It's Time for 5 Stupid IT Questions

You got IT questions? I got stupid answers.  Pull up a chair, sit down, and destroy your precious little mind reading my stupid ramblings for a bit.  What else do you have to do?  Silly Earthling.

(Note:  This is going to be an ongoing series, I think.  It depends on feedback from folks like you)

Question 1 - "In VMware Workstation and VMware Player, it has an option to preallocate the virtual hard drives.  What does this do and why should I consider it?"

Answer: It carves out physical storage space (on whatever drive/disk/volume you have it pointed at) to store the disk .VMDK file before using it the first time.  Like most things in life, there's a trade-off...

On the good side, preallocating space avoids the need to incrementally allocate more space as needed.  The incremental growth usually happens while the VM guest is running, causing some delays and pauses at times.

On the bad side, preallocating space takes up designated storage space which may not be fully-used on the inside (guest VM referencing).  For example, if you specify a 60 GB disk, it will grab 60 (plus a little chump-change space for overhead) right away.  In the end, you may only end up filling 40 GB within the guest machine, leaving 20 (or thereabouts) unused but still occupied on the physical disk.

If space isn't a concern, preallocate it to squeeze a little more performance from your virtual toyland.

Question 2 - "If I want to roll out a new Group Policy ADMX template during production hours, what negative impact would that have?"

Answer: "Would" or "Could"?  The answer depends on several factors.  But starting at step 1:  deploying an ADMX template into an AD environment involves updating the SYSVOL on the first domain controller.  From there it replicates (because domain controllers like to replicate, as nasty as that sounds).

The factors that come into play after step 1 are like a Rubik's cube.  Site link configurations, replication schedules, the size of the ADMX files, the WAN links, the network configuration, the KCC mess in the background, the amount of drugs your engineers consume, the prevailing winds, the high tide, the... whatever.  Hopefully you get the idea.  I would recommend that (after you've tested them in a separate environment of course) that you deploy them during off-peak hours.  If that isn't possible, blame it on the last person to have quit.

Question 3 - "Will shifting my SCCM environment over to a user-demand, Application Catalog scheme fix all my problems with overseeing software deployments?"

Answer:  It depends.  In general, the answer is "no", it won't fix "all" of those "problems".  Can it lessen your workload?  At best: usually.  At worst:  it will replace one set of problems with another.

Will it eliminate some problems on the whole?  Sometimes.

It depends on how diverse your applications are and how diverse the target platforms are in your SCCM site.  If you support 4,000 products, but they are well-defined in terms of assigning one product+version for each business role, then you will be better off.  If you have a lot of alternatives for the same role/purpose, start drinking and get your Liver in good shape.

The surprise "gotchas" I've seen, or heard about, with handing over the role of installing applications to end users via a catalog shopping-cart concept, have been basically from two general areas.  Each of which breaks down into two more areas:

1. Setting up the catalog
2. Cleaning up messes

The first area (setting up the catalog), involves not only building the catalog, but assigning roles and permissions, but that's the easy part.  Then comes the spaghetti-like enigma of validating product licensing and usage terms, as well as planning out the potential conflicts.  Those are the nasty things like "Product A and Product B cannot exist on the same client or they break things." or "Product A only works with .NET 4.0 while Product B only works with .NET 4.5" and so on.

The second area (cleaning up messes) involves hand-holding users that mistakenly install things and run into problems with them.  Even if you teach them how to remove those mistakes, there are going to be the breaks that require rolling up your sleeves and taking time away from other work.

The secondary issues are delegation reliability, and platform resiliency.  Big words.  I like big words.

The former (delegation) involves how well your delegated staff hold up with handling rights and assignments, as well as tech support issues that arise.  The latter (resiliency) involves how mature your environment is with regards to platform standards and methods for repairing breaks in the assembly line.  How many versions of Windows you support, how many device types, models, vendors, component versions (JRE, .NET).  Good stuff for beer talk.

Question 4 - "Is it more important to have a college degree or a certification when entering the IT field?"

Answer:  My kids' friends and their friends hit me with this question a lot.  Usually after some introductory phrase like "Excuse me, old man?  Can I axe yuze a question about getting a computer job?".

From an entry perspective (first-time job seeker), it depends on what kind of IT job you're aiming for.  If you're looking for a fairly low to intermediate job, such as anything from Tier1/desktop support, to even Systems Admin or Systems Engineer, it helps to have a degree, but it really helps to have a lot of (current/recent/relevant) certifications.

Many entry level IT jobs only require A+, Network+ and Security+ certifications, unless you start getting into VMware or Cisco type stuff (and so on).  Even then, having a Microsoft MCSA/MCSE will help a lot.

If the job your aiming for is "senior research scientist" or "database architect", well, start filling out those college enrollment applications.  It won't hurt to have your CCNA or MCSE/MCwhatever, but most high-level, expert type fields within IT expect more educational background.  And don't forget those Analysts and Project Managers, who may need a mix of schooling and certs like PMP, ITIL, etc.  Just poke around the job postings online and you'll see what I mean. (Not that I've been looking of course, cough-cough.  That's just what I've been told).

Question 5 - "What is the toughest part of getting technology to work well?"

Answer:   People.  It's just human nature to try to pound nails using a wrench.

(Thank you for reading!  Stay tuned for more IT stupidity coming soon...)

If I Were In Charge of Microsoft Right Now...

Yes.  This is extremely "pie-in-the-sky" stuff, but I need a mental break from working two jobs every day.  I'm sure you can poke a million holes in these suggestions, but whatever... enjoy!

1. Stop all work on the Windows OS and call a big-ass meeting to do a massive "reset" on that 400-headed beast.  Consolidate and streamline EVERY command utility, API, etc.  A common syntax for everything.  Eliminate overlaps and redundancy.  Retool for true 64-bit (or 128?) rather than the dragging on the current 32/64 band-aid stupidity.  Tell partners/vendors "f-u" if you don't comply with the new platform specs.  No more backwards compatibility work.
2. Redesign the interface so it adapts to the devices, rather than forcing you to use a tablet interface for a keyboard and mouse work environment.
3. Give away App-V for free (like MDT and WSUS are handled)
4. Get rid of MDOP as a product and make the rest of it (sans App-V) part of the Windows platform.
5. Get some fresh faces in the System Center group to retool Configuration Manager to be easier and simpler to (A) install and configure and (B) manage.
6. Revisit the "Essentials" idea.
7. Deploy physical "Microsoft Store" facilities, like Apple did.  Online shopping is cool but tinkering with shit in your physical hands shouldn't be ignored.  Oh, and include those nifty-ass Starbucks automated barista machines they have at their own campuses.  Those things kick ass.
8. Make ads that are funny.  If it doesn't make me laugh and cough my beer through my nose, then it needs to go back to the production room and get some more work.

