@george1421 Great suggestion! Will do.

Posts made by RobertD
-
RE: Off Topic - Automatically provisioning AD accounts from SIS & EIS
-
Off Topic - Automatically provisioning AD accounts from SIS & EIS
Hello fellow gurus,
This is not a FOG related question, but thought this may be a good place to pose this question as it seems many of you also work for school districts and have to deal with the unique situations that we often do. For years we have been provisioning (batch script) our student and employee Active Directory accounts using our own home brew methods based on data extracted from our Student Information System (SIS) and Employee Information System (EIS). Although this has worked, sometimes things get out of “sync” as it’s not really a two way road. AD commands are just sent to our DCs and we hope everything executes properly. To remedy this I have built a .NET desktop application that pulls AD users, memberships, etc. and compares them to what they should be, then re-issues commands to fix any of the discovered discrepancies. Most of this work is done in SQL.
My question to you all is what are you using to provision user accounts in Active Directory when the source is the SIS and EIS (SQL)?
Operating requirements:
• Process must generate unique student and employee usernames. Employee usernames can never be reissued (even if the employee leaves the district).
• Users must be placed in the appropriate OU according to their associated building in the SIS or EIS.
• Users must be automatically made members of security groups based on data in SIS and EIS: associated building, associated grade level, job status code (employees).
• User object attributes must be automatically populated: First Name, Surname, Department, Phone, Description, etc.
• User home directory must be created and NTFS permissions set. If the user moves buildings their home directory must be moved also and permissions set once again.
• Of course all memberships, object locations, home directory, etc. will have to be updated if the user moves buildings, changes name, building, grade level, etc.
-
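As an added illustration of the first three requirements above (not code from the post or from FOG), here is a small desired-state model: a registry that issues usernames unique across students and employees and never reissues an employee name, plus a group-membership diff that yields the fix-up commands a reconciliation pass would send. The username scheme (first initial + surname, counter on collision), the group naming and the SIS/EIS record fields are constructed assumptions.

```python
from __future__ import annotations
import re
import unicodedata

def base_username(first: str, last: str) -> str:
    """First initial + surname, ASCII lowercase letters only (constructed scheme)."""
    def clean(s: str) -> str:
        s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
        return re.sub(r"[^a-z]", "", s.lower())
    return (clean(first)[:1] + clean(last))[:20] or "user"

class UsernameRegistry:
    """Issues usernames unique across students and employees.
    Employee usernames are reserved permanently, even after the person leaves."""
    def __init__(self) -> None:
        self.active: set[str] = set()
        self.reserved: set[str] = set()   # employee names, never reissued

    def issue(self, first: str, last: str, employee: bool) -> str:
        base = base_username(first, last)
        taken = self.active | self.reserved
        name, n = base, 1
        while name in taken:              # append a counter on collision
            n += 1
            name = f"{base}{n}"
        self.active.add(name)
        if employee:
            self.reserved.add(name)
        return name

    def deprovision(self, name: str) -> None:
        # Assumption: student names may be reused after the student leaves;
        # employee names stay in `reserved` and are never handed out again.
        self.active.discard(name)

def desired_groups(rec: dict) -> set[str]:
    """Security groups a user should hold, derived from SIS/EIS fields (constructed names)."""
    groups = {f"BLDG-{rec['building']}"}
    if "grade" in rec:
        groups.add(f"GRADE-{rec['grade']:02d}")
    if "job_status" in rec:
        groups.add(f"JOB-{rec['job_status']}")
    return groups

def membership_fix(desired: set[str], actual: set[str]) -> tuple[set[str], set[str]]:
    """Return (groups to add, groups to remove) to bring AD in line with the source."""
    return desired - actual, actual - desired
```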
RE: Service Modules in new Client?
@Joe-Schmitt Got it. Thanks for clarifying. Is there any possibility this will be added back in the future? This could be so useful for proprietary business processes to just use the FOG service instead of having to create our own and install it in addition to the FOG service.
I haven’t played around with the new client since our 0.32 version so I’m excited to see what’s changed.
Thanks for all you guys do!
-
RE: Service Modules in new Client?
@Joe-Schmitt said in Service Modules in new Client?:
The new client is much much easier to build modules for. However it doesn’t allow third party ones. If you have some ideas get in contact with me and we can see about possibly adding them.
Hi Joe,
I installed fog 1.3 RC1 last night and noticed under Fog Configuration > Client Updater it looks like there is a module upload section for the fog client. I thought in the new version of fog it didn’t allow third party modules. I guess I’m confused or misunderstood. Can someone explain what this is used for? Thanks!
-
RE: FOG 1.3.0 Release Candidate 1
This is fantastic news! We are eagerly awaiting the official release. I will spin up a VM and test it out.
@Avaryan said in FOG 1.3.0 Release Candidate 1:
Awesome.
Any expectations as to when the full 1.3.0 might be out? Liking what I’ve seen so far.
+1
-
RE: Service Modules in new Client?
@george1421 said in Service Modules in new Client?:
The FOG client could do this, but the issue you will have is managing what the passwords are/will be.
This is exactly what the module would be programmed to do.
Pseudo code:
'Check against the database first
If @PassLastChangedDate < @DateThreshold
    'Create a random password and set it on the database side first
    'If successful set it on the local machine
End
-
RE: Service Modules in new Client?
We also really like the idea of Google’s project GRR, however navigating and creating tasks in it is complicated at best. It would be incredibly convenient if we could build modules for fog to do some of the simple stuff GRR does.
- Search hosts for a file hash - if it exists report back
- Search hosts for a specific event in the event viewer - if it exists report back
-
RE: Service Modules in new Client?
@george1421 said in Service Modules in new Client?:
@RobertD Sorry I was going to post a link, but the URL I had saved was broken so it took me a bit longer to get the links.
https://technet.microsoft.com/en-us/mt227395.aspx
https://adsecurity.org/?p=1790
Good information! However it’s only effective for domain joined machines. Most of our mobile devices are not on the domain (thin clients, laptops, etc. - Everything has the fog client)
-
RE: Service Modules in new Client?
@george1421 We are an AD shop, but some of our machines are not domained.
-
RE: Service Modules in new Client?
@Joe-Schmitt said in Service Modules in new Client?:
The new client is much much easier to build modules for. However it doesn’t allow third party ones. If you have some ideas get in contact with me and we can see about possibly adding them.
So compiling dlls and dropping them in the fog service folder will no longer work?
In the past we have had problems with students acquiring the local admin password (cracking the NTLM hash, it being exposed on a post-it note or something else). This password is set across the board on desktops, which allowed them to jump from machine to machine (RDP, SMB, remote execution, or being leaked by some other method). One of the modules we want to create would manage the local Administrator password. Each machine would have a randomly set admin password by this module which would then be sent to an encrypted web service where it would also be stored encrypted. So every admin password on every machine is different. If a campus technician needed the local password for a machine they would request it through a web portal where they would have access restrictions based on their credentials. Everything could then be audited.
This service module could also be configured to cycle passwords on a normal basis and/or reset the admin password for a specific host on demand from the web portal.
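The rotation workflow described in this post and in the pseudo code earlier on this page, as an added example rather than code from the post or from the FOG client: the password is generated from the OS CSPRNG, written to the vault first, and applied to the machine only if that write succeeded, so a host never ends up with a password the vault does not know. `Vault` is an in-memory stand-in for the encrypted web service (it models the audit trail, not encryption at rest) and `set_local` is a constructed callback for whatever the module would do on the machine.

```python
from __future__ import annotations
import secrets
import string
from datetime import date, timedelta

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"

def new_password(length: int = 20) -> str:
    """Random per-machine password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class Vault:
    """Stand-in for the posted web service: one password per host, and every
    retrieval is logged so it can be audited. Real storage would be encrypted;
    this in-memory version only models the workflow (constructed)."""
    def __init__(self, fail_writes: bool = False) -> None:
        self.entries: dict[str, tuple[str, date]] = {}
        self.audit: list[tuple[str, str]] = []
        self.fail_writes = fail_writes          # simulates an unreachable service

    def store(self, host: str, password: str, changed: date) -> None:
        if self.fail_writes:
            raise IOError("vault unavailable")
        self.entries[host] = (password, changed)

    def retrieve(self, host: str, technician: str) -> str:
        self.audit.append((technician, host))   # who asked for which host
        return self.entries[host][0]

def rotate_if_due(host: str, last_changed: date, today: date, max_age: timedelta,
                  vault: Vault, set_local) -> bool:
    """Rotate only when the password is older than the threshold; write the
    vault FIRST and touch the local account only if that write succeeded."""
    if today - last_changed < max_age:
        return False
    password = new_password()
    try:
        vault.store(host, password, today)
    except IOError:
        return False            # vault write failed: leave the local account alone
    set_local(host, password)   # constructed callback, e.g. the client module's local call
    return True
```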
-
RE: Service Modules in new Client?
Now in English lol…
We have a few ideas of modules we would like to build to extend the fog service.
-
Service Modules in new Client?
We are still running version 0.32, but have plans to move to 1.30 when the stable is released. We have a few service module ideas we would like to build to extend the fog service. Does the new client still support this?
https://wiki.fogproject.org/wiki/index.php?title=Creating_Custom_FOG_Service_Modules
-
RE: FOG Hangouts - What time is good for you?
I would like to participate in the next meeting. 7ish~ CST weekdays works best for me.
-
RE: Image List Paging
Hmmm I have been making a lot of changes. I created a “Production” field in MySQL so that it doesn’t list non production images. I guess I need to go look at the original files. Thanks Tom!
-
Image List Paging
So we have a huge variety of hardware that has greatly increased the number of images we have. So much that we are almost out of screen space when listing the images with the ‘?’ during the registration process. Is there any way to page or give the option to display more images from the registration screen when pressing ‘?’ so the full list of images can be displayed?
Fog 0.32
-
RE: Fog Server Considerations
Thanks for all the replies! Good information to have. I guess what I should probably be more concerned about is the fog server serving up the tftp boot file to every client as they reboot. I imagine at the start of the school year a lot of machines will be booting up at the same time, but only time will tell.
-
RE: Fog Server Considerations
Thanks for the suggestions moss. I will check them out. (Not much of a Linux guy myself)
On this same topic regarding the fog client/service - Is it possible to have the service update the fog database when the host name changes? Oftentimes our repair department does not know where a machine is going when they reimage it so they give it a generic name. When it gets to a campus and is positioned in a classroom it is then given a name and put on the domain. It would be nice if our fog database properly matched the machine name. (We are not using the host name changer)
-
Fog Server Considerations
Hello Community FOG Gurus!
I work for a very large school district in Texas. We are implementing FOG as our new imaging system and so far everything is working out great (Love the system so far). We have customized the setup so the images are stored on our NAS as opposed to setting up multiple fog server storage servers. We did this for sheer reasons of speed and redundancy. These are the specs of the server FOG is installed on:
HP DL380 G8
E5-2430 (6 Core/12 Threads)
6 - 500 GB 7200RPM Drives (RAID 10)
12GB Ram
Ubuntu 12.04
My concern is the Fog service. We have added it to our new images, but will this server and MySQL be able to handle 20-30,000 devices checking in all the time? (We also changed the checkintime in the ini file to 999.)
This is probably a question better suited for the Ubuntu forums, but is there an easy way to monitor CPU usage, network connections, etc from command line or will I need to install a GUI to do this?