Creating Process Automations

New Process Automation Wizard

Process Automations are comprised of the following parts:

  • You define a Scope which is a set of machines, users or groups.
  • You define a set of Actions to execute on the defined scope.

This section will guide you through this process step by step.

For examples of useful Process Automations, see our Tutorials KBA.

Launching Process Automations

Select the Process Automations feature   in the Goverlan Reach Console.

Creating a New Process Automation

  • Double click on the  http://assets.goverlan.com/userguide_img/Scope%20Actions%20v8/scope20.png  Add New Process Automation icon in the main window.or Click on the Add New button in the ribbon bar.

Creating a New Process Automation based on an Existing Process Automation

  • Select the Process Automation from the main window.
  • Click on the down arrow below the Add New button in the ribbon bar and select Add New / Copy From in the menu.

Process Automations Creation Wizard

General Information

The General Information window contains the Process Automation name and description. This is what uniquely identifies a Process Automation in the Process Automations main window. The name specified for the Process Automation is also used as the name in the Process Automations Definition Files. No two Process Automations can have the same name.

Defining the Scope

Define the set of machines, users or groups that this Process Automations Object should focus on.
Goverlan offers many flexible ways to define a list of objects. For more information, see: Scope Definition.

Defining the Actions to perform

Once you have defined the set of objects to work on, you must define what needs to be done on those objects. This is done by defining one or more Action Modules.
An Action Module contains one or more actions and optional conditions. For more information about this step, see: Defining Action Modules.

Selecting Output and Execution Settings

This final wizard step allows you to change the default output settings. For instance, you can select your preferred output report format and ask Goverlan to automatically open it once the Process Automations object is executed. For more information, see: Understanding Output Settings.

Once complete, a new Process Automations object is created and placed in the Process Automations view. You can double click on it at any time to modify its settings.

Define the Scope

The Scope defines the set of objects upon which to execute the actions of the Process Automation. It can be a set of machines, users or groups.

NOTE:

You can further fine tune which objects within a Scope will be processed by using Conditions.

Select an Object Type

A Scope is first defined by an object type: Users, Groups or Computers. Click on the desired object type button in the Target Object Type section. You should do that before you define the Scope. Once you have defined the object type, you need to define the actual set of objects for this Process Automation.

Using Scope Templates

If you have Scope Templates objects, you can drag and drop them from the template area to the Scope area.

If you haven’t yet defined a template, you need to create a new Scope definition. To create a new Scope template, either double-click the Add New button in the Scope Template area, or, click the Add New button in the Scope area and once defined, drag and drop the Scope object to the Template area.

Sharing Scope Templates

Once Sharing has been configured, you can share your Scope templates to make them available to everyone belonging to your Goverlan Workgroup.
Select a Scope template from the Template area and click the  button to share or un-share the object.

Creating a new Scope Definition

Click the Add New button to create a new Scope definition, enter a name to define this Scope object and define the scope.
Depending on the selected object type, Goverlan offers miscellaneous methods to define the set of objects.

Add a Container or Domain

Available for all object types, this method allows you to define a list of objects by selecting an Active Directory container, entire domain or an External Site. For more information on External Sites, see <<need link>>

  • Select the domain or container you wish to include in the Scope
  • Enable the Include sub-containers option if you wish to include every child container, or, disable this option to only include the objects contained at the root of the selected container.
  • Optionally configure a Name Filter. A name filter is a simple string with NO wildcard. The object’s name must contain the specified text to be included in the set.
  • Click on OK.

Add Input File

Available for all object types, this method allows you to define a list of objects based on an input file. The contents of the input file are queried during execution. For this reason, the input file’s contents can change between Process Automations executions.

The input file must contain one entry per line. Do not use quotes or double-quotes to define each entry. The format for each entry can either be a UNC Name (i.e.: DOMAINAccountID), or, a simple name (for computer objects only), or, an active directory bindstring (i.e.:LDAP://cn=Object Name, cn=Container, dc=my, dc=domain, dc=com).

Click the Add Container or Domain link to insert an entire container into the Scope. A container can be an Active Directory domain, container or organizational unit or an NT domain. When inserting an Active Directory container in the Scope, you also have the option to include all sub-containers as well.

