New "logged on user" inspector in BES 7.0

(imported topic written by BenKus)

Now that BES 7.0 is released, we can start to discuss many of the nice changes. One change in particular that I think people will be happy about is the new inspectors for “logged on users”.

As a quick background, in BES 6.0, the “current user” was only considered to be the user at the local console and RDP connections did not count as current users. If a message box was displayed, only the local console user would see the message (and if no local user existed, the message would not be shown).

This behavior was changed in BES 7.0 to allow logged in users to be properly handled. A new inspector “logged on user” was introduced with some properties, for instance:

q: (name of it, active of it, remote of it) of logged on users
A: ben, True, True
A: Administrator, False, True
A: Administrator, True, True

Additionally, you can now easily get access to the “HKEY_CURRENT_USER” branch of the registry for logged in users. For example:

q: exists key “Software\BigFix” of current user keys (logged on users) of registry
A: True

These inspectors should be very useful for advanced relevance queries that require looking at logged on users.

Also note that these were quite a pain to implement and took 10x longer than our original estimate due to the complexities of the MS APIs for accessing these registry keys. We told the developers that their pains were well worth it because this will be a widely used set of inspectors.

Ben

(imported comment written by dgibson91)

Ben,

I am a little confused when you say RDP connections didn’t count as current users in BES 6.0. Our 6.0 clients were reporting remote desktop users as current users for Windows XP machines. In 7.0 the current user inspector behaves as you described.

For example, when logged in via remote desktop on Windows XP SP2:

q: exists current user
A: True

(QNA 6.0.15.7)

A: False

(QNA 7.0.1.128)

Can anyone recommend a new retrieve property to replace our old “User Name” property?

Pre 7.0:

if exists current user then name of current user else “”

What we would like to see is the name of the console user, or the active user if there is no console user. I am not quite sure how to take into account vista, xp, servers, and terminal servers for this.

How does this affect deploying actions to clients using the “Run only when there is no user logged on” option?

One of our operators deployed an action using this option and the action was run on a client where a user was logged in via remote desktop. Is this the intended behavior or a bug?

More importantly, this same client snoozed the restart and disconnected from remote desktop (but still logged on). After disconnecting the machine rebooted and closed all running applications. This seems like a bug, can someone confirm?

Daryl

(imported comment written by BenKus)

Hi Daryl,

I believe all the issues stem from the same question:

‘What is the “active user” of a Windows system?’

In BES 6.0, I believe that the answer was ‘any user logged in as the “0-session” user’… This explains why you would see remote users in XP sometimes be the “current user”… The behavior was problematic and considered a bug in many cases because it is inconsistent (sometimes remote users would count as “current user” and sometimes not). Additionally, Windows Vista tweaked a bunch of user session related configurations and it became further clouded.

To address these issues, we implemented a new inspector “logged on users” that I described above. There should be no ambiguity with this inspector and it should hopefully meet all your needs… However, since the “current user” inspector was widely used, we couldn’t throw it away… I believe the best thing we could do to approximate the “desired behavior” of a single “current user” status was to consider the “current user” the “console user” (RDP sessions don’t count).

A bit confusing? I blame Microsoft personally…

To answer your question directly:

‘How does this affect deploying actions to clients using the “Run only when there is no user logged on” option?’

  • In BES 6.0 agents, only users in “session 0” will count as a logged on user (for WinXP this can be an RDP user, but for Win2000/2003 it normally doesn’t count RDP users as logged on users).
  • In BES 7.0 agents, any logged in user (RDP or console users) will count as a logged on user (and messages will be shown to all users).

Can you help clarify the OS and the BES Agent versions for your other questions (otherwise I will need to build you a table to answer all possibilities)?

Thanks,

Ben

(imported comment written by dgibson91)

I understand the need for the new inspector (especially with the way Windows Vista reserves session 0 for system services), and I think the new inspector is a great addition. But it seems like the “current user” inspector has changed from 6.0 -> 7.0 and now only looks for console users.

As far as the “User Name” property, I really am just interested in what other people are using. I believe we chose this property from the bes website way back when we first installed BES. I was thinking of changing it to something like this:

if exists regapp “besclient.exe” whose (version of it > “7.0.0.0”) then if exists logged on user then names of logged on users else “” else if exists current user then name of current user else “”

I looked into the action problem a little further. I see in the .fxf file for the action:


activate-when: not exists current user

To me this means the “Run only when there is no user logged on” option is using the current user inspector and not the logged on user inspector to determine if no user is logged on. Which in 7.0 means it is only looking for console users.

