Microsoft have released a new tool to manage local Administrator account passwords for domain joined machines. The solution automatically creates and manages the password on each managed computer so that it is unique, randomly generated and securely stored in Active Directory. ACLs are then used to allow access to view the password.
I’m often asked what the System Management container in Active Directory is used for. SCCM can use this container to store a small amount of configuration data for clients (or at least clients that are attempting an installation) can retrieve and use.
Configuration that is commonly stored in this container includes:
Client computer installation and site assignment (eg installation properties like management points, client cache size)
Port configuration for client-to-server communication
Network Access Protection (validate a client’s statement of health)
Content deployment scenarios (eg if you plan to create content at a primary site and deploy that content to a secondary site below a different primary site, you can use the container to obtain the source primary site’s public key)
Site Servers will only write their information into the System Management container in their OWN domain
SCCM clients will query a global catalog to retrieve this information, so as long as they are in the same AD forest then they can query information from all domains, not just their own
The System Management container needs to be created manually, it isn’t done by the SCCM setup process
Permissions must be set manually on the System Management container. The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects.
There are a number of ways for users to have photos in Lync 2010 but my preference is to store them in Active Directory because they can then be reused by Sharepoint, Exchange / Outlook and other applications.
This is a quick post about the easiest and cheapest way I have found to do this. I’m assuming that you already have your user photos.
Firstly, obtain and install Picture Resizer from here. I used the following options “-o -f96x96 -q100”. This meant that I can easily right-click on a user photo and have it resized to 96 x 96 while maintaining photo quality. This still results in image size reduction, which we are aiming to have well under 30KB to avoid bloating the AD database.
Next, install a piece of software by a guy named OliD that extends the Active Directory Users and Computers MMC with two tabs on the user properties page – from here. Read the installation instructions can be found in the .zip file.
Once installed you will have a Photo tab in ADUC. Select your newly resized photos and add them to to the thumbnail section.
Microsoft’s definition of SIDMap.wsf is : It uses the same disabled user account in the resource forest to enable users for Office Communications Server. To provide single sign-in, the primary user account must also be mapped to the disabled user account in the resource forest for Office Communications Server. This tool performs the mapping.
This script is part of the Office Communications Server 2007 Resource Kit and basically will syncronize the msExchMasterAccountSid attibute to the msRTCSIP-OriginatorSid attribute on the SIP-enabled disabled user account.
I’ve made some improvements to the script to add a log file and also provide some feedback to the user so they know it has worked. I’ve create a batch file that can be put on a server and run by the support team. This is outlined in attribute_sync.bat below and then the modified SIDMap.wsf is included too.
REM ** This script copies the value in the msExchMasterAccountSid attibute to the msRTCSIP-OriginatorSid attribute
REM ** for every disabled user that is SIP enabled in the 'Testing' OU
REM ** www.danovich.com.au
for /f "tokens=1* delims= " %%a in ('date/t') do set dayname=%%a
for /f "tokens=1* delims= " %%a in ('date/t') do set mmddyyyy=%%a
for /f "tokens=1* delims=/" %%a in ('echo %mmddyyyy%') do set day=%%a
for /f "tokens=2* delims=/" %%a in ('echo %mmddyyyy%') do set month=%%a
for /f "tokens=3* delims=/" %%a in ('echo %mmddyyyy%') do set year=%%a
for /f "tokens=1* delims=:" %%a in ('echo %time%') do set hour=%%a
for /f "tokens=2* delims=:" %%a in ('echo %time%') do set mins=%%a
for /f "tokens=3* delims=:" %%a in ('echo %time%') do set sec=%%a
for /f "tokens=1* delims=." %%a in ('echo %sec%') do set secs=%%a
for /f "tokens=2* delims=." %%a in ('echo %sec%') do set mili=%%a
wscript //h:cscript //B
cd "C:Program FilesMicrosoft Office Communications Server 2007 R2ResKitLcsSync"
SIDMap.wsf /OU:OU=OU=Testing,DC=danovich,DC=com /logfile:C:LogsOCS-%username%-%day%-%month%-%year%-%hour%.%mins%.%secs%.log
<?xml version="1.0" ?>
<job id="Main" prompt="no">
<?job debug="true" error="true" ?>
helpstring="The Active Directory DN of the organizational unit to search under"
helpstring="Generates a list of disabled users that are mailbox and SIP enabled and associated with an external account"
helpstring="Text file used to log the output."
<script id="VBScript_Block" language="VBScript">
' Initialize variables
Set WshShell = CreateObject("WScript.Shell")
const ForWriting = 2
intCount = 0
bQuery = False
On Error Resume Next 'Force continuation on errors when initializing globals
' Retrieve command-line arguments
' Check whether an OU is provided.
if WScript.Arguments.Named.Exists("OU") then
strNamingContext = "LDAP://" & WScript.Arguments.Named("OU")
Set objRootDSE = GetObject("LDAP://rootDSE")
strNamingContext = "LDAP://" & objRootDSE.Get("defaultNamingContext")
' Check whether the user only wants to query the AD.
if WScript.Arguments.Named.Exists("query") then
' Query only all disabled users that are mailbox and SIP enabled.
bQuery = True
' Check whether logging to a file is required.
if WScript.Arguments.Named.Exists("logfile") then
strLogFile = WScript.Arguments.Named("logfile")
Set fso = CreateObject("Scripting.FileSystemObject")
Set objLogFile = fso.OpenTextFile(strLogFile, ForWriting, True)
objLogFile.WriteLine("List of disabled users associated with an external account and SIP enabled:")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
' Create connection to AD.
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' Define AD query.
' Search for disabled user accounts that are SIP enabled and mailbox enabled.
objCommand.CommandText = _
"<" & strNamingContext & ">;" & _
"(&(objectCategory=person)(objectClass=user)(msRTCSIP-UserEnabled=TRUE)(msExchMasterAccountSid=*)(userAccountControl:1.2.840.113522.214.171.1243:=2));" & _
' Disable caching to reduce memory consumption for very large result sets.
objCommand.Properties("Cache Results") = FALSE
' Define the maximum page size.
objCommand.Properties("Page Size") = 1000
' Execute query.
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
WScript.Echo("Failed to query Active Directory " & strNamingContext)
WshShell.Popup "Failed to query Active Directory", ," Attribute sync failed ", 16
While Not objRecordset.EOF
intCount = intCount + 1
if IsObject(objLogFile) then
if bQuery = False then
' Set the msRTCSIP-OriginatorSid attribute.
Set objContact = GetObject(objRecordset.Fields("ADsPath"))
strExchSid = objRecordset.Fields("msExchMasterAccountSid").Value
objContact.Put "msRTCSIP-OriginatorSid", strExchSid
If Err.Number <> 0 Then
if IsObject(objLogFile) then
objLogFile.WriteLine("Failed to set msRTCSIP-OriginatorSid attribute " & _
WScript.Echo("Failed to set msRTCSIP-OriginatorSid attribute " & _
WshShell.Popup "Failed to set msRTCSIP-OriginatorSid attribute", ," Attribute sync failed ", 16
WshShell.Popup "Attribute sync has been successful for " & intCount & " users in the following OU:" & vbCrLf & vbCrLf & strNamingContext & vbCrLf & vbCrLf & "Log file is located at " & strLogFile, ," Attribute sync successful ", 64
WScript.Echo "Attribute sync has been successful for " & intCount & " users in the " & strNamingContext & " OU "
if IsObject(objLogFile) then
objLogFile.WriteLine(vbNewLine & intCount & " disabled users.")