Daniel Ramawidjaja Blog

April 15, 2010

Mail Control Panel Paths

Filed under: Office Outlook — Daniel Ramawidjaja @ 4:15 pm
Tags:

The possible paths for the Mail Control Panel are:

x86 installations:
Outlook 2003 : “C:\Program Files\Common Files\System\MSMAPI\1033\mlcfg32.cpl”
Outlook 2007 : “C:\Program Files\Microsoft Office\Office12\MLCFG32.CPL”

x64 installations:
Outlook 2003 : “C:\Program Files (x86)\Common Files\System\MSMAPI\1033\mlcfg32.cpl”
Outlook 2007 : “C:\Program Files (x86)\Microsoft Office\Office12\MLCFG32.CPL”

Advertisements

July 25, 2009

Delegation Control to Modify Only Certain User Attributes (Part 2)

Filed under: Active Directory,Windows Server — Daniel Ramawidjaja @ 9:33 am
Tags:

In this post, I will explain how to delegate certain users to be able to modify attributes that can not be delegated by using Delegation of Control Wizard. Not all attributes can be delegated using the wizard, without allowing other attributes that you do not want to delegate.
For example, Office location. You can delegate the Office location attribute by selecting Read/Write Permissions for Private Information. But, may be you need to for the delegation to be more specific. In this case, using ADSIEDIT.MSC.

If you do not have ADSIEDIT.MSC ready (test by run ADSIEDIT.MSC from Run), you should install first.
It’s available on the Windows Server 2003 CD, in folder \Support\Tools. Install by double-click on suptools.msi.
For Windows Server 2008, it has been available on the Domain Controller since you installed the Active Directory.

Create connection to open the Domain partition.
Then you can modify the permissions of an OU just like the following picture:

Custom Delegation (Part 2)

This tip has been tested to work successfully, such as in the following picture.

Custom Delegation (Part 2)

The Office location attribute was changed to Semarang.

Custom Delegation (Part 2)

Delegation Control to Modify Only Certain User Attributes (Part 1)

Filed under: Active Directory,Windows Server — Daniel Ramawidjaja @ 9:14 am
Tags:

Based on my student request, I post an article about custom delegation task in Active Directory. This delegation will allow user with specific function, for example, Human Resource to edit only certain properties of users in certain OUs.

User Attributes that can be changed after the custom delegation:
Job Title, Department, Company, Manager, and Direct Reports.

Testing will be done by user Jet Lee (JetL) as a member of Human Resources group.

 

Attributes that Will Be Allowed to Be Changed in This Custom Delegation Example

Custom Delegation

 

Delegation Control Steps
Right-click on Finance OU, for example, and then click Delegate Control. It will launch the Delegation of Control Wizard.

Custom Delegation

Select users or groups for delegation

Custom Delegation

Select Create a custom task to delegate

Custom Delegation

Select Only the following objects in the folder, then select User objects.

Custom Delegation

On the Permissions page, select Property-specific. Then select read and write permissions for the following attribute:
– Department
– Job Title
– Company
– Direct Reports
– Manager
Click Next, and then click Finish.

Custom Delegation

 

Test the Delegation
For testing I use user Jet Lee (JetL) that is a member of Human Resources group.

Custom Delegation

Now, JetL can modify the user properties in the Organization tab like the following picture:

Custom Delegation

Here the result of setting the Manager property as you can see in Direct Reports list in the user properties for the manager (NaomiW)

Custom Delegation

June 27, 2009

Group Policy Management Console (GPMC) Installation on Windows Server 2003 R2 x64

Filed under: Group Policy,Windows Server 2003 R2 — Daniel Ramawidjaja @ 4:41 am
Tags: ,

You can download the GPMC here:
http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Unfortunately, GPMC need the .NET Framework 1.1 while the Windows Server 2003 R2 x64 includes only .NET Framework 2.0.

GPMC Installation Needs .NET Framework 1.1

You can install .NET Framework 1.1, but you may find error on other web applications. See my previous post, Error on Certificate Services Web Enrollment After Installing .NET Framework 1.1 on Windows Server 2003 R2 x64.

After installing .NET Framework 1.1 and some troubleshooting when necessary, you can install install GPMC sucessfully.

GPMC Installation completed

 

Here the test of GPMC usage after installation

GPMC Testing

GPMC Testing

GPMC Testing

 

To avoid problems with incompatibility of .NET Framework 1.1, it is recommended for you to install GPMC on client computers, such as Windows XP or Windows Vista. I wrote this post just to show you that actually we can install GPMC on Windows Server 2003 x64 that includes only .NET Framework 2.

