blog.saalmink.nl

In addition to the import procedures, here’s how to export to .pst files:

Add an import to the queue:

New-MailboxExportRequest -Mailbox p.puk -FilePath "\\FS01\data\Backup Mailbox (PST)\p.puk.pst"

And status:

Get-MailboxExportRequest

“Have you ever copied some text from a web page or a document and then wanted to paste it as simple text into another application without getting all the formatting from the original source? PureText makes this simple by adding a new Windows hot-key (default is WINDOWS+V) that allows you to paste text to any application without formatting.”

Download this 13KB utility here!

SP1 for Exchange 2010 has a new approach for importing .pst files.
First of all make sure the group “Exchange Trusted Subsystem” has NTFS permissions on the folder which contains all the .pst files.
Second, make sure this folder has been shared. Exchange only accepts unc paths.
Third, you have to make a new role assignment to a security group.
Create a universal group called “Mailbox Import Export Access” in active directory and add the user who’s going to do the export. Next, from the Exchange Management Shell:

New-ManagementRoleAssignment -Name "Mailbox Import Export Access" -SecurityGroup "Mailbox Import Export Access" -Role "Mailbox Import Export"

All the preparations have been made.

To queue (yes queue!) the import for a user:

New-MailboxImportRequest -Mailbox p.puk -FilePath "\\FS01\data\Backup Mailbox (PST)\p.puk.pst"

You can repeat the line for other users or pipe a list of users to build a bigger queue.

The following command shows the queue and the status of all imports:

Get-MailboxImportRequest

or

get-mailboximportrequest | fl filepath,status

One drawback so far:
I haven’t been able to find a way to set the locale by default (was possible with non-SP1 by typing

-locale "nl-NL"

for Dutch users) which is really annoying since users will end up with “Inbox” instead of “Postvak In”, “Sent Items” instead of “Verzonden Items”, etc.
This can be overcome by logging in to the webmail before starting the import and set the default language from there (first question asked when logging in). But that’s still annoying.

Update 2011/03/25
I haven’t been able to test it yet but running the following command prior to the import might do the trick ….

Set-MailboxRegionalConfiguration p.puk -Language "nl-NL" -DateFormat "dd-MM-yyyy" -LocalizeDefaultFolderName:$true

or for all mailboxes

get-mailbox | set-mailboxregionalconfiguration -Language nl-NL -DateFormat "dd-MM-yyyy" -LocalizeDefaultFolderName:$true

Today i needed access to a domain of servers, but one of our competitors would not provide us with the Administrator password, so i needed other ways to get in.

Petri.co.il has a nice page on that subject that consists of 2 steps:

1. change the local administrator password (so you can boot into Active Directory restore mode)
2. install a service to change the domain password

Somehow step 1 lead me to corrupt SAM/Software/system files so after restoring the original files i figured a way to skip that.

All you need is a Windows live cd or usb stick and the zipfile below. BartPE will do. Or use a commercial product like Active@ Boot Disk, which is really nice because of the fact that it’s based on a Vista kernel which supports the loading of drivers without rebooting. So you’re able to load drivers for raidcontrollers or other devices and your drives will appear directly.
Download this file and put it on a usb stick.

Now here we go:

1. Boot your Windows live environment.

2. Extract the content of the zip-file to c:\.
   You’ll have 2 directories.
   C:\RegEditPE
   C:\srvany

3. VERY IMPORTANT: make a copy of your c:\windows\system32\config now. Just copy the entire directory to some location.

4. Start C:\RegEditPE\RegEditPE.exe and after it’s done browse to HKEY_LOCAL_MACHINE.
   You’ll see new hives for windows installations that have been found, e.g. “SYSTEM_ON_G”.

5. Edit C:\srvany\_service.reg and replace (ctrl+h) “SYSTEM_ON_E” with the one on your system.

6. Check the line that says:

   "AppParameters"="/k net user Administrator 123456abc /domain"
   

   As you can see the password will be changed to “123456abc” but keep in mind that your domain can have complexity policies! Change to something more complex if needed!

7. Save the file.

8. Now doubleclick the file to merge it into the registry and close RegEditPE.

9. I’ve provided cmd.exe from Windows 2003 SP2 in the zipfile, but you might want to do:

   copy x:\windows\system32\cmd.exe x:\srvany\
   

   (where x is your drive with your Windows installation.

10. Reboot and wait a little. Now you can log in with your new password.

Tested on Windows 2003 SP2

If you have a printserver in your network and you want to change certain properties, e.g. print black/white instead of color, normally what you do is change the settings on the Advanced Tab - Default Settings Button. These are the settings a user inherits when first connecting to the shared printer.
But what if you want to revert these settings. You’d have to remove the printer from the userprofile and make sure the printer’s readded, in order to inherit the new default settings.

