Windows Server 2008 R2 ADDS – Remember to Open Firewall–TCP5722 and…

Was troubleshooting a recent issue with AD replication. What we found out is that we actually need to open up the following ports on our firewall appliance.

TCP-UDP 135 and TCP 5722

Note: TCP 5722 is needed for Windows Server 2008 domain controllers.

One may want to take note of TCP-UDP 135. According to the TechNet website, it only indicates TCP 135. But based on our sniffing of the network while troubleshooting, we need to turn on UDP 135 too. Weird. Maybe someone can confirm this too?

Refer to the website:

http://support.microsoft.com/kb/832017


Microsoft Excel Formulae to Convert Date from DD/MM/YYYY to YYYYMMM

Challenge

Just want to record this on my blog so that I can use it again.

I encountered a scenario where I needed to group items in a certain way for my recent report, which uses Microsoft Excel.

1. Group by Item Type

2. Group by Year and Month

3. Sum up the Qty of the Item

The Item Type is no problem. The challenge is that in the raw data Excel sheet, the date is in the format DD/MM/YYYY but I need it to be YYYYMMM.

I tried to play with formulae such as =Year()&Month() and tried with date format… It did not turn out the way I wanted.

By changing the date format, I almost got it, but when I used the raw data for a pivot table, the original date format appeared with the “days” and I did not manage to group the items by YYYYMMM format.

Screen shot below shows what I mean:

Using Custom Format to “YYYYMMM”

Yup.. It works. But….

Under Pivot table, it shows the actual date again. NOT what I want!

I know I can always copy and paste the values back, but I want something fast. So, I explored formulae further.

Solution

So.. which formula did I use in the end in Microsoft Excel?

=TEXT(CELL, "yyyymmm")

It WORKS!!

The screenshot below shows the formula I used to convert my cell containing the date.

With that, even under my pivot table, data is able to be grouped accordingly!

YES! With that, I can do my data analysis faster!

Deployment of TCPIP Printer via GPO & GPP

Finally, the approach has matured thanks to my team-mates – Lee Chung Ming and Lim Choon Seng. They found the way to inject the printer driver into the Windows 7 client machine and overcome UAC.

Here, on my blog, I will share what my team is doing to deploy printers via GPO and GPP to more than 1000 Windows 7 machines under the same domain.

Understand the Fundamental – Revisit the Manual Way to Setup TCPIP Printer

First, let's revisit the fundamentals: what we have been doing when installing a TCPIP printer on a Windows 7 machine.

As shown in the picture below, we need the network configuration of the TCPIP printer, the drivers of the printer (32bit or 64bit) and of course an administrative account to install the printer via UAC.

Translate Manual Setup to Settings in GPO and GPP and Necessary Setup in the backend Infrastructure

Part 1 – Injection of Drivers to Client Machine – How?

You will need a Print Server to share out the TCPIP printers so that clients can obtain the 32bit or 64bit drivers via GPP and GPO (64bit drivers depend on availability from the printer manufacturer), and of course for the GPP later to inject the TCPIP printer.

Step 1 – Add Role – Print Management

Step 2 – Add Driver – both 32bit and 64bit – via the Add Driver Wizard

Step 3 – Share out the driver

Step 4 – Add Printer (TCPIP) via the Wizard

Note – Add the printer only when the print server is able to communicate with it, to increase the success rate of printing after the printer is installed on the client machine. Why? It is best for the print server to determine the printer processor.

Part 2 – Installation of Printer and Network Settings to Client Machine – How?

Create a GPO that will have GPP setting to inject the TCPIP Printer with network settings.


*For Print Server – FQDN

Part 3 – GPO Settings to overcome UAC in Windows 7

In the same GPO that contains Part 1’s GPP setting, configure the following GPO setting. This GPO setting directs the client machine to the print server to download the printer driver and overcomes UAC during installation of the printer driver.

Computer Configuration > Administrative Template … > Printers > Point and Print Restrictions
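A client-side check for this policy, as an added example that is not part of the original post: it reads the applied Point and Print Restrictions values from the registry and reports whether prompt-free driver installation is limited to the intended print server. The server FQDN is a placeholder and the function name is hypothetical; the registry value names are the ones this policy writes.

```powershell
# Added example, not from the original post.
# Run on a Windows 7 client after GPUPDATE /FORCE.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-PointAndPrintPolicy {
    param(
        # Placeholder FQDN: use the print server entered in the GPO and GPP.
        [string]$PrintServer = 'printserver.example.local'
    )
    $findings = @()
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $p) {
        return @('Policy key not found: the GPO has not applied to this computer.')
    }

    # ServerList is a semicolon-separated string of allowed print servers.
    $servers = @()
    if ($p.ServerList) {
        $servers = @($p.ServerList -split ';' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # TrustedServers = 1 means clients may only use the servers in ServerList.
    if ($p.TrustedServers -ne 1) {
        $findings += 'No server list enforced: clients may point and print to any server.'
    } elseif ($servers -notcontains $PrintServer) {
        $findings += "Expected server '$PrintServer' is not in ServerList: $($p.ServerList)"
    } elseif ($servers.Count -gt 1) {
        $findings += "ServerList allows additional servers: $($servers -join ', ')"
    }

    # 1 = no warning or elevation prompt on install; 2 = none on driver update.
    $silent = ($p.NoWarningNoElevationOnInstall -eq 1) -or ($p.UpdatePromptSettings -eq 2)
    if ($silent -and $p.TrustedServers -ne 1) {
        $findings += 'Prompts are suppressed without a trusted server list.'
    }
    if ($findings.Count -eq 0) { $findings += "OK: drivers limited to $PrintServer." }
    return $findings
}

Test-PointAndPrintPolicy | ForEach-Object { Write-Output $_ }
```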


Deploy TCPIP Printer to Client!

After completing Part 1 to Part 3, you are ready to deploy the TCPIP printer by linking the GPO to the OU that contains the computer objects you wish to target for the installation!

After you link the GPO, on a client machine that is connected to the correct network, you can run the command “GPUPDATE /FORCE” and see the printer appear under the “Devices and Printers” window.

Simple Troubleshooting Tips

If the printer does not appear, check the FQDN that you have entered under the GPO and GPP. And remember to share out the driver on your Print Server!

If you do not want the printer to keep appearing, or you are deploying many printers, please explore the setting under the GPP – “Apply Once Only”!

Some of the Basics of GPO – GPO Processing and Precedence

Recently I got many questions about how GPO works.. Why does it not work that way.. Why is a Computer Configuration setting not working, and more.

I started to think and realised that the root cause is that those people are not familiar with the basics~ You will be shocked that IT Pros here may have been managing their IT environment for years but know nothing about Group Policy Objects.

Guess once I am done with the major project I am handling now, I will start to push more sharing sessions on how to use GPO to manage the environment.

Well, after much thought, before we talk about the individual settings within the GPO, which run to thousands of lines, I feel that one should know what comes first, which is GPO processing and precedence.

Many, many years ago when I started to explore the power of GPO, no one on my team really knew how it worked and I really hit a lot of “walls”.

So for those who are new to GPO and always have questions on why this setting is overwritten by another GPO, you may want to read and understand the following article from TechNet:

http://technet.microsoft.com/en-us/library/cc785665(WS.10).aspx

My suggestion to you is to draw out the diagram while you are reading it to have a better understanding of the flow.

Start simple, then do some paper play by adding more GPOs with different settings.

To add on, please read the following to learn more rules for configuring GPOs – “Loopback processing with merge or replace”

http://technet.microsoft.com/en-us/library/cc782810(WS.10).aspx

By understanding the logic of when to use “Loopback with Replace” and “Loopback with Merge”, you can understand how you should arrange your OUs and link your GPOs.

O… almost forgot – Please read up on GPP too! – Download the document on GPP and understand the difference – the document is great~ Just that you have to spend some time to read it. But please understand the above fundamentals first!

Link to download GPP Documentation from Microsoft:

 http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&id=24449

Ok! Time to get back to my Work now.. I will start to prepare my sharing session on how to use GPO and GPP to deploy TCPIP Printer over this weekend~ FUN!


Managing Active Directory using Quest Powershell cmdlet– Get-QADObject and Move-QADObject

Last night… was shocked to see that some of my groups had been shifted \ landed up in the wrong OUs in my Active Directory.

I have approx 300 over OUs and there are just so many groups to be moved back to their respective OUs…

How?

This is where PowerShell cmdlets come in handy! Imagine using vbscripts… Yes, we can do it. But the script needs to be modified and it is quite lengthy~

In my environment, I am using the Quest AD cmdlets… I find them easier to use. Just imagine, for vbscript, you will need to comb through the whole AD for the user-group and compare before you know where to move it to. For PowerShell, you just need one line as there is a ready cmdlet that does what I want!!

Here is the command I use..

Get-QADObject <Group Name> -type Group | Move-QADObject -to <FQDN of Domain>/OU_01_LEVEL/OU_02_LEVEL

<Group Name> – just state the group you want to move.

In my case, I am looking for groups that start with site code “ABCD_”

My command will be:

Get-QADObject ABCD`_* -type Group | Move-QADObject -to tanchee.panda.local/OU_01_LEVEL/OU_02_LEVEL

This command will search the whole domain for groups like “ABCD_Tan”, “ABCD_Chee” and “ABCD_PAN” and move them to the target site “tanchee.panda.local/OU_01_LEVEL/OU_02_LEVEL”

Cool, right?

So… is there anything stopping you as an AD administrator from learning PowerShell? STOP THINKING AND GIVING YOURSELF REASONS… START LEARNING AND START PLAYING WITH POWERSHELL!

Tested working in 2008 R2 and 2003 AD environment.

Link to download the Quest PowerShell cmdlets (free) for Active Directory:

http://www.quest.com/powershell/activeroles-server.aspx


“ ` ” is not equal to “ ‘ ” (Escape Character for Powershell is Back Quote, not Single Quote…)

Was busy writing a PowerShell script and met some issues… Troubleshot for a while and wondered what went wrong till I looked carefully at what I was using… We had a good laugh in the end… I had used Single Quote as the Escape Character instead of the Back Quote.. LOL~

So, I think I will share this information with you all~ And to remind myself of my silly mistake…

Quick Summary

The escape character for PowerShell is the back quote – “ ` ” The button to the left of “1” on the keyboard (my laptop).

Just in case you are not sure where the Single Quote “ ‘ ” is – the button to the left of the “Enter” button on the keyboard.

One good Website to Share

http://www.techotopia.com/index.php/Windows_PowerShell_1.0_String_Quoting_and_Escape_Sequences

The website has good examples explaining when to use double quotes and single quotes too! Good one!

So, Happy Reading and Scripting!!

Be careful when setting user “password never expires” using DSMOD

Today, yes.. Today (Sat), I got a last minute request to set “password never expires” to “yes” for all the users for a short period of time.

The AD I am working on consists of several OUs containing users (approx 100 per OU). About 100 OUs.

So, too lazy to write a script (vbscript), I thought of the DSquery and DSmod commands that can do the trick!

I was happily preparing my batch file that will comb through all the OUs and modify the users’ setting using the following command:

dsquery user "OU=TanCheeOU,dc=Tan,dc=Chee" | dsmod user -pwdneverexpires yes

So, when I was testing in my development environment, I had a weird thought.. What if the user has not changed the password because the account is newly created?

Why am I concerned? The reason is that one can never set “Password never expires” together with “User must change password at next logon”!! If you insist on setting “Password never expires”, the other option will be “unchecked” (Not Set). <Screen shot below shows what happens if you do it the GUI way>

Impact

What could be the possible impact if I were to run the DS command?

This is what will happen – Examples:

After running the command, user accounts in the AD will change as follows:

Account A, which does not have “User must change password at next logon” set, will have “Password never expires” set (Checked).

For account B, which has “User must change password at next logon” set, the setting will be cleared and “Password never expires” will be set (Checked).

End-User experience

Account A logs on to the machine as usual.

Account B logs on to the machine and starts using the account, and will not get prompted to change password upon next logon.

After a period of time… when we need to revert the setting using the command:

dsquery user "OU=TanCheeOU,dc=Tan,dc=Chee" | dsmod user -pwdneverexpires no

After running the command, user accounts in the AD will change as follows:

For account A, which does not have “User must change password at next logon” set, that setting will remain unchecked; and “Password never expires” will be cleared (Unchecked).

For account B, which had “User must change password at next logon” set, the setting will be reverted! (Checked); and “Password never expires” will be cleared (Unchecked).

So.. End-User Experience (Impact arises…)

Account A will log on as usual.

Account B will be prompted to change password at the next logon!!! Oh My!!

Conclusion

Must write a script to check whether the user must change password at next logon before setting “password never expires” to YES~

One method if you do not know how to write vbscript…

Use the DSquery | DSget commands to get the list of users from all the OUs.

Massage the data using Excel.. Then use DSquery | DSmod to apply the setting!

Cheers
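One way to do the check the conclusion calls for, as an added example (not the author's script) that uses the ActiveDirectory PowerShell module instead of vbscript: accounts flagged “User must change password at next logon” are skipped, so newly created accounts still have to replace their initial password, and the changed accounts are recorded so the revert touches only those. The function names and the state file path are assumptions.

```powershell
# Added example, not the author's script. Needs the ActiveDirectory module
# (RSAT) and a domain controller running Active Directory Web Services.
Import-Module ActiveDirectory

$SearchBase = 'OU=TanCheeOU,dc=Tan,dc=Chee'    # OU from the dsquery command above
$StateFile  = '.\pwdneverexpires-changed.csv'  # hypothetical path for the change record

function Set-TemporaryNeverExpires {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $users = Get-ADUser -SearchBase $SearchBase -Filter * `
                 -Properties pwdLastSet, PasswordNeverExpires

    # pwdLastSet = 0 is how AD stores "User must change password at next logon".
    $pending = @($users | Where-Object { $_.pwdLastSet -eq 0 })
    # Also leave alone accounts that already have the flag, so the revert
    # does not clear it on accounts that had it before this change.
    $targets = @($users | Where-Object {
        $_.pwdLastSet -ne 0 -and -not $_.PasswordNeverExpires })

    foreach ($u in $pending) {
        Write-Warning "Skipped, must change password at next logon: $($u.SamAccountName)"
    }

    # Record exactly which accounts are changed; the revert reads this file.
    $targets | Select-Object SamAccountName, DistinguishedName |
        Export-Csv -Path $StateFile -NoTypeInformation
    $targets | Set-ADUser -PasswordNeverExpires $true
}

function Undo-TemporaryNeverExpires {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Clear the flag only on the accounts recorded by Set-TemporaryNeverExpires.
    Import-Csv -Path $StateFile | ForEach-Object {
        Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $false
    }
}

# Dry run first: -WhatIf lists the accounts without modifying them.
Set-TemporaryNeverExpires -WhatIf
```

Run `Set-TemporaryNeverExpires` without `-WhatIf` to apply the change, and `Undo-TemporaryNeverExpires` when the temporary period ends.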
