Commvault Simpana; Linux Informix Db Jobs failing.

So for the past month I've had a reoccurring issue with one Linux client and backing up the Informix db.

        Error Code: [82:129]
Description: The job is pending because: The remote end has closed network connection unexpectedly
Source: mi-2k2-cv, Process: CVD


Here's some pertinent info from the client logs IFXXBSA.log and bar_act.log:

IFXXBSA.log
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject:  Query.CopyType:3|LGName:|CopyGpName:|ResourceType:ND
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject:  Query.ObjectType=4|ObjectStatus=2
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject:  Query.Description=
7940 b740d940 12/18 16:46:28 527474 ReadFromOnconfig() -  nitems : 2
7940 b740d940 12/18 16:46:28 527474 ReadFromOnconfig() -  Parameter SERVERNUM= 0
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject: Call GetBackupInfoByJob to set/update the ArchFileMap cache
7940 b740d940 12/18 16:46:28 527474 ::GetSubclientDir() - The subclient directory is [/opt/simpana/iDataAgent/jobResults/2/5789].
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject: GetBackupInfoByJob did not succeed.. ignore and continue
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject: /ifmx_online/datadbs01/0 . Try ArchiveManager. size=1|PID=7940
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject: Unable to find object key=/ifmx_online/datadbs01/0 in the map.
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject: Check map(for debugging): key=/ifmx_online/rootdbs/0|val=/ifmx_online/rootdbs/0.1450475164.7940
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject: /ifmx_online/datadbs01/0 not found in CV database
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject: Trying to find /ifmx_online/datadbs01/0 in ixbar..|obj_field2=datadbs01|startrefversion=0
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject: /ifmx_online/datadbs01/0 not found in /opt/IBM/informix/etc/ixbar.0.
7940 b740d940 12/18 16:46:28 527474 BSAQueryObject: Exit, status:26
7940 b740d940 12/18 16:46:28 527474 BSAEndTxn: Enter, vote:2
7940 b740d940 12/18 16:46:28 527474 BSAEndTxn: Error: Transfer Incomplete
7940 b740d940 12/18 16:46:28 527474 BSAEndTxn: Exit, status:3
7940 b740d940 12/18 16:46:28 527474 BSATerminate: Enter - PID:7933, TID:7940, xbsaParams.pid:7933
7940 b740d940 12/18 16:46:28 527474 IfxBackupRestoreBase::ExitHere() - Job[0] thread[7940]: m_totalFilesTrans=0 m_totalFilesTransferred=0
7940 b740d940 12/18 16:46:28 527474 IfxBackupRestoreBase::Finalize() - Job[0] thread[7940]: Exit.
7940 b740d940 12/18 16:46:28 527474 IfxAgentBase::Finalize() - delete m_hostName
7940 b740d940 12/18 16:46:28 527474 BSATerminate: Exit, status=0, exstatus=3


bar_act.log

 2015-12-18 16:04:29 6482  6476 onbar_d complete, returning -1 (0xffffffff)
 2015-12-18 16:24:38 7113  7106 onbar_d -b -L 0
 2015-12-18 16:24:38 7113  7106 Working with cvsm as generic storage manager.
 2015-12-18 16:24:38 7113  7106 Archive started on rootdbs, datadbs01, llogdbs01 (Requested Level 0).
 2015-12-18 16:24:38 7113  7106 (-43078) Open or close failed on file '/opt/IBM/informix/etc/ixbar.0', errno = 2 .
No such file or directory
 2015-12-18 16:24:38 7113  7106 Begin level 0 backup rootdbs.
 2015-12-18 16:24:38 7113  7106 Starting Filter /bin/gzip.
 2015-12-18 16:24:38 7116  7113 Successfully connected to Storage Manager.
 2015-12-18 16:24:58 7116  7113 The child process for the backup and restore filter is terminating
with exit code 0.
 2015-12-18 16:24:58 7113  7106 Successfully connected to Storage Manager.
 2015-12-18 16:25:01 7113  7106 Completed level 0 backup rootdbs (Storage Manager copy ID: 7113 1450473878).
 2015-12-18 16:25:01 7113  7106 Begin level 0 backup datadbs01.
 2015-12-18 16:25:01 7113  7106 Starting Filter /bin/gzip.
 2015-12-18 16:25:01 7139  7113 ASSERT: file bar_unix.c line 1448 - contact product support
 2015-12-18 16:25:01 7139  7113 See also: /storage/informixtmp//core
 2015-12-18 16:25:01 7113  7106 (-43082) Writing to backup and restore filter failed with error 136103679.
 2015-12-18 16:25:12 7113  7106 Begin backup of critical file '/opt/IBM/informix/etc/ixbar.0'.
 2015-12-18 16:25:12 7113  7106 (-43078) Open or close failed on file '/opt/IBM/informix/etc/ixbar.0', errno = 2 .
No such file or directory
 2015-12-18 16:25:12 7113  7106 onbar_d complete, returning -1 (0xffffffff)


The resolution for this particular issue was removing a pair of functions from an onconfig file on the client, specifically:

BACKUP_FILTER /bin/gzip
RESTORE_FILTER /bin/gunzip

Restarted Informix via onmode -ky then oninit -v then re-tried the incremental backup job and EUREKA! much success.