This is exactly what the following script does.
It also cleans removed/unshared printers, as it can only re-add printers that still exist.

on error resume next
Set WshNetwork = WScript.CreateObject("WScript.Network")

'## Enumerate all the current printers in the profile
Set oPrinters = WshNetwork.EnumPrinterConnections

For i = 0 to oPrinters.Count - 1 Step 2

'## Disconnect the printer
WshNetwork.RemovePrinterConnection ""& oPrinters.Item(i+1) &"", true, true
'## Readd the same printer (if still exists)
WshNetwork.AddWindowsPrinterConnection ""& oPrinters.Item(i+1) &"", true, true

Next

msgbox "Done"

You might want to comment the last line to make the script run totally silent.

If you’re migrating data from one domain to another, sometimes you need to retain file and directory permissions.
Let’s assume you’ve recreated users and security groups the way they were. Then you can do the following:

dump all rights to a file (on the old fileserver)

subinacl /noverbose /outputlog=D:\apps_perms.txt /subdirectories d:\apps\*.* /display

replay the file (on the new fileserver)

subinacl /playfile D:\apps_perms.txt

In addition to the previous article, you might want to add your default locale to the import-mailbox command.
e.g.

import-mailbox -identity "hugo" -pstfolderpath "c:\pstfiles" -locale "nl-NL"

Otherwise annoying duplicate folders like Inbox/Postvak IN, Calendar/Agenda, Drafts/Concepten, etc will appear.

I haven’t figured out how to get proper resultcodes or errorhandling from the “Import-Mailbox” command, but you can use your transcript file for that. See my other post for that.

You’ll need some global vars, e.g.:

$your_import_file="c:\import\import.csv"
$folder_with_psts="C:\exmerge\primary database export files"

Then it’s as simple as this:

function import_mailboxes()
{
  $UserDetails=Import-Csv -delimiter ";" $your_import_file
  $count=0
  $found=0
  $notfound=0
  foreach($UD in $UserDetails)
  {
    $count++
    $username=$UD.Code.ToLower()
    $full_path_to_pst=$folder_with_psts + $username + ".pst"
    $FileExists = Test-Path $full_path_to_pst
    if ($FileExists)
    {
      write-host "$count - $username - Ready to import ($full_path_to_pst)" -ForegroundColor Green
      $found++
      Import-Mailbox -Identity $username -PSTFolderPath $folder_with_psts
    }
    else
    {
      write-host "$count - $username - No matching pst file found!" -ForegroundColor Red
      $notfound++
    }
  }
  write-host "Summary: Found (and hopefully successfully imported): $found, Not Found: $notfound"
}

This script uses the RemoteExchange calls for Exchange 2010:

. 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'
Connect-ExchangeServer -auto

And the function:

function enable_mailbox_for_existing_user([string]$username)
{
  $check = get-aduser -Filter { samAccountName -eq $username }
  if($check -eq $null)
  {
    write-host "- User does not exist - ERROR" -ForegroundColor Red
  }
  else
  {
    # seems like the user exists
    $mailbox_test = get-user $username | select recipienttype
    if ($mailbox_test.RecipientType -eq "userMailbox")
    {
      write-host "- User is allready mail-enabled - WARNING" -ForeGroundColor Yellow
    }
    if ($mailbox_test.RecipientType -eq "User")
    {
      Enable-Mailbox -Identity $username -Alias $username | Out-Null
      write-host "- Mailbox for user created - OK" -ForeGroundColor Green
    }
  }
}

Again, you’ll need the Windows 2008 r2 ActiveDirectory module for this to work:

import-module ActiveDirectory

Some static variables:

$default_securitygroup_ou="OU=MySecurityGroups,"

And the functions:

function add_security_group([string]$StrGroupName)
{
  $check = get-adgroup -Filter { name -eq $StrGroupName }
  if($check -eq $null)
  {
    $ad_path = $default_securitygroup_ou + (get-addomain).distinguishedname
    New-ADGroup -Path $ad_path -name $StrGroupName -GroupScope Global -GroupCategory Security
    write-host "- Security Group created - OK" -ForeGroundColor Green
  }
  else
  {
    write-host "- Security Group allready exists" -ForeGroundColor Yellow
  }
}

function add_user_to_group([string]$username, [string]$security_group)
{
  $grp = get-adgroup -Filter { name -eq $security_group }
  if ($grp -eq $null)
  {
    write-host "- Security Group does not exist - ERROR" -ForeGroundColor Red
  }
  else
  {
    # group does exist, lets see if the users is allready a member
    $members = get-adgroupmember -Identity $security_group
    foreach ($mem in $members)
    {
      if($mem.samAccountName -eq $username)
      {
        $found = $true
      }
    }
    if ($found)
    {
      write-host "- User is allready a member of this Security Group - WARNING" -ForegroundColor Yellow
    }
    else
    {
      add-adgroupmember -identity $security_group $username
      write-host "- User succesfully added to Security Group - OK" -ForegroundColor Green
    }
  }
}

In addition to the previous example it would be nice to create users from the .csv files.

