Well after much consideration, I have finally decided to move my blog over to the Technet blogs.  I have been posting sporadically to a blog over on Technet for some time and I have been on the fence on whether to switch. 

This switch is not due in any way to this site or the guys that run the site.  Rod and Ron have done a great job providing me this blog for almost a year.  The primary reason I am switching is to make it easier to consolidate my posts.  I now have two external blogs and one internal blog to Microsoft.  By posting to Technet blogs I can eliminate two of the blogs and hopefully still be able to provide information to all of my readers.

I will slowly start to move over some of my posts over the next couple of weeks.  I will still be involved in reading and commenting on these blogs so keep up the great posts!  The RSS feed for myITforum is still the first blog I read every morning.

For those who are interested, my new blog address will be http://blogs.technet.com/tmintner

Thanks again Rod and Ron for the great service!

 

One of the hardest and sometimes most frustrating experiences with migrating from Notes to Exchange is using the Lotus Notes connector.  Often a migration can take months if not years and frankly the Notes connector just isn't meant to be run that long. 

Well there is another option.  The Notes connector basically provides two functions: it synchronizes Active Directory with the Notes directory, and it provides mail routing functionality so that Notes users can send email back and forth to Exchange users.  So instead of using the connector to synchronize the directories, you can use MIIS to perform the same function.  You can even enhance your directory synchronization.  For example, if you have a lot of applications still written in Domino databases, you will need to keep those pesky Notes clients around for quite some time.  Provisioning a new user in Notes is a pain because you have to generate a Notes ID file.  However, with MIIS and a little coding you can have the Notes ID file generated automagically.  So what about mail routing?  Instead of using the Notes Connector, you can just use SMTP routing to route mail back and forth between the two mail systems.

If you are interested in more specific details on how to do this, check out this great blog post:

http://alextch.members.winisp.net/DominoExchangeSMPTSharedSpace/DominoExchangeSMTPSharedSpace.htm


I just got this in my email in regards to the Automatic Updates issue I was having.  This community is great.  Thanks Aaron!

Tim -
        Re your post this morning on wuauserv via GP - it's even easier than that:  just grant Authenticated Users (or Everyone) Read access to the service in the GPO in which you enable the service.  And this should only affect XP, but I don't remember if SP1 or SP2….

For example, here's a copy/paste from GPMC:

Automatic Updates (Startup Mode: Automatic)

Permissions

Type     Name                                Permission
Allow    BUILTIN\Administrators              Full Control
Allow    NT AUTHORITY\Authenticated Users    Read
Allow    NT AUTHORITY\INTERACTIVE            Read
Allow    NT AUTHORITY\SYSTEM                 Full Control

Auditing

Type     Name        Access
Failure  Everyone    Full Control

The line highlighted in Red is what I added to make it work.  Set it once in the GPO and forget it.

Enjoy!

Aaron  :)


 

Aaron M. Czechowski
Desktop Management Engineer
Server Administration and Engineering
Office of Technology Services
Towson University
(410) 704 - 4591
www.towson.edu/~aczech


We found an interesting issue yesterday with the Automatic Updates service.  Apparently if you have ever used Group Policy to manage the start up of that service, Group Policy messes up the permissions of the service.  We found a nice little workaround here: http://support.microsoft.com/kb/555336.

Basically just create a batch file with this command in it and push it out to all of your SMS clients. Note that all of this must be on one line.

sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
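To see what that descriptor actually grants, the following added example (not from the original post or the KB article) decodes the DACL using the standard SDDL right codes as they map onto service access rights, and flags any non-administrative trustee that could reconfigure the service. The function names and the choice of which rights count as takeover-capable are assumptions of this example.

```python
import re

# SDDL right codes as they apply to a Windows service object.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "AU": "Authenticated Users", "PU": "Power Users"}
# Assumption of this example: rights that let a trustee reconfigure or take over the service.
TAKEOVER = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
ADMIN_TRUSTEES = {"SY", "BA"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee_code, [right names])] for the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields
        codes = re.findall("..", rights)
        # Hex masks and codes outside the service table are rejected, not guessed.
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError("unrecognised rights in ACE: " + body)
        aces.append((ace_type, trustee, [SERVICE_RIGHTS[c] for c in codes]))
    return aces

def risky_grants(sddl):
    """Allow ACEs that give takeover rights to a non-administrative trustee."""
    return [(trustee, sorted(TAKEOVER & set(rights)))
            for ace_type, trustee, rights in parse_dacl(sddl)
            if ace_type == "A" and trustee not in ADMIN_TRUSTEES
            and TAKEOVER & set(rights)]

# The descriptor from the sc sdset command in the post.
POST_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

if __name__ == "__main__":
    for ace_type, trustee, rights in parse_dacl(POST_SDDL):
        print(ace_type, TRUSTEES.get(trustee, trustee), ", ".join(rights))
    print("risky grants:", risky_grants(POST_SDDL))
```

The same functions can be run over the output of sc sdshow wuauserv to check what a machine ended up with after the batch file was pushed.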


If you have machines that are not part of the domain or you do not want to wait until a reboot to turn off the Automatic Updates feature, you can set the registry entries manually through an SMS Package by doing the following:

Copy the following information into a file called disableautoupdates.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

Create an SMS Package that includes the file disableautoupdates.reg with the following command line:

regedit /s disableautoupdates.reg

This process will also work if you have Workgroup machines that cannot receive this registry setting through Group Policy.


Now that you have enabled the Automatic Updates service, you might be concerned that your clients will start to automatically download and install Windows Updates.  To prevent this from happening you need to set the following Group Policy setting:

Computer Configuration, Administrative Templates, Windows Components, Windows Update, Configure Automatic Updates = Disabled.

Setting Configure Automatic Updates to Disabled will disable automatic downloads and still allow you to download the updates from the Microsoft Updates web site.


If you watched the ITMU webcast on Friday, you noticed that you have to enable the Automatic Updates service for the new ITMU scan engine to work properly.  If you have disabled the Automatic Updates service on your machines, you will need to re-enable this service.

This little VBScript will start the Automatic Updates service and set it to start Automatically.  You can either run this remotely or push this out with SMS to all of your clients:

' Sets the Automatic Updates service (wuauserv) to Automatic and starts it.
On Error Resume Next

' "." is the local machine; put a computer name here to run against a remote PC
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name='wuauserv'")
For Each objService In colServiceList
    ' The fifth argument of Win32_Service.Change is the start mode
    Call objService.Change( , , , , "Automatic")
    objService.StartService()
Next

Unless your application packagers are really really careful, chances are that they will overwrite DLL registration settings in the registry that could break certain features of IE or Windows Scripting Host (WSH).  When this happens use a batch file with the following command and send it out to your PCs.  This fixes about 90% of the errors associated with bad DLL references.  You can set this up as a recurring task or just make it non-mandatory and have your users run it if they are experiencing problems.

regsvr32 /s oleaut32.dll
regsvr32 /s shdocvw.dll
regsvr32 /s actxprxy.dll
regsvr32 /s mshtml.dll 
regsvr32 /s vbscript.dll

regsvr32 /s Urlmon.dll
regsvr32 /s Shell32.dll

regsvr32 /s Msjava.dll
regsvr32 /s Browseui.dll

regsvr32 /s Scrrun.dll
regsvr32 /s Jscript.dll

regsvr32 /s activeds.dll

 

Dave Hochstaetter has posted a great response to my Non-Compete blog.  Check it out here: http://david.hochstaetter.net/

I'm going to chimp here a bit. I can't let Rod take all of the fun.
I had a friend of mine recently show me a non-compete employment agreement that was absolutely ludicrous. It stated that he basically could not do his job anywhere in the world for 2 years post employment and any idea he thought of within 7 years of termination belonged to his current employer. To top it off the agreement also stated that by signing this he acknowledges that this agreement will not hurt his future chances of employment and he waives the right to a jury trial. I don't know about you but that just makes my skin crawl and my blood start to boil. First, let me state that I am a little biased here. I am the victim (and I don't use that word lightly) of two non-compete disputes. Both times I was forced to either pay or give up over $10,000 in revenue. That said, I cannot totally be objective here. Still, the idea of an employment agreement limiting a person's ability to either advance in his/her career or keep that person from working is just flat out unethical.


As a business owner, I can understand how a company would want to protect themselves. I totally agree with intellectual property agreements on work performed for the benefit of the company during working hours or if the employee is working on a work related project off hours that should belong to the company as well. I also believe that a company should protect their assets including financial data and customer lists from disgruntled employees. That is where the employment agreement should end from the employee's part, in my opinion. Anything stricter should come with quite a few extra perks such as stock or partial employee ownership. A company should not expect an employee to give up any chance of career advancement outside of their current employer if they have absolutely no control or say in how the company that they work for operates or compensates them.


I also feel that work or projects done on personal time should belong to the person doing the work and not that person's employer as long as it does not overlap with the employer's core business model. If an employee wants to spend his/her own time developing an application for sale, consulting for a couple of Mom and Pop organizations, writing a book or article, or creating a new technical based web site, then that work should belong to that employee. The employer should have no rights to try to claim ownership of that material.

Think I'm being crazy and that this never happens? Well let me give you a couple of examples of people I know. I will leave the names and companies out but you should be able to get the idea:

  • A consultant that I worked with wrote a very popular technical book during his own time after hours and on the weekend using his own computer equipment. His consulting company claimed that his knowledge was obtained on the job and threatened to sue for the profits.
  • Another consultant put together one of the most popular web sites on the web for Microsoft support content during his own time and also was threatened by his employer to give the site over to them.
  • Two employees left an organization to start an unrelated business and were sued for making contact with a former customer regarding a product that their previous employer had no intent on ever selling.


This list could go on and on. Companies today say that my generation has no loyalty to their employers. How can we when stuff like this is becoming more of the norm than the exception? When are companies going to learn that if they want loyalty then they have to treat their employees with the TRUST and RESPECT that their employees deserve? When employees feel that they are valued and can provide helpful insights into their organizations and are compensated accordingly, they will remain loyal and the company overall will thrive.


I'll stop my chimping now. :)


Thanks for reading,
Tim


If you need a way to run an application with elevated privileges but you don't want to store the password someplace in clear text, Quimeras has a great tool you should check out.  Their tool is called TQCRunas.  This allows you to encrypt the password information in a one way hash file that the TQCRunas program reads as it kicks off the program executable.

This application is perfect if you have a locked down environment and you have a troublesome application that will only run as a local administrator.

Here is the link to the product information:

http://www.quimeras.com/Products/displayproduct.asp?IdProduct=4

 


One of our consultants found a great utility this week while working with a client.  This tool allows you to add or remove networking services from a Windows 2000 or Windows XP client.  This is perfect if you have a client with an overzealous security administrator that has removed File and Print Sharing and you want to install it on all of your Windows 2000 or XP systems.  This can also be used to remove services such as the Microsoft client for Netware Networks when doing a migration.

Check out the article here:

http://www.jsifaq.com/subj/tip4700/rh4705.htm

You can download the tool from here:

http://www.jsifaq.com/dl/snetcfg_wxp.zip


Centerlogic has created a web site so that you can download all of their SMS related Tools.  The web site is: http://www.centerlogic.com/sms/tools.asp

Here are some of the tools they have available:

Enhanced System Discovery for SMS 2003 or SMS 2.0

Enhanced AD User Discovery for SMS 2003 and SMS 2.0

User Security Login auditing for SMS 2.0 and 2003

Good to see that Steve's tools finally have a home!

 


I've been using this script for a while to find workstations that have not been active.  It is such an awesome script.  It runs against all of your domain controllers and returns a CSV file with the results of the last logon for every workstation in your domain.  Just change the container in the script and you are good to go.

You can get the script from:

http://minasi.com/forum/topic.asp?topic_id=3724


I was asked a while back if I could modify my script in my earlier post in order to create local user accounts on multiple servers.  Well ask the Lazy Administrator and you shall receive.  Here is the code:


' Creates local user accounts on every server listed in servers.xls.
' users.xls holds the user names and their clear-text passwords.
Dim arrUsers()
Dim arrPasswords()
Dim arrServers()
Dim intSize

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
' Excel resolves a bare file name against its own default folder,
' so build full paths from the folder this script lives in
strFolder = objFileSystem.GetParentFolderName(WScript.ScriptFullName)
Set objErrFileOpen = objFileSystem.CreateTextFile(strFolder & "\errors.txt", True)

' Read user names (column 1) and passwords (column 2), skipping the header row
Set objExcel = CreateObject("Excel.Application")
Set objWorkbook = objExcel.Workbooks.Open(strFolder & "\users.xls")
intRow = 2
intSize = 0
Do Until objExcel.Cells(intRow, 1).Value = ""
    ReDim Preserve arrUsers(intSize)
    ReDim Preserve arrPasswords(intSize)
    arrUsers(intSize) = objExcel.Cells(intRow, 1).Value
    arrPasswords(intSize) = objExcel.Cells(intRow, 2).Value
    intSize = intSize + 1
    intRow = intRow + 1
Loop
objExcel.Quit

' Read server names (column 1), skipping the header row
Set objExcel = CreateObject("Excel.Application")
Set objWorkbook = objExcel.Workbooks.Open(strFolder & "\servers.xls")
intRow = 2
intSize = 0
Do Until objExcel.Cells(intRow, 1).Value = ""
    ReDim Preserve arrServers(intSize)
    arrServers(intSize) = objExcel.Cells(intRow, 1).Value
    intRow = intRow + 1
    intSize = intSize + 1
Loop
objExcel.Quit

For i = LBound(arrServers) To UBound(arrServers)
  ' Bind to the server's local account database and list user objects only
  Set objLocalServer = GetObject("WinNT://" & arrServers(i) & "")
  objLocalServer.Filter = Array("user")

  For j = LBound(arrUsers) To UBound(arrUsers)
    strUserName = arrUsers(j)

    ' Check every existing local account before deciding to create one
    blnExists = False
    For Each User In objLocalServer
      If LCase(User.Name) = LCase(strUserName) Then
        blnExists = True
      End If
    Next

    If blnExists Then
      objErrFileOpen.WriteLine(strUserName & " already exists on server " & arrServers(i))
    Else
      Set objUser = objLocalServer.Create("user", strUserName)
      objUser.SetPassword arrPasswords(j)
      objUser.SetInfo
    End If
  Next
Next

objErrFileOpen.Close


So how do you use this little snippet?  Well to start with you will need to create two Excel spreadsheet files in the same directory as this script.  The first file is called users.xls and should have the following format:

Username        Password
bob1            abc123
bob2            abc123

The second file is called servers.xls and should have the following format:

Server
MyServer1
MyServer2

At this point just copy the script above into a .vbs file and run it!  You will need to be an administrator on any server that you include in the servers.xls file.

In a later post I will go over the syntax of this script in more detail.

The Lazy Administrator
