New Process Automation Wizard
Process Automations consist of the following parts:
- You define a Scope which is a set of machines, users or groups.
- You define a set of Actions to execute on the defined scope.
This section will guide you through this process step by step.
For examples of useful Process Automations, see our Tutorials KBA.
Launching Process Automations
Select the Process Automations feature in the Goverlan Reach Console.
Creating a New Process Automation
- Double click on the Add New Process Automation icon in the main window, or click on the Add New button in the ribbon bar.
Creating a New Process Automation based on an Existing Process Automation
- Select the Process Automation from the main window.
- Click on the down arrow below the Add New button in the ribbon bar and select Add New / Copy From in the menu.
Process Automations Creation Wizard
The General Information window contains the Process Automation name and description. This is what uniquely identifies a Process Automation in the Process Automations main window. The name specified for the Process Automation is also used as the name in the Process Automations Definition Files. No two Process Automations can have the same name.
Defining the Scope
Define the set of machines, users or groups that this Process Automations Object should focus on.
Goverlan offers many flexible ways to define a list of objects. For more information, see: Scope Definition.
Defining the Actions to perform
Once you have defined the set of objects to work on, you must define what needs to be done on those objects. This is done by defining one or more Action Modules.
An Action Module contains one or more actions and optional conditions. For more information about this step, see: Defining Action Modules.
Selecting Output and Execution Settings
This final wizard step allows you to change the default output settings. For instance, you can select your preferred output report format and ask Goverlan to automatically open it once the Process Automations object is executed. For more information, see: Understanding Output Settings.
Once complete, a new Process Automations object is created and placed in the Process Automations view. You can double click on it at any time to modify its settings.
Define the Scope
The Scope defines the set of objects upon which to execute the actions of the Process Automation. It can be a set of machines, users or groups.
Select an Object Type
A Scope is first defined by an object type: Users, Groups or Computers. Click on the desired object type button in the Target Object Type section. You should do that before you define the Scope. Once you have defined the object type, you need to define the actual set of objects for this Process Automation.
Using Scope Templates
If you have Scope Templates objects, you can drag and drop them from the template area to the Scope area.
If you haven’t yet defined a template, you need to create a new Scope definition. To create a new Scope template, either double-click the Add New button in the Scope Template area, or, click the Add New button in the Scope area and once defined, drag and drop the Scope object to the Template area.
Sharing Scope Templates
Once Sharing has been configured, you can share your Scope templates to make them available to everyone belonging to your Goverlan Workgroup.
Select a Scope template from the Template area and click the button to share or un-share the object.
Creating a new Scope Definition
Click the Add New button to create a new Scope definition, enter a name to define this Scope object and define the scope.
Depending on the selected object type, Goverlan offers miscellaneous methods to define the set of objects.
Add a Container or Domain
Available for all object types, this method allows you to define a list of objects by selecting an Active Directory container, entire domain or an External Site. For more information on External Sites, see <<need link>>
- Select the domain or container you wish to include in the Scope
- Enable the Include sub-containers option if you wish to include every child container, or, disable this option to only include the objects contained at the root of the selected container.
- Optionally configure a Name Filter. A name filter is a simple string with NO wildcard. The object’s name must contain the specified text to be included in the set.
- Click on OK.
Add Input File
Available for all object types, this method allows you to define a list of objects based on an input file. The contents of the input file are queried during execution. For this reason, the input file’s contents can change between Process Automations executions.
The input file must contain one entry per line. Do not use quotes or double-quotes to define each entry. The format for each entry can be a UNC name (e.g., DOMAIN\AccountID), a simple name (for computer objects only), or an Active Directory bind string (e.g., LDAP://cn=Object Name, cn=Container, dc=my, dc=domain, dc=com).
Click the Add Container or Domain link to insert an entire container into the Scope. A container can be an Active Directory domain, container or organizational unit or an NT domain. When inserting an Active Directory container in the Scope, you also have the option to include all sub-containers as well.
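A pre-run check of the input file format described under Add Input File, as an added example that is not Goverlan code: it classifies each line as a UNC name, simple name or LDAP bind string, rejects quoted entries, and lists entries missing from a previously approved set, which matters because the file is re-read on every execution. The regular expressions, function names, the blank-line rule and the sample entries are assumptions constructed for illustration.

```python
import re

# Entry shapes come from the page; the exact character rules are assumptions.
LDAP_RE = re.compile(
    r"^LDAP://\s*[A-Za-z]+=[^,=]+(?:\s*,\s*[A-Za-z]+=[^,=]+)*$", re.IGNORECASE)
UNC_RE = re.compile(r"^[^\\/\s'\"]+\\[^\\/'\"]+$")      # DOMAIN\AccountID
SIMPLE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")  # bare computer name

# Constructed sample file and approved list (not taken from the page).
SAMPLE = r'''CORP\jsmith
"CORP\quoted"
WKS-0042
LDAP://cn=Jane Doe, cn=Users, dc=my, dc=domain, dc=com
CORP\svc-backup
'''
APPROVED = {r"corp\jsmith",
            "LDAP://cn=Jane Doe, cn=Users, dc=my, dc=domain, dc=com"}


def classify_entry(line, object_type):
    """Return (kind, problem); kind is None when the entry is rejected."""
    entry = line.strip()
    if not entry:
        return None, "blank line"
    if "'" in entry or '"' in entry:
        return None, "quotes are not allowed"
    if LDAP_RE.match(entry):
        return "ldap", None
    if UNC_RE.match(entry):
        return "unc", None
    if SIMPLE_RE.match(entry):
        if object_type != "computer":
            return None, "simple names are valid for computer objects only"
        return "simple", None
    return None, "unrecognized entry format"


def review_scope_file(text, object_type, approved=frozenset()):
    """Validate every line and list accepted entries absent from `approved`."""
    accepted, rejected = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        kind, problem = classify_entry(line, object_type)
        if kind is None:
            rejected.append((number, line.strip(), problem))
        else:
            accepted.append((kind, line.strip()))
    approved_keys = {name.casefold() for name in approved}
    unapproved = [e for _, e in accepted if e.casefold() not in approved_keys]
    return accepted, rejected, unapproved


if __name__ == "__main__":
    accepted, rejected, unapproved = review_scope_file(SAMPLE, "user", APPROVED)
    for number, entry, problem in rejected:
        print(f"line {number}: {entry!r} rejected ({problem})")
    for entry in unapproved:
        print(f"not in approved scope: {entry}")
```

Running the check before each scheduled execution surfaces entries that were added to the file after the scope was last reviewed.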
Add individual Objects
This method allows you to define a list of objects by selecting them individually from Active Directory.
If you are defining a Computer Scope, this method also allows you to define a list of computers via an IP subnet scan. This method is slightly different than selecting the Add an IP Range method (see below) because it defines a static list of found IPs, while adding an IP range defines a dynamic scope (the IP range is scanned during execution).
You may also select individual External Machines. They will appear under their own AD forest structure or as individual workstations.
Add an IP Range
Available only for computer objects, this method allows you to define an IP range to be scanned at execution time. The IP addresses that fulfill the configured criteria (i.e., is alive, resolves to a name) are used for the Scope.
Add an Active Directory Site
Available only for computer objects, this method allows you to define the Scope based on an Active Directory Site. As with the IP Range definition, you can configure criteria on the IP addresses that belong to the selected site.
This is where you define the actions to be executed on the objects selected in the Scope. A very large set of actions is available in Goverlan which encompasses virtually all aspects of account and machine administration. In addition, WMI technology has been fully integrated so that any WMI generated data and available tasks are accessible through Process Automations.
Actions are defined by creating one or more Action Modules. Most of the time, a single action module is sufficient to meet your needs.
For examples of useful Process Automations, see our Tutorials KBA.
Using Action Templates
If you have Action Templates defined, you can drag and drop them from the template area to the Action area.
If you haven’t yet defined a template, you need to create a new Action Module. To create a new Action Template, either double-click on the Add New button in the Template area or click the Add New button in the Action area. Once defined, drag and drop the Action Module object to the Template area.
Sharing Action Templates
Once Sharing has been configured, you can share your templates to make them available to everyone belonging to your Goverlan Workgroup. Select a template and click the button to share or un-share the object.
Creating an Action Module
An action module is a set of defined actions and optional conditions. A Process Automation must have at least one Action Module defined. Action Modules are convenient because they can define a specific set of conditions and re-usable actions. Once you have configured action modules and placed them into the templates area, you can re-use them in any Process Automation.
To create an Action Module, double click the Add New button. Enter a name and description, then use the Add / Remove button to add actions or conditions.
You can add three types of actions:
- Report Actions
Use this category to report information on the objects defined in the Scope. You can report on a single attribute or multiple attribute sets.
- Set Actions
Use this category to modify one or more properties of the objects defined in the Scope.
- Execute Actions
Use this category to execute one or more methods on the objects defined in the Scope.
To add an action, click on the Add/Remove button or right click on the desired action category root item. Navigate through the Action Selection Menu to select the desired action and click on it to insert it into the list. To remove one or more actions, select them from the list and click on the button or press on the [DEL] key of your keyboard.
If you have selected a Set or Execute action, you will be prompted for the necessary arguments (see: Defining Arguments).
Setting the Execute Actions Order
If you configure two or more Execute actions, you can control the order in which they are executed using the execution order controls. Select one or more Execute actions and click on either the up or down arrow to move the selected actions up or down.
Optionally, you can configure one or more conditions to the Action Module. Objects must pass all configured conditions for the actions to be executed.
Conditions are very useful to perform object detection or to target sub-objects within the primary object.
For more information and to see examples of conditions, see: Defining Conditions.
Special Action Objects
Goverlan includes a large set of report, set and execute actions. It also includes a set of special objects which are used to further extend the original set.
Working with WMI Objects
The actions available for computers include a menu section named WMI Objects. Selecting this sub-menu discloses a large set of WMI objects, their attributes and methods. WMI is a very powerful technology providing you access to virtually every bit of information which can be queried on a machine. It also includes a large set of administrative tasks which can be used for managing computers.
The list of WMI objects shown in a Process Automation does not include all of the available WMI objects; however, this list can be modified.
Working with Registry Objects
Using a Process Automation, you can fully manage the registry of client machines. You can query registry keys and values, modify values or even transfer entire hives.
However, before you can query the registry keys you must define a list of accessible registry keys. To do so:
Click on Add/Remove > Report Computer Property > Registry Value > Manage Accessible Key Paths…
Working with File System Objects
Using a Process Automation, you can fully manage the file system of client machines. You can query file and directory information, add or remove files or even transfer entire directories.
However, before you can query the file system objects you must define a list of accessible directories. To do so:
Click on Add/Remove > Report Computer Property > File System > Manage Accessible Directories…
Working with Extended Active Directory Properties
Most commonly used Active Directory attributes are available in a Process Automation. For instance, you can query the department, location, title and many other user account properties. However, if there is an Active Directory attribute which is not available, you can add it to the Extended AD Properties set.
- Click on Add/Remove > Report User (or Computer) Property > Extended AD Properties > Manage AD Attributes…
- Use the Accessible ADSI Attributes Manager to enable or disable the attributes you wish to access via the Process Automation feature.
- Click OK.
The argument selector window is used to configure conditions, set properties and specify method parameters.
Some arguments may have been allocated a default value, while others show with a entry. You need to configure every argument which is in the list, even if the value is irrelevant or is blank.
If multiple arguments are displayed, selecting an argument from the list updates the Description panel at the bottom of the Argument Selector window. If only one argument is displayed, the description is placed in the Task Panel on the left. Pay special attention to the description of each argument since it will provide you with the necessary information to configure the value.
Setting the Argument Value
To enter the value, click on its value field. Refer to the argument’s description for information about the value expected by Goverlan.
Example: Referring to the figure above, we see that the Argument Selector has been opened for the execute action named Shutdown. The Shutdown action requires 5 arguments. As shown, the Action Type argument is selected. The Action Type is an argument of type = Number. To find out what the actual number value should be, we look at the description panel which tells you that the Action Type must either be 0, 1 or 2 depending on the desired action: Shutdown, Power Off or Reboot. Since we want to Power Off the computer, we set this value to 1.
Using Substitution Variables
Substitution Variables are keywords which are automatically substituted at runtime with the value they represent. Substitution Variables can only be used for string arguments.
The available substitution variables are:
- %DOMAINNAME% – is automatically substituted by the NetBIOS domain name of the target object
- %USERNAME% – is automatically substituted with the user name of the target user object
- %COMPUTERNAME% – is automatically substituted with the computer name of the target computer object
- %GROUPNAME% – is automatically substituted with the group name of the target group object
For example, you could apply the following Set Action to the users of a selected Scope:
- User.Account Information.Roaming Profile Path = “SERVERNAME\%USERNAME%”
- User.Account Information.Description = “This user belongs to the %DOMAINNAME% domain”
During the execution of the Process Automation, the variables are automatically replaced by the focused object’s user id and domain.
Using Dynamic Values
Dynamic Values allow you to set a parameter to a value based on other object attributes and calculated during the execution of the Process Automation. A dynamic value is a string which defines how the final value should be compiled. You can configure a dynamic value definition for every type of value: String, Number, Date & Time and Boolean.
See Understanding Dynamic Value Definitions for more information.
An Action Module can be configured with one or more conditions. Conditions are a powerful way to:
- Detect machines, users or groups with a specific configuration.
For instance, you may want to generate a report of all user accounts with a password age older than 120 days, or a report of all machines which run Windows XP SP2 and have the firewall turned off.
- Target specific child object instances.
For instance, you may want to delete all members of the local Administrators group of your machines except for ‘Domain Admins’, ‘Administrator’ and ‘John Doe’.
Setting a Condition
- Click the Add/Remove button of the Condition section.
- Browse through the attribute selection menu and select the root object attribute or child object attribute to set a condition on.
A new attribute is added to the Users Conditions list.
- Click on the Condition cell of the attribute row and select the condition operator.
- Click on the Desired Value cell of the attribute row and enter the value for this condition in the Argument window.
- If the condition you configured points to a child object (for instance Local Drives, Processes or Software Products), you may need to change the Condition Scope.
The Condition Scope controls whether the conditions should be applied to one or more instances of the child object or to all instances of the child object.
Example 1 – Reporting machines which have Microsoft Office installed
> Add the condition: Computer Condition.Software Products.Product Name :: Contains :: Office
> Select the condition, click on the Set Scope button, and select: Only one or more instances of Program must pass the condition for the computer object to be accepted.
Example 2 – Reporting machines which DO NOT have Microsoft Office installed
> Add the condition: Computer Condition.Software Products.Product Name :: NOT= :: Office
> Select the condition, click on the Set Scope button, and select:
All instances of Program must pass the condition for the computer object to be accepted.
- Repeat Steps 1 through 4 to configure additional conditions.
To remove a condition, select it from the list and click on the button or press the [DEL] key.
Using Conditions to Detect Objects
One primary purpose of a Condition is to detect objects with a specific configuration.
REPORTING ALL MACHINES EQUIPPED WITH A SPECIFIC SOFTWARE INSTALLED:
- Add the report action: Computer Property > Software Products > All Product Information to view detailed information about the Office products installed.
- Configure the following conditions:
- Run the Process Automation and open the HTML – Data Sheet Model format.
REPORTING ALL MACHINES EQUIPPED WITH A SPECIFIC SOFTWARE INSTALLED:
- Add the report action: Computer Property > Local Drives > All Local Drive Information
- Configure the following conditions:
- Run the Process Automation and open the HTML – Report Model format.
Using Conditions to Target Specific Child Objects
Another purpose for a Condition is to target a specific child object. A root object (a computer, user or group) will have one or more instances of a child object (i.e., computer drives, services, processes, etc.).
If you configure a Set or Execute action on a child object, the action is applied to all instances of that child object. If you want to only execute the action on a specific instance of the child object, you need to configure a condition to isolate this instance from the set. Since most Execute actions allow you to specify a child object instance name, this is rarely needed. However, in some advanced cases, it can be useful.
DISABLING THE GUEST ACCOUNT ON ALL MACHINES
Disabling computer local accounts is one action which can only be done using a condition. This is because the Process Automation > Computer > Local Account Database > Local User category doesn’t include a method which allows you to disable a specific account name. However, it allows you to set the value of the Account Disabled attribute of a local user object.
If you were to simply add the set action: Set Computer Property > Local Account Database > Local Users > Account Disable :: = :: TRUE with no condition, all local users in the account database would be disabled. To target only the guest account, add the following condition:
For more examples of Process Automations, see our Tutorials KBA.
Finalizing the Process Automation
The Run Process Automation screen determines how the Process Automation will execute.
Next: Run On Wizard Finish
This will run the Process Automation with the configured scheduling options.
This will tell the Process Automation to “do nothing” after clicking the finish button.
Then: Re-Run Full Scope
Keep on Running until all nodes are processed
This will run the Process Automation at the scheduled time, but will only run on the nodes that it was unable to process on the first scheduled run.
Re-Run the full scope on a periodic basis
This will re-run the Process Automation against all the selected nodes at the scheduled time, regardless of whether the nodes were processed or not.