NetworkBrewSelector

May 17th, 2013 by Geoff Kendal 1 Comment

Whose turn is it to make the brews? And who wants one?

Introducing… NetworkBrewSelector!

It’s a small standalone exe system tray app that coordinates brew round management in your office. It works in a peer to peer (P2P) manner, using broadcast traffic on your network, so no server connection is required. The only requirement is that it can listen on UDP port 11600.

When the cup is green, no round is in progress – double click to start one. Everyone in your team will get a balloon notification to let them know a round has started. The cup icon on all systems will turn orange – members of your group can double click the orange cup to join in the round. After 30 seconds have elapsed the app will randomly pick someone to make the brew round!

Upon first launch, you’ll be asked for a group name – this is simply so that multiple groups or rooms can use NetworkBrewSelector without interfering with each other!

Download – NetworkBrewSelector_2.3.5.zip (354k)

In a mixed PC / Mac environment, you can encounter the situation where Mac systems create filenames or folders with a trailing space at the end. While files with these names are no problem for a Mac to work with, Windows systems cannot move/delete/rename the folders – they just give access denied messages.

It is possible to delete these files with the following commands:

rd /s "\\?\D:\path\to\file "
del "\\?\D:\path\to\file.txt "

I’ve tried to find a way to prevent this situation from happening, but have been unsuccessful so far. The next best thing I can do is hunt the files down and correct them. After spending quite a while looking all over the place for a VBScript or PowerShell script that would allow me to find and remove the trailing spaces I was still unsuccessful, so had a crack at developing a C# command line application to do this instead…

Enter: trailingSpaceKilla…

Run it from the command line (or as a scheduled task!), and point it towards a directory. It will find any files or folders with the bad space at the end, and replace it with an underscore (_), allowing full access from Windows systems once again! If you’re going to use this, please run it on some test files first, as NO WARRANTY IS PROVIDED - USE AT YOUR OWN RISK. (That said, I’ve just run it on our production file servers, with no issues)

Download – trailingSpaceKilla.exe (12k)

There’s a handful of reasons why you might need to change the name of a computer. Here’s something to get you started:

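$newName = "NewName"
$oldName = gc env:computername
$Computer = Get-WmiObject Win32_ComputerSystem -ComputerName $oldName
# Rename(Name, Password, UserName): the password and account here are placeholders
$r = $Computer.Rename($newName, "Pa55w0rd", "DOMAIN\adminuser")
# A ReturnValue of 0 means success; anything else is a Win32 error code
echo "Exit code: " $r.ReturnValue
exit $r.ReturnValue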

You’ll ideally fire a reboot after this has completed successfully.

If you’re running the script as a domain admin, you don’t need to specify credentials on the $Computer.Rename() function. I was running this as part of our software deployment process, which ran as the local system account, so needed to specify this info.

My code wasn’t always renaming systems, some failed with error code 1219. This is the error you get when trying to make multiple connections to a server using different credentials – The system hosting the software deployment was a domain controller, when logged on via that DC, it failed with the 1219. No biggie, as a reboot or two later, I would use another DC and the rename would happen fine.

I was recently performing a restore of some old data that had been archived to tape using Symantec Backup Exec 2010. The restore job appeared to complete fine, without any errors or warnings – however when we came to try and use the data, certain files were corrupt/empty – despite the size being correct.

I inspected the contents of the file by opening in an editor – it turned out that all the affected files just contained null/space characters and no real content, as if they had not restored correctly.

I inspected the BackupExec log and saw some entries that gave me a clue to where the problem may lie…

BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Tag=IO_REPARSE_TAG_SIS, file=example1.pdf
BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Reparse data not restored during redirection of example1.pdf.
BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Tag=IO_REPARSE_TAG_SIS, file=example2.pdf
BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Reparse data not restored during redirection of example2.pdf.

The server in question was running Windows Storage Server 2008 – which provides the Single Instance Store (SIS) service. SIS basically removes duplicate files from your filesystem by taking a copy of the file, then putting symbolic links to the master file.

There are a couple of simple workarounds to the problem…

1) Do not redirect the restore job – just restore to the original location

2) Restore to another drive that does not have the SIS service enabled on it

In my Exchange 2010 environment, we’re using the thumbnailPhoto attribute in Active Directory, so that users’ photos appear in Outlook 2010. We also have a custom intranet page that features a company directory which pulls details such as phone numbers from AD. I wanted to also add in the image stored in thumbnailPhoto for each user, so started to create a way of extracting the image that could be used in a web page.

I ended up with a C# ASP page, called userPhoto.aspx with the following contents:

<%@ Page Language="C#" %>
<%@ OutputCache Duration="6000" VaryByParam="u" %>
<%@ Import Namespace="System.DirectoryServices" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

    private void Page_Load(object sender, EventArgs e)
    {
        String myUser = Request.QueryString["u"];
        
        if (myUser == null)
            Response.Redirect("app_graphics/user.jpg");

        Response.ContentType = "image/jpeg";
        Response.Clear();
        Response.BufferOutput = true;
        
        DirectoryEntry de = new DirectoryEntry();
        de.Path = "LDAP://OU=Users,DC=domain,DC=local";

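        // Escape RFC 4515 filter metacharacters (backslash first) so the u parameter cannot alter the search filter
        String safeUser = myUser.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

        DirectorySearcher search = new DirectorySearcher();
        search.SearchRoot = de;
        search.Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + safeUser + "))";
        search.PropertiesToLoad.Add("samaccountname");
        search.PropertiesToLoad.Add("thumbnailPhoto");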

        SearchResult user;
        user = search.FindOne();

        String userName;
        if (user == null)
            Response.Redirect("app_graphics/user.jpg");
        else
            userName = (String)user.Properties["sAMAccountName"][0];

        try
        {
            byte[] bb = (byte[])user.Properties["thumbnailPhoto"][0];
            Response.BinaryWrite(bb);
            Response.Flush();
        }
        catch
        {
            Response.Redirect("app_graphics/user.jpg"); 
        }

    }

</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>userImage</title>
</head>
<body>
    <form id="form1" runat="server">
    </form>
</body>
</html>

You can then use the file by passing a parameter of u on an HTTP GET request, containing the user’s sAMAccountName.

For example, <img src='userPhoto.aspx?u=gkendal'/>. Also, don’t forget to set the OU of where your user objects are in AD on line 21 (the de.Path line), and to add a placeholder image for those users that don’t have anything stored in their thumbnailPhoto attribute!
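Because the u parameter becomes part of an LDAP search filter, its value has to be escaped per RFC 4515 (or rejected) before it is concatenated. The console program below is an added example, not part of the original page: it builds the same filter shape from constructed inputs, raw and escaped, and applies an allowlist whose character set and 20-character limit are assumptions for this example.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

static class LdapFilterDemo
{
    // Escape the characters RFC 4515 reserves inside a filter value.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Assumed allowlist for this example: letters, digits, dot, underscore, hyphen.
    static bool LooksLikeAccountName(string value)
    {
        return value != null && Regex.IsMatch(value, @"^[A-Za-z0-9._-]{1,20}\z");
    }

    // Same filter shape as userPhoto.aspx.
    static string BuildFilter(string user)
    {
        return "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + user + "))";
    }

    static void Main()
    {
        // Constructed inputs: a normal name, a wildcard, and a value containing parentheses.
        string[] samples = { "gkendal", "g*", "x)(cn=*" };
        foreach (string u in samples)
        {
            Console.WriteLine("raw filter : " + BuildFilter(u));
            Console.WriteLine("escaped    : " + BuildFilter(EscapeFilterValue(u)));
            Console.WriteLine("allowlisted: " + LooksLikeAccountName(u) + Environment.NewLine);
        }
    }
}
```

Only the first input passes the allowlist; for the other two, the escaped filter keeps the whole value inside the sAMAccountName clause, so the page falls back to the placeholder image instead of returning another account's photo.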

After an upgrade to Exchange 2010 SP1, to add the update rollup 3 (v3), OWA stopped logging users in, instead just leaving them on a blank page (This was really a HTTP 500 error page for auth.owa).

Turns out that the “Microsoft Exchange Forms-Based Authentication service” was not restarted after the patching. Starting the service fixes this issue.

Unsolicited Remote Assistance and UAC

February 1st, 2011 by Geoff Kendal No Comments

I’ve always liked the idea of using unsolicited remote assistance to support users, as it’s already built in to Windows, so no need for 3rd party software and additional costs. The downside was its inability to handle UAC prompts very well (Which are pretty inevitable if you’re having to use remote assistance to help someone to do anything moderately taxing!).

When you offer remote assistance to a user’s system, they have a checkbox option of letting you respond to UAC prompts, but that would then require them to provide admin credentials, which is a no-goer. The other situation that is often encountered is the UAC prompt causing a black screen with a pause icon/symbol to the remote user – another show stopper!

There is, however, a simple fix that will allow the UAC prompts to be shown to the remote user! You’ll need to use a GPO to force the following security setting: User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. With this setting enabled, elevation prompts raised while a UIAccess application such as Remote Assistance is in use appear on the interactive desktop rather than the secure desktop, which is why the remote helper can see and answer them.

Once this is done, unsolicited remote assistance becomes a very useful tool!

Problems binding Mac to Active Directory

January 6th, 2011 by Geoff Kendal No Comments

I bound one of our new iMacs to our MS AD a while back, however a week later it stopped working out of the blue. After unbinding and trying to bind again I received the following error:

Unable to add server. The daemon encountered an error processing the request (10002)

After a bit of investigation, it turned out that the issue was due to the clock drifting on the Mac, and causing Kerberos authentication to fail. Fixed by setting the clock to sync with a domain controller (will prevent the issue from recurring), after this it rebound straight away.

Sharing all users calendars on Exchange 2010

September 14th, 2010 by Geoff Kendal No Comments

We have a couple of requirements in our environment, firstly Admin users need access to all mailboxes, then all users need reviewer (Read only) access to everyone else’s calendars.

To achieve this, I have the following PowerShell script scheduled to run overnight…

# Every mailbox in the organisation
$userAccounts = get-mailbox -resultsize unlimited
ForEach ($user in $userAccounts)
{
	# Full mailbox access for the Domain Admins group
	Add-MailboxPermission -Identity $user -User "DOMAIN\Domain Admins" -AccessRights FullAccess
	# Read-only (Reviewer) access to the Calendar folder for the mail-enabled entire-company group
	Add-MailboxFolderPermission -Identity ($user.UserPrincipalName + ":\Calendar") -User entire-company -AccessRights Reviewer
}

I initially tried using the ‘Default’ user for the calendar permissions, but this caused some odd results and errors in Outlook, so I put that back to ‘AvailabilityOnly’ and used a mail-enabled Active Directory group that contained the whole company instead!

There might be a nicer way to set default mailbox permissions at the time of account creation, but I’ve yet to find this!

Problem transferring schema master role

August 5th, 2010 by Geoff Kendal 1 Comment

When trying to move the Schema Master FSMO role from a 2003 to 2008 R2 server, I came across an issue. In order to transfer the Schema master role, you need to run the following command:

regsvr32 schmmgmt.dll

Once you’ve done this, you should be able to load the AD schema MMC snap-in, however I kept getting the following error when I ran it.

The module “schmmgmt.dll” was loaded but the call to DllRegisterServer failed with error code 0x80040201

Simple solution to the problem: Run the command from an elevated command prompt, or use the ntdsutil command to do it (But RTFM!)