Configuring send as, send on behalf and providing full access to a mailbox are fairly common requests. In Exchange 2010, you could set the send as and full access permissions by right clicking the user in the Exchange Management Console under recipient configuration and mailbox. Send on behalf required you to dig a little deeper into the configuration, and head into the user's properties, mail flow settings tab and delivery options. In Exchange 2013 these options have been moved into a single location, which seems sensible. We'll look at how to achieve the above with the GUI and Powershell in Exchange 2013.
With the GUI
Open EAC (Exchange Admin Center), browse to recipients, select the user you would like to grant the permission for and click the pencil to edit. In this example, I would like to grant Branch Warren the right to send as Ronnie Coleman so we select Ronnie and choose edit.
Choose the option mailbox delegation at the bottom and add the user you wish to grant the permission to. In this example, we want to grant Branch Warren the right to send as Ronnie Coleman.
Send on Behalf - This will grant Branch send on behalf permissions for Ronnie
Set-Mailbox ronnie.coleman -GrantSendOnBehalfTo branch.warren
Send As - This will grant Branch send as permissions for Ronnie
Add-ADPermission ronnie.coleman -ExtendedRights Send-As -user branch.warren
Full Mailbox Access - This will grant Branch full access to Ronnie's mailbox
Add-MailboxPermission -Identity ronnie.coleman -User branch.warren -AccessRights FullAccess -InheritanceType All
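The three one-liners above each set a right without showing how to confirm it afterwards. The following is an added example, not code from the post: it wraps the same Exchange Management Shell cmdlets in a function, then reads the delegations back so you can review who can read or impersonate a mailbox. The account names are the post's sample users; the function names are my own.

```powershell
# Added example (not from the post). Grants the three delegation rights from the post with the
# Exchange Management Shell cmdlets and reads them back so the change can be verified.
function Grant-MailboxDelegation {
    param(
        [Parameter(Mandatory)][string]$Mailbox,   # mailbox being delegated (e.g. ronnie.coleman)
        [Parameter(Mandatory)][string]$Delegate   # user receiving the rights (e.g. branch.warren)
    )

    # Send on Behalf: @{Add=...} appends to the existing list. Passing a bare name, as the
    # one-liner in the post does, replaces whatever delegates were already on the mailbox.
    Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{Add = $Delegate}

    # Send As: an Active Directory extended right on the mailbox user's AD object.
    Add-ADPermission -Identity $Mailbox -User $Delegate -ExtendedRights 'Send-As'

    # Full Access: an entry in the mailbox ACL. -AutoMapping:$false stops Outlook from
    # silently adding the mailbox to the delegate's profile; omit it if you want that behaviour.
    Add-MailboxPermission -Identity $Mailbox -User $Delegate -AccessRights FullAccess `
        -InheritanceType All -AutoMapping:$false
}

function Get-MailboxDelegation {
    # Lists every explicit (non-inherited) delegation on a mailbox, ignoring the mailbox's
    # own SELF entry, so the result is only the people who were deliberately granted rights.
    param([Parameter(Mandatory)][string]$Mailbox)

    $sendOnBehalf = (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo
    $sendAs = Get-ADPermission -Identity $Mailbox |
        Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\SELF' }
    $fullAccess = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\SELF' }

    [pscustomobject]@{
        Mailbox      = $Mailbox
        SendOnBehalf = @($sendOnBehalf | ForEach-Object { $_.Name })
        SendAs       = @($sendAs | ForEach-Object { $_.User.ToString() })
        FullAccess   = @($fullAccess | ForEach-Object { $_.User.ToString() })
    }
}

# Usage with the post's sample accounts.
Grant-MailboxDelegation -Mailbox 'ronnie.coleman' -Delegate 'branch.warren'
Get-MailboxDelegation -Mailbox 'ronnie.coleman' | Format-List
```

Running Get-MailboxDelegation across `Get-Mailbox -ResultSize Unlimited` is a quick way to audit delegations that have accumulated over time, since Full Access and Send-As grants are rarely removed when someone changes role.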
Tom's weekly catch-up will cover things of interest in the last week, recommended reading or simply interesting bits I'd like to share that don't require a full post.
MCSA: Windows Server 2012 Training
Looking to obtain your MCSA in Windows Server 2012? You're in luck! There are two great resources to study for the 70-410, 411 and 412 exams: one from Born to Learn, who have put together resource wikis for each of the exams, and one from Trainsignal, who are providing free access to various courses. When studying for exams, people often neglect to read the "skills measured" section on the Microsoft learning site. This should be your first stop when preparing your study plan, to make sure you're covering all of the required material. The Born to Learn resource wikis mirror the skills measured section and link you to the relevant TechNet/blog articles. A great time saver. The Trainsignal video courses are generally very good; I've used them in the past when studying for my MCSE and MCITP:EA. I would recommend you make the most of the free training and get stuck in! Enjoy.
Best Practices for Securing Active Directory
Responsible for Active Directory? You'll want to grab the recently published (April 2013) version of Microsoft's best practices for securing Active Directory. It's pretty thorough and 314 pages long, but worth at least a scan if this is something you're responsible for or simply as a reference. Microsoft provide the document as a .docx, if you would prefer a PDF I've got that covered here: PDF Version
Synergy has been around for a while. I remember hearing about it some time ago but only recently had a reason to use it. It can be used to share a single keyboard and mouse across multiple computers, supporting Windows, OS X and Linux. I have two machines I use fairly frequently at work, my main machine and a test machine running Hyper-V with various guests for testing. Recently my desk seems to be getting smaller (I'm sure someone is chopping bits off it every night), and having two full sized keyboards is just a bit tight. Synergy allows me to free up this space!
My Home Test-bed
Over the years I've dabbled with various setups at home, be that fully fledged servers, micro-servers, hosted solutions or similar to provide the ability to quickly provision servers for me to learn, test or troubleshoot a scenario. Let me outline some of the concerns and considerations.
- Power consumption - Often overlooked, but at one time I was sitting at around 550-600w idle running my main machine, server and other networking bits. Roughly calculated, that used to cost me £50 a month to run!
- Heat - A while ago I decided it'd be a good idea to borrow a couple of decommissioned servers for something I wanted to try out. I got them both up and running and popped out for the evening, when I returned my apartment's temperature had risen by around 3 degrees and my office in which they were hosted was fairly unbearable.
- Noise - Any normal server is going to be very loud in a home environment, so if you do decide to go that way keep that in mind and make sure you have somewhere far away from your bedroom or living room to host the server. Remember it's not only pure noise, but vibrations which can drive you crazy when you're trying to sleep or relax.
- Performance - I see a surprising amount of older servers being snapped up on eBay, or mentioned on forums, that are going to be used for test beds. Simply put, a lot of the older-generation servers perform badly. They're loud, hot and slow.
Now, before I get into what I've settled on- I'd like to clarify that a test-bed for me means being able to quickly bring up servers for a few months at a time. I'm not looking to leave these servers in the environment for years, nor am I (normally) particularly bothered about the data on them. So here it is. A single box consisting of:
- Intel Core i7-2600k
- 32GB of Memory (£120!)
- 256GB Samsung 830 SSD
- 2 Nics
- ATI 5870 (Hey, I still game a bit).
That's it. I use this machine as my main day-to-day at home, it's running Windows 8 with the Hyper-V role enabled. I keep the vhdx files on the SSD which means that performance on the VMs is great, for example I'm able to install Server 2012 and be sat on the desktop in around 5 minutes. The machine idles at around 90w, which would be even lower if I didn't have the ATI 5870 installed (probably 75-80w). I'm able to use the host as a day-to-day desktop without the guests affecting the performance, I simply don't notice they're running yet their performance is great. For the majority of my needs this setup is great, and it's by far my favorite solution so far. I think it's easy to get caught up in thinking you need a fully fledged "server" or enterprise equipment for your test-bed, more often than not, this is not the case.
I've been spending a bit of time recently, working around various constraints of working in an environment where UAC is enabled and end users have no local administrative rights over their machines. This especially becomes a problem when applications are written badly, don't provide any means to be packaged or simply touch the system in a way that needs administrative rights. Essentially, what I wanted to provide was the ability for an end user to run x app, as an administrator- be that a particular software update or simply a program that wants to set itself as the default PDF reader.
We run Sage Accounts, and fairly often they'll release a small update. This update is provided as an .exe, has no silent switches, requires administrative rights and prompts the user to confirm the path to update. I've spent a fair amount of time trying to dissect this installation, capturing the process with an MSI packager (2 actually) with no luck. I even brought out the big guns and watched the installation with Sysinternals Process monitor. It gets to the point where you're essentially re-writing the entire update, and quite frankly it's just a massive time drain... not only that but it becomes a much riskier process and requires more testing. "Did I get everything".
PDF readers. We run two flavours, and users are generally given the choice to which one they choose. Of course, changing the default programs associated with PDFs requires administrative access. So, we may get a support call that requires us to remote in, fire up the "other" applications with admin credentials, and set it as the default reader. This becomes an unnecessary interruption for both the end user and admin. You could go ahead and create a GPO that writes the required registry keys, but it's a bit messy and again requires a fair bit of initial effort to configure.
Allowing users to launch applications with administrative rights
To make this possible, we'll be using the Software Catalog provided with SCCM 2012. This application is automatically deployed as part of the agent, so shouldn't require any additional work client side.
I'll give you two examples, one running a local executable on a system and the second running an executable on a file share. When using this method, the executable is loaded with the "system" account.
Browse to Software Library -> Packages, right click and select create package.
Give the package a name, this is the title displayed in the software catalog, so you'll want to make it user friendly!
This is a standard program.
The name field is tagged onto the package name, so append with run/setup/launch, whatever best describes the action. I've given the path and executable, and changed the run mode to run with administrative rights. You must tick "allow users to view and interact with the program installation" otherwise it'll hide the application.
Here you can specify some additional options, it's worth changing the estimated disk space, as this is displayed in software centre and I normally bring the run time down from 120 minutes to 15.
After this, next, next yourself through to the end of the wizard. As this is running a local application there is nothing to distribute; you simply need to deploy the package to a device collection. This is a bit beyond the scope of this article, but I'll look to write a post in the near future covering that.
Fire up the Software Catalog from the start menu and the package should be available for install.
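The wizard steps above can be reproduced with the ConfigurationManager PowerShell module that ships with the console (SCCM 2012 SP1 and later). This is an added example, not code from the post or from Microsoft's documentation: the site code, package name, executable path and collection name are placeholders, and the parameter values mirror the choices made in the wizard (standard program, run with administrative rights, user interaction allowed, 15 minute estimated run time).

```powershell
# Added example (not from the post). Builds the same package and program as the console
# walkthrough with the ConfigurationManager module. All names below are placeholders.
$SiteCode       = 'PS1'                                    # placeholder site code
$PackageName    = 'PDF Reader'                             # title shown in the Software Catalog
$ProgramName    = 'Launch'                                 # appended to the package name in the catalog
$Executable     = 'C:\Program Files\PDF Reader\reader.exe' # placeholder: path on the client
$CollectionName = 'All Workstations'                       # placeholder device collection

# The module lives next to the console binaries; load it and move to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# A package with no source path: the executable already exists on the client, so there is
# nothing to send to distribution points.
New-CMPackage -Name $PackageName `
    -Description 'Launches the reader elevated so the user can set it as the default' | Out-Null

# The "standard program" from the walkthrough. RunWithAdministrativeRights makes it run as
# SYSTEM; UserInteraction $true is the "allow users to view and interact" tick box, which
# also requires the program to run only when a user is logged on. Duration is the estimated
# run time (15 rather than the default 120 minutes).
New-CMProgram -PackageName $PackageName -StandardProgramName $ProgramName `
    -CommandLine ('"{0}"' -f $Executable) `
    -RunType Normal `
    -ProgramRunType OnlyWhenUserIsLoggedOn `
    -RunMode RunWithAdministrativeRights `
    -UserInteraction $true `
    -Duration 15 `
    -DiskSpaceRequirement '50' -DiskSpaceUnit MB | Out-Null

# Deploy as "Available" (not "Required"): that is what lists it in the catalog for the user
# to install on demand rather than pushing it.
Start-CMPackageDeployment -CollectionName $CollectionName -PackageName $PackageName `
    -ProgramName $ProgramName -StandardProgram -DeployPurpose Available
```

The UNC-path variant later in the post differs only in the package's source path and the program's start-in folder; everything else, including the run mode, stays the same. Because the program runs as SYSTEM on every machine in the collection, keep the collection as narrow as the request justifies and review who can edit the package.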
"Installing" this package will launch the application under the system account and allow the user to set it as default (it prompts on launch). Obviously the user's mapped drives will not be present in this session, but when was the last time you opened a PDF viewer and opened the file from within?
There is a security risk when launching a full application this way: because the application is elevated, anything the user opens from within it also runs with elevated privileges. This method is better suited to allowing the end user to run scripts, or applications that do not allow the user to open other applications from within.
Executable on UNC Path
The process is essentially the same, except you provide the UNC path for the startup folder. If this is going to be launched on multiple sites, I'd recommend you use something like DFS to replicate the installation files around your particular locations.
When this package is installed, it launches the accounts2013update2.exe under the system context and allows the users to confirm the update path and update the application. This particular application does not allow for any additional interaction bar allowing the user to confirm the update path, so the security concerns outlined above do not apply.
Chances are you've heard of DameWare, two of their main products; DameWare Remote Support (DRS) and DameWare Mini Remote Control (MRC) are both popular tools and have been around for a long time. For those who haven't heard of DameWare before, or those that just want a refresh; I'll be looking at both of these products below.
DameWare Remote Support
DameWare Remote Support (DRS) provides a simple, efficient console that integrates various tools and features into a single point. To give you an idea, you can do all of the following (and more) from the console:
- Remotely reboot servers and notebooks
- Start and stop Windows Services
- Clear and view Windows Event Logs
- Copy and delete files on remote computers
- Manage Windows® Active Directory
- Quickly take full control of the end-user’s desktop
- Take screenshots of remote desktops
- Automatically install agents as you need them
As soon as I opened the interface it felt familiar. The console is well laid out, and intuitive to use- I was using the software within a matter of minutes without having to refer to a manual or similar. As you can see from the screenshot above, you can view and expand Active Directory, Workgroups and favorite machines. Favourite machines will allow you to add a single machine via FQDN, or a scope of machines via IP. If you cast your eye over the components above, you'll begin to see what's available to you.
Managing services from DRS is as simple as clicking on Services view.
Want a remote console? That's as simple as double clicking RCmd View or RCmd Console, or, if your preference is to use PSEXEC, you can actually add system tools to the menu.
Today we're looking at 3 easy ways to search Group Policy settings, primarily focusing on the Administrative Templates. With over 3000 settings (~3500 with Server 2012/Windows 8) you're going to want to be aware of these methods!
1. Search with Microsoft's GPSearch Site
Microsoft put this site up a couple of years ago, initially at
http://gps.cloudapp.net/, this has now changed to http://gpsearch.azurewebsites.net and will enable you to search any of the Computer or User Administrative Template settings within Group Policy. They're also linking to a Windows Mobile Application for searching group policy, it's nice to see they're putting out apps like this: http://www.windowsphone.com/en-gb/store/app/group-policy-search/d1615909-62e2-df11-a844-00237de2db9e.
2. Search with the Group Policy Management Console
You can search from within the GPMC MMC console itself by right clicking the Administrative Templates for the Computer or User segment and selecting filter options. The initial criterion is "any", so you can simply type a keyword and filter the results based on that keyword; make sure you right click Administrative Templates and set the filter to "on". The configured and commented options are quite interesting. I rarely see people commenting group policy objects or settings, but this would allow you to only return commented or configured settings within a GPO.
3. Search with the Group Policy Settings Reference XLS(x)
I really like the spreadsheets that Microsoft have provided for searching Group Policy: http://www.microsoft.com/en-au/download/details.aspx?id=25250; the filters in place make it very simple to filter out what you're looking for. I particularly like the "Reboot required" and "Logoff required" columns, very helpful. These spreadsheets are well worth a look as they tend to give you a little more information than the methods above.
I’ve been operating computers for the last 25 years of my life and I’ve done a bit of everything in that time, using computers to make a living for the last 17 years. I’ve been a systems administrator full-time. I’ve been a technical journalist, writing about modern PC technologies and 3D graphics. Most of all though, for fun and profit, I’ve been a programmer.
Programming for a living, for utility or for fun, I’ve connected people to the Internet, written desktop application software and sold it for big money, built web applications and tried my hand at many different programming languages to further my craft.
The most liberating thing it’s allowed me to do is ask computers questions about things. Questions about themselves and the data they hold. Questions about how they’re connected to other computers and the Internet. The questions are always followed by answers. The answers are what give you power.
Systems administration concerns itself with data more than anything else. Think about it. Users. Files. Permissions. Access controls. Configuration. Settings. There’s generally a lot of it, too. Hundreds or thousands (or hundreds of thousands!) of users with millions of files with myriad permissions and access controls in programs with countless configuration and potential settings.
That means there’s inherent (and usually unending) repetition built into everything. Repetition kills efficiency. Think about manually having to visit every seat in your company to perform a certain task. Programming is about avoiding repetition and making using computers more efficient. Programming is what enables you to stay seated and avoid that physical trek to every machine to do that tedious piece of config you can’t do remotely.
You might get lucky and have the software you use be able to ask all the questions you need about your systems. But I bet that frequently you find that you either have to make the software jump through hoops to give you the answers, or the answers are completely elusive.
Need to find all the inactive accounts in your Active Directory? Need to email everyone with connection to a certain printer to tell them it’s being serviced? What about inviting everyone with a high incidence of getting their password wrong to a workshop about good password policies?
Chances are you don’t have anything to hand that can easily help you with the last couple of things. What about if your infrastructure is modern and you have a nice virtualised setup running on top of VMware. What about automatically increasing resource pool allocation for hot-running VMs on a bunch of ESX servers, or finding out how much disk space you’re losing over time to datastore growth?
That kind of data-rich reporting and monitoring activity, where you need to do the same thing across a bunch of systems, usually over time, repeated periodically, is where knowing how to ask the questions yourself becomes incredibly powerful.
You stop needing to buy expensive reporting packages or trust one-off scripts you found online not to do bad things on your systems. You stop having to repeatedly click through terrible GUIs and wonder whether you remembered to check a certain tick box five levels of cascading property sheets deep inside the management console.
You write a program yourself, likely saving money, reducing your reliance on Google and random scripts and tools, usually getting it done faster and automating it for you so you save time in the future. A program doesn’t forget, or miss anything out in a large set of data.
The best part is that learning to engineer that kind of simple, time-saving, incredibly efficient, very useful software doesn’t take much. You can accomplish much of it without even having to learn more than a scripting language. Scripting languages tend to have easy-to-use hooks into your OS, are simpler and easier to learn and wield effectively than more heavyweight languages, and are quicker to start executing on a system since they don’t have to be built.
You just write and go.
So the next time you catch yourself repeating a tedious task you wish you could automate away, or find yourself wishing for some software to do a new thing entirely, as a sysadmin I bet you already have most of the mental skills to learn how to write software to do it yourself. I bet you caught yourself wishing about 5 minutes before reading this, and the reason you stopped off to read Tom’s excellent blog is because you needed help doing something you could mostly automate with code.
The benefits are clear for your current employer, and your future employment elsewhere too. It can only open doors in your career, give you much greater power and flexibility over your systems and save you so much time in the long run.
Last year I looked at installing and configuring Server 2008 R2 Core (here and here). One of the limitations of Server 2008 R2 core, was that once it was installed, that was it. There was no way of adding the GUI at a later date, you were stuck with it- and vice versa, you couldn't strip the GUI install down to the core version.
Microsoft appreciated this limitation and have added the functionality to Server 2012, not only that but they've also added a halfway house known as the Minimal Server Interface... more on that later.
One of the cool new abilities with 2012, is that you can now configure the server as normal with the GUI, and then 'take it back to the core' once you have finished! Great for those who were put off by the potential complexity of learning new commands and administration techniques with core-only.
Switch from Server 2012 Core to GUI
If you install Server Core, the binaries to add the GUI aren't present (resulting in a smaller footprint). This however means you either need to grab them from a local source, or use Windows Update. The binaries can be quite large, so I suggest you grab them from a local source if you can.
I'm using Hyper-V and have mounted the Server 2012 install media ISO to the guest, which inside Windows is the D drive.
We first need to see which WIM index is required (the SKU/SKU version).
Dism /get-wiminfo /wimfile:D:\sources\install.wim
We're using the Datacentre edition, so we'll use index 4.
There are a couple of ways to specify the source, some people mount the wim to a local folder, but this one liner simplifies the process and achieves what we're after, to get the binaries from the install.wim and install the required features. The server will restart after the installation is complete as we've specified -restart.
Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart -Source wim:d:\sources\install.wim:4
This process should take around 5-10 minutes, after the server has restarted you will be presented with the GUI. If you find the installation process gets stuck on 68%, chances are you haven't entered the source or index correctly and the binaries are being pulled down from Windows Update. You can always disconnect/disable the NIC at this stage to test.
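The one-liner above hard-codes index 4, and the "stuck at 68%" symptom is what you get when that index or path is wrong and the install silently falls back to Windows Update. The script below is an added example, not from the post: it reads the indexes from install.wim with the DISM module's Get-WindowsImage (the same list Dism /get-wiminfo prints), picks the GUI image for the edition you name, and only restarts if the feature install reports that it needs to. $WimPath and $Edition are assumed inputs; the image-name pattern is the one Server 2012 media uses.

```powershell
# Added example (not from the post). Resolves the install.wim index for the chosen edition and
# installs the GUI features from that source instead of typing the index by hand.
param(
    [string]$WimPath = 'D:\sources\install.wim',
    [ValidateSet('Standard', 'Datacenter')][string]$Edition = 'Datacenter'
)

if (-not (Test-Path -LiteralPath $WimPath)) {
    throw "Cannot find $WimPath. Mount the Server 2012 media first; without a valid source the install falls back to Windows Update."
}

# Image names look like "Windows Server 2012 SERVERDATACENTER" (GUI) and
# "Windows Server 2012 SERVERDATACENTERCORE" (Core). Only the non-CORE image has the GUI binaries.
Import-Module Dism
$images   = Get-WindowsImage -ImagePath $WimPath
$guiImage = $images | Where-Object { $_.ImageName -match "SERVER$($Edition.ToUpper())$" }
if (-not $guiImage) {
    $present = ($images | ForEach-Object { '{0}={1}' -f $_.ImageIndex, $_.ImageName }) -join ', '
    throw "No $Edition GUI image in $WimPath. Indexes present: $present"
}

$source = "wim:$($WimPath):$($guiImage.ImageIndex)"
Write-Host "Installing GUI features from $source"

# Same two features as the post's one-liner.
$result = Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Source $source
$result | Format-List Success, RestartNeeded, ExitCode, FeatureResult

# Restart only when the install succeeded and actually asks for one.
if ($result.Success -and $result.RestartNeeded -eq 'Yes') {
    Restart-Computer -Force
}
```

Save it as a .ps1 on the Core box and run it with `-Edition Standard` or `-Edition Datacenter`; the Format-List output shows the exit code and per-feature result before the restart happens, which is the check you lose with the `-Restart` switch on the one-liner.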
Switch from Server 2012 GUI to Core
There are two easy methods for removing the GUI and getting back to Core.
With PowerShell:
Remove-WindowsFeature Server-Gui-Shell,Server-Gui-Mgmt-Infra -Restart
With Server Manager:
- Select Remove Roles or Features
- Untick the Graphical Management Tools and Infrastructure and the Server Graphical Shell from the features page
- Reboot the Server with shutdown /r /t 0 or winkey+i -> Power -> Restart
Switch from Server 2012 GUI to Minimal Server interface
In Windows Server 2012, you can remove the Server Graphical Shell, resulting in the “Minimal Server Interface.” This is similar to a Server with a GUI installation, but Internet Explorer 10, Windows Explorer, the desktop, and the Start screen are not installed. Microsoft Management Console (MMC), Server Manager, and a subset of the Control Panel are still present.
With PowerShell:
Remove-WindowsFeature Server-Gui-Shell -Restart
With Server Manager:
- Select Remove Roles or Features
- Untick Server Graphical Shell from the features page
- Reboot the Server with shutdown /r /t 0 or winkey+i -> Power -> Restart
Switch from Server 2012 Core to Minimal Server Interface
Install-WindowsFeature Server-Gui-Mgmt-Infra -Restart -Source wim:d:\sources\install.wim:4
This is a file share allowing access to all Sysinternals utilities. It will allow you to run these tools from any computer connected to the Internet without having to navigate to a webpage, download and extract the zip file.
If you are unfamiliar with Microsoft Windows Sysinternals, it is highly recommended that you visit the website at http://technet.microsoft.com/sysinternals before using these tools.
Accessing the suite from within Powershell/Command Prompt.
net use x: \\live.sysinternals.com\tools
Accessing the suite from within Explorer.
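Anything run straight off a network share, whether a Sysinternals tool from live.sysinternals.com or the vendor update on the UNC path in the SCCM post above, executes whatever bytes the share serves at that moment, and in the SCCM case it does so as SYSTEM. The function below is an added example, not from the post or from Sysinternals: it copies the file locally, checks the Authenticode signature on that copy, confirms the signer is the one expected and only then launches it. The function name, the expected-signer substring and the sample tool are assumptions.

```powershell
# Added example (not from the post). Runs an executable from a network share only after its
# Authenticode signature verifies and the signer's subject contains the expected name.
function Invoke-VerifiedExecutable {
    param(
        [Parameter(Mandatory)][string]$Path,            # e.g. \\live.sysinternals.com\tools\autorunsc.exe
        [Parameter(Mandatory)][string]$ExpectedSigner,  # substring of the signer subject, e.g. 'O=Microsoft Corporation'
        [string[]]$ArgumentList
    )

    # Copy first, verify the copy, run the copy: the bytes checked are exactly the bytes
    # executed, and nothing on the share can change between the check and the launch.
    $local = Join-Path $env:TEMP (Split-Path -Path $Path -Leaf)
    Copy-Item -LiteralPath $Path -Destination $local -Force

    $sig = Get-AuthenticodeSignature -FilePath $local
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run $Path : signature status is $($sig.Status)."
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Refusing to run $Path : signed by '$($sig.SignerCertificate.Subject)', expected '$ExpectedSigner'."
    }

    $start = @{ FilePath = $local; Wait = $true; NoNewWindow = $true }
    if ($ArgumentList) { $start.ArgumentList = $ArgumentList }
    Start-Process @start
}

# The live share is served over WebDAV, so the WebClient service must be running for the
# \\live.sysinternals.com path to resolve (on servers that needs the Desktop Experience feature).
Start-Service WebClient
Invoke-VerifiedExecutable -Path '\\live.sysinternals.com\tools\autorunsc.exe' `
    -ExpectedSigner 'O=Microsoft Corporation' -ArgumentList '-accepteula'
```

For the SCCM update on a DFS share, point -Path at the update executable and set -ExpectedSigner to the vendor's certificate subject; an unsigned update fails the Status check, which is worth knowing before it is launched as SYSTEM on every client in the collection.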
Fine grained password policies were introduced back in Server 2008, and the process for creating them, whilst not massively difficult, wasn't particularly intuitive. Microsoft have improved this a lot with Server 2012: custom password policies are now easier to create, assign and monitor.
How to Create a Password Setting
Open Active Directory Administrative Center, expand System, find the password settings container, select new and password settings.
These settings should all be familiar to you, if you've ever set a domain password policy before with group policy. If not, please refer to this Technet page for more detail about each of the settings.
In this example I've disabled the account lockout policy, and added the Sales security group.
To add users or groups, select add and find the object in Active Directory.
View members of a password setting, or check if a user has a password setting applied
There are two easy ways to find which users or groups are assigned to a custom password setting, or if a user is a member of a password setting.
To find what users/groups are members of a custom password setting, simply find the policy in the password settings container and double click. View the "Directly applies to" box, to view the members (See the 2nd screenshot above for an example).
To see if a particular user has a custom policy against it, simply right click the user within the Active Directory Administrative Center and select view resultant password settings. If there is a password setting against the user, it will open the policy to expose the current settings.
If a user does not have a custom password policy, it will show you a message stating "User does not have resultant fine grained password settings. Please check the user's domain password settings."
Much easier, I'm sure you'll agree.
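The same create, assign and check steps are available from the ActiveDirectory module, which is handy when you want to review every member of the group rather than right clicking users one at a time. This is an added example, not from the post: it builds a password settings object like the one in the walkthrough (account lockout disabled, applied to the Sales group), then reports which policy wins for each user in the group. The policy name, precedence and the other password values are assumptions.

```powershell
# Added example (not from the post). Creates a fine grained password policy, assigns it to a
# group and reports the resultant policy for every user in that group.
Import-Module ActiveDirectory

$PolicyName  = 'Sales Password Settings'   # assumed name
$TargetGroup = 'Sales'                     # the group from the post

$pso = @{
    Name                        = $PolicyName
    Precedence                  = 10        # lowest value wins when several PSOs apply to one user
    MinPasswordLength           = 12
    PasswordHistoryCount        = 24
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 0         # 0 disables account lockout, as in the walkthrough
}
New-ADFineGrainedPasswordPolicy @pso
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $TargetGroup

# Equivalent of the "Directly applies to" box in ADAC.
Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName | Select-Object Name, objectClass

# Equivalent of "view resultant password settings", for every user in the group at once.
# Nested group members are included; an empty result means the domain default policy applies,
# which is the "User does not have resultant fine grained password settings" message in ADAC.
Get-ADGroupMember -Identity $TargetGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $_
        [pscustomobject]@{
            User    = $_.SamAccountName
            Policy  = if ($resultant) { $resultant.Name } else { '(domain default)' }
            Lockout = if ($resultant) { $resultant.LockoutThreshold } else { 'n/a' }
        }
    }
```

Because a PSO with lockout disabled removes one of the brakes on password guessing against those accounts, the last loop is the check to keep: it tells you exactly which users ended up under it, including ones who got there through nested group membership that is not visible in the "Directly applies to" box.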