Big News! E-Book Price Reductions!

If you have ever stayed awake long enough to read through any of my books: THANK YOU!

If you've read one or two of them, and wondered if any of the others are any good, well.... now is your chance to explore.

Big News...
Major Pricing Discounts on my E-Books!

Major Discounts will be applied starting this week.  Amazon has to process the price changes, so they may not be posted for another 24-48 hours (from today: July 24, 2013).

If you still see the "Old Price" posted on the Amazon product page, refresh the web page or come back to it until you see the updated prices.

The new prices are shown below.  Read the Q & A below for more information...

Amazon Kindle Publication	Old Price (USD)	New Price (USD)	Discount
Grinding Gears: The Art of Software Repackaging and Deployment Packaging, Testing, Deploying, Uninstalling and Upgrading Software Applications on the Windows platform.  Also covers Configuration Manager, Scripting, Group Policy, and more!	$6.99	$5.99	15%
Why Your Next IT Project Will Fail (and What You Can Do to Avoid It) Why do Projects fail? More specifically: Why do IT Projects fail? Is there a common thread or pattern that exists among failed IT Projects? Is it predominantly a failure of technology; of people; or a failure of both? Are there warning signs that make it easy to spot the causes before they become problems, with sufficient time to correct them? Are there steps that can be taken to correct the problem once it's begun? Are there strategies that can help prevent these potential issues from occurring again?	$4.99	$2.99	40%
The Visual LISP Developer's Bible: 2011 Edition Developing, Testing and Compiling VLISP code for AutoCAD 2011.  VLIDE options as well as tips and tricks.	$7.99	$5.99	25%
The Visual LISP Developer's Bible: 1st Edition The Original. The e-book that started it all for me.	$4.99	$2.99	40%
The AutoCAD Network Administrator's Bible: 2013 Edition Setting up FlexLM and network licensing. Building, Testing and Deploying Autodesk 2013 products (aka "Deployments"), logs, option files, troubleshooting and more.	$9.99	$7.99	20%
The AutoCAD Network Administrator's Bible: 2012 Edition Setting up FlexLM and network licensing. Building, Testing and Deploying Autodesk 2012 products (aka "Deployments"), logs, option files, troubleshooting and more.	$6.99	$4.99	30%
The AutoCAD Network Administrator's Bible: 2011 Edition Setting up FlexLM and network licensing. Building, Testing and Deploying Autodesk 2011 products (aka "Deployments"), logs, option files, troubleshooting and more.	$3.99	$2.99	25%

In addition: Some of my e-Books which were not enrolled in the Amazon KDP Select program, are now enrolled! 

• The Packager's Pocket Reference, 2nd Edition ($5.99)
• Grinding Gears: The Art of Software Repackaging and Deployment ($5.99)
• You're Only as Good as Your Last Mistake ($2.99)

Q & A (Questions and Answers)

How Long will this Discount Offer Last?  These prices will remain in effect until August 10, 2013, or roughly 16 days from when the new prices go into effect.  After that, they will be returned to their previous prices.

Do you need a Kindle to read these?  NO.  You can download a FREE Kindle Reader App for almost any mobile device.  You can also read them in almost any web browser using the Amazon Kindle Cloud Reader.

You can read these, using a FREE reader app, on your iPhone, iTablet, iPod, Blackberry, Android device, Windows device, and more.

What Locations will see these Discounts?  The new prices will go into effect in all markets in which Amazon applies international currency conversions.  If you live or reside in a location which is not handled by their automated currency conversion process,  you will see whatever discount is applied as a derived translation of the U.S. Dollar value, as best as I can figure out. 

The markets which are covered by their automatic conversion process, as of now,  include: The United States, United Kingdom, France, Germany, Spain, Italy, India, Japan, Brazil, and Canada.  For more information, visit the Amazon web site and be sure to drink plenty of caffeine.

What does this "KDP Select" stuff mean?  It means Amazon Prime members can LEND and BORROW those e-books for FREE.  Yes.  For Free!  Ok, well, becoming an Amazon Prime member isn't really "free", but it does give you some pretty darn amazing discounts and cool features you can't get otherwise.

How Many of my e-Books are enrolled in this "KDP Select" program for Amazon Prime members to benefit from?  All of them.  If you find any that are not available for lending and borrowing on Amazon Prime as of July 26, 2013, please post a comment here and let me know!

How do I know which books are written by this same "David M. Stein"?  I've been told there are other "David Stein" authors out there, some with rather interesting tastes in book topics.  Rest assured that I have only written the books you see listed on my Kindle Author's page

Why am I doing this?  It's simple:  I have four kids still living at home, and my car is pretty darn old.  So you can rest assured that while you save money, and stuff your brain with new information, you're also helping a good cause.

Best Exam Ever

If you work in IT and have ever chased certification, you are well aware of the familiar exam questions.  Most are scenario based, but they are always focused on the technical aspects.  We all know that technical skills will only get you so far in a career.  There's much more that has to be mastered in order to gain upward mobility.  Here's an example exam to try out...

1. Your boss calls you into a private meeting and explains his new "vision" for the IT environment.  He read an article on a recent business trip flight about how switching from Windows to Linux will save tons of money.  He insists there's no research or planning required.  "Just do it" he says, like the Nike commercials say.  You try to explain the problems with getting all the Windows applications to run either natively with WINE or through virtualization, but he waves you off as if you were a noisy mosquito at a wine festival.  You need to make a decision on what to do.  You choose one of the following:

A. Request a transfer to a different department (different manager)
B. Apply for a job at a different employer
C. Insist he increase his dosage of Xanax and avoid business flights for another year
D. Put a Linux wallpaper theme on his Windows desktop and convince him the migration is complete

Mixing Oil and Water: Systems Engineering and Software Development

In all my years working this field we call "IT" I have never seen an environment where these two groups coexist cohesively and with a common goal.  Systems Engineering and Software Development.  Sure, they might get along well, and share working spaces, but as functional entities they typically exist in separate worlds, chasing their own beasts to slay.  And why not?  After all, they serve different purposes, for different masters (usually). They use different tools and techniques.  They often have very different reasons for doing things as well.

