tag:briandagan.com,2013:/posts BrianDagan.com 2017-05-16T16:39:42Z tag:briandagan.com,2013:Post/1126726 2017-01-27T22:29:39Z 2017-01-27T22:29:39Z Y U lie to me, Azure?
tag:briandagan.com,2013:Post/622921 2013-11-24T03:41:36Z 2013-11-24T03:41:37Z Recovering/resetting a Windows Server password from an AWS AMI -or- "I'm paying for this, so let me in already!"
Love me some AWS (Amazon Web Services); however, if you use a public AMI, you're more than likely to run up against a scenario where the AMI's author doesn't want you to be able to log into the VM via RDP.  You'll quickly discover this when you attempt to "Generate Windows Password":

If you see this after you've let an AMI-based VM "settle" for, oh, I don't know, an hour or so... you'll probably guess that something's awry.

You'd be correct... something is awry... the AMI's author decided to modify the "C:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml" to set Ec2SetPassword from Enabled to Disabled.  AWS doesn't tell you this--you're just left to infer this on your own, after the Windows Administrator password fails to generate after a more-than-generous amount of time.

Figure 1: The AMI's author, Scott

A shame, really.  But there's a way around it.


Following the steps below may result in additional AWS usage bills, data loss or other unfortunate circumstances.  By following the instructions below, you hereby agree that I am not liable for losses of any type (data, financial, sanity, etc.).

Step 1
Shut down your hamstrung VM.

Step 2
Spin up a new t1.micro instance of Windows Server 2008 R2 x64 (not tested: Windows Server 2012, though I assume this process would be virtually identical):

Why pay if you don't have to?

Choose the same network as your existing VM (if you don't do this, then you won't be able to detach/attach your volumes later on):

They won't let you have less than 30GB on the free tier for this AMI (I tried, don't bother):

Because #%$@ tags:

If you're feeling frisky, name the new Security Group something informative (to let Future You know that this is RDP only):


Set your AMI key (you had to do this when you set up the first VM) and launch it:

Go grab some coffee/tea/monster:

Step 3
Grab the Windows password from your new scratch VM:

Upload your previously-created PEM or paste it:

Save your Administrator password someplace safe... you'll need it in a sec:

Step 3
Detach the volume from the hamstrung instance, and attach it to your scratch instance by visiting the Volumes section:

Right-click on the volume associated with your hamstrung instance and choose Detach:

Click Yes, then Refresh the screen until the volume shows as "available":

Now that it's detached, let's attach it to the scratch VM:

Choose your scratch VM and attach the volume:

Step 4
RDP into the scratch VM (use the credentials and IP from Step 3).

You should see a new drive letter... this used to be the root volume of your hamstrung VM:

Let's edit that key file:

The one we care about is Ec2SetPassword... that needs to be changed to Enabled:

Step 5
Make the partitions bootable again, before you nuke your scratch machine!

Remember seeing that D:\ drive in your scratch machine, along with the E:\ drive which contains your actual OS?  On 64-bit versions of Windows, an additional "boot" partition is created (32-bit versions do not create this additional boot partition... these instructions assume you're using the x64 AMI mentioned earlier):

That said, we're going to modify our commands appropriately to ensure that the boot volume (D) is the one we're "fixing."

Why do we need to fix the volume?  If Windows sees more than one drive as bootable, it will mark the other drives that it didn't boot from as non-bootable:

You'll need a copy of the 32-bit (x86) bootsect.exe.  Feel free to Google for it, or download it here: https://dl.dropboxusercontent.com/u/22121/_BrianDagan.com/bootsect.exe  (Note: When you're downloading using the Internet Explorer that's built in, you'll need to either add *.dropboxusercontent.com as a trusted site -or- disable IE ESC in Server Manager):

Throw bootsect.exe in C:\Windows\System32 on your scratch machine (just so it's in %PATH%):

Fire up a Command Prompt on your scratch machine as Administrator:

Run the following commands, in order (this assumes that you've not switched processor architectures on me... these x64 commands assume a D:\ "boot" drive and E:\ "Windows" drive (as shown in your scratch machine), which would be the case assuming the above has been followed :-)):

bootsect /nt60 D: /mbr

bcdboot E:\Windows /s D:

bcdedit /store D:\Boot\BCD /set {default} device partition=E:

bcdedit /store D:\Boot\BCD /set {default} osdevice partition=E:

bcdedit /store D:\Boot\BCD /set {bootmgr} device partition=E:

SHUT DOWN (do not restart) the scratch VM:

Hopefully, you'll never need this scratch VM again.  This would be an appropriate occasion to thank it for its service:

Step 6
Confirm that both your scratch and production VMs are stopped:

Detach the volume from the scratch instance, and attach it to your now-hopefully-not-hamstrung instance by visiting the Volumes section:

Right-click on the 2nd volume (the one mounted as xvdf) associated with your scratch instance and choose Detach:

Click Yes, then Refresh the screen until the volume shows as "available":

Attach the volume...:

...and choose the original machine, but do not choose xvdf:

Instead, change this to /dev/sda1

Step 7
Fire up your production VM on the Instances tab:

I'm keeping my scratch machine around until I know this boots and I can recover the Windows password:

Step 8
Let's get that Windows password!

Finally!  We're in!

Time to nuke that scratch VM :-)
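
The config.xml edit from Step 4, scripted as an added example (not part of the original walkthrough or of AWS tooling). The function name Set-Ec2ConfigPluginState and the sample XML are constructed for illustration; the sample follows the Plugin/Name/State layout of EC2Config's config.xml, and the usage line at the bottom assumes the hamstrung volume is mounted as E: on the scratch VM, as above.

```powershell
# Added example: set an EC2Config plugin's State in config.xml on an attached (offline) volume.
function Set-Ec2ConfigPluginState {
    param(
        [Parameter(Mandatory = $true)][string]$ConfigPath,
        [string]$PluginName = 'Ec2SetPassword',
        [ValidateSet('Enabled', 'Disabled')][string]$State = 'Enabled'
    )

    # XmlDocument.Load resolves relative paths against the process directory,
    # not the PowerShell location, so resolve to a full path first.
    $full = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's layout so the change diffs cleanly
    $xml.Load($full)

    $plugin = $xml.SelectSingleNode("/Ec2ConfigurationSettings/Plugins/Plugin[Name='$PluginName']")
    if ($plugin -eq $null) { throw "Plugin '$PluginName' not found in $full" }

    $stateNode = $plugin.SelectSingleNode('State')
    if ($stateNode -eq $null) { throw "Plugin '$PluginName' has no State element in $full" }

    $previous = $stateNode.InnerText
    if ($previous -ne $State) {
        # Keep the AMI author's original next to the edited file.
        Copy-Item -LiteralPath $full -Destination "$full.bak" -Force
        $stateNode.InnerText = $State
        $xml.Save($full)
    }

    New-Object PSObject -Property @{ Plugin = $PluginName; Previous = $previous; Current = $State }
}

# --- Demo on a constructed sample file (not a real AMI's config) ---
$sample = @'
<?xml version="1.0" standalone="yes"?>
<Ec2ConfigurationSettings>
  <Plugins>
    <Plugin>
      <Name>Ec2SetPassword</Name>
      <State>Disabled</State>
    </Plugin>
    <Plugin>
      <Name>Ec2SetComputerName</Name>
      <State>Disabled</State>
    </Plugin>
  </Plugins>
</Ec2ConfigurationSettings>
'@

$tmp = [System.IO.Path]::GetTempFileName()
Set-Content -LiteralPath $tmp -Value $sample
Set-Ec2ConfigPluginState -ConfigPath $tmp | Format-List Plugin, Previous, Current
Remove-Item -LiteralPath $tmp, "$tmp.bak" -ErrorAction SilentlyContinue

# On the scratch VM, against the attached volume:
# Set-Ec2ConfigPluginState -ConfigPath 'E:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml'
```

The function throws rather than adding a missing plugin entry, so a config.xml that does not match the expected layout is left untouched.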

Credits & Attributions
It took me a while to parse all of the available information on this topic, and I couldn't have put together as comprehensive a guide without these folks:
tag:briandagan.com,2013:Post/130285 2013-02-12T18:22:35Z 2016-05-06T09:45:36Z Warning: Don't use for public DNS, use or instead

If you’re up for some light reading: http://www.tummy.com/Community/Articles/famous-dns-server/

If you’re not the “reading type,” here’s the key part of the article:  Should I Use  Unless you are a Level-3 customer, absolutely not.

Essentially, belongs to Level 3, and they have no obligation to ensure that this service is reliable or accurate.  As of late, a number of DNS queries made against have been timing out, which makes it a bad choice to verify DNS name resolution. and, please.


To add to this, Allied Telecom (and my independent tests) have noted that is having some major issues today, which is manifesting itself as many of their customers calling them for Internet connectivity issues when the issue actually lies with the DNS provider that the IT Engineer chose to put in the firewall/DNS settings long before started going downhill.

tag:briandagan.com,2013:Post/130287 2013-01-29T17:49:07Z 2013-10-08T15:48:48Z How To: Create Files Of A Specific Size

No, not rodents of unusual size…

…a file of a specific size.  Where would you use this?

·         Testing e-mail attachment size limits

·         Testing file transfer speeds

·         Deliberately filling a counterfeit Chinese flash drive to examine the file write “looping” behavior

It’s quick & easy to do this… just fire up an Administrative Command Prompt and type in the following:

fsutil file createnew [Filename] [Size in Bytes]


Happy testing!

tag:briandagan.com,2013:Post/130290 2012-06-12T21:00:48Z 2013-10-08T15:48:48Z How To: Install Entrust Certificates On A HP Thin Client For Citrix

If you’ve just installed a shiny new Entrust certificate on your Citrix server and you find out that your HP Thin Client machines can’t connect to published applications with a SSL Error:

“You have not chosen to trust ‘Entrust.net Certification Authority (2048)’, the issuer of the server’s security certificate (SSL Error 61).”

…then there’s a two-phase process to get this fixed.  The first phase, done on your workstation, requires that you have a USB thumb drive.

Phase 1: Done once on your workstation

1) Plug in the USB thumb drive

2) Open a web browser and download all eight of these files with their original filenames to the root directory of your USB thumb drive:

     2.1) https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer

     2.2) https://www.entrust.net/downloads/binary/entrust_2048_ca.cer

     2.3) https://www.entrust.net/downloads/binary/entrust_ev_ca.cer

     2.4) https://www.entrust.net/downloads/binary/entrust_g2_ca.cer

     2.5) https://www.entrust.net/downloads/binary/entrust_l1e.cer

     2.6) https://www.entrust.net/downloads/binary/entrust_l1e_chain_root.cer

     2.7) https://www.entrust.net/downloads/binary/entrust_l1c.cer

     2.8) https://www.entrust.net/downloads/binary/entrust_2048_chain_root.cer

3) Safely eject the USB thumb drive, and go find yourself some thin clients

Phase 2: Done on every HP Thin Client

1) Hop on the Thin Client, and plug in your USB drive from earlier

2) Click on the lower left corner (HP Menu)

3) Click on Administrator/User Mode Switch

4) On the Switch To Admin Mode login screen, type in “root” (without quotes) as the password (this is the default value) and hit Enter

5) In the “Thin Pro Control Center (Administrative Mode)” application, double-click “Control Panel”

6) Choose the “Advanced” tab

7) Double-click on “X Terminal”

NOTE: All commands going forward are case-sensitive!

8) Type “su” (without quotes) and hit Enter

9) Type “fsunlock” (without quotes) and hit Enter

10) Type “cd /media” (without quotes) and hit Enter

11) Type “ls” (without quotes) and hit Enter to list the drives… the names are case-sensitive in the next step

12) Type “cd [First few case-sensitive letters of your USB drive]” (without quotes or []s) followed by the Tab key, and it will auto-complete the name, then hit Enter:


13) Type “cp *.cer /usr/lib/ICAClient/keystore/cacerts/”  (without quotes) and hit Enter

    (No result is a good result, i.e. a blank line after the command means the files were successfully copied)

14) Type “fslock” (without quotes) and hit Enter

15) Type “reboot” (without quotes) and hit Enter

At this point, the HP Thin Client should connect to Citrix without issue.

tag:briandagan.com,2013:Post/130292 2012-04-17T15:33:00Z 2013-10-08T15:48:48Z Photos: Space Shuttle Discovery (OV-103) Final Flight Into Dulles (IAD) / Air & Space Museum's Udvar-Hazy Center

This was a joy to watch… we were right in the flight path:

tag:briandagan.com,2013:Post/130294 2012-04-06T02:36:20Z 2013-10-08T15:48:48Z BIFL: Paper Shredders - My Preemptive Parts Procurement Request to Fellowes

This may seem odd...

I'm a big proponent of the BIFL mindset (Buy It For Life).  If one buys a product, it should be designed to last a lifetime... even if it means paying a little bit extra.  So when I spent over $200 on a shredder (after careful research), I chose a Fellowes 99ci, based on reliability reviews and the excellent Customer Service record you have amassed over the years.

Being of the slightly... fixated... variety, I know from my research that virtually no shredder (short of a $2,500 GSA-schedule-listed model that's designed to shred a man-sized safe's worth of documents) has end-to-end metal gearing and/or a chain drive.

My last shredder (non-Fellowes-brand) died in this fashion... the single nylon gear finally became brittle and decided to unceremoniously off itself.  Naturally, the single nylon gear is impossible to obtain, which forced me to grudgingly haul its otherwise-still-good-except-for-a-designed-to-fail-nylon-gear carcass to my dumpster's gaping maw.

I therefore beseech you, o kind reader of support requests... can I please possibly preemptively procure (alliteratively) the replacement nylon gear(s) for this shredder such that I can pass this beast of a shredder on to the next generation?

My shredder serial number is: [REDACTED]

Respectfully submitted,

Brian Dagan


tag:briandagan.com,2013:Post/130297 2011-12-12T15:52:12Z 2017-01-12T20:08:14Z How To: Eliminate Superfluous "Critical" Alerts From APC Network Management Cards

Here’s another one to file under the, “web UI is inferior to the command line interface” category of gotchas.  First, the basics:

·         APC Symmetra UPS

·         AP9619 Network Management Card (latest firmware)

·         “Critical” alerts set to page On-Call Engineers

Ever since this UPS was installed, we had all “Critical” events being sent to the distribution list for paging the On-Call Engineers.

Here’s the problem… every time the UPS would pass a self-test, we’d receive a Critical Ticket, which would wake up the On-Call Engineers, who would then proceed to curse my name, close the ticket, and go back to bed after punching the pillow repeatedly.  Imagine getting this alert at 3 AM… how would that make you feel?

Each time this would happen, I would:

·         Check for upgraded firmware

·         Run through the wizards to #1) Clear the alerts and #2) Re-instate the alerts

·         Get cursed out again two weeks later when the scheduled self-test ran again

This got to be so frustrating that I just turned off self-tests altogether (not advised).

Finally, I called APC (thanks, D. Petrarc!) and they showed me the solution: The web UI doesn’t display all of the alerts and their clearing actions, so no matter how many times you run through the wizard, you’ll still get these alerts… unless you do the following:

1) Clear all alerts

2) Reinstate critical alerting to your “Critical” distribution list

3) Manually disable (via hex code) the alerts that aren’t shown in the web UI

Step 1: Clear all alerts

This walkthrough assumes you already have the latest firmware loaded on your APC NMC.  If this looks nothing like your UPS (e.g. your tabs are along the left-hand side), you’re not running the latest firmware.  Upgrade your firmware first by going to http://www.apc.com, clicking on “Software & Firmware,” locating & downloading the appropriate firmware specific to the model number of your Network Management Card, and following the directions in the ReadMe to get the firmware up-to-date.  In my experience, if you’re going from a way-outdated firmware version to the current version, you may have to try a couple of times, but it will work eventually (be patient).

1A) Go ahead and log into your APC NMC’s web UI, then go to Administration > Notification > Event Actions > by group:


1B) Choose “Events by Severity,” check all three boxes and hit Next:


1C) Choose “E-mail Recipients” and click Next:


1D) Check the box next to the e-mail address (you’ve already configured this under Administration > Notification > E-mail > recipients, right?) and click Next:


1E) Confirm the information matches the screenshot below (in particular the “Disable Notifications” radio button) and click Next:

1F) Confirm the “will not be notified” phrasing and click Apply… this will take 5-10 seconds:


1G) Click Finish:

Step 2: Reinstate critical alerting to your “Critical” distribution list

2A) Back on the Administration > Notification > Event Actions > by group page (see Step 1A), choose “Events by Severity” and check only the box next to “All Critical Events” and click Next:

2B) Choose “E-mail Recipients” and click Next:


2C) Check the box next to the e-mail address and click Next:


2D) Confirm the settings below, especially the “Enable Notifications” selection… and turn off the repeat option so you don’t generate a heap of Critical tickets, then click Next:


2E) Confirm the settings and click Apply:


2F) Click Finish:

Step 3: Manually disable (via hex code) the alerts that aren’t shown in the web UI

3A) Go to the Administration > Notification > Event Actions > by event page:


3B) Choose a random event category… I’m going to choose Battery:


3C) Now choose a random event… I’m going to choose “UPS: The number of batteries increased”:

3D) Take a look at your browser’s address bar… notice the hex code at the end?  This is what we’ll be changing in the next step:

3E) Replace the hex code with 0x0105 (for “UPS: Passed a self-test”) and hit Enter:

3F) Un-check the box for the e-mail recipient and click Apply:

3G) If there are any other superfluous events (mostly “clearing” events) that you don’t want sent to the “Critical” distribution list, you can repeat steps 3E and 3F for those alerts as well… see “APC_NMC_Events.txt” (attached)

Hooray for not unnecessarily waking people up!

; System: Coldstart.

; System: Warmstart.

; System: SNMP configuration change.

; System: Detected an unauthorized user attempting to access the SNMP interface.

; System: Detected an unauthorized user attempting to access the Control Console interface.

; System: Detected an unauthorized user attempting to access the Web interface.

; System: Detected an unauthorized user attempting to access the FTP interface.

; System: Network service started.

; System: Password changed.

; System: Restarting.

; System: FTP File transfer started.

; System: TFTP File transfer started.

; System: File transfer failed.

; System: Console user logged in.

; System: Web user logged in.

; System: FTP user logged in.

; System: Reset to Defaults.

; System: Initializing data in the file.

; System: Email information.

; System: TCP/IP stack failure.

; System: Console user logged out.

; System: Web user logged out.

; System: FTP user logged out.

; System: Set Date or Time.

; System: Trace information.

; System: Data Log cleared.

; System: Modem dial-out failed.

; System: RMS CLI user logged in.

; System: RMS CLI user logged out.

; System: Network service information.

; System: Network service could not start.

; System: Network service stopped.

; System: SSL Error: Invalid certificate.

; System: New certificate loaded.

; System: SSL enabled (now using HTTPS).

; System: SSL disabled (now using HTTP).

; System: Session Management enabled.

; System: Session Management disabled.

; System: WebServer could not start

; System: DNS Network Error.

; System: Configuration change.

; System: Configuration file uploaded complete.

; System: Paging: Failed to send message.

; System: SSL information.

; System: SSH/SCP information.

; System: Certificate, host key, and log store information.

; System: Set Daylight Saving Time.

; System: NTP update failure.

; System: Data Log Upload event.

; System: RMS failed to send email/modem.

; System: Event Log cleared.

; System: Lost communications event manually cleared.

; UPS: Restored the local network management interface-to-UPS communication.

; UPS: Lost the local network management interface-to-UPS communication.

; UPS: The load exceeds 100% of rated capacity.

; UPS: The load no longer exceeds 100% of rated capacity.

; UPS: Passed a self-test.

; UPS: Failed a self-test.

; UPS: The battery power is too low to support the load; if power fails, the UPS will be shut down immediately.

; UPS: A discharged battery condition no longer exists.

; UPS: On battery power in response to an input power problem.

; UPS: No longer on battery power.

; UPS: The battery power is too low to continue to support the load; the UPS will shut down if input power does not return to normal soon.

; UPS: A low battery condition no longer exists.

; UPS: The output power is now turned on.

; UPS: The output power is turned off.

; UPS: Turned off for a defined period of time in response to a software command, or off while waiting for input power to return to normal.

; UPS: Turned on after a defined period of time, or input power has returned to normal.

; UPS: Started a reboot process.

; UPS: At least one faulty battery exists.

; UPS: A faulty battery no longer exists.

; UPS: In bypass in response to the UPS front-panel or a user-initiated software command, typically for maintenance.

; UPS: No longer in bypass.

; UPS: Started a runtime calibration.

; UPS: Completed a runtime calibration.

; UPS: Graceful shutdown in progress.

; UPS: A battery charger fault exists.

; UPS: A battery charger fault no longer exists.

; UPS: The internal battery temperature exceeds the critical threshold.

; UPS: The internal battery temperature no longer exceeds the critical threshold.

; UPS: Started a scheduled shutdown.

; UPS: Failed a scheduled shutdown.

; UPS: deleted a scheduled shutdown.

; UPS: A synchronization command information message occurred.

; UPS: Started a self-test.

; UPS: Lost the management interface-to-UPS communication while the UPS was on battery.

; UPS: SNMP was used to issue a control command.

; UPS: A power module fault exists.

; UPS: A power module fault no longer exists.

; UPS: A main intelligence module fault exists.

; UPS: A main intelligence module fault no longer exists.

; UPS: A redundant intelligence module fault exists.

; UPS: A redundant intelligence module fault no longer exists.

; UPS: A battery fault exists.

; UPS: A battery fault no longer exists.

; UPS: A load (kVA) alarm threshold violation exists.

; UPS: A load (kVA) alarm threshold violation no longer exists.

; UPS: Redundancy lost.

; UPS: Redundancy returned.

; UPS: A redundancy alarm threshold violation exists.

; UPS: A redundancy alarm threshold violation no longer exists.

; UPS: An input voltage or frequency problem prevents switching to bypass mode.

; UPS: An input voltage or frequency problem no longer prevents switching to bypass mode.

; UPS: The bypass relay is stuck in its bypass position.

; UPS: The bypass relay is no longer stuck in its bypass position.

; UPS: The bypass relay is stuck in its online position.

; UPS: The bypass relay is no longer stuck in its online position.

; UPS: In bypass in response to an internal hardware fault.

; UPS: No longer in bypass.

; UPS: In bypass in response to an overload.

; UPS: No longer in bypass.

; UPS: In bypass for maintenance.

; UPS: No longer in bypass.

; UPS: The input circuit breaker is open.

; UPS: The input circuit breaker is no longer open.

; UPS: System level fan fault exists.

; UPS: System level fan fault no longer exists.

; UPS: The redundant intelligence module is in control.

; UPS: The main intelligence module is now in control.

; UPS: An internal communication bus fault exists.

; UPS: An internal communication bus fault no longer exists.

; UPS: No power modules detected as installed.

; UPS: Power modules are now detected.

; UPS: An input voltage or frequency problem occurred while in bypass, turning off the UPS.

; UPS: The power problem that caused the UPS to turn off while in bypass no longer exists.

; UPS: A runtime alarm threshold violation exists.

; UPS: A runtime alarm threshold violation no longer exists.

; UPS: An extended run frame fault exists.

; UPS: An extended run frame fault no longer exists.

; UPS: The output voltage is outside its defined limits.

; UPS: The output voltage is no longer outside its defined limits.

; UPS: A phase synchronization fault exists.

; UPS: A phase synchronization fault no longer exists.

; UPS: The battery is not installed properly.

; UPS: The battery is now installed.

; UPS: The battery voltage exceeds the nominal battery voltage rating.

; UPS: The battery voltage no longer exceeds the nominal battery voltage rating.

; UPS: Non-specific fault; Access UPS keyboard for details.

; UPS: Non-specific fault cleared.

; UPS: A site wiring fault exists.

; UPS: A site wiring fault no longer exists.

; UPS: The number of batteries increased.

; UPS: The number of batteries decreased.

; UPS: Number of Power Modules increased.

; UPS: Number of Power Modules decreased.

; UPS: The main intelligence module was inserted.

; UPS: The main intelligence module was removed.

; UPS: The redundant intelligence module was inserted.

; UPS: The redundant intelligence module was removed.

; UPS: The number of extended run frames increased.

; UPS: The number of extended run frames decreased.

; UPS: A system fault exists.

; UPS: A system fault no longer exists.

; UPS: A bypass relay failure exists.

; UPS: A bypass relay failure no longer exists.

; UPS: A power module turn off failure exists.

; UPS: A power module turn off failure no longer exists.

; UPS: A frame identification failure exists.

; UPS: A frame identification failure no longer exists.

; Environment: A critical fault exists for external Environmental Monitor input contact 1 ({name} at {location}).

; Environment: A fault no longer exists for external Environmental Monitor input contact 1 ({name} at {location}).

; Environment: A critical fault exists for external Environmental Monitor input contact 2 ({name} at {location}).

; Environment: A fault no longer exists for external Environmental Monitor input contact 2 ({name} at {location}).

; Environment: A critical fault exists for external Environmental Monitor input contact 3 ({name} at {location}).

; Environment: A fault no longer exists for external Environmental Monitor input contact 3 ({name} at {location}).

; Environment: A critical fault exists for external Environmental Monitor input contact 4 ({name} at {location}).

; Environment: A fault no longer exists for external Environmental Monitor input contact 4 ({name} at {location}).

; Environment: A minimum temperature threshold violation exists for external Environmental Monitor sensor 1 ({name} at {location}) reporting under {threshold}.

; Environment: A minimum temperature threshold violation no longer exists for external Environmental Monitor sensor 1 ({name} at {location}).

; Environment: A low temperature threshold violation exists for external Environmental Monitor sensor 1 ({name} at {location}) reporting under {threshold}.

; Environment: A low temperature threshold violation no longer exists for external Environmental Monitor sensor 1 ({name} at {location}).

; Environment: A high temperature threshold violation exists for external Environmental Monitor sensor 1 ({name} at {location}) reporting over {threshold}.

; Environment: A high temperature threshold violation no longer exists for external Environmental Monitor sensor 1 ({name} at {location}).

; Environment: A maximum temperature threshold violation exists for external Environmental Monitor sensor 1 ({name} at {location}) reporting over {threshold}.

; Environment: A maximum temperature threshold violation no longer exists for external Environmental Monitor sensor 1 ({name} at {location}).

; Environment: A minimum humidity threshold violation exists for external Environmental Monitor sensor 1 ({name} at {location}) reporting under {threshold}.

; Environment: A minimum humidity threshold violation no longer exists for external Environmental Monitor sensor 1 ({name} at {location}).

; Environment: A low humidity threshold violation exists for external Environmental Monitor sensor 1 ({name} at {location}) reporting under {threshold}.

; Environment: A low humidity threshold violation no longer exists for external Environmental Monitor sensor 1 ({name} at {location}).

; Environment: A high humidity threshold violation exists for external Environmental Monitor sensor 1 ({name} at {location}) reporting over {threshold}.

; Environment: A high humidity threshold violation no longer exists for external Environmental Monitor sensor 1 ({name} at {location}).

; Environment: A maximum humidity threshold violation exists for external Environmental Monitor sensor 1 ({name} at {location}) reporting over {threshold}.

; Environment: A maximum humidity threshold violation no longer exists for external Environmental Monitor sensor 1 ({name} at {location}).

; Environment: A minimum temperature threshold violation exists for external Environmental Monitor sensor 2 ({name} at {location}) reporting under {threshold}.

; Environment: A minimum temperature threshold violation no longer exists for external Environmental Monitor sensor 2 ({name} at {location}).

; Environment: A low temperature threshold violation exists for external Environmental Monitor sensor 2 ({name} at {location}) reporting under {threshold}.

; Environment: A low temperature threshold violation no longer exists for external Environmental Monitor sensor 2 ({name} at {location}).

; Environment: A high temperature threshold violation exists for external Environmental Monitor sensor 2 ({name} at {location}) reporting over {threshold}.

; Environment: A high temperature threshold violation no longer exists for external Environmental Monitor sensor 2 ({name} at {location}).

; Environment: A maximum temperature threshold violation exists for external Environmental Monitor sensor 2 ({name} at {location}) reporting over {threshold}.

; Environment: A maximum temperature threshold violation no longer exists for external Environmental Monitor sensor 2 ({name} at {location}).

; Environment: A minimum humidity threshold violation exists for external Environmental Monitor sensor 2 ({name} at {location}) reporting under {threshold}.

; Environment: A minimum humidity threshold violation no longer exists for external Environmental Monitor sensor 2 ({name} at {location}).

; Environment: A low humidity threshold violation exists for external Environmental Monitor sensor 2 ({name} at {location}) reporting under {threshold}.

; Environment: A low humidity threshold violation no longer exists for external Environmental Monitor sensor 2 ({name} at {location}).

; Environment: A high humidity threshold violation exists for external Environmental Monitor sensor 2 ({name} at {location}) reporting over {threshold}.

; Environment: A high humidity threshold violation no longer exists for external Environmental Monitor sensor 2 ({name} at {location}).

; Environment: A maximum humidity threshold violation exists for external Environmental Monitor sensor 2 ({name} at {location}) reporting over {threshold}.

; Environment: A maximum humidity threshold violation no longer exists for external Environmental Monitor sensor 2 ({name} at {location}).

; Environment: Restored the local network management interface-to-external Environmental Monitoring Card communication.

; Environment: Lost the local network management interface-to-external Environmental Monitoring Card communication.

; Environment: A critical fault exists for integrated Environmental Monitor input contact {number} ({name} at {location}).

; Environment: A fault no longer exists for integrated Environmental Monitor input contact {number} ({name} at {location}).

; Environment: A minimum temperature threshold violation exists for integrated Environmental Monitor sensor ({name} at {location}) reporting under {threshold}.

; Environment: A minimum temperature threshold violation no longer exists for integrated Environmental Monitor sensor ({name} at {location}).

; Environment: A low temperature threshold violation exists for integrated Environmental Monitor sensor ({name} at {location}) reporting under {threshold}.

; Environment: A low temperature threshold violation no longer exists for integrated Environmental Monitor sensor ({name} at {location}).

; Environment: A high temperature threshold violation exists for integrated Environmental Monitor sensor ({name} at {location}) reporting over {threshold}.

; Environment: A high temperature threshold violation no longer exists for integrated Environmental Monitor sensor ({name} at {location}).

; Environment: A maximum temperature threshold violation exists for integrated Environmental Monitor sensor ({name} at {location}) reporting over {threshold}.

; Environment: A maximum temperature threshold violation no longer exists for integrated Environmental Monitor sensor ({name} at {location}).

; Environment: A minimum humidity threshold violation exists for integrated Environmental Monitor sensor ({name} at {location}) reporting under {threshold}.

; Environment: A minimum humidity threshold violation no longer exists for integrated Environmental Monitor sensor ({name} at {location}).
tag:briandagan.com,2013:Post/130299 2011-12-05T21:39:31Z 2013-10-08T15:48:48Z Best Practices: Do NOT Use External DNS Servers For Internal Servers' IP Configurations... Here's Why...

First, yes… I’ll let the cat out of the bag…

Figure 1: Bag Cat

…that this is not new information.  Y’all know (and have known) for some time that it’s never a good idea to use external DNS servers for internal servers’ IP configurations, but you may be asking yourself:

“But Dagan, what’s the harm?   I mean, if it’s not a Domain Controller, why shouldn’t I add an external DNS server as my tertiary DNS server in the server’s IP configuration?  You know… just in case the DCs decide to call Ralph on the porcelain telephone, they’ll still be able to get to the Internet… so who cares?”

Well, for one, the folks who can’t use Citrix.


Let me explain by way of example.

I received a critical call at 3:00 PM today from a client who said that, “Nobody can connect to Citrix… everybody is getting an ‘RPC server unavailable’ message!”

Looking back in the Event Logs, I see the following error:

Event Type: Error

Event Source:     Userenv

Event Category:   None

Event ID:   1053

Date:       12/5/2011

Time:       1:55:07 PM


Computer:   [REDACTED]


Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

I also saw a whole slew of errors pertaining to an inability “to start XXXXX.exe.  The RPC server is unavailable.”  It’s only after digging further that I found the “magic event” that pointed me in the networking direction (emphasis added):

Event Type: Error

Event Source:     NETLOGON

Event Category:   None

Event ID:   5719

Date:       12/5/2011

Time:       2:56:58 PM

User:       N/A

Computer:   [REDACTED]


This computer was not able to set up a secure session with a domain controller in domain [REDACTED] due to the following:

The RPC server is unavailable. 

This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.


If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

So, the server can’t contact any domain controllers in the domain.

Let’s ping the internal domain (yes, this company had matching internal and external domains… we’ll ignore this bad juju for now):

[REDACTED]>ping internaldomain.com

Pinging internaldomain.com [74.205.X.X] with 32 bytes of data:

Reply from 74.205.X.X: bytes=32 time=10ms TTL=246

Reply from 74.205.X.X: bytes=32 time=10ms TTL=246

Reply from 74.205.X.X: bytes=32 time=9ms TTL=246

Reply from 74.205.X.X: bytes=32 time=9ms TTL=246

Ping statistics for 74.205.X.X:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 9ms, Maximum = 10ms, Average = 9ms

So, as we can see, this is resolving outside of the 192.168.X.X network to a public IP range of 74.205.X.X… that’s odd…

Even more odd… if I do an nslookup, the primary DNS server in the 192.168.X.X range responds happily with the correct information… so, that means one of two things:

Option 1: There’s a HOSTS file entry.

Option 2: It’s a cached DNS entry.

So, I checked %WINDIR%\System32\Drivers\etc\HOSTS, but it’s unmodified.  Option 1 is out.

A quick check of the IP configuration (in the Advanced screen, no less) revealed the following DNS servers:



So, then the question becomes, “How did the first two DNS servers fail to the point where the DNS query hit the tertiary DNS record?”

A quick check of the patching/reboot schedules shows the problem… the Domain Controllers are rebooting within half an hour of each other, so it’s possible (though calamitously unlikely) that both servers were inaccessible either due to patching operations or reboot operations taking place simultaneously.

So, let’s fix this puppy…

Get it?  Moving on…

1) I removed the tertiary DNS server entry from the IP configuration of the Citrix server

2) I ran an ipconfig /flushdns from the command line

3) I checked for name resolution both of the internal domain and the primary DNS server… happily, we’re now getting a 192.168.X.X response (like we should)

4) I attempted to connect to the Citrix server and was able to get in

So, in a timeline:

·         3:49 AM: Both DCs go down at the same time, and the Citrix server resolves the internal domain to an external IP address on account of the tertiary DNS server being set to the external DNS IP address of… this entry gets cached until the TTL expires (evidently, being a caching DNS server, gave the internaldomain.com A records a long TTL)

·         1:55 PM: The Citrix server starts quietly freaking out about the fact that it can’t contact the domain

·         2:57 PM: The Citrix server slams on the brakes and says, “Nope, I’m not running any more programs or allowing any more connections until you let me talk to my lawyer… erm, I mean, the domain!”

·         3:00 PM: The client calls to say that his Citrix server is down

·         3:35 PM: After the troubleshooting & changes 1-4 detailed above, the Citrix server started working again without a reboot

…and in summary:

Please only use internal DNS server IP addresses on internal servers’ respective IP configurations.  Oh, and tip your wait staff.  :-)
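An audit for the misconfiguration described in this post, as an added example that is not part of the original post: it flags every DNS server in an adapter's search order that falls outside the ranges you treat as internal. The function names, the RFC 1918 default ranges, the host names and the 203.0.113.53 resolver address are assumptions made up for the illustration.

```powershell
# Added example, not the author's code. Requires PowerShell 3.0 or later.

function ConvertTo-IPv4Number {
    # Turn an IPv4 address into a number so that ranges can be compared.
    param([Parameter(Mandatory)][System.Net.IPAddress]$IP)
    $b = $IP.GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPv4InCidr {
    # True when $Address is an IPv4 address inside $Cidr (for example 192.168.0.0/16).
    param([string]$Address, [string]$Cidr)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $network, $prefix = $Cidr.Split('/')
    $size = [long][math]::Pow(2, 32 - [int]$prefix)      # number of addresses in the block
    $addr = ConvertTo-IPv4Number $ip
    $net  = ConvertTo-IPv4Number ([System.Net.IPAddress]::Parse($network))
    # Same block when both addresses round down to the same block start.
    return ($addr - ($addr % $size)) -eq ($net - ($net % $size))
}

function Find-ExternalDnsServer {
    # Emits one row per DNS server that is not inside any internal range.
    # Position 1 is the primary server, 2 the secondary, 3 the tertiary, and so on.
    param(
        [Parameter(Mandatory)]$AdapterConfig,   # objects with ComputerName, Description, DNSServerSearchOrder
        [string[]]$InternalCidr = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
    )
    foreach ($adapter in $AdapterConfig) {
        $position = 0
        foreach ($dns in $adapter.DNSServerSearchOrder) {
            if (-not $dns) { continue }          # adapter with no DNS servers set
            $position++
            $isInternal = $false
            foreach ($cidr in $InternalCidr) {
                if (Test-IPv4InCidr $dns $cidr) { $isInternal = $true; break }
            }
            if (-not $isInternal) {
                [pscustomobject]@{
                    ComputerName = $adapter.ComputerName
                    Adapter      = $adapter.Description
                    Position     = $position
                    DnsServer    = $dns
                }
            }
        }
    }
}

# Constructed inventory (hypothetical hosts and addresses). 203.0.113.53 is a
# documentation address standing in for the external resolver.
$constructedInventory = @(
    [pscustomobject]@{ ComputerName = 'CITRIX01'; Description = 'Constructed NIC'
                       DNSServerSearchOrder = @('192.168.1.10', '192.168.1.11', '203.0.113.53') }
    [pscustomobject]@{ ComputerName = 'FILE01'; Description = 'Constructed NIC'
                       DNSServerSearchOrder = @('192.168.1.10', '192.168.1.11') }
    [pscustomobject]@{ ComputerName = 'PRINT01'; Description = 'Constructed NIC (no DNS set)'
                       DNSServerSearchOrder = $null }
)

Find-ExternalDnsServer -AdapterConfig $constructedInventory | Format-Table -AutoSize

# Against live servers, build the same three properties from WMI
# ($servers is a hypothetical list of host names):
#   $live = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' -ComputerName $servers |
#       Select-Object @{n='ComputerName';e={$_.__SERVER}}, Description, DNSServerSearchOrder
#   Find-ExternalDnsServer -AdapterConfig $live
```

Pass your own ranges with -InternalCidr if the internal network uses address space outside RFC 1918.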

tag:briandagan.com,2013:Post/130300 2011-11-30T19:48:09Z 2013-10-08T15:48:48Z How To: Cancel Your Verio Web Hosting Account Without Waiting On Hold

If your company, like mine, is not tolerant of 5+ days of downtime for your website hosted on Verio, this should help you through the process of running for the hills…

As Verio’s official “party line” is that you must call Customer Care to close your account (Reference: http://support.verio.com/documents/view_article.cfm?doc_id=3755), I figured I’d save you the hassle of sitting on hold for an hour+ by telling you what they’ll tell you to do after you sit on hold.

1) Log into your website control panel… if you don’t know where that lives, go here: http://support.verio.com/apps/p_custtools/accountAccess.php and put in your domain and the primary account holder’s e-mail address as follows:


2) Once logged in, click the “Account Administration” link (it’s at the top left of the page or thereabouts)

3) Log in again with the same username and password that you just used to log into your website’s control panel

4) At the top of the page, click the Account Management link:


5) Under “Profile,” choose “Account Options”:


6) You should see an icon to modify or close your account (sorry I don’t have a screenshot for this one)

7) Run through the wizard to close the account (it’s a few steps asking why you’re leaving, etc.)

8) Print or save your confirmation page… Verio has been known to continue charging after cancellation, so having this confirmation page saved is essential if you continue to see Verio charges on your credit card!


The cancellation e-mail will go to your primary e-mail contact and will probably get caught in your spam filter, so check there first before getting huffy with Customer Service :-)

tag:briandagan.com,2013:Post/130302 2011-10-13T17:22:26Z 2013-10-08T15:48:48Z Creepy: Verizon Wireless Is Tracking Your Phone: You Must Opt Out

Verizon Wireless is now tracking your phone, they claim “anonymously,” in the following ways:

• Websites you visit (including search terms)

• Device location

• Device & app usage statistics

• Demographic information (from third parties)

Due to changes in contract terms, you must opt out of this information sharing if you don’t want Big Red tracking you in this fashion.

Here’s the link (you’ll need to log in with your account information):


The full announcement is here: https://email.vzwshop.com/servlet/website/ResponseForm?OSPECC_9_0_9hg_eLnHs_u...

tag:briandagan.com,2013:Post/130306 2011-09-19T20:15:37Z 2017-04-13T09:32:58Z How To: *CORRECTLY* Redirect Exchange Client Access Servers To The /owa Virtual Directory In IIS

I was recently on the phone with Microsoft support, and they are still very much aware of (and seem to have no plans to fix) the bug in the IIS 7 Manager (Server 2008+) wherein changes at the top “Default Web Site” level tend to propagate to—and overwrite—settings on subfolders: http://briandesmond.com/blog/redirecting-owa-urls-in-exchange-2010/

In more detail, if you decide to use the HTTP Redirect option to redirect the “root” directory to https://owa.customer.com/owa, you will break IIS and OWA unless you then go back and un-check the HTTP Redirect option on the other Exchange virtual directories, including (but not limited to):

·         aspnet_client

·         Autodiscover

·         ecp

·         EWS

·         Microsoft-Server-ActiveSync

·         OAB

·         PowerShell

·         Rpc

(YMMV… these folders are dependent on the version of Exchange)

So, with that glaring bug still present in IIS 7, what’s the Microsoft-approved way to redirect to the /owa Virtual Directory?  I’m glad you asked!

1) Log onto your Exchange server that has the CAS (Client Access Server) role

2) Fire up the “Internet Information Services (IIS) Manager”:


3) Expand down the tree until you can highlight “Default Web Site,” then click the “Content View” button:


    SIDEBAR: Do NOT rename the “Default Web Site”… things will break until you change it back!

4) Right-click a blank area and choose “Explore” from the menu:


5) Right-click in a blank area in the (by default) C:\inetpub\wwwroot directory and choose “New > Text Document”:


6) Type in the following code (though this is purely cosmetic and strictly unnecessary… the file could be blank and it would still work… it’s just helpful if someone is coming in behind you and doesn’t understand how the redirect is actually working):



<html>
<head>
<title>Redirecting to /owa...</title>
</head>
<body>
Redirecting to /owa using a HTTP Redirect added to this index.html document in IIS Manager’s Content View...
</body>
</html>



7) Save the file as “index.html” (with quotes so that the file extension remains intact) in the (default) C:\inetpub\wwwroot directory:


8) Close notepad and return to IIS Manager

9) Highlight your new “index.html” file (you may have to Refresh the screen before you can see it), then right-click on the file and choose “Switch to Features View”:


10) You’ll now see “index.html” under the “Default Web Site” tree… highlight it and choose “HTTP Redirect” from the right-hand pane:


11) Put in the full URL for OWA (including HTTPS, assuming you have a certificate installed) and check the boxes for “Redirect requests…” and “Only redirect requests…” with a status code of “Found (302)”:


12) Highlight “Default Web Site” and double-click on “Default Document”:


13) Highlight “index.html” and click “Move Up” in the Actions pane until it’s at the top of the list:


14) You’re done!  Test it out by going to https://owa.mycompany.com/owa (or whatever your OWA URL is)

tag:briandagan.com,2013:Post/130307 2011-09-06T15:57:04Z 2013-10-08T15:48:48Z Fix: Outlook 2007/2010 Out-Of-Office and Free/Busy Data Not Working

This is a rather obscure one and requires a very limited set of circumstances for this problem to affect your clients in this way; however, I believe it’s worth noting:

Base Assumptions

·         You’ve already properly configured the Exchange service URLs

o    Exchange 2007: http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html

o    Exchange 2010: http://technet.microsoft.com/en-us/library/bb124251.aspx

·         A few (or even a good percentage) of your users are having difficulty setting their Out-Of-Office messages or viewing the Free/Busy scheduling data when scheduling calendar appointments

·         You have, at one point in time, used the Microsoft Online Services Sign In client application in order to get folks connected up to Microsoft’s BPOS solution


As alluded to above, you’ll receive the following error messages when attempting to set your Out-Of-Office:

“Your automatic reply settings cannot be displayed because the server is currently unavailable.  Try again later.”

…or when you try to view the Free/Busy data on other calendars (other people and/or resources/rooms):

“No free/busy information could be retrieved.  Your server location could not be determined.  Contact your administrator.”

If you hold down the Ctrl key and right-click on the Outlook icon, you can “Test E-Mail AutoConfiguration…”:

…and when you un-check “Use Guessmart” and “Secure Guessmart Authentication” and hit the “Test” button, you’ll get the “Autoconfiguration was unable to determine your settings!” error message shown below:

Please note that the standard setup process of creating a new Outlook profile will work without issue; however, it’s only after you set up the profile that Autodiscover (and, by extension, the Exchange Web Services and/or Availability Service) goes to hell in a handbasket.

Root Cause

The following registry entries are the cause of the issue:









What these registry entries are effectively doing is telling Outlook to “not even try” Autodiscover, and to instead prefer a local XML file to tell it how to connect to your Exchange server.

You’ll definitely notice this if you do a two-sided packet capture on a “problem” machine and the Exchange server simultaneously while running the “Test E-Mail AutoConfiguration…” utility—there will not be any traffic from the Outlook client on the “problem” machine to the Exchange server or any of the usual autodiscover URLs.  That’s because the registry entries above are preventing Outlook from even going out to check those URLs.

So, you might be asking yourself, “Well, how in the name of Chuck Norris did those get there?”

The answer is: the Microsoft Online Services Sign In client application… you know, this guy:

Let’s check the registry branch before I use the Microsoft Online Services Sign In client application to configure a new Outlook profile to connect to BPOS:

(there are others listed, these are just a sample)

Notice that all keys/values are of type “REG_SZ” (string values) and point to various XML files in the following directories:

·         Office 2007: C:\PROGRA~1\MICROS~1\Office12\OUTLOO~1\

·         Office 2010: C:\PROGRA~1\MICROS~1\Office14\OUTLOO~1\

Again, prior to using the Microsoft Online Services Sign In client application to configure Outlook, there are no REG_DWORD values in this registry branch.

Now let’s use the utility to configure Outlook.  If you’re doing this the first time (i.e. you’re just installing the client application), this will be done automatically.  If you ever need to go back and re-do this step, you can do it from Options > Advanced Options > “Reconfigure my desktop applications”:

You’ll select only Outlook and click the “Configure applications” button (you will have to exit Outlook):

…and once that’s done, presto-change-o, you have some shiny new REG_DWORD values like the ones I listed earlier:

You’ll also notice another shiny new REG_SZ value for yourcompany.microsoftonline.com:


Just for giggles, let’s look at what’s in this XML file:

So, it would appear that Microsoft is “hedging their bets” in regards to how autodiscover actually works, even though I have no idea why they would need to do this, seeing as though they already have a CNAME record for autodiscover.mycompany.microsoftonline.com that gets me to the right place:

After working with Microsoft support, they referenced a cached (read: suspiciously deleted from the KB) article that addresses these exact registry entries.  Why this KB article was removed I’m not sure.  See the attached PDF for the full article, but the key parts are detailed here (emphasis added):

Consider the following scenario:

o    The e-mail environment in your organization uses the following programs:

§  Microsoft Exchange Online

§  Microsoft Exchange Server 2007

§  Microsoft Office Outlook 2007

o    You have a mailbox in Exchange Online and a mailbox in Exchange Server 2007.

o    You have the same primary Simple Mail Transfer Protocol (SMTP) e-mail address in Exchange Online and in Exchange Server 2007.

In this scenario, you experience the following issues:

·         The AutoDiscover feature that Outlook 2007 uses does not configure Outlook 2007 for the Exchange Online environment.

·         The AutoDiscover feature reverts back to Exchange Server 2007. Additionally, you cannot access e-mail when you use the Outlook 2007 client.

Note: These issues usually occur during the Exchange Online trial period or during an e-mail coexistence period between Exchange Online and Exchange Server 2007. When the Exchange Server 2007 mailbox that you use is fully migrated to the Exchange Online environment, the Exchange Server 2007 mailbox is deleted.

Interestingly, after checking our partner BPOS account (https://admin.microsoftonline.com), I see that neither our primary SMTP domain nor my personal address have our actual @mycompany.com domain set as primary… instead, my primary domain is @mycompany.microsoftonline.com:

…and here’s my user account:

So that still begs the question, “Why would Microsoft change the registry entries when I use the client application if my e-mail domain in BPOS (@mycompany.microsoftonline.com) isn’t the same as my actual primary SMTP domain on my Exchange server (@mycompany.com)?”

I decided to look for a newer version of the client application… as we can see, I’m running version 1.0.1427.0040, and the latest available is 1.0.1442.000 released on 4/25/2011 (at the time of writing).  The download page for the newest version is located here: http://www.microsoft.com/download/en/details.aspx?id=11859

So, I tried an experiment.  I deleted the “REG_DWORD” keys from the registry branch mentioned earlier (HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover), uninstalled the old client application, installed the new client application, and attempted to have it configure Outlook once again.

Surrrrrveyyyy says:

Dear Microsoft,

So, I reckon that this will continue to be an issue for as long as we continue to use the Microsoft Online Services Sign In client application.  Hooray!

The Quick-N-Dirty Fix

Because the registry entries are in HKEY_CURRENT_USER, I can’t easily update these en-masse using our centralized management system, as the HKEY_CURRENT_USER designation is dependent upon who is logged in at the time.

The quickest way to fix this, I’ve found, is to add the following lines to all of the necessary logon scripts (which run in the correct user context of the currently logged on user):

@echo off


echo Deleting errant registry entries that prevent Autodiscover functionality...


echo Office 2010...

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover /v PreferLocalXML /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover /v ExcludeHttpRedirect /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover /v ExcludeHttpsAutodiscoverDomain /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover /v ExcludeHttpsRootDomain /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover /v ExcludeScpLookup /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover /v ExcludeSrvLookup /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover /v ExcludeSrvRecord /f


echo Office 2007...

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover /v PreferLocalXML /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover /v ExcludeHttpRedirect /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover /v ExcludeHttpsAutodiscoverDomain /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover /v ExcludeHttpsRootDomain /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover /v ExcludeScpLookup /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover /v ExcludeSrvLookup /f

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover /v ExcludeSrvRecord /f


echo Errant registry keys (if they exist) have been deleted!


It appears that the registry entries, once deleted, remain deleted until such time that the user chooses to “Reconfigure my desktop applications” (again, per the screenshot below):

So this is definitely something to be aware of… if a user installs the client application and can no longer access his/her Out-Of-Office settings and his/her Free/Busy data, and assuming that you’ve added the aforementioned lines to everybody’s logon script, just tell him/her to log off and log back on again and the problem should be fixed.

For the record, I’m leaving this as part of everybody’s logon script until we’ve transitioned our partner account to Office 365. :-)

tag:briandagan.com,2013:Post/130310 2011-09-02T16:12:55Z 2013-10-08T15:48:48Z How To: Allow Standard Users To Join Computers to Your Internal Domain

By default, an authenticated user can join up to 10 computers to a domain.  Once they exceed 10 machines, (s)he will no longer be able to add any more computers to the domain.  Ever.  Neat!

So, in order to allow key users/groups to add computers to the domain, you’ll need to do the following:

1) Hop on an AD domain controller

2) Bring up “Active Directory Users and Computers” (Start > Run > dsa.msc)

3) Right-click on your domain and choose “Delegate Control…”:


4) Hit Next on the welcome screen and hit the Add button to add the users and groups you need, and then hit Next again:


5) Check the box for “Join a computer to the domain” and hit Next:


6) Hit Finish to complete the wizard

7) Now you’ll need to remove the 10-item-limit… open ADSI Edit (Start > Run > adsiedit.msc)

8) Expand the tree until you see your domain… right-click on it and choose Properties:


9) Scroll down until you find the “ms-DS-MachineAccountQuota” item and click Edit:


10) Click the Clear button, hit OK, hit OK again, and close ADSI Edit:


This should make it so that selected users & groups can join computers to the domain without running up against the 10-item-limit.

tag:briandagan.com,2013:Post/130312 2011-08-18T19:26:11Z 2013-10-08T15:48:48Z How To: Add A Domain Group To The Local Administrators Group On A Domain Controller

There are a very limited number of circumstances when you’d want to do this, most of which are boring & technical (e.g. adding an Exchange 2010 Database Availability Group and using a “Witness Server” of one of your Domain Controllers requires that the “Exchange Trusted Subsystem” domain group be added to the Local Administrators group on the Domain Controller itself)… but here goes anyway…

You’ll notice that if you use a “net localgroup administrators /add DOMAIN\Group” that the command fails with a syntax error.  Some folks say that this is because of a limitation on the length of the group name, but I call shenanigans on that explanation.  At any rate, you’ll slam your head against your desk for a while, until you do the following:

1) Open up Notepad

2) Paste in the following lines, substituting [DOMAINNAME] and [DOMAINGROUPNAME] as necessary:

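' Bind to the local Administrators group on this machine
Set objLocalGroup = GetObject("WinNT://./Administrators")

' Bind to the domain group that should be added
Set objADGroup = GetObject("WinNT://[DOMAINNAME]/[DOMAINGROUPNAME]")

' Add the domain group to the local group
objLocalGroup.Add(objADGroup.ADsPath)

Set objLocalGroup = Nothing

Set objADGroup = Nothing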

3) Go to File > Save As, and save it on your Desktop as “script.vbs”

4) Go to Start and type in cmd, then right-click on cmd and choose “Run as Administrator”:


5) CD to your Desktop and then run the command: “cscript script.vbs” as in the example below, and once the script runs, do a “net localgroup administrators” to verify that the script added the requested group properly:


As you can see, the script works :-)

tag:briandagan.com,2013:Post/130313 2011-08-15T17:37:23Z 2013-10-08T15:48:48Z Tip: Using Excel To Speed Up Your PowerShell Scripting On Exchange

If you’ve run across a scenario where you need to create/edit/remove more than a few Exchange objects at a time, your best bet is to script the fix using PowerShell.  The biggest problem you’ll come across though is, “I have this list of users, so how can I pre-populate a PowerShell script with the correct variables?”

Here’s the quick-and-dirty method:

1) Fire up Excel

2) Arrange your columns in such a way that you can simply paste in columns from text files or other spreadsheets with the correct first name and last name values—as well as any other variables you might need—and have those columns fit into the general syntax of what you’re trying to script… here’s an example:


    As we can see above, I’m running the following command for each user on an individual line:

    New-MailContact -Name "Billy Bob (Mozambique)" -ExternalEmailAddress billybob@somewhere.mz

    I can also easily paste in the list of first & last names, as well as copy the standard contents of columns A and E all the way down to the end, as shown below:


    You can even get fancy with the cell values & tabs… by way of example, I’ve broken down my ultimate goal into three discrete steps, each of which is its own tab:


    …and on the additional tabs, just set the values for the First Name and Last Name columns based on the value in the first tab using a formula like the example below:


3) With your spreadsheet complete, do a Ctrl-A (Select All) and paste the contents into Notepad:


4) Highlight one of the tab characters and hit Ctrl-C (or right-click and Copy):


5) On the Edit menu, go to Replace:


6) Paste in the tab character you copied earlier and click the Replace All button:


7) Now that the text document is correctly formatted and doesn’t have any additional spaces or tabs, you should just be able to paste it into PowerShell on the Exchange server directly:


Tip: I’d recommend only pasting in a few lines at a time to start with just to make sure your syntax is correct.

Hope this saves you some time!  :-)

tag:briandagan.com,2013:Post/130315 2011-06-10T19:35:58Z 2013-10-08T15:48:48Z Remember when AIM was relevant?

tag:briandagan.com,2013:Post/130317 2011-06-02T20:10:27Z 2014-06-11T14:37:15Z How To: Troubleshoot Exchange 2007 Queues Being Overrun With "Undeliverable" Messages

Like any good MSP… or maybe unlike many MSPs? ;-)… we have a monitor set placed on Exchange servers for when their queues get “out of hand,” i.e. there are too many outbound mail queues –or- the queues that are present are too large and have too many messages bound for a single destination.

Sometimes, when this alarm trips, it’s hard to know where to begin.  Did User McUserton decide to send out a blast e-mail to thousands of recipients… again?  Has the SMTP server been compromised via SMTP AUTH attack?  Is the outbound intermediary server down?  Has the server been blacklisted?  There are many scenarios here, of which this is just one; however, the troubleshooting steps here are a good starting point to see what you’re dealing with in most situations.

For this example, I was asked to investigate the presence of many outbound queues consisting of a few messages each—all of which are from a blank sender and have a subject line beginning with “Undeliverable”:

1) Hop on the Exchange server and open the Exchange Management Console

2) In the Microsoft Exchange tree, go to Toolbox and double-click on Queue Viewer:


3) Notice the characteristics of the scenario I outlined earlier (pictured below)… but even if your scenario doesn’t match this one, you can continue investigation… just pick a queue that looks the most “interesting” (e.g. has the most messages or seems the most backed up):


4) When you double-click on the queue, you’ll see a message or two… double-click on one of them to look at its properties:


    Things to notice here:

    Subject: Undeliverable: [Spammy subject line]

    From Address: <>

    Source IP:

    Last Error: [Delivery delay, DNS query failed, other failures]

5) In the example above, I’ve highlighted and copied “Watches, Luxury Items and Handbags!” to the clipboard, leaving out the “Undeliverable” bit… and now, back in the Exchange Management Console, go to the Toolbox > Message Tracking:


6) Un-check all of the checkboxes except for “Subject,” paste in the subject line you just copied, and hit Next:


7) Now… what you’ll see here is too much to put in a screenshot… here’s the trick… read it like a narrative, from left-to-right and top-to-bottom.  This takes practice and patience… hang in there, buddy!


    Here’s an example of what reading this narrative might sound like, with each line being a bullet point:

·         On June 2nd, 2011, a connection was logged from IP and had a from address of <SpammyMcSpammerson@ILikeTacos.com> and a subject of “Watches, Luxury Items and Handbags!”, and this message was sent to <CEODistributionList@TheClient.com> and the result of this connection was “OK”

·         At the same date and a second later, [ExchangeServerName] tried to figure out who the <CEODistributionList@TheClient.com> distribution list should go to

·         At the same date and a second after that, the resolver figured out that the distribution list contains <BeckySue@TheClient.com> and <BillyBob@TheClient.com>

o    A second after that, the STOREDRV process attempts to deliver to <BeckySue@TheClient.com> and succeeds

o    At the same time, the STOREDRV process attempts to deliver to <BillyBob@TheClient.com>, but an error is logged saying that the recipient doesn’t exist

§  The [ExchangeServerName] then tries to send a message from <> (blank) to <SpammyMcSpammerson@ILikeTacos.com> with the subject “Undeliverable: Watches, Luxury Items and Handbags!”

§  A second after that, the transport driver says the recipient server said “4.4.0 – Unknown recipient” and rejected the message, so the transport driver put the queue into a retry state

§  Rinse, repeat, and presto change-o, you now have hundreds of queues stuck in a retry state!  Wooooo!


    Again, take your time and read slowly :-)

    Tip: You can select a message row and hit “Next” again to search for only that message ID.

          This will save you a lot of reading, especially if there are multiple messages with the same subject!

8) In my example above, we can see that the message originally hit the <CEODistributionList@TheClient.com> and then broke out to go to <BeckySue@TheClient.com> and <BillyBob@TheClient.com>, where the message to Billy Bob bounced (Billy Bob got a job down at Initech as one of the Bobs)… so two questions arise:

    Question 1: Why is Billy Bob still on the CEO’s distribution list?  We fired that guy!

    Solution 1: Remove Billy Bob from the CEO’s distribution list!  Disable his account!  Wipe hands on pants!

    Question 2: How in the heck did such an obvious piece of spam get through the spam filter?!?!

    Solution 2:  Check your spam filter!  In this case, we checked Postini… see if you can spot the problems:


Please use this knowledge for good and not for evil :-)
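The narrative reading in step 7 can also be done by script. This is an added example, not part of the original post: it finds NDRs (blank sender, subject starting with “Undeliverable: ”) and ties each one back to the message that caused it, its source, and the recipient that failed. The function name, the column subset, the timestamps and the 198.51.100.23 source address are assumptions constructed for the illustration.

```powershell
# Added example, not the author's code. Requires PowerShell 3.0 or later.

# Constructed tracking rows that mirror the narrative in step 7. Times and the
# source IP are made up; real Get-MessageTrackingLog output has more columns,
# and Recipients is a collection there rather than a single string.
$constructedTracking = @'
Timestamp,ClientIp,Source,EventId,Sender,Recipients,MessageSubject
2011-06-02T10:15:01,198.51.100.23,SMTP,RECEIVE,SpammyMcSpammerson@ILikeTacos.com,CEODistributionList@TheClient.com,"Watches, Luxury Items and Handbags!"
2011-06-02T10:15:02,,ROUTING,EXPAND,SpammyMcSpammerson@ILikeTacos.com,BeckySue@TheClient.com;BillyBob@TheClient.com,"Watches, Luxury Items and Handbags!"
2011-06-02T10:15:03,,STOREDRIVER,DELIVER,SpammyMcSpammerson@ILikeTacos.com,BeckySue@TheClient.com,"Watches, Luxury Items and Handbags!"
2011-06-02T10:15:03,,ROUTING,FAIL,SpammyMcSpammerson@ILikeTacos.com,BillyBob@TheClient.com,"Watches, Luxury Items and Handbags!"
2011-06-02T10:15:04,,DSN,DSN,<>,SpammyMcSpammerson@ILikeTacos.com,"Undeliverable: Watches, Luxury Items and Handbags!"
2011-06-02T10:20:00,192.168.1.50,SMTP,RECEIVE,BeckySue@TheClient.com,partner@example.org,Quarterly numbers
'@ | ConvertFrom-Csv

function Get-BackscatterSummary {
    # Groups NDR events by the subject of the message that triggered them and
    # reports where that message came from and which recipient failed.
    param(
        [Parameter(Mandatory)][object[]]$TrackingEvent,
        [string]$NdrPrefix = 'Undeliverable: '
    )

    # An NDR here is a row with a blank sender ("<>" or empty) and the NDR subject prefix.
    $ndrs = $TrackingEvent | Where-Object {
        $from = ([string]$_.Sender).Trim()
        ($from -eq '<>' -or $from -eq '') -and
            ([string]$_.MessageSubject).StartsWith($NdrPrefix, [StringComparison]::OrdinalIgnoreCase)
    }

    $ndrs |
        Group-Object { ([string]$_.MessageSubject).Substring($NdrPrefix.Length) } |
        ForEach-Object {
            $group    = $_
            # Every event logged for the original (pre-NDR) subject line.
            $original = @($TrackingEvent | Where-Object { $_.MessageSubject -eq $group.Name })
            $received = @($original | Where-Object { $_.EventId -eq 'RECEIVE' })
            $failed   = @($original | Where-Object { $_.EventId -eq 'FAIL' })

            [pscustomobject]@{
                OriginalSubject = $group.Name
                NdrCount        = $group.Count
                OriginalSender  = ($received | Select-Object -ExpandProperty Sender -Unique) -join '; '
                SourceIp        = ($received | Select-Object -ExpandProperty ClientIp -Unique) -join '; '
                AddressedTo     = ($received | Select-Object -ExpandProperty Recipients -Unique) -join '; '
                FailedRecipient = ($failed | Select-Object -ExpandProperty Recipients -Unique) -join '; '
            }
        } |
        Sort-Object NdrCount -Descending
}

Get-BackscatterSummary -TrackingEvent $constructedTracking | Format-List

# On the Exchange server, the same function accepts live tracking data, for example:
#   Get-BackscatterSummary -TrackingEvent (Get-MessageTrackingLog -Start (Get-Date).AddHours(-12) -ResultSize Unlimited)
```

The FailedRecipient column points at the stale address to remove (Question 1 in step 8), and OriginalSender with SourceIp is what to look up in the spam filter (Question 2).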

tag:briandagan.com,2013:Post/130320 2011-05-26T15:25:51Z 2013-10-08T15:48:49Z Humor: SonicWALL Content Filter Fail

God Save the Queen!

tag:briandagan.com,2013:Post/130322 2011-05-13T17:33:17Z 2017-05-16T16:39:42Z Fix: Configuring SonicPoint APs on a SonicWALL TZ on a **Shared Interface**

Here’s 3 hours of mine and another Engineer’s lives that we’ll never get back… so if you do run across this configuration, this should save you some time.  Here’s the scenario:

You have:

1 x SonicWALL TZ210

4 x SonicPoint wireless access points

1 x PoE switch, shared with both the SonicPoints and a few wired LAN clients


Due to having been completely locked out of all interfaces and all protocols by the previous IT company (morons) and because we didn’t have a console cable anywhere nearby (d’oh!), we had to factory reset the SonicWALL TZ210.  It was only at that point that we realized that the SonicWALL TZ210 also had four (4) SonicPoints that used to be bound to it (thanks to correct labeling in the MySonicWALL portal).  We attempted to get the TZ210 to recognize the SonicPoints (we even factory reset a SonicPoint), but they never showed up in the web UI:

So, here’s your problem… the SonicPoints will not talk to the TZ210 unless they are plugged into an interface designated as a WLAN (wireless LAN) interface.

If you were setting this up from scratch, you would want to design your network in such a way that the SonicPoints were on one PoE switch attached to an X2-X6 interface, and the LAN clients were on a different non-PoE switch connected to the X0 (LAN) interface.  You would then designate the interface to which your PoE switch and SonicPoints are connected as being in the WLAN zone.  Here’s a good site documenting that process: http://www.brandontek.com/networking/solution-to-your-sonicpoint-wlan-woes/

…but, since we didn’t have two switches, we were up a creek.  Oh, and did I mention that putting a SonicPoint into standalone mode is not supported by SonicWALL?  Major bummer, dude!  So, these were our choices:

If we plugged the PoE switch with the SonicPoints and the wired LAN clients to X0, the SonicPoints would not be recognized.

If we plugged the PoE switch with the SonicPoints into an X2-X6 interface which was designated as a WLAN, then the wired LAN clients would not be able to get out of that interface to the Internet.

One SonicWALL case and one undocumented setting later (correction: the Murphy is strong today (Friday the 13th?)… see the last paragraph for the link to the KB article), it’s working.  Here’s how:

1) Log into the TZ210, and, once logged in, replace main.html in the address bar with diag.html, which brings you to this page:


2) Click the “Internal Settings” button, scroll down to the Wireless Settings section, and check the box for “Enable local wireless zone traffic to bypass gateway firewalling,” and then be sure to scroll back up and hit Apply:


    Don’t forget:


3) Hit the “Close” button on the diag.html page, which then takes you back to the normal interface… go to Network > Zones and edit your WLAN zone to match the following settings:


    Now, on the Wireless tab, you’ll have a new checkbox:



    Don’t forget:


4) Now, change an interface (in this case, X2) to the WLAN zone, and plug the uplink from your PoE switch (which, again, has the SonicPoints and some wired LAN clients attached) into said interface you just configured as follows:


…and Murphy’s law states that as soon as I put this together, I’d find a KB article that SonicWALL didn’t mention, even when I’d asked tech support, “Is there some sort of article or walkthrough I can follow?”  http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8334&formaction=faqalert

Anyway, their KB article doesn’t actually bridge the new interface to the X0 interface… mine does… and it still works.  Nyah.

Hope this helps save you some time when configuring non-optimal SonicWALL-based networks :-)

tag:briandagan.com,2013:Post/130323 2011-05-13T17:30:38Z 2013-10-08T15:48:49Z PSA: Do NOT Surf Non-End-To-End HTTPS Sites While On a Public Wi-Fi Network

I'm about to share a not-so-well-known issue with public Wi-Fi networks.  Essentially, many websites we know & love—when logged into while you're on a public Wi-Fi network—do not adequately protect your session information.

What's the problem?

In non-geek-speak (and by way of example):

If you are joined to a public Wi-Fi network…

   …and you log into Facebook (for example)

      …and someone nefarious on the same Wi-Fi network is "listening" to the traffic

         …then said nefarious person can easily log in as you and take over your session.

Let's look at this from the "attacker's perspective":

I, the "attacker," load a simple (free) plug-in for my Firefox browser called Firesheep, available here:


I then, in Firefox, go to View > Sidebar > Firesheep.  I then click the "Start Capturing" button and just wait…

On a busy public Wi-Fi network, and within a matter of 5-10 minutes, you can see a list of all of the logins that I can "hijack" (image has been obscured to preserve anonymity):

So, that's 9 Google accounts, 5 Facebook accounts, 1 Amazon account, and 1 Yahoo account that I can then "take over"--simply by double-clicking on the account I'm interested in.

Let's see what pops up on my screen when I double-click on one of these accounts (image has again been obscured to preserve anonymity):

Now, obviously, you can imagine how this session hijack could be a problem.  Use your imagination… will the "attacker" put up:

> Embarrassing photos?

> A derogatory wall post?

> A link to malware or a virus?

…and that's just for Facebook.  What if someone hijacked your Amazon account and sent you boxes upon boxes of random doodads and geegaws?

The problem (technically speaking) is when a website uses HTTPS only for the initial login.

In other words, your username and password are still encrypted to and from Facebook (for example), but all subsequent communications travel over the unencrypted HTTP protocol.  Firesheep captures the "session cookie"—a small piece of data your browser sends with every request to tell Facebook that you are who you say you are—as it crosses the network.  Once I (the "attacker") have a copy of the "session cookie," I'm effectively you, and can do anything that you could normally do once you logged in.
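A site owner's check for the weakness just described, as an added example that is not part of the original post: it walks the response headers of a login flow and reports where the session cookie would end up on plain HTTP. The host name, cookie name, header values and the cookie-name heuristics are constructed for illustration.

```python
"""Audit a login flow for the 'HTTPS at login only' weakness (added example)."""
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: cookie names containing these substrings carry the session.
SESSION_HINTS = ("sess", "sid", "auth", "token")

# Constructed sample flows: (request URL, status code, response headers).
WEAK_FLOW = [
    ("https://social.example/login", 302, [
        ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
        ("Location", "http://social.example/home"),
    ]),
    ("http://social.example/home", 200, []),
]
HARDENED_FLOW = [
    ("https://social.example/login", 302, [
        ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Location", "https://social.example/home"),
    ]),
    ("https://social.example/home", 200, []),
]


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_enabled(value):
    """True when a Strict-Transport-Security value carries a positive max-age."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return val.isdigit() and int(val) > 0
    return False


def audit_flow(flow):
    """Return a list of (finding code, detail) tuples for one recorded flow."""
    findings = []
    https_hosts, hsts_hosts = set(), set()
    for url, _status, headers in flow:
        here = urlsplit(url)
        if here.scheme == "http":
            # Every request to this page sends its cookies unencrypted.
            findings.append(("PLAIN_HTTP_PAGE", url))
        else:
            https_hosts.add(here.hostname)
        for header, value in headers:
            header = header.lower()
            if header == "set-cookie":
                name, attrs = parse_set_cookie(value)
                is_session = any(h in name.lower() for h in SESSION_HINTS)
                if is_session and "secure" not in attrs:
                    # Without Secure the browser also sends it over http://.
                    findings.append(("COOKIE_NO_SECURE", name))
            elif header == "location" and here.scheme == "https":
                target = urljoin(url, value)
                if urlsplit(target).scheme == "http":
                    findings.append(("HTTPS_TO_HTTP_REDIRECT", target))
            elif header == "strict-transport-security" and here.scheme == "https":
                if hsts_enabled(value):
                    hsts_hosts.add(here.hostname)
    for host in sorted(https_hosts - hsts_hosts):
        findings.append(("NO_HSTS", host))
    return findings


if __name__ == "__main__":
    for label, flow in (("weak", WEAK_FLOW), ("hardened", HARDENED_FLOW)):
        print(label, audit_flow(flow) or "no findings")
```
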

What's the solution?

In short, don't browse to non-end-to-end HTTPS sites while you're on a public Wi-Fi network.

What does "non-end-to-end HTTPS" mean?

When you log into Facebook for the first time, your login is encrypted; however, past that point, your address bar will show just a normal HTTP connection once you're logged in:

So, at this point, the "attacker" can intercept the "session cookie," and thus your entire Facebook login—and again, the same applies to any site that drops you back into HTTP once you log in.

What should I do if I log in while connected to public Wi-Fi and notice that my session is in HTTP mode and not HTTPS?

Log off of the website… and quickly!  Don't just close the browser… actually hit the "Log Off" link in the website itself.  Doing this will make the "session cookie" invalid—so even if the attacker has a copy of the "session cookie" that he/she has intercepted, it will no longer be valid.

Then, don't browse to that site again while you're on a public Wi-Fi network.

Best practices then, Dagan?

Here's a good general rule to follow when you're on a public Wi-Fi network:

Don't do anything on a public Wi-Fi network that you wouldn't want projected onto the side of a building for everyone in the area to see.

Safe surfing :-)

tag:briandagan.com,2013:Post/130324 2011-04-27T18:03:35Z 2013-10-08T15:48:49Z UPDATE: Confirmed: Your iPhone Is Tracking Your Every Move

NOTE: This is an update to my original post, located here: http://briandagan.com/confirmed-your-iphone-is-tracking-your-every

Apple has officially responded to the iPhone concerns (we are in the DC area… I’m surprised there hasn’t been a “gate” appended to this yet… iPhonegate… GPSgate).  Anyway, here’s the official press release:


To boil it down into a couple of grossly oversimplified key points:

Why is this “tracking database” enabled by default?

The “tracking database” was designed to track cell towers & Wi-Fi hotspots in relation to each other.  This is part of the “Location Services” setting on your iPhone, but turning off “Location Services” won’t necessarily turn off communications to/from Apple to share this “crowdsourced” information, which appears to be a bug in their iOS software—a bug that should be fixed in the next iOS update.

What do you mean “crowdsourced?”

In the same way your TomTom GPS “Live” edition uses other TomToms to track traffic flow in near real-time, the iPhone (in collaboration with other iPhones) will, in the future, be able to do the same thing (even Apple says they’re working on “crowdsourced traffic reports”).  For now though, you’re sharing information about cell towers, Wi-Fi hotspots, and how they relate to each other geographically.  This helps pinpoint your location faster.

Why not just rely on the built-in GPS to figure out your current location?

GPS resolution (the initial “lock on” phase) is slow.  Try opening your new GPS navigator for the first time and turning it on.  Notice how it takes 3-5 minutes to initially triangulate your location?  That “lock on” time decreases as your GPS gets more familiar with where it “thinks” you spend most of your time, but the “lock on” time is always relatively slow.  The iPhone attempts to circumvent this limitation of GPS by using the aforementioned “crowdsourced” database of cell towers & Wi-Fi hotspots to triangulate your location based on the wireless signals being broadcast in your current location.  For example, I can’t get a clear GPS signal inside this warehouse—but I can pick up the closest cell towers & the Wi-Fi networks immediately—so the iPhone uses that to do the initial location calculation until the GPS chip can “lock on” to a more accurate location (within feet of where you are).

But why would this database need to be so large?

Good question—and Apple acknowledges that it doesn’t need to be an “indefinite record” as it is currently.  They’re going to reduce the database size by removing location data older than 7 days—again, in the next iOS update.  There’s a tradeoff here—the smaller you make the database, the longer it might take to calculate your location; however, the larger you make the database, the more likely it is that the data logged might come back to bite you (i.e. Try not to murder anyone while you’re carrying your iPhone around).

If I’m using this “crowdsourced” database, I’m sharing my information too, right?

Yes, you are.  But Apple says that the data is anonymous and encrypted.  For whatever you think that’s worth…

For me personally, I’m still leery that this data even exists, though I understand its purpose.  Words like “encrypted” and “anonymous” rarely hold true, and I believe it’s only a matter of time before this information can be intercepted, decrypted & correlated to you (if that isn’t happening already… *cough* Patriot Act (http://en.wikipedia.org/wiki/USA_PATRIOT_Act) *cough*)

Anyway, hope this helps…

tag:briandagan.com,2013:Post/130286 2011-04-25T15:43:49Z 2013-10-08T15:48:48Z Tip: Typing Phrases Repeatedly? Why Not Automate Commonly-Used Phrases?

After having found myself typing the following line (among others) roughly 5,000,000 times, I decided there must be a better way:

“The issue in this ticket appears to be resolved.  If you have any questions or if this same issue recurs, please reply back to this e-mail and the ticket will automatically be re-opened.  Alternatively, you can call XXX-XXX-XXXX xX and reference the ticket number in the subject line.  Thanks!”

I just completed a quick search for freeware that would automate typing in these commonly-used phrases.

For the PC, I’d recommend Autotext: http://www.autotext-software.com/

For the Mac, I’d recommend Kissphrase: http://www.chimoosoft.com/products/kissphrase/

Both watch for key phrases or key combinations as you type and replace them, in real time, with the text you specify.

Here’s a screenshot of the configuration of Kissphrase for the Mac:

…and the configuration screen for Autotext for the PC:

So, when I type in t-r-! (without the dashes), I get this:

Hope this helps save you some time!

tag:briandagan.com,2013:Post/130288 2011-04-21T15:43:45Z 2013-10-08T15:48:48Z Fix: Group Policy "Gotcha" for Internet Explorer Trusted Sites

There are two places that you can define “Trusted Sites” in Internet Explorer through Group Policy.

First, find the GPO that applies to the users/computers in question in your Group Policy Management Console.  If you don’t already have the GPMC installed, search Google for “GPMC for Server ______” and install the GPMC.

The first place Trusted Sites are defined is under:

User (and/or Computer (check both)) Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List:

Example list here:

When you check through the Group Policy Management console, changes to the “Site to Zone Assignment List” will show up as “Extra Registry Settings”… this is important, as you may wind up spending hours tearing your hair out trying to find an ADM file that doesn’t exist that would help you define the “Extra Registry Settings.”  There is no ADM file.

As you can see, here’s where the “Extra Registry Settings” appear after editing said list:

The second place Trusted Sites are defined is under:

User (and/or Computer (check both)) Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings > “Import the current security zones and privacy settings”

You are effectively copying the Internet Security settings of the machine you’re on:

If Internet Explorer Enhanced Security Configuration is enabled on the local machine from which you’re editing the Group Policy, you must disable it to apply settings to computers that are not running IE ESC.

…and vice versa (If ESC is disabled on the local machine, you must enable it to apply settings to ESC-enabled endpoints).

Most times, you will want IE ESC to be disabled on the machine you’re using to apply the Group Policy, as it’s unlikely that the endpoints you’ll be applying the Group Policy to will have IE ESC enabled.  If you do want to apply this policy to an IE ESC-enabled server, you should probably create a separate policy.

I’m not sure if one policy setting overrides the other… so you should probably pick one.  If (as in the case I’m currently working on) both settings are defined, I’m going to update both locations in the Group Policy.

tag:briandagan.com,2013:Post/130289 2011-04-20T18:03:00Z 2013-10-08T15:48:48Z Confirmed: Your iPhone Is Tracking Your Every Move

Note: This post has been updated--read here: http://briandagan.com/update-confirmed-your-iphone-is-tracking-your

This is a rather disturbing assertion that I wouldn’t have believed myself if I hadn’t tried it…

Your iPhone Is Secretly Tracking Everywhere You’ve Been, All The Time

Please note that you must have a Mac in order to run the application that can parse the map data.  Also, your iPhone must be running at least iOS 4 (which was released around a year ago).

You can download the Mac application from here: http://static.openheatmap.com.s3.amazonaws.com/iPhoneTracker.app.zip

…and an explanation of how it works: http://petewarden.github.com/iPhoneTracker/#faq

To test this, I plugged in my iPhone and fired up iTunes… I then had to run a manual backup to make sure the most up-to-date tracking data had been downloaded to my Mac from my iPhone.  To force a manual backup, right-click on your device in iTunes on your Mac and choose Back Up from the menu:

You can then extract and run the Mac application:


…and then prepare to be shocked, as you look at all of your logged locations from the time you upgraded to iOS 4 and onward:



…and here’s a zoomed-in view of my travels in the DC area:


At this point, there is no way to disable this tracking.

It does not use the GPS functionality—it triangulates your location based on cell towers…

This is spooky… I’m sure there will be updates to follow.  It will be interesting to see what Apple has to say about this.

tag:briandagan.com,2013:Post/130291 2011-04-19T19:25:48Z 2013-10-08T15:48:48Z Fix: Uninstall Stubborn Non-UAC-Compliant Applications

If you’re in a situation where you’re trying to remove an application and you get a dialog box saying “Your System Administrator has set policies that prevent this installation,” even though you’re logged in as a Local Administrator, you have two choices:

1) Turn off User Account Control (UAC) for the computer


2) Use the workaround below to uninstall the program from an Administrator command prompt, thus saving you from having to disable the UAC security feature

(I hope you’ll agree that using the workaround makes far more sense than disabling UAC system-wide and having to reboot the machine!)

Here’s what you need to do:

1) Hop on the machine as a Local Administrator

2) Go to Start, and in the “Search programs and files” box, type in “cmd” (without quotes)

3) When “cmd” pops up, right-click on it and choose “Run as Administrator,” and click Yes on the UAC warning:


4)  At the command prompt, type wmic and hit Enter

5) Type in the following line, substituting ComputerName for the computer’s actual name:


    /node:ComputerName product get name,version,vendor

6) In the list of programs, you need to make a note of the exact program name… you’ll need this in the next step

7) Type in the following line, again with the ComputerName substitution, and also substituting ProgramName for the full name of the program as output from the last command:

    /node:ComputerName product where name="ProgramName" call uninstall

8) You will have to type “y” (without quotes) and hit Enter in order for the uninstall to proceed… at which point, you’re done!  The program should no longer be in your “Programs and Features” list!

Screenshot of process:

A return value of 0 indicates a successful uninstall.

tag:briandagan.com,2013:Post/130293 2011-04-07T15:24:36Z 2017-04-10T15:48:05Z How To: Deploy a Set of Power Settings to ALL Workstations

After having struggled with this for a mind-bendingly long time, I’ve finally found a solution that allows you, the Administrator, to deploy a Group Policy from a 2008+ server that allows you to manage Power Settings on XP and Vista/7 workstations.

Previously, as anyone who has lived this dream can attest, it was damn near impossible to do this from a 2003-based server, as the Group Policy settings didn’t propagate to Vista/7 workstations.  The best you could do was to select “High Performance” as your power scheme…

and hope against hope that none of the workstation manufacturers decided that “High Performance” was as follows:

Figure 1: Bite me, Dell

Even if you thought you’d be clever and create your own “Always On” power scheme on the server and then select that as your “Active Power Plan” in Group Policy, you’d quickly find out that the only power-related setting you could change was the display timeout.  Useless.

For Server 2008, the game has changed!  Took long enough, no? :-)

So, on your server, go to Start > Administrative Tools > Group Policy Management and drill down through your domain until you find the “Default Domain Policy” item in your “Group Policy Objects” container.  Right-click on it and choose Edit:

Really?  Default Domain Policy? If you already have special Group Policies or are more well-versed in the granular application of Group Policies to your organization’s computers (this is a Computer and a User-based setting), feel free to use whichever Group Policy you deem worthy.  This is just the quickest way to apply these settings across the entire domain.

You SHOULD run a GPResult to verify that the settings applied here aren’t overridden by other default policies—particularly if you’re running Small Business Server 2008.

You should NOT apply power settings to the Default Domain Policy if you are intending to implement a power scheme that is not of the “Always On” variety.

Remember that the Default Domain Policy applies to everything in the domain—including servers.  Will a server go into sleep mode if you set the Default Domain Policy to do so after 20 minutes?  I don’t actually know, but I don’t plan on finding out.

So, once you’re editing the policy (right-click, Edit), drill down through Computer Configuration > Preferences > Control Panel Settings > Power Options…

You are going to want to create new Power Options and Power Schemes for each OS type that you have in the organization.

For more details on this process, I’d recommend reading Alan Burchill’s post here:  http://blogs.technet.com/b/grouppolicy/archive/2009/09/30/configuring-a-power-plan-with-group-policy-preferences-by-alan-burchill.aspx

Ultimately though, this is what you’ll see on a SBS 2008 (non-R2) server:

You can see that I’ve created a Power Options set and a Power Scheme set for Windows XP.

I then did the same thing under User Configuration > Preferences > Control Panel Settings > Power Options (you know, just to be safe):

I also made sure to set the old “Administrative Templates”-based settings back to “Not Configured” so as not to override these new settings.

Unfortunately, as we see in the screenshots, when you’re configuring these settings on a SBS 2008 (non-R2) server, or any other 2008 non-R2 server, you cannot add power schemes for any OS other than Windows XP:

I also didn’t have any Server 2008 R2 Domain Controllers or Member Servers that I could adjust this Default Domain Policy on.

If I did, I could have simply added the Group Policy Management Console and gotten to editing the GPO, per the video below:

Thanks to Jeremy Moskowitz, by the way!

But again, I don’t have any R2-based servers on the network, so I can’t add a Vista+ Power Plan to the policy.



If you do have a Server 2008 DC or Member Server, please skip this next section and go right to Adding a Power Plan for Vista+

So, to add this new policy, I had to find at least a Windows 7 Domain Member machine that I could install the Group Policy Management Console on.  I located one, and logged on as a Domain Administrator.

Here’s what’s next:

First, you need to download the Remote Server Administration Tools (RSAT) for Windows 7 (select Win32 or x64 depending on your current Windows 7 OS type as found by checking the Properties of My Computer):


Next, go ahead and install the RSAT package you just downloaded.  You can skip the reboot for now.

Finally, you need to go to Control Panel > Programs and Features and click on the “Turn Windows features on or off” link.  Drill down through the feature list as shown until you can check the box next to “Group Policy Management Tools” and click OK:

Thanks to Jeremy Moskowitz’s video below:

You will indeed now have to reboot after installing this feature.

And hey… once you restart, log back in as a Domain Administrator, find the Group Policy Management console:

…and find your way back into editing the Default Domain Policy, you will find that which you seek:

Adding a Power Plan for Vista+

aka. Another Wonderful “Gotcha!”

After trying to add the Power Plan like the above screenshot, I discovered that you couldn’t set the timeouts to “Never,” you could only select a number of minutes.  Double lame!  Not wanting to set the number of minutes to “0” and having to cross my fingers in the hopes that the client machines didn’t take it literally and all go to sleep at the same time, I wanted to find out whether or not a “0” would equate to “Never” in the normal Power Plan settings:

On the Windows 7 machine that I installed the GPMC on, I added a new power plan from the Control Panel > Power Options:

I named it [CLIENT]-AlwaysOn… and proceeded to edit it to as many of the “Keep this computer running all the time” settings as I could find:

I then checked the properties of the Power Plan in the Default Domain Policy… and yes, a “0” is equivalent to “Never.”


(Having to always create the Power Plan on a 7 machine would have sucked!)

So, back to the policy creation… I created the Vista+ policy in both User Configuration and Computer Configuration… and just a tip to save you some time—you can copy-paste :-)

I then ran a GPUpdate /force on my test workstation… aaaand…

Windows XP: Great Success!

Windows Vista & 7: FAIL.

I could see that the new power policies (both the “CC” and “UC” ones I’d created earlier) showed up in the end users’ Control Panel > Power Options, but had no idea why the Vista/7 “Power Plan(s)” weren’t actually being set as active… I confirmed that I’d checked the box for “Set as the active power plan”… after Googling, I found this:

So… change both your “User Configuration” and “Computer Configuration” power plans to “Update” while making sure the “Set as active power plan” checkbox remains checked:

Run another GPUpdate /force and you should be in business:

There, I just saved you 8 hours of your life.  You can thank me later :-)

tag:briandagan.com,2013:Post/130295 2011-04-04T17:55:36Z 2013-10-08T15:48:48Z Tip: Comcast-Leased Modems: Verify DOCSIS Compatibility & EOL Status

I just had an interesting run-in with Comcast in lining up an appointment to fix my horribly intermittent Internet service.

I’d been paying $5/month to lease a modem for the past few years or so—and it turns out that the modem they’d been leasing me (a Terayon TJ715x http://mydeviceinfo.comcast.net/DisplayCMDevice.php?device=109) was only DOCSIS 2.0 compatible… which, in turn, means that the 16 Mbps service I was paying for was effectively limited by the modem to 12 Mbps.

I negotiated a credit for the modem rental fees and got the next 6 months for $29/month… but…

If you have Comcast and have anything over the 12 Mbps service level, you should probably check to see if your modem is DOCSIS 3.0 compatible… and if not, demand a credit and threaten to jump to Clear.  They’ll hook you up :-)

While you’re checking, you should also see if your leased modem has been end-of-lifed.  My Terayon was EOLed back in 2009 (!), which may be part of the issue.


Also, as a side note… if you schedule an appointment and receive a robocall an hour later stating, “Comcast has just fixed a service issue in your area, and it’s likely that this may have fixed the problems you were experiencing.  If you are no longer experiencing issues and would like to cancel your appointment, press 1,” do not cancel the appointment, even if things appear to be working.  I got burned on this on Sunday and a co-worker mentioned a similar experience.

tag:briandagan.com,2013:Post/130296 2011-03-30T17:13:42Z 2016-01-16T16:04:34Z Fix: Best Practices for Cleaning Up Superfluous Firewall Rules & NAT Policies on a SonicWALL NSA

I must first profess that I


I’m also a huge fan of the Public Server Wizard:

That being said, I will admit that when you use the Public Server Wizard to set up access to an externally-accessible resource, you can, over time, end up with a confusing litany of NAT Policies, Access Rules, Service Groups and Address Objects.  In some cases, I’ve seen instances where the previous Administrator has run the Public Server Wizard for each port that needed opened to the same internal resource.

Trust me, this will make your head hurt when you’re trying to parse “which policy/rule does what?”

You’ll end up looking at something like this, using the example of an Administrator that ran the Public Server Wizard to open ports 80, 443 and 25 to a SonicWALL E-Mail Security appliance:

6 Address Objects: E-Mail Security Public, Email Security Public, ES300 Public, E-Mail Security Private, Email Security Private, ES300 Private

3 Service Groups: E-Mail Security Services (contains HTTP(80) service), Email Security Services (contains HTTPS(443) service), ES300 Services (contains SMTP(25) service)

9 NAT Policies: Inbound, Outbound and Loopback policies for all Service Groups correlated to all Private & Public Address Objects

15 (potentially) Firewall Rules: WAN > LAN, LAN > WAN, LAN > LAN, VPN > LAN and LAN > VPN rules that correspond to the NAT policies

This is my usual reaction to seeing a configuration like the one above:

So, when I’m charged with cleaning this up, I generally do three things:

1) Swear profusely

2) Get caffeine

3) Back up the current configuration

4) Follow my time-tested best practices listed below

Here’s what I’ve found to be the fastest, most efficient way to clean up a mess like this:

1) In case you hadn’t already done so, back up the current settings:

    A) System > Settings > Export Settings

    B) Save the .exp file

    I also like to save the Tech Support Report:

    A) System > Diagnostics

    B) Check all boxes shown and hit Download Report:


    C) Save the report to a secure location (it contains unencrypted information)

2) Identify your duplicative or in-need-of-consolidation rules/policies/objects/groups (best done by perusing NAT Policies under Network > NAT Policies and selecting Custom Policies until you have a clearer understanding of what goes where and which rules/policies/objects/groups are redundant):


    Tip: Look for items with similar names/devices… like “E-Mail Security,” “Email Security” and “ES300”

3) Pick one good set of rules/policies/objects/groups and remember the prefix… per the earlier example, I’ve decided to keep the rules/policies/objects/groups with the “E-Mail Security” prefix, and I will eventually consolidate and ditch the “Email Security” and “ES300” prefixed rules/policies/objects/groups

4) Go to Network > Address Objects and make sure to select “Custom Address Objects”:


5) Locate and edit each of the Address Objects that have the prefixes that you are trying to eliminate (again, in this case, “Email Security” and “ES300”)… edit each Address Object where you see these prefixes… and add your own prefix called “FIX:”—this will help you easily identify which rules/policies/objects and groups will eventually be consolidated & removed:


    Now that all of the superfluous Address Objects have been marked, we’ll work on Services.

6) Go to Network > Services, and choose Custom Services:



7) Again, in this scenario, there are multiple Service Groups that were added by the Public Server Wizard that need to be consolidated… here’s the list: E-Mail Security Services (contains HTTP(80) service), Email Security Services (contains HTTPS(443) service), ES300 Services (contains SMTP(25) service)

    Since I’ve decided to keep items with the “E-Mail Security” prefix, I will:

    A) Re-name “Email Security Services” and “ES300 Services” to add the “FIX:” prefix

    B) Add the Services listed in the “FIX:” prefixed groups to the “E-Mail Security Services” group:


        Don’t forget this step!  If you fail to add all services to the “keeper” Service Group, things will break!

8) Go to Firewall > Access Rules and choose All Rules:


9) Go through all of the Firewall Rules and un-check any rules that have the “FIX:” prefix, making sure that anything with a name other than “Any” is prefixed with “FIX:”—if one of those rules has a Source, Destination or Service (other than “Any”) that is not prefixed with “FIX:”, then STOP and re-check your work... you must’ve missed renaming a Service Group or Address Object:


10) Test external connectivity to the key services/servers in question and verify that everything still works as needed:


11) If everything is still good, go ahead and delete the aforementioned Firewall Rules you just disabled:


12) Go back into Network > NAT Policies and select Custom Policies:


13) Do the same thing we did for the Firewall Rules… Go through all of the NAT Policies and un-check any policies that have the “FIX:” prefix, making sure that anything with a name other than “Any” is prefixed with “FIX:”—if one of those policies has an Original or Translated name (other than “Any”) that is not prefixed with “FIX:”, then STOP and re-check your work... you must’ve missed renaming a Service Group or Address Object:


14) Once again test external connectivity to the key services/servers in question and verify that everything still works as needed:


15) If everything is still good, go ahead and delete the aforementioned NAT Policies you just disabled:


16) Go back to Network > Address Objects and make sure to select “Custom Address Objects”:



    …and then delete any Address Objects with the “FIX:” prefix:


17) Go back to Network > Services, and choose Custom Services:


    …and then delete any Service Groups with the “FIX:” prefix:


18) It’s time to back up the modified settings one last time:

    A) System > Settings > Export Settings

    B) Save the .exp file

    I also like to save the Tech Support Report:

    A) System > Diagnostics

    B) Check all boxes shown and hit Download Report:


    C) Save the report to a secure location (it contains unencrypted information)

…and you’re done!

As you can see, this is a huge pain to clean up duplicative rules/policies/objects/groups, so—going forward—always follow the one rule that would have prevented this whole mess in the first place:

If you already have a hole punched through the firewall for the server/appliance, please just modify the existing rules/policies/objects/groups as opposed to re-running the Public Server Wizard.

You’ll save yourself and others a major headache later on down the road.

tag:briandagan.com,2013:Post/130298 2011-03-25T16:28:35Z 2013-10-08T15:48:48Z Fix: AD Account Keeps Getting Locked Out & Specifying Credentials in DHCP for Dynamic DNS Registration

This was an odd one… we had an account at a client that kept getting locked out and we couldn’t figure out why.

We followed the standard steps to enable Security Auditing for Failure events (which you too can follow if you find that an account is being locked out and Failure Auditing is not enabled (it’s not enabled by default)):

1) Hop onto a Domain Controller

2) Start > Programs > Administrative Tools > Domain Controller Security Policy

3) Match the settings below:


4) If you’re feeling frisky, you can force a replication between AD DCs in Active Directory Sites & Services… otherwise, just go get some coffee and wait a bit

5) Start checking the Event Viewer (Start > Run > eventvwr.msc) Security logs for “Failure Audit” events… you can set up a filter if you’d like by going to View > Filter and un-checking everything except for “Failure audit” and using an Event ID of 675:


6) Look for event 675s for the account in question… you should see the IP address of the client machine that’s trying to authenticate and failing:


If you don’t see any Failure Audits in the Security log of one Domain Controller, try another one!  If the account that’s being locked out is a domain account, it will show up in the Security logs on at least one Domain Controller.

You don’t even have to leave the Domain Controller that you’re on… just right-click “Event Viewer (Local)” and choose “Connect to another computer…” and put in the name of the other Domain Controller(s), searching the Security logs one Domain Controller at a time:

As you can see from the example, we’ve noted that “the call was coming from inside the house” in regards to the failed authentication attempts.  Here’s the full event:

Event Type: Failure Audit
Event Source:     Security
Event Category:   Account Logon
Event ID:   675
Date:       3/24/2011
Time:       [Redacted]
Computer:   [Redacted]

Pre-authentication failed:
      User Name:  admin-[Redacted]
      User ID:          [Redacted]
      Service Name:     krbtgt/[Redacted]
      Pre-Authentication Type:      0x2
      Failure Code:     0x12
      Client Address:

…but we couldn’t find any Services, Scheduled Tasks or interactive processes (through Task Manager) that were running with the credentials in question.  Normally, at this point, you would have at least found something that would point you in the right direction—but we couldn’t find anything using the credentials that kept getting locked out.
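As an added example (not part of the original post), the following Python parser tallies Event ID 675 failures per client address for one account, so exports from several Domain Controllers can be compared side by side. The sample records are constructed, the blank-line-separated export layout is an assumption, and the failure-code meanings come from RFC 4120.

```python
import re
from collections import Counter

# Kerberos error codes from RFC 4120; 0x12 is the code in the event shown above.
FAILURE_CODES = {
    0x06: "client not found in Kerberos database",
    0x12: "client credentials revoked (account disabled, expired or locked out)",
    0x17: "password has expired",
    0x18: "pre-authentication failed (usually a bad password)",
    0x25: "clock skew too great",
}
FIELD = re.compile(r"^[ \t]*(User Name|Failure Code|Client Address):[ \t]*(.*?)[ \t]*$", re.M)

def _event(event_id, user, code, client):
    """Render one constructed record using the field labels from the page's event."""
    return (f"Event ID:   {event_id}\n      User Name:  {user}\n"
            f"      Failure Code:     {code}\n      Client Address:   {client}\n")

# Constructed sample export (documentation addresses); records separated by blank lines.
SAMPLE_EXPORT = "\n".join([
    _event(675, "admin-example", "0x18", "192.0.2.10"),
    _event(675, "admin-example", "0x18", "192.0.2.10"),
    _event(675, "admin-example", "0x12", "192.0.2.10"),
    _event(672, "admin-example", "0x0", "192.0.2.10"),   # not a 675: must be skipped
    _event(675, "jdoe", "0x18", "192.0.2.44"),
    _event(675, "Admin-Example", "0x12", ""),            # blank client address
])

def parse_events(text):
    """Return one dict per Event ID 675 record found in a text export."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        if not re.search(r"^Event ID:\s*675\s*$", chunk, re.M):
            continue
        f = dict(FIELD.findall(chunk))
        code = int(f.get("Failure Code") or "0x0", 16)
        events.append({"user": f.get("User Name", ""), "code": code,
                       "client": f.get("Client Address") or "(blank)",
                       "reason": FAILURE_CODES.get(code, "other (see RFC 4120)")})
    return events

def lockout_sources(events, user):
    """Count failures per (client address, reason) for one account, most frequent first."""
    hits = Counter((e["client"], e["reason"]) for e in events
                   if e["user"].lower() == user.lower())
    return hits.most_common()

if __name__ == "__main__":
    for (client, reason), n in lockout_sources(parse_events(SAMPLE_EXPORT), "admin-example"):
        print(f"{n:3d}  {client:<12}  {reason}")
```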

That’s when we found an Experts Exchange article where someone had mentioned checking “DHCP credentials for DNS dynamic registration.”  Further researching this, we discovered where to set these credentials:

Whoa… whoa… wait a sec here… why would you need to set credentials for the DHCP server to process DNS dynamic registrations?

Full explanation of how to set the credentials here:  http://technet.microsoft.com/en-us/library/cc774834%28WS.10%29.aspx and http://support.microsoft.com/kb/282001

But that still doesn’t explain WHY this would be set this way?!

I mean, seriously… 99.999% of our customers running Windows Server DHCP don’t have this option set!  And sure, they get the occasional 1056 error in their System event log (after every reboot or whenever the DHCP Server service starts up)…

…but why should we worry about this?

From Microsoft KB 282001 http://support.microsoft.com/kb/282001:

The DHCP Server service runs under the domain controller's computer account and therefore has full control of all DNS objects. As a result, DNS records that you have dynamically registered with DNS are susceptible to having their name records overwritten by an earlier version of DHCP Client. This behavior may be undesirable, especially if you have configured the DNS zone for Secure Updates only. By using the DNSCredentials parameter, you can run the DHCP Server service under a specified user account that does not have the ability to overwrite the DNS records.

Microsoft strongly recommends the use of DNSCredentials when you are running the DHCP Server service and DNS services on the same domain controller to ensure the integrity of Secure Dynamic Updates. If you do not use DNSCredentials, Microsoft recommends that you run the services on different computers.

Though I get the gist of what they’re saying here, it was still pretty unclear as to what the tangible security impact would be.  I then stumbled across this post from Shilpesh Desai (a Microsoft employee) posted here: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/1515eca4-8716-4360-9d40-383145c528ff/ (clipped, emphasis added)

1. "Always dynamically update DNS A and PTR records" - Which means we are asking DHCP to register DNS records on behalf of client machines. As we run DHCP on DC, DHCP will not register records in DNS unless we set credentials (standard user credentials). You can create one user and use his credentials for DNS registration, you don't need to use Admin accounts.

2. instead of above option you can use another option "Dynamically update A and PTR records only if requested by DHCP client machines". If we select this option, client will register A records  and DHCP will register PTR records. We need to set credentials for registering PTR records.

We need to use one of above two options.

3. Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0) - This option can be selected if we have network printers/Downlevel clients (95/98/NT) or third party OS who doesn't have functionality of DDNS. If we uncheck them, mentioned clients will be unable to register themselves with DNS.

It's very difficult to crack DC directly as when we prompt server to DC, it enables lot of security. DHCP server mostly interact with clients directly and reason it will be good chance hacker will try to exploit it with malicious discover packet to duplicate IP request, get details about network IP range, etc. He can even use DHCP server service to act as proxy for run remote execution of malicious codes.

If we are using encrypted traffic on network, unknown users will be unable to track what traffic we are going through wire.

So, in simpler terms… the as-yet-to-be-determined-where-the-heck-it-is-setting (Hey, look… here it is!  http://support.microsoft.com/kb/816592 (it’s in the DHCP Server or DHCP Scope properties on the DNS tab)) can be updated as follows:

**All of the settings shown above are the defaults for DHCP servers**

“Dynamically update DNS A and PTR records only if requested by the DHCP clients” – default setting – does not require credentials to be set unless the machine requesting the DHCP lease does not request DNS registration, in which case, credentials would be required to allow DHCP to update DNS; however, only clients of the 95/98/NT generation will not request DNS registration

The 2nd highlighted checkbox almost seems redundant, but gets at the same end result.

The Bottom Line

As long as you don’t have any 95/98 or NT machines on the network, you do not need to specify credentials for DHCP DNS dynamic registration, and you can safely ignore the error.  If credentials are present, you can remove them without adverse security impact.

Note: I don’t want to get into a huge security argument here… there may still be a small chance that this configuration could cause a problem from a security perspective; however, from a practicality perspective, the hacker would need physical or wireless access to the internal network… at which point, you’ve got bigger problems to deal with.  I suspect that this would be at the very-very-very-bottom of the “penetration test list of things to try” anyway.  Again though, as long as perimeter & wireless security is intact, there’s really nothing to worry about.

Anyway, here’s where to check which credentials are being used:

For Server 2000 & 2003, you need to open your DHCP server configuration snap-in (Start > Programs > Administrative Tools > DHCP):

1)  Right-click on the server name and go to Properties:


2) Click on the Advanced tab, and hit the “Credentials” button for “DNS dynamic updates registration credentials”:


For Server 2008, they’ve actually removed the “Credentials” button under DHCP > right-click [Server Name] > Properties > Advanced tab… but you can check this via the command line.

1) On the DHCP server, you must run cmd as an Administrator (note that it’s not enough simply to be logged on as a Domain Administrator if UAC is enabled):


2) Run the command as follows:

    netsh dhcp server show dnscredentials


3) If these credentials are not blank, you can zero them out by running the following command:

    netsh dhcp server delete dnscredentials dhcpfullforce


This will stop your account from getting locked out, but will result in the occasional 1056 error mentioned earlier (again, not a big deal).