microsoft | Electric Monk

Archive for microsoft

Upgrading Windows Server 2008R2 Editions With DISM

July 9, 2015 Upgrading Windows Editions No comments

The Task

We are currently running Windows 2008 R2 Standard Servers and we want to change the edition or upgrade to Windows 2008 R2 Enterprise to take advantage of being able to add over 32GB RAM to our VMs.

Please note the following:

You can only do upgrades. You CANNOT downgrade
The server you upgrade cannot be a domain controller (demote, upgrade, promote)
This works on Standard, Enterprise edition, both full & core installations.
You cannot switch form core to full or vice versa. It’s edition upgrade only, not for switching type of install.

Supported Upgrade Paths

Windows Server 2008 R2 Standard> Windows Server 2008 R2 Enterprise -> Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Standard Server Core> Windows Server 2008 R2 Enterprise Server Core> Windows Server 2008 R2 Datacenter Server Core
Windows Server 2008 R2 Foundation> Windows Server 2008 R2 Standard

Using DISM

Deployment Image Servicing and Management. DISM is an extremely useful tool which lets you upgrade editions of an operating system without having to attach an iso and upgrade this way.

Instructions

Log into your server
Open a Command Prompt
Type the following to find current edition for your server

Type the following to get the target editions for your server

Type the following to upgrade the edition of your operating system. You will need your license key. If you don’t know it then if you have an edition of the O/S on another server you want to upgrade to, you can use a small piece of software called Jellybean Keyfinder which can detect keys. A very useful piece of software.
Note I have blanked out our key

Please reboot and it will go through a short process of upgrading.
Check the Edition of Windows when you are back in the system.

Link for DISM

https://technet.microsoft.com/en-us/library/dd744380%28WS.10%29.aspx

Link for Jellybean Keyfinder

https://www.magicaljellybean.com/keyfinder/

Using SQL Server Copy Database Wizard

July 3, 2015 SQL Server No comments

The Task

Move our SCOM DB from a Windows 2003 server running SQL 2005 to a Windows 2008 R2 server running SQL 2008.

The Plan

SQL Server has a copy Database functionality. The Copy Database Wizard provides a convenient way to transfer, move or copy, one or more databases and their objects from an SQL Server 2000 or SQL Server 2005 instance to an instance of SQL Server 2005 or higher.

You can use the Copy Database Wizard to perform the following tasks:

Transfer a database when the database is still available to users by using the SQL Server Management Objects (SMO) method.
Transfer a database by the faster detach-and-attach method with the database unavailable during the transfer.
Transfer databases between different instances of SQL Server 2005.
Upgrade databases from SQL Server 2000 to SQL Server 2005.

Requirements

The destination server must be running SQL Server 2005 Service Pack 2 or a later version. The computer on which the Copy Database Wizard runs may be the source or destination server, or a separate computer. This computer must also be running SQL Server 2005 Service Pack 2 or a later version to use all the features of the wizard.
To use the Copy Database Wizard, you must be a member of the sysadmin fixed server role on the source and destination servers. To transfer databases by using the detach-and-attach method, you must have file system access to the file-system share that contains the source database files

Considerations

Instructions

Open SQL Server Management Studio.
In Object Explorer, expand Databases, right-click a database, point to Tasks, and then click Copy Database.

Click Next

Select the Database you want and choose the authentication

Select a destination server. You may need to browse for other servers. E.g I want to copy a database from my server dacvsq001 to dacvsql002

If you get an error saying “Index was outside the bounds of the array” you may need to install a higher version of SQL Management Studio on the source server
You can select to transfer while the DB is offline or online

Next select the database you want to copy or move

Here you can change the name of the database and also select the location of the database and logs to copy or move

Next you can select additional objects to copy

Specify a file share containing the source database files

Configure the package

Run immediately or schedule the job

Check the details you have configured and click Finish

Installing Windows 2012 RDS Roles (License Server, Connection Broker, RD Session Host and RD Web Access)

June 16, 2015 Terminal Services No comments

Instructions

Log into your server
Click on Dashboard and under Configure this local server, select Add roles and features

Choose Role based or feature-based installation

Select the destination server for these roles

Select Remote Desktop Services. Click Next

Select any features as required

Read the description and click Next

Select Role Services
If you choose the Connection Broker role, it will prompt you to install Windows Internal Database

Choose the RDS Services you need. Note. I am installing 4 roles today

You will see a Web Server (IIS) page. Click Next

Select Role Services. This shows the IIS role services. Leave as they are for now.

Check the Confirm Installation Selections Page. I would tick Restart the destination server automatically if required.

To Activate the Licensing Server, Go to Tools > Terminal Services and Launch Remote Desktop Licensing Manager.
You will see it is not activated

Right click on the server and select Activate Server

This will bring up the Welcome to the Activate Server Wizard

You will now see the Connection Method screen

You will need to fill in your company information followed by some optional information. When you have done this click Next. It should then activate your server and ask you if you want to install Licenses

You will now see the Welcome to the Install Licenses Wizard
Note you can go try to go through this as we did but it didn’t work with web enrolment. It may work with your setup
We had to go back to the Licensing manager and right click on the server > select properties and then change the connection method to Telephone and activate our TS User CALs this way.
We the used the below link to call Microsoft to activate our licenses who then gave us back a product key to put in the Install Licenses wizard.

You will now see the License Program Page
Select your License Program. In our case it is Service Provider License Agreement
Depending on what option you select you will require enrollment numbers or agreement numbers etc

Choose your O/S
Choose whether it is Per Device/Per User or VDI Suite.
In our case it was 20 Per User Licenses

Click Next and you will see
Now go back to your RD Licensing Manager screen and click on Review.

You will see this page

You need to be a Domain Admin to add the license server to the Terminal Servers group in AD

Note at this point if you haven’t managed to activate your user CALs then this the point I mentioned earlier about going to the properties of the server and selecting telephone, phoning Microsoft and getting a key from them to put in the Install Licensing Wizard

Next go back to your 2012 Dashboard and select Add Roles and Features

Choose Remote Desktop Services Installation

You will now be on the Select Deployment Type page. Select your broker server and choose Standard Deployment

On the Select Deployment Scenario choose Session-based desktop deployment

You will find that the roles we previously installed will come up here
Click Next

It will say the RD Connection Broker Server already exists
Click Next

On the Specify RD Web Access Server, put a tick in the box which says “Install the RD Web Access role service on the RD Connection Broker server

On the Specify RD Session Host servers, select the machine you want the RDS Session host role to be on

Check the Confirm Selections and tick to Restart the destination server automatically if required followed by clicking on Deploy

It should start to install

Once the RDS Roles are installed, we see the graphical description of our environment, the roles installed on each of the servers and the FQDN names of each server on the Overview page
In case you are trying to find the tools that used to be available on a server running the RD Session Host….You can stop looking. The tools Remote Desktop Session Host Configuration and Remote App Manager have been removed from the RD Session Host role in Windows Server 2012. Instead, most of the settings can now be configured using the new Server Manager console, or using the new PowerShell module RemoteDeskop. For other settings, you can still use GPO’s.

