System Center Operations Manager Invalid Management Group Removal

Invalid Management Group Removal

We recently carried out some work for a client who had a completely ruined installation of System Center Operations Manager (SCOM).

Who had done what to it, we may never know, but it was clear that the only fix was to start again. This was not such a bad thing as they did want to change the name of their Management Group anyway – which secretly led us to believe that someone had been messing about trying to carry this out, hence the mess of the installation!

We went ahead and carried out a completely new installation of Operations Manager as this is what they wanted. However, if you are an administrator of Operations Manager, you will probably know about the potential for an absolute nightmare here – the old Management Group and the new Management Group now both being referenced on the servers and end users' machines (although in this case, they only wanted servers being monitored by Operations Manager).

We managed to resolve this issue by using a PowerShell script. We did not write this PowerShell script ourselves and we apologise now for not giving the credit where it is due, but we cannot remember where we got it from – if it’s you, let us know and we will update with credit.

The plan is very simple: go onto the Operations Manager server, check for error Event ID 20046 in the Event Viewer (which will give you the name of a server trying to report to an invalid Management Group), then edit and run the PowerShell script to remove the reportedly invalid Management Group from that server.
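Rather than scrolling through Event Viewer, the first step can be scripted. The example below is ours, not the original post's code; it assumes the 20046 events are written to the 'Operations Manager' event log on the management server and summarises the distinct messages (each of which names an offending server) with a count and last-seen time, so you have a worklist to feed into the removal script.

```powershell
# Added example (not from the original post): enumerate Event ID 20046 on the management server and
# summarise the distinct messages, each of which names a server reporting to an invalid management group.
# Assumption: the events are in the 'Operations Manager' log on the management server.
function Get-InvalidManagementGroupReports {
    param(
        [string]$ManagementServer = $env:COMPUTERNAME,   # defaults to running locally on the management server
        [int]$Days = 7                                   # how far back to look
    )
    $filter = @{
        LogName   = 'Operations Manager'
        Id        = 20046
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; here that just means nothing to fix
    $events = Get-WinEvent -ComputerName $ManagementServer -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return }

    # One row per distinct message, with how often and how recently it was seen
    $events | Group-Object -Property Message | ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            LastSeen = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
            Message  = $_.Name
        }
    } | Sort-Object -Property LastSeen -Descending
}

# Look back two weeks and print each distinct report in full
Get-InvalidManagementGroupReports -Days 14 | Format-List
```

Run it from an elevated PowerShell on the management server (or pass -ManagementServer with a name you can read the event log on). Once a server stops appearing in fresh events after the removal script has run, you know the fix took.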

PowerShell Script to Remove SCOM Invalid Management Group

The PowerShell script we used is below, note these variables that you must enter per server:

  • $ComputerName = The server name with the invalid management group
  • $ManagementGroup = The name of the invalid management group

param(
    $ComputerName = "SERVERNAME",
    $ManagementGroup = "MGMT GROUP NAME"
)

Function Remove-SCOMManagementGroup ($ManagementGroup, $ComputerName)
{
    $sb = {
        param($ManagementGroup, $ComputerName)
        # The AgentConfigManager COM object only exists where the agent is installed
        Try {
            $OMCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
        } catch {
            throw "$ComputerName doesn't have the SCOM 2012 agent installed"
        }
        # List the management groups the agent currently reports to
        $mgs = $OMCfg.GetManagementGroups() | ForEach-Object { $_.managementGroupName }
        if ($mgs -contains $ManagementGroup) {
            $OMCfg.RemoveManagementGroup($ManagementGroup)
            return "$ManagementGroup removed from $ComputerName"
        } else {
            return "$ComputerName does not report to $ManagementGroup"
        }
    }
    # Run the script block on the remote server over PowerShell remoting
    Invoke-Command -ScriptBlock $sb -ComputerName $ComputerName -ArgumentList @($ManagementGroup, $ComputerName)
}

Remove-SCOMManagementGroup -ManagementGroup $ManagementGroup -ComputerName $ComputerName

Once the PowerShell script has completed, you either need to restart the Microsoft Monitoring Agent service (Service Name is: HealthService) on the affected machine or reboot it.

If you then go into your server Control Panel and then into the Microsoft Monitoring Agent applet, you should now see that you only have the correct new Management Group on there and that the invalid old one has been removed.
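The Control Panel check can be done remotely and combined with the service restart. The example below is an addition of ours, not code from the original post; it queries the same AgentConfigManager COM object on the target server, reports which management groups the agent now has, and only restarts HealthService when the invalid group is gone and the expected one is present.

```powershell
# Added example (not from the original post): verify an agent's management groups after the removal
# script has run, and restart the Microsoft Monitoring Agent (HealthService) only if the result is correct.
function Test-SCOMAgentManagementGroups {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$ExpectedGroup,   # the new, correct management group
        [Parameter(Mandatory = $true)][string]$InvalidGroup,    # the old group that should be gone
        [switch]$RestartAgent                                   # restart HealthService when the check passes
    )
    $sb = {
        param($ExpectedGroup, $InvalidGroup, $RestartAgent)
        $cfg    = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
        $groups = @($cfg.GetManagementGroups() | ForEach-Object { $_.managementGroupName })
        $ok     = ($groups -contains $ExpectedGroup) -and -not ($groups -contains $InvalidGroup)
        if ($ok -and $RestartAgent) {
            # Equivalent to restarting "Microsoft Monitoring Agent" in services.msc
            Restart-Service -Name HealthService -Force
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Groups    = ($groups -join ', ')
            Healthy   = $ok
            Restarted = ($ok -and $RestartAgent)
        }
    }
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb `
        -ArgumentList $ExpectedGroup, $InvalidGroup, ([bool]$RestartAgent)
}

# Placeholder names; substitute your own server and management group names
Test-SCOMAgentManagementGroups -ComputerName 'SERVERNAME' -ExpectedGroup 'NEW MGMT GROUP' -InvalidGroup 'MGMT GROUP NAME' -RestartAgent
```

Because the restart is conditional on the check passing, the function can be run against a whole list of servers from the worklist without restarting agents that still need attention.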

System Center Orchestrator

Of course, if you know how to use System Center Orchestrator and you have it installed in your environment, you can setup a new Runbook to check for EventID 20046 and then trigger the PowerShell script from there.

Feedback

If you have any questions or feedback on this guide, we would love to hear from you. You can contact us via our Social Media channels or just leave us a message below in the comments box.

Migrate a System Center Orchestrator database to a different SQL Server


We were running through our list of servers and looking at what each one was doing in terms of Domain Controllers, Exchange servers, SQL servers, System Center servers etc. when we noticed that we had quite a few servers that were using pretty small databases but had a large amount of host resource allocated to them. We also noticed that we had a large number of 2008 R2 servers that we wanted rid of. We had a few Server 2016 virtual machines available to us that already had SQL Server 2016 installed on them and plenty of room to migrate some databases on to them.

So one of the smaller databases we had on a Server 2008 R2 virtual machine was our System Center Orchestrator (SCORCH) database. We could live with this being down in working hours so we thought that we would hit this one first, allowing us to then completely decommission the old Server 2008 R2 server.

I have installed System Center products more times than I can remember and can probably do it with my eyes closed, but I had never migrated a SCORCH database before. So, like all good techies, I headed to Google hoping that someone had written a nice, simple, easy to follow guide. After trying a few out there, it looked like there weren't any simple, easy to follow guides and I had probably ballsed up our SCORCH database.

But I then came across a guide which I read all the way through first and seemed pretty simple, easy to follow and at this point, I was desperate so I went straight into it and gave it a go.

It worked! I was chuffed to bits, but mostly relieved! The guide was spot on and every step was perfectly written and simple to follow. So here it is:

How to Migrate an Orchestrator Database

I would like to express my thanks for saving my evening on that one – strangely enough I’ve not migrated any System Center databases since! But I would be confident with using this guide for SCORCH again if I had to.

Feedback

We would love to hear your feedback on this article so come and join us on Facebook or Twitter and let us know what you think!

Active Directory Password Expiring Email Notification


Does your 1st line help desk get fed up with having to reset end users' passwords “because they didn’t know their password was expiring?”

Well, let us show you a way that you can utilise System Center Orchestrator (SCORCH), PowerShell and Active Directory Web Services (ADWS) to email all end users a few days before their password is due to expire and also send them a daily email if they still do not change their password after the first notification.

Prerequisites

You will need to have SCORCH setup in your environment and also ADWS so that our PowerShell script can talk to your Active Directory to get the account information.

You will also need a good understanding of Active Directory, SCORCH Runbooks, PowerShell and Email. But we will try to make this as simple as possible.

Instructions

First of all, we need to load up SCORCH and create a new runbook. Give the runbook an appropriate name and then drag in a Monitor Date/Time activity from under the Scheduling branch:

Active Directory Password Expiring Email Notification 1

Now, you have a choice to make on how often you want this runbook to run. For the purposes of this guide, we are going to run it every Monday at 8am. So, double click the Monitor Date/Time item, click the Details tab on the left and enter 08:00 under the Interval section:

Active Directory Password Expiring Email Notification 2

You can also go ahead and click the General tab and give the item a better name. For this guide, we have called it 08:00 Check.

So we now have our runbook set up to run at 08:00 every day, but we only want it to run on a Monday. To do this, we need to create a schedule under Global Settings > Schedules:

Active Directory Password Expiring Email Notification 3

Right click the Schedule folder and click New > Schedule. This will bring up the New Schedule box, enter an appropriate name for the schedule and then click on the Details tab. This will now bring up the Days of week radio buttons. You should now make your selections and ensure that you tick all of the Occurrence tick boxes. So you should end up with something similar to this:

Active Directory Password Expiring Email Notification 4

Now we go back into our runbook and add a Check Schedule activity from under the Scheduling section and join the two schedules together:

Active Directory Password Expiring Email Notification 5

Then double click the Check Schedule item and give it an appropriate name (we have called our Check Mondays) and then click on the Details tab. From here, click the three dots in the box and browse to the schedule we just created:

Active Directory Password Expiring Email Notification 6

Then go ahead and click the Finish button.

Now we need to add our PowerShell script to the runbook so add a Run .Net Script item from under the System activity and then join the Check Mondays schedule item to the Run .Net Script:

Active Directory Password Expiring Email Notification 7

Now double left click the Link part you can see highlighted blue in the above image. This will bring up the Include Filters box:

Active Directory Password Expiring Email Notification 8

Click on the Check Mondays link within the Includes Filter tab. This will bring up a Published Data box where you should select Conforms to schedule option and click the OK button:

Active Directory Password Expiring Email Notification 9

Then click on the Value option which will bring up a drop down, select the value to be True:

Active Directory Password Expiring Email Notification 10

Click on the OK button and then you should have an Includes Filter that looks like this:

Active Directory Password Expiring Email Notification 11

Now we move back to our Run .Net Script. Double click it and it will take you into the Language Type. Click the three dots button and select PowerShell:

Active Directory Password Expiring Email Notification 12

Now we need to enter our PowerShell into the Script section. The PowerShell script we are going to use is below:

Import-Module ActiveDirectory
# Number of days ahead to look for expiring passwords
$SpanDays = 5
# Result arrays; these become the Published Data of the Run .Net Script activity
$Displayname = @()
$Mail = @()
$Days = @()
$Sam = @()
$DN = @()
# Get all users that are enabled and whose password can expire.
# msDS-UserPasswordExpiryTimeComputed is 0 when the user must change their password at next logon and
# Int64.MaxValue when it never expires; [datetime]::FromFileTime would throw on the latter, so both are skipped.
$Users = Get-ADUser -Filter {(Enabled -eq $True) -and (PasswordNeverExpires -eq $False)} `
    -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed, Mail, samaccountname, distinguishedName |
    Where-Object {
        $_.DisplayName -ne $null -and
        $_."msDS-UserPasswordExpiryTimeComputed" -gt 0 -and
        $_."msDS-UserPasswordExpiryTimeComputed" -lt [Int64]::MaxValue
    } |
    Select-Object Mail, samaccountname, distinguishedName, DisplayName,
        @{Name = "ExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}
# Go through each user and check whether the password expires within the next $SpanDays days
foreach ($Entry in $Users)
{
    $Span = New-TimeSpan -Start (Get-Date) -End $Entry.ExpiryDate
    if ($Span.TotalDays -le $SpanDays -and $Span.TotalDays -gt 0)
    {
        $Displayname += $Entry.DisplayName
        $Mail += $Entry.Mail
        $Days += $Span.Days
        $Sam += $Entry.samaccountname
        $DN += $Entry.distinguishedName
    }
}
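The selection logic above only runs inside a domain-joined SCORCH runbook server, which makes it awkward to test. The following is an added example of ours (not the post's script): the same "expires within N days" decision as a function that takes the user records as input, so it can be exercised against constructed data with a fixed "now". It also shows the two sentinel values of msDS-UserPasswordExpiryTimeComputed being skipped and accounts with no mail address being dropped, since there is nowhere to send their notice.

```powershell
# Added example, not the post's runbook script. Pure function over user records so the expiry window logic
# can be run offline. Input objects need DisplayName, Mail, SamAccountName and ExpiryFileTime
# (the raw msDS-UserPasswordExpiryTimeComputed value).
function Get-ExpiringPasswordNotices {
    param(
        [Parameter(Mandatory = $true)][object[]]$Users,
        [int]$SpanDays = 5,                 # same window as the runbook script
        [datetime]$Now = (Get-Date)         # injectable so results are deterministic
    )
    $never = [long]::MaxValue              # 0x7FFFFFFFFFFFFFFF: password never expires
    foreach ($u in $Users) {
        $ft = [long]$u.ExpiryFileTime
        if ($ft -eq 0 -or $ft -eq $never) { continue }   # 0 = must change at next logon; skip both sentinels
        if (-not $u.Mail) { continue }                     # no mailbox, nothing to send
        $expires   = [datetime]::FromFileTime($ft)
        $remaining = $expires - $Now
        if ($remaining.TotalDays -gt 0 -and $remaining.TotalDays -le $SpanDays) {
            $daysLeft = [math]::Floor($remaining.TotalDays)
            [pscustomobject]@{
                DisplayName = $u.DisplayName
                Mail        = $u.Mail
                Sam         = $u.SamAccountName
                Days        = $daysLeft
                Body        = "Hello $($u.DisplayName), your password expires on $($expires.ToString('d MMMM yyyy HH:mm')) ($daysLeft day(s) left)."
            }
        }
    }
}

# Constructed sample data (not real accounts); file times are derived from a fixed "now"
$now = Get-Date '2024-03-04 08:00'
$sample = @(
    [pscustomobject]@{ DisplayName = 'Ann Example'; Mail = 'ann@example.com'; SamAccountName = 'ann';    ExpiryFileTime = $now.AddDays(3).ToFileTime() }
    [pscustomobject]@{ DisplayName = 'Bob Example'; Mail = 'bob@example.com'; SamAccountName = 'bob';    ExpiryFileTime = $now.AddDays(20).ToFileTime() }
    [pscustomobject]@{ DisplayName = 'Svc Account'; Mail = 'svc@example.com'; SamAccountName = 'svc';    ExpiryFileTime = [long]::MaxValue }
    [pscustomobject]@{ DisplayName = 'New Starter'; Mail = 'new@example.com'; SamAccountName = 'new';    ExpiryFileTime = 0 }
    [pscustomobject]@{ DisplayName = 'No Mailbox';  Mail = $null;             SamAccountName = 'nomail'; ExpiryFileTime = $now.AddDays(1).ToFileTime() }
)

Get-ExpiringPasswordNotices -Users $sample -Now $now | Format-Table DisplayName, Days, Mail, Body -AutoSize
```

With the sample above only Ann Example is returned (3 days left): Bob is outside the 5-day window, the service account and the new starter hit the two sentinel values, and the account without a mail address is skipped. To use it for real, build the input objects from Get-ADUser with the same -Properties list as the runbook script.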

Once you have entered the script, click on the Published Data tab:

Active Directory Password Expiring Email Notification 13

Active Directory Password Expiring Email Notification 14

Click on the Add button to enter each published data you want to use. These are the values you should enter:

  • Displayname
  • Mail
  • Days
  • Sam
  • DN

All of these should be string types and the Variables should be the same as the name. So you should end up with something like this:

Active Directory Password Expiring Email Notification 15

You can now go ahead and click on the Finish button.

We now need to add the final piece to the runbook – the email that will be sent to the end user. Under the Email activity, add a Send Email item to the end of the runbook and join the Run .Net Script to it:

Active Directory Password Expiring Email Notification 16

Double click the Send Email item and you can now setup your email to be sent as usual (i.e. the Connect tab with the sender address and mail server) but you can now also use the Published Data to create your email body.

The only part that should not be customised to your needs is the recipients. This should have the Published Data of {Mail from “Run .Net Script”} as this is where the email will be sent to. You could always add your help desk into the CC or BCC if they want to know that an end user has been notified that their password is expiring.

Click Finish, then Check In and Run your runbook. What should happen now is that every user whose password is due to expire in the next 5 days will get an email as you specified.

You can change around all the options to get it to how you want it but this is a great process to have once completed and should save your help desk a lot of unnecessary work (even if it just means telling an end user that they must have ignored the alerts that their password was expiring!!).

Feedback

If you have any questions or feedback on this guide, please feel free to leave us a message below in our comments section and we will get back to you as soon as we can.

SCORCH runbooks not showing in SCCM or SCSM


When you create a new System Center Orchestrator Runbook and you have checked it in ready to use, you may not see it in systems that will want to use it, like Configuration Manager, Microsoft Deployment Toolkit or Service Manager.

This is due to the authorisation cache not updating and so not showing the newly created runbook.

Guide

To fix this, you will need to open up Microsoft SQL Management Console and run the following SQL query on your Orchestrator database:

TRUNCATE TABLE [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache
EXEC [Microsoft.SystemCenter.Orchestrator.Maintenance].EnqueueRecurrentTask 'ClearAuthorizationCache'

Once you have run this, you should then head back to where you want to use the runbook and you should now be able to see it!

Remember if you are using something like Service Manager, you will need to run the connector synchronisation again after running the SQL query on the database.

Comments

If you have any questions or feedback on this post, please feel free to leave us a message below in the comments section.

WSUS – Cleanup using Powershell with email notification output


Introduction

If you are using WSUS in your environment, you may want to run a scheduled task to cleanup old updates and compress some of the larger updates to free up space on your server. A good way of doing this is to run a Powershell script which will take care of all your cleanup requirements and as we are using Powershell, we can even get it to send us an email once it is complete with the output information on what the script has managed to clean up.

Guide

First of all, you need to decide on what you actually want to do with the script. This includes whether you want to run it manually or add it as a scheduled task or even a System Center Orchestrator Runbook.

For the purposes of this guide, we are going to run the Powershell script with all available options but manually.

For a local WSUS installation, you should use the script below:

Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates

If you want to run the script on a remote server, you can state the server name like below:

Get-WsusServer "WSUSServer" | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates

Parameters

As you can see from the script above, we are running the cleanup on all options available to us, i.e. Declined Updates. You can add and remove these as you so wish. The parameters available to you are:

  • -CleanupObsoleteComputers
  • -CleanupObsoleteUpdates
  • -CleanupUnneededContentFiles
  • -CompressUpdates
  • -DeclineExpiredUpdates
  • -DeclineSupersededUpdates

Email Parameters

So the above will run manually and then output something like the following within your Powershell window:

WSUS - Cleanup using Powershell with email notification output 17

But what if you want to receive an email with this information so that you can stay up to date with what the cleanup is doing, especially if you are running it on a schedule? Using Powershell, you can add a few more lines to your cleanup script to send an email.

To do this, you need to amend your script so it has the email parameters of your local email server and also build an output to the body of the email, so your script should look like this:

$output = Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
Send-MailMessage -from "WSUS PS Cleanup <wsus@techygeekshome.info>" -to "blog@techygeekshome.info" -Subject "WSUS Cleanup Stats" -Body ($output | Out-String) -SmtpServer smtp.techygeekshome.info

You should change the email parameters to suit your local email environment.

When this script is run, it will then output to an email as specified.
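When the cleanup runs unattended, the thing you most want the email to tell you is whether any step failed, and a single pipeline with every switch stops at the first error. The example below is an addition of ours, not the post's script: it runs each cleanup option as its own step inside try/catch so one failure does not abort the rest, appends the results to a log file, and puts a FAILED marker in the subject line when anything went wrong. Mail server, addresses and the log path are placeholders; note that Get-WsusServer with -Name also needs -PortNumber (8530 is the default non-SSL port).

```powershell
# Added example (not from the original post): per-option WSUS cleanup with failure reporting by email.
# Placeholders below must be changed for your environment.
$smtpServer = 'smtp.example.com'                       # placeholder
$from       = 'WSUS PS Cleanup <wsus@example.com>'     # placeholder
$to         = 'blog@example.com'                       # placeholder
$logPath    = Join-Path $env:ProgramData 'WsusCleanup.log'

function Invoke-WsusCleanupReport {
    param(
        [string]$ServerName,     # empty = the local WSUS server
        [int]$Port = 8530        # WSUS HTTP port; 8531 if you connect with -UseSsl
    )
    $wsus = if ($ServerName) { Get-WsusServer -Name $ServerName -PortNumber $Port } else { Get-WsusServer }

    # Decline steps first; the content-file step then removes files that are no longer needed
    $options = 'DeclineSupersededUpdates', 'DeclineExpiredUpdates', 'CleanupObsoleteUpdates',
               'CleanupUnneededContentFiles', 'CompressUpdates', 'CleanupObsoleteComputers'
    $report = New-Object System.Text.StringBuilder
    $failed = 0
    foreach ($opt in $options) {
        $started = Get-Date
        try {
            # Splat a single switch so each option is an independent call
            $splat  = @{ $opt = $true }
            $result = $wsus | Invoke-WsusServerCleanup @splat -ErrorAction Stop
            [void]$report.AppendLine(('[{0:s}] {1}: {2}' -f $started, $opt, ($result | Out-String).Trim()))
        } catch {
            $failed++
            [void]$report.AppendLine(('[{0:s}] {1}: FAILED - {2}' -f $started, $opt, $_.Exception.Message))
        }
    }
    [pscustomobject]@{ Body = $report.ToString(); Failed = $failed }
}

$result  = Invoke-WsusCleanupReport          # add -ServerName 'WSUSServer' for a remote server
$subject = if ($result.Failed -gt 0) { "WSUS Cleanup: $($result.Failed) step(s) FAILED" } else { 'WSUS Cleanup Stats' }
Add-Content -Path $logPath -Value $result.Body
Send-MailMessage -From $from -To $to -Subject $subject -Body $result.Body -SmtpServer $smtpServer
```

The log file gives you a history even if mail delivery fails, and filtering on "FAILED" in the subject lets the help desk mailbox rule route problem runs separately from the routine stats.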

Download

You can download the Powershell script as a PS1 file by clicking the link below:

Download WSUS Cleanup PS1

Comments

If you have any questions or feedback on this guide, please feel free to leave us a message below and we will get back to you when we can.

System Center Orchestrator – SQL Query to show log file data


If you are using System Center Orchestrator (SCORCH) Runbooks then you may have run into issues where the database is increasing in size due to the large amount of log files being created. This typically occurs when monitoring event logs on servers amongst some other runbook options in SCORCH.

If you want to check how many log files are in existence per each individual runbook that you have, then you can run the following SQL query on your SCORCH database.

SQL Query

SELECT COUNT(OBJECTS.Name) AS Instances,
POLICIES.Name AS Runbook, 
Objects.Name 
FROM OBJECTINSTANCEDATA
INNER JOIN OBJECTINSTANCES ON OBJECTINSTANCEDATA.ObjectInstanceID = OBJECTINSTANCES.UniqueID
INNER JOIN OBJECTS ON OBJECTINSTANCES.ObjectID = OBJECTS.UniqueID
INNER JOIN POLICIES ON OBJECTS.ParentID = POLICIES.UniqueID
GROUP BY Policies.Name,
Objects.Name
ORDER BY Instances DESC

Running this will bring back a list of your existing runbooks and the total amount of logs against each one. You can then purge logs manually or re-evaluate your automated log purge settings within the Runbook Designer Console.

More Queries

Our full range of SQL and WQL Collection queries are available here.

Feedback

If you have any questions or feedback about this post, or if you would like us to create any queries for you, please go ahead and leave us a message below in the comments section and we will get back to you as quick as we can.

WSUS – Server Clean Up Using Powershell


If you use WSUS then you will be familiar with running the Server Cleanup Wizard, which is fine, but what if you want to use Powershell? Well, you can also use that to run the server cleanup on all your WSUS servers.

By using Powershell you have the option to then automate its running using basic windows task scheduler or something a bit more advanced like Orchestrator Runbooks or build it all in to Service Manager.

So, all you need to do is to take the below Powershell script, save it as a .PS1 file and then run as admin on your WSUS server.

$outFilePath = '.\wsuscleanup.txt'
# Load the WSUS administration API
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
# Connect to the local WSUS server
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
# Select every cleanup option, as the Server Cleanup Wizard does
$cleanupScope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$cleanupScope.DeclineSupersededUpdates    = $true
$cleanupScope.DeclineExpiredUpdates       = $true
$cleanupScope.CleanupObsoleteUpdates      = $true
$cleanupScope.CompressUpdates             = $true
$cleanupScope.CleanupObsoleteComputers    = $true
$cleanupScope.CleanupUnneededContentFiles = $true
# Run the cleanup and write the results to the text file next to the script
$cleanupManager = $wsus.GetCleanupManager()
$cleanupManager.PerformCleanup($cleanupScope) | Out-File -FilePath $outFilePath

If you wish to just download the Powershell script then you can do so from here.

It may take time to complete on your server if you have a lot of cleaning up to do so give it time. The script will create a text file in the same location you ran the script from with the completed values for what it has achieved.

Once complete, check your disk space and you should notice a big change in your free space and your updates will be a lot tidier!

Comments

If you have any questions about this guide, please feel free to leave us a message below using our comments system.

System Center Technical Preview VHD Downloads Available


Microsoft have recently released the System Center Technical Preview Evaluation VHDs for you to take a look at and launch in your Hyper-V environment.

DOWNLOADS

You can download the VHDs using the links below for the following products:

Data Protection Manager Evaluation VHD

Operations Manager Evaluation VHD

Orchestrator Evaluation VHD

Service Manager Evaluation VHD

Virtual Machine Manager VHD

COMMENTS

If you have any questions or feedback about these evaluation VHDs, please feel free to use our comments system below.

Configuration Manager – Change the Approve/Deny Status of an Application Catalog Request


If you are a Configuration Manager administrator, the chances are that you are using the Application Catalog to allow users to install their own software.
A great feature of this is that you can put in specialist or licensed software and add a “Request” button. This means that your end users will only get the software if you approve it.

To begin with we found a number of bits missing for this though, things like email notification – how are you supposed to know when a user requests some software – how is the user supposed to know when you have approved it?

Those issues are easily solved using Powershell and Orchestrator Runbooks but that is for another time….

In this post, we are going to show you how to do something very dangerous indeed – if you use this method and screw up your Configuration Manager database – DO NOT BLAME US!

Scenario

We came across an issue where a helpdesk technician had approved and denied software incorrectly. By default in the Configuration Manager Console, once you have approved or denied a request – that’s it, you cannot change your mind by simply right clicking and amending your selection. So, how do you work around it? The answer is very simple – you manually amend your SQL database.

Now, as stated above, this is extremely stupid and we are not recommending that you do it, but if you are desperate and an absolute expert in SQL and are confident in your own ability – then why not!

Instructions

First things first. In your CM database there is a table called:

UserApplicationRequests

In here there is all the information about your users' requests, including a column called:

CurrentState

There are four numbers that make up the current state of a user application request – they are:

  • 1 – Requested
  • 2 – Cancelled
  • 3 – Denied
  • 4 – Approved

So, you can now run a query on your CM database like this to show you all Denied user approval requests:

SELECT * FROM UserApplicationRequests WHERE CurrentState = 3
ORDER BY LastChanged

In our example, we are going to use an extreme – we want to change ALL of our Denied CurrentStates back to Requested – then we can go into the Configuration Manager Console and manually approve or deny them.

To do this, you can run the following query on your CM database:

UPDATE UserApplicationRequests
SET CurrentState= 1
WHERE CurrentState = 3

What this query does is updates the UserApplicationRequests table to make CurrentState = 1 where the CurrentState is = 3.

If you now go into your Configuration Manager Console, you should see that all your Denied requests are now back into a Requested state.
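Given the warning at the top of this post, the one thing worth adding to the raw UPDATE is a way back. The example below is ours, not the post's query, and goes a little beyond it: it does the same Denied-to-Requested change from PowerShell, but first exports the rows it is about to touch to a CSV, runs the UPDATE inside a transaction, checks that the number of rows updated matches the number exported, and only commits when -Commit is given (otherwise it rolls back, so the default run is a rehearsal). It also limits the change to denials with a LastChanged after a cut-off rather than every denied request. Server and database names are placeholders, Windows authentication is assumed, and LastChanged is assumed to be a datetime column (the post orders by it).

```powershell
# Added example, not the post's own query. Moves recently denied Application Catalog requests back to
# Requested (1) with an export-first, transaction-wrapped, dry-run-by-default approach.
# Assumptions: placeholder server/database names, Windows authentication, LastChanged is a datetime column.
param(
    [string]$SqlServer      = 'CMSQL01',                 # placeholder: your site database server
    [string]$Database       = 'CM_PS1',                  # placeholder: your site database name
    [datetime]$ChangedSince = (Get-Date).AddDays(-1),    # only touch denials from the last day
    [switch]$Commit                                      # without this the change is rolled back
)

$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=$Database;Integrated Security=True"
$conn.Open()
$tran = $conn.BeginTransaction()
try {
    # 1. Snapshot the rows that are about to change so they can be put back if needed.
    $select = $conn.CreateCommand()
    $select.Transaction = $tran
    $select.CommandText = 'SELECT * FROM UserApplicationRequests WHERE CurrentState = 3 AND LastChanged >= @since'
    [void]$select.Parameters.AddWithValue('@since', $ChangedSince)
    $table  = New-Object System.Data.DataTable
    $reader = $select.ExecuteReader()
    $table.Load($reader)
    $reader.Close()

    if ($table.Rows.Count -eq 0) {
        Write-Host "No denied requests changed since $ChangedSince; nothing to do."
        $tran.Rollback()
        return
    }
    $backup = Join-Path $env:TEMP ('UserApplicationRequests_denied_{0:yyyyMMddHHmmss}.csv' -f (Get-Date))
    $cols   = $table.Columns | ForEach-Object { $_.ColumnName }
    $table.Rows | Select-Object -Property $cols | Export-Csv -Path $backup -NoTypeInformation
    Write-Host "Exported $($table.Rows.Count) row(s) to $backup"

    # 2. Flip the same rows back to Requested, inside the transaction.
    $update = $conn.CreateCommand()
    $update.Transaction = $tran
    $update.CommandText = 'UPDATE UserApplicationRequests SET CurrentState = 1 WHERE CurrentState = 3 AND LastChanged >= @since'
    [void]$update.Parameters.AddWithValue('@since', $ChangedSince)
    $affected = $update.ExecuteNonQuery()

    # 3. Refuse to commit if the UPDATE did not touch exactly the rows that were exported.
    if ($affected -ne $table.Rows.Count) {
        throw "Expected $($table.Rows.Count) row(s) but the update affected $affected; rolling back"
    }
    if ($Commit) {
        $tran.Commit()
        Write-Host "Committed: $affected request(s) set back to Requested"
    } else {
        $tran.Rollback()
        Write-Host "Dry run: $affected request(s) would change; re-run with -Commit to apply"
    }
}
catch {
    # Connection is null once the transaction has already been committed or rolled back
    if ($tran.Connection) { $tran.Rollback() }
    throw
}
finally {
    $conn.Close()
}
```

Save it as a .ps1 and run it once without -Commit to see the row count and the CSV, then with -Commit to apply. The row-count comparison is there because a request could be changed in the console between the SELECT and the UPDATE; if that happens the script rolls back rather than silently changing a different set of rows. The CSV keeps the original CurrentState values, which is what you need to put a row back by hand if the wrong one was changed.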

More Queries

Our full range of SQL and WQL Collection queries are available here.

Feedback

If you have any questions or feedback about this post, or if you would like us to create any queries for you, please go ahead and leave us a message below in the comments section and we will get back to you as quick as we can.

System Center Orchestrator Integration Packs


We have been using SCORCH for a while now and have acquired a number of Integration Packs. So, we thought we would zip them all up and add them to our site for you to download and use.

Sorry but we cannot remember where most of them have come from as they have been gathered over a few years, so if one of yours is here and you want credit for it, please let us know and we’ll add a credit for you.

DOWNLOAD

System Center Orchestrator Integration Packs 18

WHATS INCLUDED

The following Integration Packs are included in this download package:

  • Configuration Manager 2007 IP
  • Data Protection Manager 2010 IP
  • Execute PS IP
  • Operations Manager 2007 IP
  • Orchestrator Integration Pack for Data Manipulation
  • SC2012 Configuration Manager IP
  • SC2012 Data Protection Manager IP
  • SC2012 Operations Manager IP
  • SC2012 Service Manager IP
  • SC2012 Virtual Machine Manager IP
  • SC2012 SP1 IP for Azure
  • SC2012 SP1 IP for Configuration Manager
  • SC2012 SP1 IP for Data Protection Manager
  • SC2012 SP1 IP for Operations Manager
  • SC2012 SP1 IP for REST
  • SC2012 SP1 IP for Service Manager
  • SC2012 SP1 IP for Virtual Machine Manager
  • Service Manager 2010 IP
  • SC2012 SP1 IP for Active Directory
  • SC2012 SP1 IP for Exchange Admin
  • SC2012 SP1 IP for Exchange User
  • SC2012 SP1 IP for FTP
  • SC IP for Active Directory
  • Virtual Machine Manager 2008 IP

If you have any problems with this or have any suggestions for other IPs, please leave a comment below.

Email Notification at the end of a SCCM OSD Task Sequence


I have been working on a method to send our helpdesk an email notification when an OSD task sequence has completed.

I started by looking into using the Status Filters and Powershell but this didn’t seem to work well enough for what I wanted to do, which was to create a fancy looking email by using HTML for the output email.

So, I decided that as I have MDT integrated into my SCCM environment, I could use the Execute Runbook step and design a solution in Orchestrator.

Instructions

To do this, I created a new runbook in Orchestrator with two very simple steps, Initialize Data and Send Email and then link them together…

Email Notification at the end of a SCCM OSD Task Sequence 19

In the Initialize Data part, I added the OSDComputerName variable so that I could use that information in my email to be sent….

Email Notification at the end of a SCCM OSD Task Sequence 20

I’m not going to share my email settings as these are very personalised to almost every different setup, so you can set up your own settings under the Send Email options, but remember that you can use HTML to design your email and you can use the Published Data to input the OSDComputerName of the machine that is being built by the task sequence where you will execute this runbook.

Once you have your runbook setup and you have checked it in, you can now edit your SCCM OSD task sequence. You should add your Execute Runbook right at the end of your task sequence (remember to add the Use MDT Toolkit Package step before you run the Execute Runbook step)…

Email Notification at the end of a SCCM OSD Task Sequence 21

As you can see from above, after you have added your Use MDT Toolkit Package, you should then add the Execute Runbook step (you can then rename it something more appropriate like I have above) and enter the settings like below:

Email Notification at the end of a SCCM OSD Task Sequence 22

As you can see, I’ve blocked out my Orchestrator Server but you obviously enter your own server name here. You can then browse to your runbook which will then give you the option to specify the OSDComputerName variable which should be entered as:

%_SMSTSMachineName%

You can then save your task sequence and when you run the process, at the end it should send the email you created under the Send Email option in Orchestrator.

Feedback

If you have any questions about this process, leave a comment and I’ll get back to you when I can.