Outlook 2010 opening in Safe mode.. all of a sudden

We had some users report issues with Outlook 2010 this morning.. opening the program for the first time today resulted in Safe Mode. Subsequent closing and re-openings also were in Safe Mode.

Googling returned this Reddit article about KB3114409 is the cause.  removing and rebooting resolves the issue.

http://www.infoworld.com/article/3013219/microsoft-windows/microsoft-pulls-botched-patch-kb-3114409-that-triggered-problems-with-outlook-2010.html

Basically:
Microsoft's Patch Tuesday update KB 3114409, intended to help admins keep Outlook 2010 from starting in safe mode, has in fact done the opposite. Many Outlook 2010 customers report that installing KB 3114409 forces Outlook to start in safe mode....

Powershell Line Continuation

In my Powershell script that I created earlier this year to create new domain user objects while also editing several attributes I ran into an issue here yesterday where I wanted to package it up as an executable for other members of IT here. Once converted using the PS2EXE script here, it'd fail to add the streetaddress, city, zip, and scriptpath attributes only.  Very, very weird.

So in ISE the script would process 100% correctly, however in a Powershell session or after converting to an EXE it'd fail.

I posted to ExpertsExchange and only really got head scratches, and a couple comments about the organization of the script.  I had a switch array before the actual $ value, which I swapped around. I had thought initially that maybe there was a limit to the number of values you could modify either in one line or in one cmdlet but that's just crazy talk.  I tried breaking the New-ADuser part up over multiple lines but then it started missing other attribute values.

So I went looking for the correct method of busting up a long cmdlet and read about Splatting.  Splatting didn't work for me.. not sure why but most likely I got the syntax wrong.  So then I found the back tick (`) line continuation.  This method actually worked.. so to show you before I had this:

New-ADUser -path $myOU -samaccountname $name -name $displayname -DisplayName $DisplayName -Surname $Surname -givenname $givenname  -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -force) -enabled:$false -emailaddress $proxyaddress  -Description $Description -Title $jobtitle -Office $office -UserPrincipalName $proxyaddress -Department $department  -Company $company -StreetAddress $Street -city $city -state $state -PostalCode $zip -ScriptPath $scriptpath

All on one gigantic line.. Now though it's this:

New-ADUser -path $myOU -samaccountname $name -name $displayname -DisplayName $DisplayName -Surname $Surname -givenname $givenname `
 -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -force) -enabled:$false -emailaddress $proxyaddress `
 -Description $Description -Title $jobtitle -Office $office -UserPrincipalName $proxyaddress -Department $department `
 -Company $company -StreetAddress $Street -city $city -state $state -PostalCode $zip -ScriptPath $scriptpath

I know it's not MUCH different here but notice the back ticks.. those are breaking it up over 4 lines.  Makes it incredibly easier to read and now my script works again.  Now I'm not saying that breaking up this cmdlet over multiple lines actually fixed the missing variables but I'm glad I had to go through it.

Solarwinds, IT is your destiny - t-shirts

Stumbled across this yesterday: https://thwack.solarwinds.com/community/solarwinds-community/contests-missions/it-is-your-destiny?CMP=SOC-X-LI-Q415_GDL_THW_Contest_LI-X-THW_LP-THW I've already submitted a SS for the SAM module.

Powershell - Convert date to large integer

Found this today.. converting a date into a Large integer.. used in various positions within Active Directory.



(Get-Date "01/01'2015").ToFileTime()

And that's it.  Surprisingly easy.

Powershell Remote Goodies (RDP Shutdown Query)

I had cause this morning to reboot a remote server that was unresponsive to RDP sessions.  The server is running Windows 2003 (yes, yes I know.. )  So new RDP session would hang at Applying settings so I looked to POSH to take care of this.

A couple things I discovered that I'd not heard of before.. Quesry session, and MSG.

First off to see what users had sessions:
Query Session /server:"servername"

It will list all current sessions whether Active or otherwise. Very nice.

Next is MSG.

The MSG command sends a message just like the old NET SEND did.  So first thing to notify the few users who had working sessions that the server was going down.

(I didnt even need to use my admin account for this)
MSG /server:"server name" *
Enter message to send; end message by pressing CTRL-Z on a new line, then ENTER.

Easy as cake.. even my RDP session that was still Applying Settings got the notice. So next step to actively tell it to reboot.

First thing I tried was
Shutdown /r /m \\servername /force

Which didn't work because I did not have the right permissions.  Next was running POSH as my admin account, when I retried the command it wanted a reason code.