Next, we will configure the Session Host
Go to Server Manager > Remote Desktop Services > Overview
Click on RD Session Host > Tasks > Edit Deployment Properties
Ignore RD Gateway
On the RD Licensing page select your licensing mode and put in your license server

You can check your RD License Server configuration in Powershell by running the below

You may find that your licensing errors and says “The licensing mode for the remote desktop session host server is not configured”
If this is the case, you will need to open gpedit.msc and navigate to the 2 locations below
Navigate until : Computer Configuration | Administrative Template | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing
Modify Use the specified Remote Desktop License Servers and put in the license server
Modify the Remote Desktop Licensing mode to Per User or Per Device depending on your agreement
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing

Next On to Session Collections.
Go to Server Manager > Remote Desktop Services > Collections
Note: The Connection Broker connects and reconnects users to their virtual desktops, RemoteApp-published applications and session-based desktops. It’s a mandatory RDS component in Windows Server 2012, and it’s installed by default when you deploy Remote Desktop Services. The Connection Broker load-balances requests to RD Session Host servers in a session collection or to virtual desktop pools
Click Tasks > Create Session Collection
Collections are a logical grouping of Remote Desktop Servers that provides either session-based or virtual machine-based (VDI) deployments.
Each Session host that’s a member of an RDS collection is limited to only participating in one collection.

Click Next

Put in a name and description

Specify the RD Session Hosts you want to add to this collection

Specify the User Groups

Specify user profile disks – Uncheck the Enable user Profile Disks checkbox and hit next.

Confirm Selections

You might also want to look into certificates which is accessed from Server Manager > Remote Desktop Services > Overview > Tasks > Edit Deployment Properties

Select Certificates

More information can be found on Microsoft’s webpages 🙂

Some other important information

We also had 2 Terminal servers in this setup which were on a different network. I had to do the following

Go to Server Overview
Go to Add other Servers to manage

Search and add the servers you need

Once these are added, Go to Server Manager > Remote Desktop Services and add these servers which should now appear. Be careful as it will install the RD Session host role and will reboot the servers.

Load Balancing

If you want full load balancing, your users can use RD Web Access. The GUI for the remote desktop client (on any platform) does not have a way to specify the collection. Connecting to the RD Connection Broker will not load balance, nor would connecting to any RD Session Host server directly. You can manually edit an .rdp file to specify the collection and that process works, but is convoluted for end users. RD Web Access has become the preferred method for disseminating .rdp connection info in 2012 to accommodate the change to collections and the RDCB role.

RD LIcensing Manager

You may notice there is an expiry period on issued licenses in RD LIcensing Manager

The time is based on the minimum transfer rights in the license agreement which is a Service Provider Agreement. (IBM’s licensing agreement from Microsoft) In this case 60 days.

The license agreement is a part of the purchase. It varies by region and by how you purchased it. It is a legally binding document and describes how the purchased product can be used. For example, an OEM server license offend includes the stipulation that it cannot be transferred to a new machine at all. The discounted OEM pricing benefit comes at the cost of reduced mobility.

For CALs, it is common to see restrictions stating that a CAL can only be transferred to a new user every 60/90/120 days. This allows you to reassign a CAL in the event a user had to be dismissed, but prevents abuse by using one user CAL for multiple shift users by claiming “I transfer the CAL every 8 hours.”

SO in theory you buy the amount of licenses for the amount of users you have. So say you have 20 licenses and 20 users log in and take a license. If for some reason a 21st person logs in, the system will allow it because it will assign a temporary CAL however this is a breach of your license agreement until another CAL expires and is released after the 60 days. Note that TS/RDS CALs are *not* legally licensed by concurrent users, but by TOTAL users. So if you have 50 users, but only expect 17 to be logged on at a time. You still need 50 CALs. Not 10, or even 20. The same applies to device licensing and device CALs. You pay for total devices, not concurrent devices. Which in the era of mobility, BYOD, and similar trends, can be an unknown, making user licensing more flexible in most (but not all) circumstances.

Other good links

http://ryanmangansitblog.com/2013/09/27/rds-2012-deployment-and-configuration-guides/

http://pdfs.loadbalancer.or/Microsoft_Remote_Desktop_Services_Deployment_Guide.pdf

NTFS File/Folder and Path Limits

June 2, 2015 NTFS 2 comments

What is a file system?

A file system is a part of the operating system that determines how files are named, stored, and organized on a volume. A file system manages files and folders, and the information needed to locate and access these items by local and remote users. NTFS, short for New Technology File System, is a file system that was introduced by Microsoft in 1993 with Windows NT 3.1.

Benefits of NTFS

Increasing reliability

NTFS uses its log file and checkpoint information to restore the consistency of the file system when the computer is restarted in the event of a system failure. In the event of a bad-sector error, NTFS dynamically remaps the cluster containing the bad sector and allocates a new cluster for the data, as well as marking the cluster as bad and no longer using it. For example, by formatting a POP3 mail server with NTFS, the mail store can offer logging and recovery. In the event of a server crash, NTFS can recover data by replaying its log files.

Increasing security

NTFS allows you to set permissions on a file or folder, and specify the groups and users whose access you want to restrict or allow, and then select the type of access. NTFS also supports the Encrypting File System (EFS) technology used to store encrypted files on NTFS volumes. Any intruder who tries to access your encrypted files is prevented from doing so, even if that intruder has physical access to the computer. For example, a POP3 mail server, when formatted with an NTFS file system, provides increased security for the mail store, security that would not be available should the server be formatted with the FAT file system.

Supporting large volumes

NTFS allows you to create an NTFS volumes as per below

Up to 16 terabytes using the default cluster size (4 KB) for large volumes.
Up to 256 terabytes using the maximum cluster size of 64 KB.
NTFS also supports larger files and more files per volume than FAT File Systems.

Limited space on a volume

If your organization has limited space on a volume, NTFS provides support for increasing storage on a server with limited disk space.

Disk quotas allow you to track and control user disk space usage for NTFS volumes.
NTFS supports compression as well as adding unallocated space from the same disk or from another disk to increase the size of an NTFS volume.
Mounted volumes allow you to mount a volume at any empty folder on a local NTFS volume if you run out of drive letters or need to create additional space that is accessible from an existing folder.

Using features available only in NTFS

NTFS has a number of features that are not available if you are using a FAT file system. These include:

Distributed link tracking. Maintains the integrity of shortcuts and OLE links. You can rename source files, move them to NTFS volumes on different computers within a Windows Server 2003 or Windows 2000 domain, or change the computer name or folder name that stores the target without breaking the shortcut or OLE links.
Sparse files. Large, consecutive areas of zeros. NTFS manages sparse files by tracking the starting and ending point of the sparse file, as well as its useful (non-zero) data. The unused space in a sparse file is made available as free space.
NTFS change journal. Provides a persistent log of changes made to files on a volume. NTFS maintains the change journal by tracking information about added, deleted, and modified files for each volume.
Hard links. NTFS-based links to a file on an NTFS volume. By creating hard links, you can have a single file in multiple folders without duplicating the file. You can also create multiple hard links for a file in a folder if you use different file names for the hard links. Because all of the hard links reference the same file, applications can open any of the hard links and modify the file.

