Archive

Archive for the ‘Tips’ Category

The attempt to connect to http://servername.domain.com/PowerShell using Kerberos authentication failed

“The attempt to connect to http://ExchangeServer.domain.com/PowerShell using “Kerberos” authentication failed: connecting to remote server failed with the following error message : The WinRM client cannot complete the operation within the time specified.  Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled.  For more information, see the about_Remote_Troubleshooting Help topic.”

You might see the above error message after opening the Exchange Management Console. It means that the console could not connect to the given Exchange server over WinRM. Today I received the same error and verified that Exchange was running fine on that box. I tried opening the console from a different server and it worked fine, so it looked like a profile problem to me.

I did the following to resolve the issue.

  1. Close Exchange Management Console MMC
  2. Go to %appdata%\Microsoft\MMC
  3. Rename “Exchange Management Console” file to “Exchange Management Console.old”
  4. Launch the console again.
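The same procedure as a script, added here as an example and not part of the original post. It first checks whether WinRM on the Exchange server answers at all (if it does not, the console profile is not the problem), refuses to continue while an MMC is still open, and then moves the console settings file aside with a dated suffix instead of the fixed ".old" name. The server name is a placeholder.

```powershell
# Added example (not from the original post). Assumed placeholder: ExchangeServer.domain.com.
param(
    [string]$ExchangeServer = 'ExchangeServer.domain.com'
)

# 1. Does WinRM on the Exchange server answer at all? If not, the problem is the
#    server, DNS or the firewall, and renaming the profile will not help.
try {
    $null = Test-WSMan -ComputerName $ExchangeServer -ErrorAction Stop
    Write-Host "WinRM on $ExchangeServer answers; suspect the local console profile."
} catch {
    Write-Warning "WinRM on $ExchangeServer is not reachable: $($_.Exception.Message)"
    Write-Warning 'Check the WinRM service, the firewall exception and DNS before renaming anything.'
    return
}

# 2. The console must be closed, otherwise it rewrites its settings file on exit.
if (Get-Process -Name mmc -ErrorAction SilentlyContinue) {
    Write-Warning 'Close all MMC consoles (including the Exchange Management Console) first.'
    return
}

# 3. Move the saved console settings aside; keep a dated copy rather than deleting it.
$settings = Join-Path $env:APPDATA 'Microsoft\MMC\Exchange Management Console'
if (Test-Path $settings) {
    $backup = "$settings.$(Get-Date -Format yyyyMMdd-HHmmss).old"
    Rename-Item -Path $settings -NewName (Split-Path -Leaf $backup)
    Write-Host "Renamed to $backup; launch the Exchange Management Console again."
} else {
    Write-Host "No saved settings at $settings; the profile is not the cause."
}
```

Run it in the user profile that shows the error; the renamed file can be moved back if the fresh profile does not solve it.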

Hope this helps…

Use https for safe tweeting

November 30, 2011

Hello Readers,
How many of you use Twitter regularly? Most of you, I guess. Have you ever worried about the security it provides? If your answer is no, read on.

One of my colleagues gave a quick demo a few days back to show how insecure the default Twitter setup is. He showed that anyone sitting on the same network as you can easily hijack your Twitter account and tweet on your behalf. He could do it because Twitter runs over plain HTTP by default, so everything you send travels over the wire in clear text. Anyone on your network with a couple of tools (for example by spoofing MAC/ARP entries so that your traffic passes through their machine) can capture what you send, pick out the Twitter session cookie (the key that keeps your session alive) and tweet from your account. The method my colleague demonstrated is simple; anyone with basic computer knowledge can execute it.

How do I make it secure? Twitter provides an option to make your account use HTTPS (HTTP over TLS) by default. Turning it on at least keeps your session cookie out of reach of this kind of trivial sniffing.

You can follow the procedure below to enable HTTPS:

  • Log on to your Twitter account.
  • Go to your profile tab and click on Edit profile.
  • Go to the Account section in your profile and check the box Always use HTTPS.
  • Click on Save and enter your password when prompted.
  • Your Twitter session now travels over HTTPS.
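An added example (not from the original post) of what the demo relies on. Given a constructed plain-HTTP request such as a sniffer on the same segment would capture, the first function pulls the session cookie out of it; the second checks Set-Cookie headers for the Secure flag, because "Always use HTTPS" protects a session only if the browser never sends the cookie over plain HTTP. The request text, host name and cookie names are made up for the demonstration.

```powershell
# Added example (not from the original post). All sample data below is constructed.

function Get-SessionCookieFromCapture {
    # Returns the cookies from the first 'Cookie:' header of a raw HTTP request:
    # exactly what a sniffer on the same segment reads when the request is plain HTTP.
    param([Parameter(Mandatory)][string]$RawRequest)
    $headerBlock = ($RawRequest -split "`r?`n`r?`n", 2)[0]   # headers end at the first blank line
    $cookies = @{}
    foreach ($line in ($headerBlock -split "`r?`n")) {
        if ($line -match '^Cookie:\s*(.+)$') {
            foreach ($pair in ($Matches[1] -split ';\s*')) {
                $name, $value = $pair -split '=', 2
                $cookies[$name.Trim()] = $value
            }
            break
        }
    }
    return $cookies
}

function Test-SetCookieHardening {
    # Reports whether each Set-Cookie header carries Secure (never sent over plain
    # HTTP) and HttpOnly (not readable by page scripts).
    param([Parameter(Mandatory)][string[]]$SetCookieHeaders)
    foreach ($h in $SetCookieHeaders) {
        $parts = ($h -replace '^Set-Cookie:\s*', '') -split ';\s*'
        $name  = ($parts[0] -split '=', 2)[0]
        $attrs = @($parts | Select-Object -Skip 1 | ForEach-Object { $_.ToLowerInvariant() })
        [pscustomobject]@{
            Cookie   = $name
            Secure   = ($attrs -contains 'secure')
            HttpOnly = ($attrs -contains 'httponly')
            Risk     = if ($attrs -contains 'secure') { 'sent only over HTTPS' } else { 'sent over plain HTTP too: sniffable' }
        }
    }
}

# Constructed sample: a plain-HTTP request as it appears on the wire (not real traffic).
$captured = @"
POST /status/update HTTP/1.1
Host: twitter.example
Cookie: _twitter_sess=SESSION-TOKEN-GOES-HERE; lang=en
Content-Type: application/x-www-form-urlencoded

status=hello
"@
$stolen = Get-SessionCookieFromCapture -RawRequest $captured
"Session cookie visible to anyone on the segment: $($stolen['_twitter_sess'])"

# Constructed sample responses: the first cookie is hardened, the second is not.
Test-SetCookieHardening -SetCookieHeaders @(
    'Set-Cookie: _twitter_sess=SESSION-TOKEN-GOES-HERE; Path=/; Secure; HttpOnly',
    'Set-Cookie: lang=en; Path=/'
) | Format-Table -AutoSize
```

The second check is the one to run against a real site: if the session cookie comes back without Secure, a single http:// link to the site is enough to make the browser send it in the clear again.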
Categories: Sysadmin, Tips

PowerShell: Quick and easy to start stop a remote service

November 22, 2011

Do you like one-liners in PowerShell? Here is a quick and easy way to start, stop or restart a service on a remote computer. It does not require PowerShell remoting: Get-Service -ComputerName talks to the remote Service Control Manager over RPC, so it works against any Windows computer on which you have administrative rights and the Remote Service Management (RPC) firewall exception is open. Note that the -ComputerName parameter of Get-Service exists in Windows PowerShell only; PowerShell 6 and later removed it, so there you would use Invoke-Command instead.

So far I have authored two articles on managing services using powershell:

  1. Start/Stop/Restart service on remote computer with powershell
  2. PowerShell: Start and stop services on remote computer with alternate credentials

The first one I wrote when I was not yet that comfortable with PowerShell, and the second one recently, to address a specific requirement where a user needed to pass alternate credentials to manage services.

As most system administrators love PowerShell one-liners that avoid invoking any external script or module, I want to share this little one, which starts, stops or restarts a service on a remote computer.

Start a service on remote computer:

Start-Service -InputObject $(Get-Service -Computer COMPUTER1 -Name spooler)

Stop a service on remote computer:

Stop-Service -InputObject $(Get-Service -Computer COMPUTER1 -Name spooler)

Restart a service on remote computer:

Restart-Service -InputObject $(Get-Service -Computer COMPUTER1 -Name spooler)
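The same three operations wrapped in one function, added here as an example (not from the original post). It keeps to the remote Service Control Manager path of the one-liners, waits for the service to actually reach the target state, supports -WhatIf, and stops dependent services when asked to stop or restart. It needs Windows PowerShell (Get-Service -ComputerName), administrative rights on the target and the Remote Service Management firewall rules open there; COMPUTER1 and spooler are placeholders.

```powershell
# Added example (not from the original post). COMPUTER1 and spooler are placeholders.
function Set-RemoteServiceState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Start', 'Stop', 'Restart')][string]$Action,
        [int]$TimeoutSeconds = 30
    )
    # Get-Service -ComputerName talks to the remote SCM over RPC. The returned
    # ServiceController carries the MachineName, which is why Start-/Stop-/Restart-Service
    # -InputObject act on the remote box without PowerShell remoting.
    $svc = Get-Service -ComputerName $ComputerName -Name $Name -ErrorAction Stop
    $timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $target = if ($Action -eq 'Stop') { 'Stopped' } else { 'Running' }

    if ($PSCmdlet.ShouldProcess("$Name on $ComputerName (currently $($svc.Status))", $Action)) {
        switch ($Action) {
            'Start'   { if ($svc.Status -ne 'Running') { Start-Service -InputObject $svc -ErrorAction Stop } }
            'Stop'    { if ($svc.Status -ne 'Stopped') { Stop-Service -InputObject $svc -Force -ErrorAction Stop } }
            'Restart' { Restart-Service -InputObject $svc -Force -ErrorAction Stop }
        }
        # Confirm the service really reached the target state (throws TimeoutException otherwise).
        $svc.WaitForStatus($target, $timeout)
    }
    $svc.Refresh()
    [pscustomobject]@{ ComputerName = $ComputerName; Service = $Name; Status = $svc.Status }
}

# Usage (placeholders): preview first, then run.
# Set-RemoteServiceState -ComputerName COMPUTER1 -Name spooler -Action Restart -WhatIf
# Set-RemoteServiceState -ComputerName COMPUTER1 -Name spooler -Action Restart
```

-Force matters for Stop and Restart: without it, Stop-Service refuses to stop a service that other running services depend on, which is the usual reason the bare one-liner fails silently on a busy server.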

Hope these little ones help.

PowerShell: How to assign the output to a variable and print on console at same time

November 22, 2011

We often assign the output of a cmdlet or function to a variable so that we can use it in further processing. In a script it is inconvenient to debug a problem when the output goes into a variable and never reaches the console; the usual workaround is to add extra lines that print the variable.

To avoid that, PowerShell has a way to assign the output to a variable and print it to the console at the same time. This helped me a lot in quick debugging of my scripts and one-liners.

OK, enough about the usage. Here is how it works.

($service = Get-Service -Name spooler)

Run the command and you will see what it does. All you need is to wrap the whole assignment in parentheses, as shown above: that turns the assignment into an expression, and the value of the expression (the assigned object) is written to the pipeline, so it reaches the console while $service keeps it for later.

Hope this little one helps you. Happy learning.


PowerShell: Convert your VB scripts to PowerShell

November 12, 2011

The popularity of PowerShell is increasing day by day, and now every system administrator wants to say goodbye to their VB scripts and enter the powerful PowerShell world. When a system administrator who is familiar with VBScript (or has home-grown VB scripts) wants to try PowerShell, the first question that comes to mind is "how do I do task xyz in PowerShell?". Of course we can ask our big brother google.com, but it takes a while to find the PowerShell way of coding a task.

For those admins, Microsoft has published a long list of "Converting xyz from VBScript to PowerShell" articles. It is pretty much enough for anyone who wants to convert their VB scripts into PowerShell code. For your easy reference I am posting the table of contents from the Microsoft TechNet site here.

Hope this helps…

Cmdlets and Add-ons
Converting Dictionary Object to Windows PowerShell Commands
Converting VBScript Commands to Windows PowerShell Commands
Converting VBScript’s Abs Function
Converting VBScript’s Addition Operator
Converting VBScript’s And Operator
Converting VBScript’s Array Function
Converting VBScript’s Asc Function
Converting VBScript’s Assignment Operator
Converting VBScript’s Atn Function
Converting VBScript’s CBool Function
Converting VBScript’s CByte Function
Converting VBScript’s CCur Function
Converting VBScript’s CDate Function
Converting VBScript’s CDbl Function
Converting VBScript’s CInt Function
Converting VBScript’s CLng Function
Converting VBScript’s CSng Function
Converting VBScript’s CStr Function
Converting VBScript’s Call Statement
Converting VBScript’s Chr Function
Converting VBScript’s Class Statement
Converting VBScript’s Clear Method
Converting VBScript’s Concatenation Operator
Converting VBScript’s Const Statement
Converting VBScript’s Cos Function
Converting VBScript’s CreateObject Function
Converting VBScript’s Date Function
Converting VBScript’s DateAdd Function
Converting VBScript’s DateDiff Function
Converting VBScript’s DatePart Function
Converting VBScript’s DateSerial Function
Converting VBScript’s DateValue Function
Converting VBScript’s Day Function
Converting VBScript’s Dim Statement
Converting VBScript’s Division Operator
Converting VBScript’s Do…Loop Statement
Converting VBScript’s Eqv Operator
Converting VBScript’s Erase Statement
Converting VBScript’s Err Object Description Property
Converting VBScript’s Err Object HelpContext Property
Converting VBScript’s Err Object HelpFile Property
Converting VBScript’s Err Object Number Property
Converting VBScript’s Err Object Source Property
Converting VBScript’s Escape Function
Converting VBScript’s Eval Function
Converting VBScript’s Execute Statement
Converting VBScript’s ExecuteGlobal Statement
Converting VBScript’s Exit Statement
Converting VBScript’s Exp Function
Converting VBScript’s Exponentiation Operator
Converting VBScript’s Filter Function
Converting VBScript’s Fix Function
Converting VBScript’s For Each…Next Statement
Converting VBScript’s For…Next Statement
Converting VBScript’s FormatCurrency Function
Converting VBScript’s FormatDateTime Function
Converting VBScript’s FormatNumber Function
Converting VBScript’s FormatPercent Function
Converting VBScript’s Function Statement
Converting VBScript’s GetLocale Function
Converting VBScript’s GetObject Function
Converting VBScript’s GetRef Function
Converting VBScript’s Hex Function
Converting VBScript’s Hour Function
Converting VBScript’s If…Then…Else Statement
Converting VBScript’s Imp Operator
Converting VBScript’s InStr Function
Converting VBScript’s InStrRev Function
Converting VBScript’s InputBox Function
Converting VBScript’s Int Function
Converting VBScript’s Integer Division Operator
Converting VBScript’s Is Operator
Converting VBScript’s IsArray Function
Converting VBScript’s IsDate Function
Converting VBScript’s IsEmpty Function
Converting VBScript’s IsNull Function
Converting VBScript’s IsNumeric Function
Converting VBScript’s IsObject Function
Converting VBScript’s Join Function
Converting VBScript’s LBound Function
Converting VBScript’s LCase Function
Converting VBScript’s LTrim Function
Converting VBScript’s Left Function
Converting VBScript’s Len Function
Converting VBScript’s LoadPicture Function
Converting VBScript’s Log Function
Converting VBScript’s Mid Function
Converting VBScript’s Minute Function
Converting VBScript’s Mod Operator
Converting VBScript’s Month Function
Converting VBScript’s MonthName Function
Converting VBScript’s MsgBox Function
Converting VBScript’s Multiplication Operator
Converting VBScript’s Not Operator
Converting VBScript’s Now Function
Converting VBScript’s Oct Function
Converting VBScript’s On Error Statement
Converting VBScript’s Option Explicit Statement
Converting VBScript’s Or Operator
Converting VBScript’s Property Get Statement
Converting VBScript’s Property Let Statement
Converting VBScript’s Property Set Statement
Converting VBScript’s Public Statement
Converting VBScript’s RGB Function
Converting VBScript’s RTrim Function
Converting VBScript’s Raise Method
Converting VBScript’s Randomize Statement
Converting VBScript’s ReDim Statement
Converting VBScript’s Rem Statement
Converting VBScript’s Replace Function
Converting VBScript’s Right Function
Converting VBScript’s Rnd Function
Converting VBScript’s Round Function
Converting VBScript’s ScriptEngine Function
Converting VBScript’s ScriptEngineBuildVersion Function
Converting VBScript’s ScriptEngineMajorVersion Function
Converting VBScript’s ScriptEngineMinorVersion Function
Converting VBScript’s Second Function
Converting VBScript’s Select Case Statement
Converting VBScript’s Set Statement
Converting VBScript’s SetLocale Function
Converting VBScript’s Sgn Function
Converting VBScript’s Sin Function
Converting VBScript’s Space Function
Converting VBScript’s Split Function
Converting VBScript’s Sqr Function
Converting VBScript’s Stop Statement
Converting VBScript’s StrComp Function
Converting VBScript’s StrReverse Function
Converting VBScript’s String Function
Converting VBScript’s Sub Statement
Converting VBScript’s Subtraction Operator
Converting VBScript’s Tan Function
Converting VBScript’s Time Function
Converting VBScript’s TimeSerial Function
Converting VBScript’s TimeValue Function
Converting VBScript’s Timer Function
Converting VBScript’s Trim Function
Converting VBScript’s TypeName Function
Converting VBScript’s UBound Function
Converting VBScript’s UCase Function
Converting VBScript’s Unescape Function
Converting VBScript’s Vartype Function
Converting VBScript’s Weekday Function
Converting VBScript’s WeekdayName Function
Converting VBScript’s While…Wend Statement
Converting VBScript’s With Statement
Converting VBScript’s Xor Operator
Converting VBScript’s Year Function
Converting Windows Script Host Methods to Windows PowerShell Commands
Converting the Dictionary Object’s Add Method
Converting the Dictionary Object’s CompareMode Property
Converting the Dictionary Object’s Exists Method
Converting the Dictionary Object’s Item Property
Converting the Dictionary Object’s Items Method
Converting the Dictionary Object’s Key Property
Converting the Dictionary Object’s Keys Method
Converting the Dictionary Object’s Remove Method
Converting the Dictionary Object’s RemoveAll Method
Converting the FileSystemObject to Windows PowerShell Commands
Converting the FileSystemObject’s Add Method
Converting the FileSystemObject’s AtEndOfLine Property
Converting the FileSystemObject’s AtEndOfStream Property
Converting the FileSystemObject’s AvailableSpace Property
Converting the FileSystemObject’s BuildPath Method
Converting the FileSystemObject’s Close Method
Converting the FileSystemObject’s Column Property
Converting the FileSystemObject’s Copy Method
Converting the FileSystemObject’s CopyFile Method
Converting the FileSystemObject’s CopyFolder Method
Converting the FileSystemObject’s CreateFolder Method
Converting the FileSystemObject’s CreateTextFile Method
Converting the FileSystemObject’s DateCreated Property
Converting the FileSystemObject’s DateLastAccessed Property
Converting the FileSystemObject’s DateLastModified Property
Converting the FileSystemObject’s Delete Method
Converting the FileSystemObject’s DeleteFile Method
Converting the FileSystemObject’s DeleteFolder Method
Converting the FileSystemObject’s Drive Property
Converting the FileSystemObject’s DriveExists Method
Converting the FileSystemObject’s DriveLetter Property
Converting the FileSystemObject’s DriveType Property
Converting the FileSystemObject’s Drives Property
Converting the FileSystemObject’s FileExists Method
Converting the FileSystemObject’s FileSystem Property
Converting the FileSystemObject’s Files Property
Converting the FileSystemObject’s FolderExists Method
Converting the FileSystemObject’s FreeSpace Property
Converting the FileSystemObject’s GetAbsolutePathName Method
Converting the FileSystemObject’s GetBaseName Method
Converting the FileSystemObject’s GetDrive Method
Converting the FileSystemObject’s GetDriveName Method
Converting the FileSystemObject’s GetExtensionName Method
Converting the FileSystemObject’s GetFile Method
Converting the FileSystemObject’s GetFileName Method
Converting the FileSystemObject’s GetFileVersion Method
Converting the FileSystemObject’s GetFolder Method
Converting the FileSystemObject’s GetParentFolderName Method
Converting the FileSystemObject’s GetSpecialFolder Method
Converting the FileSystemObject’s GetStandardStream Method
Converting the FileSystemObject’s GetTempName Method
Converting the FileSystemObject’s IsReady Property
Converting the FileSystemObject’s IsRootFolder Property
Converting the FileSystemObject’s Line Property
Converting the FileSystemObject’s Move Method
Converting the FileSystemObject’s MoveFile Method
Converting the FileSystemObject’s MoveFolder Method
Converting the FileSystemObject’s Name Property
Converting the FileSystemObject’s OpenAsTextStream Method
Converting the FileSystemObject’s OpenTextFile Method
Converting the FileSystemObject’s ParentFolder Property
Converting the FileSystemObject’s Path Property
Converting the FileSystemObject’s Read Method
Converting the FileSystemObject’s ReadAll Method
Converting the FileSystemObject’s ReadLine Method
Converting the FileSystemObject’s RootFolder Property
Converting the FileSystemObject’s SerialNumber Property
Converting the FileSystemObject’s ShareName Property
Converting the FileSystemObject’s ShortName Property
Converting the FileSystemObject’s ShortPath Property
Converting the FileSystemObject’s Size Property
Converting the FileSystemObject’s Skip Method
Converting the FileSystemObject’s SkipLine Method
Converting the FileSystemObject’s SubFolders Property
Converting the FileSystemObject’s TotalSize Property
Converting the FileSystemObject’s Type Property
Converting the FileSystemObject’s VolumeName Property
Converting the FileSystemObject’s Write Method
Converting the FileSystemObject’s WriteBlankLines Method
Converting the FileSystemObject’s WriteLine Method
Converting the Windows Script Host AddWindowsPrinterConnection Method
Converting the Windows Script Host AppActivate Method
Converting the Windows Script Host Close Method
Converting the Windows Script Host ConnectObject Method
Converting the Windows Script Host Count Method
Converting the Windows Script Host CreateObject Method
Converting the Windows Script Host DisconnectObject Method
Converting the Windows Script Host Echo Method
Converting the Windows Script Host EnumNetworkDrives Method
Converting the Windows Script Host EnumPrinterConnections Method
Converting the Windows Script Host Exec Method
Converting the Windows Script Host Execute Method
Converting the Windows Script Host Exists Method
Converting the Windows Script Host ExpandEnvironmentStrings Method
Converting the Windows Script Host GetObject Method
Converting the Windows Script Host GetResource Method
Converting the Windows Script Host LogEvent Method
Converting the Windows Script Host MapNetworkDrive Method
Converting the Windows Script Host Popup Method
Converting the Windows Script Host Quit Method
Converting the Windows Script Host Read Method
Converting the Windows Script Host ReadAll Method
Converting the Windows Script Host ReadLine Method
Converting the Windows Script Host RegDelete Method
Converting the Windows Script Host RegRead Method
Converting the Windows Script Host RegWrite Method
Converting the Windows Script Host Remove Method
Converting the Windows Script Host RemoveNetworkDrive Method
Converting the Windows Script Host RemovePrinterConnection Method
Converting the Windows Script Host Run Method
Converting the Windows Script Host Save Method
Converting the Windows Script Host SendKeys Method
Converting the Windows Script Host SetDefaultPrinter Method
Converting the Windows Script Host ShowUsage Method
Converting the Windows Script Host SignFile Method
Converting the Windows Script Host Skip Method
Converting the Windows Script Host SkipLine Method
Converting the Windows Script Host Sleep Method
Converting the Windows Script Host Terminate Method
Converting the Windows Script Host VerifyFile Method
Converting the Windows Script Host Write Method
Converting the Windows Script Host WriteBlankLines Method
Converting the Windows Script Host WriteLine Method
Introduction to Windows PowerShell Transactions
Introduction to Windows PowerShell 2.0 CTP v2
Join the Social
Remoting Quoting
Script Editors
Searching Active Directory with Windows PowerShell
Select-String Cmdlet Updates
Specops Command
The Get-Random Cmdlet
The Out-GridView Cmdlet: Displaying Information in a Data Grid
The Out-Gridview Cmdlet: Filter With Out-GridView
The Set-StrictMode Cmdlet
The Windows PowerShell Debugger
WMI Enhancements in Windows PowerShell 2.0 CTP
WMI Event Monitoring
Workflow Studio

PowerShell: How to get list of mapped drives

November 11, 2011

Mapped drives are shares on remote computers to which you have assigned a drive letter for easier access. We can query these drives and the target shares behind them with a simple PowerShell one-liner. Keep in mind that mapped drives belong to a logon session, so the query only shows the drives mapped in the session (and under the user) it runs in.

Here is the tip of the day. Happy learning.


Get-WmiObject -Class Win32_MappedLogicalDisk | select Name, ProviderName
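An added example (not from the original post) that extends the one-liner: it combines the live mappings from Win32_MappedLogicalDisk with the persistent ("Reconnect at sign-in") mappings stored under HKCU:\Network, so a drive that is defined but currently disconnected still shows up, and each drive is reported with its target, connection state and persistence. Because mapped drives are per logon session, run it as the user whose drives you want to see; a remote or elevated query only sees its own.

```powershell
# Added example (not from the original post). Run in the session of the user whose drives you want.
function Get-MappedDrive {
    [CmdletBinding()]
    param()

    # Live mappings in the current session (the Win32_MappedLogicalDisk query from the post).
    $live = @{}
    Get-WmiObject -Class Win32_MappedLogicalDisk -ErrorAction SilentlyContinue |
        ForEach-Object { $live[$_.Name.TrimEnd(':').ToUpper()] = $_.ProviderName }

    # Persistent mappings: one subkey per drive letter under HKCU:\Network, RemotePath holds the UNC.
    $persistent = @{}
    if (Test-Path HKCU:\Network) {
        Get-ChildItem HKCU:\Network | ForEach-Object {
            $persistent[$_.PSChildName.ToUpper()] = (Get-ItemProperty $_.PSPath).RemotePath
        }
    }

    $letters = @($live.Keys) + @($persistent.Keys) | Sort-Object -Unique
    foreach ($l in $letters) {
        [pscustomobject]@{
            Drive      = "${l}:"
            Target     = if ($live[$l]) { $live[$l] } else { $persistent[$l] }
            Connected  = $live.ContainsKey($l)
            Persistent = $persistent.ContainsKey($l)
        }
    }
}

Get-MappedDrive | Format-Table -AutoSize
```

A drive that is Persistent but not Connected is one the user will get back at next logon, which is worth knowing when you are hunting for a share that was decommissioned.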


only administrators have permission to add software during terminal services. if you want to install or configure software on server contact your administrator

November 10, 2011

You might see the error message in the subject while installing or uninstalling software on a Windows 2003 computer that you connected to through Terminal Services. We all know that application installation has certain limitations when it comes to Terminal Services (anyone know why?). Windows Installer refuses per-machine installations started from a Terminal Services client session unless the policy mentioned below allows it or you are on the console, so that a multi-user server is not reconfigured from an ordinary remote session. If you still want to install or uninstall the application on such a server, choose one of the following methods.

If the requirement is a one-off, option #1 suits you best.

Option#1:

Start mstsc with the /console or /admin switch and connect to the server. This connects you to the console session directly, taking the Terminal Services restriction out of your way.

Go to Start -> Run -> type "mstsc /admin /v:servername" and click OK if you are using RDP client v6 or above.

Go to Start -> Run -> type "mstsc /console /v:servername" and click OK if you are using a legacy version of the RDP client.

Option#2:

If your administrators are expected to install applications on servers by connecting via Terminal Services, you need to make sure that application installation is allowed from those sessions. You can do it via Group Policy:

"Computer Configuration" -> "Administrative Templates" -> "Windows Components" -> "Windows Installer" -> "Allow admin to install from Terminal Services session" must be enabled.
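A check for the conditions the two options rely on, added here as an example (not from the original post): which session you are in, whether you are an administrator, and whether the Windows Installer policy from option #2 is enabled. It assumes the policy's documented registry location (value EnableAdminTSRemote under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer); the console-session test holds for the Windows Server 2003 /console session, where SESSIONNAME is "Console".

```powershell
# Added example (not from the original post). Registry location of the policy is assumed; verify on your build.
function Test-TerminalServicesInstallReady {
    [CmdletBinding()]
    param()

    # 'Console' in the Windows Server 2003 /console session; 'RDP-Tcp#<n>' in an ordinary TS session.
    $sessionName = $env:SESSIONNAME

    # Value behind "Allow admin to install from Terminal Services session" (assumed location).
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $policyValue = (Get-ItemProperty -Path $policyKey -Name EnableAdminTSRemote -ErrorAction SilentlyContinue).EnableAdminTSRemote
    $policyState = if ($null -eq $policyValue) { 'Not configured' } elseif ($policyValue -eq 1) { 'Enabled' } else { 'Disabled' }

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        Session              = $sessionName
        IsConsoleSession     = ($sessionName -eq 'Console')
        IsAdministrator      = $isAdmin
        AdminTSInstallPolicy = $policyState
        # Option #1 (console session) or option #2 (policy) must hold, and you must be an administrator.
        CanInstallFromHere   = $isAdmin -and (($sessionName -eq 'Console') -or ($policyValue -eq 1))
    }
}

Test-TerminalServicesInstallReady | Format-List
```

Run it inside the session you intend to install from; if CanInstallFromHere is False it tells you which of the two options is missing.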

Hope this helps.

Command line to disable network connection in windows 2008/Windows 7

July 11, 2011

Inspired by my previous post, I decided to do some network-interface operations from the command line, as they help me when managing Windows 2008 Core. The command I am providing now disables a network connection from the command line.

netsh interface set interface name="Local Area Connection 1" admin=DISABLED

In the above command, "Local Area Connection 1" is the name of the connection you want to disable. Set admin to ENABLED to enable the network connection again. Be careful on a remote session: disabling the adapter that carries your RDP or WinRM connection cuts you off from the server. Similarly, if you want to rename the network connection, use the newname parameter. Below is the command.

netsh interface set interface name="Local Area Connection 1" newname="My NIC1"

The above command renames the "Local Area Connection 1" connection to "My NIC1".
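An added example (not from the original post) that wraps the two netsh commands above so that the connection name is checked against the output of "netsh interface show interface" before anything is changed, -WhatIf previews the call, and disabling a connected adapter from an RDP session requires -Force. On Windows 8/2012 and later the NetAdapter module offers Disable-NetAdapter and Rename-NetAdapter, but the netsh form below also works on 2008 and 7. Interface names are placeholders.

```powershell
# Added example (not from the original post). Interface names are placeholders.
function Get-NetshInterface {
    # Parses the table printed by 'netsh interface show interface':
    # Admin State    State          Type             Interface Name
    # Enabled        Connected      Dedicated        Local Area Connection 1
    netsh interface show interface | ForEach-Object {
        if ($_ -match '^(Enabled|Disabled)\s+(\S+)\s+(\S+)\s+(.+?)\s*$') {
            [pscustomobject]@{ AdminState = $Matches[1]; State = $Matches[2]; Type = $Matches[3]; Name = $Matches[4] }
        }
    }
}

function Set-NetshInterface {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('ENABLED', 'DISABLED')][string]$AdminState,
        [string]$NewName,
        [switch]$Force
    )
    $all = @(Get-NetshInterface)
    $nic = $all | Where-Object { $_.Name -eq $Name }
    if (-not $nic) {
        throw "No connection named '$Name'. Known: $(($all | ForEach-Object { $_.Name }) -join ', ')"
    }

    # A connected adapter disabled from an RDP session may be the one you came in on.
    if ($AdminState -eq 'DISABLED' -and $nic.State -eq 'Connected' -and $env:SESSIONNAME -like 'RDP-*' -and -not $Force) {
        throw "'$Name' is connected and this is an RDP session; pass -Force if it is not the adapter carrying your session."
    }

    if ($AdminState -and $PSCmdlet.ShouldProcess($Name, "admin=$AdminState")) {
        netsh interface set interface name="$Name" admin=$AdminState | Out-Null
    }
    if ($NewName -and $PSCmdlet.ShouldProcess($Name, "rename to '$NewName'")) {
        netsh interface set interface name="$Name" newname="$NewName" | Out-Null
    }
    # Show the resulting state, under either name.
    Get-NetshInterface | Where-Object { $_.Name -eq $Name -or $_.Name -eq $NewName }
}

# Usage (placeholder names):
# Set-NetshInterface -Name 'Local Area Connection 1' -AdminState DISABLED -WhatIf
# Set-NetshInterface -Name 'Local Area Connection 1' -NewName 'My NIC1'
```

Get-NetshInterface on its own is a quick way to list connection names on a Core installation, where there is no Network Connections window to look them up in.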

Hope this helps…

Reset button not working in Cisco LINKSYS WRT120N wireless router

March 28, 2011

I bought a new Cisco LINKSYS WRT120N wireless router and noticed that its reset button did not work properly: pressing and holding it did not reset the router to factory defaults. After some troubleshooting I figured out the problem and fixed it. The solution is to upgrade the router's firmware to the latest version.

To do this, follow below steps.

  1. Download the latest firmware for the WRT120N from the Cisco site (http://homesupport.cisco.com/en-us/wireless/lbc/WRT120N) and save it to disk. Use only firmware from the vendor's site.
  2. Disconnect the router's power -> hold the reset button -> reconnect the power.
  3. Connect a network cable from your computer to port 1 of the router. Do not be surprised that LED 4 lights up even though you plugged into port 1; that is harmless.
  4. Open a browser on your computer and go to http://192.168.1.1
  5. A page appears asking for the firmware file. Select the file and click on reset.
  6. This upgrades the firmware to the latest version. The reset button should now work as expected, and you can use the regular method (press and hold reset) to restore the factory settings.


Feel free to write in comments section if you have some questions.

Categories: Sysadmin, Tips

Allow normal users to start stop specific service(s)

March 10, 2011

It is a very common request that most system administrators get: allow some domain user to restart a specific service on a specific server. In this case most administrators either add the domain user to the Power Users group or to the local Administrators group. While this works, it is not a good solution, because it allows the domain user to do far more on the computer than what he needs. Sometimes it results in the server going down because he did something unknowingly.

One solution in such situations is granting the permission at the service level only. This lets the user start or stop the service and nothing else; in particular he cannot change the service configuration (which would let him point the service at a binary of his choice and run it with the service's privileges).

C:\>setacl.exe -on spooler -ot srv -actn ace -ace "n:domain\user1;p:start_stop"
Processing ACL of: <spooler>

SetACL finished successfully.

C:\>

In the above example I am granting the start_stop permission on the spooler (Print Spooler) service to the domain user domain\user1 on the computer where I run the command (the trustee is written as domain\user, see the Trustee format in the help output below).

To list the permissions of a given service, run the command below:

C:\>setacl.exe -on spooler -ot srv -actn list


The steps above are for a single computer. If you want to do it on multiple computers, Group Policy is the best option: it has a built-in way to define service permissions under Computer Configuration -> Windows Settings -> Security Settings -> System Services. Let me know if you need any help with that.
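The same least-privilege grant without SetACL, added here as an example (not from the original post). It reads the service's security descriptor with sc.exe sdshow, adds an allow ACE for the account using the .NET security descriptor classes, and writes it back with sc.exe sdset. The access mask grants exactly start, stop and the query rights needed to see the service, and deliberately not SERVICE_CHANGE_CONFIG, which would let the account change the service's binary path. DOMAIN\user1 and spooler are placeholders; run it as an administrator of the target computer.

```powershell
# Added example (not from the original post). DOMAIN\user1 and spooler are placeholders.
function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$ServiceName, [string]$ComputerName = $env:COMPUTERNAME)
    # sc.exe prints a blank line followed by the SDDL string, e.g.
    # D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
    $out  = & sc.exe "\\$ComputerName" sdshow $ServiceName
    $sddl = ($out | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { throw "Could not read the security descriptor of '$ServiceName' on ${ComputerName}: $($out -join ' ')" }
    return $sddl
}

function Grant-ServiceStartStop {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account,          # e.g. 'DOMAIN\user1' or a group
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Service access rights from winsvc.h plus READ_CONTROL. Deliberately absent:
    # SERVICE_CHANGE_CONFIG (0x0002), which allows changing the binary path.
    $mask = (0x0001 -bor   # SERVICE_QUERY_CONFIG          (SDDL CC)
             0x0004 -bor   # SERVICE_QUERY_STATUS          (LC)
             0x0008 -bor   # SERVICE_ENUMERATE_DEPENDENTS  (SW)
             0x0010 -bor   # SERVICE_START                 (RP)
             0x0020 -bor   # SERVICE_STOP                  (WP)
             0x0080 -bor   # SERVICE_INTERROGATE           (LO)
             0x20000)      # READ_CONTROL                  (RC)

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $sddl = Get-ServiceSddl -ServiceName $ServiceName -ComputerName $ComputerName
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    # Skip if an allow ACE for this SID already covers the whole mask.
    $existing = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        $_.SecurityIdentifier.Value -eq $sid.Value -and
        ($_.AccessMask -band $mask) -eq $mask
    }
    if ($existing) { Write-Host "$Account already has start/stop on $ServiceName."; return }

    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

    if ($PSCmdlet.ShouldProcess("$ServiceName on $ComputerName", "grant start/stop to $Account")) {
        & sc.exe "\\$ComputerName" sdset $ServiceName $newSddl
    } else {
        Write-Host "Would set: $newSddl"
    }
}

# Usage (placeholders): preview, apply, then read the descriptor back.
# Grant-ServiceStartStop -ServiceName spooler -Account 'DOMAIN\user1' -WhatIf
# Grant-ServiceStartStop -ServiceName spooler -Account 'DOMAIN\user1'
# Get-ServiceSddl spooler
```

The new ACE shows up in sdshow as (A;;CCLCSWRPWPLORC;;;<SID>). If you ever see DC (change config), WD (write DAC) or WO (write owner) granted to an ordinary user on a service, treat it as a privilege-escalation path, not a convenience.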

To see the other options of SetACL.exe, look at the help output below.

SetACL by Helge Klein
Homepage:        http://setacl.sourceforge.net
Version:         2.0.1.0
Copyright:       Helge Klein
License:         GPL

-O-P-T-I-O-N-S----------------------------------------------------------
-on    ObjectName
-ot    ObjectType
-actn  Action
-ace   "n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where"
-trst  "n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where"
-dom   "n1:Domain;n2:Domain;da:DomainAction;w:Where"
-ownr  "n:Trustee;s:IsSID"
-grp   "n:Trustee;s:IsSID"
-rec   Recursion
-op    "dacl:Protection;sacl:Protection"
-rst   Where
-lst   "f:Format;w:What;i:ListInherited;s:DisplaySID"
-bckp  Filename
-log   Filename
-fltr  Keyword
-clr   Where
-silent

-P-A-R-A-M-E-T-E-R-S----------------------------------------------------
ObjectName:      Name of the object to process (e.g. 'c:\mydir')
ObjectType:      Type of object:
                 file:       Directory/file
                 reg:        Registry key
                 srv:        Service
                 prn:        Printer
                 shr:        Network share
Action:          Action(s) to perform:
                 ace:        Process ACEs specified by parameter(s) '-ace'
                 trustee:    Process trustee(s) specified by parameter(s)
                             '-trst'.
                 domain:     Process domain(s) specified by parameter(s)
                             '-dom'.
                 list:       List permissions. A backup file can be
                             specified by parameter '-bckp'. Controlled by
                             parameter '-lst'.
                 restore:    Restore entire security descriptors backed up
                             using the list function. A file containing the
                             backup has to be specified using the parameter
                             '-bckp'. The listing has to be in SDDL format.
                 setowner:   Set the owner to trustee specified by parameter
                             '-ownr'.
                 setgroup:   Set the primary group to trustee specified by
                             parameter '-grp'.
                 clear:      Clear the ACL of any non-inherited ACEs. The
                             parameter '-clr' controls whether to do this for
                             the DACL, the SACL, or both.
                 setprot:    Set the flag 'allow inheritable permissions from
                             the parent object to propagate to this object' to
                             the value specified by parameter '-op'.
                 rstchldrn:  Reset permissions on all sub-objects and enable
                             propagation of inherited permissions. The
                             parameter '-rst' controls whether to do this for
                             the DACL, the SACL, or both.
TrusteeAction:   Action to perform on trustee specified:
                 remtrst:    Remove all ACEs belonging to trustee specified.
                 repltrst:   Replace trustee 'n1' by 'n2' in all ACEs.
                 cpytrst:    Copy the permissions for trustee 'n1' to 'n2'.
DomainAction:    Action to perform on domain specified:
                 remdom:     Remove all ACEs belonging to trustees of domain
                             specified.
                 repldom:    Replace trustees from domain 'n1' by trustees with
                             same name from domain 'n2' in all ACEs.
                 cpydom:     Copy permissions from trustees from domain 'n1' to
                             trustees with same name from domain 'n2' in all
                             ACEs.
Trustee:         Name or SID of trustee (user or group). Format:
                 a) [(computer | domain)\]name
                 Where:
                 computer:   DNS or NetBIOS name of a computer -> 'name' must
                             be a local account on that computer.
                 domain:     DNS or NetBIOS name of a domain -> 'name' must
                             be a domain user or group.
                 name:       user or group name
                 If no computer or domain name is given, SetACL tries to find
                 a SID for 'name' in the following order:
                 1. built-in accounts and well-known SIDs
                 2. local accounts
                 3. primary domain
                 4. trusted domains
                 b) SID string
Domain:          Name of a domain (NetBIOS or DNS name).
Permission:      Permission to set. Validity of permissions depends on the
                 object type (see below). Comma separated list.
                 Example:    'read,write_ea,write_dacl'
IsSID:           Is the trustee name a SID?
                 y:          Yes
                 n:          No
DisplaySID:      Display trustee names as SIDs?
                 y:          Yes
                 n:          No
                 b:          Both (names and SIDs)
Inheritance:     Inheritance flags for the ACE. This may be a comma separated
                 list containing the following:
                 so:         sub-objects
                 sc:         sub-containers
                 np:         no propagation
                 io:         inherit only
                 Example:    'io,so'
Mode:            Access mode of this ACE:
                 a) DACL:
                 set:        Replace all permissions for given trustee by
                             those specified.
                 grant:      Add permissions specified to existing permissions
                             for given trustee.
                 deny:       Deny permissions specified.
                 revoke:     Remove permissions specified from existing
                             permissions for given trustee.
                 b) SACL:
                 aud_succ:   Add an audit success ACE.
                 aud_fail:   Add an audit failure ACE.
                 revoke:     Remove permissions specified from existing
                             permissions for given trustee.
Where:           Apply settings to DACL, SACL, or both (comma separated list):
                 dacl
                 sacl
                 dacl,sacl
Recursion:       Recursion settings, depends on object type:
                 a) file:
                 no:         No recursion.
                 cont:       Recurse, and process directories only.
                 obj:        Recurse, and process files only.
                 cont_obj:   Recurse, and process directories and files.
                 b) reg:
                 no:         Do not recurse.
                 yes:        Do Recurse.
Protection:      Controls the flag 'allow inheritable permissions from the
                 parent object to propagate to this object':
                 nc:         Do not change the current setting.
                 np:         Object is not protected, i.e. inherits from
                             parent.
                 p_c:        Object is protected, ACEs from parent are
                             copied.
                 p_nc:       Object is protected, ACEs from parent are not
                             copied.
Format:          Which list format to use:
                 sddl:       Standardized SDDL format. Only listings in this
                             format can be restored.
                 csv:        SetACL's csv format.
                 tab:        SetACL's tabular format.
What:            Which components of security descriptors to include in the
                 listing. (comma separated list):
                 d:          DACL
                 s:          SACL
                 o:          Owner
                 g:          Primary group
                 Example:    'd,s'
ListInherited:   List inherited permissions?
                 y:          Yes
                 n:          No
Filename:        Name of a (unicode) file used for list/backup/restore
                 operations or logging.
Keyword:         Keyword to filter object names by. Names containing this
                 keyword are not processed.

-R-E-M-A-R-K-S----------------------------------------------------------
Required parameters (all others are optional):
                 -on         (Object name)
                 -ot         (Object type)
Parameters that may be specified more than once:
                 -actn       (Action)
                 -ace        (Access control entry)
                 -trst       (Trustee)
                 -dom        (Domain)
                 -fltr       (Filter keyword)
Only actions specified by parameter(s) '-actn' are actually performed,
regardless of the other options set.
Order in which multiple actions are processed:
                 1.          restore
                 2.          clear
                 3.          trustee
                 4.          domain
                 5.          ace, setowner, setgroup, setprot
                 6.          rstchldrn
                 7.          list

-V-A-L-I-D--P-E-R-M-I-S-S-I-O-N-S---------------------------------------
a) Standard permission sets (combinations of specific permissions)
Files / Directories:
              read:          Read
              write:         Write
              list_folder:   List folder
              read_ex:       Read, execute
              change:        Change
              profile:       = change + write_dacl
              full:          Full access
Printers:
              print:         Print
              man_printer:   Manage printer
              man_docs:      Manage documents
              full:          Full access
Registry:
              read:          Read
              full:          Full access
Service:
              read:          Read
              start_stop:    Start / Stop
              full:          Full access
Share:
              read:          Read
              change:        Change
              full:          Full access
b) Specific permissions
Files / Directories:
              traverse:      Traverse folder / execute file
              list_dir:      List folder / read data
              read_attr:     Read attributes
              read_ea:       Read extended attributes
              add_file:      Create files / write data
              add_subdir:    Create folders / append data
              write_attr:    Write attributes
              write_ea:      Write extended attributes
              del_child:     Delete subfolders and files
              delete:        Delete
              read_dacl:     Read permissions
              write_dacl:    Write permissions
              write_owner:   Take ownership
Registry:
              query_val:     Query value
              set_val:       Set value
              create_subkey: Create subkeys
              enum_subkeys:  Enumerate subkeys
              notify:        Notify
              create_link:   Create link
              delete:        Delete
              write_dacl:    Write permissions
              write_owner:   Take ownership
              read_access:   Read control

Categories: Tips