13 Replies. Latest reply on May 29, 2009 2:13 AM by rhythm_methods

    Agent Deployment via AD/GPO?

      My company is getting rid of login scripts and taking admin access away from users.

      Currently I deploy the agent to PCs via login script, so any new PC that logs onto the domain gets the agent straight away.

      As I won't be able to keep using login scripts, and users will not have admin rights now, I was wondering how it can be done using AD or GPO?

      I am hoping somebody has actually done this ok with McAfee Agent now?
        • 1. RE: Agent Deployment via AD/GPO?
          JeffGerard
          Well you could use RSD to deploy the agent...but if that's not an option, I'll just keep my eye on this thread too.

          I use startup scripts...(if that's an option let me know and I can definitely help with that). I find startup much better than logon because they don't wait for a user to logon...it all happens as soon as a machine is added to the domain.
          • 2. RE: Agent Deployment via AD/GPO?
            Thanks for that. Yea, using a startup script from AD/GPO is the way I will need to go I think.
            Unless somebody has worked out a better way?

            RSD isn't an option right now; though I have that on my want-to-implement list, I can't at the moment.
            (Though I have done some testing with it and want to use it)

            For my logon script at the moment it is done with a VBScript and it works fine.
            It just checks if the correct version of the agent is installed and if not it runs the framepkg from the users' local file and print server.

            If you (or others) have any good tips for deploying the agent from a startup script that would be great if you want to pass some info along? It looks like that is what I will be doing I think.

            Thanks.
            • 3. RE: Agent Deployment via AD/GPO?
              JeffGerard
              Here's a snippet of my startup script with the related info...I don't check the version but just the existence of EvtFiltr.ini to determine if the machine is managed or not. The version can be easily updated by the agent with an update task so that part is not necessary.

              ** Keep in mind that I am assuming that all AD computers other than XPe thin clients are candidates for the McAfee Agent here.

              HTH...(comments/criticism/pointers welcome!)

              @echo off
              rem Startup script to check for McAfee Agent and current ePO Server name
              rem If MA does not exist, install it, if exists, poke it
              rem ** Note: if logging, log file must exist and be writeable by the process involved as all the log file entries assume appending to the file **

              rem Test if client is XPe Thin Client (quoted so the test still parses when the variable is not defined)
              if /i "%runtimeskucode%" == "XPeCli" goto thin_client

              rem Set MADir variable to location of Common Framework directory
              if exist "%ProgramFiles%\McAfee\Common Framework\CmdAgent.exe" set MADir=%ProgramFiles%\McAfee\Common Framework
              if exist "%ProgramFiles(x86)%\McAfee\Common Framework\CmdAgent.exe" set MADir=%ProgramFiles(x86)%\McAfee\Common Framework
              if exist "%ProgramFiles%\McAfee\CmdAgent.exe" set MADir=%ProgramFiles%\McAfee
              if exist "%ProgramFiles%\Network Associates\Common Framework\CmdAgent.exe" set MADir=%ProgramFiles%\Network Associates\Common Framework
              if exist "%SystemDrive%\ePOAgent\CmdAgent.exe" set MADir=%SystemDrive%\ePOAgent
              if exist "%ProgramFiles%\ePOAgent\CmdAgent.exe" set MADir=%ProgramFiles%\ePOAgent

              rem Test if client is ePO managed (EvtFiltr.ini only exists on ePO managed machines)
              if exist "%ALLUSERSPROFILE%\Application Data\McAfee\Common Framework\EvtFiltr.ini" goto check_epo_server
              if exist "%ALLUSERSPROFILE%\Application Data\Network Associates\Common Framework\EvtFiltr.ini" goto check_epo_server

              :epo_inst
              rem If we're here we need to install agent (uses system credentials when run as a startup script)
              "\\myad.dom\netlogon\FramePkg_AD.exe" /FORCEINSTALL /INSTALL=AGENT /SILENT
              echo ***** %date% %time%: MA was NOT detected on %computername% ***** >> "\\10.1.1.1\pub\pub\ePO_Inst_Logs\general.log"
              echo %date% %time%: Attempted to install MA on %computername% > \\10.1.1.1\pub\pub\ePO_Inst_Logs\%computername%.log
              goto end_epo_inst

              :check_epo_server
              rem Check registry key for existence of current ePO server name - if pointing to old ePO server, update sitelist with new version
              REG QUERY "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v ePOServerList | find /i "my_active_ePO_server_name" > nul
              if %errorlevel% == 1 (
              "%MADir%\FrmInst.exe" /Silent /siteinfo=\\myad.dom\netlogon\epo\SiteList.xml
              echo %date% %time%: Updated ePO SiteList.xml on %computername% >> "\\10.1.1.1\pub\pub\ePO_Inst_Logs\general.log"
              )

              :end_epo_inst
              rem Wakeup agent and log computer name (if log desired remove "rem" on next line)
              rem echo %date% %time%: MA exists on %computername% >> "\\10.1.1.1\pub\pub\ePO_Inst_Logs\general.log"
              "%MADir%\CmdAgent.exe" /p /c
              goto quit

              :thin_client
              rem Log computer is a thin client if desired
              rem echo %date% %time%: %computername% is an %runtimeskucode% - skipping... >> "\\10.1.1.1\pub\pub\ePO_Inst_Logs\general.log"

              goto quit


              :quit
              exit
              • 4. RE: Agent Deployment via AD/GPO?
                Thanks for that, it is useful to see what others are doing.

                I haven't done much research (I mean googling) yet, but I think I am going to just modify my current VB script and use that as a startup script. I haven't done that before, just used them as logon scripts, but do you know of any tips or things to look out for if I do this?

                Currently I use a framepkg with no credentials embedded into it and that just runs as the logged on user from the login script.

                I like to check the version of the agent just so that if for some reason there are systems that have not been updated via ePO (for whatever reason) it will try and run the framepkg again when that system logs on.
                I could probably get away without it, as I don't have any problems with that actually, but I like it just as a kind of a backup method etc.

                If I modify the VBS and make that as a startup script what user will it run as?
                Will it still be ok to use a framepkg with no credentials?
                • 5. RE: Agent Deployment via AD/GPO?
                  JeffGerard
                  If the install is using current logged on user credentials, then they would have to have local admin rights. The embedded credential agent package has been posted for download so you could create a custom install package.

                  The user that runs the installer just needs to have local admin rights.
                  • 6. RE: Agent Deployment via AD/GPO?
                    Thanks Jeff, yup, currently users have local admin rights which is why I get away with no embedded credentials.


                    We will be killing local admin rights too.

                    So I guess what I was wondering is what happens when you use a script as startup instead of logon.
                    The logon runs as the user who is logging on, but do you know what would be the default user for when a script is run on startup instead of logon?

                    heh, I still haven't googled this yet :)

                    I did use a package with embedded credentials in the past, but somebody complained about the security issues, so canned that, because I could get away with doing so. So I would prefer not to embed credentials if I don't have to.
                    • 7. RE: Agent Deployment via AD/GPO?
                      JeffGerard
                      Well, seeing as MA P2 came out without embedded cred options, I ended up using a non-cred package for deploying via startup. It works fine. I believe the system account is used at this point of the bootup process so you should be good with a non-cred'd install with startup.
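                      As an added example (not code from this thread, from JeffGerard, or from McAfee), here is the version check that reply 4 wants, written as a GPO startup script so it runs under the system account as reply 7 describes, with no credentials embedded in the package. It assumes the agent publishes its version as a REG_SZ value named AgentVersion under the registry key already quoted in reply 3 (value name not confirmed by the thread), and the package and log paths are placeholders for your own site.

```batch
@echo off
rem Added example (not from the thread): GPO startup script that re-runs the FramePkg
rem only when the installed McAfee Agent is older than a required version.
rem Assumptions: the agent stores its version in the REG_SZ value "AgentVersion"
rem under the key quoted in reply 3; PKG and LOG are placeholders for your site.
setlocal enableextensions

set REQUIRED=4.0.0.1180
set PKG=\\myad.dom\netlogon\FramePkg.exe
set LOG=\\10.1.1.1\pub\pub\ePO_Inst_Logs\general.log
set AGENTKEY=HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent

rem In a startup script %USERNAME% is the computer account (COMPUTERNAME$): the
rem package runs as Local System, so it needs neither user rights nor embedded credentials.
echo %date% %time%: startup script on %computername% running as %USERNAME% >> "%LOG%"

rem Read the installed version from the registry; no value means no agent.
rem The 2^>nul and ^| are escaped because they sit inside the for /f command string.
set INSTALLED=
for /f "tokens=3" %%v in ('reg query "%AGENTKEY%" /v AgentVersion 2^>nul ^| find /i "AgentVersion"') do set INSTALLED=%%v
if not defined INSTALLED (
    echo %date% %time%: no agent found on %computername% >> "%LOG%"
    goto install
)

rem Split both versions into four numeric fields. ".0.0.0" is appended so a short
rem version string still yields four tokens instead of breaking the comparison below.
for /f "tokens=1-4 delims=." %%a in ("%INSTALLED%.0.0.0") do (
    set I1=%%a
    set I2=%%b
    set I3=%%c
    set I4=%%d
)
for /f "tokens=1-4 delims=." %%a in ("%REQUIRED%.0.0.0") do (
    set R1=%%a
    set R2=%%b
    set R3=%%c
    set R4=%%d
)

rem Compare field by field numerically (a plain string compare would rank 4.0.0.980
rem above 4.0.0.1180); stop at the first field that differs.
if %I1% lss %R1% goto install
if %I1% gtr %R1% goto current
if %I2% lss %R2% goto install
if %I2% gtr %R2% goto current
if %I3% lss %R3% goto install
if %I3% gtr %R3% goto current
if %I4% lss %R4% goto install

:current
echo %date% %time%: agent %INSTALLED% on %computername% already meets %REQUIRED% >> "%LOG%"
goto end

:install
rem Local System reaches the share with the computer account, so that account must
rem be able to read the package (NETLOGON grants Domain Computers read by default).
if not exist "%PKG%" (
    echo %date% %time%: package %PKG% not reachable from %computername% >> "%LOG%"
    goto end
)
"%PKG%" /INSTALL=AGENT /SILENT
echo %date% %time%: ran %PKG% on %computername% ^(installed was "%INSTALLED%", exit code %errorlevel%^) >> "%LOG%"
goto end

:end
endlocal
exit /b 0
```

                      Assign it under Computer Configuration, Windows Settings, Scripts (Startup) in the GPO. Because the script runs before any user logs on, every share ACL is evaluated against the computer account rather than a user: the NETLOGON read works out of the box, but the log share needs write access for Domain Computers if you keep the logging lines, and nothing in the script or the package carries a password.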
                      • 8. RE: Agent Deployment via AD/GPO?
                        Excellent, thanks for the info, it's just good to know somebody else got that to work ok before I waste too much time on it, as you know, that's the one thing that's hard to come by :)

                        Once I get a chance I will make a start on this side of things.

                        Thanks again.

                        If anyone else has any info feel free to chip in :)
                        • 9. RE: Agent Deployment via AD/GPO?
                          oh yea, and thanks for the tip on the new package being available, I am downloading it now.