Wednesday, 28 September 2011

Script to get service tag from Dell device

I needed to get the service tag off my Dell laptop today, but I was in the middle of doing a million things, so didn’t fancy undocking it to look underneath.

So I put this quick VBScript together to get the service tag.

If you’re not running a systems management product such as SCCM, SCOM or SCE (which would collect the service tags for you), this may be useful when you need the tag from a remote host: change strComputer from "." (the local machine) to the host name. The WMI call needs administrator rights on the target and RPC/WMI allowed through its firewall.
Enjoy!

' Connect to WMI on the target machine; "." means the local computer.
' Change strComputer to a host name to read the tag from a remote machine.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' On Dell hardware the chassis serial number is the service tag.
Set colSMBIOS = objWMIService.ExecQuery _
    ("Select * from Win32_SystemEnclosure")
For Each objSMBIOS in colSMBIOS
    Wscript.Echo "Dell Service Tag: " & objSMBIOS.SerialNumber
Next
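The same query from PowerShell, run against a list of hosts in one go, as an added example that is not part of the original post. The host names are placeholders ("." is the local machine); it assumes you have local administrator rights on each target and that WMI/RPC is allowed through the target's firewall.

```powershell
# Added example, not from the original post: read the service tag from several
# machines at once over WMI. Host names are placeholders; '.' is the local machine.
$computers = @('.', 'LAPTOP01', 'LAPTOP02')

function Get-DellServiceTag {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            # Win32_SystemEnclosure.SerialNumber is what the VBScript above reads;
            # on Dell hardware Win32_BIOS.SerialNumber carries the same value and
            # is read here as a cross-check. Some chassis report more than one
            # enclosure instance, so take the first.
            $enclosure = @(Get-WmiObject -Class Win32_SystemEnclosure -ComputerName $computer -ErrorAction Stop)[0]
            $bios      = Get-WmiObject -Class Win32_BIOS -ComputerName $computer -ErrorAction Stop
            $system    = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $computer -ErrorAction Stop

            New-Object PSObject -Property @{
                ComputerName = $computer
                Manufacturer = $system.Manufacturer
                Model        = $system.Model
                ServiceTag   = $enclosure.SerialNumber
                BiosSerial   = $bios.SerialNumber
                Error        = ''
            }
        }
        catch {
            # Host down, RPC blocked or access denied: record it and carry on
            New-Object PSObject -Property @{
                ComputerName = $computer
                Manufacturer = ''; Model = ''; ServiceTag = ''; BiosSerial = ''
                Error        = $_.Exception.Message
            }
        }
    }
}

Get-DellServiceTag -ComputerName $computers |
    Select-Object ComputerName, Manufacturer, Model, ServiceTag, BiosSerial, Error |
    Format-Table -AutoSize
```

If ServiceTag and BiosSerial disagree, or either is blank, the machine is usually not a Dell or has had its board replaced without the tag being re-flashed; the Error column tells you which hosts you still need to walk over to.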

Sunday, 25 September 2011

Configuring default FTP logon domain

If you’re still stuck in the dark, insecure age of the internet and using FTP, you may want users to log in to your FTP site with their domain credentials.

By default the FTP service authenticates against the local user database on the server itself (unless the user enters the name in domain\username form). You can, however, configure IIS to use a domain by default.

Take caution in doing this though. If you’ve ever put an FTP server on the internet, take a look at the event logs: it will have been under brute-force attack within minutes.
While FTP authenticates locally the attack surface is small (a handful of local accounts). As soon as you point it at the domain, every domain account becomes a target, and every failed guess counts against the domain lockout policy, so an attacker can lock users out without ever getting in. Remember too that plain FTP sends the username and password in clear text, so those are now domain credentials on the wire.

You need to make sure you don’t have any accounts such as “test”, or users like “mary” with a password of “password” or any other dictionary word. You should also restrict the FTP site to the specific users that need access, so that if some other account is compromised it can’t be used to put data in the FTP directory.
With the above in mind, use an elevated command prompt to run the following on the FTP server (adsutil.vbs lives in %SystemDrive%\Inetpub\AdminScripts on IIS 6):

cscript adsutil.vbs set msftpsvc/DefaultLogonDomain "YourDomainName"
This will set the default logon domain for all FTP sites. Check it afterwards with cscript adsutil.vbs get msftpsvc/DefaultLogonDomain.
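Once the site authenticates against the domain, the thing to watch is who is hammering it. The following is an added example, not from the original post, that summarises rejected logons from an IIS 6 FTP W3C log so that a brute-force source or a lockout stands out. The log lines are constructed sample data; the field list, log location and threshold are assumptions you will need to adjust to your own site.

```powershell
# Added example, not from the original post: summarise rejected FTP logons from an
# IIS 6 FTP W3C log so that brute-force sources stand out. The log lines below
# are constructed sample data; a real log sits under
# %SystemRoot%\System32\LogFiles\MSFTPSVC1\ (the site ID may differ).
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-09-25 10:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2011-09-25 10:00:01 203.0.113.5 - [1]USER administrator 331 0
2011-09-25 10:00:01 203.0.113.5 administrator [1]PASS - 530 1326
2011-09-25 10:00:02 203.0.113.5 - [2]USER test 331 0
2011-09-25 10:00:02 203.0.113.5 test [2]PASS - 530 1326
2011-09-25 10:00:03 203.0.113.5 - [3]USER mary 331 0
2011-09-25 10:00:03 203.0.113.5 mary [3]PASS - 530 1326
2011-09-25 10:00:04 203.0.113.5 - [4]USER mary 331 0
2011-09-25 10:00:04 203.0.113.5 mary [4]PASS - 530 1909
2011-09-25 10:05:00 192.0.2.10 - [5]USER jsmith 331 0
2011-09-25 10:05:01 192.0.2.10 jsmith [5]PASS - 230 0
'@ -split "`r?`n"

function Get-FtpLogonFailure {
    param([string[]]$Lines)

    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column order comes from the header, so the parser follows whatever
            # fields the site was configured to log
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }

        $values = $line -split '\s+'
        $entry  = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }

        # A 530 reply to PASS is a rejected logon; sc-win32-status says why
        if ($entry['cs-method'] -like '*PASS' -and $entry['sc-status'] -eq '530') {
            $reason = switch ($entry['sc-win32-status']) {
                '1326'  { 'bad username or password' }   # ERROR_LOGON_FAILURE
                '1909'  { 'account locked out' }         # ERROR_ACCOUNT_LOCKED_OUT
                default { "win32 status $($entry['sc-win32-status'])" }
            }
            New-Object PSObject -Property @{
                Time   = "$($entry['date']) $($entry['time'])"
                Source = $entry['c-ip']
                User   = $entry['cs-username']
                Reason = $reason
            }
        }
    }
}

# Group failures by source address: many users from one address is a brute force
# or password spray, and any lockout means the attacker is already hurting users
$threshold = 3   # assumed; tune to your own traffic
Get-FtpLogonFailure -Lines $sampleLog |
    Group-Object Source |
    ForEach-Object {
        $users = @($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique)
        New-Object PSObject -Property @{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = $users.Count
            Lockouts      = @($_.Group | Where-Object { $_.Reason -eq 'account locked out' }).Count
            Suspicious    = ($_.Count -ge $threshold)
        }
    } |
    Select-Object Source, Failures, DistinctUsers, Lockouts, Suspicious |
    Format-Table -AutoSize
```

On the sample, 203.0.113.5 shows four failures across three accounts and one lockout, which is exactly the pattern that moves from "noise" to "block this address at the firewall and warn the owner of the locked account"; 192.0.2.10 never appears because its only PASS succeeded. Point $sampleLog at Get-Content of the real log to run it for real.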

Wednesday, 21 September 2011

Keeping up to date with technology (Specifically Microsoft)

There is plenty going on with Microsoft technology at the moment: Windows 8, Windows Server 8, cloud, Configuration Manager 2012, the list goes on.

Keeping up to date with these while still doing a day job is a struggle.
I use the RSS feed functionality in Outlook and subscribe to a select few blogs, so when something interesting comes along it’s dropped into my Outlook.

Below is a list of feeds that I use:

Ctrl P - The Data Protection Manager Blog! - http://blogs.technet.com/b/dpm/rss.aspx

Windows Server Division WebLog - http://blogs.technet.com/b/windowsserver/rss.aspx

Windows Virtualization Team Blog - http://blogs.technet.com/b/virtualization/rss.aspx

Forefront Team Blog - http://blogs.technet.com/b/forefront/rss.aspx

System Center Configuration Manager Team Blog - http://blogs.technet.com/b/configmgrteam/rss.aspx

Microsoft Forefront Unified Access Gateway Product Team Blog - http://blogs.technet.com/b/edgeaccessblog/rss.aspx

Microsoft Server and Cloud Platform Blog - http://blogs.technet.com/b/server-cloud/rss.aspx

TechNet Blogs - http://blogs.technet.com/b/MainFeed.aspx?Type=BlogsOnly

The Configuration Manager Support Team Blog - http://blogs.technet.com/b/configurationmgr/rss.aspx

The Microsoft Application Virtualization Blog - http://blogs.technet.com/b/appv/rss.aspx

The WSUS Support Team Blog - http://blogs.technet.com/b/sus/rss.aspx

Enterprise Strategy UK - http://blogs.technet.com/b/enterprise_strategy_uk/rss.aspx

Friday, 19 August 2011

Viewing queues on all hub transport servers in one handy PowerShell command

I can’t take any credit for this: a colleague and I came up with the idea that we needed a way of viewing the queues on all of our hub transport servers in one place, as opposed to having to connect to each one individually; it just so happened that he came up with the goods quicker than I did!

So what is the problem? The queue viewer in the EMC only displays the queues on the server you have selected, and the same goes for the Get-Queue cmdlet: you have to specify a hub transport server.

The solution: pipe the results of Get-ExchangeServer, filtered to return only hub transport servers, into Get-Queue, then sort by message count so the busiest queues are at the top.
Here it is – enjoy!

Get-ExchangeServer | Where-Object { $_.IsHubTransportServer -eq $true } | Get-Queue | Sort-Object MessageCount -Descending

Thanks Jon!

Monday, 1 August 2011

Creating a dynamic distribution group based on any Active Directory attribute in Exchange 2010

A common requirement for most businesses, I’m sure, is to be able to send a mail to all users who are located in a specific building.

A dynamic distribution group based on the Office attribute is surely the answer. Well, yes it is, but not using the Exchange Management Console.

I have the Office attribute set for each user within Active Directory.

However, if you use the Exchange Management Console to build your query, its options are limited and do not include the Office attribute.

Although it isn’t possible using the EMC, it can be done in PowerShell.

The New-DynamicDistributionGroup cmdlet’s own filter parameters only cover the attributes you see listed in the EMC; however, you can use -RecipientFilter to specify any filterable attribute you like.

The command below will create a dynamic distribution group called “Users in Example Office Name” which will contain any mailbox user whose Office attribute is set to “Example Office Name”:

New-DynamicDistributionGroup -Name "Users in Example Office Name" -OrganizationalUnit "domain.net/Users" -RecipientFilter { ((RecipientType -eq 'UserMailbox') -and (Office -eq 'Example Office Name')) }

The filter can be extended further with the -and operator. The command below would create the same dynamic distribution group, only the members would be those who are in the “Example Office Name” building AND whose manager is James Bond. Manager is stored as a link to the manager’s own AD object, so the filter compares it with the manager’s distinguished name rather than the display name (the DN below is a placeholder for your own directory):

New-DynamicDistributionGroup -Name "Users in Example Office Name" -OrganizationalUnit "domain.net/Users" -RecipientFilter { ((RecipientType -eq 'UserMailbox') -and (Manager -eq 'CN=James Bond,OU=Users,DC=domain,DC=net') -and (Office -eq 'Example Office Name')) }
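A filter typo produces a group that silently has no members, so it is worth testing the filter before building on it. The script below is an added example, not part of the original post: it previews the filter with Get-Recipient, creates the group, then reads the stored group back and resolves its membership. The office name, OU, domain and manager DN are placeholders. It also sets -RecipientContainer explicitly: in Exchange 2010 the container defaults to the OU the group is created in, so a group created under domain.net/Users would otherwise only ever match recipients in that OU.

```powershell
# Added example, not from the original post: test a recipient filter before
# building a group on it, then create the group and confirm the membership
# Exchange actually resolves. Office, OU, domain and manager DN are placeholders.
$office    = 'Example Office Name'
$groupName = "Users in $office"
$ou        = 'domain.net/Users'
$domain    = 'domain.net'
$managerDn = 'CN=James Bond,OU=Users,DC=domain,DC=net'

# Build the OPATH filter once so the preview and the group cannot drift apart
$filter = "(RecipientType -eq 'UserMailbox') -and (Office -eq '$office') -and (Manager -eq '$managerDn')"

# 1. Preview: who would match? Nothing is created yet.
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
Write-Host ("Filter matches {0} recipient(s)" -f $preview.Count)
$preview | Select-Object Name, Office, RecipientType | Format-Table -AutoSize

if ($preview.Count -eq 0) {
    Write-Warning 'Filter matches nobody; check the Office spelling and the manager DN before creating the group'
    return
}

# 2. Create the group with exactly that filter. RecipientContainer is set to the
#    domain root on purpose: left out, it defaults to the OU the group lives in.
New-DynamicDistributionGroup -Name $groupName -OrganizationalUnit $ou `
    -RecipientContainer $domain -RecipientFilter $filter | Out-Null

# 3. Verify from the stored object. Exchange rewrites the filter (it appends
#    exclusions for system mailboxes), so re-read it rather than trusting the input.
$group   = Get-DynamicDistributionGroup -Identity $groupName
$members = @(Get-Recipient -RecipientPreviewFilter $group.RecipientFilter `
                -OrganizationalUnit $group.RecipientContainer -ResultSize Unlimited)
Write-Host ("'{0}' currently resolves to {1} member(s)" -f $group.Name, $members.Count)
$members | Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize
```

Step 3 is the one to keep for later: re-running it against an existing group is the quickest way to answer "why did that person not get the mail?".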

Wednesday, 1 June 2011

A quick way to set calendar permissions using Powershell

A common request from users is to grant others access to their calendars.
You can either talk the user through this, or set up a new Outlook profile to open their mailbox and set it yourself using the GUI; both are time consuming.
This simple PowerShell command allows you to set permissions with ease:


Add-MailboxFolderPermission -Identity "USERNAME:\Calendar" -User "Username of person who needs access" -AccessRights Reviewer



The -Identity parameter is the mailbox whose calendar is being shared, written as mailbox:\Calendar, and the -User parameter is the person being given access to it. Two things catch people out: the folder name is the mailbox’s own, language-dependent one (check it with Get-MailboxFolderStatistics if the mailbox isn’t English), and if that user already has an entry on the folder the Add cmdlet fails, in which case use Set-MailboxFolderPermission to change the level instead.
The -AccessRights parameter is the level of access you wish to grant; the link below lists the available roles and the other parameters you can use:


http://technet.microsoft.com/en-us/library/dd298062.aspx
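Wrapping the one-liner in a function that deals with both of those gotchas, as an added example that is not part of the original post. The mailbox and delegate names are placeholders; it assumes Exchange 2010 cmdlets are loaded.

```powershell
# Added example, not from the original post: grant or adjust calendar access and
# read it back. Mailbox and delegate names are placeholders. Handles the two
# things that trip the one-liner up: a non-English calendar folder name, and an
# existing entry (Add-MailboxFolderPermission fails if the user already has one).
function Set-CalendarAccess {
    param(
        [string]$Mailbox,                  # whose calendar is being shared
        [string]$Delegate,                 # who gets access
        [string]$AccessRights = 'Reviewer'
    )

    # Find the default calendar by folder type rather than by its English name
    $calendar = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1
    $folderId = '{0}:{1}' -f $Mailbox, ($calendar.FolderPath -replace '/', '\')

    # Permission entries are listed by display name, so resolve the delegate's
    $delegateName = (Get-Recipient -Identity $Delegate).DisplayName
    $existing = Get-MailboxFolderPermission -Identity $folderId |
        Where-Object { "$($_.User)" -eq $delegateName }

    if ($existing) {
        Set-MailboxFolderPermission -Identity $folderId -User $Delegate -AccessRights $AccessRights
    } else {
        Add-MailboxFolderPermission -Identity $folderId -User $Delegate -AccessRights $AccessRights
    }

    # Read back what is now on the folder so the change can be confirmed
    Get-MailboxFolderPermission -Identity $folderId | Select-Object FolderName, User, AccessRights
}

Set-CalendarAccess -Mailbox 'mary' -Delegate 'jsmith' -AccessRights Reviewer
```

The read-back at the end is also the audit: the Default and Anonymous entries tell you what everyone in the organisation already sees of that calendar, which is often the real answer to the access request.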

Friday, 13 May 2011

Using a PAC file to set proxy settings

There are many ways to configure proxy settings: via a GPO, as part of a build, or with an application.

Proxy settings cause problems for mobile users when they use their device away from the corporate LAN: the proxy server is not reachable, which renders the browser unusable (unless, of course, DirectAccess has been implemented).

There are many solutions to this problem; some common ones are:
1. Teach users to enable and disable proxy settings. This is not the most elegant solution, is likely to cause a fair number of support calls, and also means proxy settings cannot be enforced.

2. Run a third-party app that users can click on to select proxy on or proxy off. I’m not a fan of these types of application that sit there and use up resources for no real reason.

3. Run a login script that sets the proxy if you are connected to the corporate LAN, and doesn’t if you are not. This is a long-winded way of doing it, and is not 100% effective.

In my opinion, the most effective and efficient way of configuring proxy settings is to use a proxy auto-config (PAC) file.
A PAC file contains a JavaScript function, FindProxyForURL(url, host). The browser calls it for each request, and it returns a string with one or more access method specifications that tell the user agent to use a particular proxy server or to connect directly.

You configure your browser (this works in all popular browsers) to use a script to configure proxy settings, and that setting stays in place permanently. If the PAC file is placed on a web server reachable only from the corporate LAN, then when the user is away from the LAN the file cannot be fetched, the browser falls back to a direct connection, and no proxy is used.


When the user is within the LAN, the file is found and the proxy settings configured.
Some say that a login script can achieve this too; however, a login script only takes effect when the user logs in.


Take a scenario where a user is in the office, closes the lid on his or her laptop, gets on the train, then opens the lid and connects via 3G.
If proxy settings were configured with a login script, the office proxy settings would still be present unless the user logged off and on again.
With the PAC method in place, the browser fetches the script again when the connection changes and runs it for each request, so on the train it would fail to find the config file and connect directly.

Below is an example PAC file which can be modified to suit your needs. It could be further extended to look at the current IP of the client and return a different proxy depending on where the client is: if the client is within an IP range associated with the Paris office, the Paris proxy would be returned, and if the client is on a New York range, the New York proxy. Bear in mind that the PAC file is script executed by every browser that loads it, and whoever can change it decides where all of your users’ web traffic goes, so restrict who can write to the web server hosting it as carefully as you would the proxy itself.


function FindProxyForURL(url, host)
{
    // Hosts that bypass the proxy: plain (unqualified) names, the local machine,
    // one named site, one whole domain and one internal IP range
    if (isPlainHostName(host) ||
        (host == "127.0.0.1") ||
        (host == "www.a-whole-domain.com") ||
        (shExpMatch(host, "*.a-entire-domain.com")) ||
        (shExpMatch(host, "10.20.30.*"))) {
        return "DIRECT";
    } else {
        // Everything else goes via the corporate proxy
        return "PROXY proxy-server.domain.com:8080";
    }
}



Within this file, the IP range 10.20.30.0 - 10.20.30.255 is accessed directly (bypassing the proxy), as is the site www.a-whole-domain.com; anything under the domain a-entire-domain.com also bypasses the proxy. Everything else is directed at the proxy server proxy-server.domain.com on port 8080. Note that shExpMatch only tests the host text as it appears in the URL, so a server in 10.20.30.0/24 that the user reaches by name would still go via the proxy; isInNet(dnsResolve(host), "10.20.30.0", "255.255.255.0") catches that case, at the cost of a DNS lookup for every request.
Add additional sites to the proxy bypass list by copying an existing line and pasting it below.


WPAD could also be used: rather than being configured with the PAC URL, the browser discovers it automatically (via DHCP option 252 or a host called wpad in DNS) and downloads the same kind of file. In my experience an explicitly configured PAC URL is more flexible and changes take effect instantly, and it avoids the well-known weakness of WPAD, where any machine on the network that can answer the wpad name lookup can hand your browsers a proxy of its choosing.

Tuesday, 25 January 2011

Using PowerShell to grant access to all user mailboxes, or a whole Exchange database

You may have a requirement to be able to open any user’s mailbox in your Exchange 2010 environment.

The first thing to consider is how you will control access: will you add individual users, or a security group with the users in it?
A security group is by far the most efficient and tidiest, so this post assumes you are using a security group. Whichever you choose, this is full access to every mailbox in the organisation, so keep that group small and review its membership regularly.

Method one

The first option is to give the security group full access to all user mailboxes

Advantage

The permissions will follow the mailbox around when it is moved between databases

Disadvantage

You will have to apply the permission to all new users you create

To use this method, use the Exchange Management Shell (EMS, the PowerShell session with the Exchange cmdlets loaded) to get all the mailboxes in your organisation, then pass each one to the command that sets the permission:




# Loads the Exchange 2010 cmdlets when run from a plain PowerShell window; not needed
# inside the EMS itself. (Exchange 2007 uses Microsoft.Exchange.Management.PowerShell.Admin.)
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

# Without -ResultSize Unlimited only the first 1000 mailboxes are returned
$userAccounts = Get-Mailbox -ResultSize Unlimited

ForEach ($user in $userAccounts)

{

Add-MailboxPermission -Identity $user -User "Your Security Group Name" -AccessRights FullAccess

}


Method two:
The second option is to apply the permission to the Exchange mailbox database, so that all mailboxes within that database inherit it.
Advantage

All new mailboxes created in that database automatically inherit the permissions set on the database

Disadvantage

If different permissions are set on different databases, then when a mailbox is moved it takes on the permissions of the destination database and loses those of the original.

Use EMS to run the following command. GenericAll is full control over the database object in Active Directory, which is more than is needed just to open mailboxes; if that is all the group should be able to do, grant -ExtendedRights Receive-As instead. Either way the Information Store caches these permissions, so expect a delay before the change takes effect.


Add-ADPermission -Identity "YourDatabaseName" -User "Your Security Group Name" -AccessRights GenericAll
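Whichever method you use, you will want to preview what the grant touches and, afterwards, be able to list who actually holds full access. The script below is an added example, not part of the original post: it wraps method one in a function with a dry run, and adds an audit that lists every explicit FullAccess entry across all mailboxes, ignoring the owner and the built-in Exchange principals. The group name is a placeholder and the exclusion pattern is an assumption to tune for your own directory.

```powershell
# Added example, not from the original post: grant a group FullAccess with a dry
# run first, then audit who actually holds FullAccess so that the grant (and any
# stray ones) can be reviewed. The group name is a placeholder.
$group = 'Your Security Group Name'

function Grant-GroupFullAccess {
    param([string]$Group, [switch]$WhatIf)

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        # -WhatIf:$WhatIf lets the same function do a dry run or the real thing
        Add-MailboxPermission -Identity $_.Identity -User $Group -AccessRights FullAccess `
            -InheritanceType All -WhatIf:$WhatIf
    }
}

function Get-FullAccessHolders {
    # Explicit (non-inherited, non-deny) FullAccess entries, ignoring the owner
    # (NT AUTHORITY\SELF), orphaned SIDs and the Exchange server groups that
    # every mailbox carries. The pattern is an assumption; adjust for your domain.
    $ignore = '^(NT AUTHORITY\\SELF|S-1-5-|.*\\Exchange )'
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mailbox = $_
        Get-MailboxPermission -Identity $mailbox.Identity |
            Where-Object {
                ($_.AccessRights -like '*FullAccess*') -and
                (-not $_.IsInherited) -and
                (-not $_.Deny) -and
                ($_.User.ToString() -notmatch $ignore)
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox = $mailbox.PrimarySmtpAddress.ToString()
                    User    = $_.User.ToString()
                }
            }
    }
}

# Dry run: prints every mailbox that would be touched, changes nothing
Grant-GroupFullAccess -Group $group -WhatIf

# Uncomment to apply for real:
# Grant-GroupFullAccess -Group $group

# Audit: any user here other than $group deserves an explanation
Get-FullAccessHolders | Sort-Object Mailbox | Format-Table Mailbox, User -AutoSize
```

Run the audit on a schedule and diff its output against the last run; full-access grants made by helpdesk staff for "temporary" reasons are the ones that never get removed.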

Wednesday, 24 November 2010

Draining sessions from Remote Desktop Session Hosts / Terminal Servers

Maintaining terminal servers (or Remote Desktop Session Hosts, as they are known now) in today’s world, when users require access 24/7, is a challenge. Setting up an RDS farm with a session broker will give you load balancing and fault tolerance. (I will write more about Remote Desktop farms and session brokers in another article.)
However, notice I say “fault tolerance”: this doesn’t mean that you can reboot session hosts without affecting users, it just means that your system will tolerate the failure of a session host. The users who were connected to the rebooted (or failed) session host will lose what they were working on and will have to reconnect.
The nature of a session broker is that it tries to distribute sessions evenly across all members of a farm; this is great, apart from when you want to reboot a session host without annoying your users.
There is no “live migration” of RDS sessions: once a user is on a host, that’s where they stay until they log off.
So how do you free up a session host to perform maintenance on it? Firstly, you will need to plan your work in advance.
You can then use the chglogon command (short for change logon) to begin “draining” sessions. There are several drain modes, but draining basically means the session host stops accepting new connections. As users log off they cannot establish a new logon to the draining host, so they land on another session host, and eventually the host you are draining has no users logged into it.
There are five switches for the chglogon command:
/query - tells you what mode the session host is currently in
/enable - allows users to establish connections to the session host
/disable - doesn’t allow any new connections, or reconnections to an existing session
/drain - doesn’t allow any new connections, but does allow users to reconnect to an existing session
/drainuntilrestart - does the same as /drain, but reverts to /enable after a reboot
NOTE: the /disable switch will also stop you reconnecting to the server via RDP. Make sure you have access to the console by some means other than RDP, or use the Remote Desktop Session Host Configuration tool from another RDS server to change the setting back.
These commands could be used to help with automated updates. You could configure RDS1 to install updates automatically on a Saturday at 6 PM, then create a scheduled task to run chglogon /drainuntilrestart on the Friday at 6 AM.
This would hopefully mean that by Saturday at 6 PM there were no users left on RDS1 and it would be safe to reboot automatically after the update installation. Don’t take that on trust though: a disconnected session still counts, and a user who closed the lid on Friday afternoon will lose that session when the host reboots, so check for remaining sessions before the reboot goes ahead.
You could then use the same method with RDS2, RDS3 etc., but on different days, to keep the RDS farm available throughout.
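Putting that together, as an added example that is not part of the original post: the scheduled task that starts the drain, and a check that parses the output of query session so a reboot only goes ahead when no user session, active or disconnected, is left. The host name and times are placeholders, and the query session text in the script is constructed sample output standing in for what the real command returns.

```powershell
# Added example, not from the original post: create the Friday drain task and
# check that the host really is empty before an update is allowed to reboot it.
# Host name and times are placeholders; the "query session" text is constructed
# sample output standing in for what the real command returns.

# 1. Scheduled task on RDS1: drain until the next restart, every Friday at 06:00
#    (runs as SYSTEM; chglogon needs administrator rights)
schtasks.exe /Create /S RDS1 /RU SYSTEM /SC WEEKLY /D FRI /ST 06:00 `
    /TN "RDS drain before patching" /TR "chglogon /drainuntilrestart" /F

# 2. Turn "query session" output into objects using the header's column offsets,
#    which copes with the blank session name a disconnected session shows
function ConvertFrom-QuerySession {
    param([string[]]$Lines)

    $header   = @($Lines | Where-Object { $_ -match 'SESSIONNAME' })[0]
    $userCol  = $header.IndexOf('USERNAME')
    $idEnd    = $header.IndexOf('ID') + 2
    $stateCol = $header.IndexOf('STATE')

    foreach ($line in $Lines) {
        if ($line -match 'SESSIONNAME' -or $line.Trim() -eq '') { continue }
        $padded = $line.PadRight($stateCol + 1)
        # The user name column and the right-aligned ID share a window; the ID is
        # the last token in it and the user name, if present, the first
        $middle = @($padded.Substring($userCol, $idEnd - $userCol).Trim() -split '\s+')
        $user   = if ($middle.Count -ge 2) { $middle[0] } else { '' }
        New-Object PSObject -Property @{
            SessionName = $padded.Substring(0, $userCol).TrimStart('>').Trim()
            UserName    = $user
            Id          = [int]$middle[-1]
            State       = @($padded.Substring($stateCol).Trim() -split '\s+')[0]
        }
    }
}

# 3. A host is safe to reboot only when no user session, active or disconnected,
#    remains; the listener and services sessions carry no user and don't count
function Test-SessionHostDrained {
    param([string[]]$QueryOutput)
    $remaining = @(ConvertFrom-QuerySession -Lines $QueryOutput | Where-Object { $_.UserName -ne '' })
    $remaining | Format-Table SessionName, UserName, Id, State -AutoSize | Out-Host
    return ($remaining.Count -eq 0)
}

# Constructed sample; in production use:  $output = query session /server:RDS1
$output = @(
    ' SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE',
    ' services                                    0  Disc',
    '>console           administrator             1  Active',
    ' rdp-tcp#3         jsmith                    2  Active  rdpwd',
    '                   mary                      3  Disc',
    ' rdp-tcp                                 65536  Listen'
)

if (Test-SessionHostDrained -QueryOutput $output) {
    Write-Host 'RDS1 is drained; safe to let the update reboot it'
} else {
    Write-Warning 'RDS1 still has user sessions; postpone the reboot'   # what the sample gives
}
```

Run step 3 from the update job itself (or a task a few minutes before the reboot window) and have it exit non-zero when sessions remain; mary’s disconnected session in the sample is exactly the kind that a naive "any active users?" check would miss.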

Monday, 25 October 2010

Using dsget and dsrm to delete users who are members of a group from Active Directory

I use the “DS” set of commands almost daily; they are a very powerful set of tools which allow the output of one to be piped into another.

In this example, we are going to use the dsget command to retrieve the list of users in a security group, then pipe the result into dsrm to delete them.
This can be useful in an educational environment where lots of users leave at once and hundreds of accounts need removing, or in the current corporate climate, when an entire department disappears!


Before jumping in at the deep end, I recommend seeing what results you are going to pipe into dsrm, so run the dsget command on its own.

dsget group "cn=year13,ou=groups,ou=myschool,dc=domain,dc=suffix" -members -expand

This will return the members of a group called “Year13” which is in an OU called “Groups”, which is within an OU called “myschool”, which is in the domain domain.suffix.

You are telling dsget that it is looking at a group by specifying group after dsget. The switches at the end are also important:

-members tells dsget to return the members of the group
-expand expands nested groups recursively, so the members of any group inside Year13 are listed too. Look at that list carefully: it contains whatever is a member, not only user accounts (computers, contacts and nested groups can be members too), and dsrm will delete every DN it is handed.

If you are happy with the results returned, you can pipe them into dsrm. Piping is just like typing something into a command yourself, only you’re letting the previous command do the work.

To get the pipe character, hold shift and press your backslash key.

dsget group "cn=year13,ou=groups,ou=myschool,dc=domain,dc=suffix" -members -expand | dsrm -noprompt

The -noprompt parameter stops dsrm asking you to confirm before deleting each object. If you’re deleting a large number of objects this is well worth using (as long as you are confident the results output by dsget are correct). Bear in mind that dsrm is a hard delete: unless the forest has the AD Recycle Bin enabled (2008 R2 forest functional level), getting those accounts back means an authoritative restore from backup.
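The same job with the Active Directory module (Server 2008 R2 / RSAT), as an added example that is not part of the original post. It does what the dsget-then-dsrm procedure does but in three stages, keeping only user objects, writing the list out as a record, and dry-running the delete before anything is removed. The group name and export path are placeholders.

```powershell
# Added example, not from the original post: the same job with the Active
# Directory module, done in three stages so that the list is reviewed and kept
# before anything is deleted. Group name and export path are placeholders.
Import-Module ActiveDirectory

$group  = 'Year13'
$export = 'C:\Temp\year13-leavers.csv'

# 1. Enumerate recursively (the dsget -expand equivalent), but keep only user
#    objects: computers or contacts in the membership must not go with the pupils
$leavers = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties whenCreated, lastLogonDate |
    Sort-Object SamAccountName

# 2. Record what is about to go; this CSV is the audit trail and the recovery list
$leavers | Select-Object SamAccountName, DistinguishedName, whenCreated, lastLogonDate |
    Export-Csv -Path $export -NoTypeInformation
Write-Host ("{0} user accounts listed in {1}; review before continuing" -f @($leavers).Count, $export)

# 3. Dry run first: -WhatIf prints each deletion without performing it.
#    When satisfied, swap it for -Confirm:$false to delete without prompting.
$leavers | Remove-ADUser -WhatIf
# $leavers | Remove-ADUser -Confirm:$false
```

A recent lastLogonDate in the CSV is the thing to look for before running step 3 for real: a pupil who logged on yesterday is probably in the wrong group.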