Archive for microsoft

Upgrading Windows Server 2008R2 Editions With DISM

The Task

We are currently running Windows Server 2008 R2 Standard and want to change the edition to Windows Server 2008 R2 Enterprise so that we can assign more than 32 GB of RAM to our VMs.

Please note the following:

  • You can only do upgrades. You CANNOT downgrade.
  • The server you upgrade cannot be a domain controller (demote, upgrade, then promote again).
  • This works on Standard and Enterprise editions, on both full and Server Core installations.
  • You cannot switch from Server Core to full or vice versa. It is an edition upgrade only, not a way of switching the type of install.

Supported Upgrade Paths

  • Windows Server 2008 R2 Standard -> Windows Server 2008 R2 Enterprise -> Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Standard Server Core -> Windows Server 2008 R2 Enterprise Server Core -> Windows Server 2008 R2 Datacenter Server Core
  • Windows Server 2008 R2 Foundation -> Windows Server 2008 R2 Standard

Using DISM

DISM (Deployment Image Servicing and Management) is an extremely useful tool that lets you upgrade the edition of a running operating system without having to attach an ISO and run a full upgrade from it.

Instructions

  • Log into your server
  • Open a Command Prompt
  • Run the DISM command that reports the current edition of your server
  • Run the DISM command that lists the target editions your server can be upgraded to
  • Run the DISM command that upgrades the edition of your operating system. You will need your license key. If you don't know it, and you have another server already running the edition you want to upgrade to, a small piece of software called Jellybean Keyfinder can detect the key on that server. A very useful piece of software.
  • Note I have blanked out our key
  • Reboot, and the server will go through a short upgrade process.
  • Check the edition of Windows once you are back in the system.
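
An added example, not part of the original post: a PowerShell wrapper for the three DISM steps above that also enforces the two caveats from the notes (no domain controllers, upgrades only). It assumes DISM's usual output lines "Current Edition : <id>" and "Target Edition : <id>"; the product key in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Wraps the DISM edition upgrade and
# checks the post's caveats first. Assumes DISM prints "Current Edition : <id>"
# and "Target Edition : <id>" lines (edition IDs look like ServerEnterprise).

function Get-DismEditions {
    # Parses the current edition and the editions DISM is willing to upgrade to.
    $current = & dism.exe /online /Get-CurrentEdition |
        Select-String -Pattern 'Current Edition\s*:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Select-Object -First 1
    $targets = & dism.exe /online /Get-TargetEditions |
        Select-String -Pattern 'Target Edition\s*:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    New-Object PSObject -Property @{ Current = $current; Targets = @($targets) }
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Set-ServerEdition {
    param(
        # Edition ID exactly as DISM names it in /Get-TargetEditions, e.g. ServerEnterprise.
        [Parameter(Mandatory=$true)] [string] $TargetEdition,
        # 25-character product key for the target edition, in five groups of five.
        [Parameter(Mandatory=$true)] [ValidatePattern('^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$')]
        [string] $ProductKey
    )
    if (Test-IsDomainController) {
        throw 'This server is a domain controller. Demote it before changing the edition.'
    }
    $editions = Get-DismEditions
    if (-not $editions.Current) { throw 'Could not read the current edition from DISM.' }
    if ($editions.Targets -notcontains $TargetEdition) {
        # Covers downgrades, same-edition requests and Core/full switches: DISM does not list them.
        throw ("Cannot move from {0} to {1}. DISM offers: {2}" -f `
            $editions.Current, $TargetEdition, ($editions.Targets -join ', '))
    }
    Write-Host ("Upgrading {0} -> {1}; a reboot is required afterwards." -f $editions.Current, $TargetEdition)
    # On Windows Server 2012 and later /Set-Edition additionally requires /AcceptEula.
    & dism.exe /online "/Set-Edition:$TargetEdition" "/ProductKey:$ProductKey"
    # 0 = success; 3010 = success, reboot required.
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
        throw "DISM failed with exit code $LASTEXITCODE"
    }
}

# Usage from an elevated prompt (the key below is a placeholder, not a real key):
# Set-ServerEdition -TargetEdition ServerEnterprise -ProductKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
```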

Link for DISM

https://technet.microsoft.com/en-us/library/dd744380%28WS.10%29.aspx

Link for Jellybean Keyfinder

https://www.magicaljellybean.com/keyfinder/

Using SQL Server Copy Database Wizard

The Task

Move our SCOM DB from a Windows 2003 server running SQL 2005 to a Windows 2008 R2 server running SQL 2008.

The Plan

SQL Server has a Copy Database feature. The Copy Database Wizard provides a convenient way to move or copy one or more databases and their objects from a SQL Server 2000 or SQL Server 2005 instance to an instance of SQL Server 2005 or later.

You can use the Copy Database Wizard to perform the following tasks:

  • Transfer a database when the database is still available to users by using the SQL Server Management Objects (SMO) method.
  • Transfer a database by the faster detach-and-attach method with the database unavailable during the transfer.
  • Transfer databases between different instances of SQL Server 2005.
  • Upgrade databases from SQL Server 2000 to SQL Server 2005.

Requirements

  • The destination server must be running SQL Server 2005 Service Pack 2 or a later version. The computer on which the Copy Database Wizard runs may be the source or destination server, or a separate computer. This computer must also be running SQL Server 2005 Service Pack 2 or a later version to use all the features of the wizard.
  • To use the Copy Database Wizard, you must be a member of the sysadmin fixed server role on the source and destination servers. To transfer databases by using the detach-and-attach method, you must have file system access to the file-system share that contains the source database files.

Considerations

Instructions

  • Open SQL Server Management Studio.
  • In Object Explorer, expand Databases, right-click a database, point to Tasks, and then click Copy Database.
  • Click Next.
  • Select the database you want and choose the authentication.
  • Select a destination server. You may need to browse for other servers. E.g. I want to copy a database from my server dacvsq001 to dacvsql002.
  • If you get an error saying "Index was outside the bounds of the array", you may need to install a higher version of SQL Server Management Studio on the source server.
  • You can select to transfer while the DB is offline or online.
  • Next select the database you want to copy or move.
  • Here you can change the name of the database and also select the location of the database and log files to copy or move.
  • Next you can select additional objects to copy.
  • Specify a file share containing the source database files.
  • Configure the package.
  • Run immediately or schedule the job.
  • Check the details you have configured and click Finish.

Installing Windows 2012 RDS Roles (License Server, Connection Broker, RD Session Host and RD Web Access)

Instructions

  • Log into your server
  • Click on Dashboard and, under Configure this local server, select Add roles and features
  • Choose Role-based or feature-based installation
  • Select the destination server for these roles
  • Select Remote Desktop Services. Click Next
  • Select any features as required
  • Read the description and click Next
  • Select Role Services
  • If you choose the Connection Broker role, it will prompt you to install Windows Internal Database
  • Choose the RDS services you need. Note: I am installing 4 roles today
  • You will see a Web Server (IIS) page. Click Next
  • Select Role Services. This shows the IIS role services. Leave them as they are for now.
  • Check the Confirm Installation Selections page. I would tick Restart the destination server automatically if required.

  • To activate the licensing server, go to Tools > Terminal Services and launch Remote Desktop Licensing Manager.
  • You will see it is not activated
  • Right-click on the server and select Activate Server
  • This will bring up the Welcome to the Activate Server Wizard
  • You will now see the Connection Method screen
  • You will need to fill in your company information followed by some optional information. When you have done this, click Next. It should then activate your server and ask you if you want to install licenses
  • You will now see the Welcome to the Install Licenses Wizard
  • Note: you can try to go through this as we did, but it didn't work with web enrolment. It may work with your setup
  • We had to go back to the Licensing Manager, right-click on the server > select Properties, change the connection method to Telephone, and activate our TS User CALs this way.
  • We then used the link below to call Microsoft to activate our licenses; they gave us back a product key to put in the Install Licenses Wizard.
  • You will now see the License Program page
  • Select your License Program. In our case it is Service Provider License Agreement
  • Depending on what option you select, you will require enrollment numbers, agreement numbers etc.
  • Choose your O/S
  • Choose whether it is Per Device, Per User or VDI Suite.
  • In our case it was 20 Per User licenses
  • Click Next
  • Now go back to your RD Licensing Manager screen and click on Review.
  • You need to be a Domain Admin to add the license server to the Terminal Servers group in AD
  • Note: if at this point you haven't managed to activate your user CALs, this is the point I mentioned earlier: go to the properties of the server, select Telephone, phone Microsoft and get a key from them to put in the Install Licenses Wizard

  • Next go back to your 2012 Dashboard and select Add Roles and Features
  • Choose Remote Desktop Services installation
  • You will now be on the Select Deployment Type page. Select your broker server and choose Standard deployment
  • On the Select Deployment Scenario page choose Session-based desktop deployment
  • You will find that the roles we previously installed come up here
  • Click Next
  • It will say the RD Connection Broker server already exists
  • Click Next
  • On the Specify RD Web Access server page, put a tick in the box which says "Install the RD Web Access role service on the RD Connection Broker server"
  • On the Specify RD Session Host servers page, select the machine you want the RD Session Host role to be on
  • Check the Confirm Selections page, tick Restart the destination server automatically if required, and click Deploy
  • It should start to install
  • Once the RDS roles are installed, we see a graphical description of our environment, the roles installed on each of the servers and the FQDN of each server on the Overview page
  • In case you are trying to find the tools that used to be available on a server running the RD Session Host... you can stop looking. The tools Remote Desktop Session Host Configuration and RemoteApp Manager have been removed from the RD Session Host role in Windows Server 2012. Instead, most of the settings can now be configured using the new Server Manager console or the new PowerShell module RemoteDesktop. For other settings, you can still use GPOs.

  • Next, we will configure the Session Host
  • Go to Server Manager > Remote Desktop Services > Overview
  • Click on RD Session Host > Tasks > Edit Deployment Properties
  • Ignore RD Gateway
  • On the RD Licensing page select your licensing mode and put in your license server
  • You can check your RD License Server configuration in PowerShell
  • You may find that licensing errors with "The licensing mode for the remote desktop session host server is not configured"
  • If this is the case, you will need to open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing
  • Modify Use the specified Remote Desktop license servers and put in the license server
  • Modify the Remote Desktop licensing mode setting to Per User or Per Device depending on your agreement
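
The PowerShell check referred to above, written here as an added example rather than the post's own command: it reads the effective licensing mode and license server list from the Win32_TerminalServiceSetting WMI class on the session host and compares them with what the two Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (both assumed to be the standard locations). The optional -ConnectionBroker parameter adds the deployment-wide view from the RemoteDesktop module's Get-RDLicenseConfiguration where that cmdlet exists.

```powershell
# Added example, not from the original post. Run on the RD Session Host. Reports the
# licensing mode/servers actually in effect (WMI) next to what Group Policy pushed
# (policy registry key), and flags the "not configured" state quoted above.

function Get-RdsLicensingState {
    param([string] $ConnectionBroker)   # optional FQDN of the RD Connection Broker

    # Win32_TerminalServiceSetting.LicensingType values.
    $modeNames = @{ 0 = 'Personal Terminal Server'; 1 = 'Remote Desktop for Administration';
                    2 = 'Per Device'; 4 = 'Per User'; 5 = 'Not configured' }

    # Effective view: what the session host is using right now.
    $ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TerminalServiceSetting
    $effectiveMode = [int]$ts.LicensingType
    $effectiveServers = @()
    try {
        $list = $ts.GetSpecifiedLicenseServerList().SpecifiedLSList
        if ($list) { $effectiveServers = @($list) }
    } catch { }

    # Policy view: "Use the specified Remote Desktop license servers" and
    # "Set the Remote Desktop licensing mode" land under this key when applied by GPO.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $polMode = (Get-ItemProperty -Path $polKey -Name LicensingMode -ErrorAction SilentlyContinue).LicensingMode
    $polServersRaw = (Get-ItemProperty -Path "$polKey\LicenseServers" -Name SpecifiedLicenseServers `
        -ErrorAction SilentlyContinue).SpecifiedLicenseServers
    $polServers = @()
    if ($polServersRaw) { $polServers = @($polServersRaw) }
    $polModeName = '(not set by GPO)'
    if ($polMode -ne $null) { $polModeName = $modeNames[[int]$polMode] }

    $problems = @()
    if ($effectiveMode -eq 5) {
        $problems += 'Licensing mode is not configured (the error quoted above).'
    }
    if ($effectiveServers.Count -eq 0) {
        $problems += 'No license server is specified on this host.'
    }
    if ($polMode -ne $null -and [int]$polMode -ne $effectiveMode) {
        $problems += 'GPO licensing mode differs from the effective mode; run gpupdate /force and re-check.'
    }

    # Deployment-wide view from the RemoteDesktop module (Windows Server 2012), if present.
    $deployMode = $null; $deployServers = @()
    if ($ConnectionBroker -and (Get-Command Get-RDLicenseConfiguration -ErrorAction SilentlyContinue)) {
        $cfg = Get-RDLicenseConfiguration -ConnectionBroker $ConnectionBroker
        $deployMode = $cfg.Mode
        $deployServers = @($cfg.LicenseServer)
    }

    New-Object PSObject -Property @{
        EffectiveMode     = $modeNames[$effectiveMode]
        EffectiveServers  = $effectiveServers
        PolicyMode        = $polModeName
        PolicyServers     = $polServers
        DeploymentMode    = $deployMode
        DeploymentServers = $deployServers
        Problems          = $problems
    }
}

# Usage (broker name is a placeholder):
# Get-RdsLicensingState | Format-List
# Get-RdsLicensingState -ConnectionBroker 'broker.example.local' | Format-List
```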

  • Next, on to Session Collections.
  • Go to Server Manager > Remote Desktop Services > Collections
  • Note: the Connection Broker connects and reconnects users to their virtual desktops, RemoteApp-published applications and session-based desktops. It's a mandatory RDS component in Windows Server 2012, and it's installed by default when you deploy Remote Desktop Services. The Connection Broker load-balances requests to RD Session Host servers in a session collection or to virtual desktop pools.
  • Click Tasks > Create Session Collection
  • Collections are a logical grouping of Remote Desktop servers that provides either session-based or virtual machine-based (VDI) deployments.
  • Each Session Host that's a member of an RDS collection can only participate in one collection.
  • Click Next
  • Put in a name and description
  • Specify the RD Session Hosts you want to add to this collection
  • Specify the user groups
  • Specify user profile disks: uncheck the Enable user profile disks checkbox and hit Next.
  • Confirm selections
  • You might also want to look into certificates, which are accessed from Server Manager > Remote Desktop Services > Overview > Tasks > Edit Deployment Properties
  • Select Certificates
  • More information can be found on Microsoft's webpages 🙂

Some other important information

We also had 2 Terminal Servers in this setup which were on a different network. I had to do the following:

  • Go to Server Overview
  • Go to Add other servers to manage
  • Search for and add the servers you need
  • Once these are added, go to Server Manager > Remote Desktop Services and add these servers, which should now appear. Be careful, as it will install the RD Session Host role and will reboot the servers.

Load Balancing

If you want full load balancing, your users can use RD Web Access. The GUI for the remote desktop client (on any platform) does not have a way to specify the collection. Connecting to the RD Connection Broker will not load balance, nor would connecting to any RD Session Host server directly. You can manually edit an .rdp file to specify the collection and that process works, but is convoluted for end users. RD Web Access has become the preferred method for disseminating .rdp connection info in 2012 to accommodate the change to collections and the RDCB role.

RD Licensing Manager

You may notice there is an expiry period on issued licenses in RD Licensing Manager.

The period is based on the minimum transfer rights in the license agreement, which in our case is a Service Provider Agreement (IBM's licensing agreement from Microsoft): 60 days.

The license agreement is part of the purchase. It varies by region and by how you purchased it. It is a legally binding document and describes how the purchased product can be used. For example, an OEM server license often includes the stipulation that it cannot be transferred to a new machine at all. The discounted OEM pricing benefit comes at the cost of reduced mobility.

For CALs, it is common to see restrictions stating that a CAL can only be transferred to a new user every 60/90/120 days. This allows you to reassign a CAL in the event a user had to be dismissed, but prevents abuse such as using one user CAL for multiple shift users by claiming "I transfer the CAL every 8 hours."

So in theory you buy as many licenses as you have users. Say you have 20 licenses and 20 users log in and each takes a license. If for some reason a 21st person logs in, the system will allow it because it will assign a temporary CAL; however, this is a breach of your license agreement until another CAL expires and is released after the 60 days. Note that TS/RDS CALs are *not* legally licensed by concurrent users, but by TOTAL users. So if you have 50 users but only expect 17 to be logged on at a time, you still need 50 CALs, not 10 or even 20. The same applies to device licensing and device CALs: you pay for total devices, not concurrent devices, which in the era of mobility, BYOD and similar trends can be an unknown, making user licensing more flexible in most (but not all) circumstances.

Other good links

http://ryanmangansitblog.com/2013/09/27/rds-2012-deployment-and-configuration-guides/

http://pdfs.loadbalancer.or/Microsoft_Remote_Desktop_Services_Deployment_Guide.pdf

 

NTFS File/Folder and Path Limits

What is a file system?

A file system is a part of the operating system that determines how files are named, stored, and organized on a volume. A file system manages files and folders, and the information needed to locate and access these items by local and remote users. NTFS, short for New Technology File System, is a file system that was introduced by Microsoft in 1993 with Windows NT 3.1.

Benefits of NTFS

  • Increasing reliability

NTFS uses its log file and checkpoint information to restore the consistency of the file system when the computer is restarted in the event of a system failure. In the event of a bad-sector error, NTFS dynamically remaps the cluster containing the bad sector and allocates a new cluster for the data, as well as marking the cluster as bad and no longer using it. For example, by formatting a POP3 mail server with NTFS, the mail store can offer logging and recovery. In the event of a server crash, NTFS can recover data by replaying its log files.

  • Increasing security

NTFS allows you to set permissions on a file or folder, and specify the groups and users whose access you want to restrict or allow, and then select the type of access. NTFS also supports the Encrypting File System (EFS) technology used to store encrypted files on NTFS volumes. Any intruder who tries to access your encrypted files is prevented from doing so, even if that intruder has physical access to the computer. For example, a POP3 mail server, when formatted with an NTFS file system, provides increased security for the mail store, security that would not be available should the server be formatted with the FAT file system.

  • Supporting large volumes

NTFS allows you to create volumes of the following sizes:

  1. Up to 16 terabytes using the default cluster size (4 KB) for large volumes.
  2. Up to 256 terabytes using the maximum cluster size of 64 KB.
  3. NTFS also supports larger files and more files per volume than FAT File Systems.

Limited space on a volume

If your organization has limited space on a volume, NTFS provides support for increasing storage on a server with limited disk space.

  1. Disk quotas allow you to track and control user disk space usage for NTFS volumes.
  2. NTFS supports compression as well as adding unallocated space from the same disk or from another disk to increase the size of an NTFS volume.
  3. Mounted volumes allow you to mount a volume at any empty folder on a local NTFS volume if you run out of drive letters or need to create additional space that is accessible from an existing folder.

Using features available only in NTFS

NTFS has a number of features that are not available if you are using a FAT file system. These include:

  1. Distributed link tracking. Maintains the integrity of shortcuts and OLE links. You can rename source files, move them to NTFS volumes on different computers within a Windows Server 2003 or Windows 2000 domain, or change the computer name or folder name that stores the target without breaking the shortcut or OLE links.
  2. Sparse files. Large, consecutive areas of zeros. NTFS manages sparse files by tracking the starting and ending point of the sparse file, as well as its useful (non-zero) data. The unused space in a sparse file is made available as free space.
  3. NTFS change journal. Provides a persistent log of changes made to files on a volume. NTFS maintains the change journal by tracking information about added, deleted, and modified files for each volume.
  4. Hard links. NTFS-based links to a file on an NTFS volume. By creating hard links, you can have a single file in multiple folders without duplicating the file. You can also create multiple hard links for a file in a folder if you use different file names for the hard links. Because all of the hard links reference the same file, applications can open any of the hard links and modify the file.
  5. Volume Shadow Copy Service. Service that provides an infrastructure for creating highly accurate, point-in-time shadow copies. These copies of a single volume or multiple volumes can be made without affecting the performance of a production server. The Volume Shadow Copy Service can produce accurate shadow copies by coordinating with business applications, backup applications, and storage hardware.
  6. Distributed File System (DFS). Strategic storage management solution in Windows Server 2003 that enables you to group shared folders located on different servers logically by transparently connecting them to one or more hierarchical namespaces.
  7. File System Replication (FRS). Technology that replicates files and folders stored in the SYSVOL shared folder on domain controllers and Distributed File System (DFS) shared folders. When FRS detects that a change has been made to a file or folder within a replicated shared folder, FRS replicates the updated file or folder to other servers.

FAT32 and NTFS Limits

FAT32:

  • Maximum disk size: 2 terabytes
  • Maximum file size: 4 gigabytes
  • Maximum number of files on disk: 268,435,437
  • Maximum number of files in a single folder: 65,534

NTFS:

  • Maximum disk size: 256 terabytes
  • Maximum file size: 256 terabytes
  • Maximum number of files on disk: 4,294,967,295
  • Maximum number of files in a single folder: 4,294,967,295

File Path Lengths

In the Windows API, the maximum length for a path is MAX_PATH, which is defined as 260 characters. A local path is structured in the following order: drive letter, colon, backslash, name components separated by backslashes, and a terminating null character. For example, the maximum path on drive D is “D:\some 256-character path string<NUL>” where “<NUL>” represents the invisible terminating null character for the current system codepage. (The characters < > are used here for visual clarity and cannot be part of a valid path string.)

The Windows API has many functions that also have Unicode versions to permit an extended-length path for a maximum total path length of 32,767 characters. This type of path is composed of components separated by backslashes, each up to the value returned in the lpMaximumComponentLength parameter of the GetVolumeInformation function (this value is commonly 255 characters). To specify an extended-length path, use the “\\?\” prefix. For example, “\\?\D:\very long path”.

Long Path Tool

There is a brilliant piece of software called Long Path Tool. It can scan a directory or folder and tell you which paths are over the 256-character limit.

http://longpathtool.com/

GetFolderSize

This is another piece of free software, which can tell you the folder and file sizes for a directory and its subfolders.

http://www.getfoldersize.com/en_download.htm#info

Useful Microsoft Link for detailed NTFS information

https://msdn.microsoft.com/en-us/library/aa365247%28VS.85%29.aspx

 

Software rollout via Group Policy

How can we install software remotely from Group Policy?

  • Assigning Software

You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed. Assigned means that the application appears on the start menu.

  • Publishing Software

You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.

What type of software file can we deploy?

The Group Policy Management Console's job here is to deploy MSI files. GPMC can also deploy other kinds of files, but I'm going to skip over that for today and focus only on MSI files.

Remember: MSI files are application packages that come from manufacturers (or you can create them yourself with 3rd-party MSI repackaging tools).

Step 1 Create a Distribution Point

  • Log on to the server as an administrator (I am using my test lab)
  • Create a shared network folder where you will put the Microsoft Windows Installer package (.msi file) that you want to distribute
  • Set permissions on the share to allow access to the distribution package.
  • You must add Authenticated Users with Read access to both the share and the NTFS permissions if you are applying this to computer OUs, as computers are Authenticated Users in AD
  • Copy or install the package to the distribution point.
  • I'm going to use the Google Chrome 32-bit .msi
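
An added example (not from the original post) that audits the distribution point before the GPO points at it: computer accounts need Read through Authenticated Users, but nothing broader than the admins who maintain the share should be able to write to it, because whatever .msi sits there is installed as SYSTEM on every targeted machine. The path is the post's example share, and the list of broad principals is an assumption to adjust for your domain.

```powershell
# Added example, not from the original post. Checks the NTFS ACL of a software
# distribution point for (a) Read & Execute granted to Authenticated Users and
# (b) write-class rights granted to broad principals, then verifies the Authenticode
# signature of every MSI in it. Share-level permissions are checked separately
# (e.g. 'net share <name>', or Get-SmbShareAccess on Windows Server 2012 and later).

function Test-DistributionPoint {
    param([Parameter(Mandatory=$true)] [string] $Path)

    # Principals that effectively mean "every user or computer in the domain" (assumed list).
    $broadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users',
                         'Domain Computers', 'INTERACTIVE', 'NETWORK')
    $writeRights = [int][System.Security.AccessControl.FileSystemRights] 'Write, Delete, ChangePermissions, TakeOwnership'
    $readRights  = [int][System.Security.AccessControl.FileSystemRights] 'ReadAndExecute'
    # Inherited "special" ACEs can carry generic rights instead: GENERIC_WRITE | GENERIC_ALL.
    $genericWrite = 0x40000000 -bor 0x10000000

    $findings = @()
    $authUsersCanRead = $false

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $fullName = $ace.IdentityReference.Value
        $name = $fullName.Split('\')[-1]
        $rights = [int]$ace.FileSystemRights

        if ($name -eq 'Authenticated Users' -and (($rights -band $readRights) -eq $readRights)) {
            $authUsersCanRead = $true
        }
        $canWrite = (($rights -band $writeRights) -ne 0) -or (($rights -band $genericWrite) -ne 0)
        if (($broadPrincipals -contains $name) -and $canWrite) {
            $findings += "NTFS: '$fullName' has $($ace.FileSystemRights); anyone in that group could replace the package."
        }
    }
    if (-not $authUsersCanRead) {
        $findings += "NTFS: 'Authenticated Users' lacks Read & Execute, so computer accounts cannot fetch the package."
    }

    # An unsigned or tampered MSI should not be assigned to anything.
    foreach ($msi in Get-ChildItem -Path $Path -Filter *.msi) {
        $sig = Get-AuthenticodeSignature -FilePath $msi.FullName
        if ($sig.Status -eq 'Valid') {
            $findings += "$($msi.Name): signed by $($sig.SignerCertificate.Subject)"
        } else {
            $findings += "$($msi.Name): signature status $($sig.Status)"
        }
    }

    New-Object PSObject -Property @{
        Path                      = $Path
        AuthenticatedUsersCanRead = $authUsersCanRead
        Findings                  = $findings
    }
}

# Usage (the UNC path is the post's example share):
# Test-DistributionPoint -Path '\\dacvads001\SoftwareDistribution' | Format-List
```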

Step 2 Create a Group Policy Object

  • I am just going to test this on a Windows 7 machine
  • Open Group Policy Management Console
  • Find the OU which contains the computer(s) you want to apply the policy to, right-click and select Create a GPO in this domain, and Link it here
  • Put in a name. Mine is Software_Distribution_GPO
  • Click on the policy to select it.
  • In my policy I am going to set the security filtering to just my Windows 7 test machine (dacvmed001)
  • Click Edit on your GPO
  • Under Computer Configuration expand Policies to see Software Settings
  • Right-click and select New > Package
  • Type in the full (UNC) path to your Software Distribution share. In my case \\dacvads001\SoftwareDistribution
  • You should now see your .msi software
  • Click Assigned. If you click Advanced, it gives you options to configure Published or Assigned options and to apply modifications to a package
  • NOTE: The Published option is greyed out as it is only available if I deploy my package to a user container. Software deployed to computers does not support publishing
  • You can now see your package in your GPO
  • If you right-click on your package and select Properties, you can see further information. Note I have screenprinted the properties of the SQL Client
  • The General tab
  • The Deployment tab
  • Basic means that the user will see few or no screens when the application installs.
  • Maximum means that the user will have full interaction when the application installs.
  • Advanced options
  • Upgrades
  • Categories
  • Modifications
  • Security
  • Next do a gpupdate /force on the domain controller and reboot your PC.
  • Check that the software has been installed in Control Panel > Programs and Features

Redeploy an MSI package

Sometimes you may need to redeploy a package (for example when doing an upgrade). For redeploying a package you can follow these steps:

  • Open Group Policy tab, select the object you used to deploy the package and click Edit
  • Expand the Software Settings element (per-user or per-machine) which contains the deployed package
  • Expand the Software Installation element which contains the deployed package
  • Right-click the package in the right pane of the Group Policy window
  • Select the All Tasks menu and click Redeploy application
  • Click the Yes button for reinstalling the application wherever it is installed
  • Close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

Remove an MSI package

Group Policy also allows you to remove packages which have been deployed in the past. Here are the steps for removing a package:

  • Open Group Policy, select the object you used to deploy the package and click Edit
  • Expand the Software Settings element (per-user or per-machine) which contains the deployed package
  • Expand the Software Installation element which contains the deployed package
  • Right-click the package in the right pane of the Group Policy window
  • Select the All Tasks menu and click Remove
  • Select from the following options:
    • Immediately uninstall the software from users and computers
    • Allow users to continue to use the software but prevent new installations
  • Click the OK button to continue
  • Close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

What can we do about .exe files that we want to turn into usable .msi files?

You will need a packaging utility to turn the .exe file into an .msi file. Many of them are available for instant download from the internet.

One of the best ones I have trialled is http://www.exetomsi.com/

Tips and Advice on EXE to MSI Repackaging

http://exe-to-msi.com/

Using WMI Filters in Group Policies

What are WMI Filters?

Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.

When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows 2000, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.

WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.

The WMI filter is a separate object from the GPO in the directory.

To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter; however, the same WMI filter can be linked to multiple GPOs.

WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain.

GPOs are processed in the following order

  • The local GPO is applied.
  • GPOs linked to sites are applied.
  • GPOs linked to domains are applied.
  • GPOs linked to organizational units are applied. For nested organizational units, GPOs linked to parent organizational units are applied before GPOs linked to child organizational units are applied.

A practical GPO and WMI example.

We had a requirement for separate GPOs for Windows 7 / Internet Explorer 10 users and Windows XP / Internet Explorer 8 users. This is where we can have a policy which is filtered to Windows 7.

  • First of all log into your Group Policy Management Console
  • Create a new Group policy which will need to be assigned at the domain level, OU level or sub OU level depending on your design.
  • Modify the Group Policy with the settings you require
  • Now have a look at where WMI Filters are located by scrolling down to the bottom of the GPMC

wmi1

  • Right click and select New

wmi2

  • Put in a name and description

wmi3

  • Next Click Add and you will get a new box where we can then add our WMI filter code

wmi4

It is probably worth talking a little about the Namespace and WMI language at this point.  The queries are written using the WMI Query Language (WQL), a SQL-like language. Queries can be combined with AND and OR logical operators to achieve whatever effect the administrator wants. Each query is executed against a particular WMI namespace. When you create a query, you must specify the namespace. The default is root\CIMv2, which is appropriate for most WMI queries.

I downloaded a small free program from Microsoft called WMI Code Creator. The tool also allows you to browse through the available WMI namespaces and classes on the local computer to find their descriptions, properties, methods, and qualifiers.

As an example below, I can look at the Operation System properties and find the version and also the name if I look at the Caption Properties

wmi5

Note: This piece of software is useful for delving into the WMI information but you need to be able to use the WMI query in a way Active Directory understands.

SELECT [property] from [wmi class]

  • Have a look at the table below. Both Windows Server 2012 and Windows 8 return version numbers that begin with 6.2. To   differentiate between the client and server versions, include the clause to check the ProductType field. This value returns 1 for client versions of Windows such as Windows 8, 2 for server versions of Windows operating as domain controllers, and 3 for server versions of Windows that are not operating as domain controllers.

wmi6

  • You can also create combination filters when required by your design. The following table shows query statements for common operating system combinations.

wmi7

  • As an example we wanted our policy to apply to Windows 7, Windows 8 and Windows 8.1 so this was our filter

wmi8
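To check a filter like this before attaching it in GPMC, here is an added PowerShell example (my code, not from the original post): it runs the same kind of WQL query locally with Get-WmiObject and reports the True/False verdict the filter would give on that computer. The query string, the function name Test-WmiFilterQuery and its -ComputerName parameter are my assumptions, not the filter shown in the screenshot.

```powershell
# Added example, not from the original post: evaluate a GPO-style WMI filter locally.
# A GPMC WMI filter is True when its query returns at least one object, so the same
# query run through Get-WmiObject tells you in advance whether the GPO would apply.
# Win32_OperatingSystem.Version: Windows 7 = 6.1, Windows 8 = 6.2, Windows 8.1 = 6.3.
# ProductType = 1 keeps clients only (2 = domain controller, 3 = member server).
$Namespace = 'root\CIMv2'
$Query = 'SELECT * FROM Win32_OperatingSystem ' +
         'WHERE (Version LIKE "6.1%" OR Version LIKE "6.2%" OR Version LIKE "6.3%") ' +
         'AND ProductType = 1'

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    try {
        $result = Get-WmiObject -Namespace $Namespace -Query $Query `
                                -ComputerName $ComputerName -ErrorAction Stop
        # Same rule GPMC applies: one or more instances returned means the filter is True
        return [bool](($result | Measure-Object).Count)
    } catch {
        # A malformed query (e.g. a typo in the class name) or an unreachable host
        # throws here; report it and treat the filter as False for this computer
        Write-Warning "WMI query failed on ${ComputerName}: $($_.Exception.Message)"
        return $false
    }
}

# Show the values the filter is comparing against, then the verdict
Get-WmiObject -Namespace $Namespace -Class Win32_OperatingSystem |
    Select-Object Caption, Version, ProductType
Test-WmiFilterQuery -Query $Query -Namespace $Namespace
```

Running the function with -ComputerName against a few representative machines is a quicker first check than the Group Policy Results wizard, which still remains the authoritative test once the filter is linked.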

  • Click Save and go back to your Group Policy
  • Click on Scope and look at the bottom of the Scope Page where you will see WMI Filters
  • Here you will need to select your WMI Filter and apply it

wmi10

  • Next click Start, Run and type gpupdate /force on your DC to push out the settings.
  • If you want to test that your GPO and WMI filters work then you can go back to your Group policy management console and look right down the bottom again where you have an option – Group Policy Results

wmi11

  • Right click and select Group Policy Results Wizard. You can run through this and select a target computer and user to test whether the WMI filter works.
  • At the end you will get a Summary, Details and Policy Events and you want to scroll down and check Details where it will say whether the WMI Filter came out as True or False!

wmi13

  • And that’s it. It’s worth having a look through the many ways you can filter and write queries.

An interesting point to finish

What takes precedence when multiple, conflicting GPOs apply to the same OU?

“Links to a specific site, domain, or organizational unit are applied in reverse sequence based on link order. For example, a GPO with Link Order 1 has highest precedence over other GPOs linked to that container.”

What takes precedence when multiple, conflicting enforced GPOs apply to the same OU?

Setting a GPO to Enforced effectively moves it to the end of the processing order, meaning it always wins. If you have multiple conflicting Enforced GPOs, they are applied in reverse order (the ‘higher’ one in the OU structure wins). But if it ever got that complex, you would need to rethink your overall GPO strategy in the long term.

Standard GPO Inheritance Rules in Organizational Units

Any unconfigured settings anywhere in a GPO are ignored, and only configured settings are inherited. There are three possible scenarios:

  • A higher-level GPO has a value for a setting, and a lower-level GPO does not.
  • A GPO linked to a parent OU has a value for a setting, and a GPO linked to a child OU has a non-conflicting value for the same setting.
  • A GPO linked to a parent OU has a value for a setting, and a GPO linked to a child OU has a conflicting value for the same setting.

If a GPO has settings configured for a parent organizational unit and the same policy settings are unconfigured for a child organizational unit, the child inherits the parent’s GPO settings. That makes sense.

If a GPO has settings configured for a parent organizational unit that do not conflict with the settings in a GPO configured for a child organizational unit, the child organizational unit inherits the parent GPO settings and applies its own GPOs as well. A good example of this is two logon scripts; these scripts don’t conflict, so both are run.

If a GPO has settings configured for a parent organizational unit that conflict with the same settings in another GPO configured for a child organizational unit, the child organizational unit does not inherit those specific GPO settings from the parent organizational unit. The settings in the child GPO take priority.

Excel 2010: Not enough system resources to display completely

excelicon

The Problem

When opening an Excel file or running calculations within an Excel file, you may get the following error

excel2010

This is a very general error and one that is not always easily solved, but here are a few things to try:

  1. If you have any COM add-ins installed, uninstall them unless they are absolutely required, or just untick them to test. COM add-ins are a special type of add-in written in machine language. They are often installed without explicit approval. COM add-ins are often reported as causing memory problems.
  2. To see if you have multiple sessions open, press CTRL-ALT-DELETE and check how many Excel applications are running. There should be just one running. If a new Excel session opens each time you double click on a workbook, try unchecking the Excel option “Ignore other applications” if it is checked on the Options General tab.
  3. Excel may think your worksheets are larger than you do. This can consume a lot of memory. Normally the scroll area controlled by the scroll bars is very small. However, sometimes Excel thinks there are cells well below your used range. One way is to check where Excel thinks the last cell is located. Do this by pressing CTRL+SHIFT+END. If it is well below your used range, then select all “unused” columns in this range and delete them. Then select all unused rows in this range and delete them. Then close and re-open Excel.
  4. Install the latest updates to your version of Office.
  5. You can try deleting temp files. There is a nice piece of software called Temp File Deleter: https://www.add-ins.com/temp_file_deleter.htm
  6. If you are using Google Desktop Search, uninstall it. Google Desktop Search appears to be a memory hog and has been reported to interfere with Microsoft Excel. Specifically, it installs a COM add-in that monitors every action in Excel so that it can index it, which can slow everything down.
  7. If you are using Excel 2010-2013, click File, Options, Advanced, and go to the General section. Check if you have an alternate startup folder and check its contents, and remove anything you do not need.
  8. Check and see if you have an unneeded add-in or workbook in your XLSTART folder. The location of this folder may vary depending on local and roaming profiles.
  9. Delete your XLB file (search for *.XLB). It can become corrupt but cause no visible problems. If corrupt it can consume lots of memory. Excel will recreate it, but button customization will be lost. This is the file where Excel stores its toolbar settings. To delete it, use the XLB File Deleter, which is a free product. There have been reports that doing this will solve problems.
  10. Your printer or its driver may be causing the problem. HP printers have a history of causing a memory problem with Excel. We do not know if HP fixed the problem; it may still be around or surfacing again. Change your default printer if you have other printers available as a test.
  11. Macros that do very extensive file creation, data manipulation and graphing have been known to cause memory leak problems. Such macros are ones that typically run for 30 minutes or longer.
  12. If you have Track Changes turned on in Excel, turn it off as it uses a fair amount of memory. The default is Off.
  13. Turn off AutoRecovery, as this takes up Excel memory. However, have a backup if you do. To turn off AutoRecovery go to File, Options, Save and uncheck AutoRecovery.
  14. Problems in your application data folder for Excel can be the cause. The folder is typically “c:\documents and settings\%username%\application data\microsoft\excel”. This is a hidden folder, so set your Explorer options to show hidden folders. After backing up, rename or delete this folder and its subfolders. Reboot the machine and open Excel. Excel will recreate the folder and needed contents.
  15. Run the following 2 commands: “C:\Program Files\Microsoft Office\OFFICE11\excel.exe” /unregserver and “C:\Program Files\Microsoft Office\OFFICE11\excel.exe” /regserver (change the number 11 to 12 for Excel 2007, 14 for Excel 2010 and 15 for Excel 2013). These commands remove most of the Excel registry entries and then reset them. However, they do leave some residual settings.
  16. A more extensive way to clean the registry is to rename the Excel registry key and let Excel recreate it. It depends on the version of Excel. First, close Excel. Then do Run, Regedit and go to the Excel registry key. It will be “HKEY_CURRENT_USER\Software\Microsoft\Office\%version_number%\Excel”
    where %version_number% is 11 for Excel 2003, 12 for Excel 2007, 14 for Excel 2010 and 15 for Excel 2013. Rename this to OldExcel (this will back it up). Then re-open Excel. Excel will rebuild the registry entry. You will need to manually install any needed add-ins.
  17. It may be the case that the server or PC that Excel is running on needs more memory, or that you need to close other running apps which may be interfering with Excel or taking up memory that Excel needs.
  18. Try opening Excel in Safe Mode. For example C:\Program Files\Microsoft Office\Office\Excel.exe /s
  19. Try opening Excel whilst holding the Shift key down to stop any macros from executing, or click Start, Run and type “C:\Program Files\Microsoft Office\Office\Excel.exe” /Automation


Logon script to copy 2 folders into a user’s Roaming Profile

Script

The Task

Our users are logging into several Terminal Server Farms where they are running a TM1 application client which connects to the main TM1 Server. On opening the client it is meant to put 2 folders in their profile under the AppData folder. This is a folder called Applix which also contains another folder called TM1.

We have roaming profiles where we have a profile drive and a home drive and the AppData folder is redirected to the user’s Home Drive. It seems that this application does not cope well with creating the Applix folder on the redirected Home Folder location

However we have found it works fine when you have a straight roaming profile with no redirected folders!

So what do we need to happen?

  1. A user logs on to a Terminal Server Farm
  2. At logon a GPO containing a PowerShell script to do this task will run
  3. The script will test that the folder path exists first \\ServerXYZ\Home\Username\AppData\Roaming and if it does, it will do nothing
  4. If the path doesn’t exist, it will put a folder called Applix in the following path \\ServerXYZ\Home\Username\AppData\Roaming
  5. Note, we put the Applix folder on the Terminal Servers as C:\Applix and the script picks this up for copying from this location

The PowerShell Script

# Only act if the Applix folder is missing from the user's redirected AppData\Roaming
if (!(Test-Path "\\ServerXYZ\Home\$env:USERNAME\AppData\Roaming\Applix"))
{
    # Copy the master folder (and its TM1 subfolder) from the Terminal Server's C:\Applix
    Copy-Item -Path "C:\Applix" -Recurse -Destination "\\ServerXYZ\Home\$env:USERNAME\AppData\Roaming\Applix" -Container
}


ActiveSync on Microsoft Exchange 2010 +

ActiveSync

ActiveSync

Exchange ActiveSync is a Microsoft Exchange synchronization protocol that’s optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an organization’s information on a server that’s running Microsoft Exchange. Exchange ActiveSync enables mobile phone users to access their e-mail, calendar, contacts, and tasks and to continue to be able to access this information while they’re working offline.

When you allow mobile phones or other mobile devices to synchronize with your Exchange 2010 server, you allow sensitive corporate information to be stored on small, portable devices that can be easily lost or stolen. Before you deploy Exchange ActiveSync, we recommend that you familiarize yourself with the various security settings you can configure to keep your corporate information safe. You can configure an authentication method for Exchange ActiveSync, deploy Exchange ActiveSync mailbox policies, and use remote device wipe to remove personal and corporate data from a lost or stolen mobile phone.

Things to have setup

In order to be able to receive external email into your internal Exchange server, you will need to have an external domain which is set up to forward your MX and A records to your internal environment. As an example I have a domain called electricmonk.org.uk which I use as my test external domain for this blog. I had to ask my domain company to set up the following records and forward them to my router’s external address.

  • MX mail.electricmonk.org.uk
  • A mail.electricmonk.org.uk
  • A owa.electricmonk.org.uk
  • A autodiscover.electricmonk.org.uk

These records will then hit my router; then, depending on your router’s setup, you will need to forward the relevant mail ports to your Exchange Server.

  • POP3 = 110
  • IMAP = 143
  • SMTP = 25
  • HTTP = 80
  • HTTPS = 443
  • Secure SMTP = 465
  • Secure POP3 = 995
  • Secure IMAP = 585
  • IMAP4 over SSL = 995
  • Exchange (SMTP-MSA) = 587

This is my BT router port forwarding setup, set to forward these ports to my mail server on my internal network

Exchange31

Features in Exchange ActiveSync

Exchange ActiveSync provides the following:

  • Support for HTML messages
  • Support for follow-up flags
  • Conversation grouping of e-mail messages
  • Ability to synchronize or not synchronize an entire conversation
  • Synchronization of SMS messages with a user’s Exchange mailbox
  • Support for viewing of message reply status
  • Support for fast message retrieval
  • Meeting attendee information
  • Enhanced Exchange Search
  • PIN reset
  • Enhanced device security through password policies
  • Autodiscover for over-the-air provisioning
  • Support for setting auto-replies when users are away, on vacation, or out of the office
  • Support for tasks synchronization
  • Direct Push
  • Support for availability information for contacts

Exchange ActiveSync Server Security

There are several security-related tasks you can perform on a server that’s running Exchange ActiveSync. One of the most important tasks is to configure an authentication method. Exchange ActiveSync runs on a computer running Exchange 2010 that has the Client Access server role installed. This server role is installed with a default self-signed digital certificate. Although the self-signed certificate is supported for Exchange ActiveSync, it isn’t the most secure method of authentication. For additional security, consider deploying a trusted certificate from a third-party commercial certification authority (CA) or a trusted Windows public key infrastructure (PKI) certification authority.

Selecting an Authentication Method for Exchange ActiveSync

In addition to deploying a trusted digital certificate, you should consider the different authentication methods that are available for Exchange ActiveSync. By default, when the Client Access server role is installed, Exchange ActiveSync is configured to use Basic authentication with Secure Sockets Layer (SSL). To provide increased security, consider changing your authentication method to Digest authentication or Integrated Windows authentication.

Exchange ActiveSync Mailbox Policies

Exchange ActiveSync for Exchange 2010 enables you to create Exchange ActiveSync mailbox policies to apply a common set of security settings to a collection of users. These settings include the following:

  • Requiring a password
  • Specifying the minimum password length
  • Requiring numbers or special characters in the password
  • Designating how long a mobile phone can be inactive before the user is required to re-enter the password
  • Specifying that the mobile phone or mobile device be wiped if an incorrect password is entered more than a specific number of times

Accessing ActiveSync Policies

  • Click on Organization Configuration > Client Access then in the Action pane select Exchange ActiveSync Mailbox Policies

Exchange05

  • Right click on Default and select Properties

Exchang06

  • Allow non-provisionable devices – Select this check box to allow mobile phones that can’t be provisioned automatically. These mobile phones may be unable to enforce all the Exchange ActiveSync policy settings. By selecting this box, you’re allowing these mobile phones to synchronize even though some policy settings may not be applied.
  • Refresh Interval – Select this check box to force the server to resend the policy to clients at a fixed interval defined in the number of hours between policy refresh events.
  • Click on Password

Exchange07

  • Require password – Select this checkbox to require a password for the mobile phone. If passwords are required, the following options become available.
  • Require alphanumeric password – Select this check box to specify that the mobile phone password must include non-numeric characters. Requiring non-numeric characters in passwords increases the strength of password security.
  • Minimum number of character sets – Use this text box to specify the complexity of the alphanumeric password and force users to use a number of different sets of characters from among the following: lower case letters, upper case letters, symbols and numbers.
  • Enable password recovery – Select this check box to enable password recovery for the mobile phone. Users can use Outlook Web App to look up their recovery password and unlock their mobile phone. Administrators can use the EMC to look up a user’s recovery password.
  • Require encryption on device – Select this check box to require encryption on the mobile phone. This increases security by encrypting all information on the mobile phone.
  • Require encryption on storage cards – Select this check box to require encryption on the mobile phone’s removable storage card. This increases security by encrypting all information on the storage cards for the mobile phone.
  • Allow simple password – Select this check box to allow users to lock their mobile phones with simple passwords such as 1111 or 1234. If you clear this check box, users will be required to use more secure password sequences.
  • Number of failed attempts allowed – Use this text box to limit the number of failed password attempts a mobile phone accepts before all information on the mobile phone is deleted and the mobile phone is automatically returned to the original factory settings. This reduces the chance of an unauthorized user accessing information on a lost or stolen mobile phone that has a password.
  • Minimum password length – Use this text box to specify a minimum password length for the mobile phone password. Long passwords can provide increased security. However, long passwords can decrease mobile phone usability. A moderate password length of four to six characters is recommended.
  • Time without user input before password must be re-entered (in minutes) – When a mobile phone password is required, you can use this text box to prompt the user for the password after the mobile phone has been inactive for a specified period of time. For example, if this setting is set to 15 minutes, the user must enter the mobile phone password every time that the mobile phone is idle for 15 minutes. If the mobile phone is idle for 10 minutes, the user won’t have to re-enter the password.
  • Password expiration (days) – Use this text box to force users to reset their mobile phone’s password at a given interval. The interval is set in a number of days.
  • Enforce password history – Select this check box to force the mobile phone to prevent the user from re-using their previous passwords. The number you set determines how many past passwords the user won’t be allowed to reuse.
  • Next Click on Sync Settings

Exchange08

  • Include past calendar items – Use this drop-down list to select the date range of calendar items to synchronize to the mobile phone. The available options include the following: All, Two Weeks, One Month, Three Months, and Six Months. If you have to specify other options, use the Shell to configure this setting.
  • Include past e-mail items – Use this drop-down list to select the date range of e-mail items to synchronize to the mobile phone. The available options include the following: All, One Day, Three Days, One Week, Two Weeks, and One Month. If you have to specify other options, use the Shell to configure this setting.
  • Limit e-mail size to (KB) – Select this check box to limit the message size that can be downloaded to the mobile phone. After you’ve selected the check box, use the text box to specify a maximum message size, in kilobytes (KB).
  • Allow Direct Push when roaming – Select this check box to enable the mobile phone to synchronize as new items arrive when you’re roaming with your phone. You’re roaming when you’re outside your normal service area. Check with your mobile service provider to determine your normal service area. Clearing this check box forces you to manually launch synchronization when you’re roaming with the phone and data rates are traditionally higher.
  • Allow HTML-formatted e-mail – Select this check box to enable e-mail messages that are formatted in HTML to be synchronized to the mobile phone. If this check box isn’t selected, all e-mail messages will be converted to plain text before synchronization. Use of this check box doesn’t affect whether or not messages are received on the mobile phone.
  • Allow attachments to be downloaded to device – Select this check box to enable attachments to be downloaded to the mobile phone. If this check box is cleared, the name of the attachment is visible within the e-mail message but can’t be downloaded to the mobile phone.
  • Maximum attachment size (KB) – Select this check box to specify a maximum size for attachments that are downloaded to the mobile phone. After you select the check box, use the text box to enter a maximum attachment size, in KB. If this check box is selected, attachments that are larger than the specified size can’t be downloaded to the device.
  • Next Click on Device. Use the Device tab to specify a variety of device-specific settings. All settings that you access on the Device tab of the Exchange ActiveSync policy Properties page are premium features of Exchange ActiveSync. For these features to be implemented on a mobile phone, the mailbox requires an Exchange Enterprise client access license (CAL).

Exchange09

  • Allow removable storage – Select this check box to allow storage cards to be accessed from a mobile phone. If this check box isn’t selected, storage cards can’t be accessed from a mobile phone.
  • Allow camera – Select this check box to allow the mobile phone camera to be used.
  • Allow Wi-Fi – Select this check box to allow the mobile phone to use a Wi-Fi connection for Internet access. Direct Push isn’t supported over Wi-Fi.
  • Allow infrared – Select this check box to allow the mobile phone to establish an infrared connection with other devices or computers.
  • Allow Internet sharing from device – Select this check box to allow another device to share the Internet connection of the mobile phone. Internet sharing is frequently used when the device functions as a modem for a laptop or desktop computer.
  • Allow remote desktop from device – Select this check box to allow the mobile phone to establish a remote desktop connection to another computer.
  • Allow desktop synchronization – Select this check box to allow the mobile phone to synchronize with a desktop computer through desktop ActiveSync or the Windows Mobile Device Center.
  • Allow Bluetooth – Use this drop-down list to control the Bluetooth functionality of the mobile phone. You can choose to Allow, Disable, or enable Bluetooth for Handsfree only.
  • Click on Device Application. Use the Device Applications tab to enable or disable specific features on a mobile phone. All settings that you access on the Device Applications tab of the Exchange ActiveSync policy Properties pages are premium features of Exchange ActiveSync. For these features to be implemented on a mobile phone, the mailbox requires an Exchange Enterprise client access license (CAL).

Exchange10

  • Allow browser – Select this check box to allow mobile phones to use Pocket Internet Explorer.
  • Allow consumer mail – Select this check box to allow the mobile phone to access e-mail accounts other than Microsoft Exchange accounts. Consumer e-mail accounts include accounts that are accessed through POP3 and IMAP.
  • Allow unsigned applications – Select this check box to allow unsigned applications to be installed on the mobile phone.
  • Allow unsigned installation packages – Select this check box to allow unsigned installation packages to be run on the mobile phone.
  • Click on Other. Use the Other tab to specify allowed and blocked applications. All settings that you access on the Other tab of the Exchange ActiveSync policy Properties pages are premium features of Exchange ActiveSync. For these features to be implemented on a mobile phone, the mailbox requires an Exchange Enterprise client access license (CAL).

Exchange11

  • Allowed Applications – You can add applications to or remove them from the Allowed Applications list. Allowed applications can be installed and run on the mobile phone. Click Add to add an application, and click Delete to remove an application.
  • Blocked Applications – You can add applications to or remove them from the Blocked Applications list. Blocked applications are prohibited from running on the mobile phone. Click Add to add an application, and click Delete to remove an application.
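The same policy settings walked through on the General, Password, Sync Settings, Device and Device Applications tabs above, applied from the Exchange 2010 Management Shell instead, as an added example that is not part of the original post. The policy name Corp-Mobile-Baseline and the mailbox alias jsmith are constructed values; the cmdlets and parameter names are the Exchange 2010 ones, and the Device block still needs the Enterprise CAL the page mentions.

```powershell
# Added example, not from the original post: the EMC tabs above as Shell settings.
# Pass -Identity Default instead of creating a new policy if you want to harden the
# Default policy the walkthrough edits.
$PolicyName = 'Corp-Mobile-Baseline'   # constructed name

if (-not (Get-ActiveSyncMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $PolicyName | Out-Null
}

# General and Password tabs. The weak out-of-the-box state is no password required,
# simple PINs allowed and non-provisionable devices allowed; each is reversed here.
$PasswordSettings = @{
    Identity                           = $PolicyName
    AllowNonProvisionableDevices       = $false         # devices that cannot enforce the policy may not sync
    DevicePolicyRefreshInterval        = '1.00:00:00'   # resend the policy to devices once a day
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordComplexCharacters = 2              # at least two character sets
    AllowSimpleDevicePassword          = $false         # blocks 1111 / 1234 style sequences
    MinDevicePasswordLength            = 6              # top of the four-to-six range recommended above
    MaxInactivityTimeDeviceLock        = '00:15:00'     # re-prompt after 15 idle minutes
    MaxDevicePasswordFailedAttempts    = 10             # device wipes itself after 10 failures
    DevicePasswordExpiration           = '90.00:00:00'  # 90-day rotation
    DevicePasswordHistory              = 5
    PasswordRecoveryEnabled            = $true          # recovery password visible in OWA / EMC
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
}
Set-ActiveSyncMailboxPolicy @PasswordSettings

# Sync Settings tab: limit how much mailbox content lands on the device
$SyncSettings = @{
    Identity                     = $PolicyName
    MaxCalendarAgeFilter         = 'OneMonth'
    MaxEmailAgeFilter            = 'TwoWeeks'
    MaxEmailBodyTruncationSize   = 100       # KB
    AllowHTMLEmail               = $true
    AttachmentsEnabled           = $true
    MaxAttachmentSize            = '1MB'
    RequireManualSyncWhenRoaming = $true     # "Allow Direct Push when roaming" unticked
}
Set-ActiveSyncMailboxPolicy @SyncSettings

# Device and Device Applications tabs (premium features, Enterprise CAL required)
$DeviceSettings = @{
    Identity                          = $PolicyName
    AllowStorageCard                  = $false
    AllowCamera                       = $true
    AllowWiFi                         = $true
    AllowIrDA                         = $false
    AllowInternetSharing              = $false
    AllowRemoteDesktop                = $false
    AllowDesktopSync                  = $false
    AllowBluetooth                    = 'HandsfreeOnly'   # Disable | HandsfreeOnly | Allow
    AllowBrowser                      = $true
    AllowConsumerEmail                = $false            # no POP3/IMAP personal accounts
    AllowUnsignedApplications         = $false
    AllowUnsignedInstallationPackages = $false
}
Set-ActiveSyncMailboxPolicy @DeviceSettings

# Assign the policy to a mailbox (constructed alias) and read back the key values
Set-CASMailbox -Identity 'jsmith' -ActiveSyncMailboxPolicy $PolicyName
Get-ActiveSyncMailboxPolicy -Identity $PolicyName |
    Format-List Name, DevicePasswordEnabled, AllowSimpleDevicePassword, MinDevicePasswordLength,
                MaxDevicePasswordFailedAttempts, RequireDeviceEncryption, AllowNonProvisionableDevices
```

The final Get-ActiveSyncMailboxPolicy output is the check worth keeping: it shows what the device will actually be told to enforce, independent of which EMC tab the setting lives on.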

Accepted Domains

Make sure you have your accepted external domain listed here

  • Click on Organization Configuration and then click on Hub Transport
  • Click on the Accepted Domains tab and you should see your local address
  • In the Actions pane, click on New Accepted Domain
  • Put in a name for this Domain and the name itself

Exchange37

  • You should now see your domains

Exchange38

Send Connectors

  • Go to Organization Configuration > Hub Transport
  • Click New Send Connector

Exchange39

  • Type a name and choose Internet for the intended use
  • Click Next
  • On the Address space page click Add and add in * to Address and tick Include all subdomains
  • Keep Use Domain name system (DNS) “MX” records to route mail automatically ticked

Exchange17

  • Check your Source Server is selected

Exchange18

  • The Summary Page will appear. Check the details and click New
  • You should now see your new Send Connector

Exchange40

  • Double click on this Send Connector and select Properties
  • You need to put in your external domain here

Exchange32

Set up an email policy

  • Go to Organization Configuration
  • Go to Hub Transport
  • Go to E-mail Address Policies
  • Click on the Default Policy
  • Click Next

Exchange34

  • You are now on the New E-Mail Address Policy Page. Don’t select anything on here for now

Exchange22

  • Click Next and you are now on the E-Mail Addresses Page
  • Click Add

Exchange35

  • Click OK

Exchange33

  • Click the %m@mail.electricmonk.org.uk and select Set as Reply
  • On the Schedule Page, leave this as Immediately

Exchange28

  • Finally click New and the wizard will complete

Exchange36

ActiveSync Virtual Directory

By default, when Exchange 2010 is installed, a new virtual directory is created in the default website in Internet Information Services (IIS). This virtual directory is named Microsoft-Server-ActiveSync. You can create additional Exchange ActiveSync virtual directories under Web sites other than the default Web site. All Exchange ActiveSync virtual directories you create will have the name Microsoft-Server-ActiveSync. After you have installed the Client Access server role on an Exchange Server 2010 computer, Exchange ActiveSync is enabled by default. An Exchange ActiveSync virtual directory is created on the Exchange 2010 Client Access server. You can configure a variety of options on that virtual directory.

Viewing the ActiveSync Virtual Directory Properties

  • In the console tree, navigate to Server Configuration > Client Access
  • In the work pane, click the Exchange ActiveSync tab, and then click the Microsoft-Server-ActiveSync virtual directory.

Exchange01

  • In the action pane, under Microsoft-Server-ActiveSync, click Properties.
  • Use the General tab to view display-only information about the Exchange ActiveSync virtual directory and to modify the Internal and External URLs.
  • Server – This read-only field shows the name of the server the virtual directory is located on.
  • Web site – This read-only field shows the name of the Web site that holds the virtual directory. Normally, this will be the Default Website.
  • SSL Enabled – This read-only field shows the Secure Sockets Layer (SSL) status of the virtual directory. The default is True.
  • Modified – This read-only field shows the date and time that the virtual directory was last modified.
  • Internal URL – This field shows the InternalURL setting for the virtual directory. In most cases, you shouldn’t change this setting.
  • External URL – This field shows the ExternalURL setting for the virtual directory. In an Internet-facing Active Directory site, this field will be populated with the external DNS endpoint for Exchange ActiveSync, for example, http://mail.electricmonk.org.uk/Microsoft-Server-ActiveSync.

Exchange41

  • Use the Authentication tab to control the authentication methods for the Exchange ActiveSync virtual directory.
  • Basic authentication (password is sent in clear text) – Select this check box if you want the mobile device to send the user name and password in clear text. Because passwords are sent in clear text with Basic authentication, you should configure SSL to encrypt data transferred between your mobile clients and the Exchange ActiveSync virtual directory.

Exchange03

  • Client Certificate authentication – Select whether you want to ignore, accept, or require client certificate authentication.
  • Certificates can reside in the certificate store on a mobile device or on a smart card. A certificate authentication method uses the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) protocols. In EAP-TLS certificate authentication, the client and the server prove their identities to each other. For example, an Exchange ActiveSync client presents its user certificate to the Client Access server, and the Client Access server presents its computer certificate to the mobile device to provide mutual authentication.

Note: Requiring client certificates will force you to configure SSL on the Web site that’s hosting the Exchange ActiveSync virtual directory.

  • Exchange ActiveSync clients can access files and Web sites that are located on Windows SharePoint Services and Windows file shares. Use the Remote File Servers tab to specify allowed and blocked host names for your Exchange ActiveSync clients. This tab also allows you to configure which domains are treated as internal.

Exchange04

  • Block List – Click Block to configure a list of host names of servers to which clients are denied access.
  • The Block list takes precedence over the Allow list. To add a host name to the Block list, type the host name in the Block List dialog box, and then click Add. To remove a host name from the Block list, select the host name, and then click Delete in the Block List dialog box.
  • Allow List – Click the Allow button to configure a list of host names of servers from which clients are allowed to access files.
  • To add a host name to the Allow list, type the host name in the Allow List dialog box, and then click Add. To remove a host name from the Allow list, select the name, and then click Delete in the Allow List dialog box.
  • If a host name is specified in both the Allow list and the Block list, clients will be blocked from accessing files from that host name.
  • Unknown Servers – Use this list to specify how to access files from host names that aren’t listed in either the Block list or the Allow list. The default value is Allow.
  • Enter the domain suffixes that should be treated as internal – Use this option to configure specific host names as internal host names. Click Configure to add host names to the Internal Domain Suffix List. When clients try to access files on one of these host names, Exchange ActiveSync uses the internal network to access these files instead of trying to access them over the Internet.

IMAP Configuration

  • Go to Server Configuration
  • Go to Client Access
  • Go to POP3 and IMAP4
  • Double click on IMAP4 and go to Authentication
  • In the X.509 certificate name field, type in your domain

Exchange42
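The name typed into that field must match a certificate that is actually enabled for the IMAP service, or clients will get a certificate error. The following PowerShell is an added example, not from the original post: it makes the same change from the Exchange Management Shell and checks that a matching certificate is bound to IMAP. The host name is a placeholder.

```powershell
# Added example, not from the original post: sets the IMAP4 X.509 certificate name from
# the Exchange Management Shell and verifies a matching certificate is enabled for IMAP.

$imapName = 'mail.dacmt.local'   # placeholder: the name clients connect to; it must appear on the certificate

# SecureLogin refuses clear-text logons, so credentials only travel inside TLS.
Set-ImapSettings -X509CertificateName $imapName -LoginType SecureLogin

# Find a certificate that carries the name and has the IMAP service enabled on it.
$candidates = Get-ExchangeCertificate | Where-Object {
    ($_.CertificateDomains -contains $imapName) -and ($_.Services.ToString() -match '\bIMAP\b')
}

if (-not $candidates) {
    Write-Warning "No certificate with '$imapName' is enabled for IMAP; clients will see a certificate error."
    # A certificate that already has the name but is not bound to IMAP can be enabled with:
    # Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IMAP
} else {
    $candidates | Select-Object Thumbprint, Subject, NotAfter, Services
    $expiring = $candidates | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) }
    if ($expiring) { Write-Warning 'The IMAP certificate expires within 30 days.' }
}

# The IMAP4 service reads its settings at start-up, so restart it for the change to take effect.
Restart-Service MSExchangeIMAP4
```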

Enabling Anonymous Authentication

If this is not enabled, external mail systems may be unable to deliver e-mail to your Exchange server. The screenshot below shows what happened when I tried to send e-mail from Gmail to my Exchange address.

Exchange52

  • Open EMC
  • Go to Server configuration > Hub Transport Server
  • Click on Default Receive Connector and select Properties
  • Click on the last tab, “Permission Groups”, place a check mark next to “Anonymous users”, then click Apply and OK.

Exchange51

  • Now if you try resending the email it should work

Exchange53
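The same change can be scripted, and it is worth confirming afterwards what “Anonymous users” actually grants: it lets unauthenticated senders submit mail to your own recipients, but it does not include the ms-Exch-SMTP-Accept-Any-Recipient right that would turn the connector into an open relay. The following PowerShell is an added example, not from the original post; it adds the permission group without dropping the groups already present and then checks the relay right explicitly. The connector identity follows the “Default <server>” naming of the default Receive connector and is otherwise a placeholder.

```powershell
# Added example, not from the original post: adds AnonymousUsers to the default Receive
# connector while keeping the existing permission groups, then checks that anonymous
# senders cannot relay through it.

$connectorId = "$env:COMPUTERNAME\Default $env:COMPUTERNAME"   # default connector is named "Default <server>"
$connector   = Get-ReceiveConnector -Identity $connectorId

# PermissionGroups is a flags value such as "ExchangeUsers, ExchangeServers, ExchangeLegacyServers";
# turn it into a list so AnonymousUsers is appended instead of replacing the others.
$groups = @($connector.PermissionGroups.ToString() -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })
if ($groups -notcontains 'AnonymousUsers') {
    $groups += 'AnonymousUsers'
    Set-ReceiveConnector -Identity $connectorId -PermissionGroups ($groups -join ',')
}

# Open relay needs the ms-Exch-SMTP-Accept-Any-Recipient extended right on ANONYMOUS LOGON.
# The AnonymousUsers group does not grant it, but someone may have added it by hand.
$relayRights = Get-ADPermission -Identity $connectorId -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -contains 'ms-Exch-SMTP-Accept-Any-Recipient') }

if ($relayRights) {
    Write-Warning "$connectorId lets anonymous senders relay to any recipient: this is an open relay."
} else {
    Write-Output "$connectorId accepts anonymous inbound mail for local recipients only."
}

# Also confirm what the connector listens on; the default connector binds every address
# and accepts from every remote IP range.
Get-ReceiveConnector -Identity $connectorId |
    Select-Object Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
```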

Devices Enabled for Exchange ActiveSync

Users can take advantage of Exchange ActiveSync by selecting mobile phones that are compatible with Exchange ActiveSync. These mobile phones are available from many manufacturers. For more information, see the device documentation.

Mobile phones that are compatible with Microsoft Exchange include the following:

  • Apple – The Apple iPhone, iPod Touch, and iPad all support Exchange ActiveSync.
  • Nokia – Nokia offers Mail for Exchange on their E series mobile phones. E-mail, calendar, and contact data can be synchronized over a cellular network or a wireless LAN.
  • Sony Ericsson – Sony Ericsson offers Exchange ActiveSync support on several of their newer smartphones. They also support Direct Push through a third-party program.
  • Palm – Palm offers some models of mobile phones that have the Windows Mobile operating system. These devices support Direct Push.
  • Motorola – Motorola has its own synchronization framework that enables over-the-air synchronization through Exchange ActiveSync on many of its devices.
  • Symbian – Symbian Limited licenses Exchange ActiveSync for use in the Symbian operating system. This operating system is an open standard operating system for mobile phones.
  • Android – Many mobile phones with the Android operating system support Exchange ActiveSync. However, these mobile phones may not support all available Exchange ActiveSync mailbox policies.

Setting up an iPhone 5S

  • Go into Settings > Mail Contacts and Settings
  • Click Add Account
  • Choose Exchange

IMG_0306

  • Put in your e-mail address and password
  • You will also see your Exchange Device ID

IMG_0308

  • Tap Next
  • As I don’t have a proper certificate, I get these 2 warnings. Just click Continue.

IMG_0309

IMG_0310

  • Next you will need to enter the relevant information for your servers, e-mail addresses and passwords:
  • E-mail: Your e-mail address
  • Server: The external address you set up with your domain provider
  • Domain: Note: I had to put in my internal local domain for this to work, which is my test lab domain dacmt.local
  • Username: Active Directory username
  • Password: Active Directory password

IMG_0313

  • Click Done and it should say Verifying and then place a tick against all settings
  • Now you need to test sending an email to your email account

If all the settings verify but email is not coming through

This may be caused by a simple misconfiguration in Active Directory for that user.

  • Open the Active Directory Users and Computers
  • Select the View menu from the top and click on “Advanced Features”.
  • Open the properties of the user having the issue and select the “Security” tab. Under this tab is a list of user accounts and an “Advanced” button at the bottom. Click this button and find the check box “Include inheritable permissions from this object’s parent”. If this is the problem you will find the box unchecked. Just check the box and try again. You should see mail start to come in.

Exchange54
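The check box above can be inspected and re-ticked from PowerShell, which is useful when more than one user is affected. One thing the dialog does not tell you: if the account is (or was) a member of a protected group such as Domain Admins, the AdminSDHolder process strips inheritance again roughly every hour, so the fix only sticks for accounts outside those groups. The following is an added example, not from the original post; it reports the inheritance state together with the adminCount attribute that marks such accounts, and re-enables inheritance. The account name is the one used elsewhere in the post and is a placeholder.

```powershell
# Added example, not from the original post: checks whether permission inheritance is
# blocked on a user object (the "Include inheritable permissions" box) and re-enables it.
# adminCount=1 means AdminSDHolder protects (or once protected) the account and will undo
# the change unless the account leaves its protected groups.

Import-Module ActiveDirectory

function Get-UserInheritanceState {
    param([Parameter(Mandatory=$true)] [string] $SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor, memberOf
    New-Object PSObject -Property @{
        User               = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
        AdminCount         = $u.adminCount
        Groups             = $u.memberOf
    }
}

function Enable-UserInheritance {
    param([Parameter(Mandatory=$true)] [string] $SamAccountName)
    $state = Get-UserInheritanceState -SamAccountName $SamAccountName
    if (-not $state.InheritanceBlocked) {
        Write-Output "$SamAccountName already inherits permissions."
        return
    }
    if ($state.AdminCount -eq 1) {
        Write-Warning "$SamAccountName has adminCount=1; AdminSDHolder will re-block inheritance unless the account leaves its protected groups."
    }
    $path = "AD:\$($state.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # $false = stop protecting the ACL (inheritance on); $true = keep the explicit ACEs already present
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Inheritance re-enabled on $SamAccountName; retry the mailbox sync."
}

Get-UserInheritanceState -SamAccountName 'rhian.cohen'   # placeholder account
Enable-UserInheritance  -SamAccountName 'rhian.cohen'
```

If adminCount is 1, the durable fix is to give the person a separate, non-privileged account for mail and leave the administrative account out of ActiveSync altogether.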

If you have set an Exchange Active Sync Policy which requires a password

Then when the account is setup, after a few minutes it should come up with the following prompts

IMG_0034

IMG_0035

IMG_0036

Using Remote Wipe

Mobile phones can store sensitive data that belongs to your organization and provide access to many of your organization’s resources. If a mobile phone is lost or stolen, that data can be compromised. Remote device wipe is a feature that enables the Exchange server to set a mobile phone to delete all data the next time that the mobile phone connects to the Exchange server. A remote device wipe effectively removes all synchronized information and personal settings from a mobile phone. This can be useful when a mobile phone is lost, stolen, or otherwise compromised. After a remote device wipe has occurred, data recovery is very difficult. However, no data removal process leaves a mobile phone or other mobile device as free from residual data as it is when it’s new. Recovery of data from a mobile phone or other mobile device may still be possible using sophisticated tools.

Microsoft Exchange Server 2010 lets you send a command to a mobile phone to perform a remote device wipe of that phone. This process removes all the information that’s stored on the phone, including Exchange information, and then completes a full reset of the device. You can use the EMC or the Exchange Management Shell to perform a remote wipe on a mobile phone. You can use this procedure to clear data from a stolen phone or to clear data from a phone before you assign it to another user.

  • In the console tree, navigate to Recipient Configuration > Mailbox.
  • Select the user from the Mailbox window.

Exchange12

  • In the action pane, click Manage mobile device, or right-click the user’s mailbox, and then click Manage mobile device.
  • Select the mobile phone you want to clear all data from.
  • In the Actions section, click Perform a remote wipe to clear mobile phone data.

Exchange55

  • Click Clear.
  • Note: Performing either of these actions will wipe the iPhone!
  • It will also send an e-mail message to you saying that the device has been wiped.

IMG_0132
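The Exchange Management Shell equivalent of the EMC steps above, as an added example that is not from the original post. It lists a mailbox's partnered devices, issues the wipe for one DeviceId (several phones of the same model can be partnered, so the model name is not a safe selector), and then reports whether the device has acknowledged it. The wipe is only carried out when the phone next connects, so until an acknowledgement time is recorded the data is still on the handset. Mailbox, DeviceId and notification address are placeholders.

```powershell
# Added example, not from the original post: remote wipe from the Exchange Management Shell,
# with a status check that distinguishes requested, sent and acknowledged wipes.

function Get-MailboxDevices {
    param([Parameter(Mandatory=$true)] [string] $Mailbox)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Select-Object DeviceId, DeviceType, DeviceModel, DeviceFriendlyName, LastSuccessSync,
                      DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime, Identity
}

function Invoke-DeviceWipe {
    param(
        [Parameter(Mandatory=$true)] [string] $Mailbox,
        [Parameter(Mandatory=$true)] [string] $DeviceId,
        [string] $NotifyAddress
    )
    # Select on DeviceId, never on model: a user can have several identical phones.
    $dev = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $dev) { throw "No device with id $DeviceId is partnered with $Mailbox" }

    $params = @{ Identity = $dev.Identity; Confirm = $true }
    if ($NotifyAddress) { $params['NotificationEmailAddresses'] = $NotifyAddress }
    # Clear-ActiveSyncDevice queues the wipe; the same cmdlet with -Cancel withdraws it
    # if the phone turns up before it has connected.
    Clear-ActiveSyncDevice @params
}

function Get-WipeStatus {
    param(
        [Parameter(Mandatory=$true)] [string] $Mailbox,
        [Parameter(Mandatory=$true)] [string] $DeviceId
    )
    $dev = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $dev)                       { return "Device $DeviceId not found" }
    if ($dev.DeviceWipeAckTime)          { return "Wiped: device acknowledged at $($dev.DeviceWipeAckTime)" }
    if ($dev.DeviceWipeSentTime)         { return "Sent: command delivered $($dev.DeviceWipeSentTime), no acknowledgement yet" }
    if ($dev.DeviceWipeRequestTime)      { return "Pending: requested $($dev.DeviceWipeRequestTime), device has not connected since" }
    return "No wipe requested"
}

Get-MailboxDevices -Mailbox 'rhian.cohen'
Invoke-DeviceWipe -Mailbox 'rhian.cohen' -DeviceId 'DEVICEID-PLACEHOLDER' -NotifyAddress 'admin@dacmt.local'
Get-WipeStatus    -Mailbox 'rhian.cohen' -DeviceId 'DEVICEID-PLACEHOLDER'
```

Keep the output of Get-WipeStatus with the incident record: a wipe that never reaches the acknowledged state means the device was simply never seen again, and the data on it should be treated as still exposed.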

Recovering a Device Password

Note: This feature does not appear to be available for iPhones, unfortunately, which is a shame, as the only option is to wipe the phone to get round a forgotten password.

http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_clients

You can use any of the following to recover a device password:

  • The EMC
  • The Shell
  • Microsoft Office Outlook Web App

You can require a device password through Microsoft Exchange ActiveSync policies. A user can configure a device password even if your Exchange ActiveSync policies don’t require one. If users forget their password, you can obtain a recovery password using the EMC or the Shell. The recovery password unlocks the device and lets the user create a new password. Users can also recover their device passwords by using Outlook Web App.

The EMC

You need to be assigned permissions before you can perform this procedure.

  • In the console tree, navigate to Recipient Configuration > Mailbox.
  • In the details pane, select a user, and then select Manage Mobile Device from the action pane. The device recovery password is displayed in the Manage Mobile Device dialog box

exchangeactivesync1

The Shell

  • Open Exchange Management Shell
  • Type Get-ActiveSyncDeviceStatistics -Mailbox:"rhian.cohen" -ShowRecoveryPassword:$true

exchangeactivesync3

Outlook Web Access

  • Log into Outlook Web Access
  • Click on Options

exchangeactivesync2

Useful links

http://technet.microsoft.com/en-us/library/bb124558(v=exchg.141).aspx

http://technet.microsoft.com/en-us/library/aa998357.aspx#WindowsPhone7

https://www.apple.com/kr/ipad/business/docs/iOS_6_EAS_Sep12.pdf

YouTube Tutorials (Thanks to Hotfoot Training)

Part 1 https://www.youtube.com/watch?v=dDg4oY1oUzQ

Part 2 https://www.youtube.com/watch?v=2tyhnOptqZ0

Part 3 https://www.youtube.com/watch?v=glASOiu8yMY

Windows Server 2008 R2 UAC

uacuser

What is UAC?

User Account Control (UAC) is a security component that enables users to perform common tasks as non-administrators (called standard users in Windows Vista), and as administrators without having to switch users, log off, or use Run As. User accounts that are members of the local Administrators group run most applications as a standard user. By separating user and administrator functions, UAC helps users move toward using standard user rights by default.

When an administrator logs on to a computer that is running Windows 7 or Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user’s group membership and authorization and access control data, are used by the Windows operating system to control what resources and tasks the user can access. The access control model in earlier Windows operating systems did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users’ computers without notifying the users. (This is sometimes referred to as a “silent” installation.)

How can we change UAC Settings?

  • Control Panel

Click Start > Control Panel > User Accounts > Change User Account Control Settings

UAC1

You will then need to reboot

  • Using Local Security Policy

Click Start > Administrative Tools > Local Security Policy > Security Options > Scroll down to the User Account Control Settings

UAC2

There are 10 separate settings:

UAC3

UAC4

UAC5

UAC6

UAC7

UAC8

UAC9

UAC10

UAC11

UAC12

  • Group Policy

On a DC, click Start > Administrative Tools > Group Policy Management. Right click on Group Policy Objects and select New, then type in a GPO name. Find the GPO, right click it and select Edit.

Navigate to Computer Configuration > Windows Settings > Security Settings > Security Options > Scroll down to User Account Control

UAC13

  • Using the Registry

The registry values are found under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. For information about each of the registry values, see the link below.

UAC14

http://technet.microsoft.com/en-gb/library/dd835564%28v=ws.10%29.aspx
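Whichever of the four methods above is used to set the policies, the result ends up in that registry key, so the key is the right place to audit. The following PowerShell is an added example, not from the original post: it reads the ten UAC values, maps each to its Security Options policy name, and compares it with a hardened baseline. The expected values are an assumption (roughly what common hardening guides recommend, not a Microsoft default); adjust them to your own policy. It also shows the two-token behaviour described earlier: in an unelevated session of an administrator the Administrators group is present deny-only in the filtered token, so the role check returns false.

```powershell
# Added example, not from the original post: audits the ten UAC policies under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System against a baseline.
# The Expected values are an assumed hardened baseline, not the Windows defaults.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$baseline = @(
    @{ Value='FilterAdministratorToken';    Expected=1; Policy='Admin Approval Mode for the Built-in Administrator account' },
    @{ Value='EnableUIADesktopToggle';      Expected=0; Policy='Allow UIAccess applications to prompt for elevation without using the secure desktop' },
    @{ Value='ConsentPromptBehaviorAdmin';  Expected=2; Policy='Behavior of the elevation prompt for administrators in Admin Approval Mode (2 = prompt for consent on the secure desktop)' },
    @{ Value='ConsentPromptBehaviorUser';   Expected=0; Policy='Behavior of the elevation prompt for standard users (0 = automatically deny)' },
    @{ Value='EnableInstallerDetection';    Expected=1; Policy='Detect application installations and prompt for elevation' },
    @{ Value='ValidateAdminCodeSignatures'; Expected=0; Policy='Only elevate executables that are signed and validated' },
    @{ Value='EnableSecureUIAPaths';        Expected=1; Policy='Only elevate UIAccess applications that are installed in secure locations' },
    @{ Value='EnableLUA';                   Expected=1; Policy='Run all administrators in Admin Approval Mode' },
    @{ Value='PromptOnSecureDesktop';       Expected=1; Policy='Switch to the secure desktop when prompting for elevation' },
    @{ Value='EnableVirtualization';        Expected=1; Policy='Virtualize file and registry write failures to per-user locations' }
)

function Get-UacAudit {
    $props = Get-ItemProperty -Path $uacKey
    foreach ($b in $baseline) {
        $actual = $props.($b.Value)    # $null when the value is absent and the Windows default applies
        if ($actual -eq $null)            { $status = 'NOT SET' }
        elseif ($actual -eq $b.Expected)  { $status = 'OK' }
        else                              { $status = 'DRIFT' }
        New-Object PSObject -Property @{
            Status   = $status
            Value    = $b.Value
            Actual   = $actual
            Expected = $b.Expected
            Policy   = $b.Policy
        }
    }
}

# EnableLUA=0 switches UAC off entirely, whatever the other nine values say.
function Test-UacEnabled {
    $lua = (Get-ItemProperty -Path $uacKey).EnableLUA
    return ($lua -eq $null -or $lua -eq 1)
}

# Which of the administrator's two access tokens this console holds: the filtered token
# carries the Administrators group deny-only, so IsInRole returns $false until elevated.
function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Get-UacAudit | Format-Table Status, Value, Actual, Expected, Policy -AutoSize
"UAC enabled: $(Test-UacEnabled)   Running elevated: $(Test-Elevated)"
```

Anything reported as DRIFT on a server that receives the settings by Group Policy means something is writing to the key locally between refreshes and is worth investigating rather than just reapplying the GPO.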