Creating OpenVPN Server and Setting up OpenVPN Clients

I recently setup a remote office that houses my huge Virtual Host machine and wanted private/encrypted access to that network from where ever I am.  Thus I turned to OpenVPN as a solution after a little bit of research (see this BestVPN Article).  This article covers the basics of setting up an OpenVPN server on a Ubuntu server sitting behind a NAT firewall. 

Let’s start on the Ubuntu Server…
Enter root first…

$ sudo su

Setup OpenVPN Server

Starting with a Ubuntu computer you’d like to make the OpenVPN Server… Install OpenVPN and Easy-RSA

$ apt-get install openvpn easy-rsa -y

Certificates

The first thing to know about OpenVPN is we’ll be setting things up to use certificates.  It is the most secure method and requires you to manually distribute the client certificates and configuration files.  The method you choose determines the security.  Most secure is to hand deliver the certs on an encrypted thumb drive.

Certificate Authority

To setup your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients first copy the easy-rsa directory to /etc/openvpn.

$ mkdir /etc/openvpn/easy-rsa
$ cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
$ vi /etc/openvpn/easy-rsa/vars

And, change the values that matches with your country, state, city, mail id etc.

export KEY_COUNTRY=”CountryCode”
export KEY_PROVINCE=”MyStateOrProvince”
export KEY_CITY=”MyCity”
export KEY_ORG=”Organization Name”
export KEY_EMAIL=”vpn@example.com”
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN

Enter the following to generate the master Certificate Authority (CA) certificate and key:

$ cd /etc/openvpn/easy-rsa/
$ cp openssl-1.0.0.cnf openssl.cnf
$ source vars
$ ./clean-all

Run the following command to generate CA certificate and CA key:

$ ./build-ca

Server Certificates

Next, we will generate a certificate and private key for the server:

$ ./build-key-server server

Client Certificates

Each client will need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal while being user root:

$ ./build-key client

Generate Diffie Hellman Parameter

This is a unique key used for our VPN Server, Enter the following command to generate DH parameter.

$ ./build-dh
Go to the directory /etc/openvpn/easy-rsa/keys/ and enter the following command to transfer the above files to /etc/openvpn/ directory.

$ cd /etc/openvpn/easy-rsa/keys/
$ cp dh1024.pem ca.crt server.crt server.key /etc/openvpn/

Client Configuration File

We need to copy and edit the client configuration file.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.ovpn

Edit file client.ovpn,
$ vi /home/client.ovpn

Set the VPN server host name/IP address:

remote [public ip or hostname of your vpn server] 1194

Distributing Client Certificates

You must copy all client certificates and keys to the remote VPN clients in order to authenticate to the VPN server. In our case, we have generated certificates and keys to only one client, so we have to copy the following files to the VPN client.

ca.crt
client.crt
client.key
client.ovpn

You have to copy the above files to your VPN clients securely. Copy the keys with caution. If anyone gets ahold of your keys, they can easily intrude and get full access to your virtual private network.

Configuring VPN Server

Copy the file server.conf.gz file to /etc/openvpn/ directory.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

Extract the file using the following command:
$ gzip -d /etc/openvpn/server.conf.gz

Edit file server.conf,
$ vi /etc/openvpn/server.conf

Find and uncomment the following lines to route client systems traffic through OpenVPN server.

[…]
push “redirect-gateway def1 bypass-dhcp”
[…]

Also, Uncomment and change the DNS servers to reflect your own DNS values. Here I am using Google public DNS servers.

[…]
push “dhcp-option DNS 208.67.222.222”
push “dhcp-option DNS 208.67.220.220”
[…]

Uncomment the following lines:

[…]
user nobody
group nogroup
[…]

Save and close the file.

