    SaltStack Windows Playbooks

    • Emad R

      Hello,

      I wanted to start a topic that hopefully will always be updated and kinda pinned, listing all the guides and neat stuff we can do with SaltStack. I use it to manage Windows clients mostly, so for me this will be like an Active Directory replacement showcase.

      Want to hear your feedback and correct me if you see room for improvements, and share ideas as well.

      This will not cover setting up Salt, just the techniques which I call playbooks (I know, taken from Ansible).

      • Emad R @Emad R

        @msff-amman-Itofficer

        Sophos Virus Removal Tool:

        Upload the sophos folder to the salt master and send it to clients:
        salt '*' cp.get_dir salt://sophos/ c:/salt
        Run sophos silently and delete the temp files prior:
        salt '*' cmd.run 'del /q/f/s %TEMP%\*'
        salt '*' cmd.run '"c:/salt/sophos/SVRTcli.exe" -yes -reboot'

        To view the log file, you can read this file:
        salt '*' cmd.run 'type "C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log"'

        To clean the log file:
        salt '*' cmd.run 'del /q/f/s "C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\*"'

        Other Command line options:
        -debug Display extra logging information.
        -help Display this text help.
        -noupdate Don't download updates when the tool starts.
        -preview Don't do disinfection/cleanup.
        -reboot Reboot automatically if required for cleanup.
        -reset Remove any pending cleanup on reboot operations.
        -uninstall Uninstall after scan and cleanup is complete.
        -yes Don't ask for confirmation before cleanup.


        You can create a state file and schedule it in cron as well:

        Create sophos.sls in /srv/salt with:

        push_sophos_av_files:
          file.recurse:
            - source: salt://sophos
            - name: 'c:\salt\sophos'
            - makedirs: True
          cmd.run:
            - name: 'c:\salt\sophos\state.cmd'
        

        Then schedule the below command in crontab (VISUAL=nano crontab -e) to run every 2 hours:
        0 */2 * * * salt '*' state.apply sophos

        And in the state.cmd file put your command.

        • Emad R

          Windows Local Group Policy:

          Controlling updates + screen wallpaper

          Create lgpo.sls in /srv/salt with:

          Company Local Group Policy:
              lgpo.set:
                  - computer_policy:
                      Configure Automatic Updates:
                          Configure automatic updating: 4 - Auto download and schedule the install
                          Scheduled install day: 5 - Every Thursday
                          Scheduled install time: "16:00"
                  - user_policy:
                      Do not process the legacy run list: Enabled
                      Desktop Wallpaper:
                          Wallpaper Name: C:\salt\wallpaper.jpg 
                          WallpaperStyle: Fill
          Run myscript:
            cmd.run:
              - name: gpupdate.exe /force
          

          Then schedule the below command to run “every 30 mins.”
          */30 * * * * salt '*' state.apply lgpo

          This location: C:\Windows\PolicyDefinitions
          has the adm files that you can view for troubleshooting.
          Windows 10 Configure Automatic Updates differs from Windows 7, so if you have an environment with both Win7 and Win 10 you're screwed; you need to create different settings for both sometimes. For example, this update setting will work on Windows 7 but Windows 10 will report an error about a missing value you need to add, and I forgot what it is, and if you add it, Windows 7 machines won't work.

          Sometimes the response will be invalid, however the policy will work, to verify use one of the below:

              salt '*' lgpo.get user    # By default shows only configured policies
              salt '*' lgpo.get machine
              salt '*' lgpo.get machine return_not_configured=True
              salt '*' lgpo.get_policy_info 'Maximum password age' machine
              salt '*' lgpo.get_policy_info 'Desktop Wallpaper' user
          
          • Emad R @Emad R

            @msff-amman-Itofficer

            CCleaner:

            Download CCleaner portable and check the items you want to clear on clients, then upload the ccleaner folder to the salt master and send it to clients:
            salt '*' cp.get_dir salt://ccleaner/ c:/salt

            Run ccleaner silently as well as delete the temp files and recycle bin prior:

            salt '*' cmd.run 'del /q/f/s %TEMP%\*'
            salt '*' cmd.run 'rd /s /q %systemdrive%\$Recycle.bin'
            salt '*' cmd.run '"c:/salt/ccleaner/CCleaner.exe" /AUTO'
            
            • Dashrender

              Add some tags to the OP.
              Will make it easier to find in the future.

              • Emad R @Dashrender

                @Dashrender said in SaltStack Windows Playbooks:

                Add some tags to the OP.
                Will make it easier to find in the future.

                sure

                • Emad R @Emad R

                  SaltStack can control power settings for Windows machines. You can control them via the below commands; you need to create a state file with the below:

                  monitor:
                      powercfg.set_timeout:
                          - value: 30
                          - power: ac
                  disk:
                      powercfg.set_timeout:
                          - value: 30
                          - power: ac
                  standby:
                      powercfg.set_timeout:
                          - value: 0
                          - power: ac
                  hibernate:
                      powercfg.set_timeout:
                          - value: 0
                          - power: ac
                  

                  You can also get that information, and not apply rules, by replacing set with get, for example: get_disk_timeout

                  Then schedule the below commands in crontab (VISUAL=nano crontab -e) to run:
                  */30 * * * * salt '*' state.apply power_ac
                  */30 * * * * salt '*' state.apply power_dc

                  It is good to apply this prior to windows update, or virus scan command.

                  • Emad R @Emad R

                    @msff-amman-Itofficer

                    Fix Windows Time:

                    Get list of configured NTP servers
                    salt '*' ntp.get_servers

                    Set Windows to use a list of NTP servers
                    salt '*' ntp.set_servers 'pool.ntp.org'

                    Verify:
                    salt '*' system.get_system_date
                    salt '*' system.get_system_time

                    Make sure the Windows Time Service is running and set to automatic startup.
                    salt '*' system.start_time_service
                    salt '*' system.stop_time_service

                    After setting ntp, ensure Timezone is correct as well:

                        salt '*' timezone.set_zone 'Asia/Amman'
                        salt '*' system.set_system_date '03-28-13'
                        salt '*' system.set_system_time "'14:16 +0300'"    # (if set using NTP it won't work)
                        salt '*' system.set_system_time "'+0300'"          # (if set using NTP it won't work)
                    
                    • Emad R

                      My Favorite Ultra-VNC setup:

                      Not all issues can be fixed from the command line, alas, thus this recipe:

                      uvnc:
                        file.recurse:
                          - source: salt://uvnc
                          - name: 'c:\salt\uvnc'
                          - makedirs: True
                        cmd.run:
                          - name: 'c:\salt\uvnc\state.cmd'
                        module.run:
                          - name: firewall.disable
                      

                      Remember to re-enable the firewall of the client when finished. (salt "client" firewall.enable)
                      You will need to create a uvnc folder (get it from UltraVNC portable builds) on your Salt master, in /srv/salt

                      In it:

                      • winvnc.exe
                      • UltraVNC.ini
                      • state.cmd
                      • SecureVNCPlugin32.dsm (Optional Encryption plugin)
                      • Server_ClientAuth.pubkey (Optional Encryption server SSL handshake check)

                      And in the state.cmd put the following:

                      taskkill /f /im winvnc.exe
                      sc stop uvnc_service
                      sc delete uvnc_service
                      "c:\salt\uvnc\winvnc.exe" -install
                      "c:\salt\uvnc\winvnc.exe" -startservice
                      sc config uvnc_service start= demand
                      ipconfig | findstr /i "ipv4"
                      

                      And whenever you want to connect to client, run this in salt master:
                      salt '172' state.apply uvnc

                      And you will see the IP of the client. You will need to match the IP, and any custom settings you made like port number/encryption plugin, in VNC viewer and connect to the client.

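Added example, not part of the original post and not Emad R's code: a variant of the uvnc state that keeps Windows Firewall enabled and opens only the VNC port to one admin host, instead of calling firewall.disable. It assumes winvnc.exe listens on UltraVNC's default TCP port 5900 and uses 192.0.2.10 as a placeholder for the workstation running the viewer; the state IDs and the rule name are made up for the example.

```yaml
# Added example (not from the thread). Assumptions: UltraVNC listens on its
# default TCP 5900; 192.0.2.10 is a placeholder for the admin workstation.

# Push the UltraVNC files, as in the original state.
uvnc_files:
  file.recurse:
    - name: 'c:\salt\uvnc'
    - source: salt://uvnc
    - makedirs: True

# Install and start the service only after the files are in place.
uvnc_service:
  cmd.run:
    - name: 'c:\salt\uvnc\state.cmd'
    - require:
      - file: uvnc_files

# Keep every firewall profile enabled rather than disabling the firewall.
uvnc_firewall_on:
  win_firewall.enabled:
    - name: allprofiles

# Allow inbound VNC only, and only from the admin workstation.
uvnc_firewall_rule:
  win_firewall.add_rule:
    - name: 'UltraVNC from admin workstation'
    - localport: 5900
    - protocol: tcp
    - action: allow
    - dir: in
    - remoteip: 192.0.2.10
    - require:
      - win_firewall: uvnc_firewall_on
```

When the session is over, `salt 'client' firewall.delete_rule 'UltraVNC from admin workstation' 5900 tcp in` removes the rule again, so there is no firewall to remember to re-enable.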