All clients I tested this on are domain PCs running Windows XP SP2 with fast user switching turned off. BES clients are version 7.0.1.376 or 6.0.21.5. The 6.0.21.5 clients are working as expected, but the 7.0.1.376 clients are getting the actions even when someone is logged in via remote desktop. The actions I tested the “Run only when there is no user logged on” option with were all created with BES console version 7.0.1.376.

The last problem with the PC automatically rebooting is most likely due to an action we have that restarts any PC that is pending restart and no one is logged in. The action was created 2 years ago with whatever version of the console we were using back then. I am hoping we can fix this problem by recreating the restart action.

Daryl

(imported comment written by BenKus)

Ah… yes… There are some subtleties here…

Couple key points:

  • In BES 7.0, there is an “advanced deployment option” that uses “efficient mime”. The purpose behind the new efficient mime is that action definitions become more efficient, but they are not reverse compatible with BES 6.0 Clients and so you need to update all your agents first to BES 7.0 and then switch to the new efficient mime mode (which makes the agents faster, uses less bandwidth, allows more components in a baseline, etc.). More info here: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=420

  • The behavior of BES 6.0 “current user” is considered a bug for several reasons related to inconsistencies around remote desktop… For instance, I believe that it would consider a 0-session remote desktop user a “current user” but it wouldn’t show the message/restart boxes to the user in some scenarios. To fix this issue, we have made the “current user” only refer to the console user (which was the intended and documented behavior).

  • The BES 7.0 behavior I mentioned above is correct when using efficient MIME. The behavior you mention is correct when not using efficient mime and using a 7.0 agent.

So, in summary:

  • In BES 7.0 (non-efficient mime), the remote desktop users are not considered ‘current users’ (this also applies to the “run only when user is present”).
  • In BES 7.0 (efficient mime), any users (remote desktop or console) are considered ‘logged on users’ (this also applies to the “run only when user is present”).

An additional note is that in BES 7.0 agents, the message/restart boxes are shown to all users on the system.

Hopefully that all makes sense… BES 7.0 (with efficient mime) I think is by-far the most correct, least confusing, and most functional.

Let me know if I need to explain part of that better,

Ben

(imported comment written by dgibson91)

I suppose this makes sense. I guess we will have to be very careful when using the “Run only when there is no user logged on” until we can get all clients to the 7.0 level. This creates sort of a catch-22 for us, we don’t want to deploy the 7.0 client until it is fully tested, but we can’t test the efficient mime until the 7.0 client is fully deployed.

Looks like my 2 issues could be solved by turning on efficient mime and recreating our open action.

Thanks,

Daryl

(imported comment written by BenKus)

Hey Daryl,

I think it is possible to query the WMI to find logged in users that would work in BES 6.0. That might help your short term issue…

Ben

(imported comment written by mynameisbear91)

Ben Kus

Now that BES 7.0 is released, we can start to discuss many of the nice changes. One change in particular that I think people will be happy about is the new inspectors for “logged on users”.

Does regset also handle HKCU properly? regset and I spent a good afternoon together, and by “good” I mean “why isn’t this working?” and then I realized the SYSTEM vs HKCU thing. I’ve been using the RunAsCurrentUser tool to fake it, but if BESClient supports using regset and friends on HKCU in v7 …

… then me and BESClient might have to elope. :open_mouth:

(imported comment written by BenKus)

Hi cgolightly,

RunAsCurrentUser should work well… You can also try something like this:

http://forum.bigfix.com/viewtopic.php?id=11

Ben

(imported comment written by mynameisbear91)

Ben Kus

Hi cgolightly,

RunAsCurrentUser should work well… You can also try something like this:
http://forum.bigfix.com/viewtopic.php?id=11

Ben

Right on. I’ve been using a template RACU package I created and copying it to new fixlets and changing the actionscript/relevance to make RACU run reg.exe to do my HKCU edits. :slight_smile:

(imported comment written by sonny.mcmanigle91)

Hey Ben,

Check out this error when trying to run a query on current_User

Error: The expression could not be evaluated: Windows Error: A required privilege is not held by the client.

Do you know how I can drill down to see what privilege is needed?

(imported comment written by jr6591)

I am having an issue between qna and analysis for HKCU.

I am trying to detect if a reg key exists in HKCU. Qna displays it properly, yet analysis does not. I am using the same text.

Q: exists key “HKEY_CURRENT_USER\Software\Government of Ontario” of registry

A: True

When I do it via the Console and in an analysis, I get False.

Any reason for this discrepancy? It’s the same PC.