IP forwarding and routing Configuration

Edit sysctl.conf file,
$ vi /etc/sysctl.conf

Find the following line and set value “1” to enable IP forwarding.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Run the following command to apply the sysctl changes.
$ sysctl -p

Enter the following command to enable IP forwarding:
$ echo 1 > /proc/sys/net/ipv4/ip_forward

Start OpenVPN Server

Finally, start openvpn service and make it to start automatically on every reboot using the following commands:
$ service openvpn start

Verify if VPN interface(tun0) is created using ifconfig command:
$ ifconfig

Network Router Configuration

We need to do two things on your router and how you do them greatly depends on your router.  I’m assuming you have a hardware router hooked up to your DSL, Cable or other type of internet connection and you’re setting up a Ubuntu VPN server on the internal network and want to access other computers on that internal network once your remote clients have authenticated into the VPN tunnel.

1. Your VPN server should have an internal static IP address… We need to tell your router to route all 10.8.0.0 traffic to your VPN server so when your VPN clients connect they can communicate with your internal network.

2. Open external port 1194 tcp and udp and point it at your VPN server’s internal static IP address.

Clients

Now we have the files needed to put on your clients, your server is all setup, and your router is configured correctly… it’s time to look at setting up clients.  I created a client certificate for each of my three workstations… each running a different OS:  Mac OS X, Ubuntu 14.04, and Windows 7.  I want to validate and connect into my VPN remote network from all three systems… but configuring their client is slightly different on each.  Below I go into details on setting each one up.

Ubuntu Client

I’ll assume you are using this system as a Ubuntu workstation/laptop and have a graphical interface… thus want to use Network Manager to connect in.  First we’ll need to install two items:
$ sudo apt-get install openvpn network-manager-openvpn

Navigate…
System Settings->Network->+ (hit pluse in bottom left)
Choose VPN interface and hit Create
Select OpenVPN from the type list and hit Create
Specify the Gateway (public ip or domain name of your vpn server)
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.

Save that and you’re done.  You should now connect into your VPN and run a few ping and other tests. 

Mac Client

My primary laptop is a Mac, so let’s go there next.  Here you’ll need to install a VPN client application called TunnelBlick.  https://www.tunnelblick.net/

Once you’ve installed the application, you need to dbl-click on your client.ovpn file.  The ovpn file type has been associated with Tunnelblick when it was installed and will open up the file allowing you to add that connection ot your available list.  Once done, simply connect into the VPN and run your tests.

Windows Client

Visit http://sourceforge.net/projects/securepoint and download the windows OpenVPN client.
Launch the Securepoint SSL VPN client, dbl click the tray icon when it appears, and select New. 
Next
Enter Name of your VPN Connection and hit Next
Enter the Public IP or Domain Name of your VPN server, the port you configured (default is 1194) and I prefer TCP connections due to reliability reasons… then hit Next
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.
Hit Next
Under Advanced Settings
– check the “Comp-LZO” checkbox
– uncheck the “Auth user/pass” checkbox
– leave all others at their Defaults
hit Next
Lastly hit Finish

 

All done… let me know if you have any questions below.

Installing Tanium v6.1

Installing Tanium is actually really easy and I’m going to make it even easier by walking you through the express installation of the product.

In the following article I’ll provide you with the various screen shots for the express installation of Tanium v6.1.314.2342 and I’ll call out screens that may need additional explainations. Let’s get started!
I assume you’ve already acquired the installation executable from your Technical Account Manager or Sales person…
tanium01
Double click it to launch the installer. If you’re installing onto a Windows 2008r2 server, like I am here, you may need to click yes to the UAC request dialog:
tanium02
tanium03
tanium04
This virtual computer I’m installing our server onto, does not have an MSSQL server installed, so we’ll choose to install the MSSQL Express Edition.
tanium05
tanium06
tanium08
We’ll have to agree to Microsoft’s EULA…
tanium09
I’ve chosen to download and install updates to MSSQL here.
tanium10
I’m also using the default options…
tanium13
Leave the named instance settings as is.
tanium14
As well as the service configuration settings…
tanium15
We only support Windows authentication so choosing between only Windows Auth or both is up to you.
tanium16
tanium19
Now… back to the Tanium installation… choose the Express Install.
tanium20
Provide your windows credentials for the initial user. If your server is linked to a domain, it can be a domain login (does not need to be an admin or anything). If your server is NOT on a domain, simply provide one of the local accounts username/passwords to continue.
tanium22
All done!
tanium23

