The Sysadmins

Tips and tricks from the Sysadmins

Page 4 of 15

Exchange 2013 – Accessing the Exchange Admin Center

When you install Exchange 2013, you’ll notice that the console you’d expect to see has been dropped in favour of a web-based management console. This can be found here:

https://yourexchange2013server/ecp

This URL isn’t presented in the start menu/modern UI or particularly obvious after the installation. If you’re setting up a greenfield environment the URL above should get you straight to the new Exchange 2013 Admin Center.

I don’t see the 2013 Exchange Admin Center when I browse to ECP, I get redirected to the old Exchange 2010 ECP page

Exchange 2010 ECP
Exchange 2010 ECP

There is a caveat if you are coexisting with Exchange 2010, if this is the case you will have to specify the Exchange version in the URL to get to the Exchange 2013 Admin Center:

https://yourexchange2013server/ecp/?ExchClientVer=15

Exchange 2013 Admin Center
Exchange 2013 Admin console

Exchange – Mailbox size and Item Count HTML Report

A nice and quick way to get a list of users in a particular database, ordered by their mailbox size including item count. Displayed as so:

ExchangeHTMLSizeReport

Get-Mailbox -database "Databaseabc" | Get-MailboxStatistics | Sort-Object TotalItemSize -descending |Select-Object DisplayName,ItemCount,@{name="MailboxSize";exp={$_.totalitemsize}} | Convertto-Html | out-File Databaseabcreport.htm

Exchange 2013 – Send As, Send on Behalf and Full Access

Configuring send as, send on behalf and providing full access to a mailbox are fairly common requests. In Exchange 2010, you could set the send as and full access permissions by right clicking the user in the Exchange Management Console under recipient configuration and mailbox. Send on behalf required you to dig a little deeper into the configuration, and head into the users properties, mail flow settings tab and delivery options. In Exchange 2013 they have moved these options into a single location, which seems sensible. We’ll look at how to achieve the above with the GUI and Powershell in Exchange 2013.

With the GUI

Open EAC (Exchange Admin Center), browse to recipients, select the user you would like to grant the permission for and click the pencil to edit. In this example, I would like to grant Branch Warren the right to send as Ronnie Coleman so we select Ronnie and choose edit.

Exchange 2013 Admin Center

Choose the option mailbox delegation at the bottom and add the user you wish add the permission to. In this example, we want to grant Branch Warren the right to send as Ronnie Coleman.

Exchange 2013 Send on Behalf

Powershell

Send on Behalf – This will grant Branch send on behalf permissions for Ronnie

Set-Mailbox ronnie.coleman -GrantSendOnBehalfTo branch.warren

Send As – This will grant Branch send as permissions for Ronnie

Add-ADPermission ronnie.coleman -ExtendedRights Send-As -user branch.warren

Full Mailbox Access – This will grant Branch, full access to Ronnie’s Mailbox

Add-MailboxPermission -Identity ronnie.coleman -User branch.warren -AccessRights FullAccess -InheritanceType All

Tom’s Weekly Catch-up #1

Tom’s weekly catch-up will cover things of interest in the last week, recommended reading or simply interesting bits I’d like to share that don’t require a full post.

MCSA: Windows Server 2012 Training

Looking to obtain your MCSA in Windows Server 2012? You’re in luck! There are two great resources to study for the 70-410,411 and 412 exams, one from Born to Learn- which have put together great resource wikis for each of the exams and Trainsignal who are providing free access to various courses. When studying for exams, people often neglect to read the “skills measured” section on the Microsoft learning site. This should be your first stop when preparing your study plan, to make sure you’re covering all of the required material. The Born to learn resource Wiki’s mirror the skills measured section and link you to the relevant technet/blog articles. A great time saver. The Train Signal video course are generally very good, I’ve used them in the past when studying for my MCSE and MCITP:EA- I would recommend you make the most of the free training and get stuck in! Enjoy.

