Deciding to Install With or Without Joining the Computer to a Zone
Before you begin a silent installation, you should decide whether you will wait until later to join the computer to a zone, or join the computer to a zone as part of the installation procedure.
If you install without joining a zone during installation:
- See Installing silently by using the Microsoft Windows Installer for details about the registry settings that you can configure manually after the installation finishes.
- See Installing silently without joining a zone for details about performing the installation.
If you install and join a zone during installation:
- You use a transform (MST) file that is provided with Verify Privilege Server Suite to configure a default set of agent-specific registry keys during the silent installation.
- You can optionally edit the MST file before performing the installation to customize agent-specific registry settings for your environment.
- You can optionally use the agent configuration control panel or the registry editor to configure registry settings after the installation finishes.
- See Installing silently by using the Microsoft Windows Installer for details about the registry settings that you can configure by editing the MST file.
- See Installing silently by using the Microsoft Windows Installer for details about how to edit the MST file before you perform the installation.
- See Installing and joining a zone silently for details about performing the installation.
Installing Silently Without Joining a Zone
This section describes how to install the agent silently without joining the computer to a zone. This procedure includes configuring registry settings manually using the registry editor or a third-party tool.
Note:To install the agent and join the computer to a zone during installation, see Installing and joining a zone silently for more information.
Check prerequisites:
- Verify that the computers where you plan to install meet the prerequisites described in Verify prerequisites. If prerequisites are not met, the silent installation will fail.
-
If you are installing audit and monitoring service, verify that the following tasks have been completed:
- Installed and configured the SQL Server management database and the SQL Server audit store database.
- Installed and configured one or more collectors.
- Configured and applied the Centrify DirectAudit Settings group policy that specifies the installation name.
To install the Centrify Agent for Windows silently without joining the computer to a zone:
-
Open a Command Prompt window or prepare a software distribution package for deployment on remote computers.
For information about preparing to deploy software on remote computers, see the documentation for the specific software distribution product you are using. For example, if you are using Microsoft System Center Configuration Manager (SCCM), see the Configuration Manager documentation.
-
Run the installer for the Centrify Agent for Windows package. For example:
msiexec /qn /i "Centrify Agent for Windows64.msi"
By default, none of the services are enabled.
-
Use the registry editor or a configuration management product to configure the registry settings for each agent.
For example, under HKEY_LOCAL_MACHINE\Software\Centrify\DirectAudit\Agent, you could set the DiskCheckThreshold key to a value other than the default value of 10%.
To install the Verify Privilege Server Suite Agent for Windows and add a computer to a zone during installation:
-
Prepare a computer account in the appropriate zone using Access Manager or the PowerShell command New-CdmManagedComputer.
-
You will use the default transform file Group Policy Deployment.mst in Step 3 to update the MSI installation file so that the computer is joined to the zone in which it was pre-created in Step 1. You can optionally modify Group Policy Deployment.mst to change or add additional registry settings during installation.
If you want to edit Group Policy Deployment.mst to change or add additional registry settings and have not yet done so, edit it now as described in Installing silently by using the Microsoft Windows Installer.
In order for the computer to join the zone from Step 1, the Group Policy Deployment.mst file must specify the GPDeployment property with a value of 1.
-
Run the following command:
msiexec /i "Centrify Agent for Windows64.msi" /qn TRANSFORMS="Group Policy Deployment.mst"
Installing and Joining a Zone Silently
This section describes how to install the agent and join the computer to a zone at the same time. The procedure described here includes the following steps in addition to executing the MSI file:
- You first prepare (pre-create) the Windows computer account in the appropriate zone.
You execute an MST file together with the MSI file to join the computer to a zone and configure registry settings during the installation.
Installing silently by Using the Microsoft Windows Installer
If you want to perform a “silent” (also called unattended) installation of the Centrify Agent for Windows, you can do so by specifying the appropriate command line options and Microsoft Windows Installer (MSI) file to deploy. You must execute the commands on every Windows computer that you want to audit.
You can also use silent installation commands to automate the installation or upgrade of the Windows agent on remote computers if you use a software distribution product, such as Microsoft System Center Configuration Manager (SCCM), that enables you to run commands remotely to deploy software packages. However, only the command-line instructions are covered in this guide.