Volume Shadow Copy Service

Service that provides an infrastructure for creating highly accurate, point-in-time shadow copies. These copies of a single volume or multiple volumes can be made without affecting the performance of a production server. The Volume Shadow Copy Service can produce accurate shadow copies by coordinating with business applications, backup applications, and storage hardware.

Distributed File System (DFS).

Strategic storage management solution in Windows Server 2003 that enables you to group shared folders located on different servers logically by transparently connecting them to one or more hierarchical namespaces.

File System Replication (FRS)

Technology that replicates files and folders stored in the SYSVOL shared folder on domain controllers and Distributed File System (DFS) shared folders. When FRS detects that a change has been made to a file or folder within a replicated shared folder, FRS replicates the updated file or folder to other servers

FAT32 and NTFS Limits

FAT32:

Maximum disk size: 2 terabytes
Maximum file size: 4 gigabytes
Maximum number of files on disk: 268,435,437
Maximum number of files in a single folder: 65,534

NTFS:

Maximum disk size: 256 terabytes
Maximum file size: 256 terabytes
Maximum number of files on disk: 4,294,967,295
Maximum number of files in a single folder: 4,294,967,295

File Path Lengths

In the Windows API, the maximum length for a path is MAX_PATH, which is defined as 260 characters. A local path is structured in the following order: drive letter, colon, backslash, name components separated by backslashes, and a terminating null character. For example, the maximum path on drive D is “D:\some 256-character path string” where “” represents the invisible terminating null character for the current system codepage. (The characters < > are used here for visual clarity and cannot be part of a valid path string.)

The Windows API has many functions that also have Unicode versions to permit an extended-length path for a maximum total path length of 32,767 characters. This type of path is composed of components separated by backslashes, each up to the value returned in the lpMaximumComponentLength parameter of the GetVolumeInformation function (this value is commonly 255 characters). To specify an extended-length path, use the “\\?\” prefix. For example, “\\?\D:\very long path“.

Long Path Tool

There is a brilliant piece of software called Long Path Tool. This can scan a directory or folder and tell you which paths are over the 256 character limit

http://longpathtool.com/

GetFolderSize

This is another piece of free software which can tell you folder and file sizes for a directory and folders

http://www.getfoldersize.com/en_download.htm#info

Useful Microsoft Link for detailed NTFS information

https://msdn.microsoft.com/en-us/library/aa365247%28VS.85%29.aspx

Software rollout via Group Policy

May 14, 2015 Group Policy No comments

How can we install software remotely from Group Policy?

Assigning Software

You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed. Assigned means that the application appears on the start menu.

Publishing Software

You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there

What type of software file can we deploy?

The Group Policy Management Console’s job is to deploy MSI files. GPMC can also deploy other kinds of files, but I’m going to skip over that for today and focus only on MSI files.

Remember: MSI files are application packages that come from manufacturers (or, you can also create them yourselves with 3rd party MSI repackaging tools.

Step 1 Create a Distribution Point

Log on to the server as an administrator (I am using my Test Lab)
Create a shared network folder where you will put the Microsoft Windows Installer package (.msi file) that you want to distribute

Set permissions on the share to allow access to the distribution package.
You must add Authenticated Users with Read Access to the Share and NTFS permissions if you are applying this to Computer OUs as Computers are Authenticated Users in AD

Copy or install the package to the distribution point.
I’m going to use the Google Chrome 32bit .msi

Step 2 Create a Group Policy Object

I am just going to test this on a Windows 7 machine
Open Group Policy Management Console
Find the OU which contains the computer/computers you want to apply the policy to and right click and select Create a GPO in this domain and link it here

Put in a name. Mine is Software_Distribution_GPO

Click on the policy and select it.
In my policy I am going to set the security filtering to just my Windows 7 test machine (dacvmed001)

Click Edit on your GPO
Under Computer Configuration expand Policies to see Software Settings

Right click and select New Package
Type in the full (UNC) path to your Software Distribution share. In my case \\dacvads001\SoftwareDistribution

You should now see your .msi software

Click Assigned. If you click Advanced, it gives you options to configure Published or Assigned Options and to apply modifications to a package
NOTE: The Published option is greyed out as it is only available if I deploy my package to a User Container. Software deployed to computers does not support publishing

You can now see your package in your GPO

If you right click on your package and select Properties, you can see further information. Note I have screenprinted the properties of the SQL Client
The General Tab

The Deployment tab
Basic means that the user will see few / no screens when the application installs.
Maximum means that the user will have full interaction when the application installs.

Advanced Options

Upgrades

Categories

Modifications

Security

Next do a gpupdate /force on the Domain Controller and reboot your PC.

Check that the software has been installed in Control Panel > Programs and Features

Redeploy a MSI package

Sometimes you may need to redeploy a package (for example when doing an upgrade). For redeploying a package you can follow these steps:

Open Group Policy tab, select the object you used to deploy the package and click Edit
Expand the Software Settings element (per-user or per-machine) which contains the deployed package
Expand the Software Installation element which contains the deployed package
Right-click the package in the right pane of the Group Policy window
Select the All Tasks menu and click Redeploy application
Click the Yes button for reinstalling the application wherever it is installed
Close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

Remove an MSI package

Group Policy also allows you to remove packages which have been deployed in the past. Here are the steps for removing a package:

Open Group Policy, select the object you used to deploy the package and click Edit
Expand the Software Settings element (per-user or per-machine) which contains the deployed package
Expand the Software Installation element which contains the deployed package
Right-click the package in the right pane of the Group Policy window
Select the All Tasks menu and click Remove
Select from the following options:
- Immediately uninstall the software from users and computers
- Allow users to continue to use the software but prevent new installations
Click the OK button to continue
Close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

What can we do about .exe’s that we want to turn into usable .msi’s?

You will need to get a packaging utility to turn that .exe file into .msi file. Many of them are available for instant download from internet

One of the best one’s I have trialled is http://www.exetomsi.com/

Tips and Advice on EXE to MSI Repackaging

http://exe-to-msi.com/

Using WMI Filters in Group Policies

April 1, 2015 Active Directory No comments

What are WMI Filters?

Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer. When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer.

When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows 2000, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.

WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.

GPOs are processed in the following order

The WMI filter is a separate object from the GPO in the directory.

To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter, however the same WMI filter can be linked to multiple GPOs.

WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain.

The local GPO is applied.
GPOs linked to sites are applied.
GPOs linked to domains are applied.
GPOs linked to organizational units are applied. For nested organizational units, GPOs linked to parent organizational units are applied before GPOs linked to child organizational units are applied

A practical GPO and WMI example.