Born To Learn – 90 days to MCSA
Train Signal – 90 days to MCSA

Best Practices for Securing Active Directory

Responsible for Active Directory? You’ll want to grab the recently published (April 2013) version of Microsoft’s best practices for securing Active Directory. It’s pretty thorough and 314 pages long, but worth at least a scan if this is something you’re responsible for or simply as a reference. Microsoft provide the document as a .docx, if you would prefer a PDF I’ve got that covered here: PDF Version

Best Practices for Securing Active Directory

Synergy

Synergy has been around for a while, I remembering hearing about it some time ago but only recently had a reason to use it. It can be used to share a single keyboard and mouse across multiple computers, supporting Windows, OS X and Linux. I have two machines I use fairly frequently at work, my main machine and a test machine running Hyper-V with various guests for testing. Recently my desk seems to be getting smaller (I’m sure someone is chopping bits off it every night), and having two full sized keyboards is just a bit tight. Synergy allows me to free up this space!

Synergy

My Home Test-bed

Over the years I’ve dabbled with various setups at home, be that fully fledged servers, micro-servers, hosted solutions or similar to provide the ability to quickly provision servers for me to learn, test or troubleshoot a scenario. Let me outline some of the concerns and considerations.

  • Power consumption – Often overlooked, but at one time I was sitting at around 550-600w idle running my main machine, server and other networking bits. Roughly calculated, that used to cost me £50 a month to run!
  • Heat – A while ago I decided it’d be a good idea to borrow a couple of decommissioned servers for something I wanted to try out. I got them both up and running and popped out for the evening, when I returned my apartment’s temperature had risen by around 3 degrees and my office in which they were hosted was fairly unbearable.
  • Noise – Any normal server is going to be very loud in a home environment, so if you do decide to go that way keep that in mind and make sure you have somewhere far away from your bedroom or living room to host the server. Remember it’s not only pure noise, but vibrations which can drive you crazy when you’re trying to sleep or relax.
  • Performance – I see a surprising amount of older servers being snapped up on eBay, or mentioned on forums that are going to be used for test beds. Simply put, a lot of the older generations servers perform badly. They’re loud, hot and slow.

Now, before I get into what I’ve settled on- I’d like to clarify that a test-bed for me means being able to quickly bring up servers for a few months at a time. I’m not looking to leave these servers in the environment for years, nor am I (normally) particularly bothered about the data on them. So here it is. A single box consisting of:

  • Intel Core i7-2600k
  • 32GB of Memory (£120!)
  • 256GB Samsung 830 SSD
  • 2 Nics
  • ATI 5870 (Hey, I still game a bit).

That’s it. I use this machine as my main day-to-day at home, it’s running Windows 8 with the Hyper-V role enabled. I keep the vhdx files on the SSD which means that performance on the VMs is great, for example I’m able to install Server 2012 and be sat on the desktop in around 5 minutes. The machine idles at around 90w, which would be even lower if I didn’t have the ATI 5870 installed (probably 75-80w). I’m able to use the host as a day-to-day desktop without the guests affecting the performance, I simply don’t notice they’re running yet their performance is great. For the majority of my needs this setup is great, and it’s by far my favorite solution so far. I think it’s easy to get caught up in thinking you need a fully fledged “server” or enterprise equipment for your test-bed, more often than not, this is not the case.

HomeSetup

SCCM 2012 – Allow End User to Run Application As Administrator

I’ve been spending a bit of time recently, working around various constraints of working in an environment where UAC is enabled and end users have no local administrative rights over their machines. This especially becomes a problem when applications are written badly, don’t provide any means to be packaged or simply touch the system in a way that needs administrative rights. Essentially, what I wanted to provide was the ability for an end user to run x app, as an administrator- be that a particular software update or simply a program that wants to set itself as the default PDF reader.

Scenario 1

We run Sage Accounts, and fairly often they’ll release a small update. This update is provided as an .exe, has no silent switches, requires administrative rights and prompts the user to confirm the path to update. I’ve spent a fair amount of time trying to dissect this installation, capturing the process with an MSI packager (2 actually) with no luck. I even brought out the big guns and watched the installation with Sysinternals Process monitor. It gets to the point where you’re essentially re-writing the entire update, and quite frankly it’s just a massive time drain… not only that but it becomes a much riskier process and requires more testing. “Did I get everything”.

