Restoring Administrative Access to Redirected Folders

When you apply folder redirection to the My Documents folder, you can specify exclusive rights to the user’s folder. As an administrator, you might want to restore access to these folders. In order for folder redirection to work, the user must retain ownership of the redirected folder. This can make manually restoring administrative permissions a lengthy task. Fortunately, there is a handy script that you can use to update these permissions thanks to the My PKB blog found here: http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/

You will need PsExec in order to complete this project as well as the powershell (PS1) script template below. Just follow the link above to the My PKB blog for instructions.

#ChangePermissions.ps1

# CACLS rights are usually

# F = FullControl

# C = Change

# R = Readonly

# W = Write

 

$StartingDir= "E:\Users\shares"

 

$Principal="INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"

 

$Permission="F"

 

$Verify=Read-Host `n "You are about to change permissions on all" `

"files starting at"$StartingDir.ToUpper() `n "for security"`

"principal"$Principal.ToUpper() `

"with new right of"$Permission.ToUpper()"."`n `

"Do you want to continue? [Y,N]"

 

if ($Verify -eq "Y") {

 

foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {

#display filename and old permissions

write-Host -foregroundcolor Yellow $file.FullName

#uncomment if you want to see old permissions

#CACLS $file.FullName

 

#ADD new permission with CACLS

CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

 

#display new permissions

Write-Host -foregroundcolor Green "New Permissions"

CACLS $file.FullName

}

}

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Blocking Access to USB Thumb Drives Using Symantec Endpoint Protection

Recently, I discovered how to block access to a USB thumb drive using the Symantec Endpoint Protection Management console. This proved to be very useful for one of our clients so I will share the steps with you.

In the Symantec Endpoint Protection Manager, open Policies, then click Application and Device Control.

1. Open an existing policy or click Add an Application and Device Control Policy.
2. Click on the Device Control tab.
3. Under the Blocked Devices section click the ADD button and select the USB option.
4. Click the ADD button under Excluded from Blocking and select, one by one, all of the other devices that use USB that should not be blocked (eg: pointing devices, keyboard, cameras, joysticks, HDD, etc. )
5. Click OK to save the changes and assign policy.

*From Symantec Tech Article: TECH104299

You need to make sure to pay close attention to step 4. If you leave this step out you could potentially block devices such as printers, keyboards and mice!

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Exchange 2010 Transaction Logs Rapidly Filling Disk Space

Recently we migrated a relatively small company from a POP3 email service  to their own Microsoft Exchange 2010 server. Over the course of two days we imported approximately 25 mailboxes which grew the message store database to around 16GB. On the fifth day we noticed that the disk drive on our brand new mail server was completely full. We discovered that the Exchange transaction logs had grown to an astonishing 189GB in just three or four days!

The first step was to immediately remedy the storage issue by dismounting the mailbox database and using the eseutil /mh command to verify that the database had shutdown cleanly and that there were no more log files to be played into the database. This turned out to be true which didn't really help us come to a conclusion.  We decided to move the massive amount of logs to an alternative storage location just in case.

With the database mounted and the storage situation taken care of (for now) it was time to begin monitoring the logs. I began checking on the server every few hours over the weekend and to my delight it appeared that the logs had settled down and all was well. As users began to trickle in Monday morning I quickly found out that I was very wrong. I watched transaction logs be created at the rate of one log file every 1 to 3 seconds!  After doing a little research I was pointed in the direction of ExMon. This is the Exchange User Monitoring utility that was written by MS guys a few Exchange versions back but it continues to be supported to this day. Armed with the user monitoring tool, I was able to watch performance activity as the various mailboxes were accessed and manipulated.