The Developers want to create and update things.
The Engineers want to implement and upgrade things.

Hmmm.  Those aren't that different after all.  Are they?  I know some folks would argue that engineers want to implement and "maintain" things, but maintenance is really an operations role, which in most cases falls into the hands of Systems Administrators (or "sysadmins" to use contemporary parlance).  Engineers want to engineer things.  Simple enough.  However, maintaining isn't really engineering, it's really maintaining or administering; keeping things moving along without interruption.

Developers want to create new things.  Write new code, new features, new widgets.  Add new capabilities or make the interface more "cool" and intuitive.  They don't want to maintain things any more than engineers do, even though they have to deal with bug fixes, patches, service packs and regression testing.  Life sucks.  Nobody said the gravy doesn't have lumps every now and then.  Engineers have to deal with those lumps too, especially when transitioning new things into the hands of the SysAdmins.  It's life (and it happens to pay pretty darn well, thank you).

So, if these two camps are so similar, and they often possess such awesome potential, when then are they not more often exploited towards a common goal?

Prologue

I'm writing this because this quasi-mythical world is precisely where I've found myself repeatedly over the past twenty-odd years.  You see, I started out as a draftsman (on the board, with sepia, paper and Mylar, thank you), and was part of the wave of folks in the 1980's who got corralled into the emerging world of CAD, or Computer Aided Design.  That led to customizing the CAD toolset, which sucked me into the world of software development and programming like drunk sailor in front of a Thai brothel (no, I was never in the Navy, nor have I ever been to Thailand, the phrase just seems to fit).

After years of that, I drifted into "mainstream" IT by way of helping an old friend implement SMS 2.0 in a large corporate environment (ok, he did 99% of the work, I just handed him some wrenches), but it was enough to turn on a light bulb in my head about the incredible potential of a networked environment, the tools, frameworks and protocols that make it possible to leverage a whole new level of capability and productivity on a much larger scale.  LDAP, ADSI, WMI, TCP/IP, SNMP, the Windows API stacks, Registry, Event logs, alert mechanisms, and so on.  Then came ever-increasing power and simplicity with enterprise databases (Oracle, SQL Server), and the arrival of web technologies.

Oh man, I was so there.  SO THERE. It was like a labor camp escapee wandering into a Ruth's Chris restaurant on "free dinner" night.

Even now, even when I get involved in another project to inject Development into Engineering, it's the exception, never the rule.  In most cases it creates such an oddity that neither camp gets offended, just more or less confused about the value.  That is, until the project starts to bear fruit.  Then I get Engineers asking about the development aspects, and Developers asking about the infrastructure engineering aspects.  It's kind of like the old Reese's Peanut Butter Cup ads from the 1980's.

Continuing On...

As Yogi Berra might have said, I've been doing the same thing over and over again, only differently each time.  I am handed some problems to solve, which span multiple systems, multiple departments, multiple environments, multiple business cultures, multiple security realms, multiple personalities, and asked to somehow build something of a bridge across all of it to get the traffic (information) moving.  I don't really have name for it.  Some call it BPA, or Business Process Automation, or Systems Automation, or Data Mining (not a really great term).  Some don't know what to call, so they just give a description like "that stuff Dave is working on".  But whatever it might be called, it's where these two worlds intersect.  And the result is quite a lot like the Super Hero Action League touching their power rings together (only without the "shazamm!!!" sound effect).

A lot of vendors would argue you can solve almost every problem with an out-of-the-box solution, but anyone who's worked in this realm for more than a decade knows that's as realistic as pocket-sized nuclear fusion power.  Maybe someday.  Maybe someday.

Putting this a slightly different way: Any time you implement something to abbreviate the steps required to perform a repetitive task, it most likely involves writing a script, a program, or configuring a bunch of options in a widget to enable this to happen.  This borders on Software Development.  With the advent of PowerShell, especially the concerted effort behind its proliferation, we're seeing a surge in the popularity and prevalence of SysAdmins writing scripts to handle chores that were once considered off limits.  Maybe it was because of a bad perception about VBscript or Batch scripting?  Maybe it's because PowerShell is becoming so intrinsically part of more and more Microsoft (and VMware) products?  Maybe it's because of it's Spartan syntax and brevity (at the command line, not always so within cmdlets)?

I've met so many people in this line of work who have strong feelings about "best practices".  Many are of the opinion that unless there's a ready-made product to do something, it shouldn't be done by other means.  This is not only short-sighted and foolish, it's downright disingenuous towards the employer.  If there exists a means to solve a problem now, even if it requires a little elbow grease, you owe it to yourself, your employer, and your customers to consider it.  Especially if this involves existing means which are "free" (provided with the products already purchased: Windows, etc.)

Microsoft didn't provide this insanely broad inventory of API's, protocols, command tools, and utilities for talking about at dinner parties.  They were provided for your benefit, and the benefit of their customers to build things to do more than they do "out of the box".   Don't be afraid.  Don't fear change.  The "Soft" in Software was Charles Babbage's gift to all of us that freed us of the Iron shackles to hardware.  It was intended, from the very start, to be "changeable".  To allow us to adapt processes and capabilities to meet newer challenges.

If you ever, and I mean EVER, enjoyed building things as a child, whether it be Lego's, model kits, model rockets, Linkin Logs, or even stacking wooden blocks, you should find a lot to enjoy building things on the Windows platform.  Heck, any platform to be honest, but for this discussion I'm thinking along the lines of Windows.  It seems that either a lot of grown-ups forgot how much fun that experience was, or they never got into it in the first place.  If you consider yourself an Engineer, and ever wondered what it was that Developers found appealing in their work, it's the fascination with putting things together from scratch and seeing them perform when finished.  Engineers get that sensation as well, but at a higher level in the logical technology stack.

In most cases, Engineers are working with components which were provided by Developers, but this is where it often stands and never changes.  There's still room for development during the Engineering phase.  When the out-of-box components don't hit every note in the song, it can do wonders to get a Developer involved.  In most cases, if the right people are involved, the song comes out even better than expected and ideas start popping out for new potential and new directions.

