Some Queries

(imported topic written by ivynash)

Can someone help me out with these queries?

  1. What is Unmanaged Asset?

  2. How to reset administrator password for all the BES clients at once.

  3. How to check all the computer accounts available on a computer.

  4. Does it support Linux? If yes, how to install on Linux.

  5. Postpone restart does not forcefully restart the machine after the specified time.

  6. What is License tracking?

  7. What is Configuration Discovery and Control using baseline.

  8. Is it possible to manage Trend Micro OfficeScan through BES console.

  9. How to disable users from stopping the service.

  10. Can we make CD-Writers to only read?

  11. How to manage Windows XP firewall through BES console.

(imported comment written by brolly3391)

Hello Ivynash,

I will try to help you with some of your list items. It’s a long list so my answers will be brief. We can explore these in more depth as the conversation progresses.

  1. Unmanaged Asset - I think you are referring to our Unmanaged Asset site that allows you to set up an NMAP scanner to detect devices on your network and imports those results into the BES Database. This allows you to see assets on your network that do not have BES Clients installed and take appropriate action.

  2. Local Admin Password - This cannot be done securely but it can be done. See this post:

  3. All Local accounts - The relevance for this might look like this: unique values of (members of local groups as string). You could use that relevance in a retrieved property or analysis.

  4. The BES Server and Relays must be on Windows Server machines. The Linux clients are found here:

  5. Postpone just makes the reboot message hide. The countdown until a forced reboot occurs continues to count independent of postponements.

  6. I am not sure what you are referring to here. Can you elaborate?

  7. I am not sure what you are referring to here. Can you elaborate?

  8. I am not aware of any content for Trend Micro OfficeScan yet. You could develop some custom content on your own or you could contact Professional Services and contract us to build it for you.

  9. You could lock down the permissions on the BESClient service. This would involve using the Windows command sc sdset. More information from Microsoft here: I have not tested doing this so please test the modifications you might make before using it in production.

  10. Disabling writing to a CDR drive - We discussed this in another thread but nobody ever verified that it was working.

  11. There are fixlets in the BES Support site to manipulate the Windows XP firewall to allow BES Client communication. Windows Firewall is Blocking BES Traffic - BES Relay/Server >= for example. Review that fixlet for a sample of how to write your own content to manipulate the Windows XP Firewall.
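An added example, not part of the thread and not BigFix code: before pushing a security descriptor with sc sdset, it helps to check which trustees the SDDL string would let stop the service. The sketch below parses the DACL and lists trustees whose allow ACEs carry SERVICE_STOP (SDDL code WP); both SDDL strings are constructed samples, not the BESClient defaults, and the function names are hypothetical.

```python
import re

# Access-mask bits: SERVICE_STOP, plus the generic rights that map onto it
SERVICE_STOP, GENERIC_EXECUTE, GENERIC_ALL = 0x0020, 0x20000000, 0x10000000
STOP_CODES = {"WP", "GX", "GA"}  # SDDL codes for the same three rights

def dacl_aces(sddl):
    """Return (ace_type, rights, trustee) for each ACE in the DACL of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) >= 6:
            aces.append((fields[0], fields[2], fields[5]))
    return aces

def grants_stop(rights):
    """True if a rights field (two-letter codes or a hex mask) includes stop."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & (SERVICE_STOP | GENERIC_EXECUTE | GENERIC_ALL))
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & STOP_CODES)

def who_can_stop(sddl):
    """Trustees with an allow ACE that grants stop (deny ACEs are not evaluated)."""
    return sorted({t for typ, r, t in dacl_aces(sddl)
                   if typ == "A" and grants_stop(r)})

# Constructed sample: Power Users (PU) hold start/stop/pause rights
LOOSE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
         "(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWLOCRRC;;;IU)")
# Constructed sample: same descriptor with RP, WP and DT removed from the PU ACE
TIGHT = LOOSE.replace("(A;;CCLCSWRPWPDTLOCRRC;;;PU)", "(A;;CCLCSWLOCRRC;;;PU)")

if __name__ == "__main__":
    print("before:", who_can_stop(LOOSE))
    print("after: ", who_can_stop(TIGHT))
```

Trustees that keep WD or WO (Administrators in both samples) can rewrite the descriptor and regain stop rights, so the check narrows who can stop the service rather than making it unstoppable.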



(imported comment written by BenKus)

Hi Ivy,

Couple additional notes:

  1. We have a Fixlet site “BES Asset Discovery”, which allows you to scan your network for computers not running the BES Agent along with getting information about network devices (such as printers, routers, switches, etc.) Here is some more information:

  2. In our “License and Inventory” site, we have an Application Tracking feature that allows you to track which computers are running an application and see info such as “How many computers ran Adobe Photoshop in the last month?” and other similar software licensing questions.

  3. The “Client Manager for AntiVirus” site supports Trend Micro (along with Symantec, McAfee, eTrust, and Sophos). You can use this site to see which computers have Trend Micro installed (install if necessary), see if it is running (start it if necessary), update the engine, update the definitions, and more.


(imported comment written by ivynash)

Hi brolly & ben,

Thanks for the info. Can you please give some samples on how to retrieve user accounts and to manipulate the Windows XP firewall? Waiting for your earliest reply.



(imported comment written by BenKus)

Hi Ivy,

Can you give us some ideas on what you are looking for with the user accounts or the XP firewall questions? We can take your questions and convert them to relevance.


(imported comment written by ivynash)

Hi ben,

  1. I need to check all local users and local administrators available over the network for audit purpose.

  2. I have to block some unwanted local ports on all the machines which use Windows XP firewall, coz I don’t want to go to each computer and change the policies of the Desktop firewall.



(imported comment written by brolly3391)

Hello Ivy,

  1. I think you are looking for

q: members of local groups

or a little more granular

q: members of local groups whose (name of it = "Administrators" or name of it = "Users")

That will give you the names of all the local users and administrators. If you need them separated out you can use something more like this.

q: (name of it, members of it) of local groups whose (name of it = "Administrators" or name of it = "Users")

Drop any of those into an analysis or retrieved property. Note there is case sensitivity on the group names.

  2. You need the commands for manipulating the XP firewall from the command line and drop them into an action script in a custom task. Check out the Fixlets "Windows Firewall is blocking BES Traffic" for examples of using the netsh command in XP for manipulating the Windows XP Firewall.



(imported comment written by ivynash)


I have checked the netsh command in Windows XP and successfully changed the Desktop Firewall options using it, but when I tried the same command in BES, it was unsuccessful.

For example, if I need to block port 80 (HTTP) on the Windows XP Firewall, I use the following action:

wait RunQuiet.exe “{pathname of systemfolder}\netsh.exe” firewall add portopening protocol=TCP port=80 name=DisHTTP mode=DISBALE profile=ALL

Can you please provide some sample relevance for the same.



(imported comment written by brolly3391)


At first glance the only thing I see that could be wrong is the quote symbols look like smart quotes instead of normal quotes.

“ and ” instead of " "

wait RunQuiet.exe "{pathname of systemfolder}\netsh.exe" firewall add portopening protocol=TCP port=80 name="DisHTTP" mode=DISABLE profile=ALL

Also, I believe that if the rule called DisHTTP already exists then an add portopening command may fail. You might need to use set portopening instead, or do 2 commands, the first a delete portopening and the second an add portopening.

Let me know how things work out.
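An added example, not part of the thread: a pre-deployment check for action-script lines that call netsh firewall portopening, catching the smart quotes discussed above and any parameter value outside the documented netsh syntax, such as the misspelled mode value in the command as first posted. The function name is hypothetical and both sample lines are reconstructed from the thread.

```python
import re

SMART_QUOTES = "\u201c\u201d\u2018\u2019"
# Values accepted by `netsh firewall add|set portopening` on Windows XP SP2
ALLOWED = {
    "protocol": {"TCP", "UDP", "ALL"},
    "mode": {"ENABLE", "DISABLE"},
    "profile": {"CURRENT", "DOMAIN", "STANDARD", "ALL"},
}
VERBS = {"add", "set", "delete"}

def lint_portopening(line):
    """Return a list of problems found in one action-script line."""
    problems = []
    if any(ch in SMART_QUOTES for ch in line):
        problems.append("smart quotes")
    m = re.search(r"firewall\s+(\w+)\s+portopening\b(.*)", line, re.I)
    if not m:
        problems.append("no 'firewall <verb> portopening' command found")
        return problems
    if m.group(1).lower() not in VERBS:
        problems.append(f"unknown verb {m.group(1)}")
    # key=value pairs; surrounding quotes of either kind are stripped
    params = {k.lower(): v.strip('"' + SMART_QUOTES)
              for k, v in re.findall(r"(\w+)=(\S+)", m.group(2))}
    for key, allowed in ALLOWED.items():
        if key in params and params[key].upper() not in allowed:
            problems.append(f"{key}={params[key]} is not one of {sorted(allowed)}")
    port = params.get("port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("port missing or out of range")
    return problems

# Reconstructed from the thread: the command as first posted
AS_POSTED = ("wait RunQuiet.exe \u201c{pathname of systemfolder}\\netsh.exe\u201d "
             "firewall add portopening protocol=TCP port=80 name=DisHTTP "
             "mode=DISBALE profile=ALL")
# Same command with straight quotes and a valid mode value
FIXED = ('wait RunQuiet.exe "{pathname of systemfolder}\\netsh.exe" '
         'firewall add portopening protocol=TCP port=80 name="DisHTTP" '
         'mode=DISABLE profile=ALL')

if __name__ == "__main__":
    for label, line in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, "->", lint_portopening(line) or "ok")
```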