Usernames from Email exchange 365

If you have email addresses and need to get the matching usernames (this is for the cloud-based Exchange 365):

Open PowerShell and run:

Import-Module ActiveDirectory

Also log on to the Exchange environment (Exchange 2010 in the cloud):

# Logon: prompt for the admin credential
$LiveCred = Get-Credential
# Open a remote session to the hosted Exchange endpoint (Basic authentication over HTTPS)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
# Import the Exchange cmdlets (Get-Mailbox etc.) into the local session
Import-PSSession $Session

Then the script is:

# Each line of emailtest.csv is passed to Get-Mailbox as the mailbox identity
Get-Content emailtest.csv | %{
    Get-Mailbox $_ | Select-Object PrimarySmtpAddress, UserPrincipalName
} | Export-Csv users.csv -NoTypeInformation

WSUS – machines go then come back ?

One of our engineers wrote this little rough-and-ready script that recreates the AccountDomainSid and SusClientId in the registry. The problem is often caused by VMs that have been cloned from a template.

Requirements are that PsExec is in the same directory the script is run from. We tend to create a folder on the WSUS server and run it from there.

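@echo off
rem Prompt for the target; the \\ prefix that psexec needs is added below
set /p a="Enter IP Address or Name: please DO NOT include \\ "
rem Stop the Windows Update service before touching its registry values
psexec \\%a% net stop wuauserv
rem Delete the cloned identity values so the client generates new ones
psexec \\%a% REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
psexec \\%a% REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
psexec \\%a% REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
rem Restart the service, re-register with WSUS and report in
psexec \\%a% net start wuauserv
psexec \\%a% wuauclt /resetauthorization /detectnow
psexec \\%a% wuauclt /reportnow
echo ..............................................................
echo Machine should reappear in approx 10 minutes.
pause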

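He also adapted one that will force a machine to detect and report its WSUS status to the WSUS server.

@echo off
set /p a="Enter IP Address or Name please DO NOT include \\ : "
rem Restart the Windows Update service on the target
psexec \\%a% net stop wuauserv
psexec \\%a% net start wuauserv
rem psexec \\%a% wuauclt.exe /resetauthorization
rem Force detection and reporting to the WSUS server
psexec \\%a% wuauclt.exe /detectnow
psexec \\%a% wuauclt.exe /reportnow
cls
echo ..............................................................
echo REPORT STATUS
echo --------------
echo A report and detectnow has been run on the machine you specified.
pause
rem The script originally ended with GOTO MENU, but there is no :MENU label in this standalone version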
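
Before deleting the values, it helps to confirm that machines really do share a SusClientId. The following PowerShell is an added example, not part of the original post; the helper names and sample records are constructed, and the live lookup assumes the Remote Registry service is reachable on the targets.

```powershell
# Added example. Get-SusClientId and Find-DuplicateSusClientId are hypothetical names.

function Get-SusClientId {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # Assumption: the Remote Registry service is running on the target.
    $hklm = $null; $key = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate')
        if ($key) { $key.GetValue('SusClientId') }
    } catch {
        Write-Warning "Could not read the registry on ${ComputerName}: $_"
    } finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
}

function Find-DuplicateSusClientId {
    param([Parameter(Mandatory=$true)][object[]]$Record)
    # Machines without a value are skipped; any ID seen on more than
    # one machine means WSUS treats those machines as a single client.
    $Record | Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = ($_.Group | ForEach-Object { $_.ComputerName }) -join ', '
            }
        }
}

# Constructed sample records (not real machines) so the grouping runs offline.
# Live use: build the same objects with Get-SusClientId for each name in a list.
$sample = @(
    [pscustomobject]@{ ComputerName = 'VM-01'; SusClientId = '00000000-0000-0000-0000-00000000000a' }
    [pscustomobject]@{ ComputerName = 'VM-02'; SusClientId = '00000000-0000-0000-0000-00000000000a' }
    [pscustomobject]@{ ComputerName = 'PC-17'; SusClientId = '00000000-0000-0000-0000-00000000000b' }
    [pscustomobject]@{ ComputerName = 'PC-18'; SusClientId = $null }
)

Find-DuplicateSusClientId -Record $sample
```
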

Apple Airplay and Meru

GiraffeIT.com have found out that Meru and Apple's AirPlay systems don't always play well together. Specifically, the configuration out of the box doesn't work at all.

We have found the following settings of use:

Log into the GUI
Click on the "Configuration" tab
Click on "System Settings" under "Devices"
Click on "UDP Broadcast Up"
Click "Add"
Enter port number "5297" and click OK
Repeat to enter port numbers "5298" and "5353"
Click on "UDP Broadcast Down"
Click "Add"
Enter port number "5297" and click OK
Repeat to enter port numbers "5298" and "5353"
Click on the "Configuration" tab
Click on "ESS" under "Wireless"
Select the relevant ESS profile and click "Settings"
Set the "Allow Multicast Flag" to "On"

Reset home folders

GiraffeIT have often been asked how to reset home folders. It can be quite time-consuming if done manually on a range of users.

We have found, tested and successfully used the following scriptlet. It's a PowerShell script, so don't forget to allow execution.

#############################################################################
# Script: Repair-HomeFolderPermissions.ps1
# Author: Chris Brown    http://www.flamingkeys.com
# Date: 20/10/2010
# Keywords:
# Comments:
# Pre-Requisites: Full Control over destination folder.
#
# +------------+-----+---------------------------------------------------------+
# |       Date | Usr | Description                                             |
# +------------+-----+---------------------------------------------------------+
# | 20/10/2010 | CJB | Initial Script                                          |
# | 28/09/2011 | CJB | Fixed flags issue                                       |
# +------------+-----+---------------------------------------------------------+
#
# DISCLAIMER
# ==========
# THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
# RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
#############################################################################

# -----------------------------------------------------------------------------
#            Variables
#
# Where is the root of the home drives? (placeholder: replace with your UNC path)
$homeDrivesDir="\\uncofhomefolder"
# Report only? ($false = fix problems)
$reportMode = $false
# Print all valid directories?
$verbose = $false
# What domain are your users in? (use the form that appears in your ACLs, normally the NetBIOS name)
$domainName = "something.internal"
#
# -----------------------------------------------------------------------------

# Save the current working directory before we change it (purely for convenience)
pushd .
# Change to the location of the home drives
set-location $homeDrivesDir

# Warn the user if we will be fixing or just reporting on problems
write-host ""

if ($reportMode) {
 Write-Host "Report mode is on. Not fixing problems"
} else {
 Write-Host "Report mode is off. Will fix problems"
}

write-host ""

# Initialise a few counter variables. Only useful for multiple executions from the same session
$goodPermissions = $unfixablePermissions = $fixedPermissions = $badPermissions = 0
$failedFolders = @()

# For every folder in the $homeDrivesDir folder
foreach($homeFolder in (Get-ChildItem $homeDrivesDir | Where {$_.psIsContainer -eq $true})) {

    # dump the current ACL in a variable
    $Acl = Get-Acl $homeFolder

    # create a permission mask in the form of DOMAIN\Username where Username=foldername
    #    (adjust as necessary if your home folders are not exactly your usernames)
    $compareString = "*" + $domainName + "\" + $homeFolder.Name + " Allow  FullControl*"

    # if the permission mask is in the ACL
    if ($Acl.AccessToString -like $compareString) {

        # everything's good, increment the counter and move on.
        if ($verbose) {Write-Host "Permissions are valid for" $homeFolder.Name -backgroundcolor green -foregroundcolor white}
        $goodPermissions += 1

    } else {
        # Permissions are invalid, either fix or report
        # increment the number of permissions needing repair
        $badPermissions += 1
        # if we're in report mode
        if ($reportMode -eq $true) {
            # reportmode is on, don't do anything
            Write-Host "Permissions not valid for" $homeFolder.Name -backgroundcolor red -foregroundcolor white
        } else {
            # reportmode is off, fix the permissions
            Write-Host "Setting permissions for" $homeFolder.Name -foregroundcolor white -backgroundcolor red
            # Add the user in format DOMAIN\Username
            $username = $domainName + "\" + $homeFolder.Name
            # Grant the user full control
            $accessLevel = "FullControl"
            # Which child objects inherit this entry (subfolders and files)
            $inheritanceFlags = "ContainerInherit, ObjectInherit"
            # No special propagation behaviour (None = normal inheritance)
            $propagationFlags = "None"
            # Is this an Allow/Deny entry?
            $accessControlType = "Allow"
            try {
                # Create the Access Rule
                $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($username,$accessLevel,$inheritanceFlags,$propagationFlags,$accessControlType)

                # Attempt to apply the access rule to the ACL
                $Acl.SetAccessRule($accessRule)
                # -ErrorAction Stop turns a failed write into an exception the catch block can count
                Set-Acl $homeFolder $Acl -ErrorAction Stop
                # if it hasn't errored out by now, increment the counter
                $fixedPermissions += 1
            } catch {
                # It failed!
                # Increment the fail count
                $unfixablePermissions += 1
                # and add the folder to the list of failed folders
                $failedFolders += $homeFolder
            }
        } #/if
    } #/if
} #/foreach

# Print out a summary

Write-Host ""
Write-Host $goodPermissions "valid permissions"
Write-Host $badPermissions "permissions needing repair"
if ($reportMode -eq $false) {Write-Host $fixedPermissions "permissions fixed"}
if ($unfixablePermissions -gt 0) {
 Write-Host $unfixablePermissions "ACLs could not be repaired."
 foreach ($folder in $failedFolders) {Write-Host " -" $folder}
}

# Cleanup
popd
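
The script above matches on the text of AccessToString and only checks for the user's own entry. As an added example (not part of Chris Brown's script or the original post), the function below inspects the ACE objects instead and goes one step further by listing any unexpected trustees on the folder; Test-HomeFolderAcl, its parameters, the default allow list and the temp-folder demo are assumptions made for illustration.

```powershell
# Added example: report-only ACL audit for a single home folder.
# Test-HomeFolderAcl and $AllowedIdentity are hypothetical names.
function Test-HomeFolderAcl {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        # DOMAIN\Username that should hold FullControl on the folder
        [Parameter(Mandatory=$true)][string]$Owner,
        # Identities that may also appear on the folder (assumed default list)
        [string[]]$AllowedIdentity = @('BUILTIN\Administrators',
                                       'NT AUTHORITY\SYSTEM',
                                       'CREATOR OWNER')
    )
    $rules = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    # Does the owner hold FullControl through an explicit or inherited Allow entry?
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $ownerOk = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $Owner -and
        ($_.FileSystemRights -band $full) -eq $full
    })

    # Every other identity with an Allow entry that is not on the allow list
    $extra = @($rules | Where-Object {
        $_.IdentityReference.Value -ne $Owner -and
        $AllowedIdentity -notcontains $_.IdentityReference.Value
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    [pscustomobject]@{
        Folder             = Split-Path -Leaf $Path
        OwnerHasFull       = $ownerOk
        UnexpectedTrustees = $extra -join ', '
    }
}

# Constructed demo: a temp folder named after the current user stands in
# for a home folder, and the current account stands in for its owner.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) $env:USERNAME
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Test-HomeFolderAcl -Path $demo -Owner "$env:USERDOMAIN\$env:USERNAME"
Remove-Item -LiteralPath $demo -Force
```
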

Mandatory Profiles

GiraffeIT.com have been asked many a time to create mandatory (or roaming, as they used to be known) profiles for various people.

The benefits are small, rapidly loading profiles that end users cannot write back to.

1.) Make a local user on the server

2.) Make the user a member of the local Administrators group on your server

3.) Log in with this user and customize, for example, the Start menu

4.) Create a share on your file server

5.) Copy the complete template folder from the C:\Users directory to the new server share

6.) Rename the template folder to mandatory.V2. The .V2 is significant, as it tells Windows 7 that this is a mandatory profile meant for it

7.) Delete the Local and LocalLow folders from the AppData folder

8.) Open REGEDIT and load the NTUSER.DAT hive (make sure HKEY_USERS is highlighted)

9.) Right-click on the Mandatory profile and choose Permissions

10.) Delete the template user and add Authenticated Users (Full Control)

11.) Unload the NTUSER.DAT from your registry

12.) Rename the NTUSER.DAT to NTUSER.MAN

13.) Change the relevant users' profiles in ADUC or via Policy Preferences
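
A quick way to check a prepared profile folder against steps 6, 7 and 12 above, as an added example that is not part of the original post; Test-MandatoryProfile is a hypothetical helper name and the demo folder is constructed in the temp directory.

```powershell
# Added example. Test-MandatoryProfile is a hypothetical helper name.
function Test-MandatoryProfile {
    param([Parameter(Mandatory=$true)][string]$Path)
    $problems = @()

    # Step 6: the folder name must carry the .V2 suffix
    if ((Split-Path -Leaf $Path) -notlike '*.V2') {
        $problems += 'Folder name does not end in .V2 (step 6)'
    }
    # Step 7: Local and LocalLow must be gone from AppData
    foreach ($dir in 'AppData\Local', 'AppData\LocalLow') {
        if (Test-Path -LiteralPath (Join-Path $Path $dir)) {
            $problems += "$dir still present (step 7)"
        }
    }
    # Step 12: the hive must have been renamed from NTUSER.DAT to NTUSER.MAN
    if (-not (Test-Path -LiteralPath (Join-Path $Path 'NTUSER.MAN'))) {
        $problems += 'NTUSER.MAN not found (step 12)'
    }
    if (Test-Path -LiteralPath (Join-Path $Path 'NTUSER.DAT')) {
        $problems += 'NTUSER.DAT still present (step 12)'
    }

    [pscustomobject]@{
        Path      = $Path
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed demo: a deliberately unfinished profile built in the temp directory.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'mandatory.V2'
New-Item -ItemType Directory -Path (Join-Path $root 'AppData\Local') -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $root 'NTUSER.DAT') -Force | Out-Null
Test-MandatoryProfile -Path $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```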

 

Preparing your desktop delays

GiraffeIT have been investigating a curious issue where, no matter what the server load is, the profile that is loading (a mandatory Windows Seven one, since you ask) takes an age to get past "Preparing your desktop".

We moved the profiles to different servers, we disabled DFS namespaces (crucially, note that using DFS replication is strongly advised against) and monitored network traffic with Wireshark.

The problem wasn't obvious. There were no RSOP/GPResult errors. All looked fine.

Logons were taking 2m40 under low load and 15 minutes(!) under heavy load.

We eventually diagnosed the fault as an errant file filter placed on file screening. The curious desktop.ini was being screened on the file server. Once the filter was removed, the thin (1.7Mb) mandatory profile loaded quickly.

23 seconds now from CTRL-ALT-DEL to working desktop.

Deploystudio

GiraffeIT have found a fantastic bit of free Apple image software that really helps us deploy multiple Apple Mac images to multiple machines. It's called Deploystudio ( available here )

It's straightforward to get installed, and works really, really well. We had a few minor snags (mostly to do with clients' errant DNS servers) but no showstoppers.

Recommended!

NetVol not replicating, yet GPOs are ?

We were called out today for a job where a domain controller (DC) was responding to requests, but only really, really slowly. Hit an alternative DC and it logged you on at the speed of light. Some digging was involved and GiraffeIT diagnosed that the netvol wasn't replicating.

The fix wasn't too bad.

  1. Stop the NTFRS service.
  2. Add an administrator / elevated-privilege user to the system information folder on the server with Full Control.
  3. Go to the folder that has a unique ID and rename it (I chose folderXYZold).
  4. Find the "private" folder and rename that (I chose PrivateOLD).
  5. Restart the NTFRS service.
  6. Either await replication on cycle, or force a start with the Active Directory Sites and Services snap-in.

SOPA / Protect IP

We don't normally venture into the politics side of things here at GiraffeIT.com; however, this one has us a little bit worried.

If you are unsure what the fuss about SOPA / ProtectIP is about, have a look at this:

SOPA / ProtectIP
http://giraffeit.com/protectip/SOPA.mp4

DNS Scavenging

Happy new year !

A site I visited over the Christmas period was experiencing issues with DNS. There were no obvious faults other than an exceedingly large number of records in a somewhat small environment.

I discovered that the DHCP lease time was set to 8 hours and that scavenging was not set at all.

A few days later, after the cycle had completed and 875 nodes had been scavenged, all is healthy again. Not to mention a decrease in network traffic.

Printer Scripts for Windows Seven

I have been on a site recently and had issues with the Group Policy Preferences not applying to the printers. I found out that this was due to the time it takes the printer to respond to the request to be "mapped" and made default.

I spent a few hours hacking around some code and came up with this little masterpiece to allow multiple room printers to be added to the relevant OU-based PC.

'---------------Delete all Printers---------------
Dim wshNetwork, sPrintPath, clPrinters, i
Set wshNetwork = CreateObject("WScript.Network")

'Remove Existing Printers
'EnumPrinterConnections returns port/name pairs, so step by 2 and remove by name (i+1)
Set clPrinters = wshNetwork.EnumPrinterConnections
On Error Resume Next
For i = 0 to clPrinters.Count - 1 Step 2
    wshNetwork.RemovePrinterConnection clPrinters.Item(i+1), true
Next
On Error Goto 0

'---- For citrix script, un-comment following two lines:

'Set Sh = CreateObject("WScript.Shell")
'sys = Sh.ExpandEnvironmentStrings("%CLIENTNAME%") 'sys = the returned workstation name (Citrix only)

'---- For normal Windows machines un-comment the following line

sys = wshNetwork.ComputerName 'sys = computer name (standard domain workstations - not citrix)

'---- Note, you can't have both of these uncommented!!!

'User = CreateObject("WScript.Network").Username ' This returns the logged on username to variable: User

'--------------------------------------------------

CName = UCase(sys) 'Get name from network object (Uppercase)
Set oNet = CreateObject("WScript.Network")

' -=( Add printer and set a default based on computer name (CName) )=-

' Test for Left(CName,NumberofChars)

' WEST BLOCK SCRIPTS

If Left(CName,3) = "W21" Then

    oNet.AddWindowsPrinterConnection "\\print-server\w21-mono"
    oNet.AddWindowsPrinterConnection "\\print-server\w21-colour"
    oNet.SetDefaultPrinter "\\print-server\w21-mono"

ElseIf Left(CName,3) = "W22" Then

    oNet.AddWindowsPrinterConnection "\\print-server\w22-Mono"
    oNet.AddWindowsPrinterConnection "\\print-server\w22-Colour"
    oNet.SetDefaultPrinter "\\print-server\w22-mono"

' etc etc (add further ElseIf blocks for the other rooms)

End If

iOS5

Updated a few of my iDevices tonight. No real revolution, just a myriad of evolutions.

DelProf2

GiraffeIT.com was called into a site to help diagnose some GPOs not working quite how they were expecting.
The long and short of it is that a locally cached copy of the profile was being stored on the local machines. There are a few settings you can use in Windows 2008R2 to prevent the cached copy staying on the machine for more than x days. However, for completeness I wanted the profiles gone there and then. Cue DelProf2 ( available here ). A few tweaks and a rough-and-ready batch file called via a startup trigger in a GPO and voilà. No more cached local profiles at machine turn-on.

New Blog !

We hope to add more of GiraffeIT's real-world experiences in here. I hope to share some of the issues and solutions that the herd have met and overcome.

GiraffeIT – sticking our neck out so you don't have to