Conclusion

IT is all about change.  It's an intrinsic part of the fabric of technology.  To fear it is to refuse the absolute purpose in and of itself.  Nothing demonstrates, or proves, the value in embracing this more than seeking a convergence between Development and Engineering. Nothing.  The teaming of the "thinkers" with the "do-ers" is the ultimate way to push it as far as it can go.  As long as these two worlds are kept isolated, or at the very least, un-involved, the less we take this profession seriously and the more handicapped we keep our employers as a result.

Querying Services on Remote Computers

I'm still amazed that so many up-and-coming admins and SE's knee-jerk to using a script to perform a task that is readily available from a command prompt.  In this case, the SC command.  The SC.exe command resides in the %WINDIR%\System32 folder on most Windows XP, Vista and Windows 7 systems (as well as Windows Server 2003, 2008 and 2008 R2).  It's also alive an well on Windows 8 (Dev Preview build, anyway), and I presume resting within Windows Server 8 as well (I haven't seen it yet).

The syntax is rather basic:

sc <server> <option> <parameters>

but most people use it for querying the local services state, as follows:

sc query

The flexibility comes with the "<server>" argument, which is the NetBIOS computer name (with preceeding \\), so to query a remote computer named DESKTOP1 over your network...

sc \\DESKTOP1 query

And just add a piped "| more" to pause screen-by-screen (or redirect into a file, etc.)

One short and simple command, instead of a bunch of VBScript or even a lengthy Powershell cmdlet.  Nothing wrong with those options, but it's nice to know there are other alternatives.

Remember: To break open this little nugget, open a CMD console and type "sc /?", press Enter and enjoy!

11 Ways to Manipulate the Windows Registry

• Direct via REGEDIT
• Command line using REG.exe
• Import via .REG file (invokes REGEDIT)
• COM Scripting: VBscript, KiXtart, Perl, Javascript, etc.
• .NET Scripting: PowerShell
• Group Policy
• Group Policy Preferences
• .MSI installer
• .EXE application
• Stream Interface: Java
• Temp Labor:  Order Timmy to do it

Group Policy Loopback Processing: Replace vs Merge

Recommended reading:

http://feeds.4sysops.com/~r/4sysops/~3/1zE6FrBmHj0/

This is a great "part 2" article on Group Policy Loopback processing by Kyle Beckman at 4SysOps.  The entire article set is a great resource for anyone who works with Active Directory Group Policy, even if you don't bother with loopback processing.

The best way to summarize loopback processing to someone that has no idea what Group Policy is, would be to say it's like an election ballot where the question reads: "Vote NO to not allow the disallowance of none of the nothings nobody never not wanted"  It can be pretty twisted if you don't pace yourself on the way in.  The best advice I can give anyone (if I'm permitted to give any advice of any kind) is that you shouldn't touch any Group Policy feature without first [A] reading up on it from as many sources as you can find, and [B] testing the behavior in a lab that mimicks your actual production environment.

I cannot stress [B] enough.  Having a lab that is "sort of" like the production environment is fine for testing applications, Windows deployments, SCCM, SCOM, SQL, LDAP and so on, but for Group Policy testing it is not going to work.  There is way too much involved with layering, merging, blocking, inheritance, WMI filtering, user vs computer, loopback processing, and so on.  One small difference can change the course of the entire test.  And with "tattooing" you can end up with a mistake that is very difficult to undo or reconfigure.  A minimalist approach is the absolute best approach to implementing Group Policy.

With all this in mind, this article is a fantastic resource for wrapping your mind around one of the more terse aspects of Group Policy: loopback processing.  Enjoy!

Calling a URL from WinPE / DaRT Environment

So maybe you find a need to call a URL from a WinPE or DaRT session (yes, I know, DaRT is a modified WinPE), but without IE or a browser you find it a challenge.  Fear not.  There are options at your disposal.

Option 1 is to install a light-weight browser into your WinPE bundle, like Bart’sPE did/does.  Firefox is a fairly common choice for that, but if you can get another browser to do that you have that option.

Option 2 is to invoke the XMLHttp object via script.  You can do that with VBscript since wscript/cscript components are part of WinPE and DaRT.  The nice thing about this is with XMLhttp, you essentially have a browser but without the GUI.  You call URL's and even fetch (i.e. "scrape") the return HTML results if needed (I do that a lot and may post some examples soon).  A command-line browser, sort of.

Here’s an example of option 2 – calling an ASP page with parameters…

url = "http://myserver.domain.com/loginfo.asp?c=Workstation123&os=Windows7&ts=Enterprise32b"
 
On Error Resume Next
Set ohttp = CreateObject("Microsoft.XmlHttp")
oHttp.open "GET", url, False
If err.Number <> 0 Then
    wscript.Echo "fail: unable to open remote URL for asset number!"
    wscript.Echo "fail: error is " & err.Number & " / " & err.Description
Else
    oHttp.send ""
    textData = oHttp.responseText
    wscript.echo "info: completed"
End If

If error-checking isn't your cup of tea (or Four Loco), you can leave off the code from line no.4 to the end.  The meat of this is lines 2 and 3 actually.  Just create the object instance and call the .open method.  That boils down to just the following...

url = "http://myserver.domain.com/loginfo.asp?c=Workstation123&os=Windows7&ts=Enterprise32b"
 
Set ohttp = CreateObject("Microsoft.XmlHttp")
oHttp.open "GET", url, False

Group Policy vs Scripting. Version 2011

I know I repeat myself quite a bit.  My kids tell me that.  My wife tells me.  My dog tells me as well.  That’s ok.  Sometimes things need repeating.

I’ve worked with scripting and programming, in various languages and on various platforms, for about 22 years now.  I still do a lot of scripting and code development for servers, desktops, web applications, infrastructure, and just for the hell of it.  Ok, at times it’s a lot of for-the-hell-of-it, but that’s ok, since I have no life whatsoever it makes me forget that while I curse and swear at my screen.

So why does it freak out my colleagues when I respond to most questions involving automation with “have you looked at using Group Policy?” ?  Or when someone says “I need to push out this registry/file/shortcut/scheduled task/drive mapping/printer mapping/environment variable (or whatever) to 50,000 computers by tomorrow!” and I say “Group Policy Preferences” and slurp the bottom of my cup through the straw loudly without blinking.

