Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

NT SERVICE\ALL SERVICES — cannot grant Log on as a Service role



Pissed off that you cannot grant NT SERVICE\ALL SERVICES the Log on as a service right because the Local Security Policy “cannot find it”? Here’s an inelegant but working quickie:

  • Grant EVERYONE the Log on as a service right.
  • Install the service you need.
  • If the service uses an NT SERVICE\* account as its service account, create a LOCAL ACCOUNT and grant it the Log on as a service right. Replace the NT SERVICE\* service account in services.msc.
  • Reboot the machine. The service you installed should still be there. (The problem manifests itself when you reboot the machine and the service you installed gets uninstalled.)
  • Remove EVERYONE from the Log on as a service right.
  • Reboot the machine again. Verify that the service is still present.

NOTE: Be aware of the security repercussions of this post before following anything you read online!
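
A check for the last two steps, as an added example that is not part of the original post: it parses a `secedit` user-rights export and flags whether EVERYONE or another broad group still holds Log on as a service. The export text and the account name `svc-local-demo` are constructed samples.

```powershell
# Added example: audit who holds SeServiceLogonRight ("Log on as a service").
# On a real machine, produce the input from an elevated prompt with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $infText = Get-Content "$env:TEMP\rights.inf" -Raw

# Constructed sample of a secedit export, taken while EVERYONE still holds the right.
$infText = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeServiceLogonRight = *S-1-1-0,*S-1-5-80-0,svc-local-demo
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Well-known SIDs that should not keep this right once the workaround is finished.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-ServiceLogonRightHolder {
    param([Parameter(Mandatory)][string]$InfText)

    # Find the SeServiceLogonRight line; an absent line means nobody holds the right.
    $line = $InfText -split "`r?`n" | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } | Select-Object -First 1
    if (-not $line) { return @() }

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $id = $entry.Trim().TrimStart('*')   # secedit prefixes SIDs with '*'
        if (-not $id) { continue }
        [pscustomobject]@{
            Identity = $id
            Name     = $(if ($broadSids.ContainsKey($id)) { $broadSids[$id] } else { $id })
            TooBroad = $broadSids.ContainsKey($id)
        }
    }
}

$holders = Get-ServiceLogonRightHolder -InfText $infText
$holders | Format-Table -AutoSize
if ($holders | Where-Object TooBroad) {
    Write-Warning 'A broad group still holds Log on as a service; remove it and export again.'
}
```

`S-1-5-80-0` is the SID of NT SERVICE\ALL SERVICES, so an export taken after the final reboot should list it and the local service account but not `S-1-1-0`.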

Written by jpaloma

May 22, 2014 at 9:57 PM

My Favorite SCCM 2012 R2 Resources



These are my favorite resources for SCCM 2012 R2

More to follow

Written by jpaloma

April 7, 2014 at 7:31 PM

Posted in Microsoft, SCCM

Review: SCCM 2012 Role-based Administration Modelling and Auditing Tool



Problem: You are tasked with coming up with a huge organization’s role-based access control for System Center 2012 Configuration Manager during early deployment. You already have the strategy, but you are very much aware that, given the hundreds of Active Directory Groups, Collections, Security Scopes and Custom Security Roles, you need a tool to test all possible security combinations.

To make it worse: because of the thousands of objects that need to be created, you know you will deploy via PowerShell to make it easier. Unfortunately in automation, one does not make small mistakes: you either make no mistake or a massive one. You need a tool to test out your strategy on a small scale, and then, after creating all those objects using PowerShell, ensure that as far as the security settings are concerned, everything’s properly in place.

Solution: Good thing there’s the Role Based Administration Modelling and Auditing Tool for Microsoft System Center 2012 Configuration Manager.

  • Compare your custom groups with the default ones
  • Ensure that user accounts could only access the intended collections, scopes, etc.
  • Test out how the Console behaves based on different user accounts logged on.
  • And more!

The Role Based Auditing and Modelling Tool is available as part of the System Center 2012 Configuration Manager Component Add-ons and Extensions. Download it now!

Testing against a user account

[Screenshot: 01 RunAs A]

[Screenshot: 02 RunAs B]

In the Console tab, we can see that this user account can only see Device Collections of “AAA” in spite of the fact that there are more collections in this SCCM Site than what’s visible to this user account

[Screenshot: 03 Based on Full Admin A]

Choosing the Full Administrator default role to test

[Screenshot: 04 Based on Full Admin B]

[Screenshot: 05 Based on Full Admin C]

Comparing two roles – the default role and the custom role

Audit RBA

[Screenshot: 06 Audit RBA A]

In Audit RBA, we can see which roles and scopes had been assigned to a specific Active Directory Group

[Screenshot: 07 Audit RBA B]

The AAA Engineers can only access AAA resources

[Screenshot: 08 Audit RBA C]

We can see here that the AA2 engineer can only access AA2 objects and scopes

Written by jpaloma

February 1, 2014 at 2:21 PM

Posted in Microsoft, SCCM

Becoming a community speaker – everyone starts somewhere



It’s really sad that while people are excited whenever community leads announce new events, everyone keeps quiet whenever speaker or demoer volunteers are needed. They say they would rather defer to the “experts” in technology and delivery.

Well, let me say that these “experts” also started somewhere. And we all have our terrifying experiences. Let me share with you mine.

This was during the DevDays Manila in November 1999. I was two months in Microsoft Philippines. The event was at the Philippine International Convention Center (PICC). And for those of us too young to know, that same building houses the Office of the Vice President of the Republic of the Philippines. And guess who was VP that time? The lady known for her Presidential temper. That one is another story.

Anyway, I was to demo dev stuff on Windows 2000 (message queueing?). I did my due diligence and prepared like mad. However, when you hear your name being called out by the plenary session speaker (yes, it was a plenary session with an audience of 1500 or so), all you’ve prepared for goes down the drain. I went in there, did my demo (yes, only demo, no PPT), and my hand was trembling like mad to the point that my mouse clicks didn’t hit their mark. My trembling may not have been noticeable on my monitor, but projected on a big screen it was very obvious. People noticed, and began laughing. This was where the plenary speaker had to do his thing to maintain contact with the audience and calm me down in the process.

To cut the story short, yes, I was trembling, and yes, the audience saw the nervousness, but I pulled through. The people called “experts” also started with terrifying stage experiences. We should be frightened onstage, because if not, we won’t be careful and we would not take what we’re doing seriously!

So, if your community lead comes knocking at your door to assist as a speaker or demoer, GRAB THE OPPORTUNITY, since at least one would be speaking in a small community event. You mess up, what could go wrong? You won’t get fired, right? The fact that you became a speaker may reflect on your CV, but your mess-up won’t. Anyway, at least participate in the smaller events to gain confidence little by little and prepare you for the bigger events.

This is not work, you are a volunteer, and as such your community leads only ask for your participation. They would not ask for perfection.

On a side note re: the VP? Well, to add to the tension, we were at the receiving end of the Vice Presidential temper due to the noise. It was an experience!

CALL TO ACTION: PHIWUG is building up its speaker pool. Do help out, and use the experience and connections. Yes, PHIWUG can actually help you get better at your technical career!

[Photo: Speakers of DevDays 1999 Manila]

I had a terrifying experience onstage while being a demoer during DevDays 1999 Manila

Written by jpaloma

January 12, 2014 at 9:17 PM

SCCM 2012 Site Servers Planning Quick Guide



Central Administration Site (CAS)

  • Needed if you have more than one Primary Site
  • Database should be in a SQL Server instance
  • Does not support roles that involve servicing clients
  • Can support up to 25 child primary sites

Primary Site Server

  • Database should be in a SQL Server instance
  • Avoid placing client-servicing roles in this server
  • Each primary site can support up to 250 secondary sites
  • If co-hosted on a SQL Server, a primary site can support up to 50,000 clients.
  • If a dedicated SQL Server is used, the primary site can support 100,000 clients.

Secondary Site Server

  • In SCCM 2012, this requires its own database
  • Database can be in a SQL Express or SQL Server
  • Database should be co-located with the Secondary Site server

Other notes

  • Management Point on a primary site can support 25,000 clients.
  • Management Point on a secondary site can support 2,500 clients
  • Ensure Distribution Points are available per client location
  • Distribution Point supports up to 4,000 clients. Add more DP as needed
  • Client-facing roles should not be assigned to site servers, especially if servicing Internet-based clients
  • Do not co-locate SCCM and SQL if the database is clustered.
  • Better performance is achieved if SCCM site server is co-located with its SQL Server. If this is not possible, then ensure good connectivity between SQL Server and SCCM.
  • Software Update Point (SUP) running WSUS 3.0 SP2 can support up to 100,000 clients

Reference: http://technet.microsoft.com/en-us/library/gg682077.aspx

Written by jpaloma

January 11, 2014 at 9:55 PM

Posted in Microsoft, SCCM


Microsoft System Center Configuration Manager Materials



Here is my compilation of Microsoft SCCM important links

Learning Microsoft SCCM

System Center Updates Publisher

Written by jpaloma

January 5, 2014 at 10:41 AM

Earn Your Microsoft Certified Specialist: Server Virtualization Title with a Free Exam



Free TRAINING and EXAM from Microsoft! If you pass the exam, you earn the Microsoft Certified Specialist: Server Virtualization title.

Get the full story here. Good luck!

Written by jpaloma

January 5, 2014 at 9:32 AM

Posted in Uncategorized