Reasons on this computer:
(E = Expected U = Unexpected P = planned, C = customer defined)
Type    Major   Minor   Title

 U      0       0       Other (Unplanned)
E       0       0       Other (Unplanned)
E P     0       0       Other (Planned)
 U      0       5       Other Failure: System Unresponsive
E       1       1       Hardware: Maintenance (Unplanned)
E P     1       1       Hardware: Maintenance (Planned)
E       1       2       Hardware: Installation (Unplanned)
E P     1       2       Hardware: Installation (Planned)
  P     2       3       Operating System: Upgrade (Planned)
E       2       4       Operating System: Reconfiguration (Unplanned)
E P     2       4       Operating System: Reconfiguration (Planned)
  P     2       16      Operating System: Service pack (Planned)
        2       17      Operating System: Hot fix (Unplanned)
  P     2       17      Operating System: Hot fix (Planned)
        2       18      Operating System: Security fix (Unplanned)
  P     2       18      Operating System: Security fix (Planned)
E       4       1       Application: Maintenance (Unplanned)
E P     4       1       Application: Maintenance (Planned)
E P     4       2       Application: Installation (Planned)
E       4       5       Application: Unresponsive
E       4       6       Application: Unstable
 U      5       15      System Failure: Stop error
E       5       19      Security issue
 U      5       19      Security issue
E P     5       19      Security issue
E       5       20      Loss of network connectivity (Unplanned)
 U      6       11      Power Failure: Cord Unplugged
 U      6       12      Power Failure: Environment
  P     7       0       Legacy API shutdown

I re-ran the command but by this time the local staff had powered it off since it was not responding to a shutdown at the console either. :(

But I did learn some new things today.

Thank you Imgur

Found this today and I like it.

Sauce: http://i.imgur.com/z6VaJuo.jpg

Powershell Script - Change Contractor Info

Crafted this gem today.. I need to change some AD attributes for contracted personnel, namely adding a 'c-' to the beginning of their email, UPN and SAMAccountName. Adding a '(Contractor)' to the end of the DisplayName field and changing a couple proxyaddresses.


First things, the csv used has the following columns:

name, mail, displayname, samaccountname, proxyaddress_0, proxyaddress_1, proxyaddress_2

Code:

#========================================================================
# Created with: SAPIEN Technologies, Inc., PowerShell Studio 2012 v3.1.26
# Created on:   10/9/2015 1:46 PM
# Created by:   Ben Hart
# Organization: UnifiedBrands
# Filename:     Change-ContractorInfo.ps1
#========================================================================


Import-module ActiveDirectory
Import-Csv -Path d:\Users\username\Desktop\test.csv | foreach-object {


$email = $_.mail
$Displayname = $_.displayName
$UPN = $_.mail
$sam = $_.samaccountname
$proxy0 = $_.Proxyaddress_0
$proxy1 = $_.Proxyaddress_1
$proxy2 = $_.Proxyaddress_2


set-aduser -identity $sam -emailaddress $email -UserPrincipalName $email -DisplayName $Displayname



Set-ADUser -Identity $sam -Replace @{proxyaddresses=@("SMTP:"+$email)}
Set-ADUser -Identity $sam -Add @{proxyaddresses="$proxy0"}
Set-ADUser -Identity $sam -Add @{proxyaddresses="$proxy1"}
Set-ADUser -Identity $sam -Add @{proxyaddresses="$proxy2"}
Set-ADUser -identity $sam -Replace @{targetaddress="$email"}

}

CommVault - Simpana iData Agent install on LInux

So push installations from the Simpana console sometimes don't work on *nix hosts, so I resorted to installing interactively.  Problem was I was getting an error concerning an incorrect version of KSH.

My resolution was a 'chmod -R 755 .'  Running that from within the directory where the cvpkgadd file is.  Fixed me right up!

PowerShell Script - Backing up ESXi Configuration

Crafted this guy today because I've been forgetting to backup our ESXi hosts configs in quite a while.

I used a small part of the PowerCLI script to load the modules for this..



# Loads additional snapins and their init scripts
function LoadSnapins(){
   $snapinList = @( "VMware.VimAutomation.Core", "VMware.VimAutomation.Vds", "VMware.VimAutomation.License", "VMware.DeployAutomation", "VMware.ImageBuilder", "VMware.VimAutomation.Cloud")

   $loaded = Get-PSSnapin -Name $snapinList -ErrorAction SilentlyContinue | % {$_.Name}
   $registered = Get-PSSnapin -Name $snapinList -Registered -ErrorAction SilentlyContinue  | % {$_.Name}
   $notLoaded = $registered | ? {$loaded -notcontains $_}
 
   foreach ($snapin in $registered) {
      if ($loaded -notcontains $snapin) {
         Add-PSSnapin $snapin
      }
   }
}
LoadSnapins




$cred = Get-Credential
connect-viserver 1.2.3.4  -credential $cred
get-vmhost | get-vmhostfirmware -backupconfiguration -destinationpath "C:\vmware_backups"

pause

Outlook 2013 Message Header Analyzer

Damn near the best Outlook add-on I think I've ever used, period. You can get it here:

https://store.office.com/message-header-analyzer-WA104005406.aspx?assetid=WA104005406


What it does is allow you to inspect message headers right from the Preview pane, or if you don;t use that from the email itself without having to pull up the Properties and then copy/paste from that tiny little window into Notepad or something in order to read it all.
The bonus though about this add-on is that it breaks the headers down just like Microsoft's Header Analyzer from: https://testconnectivity.microsoft.com/MHA/Pages/mha.aspx

Here's what it looks like from within Outlook

PowerShell Script - Generate list of domain users and their Logon Script values

Yesterday I had cause to make some logon script changes.. Now we still use Batch files but in combination with PowerShell scripts and Group Policy Objects.  However a few years ago I made some test changes and discovered that I had not pushed those out to all users. *DOH*
The push currently to get everyone on the same page is DFS.  Distributed File System for those who don't know... We're preparing to make changes to some file servers and if all users are using DFS paths it'll be very easy.
Anyway below is the script I used to generate the text file with the data.

