@msff-amman-Itofficer

Fix Windows Time :

Get list of configured NTP servers
salt '*' ntp.get_servers

Set Windows to use a list of NTP servers
salt '*' ntp.set_servers 'pool.ntp.org'

Verify:
salt '*' system.get_system_date
salt '*' system.get_system_time

Make sure the Windows Time Service is running and set to automatic startup.
salt '*' system.start_time_service
salt '*' system.stop_time_service

After setting ntp, ensure Timezone is correct as well:

	salt '*' timezone.set_zone 'Asia/Amman'
	salt '*' system.set_system_date '03-28-13'
	salt '*' system.set_system_time "'14:16 +0300'" 						# (if set using NTP it wont work)
	salt '*' system.set_system_time "'+0300'"								# (if set using NTP it wont work)

SaltStack control power settings for Windows machines, you can control via the below commands, you need to create state file with the below:

monitor:
    powercfg.set_timeout:
        - value: 30
        - power: ac
disk:
    powercfg.set_timeout:
        - value: 30
        - power: ac
standby:
    powercfg.set_timeout:
        - value: 0
        - power: ac
hibernate:
    powercfg.set_timeout:
        - value: 0
        - power: ac

You can also get those information, and not apply rules by replacing set with get, for example: get_disk_timeout

Then schedule the below command in crontab (VISUAL=nano crontab -e) to run
*/30 * * * * salt '*' state.apply power_ac
*/30 * * * * salt '*' state.apply power_dc

It is good to apply this prior to windows update, or virus scan command.

@Dashrender said in SaltStack Windows Playbooks:

Add some tags to the OP.
Will make it easier to find in the future.

sure

@msff-amman-Itofficer

CCleaner:

Download ccleaner portable and check items you want to clear on clients, then Upload ccleaner folder to salt master and send to clients:
salt '*' cp.get_dir salt://ccleaner/ c:/salt

Run ccleaner silently as well as delete the temp files and recycle bin prior:

salt '*' cmd.run 'del /q/f/s %TEMP%\*'
salt '*' cmd.run 'rd /s /q %systemdrive%\$Recycle.bin'
salt '*' cmd.run '"c:/salt/ccleaner/CCleaner.exe" /AUTO'

@aaronstuder

With this, I can SSL an internal site and it will show up without and SSL warning message correct ? and for free ?

Windows Local Group Policy:

controlling Updates + screenwallpaper

Create lgpo.sls in /srv/salt with:

Company Local Group Policy:
    lgpo.set:
        - computer_policy:
            Configure Automatic Updates:
                Configure automatic updating: 4 - Auto download and schedule the install
                Scheduled install day: 5 - Every Thursday
                Scheduled install time: "16:00"
        - user_policy:
            Do not process the legacy run list: Enabled
            Desktop Wallpaper:
                Wallpaper Name: C:\salt\wallpaper.jpg 
                WallpaperStyle: Fill
Run myscript:
  cmd.run:
    - name: gpupdate.exe /force

Then schedule the below command to run “every 30 mins.”
*/30 * * * * salt '*' state.apply lgpo

This location: C:\Windows\PolicyDefinitions
has the adm files that you can view for trouble-shooting.
Windows 10 Configure Automatic Updates differs from Windows 7, so if you have environment with both Win7 and Win 10 your screwed, you need to create different setting for both some times, for example this update setting will work on Windows 7 but Windows 10 will report error missing value you need to add and I forgot what it is, and if you add it, Windows 7 machines wont work.

Sometimes the response will be invalid, however the policy will work, to verify use one of the below:

	salt '*' lgpo.get user											# By default shows only configured policies
	salt '*' lgpo.get machine
	salt '*' lgpo.get machine return_not_configured=True
	salt '*' lgpo.get_policy_info 'Maximum password age' machine
	salt '*' lgpo.get_policy_info 'Desktop Wallpaper' user

@msff-amman-Itofficer

Sophos Virus Removal Tool:

Upload sohpos folder to salt master and send to clients
salt '*' cp.get_dir salt://sophos/ c:/salt
Run sophos silently and delete the temp files prior:
salt '*' cmd.run 'del /q/f/s %TEMP%\*'
salt '*' cmd.run '"c:/salt/sophos/SVRTcli.exe" -yes -reboot'

To view the log file, you can read this file:
salt '*' cmd.run 'type "C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log"'

To clean the log file:
salt '*' cmd.run 'del /q/f/s "C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\*"'

Other Command line options:
-debug Display extra logging information.
-help Display this text help.
-noupdate Don't download updates when the tool starts.
-preview Don't do disinfection/cleanup.
-reboot Reboot automatically if required for cleanup.
-reset Remove any pending cleanup on reboot operations.
-uninstall Uninstall after scan and cleanup is complete.
-yes Don't ask for confirmation before cleanup.