Also, in using Ben’s syntax, I get the following error:

Q: (name of it, active of it, remote of it) of logged on users

A: DoeJo, True, False

Q: exists key “Software\BigFix” of current user keys (logged on users) of registry

E: The expression could not be evaluated: Windows Error: A required privilege is not held by the client.

(imported comment written by BenKus)

Hey jr / sonny,

That error “E: The expression could not be evaluated: Windows Error: A required privilege is not held by the client.” is expected due to Windows permissions errors when you are examining other users’ registry keys (even if you are an admin), but the BigFix agent running as SYSTEM doesn’t seem to have the issue…

In this post, I mentioned you could run QnA as the SYSTEM account to get around this permission issue:

http://forum.bigfix.com/viewtopic.php?id=1909

Ben

(imported comment written by labuski91)

Ben Kus

Hi cgolightly,

RunAsCurrentUser should work well… You can also try something like this:
http://forum.bigfix.com/viewtopic.php?id=11

Ben

I feel like I keep going in circles from this thread to that thread… What is the way to set a key using this new trick in 7.0?

I tried as a proof of concept

regset (“Software\Microsoft\Internet Explorer\Main” of current user key (logged on users) of registry) “Start Page”=“http://www.google.com”

in an action tab in the fixlet debugger running as system. It said it completed but never sets that key. Any help for a nub?

(imported comment written by BenKus)

The easiest way is to use the “Windows Registry Wizard” and click the “Run the generated task as the currently logged-in user” button on the first page.

That should hopefully be very easy.

Ben

(imported comment written by labuski91)

Ben Kus

The easiest way is to use the “Windows Registry Wizard” and click the “Run the generated task as the currently logged-in user” button on the first page.

That should hopefully be very easy.

Ben

The problem with that is, here’s the relevance:

(name of operating system = “WinXP” OR name of operating system = “WinXP-2003”) AND (TRUE) AND (exists ((string values of selects “UserName from Win32_ComputerSystem” of wmi) , (members of local group “administrators” as string)) whose (item 0 of it = item 1 of it))

After the last AND, does this mean that they have to be an admin to import these in their registry? If that’s the case then it will fail since I am trying to do this in an AD environment with the registry locked down.

Thanks

Jesse

edit: I ran this relevance in my QnA when I was logged on as an administrator and it proved false, so I’m guessing it’s checking to make sure the current user logged in isn’t an administrator?

edit2: I went ahead and ran this on a test box and it failed since the user doesn’t have privileges to edit the registry. I did a search and came up with this thread http://forum.bigfix.com/viewtopic.php?id=409 and it showed that runascurrentuser.exe assumes the security settings that the logged-in user has. So I guess I’m back to my original question, which is below:

labuski

Ben Kus

Hi cgolightly,

RunAsCurrentUser should work well… You can also try something like this:
http://forum.bigfix.com/viewtopic.php?id=11

Ben

I feel like I keep going in circles from this thread to that thread… What is the way to set a key using this new trick in 7.0?

I tried as a proof of concept

regset (“Software\Microsoft\Internet Explorer\Main” of current user key (logged on users) of registry) “Start Page”=“http://www.google.com”

in an action tab in the fixlet debugger running as system. It said it completed but never sets that key. Any help for a nub?

(imported comment written by BenKus)

OK… Quick summary:

  • The “current user key” inspector is good for looking up relevance, but you can’t see the actual key name (other than “HKEY_CURRENT_USER”), so it doesn’t help much for actions.
  • Normally, you would “Run as User”, but your user doesn’t have access (correct?).
  • So with these constraints, you need to resort to an old try we used in the past where you look up the user key:

regset “” “Start Page”=“http://www.google.com”

It is a hack and I don’t think it works on Win7, but you can try it out…

Ben

(imported comment written by labuski91)

Ben Kus

OK… Quick summary:

The “current user key” inspector is good for looking up relevance, but you can’t see the actual key name (other than “HKEY_CURRENT_USER”), so it doesn’t help much for actions.

Normally, you would “Run as User”, but your user doesn’t have access (correct?).

So with these constraints, you need to resort to an old try we used in the past where you look up the user key:

regset “” “Start Page”=“http://www.google.com”

It is a hack and I don’t think it works on Win7, but you can try it out…

Ben

Thanks Ben. This worked. Just for clarification, I’m not using Win7. I’m using XP. By saying 7.0 trick I meant BES Client 7.0 trick of using “of current user key (logged on users) of registry”. I didn’t know if you could use that language in conjunction with regset.