Add individual Objects

This method allows you to define a list of objects by selecting them individually from Active Directory.

If you are defining a Computer Scope, this method also allows you to define a list of computers via an IP subnet scan. This method is slightly different than selecting the Add an IP Range method (see below) because it defines a static list of found IPs, while adding an IP range defines a dynamic scope (the IP range is scanned during execution).

You may also select individual External Machines. They will appear under their own AD forest structure or as individual workstations.

NOTE:

Select individual objects or a group of objects using the Goverlan Object Selector. The group members will be queried at execution time.

Add an IP Range

Available only for computer objects, this method allows you to define an IP range to be scanned at execution time. The IP addresses that fulfill the configured criteria (i.e., is alive, resolves to a name) are used for the Scope.

Add an Active Directory Site

Available only for computer objects, this method allows you to define the Scope based on an Active Directory Site. As with the IP Range definition, you can configure criteria on the IP addresses that belong to the selected site.

Selecting Actions

This is where you define the actions to be executed on the objects selected in the Scope. A very large set of actions is available in Goverlan which encompasses virtually all aspects of account and machine administration. In addition, WMI technology has been fully integrated so that any WMI generated data and available tasks are accessible through Process Automations.

Actions are defined by creating one or more Action Modules. Most of the time, a single action module is sufficient to meet your needs.

For examples of useful Process Automations, see our Tutorials KBA.

Using Action Templates

If you have Action Templates defined, you can drag and drop them from the template area to the Action area.

If you haven’t yet defined a template, you need to create a new Action Module. To create a new Action Template, either double-click on the Add New button in the Template area or click the Add New button in the Action area. Once defined, drag and drop the Action Module object to the Template area.

Sharing Action Templates

Once Sharing has been configured, you can share your templates to make them available to everyone belonging to your Goverlan Workgroup.  Select a template and click the    button to share or un-share the object.

Creating an Action Module

An action module is a set of defined actions and optional conditions. A Process Automation must have at least one Action Module defined. Action Modules are convenient because they can define a specific set of conditions and re-usable actions. Once you have configured action modules and placed them into the templates area, you can re-use them in any Process Automation.

To create an Action Module, double click the Add New button. Enter a name and description, then use the Add / Remove button to add actions or conditions.

Adding Actions

You can add three types of actions:

  1. Report Actions
    Use this category to report information on the objects defined in the Scope. You can report on a single attribute or multiple attribute sets.
  2. Set Actions
    Use this category to modify one or more properties of the objects defined in the Scope.
  3. Execute Actions
    Use this category to execute one or more methods on the objects defined in the Scope.

To add an action, click on the Add/Remove button or right click on the desired action category root item. Navigate through the Action Selection Menu to select the desired action and click on it to insert it into the list. To remove one or more actions, select them from the list and click on the    button or press on the [DEL] key of your keyboard.

If you have selected a Set or Execute action, you will be prompted for the necessary arguments  (see: Defining Arguments).

Setting the Execute Actions Order

If you configure two or more Execute actions, you can control the order in which they are executed using the execution order controls. Select one or more Execute action and click on either the up or down arrow to move the selected actions up or down.

Adding Conditions

Optionally, you can configure one or more conditions to the Action Module. Objects must pass all configured conditions for the actions to be executed.
Conditions are very useful to perform object detection or to target sub-objects within the primary object.

For more information and to see examples of conditions, see: Defining Conditions.

Special Action Objects

Goverlan includes a large set of report, set and execute actions. It also includes a set of special objects which are used to further extend the original set.

Working with WMI Objects

The actions available for computers include a menu section named WMI Objects. Selecting this sub-menu discloses a large set of WMI objects, their attributes and methods. WMI is a very powerful technology providing you access to virtually every bit of information which can be queried on a machine. It also includes a large set of administrative tasks which can be used for managing computers.

The list of WMI objects shown in a Process Automation does not include all of the available WMI objects, however, this list can be modified.

Working with Registry Objects

Using a Process Automation, you can fully manage the registry of client machines. You can query registry keys and values, modify values or even transfer entire hives.

