Tuesday, November 02, 2010
Group Policy Refresh for Permissions

So, you want to set permissions using a GPO? Cool. But before you do it is important to understand how permissions are applied using a GPO, and the effects this can have on your environment.

I’m going to keep this short but sweet.

When you link a new GPO to an OU, each computer in scope processes it during its normal refresh interval; that part is the same for every GPO. The difference with permissions (the Security Settings extension) is that every 16 hours (plus a random offset of up to 30 minutes) each computer does what I call a "full refresh", in which every ACL the GPO controls is rewritten from the GPO's settings, whether or not anything has changed. If the GPO only controls the ACL for one folder or registry key, this isn't a big deal. When you start hitting lots of folders, or a deep folder structure, what you end up with is high CPU utilization and lots of disk writes as the folders and keys are enumerated and the ACLs written to disk.

Also, if you do patching or some other regular maintenance that requires a reboot, you really need to watch out. If you reboot all the servers at about the same time, they will all land on the same 16-hour cycle, with only the random offset separating them. In the case of an application farm it is quite possible to see every server in the farm slow down at nearly the same time, and that's not a pretty thing.

So, use GPOs to apply ACLs if you'd like, but test first, and monitor the systems to be sure they can handle the additional load.
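If you want to know what that full refresh is going to cost before you link the GPO, the following PowerShell is an added example (not code from the original post) that reads the Security extension's refresh interval from the registry and counts how many files and folders each [File Security] entry in a GPO's GptTmpl.inf will touch. The SYSVOL template path in the usage line is a placeholder you supply; the script only counts objects and never writes an ACL, and it assumes it runs on a member server whose folder layout matches the targets.

```powershell
# Added example, not from the original post: size up the "full refresh" before
# linking a file-permission GPO. Assumptions: the caller supplies the GptTmpl.inf
# path from SYSVOL, and the script runs on a member server with the same folder
# layout as the targets. It only counts objects; it never writes an ACL.

function Get-SecurityCseRefreshInterval {
    # The Security Settings extension (GUID below) re-applies its settings every
    # MaxNoGPOListChangesInterval minutes even when the GPO has not changed.
    # The default is 960 minutes, i.e. the 16 hours described above.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).MaxNoGPOListChangesInterval
    if ($null -eq $value) { 960 } else { [int]$value }
}

function Get-GptFileSecurityEntry {
    # Parses the [File Security] section of a GptTmpl.inf. Each entry looks like
    #   "path",mode,"SDDL"
    # where mode 0 = propagate, 1 = replace on all subfolders/files,
    # 2 = do not allow this object's permissions to be replaced
    # (the three radio buttons in the Security Templates snap-in).
    param([Parameter(Mandatory)][string]$TemplatePath)
    $inSection = $false
    # The Security Settings extension writes the template as UTF-16
    foreach ($line in (Get-Content -LiteralPath $TemplatePath -Encoding Unicode)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'File Security'); continue }
        if (-not $inSection -or $t -eq '') { continue }
        if ($t -match '^"(?<path>[^"]+)",(?<mode>\d),"(?<sddl>.*)"$') {
            [pscustomobject]@{
                Path = [Environment]::ExpandEnvironmentVariables($Matches['path'])
                Mode = [int]$Matches['mode']
                Sddl = $Matches['sddl']
            }
        }
    }
}

function Measure-GptFileSecurityLoad {
    # One row per entry with the number of file-system objects whose ACL will be
    # rewritten on each refresh (the target plus everything beneath it).
    param([Parameter(Mandatory)][string]$TemplatePath)
    foreach ($entry in Get-GptFileSecurityEntry -TemplatePath $TemplatePath) {
        $objects = 0
        if (Test-Path -LiteralPath $entry.Path -PathType Container) {
            $objects = 1 + @(Get-ChildItem -LiteralPath $entry.Path -Recurse -Force -ErrorAction SilentlyContinue).Count
        } elseif (Test-Path -LiteralPath $entry.Path) {
            $objects = 1
        }
        [pscustomobject]@{ Path = $entry.Path; Mode = $entry.Mode; Objects = $objects }
    }
}

"Security CSE refresh interval: {0} minutes" -f (Get-SecurityCseRefreshInterval)

# Usage against a real GPO; the domain and {GUID} are placeholders for your own:
# Measure-GptFileSecurityLoad -TemplatePath '\\contoso.int\SYSVOL\contoso.int\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf' |
#     Sort-Object Objects -Descending | Format-Table -AutoSize
```

The Objects column is the number of ACL writes each entry costs per refresh; entries that land on a deep tree are the ones to split out or drop. The [Registry Keys] section of the same file has the same "path",mode,"SDDL" layout and can be counted the same way with Get-ChildItem on the HKLM: drive.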

posted @ Tuesday, November 02, 2010 10:16 AM | Feedback (0)
Wednesday, September 08, 2010
Pasting into Outlook using Ctrl + V

OK, so there are a few people out there besides myself that are experiencing this issue.

You go to send out an email. So first you put in the recipient address, then the subject.

OK, so far everything is normal.

Then you start typing the body of your message. So far, so good.

Then you go to paste something into the message. It doesn't matter what you paste, some text, a URL, whatever, and zip, your message is sent without the part you were trying to paste.

This has been happening to me randomly for well over a year, on several computers. So I decided to figure out what was happening, and I did.

I realized something: when I paste things into the body of my email, I hit the Enter key twice in order to separate the pasted content from what is already in the body of the message.

I knew about the Ctrl + Enter feature in Outlook (it sends the message, same as Alt + S) , but I SWORE to myself I wasn’t hitting the enter key.

I WAS hitting the Ctrl + Enter key and so are you. There is no bug, you aren't hitting some mystery keys, you are hitting the Enter key and then the Ctrl key in such a way that you are sending the message before your pasted content gets pasted via Ctrl + V. I can duplicate it 100% of the time.

Think about it, you don’t paste content right under what is already in the body of your message, right? You hit the enter key twice. So, you are hitting the Enter key, and the Ctrl key, and you still think you are not hitting them together? Let me guess this, you are a fast typist. Right?

Right.

There is no bug.

Problem fixed. Go slower when pasting content into your email message in Outlook.

Or, disable the Ctrl + Enter key combination. You can still use the Alt + S key combination.

To disable the Ctrl + Enter key combination create the following registry keys/values (11.0 is the Office 2003 path; substitute your Office version's number):

Key:  HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\DisabledShortcutKeysCheckBoxes
String Value: CtrlEnter
Value Data: 13,8

Key:  HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Word\DisabledShortcutKeysCheckBoxes
String Value: CtrlEnter
Value Data: 13,8

 

Now see if you still have the problem. (You won’t.)

The full step-by-step instructions are here: http://bhandler.spaces.live.com/Blog/cns!1pt1v0Q4vD8jSvNS4lqdAuug!303.entry?wa=wsignin1.0&sa=724991135

Thanks to Blake Handler for the regkey info to disable ctrl + enter!

posted @ Wednesday, September 08, 2010 1:07 AM | Feedback (0)
Upgrade!

Got the latest version of Subtext. Not too shabby.

posted @ Wednesday, September 08, 2010 12:34 AM | Feedback (0)
Tuesday, September 07, 2010
I’m BACK!!!!

Well, after about a year and a half (maybe a little longer) I finally hunkered down and really, really tried to find a way to reset my blog server password.

Thanks to Code Zest for this post on how to properly reset your Subtext password.

I ended up having to simply paste the following text “sIHb6F4ew//D1OfQInQAzQ==” into the password field of the database instead of using the SQL script, but it worked.

ah… I have so much to write about. So many things have happened in the last two years minus four months!

posted @ Tuesday, September 07, 2010 8:11 PM | Feedback (0)
Wednesday, January 14, 2009
Kerberos Failure Codes

Better than reading RFC 1510 page 84, I found this web page.

I then decided to reformat and post here for my own easy reference.

 

Failure code (decimal) | Hex | Kerberos RFC description | Notes on common failure codes
1  | 0x1  | Client's entry in database has expired |
2  | 0x2  | Server's entry in database has expired |
3  | 0x3  | Requested protocol version # not supported |
4  | 0x4  | Client's key encrypted in old master key |
5  | 0x5  | Server's key encrypted in old master key |
6  | 0x6  | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet
7  | 0x7  | Server not found in Kerberos database | New computer account has not replicated yet, or computer is pre-W2K
8  | 0x8  | Multiple principal entries in database |
9  | 0x9  | The client or server has a null key | Administrator should reset the password on the account
10 | 0xA  | Ticket not eligible for postdating |
11 | 0xB  | Requested start time is later than end time |
12 | 0xC  | KDC policy rejects request | Workstation/logon time restriction
13 | 0xD  | KDC cannot accommodate requested option |
14 | 0xE  | KDC has no support for encryption type |
15 | 0xF  | KDC has no support for checksum type |
16 | 0x10 | KDC has no support for padata type |
17 | 0x11 | KDC has no support for transited type |
18 | 0x12 | Client's credentials have been revoked | Account disabled, expired, or locked out
19 | 0x13 | Credentials for server have been revoked |
20 | 0x14 | TGT has been revoked |
21 | 0x15 | Client not yet valid - try again later |
22 | 0x16 | Server not yet valid - try again later |
23 | 0x17 | Password has expired | The user's password has expired
24 | 0x18 | Pre-authentication information was invalid | Usually means bad password
25 | 0x19 | Additional pre-authentication required* |
31 | 0x1F | Integrity check on decrypted field failed |
32 | 0x20 | Ticket expired | Frequently logged by computer accounts
33 | 0x21 | Ticket not yet valid |
34 | 0x22 | Request is a replay |
35 | 0x23 | The ticket isn't for us |
36 | 0x24 | Ticket and authenticator don't match |
37 | 0x25 | Clock skew too great | Workstation's clock too far out of sync with the DC's
38 | 0x26 | Incorrect net address | IP address change?
39 | 0x27 | Protocol version mismatch |
40 | 0x28 | Invalid msg type |
41 | 0x29 | Message stream modified |
42 | 0x2A | Message out of order |
44 | 0x2C | Specified version of key is not available |
45 | 0x2D | Service key not available |
46 | 0x2E | Mutual authentication failed | May be a memory allocation failure
47 | 0x2F | Incorrect message direction |
48 | 0x30 | Alternative authentication method required* |
49 | 0x31 | Incorrect sequence number in message |
50 | 0x32 | Inappropriate type of checksum in message |
60 | 0x3C | Generic error (description in e-text) |
61 | 0x3D | Field is too long for this implementation |

* Not a hard failure: the KDC is telling the client to pre-authenticate (or use a different method) and retry, so these show up during normal logons.
posted @ Wednesday, January 14, 2009 3:17 PM | Feedback (18)
Thursday, January 08, 2009
List Subnets for a Specific Site

So I'm doing a report about our AD infrastructure and some specific servers. The report needs to show which subnets are covered by a specific site. Easy, eh? Just open up Active Directory Sites and Services (ADSS), go to the site you need the information about, and simply copy the subnets.

Hah! Why would Microsoft make it that easy? Well, they wouldn't. Sorry, no copy, no pastey.

 

So here is a script that will list all the subnets for a site in CIDR format. I like it. You will too.

 

Just enter the name of the site as you see it in ADSS as an argument. No need to enter the distinguished name or any other kind of mumbo jumbo.

Oh, make sure you run this with cscript, not wscript, or every subnet will pop up in its own message box instead of printing to the console.

 

Option Explicit
Dim varSiteName, objRootDSE, strConfigNC, objSites, objSite, strSubnetDN, arySubnet

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript ListSiteSubnets.vbs <SiteName>"
    WScript.Quit 1
End If

varSiteName = LCase(WScript.Arguments(0)) ' the plain name you see in ADSS, not the DN

Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigNC = objRootDSE.Get("configurationNamingContext") ' sites live in the configuration container
Set objSites = GetObject("LDAP://CN=Sites," & strConfigNC)  ' container holding every site object

For Each objSite In objSites
    ' CN=Sites also holds the Subnets and Inter-Site Transports containers, so check the class
    If objSite.Class = "site" And LCase(objSite.cn) = varSiteName Then
        ' siteObjectBL holds the DN of every subnet linked to this site.
        ' GetEx always returns an array, even when only one subnet is linked;
        ' it raises an error when the site has no subnets at all, so trap that.
        On Error Resume Next
        For Each strSubnetDN In objSite.GetEx("siteObjectBL")
            arySubnet = Split(strSubnetDN, ",CN=")   ' first element is "CN=10.0.0.0/24"
            WScript.Echo Mid(arySubnet(0), 4)        ' strip the leading "CN="
        Next
        If Err.Number <> 0 Then WScript.Echo "No subnets are assigned to site " & objSite.cn
        On Error GoTo 0
    End If
Next
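The same lookup in PowerShell, as an added example rather than code from the original post, extended to cover every site at once and to flag subnet objects that are not assigned to any site (clients on those subnets cannot be placed in a site, so the DC locator may hand them a DC from anywhere). It uses System.DirectoryServices directly, so it needs no ActiveDirectory module; nothing about your forest is hard-coded.

```powershell
# Added example, not from the original post. Reads the Subnets container under
# CN=Sites in the configuration partition; no site or subnet names are assumed.

function Get-AdSubnetAssignment {
    # One object per subnet with the site it is linked to (Site is $null when the
    # subnet's siteObject attribute is empty, i.e. the subnet is unassigned).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
    $searcher.Filter     = '(objectClass=subnet)'
    $searcher.PageSize   = 1000   # page the results so large forests are not cut off at the server's size limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'siteObject', 'description'))
    foreach ($result in $searcher.FindAll()) {
        $siteDn = $null
        if ($result.Properties['siteobject'].Count -gt 0) { $siteDn = [string]$result.Properties['siteobject'][0] }
        [pscustomobject]@{
            Subnet      = [string]$result.Properties['cn'][0]
            # siteObject is a DN like CN=Site-Name,CN=Sites,CN=Configuration,...; keep just the name
            Site        = if ($siteDn) { ($siteDn -split ',')[0] -replace '^CN=', '' } else { $null }
            Description = if ($result.Properties['description'].Count -gt 0) { [string]$result.Properties['description'][0] } else { '' }
        }
    }
}

function Get-AdSiteSubnet {
    # Subnets for one site, matched case-insensitively by the name shown in ADSS.
    param([Parameter(Mandatory)][string]$SiteName)
    Get-AdSubnetAssignment | Where-Object { $_.Site -and $_.Site -ieq $SiteName } |
        Select-Object -ExpandProperty Subnet
}

function Get-AdOrphanSubnet {
    # Subnets defined in AD but linked to no site.
    Get-AdSubnetAssignment | Where-Object { -not $_.Site }
}

# Usage (domain-joined machine; output depends on your forest):
#   Get-AdSiteSubnet -SiteName 'Default-First-Site-Name'
#   Get-AdOrphanSubnet | Format-Table -AutoSize
Get-AdSubnetAssignment | Sort-Object Site, Subnet | Format-Table -AutoSize
```

Where the VBScript walks the site's siteObjectBL back-links, this walks the subnets' forward links, which is what lets it find subnets with no site at all.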

posted @ Thursday, January 08, 2009 5:54 PM | Feedback (3)
Tuesday, December 02, 2008
SCOM: Bulk Enable ACS for a Group

I've seen a few scripts out there for bulk-enabling ACS for just one group of servers in SCOM (OpsMgr 2007), but nothing seemed to work.

So, I decided to learn PowerShell so that I could write a better script to do this. Here is what I came up with. About a third of the script is comments that should help you understand exactly what the script is doing, so you can have a bit of confidence when running it. Also, if you read the script and the comments a few times, hopefully things will start to click in your mind and you will start to get a better understanding of PowerShell and SCOM.

 

To use the script, type the script name followed by the FQDN of the RMS, the FQDN of the ACS collector, and the display name of the group you want to affect.

Example: acsGroupEnable.ps1 RMS1.yourdomain.int ACS1.yourdomain.int 'your group name'  -yes single quotes. Maybe double quotes work too, but I'm too scared to try. ;-)

 

Here's the script:

 

param ($rmsServerName, $collectorServerName, $groupName)
# To list all groups by displayName connect to the root of the management server
# via PowerShell and run: get-childitem | format-list -property displayname

# Connect to the RMS using its FQDN
# add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client" # Use this if you aren't in the SCOM PowerShell console.
set-location "OperationsManagerMonitoring::"
new-managementGroupConnection -ConnectionString:$rmsServerName
set-location $rmsServerName

# Health Service class, used below to find each computer's agent object
$healthServiceClass = get-monitoringclass -name:Microsoft.SystemCenter.HealthService

# Look up the built-in task that enables ACS when invoked
$enableAcsTask = get-task -path \ | where {$_.Name -eq 'Microsoft.SystemCenter.EnableAuditCollectionService'}

# Override the task's CollectorServer parameter with our ACS collector
$overrides = new-object Hashtable
$overrides.Add("CollectorServer", $collectorServerName)

# Use alternate credentials only if you need to. Otherwise leave commented out.
# $credentials = Get-Credential # use this if you are not logged in with the correct OpsMgr account.

# Get all computer objects from the group you want to affect and put them into a collection
$colServers = Get-ChildItem (get-childItem | where {$_.displayName -eq $groupName}).PathName

# For each computer in the collection, find that computer's health service object
foreach ($varServer in $colServers)
{
    $healthServices = $varServer.GetRelatedMonitoringObjects($healthServiceClass)
    foreach ($hs in $healthServices) # normally just the one health service for this computer
    {
        if ($hs.isAvailable -eq $true) # the agent is currently talking to OpsMgr
        {
            "Enabling Audit Collection for " + $hs.DisplayName
            # Enable ACS on the computer
            Start-Task -task:$enableAcsTask -TargetMonitoringObject:$hs -overrides:$overrides # -credential:$credentials # uncomment if you need alternate credentials.
        }
        else
        {
            "Skipping: " + $hs.DisplayName + ". This computer is disconnected from OpsMgr."
        }
    }
}

posted @ Tuesday, December 02, 2008 5:10 PM | Feedback (17)
Monday, November 24, 2008
Beating a Dead Server

Beating a dead horse won’t get you much.

But beating a dead (Blue screened) server will sometimes get it to boot up again.

I know sometimes we get frustrated with our jobs. I know that we also have to deal with funky hardware.

Here are some steps that have been developed over my career to deal with both issues. These steps are time tested.

These steps are called Computer Punching Repair (CPR.)

It’s kind of like regular CPR, but for servers.

Here is what you do:

1. Pull server mostly out of rack.

2. Position yourself above the server.

3. Raise your fist.

4. Beat the Holy crud out of the thing, releasing all that built up frustration… Sigh…

5. Press the power button and see if it boots up.

6. Repeat steps 3 through 5 until you feel better or the server boots up.

I hope some of you can make use of these steps.

posted @ Monday, November 24, 2008 7:15 AM | Feedback (3)
Friday, October 31, 2008
AD Replication

This is a good article on AD replication:

http://blogs.technet.com/kenstcyr/archive/2008/07/...

posted @ Friday, October 31, 2008 11:26 AM | Feedback (3)
DSQuery discovery

Did you know there is a tool called dsquery????? DID YOU???

OH MY GOSH!!! This is the best tool EVER! (for AD queries.)

Why didn't I know about this tool before? This tool can do all SORTS of stuff! And you can combine it with some other tools like DSMOD, etc...

It can also do LDAP queries (dsquery * with -filter), although the -o output option is limited to just four formats (dn, rdn, upn, samid), so by default you get names back rather than attributes. dsquery * does accept -attr to return specific attributes; for anything more involved, VBScript will still be useful.

I just looked this up and it is part of the "Directory Service Command-line Tools" suite. Here is a list of the tools:

 

Directory Service command-line tools help:
dsadd /? - help for adding objects.
dsget /? - help for displaying objects.
dsmod /? - help for modifying objects.
dsmove /? - help for moving objects.
dsquery /? - help for finding objects matching search criteria.
dsrm /? - help for deleting objects.

 

Also, here is a primer from MS:

http://support.microsoft.com/kb/322684

posted @ Friday, October 31, 2008 7:08 AM | Feedback (3)