Shrewsoft Cisco VPN client for 64 bit Windows

I’m *not* wearing my ITS Network Services hat for this… but since there isn’t an official way to connect your 64-bit Windows (Vista, 7, 2008) machine to the UNI VPN (a Cisco IPsec-based connection), here is the best thing going:

Shrewsoft has a free VPN client application: Shrewsoft download here

Once installed, import the UNI configuration file (it MUST be unzipped first).

Use your AD.uni.edu credentials as usual (just the short username). Voila.


Samsung Replenish Video

This is probably my next cellphone. Although it really is a bad compromise on screen resolution, I’ll make that sacrifice in order to get a portrait-oriented QWERTY keyboard.


Windows XP end-of-support Desktop Gadget


What better way to remind you, at a glance at your Windows Vista or 7 desktop, that the end is near for Windows XP?
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=53a27766-0168-4617-b44e-74b2886cec6d


Converting NT Time/Determining lockoutTime on AD Account object

Since the Googles didn’t help me find this again quickly: if you have an AD user object with an NT time value, say 129433827748670500 (in Attribute Editor or ADSI Edit: lockoutTime), and you want an “English” date and time, remember that NT time is the Windows FILETIME format, a count of 100-nanosecond intervals since January 1, 1601 UTC, and w32tm will convert it for you:

w32tm.exe /ntte 129433827748670500

Yields:
149807 16:06:14.8670500 - 2/28/2011 10:06:14 AM
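The same conversion in PowerShell, as an added example that is not part of the original post: it reproduces the two fields w32tm prints, then reads lockoutTime from a live user object. The user name jdoe is a placeholder; the AD cmdlets come from the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. Converts the NT time value quoted
# above and reads lockoutTime straight from AD. 'jdoe' is a placeholder user.
$ntTime = 129433827748670500

# NT time (FILETIME) is a count of 100-nanosecond ticks since 1601-01-01 00:00 UTC.
[DateTime]::FromFileTimeUtc($ntTime)   # 2/28/2011 4:06:14 PM, UTC
[DateTime]::FromFileTime($ntTime)      # same instant in local time: 10:06:14 AM in US Central

# The two fields w32tm /ntte prints are whole days since 1601 and the UTC time of day.
$epoch = New-Object DateTime 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
$utc   = $epoch.AddTicks($ntTime)
$days  = [math]::Floor(($utc - $epoch).TotalDays)           # 149807
"{0} {1:HH:mm:ss.fffffff} - {2}" -f $days, $utc, $utc.ToLocalTime()

# Reading it from a user object. Bad-password counts and lockouts are processed on
# the PDC emulator, so ask it rather than whichever DC you happen to be bound to.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
$u = Get-ADUser -Identity jdoe -Server $pdc -Properties lockoutTime, LockedOut, badPwdCount

if ($u.lockoutTime -gt 0) {
    # lockoutTime stays set until the next successful logon, even after the lockout
    # duration has passed, so use the computed LockedOut property for "is it locked now".
    $lockedAt = [DateTime]::FromFileTime($u.lockoutTime)
    $duration = (Get-ADDefaultDomainPasswordPolicy -Server $pdc).LockoutDuration
    "{0} locked at {1}; currently locked: {2}" -f $u.SamAccountName, $lockedAt, $u.LockedOut
    if ($duration.Ticks -gt 0) {
        # If your domain policy locks accounts until an administrator unlocks them,
        # ignore this computed expiry.
        "lock expires (per domain policy) at {0}" -f $lockedAt.Add($duration)
    }
} else {
    # lockoutTime is 0 (or absent) for an account that has never been locked
    "{0} is not locked out" -f $u.SamAccountName
}

# Everything currently locked, domain-wide:
Search-ADAccount -LockedOut -Server $pdc | Select-Object SamAccountName, LockedOut, LastLogonDate
```

FromFileTime returns local time and FromFileTimeUtc returns UTC, which is why w32tm shows both 16:06 and 10:06 for the same value.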

allowing anonymous email in Exchange 2010 (Printer/Fax device)

Say you have a network fax/printer/copier that generates PDF files and emails them out via SMTP.  Many of these devices lack the ability to authenticate to an SMTP host (some can only do plain old unencrypted SMTP, too), so what do you do?

If you’ve looked at the SMTP Receive Connector from the Internet to your Exchange 2010 server in the Exchange Management Console (EMC), you’ve got 90% of what you want for your printers.  Create a new Receive Connector using the wizard: call it Fax/Printer, and for intended use choose Custom.


On the local network settings, list all your public-facing (or routed) network addresses (defaults to All Available IPv4) on port 25, and enter the FQDN the connector will answer with.


IMPORTANT: on the remote network settings, list your discrete device addresses, or the smallest subnet that covers your printer/fax/copiers, without exposing this connector to *ANY* Internet addresses (easier if they sit on NAT/private addresses).  Exchange hands an incoming session to the receive connector whose remote range matches the sending address most specifically, so this list is the only thing separating a fax relay from an open relay: no more than your stupid fax/printer device(s).


Finish the wizard by clicking New, then open the properties of your newly created Fax/Printer Receive Connector.  On the Authentication tab nothing is required (check TLS if you want).  On the Permission Groups tab check only Anonymous Users.


That got me to the point where an email generated from the device would make it to an internal email address (the destination mailbox was inside our Exchange organization) but probably ended up in the Junk E-mail folder.  This is likely because of Exchange content filtering: mail submitted with authentication bypasses the anti-spam agents, while anonymous mail is examined, and in a situation like the Konica Minolta I ran into, Exchange decides a message with no body and a PDF attachment is likely spam.

Here is a good and extensive flow chart of how messages are handled by Exchange 2010’s anti-spam and antivirus agents:

Understanding Anti-Spam and Antivirus Mail Flow

Next, I want email processed through this SMTP connector to not be subject to content filtering.  Exchangepedia.com solved this for me:

Disable Antispam agents on a Receive Connector

In my case the PowerShell line is: Get-ReceiveConnector "Fax/Printer" | Add-ADPermission -User "NT Authority\Anonymous Logon" -AccessRights ExtendedRight -ExtendedRights ms-exch-bypass-anti-spam

So now I can send mail to internal/organizational mailboxes and it is delivered to their inboxes.  Finally I want to be able to deliver email outside of the organization, aka relay.  Open SMTP relays are a bad hangover from the early 2000s, and rightfully Microsoft has removed the opportunity for otherwise bored sysadmins to go click-happy on things they shouldn’t touch.  That is to say, allowing relay is no longer in the GUI EMC; you’ll need PowerShell for that.

Allow Anonymous Relay on a Receive Connector

The PowerShell command: Get-ReceiveConnector "Fax/Printer" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
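The whole procedure scripted in the Exchange Management Shell, as an added example that is not part of the original post, with two things the GUI steps don’t give you: an audit of every connector that lets anonymous senders relay, and a test that relay is refused from an address outside the device list. The server name MBX01, the FQDN mail.example.edu and the device addresses are placeholders.

```powershell
# Added example, not from the original post. Server name, FQDN and the device
# addresses are placeholders; substitute your own.
$devices = "10.20.30.11", "10.20.30.12"   # each copier's static address, not its whole subnet

New-ReceiveConnector -Name "Fax/Printer" -Server MBX01 -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $devices `
    -Fqdn mail.example.edu -AuthMechanism Tls -PermissionGroups AnonymousUsers

# Exchange routes a session to the connector whose RemoteIPRanges match the sender most
# specifically, so these two rights only apply to sessions from $devices; the Default
# connector (0.0.0.0-255.255.255.255) keeps its own, stricter permissions.
$rc = Get-ReceiveConnector "MBX01\Fax/Printer"
$rc | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-Bypass-Anti-Spam"
$rc | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Audit: every connector that lets ANONYMOUS LOGON relay, and the addresses it accepts from.
# A hit whose range is 0.0.0.0-255.255.255.255 is an open relay.
Get-ReceiveConnector | ForEach-Object {
    $conn  = $_
    $relay = Get-ADPermission -Identity $conn.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -match "Accept-Any-Recipient" }
    if ($relay) {
        New-Object PSObject -Property @{
            Connector      = $conn.Identity
            RemoteIPRanges = ($conn.RemoteIPRanges -join ", ")
        }
    }
}

# Verify from a host that is NOT in $devices: RCPT TO an outside domain must be refused.
function Test-SmtpRelay {
    param([string]$Server, [string]$From, [string]$To, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $null = $reader.ReadLine()                                    # 220 banner
    foreach ($cmd in "EHLO relaytest.example", "MAIL FROM:<$From>", "RCPT TO:<$To>") {
        $writer.WriteLine($cmd)
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')   # skip multi-line EHLO reply
    }
    $writer.WriteLine("QUIT")
    $client.Close()
    return $line   # reply to RCPT TO: "550 5.7.1 Unable to relay" is what you want to see
}
Test-SmtpRelay -Server mail.example.edu -From relaytest@example.edu -To someone@outside.example
```

Run Test-SmtpRelay twice: once from one of the device addresses (expect 250) and once from anywhere else (expect 550). If the second run returns 250, the remote range on the connector is too wide.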


Word/Excel documents remember paper tray

File under ‘silly things I’ve learned lately’: Microsoft Word (and Excel) files can call for a printer paper tray independent of the printer selected.  A real problem when someone creates documents daily from a really old template file that calls for, say, tray #3, even though the printer your office had with letter size in tray 3 is long gone (and the new replacement has legal in tray 3).


So for gosh sake, unless you really, really need to specify it, leave the paper source in Word’s Page Setup as “Automatically select”; otherwise expect your jobs not to print and to find a flashing warning light on your printer asking you to insert different sized paper in the tray or choose an alternate tray.


2010 Q101 Top 101 Songs

Since Q101 (WKQX of Chicago, http://www.q101.com) hasn’t seen fit to publish the list of 101 songs played yesterday (and Google doesn’t find anyone else who has), here goes in good old CSV style (since I suck at tables in Movable Type):

1,Odd One,Sick Puppies
2,This is War,30 Seconds To Mars
3,Nightmare,Avenged Sevenfold
4,The Sound,Switchfoot
5,In One Ear,Cage The Elephant
6,Letter From a Thief,Chevelle
7,Resistance,Muse
8,Panic Switch (Album Version),Silversun Pickups
9,Shameful Metaphors,Chevelle
10,Impossible,Anberlin
11,The Good Life,Three Days Grace
12,Your Decision,Alice in Chains
13,Say You’ll Haunt Me,Stone Sour
14,Tighten Up,The Black Keys
15,Uprising,Muse
16,Kings and Queens,30 Seconds To Mars
17,Again,Flyleaf
18,Mountain Man,Crash Kings
19,Maybe,Sick Puppies
20,Undisclosed Desires,Muse
21,The Fixer,Pearl Jam
22,Another Way To Die,Disturbed
23,Eyesore,Janus
24,World So Cold,Three Days Grace
25,Diamond Eyes,Deftones
26,Back Against The Wall,Cage The Elephant
27,The Crow & The Butterfly,Shinedown
28,Lesson Learned,Alice in Chains
29,Living In A Dream,Finger Eleven
30,Give Me A Sign,Breaking Benjamin
31,Here We Are Juggernaut,Coheed and Cambria
32,Animal,Neon Trees
33,Kick In The Teeth,Papa Roach
34,You Got Me,Crash Kings
35,Waiting For The End,Linkin Park
36,Snuff,Slipknot
37,My Best Theory,Jimmy Eat World
38,"You’re Gonna Go Far, Kid",The Offspring
39,Love Hate Sex Pain,Godsmack
40,Break,Three Days Grace
41,Closer to the Edge,Thirty Seconds To Mars
42,I Will Not Bow,Breaking Benjamin
43,I Was A Teenage Anarchist,Against Me!
44,End Of Me,Apocalyptica Featuring Gavin Rossdale
45,I Want You To,Weezer
46,Rise Up,Cypress Hill
47,You’ve Seen the Butcher,Deftones
48,The Animal,Disturbed
49,Die By The Drop,"Dead Weather, The"
50,White Flag Warrior,Flobots Featuring Tim from Rise
51,Radioactive,Kings of Leon
52,Check My Brain,Alice in Chains
53,Your Betrayal,Bullet For My Valentine
54,Freak,Smashing Pumpkins
55,You’re Going Down,Sick Puppies
56,Jars,Chevelle
57,Issues,Escape the Fate
58,Sick of You,Cake
59,Welcome to the Family,Avenged Sevenfold
60,Take Back The Fear,Hail The Villain
61,Wild and Young,American Bang
62,Substitution,Silversun Pickups
63,I’m Your Daddy,Weezer
64,Mess of Me,Switchfoot
65,Na Na Na (Na Na Na Na Na Na Na Na Na),My Chemical Romance
66,Cryin Like a Bitch!,Godsmack
67,Jesus Stole My Girlfriend,Violent Soho
68,Chasm,Flyleaf
69,Scream With Me,Mudvayne
70,New Low,Middle Class Rut
71,If I Were You,Janus
72,Shoot It Out,10 Years
73,Sing,My Chemical Romance
74,Lights Out,Breaking Benjamin
75,Between The Lines,Stone Temple Pilots
76,Oildale (Leave Me Alone),Korn
77,Last of the American Girls,Green Day
78,Just Breathe,Pearl Jam
79,Fed Up,AM Taxi
80,Lay Me Down,Dirty Heads
81,Memories,Weezer
82,This Addiction,Alkaline Trio
83,Crash,Cavo
84,All I Want,A Day To Remember
85,Shake Me Down,Cage The Elephant
86,Neutron Star Collision,Muse
87,Isolation,Alter Bridge
88,Take a Load Off,Stone Temple Pilots
89,This Too Will Pass,OK Go
90,The Catalyst,Linkin Park
91,Beautiful Thieves,AFI
92,1983,Neon Trees
93,I’m Alive,Story of the Year
94,Gypsy Woman,Jonathan Tyler & the Northern Lights
95,New Fang,Them Crooked Vultures
96,Little Lion Man,Mumford & Sons
97,We’ve Got a Situation Here,"Damned Things, The"
98,Yeah Yeah Yeah,New Politics
99,Far From Home,Five Finger Death Punch
100,Whipped Cream,Ludo
101,"Mind Eraser, No Chaser",Them Crooked Vultures


BitLocker password recovery viewer

Anyone deploying Windows 7 to UNI portable computers should consider installing the Enterprise edition (instead of Professional, Windows 7’s business edition, which ships with most new Dells and does not include BitLocker; our Microsoft Campus Agreement entitles us to install Enterprise on UNI-owned systems) and enabling full-disk encryption with Microsoft’s BitLocker.

Newish hardware will have a hardware Trusted Platform Module (TPM), which makes this job trivial (for Dell notebooks, I think anything newer than July 2006, starting with the Latitude D620, has a TPM).

Install Windows 7 Enterprise, join it to the ad.uni.edu Active Directory domain, then go into Control Panel and turn BitLocker on (expect a few hours for your disk to be encrypted, during which time the system will be noticeably slower).

We have automatic escrowing of BitLocker recovery keys in ad.uni.edu, so if you do something to the machine that trips recovery (update the BIOS, move the hard disk into another computer, etc.) you can find the recovery key easily: if you are an OU Administrator for your division/department, the newer Remote Server Administration Tools (RSAT) have an additional feature, “BitLocker Recovery Password Viewer”, which when enabled adds a “BitLocker Recovery” tab to the properties of each computer object.  (Thanks to Nate K. for pointing this out to me; the feature doesn’t work until an Enterprise Admin enables it on at least one domain controller.)  If for some odd reason that extra tab bothers you (it displays on all computers, whether you have BitLocker turned on or not), uncheck the RSAT BitLocker Recovery Password Viewer feature and it will be hidden.

[screenshot: RSAT feature list with BitLocker Recovery Password Viewer checked]

Once you enable it – this is what it should look like in Active Directory Users and Computers (ADUC, aka dsa.msc)

[screenshot: computer object properties in ADUC showing the BitLocker Recovery tab]

If you are wondering who can see these recovery keys: Domain Admins can see them for all computers; OU Administrators can see them for the computers inside their OU boundaries; standard users cannot see any, unless you delegate that right (or modify the security permissions on those computer objects).  Keep in mind the recovery password is stored in clear text on a child object of the computer account, so whoever can read that object can unlock the disk; delegate it as carefully as you would hand out the drive itself.
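The same information pulled from AD with PowerShell rather than the RSAT tab, as an added example that is not part of the original post. It also answers two questions the tab does not: which computers in an OU have nothing escrowed at all, and who besides you can read a given key. LAPTOP01, the OU path and the key-ID prefix are placeholders; the cmdlets come from the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. 'LAPTOP01', the OU and 'A1B2C3D4' are placeholders.
Import-Module ActiveDirectory

# Recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer.
# The CN is "<timestamp>{<recovery GUID>}"; the pre-boot recovery screen shows that GUID as
# the "Recovery key ID", and the RSAT viewer searches on its first 8 hex digits.
function Get-BitLockerRecovery {
    param([string]$ComputerName, [string]$KeyIdPrefix)
    $comp   = Get-ADComputer -Identity $ComputerName
    $filter = "objectClass -eq 'msFVE-RecoveryInformation'"
    if ($KeyIdPrefix) { $filter += " -and Name -like '*{$KeyIdPrefix*'" }
    Get-ADObject -SearchBase $comp.DistinguishedName -SearchScope OneLevel -Filter $filter `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', whenCreated |
        ForEach-Object {
            New-Object PSObject -Property @{
                Computer = $comp.Name
                Escrowed = $_.whenCreated
                KeyId    = (New-Object Guid (,[byte[]]$_.'msFVE-RecoveryGuid')).ToString()
                Password = $_.'msFVE-RecoveryPassword'   # 48 digits, stored in clear text
            }
        }
}

Get-BitLockerRecovery -ComputerName LAPTOP01                          # every key ever escrowed
Get-BitLockerRecovery -ComputerName LAPTOP01 -KeyIdPrefix 'A1B2C3D4'  # the one the user reads to you

# Which computers in an OU have no recovery information escrowed? The backup to AD happens
# when a protector is created, so machines encrypted before the policy reached them show up
# here and need a manual "manage-bde -protectors -adbackup <drive> -id <GUID>".
$ou = "OU=Laptops,OU=MyDept,DC=ad,DC=uni,DC=edu"
Get-ADComputer -Filter * -SearchBase $ou | Where-Object {
    -not (Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
          -Filter "objectClass -eq 'msFVE-RecoveryInformation'")
} | Select-Object Name

# Who can read the key? The ACL on the child object (mostly inherited from the computer
# and its OU) is what matters. Property-specific ReadProperty ACEs also appear here, so
# check ObjectType on any entry you did not expect before deciding it is a problem.
$ro = Get-ADObject -SearchBase (Get-ADComputer LAPTOP01).DistinguishedName -SearchScope OneLevel `
      -Filter "objectClass -eq 'msFVE-RecoveryInformation'" | Select-Object -First 1
(Get-Acl -Path "AD:\$($ro.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'ReadProperty|GenericRead|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, ObjectType
```

Anyone who can run the first function against a computer can recover its disk; the last query is the list of those people, and it should match what you expect from the OU delegation.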


Windows Vista Hibernate after 0 minutes doesn’t equal disabled

Odd one: a user complains that when they leave their desk for several hours, on returning they cannot get the computer to “wake up”, but if they turn the computer off, when they return and turn the power on everything comes up fine.

Vista Enterprise x86: it seems that setting hibernate to “after zero minutes” in the Power Options control panel applet doesn’t truly disable the hibernation feature.  In this case, the machine still attempted to hibernate after a few hours (much longer than the 1 hour to sleep, which did work and did resume on a simple keystroke).

Instead you need the powercfg.exe command to truly disable hibernation (I found this largely by accident: when clicking on the GUI shutdown/log off/restart/sleep menu I noticed the “hibernate” option and did a double-take).

Microsoft support article for Windows Server 2008, Vista, and Windows 7: http://support.microsoft.com/kb/920730
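The powercfg fix with the checks that confirm hibernation really is off, as an added example that is not part of the original post. Run from an elevated PowerShell prompt on Vista or later:

```powershell
# Added example, not from the original post. Run elevated.
# powercfg.exe is the documented way (KB 920730) to switch hibernation off; it also
# deletes hiberfil.sys, a file the size of RAM that holds a full memory image.
powercfg.exe /hibernate off

# Verify three ways. 1) Hibernate should no longer be listed as an available state:
powercfg.exe /availablesleepstates

# 2) The flag the Power Options GUI never exposes should read 0:
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power').HibernateEnabled

# 3) The hibernation file should be gone from the system drive:
Test-Path "$env:SystemDrive\hiberfil.sys"     # False once hibernation is off

# To put it back later (hiberfil.sys is recreated on the next boot):
# powercfg.exe /hibernate on
```

One caveat before doing this on a portable: on a BitLocker-protected machine, hibernation writes the memory image to the encrypted volume and the key is only released again after pre-boot authentication, whereas sleep leaves the volume key sitting in RAM. For a desktop that won’t wake up this fix is fine; for the encrypted laptops described above, hibernation is the idle state you want to keep.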


Symantec Endpoint Protection client won’t start on WS2008R2

Found this while trying to install/run SEP clients 11.0.5002.333 and 11.0.6000.550 on domain controllers running Windows Server 2008 R2.  SEP’s client service, “Symantec Management Client”, depends on the “System Event Notification” service, which at least on my 3 DCs had a startup type of Disabled.

After changing the “System Event Notification” service to Automatic and starting it, I was able to start the “Symantec Management Client” service, and a few minutes later that server/DC had new definitions and appeared in the SEP Manager’s list of clients.
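A way to find this kind of problem without guessing, as an added example that is not part of the original post: walk the services a stuck service depends on and flag any that are Disabled, then apply the fix above. The short service names are SmcService (“Symantec Management Client”) and SENS (“System Event Notification”); the function itself works for any service.

```powershell
# Added example, not from the original post. Works on any service, not just SEP's;
# written for the PowerShell 2.0 that ships with Windows Server 2008 R2.
function Get-DisabledDependencies {
    param([Parameter(Mandatory=$true)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    foreach ($dep in $svc.ServicesDependedOn) {
        # The ServiceController object has no start mode; read it from WMI.
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$($dep.Name)'"
        if ($wmi.StartMode -eq 'Disabled') {
            New-Object PSObject -Property @{
                Service         = $svc.Name
                RequiredService = $dep.Name
                DisplayName     = $dep.DisplayName
                Status          = $dep.Status
            }
        }
        # Dependencies can be nested, so keep walking down the chain.
        Get-DisabledDependencies -Name $dep.Name
    }
}

Get-DisabledDependencies -Name SmcService | Format-Table -AutoSize

# The fix from the post, scripted:
Set-Service -Name SENS -StartupType Automatic
Start-Service -Name SENS
Start-Service -Name SmcService
Get-Service -Name SmcService, SENS | Format-Table Name, Status, DisplayName -AutoSize
```

If your DCs have SENS disabled because of a hardening baseline, check that baseline before flipping it back; the SEP client simply will not run without it.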