The express installation of our product creates a self signed certificate for the console, so you’ll need to agree to continue.
tanium24
Log in with the username/password you specified earler…
tanium25
When you have successfully logged in, an initial content load will occur. This means your server is downloading a “starter” pack of content (sensors, packages, dashboards, etc) which will get you started with the product immediately. This process does take several minutes, so please be patient.
tanium26
Once the content load is complete, you’ll get to play around with the product!
tanium27

Currently you do not have any endpoints to work with. I’ll release another article very soon which explains a few ways of getting agent installed onto your computers.

Installing DB2 Enterprise v10.1

Extract installer file…

 

Run Prechecks…

SNAGHTMLf817c13

I already solved the first one… See below on how to disable SELinux on your RHEL system.

 

Below that, I’ll show you how to solve the missing packages so we can continue with DB2 installation

 

 

 

 

 


Fully Disabling SELinux

Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labeling.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

… and then reboot the system.

(thanks… http://www.crypt.gen.nz/selinux/disable_selinux.html)


Installing dapl…

On my ISO are the various RPM packages I’ll need.  Attempting to install dapl resulted in additional dependencies…

image

…installing libibverbs…

image

…installing librdmacm…

image

and finally… it works

image


Installing sg3_utils…

This seems to be a recurring theme any time I play with *nix boxes.. dependencies upon dependencies…

image

…installing libsgutils2 which refers to sg3_utils-libs…

image

and finally… it works

image


I was unable to find an sg_persist package… so I re-ran the db2prereqcheck script… and looks like it is included in one of the packages that were installed… and v10.1.0.0 is ready for installation!

Back to the installation:

image

After answering some basic questions like where to install, etc…  it finished!

 

To validate it is running… try this:

ps –eaf | grep –i db2sysc

image

 

To automatically start DB2 instance…

/opt/ibm/db2/V10.1/bin/db2iauto –on db2inst1

image

Installing Microsoft SQL 2012

Like many of my step-by-step articles, it’s mostly for corporate level documentation purposes.

I won’t describe every screen, only those that include important decision points that affect my particular use case.

 

MSSQL_2012_Install_01

MSSQL_2012_Install_02

MSSQL_2012_Install_03

MSSQL_2012_Install_04

MSSQL_2012_Install_05

MSSQL_2012_Install_06

MSSQL_2012_Install_07

MSSQL_2012_Install_08

MSSQL_2012_Install_09

MSSQL_2012_Install_10

MSSQL_2012_Install_11

MSSQL_2012_Install_12

The above dialog is warning me that the firewall does not allow remote database connectivity.  The below command line can be used to open up the SQL port.  The cmd prompt must be opened with administrative permissions for this to work.
netsh advfirewall firewall add rule name = SQLPort dir = inprotocol = tcp action – allow localport = 1433 remoteip = localsubnet profile = DOMAIN

MSSQL_2012_Install_13

MSSQL_2012_Install_14

This is one of those major decision points.  My purpose for this database is to house the newest IBM Endpoint Manager v9 database… nothing else.  So I only require a few items to accomplish this simple task.  The following items are needed for my particular use case:

  • Database Engine Services
    • Full-Text and Semantic Extractions for Search
  • Management Tools – Basic
    • Management Tools – Complete

MSSQL_2012_Install_15MSSQL_2012_Install_16

MSSQL_2012_Install_17

MSSQL_2012_Install_18

MSSQL_2012_Install_19

MSSQL_2012_Install_20

MSSQL_2012_Install_21

In order to get IEM installed properly… an SA account is required. So I’ll configure the database authentication in “Mixed Mode” and specify a password for the SA account.