Configuring Registry Settings
When you perform a silent installation, several registry settings specific to the agent are configured by the default MSI file. In addition, a default transform (MST) file is provided for you to use if you join the computer to a zone as part of the installation procedure. When executed together, the default MSI and MST files ensure that the computer is joined to a zone, and that a default set of agent-specific registry keys is configured.
If your environment requires different or additional registry settings, you can edit the MST file before performing an installation. Then, when you execute the MSI and MST files to perform an installation, your customized registry settings are implemented. For details about how to edit the MST file, see Editing the default transform (MST) file.
Note:If you do not join the computer to a zone during installation, you do not use the MST file. In this situation, you can create or edit registry keys manually after the installation finishes by using the , or the registry editor.
The following table describes the agent-specific registry settings that are available for you to configure during installation (by using the MST file) or after installation (by using the or the registry editor). Use the information in this table if you need to configure registry settings differently than how they are configured by the default MSI and MST files. Keep the following in mind as you review the information in the table:
-
The default MSI file is named Centrify Agent for Windows64.msi, and is located in the Agent folder in the Centrify download location.
-
The default MST file is named Group Policy Deployment.mst, and is located in the Agent folder in the Centrify download location.
-
All of the settings in the following table are optional, although some are included in the default MSI and MST files so that they are configured when the MSI and MST files execute during an installation.
-
Settings that are included in the default MSI and MST files are noted in the table.
-
Some settings are environment-specific, and therefore do not have a default value. Others are not environment-specific, and do have a default value.
-
The settings described in the table are located in the MSI file’s Property table.
-
The Setting column shows both the property name in the MSI file, and the name (in parentheses) of the registry key in the Windows registry.
Service | Setting | Description |
---|---|---|
Auditing and Monitoring | REG_MAX_FORMAT (MaxFormat) | Specifies the color depth of sessions recorded by the agent. The color depth affects the resolution of the activity recorded and the size of the records stored in the audit store database when you have video capture auditing enabled. You can set the color depth to one of the following values: 0 to use the native color depth on an audited computer. 1 for a low resolution with an 8-bit color depth 2 for medium resolution with a 16-bit color depth (default) 4 for highest resolution with a 32-bit color This setting is included in the default MSI file. In the registry, this setting is specified by a numeral (for example, 1). In the MSI file Property table, it is specified by the # character and a numeral (such as #1). The default value is 1. |
Auditing and Monitoring | REG_DISK_CHECK_THRESHOLD (DiskCheckThreshold) | Specifies the minimum amount of disk space that must be available on the disk volume that contains the offline data storage file. You can change the percentage required to be available by modifying this registry key value. This setting is included in the default MSI file. In the registry, this setting is specified by a numeral (for example, 1). In the MSI file Property table, it is specified by the # character and a numeral (such as #10). The default value is 10, meaning that at least 10% of the disk space on the volume that contains the offline data storage file must be available. If this threshold is reached and there are no collectors available, the agent stops spooling data and audit data is lost. |
Auditing and Monitoring | REG_SPOOL_DIR (SpoolDir) | Specifies the offline data storage location. The folder location you specify will be where the agent saves (“spools”) data when it cannot connect to a collector. This setting is not included in the default MSI file. To use it, you must edit the default transform (MST) file so that it is processed together with the MSI file during installation, or create it manually in the registry after the installation finishes. |
Auditing and Monitoring | REG_INSTALLATION_ID (InstallationId) | Specifies the unique global identifier (GUID) associated with the installation service connection point. This setting is not included in the default MSI file. To use it, you must edit the default transform (MST) file so that it is processed together with the MSI file during installation, or create it manually in the registry after the installation finishes. |
Auditing and Monitoring | REG_LOG_LEVEL_DA (LogLevel) | Specifies what level of information, if any, is logged. Possible values are: off information warning error verbose This setting is included in the default MSI file. The default value is information. |
Authentication & Privilege | REG_RESCUEUSERSIDS (RescueUserSids) | Specifies which users have rescue rights. Type user SID strings in a comma separated list. For example: user1SID,user2SID,usernSIDThis setting is not included in the default MSI file. To use it, you must edit the default transform (MST) file so that the setting is processed together with the MSI file during installation, or create it manually in the registry after the installation finishes. |
Authentication & Privilege | REG_LOG_LEVEL_DZ (LoggingLevel) | Specifies what level of information, if any, is logged. Possible values are: off information warning error verbose This setting is included in the default MSI file. The default value is information. |
Authentication & Privilege | GPDeployment | Specifies whether the computer is joined to the zone where the computer was pre-created. This setting is used only during installation and does not have a corresponding registry key. Possible values are: 0 - The computer is not joined to the zone. 1 - The computer is joined to the zone. This setting is included in the default transform (MST) file. To use it, you must execute the MST file when you execute the default MSI file. The default value is 1, meaning that the pre-created computer is joined to the zone. |
Editing the Default Transform (MST) File
The default transform file, Group Policy Deployment.mst, enables you to specify registry key settings that are different from the default settings that are defined in the MSI file. You can use the Group Policy Deployment.mst file to customize a silent installation for a specific environment.
