You are here: Blog

Set Out of Office for Mailboxes in Exchange 2013

Want to set an out of office reply for an account in Exchange 2013? Here's how:


To get the current settings:

Get-MailboxAutoReplyConfiguration foo.user


To set the Out of Office reply:

Set-MailboxAutoReplyConfiguration foo.user -AutoReplyState Scheduled `
-StartTime “10/14/2019” -EndTime “12/15/2019” `
-ExternalMessage “Type External automatic reply here” `
-InternalMessage “Type External automatic reply here”


It can be tough to set escpecially if you have double-quotes. The backtick when used at the end of the line is used to join to the next line. Also, the backtick is used to escape the double-quote. Example for escaping quotes:

Set-MailboxAutoReplyConfiguration foo.user –AutoReplyState Scheduled `
-StartTime “10/14/2019” -EndTime “12/15/2019” `
–ExternalMessage “<html><head><meta name=`"Generator`" content=`"Microsoft Exchange Server`"><!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; }--></style></head><body><font size=`"2`"><span style=`"font-size:10pt;`"><div class=`"PlainText`">Hello,<br><br>I'm out of office due to sudden medical leave. Please contact Other User ( This e-mail address is being protected from spambots. You need JavaScript enabled to view it ) or Other User2 ( This e-mail address is being protected from spambots. You need JavaScript enabled to view it ) in my absence. I will have limited email access.<br> <br>Thank you.</div></span></font></body></html>” `
-InternalMessage “<html><head><meta name=`"Generator`" content=`"Microsoft Exchange Server`"><!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; }--></style></head><body><font size=`"2`"><span style=`"font-size:10pt;`"><div class=`"PlainText`">Hello,<br><br>I'm out of office due to sudden medical leave. Please contact Other User ( This e-mail address is being protected from spambots. You need JavaScript enabled to view it ) or Other User2 ( This e-mail address is being protected from spambots. You need JavaScript enabled to view it ) in my absence. I will have limited email access.<br> <br>Thank you.</div></span></font></body></html>”



Microsoft Teams | Skype for Business


Once upon a time, Skype was Skype and everything was good. Then Microsoft bought them and everything became confusing; really confusing.

In another point in the time, Slack came into existence. It caught steam. All the cool kids used it, the marketing was a bit viral and the company went public company on the NYSE.


To compete, Microsoft developed Microsoft-Teams; the Microsoft version of Slack.

Microsoft added Teams to their Office365 packages so anyone with an Office365 account could use Microsoft Teams. But it still wasn't enough.

To make the offering more attractive, they offer Microsoft-Teams for free. This is up to 300 accounts on the same domain.


At this point Skype for Business is becoming Microsoft Teams:

What is interesting is that if you have a Microsoft Teams License (free), you can use Skype for Business:

1- Signup for free Office365 account: https://portal.office.com

Unlicensed accounts are free. You cannot do anything per se but it doesn't cost anything, so there is no harm.

2- Sync with on-site Active Directory (if needed)

If you have an onsite AD, you can setup a separate server just for the purpose of syncing with Office365 Azure Active Directory.

Download Microsoft Azure Active Directory Connect here:

 3- Assign Microsoft Teams License

You'll have to Connect to Office365/AzureAD via Powershell but once you do, you can perform 3 steps.

    3a- assign a Location:

    set-msoluser -UserPrincipalName This e-mail address is being protected from spambots. You need JavaScript enabled to view it -usagelocation US

    3b- check the Office365 Licenses

    get-msoluser -UserPrincipalName This e-mail address is being protected from spambots. You need JavaScript enabled to view it |fl |findstr /i licen

    3c- assign a Microsoft Teams License

    set-msoluserlicense -UserPrincipalName This e-mail address is being protected from spambots. You need JavaScript enabled to view it -AddLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

4- Download Skype for Business Basic

To make matters worse, documentation will try to convince you to download the software at: https://portal.office.com/account#installs

While this is logical, this will not work if you have Office 2016/2019 installed. This is because the download is a click-to-run (c2r) application. C2R applications cannot be mixed with others.

The Skype for Business Basic Full Client (448.1 MB) is found here:

Typically, Skype for Business Basic needed an onsite Lync Server or an Offce365 account (Office 365 ProPlus, Office 365 Enterprise E3 or Office 365 Enterprise E4).

I guess because of the convergence of Skype for Business and Microsoft Teams, the Microsoft Teams license will work with Skype for Business Basic now.

Note that the download is called: lyncentry.exe

5- Install Skype for Business Basic

6- Login to Skype for Business Basic

That's it! It should work! Good job, well done!

Disable Chrome Software Reporter Tool via GPO

Just like disabling Microsoft Telemetry, the Google Chrome Software Reporter Tool can become a pain. Let's turn it off.

In my other article about adding GPO ADMX files to control Chrome, I explain how to add the ADMX files to the GPO to control CHROME so I won't go through that again.

  • -new GPO.
  • -name: c-chrome-cleanup-disabled
  • -set: DISABLED
  • -set: DISABLED

Save the GPO but don't forget to turn off User-Configuration: DETAILS > USER-CONFIGURATION-SETTINGS-DISABLED.

Apply GPO where needed.

Disable Windows Telemetry via GPO

Windows Telemetry does "stuff." I don't want it to do that "stuff." In certain cases, it hogs resources sometimes it becomes out of control.

  • -new GPO.
  • -name: c-disable-telemetry
  • -set: ENABLED:0 (only works on Windows Enterprise).

But wait, there's more:

  • -set: ENABLED.

Save the GPO but don't forget to turn off User-Configuration: DETAILS > USER-CONFIGURATION-SETTINGS-DISABLED.

That's it! Link to all OU's necessary.

MPLS Connection Cisco Routes

So routes in an MPLS cisco router can have the following codes; the highlighted ones are the most common I see:


  • L - local
  • C - connected
  • S - static
  • R - RIP
  • M - mobile
  • B - BGP
  • D - EIGRP
  • EX - EIGRP external
  • O - OSPF
  • IA - OSPF inter area
  • N1 - OSPF NSSA external type 1
  • N2 - OSPF NSSA external type 2
  • E1 - OSPF external type 1
  • E2 - OSPF external type 2
  • i - IS-IS
  • su - IS-IS summary
  • L1 - IS-IS level-1
  • L2 - IS-IS level-2
  • ia - IS-IS inter area
  • * - candidate default
  • U - per-user static route
  • o - ODR
  • P - periodic downloaded static route
  • H - NHRP
  • l - LISP
  • + - replicated route
  • % - next hop override

As elsewhere, you can see the routes by:

show ip route

Or you can search for a route by (ie search for routes to 10.116.x.x):

show ip route | incude 116

 To add a route to the MPLS router nodes, the route must be added as a STATIC route to the node that is LOCAL to the subnet.

For example, we add a new node to the MPLS network. That new node has the following network as a LOCAL subnet:

This network would show as the following:

L is directly connected, GigabitEthernet0/1

The new node also has the following network as a subnet The problem is that while the subnet at the location will already know about the subnet, the other locations will not know about the subnet until it is advertised/distributed across the MPLS network routers.

If you try to traceroute a address on the new subnet from a different location, the other routers will not know what to do and bounce the packet to the default route, causing a loop/bounce.

As stated above, to resolve, the STATIC route must be added to the router where the subnet is located:

S [1/0] via

Once that is added, the other routers will pickup the route as a BGP route:

B [20/0] via

Rename Files

Let's say you have a bunch of files to rename. You want to minus the first 10 characters of each file. What's the best way?

It depends.

Total Commander

My favorite for small-to-medium batches is Total Commander. It understands REGEX and it shows the before-names and after-names before committing the command.

  • -highlight the files (they show as red filenames).
  • -click FILE > MULTI-RENAME-TOOL (the rename box shows)
  • -find RENAME-MASK (in the upper-left).
  • -type: [N10-]
  • -adjust according to your situation.
  • -click START (at the bottom-right).

This should do it!


For powershell, the command will be something like:

get-childitem 'c:\path\to\file\*.txt | rename-item -newname { [string]($_.name).substring(8) }

Or if you need to split at an underscore "_".

Get-ChildItem'c:\path\to\file'|Rename-Item-NewName{ $_.BaseName.Split('_')[0]+ $_.Extension}



Uninstall TeamViewer

TeamViewer uninstall.

First, stop the service:

sc stop teamviewer

See if the service stopped:

sc query teamviewer

See if there is any TeamViewer process running:

powershell "ps |findstr /i team"

If there is a TeamViewer process running, taskill it:

taskkill /F /T /IM teamviewer.exe

Run the uninstall command:

"C:\Program Files (x86)\TeamViewer\uninstall.exe" /S

Powershell Connect To AzureAD | Connect to Office365

This information is in other articles that are posted but they can be overly complicated. This is the TLDR version.

Start Powershell

  • -start POWERSHELL (as administrator).
  • -type: $LiveCred = Get-Credential
  • -type in your username/password.

Office365 Endpoints | O365 Endpoints | Azure Endpoints | Microsoft Online Endpoints

From here you have the option to connect to different ENDPOINTS of Office365/AzureAD. The information is the same but data is displayed differently depending on which endpoint is being used.

The ENDPOINTS I use regularly are:

  1. OUTLOOK/Exchange-Online
  2. AzureAD
  3. MSOnline

Install Module

To connect to the endpoints, a module must be installed into Powershell. So if this is the first time, depending on the endpoint,use the following

  1. Outlook/Exchange-Online: does not need a moduel
  2. AzureAD: type: Install-Module AzureAD
  3. MSOline: type: Install-Module MSOline

Note that this only has to be done once. After the module is installed into Powershell, it remains.

Connect to Endpoint

After the module is installed into Powershell, the connection is as follows:

  1. OUTLOOK/Exchange-Online: type:
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session -AllowClobber
  2. AzureAD: Connect-azuread -Credential $LiveCred
  3. MSOnline: Connect-MsolService -Credential $LiveCred

Which Endpoint Is Best

It depends on what you are trying to do.

  1. OUTLOOK/Exchange-Online: for the Exchange portion of Office365. Should be easy to determine if it is needed.
  2. AzureAD: new endpoint that seems to have development in the works. To me the commands are long and arduous.
  3. MSOnline: tried and true as a legacy option that seems to work.

License Accounts in Office365 | License Accounts in AzureAD

As a refresher, get-msoluser and get-azureaduser are similar but provide information differently.

This is a case where it seems to be easier to use get-msoluser.

To see all accounts:


That returns a maximum of 500 results in a command, so you can check with (20000 represents some really high number because 'unlimited' or 'all' doesn't exist):

get-msoluser -maxresults 20000

To search for a specific account:

get-msoluser -searchstr foo.user

To see if accounts are licensed:

get-msoluser -maxresults 20000 |where {$_.islicensed -eq $true}

To see if accounts are not licensed:

get-msoluser -maxresults 1000 |where {$_.islicensed -eq $false}

To see an example of the details of a licensed account for ADHOC:

get-msoluser -UserPrincipalName This e-mail address is being protected from spambots. You need JavaScript enabled to view it |fl |findstr /i licen
IndirectLicenseErrors                  : {}
IsLicensed                             : True
LicenseAssignmentDetails               : {Microsoft.Online.Administration.LicenseAssignmentDetail}
LicenseReconciliationNeeded            : False
Licenses                               : {foodomain:RIGHTSMANAGEMENT_ADHOC}

To see an example of the details of an unlicensed account:

get-msoluser -UserPrincipalName  This e-mail address is being protected from spambots. You need JavaScript enabled to view it |fl |findstr /i licen
IndirectLicenseErrors                  : {}
IsLicensed                             : False
LicenseAssignmentDetails               : {}
LicenseReconciliationNeeded            : False
Licenses                               : {}

To assign a license to an account, you might think that set-msoluser has a key/value but they break it out to set-msoluserlicense (which is weird because there is no get-msoluserlicense). But before that is possible, the account must be set for USAGELOCATION (which is set-msoluser):

set-msoluser -UserPrincipalName  This e-mail address is being protected from spambots. You need JavaScript enabled to view it -usagelocation US

set-msoluserlicense -UserPrincipalName  This e-mail address is being protected from spambots. You need JavaScript enabled to view it -AddLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

Likewise for removing the license:

set-msoluserlicense -UserPrincipalName  This e-mail address is being protected from spambots. You need JavaScript enabled to view it -removeLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"

What options are available for the license key?

Glad you asked. Here is how to get the options for your tenant:


If something doesn't show, it is because it has not been provisioned.

Exchange 2013; Get Accounts that Someone Else Has Access To

So it is easy to find out what USER is a member of what GROUP. Or vice-versa.

What is not as easily available is finding out what USER has access to another account. Or another way of putting it is; how to find mailboxes that have additional permissions than just their own?

Here's how:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}}

Or if you need to create an Excel document out of it:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv


This is found in the article for Remove Mailbox Permissions That Are Not Inherited but the info might be hidden there.

Delete User from Azure AD

For whatever reason, I had an account in Azure AD that picked up the @foobar.onmicrosoft.com domain rather than the actual local domain. I suspect this happened because there was already an account manually created as a Global Admin so when the AD sync was happening, it could not create an account and defaulted to the onmicrosoft.com account.

In any regard, you can delete the account on Azure AD without affecting the Local AD. After the deletion, sync back to Azure AD from the Local AD.

These are the steps:

Connect to Office365/ExchangeOnline

Set-ExecutionPolicy RemoteSigned

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session -AllowClobber

Connect to MSOnline

Install-Module AzureAD

Install-Module MSOnline

Connect-MsolService -Credential $LiveCred

Get the User / Delete the User

get-msoluser -searchstring foouser

get-MsolUser -ObjectId 33f85584-acde-4c23-aa00-d8ab654a258b

remove-MsolUser -ObjectId 33f85584-acde-4c23-aa00-d8ab654a258b

Connect to AzureAD & Verify the Account Does not Exist

Connect-azuread -Credential $LiveCred


get-azureaduser -searchstring fooname

Permanently Delete

Go to Azure Acive Directory > Users > Deleted Users

Select User

Permanently Delete

Sync from Local AD

Then to sync back from the Local AD.

-connect directly to the system that has Azure AD Connect.