We had a requirement to have separate GPOs for Windows 7 Internet Explorer 10 users than Windows XP Internet Explorer 8 users. This is where we can have a policy which is filtered by Windows 7.

First of all log into your Group Policy Management Console
Create a new Group policy which will need to be assigned at the domain level, OU level or sub OU level depending on your design.
Modify the Group Policy with the settings you require
Now have a look at where WMI Filters are located by scrolling down to the bottom of the GPMC

Right click and select New

Put in a name and description

Next Click Add and you will get a new box where we can then add our WMI filter code

It is probably worth talking a little about the Namespace and WMI language at this point. The queries are written using the WMI Query Language (WQL), a SQL-like language. Queries can be combined with AND and OR logical operators to achieve whatever effect the administrator wants. Each query is executed against a particular WMI namespace. When you create a query, you must specify the namespace. The default is root\CIMv2, which is appropriate for most WMI queries.

I downloaded a small free program from Microsoft called WMI Code Creator. The tool also allows you to browse through the available WMI namespaces and classes on the local computer to find their descriptions, properties, methods, and qualifiers.

As an example below, I can look at the Operation System properties and find the version and also the name if I look at the Caption Properties

Note: This piece of software is useful for delving into the WMI information but you need to be able to use the WMI query in a way Active Directory understands.

SELECT [property] from [wmi class]

Have a look at the table below. Both Windows Server 2012 and Windows 8 return version numbers that begin with 6.2. To differentiate between the client and server versions, include the clause to check the ProductType field. This value returns 1 for client versions of Windows such as Windows 8, 2 for server versions of Windows operating as domain controllers, and 3 for server versions of Windows that are not operating as domain controllers.

You can also create combination filters when required by your design. The following table shows query statements for common operating system combinations.

As an example we wanted our policy to apply to Windows 7, Windows 8 and Windows 8.1 so this was our filter

Click Save and go back to your Group Policy
Click on Scope and look at the bottom of the Scope Page where you will see WMI Filters
Here you will need to select your WMI Filter and apply it

Next click start run and type gpupdate /force on your DC to push out the settings.
If you want to test that your GPO and WMI filters work then you can go back to your Group policy management console and look right down the bottom again where you have an option – Group Policy Results

Right click and select Group Policy Results wizard and you can run through this and select a target computer and user to test whether then WMI works.
At the end you will get a Summary, Details and Policy Events and you want to scroll down and check Details where it will say whether the WMI Filter came out as True or False!

And that’s it. It’s worth having a look through the many ways you can filter and write queries.

An interesting point to finish

What takes precedence when multiple, conflicting GPOs apply to the same OU?

“Links to a specific site, domain, or organizational unit are applied in reverse sequence based on link order. For example, a GPO with Link Order 1 has highest precedence over other GPOs linked to that container.”

What takes precedence when multiple, conflicting enforced GPOs apply to the same OU?

Setting a GPO to enforced effectively moves it to the end of the processing order, meaning it always wins. If you have multiple conflicting Enforced GPOs they go in reverse order. (The ‘higher’ one in the OU structure wins,) But if it ever got that complex, you would need to rethink your overall GPO strategy in the long term.

Standard GPO Inheritance Rules in Organizational Units

Any unconfigured settings anywhere in a GPO are ignored, and only configured settings are inherited. There are three possible scenarios:

A higher-level GPO has a value for a setting, and a lower-level GPO does not.
A GPO linked to a parent OU has a value for a setting, and a GPO linked to a child OU has a non-conflicting value for the same setting.
A GPO linked to a parent OU has a value for a setting, and a GPO linked to a child OU has a conflicting value for the same setting.

If a GPO has settings configured for a parent organizational unit and the same policy settings are unconfigured for a child organizational unit, the child inherits the parent’s GPO settings. That makes sense.

If a GPO has settings configured for a parent organizational unit that do not conflict with the settings in a GPO configured for a child organizational unit, the child organizational unit inherits the parent GPO settings and applies its own GPOs as well. A good example of this is two logon scripts; these scripts don’t conflict, so both are run

If a GPO has settings configured for a parent organizational unit that conflict with the same settings in another GPO configured for a child organizational unit, the child organizational unit does not inherit those specific GPO settings from the parent organizational unit. The settings in the GPO child policy take priority

Excel 2010: Not enough system resources to display completely

February 3, 2015 Excel One comment

The Problem

When opening an Excel file or running calculations within an Excel file, you may get the following error

This is a very miscellaneous error and one that is not easily solved sometimes but here are a few things to try

If you have any COM add-ins installed, un-install them unless they are absolutely required or just untick them to test. COM add-ins are a special type of add-in written in machine language. They are often installed without explicit approval. COM add-ins are often reported as causing memory problems
To see if you have multiple sessions open, press CTL-ALT-DELETE and check how any Excel applications are running. There should be just one running. If a new Excel session opens each time you double click on a workbook, try unchecking the Excel Option “Ignore other applications” if it is checked on the Options General tab.
Excel may think your worksheets are larger than you do. This can consume a lot of memory. Normally your scroll area controlled by the scroll bars is very small. However, sometimes Excel thinks there are cells well below your used range. One way is to check where Excel thinks the last cell is located. Do this by pressing CTRL+SHIFT+END. If it well below your used range, then select all “unused” columns in this range and delete them. Then select all unused rows in this range and delete them . Then close and re-open Excel
Install the latest upgrades to your version of Office.
You can try deleting temp files. There is a nice piece of software called Temp File Deleter https://www.add-ins.com/temp_file_deleter.htm
If you are using Google Desktop Search, un-install it. Google Desktop Search appears to be a memory hog and has been reported to interfere with Microsoft Excel. Specifically, it installs a COM add-in that monitors every action in Excel so that it can index it which can slow everything down
If you are using Excel 2010-2013, click File, Options, Advanced, and go to the General section. Check if you have an alternate startup folder and check its content, and remove anything you do not need
Check and see if you have an un-needed add-in or workbook in your XLSTART folder. This folder may vary location wise depending on local and roaming profiles
Delete your XLB file. (Search for *.XLB) It can become corrupt but cause no visible problems. If corrupt it can consume lots of memory. Excel will recreate, but button customization will be lost. This is a file where Excel stores its toolbar settings. To delete it, use the XLB File Deleter which is a free product. There have been reports that doing this will solve problems.
Your printer or its driver may be causing the problem. HP printers have a history of causing a memory problem with Excel. We do not know if HP fixed the problem and it may still be around or surfacing again. Change your default printer if you have other printers available as a test
Use of macros that do very extensive file creating, data manipulation, and graphing have been known to cause memory leak problems. Such macros are ones that typically run for 30 minutes or longer.
If you have Track Changes turned on in Excel, turn off Track Changes as it uses a fair amount of memory. The default is Off.
Turn off AutoRecovery, as this takes up Excel memory. However, have a backup if you do. To turn off AuoRecovery go to File,Options, Save. Uncheck Auto Recovery
Problems in your application data folder for Excel can be the cause. The folder is typically “c:\documents and settings\%username%\application data\microsoft\excel”. This is a hidden folder, so set your Explorer options to show hidden folders. After backing up, rename or delete this folder and its subfolders. Reboot the machine and open Excel. Excel will recreate the folder and needed contents.
Run the following 2 commands. “C:\Program Files\Microsoft Office\OFFICE11\excel.exe” /unregserver and “C:\Program Files\Microsoft Office\OFFICE11\excel.exe” /regserver. (Change the number 11 to 12 for Excel 2007, 14 for Excel 2010 and 15 for Excel 2013) These commands remove most of the Excel registry entries and then resets them. However, they do leave some residual settings.
A more extensive way to clean the registry is to rename the Excel registry key and let Excel recreate it. It depends on the version of Excel. First, close Excel. Then do Run, Regedit and go to the Excel registry key. It will be “HKEY_CURRENT_USER\Software\Microsoft\Office\%version_number%\Excel”
where %version_number% is 11 for Excel 2003, 12 for Excel 2007, 14 for Excel 2010 and 15 for Excel 2013. Rename this to OldExcel (this will back it up). Then re-open Excel. Excel will rebuild the registry entry. You will need to manually install any needed add-ins
It may be the case that the Server or PC that Excel is running on needs more memory or that you need to close other running apps which may be interfering with Excel or taking up more memory that Excel needs
Try opening Excel in Safe Mode. For example C:\Program Files\Microsoft Office\Office\Excel.exe /s
Try opening Excel whilst holding the shift key down to stop any macros from executing or type Click Start, Run, “C:\Program Files\Microsoft Office\Office\Excel.exe” /Automation