If you want to customize the agent settings for your environment, you should edit the Group Policy Deployment.mst file before executing the command to perform a silent installation. If you want to use the default settings specified in the MSI file, you can skip this section and go directly to Installing silently from the command line.
You must use the Orca MSI editor to edit the Group Policy Deployment.mst file. Orca is one of the tools available in the Windows SDK. If you do not have the Windows SDK or Orca installed on your computer, you can download and install it from this location: http://msdn.microsoft.com/en-us/library/aa370557(v=vs.85).aspx.
To edit the default MST file:
-
In the Agent folder in the Centrify download location, create a backup copy of the default Group Policy Deployment.mst file.
-
Open a Command Prompt window and execute the following command to launch Orca:
Orca.exe
-
In Orca, select File > Open and open the Centrify Agent for Windows64.msi file located in the Agent folder in the Centrify download location.
-
In Orca, select Transform > Apply Transform.
-
In Orca, navigate to the Agent folder in the Centrify download location and open Group Policy Deployment.mst. The file is now in transform edit mode, and you can modify data rows in it.
-
In the Orca left pane, select the Property table. Notice that a green bar displays to the left of “Property” in the left pane. This indicates that the Property table will be modified by the MST file. The right pane displays the properties that configure registry keys when you execute the command to install the agent using the MSI file. Notice that the last property in the table, GPDeployment, is highlighted in a green box. This indicates that the GPDeployment property will be added to the MSI file by the MST file.
-
In the right pane, edit or add properties as necessary to configure registry keys for your environment.
Property Description REG_MAX_FORMAT Sets the MaxFormat registry key to specify the color depth of sessions recorded by the agent. The color depth affects the resolution of the activity recorded and the size of the records stored in the audit store database when you have video capture auditing enabled. In the MSI file Property table, you can set the color depth to one of the following values: #0 to use the native color depth on an audited computer. #1 for a low resolution with an 8-bit color depth. #2 for medium resolution with a 16-bit color depth. #4 for highest resolution with a 32-bit color. The default value is #1. To edit this property, double-click the Value column and type a new value. REG_DISK_CHECK_THRESHOLD Sets the DiskCheckThreshold registry key to specify the minimum amount of disk space that must be available on the disk volume that contains the offline data storage file. In the MSI file Property table, the default value is #10, meaning that at least 10% of the disk space on the volume that contains the offline data storage file must be available. You can change the percentage required to be available. To edit this property, double-click the Value column and type a new value. REG_SPOOL_DIR Sets the SpoolDir registry key to specify the offline data storage location. The folder location you specify will be where the agent saves data when it cannot connect to a collector. To add a this property to the transform file, right-click anywhere in the property table, then select Add Row. REG_INSTALLATION_ID Sets the InstallationId registry key to specify the unique global identifier (GUID) associated with the installation service connection point. This property is not required if you are using the Installation group policy to identify the audit installation to use. If you are not using group policy to identify the audit installation, you can add a this property to the transform file. Right-click anywhere in the property table, then select Add Row to add the property and value to the file. REG_LOG_LEVEL_DA Sets the LogLevel registry key to specifies what level of information, if any, is logged. Possible values are: off information warning error verbose The default value is information. To edit this property, double-click the Value column and type a new value. -
After you have made the necessary modifications, select Transform > Generate Transform to save your modifications to the default MST file. Be sure to save the MST file in the same folder as the MSI file. If the MST and MSI files are in different folders, the MST file will not execute when you execute the MSI file.
