28 December 2011

Remove Receive Connector permissions

A few days ago I started playing with permissions on our Exchange 2010 Receive Connector. I wanted one of my service account users to be able to send emails. During this testing I added all sorts of permissions to this Receive Connector. After I finished testing I wanted to get rid of all the permissions I gave to this user. And how did I do it?

First I wanted to see all permissions that I gave to this user:

Get-ReceiveConnector "Server\Full Connector Name" | Get-ADPermission -User "Domain\Username"  |? {$_.extendedrights} | select identity,user,extendedrights | Format-List

Second I got rid of all permissions that I got from previous command:

Get-ReceiveConnector "Server\Full Connector Name" | Remove-ADPermission -User "Domain\Username" -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-SMTP-Accept-Authoritative-Domain-Sender,ms-Exch-Accept-Headers-Routing,ms-Exch-SMTP-Accept-Any-Sender

At the end I ran the first command again just to check that I really got rid of everything.
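The three steps above can be driven from the enumerated rights instead of a hand-typed list, so nothing granted during testing is missed. This is an added example, not part of the original post; the connector and user names are the post's placeholders, the output file name is an assumption, and it assumes each extended right renders as its name when converted to a string (as it does in the listing command above).

```powershell
# Added example; run in the Exchange Management Shell.
$connector = 'Server\Full Connector Name'   # placeholder, as in the post
$user      = 'Domain\Username'              # placeholder, as in the post

# Rights that relax the anti-relay and anti-spoofing checks on a connector.
$highRisk = 'ms-Exch-SMTP-Accept-Any-Recipient',
            'ms-Exch-SMTP-Accept-Any-Sender',
            'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'

# Explicit allow ACEs for this user that carry extended rights.
# Inherited and deny entries are left alone.
$aces = @(Get-ReceiveConnector $connector |
    Get-ADPermission -User $user |
    Where-Object { $_.ExtendedRights -and -not $_.IsInherited -and -not $_.Deny })

# Flatten to a unique list of right names (assumes "$_" yields the name).
$rights = @($aces | ForEach-Object { $_.ExtendedRights } |
    ForEach-Object { "$_" } | Sort-Object -Unique)

if ($rights.Count -eq 0) {
    Write-Host "No explicit extended rights found for $user on $connector"
    return
}

# Report what was found, marking the rights that deserve a second look.
foreach ($r in $rights) {
    $flag = if ($highRisk -contains $r) { 'HIGH RISK' } else { '' }
    '{0,-55} {1}' -f $r, $flag
}

# Keep a record of what is about to be removed (file name is an assumption).
$rights | Set-Content -Path ".\removed-rights-$(Get-Date -Format yyyyMMdd-HHmmss).txt"

# Dry run first; remove -WhatIf to actually delete the permissions.
Get-ReceiveConnector $connector |
    Remove-ADPermission -User $user -ExtendedRights $rights -WhatIf
```

After the real run, the listing command from the first step should return nothing for this user.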

I hope this will help you clean up your Exchange server as it helped me.

This is it for this year. Have fun!

17 October 2011

Change Internet Explorer default save location

I’m sure some of you are interested in how to change the default save location in Internet Explorer (IE), because I know I was as soon as I started using it.
So far I have found two ways to do this.

1. User-friendly version:
- Open Internet Explorer and press Ctrl+J (I love shortcuts don’t you) to open View Downloads window.
- At the lower left corner find Options and click it.
- Choose folder by clicking on Browse and selecting new default Save folder of your choice.
- Confirm changes by clicking OK few times.

2. Advanced users version:
- Open Windows Registry Editor (regedit.exe)
- Browse to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Find String “Default Download Directory” and Modify it.
- Enter new default Save folder location. For example: c:\temp
- Exit Windows Registry Editor

Now you can just press Save button in IE and items will be saved to new location without the need of selecting Save As all the time :)

This is it for today. Have fun!

11 August 2011

Windows 7 SP1 and group policy exception for RDP on clients firewalls

I’ve been struggling with an annoying problem on one of my virtual test machines running Windows 7 SP1. One of them suddenly decided that I can’t log on to it using Remote Desktop Services (RDP).

I know that I created group policy (GPO) exception to allow Remote Desktop connections for all my PC’s from LAN and VPN. For configuring I used this link.

I also know that it worked just fine not long ago. So I checked it and it seemed OK.

Group policy for Remote Desktop exceptions: [screenshot not preserved]

Group policy exceptions: [screenshot not preserved]

I did some Googling and found a similar problem, which led me to the solution. It seems that the problem was in Windows 7 SP1.

And finally the recipe for the solution:
The solution was that I just needed to open the GPO that controlled RDP for editing on a computer running Windows 7 SP1 or on a Windows 2008 R2 server with SP1. After I did that and ran “gpupdate /force” on the problematic PC, I could finally connect to it using RDP.

This is it for today. Have fun!

31 July 2011

Backing up all MS SQL databases

Today I got a task to back up all databases on our Microsoft SQL 2005 running on Windows 2008. The solution also needed to satisfy two conditions:
- must always back up all databases, even if we add new ones
- must remove backup files older than 3 days

So I started Googling for solutions. In the end I combined different solutions into the script below. This script can be used on Windows Server 2003 and 2008 with MS SQL 2005 and 2008, with a slight difference in one line:

SQL 2008:
sqlcmd -E -S "%ServerName%" -h-1 -W -Q "SET NoCount ON;SELECT NAME FROM sys.sysdatabases WHERE [Name] NOT IN ('master','model','msdb','tempdb')" > %DBList%

SQL 2005
sqlcmd -E -S "%ServerName%" -h-1 -W -Q "SET NoCount ON;SELECT NAME FROM master.dbo.sysDatabases WHERE [Name] NOT IN ('master','model','msdb','tempdb')" > %DBList%

And what does this script do?
- Gets system date for later use in backup file names.
- Saves names of all databases in temporary file.
- Removes backup files older than 3 days.
- Backup each database, prepending the server name and date to the filename.
- Clean up the temp file.
Warning: Text marked as this should be customized according to your specifications!

***************************************************

REM @ECHO OFF
SETLOCAL


REM: get computer name and write it into variable
set ServerName=%computername%


REM: Get System Date to be used for DB backup file names
SETLOCAL ENABLEEXTENSIONS
if "%date%A" LSS "A" (set toks=1-3) else (set toks=2-4)
for /f "tokens=2-4 delims=(-)" %%a in ('echo:^|date') do (
for /f "tokens=%toks% delims=.-/ " %%i in ('date/t') do (
 set '%%a'=%%i
 set '%%b'=%%j
 set '%%c'=%%k))
if %'yy'% LSS 100 set 'yy'=20%'yy'%
set Today=%'yy'%-%'mm'%-%'dd'%
ENDLOCAL & SET v_year=%'yy'%& SET v_month=%'mm'%& SET v_day=%'dd'%


REM Build a list of databases to backup
SET DBList=C:\BackupSQL\SQLDBList.txt
echo %DBList%
sqlcmd -E -S "%ServerName%" -h-1 -W -Q "SET NoCount ON;SELECT NAME FROM sys.sysdatabases WHERE [Name] NOT IN ('master','model','msdb','tempdb')" > %DBList%


REM Remove backup files older than 3 days
REM /d -3 defines how old must be files before they are deleted
IF EXIST "%DBList%" forfiles /p C:\BackupSQL /s /m * /d -3 /c "cmd /c del @file"


REM Backup each database, prepending the servername and date to the filename
FOR /F "tokens=*" %%I IN (%DBList%) DO (
ECHO Backing up database: %%I
SqlCmd -E -S "%ServerName%" -Q "BACKUP DATABASE [%%I] TO Disk='C:\BackupSQL\Backup_%ServerName%_%v_year%_%v_month%_%v_day%_%%I.bak'"
ECHO.
)


REM Clean up the temp file
IF EXIST "%DBList%" DEL /F /Q "%DBList%"

ENDLOCAL

***************************************************

Now just copy/paste this script into BackupSQL.bat file and run it from Scheduled Tasks.

I also suggest to all that they test restore of their databases because you never know if it's OK until you try :)

This is it for today. Have fun!

17 June 2011

Useful Command prompt (CMD) and PowerShell commands

This time I’ll make it short. In this blog I’ll start collecting useful Command prompt and PowerShell commands that I frequently use. Commands are inside the quotes:

Command prompt:

Did you ever search what is the username of the currently logged in user? Here is an answer:
Windows XP: “echo %username%”
Windows 7: “whoami” or “echo %username%”

And command that shows computer name:
Windows XP, 7, 2003, 2008: “hostname”


************************************************
On the file server you need a list of all opened files:
net file
net file > .\desktop\openfiles.txt
write the list to a file if it is too long and doesn’t fit into the command prompt window.
net file | find "Search string"
filter results by specified search string.


************************************************
Get a list of all drivers installed to Windows computer:
driverquery


************************************************
Display user logon server (domain controller) in command line:
set
echo %logonserver%


************************************************
This tool displays operating system configuration information for a local or remote machine, including service pack levels, original install date, system boot time, total physical memory, available physical memory, page file max size, page file available, page file in use and much more:
"systeminfo"


************************************************
Get a list of all roles applied to Windows 2008 server:
servermanagercmd -q


************************************************
Detecting memory leaks:
Create memory snapshots into a file, if you run this command repeatedly new memory snapshots will be added to the end of the file:
"memsnap /m memsnap.log"
Analyze memory snapshots for memory leaks:
"memsnap /ah memsnap.log"


 
************************************************
This tool enables an administrator to display the MAC address for network adapters on a system:
"getmac /v"



************************************************
Group Policy Results (GPResult.exe) is a command line tool that displays Group Policy Settings that are in effect for a specific user or computer.
"gpresult /s ComputerName /user UserName /r /v > gpresult_filename.txt"


************************************************
Display / list Active directory FSMO (Flexible Single Master Operations) roles. Run this command on domain controller:
netdom query fsmo




************************************************
Get a list of group members from AD:
dsget group "CN=Domain Admins,CN=Users,DC=domain,DC=local" -members


************************************************
Get a list of disabled user accounts from AD:
DSQUERY USER -disabled


************************************************
Get a list of inactive user accounts from AD (in weeks):
DSQUERY USER -inactive 4


************************************************
Get a list of inactive computer accounts from AD (in weeks):
DSQUERY computer -inactive 4



************************************************
Get a list of all computer accounts and servers from AD (name and OS):
dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer))" -attr sAMAccountName operatingSystem -limit 1000


************************************************
Get AD schema version. Run this command on domain controller:
dsquery * cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr objectVersion


************************************************
Klist is a command line utility included in the default installation of Windows Server 2008 and Windows Server 2008 R2 which can be used to list and purge Kerberos tickets on a given computer. To run KLIST, open a command prompt in Windows Server 2008 and type Klist:
klist tickets


************************************************
Get Exchange schema version:
dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper



************************************************
Get a list of Service Principal Name (SPN) for specified server:
setspn -l ServerName


************************************************
Get AD site information for computer on which you're running this command:
Nltest.exe /dsgetsite


************************************************
Get DFS server list for computer on which you're running this command:
dfsutil /pktinfo


This is it for today. Have fun!

14 April 2011

Problems connecting to Exchange 2010 from different AD

Not long ago we suggested to a customer of ours, who has a few other companies, that they merge all email traffic onto one Exchange 2010 server. The plan is that all users use email addresses from their original company. This setup would be like some kind of email hosting. After we migrated the first of these external companies to the centralized mail server we encountered strange behavior on the merged company's client side.

External company has few users that use Outlook 2007, just like all other users, with a difference that they can't open Out Of Office Assistant (OOF). If they open this wizard they receive this error:

"Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later."

They also receive Offline Address Book (OAB) synchronization error:

"Task 'Microsoft Exchange' reported error (0x8004010f): 'The operation failed. An object could not be found.'"

I started troubleshooting this problem and tried all sorts of suggested solutions that I could find on Google. Steps that didn’t help were:
- checked if there is a proxy problem
- check permissions inheritance in AD on problematic users
- reapplied permissions inheritance on problematic users
- created new user from problematic user (copy) and tested new user. New user doesn't have these problems
- other user, except problematic ones, on the same computer doesn't have problems
- problematic user have problems on different computers
- created new mailbox store, move test user there and test if it works
- checked Exchange autodiscovery

Then I noticed something that pointed me to what could be wrong, but still couldn’t solve the problem. When I deleted user, created new one (with the same username) and attached old orphaned mailbox everything worked well until I:
- Unchecked "Automatically update e-mail addresses based on e-mail address policy."
- Set primary email address from name.surname @ domainA.com to name.surname @ domainB.com

After I made this change problem came back. If I apply the setting "Automatically update e-mail addresses based on e-mail address policy." back the problem remains.

I was so desperate at this point that I went sniffing Outlook traffic with WireShark. After this I finally found out what was going on and prepared a workaround. It looks like autodiscovery messes up Outlook to the point that it thinks that OAB and OOF are located at a different address (in our case domainB.com) than the other services. I’m not quite sure if this is an Exchange 2010/Outlook bug or my misconfiguration.

The workaround goes like this:
For existing user:
- change primary email address of a user back to original domain (name.surname @ domainA.com)
- create new profile in Outlook and open Outlook to setup/initialize new profile and wait to receive few emails
- check if OOF and OAB are working
- close Outlook
- change primary email address of a user back to hosted domain (name.surname @ domainB.com)
- check if OOF and OAB still works

For new user:
- leave primary email address as given by Exchange policy (name.surname @ domainA.com)
- create new profile in Outlook and open Outlook to setup/initialize new profile and wait to receive few emails
- check if OOF and OAB are working
- close Outlook
- change primary email address of a user to hosted domain (name.surname @ domainB.com)
- check if OOF and OAB still works

Customer is now happy and so am I :)

This is it for today. Have fun!

06 April 2011

Unable to remove printer driver from Windows 7

I was contacted by a customer a few days ago with yet another challenging problem. He called and said: “Luka hi, we can't upgrade or remove some printer drivers from one third of our Windows 7 x64 SP1 machines.”

The error message when we tried to remove different printer driver packages was:
Failed to remove driver HP Universal Printing PCL 6 (v5.2). The specified printer driver is currently in use.
Failed to remove driver HP Universal Printing PCL 6. The specified printer driver is currently in use.
Failed to remove package hpcu111u.inf. Driver package is in use.

and

Failed to remove driver Kyocera Classic Universaldriver. The specified printer driver is currently in use.
Failed to remove package oemsetup.inf. Driver package is in use.


I started troubleshooting this and tried almost all suggested solutions I could find on the net like:
- stop / start spooler
- reboot to safe mode and uninstall driver from there
- msconfig disabling all non Microsoft services
- cleanspl.exe
- logged on as every user, deleted both the printer and the driver
- disabling bidirectional support
- RUNDLL32 PRINTUI.DLL,PrintUIEntry /dd /c \\MachineName /m "AGFA-AccuSet v52.3" /h "Intel"
- printui /s /t2
- MS forum post: Deleting Printer drivers from Vista system 
- MS Answers question: Trying to un-ininstall print driver error message ...
- Skidzopedia post: How To Fix “Cannot remove or delete network printer” Error in Windows 
- and probably other solutions that also didn't help ...

At the end I found interesting workaround that went like this:
1. First I removed printer in "Devices and Printers"
2. Then I stopped print spooler
3. In registry I opened

HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\

4. I renamed all Print Processors that were listed. Like Winprint to Winprint.old, Hpcpp107 to Hpcpp107.old, and so on ...
5. I started print spooler
6. Removed problematic driver pack in Print Management MMC
7. Reopened registry location

HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\

8. Renamed back all Print Processors to original name. Like Winprint.old to Winprint, Hpcpp107.old to Hpcpp107, and so on ...
9. Restart print spooler
10. Installed new printer drivers
11. Tested printing
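Steps 2 to 9 of the workaround above can be scripted for the case where many machines are affected. This is an added example, not part of the original post; the function name and the backup file location are assumptions, and steps 1, 6, 10 and 11 stay manual. It exports the registry key first so the original Print Processor names can be restored if the rename is interrupted.

```powershell
# Added example; run from an elevated PowerShell prompt on the affected machine.
$ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'

# Hypothetical helper: appends ".old" to every Print Processor key,
# or strips it again when called with -Restore.
function Set-PrintProcessorSuffix {
    param([switch]$Restore)

    Stop-Service -Name Spooler -Force          # steps 2 and (on restore) 9
    try {
        foreach ($key in @(Get-ChildItem -Path $ppKey)) {
            $name = $key.PSChildName
            if ($Restore) {
                if ($name -like '*.old') {
                    Rename-Item -Path $key.PSPath -NewName ($name -replace '\.old$', '')
                }
            } elseif ($name -notlike '*.old') {
                Rename-Item -Path $key.PSPath -NewName "$name.old"
            }
        }
    } finally {
        # Always bring the spooler back, even if a rename failed.
        Start-Service -Name Spooler
    }
    # Return the key names as they are now, for a quick visual check.
    Get-ChildItem -Path $ppKey | Select-Object -ExpandProperty PSChildName
}

# Safety net: export the key before touching it (path is an assumption).
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors' "$env:TEMP\PrintProcessors-backup.reg" /y

Set-PrintProcessorSuffix                       # steps 2, 4 and 5
Read-Host 'Remove the driver package in Print Management, then press Enter'   # step 6
Set-PrintProcessorSuffix -Restore              # steps 7, 8 and 9
```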

Maybe this procedure will also help someone else with similar problems :)

This is it for today. Have fun!

12 February 2011

This should be an easy task (push install Mozilla Firefox 3.6.x)

Not long ago one of our partners gave me what was supposed to be an easy task. He said: “Please help us install Mozilla Firefox on all our computers”. No problemo, I said. You have Script Logic Desktop Authority, which is great for these kinds of tasks, and Firefox also shouldn’t be a problem. How wrong could I be?

My objectives were:
- Preconfigure Firefox homepage to predefined web site
- Preconfigure Firefox so it won’t use proxy
- Do not configure Firefox as default browser. Do not ask to become default browser.
- Disable Firefox automatic updates.

After Googling for a while I found numerous blogs, notes and hints how to accomplish this task but no complete solution. The most useful links I found are Mike’s Musings, Glen Bettridge, Chris Ilias and Shivanand Sharm’s blogs.  Mozilla Firefox turned out to be quite difficult to roll out and preconfigure.

To accomplish this task I had one virtual Windows 7 machine to test on, Windows 2008 R2 AD servers, and a Windows 2008 R2 member server with Script Logic Desktop Authority. I also installed 7zip on the test computer and added the 7zip install folder to the Windows PATH.

1. Prepare batch file to install Firefox
To script Firefox installation we need three files:
- FirefoxDeploy.ini
- Install_Firefox.cmd and
- Later also FirefoxSalus.exe

All these files should be copied to network share from where you’ll push installation.

- In FirefoxDeploy.ini is:
[Install]
InstallDirectoryName=Mozilla
FirefoxCloseAppNoPrompt=true
QuickLaunchShortcut=false
DesktopShortcut=true
StartMenuShortcuts=true
StartMenuDirectoryName=Firefox

- In Install_Firefox.cmd is:
REM x32 install Mozilla FireFox
IF NOT EXIST "C:\Program Files\Mozilla\firefox.exe" (
pushd \\SALFS\InstallPoint\FireFox
FirefoxSalus.exe /INI=\\SALFS\InstallPoint\FireFox\FirefoxDeploy.ini
popd
)

2. Preconfigure Firefox home page and proxy
- Unpack Firefox installer to some temp folder

- Change to the previously unpacked installer folder .\Firefox Setup 3.6.13\nonlocalized\ and create a file named mozilla.txt.

- Open mozilla.txt and put these lines in it:
//
lockPref("network.proxy.type", 0);
lockPref("browser.startup.homepage", "http://www.Hoponbike.com/");

- Download program ByteShifter and encode Mozilla.txt to Mozilla.cfg by simple “byte-shifting” with an offset of 13.


- Copy Mozilla.cfg to unpacked installer folder where Firefox.exe is.

- At the end of file named all.js located in unzipped installer folder ".\Firefox Setup 3.6.13\nonlocalized\greprefs\" add this line:
pref("general.config.filename", "mozilla.cfg");
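The “byte-shifting with an offset of 13” used for mozilla.cfg above is a fixed, keyless transform: every byte is increased by 13 modulo 256, and subtracting 13 reverses it. The following added example (not from the original post; the function name is hypothetical and the sample text is constructed from the lines shown above) performs the encoding without a separate tool and decodes an existing mozilla.cfg so the locked preferences on a machine can be reviewed. Anyone with read access to the file can do the same, so the encoding hides nothing.

```powershell
# Added example. Shifts every byte by $Offset modulo 256.
# Offset 13 encodes mozilla.txt -> mozilla.cfg, offset -13 decodes it again.
function Convert-ByteShift {
    param(
        [Parameter(Mandatory=$true)][byte[]]$Bytes,
        [int]$Offset = 13
    )
    $out = New-Object byte[] $Bytes.Length
    for ($i = 0; $i -lt $Bytes.Length; $i++) {
        # The double modulo keeps the result in 0..255 for negative offsets too.
        $out[$i] = [byte]((($Bytes[$i] + $Offset) % 256 + 256) % 256)
    }
    ,$out   # leading comma keeps the result as one byte[] object
}

# Constructed sample with the same content as the mozilla.txt described above.
$sample = "//`r`n" +
          "lockPref(`"network.proxy.type`", 0);`r`n" +
          "lockPref(`"browser.startup.homepage`", `"http://www.Hoponbike.com/`");`r`n"

[byte[]]$plain   = [Text.Encoding]::ASCII.GetBytes($sample)
[byte[]]$encoded = Convert-ByteShift -Bytes $plain   -Offset 13
[byte[]]$decoded = Convert-ByteShift -Bytes $encoded -Offset (-13)

# Round trip must give back the original text.
if ([Text.Encoding]::ASCII.GetString($decoded) -ne $sample) {
    throw 'Round trip failed'
}
'First encoded bytes: ' + (($encoded[0..7] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')

# Encode a real mozilla.txt in the current folder, if present.
if (Test-Path .\mozilla.txt) {
    $src = (Resolve-Path .\mozilla.txt).Path
    $dst = Join-Path (Split-Path $src) 'mozilla.cfg'
    [IO.File]::WriteAllBytes($dst, (Convert-ByteShift -Bytes ([IO.File]::ReadAllBytes($src)) -Offset 13))
}

# Audit an existing mozilla.cfg: decode it and print the preferences it locks.
if (Test-Path .\mozilla.cfg) {
    $cfg = [IO.File]::ReadAllBytes((Resolve-Path .\mozilla.cfg).Path)
    [Text.Encoding]::ASCII.GetString((Convert-ByteShift -Bytes $cfg -Offset (-13)))
}
```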

Preconfigure Firefox to skip default browser checking and automatic updating

- Find file named firefox.js in unzipped installer folder ".\Firefox Setup 3.6.13\nonlocalized\defaults\pref\" and change these:
pref("browser.shell.checkDefaultBrowser", false);
pref("app.update.enabled", false);

3. Repackage Firefox and create installer
- Repackage the installer by first zipping the changes you made. To do this, open a command line and change directory to the root of the unzipped installer folder. Enter this command to create a file called app.7z:
7z a -r -t7z app.7z -mx -m0=BCJ2 -m1=LZMA:d24 -m2=LZMA:d19 -m3=LZMA:d19 -mb0:1 -mb0s1:2 -mb0s2:3

- Download file 7zSD.sfx needed to repackage installer and save it to the root of unzipped installer folder.

- Create file named app.tag, also in the root of unzipped installer folder and put in it these lines:
;!@Install@!UTF-8!
Title="Mozilla Firefox"
RunProgram="setup.exe"
;!@InstallEnd@!

- Repackage installer by executing this command:
copy /B 7zSD.sfx+app.tag+app.7z FirefoxSalus.exe

- Copy newly created installer FirefoxSalus.exe to your install point folder.

So this is it, now you’re ready to test your Mozilla Firefox deployment on small group of computers with a help of Group policy or some other method. I personally did it with Script Logic Desktop Authority.

This is it for today. Have fun!