Wednesday, November 25, 2015

Typical End User…

Animation by Lisa Larson-Walker. Images by Den Rise/Shutterstock, courtesy of Rosa Menkman/Flickr Creative Commons.

Tuesday, November 24, 2015

A simple under the covers description of NTLM/Kerberos

I did not write this, but I liked it. All credit to Summit7.

NTLM
NTLM is a Windows challenge/response authentication protocol that leverages the interactive use of a login box that requires the end user to input their network credentials manually. Those credentials would include the user's username, password and domain name if logging into an organization's domain.

Plain English: end users log in by entering a username, password and domain into a login box. That being said we need to understand at least the basics of the process.

  1. NTLM authenticates end users by first creating an encrypted one-way hash of the user's password, discarding the original password and then sending the user name to the server in plain text.
  2. The server responds to the client with a 16-bit challenge called a nonce.
  3. The client encrypts the nonce and the hash of the user's password and returns them to the server. This is the Response.
  4. The server in turn sends three items to the domain controller: the user's name, the challenge sent to the client and the client's response to the challenge. The domain controller retrieves the hash for the user name it has received from the Security Account Manager (SAM) database and uses that hash to encrypt the challenge.
  5. Once the challenge has been encrypted by the domain controller it is compared to the challenge encrypted by the client, and if they match the end user is authenticated successfully.

Plain English: If you enter your password incorrectly the hashes will not match and you won’t be able to log into the network.

Kerberos

The Kerberos security protocol has been a part of Windows since Windows Server 2000 and was intended as a replacement for NTLM. Obviously that hasn’t happened and the two can often be found working together or in a mixture across Windows environments everywhere.

Kerberos is a Windows Security Protocol designed to authenticate users and services on an organisation's network and relies on three components: a client, a service and a trusted third party. The trusted third party in most Windows networks would likely be the Key Distribution Center (KDC), which creates the shared secret that is leveraged to allow access to the service. A simple view of the process might look like this:

  1. A user account is created in the domain and assigned a password.
  2. The Kerberos client adds a text string, or SALT, and the Kerberos version number to the unencrypted password and runs them through a process known as “string2key”. This conversion generates the “shared secret”.
  3. At the client the user enters their username and password and requests access to an application or service.
  4. When the user submits their username and password the Kerberos client creates the secret key on the client based on that information. Because the client uses the same key to generate the secret key that the KDC does, the two will match, or should anyway. If they don't match, authentication fails and access is denied.

Plain English: If you enter your password incorrectly the hashes will not match and you won’t be able to log into the network.

Thanks to Summit7 for this – full link: http://summit7systems.com/claims-based-authentication-adfs-3-0-and-sharepoint-2013-beginners-guide/
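The following is an added example, not part of the Summit7 text or of this post: a toy model in PowerShell of the NTLM challenge/response flow above (steps 1 to 5) and of the Kerberos string2key idea. It substitutes SHA-256, HMAC-SHA256 and PBKDF2 from .NET for the real NT hash (MD4) and the real Kerberos key derivation, so it shows the flow rather than the wire format. The account name, password, salt and the in-memory "SAM" table are all constructed values.

```powershell
# Added example (not from the original post): NTLM-style challenge/response and
# Kerberos-style string2key, modelled with generic .NET primitives.

function Get-PasswordHash {
    param([string]$Password)
    # Step 1: one-way hash of the password. The plaintext is discarded; this hash is
    # what the client keeps and what the DC stores in its "SAM".
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return ,$sha.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Password)) }
    finally { $sha.Dispose() }
}

function New-Challenge {
    # Step 2: server-side nonce, fresh for every logon attempt, so a response captured
    # today is useless against tomorrow's challenge.
    $nonce = New-Object byte[] 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($nonce); $rng.Dispose()
    return ,$nonce
}

function Get-Response {
    param([byte[]]$PasswordHash, [byte[]]$Nonce)
    # Step 3: the client proves knowledge of the hash by keying an HMAC over the nonce
    # (the article says "encrypts"; a keyed MAC is the same idea for this model).
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$PasswordHash)
    try { return ,$hmac.ComputeHash($Nonce) } finally { $hmac.Dispose() }
}

function Test-BytesEqual {
    param([byte[]]$A, [byte[]]$B)
    # Fixed-time comparison: a wrong response takes as long to reject as a near miss.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

# Constructed "SAM": user name -> stored password hash.
$sam = @{ 'alice' = Get-PasswordHash 'Correct Horse Battery Staple' }

function Invoke-Logon {
    param([string]$UserName, [string]$PasswordTyped)
    $clientHash = Get-PasswordHash $PasswordTyped      # client side, step 1
    $nonce      = New-Challenge                        # server -> client, step 2
    $response   = Get-Response $clientHash $nonce      # client -> server, step 3
    # Steps 4-5: the DC looks up the stored hash, recomputes the response for the same
    # nonce and compares. A wrong password gives a different hash, hence a different response.
    if (-not $sam.ContainsKey($UserName)) { return $false }
    $expected = Get-Response $sam[$UserName] $nonce
    return Test-BytesEqual $expected $response
}

Invoke-Logon 'alice' 'Correct Horse Battery Staple'    # True
Invoke-Logon 'alice' 'correct horse battery staple'    # False

# Kerberos-style string2key: password + salt -> shared secret, derived identically on
# the client and on the KDC. PBKDF2 stands in for the real string2key; the salt is the
# realm plus principal name, as in Kerberos.
function Get-KerberosStyleKey {
    param([string]$Password, [string]$Salt)
    $saltBytes = [System.Text.Encoding]::UTF8.GetBytes($Salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $Password, $saltBytes, 4096
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

$clientKey = Get-KerberosStyleKey 'Correct Horse Battery Staple' 'EXAMPLE.INTalice'
$kdcKey    = Get-KerberosStyleKey 'Correct Horse Battery Staple' 'EXAMPLE.INTalice'
Test-BytesEqual $clientKey $kdcKey                                                            # True
Test-BytesEqual $clientKey (Get-KerberosStyleKey 'Correct Horse Battery Staple' 'EXAMPLE.INTbob')  # False: same password, different salt
```

Two points the model makes visible: the password itself never crosses the wire in either scheme (only a hash-derived response or a derived key is ever used), and in the NTLM model the nonce is what stops a replayed response, which is why step 2 must be fresh per logon.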

Monday, November 23, 2015

Setup a secure point-to-site connection to a virtual network in Azure

Configure the network and gateway

Log in to the Azure portal (http://manage.windowsazure.com/). Create a new Virtual Network and click Custom Create. On the DNS Servers and VPN Connectivity page:

  • Configure Point-To-Site VPN: select the checkbox.
  • On the Point-To-Site Connectivity page, specify the IP address range from which your VPN clients will receive an IP address when connected. Don't let it overlap with any on-premises address range.

Update the IP range for the Azure subnet

When your virtual network has been created, you will see Created listed under Status on the Networks page in the Azure portal. Once your virtual network has been created, you can create your dynamic routing gateway.

The gateway type must be configured as dynamic. Static routing gateways will not work with this feature.

  1. In the portal, on the Networks page, click the virtual network that you just created, and navigate to the Dashboard page.
  2. Click Create Gateway. It can take around 15 minutes for the gateway to be created.

Generate and upload certificates

Previously, you were required to generate your own self-signed certificate. Now you can also use certificates that you generated using an enterprise solution. You can upload up to 20 root certificates to Azure.

Option 1: If you plan to use an enterprise certificate solution, the steps within each section will differ, but you'll still need to do the following:

  • Identify or generate a root certificate.
  • Upload the root certificate .cer file to Azure.
  • Generate a client certificate.
  • Export and install the client certificate.

Option 2: If you plan to use a self-signed certificate, follow these steps:

  • One way to create an X.509 certificate is by using the Certificate Creation Tool (makecert.exe). To use makecert, download and install Microsoft Visual Studio Express, which is free of charge.
  • Navigate to the Visual Studio Tools folder and start the command prompt as Administrator.
  • The command in the following example will create and install a root certificate in the Personal certificate store on your computer and also create a corresponding .cer file that you'll later upload to the Azure portal.
  • Change to the directory that you want the .cer file to be located in and run the following command, where NewRootCertName is the name that you want to use for the certificate. If you run the following example with no changes, the result will be a root certificate and the corresponding file NewRootCertFile.cer.

Because you have created a root certificate from which client certificates will be generated, you may want to export this certificate along with its private key and save it to a safe location where it can be recovered.

C:\Program Files (x86)\Windows Kits\8.1\bin\x64>makecert -sky exchange -r -n "CN=NewRootCertName" -pe -a sha256 -len 4096 -ss My "NewRootCertFile.cer"

    • NewRootCertName refers to the self-signed root certificate that you generated.

Upload the root certificate .cer file to the Azure portal

  1. In the Azure portal, on the Certificates page for your virtual network, click Upload a root certificate.

Generate a client certificate

The steps below are for generating a client certificate. On the same computer that you used to create the self-signed root certificate, open a Visual Studio command prompt window as administrator.

  1. Change the directory to the location where you want to save the client certificate file. NewRootCertName refers to the self-signed root certificate that you generated. If you run the following example (changing NewRootCertName to the name of your root certificate), the result will be a client certificate named "NewClientCertificateName" in your Personal certificate store.
  2. Run:

C:\Program Files (x86)\Windows Kits\8.1\bin\x64>makecert.exe -n "CN=NewClientCertificateName" -pe -sky exchange -m 96 -ss My -in "NewRootCertName" -is my -a sha256

  3. All certificates are stored in your Personal certificate store on your computer. If you want to reuse a certificate, export it.

Installing a client certificate on each computer that you want to connect to the virtual network is a mandatory step.

The steps below will walk you through installing the client certificate manually.

  1. A client certificate must be installed on each computer that you want to connect to the virtual network. This means you will probably create multiple client certificates and then need to export them. To export the client certificates, use certmgr.msc. Right-click the client certificate that you want to export, click All Tasks, and then click Export.
  2. Export the client certificate with the private key. This will be a .pfx file. Make sure to record or remember the password (key) that you set for this certificate.
  3. Copy the .pfx file to the client computer. On the client computer, double-click the .pfx file in order to install it. Enter the password when requested. Do not modify the installation location.
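As an added example (not from this post or the Azure article it summarises), the same root/client certificate steps done with New-SelfSignedCertificate, which ships with Windows 10 and Windows Server 2016 or later and replaces makecert. The certificate names, the output folder and the interactive PFX password prompt are assumptions; the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and the 96-month validity mirror the makecert commands above.

```powershell
# Added example: root + client certificate for Azure point-to-site with New-SelfSignedCertificate.
# Names and paths below are assumptions; adjust to your environment.
$rootName   = 'P2SRootCert'
$clientName = 'P2SClientCert'
$outDir     = 'C:\Temp\p2s'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed root in the current user's Personal store. KeyUsage CertSign lets it
#    issue client certificates; the key is exportable so the root can be backed up
#    (as the post recommends) and reused to issue more client certificates later.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 4096 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Public part only (.cer, DER) for upload to the Azure portal. The private key stays here.
Export-Certificate -Cert $root -FilePath (Join-Path $outDir "$rootName.cer") -Type CERT | Out-Null

# 3. Client certificate signed by the root, Client Authentication EKU, valid 96 months
#    (the -m 96 of the makecert command).
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -NotAfter (Get-Date).AddMonths(96) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 4. Export the client certificate with its private key as a password-protected .pfx,
#    one per connecting computer. The password is prompted for, never stored in the script.
$pfxPassword = Read-Host -Prompt "PFX password for $clientName" -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir "$clientName.pfx") -Password $pfxPassword | Out-Null

# 5. Sanity check before uploading: the client certificate must chain to the root you upload.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = 'NoCheck'                          # self-signed root has no CRL
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority' # root is not in Trusted Root yet
$chain.Build($client) | Out-Null
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -eq $root.Thumbprint) {
    "OK: $($client.Subject) chains to $($root.Subject) ($($root.Thumbprint))"
} else {
    Write-Warning "Client certificate does not chain to $rootName; do not upload this pair."
}
```

Upload the .cer from step 2 on the Certificates page exactly as described above; the .pfx from step 4 is the file you copy to each client computer and install with its password.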

Configure your VPN client

The client requires both a client certificate and the proper VPN client configuration in order to connect.

Create the VPN client configuration package
  1. In the Azure portal, on the Dashboard page for your virtual network, navigate to the quick glance menu in the right corner and click the VPN package that pertains to the client that you want to connect to your virtual network.
  2. After you generate and download the VPN client package from the Azure portal, you can install the client package on the client computer from which you want to connect to your virtual network.
  3. If you plan to install the VPN client package on multiple client computers, make sure that they each also have a client certificate installed. The VPN client package contains configuration information to configure the VPN client software built into Windows. The package does not install additional software.

Install the VPN configuration package on the client and start the connection. Done.

This information is a simplification of the article https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-point-to-site-create/#create-your-certificates

Thursday, October 22, 2015

Script to strip out details from phone numbers (brackets in this example)

#requires -Modules ActiveDirectory
<#
.SYNOPSIS
    Removes any brackets () from the phone number fields of Active Directory users.
.EXAMPLE
    .\Remove brackets from phones.ps1
.NOTES
   Developed By:
     n: Dave Colvin
     e: dave.colvin_at_experteq.com
     m : +61411265846
#>

Import-Module ActiveDirectory
Clear-Host

# The filter is narrowed to a single test account; the properties list is what the loop below rewrites.
Get-ADUser -Filter {sAMAccountName -like "dave.colv.in*"} -SearchBase "OU=Users,DC=int" -SearchScope Subtree -Properties telephoneNumber, facsimileTelephoneNumber, homePhone, ipPhone, displayName |
ForEach-Object {
    Write-Host "updating -> " $_.displayName
    # Only touch attributes that are set; -replace '[()]','' strips every ( and ) from the value.
    if ($_.telephoneNumber)          { Set-ADUser -Identity $_ -Replace @{telephoneNumber = $_.telephoneNumber -replace '[()]', ''} }
    if ($_.facsimileTelephoneNumber) { Set-ADUser -Identity $_ -Replace @{facsimileTelephoneNumber = $_.facsimileTelephoneNumber -replace '[()]', ''} }
    if ($_.homePhone)                { Set-ADUser -Identity $_ -Replace @{homePhone = $_.homePhone -replace '[()]', ''} }
    # ipPhone is left alone in this run; uncomment to include it.
    #if ($_.ipPhone)                 { Set-ADUser -Identity $_ -Replace @{ipPhone = $_.ipPhone -replace '[()]', ''} }
}
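An added example, not the post's script, that generalises the clean-up: a normalising function that strips brackets, spaces, dots and dashes while keeping a leading "+", only one Set-ADUser per user, and ShouldProcess support so the whole run can be rehearsed with -WhatIf before anything is written. The default filter, search base and attribute list are assumptions.

```powershell
# Added example (not the post's own script): bulk phone-number normalisation with a dry run.
#requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function ConvertTo-CleanPhoneNumber {
    param([string]$Number)
    # Returns $null when there is nothing usable, so the caller leaves the attribute alone.
    if ([string]::IsNullOrWhiteSpace($Number)) { return $null }
    $plus   = if ($Number.TrimStart().StartsWith('+')) { '+' } else { '' }
    $digits = $Number -replace '[^0-9]', ''          # drops ( ) spaces . - and anything else
    if ($digits.Length -eq 0) { return $null }       # e.g. "n/a" or "-"
    return $plus + $digits
}

function Update-ADPhoneNumbers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Filter = 'Enabled -eq $true',       # assumed default; narrow it for a test run
        [string]$SearchBase = 'OU=Users,DC=int',      # assumed, matches the post's OU
        [string[]]$Attributes = @('telephoneNumber', 'facsimileTelephoneNumber', 'homePhone', 'ipPhone')
    )
    Get-ADUser -Filter $Filter -SearchBase $SearchBase -Properties ($Attributes + 'displayName') |
        ForEach-Object {
            $user    = $_
            $changes = @{}
            foreach ($attr in $Attributes) {
                $old = $user.$attr
                $new = ConvertTo-CleanPhoneNumber $old
                # Only queue a write when the value is set, is salvageable and actually differs.
                if ($old -and $new -and $new -ne $old) { $changes[$attr] = $new }
            }
            if ($changes.Count -eq 0) { return }      # nothing to do for this user
            $summary = ($changes.GetEnumerator() |
                ForEach-Object { "$($_.Key): '$($user.($_.Key))' -> '$($_.Value)'" }) -join '; '
            # -WhatIf prints "What if: Performing the operation ..." instead of writing.
            if ($PSCmdlet.ShouldProcess($user.DisplayName, "Set $summary")) {
                Set-ADUser -Identity $user -Replace $changes   # one write per user, all attributes at once
            }
        }
}

# Rehearse, then run for real:
#   Update-ADPhoneNumbers -WhatIf
#   Update-ADPhoneNumbers -Verbose
```

The dry run is the part worth keeping even if you only ever strip brackets: a bulk attribute rewrite against the directory is much easier to review as a list of "old -> new" lines than to undo afterwards.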

Thursday, October 08, 2015

Get SQL Server Product Keys for Local and Remote Servers

Download this script and paste it into PowerShell, then call the function Get-SqlServerKeys; it outputs the keys to the console. Nice and easy.

https://gallery.technet.microsoft.com/scriptcenter/Get-SQL-Server-Product-4b5bf4f8

Wednesday, September 30, 2015

Script to read in email addresses and set passwords, enable accounts

Hopefully the blog does not munge the code… Self-explanatory I hope…

Import-Module ActiveDirectory

# Based on the email addresses in a file, sets each account's password to a common
# preset value or to the one given in the CSV (choose below), then enables the account.
#
# Format of the CSV:
#
# importfile.csv
# email,password
# First.Last@ment.gov.au,SecretPassword!1
# dave.colv.in,SecretPassword!1

#Write-Output "Startup "

Import-Csv ".\ChurnReset.csv" | ForEach-Object {
    $email     = $_.email
    $dynamicPW = $_.password            # the password from the CSV
    $setPW     = "davecolvin00111!!"    # a preset password
    $newPW     = $setPW                 # choose: $setPW (preset) or $dynamicPW (from the CSV)
    #Write-Output "checking user -> $email password -> $newPW"
    try {
        # -ErrorAction Stop turns the AD cmdlets' non-terminating errors into ones the catch block sees.
        $user = Get-ADUser -Filter {mail -like $email} -SearchBase "DC=dec,DC=int" -SearchScope Subtree -Properties samAccountName -ErrorAction Stop
        if (-not $user) { throw "no account with mail '$email'" }
        Set-ADAccountPassword $user -NewPassword (ConvertTo-SecureString $newPW -AsPlainText -Force) -Reset -ErrorAction Stop
        Enable-ADAccount $user -ErrorAction Stop
        Write-Output "$user, Password reset and enabled"
    } catch {
        Write-Output "$email,Error: $($_.Exception.Message)"
    }
}   # append "| Out-File PassChange.log" after this brace to write to a log file instead of the screen
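As an added example (not the post's own script), here is the same CSV-driven reset with the two changes a defender would make: each account gets its own password generated from a CSPRNG instead of a value typed into the script or carried in the CSV, and the user is forced to change it at next logon, so the value recorded for hand-over is single-use. The CSV path, search base, output file and the character alphabet are assumptions.

```powershell
# Added example (not from the original post): per-user random passwords, forced change at logon, logged results.
#requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 16)
    # Ambiguous characters (0/O, 1/l/I) are left out so the value can be read out over the phone.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_'.ToCharArray()
    $limit    = 256 - (256 % $alphabet.Length)   # bytes >= limit are rejected, which removes modulo bias
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    do {
        $chars.Clear()
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($one)
            if ($one[0] -lt $limit) { $chars.Add($alphabet[$one[0] % $alphabet.Length]) }
        }
        $candidate = -join $chars.ToArray()
    } until ($candidate -cmatch '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9])')  # usual four-class complexity rule
    $rng.Dispose()
    return $candidate
}

$results = Import-Csv '.\ChurnReset.csv' | ForEach-Object {     # assumed path; only the email column is used
    $email = $_.email
    try {
        $user = Get-ADUser -Filter { mail -eq $email } -SearchBase 'DC=dec,DC=int' -ErrorAction Stop
        if (-not $user) { throw "no account with mail '$email'" }
        if (@($user).Count -gt 1) { throw "mail '$email' matches more than one account" }
        $pw = New-RandomPassword
        Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force) -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop   # temp password is single-use
        Enable-ADAccount -Identity $user -ErrorAction Stop
        [pscustomobject]@{ Email = $email; Account = $user.SamAccountName; Status = 'Reset'; TempPassword = $pw }
    } catch {
        [pscustomobject]@{ Email = $email; Account = $null; Status = "Error: $($_.Exception.Message)"; TempPassword = $null }
    }
}

# Screen output never shows the passwords; they go only to the hand-over file, which should
# sit on an ACL-restricted share and be deleted once the users have logged on.
$results | Select-Object Email, Account, Status | Format-Table -AutoSize
$results | Where-Object Status -eq 'Reset' | Export-Csv '.\ChurnReset-temp-passwords.csv' -NoTypeInformation
```

The two `-ErrorAction Stop` arguments are what make the `try`/`catch` meaningful: without them the AD cmdlets raise non-terminating errors, the `catch` never fires, and a failed reset is logged as a success.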

Friday, August 21, 2015

The scale of apathy..

apathy-1024x640

A friend wanted to know what was lower on the scale of apathy than Meh. So I have put together the scale:

Apathetic
indifference
lack of interest
lack of enthusiasm
lack of concern
unconcern
uninterestedness
unresponsiveness
impassivity
dispassion
lethargy
languor
ennui
listlessness
torpor
acedia
inertia
coolness
passivity
coldness
stoicism
nonchalance
phlegm
sluggishness
unconcern
insensibility
unresponsiveness
impassivity
passiveness
impassibility
unfeelingness
emotionlessness
meh

Tuesday, July 14, 2015

Google Chrome getting business ready

Google now supports GPO policy templates for administrators who want to set Chrome policies on their corporate-managed devices.

Download the policy templates zip file here and view the Chromium developer site for additional information.

Enter chrome://policy in your Chrome address bar, and Chrome will display all the policies which are currently in effect for that browser.

Policies which say “Applies to: Current user” are cloud-based user policies set from the Admin console, or they could be OS-user policies set by Group Policy Objects (GPO). Group policies can be per user or per machine. Device policies will show up as “Device” on Chrome devices, and “Machine” on Windows/Mac/Linux computers.

Machine Policies are applied through Group Policy Objects (GPO) on Windows and through the Admin console for Chrome OS ("Applies to: Device"). These are device-specific and apply to all users, regardless of which browser they’re using or whether or not they’re signed into Chrome or the device.

OS-user policy is applied to Chrome when a user signs into their corporate-managed computer. These policies are set using GPO on Windows. OS-user policies take precedence over cloud policies set for Chrome.

Chrome Profile refers to a user’s Chrome experience when he signs in to the Chrome browser on his machine. These are also called cloud-based user policies in the documentation, and they’re set by an administrator using the Admin console.

When there is a conflict between policies set on different scopes, the one that’s higher on the list above takes precedence. Machine Policies take precedence over OS-user and Chrome Profile policies.

https://support.google.com/chrome/a/answer/187202?hl=en

Wednesday, July 08, 2015

Windows Licences and Azure


Windows Server 2012 r2 brings a consistent licensing model and common features (for enterprises). These options are Standard and Datacenter.

Both Standard and Datacenter editions provide the same set of features; the only thing that differentiates the editions is the number of Virtual Machines (VMs). A Standard edition license will entitle you to run up to two VMs on up to two processors (subject to the VM use rights outlined in the Product Use Rights document). A Datacenter edition license will entitle you to run an unlimited number of VMs on up to two processors.

All features that are available in the Datacenter edition are also available in the Standard edition, including high availability features like failover clustering. The only difference between the two editions will be virtualization rights.

Hyper-V and Azure?

Windows Server licenses are not eligible for License Mobility through Software Assurance. The license to run Windows Server in the Azure environment is included in the per-minute cost of your Windows Virtual Machine. Licenses for use of Windows Server on-premises (whether in a VHD or otherwise) must be obtained separately through volume licensing.

Can you, the customer, bring your own image that has applications and middleware on top of Windows Server?

Yes. Azure will charge the Windows Server Virtual Machine rate applicable for that instance. Customers are responsible for proper licensing of any application or middleware in the image.

Do you need Windows Server CALs to connect to a Windows Server image that is running in Azure Virtual Machines?

No. Windows Server CALs are not required for accessing Windows Server running in the Azure environment because the access rights are included in the per-minute charge for the Virtual Machines. Use of Windows Server on-premises (whether in a VHD or otherwise) requires obtaining a separate license and is subject to the normal licensing requirements for use of software on-premises.

Windows Server 2012 R2 Editions

| | Windows Server Datacenter | Windows Server Standard |
|---|---|---|
| Maximum number of users | based on CALs | based on CALs |
| Maximum SMB Connections | 16,777,216 | 16,777,216 |
| Maximum RRAS Connections | unlimited | unlimited |
| Maximum IAS Connections | 2,147,483,647 | 2,147,483,647 |
| Maximum number of 64-bit sockets | 64 | 64 |
| Maximum RAM | 4 TB | 4 TB |
| Server can join a domain | Yes | Yes |
| DirectAccess | Yes | Yes |

Server Roles

| Server Roles | Windows Server Datacenter | Windows Server Standard |
|---|---|---|
| Active Directory Certificate Services | Yes | Yes |
| Active Directory Domain Services | Yes | Yes |
| Active Directory Federation Services | Yes | Yes |
| AD Lightweight Directory Services | Yes | Yes |
| AD Rights Management Services | Yes | Yes |
| Application Server | Yes | Yes |
| DHCP Server | Yes | Yes |
| DNS Server | Yes | Yes |
| Fax Server | Yes | Yes |
| File Services | Yes | Yes |
| Hyper-V | Yes | Yes |
| Network Policy and Access Services | Yes | Yes |
| Print and Document Services | Yes | Yes |
| Remote Access | Yes | Yes |
| Terminal Services Application Sharing | Yes | Yes |
| Terminal Services Gateway | Yes | Yes |
| Web Services (IIS) | Yes | Yes |
| Windows Deployment Services | Yes | Yes |
| Windows Essentials | Yes | Yes |
| Windows Media Services support (Streaming Media Services) | See Installation Options documentation | See Installation Options documentation |
| WINS Server | Yes | Yes |

Features

| Features | Windows Server Datacenter | Windows Server Standard |
|---|---|---|
| RODC – read only domain controller | Yes | Yes |
| Automatic Virtual Machine Activation | Both guest and host | As guest |
| Best Practices Analyser | Yes | Yes |
| BranchCache Hosted Server | Yes | Yes |
| BranchCache P2P Cache | Yes | Yes |
| Windows Control Panel | Yes | Yes |
| Distributed File System Replication | Yes | Yes |
| Data Deduplication | Yes | Yes |
| iSCSI target support | Yes | Yes |
| DirectAccess | Yes | Yes |
| Dynamic Memory (in virtualization) | Yes | Yes |
| Failover Clustering | Yes | Yes |
| "Hot" add/replace RAM | Yes | Yes |
| IPAM (IP Address Management) | Yes | Yes |
| Microsoft Management Console | Yes | Yes |
| Minimal Server Interface | Yes | Yes |
| Network Load Balancing | Yes | Yes |
| Support for Non-volatile Memory Express | Yes | Yes |
| Windows PowerShell | Yes | Yes |
| Server Core mode | Yes | Yes |
| Server license logging | Yes | Yes |
| Server Manager | Yes | Yes |
| SMB Direct and SMB over RDMA | Yes | Yes |
| Storage Management Service | Yes | Yes |
| Storage Spaces | Yes | Yes |
| Volume Activation Services | Yes | Yes |
| VSS (Volume Shadow Copy Service) integration | Yes | Yes |
| Windows Server Update Services | Yes | Yes |

These are non-typical enterprise customer editions, included here for completeness.

| | Windows Server Essentials | Windows Server Foundation | Microsoft Hyper-V Server | Windows Storage Server Standard | Windows Storage Server Workgroup |
|---|---|---|---|---|---|
| Maximum number of users | 25 | 15 | unlimited | unlimited | 50 |
| Maximum SMB Connections | 16,777,216 | 30 | 16,777,216 | 16,777,216 | 250 |
| Maximum RRAS Connections | 50 | 50 | 250 | 50 | 50 |
| Maximum IAS Connections | 50 | 10 | 50 | 50 | 50 |
| Maximum number of 64-bit sockets | 2 | 1 | 64 | 64 | 1 |
| Maximum RAM | 64 GB | 32 GB | 4 TB | 4 TB | 32 GB |
| Server can join a domain | For migration only | For migration only | Yes | Yes | Yes |
| DirectAccess | See documentation | Yes | No | Yes | Yes |

Server Roles

| Server Roles | Windows Server Essentials | Windows Server Foundation | Microsoft Hyper-V Server | Windows Storage Server Standard | Windows Storage Server Workgroup |
|---|---|---|---|---|---|
| Active Directory Certificate Services | Yes | Yes | No | No | No |
| Active Directory Domain Services | Required | Yes (optional) | No | No | No |
| Active Directory Federation Services | Yes | Yes | No | No | No |
| AD Lightweight Directory Services | No | Yes | No | Yes | Yes |
| AD Rights Management Services | Yes | Yes | No | No | No |
| Application Server | Yes | Yes | No | No | No |
| DHCP Server | Yes | Yes | No | Yes | No |
| DNS Server | Yes | Yes | No | Yes | No |
| Fax Server | Yes | Yes | No | No | No |
| File Services | Yes | Yes | Limited features | Yes | Yes |
| Hyper-V | No | No | Yes | Yes | No |
| Network Policy and Access Services | Yes | Yes | No | No | No |
| Print and Document Services | Yes | Yes | No | Yes | Yes |
| Remote Access | Yes | Yes | No | No | No |
| Terminal Services Application Sharing | No | Yes | No | No | No |
| Terminal Services Gateway | No | See documentation | No | No | No |
| Web Services (IIS) | Yes | Yes | No | Yes | Yes |
| Windows Deployment Services | Yes | Yes | No | No | No |
| Windows Essentials | Default | No | No | No | No |
| Windows Media Services support (Streaming Media Services) | Yes | See Installation Options documentation | No | No | No |
| WINS Server | Yes | Yes | No | Yes | No |

Features

| Features | Windows Server Essentials | Windows Server Foundation | Microsoft Hyper-V Server | Windows Storage Server Standard | Windows Storage Server Workgroup |
|---|---|---|---|---|---|
| RODC – read only domain controller | No | No | No | No | No |
| Automatic Virtual Machine Activation | As guest | No | No | No | No |
| Best Practices Analyser | Yes | Yes | Yes | Yes | Yes |
| BranchCache Hosted Server | Yes | Yes | No | Yes | No |
| BranchCache P2P Cache | Yes | Yes | No | Yes | Yes |
| Windows Control Panel | Yes | Yes | No | Yes | Yes |
| Distributed File System Replication | Yes | Yes | No | Yes | Yes |
| Data Deduplication | No | No | No | Yes | No |
| iSCSI target support | Yes | Yes | No | Yes | Yes |
| DirectAccess | Yes | Yes | No | Yes | Yes |
| Dynamic Memory (in virtualization) | Yes | No | No | Yes | No |
| Failover Clustering | No | No | Yes | Yes | No |
| "Hot" add/replace RAM | Yes | No | Yes | Yes | Yes |
| IPAM (IP Address Management) | Yes | Yes | No | Yes | Yes |
| Microsoft Management Console | Yes | Yes | Remote only | Yes | Yes |
| Minimal Server Interface | No | No | No | Yes | Yes |
| Network Load Balancing | Yes | Yes | No | Yes | Yes |
| Support for Non-volatile Memory Express | Yes | Yes | Yes | Yes | Yes |
| Windows PowerShell | Yes | Yes | Yes | Yes | Yes |
| Server Core mode | No | No | Yes (the only option) | After setup | After setup |
| Server license logging | Yes | Yes | Yes | Yes | Yes |
| Server Manager | Yes | Yes | From a remote computer | Yes | Yes |
| SMB Direct and SMB over RDMA | Yes | Yes | Yes | Yes | Yes |
| Storage Management Service | Yes | Yes | Basic file server only | Yes | Yes |
| Storage Spaces | Yes | Yes | Yes | Yes | Yes |
| Volume Activation Services | No | No | No | No | No |
| VSS (Volume Shadow Copy Service) integration | Yes | Yes | No | Yes | Yes |
| Windows Server Update Services | Yes | No | No | No | No |

Tuesday, June 30, 2015

Azure Active Directory editions

The Free edition of Azure Active Directory is part of every Azure subscription. There is nothing to license and nothing to install. With it, you can manage user accounts, synchronise with on-premises directories, get single sign-on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Google Apps, ServiceNow, Dropbox, etc.

Azure AD Premium is what you will need for password self-service in the cloud with AD write-back.

The Microsoft Enterprise Mobility Suite (EMS) discount makes it the most cost-effective way to acquire the included cloud services:

  • Microsoft Azure Active Directory Premium for hybrid identity management, Microsoft Intune and Microsoft Azure Rights Management for information protection

| Features | Free edition | Basic edition | Premium edition |
|---|---|---|---|
| Directory as a service | Up to 500K objects | No object limit | No object limit |
| User and group management using UI or Windows PowerShell cmdlets | ✓ | ✓ | ✓ |
| Device registration | ✓ | ✓ | ✓ |
| Access Panel portal for SSO-based user access to SaaS and custom applications | ✓ (up to 10 apps per user) | ✓ (up to 10 apps per user) | No app limit |
| User-based application access management and provisioning | ✓ | ✓ | ✓ |
| Self-service password change for cloud users | ✓ | ✓ | ✓ |
| Azure AD Connect – for syncing between on-premises directories and Azure Active Directory | ✓ | ✓ | ✓ |
| Standard security reports | ✓ | ✓ | ✓ |

| Features | Free edition | Basic edition | Premium edition |
|---|---|---|---|
| High availability SLA uptime (99.9%) | | ✓ | ✓ |
| Group-based application access management and provisioning | | ✓ | ✓ |
| Customisation of logo and colours on the Sign In and Access Panel pages | | ✓ | ✓ |
| Self-service password reset for cloud users | | ✓ | ✓ |
| Application Proxy: secure remote access and SSO to on-premises web applications | | ✓ | ✓ |

| Features | Premium edition |
|---|---|
| Advanced application usage reporting | ✓ |
| Self-service group management for cloud users | ✓ |
| Self-service password reset with on-premises write-back | ✓ |
| Microsoft Identity Manager (MIM) user licenses – for on-premises identity and access management | ✓ |
| Advanced anomaly security reports (machine learning-based) | ✓ |
| Cloud app discovery | ✓ |
| Multi-Factor Authentication service for cloud users | ✓ |
| Multi-Factor Authentication server for on-premises users | ✓ |

Multi-Factor Authentication is included with Premium and can secure access to on-premises applications (VPN, RADIUS, etc.), Azure, Microsoft Online Services like Office 365 etc.

Microsoft Identity Manager (MIM) - Premium comes with the option to grant rights to use a MIM server (and CALs) in your on-premises network to support any combination of hybrid identity solutions. This is a great option if you have a variety of on-premises directories and databases that you want to sync directly to Azure Active Directory. There is no limit on the number of FIM servers you can use; however, MIM CALs are granted based on the allocation of an Azure.

Note 1: what if you have SSPR on-premises too?

Q: Can I synchronise data for security questions from on-premises?
A: No, this is not possible today, but Microsoft are considering it.

Note 2: locked-out accounts?

Q: Do you unlock the local Active Directory accounts when users reset their passwords?
A: Yes, when a user resets his or her password and password writeback has been deployed with versions of AADSync 1.0.0485.0222 or later, then that user’s account will be automatically unlocked when that user resets his or her password.

Notes 3 & 4: worries about hackerz?

Q: Do you prevent users from attempting password reset many times in a short time period?
A: Yes. Users may only try 5 password reset attempts within an hour before being locked out for 24 hours. Users may only try to validate a phone number 5 times within an hour before being locked out for 24 hours. Users may only try a single authentication method 5 times within an hour before being locked out for 24 hours.

Q: For how long are the email and SMS one-time passcodes valid?
A: The session lifetime for password reset is 105 minutes. This means that from the beginning of the password reset operation, the user has 105 minutes to reset his or her password. The email and SMS one-time passcodes are invalid after this time period expires.

Azure AD versions: https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Azure AD Password writeback: https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx

Setting up SSPR: https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx

Friday, June 12, 2015

XenDesktop 7.6, Windows 2012 R2, Office 365

When opening any Office 365 application before opening Internet Explorer 11 (IE11), Office fails with a file permissions error.

It turns out Office 365 uses the Temporary Internet Files location from IE11 as the path it opens temp files into, and IE11 now has a new path for these files:

%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 – this Content.IE5 location does not exist until you have opened IE11 for the first time.

Even if you change the path in the user profile, Office ignores it and uses the IE11 path regardless.

Solution:

Create a Group Policy for IE11 (you may have to load the IE11 ADMX files) that changes the path back to %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files

All works correctly once this is applied.

Thanks to Andrew Hill – Senior Consultant, Experteq for the tip.

Wednesday, June 10, 2015

Moving the FIM 2010 R2 (FIM Service, read FIM portal) to a new SQL server

Shut down the Forefront Identity Manager Service in services.cpl.

Back up the DB from the SQL Manager.

Move it, rename it, restore it.

On the new DB server, set the FIM service account you are using as db_owner.

You need to run the following command to enable SQL Server Service Broker for the FIM Service database, because the DB has been restored. Remember that every time you restore the FIM Service DB from a backup or move it to a new server, you will need to run it again:

ALTER DATABASE [SQLD0040Q] SET ENABLE_BROKER WITH NO_WAIT

The ALTER query may fail if there are active connections to the database. You need to fix that if so.

On the FIM portal server

Open RegEdit
    Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMService

DatabaseServer is the name of the new SQL Server (it would have been blank if the local server was the SQL server).

DatabaseName is the name of the database on the remote SQL Server.

Start the FIM Services.

Moving the FIM 2010 R2 SQL database (or renaming the database)

Shut down any jobs on FIM. Shut down the FIM Service in services.cpl.

Back up the DB from the SQL Manager.

Move it, rename it, restore it.

On the new DB server, set the FIM service account you are using as db_owner.

On the FIM server

Open RegEdit
    Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters

        Server is the name of the new SQL Server (it would have been blank if the local server was the SQL server).

        DBName is the name of the database on the remote SQL Server.

        SQLInstance should equal the name of the instance (for the default instance it should be blank).

Start the FIM Services.
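As an added check (not from this post or the TechNet article it cites), the PowerShell below reads back the registry values both procedures change and confirms that Service Broker is enabled on the restored FIM Service database before the services are started. The SQL server name and database name are assumptions; Invoke-Sqlcmd comes from the SqlServer module (or the older SQLPS module) and is run on a machine that can reach the new SQL server.

```powershell
# Added example: verify the FIM registry pointers and the Service Broker flag after a DB move.
$newSqlServer = 'SQL02'          # assumed name of the new SQL Server
$fimServiceDb = 'FIMService'     # assumed; the post's own example database is SQLD0040Q

# Registry keys named in the two procedures above (run this on the FIM portal / sync server).
$fimService = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\services\FIMService'
$fimSync    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters'

[pscustomobject]@{
    'FIMService DatabaseServer' = $fimService.DatabaseServer
    'FIMService DatabaseName'   = $fimService.DatabaseName
    'Sync Server'               = $fimSync.Server
    'Sync DBName'               = $fimSync.DBName
    'Sync SQLInstance'          = $fimSync.SQLInstance
} | Format-List

# A blank DatabaseServer / Server means "local default instance", as the post notes,
# so after a move anything that is not the new server name is wrong.
foreach ($pair in @(@('FIMService DatabaseServer', $fimService.DatabaseServer), @('Sync Server', $fimSync.Server))) {
    if ($pair[1] -ne $newSqlServer) { Write-Warning "$($pair[0]) is '$($pair[1])', expected '$newSqlServer'" }
}

# is_broker_enabled is the flag the post's ALTER DATABASE ... SET ENABLE_BROKER turns on;
# a restore leaves it off. Single quotes keep $(db) for Invoke-Sqlcmd's own substitution.
$broker = Invoke-Sqlcmd -ServerInstance $newSqlServer -Database master `
    -Query 'SELECT name, is_broker_enabled FROM sys.databases WHERE name = ''$(db)''' `
    -Variable "db=$fimServiceDb"
if (-not $broker) {
    Write-Warning "Database '$fimServiceDb' not found on $newSqlServer; check the restore and the DatabaseName value."
} elseif ($broker.is_broker_enabled -ne $true) {
    Write-Warning "Service Broker is disabled on $fimServiceDb. Run: ALTER DATABASE [$fimServiceDb] SET ENABLE_BROKER WITH NO_WAIT"
} else {
    "Service Broker enabled on $fimServiceDb; safe to start the FIM services."
}
```

If the ALTER DATABASE fails because sessions are still connected, the cause is usually a FIM service that was not stopped first, which is why both procedures begin with stopping the service.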

 

Hat-tip: http://social.technet.microsoft.com/wiki/contents/articles/5465.fimilm-how-to-move-the-backend-sql-server-synchronization-service-database.aspx (note this says "Server Property", implying the key is called “Server Property”; it is just “Server”).

Thursday, June 04, 2015

FIM portal, the setup needs to run under SharePoint Farm administrator

Well, they got an error; it just turns out the message is wrong. Here is the answer.

Error message text:
To install FIM portal, the setup needs to run under SharePoint Farm administrator account with at least Open permission that allows users to open a Web site, list, or folder in order to access items inside that container. Please make sure you are a SharePoint Farm administrator with Open permission and then click “Retry”. Click “Cancel” to abort setup.

Despite what the message says, you can configure the Farm Administrators group and it does not work. What it really needs is a Site Collection Administrator. The Site Collection Administrator is an individual user (i.e. not two users and not a group)!

Go to Central Admin (URL port 34997), then click Application Management, then click Change Site Collection Administrators, and change it to the user.

Hattip: http://blog.msresource.net/2013/01/29/to-install-fim-portal-the-setup-needs-to-run-under-sharepoint-farm-administrator-account-with-at-least-open-permission-that-allows-users-to-open-a-web-site-list-or-folder-in-order-to-access-items-i/

Tuesday, June 02, 2015

July 29 2015 – Windows 10 - free for the first year

Microsoft officials* said Windows 10 Home will be priced at US$119 and Windows 10 Pro will cost US$199. The Windows 10 upgrade, at US$99, will allow users to move from Windows 10 Home to Pro. You will also need to buy this if you are running Windows XP or Vista.

Microsoft is making Windows 10 available for FREE for the first year to computers with Windows 7 Service Pack 1 and Windows 8.1 on July 29, 2015. This is a limited time promotion that expires on July 29, 2016. Once the promotion ends, Microsoft will charge Windows 7 and Windows 8.1 users to upgrade to Windows 10.

New today!

If you are using Windows 7 or 8.1, you will notice a Windows flag icon in your system tray starting today. This is the “Get Windows 10” reservation launcher.

To reserve the upgrade, you just need to click the button in the wizard that launches. This prepares Windows Update for the Windows 10 upgrade when it arrives on July 29, so you will need to do this on each PC you intend to upgrade to Windows 10.



* According to Neowin

Thursday, May 21, 2015

FIM Portal (No Display Name)

 

If you did an import and everyone came in as (No Display Name), here is what to do.

First, set the display name precedence in the FIM Sync Manager console


http://social.technet.microsoft.com/wiki/contents/articles/5140.fim-reference-checking-configuring-attribute-precedence.aspx

Then you need to bulk delete all the crap (this is slow)


http://social.technet.microsoft.com/wiki/contents/articles/2108.how-to-use-powershell-to-delete-all-users-from-the-fim-portal.aspx

And you are ready to start again.

 

Forefront Identity Manager Portal

Sunday, May 17, 2015

Robocopy to Onedrive Personal

 

If you are sick of the OneDrive sync clients, map a drive and use robocopy: it just runs, it is restartable, and it can tick away for weeks or months.

First map a drive to onedrive:

Open the OneDrive link from outlook.com in a web browser.

This is an example of the link location: https://onedrive.live.com/#cid=a3e4ab99159b06d6

In Windows Explorer, map a drive to https://d.docs.live.net/a3e4ab99159b06d6

Connect using different credentials and use your Outlook account; if you have two-factor authentication turned on, you need an app password. Once this is done, use your robocopy command of choice, sit back and wait.
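The mapping and the copy as one PowerShell script, added here as an example (not from the original post). The cid, account and folders are placeholders, the app password is prompted for rather than stored, and because /MIR and /PURGE are not used robocopy never deletes anything in OneDrive, so a wrong source path cannot wipe the destination.

```powershell
# Added example, not the original post's command. All values below are placeholders.
$Cid     = 'a3e4ab99159b06d6'        # the cid from your onedrive.live.com link (placeholder)
$Account = 'you@outlook.com'         # your Microsoft account (placeholder)
$Source  = 'C:\Users\you\Documents'  # local folder to copy (placeholder)
$Drive   = 'O:'
$Dest    = "$Drive\Documents"
$Log     = Join-Path $env:TEMP 'onedrive-robocopy.log'

# Two-factor accounts need an app password here, as noted above.
$cred = Get-Credential -UserName $Account -Message 'OneDrive app password'
$pw   = $cred.GetNetworkCredential().Password
# net use does the WebDAV mapping. The password is on net.exe's command line, so it is
# visible to command-line auditing on this box; use an app password you can revoke.
net use $Drive "https://d.docs.live.net/$Cid" $pw "/user:$Account" /persistent:no
if ($LASTEXITCODE -ne 0) { throw "Could not map $Drive to OneDrive" }
Remove-Variable pw, cred

# /E    include subfolders, even empty ones
# /Z    restartable mode, so an interrupted file resumes instead of starting over
# /FFT  compare timestamps with 2-second tolerance, so files are not re-copied just
#       because the destination cannot store NTFS-precision times
# /XJ   skip junction points (avoids loops)     /R /W  retries and wait for a flaky link
# /NP   no per-file progress in the log         /LOG+  append to the log, /TEE echo it too
robocopy $Source $Dest /E /Z /FFT /XJ /R:10 /W:30 /NP "/LOG+:$Log" /TEE
$rc = $LASTEXITCODE
# robocopy's exit code is a bitmask: 0-7 mean success or partial success,
# 8 or more mean some files could not be copied.
if ($rc -ge 8) { Write-Warning "robocopy reported failures (exit code $rc), see $Log" }
else           { Write-Host "robocopy finished (exit code $rc), log at $Log" }
```

Run it from a scheduled task or just leave the window open; re-running it only copies what changed.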

Thursday, May 07, 2015

Find the detailed XenServer tools version

 

To get the UUID:

# prints "<name-label> - <uuid>" for each VM (in xe output the uuid line comes before the name-label line)
xe vm-list | awk '
    /uuid/       { uuid = $5 }
    /name-label/ { $1 = $2 = $3 = ""; vmname = $0; printf "%s - %s\n", vmname, uuid }
'

Then:

xe vm-param-get uuid=<uuid from above> param-name=PV-drivers-version

 

Example output:

major: 6; minor: 2; micro: 0; build: 6

major: 6; minor: 2; micro: 0; build: 7 (update http://support.citrix.com/article/CTX142219)
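The two commands above turned into a report over every VM on the host, so machines whose PV tools are below a required build stand out; this is an added example, not from the original post. It assumes "xe" is callable from PowerShell, either the Windows xe.exe that ships with XenCenter (pass its -s/-u/-pw connection arguments in -XeArgs) or PowerShell on the host itself.

```powershell
# Added example (not from the original post). Assumes an "xe" command on the PATH.

function ConvertFrom-PvDriversVersion {
    # "major: 6; minor: 2; micro: 0; build: 6" -> [version]6.2.0.6; $null when no tools are installed
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $parts = @{ major = 0; minor = 0; micro = 0; build = 0 }   # missing fields default to 0
    foreach ($pair in ($Raw -split ';')) {
        $k, $v = ($pair -split ':') | ForEach-Object { $_.Trim() }
        if ($parts.ContainsKey($k)) { $parts[$k] = [int]$v }
    }
    [version]('{0}.{1}.{2}.{3}' -f $parts.major, $parts.minor, $parts.micro, $parts.build)
}

function Get-PvDriversReport {
    param(
        [version]$Required = '6.2.0.7',   # build 7 is the CTX142219 update noted above
        [string[]]$XeArgs  = @()          # e.g. '-s','xenhost','-u','root','-pw','...' for xe.exe
    )
    # --minimal prints the uuids comma-separated; the control domain (dom0) is skipped
    $uuids = (& xe @XeArgs vm-list is-control-domain=false --minimal) -split ','
    foreach ($uuid in ($uuids | Where-Object { $_ })) {
        $name = & xe @XeArgs vm-param-get uuid=$uuid param-name=name-label
        $raw  = & xe @XeArgs vm-param-get uuid=$uuid param-name=PV-drivers-version
        $ver  = ConvertFrom-PvDriversVersion $raw
        [pscustomobject]@{
            Name    = $name
            Uuid    = $uuid
            Version = if ($ver) { $ver.ToString() } else { '(no tools)' }
            Status  = if ($ver -and $ver -ge $Required) { 'ok' } else { 'OUTDATED' }
        }
    }
}

Get-PvDriversReport | Sort-Object Status, Name | Format-Table -AutoSize
```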

 

 

Thanks: http://larryn.blogspot.com.au/2012/02/list-of-vms-on-xenserver-with-uuids.html

Tuesday, March 31, 2015

XenDesktop 7.6 Feature Pack 1 (Platinum Edition Below) Released

 

Features:

  1. Session Recording - Session Recording enhances the ability for admins to actively monitor and record user sessions to simplify troubleshooting, accelerate issue resolution, evaluate personnel for training guidance, and monitor user behavior for compliance purposes.
  2. Director 7.6.200 - This release includes controls to start and stop session recording (Session Recording is a feature in the Platinum Edition), as well as bug fixes.
  3. HDX RealTime Optimization Pack 1.7 for Microsoft Lync - offers clear, crisp high-definition video calls in conjunction with Microsoft Lync®. This release adds support for Lync 2013 on Windows and Linux devices, plus new calling features.
  4. License Server 11.12.1 for Windows - An optional component in Feature Pack 1. This release introduces the opportunity to participate in the Customer Experience Improvement Program.
  • Note: the components listed above are only the new items in Feature Pack 1. Even if you have already deployed 7.6, there are five components (beyond the items listed above) that have been updated or added since the initial 7.6 release.

Removing the Windows update cache

 

If Windows Update is stuck, errors on install or does not download, you can install the update manually or remove the Windows Update cache and let Windows rebuild it.

Run ‘cmd’ as Administrator

Either from the command line run ‘net stop wuauserv’ or stop the service in services.msc.

Go to the %windir% folder

Run the command ‘rd /s SoftwareDistribution’ to delete the folder and its contents.

Restart the wuauserv (Windows Update) service.
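The same reset as a PowerShell script, added here as an example (not from the original post), with two safety additions beyond the steps above: BITS is stopped as well, since it keeps the downloads in that folder open and the folder is otherwise often locked, and the folder is renamed rather than deleted so it can be put back if the reset does not help.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$services = 'wuauserv', 'bits'          # Windows Update and BITS, which owns the Download subfolder
$cache    = Join-Path $env:windir 'SoftwareDistribution'
$backup   = "$cache.old"

foreach ($svc in $services) {
    Stop-Service -Name $svc -Force -ErrorAction Stop
    # Stop-Service can return before the process has released its files; wait for Stopped
    (Get-Service -Name $svc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Keep the old cache instead of deleting it; drop any backup left from an earlier run first
if (Test-Path $backup) { Remove-Item -Path $backup -Recurse -Force }
Rename-Item -Path $cache -NewName (Split-Path $backup -Leaf) -ErrorAction Stop
# Windows Update recreates SoftwareDistribution (and re-downloads) the next time it runs

foreach ($svc in $services) { Start-Service -Name $svc }
Write-Host "Old cache kept at $backup; delete it once updates are working again."
```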

Microsoft detail this here.

Hat tip to…

Wednesday, March 25, 2015

Need to run Windows XP? Do it safely

 

There are still plenty of Windows XP machines that are needed, so pull them out of your virtualisation platforms, rip them off physical hardware and put them somewhere safe: a VDI environment with read-only, stateless disks!

You cannot install the current version of the Virtual Desktop Agent (VDA), v7.6, on a machine running Windows XP or Windows Vista; however, you can install an earlier VDA version on these.

Set up your XenDesktop environment and your PVS servers, and once they are ready:

Download the older VDA for your VDI platform:

Install the VDA as described in Installing and Upgrading the Virtual Desktop Agent.

Install the latest VDA Hotfix Rollup; the latest rollup is available at:

 

Link to article http://support.citrix.com/article/ctx140941

Monday, March 09, 2015

Why you should move to Office 365

 

If you have an email administrator and you have fewer than 1000 users, what are you thinking?

  • You could move just the contractors to Office 365 and keep your staff internal, or any mix you like
  • You don't need to worry about what device people want email delivered to; Office 365 is everywhere and on every device
  • When you get Office 365 each user gets a minimum of 1TB of cloud storage, so you can kill off the DropBox accounts
  • It has a 99.9% uptime guarantee
  • Lync is already set up for you and ready to go. If you have never set up Lync you won't know why that is great
  • SharePoint and applications on top of it, like wikis, are already built in
  • The data can now be hosted in Sydney and Melbourne, so the latency issues with Singapore are largely gone
  • You could sack that lazy good for nothing email administrator, or get them doing something more interesting
  • It is updated in the background for you
  • Web access, mobile phones and the Outlook client are all ready to go
  • Unless you have thousands of high security users, it will be cheaper than on-prem Exchange
  • Archiving is built in – oh, and it works

Now, if you want help, call me and I will set up some time with you.

 

Dave@Colv.in or call me 0411 COLVIN

Friday, February 27, 2015

Working with Powershell locked down? Unlock it…

 

If the machine you are running on is locked down (the execution policy blocks scripts), there are several options for running scripts, shown below.

Via PowerShell - Get-Content AScript.ps1 | Invoke-Expression


Via cmd (DOS) (note the spurious characters coming from the piped file) – TYPE AScript.ps1 | PowerShell.exe -noprofile

Or via a script that disables the execution policy by replacing the AuthorizationManager in the current PowerShell session:

function Disable-ExecutionPolicy {
    # Reach the private _context field of the current ExecutionContext via reflection...
    $ctx = $executioncontext.GetType().GetField("_context", "nonpublic,instance").GetValue($executioncontext)
    # ...and swap its _authorizationManager for a plain AuthorizationManager, which performs no execution-policy check
    $ctx.GetType().GetField("_authorizationManager", "nonpublic,instance").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}
Disable-ExecutionPolicy

I found this here: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
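The defender's side of the list above, as an added example (not from the post or the NetSPI article). Execution policy is not a security boundary, so the control worth having is visibility: with Script Block Logging turned on, every script block PowerShell compiles is written to Microsoft-Windows-PowerShell/Operational as event 4104, including blocks that arrive via Invoke-Expression or stdin and the block that swaps the AuthorizationManager itself. The patterns are assumptions drawn from the three techniques above; tune them for your environment.

```powershell
# Added example (not from the original post). Reports only; it changes nothing.
function Find-ExecutionPolicyBypass {
    param(
        [int]$Hours = 24,
        [string[]]$Patterns = @(             # assumed signals, based on the techniques above
            '_authorizationManager',         # reflection into the engine's private field
            '\|\s*(iex|Invoke-Expression)\b' # a file or text piped into Invoke-Expression
        )
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # For event 4104 the script block text is the third event property
        $text = [string]$_.Properties[2].Value
        # This function's own script block contains the patterns; skip it so it does not flag itself
        if ($text -match 'Find-ExecutionPolicyBypass') { return }
        foreach ($p in $Patterns) {
            if ($text -match $p) {           # -match is case-insensitive by default
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Pattern = $p
                    Snippet = ($text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' ')
                }
                break
            }
        }
    }
}

# Script Block Logging is off by default; it is enabled through the Group Policy
# "Turn on PowerShell Script Block Logging" or the registry value
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging = 1
Find-ExecutionPolicyBypass | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The TYPE ... | PowerShell.exe -noprofile variant is better caught by process creation auditing (the command line shows the pipe into PowerShell.exe), since the script text itself still appears as 4104 but the launch method does not.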