The OS upgrade option is built into the web ui and should be used to upgrade versions. The OS upgrade will also upgrade the SSL VPN client versions that are stored directly on the Firebox.

## Install WebEx Remotely

Let's say that you have limited access to a system and you want to download and install a WebEx package from the command line/PowerShell (in Windows PowerShell, wget is an alias for Invoke-WebRequest). Here's how:

wget "https://akamaicdn.webex.com/client/WBXclient-39.4.5-5/webexapp.msi" -outfile "webexapp.msi"

msiexec.exe /i "webexapp.msi" ALLUSERS=1 /qn /norestart /log output.log

## Remove Appx Windows 10

Remove Appx app (is that redundant?):

Get-AppxPackage -allusers -name "Microsoft.MicrosoftOfficeHub" |Remove-AppxPackage

## Surface Pro 4 Max Performance

Click here to see how to set the Surface Pro 4 to Max Performance on the Intel HD Graphics and the Processor:

https://www.windowscentral.com/how-max-intel-hd-graphics-surface-pro-4

## WDF_VIOLATION BSOD 1903

MacBook Pro circa 2011 running bootcamp and Windows 10. Updated to 1903. BSOD "WDF_VIOLATION."

-hold power button to shut off.
-press power button to turn on.
-do this about 3 times. After the 3rd time, the option for ADVANCED BOOT should appear.
-press F8
-select SAFE-MODE WITH COMMAND-PROMPT
(a scary black screen shows)
-you will be at c:\windows\system32

-type: cd drivers
-type: dir |findstr /i machal
-it will show: MacHALDriver.sys
-this is our problem.
-type: rename MacHALDriver.sys MacHALDriver.sys.sav
-press ENTER key
-type: shutdown -r -t 3
-press ENTER key

The system will reboot and you should be able to login as normal without the BSOD. Apparently the BOOTCAMP DRIVERS V6 will fix it. But I have not tried to install them yet.

## WatchGuard Allow Web Site

Typically we block web sites in the Weapons category by default. Going to a web site like the following is blocked: beretta.com

But what if they are a client and we want the MARKETING group to allow access to the web site?

-this was the simple setup:
https://www.jscmgroup.com/watchguard-blog/2016/8/29/watchguard-webblocker-actions

Without any setup the log is:
2019-06-05 14:53:51 Deny 10.192.480.250 199.83.128.143 http/tcp 56564 80 0-LANLAG 0-External ProxyDeny: HTTP Request categories (Outbound-HTTP-proxy-00) proc_id="http-proxy" rc="595" msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard.1" cats="Weapons" op="GET" dstname="beretta.com" arg="/favicon.ico"

-you can see that the proxy-action is: HTTP-Client.Standard.1.
-but it should be: HTTP-Client.marketing
-this is because the proxy-action is not attaching to the group. This is because I was trying on a system on a subnet with an exception for authentication:
10.192.480.0/24 (note: subnet not real for posting purposes)
-this results in NO-AUTH, NO-GROUP and NO-PROXY-ACTION.
-using different pc on: 10.192.420.0/24

-for setup, the key here is that the WatchGuard group name needs to be the same as the AD group name: MARKETING
-next, create the rule where you can create the proxy. I went the long way around.
-edit-policy > Proxy-Action > HTTP Proxy Exceptions

NOTES:
-going to: -edit-policy > Proxy-Action > WebBlocker
-click: EDIT > EXCEPTIONS
-type: *.beretta.com/*
Did not work. I still ended up with log:
2019-06-05 15:40:06 Deny 10.192.420.100 199.83.134.143 http/tcp 61063 80 0-LANLAG 0-External ProxyDeny: HTTP Content Type match (Outbound-HTTP-Marketing-00) proc_id="http-proxy" rc="595" msg_id="1AFF-0018" proxy_act="HTTP-Client.marketing" rule_name="Default" src_user="dakruhm"

-the fix should be:
-edit-policy > Proxy-Action > HTTP-RESPONSE > CONTENT-TYPES
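The two log lines above can be read mechanically. This added example (not part of the original notes) splits a Firebox ProxyDeny line into its positional fields and its key="value" pairs, then runs the same checks the notes walk through: whether a src_user attached, which proxy action fired, and whether the deny came from a WebBlocker category or from a content-type match. The sample lines and the expected proxy-action name are taken from the notes.

```python
import re

# The two Firebox ProxyDeny lines quoted in the notes above, used as sample
# input (the 10.192.x addresses are not real, as the notes say).
SAMPLE_LOGS = [
    '2019-06-05 14:53:51 Deny 10.192.480.250 199.83.128.143 http/tcp 56564 80 '
    '0-LANLAG 0-External ProxyDeny: HTTP Request categories (Outbound-HTTP-proxy-00) '
    'proc_id="http-proxy" rc="595" msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard.1" '
    'cats="Weapons" op="GET" dstname="beretta.com" arg="/favicon.ico"',
    '2019-06-05 15:40:06 Deny 10.192.420.100 199.83.134.143 http/tcp 61063 80 '
    '0-LANLAG 0-External ProxyDeny: HTTP Content Type match (Outbound-HTTP-Marketing-00) '
    'proc_id="http-proxy" rc="595" msg_id="1AFF-0018" proxy_act="HTTP-Client.marketing" '
    'rule_name="Default" src_user="dakruhm"',
]

# Fixed positional fields first, then the reason text, the policy name in
# parentheses, and finally the key="value" pairs.
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\S+) '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) '
    r'(?P<in_if>\S+) (?P<out_if>\S+) (?P<reason>[^(]+?)\s*\((?P<policy>[^)]+)\)\s*(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_firebox_line(line):
    """Return the log line as a dict, or None if it is not in this format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry.update(KV_RE.findall(entry.pop("rest")))
    return entry


def diagnose(entry, expected_proxy_act):
    """List the reasons a proxy deny did not behave as the group policy
    intended, mirroring the checks walked through in the notes."""
    findings = []
    if "src_user" not in entry:
        findings.append("no src_user: client not authenticated, so no "
                        "group-based proxy action can attach")
    if entry.get("proxy_act") != expected_proxy_act:
        findings.append("proxy action %r applied instead of %r"
                        % (entry.get("proxy_act"), expected_proxy_act))
    if "cats" in entry:
        findings.append("WebBlocker category deny: %s" % entry["cats"])
    elif entry.get("reason", "").endswith("Content Type match"):
        findings.append("HTTP response content-type deny: the exception "
                        "belongs under HTTP-Response > Content-Types, not "
                        "under WebBlocker")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        e = parse_firebox_line(line)
        print(e["policy"], e.get("src_user", "<unauthenticated>"))
        for f in diagnose(e, "HTTP-Client.marketing"):
            print("  -", f)
```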

## OpenText Enterprise Scan and SAP

Here are my scribble notes so I don't have to look them up again.

Install the OpenText Enterprise Scan program.

Scanning is rather simple, just make sure you select the correct model of scanner and scan the document.

Next is sending to the Archive Server.

Set up the pipeline to the Archive server (ie 10.195.160.4).
scan config manager

Test the archive server pipeline:
scan > config-manager

Pipeline info:
localhost
Port 4023
Port 8080 (for management)
right-click & select LIST-PIPELINES

Start Enterprise Scan
Config Archive

Ops
Capture Center
Capture Center via shared
content server
doc pipe for content server
doc pipe for SAP
doc pipe for tcp
external storage

Flow
Doc pipeline SAP

Server
http
8080
check
nettcp secure
19284
local
localhttp

There is a possibility that there is a port on a firewall that needs to be opened if the archive server is offsite.

Check the profile: cmd > set
ecm conf dir = c:\ProgramData\Open Text (note the space in "Open Text")
ecm doc pipeline base = c:\Program Files\OpenText
ecm doc pipeline conf = c:\ProgramData\OpenText (note: no space in "OpenText")
ecm doc pipeline info = c:\ProgramData\OpenText (note: no space in "OpenText")
ecm doc pipeline sap = c:\ProgramData\OpenText (note: no space in "OpenText")

c:\ProgramData\OpenText\BASE Document Pipeline\config\dpconfig\dp.dpconfig
c:\ProgramData\OpenText\BASE Document Pipeline\config\dpconfig\dp.dpinfo

Error Message: Late_Archive_error | Could Not Process Document

Logs are here:
c:\ProgramData\OpenText\var\LogDir\doctods_1.log

http status code = '0', http status message = 'Couldn't resolve host name'
dsc::dscOpenDoc dsc.cxx-9776 cannot reserve a document id; the call of function dshDsReserveDocId() failed: 'HTTP error: connection was broken: host = denw08v701 (archive='ABC')'

This means archiving is not working because the local system cannot resolve the host named in the configuration. This happens because the server is outside the domain, so referring to it simply as "denw08v701" does not resolve; it needs to be "denw08v701.domain.tld".

Or you can edit the HOSTS file:
c:\Windows\System32\drivers\etc\hosts

10.195.160.4 denw08v701

## Find What Port Number a Mac Address Is On Cisco IOS


If you know the full Mac address, you can perform the following:

If you know just part of the Mac address (where 1818 is the last 4 digits of the Mac):

show mac address-table | include 1818

enable

configure terminal

interface GigabitEthernet0/1
description MPLS
duplex full
speed 100

Be sure that your link speed is set correctly. Sometimes auto speed doesn't work right.

And change your gateway/bgp-neighbor, if needed:

router bgp 65000
no synchronization
bgp log-neighbor-changes
redistribute connected
redistribute ospf 30
neighbor 10.162.30.1 remote-as 65006
neighbor 10.162.131.49 remote-as 1
no auto-summary

copy running-config startup-config

You can show your routes by:

show ip route

## Hyper-V Integration Services Windows Server 2016 Datacenter

Integration services is Microsoft's terminology for client-tools/guest-tools. Other vendors such as VMware and VirtualBox have their own terminology but the idea is the same. With the tools installed the guest VM works better, faster, etc.

To see if the Integration Services are installed:

• -go to Host system.
• -type: get-vm |ft name,version

With Windows 10 Guest VM, and Server 2016 Host, the integration services are installed via Windows Update.

To see the version of Integration Services:

-type: REG QUERY "HKLM\Software\Microsoft\Virtual Machine\Auto" /v IntegrationServicesVersion

Then let us see if the service on the GuestVM is running:

-type: Get-Service -Name vm*

## Laptop Password Expired and VPN

Let's say that you have a typical Windows domain network at the headquarters. A rule of the network account policy is that the password changes every 90 days.

And let's say that you have a group of outside sales people who do not come into the office. Every once in a while they vpn into HQ.

If the password expires on their account, they can still login to their laptops because the laptop keeps a cached copy of the domain credentials. But then the VPN fails and email fails.

They call and we reset their account password.

The VPN works.

But then how does the laptop get updated?

Here's how:

• connect to a network for internet.
• start the VPN connection to HQ.
• lock the laptop (CTRL+ALT+DEL > LOCK).
• unlock (using the new password).

When unlocking, the computer is connected to the domain (via the VPN tunnel), so it will verify the password with the domain. As a side effect this will update the cached password on the laptop.

## Linux Delete All Files Greater than a Certain Size

Let's say you have a directory of photos. The directory is about 1TB and the hard drive is packed full. How do you delete files that are larger than a certain size?

Here's how:

cd /path/to/dir
find . -name "*.jpg" -size +3000k -delete

The k suffix means units of 1024 bytes, and +3000k means larger than 3000 of those units (-3000k would mean smaller).
Leave off the "-delete" if you want to run a test that only lists the matching files without deleting them.

## Mimecast LDAPS Connection

Here is the best source for setup of LDAPS:

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

For Mimecast, if you are using a self-signed certificate as the instructions above provide, set the Encryption Mode to: Relaxed

## Rename User Active Directory

Renaming a user in Active Directory is a common task, but here it is all in one spot.

### Rename User in GUI

-open Active Directory Users and Computers.
-right-click on the Name.
-select RENAME.
(rename User dialog box appears to change other common items)

### Rename User in CMD

dsmod user "<UserDN>" -upn "<NewUserUPN>" -ln "<NewUserLastName>"

### Rename User in PS

or

For a full one-liner:
Get-ADUser "old.name" |Rename-ADObject -NewName "New Name" -PassThru | Set-ADUser -GivenName "New" -Surname "Name" -DisplayName "New Name" -SamAccountName "newname" -UserPrincipalName "<NewUserUPN>"

NOTES:

All the following are different:

Name
GivenName
Surname
SamAccountName
DisplayName
OtherName
UserPrincipalName

Most can be set by: Set-ADUser

But the Name of the Object is a bit different and needs to be set by: Rename-ADObject

## Watchguard VPN Split Tunnel Doesn't Resolve

Watchguard VPN setup. Watchguard has a split tunnel automatically. Works for hundreds of people.

Run into a new setup where the Watchguard VPN would connect but asking for vlan resources would respond back with the local network. The desired result is the remote network.

This happens to be on an ATT home router. The laptop is hard-wired connected. Note that the wireless connection works fine. Go figure.

Here's how to diagnose on the vpn laptop:

• -click START > POWERSHELL (as admin).
• -type: get-netipinterface

Typically, out of the box, each connection will have a name (obviously) and a setting for IPV4 and IPV6. Each setting will have a METRIC.

Let's say the connections are named: ETHERNET and VPN.

You will notice that:

ETHERNET IPV4 has a metric of 35
ETHERNET IPV6 has a metric of 35
VPN IPV4 has a metric of 35
VPN IPV6 has a metric of 35

What we need to do is set the METRIC on the hard-wired connection to a number higher than the vpn connection.

-type: netsh int ipv4 set interface interface="ETHERNET" metric=40
-type: netsh int ipv6 set interface interface="ETHERNET" metric=40

That should do it.

Note that other posts will talk about turning ipv6 off, etc.

## Watchguard Change Opened Ports | Watchguard Change Opened Outgoing Ports


Let's say that you already have a firewall policy on your Firebox. That firewall policy has a non-standard-port open from that static internal ip-address to the rest of the www (any-external) so that it can talk to who it needs to. Note that this is not a static server internally that needs to service the rest of the www such as a web server, this is simply a piece of software that needs to reach out on a non-standard-port.

Now, at the current moment, you need to either add to the port list or change the port number.

When you click on the firewall policy there is no option to edit the port list or the port number. How do you change it?

Good question. What you want to do is change what is called in Watchguard-speak, the firewall-policy-type.

Here's how:

• -click FIREWALL > FIREWALL-POLICIES.
• -click ADD-POLICY (at the top). (Yes, even if you are not adding a firewall-policy).
• -bullet CUSTOM.
• -select the policy-type (from the drop-down list).
• -click EDIT.
• -click ADD | EDIT | REMOVE as necessary.
• -click SAVE (at the bottom).
• -click CANCEL (so that it does not save a new firewall-policy).

I have yet to figure out if there is a better way to go directly to the firewall-policy-types.

## Watchguard Port Forward

Here is how to port forward if you are hosting a server of some type on your internal network that needs to be accessible outside of the office:

• -click on Firewall > SNAT.
• -type name: 5802 incoming to port 5802
• -type internal address to send traffic to. (e.g., 10.1.10.5)
• -click OK.
• -click SAVE
• -click Firewall > Firewall Policies.
• -click CUSTOM.
• -type name: 5802 incoming to port 5802
• -enter port # and click OK. (e.g., 5802)
• -click SAVE.
• -change “FROM” box to contain only “Any-External”.
• -remove everything in “TO” box.
• -change “Member Type” to “Static NAT”.
• -select the Policy Type you just added and click OK.
• -click SAVE.

## Get All Mailboxes With Permissions Other Than Themselves

Get All Mailboxes With Permissions Other Than Themselves. Here's how:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ',$_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv

## Outlook Calendar Permissions for Visual Learners

Learn visually? Me too. Here's the Outlook Permissions in table format with color view:

[Table not recoverable from the page. Rows were the Outlook permission roles: Author, Contributor, Editor, None, NoneEditingAuthor, Owner, PublishingEditor, PublishingAuthor, Reviewer, AvailabilityOnly, LimitedDetails. Columns were the individual rights: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems, Free/Busy, Free/Busy w Name & Location.]

## Office 365 - Join Computer to Domain | Azure Active Directory

Do you have an Office365 account for your company domain (ie daknetworks.com) and email? Did you know that you can join your laptop or desktop to the Office365 domain?

The typical access for Office365 is here:
https://portal.office.com

There is also another portal to manage your Office365 domain:

### AZURE ACTIVE DIRECTORY

Once here, you are welcomed with so many services it is hard to keep them straight. What we are interested in is Azure-Active-Directory. Once you click on Azure-Active-Directory, you will see more options. Let's cover the basics.

#### USERS

Clicking on USERS will show you the users in your company. These naturally mirror the email accounts as you can't have an email account without having an Azure-Active-Directory account. But that might not be obvious if this is new to you.

#### GROUPS

Click on GROUPS is similar.

#### DEVICES

DEVICES will show all the DEVICES that are REGISTERED or JOINED. What's the difference?

REGISTERED is allowing the company to control the device. This is what happens with your iPhone (because who in their right mind would use Android). When you add your Office365 company email address to the phone, the company can control your iPhone. You might not know that. But it is nonetheless true. They can take the email account off the phone without your permission or they can wipe your entire iPhone without your permission.

The same is true for Windows 10 laptops/desktops. If you add your Office365 company email address to Outlook, the company can control your computer in some ways. Just like your iPhone, your computer is still accessible by you with the password that you set up when you brought the computer home from the store or received it in the mail/ups/fedex/amazon package. But your company can control some of the items on your computer.

JOINED is what we think of in a traditional computer setup for a small company with an on-site server. When a computer is JOINED, any user in the company can login to that computer without having to setup the password locally. All the usernames/passwords are kept on a centrally located "invitation list."

### JOIN COMPUTER TO AZURE ACTIVE DIRECTORY

So how do you do that?

• -click START > SETTINGS > ACCOUNTS
• -click ACCESS-WORK-OR-SCHOOL (on the left-hand side).
• -click CONNECT.
• -click JOIN-THIS-DEVICE-TO-AZURE-ACTIVE-DIRECTORY.
• -click NEXT.
• -click SIGN-IN > JOIN > DONE.

### MAGIC TO GET AROUND YOUR ORGANIZATION REQUIRES HELLO

There's a part here where if we continue, it will want to change your password to a PIN. Let's get around this.

• -click START > RUN.
• -type: gpedit.msc
• -click Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business (on the left-hand side).
• -click Use Windows Hello for Business (in the middle).
• -click DISABLED.
• -click OK
• -restart your computer to make sure it survives reboot.

### LOGIN WITH AZURE ACTIVE DIRECTORY

• -click OTHER-USER (at the bottom-left).

Note that when you do this, the process creates a new user on the computer so your DESKTOP, DOCUMENTS, PHOTOS, VIDEOS will all be reset to a fresh set. Any items you might have had are still in the other username and password. This can be manually transferred from the other account if needed.

### NOTES

I could go on and on about the benefits of this:

1. this computer now shows in Azure-Active-Directory > DEVICES section.
2. if you open EDGE, go to https://portal.office.com you are automatically logged in and can download and install the software.
3. if you open OUTLOOK, your account is automatically found and setup

In addition, I could go on and on about the number of misleading videos and long-winded documents I had to travel to get this far. Here are some of them:

https://docs.microsoft.com/en-us/azure/active-directory/devices/overview

## Exchange 2013 Room Lists

Exchange 2013 Room Lists exist.

To get a list of all the room resources:

get-mailbox |? {$_.resourcetype -eq "room"}

Just as mailboxes can be part of a group/distribution-group, the room resources can be part of a group/distribution-group. These groups do not show in the ECP. To get a list of all the roomlist groups:

get-DistributionGroup |? {$_.recipienttypedetails -eq "roomlist"}

To create a new roomlist group:

New-DistributionGroup conference-rooms-foo -RoomList

To add a member to the roomlist group:

To get a list of all the members of a roomlist group:

get-DistributionGroupMember conference-rooms-foo

## SPF Records

For some reason, we have never done an article on SPF records. Here are some notes concerning SPF.

Here are our current records:

v=spf1 a mx ip4:216.245.219.162 include:_spf.freshbooks.com -all

A is for the A record

MX is for the MX record

ip4 is for a dedicated ip address.

include is for including an outside system. In this case Freshbooks which handles our billing for us.

Since the A record, the MX host and the ip4 address all resolve to the same address, only one of those mechanisms is needed. We changed it to this:

v=spf1 mx a include:_spf.freshbooks.com -all
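An added example, not from the original notes, that evaluates a sender address against the two records above offline and reports which mechanisms are redundant, which is the reasoning behind dropping the ip4 term. The DNS table (the domain's A record, the MX host address, and the contents of the FreshBooks include) is constructed; a real check would do those lookups live.

```python
import ipaddress

# The two records from the notes above.
SPF_BEFORE = "v=spf1 a mx ip4:216.245.219.162 include:_spf.freshbooks.com -all"
SPF_AFTER = "v=spf1 mx a include:_spf.freshbooks.com -all"

# Constructed stand-in for live DNS (assumption: the domain's A record and its
# MX host both resolve to the ip4 address in the record, as the notes state;
# the FreshBooks include contents are made up).
DNS = {
    "a": ["216.245.219.162"],
    "mx": ["216.245.219.162"],
    "include": {"_spf.freshbooks.com": "v=spf1 ip4:198.51.100.0/24 -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def mechanism_networks(mech, arg, dns):
    """Address ranges a/mx/ip4 cover, from the offline table (a:/mx: naming
    another domain are not modelled here)."""
    if mech == "ip4":
        return [ipaddress.ip_network(arg, strict=False)]
    return [ipaddress.ip_network(ip) for ip in dns[mech]]


def check_spf(record, sender_ip, dns, depth=0):
    """Evaluate sender_ip against the record: the first matching mechanism
    wins and its qualifier is the result (RFC 7208 subset: a, mx, ip4,
    include, all)."""
    if depth > 10:                      # RFC 7208 lookup limit
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech == "include":
            matched = check_spf(dns["include"][arg], sender_ip, dns, depth + 1) == "pass"
        elif mech in ("a", "mx", "ip4"):
            matched = any(ip in net for net in mechanism_networks(mech, arg, dns))
        else:
            return "permerror"          # unsupported mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' term


def redundant_terms(record, dns):
    """Mechanisms whose address space an earlier term already covers."""
    seen, redundant = [], []
    for _, mech, arg in parse_spf(record):
        if mech not in ("a", "mx", "ip4"):
            continue
        nets = mechanism_networks(mech, arg, dns)
        if all(any(n.subnet_of(s) for s in seen) for n in nets):
            redundant.append(mech + (":" + arg if arg else ""))
        seen.extend(nets)
    return redundant


if __name__ == "__main__":
    for ip in ("216.245.219.162", "198.51.100.7", "203.0.113.9"):
        print(ip, check_spf(SPF_AFTER, ip, DNS))
    print("redundant in old record:", redundant_terms(SPF_BEFORE, DNS))
```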

## FileMaker Server Install Certificate

Client has a FileMaker Server installed at a datacenter. They need the certificate installed and working.

### Generate a CSR

• -open FILEMAKER SERVER.
• -click DATABASE-SERVER > SECURITY.
• -click CREATE-REQUEST.
• -create a password by typing it in.
• -when you do, a CSR file (certificate request) and a PRIVATE-KEY will be generated.
• -the files are automatically kept here: C:\Program Files\FileMaker\FileMaker Server\CStore
• -the CSR is called ServerRequest.pem
• -this is just a text file. Open the file with NOTEPAD or TEXTEDIT or EDITPAD or NOTEPAD++ (not WORD).

### Create a Signed Certificate

• -take the contents of the CSR and give them to your SSL provider (GoDaddy, RapidSSL, Comodo, etc).
• -once submitted, that will generate a signed certificate.
• -it will also give you an intermediary certificate or chain certificate.

### Gathering All the Certificates

• -create a folder on the desktop of the FileMaker Server.
• -create a new text file in the folder.
• -copy the contents of the signed certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file.
• -rename the file your.filemaker.domain.tld.crt
• -create another new text file in the folder.
• -copy the contents of the SHA-1 Root certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file.
• -copy the contents of the intermediary certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file directly under the root certificate.
• -so the file should look like this:

=================

-----BEGIN CERTIFICATE-----
root-certificate-here-blah-blah-blah
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediary-certificate-here-blah-blah-blah
-----END CERTIFICATE-----

=================

• -rename the file chain.crt
• -copy the file C:\Program Files\FileMaker\FileMaker Server\CStore\serverKey.pem to this folder as well.
• -so the folder has 3 files:
• 1-your.filemaker.domain.tld.crt
• 2-chain.crt
• 3-serverKey.pem

### Install the Certificate on FileMaker Server

• -click DATABASE-SERVER > SECURITY.
• -click IMPORT CERTIFICATE.
• -for SIGNED-CERTIFICATE choose the file your.filemaker.domain.tld.crt
• -for PRIVATE-KEY choose the file serverKey.pem
• -for INTERMEDIATE-CERTIFICATE choose the file chain.crt
• -for password, type in the password created during the CSR step at the beginning.
• -click IMPORT.
• -restart the service (or restart the server).

That should do it! You're awesome! You now have a green lock in the FileMaker Pro clients running around the country and everyone is happy.

### NOTES

What makes this difficult is the terminology and the different certificate types and extensions (crt, cer, pem, p7s, etc). Naturally, I think most people try to use CER files by mistake.

Also the Intermediate certificate is a pain since sometimes it is needed but not provided. When it is provided, they expect you to know what to do with it.

Lastly, sometimes they provide 2 Intermediate certificates along with their root certificates and they expect you to know which one to use. Hint, use SHA-1-root with FM Server v16.

Here are the intermediate certificates for RAPIDSSL:

• -find ROOT
• -it will show the root-certificate.
• -put this at the top of the chain.crt (which has nothing other than this pasted text).
• -find INTERMEDIATE CA
• -it will show the intermediate-certificate.
• -put this in the same file but under the root certificate.
• -save the file as chain.crt

## Windows Couldn't Connect To The User Profile Service Service (aka All Your User Profile Are Belong To Us)


### SCENARIO

This happens after an upgrade to v1803 or to v1809 or to v1903.

### RESOLUTION

Get the HOMEDRIVE:

get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties homedrive, homedirectory, scriptpath |ft name, homedrive, homedirectory

This will output:

name     homedrive homedirectory
----     --------- -------------
Foo User Z         \\server\users$\foo.user

You will see above the HOMEDRIVE is something like a capital letter. In this case: "Z". This needs to be set as: "Z:". In other words, it is missing the colon ":".

To implement, first get the usernames in the OU that needs servicing:

$usernames = (get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties samaccountname |foreach { $_.samaccountname })

Now set the correct HOMEDRIVE value:

foreach ($username in $usernames) {set-aduser $username -homedrive Z:}

This happens because the HOMEDRIVE value is set incorrectly for the update script.

There is some sort of script that is trying to move the profile (Desktop, Documents, Favorites, Pictures, Photos, Videos) to OneDrive. The script errors when the HOMEDRIVE doesn't have the colon.

## WSUS - Force System to Check for Windows Updates

Windows Server Update Services (WSUS) is groaned about by many administrators. What should be a drop-dead-easy process is overly complicated and difficult to manage.

Everything should "just work." But it doesn't.

On 80% of the systems, the ones left on all the time, the success rate is high. The updates download and install on schedule as per the Group Policy (GPO).

On 20% of the systems, the laptops not left on all the time or away from the office, the success rate is mixed. Sometimes the downloads update, sometimes not. Sometimes the downloads install. Sometimes not.

Invariably, throughout the course of a deployment, a handful of laptops and tablets start to lag behind. They refuse to download and install the updates for whatever reason.

This necessitates the ability to force the client system to download and update.

To force them to update and install used to be:

wuauclt /detectnow
wuauclt /updatenow

Now with Windows 10, wuauclt is no longer working. But the completely undocumented USOCLIENT can be used to do the same:

USOClient.exe ScanInstallWait
USOClient StartInstall
(no slashes needed. No output is given.)

I cannot figure out why the whole process isn't easier, why there is not another way or why this is undocumented.

## All Enabled Accounts on Exchange Sorted by Last Name

Them: Can you give us a list of All Enabled Accounts on Exchange Sorted by Last Name?

Me: Sure.

The problem becomes this is trickier than it seems.

There are 3 commands that are helpful:

get-mailbox: a list of all the mailboxes, including SHARED, RESOURCE, EQUIPMENT, ROOM but not including contacts, mailuser, distributiongroup, etc. Disabled accounts are included. There is no disabled/enabled property.
Use the following to see what it shows and the number of items:

Get-Mailbox |Group-Object RecipientTypeDetails |Select name,count

get-recipient: a list of all recipients including mailboxes, contacts, mailuser, distributiongroup, etc. Basically, any type of existing Exchange Online recipient.
Use the following to see what it shows and the number of items:

Get-recipient |Group-Object RecipientTypeDetails |Select name,count

get-user: get the USER objects from Active Directory, including the users without mailboxes and disabled users.
Use the following to see what it shows and the number of items:

Get-user |Group-Object RecipientTypeDetails |Select name,count

Knowing the above, we can put together a command that lists all the USERS from AD with a mailbox whose account is enabled:

Get-User -RecipientTypeDetails UserMailbox -sortby lastname |where {$_.UserAccountControl -notlike "*AccountDisabled*"} |Select samaccountname

## Find What Groups a User In AD is a Member Of

Here is how for one person:

get-aduser foo.user -properties MemberOf |Select -ExpandProperty memberof

or use the newer command:

Get-ADPrincipalGroupMembership foo.user | select name

or use the older command-line:

net user foo.user /domain

Here is how for a group in an OU:

get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select -ExpandProperty memberof

or if you need just the Name and MemberOf:

get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select samaccountname,memberof

And if you need to put the whole thing together:

get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-name,dc=com" -properties Memberof |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}} |ft -wrap

Or if you need just the accounts that are more than the "Domain Users" group:

get-ADuser -Filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties Memberof |where memberof -ne "Domain Users" |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}

But maybe leave off the Guest account:

get-ADuser -Filter * -searchbase "ou=Disabled Users,dc=jenoptik-inc,dc=com" -properties Memberof |where {($_.memberof -ne "Domain Users") -and ($_.samaccountname -ne "Guest")} |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}

And to take this one step further, if you need to remove the user from all the account's groups, then:

## In-Place Archive Exchange 2013

The archive mailbox is an additional mailbox that's enabled for an account where messages older than 2 years are automatically moved (this can be customized in the retentionpolicy). This keeps the everyday mailbox at a more manageable level and allows for faster indexing and email searches.

Some power users will be familiar with archiving in Outlook as they may have crossed this issue in the past. They archive the email older than 2 years into a pst file. That pst file will show as a separate set of folders on the left hand side.

In-Place Archive is very similar. However, where it differs is that in-place archive is controlled by the Exchange administrator and does not require user intervention. The Exchange administrator can turn archiving on/off on the fly and control where the archive mailbox lives; this can be placed on the same edb or a different edb.

Here's how to enable archiving:

enable-mailbox foo.user -archive

Here's how to see what accounts have archive enabled:

get-mailbox -Filter {ArchiveState -Eq 'local'}

If you want to get the pertinent details of the archive such as archive database and archivename:

get-mailbox -Filter {ArchiveState -Eq 'local'} |select alias,archivestate,archivedatabase,archivename,retentionpolicy |fl

NOTES:

https://docs.microsoft.com/en-us/exchange/policy-and-compliance/in-place-archiving/manage-archives

https://docs.microsoft.com/en-us/exchange/policy-and-compliance/mrm/apply-retention-policies-to-mailboxes

## Federation Trust in Exchange

### Setup

1-First, set up a trust to the Microsoft servers:

• -click ORGANIZATION.
• -click SHARING.
• -click ENABLE to add a Federation Trust to the Microsoft servers.
• -click CLOSE.
• -click MODIFY.
• -select the PRIMARY domain.
• -click OK.
• -it will return a TXT record.
• -create a TXT record for this domain on your public DNS server that contains the key. It will look like this:
g1lg/IZ3MIHN0TaBsNMF+QzYbbA8Z39B/d46rQfQVmtNYbb6w0vRDQagL1b+bkbXbhstfg6PWw6JRtQqIIJ3Q==
• -create a TXT record for this domain on your Private DNS servers in your Active Directory.
• -wait. This should be around 15 minutes but can take 24 hours.

2-Second, the outside domain must do the same steps above.

3-Third, set up an ORGANIZATION-SHARING using the outside domain. It will fail if the domains have not set up the trusts.

• -checkmark enable calendar free/busy information sharing.

4-Fourth, set up an INDIVIDUAL-SHARING policy and set it as the default policy for everyone in the Exchange server.

### Result

That should do it; you should now be able to see each other's calendars as FREE/BUSY (not details).

To my dismay, this does not update users in the Global Address List (GAL) to include the outside domain. This means that, by default, looking up another person's calendar in the outsidedomain.tld is near impossible. You either have to manually type in all the outsidedomain.tld users into Exchange or use tools to do the sync for you; it is not built into Exchange. Grrrr...

### Troubleshooting

As troubleshooting, you can get the URL by:

• -hold CONTROL
• -right-click the OUTLOOK icon (bottom-right).
• -click TEST-EMAIL-AUTOCONFIGURATION.
• -click TEST.
• -the AVAILABILITY-SERVICE-URL is the important URL.

Also, in the EMS, you can use the commands:

get-sharingpolicy foo-policy |fl

get-organizationrelationship |fl

get-federationinformation -DomainName outsidedomain.tld

Test-FederationTrust -useridentity mail\inside.foo.user

test-organizationrelationship -useridentity "<InsideUserEmail>" -identity outsidedomain.tld

As a result of the above test-organizationrelationship troubleshooting command failing, I had to toggle two properties and had to run the following:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $false
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $true

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $false
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true

## Setup Send Connector in Exchange 2013 With Custom Port Number

Setup Send Connector in Exchange 2013 With Custom Port Number

• -click MAIL-FLOW (left-hand side).
• -click SEND-CONNECTORS (top)
• -click the "+" symbol.
• -name it anything you want. Let's say "foo-send-connector".
• -bullet CUSTOM.
• -click NEXT.
• -bullet ROUTE-THROUGH-SMART-HOSTS
• -click the "+" symbol.
• -type in the IP ADDRESS of the server you want to deliver the mail to.
• -click SAVE.
• -click NEXT.
• -bullet EXTERNALLY SECURED.
• -click NEXT.
• -click the "+" symbol.
• -type in the domain name that will be used for this sending setup.
In other words, this setup is only going to be used with a particular domain name; contoso.com. In another way, when sending to contoso.com use the following custom smtp route instead of the normal smtp route.
• -checkmark SCOPED-SEND-CONNECTOR.
• -click the "+" symbol.
• -select the server that this will apply to.
Small setups will probably only have 1 server.
• -click FINISH.

Now this will work. But it is set up on the default port 25. This is standard. But what if you want a non-standard port? Let's say because the SAP setup is out of your control.

-start the EMS.

-type: Get-SendConnector |fl
This will allow you to see the complete Send Connector setup in the steps above. You will notice the Port number is in the setup.

-type: Set-SendConnector -identity "foo-send-connector" -Port:587

## Ricoh Windows 10 1803

This article says it better than I can on how to setup a Ricoh Printer with Windows 10 v1803.

## WordPress Multiple Category Search

Where do I start? Forget my rant on how the world operates and has chosen WordPress over so many other better CMS's...

Have an array in a URL like this: &foo=1,2,3,4

Take that array and search for all of them.

The 'operator' => 'IN' is what does the including.

Basically, we are trying to get a %like% sql statement.

if (isset($_GET['area']) && !empty($_GET['area']) && $_GET['area'] != 'all') {
    // "1,2,3,4" -> one slug per entry; sanitize_title() keeps each entry a valid term slug
    $propareaArray = array_filter(array_map('sanitize_title', explode(',', $_GET['area'])));
    $tax_query[] = array(
        'taxonomy' => 'property_area',
        'field'    => 'slug',
        // earlier attempts that did not work:
        //'terms' => $_GET['area'],
        //'terms' => array($proparea[0], $proparea[1]),
        'terms'    => array_values($propareaArray),
        'operator' => 'IN'
    );
}

NOTES:

Don't ask me why 'EXISTS' doesn't work. I think it should. If it did, I wouldn't have to go through this.

## Manage Printers In Windows 10

So, I'm late to the game on this one: printmanagement.msc

## Shared Mailbox Won't Disconnect From Outlook

Scenario

You are an administrator of an Exchange system. Through the ECP, you add yourself FULL-ACCESS to another mailbox account. The account naturally shows in your Outlook. You are finished with the account and no longer need access to it. Again, through the ECP, you remove yourself FULL-ACCESS. The account still shows in your Outlook. What gives?

You might be tempted to remove the FULL-ACCESS through the EMS with the following:

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

But that yields:

WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, ControlType: Allow]  and was ignored on object "CN=where,OU=ever,OU=city,OU=Users,DC=domain,DC=tld".

Description

The mailbox is inheriting FullAccess permissions and has explicit FullAccess permissions. So when you removed the explicit FullAccess permissions, it won't have any effect unless a Deny permission is added. The problem is that Exchange doesn't tell you it is doing this.

Solution

To fix this, simply clear the Deny permission:

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess -Deny

NOTES:

I must have run into this before as I already have this post: http://www.daknetworks.com/blog/404-remove-mailbox-permissions-that-are-not-inherited

## ColdFusion Access

The access page for ColdFusion:

C:\ColdFusion10\cfusion\lib\neo-security.xml

• -change 'true' to 'false'
• -restart the ColdFusion application server.

Once you access the CFIDE, you can change the email settings there and test them as you save the settings.

Any undelivered emails will show in:
C:\ColdFusion10\cfusion\Mail\Undelivr

You simply drop them back into the spool directory and ColdFusion will send them:
C:\ColdFusion10\cfusion\Mail\Spool

## SuperMicro IKVM | Remote Console

So the IKVM/Remote-Console doesn't work with Java 8 (aka jre1.8.0_171). Apparently, this is because starting with JAVA-8 any JAR signed with an MD5 hash will no longer be considered trusted. There are instructions to work around the new JAVA limits but why bother.

### GET THE SERVER IKVM INFO

If you can connect to the SUPERMICRO server, when you try to launch the CONSOLE-REDIRECT, it will download a LAUNCH.JNLP file.

• -open the LAUNCH.JNLP file with NOTEPAD.
• -at the bottom, it will have all the parameters needed.

### RUN IKVM WITH PARAMETERS

• (ie: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.jar" 10.7.14.8 ADMIN PASSWORD null 5900 623 0 0)

## Cloning Disks

Cloning a disk can be done in many ways. The following is a list of some of them:

## Move Wordpress Subdomain

Creating a new web site in WordPress. Doing so, I create the web site at a subdomain such as: new.foowebsite.tld

After the web site is up to client standards, we change the dns at the name servers.

Now we have little squares where pictures once were. The pictures are coming from the CSS but only strange characters show.

Here's how to fix.

### 1- change in the sql database:

-use the following as a guide. Be sure to replace "wp_" with the table prefix of your database, e.g. "fooprefix_".

UPDATE wp_options SET option_value = replace(option_value,'http://old.url.tld','https://www.newurl.tld') WHERE option_name ='home' OR option_name ='siteurl';
UPDATE wp_posts SET guid = replace(guid,'http://old.url.tld','https://www.newurl.tld');
UPDATE wp_posts SET post_content = replace(post_content,'http://old.url.tld','https://www.newurl.tld');
UPDATE wp_postmeta SET meta_value = replace(meta_value,'http://old.url.tld','https://www.newurl.tld');

This can be used to go from http to https as well. Or to go to an entirely different domain name.

### 2- change in the file names:

But that doesn't change the files. If you are a sysadmin, you can use grep. WordPress also has some built-in functionality (WP-CLI) if you ssh into the server.

First, test:

wp search-replace 'http://old.url.tld' 'https://www.newurl.com' --dry-run

Then run:

wp search-replace 'http://old.url.tld' 'https://www.newurl.com'

### 3- check the wp-config.php

Sometimes the site is hardcoded into the wp-config.php file. Check it to make sure it is correct. The hard coded line will typically be the last lines.

NOTES:

-here is the long version: https://codex.wordpress.org/Moving_WordPress
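The SQL in step 1 does a plain substring replace. That breaks any option or meta value that WordPress stores as a PHP-serialized array: the s:N: prefix records the byte length of each string, so a URL that changes length leaves the value unserializable and WordPress can no longer read it as an array. `wp search-replace` in step 2 recomputes those lengths, which is why it is the safer tool for wp_options and wp_postmeta. The following Python is an added example, not code from this post or from WordPress/WP-CLI; it shows the difference on a constructed option value. The names `php_parse`, `php_dump`, `url_replace` and `is_valid_serialized` are this example's own.

```python
# Added example (not code from the original post or from WordPress/WP-CLI):
# a URL replace that understands PHP's serialize() format, so values in
# wp_options / wp_postmeta that hold serialized arrays keep valid s:N: lengths.
# Function names are this example's own, not WordPress APIs.
from typing import Any, List, Tuple

PhpArray = List[Tuple[Any, Any]]  # ordered key/value pairs, like a PHP array


def php_parse(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Parse one serialized value at pos; return (value, position after it).
    Supports N, i, b, d, s and a; objects (O:) are not needed for this demo."""
    t = data[pos:pos + 1]
    if t == b"N":                                  # N;
        return None, pos + 2
    if t in (b"i", b"b", b"d"):                    # i:42;  b:1;  d:0.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        if t == b"i":
            return int(raw), end + 1
        if t == b"b":
            return raw == "1", end + 1
        return float(raw), end + 1
    if t == b"s":                                  # s:<bytes>:"...";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip  :"
        val = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match content")
        return val, start + length + 2
    if t == b"a":                                  # a:<count>:{key value ...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip  :{
        items: PhpArray = []
        for _ in range(count):
            key, pos = php_parse(data, pos)
            val, pos = php_parse(data, pos)
            items.append((key, val))
        if data[pos:pos + 1] != b"}":
            raise ValueError("array not terminated")
        return items, pos + 1
    raise ValueError("not PHP serialized data")


def php_dump(val: Any) -> bytes:
    """Inverse of php_parse; every s:N: byte length is recomputed here."""
    if val is None:
        return b"N;"
    if isinstance(val, bool):                      # before int: bool is an int
        return b"b:1;" if val else b"b:0;"
    if isinstance(val, int):
        return b"i:%d;" % val
    if isinstance(val, float):
        return ("d:%s;" % repr(val)).encode()
    if isinstance(val, bytes):
        return b's:%d:"%s";' % (len(val), val)
    body = b"".join(php_dump(k) + php_dump(v) for k, v in val)
    return b"a:%d:{%s}" % (len(val), body)


def is_valid_serialized(data: bytes) -> bool:
    """True if data is one complete, internally consistent serialized value."""
    try:
        _, end = php_parse(data)
    except (ValueError, IndexError):
        return False
    return end == len(data)


def _walk(val: Any, old: bytes, new: bytes) -> Any:
    """Apply the replacement to every string value inside the parsed tree."""
    if isinstance(val, bytes):
        return val.replace(old, new)
    if isinstance(val, list):
        return [(k, _walk(v, old, new)) for k, v in val]
    return val


def url_replace(value: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new in one column value. A serialized value is decoded,
    edited and re-encoded so the lengths stay right; plain text is replaced
    directly. SQL REPLACE() can only do the second part."""
    if is_valid_serialized(value):
        tree, _ = php_parse(value)
        return php_dump(_walk(tree, old, new))
    return value.replace(old, new)


if __name__ == "__main__":
    OLD, NEW = b"http://old.url.tld", b"https://www.newurl.tld"
    # Constructed sample: a widget option as WordPress would store it.
    option = b'a:2:{s:4:"home";s:18:"http://old.url.tld";s:5:"count";i:3;}'
    print(url_replace(option, OLD, NEW))
    print("plain REPLACE() result still readable:",
          is_valid_serialized(option.replace(OLD, NEW)))
```

Run it as is: the serialization-aware replace yields a value with s:22: for the new URL, while the plain replace keeps s:18: and fails the consistency check, which is exactly what a raw UPDATE ... replace(...) on wp_options produces.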

## Add New Domain Email Address to All Mailboxes in Exchange 2013

Let's say that your Exchange 2013 has multiple domains from various companies over the years:

• @company1.tld
• @company2.tld
• @company3.tld

Some mailboxes have @company1.tld email addresses but not all mailboxes have @company1.tld email addresses.

A decision has been made that everyone without an @company1.tld email address needs to have one. Or you are staging for a domain change or company merger of some type.

How do you find the mailboxes without @company1.tld and then add an @company1.tld email address without changing the current email address?

Here's how:

Get-Mailbox -Filter {EmailAddresses -notlike "*company1.tld"} |ForEach {set-mailbox $_.samaccountname -EmailAddresses @{Add=$_.samaccountname+"@company1.tld"}}

Boom.

## DNS Scavenging

First it is important to note that the dns record is owned by the node or individual computer. The dns record is not owned by the dns server. The dns server only keeps a record of the individual dns records. Kinda strange, right?

What often happens is that the dns record changes on the individual computer but the dns server is not updated. When a query is run against the dns server, the record is incorrect because it was not updated.

Secondly, there are 2 server roles here that work together; DNS and DHCP.

Thirdly, the lease-time should be set to double the refresh-rate.

Let's begin by starting with the DNS server:

• -right-click on the server-name.
• -click SET-AGING-SCAVENGING-FOR-ALL-ZONES.
• -checkmark "Scavenge stale resource records".
• -set both the no-refresh and the refresh interval to: 2-days
• -click OK
• -click "Apply these settings to existing..."
• -click OK

Great! You are on your way!

Let's move to the the DHCP server:

• -right-click on each dhcp zone.
• -click PROPERTIES.
• -set the dhcp-lease-time to: 4 days
• -click the DNS tab (at the top).
• -checkmark "Enable DNS Dynamic Updates..."
• -bullet "Always Dynamically Update DNS"
• -checkmark "Discard A and PTR records..."
• -checkmark "Dynamically Update DNS Records..."

Awesome! Almost finished. Now the second part on the DHCP server. This will allow the DHCP server to update the DNS server:

• -right-click on IPV4.
• -click PROPERTIES.
• -click ADVANCED tab (at the top).
• -click CREDENTIALS button

Finally, let's move back the DNS server:

• -right-click on the server-name.
• -click ADVANCED tab (at the top).
• -checkmark "Enable Automatic Scavenging of Stale Records"
• -set the scavenging interval to: 1-day.

You're done!

BONUS

If you have more than one DHCP server (for example, multiple locations):

• -find the built-in group, DnsUpdateProxy
• -add the DHCP servers from all locations.
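To see why the 4-day lease, the 2-day no-refresh and 2-day refresh intervals and the daily scavenging run above fit together, here is a small model of the timestamp rules, written as an added example for this post (it is not code from the post or from Windows DNS). It assumes the record's owner re-registers at a fixed period, which is what the DHCP server does at lease renewal (half the lease) when set up as above; `DnsRecord`, `try_refresh`, `is_stale` and `simulate` are this example's own names.

```python
# Added example (not from the original post): a model of the timestamp rules
# behind DNS aging and scavenging. Assumption: the record owner re-registers
# every refresh_period (the DHCP server does so at lease renewal, i.e. half
# the lease, when configured as in the post). Names are this example's own.
from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


@dataclass
class DnsRecord:
    name: str
    timestamp: datetime      # time of the last *accepted* dynamic update


def try_refresh(rec: DnsRecord, now: datetime, no_refresh: timedelta) -> bool:
    """A dynamic update with unchanged data may only rewrite the timestamp
    once the no-refresh interval has elapsed; inside that window the server
    ignores it (this is what keeps replication traffic down)."""
    if now - rec.timestamp < no_refresh:
        return False
    rec.timestamp = now
    return True


def is_stale(rec: DnsRecord, now: datetime,
             no_refresh: timedelta, refresh: timedelta) -> bool:
    """Eligible for scavenging once no-refresh + refresh has passed with no
    accepted update; the scavenging interval only sets how often this is checked."""
    return now - rec.timestamp >= no_refresh + refresh


def simulate(refresh_period: timedelta, no_refresh: timedelta,
             refresh: timedelta, scavenge_interval: timedelta,
             client_last_seen: timedelta, horizon: timedelta) -> dict:
    """Hour-by-hour run of one record. The owner re-registers every
    refresh_period until client_last_seen (after that the machine is gone);
    the server runs a scavenging pass every scavenge_interval."""
    t0 = datetime(2024, 1, 1)
    rec = DnsRecord("pc01", t0)
    stats = {"accepted": 0, "rejected": 0, "max_age_hours": 0,
             "scavenged_day": None}
    for h in range(1, int(horizon / HOUR) + 1):
        now = t0 + h * HOUR
        elapsed = now - t0
        if elapsed <= client_last_seen and elapsed % refresh_period == timedelta(0):
            if try_refresh(rec, now, no_refresh):
                stats["accepted"] += 1
            else:
                stats["rejected"] += 1
        age_hours = int((now - rec.timestamp) / HOUR)
        stats["max_age_hours"] = max(stats["max_age_hours"], age_hours)
        if elapsed % scavenge_interval == timedelta(0) and \
                is_stale(rec, now, no_refresh, refresh):
            stats["scavenged_day"] = elapsed.days
            break
    return stats


if __name__ == "__main__":
    # The settings from this post: 4-day lease (renewal every 2 days),
    # no-refresh 2 days, refresh 2 days, scavenging checked daily.
    print("live client :", simulate(2 * DAY, 2 * DAY, 2 * DAY, DAY, 30 * DAY, 30 * DAY))
    # A 2-day lease instead: every other renewal lands inside no-refresh.
    print("short lease :", simulate(DAY, 2 * DAY, 2 * DAY, DAY, 30 * DAY, 30 * DAY))
    # Client unplugged after day 5: stale 4 days later, removed by that day's pass.
    print("gone client :", simulate(2 * DAY, 2 * DAY, 2 * DAY, DAY, 5 * DAY, 30 * DAY))
```

The three runs show the behaviour the post relies on: with the post's values a live client's record never ages past two days and is never touched; with a lease that is too short, half the renewals are simply ignored by the no-refresh window; and a machine that disappears keeps its record for no-refresh + refresh (four days) after its last accepted update, then the next daily pass removes it.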

## Find User's OU

You know Joel in Sales. But you don't remember Joel's last name (because you've been staring at names all week) and you don't know Joel's OU.

Here's how to find Joel:

get-aduser -filter * |select samaccountname |findstr /i joel

This will bring up all the Joels in the domain. Hopefully you can narrow it down from here.

Now to find Joel's OU in the details of his record:

This will show the "distinguishedname" and allow you to narrow down the OU.

If you really want to see this properly in one line, we need to use the "canonicalname" and it would be like this:

get-aduser -filter * -Properties Canonicalname |select samaccountname,canonicalname |fl |findstr /i joel

## Dell Bios Upgrade Command Line

Here's how to upgrade the BIOS for a Dell Latitude/Precision laptop from remote:

• -click START > RUN > CMD
• -type: c:\drivers\bios\Latitude_5X80_Precision_3520_1.9.3.exe /s /r
"/s" is silent, "/r" is reboot.
• "/f" is force if the battery is not present.

And if the battery is not present in the Dell Latitude/Precision laptop:

• -type: c:\drivers\bios\Latitude_5X80_Precision_3520_1.9.3.exe /forceit
"/forceit" is force if the battery is not present.

Usually I schedule a restart with some network tools I have. But in this case, I can remotely access the system via command-line/powershell but my network tools are not working. Probably because it needs a reboot after installing some updates.

Here's how to schedule a reboot with command line/powershell (works in either):

• -click START > RUN
• -type: cmd (or type: powershell)
• -click OK
• -type: schtasks /create /sc once /tn restart /tr "shutdown -r -f ""restart""" /st 13:00 /RU system
Where "/st" is the time in 24H clock and "/ru" is necessary to run even if the user is logged in or not.

## Core i7 6500u Dell Inspiron 5559

A Core i7 6500u in a Dell Inspiron 5559 should be a good, fast processor. The laptop was dreadfully slow. Something had to be wrong.

• -hit CTRL+ALT+DEL
• -click PERFORMANCE tab
• -click CPU (on the left-hand side)

You will notice the SPEED sitting at around 0.39GHz. Hmmm... seems like something is throttling the CPU.

### BIOS Settings

I tried to fix some Bios Settings:

• c-states = off
• intel speedstep = off
• intel turboboost = off

Same result. Hmmm.... there must be some settings not being shown in the Bios that can be adjusted.

### ThrottleStop

Here's how to fix (as shown in my really edited picture below):

• 1-click LIMITS (on the right-hand side)
• 2-this will show you exactly why the throttle is happening. The culprit being BD_PROCHOT.
• 3-uncheck BD_PROCHOT (on the left-hand side)
• 4-checkmark DISABLE-TURBO
• 5-do NOT turn on SPEEDSTEP
• 6-do NOT turn on SPEED-SHIFT-EPP (if on, it will have a green SST "speed shift technology".)
(you can change the number next to SPEED-SHIFT and set it to zero, just delete the number and type over it)

You will notice the SPEED now at around 2.49GHz and the laptop is noticeably faster.

### Schedule to Auto Start

• -start TASK-SCHEDULER using the basic scheduler.
• -open the properties of the task.
• -start THROTTLESTOP on startup whether someone is logged in or not.
• -change the user to be SYSTEM.
• -since THROTTLESTOP doesn't have to stay running, you can close it automatically. Find the THROTTLESTOP.INI file in the THROTTLESTOP directory/folder, open with text editor and change "DCExitTime" to the number of seconds to remain open, say 5 seconds.

### Final Thoughts

There are reasons why this is happening. In the end, buy business class hardware (Dell Latitude/Precision; Lenovo ThinkPads, etc) that have more options in the BIOS.

Intel-Adaptive-Thermal-Monitor might be the actual culprit. The issue is that there is no option to turn off in the BIOS.

NOTES:

## Exchange Distribution Group Members

Here's how to blank out all members in a distribution group:

Update-DistributionGroupMember foo.group -Members $null

Here's how to update the members in a distribution group:

Update-DistributionGroupMember rochester.hills -Members foo.user1, foo.user2, foo.user3

If you need to add a member to the group:

Add-DistributionGroupMember foo.group -member foo.user

If you need to remove a member from the group:

Remove-DistributionGroupMember foo.group -member foo.user

If you need to adjust the list, do so in Excel, Word, Notepad, etc.

Here's how to add a Dynamic Distribution Group that contains all emails of a certain Organizational Unit (OU) in Active Directory (AD):

New-DynamicDistributionGroup -Name "foo.group.dynamic" -OrganizationalUnit "Foo OU" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox'))}

There's probably a better way to do this.

Here's how to see the members of a Dynamic Distribution Group:

$foovariable = Get-DynamicDistributionGroup foo.dynamic.group
Get-Recipient -RecipientPreviewFilter $foovariable.RecipientFilter -OrganizationalUnit $foovariable.RecipientContainer

## Exchange 2013 Distribution Groups Allow Outside Email

First, find the groups you want to change and give us the group email name and the value:

or
• get-MailboxFolderPermission foo.room:\calendar

#### Add Permissions

Afterwards, set the permissions for the calendar. This must be done at the calendar level:

• set-MailboxFolderPermission foo.room:\calendar -user Default -AccessRights Reviewer

To schedule the calendar in OUTLOOK,

• -click NEW > MEETING
• -click TO
• -select ALL-ROOMS
• -click the room required.
• -click RESOURCES (at bottom-left, to add the room to the RESOUCE area).
• -click the date and time you need.
• -click SEND

This will schedule the room for you, put the event on your personal calendar, put the event on the room calendar for everyone to see and manage if it is in use or not.

#### Everyone In Office To Add Events To A Shared Calendar

If everyone in the office is "playing nice" and if you just want the calendar to show, have people double-click on the calendar day to start an event and schedule a time, then set the calendar permissions to AUTHOR:

• set-MailboxFolderPermission foo.room:\calendar -user Default -AccessRights Author

#### NOTES:

-REVIEWER role is the following: (the "-" is not allowed)
ReadItems
FolderVisible
-CreateItems
-EditOwnedItems
-EditAllItems
-CreateSubfolders
-DeleteOwnedItems
-DeleteAllItems
-FolderOwner
-FolderContact

-AUTHOR role is the following: (the "-" is not allowed)
ReadItems
FolderVisible
CreateItems
EditOwnedItems
DeleteOwnedItems
-EditAllItems
-CreateSubfolders
-DeleteAllItems
-FolderOwner
-FolderContact

More at: https://technet.microsoft.com/en-us/library/dd298062(v=exchg.150).aspx

## Can't Scan From Ricoh Printer After Update | Can't Scan From Savin Printer After Update

Your scanning used to work from the Ricoh/Savin. It used to go right into a folder you had set up. Then the computer updated itself in the Fall/Winter of 2018 or early 2018. Now when you try to scan, it doesn't work.

This is because the computer updated to Windows 10 v1709 (aka Fall Creators Update). In this update, a change was made so that your computer can no longer talk to the Ricoh/Savin scanner. The update took away a communication protocol called SMBv1.

The correct fix is to change the way the scanner talks to the computer and use a newer communication protocol.

In lieu of making those changes, you can re-enable SMBv1:

• -click START > RUN
• -type: CMD
• -click OK
• -type: dism /online /enable-feature /featurename:smb1protocol

The same is true for disabling:

• -type: dism /online /disable-feature /featurename:smb1protocol

## Fix Office 2016

For 32-bit (x86) Office 2013 installed in 32-bit Windows using Click-To-Run:

• "C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe" scenario=Repair platform=x86 culture=en-us

For 32-bit (x86) Office 2013 installed in 64-bit Windows using Click-To-Run:

• "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" scenario=Repair platform=x86 culture=en-us

For 64-bit (x64) Office 2013 installed in 64-bit Windows using Click-To-Run:

• "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" scenario=Repair platform=x64 culture=en-us

For Office 2013 installed using the traditional MSI method:

• "C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Setup.exe"

## Outlook Rules / Exchange 2013 Rules / Inbox Rules For Mail

You can see the INBOX rules for every mailbox:

GET:
get-InboxRule -mailbox foo.user

You will get something like:
Name                          Enabled                       Priority                      RuleIdentity
----                          -------                       --------                      ------------
foo.bar.rule                  True                          1                             6404806255763783681

Of course, you can see the details by:

## Get Computer Information Via Command Line - WMIC

I spent some time in computer maintenance. This is thousands of computers across multiple locations on the globe. If I have to physically visit a computer, I've lost. The goal is to be able to provide network administration to all computers without ever having to physically visit on-site.

Because of this goal, gathering information is important.

WMIC is one tool for this. Here are some nice cheatsheet items:

Get the video card information/display-adapter information:
wmic path win32_VideoController get name

Get the video card driver:
wmic path win32_VideoController get driverVersion

Get the motherboard information:
wmic baseboard get product

Get the onboard devices:
wmic onboarddevice get description

Get the serial number in the bios:
wmic bios get serialnumber

Get the bios version:
wmic bios get smbiosbiosversion

Love it!

## Dropbox See What Computer Is Making Changes

There are three areas that we need to look at to see what computer is making changes. This is in the online web site version.

In the RECENT area:

• -click the ELLIPSES (the dots next to the title).
• -click the VERSION-HISTORY.
• -hover over the word DESKTOP. It will show the name of the computer that made the change.

## Remove Mailbox Permissions That Are Not Inherited

In performing a periodic check on permissions on mailboxes in EXCHANGE 2013, I saw that there are some permissions that would not remove.

Here's how to check for additional permissions across all mailboxes:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ',$_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv

There are some entries that did not belong that look like this:

RunspaceId: 03d29daa-2ca3-4428-bbe4-4ebc1102b86e
AccessRights: {FullAccess}
Deny: True
InheritanceType: All
User: DOMAIN:foo.user2
Identity: DOMAIN/Users/foo.user
IsInherited: False
IsValid: True
ObjectState: Unchanged

When I tried to remove them, I used this command:

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

But that didn't work, the permission remained the same. I could see that the permission is not-inherited and that the permission is to DENY.

To get it to work, I had to remove the DENY permission, like this:

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess -InheritanceType All -deny

The MS doc site shows like the following but I had no idea what <switchparameter> options were.

[-Deny <SwitchParameter>]

NOTES:

I've run into this more than once, as I created another post: http://www.daknetworks.com/blog/439-shared-mailbox-wont-disconnect-from-outlook
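Both this post and "Shared Mailbox Won't Disconnect From Outlook" come down to the same ACL mechanics: an explicit Deny entry sits ahead of an inherited Allow, `Remove-MailboxPermission` without `-Deny` only looks for Allow entries (so the Deny stays and the WARNING above is the cmdlet reporting the inherited entry it skipped), and `-Deny` is what makes it target the Deny entry. The following Python is an added example, not code from either post and not Exchange code, that replays the scenario against a model of the Windows DACL evaluation order (explicit Deny, explicit Allow, inherited Deny, inherited Allow). `Ace`, `has_access`, `remove_permission` and `walk_through` are this example's own names, and `remove_permission` models only the part of the cmdlet the posts rely on.

```python
# Added example (not from the original posts and not Exchange code): a model
# of the ACL behaviour behind the two Remove-MailboxPermission cases, using
# the Windows DACL evaluation order (explicit Deny, explicit Allow, inherited
# Deny, inherited Allow). All names below are this example's own.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

FULL_ACCESS: FrozenSet[str] = frozenset({"FullAccess"})


@dataclass(frozen=True)
class Ace:
    user: str
    rights: FrozenSet[str]
    deny: bool = False
    inherited: bool = False


def canonical(acl: List[Ace]) -> List[Ace]:
    """Order entries the way Windows evaluates a canonical DACL."""
    return sorted(acl, key=lambda a: (a.inherited, not a.deny))


def has_access(acl: List[Ace], user: str, requested: FrozenSet[str]) -> bool:
    """The first Deny that touches a requested right wins; Allows accumulate."""
    granted: set = set()
    for ace in canonical(acl):
        if ace.user != user:
            continue
        if ace.deny:
            if ace.rights & requested:
                return False
            continue
        granted |= ace.rights & requested
        if granted >= requested:
            return True
    return granted >= requested


def remove_permission(acl: List[Ace], user: str, rights: FrozenSet[str],
                      deny: bool = False) -> Tuple[List[Ace], List[str]]:
    """Model of Remove-MailboxPermission: drops the explicit entry of the
    requested kind (Allow unless deny=True, i.e. -Deny); an inherited match
    only produces the kind of warning the cmdlet prints and is left in place."""
    kept: List[Ace] = []
    warnings: List[str] = []
    for ace in acl:
        if ace.user == user and ace.rights == rights and ace.deny == deny:
            if ace.inherited:
                warnings.append("inherited %s entry for %s was ignored"
                                % ("Deny" if deny else "Allow", user))
                kept.append(ace)
            # explicit match: removed
        else:
            kept.append(ace)
    return kept, warnings


def walk_through() -> Dict[str, object]:
    """Replay the scenario: inherited + explicit FullAccess, the explicit one
    removed in the ECP, a Deny left behind, then the two removal attempts."""
    user = "foo.user2"
    acl = [Ace(user, FULL_ACCESS, inherited=True), Ace(user, FULL_ACCESS)]
    steps: Dict[str, object] = {}
    steps["before"] = has_access(acl, user, FULL_ACCESS)
    acl, _ = remove_permission(acl, user, FULL_ACCESS)         # ECP: explicit Allow gone
    steps["after_allow_removed"] = has_access(acl, user, FULL_ACCESS)  # inherited Allow still grants
    acl.append(Ace(user, FULL_ACCESS, deny=True))                # explicit Deny is what blocks
    steps["after_deny_added"] = has_access(acl, user, FULL_ACCESS)
    acl, warnings = remove_permission(acl, user, FULL_ACCESS)    # no -Deny: Deny untouched
    steps["deny_survives_plain_remove"] = any(a.deny for a in acl)
    steps["warning_count"] = len(warnings)                       # the inherited Allow was "ignored"
    acl, _ = remove_permission(acl, user, FULL_ACCESS, deny=True)  # -Deny: Deny removed
    steps["deny_left_after_deny_remove"] = any(a.deny for a in acl)
    steps["after_deny_removed"] = has_access(acl, user, FULL_ACCESS)  # back to the inherited Allow
    return steps


if __name__ == "__main__":
    for step, value in walk_through().items():
        print(f"{step:30s} {value}")
```

What remains after both removals is whatever is inherited from the parent object, which the cmdlet cannot touch (the WARNING line quoted above is it saying so); the Get-MailboxPermission audit at the top of this post, filtered on IsInherited, is the right way to list the explicit entries before and after.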

## Brother Printer DOA

Brother Printer DOA. Plugged in. Turned on. Lights flash. Then go off.

Called Brother support. They said it was a firmware issue and I had to take it to the authorized Brother dealer... I guess I can't handle it.

• -find a Windows XP computer.
• -install the Brother Maintenance USB Driver.
• -plug in the USB printer.
• -the computer should recognize it and install the device in the PRINTERS list.
• -click on the MAINTENANCE printer in the list to highlight it.
• -click FILE > PRINT-FILE
• -select the firmware.
• -wait a few minutes till all the lights on the printer are on and stay on.
• -power cycle the printer.

NOTES:

## "Windows 10" Black Screen After September 2017 Updates

Client Dell Latitude Laptop E5570 boots past the Dell logo (bios logo) and gets a black screen and can see nothing. The computer responds to a remote support software. I see nothing but I can run commands via command line (cmd) and get a response.

• -start the command line interface.
• -type: sc config "appreadiness" start= disabled
• -type: shutdown -r -t 3

This will disable the appreadiness service and restart the computer. The computer should boot to the login screen without difficulty.

If I didn't have the command line interface and simply had a laptop at home, I would try to get into safe-mode and then run the commands there:

• -click start > run
• -type: cmd
• -click OK
• -type: sc config "appreadiness" start= disabled
• -type: shutdown -r -t 3

## Add Photo into Outlook / Exchange 2013 for Everyone

Sometimes when I get an email from someone in OUTLOOK, their photo shows. How do they do that?

Setting your picture can happen in a few ways.

OUTLOOK

• -open OUTLOOK.
• -click FILE (at the top-right).
• -click CHANGE (under the picture).

WEB SITE

This is also possible on the web site at:

• -https://domain.tld/owa
• -click your name (at the top-right).
• -click CHANGE (under the picture).

This is also possible by having the administrator do it for a single user, OU or entire domain.

For a single user and you know the file location:

• Set-UserPhoto "username" -PictureData ([Byte[]] $(Get-Content -Path "C:\path-to-file\username.jpg" -Encoding Byte -ReadCount 0)) -Confirm:$false

For everyone:

• -save photos in common location.
• -name the photos the same as the username.
• -get all the users in EXCHANGE:
get-user -resultsize unlimited |select samaccountname |export-csv c:\path-to-file\users.csv
• -add a column called "picture"
• -run the command:
Import-Csv "c:\path-to-file\users.csv" | foreach {Set-UserPhoto -Identity $_.samaccountname -PictureData ([System.IO.File]::ReadAllBytes("c:\path-to-pics\$($_.samaccountname).jpg")) -Confirm:$false}

For an OU:

• get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties HomeDirectory | foreach {Set-UserPhoto -Identity $_.samaccountname -PictureData ([System.IO.File]::ReadAllBytes($_.HomeDirectory+"\"+$_.samaccountname+".jpg")) -Confirm:$false}

Done!

## Compress PDF With Ghostscript On Windows

Compress PDF with Ghostscript On Windows

Installation is easy but the installer doesn't put the directory in the PATH. Until that time, you will have to type in the whole path to run the program:
C:\Program Files\gs\gs9.21\bin\gswin64c.exe

Adding to the PATH allows you to run the program by just using:
gswin64c.exe

To change the PATH temporarily, you can add to the PATH by typing in the command line:
set PATH=%PATH%;C:\Program Files\gs\gs9.21\bin\;C:\Program Files\gs\gs9.21\lib\

Or you can:

• -right-click MY-COMPUTER
• -click PROPERTIES
• -click ENVIRONMENT-VARIABLES (at the bottom-right).
• -in the lower section called "SYSTEM VARIABLES", find PATH
• -click EDIT
• -find VARIABLE VALUE
• -keep everything there
• -go to the end of the value and append:
;C:\Program Files\gs\gs9.21\bin\;C:\Program Files\gs\gs9.21\lib\;

NOTE: do not remove any of the existing values.

### RUNNING GHOSTSCRIPT

The idea here is that Ghostscript will create PDFs for you without step-by-step interaction. Let's say you have a directory of PDFs that somebody scanned at 1200dpi with each PDF at 10MB. After time, this directory becomes entirely too large. We can use Ghostscript to re-compress the PDFs by 90% and take each PDF down to 1MB.

Ghostscript is a suite of commands and not just one command. The command we are interested in is: ps2pdf

To run for a single file:
ps2pdf -dPDFSETTINGS#/ebook C:\path\to\input\file.pdf c:\path\to\output\file.pdf

There are a bunch of options but the most are correctly set by default:
https://www.ghostscript.com/doc/current/Ps2pdf.htm

Here is a script to run for an entire directory. Create the batch file and name it compress-all.bat. Put the batch file in the directory for which you want to compress files. Run the batch file from command line. It will create a "compressed" folder and put a copy of the compressed files in there:
=====

@echo off
setlocal
set GS_OUTPUT_DIR=compressed
mkdir %GS_OUTPUT_DIR%
for %%i in (*.pdf) do ps2pdf -dPDFSETTINGS#/ebook "%%i" "%GS_OUTPUT_DIR%\%%i"


## Branch Office AD isn't working when the HQ AD is offline

### SITUATION DISCOVERY

Branch Office Domain Controller Active Directory isn't working when the HQ DC AD is offline. Hurricane Irma knocked power out at the HQ location. The HQ DC AD server was shut down to prevent any issues.

Branch offices across North America have DC's, AD's and DNS.

When users go to a local server share, they get the login box with an error message:
"Search Results The system cannot contact a domain controller to service the authentication request"

When I go to the AD Users & Computers, I get an error message:
"Active Directory Naming Information Could Not Be Located"

The Users & Computers tree on the left hand side has an X for "Active Directory Users and Computers" and the center box is blank.

### DIAGNOSTICS

I make sure DNS is setup correctly:
IPV4: 10.162.99.99
DNS1: 10.162.99.99 (SELF, always should be this way)
DNS2: 10.162.55.55 (HQ1)
DNS3: 10.162.55.56 (HQ2)

==========
I make sure the FORWARDERS are set correctly:
4.2.2.2

And working:
nslookup where-ever.tld 4.2.2.2

PASS     PASS

==========
Ping domain:
ping my-domain-name-here.com

Positive reply. So I know the domain and AD exists. I just can't reach it.

==========
Next, I try a dcdiag /fix:
dcdiag /fix

<snip>
"Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
</snip>

Bummer... it cannot reach a Global-Catalog. This is certainly the heart of the issue.

==========
Next, I check to see if my server is a GLOBAL-CATALOG server:

Repadmin: running command /options against full DC DC-01.my-domain-here.com
Current DSA Options: IS_GC

Well, I now know that the server I am using is a GLOBAL-CATALOG.

==========
Next, I check to see what servers are global catalog servers as stated in DNS:
nslookup gc._msdcs.my-domain-name-here.com

Server:  dc-al-01.my-domain-name-here.com

Name:    gc._msdcs.my-domain-name-here.com
10.162.190.213
10.162.509.231
10.162.260.101
10.162.430.110
10.162.410.19
10.162.100.222

The server is in the list on DNS as a GLOBAL-CATALOG.

==========
Next, I try a dsquery:
dsquery server -isgc

dsquery failed:The specified domain either does not exist or could not be contacted.

==========
Next, I try a nltest:
nltest /dsgetdc:my-domain-name-here.com
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

==========
Next, I look at a registry value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

### CAUSE

There is certainly more to this. The AD isn't set up correctly. Active Directory uses the _msdcs.my-domain-here.com sub-domain to host SRV records. These records are not automatically updated, even in 2012-R2. Consequently, there may be outdated servers listed. In addition, the new servers will be missing.

You can find the domain and the servers here:

DNS -> DC-SERVER-01 > FORWARD > my-domain-name-here.com > _msdcs

dc1.my-domain-name-here.com
dc.my-domain-name-here.com

Since this list is not updated automatically, the old servers are not available to provide the info. The new servers are not in the list since they are not added automatically. That means that the only server in the list was the original server. Once that server is no longer available, AD is unavailable. So much for fault tolerance.

### SOLUTION

Workaround solution:

This makes the SYSVOL folder available and the AD Users-&-Computers should populate.

Permanent solution:

Once available, go to DNS -> DC-SERVER-01 > FORWARD > my-domain-name-here.com > _msdcs

Manually edit them. Remove the ones that don't exist and add the ones that do.

## SMTP Providers

SMTP providers:

| SERVICE | PRICE |
|---|---|
| ElasticEmail (up to 150K free) | $- |
| AWS SES | $2.50 |
| SendInBlue | $7.37 |
| MailGun | $7.50 |
| MailJet | $8.00 |
| SparkPost | $9.00 |
| SendGrid | $10.00 |
| SCANMAILX | $15.00 |
| Mandrill | $20.00 |
| PostMark | $37.50 |
| SocketLabs | $80.00 |

-based on 25K emails per month.

## apcupsd

apcupsd runs UPSs. It's rather simple:

### DOWNLOAD & INSTALL

Downloading and installation isn't hard.

### RUN APCUPSD

Running apcupsd isn't hard:

• -click START > PROGRAMS > APCUPSD > START-APCUPSD

This will shut your computer down when the battery is nearing end of power.

### TEST BATTERY WITH APCUPSD

One of my favorite parts is that apcupsd has some options to test a battery and set some battery options. Here's how:

• -first, stop apcupsd by: click START > PROGRAMS > APCUPSD > STOP-APCUPSD
• -you may have to stop the APCUPSD service: click START > RUN > SERVICES.MSC. Find APCUPSD in the list. Click STOP.
• -CMD (as admin)
• -cd to: C:\apcupsd\bin
• -type apcaccess.exe to see stats
• -type apctest.exe to test/configure battery

### PERFORM CALIBRATION

Most of the trouble comes from performing calibration on the unit. This can be done in 2 different ways:

• -with APCTEST.
• -with a manual calibration.

A manual calibration is basically to put at least a 30% load on the unit, unplug the unit and let it drain to zero, then plug the unit back in.

### NOTES:

-you cannot run apctest.exe with apcupsd running.
-click here for manual calibration docs as it gets into more detail than I care to display: http://www.apcupsd.com/manual/manual.html#manual-runtime-calibration

## FileMaker on a cloud Virtual Machine

I've had an interest in FileMaker for decades. Nothing else seems to fit the custom software solution like FMP does. So putting the FMP Server on a cloud VM was information worth pursuing.

The costs from various places range like this (obscured to avoid any love letters):

| SOURCE | MONTHLY-COST | TOTAL COST |
|---|---|---|
| aws | 50 | 600 |
| lsn | 50 | 600 |
| host-1 | 71 | 852 |
| host-2 | 79 | 948 |
| host-3 | 99 | 1188 |
| host-4 | 100 | 1200 |
| host-5 | 130 | 1560 |
| host-6 | 130 | 1560 |
| host-7 | 140 | 1680 |
| host-8 | 150 | 1800 |
| host-9 | 150 | 1800 |

As the outgoing Rackspace CEO recently referenced, it is hard to beat a disrupter like AWS. You're going to have to join them.

In the end, I decided to go with LSN. They have a CloudStack running and I can rely on their support if I'm ever in a jam.

NOTES:

http://www.soliantconsulting.com/blog/2016/01/filemaker-server-on-amazon-web-services

## The Quick and Dirty Windows 10 Fix

1- fix Windows Update

Use the Windows Update Troubleshooter here: https://support.microsoft.com/en-us/help/10164/fix-windows-update-errors

2- fix Windows Image

-open POWERSHELL (as admin)
-type: DISM.exe /Online /Cleanup-image /Restorehealth

3- fix Windows System Files

-type: sfc /scannow

4- fix Windows Apps:

-type: Get-AppXPackage | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

## Exchange 2013 Error: The Global Catalog Verification failed

Working on Exchange 2013 and adding permissions to a mailbox, I get:

Active Directory operation failed on exchange.domain.tld. This error could have been caused by user input or by the Active Directory server being unavailable. Please retry at a later time. Additional information: The global catalog verification failed. The global catalog is not available or does not support the operation. Some part of the directory is currently not available.

Active directory response: 000020E1: SvcErr: DSID-03200672, problem 5002 (UNAVAILABLE), data 0

Here's how to fix:

• -delete the files in: C:\Users\administrator\AppData\Roaming\Microsoft\MMC (or C:\Users\administrator.<foo>\AppData\Roaming\Microsoft\MMC)
• -re-run the command: Add-MailboxPermission foo.user -User foo.user2 -AccessRights FullAccess -InheritanceType All
• -set-mailbox foo.user -GrantSendOnBehalfTo foo.user1,foo.user2,foo.user3

That is all.

## The Trust Relationship Between This Workstation and the Primary Domain Has Failed

### Reset-ComputerMachinePassword

Just as a USER-ACCOUNT is an object in AD, a COMPUTER-ACCOUNT is an object in AD. This has a password, but the password isn't working. Let's reset the password.

• -type: $credential = Get-Credential
(enter the domain admin account when prompted)
• -type: Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential

### Test-ComputerSecureChannel

Now, let's test the secure channel:

• -start > programs > powershell (as administrator)
• -type: Test-ComputerSecureChannel

It will come back either TRUE or FALSE. If it's false, let's try and repair it.

• -login to localadmin-account on local system and type: Test-ComputerSecureChannel -Repair
• -if that didn't work, try: Test-ComputerSecureChannel -Repair -Credential (Use the username/password of the domain admin account)
• -if you need to run remotely: Invoke-Command -ComputerName REMOTE-COMPUTER-NAME-HERE -ScriptBlock { Test-ComputerSecureChannel } -Credential (Get-Credential -UserName 'admin-here' -Message 'User')
• -if you need a one-liner: Test-ComputerSecureChannel -Repair -Credential (New-Object System.Management.Automation.PSCredential 'domain\adminaccounthere',(ConvertTo-SecureString 'password-here' -AsPlainText -Force))

What I usually find is that I can't run the commands remotely because the trust is broken. And when I run locally, it simply runs "False."

So I copy a powershell script onto the computer with the file name rejoin-domain.ps1

==================
# Leave the current domain, join the new one (3 = JOIN_DOMAIN + ACCT_CREATE), then reboot
$computer = Get-WmiObject Win32_ComputerSystem
$computer.UnjoinDomainOrWorkGroup("password-here", "administrator", 0)
$computer.JoinDomainOrWorkGroup("domain.tld", "password-here", "administrator", $null, 3)
Restart-Computer -Force
==================

Then run the powershell through a remote command line like this:
powershell c:\path-to-file\rejoin-domain.ps1

### Netdom

An older way of fixing this was with NETDOM.

I found out the relationship failed by:

• -right-click a folder that is a shared folder for a group on the domain.
• -click properties
• -click security tab (at the top)
• -click advanced button (at the bottom)
• -effective-access tab
• -select a user
• -click VIEW-EFFECTIVE-ACCESS

## ForensiT User Profile Wizard For Entire Location

ForensiT User Profile Wizard is a great tool when you are migrating from domainold.tld to domainnew.tld.

The free version is a manual process but the corporate version is an automated process that helped migrate an entire office.

### Cost

The cost is around $2 USD per computer. So for 100 computers, the cost is $200. Priced right for the time you will save.

### Installation

A license file will be emailed to you. Save the file in the location: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\

### Run The Wizard

Running the wizard will create a CONFIG file. The config file is an XML file that is editable by any text editor. The options are pretty standard and you will be able to get through them. Very simple, nothing complex. I think the only gotchas are:

-reboot without notice (as you'll be doing this off-hours).

-create a SINGLE-DEPLOYMENT-FILE.

When finished, it will save the CONFIG file in: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\

### Edit the Config File

Edit the CONFIG file at C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\. Run the PROFWIZ.EXE again to edit the file you just created.

You need to edit a few items to get it to work the way we want it to. Namely, the following:

<!-- Corporate Edition Settings -->
<Silent>True</Silent>
<NoMigrate>False</NoMigrate>
<NoReboot>False</NoReboot>
<MachineLookupFile>\\server\share\migrate-pc-file.csv</MachineLookupFile>
<Log>\\server\share\Migrate.Log</Log>
<ScriptLocation>\\server\share\Migrate.vbs</ScriptLocation>
(yes, change this even if it says not to. I find having the server share is more accommodating)

<!-- Settings for migrating all profiles -->
<All>True</All>

<!-- Advanced Settings -->
<Persist>False</Persist>
<NoGUI>True</NoGUI>

<ProtocolPriority>LDAP</ProtocolPriority>
<DC>\\britannic2.britannic.domainname.tld</DC>

<ProfBatRetryLimit>3</ProfBatRetryLimit>
<ProfBatRetryDelay>2</ProfBatRetryDelay>

Most of the key/values are self-explanatory. To choose which domain controller you want to join, the ProtocolPriority must be set to LDAP and the DC setting specifies the FQDN of the domain controller (make sure you precede it with "\\").

### Create Migrate-PC.CSV File

A .csv file needs to be created. Column A is the current computer name. Column B is the new computer name. If the names are the same then the computer name doesn't change.

Save this file in \\server\share\migrate-pc-file.csv

Save the single-deployment-file in the same location: \\server\share

### Deployment

I used 3 ways to deploy.

1- automatically at admin workstation on domainold.tld (profbat):

• -save it in: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\
• -make sure you are still on the domainold.tld and logged in as a user at domainold.tld
• -reboot all the computers for a fresh start (use PDQ inventory if you need to do this automatically).
• -click START > PROGRAM-FILES > FORENSIT > COMMAND-LINE (you do not need to run this as-admin)
• -a cmd prompt opens
• you should be at: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\
• -type: profbat.exe
• -hit enter
• -wait... It will give some feedback but not much.
• -it will automatically go through all the computers in the .csv list, migrate all the profiles and join the new domain and reboot the computers.
• -once rebooted, everyone can use their new login at newdomain.tld
• -AWESOME!
• -the logs should be at \\server\share
• -each pc will have its own migration log.

2- manually at admin workstation on domainold.tld:

• -click START > PROGRAM-FILES > FORENSIT > COMMAND-LINE (you do not need to run this as-admin)
• -a cmd prompt opens
• -type: profwiz.exe /COMPUTER computer-name-here
• -hit enter
• -you will see:
>
• -wait... It won't give any verbose information.
• -soon it will go to a new line once finished and you will see:
>
>
• -the logs are the place you indicated (which should be \\server\share\).

3- manually at admin workstation after domainnew.tld:

If for some reason the PCs are joined to domainnew.tld without the profiles being migrated, don't worry, as it is pretty much the same process. The most important part is the first step:

• -make sure you are on the domainnew.tld and logged into a user with domainnew.tld
• -click START > PROGRAM-FILES > FORENSIT > COMMAND-LINE (you do not need to run this as-admin)
• -a cmd prompt opens
• -type: profwiz.exe /COMPUTER computer-name-here
• -hit enter
• -you will see:
>
• -wait... It won't give any verbose information.
• -soon it will go to a new line once finished and you will see:
>
>
• -the logs are the place you indicated (which should be \\server\share\).

4- manually at the client computer:

• -save the profwiz.exe, profwiz.config, migrate.exe, migrate.vbs at the share: \\server\share\
• -edit the profwiz.config
• -change: <GUI> True
• -save
• -run: migrate.vbs
• -it should show the progress and migrate all the profiles over.
• -reboot the computer.

5- automatically via logonscript

• -save the profwiz.exe, profwiz.config, migrate.exe, migrate.vbs at the share: \\server\share\
• -login to the client pc. It will begin the migrate process and skip if it has already been run (of course it won't be referenced once the computer is joined to the new domain).

### Final Thoughts

That's it! That should handle all the scenarios that will work. Of course, there are many scenarios that will NOT work. Most of the errors will come from trying to move a client-pc on domainold.tld by using an admin-workstation already joined to domainnew.tld (and logged into a domainnew.tld user), or vice-versa. If you are making changes, the client-pc and the admin-pc must be on the same domain (at least for it to be easy).

In any event, in all scenarios I did not visit a single client pc. Everything worked with a little thinking. This should be built into Windows Server.

NOTES:

For the curious... Yes, it is possible to have 2 domains on the same network subnet at the same time. But there can only be one DHCP, and both domains should reference the other in the DNS -> FORWARD LOOKUP ZONES. Simply add the other domain and the IP address of the other domain server.

## Null result from socket | Watchguard, Mimecast and Office365


Couldn't get email from certain outside domains. Further investigation revealed that this is only happening from domains hosted at Office365. The error message in Mimecast is "Null result from socket."

This means that there is no response from the internal email server when Mimecast tries to deliver the message. That means it is being blocked by the WatchGuard.

So the WatchGuard SMTP proxy is blocking any message where the header is too large.

You can see above that the "Maximum email header size" is at 20,000 bytes.

We set it to: 21000.

Save > Push-Config

That did it!

NOTES:

http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/proxies/smtp/proxy_smtp_gen_settings_c.html

## Set Logon Script For Everyone in Domain With Powershell | Set Logon Script For Everyone in OU With Powershell

### Set Logon Script For Everyone in Domain | Set Logon Script For Everyone in OU

Good morning class! Today, let's set the LOGON SCRIPT for everyone in a domain or in an OU:

To clear the value:

To set the value:

Or for a single user:

### See Logon Script for Everyone in Domain | See Logon Script For Everyone in OU

Or in table form:

Or for a single user:
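As an added example (not from the original post), here is how the set, clear and see steps above look in PowerShell with the ActiveDirectory module; the OU path, the script name and the user name are placeholders, and every write is previewed with -WhatIf.

```powershell
# Added example: set, clear and audit the logon script (AD attribute
# scriptPath) for everyone in a domain or OU. Assumes the ActiveDirectory
# module (RSAT) is installed; the names below are placeholders.
Import-Module ActiveDirectory

$Ou         = 'OU=Staff,DC=domain,DC=tld'   # placeholder: target OU
$ScriptName = 'logon.bat'                    # placeholder: file in NETLOGON

# Set the value for everyone in the OU (drop -SearchBase for the whole
# domain). -WhatIf only previews; remove it to apply the change.
Get-ADUser -Filter * -SearchBase $Ou |
    Set-ADUser -ScriptPath $ScriptName -WhatIf

# Clear the value for everyone in the OU.
Get-ADUser -Filter * -SearchBase $Ou |
    Set-ADUser -Clear scriptPath -WhatIf

# Or for a single user.
Set-ADUser -Identity 'foo.user' -ScriptPath $ScriptName -WhatIf

# See the value for everyone in the OU, in table form.
Get-ADUser -Filter * -SearchBase $Ou -Properties scriptPath |
    Select-Object SamAccountName, scriptPath |
    Format-Table -AutoSize

# Audit: a logon script runs in the user's context at every logon, so any
# scriptPath in the domain that is not the expected NETLOGON file deserves
# a look (an unexpected UNC path or executable is the usual red flag).
Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath |
    Where-Object { $_.scriptPath -ne $ScriptName } |
    Select-Object SamAccountName, scriptPath
```

Remove -WhatIf once the preview matches what you intend; the audit query at the end is read-only and can run as-is.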

### What About More? I Want More! Like the Home Folder?

Now I already know what you are going to ask... "Can I set the HOME FOLDER as well?"

YES!!! It's a little complicated so it is in another article here: http://www.daknetworks.com/index.php/blog/390-how-to-setup-home-drives-home-folders-and-login-scripts

