We recently had an issue where a user brought their laptop in from home and plugged it into the network, attempting to get internet access. I know on a port level I could setup MAC restrictions, but I was wondering if there was a way that I could prevent a non-compliant machine from even getting access to our network in the future? We currently run all Windows 7 client machines and I'd like to simply tell it "if not Windows 7, no access", but not sure exactly how to go about that. We are running an AD environment, 2008 and above Windows Servers.

I thought maybe NAP would work, and it appears to have a setting for WinXP (and one for Win7), but it allows me to disallow/allow access based on if it is up to date, if virus protection is on, etc, not if it's Windows XP itself. Is there a way that I could disable anything but what I specify from getting access to the network like this?

Thanks in advance for your help!

I'm currently trying to setup a Polycom CX600 to test the operability with Lync. We have been using Lync for several months, but only really using the IM aspect. I didn't set the Lync server up initially but am trying to troubleshoot where the problem may lie. I'll explain my setup to better help track the problem down.

Lync Server 2013 is installed on Windows 2008 R2. Domain Controller is Windows Server 2008, DHCP/DNS server role. To my knowledge there was no DHCP setup on the Lync server itself.
My client is Windows 7 x64, fully patched. Lync client is 2013.

We just have one Lync server being used internally, nothing on the outside, no federation, etc.

Here's what I did:

1. Reset the phone so it was a clean start.
2. Plugged the phone into the wall for network access, plugged my PC into the phone.
3. Plugged the USB cable from the phone into my PC.
4. Starting up it asks if I want to connect via the PC, I tell it next.
5. It prompts on my PC to authenticate via Lync with a box labeled "Logon Information Needed".
   It has auto-populated my Sign-In address and username. I enter my password and select OK.
6. On the phone it states that it is contacting the time server, this takes about 50 seconds or so.
7. Then it says it is connecting to Lync Server, this takes about 5 seconds.
8. Next it says it is locating the server to download the certificate, this takes about 20 seconds.
9. Then it briefly flashes that it's installing the certificate, then gives me a sign-in error that says: "Cannot sign in. Please verify your sign-in address, domain\user name, and password, and try again. Please verify that the domain entered @domain.com is correct".

On the phone screen I click Next.

It says USB connection is detected, I click Skip (only option is Skip or Menu). It asks me for my extension or phone number. I put the number in that is assigned to me on the Lync Server (I set it to 5551212 and verified in AD that the number I put in is the same as the msRTCSIP-Line field.
I click Next, then enter my PIN (I also reset my PIN to make sure it was valid).

I click Sign in, it says "Contacting time server" for a bit, then "Connecting to Lync Server" for just a split second, then quickly an error flashes that says "Account used is not authorized, please contact your support team". Afterward it goes to the screen saying "An account matching this phone number cannot be found. Please contact your support team."

I see looking at the menu/system information on the phone that it grabbed an IP address from the DHCP server (and verify it is shown in leases), the mask and GW/DNS are all set correctly. I did notice VLAN ID is set to 1...which we don't use, but I don't see a way to change that to the VLAN ID we do use on our network (if that is even relevant?). I can't access the phone via the web or ping it, but my computer can use the built-in switch to work through it just fine.

On the Lync server I have ran the test command -

Test-CsPhoneBootstrap -PhoneOrExt "5551212" -PIN "16778" -serSipAddress "sip:[email protected]"

All results come back positive.

I have ran the command -

Test-CsClientAuth -TargetFqdn lync.domain.local -UserSipAddress "sip:[email protected]" -UserCredential "domain\user"

All results come back positive.

I have looked at the certificate store on my local machine, I see a certificate under Personal/Certificates issues by Communications Server, and from what I've seen online this is part of the Polycom/Lync setup. I don't however see anything similar in the Trusted Root store...should it have something in there?

In AD Attributes I verified my msRTCSIP-PrimaryUserAddress setting is the same as my SMTP address, but my sAMAccountName is different to logon to the domain (saw one place saying this had to be the same, but others saying only the SMTP/SIP needed to be the same) and the same as my UserPrincipalName.

So anyway, I'm kind of at a loss, I have tried everything I can think of and so far I've had no luck getting this phone to connect up to Lync. Exchange and Lync seem to work fine, OWA, EWS, Autodiscover, DNS settings are all right, but for some reason this won't connect. If anyone has an idea of something I could try, I would be very appreciative. Thanks in advance!

