IT News for Your Ears – Tech Podcasts You Should Be Listening To

A colleague on the management team in my department insists on taking a few hours as soon as the biweekly issue of c’t arrives. If you’re reading this blog, you’re probably a time-pressed administrator who, like me, doesn’t have that luxury. However, it is part of our jobs to keep up on the wider IT world.

I listen to several podcasts each week during the drive to work – much safer than reading an IT magazine while on the road. These shows also help me put some much-needed miles on my bike ūüôā

I’ve included links to the show pages for each of my favorites, and for your convenience, an RSS link for copying into your player. If you’re looking for such an app,¬†Car Cast¬†is a nice, simple Android podcast player that is free, but once you’ve installed the free version, top it up with the paid version to get rid of the little ads and show your appreciation for this fine app.

Essential listening for Microsoft IT Pros

  • PowerScripting with Jonathan Walz and Hal Rottenberg: Love scripting or hate it, PowerShell has become a core skill for Active Directory, Exchange and SharePoint administrators, SQL Server DBAs and .NET developers. I started listening to PowerScripting shortly after I discovered PowerShell, and it really helped me along. These days, I mostly listen to it to find out about new applications for it, but still pick up tips and tricks from Jon, Hal and their guests. If you’re just getting started with PowerShell, download and listen to the first 30 episodes or so in order, along with the week’s latest one so you keep up with the community’s news. It was obvious those first few episodes that Jon, and later Hal, were new to podcasting, but now, it’s a very polished listening experience, so stick with it through those initial shows. [RSS link]
  • RunAs Radio with Richard Campbell: The main Microsoft IT Pro show, covering the wide range of MS enterprise technologies in an interview format. The older episodes are still good, but cover a lot of old news. I’d recommend downloading the most recent 10 or so for breadth, then searching the site for the specific technologies you deal with. [RSS link]
  • .NET Rocks! with Carl Franklin and Richard Campbell: Developer-centric parent show of Run-As Radio that comes out twice a week like clockwork. Good for getting a broader view of what’s going on in the Microsoft world. They also have occasional “Geek Out” episodes covering non-IT techologies for a technical, but not expert, audience. The back catalog is over 800 shows – they’re bound to have hit upon something you’re interested in. [RSS link]
  • HanselMinutes with Scott Hanselman: Scott works for Microsoft, but he covers a broad array of development-related topics, along with some non-IT ones, on his always thought-provoking show. Any random episodes will be worth listening to. [RSS link]
  • The UC Architects: An ensemble¬†of Lync and Exchange MVPs and other experts from around the world who keep us up to date on what is happening with the two¬†main constituents of¬†Microsoft Unified Communications platform, along with how it ties in to Office 365. Lync is becoming a very important secondary, even primary skill for Exchange admins, so if you are working with one platform, you need to at least be aware of what’s going on with the other. I’ve just started listening and am still catching up with previous episodes. Their website gives a very good synopsis of each episode, including when in the program each segment started so you can skip past the bits you’re not as interested in. [RSS link]

Other tech podcasts I like

  • NPR’s Technology Podcast: Highlights stitched together each week from the various technology segments on NPR, primarily covers general consumer tech and social/legal issues related to IT. [RSS link]
  • Engadget Podcast: mostly consumer tech, along with some enterprise IT. Fun.¬†[RSS link]
  • Your Website Engineer with Dustin Hartzler: good listening for anyone who does stuff with WordPress.¬†[RSS link]
  • SQLDownUnder¬†with Greg Low: episodes are sporadically released, but excellent listening for anyone who even occasionally has to deal with SQL Server, with bonus Aussie accent and detailed show transcripts for the bits . ¬†The one about SQL Server Reporting Services¬†with Jessica Moss helped me out a TON when I was getting started with reports.¬†[RSS link]
  • Quirks and Quarks: the CBC’s (Canadian Broadcasting Corporation) weekly science radio show, focusing on Canadians scientists and institutions, but reaching out for the week’s big stories. Bob McDonald, the longtime host, is possibly the best science interviewer in the business.¬†[RSS link]

Any podcasts I’m missing? Anyone ready to start that ActiveRoles Server podcast?