Yes.  Group Policy, and the newer Group Policy Preferences extensions, are better, easier and quicker to use for solving most sys-admin problems than scripting.  There are exceptions of course (hey, EVERY rule has exceptions), but they are rare.  To sum it up in the simplest “general rule”:

- If you need deploy or push a configuration change “outward”, use GPO or GPP

- If you need to collect something or some things from desktops and servers, use scripting (or System Center Configuration Manager 2007)

Does that make sense?  Again: this is a general rule, and it applies mostly to environments with Windows Vista or Windows 7 and Windows Server 2008 or 2008 R2.  However, there are extensions for GPP to run on Windows XP and Windows Server 2003 (eeew!).  I say “mostly” because even though GPP is applicable to XP/2003 and newer versions, there are hundreds of base-level Group Policy Object settings which are only applicable to Vista/2008 and newer versions.  Since nothing works in a vacuum, it really takes a comprehensive approach to judiciously leverage GPO settings with GPP to accomplish real automation results.

So, whenever you are facing a task involving the deployment of a configuration change to your environment, always, ALWAYS, consider Group Policy and Group Policy Preferences FIRST.

AutoCAD Profiles

What is a Profile?

An AutoCAD "profile" is a named collection of configuration settings.  A Profile may include options that control display, modeling, user interaction, printing and plotting, saving, importing and exporting, units of measurement, and so on.  There are essentially two types of "Preferences" in the AutoCAD environment: Application and Database.  "Database" is another word for "Drawing" in this context, so "Database Preferences" translates into "Drawing Preferences" or configuration settings that are drawing level or drawing-specific.

How are they stored?

They are actually stored as Windows Registry keys under the path: HKEY_CURRENT_USER\Software\Autodesk\AutoCAD\R18.2\ACAD-A001:409\Profiles\

The first profile created by default is the "<<Unnamed Profile>>" but as you create new profiles they will be added under the \Profiles\ path as well.

How are Profiles accessed and controlled?

There are several ways to get at profiles.

• From the OPTIONS dialog forms within AutoCAD
• From the Windows Registry
• From exported .ARG files
• From programmatic interfaces like COM and .NET

The first method is pretty simple and self-explanatory. So let's dig into the others.

The Windows Registry is where profiles are stored and maintained.  When you create a new Profile within the OPTIONS dialog, it creates a new sub-tree with the corresponding name and populates it with all the pertinent keys and values to store the profile configuration.

If you export the profile from within the OPTIONS dialog, it creates an .ARG file.  This is actually a .REG file (a Windows Registry export file format), so you can very easily rename a .ARG to .REG and use it like any other Registry data file (import, export, archive, etc.)

The programmatic interfaces for accessing and manipulating profile data are most often via .NET or the older COM interfaces.  Because they are stored in the Windows Registry, ANY other programmatic interfaces that can manipulate the registry can be used as well.  When it comes to leveraging .NET interfaces, you can pretty much narrow that down to Visual Studio tools like VB.NET, C#.NET, PowerShell, as well as ObjectARX®   When it comes to COM interfaces, you can use anything that talks COM.  Some examples include VBscript, Javascript, KiXtart, PowerShell.

Programmatic Access to Preferences

VB.NET

Dim acPrefComObj As AcadPreferences = Application.Preferences

C#

AcadPreferences acPrefComObj = (AcadPreferences)Application.Preferences;

VBA

Dim acadPref As AcadPreferences
Set acadPref = ThisDrawing.Application.Preferences

Visual LISP

(setq objAcad (vlax-get-acad-object))
(setq objAcadPrefs (vla-get-Preferences objAcad))

Windows Scripting Host - VBScript

Because VBScript is external to the AutoCAD application environment, it must first obtain an object instance of the AcadApplication class in order to begin drilling into the internal objects, properties, methods and so on.

Dim objAcad, objAcadPrefs
Set objAcad = CreateObject("AutoCAD.Application")
Set objAcadPrefs = objAcad.Preferences

Programmatic Access to Profiles

VB.NET

Dim acadApp As AcadApplication = CType(Application.AcadApplication, AcadApplication)
acadApp.Preferences.Profiles.ExportProfile("PROFILE_NAME", "C:\test.arg")

This is one way to get at Profiles from within an AutoCAD session environment.

Visual LISP

This is (or these are) another example of getting at Profiles from within AutoCAD.

example: linear expression…

(setq objActProfile (vla-get-ActiveProfile (vla-get-Profiles (vla-get-Preferences (vlax-get-Acad-Object)))))

example: unfactored collection of expressions

(setq objAcadApp (vlax-get-Acad-Object))
(setq objAcadPrefs (vla-get-Preferences objAcad))
(setq objProfiles (vla-get-Profiles objAcadPrefs))
(setq objActProfile (vla-get-ActiveProfile objProfiles))
(vla-ExportProfile objProfiles "Fubar" "c:\fubar.arg")

Windows Scripting Host - VBScript

This is an example of getting at profiles from outside of AutoCAD.

The downside to accessing the Profile collection via a non-object interface is that you don't get the nice object-oriented methods and syntax that make it kind of neat-o to use.  So instead of crawling the object tree, as it were, you have to fetch each entity as a distinct data value.

setq objShell = CreateObject("Wscript.Shell")
path = objShell.RegRead("HKCU\Software\Autodesk\AutoCAD\R18.2\ACAD-A001:409\Profiles\MyProfile\ACAD")
For each folderName in Split(path, ";")
    wscript.echo folderName
Next

Keep in mind that the Wscript.Shell RegRead() method is only useful on the local computer.  But this isn't really an obstacle since you don't really want to access HKCU on a remote computer (you have to first map the user SID to obtain the HKEY_USERS path because HKCU is a pseudo registry hive that exists only under the local user context).  So… you can do it, but you have to ask yourself if it's really the best approach to getting at things on a remote computer.  Why not invoke the interface under the local user context?

PowerShell

$a = get-item HKCU:\Software\Autodesk\AutoCAD\R18.2\ACAD-A001:409\Profiles
$a.SubKeyCount <-- returns the number of profile trees beneath the Profiles path
$a.GetSubKeyNames() <-- enumerates the profile names

The upside to using PowerShell over VBscript is that you can invoke object programming techniques.  This is because $a (in this example) is actually an object instance.  There are other ways to employ PowerShell, so don't think this is the only possible approach (it's barely scratching the surface).

Group Policy Preferences

That's right.  As astounding as it may be, I have long ago recommended Windows admins explore the use of Group Policy Preferences for managing and manipulating computer settings with less effort than scripting typically requires.

But you say "Dave?! How can you suggest we leave scripting out in the cold, starving and dying of neglect?!  How cruel!"

