Author Archives: Bjorn Houben

PowerShell – Protect Active Directory objects from accidental deletion

In a previous blog post I explained how to enable the Active Directory Recycle Bin, which allows you to restore deleted Active Directory objects.

Even though it is great to be able to restore objects, it is even better to prevent accidental deletion in the first place. What protection from accidental deletion actually does is modify the permissions on the AD object so that Everyone is denied the right to delete it; as a result the object cannot be removed by accident.

More information about protection from accidental deletion can be found in “Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory” and “Windows Server 2008 Protection from Accidental Deletion”.

In Windows Server 2012 with all the new cmdlets, it has become much easier to enable protection from accidental deletion.

For example, you could use these commands:

#Get-ADObject class names (shows which object classes exist in your directory)
Get-ADObject -Filter * | Select-Object ObjectClass | Group-Object ObjectClass

#Protect specific AD object classes from accidental deletion (straight quotes; smart quotes break the filter)
Get-ADObject -Filter * | Where-Object { ($_.ObjectClass -eq "container") -or ($_.ObjectClass -eq "organizationalUnit") -or ($_.ObjectClass -eq "user") -or ($_.ObjectClass -eq "group") -or ($_.ObjectClass -eq "computer") } | Set-ADObject -ProtectedFromAccidentalDeletion $true

#Protect all AD organizational units from accidental deletion
Get-ADOrganizationalUnit -Filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

#Protect all AD objects from accidental deletion
Get-ADObject -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion $true
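As an added example (not part of the original post), the following script first reports which objects are still unprotected, applies the setting after a dry run, and then shows the Deny ACE that the setting creates so you can verify what actually changed. It assumes the ActiveDirectory module (RSAT or Server 2012) with its AD: drive.

```powershell
# Added example (not from the post): report objects that are NOT yet protected,
# protect them after a dry run, and show the Deny ACE that the setting creates.
# Assumes the ActiveDirectory module (RSAT or Server 2012) and its AD: drive.
Import-Module ActiveDirectory

function Get-UnprotectedADObject {
    # Object classes to check; the same five the post protects.
    param([string[]]$ObjectClass = @('organizationalUnit', 'container', 'user', 'group', 'computer'))
    # ProtectedFromAccidentalDeletion is an extended property, so request it explicitly.
    Get-ADObject -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $_.ObjectClass -in $ObjectClass -and -not $_.ProtectedFromAccidentalDeletion }
}

function Get-DeleteDenyAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The setting is implemented as Deny ACEs for Everyone on the object (its parent also
    # gets a Deny for deleting this child), so a delete fails at the ACL, not in the tool.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Everyone*' } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

# 1. Review what would change before touching anything.
$unprotected = @(Get-UnprotectedADObject)
$unprotected | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 2. Dry run with -WhatIf; drop -WhatIf to apply.
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf

# 3. Verify afterwards: any OU still reporting $false deserves a look, and the ACL shows why deletes fail.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    ForEach-Object { Write-Warning "Still unprotected: $($_.DistinguishedName)" }
Get-ADOrganizationalUnit -Filter * | Select-Object -First 1 |
    ForEach-Object { Get-DeleteDenyAce -DistinguishedName $_.DistinguishedName }
```

Keep in mind that this is an ACL entry, not a lock: anyone permitted to change the object's security descriptor can remove the Deny ACE, so it guards against mistakes rather than against a deliberate actor.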


PowerShell – Copy monthly reports to customer reporting folder

Currently, report files for multiple customers are placed in a source folder every month. These report files include the customer name and need to be uploaded, for each customer, to a subfolder named “Backup Controle” inside that customer’s own folder.

Notes:

  1. The customer’s root folder name can differ from the customer name used in the report files.
  2. The folder “Backup Controle” is not always located at the same relative location under the root folder.

Example:

  • The source report files folder contains:
    • Backup Controle – Customer 1 – 12-2012.pdf
    • Backup Controle – Customer 2 – 12-2012.pdf
  • The customers’ root folders might be:
    • C:\Customersroot\Cust1
    • C:\Customersroot\Client2
  • The “Backup Controle” folder might be located at:
    • C:\Customersroot\Cust1\folder1\folder2\folder3\temp\folder4\Backup Controle
    • C:\Customersroot\Client2\folder1\folder2\Backup Controle

This action was performed manually at first, using the SharePoint web interface to browse to each customer’s folder and upload the report. This is of course not the type of work you want to do. Using SharePoint WebDAV you can do this in Explorer with drag and drop, which makes it a bit more bearable.

It would however be even better if it could be automated, and that is just what we did with this script. The script contains a function where you define, for each customer:

  1. Which name filter identifies the customer in the report file name, e.g. “Customer 1” or “Customer 2”.
  2. What the name of the customer’s root folder is, e.g. “Cust1” or “Client2”.

The script will then recursively look inside the customer’s folder for a folder named “Backup Controle” and copy the report into it (assuming the report is not already there).

In this example you would call the function like this:

  • Copy-FileMatchingFilterToCustomerFolder “Customer 1” “cust1”
  • Copy-FileMatchingFilterToCustomerFolder “Customer 2” “client2”

Note: It is assumed that there is only one folder named “Backup Controle” in the customer’s folder.
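The post does not include the script itself, so here is an added re-implementation of the behaviour it describes (my code, not the author’s). The source folder and customers root are assumed parameters with defaults taken from the post’s example; the function refuses to copy when it finds more or fewer than one “Backup Controle” folder, rather than guessing.

```powershell
# Added example, not the post's own script: a re-implementation of the described behaviour.
# Assumed defaults: reports arrive in C:\Reports\Incoming, customer folders live under C:\Customersroot.
function Copy-FileMatchingFilterToCustomerFolder {
    param(
        [Parameter(Mandatory)][string]$CustomerFilter,      # e.g. "Customer 1", as used in the report name
        [Parameter(Mandatory)][string]$CustomerRootFolder,  # e.g. "Cust1", the folder under $CustomersRoot
        [string]$SourceFolder = 'C:\Reports\Incoming',      # assumed location of the monthly reports
        [string]$CustomersRoot = 'C:\Customersroot',        # from the post's example
        [string]$TargetFolderName = 'Backup Controle'
    )

    $customerPath = Join-Path $CustomersRoot $CustomerRootFolder
    if (-not (Test-Path -LiteralPath $customerPath -PathType Container)) {
        Write-Warning "Customer folder not found: $customerPath"
        return
    }

    # The "Backup Controle" folder can sit at any depth, so search recursively.
    $targets = @(Get-ChildItem -LiteralPath $customerPath -Recurse -Directory |
                 Where-Object { $_.Name -eq $TargetFolderName })
    if ($targets.Count -ne 1) {
        # The post assumes exactly one such folder; do not guess when that does not hold.
        Write-Warning "Expected 1 '$TargetFolderName' folder under $customerPath, found $($targets.Count). Skipping."
        return
    }
    $target = $targets[0].FullName

    # Match on the customer filter, e.g. "Backup Controle - Customer 1 - 12-2012.pdf".
    # Note: "*Customer 1*" also matches "Customer 10"; use "- Customer 1 -" as the filter if that can happen.
    Get-ChildItem -LiteralPath $SourceFolder -File -Filter '*.pdf' |
        Where-Object { $_.Name -like "*$CustomerFilter*" } |
        ForEach-Object {
            $destination = Join-Path $target $_.Name
            if (Test-Path -LiteralPath $destination) {
                Write-Verbose "Already present, skipping: $destination"
            } else {
                Copy-Item -LiteralPath $_.FullName -Destination $destination
                Write-Output "Copied $($_.Name) -> $target"
            }
        }
}

# Calls as in the post:
Copy-FileMatchingFilterToCustomerFolder "Customer 1" "cust1"
Copy-FileMatchingFilterToCustomerFolder "Customer 2" "client2"
```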


Posted by on January 7, 2013 in ICT, Learning, Microsoft, Powershell, Windows


PowerShell – Lower the Active Directory functional level

I’ve been around in the Windows world for quite some time and have studied quite a bit as well. As such I have always been taught that upgrading the functional level was irreversible. It also didn’t help that I got my Windows 2008 certification through beta exams before R2 was released and even before there were any books available.

Thanks to this blog post however, it came to my attention that it is possible to lower the Forest and Domain Functional Level from 2008 R2 to 2008 or from 2012 to 2008 R2.

All of this can only be done using PowerShell as you can read in “Step by Step guide to lower Active Directory functional level” by Aman Sahota.


PowerShell – Add websites to the Flash whitelist for Internet Explorer 10 (Metro – Modern UI)

[EDIT] 09-04-2013: As described in my blog post, this script has become unnecessary for most people, because Microsoft now allows almost every Flash site by default. [EDIT]

[EDIT] 13-01-2013: Apparently the script does not work yet on Windows RT. Unfortunately I have no Windows RT device to troubleshoot and resolve the issue. [EDIT]

Windows 8 and Windows RT include support for Flash in Internet Explorer 10.

In Windows 8 there are however two versions of Internet Explorer 10 that handle Flash websites differently. First there is Internet Explorer 10 Desktop, which is similar to the Internet Explorer you are used to from previous versions of Windows. Then there is Internet Explorer 10 (non-Desktop), the full-screen Internet Explorer in the new modern Windows interface (Metro).

Internet Explorer 10 Desktop allows Flash for all websites. Internet Explorer 10 (Metro) only allows Flash for websites that have been whitelisted.

Especially for Windows tablets, Flash support can be a selling point because most other tablets do not have it. It is however confusing for regular consumers that not all of their websites will work. For example, a friend of mine who is a hairdresser uses http://www.kapperssite.nl to show her customers hair models and their haircuts. The site is completely in Flash, and it is very annoying that it does not work by default.

The websites that have been whitelisted are defined in a file in your local AppData folder, for example “C:\Users\Bjorn\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml”. This file also contains information about websites and which compatibility mode should be used for each. The segment between <flash> and </flash> contains the websites that have been whitelisted for Flash. You can manually modify this file as described here: http://forum.xda-developers.com/showthread.php?t=1961793

Basic steps include:
  1. Modifying iecompatdata.xml to add the websites you want to whitelist for Flash. Unfortunately wildcards do not work.
  2. Open Internet Explorer 10 Desktop, press ALT, Tools, “Compatibility View settings”. Then disable “Download updated compatibility lists from Microsoft”. This way Microsoft will not overwrite the changes you made in step 1.
  3. Delete the IE10 browser history. The disadvantage of this method is that you will not benefit from future compatibility updates, because you have disabled the update functionality. Leaving it enabled however means that you would have to keep re-adding the sites you want to whitelist for Flash.

As a workaround, I’ve created this script that will automatically perform these tasks:

  1. Disable “Download updated compatibility lists from Microsoft”
  2. Close all internet explorer processes.
  3. Download the latest iecompatdata.xml to the appropriate folder. Currently the latest version is: https://iecvlist.microsoft.com/ie10/201206/iecompatviewlist.xml
    The script however will dynamically look for the latest versions by modifying the date in the url.
  4. Combine the data from the latest iecompatdata.xml with the websites you want to whitelist for Flash (specified in “C:\Users\Bjorn\AppData\Local\Microsoft\Internet Explorer\IECompatData\flashsitestoadd.txt”).
  5. Backup the original iecompatdata.xml and store the modified iecompatdata.xml
  6. Clear the Internet Explorer browsing history.

Because automatic downloading of updated compatibility lists has been disabled, I advise scheduling the script to run on a regular basis (for example monthly). For instructions read this blog post: http://blogs.technet.com/b/heyscriptingguy/archive/2012/08/11/weekend-scripter-use-the-windows-task-scheduler-to-run-a-windows-powershell-script.aspx Keep in mind that this will clear your Internet Explorer browsing history though.
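As an added example (my code, not the post’s script), this is one way to implement steps 2 to 6: download the newest list by walking back month by month through the URL pattern from the post, merge the hosts from flashsitestoadd.txt into the <flash> section without creating duplicates, back up the current file, and clear the history. Step 1 is done once in the IE settings dialog as the post describes. It assumes that the root element holds a <flash> child with one <domain> element per whitelisted host and no XML namespace, and that the text file lists one host per line.

```powershell
# Added example, not the post's script. Assumptions: root element has a <flash> child with one
# <domain> element per host and no XML namespace; flashsitestoadd.txt has one host per line;
# the download URL follows the YYYYMM pattern shown in the post.
$compatDir  = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\IECompatData'
$compatFile = Join-Path $compatDir 'iecompatdata.xml'
$sitesFile  = Join-Path $compatDir 'flashsitestoadd.txt'

function Get-LatestCompatList {
    # Walk back month by month from today until a list exists on the server.
    param([int]$MonthsBack = 24)
    $tmp = [IO.Path]::GetTempFileName()
    for ($i = 0; $i -lt $MonthsBack; $i++) {
        $stamp = (Get-Date).AddMonths(-$i).ToString('yyyyMM')
        $url   = "https://iecvlist.microsoft.com/ie10/$stamp/iecompatviewlist.xml"
        try {
            Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load($tmp)              # parses the downloaded file, BOM included
            Remove-Item $tmp -ErrorAction SilentlyContinue
            return $xml
        } catch { continue }             # 404 for months without a list: try the previous month
    }
    throw "No compatibility list found in the last $MonthsBack months."
}

function Add-FlashDomain {
    param([Parameter(Mandatory)][xml]$List, [Parameter(Mandatory)][string[]]$Domain)
    $flash = $List.DocumentElement.SelectSingleNode('flash')
    if (-not $flash) { $flash = $List.DocumentElement.AppendChild($List.CreateElement('flash')) }
    $known = @($flash.SelectNodes('domain') | ForEach-Object { $_.InnerText.Trim().ToLower() })
    foreach ($d in $Domain) {
        $name = $d.Trim().ToLower()
        # Skip blanks, comment lines and hosts that are already whitelisted (no duplicates).
        if (-not $name -or $name.StartsWith('#') -or $known -contains $name) { continue }
        $node = $List.CreateElement('domain')
        $node.InnerText = $name
        [void]$flash.AppendChild($node)
        $known += $name
    }
}

# Step 2: IE must be closed, otherwise it keeps working from its in-memory copy of the list.
Get-Process iexplore -ErrorAction SilentlyContinue | Stop-Process -Force
# Steps 3 and 4: fetch the newest list and merge the sites to whitelist into it.
$list = Get-LatestCompatList
Add-FlashDomain -List $list -Domain (Get-Content -LiteralPath $sitesFile)
# Step 5: keep a timestamped backup of the current file before overwriting it.
if (Test-Path -LiteralPath $compatFile) {
    Copy-Item -LiteralPath $compatFile -Destination "$compatFile.$(Get-Date -Format yyyyMMddHHmmss).bak"
}
$list.Save($compatFile)
# Step 6: clear the browsing history (1 = history only) so IE picks up the new list.
Start-Process RunDll32.exe 'InetCpl.cpl,ClearMyTracksByProcess 1' -Wait
```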


PowerShell – Enable Active Directory Recycle Bin

Many companies and people have in the past lost users, groups or other resources from Active Directory, either through a disaster or through human error. Since Windows Server 2008 R2 you can use the Active Directory Recycle Bin to easily recover from this.

The AD Recycle Bin feature requires a forest functional level of Windows Server 2008 R2 or higher and is disabled by default. Also, once it has been enabled it cannot be disabled again.

With Windows Server 2008 R2 you could only enable the AD Recycle Bin using Windows PowerShell and you could also only restore objects using CLI. With Windows Server 2012 you can both enable and restore very easily from the GUI using Active Directory Administrative Center (ADAC).

The script can be found here.

The script basically performs the following steps:

  1. Determine the current forest.
  2. Use parts of the current forest name to dynamically generate a command that is appropriate for every environment to enable the Active Directory Recycle Bin Feature.
  3. If the Active Directory Recycle Bin Feature hasn’t been enabled yet, enable it.

Even though it has become very easy to do using the GUI in Windows Server 2012, automating is always better. Therefore I also added it to the script I used in: Home LAB Setup guide – 04 Configuring Server 2012 VM as DC with DNS and DHCP using PowerShell
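The linked script is not reproduced on this page, so here is an added example of the three steps described above (my code, not the author’s): it reads the current forest, builds the feature’s distinguished name from the forest name, checks the functional level and whether the feature is already enabled, and only then enables it. It assumes the ActiveDirectory module and a forest whose root domain name maps directly to its DC= components.

```powershell
# Added example, not the post's linked script: enable the AD Recycle Bin only when it is not
# enabled yet, building the feature DN from the current forest name as the post describes.
Import-Module ActiveDirectory

function Enable-ADRecycleBinIfNeeded {
    # 1. Determine the current forest.
    $forest = Get-ADForest

    # The feature needs forest functional level 2008 R2 (enum value 4) or higher.
    if ([int]$forest.ForestMode -lt 4) {
        throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest or higher is required."
    }

    # 2. Turn 'lab.local' into 'DC=lab,DC=local' and build the optional feature's DN from it.
    $forestDN  = 'DC=' + (($forest.RootDomain -split '\.') -join ',DC=')
    $featureDN = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service," +
                 "CN=Windows NT,CN=Services,CN=Configuration,$forestDN"

    # 3. EnabledScopes lists where the feature is active; empty means not enabled yet.
    $feature = Get-ADOptionalFeature -Identity $featureDN
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Output "AD Recycle Bin is already enabled in forest $($forest.Name)."
        return
    }

    # Enabling is irreversible, which is why the cmdlet asks for confirmation by default.
    Enable-ADOptionalFeature -Identity $featureDN -Scope ForestOrConfigurationSet -Target $forest.RootDomain
    Write-Output "AD Recycle Bin enabled in forest $($forest.Name)."
}

Enable-ADRecycleBinIfNeeded
```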


Home LAB Setup guide – 04 Configuring Server 2012 VM as DC with DNS and DHCP using PowerShell

In the first part of this LAB setup guide, I described the hardware selection process.
In the second part, I described the hypervisor selection and installation.
In the third part, I described VM guest considerations and preparations.

In this post I cover quickly configuring a Server 2012 VM as DC with DNS and DHCP by using PowerShell.

These steps now take me less than 10 minutes in my test lab. Here’s a short description:

  1. Create a VM that uses your previously made parent disk.
  2. Configure the server name and IP addressing and reboot the computer.
  3. Install AD DS (domain controller) including DNS forward lookup zone and reboot the computer.
  4. Configure AD and DNS : Enable AD Recycle Bin, Add DNS forwarder, add DNS reverse lookup zone, create DNS PTR record for DC.
  5. Install + configure DHCP : Install DHCP, Add scope, configure scope, authorize DHCP server in AD.

The scripts I’ve created for steps 2 to 5 can be found here and are based on the great work Stefan Stranger already did in his blog post Installing a new OpsMgr 2012 (SP1) environment the fast way. I added some stuff of my own so it would meet my needs and I tried to keep it as generic as possible so other people can re-use my code as well.

PS: In step 2, IP addressing is not in place yet. To get the scripts onto the system, consider:

  • Putting the scripts in an ISO file that you can mount.
  • Opening Hyper-V Virtual Machine Connection to VM and using “Clipboard”, “Type Clipboard Text”.
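The scripts themselves are only linked, so as an added example (my code, not the post’s scripts) here is one way to script steps 2 to 5 on Server 2012, split into one function per phase because steps 2 and 3 each end in a reboot. All names and addresses are assumed lab values; the AD Recycle Bin part of step 4 is the subject of the previous post and is left out here.

```powershell
# Added example, not the post's scripts: steps 2 to 5 on Server 2012, one function per phase.
# Run the phases in order, each after the reboot the previous one triggers. All values are assumed.
$computerName = 'DC01'
$domainName   = 'lab.local'
$network      = '192.168.10.0'
$prefix       = 24
$dcIp         = '192.168.10.10'
$gateway      = '192.168.10.1'
$forwarder    = '8.8.8.8'

function Set-LabNameAndIp {            # Step 2: static IP and server name, then reboot
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $dcIp -PrefixLength $prefix -DefaultGateway $gateway
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $forwarder   # until DNS is local
    Rename-Computer -NewName $computerName -Restart -Force
}

function Install-LabForest {           # Step 3: AD DS + DNS with the forward lookup zone, reboots when done
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    $dsrm = Read-Host 'DSRM (safe mode) password' -AsSecureString
    Install-ADDSForest -DomainName $domainName -InstallDns -SafeModeAdministratorPassword $dsrm -Force
}

function Set-LabDns {                  # Step 4: forwarder, AD-integrated reverse zone, PTR for the DC
    Add-DnsServerForwarder -IPAddress $forwarder
    Add-DnsServerPrimaryZone -NetworkId "$network/$prefix" -ReplicationScope Domain
    $reverseZone = (($network -split '\.')[2..0] -join '.') + '.in-addr.arpa'   # 10.168.192.in-addr.arpa
    Add-DnsServerResourceRecordPtr -ZoneName $reverseZone -Name ($dcIp -split '\.')[3] `
        -PtrDomainName "$computerName.$domainName"
}

function Install-LabDhcp {             # Step 5: DHCP role, scope, options, authorisation in AD
    Install-WindowsFeature DHCP -IncludeManagementTools
    Add-DhcpServerv4Scope -Name 'Lab' -StartRange 192.168.10.100 -EndRange 192.168.10.200 `
        -SubnetMask 255.255.255.0 -State Active
    Set-DhcpServerv4OptionValue -ScopeId $network -DnsServer $dcIp -DnsDomain $domainName -Router $gateway
    # A Windows DHCP server in a domain does not hand out leases until it is authorised in AD.
    Add-DhcpServerInDC -DnsName "$computerName.$domainName" -IPAddress $dcIp
    # Tell Server Manager the DHCP post-install configuration has been completed.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2
}
```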

2012 in review

In the 2nd half of this year I started blogging more actively and even though the last couple of weeks didn’t feature many posts, I still have lots of things I want to blog about in 2013.

For now however, you can check out the statistics of 2012 which the WordPress.com stats helper monkeys prepared: Click here to see the complete report.

Thanks everyone for visiting my blog and contributing. Also if you have ideas/suggestions what I should improve or blog about, please let me know.


Posted by on December 31, 2012 in Uncategorized


Home LAB Setup guide – 03 VM guest considerations and preparations

In the first part of this LAB setup guide, I described the hardware selection process.
In the second part I described the hypervisor selection and installation.

In this post I will describe the VM guest considerations and preparations.

VM guest considerations

Considerations for your VM guests:

  • Use a legacy network adapter? This could be necessary, for example, for PXE boot.
    • In most cases the regular network adapter will be the best choice.
  • How much memory to assign? Should I use dynamic memory in Hyper-V? Should I overcommit in VMware?
    • In most cases it is probably best to use dynamic memory / overcommit for your home lab. Some applications however might not work correctly, or you might not get the desired outcome.
  • How many virtual CPUs should I assign?
  • Should I store my VMs on a single physical disk or on multiple physical disks?
  • Should I use virtual disks or pass-through disks?
    • For VMs that I use for testing, I use virtual disks because they provide more flexibility.
    • For my file server I chose pass-through disks, so I can simply remove the disks from my server and place them in another system. I am also afraid that if you encounter an issue when using a virtual disk, the chance is greater that you lose everything because the virtual disk breaks.
  • When I use virtual disks, should I use thin provisioned or thick provisioned disks?
    • Thick provisioned disks are supposed to deliver better performance, but at the cost of more disk space. For a home lab I expect the performance loss to be minimal and acceptable, so I would go with thin provisioned disks. Also, when using SSD disks, space is costly and limited. Be sure to monitor disk space usage though.
  • Should I use differencing disks in Hyper-V / linked clones in VMware?
    • When you plan to use multiple VMs running the same operating system, you can save space by using differencing disks / linked clones. This impacts disk I/O however, so monitor it to see if it fits your needs. Since I use SSD disks and run multiple VMs with the same OS, I use differencing disks.

VM guest preparations

A home lab is not complete without VM guests, of course. The basic methods for provisioning are:

  1. Using pre-prepared VMs provided by third parties, for example Microsoft and VMware. For VMware there is even a virtual appliance Marketplace.
  2. Installing VMs manually every time.
  3. Using third-party deployment tools to provision operating systems to VMs, for example System Center Configuration Manager.
  4. Deploying VMs from templates you create manually.

Often you’ll use a combination of the methods. In my case I’ll deploy many instances of the same guest OS versions for my test lab. I’ll often deploy various versions of Windows multiple times. Therefore I create my own templates for my test lab.

Basic actions for template creation are:

  1. Installation of the operating system
  2. Installing the Hyper-V Integration Component (or VMWare tools).
  3. Adding roles and features I expect to be using in (the majority of) my VMs.
  4. Downloading and installing the latest updates.
  5. Performing sysprep to generalize the installation and choosing to turn off the system afterwards.
    DO NOT TURN ON THE SYSTEM, otherwise you need to run sysprep again.
  6. Saving the virtual disk files for future use.
  7. If you’re going to be using differencing disks, you will use this disk as the parent disk. Make sure you set it to read-only.

Using this approach I’ve created my own templates consuming 180GB and covering most of the operating systems I (can) encounter and want to test with:

Windows2003-Enterprise-R2-SP2-x64-ParentDisk-Readonly.vhdx
Windows2003-Enterprise-R2-SP2-x86-ParentDisk-Readonly.vhdx
Windows2008-SP2-x64-ParentDisk-Readonly.vhdx.vhdx
Windows2008-SP2-x86-ParentDisk-Readonly.vhdx.vhdx
Windows2008R2-SP1-x64-ParentDisk-Readonly.vhdx
Windows2012-Datacenter-Core-ParentDisk-Readonly.vhdx
Windows2012-Datacenter-GUI-ParentDisk-Readonly.vhdx
Windows7-Enterprise-SP1-x64-ParentDisk-Readonly.vhdx
Windows7-Enterprise-SP1-x86-ParentDisk-Readonly.vhdx
Windows8-Enterprise-x64-ParentDisk-Readonly.vhdx
Windows8-Enterprise-x86-ParentDisk-Readonly.vhdx
WindowsVista-Enterprise-SP2-x64-ParentDisk-Readonly.vhdx
WindowsVista-Enterprise-SP2-x86-ParentDisk-Readonly.vhdx
WindowsXP-Pro-SP3-ParentDisk-Readonly.vhdx
WindowsXP-Pro-x64-ParentDisk-Readonly.vhdx

Storing backups and ISO files

When you have files that contain lots of similar data, they are very suitable for deduplication. Read this great blog post if you want to know how it works. With ISO files and powered-off VMs, for example, you can save a lot of space. You should however not configure this for files that change on a regular basis, such as actively running VMs. With Server 2012 you can easily enable deduplication for volumes. Also keep in mind that these files do not require high IOPS, so you can store them on slower disks.

If you want to check how much space you can save without installing Server 2012 and its deduplication feature, you can also run the deduplication evaluation tool (ddpeval.exe) on Windows 7, Windows 8, Windows 2008 R2 or Windows Server 2012. You can even “hack” Windows 8 Pro to allow deduplication.

I was able to reduce the used disk space by 75%, from 215 GB to 50 GB. This was with ISO files and the backups of the parent disks I created earlier (not the ones in use).

In the next post I will describe configuring Server 2012 VM as DC with DNS and DHCP using PowerShell.