Check the schedule:


Run the sync:

Start-ADSyncSyncCycle -PolicyType Delta


get-msoluser and get-azureaduser are pretty much the same in that they will provide the same basic details. They are different in that they connect to different endpoints of the service and therefore provide similar information but provide it differently.

In short, get-msoluser is the 'old way' and get-azureaduser is the 'new way.'

The problem is that the old way is easier to use and not everything is in the new way.

Redirect Entire Domain

Of course you can use the DNS at the REGISTRAR (GoDaddy, Enom, etc) level but what if you have access to the server but not the domain?

Two files are needed:

  1. index.php
  2. .htaccess (don't forget the leading '.' and there are no extensions)

The contents of the index.php file to redirect to the new web site:

    header('Location: https://foo.tld');

The contents of the .htacess file to redirect any phantom links to the index page:

Options +SymLinksIfOwnerMatch
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

GPO gpresult rsop | gpupdate

All this time and I never covered this... GPO, gpupdate, gpresult, rsop


You know GPO, right? The Default Domain Policy is the applied for the entire domain and should override the rest. Put the password stuff in this policy but nothing else.


The GPO's will apply automatically but if you need to do it now:

gpupdate /force


To see what is being applied, type:

gpresult /r

It shows what server the system is connecting to, what GPO's are applying, what GPO's are not applying and what security-group is being applied. All useful information.

To see more info, use verbose mode:

gpresult /v

Note that the command will only show the USER gpo's. If you want to show the COMPUTER gpo's, the command should be run AS-ADMINISTRATOR.

Or if you need to run remotely:

gpresult /r /scope:computer


Groups are applied on login. If the group doesn't show, logout/login.


Since GPO's can overlap, the follow will show what GPO's are winning in case they are fighting: rsop.msc


Or a quicky to show password rules: net accounts /domain


10 Steps for NVMe Drives | Microsoft, Intel, Toshiba

On 2 separate occasions today, I ran into problems with NVMe drives. These are SSD drives on a chip through a pcie slot rather than a SATA connection.

The drives were Toshiba KXG60ZNV512G NVM and would BSOD coming out of sleep/hibernate.

Here are 10 steps to make sure you have the best NVMe experience.

1- Update the drive firmware. Be sure to match the model number (KXG60ZNV512G). Dell's web site provided the wrong drive firmware. This firmware would not install as the drive was not found on the system. I found the correct firmware by showing all downloads for the model (Precision 7530).

2- Update the bios. The bios needs to be built to work with an NVMe drive. So if the bios doesn't work, it may need updated.

3- Write down the bios settings for the drive and reset to the default bios settings. Reboot. After reboot, manually set the settings again. There are some settings that cannot be changed manually. If there are hidden settings the default should be appropriate. But we want to make sure we have the drive settings (probably RAID/RST) because we don't want to guess after the update. Changing them incorrectly produces a BSOD on bootup. Not the end of the world as it can be fixed.

4- In the bios, turn off the C-STATE. While we are at it, turn of SPEEDSTEP... ugh.

4- Update the chipset drivers.

5- Update the NVMe drivers. There are 4 providers of NVMe drivers:

  1. Microsoft built-in drivers.
  2. Samsung.
  3. Intel RST (iastorAC.inf).
  4. OpenFabrics Alliance.

Word on the street is that the OpenFabrics drivers perform best but let's stick with the crowd and use Intel RST drivers.

6- Manually install the drivers; UPDATE-DRIVERS > BROWSE > LET-ME-PICK > HAVE-DISK > choose IASTORAC.INF > Reboot.

7- Enable the Device Manager Write Caching Options by disabling the write cache buffer; DEVICE-MANAGER > DISK-DRIVES > RIGHT-CLICK > PROPERTIES > POLICIES > CHECKMARK "turn off windows write cache buffer."

8- Disable the Link Power Management (LPM). Open the Intel Rapid Storage Technology Software > PERFORMANCE > LINK-POWER-MANAGEMENT > DISABLE.

9- Set to ultimate performance. Windows has power settings for both plugged into power and for battery. If it is plugged in, use it for maximum performance. Some settings are hidden in the Windows UI, so set it via command line:
powercfg -s e9a42b02-d5df-448d-aa00-03f14749eb61

While we are at it, make sure the hibernation is off:
powercfg -h off

10- Have fun! Remember, if this "feels heavy," get someone else to do it for you. Here is a benchmark:


10 Reasons Why I Prefer Webroot Antivirus

I wrote this email for a colleague who inquired about Webroot. After I finished the message and sent it, I realized that it was appropriate for a blog post:

Webroot is very good protection.


The installation is very simple with msi or exe options available. Both options are simple, silent and fast install. The command line looks something like this: msiexec.exe /i "wsasme.msi" ALLUSERS=1 /qn /norestart /log output.log GUILIC=664CG8545895728446C


Once installed, the protection has the following areas:

1-Real time Protection

2-Rootkit Protection

3-Web Protection

4-USB Protection

5-Firewall Protection

6-Identity Protection

7-Phishing Protection

8-DNS protection is available as well as an upgrade.


Scans are very fast and use little processor resources. A “deep” scan takes around 30 seconds. A “Full” scan takes around 30-60 minutes but this scan is not needed because of the central console.


All computers report back to a central console which is located here:



The console is a central place to monitor systems, control systems and will show which systems are clean and which systems have problems.


The console also controls the options for Webroot and will determine the settings for the software. One policy we like is the inability to uninstall the software. So even if a person has administrator rights, they are unable to remove Webroot. Uninstall is only performed by the console.

The console also gives limited control access to the systems. You can perform manual scans, lock the computer, restart the computer or restart in safe-mode. This is good when the system is out of the office and might have little control over the system through other access.


In the event that Webroot finds a threat, it will automatically resolve the issue and either quarantine the file or delete the file. There is very little maintenance to perform.


While the firewall blocks websites, Webroot is a second layer of protection that blocks when the system is not behind a company firewall.


Definition updates are handled by the console with cloud-based threat intelligence. All systems use the same definition updates and policies.


Webroot will automatically update to the newest version. There is no need to manually update the software version.


The console can generate alerts and reports. Alerts send an email or text message when any problem is found. Reports shows a list of problems for a time period; for example for the last 30 days, 60 days or 90 days.


The only other antivirus we are considering Cylance.

Reset Cisco Router Password and Config | Authorization failed

Trying to reset cisco password; getting "% Authorization failed" for every command. I guess there is an AAA set.

PC <-> usb-to-serial-connection <-> serial-to-ethernet <-> ethernet-to-console
plug into console
select serial
type: com3
Power on router
startup sequence shows.
hit CTRL + BREAK (within 60 seconds).
type: confreg 0x2142
type: reset
Wait for reboot.
type: no
type: enable
type: show startup-config
copy the entire output to your pc and save.
type: config t
type: config-register 0x2142
type: end
type: reload
type: no
confirm the reload with enter
type: no (when ask to enter the initial config).
type: enable
type: config t
type: config-register 0x2102 (notice this is different)
type: end
type: write memory
type: reload
hit ENTER to confirm reload

10 Items I Wish I Knew Before Setting Up Webex Room Kit

We had our first interaction with Webex Room Kit recently. After hashing it out for a few days, here are a couple of tips that might help:

1- Webex Meetings and Webex Teams are 2 separate products.

Webex Meetings is traditional Webex. You can host/schedule meetings and other people can join. The meetings can be for small 1-on-1 type of meetings or they can be webinar type of meetings where one person presents and everyone else is muted. Up to 1000 people can attend.

Webex Teams is like Skype. Others ring you and you can ANSWER or DECLINE.

2- Webex Meetings and Webex Teams are 2 separate software.

Since they function differently, you will need both, if needed. My recommendation is to skip Webex Teams altogether. More on that later.

Here is the current link for Webex Meetings (Windows):

You can install silently by:
msiexec.exe /i "webexapp-39.4.5-5.msi" ALLUSERS=1 /qn /norestart /log output.log

3- Close Outlook when installing Webex Meetings.

When Outlook is closed, Webex Meetings buttons will install into Outlook. You can use the buttons to Start a Meeting or Schedule a Meeting directly from Outlook.

These buttons are not available for Webex Teams. This is a deal-breaker for Webex Teams.

4- Licensed Accounts are only needed for people who START/HOST/SCHEDULE meetings.

If a user is not going to START/HOST/SCHEDULE a meeting, they do not need a license.

They can still attend meetings that others START/HOST/SCHEDULE.

5- Webex Meetings (& Teams) is licensed per NAMED-USER (colloquially called PER-USER) or ACTIVE-USER (colloquially called CONCURRENT-USER).

In NAMED-USER, you will pay for every person that has an account. If they never HOST/SCHEDULE a meeting, you will still pay.

In ACTIVE-USER, you pay for the number of meetings that can happen at one-time. Like incoming/outgoing phone lines, once they are used up, someone will have to wait till a spot is free to make a call.

6- ACTIVE-USER (aka CONCURRENT-USER) starts at 40 licenses.

This is kind of a bummer for small companies. It would be awesome if a 5 license option were available for smaller companies who may want the features of Webex but don't host meetings too often.

For larger companies, with ACTIVE-LICENSE, you can install on everyone's computer (say 250 computers) and only pay for 40 licenses. Awesome option!

7- Webex Room Kits are Webex Teams by default.

In thinking about it, it makes sense. If you have a conference room of 4 people and they need to call another room, that other room will have to ANSWER for anything to happen. If not, it just rings like a phone until a NO-ANSWER message shows. It will not just show the other conference room and wait for other people to show. That would be kind of creepy.

8- Webex Room Kit TouchPanel has a Directory which is Webex Teams by default.

So if someone starts a Webex Meeting and you try to join via Webex Room Kit by calling their name from the Directory, it will not join the Meeting. It will just ring. This has been the single biggest source of frustration with the Webex Room Kit. People stomp away cursing under their breath about how the stuff doesn't work.

I'm trying to see if that can be changed.

9- Call the Personal Room.

If you start to type in someone's name, they will show twice. Once as their name and a second time as a PERSONAL-ROOM. By tapping on their name, you are calling them via Webex Teams. By tapping on their PERSONAL-ROOM, you are calling them via Webex Meetings. This is "fix" for the frustration above. Trying to communicate (educate?) people on this has proven to be difficult.

In short, call the Personal Room.

10- Adjust the Options from https://admin.webex.com

This web site can control the Webex Room Kit. Options like Whiteboard focus, so that the camera can focus on the person in the conference room along with a Whiteboard and options like Standby-Branding, so that you can display a web site on the TV while the Webex Room Kit is not being used are both options can be found by a little digging.

11 (Bonus!)- Siri/Cortana is Built Into the Webex Room Kit

OK, it is their version of Siri/Cortana but you can say, "Hey Webex, call John" and it will do your bidding. Of course, use caution on the whole Teams/Meeting Personal Room aspect.


In the end, Webex Room Kits along with Webex Meetings is one of the best all around options available for video conferencing and can change the entire culture of the company while providing best-in-class service to customers. Webex Meetings is great but needs a bit of class time to get the full features out of it. Webex Teams,while perhaps necessary, is very confusing to communicate and for users to pick up on their own. Having 2 options only serves to increase support times. Do yourself a favor and ditch Webex Teams going with Webex Meetings only is the way to go.

Now to see if it is possible to change that darn Directory in Webex Room Kit Touchpad to only show Personal Rooms...

Why WatchGuard?

Why WatchGuard instead of {insert brand name here}? Good question.

Fine Grain Control

First and foremost, WatchGuard has fine-grain control. This means that WatchGuard will inspect every incoming and outgoing traffic. This is done on a port level (0-65,535) and a portocol level. This means it can allow/deny protocols on ports that it should not be running on. This is different than lower-end systems that will allow all outgoing traffic but only port-forwards incoming ports.

Automatic Deny

WatchGuard automatically denies something that it does not recognize. This is important for security. This way, only items that need to go through are doing so through manual allowance rather than automatic allowance.

Multiple Interfaces

WatchGuard can handle multiple interfaces. This means dual WAN connections or possibly more; such as dual-WAN and MPLS connections. Or perhaps a single WAN connection and multiple internal network segments that are completely separate. Think in terms of an office suite where there might be 5 tenants or more sharing a single internet connection. The economies of scale are at work here as every tenant could share a single fiber connection rather than each getting their own WAN/ISP.

Multiple IP Addresses

WatchGuard can handle multiple public IP addresses all on the same interface. This means that we can use one ip address for our LAN and other dedicated IP addresses for servers. This helps for security but also if you have multiple servers using the same port number, say port 80 for web hosting. You can have multiple web servers behind the same WatchGuard with different public ip address but using the same WAN connection.

No Reboot Configuration Updates

WatchGuard will apply new configurations without rebooting the system. The only time a reboot is needed is when the OS is updated. This is a dream if you ever managed any other system that wants to reboot everytime a change is made.

Wireless Controller

WatchGuard has wireless controller builtin. This allows for easy deployment of several access points (AP's) at once. It will sniff out new AP's and ask if it should manage them. This can be done via internet as well. So upgrading AP firmware is done in one fell scheduled swoop in the wee hours of the morning during low/no traffic.

Business Class Ready

WatchGuard is business class ready. Stop using home quality routers at the office. With uptimes more than a year, WatchGuard is built for the offices both large and small.

Integrated Threat Detection Against Cryptolocker

WatchGuard has integrated Threat Detection client that can run on the systems. If cryptolocker is detected, WatchGuard can shut it down automatically.

VPN Options

WatchGuard handles VPN through SSL VPN (it can also do PPTP and IPSEC). With PPTP being outdated and other systems difficult to setup, WatchGuard SSL VPN works out of the box. And it works at most remote situations since it runs over https/port 443. This saves on support time for road warriors and conference travelers needing to connect back to the office.

Also WatchGuard VPN can be site to site with super easy drag and drop configuration.

Next, WatchGuard VPN can be split-tunnel for remote workers. This allows remote workers to use the local internet connection for web surfing and the VPN connection for office network shares. Helps in situations where road warriors need to print to their local network printers but still need access to the office server.

WatchGuard VPN works with OpenVPN. This allows the traffic to be forced over the VPN connection.