Error on Certificate Services Web Enrollment After Installing .NET Framework 1.1 on Windows Server 2003 R2 x64

I won’t recommend someone to do this. I meant the installation of .NET Framework 1.1 on Windows Server 2003 R2 x64 that includes only .NET Framework 2.0. Here I found the problems with the Certificate Services Web Enrollment, you may find other problems on your web applications.
This tip only to show you how to solve the problem on Certificate Services Web Enrollment after the installation of .NET Framework 1.1.

I installed .NET Framework 1.1 on Windows Server 2003 R2 x64 that includes only .NET Framework 2.0 in Add/Remove Windows Components.

Install .NET Framework 1.1 on Windows Server 2003 R2

The installation completed successfully, then the problem come when I run Certificate Services Web enrollment.

Error after install NET FX 1.1 on Windows Server 2003 R2 x64

Even access to the Default Web Site or http://server-name returns errors.

CertSrv-default-033

 

To Resolve the Problem:
Open Command Prompt. Go to Windows\Microsoft.NET\Framework64\v2.x.xxx (replace x.xxx with the correct version of the .NET Framework installed). Type:

> aspnet_regiis -i

How to resolve the problem

The Result of Previous Step:

Result after run: "aspnet_regiis.exe -i"

 

I also got another problem when running Certificate Services Web Enrollment. You may find another error message like “Unexpected Error getting the templates list”.

Go to see another error..

Another Error comes

 

How to Resolve the Second Error:
I have to Unregister and Register some DDLs

  • regsvr32 /u scrdenrl.dll
  • regsvr32 scrdenrl.dll
  • regsvr32 /u xenroll.dll
  • regsvr32 xenroll.dll

Step to Resolve the Second Error

Then I can continue the certificate enrollment process till completed.

The Result

 

Note:
I can solve the problem after googling the related error message and found this answer.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/a80a4eeb-d592-4d53-a1fc-3b0a993630f3

June 22, 2009

Restore Deleted Objects from Active Directory Database Using Tombstone Reanimation (AdRestore.exe and ADRestore.NET)

By using AdRestore.exe or ADRestore.NET, you can implement tombstone reanimation method to restore deleted objects from Active Directory database easily. So it basically do the same as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

I wrote the previous post to make deep understanding of the tombstone reanimation concept.

AdRestore.exe
Formerly Sysinternals and now Microsoft, Mark Russinovich has created a command-line freeware application called ADRestore. The tool enumerates all of the currently tombstoned objects in a domain and allows you to restore them selectively, and provides a convenient command-line interface for using the Active Directory reanimation functionality.

You can download this tool from here:
http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx

ADrestore.exe

 

ADRestore.NET
Restoring objects with ADRestore.net
Guy Teverovsky has written a GUI version that allows you to easily restore deleted AD objects.
I found this tool will help you a lot when you need to restore more than one deleted objects, for example, an OU contains some objects.

You can download the ADRestore.NET here:
http://blogs.microsoft.co.il/files/folders/guyt/entry40811.aspx

Here the demo steps:
I deleted an OU named Accounting contained some objects including users and groups.
Delete an OU

Enumerating Tombstones
ADRestore.NET

First restore the OU.
ADRestore.NET

Then restore the other objects one by one.
ADRestore.NET

Until the last object
ADRestore.NET

Then view the result
ADRestore.NET - The Result

You can see from the steps above that using ADRestore.NET will be a lot of easier to restore more than one objects.

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

This tip has been tested that it works for Windows Server 2003, Windows Server 2008, or later.
For Windows Server 2008 R2, it is recommended to use Active Directory Recycle Bin feature. It’s more efficient method and can do complete restore of the previous deleted objects.

What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object’s isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object’s naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.

Obviously, objects don’t remain in the CN=Deleted Objects container forever. The default tombstone lifetime is 60 days for forests initially built using Windows® 2000 and Windows Server 2003, and 180 days for forests that were initially built with Windows Server 2003 SP1. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration, DC= object.

Every 12 hours, each domain controller starts a garbage collection process. (This can be changed by setting a new value for the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration,DC= object.) This garbage collection scans all of the tombstones on the DC and physically deletes any that are older than the tombstone lifetime.

The Deleted Objects container is hidden and can not be viewed by using Active Directory Users and Computers and ADSIEDIT.MSC. But you can use LDP.EXE.

For example, in this documentation, I delete an account with distinguishedName: CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com.
That account will be stored in Deleted Objects container in the form:
CN=Jenny GatesADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,CN=Deleted Objects,DC=Microship,DC=com
and with the attribute isDeleted is set TRUE.

To restore the user account, you have to use LDP.EXE to modify the properties of the deleted objects.
Here the snapshots

 

The previous condition
Jenny Gates (username: JennyG) has the following attributes:

Tombstone Reanimation - Before Deletion

Tombstone Reanimation - Before Deletion

Jenny has permissions set to C:\Data\Marketing folder.