A few patterns became evident and two very important columns in the tool helped me resolve our problem.  One column being CPU% and the most important being Log Bytes. CPU% is the store CPU percentage consumed by the user. This can reach very high numbers upon opening Outlook and during a send/receive action but it should not constantly be in the 90%-100% range for a single user. The other tipoff was the Log Bytes per user. As a user receives a message or takes action on a message by moving it to a folder or deleting it etc., Exchange will create a transaction of this event and store it in a log file.  If a user has an excessively large number of log bytes written along with an excessively high CPU% over several refresh periods, you can be sure that they are your trouble mailboxes.

It turns out that four of our users had some imported messages that were corrupted and therefore stuck on synchronizing to the database. Each time the message begins to sync a transaction is recorded. Since the message failed to synchronize it attempts again and again which creates a constant loop. We determined that all of the necessary mail had already completed the import process so the resolution was simple. We rebuilt each problem users Outlook profile which downloaded all of the "good" mail that was successfully synchronized after the initial PST import.

Tips for using the ExMon tool can be found here.

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Profile Migration Made Easy!

Once again on the subject of useful tools is ForensIT's User Profile Wizard. If anyone is familiar with the longhand method of migrating a user's profile, you will be very excited to get your hands on this gem!

Recently, we have been building a lot of domain environments from the ground up which requires us to migrate many user’s beloved local profile to their new domain profile. The User Profile Wizard has helped us slash the time it takes to do this and has improved the success rate at the same time. This tool completely automates the process of changing the various permissions on the local profile folders and registry keys, sets the default login name and even lets you join the computer to the domain all within one intuitive wizard. Using the migration tool preserves the user's custom settings, wallpaper, email configuration, internet favorites, shortcuts and desktop icons. It fully supports both Active Directory and Novell networks. When purchased, you will gain access to the deployment kit which supports scripting and customization and has the capability automatically migrate thousands of workstations at once! This is a solid tool that just works.

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

PDQ Deploy

I was recently recommended a brilliant free utility from Admin Arsenal called PDQ Deploy. This is a free software deployment tool that will allow you to deploy just about any type of installer package or command line script from a source to a network client. It is capable of remotely executing EXE, MSI, REG, BAT, VBS, MSP and MSU including any command line switches that are supported by the installation package. I found this software to be a great alternative to using Group Policy startup scripts for immediately deploying single Microsoft hotfixes that might not be included in your WSUS database. It also works quite well for small scriptable installations like Adobe Reader and Flash Player. It has a simple user interface that keeps track of your deployment history so that you can quickly see which computers were successful and which may have failed.

While there are more robust options for software deployment such as System Center Essentials and a few other third party alternatives those may be too expensive or just plain overkill for a small network. I would definitely suggest putting Admin Arsenal's PDQ Deploy into your "admin arsenal".

Find PDQ Deploy here.

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Handy Hyper-V Tools

This week we have been building a new Microsoft Hyper-V server for a client. For this installation, I decided to use a couple of tools that really helped to speed up the process.

Hvremote is a handy script written by John Howard who is a senior program manager on the Hyper-V team at Microsoft. This script compiles the multiple strings of commands used for diagnosing and configuring the Windows firewall, WMI and DCOM permissions in order to control a Hyper-V server from a remote client MMC regardless of the domain or workgroup association of either computer. This was once an extremely lengthy task that can now be completed in just 3 or 4 commands using the hvremote tool.

VHDtool was another big help. I needed to create a rather large 450GB fixed-size VHD. Personally this is the largest virtual hard disk that I have ever created and I was quite surprised at how long the process was taking through the manager. After several hours I decided to employ VHDtool.exe which is a nifty command line tool that allows you to instantly create large fixed-size VHDs. My 450GB VHD was created in approximately one second! This tool also provides the ability to extend drives, convert RAW disk images to VHD and repair broken Hyper-V snapshot chains.

I will definitely be keeping both of these time savers in my Hyper-V arsenal! If you need help configuring a Hyper-V server for your company feel free to Contact Us and an engineer will be glad to assist!

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Windows Server Update Services

Windows Server Update Services (WSUS) is an essential tool for maintaining Windows updates in networks of all sizes. WSUS allows administrators full control over which critical and noncritical updates are applied to client computers. 