Get-AdUser -Filter * -Properties ScriptPath | ft Name, Scriptpath > C:\PathToFile\File.txt


Which resulted in A LOT of accounts that I don;t need to sift through.. ex-consultants, service accounts and the like. So I narrowed my field of search down a bit...


Get-AdUser -Searchbase "OU=blahblah,OU=blahblah,DC=Domain,DC=com" -filter * -properties ScriptPath | sort-object ScripPath | ft Name, ScriptPath > C:\PathToFile\File.txt




There you go, enjoy.

Exchange Online and Remotely Terminated Employees

So as you know my company recently (Feb) migrated to Exchange Online and one thing we did not think to ask about during that really hurried and busy time period was how to immediately sever email communications with remote employees when they are terminated.

What I've been hearing today is that our practice of firing people without having either them come into an office or an employee (likely HR) travelling to them.  Do things like collect hardware, deal with exit interviews, company property, outstanding expense reports, etc.

We actually fire people via phone calls, and hope they want their last check bad enough to ship in all the company property AND to not do anything stupid.  Well it happened yesterday.
We apparently fired a person who 8 hours later sent out some emails under his company account.


Many folks blew a virtual gasket.. then of course flooded IT with questions: How did he do that? Why was his access not cut off?, etc, etc..

Well to answer that we have a procedure that worked perfectly pre-migration that consisted of
running a powershell script that I developed two years ago that performed the following

1. Changed the domain user password
2. Disabled the domain account
3. Changed the description field to term the exact time/date of termination
4. Hid the user from the GAL
5. And moved the user object into a Disabled Users OU

All of that took care of the issue because once the domain account was disabled any VPN session were terminated. Disabled user account and changed password meant no OWA access either.

Now, however, once all of that is done if the user keeps outlook open their session lives on for up to 10 hours.  That's how this latest guy was able to send email.

So it turns out that we have protections in place for mobile devices, however the way our local domain info syncs to the parent company which in turn syncs to Microsoft is rather convoluted IMO.

We use PCNS to sync AD credentials.. which is good except password changes are synced in almost real time.  Account changes though can take anywhere up to 6 hours. So while we can change their password, if they keep Outlook open their current session will keep working for 10 hours or so before checking to see that the password has changed in order to prompt the user to input the new password.  Or before it determine the account is disabled which then makes Outlook cough and sputter.

So how to fix this?

I/We played with settings such as disabling MAPI, OWA, Activesync via ECP but those seem to need Outlook (or the device) to be restarted before the change takes affect.. or 10 hours passes in the case of Outlook.

What we eventually determined was that changing the MaxSendSize to 0 takes roughly 10 minutes. You could change the RecieveSize too just to be safe.

This is our fix until the company decides to either bring the term into an office or send a representative to them.

Win?

Upgrading forest functional level, and DFS mode

So today I ran into a small issue.. I noticed that it seems that computer tombstoning is not happening as I have multiple computer objects with lastLogonTimestamps of 2012...

In pursuing further I discovered that I don't have the AD Recycle Bin because we're still running at a Forest Functional Level of 2003.  Gotta fix that!  Except WHOA.. we use DFS and it's stuck at a 2000 mode.
I go looking and Microsoft graciously did not craft an upgrade for DFS, so it looks like the only way to upgrade my forest level and keep a functioning DFS is to upgrade them both.

Raising the forest functional level is easy and fast.

Open the Active Directory Administrative Center
Right-Click on your domain
Choose raise your Forest functional level

Easy peasey.

Now 'upgrading' your DFS mode take a little more work.


First you're going to want to backup your existing DFS configuration, run the following from one of your domain controllers:

dfsutil root export \\<domain.fqdn>\<Namespace> %temp%\namespace_backup.xml

Next you are going to remove your old namespace..  open your DFS Management snap-in and remove your namespace servers. That's it.

Now in this step you will be creating a 'new' namespace however you will keep the original names.  If your original namespace was "consoso.com\Public" then create the new one using that name.  Except during the creation make sure the box for 2008-mode is checked. Also it hurts nothing to leave the DFS Share from the default "C:\%systemroot%\DFSRoots"

Make sure you add all the same namespace servers you had before as well..

Lastly you will import your old config via:

dfsutil root import merge %temp%\namespace_backup.xml \\<domain.fqdn>\<Namespace>

DFS and non-domain joined pc's

It won't work, period.


We have some outside consultants in-house for the next few months.. I created them all domain accounts and they VPN in.  Since they are all using laptops that are not part of our domain they cannot follow DFS links.  So for a shared folder I had to give them the direct path :(

Search-ADAccount -lockedout.. Where have you been all my life?

So yesterday I had a supervisor call me because a few of his users could not get logged in.  I went down the usual list of accounts that I know they use and non-were locked out.  I tell him to get find out what username the problem folks are using and to let me know.  So he hangs up and while Im sitting there I decide to google it.