However, before you can query the registry keys you must define a list of accessible registry keys. To do so:

Click on Add/Remove > Report Computer Property > Registry Value > Manage Accessible Key Paths…

Working with File System Objects

Using a Process Automation, you can fully manage the file system of client machines. You can query file and directory information, add or remove files or even transfer entire directories.

However, before you can query the file system objects you must define a list of accessible directories. To do so:

Click on Add/Remove > Report Computer Property > File System > Manage Accessible Directories…

Working with Extended Active Directory Properties

Most commonly used Active Directory attributes are available in a Process Automation. For instance, you can query the department, location, title and many other user account properties. However, if there is an Active Directory attribute which is not available, you can add it to the Extended AD Properties set.

  • Click on Add/Remove > Report User (or Computer) Property > Extended AD Properties > Manage AD Attributes…
  • Use the Accessible ADSI Attributes Manager to enable or disable the attributes you wish to access via the Process Automation feature.
  • Click OK.

Argument Windows

The argument selector window is used to configure conditions, set properties and specify method parameters.

Some arguments may have been allocated a default value, while others show with a entry. You need to configure every argument which is in the list, even if the value is irrelevant or is blank.

If multiple arguments are displayed, selecting an argument from the list updates the Description panel at the bottom of the Argument Selector window. If only one argument is displayed, the description is placed in the Task Panel on the left. Pay special attention to the description of each argument since it will provide you with the necessary information to configure the value.

TIP:

When setting the value of a string, you can generally include Substitution Variables (see below).

Setting the Argument Value

To enter the value, click on its value field. Refer to the argument’s description for information about the value expected by Goverlan.

Example: Referring to the figure above, we see that the Argument Selector has been opened for the execute action named Shutdown. The Shutdown action requires 5 arguments. As shown, the Action Type argument is selected. The Action Type is an argument of type = Number. To find out what the actual number value should be, we look at the description panel which tells you that the Action Type must either be 0, 1 or 2 depending on the desired action: Shutdown, Power Off or Reboot. Since we want to Power Off the computer, we set this value to 1.

Using Substitution Variables

Substitution Variables are keywords which are automatically substituted at runtime with the value they represent. Substitution Variables can only be used for string arguments.

The available substitution variables are:

  • %DOMAINNAME% – is automatically substituted by the NetBIOS domain name of the target object
  • %USERNAME% – is automatically substituted with the user name of the target user object
  • %COMPUTERNAME% – is automatically substituted with the computer name of the target computer object
  • %GROUPNAME% – is automatically substituted with the group name of the target group object

For example, you could apply the following Set Action to the users of a selected Scope:

  • User.Account Information.Roaming Profile Path =“SERVERNAME\%USERNAME%”
  • User.Account Information.Description = “This user belongs to the %DOMAINNAME% domain”

During the execution of the Process Automation, the variables are automatically replaced by the focused object’s user id and domain.

NOTE:

Conditions do not process substitution variables. Substitution variables can only be set for Set or Execute Actions.

Using Dynamic Values

Dynamic Values allow you to set a parameter to a value based on other object attributes and calculated during the execution of the Process Automation. A dynamic value is a string which defines how the final value should be compiled. You can configure a dynamic value definition for every type of value: String, Number, Date & Time and Boolean.

See Understanding Dynamic Value Definitions for more information.

Defining Conditions

An Action Module can be configured with one or more conditions. Conditions are a powerful way to:

Detect machines, users or groups with a specific configuration.
For instance, you want to generate a report of all user accounts with a password age older than 120 days, or, a report of all machines which are Windows XP SP2 and the firewall is turned off.

Target specific child object instances.
For instance, you want to delete all members of the local Administrators group of your machines except for ‘Domain Admins’, ‘Administrator’ and ‘John Doe’.

Setting a Condition

  1. Click the Add/Remove button of the Condition section.
  2. Browse through the attribute selection menu and select the root object attribute or child object attribute to set a condition on.
    A new attribute is added to the Users Conditions list.
  3. Click on the Condition cell of the attribute row and select the condition operator.
    NOTE:

    The available condition operators depend on the attribute type (number, string, date, …).

  4. Click on the Desired Value cell of the attribute row and enter the value for this condition in the Argument window.
    NOTE:

    The desired value can be static or dynamic. For more information about dynamic values, see: Understanding Dynamic Values.