Centralized Management

WatchGuard can be managed centrally through WatchGuard System Manager. This means that if you have several WatchGuard firewalls (or hundreds... cough, cough), you can manage them all from a single console. This manages licenses, upgrades, wireless firmware, firewall rules. You name it and the WatchGuard System Manager can manage it.

Centralized Reporting

Likewise, WatchGuard has Centralized Reporting in the form of WatchGuard Dimension. All traffic from all clients across all WatchGuard Firewalls is recorded in a central location. If we need to run a report on web sites visited during a certain time, no problem. Here it is.

Putting All Together

Putting this all together means that we can manage many WatchGuard systems and their wireless access points and their reporting across North America without ever leaving network operations center.

Powershell Get Disk Space

Here is how to get the disk space in powershell with GB (aka human readable numbers):


Here it is cleaned up a bit:

get-psdrive -PSProvider filesystem | Format-Table -Wrap -AutoSize -Property Root,@{Name='UsedGB';Expression={[math]::round($_.used/1gb,2)}}, @{Name='FreeGB';Expression={[math]::round($_.free/1gb,2)}}, @{Name='PctFree';expression={$_.free/($_.free+$_.used)*100 –as [int]}}

It has every connected drive,  drive letter, used GB, free GB and Percentage Free GB.


WatchGuard Downloads

WatchGuard Downloads are here:


The OS upgrade option is built into the web ui and should be used to upgrade versions. The OS upgrade will also upgrade the SSL VPN client versions that are stored directly on the Firebox.

Install WebEx Remotely

Let's say that you have limited access to a system. Let's say that you want to download a WebEx package to the system via command line/powershell. Here's how:

wget "https://akamaicdn.webex.com/client/WBXclient-39.4.5-5/webexapp.msi" -outfile "webexapp.msi"

msiexec.exe /i "webexapp.msi" ALLUSERS=1 /qn /norestart /log output.log

Remove Appx Windows 10

Remove Appx app (is that redundant?):

Get-AppxPackage -allusers -name "Microsoft.MicrosoftOfficeHub" |Remove-AppxPackage

Surface Pro 4 Max Perfomance

Click here to see how to set the Surface Pro 4 to Max Performance on the Intel HD Graphics and the Processor:



MacBook Pro circa 2011 running bootcamp and Windows 10. Updated to 1903. BSOD "WDF_VIOLATION."

-hold power button to shut off.
-press power button to turn on.
-do this about 3 times. After the 3rd time, the option for ADVANCED BOOT should appear.
-press F8
-login as normal.
(a scary black screen shows)
-you will be at c:\windows\system32

-type: cd drivers
-type: dir |findstr /i machal
-it will show: MacHALDriver.sys
-this is our problem.
-type: rename MacHALDriver.sys MacHALDriver.sys.sav
-press ENTER key
-type: shutdown -r -t 3
-press ENTER key

The system will reboot and you should be able to login as normal with the BSOD. Apparently the BOOTCAMP DRIVERS V6 will fix. But I have not tried to install yet.

WatchGuard Allow Web Site

It is possible to setup different access to different groups.

Typically we block web site to weapons by default. Going to a web site like the following is blocked: beretta.com

But what if they are a client and we want the MARKETING group to allow access to the web site?

-this was the simple setup:

Without any setup the log is:
2019-06-05 14:53:51 Deny 10.192.480.250 http/tcp 56564 80 0-LANLAG 0-External ProxyDeny: HTTP Request categories (Outbound-HTTP-proxy-00) proc_id="http-proxy" rc="595" msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard.1" cats="Weapons" op="GET" dstname="beretta.com" arg="/favicon.ico"

-you can see that the proxy-action is: HTTP-Client.Standard.1.
-but it should be: HTTP-Client.marketing
-this is because the proxy-action is not attaching to the group. This is because I was trying on a system on a subnet with an exception for authentication:
10.192.480.0/24 (note: subnet not real for posting purposes)
-this results in NO-AUTH, NO-GROUP and NO-PROXY-ACTION.
-using different pc on: 10.192.420.0/24

-for setup, the key here is that the WatchGuard group name needs to be the same as the AD group name: MARKETING
-next, create the rule where you can create the proxy. I went the long way around.
-ultimately, I had to:
-edit-policy > Proxy-Action > HTTP Proxy Exceptions
-add: *.beretta.com

-going to: -edit-policy > Proxy-Action > WebBlocker
-click: ADD
-type: *.beretta.com/*
Did not work. I still ended up with log:
2019-06-05 15:40:06 Deny 10.192.420.100 http/tcp 61063 80 0-LANLAG 0-External ProxyDeny: HTTP Content Type match (Outbound-HTTP-Marketing-00) proc_id="http-proxy" rc="595" msg_id="1AFF-0018" proxy_act="HTTP-Client.marketing" rule_name="Default" src_user="dakruhm"

-the fix should be:
-edit-policy > Proxy-Action > HTTP-RESPONSE > CONTENT-TYPES

OpenText Enterprise Scan and SAP

Here are my scribble notes so I don't have to look them up again.

Install the OpenText Enterprise Scan program.

Scanning is rather simple, just make sure you select the correct model of scanner and scan the document.

Next is sending to the Archive Server.

Setup the pipeline to the Archive server (ie
scan config manager

Test the archive server pipeline:
scan > config-manager

Pipeline info:
Port 4023
Port 8080 (for management)
right-click & select LIST-PIPELINES

Start Enterprise Scan
Config Archive

Capture Center
Capture Center via shared
content server
doc pipe for content server
doc pipe for SAP
doc pipe for tcp
external storage

Doc pipeline SAP

nettcp secure

There is a possibility that there is a port on a firewall that needs to be opened if the archive server is offsite.

Check the profile: cmd > set
ecm conf dir = c:\ProgramData\Open Text (intentional space "Open" "space" "Text")
ecm doc pipeline base = c:\Program Files\OpenText
ecm doc pipeline conf = c:\ProgramData\OpenText (intentional nospace "OpenText")
ecm doc pipeline info = c:\ProgramData\OpenText (intentional nospace "OpenText")
ecm doc pipeline sap = c:\ProgramData\OpenText (intentional nospace "OpenText")

c:\ProgramData\OpenText\BASE Document Pipeline\config\dpconfig\dp.dpconfig
c:\ProgramData\OpenText\BASE Document Pipeline\config\dpconfig\dp.dpinfo

Error Message: Late_Archive_error | Could Not Process Document

Logs are here:

http status code = '0', http status message = 'Couldn't resolve host name'
dsc::dscOpenDoc dsc.cxx-9776 cannot reserve a document id; the call of function dshDsReserveDocId() failed: 'HTTP error: connection was broken: host = denw08v701 (archive='ABC')'

This means the archive is not working because the local system cannot find the system that is named in the script. This happens because the server is outside the domain so simply stating the system as "denw08v701" it needs to be "denw08v701.domain.tld".

Or you can edit the HOSTS file:

Add: denw08v701

Find What Port Number a Mac Address Is On Cisco IOS

Find What Port Number a Mac Address Is On Cisco IOS

If you know the full Mac address, you can perform the following:

show mac address-table address 6476.7A98.1818

If you know just part of the Mac address (where 1818 is the last 4 digits of the Mac):

show mac address-table | include 1818

Change your interface, if needed:


configure  terminal

interface GigabitEthernet0/1
 description MPLS
 ip address
 duplex full
 speed 100

Be sure that your link speed is set correctly. Sometimes auto speed doesn't work right.

And change your gateway/bgp-neighbor, if needed:

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 redistribute ospf 30
 neighbor remote-as 65006
 neighbor remote-as 1
 no auto-summary

And remember to save your running config as your startup config:

copy  running-config startup-config

You can show your routes by:

show ip route

Hyper-V Integration Services Windows Server 2016 Datacenter

Integration services is Microsoft's terminology for client-tools/guest-tools. Other vendors such as VMware and VirtualBox have their own terminology but the idea is the same. With the tools installed the guest VM works better, faster, etc.

To see if the Integration Services are installed:

  • -go to Host system.
  • -powershell (as admin).
  • -type: get-vm |ft name,version

With Windows 10 Guest VM, and Server 2016 Host, the integration services are installed via Windows Update.

To see the version of Integration Services:

-type: REG QUERY "HKLM\Software\Microsoft\Virtual Machine\Auto" /v IntegrationServicesVersion

Then let us see if the service on the GuestVM is running:

-type: Get-Service -Name vm*

Laptop Password Expired and VPN

Let's say that you have a typical Windows domain network at the headquarters. A rule of the network account policy is that the password changes every 90 days.

And let's say that you have a group of outside sales people who do not come into the office. Every once in a while they vpn into HQ.

If the password expires on their account, they can still login to their laptops because the laptop keeps a local copy of the access list. But then the VPN fails and email fails.

They call and we reset their account password.

The VPN works.

But then how does the laptop get updated?

Here's how:

  • login on the laptop without network (using the old password).
  • connect to a network for internet.
  • start the VPN connection to HQ.
  • lock the laptop (CTRL+ALT+DEL > LOCK).
  • unlock (using the new password).

When unlocking, the computer is connected to the domain (via the VPN tunnel), It will verify the password with the domain. As a side effect this will update the password on the laptop.

Linux Delete All Files Greater than a Certain Size

Lets say you have a directory of photos. The directory is about 1TB and the hard drive is packed full. How do you delete files that are larger than a certain size?

Here's how:

cd /path/to/dir
find . -name "*.jpg" -size +1000k -delete

K is for KB.
Miss off the "-delete" if you want to run a test without deleting the files.
Adjust accordingly.

Or if you need to delete base on date (files older than 30 days):
find ./path/to/dir/ -type f -mtime +30 -delete

Mimecast LDAPS Connection

Here is the best source for setup of LDAPS:


For Mimecast, if you are using a self-signed certificate as the instructions above provide, set the Encryption Mode to: Relaxed

Rename User Active Directory

Rename user in Active Directory is a common task but putting it all in one spot

Rename User in GUI

-open Active Directory Users and Computers.
-right-click on the Name.
-select RENAME.
(rename User dialog box appears to change other common items)

Rename User in CMD

dsmove "<UserDN>" -newname "<NewUserName>"
dsmod user "<UserDN>" -upn "<NewUserUPN>" -ln "<NewUserLastName>"

Rename User in PS

rename-adobject "oldname" "newname"
Get-ADUser -Identity 'oldname' | Rename-ADObject -NewName 'newname'

For a full one-liner:
Get-ADUser "old.name" |Rename-ADObject -NewName “New Name” | Set-ADUser -GivenName “New” -Surname “Name” -DisplayName “New Name” -SamAccountName “newname” -UserPrincipalName " This e-mail address is being protected from spambots. You need JavaScript enabled to view it


All the following are different:


Most can be set by: Set-ADUser

But the Name of the Object is a bit different and needs to be set by: Rename-ADObject

Check your work by using Get-ADUser.

Here is Get-ADUser:

Here is Set-ADUser:

Here is Rename-ADObject:

Watchguard VPN Split Tunnel Doesn't Resolve

Watchguard VPN setup. Watchguard has a split tunnel automatically. Works for hundreds of people.

Run into a new setup where the Watchguard VPN would connect but asking for vlan resources would respond back with the local network. The desired result is the remote network.

This happens to be on an ATT home router. The laptop is hard-wired connected. Note that the wireless connection work fine. Go figure.

Here's how to diagnose on the vpn laptop:

  • -click START > POWERSHELL (as admin).
  • -type: get-netipinterface

Typically, out of the box, each connection will have a name (obviously) and a setting for IPV4 and IPV6. Each setting will have a METRIC.

Let's say the the connections are named: ETHERNET and VPN.

You will notice that:

ETHERNET IPV4 has a metric of 35
ETHERNET IPV6 has a metric of 35
VPN IPV4 has a metric of 35
VPN IPV6 has a metric of 35

What we need to do is set the METRIC on the hard-wired connection to a number higher than the vpn connection.

-type: netsh int ipv4 set interface interface="ETHERNET" metric=40
-type: netsh int ipv6 set interface interface="ETHERNET" metric=40

That should do it.

Note that other posts will talk about turning ipv6 off, etc.

Watchguard Change Opened Ports | Watchguard Change Opened Outgoing Ports

Watchguard Change Opened Ports | Watchguard Change Opened Outgoing Ports

Let's say that you already have a firewall policy on your Firebox. That firewall policy has a non-standard-port open from that static internal ip-address to the rest of the www (any-external) so that it can talk to who it needs to. Note that this is not a static server internally that needs to service the rest of the www such as a web server, this is simply a piece of software that needs to reach out on a non-standard-port.

Now, at the current moment, you need to either add to the port list or change the port number.

When you click on the firewall policy there is no option to edit the port list or the port number. How you change it?

Good question. What you want to do is change what is called in Watchguard-speak, the firewall-policy-type.

Here's how:

  • -click ADD-POLICY (at the top). (Yes, even if you are not adding a firewall-policy).
  • -bullet CUSTOM.
  • -select the policy-type (from the drop-down list).
  • -click EDIT.
  • -click ADD | EDIT | REMOVE as necessary.
  • -click SAVE (at the bottom).
  • -click CANCEL (so that it does not save a new firewall-policy).

I have yet to figure out if there is a better way to go directly to the firewall-policy-types.


Watchguard Port Forward

Here is how to port forward if you are hosting a server of some type on your internal network that needs to be accessible outside of the office:

  • -log in via web
  • -click on Firewall > SNAT.
  • -click ADD.
  • -type name: 5802 incoming to port 5802
  • -click ADD.
  • -type internal address to send traffic to. (e.g.,
  • -click OK.
  • -click SAVE
  • -click Firewall > Firewall Policies.
  • -click ADD-POLICY.
  • -click CUSTOM.
  • -type name: 5802 incoming to port 5802
  • -click ADD.
  • -enter port # and click OK. (e.g., 5802)
  • -click SAVE.
  • -click ADD POLICY button.
  • -change “FROM” box to contain only “Any-External”.
  • -remove everything in “TO” box.
  • -click ADD button.
  • -change “Member Type” to “Static NAT”.
  • -select the Policy Type you just added and click OK.
  • -click SAVE.