---

You can create state file and schedule it in cron as well:

Create sophos.sls in /srv/salt with:

push_sophos_av_files:
  file.recurse:
    - source: salt://sophos
    - name: 'c:\salt\sophos'
    - makedirs: True
  cmd.run:
    - name: 'c:\salt\sophos\state.cmd'

Then schedule the below command in crontab (VISUAL=nano crontab -e) to run every 2 hours:
0 */2 * * * salt '*' state.apply sophos

And in the state.cmd file put your command.

Hello,

I wanted to start topic that hopefully will be always updated and kinda pinned, listing all the guides and neat stuff we can do with saltstack, I use it to manage Windows clients mostly, so for me this will be like Active Directory replacement show case.

Want to hear your feedback and correct me if you see room for improvements, and share ideas as well.

This will not cover setting up Salt, just the techniques which I call playbooks (I know taken from Ansible).

@scottalanmiller said in Intel Sees Irrelevance in Its Future, Turns to Legal Threats Instead of Technology:

@msff-amman-Itofficer said in Intel Sees Irrelevance in Its Future, Turns to Legal Threats Instead of Technology:

... like AMD Ryzen is on par with intel performance but cheaper, and that is what after 5 years of AMD catching up.

Which was after eight years of Intel catching up They go back and forth, AMD has been the overall leader for the last ~15 years. Intel just had a brief period in the spotlight again. Their last big win was the Pentium IIIS which did not last long before AMD crushed it.

AMD's ARM play is for the datacenter, though, not for the desktop. Their ARM Opterons are not intended for end user usage but for big servers.

I disagree with you on this one, they will not make it. and I really think that they U turned to AMD zen server chips.

Who needs an Cortex a57 server CPU ? it is sooo 2013 ...

https://seekingalpha.com/article/4072289-amd-better-without-arm
http://www.pcworld.com/article/3106852/amd-turns-back-to-x86-for-server-reboot-as-it-downgrades-arm.html

@mlnews

I dont understand why all the comments are filled with AMD, this topic has little to do with AMD.

When Windows 10 be able to run on ARM and not only from Qualcom, just like Android can run from:
Mediatek chips/RockChip/Xiaomi ...etc
thats when everything will change, the cost of those ARM chips can get low as 10$ per chip cause of the insane competition, and they include much more than traditional x86 CPU, and you really dont get innovation with 2 company monopoly, like AMD Ryzen is on par with intel performance but cheaper, and that is what after 5 years of AMD catching up.

With ARM the whole playground will change, all my family and friends can live with ARM level of performance, my mom uses her smartphone for everything, she does not play games and stuff, so using that logic 1 or 2 in 10 people will only require the performance of x86 CPU, the rest will be served fine with ARM.

Plus ARM:
efficient
cheaper
will come with much more mobile options with plenty of battery
has integrated modem usually.

@scottalanmiller said in Intel Sees Irrelevance in Its Future, Turns to Legal Threats Instead of Technology:

Did they not fold badly years ago? They seemed to back out of the game and ceed a lot to Intel.

Really I dont see that, there plans of ARM server processors seem very short-lived, the only thing that will seem to continue with ARM is the co-security processor they integrate with their x86-x64 CPUs, but thats it. I think its cortex a5 they integrate in each CPU as well.

@scottalanmiller

I want to backup the user account with the most data ? the thing is we have different user account names on each computer, and that is the why I am having issues, if only I can find way to run as logged in user

@scottalanmiller said in Saltstack commands redirects to systemprofile:

If you think about it, that variable would run in the context of Salt itself. So makes no sense. You need to back up the user in question, not Salt's own files.

Yh just wondered if there is command that I can use to pinpoint that user, but the safest thing to do is to simply grab this :

%SYSTEMDRIVE%\Users

and that would do, even if it took extra files.

The environment I inherited does not have standard Windows user naming

Sometimes it helps to ask those questions, and then later reply to my self and find out a solution

@travisdh1 said in Saltstack commands redirects to systemprofile:

@msff-amman-Itofficer Seems like salt is uses some sort of system account. You'd have to add salt logging in as the user before running a script with user land variables like %USERPROFILE%.

I know the cmd.runas stuff, but how can I make this work globally...

Aha perhaps add salt user globally to my minions, and run the command as that user, but that will backup the new salt user profile, not the existing user profile.

