Fragged!
ServiceDesk Plus with own Microsoft PKI
Posted by Simon Juul Larsen in IT on April 17, 2012
Sometimes it might be useful to have a certificate for ServiceDesk Plus that has been issued by your own Microsoft PKI, rather than a public vendor.
Here is how I did it:
(%SDPfolder% refers to the “ServiceDesk” folder, in my case this was C:\ManageEngine\ServiceDesk)
Items marked with bold are variables that you have to change to reflect your environment.
- Rename the default keystore “sdp.keystore” in %SDPfolder%\jre\bin to “sdp.keystore.original”
- Start a command prompt and “CD” to %SDPfolder%\jre\bin
- Generate a new keystore with the command: keytool -genkey -alias domain.com -keyalg RSA -keystore sdp.keystore
Explanation: The alias is only used internally in the keystore; end users will not see it. You should set it to the domain, not the FQDN. As keystore, specify the original “sdp.keystore” name – then you don’t have to change any configs later.
- Next you will be prompted for a password for your new keystore – set it to: sdpsecured
Explanation: By using the default sdpsecured password you don’t have to change any configs later. Since this is the product’s default password, the private key is effectively protected by the file permissions on sdp.keystore rather than by the password.
- Now you will be prompted for first name, last name and all that stuff.
First name and last name: server.domain.com <FQDN>
Organizational unit: server.domain.com <FQDN>
Organization: server.domain.com <FQDN>
City or Locality: dk <2-letter country code>
State or Province: dk <2-letter country code>
Two-letter country code: dk <2-letter country code>
Is CN=server.domain.com, OU=server.domain.com, O=server.domain.com, L=DK, ST=DK, c=DK correct? Yes
- Use the same password as keystore password, so press RETURN.
- Now to generate a Certificate Request: keytool -certreq -keyalg RSA -alias domain.com -file C:\certreq.txt -keystore sdp.keystore
Keystore password: sdpsecured
- Copy all the text from the new Certificate request file C:\certreq.txt
- Visit your PKI Certificate Enrollment website (https://certenroll.domain.local)
- Request a certificate -> Submit a certificate request by using a base-64-encoded….
- Paste the Certificate request, and select an appropriate Certificate Template (a web server certificate with key usage: Server Authentication)
- Submit and generate the certificate.
- Download the DER encoded Certificate Chain – this will give you a “certnew.p7b” file. Save this somewhere easy to reach.
- Open the “certnew.p7b” file (will open with certmgr)
- Expand the “Certificates” folder.
- Double-click the certificate issued to your own PKI ROOT CA, click the Details tab and use the Copy to File… button. Save the certificate to C:\root.der
- Double-click the certificate issued to your own PKI ISSUER CA, click the Details tab and use the Copy to File… button. Save the certificate to C:\intermed.der
- Back in the command prompt: keytool -import -trustcacerts -keystore sdp.keystore -alias root -file C:\root.der.cer
- keytool -import -trustcacerts -keystore sdp.keystore -alias intermed -file C:\intermed.der.cer
- keytool -import -trustcacerts -keystore sdp.keystore -alias domain.com -file C:\certnew.p7b
- Verify all certificates are installed with keytool -list -keystore sdp.keystore
- Copy the keystore file we have generated and populated: %SDPfolder%\jre\bin\sdp.keystore to %SDPfolder%\server\default\conf\sdp.keystore (overwrite or rename the target file if there is one)
- Stop and start ServiceDesk Plus – You should now have your own SSL certificate being used, assuming you had already enabled SSL for ServiceDesk Plus
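The verification step above only lists the entries, so it does not show whether the CA-issued certificate actually replaced the self-signed one under the key alias. The following is an added example, not part of the original post: it parses English-language `keytool -list -v` output and reports the two common failure cases. The function names are hypothetical and the sample listing is constructed.

```powershell
# Added example (not from the original post). Assumes English "keytool -list -v" output.
function Get-KeystoreEntry {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Alias name:\s*(.+)$') {
            $current = New-Object PSObject -Property @{
                Alias = $Matches[1].Trim(); Type = ''; ChainLength = 0; Owner = ''; Issuer = '' }
            $entries += $current
        } elseif ($current -and $line -match '^Entry type:\s*(\S+)') {
            $current.Type = $Matches[1]
        } elseif ($current -and $line -match '^Certificate chain length:\s*(\d+)') {
            $current.ChainLength = [int]$Matches[1]
        } elseif ($current -and -not $current.Owner -and $line -match '^Owner:\s*(.+)$') {
            $current.Owner = $Matches[1].Trim()      # first certificate of the entry only
        } elseif ($current -and -not $current.Issuer -and $line -match '^Issuer:\s*(.+)$') {
            $current.Issuer = $Matches[1].Trim()
        }
    }
    $entries
}

function Test-ServerEntry {
    param([string[]]$Lines, [string]$ServerAlias)
    $e = Get-KeystoreEntry $Lines | Where-Object { $_.Alias -eq $ServerAlias }
    if (-not $e) { return "No entry with alias '$ServerAlias'" }
    # A certificate imported under the wrong alias becomes a trusted cert with no key
    if ($e.Type -eq 'trustedCertEntry') { return "Alias '$ServerAlias' holds a certificate without a private key" }
    # A chain of one certificate whose issuer is itself is still the -genkey output
    if ($e.ChainLength -lt 2 -or $e.Owner -eq $e.Issuer) { return "Still self-signed; CA reply not installed" }
    "OK: key entry with a chain of $($e.ChainLength) certificates, issued by $($e.Issuer)"
}

# Constructed sample: keystore right after -genkey, before the CA reply is imported
$sample = @'
Alias name: domain.com
Creation date: Apr 17, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server.domain.com, OU=server.domain.com, O=server.domain.com, L=DK, ST=DK, C=DK
Issuer: CN=server.domain.com, OU=server.domain.com, O=server.domain.com, L=DK, ST=DK, C=DK
'@ -split '\r?\n'

Test-ServerEntry -Lines $sample -ServerAlias 'domain.com'
```

For a real keystore, pass the lines produced by `keytool -list -v -keystore sdp.keystore`, run from %SDPfolder%\jre\bin, as `-Lines`.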
If HTTPS/SSL is not already enabled, do the following to enable:
- Stop ServiceDesk Plus
- Run %SDPfolder%\bin\changeWebServerPort.bat 443 https
- Start ServiceDesk Plus again
Also, another neat trick is to install IIS (Internet Information Services) on the same server, and use this to redirect HTTP users to your HTTPS site:
- If not already installed, install IIS (Windows Server 2008 – Add Role). Be sure to check the ASP feature when installing.
- Create a “default.asp” file in C:\Inetpub\wwwroot with the following content;
<%@ Language=VBScript %>
<%
Response.Status = "301 Moved Permanently"
Response.AddHeader "Location", "https://server.domain.com/"
%>
- Done!
Change audio device with 1 click
Posted by Simon Juul Larsen in IT on April 11, 2012
At work I have a USB Headset connected to my PC, as well as a regular set of speakers with a 3,5mm Minijack. I often need to switch from one device to the other, and the Sound settings in the systray are simply too annoying to use.
I searched and stumbled upon this discussion; https://getsatisfaction.com/microsoft/topics/need_shortcut_to_change_audio_device_in_one_click
I ended up using the solution provided by “Bas”, which involves a script using AutoIT. It works perfectly! I have added a shortcut to the executable to my Taskbar, and now I can switch audio devices with 1 click.
Get the AutoIT file here: toggle-audio-7
Policy Reporter – Trace slow logon times
Posted by Simon Juul Larsen in IT on March 13, 2012
Primarily while working with Citrix/Terminal Services installations, I often came across the sentence; “Why are logon times so slow?”
One very good tool to assist in troubleshooting this problem is to use SysPro Policy Reporter, which is even freeware!
In brief it allows you to view the content of %systemRoot%\Debug\UserMode in a meaningful manner. You will be able to view the exact timestamp for each entry, and this can give you clues to optimize your logon experience. You will not get exact answers, but hopefully you will be able to translate the results yourself.
To be able to generate logon debug-output, you first have to enable this. See the instructions here: http://support.microsoft.com/kb/221833
In brief:
Use Registry Editor to add or to modify the following registry entry:
Subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (Hexadecimal)
You can get SysPro Policy Reporter here: http://www.sysprosoft.com./policyreporter.shtml
Alternative download link: Policy Reporter 4.2.11
PowerShell snips
Posted by Simon Juul Larsen in IT on December 29, 2011
An assortment of PowerShell scripts I have stumbled upon, modified where needed. Use at your own risk blah blah.
Sorry if I don’t give credit, but I simply can’t remember where I got them all from!
Many of them require Quest ActiveRoles Management Shell, an extension for Windows PowerShell (freeware).
Generic PowerShell
Read .CSV file and do something for each object:
ForEach ($usr in Get-Content "C:\temp\Users.csv") { Get-MailboxStatistics $usr }
Groups/AD users
Copy Group Members from Group A to B:
Get-QADGroupMember GroupA | % { Add-QADGroupMember GroupB -Member $_ }
Copy Group Membership information from User A to B:
(Get-QADUser userA).MemberOf | Add-QADGroupMember -Member domain\userB
“Bulk” change attributes on AD users:
Get-QADuser -sizelimit 0 | where-object { $_.Department -eq "Sales" } | foreach-object {Set-QADuser $_ -Department "Commercial"}
(Searches all users (sizelimit 0) where Department = “Sales” and for each object sets Department = “Commercial”)
Find “indirect” (nested) AD group memberships for a specific user:
Get-QADMemberOf "John Doe" -indirect | fl name,description >> C:\JDoe.txt
Find members of AD group, export to CSV:
get-qadgroupmember "group name" | select-object logonname, firstname, lastname | export-csv c:\filename.csv
Export selected ExtensionAttribute (or other) to CSV file
Get-QADUser -IncludedProperties extensionAttribute1 -sizeLimit 0 | Select-Object Name, samaccountname, extensionAttribute1 | Out-File C:\WhoIsWho.csv -width 400
Blank out ExtensionAttribute1 for all users that have it
Get-QADuser -sizelimit 0 | Set-QADUser -ObjectAttribute @{extensionAttribute1=$null}
Select users by country CAUTION, do not edit in this way!
Get-QADuser -sizelimit 0 -IncludedProperties c | Where-Object {$_.C -eq "GB" }
Exchange 2007/2010
Set Exchange mailbox quota:
set-mailbox "John Doe" -UseDatabaseQuotaDefaults $false -IssueWarningQuota 4GB -ProhibitSendQuota 5GB -ProhibitSendReceiveQuota 6GB
(Warning at 4GB, Block Send at 5GB and block receive at 6GB, remember to NOT use QuotaDefaults)
Export mailbox statistics to CSV file
C:\>Get-MailboxStatistics | ft Displayname,totalitemsize,databasename | Out-File C:\Mailboxstatistics.csv -width 200
Export mailboxes to .PST file
Add-mailboxpermission -identity "John Doe" -accessrights fullaccess -user "AdminUser01"
Export-Mailbox -Identity "John Doe" -PSTFolderpath X:\folder
(AdminUser01 has to be the one who’s running the Powershell at the moment of Exporting)
Removing disconnected mailboxes in Exchange Server 2007/2010
Listing all disconnected mailboxes:
Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null } | Select DisplayName,MailboxGuid
Removing a single entry:
Remove-Mailbox -Database <Database-Name> -StoreMailboxIdentity <MailboxGuid> -confirm:$false
Removing all users at the same time:
$users = Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null } | Select DisplayName,MailboxGuid
Now that we have all disconnected mailboxes in a var, we can run the following cmdlet to remove all of them:
$users | ForEach { Remove-Mailbox -Database "Mailbox Database" -StoreMailboxIdentity $_.MailboxGuid -confirm:$true }
Password Expiration Notice email
Posted by Simon Juul Larsen in IT on November 28, 2011
Found this very nice solution to sending password-reminders to users, all rights reserved Richard L. Mueller. http://www.rlmueller.net/PasswordExpires.htm
VBScript program demonstrating how to use ADO to find all user accounts where the password will expire within a specified number of days in the future. The program does not retrieve users whose password has already expired. The program also does not retrieve users whose password does not expire, whose password cannot change, where the user is not required to have a password, or where the account is disabled.
The program uses the domain maximum password age policy and the value of the pwdLastSet attribute of the users to determine when the passwords expire. Do not use this program if you use the new fine-grained password policies feature of Windows Server 2008. This program assumes the same password policy applies to all users.
The program filters on users where the pwdLastSet attribute corresponds to dates in the past such that the password will expire in the specified range. This requires converting the critical dates into the corresponding Integer8 values. For the users retrieved, the program uses the pwdLastSet attribute value to determine when the password will actually expire, in the time zone of the local computer.
For each user account found the program sends an email message to the user. The program uses the value of the “mail” attribute of the user object, which corresponds to the field “E-mail” on the “General” tab of ADUC. If this attribute does not have a value, the program uses the “proxyAddresses” attribute. This multi-valued attribute is used by Exchange to specify email addresses. This program uses the “primary” address of the user, which is the value which has either “SMTP:” or “X400:” as the prefix, in upper case. There can be only one “primary” email address in the collection. All other values have all lower case prefixes.
PwdExpires.txt <<– Click here to view or download the program
Next is a similar PowerShell script that retrieves all users whose passwords will expire within the specified number of days. An email function has recently been added, so the program is identical to the first.
PSPwdExpires.txt <<– Click here to view or download the program
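The Integer8 window described above can be worked through as follows. This is an added PowerShell example, not Richard L. Mueller's code: the function and parameter names are hypothetical, the maximum password age is passed in as a number of days instead of being read from the domain, and the "password cannot change" exclusion is left out.

```powershell
# Added example (not Richard L. Mueller's code). Parameter names are hypothetical.
function Get-PwdExpiryFilter {
    param(
        [DateTime]$NowUtc,      # current time in UTC
        [int]$MaxPwdAgeDays,    # domain maximum password age, supplied by the caller
        [int]$WarnDays          # report passwords expiring within this many days
    )
    # A password set at T expires at T + MaxPwdAge, so it expires inside
    # [now, now + WarnDays] exactly when now - MaxPwdAge <= T <= now - MaxPwdAge + WarnDays.
    $oldest = $NowUtc.AddDays(-$MaxPwdAgeDays)
    $newest = $oldest.AddDays($WarnDays)
    # Integer8: 100-nanosecond intervals since 1601-01-01 UTC, as stored in pwdLastSet
    $low  = $oldest.ToFileTimeUtc()
    $high = $newest.ToFileTimeUtc()
    # userAccountControl bits: 2 = disabled, 32 = password not required,
    # 65536 = password never expires (tested with the bitwise-AND matching rule)
    $flags = 2, 32, 65536 | ForEach-Object { "(!(userAccountControl:1.2.840.113556.1.4.803:=$_))" }
    "(&(objectCategory=person)(objectClass=user)(pwdLastSet>=$low)(pwdLastSet<=$high)$($flags -join ''))"
}

function Get-PwdExpiryDate {
    param([long]$PwdLastSet, [int]$MaxPwdAgeDays)
    # Expiry shown in the time zone of the local computer, as the text describes
    [DateTime]::FromFileTimeUtc($PwdLastSet).AddDays($MaxPwdAgeDays).ToLocalTime()
}

# Constructed input: 90-day policy, 14-day warning window
$now = [DateTime]::Parse('2012-04-17T00:00:00Z').ToUniversalTime()
Get-PwdExpiryFilter -NowUtc $now -MaxPwdAgeDays 90 -WarnDays 14
Get-PwdExpiryDate -PwdLastSet ($now.AddDays(-80).ToFileTimeUtc()) -MaxPwdAgeDays 90
```

Accounts with pwdLastSet equal to 0 (must change password at next logon) fall outside the window and are not returned.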
Hosted copies of the original script can be found here:
I modified the script (PowerShell) to allow for HTML emails with multiple lines of text.
First bit:
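Function SendEmail($To, $Body)
{
    # $Script:From, $Script:Subject and $Client are defined elsewhere in the script
    $Message = New-Object System.Net.Mail.MailMessage `
        $Script:From, $To, $Script:Subject, $Body
    # Send the body as HTML so the markup in the notice is rendered
    $Message.IsBodyHtml = $true
    $Client.Send($Message)
}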
Last bit (where you enter your custom text):
If ("$Mail" -ne "")
{
    $Notice = "<font size='2' face='Verdana'>" `
        + "<b>This is an automated message!</b><br><br>" `
        + "Your password for username $Name will expire by: <b>$PwdExpires</b> (mm/dd/yyyy) <br>" `
        + "Before then you must change your password by following one of the procedures mentioned below: <br>" `
        + "</font>"
    SendEmail $Mail $Notice
    "Email sent to $Name ($Mail), password expires $PwdExpires"
}
Battlefield 3 CO-OP and playing with friends doesn’t work
Posted by Simon Juul Larsen in Gaming, IT on October 28, 2011
Symptoms: When inviting a friend (in platoon or otherwise) to a game in Battlefield 3 on PC via the Battlelog (web-based) browser, one player will be unable to receive invites, and the invites that same player sends will not be usable by the other party. Also the player having this problem will not be able to receive chats, but can send.
Cause: Avast! Antivirus is causing this.
Solution: Disable Avast! Antivirus when playing Battlefield 3.
Confirmed with Avast! Program Version 6.0.1289, definitions version 111028-0
VBScript: Bypass the “Open File – Security Warning” dialog from VbScript
Posted by Simon Juul Larsen in IT on September 1, 2011
Found this solution to an annoying VBscript problem that I just had to save here:
You have had it before: the “Open File – Security Warning”. Nice feature, but not very interesting during execution of scripts. However you may not want to turn it off.
The simple solution in VBScript has been offered by MS themselves: the SEE_MASK_NOZONECHECKS environment variable. Change it at the start of your script and restore it at the end. Plain & simple!
Sample code (same as the KB article):
set oShell = CreateObject("Wscript.Shell")
set oEnv = oShell.Environment("PROCESS")
' Applies to this script's process only
oEnv("SEE_MASK_NOZONECHECKS") = 1
oShell.Run "c:\ms04-038\WindowsXP-KB834707-x86-enu /quiet /passive /norestart",0,True
' Restore normal zone checking
oEnv.Remove("SEE_MASK_NOZONECHECKS")
The Open File – Security Warning dialog box is displayed when you try to silently install a hotfix or an update by using a Visual Basic script in Windows XP Service Pack 2
http://support.microsoft.com/kb/889815
Exchange 2007 Certificate renewal
Posted by Simon Juul Larsen in IT on July 20, 2011
Reference/credits go to: http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-certificate-on-your-client-access-server/
SSL certificates are issued for periods spanning a number of years (typically in multiples, for example 1, 2 or more years); however, eventually they do expire and need to be renewed.
The renewal process involves generating a fresh CSR (Certificate Signing Request) on one of your Exchange Client Access servers – this is then sent to a root certification authority (for example VeriSign or Thawte) for processing into a valid SSL certificate (essentially they sign the request).
Disable Image Resize Dialog in MS-Outlook
Posted by Simon Juul Larsen in IT on July 20, 2011
If you select an image file and choose “Send To — Mail Recipient” in the context menu, the Send Pictures via E-mail dialog appears to ask you if you want to resize the image. To disable the dialog and to directly open the email client with the image attachment, follow the instructions below. This tip was hard to find with Google, so I pasted it here verbatim:
To disable the resize dialog for .JPG file type, use these steps [Reference]:
- Click Start, Run. Type regedit.exe and press {ENTER}
- Navigate to the following location: HKEY_CLASSES_ROOT\.JPG
- Backup the key by exporting it to a file.
- In the right-pane, double-click PerceivedType and assign a blank data to it.
- Close Registry Editor.
The same procedure applies for other image types. The original source also gives this caution, however, I did not encounter the mentioned problem:
There may be some minor side effects of using this method, as the PerceivedType string is another important file class information. PerceivedType string helps Windows determine the actual Type (image, video, audio or whatever) for a file. In case you experience image preview issues or any other problems after following the method in this article, you can revert the setting by changing the PerceivedType to image. Alternately, type REGSVR32 SHIMGVW.DLL in Start, Run dialog to regain the functionality.
Logitech Flight System G940, my experiences
Posted by Simon Juul Larsen in Gaming, IT on July 20, 2011
While working on my DIY simulator-seat (more on this when it’s done!), I decided I needed a ‘real’ joystick, with both stick and throttle (HOTAS – Hands On Throttle And Stick). I looked around and came up with 3 options; Logitech Flight System G940 (USD $300), Saitek X65-F Combat Control System (USD $400) or the Thrustmaster HOTAS WARTHOG (USD $500).
- G940
- X65-F
- WARTHOG
Not only was the Logitech the cheapest, it was also the only one that included Rudder pedals, as well as Force Feedback! Many people have complaints about the Logitech Gaming software – but having tried this previously with my G25 wheel, I wasn’t concerned. The Logitech G940 has one major drawback though; it shows up as 3 separate input devices (Joystick, Throttle, Pedals) – and this can render it completely useless for some games.
The Saitek X65-F has ‘Force Sensing’ , which looks really awesome, but is apparently only really good for jet-fighter sims.
With both the Saitek X65-F and Thrustmaster HOTAS WARTHOG you will need separate pedals, further adding to the already high costs. (Saitek Pro Flight Combat Rudder Pedals $200, for the Thrustmaster, CH Pro Pedals $123)