Get All Mailboxes With Permissions Other Than Themselves

Get All Mailboxes With Permissions Other Than Themselves. Here's how:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv

Outlook Calendar Permissions for Visual Learners

Learn visually? Me too. Here's the Outlook Permissions in table format with color view:

  Author Contributor Editor None NoneEditingAuthor Owner PublishingEditor PublishingAuthor Reviewer AvailabilityOnly LimitedDetails
ReadItems                   Free/Busy Free/Busy w Name & Location

Office 365 - Join Computer to Domain | Azure Active Directory

Do you have an Office365 account for your company domain (ie daknetworks.com) and email? Did you know that you can join your laptop or desktop to the Office365 domain?

The typical access for Office365 is here:

There is also another portal to manage your Office365 domain:


Once here, you are welcomed with so many services it is hard to keep them straight. What we are interested in is Azure-Active-Directory. Once you click on Azure-Active-Directory, you will see more options. Let's cover the basics.


Clicking on USERS will show you the users in your company. These naturally mirror the email accounts as you can't have an email account without having an Azure-Active-Directory account. But that might not be obvious if this is new to you.


Click on GROUPS is similar.


DEVICES will show all the DEVICES that is REGISTERED or JOINED. What's the difference?

REGISTERED is allowing the company to control the device. This is what happens with your iPhone (because who in their right mind would use Android). When you add your Office365 company email address to the phone, the company can control your iPhone. You might not know that. But it is nonetheless true. They can take the email account off the phone without your permission or they can wipe your entire iPhone without your permission.

The same is true for Windows 10 laptops/desktops. If you add your Office365 company email address to Outlook, the company can control your computer is some ways. Just like your iPhone, your computer is still accessible by you with the password that you setup when you brought the computer home from the store or received in the mail/ups/fedex/amazon package. But your company can control some of the items on your computer.

JOINED is what we think of in a traditional computer setup for a small company with an on-site server. When a computer is JOINED, any user in the company can login to that computer without having to setup the password locally. All the usernames/passwords are kept on a centrally located "invitation list."


 So how do you do that?

  • -click ACCESS-WORK-OR-SCHOOL (on the left-hand side).
  • -click CONNECT.
  • -type in your email-address.
  • -click NEXT.
  • -type in your email-password.
  • -click SIGN-IN > JOIN > DONE.


There's a part here where if we continue, it will want to change your password to a PIN. Let's get around this.

  • -click START > RUN.
  • -type: gpedit.msc
  • -click Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business (on the left-hand side).
  • -click Use Windows Hello for Business (in the middle).
  • -click DISABLED.
  • -click OK
  • -restart your computer to make sure it survives reboot.


At the login screen,

  • -click OTHER-USER (at the bottom-left).
  • -type in your email-address.
  • -type in your email-password.

Once you do a whole new world begins. Now you can use your email-address and email-password to access the computer. You might notice that it automatically has your name from your email address. This is some the power of JOINING to an Azure-Active-Directory.

Note that when you do this, the process creates a new user on the computer so your DESKTOP, DOCUMENTS, PHOTOS, VIDEOS will all be reset to a fresh set. Any items you might have had are still in the other username and password. This can be manually transferred from the other account if needed.


I could go on and on about the benefits of this:

  1. this computer now shows in Azure-Active-Directory > DEVICES section.
  2. if you open EDGE, go to https://portal.office.com you are automatically logged in and can download and install the software.
  3. if you open OUTLOOK, your account is automatically found and setup

In addition, I could go on and on about the number of misleading videos and long-winded documents I had to travel to get this far. Here are some of them:






Exchange 2013 Room Lists

Exchange 2013 Room Lists exist.

To get a list of all the room resources:

get-mailbox |? {$_.resourcetype -eq "room"}

Just as mailboxes can be part of a group/distribution-group, the room resources can be part of a group/distribution-group. These are groups do not show in the ECP.

To get a list of all the roomlist groups:

get-DistributionGroup |? {$_.recipienttypedetails -eq "roomlist"}

To create a new roomlist group:

New-DistributionGroup conference-rooms-foo -RoomList

To add a member to the roomlist group:

Add-DistributionGroupMember conference-rooms-foo -Member foomember1

To get a list of all the members of a roomlist group:

get-DistributionGroupMember conference-rooms-foo

SPF Records

For some reason, we have never done an article on SPF records. Here are some notes concerning SPF.

Here are our current records:

v=spf1 a mx ip4: include:_spf.freshbooks.com -all

A is for the A record

MX is for the MX record

ip4 is for a dedicated ip address.

include is for including an outside system. In this case Freshbooks which handles our billing for us.

Since A, MX and IP are all the same, only one is needed. We changed it to this:

v=spf1 mx a include:_spf.freshbooks.com -all

FileMaker Server Install Certificate

Client has a FileMaker Server installed at a datacenter. They need the certificate installed and working.

Generate a CSR

  • -click CREATE-REQUEST.
  • -create a password by typing it in.
  • -when you do, a CSR file (certificate request) and a PRIVATE-KEY will be generated.
  • -the files are automatically kept here: C:\Program Files\FileMaker\FileMaker Server\CStore
  • -the CRS is called ServerRequest.pem
  • -this is just a text file. Open the file with NOTEPAD or TEXTEDIT or EDITPAD or NOTEPAD++ (not WORD).

Create a Signed Certificate

  • -take the contents of the CSR and give them to your SSL provider (GoDaddy, RapidSSL, Comodo, etc).
  • -once submitted, that will generate a signed certificate.
  • -it will also give you an intermediary certificate or chain certificate.

Gathering All the Certificates

  • -create a folder on the desktop of the FileMaker Server.
  • -create a new text file in the folder.
  • -copy the contents of the signed certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file.
  • -rename the file your.filemaker.domain.tld.crt
  • -create another new text file in the folder.
  • -copy the contents of the SHA-1 Root certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file.
  • -copy the contents of the intermediary certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file directly under the root certificate.
  • -so the file should look like this:




  • -rename the file chain.crt
  • -copy the file C:\Program Files\FileMaker\FileMaker Server\CStore\serverKey.pem to this folder as well.
  • -so the folder has 3 files:
    • 1-your.filemaker.domain.tld.crt
    • 2-chain.crt
    • 3-serverKey.pem

Install the Certificate on FileMaker Server

  • -for SIGNED-CERTIFICATE choose the file your.filemaker.domain.tld.crt
  • -for PRIVATE-KEY choose the file serverKey.pem
  • -for INTERMEDIATE-CERTIFICATE choose the file chain.crt
  • -for password, type in the password create during the CRS in the first step.
  • -click IMPORT.
  • -restart the service (or restart the server).

That should do it! You're awesome! You now have a green lock in the FileMaker Pro clients running around the country and everyone is happy.

Test the certificate: echo GET | openssl s_client -connect yourwebnameserver.tld:5003


What makes this difficult is the terminology and the different certificate types and extensions (crt, cer, pem, p7s, etc). Naturally, I think most people try to use CER files by mistake.

Also the Intermediate certificate is a pain since sometime it is needed but not provided. When it is provided, they expect you to know what to do with it.

Lastly, sometimes they provide 2 Intermediate certificate along with their root-certificates and they expect you to know which one to use. Hint, use SHA-1-root with FM Server v16.

Here are the intermediate certificates for RAPIDSSL:


  • -find ROOT
  • -click DOWNLOAD
  • -it will show the root-certficate.
  • -put this at the top of the chain.crt (which has nothing other than this pasted text).
  • -click DOWNLOAD
  • -it will show the intermediate-certficate.
  • -put this in the same file but under the root certificate.
  • -save the file as chain.crt

Windows Couldn't Connect To The User Profile Service Service (aka All Your User Profile Are Belong To Us)

Windows Couldn't Connect To The User Profile Service Service (aka All Your User Profile Are Belong To Us)



This happens after an upgrade to v1803 or to v1809 or to v1903.



get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties homedrive, homedirectory, scriptpath |ft name, homedrive, homedirectory

This will output:

name            homedrive homedirectory
----               ---------      -------------
Foo User     Z                \\server\users$\foo.user

You will see above the HOMEDRIVE is something like a capital letter. In this case: "Z"

This needs to be set as: "Z:"

In other words, it is missing the colon ":"

To implement, first get the usernames in the OU needing serviced:

$usernames = (get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties samaccountname |foreach { $_.samaccountname })

Now set the correct HOMEDRIVE value:
foreach ($username in $usernames) {set-aduser $username -homedrive Z:}


This happens because the HOMEDRIVE value is set incorrectly for the update script.

There is some sort of script that is trying to move the profile (Desktop, Documents, Favorites, Pictures, Photos, Videos) to OneDrive. The script errors when the HOMEDRIVE doesn't have the colon.

WSUS - Force System to Check for Windows Updates

Windows Service Update Service (WSUS) is groaned by many administrators. What should be a drop-dead-easy process is overly complicated and difficult to manage.

Everything should "just work." But it doesn't.

On 80% of the systems, the ones left on all the time, the success rate is high. The updates download and install on schedule as per the Group Policy (GPO).

On 20% of the systems, the laptops not left on all the time or away from the office, the success rate is mixed. Sometimes the downloads update, sometimes not. Sometimes the downloads install. Sometimes not.

Invariably, throughout the course of a deployment, a handful of laptops and tablets start to lag behind. They refuse to download and install the updates for whatever reason.

This necessitates the ability to force the client system to download and update.


To force them to update and install used to be:

wuauclt /detectnow
wuauclt /updatenow

Or you could use the switches together:

wuauclt /detectnow /updatenow


Now with Windows 10, wuauclt is no longer working. But the completely undocumented USOCLIENT can be used to do the same:

USOClient StartScan
USOClient StartDownload
USOClient StartInstall
USOclient Refreshsettings
USOclient StartInteractiveScan
USOClient RestartDevice
USOClient ScanInstallWait
USOclient ResumeUpdate

I’ve used the following command to get remote systems to update with success:
USOclient ScanInstallWait
USOclient StartInstall

Few notes:

  1. there is no slash.
  2. there is no documentation on the command.
  3. there is no output or feedback from the command.
  4. this command replaces: wuauclt


Or you can use powershell. This is not built-in so a module will have to be installed.

Install-Module PSWindowsUpdate


I cannot figure out why the whole process isn't easier, why there is not another way or why this is undocumented.

All Enabled Accounts on Exchange Sorted by Last Name

Them: Can you give us a list of All Enabled Accounts on Exchange Sorted by Last Name?

Me: Sure.

The problem becomes this is trickier than it seems.

There are 3 commands that are helpful:

get-mailbox: a list of all the mailboxes, including SHARED, RESOURCE, EQUIPMENT, ROOM but not including contacts, mailuser, distributiongroup, etc. Disabled accounts are included. There is no disabled/enabled property.
Use the following to see what it shows and the number of items:

Get-Mailbox |Group-Object RecipientTypeDetails |Select name,count

get-recipient: a list of all recipients including mailboxes, contacts, mailuser, distributiongroup, etc. Basically, any type of existing Exchange Online recipient.
Use the following to see what it shows and the number of items:

Get-recipient |Group-Object RecipientTypeDetails |Select name,count

get-user: get the USER objects from Active Directory, including the users without mailboxes and disabled users.
Use the following to see what it shows and the number of items:

Get-user |Group-Object RecipientTypeDetails |Select name,count

Knowing the above, we can put together a command that lists out all the USERS from AD that is enabled:

Get-User -RecipientTypeDetails UserMailbox -sortby lastname |where {$_.UserAccountControl -notlike “*AccountDisabled*”} |Select samaccountname

Find What Groups a User In AD is a Member Of

Find What Groups a User In AD is a Member Of

Here is how for one person:

get-aduser foo.user -properties MemberOf |Select -ExpandProperty memberof

or use the newer command:

Get-ADPrincipalGroupMembership foo.user | select name

or use the older command-line:

net user foo.user /domain

Here is how for a group in an OU:

get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select -ExpandProperty memberof

or you need just the Name and MemberOf:

get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select samaccountname,memberof

And if you need to put the whole thing together:

get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-name,dc=com" -properties Memberof |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}} |ft -wrap

Or if you need just the accounts that are more than the "Domain Users" group:

get-ADuser -Filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties Memberof |where memberof -ne "Domain Users" |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}

But maybe miss off the Guest account:

get-ADuser -Filter * -searchbase "ou=Disabled Users,dc=foodomain,dc=tld" -properties Memberof |where {($_.memberof -ne "Domain Users") -and ($_.samaccountname -ne "Guest")} |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}

And to take this one step further, if you need to remove the user from all the account's groups, then:

Get-ADUser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -Properties MemberOf |where {($_.memberof -ne "Domain Users") -and ($_.samaccountname -ne "Guest")} |ForEach-Object{$_.MemberOf |Remove-ADGroupMember -Members $_.DistinguishedName -Confirm:$false}


Windows Could Not Complete The Installation

Windows Could Not Complete The Installation


Here's how to fix.

  • -hold SHIFT and press F10.
    (a command prompt shows)
  • -type: oobe
  • -hit ENTER key.
  • -type: msoobe
  • -hit ENTER key.
  • -wait for around 5 minutes.
  • -restart the computer and it should work.

If not then do the following:

  • -press the power button on the computer for around 5 seconds. The system will shut off.
  • -press the power button on the computer the system will turn on.
  • - this needs to happen 3 times until a message that says “Preparing Automatic Repair“.
  • -click TROUBLESHOOT.
  • -click RESET THIS PC.
  • -click KEEP MY FILES.
  • -it will ask for an ADMINISTRATOR username & password.
  • -click CONTINUE.
  • -wait for around 5 minutes.
    (RESET THIS PC screen will show)
  • -click CANCEL.
  • -click CONTINUE.

 If that doesn't work, you can download an iso/usb and repair the installation.

Blinking Back Screen After 1809 | Explorer Crashing After 1809 | Blinking Black Screen After Windows Update

Blinking Back Screen After 1809 | Explorer Crashing After 1809 | Blinking Black Screen After Windows Update. Note that this is NOT a driver issue and this is NOT flickering.


This took awhile but in my case of a corporate environment, the AD Account being used had a HOMEFOLDER setup to a network share (homedrive & homedirectory). Changing this account to use the LOCALPATH instead of the NETWORKPATH seemed to have resolved this.

On the AD server:

  • -open powershell
  • -type: set-aduser foo.user -clear homedrive, homedirectory

On client system:

  • -login with AD account.


