Tuesday, April 12, 2005

Convert Today's Date to YYYYMMDD In Batch File

Here is a simple script to convert today's date into yyyy-mm-dd format in batch file:
FOR /F "usebackq tokens=1,2,3,4 delims=/ " %%i IN (`date /t`) DO (
set yyyymmdd=%%l%%j%%k
)

Posted by at 2 comments:
Tags:

Thursday, March 31, 2005

Using Active Directory Group Policy to Deploy SmbDeviceEnabled Registry Setting

I deployed a pair of firewall appliances onto our network using Network Address Translation (NAT). Soon after that, users start to report they encounter intermittent network problems. e.g. Corrupted word documnet, garbage data in files on file server, XP machines receive a "Write Delay Error" warning, corrupted Visual Source Safe database.

One thing in common is that the problems are all found when the connection is using Server Message Block (SMB) protocol.

Turns out there is a problem with SMB protocol running on NAT. Refer to Microsoft KB 301673 article for more detail. The work around is to change a registry setting so that NetBT protocol will be used. You can change it either on the client workstations or the servers side.

For us, since the client workstations may connect to more than one servers, and some of those servers are not managede by us (and as a result, they are outside our firewalls, we have to change the registry setting on the client side.

So, I used Active Directory Group Policy to help me to deploy the registry setting.
  • Create a custom Administrative Template as follows:

    CLASS MACHINE
    CATEGORY "NetBT Settings"
    POLICY "SmbDeviceEnabled"
    KEYNAME "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
    EXPLAIN "This policy configures the registry value HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled. You can disable this value to solve the problem of SMB using NAT. Refers to Microsoft KB 301673 for more information."
    VALUENAME "SmbDeviceEnabled"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    END POLICY
    END CATEGORY

  • Save the file as NetBT.adm.
  • In the Group Policy Editor, go to View menu | Filtering, uncheck the "Only show policy settings that can be fully managed" checkbox.
  • Then go to Computer Configuration | Administrative Templates, and use Add/Remove Template to add this NetBT.adm custom administrative template.
  • Now, under Administrative Template, a NetBT Settings category will appear.
  • Under this NetBT Settings category, double-click on SmbDeviceEnabled and change the status to Disable.
  • Close the Group Policy Editor to finish.
  • Link this group policy to the right OU to apply onto all the machines under it. (always do it on test machines first!)
  • Within 90 minutes (default time for Active Directory Group Policy refresh), the machines will obtain the new registry value.
  • You still have to reboot the machines to make the registry change effective.
One thing you have to know is that this kind of group policy is a tattoo type policy. The registry setting would not be changed back to the original value if you later on remove this group policy. To undo the change, you will have to explicitly change this group policy NetBT Settings to Enable.

Posted by at No comments:
Tags: ,

Wednesday, March 30, 2005

WSU IT Forum Presentation

The Vice President of Information Technology of our university organized the first Information Technology Forum. I was invited to co-present with the Enterprise Administrator. The topic is Active Directory: Securing the Enterprise.

Here is the slides of my part of the presentation.



Of course, it's my professional responsibility (as a systems administrator) to strip out or obscure any real server name and infrastructure details. But the essence of the presentation, the power of Active Directory and group policies, remains.

Posted by at No comments:
Tags: , ,

Monday, March 28, 2005

Using Active Directory Group Policy to Protect Against Adware/ Spyware Tracking Cookies

Continuing my journey to fully utilize Active Directory to streamline computer management, I found that we could use Group Policy to block adware and spyware tracking cookies.

More police powers for spyware

Here is how:
  • Start Group Policy Editor.
  • Under User Configuration | Windows Settings | Internet Explorer Maintenance | Security,
  • Right-click on Security Zones and Content Ratings.
  • Under Security Zones and Privacy, choose Import the current security zones and privacy settings.
  • Note: Before you click on Modify Settings
    It will import the Internet Explorer Security Zones and Privacy settings of the machine where you are running the Group Policy Editor. Be careful! Since Windows 2003 disables a lot of IE settings by default, you may not want to run the editor on a Windows 2003 machine and define a IE group policy for Windows XP machines.
  • Click Modify Settings.
  • Go to Privacy tab. Click Sites.
  • Add the advertisement sites/ domains that you want to block their tracking cookies.
  • Click OKs to finish.
This approach only works for Internet Explorer. Of course, it doesn't compare with a real adware/ spyware checking software, since they can do other checks, like file system, registry. I call this a poor man's version. It doesn't cost you anything, other than the time it takes to configure the group policy, and then link it to the right Organization Unit (OU) for deployment.

Posted by at No comments:
Tags: ,

Thursday, March 24, 2005

Exchange/ Outlook Rules Handling

For current (non-Exchanged) Outlook users that is getting onto Exchange, beware!
Exchange/ Outlook rules handling can bite you in many ways.

Before you proceed, export all your current rules into a file.
You will need it!