We are currently looking at archiving emails and revamping our retention policy. The big question is (for the legal department), how far back do we want to save? Currently our users have a huge mailbox limit, and in the past have all been able to archive as they saw fit. So we have a couple hundred GB of data that isn't in the Exchange Database, but that we'd probably end up sucking into an Archive database for discovery. What I'd like to do is be able to quantify for the legal team how much that would be if we went back 1 year, 2 years, 3 years, etc.

I found a fairly straightforward Powershell Script at TheDailyAdmin that does what I want for the most part, but it lumps it all in one pile. I'd like to be able to see the results but sorted by user to know that Sally has 47MB that is older than 2 years, Charles has 190MB over 2 years old, etc.

Here is the script I've ran:

get-mailboxdatabase | get-mailbox -resultsize unlimited | get-mailboxfolderstatistics -folderscope all -includeoldestandnewestitems | export-csv mailbox_stats.csv

It works fine for putting them all in on file, but I can't tell who's email belongs to who. I also ran it on my mailbox specifically but I'd rather not run that manually on every user as that would take awhile! I'm not a Powershell guru but was hoping someone out there has a firmer grasp and can help point me in the right direction of the commands to help break it down a bit more.

Thanks in advance!

I recently installed a second Exchange Server (standard, 2010) to our organization as part of a Disaster Recovery solution. The two servers will soon be part of a DAG. Before placing the server at our remote location I was curious as to the amount of data that is transferred back and forth between the two servers.

Is there a way to monitor or get a daily report of how much data is transferred per second and/or per day between the two? I would like to have an average metric so as to know if our current connection will be saturated or not.

Thanks for any help you can offer.

I've read quite a bit online about this and thought I had found a solution, but it doesn't seem to be working like I would expect.

I am wanting to get a user based on the username I input, then remove all groups that it is a member of. Basically the same thing as going into ADUC, selecting the user, selecting the Member Of tab, highlighting everything (except domain users of course) and selecting remove.

Here's the command I'm trying to use:

Get-QADUser -Name $username | Remove-QADMemberOf -RemoveAll

Others have said online that it works for them, but so far it hasn't for me. It doesn't give an error, it accepts the command just fine, but when I look in ADUC, the groups are still there for the user.

Any suggestions as to what I may be doing wrong?

Executing from Windows 7 with domain admin rights, Exchange cmdlets and Quest snapin loaded.

Thanks!

We have a few hundred users and about 40-50 of them need Java for one reason or another. The problem we run into (as have many others online apparently) is that Java seems to want to update all the time. How this differs is that most people online seem to all want to disable automatic updates. I was curious if you could set it to automatically update without prompting the user?

Personally I'd not want that because in the past updating Java to the latest and greatest has caused issues with ASDM for me, and this may be the case with other end users' programs as well (or may not). I'm just trying to weigh my options and figure out if this is possible as one less pop-up prompting them to update (when they can't without admin rights) would be great. And, I don't like the idea of ignoring potential security risks, I'd rather update things as they need to be updated.

Thanks in advance for your thoughts.

We currently use Bitlocker on our laptops here at work. The helpdesk are responsible for backing the Bitlocker key up to AD when they build the system. We ran into an issue recently where a user had a hardware problem that set Bitlocker off, so it won't go past the screen prompting for the recovery key.

No problem, we have had this before, except that when I look in AD there's no key, which means somebody forgot to back it up. So I randomly click on a handful of other laptop objects and find another not backed up. So this has me thinking we need to seriously look into this before it happens again (on a higher profile employee).

Instead of going through the entire laptop OU and clicking on the Bitlocker recovery tab, is there a way in PowerShell to check that tab and see if anything is in there? I wouldn't even need to know the key there, just to know if any data is there which would show it's been backed up. If not it's not the end of the world, but I'd much rather be able to do that with a script than manually. :)

I've been looking online but so far found nothing exactly what I want, usually it's much more complex than I'm needing.

Thanks for any help you can give!

I'm trying to automate the uninstall/install of Office. Removing 2007, installing 2010. I've downloaded the OCT and made changes as I needed. In there I can select, "Remove the following earlier versions of Microsoft Office Programs:" and you can select which to remove (default Remove All), or you can select the option "Default Setup behavior; earlier versions of installed programs are removed."

Initially I tried the Default Option, but it gave me the below error. Then I tried manually selecting the second option but leaving them all as "Remove". Same results.

I'm trying to get this done via group policy and have downladed and installed the ADM template as well, create a GPO for this OU to test in, etc. Using 2008 Server.