Search-ADAccount - locked out

Is what I found.. OMG! Where has this command been for the past few years? So easy.. So short.. So easy to remember.

GT Rebuild: Sears ST/16 Part 3

And now the moment I have been waiting for ;)  She's is finally finished*.

Here's some pics as I know everyone wants pics first.. then text.

Technically she';s not "finished" finished, as I still need to replace the regulator, and wire up the lights however I am able to drive it and plow with it.

PowerShell: Export-CSV with specific user info

Today I had need to export a bunch of info about our users for some sort of internal survey sending situation.


Get-ADUser -Filter * -SearchBase "OU=Employees,DC=Domain,DC=Com" -Properties DisplayName, EmailAddress, Department, Manager | Select DisplayName, EmailAddress, Department, Manager | Export-CSV "D:\path"

GT rebuild: Sears ST/16 Part 2

So one of the very first problems I ran into on this build was the engine smoked like a freight train.  The previous owner said he thought it needed piston rings.  I ran able to get it started and drove it around the yard twice and I noticed two things: A. The head gasket was blowing oil onto the back of the muffler and B. Yes lots of smoke comes out of the muffler itself.

I checked, and double checked and triple checked the valve clearance and the .006 intake and .010 exhaust is set correctly. The starter, sheet metal, valve train, and SSI were all good.

Being as the ring kits were upwards of $60 bucks, and I lack the tools to remove the rockers and valves I decided to re-power.

Lucked into a nice guy on Craigslist who had a Tecumseh OH140 14hp engine, with a bad SSI.  Since I had a known good one I figured it'd be a good buy. We tested the starter before exchanging money and it turned over very well, which mine did not.  So I bought it and brought it home.

I spent quite a few days cleaning the new engine. and then putting on and testing the SSI swap.  Now what I don;t know is, at some point during the SSI testing I somehow either killed mine or it just stopped working. Damn.  Replacement SSI units even on eBay run almost $250!  No way would I spend that kind of dough on it so in my many googling sessions I stumbled across Ed Stoller's website about converting SSI ignitions into coil/battery setups.
Engines and Magnets

Of Note: Be careful scraping off the existing epoxy, once it gets hot and you start pushing with the flathead the pieces will basically shatter off and they are hot to boot so yeah..watch out for burns.
Secondly: Do NOT try to crank the engine without a spark plug attached and grounded.  The SSI (if working) will build up current and end up shorting some internal component as it tried to find it's own ground.

Anyway after breaking the trace, and soldering both the jumper and the diode my SSI is now a pickup coil :)

I've gotten excellent spark with Ed's setup and it's MUCH cheaper than replacing the SSI with either new or even refurbished modules.

GT rebuild: Sears ST/16

I'm veering off my normal path here with a non-IT posting.  I've recently gotten into rebuilding garden tractors, and my latest project is a 1973 Sears ST/16. I bought it from a guy down towards the southern end of the state and it came without a mowing deck but with a front blade, rear blade, a single bottom moldboard plow and a disc.
These units were built tough before built tough was a trademark. It originally came with a Tecumseh OH160 16hp overhead valve, single cylinder engine. And a 3 forward and 1 rear speed geared transmission.

Here it is at the beginning. Rusty and ugly.

I have taken the hood, grill and fenders off and repainted them all. The white I used was IH white, the yellow was New Caterpillar yellow. This hog came with heavy wheel weights and a body weight that I sold the front blade which was for a John Deere 200 series.

Engine wise is smoked like a freight-train.. lots of blow by. So with the ring kits being upwards of $60 I found a replacement engine for $75 (which gives me a lot of spare engine parts) which ended up being an OH140 14hp Tecumseh.  Same exact setup only with a smaller piston.

Other existing issues included a leaky gas tank, frozen up carb, old fuel lines, no fuel filter or pump, the transmission fluid was horribly old, left front tire has holes and the muffler was rotten.

I post this now because I'm almost at the end of this rebuild.. I'll follow it up with an after pic once fully completed.

Powershell - Change computer object description to username

Two years ago, with help from ExpertsExchange, I had created a VisualBasic script to collect the currently logged on users username, and set the computers description to that username in AD.

To us it's purpose was to help associate the computers to the actual user, since computers change hands, get re purposed and you don't always remember to change the description.

So here's the old script:

On Error Resume Next

strComputer = "."

Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2").ExecQuery("Select Description FROM Win32_OperatingSystem")

For Each object In objRegistry

strDescription = object.Description 

Next 

Set objSysInfo = CreateObject("ADSystemInfo")

Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

objComputer.Description = strDescription

objComputer.SetInfo

And the new Powershell version:

Import-Module ActiveDirectory

$computer = $env:computername

$username = $env:USERNAME

set-adcomputer $computer -description $username

Shocking, no?  Another reason I :heart: Powershell.


UPDATE:

Well this script has failed me.  Well not the script mind you but I ran into an issue in it's utilization here that will not work.  Our images of Win7Ent do not contain the RSAT tools for obvious reasons.. but that means that my attempt to call this via a GPO logon script failed because running this script locally on a machine that does not have the module means import-module ActiveDirectory fails.