Fair enough.  But once you see how easy it is to create, modify and delete registry keys and values on a bazillion computers, you will look at your old login and startup scripts like the old girlfriend you dumped years ago (and never regretted).

Possibilities

They are almost endless.  For example, using the available tools and technologies, you can rig up a way to automatically reset profiles for classroom settings (if you don't use virtual machines to handle state management).  You can deploy and update a standard profile for specific business groups, locations or for the entire operation.  If a path reference is set in a default profile, but later needs to be changed (and you didn't map it to a DFS target) you can push out a fix using scripts or even a Windows Group Policy Preferences object setting.

Conclusion / Summary / Mumbo-Jumbo Ay Carumbo!

I have no intention of trying to create an ebook expose to exhause every conceivable way you can get at Profiles, create, rename, modify, delete, import or export them.  I also did not intend to cover every programming language or programmatic option available or possible.  The goal here is to simply show the following:

1. The Preferences and Profiles items are structured and fairly well-defined
2. They are accessible from a lot of different angles using a lot of different tools
3. You have choices and options at your disposal

That said: go forth and hack away.  Just don't call me if you break anything.

Possibilities

My mind boggles at the potential to build incredible things from free and built-in functions within Windows and other Microsoft products.  Then there's all the bazillion freeware third-party tools out there and the result is unlimited possibilities for automating your environment.

For example, the DriverView utility from NirSoft is a standalone runtime (akin to Sysinternals' utilities) which runs without requiring a dedicated installation.  Better yet, beyond the fact that it does an amazing job of reporting driver information, it provides a robust command-line interface as well.

Just one example: you could run a command-line statement to dump all the driver information for each computer to an XML file and import the data into a database for collective/aggregate reporting.  Hmmm.

What's Old is New…

Any of you remember a few years back, when Microsoft was kicking around the idea of an ad-supported Windows?  The concept of putting paid advertisements on the desktop in exchange for making the operating system either free or really cheap, was at the time considered absurd and offensive to many.  The general public scoffed at the idea and Microsoft quietly killed it off.  Like WebTV, Tablet Computers, and other projects: it was an idea that was struck before the iron was hot enough to bend.

So now we have ads in Facebook, Twitter, YouTube, Bing, Yahoo!, Google (including Gmail), on every "news" web site from CNN, to Fox, MSNBC and 99.999999 percent of local TV news organizations as well.  They're on our mobile phones and in every sports poster known to every fan around the world.  Ads are all around us, and in our faces, so much that we've become effectively unaware of them, as compared to our perception back in 2000.  Heck, they even slip ads into RSS feeds now and that was once considered an impossible idea.

So what now?

It's 2011.  If Microsoft said "Hey, we'll ship a free version of Windows X that forces ads on the desktop wallpaper background" would you go for it?  I sure as hell would. 

Group Policy Horrors

I'm reviewing a client's environment to assess the root causes for reported "slow logins".  I do my usual quick-pass analysis of the AD environment, the connectivity, DNS, blah blah.  Then I do a second pass with DCDIAG, NETDIAG, REPADMIN, event logs, nslookup, and gpresult, etc.  Three words: Oh My God.  They don't have a log of GPO's in their environment, but after 30 minutes of intense scrutiny of what each GPO has "enabled" or "disabled" and I had to look around to find where my jaw bone had fallen off.

People.

Please.

If you tinker with GPO's…

TEST THEM in an ISOLATED environment BEFORE you ever put them into PRODUCTION.

I beg you.  Please.

Apparently, the sysadmin dudes (I haven't yet met them so I will withhold judgement until I do) had found quite a few (translation: hundreds) of settings they thought interesting enough to modify their setting.  Aside from the DNS errors, the replication errors, the DHCP errors, the roaming profiles (oh holy geez, I haven't yet begun to digest that part, ugh), and the WINS/NetBIOS master browser bullshit flying around like gnats at carcas party in the Sahara, I would say that at least a good portion of the "slowness" is from having to process a (excuse my technical term here…) shitload of Group Policy settings at every login, every 90 minutes thereafter, as well as at every startup, login, logoff and shutdown.  Yes.  I'm not kidding.  They enabled or disabled things for all of those events. Wonderful.

How can I compare this to something tangible in life?…. hmm…. finger's tapping…. stares into space pondering a suitable analogy or metaphor…. hmm….

Ok.

It's like this:  Group Policy is powerful and insanely useful.  It is fire.  Fire can cook food.  It can provide warmth in a harshly cold environment.  It can dry things.  It can also burn the absolute living shit out of you if you don't treat it with respect.  Yes.  I mean that absolutely.  GPO's are not something to tinker with unless you've studied them, tested them and tested them again.  Jeremy Moskowitz has some great info out there to read up on, as do many other sites, blogs, etc.

One word to keep in mind at all times with GPO's is "tattooing".  Undoing a GPO change in a large environment can often be a daunting and difficult task.  It's not always a matter of changing a setting from "Enabled" to "Not Configured".  Many times you have to "double-smack" it by setting it to the opposite, and then back to "Not Configured".  It's messy.  In some instances things can get broken so bad that the only pragmatic "fix" is a new environment.  Yep.  I've seen that.

My wife is cooking something that smells so f-ing good I'm ready to eat my own shirt sleeve in response to uncontrollable hunger.  Gotta go - cheers!

Happy Friday: Scripting Windows Search

As a small example of my previous post, here's a script that reads a search list (text strings, phrases) from a text file, and runs document searches for any that contain those phrases. It involves a few moving parts:

• A CMD script
• A VBScript script (sorry, redundant I know)
• An input text file
• A "logs" folder beneath the folder that stores the scripts and input file

To test this, drop a bunch of files with matching phrases on your C: drive using various formats like TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, PDF, CSV, LOG and whatever.  Set up the three files below, then run the scanFiles.cmd script from the computer where the files reside.

