• Console UI

    These are the main components of the console’s user interface:

    Ribbon Bar

    File Menu

    Clicking on the “File” button in the top left corner of the screen allows you to select the following functions:

    SETTINGS

    Opens the Settings Window

    ACCOUNT MANAGEMENT

    This window allows you to manage common account information such as name, mobile phone number (for alerting), activation status, changing your password, etc.

    MINIMIZE

    Switches to tray mode, during which the main window is hidden. System tray bubble notifications may still be displayed, according to your settings.

    SIGN OUT/SIGN IN

    Sign Out terminates your current ControlUp session and switches to the sign in screen. If you are currently disconnected from the login servers, the “Sign In” option will be shown. The “Sign In” option may also be displayed briefly after you sign into ControlUp with the “Save Password” option enabled.

    SAVE CONFIGURATION

    Immediately saves the configuration. Especially useful for customers who work in offline/standalone mode and need to commit changes to the configuration before exiting the console.

    EXIT

    Terminates your current ControlUp session and closes the executable.

    Home Ribbon

    Here you will find a set of ribbons which include all the actions you will need when working with ControlUp. The buttons on the Home ribbon vary according to the current view and selected objects, while the Settings ribbon and the Help ribbon remain static regardless of the current view.

    Settings Ribbon

    For more information on ControlUp Settings, please refer to The Settings Window chapter.

    Help Ribbon

    Includes various help options.

    Navigation Bar

    Here you can switch between views, navigate between the recently visited views, and enter search queries for the Information Grid.

    Information Grid

    The main information display area of the console. This high-performance component can quickly display, sort, group, and filter information collected from the managed computers.

    Monitors Panel

    In this area you will see the status of all installed instances of ControlUp Monitor service in your organization. For more information on ControlUp Monitor please refer to this chapter.

    Panes

    The Outlook-style menu on the bottom left allows you to switch between panes, each of which deals with a distinct area of ControlUp’s functionality.

    Actions Panel

    Here you can find all of the available actions for the objects you select on the information grid. The actions available on the Actions Panel are also accessible by using the context menu (right-click) of the selected resource.

    Folder Tree

    A graphical display of all the computers currently added to the console, arranged in folders. There are two methods for managing the tree: right-clicking computers or folders, or using the Folder area of the Home Ribbon.

    In Enterprise Mode, your tree is shared with other ControlUp users on your team so that all changes made to the tree are replicated automatically between all team members with appropriate permissions.

    For more information regarding ControlUp’s permission delegation capabilities, please refer to the Security Policy Pane chapter.

    In Standalone Mode, every ControlUp user manages a separate Folder Tree, which is stored in XML format in the “%appdata%\ControlUp” folder of the user profile. These settings can be copied between users but cannot be synchronized automatically. Your saved passwords are stored in encrypted form and will not be accessible to any other user, even if you copy this folder.

    Status Bar

    The status bar is a dynamic display that includes the following information regarding your current ControlUp session:

    • User Name – your current ControlUp username which you provided when signing in, or a shortened unique derivative of your email address, which can be used for login.
    • Organization – the name of your current ControlUp organization
    • Status – the following values are possible:
      • Online – you are signed in using ControlUp Cloud
      • Offline – you are signed in using an Offline License File
      • Logging in – displayed briefly following login if “Save Password” is enabled
    • Central Configuration connection status:
      • Connected – indicates an active connection to the ControlUp Cloud.
      • Connected (with errors) – displayed when some of the changes could not be committed to the ControlUp Cloud.
      • Disconnected – in Offline Mode, or when communications with Cloud Configuration Servers are disrupted.
  • Create Your User Account

    In order to utilize ControlUp’s full power to manage computers in your environment while collaborating with other administrators on your network, you will need an online User Account. This account is used by ControlUp in order to track licensing and gather usage statistics.

    After opening ControlUp for the first time, you will be presented with the following screen:

    Click “Sign Up” to create your ControlUp user account and fill in the following form:

    Please provide a valid e-mail address, your contact details, and password in order to proceed with the creation of your user account. After clicking “Sign up”, you will receive a confirmation e-mail with an activation link that you should visit in order to activate ControlUp.

    At the next (and final) stage of the sign-up process you will create a ControlUp organization. For more information regarding this step, please proceed to the “Get Organized” section of the documentation.

    The next time you launch ControlUp, enter your email and password in the following form:

    Internet Connectivity for ControlUp

    ControlUp requires Internet connectivity for the sign-in process. If you can successfully check the availability of your desired nickname, connectivity with the online account servers is working properly. If your network is connected to the Internet, but ControlUp’s connectivity with the online account servers is blocked by a firewall or other security appliances or software, please ensure the console is allowed to establish connections to the addresses fe1.controlup.com, fe2.controlup.com, fe3.controlup.com, and fe4.controlup.com via port 443 (HTTPS). In order to verify connectivity, open your Command Prompt and enter the following commands:

    telnet fe1.controlup.com 443

    telnet fe2.controlup.com 443

    telnet fe3.controlup.com 443

    telnet fe4.controlup.com 443

    If the connection to at least one of the above servers is successful, you should receive a blank Command Prompt screen, from which you can exit using the telnet escape sequence (Ctrl + ]).
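
    The same check without the telnet client, as an added PowerShell example that is not part of ControlUp's documentation or tooling: it bounds the TCP connect with a timeout and then completes a TLS handshake, so a blocked port can be told apart from a firewall or proxy that intercepts HTTPS with its own certificate. The function name, the 5-second timeout and the output fields are assumptions; the hostnames and port are the ones listed above.

    ```powershell
    # Added example (not ControlUp code). Test-ControlUpEndpoint is a hypothetical helper name.
    function Test-ControlUpEndpoint {
        [CmdletBinding()]
        param(
            [Parameter(Mandatory)][string]$HostName,
            [int]$Port = 443,
            [int]$TimeoutMs = 5000          # assumed timeout, adjust for slow links
        )

        $result = [ordered]@{
            Host        = $HostName
            Port        = $Port
            TcpOpen     = $false
            TlsOk       = $false
            CertSubject = $null
            CertIssuer  = $null
            Error       = $null
        }

        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Bounded connect: a silently dropped SYN fails after $TimeoutMs instead of hanging.
            $connect = $client.ConnectAsync($HostName, $Port)
            if (-not $connect.Wait($TimeoutMs)) {
                throw "TCP connect timed out after $TimeoutMs ms"
            }
            $result.TcpOpen = $true

            # TLS handshake with normal certificate validation against the Windows trust store.
            # An intercepting device with an untrusted certificate makes this step throw.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            try {
                $ssl.AuthenticateAsClient($HostName)
                $result.TlsOk = $true
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
                $result.CertSubject = $cert.Subject
                $result.CertIssuer  = $cert.Issuer   # an internal CA here indicates TLS inspection
            }
            finally {
                $ssl.Dispose()
            }
        }
        catch {
            # Connection refused, timeout, DNS failure or certificate validation error.
            $result.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            $client.Close()
        }

        [pscustomobject]$result
    }

    # Hostnames and port as listed in this section.
    $servers = 'fe1.controlup.com', 'fe2.controlup.com', 'fe3.controlup.com', 'fe4.controlup.com'
    $report  = $servers | ForEach-Object { Test-ControlUpEndpoint -HostName $_ -Port 443 }
    $report | Format-Table Host, TcpOpen, TlsOk, CertIssuer, Error -AutoSize

    # The documentation requires at least one reachable server.
    if (-not ($report | Where-Object { $_.TlsOk })) {
        Write-Warning 'No ControlUp account server completed a TLS handshake on port 443.'
    }
    ```

    Like telnet, this tests a direct connection and ignores any configured proxy. A row with TcpOpen true but TlsOk false, or a CertIssuer that belongs to your own organization, points to TLS inspection between the console and the servers.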

    If ControlUp cannot reach the online servers, then you will be presented with an option to adjust your proxy settings or create an offline license (for more information on these options, please see below in this document).

    If your network uses industry-standard security products that prevent ControlUp’s online features from performing correctly, it is very important that you contact support@controlup.com and inform our Product Team of the issue. We are working hard to ensure all Internet-connected networks can successfully sign in to ControlUp, regardless of the type of firewall, proxy or Web filter used.

    Working in Offline Environments

    If your network is not connected to the Internet, please use the “Sign in to ControlUp” screen to submit a request for an Offline License. This file is an authentication method that allows the ControlUp console to run without logging in to the online servers. As some of ControlUp’s collaboration features and management actions require Internet connectivity, this method should only be used as a last resort.

    In order to request an offline license, please use the “Request a new Offline License” option and follow the instructions on screen.

    If your computers have an Internet connection, you will not see the option to use an Offline License file (and proxy options). In order to make this option visible, please add the following registry value before launching ControlUp:

    Value Name: HKEY_CURRENT_USER\Software\Smart-X\ControlUp\Console\UsedOfflineOnce

    Value type: DWORD

    Value data: 0x00000001 (1)

    Note: before issuing the Offline License request, please make sure that ControlUp is launched using the same Windows user name which you will be using to launch ControlUp in the future. Every Offline License is linked to a single Windows user and will not work if ControlUp is launched with another user account.

  • Get Organized

    ControlUp organizations are entities that represent groups of computers managed by the same administrative personnel. Once an organization is created in your network, new ControlUp Users may join the same organization in order to manage and monitor the same environment as the existing users.

    ControlUp organizations allow an unlimited number of ControlUp consoles to connect to every managed computer, as long as these consoles have different ControlUp User accounts logged on. All managed computers are configured in a way that permits connections only from ControlUp Users that are members of the same organization. Changing a managed computer’s organization membership is outlined in the “Troubleshooting” section of this document.

    Create a ControlUp Organization

    During the initial sign up process you will be prompted to create an organization.

    Make sure you provide a clear and descriptive organization name, as this will allow future ControlUp Users from your company to easily recognize the organization when they sign in to ControlUp.

    Additional organizations can be created directly after the sign in process. Although this can be useful for segmenting your network into administrative units, please note that ControlUp offers a flexible and granular Security Policy which supports permissions delegation within a single organization. Working with a single organization is the recommended practice.

    Each managed computer can be associated with a single organization only. Once a computer is associated with an organization, users from different organizations will not be able to connect to it using ControlUp.

    Sign in to an Existing Organization

    After the first ControlUp User in the enterprise has created an organization, all new ControlUp users in the same Active Directory environment will be automatically signed in to the same organization.

    If your network only includes one organization, all users will be signed in to this organization by default. If more than one organization exists, ControlUp users will be presented with the following screen:

    An administrator who regularly works in a single enterprise is advised to select the “Always use this organization” checkbox.

    Note: All managed computers are configured to permit connections from ControlUp Users who are members of the same organization. This is an important security measure intended to prevent various “rogue administrator” issues. In Enterprise Mode, you can further harden ControlUp permissions to allow only designated administrators access to ControlUp features. For more information, please refer to the “Security Policy Pane” section.

    Create Your Folder Tree

    Before adding managed computers to ControlUp, it is recommended that you create a folder tree that reflects the structure of your IT assets. For example, you might want to create a folder for your RDS farm, a folder for file servers and a folder for workstations. You can also create subfolders for different types of servers, for example to separate physical machines from VMs. Keep in mind that a neat folder structure will make it easier to configure stress levels and security policies. In addition, the Folders View will allow you to view aggregated measurements for every folder you create, such as the total number of highly stressed workstations in a selected department.

    Note: The settings above are shared within your ControlUp organization. Any configuration changes may affect other ControlUp users in your organization. In case any of your configurations seem altered, please keep in mind that the change could be performed by another ControlUp user on your network.

    While it is best to invest several minutes in planning your folder structure before adding managed computers, it is entirely possible to move computers between folders and re-arrange the folder structure at a later time.

  • Add Managed Computers

    If it’s the first time you’re using ControlUp, click on the “Add Computers” link in the information grid. In order to launch the “Add Computers” window at a later time, right-click the Root Folder or any other folder in the organization tree and select “Add > Computers”, or click the “Add Computers” button on the Home ribbon.

    The Add Computers window prompts you to select your managed computers, using one of the following methods:

    By selecting computer accounts from your Active Directory (default)

    Choose a domain containing the computers to be added using the “Domain” selector button.

    Choose a root OU for the Active Directory search using the “Search Root” selector. This is useful in large environments, in which the size of the directory may slow down the discovery process.

    Search for and select computer accounts from Active Directory. Typing text in the Search Filter box performs inline filtering of the result table, which allows for faster location of computer accounts. The text you type in the Search Filter box can be any part of the computer name and does not require the use of wildcard characters.

    By default, ControlUp attempts to contact your computers by using the DNS suffix configured in the Active Directory dNSHostName attribute of the computer account. In case the DNS configuration in your network specifies a DNS suffix which is different from the domain name, use the “Alternate suffix” text box to input the name suffix used in your network.

    After locating the computers you would like to add to ControlUp, select them and click Add. The right pane will show all computers currently selected for addition.

    By entering IP addresses or scanning your internal IP range

    You may provide a list of IP addresses in the “IP Addresses” field. Multiple addresses should be separated by a semicolon (;). A contiguous IP address range may be scanned by using the “IP Range” option. Please provide the start and end addresses for the IP range and click “Scan” to discover computers in that range.

    By providing a text file that includes a list of computers to be added

    ControlUp supports adding managed computers from a text file that includes a list of computers separated by line breaks, commas, semicolons or spaces. Use the “File Path” field to select a file, choose the file encoding if needed and click “Load”.

    Note: When adding computers using a text file or by IP address, expand the “Connection Settings” optional pane to select the user account for discovery of the selected computers and to configure connection timeouts:

    The credentials you provide here will be used for the Active Directory query only. In order to configure the credentials used for the agent deployment, edit your Active Directory connection on the Settings Window.

    When you have selected your target managed computers and clicked Next, all selected computers are contacted and the following tests are performed:

    1. Ping test (unless disabled).
    2. .Net Framework installation test (unless disabled).
    3. Security test – the Windows user account you are using to connect to every managed computer is tested for local administrative rights on that computer.
    4. Existing ControlUp agent installation – if a ControlUp agent is already present on the machine, this agent will be used unless its version is outdated, in which case you may perform a seamless upgrade of the agent.
    5. You may rerun the agent installation process for any selected machine if an issue preventing agent installation has been resolved. You can also rerun the process for all failed machines using the “Rerun Failed” button.

    At the end of this process, ControlUp agents start reporting performance data, and the ControlUp console will be ready to perform a variety of management tasks on your selected machines.

    Deploying ControlUp agents from the hypervisor

    After hypervisor connections have been made (see “Connect to the Virtualization Infrastructure”), you will see all of the VMs that are managed by the hypervisors. If they already have the ControlUp agent installed, they will look like all other managed computers. If they do not have the ControlUp agent installed and the status is “Install Agent”, you can easily deploy the agent to them by either clicking on the link in the status “Install Agent” or right-clicking on the computer in the Information Grid. To deploy to multiple VMs at the same time, shift-click or control-click to choose your targets and then right-click on one of those selected computers.

    At this point, you will go to the same ‘Add Computers’ window as described above, with a few changes specific to adding computers from a hypervisor.

    First, note that there is a box to choose where to place the computers once an agent is installed.

    The credentials at the top of the window serve the same purpose as described above. If you change the credentials you choose to use, you can click the “Scan” button to rescan the chosen VMs with the new credentials. If the credentials are valid and have sufficient permissions for installing the agent, the Description column will say “Done” and the VMs will be put into the target list. If there are any problems, the Description column will give as much detail as it can to help solve the problem.

    The Add Computer process then continues as described above.

    Please note that deploying the agent from the hypervisor only works in the information grid and not from the organizational tree.

    Please be aware that any VM with a status of “Unmanaged” does not have any IP address information offered by the hypervisor, and therefore this method is not available for those VMs. If you want to deploy the agents to VMs in the unmanaged state, you will have to use a different method, as this method relies on knowing the IP address from the hypervisor.

    In this version, ControlUp does not filter the ability to install the agent by guest OS, since not all hypervisors always report what the guest OS is.

    Deploying ControlUp agents behind firewalls

    By default, ControlUp uses RPC for agent deployment. In some environments, RPC access to the managed computers may be blocked by firewalls or other security measures. In order to deploy ControlUp agents to these computers, use the “Read more about adding computers…” link on the bottom of the Add Computers window. After clicking this link, you will be redirected to the ControlUp website, where you will be able to download a Windows Installer package. You can then use your deployment mechanism of choice in order to install the ControlUp agent on the managed machines. After completing the deployment, you will be able to add these machines to ControlUp using the Add Computers window, provided that the agent communication TCP port (40705 by default) is not blocked by your security hardware and software.

    Note: ControlUp agents installed using this method cannot be uninstalled remotely using ControlUp console. You should uninstall these packages manually or using your software deployment system of choice.

    Note: The following functionality may be limited when accessing ControlUp agents behind firewalls: Remote Event Viewer, File System Controller (Get file properties, Gather and Send Files Here). These features rely on RPC communications and may not work if firewalls or other security measures on your network prevent this type of connection.

    Installing .Net Framework for Managed Computers

    .Net Framework 3.5 or 4.5 is a mandatory prerequisite for computers that you would like to manage using ControlUp. After completing the Add Computers action, the computer/s will appear in the organization as “Installation Failed” with an explanation that the required .Net Framework was not found. For computers running Windows Vista or later and Windows Server 2008 or later, .Net Framework feature installation can be performed remotely. To do so, select the computers, and from the Actions menu (from the ribbon bar, right-click, or the right side bar), select Agent Control, and then click “Deploy .Net Framework”. ControlUp agent installation for these computers will resume as soon as the .Net Framework installation is complete.

    Please note that .Net Framework needs to be installed manually or deployed using your software deployment mechanism of choice for computers running Windows XP or Windows Server 2003.

    Troubleshooting connections to managed computers

    Please refer to the Troubleshooting section of this document in order to review the possible causes for errors in connections to managed computers.

     

  • Connect to the Virtualization Infrastructure

    ControlUp supports monitoring and managing virtualization infrastructure based on VMware vSphere, Citrix XenServer, Microsoft Hyper-V, or a combination of those. This means that besides gathering performance data and system information directly from your managed computers, you can also receive updates and perform actions on your managed computers using the underlying hypervisor servers. ControlUp visualizes the utilization of physical resources (such as the impact of VMs on the CPU, RAM, or storage of the host) and allows for performing actions such as turning VMs on and off.

    To enable these features, you will need to supply ControlUp with credentials and connection details for your virtualization infrastructure. This operation is performed by creating a hypervisor connection in the Hypervisors folder, which is automatically created in the root of your organization tree. This is the location where all supported hypervisor connections and related objects can be created and monitored. You can manage and monitor any combination of supported hypervisors that you may have in your environment. To do so, you must create a hypervisor connection for each hypervisor instance (VMware vCenter, XenServer pool or standalone server, Hyper-V cluster or standalone server) in your environment.

    Note: there is no need to install XenCenter, vSphere client, or any other hypervisor client software in order to make connections to supported hypervisors in ControlUp.

     

    Creating a hypervisor connection

    To create a hypervisor connection, click the Add Hypervisor button on the Home ribbon of My Organization view, or right-click on the Hypervisors folder and choose Add -> Hypervisor.



    vSphere Connection

    If you are adding a vCenter server, enter the appropriate vCenter URL (in the format of https://<vCenter name or IP>/sdk) and create a meaningful name that you would like to see in the ControlUp console. Then, use the Credentials drop-down to select or create a set of Active Directory credentials for connecting to the vCenter.

     

    XenServer Connection

    To connect to a XenServer server or pool, choose ‘XenServer’ as the hypervisor type, and then enter the appropriate URL for the server or pool master (in the format of http://<Pool Master name or IP>). The connection name will be automatically created from the name of the pool.

    If your XenServer pool uses Active Directory for authentication, use the Credentials drop-down to select a set of Active Directory credentials for connecting to the pool. If the XenServer pool uses built-in Unix accounts (e.g. root), use the credentials drop-down to select or create a “Local Computer” credentials set.

     

    Hyper-V Connection

    In order to connect your Hyper-V-based virtualization infrastructure to ControlUp, you will need to add your Hyper-V hosts as managed computers to your organization tree. Use the Add Computers button on the Home ribbon to select and add your hosts and then proceed with the steps below. For more details on adding managed computers, please refer to the Add Computers page of the user guide.

    Once your Hyper-V hosts are added as managed computers in the organization tree, performance data and system information is collected from those computers as generic Windows machines. In order to enable ControlUp to recognize those computers as virtualization hosts, click the Add Hypervisor button and select Hyper-V in the Type drop-down.

    The Add Hypervisor Connection dialog will present you with a list of Hyper-V clusters and standalone hosts found in your ControlUp configuration. Select the cluster or host you would like to monitor and click OK to add the connection.

     

    Configuring Credentials for a Hypervisor Connection

    Note: Hyper-V hosts monitored by ControlUp do not require credentials to be explicitly configured. If your virtualization infrastructure is based on Hyper-V, you may skip the next paragraph.

    If multiple colleagues are using ControlUp in your environment, please ensure each of them uses the same credentials for the hypervisor connection/s you create. Once a hypervisor connection is configured, ControlUp expects to find an identical set of credentials on all machines on which an instance of the Console or Monitor is used. This behavior is intended to ensure that only authorized users have access to hypervisor-related information and management actions. Therefore, it is recommended that you use a dedicated service account to connect ControlUp to your virtualization infrastructure.

     

    Configuring Data Collection Agents

    Note: Hyper-V hypervisor connections in ControlUp do not support dedicated data collectors. If your virtualization infrastructure is based on Hyper-V, you may skip the next paragraph.

    The Connection Options dialog allows you to change the computer responsible for collecting hypervisor-related data on behalf of ControlUp. By default, any open console or running monitor will retrieve data directly from the connected hypervisors.

    You may want to change the computer that collects data for some reason, such as performance issues due to the extra work involved in collecting the hypervisor data, connectivity limitations between the monitor/console and the hypervisor itself, or the desire to implement high availability for the data gathering component. In that case, use the Connection Options dialog to define one or more computers as designated data collector agents. Any active ControlUp agent is eligible to collect data from hypervisors.

    Click ‘Add’ to open the list of active agents, and choose as many agents as you would like to use. You can then test the connection of the agent to the hypervisor with the ‘Test Connection’ button. The connection is tested with the configuration information at the top of the Connection window. If the test fails, ControlUp will display the errors it encountered.

     

    Note: when a ControlUp Agent is designated for collecting hypervisor data, it will consume additional CPU and memory resources for connecting to the hypervisor infrastructure and retrieving performance data. Depending on the scale of your virtualization infrastructure, the resource footprint of the cuagent.exe process may grow significantly for those computers, so please keep this in mind when planning your deployment.


    When ControlUp connects to a VMware vSphere connection, it will automatically retrieve a list of all datacenters, clusters, and hosts that your connection credentials have access to. For more information on how to restrict access to the vCenter objects, please refer to VMware’s documentation. XenServer connections will automatically retrieve the list of all XenServer hosts in the pool. Hyper-V connections will start monitoring any clustered and standalone hosts that exist in your ControlUp organization tree as managed computers.

  • Connecting to your XenDesktop Infrastructure

    Version 6.0 of ControlUp significantly improves XenDesktop monitoring functionality by adding a data collector component which gathers operational metadata directly from the XenDesktop API. This allows ControlUp to display real-time XenDesktop-specific information, such as VDA registration status and brokering performance, in the console and to send it to ControlUp Insights for historical analysis and reporting.

    By adding a XenDesktop connection to ControlUp, you will benefit from the following features:

    • ControlUp will automatically discover VDAs, delivery groups and brokers associated with your XenDesktop deployment. VDAs and brokers will appear on the Computers view and XenDesktop sessions will appear on the Sessions view. Note that with XenDesktop integration, ControlUp Agent deployment is not required for this discovery process.
      • Note: ControlUp Agent is required in order to monitor the performance of your VDAs and brokers, and in order to display processes running on your VDAs and brokers
      • Note: each session discovered by the XenDesktop connection is counted as 1 ControlUp license
    • The XenDesktop site will appear in the organization tree under “XenDesktop Sites”. The site itself, its delivery groups and the “Brokers” container will be displayed as folders as long as the XenDesktop connection is active. You can use the Focus action on these folders in order to filter the information grid to display VDAs or sessions in a specific delivery group, or to examine the health of your XenDesktop brokers.
      • Note: the child folders of the XenDesktop connection in the organization tree (delivery groups and the Brokers container) are ephemeral objects which are not stored in ControlUp’s configuration. As such, they cannot be used to configure custom stress settings, incident triggers or column presets. In order to save custom settings for delivery groups or brokers, please add the corresponding computers to the organizational tree using the Add Computers button.
    • Resources displayed in ControlUp will be enriched with dozens of XenDesktop-related metrics and operational metadata. For example, the Computers view will show the “XD Computer Availability” column which will show “Available” for any VDAs which should be accessible by users, and the Sessions view will show the “XD Launched via HostName” column which will contain the name of the StoreFront server used to launch each session.
      • Note: for the full list of metrics and metadata retrieved from the XenDesktop infrastructure, please refer to the Computers and Sessions column reference. For your convenience, all XenDesktop column names are prefixed with “XD ”

     

    Adding a XenDesktop connection

    In order to connect ControlUp to your XenDesktop deployment, you will need to create a XenDesktop site connection in ControlUp Console. The connection will define the address/es of the broker/s from which data will be gathered and the credentials used for data collection and management actions. The following are mandatory prerequisites for adding a XenDesktop connection:

    • XenDesktop 7.5 or later
    • XenDesktop PowerShell SDK installed on all computers running ControlUp Console and Monitor, as well as any computers configured as dedicated data collectors

    Note: It is recommended to configure at least one computer on your network as a dedicated data collector for XenDesktop data, especially in environments in which multiple instances of ControlUp are being used concurrently. For more information on configuring dedicated data collectors for XenDesktop, see below.

    To add a XenDesktop site connection, click on the Add XenDesktop button on the Home ribbon or right-click the root folder of your organization tree and select Add > XenDesktop Site. The Add XenDesktop Site Connection dialog box will be presented.

     

     

    The following details are required:

    • Broker name / IP - enter the full name (FQDN), hostname or IP address of a broker in your XenDesktop site
    • Credentials - use the drop-down to select or add a set of credentials which will be used for data collection from your XenDesktop infrastructure.
      • Note: For more information on configuring ControlUp Monitor for XenDesktop monitoring see below

    Once ControlUp establishes a connection with your XenDesktop site, it will automatically populate the Site Name field with the site’s name and the Brokers Failover List tab with the names of all the broker servers assigned to the XenDesktop site.

      • Note: For more information on optimizing the performance of XenDesktop data collection, see below

     

    Configuring ControlUp Monitor for XenDesktop

    After creating a XenDesktop connection, all ControlUp Monitor instances in your organization will start connecting to the site and retrieving data. In order to avoid conflicts between data collected from different sources, all ControlUp instances in your network are required to use the same credentials for XenDesktop data collection. It is therefore recommended that you create a service account with adequate permissions for your XenDesktop site and save its credentials with all ControlUp instances on your network.

    For the monitor to be able to collect data from the XenDesktop site, all monitor instances must have the credentials you selected when creating the connection.

    To ensure that, please perform the following steps for each installed monitor instance:

    1. Open the XenDesktop connection settings dialog by right-clicking the site connection in the folder tree and clicking Connection Settings.
    2. Note the username configured for XenDesktop data collection.
    3. Double-click a ControlUp monitor instance in the area below the organization tree.
    4. Click the Monitored Resources tab and locate the Name of your XenDesktop site. If its status is Connected, your monitor is communicating with the XenDesktop site. Otherwise, proceed to the next step.
    5. Click Settings… to open ControlUp Monitor configuration wizard
    6. Click Add Credentials Set… and provide the username, password and domain for the user account recorded in step 2 above.

     

    Optimizing XenDesktop Data Collector Performance

    The following step is optional, but strongly recommended in order to ensure optimal performance of the XenDesktop connection.

    By default, when you create a XenDesktop connection in ControlUp, all consoles and monitor instances in your organization will start connecting to it automatically in order to collect information. This may create unnecessary performance overhead, especially if multiple instances of ControlUp Console and Monitor are used in your network. It is a best practice to designate one or more computers in your ControlUp organization to act as dedicated collectors for XenDesktop data.

    To configure dedicated data collectors, open the XenDesktop site connection settings dialog, expand the Data collectors panel and click the Add.. button to select a computer in your ControlUp organization to add as a dedicated data collector for XenDesktop. The following guidelines will help you select an optimal data collector:

    • 1GB of available RAM
    • Uninterrupted connectivity to the XenDesktop site
    • Always on (except for planned maintenance / reboot windows)

    We added the option to view new entities in the console - XenDesktop Site, Brokers and Delivery Groups.

    Focusing on each of the new entities shows the relevant new metrics pulled from the XD connection in the regular folder, computer and sessions views.

    This enabled us to also add a drilldown from unmanaged XD VDAs to their sessions.

    If one of the brokers or VDA machines has an agent deployed, the console will show all available metrics from both the XD site connection and the agent.

     

    We added the ability to calculate the health of each broker in the XenDesktop site.

    The health column calculation is based on a list of services, databases and hypervisors. If all services are available and running, all databases can be reached and all hypervisors are available, the broker’s health is 100%. If one of the parameters is not OK, it reduces the broker’s health by a few percent.

    Each of the parameters that the calculation is based on can be excluded from the registry (by default the % hypervisors available is excluded).

    The Site itself shows an aggregated calculation of what % of brokers are 100% healthy.

     

     

  • My Organization Pane

    The Information Grid is ControlUp’s primary source of information. As such, it is worth spending a few minutes configuring the Information Grid display to your needs.

    Selecting Displayed Columns

    In order to add or remove columns, click on the “Columns” button on the Ribbon Bar. After selecting the desired columns, you can drag and drop the column headers to arrange the data in a way that best suits your needs.

    Note: In the Computers View, the displayed columns are grouped into presets. Whenever you add or remove a column, you are affecting the currently active preset. For more information on column presets please refer to the Column Presets section below.

    Column Presets

    The Computers View includes more than 70 information columns displaying various system data, performance counters, statuses and other important information. Many of these columns are generic and applicable to any type of computer (e.g. CPU utilization or Disk Free Space). However, many of the columns supported by ControlUp are specialized, and are only useful if the displayed computers are running a certain software package.

    Column presets allow you to configure which columns will be displayed for every type of resource you are monitoring. Every folder in the organization can be configured with a column preset which will determine which columns will be displayed when computers in this folder are the only ones displayed in the Computers View. There are two ways to achieve this result:

    1. By focusing on a folder (right-click > Focus in the organization tree). This operation filters all of ControlUp’s records (Sessions, Processes, Accounts and Executables) to include only those resources that reside in the folder on which you have focused.
    2. By drilling into a folder (double-click on a folder record in the Folders View). This operation displays computers residing in the folder you double-clicked, but does not filter other ControlUp views (Sessions, Processes, Accounts and Executables)

    While in the Computers View, you can change the current column preset by clicking on the Columns button menu:

     

    This selection determines the currently displayed columns, but is not saved when you navigate to a different folder or view in ControlUp.

    In order to configure a permanent preset for a folder, use the folder properties. When a new folder is created in ControlUp, it inherits the column preset from its parent folder. Unless otherwise specified, the Default preset is used on the root folder, and is inherited by any child folders you create. After creating a folder, you can right-click it and click Properties, and then select a suitable column preset from the drop-down list. You can also create a new column preset by clicking the “Manage Presets” button near the drop-down list.

     

     

    To create a new preset, choose your selected columns and click on the “Save” button to configure a name for your new preset. From now on, you will be able to select this preset using the Columns drop-down menu or using any folder’s properties.

    Column presets reside in your organization’s public configuration. This means that by changing a column preset you are affecting all other ControlUp users in your organization. However, also note that the order and size of displayed columns is still a private preference, so in case you and your colleagues would like to see different columns in the same preset, just add all the columns you need to the same preset and let every colleague arrange the columns so that only relevant ones are visible.

    Sorting the Information Grid

    The data in the Information Grid can be sorted by any displayed column. Click a column’s header to sort the Information Grid by that column. Click again to change the sorting order. The information grid can also be sorted by multiple columns. To do so, press and hold the Ctrl button while clicking the column headers.

    Searching the Information Grid

    You can search the Information Grid using the Search text box on the right side of the Navigation Bar. The Information Grid will be filtered automatically as you type your search term. It is important to understand that the Search text box looks for the search terms only in a single column, depending on your current view. For example, if you type “Steve” in the Search box while in the Sessions view, the Information Grid will display only those sessions where the “User” field contains “Steve” as a substring.

    Multiple search terms can be entered, separated by “|” (pipe) which serves as a logical OR operator. For instance, when typed in the search text box in the Sessions View, “Steve|John|Mark” will filter the sessions table to include all sessions owned by users with either “Steve”, “John” or “Mark” in their names. (Read more here). When finished searching, click on the X button in the Search box to clear the filter. If not cleared manually, the Search box remembers the search terms for each of ControlUp’s views.

    Column Grouping

    In order to obtain an even more convenient display of your resources, you should try grouping the data in the Information Grid by different columns. To do so, turn on the “Enable Grouping” checkbox on the Display Settings menu of the Home Ribbon. Now you can drag any column to the grouping bar that appears between the Information Grid and the Navigation bar. This can be useful for distinguishing between servers from different vendors or separating active user sessions from disconnected ones. Grouping settings are discarded when you close the console.

    Exporting Data from the Information Grid

    ControlUp console allows you to export the data currently displayed in the Information Grid by clicking the Export button in the Ribbon Bar. The supported export format is XLS (Microsoft Excel). Your column settings and grouping configurations will be preserved in the exported document.

    Scheduled Export

    Using ControlUp, you can schedule a periodic automatic export of data from the information grid to a CSV file. To configure your automatic export settings, go to the Settings Window using the File Menu or the Settings ribbon and select “Export Schedule”. Configure your export settings by adding an export configuration and selecting the source view, time interval and destination to the target file. Please take into account the size of the views you are exporting when planning storage capacity for the export folder.

    Note: The output files can be later used for report generation and historical analysis using ControlUp Reporter. If continuous reporting is sought, it is recommended that you create the scheduled export tasks on a ControlUp Monitor instance. This setup will eliminate the need to keep a ControlUp Console open at all times in order to produce the reports.

  • Remote Desktop Pane

    The Remote Desktop pane of ControlUp serves as a remote connections manager, using the same folder hierarchy you created in the My Organization Pane. ControlUp switches to this pane every time you invoke the “Remote Desktop” action from “My Organization” pane. Besides connecting to computers that belong to your organizational hierarchy, you can also create private RDP connections as outlined below.

    Configuring Remote Desktop Connections

    By default, the Remote Desktop pane contains an RDP connection object for every computer you have connected to using the My Organization Pane. New connections can be added by right-clicking a folder and selecting “Add > RDP Connection” or by using the “Add Machine” button on the Command Bar.

    Private vs. Public RDP Connections

    When working in Enterprise Mode, RDP connections you create under the root folder named after your ControlUp organization are automatically replicated to your colleagues, just like machines you add in “My Organization” pane. If you would like to remember an RDP connection for yourself only, create it under “My Rdp Connections” folder. Connections created in this folder are private and do not get replicated.

    When working in Standalone Mode, all RDP connections you create are always private, just like computers you add to the tree in “My Organization” pane.

    Every connected computer in the My Organization Pane has a corresponding RDP connection object in the Remote Desktop pane. The opposite, however, is not necessarily true. When an RDP connection is created manually in the Remote Desktop pane, no changes are made to the My Organization Pane. Therefore, you should manually create RDP connections if you don’t want (or cannot) connect to these computers using ControlUp. You can also create several connections to the same computer (e.g. with different credentials or using different display settings) using the Remote Desktop pane.

    Connection Properties Inheritance

    RDP connection objects are configurable in a way similar to Microsoft Remote Desktop Connection (mstsc.exe). By default, all RDP connections in this pane inherit their settings from their parent folder. Therefore, if you configure and save your connection credentials in the properties of a folder in the hierarchy, you will be able to establish all of the child RDP connections without entering your password again. To do so, right-click a folder in the hierarchy, click Properties and then select a saved credentials set using the drop-down menu. If this menu is unavailable, clear the “Inherit settings from parent folder” checkbox.

    When established, every RDP connection opens a new tab in the Remote Desktop pane. You can switch between these tabs and close them to disconnect active sessions. The “Connections” tab is always available in the Remote Desktop pane. In this tab you may sort, search, group, and edit your RDP connections in a grid view similar to the grid used in “My Organization” pane.

  • Controllers Pane

    The Controllers Pane is an advanced management interface which allows systems administrators to handle multiple computers in parallel while being able to compare and manage Windows registry, services, file system, and installed software. If you need to investigate an irregularity or a misconfiguration, you will find that Controllers offer a unique aggregated view of your computers and allow you to manage many computers with the ease of managing a single one. The following Controllers are available:

    • Registry Controller – for comparing and managing the Windows Registry on multiple computers or user sessions simultaneously. For a usage example, see this demo video.
    • Services Controller – for comparing and managing the Windows Services on multiple computers simultaneously. For a usage example, see this article or this demo video.
    • File System Controller – for comparing and managing files and folders from the perspective of multiple managed computers or user sessions simultaneously.
    • Programs and Updates Controller – for comparing installed programs on multiple computers.
    • Shares Controller – for comparing and managing files on shared folders in your enterprise (not necessarily on computers already managed by ControlUp).

    Registry Controller and Programs and Updates Controller may reference either computers or user sessions, depending on your selection in the Controllers tree on the left. Both of these types of instances are called Targets. Services Controller and File System Controller only reference computers (since user sessions do not have their own Services or File System) and Shares Controller references UNC paths on file servers in your organization.

    Exporting Results from the Controllers Pane

    The Export to Excel button located on the Home ribbon of the Controllers pane enables you to export the comparison results into an XLSX file. Only the rightmost Results grid is exported.

    Controllers Lists

    Controllers allow you to save lists of managed computers for future reuse. User session lists cannot be saved since they are temporary and volatile. For example, you might save a list of file servers which you frequently check for irregularities or differences. These lists are managed using the “Manage Lists” button.

    Services Controller

    The Services Controller is an advanced utility that enables controlling Windows services on a remote computer or on multiple computers simultaneously. If you select multiple computers and launch the Services Controller, you will be presented with an aggregated view of the services from all of the selected computers.

    The system services can then be browsed in a way similar to the standard Windows Services console. In order to emphasize the differences between the services configurations of different computers or users, the Services Controller uses the following color coded icons:

    In the Comparison Charts area on the right side of the Services Controller you can view the details of the differences listed above, for example the state of the selected services on the target computers.

    Adding operation targets

    You can add targets to the ControlUp Services Controller by using the “Add Target” button in the menu bar. You can only add computers that are currently connected to ControlUp.

    Removing operation targets

    In order to remove a computer from the Controller view, right-click the computer in the “Computers” panel and select “Remove”.

    Search Services

    Services Controller allows searching the selected computer(s) for services with a specified name by using the Search button in the toolbar.

    Services Actions

    The Services Controller allows you to start, stop and modify Windows Services just like you would using the Services MMC snap-in.

    If you select a service in the rightmost grid of the controller, your action will affect a single service instance on one computer. If you select a service in the middle panel, the action will ask you which of the computers you would like to be affected. The following management actions are available by right-clicking a service or by using the Actions button on the Ribbon Bar:

    Start Service

    Starts the selected service(s) on the target computer(s).

    Stop Service

    Stops the selected service(s) on the target computer(s).

    Pause Service

    Pauses the selected service(s) on the target computer(s).

    Edit Service Properties

    Enables batch modification of service(s) properties on the target computers. Using this action, you can modify the start type and logon information for a service or multiple services at once on multiple computers.

    Registry Controller

    The Registry Controller is an advanced utility that enables viewing and editing the registry on multiple computers simultaneously. If you select multiple computers and launch the Registry Controller, you will be presented with an aggregated view of the HKEY_LOCAL_MACHINE hives from all of the selected computers.

    If you select multiple user sessions and launch the Registry Controller, you will be presented with an aggregated view of the HKEY_CURRENT_USER hives from all of the selected sessions.

    The registry tree can then be browsed in a way similar to the standard Windows Registry Editor. In order to emphasize the differences between the registry configurations of different computers or users, the Registry Controller uses the following color coded icons:

    In the Comparison Charts area on the right side of the Registry Controller you can view the details of the differences listed above, for example the data of the same registry value on different computers.

    Adding targets

    You can add targets to the ControlUp Registry Controller by using the “Add Target” button in the menu bar. The “Add Target” wizard will guide you through the process of adding computer or user hives to the Controller.

    The Registry Controller is capable of managing the following targets:

    1. HKEY_LOCAL_MACHINE hives of the computers connected in ControlUp console

    2. User Profiles currently loaded on the computers connected in ControlUp console

    Note: Only targets of the same kind can be added to the Controller simultaneously. In other words, user hives cannot be compared to computer hives.

    Removing operation targets

    In order to remove a hive from the Controller view, right-click the computer/user in the “Computers” or “Users” panel and select “Remove”.

    Search Registry

    With ControlUp’s Registry Controller you can search the registry on selected computer/user hives using configured search pattern. Expand the Targets pane to select individual targets for this operation.

    Registry Actions

    The Registry Controller allows you to manipulate the Windows Registry just like you would using Windows Registry Editor (regedit.exe).

    If you select a registry value or a key in the rightmost grid of the controller, your action will affect a single target’s registry. If you select a registry key or a value in the middle panel, the action will ask you which of the targets you would like to be affected. The following management actions are available by right-clicking a registry key or value or by using the Actions button on the Ribbon Bar:

    Create Key

    Creates a key with the specified name in the selected computer/user hives. Expand the Targets pane to select individual targets for this operation.

    Delete Key

    Deletes the selected key in the selected computer/user hives. Expand the Targets pane to select individual targets for this operation.

    Rename Key

    Renames the selected key in the selected computer/user hives. Expand the Targets pane to select individual targets for this operation.

    Copy/Move Key

    Copies or moves a key within the selected computer/user hives. For example, you can copy the Software\Policies key to Software\Policies_old in order to create a backup of this key. Copying keys and values between computers is supported using the Distribute action (see below). Expand the Targets pane to select individual targets for this operation.

    Distribute

    Copies or moves a key between computer/user hives. You can copy a key from one computer to another or to multiple computers, or from a single user’s hive to one or more other users’ hives. Expand the Targets pane to select the source and target/s for this operation.

    Create Value

    Creates a value with specified type, name and data on the selected computer/user hives. Expand the Targets pane to select individual targets for this operation.

    Delete Value

    Deletes the selected value in the selected computer/user hives. Expand the Targets pane to select individual targets for this operation.

    Rename Value

    Renames the selected value to the configured name in the selected computer/user hives. Expand the Targets pane to select individual targets for this operation.

    Modify Value Data

    Modifies the selected value’s type and name in the selected computer/user hives, while overwriting all existing data in the selected value. Expand the Targets pane to select individual targets for this operation.

    File System Controller

    The File System Controller is an advanced utility that enables viewing and manipulating the local file system on a remote computer or on multiple computers simultaneously.

    If you select multiple computers and launch the File System Controller, you will be presented with an aggregated view of the local fixed drives from all of the selected computers. Network drives and removable media are not displayed.

    The file system tree can then be browsed in a way similar to the standard Windows Explorer. In order to emphasize the differences between the file systems of different computers, the File System Controller uses the following color coded icons:

    In the rightmost grid of the File System Controller you can view the details of the differences listed above, for example information about files in the same directory on different computers.

    Note: The File System Controller presumes that files with the same name, attributes, size and modification time are identical. You should not rely on the File System Controller to compare the contents of the files.
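    The note above matters when a file has been altered on one computer without changing its size or timestamp. The following is an added example, not ControlUp code: it hashes copies of a file after they have been collected into one folder (for instance with the Gather action) and reports the copies whose content differs. The computer names, the file name and the `COMPUTER_filename` naming are assumptions made for the sample.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path


def metadata_key(path):
    """Size and modification time: what a metadata-only comparison can see."""
    st = os.stat(path)
    return (st.st_size, int(st.st_mtime))


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(paths):
    """Group the copies twice: by metadata and by content digest."""
    by_meta, by_hash = defaultdict(list), defaultdict(list)
    for path in paths:
        name = Path(path).name
        by_meta[metadata_key(path)].append(name)
        by_hash[sha256_of(path)].append(name)
    return dict(by_meta), dict(by_hash)


def find_outliers(by_hash):
    """Names of copies whose content differs from the most common digest.

    With an even split there is no majority; review every group in that case.
    """
    if not by_hash:
        return []
    majority = max(by_hash, key=lambda d: len(by_hash[d]))
    return sorted(n for d, names in by_hash.items() if d != majority for n in names)


def build_demo(directory):
    """Constructed sample: three copies of one file, one of them altered
    while keeping the same size and modification time."""
    fixed_mtime = 1700000000  # constructed timestamp shared by all copies
    samples = {
        "SRV01_app.config": b"LogLevel=Info\nAllowRemote=0\n",
        "SRV02_app.config": b"LogLevel=Info\nAllowRemote=0\n",
        "SRV03_app.config": b"LogLevel=Info\nAllowRemote=1\n",  # same length
    }
    paths = []
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as handle:
            handle.write(content)
        os.utime(path, (fixed_mtime, fixed_mtime))
        paths.append(path)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        by_meta, by_hash = compare_copies(build_demo(workdir))
        print("metadata groups:", len(by_meta))
        print("content groups: ", len(by_hash))
        print("differing copies:", find_outliers(by_hash))
```

    All three sample copies fall into one metadata group, while the content digests split them into two groups and single out the altered copy.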

    Adding operation targets

    You can add targets to the ControlUp File System Controller by using the “Add Target” button in the command bar. The “Add Target” window will guide you through the process of adding your operation target(s).

    Removing operation targets

    In order to remove a computer from the Controller view, right-click the computer in the “Computers” panel and select “Remove”.

    File System Controller Folder Actions

    Actions available in the File System Controller allow you to manipulate files and folders using the selected computer(s). All file actions are carried out on the target computer, which means that the paths and filenames you provide must be valid ON the target computer.

    All file actions are performed using the Local System account on the target computer. This is a highly privileged account, so you are unlikely to encounter a permissions issue when performing local file operations. However, make sure to provide valid domain credentials when using network (UNC) paths or network drives, since the Local System account does not have access to the network.

    The following actions are available when right-clicking a folder in the “Folders” area:

    Create Folder – Creates a folder in the selected path on all selected computers

    Delete Folder – Deletes the selected folder and all its contents on all selected computers

    Rename Folder – Renames the selected folder on all selected computers

    Copy/Move Folder – Performs a local copy or move operation on the selected folder within all of the selected computers. Please note that during this operation no data is copied between computers.

    Send Files Here – Copies files or folders from your management computer or a network location to the specified folder on all selected computers.

    Gather – Copies the selected folders from all of the selected computers to a specified location, while prepending the folder names with source computer names.

    Edit Folder Attributes – Toggles the “Hidden” folder attribute on all of the selected computers.

    Permissions > Add – Adds an Access Control Entry for a specified account to the security descriptor of the folder on all selected computers.

    Permissions > Revoke – Removes an Access Control Entry for a specified account from the security descriptor of the folder on all selected computers.

    Permissions > Replace – Modifies Access Control Entries for the specified account in the security descriptor of the folder on all selected computers.

    Permissions > Migrate – Replaces occurrences of a specified account with another account in the security descriptor of the folder on all selected computers

    Set Owner – Modifies the NTFS folder ownership on all selected computers

    Folder Size – Calculates the sizes of all instances of the selected folder on all selected computers.

    Refresh – Reloads the aggregated directory content data for the selected folder

    File System Controller File Actions

    The following actions are available when right-clicking files in the “Files” area:

    Delete File – Deletes the selected file(s) on all selected computers

    Rename File – Renames the selected file on all selected computers

    Copy/Move File – Performs a local copy or move operation on the selected file within all of the selected computers. Please note that during this operation no data is copied between computers.

    Edit File Attributes – Toggles the “Archive”, “Read Only” and “Hidden” file attributes on all of the selected computers.

    Gather – Copies the selected files from all of the selected computers to a specified location, while prepending the file names with source computer names.

    Set Owner – Modifies the NTFS file ownership on all selected computers

    Permissions > Add – Adds an Access Control Entry for a specified account to the security descriptor of the file on all selected computers.

    Permissions > Revoke – Removes an Access Control Entry for a specified account from the security descriptor of the file on all selected computers.

    Permissions > Replace – Modifies Access Control Entries for the specified account in the security descriptor of the file on all selected computers.

    Permissions > Migrate – Replaces occurrences of a specified account with another account in the security descriptor of the file on all selected computers

    Refresh – Reloads the aggregated directory content data for the selected folder

    Programs and Updates Controller

    The Programs and Updates Controller is an advanced utility that enables viewing a list of installed software and updates on multiple computers simultaneously. If you select multiple computers and launch the Programs and Updates Controller, you will be presented with an aggregated view of the software packages and updates from all of the selected computers.

    Installed programs and updates can be browsed in a way similar to the standard Windows “Programs and Features” or “Add/Remove Programs” control panel applet. In order to emphasize the differences between software installed for different computers or users, the Programs and Updates Controller uses the following color-coded icons:

    The “Programs” folder in the middle panel includes an aggregated view of installed software, while the “Updates” folder includes updates for the Operating System and third-party components. You may use the Search button in the Ribbon Bar to search for programs and compare the results in the rightmost panel of the Controller.

    Currently, the Programs and Updates Controller does not support management actions and only includes read functionality.

    Shares Controller

    The Shares Controller is functionally similar to the File System Controller and includes the exact same management actions. The major difference is in the fact that the Shares Controller references UNC paths (in the form of \\servername\sharename), while the File System Controller references local file system paths on computers managed by ControlUp. This difference influences the operation of the Shares Controller in two aspects:

    1. You can add any file system path to the Shares Controller, as long as it is accessible to you. The share paths need not be located on computers that you added to ControlUp. They can be located on any SMB-compatible file server or workstation capable of sharing folders for Windows.
    2. In the Shares Controller, all available management actions are performed by the ControlUp console, while the File System Controller performs most of the actions in the context of the managed computers.
  • Incidents Pane

    ControlUp’s Incidents Pane is a viewer for incidents that were recorded in your organization based on incident triggers. Using this pane you can conduct retrospective investigations on various incidents, such as changes in Stress Level, user activity, Windows Events, and more. Every incident is recorded based on a trigger. A trigger, configured in ControlUp either manually or with the help of ControlUp Cloud Analytics, generates an incident whenever its conditions are met. Regardless of the follow-up actions you may configure (e.g. send an e-mail alert), ControlUp will always record the incident in a database for later retrieval. The Incidents Pane is the place where all incidents can be searched, sorted and grouped for trending analysis and troubleshooting purposes.

    A few important clarifications for an easy start with the Incidents Pane:

    • The Incidents Pane is not available in Offline Mode. Offline users of ControlUp will see the Incidents Pane button as greyed out (this will also happen briefly following Fast Login).
    • Incident triggers are configured using the Triggers Settings window. That’s the place where you can control which incidents will be recorded by ControlUp.
    • The Incidents Pane is read-only and intended for viewing the incidents and performing data analysis by filtering, sorting and grouping data.
    • The default retention period for incidents is 14 days and every organization is limited to 1000 incidents per day by default. Please contact us if you feel like these are not enough for your organization.
    • Incidents are stored securely using ControlUp Cloud Services, subject to ControlUp privacy policy.

    Searching and Filtering the Incidents Grid

    Here are some ways in which you can use the incidents grid in order to locate interesting data:

    • The Filter / Search box locates incident records by searching all data fields (try computer names, user names or any other strings that might appear in the incidents, like parts of a Windows Event text).
    • Each row in this grid can be double-clicked to focus on a specific incident type. You can always come back to the home page by clicking on the Home button or by clicking on Back (<) on the navigation bar.
    • The time range slider can be adjusted to display events that happened during a specified time range.
    • Click a folder or a computer in the organization tree to show incidents for that folder or computer.

    All of the filtering options above instantly affect the information grid, causing it to recalculate the distributions. If the grid is filtered by any of those methods, the navigation bar will be highlighted in orange until all filters are cleared.

    The Incidents Home Page

    The Incidents home page is an information grid showing all available incident categories, along with their distribution over time. Its purpose is to provide a summary of incident history in your ControlUp organization. Every row in this grid represents a distinct incident category, like “Computer Stress” or “Windows Event”. Events are separated into these categories because every category has a distinct set of data fields. For example, a “Computer Stress” incident cannot be displayed in the same table as a “Session State Changed” incident since they do not have the same properties.

    The Incidents home page includes the following columns:

    • Graph column – shows the relative distribution of every event type over time, during the retention period (14 days by default). The leftmost bar in each graph represents the number of incidents logged on the first day of this period, and the rightmost bar represents the number of events logged today. By default, the graph is sorted by this column, which makes the most populated incident categories appear on top.
    • Incident type – the incident category name.
    • Last incident on – the time of the last incident recorded in this category.
    • Last hour, Last day, Last X days (14 by default) – a count of incidents within the category for the respective time frame.

    In order to research incidents in a particular category, double click that category’s row.

    Incidents Category View

    After double-clicking any row in the Incidents home page, you arrive at this view, which shows all incidents of the selected type (for example, Computer Stress). Please note that any filters previously applied on the Incidents home page will remain active, as indicated by the orange highlight of the navigation bar.

    This view includes the same columns as the Incidents home page. In addition, all data fields of the selected incident type are available for display. To add a column, click on its name in the side bar on the right.

    For example, here we’ve added the “Counter” column to the Computer Stress incidents view. Once added, this column becomes part of the grouping logic of the incidents grid, dividing it into all unique combinations of the selected field values. If you originally had 10 computers in the Computer Stress view, adding the “Stress Level” column will divide every computer row into all existing values of the Stress Level column on that computer (to a maximum of 10*4=40 rows, if every computer has triggered all possible stress levels).

    Multiple columns can be added using the same method. This is a powerful data mining feature, which enables you to identify the most common factors contributing to incidents in your organization. For instance, in Computer Stress Level events the “Counter” column shows the specific counters responsible for each Stress Level incident. When added to this view together with the “Computer Name” column, the default sorting should highlight the specific resource that causes the most Stress Level events (e.g. Memory Utilization on Server1).

    Double-clicking on a row in this table will switch the grid to the Individual Incidents view.

    Individual Incidents View

    This view’s purpose is to display the separate occurrences of any incident recorded by ControlUp. Unlike the other views in the Incidents Pane, every row in this view is not a summary, but an individual incident.

    For every incident, all recorded details are displayed (see column reference below). In addition, this view includes the “Trigger” column which links to the trigger that caused every incident to be recorded, so that you can easily tune the relevant incident triggers. Please note that the trigger causing a particular event may have been deleted since the incident was recorded. In this case the “Trigger” column will show “<trigger deleted>”.

    Incidents Pane Column Reference

    Home Page Columns

    Column name – Description
    Incident type – The incident category, as configured when creating the incident trigger.
    Last incident on – The time of the last incident recorded in this category.
    Last hour, Last day, Last X days (14 by default) – A count of incidents within the category for the respective time frame.

    Incidents Category View Columns

    Column name – Description
    Incident type – The incident category, as configured when creating the incident trigger. Events are separated into these categories because every category has a distinct set of data fields. For example, a “Computer Stress” incident cannot be displayed in the same table as a “Session State Changed” incident since they do not have the same schema.
    Last incident on – The time of the last incident recorded in this category.
    Last hour, Last day, Last X days (14 by default) – A count of incidents within the category for the respective time frame.

    Columns available in the “Folder Stress” category
    Stress Level – The Stress Level severity recorded during the incident
    Folder – The name of the folder in your ControlUp organization
    Trigger – The name of the trigger that caused the incident to be recorded (links to the trigger’s settings). Could be empty if the trigger has been deleted.
    Counter Name – The ControlUp column responsible for the increase in the computer’s Stress Level

    Columns available in the “Hosts Stress” category
    Stress Level – The Stress Level severity recorded during the incident
    Folder – The name of the folder in your ControlUp organization
    Trigger – The name of the trigger that caused the incident to be recorded (links to the trigger’s settings). Could be empty if the trigger has been deleted.
    Counter Name – The ControlUp column responsible for the increase in the computer’s Stress Level
    Host Name – The name of the affected virtualization host
    Hypervisor Type – The hypervisor platform vendor
    Version – The version number of the hypervisor platform
    Installed Memory – The amount of physical RAM installed on the host

    Columns available in the “Computer Stress” category
    Computer – The name of the computer on which the incident has occurred
    Folder – The name of the ControlUp organization tree folder in which the computer resides
    Trigger name – The name of the trigger that caused the incident to be recorded (links to the trigger’s settings). Could be empty if the trigger has been deleted.
    Manufacturer – The hardware manufacturer of the stressed computer
    Model – The hardware model of the stressed computer
    OS – The operating system of the stressed computer
    Service Pack – The OS service pack installed on the stressed computer
    Counter – The ControlUp column responsible for the increase in the computer’s Stress Level
    System Type – The system bitness (x86/x64) of the stressed computer
    CPU Count – The number of CPUs installed on the stressed computer
    Total Memory Installed – The amount of physical memory on the stressed computer
    Uptime Group – The uptime of the stressed computer, categorized (1 hour – 1 day, 1 day – 1 week, 1 week – 1 month)
    Stress Level – The Stress Level severity recorded during the incident
    Session Count – The number of user sessions established on the stressed computer, categorized (0-2, 3-5, 6-10, etc.)
    Domain Role – The domain role of the stressed computer
    Host Name – For a virtual machine, the name of the hypervisor host on which the machine was running at the time of the incident
    Hypervisor Type – For a virtual machine, the vendor of the hypervisor host

    Columns available in the “Session Stress” category
    Account Name – The user account name of the stressed session
    Account Domain – The user account domain of the stressed session
    Computer – The computer on which the stressed session was hosted
    Folder – The ControlUp organization folder in which the computer hosting the session resides
    Counter – The ControlUp column responsible for the increase in the session’s Stress Level
    Trigger name – The name of the trigger that caused the incident to be recorded (links to the trigger’s settings)
    Client name – The name of the client computer from which the stressed session has been established
    Session state – The state of the user session at the time of the incident
    Initial program – The program configured to start when the session is initialized (or published application)

    Columns available in the “Process Stress” category
    Image name – The name of the stressed process
    EXE version – The version number of the stressed process
    Product name – The product name of the stressed process
    Product version – The product version number of the stressed process
    Manufacturer – The manufacturer of the stressed process
    User name – The name of the user who launched the process
    Description – The description of the stressed process
    Computer – The computer on which the stressed process was executed
    Folder – The ControlUp organization folder in which the computer hosting the stressed process resides
    Command line – The command used to launch the process, including the full path and command-line arguments
    Priority – The base CPU priority of the stressed process
    Created time – The creation timestamp of the stressed process’s executable file
    Modified time – The last modification timestamp of the stressed process’s executable file

    Columns available in the “Account Stress” category
    Account name – The name of the user account
    Account domain – The AD domain name of the user account
    Total sessions – The total number of sessions established using the user account
    Total processes – The total number of processes executed using the user account
    Stress Level – The Stress Level severity recorded during the incident

    Columns available in the “Executable Stress” category
    Image name – The name of the process executable
    Total processes – The number of process instances for the executable
    EXE version – The EXE version of the executable file
    Stress Level – The Stress Level severity recorded during the incident

    Columns available in the “Windows Event” category
    Event log – The name of the Windows Event Log in which the event was logged
    Event type – The type of the event – Error, Warning, Information, Audit Success / Failure
    Event ID – The event ID number
    User – The User field as logged in the event
    Computer – The Computer on which the event was logged
    Full message – The full text of the event
    Event source – The source of the event
    Raw message – The raw message text of the event (without substituted parameters)
    Folder – The ControlUp organization folder in which the computer that logged the event resides

    Columns available in the “Process Started” category
    Image name – The name of the started process
    Image version – The executable version of the started process
    Command line – The command used to launch the process, including the full path and command-line arguments
    User – The user who launched the process
    Computer – The computer on which the process was launched
    Folder – The ControlUp organization folder containing the computer on which the process was started

    Columns available in the “Process Ended” category
    Image name – The name of the ended process
    Image version – The executable version of the ended process
    Command line – The command used to launch the process, including the full path and command-line arguments
    User – The user who launched the process
    Computer – The computer on which the process ended
    Folder – The ControlUp organization folder containing the computer on which the process ended
    Exit code – The exit code recorded when the process ended

    Columns available in the “User Logged On”, “User Logged Off” and “Session State Changed” categories
    User name – The user name of the established session
    Machine name – The computer hosting the session
    Initial program – The program configured to start when the session is initialized (or published application)
    Session ID – The session ID number

    Columns available in the “Session State Changed” category (in addition to the above)
    From state – The session state before the change
    To state – The session state after the change

    Columns available in the “Computer Down” category
    Computer – The name of the computer disconnected from monitoring
    Action – The reason for disconnection
    Error description – The description of the error that led to disconnection
    Folder – The ControlUp organization folder containing the computer
  • Events Pane

    By default, the Events pane provides a real-time aggregation display of selected events from your connected computers’ Windows System, Application and Security event logs. You may monitor any number of additional event logs by clicking on the “Add an Event Log” button in the Home ribbon and typing the name of the log you would like to add. The log name you enter must exactly match the log name on the computer you want to monitor. Additionally, the log file must be in the standard format. ControlUp does not yet support the Applications and Services Logs in newer versions of Windows.

    The following event types can be collected:

    1. Error events
    2. Warning events
    3. Failure Audit events

    Note: In order to collect and investigate windows events of other types (such as Information or Success Audit), or to enable long-term storage of event details for later analysis, it is recommended that you create a trigger of type Windows Event and configure a filter to include the events of interest. As those events occur, incidents will be recorded and become available for investigation using the Incidents pane.

    Events are preserved in the Events pane for a retention period that can be configured in the Command Bar. (Default event retention period is set to 60 minutes).

    The following actions are available when right-clicking on events:

    Filtering Events

    Using the Events Settings button from the Home ribbon bar (or the Events tab in the Settings window), you can configure parameters according to which the events will be displayed. The following filtering methods are available:

    • Excluded Events: by adding an Event Log Filter Rule here, you are setting a condition which, if matched, will cause the event to be ignored. For example, setting a rule which specifies Event ID 33 will drop all future events with the ID number of 33 from the console.
    • Event type. You can choose to ignore errors, warnings, and/or audit failure events.
    • Frequent Events Filter. By default, ControlUp is configured to ignore events that appear repeatedly for a configured number of times during the event retention period. The default value is 100, so by default an event that appears a hundred times within an hour will fall under the “Frequent Events Filter” category and will no longer be reported. When an event reaches this threshold, you will see a pop-up notification in the bottom left corner of the ControlUp console. This notification may be hidden by using the “Disable Frequent Event Filter Notifications” checkbox.

    Note: If you turn off the default Frequent Event Filter, your ControlUp console may accumulate a large number of events, which may dramatically increase the amount of RAM consumed by the console. You may mitigate this condition by clearing events or by decreasing the Event Retention Period.

    Note: The above filtering mechanisms only affect future events. In order to remove unneeded events from the current view, use the Clear or Clear All buttons on the Command Bar.
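
    The three filters above can be modelled in a few lines to see what the Events pane ends up showing. This is an added example, not ControlUp code: the `Event` fields, rules that match on Event ID only, and counting repeats per log, source and Event ID are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Event types the Events pane collects, per the list above.
COLLECTED_TYPES = {"Error", "Warning", "Failure Audit"}


@dataclass(frozen=True)
class Event:
    minute: float     # minutes since the start of the constructed timeline
    log: str
    source: str
    event_id: int
    event_type: str


@dataclass
class EventSettings:
    excluded_ids: Set[int] = field(default_factory=set)   # Excluded Events, by ID only
    ignored_types: Set[str] = field(default_factory=set)  # "Event type" filter
    frequent_filter: bool = True
    frequent_threshold: int = 100     # default stated on the page
    retention_minutes: float = 60.0   # default stated on the page


def filter_events(events: Iterable[Event],
                  cfg: EventSettings) -> Tuple[List[Event], Dict[str, int]]:
    """Return (events shown, number of dropped events per reason)."""
    shown: List[Event] = []
    dropped: Dict[str, int] = defaultdict(int)
    recent: Dict[Tuple[str, str, int], Deque[float]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.minute):
        if ev.event_type not in COLLECTED_TYPES:
            dropped["type not collected"] += 1
            continue
        if ev.event_type in cfg.ignored_types:
            dropped["event type filter"] += 1
            continue
        if ev.event_id in cfg.excluded_ids:
            dropped["excluded rule"] += 1
            continue
        # Assumption: repeats are counted per (log, source, Event ID) over a
        # sliding window as long as the retention period, dropped ones included.
        window = recent[(ev.log, ev.source, ev.event_id)]
        while window and ev.minute - window[0] >= cfg.retention_minutes:
            window.popleft()
        window.append(ev.minute)
        if cfg.frequent_filter and len(window) > cfg.frequent_threshold:
            dropped["frequent events filter"] += 1
            continue
        shown.append(ev)
    return shown, dict(dropped)


def sample_events() -> List[Event]:
    """Constructed timeline: a noisy audit failure, an excluded ID, and others."""
    auditing = "Microsoft-Windows-Security-Auditing"
    burst = [Event(i * 0.2, "Security", auditing, 4625, "Failure Audit")
             for i in range(150)]                       # 150 repeats in 30 minutes
    excluded = [Event(5 + i, "Application", "SampleSource", 33, "Error")
                for i in range(3)]
    info = [Event(10 + i, "System", "SampleSource", 7000 + i, "Information")
            for i in range(2)]
    other = [Event(12, "System", "SampleSource", 9001, "Warning"),
             # Same audit failure again, after the earlier burst has aged out.
             Event(120, "Security", auditing, 4625, "Failure Audit")]
    return burst + excluded + info + other


if __name__ == "__main__":
    shown, dropped = filter_events(sample_events(), EventSettings(excluded_ids={33}))
    print(len(shown), "shown;", dropped)
```

    In this model the first 100 occurrences of the repeated event are shown and the next 50 are dropped, so the pane's count for a noisy event understates how often it actually occurred.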

    Event Actions

    Add to Filter

    The selected event’s details will be used to create a new filter rule to prevent similar events from appearing in the Events pane. You will be presented with a configuration window in which you will be able to customize the rule before applying it.

    Remove from this View

    The selected event(s) will be removed from the current view. This will not prevent similar events from appearing in the Events pane in the future.

    Search In: (Google, EventID, Microsoft TechNet)

    Right-clicking on an event and selecting “Search In” will enable you to conduct online research using selected search engines with the details of this event. Internet connectivity is required for this feature.

    Remote Desktop to Computer

    Use this action to switch to the Remote Desktops pane and establish a Remote Desktop connection to the computer from which the selected event originated.

    Launch Event Viewer

    Use this action to open the Windows Event Viewer while connecting to the machine on which the event originated.

    Note: This action requires RPC access to the managed computer(s) and administrative privileges on these computer(s). You might not be able to display the events on computers which do not meet these prerequisites.

  • Security Policy Pane

    The Security Policy pane is a user interface which allows ControlUp users within the same organization to delegate administrative tasks by configuring a Security Policy. ControlUp’s Security Policy is a collection of settings that determines which actions can be performed by each ControlUp user. These settings may be different for every folder in the Organization Tree, which allows for segmenting your environment into distinct areas of responsibility.

    Note: for a brief beginner’s guide to the ControlUp Security Policy, please refer to the Secure Your Organization chapter.

    ControlUp’s Security Policy is dependent upon the Central Configuration Store which is enabled in Enterprise Mode only. In Standalone Mode the Security Policy pane is disabled. For more information regarding ControlUp modes please refer to the “Choose Your ControlUp Mode” chapter.

    Note: As a security precaution, you will not be able to modify the Security Policy if you have been disconnected from the Central Configuration Store for more than 24 hours. Should you wish to limit your organization’s maximum offline period even further, please contact support@controlup.com.

    Organization Ownership and User Roles

    Each ControlUp Organization has a designated owner record, which initially contains the identity of the user who first created this organization. The Organization Owner is a Windows user or group account that permanently possesses the ability to change permissions. Regardless of the changes to the Security Policy, the Organization Owner will always be able to reset the Security Policy to its default settings. You can view the current owner for your organization by clicking the “Manage Roles” button on the Home ribbon of the Security Policy pane:

    Upon initial configuration of the ControlUp Security Policy, it is recommended that you configure a restricted Active Directory group as an organization owner. This way you will always have the ability to reset ControlUp’s Security Policy to factory settings, even if the user who originally created the organization cannot be contacted any longer.

    ControlUp evaluates administrative permissions according to your currently logged on Windows account. Every ControlUp organization contains a list of roles which determine the actions allowed for each role member. Every ControlUp role has to include at least one Windows user or a security group. By default, the Security Policy includes the following user roles:

    • Organization Members – all authenticated ControlUp users in your organization.
    • Local Admins – Windows users with local administrative permissions on the managed computers.

    These built-in roles are special in the sense that they cannot be deleted or have their membership modified using ControlUp.

    The Security Policy pane features a permissions grid, which contains a column for every role and a row for every management action:

    New roles may be created by a Roles Manager, which is a built-in right initially granted to the organization’s owner. Upon initial configuration of ControlUp Security Policy, it is recommended that you configure a restricted Active Directory group as a Roles Manager. Custom roles are created and managed using the “Manage Roles” button on the Home ribbon of the Security Policy pane:

    To create a custom ControlUp role:

    1. Open the “Manage Roles” screen (using the Home ribbon in the Security Policy pane, or using the “Security Policy Settings” button on the Settings ribbon, or using File menu > Settings > Security Policy)
    2. Click on “Add New Role” (If the button is greyed out, please ensure your currently logged on Windows user account is a member of the “Roles Manager” group)
    3. Type a descriptive role name, such as “Help Desk Users”
    4. Click on “Add Users/Groups” and select the appropriate users or groups from Active Directory domains available to you. Please note that by default, ControlUp only displays group accounts in the search box. In order to display individual user accounts, please select the “Users and Groups” radio button.

    After your custom role is created, you should see a new column with the role’s name appear to the right of the existing role columns.

    Permissions for Management Actions

    The rows in the permissions grid correspond to management actions, which are divided into the following groups:

    1. Perform organization-wide actions
    2. Run computer actions
    3. Run session actions
    4. Run processes actions

    For more details regarding particular permissions, please refer to the “Action Permissions” section below.

    Ultimately, every ControlUp user may be either allowed or denied access to the management action, depending on their role membership and the location of the managed resource in the organization tree. Every cell in the permissions grid may be in one of the following states:

    “Allow” – users in the current role are allowed to run the action, unless they are also members of another role which is configured with a “Deny” entry.

    “Not Set” – users in the current role are not allowed to run the action, unless permitted by another role.

    “Deny” – users in the current role are never allowed to run the action.

    For example, by default, a member of the “Local Admins” role is allowed to perform all computer actions on all computers in the organization. This permission is granted since the “Local Admins” role has an “Allow” permission on all computer actions for the root folder, and all subfolders inherit this permission.

    Note: the “Apply” button on the Home ribbon of the Security Policy pane commits your changes to the Central Configuration Store. Until this button is clicked, any changes to the Security Policy are not applied.

    Security Policy Inheritance

    When a ControlUp Organization is first created, the default Security Policy is configured on the root folder of the organization, which bears the organization’s name.

    Configuring Security Policy for Subfolders

    By default, all of the subfolders under the root folder in your organization tree inherit their Security Policy from the root folder. A marked “Inherit” checkbox near each permission in the grid signifies this. If you would like the Security Policy of a subfolder to be different from its parent folder, you should uncheck this checkbox for the selected permission row.

    Once the “Inherit” checkbox is unchecked, you will see a blue “i” sign on the folder, indicating that part of its Security Policy is no longer inherited from the parent folder:

    In the above example, the “Chat” permission for the “CU Lab” folder is not inherited from its parent folder, hence the blue “i” icon in the organization tree.

    Granting Permissions

    In order to grant a ControlUp user permissions for a management action, you will need the following details:

    Folder name – the name of a folder in the organization tree, which contains resources on which you would like to grant the permission. Select the root folder if you would like to grant permissions on computers in the entire organization, otherwise select a subfolder (e.g. Workstations). Note: You may also grant permissions on individual computers by selecting them in the organization tree. However, for manageability reasons it is recommended that you grant permissions on folders only.

    Role name – the name of a built-in or custom role to which the user belongs. (e.g. Help Desk Users).

    Action name – the name of the management action which you would like to permit (e.g. “Refresh Machine Policy”). You can also grant permissions on an entire action group (e.g. “Run Computer Actions”).

    Once you have obtained the details above, click on the desired Folder name in the organization tree on the left and locate the row in the table with the desired Action name.

    If the “Inherit” checkbox for that row is selected, deselect it. If not, click on the cell with the desired Role name in the column header and select “Allow” from the drop-down list.

    Click “Apply” on the Home ribbon to save the changes. As a result of the operations in the example above, members of the “Helpdesk” role will have the ability to run the “Refresh Group Policy” action on computers located in the “Workstation” folder.

    Note: As with standard Windows permissions, ControlUp “Deny” permissions always override “Allow” permissions. This means that any “Allow” permission applies only if the affected user is not a member of any other role which has a “Deny” permission entry in the same row.

    Denying Permissions

    ControlUp’s Security Policy includes two approaches to preventing users from running management actions:

    1. Implicit Deny – not granting permissions in the first place, or setting the permission to “Not Set”.
    2. Explicit Deny – setting the permission to “Deny”.

    The difference between these two methods is that Explicit Deny overrides any other permission, and the affected users will always be denied access to the action, even if they are members of additional roles which allow access to the same action. Implicit Deny (or “Not Set”) means that users are not allowed to run the management action, unless permitted by another role of which they are also a member.

    Note: It is considered best practice to use the explicit Deny approach only if you need to configure an exception for an existing rule. For example, “all Local Admins should be able to restart workstations, except for Helpdesk users” is a valid example for explicit Deny. However, a rule such as “Local Admins should not be allowed to restart computers” should be configured by using implicit Deny (“Not Set”) permission only.
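
    The evaluation rules described above (per-row inheritance, “Allow” / “Not Set” / “Deny”, Deny overriding Allow, and the owner's standing right to change permissions) can be modelled as follows, together with a check for Deny entries that the best-practice note says should be “Not Set”. This is an added example, not ControlUp code: the class and function names, the “Restart Computer” action name and the sample policy are assumptions, and a role missing from an overriding row is treated as “Not Set”.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Cell(Enum):
    ALLOW = "Allow"
    NOT_SET = "Not Set"
    DENY = "Deny"


@dataclass
class Folder:
    """One node of the organization tree (model only)."""
    name: str
    parent: Optional["Folder"] = None
    # action -> {role: Cell}. A key exists only where "Inherit" is unchecked
    # for that permission row; every other row comes from the parent folder.
    rows: Dict[str, Dict[str, Cell]] = field(default_factory=dict)

    def resolve_row(self, action: str) -> Tuple[Optional[str], Dict[str, Cell]]:
        """Walk up the tree to the nearest folder that sets this row."""
        node: Optional[Folder] = self
        while node is not None:
            if action in node.rows:
                return node.name, node.rows[action]
            node = node.parent
        return None, {}


def is_allowed(folder: Folder, action: str, roles: Iterable[str],
               is_owner: bool = False) -> Tuple[bool, str]:
    """Effective access for a user holding `roles` on resources in `folder`."""
    if is_owner and action == "Change Permissions":
        return True, "Organization Owner"
    source, row = folder.resolve_row(action)
    cells = {role: row.get(role, Cell.NOT_SET) for role in roles}
    denying = sorted(r for r, c in cells.items() if c is Cell.DENY)
    if denying:                      # Deny always overrides Allow
        return False, f"explicit Deny for {denying[0]} on {source}"
    allowing = sorted(r for r, c in cells.items() if c is Cell.ALLOW)
    if allowing:
        return True, f"Allow for {allowing[0]} on {source}"
    return False, "Not Set (implicit deny)"


def deny_without_allow(folders: Iterable[Folder]) -> List[Tuple[str, str, str]]:
    """Flag Deny cells in rows where no role is allowed: there is no rule to
    make an exception from, so the note above calls for "Not Set" instead."""
    findings: List[Tuple[str, str, str]] = []
    for f in folders:
        for action, row in f.rows.items():
            if Cell.ALLOW not in row.values():
                findings += [(f.name, action, role)
                             for role, c in sorted(row.items()) if c is Cell.DENY]
    return findings


# Constructed sample policy. Role and folder names follow the page's examples;
# the "Restart Computer" action name and all cell values are made up.
root = Folder("Org", rows={
    "Restart Computer": {"Local Admins": Cell.ALLOW},
    "Refresh Group Policy": {"Local Admins": Cell.ALLOW},
    "Chat": {"Organization Members": Cell.ALLOW},
})
workstations = Folder("Workstations", parent=root, rows={
    # Exception to an existing rule: admins may restart, Helpdesk may not.
    "Restart Computer": {"Local Admins": Cell.ALLOW, "Helpdesk": Cell.DENY},
    "Refresh Group Policy": {"Local Admins": Cell.ALLOW, "Helpdesk": Cell.ALLOW},
})
cu_lab = Folder("CU Lab", parent=root, rows={
    "Chat": {"Organization Members": Cell.DENY},   # no Allow left in this row
})

if __name__ == "__main__":
    print(is_allowed(workstations, "Restart Computer", ["Local Admins", "Helpdesk"]))
    print(deny_without_allow([root, workstations, cu_lab]))
```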

    Resetting Inheritance

    There are several methods of restoring the default Security Policy in ControlUp, depending on your needs:

    1. If there’s a single permission entry which is currently set on a folder and you would like to reset this permission to inherit its parent folder settings, check the “Inherit” checkbox next to that permission and click “Apply” on the Home ribbon.
    2. If you have a folder with a complete Security Policy you would like to propagate to all its subfolders, then select this folder, click “Reset Inheritance” on the Home ribbon, and then click “Apply” on the Home ribbon. You will need an “Allow” setting in the “Change Permissions” row for the selected folder in order to be able to perform this action.
    3. If your entire Security Policy is misconfigured and you would like to reset it to factory defaults, click on the “Reset Defaults” button on the Home ribbon. Please note that this operation will also remove any custom user roles you have created. In order to be able to perform this operation, your user account has to be the Organization’s Owner OR a Roles Manager with sufficient permissions to change permissions on the root folder.

    Action Permissions

    This section describes all the permissions configurable in ControlUp.

    Perform Organization-wide actions

    These actions are performed on objects in ControlUp’s organization tree only, without affecting managed resources such as computers or user sessions. They can also be referred to as “tree actions” since they are executed using the ControlUp Console and include the ability to add or remove computers, create and arrange folders, and change permissions.

    Change Permissions – modify the Security Policy for the current folder or computer.

    Note: The Organization Owner is always allowed to change permissions, regardless of other settings.

    Manage ControlUp Insights Access Settings – modify all settings on the Insights Access tab of the Settings window

    Manage User Permissions to ControlUp Insights – modify the per-user permissions to access ControlUp Insights in the Organization Properties window

    Manage Data Upload Settings – modify all settings on the Data Upload tab of the Settings window

    Edit Stress Settings – modify Stress Level settings for the current folder.

    Manage Branch mapping settings – configure the subnet-to-name lookup table on the Branch Mapping tab of the Settings window

    Configure Incident Triggers – view and change the configurations of incident triggers in the organization.

    Add Computer – add new managed computers to the current folder.

    Add Folder – add new folders to the current folder.

    Change Folder Description – modify the description field for this folder.

    Remove Computer – remove computers from the current folder / remove the current computer.

    Remove Folder – remove the current folder.

    Rename Folder – rename the current folder.

    Run Shared Script-based Actions – globally permits execution of Script-based actions. In addition, the user will need an explicit permission to perform the Script-based Action of choice (see Script-based Actions below).

    Run Draft Script-based Actions – permits the creation of new Script-based actions (drafts).

    Download and Share Script-based Actions – permits downloading SBAs shared by the community and sharing user-created SBAs with the community.

    Manage Script-based Actions – permits managing Script-based Actions for your organization.

    View Folder – see the folder in the organization tree. The folder will be invisible to users lacking this permission (not applicable for the root folder, which has to stay visible).

    Launch Controllers – switch to the Controllers pane. Without this permission, users cannot launch any controllers. This is a user interface restriction which can be configured on the root folder only.

    View Incidents – use the Incidents Pane to display entries recorded in the organizational incidents database. Applies to the entire organization and cannot be changed for subfolders.

    View Events – use the Events Pane to display event entries recorded on the managed computers. Applies to the entire organization and cannot be changed for subfolders.

    View Hypervisors – View all hypervisor-related objects in the organization (VMs, Hosts, and hypervisor connections). Applies to the entire organization and cannot be changed for subfolders.

    Manage Hypervisors – Create, edit and delete hypervisor connections in the organization. Applies to the entire organization and cannot be changed for subfolders.

    Run Computer Actions

    These actions are performed on the managed computers via the ControlUp Agent. Actions which have an asterisk after the action name are dependent on your currently logged-on Windows user’s rights because they use RPC to access the remote computers.

    Console-based Actions

    Monitor Computer – connect to the ControlUp Agent and start gathering performance data.

    Change Computer Description – edit the “Description” field for a computer in ControlUp.

    Event Viewer on Remote Computer – open a new Event Viewer (eventvwr) window, attempting to connect to the remote computer.

    RDP to Computer – switch to the Remote Desktop pane and establish an RDP session to the managed computer.

    ControlUp Agent Management

    Agent-based Actions

    The rest of the Computer Actions are performed using the ControlUp Agent on the managed computers. A user who is granted access to agent-based actions is permitted to instruct the ControlUp Agent on the managed computers to perform these actions. The ControlUp Agent on a managed computer will use its Local System account to perform the action unless otherwise specified. For example, when using the “Processes > Run as…” action, the ControlUp user will be able to execute any process accessible by the Local System account. As a side effect, you will not be able to run processes from the network unless you specify valid credentials, since Local System cannot access network locations.

    For a full list of agent-based actions, please refer to the chapter regarding My Organization Pane.

    Run Session Actions

    Actions in this group are invoked using the Sessions view and performed on the managed computers using the ControlUp Agent.

    A user who is granted access to these actions will be able to execute them only on user sessions hosted on managed computers affected by the Security Policy you are currently editing. Please note the caption on top of the permissions grid, saying “Security Policy for …”

    For more information regarding these actions, please refer to the chapter regarding My Organization Pane.

    Run Processes Actions

    Actions in this group act upon processes on managed computers and are executed using the ControlUp Agent.

    A user who is granted access to these actions will be able to execute them only on processes running on managed computers affected by the Security Policy you are currently editing. Please note the caption on top of the permissions grid, saying “Security Policy for …”

    For more information regarding these actions, please refer to the chapter regarding My Organization Pane.

  • Secure Your Organization

    Whether you are the only systems administrator in your environment or have a large IT team collaborating on management and monitoring tasks using ControlUp, it is important that you familiarize yourself with the out-of-the-box Security Policy and adjust it to your needs.

    (This article provides a brief overview of ControlUp’s Security model. For more information regarding ControlUp’s rights and permissions, please refer to the “Security Policy Pane” chapter).

    Know Your Roles

    ControlUp’s default Security Policy grants permissions for two built-in user roles. You cannot delete or modify membership for these roles:

    Local Admins – a ControlUp user is considered a member of this role when they have local administrative privileges on the managed computer. By definition, your membership in this role may vary depending on the context. When performing a management action on multiple computers, a ControlUp user’s current Windows credentials are evaluated on each computer, so a user might be a member of “Local Admins” on one computer but not on another.

    Organization Members – this role includes all ControlUp users logged into your organization. When a user on your network launches ControlUp and logs on to your current organization, they become members of this group and remain so until logging off or exiting ControlUp.

    Review Default Permissions

    By default, Local Admins are granted permission to perform all management actions available in ControlUp. This means that before a ControlUp user can perform a management action, ControlUp checks whether this user’s current Windows account is a member of the local Administrators group on the managed computer. If this validation fails, the management action is not invoked.

    Organization Members are allowed to perform organization-wide actions but not management actions. For example, they can see the folder tree, create or modify folders, add or remove computers and connect to computers to see their performance information. However, they cannot perform any actions on the managed computers.

    Configure Custom Roles and Restrict Actions

    You can create custom roles for different teams or individuals on your network using the “Manage Roles” window. Active Directory users and groups from any domain or forest configured in ControlUp may be members of these custom groups.

  • Locking UI With Group Policy

    Starting with ControlUp 3.0, there is an option to restrict the display of ControlUp Console user interface components through Microsoft Group Policy. You can hide panes, views, actions, columns and buttons, thus creating a limited view which may be useful for delegated administrators, such as helpdesk personnel. These restrictions are visual only and do not change any rights the user might have.

    Usage

    Download the administrative templates ZIP file and extract ‘ControlUpConsole.admx’ and ‘ControlUpConsole.adml’ files to your policy definition folder.

    For a detailed explanation of Group Policy templates, please refer to http://msdn.microsoft.com/en-us/library/bb530196.aspx

    After importing the template, your policy should look similar to the following:

    The policies are applied to users. Use the template in GPOs linked to Active Directory OUs in which your delegated ControlUp administrators’ user accounts are located.

    Under ControlUp > Console in the policy, there is a subfolder for each pane and view, for the ribbons, and for the Settings window. The policy names are sorted alphabetically.

    The following user interface components may be hidden using the policy template:

    Action pane

    • The action history pane has only one policy, ‘Hide’; when applied, it hides the action history pane.

    Controllers pane

    • You can hide the entire Controllers pane or individual controllers:
      • Registry controller
      • User Registry
      • File System
      • Program and Updates Machine
      • Program and Updates User
      • Services
      • Shares

    Events pane

    • The events pane has only one policy ‘Hide’.

    Incidents pane

    • The incidents pane has only one policy ‘Hide’.

    Monitor status view

    • The monitor status view has only one policy ‘Hide’.

    My Organization pane

    • Holds the majority of the policies. As the default view of ControlUp, it cannot be hidden.

    Accounts view

    • You can hide the accounts view
    • In the subfolder “Accounts columns” you can ‘Hide’ each of the available columns

    Agent Control

    • You can hide any of the actions you can perform on ControlUp agents
      • Hide Deploy .net framework
      • Hide Agent Ribbon
      • Hide Set listening port
      • Hide Remove remote agent
      • Hide Restart remote agent
      • Hide Start remote agent
      • Hide Stop Remote Agent
      • Hide Agent tree view context menu
      • Hide Upgrade remote agent
      • Hide agent properties

    Computer view

    • You cannot hide the computers view.
    • In the subfolder “Computer columns” you can ‘Hide’ each of the available columns
    • You can hide the following actions:
      • Abort Shutdown
      • Admin$ Diagnostics Instruction
      • Disable Process Execution
      • Enable Process Execution
      • Launch Event Viewer On Remote Computer
      • Flush Dns
      • Import Registry Computer
      • NSLookup Diagnostics Instruction
      • Ping Diagnostics Instruction
      • Reboot machine
      • Refresh Machine Policy
      • Send Message (same as in sessions view)
      • Send Super Message (same as in sessions view)
      • Send Wake On Lan Signal
      • Shutdown machine
      • Run As User
      • Test WMI Diagnostics Instruction
      • Trace Diagnostics Instruction
      • Wake On Lan

    Executables view

    • You can hide the Executables view
    • In the subfolder “Executables columns” you can ‘Hide’ each of the available columns

    Folders view

    • You can hide the Folders view
    • In the subfolder “Folders columns” you can ‘Hide’ each of the available columns

    Process view

    • You can hide the Process view
    • In the subfolder “Process columns” you can ‘Hide’ each of the available columns
    • You can hide the following actions:
      • End Process
      • Go To >> Session
      • Kill Process
      • PsKill
      • Set Process Priority

    Session view

    • You can hide the Session view
    • In the subfolder “Session columns” you can ‘Hide’ each of the available columns
    • You can hide the following actions:
      • Chat
      • Disconnect Session
      • Get Session Screenshot With Approval
      • Get Session Screenshot With Notification
      • Get Session Screenshot Without notifying the user
      • Go To >> Computer
      • Import registry user
      • Logoff session
      • Reapply group policy
      • Refresh user group policy
      • Remote assistance
      • Kill policy
      • Send message (same as in computers view)
      • Send super message (same as in computers view)

    Remote Desktop pane

    • You can hide all Remote Desktop actions from ControlUp Console

    Ribbons

    • You can hide the following options from the Ribbons menus
      • Help ribbon
      • Add context menu on tree view
      • Organization properties
      • Button actions
      • Button add computers
      • Button Add folders
      • Button Export
      • Button move computer or folder
      • Button remove computer or folder
      • Button rename folder
      • Button Script based actions

    Security Policy pane

    • You can hide the Security Policy pane from ControlUp Console

    Settings

    • You can hide all the settings or the following individual settings:
      • AD Connection Settings
      • Agent
      • Agent
      • Alert
      • Controllers
      • Credentials
      • Display
      • Events
      • Export
      • Manage monitors
      • Schedule
      • Manage triggers
      • Proxy
      • Remote assistance
      • Security
      • Stress
  • 3rd Party Integration

    ControlUp 4.0 introduces a new way to locate managed resources by leveraging the moniker functionality of Windows. The most commonly used moniker is “http:”, which tells the operating system that the resource locator that follows it should be opened using a web browser. In a similar fashion, “controlup://” tells the operating system that the trailing resource locator should be parsed by ControlUp. When ControlUp is first launched, it associates the “controlup://” moniker with the console executable, so that it is launched when a URL beginning with this moniker is clicked or otherwise invoked.

    ControlUp URLs consist of the following components:

    • moniker – example: controlup://
    • pane name – example: MyOrganization/
    • view (if applicable) – example: Computers/
    • search string – example: server1

    In the example above, after the user clicks the controlup://MyOrganization/Computers/server1 URL or uses the Start > Run command in Windows to invoke it, ControlUp will be launched, or brought to the foreground if already running. Then, it will switch to the Computers view in the My Organization pane and populate the search box with the term “server1”. Effectively, if a computer named server1 exists in your ControlUp configuration, it will be shown in the information grid.

    The pipe ( | ) character can be used as an OR logical operator for the search box. For example, to display computers named server1 and server2, the following URL can be used: controlup://MyOrganization/Computers/server1|server2

    Other views in My Organization pane can be searched by using URLs like:

    – controlup://MyOrganization/Hosts/esx55srv01

    – controlup://MyOrganization/Sessions/user50

    – controlup://MyOrganization/Processes/wuauclt.exe

    – controlup://MyOrganization/Accounts/user50

    – controlup://MyOrganization/Executables/Outlook

    Other ControlUp panes can also be used with URLs:

    – controlup://RemoteDesktop/server1 – switches to the Remote Desktop pane and establishes a remote desktop connection to server1, if it exists

    – controlup://Controllers – switches to the Controllers pane

    – controlup://Incidents/user50 – switches to the Incidents pane and searches for incidents that include user50 in any field

    – controlup://Events/user50 – switches to the Events pane and searches for Windows Events that include user50 in any field

    – controlup://SecurityPolicy – switches to the Security Policy pane

    The URLs above can be leveraged in several scenarios in which a resource managed by ControlUp is addressed from an external location. Here are some ideas:

    • You send your colleague an email asking to take a look at the performance metrics of a resource
    • You receive an email alert from ControlUp, in which you can click the name of the affected resource to view it in ControlUp
    • An entry is created in your support ticketing system, in which user names can be clicked to show their sessions in ControlUp
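
    The URL layout described above can be checked mechanically before a ticketing system or alert template turns a user or computer name into a clickable link. The following is an added example, not ControlUp code: the pane and view names come from this page, while the function names and the character allow-list for search terms are assumptions.

```python
"""Build and vet controlup:// links before a ticket system or mail template renders them."""
import re
from typing import NamedTuple, Optional, Tuple

MONIKER = "controlup://"

# Pane and view names exactly as they appear on this page.
MY_ORG_VIEWS = {"Computers", "Hosts", "Sessions", "Processes", "Accounts", "Executables"}
SEARCH_PANES = {"Incidents", "Events"}          # pane + search string
CONNECT_PANES = {"RemoteDesktop"}               # pane + computer name, opens an RDP session
BARE_PANES = {"Controllers", "SecurityPolicy"}  # pane only

# Assumption: a conservative allow-list for one search term (host, user or
# executable name). It is not ControlUp's documented grammar.
TERM_RE = re.compile(r"[A-Za-z0-9._$-]{1,64}")


class ControlUpLink(NamedTuple):
    pane: str
    view: Optional[str]
    terms: Tuple[str, ...]
    opens_connection: bool


def _split_terms(raw: str) -> Tuple[str, ...]:
    """Split a search string on the OR operator and check every term."""
    terms = tuple(raw.split("|"))
    for term in terms:
        if not TERM_RE.fullmatch(term):
            raise ValueError(f"search term not allowed: {term!r}")
    return terms


def parse_link(url: str) -> ControlUpLink:
    """Accept only the URL shapes shown on this page; raise ValueError otherwise."""
    if url[:len(MONIKER)].lower() != MONIKER:
        raise ValueError("not a controlup:// URL")
    parts = url[len(MONIKER):].split("/")
    pane = parts[0]
    if pane == "MyOrganization" and len(parts) == 3 and parts[1] in MY_ORG_VIEWS:
        return ControlUpLink(pane, parts[1], _split_terms(parts[2]), False)
    if pane in SEARCH_PANES and len(parts) == 2:
        return ControlUpLink(pane, None, _split_terms(parts[1]), False)
    if pane in CONNECT_PANES and len(parts) == 2:
        terms = _split_terms(parts[1])
        if len(terms) != 1:
            raise ValueError("a connection link must name exactly one computer")
        return ControlUpLink(pane, None, terms, True)
    if pane in BARE_PANES and len(parts) == 1:
        return ControlUpLink(pane, None, (), False)
    raise ValueError(f"unexpected pane/view layout: {url!r}")


def build_link(pane: str, view: Optional[str] = None, terms=()) -> str:
    """Compose a link from untrusted field values (e.g. a user name in a ticket)."""
    for term in terms:
        # Checked one by one so a value cannot smuggle in '|' and widen the search.
        if not TERM_RE.fullmatch(term):
            raise ValueError(f"search term not allowed: {term!r}")
    segments = [pane] + ([view] if view else []) + (["|".join(terms)] if terms else [])
    url = MONIKER + "/".join(segments)
    parse_link(url)  # raises if the pane/view combination is not a known shape
    return url


def vet_for_rendering(url: str, allow_connect: bool = False) -> Optional[str]:
    """Return the URL if it may be shown as a clickable link, else None."""
    try:
        link = parse_link(url)
    except ValueError:
        return None
    if link.opens_connection and not allow_connect:
        return None  # clicking would start a remote desktop connection
    return url


if __name__ == "__main__":
    print(build_link("MyOrganization", "Computers", ["server1", "server2"]))
    print(vet_for_rendering("controlup://RemoteDesktop/server1"))
```

    Links to the RemoteDesktop pane are held back by default because, per the list above, opening one establishes a remote desktop connection rather than only navigating the console.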
  • File Menu

    The File menu, located in the top left corner of ControlUp, includes shortcuts to the following functions:

    • Settings – opens the Settings window. For more details, please refer to the Settings Window page.
    • Account Management – opens the Account Management window. In this window you can perform the following tasks:
      • View your ControlUp username
      • View and update your email address, name, and mobile number
      • Re-send the account activation email (if your account has not yet been activated)
      • Manage the mobile devices on which you would like to receive push notifications. For more information, please refer to the Mobile Apps documentation page.
      • Disable or enable email alerts (This option disables all alerts. To disable alerts for specific triggers, please use the Trigger Settings window)
      • Change your ControlUp account password
    • Minimize – minimizes ControlUp to the system tray (notification area)
    • Sign Out – ends the current ControlUp session and launches the login wizard
    • Save Configuration – flushes the current personal ControlUp configuration to the disk
    • Exit – ends the current ControlUp session and closes the console
  • Incidents Triggers & Alerts

    This article will highlight ControlUp’s incident trigger and e-mail alerting feature. By exploring the ins and outs of the feature, along with its major use cases, we will demonstrate how to create a specific incident trigger using a typical use case. Covering the entire process from start to finish, we will also explain how an incident is detected, what happens after it is unearthed, and finally the resulting email alert configuration. With this information, you will be able to configure an advanced incident trigger, including email alerts, with your very own console.

    ControlUp incident triggers let you know about important events in your network, whether you specify the events you want observed or ControlUp brings them to your attention. That way, whenever a specific incident takes place, you can take proper action. Whenever a specific incident is detected, multiple follow-up actions can be carried out (e.g. email alerts, mobile push notifications to Android or iOS applications, and event logs).


    ControlUp Incident Triggers – Primary Use Cases

    Some common incident trigger use cases include:

    1. Detecting when critical Windows services are no longer available (i.e. have crashed or stopped) – ControlUp can monitor particular Windows services so the appropriate actions can be taken.
    2. Uncovering host, server, or endpoint performance issues (i.e. when RDS servers or VDI Endpoints exceed a stress level threshold) – ControlUp can detect when high resource usage causes increased levels of stress to be placed on systems or processes.
    3. Identifying application performance issues – ControlUp observes application stress levels and detects when an application or specific process (i.e. .exe file) is consuming too much memory, I/O, or CPU.
    4. Monitoring specific application usage – exposing certain metrics for particular applications (e.g. how many times the application has been opened and by whom).
    5. Catching specific Windows events – ControlUp triggers can detect when a specific event is created on any Windows-managed computer.

    Creating an Advanced Application Performance Incident Trigger

    Let’s begin our exploration into incident triggers with an application performance use case. One of our customers’ ERP applications started behaving erratically to the extent that when a user would begin performing an action, CPU usage would reach 30%. After a mere 30 seconds, this caused processes to jam up, prohibiting end users from using the application. As a result, the sysadmin wanted to be notified of this peculiar behavior as well as the accompanying information that could be saved for further analysis and troubleshooting.

    ControlUp monitors specific processes and enables the detection of similar cases, including notifying sysadmins when issues occur. ControlUp triggers can be configured with advanced filters to monitor a specific process at hand with a defined threshold metric, such as CPU utilization.

    For this specific use case, we will simulate an ERP.EXE application’s processes in order to show exactly how to create an incident trigger with the valid parameters, as well as a follow-up email alert.

    Check out our User Guide to learn more about incident triggers.

    1. Stress Level Settings

    Before creating the trigger, we need to check our stress level and adapt it to our specific scenario.

    The ControlUp Stress Level incident type applies to all record types in ControlUp (Folders, Hosts, Computers, Sessions, Processes, Executables and Accounts). With the stress level trigger, we will be able to identify performance issues, such as excessive CPU consumption.

    In our example, below, we will configure the process’ CPU Stress Level.

    Enter ControlUp Settings ⇒ Stress Settings ⇒ select the relevant folder (XenApp6.5 in our case) ⇒ Processes ⇒ CPU Settings:

     

     

    We need to optimize the stress level settings to match the scenario we want. For example, if you want to make the stress level critical when CPU usage is over 30% for a duration of 30 seconds or more, you can change the duration to 30 seconds and change the load to 6. These changes mean that whenever any process running on the XenApp farm reaches 30% CPU for more than 30 seconds, the process load will increase to the number 6, and without any connection to the other metrics, it will switch to the critical stress level. In order to prepare the proper stress level metrics, in this case, both the duration and the load factor had to be changed.

    2. Create the Trigger

    To create an incident trigger, click on the “Add Incident Trigger” button on the “ControlUp Management Console” window.

     

     

    This step will provide you with all of your possible trigger options via the New Incident Trigger Wizard. You can then match the type of incident trigger to your specific use case (e.g. stress level, Windows event, computer down, process started…).

    As shown below, if you are monitoring a specific application process, select the ‘Process’ record type. As for choosing a stress level, we are only interested in ‘Critical’ for the sake of our use case.

    For this particular use case, we will be using a stress level incident trigger. Therefore, we will select “Stress Level” and click Next.

     

     

    Select Record Type: “Process”, Stress Level: “Critical”, and Duration: Leave Default (since the 30 seconds duration is already part of the Stress Level Settings), then click Next.

     

     

    As seen above, the newly created incident trigger will detect any process that exceeds the critical stress level. In order to configure our own custom trigger related to this specific process we need to continue on to the next step and use the filter editor. As shown below, we set the filter name (ERP.EXE) and the specific CPU usage threshold (>=30%).

     

     

    ERP.EXE only runs on XenApp 6.5 servers, so we will select the Scope to be our XenApp6.5 folder and set the schedule for Weekdays (i.e. if you want the trigger to be detected between 9:00am-6:00pm during the workweek), then click Next.

     

     

    If you don’t configure any follow-up actions, by default, whenever ControlUp detects that an ERP.EXE process in the XenApp 6.5 folder is about to cross the 30% CPU usage mark, it will be logged into the central incidents database. This allows you to later go to the incidents pane and view the details regarding that specific incident (i.e. how many times the incident happened, when, which users it happened with, etc…) in order to do a historical analysis.

     

     

    If you also want to be alerted in real-time when the incident happens, you have to select ‘Send an email alert’ under the type of follow-up actions. For alert settings, select ‘Send an e-mail alert’ and choose the relevant recipients, then click Next.

    At the end, enter a trigger name and click Finish.

     

     

    The new trigger now appears in the trigger list, as shown below. Click OK.

     

     

    3. Watching it in Action – Viewing Incidents and Email Alerts

    Once a new incident occurs, the incident trigger will generate an email alert, as seen below:

     

     

    As seen above, the details of the incident are recorded in ControlUp’s historical incident database. The link in the email to the problematic process (ERP.EXE) refers to ControlUp’s incidents pane, as shown below:

     

     

    You can double-click the highlighted ‘Process Stress’ line to drill down and see specific incidents:

     

     

    Once the email alert is received, the sysadmin should check ControlUp’s real time performance views, enter the XenApp6.5 folder and filter by “erp” to reveal the problematic process, as shown below:

     

     

    In this case, in order to eliminate any additional performance issues, the sysadmin can simply right click and kill the process.

     

     


    Final Note

    In this article, we saw how a ControlUp incident trigger can track advanced performance issues. With ControlUp incident triggers, sysadmins gain a great deal of flexibility with detailed monitoring capabilities that drive transparency and control over their environment’s performance.

  • ControlUp Monitor

    Introducing ControlUp Monitor

    ControlUp Monitor is a component principally equivalent to ControlUp Console, but without an interactive user interface. Once installed and started, ControlUp Monitor signs into your ControlUp organization and connects to your managed computers. The Monitor starts receiving system information and performance updates from your organization, just like an additional ControlUp Console user. The primary difference between a Monitor and a Console is the fact that the Monitor runs as a Windows service, requiring no user interaction and allowing for continuous monitoring of your resources.

    Benefits of ControlUp Monitor

    ControlUp Monitor offers a number of benefits to admins who require continuous monitoring of their resources:

    1. After a Monitor is installed in the organization, monitoring of resources is a continuous process, running 24/7 regardless of the presence of active ControlUp Consoles in the network. Multiple Monitor instances automatically provide mutual backup and high availability for monitoring.
    2. Monitors can be configured to alert ControlUp users about incidents that cannot be detected by ControlUp Console. For example, only the Monitor records “Computer Down” incidents, since detection of this incident requires continuous monitoring.
    3. ControlUp Monitor can be configured to export data tables to disk for future analysis using ControlUp Reporter. The scheduled export process runs in the background and ensures continuous logging, which cannot be guaranteed using the interactive Console.
    4. The Monitor is mandatory for uploading data to ControlUp Cloud Insights and for exporting activity files for the Insights On-Premises.

    Respectively, the following limitations apply to ControlUp organizations which do not have a Monitor instance installed:

    1. Monitoring of resources and alerting about system issues can only occur if at least one instance of ControlUp Console is active and connected to the entire organization.
    2. “Computer Down” incidents cannot be detected or recorded.
    3. In order to support historical reporting and trending analysis, at least one instance of ControlUp Console has to be connected to the entire organization and configured to export data tables to disk.

    Prerequisites for ControlUp Monitor

    ControlUp Monitor can be deployed to any computer running Windows Server 2008 or later. It requires the .NET Framework 3.5 features to be enabled and RPC access to be enabled at the installation phase. In addition, in order to enable the Monitor Service to connect to all your managed computers, you will need to assign domain credentials to the Monitor Service as described below in the "Domain Identity" section.

    Installing and Configuring ControlUp Monitor

    By default, no instances of ControlUp Monitor exist in a ControlUp organization. In order to install a new instance of ControlUp Monitor, go to the Home Ribbon and click on Add Monitor.

    Alternatively, click on the "Monitor Inactive" label in the ControlUp Monitors area below the organization tree and then click on the "Deploy Monitor" button to install and configure a monitor.

    Click on “Add Monitor”. ControlUp Monitor Installation Wizard will guide you through the process of installing and configuring the monitor instance. The first stage of the Wizard is a computer object picker. Use this page to select a computer from one of your managed domains that will host the Monitor Service.

    Note that by default, the Monitor Service listens on TCP port 40706, which is also customizable on this screen. After checking for prerequisites, all the files required for the installation of the Monitor Service are copied to the selected computer and a “ControlUp Monitor” Windows service is created.

    Immediately after installing the service, ControlUp will open the Monitor Configuration Wizard, which will gather all the required information to configure and start the Monitor service. The Wizard will go through the following stages:

    Domain Identity

    In the first stage, the wizard offers to import your currently saved credentials for use by the Monitor service. If you agree, then your current list of AD Connections and Credentials Store are imported. Note that you need to click “Edit” for each entry to confirm that the correct credentials are being used for each AD Connection. If you connect to more than one AD domain, choose one of the connections to be the primary one. If you decline to import your personal credentials, you will be prompted to create at least one set of valid AD credentials for the Monitor instance to use when connecting to your resources.

    The Monitor Service needs valid credentials to establish connections with all of your managed computers. It is also responsible for deploying ControlUp Agents to the managed computers, in case they have no agent installed. By default, ControlUp Monitor service is configured to start using the Network Service account, which is not sufficient for administrative connections to your managed computers. In addition, if your organization includes several Active Directory domains, the Monitor will need valid administrative credentials to access all these domains.

    It is recommended that you create a dedicated account for the ControlUp Monitor in each of your Active Directory domains. This account needs to possess:

    1. Local administrative privileges on all your managed computers
    2. Modify permissions on the directory used for scheduled data export (see below)

    The bottom of the Domain Identity page hosts the credentials saved with the Monitor instance in order to enable it to connect to your virtualization infrastructure. In order to monitor virtualization hosts, ControlUp requires consoles and monitors to use the same credentials. To enable continuous monitoring of the virtualization hosts using the monitor, use this page to save the same service account credentials used by other ControlUp users in your organization to connect to your hosts. Saving those credentials is optional. However, if no credentials are provided for hypervisor connections, the monitor will not be able to connect to the hypervisor infrastructure. For more information on monitoring virtualization hosts with ControlUp, please refer to the Connect to the Virtualization Infrastructure page.

    Login Mode

    At this stage, select the type of ControlUp login for your Monitor instance. If your organization works with online ControlUp login, leave the default online option selected. In this case, ControlUp will automatically create a new ControlUp user account for your monitor instance.

    If your organization uses ControlUp in Offline Mode, your ControlUp Monitor will need an offline license file, just like a regular ControlUp user.

    Proxy Settings

    If applicable, configure the proxy settings needed for the Monitor to connect to the Internet for login. Please keep in mind that if the Monitor is installed in a network subnet that differs from your administrative workstation, the required proxy settings may be different from the ones used on your machine.

    In case of an issue connecting to ControlUp servers or uploading data to S3, please refer to this article - Missing Data In Insights

     

    Scheduled Export

    The Scheduled Export feature allows ControlUp to record any activity displayed in My Organization pane. The output CSV files can later be used to produce reports using ControlUp Reporter. If your ControlUp console is already configured to export data on a scheduled basis, the Monitor configuration wizard will offer to move your export rules from your personal settings to the monitor. If you agree, the monitor service will start exporting the data instead of your ControlUp console, which eliminates the need to keep a ControlUp console open in order to produce data reports. You can configure additional export rules for the Monitor.

    For the scheduled export feature to work, you are required to configure the export path for the CSV files, as well as a credentials set which is sufficient for the monitor to write files to that directory. The export path can be either a local or a UNC path. In case the “Delete files older than…” option is configured, the configured account will also need permission to delete files.

    SMTP Settings

    ControlUp supports delivery of email alerts using a user-provided SMTP server, which is useful for customers who cannot or prefer not to utilize the built-in cloud alerting service. In order to submit alert messages to a custom SMTP server, the Monitor service needs to be configured with the server name or IP, sender details, and credentials.

    This tab of the Monitor Configuration window allows for customizing those details. If no information is provided on this page, incident triggers using the “Send an email alert using a local SMTP server” follow-up action will fail to generate email alerts.

    Advanced Settings

    ControlUp Monitor can be configured to regulate information updates from the Agents. Configurations on this tab of the Monitor Configuration window may help with optimizing resource consumption by the Monitor Service.

    For more information regarding the regulation of information updates and its impact on the performance of ControlUp, please refer to the Advanced Settings section in the Settings Window documentation.

    Service Port

    After the initial installation and configuration, this tab is available in the Monitor Configuration window. This allows you to configure a TCP listening port number for the ControlUp Monitor Service. The default port is 40706.

    Note: ControlUp Monitor is similar to a ControlUp console, acting like a client which connects to a listening TCP port (40705 by default) on the managed computers. The Monitor listens on port 40706 only to allow ControlUp console instances in your organization to receive status updates and display the status of the monitor in the console. This port is not used for communications with managed computers.

  • Monitoring Citrix License Server

    ControlUp supports monitoring the usage of licenses installed on a Citrix License Server. The only prerequisite for this is that the License Server needs to be added as a managed computer to the ControlUp organization. Once ControlUp Agent is deployed to the License Server and started, the agent starts gathering license usage data and reporting it to the console and monitor instances in your organization.

    When a Citrix License Server entry in the Computers view is double-clicked, the grid displays a “Citrix Licenses” tab in addition to the default “Sessions” and “Processes” tabs. When this additional tab is clicked, the information grid displays the license objects installed on the License Server. The following metrics are displayed for every licensed product:

    Column Name (sorted alphabetically): Explanation

    License Count: The total amount of installed licenses for the product
    License Pool - Available: Number of remaining licenses in the license pool that are ready for use
    License Type: Describes the license type of the installed product
    Licenses in Use: Number of licenses currently in use
    Licenses in Use Percentage: Percentage of licenses currently in use
    Overdraft: Additional 10% licenses granted to support temporary spikes in demand (relevant to XenDesktop with User/Device model only)
    PLD: Technical ID of the licensed product
    Product: License product name and model

    Alerting on Citrix License Utilization

    The Citrix Licenses view does not include a Stress Level column. However, you can still configure ControlUp to send alerts whenever Citrix license utilization crosses a threshold. This can be done by modifying the stress settings to include the Top Citrix License Utilization column in the Computers view to contribute to the computers’ stress level, as shown below:

    In the example depicted in the screenshot above, the “Top Citrix License Utilization Column” will trigger an increase of 1 point in the License Server computer’s Stress Level when the most highly utilized licensed product on the server crosses a utilization threshold of 101%.

  • Script-based Actions

    Introducing Script-Based Actions

    Script-based Actions (SBA) allow the admin to extend the functionality of ControlUp to include anything that can be written in a CMD batch file, VBScript, or PowerShell script. Scripts can be run on the target computers, the ControlUp console, or any other computer in the ControlUp environment. They can also be run in different security contexts, if needed. Any admin can create an SBA and share it not only with the rest of their organization, but also share it with the ControlUp community. Users are automatically notified when there are additions and updates to either community or organizational SBAs.

    ControlUp SBAs offer the following advantages over traditional system scripts:

    1. Each time you run an SBA, you can choose any number of remote computers / user sessions / processes to act upon. ControlUp will handle the concurrent task execution, while passing all the relevant arguments to the scripts, depending on the objects you select.
    2. The user credentials used to execute the script can be configured every time you run the SBA. In addition, you can run SBAs on computers that belong to untrusted Active Directory domains and forests, as long as you have added them to ControlUp with valid credentials.
    3. Script output is automatically collected and compared, so you can quickly determine the outcome of the SBA execution on multiple targets, which can be a laborious task with scripts.
    4. Scripts can be executed either on your console machine, on any of your managed computers, or on a third computer of your choice. This feature allows for a great deal of flexibility – for example you may configure an SBA that uses a command-line tool that only exists on a specific server in your environment, select multiple computers and run the SBA on that dedicated server against all of the selected computers.

    The main SBA management window can be found on the Home Ribbon of My Organization pane and is divided into three sections: My Draft Actions, Organizational Actions, and Community Actions.

    My Draft Actions

    When you first create an SBA (see below for the procedure), it is stored in the My Draft Actions section in your private configuration where it can be tested and debugged until it is ready to be shared with others. The only restrictions on draft SBAs are that they cannot be used against more than one target at a time, and they cannot be shared with other ControlUp admins. When an SBA is finalized, it can also be shared with the user community at the same time.

    Organizational Actions

    In this section are all of the finalized SBAs created by all of the ControlUp users in the organization. If an SBA is modified here, it automatically goes back to the Drafts section until it is finalized again. From here, the SBAs can also be shared with the user community.

    Community Actions

    In this section are SBAs that have been shared by other ControlUp users throughout the world. They are all freely available for use by all.

    Creating a Script-based Action

    To create a new SBA, click the ‘New’ button on either the Organizational Actions or My Draft Actions. Either way, the newly created SBA will be saved in the My Draft section.

    Name: A name for your script-based action (required).
    Description: Optional, but very helpful, especially when the action is shared with the community.
    Icon: Any JPEG or .png file that is 5KB or less in size. (This is usually 32×32 pixels.)
    Assigned to: The record type that the script will act upon, which is also the basis for creating and evaluating script arguments (see below). The assignment also defines which view the script can be invoked from. If multiple views are desired, choose the ‘Advanced’ assignment and define the views there.

    Note that an action can only be assigned to one record type, even if it can be invoked from multiple views.

    For example: An SBA assigned to Computer is only viewable/runnable from the Computer view. If the action is also relevant to the Folders view, set the assignment to ‘Advanced’ and, within the Advanced Assignment box that appears, assign the action to ‘Computer’ and then choose to invoke it from both the Computer and Folders views. This could be useful if you want to use the folder as a method of choosing a group of computers to act upon.
    Execution Context: The computer the script will run on. The only requirement from ControlUp is that the agent is installed on it. The script itself may have other requirements, such as certain PowerShell modules or snap-ins.
    Security Context: The user account that will be used to run the script. The ‘Network Only Credentials’ checkbox is similar to ‘runas /noprofile’.

    Note: Be aware that scripts are not run in a shell with elevated privileges.

    Script tab

    The script text is what would be run if it were executed directly at the configured execution context. Parameters can be passed to the script according to the script type (see next section on arguments).

    Arguments tab

    Any property of a ControlUp record can be used as an argument to the script. The list of properties depends on the type of record that the script is assigned to (e.g., Computer, Session, Process).

    Example: A script is assigned to ‘Computer’. If arguments are assigned, ‘Name’ and ‘IP Addresses’ are possible properties that can be used. If the script were assigned to ‘Session’, those properties are not there but instead ‘Logon Time’ and ‘User’ are in the list, because those are relevant to the record type.

    It is also possible to prompt for parameter input at runtime. Manually entered parameters can be validated with a regular expression, if desired.

    Note: if you want to ensure that the field is not left blank, a simple “.+” (no quotes) can be used in the input validation box.

    The arguments will be mapped according to the script type and are referenced appropriately:

    BAT/CMD: %1, %2, %3, etc.
    VBScript: wscript.arguments(0), wscript.arguments(1), wscript.arguments(2), etc.
    PowerShell: $args[0], $args[1], $args[2], etc.

    The Preview button allows you to preview exactly how the arguments will be passed to the script. If an argument comes from a record property, you are prompted to choose a record to use for the preview. If an argument is from user input, you are given the opportunity to type in the input you are looking for and validate it with the regular expression that was supplied. This way you can easily test the field and the validation.

    Once the SBA is created, it is placed in the My Draft Actions tab until finalized. This allows you the opportunity to test the SBA privately (and on only one target at a time).

    Version numbers

    Version numbers are organized according to the following system:
    <community>.<organization>.<draft>

    Examples:
    • A script with a version of 0.3.3 has been edited 3 times in the drafts folder and finalized to the organization 3 times (every time it was edited, it was finalized). It has never been published to the community.
    • A script with a version of 0.1.3 means that it was edited 3 times in the drafts folder, and then finalized once to the organization. It has never been published to the community.
    • A script with a version of 3.8.22 means that it has been edited 22 times in the drafts folder, finalized to the organization 8 times, and also published/shared to the community 3 times.

    Editing an existing SBA

    Editing an SBA, whether from Organization or from My Draft, is done the same way. Highlight the SBA, click the ‘Modify’ button (or double-click the item or click on the pencil at the right side of the row), and then you will have a window with all three tabs/sections of the SBA available for editing.

    If an organizational script is edited, it creates a new draft script, incrementing the draft version number (e.g., an organizational script at version 0.1.2 will, after editing, also be in the drafts folder at version 0.1.3). You will then see two scripts in the context menu, one from the Organizational Actions and the other from the My Draft Actions, labeled ‘(Draft)’.

    If you edit the same organizational SBA while there is a version already in the drafts folder, ControlUp will warn you that the existing draft version will be overwritten by the new edits if you continue.

    When the new draft SBA is finalized, it will replace the previous organizational script (if it exists) and increment the organizational version number (in our example above, the script becomes version 0.2.3).

    Using an SBA and understanding the output

    SBAs can be invoked for ControlUp records from the Actions ribbon bar (Home -> Actions), the Actions side panel, or the context menu for the appropriate record. All SBAs from Organizational Actions and My Draft Actions will be in the list.

    The listed SBAs will be appropriate to the current view. Click on the desired script while the desired targets are chosen from the grid.

    If the SBA is configured to prompt for parameter input from the admin (for example, execution context of ‘other computer’, or security context ‘prompt upon execution’), those values will be requested when the script is run. If the script uses record properties as arguments, the console automatically retrieves those properties at this time without requesting input from the admin.

    The results screen is below. There are a number of sections of the results screen of interest.

    In the top half of the window, the ‘Output’ section displays normal command-line output (StdOut) and the ‘Error’ section displays command-line errors (StdErr). The bottom section gives various details about the script execution on each target attempted. Some of the fields, like ‘Status’ and ‘Exit Code’, can depend on how the script is written.

    Example:

    Here we see a VBScript that failed to run because the target computer (Execution Context) is not a part of a domain that has a trust relationship with the domain that the running user (Security Context) belongs to. There is a command-line error shown, but since the script never ran, nothing was in StdErr.

    Consider this XenDesktop PowerShell script snippet:

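    # $TargetMachine and $machineName are set earlier in the script (not shown).
    if ($null -ne $TargetMachine) {
        $TargetMachine | Set-BrokerPrivateDesktop -InMaintenanceMode $false
        Write-Host "$machineName is no longer in Maintenance Mode"
    } else {
        Write-Host "Could not find desktop $machineName"
        # Without an explicit exit code the console reports success.
        Exit 1
    }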

    Without the ‘Exit 1’ command to explicitly send the exit code, the script status would show ‘Exit Successfully’, even though there was a failed condition. This is due to how PowerShell evaluates error conditions and return codes. Since we want regular messages to StdOut, the Write-Host is used to write to the ‘Output’ window. Write-Error would put the message into StdErr (‘Error’ – see below).

    Getting the script to report on the result screen as desired may take some extra scripting. For example, continuing to use the PowerShell snippet above, $TargetMachine could have a value, but the Set-BrokerPrivateDesktop cmdlet could still fail for some reason. The cmdlet in this case may require a Try/Catch construct to get the desired behavior from the results window.

    Batch commands and VBScript will behave similarly. If you do not see the results in the windows that you expect, try other similar batch/VBS/PoSh commands and review how the language processes output and return codes.
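
    The Try/Catch handling described above, combined with the $args[0] mapping from the Arguments tab, as an added example (not ControlUp's or Citrix's own code). It assumes the SBA passes a DOMAIN\machine name as the first argument and that Get-BrokerPrivateDesktop from the Citrix Broker SDK is loaded in the execution context; the name pattern and the exit codes 2 to 4 are illustrative choices.

```powershell
# Added example: SBA-style script body, not ControlUp's or Citrix's own code.
# Assumption: the SBA passes the desktop's DOMAIN\machine name as $args[0].
$machineName = [string]$args[0]

# Re-validate the argument inside the script. The console-side regex is a
# convenience for the operator, and ".+" only proves the field is not empty.
# This pattern (an assumption: NetBIOS-style names) also keeps wildcard
# characters out of the lookup, so one run cannot match several desktops.
if ($machineName -notmatch '^[A-Za-z0-9-]{1,15}\\[A-Za-z0-9-]{1,15}$') {
    Write-Error "Rejected argument: expected DOMAIN\machine"
    exit 2
}

# The script's own prerequisites must exist on the execution context computer.
if (-not (Get-Command Set-BrokerPrivateDesktop -ErrorAction SilentlyContinue)) {
    Write-Error "Citrix Broker cmdlets are not available on $env:COMPUTERNAME"
    exit 3
}

try {
    # -ErrorAction Stop turns non-terminating cmdlet errors into exceptions,
    # so a failed lookup or a failed update reaches the catch block instead
    # of falling through to the success message.
    $TargetMachine = Get-BrokerPrivateDesktop -MachineName $machineName -ErrorAction Stop

    if ($null -eq $TargetMachine) {
        # Expected condition: reported in 'Output', but with a failing exit code.
        Write-Host "Could not find desktop $machineName"
        exit 1
    }

    $TargetMachine | Set-BrokerPrivateDesktop -InMaintenanceMode $false -ErrorAction Stop
    Write-Host "$machineName is no longer in Maintenance Mode"
    exit 0
}
catch {
    # Unexpected failure: message goes to StdErr ('Error'), exit code is non-zero.
    Write-Error "Failed to update ${machineName}: $($_.Exception.Message)"
    exit 4
}
```

    Because each failure path produces its own message and exit code, targets that fail for different reasons land in separate result groups.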

    The result groups are simply a way of grouping records with identical outputs to help simplify reading and interpreting results. Any error messages must also be identical for the targets to be in the same result group.

    Lastly, the Stop/Rerun buttons at the top give the admin a way to force an SBA to quit before it is finished, or immediately re-run the action on the desired targets with the same parameters without having to go through the setup steps again. This could be useful if, for example, there was an error condition that prevented a script from completing successfully. Upon seeing the script error, the admin makes the necessary fix and can now re-run the script just on the failed computer/account with a single click.

    Removing SBAs

    Removing SBAs in My Draft Actions or Organizational Actions is as simple as highlighting the SBA(s) that you want deleted and clicking ‘Remove’. You will be prompted to confirm your choice before deletion.

    Important Tip: Changes (add/edit/delete) made in the Scripts Management window are not committed to disk until ‘Apply’ or ‘OK’ is clicked in the main Scripts Management window. If a script was changed or deleted by mistake, cancelling out of the main Scripts window will throw away those changes, even if ‘OK’ or ‘Finish’ was clicked in the specific SBA window itself.

    Sharing SBAs with the Organization and the ControlUp community

    One of the powerful features of ControlUp is the ability to share your SBAs with other admins in your organization as well as with all ControlUp users. Conversely, you can also benefit from the SBAs of other ControlUp users all over the world. Once your script is ready, you can share it from either the My Draft Actions folder, or the Organizational Actions folder.

    All SBAs in the My Draft Actions list are in your private configuration. For an SBA that is in the My Draft Actions folder, there is a ‘Finalize’ button. This will transfer your SBA to your organization’s configuration, increment the version number, and remove the single target restriction. All organization members will receive a notification in the console and immediately be able to use it. At the same time, you can upload it to the ControlUp servers to be made available to all ControlUp users worldwide. The community scripts are approved by Smart-X before they are released. Although Smart-X will review all scripts before releasing them, safety and best practice dictate that you are responsible for reviewing any script you download before you run it, so that you are fully aware of what actions it will take.

    To finalize a draft SBA, simply highlight it in the ‘My Draft Actions’ tab and click the ‘Finalize’ button on the screen. The options here are:

    Yes, I want to share my work with the community: In addition to moving it to the online organizational configuration, you may also share it with the community at the same time by leaving this box checked. If you do so, then the following fields are available.
    Credit to: This text box is to allow you to give credit to other people if they made contributions to the script, mention the original author of the code, which web site it came from (if applicable) or anyone else you want to acknowledge (Thanks, Mom!). For example, you may find something at the Scripting Guy website that you use to create an SBA. This would be the place to mention that and the URL where others can go to see the source for themselves.
    Tags: If desired, enter a comma-separated list of tags that can be used to search for this SBA.
    Publish anonymously: If you do not wish to be known, checking here will make the Author/Last Editor fields be filled by the word “Anonymous”.
    Allow community members to contact me by e-mail: If you publish anonymously, this is automatically unchecked and greyed out. Otherwise, you have the option to allow others to contact you or not.
    Notes: Enter a note to Smart-X relevant to the SBA approval (this field is only seen by Smart-X).
    “I accept the terms of the license agreement” You mus

    If you have finalized an SBA without sharing it, you can share it later from the Organizational Actions tab using the ‘Share’ button. This contains the same information and choices as the Finalize window in the ‘My Draft Actions’ section.

    Once an SBA is shared, it is reviewed and approved by ControlUp and then released to the community.

    If you remove a finalized (organizational) SBA that you have already shared with the community, the community version will not be deleted. If you need a public script removed from the community SBA collection, please contact ControlUp Support.

    Downloading community SBAs

    The ‘Community Actions’ tab contains all of the scripts contributed by ControlUp users everywhere. There are also a few scripts from ControlUp to demonstrate different SBA functions and some things that can be accomplished with SBAs, although they are not meant to be comprehensive examples.

    In order to import the community SBA for use in your organization, click the green ‘Add’ button. You will get a window with the full description, credits given, and a check box to accept the terms of the License Agreement. Click ‘Add Action’ and the script will be downloaded to your organizational configuration. In a few moments the button will turn to grey, show “Installed”, and you will see the script on the ‘Organizational Actions’ tab, at which point you will have full use of the script. You may also modify it and re-publish your version of the script (giving credit to the original author, of course). If the author chose to allow others to contact them by email, then the ‘Contact Author’ button will be active. When the user clicks that button, ControlUp will shell execute the ‘Mailto:’ command with the author’s email address.

    If you already have a community SBA and it is updated, the button for that SBA changes to ‘Update’ so that you know that a new version has been published. The first time that the Scripts Management window is opened after the updated SBA is published, there will also be a “New” graphic on the SBA. When the Scripts Management window is closed, the “New” graphic goes away, but the button will still be ‘Update’, so that you can update your organization’s copy of the SBA when you are ready.

    Additionally, all of your downloaded community scripts can be updated from the Organization Actions tab, either by clicking on each individual update icon on the right, or using the ‘Update All’ button that will appear on the top of the table. The ‘Update All’ button does not appear if there are no scripts to update.

    For your convenience, there is a search box on the right side of the Community Actions tab which searches by any text in the window – name, author, description, tags, etc.

    SBA and Security Policies

    Security Policies can be configured for SBAs.

    There are four management actions at the organizational level regarding SBAs:

    – Run shared SBAs: ability to run SBAs in the organization

    – Run draft SBAs: ability to run SBAs in the drafts folder

    – Download and share SBAs: ability to download SBAs from the community and share them with the community.

    – Manage SBAs: ability to open the SBA window to manage SBAs. This does not prevent a ControlUp user from running SBAs they have been given permission to run. It just prevents opening the SBA management window.

    Once an SBA is finalized from a draft or imported from the community, it will be entered into the Security Policy template in the appropriate assignment and permissions can be assigned to SBAs individually if desired. Permissions granted or denied at the individual script level override anything granted at the organization level.

    SBAs assigned to Computer, Session, or Process records are part of the normal folder hierarchy of Security Policies. However, SBAs assigned to Folder, Account, or Executable records are not associated with the folder hierarchy and the security settings assigned to them will be in effect for the entire organization.

    Please refer to the documentation page for Security Policies for more details on how to assign permissions to Security Policy items.

  • Licensing

    Whenever you launch ControlUp, a license test is performed in order to determine the maximum number of concurrent user sessions that your current license permits you to manage using ControlUp.

    Your active license is determined by the ControlUp online servers during the login process. If you are using the offline option, your Offline License file needs to be available on your computer every time you launch ControlUp.

    In order to display your active license, click the “About” button on the Help ribbon and then click the “Licensing” button. This window will also pop up automatically any time your current license limit is exceeded.

    For more information on ControlUp licenses and pricing, please refer to our Pricing page.