The fix for our scenario was to fall back to the visual basic script above.  It's still called from a GPO though, after giving Authenticated Users write permission to computer-Description.

Powershell - Script generates CSV with computer names and bitlocker recovery key and TPM-OwnerInformation

So here at work we're in the process of Bitlocking 'important' users laptops and to help keep track and poll AD I went looking for a powershell script to accomplish this.  I found a script here: https://gallery.technet.microsoft.com/ScriptCenter/4231a8a1-cc60-4e07-a098-2844353186ad/

Props to Jan Egil Ring, his relevant blog post is http://blog.powershell.no/2010/10/24/export-bitlocker-information-using-windows-powershell/ for creating the first iteration using  Quests Powershell addons back in 2010.

I don;t use the QAD tools anymore so I went to work on configuring the script to run natively.


So this script generates a CSV with all computer objects with Windows 7 or 8, pulls the msTPM-OwnerInformation and msFVE-RecoveryInformation and marks the columns for the recovery key and TPM owner as either True or False.

Anyway here's the meat:

# 
# 
# NAME: Get-BitlockerEnabledComputer.ps1 
# 


# EDITTED BY: Benjamin Hart
# EMAIL: Invalid.path@gmail.com
# 
# COMMENT: Script to retrieve BitLocker-information for all computer objects with Windows 7 or Windows Vista in the current domain. 
# 
#          The information will be exported to a CSV-file containing the following information: 
#          -Computername 
#          -OperatingSystem 
#          -HasBitlockerRecoveryKey 
#          -HasTPM-OwnerInformation 
#           
#          Required version: Windows PowerShell 1.0 or 2.0 
#          Requried privileges: Read-permission on msFVE-RecoveryInformation objects and Read-permissions on msTPM-OwnerInformation on computer-objects (e.g. Domain Admins) 
#     
#  
# 




import-module activedirectory 

#Custom variables
$CsvFilePath = "path_to_csv" 

set-location AD:
$bitlockerenabled = Get-ADObject -LDAPFilter '(objectclass=msFVE-recoveryInformation)' -Properties cn,distinguishedname | ForEach `
{
    ((($_ | Select -ExpandProperty DistinguishedName) -split ",?CN=")[2] -split ",")[0]
}

$computers = Get-ADComputer -filter * -Properties cn,OperatingSystem,msTPM-OwnerInformation | Where-Object {$_.operatingsystem -like "Windows 7*" -or $_.operatingsystem -like 
"Windows 8*"} | Sort-Object msTPM-OwnerInformation

#Create array to hold computer information 
$export = @() 

read-host "Created array"

foreach ($computer in $computers) 
  { 
    #Create custom object for each computer 
    $computerobj = New-Object -TypeName psobject 
    
     
    #Add name and operatingsystem to custom object 
    $computerobj | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $computer.Name 
    $computerobj | Add-Member -MemberType NoteProperty -Name OperatingSystem -Value $computer.operatingsystem 
     
    #Set HasBitlockerRecoveryKey to true or false, based on matching against the computer-collection with BitLocker recovery information 
    if ($computer.cn -match ('(' + [string]::Join(')|(', $bitlockerenabled) + ')')) { 
    $computerobj | Add-Member -MemberType NoteProperty -Name HasBitlockerRecoveryKey -Value $true 
    } 
    else 
    { 
    $computerobj | Add-Member -MemberType NoteProperty -Name HasBitlockerRecoveryKey -Value $false 
    } 
    
     
    #Set HasTPM-OwnerInformation to true or false, based on the msTPM-OwnerInformation on the computer object 
     if ($computer."msTPM-OwnerInformation") { 
    $computerobj | Add-Member -MemberType NoteProperty -Name HasTPM-OwnerInformation -Value $true 
    } 
    else 
    { 
    $computerobj | Add-Member -MemberType NoteProperty -Name HasTPM-OwnerInformation -Value $false 
    } 
   #  $computerobj | add-member -membertype noteproperty -name recoveryguid -value $object.recoveryguid
   #$computerobj | add-member -membertype noteproperty -name When-Created -value $computer.whencreated
#Add the computer object to the array with computer information 
$export += $computerobj 

  } 

#Export the array with computerinformation to the user-specified path 
$export | Export-Csv -Path $CsvFilePath -NoTypeInformation | sort hastpm-ownerinformation -descending
read-host "Exported csv"

Major Iphone bug found - text can make your phone crash - fixed?

Sourced here: http://www.reddit.com/r/apple/comments/37enow/about_the_latest_iphone_security_vulnerability/

Long story short, latest iphone vulnerability has to do with how it processes banner notifications with Unicode text.  Sending the following as a text while a phone is locked it supposed to crash teh phone.



effective
Power.
لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ 冗


I 'tested' this with a friend, looks like Apple might have already fixed it.  I can paste the string and it's correct but when sent the jihadi looking string get's mirrored.  The friend's phone did not do anything weird or detrimental... it just kept on working.

Yay Apple?

PowerShell - Searching AD for locked out domain accounts

So yeah.. should be a no-brainer to most however with the changed cmdlets in Powershell 4 I had to look it up.  This is one of those little things that you probably don't need very often but when you do it's a life saver.