MSSQL_2012_Install_22

MSSQL_2012_Install_23

MSSQL_2012_Install_24

MSSQL_2012_Install_25

MSSQL_2012_Install_26

MSSQL_2012_Install_27

MSSQL_2012_Install_28

That’s all there is to it.  Installations are almost always straight forward… but some corporations require complete step-by-step documentation, I hope this fits the bill.

Installing Windows Server 2012

Recently I’ve had a need to setup a Windows Server 2012 and wanted to document the process for future attempts.

I won’t document every single screen, only those that include decisions to be made and considerations to be considered.

 

Windows_Server_2012_Install_01

Windows_Server_2012_Install_02

Windows_Server_2012_Install_03

Windows_Server_2012_Install_04

Windows_Server_2012_Install_05

I’ll be using this server as a root server for my new IBM Endpoint Manager v9, so a GUI would be very handy during install and general maintenance of that application.

Windows_Server_2012_Install_06

Windows_Server_2012_Install_07

At first I wanted to go with a regular install… not Custom… so I chose the top option.

Windows_Server_2012_Install_08

Turns out this is for upgrading an existing OS installation.  Since this is a brand new hard drive with no pre-existing OS, I should have chosen the “Custom” option.  After hitting Close, I was sent back to the very beginning of the installation.

Windows_Server_2012_Install_09

Windows_Server_2012_Install_10

Windows_Server_2012_Install_11

Windows_Server_2012_Install_12

Windows_Server_2012_Install_13

Once I arrived at the start up screen… it hung there for nearly 30 minutes.  Turns out since I was setting this up on a VMWare ESXi v5.0 server it doesn’t support Windows Server 2012.  So after some research I came across this article: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2006859 

I learned that I had to upgrade my VMWare ESXi server to a patch or v5.1… I opted for v5.1 and was able to get past this sticky part.

Windows_Server_2012_Install_14

Windows_Server_2012_Install_15

Windows_Server_2012_Install_16

Windows_Server_2012_Install_17

Windows_Server_2012_Install_18

Windows_Server_2012_Install_19

Windows_Server_2012_Install_20

The server manager has been redesigned for the new GUI.  Interesting choices…

Windows_Server_2012_Install_21

Windows_Server_2012_Install_22

Windows_Server_2012_Install_23

I don’t want this application to come up every time I log in… so choosing the Manager –> Server Manager Properties, I was able to check the “Do not start Server Manager automatically at logon”.

Windows_Server_2012_Install_24

Now I need to add my new server to my LDAP domain.  Choosing “Local Server” from the left menu…

Windows_Server_2012_Install_25

Click on “WORKGROUP” and the familiar computer properties dialog opens where you can change these settings.

Windows_Server_2012_Install_26

Windows_Server_2012_Install_27

Windows_Server_2012_Install_28

Windows_Server_2012_Install_29

Windows_Server_2012_Install_30

Windows_Server_2012_Install_31

Windows_Server_2012_Install_32

One restart later I was able to log in and I’m done.

Content Database

Large App Icon

I’ve just added a new feature to my BigFix.me website… the Content Database!!! Come check it out!

This side-project catalogues fixlets, tasks, and analyses into one big content database (CDB). The first available feature of the CDB is the ability to search relevance statements. Type in one or more keywords like "operating system" or "exists" and you’ll get back tons of examples of how to use those inspectors or key words within your own relevance statements. The database even knows what type of data will be returned and we sort all the results by re-use count, which can be helpful in finding the most popular statements.

If you want to contribute to the database, simply logon or register and visit our import BES content page.

You can learn more here: http://bigfix.me/cdb.

Installing BigFix.me MDM onto your iOS devices.

The following step-by-step process demonstrates how to install/configure MDM on your iOS devices… iPhones, iPods, and iPads.