You’ll need the Windows 2008 r2 ActiveDirectory module for this to work:

import-module ActiveDirectory

Also i have a couple of static variables:

$default_users_ou="OU=myusers,"
$ad_domain="my.domain.local"
$share_profiles="\\fileserver01\profiles"
$share_users="\\fileserver01\users"
$homeshare_drive="Z:"

And here we go:

function add_user([string]$username, [string]$plaintextpassword, [string]$group, [string]$givenname, [string]$surname, [string]$displayname, [bool]$enabled)
{
  # syntax: add_user f.deboer mypass$78 teacher "Boer, De" "Frank" "Boer, De, Frank" $true

  $check = get-aduser -Filter { samAccountName -eq $username }
  if($check -eq $null)
  {
    $user_password=ConvertTo-SecureString -string $plaintextpassword -asPlainText -Force
    $ad_user_path=$default_users_ou + (get-addomain).distinguishedname
    $loginscript=$group + ".bat"
    New-ADUser -Name $displayname -SamAccountName $username -UserPrincipal "$username@$ad_domain" -AccountPassword $user_password -CannotChangePassword $true -PasswordNeverExpires $true -Enabled $enabled -ProfilePath "$share_profiles\$username" -HomeDirectory $share_users\$username -HomeDrive $homeshare_drive -ScriptPath $loginscript -GivenName $givenname -Surname $surname -DisplayName $displayname -Path $ad_user_path
    write-host "- User Created - OK" -ForeGroundColor Green
  }
  else
  {
    write-host "- User allready exists" -ForeGroundColor Yellow    
  }
}

Powershell is ideal for bulk operations, e.g. creating lots of users in active directory.

Say we have a .csv file that looks like this:

loginname;firstname;middlename;lastname;fullname;function;password
f.deboer;f;de;boer;Boer, de, Frank;teacher;mypass$78
r.deboer;r;de;boer;Boer, de, Ronald;teacher;123pass60
m.manager;m;;manager;Manager, Mike;manager;superpassw0rd

You might want to specify some global variables first.

$import_file="d:\import\importfile.csv"

Now let’s create a simple function to read the file.

function readcsvfile()
{
  $UserDetails=Import-Csv -delimiter ";" $import_file
  foreach($UD in $UserDetails)
  {
    $loginname=$UD.loginname
    $firstname=$UD.firstname
    $middlename=$UD.middlename
    $lastname=$UD.lastname
    $fullname=$UD.fullname
    $function=$UD.function
    $password=$UD.password

    echo "$username"
    echo "$password"
    # or something else you want to do with tis information
  }
}

# Modules
# - http://technet.microsoft.com/en-us/library/ee617195.aspx
import-module ActiveDirectory

To log your entire powershell session to a file you can use the start-transcript and stop-transcript commands.

$mypowershellapplicationdir = "c:\myapp"
$logfiledate = (get-date).tostring("yyyyMMddHHssmm") + ".txt"
start-transcript -path $mypowershellapplicationdir\logs\$logfiledate

Stop-transcript will automatically be done when leaving powershell.

Currently, Exchange 2010 SP1 is still in beta. Among other new features it’s not longer necessary to install Outlook 2010 (64 bit!!) on your Exchange 2010 server.
For now you have to.

To import or export .pst files you need to get the right Role Assignment. From the Exchange Management Shell:

New-ManagementRoleAssignment –Role “Mailbox Import Export” –User “Administrator”

Then it’s just a matter of:

Export-Mailbox Administrator -PSTFolderPath E:\

HOWEVER
If you have all the roles (Mailbox, Client Access and Hub Transport) on the same server, you’ll run into error:

Error occurred in the step: Approving object. An unknown error has occurred., error code: -2147221219

Solution:

• Either move the Mailbox (+Outlook 2010 64bit) to a second Exchange server.
• Or change the following:
  • adsiedit
  • connect to..
  • Well known Naming Context: Configuration
  • CN=Configuration,DC=your,DC=domain,DC=local
  • CN=Services,
  • CN=Microsoft Exchange,
  • CN=<Your Organization Name>,
  • CN=Administrative Groups,
  • CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
  • CN=Databases,
  • CN=Mailbox Database 0123456789,
  • Now rightclick on “CN=Mailbox Database 0123456789” (left pane), properties
  • security tab
  • Grant the System user the following rights: Read, Administer information store, Allow Impersonation to Personal Exchange, Create named properties in the information store, Open mail send queue, Receive as, Send as, View information store status
  • Restart

This should be fixed in SP1 or even before that.