The MST file is now ready to be used as described in Installing silently from the command line.
Installing Silently from the Command Line
If you want to perform a “silent” or unattended installation of the Centrify Agent for Windows, you can do so by specifying the appropriate command line options and Microsoft Windows Installer (MSI) file to deploy.
Before running the installation command, you should verify the computers where you plan to install meet the prerequisites described in Verify prerequisites. If the prerequisites are not met, the silent installation will fail. You should have also completed the following tasks:
- Installed and configured the SQL Server management database and the SQL Server audit store database.
- Installed and configured one or more collectors.
- Configured and applied the Centrify DirectAudit Settings group policy that specifies the installation name.
You can use similar steps to install the Centrify Common Component using the Centrify Common Component64.msi file before you install the agent. If you install the common component first, information about the agent installation is recorded in a log file for troubleshooting purposes. However, you are not required to install the common component separately from the agent.
To install the Centrify Agent for Windows silently:
- Open a Command Prompt window or prepare a software distribution package for deployment on remote computers.
-
Run the installer for the Centrify Agent for Windows package for a 64-bit architecture with the appropriate command line options.
For example, to install the Centrify Common Component on a computer with 64-bit architecture, run the following command:
msiexec /i "Centrify Common Component64.msi" /qn
If you want to enable both auditing and access control features on a computer with a 64bit operating system and use the values defined in the Group Policy Deployment.mst file, you would run the following command:
msiexec /i "Centrify Agent for Windows64.msi" /qn TRANSFORMS="Group Policy Deployment.mst"
Installing from a Central Location by Using Group Policy
You can use a Group Policy Object (GPO) to automate the deployment of Centrify Agent for Windows. Because automated installation fails if all the prerequisites are not met, be sure that all the computers on which you intend to install meet the requirements described in Verify prerequisites.
You can use similar steps to install the Centrify Common Component using the Centrify Common Component64.msi file before you install the agent. If you install the common component first, information about the agent installation is recorded in a log file for troubleshooting purposes. However, you are not required to install the common component separately from the agent.
In most cases, you can use the default agent settings defined in the Group Policy Deployment.mst transform file. If you want to modify the default settings prior to installation, see the instructions in Installing silently by using the Microsoft Windows Installer.
To create a Group Policy Object for the deployment of Centrify Agents for Windows:
-
Copy the Centrify Agent for Windows64.msi and Group Policy Deployment.mst files to a shared folder on the domain controller or a location accessible from the domain controller. When you select a folder for the files, right-click and select Share with > Specific people to verify that the folder is shared with Everyone or with appropriate users and groups.
-
On the domain controller, click Start > Administrative Tools > Group Policy Management.
-
Select the domain or organizational unit that has the Windows computers where you want to deploy the Centrify Agent, right-click, then select Create a GPO in this domain, and Link it here. For example, you might have an organizational unit specifically for Centrify-managed Windows computers. You can create a group policy object and link it to that specific organizational unit.
-
Type a name for the new Group Policy Object, for example, Centrify Agent Deployment, and click OK.
-
Right-click the new Group Policy Object and click Edit.
-
Expand Computer Configuration > Policies > Software Settings.
-
Select Software installation, right-click, and select New > Package.
-
Navigate to the folder you selected in Step 1, select the Centrify Agent for Windows64.msi file, and click Open.
-
Select Advanced and click OK.
-
Click the Modifications tab and click Add.
-
Select the Group Policy Deployment.mst file, click Open, and click OK.
-
Close the Group Policy Management Editor, right-click the Centrify Agent Deployment group policy object, and verify that Link Enabled is selected.
By default, when computers in the selected domain or organizational unit receive the next group policy update or are restarted, the agent will be deployed and the computer will be automatically rebooted to complete the deployment of the agent.
If you want to test deployment or deploy immediately, you can open a Command Prompt window to log on to a Windows client as a domain administrator and force group policies to be updated immediately by running the following command:
gpupdate /force
After installation, all of the registry settings that were specified in the MSI and MST files are configured. If you need to change any of the default agent settings, open the DirectAudit Agent Control Panel or the Registry Editor.
For more information about how to configure and use Group Policy Objects, see the documentation on the Microsoft Windows website.