CMD script (scanFiles.cmd)

@echo off
SETLOCAL
SET logfile=%~dps0logs\%computername%_files.txt
cscript.exe /nologo "%~dps0scanFiles.vbs" >%logfile%
ENDLOCAL

VBScript (scanFiles.vbs)

'****************************************************************
' Filename..: scanFiles.vbs
' Author....: David M. Stein
' Date......: 02/10/2011
' Purpose...: generate file scan report using Windows Search queries
'****************************************************************
Option Explicit

Const verbose = False

'----------------------------------------------------------------
' comment: DO NOT CHANGE ANY CODE BELOW THIS POINT !!!
'----------------------------------------------------------------

echo "info: script initialized " & Now

Const ForReading = 1
Const ForWriting = 2

Dim objConnection, objRecordset, query, scriptPath, inputFile
Dim objFSO, objFile, strLine, searchList, itemCount : itemCount = 0
Dim filePath, phrase

Set objFSO = CreateObject("Scripting.FileSystemObject")

scriptPath = Replace(wscript.ScriptFullName, "\" & wscript.ScriptName, "")
inputFile = "searchlist.txt"
filePath = scriptPath & "\" & inputFile

On Error Resume Next
echo "info: searching for searchlist.txt input file..."
If objFSO.FileExists(filePath) Then
    echo "info: reading search values..."
    Set objFile = objFSO.OpenTextFile(inputFile, ForReading)
    Do Until objFile.AtEndOfStream
        strLine = objFile.Readline

     If Left(strLine,1) <> ";" Then

         If searchList <> "" Then

             searchList = searchList & vbTab & strLine

         Else

             searchList = strLine

         End If

         itemCount = itemCount + 1

     End If

Loop
    objFile.Close
End If

echo "info: " & itemCount & " phrases were queued"

'----------------------------------------------------------------
  
echo "info: initializing window search interface..."
 
Set objConnection = CreateObject("ADODB.Connection")

echo "info: opening windows search data connection..."
objConnection.Open "Provider=Search.CollatorDSO;Extended " & _

"Properties='Application=Windows';"

If err.Number <> 0 Then
    echo "fail: connection-open failure [" & _

err.Number & ":" & err.Description & "]"
    wscript.quit(2)
End If

echo "info: beginning windows search scan process..."
For each phrase in Split(searchList, vbTab)
    wscript.echo "PHRASE: " & phrase
 
    query = "SELECT System.FileName, System.ItemPathDisplay, " & _
        "System.DateCreated, System.DateModified " & _

     "FROM SYSTEMINDEX WHERE Contains('" & Chr(34) & phrase & Chr(34) & "')"

 Set objRecordSet  = CreateObject("ADODB.Recordset")

objRecordSet.Open query, objConnection
 
    If err.Number <> 0 Then
        echo "fail: recordset-open failure [" & _

         err.Number & ":" & err.Description & "]"

     objConnection.Close

     Set objConnection = Nothing

     wscript.quit(3)

End If

    If Not (objRecordset.BOF and objRecordset.EOF) Then
        objRecordSet.MoveFirst

     echo "info: iterating recordset results..."

     Do Until objRecordset.EOF

         wscript.echo "MATCH: " & _

             objRecordset.Fields.Item("System.ItemPathDisplay").value & _

             vbTab & objRecordset.Fields.Item("System.DateCreated").value & _

             vbTab & objRecordset.Fields.Item("System.DateModified").value

         objRecordset.MoveNext

     Loop

     wscript.echo

Else
        echo "info: no matching records were found"

End If
    objRecordset.Close
    Set objRecordset = Nothing
Next

objConnection.Close
Set objConnection = Nothing

echo "info: processing completed " & Now

Sub Echo(s)
    If verbose = True Then
        wscript.echo s
    End If
End Sub

Input File (searchlist.txt)

; input file, prefix with semi-colon to disable lines
Dogs hate cats
Fish hate cats
Cats love fish

Windows Admin Basics: Security 101

\\Server1\e$\FolderA (NTFS):
(local) Administrators = Full Control
(local) Users = Read
(domain) SalesManagers = Modify

\\Server1\FolderSales (Shared: "FolderA")
Everyone = Read
(local) Administrators = Change

User "jdoe" is a member of "SalesManagers" AD security group.  He gets an "access denied" message when trying to save a file into the folder "\\Server1\FolderSales".  Which of the following actions can be taken to allow "jdoe" to save the file into this shared location without requiring "jdoe" to log off and log back onto the domain?

1. Add user "jdoe" to the local "Administrators" security group on Server1.

2. Add the "SalesManagers" domain security group to have Change rights to the FolderSales share permissions.

3. Add user "jdoe" to the "Server Admins" domain security group, which is a member of the local "Administrators" group on every server in the domain.

Domain Service Accounts are STUPID

I've covered this before, but apparently, amazingly, there are people on this planet who do not read my stupid blog.  As if there is anything more important or interesting out there.  Geez.

(Imagine this for just a moment: Rioting in Cairo comes to a halt, as one guy over on the side yells out "Hey!  Check this American idiot blog out!" and the crowds quietly converge around this guy's laptop to read this right now.  Yeah.  It could happen.  Right after the monkeys fly out of my butt).

I've mentioned this topic several times in the past, like here http://skatterbrainz.blogspot.com/2009/02/windows-7-2008-r2-managed-service.html and here http://skatterbrainz.blogspot.com/2008/11/can-you-roll-your-own-management.html and here, but most importantly here http://skatterbrainz.blogspot.com/2008/08/using-system-account-instead-of-domain.html

I feel like a traveling minstrel everytime I have to explain this to someone.  Even more amazing when I have to explain it to a SCCM administrator.  As if they didn't already use this when granting permissions to the MP and SLP role hosts on the System Management OU in Active Directory.

It goes like this:

The local SYSTEM account only has rights to the local machine, by default.  But, what happens when you attempt to access a remote resource using the local SYSTEM account, is that the remote resource sees the incoming authentication request coming from DOMAIN\COMPUTERNAME$ (where "DOMAIN" is your NetBIOS domain name, and "COMPUTERNAME$" is the name of the computer where the SYSTEM account process was initiated).  The "$" suffix is Windows' way of identifying a computer account (as if it doesn't already have enough other ways to know this).

All computers which have been joined to a domain become members of the default group "Domain Computers".  This group is not a member of any other groups by default.  It is not granted any resource accesses either, by default.  It's just sitting there, in case you need it.  Well - YOU NEED IT.

You can go about this in one of three ways:

1. For resources that need to grant access to all domain computers, just grant the "Domain Computers" group the appropriate access.
2. For resources that need to grant access to one specific computer, just grant the Computer$ account explicit access (although, this technically breaks the AGUDLP or ADLGUP methodology, or whatever.  I live by it, but don't ask me to say it right)
3. For resources that need to grant access to a specific collection of computers, create a security group (Global or Universal, whatever) and grant access to the group

Sounds easy - Right?   That's because IT IS EASY.  EASY as taking a dump after eating a pound of Chinese food and a box of laxatives.  You'll wonder why you EVER bothered making stupid domain accounts to run scheduled tasks, backups, launch services, etc.  Then you'll smack yourself in the face realizing you don't need to manage passwords anymore either.

