Changing public folder permissions in Exchange 2007
So, like it or not, a lot of the power of Exchange is now harnessed within PowerShell. I had an instance recently where I wanted to allow someone almost complete control over a public folder calendar, so they could edit and delete other people's entries. This can be done quite easily in PowerShell using two or three basic commands. First I wanted to check what permissions were currently set on the public folder:
Get-PublicFolderClientPermission -Identity "\name of public folder"
This gave me a list of the currently assigned permissions. To help out, you can append a couple of extras to the basic command to list the permissions in a friendlier way and also write the output to a file as a point of reference. The full command would look like:
Get-PublicFolderClientPermission -Identity "\name of public folder" | fl > c:\perms.txt
Once I had the current permissions I was happy to tinker away, safe in the knowledge that I had a good record of what I should revert to should something bad happen.
The next command is Add-PublicFolderClientPermission, which actually amends the permissions. You can give individual permissions to users, or a role, which is a collection of permissions. You can find out more by typing "get-help Add-PublicFolderClientPermission -detailed".
Anyhow, the basic command I used to grant read/write access to the public folder was:
Add-PublicFolderClientPermission -Identity "\public folder name" -User "mrs goggins" -AccessRights PublishingEditor
Once that has completed you can view the permissions again by typing Get-PublicFolderClientPermission -Identity "\public folder name" to ensure that the permission has been set correctly.
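To tie the three steps together, here is an added PowerShell example (my own, not code from the original post) that backs up the ACL, grants the role, verifies the result and keeps the rollback command to hand. It assumes the Exchange 2007 Management Shell is loaded; the folder name, user and backup path are placeholders. One caveat worth knowing: PublishingEditor is more than plain read/write, as it can create, edit and delete every item in the folder and create subfolders. If subfolder creation is not wanted, Editor is the narrower role.

```powershell
# Added example, not from the original post. Run in the Exchange 2007 Management Shell.
# Placeholders: change the folder, user and backup path to suit your environment.
$Folder = "\Team Calendar"          # placeholder public folder identity
$User   = "mrs goggins"             # placeholder mailbox user
$Role   = "PublishingEditor"        # create/read/edit/delete all items + create subfolders
$Backup = "C:\perms-backup-$(Get-Date -Format yyyyMMdd-HHmm).txt"

# 1. Record the ACL before touching anything: this is the point of reference to revert to.
Get-PublicFolderClientPermission -Identity $Folder | Format-List | Out-File $Backup

# 2. Grant the role. -AccessRights takes a role name, or a list of individual rights.
Add-PublicFolderClientPermission -Identity $Folder -User $User -AccessRights $Role

# 3. Verify that the entry we expected is there (compare the full list against $Backup
#    to confirm nothing else changed).
Get-PublicFolderClientPermission -Identity $Folder |
    Where-Object { "$($_.User)" -like "*$User*" } |
    Format-Table User, AccessRights -AutoSize

# 4. Rollback when the access is no longer needed, or was granted by mistake.
#    Exchange 2007 requires the rights being removed to be named explicitly.
# Remove-PublicFolderClientPermission -Identity $Folder -User $User -AccessRights $Role
```

The backup file is the important part: a diff of the before and after listings is the quickest way to spot a typo in the folder path or user name before anyone relies on the new access.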
The worst button in virtualization
Yep, it's those above. I am of course talking about VMware snapshots and their dangerously entitled buttons.
The idea of snapshots in VMware is to give you a complete point of rollback for a virtual machine: not just a rollback of files on the VM but of the entire system state. For example, if you had a Windows XP VM with Service Pack 2 installed and some custom in-house developed critical application hosted on it, how do you know that installing Service Pack 3 onto the VM won't entirely foobar the custom app? You could of course uninstall Service Pack 3 if you really had to, but that would probably involve more downtime and there would be no guarantee that either the custom app or the XP installation itself would be working after the removal of the service pack.
This is where VMware snapshotting is an absolute godsend, and I'll explain why. Anyone who has played with any virtualization product even for a short while will know that VMs are actually only files on a server, SAN or NAS. VMware VMs are encased in files with the vmdk extension and snapshot files have the vmsn file extension.
Now, taking the above as an example, say you rock up to work Monday morning and your XP-based critical application on VirtualCenter is working lovely. Your security bod rolls up at your desk and says "hey, have you upgraded that XP box to SP3 yet?" and of course you say "nope, if I did that I think it might break". Naturally the security guy doesn't care; he just wants the pie charts he shows management to be an entirely pretty green colour.
So the unenviable task of installing the service pack begins: users are notified of downtime (remembering to add a couple of hours to the estimate) and SP3 is downloaded and converted to an ISO file. Before you begin you remember to press the create snapshot button. Behind the scenes this does several things: first it locks the vmdk file for the VM so no further changes can be made to it, then it creates the vmsn file, which is a delta file that all further changes to the VM are written to.
So off you go installing sp3 knowing that this could quite easily go either way for your critical app. So from your actions 2 things might happen:
1: An unholy mess occurs and critical app is sent spilling into the abyss
2: Nothing, your critical app is fine and you get to go home on time
If 1 occurs then you need a way of getting the VM back to the way it was before. Now say, for example, you were a bit green around VMware products and you were presented with the above buttons: the natural assumption is that "delete snapshot" means exactly that, DELETE. However, in VMware "delete" actually means something ever so slightly but crucially different. Delete means remove the snapshot file, not remove the snapshot data. So the Delete and Delete All buttons should actually read COMMIT.
So, as I've mentioned above, the sysadmin is fairly new to VMware and uses common sense to work out that he wants to revert to the previous state of the VM, so he needs to delete the snapshot, therefore deleting all the changes made to the VM since the snapshot's creation.
Uh-oh!
Not good. What he's actually done is commit the changes to the original vmdk file; panic ensues and the missus's perfectly cooked tea starts going tepid due to the amount of extra hours that have been put in.
What should have happened is that, through the snapshot manager, the point previous to the creation of the snapshot should have been selected and then the Go To button clicked to revert to the machine's previous state; then the snapshots can be safely deleted.
If 2 had occurred then the admin could quite have happily deleted the snapshot to commit the changes and gone on his way.
I really do think that vmware should change the title of those buttons to be a little less incorrect in their meaning.
Swing-o-blog
Well all, I've managed to land myself a new job, which I'm very pleased about. They run Exchange as their mail server so I guess I'll be blogging a bit about that, as it's been a while since I've actually managed an Exchange server. So as usual I will be blogging about stuff as I learn about it.
Dell PowerEdge SC440 and ESXi 4.1
This isn't really a post, more of an info bulletin that ESXi 4.1 works perfectly on a Dell SC440 server. The SC440 isn't currently on VMware's HCL and I found little info on compatibility when trying to find out myself.
For information, I used the vihostupdate Perl script which comes with the vSphere Command-Line Interface and the upgrade zip file to perform my update (see previous blog entry).
Updating ESXi 4 to 4.1 without Update Manager
Hi all,
So you have one or more ESXi boxes at home doing various tasks and they are currently running ESXi 4. You're tempted to update to 4.1 but do not have Update Manager installed and do not want the hassle of configuring ESXi again.
No problem, the good old command line to the rescue again. To upgrade 4 to 4.1 you need the ESXi 4.1 upgrade installation as a zip file and the vCLI (vSphere Command-Line Interface); both are available from the VMware site (I won't post links as I don't know how quickly they will age). Once you have downloaded the vCLI and installed it you will have a new program item in your Start\Programs\VMware folder called "VMware vCLI\Command Prompt". Click on that and it will dump you in the old familiar black and white screen. Ensure any VMs on the server are either powered off or migrated and put the host into maintenance mode.
Navigate your way to the "bin" directory (currently "c:\program files\vmware\vsphere cli\bin" on my computer) and run the following:
vihostupdate.pl --server 0.0.0.0 --install --bundle c:\zipfilelocation
(where 0.0.0.0 is the address of your ESXi host and c:\zipfilelocation is the path to the upgrade zip file). Press return and enter the ESXi server's admin credentials (probably the root account in a home environment). In a few minutes the command will complete and tell you that it needs to reboot the server before the process finishes; do this and when it comes back up exit maintenance mode.
WARNING: Before updating be sure to have consulted the VMware HCL (hardware compatibility list) to ensure that your server is compatible with the version you are trying to install. If your server is not specifically listed then you can check the individual components' compatibility either through the HCL or the community-driven HCL. The HCL is currently located HERE.
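For anyone who would rather script the sequence above than type it, here is an added example of my own (not from the original post) wrapping the same vCLI commands from Windows PowerShell 2.0. It adds two things a practitioner wants before pushing a bundle at a host: a hash of the bundle to compare against the checksum on VMware's download page, and a "before" listing of installed bulletins so the upgrade can be confirmed afterwards. The host name and bundle path are placeholders; the bin path is the one from the post and should be adjusted to your install. It assumes the vCLI's bundled Perl is on the PATH (it is when you start from the vCLI command prompt shortcut and then run powershell), and that the vicfg-hostops.pl script shipped with vCLI 4.x is available for maintenance mode and reboot.

```powershell
# Added example, not from the original post. Run from Windows PowerShell 2.0 started
# inside the "VMware vCLI\Command Prompt" so perl and the vCLI scripts resolve.
$Bin     = "C:\Program Files\VMware\vSphere CLI\bin"     # vCLI bin folder as on the post's machine; adjust
$EsxHost = "esxi01.example.local"                       # placeholder ESXi host name or IP
$Bundle  = "C:\updates\esxi-4.1-upgrade.zip"            # placeholder upgrade bundle

# 1. Hash the bundle and compare with the checksum VMware publishes for the download.
#    .NET is used directly so this works on PowerShell 2.0 (no Get-FileHash there).
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$hash = ($sha1.ComputeHash([System.IO.File]::ReadAllBytes($Bundle)) |
         ForEach-Object { $_.ToString("x2") }) -join ""
"Bundle SHA-1: $hash  ($Bundle)"

# 2. Maintenance mode first (VMs already powered off or migrated, as described above).
#    Each vCLI call prompts for the host's admin credentials.
perl "$Bin\vicfg-hostops.pl" --server $EsxHost --operation enter_maintenance

# 3. Record what is installed now so the 'after' state can be compared.
perl "$Bin\vihostupdate.pl" --server $EsxHost --query

# 4. Install the bundle, then reboot the host.
perl "$Bin\vihostupdate.pl" --server $EsxHost --install --bundle $Bundle
perl "$Bin\vicfg-hostops.pl" --server $EsxHost --operation reboot

# 5. Once the host is back, leave maintenance mode and re-run the query to confirm
#    the 4.1 bulletins are listed. Left commented because the reboot takes a while.
# perl "$Bin\vicfg-hostops.pl" --server $EsxHost --operation exit_maintenance
# perl "$Bin\vihostupdate.pl"  --server $EsxHost --query
```

The hash step is the one that matters from a supply-chain point of view: the bundle runs as root on the hypervisor, so a mirror or a cached download is worth checking against the vendor's published value before step 4.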
Ebook readers for technical manuals
I thought I'd post a little ditty about ebook readers. I've had one for a while now and thought I'd post my experiences.
Firstly, my ereader is a Sony Pocket Reader (PRS-300) and to be honest it's not as useful as I thought it might be. I had looked around before I bought it and understood that technical diagrams might come out a bit funky, but the issues I have with the device are more substantial than that.
The Pocket Reader seems to be only really of use for, say, novels, that is to say a large amount of unformatted text, which technical manuals do not have. As you know, tech books normally have maybe a paragraph or two like that and then a box-out or diagram, which normally goes hideously wrong on my Pocket Reader. Also, when you turn to a page that includes a picture of some description, the time to process and display that page increases dramatically to 15+ seconds, which is a lifetime compared to turning the pages of a book.
As a side note, if you have the page size set to small then the formatting of the pages is generally acceptable; however, I am quite sure the font would be far too small for anyone to read at a comfortable distance.
Speaking to other IT bods, a good ebook reader for technical manuals is the Kindle DX, as it has a much larger screen than mine so can display a properly formatted page at a decent font size. So I think I may be putting mine on eBay and saving up for a DX, which at the moment I think is available in the UK.
If you want a PDF reader for technical manuals or anything that does not consist of one large block of text then a Sony Pocket Reader is not for you.
UPDATE: I've had a Kindle DX for a few months now and I must say I love it. It's so much better than the smaller Sony I had (much quicker too); a great feature is the ability to email PDFs to it, which is useful for all those whitepapers and vendor guides that you pick up along the way.
Security Tool fake AV
Hi all,
Well, today a staff member handed me their laptop to have a look at (a Toshiba something with Vista Home Premium on it). It was infected with the "Security Tool" fake antivirus product. I am always really impressed with these types of infections: they are very well written and can be a complete headache for anyone to try and remove. Usually access to the command prompt and Task Manager is disabled, and the code is buried in all sorts of places so malware products find it tricky to remove; a reboot later and there it is, still well and truly stuck on your computer.
Now the extra problem with this laptop is that it has never had any antivirus product installed on it and of course also had various P2P clients installed, which is obviously just asking for trouble.
The fix for this one was simple, as I was fairly sure that the infection must have been recent because Security Tool is fairly prominent on an infected machine and generally causes a nuisance.
All I did was roll back to the last system restore point (type "system restore" into Vista's search function; this will work for any OS from XP upwards) and voilà, it was gone. Next I installed the Comodo Internet Security suite (free firewall and AV product, www.comodo.com). I then disabled the System Restore feature and rebooted the laptop so it removed the System Restore backups (viruses and trojans can reside in these locations and antivirus products cannot remove them from there, although they are generally only a risk if you use System Restore to revert to a point where the viruses reside).
A quick reboot later I began a full AV scan with Comodo and also installed Malwarebytes (http://www.malwarebytes.org/) and ran that. Both came up clear, and several reboots after that Security Tool has not reappeared, so all now seems to be well. I then re-enabled the System Restore feature.
The laptop can now be handed back to the staff member with a scathing reminder to: not use P2P services, have and use AV products, never do general browsing as administrator, and treat UAC prompts whilst browsing with a very high amount of suspicion.
These types of events always take me back to my first IT job working for a repair workshop. I mostly repaired home users' PCs and they would phone up saying "my machine's all messed up and doing weird things". "OK," I'd say, "you've got AV, haven't you?" "Yes, of course I have." "OK, you'd better bring it in then."
80% of the time you could bet that they had Norton or McAfee installed and it was a year or two out of date at least. Then you go down the "well, I take it you've got a backup of all your work" (blink) blank stare fiasco.
Ahh, lovely!
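The System Restore part of that clean-up can be driven from a script rather than the GUI, which is handy when the fake AV has locked the usual tools but an elevated PowerShell prompt still opens. The following is an added example of my own (not from the original post) that follows the same order as above: pick a pre-infection restore point, roll back, purge the old restore points by toggling System Restore off and on, and finally take a fresh known-clean checkpoint. It assumes Windows Vista or 7 with Windows PowerShell 2.0 run as administrator (these cmdlets are client-only and are not present on Server); the drive letter and checkpoint description are placeholders.

```powershell
# Added example, not from the original post. Elevated Windows PowerShell 2.0 on Vista/7.

# 1. List restore points, newest first, and pick the last one from before the infection.
#    Description usually says what created it (Windows Update, driver install, etc.).
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber -Descending |
    Format-Table SequenceNumber, Description, CreationTime -AutoSize

# 2. Roll back to the chosen point. This reboots the machine, so it is left
#    commented out; fill in the real sequence number from the list above.
# Restore-Computer -RestorePoint <SequenceNumber>

# 3. After the rollback and a clean AV/anti-malware scan, purge the old restore
#    points. Turning System Restore off discards them, so a later rollback cannot
#    bring the infected restore data back; then turn it on again.
Disable-ComputerRestore -Drive "C:\"      # placeholder drive; repeat per protected drive
Enable-ComputerRestore  -Drive "C:\"

# 4. Take a fresh, known-clean checkpoint as the new baseline.
Checkpoint-Computer -Description "Post clean-up baseline" -RestorePointType MODIFY_SETTINGS
```

Doing step 3 before step 4 matters: if the checkpoint is taken first, the toggle in step 3 throws it away along with the old ones.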
RODC password replication
Read Only Domain Controllers in Windows Server 2008 are designed primarily for use in branch offices (satellite locations with no onsite IT staff and slower links back to HQ).
I have blogged previously about installing an RODC, which is a nice straightforward dcpromo with an added tickbox at the end. The purpose of an RODC is obviously to provide local authentication and, if required, local DNS and a global catalogue. One thing that is not stored within an RODC is passwords for user accounts, which obviously results in WAN traffic when an authentication attempt is made.
However, there are two ways in which local users' passwords can be stored within the RODC's database.
One way is to add the users at the branch office to the "Allowed RODC Password Replication Group" on a writable domain controller.
The other is to assign objects on the "Password Replication Policy" tab of the RODC's computer account in AD.
When I say object, this can be a group or individual user accounts (although creating and assigning a group for this purpose is clearly easier).
It is quicker and easier to add the user accounts to the Allowed RODC Password Replication Group in AD; however, this presents a possible minor issue. By putting users into this group their password data will replicate to all RODCs in the domain. This is not a problem if you only have one branch office, but what if you have more than one? Say you have 20 or more all over the world, and branch offices can have a decent number of staff in them. This could quickly balloon the WAN traffic in each branch office as they receive all the completely unnecessary password data for the other 19 branch offices in the organisation.
Of course, even with a modest residential ADSL line it probably won't bring the connection crashing down around your ears, but every meg counts.
So if you have more than one branch office, or it seems expansion of the business is on the cards, then taking a few extra minutes to set up new groups and assign them specifically to the RODC computer accounts is worth it.
Within the RODC computer account's "PRP" tab you can also add other groups and accounts to the policy and specify whether the group/user is allowed or denied password replication. As always, if a user is a member of several groups then a deny always overrides an allow.
Also, don't forget that computer accounts also log on to the domain, so adding computers to the policy is also a good idea, as a prolonged WAN outage may well cause issues for the computers if their passwords are not cached as well.
Cloned Template Hardware Bug in VMware ESX 3.5 U2
Today I've been wrestling with this http://xtravirt.com/xd10070 bug in ESX 3.5 U2.
The link provides a good insight into what causes it (basically, when cloning a template and editing the hardware before the clone begins, the source vmdk is actually used instead of the newly cloned vmdk).
This of course becomes a problem if you decide you don't need the template anymore and delete it: the flat file doesn't delete but everything else does, and the next time you go to reboot the problem VM you get a "file not found" error and it will not let you boot the VM back up again.
I managed to get round this problem by creating a blank VM with the same specifications (most importantly disk size and OS version).
Then copy the remaining flat file of the corrupted VM into the folder containing the newly created VM using the datastore browser.
Rename the newly created VM's flat file, either through SSH on a host under /vmfs/volumes/{your bit here} or through the datastore browser.
Rename the corrupted flat file to the newly created VM's name (for example, the corrupted flat file might be called vm1-flat.vmdk and the newly created VM might be called vm2, so rename vm1-flat.vmdk to vm2-flat.vmdk).
Then power on the VM and confirm that the OS is still intact and working as it should.
I thought it was best to copy the corrupted flat file just in case something went wrong as I was performing these actions, so I would still have the actual VM OS data to go back to.
TTFN.
Read Only Domain Controller for Windows Server 2008 R2
RODCs (Read Only Domain Controllers) are a great new feature of Server 2k8. A nice little light feature as well, that does not require a great deal of setting up or babysitting.
An RODC's primary purpose is to provide local caching of the Active Directory database, and DNS if required, to remote branch offices. The main reasons for this could be that the link between the branch office and the domain controller at the head office is slow or prone to failures.
To implement an RODC there are several obvious prerequisites:
Because it's read only, the RODC will need to be installed in an already established domain, so all the fun stuff that goes with that is also required.
An RODC also has a couple of gotchas you will need to keep in mind. An RODC has a local administrator account... Yep, that's right, it flies in the face of everything you know about domain controllers, but it does; or at least a domain user or group is elected the local administrator of the RODC only. You can think of an RODC as not actually a full DC but maybe something along the lines of a member server running a mini DC role. The handy thing with having a local administrator is that maybe someone at your branch office has been given a little bit of power on the server, maybe they are allowed to reboot it for you if required or check something. They can, without any fear of them being able to fiddle with any aspect of the DC service.
To install an RODC you will need to have added the server to the domain already as a member. It does not need to be added to the exact domain that the server will be an RODC for, only a domain in the tree.
You would then need to run a dcpromo and follow the prompts as you would normally expect to, until you get to the point of clicking the RODC option. You will also then have the choice of including DNS and global catalog as part of the RODC's role. Now, thinking back to the purpose of an RODC, which is primarily to provide local authentication to branch office users without the constant game of ping pong across a WAN or some other slow link, it is sensible to leave DNS and global catalog ticked so that they are installed on the RODC as well. This has the added bonus of leaving the branch site at least some backup and functionality should the WAN link go down: the branch office keeps some form of name resolution and authentication to any other servers or services on the branch site.
By default an RODC will not store password information from AD in its RODC role; this is controlled by two policies, one allow and one deny. You may decide that it would be a good idea to allow password caching on the RODC for the users based at the branch office so they don't need to hop across the WAN for all authentication requests.
I will post another blog on administering an RODC once the role has been installed.
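The allow/deny policy mentioned here, and the per-branch group approach recommended in the RODC password replication post above, can both be set up and audited from PowerShell. The following is an added example of my own (not from either post) using the Active Directory module that ships with Windows Server 2008 R2, run on a writable DC or a machine with RSAT. The RODC name, site, OU path and group name are placeholders; "Allowed RODC Password Replication Group" and "Denied RODC Password Replication Group" are the real built-in groups.

```powershell
# Added example, not from the original posts. Per-branch password replication policy
# for one RODC using the 2008 R2 Active Directory module. All names are placeholders.
Import-Module ActiveDirectory

$Rodc      = "RODC-LONDON"                                  # placeholder RODC computer name
$Site      = "London"
$BranchOU  = "OU=$Site,OU=Branches,DC=example,DC=local"     # placeholder OU holding branch users and PCs
$GroupName = "PRP-Allowed-$Site"

# 1. One allow group per branch, instead of the domain-wide
#    "Allowed RODC Password Replication Group", so this branch's secrets are only
#    ever cached on this branch's RODC rather than replicated to every RODC.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Description "Accounts whose secrets may be cached on $Rodc"

# 2. Branch users AND branch workstations: computer accounts log on to the domain too,
#    so they need caching to survive a prolonged WAN outage.
$Members = @(Get-ADUser -Filter * -SearchBase $BranchOU) +
           @(Get-ADComputer -Filter * -SearchBase $BranchOU)
Add-ADGroupMember -Identity $GroupName -Members $Members

# 3. Attach the group to this RODC's policy (the PRP tab on its computer account).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $GroupName

# 4. Review the effective policy. A Denied entry always wins over an Allowed one, so
#    admins and the other members of "Denied RODC Password Replication Group" stay
#    uncached even if one of them ends up in the branch group by accident.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList

# 5. Audit what the RODC actually holds (revealed) against who has authenticated
#    through it: anyone in the second list but not the first is still crossing the
#    WAN on every logon, and anyone revealed who should not be is a finding.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
```

The revealed list in step 5 is also what you would consult if the branch server were ever stolen: those are the accounts whose credentials need resetting, which is a much shorter list with a per-branch group than with the domain-wide allowed group.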