1. Visit https://bigfix.me using your mobile device. Step 1 of 13
2. Click "Continue to this website (not recommended)" if prompted. Step 2 of 13
3. Click the "SSL certificate" link towards the bottom. Step 3 of 13
4. Click the "Install" button on the "Install Profile" screen. Step 4 of 13
5. Click the "Install" button on the "Warning" screen. Step 5 of 13
6. If you have a password set, you will need to enter it now and hit "Done". Step 6 of 13
7. Click the "Done" button on the "Profile Installed" screen, you will be returned to Sarfari. Step 7 of 13
8. Enter your email address, choose Device Ownership value and click the "Enroll" button. Step 8 of 13
9. Click the "Install" button on the "Install Profile" screen. Step 9 of 13
10. Click the "Install Now" button within the popup box. Step 10 of 13
11. If you have a password set, you will need to enter it now. Step 11 of 13
12. Click the "Install" button one more time for the "Warning" screen and your done. Step 12 of 13
13. Click "Done" and your all finished. Step 13 of 13

BigFix Endpoint Command Polling

Command polling is a feature built into every Tivoli Endpoint Manager endpoint.  This feature instructs endpoints to query their relay for new instructions instead of waiting the UDP ping regarding new actions.

This feature is invaluable when it comes to endpoints that are beyond your DMZ or UDP pings are not allowed.  By activating this task, you can speed up the responsiveness of your endpoints in this ping restricted locations.

Look for the “BES Client Setting: Enable Command Polling” task within the BES Support external site.

My DMZ relay is identified when endpoints communicate with my public domain name: bigfix.me.  When the endpoint talks to this relay I would like them to poll for commands every 45 minutes.  When the endpoints switch to talking to a different relay, I would like them to turn off the polling settings.

To do this I will activate two different actions.  One that is targeted at computers talking to my bigfix.me relay.  A second task will have additional relevance to differentiate them and allow me to turn off polling.

Enable Polling

Activate this action choosing the second take action option which allows us to specify the number of seconds… at 2700 or 45 minutes.

Command Polling 1

Command Polling 2

Next we’ll need to copy the “Relay” global property relevance so we can add a bit of logic to our action.

Command Polling 3

Copy the relevance for “Relay” into the clipboard and hit Cancel to close the Manage Properties window.

Command Polling 4

Returning to the Take Action dialog, specify the Preset = Policy   and select “All Computers” as the target.

Command Polling 5

On the “Applicability” tab we’ll want to modify the relevance and add the following to the end of what is there (copied from the Relay global property):

 AND (if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server) then (name of registration server) else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string) then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client))) else "BES Root Server") as lowercase contains "bigfix.me" AND NOT exists setting "_BESClient_Comm_CommandPollEnable" of client

Command Polling 6

After updating the relevance, we’re ready to hit OK to activate this action.

It will run on all endpoints which have “bigfix.me” within the Relay global property.

Disable Polling

Now that we have this feature getting enabled, we’ll want to disable it where it is not needed.  In other words, when endpoints are talking to any other relay except my “bigfix.me” DMZ relay.

Command Polling 7

Under the Target tab, specify all computers, configure Preset = Policy and update the name so we know this will “Disable Command Polling”.

Command Polling 8

Next we’ll move over to the “Applicability” tab as we did before and add the following slightly modified relevance from before (notice the “does not” at the end):

AND (if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server) then (name of registration server) else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string) then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client))) else "BES Root Server") as lowercase does not contains "bigfix.me" AND exists setting "_BESClient_Comm_CommandPollEnable" of client

Command Polling 9

After updating the relevance, we’re ready to hit OK to activate this action.

Now I will start to receive better response from endpoints communicating through my DMZ relay server.

If you have any questions or comments, please add them to the comments section below.

How to Tattoo your BigFix Endpoints

A large organization utilizing Tivoli Endpoint Manager (BigFix) has many things to do when it comes to organizing your endpoints.