  5. If the condition you configured points to a child object (for instance Local Drives, Processes or Software Products), you may need to change the Condition Scope.
    The Condition Scope controls whether the conditions should be applied to one or more instance of the child object or to all instances of the child object.

    Example 1 – Reporting machines which have Microsoft Office installed

    > Add the condition: Computer Condition.Software Products.Product Name ::  Contains :: Office
    > Select the condition, click on the Set Scope button, and select: Only one or more instances of Program must pass the condition for the computer object to be accepted.

    Example 2 – Reporting machines which DO NOT have Microsoft Office installed

    > Add the condition: Computer Condition.Software Products.Product Name ::   NOT=   :: Office
    > Select the condition, click on the Set Scope button, and select:
    All instances of Program must pass the condition for the computer object to be accepted.

  6. Repeat Steps 1 through 4 to configure additional conditions.
    NOTE:

    Most attributes can be selected multiple times for conditions. For instance, you can configure the two conditions:
    User.Password Age > 30 and User.Password Age < 60.
    If you have two or more conditions, they must all be true for the object to pass. This means that you cannot set conditions like:
    User.Password Age = 0 OR User.Password Age > 120.

To remove a condition, select it from the list and click on the    button or press the [DEL] key.

Using Conditions to Detect Objects

One primary purpose of a Condition is to detect objects with a specific configuration.

Examples

REPORTING ALL MACHINES EQUIPPED WITH A SPECIFIC SOFTWARE INSTALLED:

  • Add the report action: Computer Property > Software Products > All Product Information to view detailed information about the Office products installed.
    NOTE:

    You do not need to explicitly report on the computer name. Since the Scope target object type is Computer, the computer name is always included in the reports.

  • Configure the following conditions:
  • Run the Process Automation and open the HTML – Data Sheet Model format.http://assets.goverlan.com/userguide_img/Scope%20Actions%20v8/html%20report%20view%20combined.png

REPORTING ALL MACHINES EQUIPPED WITH A SPECIFIC SOFTWARE INSTALLED:

  • Add the report action: Computer Property > Local Drives > All Local Drive Information
  • Configure the following conditions:
  • Run the Process Automation and open the HTML – Report Model format.http://assets.goverlan.com/userguide_img/Scope%20Actions%20v8/html%20report%20model.png

 

Using Conditions to Target Specific Child Objects

Another purpose for a Condition is to target a specific child object. A root object (a computer, user or group) will have one or more instances of a child object (i.e., computer drives, services, processes, etc.).

If you configure a Set or Execute action on a child object, the action is applied to all instances of that child object. If you want to only execute the action on a specific instance of the child object, you need to configure a condition to isolate this instance from the set. Since most Execute actions allow you to specify a child object instance name, this is rarely needed. However, in some advanced cases, it can be useful.

Examples

DISABLING THE GUEST ACCOUNT ON ALL MACHINES

Disabling computer local accounts is one action which can only be done using a condition. This is because the Process Automation > Computer > Local Account Database > Local User category doesn’t include a method which allows you to disable a specific account name. However, it allows you to set the value of the Account Disabled attribute of a local user object.

If you were to simply add the set action: Set Computer Property > Local Account Database > Local Users > Account Disable :: = :: TRUE with no condition, all local users in the account database would be disabled. To target only the guest account, add the following condition:

For more examples of Process Automations, see our Tutorials KBA.

Finalizing the Process Automation

The Run Process Automation screen determines how the Process Automation will execute.

Next: Run On Wizard Finish

Run Now

This will run the Process Automation with the configured scheduling options.

Run Later

This will tell the Process Automation to “do nothing” after clicking the finish button.

Then: Re-Run Full Scope

http://assets.goverlan.com/userguide_img/Scope%20Actions%20v8/2015-03-31_9-48-29.png

Keep on Running until all nodes are processed

This will run the Process Automation at the scheduled time, but will only run on the nodes that it was unable to process on the first scheduled run.

Re-Run the full scope on a periodic basis

This will re-run the Process Automation against all the nodes selected at the scheduled time regardless if the nodes were processed or not.


Was this article helpful?

Related Articles