  • -to get the values, type: get-aduser foo.user -properties homedrive, homedirectory
  • -to clear the values, type: set-aduser foo.user -clear homedrive, homedirectory
  • -to set the values, type: set-aduser foo-user -homedrive Z -homedirectory \\<server-name>\users$\foo.user
    (ie: set-aduser foo-user -homedrive Z -homedirectory \\server\users$\foo.user)
  • -to get the values being used on a system, start command-prompt or powershell and type: set

Exchange 2013 Inherited Permission for Every Mailbox

Recently I found out that my individual account was given FULLACCESS permission on every mailbox in Exchange. What was strange was that the permissions were INHERITED and had a DENY=TRUE on them.

How in the world did that happen? Also, how do I fix it?

I traced it back to permissions in AD on the Exchange Service:

dsacls "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld"

Also it was here:

dsacls "CN=COMPANY-NAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld"

So it must have happened durning an Exchange CU upgrade. More specifically during the Prepare Active Directory schema:
setup.exe /PrepareSchema
setup.exe /PrepareAD

To remove:
dsacls "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld" /R DOMAIN\Account


  • -rigth-click > PROPERTIES
  • -click SECURITY tab (at the top).

If needed, you can look further down:


  • -right-click > PROPERTIES
  • -click SECURITY tab (at the top).
  • -click ADVANCED

Look for the account and it will show where the inheritance is coming from.

Asterisk Debugging

Turn on the debug log:

  • vi /etc/asterisk/logger.conf

Uncomment or add a line for debugging:

  • debug => notice,warning,error,verbose,debug
    debug => debug

Start the Asterisk command line:

  • asterisk -rvvvvv
    (this is showing verbose at level 5)

Set the debug level to 5:

  • core set debug 5

Turn off debug for interoffice exchange (iax):

  • iax2 set debug off

Reload the logger and rotate the log:

  • module reload logger
  • logger rotate

Perform the action such as make a call. There is going to be a ton of logs in a few minutes so use cautiously. When do with the action, turn the debug log off or set to low-level:

  • asterisk -rvvvvv
  • core set debug 0
  • module reload logger

Look at the debug file:

  • cat /var/log/asterisk/debug

Don't forget to comment out the debug in the:

  • vi /etc/asterisk/logger.conf

If you need to look at all the phone sets that are connected:

Start asterisk:

  • asterisk -rvvvvv
  • sip show peers

Or if you need just one:

  • sip show peer 04167F120093

After you make changes to the sip.conf, you can reload the changes by:

  • asterisk -rvvvvv
  • sip reload

If you need to debug sip, here's how:

  • asterisk -rvvvvv
  • sip set debug on
  • sip set debug off

If you need to debug rtp, here's how:

  • asterisk -rvvvvv
  • rtp set debug on
  • rtp set debug off



Windows 10 WIFI Won't Turn On on Toshiba

Here's how to fix:

It should be the button above the keyboard.

Or it should be the FN + F8.

But if neither of those work then try the following:

C:\Program Files\TOSHIBA\TBS\TBSWireless.exe

Ping Results are Different Than NSLOOKUP

We are on a large network with multiple subnets.

Our client device it called: COMPUTER-26

If you ping COMPUTER-26, you get:

If you NSLOOKUP COMPUTER-26, you get:

What gives?


Well it all starts with the dns-record. The client computer owns the dns-record, not the dns server. That is kinda strange in my thinking but so be it.

Since the client computer owns the record, the client computer need to register the dns record with the dns server. This should happen automatically in the dhcp but if you need to register the dns-record manually, you can do the following on the client-computer:

ipconfig /registerdns


Great. Now when you NSLOOKUP a record from a second computer, it should return the correct result as per the client-computer.

nslookup computer-26


When you PING a device, it goes through several steps to find the device. The steps are as follows:

  1. checks if the host name is the same as the local host name.
  2. searches the DNS client resolver cache.
  3. sends DNS Name Query Request messages to its configured DNS servers.
  4. converts the host name to a NetBIOS name and checks its local NetBIOS name cache.
  5. contacts WINS servers.
  6. broadcasts NetBIOS Name Query Request messages on the directly attached subnet.
  7. searches the local Lmhosts file.

So if it finds the name in the local cache file, it doesn't go any further. This is why the results are different.

If you need to manually update the cache, you can:

ipconfig /flushdns

Now do an NSLOOKUP to get the newest results from DNS.

nslookup computer-26

Now when you PING, the correct result will show:

ping computer-26


This usually happens when the DNS records are changing on the DHCP server. The new record the client computer has might not register in the DNS server. Or if they do register, there are 2 records in the DNS server from the same computer.

This happens when the records are not being scavenged correctly. The scavenge time is longer then the DHCP lease time.

Here is a linear scenario:

  • -the lease time is 1-day in DHCP.
  • -the scavenge time is set for 4-days in DNS.
  • -on the second day, the record is renewed with another address.
  • -that new record is registered in the DNS server.
  • -now the DNS server has 2 records with the same name.
  • -the first record is not scavenged because the time to do so is still 3 days away.
  • -when pinging the system by name, the first record returns the incorrect address.
  • -this happens because the first record has not gone stale.


Follow the DNS scavenging settings here: http://www.daknetworks.com/blog/433-dns-scavenging

WinSxS is Huge

Here's how to fix:


  • -cleanmgr.exe /verylowdisk /autoclean


  • -Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase

Google Chrome v69 Flash Settings | Chrome ADMX to Apply GPO

Google Chrome has removed Flash-allowed-on-specified-websites from v69.

You can still manually set to Flash-allows-on-specified-website by:

  • -open Chrome.
  • -type: chrome://flags/#enable-ephemeral-flash-permission
  • -press ENTER key.
    (the setting shows)
  • -set to: DISABLED

You should now be able to set certain web sites to allow Flash without asking.

 Across Entire Location

But what if you want to run this on several hundreds/thousands of comptuers?

Thankfully, the Google crew has Group Policy Administrative Templates that can be installed on a GP server.

Now set the GPO:

  • -right-click to create new GPO.
  • -click "Default Flash setting"
  • -click ENABLED.
  • -select CLICK-TO-PLAY.
  • -click OK.

Now set another GPO to allow certain web sites:

  • -right-click to create new GPO.
  • -click "Allow the Flash plugin on these sites"
  • -click ENABLED.
  • -click SHOW.
  • -type: [*.]foo.tld
  • -click OK.

This will force Chrome to use these settings and the user cannot change/delete/add to them.


  • adm files are older.
  • admx files are newer.
  • adml files are xml translation/localization files.

Block iPhone from Exchange Account | Data Wipe iPhone via Exchange

Here's how to get the details of any connections to an Exchange mailbox:

Get-MobileDeviceStatistics -mailbox foo.user |select deviceuseragent,lastsuccesssync,deviceid

Data Wipe an iPhone that has an Exchange account on it:

Clear-MobileDevice foo.user

Get-MobileDevice -mailbox foo.user |Clear-MobileDevice

If you need to cancel the wipe:

Get-MobileDevice -mailbox foo.user |Clear-MobileDevice -cancel

If you need to simply remove the relationship:

Get-MobileDevice -mailbox foo.user |Remove-MobileDevice



get-help mobile

get-help get-mobiledevice

get-help Get-MobileDeviceStatistics -full

get-help clear-mobiledevice -full

get-help remove-mobiledevice -full

Renesas Electronics USB 3.0 Not Working in Windows 10


Windows 10 64-bit. Can't get the Renesas Electronics USB 3.0 to work on a Toshiba Satellite P755. Here's how to get it working:

You will see it go through an update. Afterwards, simply reboot the laptop and it should be good to go.

Payflow TLS 1.2

I had a bunch of notes, but it has been awhile and so some of it is lost I wanted to capture as much as I could.

Basically, Paypal Payflow will only speak TLS 1.2. This is a very good since the security protocol has been around for about 10 years or so.

The protocols listed here are all old:

  • SSL 2.0
  • SSL 3.0
  • TLS 1.0

Of course, TLS 1.2 is the one that is new and should be used.


Now, IIS can both communicate TO something as a SERVER as you would expect. But it can also communicate FROM something as a CLIENT.

This is what happens when interfacing with PAYPAL-PAYFLOW.

Here is the REGEDIT for the security protocols BEFORE the change:


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]


And here is the REGEDIT for the security protocol AFTER the change:


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]


As you can see, we disabled all the old protocols and only enabled TLS 1.2.

After this REGEDIT is complete, the change is immediate. Nothing is needed to be restarted except for COLDFUSION-APPLICATION-SERVICE, if you have it.

ColdFusion Java

ColdFusion might need JAVA to be updated. If so, the files might be here:



DFARS regulations are here:

With the PDF being here:

With the NIST SP 800-53 database here:

 The STIGS are here:

DISA is here:

Although the use of the principles and guidelines in these SRGs/STIGs provide an environment that contributes to the security requirements of DoD systems, applicable NIST SP 800-53 cybersecurity controls need to be applied to all systems and architectures based on the Committee on National Security Systems (CNSS) Instruction (CNSSI) 1253.

Typically, questions revolve around the following:

NIST SP 800-171

FAR 52.204-21: http://farsite.hill.af.mil/reghtml/regs/far2afmcfars/fardfars/far/52_000.htm#P901_130612

DFARS 252.204-7012: http://farsite.hill.af.mil/reghtml/regs/far2afmcfars/fardfars/dfars/dfars252_000.htm#P962_54607

Parallels Activate License

Parallels Activate License

  • -type: prlsrvctl activate-license-online

Parallels Deactivate License:

  • -type: prlsrvctl deactivate-license

Dell Precision 7720 Graphics

Discrete Graphics / Switchable Graphics

It can be confusing as there are many variables here with different definitions. By default, the Precision 7720 has both an Intel onboard graphics chip and an added graphics chip (Nvidia/AMD; aka discrete-graphics). By default, the onboard chip is on as the primary graphics. This is true when using the laptop monitor, when a docking station is used and when a monitor is plugged directly into the laptop’s DisplayPort, HDMI connectors, and Thunderbolt/MiniHDMI port.

Dell calls this switchable-graphics. Disabling this must be done in the bios. If you have switchable graphics disabled, the onboard Intel GPU is not used.

With the "Discrete graphics controller direct output mode" or “Graphics Special Mode”, the external ports (DisplayPorts, HDMI connectors and Thunderbolt/MiniHDMI port) will be driven by the GPU directly.

Click here to see:


In short:

  • -enter bios
  • -disable switchable-graphics.
  • -enable special-graphics mode.
  • -enable dock-display-port

Dell Dock

To make it more confusing, the WD15 dock with 130W adapter is not powerful enough for a Precision 7720 with discrete-graphics. A 180W adapter is needed with the WD15 or if you are using a TB16, you would need a 240W adapter.

Lastly, there are special drivers/firmware that are needed to make the USB-c supply the correct power. The following must be updated:

  • -Thunderbolt Controller Driver
  • -Thunderbolt 3 Firmware Update
  • -ASMedia USB 3.0 Extended Host Controller Driver for Dell Thunderbolt Dock
  • -RealTek USB GBE Ethernet Controller Driver for Dell Thunderbolt Dock
  • -RealTek USB Audio Driver for Dell Thunderbolt Dock

Click here to see:


Share From Windows 10 Ricoh Savin

For my own notes, there are a few steps here.

1- create scans user & add to administrators group

net user scans /add

net localgroup administrators scans /add

2- turn on older sharing protocol

dism /online /enable-feature /featurename:smb1protocol

3- create folder

mkdir c:\scans

4- share folder & grant share-permissions

net share scans=c:\scans /grant:everyone,FULL /grant:administrators,FULL

5- grant ntfs-permissions

icacls c:\scans /grant scans:f /t /grant administrators:f /t



1- create a user called scans and give it administrator permissions

2- turn on the smb1 through the appwiz.cpl

3- create a scans folder at c:\scans

4- share the folder & grant scans user read/write

5- the ntfs permissions should be automatically set.
(youraccount, system, scans, administrators)


You can check your work by seeing the users on the system:

net user

You can see the details of the scans user to see group membership:

net user scans

You can check to see the share & share-permissions:

net share scans

You can check to see the ntfs-permissions:

icacls c:\scans


Sometimes it works after I:

  • -turn off smb1: dism /online /disable-feature /featurename:smb1protocol
  • -turn on smb1: dism /online /enable-feature /featurename:smb1protocol
  • -reboot: shutdown -r -t 3

Outlook 2016 Search Not Working

There are many problem with Outlook 2016 not working. Here's a fix for some:

  • -open Outlook
  • -go to “File” > “Options” > “Search” > “Indexing Options” > “Modify”
  • -uncheck “Microsoft Outlook“.
  • -click “Close”
  • -close OUTLOOK.
  • -navigate to the folder where the OST file lives (“C:\Users\username\AppData\Local\Microsoft\Outlook“).
  • -right-click a highlighted file
  • -click “Properties“.
  • -click “Advanced"
  • -checkmark “Allow this file to have contents indexed in addition to file properties” option if it isn’t checked already.
  • -click “OK“
  • -open Outlook
  • -go to “File” > “Options” > “Search” > “Indexing Options” > “Modify”
  • -recheck “Microsoft Outlook“
  • -click “Close”

SQL Server 2017 High CPU

Have a client with Windows SQL Express 2017. Every once in a while the thing goes awol, tops out the CPU and is slow to respond. This happens for a few hours then it settles down and doesn't happen for another four months or so. They are asking me why.

I'll tell you... I have no idea. They claim something is wrong with the server... I think a sql query is zombied and gone awry.

Here are my notes for the future...


As for some diagnostics, this says it better than I can:



  • -click FILE.
  • -go to: C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Policies\DatabaseEngine\1033
  • -select all the files.
  • -click EVALUATE.

Multiple Instances

There might be multiple sql server versions running. Or instances running. We left the 2014 as a failsafe in case something went wrong with 2017, since we didn't know how it would react.

Upgrade Away from Sql 2014:

I still think there's a serious bug in 2014 that everyone's ignoring. Since sql-2016 and sql-2017 released, there's no reason to fix bug per se. As a fix, simply upgrade, kill off 2014 and move on.

