Tuesday, October 18, 2011

Deploy Adobe Flash over Existing Versions

2. Download appropriate MSI packages for newest version
3. Create GPO

Seems easy right? Except the MSI installer has issues overwriting the C:\WINDOWS\system32\Macromed\Flash\***.ocx file for versions of Flash prior to 11. I searched high and low to resolve this issue, and the only thing I found that worked (and could be scaled) was running the Flash Player uninstaller, which of course only comes in the executable flavor.

My new plan was to create a startup script to run the uninstaller, but then I realized we would have Flash Player being uninstalled and reinstalled on every reboot - not a very efficient use of resources.

I did some testing and found the registry keys for Flash Player 11 (11 was current version at time of writing this) were stored in a different key than previous versions. I created the below startup script to check for previous versions and then run the uninstaller and we were all set!

setlocal

REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************

REM Setting Adobe Flash Product Name
set ProductName=Adobe Flash Player Plugin

REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line.
REM *********************************************************************

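REM Quote the key path: the product name contains spaces, and unquoted they
REM are parsed as extra arguments, so reg query fails on every machine.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%" >nul 2>&1
REM Errorlevel 1 means the Flash Player 11 key was not found: run the uninstaller.
if %errorlevel%==1 (goto UninstallFlash) else (goto End)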

:UninstallFlash
start \\\NETLOGON\Files\AdobeFlash\uninstall_flash_player_32bit.exe -uninstall

REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
:End

Endlocal

Friday, August 12, 2011

Copy + Paste in cmd prompt!

If you use the cmd prompt a lot, you know how annoying it is to not be able to use ctrl + c and ctrl + v to copy and paste. If you have ever used a unix/linux command line, you know that in almost all of them you can highlight text with your mouse and paste with a right click – very useful and time saving.

Apparently you can do the same in cmd prompt if you enable “QuickEdit” mode:

To enable QuickEdit mode:
1. Right-click the Command Prompt's title bar and go to Properties.
2. Under Edit Options, select QuickEdit Mode.
3. Paste text using the mouse right-click button.
This will also let you select text using the mouse and copy it to the clipboard from the Command Prompt by hitting Enter or right-clicking.

Windows 7 will save your QuickEdit mode preference, however if you are using an older OS version and want this to be the default behavior for the Command Prompt, use the Registry Editor (regedit.exe from Run), go to HKEY_CURRENT_USER \ Console and set the QuickEdit key's value data to 1. That should do the trick, permanently.

Source: http://www.techspot.com/guides/311-paste-cmd-using-ctrl-v/

Happy copy/pasting!

Thursday, July 7, 2011

Can't get SEP to install?

Just had the most frustrating/bizarre/nightmare SEP installation issue. Been working on it all night and FINALLY got it to work. Thought I’d share what finally got it to work for me.

It all started with a user who had SEP installed, but virus definitions hadn’t been updated in a couple months. When I tried to run LiveUpdate it gave me errors. Uninstalled LiveUpdate and reinstalled and LiveUpdate still gave me same errors. Decided to remove SEP and re-install to try and fix and then SEP wouldn’t install!

All the errors I received along the way:

Eventvwr:

“The description for Event ID 101 from source AutomaticLiveUpdate Scheduler cannot be found”

“Product: Symantec Endpoint Protection -- Error 1606. Could not access network location %APPDATA%\.”

“LiveUpdate returned a non-critical error. Available content updates may have failed to install.”

“Windows Installer installed the product. Product Name: Symantec Endpoint Protection. Product Version: 11.0.6300.803. Product Language: 1033. Manufacturer: Symantec Corporation. Installation success or error status: 1603.” (NOT a success M$)

“Product: Symantec Endpoint Protection -- Symantec Endpoint Protection has detected that there are pending system changes that require a reboot. Please reboot the system and rerun the installation.”

“Failed to connect to server. Error: 0x800401F0”

SEPInst.log:

“Failed unregistering service.”

“serviceIsRunning: OpenService FAILED with error 1060” ( Original Live Update Error I think, can’t remember at this point)

Resolution:

All these steps may not be required, but I had already tried clean wipe several times and a lot of different Google’d steps and none in themselves worked so I did all of these before trying another install.

#1 (VERY IMPORTANT) Block any SEP install GPO for JUST the computer you are working on. If you don’t, SEP will try to re-install on every reboot.

Deleted the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmcService\Symantec Management Client

Deleted the following folders (if they exist):

C:\Program Files\Symantec

C:\Program Files\Symantec Antivirus

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate (Win XP)
C:\ProgramData\Symantec\LiveUpdate (Windows 7 or Windows Server 2008)

C:\Program Files\Common Files\Symantec Shared

C:\Users\%username%\AppData\Local\Symantec

Ran this M$ FixIt

Removed Deny permissions for “Everyone” group on “C:\Users\All Users\Application Data” (Hint: have to do through advanced permissions) – Although this is just a junction point, I also saw errors saying Access Denied to that folder so I figured it wouldn’t hurt.

I then found this link which walks through the manual uninstall of SEP. Most of the stuff was already deleted by CleanWipe so it didn’t take much longer.

Finally after this I rebooted, re-enabled SEP GPO for computer, did a “gpupdate /force”, rebooted again and crossed my fingers and it worked!
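
A read-only check for the leftovers named in this post, added here as an example (it is not part of the original write-up). It lists what is queued in PendingFileRenameOperations, so you can see what would be discarded before deleting it, and reports which of the listed folders and the SmcService key still exist. The function name is hypothetical; the paths are the Windows 7 / Server 2008 locations.

```powershell
# Added example: report SEP leftovers without changing anything.
function Get-SepLeftover {
    function New-Row($Kind, $Item, $Detail) {
        New-Object PSObject -Property @{ Kind = $Kind; Item = $Item; Detail = $Detail }
    }
    $rows = @()

    # PendingFileRenameOperations is a REG_MULTI_SZ value under Session Manager.
    # Entries come in source/destination pairs; an empty destination means
    # the source file is deleted at the next boot.
    $sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations `
                             -ErrorAction SilentlyContinue
    $pending = @()
    if ($prop) { $pending = @($prop.PendingFileRenameOperations) }
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $dest = ''
        if ($i + 1 -lt $pending.Count) { $dest = $pending[$i + 1] }
        $action = 'delete at next boot'
        if ($dest) { $action = "rename to $dest" }
        $rows += New-Row 'PendingRename' $pending[$i] $action
    }

    # Service key named in the post.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\SmcService'
    if (Test-Path $svc) { $rows += New-Row 'RegistryKey' $svc 'still present' }

    # Folders listed in the post.
    $folders = @(
        'C:\Program Files\Symantec',
        'C:\Program Files\Symantec Antivirus',
        'C:\ProgramData\Symantec\LiveUpdate',
        'C:\Program Files\Common Files\Symantec Shared',
        "C:\Users\$env:USERNAME\AppData\Local\Symantec"
    )
    foreach ($folder in $folders) {
        if (Test-Path $folder) { $rows += New-Row 'Folder' $folder 'still present' }
    }

    $rows | Select-Object Kind, Item, Detail
}

# An empty result means none of the listed leftovers were found.
Get-SepLeftover | Format-Table -AutoSize
```

Run it from an elevated prompt on the affected machine before retrying the install.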

Wednesday, May 18, 2011

Can't Re-Add BB user after deleting in Admin Service

To verify if BlackBerry smartphone user accounts are queued for deletion, perform the following steps:

  1. Under BlackBerry Solution Management, expand User.
  2. Click Manage Users.
  3. In the Search for users menu, click Advanced search.
  4. In the Email criteria section of the Advanced Search, select True in the Queued removal of BlackBerry services drop-down box.
  5. Click Search.

BlackBerry smartphone users who are pending a deletion, but the process has not completed, will be displayed.

The BlackBerry smartphone user account can be purged from the database or removed immediately from the BlackBerry service by performing the following steps:

  1. Click the Display name of the BlackBerry smartphone user that is displayed when searching for BlackBerry smartphone users that are Queued removal of BlackBerry services.
  2. Click Immediate removal of BlackBerry services.
After completing this you should be able to re-create the user in BAS immediately!

Thursday, April 28, 2011

"Extra Registry Settings" GPOs

Recently went to add some trusted sites to an existing IE GPO on a Windows 2003 DC. Found the GPO and the sites already in there were listed in the Settings tab under "Computer Configuration\Administrative Templates\Extra Registry Settings".

However... when I went to EDIT that GPO there was no "Extra Registry Settings" under Computer Configuration\Administrative Templates. Looked all over and couldn't find it anywhere!

Eventually came upon this gem on MS Technet:

“When searching for a given .adm file, GPMC will only use the first .adm file it finds in the listed search order. If there are policy settings in the GPO for which no .adm file can be found, these settings will be displayed in the report in a section called “Extra Registry Settings” which displays the registry keys and values for those settings.”

Found a DC that was running Windows 2008 and tried editing the GPO and what do you know, the "Extra Registry Settings" were not there, but there was a looooong list of other settings, one being named "Policy: Site to Zone Assignment List" under "Computer Configuration\Admin Templates\Windows Components\Internet Control Panel\Security Page\". The existing trusted sites were in it so just added the new ones and did a gpupdate and was ready to go.

Wednesday, April 27, 2011

Exchange 2007 Public Folder Permissions

To grant a group permissions on an Exchange 2007 public folder the group MUST be mail enabled. To do this you must first create a Universal Security group and then mail-enable the group via Exchange Management console/shell. Once these two steps are complete you will be able to assign permissions via Outlook or Exchange management shell.

As a final step I recommend hiding the group from the GAL via Exchange Management Console > Recipient Configuration > Distribution Groups > GroupName properties and finally Advanced tab.

Monday, April 25, 2011

Mac RDP and Time Zone Redirection

This issue is becoming more and more popular as an increasing number of users have been accessing terminal servers from the Mac RDP client.

The Mac RDP client does not forward the client time zone correctly. When Mac RDP clients connect to Windows 2008 or Windows 7 computers remotely, the system time appears to be correct, but it's really set to "(GMT -07:00) Unknown time zone" [May be different for those outside of PST]. This issue is most apparent when launching Outlook and looking at calendar appointment times.

Server 2008 and Windows 7 include a utility called tzutil that you can use to update the time zone. Example: TZUTIL /s "Pacific Standard Time"

Or this can be resolved by turning off the TS Time Zone Redirection GPO, but then all users get same time zone:

GPO for it:
Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection\Allow time zone redirection

(Source: http://technet.microsoft.com/en-us/library/cc725887(WS.10).aspx)

Edit: The aforementioned GPO location is for a Server 2003 DC; for a Server 2008 DC look in: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow time zone redirection

Friday, April 22, 2011

Turn off Windows 7 Error Reporting

Get a lot of these?
Here's how to disable it in Windows 7:

Start > Control Panel > All Control Panel Items > Action Center > Change Action Center settings > Problem reporting Settings:

For the domain administrators out there, to disable via GPO try:

Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting

Disable Windows Error Reporting:
“If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Action Center control panel.”

Check Computer BIOS version remotely

Just learned how to do this, thought it would be helpful to share:

Start > Run > msinfo32 from another machine on the network

View > Remote computer… and enter your target machine



Enable Remote Desktop... REMOTELY!

I often need to RDP to a client's computer from another machine on the domain, however it becomes problematic when RDP is not enabled on their machine. Well here is a registry hack that you can do to enable RDP ... wait for it... REMOTELY!

1. Log on to a machine on the same network as a domain admin: Start > Run > regedit.
**Insert cautionary registry editing warning here**

2. From regedit: File > Connect Network Registry… > Input the computer name you need to enable RDP on and click OK

3. Navigate to the HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server key and change the “fDenyTSConnections” REG_DWORD value from 1 to 0 (Remote Desktop enabled)

4. Reboot the target machine from command prompt with: “shutdown /m \\computername /r” MAKE SURE YOU USE THE /m FLAG OTHERWISE YOU COULD ACCIDENTALLY REBOOT THE SERVER!

5. RDP to their machine

6. Send Mike a cookie

I would assume this goes without saying, but just in case, the target computer must be connected to the same network as the machine you are on.
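
Because this change is made outside Group Policy, it is worth being able to see where it has been applied. The following is an added example, not part of the original post: it reads fDenyTSConnections over the same remote-registry channel regedit uses, and also reports whether Network Level Authentication is required (the UserAuthentication value under WinStations\RDP-Tcp). The function name and host names are hypothetical.

```powershell
# Added example: audit the Remote Desktop registry state on remote machines.
# Needs the Remote Registry service on each target and admin rights there,
# the same prerequisites as regedit's "Connect Network Registry".
function Get-RdpRegistryState {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )
    $tsPath  = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpPath = "$tsPath\WinStations\RDP-Tcp"

    foreach ($computer in $ComputerName) {
        $row  = @{ ComputerName = $computer; RdpEnabled = $null
                   NlaRequired  = $null;     Error      = $null }
        $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $ts  = $hklm.OpenSubKey($tsPath)    # opened read-only
            $rdp = $hklm.OpenSubKey($rdpPath)

            # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled.
            $row.RdpEnabled = ($ts.GetValue('fDenyTSConnections') -eq 0)

            # UserAuthentication: 1 = NLA required before a session is created.
            if ($rdp) { $row.NlaRequired = ($rdp.GetValue('UserAuthentication') -eq 1) }
        }
        catch {
            # Unreachable host, Remote Registry stopped, access denied, ...
            $row.Error = $_.Exception.Message
        }
        finally {
            if ($hklm) { $hklm.Close() }
        }
        New-Object PSObject -Property $row |
            Select-Object ComputerName, RdpEnabled, NlaRequired, Error
    }
}

# Hypothetical host names; replace with machines you administer.
Get-RdpRegistryState -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' |
    Format-Table -AutoSize
```

Rows with RdpEnabled True and NlaRequired False are the ones to follow up on; set fDenyTSConnections back to 1 once remote access is no longer needed.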

Make Windows 7 Explorer open My Computer

Right click the explorer icon on the task bar > Right click windows explorer and select properties

Change “%SystemRoot%\explorer.exe” to:

%SystemRoot%\explorer.exe /root,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

To make all new explorers open My Computer and then anything from there will open in a new explorer window.

or...

%SystemRoot%\explorer.exe ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

To make all new explorers open My Computer and then anything from there will open in the same explorer window.

Convert scanned form to Fillable PDF

I found this site online: http://www.pdfescape.com/open/

Tested and I was able to create some fields and then download the pdf and it all worked. (Note: only for pdfs < 5mb and < 50 pages)