Read the following article to have a better idea about Exchange server-based and client-based rules
http://www.slipstick.com/rules/serverbased.htm

This talks about the Exchange rules storage limit of 32K:
http://support.microsoft.com/kb/241325

Some workarounds for this 32K storage limit problem
http://support.microsoft.com/?kbid=886616

For the advanced,
Bruse Heimbigner has a suggestion of using some programming technique to workaround the 32K storage limit problem:
http://blogs.msdn.com/adioltean/archive/2004/11/18/259448.aspx
http://www.google.com/search?q=RULE.DLL

Posted by at No comments:
Tags:

Wednesday, March 23, 2005

Exchange Outlook Rules 32K Limit - Frustrating!

I signed up as a WSU Exchange early tester. After two days of using it, I get really frustrated.

I use my emails as a filing system. I have a place/ category/ folder for everything.
In my non-Exchanged Outlook, I have 115 filtering rules to automatically sort my incoming emails.

But once "Exchanged"... Outlook allows me to have only 27 of my rules (all the remaining 88 are being disabled). Reason is they exceed the Exchange server rules storage limit of 32K...... yes...32K only!

There are two types of filtering rules in Exchange - server-only, and client-only rules.
  • Server-only rules are executed on the Exchange server directly. There is no need to have any email client. One can use it to automatically sort email out of the default Inbox, and keeping the Inbox clean and small. It is especially useful when one checks email a lot using mobile device.
  • Client-only rules are executed on the client side (in my case, Outlook). One can use it to sort email onto different Personal Folders on the local machine.

All my existing rules are client-only. So, why would Outlook ever need to upload those rules to the Exchange server? and subsequently be counted into the 32K Exchange server rule storage limit? A bad design, or integration on the two Microsoft products.

I then removed the Exchange server connection from my Outlook. It shocked me to find that all my rules were removed as well. Another bad product design (should I call it a bug?) in Outlook - client-only rules should always stay with the email client, and not be affected by whether there is an Exchange server configuration or not.

There is a Microsoft KB that talks about some workarounds on the Exchange 32K rules storage limit problem. Basically, rename your rules to shorter names, merge some of your rules, change your local folders to shorter names, move your Outlook data files to another location on the file system that has a shorter path, etc.

It costs me an entire afternoon and I'm finally able to cut down my number of rules to 65. Exchange is still complaining that I can only enable 64 of them. :-(

Posted by at No comments:
Tags:

Monday, January 31, 2005

Getting Start with Microsoft SMS 2003

Here is a summary of steps involved to get started on Microsoft Systems Management Server 2003.

Watch these essential webcasts
Procedure to install SMS 2003
  • Install SQL 2000 and patched.
  • Install SMS 2003 and apply SP1.
  • Install BITS support on IIS.
  • Install WebDAV on IIS.
  • Install SSL Certificate on IIS (if you want https in reporting).
  • Configure Site Settings (Site Boundary/ Roaming Boundary, Publish to AD, etc).
  • Configure Site Systems (Management Point, Reporting Point, etc).
  • Configure Client Agents (Hardware Inventory, Software, etc, polling schedule).
  • Configure Client Installation Methods (Software Distribution Account, SMSSITECODE).
  • Configure Component Configuration (Software Distribution Account).
  • Configure Discovery Methods (Active Directory, etc).
  • Grant permissions for others to access the SMS server.
  • In Collections (after AD Discovery complete), refresh on All Systems. Install SMS clients (push installation) selectively.
  • In Software Updates, download and Install Inventory Scanning Programs.
Procedure to deploy package
  • Build Query (to select machine eligible for package deployment).
  • Define Collection based on Query.
  • Build Package.
  • Build Advertisement (Schedule, Target Collection).
  • Wait for machine's regular advertised program polling cycle, or go to client machine (Control Panel, System Management) to initial machine policy refresh. Then, the package will be deployed.
Procedure to deploy patches
  • Run report "Software updates with count of applicable and installed computers".
  • Based on the missing updates reported, go to Software Updates, Distribute Software Updates.
  • Build Package (one package contains all necessary patches).
  • Specify parameters (/z /Q or other options) for each patch included the package.
  • Specify the rest of the package option (Postpone reboot, allow users to defer, etc).
  • This process will automatically create the advertisement.
Procedure to deploy custom package
  • Create Package.
  • In Package | create Program, and define program install command there.
  • In Package | Distribution Point, associate the package with a distribution point.
  • Create Collection (optional).
  • Create Advertisement.
Remember
  • A Collection contains a set of machines. It can be generated based on the result of a Query. (Note: a Query can run based on a Collection. This is used to limit the scope on which the query command is run against.).
  • A Package can contain a software, a service pack, or multiple patches. It basically just points to the source folder that contains all the executables, config, etc required.
  • Inside a package, you can define more than one programs. A program is for you to define what the executable is and the corresponding command line options.
  • e.g. A package for Sun Java 1.4.2_07 can have two programs, one to define how to install sun java, and one for uninstalling it.
  • An Advertisement associates a Program (inside a Package) to a Collection with a deployment schedule.
Posted by at No comments:
Tags:
Subscribe to: Posts (Atom)