Logon script to copy 2 folders into a user’s Roaming Profile

January 15, 2015 PowerShell No comments

The Task

Our users are logging into several Terminal Server Farms where they are running a TM1 application client which connects to the main TM1 Server. On opening the client it is meant to put 2 folders in their profile under the AppData folder. This is a folder called Applix which also contains another folder called TM1.

We have roaming profiles where we have a profile drive and a home drive and the AppData folder is redirected to the user’s Home Drive. It seems that this application does not cope well with creating the Applix folder on the redirected Home Folder location

However we have found it works fine when you have a straight roaming profile with no redirected folders!

So what do we need to happen?

A user logs on to a Terminal Server Farm
At logon a GPO containing a PowerShell script to do this task will run
The script will test that the folder path exists first \\ServerXYZ\Home\Username\AppData\Roaming and if it does, it will do nothing
If the path doesn’t exist, it will put a folder called Applix in the following path \\ServerXYZ\Home\Username\AppData\Roaming
Note, we put the Applix folder on the Terminal Servers as C:\Applix and the script picks this up for copying from this location

The PowerShell Script

if (!(Test-path “\\ServerXYZ\Home\$env:USERNAME\AppData\Roaming\Applix”))
{
Copy-Item -path “C:\Applix” -Recurse -Destination “\\ServerXYZ\Home\$env:USERNAME\AppData\Roaming\Applix” -Container
}

ActiveSync on Microsoft Exchange 2010 +

December 30, 2014 ActiveSync One comment

ActiveSync

Exchange ActiveSync is a Microsoft Exchange synchronization protocol that’s optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an organization’s information on a server that’s running Microsoft Exchange. Exchange ActiveSync enables mobile phone users to access their e-mail, calendar, contacts, and tasks and to continue to be able to access this information while they’re working offline When you allow mobile phones or other mobile devices to synchronize with your Exchange 2010 server, you allow sensitive corporate information to be stored on small, portable devices that can be easily lost or stolen. Before you deploy Exchange ActiveSync, we recommend that you familiarize yourself with the various security settings you can configure to keep your corporate information safe. You can configure an authentication method for Exchange ActiveSync, deploy Exchange ActiveSync mailbox policies, and use remote device wipe to remove personal and corporate data from a lost or stolen mobile phone

Things to have setup

In order to be able to receive external email into your internal Exchange server, you will need to have an external domain which is setup to forward your MX and A records to your internal environment. As an example I have a domain called electricmonk.org.uk which I use as my test external domain for this blog. I had to ask my domain company to setup the following records and forward them to my routers external address.

MX mail.electricmonk.org.uk
A mail.electricmonk.org.uk
A owa.electricmonk.org.uk
A autodiscover.electricmonk.org.uk

These records will then hit my router then depending on your routers setup, you will need to forward the relevant mail ports to your Exchange Server.

POP3 = 110
IMAP = 143
SMTP = 25
HTTP = 80
HTTPS = 443
Secure SMTP = 465
Secure POP3 = 995
Secure IMAP = 585
IMAP4 over SSL = 995
Exchange (SMTP-MSA) =587

This is my BT Router Port Forwarding setup set to forward these ports to my mail server on my internal network

Features in Exchange ActiveSync

Exchange ActiveSync provides the following:

Support for HTML messages
Support for follow-up flags
Conversation grouping of e-mail messages
Ability to synchronize or not synchronize an entire conversation
Synchronization of SMS messages with a user’s Exchange mailbox
Support for viewing of message reply status
Support for fast message retrieval
Meeting attendee information
Enhanced Exchange Search
PIN reset
Enhanced device security through password policies
Autodiscover for over-the-air provisioning
Support for setting auto-replies when users are away, on vacation, or out of the office
Support for tasks synchronization
Direct Push
Support for availability information for contacts

Exchange ActiveSync Server Security

There are several security-related tasks you can perform on a server that’s running Exchange ActiveSync. One of the most important tasks is to configure an authentication method. Exchange ActiveSync runs on a computer running Exchange 2010 that has the Client Access server role installed. This server role is installed with a default self-signed digital certificate. Although the self-signed certificate is supported for Exchange ActiveSync, it isn’t the most secure method of authentication. For additional security, consider deploying a trusted certificate from a third-party commercial certification authority (CA) or a trusted Windows public key infrastructure (PKI) certification authority.

Selecting an Authentication Method for Exchange ActiveSync

In addition to deploying a trusted digital certificate, you should consider the different authentication methods that are available for Exchange ActiveSync. By default, when the Client Access server role is installed, Exchange ActiveSync is configured to use Basic authentication with Secure Sockets Layer (SSL). To provide increased security, consider changing your authentication method to Digest authentication or Integrated Windows authentication

Exchange ActiveSync Mailbox Policies

Exchange ActiveSync for Exchange 2010 enables you to create Exchange ActiveSync mailbox policies to apply a common set of security settings to a collection of users. These settings include the following

Requiring a password
Specifying the minimum password length
Requiring numbers or special characters in the password
Designating how long a mobile phone can be inactive before the user is required to re-enter the password
Specifying that the mobile phone or mobile device be wiped if an incorrect password is entered more than a specific number of times

Accessing ActiveSync Policies

Click on Organization Configuration > Client Access then in the Action pane select Exchange ActiveSync Mailbox Policies