Import-Module activedirectory
Search-ADaccount - Lockedout


That's it.  Easy right?

Rancid, Cisco networking device config backup/differencing

So Monday I started setting up a Rancid server.  Honestly I needed something to do until the DR project really kicks off, I was googling.. found mention of a cisco switch/router configuration backup and ran with it.

I setup a CentOS 7 virtual machine, and following the advice laid out here: http://ciscoskills.net/2015/01/03/install-rancid-and-viewvc-on-centos-7/

Was able to get the server going.  What I like about ViewVC is that it gives you a nice web gui to view the captured configs with.  Also you can select a specific config file and it can display the differences between the selection and the current file.  Really cool.

Anyway I think this will be one of those systems that just kinda runs.. for months or years and gets forgotten about.  Until a switch dies and you need the configuration.

Carbon - powershell module

I got an email this morning from Powershell.com letting me know about a new and recommended module named Carbon.

I have only been playing with it for a short time but so far I'm interested.  they've added quite a few new and handy cmdlets.  And if the folks at Powershell.com recommend it it automatically has my support.

Check it out. Oh and sign up for Powershell.com's PowerTips, I've been getting them every few days for months now.  A number of them have proven very useful.

BitLocking an SSD

So today we ran into an issue encrypting an HP Z230 desktop with BitLocker.  The desktop did have a TPM chip, which was enabled.  The tech went through the typical Bitlocking steps.. enabling, performing the BL check and they it prompted for a reboot like normal.
Here's where it gets a little sticky, upon reboot the user was presented with an F1 to enter the BIOS.  I do not know whether or not that was a function of Bitlocking since I have not tried it myself on a Z230 but he assures me the TPM was enabled and functioning properly. which I believe if TPM is disabled or otherwise unusable then BL should have cancelled itself or otherwise complained.


Anyway after that it proceeded to blue screen.  Inspecting the disk inside the BIOS results in:

Nice huh?  I had him reset to defaults the BIOS, no help. Changed SATA ports, no help. Changed from AHCI to SATA mode, disabled TPM, disabled secure boot.. nothing helped.  There is no Recovery info in AD nor could the drive technically be encrypted because this was one reboot and encryption takes many hours.

he is currently trying to slave it onto a machine with Samsung Magician installed just to see what they're own utility reports.

In Googling I found https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/  and http://superuser.com/questions/700009/how-do-i-encrypt-samsung-840-ssd-with-bitlocker

Now from what I have read it's not just Samsung related, but they are popular so it stands to reason more people using them = more people encrypting.

I will obtain a test ssd and perform my own spelunking however this has stopped my plans for encrypting my own Z230 ;)

BitLocker - A short story on how to setup in a domain.

Bitlocker, well in case you've never heard of it is a data encryption method developed by Microsoft for use on the 'recent' Windows platform, OS requirements include:

Windows Vista/7 - Ultimate and Enterprise
Windows 8/8.1/2008/Later - Professional and Enterprise


BitLocker meets FIPS 140-2 using AES encryption.

Now having recently gone through this in my own company I can say it was MUCH less painful that I ever thought it could have been previously.  First off make sure your domain is at least a functional level of 2008.  If you are still on a 2003 level you will need to extended the schema.  I did not have so you;d need to Google-Fu up the procedures on doing that.


Now one of the first things I did was go here:
https://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

I used the Add-TPMSelfWriteACE.vbs script to make sure the access control entry for TPM in AD was created.

1. Download and review Add-TPMSelfWriteACE.vbs (http://go.microsoft.com/fwlink/?LinkId=167133) from the download page.
2. Modify Add-TPMSelfWriteACE.vbs as appropriate for your environment.
3. Type the following at a command prompt, and then press ENTER:
   cscript Add-TPMSelfWriteACE.vbs

Then I created the GPO that would require the Recovery Key to be stored within AD:

Now quite honestly.. once those were done I took a test laptop.. enabled the TPM within the bios.  I enabled BitLocker and let it do the hardware check.  It rebooted once, came back up and proceeded to encrypt the drive which took like 6 hours for a 500gb drive.

Once complete I verified the Recovery Key was stored in AD under the computer object:

Boom, done.  I didn't really notice any performance hit after the encryption process completed however admittedly this is not my main machine so I need to use it for a while to better gauge that.

Enabling TPM on HP Zbook and Elitebook laptops

Ran into an issue this Am with trying to enable TPM or Trusted Platform Module on a new Zbook from HP.  If you hit ESC then BIOS Options, then Security you will see that TPM, User Management and a few other options are greyed out.  Turns out you must set a BIOS Password in order to change those options.

Stupid move HP but whatever I guess, at least now I can encrypt the drive.

Backup and recover Vmware ESXi installs on SD cards

Here's a small piece on teh backing up and restoring of vmware 'firmware' most often used when running the hypervisor off SD cards.


Using the Vcenter-CLI:

Get-VmHostFirmware -Vmhost x.x.x.x -backupconfiguration -destinationpath c:\users\blah

Restoring:

Set-VmHostFirmware -Vmhost x.x.x.x -restore -sourcepath c:\users\blah\configbundle-<vmhost ip>.tgz -HostUser root -HostPassword <password>

Google Chrome sign-in issues..