You are probably fine with 2017 and are at a place where we can remove sql-2014.

Remove Any Unused Sql instance:

Or perhaps there's some type of process in the othe sql-instance that is set to run. If you are not using the other Sql instance, it is probably best to remove it so you can narrow down the number of variables.


Ram-memory is meant to be used. That's what it is for. So if it is at 100% there's no need to be alarmed. In a traditional physical system, once the ram-memory is used up, the cpu will access the hard drive as virtual-memory/swap-space.

In a virtual system, such as this system, more ram-memory is dynamically added as the system needs it. This is referred to as hot-add ram. And it will keep a 20% buffer.

While this is supported by the operating system of the database server (Windows Server 2012 Standard), what I'm finding out is that SQL-Express (and the SQL-Standard version btw) is unable to hot-add ram. As shown here (Hot add memory):

Also, looking at the link above, it shows that SQL-Express has a max buffer pool/buffer-cache of 1410MB, so hot-adding ram wouldn't help.

Looking into the db, this is exactly what it is using now:

1429700 kb physical_memory_in_use

This system is set to start with 4GB of ram-memory. Adding the 1410MB memory from above will put the usage around 5400MB. Adding 20% buffer will assign 6480MB. Here is the recent screenshot of memory assignment looking similar to our calculations:

All of this to say that you can double the startup Ram to 8GB. According to the datapoints, this is overkill and unnecessary but you have the memory so we might as well try it.

If those 3 items don't work then perhaps we can get away with using the Developer version of sql on the system which doesn't have the limitations.

Bad Query

Lastly, if the CPU load is at 100% then something is topping it out. A bad query is going to consume all resources available no matter how much you have. Adding more resources to compensate for a bad query is a bad idea.


vmware tools on Centos 6.9 / SME 9

vmware-tools are here:


This means the Centos packages are here:


It seems like these packages should work. Maybe there is something that I am missing but vmware-tools can be a pain. This says it better than I can:


For me, here's how I did it:

-open bash shell

-type (or copy/paste):

/sbin/e-smith/db yum_repositories set epel repository \
Name 'Epel - EL6' \
BaseURL 'http://download.fedoraproject.org/pub/epel/6/$basearch' \
MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=$basearch' \
EnableGroups no \
GPGCheck yes \
GPGKey http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL \
Exclude perl-Razor-Agent \
Visible no \
status disabled

-type: signal-event yum-modify

-type: yum --enablerepo=* install open-vm-tools

-Voila! I get the following:


-don't forget to start them by typing: /etc/init.d/vmtoolsd start


mkdir /mnt/cdrom

/dev/cdrom /mnt/cdrom

Hyper-V P2V Missing Operating System

I used Disk2VHD to create a P2V. Then I started Hyper-V and created a new VM. Upon startup I got, "Missing Operating System."

Here's how to fix:

-connect Windows 10 iso (or a Windows repair disk).
-press any-key to boot via iso.
-wait for windows 10 to show (it could take a minute).
-select Windows 10.
-select your language.
-click NEXT.
-select REPAIR YOUR COMPUTER (bottom left).
-click NO (for automatic repair).
-click NEXT (at bottom right).
-type: bootrec /scanos.
(If it isn't already there, it should find the WINDOWS installation and ask if you want to add it.)
-type: Y

Now, at this point, if you try to do some work in bootrec (rebuildbcd), you will get a message, ""the volume does not contain a recognized file system."

-type: Diskpart
-type: LIST DISK
-type: SELECT DISK 0 (change this to the number of the disk . most likely 0)
-type: SELECT PARTITION 3 (change this to your partition number. most likely 3)
(it will show the details of the partition. We're trying to find the partition with the windows installation.)
-if you found it, it will probably say ACTIVE: NO
-type: ACTIVE
-type: EXIT

-type: bootrec /fixmbr (needed?)
-type: bootrec /fixboot (needed?)
-type: bootrec /rebuildbcd
-type: exit
-click RESTART

-boot from the iso one more time.

It should find the Windows 10 installation and fix itself.


This is the same set of instructions for this article: http://www.daknetworks.com/blog/221-clone-macbook-pro-hard-drive-with-boot-camp

Outlook 2016 | Exchange 2013: The signature is too big. Please try a smaller format.

When a person goes to OWA and tries to customize the signature, they get a message that the signature is too big.

  • -go to EMS:
  • -type: Get-MailboxMessageConfiguration foo.user

You will see the SignatureHtml. Most likely, there will be inline css styles in the signature pushing the character limit.

Or the DefaultFontSize is greater than what is acceptable. The following should clear the clear the signature-text and the signature-html. Then have the account try again to set the signature:

  • -type: Set-MailboxMessageConfiguration -Identity user -SignatureText $null -DefaultFontSize 7

In-Place Archive Exchange 2013

The archive mailbox is an additional mailbox that's enabled for an account where messages older than 2 years are automatically moved (this can be customized in the retentionpolicy). This keeps the everyday mailbox at a more manageable level and allows for faster indexing and email searches.

Some power users will familiar with archiving in Outlook as they may have crossed this issue in the past. They archive the email older than 2 years into a pst file. That pst file will show as a separate set of folders on the left hand side.

In-Place Archive is very similar. However, where this different is that in-place archive is controlled by the Exchange administrator and does not require user intervention. The Exchange administrator can turn archiving on/off on the fly and control where the archive mailbox lives; this can be placed on the same edb or a different edb.

Here's how to enable archiving:

enable-mailbox foo.user -archive

Here's how to see what accounts have archive enabled:

get-mailbox -Filter {ArchiveState -Eq 'local'}

If you want to get the pertinent details of the archive such as archive database and archivename:

get-mailbox -Filter {ArchiveState -Eq 'local'} |select alias,archivestate,archivedatabase,archivename,retentionpolicy |fl




Federation Trust in Exchange


1-First setup a trust to the Microsoft servers:

  • -login to the EAC.
  • -click ORGANIZATION.
  • -click SHARING.
  • -click ENABLE to add a Federation Trust to the Microsoft servers.
  • -click CLOSE.
  • -click MODIFY.
  • -select the PRIMARY domain.
  • -click OK.
  • -it will return a TXT record.
  • -create a TXT record for this domain on your public DNS server that contains the key. It will look like this:
  • -create a TXT record for this domian on your Private DNS servers in your Active Directory.
  • -wait. This should be around 15 minutes but can take 24 hours.

2-Second, the outside domain must do the same steps above.

3-Third setup an ORGANIZATION-SHARING using the outside domain. It will fail if the domains have not setup the trusts.

  • -checkmark enable calendar free/busy information sharing.

4-Fourth setup an INDIVIDUAL-SHARING policy and set it as the default policy for everyone in the Exchange server.


That should do it; you should now be able to see each others calendars as FREE/BUSY (not details).

To my dismay, this does not update users in the Global Address List (GAL) to include the outside domain. This means that, by default, looking up another person's calendar in the outsidedomain.tld is near impossible. You either have to manually type in all the outsidedomain.tld users into Exchange or use tools to do the sync for you; it is not built into Exchange. Grrrr...


As troubleshooting, you can get the URL by:

  • -hold CONTROL
  • -right-click the OUTLOOK icon (bottom-right).
  • -type in your password.
  • -click TEST.
  • -the AVAILABILITY-SERVICE-URL is the important URL.

Also, in the EMS, you can use the commands:

get-sharingpolicy foo-policy |fl

get-organizationrelationship |fl

get-federationinformation -DomainName outsidedomain.tld

Test-FederationTrust -useridentity mail\inside.foo.user

test-organizationrelationship -useridentity This e-mail address is being protected from spambots. You need JavaScript enabled to view it -identity outsidedomain.tld

As a result of the above test-organizationrelationship troubleshooting command failing, I had to toggle two properties and had to run the following:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $false
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $True

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $false
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $True

Setup Send Connector in Exchange 2013 With Custom Port Number

Setup Send Connector in Exchange 2013 With Custom Port Number

  • -login to ECP.
  • -click MAIL-FLOW (left-hand side).
  • -click SEND-CONNECTORS (top)
  • -click the "+" symbol.
  • -name it anything you want. Let's say "foo-send-connector".
  • -bullet CUSTOM.
  • -click NEXT.
  • -click the "+" symbol.
  • -type in the IP ADDRESS of the server you want to deliver the mail to.
  • -click SAVE.
  • -click NEXT.
  • -click NEXT.
  • -click the "+" symbol.
  • -type in the domain name that will be used for this sending setup.
    In other words, this setup is only going to be used with a particular domain name; contoso.com. In another way, when sending to contoso.com use the following custom smtp route instead of the normal smtp route.
  • -click the "+" symbol.
  • -select the server that this will apply to.
    Small setups will probably only have 1 server.
  • -click FINISH.

Now this will work. But it is setup on the default port 25. This is standard. But what if you want a non-standard port. Let's say because the SAP setup is out of your control.

-start the EMS.

-type: Get-SendConnector |fl
This will allow you to see the complete Send Connector setup in the steps above. You will notice the Port number is in the setup.

-type: Set-SendConnector -identity "foo-send-connector" -Port:587

Ricoh Windows 10 1803

This article says it better than I can on how to setup a Ricoh Printer with Windows 10 v1803.

WordPress Multiple Category Search

Where do I start? Forgot my rant on how the world operates and has chosen WordPress over so many other better CMS's...

Have an array in an URL like this: &foo=1,2,3,4

Take that array and search for all of them.

The OPERATOR => IN, is the includes.

Basically, we are trying to get a %like% sql statement.

        if (isset($_GET['area']) && !empty($_GET['area']) && $_GET['area'] != 'all') {
            $propareaArray = explode(",", $_GET["area"]);
            $tax_query[] = array(
                'taxonomy' => 'property_area',
                'field' => 'slug',
                //'terms' => $_GET['area'],
                //'terms' => array($proparea[0],$proparea[1]),
                'terms' => array_values($propareaArray),
                'operator' => 'IN'



Don't ask me why 'EXISTS' doesn't work. I think it should. If it did, I wouldn't have to go through this.

Manage Printers In Windows 10

So, I'm late to the game on this one: printmanagement.msc

Shared Mailbox Won't Disconnect From Outlook


You are an administrator of an Exchange system. Through the ECP, you add yourself FULL-ACCESS to another mailbox account. The account naturally shows in your Outlook. You are finished with the account and no longer need access to it. Again, through the ECP, you remove yourself FULL-ACCESS. The account still shows in your Outlook. What gives?

 You might be tempted to remove the FULL-ACCESS through the EMS with the following:

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

But that yields:

WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, ControlType: Allow]  and was ignored on object "CN=where,OU=ever,OU=city,OU=Users,DC=domain,DC=tld".


The mailbox is inheriting FullAccess permissions and has explicit FullAccess permissions. So when you removed the explicit FullAccess permissions, it won't have any effect unless a Deny permission is added. The problem is that Exchange doesn't tell you it is doing this.


To fix this, simply clear the Deny permission:

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess -Deny


I've must have run into this before as I already have this post: http://www.daknetworks.com/blog/404-remove-mailbox-permissions-that-are-not-inherited

ColdFusion Access

The access page for ColdFusion:

If needed, you can remove the USERNAME & PASSWORD by editing:

  • -find: admin.security.enabled variable tag.
  • -change 'true' to 'false'
  • -restart the ColdFusion application server.

Once you access the CFIDE, you can change the email settings there and test them as you save the settings.

Any undelivered emails will show in:

You simply drop them back into the spool directory and ColdFusion will send them:

SuperMicro IKVM | Remote Console

So the IKVM/Remote-Console doesn't work with Java 8 (aka jre1.8.0_171). Apparently, this is because starting with JAVA-8 any JAR signed with an MD5 hash will no longer be considered trusted. There are instructions to workaround the new JAVA limits but why bother.



If you can connect to the SUPERMICRO server, when you try to launch the CONSOLE-REDIRECT, it will download a LAUNCH.JNLP file.

  • -open the LAUNCH.JNLP file with NOTEPAD.
  • -at the bottom, it will have all the parameters neededd.


  • -to run, type: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.jar" IP-ADDRESS USERNAME PASSWORD PORT
  • (ie: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.jar" ADMIN PASSWORD null 5900 623 0 0)
  • -or type: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.exe" IP-ADDRESS USERNAME PASSWORD PORT

Cloning Disks

Cloning disk can be in many ways. A following is a list of some of the ways:

Move Wordpress Subdomain

Creating a new web site in WordPress. Doing so, I create the web site at a subdomain such as: new.foowebsite.tld

After the web site is up to client standards, we change the dns at the name servers.

Now we have little squares where pictures once were. The pictures are coming from the CSS but only strange characters show.

Here's how to fix.

1- change in the sql database:

-go to myphpadmin

-use the following as a guide. Be sure to change "wp_" with the prefix of your database "fooprefix_".

UPDATE wp_options SET option_value = replace(option_value,'http://old.url.tld','https://www.newurl.tld') WHERE option_name ='home' OR option_name ='siteurl';
UPDATE wp_posts SET guid = replace(guid,'http://old.url.tld','https://www.newurl.tld');
UPDATE wp_posts SET post_content = replace(post_content,'http://old.url.tld','https://www.newurl.tld');
UPDATE wp_postmeta SET meta_value = replace(meta_value,'http://old.url.tld','https://www.newurl.tld');

This can be used to go from http to https as well. Or to go to an entirely different domain name.

2- change in the file names:

But that doesn't change the files. If you are a sysadmin, you can use grep. Also WordPress has some built in functionality if you ssh into the server.

First, test:

wp search-replace 'http://old.url.tld' 'https://www.newurl.com' --dry-run

Then run:

wp search-replace 'http://old.url.tld' 'https://www.newurl.com'

3- check the wp-config.php

Sometimes the site is hardcoded into the wp-config.php file. Check it to make sure it is correct. The hard coded line will typically be the last lines.


-here is the long version: https://codex.wordpress.org/Moving_WordPress

Add New Domain Email Address to All Mailboxes in Exchange 2013

Lets say that your Exchange 2013 has multiple domains from various companies over the years:

  • @company1.tld
  • @company2.tld
  • @company3.tld

Some mailboxes have @company1.tld email addresses but not all mailboxes have @company1.tld email addresses.

