Channel: The Sysadmins
\\live.sysinternals.com\tools

This is a file share that exposes all of the Sysinternals utilities. It lets you run the tools from any computer connected to the Internet without having to navigate to a web page, download and extract the zip file.

If you are unfamiliar with Microsoft Windows Sysinternals, it is highly recommended that you visit the website at http://technet.microsoft.com/sysinternals before using these tools.

Accessing the suite from PowerShell or the Command Prompt:

net use x: \\live.sysinternals.com\tools

Accessing the suite from within Explorer.

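Because the share is reached over the Internet, the check worth adding before you run anything from it is that the binary still carries Microsoft's Authenticode signature. The following is an added example, not code from the original post: it maps the share as the post does, then verifies the signature of one tool before launching it. The drive letter and the tool name (autoruns.exe) are assumptions; substitute whichever tool you need.

```powershell
# Added example (not from the original post): map the Sysinternals share, then
# confirm a tool's Authenticode signature before running it.
# Drive letter and tool name are assumptions.
param(
    [string]$Drive = 'X:',
    [string]$Tool  = 'autoruns.exe'
)

# Map the share if it is not already mapped (same as the post's net use line).
if (-not (Test-Path $Drive)) {
    net use $Drive \\live.sysinternals.com\tools | Out-Null
}

$path = Join-Path $Drive $Tool
$sig  = Get-AuthenticodeSignature -FilePath $path

# Require a valid signature whose signer is Microsoft before executing anything
# pulled from an Internet-facing share; anything else is refused.
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to run $path : status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}

Write-Host "Signature OK: $($sig.SignerCertificate.Subject)"
# -accepteula suppresses the licence dialog the Sysinternals tools show on first run.
& $path -accepteula
```

Run it with `.\Run-SysinternalsTool.ps1 -Tool procexp.exe` (any name you like for the script); the same `Get-AuthenticodeSignature` call can be piped over `Get-ChildItem X:\*.exe` to audit the whole share in one go.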
The post \\live.sysinternals.com\tools appeared first on The Sysadmins.


Server 2012 – Moving Between GUI, Core and Minimal Server Interface

Last year I looked at installing and configuring Server 2008 R2 Core (here and here). One of the limitations of Server 2008 R2 Core was that once it was installed, that was it: there was no way of adding the GUI at a later date, you were stuck with it, and vice versa, you couldn't strip a GUI install down to the Core version.

Microsoft recognised this limitation and have added the functionality to Server 2012; not only that, they've also added a halfway house known as the Minimal Server Interface... more on that later.

One of the cool new abilities in 2012 is that you can configure the server as normal with the GUI and then 'take it back to Core' once you have finished. Great for those who were put off by the potential complexity of learning new commands and administration techniques on a Core-only box.

Switch from Server 2012 Core to GUI

If you install Server Core, the binaries needed to add the GUI aren't present (hence the smaller footprint). This means you need to grab them either from a local source or from Windows Update. The binaries can be quite large, so I suggest you use a local source if you can.

I'm using Hyper-V and have mounted the Server 2012 install media ISO to the guest, which inside Windows is the D drive.

We first need to see which WIM index is required (the index that matches our SKU/edition).

Dism /get-wiminfo /wimfile:D:\sources\install.wim

We're using the Datacentre edition, so we'll use index 4.

There are a couple of ways to specify the source. Some people mount the WIM to a local folder, but this one-liner simplifies the process and achieves what we're after: it pulls the binaries from install.wim and installs the required features. The server will restart after the installation completes because we've specified -Restart.

Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart -Source:wim:d:\sources\install.wim:4

This process should take around 5-10 minutes; after the server has restarted you will be presented with the GUI. If the installation gets stuck at 68%, chances are you haven't entered the source or index correctly and the binaries are being pulled from Windows Update. You can disconnect or disable the NIC at this stage to test that theory.
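Reading the index off the Dism output works, but it is easy to pick the Core image by mistake (it does not contain the GUI binaries). The following is an added example, not the post's own code: it selects the install.wim index that matches the running edition, skips features already installed, and passes that index as the source. It assumes the post's mounted ISO at D:\sources\install.wim and the DISM and ServerManager modules that ship with Server 2012.

```powershell
# Added example (not from the original post): pick the install.wim index that
# matches the running edition instead of reading it off Dism's output by hand,
# then install the GUI features from that index.
# D:\sources\install.wim is the post's mounted ISO (assumption).
Import-Module Dism
Import-Module ServerManager

$wim = 'D:\sources\install.wim'

# Edition of the running OS, e.g. "ServerDatacenter". The WIM image names read
# like "Windows Server 2012 SERVERDATACENTER" / "...SERVERDATACENTERCORE".
$edition = (Get-WindowsEdition -Online).Edition
$wanted  = ($edition -replace 'Core$', '').ToUpper()

# The Core image lacks the GUI payload, so only a non-CORE image will do.
$image = Get-WindowsImage -ImagePath $wim |
         Where-Object { $_.ImageName.ToUpper() -like "*$wanted*" -and $_.ImageName -notmatch 'CORE' } |
         Select-Object -First 1
if (-not $image) { throw "No image matching $wanted found in $wim" }
Write-Host "Using index $($image.ImageIndex): $($image.ImageName)"

# Only act on features that are not already installed.
$features = Get-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell |
            Where-Object { -not $_.Installed }
if (-not $features) { Write-Host 'GUI already installed'; return }

# -Source points at the wim index so nothing is fetched from Windows Update
# (the 68% hang described above is the symptom of a wrong or missing source).
Install-WindowsFeature -Name $features.Name -Source "wim:$($wim):$($image.ImageIndex)" -Restart
```

If the server has no optical drive, the same script works against a copy of install.wim on a file share; only `$wim` changes.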

Switch from Server 2012 GUI to Core

There are two easy methods for removing the GUI and getting back to Core.

With PowerShell:

Remove-WindowsFeature Server-Gui-Shell,Server-Gui-Mgmt-Infra -Restart

With Server Manager:

  • Select Remove Roles or Features
  • Untick the Graphical Management Tools and Infrastructure and the Server Graphical Shell from the features page
  • Reboot the server with shutdown /r /t 0 or winkey+i -> Power -> Restart

Switch from Server 2012 GUI to Minimal Server interface

In Windows Server 2012, you can remove the Server Graphical Shell, resulting in the “Minimal Server Interface.” This is similar to a Server with a GUI installation, but Internet Explorer 10, Windows Explorer, the desktop, and the Start screen are not installed. Microsoft Management Console (MMC), Server Manager, and a subset of the Control Panel are still present.

With PowerShell:

Remove-WindowsFeature Server-Gui-Shell -Restart

With Server Manager:

  • Select Remove Roles or Features
  • Untick Server Graphical Shell from the features page
  • Reboot the server with shutdown /r /t 0 or winkey+i -> Power -> Restart

Switch from Server 2012 Core to Minimal Server Interface

With PowerShell:

Install-WindowsFeature Server-Gui-Mgmt-Infra -Restart -Source wim:d:\sources\install.wim:4


[Guest spot] – Why Sysadmins Should Learn to Write Computer Programs

I’ve been operating computers for the last 25 years of my life and I’ve done a bit of everything in that time, using computers to make a living for the last 17 years. I’ve been a systems administrator full-time. I’ve been a technical journalist, writing about modern PC technologies and 3D graphics. Most of all though, for fun and profit, I’ve been a programmer.

Programming for a living, for utility or for fun, I’ve connected people to the Internet, written desktop application software and sold it for big money, built web applications and tried my hand at many different programming languages to further my craft.

The most liberating thing it’s allowed me to do is ask computers questions about things. Questions about themselves and the data they hold. Questions about how they’re connected to other computers and the Internet. The questions are always followed by answers. The answers are what give you power.

Systems administration concerns itself with data more than anything else. Think about it. Users. Files. Permissions. Access controls. Configuration. Settings. There’s generally a lot of it, too. Hundreds or thousands (or hundreds of thousands!) of users with millions of files with myriad permissions and access controls in programs with countless configuration and potential settings.

That means there’s inherent (and usually unending) repetition built into everything. Repetition kills efficiency. Think about manually having to visit every seat in your company to perform a certain task. Programming is about avoiding repetition and making the use of computers more efficient. Programming is what enables you to stay seated and avoid that physical trek to every machine to do that tedious piece of config you can’t do remotely.

You might get lucky and have the software you use be able to ask all the questions you need about your systems. But I bet that frequently you find that you either have to make the software jump through hoops to give you the answers, or the answers are completely elusive.

Need to find all the inactive accounts in your Active Directory? Need to email everyone with connection to a certain printer to tell them it’s being serviced? What about inviting everyone with a high incidence of getting their password wrong to a workshop about good password policies?

Chances are you don’t have anything to hand that can easily help you with the last couple of things. What about if your infrastructure is modern and you have a nice virtualised setup running on top of VMware. What about automatically increasing resource pool allocation for hot-running VMs on a bunch of ESX servers, or finding out how much disk space you’re losing over time to datastore growth?

That kind of data-rich reporting and monitoring activity, where you need to do the same thing across a bunch of systems, usually over time, repeated periodically, is where knowing how to ask the questions yourself becomes incredibly powerful.

You stop needing to buy expensive reporting packages or trust one-off scripts you found online not to do bad things on your systems. You stop having to repeatedly click through terrible GUIs and wonder whether you remembered to check a certain tick box five levels of cascading property sheets deep inside the management console.

You write a program yourself, likely saving money, reducing your reliance on Google and random scripts and tools, usually getting it done faster and automating it for you so you save time in the future. A program doesn’t forget, or miss anything out in a large set of data.

The best part is that learning to engineer that kind of simple, time-saving, incredibly efficient, very useful software doesn’t take much. You can accomplish much of it without even having to learn more than a scripting language. Scripting languages tend to have easy-to-use hooks into your OS, are simpler and easier to learn and wield effectively than more heavyweight languages, and are quicker to start executing on a system since they don’t have to be built.

You just write and go.

So the next time you catch yourself repeating a tedious task you wish you could automate away, or find yourself wishing for some software to do a new thing entirely, as a sysadmin I bet you already have most of the mental skills to learn how to write software to do it yourself. I bet you caught yourself wishing about 5 minutes before reading this, and the reason you stopped off to read Tom’s excellent blog is because you needed help doing something you could mostly automate with code.

The benefits are clear for your current employer, and your future employment elsewhere too. It can only open doors in your career, give you much greater power and flexibility over your systems and save you so much time in the long run.


Searching Group Policy

Today we're looking at 3 easy ways to search Group Policy settings, primarily focusing on the Administrative Templates. With over 3000 settings (~3500 with Server 2012/Windows 8), you're going to want to be aware of these methods!

1. Search with Microsoft's GPSearch Site

Microsoft put this site up a couple of years ago, initially at http://gps.cloudapp.net/; it has now moved to http://gpsearch.azurewebsites.net and lets you search any of the Computer or User Administrative Template settings within Group Policy. They also link to a Windows Mobile application for searching Group Policy; it's nice to see them putting out apps like this: http://www.windowsphone.com/en-gb/store/app/group-policy-search/d1615909-62e2-df11-a844-00237de2db9e.

2. Search with the Group Policy Management Console

You can search from within the GPMC console itself by right-clicking Administrative Templates under the Computer or User section and selecting Filter Options. The initial criterion is "Any", so you can simply type a keyword and filter the results on it; make sure you then right-click Administrative Templates and set Filter On. The Configured and Commented options are quite interesting: I rarely see people commenting Group Policy objects or settings, but this would allow you to return only commented or configured settings within a GPO.

3. Search with the Group Policy Settings Reference XLS(x)

I really like the spreadsheets Microsoft have provided for searching Group Policy: http://www.microsoft.com/en-au/download/details.aspx?id=25250; the filters in place make it very simple to narrow down what you're looking for. I particularly like the "Reboot required" and "Logoff required" columns, very helpful. These spreadsheets are well worth a look, as they tend to give you a little more information than the methods above.
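All three methods above search the same underlying data: the ADMX/ADML templates and, for the "configured" filter, the GPOs themselves. As an added example that goes a step beyond the post (it is not the post's own code), the block below does both from PowerShell: part 1 greps the local ADML display strings for a keyword, which is what GPSearch and the GPMC filter are searching under the hood, and part 2 reports which GPOs in the domain actually have a setting mentioning that keyword configured. The keyword and the default %windir%\PolicyDefinitions path are assumptions; point $AdmlPath at your central store if you have one, and part 2 needs the GroupPolicy module (RSAT or a DC).

```powershell
# Added example (not from the original post): search Administrative Template
# text and configured GPO settings for a keyword from PowerShell.
# Keyword and ADML path are assumptions; change them as needed.
param(
    [string]$Keyword  = 'screen saver',
    [string]$AdmlPath = "$env:windir\PolicyDefinitions\en-US"
)

# Part 1: which ADMX files define a setting whose display text mentions the keyword?
Get-ChildItem -Path $AdmlPath -Filter *.adml |
    Select-String -Pattern ([regex]::Escape($Keyword)) |
    ForEach-Object {
        # Pull the id and human-readable text out of <string id="...">text</string>
        if ($_.Line -match '<string id="([^"]+)">(.*?)</string>') {
            [pscustomobject]@{
                AdmxFile = $_.Filename -replace '\.adml$', '.admx'
                StringId = $Matches[1]
                Text     = $Matches[2]
            }
        }
    } | Format-Table -AutoSize

# Part 2: which GPOs have a configured setting mentioning the keyword?
# Get-GPOReport returns the GPO's settings as XML, so a text match is enough
# to find candidates; open the hit in GPMC for the detail.
Import-Module GroupPolicy
Get-GPO -All | ForEach-Object {
    $xml = Get-GPOReport -Guid $_.Id -ReportType Xml
    if ($xml -match [regex]::Escape($Keyword)) {
        [pscustomobject]@{ GPO = $_.DisplayName; Id = $_.Id; Modified = $_.ModificationTime }
    }
} | Format-Table -AutoSize
```

Part 1 runs offline on any box with the templates installed; part 2 is the PowerShell equivalent of the "configured" filter in the GPMC, but across every GPO at once.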


Dameware – Remote Support & Mini Remote Control [Sponsored Review]

Chances are you've heard of DameWare. Two of their main products, DameWare Remote Support (DRS) and DameWare Mini Remote Control (MRC), are popular tools that have been around for a long time. For those who haven't heard of DameWare before, or who just want a refresher, I'll be looking at both products below.

DameWare Remote Support

DameWare Remote Support (DRS) provides a simple, efficient console that integrates various tools and features into a single point. To give you an idea, you can do all of the following (and more) from the console:

  • Remotely reboot servers and notebooks
  • Start and stop Windows Services
  • Clear and view Windows Event Logs
  • Copy and delete files on remote computers
  • Manage Windows® Active Directory
  • Quickly take full control of the end-user’s desktop
  • Take screenshots of remote desktops
  • Automatically install agents as you need them

As soon as I opened the interface it felt familiar. The console is well laid out and intuitive to use; I was using the software within a matter of minutes without having to refer to a manual. As you can see from the screenshot above, you can view and expand Active Directory, Workgroups and favourite machines. Favourite machines allow you to add a single machine via FQDN, or a range of machines via IP. If you cast your eye over the components above, you'll begin to see what's available to you.

Managing services from DRS is as simple as clicking on the Services view.

Want a remote console? That's as simple as double-clicking RCmd View or RCmd Console, or, if you prefer PsExec, you can add system tools to the menu.

DRS also enables you to administer Active Directory in pretty much the same way as you would with Active Directory Users and Computers. You can even control Group Policy, although it's not quite the full GPMC experience; it's essentially what you'd get in ADUC (think Server 2003 Group Policy editing, without GPMC).

One thing I haven't mentioned is remote control from within DRS; this is because it essentially spawns a copy of Mini Remote Control, which I'll cover in a little more detail below.

To get some of the additional features you will need to install the DameWare Service (especially for Mini Remote Control). You'll be pleased to know that you can install the Service from within DRS or via an MSI. DameWare provide an MSI builder with various options for this purpose; if only every software company provided a nice way to build MSIs... I've had no issues with the Service(s): after leaving them running for a few days, memory usage is low, which is good to see.

I could go on and provide more examples, but, well... it all just works. Remotely viewing processes, disk drives or the event logs is just as you'd expect; there are no surprises.

DameWare Mini Remote Control

DameWare Mini Remote Control is part of DRS, or can be purchased by itself. It provides a quick and easy way to remote control Windows, OS X and Linux machines. Here are some of the main features.

  • Quickly and easily connect to and control remote desktops, laptops and servers
  • Provides remote control for Mac OS X, Windows and Linux
  • Deploy agents “on the fly” and start remote control sessions without rebooting
  • Connect to unattended computers without the need for remote user interaction
  • Easily configure and install agents in bulk with the included MSI package builder
  • Complete security, including smart card authentication
  • Chat with the end-user and exchange files as you troubleshoot problems

If you want to connect using the MRC viewer you will need to install the service on the remote machine. Failing that, you can fall back to plain RDP, VNC or Intel's AMT KVM. The MRC viewer gives you the most functionality, adding things like chat, file transfer, requiring permission from the end user, taking a screenshot, printing the current screen and the ability to lock the remote keyboard and mouse, which anyone who has done remote support will appreciate. You can limit access on the client side to particular security groups or IPs.

Pricing and Finishing Up

DameWare Remote Support (DRS) is currently priced at £230 per administrator, and Mini Remote Control alone comes in at £65; the time saved by having all of these tools and functions in one console makes these prices attractive. DameWare software is licensed per administrator, and each license allows you to install on 3 computers. The DRS Client Agent Service is not licensed and there are no additional fees for installing the service on remote systems. For example, if you have 10 computers running DRS and you use DRS to manage 10,000 remote systems, you only need to license the 10 DRS computers to maintain compliance. I really like this licensing model.

DameWare provide fully functional 14-day trials for both of these products, so if this review inspires you to have a play, please head over to:

DRS Trial Download
MRC Trial Download


How Administering SCCM Feels…

SCCM 2012 – Allow End User to Run Application As Administrator

I've been spending a bit of time recently working around the constraints of an environment where UAC is enabled and end users have no local administrative rights over their machines. This becomes a particular problem when applications are badly written, provide no means to be packaged, or simply touch the system in a way that needs administrative rights. Essentially, what I wanted was the ability for an end user to run a given app as an administrator, be that a particular software update or simply a program that wants to set itself as the default PDF reader.

Scenario 1

We run Sage Accounts, and fairly often they'll release a small update. The update is provided as an .exe, has no silent switches, requires administrative rights and prompts the user to confirm the path to update. I've spent a fair amount of time trying to dissect this installation, capturing the process with an MSI packager (two, actually) with no luck. I even brought out the big guns and watched the installation with Sysinternals Process Monitor. It gets to the point where you're essentially re-writing the entire update, and quite frankly it's just a massive time drain; not only that, it becomes a much riskier process and requires more testing ("Did I get everything?").

Scenario 2

PDF readers. We run two flavours, and users are generally given the choice of which one they use. Of course, changing the default program associated with PDFs requires administrative access. So we may get a support call that requires us to remote in, fire up the "other" application with admin credentials and set it as the default reader. This is an unnecessary interruption for both the end user and the admin. You could create a GPO that writes the required registry keys, but it's a bit messy and again requires a fair bit of initial effort to configure.

Allowing users to launch applications with administrative rights

To make this possible, we'll be using the Software Catalog provided with SCCM 2012. This application is automatically deployed as part of the agent, so it shouldn't require any additional work client side.

I'll give you two examples: one running a local executable on a system and a second running an executable from a file share. When using this method, the executable is launched under the "system" account.

Local Executable

Browse to Software Library -> Packages, right-click and select Create Package.

Give the package a name; this is the title displayed in the Software Catalog, so you'll want to make it user friendly!

This is a standard program.

The name field is appended to the package name, so use run/setup/launch, whatever best describes the action. I've given the path and executable, and changed the run mode to Run with administrative rights. You must tick "Allow users to view and interact with the program installation", otherwise the application will be hidden.

Here you can specify some additional options. It's worth changing the estimated disk space, as this is displayed in Software Center, and I normally bring the run time down from 120 minutes to 15.

After this, Next, Next yourself through to the end of the wizard. As this runs a local application there is nothing to distribute; you simply need to deploy the package to a device collection. That is a bit beyond the scope of this article, but I'll look to write a post in the near future covering it.

Fire up the Software Catalog from the start menu and the package should be available for install.

"Installing" this package will launch the application under the system account and allow the user to set it as default (it prompts on launch). Obviously the user's mapped drives will not be present in this session, but when was the last time you opened a PDF viewer and then opened the file from within it?

Executable on UNC Path

The process is essentially the same, except you provide the UNC path for the startup folder. If this is going to be launched on multiple sites, I'd recommend you use something like DFS to replicate the installation files around your particular locations.

When this package is installed, it launches accounts2013update2.exe under the system context and allows the user to confirm the update path and update the application.

How do you deal with these kinds of issues in your environment? Comments below.
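The same package and program the wizard builds can be created with the ConfigMgr 2012 cmdlets, which makes the settings that matter explicit: the run mode that grants the SYSTEM account and the user-interaction flag that keeps the window visible. The block below is an added example, not the post's own code. The site code, package name, share path and executable name are assumptions (the executable is the post's accounts2013update2.exe); because whatever sits in that folder will run as SYSTEM on every targeted client, it finishes with an ACL check that warns if ordinary users can write to the source location.

```powershell
# Added example (not from the original post): build the Software Catalog
# package/program from PowerShell and sanity-check the source location.
# Site code, package name and share path are assumptions.
$siteCode = 'ABC'
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$siteCode`:"

$pkgName = 'Sage Accounts 2013 Update 2'
$source  = '\\fileserver\software\Sage\Update2'   # assumed path; DFS-replicated per site
$exe     = 'accounts2013update2.exe'

# Package = what is listed in the Software Catalog.
$pkg = New-CMPackage -Name $pkgName -Path $source

# Program = how it runs. RunWithAdministrativeRights launches the process as
# SYSTEM; UserInteraction $true is the wizard's "allow users to view and
# interact" box, without which the update prompts would be invisible.
New-CMProgram -PackageName $pkgName -StandardProgramName 'Run update' `
    -CommandLine $exe -RunMode RunWithAdministrativeRights -UserInteraction $true `
    -Duration 15 -DiskSpaceRequirement 50 -DiskSpaceUnit MB

# Whatever is in $source runs as SYSTEM on every client that installs this, so
# only administrators should be able to change it. Warn on any ACE that grants
# write-type rights to broad groups.
$acl = Get-Acl -Path "FileSystem::$source"
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl' -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users'
} | ForEach-Object {
    Write-Warning "$source is writable by $($_.IdentityReference) ($($_.FileSystemRights))"
}
```

Deploying the package to a device collection is the step the post leaves for a later article; the ACL check is worth repeating whenever the source folder is moved or re-permissioned.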


Tom’s Weekly Catch-up #1

Tom's weekly catch-up will cover things of interest in the last week, recommended reading or simply interesting bits I'd like to share that don't require a full post.

MCSA: Windows Server 2012 Training

Looking to obtain your MCSA in Windows Server 2012? You're in luck! There are two great resources to study for the 70-410, 411 and 412 exams: one from Born to Learn, which has put together great resource wikis for each of the exams, and Trainsignal, who are providing free access to various courses. When studying for exams, people often neglect to read the "skills measured" section on the Microsoft Learning site. This should be your first stop when preparing your study plan, to make sure you're covering all of the required material. The Born to Learn resource wikis mirror the skills measured section and link you to the relevant TechNet/blog articles. A great time saver. The Train Signal video courses are generally very good; I've used them in the past when studying for my MCSE and MCITP:EA. I would recommend you make the most of the free training and get stuck in! Enjoy.

Born To Learn - 90 days to MCSA
Train Signal - 90 days to MCSA

Best Practices for Securing Active Directory

Responsible for Active Directory? You'll want to grab the recently published (April 2013) version of Microsoft's best practices for securing Active Directory. It's pretty thorough at 314 pages, but worth at least a scan if this is something you're responsible for, or simply as a reference. Microsoft provide the document as a .docx; if you would prefer a PDF, I've got that covered here: PDF Version

Best Practices for Securing Active Directory

Synergy

Synergy has been around for a while; I remember hearing about it some time ago but only recently had a reason to use it. It can be used to share a single keyboard and mouse across multiple computers, supporting Windows, OS X and Linux. I have two machines I use fairly frequently at work, my main machine and a test machine running Hyper-V with various guests for testing. Recently my desk seems to be getting smaller (I'm sure someone is chopping bits off it every night), and having two full-sized keyboards is just a bit tight. Synergy allows me to free up this space!

Synergy

My Home Test-bed

Over the years I've dabbled with various setups at home, be that fully fledged servers, micro-servers, hosted solutions or similar to provide the ability to quickly provision servers for me to learn, test or troubleshoot a scenario. Let me outline some of the concerns and considerations.

  • Power consumption - Often overlooked, but at one time I was sitting at around 550-600w idle running my main machine, server and other networking bits. Roughly calculated, that used to cost me £50 a month to run!
  • Heat - A while ago I decided it'd be a good idea to borrow a couple of decommissioned servers for something I wanted to try out. I got them both up and running and popped out for the evening, when I returned my apartment's temperature had risen by around 3 degrees and my office in which they were hosted was fairly unbearable.
  • Noise - Any normal server is going to be very loud in a home environment, so if you do decide to go that way keep that in mind and make sure you have somewhere far away from your bedroom or living room to host the server. Remember it's not only pure noise, but vibrations which can drive you crazy when you're trying to sleep or relax.
  • Performance - I see a surprising amount of older servers being snapped up on eBay, or mentioned on forums that are going to be used for test beds. Simply put, a lot of the older generations servers perform badly. They're loud, hot and slow.

Now, before I get into what I've settled on, I'd like to clarify that a test-bed for me means being able to quickly bring up servers for a few months at a time. I'm not looking to leave these servers in the environment for years, nor am I (normally) particularly bothered about the data on them. So here it is. A single box consisting of:

  • Intel Core i7-2600k
  • 32GB of Memory (£120!)
  • 256GB Samsung 830 SSD
  • 2 Nics
  • ATI 5870 (Hey, I still game a bit).

That's it. I use this machine as my main day-to-day at home, it's running Windows 8 with the Hyper-V role enabled. I keep the vhdx files on the SSD which means that performance on the VMs is great, for example I'm able to install Server 2012 and be sat on the desktop in around 5 minutes. The machine idles at around 90w, which would be even lower if I didn't have the ATI 5870 installed (probably 75-80w). I'm able to use the host as a day-to-day desktop without the guests affecting the performance, I simply don't notice they're running yet their performance is great. For the majority of my needs this setup is great, and it's by far my favorite solution so far. I think it's easy to get caught up in thinking you need a fully fledged "server" or enterprise equipment for your test-bed, more often than not, this is not the case.



Exchange 2013 – Send As, Send on Behalf and Full Access

Configuring Send As, Send on Behalf and Full Access to a mailbox are fairly common requests. In Exchange 2010 you could set the Send As and Full Access permissions by right-clicking the user in the Exchange Management Console under Recipient Configuration -> Mailbox. Send on Behalf required you to dig a little deeper, into the user's properties, the Mail Flow Settings tab and Delivery Options. In Exchange 2013 these options have moved into a single location, which seems sensible. We'll look at how to achieve the above with the GUI and PowerShell in Exchange 2013.

With the GUI

Open the EAC (Exchange Admin Center), browse to Recipients, select the user you would like to grant the permission on and click the pencil to edit. In this example I would like to grant Branch Warren the right to send as Ronnie Coleman, so we select Ronnie and choose edit.

Choose Mailbox Delegation at the bottom and add the user you wish to grant the permission to. In this example we want to grant Branch Warren the right to send as Ronnie Coleman.

PowerShell

Send on Behalf - This will grant Branch send on behalf permissions for Ronnie

Set-Mailbox ronnie.coleman -GrantSendOnBehalfTo branch.warren

Send As - This will grant Branch send as permissions for Ronnie

Add-ADPermission ronnie.coleman -ExtendedRights Send-As -user branch.warren

Full Mailbox Access - This will grant Branch, full access to Ronnie's Mailbox

Add-MailboxPermission -Identity ronnie.coleman -User branch.warren -AccessRights FullAccess -InheritanceType All
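Granting the rights is half the job; the other half is being able to see, before and after a change, who already holds them. The block below is an added example, not the post's own code: it applies the three grants above and then lists every non-default delegate on the mailbox. Two points it makes explicit: the `@{Add=...}` form of -GrantSendOnBehalfTo appends to the existing list (the plain form at the top of this post replaces it), and the audit skips SELF, inherited and Deny entries so that only real delegates show. Mailbox and delegate names are the post's own examples.

```powershell
# Added example (not from the original post): grant Send on Behalf, Send As and
# Full Access, then report every delegate on the mailbox. Names are the post's.
$mailbox  = 'ronnie.coleman'
$delegate = 'branch.warren'

# @{Add=} appends; "-GrantSendOnBehalfTo $delegate" alone would overwrite the list.
Set-Mailbox $mailbox -GrantSendOnBehalfTo @{Add = $delegate}
Add-ADPermission $mailbox -ExtendedRights Send-As -User $delegate
Add-MailboxPermission -Identity $mailbox -User $delegate -AccessRights FullAccess -InheritanceType All

function Get-MailboxDelegates {
    param([string]$Identity)
    $mb = Get-Mailbox $Identity

    # Send on Behalf lives on the mailbox object itself.
    foreach ($u in $mb.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $mb.Alias; Delegate = "$u"; Right = 'SendOnBehalf' }
    }
    # Send As is an AD extended right on the user object; drop SELF, inherited and Deny ACEs.
    Get-ADPermission $mb.Identity |
        Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $mb.Alias; Delegate = "$($_.User)"; Right = 'SendAs' } }
    # Full Access is a mailbox permission; same filtering.
    Get-MailboxPermission $mb.Identity |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $mb.Alias; Delegate = "$($_.User)"; Right = 'FullAccess' } }
}

Get-MailboxDelegates -Identity $mailbox | Format-Table -AutoSize
```

Run `Get-MailboxDelegates` on its own against any mailbox to review delegation; piping `Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-MailboxDelegates $_.Alias }` gives the same report for the whole organisation.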


Exchange – Mailbox size and Item Count HTML Report

A nice and quick way to get a list of users in a particular database, ordered by mailbox size and including item count, displayed like so:

Get-Mailbox -database "Databaseabc" | Get-MailboxStatistics | Sort-Object TotalItemSize -descending |Select-Object DisplayName,ItemCount,@{name="MailboxSize";exp={$_.totalitemsize}} | Convertto-Html | out-File Databaseabcreport.htm
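One thing to watch with the one-liner: when the statistics objects come back deserialized, TotalItemSize is sorted as text, so a 900 MB mailbox can sort after a 1.2 GB one. The block below is an added example, not the post's own code, that converts the size to megabytes before sorting and adds a title, timestamp and minimal styling to the HTML. The database and output file names are the post's placeholders.

```powershell
# Added example (not from the original post): the same mailbox size report with a
# numeric size column so the sort is correct, plus a heading and basic styling.
# Database and report names are the post's placeholders.
$database = 'Databaseabc'
$report   = "$($database)report.htm"

$rows = Get-Mailbox -Database $database -ResultSize Unlimited |
    Get-MailboxStatistics |
    Select-Object DisplayName, ItemCount,
        # ToMB() turns the ByteQuantifiedSize into an integer that sorts numerically.
        @{ Name = 'MailboxSizeMB'; Expression = { $_.TotalItemSize.Value.ToMB() } },
        @{ Name = 'LastLogon';     Expression = { $_.LastLogonTime } } |
    Sort-Object MailboxSizeMB -Descending

$style = '<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:2px 6px}</style>'
$rows | ConvertTo-Html -Title "Mailbox sizes: $database" -Head $style `
        -PreContent "<h2>$database - $($rows.Count) mailboxes, generated $(Get-Date -Format u)</h2>" |
    Out-File $report
```

Drop `-Database $database` to report on every mailbox, or add `Where-Object { $_.MailboxSizeMB -gt 2048 }` before the sort to list only the mailboxes above a quota line.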


Exchange 2013 – Accessing the Exchange Admin Center

When you install Exchange 2013, you'll notice that the console you'd expect to see has been dropped in favour of a web-based management console, which can be found here:

https://yourexchange2013server/ecp

This URL isn't presented in the Start menu/modern UI, nor is it particularly obvious after the installation. If you're setting up a greenfield environment, the URL above should take you straight to the new Exchange 2013 Admin Center.

I don't see the Exchange 2013 Admin Center when I browse to ECP; I get redirected to the old Exchange 2010 ECP page

Exchange 2010 ECP

There is a caveat if you are coexisting with Exchange 2010: in that case you will have to specify the Exchange version in the URL to get to the Exchange 2013 Admin Center:

https://yourexchange2013server/ecp/?ExchClientVer=15

Exchange 2013 Admin Center

Licensing – Upgrade 2008 R2 KMS Host to Support Server 2012 and Windows 8

This post will cover updating an existing Server 2008 R2 KMS host to allow the activation of Server 2012 and Windows 8 clients. The update will carry across your existing activation count and if you currently use your KMS host for Microsoft Office activations, this will go untouched.

Once this update has been applied the KMS host will be able to service the following KMS clients:

  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows 8
  • Windows 7
  • Windows Vista

Before running the update, I'd recommend you record your existing configuration by running:

cscript %windir%\system32\slmgr.vbs /dli all > before.txt

Download the required KB2757817 update package from here: http://support.microsoft.com/kb/2757817

Run the installer and select Yes.

Once the installation is complete you must restart the server.

To install and activate your new KMS host key, use the following command to add the key (replace the placeholder with your key):

cscript %windir%\system32\slmgr.vbs /ipk <your-KMS-host-key>

Then to activate:

cscript %windir%\system32\slmgr.vbs /ato

Now would be a good time to run cscript %windir%\system32\slmgr.vbs /dli all > after.txt and compare with your results from earlier. The text file should state:

Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System - Windows Server(R), VOLUME_KMS_2012_C channel
Partial Product Key: partialkeyhere
License Status: Licensed

If you want some additional confirmation, dig into the Key Management Service event log and look for events with ID 12290. You're mainly looking for the license state near the far right; you want to see "1", meaning the client is activated. Here are the various licensing states:

  • 0 - Unlicensed
  • 1 - Licensed (Activated)
  • 2 - OOB grace
  • 3 - OOT grace
  • 4 – NonGenuineGrace
  • 5 – Notifications
  • 6 – Extended Grace
Troubleshooting KMS Event Log

Troubleshooting KMS Event Log

More information about troubleshooting KMS can be found here: http://technet.microsoft.com/en-us/library/ee939272.aspx
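The event log check above is easier to do at scale than by eyeballing each 12290 entry. The following PowerShell is an added example, not code from the original post: it pulls 12290 events from the KMS host's Key Management Service log, splits the comma-separated event data, translates the license state code using the table above, and groups clients by state. The field positions (client name in the third field, license state in the seventh) are an assumption about the 12290 record layout and are exercised against two constructed sample records; the host names in those samples are made up.

```powershell
# Added example (not from the original post): summarise KMS activation requests
# recorded on the KMS host. Field positions in the 12290 record are assumed:
# [0] HRESULT, [1] minimum count, [2] client FQDN, [3] client ID,
# [4] timestamp, [5] is-VM flag, [6] license state, [7] minutes to next check.

$LicenseStates = @{
    0 = 'Unlicensed'
    1 = 'Licensed (Activated)'
    2 = 'OOB grace'
    3 = 'OOT grace'
    4 = 'NonGenuineGrace'
    5 = 'Notifications'
    6 = 'Extended Grace'
}

function ConvertFrom-KmsEvent {
    # Parses the message text of one event 12290 into an object.
    param([Parameter(Mandatory)][string]$Message)

    # The CSV record may be preceded by descriptive text in some builds;
    # take the last line that starts with an HRESULT such as 0x0.
    $line = $Message -split "`r?`n" | Where-Object { $_.Trim() -match '^0x' } | Select-Object -Last 1
    if (-not $line) { $line = $Message }
    $f = $line.Trim().Split(',')
    $code = [int]$f[6]

    [pscustomobject]@{
        Client    = $f[2]
        ClientId  = $f[3]
        TimeStamp = $f[4]
        StateCode = $code
        State     = if ($LicenseStates.ContainsKey($code)) { $LicenseStates[$code] } else { "Unknown ($code)" }
    }
}

function Get-KmsActivationSummary {
    # Reads the most recent 12290 events from a KMS host and counts clients per state.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 500
    )
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'Key Management Service'; Id = 12290
    } | ForEach-Object { ConvertFrom-KmsEvent -Message $_.Message } |
        Sort-Object Client -Unique |          # latest state per client only
        Group-Object State | Select-Object Name, Count
}

# Constructed sample records (not real hosts) so the parser can be tried offline.
$sample = @(
    '0x0,5,WS01.thesysadmins.local,11111111-1111-1111-1111-111111111111,2013/09/01 10:15,0,1,43200,00000000-0000-0000-0000-000000000000',
    '0x0,5,WS02.thesysadmins.local,22222222-2222-2222-2222-222222222222,2013/09/01 10:16,0,2,43200,00000000-0000-0000-0000-000000000000'
)
$sample | ForEach-Object { ConvertFrom-KmsEvent -Message $_ } | Format-Table Client, StateCode, State -AutoSize

# On the KMS host itself, after the KB2757817 upgrade:
# Get-KmsActivationSummary
```

Run Get-KmsActivationSummary before and after applying the update; a sudden rise in "OOB grace" or "Unlicensed" clients after the change points at the host no longer being able to service those editions.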

The post Licensing – Upgrade 2008 R2 KMS Host to Support Server 2012 and Windows 8 appeared first on The Sysadmins.

SolarWinds – Patch Manager [Sponsored Review]


Patch management is a vital part of an organization's upkeep: not only does it help you stay abreast of bug fixes and features, it also decreases security risk by patching vulnerabilities as soon as fixes are released. If you've ever been tasked with taking charge of patch management, especially for 3rd-party products, you'll understand the potential difficulty and complexity of getting the updates out in a timely manner. This is where SolarWinds Patch Manager comes in. SolarWinds Patch Manager extends your existing WSUS or SCCM environment to help you efficiently deploy and automate 3rd-party patches.

Here are the ready to deploy 3rd-party patches available to you with the product, as you can see these cover a lot of the commonly deployed baseline applications.

  • Adobe Acrobat Professional, Acrobat Standard, Air, Reader, Shockwave and Flash
  • Apple iTunes
  • Google Chrome
  • Mozilla Firefox
  • Mozilla Thunderbird
  • Opera
  • Oracle/Sun Java Runtime Environment
  • QuickTime Player for Windows
  • Skype
  • WinZip
  • RealPlayer

You can also create your own package to deploy via SCCM or WSUS with the Patch Manager package wizard.

I'm not going to cover the installation or initial configuration, as it was pretty straightforward. Let's get straight into a real-world scenario.

Using Patch Manager to Deploy Java 7 Update 25

If you've been keeping your eye on Oracle Java, you'll know it's been getting a lot of attention lately and Oracle are releasing some pretty hefty updates. The latest update, Update 25, released on the 18th of June, contains 40 (yes, 40) new security fixes, 37 of which are remotely exploitable without authentication (Oracle Java SE Critical Patch Update Advisory - June 2013). It's obvious that this update is of high importance and must be dealt with as soon as possible. So, let's run through how this would look using Patch Manager. I'm going to show the majority of the steps, to give you a good feel for how it all ties together and the time required to get this update out the door.

For this demo I'm going to be leveraging my existing WSUS environment.

After a quick synchronization I see Java 7 Update 25 appear in the Sun Packages group (not long after the update was released by Java itself).


Right click the update you would like to deploy and choose download, this gives you a link to download the executable from Oracle.


Download the executable from the link provided and import the source.


Patch Manager doesn't simply import the executable, beneath the update you'll see several tabs outlining details of the package, prerequisite rules and the like. These are all part of the ready-to-deploy feature of the product and ensure a reliable deployment.


Now right click on the update and select publish package, this publishes the update into WSUS (my DC1) for you to deploy.


The Patch Manager console essentially has the WSUS MMC built into it, meaning you don't have to move far after running through the steps above. Next up is how you want to deploy the Java update we just published to WSUS. There are two main methods. The first is approving the update, just as you normally would with Windows Updates. The Java update would then get deployed to the machine following the schedule you currently have in place for your Windows Updates.


The second option is using the update management feature, which removes the need to wait for the Windows Update Agent to pick the update up and (in most setups) for the user to shut down their machine. This will deploy the update almost instantly to the selected clients.

As you can see, deploying the Java update using the Patch Manager console is very straightforward. The steps above took me around 5 minutes, from start to the update showing on the client(s). The ability to leverage WSUS for this also adds the ability to stage the updates for further testing in your own environment. I was very impressed at how quick and reliable the process was. This is partly due to what SolarWinds call the Package Boot Helper. This ensures that the pre-install environment is in the right state before applying the update. If you've ever tried to install Java without terminating the iexplore.exe or Java processes you'll know how important this is...


General Use

I've found the general use of the product fairly straightforward; if you're used to using WSUS and other Microsoft consoles you'll feel fairly at home here. If you do get a little lost the administrator's guide will set you in the right direction. Reporting, again, is very WSUS-esque, providing a nice graphical display and plenty of information and reports to dig into the required data.


There is some additional functionality to be had from the console, allowing you to remotely manage clients within your network. A nice add-on. If you're using the traditional WSUS deployment method with your 3rd-party updates, this will allow you to force a "detect now" on a group of computers to speed up the detection.


Finishing Up

Coming from running SCCM 2012 in my day-to-day environment to trialing SolarWinds Patch Manager, I have been very impressed. Once the software was set up and I had worked my way around the console I could see how this would decrease complexity and time spent testing and deploying updates in the future. I especially like the way you can tag the 3rd-party updates onto Windows Update if you're leveraging WSUS. There are plenty of other features and clever bits within the software, but instead of listing everything I really wanted to run you through a real example. To find out more, including the other features of this product, please use the links below.

30 day trial of SolarWinds Patch Manager

More information about SolarWinds Patch Manager

Thwack Patchzone - Community Dedicated to the Topic of Patching

The post SolarWinds – Patch Manager [Sponsored Review] appeared first on The Sysadmins.

Group Policy – GPUpdate an OU of Computers


There are times when you need to remotely refresh the group policy on a group of computers, bypassing the 90 minute (+30 minute offset) default interval. Let's look at 3 ways to achieve that, two of the methods require Server 2012 or Windows 8 with the remote administration tools to initiate the refresh, and the 3rd method can be initiated from Windows 7 or Server 2008 R2.

Method 1. Server 2012 introduced the functionality to remotely refresh Group Policy settings for all computers in an OU from the Group Policy Management Console (GPMC). When you use this method, there is a random delay of up to 10 minutes, with a view to spreading the network load; this random delay cannot be configured when using the GUI. This method supports a Group Policy refresh for Windows Server 2012 R2 Preview, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8.1 Preview, Windows 8, Windows 7 and Windows Vista clients.

Open the GPMC, right click the OU of Computers you'd like to refresh and select Group Policy Update.


This will return the number of computer objects in the OU, and ask if you're sure.


This will run a GPUpdate /force on all computer objects in the OU selected and any child OUs and will refresh both the computer and user policies.


Method 2. This method requires Server 2012, or Windows 8 with the Remote Server Administration Tools. The following command retrieves the computer objects from the Servers OU and runs Invoke-GPUpdate against each of them (the parameter is -RandomDelayInMinutes; setting it to 0 refreshes immediately rather than within the default 10 minute window).

get-adcomputer -SearchBase "OU=Servers,DC=thesysadmins,DC=local" -Filter * | %{invoke-gpupdate -Computer $_.Name -RandomDelayInMinutes 0; "Refreshing host $_."}

Be aware, this method will display the command prompt with "Updating Policy" on the computer objects you run it against. So bear this in mind if you're running this against your desktops or laptops with users logged in.


Method 3. Fear not! If you're not using Server 2012, you can still achieve the above with fairly little effort using Powershell to generate a list of computers and PSEXEC to run the GPUpdate command. The following Powershell will get you a list of computers from the Servers OU and export them to a text file on the C drive. You can replace this with a UNC path if desired. I've added a dummy first entry to the text file, for some reason PSExec fails the first entry so this gets around that.

Add-Content -path C:\Servers.txt -Value Dummy ; Get-ADComputer -LDAPFilter "(name=*)" -SearchBase "OU=Servers,DC=thesysadmins,DC=local" | Select -expand Name | Out-File -Encoding utf8 "C:\Servers.txt" -append

PSEXEC will connect to each of the machines listed in Servers.txt and run a gpupdate /force. This method isn't particularly quick, but it gets the job done.

psexec @"C:\Servers.txt" gpupdate /force

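The three methods above all boil down to the same loop: enumerate the computers under an OU, then trigger a refresh on each one and find out which hosts didn't get it. The following PowerShell is an added example, not code from the original post, that wraps that loop in a function with per-host reporting. It assumes the RSAT ActiveDirectory module is available; it uses Invoke-GPUpdate where the GroupPolicy module exists (Server 2012 / Windows 8 RSAT, as in Method 2) and otherwise runs gpupdate over WinRM with Invoke-Command, which is a swapped-in alternative to the PSEXEC approach of Method 3 and needs remoting enabled on the targets. The OU path in the usage line is the one used on the page.

```powershell
# Added example (not from the original post): refresh Group Policy on every
# enabled computer object beneath an OU and report the outcome per host.
Import-Module ActiveDirectory

function Invoke-OUGroupPolicyRefresh {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Servers,DC=thesysadmins,DC=local'
        [int]$RandomDelayInMinutes = 0               # 0 = refresh now (GUI uses up to 10)
    )

    # Invoke-GPUpdate only exists with the Server 2012 / Windows 8 RSAT GroupPolicy module.
    $useCmdlet = [bool](Get-Command Invoke-GPUpdate -ErrorAction SilentlyContinue)

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree |
        ForEach-Object {
            $name = if ($_.DNSHostName) { $_.DNSHostName } else { $_.Name }
            $result = [pscustomobject]@{ Computer = $name; Status = ''; Detail = '' }

            # Skip hosts that are off or unreachable instead of waiting on a timeout.
            if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
                $result.Status = 'Unreachable'
                return $result
            }

            try {
                if ($useCmdlet) {
                    Invoke-GPUpdate -Computer $name -RandomDelayInMinutes $RandomDelayInMinutes -Force -ErrorAction Stop
                    $result.Detail = 'Invoke-GPUpdate scheduled the refresh on the client'
                } else {
                    # Fallback: run gpupdate remotely over WinRM (requires PowerShell remoting).
                    $out = Invoke-Command -ComputerName $name -ScriptBlock { gpupdate /force 2>&1 } -ErrorAction Stop
                    $result.Detail = ($out | Out-String).Trim()
                }
                $result.Status = 'Refreshed'
            } catch {
                $result.Status = 'Failed'
                $result.Detail = $_.Exception.Message
            }
            $result
        }
}

# Usage: refresh the Servers OU and keep the per-host outcome for the change record.
Invoke-OUGroupPolicyRefresh -SearchBase 'OU=Servers,DC=thesysadmins,DC=local' |
    Tee-Object -Variable refreshResults | Format-Table -AutoSize
$refreshResults | Where-Object Status -ne 'Refreshed' | Export-Csv C:\gpupdate-failures.csv -NoTypeInformation
```

Filtering on Enabled -eq $true avoids hammering stale computer accounts, and the failures CSV is the list you follow up on by hand, which is the part none of the three GUI or one-liner methods gives you.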

The post Group Policy – GPUpdate an OU of Computers appeared first on The Sysadmins.

Group Policy Preferences – 1. Deploying Registry Settings


Group Policy Preferences allow you to deploy and modify registry settings quickly and easily. This post will run through a couple of examples to give you a starting point and some guidance for using this in your own environment. As with any Group Policy based changes, use a test Organizational Unit to confirm and test changes before making them live.

Example 1

You have made some changes to HKEY_LOCAL_MACHINE on a reference machine, and would like to deploy the same registry settings to an OU of computers.

1. Open the Group Policy Management Console

2. Right click Group Policy Objects and select New, give the GPO a meaningful name, this does not link it to an OU so will not affect any computers or users. This is a good practice to get into. If you create at a live OU level, any changes (and mistakes) will be deployed if you're unlucky enough for the computers or users to perform a Group Policy refresh as you're creating the GPO. Always link the GPO later, when you have tested it.

3. Right click the New GPO, and select edit

4. Expand Computer Configuration, Preferences, Windows Settings and head down to Registry. Right click and select New; you will be presented with 3 options.

  • Registry Item allows you to manually change single entries of the registry
  • A Collection simply allows you to organize registry preference items into a folder; this can be useful if you need to set item level targeting over a bunch of registry changes
  • Registry Wizard allows you to use the local machine as a reference, or connect to a remote machine, to add multiple entries; this is the method we will use in this example

Group Policy Preferences Registry

When using the Registry wizard, the remote computer must have the Remote Registry service enabled, otherwise you will be greeted with the error message "The network path was not found".

Group Policy Preferences Registry

Group Policy Preferences Registry

To resolve this, enable the service on the remote machine with the following commands (run from a command prompt; note the space after the equals sign, which sc.exe requires)

sc config remoteregistry start= demand

(this sets the service to manual, it's disabled by default)

net start remoteregistry

Group Policy Preferences Registry

It will then allow you to select items from the HKEY_LOCAL_MACHINE and HKEY_USERS on the remote machine, if you need other areas of the registry you will need to install the Remote Server Administration Tools onto the reference computer and add the Group Policy Preferences Console via Programs and Turn Windows Features on or off. Run through the same process on the remote machine's console to import the relevant registry items.

RSAT for Windows 7
RSAT for Windows 8

In this example we're okay, as we want to pull settings from the HKEY_LOCAL_MACHINE.

5. Browse to the required location and tick the required keys and values to import into the GPP. Click Finish.

Group Policy Preferences Registry

6. Now you can expand the entries we imported with the wizard to review them. Common tasks are available, as usual with Group Policy Preferences, if you right click an entry, select Properties and then choose the Common tab. By default the entries are set to Update.


If you ever notice that the hive column isn't populated after the import, double click on the entry or right click and select properties. Without changing anything click OK, this will then populate the hive entry. I've only seen this a couple of times... but if it isn't populated the settings won't get deployed, so it's worth mentioning!

Example 2

If you want to manually add, remove or change a registry key you can do so using the registry item. You can only add one entry at a time with this method.

Group Policy Preferences Registry

In the example below, it will create new keys if needed, so if you enter HKEY_LOCAL_MACHINE\Software\1\2\3\4\5 it'll create the 1, 2, 3, 4 and 5 keys if they are not already present.


The default behavior when using Group Policy Preferences to modify the registry is "update". Let's look at the 4 options and what they mean.

Create

  • Creates the item
  • Does nothing if the item already exists

Let me expand on the 2nd point. If there is already a DWORD with the value of 1, and you create a Group Policy Preference with the same DWORD set to 2 with the option of Create- nothing would happen to the DWORD. It would remain at 1.

Update (Default)

  • If the item already exists, it will be updated with the configuration specified in the Group Policy Preference
  • If the item does not exist, it will be created

It is important to understand that Group Policy Preferences doesn't lock the registry item; it merely (as its name suggests) uses it as a preference. So if you set a DWORD to 1, depending on the area of the registry a user could go and set that to 0, which would stick until a Group Policy update occurred and the item was re-evaluated.

Replace

  • Delete existing item if it already exists and create a new object

There aren't many situations where you would need to delete an item before populating it again, I can't say I've used this to modify registry items before. But there may be a case for you to use it.

Delete

  • Deletes the item
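Everything configured through the Registry item and wizard ends up in a Registry.xml under the GPO's folder in SYSVOL, and that file is where both the action (Create/Update/Replace/Delete) and the hive problem mentioned in step 6 can be checked without clicking through every entry. The following PowerShell is an added example, not code from the original post: it parses a Registry.xml, spells out each item's action code, and flags items whose hive attribute is empty (which, as noted above, will not deploy) as well as Replace items, since those delete the existing value before recreating it. The XML is a constructed sample with placeholder clsid values; the SYSVOL path in the comment is an assumption about where the GPMC stores the file.

```powershell
# Added example (not from the original post): audit a Group Policy Preferences
# Registry.xml for action codes and empty hive attributes.

$ActionNames = @{ 'C' = 'Create'; 'U' = 'Update'; 'R' = 'Replace'; 'D' = 'Delete' }

function Get-GppRegistryItem {
    # Returns one object per registry item, including items nested in Collections.
    param(
        [Parameter(Mandatory, ParameterSetName = 'Xml')][xml]$Xml,
        [Parameter(Mandatory, ParameterSetName = 'Path')][string]$Path
    )
    if ($Path) { $Xml = [xml](Get-Content -Path $Path -Raw) }

    foreach ($p in $Xml.SelectNodes('//Registry/Properties')) {
        $action = $p.GetAttribute('action')
        $hive   = $p.GetAttribute('hive')
        $item = [pscustomobject]@{
            Action  = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] } else { "Unknown ($action)" }
            Hive    = $hive
            Key     = $p.GetAttribute('key')
            Name    = $p.GetAttribute('name')
            Type    = $p.GetAttribute('type')
            Value   = $p.GetAttribute('value')
            Problem = ''
        }
        if ([string]::IsNullOrEmpty($hive)) {
            $item.Problem = 'Hive not set: item will not deploy (open Properties and click OK to repopulate)'
        } elseif ($action -eq 'R') {
            $item.Problem = 'Replace deletes the existing item before recreating it'
        }
        $item
    }
}

# Constructed sample standing in for a real
# \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Preferences\Registry\Registry.xml
# (clsid values are placeholders, not the real GPP class IDs).
$sample = [xml]@'
<RegistrySettings clsid="{00000000-0000-0000-0000-000000000001}">
  <Registry clsid="{00000000-0000-0000-0000-000000000002}" name="Example" status="Example">
    <Properties action="U" displayDecimal="1" default="0" hive="HKEY_LOCAL_MACHINE"
                key="SOFTWARE\TheSysadmins\Example" name="Enabled" type="REG_DWORD" value="00000001"/>
  </Registry>
  <Collection clsid="{00000000-0000-0000-0000-000000000003}" name="Folder">
    <Registry clsid="{00000000-0000-0000-0000-000000000002}" name="Broken" status="Broken">
      <Properties action="U" displayDecimal="1" default="0" hive=""
                  key="SOFTWARE\TheSysadmins\Broken" name="Enabled" type="REG_DWORD" value="00000001"/>
    </Registry>
  </Collection>
</RegistrySettings>
'@

Get-GppRegistryItem -Xml $sample | Format-Table Action, Hive, Key, Name, Problem -AutoSize

# Against a real GPO:
# Get-GppRegistryItem -Path '\\thesysadmins.local\SYSVOL\thesysadmins.local\Policies\{<GPO GUID>}\Machine\Preferences\Registry\Registry.xml'
```

Running this over every GPO's Registry.xml before linking is a cheap way to catch the empty-hive case, which otherwise only shows up as a setting that quietly never arrives on the clients.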

I'd like to thank you for reading and I hope it's been informative for you!

The post Group Policy Preferences – 1. Deploying Registry Settings appeared first on The Sysadmins.


SCCM 2012 – Creating Device Collections


Device collections in System Center 2012 Configuration Manager represent a logical container for a grouping of devices. These collections can then be used to perform a number of tasks, such as deploying software, compliance settings or task sequences. I've outlined 4 of the most common collection types below.

Device Collection based on OU

1. Browse to Assets and Compliance, right click on Device Collections and select "Create Device Collection".

Create Device Collection

2. Give the collection a meaningful name, and set the limiting collection.

Give the collection a meaningful name

3. Add a Query Rule.

Select Query Rule

4. Edit Query Statement.

Edit Query Statement

5. Head to the criteria tab, and click on the new star item.

Select new query on the criteria tab

6. Click on Select, and set the attribute class to System Resource and attribute to System OU Name.

Enter the required criteria properties

7. Operator should be set to is equal to, click on values to choose the desired OU. It should read Domain/OU/ChildOU.

Attribute Class System Resources Attribute System OU Name

8. Next, Next through the rest of the wizard.

Rule is complete

9. The device collection has now been created.

Query Language

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "THESYSADMINS.LOCAL/LONDON/LAPTOPS"

Device Collection based on an Active Directory Security Group

1. Follow steps 1-5 from the first example.

2. Click on Select, and set the attribute class to System Resource and attribute to Security Group Name.

Attribute class System Resources Attribute Security Group Name

3. Click on value and choose from one of the populated entries, or manually enter the security group name.

Criteria properties

4. Next, Next through the rest of the wizard.

5. The device collection has now been created.

Query Language

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SecurityGroupName = "THESYSADMINS\\London Security Group"

Device Collection based on machines with x software installed

1. Follow steps 1-5 from the first example.

2. Click on Select, and set the attribute class to Installed Applications and attribute to Display Name.

Attribute class Install Applications Attribute Display Name

3. In this example, I've set the operator to "is like" and %java%. This will return any device with Java in the title of add/remove programs.

Value is like Java

4. Next, Next through the rest of the wizard.

5. The device collection has now been created.

Query language:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%Java%"

Device Collection with Manual Direct Rules

1. Follow steps 1-2 from the first example.

2. Add a Direct Rule.

3. Enter a value of the device you wish to add. The device must already be in SCCM, you can confirm this by searching for the device under "Devices".

Add the value of the device

4. If the device is found you will be able to select it on the next page.

If the device is found, tick and select next

5. Next, Next through the rest of the wizard.

6. The device collection has now been created.

You can also manually add devices by right clicking on the collection and selecting Add Resources.

Right click device collection and select add resources

Type in a device name at the top, click search, then select the device in the search results pane and click add and OK.
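The four collections above can be created from PowerShell using the same WQL the console generates, which is useful when you need them repeatably (a per-site set of OU collections, or a "has Java" collection to target a patch at) rather than built by hand. The following is an added example, not code from the original post: it uses the Configuration Manager console's PowerShell module, which is assumed to be installed alongside the console, and the WQL is taken from the three Query Language blocks above. The site code P01, the collection names and the device name LON-LT-001 are constructed values.

```powershell
# Added example (not from the original post): create the four collection types
# from this post with the Configuration Manager PowerShell module.
# The module ships with the console; SMS_ADMIN_UI_PATH points at its bin folder.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'   # constructed site code; the cmdlets only work from the site drive

# Common select list the console generates for every device query.
$wqlSelect = 'select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,' +
             'SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,' +
             'SMS_R_SYSTEM.Client from SMS_R_System'

function New-QueryCollection {
    # Creates a device collection under a limiting collection and attaches one query rule.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Query,
        [string]$LimitingCollection = 'All Systems'
    )
    $col = New-CMDeviceCollection -Name $Name -LimitingCollectionName $LimitingCollection
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName "$Name rule" -QueryExpression $Query
    $col
}

# 1. Collection based on OU (value is Domain/OU/ChildOU as shown in the wizard).
New-QueryCollection -Name 'London Laptops' -Query (
    "$wqlSelect where SMS_R_System.SystemOUName = `"THESYSADMINS.LOCAL/LONDON/LAPTOPS`"")

# 2. Collection based on an AD security group (note the doubled backslash in WQL).
New-QueryCollection -Name 'London Security Group' -Query (
    "$wqlSelect where SMS_R_System.SecurityGroupName = `"THESYSADMINS\\London Security Group`"")

# 3. Collection of machines with Java anywhere in the Add/Remove Programs display name.
New-QueryCollection -Name 'Java installed' -Query (
    "$wqlSelect inner join SMS_G_System_ADD_REMOVE_PROGRAMS on " +
    'SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId ' +
    'where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%Java%"')

# 4. Direct membership: the device must already exist in the site database.
New-CMDeviceCollection -Name 'Pilot devices' -LimitingCollectionName 'All Systems' | Out-Null
$device = Get-CMDevice -Name 'LON-LT-001'
if ($device) {
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName 'Pilot devices' -ResourceId $device.ResourceID
} else {
    Write-Warning 'LON-LT-001 is not in the site database yet; wait for discovery before adding it.'
}
```

Keep the limiting collection tighter than All Systems for collections that will receive deployments (a site-wide "Workstations" collection, for instance); the limiting collection is the only thing stopping an over-broad query such as the %Java% match from picking up servers you didn't intend to touch.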


The post SCCM 2012 – Creating Device Collections appeared first on The Sysadmins.

SolarWinds – SAM 6.0 New Features [Sponsored Review]


Around this time a year ago, I took a look at SolarWinds Server and Application Monitor version 5.2 and came away pretty impressed with the package. Version 6.0 has just been released and introduces some cool new features. Today I'll take a look at a couple of the new features, namely the Real-time event log viewer and AppInsight for SQL.

For those unfamiliar with the Server and Application Monitor product, please head over to the SolarWinds product page.

SolarWinds 6.0 New Features

  • AppInsight for SQL – AppInsight is a new feature, with SQL being the first domain released. AppInsight for SQL provides deep insights into SQL performance to include details on the most expensive queries, index fragmentation, database and transaction log size and much more.
  • Baseline threshold calculator – This feature allows admins to calculate thresholds from baseline data for both day and night system performance. Warning and critical thresholds are calculated at 2 and 3 standard deviations from normal performance.
  • IT Asset Inventory Dashboard – Administrators can now maintain a view of current hardware and software asset inventory to include server warranty status, driver software, hard drive inventory, and custom properties like PO number and purchase price.
  • Real-time Event Log Viewer – This feature allows administrators to view and filter Windows events logged by applications, security events, system failures and DNS events. Customers can filter logs by type, event source and severity.

Bringing up and trialing the 6.0 release candidate was as straightforward as you would hope for, and I was able to have a fully functioning installation within 15 minutes or so. The installation has retained its straightforward express or advanced installation methods, with the express method installing a local copy of SQL.

AppInsight for SQL

SAM 6.0 introduces a new concept to the product titled AppInsight, with the view of giving you a greater level of detail and monitoring ability for a given application. The first application to get the AppInsight treatment is Microsoft SQL Server, which is typically at the heart of most businesses and can be fairly complicated and time consuming to monitor correctly.

Discovering MSSQL servers as you'd expect with SAM is very straight forward by either adding an individual node, scanning a subnet, list of IP Addresses or adding directly to AppInsight for SQL:


Once setup, the initial polling takes a little while and the counters begin to populate for that particular server, which takes us nicely onto the default AppInsight dashboard... and boy, has this thing got everything covered! The depth of information on one page is fantastic, essentially putting any performance counter that matters for SQL at your fingertips.


The performance counters can be easily switched between 1 hour, 12 hour and the last 24 hours depending on your requirement. Other information such as SQL Error logs can be configured to show x events from the event log.

Basic information like SQL Server version and product level is available, leading you to the real-time process explorer, event log viewer and service control manager. The top 10 databases by active user connection breaks down the active users by database and displays this via a pie chart and expandable list. Beneath this we have the top 10 expensive queries by CPU time, allowing you to hone in on inefficient queries- enabling you to look at optimizing them or scheduling them for off-peak.

AppInsight doesn't just work at the MS SQL server level, you can also dig into individual databases and access a wealth of information including top 10 indexes by fragmentation, top 10 tables by size, database and transaction file size and white space per database.


Real-time Windows event log viewer

The real-time Windows event log viewer allows you to view, filter and set up monitors directly from the Node details summary within SAM. The interface itself is very similar to the standard Windows MMC, and allows you to choose between the various Windows log types (application, security, system and others depending on the services installed). You then have the ability to dig down into event levels (error, warning, information, security audit success and failure). The interface polls via WMI and refreshes every 20 seconds or so, handy if you're wanting to keep an eye out for a particular event as it happens.


The real-time event log viewer is positioned next to the real-time process explorer and service control manager which were both added in recent versions. This puts 3 very common troubleshooting and monitoring tools right at your fingertips. The reboot button is also very close, but luckily SolarWinds have added a prompt for you to confirm before rebooting the machine! Having these available from one console reduces the need to fire up a remote session to the server, or launch a custom MMC.


Thoughts

I love AppInsight! Having that level of information readily available really takes the complexity out of troubleshooting and monitoring a given application. For those who don't have the experience or knowledge to choose the right performance counters, this is a great time saver. It will be interesting to see what application SolarWinds choose next to give the AppInsight treatment to. It's hard to capture just how much AppInsight displays, I'd recommend installing a trial of the software and having a play around yourself. The real-time event viewer, whilst not being revolutionary is a welcome addition.

The post SolarWinds – SAM 6.0 New Features [Sponsored Review] appeared first on The Sysadmins.

Group Policy – Internet Explorer 10+ and the Death of IEM


If you've used Group Policy Internet Explorer Maintenance (IEM) to configure your organisation's Internet Explorer settings and are looking to upgrade to IE10 or above, you will find that the settings defined with IEM will no longer work. Not only that, but if you try to modify the GPO from a machine running IE10 you will not be able to modify the GPO settings.


Settings configured with IEM are not automatically removed when you upgrade from IE9 -> IE10, however any changes made to the IEM GPO will not be reflected by the clients and any new users logging onto a machine with IE10 will not receive the IEM settings.

  • If UserA is logged onto a Windows 7 machine running IE9 and the user updates to IE10. The settings from IEM will be retained- but not enforced by Group Policy.
  • If UserB logs onto the same Windows 7 machine for the first time after IE10 has been installed, they will not receive any IEM settings.
  • If you are deploying or using Windows 8 (which ships with IE10) no settings from IEM will apply, ever.

IEM has been dropped in favour of Group Policy Preferences, Administrative Templates and the Internet Explorer Administration Kit 10 (IEAK 10). This post will run you through a couple of common settings you may need to migrate across. I will cover setting the home page and proxy settings.

Setting Home Page with Group Policy Preferences

Open the Group Policy Management Console and create a new GPO. Browse to User Configuration -> Preferences -> Control Panel Settings -> Internet Settings. Right click and choose New -> Internet Explorer 10.

Group Policy Preferences Internet Explorer 10

Enter the URL of the Home page you wish to set, and select start with home page. Notice the red dots underlining the home page entry.

Group Policy Preferences Internet Explorer 10 Home Page

You must press F5 (F6 seems to work too), to confirm the entry. If you do not the setting will not be applied. Once you have done so, the entry turns green.

Group Policy Preferences Internet Explorer 10 Home Page F5

Setting a Proxy with Group Policy Preferences

Create or modify an existing Internet Settings policy as explained above; this time head over to the Connections tab -> LAN Settings.

Internet Explorer 10 Group Policy Preferences Proxy Setting

Specify the proxy; again, note the red dots showing that the settings have not been confirmed. Press F5 to confirm.

Internet Explorer 10 Group Policy Preferences Proxy Setting F5

Takeaway

  • Internet Explorer Maintenance will NOT apply to Internet Explorer 10 or above
  • You will not be able to modify existing IEM GPOs from machines with IE10 or above installed
  • Press F5 to confirm entries made to Group Policy Preferences Internet Settings; basically, make sure you're green!

The post Group Policy – Internet Explorer 10+ and the Death of IEM appeared first on The Sysadmins.

Group Policy – Internet Explorer 11 Group Policy Preferences


With Internet Explorer 11 having been released a couple of days ago for Windows 7 / Server 2008 R2, and Internet Explorer Maintenance deprecated since IE10, you're going to want to use one of the alternative methods (Group Policy Preferences, Administrative Templates or the Internet Explorer Administration Kit) to configure Internet Explorer for your organisation. If you're used to configuring Internet Explorer with Group Policy Preferences, you'll be thinking "not a problem" and install IE11 onto an administration machine or a server, assuming it will add the option to create a new GPP for Internet Explorer 11. This is what you'll see if you try that.

Group Policy Preferences Internet Explorer 10

Where is the option to add an Internet Explorer 11 Group Policy Preference Internet Settings Policy?

There is no option. The Internet Explorer 10 option actually covers Internet Explorer from version 10 to … 99! That’s right 99. To prove this and to visually confirm this is the case, create a policy by using Internet Explorer 10 Internet Settings and find the unique ID of the GPO.


Browse to \\DC\SYSVOL\Domain\Policies\uniqueID\User\Preferences\InternetSettings and open the InternetSettings XML document in notepad. Note the 5th line which states version 10.0.0.0 -> 99.0.0.0.

IE10 GPP Internet Settings

If you’re looking to use Group Policy Preferences to configure Internet Explorer 11, using the Internet Explorer 10 Internet Settings option will work for version 11 and future releases of Internet Explorer.

The post Group Policy – Internet Explorer 11 Group Policy Preferences appeared first on The Sysadmins.

Group Policy – Internet Explorer Security Zones


There is often a requirement to maintain and add URLs to the security zones of Internet Explorer. As we discussed in the last couple of posts, Internet Explorer Maintenance (IEM) has been deprecated with Internet Explorer 10. This post will look at two ways to leverage group policy to manage the security zones. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.

Site to Zone Assignment List

Create a new Group Policy Object and browse to User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

Internet Explorer Site to Zone Assignment

Double click on the Site to Zone Assignment List, select enable and choose show to configure the options.

Internet Explorer Trusted Sites

Note the numbering of the Security Zones. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

In this example I have added http://intranet.corp.local to the Trusted sites (2).

Zone Assignments

Using this method will grey out the Trusted sites GUI, meaning the end user cannot remove or add any sites to any of the zones.

Trusted Sites Greyed Out

If you would like to be a little more flexible and allow the end users to edit the zones, you will need to use an alternative method: Group Policy Preferences registry items. Consider the implications of allowing this, as users can add their own sites and potentially reduce the security settings applied to a given site.

Group Policy Preferences Registry Items

This method will allow you to deploy Security Zone sites, whilst allowing the end user to modify the zones by adding or removing sites. If a user removes one of the sites deployed via this method, it will be re-added on the next Group Policy refresh.

I’ve covered deploying registry settings via Group Policy Preferences in a previous post, so you may want to have a quick scan if you’re not familiar.

Create a new Group Policy Object and browse to User Configuration -> Preferences -> Windows Settings -> Registry. Right click and choose New -> Registry Item. This is where you'll configure the sites; you will need 1 registry item per site.

GPP Registry to Set Security Zones

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\
  • Value name will typically be http or https
  • Value type is REG_DWORD
  • Value Data uses the same as Site to Zone Assignment. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

This is what you will see on the client machine.

Trusted Sites Not Grayed Out

If you want to set the “Require server verification (https:) for all sites in this zone” with this method, you can do so by setting the following.

Require server verification (https:) for all sites in this zone

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • Value name is Flags
  • Value type is REG_DWORD
  • Value data is 67 to untick this option, and 71 to tick- make sure the base is set to Decimal
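Because the two methods write to different places (the Site to Zone Assignment List lands under a Policies key and locks the UI, while the GPP registry items and anything the user adds land under ZoneMap\Domains), it's worth being able to see the combined result on a client. The following PowerShell is an added example, not code from the original post: it reads both locations for the current user, turns the Domains\website.com\www key layout back into host names, reports the zone number using the 1-4 numbering above, warns about Trusted Sites entries that are assigned for plain http, and reads the Flags value of zone 2 to show whether "Require server verification (https:)" is ticked. The ZoneMapKey path for the policy entries is an assumption about where the Administrative Template stores them; the ZoneMap and Zones\2 paths are the ones given in the post.

```powershell
# Added example (not from the original post): show the Internet Explorer zone
# assignments in effect for the current user from both deployment methods.

$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Site to Zone Assignment List (Administrative Template) - assumed location.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
# GPP registry items and user-added sites - path from the post.
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'

function Get-IEZoneAssignment {
    $results = @()

    # Policy entries: value name is the URL pattern, data is the zone number (as a string).
    if (Test-Path $PolicyKey) {
        $item = Get-Item $PolicyKey
        foreach ($site in $item.GetValueNames()) {
            $zone = [int]$item.GetValue($site)
            $results += [pscustomobject]@{ Source = 'Policy (locked)'; Site = $site; Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }

    # ZoneMap entries: Domains\website.com\www holds DWORD values named http / https.
    if (Test-Path $DomainsKey) {
        foreach ($k in Get-ChildItem $DomainsKey -Recurse) {
            $parts = ($k.Name -replace '^.*\\Domains\\', '') -split '\\'
            [array]::Reverse($parts)                       # www, website.com -> www.website.com
            $hostName = $parts -join '.'
            foreach ($scheme in $k.GetValueNames()) {
                $zone = [int]$k.GetValue($scheme)
                $results += [pscustomobject]@{ Source = 'ZoneMap (editable)'; Site = "$scheme`://$hostName"; Zone = $zone; ZoneName = $ZoneNames[$zone] }
            }
        }
    }
    $results
}

function Test-TrustedZoneRequiresHttps {
    # The post gives Flags = 71 for ticked and 67 for unticked; they differ only in bit 4.
    $flags = (Get-ItemProperty -Path $TrustedKey -Name Flags -ErrorAction SilentlyContinue).Flags
    if ($null -eq $flags) { return $false }
    ($flags -band 4) -ne 0
}

$all = Get-IEZoneAssignment
$all | Sort-Object Zone, Site | Format-Table Source, Site, Zone, ZoneName -AutoSize

# Trusted Sites entries that apply to plain http deserve a second look, since the zone's
# relaxed settings then apply to an unauthenticated connection.
$all | Where-Object { $_.Zone -eq 2 -and $_.Site -like 'http://*' } |
    ForEach-Object { Write-Warning "Trusted Sites entry assigned for plain HTTP: $($_.Site)" }

"Require server verification (https:) for Trusted Sites: $(Test-TrustedZoneRequiresHttps)"
```

Run it as the target user (or through a logon script that writes the output somewhere central) after a Group Policy refresh; a site that shows up only under "ZoneMap (editable)" is one a user could remove until the next refresh, exactly the trade-off described above.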


Takeaway

  • Use Site to Zone Assignment to prevent users from editing the Security Zone sites
  • Use Group Policy Preferences to allow users to edit the Security Zone sites

The post Group Policy – Internet Explorer Security Zones appeared first on The Sysadmins.