For a while I've had a problem signing into Chrome.  I ignored it for the longest until I needed my tabs and bookmarks sync'd so I went looking.
Long story short this is what resolved my issue.

The symptoms were: entering username/passwd, and the sign-in animation keeps spinning forever.

Resolution: Renamed the following folder; c:\users\username\appdata\local\google\chrome\user data\default

Opening chrome will create a new Default folder, allowing you to sign in so all your addins, and info will sync correctly.

Backing up Putty saved sessions

Found a quick way to backup your saved sessions list in Putty..

Export the following registry key:

HKCU\Software\SimonTatham\PuTTY\Sessions

Or via Powershell:

reg export hkcu\software\simontatham\putty\sessions exported_putty_sessions.reg

Remotely determining a mac address

So today I had need of finding the mac address of a license server.. this server is a virtual and currently my vcenter server is down.  So unbeknownst to me Windows has had a nice little built-in command since XP called GetMac.

Read more here: https://technet.microsoft.com/en-us/library/bb490913.aspx

For those who don;t want to read it let me give you the simplest syntax for it..


getmac /s <hostname> /u domain\user /p <password>

That's it.  Short, simple and quick.. does exactly what you want it to.  Also there's no subnet limitations like with arp -a.


Enjoy.

Office 365: Managing On-premise Distribution Groups - ALTERNATIVE

So I've ran into an issue where people can no longer manage the DL's they are the manager of using Outlook after migrating to O365.  Stupid me for not thinking of this sooner.

I wrote that Powershell script yesterday and today I found something even easier.

 %systemroot%\system32\rundll32.exe dsquery.dll,OpenQueryWindow

Create a shortcut with this as the location and it opens up the ADUC (or ADUG) 's find window.  Allowing the user to search for Groups or Users to modify.  If the user in question is the 'ManagedBy' for a Group then they can edit the membership.

Works like a champ and since it's a gui versus a command line window it's more user friendly.

Powershell: Modifying ADGroup membership

Here's a script I made today that is destined for users who manage certain AD distribution groups for their own departments and the like.





function list_groups
    {
    Get-ADGroup -Filter "managedby -eq '$($user.DistinguishedName)'" |fl samaccountname
    }
function add_member
    {
    $newuser = read-host = "Enter username to add"
    $group = read-host = "Enter the group name you wish to modify as they are named above"
   add-adgroupmember -identity $group -members $newuser
   get-adgroupmember -identity $group |fl name
    }
function remove_member
    {
    $olduser = read-host = "Enter the username you wish to remove"
    $group1 = read-host = "Enter the group name as they are named above"
   remove-adgroupmember -identity $group1 -members $olduser -confirm:$false
   get-adgroupmember -identity $group1 |fl name
    }

$username = Read-host "Enter your username"
$user = Get-ADUser $username

[int]$xMenuChoiceA = 0
do {

Write-host "1. List groups I manage"  -fore Cyan
Write-host "2. Add members to a group" -fore Cyan
Write-host "3. Delete members from a group" -fore Cyan
Write-host "4. Quit and exit" -fore Cyan

$xMenuChoiceA = read-host "Please enter an option 1 to 4"

Switch( $xMenuChoiceA ){
  1
    {
    list_groups
    }
  2
    {
    add_member
    }
 
  3
    {
    remove_member
    }
default
    {
    write-host "Valid responses are 1,2,3,4"
    }
    }
}while  ( $xMenuChoiceA -le 3 )

Connecting to Powershell in Office 365

Here's a little script I've got for connecting to a Powershell session in MSOnline or Office365.




Import-Module MSOnline
# Imports the O365 Commandlets

$CloudCredential=Get-Credential -Credential "username"
# Saves your User name and password

$CloudSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $CloudCredential -Authentication Basic -AllowRedirection -WarningAction SilentlyContinue

Import-PSSession $CloudSession -Prefix 365
# Sets the O365 Commands to start with 365

Connect-MsolService -Credential $CloudCredential
# Connects to O365 services

Remington 742 Woodsmaster - repairing broken toe

Ok so recently I bought a new hunting rifle, a Remington 742 Woodsmaster.  I know what you might say or think but I had a budget of only 300 smackers and this was the best thing I found.

Now you can see by the pictures the tip of the toe was broken off, which is the reason I got it for less than $400 or $450.

Now being that I have a few wood working skills, but I am not expert by any means I figured.. yes I can fix this.  The following are progressive shots of the work I've done thus far.

Note that I assumed the stock was walnut.. I was wrong and now I'm leaning more towards maple.  However I did source walnut and used it in the repair.

I was able to source the replacement butt plate from https://www.gunpartscorp.com/ and being a cheap skate I did not want to pay $8 for the white plastic trim piece.  So I fashioned one out of white plastic gutter down spout.

And here's the finale pics.. I wound up putting 4 coats of Minwax Antique Oil Finish, which is a 50/50 mix of boiled linseed and varnish (basically)  Oh yeah and I let each coat dry for about 5 minutes then buffed out with a clean rag and allowed to sit for about 24 hours.

*Thinking about putting on a couple more coats once it warms up outside.

And finally the before and after overall: