May 4 2015

Microsoft Local Administrator Password Solution




Microsoft have released a new tool to manage the local Administrator account password on domain-joined machines. LAPS sets a unique, randomly generated password on each managed computer, rotates it on a schedule, and stores it in Active Directory on the computer object itself: the password in the confidential attribute ms-Mcs-AdmPwd and the rotation deadline in ms-Mcs-AdmPwdExpirationTime. The computer account is granted write access to its own entry, and read access is delegated through ACLs to the administrators who need it. This closes off the common situation where one shared local Administrator password is baked into every workstation image, so that compromising a single machine yields a credential that is valid on all of them. Note that the password is stored in cleartext, so the ACL on that attribute (including anyone who already holds "All extended rights" on the OU, which implicitly covers reading confidential attributes) is the whole control over disclosure.

More info:

The tool is free!

Microsoft Security Advisory 3062591 – Local Administrator Password Solution (LAPS) Now Available
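The delegation, audit and retrieval steps described above, as an added PowerShell example that is not part of the original post and not Microsoft's own sample code. It assumes the LAPS schema extension has already been applied, that the AdmPwd.PS module installed with LAPS and the ActiveDirectory RSAT module are present, and that the OU, group and computer names (which are placeholders) exist in your domain.

```powershell
# Added example, not from the original post or from the LAPS documentation.
# Assumes: LAPS schema extended, AdmPwd.PS and ActiveDirectory modules available.
# The OU, group and computer names below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'      # placeholder OU

# 1. Let the computers in the OU write their own password and expiry time (SELF write).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Delegate read (and reset) rights to a dedicated group rather than to individual
#    admins, so the delegation can be audited and revoked in one place.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Readers'
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Readers'

# 3. Audit who can actually read the passwords. Find-AdmPwdExtendedRights lists every
#    principal holding "All extended rights" on the OU tree; that right implicitly
#    includes reading the confidential ms-Mcs-AdmPwd attribute, so pre-existing broad
#    delegations (help-desk groups, server teams) show up here even though they were
#    never explicitly given LAPS rights.
Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers |
    ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            [pscustomobject]@{ ObjectDN = $_.ObjectDN; Principal = $holder }
        }
    } | Sort-Object Principal -Unique

# 4. Retrieve a password (what a help-desk reader does) ...
Get-AdmPwdPassword -ComputerName 'WS-0001' |
    Select-Object ComputerName, DistinguishedName, ExpirationTimestamp, Password

# ... and force a rotation on the next Group Policy refresh once the session is over,
#     so the password that was just disclosed does not stay valid until normal expiry.
Reset-AdmPwdPassword -ComputerName 'WS-0001' -WhenEffective (Get-Date)

# 5. The raw attributes the cmdlets wrap: the password is cleartext in ms-Mcs-AdmPwd and
#    the expiry is a FILETIME. Only the attribute's confidential flag plus the ACL protect it.
Get-ADComputer -Identity 'WS-0001' -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name,
        @{ n = 'Password'; e = { $_.'ms-Mcs-AdmPwd' } },
        @{ n = 'Expires';  e = { [DateTime]::FromFileTime([int64]$_.'ms-Mcs-AdmPwdExpirationTime') } }
```

Step 3 is the one worth running before rolling LAPS out: the cmdlets only add rights, they do not take away the implicit read that existing "All extended rights" holders already have, so that list is the real set of people who can pull local admin passwords.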




June 22 2013

The System Management container

I’m often asked what the System Management container in Active Directory is used for. SCCM uses this container to publish a small amount of site configuration data that clients (or at least clients that are attempting an installation) can retrieve and use.

Configuration that is commonly stored in this container includes:

  • Client computer installation and site assignment (eg installation properties like management points, client cache size)
  • Port configuration for client-to-server communication
  • Network Access Protection (validate a client’s statement of health)
  • Content deployment scenarios (eg if you plan to create content at a primary site and deploy that content to a secondary site below a different primary site, you can use the container to obtain the source primary site’s public key)

A full list and much more detail is available from http://technet.microsoft.com/en-us/library/gg712272

Important information worth noting:

  • Site Servers will only write their information into the System Management container in their OWN domain
  • SCCM clients will query a global catalog to retrieve this information, so as long as they are in the same AD forest then they can query information from all domains, not just their own
  • The System Management container needs to be created manually, it isn’t done by the SCCM setup process
  • Permissions must be set manually on the System Management container. The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects.
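The manual steps above (create the container, grant the site server computer accounts Full Control on it and its descendants) as an added PowerShell example; this is not from the original post or from the ConfigMgr documentation. It assumes the ActiveDirectory RSAT module is available, that the account running it can create objects under CN=System and edit their ACLs, and that the site server computer names (placeholders here) exist.

```powershell
# Added example, not from the original post or from Microsoft's ConfigMgr documentation.
# Assumes: ActiveDirectory module, rights to create objects under CN=System and edit ACLs.
# Site server names are placeholders.
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName
$containerDn = "CN=System Management,CN=System,$domainDn"
$siteServers = @('CM-PRIMARY01', 'CM-SECONDARY01')    # placeholder computer names

# 1. Create the container once; ConfigMgr setup does not do it for you.
$existing = Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase "CN=System,$domainDn" -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Type container -Name 'System Management' -Path "CN=System,$domainDn"
}

# 2. Grant each site server's computer account Full Control on the container and all
#    descendant objects (GenericAll with inheritance All), which is what ConfigMgr needs
#    to publish and later update its objects.
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$containerDn"
foreach ($server in $siteServers) {
    $sid  = (Get-ADComputer -Identity $server).SID
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList (
        $sid,
        $fullControl,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# 3. Check: list every principal holding Full Control here. Only the site server
#    accounts plus the default Domain Admins / SYSTEM entries should appear. Anything
#    else can rewrite the management point records that clients trust at install time.
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited

# 4. What the site servers have published so far (management points, site objects,
#    boundary ranges). An empty result after the site has been up for a while usually
#    means the ACL above is wrong or the site is not set to publish to AD.
Get-ADObject -SearchBase $containerDn -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=mSSMSManagementPoint)(objectClass=mSSMSSite)(objectClass=mSSMSRoamingBoundaryRange))' `
    -Properties mSSMSSiteCode, dNSHostName |
    Select-Object Name, ObjectClass, mSSMSSiteCode, dNSHostName
```

Because clients read these objects from a global catalog and act on them before they have any other trust relationship with the site, the set of accounts that can write here deserves the same review as any other bootstrap trust point; step 3 is the check for that.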

 

December 31 2010

Adding photos in Lync 2010

There are a number of ways for users to have photos in Lync 2010 but my preference is to store them in Active Directory because they can then be reused by Sharepoint, Exchange / Outlook and other applications.

This is a quick post about the easiest and cheapest way I have found to do this. I’m assuming that you already have your user photos.

Firstly, obtain and install Picture Resizer from here. I used the options “-o -f96x96 -q100”. This means I can right-click a user photo and have it resized to 96 x 96 while keeping the photo quality. Resizing also shrinks the file, which we want well under 30KB so that the photos do not bloat the AD database (they end up in the thumbnailPhoto attribute of each user object, which is replicated to every domain controller in the domain).


Right-click resize to 96 x 96


Next, install a piece of software by a guy named OliD that extends the Active Directory Users and Computers MMC snap-in with two tabs on the user properties page, available from here. Installation instructions are in the .zip file.

Once installed you will have a Photo tab in ADUC. Select your newly resized photos and add them to the thumbnail (thumbnailPhoto) section.


Photo tab


More useful info here and here.
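The same result (photo scaled to 96 x 96, kept small, written into thumbnailPhoto) as an added PowerShell example without the two third-party tools; this is not code from the original post, from Picture Resizer, or from the OliD ADUC extension. It assumes Windows PowerShell with System.Drawing and the ActiveDirectory RSAT module, that the photo files are named after the user's sAMAccountName, and that the caller has write access to thumbnailPhoto on the target users. The photo folder path is a placeholder.

```powershell
# Added example, not from the original post or the tools it uses.
# Assumes: Windows PowerShell with System.Drawing, ActiveDirectory module, write access to
# thumbnailPhoto, and photo files named <sAMAccountName>.jpg in the placeholder folder.
Add-Type -AssemblyName System.Drawing
Import-Module ActiveDirectory

function ConvertTo-AdThumbnail {
    # Loads an image, scales it to $Size x $Size, re-encodes it as JPEG and returns the bytes.
    # Decoding through GDI+ first also confirms the file really is an image before any
    # bytes are written into the directory.
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Size = 96,
        [long]$Quality = 90
    )
    $source = [System.Drawing.Image]::FromFile($Path)
    try {
        $bitmap = New-Object -TypeName System.Drawing.Bitmap -ArgumentList $Size, $Size
        $g = [System.Drawing.Graphics]::FromImage($bitmap)
        $g.InterpolationMode = [System.Drawing.Drawing2D.InterpolationMode]::HighQualityBicubic
        $g.DrawImage($source, 0, 0, $Size, $Size)
        $g.Dispose()

        $codec  = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() |
                  Where-Object { $_.MimeType -eq 'image/jpeg' }
        $params = New-Object -TypeName System.Drawing.Imaging.EncoderParameters -ArgumentList 1
        $params.Param[0] = New-Object -TypeName System.Drawing.Imaging.EncoderParameter `
                               -ArgumentList ([System.Drawing.Imaging.Encoder]::Quality), $Quality
        $stream = New-Object -TypeName System.IO.MemoryStream
        $bitmap.Save($stream, $codec, $params)
        return $stream.ToArray()
    }
    finally {
        $source.Dispose()
    }
}

# Upper bound for what we will store; comfortably under the post's 30KB target.
$maxBytes = 10KB

Get-ChildItem -Path 'C:\Photos\*.jpg' | ForEach-Object {     # placeholder folder
    $sam   = $_.BaseName                                      # assumption: <sAMAccountName>.jpg
    $bytes = ConvertTo-AdThumbnail -Path $_.FullName
    if ($bytes.Length -gt $maxBytes) {
        # Trade quality for size before giving up on the user.
        $bytes = ConvertTo-AdThumbnail -Path $_.FullName -Quality 70
    }
    if ($bytes.Length -gt $maxBytes) {
        Write-Warning "$sam : thumbnail is still $($bytes.Length) bytes, not written"
        return
    }
    # -Replace overwrites any existing photo; -Clear thumbnailPhoto would remove it.
    Set-ADUser -Identity $sam -Replace @{ thumbnailPhoto = $bytes }
    Write-Verbose "$sam : wrote $($bytes.Length) bytes" -Verbose
}

# Check: who now has a photo, and how large each one is.
Get-ADUser -Filter 'thumbnailPhoto -like "*"' -Properties thumbnailPhoto |
    Select-Object SamAccountName, @{ n = 'PhotoBytes'; e = { $_.thumbnailPhoto.Length } }
```

The size cap is the important bit: thumbnailPhoto is read by every authenticated user and replicated everywhere, so a few oversized images multiplied across a large domain is real replication and database cost, not just a cosmetic problem.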
 
 

November 5 2009

Improving the SIDMap.wsf script for OCS attribute synchronization

Microsoft’s definition of SIDMap.wsf is: “It uses the same disabled user account in the resource forest to enable users for Office Communications Server. To provide single sign-in, the primary user account must also be mapped to the disabled user account in the resource forest for Office Communications Server. This tool performs the mapping.”

This script is part of the Office Communications Server 2007 Resource Kit and basically synchronizes the msExchMasterAccountSid attribute to the msRTCSIP-OriginatorSid attribute on the SIP-enabled disabled user account.

I’ve made some improvements to the script to add a log file and also provide some feedback to the user so they know it has worked. I’ve created a batch file that can be put on a server and run by the support team. This is shown in attribute_sync.bat below, followed by the modified SIDMap.wsf.

attribute_sync.bat

@echo off
REM **   This script copies the value in the msExchMasterAccountSid attribute to the msRTCSIP-OriginatorSid attribute
REM **   for every disabled user that is SIP enabled in the 'Testing' OU
REM **   www.danovich.com.au

REM Build a locale-independent timestamp (yyyyMMddHHmmss) for the log file name.
REM Parsing DATE /T and %TIME% breaks as soon as the date format or separators change.
for /f "skip=1 tokens=1" %%a in ('wmic os get localdatetime') do if not defined ldt set ldt=%%a
set year=%ldt:~0,4%
set month=%ldt:~4,2%
set day=%ldt:~6,2%
set hour=%ldt:~8,2%
set mins=%ldt:~10,2%
set secs=%ldt:~12,2%

REM Make sure the log folder exists, then run the script under cscript explicitly so
REM the output goes to the console and the machine's default script host is not changed.
if not exist "C:\Logs" mkdir "C:\Logs"
c:
cd "C:\Program Files\Microsoft Office Communications Server 2007 R2\ResKit\LcsSync"
cscript //nologo SIDMap.wsf /OU:OU=Testing,DC=danovich,DC=com /logfile:C:\Logs\OCS-%username%-%day%-%month%-%year%-%hour%.%mins%.%secs%.log

SIDMap.wsf

<?xml version="1.0" ?>
<package>
<job id="Main" prompt="no">
<?job debug="true" error="true" ?>
<runtime>
  <named
    name="OU"
    helpstring="The Active Directory DN of the organizational unit to search under"
    many="false"
    type="string"
    required="false"
  />
  <named
    name="query"
    helpstring="Generates a list of disabled users that are mailbox and SIP enabled and associated with an external account"
    type="simple"
    required="false"
  />
  <named
    name="logfile"
    helpstring="Text file used to log the output."
    type="string"
    required="false"
  />
</runtime>
<script id="VBScript_Block" language="VBScript">
<![CDATA[
' Initialize variables
Set WshShell = CreateObject("WScript.Shell")
Const ForWriting = 2
intCount = 0        ' users found by the query
intFailed = 0       ' users where the attribute write failed
bQuery = False
strLogFile = ""
On Error Resume Next 'Force continuation on errors when initializing globals

' Retrieve command-line arguments
' Check whether an OU is provided; otherwise search the whole domain.
If WScript.Arguments.Named.Exists("OU") Then
    strNamingContext = "LDAP://" & WScript.Arguments.Named("OU")
Else
    Set objRootDSE = GetObject("LDAP://rootDSE")
    strNamingContext = "LDAP://" & objRootDSE.Get("defaultNamingContext")
End If

' Check whether the user only wants to query the AD (report only, no writes).
If WScript.Arguments.Named.Exists("query") Then
    bQuery = True
End If

' Check whether logging to a file is required.
If WScript.Arguments.Named.Exists("logfile") Then
    strLogFile = WScript.Arguments.Named("logfile")
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objLogFile = fso.OpenTextFile(strLogFile, ForWriting, True)
    If Err.Number <> 0 Then
        WshShell.Popup "Could not open log file " & strLogFile, , " Attribute sync failed ", 16
        WScript.Quit(Err.Number)
    End If
    objLogFile.WriteLine("List of disabled users associated with an external account and SIP enabled:")
End If

' Create connection to AD.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Define AD query.
' Search for disabled user accounts (userAccountControl bit 2) that are SIP enabled
' and linked to an external account through msExchMasterAccountSid.
objCommand.CommandText = _
    "<" & strNamingContext & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(msRTCSIP-UserEnabled=TRUE)(msExchMasterAccountSid=*)(userAccountControl:1.2.840.113556.1.4.803:=2));" & _
    "ADsPath,cn,msRTCSIP-PrimaryUserAddress,msExchMasterAccountSid,msRTCSIP-OriginatorSid;subtree"
' Disable caching to reduce memory consumption for very large result sets.
objCommand.Properties("Cache Results") = False
' Define the maximum page size.
objCommand.Properties("Page Size") = 1000

' Execute query.
Err.Clear
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
    WScript.Echo("Failed to query Active Directory " & strNamingContext)
    WshShell.Popup "Failed to query Active Directory " & strNamingContext, , " Attribute sync failed ", 16
    WScript.Quit(Err.Number)
End If

While Not objRecordSet.EOF
    intCount = intCount + 1
    If IsObject(objLogFile) Then
        objLogFile.WriteLine(objRecordSet.Fields("cn").Value)
    Else
        WScript.Echo(objRecordSet.Fields("cn").Value)
    End If
    If bQuery = False Then
        ' Copy msExchMasterAccountSid into msRTCSIP-OriginatorSid.
        ' Clear any earlier error first: with On Error Resume Next a stale Err.Number
        ' from a previous user would otherwise be reported again for every later user.
        Err.Clear
        Set objUser = GetObject(objRecordSet.Fields("ADsPath"))
        strExchSid = objRecordSet.Fields("msExchMasterAccountSid").Value
        objUser.Put "msRTCSIP-OriginatorSid", strExchSid
        objUser.SetInfo
        If Err.Number <> 0 Then
            intFailed = intFailed + 1
            strMsg = "Failed to set msRTCSIP-OriginatorSid attribute on " & objRecordSet.Fields("cn").Value & _
                     ": error " & Err.Number & " " & Err.Description
            If IsObject(objLogFile) Then
                objLogFile.WriteLine(strMsg)
            End If
            WScript.Echo(strMsg)
        End If
    End If
    objRecordSet.MoveNext
Wend

' Summary: only claim success when every write succeeded.
strSummary = "Attribute sync processed " & intCount & " users in " & strNamingContext
If intFailed > 0 Then
    strSummary = strSummary & vbCrLf & intFailed & " users FAILED to update. Check the log."
End If
If strLogFile <> "" Then
    strSummary = strSummary & vbCrLf & vbCrLf & "Log file is located at " & strLogFile
End If
WScript.Echo strSummary
If intFailed > 0 Then
    WshShell.Popup strSummary, , " Attribute sync completed with errors ", 48
Else
    WshShell.Popup strSummary, , " Attribute sync successful ", 64
End If

If IsObject(objLogFile) Then
    objLogFile.WriteLine(vbNewLine & intCount & " disabled users, " & intFailed & " failures.")
    objLogFile.Close
End If
objConnection.Close
]]>
</script>
</job>
</package>
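The same mapping as an added PowerShell example, not part of the original post and not Microsoft's SIDMap.wsf. Beyond copying the attribute, it reports the state of every linked account first (InSync, Missing or Mismatch), because a resource-forest account whose msRTCSIP-OriginatorSid points at a different SID than its msExchMasterAccountSid signs in to OCS as one identity and to the mailbox as another, and that is the case worth finding before anything is written. It assumes the ActiveDirectory RSAT module, that the account running it can write msRTCSIP-OriginatorSid, and that the OU (a placeholder) exists; the write passes the SecurityIdentifier object back through Set-ADUser -Replace, so run it with -WhatIf first.

```powershell
# Added example, not from the original post and not Microsoft's SIDMap.wsf.
# Assumes: ActiveDirectory module, write access to msRTCSIP-OriginatorSid, placeholder OU.
Import-Module ActiveDirectory

function ConvertTo-Sid {
    # Normalises the forms a SID-syntax attribute may come back in (SecurityIdentifier,
    # raw bytes, or an S-1-5-... string) to a SecurityIdentifier, or $null if absent.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    if ($Value -is [byte[]]) { return New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Value, 0 }
    return New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ([string]$Value)
}

function Get-OcsSidMappingState {
    # One object per SIP-enabled, disabled, linked user under $SearchBase, with
    # State = InSync | Missing | Mismatch.
    param([Parameter(Mandatory)][string]$SearchBase)

    # Same filter the resource-kit script uses: disabled (UAC bit 2), SIP enabled,
    # and carrying a master account SID from the account forest.
    $filter = '(&(objectCategory=person)(objectClass=user)(msRTCSIP-UserEnabled=TRUE)' +
              '(msExchMasterAccountSid=*)(userAccountControl:1.2.840.113556.1.4.803:=2))'

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree `
               -Properties msExchMasterAccountSid, 'msRTCSIP-OriginatorSid', 'msRTCSIP-PrimaryUserAddress' |
    ForEach-Object {
        $master = ConvertTo-Sid $_.msExchMasterAccountSid
        $orig   = ConvertTo-Sid $_.'msRTCSIP-OriginatorSid'
        $state  = 'Mismatch'
        if ($null -eq $orig)                  { $state = 'Missing' }
        elseif ($orig.Value -eq $master.Value) { $state = 'InSync' }
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            SipAddress        = $_.'msRTCSIP-PrimaryUserAddress'
            MasterAccountSid  = $master
            OriginatorSid     = $orig
            State             = $state
            DistinguishedName = $_.DistinguishedName
        }
    }
}

function Sync-OcsOriginatorSid {
    # Reports every linked user and, with -Fix, writes msExchMasterAccountSid into
    # msRTCSIP-OriginatorSid for those that are Missing or Mismatch. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase, [switch]$Fix)

    $report = Get-OcsSidMappingState -SearchBase $SearchBase
    if ($Fix) {
        foreach ($u in ($report | Where-Object { $_.State -ne 'InSync' })) {
            if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set msRTCSIP-OriginatorSid to $($u.MasterAccountSid.Value)")) {
                Set-ADUser -Identity $u.DistinguishedName -Replace @{ 'msRTCSIP-OriginatorSid' = $u.MasterAccountSid }
            }
        }
    }
    $report
}

# Usage: review first, then apply.
$ou = 'OU=Testing,DC=danovich,DC=com'                        # placeholder OU
Sync-OcsOriginatorSid -SearchBase $ou | Format-Table SamAccountName, SipAddress, State, MasterAccountSid, OriginatorSid
Sync-OcsOriginatorSid -SearchBase $ou -Fix -WhatIf            # dry run of the writes
```

Treat a Mismatch as a finding rather than something to silently overwrite: it means the SIP identity was at some point tied to a different account-forest SID than the mailbox, and whoever held that SID could sign in to OCS as this user.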