I've seen others online with the same error, and instructions are typically "remove the old version first" or use a third party tool (Revo), which I have used in the past with success, but on an individual uninstall/install basis, not via GPO. My end result is for a laptop to boot up on a given day, references the GPO, if it has 2007 it uninstalles 2007 and installs 2010.

Here is the error I'm getting, I'm sure it's nothing new as it's fairly prevelant online.

You cannot install the 64-bit version of Office 2010 because you have 32-bit Office products installed. These 32-bit products are not supported with 64-bit installations:

        Microsoft Office Professional Plus 2007

If you want to install 64-bit Office 2010, you must uninstall all 32-bit Office products first, and then run setup.exe in the x64 folder. If you want to install 32-bit Office 2010, close this Setup program, and then either go to the x86 folder at the root of your CD or DVD and run setup.exe, or get the 32-bit Office 2010 from the same place you purchased 64-bit Office 2010.

Here's what I have in the config.xml file under ProPlus.WW:

REM Get ProductName from the Office product's core Setup.xml file, and then add "office14." as a prefix. 
set ProductName=Office14.PROPLUS

REM Set DeployServer to a network-accessible location containing the Office source files.
set DeployServer=\\filesvr\shared\Office2010

REM Set ConfigFile to the configuration file to be used for deployment (required)
set ConfigFile=\\filesvr\shared\Office2010\ProPlus.WW\config.xml

REM Set LogLocation to a central directory to collect log files.
set LogLocation=\\filesvr\shared\Office2010\LogFiles

Any thoughts on the subject would be appreciated, thanks!

We have just implemented RD Gateway for our own department in preparation for a push to the whole agency for telecommuting. It is all setup and working great, but I was trying to figure out how best to go about monitoring/reporting of users. I see third party software out there that will do it, but is there anything built-in or via powershell/scripting that I could use that would give me a report of the daily activity of users? Something to say, "User A connected at this time, was on for this long, sent/received this much data"? Basically some of the same stuff you can see in event viewer. Ideally I'd like to be able to have this setup so that once a day it emails me with the daily usage for when a supervisor asks about if their person is actually working (or at least online sending and receiving x amount of data), I'll have some metrics to give them. I realize that actual work output is relevant and more of a managerial issue, but I would like to be able to offer as much as I can from my end when asked.

Thoughts? Thanks!

I'm trying to get a list of all Exchange accounts, format them in descending order from largest mailbox and put that data into an email in HTML format to email to myself. So far I can get the data, push it to a text file as well as create an email and send to myself. I just can't seem to get it all put together. I've been trying to use ConvertTo-Html but it just seems to return data via email like "pageFooterEntry" and "Microsoft.PowerShell.Commands.Internal.Format.AutosizeInfo" versus the actual data. I can get it to send me the right data if i don't tell it to ConvertTo-Html, just have it pipe the data to a text file and pull from it, but it's all ran together with no formatting. I don't need to save the file, i'd just like to run the command, get the data, put it in HTML and mail it to myself. Here's what I have currently:

#Connects to Database and returns information on all users, organized by Total Item Size, User
$body = Get-MailboxStatistics -database "Mailbox Database 0846468905" | where {$_.ObjectClass -eq “Mailbox”} | Sort-Object TotalItemSize -Descending | ft @{label=”User”;expression={$_.DisplayName}},@{label=”Total Size (MB)”;expression={$_.TotalItemSize.Value.ToMB()}}  -auto | ConvertTo-Html

#Pause for 5 seconds for Exchange 
write-host -foregroundcolor Green "Pausing for 5 seconds for Exchange"
Start-Sleep -s 5


$toemail = "[email protected]" # Emails report to this address.
$fromemail = "[email protected]" #Emails from this address.
$server = "Exchange.company.com" #Exchange server - SMTP.


#Email the report.
$email = New-Object System.Net.Mail.MailMessage
$email.IsBodyHtml = $True
$email.To.Add($toemail)
$email.From = $fromemail
$email.Subject = "Exchange Mailbox Sizes"
$email.Body = $body
$client = New-Object System.Net.Mail.SmtpClient $server
$client.UseDefaultCredentials = $true
$client.Send($email)

Any thoughts would be helpful, thanks!

I've been slowly working on a script that will do everything I normally do for a new employee when they start. So far it all seems to be fine except one thing. Here's what I have:

Loads Quest snap-in.

Prompts for specific information for the user.