Why would I want to deprovision an Active Directory Group?

Most of my posts are about issues I’ve run into on the job. However, I occasionally look at the search terms that brought people here, and saw the question, “why would I want to deprovision a group?”

Deprovisioning in ActiveRoles Server is mostly focused around user accounts, because those are what most visibly consume resources: mailboxes (Exchange CAL), space on a file server, an ARS license (ARS licensing is completely based on the number of enabled User objects) and are most subject to abuse if there’s no legitimate need for them anymore. You can copy and then modify the sample “Built-in Policy – Default Deprovisioning” that ships with ARS. I recommend that you copy any Built-In Policy and change your copy.

However, groups can also be deprovisioned. Deprovisioning lets you take a group out of action without deleting it. What “out of action” means depends on exactly what groups do in your environment, and what information you need to retain. Do you need to keep the membership list of the group? Do you want to be able to “undeprovision” it, bringing it quickly back into use? Is there any data in the Description or Info (Notes) attributes that other systems use for accounting? Do you need a record of who the secondary owners were? Should a group that granted read privileges on a departmental folder be deprovisioned differently from one that was used to give administrator access to the file server that was at an office that has just been closed?

Deprovisioning policy for groups, just like deprovisioning policy for users, can be configured in both the Policy Object wizard, which is a good idea if it’s a simple attribute change based on a pattern or another attribute in the same object, or a script that you then attach to the Policy Object.

You can configure different deprovisioning policies for different OUs, which you then attach to the container you want to apply them to with Policy Object Links, similar to Access Template Links, except for the lack of a snazzy AD Management Shell cmdlet that will let you do them in bulk, like you can with New-QARSAccessTemplateLink.

If you create your Group Deprovisioning policy actions in a script, you put them in the onPreDeprovision(), onDeprovision() and onPostDeprovision() event handlers. Make sure you put your group-related code inside an if ($Request.class -eq “Group”) {¬† } black to distinguish it from what you want to do when $Request.class -eq “User”. You should do that object class check even if you have separate Policy Objects for deprovisioning user and deprovisioning groups.

As far as whether something should be in onPreDeprovision(), onDeprovision() or onPostDeprovision(), think about what needs to happen before the group goes offline, what attributes you want to be able to restore, and what needs to happen after everything else is finished.

onPreDeprovision() might do checks to see if it is in the local Administrators group for a specific sensitive server, and this has to happen in onPreDeprovision() if converting the group from a Security Group to a Distribution List is part of your deprovisioning process (Distribution Lists do not have SIDs.)

onPostDeprovision() is for clean-up activity: perhaps dynamically determining who the recipients for the notification email should be.

If it is a property change you wish to revert, however, it should be in the onDeprovision() event handler, because that is what is recorded in the data retrieved by that group’s edsvaDeprovisionRecordXML, which is used if you ever tell ARS to undo the deprovisioning.

Once you’ve got your group deprovisioning the way you want it, you might want to use PowerShell to deprovision them the same way you can deprovision users with Deprovision-QADUser. There’s no native Deprovision-QADGroup cmdlet, but I’ve written one, along with UnDeprovision-QADUser and UnDeprovision-QADGroup:¬†Deprovision and UnDeprovision Users and Groups with PowerShell

NetLogon.log: Control what goes in, and get what you want out

Or, when you want some, but not all, of what Netlogon.log has to offer – especially when trying to track down the source of a user account’s¬†lockouts or find subnets that haven’t been put into an Active Directory site yet.

At one point, we had Netlogon turned up to 11 on all our domain controllers – that is, DBFlag is set to 0x2080ffff, just like this TechNet article¬†and everything else you see at first glance on the Internet has it. That quick looks makes it look like your options are EVERYTHING!!1!1 or nothing. Since that one Knowledge Base article literally IS the only place on the Internet where these flags are listed in detail, and Microsoft has recently started featuring the automated “Fix It” solution, here is the info for posterity (and convenience),
nicely formatted into tables.

Data Source:
Formatting into tables: Amanda Debler (me)
All descriptions as-is from Microsoft.

