Overview
Setting privileges on a custom administrator account in Presentation Server is not quite as simple as I thought when I set out to create a script to do so - there’s not much information on the CDN forums, so this was a bit of trial and error.
The process for creating a custom administrator account and setting privileges goes like this:
- Create the custom administrator account.
- Bind to the new account and add privileges except for those that apply to application or server folders.
- Bind to the Applications folder/s and add privileges for the specified administrator.
- Bind to the Servers folder/s and add privileges for the specified administrator.
As you can see, the process isn’t completed in a single step; there are actually three separate steps to setting privileges. The first is setting privileges on the objects outlined here in this screenshot (those objects in colour):

The next steps set the permissions on the folder objects rather than the administrator object as outlined in this screenshot (those objects in colour):

Something I should note here though, is that I’ve not been able to set permissions on the Monitoring Profiles folder. I could be wrong but from what I can tell you can’t currently access these types of folders.
Reading The Privileges
First up I had to read the privileges from an existing object to make it simpler to set the privileges on any new administrators - you’ve gotta learn to read before you can write. Setting the privileges initially is easy via the Access Management Console; reading them back programmatically then simplifies the write process.
Reading the privileges on an administrator account is simple enough because we can bind to the administrator object and then read the privileges. Reading the privileges for that account on the Applications and Servers folders is a little different - unless you want to statically supply the list of folders, you’ll need to enumerate them.
I’ve created a function and a few subroutines, based on some code from the CDN forums, that will return an array containing the distinguished names of the Application or Server folders. The code essentially walks the folder tree to find the subfolders of each folder, while calling itself to do so until the subfolder count reaches 0.
The full script will echo out the privileges in both the numerical value and the privilege name defined by MetaFrameAdminPrivilege. Check out the MFCOM SDK 4.5 for a complete list of the privileges. This script will work on Presentation Server 4.0 and 4.5; I’ve not tested on any earlier versions.
<package>
<job id="CustomPermissions" prompt="no">
<?job error="false" debug="false" ?>
<comment>
</comment>
<runtime>
<description>
</description>
</runtime>
<reference object="MetaFrameCOM.MetaFrameFarm"/>
<script language="VBScript">
sDomainName = "AD"
sAdminAccountName = "Domain Admins"

'Return lists of application and server folders
aApplicationFolders = ReturnMFFolders(MetaFrameAppFolder)
aServerFolders = ReturnMFFolders(MetaFrameSrvFolder)

'Create a dictionary that references the names of the privileges
Set oDictPermsList = PrivNamesDictionary

'Create the farm object and initialise
Set oFarm = CreateObject("MetaFrameCOM.MetaFrameFarm")
oFarm.Initialize(MetaFrameWinFarmObject)

'Echo the privileges held on the administrator object itself
'The account is bound as an AD global group, matching ListFolderPerms below
WScript.Echo "[" & sAdminAccountName & " privileges]"
Set oMFAdministrator = CreateObject("MetaFrameCOM.MetaFrameAdministrator")
oMFAdministrator.Initialize MFAccountAuthorityNTDomain, sDomainName, MFAccountGlobalGroup, sAdminAccountName
For Each Privilege In oMFAdministrator.Privileges
    WScript.Echo Privilege & ", " & oDictPermsList.Item(Privilege)
Next

'Echo the server folder privileges
WScript.Echo
For n = 0 To UBound(aServerFolders)
    WScript.Echo "[" & aServerFolders(n) & "]"
    ListFolderPerms aServerFolders(n), MetaFrameSrvFolder, sDomainName, sAdminAccountName
    WScript.Echo
Next

'Echo the application folder privileges
WScript.Echo
For n = 0 To UBound(aApplicationFolders)
    WScript.Echo "[" & aApplicationFolders(n) & "]"
    ListFolderPerms aApplicationFolders(n), MetaFrameAppFolder, sDomainName, sAdminAccountName
    WScript.Echo
Next

' List permissions on the specified folder for the specified administrator
' Currently assumes an AD global group
'------------------------------------------------------------------------
Sub ListFolderPerms(sFolderName, iFolderType, sAAName, sAccountName)
    Set oMFAdministrator = CreateObject("MetaFrameCOM.MetaFrameAdministrator")
    oMFAdministrator.Initialize MFAccountAuthorityNTDomain, sAAName, MFAccountGlobalGroup, sAccountName
    Set oFolder = CreateObject("MetaFrameCOM.MetaFrameFolder")
    oFolder.Initialize iFolderType, sFolderName
    Set Privs = oFolder.Privs3ByID32(oMFAdministrator.AdminID.IDH32,oMFAdministrator.AdminID.IDL32)
    If Privs.Count < 1 Then
        WScript.Echo "No permissions for this folder."
    Else
        For i = 0 To Privs.Count-1
            WScript.Echo Privs.Item(i) & ", " & oDictPermsList.Item(Privs.Item(i))
        Next
    End If
End Sub

' Return a dictionary listing the names of each of the privileges
Function PrivNamesDictionary
Set oFDict = CreateObject("Scripting.Dictionary")
oFDict.Add 0, "MFPrivilegeUnknown"
oFDict.Add 1, "MFPrivilegeManageApps"
oFDict.Add 2, "MFPrivilegeViewApps"
oFDict.Add 3, "MFPrivilegeEditApps"
oFDict.Add 4, "MFPrivilegeManageUsers"
oFDict.Add 5, "MFPrivilegeViewUsers"
oFDict.Add 6, "MFPrivilegeEditUsers"
oFDict.Add 7, "MFPrivilegeManagePrinters"
oFDict.Add 8, "MFPrivilegeViewPrinters"
oFDict.Add 9, "MFPrivilegeReplicateDrivers"
oFDict.Add 10, "MFPrivilegeEditDrivers"
oFDict.Add 11, "MFPrivilegeEditPrinters"
oFDict.Add 12, "MFPrivilegeSetPrinterSettings"
oFDict.Add 13, "MFPrivilegeManageLoadEvaluators"
oFDict.Add 14, "MFPrivilegeViewLoadEvaluators"
oFDict.Add 15, "MFPrivilegeEditLoadEvaluators"
oFDict.Add 16, "MFPrivilegeAssignLoadEvaluators"
oFDict.Add 17, "MFPrivilegeManageLicenses"
oFDict.Add 18, "MFPrivilegeViewLicenses"
oFDict.Add 19, "MFPrivilegeAssignLicense"
oFDict.Add 20, "MFPrivilegeEditLicenses"
oFDict.Add 21, "MFPrivilegeManageFarm"
oFDict.Add 22, "MFPrivilegeViewFarm"
oFDict.Add 23, "MFPrivilegeManageInteroperability"
oFDict.Add 24, "MFPrivilegeManageZone"
oFDict.Add 25, "MFPrivilegeManageFarmOther"
oFDict.Add 26, "MFPrivilegeManageSessions"
oFDict.Add 27, "MFPrivilegeViewSessions"
oFDict.Add 28, "MFPrivilegeConnectSessions"
oFDict.Add 29, "MFPrivilegeSendMessages"
oFDict.Add 30, "MFPrivilegeLogoffSessions"
oFDict.Add 31, "MFPrivilegeDisconnectSessions"
oFDict.Add 32, "MFPrivilegeResetSessions"
oFDict.Add 33, "MFPrivilegeTerminateProcess"
oFDict.Add 34, "MFPrivilegeManageServers"
oFDict.Add 35, "MFPrivilegeViewServerInfo"
oFDict.Add 36, "MFPrivilegeEditServerSNMPSettings"
oFDict.Add 37, "MFPrivilegeEditServerOtherSettings"
oFDict.Add 38, "MFPrivilegeRemoveServer"
oFDict.Add 39, "MFPrivilegeAddServer"
oFDict.Add 40, "MFPrivilegeManageInstall"
oFDict.Add 41, "MFPrivilegeViewInstall"
oFDict.Add 42, "MFPrivilegeEditConfigurations"
oFDict.Add 43, "MFPrivilegeRemovePackages"
oFDict.Add 44, "MFPrivilegeScheduleJobDeletion"
oFDict.Add 45, "MFPrivilegeEditPackages"
oFDict.Add 46, "MFPrivilegeManageResources"
oFDict.Add 47, "MFPrivilegeViewResources"
oFDict.Add 48, "MFPrivilegeEditResources"
oFDict.Add 49, "MFPrivilegeManageUserPolicies"
oFDict.Add 50, "MFPrivilegeViewUserPolicies"
oFDict.Add 51, "MFPrivilegeEditUserPolicies"
oFDict.Add 52, "MFPrivilegeManageAdmins"
oFDict.Add 53, "MFPrivilegeViewAdmins"
oFDict.Add 54, "MFPrivilegeLogonAdminTools"
oFDict.Add 55, "MFPrivilegeManageServerFolder"
oFDict.Add 56, "MFPrivilegeManageLicenseServer"
oFDict.Add 57, "MFPrivilegeAssignApps"
oFDict.Add 58, "MFPrivilegeManageRMServer"
oFDict.Add 59, "MFPrivilegeAssignRMApps"
oFDict.Add 60, "MFPrivilegeReceiveRMAlerts"
oFDict.Add 61, "MFPrivilegeCurrentAndSummaryReports"
oFDict.Add 62, "MFPrivilegeBillingReports"
oFDict.Add 63, "MFPrivilegeManageRMApps"
oFDict.Add 64, "MFPrivilegeViewRMApps"
oFDict.Add 65, "MFPrivilegeEditRMApps"
oFDict.Add 66, "MFPrivilegeInstallAndUninstallPackages"
oFDict.Add 67, "MFPrivilegeLogonWIConsole"
oFDict.Add 68, "MFPrivilegeIEManagement"
oFDict.Add 69, "MFPrivilegeManageIE"
oFDict.Add 70, "MFPrivilegeViewIE"
oFDict.Add 71, "MFPrivilegeMonitoringAlerting"
oFDict.Add 72, "MFPrivilegeViewKcConfig"
oFDict.Add 73, "MFPrivilegeEditKcConfig"
oFDict.Add 74, "MFPrivilegeViewKcAlertConfig"
oFDict.Add 75, "MFPrivilegeEditKcAlertConfig"
oFDict.Add 76, "MFPrivilegeRMAppsAlerts"
oFDict.Add 77, "MFPrivilegeViewRMInfoSrv"
oFDict.Add 78, "MFPrivilegeEditRMInfoSrv"
oFDict.Add 79, "MFPrivilegeRMNotifications"
oFDict.Add 80, "MFPrivilegeViewMonProfiles"
oFDict.Add 81, "MFPrivilegeEditMonProfiles"
oFDict.Add 82, "MFPrivilegeEditConfigLogging"
oFDict.Add 83, "MFPrivilegeAssignMonProfileToServers"
oFDict.Add 84, "MFprivilegeKillAppProc"
Set PrivNamesDictionary = oFDict
Set oFDict = Nothing
End Function

'#region Return Application or Server folders Array
' Returns an array with the folders of the selected type
Function ReturnMFFolders(iFolderType)
    Set oFarm = CreateObject("MetaFrameCOM.MetaFrameFarm")
    oFarm.Initialize(MetaFrameWinFarmObject)
    Dim aFolderList()
    Dim iFolder
    GetSubFolders iFolderType, oFarm, aFolderList, iFolder
    ReturnMFFolders = aFolderList
End Function

' Lists all of the Application Or Server folders And subfolders
' Used by ReturnMFFolders
Sub GetSubFolders(iFolderType, oFarm, aFolderList, iFolder)
    iFolder = 0
    Set RootFolder = oFarm.GetRootFolder(iFolderType)
    AddToFolderList RootFolder.FolderDN, aFolderList, iFolder
    For Each Folder in RootFolder.SubFolders
        AddToFolderList Folder.FolderDN, aFolderList, iFolder
        RecurseSubFolders Folder.FolderDN, iFolderType, aFolderList, iFolder
    Next
End Sub

' Used to recurse sub-folders of a given folder.
' Used by GetSubFolders and called recursively
Sub RecurseSubFolders(sFolderDN, iFolderType, aFolderList, iFolder)
    Set oFolders = CreateObject("MetaFrameCOM.MetaFrameFolder")
    oFolders.Initialize iFolderType, sFolderDN
    If oFolders.SubFolders.Count > 0 Then
        For Each SubFolder In oFolders.SubFolders
            AddToFolderList SubFolder.FolderDN, aFolderList, iFolder
            RecurseSubFolders SubFolder.FolderDN, iFolderType, aFolderList, iFolder
        Next
    End If
End Sub

' Adds a supplied String To the aFolderList Array
' Used by GetSubFolders and RecurseSubFolders
Sub AddToFolderList(sFolderName, aFolderList, iFolder)
    ReDim Preserve aFolderList(iFolder)
    aFolderList(iFolder) = sFolderName
    iFolder = iFolder + 1
End Sub
' #endregion
</script>
</job>
</package>

Continue to part 2 here
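Because the script echoes each privilege as `number, name` under a bracketed section header, a saved run can serve as a baseline for spotting privilege changes on a delegated administrator later. The following is an added example, not part of the original script: it parses two captured reports and lists the privileges gained or lost per section. The account name, folder names and sample reports are constructed placeholders.

```python
import re

SECTION = re.compile(r"^\[(.+)\]$")      # "[Domain Admins privileges]" or "[<folder DN>]"
PRIV = re.compile(r"^(\d+),\s*(\S+)$")   # "22, MFPrivilegeViewFarm"

def parse_report(text):
    """Map each bracketed section of the echoed output to its set of privilege names."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header, priv = SECTION.match(line), PRIV.match(line)
        if header:
            current = sections.setdefault(header.group(1), set())
        elif priv and current is not None:
            current.add(priv.group(2))
    return sections

def drift(baseline, observed):
    """Return (added, removed): per-section privileges gained or lost versus the baseline."""
    added, removed = {}, {}
    for name in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(name, set()), observed.get(name, set())
        if after - before:
            added[name] = sorted(after - before)
        if before - after:
            removed[name] = sorted(before - after)
    return added, removed

# Constructed sample reports; account and folder names are placeholders.
BASELINE = """[Helpdesk privileges]
22, MFPrivilegeViewFarm
54, MFPrivilegeLogonAdminTools

[Servers]
27, MFPrivilegeViewSessions
29, MFPrivilegeSendMessages
"""
OBSERVED = """[Helpdesk privileges]
22, MFPrivilegeViewFarm
52, MFPrivilegeManageAdmins
54, MFPrivilegeLogonAdminTools

[Servers]
No permissions for this folder.

[Applications/Finance]
2, MFPrivilegeViewApps
"""

if __name__ == "__main__":
    print(drift(parse_report(BASELINE), parse_report(OBSERVED)))
```

A section that reports "No permissions for this folder." parses to an empty set, so privileges that were removed from a folder show up in the second result rather than being silently dropped.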







