Tuesday, November 24, 2009

Friday, November 6, 2009

red X when replying to email or sending new email via OWA on Exchange 2003

This problem happens when using IE8 to connect to an Exchange 2003 OWA instance that isn't fully patched (and you can't get your admin to patch it).

This fix also works for IE8 crashing while using (Exchange 2003) OWA when you hit Send on an email.

I grabbed the latest S/MIME Controls setupmcl.exe from the KB924334

http://www.microsoft.com/downloads/details.aspx?FamilyId=41275DEC-4C01-4C41-AA64-C9DBE5EA3F7E&displaylang=en


File version is 5.3.18.6 for the executable; when installed, its version is 6.5.7651.60.

Installed that on my Windows 7/ IE8 machine and OWA now works again.

Tuesday, October 20, 2009

Weird problem where a shared calendar mailbox keeps sending emails to group

So I thought this was going to be a case of someone adding an "Outlook rule" to auto-forward emails, but it turns out meeting requests were the only type of thing sent to the box where responses were forwarded to a large distro list. Turns out the fix was to go into Outlook/Tools/Options/Delegates. Someone had added a distro in there, and all meeting requests sent to this mailbox forced a response "accepted" mail to everyone on that distro list.

Wednesday, September 30, 2009

Gmail's Evil account lockout tool Captcha

Gmail's Evil account lockout tool, a great link for those of us who have google apps for email and have ever had gmail lock you out of your account for trying 1 bad password.

https://www.google.com/a/domainname.com/UnlockCaptcha

Tuesday, September 22, 2009

So you've decided to add another nic to openfiler 2.3

here is the easy way (unless it auto detects, cause that's easier)

Go into /etc/modprobe.conf

Setup the eth2,3,4, whatever just like eth0,1 whatever

go into /etc/sysconfig/network-scripts

cp ifcfg-eth1 ifcfg-eth2(new interface)

open it, modify the following lines
DEVICE=eth2
and
IPADDR=192.168.10.10
so you don't have conflicts

save it, reboot, you should now see it in your UI

Saturday, September 19, 2009

Openfiler 2.3 intel nics disappear after applying updates

I noticed that with openfiler 2.3 my nics disappeared after applying the updates. Turns out there is a linux kernel update that changes the Nics from e1000 to e1000e .

To get these nics back, just modify your /etc/modprobe.conf and change your eth0 to e1000e from e1000.

Reboot and it should be back to a-ok

Friday, September 18, 2009

Passed the VCP4 (vcp410) exam today

I got an instructor level score, but that thing isn't easy. It's probably the most bizarre test I've ever taken. Most of the questions look like this:

You did X horribly wrong and against all best practices and recommendations.

Now you want to do Y.

What happens?

I dunno..I never did X wrong, so Y always works?

I'm just glad its over.

Tuesday, September 15, 2009

HP ESX Management Agent Cheat Sheet

To diagnose a hardware problem on an HP Server with ESX and the HP software agent installed run

hpasmcli

then you can do commands such as
show dimm
show iml
show ?
etc....

Monday, September 14, 2009

Tips for VCP 410 Exam

1) Buy this book Mastering VMware vSphere 4

2) Read this document vSphere Admin Guide

3) Read the vSphere Maximums PDF

4) Read the SAN Setup Guide

5) Read the VMWare forums.

6) Read every PDF from vmware.com about vSphere you can find.

7) Do installs, do upgrades (every method), Setup and try all the new features. You will find vSphere 4 to be a much bigger upgrade to 3.5 than you'd expect.

If you do vSphere all day long, you will fail this test (I do and I did the first time). You must read the forums and get involved in the VMWare community. They will throw some insane questions at you that any decent admin would never encounter, the ONLY way to know the answers to these is to read the forums for obscure issues bad admins have run into by setting up their ESX servers and vCenters incorrectly.

Study hard and good luck.

Friday, September 11, 2009

Build a ESX 4 Host

1) Install, take defaults, make swap partition 1600MB or just round up to 2GB
2) Setup/Configure -
NTP
Service Console Memory - 800MB
System Reserve - 1500mhz
Networks/Networking
Patch ESX
Install hardware (HP) Agents
Use Host Profiles to do all (or most) this if you can.

Hey look Email's aren't being delivered

I see an error when I Telnet to SMTP Exchange 2007 of 452 4.3.1 Insufficient system resources

The answer..

Apparently Ex2007 SMTP must have at least 1GB of free space or it gives that error and stops working.

Thursday, September 10, 2009

Vizioncore's best practices for ESX host setup

ESX Host Configuration
vReplicator 2.5 uses the ESX Service Console to control replication and also uses VMware snapshot
technology. By default, the ESX Service Console is significantly resource constrained, which can impact
the performance of replication and snapshots.
For best performance of replication and VMware snapshot operations, increase the memory allocation
of the Service Console to 800MB and CPU Reservation to 1500 MHz. You can configure these settings
through the VMware Infrastructure Client on the Configuration tab of each ESX host. The settings are
under “Memory” and “System Resource Allocation”.
The ESX Service Console should have a dedicated 1Gbps network interface assigned to ensure adequate
bandwidth for replication. Sharing a network card between the service console and virtual machine
network can impact on replication performance.

http://www.vizioncore.com/products/vReplicator/documents/vReplicator-Best-Practices-v1.20.pdf

Monday, August 31, 2009

ESX4 Web Admin

By default ESX4 upgrade disables the web management console. Also a fresh install does the same. When you browse to it you get 403 Service Unavailable.

To get it working, go to
/etc/init.d
run ./vmware-webAccess start

Monday, August 24, 2009

EMC Clariion unmanageable

Well I changed the IP on my Clariion CX3-20c on both SPA and SPB, now they only see themselves, and no data. Basically the fix was to go into the setup at http://IPADDRESS/Setup, then choose the Reset all domain information and restart the Management Server (Destroy Security and Domain Information) option, reboot the management agent, then repeat for Node B as well, then rebuild the domain, and voilà, it works again. Don't forget to re-setup any alerts or anything else you have.

Wednesday, August 12, 2009

I want to know what users to harass because their mailbox is too large

Lets say 1GB+ is too large

Get-MailboxStatistics -Server csmailstore1 | Where {$_.TotalItemSize -gt 1GB} | Sort-Object -Property TotalItemSize -Descending | Format-Table DisplayName,TotalItemSize > c:\mailboxsizes.txt

Exchange Send-As problem

Doing an exchange migration between AD Forests, Logging in as my new account, I was able to give myself rights via Exchange and AD to my old mailbox in the old domain. Exchange permissions were a snap, the only exception is that they had to be done via powershell since the Exchange 2007 GUI doesn't allow you to 'pick' users from another forest. Granting the Send As AD Right is also done with powershell , such as

Add-ADPermission "brian smith" -user newADDom\bsmith -ExtendedRights Send-As

However, every 15 minutes or so I noticed that this right would vanish. I'd do a
Get-ADPermission "Brian Smith" | ft -wrap > c:\Brian.txt
and notice there were no permissions for newADDOM\bsmith.

I found out one of the security restrictions is that Domain Admins and Enterprise Admins can't have "send-as" rights to another mailbox. Therefore I have to remove myself from those groups in order to work in a Send-As scenario. Nice job Microsoft, way to use a 'best practice' guide as an excuse not to fix a huge bug. There are workarounds, but they look too difficult to bother with for the short time before we migrate.

NOTE: you really gotta make sure its removed from all of the groups that are members of any of the other builtin groups.

Tuesday, August 4, 2009

DC's out of Time Sync

So apparently NET TIME is deprecated, and replaced with w32tm /monitor and other w32tm (Windows Time) commands.

Doing my w32tm /monitor command showed me that my DC's were out of sync. Seeing this I wondered why. I noticed in the registry that many of my DC's were syncing with time.windows.com. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Since my PDC emulator has the appropriate settings to be an NTP server and is pointing to an external time source my company likes, it's ready to be sync'd with, so I wanted to point all my DC's to it, and not time.windows.com

I modified the "NtpServer" REG_SZ parameter to be the IP of my PDC Emulator, restarted the Windows Time Service, and blamo in less than 3600 seconds, it all works again

Thursday, July 30, 2009

Exchange Not delivering emails(SCR Replication), Active Mailbox Delivery Queue Length growing, Information store wont start Exchange 2007

We use the new SCR replication to our Remote Backup location.  For some reason emails started to queue up.  I rebooted the Mailstore in hopes the hub would then be able to deliver the messages, this didn’t help, when Exchange mailstore came back up, the IS and SA wouldn’t start, here are some of the event log errors:

==========================================

Event Type:    Error
Event Source:    MSExchange ADAccess
Event Category:    Topology
Event ID:    2142


Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1528). Topology discovery failed, error 0x8007077f.

==========================================

Event Type:    Error
Event Source:    MSExchangeIS
Event Category:    General
Event ID:    5000


Unable to initialize the Microsoft Exchange Information Store service.   - Error 0xfaf.

==========================================

Event Type:    Error
Event Source:    MSExchangeTransportLogSearch
Event Category:    General
Event ID:    7005

Microsoft Exchange couldn't read the configuration from the Active Directory directory service because of error: Failed to load config due to exception: Microsoft.Exchange.Data.Directory.NoSuitableServerFoundException: The Exchange Topology service on server localhost did not return a suitable domain controller………

==========================================

All of this told me that Exchange was unable to locate a GC in its site.  That’s pretty odd, there is a DC/GC racked right above it on the same LAN.  However, after quite a bit of trial and error I noticed that in AD Sites there was no “Subnet” for this range of IP addresses; someone had deleted it.  Once this was fixed and I forced a full AD Sync, everything came back online.

NOTE: another thing I did was to change the DNS settings for the Exchange Mailstore.  I read that sometimes you have problems locating a GC if you point to a DNS/DC server that is far away and not in your site.  I doubt this did much, but its working now so I thought i’d throw it in there.

Tuesday, July 28, 2009

I couldn't seem to find replmon on 2008 server

well turns out its been replaced by repadmin.

so commands like repadmin /replsummary , things like that should show you what you need.

Monday, July 20, 2009

When you install ESX

The only changes I recommend are these.

800 MB for Service Console (for HP ESX mgmnt, for Backups)
1600 MB for Page File (should always be 2x SC above)
1500mhz reserved for Service Console (for backups, misc)

Friday, June 19, 2009

UPS-Tastic

These guys must hate us..or be Jim Carey in Ace Ventura.


EDIT #1

Thank god I didn't need another free Dell keyboard.

EDIT #2

No, its not a new type of fancy ergonomic keyboard.

EDIT #3

No, its not a Dell keyboard, its an HP laptop keyboard, but know that only makes me sad and breaking the free Dell keyboards just doesn't...

Monday, June 8, 2009

Scanning with nmap

For local subnet
nmap [-n] -sP -PR -T[4,5] --max-retries [0,1] --host-timeout 4000 -oG <output-file> *.*.*.*

For scans on routable subnet (icmp echo)
nmap [-n] -sP -PE -T[4,5] --max-retries [0,1] --host-timeout 10000 -oG <output-file> *.*.*.*

Red is for recommended value

Services that may be disabled in a VM

Look down to Chart 1
http://redmondmag.com/Articles/2009/06/01/Green-Power.aspx

Saturday, May 30, 2009

ESX 4 HA Errors

So I had read ESX4 was better about HA setup than 3.x. I was in the beta, but didn't have the chance to test HA. So after upgrading the production cluster to ESX4, HA was broken again.

Enabling HA gave the error:
"Cannot complete the configuration of HA agent on the host. See the task for details for addional information. Misconfiguration in the host network setup."

After poking around for a while, I realized that one host had a bad Default Gateway (off by 1) setup. After correcting that, HA works like a champ.

I did also fix the fact that one of my /etc/hosts files had my VMOTION service console IP and not the correct primary SC IP.

But it's all good now..

ESX 4 is really nice..

ISA 2006 Firewall Service won't start

I get an error just like this:
==============================================================================
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 2/20/2008
Time: 10:19:44 AM
User: N/A
Computer: ISA
Description:
The Microsoft Firewall service depends on the MSSQL$MSFW service which failed to start because of the following error:
The operation completed successfully.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
and when i try to start Microsoft Firewall service it says: " Could not start the Microsoft Firewall service on Local Computer.

Error 1068: The dependency service or group failed to start."

also the other automatic service on which Microsoft Firewall service is dependant is stopped and when i try to start that service it says "The MSSQL$MSFW service on Local Computer started and then stopped. Some services stop automatically if they have no work to do, for example, the Performance Logs and Alerts service."
================================================================================

Following these articles
http://forums.isaserver.org/m_2002062646/printable.htm
and
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2008-07/msg00461.html

they say there is a problem writing to the logs, and that's why I can't start the service. After changing the logging types, and many other changes, the final fix was to do as others had said. Export your ISA config, uninstall and reinstall ISA, and blamo, everything works again.

Wednesday, May 20, 2009

How to find and kill a hung VM on ESX 3.5

First you must find the PID

ps auxfww | grep Name_of_the_VM

Then kill it

Stop Soft Technique:

# vmware-cmd /path/to/config/file.vmx stop soft

Stop Hard Technique:
# vmware-cmd /path/to/config/file.vmx stop hard

kill Techniques:
# kill <pid>

If the above doesn't work you may need to issue a kill -9

# kill -9 <pid>

Thanks to This article I used to get my information.

http://communities.vmware.com/message/245617;jsessionid=AC54B73461657AECCF0CB98763CE2C2C

Tuesday, May 19, 2009

Issues using ISA 2006 for a back firewall

For some reason after reinstalling ISA 2006 as a back firewall, you can’t reach some machines on the DMZ network.  Without a long discussion for the routing reasons for this, The solution is to modify the ISA back firewall in order to disable the proxy on it.

To disable the Web Proxy filter for HTTP, do the following:

  1. In ISA Server Management, click the Firewall Policy node.
  2. On the Toolbox tab, click Protocols.
  3. Expand All Protocols, right-click HTTP, and then click Properties.
  4. Click the Parameters tab, and in Application Filters, clear Web Proxy Filter. Then click OK.
  5. Click Apply to update the firewall policy.

Tuesday, May 12, 2009

Really awesome new stuff in Windows 7

Microsoft has created some great videos showing off some of the new features, I can't wait to start getting end users upgraded after seeing these.

Problem Steps Recorder

Bitlocker

Applocker

And More...

Monday, April 27, 2009

Ok, I think I finally have a work around to the BL460C ASR reboots and ILO error 57's

Reading a couple of articles, it appears with the latest HP Proliant Support Pack (8.2), they have screwed the pooch and broken ILO to a point that it will cause random reboots, ASRs and other things. This seems to only affect 64-bit Windows systems.

Here is what I've found...

HP ProLiant Integrated Lights-Out Management Interface Driver for Windows Server 2003/2008 x64 Editions

Latest = 1.14.0.0
Stable = 1.13.0.0

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=3709945&prodSeriesId=1842750&swItem=MTX-b0749333be7a4336a9957e40eb&prodNameId=3288156&swEnvOID=1113&swLang=8&taskId=135&mode=5

and

HP ProLiant iLO 2 Management Controller Driver for Windows Server 2003 x64 Editions

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=3709945&prodSeriesId=1842750&swItem=MTX-b016a4092d95486b88c4ebe86d&prodNameId=3288156&swEnvOID=1113&swLang=8&taskId=135&mode=5

Latest = 1.11.0.0
Stable = 1.8.0.0

Here is where I found it:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1240871128552+28353475&threadId=1323879
and
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1332008

and the fun keeps going

Well my previous post didn't solve the issue, looks like the issue is with the
"HP iLO Management Channel Interface Driver"

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=3709945&prodSeriesId=1842750&swItem=MTX-b016a4092d95486b88c4ebe86d&prodNameId=3288156&swEnvOID=1113&swLang=8&taskId=135&mode=5

and I'm not the only one with an issue

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1240868410367+28353475&threadId=1323879

I am going to try and go back on the version to 1.13 and see if that stops the random reboots and the error ID 57's.

Friday, April 24, 2009

HP Blade Server rebooting for no apparent reason

Just a bit less than a week after applying an HP Proliant Support Pack to our BL460c G5 blades, one of them running Windows 2003 began rebooting randomly. The only real errors I could find were in the System log. These errors are about Event Source: hpqilo2 with an Event ID: 57. They had to do with timeouts causing an ASR (reboot).

Description: The system has rebooted from a Automatic Server Recovery (ASR) event.
ProbableCause: 111 0x6f (Timeout)
ProbableCauseDescription: "ASR Reboot Occurred"

I did a full hardware swap since everything I found on google pointed to hardware. After that didn't resolve anything, I found that there is a new driver for HP ProLiant iLO 2 Management Controller Driver available. One of the known fixes is
"Resolved a problem where system could spontaneously reboot (ASR) if all CPU's were under continuous 100% load, and iLO 2 was reset (e.g. due to firmware update, changes to network settings, etc.)."

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=3709945&prodSeriesId=3808910&swItem=MTX-b016a4092d95486b88c4ebe86d&prodNameId=3808911&swEnvOID=1113&swLang=13&taskId=135&mode=4&idx=2

This looks like it could be our issue, only time will tell, but if history is my guide then I should see within 48 hours if this machine will be stable or keep blowing up.

Thursday, April 16, 2009

MAC ARP Poisoning, The case of the missing response packets ISA

Yesterday my network was subject to one of the most difficult to trace network problems I've seen. Basically at 12:45pm, the "internet died", and I rebooted our ISA server, and it worked again. About 20 minutes later, it died again; this happened about 2-3 times more, and I knew we had a major issue. Microsoft ISA Server is one of Microsoft's best products, and especially ISA 2006 SP1 is very reliable. I put a packet trace outside my ISA firewall; it showed packets leaving my network AND returning. However, my ISA server reported that the packets were leaving and NEVER returning. VERY ODD, ISA doesn't lie. We did the normal replace hardware; we even swapped out a router, switches and the ISA server hardware, to no avail. This was very perplexing.

Finally after 14 hours of wanting to tear my hair out, we found something in a packet trace. I had captured a ping of google.com when stuff worked, and when it wasn't working. This was just outside our ISA server (which is a back firewall, not a front one) but on the other side of our router (but this router doesn't do any packet filtering, so I ignored this *bad idea*). We noticed that packet responses LOOKED the same, but when we dug deeper we saw the MAC addresses on the response packets were different, but with the same correct IP. One MAC was accurate when it worked, and different when it wasn't.

Someone had created a machine with the same IP address as our router outside our ISA firewall. This was causing return packets from the internet to be misdirected to a server, and not to our router. So ISA wasn't lying, and doing some MAC table lookups showed me which switches and ports to chase until I found the culprit rogue machine. After powering it down (and disconnecting the ethernet cable) all the problems stopped and I could finally go home at 3AM.
God I love IT.
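
The symptom described above (one IP answering from two different MAC addresses) can be checked for mechanically instead of by eyeballing ping replies. This is an added example, not part of the original post; it generalizes to ARP replies exported from a capture as CSV, and the column names, addresses, and the `Find-IpMacConflict` / `ConvertTo-NormalizedMac` function names are assumptions made for the illustration.

```powershell
# Added example, not from the original post: find IP addresses that are claimed
# by more than one MAC address in ARP replies exported from a packet capture.
# Column names, IPs and MACs below are constructed sample data.
$arpRepliesCsv = @'
time,sender_ip,sender_mac
12:40:01,192.0.2.1,00-1A-2B-3C-4D-5E
12:40:02,192.0.2.20,00-1A-2B-AA-BB-01
12:44:58,192.0.2.1,00:1a:2b:3c:4d:5e
12:45:10,192.0.2.1,02-00-5E-10-00-01
12:45:12,192.0.2.20,00-1A-2B-AA-BB-01
13:05:40,192.0.2.1,02-00-5E-10-00-01
'@

# Reduce any common MAC notation (dashes, colons, dots, mixed case) to 12 hex digits
# so the same adapter written two ways is not reported as a conflict.
function ConvertTo-NormalizedMac {
    param([string] $Mac)
    ($Mac -replace '[-:.]', '').ToUpper()
}

function Find-IpMacConflict {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Reply,
        # Optional pinned entries (IP -> MAC known to be correct), e.g. the router.
        [hashtable] $KnownGood = @{}
    )
    begin { $seen = @{} }   # IP -> (MAC -> time first seen)
    process {
        $ip  = $Reply.sender_ip
        $mac = ConvertTo-NormalizedMac $Reply.sender_mac
        if (-not $seen.ContainsKey($ip)) { $seen[$ip] = @{} }
        if (-not $seen[$ip].ContainsKey($mac)) { $seen[$ip][$mac] = $Reply.time }
    }
    end {
        foreach ($ip in ($seen.Keys | Sort-Object)) {
            $macs = $seen[$ip]
            if ($macs.Count -lt 2) { continue }   # one MAC per IP is the normal case
            $pinned = $null
            if ($KnownGood.ContainsKey($ip)) { $pinned = ConvertTo-NormalizedMac $KnownGood[$ip] }
            foreach ($mac in ($macs.Keys | Sort-Object)) {
                $verdict = if (-not $pinned) { 'unverified' } elseif ($mac -eq $pinned) { 'expected' } else { 'unexpected' }
                New-Object PSObject -Property @{
                    IP = $ip; MAC = $mac; FirstSeen = $macs[$mac]; Verdict = $verdict
                } | Select-Object IP, MAC, FirstSeen, Verdict
            }
        }
    }
}

# Run over the constructed sample, pinning the router's real MAC.
($arpRepliesCsv -split '\r?\n') | ConvertFrom-Csv |
    Find-IpMacConflict -KnownGood @{ '192.0.2.1' = '00-1A-2B-3C-4D-5E' } |
    Format-Table -AutoSize
```

The FirstSeen time of the unexpected MAC lines up with when the outage started, and that MAC is the one to look up in the switch MAC tables.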

Tuesday, April 7, 2009

How to Query Machine owner (registered windows) from a command prompt

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOrganization

Tuesday, February 24, 2009

User Can't open another users mailbox, "The name cannot be resolved."

So user1 is trying to open user2's mailbox, pure exchange 2007 environment, all patched, SP1, etc.. User2's mailbox says that user1 has full access.

So the exact error from outlook was "The name cannot be resolved. The name cannot be matched to a name in the address list." I assumed this was an outlook issue, deleted profiles, etc.. Nothing I did seemed to help, this was where I got frustrated and needed a new direction.

For troubleshooting I opened OWA logged in as user1, tried to open user2's mailbox, it says that it could not be found. I could open that mailbox logged in as myself through OWA and Outlook, and so could my two test user accounts. Very weird, user2's mailbox is a legacy account from Exchange 2000, 2003, but it doesn't make sense. After quite a bit of troubleshooting, moving the mailbox to other information stores, even detaching the mailbox and creating a new mailbox, no luck. I went into ADSIedit, checked all the properties, it was NOT hidden from the GAL.

Finally, I just deleted the user2 AD user2&mailbox. Created a new windows user2, reattached the original mailbox to that user, and after about 20 minutes of sync time, it worked and user1 was able to see user2's mailbox again.

So the issue was with User2's AD account, not the mailbox. Hopefully if it happens again I can nail it down a little more.

Thursday, February 12, 2009

Removing Legacy Permissions from Pure Exchange 2007 Environment

First let me explain the context of the issue. We had an Exchange admin who over the years upgraded our Exchange from 5.5 to 2000 to 2003. This person also had to occasionally add himself permissions to a mailbox in order to check on this or that and assist with issues, normal Exchange admin stuff. This person decided to move on to another role inside the company, and so should no longer be an Exchange admin. These permissions were removed successfully, and we then upgraded fully to Exchange 2007.
Later, doing a full audit of mailbox permissions, we noticed that this person still had their "manually assigned mailbox rights" to about 50 users' mailboxes. A simple powershell remove-mailboxpermission command and boom, MOST of them were gone.
However some of them gave us a disturbing error:
========================================
Remove-MailboxPermission : Cannot remove ACE on object "CN=Mailbox.Name,OU=Resources,OU=Exchange,OU=Accounts,DC=Domain,DC=local
" for account "Domain\old.admin" because it is not present.
At line:1 char:25
========================================
After a VERY LONG call to Microsoft to just confirm we had an issue and I'm not a moron, they were completely out of ideas. I tried some vbscripts to "output" our permissions. One from this blog http://gsexdev.blogspot.com/2005/04/reverse-msexchmailboxsecuritydescripto.html was useful, but didn't quite get me there. Also, modifying Greg's script, I was able to remove permissions to msExchMailboxSecurityDescriptor (with this help http://msdn.microsoft.com/en-us/library/aa705958(VS.85).aspx), but unfortunately this permission still existed inside of powershell and in reality. ADSI Edit had nothing that could help me; there simply wasn't a permission anywhere you can modify it. Microsoft suggested I add the permission back to the user, but I got the error that the permission was already there. They also suggested I give the old IT user Domain Admin permissions; shockingly that did nothing. They also said I should detach both the old IT admin's mailbox and one of the mailboxes with the permissions; this also did nothing, once they were re-attached the permissions were still there.

Ultimately, I tried the easiest thing in the world, which of course worked. I got on my old XP desktop with Exchange 2003 admin tools installed. This worked like a champ: went into the properties of the users who needed to be modified, went to "Exchange Advanced" then "Mailbox Rights" and removed the old IT admin from the permissions.

I personally consider this a bug with Exchange 2007 admin tools/powershell. but we'll see how Microsoft sees it.

Friday, February 6, 2009

Exchange 2007 scripted removal of Sendas AD rights

If you want to globally kill a certain users Send-as rights.

Get-mailbox | Remove-ADPermission -user S-1-5-21-2713965889-454821854-3254304360-14624 -ExtendedRights Send-As

Thursday, February 5, 2009

Adding NT AUTHORITY\SELF back for permissions to your mailboxes

Some of you that have upgraded Exchange for years like myself may notice that in Exchange 2007, users don't get rights to their own mailboxes; they use "NT AUTHORITY\SELF" to gain access.

Some older users were granted rights directly to their own mailboxes. Before you remove those (and lock them out of their email) run this Powershell script to grant that Authority account back in.

Get-mailbox | Add-Mailboxpermission -user "NT AUTHORITY\SELF" -Accessrights FullAccess

Now that you've found out someone needs to have their permissions cleaned out from other mailboxes

Mass Permission Removal

See what rights a user has to all mailboxes

Get-Mailboxpermission * -user domain\user.name | format-list > File.txt (for later reference)

Get-Mailbox | remove-mailboxpermission -user domain\user.name -Accessrights DeleteItem

If you just want to remove someones rights to everything, or a broken SID's rights.

Get-mailbox | Remove-mailboxpermission -user domain\user.name -Accessrights DeleteItem, SendAs, FullAccess, ReadPermission, ExternalAccount, ChangePermission, ChangeOwner

Here is the fun part: if you are doing a large group of mailboxes, you MUST finish the wizard. It queues everything up, so if you say Y, Y, Y, CTRL-C, NOTHING will happen, but if you finish the wizard, the job completes.

http://technet.microsoft.com/en-us/library/bb125153.aspx

Find out what permissions a user has to Exchange 2007 Mailboxes

Sometimes you just need to know what user "X" has rights to in your Exchange Mailboxes.

Where a user has been specifically assigned, minus their own mailbox, it shouldn't show their own mailbox anyways because that should be NT AUTHORITY\Self.

Using Powershell.

Get-Mailbox | Get-ADPermission | where {($_.User -like "*Brian*")} | ft -wrap

Now for some reason this only returns "Send As" permissions (guess those are in AD). If you want others you have to use get-mailboxpermission

Get-Mailboxpermission * -user domain\user.name | format-list


Thanks to these articles for setting me in the right direction.
http://exchangeshare.wordpress.com/2008/09/01/how-to-find-all-mailboxes-with-send-as-permission-assigned/


http://exchangepedia.com/blog/2008/02/how-to-list-mailboxes-with-full-mailbox.html

Friday, January 30, 2009

ESX sees Raid Adapter, but it isn't available for a VMFS volume

First I did an fdisk, created a primary partition that took up the whole disk. It was type "fb"


Command (m for help): p

Disk /dev/sdb: 640.1 GB, 640136773632 bytes
255 heads, 63 sectors/track, 77825 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1       77825   625129281   fb  Unknown

Command (m for help): q

Then to put VMFS3 on it,
vmkfstools -C vmfs3 -S local vmhba1:0:0:1

Asus DSBV-DX mobo, Raid & ESX

Trying to use some local storage (3 x 750GB Seagate's in a Raid 5, and another random 80gb drive for the OS) on an ESX box, I decided to use the onboard raid for the Asus DSBV-DX. I had two problems, and I can thank some newsgroup posters for solving my issue(s).

Problem #1
Using the default LSI controller built into the mobo (there are 6 Raid ports, they can be controlled by either the LSI or the Intel Storage Matrix) I could not create a raid 5 out of my disks. I tried everything, but in the LSI bios, it allowed me to choose Raid 5, but then gave the error of "Invalid Operation. Pls check the RAID key", so after my friend google found me this article http://vip.asus.com/forum/view.aspx?board_id=5&model=DSBV-DX&id=20080601052918421&page=1&SLanguage=en-us I realized that I had to use the Intel controller to leverage Raid 5, since the LSI doesn't support it.

Problem #2
Now that I have swapped the jumper over to Intel, and successfully configured a Raid 5 out of my drives, the ESX 3.5 Up3 install tells me that I have 3 individual drives, not the Raid 5 single drive it should see. Again Mr Google found me this http://vip.asus.com/forum/view.aspx?board_id=5&model=DSEB-DG&id=20080601004357890&page=1&SLanguage=en-us . So I grabbed a PCI-X ESX supported Raid controller, and now my ESX server is working again with local storage just like I wanted it.

another 20 minute job that took 6 hours...I love technology

Thursday, January 15, 2009

8 minimum Windows Security Best Practices

Inside of your "Domain security policy", "Local Policies", "Security Options"

Network Security: (enable these)
1) LAN Manager authentication level: "Send NTLMv2 response only, Refuse LM"
2) LDAP client signing requirements :"Negotiate Signing"
3) Do not allow anonymous enumeration of SAM accounts (and shares)
4) Do not store LAN Manager hash value on next password change

Microsoft Network client
5) Digitally sign communications (always + if server agrees) = Enabled
6) Send

Microsoft Network server
7) Digitally sign communications (always + if server agrees) = Enabled

Domain Member:
8) Digitally encrypt and sign whenever possible.
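
To check whether a machine actually ended up with these settings, the registry values behind them can be read and compared. This is an added example, not part of the original post: the registry value names are the standard Windows ones behind these policies, while `Get-SecurityOptionReport`, `$SecurityOptionChecks` and the `-Snapshot` parameter are names made up for the illustration, and item 6 is skipped because the post cuts it off.

```powershell
# Added example, not from the original post: report the registry values that back
# the Security Options listed above. Item 6 is cut off in the post and is not checked.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Item = number in the post's list; Min = lowest DWORD value that meets the setting.
$SecurityOptionChecks = @(
    @{ Item = 1; Key = $lsa; Name = 'LmCompatibilityLevel'; Min = 4 }        # 4 = NTLMv2 only, refuse LM
    @{ Item = 2; Key = "$svc\LDAP"; Name = 'LDAPClientIntegrity'; Min = 1 }  # 1 = negotiate signing
    @{ Item = 3; Key = $lsa; Name = 'RestrictAnonymousSAM'; Min = 1 }        # SAM accounts
    @{ Item = 3; Key = $lsa; Name = 'RestrictAnonymous'; Min = 1 }           # SAM accounts and shares
    @{ Item = 4; Key = $lsa; Name = 'NoLMHash'; Min = 1 }
    @{ Item = 5; Key = "$svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature'; Min = 1 }
    @{ Item = 5; Key = "$svc\LanmanWorkstation\Parameters"; Name = 'EnableSecuritySignature'; Min = 1 }
    @{ Item = 7; Key = "$svc\LanmanServer\Parameters"; Name = 'RequireSecuritySignature'; Min = 1 }
    @{ Item = 7; Key = "$svc\LanmanServer\Parameters"; Name = 'EnableSecuritySignature'; Min = 1 }
    @{ Item = 8; Key = "$svc\Netlogon\Parameters"; Name = 'SealSecureChannel'; Min = 1 }
    @{ Item = 8; Key = "$svc\Netlogon\Parameters"; Name = 'SignSecureChannel'; Min = 1 }
)

function Get-SecurityOptionReport {
    param(
        # Optional constructed snapshot ('Key\Name' -> value) so the comparison can be
        # exercised offline; when omitted, the live registry of this machine is read.
        [hashtable] $Snapshot
    )
    foreach ($c in $SecurityOptionChecks) {
        $id = '{0}\{1}' -f $c.Key, $c.Name
        if ($PSBoundParameters.ContainsKey('Snapshot')) {
            $actual = $Snapshot[$id]
        } else {
            $prop = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
            $actual = if ($prop) { $prop.($c.Name) } else { $null }
        }
        # A missing value means the policy was never applied and the OS default is in effect.
        $status = if ($null -eq $actual) { 'NotSet' } elseif ([int]$actual -ge $c.Min) { 'OK' } else { 'Weak' }
        New-Object PSObject -Property @{
            Item = $c.Item; Value = $c.Name; Actual = $actual; Minimum = $c.Min; Status = $status
        } | Select-Object Item, Value, Actual, Minimum, Status
    }
}

# Constructed sample values (not taken from any real host): NTLM level too low,
# SMB server signing not required, LDAP client signing never configured.
$sample = @{
    "$lsa\LmCompatibilityLevel" = 3
    "$lsa\RestrictAnonymousSAM" = 1
    "$lsa\RestrictAnonymous"    = 1
    "$lsa\NoLMHash"             = 1
    "$svc\LanmanWorkstation\Parameters\RequireSecuritySignature" = 1
    "$svc\LanmanWorkstation\Parameters\EnableSecuritySignature"  = 1
    "$svc\LanmanServer\Parameters\RequireSecuritySignature"      = 0
    "$svc\LanmanServer\Parameters\EnableSecuritySignature"       = 1
    "$svc\Netlogon\Parameters\SealSecureChannel" = 1
    "$svc\Netlogon\Parameters\SignSecureChannel" = 1
}
Get-SecurityOptionReport -Snapshot $sample | Format-Table -AutoSize

# On a real machine, read the live registry instead:
# Get-SecurityOptionReport | Where-Object { $_.Status -ne 'OK' }
```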

Thursday, January 8, 2009

Windows 7 Beta1

So far so good.  Only found a few bugs, I like the Install, boot times, most software seems compatible (Vista software that is).  I like a lot of the windows live functions, I'm using Windows Live Writer to publish this post, so far, so good.  Antivirus seems a bit touchy, The latest Symantec EP doesn’t work, but AVG does.  Our systems management products are having some trouble gathering data, but I'm not surprised since its beta 1