Gets information about a current similar employee for reference and pipes it into the new employee, minus the specific information I'm prompting for. Creates the AD account.

Gets group information of current employee and put the new user in the same groups.

Loads Exchange credentials and mail-enables the new user.

Goes to the File server and creates their home drive and gives specific rights as needed.

All works fine, except that when the new user is created, I can't login as them until I have went into ADUC and reset their password, unchecked "User must change password at next logon". It all looks fine, all the fields are populated, but when I go to OWA to test login, it says bad username and/or password. I've tried telling the script to manually uncheck the box, reset the password, disable, re-enable the account, etc. The commands execute just fine, no errors, but it seems like none of that works. But, if I right click on the user, select reset password, type in a password and uncheck the box, then I can immediately logon afterward.

So, it seems like there's another setting somewhere that I'm missing with the script that is happening when I do it manually. Here is the command I'm using to try and replicate what I'm doing manually:

Get-QADUser $username | Set-QADUser -UserPassword $accountpassword -userMustChangePassword $false

It seems to work, but not work... any suggestions would be greatly appreciated, this is the only thing holding me up from a pretty handy script! :) Thanks!

Currently we have VPN setup on an ASA 5510. I have it set to use NPS for RADIUS authentication, but I've never really configured much as far as accounting. I'm wanting to set this up to be able to tell more of what people are doing/accessing when they are telecommuting. I just have it set up pretty basic right now:

aaa-server VPN protocol radius
aaa-server VPN host 10.10.4.25
timeout 3
key “password”
authentication-port 1812
accounting-port 1813
radius-common-pw “password”

On NPS, under NPS (Local) > Accounting, I see "Configure Accounting", is it that straight forward??

Is there anything else needing done for accounting to be sent to the host 10.10.4.25? It looks way too straight forward.

Thanks for your input.

This may be a somewhat simplified question, but I've read online quite a bit and have found very little on the comparison. We are a smaller shop, approximately 200 users. Currently our Exchange mailbox quotas are set at 400MB. For as long as I can remember we've had users archive email as they fill up their mailbox, so we have more .psts floating around than we would like. I've looked into the archiving feature of Exchange, and it looks nice, but I'm having a hard time determining why I would go that route (for the cost, would be about 12K for licensing) versus just having more hard drive space on the server and increasing everyone's mailbox limit to 10GB (for example).

I would imagine having their primary mail on one server and archive on another would be ideal for balancing the load/stress on the system, but with our small shop we only have the one server/database and had planned on putting the archive database on the same server anyway. We plan to deploy DAG with a DR site in the near future as well.

So, other than being able to give our legal department more capabilities with the discovery process, is there any benefits I'm not seeing here? Also, we are currently on Office 2007, from what I read a lot of features aren't usable unless you are running 2010, so that would be something else to take into consideration I suppose. But anyway, I would appreciate some thoughts on this from those who have used both ways and are more "in the know" than I am with regards to Exchange/archiving. :) Thanks for your input!

About a year ago we implemented WDS and MDT. Using this we have been successfully deploying Windows 7 x86 and x64 on every PC and laptop we have. We put the OS on, then add on Office, Adobe, Antivirus, etc. Also, I have it set to do Windows Updates from our WSUS server. The question I have is, is there anyway to speed the process up or slipstream in some of the updates? It seems that it takes about as long to do the Post Installation Windows Updates as it does the OS and all of the application installs combined. The only thing I can think of is to make a new OS capture with Windows 7 w/SP1 so it doesn't have to install SP1 via the update task. Is there any other way that I might speed this process up? Any suggestions would be greatly appreciated, thanks.

I'm in the process of setting up a server. Dell PE R510, 6 450GB HD. It came with all drives RAID 5'd, I'm wanting to wipe the configuration and set 0 and 1 as RAID 1, then 2-5 as RAID 5. When I go to setup RAID 1, it's asking me about which Caching Policy to use - Read/Write, Write only, Read only, and none. I'm not sure which to pick here...suggestions? This server will be used for Exchange 2010 and the RAID 1 drives will be used for the OS and Logs, and the server will be on a battery backup. Thanks in advance.