A decision has been made that everyone without an @company1.tld email address needs to have one. Or you are staging for a domain change or company merger of some type.

How do you find the mailboxes without @company1.tld and then add an @company1.tld email address without changing the current email address?

Here's how:

Get-Mailbox -Filter {EmailAddresses -notlike "*company1.tld"} |ForEach {set-mailbox $_.samaccountname -EmailAddresses @{Add=$_.samaccountname+"@company1.tld"}}


(Of course, this is provided that your samaccountname/computer-username is the name that you want to use for your email address. Most of the time it is.)

Check your work:

Get-Mailbox -Filter {EmailAddresses -notlike "*company1.tld"} |select emailaddresses

DNS Scavenging

First it is important to note that the dns record is owned by the node or individual computer. The dns record is not owned by the dns server. The dns server only keeps a record of the individual dns records. Kinda strange, right?

What often happens is that the dns record changes on the individual computer but the dns server is not updated. When a query is run against the dns server, the record is incorrect because it was not updated.

Secondly, there are 2 server roles here that work together; DNS and DHCP.

Thirdly, the lease-time should be set to double the refresh-rate.

Let's begin by starting with the DNS server:

  • -right-click on the server-name.
  • -checkmark "Scavenge stale resource records".
  • -set both the no-refresh and the refresh interval to: 2-days
  • -click OK
  • -click "Apply these settings to existing..."
  • -click OK

Great! You are on your way!

Let's move to the the DHCP server:

  • -right-click on each dhcp zone.
  • -click PROPERTIES.
  • -set the dhcp-lease-time to: 4 days
  • -click the DNS tab (at the top).
  • -checkmark "Enable DNS Dynamic Updates..."
  • -bullet "Always Dynamically Update DNS"
  • -checkmark "Discard A and PTR records..."
  • -checkmark "Dynamically Update DNS Records..."

Awesome! Almost finished. Now the second part on the DHCP server. This will allow the DHCP server to update the DNS server:

  • -right-click on IPV4.
  • -click PROPERTIES.
  • -click ADVANCED tab (at the top).
  • -click CREDENTIALS button
  • -type in a USERNAME/DOMAIN/PASSWORD for an administrator account that can update DNS.

Finally, let's move back the DNS server:

  • -right-click on the server-name.
  • -click ADVANCED tab (at the top).
  • -checkmark "Enabled Automatic Scavanging of Stale Records"
  • -set the scavenging interval to: 1-day.

You're done!


If you have more than one DHCP server (for example, mulitple locations):

  • -open AD Users-&-Computers
  • -find the built-in group, DnsUpdateProxy
  • -add the DHCP servers from all locations.

Find User's OU

You know Joel in Sales. But you don't remember Joel's last name (because you've been staring at names all week) and you don't know Joel's OU.

Here's how to find Joel:

get-aduser -filter * |select samaccountname |findstr /i joel

This will bring up all the Joel's in the domain. Hopefully you can narrow it down from here.

Now to find Joel's OU in the details of his record:

get-aduser joel.user

This will show the "distinguishedname" and allow you to narrow down the OU.

If you really want to see this properly in one line, we need to use the "canonicalname" and it would be like this:

get-aduser -filter * -Properties Canonicalname |select samaccountname,canonicalname |fl |findstr /i joel

Dell Bios Upgrade Command Line

Here's how to upgrade the bios for Dell Latitude/Precision laptop if from remote:

  • -download the new bios
  • -cd c:\path-to-the-download
  • -click START > RUN > CMD
  • -type: c:\drivers\bios\Latitude_5X80_Precision_3520_1.9.3.exe /s /r
    "/s" is silent "/r" is reboot
  • "/f" is force if the battery is not present.

And if the battery is not present in the Dell Latitude/Precision laptop:

  • -type: c:\drivers\bios\Latitude_5X80_Precision_3520_1.9.3.exe /forceit
    "/forceit" is force if the battery is not present.

Schedule a Restart with Command Line & Powershell

Usually I schedule a restart with some network tools I have. But in this case, I can remotely access the system via command-line/powershell but my network tools are not working. Probably because it needs a reboot after installing some updates.

Here's how to schedule a reboot with command line/powershell (works in either):

  • -click START > RUN
  • -type: cmd (or type: powershell)
  • -click OK
  • -type: schtasks /create /sc once /tn restart /tr “shutdown -r -f “”restart””” /st 13:00 /RU system
    Where "/st" is the time in 24H clock and "/ru" is necessary to run even if the user is logged in or not.

Core i7 6500u Dell Inpiron 5559

Core i7 6500u Dell Inpiron 5559 should be a good fast processor. The laptop was dreadfully slow. Something had to be wrong.

  • -hit CTRL+ALT_DEL
  • -start TASK-MANAGER
  • -click PERFORMANCE tab
  • -click CPU (on the left-hand side)

You will notice the SPEED to around 0.39GHz. Hmmm... seems like something is throttling the CPU.


BIOS Settings

I tried to fix some Bios Settings:

  • c-states = off
  • intel speedstep = off
  • intel turboboost = off

Same result. Hmmm.... there must be some settings not being shown in the Bios that can be adjusted.


Here's how to fix (as shown in my really edited picture below):

  • -download ThrottleStop
  • 1-click LIMITS (on the right-hand side)
  • 2-this will show you exactly why the throttle is happening. The culprit being BD_PROCHOT.
  • 3-uncheck BD_PROCHOT (on the left-hand side)
  • 4-checkmark DISABLE-TURBO
  • 5-do NOT turn on SPEEDSTEP
  • 5-do NOT turn on SPEED-SHIFT-EPP (if on, it will have a green SST "speed shift technology".)
    (you can change the number next to SPEED-SHIFT and set it to zero, just delete the number and type over it)


You will notice the SPEED to around 2.49GHz and the speed is noticably faster.


Schedul to Auto Start

  • -start TASK-SCHEDULER using the basic scheduler.
  • -open the properties of the task.
  • -start THROTTLESTOP on startup whether someone is logged in or not.
  • -change the user to be SYSTEM.
  • -since THROTTLESTOP doesn't have to stay running, you can close it automatically. Find the THROTTLESTOP.INI file in the THROTTLESTOP directory/folder, open with text editor and change "DCExitTime" to the number of seconds to remain open, say 5 seconds.

Final Thoughts

There are reasons why this is happening. In the end, buy business class hardware (Dell Latitude/Precision; Lenovo ThinkPads, etc) that have more options in the BIOS.

Intel-Adaptive-Thermal-Monitor might be the actual culprit. The issue is that there is no option to turn off in the BIOS.



Exchange Distribution Group Members

Here's how to blank out all members in a distribution group:

Update-DistributionGroupMember foo.group -Members $null

Here's how to update the members in a distribution group:

Update-DistributionGroupMember rochester.hills -Members foo.user1, foo.user2, foo.user3

If you need to add a member to the group:

add-DistributionGroupMember foo.group -member foo.user

If you need to remove a member from the group:

removeDistributionGroupMember foo.group -member foo.user

If you need to adjust the list, do so in Excel, Word, Notepad, etc.

Here's how to add a Dynamic Distribution Group that contains all emails of a certain Organizational Unit (OU) in Active Directory (AD):

New-DynamicDistributionGroup -Name "foo.group.dynamic" -OrganizationalUnit "Foo OU" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox'))}

There's probably a better way to do this.

Here's how to see the members of a Dynamic Distribution Group:

$foovariable = Get-DynamicDistributionGroup foo.dynamic.group
Get-Recipient -RecipientPreviewFilter $foovariable.RecipientFilter -OrganizationalUnit $foovariable.RecipientContainer

Exchange 2013 Distribution Groups Allow Outside Email

First, find the groups you want to change and give us the group email name and the value:

[PS] Get-DistributionGroup |Where {$_.alias -like "verse*"} |select name,RequireSenderAuthenticationEnabled
(where "*" is anything. So *foo is barfoo but not food. And foo* is foobar and food but not barfoo.)

Let at the results and see if these are the groups you want changed.

Next, get the groups and change the value you want changed:

[PS] Get-DistributionGroup |Where {$_.alias -like "verse*"} |Set-DistributionGroup -RequireSenderAuthenticationEnabled $false

Asterisk Interoffice Calling Doesn't Work | IAX2

Three pbx/asterisk servers. MPLS is in place. Two servers can interoffice call through extension number. The third is reachable through the main number but not through extension number. It waits, then says "goodbye" and hangs up.

Looking at the logs when a call is made:

-type: asterisk -rvvvvv
-dial an extension in the other office

[Apr 26 16:52:37] WARNING[5653]: app_dial.c:1523 dial_exec_full: Unable to create channel of type 'IAX2' (cause 20 - Unknown)
  == Everyone is busy/congested at this time (1:0/0/1)
    -- Executing [s@macro-remote-call:11] Goto("Local/P1220@hud-caller-answer-e107;1", "s-CHANUNAVAIL,1") in new stack
    -- Goto (macro-remote-call,s-CHANUNAVAIL,1)
    -- Executing [s-CHANUNAVAIL@macro-remote-call:1] Goto("Local/P1220@hud-caller-answer-e107;1", "s,x-dial") in new stack
    -- Goto (macro-remote-call,s,12)
    -- Executing [s@macro-remote-call:12] Dial("Local/P1220@hud-caller-answer-e107;1", "IAX2/c10325x@c16067x/1524775950.8016-1-3109-external-") in new stack
[Apr 26 16:52:37] WARNING[5653]: app_dial.c:1523 dial_exec_full: Unable to create channel of type 'IAX2' (cause 20 - Unknown)
  == Everyone is busy/congested at this time (1:0/0/1)
    -- Timeout on Local/P1220@hud-caller-answer-e107;1
  == CDR updated on Local/P1220@hud-caller-answer-e107;1
    -- Executing [t@internal:1] BackGround("Local/P1220@hud-caller-answer-e107;1", "vm-goodbye") in new stack


-type: asterisk -R -x 'iax2 show peers'
Name/Username    Host                 Mask             Port          Status
c23013x    (S)  4569          OK (44 ms)
c23013i    (S)  4569          OK (44 ms)
c16067x    (S)  4569          UNREACHABLE
c16067i    (S)  4569          UNREACHABLE
4 iax2 peers [2 online, 2 offline, 0 unmonitored]

This shows that the servers are set to be reached through the local IP addresses in the MPLS. This also shows that the second server is "unreachable."

-there is a file at: /etc/asterisk/iax.conf
-iax is interoffice asterisk exchange

Perhaps what is happening here is that the UDP port binding in the MPLS is maintained by sending traffic through it. The binding expired, and there is no way for Asterisk to communicate with the IAX peer (other-Asterisk).

-go to remote asertisk server that cannot be reached.
-type: asterisk -R -x 'iax2 show peers'
Name/Username    Host                 Mask             Port          Status
c23013x    (S)  4569          UNREACHABLE
c23013i    (S)  4569          UNREACHABLE
c11025x   (S)  4569          UNREACHABLE
c11025i   (S)  4569          UNREACHABLE
4 iax2 peers [0 online, 4 offline, 0 unmonitored]

This shows that the server cannot reach either of the other two servers.

You have 2 options here.

1- Restart the iax service

asterisk -rx "module unload chan_iax2.so"
sleep 90;
asterisk -rx "module load chan_iax2.so"

2- Rebooted the server:

-type: /sbin/shutdown -r +5

-wait for reboot to finish

-type: asterisk -R -x 'iax2 show peers'
Name/Username    Host                 Mask             Port          Status
c23613x    (S)  4569          OK (40 ms)
c23613i    (S)  4569          OK (41 ms)
c11325x   (S)  4569          OK (28 ms)
c11325i   (S)  4569          OK (28 ms)

You can see the peers are reachable again.


Watchguard Partner Announcement

DAK Networks Company is pleased to announce that we are certified to sell/support/maintain WatchGuard firewalls, routers and access points through our relationship with the GigJit Company.

This relationship allows us to provide a total solution to clients as an easy solution for problems that small and medium sized companies deal with on a daily basis.

So no matter if you are IT manager at a medium-sized company, a CEO/President at a small company or a marketing manager at a small to medium sized company, we can help you make sure that your WatchGuard Firewall equipment is installed, subscribed and working correctly.

Contact us today if you need further information.


In 2 separate occasions today, I've come across the following error:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}  and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}

To fix, I followed this:

Also in both cases, the system was a Dell All In One. One was an Dell Inspirion 24" and one was a Dell Optiplex 7440. Both had Intel HD Graphics 530 and both needed the Intel RST updated.

I don't know why just yet but the RST drivers for the systems are not on the Dell Drivers web site. But they are in the Dell Enterprise Wiki:

Everything you need is in the CAB file.

Once again, I urge everyone to purchase Dell business class computers. I've been saying this for 20 years now and it is still the same issue. The business class systems are supported better. It isn't worth saving the money just to have you paying me to fix it for you. There is no savings.


Konica BizHub Error Deletion

Printers are a pain for so many reasons.

This time around, printing to a Konica BizHub would automatically delete the print job with the status "Error Deletion" and the details, "Login Error."

But yet, others could print without hassle. What gives?

Konica BizHub printer options are awesome. There are so many settings it is mind blowing. One of these settings is User-Authentication or User-Auth.

If User-Auth is set to ON (on the physical printer\web settings) and the printer is installed, the driver is set to automatically pickup the settings of the physical-printer. Since the setting is User-Auth = ON (on the physical printer\web settings), the driver picks up that setting and tries to send a username & password. Since there are no usernames & passwords setup, the print job fails due to a login error.

How do you get around this?

So to print, you can manually set the settings on the print driver (rather than automatic). This allow you to set printer to User-Auth = OFF (on the driver).

