July 2009 Archives

Here’s something for every Administrator out there, parsing the event logs in Windows quickly and easily.

In Powershell, there is the “Get-EventLog” command.

And do you know HOW EASY it is to use?  And it works on both LOCAL and REMOTE eventlogs (Presuming permissions, etc etc etc)

Here’s the basic command line

    Get-EventLog [-AsString] [-ComputerName <string[]>] [-List] [<CommonParameters>]

    Get-EventLog [-LogName] <string> [[-InstanceId] <Int64[]>] [-After <DateTime>] [-AsBaseObject] [-Before <DateTime>] [-ComputerName <string[]>] [-EntryType <string[]>] [-Index <Int32[]>] [-Message <string>] [-Newest <int>] [-Source <string[]>] [-UserName <string[]>] [<CommonParameters>]

Now I’m going to break that down into something SIMPLE and USEFUL

All you REALLY need to know to WORK with this is one simple comparison operator: “-like”

So here we’re going to get my Application Log for any time it had OUTLOOK crash

    GET-EVENTLOG -LOGNAME Application | where { $_.Message -like "*outlook*" }

All that does is a wildcard search for the word Outlook ANYWHERE in the message.   If you’ve ever tried digging through the event logs, you know what it’s like.  The Filter option in Event Viewer JUST doesn’t cut it when you want to filter on the contents of the error messages.

Here in Powershell land?  Well we’re just getting started!

You can search FAILURE AUDITS for a particular user too!  Now of course you have to have the appropriate logging turned on first.   And the second Caveat is you HAVE to run Powershell “As Administrator” (Right Click, run as Administrator) as the Security logs are, shall we say, a little special.

But with that SAME command and an extra parameter -COMPUTERNAME I can find every time someone failed to type his/her password properly.

    GET-EVENTLOG -LOGNAME Security -COMPUTERNAME CONTOSO-DC | where { $_.EntryType -eq "FailureAudit" }

And if you PIPE that into an EXPORT-CSV like so

    GET-EVENTLOG -LOGNAME Security -COMPUTERNAME CONTOSO-DC | where { $_.EntryType -eq "FailureAudit" } | EXPORT-CSV C:\MYRESULTS.CSV

You can have logs you can dig through with Excel. 

But wait!  There’s more.

I can get REALLY granular!  I can look for which USER was failing on their password and filter THEM into an even smaller log.  Because Powershell (unlike the Eventviewer Filter) can SEE and Filter out results in the Message field!

    GET-EVENTLOG -LOGNAME Security -COMPUTERNAME CONTOSO-DC | where { ($_.EntryType -eq "FailureAudit") -and ($_.Message -like "*JOHN.SMITH*") }

And of course like before, you can pipe all of this into a useful CSV file.  This output as well contains ALL the details from the event Log, including Dates and Times!

    GET-EVENTLOG -LOGNAME Security -COMPUTERNAME CONTOSO-DC | where { ($_.EntryType -eq "FailureAudit") -and ($_.Message -like "*JOHN.SMITH*") } | EXPORT-CSV C:\BADPW.CSV
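The same search as a reusable function, added here as an example and not part of the original post. It uses CONTOSO-DC and JOHN.SMITH from the post as placeholders; everything else (the function name, the default one-day window, the CSV paths) is an assumption made for the example. Two things it does that the one-liners above do not: it hands the EntryType and date filtering to Get-EventLog itself, so the whole Security log is not dragged across the network before the pipeline filters it, and it keeps the Message search, because Get-EventLog’s own -UserName parameter matches the user recorded on the event, which for a failure audit is usually not the account that failed.

```powershell
# Added example (not from the original post): failure audits from a DC, optionally
# narrowed to one account name found in the Message field, ready for Export-Csv.
function Get-FailedLogonEvents {
    param(
        [string]$ComputerName = 'CONTOSO-DC',            # from the post; placeholder for your DC
        [string]$UserName,                                # optional substring to look for in Message
        [datetime]$After = (Get-Date).AddDays(-1),        # assumption: last 24 hours by default
        [int]$Newest = 5000                               # upper bound so a busy DC does not flood you
    )

    # -EntryType and -After are applied by Get-EventLog while it reads the log, which is far
    # cheaper than pulling every Security event and then filtering with where { }.
    $events = Get-EventLog -LogName Security -ComputerName $ComputerName `
                           -EntryType FailureAudit -After $After -Newest $Newest

    # The account that failed lives only in the Message text, which Event Viewer's filter
    # cannot search but -like can.
    if ($UserName) {
        $events = $events | Where-Object { $_.Message -like "*$UserName*" }
    }

    $events | Select-Object TimeGenerated, EventID, MachineName, Source, Message
}

# Everything JOHN.SMITH failed in the last day, straight into a CSV for Excel
Get-FailedLogonEvents -UserName 'JOHN.SMITH' | Export-Csv -Path C:\BADPW.CSV -NoTypeInformation

# Failures per day for the last week: a typo shows up as a handful, a guessing attempt as hundreds
Get-FailedLogonEvents -After (Get-Date).AddDays(-7) |
    Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object Name, Count
```

As the post says, this needs an elevated Powershell and audit logging of logon failures switched on; without the latter the function simply returns nothing.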

This is why I love Powershell.   Without any real difficulty, it makes an Administrator’s life SOOO much easier.  And more productive.

Sean
The Energized Tech

Did you hear the news?

FRESH OFF THE PRESS! WINDOWS 7 and SERVER 2008 R2 are OFFICIALLY RELEASED TO MANUFACTURING!

Caught this in Twitter from the @MICROSOFT feed.  Here’s the posting for all to see

http://windowsteamblog.com/blogs/windows7/archive/2009/07/22/windows-7-has-been-released-to-manufacturing.aspx

Oh read it and sing! YES!   The SINGLE greatest day in HISTORY is HERE!

I’d be dancing and singing about in my cubicle right now if it weren’t for the fact that I would get “called out” for it :)

But *sniff* It’s HERE!!!!!! I’m WATCHING my Technet subscription right now like a hawk.

Windows 7 !  Redmond!  Microsoft!  THANK YOU for RTM so quick.

Tomorrow is going to be a fantastic day and the future even better.

7 is here.

Well I had a real head scratcher.

Had to setup a feature on a pc called “NETPRINTQUEUE2FAX” from GFI.  The procedure is dead simple.

Add UNC Virtual printer from GFI Fax server (just like adding any other printer)

Send documents to Printer with formatted commands.

Sit back and enjoy Frosty Beverages from a job well done.

Or that’s how it was supposed to be.  I knew there was nothing wrong with the server.   The guy that put it together was my boss who really knows his stuff.

And when I asked him “Hey, did you ever get the following problems adding this feature before?” He looked at me as if I had big pink antennae coming out of my head and I was wearing a large fluffy koala bear for shoes.

Yes.  This seemed to be a truly dumb question waiting for an answer.

But I plugged away at it.   Here’s what happened.  On an X64 Server 2008 box, you would connect to the printer, life was good and nothing worked when you sent to the printer.  No errors, No application logs saying anything.

Not even a peep.

So I decided to go the other path.  Try the 32bit driver instead.

It looked at me and laughed.

When I added the 32 bit driver on a 32 bit Vista machine it kept WHINING and COMPLAINING: “I can’t find FAXMAKER.CAT”.

So I searched.  I dug through GIGS and GIGS of file storage.  This file didn’t exist!

I pulled off a couple of tricks and yanked the MSI files for both the 64 bit version and the 32 bit version out of the TEMP folders.  And running a neat little trick from this article on Tech-Recipes.com I pulled out ALL the files the installers dumped.

But try as I might.  This file was from the PHANTOM ZONE!

Then I thought, let’s try a different approach.  Let’s add the driver first.  If the driver files are REALLY corrupt, then they won’t add.

And so I did.  I went to the list of printers.  I pulled up “File/Run as Administrator/Server Properties” to get my list of drivers.   I added the driver manually, browsed to the folder on GFI where the drivers were kept and SURPRISE!

And what do you think popped up in front of me the minute I tried?  This lovely little message


Hmmm so it appears the drivers were failing halfway through the install.  And no error message either!  Thanks a lot GFI!

So I manually added the drivers to each computer through the Printer console.  Both the 64bit *AND* the 32bit gave the same error.  But after being added FIRST and agreeing to the evil red error message, connecting to the NETPRINTQUEUE2FAX printer afterwards was fine.   In fact I was actually sending faxes with no problem.

So if you’re running GFI Faxmaker and banging your head against the wall wondering WHY NETPRINTQUEUE2FAX isn’t working in Vista?  Take this answer and use it.

And *ahem*.  Somebody give GFI a little kick in the pants for lack of Quality Control. 


You can read the whole story here.  But straight from Microsoft we have ALL the dates officially released for Windows 7 and Server 2008R2

We all know from yesterday’s news that the official RTM date is August 6th 2009.  Techs, Devs, IT Pros, Managers and most of the general population of the Planet EARTH are cheering about that.

But Not EVERYBODY can have Windows 7 on that day. 

But looking at those dates tells you one thing.  Summer is about to get a LOT more fun!  OEM’s will be receiving English media as EARLY as TOMORROW!  Technet, MSDN and Volume License as early as August 6th and 7th!

And if you’re looking at ANY kind of Server deployment, mid August is the time to target, with the unquenchable power of Server 2008R2 being released for the most part then!

And every IT Pro and Architect that’s an absolute speed freak has got to be quaking in their shoes to let loose this power!

FASTER BOOT TIMES!  Live Migration in Hyper-V!  A blazing rocket fast INTERFACE!  A system that’s praised by Mac, Linux AND PC users!

And oh… Did I mention the most important feature of Windows 7 and Server 2008R2?

The one you should get FOR THAT REASON ALONE?!

POWERSHELL V2 IS RELEASED IN THE O/S!!!

---------------------------

Oh THANK YOU THANK YOU THANK YOU MICROSOFT!

For bringing us CHRISTMAS in the SUMMER! w00t w00t w00t!

Sean
The over the top, can’t wait for August 6th 2009, singing and bouncing in his cubicle!

THE ENERGIZED TECH!

YEEEEEEEEEEEEEHHHHAAAAAAAAAAAA!!!!!!!!!!

Now here was what I thought was a “simple task”

Add a couple of sites (or in my case machines) to the Trusted Sites Zone in Internet Explorer, do it via Group Policy

There were a couple of suggested methods.  Most involved what I refer to as “Total Control” mode.   That’s right.   Make a list of Trusted Sites, push it down the pipe and let the users suffer.  No user additions.  “Muah haha haha….” I can see others in the background laughing madly.

And in truth, from a security standpoint, that is the best way to do it. 

But from a business standpoint, you may have to offer some flexibility.  Maybe not in the Enterprise, but definitely Small Business.  And in some cases, even that.

So my challenge was this.  Add one or more Trusted Sites to the Trusted Sites Zone WITHOUT locking out the users, forbidding all else, or destroying existing settings.

I decided to go about the “Hack method”.  Try to find where in the registry these settings were and what form they took.  I looked and found them and as it turned out they were in a nice workable pattern.  The settings per user for Trusted Sites (and various other Zones) are stored under

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

Now we could get into a really funky way of getting all the keys out and putting them into a script and flashing the workstations.   That would be quick and the job over.  But then again, how does that work with Vista /  Windows 7 and UAC?  Not so good.

But this is Server 2008 and GPO.   And there is a simple and SECURE way of deploying these changes.  It’s called PREFERENCES in Server 2008 GPO.  And like every good Administrator I have the RSAT (Remote Server Administration Tools) on my workstation to Manage GPO.  So we fire it up and go into a New Group Policy

Let’s take a quick look at the Preferences when you go to edit your policy.


*WHOA* – Quite the pile of goodies! Now to go into the nitty gritty would be a different article entirely.  Today we’re just going to look at the “REGISTRY” preference under “User Configuration”

But all we’re concerned with is getting those settings from say, a workstation that has them, to easily deploy to everybody else.  It’s quite simple actually.

Right click on “REGISTRY” under “User Configuration / Preferences / Windows Settings” and then choose “New / Registry Wizard” which will bring you this screen.


The process is seamless at this point.   If you have the settings on your workstation for the list of Trusted Sites (even if your list is larger than what you need) You can build that list for your users here.  

Choose your local computer as the source, click next and you’ll see a somewhat familiar tree.  And all you have to do is browse down to the “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains” key and choose what sites you need.


Make sure when you select your sites you ALSO check off the values for each site.   These values ENSURE the type of trusted link (http or https) as well as the particular zone within Internet Explorer.   Click Finish when you’re done.   Make sure to test it on a TEST user (not the Whole domain!) first and see the results.  Since it is a USER based preference, Make sure to apply it to whatever policies apply to your users. 

But when you’re done, you’ll be able to look at your Internet options for Trusted Sites Zone, see your new settings and users can STILL add to the list for their personal preferences.   The nice part is, because it’s part of GPO, those settings will keep applying whether users delete them or not.
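To see exactly what the Registry Wizard is picking up on the source workstation, and to add a single site the same non-destructive way the preference does, here is an added example (not from the original post) that works directly against the ZoneMap\Domains key named above. The zone numbers are Internet Explorer’s own fixed numbering (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites); the function names and the sample host name are assumptions made for the example.

```powershell
# Added example, not part of the original post. Reads and writes the per-user
# ZoneMap\Domains entries that the Group Policy Preferences Registry Wizard exports.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-IEZoneAssignments {
    # Lists every site under ZoneMap\Domains with its scheme value and zone number.
    if (-not (Test-Path $ZoneMapDomains)) { return }
    Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
        $key = $_
        # A host entry can sit beneath its domain key (Domains\contoso.com\intranet), so the
        # site name is rebuilt from the path relative to ZoneMap\Domains, innermost part first.
        $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        $parts = $relative -split '\\'
        [array]::Reverse($parts)
        $site = $parts -join '.'
        foreach ($valueName in $key.GetValueNames()) {
            # Only http, https and * are scheme values; anything else is not a zone assignment
            if ('http', 'https', '*' -contains $valueName) {
                New-Object PSObject -Property @{
                    Site   = $site
                    Scheme = $valueName
                    Zone   = $key.GetValue($valueName)
                }
            }
        }
    }
}

function Add-IETrustedSite {
    param(
        [Parameter(Mandatory = $true)][string]$Site,                # e.g. intranet.contoso.local
        [ValidateSet('http', 'https', '*')][string]$Scheme = 'https',
        [int]$Zone = 2                                              # 2 = Trusted sites
    )
    $key = Join-Path $ZoneMapDomains $Site
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Only this one value is written. Other sites, and other schemes on the same host,
    # are left exactly as the user had them, which is the whole point of the exercise.
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

# Usage (sample host name is constructed for the example)
Add-IETrustedSite -Site 'intranet.contoso.local' -Scheme 'https'
Get-IEZoneAssignments | Sort-Object Site | Format-Table Site, Scheme, Zone -AutoSize
```

Run Get-IEZoneAssignments on the workstation you plan to use as the wizard’s source before you build the preference: anything in there with Zone 2 goes out to every user the policy applies to, so it is worth checking that no one has trusted a site they should not have. If you do later decide on the “Total Control” route, that is the Site to Zone Assignment List policy under Internet Explorer’s Security Page administrative templates, and it does lock the user list, which is exactly what this post avoids.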


GPO.   The only way to drive your domain.

Sean
The Energized Tech

So last time we combined Snapins to give us a Powershell that was Pumped up.   Combining multiple management functions from different applications into Quest ActiveRoles Management Shell for Active Directory.

And now you get to see why.

What I wanted to get done was a nice simple script in Powershell that would not only create a user (or users), but do it consistently.   I wanted to just type in a First and Last Name, let the script run and Generate the Account in A/D, The Email address, most of the basics, create the User in OCS.

I wanted a One Shot deal

And here it is.

Granted.  The syntax of this script is VERY simplistic.  There’s a reason for that.   I want ANYBODY to pick up this script and be able to take it, improve it, learn from it.

What it does is simple.  Asks for a First and Last name as well as a password.

Using the new Shell environment combining the Exchange 2007 Snapin and ActiveRoles Management from Quest it will create a user and populate as MANY default fields as possible.  It will create and assign a user’s home drive.  The user will be enabled in OCS (if you have OCS)

Here is the monster.   Use it, abuse it.   Email me at sean@energizedtech.com for comments on it or questions.

Let’s REALLY get a feel for what Powershell can do for you.

Not just Batch jobs (but that’s easy too) but simple consistency

Enjoy and abuse.  Save the File as NEWUSER.PS1 in your script

---------------------------- Start Script ---------------------------------------------------------

# New User In PowerShell
# ye110wbeard Finally shuts up and writes a script that is USEFUL and doesn't sing about it
# 7/15/2009 :)
# And it couldn't have happened if it wasn't for the Powershell Community
#
# This script in many ways is VERY simple.  I simply chose to use simple assignments instead of a fancy "CSV Import" so a Powershell
# Newbie might be able to look at it, and get a better grasp of what everything is in Active Directory when THEY want to do something similar
#
# For Newbie Users, a line beginning with a '#' is a comment.   If you put a '#' the line will be ignored.

# Load the two snap-ins this script depends on (Exchange 2007 tools and Quest ActiveRoles) in case you are not
# running it from the combined console built in the previous post.  Harmless if they are already loaded.
Add-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue
Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Prompt User for FirstName and LastName of new user

$FirstName = read-host -Prompt "Enter User First Name: "
$LastName = read-host -Prompt "Enter User Last Name: "

# Password must be read from Console as Secure String to be applied.  If you adapt this to a Batch User process, you can use this one password as a default.  The Exchange New-Mailbox has the "Change Password at login" enabled by default

$TempPassword = read-host -AsSecureString -Prompt "Please Enter Temporary Password"

# SAM name will appear as Firstname.Lastname in Active Directory.   Adjust to meet your needs

$Sam=$FirstName+"."+$LastName

$max=$Sam.Length

#The SAM account cannot be greater than 20 characters.  You have to account for this.  A better function would stop, query and say "Too big stupid" but this is my first time out

if ($max -gt 20) {$max=20}

$Sam=$Sam.Substring(0,$max)

# This is handy if your organization must have the names listed by Lastname, Firstname.  Exchange 2007 cannot do this natively (at least not that I have found)

$Name=$Lastname+", "+$FirstName
$DisplayName=$Lastname+", "+$FirstName

# User Alias Displaying as Firstname.Lastname

$Alias=$FirstName+"."+$LastName

# UPN will be your internal login ID.  Typically Alias@domain.local or Username@domain.com

$UPN=$FirstName+"."+$LastName+"@Contoso.local"

# UNC Pathname to a share where all user folders reside.  Path must exist.  Recommend adding $ to sharename to hide from User Browsing

$HomeDir='\\CONTOSOFILE\USERHOME$\'+$Alias

# Drive Letter assigned to \\CONTOSOFILE\USERHOME$\USERNAME Folder - Pick one

$HomeDrive='Z:'

# Generic inbound office line and format of User Phone Extension.  Display purposes only.   Could be prompted as well

$Phone='212-555-0000 x111'

# Your friendly neighbourhood ZIPCODE (or POSTALCODE if you're from Canada 'eh'?)

$PostalZip='90210'

# City the user works in.  If you have multiple offices, you could prompt this as well

$City='Toronto'

# Your State (no not Confusion, the one you live in) or Province for those 'Canadians' Again

$StateProv='Ontario'

# Address you work at

$Address='123 Sesame Street'

# Default web site

$Web='www.contosorocks.com'

# Company where you work at, or won't work at if your boss catches you spending too much time drooling over Powershell

$Company='Contoso Rocks Ltd'

# What location in the building?  typically floor X, Division Y, the back room behind the boxes

$Office='In the Basement with my stapler'

# A generic description for the user

$Description='New User'

# Job Description.  Carpet burner, box stacker, cable monkey

$JobTitle='New User Hired'

# What department.  Where you hiding?  Network Admins, Secretaries?

$Department='New Department Hire'

# Office Fax Number

$Fax='212-555-1234'

# The ending part of the domain @wherever.com @fabrikam.com etc etc

$ourdomain='@contoso.local'

# This first line is done within the Microsoft Exchange Management Shell from Exchange 2007.  I add its ability to my Powershell with the command
# ADD-PSSNAPIN -name Microsoft.Exchange.Management.Powershell.Admin IF you have the Microsoft Exchange console on the computer running this script.  And you have Microsoft Exchange Server 2007 in the environment

New-Mailbox -Name $Name -Alias $Alias -OrganizationalUnit 'Contoso.local/Users' -UserPrincipalName $UPN -SamAccountName $SAM -FirstName $FirstName -Initials '' -LastName $LastName -Password $TempPassword -ResetPasswordOnNextLogon $true -Database 'CONTOSOEXCHANGE\First Storage Group\Mailbox Database'

# This command l

set-qaduser -identity $alias -homedirectory $HomeDir -homedrive $Homedrive -city $City -company $Company -department $Department -fax $Fax -office $Office -phonenumber $Phone -postalcode $PostalZip -stateorprovince $StateProv -streetaddress $Address -webpage $web -displayname $displayname -title $JobTitle

#http://www.powergui.org/thread.jspa?messageID=14099 Source post for creating OCS user with Powershell!  Thank you Powergui.ORG!
#
# Tips.  If you do have Office Communications Server or Live Comm and looking for the Variables used, Check an enabled user in Active Directory while in ADVANCED mode
# and choose the "Attribute Editor" tab.  You'll find them all down there.   If it doesn't say "Enabled" or contain a value?  Don't use it

$SIPHOMESERVER='CN=LC Services,CN=Microsoft,CN=CONTOSO-OCSSERVER,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=CONTOSO,DC=local'

$oa = @{'msRTCSIP-OptionFlags'=384; 'msRTCSIP-PrimaryHomeServer'=$SIPHOMESERVER; 'msRTCSIP-PrimaryUserAddress'=("sip:"+$alias+$ourdomain); 'msRTCSIP-UserEnabled'=$true }

Set-QADUser $Alias -oa $oa

#http://blogs.msdn.com/johan/archive/2008/10/01/powershell-editing-permissions-on-a-file-or-folder.aspx - Great reference on SETTING NTFS permissions with SET-ACL! Thumbs up!

#Make User Home Folder and Apply NTFS permissions - This was taken almost VERBATIM from the Blogpost.  I added in the $alias created from the FirstName Lastname to automatically populate a HomeFolder based upon the user name

$HomeFolderMasterDir='\\CONTOSOFILE\USERHOME$\'

new-item -path $HomeFolderMasterDir -name $Alias -type directory

$Foldername=$HomeFolderMasterDir+$Alias
$DomainUser='CONTOSO\'+$Alias

$ACL=Get-acl $Foldername
$Ar = New-Object  system.security.accesscontrol.filesystemaccessrule($DomainUser,"FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $Foldername $Acl

--------------------------- End Script Here ---------------------------------------------------------

There are a lot of reasons for my deep love affair with Powershell.   Why I find myself wanting to delve into it more each and every day.

Those late nights at the office, just me and a cup of hot coffee with my Mistress, Powershell

The one thing it can introduce into ANY environment.  Consistency.

Now Group Policy and Desktop Standardization help a lot.   But A Good Powershell Script for User Creation can REALLY make the day.

I create users.  My job calls for it.  I unlock accounts, disable accounts, delete accounts.   I like to be consistent with what I do every time.  Whenever possible.   Keeps me happy.  Keeps users happy.

And the more efficient I can be (or the lazier, depending on how you’d like to view it ;) ) the Better.

So my task was to build a “Superscript” in Powershell.  Really its task was simple.   Create a user in Exchange, OCS and Active Directory but have all the fields populated in ONE shot.  This would allow me to create multiple users consistently, and without fuss.

My tools at hand were the Microsoft Exchange Management Shell and the ActiveRoles Management Shell for Active Directory from Quest.

There wasn’t a Powershell console for OCS 2007 R2 but thanks to this Great article on Powergui.org written by the best of the best, it wasn’t needed.

So task one.   Getting my Exchange Management Tools and my Active Directory Management tools into one shell.  That’s actually quite easy.   You add the Powershell Management Snapins.

But how do you get and use those?

When you are in a particular console, Say “Exchange Management Console”; you can run a command called GET-PSSnapin.  The one near the bottom is most likely (but not definitely) the name of the snap-in you want.   But usually the names are very obvious and descriptive


As you can see in the Window above there is a Snapin named “Microsoft.Exchange.Management.Powershell.Admin”

All YOU need to do to use that in ANY other Powershell console (Provided of course the Exchange Administrator Tools are installed on that machine) is type

    ADD-PSSNAPIN -Name Microsoft.Exchange.Management.Powershell.Admin

Now in my world, I love using my ActiveRoles from Quest for working with Active Directory.  Simply Unlocking a user is a Quick command line.  So I wanted these two together.  PERMANENTLY.   I like creating users from the Microsoft Exchange Tools since it’s stock Microsoft, creates my SID’s right, Enables the user in Exchange 2007 the ways it’s supposed to be.

Then I use Quest ActiveRoles to manipulate all the other important details.  It’s an excellent tool for that and other needs.

To make it permanent I had to look at the shortcut for launching Quest’s console in Powershell


In this shortcut is its command line

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -psconsolefile "%ProgramFiles%\Quest Software\Management Shell for AD\ConsoleSettings.psc1" -noexit -command ". '%ProgramFiles%\Quest Software\Management Shell for AD\qsft.ps1'"

*WHEW!*

But really all it’s doing is launching a Powershell Script called “qsft.ps1” and a customized Console called “ConsoleSettings.psc1”

And if you go into that file called “ConsoleSettings.psc1” it’s just a standard editable Text/XML file.  Notepad is your friend for this next task but you HAVE to run it in Elevated Administrator mode (Run as Administrator) in order to edit and save the file.  So here’s the contents


Now all *YOU* have to do is add the name of your SNAPIN to its list to have both running under the same Console every time you run Quest ActiveRoles.

Simply add in a

    <PSSnapIn Name="NameofthatSnapinYouFoundWhenYouTypedGetPSSnapin" />

Just before the line marked

</PSSnapIns>

So with Exchange Snapin it will look like this


Now as you can see I got carried away and added in my Snapin for Virtual Machine Manager 2008 as well.  You’re not limited to how many you can add in to preload.  Be careful too.  Too much power in that Console COULD be dangerous.  Add in what you use on a regular basis to make your admin tasks easier.

Once you save that new Console file, every time you fire up YOUR copy of Quest ActiveRoles for Active Directory, you’ll REALLY be able to flex some Powershell Muscle.
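The Notepad step above, done with an XML parser instead, as an added example that is not part of the original post. It checks that the name you are about to write is a registered snap-in (a misspelt name makes the console error on every launch), refuses to add the same name twice, and keeps a .bak copy of the file. The function name and the sample file it writes to %TEMP% are constructed for the example; the Exchange snap-in name is the one from the post.

```powershell
# Added example, not part of the original post: add a <PSSnapIn> entry to a .psc1
# console file, the same edit the post makes by hand just before </PSSnapIns>.
function Add-SnapinToConsoleFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,        # the .psc1 file to edit
        [Parameter(Mandatory = $true)][string]$SnapinName   # the name Get-PSSnapin showed you
    )
    $fullPath = (Resolve-Path $Path).Path   # XmlDocument.Save needs an absolute path

    # A name that is not registered here will make the console throw at every start-up.
    # Only a warning, because the file may be destined for another machine.
    if (-not (Get-PSSnapin -Registered -Name $SnapinName -ErrorAction SilentlyContinue)) {
        Write-Warning "'$SnapinName' is not a registered snap-in on this computer (see Get-PSSnapin -Registered)."
    }

    [xml]$console = Get-Content -Path $fullPath
    $snapins = $console.SelectSingleNode('/PSConsoleFile/PSSnapIns')
    if ($null -eq $snapins) { throw "$fullPath has no <PSSnapIns> section; is it really a console file?" }

    $already = $snapins.SelectNodes('PSSnapIn') | Where-Object { $_.GetAttribute('Name') -eq $SnapinName }
    if ($already) {
        Write-Host "$SnapinName is already listed in $fullPath; nothing changed."
        return
    }

    Copy-Item -Path $fullPath -Destination "$fullPath.bak" -Force   # one-step undo

    $entry = $console.CreateElement('PSSnapIn')
    $entry.SetAttribute('Name', $SnapinName)
    [void]$snapins.AppendChild($entry)                              # lands just before </PSSnapIns>
    $console.Save($fullPath)
}

# Constructed sample in the same shape as ConsoleSettings.psc1, so the function can be tried
# without touching the real file under Program Files (which also needs an elevated shell).
$sample = Join-Path $env:TEMP 'Sample.psc1'
@'
<?xml version="1.0" encoding="utf-8"?>
<PSConsoleFile ConsoleSchemaVersion="1.0">
  <PSVersion>1.0</PSVersion>
  <PSSnapIns>
    <PSSnapIn Name="Quest.ActiveRoles.ADManagement" />
  </PSSnapIns>
</PSConsoleFile>
'@ | Set-Content -Path $sample

Add-SnapinToConsoleFile -Path $sample -SnapinName 'Microsoft.Exchange.Management.PowerShell.Admin'
Get-Content -Path $sample    # now lists both PSSnapIn entries
```

The post’s own caution applies: every snap-in you preload is another set of cmdlets that anyone sitting at that console can run, so add the ones you use daily and leave the rest to Add-PSSnapin when you actually need them.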

Next time, I’ll show you WHY I went through this effort. :)

Sean
The Energized Tech

I had a fun task.  I’m working with a new piece of software from Microsoft and the documentation is still being cleaned up and put together.

So one of my tasks was to figure out how to deploy the client software silently.

I mean, I certainly don’t want to walk up to a pile of workstations going “clickity click click click type type click type type type type.”

That would be… “Repetitive” at the minimal.

So on the Plus side, the client components were already in an MSI file (YAY!)

On the negative side, I needed to pre populate certain information INTO the MSI (Servername, Email address etc) without the documentation to do it.

Somebody in the Forum suggested using “ORCA” for editing the MSI file.  I could just as easily have used “Inst-ED” too.

Really all I needed was to fill in two fields “SERVERNAME” and “EMAIL Address” and had no clue where to start.  So I fired up ORCA and looked at the MSI file.

What is nice, is that inside an MSI file, all the variables, all the information is in TEXT and readable.   (with the appropriate Editor) and you can just dig through that file and look.   Most of it makes sense too.  If you understand a little coding.  Even just a bit.

It’s actually pretty easy to work with too.  Just open the “MSI” file in question and search with the find command.


Now this was a complete shot in the dark trying to find “email” as the parameter name.  It could have been anything but it DID reveal this


I did a few more searches in the file and found several references to “MONITORED_EMAIL” and guessed that this might be the variable in question for the email address.  It really helps that the Developers gave it a good descriptive name :)

My other one I had to see was the server name.  Normally a bit trickier.   But how about searching for “SERVER” and see what it came up with?

But a cheat.  When this particular installer ran it populated the name of the server as “LOCALHOST” so I took a shot and searched for that. 

And look what I found


Yes a whole whack of variables.   I did some more searching for RMS_LOCATION and found several references to it in the file.    So again.  A “Guess” but a relatively educated one.

So to plug in the info and see what it did wasn’t hard.

To assign information to a variable within an MSI file is not hard.   You have to call up the MSI file with MSIEXEC.EXE and literally just say “X=Y” like so

MSIEXEC.EXE /I FILENAME.MSI VARIABLEX=WHATEVER VARIABLEY=SOMETHINGELSE

In my case this was for the ILM Client for Forefront Identity Manager 2010 RC0.  So its line turned out to be.

MSIEXEC.EXE /I ILM-CLIENT.MSI RMS_LOCATION=MYSERVERNAME.DOMAIN.LOCAL MONITORED_EMAIL=secretemailaddressiwonttell@domain.local

By the way, if you tack on a “/QUIET” to the end of that, it will make it a silent and UNattended install. (That’s assuming you have the necessary credentials to INSTALL!)

 

I realize this is a bit cryptic but I wanted to show that even if the file doesn’t have a documented silent install, and you don’t have documentation to make one, as long as you can see INSIDE that MSI file you might be able to pull out enough information to make it work.
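The Orca searching above can also be done from Powershell, and that is what this added example (not from the original post) shows: it reads the Property table of an MSI read-only through the Windows Installer COM object that every Windows box already has, lists the UPPERCASE public properties (the ones msiexec lets you set from the command line), and then builds the silent install line with a verbose log, so a quiet failure is not also an invisible one. ILM-CLIENT.MSI, RMS_LOCATION and MONITORED_EMAIL are the values from the post; the function names, the e-mail placeholder and the log path are assumptions made for the example.

```powershell
# Added example, not part of the original post: read an MSI's Property table without
# Orca, then produce the msiexec line for an unattended install.
function Get-MsiProperties {
    param([Parameter(Mandatory = $true)][string]$Path)

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Mode 0 = open read-only: we only want to look at the package, never change it
    $database = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer,
                                                  @((Resolve-Path $Path).Path, 0))
    $view = $database.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $database,
                                             @('SELECT Property, Value FROM Property'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null

    $results = @()
    while ($true) {
        $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $record) { break }     # Fetch returns nothing once the rows run out
        $name  = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
        $value = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 2)
        $results += New-Object PSObject -Property @{ Property = $name; Value = $value }
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    $results
}

function New-SilentMsiCommand {
    param(
        [Parameter(Mandatory = $true)][string]$MsiPath,
        [hashtable]$Properties = @{},
        [string]$LogPath = "$env:TEMP\install.log"     # assumption: log beside the temp folder
    )
    $props = $Properties.GetEnumerator() | ForEach-Object { '{0}="{1}"' -f $_.Key, $_.Value }
    # /qn = no UI at all (what the post calls /QUIET), /norestart so a workstation is not
    # bounced mid-day, /l*v so the log tells you WHY if the silent install silently fails.
    "msiexec.exe /i `"$MsiPath`" $($props -join ' ') /qn /norestart /l*v `"$LogPath`""
}

# Public properties are the all-caps ones; this is the list you would otherwise hunt for in Orca
Get-MsiProperties -Path .\ILM-CLIENT.MSI |
    Where-Object { $_.Property -ceq $_.Property.ToUpper() } |
    Sort-Object Property | Format-Table Property, Value -AutoSize

# The post's command line, with the e-mail address replaced by a placeholder
New-SilentMsiCommand -MsiPath 'ILM-CLIENT.MSI' -Properties @{
    RMS_LOCATION    = 'MYSERVERNAME.DOMAIN.LOCAL'
    MONITORED_EMAIL = 'monitored@domain.local'
}
```

Checking the property list first also tells you whether the value you are setting actually exists in the package; a misspelt property name is accepted by msiexec without complaint and simply ignored, which looks exactly like a successful install until the client cannot find its server.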

 

Cheers all
Sean
The Energized Tech

I’ve been tasked to deploy this wonderful package and I ran into some interesting issues on the install.  This is still in the RC stage, so I would expect some glitches, but here’s some things I ran across.  Maybe it will save somebody else a few bottles of Bufferin ;)

First off, there is NO IMPORT USER WIZARD!  In ILM you’ll have to learn all about Synching up with Management agents.   FIM2010 is an incredibly powerful product.  I equate it to being a LOT like Biztalk Server.  It can have as simple a task as doing password resets and handing off some user management to HR.  It can be so powerful to sync up various foreign directory systems like Lotus Notes, Active Directory and SQL.

Do NOT install the Feature Pack giving you Certificate Lifecycle Manager and Identity Lifecycle Manager on the same server.   I found when CLM went onto the server it changes the settings dramatically and kills your ability to use the Sharepoint site.   I found a few workarounds that if I accessed the server with a different alias in DNS I could validate.  But the better solution was to use a separate server.

The CA must be installed on an Enterprise edition of the server to get the needed Certificates.

I found the CA should be on the same server as CLM.

When installing CLM in Server 2008 or 2008 R2 for that matter, the installer does not recognize the newer platform properly (yet) and as such has no proper clue what to do with UAC.   Run a cmd.exe as an Administrator, and run the MSI and Installers from there.  You’ll find it goes a lot more smoothly.

The built in templates for Smart Cards in CLM.   You’ll have to make a new one of course but make sure you add in your CA to it of course.  In addition make sure you add in (as available certificates) both CA Certificates for Smartcard Logins into the Template.  And of course into your CA.  Or you’ll wonder why the Smartcard doesn’t work so well.

Don’t try putting the Card reader/writer on the Server.  It won’t work.  It’s not meant to.  The whole process will run on a workstation, all the way to Windows 7 RC1.  Make sure both the ILM web site and the CLM web site are under your “TRUSTED SITES”.

If you are accessing any of the sites with a 64-bit version of Windows, you HAVE to use the 64-bit browser.

READ THE README NOTES!  This is a product in development and there are a lot of little bits to be done by hand.

You may have issues validating the CLM site.  It’s Kerberos based.  If your Kerberos isn’t quite up to snuff, you may have to disable that in Authentication under IIS7.  Not recommended, but it DOES work.

I recommend, if you’re trying things out, don’t go with fully automatic Server-assigned PINs.  Mine kept failing until I switched to User defined.  Reason?  The card may not recognize the complexity of the PIN code, and it generates a weird “Makes no sense” error when it happens.

When you need to compile the DLL for ObjectSidString, the source code is older than the compiler.   The solution is A) get a real Developer to compile it and supply him with lunch or B) download Visual C# 2008 Express and compile with that.  It wasn’t that difficult really.  And I’m not a Dev.

When you’re editing your Management Agents, you might find you get a 0x8-something-or-other permissions error.   I found exporting the agents first to an XML file saves you a lot of time later when you say “AIAIGHAGH” and have to delete and restart again.

In the documentation, when they say “Fabrikam.com” they don’t always mean the REAL domain name, they are sometimes referencing the “Set Name”.   The documentation is getting better but it needs more work.   But that doesn’t mean you won’t figure it out.

There is NO stock Management Agent installed for ILM.  You’ll have to make one yourself.   I drew out (as best I could) a pretty OK relationship between AD / the Metaverse / ILM to help get things to match up.    Hope this helps somebody.

| Active Directory Names | Metaverse Names | ILM Directory Names |
|---|---|---|
| sAMAccountName | AccountName | AccountName |
| | AD_UserCannotChangePassword | AD_UserCannotChangePassword |
| streetAddress | Address | Address |
| assistant | Assistant | Assistant |
| | AuthNWFLockedOut | AuthNWFLockedOut |
| | AuthNWFRegistered | AuthNWFRegistered |
| l | City | City |
| company | Company | Company |
| | CostCenter | CostCenter |
| | CostCenterName | CostCenterName |
| co | Country | Country |
| | Creator | Creator |
| | DeletedTime | DeletedTime |
| department | Department | Department |
| description | Description | Description |
| | DetectedRulesList | DetectedRulesList |
| displayName | DisplayName | DisplayName |
| | Domain | Domain |
| mail | Email | Email |
| | EmployeeEndDate | EmployeeEndDate |
| employeeID | EmployeeID | EmployeeID |
| | EmployeeStartDate | EmployeeStartDate |
| employeeType | EmployeeType | EmployeeType |
| | ExpirationTime | ExpirationTime |
| givenName | FirstName | FirstName |
| | IsRASEnabled | IsRASEnabled |
| title | JobTitle | JobTitle |
| sn | LastName | LastName |
| | LastResetAttemptTime | LastResetAttemptTime |
| | LoginName | LoginName |
| mailNickname | MailNickname | MailNickname |
| | Manager | Manager |
| | MiddleName | MiddleName |
| | MobilePhone | MobilePhone |
| objectSid | ObjectID | ObjectID |
| | ObjectSID | ObjectSID |
| | ObjectType | ObjectType |
| facsimileTelephoneNumber | OfficeFax | OfficeFax |
| | OfficeLocation | OfficeLocation |
| telephoneNumber | OfficePhone | OfficePhone |
| | | Owner |
| photo | Photo | Photo |
| postalCode | PostalCode | PostalCode |
| | ProxyAddressCollection | ProxyAddressCollection |
| | Register | Register |
| | RegistrationRequired | RegistrationRequired |
| | ResetPassword | ResetPassword |
| sIDHistory | SIDHistory | SIDHistory |
| objectsid | objectSidString | objectsidstring |
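As an added example (not code from the original post or from the ILM product), here is how the AD attributes in the left-hand column of the mapping above can be read for one account and relabelled with their Metaverse names from PowerShell. It also covers the objectSid-to-string conversion that the separately compiled ObjectSidString DLL mentioned earlier provides, using the .NET SecurityIdentifier class instead. It assumes a domain-joined machine with read access to the user object; the account name `jdoe` and the `$map` table (built only from rows where the table gives an AD name) are constructed for illustration, and `[adsisearcher]` is used rather than the ActiveDirectory module so it runs on PowerShell 1.0/2.0.

```powershell
# Added example (not from the original post): read the AD attributes from the mapping
# table for one account and emit them under their Metaverse names, including objectSid
# converted to its "S-1-5-21-..." string form.
# Assumptions: domain-joined machine, read access to the user object; the sample account
# "jdoe" and the attribute map are constructed for illustration.

param(
    [string]$SamAccountName = "jdoe"   # assumed sample account
)

# AD attribute -> Metaverse attribute, from the first two columns of the table above
$map = @{
    sAMAccountName           = "AccountName"
    streetAddress            = "Address"
    assistant                = "Assistant"
    l                        = "City"
    company                  = "Company"
    co                       = "Country"
    department               = "Department"
    description              = "Description"
    displayName              = "DisplayName"
    mail                     = "Email"
    employeeID               = "EmployeeID"
    employeeType             = "EmployeeType"
    givenName                = "FirstName"
    title                    = "JobTitle"
    sn                       = "LastName"
    mailNickname             = "MailNickname"
    facsimileTelephoneNumber = "OfficeFax"
    telephoneNumber          = "OfficePhone"
    postalCode               = "PostalCode"
}

# [adsisearcher] is the System.DirectoryServices.DirectorySearcher type accelerator;
# it needs no extra module and defaults to the current user's domain as the search root.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.AddRange([string[]](@($map.Keys) + "objectSid"))
$result = $searcher.FindOne()
if ($result -eq $null) { throw "No user with sAMAccountName '$SamAccountName' found" }

$metaverse = @{}
foreach ($adName in $map.Keys) {
    # ResultPropertyCollection keys are lower-case, and every value is a collection,
    # even for single-valued attributes
    $key = $adName.ToLower()
    if ($result.Properties.Contains($key)) {
        $metaverse[$map[$adName]] = [string]$result.Properties[$key][0]
    }
}

# objectSid arrives as a byte array; SecurityIdentifier turns it into the SDDL string
# that the objectSidString column expects, with no separately compiled DLL.
$sidBytes = [byte[]]$result.Properties["objectsid"][0]
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
$metaverse["ObjectSidString"] = $sid.Value

$metaverse.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Save it as a .ps1 and run it as `.\Get-MetaverseAttributes.ps1 -SamAccountName someuser` (the file name is arbitrary); attributes that are empty in AD are simply absent from the output, which is also how the Management Agent treats them.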


I’m working on more details as I can; this honestly is really “Rough notes”, but if you’re new to ILM here’s what I ran across.  Also, here are some excellent links if you need to know a lot more than I could ever provide.

The IDA Guys - Identity Management Experts at Microsoft

The Identity Lifecycle Manager TechCenter on Technet

Identity Lifecycle Manager 2 Forums on Microsoft – Need an Answer ? LOOK HERE!

ILM 2 RC0 Multiforest Management

(Note this entire article assumes TWO separate domains, think one and skip everything referring to the other Domain if you’re working in a single domain Environment)

ILM "2" (Release Candidate) Password Reset and Registration

(This is the walkthrough to get the Password Reset feature setup in ILM2 RC0)

And when you get to the Community area, check out the ILM MVPs.  These are the absolute EXPERTS on ILM.   They use it in the field.  They have their own blogs which REALLY show you how to get the most out of ILM.

Sean
The Energized Tech

I ran into a small problem when backing up a Child in Hyper-V that drove me nuts.    5 times out of 6 it would fail.

The Integration Services for Backup was installed properly but for whatever reason, Data Protection Manager 2007 would not back it up.

But another machine would.

I still haven’t nailed down the “why”.  I’m assuming there is too much going on with the Machine with SQL running on it, for it to get a solid window of quiet in Shadow Copy to get all the information.

But I did find an acceptable workaround in the moment.

First thing, for the particular virtual machine giving you problems with Data Protection Manager 2007, go into its settings in Hyper-V.  De-select “Backup” from under Integration Services.

Then in Data Protection Manager 2007, right-click on the particular object for the Child partition being backed up and select “Stop Protection of Member”.

In the Window coming up after this, choose “OK” and MAKE SURE 200% that the box marked “Delete replica on disk” is ***NOT CHECKED OFF***

This will remove the computer from the configuration for Data Protection Manager 2007.

Now go and RE-add the machine back into the configuration as you normally would in Data Protection Manager 2007.   You will find that the Hyper-V child is now being backed up using “Backup Using Saved State”.

The advantage is you will find this is a more consistent backup.  The drawback is that you ARE interrupting the normal operation of this machine for a moment as Hyper-V does a quick save and backup of the Child partition in question.

It will involve a deeper look to know the WHY but it is also just as highly critical to have a backup of the system.  

A second alternate solution I came up with would be to attach an additional VHD to the Machine in question (if you can’t interrupt its flow), run whatever native backup it has (Full Backup), and use the secondary VHD as a storage location for the data.

Cheers
Sean
The Energized Tech

A great teacher spoke to me today.   A challenge, a task.

A friend stuck in a bind.

“I have a series of Virtual Machines for Demos but they were prepared for Virtual PC.  I need them to run in Hyper-V and have to remove the Virtual Machine Additions...”

“But master!” I, the ignorant student, was about to burst out, “Just uninstall….”

“Ahhhh…” knowingly interrupted the Master. “But they are in Server 2008 Core environments”

A pause.

Just how DO you do that?

A quick search online found this excellent article, Uninstall applications from Server Core by Michael Greene, which yielded the answer.

But I decided to go, weeeellllll just a little overboard.

What CAN you do (say the installer is pooched, Murphy is having a particularly rotten day, whatever) to make sure the VMAdditions are dead and gone BEFORE Hyper-V?  Let’s just say you only have physical access to the VHD file.

Yeah.  Mr. Murphy at his prime.

I came up with a few extra bits of ammo.

Location in registry for Uninstall on VMAdditions

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E799CA03-7E46-4AE7-A7B6-E904CCFD1529}

Command line to uninstall

Uninstall

    MsiExec.exe /X{E799CA03-7E46-4AE7-A7B6-E904CCFD1529}

Command line to make changes (suspiciously the SAME! :} )

Modify

    MsiExec.exe /X{E799CA03-7E46-4AE7-A7B6-E904CCFD1529}


If you’d like to just make sure the VMAdditions can’t RUN the next time round

Process names to End Task

    VPCMAP.EXE
    VMUSRVC.EXE
    VMSRVC.EXE

Rename this folder:

    C:\Program Files\Virtual Machine Additions\

Here’s the start key in the Registry

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VMUserServices

Manually delete the entry for “VMUserServices”, or rename the contents by adding a “-” to the beginning of the Command Line.

Want to get MEAN and REALLY pull it out?

Fire up Notepad.exe (Yes, that’s in CORE)

Copy these contents into a file called “KILLIT.REG” and run that from a command line

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

That will stop it from loading automatically, permanently.  Be aware that the leading “-” in a .reg file deletes the whole key, so this removes EVERY program that autostarts from Run, not just VMUserServices; if anything else on that machine relies on a Run entry, delete only the VMUserServices value as described above instead.

And if ALL ELSE FAILS!

Copy these contents into a file called Deadkey.reg and run this from the command line.  This will remove it from “Add/Remove Programs” (which you really can’t see anyhow, but is referenced by uninstallers)

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E799CA03-7E46-4AE7-A7B6-E904CCFD1529}]


Honestly, the first option (uninstall with the provided lines) should just work and there is no need for drastic measures.

But by renaming the folder, killing the start key, stopping the tasks and running the two reg files (and rebooting afterwards), enough of Virtual Machine Additions SHOULD be removed that Hyper-V shouldn’t care.
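As an added example (not code from the original post), here is the same clean-up done from PowerShell in the order the post recommends: stop the processes, remove the autostart entry, let Windows Installer uninstall the product, and only if that fails take the “DeadKey” route and rename the folder. It differs from KILLIT.REG in that it removes only the VMUserServices value under Run, leaving every other autostart entry alone. It assumes PowerShell is present on the box (an optional feature on Server 2008 R2 Core; the original 2008 Core has only cmd.exe, where reg.exe and msiexec do the same jobs), that the shell is elevated, and that the product code is the one quoted above; the `.disabled` folder suffix is my own choice.

```powershell
# Added example (not from the original post): scoped removal of Virtual Machine Additions.
# Assumptions: PowerShell available, running elevated, product code as quoted in the post.

$productCode  = "{E799CA03-7E46-4AE7-A7B6-E904CCFD1529}"   # GUID from the post
$uninstallKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$productCode"
$runKey       = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$runValue     = "VMUserServices"
$addDir       = Join-Path $env:ProgramFiles "Virtual Machine Additions"

# 1. Stop the Additions processes named in the post (Get-Process takes names without .EXE)
foreach ($name in "VPCMAP", "VMUSRVC", "VMSRVC") {
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
}

# 2. Remove only the Additions autostart value; every other Run entry is left untouched
if (Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $runKey -Name $runValue
    Write-Output "Removed Run value $runValue"
}

# 3. Let Windows Installer do the uninstall first (/qn = silent, /norestart = reboot on our terms)
$exitCode = $null
if (Test-Path $uninstallKey) {
    $msi = Start-Process -FilePath msiexec.exe `
        -ArgumentList "/X$productCode", "/qn", "/norestart" -Wait -PassThru
    $exitCode = $msi.ExitCode
    Write-Output "msiexec exit code: $exitCode (0 = done, 3010 = done but reboot needed, 1605 = not installed)"
}

# 4. Only if Windows Installer failed: the "DeadKey.reg" step plus the folder rename, so
#    nothing of the Additions can start even though the MSI bookkeeping is now inconsistent
if ($exitCode -ne $null -and @(0, 3010, 1605) -notcontains $exitCode) {
    Remove-Item -Path $uninstallKey -Recurse -Force
    Write-Output "Removed Uninstall key $productCode"
    if (Test-Path $addDir) {
        Rename-Item -Path $addDir -NewName "Virtual Machine Additions.disabled"   # assumed suffix
        Write-Output "Renamed $addDir"
    }
}
```

Reboot afterwards, as the post says; the exit-code check in step 4 is what keeps the drastic measures from running when the ordinary uninstall already worked.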

Cheers
Sean
The Energized Tech