Howto: Delegate the enable/disable accounts permission in Active Directory

To delegate the ability to enable and disable user accounts in Active Directory:

  1. Launch Active Directory Users and Computers with administrative credentials
  2. Right click on the OU where you want to delegate the ability to enable and disable user accounts
  3. Select the Active Directory security group that you want to delegate the ability to and press Next
  4. Select Create Custom Task to Delegate and press Next
  5. Under Delegate Control Of select the Only the following objects in the folder radio button
  6. Select the User objects check box and press Next
  7. Under Show these permissions uncheck General and select Property-specific
  8. Select the Read userAccountControl and Write userAccountControl check boxes and press Next and Finish
 
You’ve now delegated the ability to enable and disable AD user accounts to a security group.
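The wizard steps above produce a single access control entry on the OU: Read and Write on the userAccountControl attribute, inherited by user objects only. The following PowerShell does the same thing from the command line and then verifies the result. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, that the session can modify the OU's ACL, and that $OU and $GroupName are replaced with your own values.

```powershell
# Added example: delegate Read/Write on userAccountControl for user objects under an OU.
# Assumes the ActiveDirectory module (RSAT); $OU and $GroupName are placeholders.
Import-Module ActiveDirectory

$OU        = 'OU=Staff,DC=mydomain,DC=com'     # placeholder OU
$GroupName = 'HelpDesk-AccountEnablers'         # placeholder group

# Look up schemaIDGUIDs from the live schema rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [System.Guid]::new([byte[]]$obj.schemaIDGUID)
}
$uacAttrGuid   = Get-SchemaGuid 'userAccountControl'   # the attribute being delegated
$userClassGuid = Get-SchemaGuid 'user'                 # restrict the ACE to user objects

$sid = (Get-ADGroup -Identity $GroupName).SID
$acl = Get-Acl -Path "AD:\$OU"

# ReadProperty + WriteProperty on userAccountControl, inherited by descendant user objects only
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $uacAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: show the ACEs for this group on the OU that reference userAccountControl
function Get-UacDelegation([string]$OuDn, [string]$Group, [guid]$AttrGuid) {
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" -and $_.ObjectType -eq $AttrGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType
}
Get-UacDelegation -OuDn $OU -Group $GroupName -AttrGuid $uacAttrGuid | Format-Table -AutoSize
```

Write access to userAccountControl covers every flag stored in that attribute, not only the account-disabled bit (the "password not required" and "Kerberos preauthentication not required" flags live there too), so treat the delegated group as privileged and review its membership along with the rest of your delegations.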
 

SQL Query to determine Blackberry MDS Services administration password

I was troubleshooting a Blackberry Manager problem today that required the BES MDS credentials.  The admin thought he knew what the credentials were, but wasn’t sure.  So I wrote the following SQL query and ran it against the Blackberry Enterprise Server’s BesMgmt database to get the user name and password:  

USE BesMgmt
GO
SELECT WSAdminUserName, WSAdminPassword
FROM dbo.MDSAGConfig
 
Replace BesMgmt with the name of your BES database if you are not using the default database name.
 
See RIM KB15618 for additional details on how to reset the BES MDS Services administration password.

Access is denied when attempting to view or restore Volume Shadow Copy contents

I setup our help desk users to be able to restore documents using Microsoft’s Volume Shadow Copy client on remote servers yesterday.  Everything worked just fine for me as an administrator, and for users who owned the files, but it didn’t work for the help desk folks.  I found out they didn’t have NTFS rights to the files and folders, so I assumed all I had to do was assign them change permissions, and they’d be able to do the restore.

I made the permission change, but when the help desk folks tried to view the contents of the shadow copy snapshots they received “Access Denied” errors.  I had them confirm they could UNC to the location where the snapshots were located, and they could create and delete files there.

After much Googling didn’t provide many troubleshooting ideas, I decided to manually create a snapshot of the same volume.  I had them test again, and they were able to view the snapshot’s contents and restore files.  Underlying cause was the help desk group didn’t have permissions to the original snapshot, so they couldn’t see the files to restore them.  Hope this helps someone else out.

Fix: HTTP Error 413: Request Entity Too Large on Blackberry

I was attempting to load a rather large web page on my Blackberry today, and received  the following error:

 HTTP Error 413: Request Entity Too Large on Blackberry
 
Here’s how I fixed it.
 
  1. Open Blackberry Manager and select the affected Blackberry Enterprise Server (BES).
  2. Highlight servername_MDS-CS_1
  3. Select the Connections Tab and click Edit Properties > General > Flow Control
  4. Increase the KB/Connection setting (maximum is 1024, or 1MB)
  5. Restart the Blackberry MDS Connection Service
 
I was then able to view the large web page on my Blackberry.

BES Error: CheckNewMbSyncRecords() MISSED MAIL ITEM ARRIVED FOR INACTIVE OR NON-EXISTANT USER

Found the following messages in my Blackberry Enterprise Server 4.1.6 MAGT log file this morning.  I hadn’t noticed them previously, so I did some digging to find out their origin.

CheckNewMbSyncRecords() MISSED MAIL ITEM ARRIVED FOR INACTIVE OR NON-EXISTANT USER, Id=73

CALENDAR UPDATE REQUESTED FOR INACTIVE OR NON-EXISTANT USER, Id=73

Wrote a quick SQL query that I ran against the Besmgmt database to find out who was user ID 73. 

SELECT Id, DisplayName, UserName
FROM UserConfig
WHERE Id = 73

The results returned were:

73 Amy Jones ajones

I verified that Amy Jones was still listed as a user in Blackberry Manager.  She was, so I looked at her Groupwise account.  Apparently our User Access group had disabled her Groupwise account while she was on leave from the company.  Disabling the account is what caused the above entries in the log files.
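When these messages show up for more than one Id, pulling each number out by hand and running the query once per user gets tedious. The script below, an added example that is not part of the original post, extracts every Id from MAGT log lines matching the two messages above, de-duplicates them, and runs one UserConfig lookup for all of them. The log lines are constructed samples built from the message text in the post (the real MAGT prefix is not shown), and the SQL Server name is a placeholder; it assumes the account running it can read the BesMgmt database with Windows authentication.

```powershell
# Added example: map "INACTIVE OR NON-EXISTANT USER, Id=N" log entries to BES user records.
# Sample lines are constructed from the message text in the post; the SQL instance is a placeholder.
$sampleLog = @'
CheckNewMbSyncRecords() MISSED MAIL ITEM ARRIVED FOR INACTIVE OR NON-EXISTANT USER, Id=73
CALENDAR UPDATE REQUESTED FOR INACTIVE OR NON-EXISTANT USER, Id=73
CheckNewMbSyncRecords() MISSED MAIL ITEM ARRIVED FOR INACTIVE OR NON-EXISTANT USER, Id=118
'@ -split "`r?`n"

function Get-InactiveUserIdsFromLog([string[]]$Lines) {
    # Collect the numeric Id from every matching line, then return each Id once
    $ids = foreach ($line in $Lines) {
        if ($line -match 'INACTIVE OR NON-EXISTANT USER, Id=(\d+)') { [int]$Matches[1] }
    }
    $ids | Sort-Object -Unique
}

function New-UserConfigQuery([int[]]$Ids) {
    # The Ids are typed as [int], so joining them into the IN list cannot smuggle in extra SQL
    "SELECT Id, DisplayName, UserName FROM dbo.UserConfig WHERE Id IN ($($Ids -join ', '))"
}

# Use $sampleLog here; for a real log replace it with: Get-Content 'C:\path\to\MAGT.log' (placeholder path)
$ids   = Get-InactiveUserIdsFromLog -Lines $sampleLog
$query = New-UserConfigQuery -Ids $ids

# Run the lookup against the BES management database (placeholder server/instance and default DB name)
$conn = New-Object System.Data.SqlClient.SqlConnection `
    'Server=BESSQL01\BESMGMT;Database=BesMgmt;Integrated Security=SSPI'
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        '{0} {1} {2}' -f $reader['Id'], $reader['DisplayName'], $reader['UserName']
    }
    $reader.Close()
}
finally {
    $conn.Close()
}
```

Once you have the names, the same check the post describes applies: confirm each user still exists in Blackberry Manager and then look at the state of their mail account, since a disabled mailbox is what generated these entries.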

Fix: The SNMP Service is ignoring extension agent dll c:\webacc\gwwasnmp.dll because it is missing or misconfigured

Windows Server 2003 R2 error message

Event ID: 1102  Source: SNMP
 
The SNMP Service is ignoring extension agent dll c:\webacc\gwwasnmp.dll because it is missing or misconfigured.
 
Symptoms
 
Groupwise Webaccess was originally installed to c:\webacc.  Found documentation that states it should be installed to c:\Inetpub\scripts.  Webaccess was removed, then reinstalled to the new suggested directory.
 
When attempting to register gwwasnmp.dll using
 
regsvr32 c:\inetpub\scripts\gwwasnmp.dll
 
the following error is displayed:
 
c:\inetpub\scripts\gwwasnmp.dll was loaded but the DllRegisterServer entry point was not found.  The file can not be registered.
 
When attempting to unregister gwwasnmp.dll using
 
regsvr32 /u c:\webacc\gwwasnmp.dll
 
the following error is displayed:
 
LoadLibrary("c:\webacc\gwwasnmp.dll") failed – The specified module could not be found
 
Fix
 
Open Regedit, Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Groupwise WebAccess\CurrentVersion
 
Change Pathname value from c:\webacc\gwwasnmp.dll to c:\inetpub\scripts\gwwasnmp.dll or wherever gwwasnmp.dll is located.
 
Stop Groupwise WebAccess Service
Restart Windows SNMP service
Start Groupwise WebAccess Service
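Event ID 1102 is raised for any extension agent whose registered Pathname does not resolve, not just the GroupWise one, so it is worth checking all of them before editing the registry by hand. The script below is an added example, not part of the original post: it walks the SNMP service's ExtensionAgents list, reports each agent's Pathname and whether the DLL actually exists, and then applies the GroupWise fix from the post. It assumes the Windows SNMP service is installed, that the session can write to HKLM, and that the GroupWise WebAccess service name and the new DLL location are replaced with the values from your own server.

```powershell
# Added example: audit SNMP extension agent DLL paths, then apply the GroupWise Pathname fix.
# The GroupWise service name and $newDll are placeholders to adjust for your server.
$agentsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents'

function Get-SnmpExtensionAgent {
    # Each value under ExtensionAgents names a registry key (relative to HKLM) whose Pathname is the DLL
    $props = Get-ItemProperty -Path $agentsKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip the provider's PSPath/PSParentPath/... properties
        $agentKey = 'HKLM:\' + $p.Value
        $path     = (Get-ItemProperty -Path $agentKey -ErrorAction SilentlyContinue).Pathname
        $expanded = if ($path) { [Environment]::ExpandEnvironmentVariables($path) } else { $null }
        [pscustomobject]@{
            Entry    = $p.Name
            AgentKey = $agentKey
            Pathname = $path
            Exists   = [bool]($expanded -and (Test-Path -LiteralPath $expanded))
        }
    }
}

# Report every agent; the ones with Exists = False are the ones the service logs 1102 for
Get-SnmpExtensionAgent | Format-Table -AutoSize

# Fix for the case in the post: repoint the GroupWise WebAccess agent at the DLL's real location
$gwKey  = 'HKLM:\SOFTWARE\Novell\Groupwise WebAccess\CurrentVersion'
$newDll = 'C:\inetpub\scripts\gwwasnmp.dll'                     # placeholder; use the actual DLL path
if (-not (Test-Path -LiteralPath $newDll)) { throw "$newDll not found; set `$newDll to the real DLL path first" }
Set-ItemProperty -Path $gwKey -Name Pathname -Value $newDll

# Same restart order as the post: stop WebAccess, restart SNMP, start WebAccess
$gwService = 'GroupWise WebAccess'                              # placeholder; check Get-Service for the real name
Stop-Service -Name $gwService -ErrorAction Stop
Restart-Service -Name SNMP -ErrorAction Stop
Start-Service -Name $gwService

# Confirm the entry now resolves
Get-SnmpExtensionAgent | Where-Object { $_.AgentKey -eq $gwKey }
```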

HowTo: Export a list of all computers in an AD OU

To export a list of all computers and non domain controller servers in an Active Directory OU, use dsquery.exe.  For example, to export all computers in mydomain.com’s servers OU to machines.txt :

DSQUERY COMPUTER "OU=servers,DC=mydomain,DC=com" -o rdn -limit 1000 > c:\machines.txt
 
Use -limit when you want to return more than the default 100 results (-limit 0 returns all matches).  Note that -o rdn will produce the relative distinguished name (which means no OU=,DC= in the name).
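The same export with the ActiveDirectory PowerShell module, which pages through results on its own and so has no 100-object default cap to remember. This is an added example, not from the original post, and it goes one step beyond the dsquery one-liner: alongside the plain name list it writes a CSV that flags disabled accounts, machines that have not logged on recently, and machines with an old computer password (the same conditions dsquery exposes through -disabled, -inactive and -stalepwd). It assumes RSAT's ActiveDirectory module; $OU, $OutDir and the 90-day threshold are placeholders, and the domain controller exclusion relies on the well-known primary group RIDs 516 (Domain Controllers) and 521 (Read-only Domain Controllers).

```powershell
# Added example: export computers in an OU with stale/disabled flags.
# Assumes the ActiveDirectory module (RSAT); $OU, $OutDir and $StaleDays are placeholders.
Import-Module ActiveDirectory

$OU        = 'OU=servers,DC=mydomain,DC=com'   # placeholder, taken from the post's dsquery example
$OutDir    = 'C:\'                             # placeholder output directory
$StaleDays = 90                                # placeholder threshold for "inactive" and "stale password"

function Get-OuComputerReport([string]$SearchBase, [int]$StaleAfterDays) {
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree -Filter * `
                   -Properties PrimaryGroupID, Enabled, LastLogonDate, PasswordLastSet, OperatingSystem |
        Where-Object { $_.PrimaryGroupID -notin 516, 521 } |        # leave domain controllers out
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name                            # the RDN, like dsquery -o rdn
                DNSHostName     = $_.DNSHostName
                OperatingSystem = $_.OperatingSystem
                Enabled         = $_.Enabled
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                Inactive        = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
                StalePassword   = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            }
        }
}

$report = Get-OuComputerReport -SearchBase $OU -StaleAfterDays $StaleDays

# Plain name list, equivalent to the dsquery output redirected to machines.txt
$report | Select-Object -ExpandProperty Name | Set-Content -Path (Join-Path $OutDir 'machines.txt')

# Full report for review; sort the problem accounts to the top
$report | Sort-Object @{Expression = 'Enabled'; Descending = $false }, Inactive, StalePassword |
    Export-Csv -Path (Join-Path $OutDir 'machines.csv') -NoTypeInformation

# Quick summary on screen
$report | Group-Object Enabled, Inactive, StalePassword |
    Select-Object Count, Name | Format-Table -AutoSize
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the true last logon by up to 14 days, so use the Inactive flag to pick candidates for review rather than as proof that a machine is gone.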
 
Full dsquery syntax:
 
Syntax:     dsquery computer [{<StartNode> | forestroot | domainroot}]
           [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
           [-name <Name>] [-desc <Description>] [-samid <SAMName>]
           [-inactive <NumWeeks>] [-stalepwd <NumDays>] [-disabled]
           [{-s <Server> | -d <Domain>}] [-u <UserName>]
           [-p {<Password> | *}] [-q] [-r] [-gc]
           [-limit <NumObjects>] [{-uc | -uco | -uci}]
 
 
Parameters:
Value                       Description
{<StartNode> | forestroot | domainroot}
                           The node where the search will start:
                           forest root, domain root, or a node
                           whose DN is <StartNode>.
                           Can be “forestroot”, “domainroot”
                           or an object DN.
                           If “forestroot” is specified, the search is done
                           via the global catalog. Default: domainroot.
-o {dn | rdn | samid}       Specifies the output format.
                           Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                           Specifies the scope of the search:
                           subtree rooted at start node (subtree);
                           immediate children of start node only (onelevel);
                           the base object represented by start node (base).
                           Note that subtree and domain scope
                           are essentially the same for any start node
                           unless the start node represents a domain root.
                           If forestroot is specified as <StartNode>,
                           subtree is the only valid scope.
                           Default: subtree.
-name <Name>                Finds computers whose name matches the value
                           given by <Name>, e.g., “jon*” or “*ith”
                           or “j*th”.
-desc <Description>         Finds computers whose description matches
                           the value given by <Description>,
                           e.g., “jon*” or “*ith” or “j*th”.
-samid <SAMName>            Finds computers whose SAM account name
                           matches the filter given by <SAMName>.
-inactive <NumWeeks>        Finds computers that have been inactive (stale)
                           for at least <NumWeeks> number of weeks.
-stalepwd <NumDays>         Finds computers that have not changed their
                           password for at least <NumDays> number of days.
-disabled                   Finds computers with disabled accounts.
{-s <Server> | -d <Domain>}
                           -s <Server> connects to the domain controller
                           (DC) with name <Server>.
                           -d <Domain> connects to a DC in domain <Domain>.
                           Default: a DC in the logon domain.
-u <UserName>               Connect as <UserName>. Default: the logged in
                           user. User name can be: user name,
                           domain\user name, or user principal name (UPN).
-p <Password>               Password for the user <UserName>.
                           If * then prompt for password.
-q                          Quiet mode: suppress all output to
                           standard output.
-r                          Recurse or follow referrals during search.
                           Default: do not chase referrals during search.
-gc                         Search in the Active Directory global catalog.
-limit <NumObjects>         Specifies the number of objects matching the
                           given criteria to be returned, where <NumObjects>
                           is the number of objects to be returned.
                           If the value of <NumObjects> is 0, all
                           matching objects are returned.
                           If this parameter is not specified, by default
                           the first 100 results are displayed.
{-uc | -uco | -uci}         -uc Specifies that input from or output
                           to pipe is formatted in Unicode.
                           -uco Specifies that output to pipe or file is
                           formatted in Unicode.
                           -uci Specifies that input from pipe or file is
                           formatted in Unicode.
 
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
 
If a value that you supply contains spaces, use quotation marks
around the text (for example, “CN=John Smith,CN=Users,DC=microsoft,DC=com”).
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
 
Examples:
To find all computers in the current domain whose name starts with “ms”
and whose description starts with “desktop”, and display their DNs:
 
   dsquery computer domainroot -name ms* -desc desktop*
 
To find all computers in the organizational unit (OU) given
by ou=sales,dc=micrsoft,dc=com and display their DNs:
 
   dsquery computer ou=sales,dc=microsoft,dc=com
 
See also:
dsquery computer /? – help for finding computers in the directory.
dsquery contact /? – help for finding contacts in the directory.
dsquery subnet /? – help for finding subnets in the directory.
dsquery group /? – help for finding groups in the directory.
dsquery ou /? – help for finding organizational units in the directory.
dsquery site /? – help for finding sites in the directory.
dsquery server /? – help for finding servers in the directory.
dsquery user /? – help for finding users in the directory.
dsquery quota /? – help for finding quotas in the directory.
dsquery partition /? – help for finding partitions in the directory.
dsquery * /? – help for finding any object in the directory by using a
generic LDAP query.
 
Directory Service command-line tools help:
dsadd /? – help for adding objects.
dsget /? – help for displaying objects.
dsmod /? – help for modifying objects.
dsmove /? – help for moving objects.
dsquery /? – help for finding objects matching search criteria.
dsrm /? – help for deleting objects.
dsquery failed:The parameter is incorrect.
type dsquery /? for help.

Assigning Netware rights via the command line

Here at the office we have a group in charge of assigning and maintain user and group rights and permissions to our various systems.  It’s nice not having to worry about that aspect of server administration. 

But I have an urgent need to have some eDirectoy group rights assigned to a specific directory on every Netware server in our Enterprise.  The group that controls user access is saying that they can’t meet my timeframe for getting these rights assigned, so I had to come up with my own solution.

My solution was to use Wolfgang Schreiber’s  lrights.exe utility to script assigning the rights command line style.  The syntax is:

LRights <path> <rights> /name=<trustee>

For example, to assign read and file scan rights to the .mygroup.OU.O user:

lrights \\server\volume\directory R F /Name=.mygroup.OU.O

This utility was written to support long path/file names, unlike Novell’s rights.exe utility.

Fix: Blank screen when using Windows XP telnet client

Today when I established a telnet session to a host on port 80 from my Windows XP machine, I was unable to see any commands I typed echoed on the screen.  I knew I had to enable local echo, but always seem to forget how to do it.

KB196748 describes how to enable local echo so you can see the commands you type.  To enable local echo:

1.  Telnet to the host, i.e.

 telnet host 80
 
Where host is the name of the host you are connecting to, and 80 is the port number you wish to connect to.
 
2.  Type
 
CTRL+]
 
(That means, with the CTRL key depressed, hit the plus key then the closed bracket key)
 
3.  Type
 
set localecho
 
Note:  If using Windows 2000, replace set localecho with set local_echo
 
4.  Press Enter on a blank line
 
If each letter you type appears twice, use the same process to deactivate local echo.