We’ll start off with Inactive accounts first, and then work on the disabled accounts after that.
Active Directory in Server 2003 has a nice user/computer attribute called lastLogonTimeStamp that can help us keep track of inactive accounts. If you have ever tried to use that attribute, however, you might have come up with something like this…
I am pretty sure I’m not the only one who wants something more descriptive than DSC1900298.JPG to name my digital photos. And yes, I know that Windows Explorer allows you to rename pictures en masse, but I don’t like the convention they have chosen in that the first file is named [common name].JPG, then the subsequent files are named [common name] (2).JPG and so on and so forth.
I had a few requirements for how I wanted to go about this:
As part of our process to disable user accounts, we take ownership of the user’s server-stored documents such as roaming profiles and redirected My Documents directories. We then either keep access restricted to the domain admins group or grant access to a replacement user who should receive access to the departed user’s files.
With an upgrade to Exchange 2007, we have taken advantage of the Powershell access to Exchange objects, and have scripted the mailbox provisioning and account disable processes. One of the sticking points in getting the disable script wrapped up was seizing control of the user’s directories. Now, Powershell does have the ability to modify ACL’s through the New-Acl and Set-Acl cmdlets (links below), but the users have exclusive access to their server-side directories. It is easy enough to take ownership of a directory through the Windows Explorer Security dialog, but the Powershell methods all presented some form of error when trying to set permissions or change ownership on a file system object to which you do not already have access to.
Dell, Broadcom, and Microsoft have decided to partner up with the release of a technology called TCP/IP Offloading, or TOE for TCP/IP Offload Engine. It was bundled together in the Scalable Network Pack (SNP), included and enabled by default with Service Pack 2 (SP2) for Windows Server 2003. The gist of this technology is to enable high-load enterprise applications to be easily scalable. For those of you familiar with the OSI model, TOE moves layer 3 and 4 processing out of the OS and CPU into the NIC. The idea is to better utilize advances in network card performance and free up CPU cycles for other purposes, such as application-side processing.
This all seems well and good, if they saw fit to properly test the stuff out against their own applications!
Every now and then somebody asks me if there is some way around paying Adobe hundreds and hundreds of dollars if they just want to create some PDF’s. Answer? Absolutely!
Two free PDF printers you can use are CutePDF and PDFCreator. I have not used the latter, but I use CutePDF myself, have recommended CutePDF to several people, and have not had any problems with it.
If you are looking for a bit more functionality, such as creating a single PDF from multiple PDF’s, rearranging pages or adding/removing pages, converting PDF’s to MS Office documents, etc, be sure to check out PDF Converter Pro from Nuance Software. It has a whole whack of features, and it’s only about $100.
I’m not anti-Adobe or anything, but I just think that there are tonnes of less tech-savvy people out there paying hundreds of dollars for Adobe Acrobat functionality that they will never need.
Happy printing!
On a recent Exchange 2003 to 2007 upgrade, I ran into a very frustrating issue that significantly delayed our deployment. All new mailboxes that were created on using Exchange 2007 tools (Exchange 2007 Management Console or Powershell) were missing several crucial ADSI attributes, namely:
This topic has been covered a bit (here, here, and here, for instance) but I have been working on a project that utilizes Virtual Server for testing, and it came up again. A consultant that was working on the VM’s in question apparently struggled for quite some time before he asked for help on it. So, I thought I would see if another post on this might help someone out.
If you run into a situation where you have existing Microsoft Virtual Server/PC VHD files, but the sizes you created them with initially simply don’t cut it anymore, there is hope!
What you will need:
The beauty of the tool is that it can be without having to be installed (self-contained). Just extract the zip, double-click the VhdResize.exe executable, select your source file and destination VHD, and away you go! The VhdResize also allows you to convert from fixed-size VHD’s to dynamically-expanding VHD’s as well, and it is non-destructive on your source VHD.
Note that this only increases the size of the VHD, so that, effectively, your VM will see a larger physical hard disk present; it does not resize partitions on that drive. For that, you can either use Disk Management or diskpart in your guest VM, or mount the VHD using the vhdmount utility included in Virtual Server and use those disk utilities from your host OS (quick walkthrough here).
Let me know if that’s of use!
If you have ever had to take on a Physical-to-Virtual (P2V) migration of a server or other machine, you know that you generally have a fine balance of the following triangle of factors: cost, complexity, and reliability. It seems like the only way to get an easy and reliable solution is to throw gobs of money at either a VMWare infrastructure or something like Platespin. Don’t get me wrong: from what I’ve heard they both offer excellent solutions in that field, but it simply isn’t cheap. I had to find out the hard way, but there is another way.
I had hoped to put this all in one post, but the thing would have gone on forever! Part I covered some basics in copying group memberships to an Active Directory user from another user, such as a template account, using Powershell. Part II will delve into my misadventures in gaining more control of user group memberships, including removing users from a group either by editing the group’s attributes or editing the user’s attributes. I was also looking for a way to change dial-in permissions on user accounts, and that will be covered by a similar strategy.
While these examples should be less dependent on the MS Exchange 2007 snap-in for Powershell and Powershell Community Extensions, please note that I have not checked through the code samples to confirm what is purely Powershell and what requires those snap-ins.
I recently had to spend hours figuring out how to properly modify Active Directory group memberships using Powershell. Some of the .Net methods have not yet been implemented, so I had to get a bit tricky with it. I could find the various bits of information I needed in various places, so I hope that collecting them here in one place is of some use to others.
The scenario was that I needed to disable user accounts in a Windows Server 2003 Active Directory environment running with Exchange 2007. We have a fairly customized, hosted Exchange environment, and so disabling a user is not just a simple matter and right-clicking and disabling the account in Active Directory Users and Computers (ADUC); we have a 2-page doc for the process to catch everything from removing group memberships to setting up email forwarding or restrictions, changing dial-in permissions, changing NTFS permissions on profile directories, etc.