Updates are downloaded from the public Microsoft Update site and are stored in a repository on the WSUS server. Next, they are met with an administrator led approval or disapproval process. In the situation where a critical security patch needs to be deployed to all client computers on the network the administrator will mark this as an approved update. You are also given the option to set a deadline for the deployment to ensure that all computers receive the update in a timely fashion.

The ability to disapprove an update is equally important. Administrators and developers can verify the compatibility of the updates with company-wide applications before deploying them to the entire network. Some other major advantages offered by WSUS are the ability to identify failed or missed installations and define groups to which various updates may apply. These features are a must for ensuring that your computers are properly protected.

If you think your company would benefit from WSUS feel free to Contact Us.  An engineer will be ready to help.

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Expired Stored Credentials and Microsoft Exchange 2007 Management Console

I ran into an interesting issue the other day while working on a server that was running Microsoft Exchange Server 2007 management tools. When I would call up the tools, I was receiving an error stating that “Active Directory Server DC01.xxx.local  is not available. Error message: A local error occurred. Get-ExchangeServer” I thought this error was rather odd because I was, in fact, loading the tools directly from the domain controller in question and it was indeed healthy.

After a little poking around on Microsoft forums, I discovered that the suggested fix is to completely delete the local user profile from the server and start from scratch. This seemed like overkill to me so I continued searching and it was a good thing! Apparently the issue was due to an expired stored password for the logged on user account in the key manager. The fix was to open the key manager by navigating to Start>Run and typing control keymgr.dll and deleting all stored credentials for the account in question. The management tools will open right up!

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Remote Desktop Connection

With the recent snowstorms in the Northeast, I have been supporting quite a few companies that have employees working remotely. Many of these organizations have never explored the possibility of remote connectivity nor do they have technology budgets that allow for remote app servers, remote access gateways or terminal servers so we have turned to RDC in a pinch.

RDC or Remote Desktop Connection is an application from Microsoft that allows users to make secure remote connections to their computers over a local network or the internet. The user will be presented with their desktop just as if they were sitting in front of it. One great feature of RDC is the ability to redirect local resources. This allows you to not only connect your screen but also connect your local disk drives, speakers and printers to the remote computer as well.        

Since RDC is either built into or available for download for all versions of Windows and Windows Server it is quite inexpensive to implement for being such a powerful productivity tool.

If your company is looking to implement remote access of any style please feel free to Contact Us and we would be happy to put you in touch with an engineer to help you meet your needs!  

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Helpful Free Tools

Over the past few years, there have been a couple of reliable, handy and FREE tools that I wouldn’t leave the office without. I thought I would share a few of them.

SpecOps Remote Gpupdate

This software adds a set of tools to the Active Directory Users and Computers console that allows administrators to selectively perform remote Group Policy updates as well as restart and shutdown commands. This is very useful when deploying critical GPO’s across the domain.

AnalogX Port Mapper

Port mapper allows you to map any port on one computer to any port on another computer. It also lets you filter the incoming IP address for enhanced security. One great use for this program is assigning remote desktop ports without the need to change the RDP port in the Windows registry.

Malwarebytes

This is by far the most consistent anti-spyware software that I have ever used. The interface is very simple and the technology behind its detection and removal process is top notch. These guys seem to stay on top of their game in the spyware removal world.

EZ GPO

Using this custom GPO and software provided by Energy Star gives administrators the ability to centrally manage power settings on Windows XP and Windows 2000 operating systems. This is something that Microsoft did not develop for the Windows 2003 platform. You can deploy this FREE tool and save your company some serious coin on the power bill by ensuring that computers are set into standby when not in use.

Angry IP Scanner

IPScan is an awesome and simple network scanning utility. This is a great security tool because you can use it as port scanner as well as an IP scanner. It’s great for finding available IP addresses and tracking down nodes on the network. The output can be exported to an Excel document which also makes it useful for network audits.  

Adam Jones - Systems Engineer

Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!