I'm trying to build a script that will create a folder for a new user on our file server. Then take the inherited rights away from that folder and add specific rights back in. I have it successfully adding the folder (if i give it a static entry in the script), giving domain admin rights, removing inheritance, etc...but i'm having trouble getting it to use a variable I set as the user. I don't want there to be a static user each time, I want to be able to run this script, have it ask me for a username, it then goes out and creates the folder, then gives that same user full rights to that folder based on the username i've supplied it. I can use Smithd as a user, like this:

New-Item \\fileserver\home$\Smithd –Type Directory

But can't get it to reference the user like this:

New-Item \\fileserver\home$\$username –Type Directory

Here's what i have:

Creating a new folder and setting NTFS permissions.

$username = read-host -prompt "Enter User Name"

New-Item \\\fileserver\home$\$username –Type Directory

Get-Acl \\\fileserver\home$\$username  

$acl = Get-Acl \\\fileserver\home$\$username

$acl.SetAccessRuleProtection($True, $False)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain\Domain Admins","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain\"+$username,"FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

Set-Acl \\\fileserver\home$\$username $acl

I've tried several ways to get it to work, but no luck. Any ideas or suggestions would be welcome, thanks.

We currently have a pretty simple setup. We have a 2008 Windows Server using DHCP for our clients. We have a remote site that has 10 people. The remote site currently get their IPs from the router, but we'd like for them to get their IP from our local DHCP server here. From what i've read this seems fairly straightforward. On the remote router turn on Ip-helper x.x.x.x to point to the DHCP server back here. I guess my concern is, how will the transition go? If i enable that right now, will the users who currently have an IP lease from the router drop and acquire a new one, or will it just allow those leases to expire, then once they do, it will then look at the new IP range from the local DHCP server here? Just curious if this is anything i need to worry about or is it really as simple as it seems, just set it and run. I've configured RRAS on my side as well per several online articles discussing how to set this up. Thanks for any insight you can give!

I've never attempted to restore a deleted individual mailbox and figure it's a good thing to have tried for when/if it's actually needed. I have a full backup from Monday (today is Wednesday), i have the GRT options checked in the backup for Exchange, I can browse through the backup job and find a particular employee's mailbox that I removed on Tuesday. My question is, is it as simple as selecting that checkbox and submitting the job? His account no longer exists on the network because he is no longer employed with us, i figured it was a good person to try this on. I see an option in Backup Exec that says "automatically recreate user accounts and mailboxes", so i assume i would select that as well. I guess it just seems too easy, and since this is a production server i wanted to ask around before attempting to restore this individual mailbox back. Anyone have any experience with this? Thanks.

I'm currently running a Windows 2008 R2 print server. Everything seems to work fine, except that i can't seem to cancel jobs stuck in the queue. One of our helpdesk asked me to give them rights to do this, and upon inspection, I couldn't cancel the job either (although I'm sure I could bounce the spooler which would have the same effect). It seems simple enough when I look online-- go to the print server, open up printer management, right click the server, properties, security and add the person or group you want to have rights. I've tried adding our helpdesk there as a group, individually, even adding myself and giving myself full rights. Every option gives me the same result. When I click "Cancel" or "Cancel All Docuements" I get the following error:

Authentication Failed The error indicates that the action you chose requires a higher privilege than what you have with your account. Please contact your system administrator to verify that you have the privilege on the requested action.

As far as I can tell adding the person or group where I was should fix it, but nothing seems to be working when I try it. I've even tried giving a user full admin rights on that server, putting them in the administrator group...same results. Anyone have any idea why I'm getting this and how to make it work? Thank you in advance!

Don

I'm currently wanting to implement a backup Exchange server, and from what i read it sounds like SCR is the way to go. I currently have one Exchange 2007 server, pretty small and nothing special going on. I built another server and set the drives the same (as was recommended on technet). Online i see several sites saying, "all you need to do is this" run these commands:

Enable-StorageGroupCopy -Identity -StandbyMachine -ReplayLagTime 0.1:0:0

Suspend-StorageGroupCopy -Identity -StandbyMachine

Update-StorageGroupCopy -Identity -StandbyMachine

But my question is even more basic i guess... I logon to the secondary server, and obviously Exchange isn't on there so i assume i'd need to install it first before i can set it as a passive/backup server. I run the install but when i select Passive Clustered Mailbox Role it informs me it needs to be setup as a Clustered Server first (which makes sense). But i'm wondering, do i need to set up two servers in a cluster to make this work? I'm not wanting real-time failover, just the SCR ability to turn the passive server into the active server in response to a disaster. Would i just need to install Exchange on the second server as if it were the only one in the domain (Mailbox Role) and then once done, run the above commands? Any help explaining this woudl be greatly appreciated, thanks!