Right click on Default and select Properties

Allow non-provisional devices – Select this check box to allow mobile phones that can’t be provisioned automatically. These mobile phones may be unable to enforce all the Exchange ActiveSync policy settings. By selecting this box, you’re allowing these mobile phones to synchronize even though some policy settings may not be applied.
Refresh Interval – Select this check box to force the server to resend the policy to clients at a fixed interval defined in the number of hours between policy refresh events.
Click on Password

Require password – Select this checkbox to require a password for the mobile phone. If passwords are required, the following options become available.
Require alphanumeric password – Select this check box to specify that the mobile phone password must include non-numeric characters. Requiring non-numeric characters in passwords increases the strength of password security.
Minimum number of character sets – Use this text box to specify the complexity of the alphanumeric password and force users to use a number of different sets of characters from among the following: lower case letters, upper case letters, symbols and numbers.
Enable password recovery – Select this check box to enable password recovery for the mobile phone. Users can use Outlook Web App to look up their recovery password and unlock their mobile phone. Administrators can use the EMC to look up a user’s recovery password.
Require encryption on device – Select this check box to require encryption on the mobile phone. This increases security by encrypting all information on the mobile phone.
Require encryption on storage cards – Select this check box to require encryption on the mobile phone’s removable storage card. This increases security by encrypting all information on the storage cards for the mobile phone.
Allow simple password – Select this check box to allow users to lock their mobile phones with simple passwords such as 1111 or 1234. If you clear this check box, users will be required to use more secure password sequences.
Number of failed attempts allowed – Use this text box to limit the number of failed password attempts a mobile phone accepts before all information on the mobile phone is deleted and the mobile phone is automatically returned to the original factory settings. This reduces the chance of an unauthorized user accessing information on a lost or stolen mobile phone that has a password.
Minimum password length – Use this text box to specify a minimum password length for the mobile phone password. Long passwords can provide increased security. However, long passwords can decrease mobile phone usability. A moderate password length of four to six characters is recommended.
Time without user input before password must be re-entered (in minutes) – When a mobile phone password is required, you can use this text box to prompt the user for the password after the mobile phone has been inactive for a specified period of time. For example, if this setting is set to 15 minutes, the user must enter the mobile phone password every time that the mobile phone is idle for 15 minutes. If the mobile phone is idle for 10 minutes, the user won’t have to re-enter the password.
Password expiration (days) – Use this text box to force users to reset their mobile phone’s password at a given interval. The interval is set in a number of days.
Enforce password history – Select this check box to force the mobile phone to prevent the user from re-using their previous passwords. The number you set determines how many past passwords the user won’t be allowed to reuse.
Next Click on Sync Settings

Include past calendar items – Use this drop-down list to select the date range of calendar items to synchronize to the mobile phone. The available options include the following: All, Two Weeks, One Month, Three Months, and Six Months. If you have to specify other options, use the Shell to configure this setting.
Include past e-mail items – Use this drop-down list to select the date range of e-mail items to synchronize to the mobile phone. The available options include the following: All, One Day, Three Days, One Week, Two Weeks, and One Month. If you have to specify other options, use the Shell to configure this setting.
Limit e-mail size to (KB) – Select this check box to limit the message size that can be downloaded to the mobile phone. After you’ve selected the check box, use the text box to specify a maximum message size, in kilobytes (KB).
Allow Direct Push when roaming – Select this check box to enable the mobile phone to synchronize as new items arrive when you’re roaming with your phone. You’re roaming when you’re outside your normal service area. Check with your mobile service provider to determine your normal service area. Clearing this check box forces you to manually launch synchronization when you’re roaming with the phone and data rates are traditionally higher.
Allow HTML-formatted e-mail – Select this check box to enable e-mail messages that are formatted in HTML to be synchronized to the mobile phone. If this check box isn’t selected, all e-mail messages will be converted to plain text before synchronization. Use of this check box doesn’t affect whether or not messages are received on the mobile phone.
Allow attachments to be downloaded to device – Select this check box to enable attachments to be downloaded to the mobile phone. If this check box is cleared, the name of the attachment is visible within the e-mail message but can’t be downloaded to the mobile phone.
Maximum attachment size (KB) – Select this check box to specify a maximum size for attachments that are downloaded to the mobile phone. After you select the check box, use the text box to enter a maximum attachment size, in KB. If this check box is selected, attachments that are larger than the specified size can’t be downloaded to the device.
Next Click on Device. Use the Device tab to specify a variety of device-specific settings. All settings that you access on the Device tab of the Exchange ActiveSync policy Properties page are premium features of Exchange ActiveSync. For these features to be implemented on a mobile phone, the mailbox requires an Exchange Enterprise client access license (CAL).

Allow removable storage – Select this check box to allow storage cards to be accessed from a mobile phone. If this check box isn’t selected, storage cards can’t be accessed from a mobile phone.
Allow camera – Select this check box to allow the mobile phone camera to be used.
Allow Wi-Fi – Select this check box to allow the mobile phone to use a Wi-Fi connection for Internet access. Direct Push isn’t supported over Wi-Fi.
Allow infrared – Select this check box to allow the mobile phone to establish an infrared connection with other devices or computers.
Allow Internet sharing from device – Select this check box to allow another device to share the Internet connection of the mobile phone. Internet sharing is frequently used when the device functions as a modem for a laptop or desktop computer.
Allow remote desktop from device – Select this check box to allow the mobile phone to establish a remote desktop connection to another computer.
Allow desktop synchronization – Select this check box to allow the mobile phone to synchronize with a desktop computer through desktop ActiveSync or the Windows Mobile Device Center.
Allow Bluetooth – Use this drop-down list to control the Bluetooth functionality of the mobile phone. You can choose to Allow, Disable, or enable Bluetooth for Handsfree only
Click on Device Application. Use the Device Applications tab to enable or disable specific features on a mobile phone. All settings that you access on the Device Applications tab of the Exchange ActiveSync policy Properties pages are premium features of Exchange ActiveSync. For these features to be implemented on a mobile phone, the mailbox requires an Exchange Enterprise client access license (CAL).

Allow browser – Select this check box to allow mobile phones to use Pocket Internet Explorer
Allow consumer mail – Select this check box to allow the mobile phone to access e-mail accounts other than Microsoft Exchange accounts. Consumer e-mail accounts include accounts that are accessed through POP3 and IMAP
Allow unsigned applications – Select this check box to allow unsigned applications to be installed on the mobile phone.
Allow unsigned installation packages – Select this check box to allow unsigned installation packages to be run on the mobile phone
Click on Other. Use the Other tab to specify allowed and blocked applications. All settings that you access on the Other tab of the Exchange ActiveSync policy Properties pages are premium features of Exchange ActiveSync. For these features to be implemented on a mobile phone, the mailbox requires an Exchange Enterprise client access license (CAL).

Allowed Applications You can add applications to or remove them from the Allowed Applications list. Allowed applications can be installed and run on the mobile phone. Click Add to add an application, and click Delete to remove an application.
Blocked Applications You can add applications to or remove them from the Blocked Applications list. Blocked applications are prohibited from running on the mobile phone. Click Add to add an application, and click Delete to remove an application.