Scenario 2

PDF readers. We run two flavours, and users are generally given the choice to which one they choose. Of course, changing the default programs associated with PDFs requires administrative access. So, we may get a support call that requires us to remote in, fire up the “other” applications with admin credentials, and set it as the default reader. This becomes an unnecessary interruption for both the end user and admin. You could go ahead and create a GPO that writes the required registry keys, but it’s a bit messy and again requires a fair bit of initial effort to configure.

Allowing users to launch applications with administrative rights

To make this possible, we’ll be using the Software Catalog provided with SCCM 2012. This application is automatically deployed as part of the agent, so shouldn’t require any additional work client side.

I’ll give you two examples, one running a local executable on a system and the second running an executable on a file share. When using this method, the executable is loaded with the “system” account.

Local Executable

Browse to Software Library -> Packages, right click and select create package.

SCCM-Admin-1

Give the package a name, this is the title displayed in the software catalog, so you’ll want to make it user friendly!

SCCM-Admin-2

This is a standard program.

SCCM-Admin-3

The name field is tagged onto the package name, so append with run/setup/launch, whatever best describes the action. I’ve given the path and executable, and changed the run mode to run with administrative rights. You must tick “allow users to view and interact with the program installation” otherwise it’ll hide the application.

SCCM-Admin-4

Here you can specify some additional options, it’s worth changing the estimated disk space, as this is displayed in software centre and I normally bring the run time down from 120 minutes to 15.

SCCM-Admin-5

After this, next, next yourself through the end of the wizard. As this is running a local application there is nothing to distribute, you simply need to deploy the package to a device collection. This is a bit beyond the scope of this article, but I’ll look to write a post in the new future covering that.

Fire up the Software Catalog from the start menu and the package should be available for install.

SCCM-Admin-6

“Installing” this package, will launch the application under the system account and allow the user to set as default (it prompts on launch). Obviously the users mapped drivers will not be present in this session, but when was the last time you opened a PDF viewer and opened the file from within?

There is a security risk when launching a full application this way, as the application is elevated a user could open other applications from within with elevated privileges. This method is more suited to allowing the end user to run scripts, or applications that do not allow the user to open applications from within.

Executable on UNC Path

The process is essentially the same, except you provide the UNC path for the startup folder. If this is going to be launched on multiple sites, I’d recommend you use something like DFS to replicate the installation files around your particular locations.

SCCM-Admin-7-2

When this package is installed, it launches the accounts2013update2.exe under the system context and allows the users to confirm the update path and update the application. This particular application does not allow for any additional interaction bar allowing the user to confirm the update path, so the security concerns outlined above do not apply.

How Administering SCCM Feels…

Searching Group Policy

Today we’re looking at 3 easy ways to search Group Policy settings, primarily focusing on the Administrative Templates. With over 3000 settings (~3500 with Server 2012/Windows 8) you’re going to want to be aware of these methods!

1. Search with Microsoft’s GPSearch Site

Microsoft put this site up a couple of years ago, initially at http://gps.cloudapp.net/, this has now changed to http://gpsearch.azurewebsites.net and will enable you to search any of the Computer or User Administrative Template settings within Group Policy. They’re also linking to a Windows Mobile Application for searching group policy, it’s nice to see they’re putting out apps like this: http://www.windowsphone.com/en-gb/store/app/group-policy-search/d1615909-62e2-df11-a844-00237de2db9e.

SearchingGroupPolicy-6

2. Search with the Group Policy Management Console

You can search from within the GPMC MMC console itself by right clicking the Administrative Templates for the Computer or User segment and selecting filter options. The initial criteria is “any”, so you can simply type a keyword and filter the results based on that keyword, make sure you right click Administrative Templates and set the filter to “on”. The configured and commented options are quite interesting, I rarely see people commenting group policy objects or settings but this would allow you to only return commented or configured settings within a GPO.

SearchingGroupPolicy-2

SearchingGroupPolicy-3

SearchingGroupPolicy-4

3. Search with the Group Policy Settings Reference XLS(x)

I really like the spreadsheets that Microsoft have provided for searching Group Policy: http://www.microsoft.com/en-au/download/details.aspx?id=25250; the filters in place make it very simple to filter out what you’re looking for. I particularly like the “Reboot required” and “Logoff required” columns, very helpful. These spreadsheets are well worth a look as they tend to give you a little more information than the methods above.

SearchingGroupPolicy-7

« Older posts Newer posts »