Better yet I make it to backup the %SYSTEMDRIVE%\Users folder all instead and be sure.

Hello,

So I found myself getting to this issue alot lately, I wonder if some can help.

So I want to backup files using salt, and when I run commands with variables like %USERPROFILE%\Desktop

C:\Windows\System32\config\systemprofile\Desktop

And backs up the files of that location, instead of the files of the current user.

Now 1 way is to have standard non AD local user account on all the machines with same name:
C:\Users\msffuser

but is there anyway else ?

and what is the quickest way to create new local user if needed and migrate all the existing account to the new msffuser without losing any data.

Thanks.

@msff-amman-Itofficer

@msff-amman-Itofficer

It stalking me, I disabled task scheduler service just to give me some extra few days ...

@mlnews

More resources:

"Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.) If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of "send a personal cheque to: Petya Payments, PO Box …"). The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of "ransomware."

https://www.techpowerup.com/234772/petya-notpetya-the-ransomware-that-wasnt-actually-looking-to-ransom-anything

@mlnews

Its good news (Anything better than outdated XP or Win7), but this is starting to be bad practice, cause all the big organization that does this, just use Ubuntu and change a couple of user interface elements add some packages and give it a new name.

If you really want to do it right, spin your own Linux OS and hire I.T skills to do this, and make it as small as possible to reduce attack surface, for example when you go to banks and big grocery markets, you can still see that some of them use like shell interface client for operations like Terminal or Command Prompt.

I feel that the cause this is just BIG organization, using Ubuntu might not be the cure, cause there is SAMBACRY, and when you dont understand the OS, bad stuff bound to happen. And the only way to truly understand Linux is to try spinning your own OS.

@matteo-nunziati said in open source hypervisors: do we really have them? do we really need them?:

ok put this simply. I go open source because it has more benefits then freeware. So I pick projects which do not depend on single corporate devel groups. Assume XAPI is not this. at least for the sake of stats I've extracted from git.

you go on premise with KVM on CentOS OR with Xen on opensuse leap (I would not go on ubuntu or debian - that's another topic).

Then I have to administer it. all open source because it pays more than freeware. I will use virt-manager with libvirt. This is ok with KVM even live migration is there. but Xen?
it starts appearing a bit risky IMHO probably XenCenter is the solution here. ok we hit another problem with XenCenter. just skip it.

What about open source backup for VMs? To my knowledge you can eihter buy super big NASes for a longer retention policy of the OSes OR you backup the app (as I do in my web apps) and you simply try to make the OS backup irrelevant, AKA DevOps style a-la salt/ansible.

Otherwise you need baremetal-like restore of the OS. Which open source project does this?

Of course a proper mix of LVM snapshots, mount, rsnapshot (rsync) can do the work, but home made backup solution is probably NOT the way I would go in SMB (I did it with KVM just at LVM level, no dedup with rsnapshot - and retention was poor).

just link me to a proper quick to setup solution and honestly I will be able to sold benefits of opensource over freeware.
I miss this now. Then I will be able to sold openness even at hypervisor level not only application/OS level!

Sadly the main reason why folks choose other than KVM is the above. The time and research and method and custom scripts is what KVM all about if you ask me. Just document your trial and errors and you will eventually have all this.

What I do, I have 2 KVM hosts running from centos minimal:

1. Check CPU support for Virtualization:
   grep -E '(vmx|svm)' /proc/cpuinfo

2. Install KVM:
   yum groupinstall Virtualization "Virtualization Platform" "Virtualization Tools"

3. Then make proper selinux and firewall configuration.

4. Then I load Fedora on my work laptop using virtualbox, and use virt-manager to manage the hosts.

5. Create passwordless SSH login between the hosts and preferably the virt-manager machine.

6. Alot of scripts and tools and guides to manage KVM and images got created by me due to going this route, for example I like to start the VM images with thin profile and expand over time, instead of allocating full amount of storage/Defalting the qcow2 image after time for backup or archiving (however I dont recommenced archvie cause qcow2 stores everything in 1 file/converting the qcow2 to other formats/ when will new image FVD be ready/ What VIRT IO drivers to install.... etc) The best thing is how simple is its to offline migrate VM images in KVM, and under Fedora there is tool like WinSCP called Gigolo I reckon, and with KVM you just need to copy the image disk and paste to the other Host and BAM, you copied the VM. due to there is no DRM feel or cause the file disk format is OSS everything is clear however with that comes the notion of everything can be setup in 100 diffrent ways.

If you want to bypass all this just get ESXi licensed, and your set.