Please.  Give it a try.

Like I said: Scripting vs Group Policy

After consuming a tasty beer and a steak delivered by the hand of God herself (yes, it was *that* awesome) I was thinking about how to frame this topic.  Then it dawned on me that the best way is the simple way.  You know: simple.

** Effecting outbound configuration management: Group Policy

** Collecting inbound configuration data: Scripting

Got it?  Ok, let me try it the complicated and confusing way…

If you want (or need, and let's be honest, it's hard to distinguish between want and need most of the time - isn't it?) to touch a bunch of computers or users to modify settings, lock down things, open up things, add things, take away things, in the registry, files and folders, shortcuts, drive mappings, printer mappings, environment variables, services, networking, screen savers, wallpaper, home pages and favorites, etc. --- then use Group Policy.

If you want or need to scrape data from machines or user sessions, collecting files and registry data, tallying counts of things, installing and patching things, uninstalling and cleaning up things, etc. --- the use Scripting.  And even then, check to be sure there isn't a GPO setting that can do it first.

Oh, and one more thing: DO NOT use Group Policy to install software.  Yes - it's technically feasible.  It's also technically feasible to fornicate with a moose, but you don't do it (at least I hope you don't).

And if you want to grill a steak, don't use scripting or Group Policy.  Use a grill.

Group Policy, Tattooing, Scripting, Blabber

Put them all together and what do you get?  That's right: GroupPolicyTattooingScriptingBlabber.  That's what.  I don't need to explain or define Group Policy.  Nor scripting.  But many folks who work in the IT field don't really understand the Group Policy characteristic known as tattooing.  Relax, I'm not going to explain that one either. (insert hysterical laughter here).  But I will brush up against it here a bit.

Tattooing is basically where a GPO setting is applied by virtue of scope validity, but then once the target is out of scope, the setting remains.  This is because the "Not Configured" option means that nothing is affecting or manipulating the setting, so if it was set by something already, it is simply ignored, so it remains.

Need a tangible example?  Ok.

You create a GPO.  The GPO contains a setting to change the desktop wallpaper to a photo of a gay pride parade in downtown San Francisco.  You thought it would be a great idea for your redneck buddies to see that when they log in on Monday morning.  Until now, you have no GPO's that apply desktop wallpaper settings, at least not linked to the OU where the redneck buddy user accounts reside (it is a user-based setting after all).  So now you go ahead and link your clever little GPO to the OU where their user accounts reside and you leave to go have a few dozen beers with some friends. 

Monday comes around.  You completely forgot about your little prank.  Jimmy Bob gets to work, takes off his camo jacket and matching camo hat, sits down and logs on.  Five minutes later, Jimmy Bob is standing over your shoulder breathing heavy.  You turn to inquire as to his visit and are met with a fist to your face.  Not a good Monday.  After stuffing tissues in your nostrils to soak up the leaking blood, you turn back to your keyboard and mouse and unlink the GPO.  You assure angry Jimmy Bob all is well and he finally leaves.

Five minutes later, Jimmy Bob returns and kicks you in the nuts with his size 12 steel toe Gortex camo hunting boots.  He also spits a glob of baccky juice on you as you roll around in a fetal ball on the floor.  Your IT co-workers wisely pay no attention.  So you ask: "I unlinked it.  Why is Jimmy Bob still hurting me?"

Because now that that GPO is unlinked, there is nothing to effectively "undo" or override the settings it effected.  You have options:

1. Make another GPO to forcefully modify that setting to something that causes you less physical harm, and leave it in effect.
2. Make another GPO to forcefully modify that setting to something that causes you less physical harm, and then unlink it.
3. Use a script or manually remove the Group Policy settings from the target computer (usually in the Registry)

Option 3 is the ugliest, and since your face is bleeding and your crotch is damaged, you probably don't feel like doing a lot of manual labor right now.  And let's not forget that time is of the essence here?  You need to placate Jimmy Bob soon or he will pay you another painful visit.  Nerds are no match for angry moose-sized rednecks after all.  So this leaves options 1 and 2.  Which is best?

Option 2.  Unless you plan on continuing to use that GPO for managing those settings going forward.  This simply nudges the targets back into a newer configuration state and leaves alone, sort of like bumping a model ship in the water to change its course.  This option also reduces subsequent startup/login processing overhead after the change has been implemented.

I told you there was blabbering involved.

Next up: Another spin on Scripting versus Group Policy…

Systems Management Interfaces

I'm sure I'm missing a bunch of other items, but this is a rough start anyway.  I was thinking of what "things" a system admin deals with most often, as it pertains to local vs remote management of each item.  The two that bother me most are Power Plans and Scheduled Tasks.  I sure hope Microsoft decides to clean those up within WMI.  On an even more grandiose delusion I have: I'd love to see them standardize their command syntax and syntactical structures.  Just compare the SC, SCHTASKS and POWERCFG commands (use /? for each).  Holy crap!   And the first person who chimes with "PowerShell is the standard command structure…": Wrong!  It's a bandaid on an amputated leg.  You don't add tools to fix a problem.  You replace them.  It's called efficiency.  I'm cranky tonight.  Going for a walk in the icy slush, which makes me even crankier because cold weather SUCKS!

	COMMAND	REMOTE	IMPORT	EXPORT	WMI (root/)	WMIC
Scheduled Tasks	SCHTASKS	YES	YES	YES	?	JOB
Services	SC	YES	NO	NO	CIMV2, Win32_Service	SERVICE
Registry	REG	YES	YES	YES	DEFAULT, StdRegProv	REGISTRY
Event Logs	WEVTUTIL	YES	YES	YES	CIMV2, Win32_NTLogEvent	NTEVENT
Power Plans	POWERCFG	NO	YES	YES	CIMV2\Power	-
Computer Serial Number	-	-	-	-	CIMV2, Win32_SystemEnclosure	SYSTEMENCLOSURE
Drive Mappings	NET USE	NO	NO	NO	CIMV2, Win32_LogicalDisk	NETUSE
Shared Folders	NET SHARE	YES	NO	NO	CIMV2, Win32_Share	SHARE