From the Exchange Management Shell:

Get-Mailboxdatabase | Add-AdPermission -User Administrator -AccessRights GenericAll

sysprep.inf:

[Identification]
    JoinDomain=DOMAIN
    DomainAdmin=sysprepadmin
    DomainAdminPassword=password
    MachineObjectOU="OU=Desktops,OU=Machines,DC=Domain,DC=local"

User policies are applied based on who you are.
More specific: in what OU your user account is, since group policy objects are linked to OU’s.
But sometimes you want to apply policies based on where you are.
For instance, specific settings apply when you log on to a terminal server instead of your own pc.
This is where loopback policies come in place.

• create a new OU
• move the terminal server computer account to this OU
• create and link a new group policy object
• edit the policy object
• computer policy, Administrative templates, System, Group Policy, and enable the Loopback Policy
• choose to replace all user policies or to merge (policies from this policy object will overrule others)

Microsoft’s knowledgebase: http://support.microsoft.com/kb/231287

XP or 2003 rktools gives you version XP010. There is a newer version, but hard to find.
Here’s XP026, the latest that’ll run on XP (Vista and up have 027 embedded but won’t run on XP).

robocopy.exe

This “system reserved partition” is used for two things:

• When booting from an encrypted volume (bitlocker), some bootfiles simply can’t be crypted. They reside on this partition
• Windows Recovery Environment (WinRE)

If you do not need bitlocker and you want to keep things simple (e.g. for imageing purposes), you might want to remove this partition when installing Windows. In this example i assume there’s only one drive and it’s empty.

• Start Windows setup as usual
• At the screen where you select your language, keyboard and locale, press Shift+F10. You now enter a dos prompt.
• diskpart
• list disk
• select disk 0
• create partition primary
• select partition 1
• format fs=ntfs quick
• exit
• exit
• now resume setup as normal, but select the primary partition at the partitioning screen

Windows 7 audit mode is used for preparation of computers in order to add software and drivers without the need to do the final OOBE (Out Of Box Experience), which should be done by the end-user.
It is also used to create images for deployment, but i’ll do an article on that later.

• Insert Windows 7 DVD and boot from it
• Choose language and keyboard
• Choose Install
• Choose I Agree and Next
• Custom installation and Next
• Partition as you like, then select the disk or partition you want to install to, then press Next
• The computer will reboot a couple of times
• When the setup asks for a username, press CTRL+SHIFT+F3
• The computer will now reboot
• After reboot, you will automatically log in as Administrator and you’ll see a Sysprep screen. You can close it.

You are now in audit mode and will have the opportunity to install any application you want.

Reboot as many times as necessary. After reboot, you’ll see the sysprep window again, just close it every time until done installing.
Do a final reboot. At the sysprep screen choose the OOBE option.
Don’t check the Generalize option, unless you want to create an image for deployment purposes.

The system is now ready for the end-user with all applications pre-installed.

The net is full of discussions whether severe fragmentation will be able to cause a system crash or not. Allthough in theory it will only cause a performance bottleneck, from own experience i can tell you it will be able to crash your system!
Therefor always defragment your partitions. It will not only gain performance but also stability!

Took me quite some time to figure out the problems this client was having:

• couldn’t see properties of users in Active Directory Users and Computers
• couldn’t see properties of events in the eventviewer
• couldn’t move icons on the desktop
• certain software wasn’t functioning

All came down to one simple solution:

regsvr32 %systemroot%\system32\ole32.dll

Microsoft KB 926932

Run from prompt:

for /f "tokens=*" %a in ('dir /b *.dll') do regsvr32 /s %a

Remember: when running from a batchfile %a becomes %%a

Running around 300 servers in small environments (meaning: only one 2003 server as domain controller and file/print/exchange) lead me to the following tweaks:

@echo off

echo "This server has 1 GB or more of physical memory"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v HeapDeCommitFreeBlockThreshold /t REG_DWORD /d 262144 /f
echo "This server is running Windows 2003"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v SystemPages /t REG_DWORD /d 0 /f
echo "This server is a domain controller - faster shutdown"
reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v WaitToKillServiceTimeout /t REG_SZ /d 20000 /f