Tombstone Reanimation - Before Deletion

Delete the user account Jenny

Tombstone Reanimation - Deletion

As the Result of Deletion
The Jenny’s previous account will be shown in the folder as her old SID. If you create a new user, it actually create a new object with the new SID for the user. That’s why you have to use the Tombstone Reanimation method to restore the old object.

Tombstone Reanimation - Impact of Deletion

 

For preparation to restore the deleted object, you have to install Windows Server 2003 Support Tools. From the Windows Server 2003 Installation CD, it is located on \SUPPORT\TOOLS\SUPTOOLS.MSI
You do not need to follow this step, if using Windows Server 2008.

Tombstone Reanimation - Support Tools

 

Process to Restore the Deleted Object
Run LDP.exe.
On LDP window, click Connection menu, click Connect, type the appropriate server name and port.
Click Connection menu, click Bind, and type the Administrator account and password.

Click Options menu, click Controls.
On Load Predefined, select Return deleted objects.
This option will show the Deleted Objects container that is hidden by default.

Tombstone Reanimation

Click View menu, click Tree, and then select the distinguished name of the domain name.
On the left, select DC=Microship,DC=com.
Then expand the Deleted Objects container, and find Jenny Gates.

Right click on the Jenny account, then click Modify.

Tombstone Reanimation

In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
In the Attribute box, type distinguishedName, in the Values box, type CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com. Under operation, click Replace, and then click Enter.
Select the Extended check box, and then click Run.

Tombstone Reanimation

The result of restoring deleted objects using Tombstone Reanimation procedure is not perfect. You will restore a disabled account with all attributes has been stripped. You have to set the password and enable the account.

Tombstone Reanimation - The Result

But as you can see from the following picture that the permissions for Jenny has been restored.
Now Jenny can access the shared folder.

Tombstone Reanimation - The Result

The next pictures show that, although you can restore the object, but many attributes has gone including the membership of the user.

Tombstone Reanimation - The Result

Tombstone Reanimation - The Result

If you want to have a successful restore including all attributes of the user, you should consider to do Authoritative Restore that need you to restore from backup. and you can not restore the active directory database from backup without restarting to Active Directory Restore Mode.

June 20, 2009

Visio Connector for MBSA 2.1

Filed under: Security — Daniel Ramawidjaja @ 9:03 pm
Tags:

In this documentation, I use Microsoft Visio Professional 2007 and Microsoft Baseline Security Analyzer (MBSA) 2.1. You can download Visio Connector for MBSA 2.1 here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=95e0f821-9c2c-4287-9157-49c1205e08ef&displaylang=en

I do not give a really details documentation for step by step implementation. If you need more information about the steps, see the details here:
http://msdn.microsoft.com/en-us/library/bb232815.aspx

 

Here are the snapshots of Visio Connector for MBSA usage:

Visio Connector for MBSA 2.1 - Perform Scanning

Visio Connector for MBSA 2.1 - Perform Scanning

Visio Connector for MBSA 2.1 - Perform Scanning

Visio Connector for MBSA 2.1 - Perform Scanning

Visio Connector for MBSA 2.1 - Perform Scanning

Visio Connector for MBSA 2.1 - Perform Scanning

Microsoft Baseline Security Analyzer (MBSA), Part 2: Report Details

Filed under: Security — Daniel Ramawidjaja @ 11:36 am
Tags:

MBSA 2.1 Report

 

Security Update Scan Results

Security Update Scan Results (1)

You can download or view the security update information directly from Microsoft Update web site.

Security Update Scan Results (2)

 

Windows Scan Results

Windows Scan Results (1)

Windows Scan Results (2): detail info

How to correct this information

Windows Scan Results (2): How to correct

 

Additional System Information

Report Details: Additional System Information (1)

 

Other Microsoft Products Scan Results

Other Microsoft Products Scan Results

Microsoft Baseline Security Analyzer (MBSA), Part 1: Usage

Filed under: Security — Daniel Ramawidjaja @ 11:07 am
Tags:

MBSA is a free security analyzer to detect common security misconfigurations and missing security updates on your computer systems.

You can download from here:
http://technet.microsoft.com/en-us/security/cc184923.aspx

 

Setup

MBSA 2.1 Setup

 

Scanning

You can select whether scan a computer, scan multiple computers, or view existing security scan reports.

Microsoft Baseline Security Analyzer (MBSA) 2.1

Select Configure computers for Microsoft Update and scanning prerequisites, if you want to automatic install the Windows Update Agent to the computers you want to scan in case they don’t have meet the scanning prerequisites.

Microsoft Baseline Security Analyzer (MBSA) 2.1

It downloads the Security Update Catalog from the Internet and continue scanning.

Microsoft Baseline Security Analyzer (MBSA) 2.1

 

Reports

MBSA 2.1 Report

Next Page »

Blog at WordPress.com.