Here's how in picture format:




Hyper-V VHDX Disk to VirtualBox VDI Disk

Hyper-V VHDX disks can be created from a physical computer with Disk2VHD. You will end up with a VHDX disk. If you run into a problem where you cannot run Hyper-V, VirtualBox is a good alternative. The roadblock you might run into is that VirtualBox cannot run VHDX files. To convert to VirtualBox VDI Disk (VirtualBox native format):

  • -click START > RUN
  • -type: cmd
  • -inside the command window, type: cd c:\program files\oracle\VirtualBox\
  • -hit enter
  • -type: VBoxManage clonemedium disk c:\path-to-vhdx\DESKTOP.VHDX c:\path-to-vdi\DESKTOP.VDI --format VDI

Now simply create a VM and use/attach the VDI disk.
(In the settins, I had to checkmark "Enable I/O APIC")


Let's say you want to start the VM without a GUI. This is "headless". If you want the VM to start when the host starts:

  • -click START > RUN
  • -type: cmd
  • -inside the command window, type: cd c:\program files\oracle\VirtualBox\
  • -hit enter
  • -type: VBoxManage list vms
    (this will show a list of VM's)

Let's add the VM to start automatically on a Windows host:

  • -click START > RUN
  • -type: shell:startup
  • -create a shortcut in this directory
  • VBoxManage startvm MyVM --type headless

Delete Emails Across Entire Exchange 2013

1-First create a folder in your Outlook called: SearchAndDeleteLog
(As a root folder. Not an INBOX subfolder)

2-Now in Exchange-Mangement-Shell EMS) search for the messages with the SENDER, DATE and SUBJECT and put the results in your own mailbox:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery {from: This e-mail address is being protected from spambots. You need JavaScript enabled to view it AND Received:"03/17/2018" AND Subject:"Your bank statement"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full

Or for a date-range:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery {from: This e-mail address is being protected from spambots. You need JavaScript enabled to view it AND Received:"03/16/2018 10:00..03/17/2018 13:00" AND Subject:"Your bank statement"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full

3-Look in your Outlook and verify the results.

4-After you are sure of the results, run the command to delete:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery {from: This e-mail address is being protected from spambots. You need JavaScript enabled to view it AND Received:"03/17/2018"} -DeleteContent

If you need to copy the messages from a specific mailbox:

Get-Mailbox foo.user | Search-Mailbox -SearchQuery {from: This e-mail address is being protected from spambots. You need JavaScript enabled to view it AND Received:"03/01/2018"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog"

Resource Room in Exchange 2013

Resource room in Exchange 2013. Let's say you have a conference room. And you want everyone in the office to:

  • -see a calendar for the conference room.
  • -see if the conference room is available/busy.
  • -schedule an event for the conference room.
  • -see the details of the conference room.

Create Resource Room

First create a mailbox resource room. This can be a ROOM or it can be EQUIPMENT. The idea is that it is a shared resource.

  • $new-mailbox foo.resource -type room
  • $new-mailbox foo.resource -type equipment

View Default Permissions

You can view the default permissions of the mailbox like so:

  • $get-MailboxPermission foo.resource |? {$_.IsInherited -eq $false -and $_.User -ne "NT AUTHORITY\SELF"}

You can view the default permissions of the mailbox calendar like so:

  • $get-MailboxFolderPermission foo.room:\
  • $get-MailboxFolderPermission foo.room:\calendar

Add Permissions

Afterwards, set the permissions for the calendar. This must be done at the calendar level:

  • $set-MailboxFolderPermission foo.room:\calendar -user Default -AccessRights Reviewer

To schedule the calendar in OUTLOOK,

  • -click NEW > MEETING
  • -click TO
  • -click GLOBAL-ADDRESS-LIST (upper-right)
  • -select ALL-ROOMS
  • -click the room required.
  • -click RESOURCES (at bottom-left, to add the room to the RESOUCE area).
  • -click the date and time you need.
  • -click SEND

This will schedule the room for you, put the event on your personal calendar, put the event on the room calendar for everyone to see and manage if it is in use or not.

Everyone In Office To Add Events To A Shared Calendar

If everyone in the office is "playing nice" and if you just want the calendar to show, have people double-click on the calendar day to start an event and schedule a time, then set the calendar permissions to AUTHOR:

  • $set-MailboxFolderPermission foo.room:\calendar -user Default -AccessRights Author


-REVIEWER role is the following:
(the "-" is not allowed)


-AUTHOR role is the following:
(the "-" is not allowed)


More at: https://technet.microsoft.com/en-us/library/dd298062(v=exchg.150).aspx

Gmail Aliases

So I'm probably the last to know but aliases are built right into gmail addresses.

If your email address is:

The following will also work:

In addition, you can add a plus sign (+) and any word before the @ symbol and the email will still reach you

Can't Scan From Ricoh Printer After Update | Can't Scan From Savin Printer After Update

Your scanning used to work from the Ricoh/Savin. It used to go right into a folder you had setup.

Then the computer updated itself in the Fall/Winter of 2018 or early 2018.

Now when you try to scan, it doesn't work.

This is because the computer updated to Windows 10 v1709 (aka Fall Creators Update). In this update, a change was made so that your computer can no longer talk to the Ricoh/Savin scanner. The update took away a communication protocol called SMBv1.

The correct fix is to change the way the scanner talks to the computer and use a newer communication protocol.

In lieu of making those changes, you can re-enable SMBv1:

  • -click START > RUN
  • -type: CMD
  • -click OK
  • -type: dism /online /enable-feature /featurename:smb1protocol

The same is true for disabling:

  • -type: dism /online /disable-feature /featurename:smb1protocol

Fix Office 2016

For 32-bit (x86) Office 2013 installed in 32-bit Windows using Click-To-Run:

  • "C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe" scenario=Repair platform=x86 culture=en-us

For 32-bit (x86) Office 2013 installed in 64-bit Windows using Click-To-Run:

  • "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" scenario=Repair platform=x86 culture=en-us

For 64-bit (x64) Office 2013 installed in 64-bit Windows using Click-To-Run:

  • "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" scenario=Repair platform=x64 culture=en-us

For Office 2013 installed using traditional MSI method:

  • "C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Setup.exe"

Outlook Rules / Exchange 2013 Rules / Inbox Rules For Mail

You can see INBOX rules every mailbox:

$get-InboxRule -mailbox foo.user

You will get something like:
Name                          Enabled                       Priority                      RuleIdentity
----                          -------                       --------                      ------------
foo.bar.rule                  True                          1                             6404806255763783681

Of course, you can see the details by:
$get-InboxRule -mailbox foo.user |fl

remove-InboxRule -mailbox FOO.USER 6404806255763783681

Linux Laptop Power Management | Linux Laptop Too Hot | Linux Laptop Fan Speed

First step is diagnostics; find out how hot it is running. There is a package called lm_sensors.


lm_sensors is installed by default in Centos. If not, you can install:
yum install lm_sensors

Detect The Sensors

lm_sensors needs to know what sensors are available. To do this:
answer YES to all the questions / accept all the defaults

Show the Temp

lm_sensors will show the temperature in C by:

Or will show the temperature in F by:
sensors -f

Or to see a continuous monitor of temp by:
watch -n 2 sensors
watch -n 2 sensors -f
watch -d sensors

How Hot?

A normal temperature is 45C/100F.

A high temperature is 87C/189F.

A critical temperature is 105C/225F.

Fans should kick in around 60C/140F.

Why Hot? CPU

The burning question (ba-dom-tiss), why is it hot.

One reason could be the CPU. The CPU will have different speeds that it can run. So a 2700 CPU may only be running at 1200. This is called "governors".

To see your max speed and current running speed:
grep -E '^model name|^cpu MHz' /proc/cpuinfo

Not all cpus will have the same options. To see your available governors:
cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_available_governors

To see your set governor:
cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor

service cpuspeed status

And if that doesn't work, try:
/etc/init.d/cpuspeed status

To set your governor:
echo ondemand > /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor

Why Hot? Graphics Chip

A second reason is the graphic chip or graphic drivers. In laptops, secondary graphics cards can be installed along with the built-in graphics card. The idea is that the secondary card takes over when the built-in card needs it. This is called discrete graphics card or Nvidia’s Optimus graphics-switching technology. The idea is to save power and to make the battery last longer. There are all sorts of problems this happening in real life.

To see if the discrete graphics card is on:
grep -i switcheroo /boot/config-*

To change, edit the file manually and change "CONFIG_VGA_SWITCHEROO=n" to "CONFIG_VGA_SWITCHEROO=y":
vi /boot/config-2.6.32-696.20.1.el6.x86_64
(of course, change the config number file that you select when you boot the laptop)

Then reboot:
signal-event reboot

Why Hot? Fans

For me, the laptop isn't hot. It is just that the fan are running at full speed all the time.

Typically, fan control is done through a service called: acpid (this is the same service that provides shutdown control when you press a power button). But, in some cases, Dell laptops lacks ACPI fan control capability. Also, Dell laptops lack pwm-capable sensor for the fans/pwm controllable fans. So lm_sensors from above will not find a sensor for the fans. Consequently, the following typical solutions will not work:

trying with ACPI boot parameters.
fancontrol/pwmconfig program.


Some have had luck editing the /etc/grub.conf file and editing ACPI boot parameters by either reporting to the BIOS as Linux or reporting as not Windows 2012. When Linux boots, it reports to the BIOS as Windows. Reporting as Linux may allow it more control.

In the same fashion, reporting as Linux doesn't work but reporting as not Windows 2012 does work.

vi /etc/grub.conf
you will see a list of kernels with numbers. Ususally the highest number is the newest release and the one being used.
find the line that starts with: kernel
at the end, simply add: acpi_osi=Linux
or at the end, simply add: acpi_osi='!Windows 2012'

You can also test this before making the changes permanent:

wait till the list of kernels show
use the up/down arrow keys to move the highlighted kernel
select the kernel (again, usually the highest number).
press 'e' (for edit)
selec the line that starts with 'kernel'
press 'e' again (for edit)
go all the way to the right (it usually puts you at the end of the line)
at the end, simply add: acpi_osi=Linux
at the end, simply add: acpi_osi='!Windows 2012'
at the end, simply add: acpi_enforce_resources=lax
press enter (to accept the edit)
press 'b' to boot

For example, my normal line looks like:

kernel /vmlinuz-2.6.32-696.20.1.el6.x86_64 ro rd_NO_PLYMOUTH root=/dev/mapper/main-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=main/root nodmraid rd_LVM_LV=main/swap SYSFONT=latarcyrheb-sun16 rd_MD_UUID=701062e5:0b13b844:9523e658:0c4b0c3d  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet crashkernel=auto

My modified line looks like:

kernel /vmlinuz-2.6.32-696.20.1.el6.x86_64 ro rd_NO_PLYMOUTH root=/dev/mapper/main-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=main/root nodmraid rd_LVM_LV=main/swap SYSFONT=latarcyrheb-sun16 rd_MD_UUID=701062e5:0b13b844:9523e658:0c4b0c3d  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet crashkernel=auto acpi_osi=Linux


Try typing:

You will get a standard message stating:
There are no pwm-capable sensor modules installed

Load i8kutils

So to workaround this, you have to install i8kutils package

First, you have to load a kernel module:

modprobe -v i8k

You can see the loaded modules by:


In there, you should see: i8k

Great! Now that i8k is loaded, we need the i8kutils package.


W52P Yealink Firmware Upgrade - W52P Brick - Not Getting IP

In theory, the handset and the base go together. Plug in the base and the handset works with that base.


However, you can add the handset to another base if needed:

  • -press the button on the base.
  • -press REGISTER on the phone set.

Long way:

  • -login to the base web page.
  • -click ACCOUNT (at the top).
  • -fill in the necessary information


To factory-default the base:

  • -unplug power.
  • -hold in the button (there's only one button).
  • -plug in the power.
  • -all 3 led's will light up.
  • -unplug power.
  • -plug power back in.


In normal circumstances, the firmware of the base and the handset can be updated here:

The firmware of the base can be updated via the web.

The firmware of the handset can be updated via the web (if the base firmware is new enough). Or the firmware of the handset can updated via usb. This requires the usb tool here:
Upgrading W52x Handset Firmware.zip


In some cases, there is still no response after the factory default or if the firmware upgrade was incomplete/corrupt. The base needs to be put in recovery mode and is look for a tftp from

To fix, you will need to:


  • -download a TFTP-SERVER: http://www.tftpd64.com/tftpd32_download.html
  • -get the PORTABLE version.
  • -unzip the files.
  • -set your computer IP to:
  • -set your computer SUBNET to:
  • -set your computer GATEWAY to:


  • -get a switch.
  • -get 2 ethernet cables.
  • -plug computer into switch.
  • -disable wireless, if needed.
  • -disable firewall.


  • -start the tftpd32.exe/tftpd64.exe
  • -create a tftproot folder at the root of c:\ (so it should be: c:\tftproot)
  • -upload the W52P.rom, W5X.rfs, W5X.bin


  • -click SETTINGS.
  • -click GLOBAL
  • -checkmark DHCP
  • -checkmark TFTP


  • -set SIZE-OF-POOL to: 11
  • -set the options to (these are irrelevant, so it doesn't matter):
  • -set the BIND-ADDRESS to:




  • -close the TFTP server software
  • -start the TFTP server software


  • -unplug power
  • -hold in the button (there's only one button).
  • -plug in the power.
  • -all 3 led's will light up.
  • -release the button.
    (if that doesn't work, try when only 2 led's light up and release the button)
  • -wait about 10 minutes to be sure.
  • -the BASE unit should upgrade the firmware, reboot and be accessible at:
    (You can follow along in the TFTP log. It will show activity so you know if it is working)


-here is the Yealink PDF instructions: Recovery_Mode_on_Yealink_IP_Phones_build.pdf

WD MyBook


Here are the drivers if your WD MyBook is not recogized.

Examine httpd access logs

I spend a large amount of time defending from spam attacks and sql injection attacks. I can analyze the httpd logs with the following:

grep schem ./access_log* |cut -d ' ' -f 2 |uniq -c |sort -n

  • The 'grep' command searches for the word schema as in information_schema. No real sql query searches for this. It is always an sql hacking attempt.
  • The files we are searching is 'access_log*' which means search through all the access logs that we have. For me, that is usually around 4 months of data. That is a fairly good data set.
  • The 'cut' command chunks up the data. The '-d' part tells how to chunck the data; by a space character. The '-f 2' tells what data to collect; the second item in each line.
  • The 'uniq -c' tells to count each unique item.
  • The 'sort -n' sorts them least to greatest.

Page 1 of 5

  • «
  •  Start 
  •  Prev 
  •  1 
  •  2 
  •  3 
  •  4 
  •  5 
  •  Next 
  •  End 
  • »

Contact Dak Networks

Please contact us at the following.