Re: LSA vs LSP GUI on Vista/2008?



Hello Jialiang,

Thank you for all the helpful answers and the many links!

I've had a quick look at all the links; most of what I see is what I expected, but I will spend some time next week studying in more detail.

I mentioned WMI because Joe had suggested it in this thread; I will instead post to the WMI group about it.

I'm a bit confused about .NET Remoting; are they saying you have to INSTALL the server component to every remote box before you can call it? I was assuming you could remote a call to any class that's part of the base .NET Framework on the remote machine.

After reading more, I just don't understand why anyone would use .NET and PowerShell for anything. ATL/COM/DCOM seem much more powerful to me, but I'm not convinced they are going to be pushed as future technologies; the article from Don Box is many years old and I don't see ATL advertised in flashing lights on the Microsoft home page.

Hello Gerry

I understand that you are selecting between COM, WMI, .NET (including .NET Remoting) and WinRM. Here, I can only provide you with some materials for reference. If you want a more formal, official and complete analysis, I suggest that you try our Advisory Service: http://support.microsoft.com/gp/advisoryservice. The newsgroup support service focuses on break/fix issues that are neither urgent nor complex.


The complete roadmap of the latest ATL/COM can be found here.
http://msdn.microsoft.com/en-us/library/t9adwcde.aspx

=============================
1. Where is the roadmap on Microsoft's website showing the future of
ATL/COM?

I think that I can understand the question as a comparison between COM and .NET. I have never heard that Microsoft is going to give up COM. In fact, many .NET runtime components are in the form of COM objects. Both techs have their own strengths and weaknesses. Here is an article that discusses the topic:

Is COM Dead? By Don Box
http://msdn.microsoft.com/en-us/magazine/cc301471.aspx

=============================
2. How quickly can we expect bugs in ATL to be fixed over the next two
years 2009/2011 compared to .NET?

As far as I know, PG fixes issues based on their severity. If an issue has a very big business impact and no workaround is available, PG may even consider a hotfix. This applies to both ATL/COM and .NET. You mentioned that you once reported an ATL issue and received no help. Did the MS engineer provide a workaround to you? If you still need help with that ATL issue, you may consider posting it in microsoft.public.vc.atl and I will do my best to assist you.

=============================
3. My native code in C/C++ is able to work with LSA on thousands of
remote machines without any installation. My understanding is that in
order to use COM clients and servers, I'd need information added to the
registry of EVERY remote machine?

Yes. Registering a COM object requires writing to HKCR with admin privileges. But after the setup, the app that uses (consumes) the COM object does not need the Admin privileges. In other words, you need the admin privileges only during the installation (setup).

=============================
4. Regarding writing a WMI provider, and assuming this provider would be
installed to the target machine, is there any way to install a WMI
provider to a remote machine at run time and then uninstall it when the
calling program finishes? What about enabling a WMI provider that's shipped with Windows but not installed, such as the MSI provider on Windows Server 2003 or the SNMP provider on Windows Server 2008? Is it possible to enable them on thousands of machines without logging in to each one with an interactive shell?

microsoft.public.platformsdk.security does not cover WMI questions. I suggest that you post the question to the WMI newsgroup: microsoft.public.win32.programmer.wmi.

=============================
5. Using .NET Remoting, my understanding is that it will only work if
the class exists in the library of the remote machine, so it's the same
problem of having to install it to thousands of machines? Can it work
without Admin rights, like what you can do with DCOM?

As far as I know, .NET Remoting can run without admin rights because the messages are transferred through HTTP/TCP. But to get a more detailed confirmation, you may consider posting a question in microsoft.public.dotnet.distributed_apps. Here is an article that compares .NET Remoting, COM/DCOM and Web services.
http://www.csharphelp.com/archives2/archive460.html

=============================
6. Using WinRM, my understanding is that it's disabled by default and it
only works with Admin rights - unlike DCOM that can work without Admin
rights.

To obtain data from a remote computer using WinRM, admin authentication is required:
http://msdn.microsoft.com/en-us/library/aa384423(VS.85).aspx
<quote>
If the account on the remote computer has the same logon username and password, the only extra information you need is the transport, the domain name, and the computer name. Because of User Account Control (UAC), the remote account must be a domain account and a member of the remote computer Administrators group. If the account is a local computer member of the Administrators group, then UAC does not allow access to the WinRM service. To access a remote WinRM service in a workgroup, UAC filtering for local accounts must be disabled by creating the following DWORD registry entry and setting its value to 1: [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy.
</quote>

I like the examples on codeplex, but I did not see much information about perfecting the installation process for remote machines; these

Thank you, Gerry. There are not many samples in HelloWorld because the project is at a very young stage. I started it 30 days ago. In order to sketch the skeleton of all MS dev techs (including the installation process for remote machines as you mentioned), I need to get my team's and the community's support. I did a lot of work to promote the project in front of my manager last week, and they appear to like the idea.

things sometimes need keys written to HKLM\Software\Classes, AppID, CLSID, then x-ref GUIDs pointing all over the place, then launch/activation ACLs. It's easy on a local machine with Admin rights and Visual Studio, but I have not found a good way to do this on thousands of machines at run time, and then clean them up after.

This is one of the weaknesses of COM. If your business environment requires frequent reinstallation of the COM object, COM may not be a good solution in this case.

Best Regards, Jialiang Ge (jialge@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@xxxxxxxxxxxxxx

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================
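The thread touches two things an administrator would want to verify on a managed box before relying on remote WinRM or a temporarily registered COM server: whether the quoted LocalAccountTokenFilterPolicy relaxation of UAC remote token filtering is in effect, and what registry footprint a COM server has left in HKCR (CLSID server keys, the AppID cross-reference and its LaunchPermission ACL) so that it can actually be cleaned up afterwards. The following read-only PowerShell audit is an added example written for this page; it is not code from the thread, from the HelloWorld project or from Microsoft, and the module name MyServer.dll in the usage line is a placeholder.

```powershell
# Added example (not from the thread): read-only audit of
# (1) UAC remote token filtering (LocalAccountTokenFilterPolicy) and the WinRM service state, and
# (2) the HKCR footprint of a COM server, i.e. what must be removed after a temporary registration.
# Reading these keys needs no admin rights.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacPolicyName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilterState {
    # Absent or 0 (the default): members of the local Administrators group get a
    # filtered, non-admin token over the network, so remote WinRM/WMI/DCOM admin
    # operations with a local account fail. 1: they get the full admin token, which
    # the quoted MSDN text requires for workgroup WinRM but which also widens the
    # remote attack surface, so it is worth flagging in an audit.
    $props = Get-ItemProperty -Path $UacPolicyPath -Name $UacPolicyName -ErrorAction SilentlyContinue
    $value = if ($null -ne $props) { $props.$UacPolicyName } else { $null }
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAccountTokenFilterPolicy = $value
        RemoteLocalAdminTokenFiltered = ($value -ne 1)
        WinRMServiceStatus            = if ($winrm) { $winrm.Status.ToString() } else { 'NotInstalled' }
    }
}

function Get-ComRegistrationFootprint {
    param(
        # File name (or path fragment) of the COM server module whose CLSID entries to locate.
        [Parameter(Mandatory)] [string] $ModuleName
    )
    $results = @()
    $clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    foreach ($clsidKey in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        foreach ($serverKind in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$($clsidKey.PSPath)\$serverKind"
            if (-not (Test-Path -Path $serverKey)) { continue }
            # The (default) value of InprocServer32/LocalServer32 is the module path.
            $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $server -or $server -notlike "*$ModuleName*") { continue }
            # The optional AppID value on the CLSID key cross-references HKCR\AppID\{guid},
            # which is where DCOM launch/activation ACLs live.
            $appId = (Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue).AppID
            $launchSddl = $null
            if ($appId) {
                $appIdKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
                $bytes = (Get-ItemProperty -Path $appIdKey -ErrorAction SilentlyContinue).LaunchPermission
                if ($bytes) {
                    # LaunchPermission is a self-relative binary security descriptor; render it as SDDL
                    # so the launch/activation ACL can be reviewed without a GUI.
                    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
                    $launchSddl = $sd.GetSddlForm('All')
                }
            }
            $results += [pscustomobject]@{
                CLSID            = $clsidKey.PSChildName
                ServerKind       = $serverKind
                ServerPath       = $server
                AppID            = $appId
                LaunchPermission = $launchSddl
            }
        }
    }
    return $results
}

# Usage (MyServer.dll is a placeholder module name):
Get-RemoteUacFilterState | Format-List
Get-ComRegistrationFootprint -ModuleName 'MyServer.dll' | Format-Table -AutoSize
```

Run against a machine after the "uninstall" step of a temporary COM registration, an empty result from Get-ComRegistrationFootprint confirms that the CLSID and AppID entries were actually removed; a non-empty LaunchPermission column shows exactly which principals the leftover AppID still allows to launch or activate the server.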



--
Gerry Hickman (London UK)