Organization comes in many forms… grouping computers by: Operating System, Processor, Available Disk Space and Last Report Time are all out-of-the-box features of any BigFix infrastructure.  BUT that doesn’t make it very useful for the business side of your organization. 

To help organize your endpoints into business centric groups… we need to utilize a process I call automatic tattooing.  Tattooing endpoints can happen in many ways but they are all triggered off from properties on endpoints.  These properties can be values within INI files somewhere on the file system of your endpoints.  They can also take the form of: is a certain program installed?

For this article I will limit the scope to a few windows properties that are hidden deep within the registry.  In a later article I will help describe the process of a cross-platform tattooing method.

For my purpose I will focus on the RegisteredOrganization and RegisteredOwner string values within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion of the Registry.

I will create a few things:

1. Two global properties which I can use within WebReports, and to help with targeting actions.

2. A task to make it very easy to configure this value using an action.

Global Properties

Crafting relevance for my two global properties is actually really easy.  In my case I’ll be reading into the registry for the values of my properties as such:

Registered Organization = value "RegisteredOrganization" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Tattooing 1

Registered Owner = value "RegisteredOwner" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Tattooing 2

Now let’s implement those within our console. 

Tattooing 3

Click on Tools->Manage Properties, Click “Add New” and specify the “Name:” and “Relevance:”.  If you have more than 100k endpoints, you may want to consider increasing the “Evaluate” property to something like “1 day” or longer.  For my tiny deployment, I will leave it at the default “Every Report”.

Tattooing 5    Tattooing 6

Once the properties have propagated, your endpoints will start to return data…

Tattooing 7

 

Configuration Task

Next up is something a tad more difficult, depending on your experience with creating custom content.  We will create a custom task which will allow us to configure these two registry values.  This task will utilize to very special commands: action parameter query, regset and regset64.  Read more about those in this document.

Let’s start with a new task:

Tattooing 8

Tattooing 9

As anybody who has read my previous articles knows, I like to fill in every blank.  It makes for a better deliverable product to customers.

Tattooing 10

The action script for this task will need to do the following things expressed in sudo-code:

Query the user for the value they want to configure for both properties.

if 64bit OS

    configure 64bit registry values

else

    configure 32bit registry values

validate

After a bit of research, our action script ends up looking like this:

action parameter query "Organization" with description "Please enter the name of your Organization (Ex: Moran IT):" and with default value ""
action parameter query "Owner" with description "Please enter the Owner’s name (Ex: Daniel):" and with default value ""

if {exists x64 of operating system}
    regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOrganization]" = "{parameter "Organization"}"
    regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOwner]" = "{parameter "Owner"}"
endif 


regset  "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOrganization]" = "{parameter "Organization"}" 
regset  "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOwner]" = "{parameter "Owner"}"

continue if {(value "RegisteredOrganization" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) = (parameter "Organization")}
continue if {(value "RegisteredOwner" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) = (parameter "Owner")}

Tattooing 11

Of course we can’t forget about a URL with additional detail on this task…

Tattooing 12

The relevance required to do this is actually very simple.  Since only windows computer have a “registry” we can eliminate all non-windows endpoints from running this action with the following relevance:

name of operating system contains "Win"

Tattooing 13

It is highly unlikely that a windows registry will not have the following key, but so we all learn good habits I’ve added the following relevance as well:

exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Tattooing 14

Let us not forget my article on Properties.

Tattooing 15

It’s been a few minutes and it looks like my fastest computers have already responded with their applicability responses.

Tattooing 16

I won’t go into detail on how to launch this task, I’ve already covered that.  Targeting is way more important to think through and understand how you are going to organize your endpoints.  In later articles I will cover other tattooing methods and how they can benefit your organizations.

For your convenience, here is a zip file containing the content covered in this article:  http://dl.dropbox.com/u/41985632/Content/Configure%20Registered%20Organization%20and%20Owner.zip

If you have any questions or comments, please leave them below.  I’d love to hear about some other tattooing methods and how you implement them within your deployment.