Do the secedit call in the same external command in a blpackage that does an "echo * rw,user=superadmin" > c:\windows\rsc\exports
And echoes null into users and users.local
Then do an acl push right after this.
So something like this:
echo * rw,user="superadmin" > C:\windows\rsc\exports
echo null > c:\windows\rsc\users
echo null > c:\windows\rsc\users.local
Would I need to create an NSH command to push the ACLs? My goal is to automate this entirely.
You'll have to forgive me a little, I'm not super clear on all the ins and outs of BMC BladeLogic yet.
However, I have created a blpackage that deploys a command file to a host that will allow me to execute the secedit command. Within that file I have the echo statements as listed above.
However, secedit requires a reboot in order to take effect and I am not sure how I can incorporate that into the overall PPBJ process.
Also, how would I update the ACLs on the target... this is all very confusing...
In the blpackage you can select a reboot option for the external command - set it to require reboot. Then in the deploy job set the reboot options to honor the item-defined reboot settings and that should cause the reboot.
are you sure this requires a reboot? iirc it took effect immediately...
While the change is instantaneous, I get the following error when attempting to do anything on the target machine.
"No mapping between account names and security IDS was done"
I am retesting the build to see if i can regenerate the issue.
The specific secedit job is now set to reboot via the blpackage and the deploy job is set to adhere to the blpackage settings.
The other change I have made in the system deploy job is to uncheck the Push ACLs job, as when it's checked all PPBJ fail with access denied.
I am guessing this is due to the fact that I have not executed an ACL update.
The ACL update you spoke of, should that be executed via an NSH script or something else... should I create a separate package or script and include it in the PPBJ section...
Once again, I appreciate your help...
when i've done this in the past what i did was:
prov the box, admin name is 'administrator'
in the ppbj i call a deploy job, which calls a blpackage.
in the blpackage is the secedit policy to rename administrator 'xAdministrator'
in the blpackage is a single external command that has like:
secedit <blah blah>
echo "<appserver ip> rw,user=xAdministrator" > c:\windows\rsc\exports
echo "" > c:\windows\rsc\users
echo "BLAdmins:* rw,map=xAdministrator" > c:\windows\rsc\users.local
then i have the reboot option set there to require a reboot
then the next job in the batch after this pushes acls, and i'm mapping to the ADMIN_ACCOUNT property for my roles, and ADMIN_ACCOUNT is set to xAdministrator.
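
Added example (not part of the thread and not BMC code): a pre-push check in Python that reads the contents of exports, users and users.local as written by the echo lines above and reports any user= or map= target that is not in a supplied list of local account names, plus any exports entry keyed on * rather than a named host. The function names, the sample file contents and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed sample contents modelled on the echo lines in the thread, as
# cmd.exe would write them. 192.0.2.10 stands in for "<appserver ip>".
SAMPLE = {
    "exports": '"192.0.2.10 rw,user=xAdministrator" \n',
    "users": '"" \n',
    "users.local": '"BLAdmins:* rw,map=xAdminstrator" \n',  # misspelled on purpose
}

OPTION = re.compile(r"\b(user|map)=([^,\s]+)")


def parse(text):
    """Yield (lineno, principal, {option: account}) for each entry line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # cmd.exe's echo writes wrapping double quotes into the file literally.
        if len(line) >= 2 and line[0] == line[-1] == '"':
            line = line[1:-1].strip()
        # Assumption: blank lines and lines starting with '#' carry no entry.
        if not line or line.startswith("#"):
            continue
        principal, _, opts = line.partition(" ")
        yield lineno, principal, {k: v.strip('"') for k, v in OPTION.findall(opts)}


def lint(files, local_accounts):
    """Return findings: user=/map= targets that are not local accounts, and
    exports entries keyed on '*' instead of a named host."""
    known = {a.lower() for a in local_accounts}  # Windows account names are case-insensitive
    findings = []
    for name, text in files.items():
        for lineno, principal, opts in parse(text):
            for key, account in opts.items():
                if account.lower() not in known:
                    findings.append(f"{name}:{lineno}: {key}={account} is not a local account")
            # Assumption: the first field of an exports entry is the client host.
            if name == "exports" and principal == "*":
                findings.append(f"{name}:{lineno}: entry is keyed on '*', not a named host")
    return findings


if __name__ == "__main__":
    # local_accounts would come from the target after the rename has been applied.
    for finding in lint(SAMPLE, ["xAdministrator", "Guest"]):
        print(finding)
```

Running the same check on the target after the secedit step and before the ACL push job catches a mapped name that no longer matches the renamed account.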