Basic Netlogon Flags

Flag Name Value Description
NL_INIT 0x00000001 Initialization
NL_MISC 0x00000002 Misc debug
NL_LOGON 0x00000004 Logon processing
NL_SYNC 0x00000008 Synchronization and replication
NL_MAILSLOT 0x00000010 Mailslot messages
NL_SITE 0x00000020 Sites
NL_CRITICAL 0x00000100 Only real important errors
NL_SESSION_SETUP 0x00000200 Trusted Domain maintenance
NL_DOMAIN 0x00000400 Hosted Domain maintenance
NL_2 0x00000800
NL_SERVER_SESS 0x00001000 Server session maintenance
NL_CHANGELOG 0x00002000 Change Log references
NL_DNS 0x00004000 DNS name registration

Verbose Netlogon Flags

Flag Name Value Description
NL_WORKER 0x00010000 Debug worker thread
NL_DNS_MORE 0x00020000 Verbose DNS name registration
NL_PULSE_MORE 0x00040000 Verbose pulse processing
NL_SESSION_MORE 0x00080000 Verbose session management
NL_REPL_TIME 0x00100000 replication timing output
NL_REPL_OBJ_TIME 0x00200000 replication objects get/set timing output
NL_ENCRYPT 0x00400000 debug encrypt and decrypt across net
NL_SYNC_MORE 0x00800000 additional replication dbgprint
NL_PACK_VERBOSE 0x01000000 Verbose Pack/Unpack
NL_MAILSLOT_TEXT 0x02000000 Verbose Mailslot messages
NL_CHALLENGE_RES 0x04000000 challenge response debug
NL_SITE_MORE 0x08000000 Verbose sites

Netlogon Control Flags

Flag Name Value Description
NL_INHIBIT_CANCEL 0x10000000 Don’t cancel API calls
NL_TIMESTAMP 0x20000000 TimeStamp each output line
NL_ONECHANGE_REPL 0x40000000 Only replicate one change per call
NL_BREAKPOINT 0x80000000 Enter debugger on startup

Right now, I just want a clear look at account lockouts and subnetless IPs, even on our busiest DCs. A very busy DC can blow through a 100MB log file allowance in a few hours, and even with Netlogon.bak, collection and filtering would have to happen several times a day to make sure we see all the bad logons.

“But why would you want to capture LESS diagnostic information?!?” Because heavy logging can cause its own problems – read and think about this article from the Directory Services team¬†before you implement “All Logging, All The Time”. It explains how to enable (and disable) logging for all facets of Directory Services.

As a compromise, I’m just going to turn off all those ‘[SITE]’ messages, since they are most of the entries in netlogon.log, and don’t provide any information I need right now. So, 0x2080ffff - 0x00000020 = 0x2080ffdf. I tried the nice .NET/PowerShell way, but it failed against a 2003 server. Back to the old-fashioned way – still possible from within a PowerShell script:

(all one line) reg add "\\$computerName\HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v DBFlag /t REG_DWORD /d 0x2080ffdf /f

Make sure that your log file is the size you want it to be (in this case, 100 megabytes):

(all one line)reg add "\\$computerName\HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v MaximumLogFileSize /t REG_DWORD /d 100000000 /f

And to check our work…

(all one line) reg query "\\$computerName\HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v DBFlag

(all one line) reg query "\\$computerName\HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v MaximumLogFileSize

Finish up by stopping and starting the Netlogon service, again, the old-fashioned way with NT Service Controller. You need to use sc.exe in PowerShell, because sc is an alias for Set-Content:

sc.exe \\$computerName stop netlogon

sc.exe \\$computerName start netlogon

Here’s a table of the result codes to interpret the [LOGON] entries (from Section “Netlogon Log File Error Codes”, copied in case that particular link goes away):

Log Code Description
0x0 Successful login
0xC0000064 The specified user does not exist
0xC000006A The value provided as the current password is not correct
0xC000006C Password policy not met
0xC000006D The attempted logon is invalid due to a bad user name
0xC000006E User account restriction has prevented successful login
0xC000006F The user account has time restrictions and may not be logged onto at this time
0xC0000070 The user is restricted and may not log on from the source workstation
0xC0000071 The user account’s password has expired
0xC0000072 The user account is currently disabled
0xC000009A Insufficient system resources
0xC0000193 The user’s account has expired
0xC0000224 User must change his password before he logs on the first time
0xC0000234 The user account has been automatically locked