Accepted Domains

Make sure you have your accepted external domain listed here

Click on Organization Configuration and then click on Hub Transport
Click on the Accepted Domains tab and you should see your local address
In the Actions pane, click on New Accepted Domain
Put in a name for this Domain and the name itself

You should now see your domains

Send Connectors

Go to Organisation Configuration > Hub Transport
Click New Send Connector

Type a name and choose Internet for the intended use
Click Next
On the Address space page click Add and add in * to Address and tick Include all subdomains
Keep Use Domain name system (DNS) “MX” records to route mail automatically ticked

Check your Source Server is selected

The Summary Page will appear. Check the details and click New
You should now see your new Send Connector

Double click on this Send Connector and select Properties
You need to put in your external domain here

Set up an email policy

Go to Organization Configuration
Go to Hub Transport
Go to E-mail Address Polices
Click on the Default Policy
Click Next

You are now on the New E-Mail Address Policy Page. Don’t select anything on here for now

Click Next and you are now on the E-Mail Addresses Page
Click Add

Click OK

Click the %m@mail.electricmonk.org.uk and select Set as Reply
On the Schedule Page, leave this as Immediately

Finally click New and the wizard will complete

ActiveSync Virtual Directory

By default, when Exchange 2010 is installed, a new virtual directory is created in the default website in Internet Information Services (IIS). This virtual directory is named Microsoft-Server-ActiveSync. You can create additional Exchange ActiveSync virtual directories under Web sites other than the default Web site. All Exchange ActiveSync virtual directories you create will have the name Microsoft-Server-ActiveSync. After you have installed the Client Access server role on an Exchange Server 2010 computer, Exchange ActiveSync is enabled by default. An Exchange ActiveSync virtual directory is created on the Exchange 2010 Client Access server. You can configure a variety of options on that virtual directory.

Viewing the ActiveSync Virtual Directory Properties

In the console tree, navigate to Server Configuration > Client Access
In the work pane, click the Exchange ActiveSync tab, and then click the Microsoft-Server-ActiveSync virtual directory.

In the action pane, under click Microsoft-Server-ActiveSync, click Properties.
Use the General tab to view display-only information about the Exchange ActiveSync virtual directory and to modify the Internal and External URLs.
Server – This read-only field shows the name of the server the virtual directory is located on.
Web site This read-only field shows the name of the Web site that holds the virtual directory. Normally, this will be the Default Website.
SSL Enabled This read-only field shows the Secure Sockets Layer (SSL) status of the virtual directory. The default is True.
Modified This read-only field shows the date and time that the virtual directory was last modified.
Internal URL This field shows the InternalURL setting for the virtual directory. In most cases, you shouldn’t change this setting.
External URL This field shows the ExternalURL setting for the virtual directory. In an Internet-facing Active Directory site, this field will be populated with the external DNS endpoint for Exchange ActiveSync, for example, http://mail.electricmonk.org.uk/Microsoft-Server-ActiveSync.

Use the Authentication tab to control the authentication methods for the Exchange ActiveSync virtual directory.
Basic authentication (password is sent in clear text) Select this check box if you want the mobile device to send the user name and password in clear text. Because passwords are sent in clear text with Basic authentication, you should configure SSL to encrypt data transferred between your mobile clients and the Exchange ActiveSync virtual directory.

Exchange03

Client Certificate authentication – Select whether you want to ignore, accept, or require client certificate authentication.
Certificates can reside in the certificate store on a mobile device or on a smart card. A certificate authentication method uses the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) protocols. In EAP-TLS certificate authentication, the client and the server prove their identities to each other. For example, an Exchange ActiveSync client presents its user certificate to the Client Access server, and the Client Access server presents its computer certificate to the mobile device to provide mutual authentication.

Note: Requiring client certificates will force you to configure SSL on the Web site that’s hosting the Exchange ActiveSync virtual directory.

Exchange ActiveSync clients can access files and Web sites that are located on Windows SharePoint Services and Windows file shares. Use the Remote File Servers tab to specify allowed and blocked host names for your Exchange ActiveSync clients. This tab also allows you to configure which domains are treated as internal.

Block List – Click Block to configure a list of host names of servers to which clients are denied access.
The Block list takes precedence over the Allow list. To add a host name to the Block list, type the host name in the Block List dialog box, and then click Add. To remove a host name from the Block list, select the host name, and then click Delete in the Block List dialog box.
Allow List – Click the Allow button to configure a list of host names of servers from which clients are allowed to access files.
To add a host name to the Allow list, type the host name in the Allow List dialog box, and then click Add. To remove a host name from the Allow list, select the name, and then click Delete in the Allow List dialog box.
If a host name is specified in the Allow list and the Block list, clients will be blocked from accessing files from that host name.
Unknown Servers Use this list to specify how to access files from host names that aren’t listed in either the Block list or the Allow list. The default value is Allow.
Enter the domain suffixes that should be treated as internal Use this option to configure specific host names as internal host names. Click Configure to add host names to the Internal Domain Suffix List. When clients try to access files on one of these host names, Exchange ActiveSync uses the internal network to access these files instead of trying to access them over the Internet

IMAP Configuration

Go to Server Configuration
Go to Client Access
Go to POP3 and IMAP4
Double click on IMAP4 and go to Authentication
In the X.509 certificate name type in your domain

Enabling Anonymous Authentication

If this is not enabled, it can stop external mail programs from being able to email your Exchange server. See below when trying to send email from Gmail to my Exchange Address

Open EMC
Go to Server configuration > Hub Transport Server
Click on Default Receive Connector and select Properties
Click on last tab “Permission Groups” and place check mark into “Anonymous users” click apply and ok.

Now if you try resending the email it should work

Devices Enabled for Exchange ActiveSync

Users can take advantage of Exchange ActiveSync by selecting mobile phones that are compatible with Exchange ActiveSync. These mobile phones are available from many manufacturers. For more information, see the device documentation.

Mobile phones that are compatible with Microsoft Exchange include the following

Apple – The Apple iPhone, iPod Touch, and iPad all support Exchange ActiveSync.
Nokia – Nokia offers Mail for Exchange on their E series mobile phones. E-mail, calendar, and contact data can be synchronized over a cellular network or a wireless LAN.
Sony Ericsson – Sony Ericsson offers Exchange ActiveSync support on several of their newer smartphones. They also support Direct Push through a third-party program.
Palm – Palm offers some models of mobile phones that have the Windows Mobile operating system. These devices support Direct Push.
Motorola – Motorola has its own synchronization framework that enables over-the-air synchronization through Exchange ActiveSync on many of its devices.
Symbian – Symbian Limited licenses Exchange ActiveSync for use in the Symbian operating system. This operating system is an open standard operating system for mobile phones.
Android – Many mobile phones with the Android operating system support Exchange ActiveSync. However, these mobile phones may not support all available Exchange ActiveSync mailbox policies.

Setting up an iPhone 5S

Go into Settings > Mail Contacts and Settings
Click Add Account
Choose Exchange

Put in your e-mail address and password
You will also see your Exchange Device ID

Tap Next
As I don’t have a proper certificate I get these 2 warnings. Just click Continue

Next you will need to enter the relevant information for your servers and email addresses and passwords.
E-mail: Your e-mail address
Server: The external address you setup with you domain provider
Domain: Note: I had to put my internal local domain for this to work which is my test lab domain dacmt.local
Username: Active Directory Username
Password: Active Directory Password

Click Done and it should say Verifying and then place a tick against all settings
Now you need to test sending an email to your email account

If all the settings verify but email is not coming through

This may be the cause of a simple mis-configuration in the Microsoft Active Directory services for that user.

Open the Active Directory Users and Computers
Select the View menu from the top and click on “Advanced Features”.
Open the properties on the user having the issue and select the “Security” tab. Under this tab will be windows with user accounts listed and a “Advanced button” at the bottom. Select this button and find the check box “Include Inheritable permissions from this object’s parent” . If this is the problem you will find the box “unchecked”. Just check the box and try again. You should see mail start to come in.

If you have set an Exchange Active Sync Policy which requires a password

Then when the account is setup, after a few minutes it should come up with the following prompts

Using Remote Wipe

Mobile phones can store sensitive data that belongs to your organization and provide access to many of your organization’s resources. If a mobile phone is lost or stolen, that data can be compromised. Remote device wipe is a feature that enables the Exchange server to set a mobile phone to delete all data the next time that the mobile phone connects to the Exchange server. A remote device wipe effectively removes all synchronized information and personal settings from a mobile phone. This can be useful when a mobile phone is lost, stolen, or otherwise compromised. After a remote device wipe has occurred, data recovery is very difficult. However, no data removal process leaves a mobile phone or other mobile device as free from residual data as it is when it’s new. Recovery of data from a mobile phone or other mobile device may still be possible using sophisticated tools.

Microsoft Exchange Server 2010 lets you send a command to a mobile phone to perform a remote device wipe of that phone. This process removes all the information that’s stored on the phone. This includes Exchange information. This process then completes a full reset of the device. You can use the EMC or the Exchange Management Shell to perform a remote wipe on a mobile phone. You can use this procedure to clear data from a stolen phone or to clear data from a phone before you assign it to another user

In the console tree, navigate to Recipient Configuration > Mailbox.
Select the user from the Mailbox window.

In the action pane, click Manage mobile device, or right-click the user’s mailbox, and then click Manage mobile device.
Select the mobile phone you want to clear all data from.
In the Actions section, click Perform a remote wipe to clear mobile phone data

Click Clear.
Note: Performing either of these actions will wipe the iPhone!
It will also send an email message to you saying that the device has been wiped

Recovering a Device Password

Note: This feature does not appear to be available for iPhones unfortunately which is a shame as the only option is to wipe the phone to get round a forgotten password

http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_clients

You can use

The EMC
The Shell
Microsoft Office Outlook Web App to recover a device password.

You can require a device password through Microsoft Exchange ActiveSync policies. A user can configure a device password even if your Exchange ActiveSync policies don’t require one. If users forget their password, you can obtain a recovery password using the EMC or the Shell. The recovery password unlocks the device and lets the user create a new password. Users can also recover their device passwords by using Outlook Web App.

The EMC

You need to be assigned permissions before you can perform this procedure.

In the console tree, navigate to Recipient Configuration > Mailbox.
In the details pane, select a user, and then select Manage Mobile Device from the action pane. The device recovery password is displayed in the Manage Mobile Device dialog box

The Shell

Open Exchange Management Shell
Type Get-ActiveSyncDeviceStatistics -Mailbox:”rhian.cohen” -ShowRecoveryPassword:$true

Outlook Web Access

Log into Outlook Web Access
Click on Options

Useful links

http://technet.microsoft.com/en-us/library/bb124558(v=exchg.141).aspx http://technet.microsoft.com/en-us/library/aa998357.aspx#WindowsPhone7 https://www.apple.com/kr/ipad/business/docs/iOS_6_EAS_Sep12.pdf

Youtube Tutorials (Thanks to Hotfoot Training

Part 1 https://www.youtube.com/watch?v=dDg4oY1oUzQ

Part 2 https://www.youtube.com/watch?v=2tyhnOptqZ0

Part 3 https://www.youtube.com/watch?v=glASOiu8yMY

Windows Server 2008 R2 UAC

October 6, 2014 UAC No comments

What is UAC?

User Account Control (UAC) is a security component that enables users to perform common tasks as non-administrators (called standard users in Windows Vista), and as administrators without having to switch users, log off, or use Run As. User accounts that are members of the local Administrators group run most applications as a standard user. By separating user and administrator functions, UAC helps users move toward using standard user rights by default.

When an administrator logs on to a computer that is running Windows 7 or Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user’s group membership and authorization and access control data, are used by the Windows operating system to control what resources and tasks the user can access. The access control model in earlier Windows operating systems did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users’ computers without notifying the users. (This is sometimes referred to as a “silent” installation.)

How can we change UAC Settings?

Control Panel

Click Start > Control Panel > User Accounts > Change User Account Control Settings

You will then need to reboot

Using Local Security Policy

Click Start > Administrative Tools > Local Security Policy > Security Options > Scroll down to the User Account Control Settings

There are 10 separate Settings

Group Policy

Click Start > Administrative Tools > Group Policy Management on a DC > Right click on Group Policy Objects and select New > Type GPO Name in > Find GPO and right click and select Edit

Navigate to Computer Configuration > Windows Settings > Security Settings > Security Options > Scroll down to User Account Control

Using the Registry

The registry keys are found in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. For information about each of the registry keys, see the link below

http://technet.microsoft.com/en-gb/library/dd835564%28v=ws.10%29.aspx

« Older Entries

Archive for microsoft

Upgrading Windows Server 2008R2 Editions With DISM

Using SQL Server Copy Database Wizard

Installing Windows 2012 RDS Roles (License Server, Connection Broker, RD Session Host and RD Web Access)

NTFS File/Folder and Path Limits

Software rollout via Group Policy

Using WMI Filters in Group Policies

Excel 2010: Not enough system resources to display completely

Logon script to copy 2 folders into a user’s Roaming Profile

ActiveSync on Microsoft Exchange 2010 +

Windows Server 2008 R2 UAC

Electric Monk

Don't think about what can happen in a month. Don't think what can happen in a year. Just focus on the 24 hours in front of you and do what you can to get closer to where you want to be :-)

Search

Calendar

Social Media and RSS

vExpert

Recent Posts

Archives

Categories

Fatcow Webhosting

Archive for microsoft

Electric Monk

Don't think about what can happen in a month. Don't think what can happen in a year. Just focus on the 24 hours in front of you and do what you can to get closer to where you want to be :-)

Search

Calendar

Social Media and RSS

vExpert

Recent Posts

Archives

Categories

Tags

Fatcow Webhosting