The most important ones to distinguish between are 0xC000006A (bad password was entered this time – these ARE the droids you’re looking for) and 0xC0000234 (a logon attempt has been made with a user account that has been locked out, but this says nothing about whether this current attempt used a good or bad password)

Continue reading

You should buy SnagIt, because I didn’t have to…

… ¬†TechSmith dug up my (VERY) old license key!

Ten years ago, I was working in a government basement in suburban Maryland, testing Java code and writing step-by-step user manuals for the Treasury’s intra-departmental payments program. There were five different user roles with several dozen actions, and the customer wanted detailed, step-by-step instructions. With pictures. Lots of pictures. Each of those things averaged 300 pages. At first, it was miserable. I knew how to do Print Screen, then crop in Word. Tedious.

Then kind soul informed me of the existence of SnagIt and swore the license cost was totally worth it. It was – the whole manuals business started flying by.

Fast forward to this week. Once I get my test environment set up (thank you Dell/Quest for the long-running sample license for ActiveRoles Server!), I wanted to make good screenshots for you guys. I vaguely remembered using SnagIt back in that basement, and dug through my email accounts for something from TechSmith. Nothing. I went to their website and plugged in all the email addresses I still had access to. Nothing.

I then followed their instructions, filing a service request with the billing addresses I could remember using during the years at that job, and not two hours later, received a friendly response that they found my purchase record, but since it was for a REALLY old version, they were offering me the license key for the oldest one they still support, along with the same half-price upgrade rights to the current version.

So thanks, TechSmith. If you need to do a lot of end-user documentation, SnagIt will save your sanity. You can try it for free for 30 days, at which point you’ll be hooked.

Disabling P2P File Transfers in Lync – and other settings not found in ClientPolicy

We’re rolling out Lync Server 2010, and among other limits on end-user behavior, management wanted a way to prevent most, but not all, users from transfering files from their Lync or Microsoft Office Communicator clients.

Most client-related settings are controlled with Set-CsClientPolicy -Identity "MyAwesomeClientPolicy" -TheSettingName thesettingvalue, then granted to specific users with Grant-CsClientPolicy -PolicyName "MyAwesomeClientPolicy" -Identity SomeHaplessUser

Oddly enough, the right to transfer files or use audio/video in their peer-to-peer chats is not controlled with ClientPolicy, but by ConferencingPolicy. Our Global (that is, default) ConferencingPolicy have, among many other attributes, AllowIPAudio and AllowIPVideo set to False and EnableAppDesktopSharing set to None in order to keep most of the users on the less-expensive Standard Lync Server CALs during our testing period.

To test if “Keith’s” answer to this question in the MS TechNet forums about blocking file transfers for specific users or groups was correct, my colleague first sent a file from a test user with no explicitly-assigned ConferencingPolicy to her Lync user (which does have a more permissive ConferencingPolicy). Success.

I then ran:

Set-CsConferencingPolicy -Identity Global -EnableP2PFileTransfer $false

She signed the test user off and back on, and the test user’s Office Communicator did not display the option to transfer a file to her real account.

She then tried sending that test user a file. Denied!

My colleague was still able to send me a file, and vice versa, because we have the same (generous) conferencing policy, which since it was assigned to us, overrides the settings in the Global policy.

So, if the user has a ConferencingPolicy that has EnableP2PFileTransfer set to False, the user can neither send nor receive files in chat. However, they can still send and receive files in a conference. Set EnableFileTransfer to False to prevent the user from sending or receiving files in a conference he organizes. From cmdlet help for Set-CsConferencePolicy, it appears that he would still be able to send and receive files in a conference someone with EnableFileTransfer=True organized, but we have not tested that yet.

Other things set in CsConferencingPolicy affecting peer-to-peer chats that I thought would be in ClientPolicy: