Aaron Steele, Author at Perficient Blogs
https://blogs.perficient.com/author/aaron-steele/

Exchange 2010 RC – MailTips
https://blogs.perficient.com/2009/08/19/exchange-2010-rc-mailtips/
Wed, 19 Aug 2009 19:17:15 +0000 (originally http://blogs.pointbridge.com/Blogs/steele_aaron/Pages/Post.aspx?_ID=33)

MailTips are a new feature in Exchange 2010 and, for the first time in a released version, are viewable and testable by you. The Exchange 2010 RC was released yesterday and I have had a chance to see what they can do.

MailTips are manageable both at the Exchange Organization layer and at a per user (as a mail delivery target) layer. The management of MailTips will primarily be done with the new Exchange Control Panel (ECP), with minor forays into the tried and true Exchange Management Shell (EMS).

I took the first step of enabling MailTips for External Recipients with a couple of EMS commands. This notifies all Outlook 2010 clients and all OWA users that they are sending messages outside the organization whenever they add a contact or an email address outside the company to a mail message. It is a quick way to see MailTips work.

First, check what your current setting is for External Recipients; second, update it as desired.

The remaining management of MailTips is done through the ECP on a per user or per contact basis. Accessing the ECP is done with https://<OWA URL>/ecp in a browser as an Exchange/Organizational Administrator. More info about the features of the new web based ECP can be found at MyBlog.

In the ECP, navigate into the details of a user, scroll down, expand the MailTips section and add whatever plain text or custom HTML (up to 175 characters in total length) gets the point across to your users.

In our case, we just want to let anyone emailing the President of the United States of America know that they are doing so, before they send the message.

This data is then stored in AD, in an attribute on the target mail-enabled end recipient of the message, called msExchSenderHintTranslations, as an entry in the multi-valued string field.

From looking at this info, it looks like multiple language translations can be stored in this attribute, and properly delivered to the sender of the message in their language of composition.

The same field is there on a mail-enabled contact in the organization, and it is stored in the same AD attribute on the mail-enabled contact.
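The same changes can be made from the Exchange Management Shell instead of the ECP. The following is an added example, not code from the original post; it assumes an Exchange 2010 EMS session with Organization Management rights, and the recipient identities (`potus`, `DoNotReply`) are placeholders. The last step reads the resulting attribute straight out of AD to confirm where the ECP setting lands.

```powershell
# Added example (not from the original post): organization-wide and per-recipient
# MailTips from the EMS. Identities are placeholders; requires Exchange 2010 EMS.

# 1. Check the current organization-wide setting, then enable the external-recipient tip.
Get-OrganizationConfig | Format-List MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled
Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true

# 2. Per-recipient tips: this writes the same data the ECP MailTips section does.
#    Keep the text within the length limit the ECP enforces (175 characters per the post).
Set-Mailbox     -Identity 'potus'      -MailTip 'You are about to e-mail the President of the United States.'
Set-MailContact -Identity 'DoNotReply' -MailTip 'This mailbox is not monitored; replies will not be read.'

# 3. Optional language-specific variants (format is "<locale>:<text>").
Set-Mailbox -Identity 'potus' -MailTipTranslations @{Add = 'ES:Está a punto de enviar un correo al Presidente de los Estados Unidos.'}

# 4. Read the tips back from the recipient objects ...
Get-Mailbox     -Identity 'potus'      | Format-List MailTip, MailTipTranslations
Get-MailContact -Identity 'DoNotReply' | Format-List MailTip, MailTipTranslations

# 5. ... and confirm the AD attribute the post describes (msExchSenderHintTranslations).
#    DirectorySearcher result property names come back lower-cased.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=person)(mailNickname=potus))'
[void]$searcher.PropertiesToLoad.Add('msExchSenderHintTranslations')
$result = $searcher.FindOne()
if ($result) { $result.Properties['msexchsenderhinttranslations'] } else { 'recipient not found in AD' }
```

The organization-level switch is what makes the external-recipient warning appear for everyone; the per-recipient MailTip is independent of it and shows as soon as the recipient is added to a message.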

When a user in the company then tries to send a message to the POTUS or our “Do Not Reply” user they get notified, during message composition, encouraging them to consider their actions before sending the message.

A quick aside here is that the Outlook Web Access “Premium” view works in my testing on: Windows 7 client with Internet Explorer 8, Firefox 3.5.2 and Google Chrome 2.0.X. I wasn’t able to get OWA Premium to come up on a Windows version of Safari 4.

These same user-helping MailTips also show in the Outlook 2010 client.

The other helpful MailTips are related to replies when you’ve been BCC’ed on a message, Replies to too many people, a Reply if someone has an Out of Office set, etc. Details about the settings at the organization are at http://technet.microsoft.com/en-us/library/aa997443(EXCHG.140).aspx

Exchange 2007 – per user Voicemail codec settings
https://blogs.perficient.com/2009/07/03/exchange-2007-per-user-voicemail-codec-settings/
Fri, 03 Jul 2009 14:40:00 +0000 (originally http://blogs.pointbridge.com/Blogs/steele_aaron/Pages/Post.aspx?_ID=31)

If you’ve deployed Exchange Server 2007 for your UM platform to house your company voicemail and enable voice access to said mail and all the other sundry things involved, you may have noticed something. It looks, on initial blush that the CODEC used for the voicemail is a per dial-plan setting and can’t be customized outside of that.

I have found otherwise. The reason you may want to do this is primarily email access from non-Windows platforms. The default, and arguably the best, CODEC is WMA. The kicker is that iPhone, BlackBerry and Android phones, as well as Mac OS X and Linux clients, all can’t decode WMA files without effort by the end user or technical staff.

Using the Set-UMMailbox command you can modify the "CallAnsweringAudioCodec" on the user's mailbox.

The largest use case I’ve seen for this is iPhone, BlackBerry and Android clients on your network. None of these devices comes with the ability to decode WMA, and none is easily made able to decode WMA. Now you say, how do you know which users are using a non-Windows Mobile device to ActiveSync data from your servers? I have help for you here as well.

On a per-user basis you could comb through your users with Get-ActiveSyncDeviceStatistics -Mailbox <user mailbox name>, but a better solution exists: Export-ActiveSyncLog. The only requirement here is that you haven’t stopped IIS logging on the ActiveSync IIS virtual directories.

You run this command against the folder in which your IIS logs live, pointing it at a log file and specifying an output path.

The output is 6 CSV files. The Users.csv is the one you care about here. You may want to do this analysis over a couple of recent days just to make sure you don’t miss people. Opening it with Excel you can sort by the “Device Type” column. iPhone, and Android clients will need to have their CallAnsweringAudioCodec modified.
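Putting the two halves of the post together as an added example (not the post's own code): export the last few days of IIS logs, pull the non-Windows device users out of Users.csv, and switch only the UM-enabled ones to G.711. It assumes an Exchange 2007 EMS session; the IIS log folder, the output folder and the Users.csv column names (`User`, `Device Type`) are assumptions based on the post's description, so check the header of your own export before relying on them.

```powershell
# Added example (not from the original post). Paths and CSV column names are assumptions.
$logDir = 'C:\inetpub\logs\LogFiles\W3SVC1'   # placeholder: IIS log folder of the EAS site
$outDir = 'C:\Temp\EasReport'                  # placeholder: report output folder

# Analyse several recent log files so a user who synced only once is not missed.
# Each log gets its own output folder, because Export-ActiveSyncLog writes a
# fixed set of six CSV names and would otherwise overwrite the previous day.
$users = foreach ($log in Get-ChildItem -Path $logDir -Filter '*.log' |
                        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-3) }) {
    $dest = Join-Path $outDir $log.BaseName
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Export-ActiveSyncLog -Filename $log.FullName -OutputPath $dest -Force
    Import-Csv -Path (Join-Path $dest 'Users.csv')
}

# Device types that cannot play WMA out of the box (per the post).
$needsG711 = $users |
    Where-Object { $_.'Device Type' -match 'iPhone|Android|BlackBerry' } |
    Select-Object -ExpandProperty User -Unique

foreach ($user in $needsG711) {
    # Only UM-enabled mailboxes carry a CallAnsweringAudioCodec; skip everyone else.
    $um = Get-UMMailbox -Identity $user -ErrorAction SilentlyContinue
    if (-not $um) { continue }
    if ($um.CallAnsweringAudioCodec -ne 'G711') {
        Set-UMMailbox -Identity $user -CallAnsweringAudioCodec G711
        Write-Output "Switched $user from $($um.CallAnsweringAudioCodec) to G711"
    }
}
```

The `User` value comes from the IIS `cs-username` field, so it may arrive as `DOMAIN\user`; `Get-UMMailbox` accepts that form, but if your logs record something else you will need to map it to a mailbox identity first.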

I hope this helps you in making your users more connected and productive.

Mobile Device Management in Exchange 2007
https://blogs.perficient.com/2008/10/08/mobile-device-management-in-exchange-2007/
Wed, 08 Oct 2008 19:23:00 +0000 (originally http://blogs.pointbridge.com/Blogs/steele_aaron/Pages/Post.aspx?_ID=28)

As a colleague recently discovered, losing your cell phone to a thief is a disheartening experience. If you ever find yourself in this situation, and have had your smart phone (including an iPhone) connected to your company’s Microsoft Exchange Server 2007 system, you can find small amounts of solace in its ability to help you manage said device. It should be noted that recent revisions of BlackBerry handhelds, even without a BlackBerry Enterprise Server in your environment, can be configured to sync over the air through BlackBerry Internet Services. These types of connections are not detected, nor can they be controlled in the same way as a Windows Mobile or iPhone ActiveSync-style Over The Air (OTA) connection. Lost or stolen BlackBerry devices should be wiped by contacting your cell phone provider.

To manage and potentially remotely wipe your device you should

1. Sign onto your company’s Exchange 2007 OWA interface and select Options from the top bar.

2. Then select Mobile Devices from the menu on the left

3. There you will see the different mobile devices that are set up to sync with your account and their status. It gives you the ability to remove that device’s ability to sync, wipe all data from it, and display the recovery password set up for that device. If you have multiple devices set up to sync over the air, you can disable or delete them individually.

4. If you select "Wipe All Data from Device…" you will get prompted with a confirmation dialog

5. Selecting OK will initiate the wipe, and then you should remove the device from your device list. It is recommended to perform this wipe before you contact your service provider because as soon as your provider disconnects it from the network you can no longer wipe it with this service.

As a note, your friendly neighborhood Exchange Administrator has the same abilities as you do in controlling your device, and the same rules apply. If you’ve canceled your service through your cell phone provider and disabled the device via their customer service, wiping the device in this way will have no impact. The device has to be on the network and able to be contacted by the Exchange Server for the remote wipe to happen.
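The administrator-side equivalent of the OWA steps, as an added example rather than anything from the original post: list a user's ActiveSync partnerships, send the wipe to one of them, and remove the partnership once the device has acknowledged it. It assumes an Exchange 2007 Management Shell session; the mailbox `jdoe`, the `DeviceID` value and the notification address are placeholders.

```powershell
# Added example (not from the original post). Mailbox, DeviceID and addresses are placeholders.

function Get-UserEasDevices {
    # Same list OWA shows under Options > Mobile Devices, with the wipe timestamps.
    param([Parameter(Mandatory)][string]$Mailbox)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Select-Object DeviceType, DeviceID, DeviceFriendlyName, LastSuccessSync,
                      DeviceWipeSentTime, DeviceWipeAckTime, Identity
}

Get-UserEasDevices -Mailbox 'jdoe' | Format-Table -AutoSize

# Pick the lost device by its DeviceID (from the listing above) and send the wipe.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' | Where-Object { $_.DeviceID -eq 'Appl0000PLACEHOLDER' }
if (-not $lost) { throw 'Device not found; check the DeviceID in the listing' }
Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses 'jdoe@contoso.com' -Confirm:$false

# The wipe only executes when the device next connects (the post's "has to be on the
# network" caveat). DeviceWipeAckTime stays empty until then, so check it before
# removing the partnership; removing it first drops the pending wipe command.
$status = Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' | Where-Object { $_.DeviceID -eq $lost.DeviceID }
if ($status.DeviceWipeAckTime) {
    Write-Output "Wipe acknowledged at $($status.DeviceWipeAckTime); removing partnership"
    Remove-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
} else {
    Write-Output "Wipe sent at $($status.DeviceWipeSentTime), not yet acknowledged; re-run later"
}
```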

Enjoy, and I hope you don’t have the misfortune of needing to wipe your phone.

OCS – Open Federation
https://blogs.perficient.com/2008/03/31/ocs-open-federation/
Tue, 01 Apr 2008 02:16:00 +0000 (originally http://blogs.pointbridge.com/Blogs/steele_aaron/Pages/Post.aspx?_ID=16)

Today the topic is the way that PointBridge supports and encourages other users of Office Communications Server to communicate with us. We have turned on and support Open Federation. We have published the requisite DNS records and have the communication ports open to allow your OCS services to contact ours.
The required DNS records are as follows:

TYPE  Name                                 Content
SRV   _sipfederationtls._tcp.<domain.com>  0 0 5061 <public name of OCS pool>
SRV   _sip._tls.<domain.com>               0 0 443 <public name of OCS pool>
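A quick check that a domain actually publishes both records with the expected ports, as an added example (not from the original post). It uses `Resolve-DnsName` from the DnsClient module (Windows 8 / Server 2012 or later); the domain `contoso.com` is a placeholder.

```powershell
# Added example (not from the original post): verify the two federation SRV records.
# Requires Resolve-DnsName (DnsClient module). The domain is a placeholder.

function Test-OcsFederationDns {
    param([Parameter(Mandatory)][string]$Domain)

    # Record name -> port the post says it must carry.
    $expected = @{
        "_sipfederationtls._tcp.$Domain" = 5061
        "_sip._tls.$Domain"              = 443
    }

    foreach ($name in $expected.Keys) {
        # Filter to SRV answers only; the resolver may also return CNAME/A glue.
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }

        if (-not $srv) {
            [pscustomobject]@{ Record = $name; Status = 'MISSING'; Target = $null; Port = $null }
            continue
        }
        foreach ($r in $srv) {
            [pscustomobject]@{
                Record = $name
                Status = if ($r.Port -eq $expected[$name]) { 'OK' } else { "WRONG PORT (expected $($expected[$name]))" }
                Target = $r.NameTarget   # must match the name on the Edge/pool certificate
                Port   = $r.Port
            }
        }
    }
}

Test-OcsFederationDns -Domain 'contoso.com' | Format-Table -AutoSize
```

The `Target` column is worth reading as well as the port: the name it returns is the one the remote side will validate against your edge certificate, so a record that resolves but points at a name not on the certificate will fail the TLS handshake even though DNS looks correct.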
This means that any OCS user could open a new IM simply to my email address and the communication would go through. No need to contact me to set up a server-side federation setting, no need to contact your network team to set things up. Just IM me. The communication supports the entire OCS stack.

The URLs come in the form of sip:user@domain.com and tel:user@domain.com.

Hope this helps and encourages more companies to support Open Federation. A good note for security-conscious people: even though OCS supports Open Federation, the pool records the domains that connect in this way and can apply rules to block communication from domains that are found to be behaving abnormally.

Happy IMing and happy Federation.
(Get,Add,Remove)IPAllowListEntry
https://blogs.perficient.com/2007/05/15/getaddremoveipallowlistentry/
Tue, 15 May 2007 14:52:00 +0000 (originally http://blogs.pointbridge.com/Blogs/steele_aaron/Pages/Post.aspx?_ID=11)

I had occasion to need to allow a set of servers to send email into our environment by adding them to allow lists. In Exchange 2007 this is done through the EMS (Exchange Management Shell) with the cmdlets Get-IPAllowListEntry, Add-IPAllowListEntry and Remove-IPAllowListEntry.

Obviously Get shows you the current list. Add obviously adds and Remove removes; Remove does this based on the identity of the entry, which is an automatically incrementing number assigned when an entry is created.
Format for Add is
Add-IPAllowListEntry -IPRange <IPRange> [-ExpirationTime <DateTime>]

Or
Add-IPAllowListEntry -IPAddress <IPAddress> [-ExpirationTime <DateTime>]

The expiration time is optional on each entry, and the format for -IPRange is either CIDR notation or an IP range of the form x.x.x.x-x.x.x.x.
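A worked run of the three cmdlets, as an added example (not the post's own commands): add a time-boxed range and a single host, list the result, then remove one entry by the identity Exchange assigned to it. It assumes an Exchange 2007 EMS session on the server running the Connection Filtering agent; the addresses are from documentation ranges and the comments are placeholders.

```powershell
# Added example (not from the original post). Addresses and comments are placeholders.

# Time-box the allowance so a temporary relay does not become a permanent bypass.
Add-IPAllowListEntry -IPRange '192.0.2.0/24' -ExpirationTime (Get-Date).AddDays(30) -Comment 'Partner relay, change ticket PLACEHOLDER'
Add-IPAllowListEntry -IPAddress '198.51.100.25' -Comment 'Monitoring host'

# What is currently allowed, with the identity you need for Remove.
Get-IPAllowListEntry | Format-Table Identity, IPRange, ExpirationTime, Comment -AutoSize

# The identity is assigned at creation time, so look it up instead of guessing it.
$entry = Get-IPAllowListEntry -IPAddress '198.51.100.25'
if ($entry) { Remove-IPAllowListEntry -Identity $entry.Identity -Confirm:$false }

# Allow-list entries bypass connection filtering, so review anything that never
# expires (Exchange reports no expiry as the maximum DateTime value).
Get-IPAllowListEntry |
    Where-Object { $_.ExpirationTime -gt (Get-Date).AddYears(1) } |
    Format-Table Identity, IPRange, ExpirationTime, Comment -AutoSize
```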
Hope this helps those of you that need to make these changes.

Client Access Server – Pt1
https://blogs.perficient.com/2006/12/21/client-access-server-pt1/
Thu, 21 Dec 2006 17:03:00 +0000 (originally http://blogs.pointbridge.com/Blogs/steele_aaron/Pages/Post.aspx?_ID=2)

The CAS server role in Exchange 2007 takes over some of the services previously done by a Front-End server in Exchange 2003.
Microsoft help describes the CAS as "Client Access Server This is the middle-tier server that hosts the client protocols, such as Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), Secure Hypertext Transfer Protocol (HTTPS), Outlook Anywhere, Availability service, and Autodiscover service. The Client Access Server also hosts Web services."

Some of these "services" are just new names for old tricks; some of them are new to us all. Within OWA there is now the "Direct File Access" feature, Outlook Anywhere replaces RPC over HTTP, and Autodiscover configures Outlook 2007 and mobile clients for us.

In this blog, and future blogs on the subject, I will discuss the new features provided, with an eye towards the best of the best. Our clients likely will be very interested in things like Direct File Access and the new features of ActiveSync.

The Client Access Role is similar to the role a Front-End server would play in an Exchange 2000/2003 organization. The Client Access server is the server that users connect to with their mail client, mobile device, or web browser. The Client Access server handles all connections whether they come from an application such as Outlook 2003 or 2007, Outlook Express, or any other MAPI, POP3 or IMAP4 client. The Client Access server also handles connections made from mobile devices such as a Windows Mobile 5 Smartphone, or any other device using Exchange ActiveSync. Exchange ActiveSync in Exchange 2007 supports all devices with PocketPC 2002/2003 and Windows Mobile 5.

This role also provides Outlook Web Access (OWA). OWA allows a user to access his or her mailbox from a web browser and have full access to all the information in the mailbox, including task lists, calendar information, mail items and public folders. One of the hot new functions of OWA is SharePoint and UNC access. Now users can access UNC shares (\\servername\share) and SharePoint document libraries, reducing the need for complex VPN configurations.

The CAS can also hold the OAB for download, if you implement a public-folder-free OAB solution. It accomplishes this through the FDS (File Distribution Service). The OAB is generated and then copied to the CAS server on a 480-minute interval (default).

The process is as follows:
1. The OAB Generation Server generates a Version 4 Offline Address List.
2. At the end of the generation the files reside in the System Attendant Mailbox, as this is the master location. The files are then copied from the System Attendant Mailbox to the local distribution share on the OAB Generation Server.
3. At this point the files can be downloaded from the OAB Generation Server by an Outlook client.
4. A notification is sent to the FDS service on the Client Access Server that there are files to be replicated.
5. The FDS then starts replication of the files to the remote distribution points, wherever they may be.

When an Offline Address List has been successfully replicated you will see the below in the event log on the CAS.

Event Type: Information
Event Source: MSExchangeFDS
Event Category: FileReplication
Event ID: 1008
Date: XXX
Time: XXX
User: N/A
Computer: XXX
Description:
Process MSExchangeFDS.exe (PID=620). Offline Address Book data synchronization task has completed successfully. OAB name: "Test", Guid: 1fd83cb9-8887-4bbd-83f2-59c8a5ab29a4
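To drive that process by hand and confirm it with the event above, here is an added example (not from the original post): inspect how the OAB is distributed, force generation and FDS replication instead of waiting for the 480-minute interval, and then look for event 1008 on the CAS. It assumes an Exchange 2007 EMS session and PowerShell 2.0 or later for the `Get-EventLog` parameters used; the OAB and server names are placeholders.

```powershell
# Added example (not from the original post). OAB and server names are placeholders.
$oabName   = 'Default Offline Address Book'
$casServer = 'CAS01'

# How is the OAB distributed today? Web distribution is what the CAS/FDS path needs.
Get-OfflineAddressBook -Identity $oabName |
    Format-List Name, Server, Versions, WebDistributionEnabled, PublicFolderDistributionEnabled, VirtualDirectories, Schedule

# Step 1-2 of the process: regenerate on the OAB server.
Update-OfflineAddressBook -Identity $oabName

# Step 4-5: tell the FDS on the CAS to poll and replicate now.
Update-FileDistributionService -Identity $casServer -Type OAB

function Get-OabSyncEvents {
    # Event 1008 from MSExchangeFDS is the "synchronization task has completed successfully" entry.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Hours = 1)
    Get-EventLog -LogName Application -ComputerName $ComputerName -Source 'MSExchangeFDS' -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.EventID -eq 1008 } |
        Select-Object TimeGenerated, EventID, Message
}

# Replication is not instantaneous; if nothing shows, widen the window or re-run later.
Get-OabSyncEvents -ComputerName $casServer -Hours 2 | Format-List
```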

The link http://www.microsoft.com/technet/prodtechnol/exchange/e2k7help/481ed6ca-674b-46d3-ae8a-375819bcc780.mspx?mfr=true has a great set of content on the individual tasks related to managing a CAS.

A custom Content Type Feature for Office 2007:
https://blogs.perficient.com/2006/10/02/a-custom-content-type-feature-for-office-2007/
Mon, 02 Oct 2006 18:21:00 +0000 (originally http://blogs.pointbridge.com/Blogs/PointBridge/Pages/Post.aspx?_ID=151)

Custom Content Types:

As described in a previous blog titled “Office 2007 Features” the new way to create and deploy custom types and code in Office 2007 Server is to use Features. This blog describes how to build a custom Content Type and its deployment as a feature. The feature adds an additional item to the toolbar’s Action Menu.

A feature is defined as a logical collection of items and methods and is considered the modular building block for Office 2007. It is comprised of one or more XML files, each with a specific role in the structure or makeup of the feature.

Step 1. Create PBC Custom Menu feature.

The custom feature will be created using Visual Studio 2005 but the technique can be implemented in many other technologies including the old reliable NotePad technology.

  • Open up VS2005 and create a new Class Library project called SPSFeatures.
  • Create a folder structure in the Solution Explorer as follows:

      Features          (root folder)
        PBCMenu         (this is the name of the Feature)

  • In the PBCMenu folder, add an .xml file called Feature.xml (this name is a system requirement).
  • To enable IntelliSense in the XML, add a Schema reference in the page properties:

      C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\XML\wss12.xsd

  • Add this code to Feature.xml where:

    Id: A new GUID generated with Tools > Create GUID (in registry format).

    ElementManifest/Location: The relative path to the second .xml file generated below.

    <Feature Id="626BEB89-5A13-46f5-A2A2-0790E85FE66A"
             Title="PBC Custom Menu"
             Description="Custom menu by PointBridge Solutions LLC"
             Version="1.0.0.1"
             Scope="Site"
             Hidden="FALSE"
             DefaultResourceFile="core"
             xmlns="http://schemas.microsoft.com/sharepoint/">
      <ElementManifests>
        <ElementManifest Location="PBCMenuElements.xml" />
      </ElementManifests>
    </Feature>

The Feature file lists all the components to be used either directly or using the ElementManifest element.

  • Add another file to the PBCMenu folder called PBCMenuElements.xml (or a name of your choosing, editing the Feature.xml ElementManifest element appropriately).

Again add a reference to the wss12.xsd schema file through the page’s Schema property.

  • Add the following to PBCMenuElements.xml where:

    GroupId: SiteActions is the system name for the target menu.

    Location: Menu library reference.

    Sequence: Position in the dropdown.

    UrlAction: Target page of the new menu item.

    <Elements xmlns="http://schemas.microsoft.com/sharepoint/">
      <CustomAction Id="PointBridge.ActionMenu"
                    GroupId="SiteActions"
                    Location="Microsoft.SharePoint.StandardMenu"
                    Sequence="1000"
                    Title="PointBridge Custom Action Menu">
        <UrlAction Url="PBCMenu.aspx"/>
      </CustomAction>
      <Module Name="SamplePage" Url="" Path="">
        <File Url="PBCMenu.aspx" />
      </Module>
    </Elements>

The Module element specifies the page for the UrlAction element.

Create this page, PBCMenu.aspx, and add the following content:

    <%@ Page Language="C#" Inherits="System.Web.UI.Page" %>
    <%
        Response.Write("<p align='center'>This is a PointBridge hello world test page!!!!</p>");
    %>

This is a very simple page. To build a page that uses the default.master page copy the contents from a standard page from _layouts directory.

Step 2. Install the custom menu feature.

  • Copy the folders under Features from the project directory and paste them into:

      C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\FEATURES

It is best to do this from the command prompt to avoid any folder permissions problems.

The PBCMenu folder is also the name of the feature.

  • Install the feature using StsAdm.exe (the -filename path is relative to the FEATURES folder):

      "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\STSADM.exe" -o installfeature -filename PBCMenu\Feature.xml -force

  • Reset the web server: IISReset from the command prompt (not required for the initial installation).
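Step 2 as a repeatable script, added here as an example and not part of the original post: copy the feature folder into the 12 hive, install it, activate it on a site collection (the scripted equivalent of the Features Settings page, since the feature's Scope is "Site") and recycle IIS. It assumes it is run as a farm administrator on the web front end; the project output folder and the site URL are placeholders.

```powershell
# Added example (not from the original post). Project folder and site URL are placeholders.
$hive    = 'C:\Program Files\Common Files\Microsoft Shared\web server extensions\12'
$stsadm  = Join-Path $hive 'BIN\STSADM.exe'
$featDir = Join-Path $hive 'TEMPLATE\FEATURES'
$source  = 'C:\Projects\SPSFeatures\Features\PBCMenu'   # placeholder: feature folder from the VS project
$siteUrl = 'http://intranet'                             # placeholder: site collection to activate on
$feature = 'PBCMenu'                                     # folder name doubles as the feature name

# Copy the feature folder into the hive (running elevated avoids the folder-permission problems the post mentions).
Copy-Item -Path $source -Destination (Join-Path $featDir $feature) -Recurse -Force

# Register Feature.xml with the farm; -force permits re-installing after edits.
& $stsadm -o installfeature -filename "$feature\Feature.xml" -force
if ($LASTEXITCODE -ne 0) { throw "installfeature failed with exit code $LASTEXITCODE" }

# Activate on the site collection (Scope="Site" in Feature.xml).
& $stsadm -o activatefeature -filename "$feature\Feature.xml" -url $siteUrl -force
if ($LASTEXITCODE -ne 0) { throw "activatefeature failed with exit code $LASTEXITCODE" }

# Reload the feature definitions; needed when re-installing an already installed feature.
iisreset
```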

The feature can now be activated in the Features Settings page (see Figure 1).

Test the feature by returning to the home page and opening the Action menu to see the new item (see Figure 2).

In the next blog I will be building a custom document library and also provide a download link for the code mentioned above.

Figure 1 – Activating a newly installed feature

Figure 2 – Custom Action menu in... action

Exchange 2003 User Email Quotas based on Mail Stores:
https://blogs.perficient.com/2006/10/02/exchange-2003-user-email-quotas-based-on-mail-stores/
Mon, 02 Oct 2006 15:04:00 +0000 (originally http://blogs.pointbridge.com/Blogs/greve_david/Pages/Post.aspx?_ID=7)

When you first install Microsoft Exchange Server, users have unlimited storage quotas by default. This presents several risks to the users on the same Exchange server. To prevent these risks, consider setting a business policy on mailbox storage limits, based on user needs, departments, and position. Here are some of the identified risks:

Risks:

· Application errors and/or poor performance due to over utilized disk sub-system

· Application Failure as a result of low percentage of available free disk space

· Local Outlook client performance problems due to inflated mailbox sizes

· Recovery time efforts are extended

· Client side search abilities become more difficult due to an inflated local PST and/ or OST

Considerations:

· Create a mail store structure which includes different types of users (i.e. Basic, Standard, Extended, or Extreme users).

· Create multiple mail stores and define different quotas for each mail store based on the types of users homed to that mail store (See point before this one)

· Create Quota Policies with these considerations:

o Issue Warning: When a user’s mailbox reaches a specified size, they are notified that they are over their quota. In Microsoft Outlook 2002 and later, users can run the Mailbox Cleanup Wizard (available from the Tools menu) to help clean out their mailboxes.

o Prohibit Send: When a user’s mailbox reaches a specified size, that user no longer can send mail.

o Prohibit send and receive: When a user’s mailbox reaches a specified size, that user no longer can send or receive mail. Other users who send mail to that user are notified that their message could not be delivered.

· Educate users on the best ways to maintain an organized mailbox and avoid using it as file storage (maintaining Deleted and Sent Items will go a long way).

· Find other means to send large attachments or cleanup mail items that contain large attachments.
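Before setting the three thresholds it helps to know how many mailboxes in each store would already trip them. The following is an added example, not from the original post: it reads mailbox sizes through the `Exchange_Mailbox` WMI class that Exchange 2003 exposes (the product predates PowerShell, so this runs from a management workstation against the server) and reports which quota state each mailbox would be in under a per-store tier. The server name, store names and tier values are placeholders; sizes are in KB because that is the unit the class returns.

```powershell
# Added example (not from the original post). Server, store names and tier values are placeholders.
$server = 'EXCH01'

# Store name -> Issue Warning / Prohibit Send / Prohibit Send and Receive thresholds (KB).
$tiers = @{
    'Basic Users'    = @{ Warn = 100MB/1KB; NoSend = 120MB/1KB; NoSendReceive = 150MB/1KB }
    'Standard Users' = @{ Warn = 250MB/1KB; NoSend = 300MB/1KB; NoSendReceive = 350MB/1KB }
    'Extended Users' = @{ Warn = 500MB/1KB; NoSend = 600MB/1KB; NoSendReceive = 700MB/1KB }
}

function Get-QuotaState {
    # Maps a mailbox size onto the three quota actions the post describes.
    param([double]$SizeKB, [hashtable]$Tier)
    if     ($SizeKB -ge $Tier.NoSendReceive) { 'Prohibit send and receive' }
    elseif ($SizeKB -ge $Tier.NoSend)        { 'Prohibit send' }
    elseif ($SizeKB -ge $Tier.Warn)          { 'Issue warning' }
    else                                     { 'Below quota' }
}

Get-WmiObject -Namespace 'root\MicrosoftExchangeV2' -Class Exchange_Mailbox -ComputerName $server |
    ForEach-Object {
        $tier = $tiers[$_.StoreName]
        if (-not $tier) { return }          # store has no tier defined; skip it
        [pscustomobject]@{
            Mailbox = $_.MailboxDisplayName
            Store   = $_.StoreName
            SizeMB  = [math]::Round($_.Size / 1KB, 1)
            State   = Get-QuotaState -SizeKB $_.Size -Tier $tier
        }
    } |
    Where-Object { $_.State -ne 'Below quota' } |
    Sort-Object SizeMB -Descending |
    Format-Table -AutoSize
```

Running this before you apply the limits tells you how many users will land in "Prohibit send" on day one, which is the number the user-education bullet above has to be sized for.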

Windows Vista RC1 Impressions
https://blogs.perficient.com/2006/10/01/windows-vista-rc1-impressions/
Sun, 01 Oct 2006 15:33:00 +0000 (originally http://blogs.pointbridge.com/Blogs/PointBridge/Pages/Post.aspx?_ID=123)

As everyone knows, Windows Vista is the next generation client operating system for both the business and home computing environments. It has a long checkered history of feature cuts, delays, and both good and bad press. I don’t think people realize what a major re-write of the operating system Vista is.

For example, the following subsystems have massive changes:

1. Network stack – Totally brand new with integrated IPv6 and SMBv2, with many performance enhancements for WAN connections.

2. Graphics- Totally new engine, called the Windows Desktop Manager (WDM) which enables Aero glass, and other features. Video drivers are now re-startable should they crash, among other improvements.

3. Security – Huge laundry list of security improvements, including User Account Control (UAC) which only elevates your rights when required, otherwise you run without Administrator rights. The list of improvements here is very long and well covered on the internet.

4. Audio- Totally re-written subsystem that now allows per-application volume controls.

5. Kernel – Numerous improvements in security, performance, and stability.

6. IE 7 Protected Mode – IE 7 runs in a protected mode in which it has extremely few rights, even less than a normal user. It can only write to a couple of directories, and is otherwise barred from accessing the system. This should be a major step forward in preventing spyware.

Shortly after beta 2 was released this summer, I installed it on my home PC. I didn’t want to chance it with my production laptop that I depend on heavily for my job. My home PC only has 512MB of RAM, so I knew it would be slow. I ran the Vista compatibility wizard and it found that my old video card would not support Aero. Since Aero was a major enhancement in the user interface, I ran out to my nearest computer store and picked up a cheapo card that would support Aero. The card set me back about $75.

After I got Vista installed, I realized beta 2 was very bloated! A clean boot took almost 800MB of memory. Doing anything, even opening an IE session, was paaaiiinnnffffuuuulllllyyyyyyy sllllooooooowwwwwwwww. Stability-wise I didn’t have any crashes, although I had several power-related issues (sleeping, hibernation, monitor sleeping, etc.). I also had several application compatibility issues.

The day after Release Candidate 1 came out I did an upgrade on my home PC. The upgrade took well over two hours, but in the end it was well worth it. Memory usage on a clean boot was just over 300MB, a 500MB decrease! Applications were snappy, and performance seemed pretty on par with XP.

After running a week on RC1 and using it daily, I decided to take the plunge and reload my production Dell D810. I did a fresh install of RC1, loaded Office 2007 Beta 2 (TR hadn’t come out yet). Amazingly, Vista picked up *ALL* my hardware including the wireless card. No need to install additional drivers. I did go to the ATI site and download the latest video drivers, so I could get enhanced performance and more control options over the card.

After running RC1 for several weeks on my home PC and my laptop, I must say over all I’m quite impressed. Overall, I think this will be a killer operating system. That’s not to say there aren’t problems. I submitted nearly 100 problem reports and usability suggestions to MS via their beta client feedback tool.

Problems I’ve found relate to power issues (monitor sleeping, slow hibernation, etc.), application compatibility (Nero 7.x won’t install), and a laundry list of GUI fit-and-finish issues. I’ve also found several reproducible bugs relating to the Remote Desktop Client, Live Messenger and other programs. Hopefully Microsoft can squash most of these bugs before RTM.

I think for the computing industry in general, Vista will be a major step forward. In terms of security alone, it leaves XP in the dust. That’s not to say there won’t be critical patches, buffer overflows, or other problems. But Microsoft has incorporated many layers of defence that when added together, provide the potential for a much more secure environment.

For our corporate customers that place a high value on client computer security, Vista will provide a compelling story. Additional group policy control also gives the IT department more control over the client environment.

You might also find it surprising that Longhorn Server and Vista share the same code base. Longhorn server isn’t due to be released until late 2007, which is a significant period after Vista ships. Microsoft has stated that their intent is to ship a service pack for Vista which will bring the changes made to the codebase post-Vista RTM that made it into Longhorn server.

Bottom line is that I would recommend installing RC1 and starting to get hands-on time with Vista. It’s such a major departure from previous client OS releases that it will take time to wrap your brain around all of the new features. Any time that you put into learning Vista should also translate to Longhorn Server, since they will share a common code base.

Reporting on potential conflicting accounts before migration
https://blogs.perficient.com/2006/09/30/reporting-on-potential-conflicting-accounts-before-migration/
Sat, 30 Sep 2006 15:15:00 +0000 (originally http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=7)

Let’s say you’re consolidating your Active Directory domains or merging with another company’s AD environment and you want to know if it’s possible to keep their same login IDs, etc. Sometimes it’s useful to know ahead of time whether or not this is possible. Some migration tools have mechanisms included to test for this, but if you cannot afford such tools and have to use cheaper (free) means the following script might help.

The input file is a spreadsheet with the desired information of the users you wish to migrate. In this example the header line starts on A3 and contains the sAMAccountName, displayName and mail attributes of the users.

    sAMAccountName    displayName    mail
    jdoe              John Doe       jdoe@contoso.com
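The same three-way comparison (sAMAccountName, displayName and SMTP address against the target domain) as a PowerShell function, added here as an example and not part of the original post. It indexes the directory once instead of re-walking the recordset per spreadsheet row, compares case-insensitively (AD logon names and SMTP addresses are not case-sensitive), and ships with constructed sample records so the matching can be exercised before it is pointed at a real domain. The LDAP search base, file paths and sample records are placeholders.

```powershell
# Added example (not from the original post). Search base, paths and sample data are placeholders.

function Get-ExistingAccounts {
    # Pull the compared attributes from the target domain through ADSI (no RSAT needed).
    param([string]$SearchBase = 'LDAP://dc=contoso,dc=com')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]$SearchBase,
        '(&(objectCategory=person)(proxyAddresses=*))',
        @('sAMAccountName', 'displayName', 'proxyAddresses', 'distinguishedName'))
    $searcher.PageSize = 1000    # server-side paging gets past the 1,000-object limit
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            sAMAccountName    = [string]$r.Properties['samaccountname'][0]
            displayName       = [string]$r.Properties['displayname'][0]
            proxyAddresses    = @($r.Properties['proxyaddresses'])
            distinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function Find-AccountConflicts {
    param(
        [Parameter(Mandatory)][object[]]$Candidates,   # rows with sAMAccountName, displayName, mail
        [Parameter(Mandatory)][object[]]$Existing      # objects shaped like Get-ExistingAccounts output
    )
    # Build lookup tables once; keys are lower-cased for case-insensitive matching.
    $bySam = @{}; $byName = @{}; $byMail = @{}
    foreach ($e in $Existing) {
        if ($e.sAMAccountName) { $bySam[$e.sAMAccountName.ToLower()] = $e.distinguishedName }
        if ($e.displayName)    { $byName[$e.displayName.ToLower()]   = $e.distinguishedName }
        foreach ($p in $e.proxyAddresses) {
            # proxyAddresses entries look like 'SMTP:jdoe@contoso.com' (primary) or 'smtp:...' (secondary).
            if ($p -match '^smtp:(.+)$') { $byMail[$Matches[1].ToLower()] = $e.distinguishedName }
        }
    }
    foreach ($c in $Candidates) {
        foreach ($field in 'sAMAccountName', 'displayName', 'mail') {
            if (-not $c.$field) { throw "Missing $field in candidate row '$($c.sAMAccountName)'; populate all fields" }
        }
        $checks = @(
            @{ Field = 'sAMAccountName'; Table = $bySam;  Key = $c.sAMAccountName.ToLower() },
            @{ Field = 'displayName';    Table = $byName; Key = $c.displayName.ToLower() },
            @{ Field = 'mail';           Table = $byMail; Key = $c.mail.ToLower() }
        )
        foreach ($k in $checks) {
            if ($k.Table.ContainsKey($k.Key)) {
                [pscustomobject]@{
                    Candidate  = $c.sAMAccountName
                    Field      = $k.Field
                    Value      = $c.$($k.Field)
                    ExistingDN = $k.Table[$k.Key]
                }
            }
        }
    }
}

# Constructed sample data so the matching runs without a domain.
$existing = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';   displayName = 'John Doe';  proxyAddresses = @('SMTP:jdoe@contoso.com');                          distinguishedName = 'CN=John Doe,OU=Users,DC=contoso,DC=com' }
    [pscustomobject]@{ sAMAccountName = 'asmith'; displayName = 'Ann Smith'; proxyAddresses = @('SMTP:asmith@contoso.com', 'smtp:ann@contoso.com'); distinguishedName = 'CN=Ann Smith,OU=Users,DC=contoso,DC=com' }
)
$candidates = @(
    [pscustomobject]@{ sAMAccountName = 'JDoe';   displayName = 'Jonathan Doe'; mail = 'jon.doe@fabrikam.com' }
    [pscustomobject]@{ sAMAccountName = 'bjones'; displayName = 'Bob Jones';    mail = 'ann@contoso.com' }
)
# Expected: JDoe conflicts on sAMAccountName (case-insensitive), bjones on mail (secondary address).
Find-AccountConflicts -Candidates $candidates -Existing $existing | Format-Table -AutoSize

# Against a real domain: export the spreadsheet to CSV (the VBScript reads the .xls directly) and log the hits.
# Find-AccountConflicts -Candidates (Import-Csv 'D:\migration\findDuplicates.csv') -Existing (Get-ExistingAccounts) |
#     Export-Csv 'D:\migration\findDuplicates.log' -NoTypeInformation
```

Matching secondary `smtp:` addresses as well as the primary one matters for a merge: the address a user will need after migration may already exist as someone else's alias, which a check on the `mail` attribute alone would not catch.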

Option Explicit
On Error Resume Next
Dim objExcel, objSheet, objFile, objFSO, objUser, objDIC
Dim objConnection, objCommand, objRecordSet

' Strings declared :
Dim strNTSam, strPathExcel, strDisplayName, strMail, strProxyAddr, strUser
Dim LogFile, flag, arrProxyAddresses, email

' Integers declared :
Dim intNumusers, intRow, intCol, intMatch

' Path to migration spreadsheet
' You may change the name and path of this spreadsheet file in the following line
strPathExcel = "D:\migration\findDuplicates.xls"

' Create log file
' You may change the name and path of this log file in the following line
LogFile = "D:\migration\findDuplicates.log"
Const ForWriting = 2
Const ForAppending = 8
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(LogFile) Then
    Set objFile = objFSO.OpenTextFile(LogFile, ForAppending)
    objFile.WriteLine
    objFile.WriteLine "Beginning search session " & Now
Else
    Set objFile = objFSO.CreateTextFile(LogFile)
    objFile.Close
    Set objFile = objFSO.OpenTextFile(LogFile, ForWriting)
    objFile.WriteLine "Beginning search session " & Now
End If

' Connect to spreadsheet where users are stored
Set objExcel = CreateObject("Excel.Application")

' Open the spreadsheet (error handling section).
On Error Resume Next
Err.Clear
objExcel.Workbooks.Open strPathExcel
objExcel.Visible = True
If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    WScript.Echo "Edit the path to YOUR spreadsheet " & strPathExcel
    WScript.Quit
End If
On Error GoTo 0
Set objSheet = objExcel.ActiveWorkbook.Worksheets(1)

' Create ADODB Connection
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' LDAP query information: <base>;<filter>;<attributes>;<scope>, one string continued across lines
objCommand.CommandText = _
    "<LDAP://dc=contoso,dc=com>;(&(objectCategory=person)(proxyAddresses=*));" & _
    "AdsPath,proxyAddresses,displayName,samAccountName,distinguishedName,mail;subtree"

' Enable paged results so the query is not capped at 1,000 user objects
objCommand.Properties("Page Size") = 100000

' Execute the search
Set objRecordSet = objCommand.Execute

' Initialize variables (data starts on row 4, below the header on row 3)
intRow = 4
intMatch = 0

' Loop through the spreadsheet until there are no more records
Do
    flag = ""
    strNTSam = Trim(objSheet.Cells(intRow, 1).Value)
    strDisplayName = Trim(objSheet.Cells(intRow, 2).Value)
    strMail = Trim(objSheet.Cells(intRow, 3).Value)
    WScript.Echo "Trying to find a match on…"
    WScript.Echo
    WScript.Echo "samAccountName: " & strNTSam
    WScript.Echo "displayName: " & strDisplayName
    WScript.Echo "email address: " & strMail
    WScript.Echo
    ' Check for any missing fields (cleanup is a Sub defined later in the script, outside this excerpt)
    If strNTSam = "" Then
        WScript.Echo "Missing samAccountName in spreadsheet. Please populate all fields and execute script again."
        WScript.Echo
        cleanup
        WScript.Quit
    ElseIf strDisplayName = "" Then
        WScript.Echo "Missing displayName in spreadsheet. Please populate all fields and execute script again."
        WScript.Echo
        cleanup
        WScript.Quit
    ElseIf strMail = "" Then
        WScript.Echo "Missing email address in spreadsheet. Please populate all fields and execute script again."
        WScript.Echo
        cleanup
        WScript.Quit
    End If
    ' This is where we start comparing the values in the spreadsheet with those found in AD to see if there are
    ' any matches on the fields we're interested in. If there are matches, they are written to the logfile and
    ' are displayed on the screen.
    ' Rewind the AD recordset for every spreadsheet row; without this only the first row is ever compared.
    objRecordSet.MoveFirst
    While Not objRecordSet.EOF
        ' Check for duplicate samAccountName
        If strNTSam = objRecordSet.Fields("samAccountName") Then
            objFile.WriteLine "Found matching samAccountName in AD: " & strNTSam & ";" & objRecordSet.Fields("distinguishedName")
            WScript.Echo "Found matching samAccountName in AD: " & strNTSam
            'objFile.WriteLine "DN of matching object: " & objRecordSet.Fields("distinguishedName")
            WScript.Echo "DN of matching object: " & objRecordSet.Fields("distinguishedName")
            WScript.Echo
            intMatch = intMatch + 1
            flag = "Found match"
        End If
        ' Check for duplicate displayName
        If strDisplayName = objRecordSet.Fields("displayName") Then
            objFile.WriteLine "Found matching display name in AD: " & strDisplayName & ";" & objRecordSet.Fields("distinguishedName")
            WScript.Echo "Found matching display name in AD: " & strDisplayName
            'objFile.WriteLine "DN of matching object: " & objRecordSet.Fields("distinguishedName")
            WScript.Echo "DN of matching object: " & objRecordSet.Fields("distinguishedName")
            WScript.Echo
            intMatch = intMatch + 1
            flag = "Found match"
        End If
        objRecordSet.MoveNext
    Wend
    ' Check for duplicate email address
    Dim rootDSE, domainContainer, conn, LDAPStr, rs, oPerson

    Set rootDSE = GetObject("LDAP://RootDSE")
    domainContainer = rootDSE.Get("defaultNamingContext")
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADSDSOObject"
    conn.Open "ADs Provider"
    email = "smtp:" & strMail
LDAPStr = "<LDAP://" & DomainContainer & ">;(&(objectCategory=person)(proxyAddresses=" & email & "));adspath,distinguishedName;subtree"
Set rs = conn.Execute(LDAPStr)
If rs.RecordCount = 1 Then
Set oPerson = GetObject(rs.Fields(0).Value)
objfile.writeline "Found matching email address in AD: " & strMail&";"& objRecordSet.Fields("distinguishedName")
WScript.Echo "Found matching email address in AD: " & strMail
objfile.writeline "DN of matching object: " & rs.Fields("distinguishedName")
WScript.Echo "DN of matching object: " & rs.Fields("distinguishedName")
WScript.Echo
intMatch=intMatch+1
flag="Found match"
End If

‘ If no matches are found for any of the search criteria, echo no matches found to the screen
If flag = "" Then
WScript.Echo "No matches found for samAccountName: "& strNTSam
WScript.Echo "No matches found for displayName: "& strDisplayName
WScript.Echo "No matches found for email address: "& strMail
WScript.Echo
End If

‘ Move to the first record of the AD search and continue the search with the next user
objRecordset.MoveFirst

‘ Increment to next user in the spreadsheet.
intRow = intRow + 1
intNumusers = intNumusers + 1

Loop Until objSheet.Cells(intRow, 1).Value = ""

‘ Summarize results of search
WScript.Echo "There were " & intMatch & " matching records out of " & intNumusers & " users in the spreadsheet."
WScript.Echo
WScript.Echo "End of search session. Please review " & LogFile & " for details."
WScript.Echo
objfile.writeline
objfile.writeline "There were " & intMatch & " matching records out of " & intNumusers & " users in the spreadsheet."
objfile.writeline "End of search session " & Now
objfile.WriteLine

‘ Clean up and quit
CleanUp
WScript.Quit

‘ Clean up
Sub CleanUp
intRow=0
intMatch=0
intNumusers=0
flag=""
objExcel.ActiveWorkbook.Close
objExcel.Application.Quit
objConnection.Close
objFile.Close
End Sub
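The same conflict report in PowerShell, added here as an example that is not part of the original post. It does the three checks from the script above (samAccountName, displayName and SMTP proxy address) with one LDAP query per spreadsheet row instead of walking every AD object for every row, and it escapes the spreadsheet values before they go into the filter, so a cell containing * or ( cannot widen the search. Assumptions: Windows PowerShell 5.1 on a domain-joined machine, a CSV with the columns samAccountName, displayName and mail, and placeholder file paths.

```powershell
# Added example (not from the original post): report AD objects that would collide with the
# samAccountName, displayName or SMTP address of each user in a migration list.
# Assumptions: Windows PowerShell 5.1 on a domain-joined host; CSV columns samAccountName,
# displayName, mail. File paths are placeholders.
param(
    [string]$CsvPath = 'C:\migration\users.csv',
    [string]$LogPath = 'C:\migration\conflicts.log'
)

# Escape the characters RFC 4515 gives special meaning inside an LDAP filter value.
# Without this a cell containing "*" matches every object in the directory.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Find-AccountConflict {
    param([Parameter(Mandatory)][string]$CsvPath)

    # DirectorySearcher with no SearchRoot searches the current user's domain from its root
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.PageSize = 1000      # enable paging; AD returns at most MaxPageSize objects per page
    [void]$searcher.PropertiesToLoad.AddRange(@('samAccountName', 'displayName', 'proxyAddresses', 'distinguishedName'))

    foreach ($row in Import-Csv -LiteralPath $CsvPath) {
        foreach ($col in 'samAccountName', 'displayName', 'mail') {
            if ([string]::IsNullOrWhiteSpace($row.$col)) {
                throw "Row for '$($row.samAccountName)' is missing '$col'; populate every column and rerun."
            }
        }
        $sam   = $row.samAccountName.Trim()
        $dname = $row.displayName.Trim()
        $smtp  = 'smtp:' + $row.mail.Trim()

        # One query per row: any person object that collides on any of the three attributes.
        $searcher.Filter = '(&(objectCategory=person)(|(samAccountName={0})(displayName={1})(proxyAddresses={2})))' -f `
            (ConvertTo-LdapFilterValue $sam), (ConvertTo-LdapFilterValue $dname), (ConvertTo-LdapFilterValue $smtp)

        $hits = $searcher.FindAll()
        try {
            foreach ($hit in $hits) {
                $p = $hit.Properties
                $reasons = @()
                if ($p['samaccountname'] -and $p['samaccountname'][0] -ieq $sam)   { $reasons += 'samAccountName' }
                if ($p['displayname']    -and $p['displayname'][0]    -ieq $dname) { $reasons += 'displayName' }
                if ($p['proxyaddresses'] -and ($p['proxyaddresses'] -icontains $smtp)) { $reasons += 'email' }
                [pscustomobject]@{
                    Input             = $sam
                    MatchedOn         = ($reasons -join ',')
                    DistinguishedName = $p['distinguishedname'][0]
                }
            }
        } finally {
            $hits.Dispose()
        }
    }
}

$conflicts = @(Find-AccountConflict -CsvPath $CsvPath)
$conflicts | Tee-Object -FilePath $LogPath | Format-Table -AutoSize
"$($conflicts.Count) conflicting objects found; see $LogPath"
```

The server-side OR filter does the matching, so the run time scales with the number of rows in the spreadsheet rather than rows times directory size; the client-side checks afterwards only decide which attribute produced the hit, which the LDAP result does not tell you.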

]]>
Rename home directories https://blogs.perficient.com/2006/09/30/rename-home-directories/ https://blogs.perficient.com/2006/09/30/rename-home-directories/#respond Sat, 30 Sep 2006 15:14:00 +0000 http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=6

Let’s say that, as part of a migration, you are changing login IDs for everyone but want to keep using the %USERNAME% variable to map home drives and so on. Here’s an easy way to rename the existing home directories without losing the rights assigned to them: a rename within the same volume keeps the folder’s NTFS permissions, so no ACL work is needed afterwards.

The input file is a CSV file with the old and new sAMAccountNames, one pair per line. Change the server and login info below. This assumes you are connecting from a different domain and want to use a Domain Admin account that has rights to the file server hosting the home directories. You could leave out the login info and just map a drive if you are already logged in with the appropriate permissions. That is also the safer choice: a password embedded in a script is readable by anyone who can read the script file, and the account doing the renames only needs rights to rename folders on the share, not Domain Admin.

Option Explicit
Dim arrTxtArray()
Dim oldnewDir
Dim SearchString
Dim objTextFile
Dim strNextLine
Dim intSize
Dim objFSO
Dim wshNet
Dim i
Dim newArray
Dim strOld, strNew
Const ForReading = 1

intSize = 0
oldnewDir = "E:\migration\homedirs.csv"   ' one line per user: oldSamAccountName,newSamAccountName
SearchString = ","

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set wshNet = CreateObject("WScript.Network")

' Map the share that holds the home directories. Change the server, share and credentials, or drop
' the last three arguments if you are already logged on with an account that has rights to the share.
On Error Resume Next
wshNet.MapNetworkDrive "S:", "\\server\users", False, "domain\username", "password"
On Error GoTo 0

If objFSO.FolderExists("S:\") Then
    WScript.Echo "S: drive mapped successfully."
    WScript.Echo " "

    ' Read the CSV, keeping only the lines that actually contain a separator
    Set objTextFile = objFSO.OpenTextFile(oldnewDir, ForReading)
    Do Until objTextFile.AtEndOfStream
        strNextLine = objTextFile.ReadLine
        If InStr(strNextLine, SearchString) > 0 Then
            ReDim Preserve arrTxtArray(intSize)
            arrTxtArray(intSize) = strNextLine
            intSize = intSize + 1
        End If
    Loop
    objTextFile.Close

    If intSize > 0 Then
        For i = LBound(arrTxtArray) To UBound(arrTxtArray)
            newArray = Split(arrTxtArray(i), ",")
            strOld = Trim(newArray(0))
            strNew = Trim(newArray(1))

            ' Check that the old directory exists and the new name is still free, then rename it.
            ' A rename on the same volume keeps the folder's NTFS permissions intact.
            If Not objFSO.FolderExists("S:\" & strOld) Then
                WScript.Echo "Old Directory Name Does Not Exist: " & strOld
            ElseIf objFSO.FolderExists("S:\" & strNew) Then
                WScript.Echo "New Directory Name Already Exists, Skipping: " & strNew
            Else
                WScript.Echo "Old Directory Name Exists: " & strOld
                On Error Resume Next
                objFSO.MoveFolder "S:\" & strOld, "S:\" & strNew
                If Err.Number <> 0 Then WScript.Echo "MoveFolder failed: " & Err.Description
                Err.Clear
                On Error GoTo 0
                If objFSO.FolderExists("S:\" & strNew) Then
                    WScript.Echo "Home Directory Name Change Successful For: " & strNew
                Else
                    WScript.Echo "Home Directory Name Change Unsuccessful For: " & strNew
                End If
            End If
            WScript.Echo " "
        Next
    End If
    WScript.Echo "All done!"
    WScript.Echo " "
Else
    WScript.Echo "S: drive did not map correctly. Check permissions or login ID and try again."
End If
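The same rename in PowerShell, added as an example that is not part of the original post. It prompts for the account instead of storing a password in the script, refuses folder names that could escape the share, skips a rename when the new name is already taken, and compares the folder’s security descriptor before and after to show that the ACL survives the rename. Assumptions: Windows PowerShell 5.1, a CSV with the columns OldName and NewName, and placeholder share and file paths.

```powershell
# Added example, not from the original post: rename home directories from a CSV of old/new logon
# names. Assumptions: Windows PowerShell 5.1; CSV columns OldName,NewName; the share, CSV path and
# drive name below are placeholders. Run with -WhatIf first to see what would be renamed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath = 'E:\migration\homedirs.csv',
    [string]$Share   = '\\server\users',
    [switch]$PromptForCredential   # prompt for the account instead of embedding a password in the script
)

function Rename-HomeDirectory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$OldName,
        [Parameter(Mandatory)][string]$NewName
    )
    # Only plain folder names are acceptable: a CSV row such as "..\..\x" must not walk off the share.
    foreach ($n in $OldName, $NewName) {
        if ($n -ne $n.Trim() -or $n -match '[\\/:*?"<>|]' -or $n -eq '.' -or $n -eq '..') {
            throw "Invalid folder name '$n'"
        }
    }
    $old = Join-Path $Root $OldName
    $new = Join-Path $Root $NewName
    $result = [ordered]@{ Old = $OldName; New = $NewName; Result = ''; AclUnchanged = $null }

    if (-not (Test-Path -LiteralPath $old -PathType Container)) {
        $result.Result = 'old folder missing'
    } elseif (Test-Path -LiteralPath $new) {
        $result.Result = 'new name already in use'
    } elseif ($PSCmdlet.ShouldProcess($old, "Rename to $NewName")) {
        $before = (Get-Acl -LiteralPath $old).Sddl
        Rename-Item -LiteralPath $old -NewName $NewName -ErrorAction Stop
        if (Test-Path -LiteralPath $new -PathType Container) {
            $result.Result = 'renamed'
            # A rename on the same volume keeps the folder's security descriptor; this makes that visible.
            $result.AclUnchanged = ((Get-Acl -LiteralPath $new).Sddl -eq $before)
        } else {
            $result.Result = 'rename failed'
        }
    } else {
        $result.Result = 'skipped (WhatIf)'
    }
    [pscustomobject]$result
}

# Map the share as a session-scoped drive, prompting for credentials only when asked to
$driveParams = @{ Name = 'HomeDirs'; PSProvider = 'FileSystem'; Root = $Share; ErrorAction = 'Stop' }
if ($PromptForCredential) {
    $driveParams.Credential = Get-Credential -Message "Account with rights to rename folders on $Share"
}
$null = New-PSDrive @driveParams
try {
    Import-Csv -LiteralPath $CsvPath |
        ForEach-Object { Rename-HomeDirectory -Root 'HomeDirs:\' -OldName $_.OldName -NewName $_.NewName } |
        Format-Table -AutoSize
} finally {
    Remove-PSDrive -Name HomeDirs
}
```

Run it once with -WhatIf to get a dry-run listing, then again without. A row whose new name is already present on the share is reported and left alone, which is the case the conflict report in the previous post exists to catch before you reach this step.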

]]>
Hello? Who’s Calling, Please? APTC https://blogs.perficient.com/2006/09/20/hello-whos-calling-please-aptc/ https://blogs.perficient.com/2006/09/20/hello-whos-calling-please-aptc/#respond Wed, 20 Sep 2006 17:44:00 +0000 http://blogs.pointbridge.com/Blogs/floraday_burt/Pages/Post.aspx?_ID=2

Summary: AllowPartiallyTrustedCallers is often a necessary assembly attribute if you are developing SharePoint applications. Read about this uncommon but powerful Code Access Security related attribute.

A quick look at the AllowPartiallyTrustedCallers attribute

One can write .NET code for a long time without bumping into the AllowPartiallyTrustedCallers (APTC) assembly-level attribute, but once encountered it is rarely forgotten. My introduction was while writing a Windows SharePoint Services 2003 webpart a few years ago, and I suspect most will encounter this attribute or more specifically the need to use this attribute when writing webparts – either for SharePoint or ASP.NET 2.0.

Background

Microsoft’s .NET Code Access Security (CAS) provides a very powerful and sophisticated set of mechanisms that allow developers and system administrators to control resource access by managed code. For a quick overview of CAS see my forthcoming blog; to access Microsoft’s documentation on CAS start here: CAS. Think of CAS settings as the analog of ACLs/ACEs for code as opposed to users. It’s not a perfect analogy but it’s close enough for present purposes. There are many means of limiting or allowing resource access using CAS. The bottom line is that if the code attempting to access a resource does not have the required permission, either inherently or through some external augmentation, a SecurityException is thrown and the code will not execute, and most likely will not even load. Figures 1 and 2 show the permission sets for two different types of assemblies. Those in the My Computer zone (Figure 1) have full trust. Those in the Local Intranet zone (Figure 2) have very restricted permissions, for example read-only access to only the USERNAME environment variable. CAS works like ACL/ACE permissions in one important respect: a permission that is not explicitly granted (or inherited) is implicitly denied.

Figure 1: permission set for the My Computer zone (full trust). Figure 2: permission set for the Local Intranet zone (restricted). Images not reproduced in this feed.

The Global Assembly Cache (GAC)

All assemblies in the GAC have Full Trust by default (the default could be modified by changes to machine.config, but that’s another story for another day). Full Trust means CAS imposes no restrictions at all; the only remaining limits are the Windows ACLs that apply to the identity the process runs as. A potential security problem exists if code outside the GAC, possessing limited permissions or sited in a non-trusted location, makes a call into a class contained in a GAC-installed assembly: potentially malicious code could indirectly gain access to resources. CAS handles this possibility by placing an implicit LinkDemand for Full Trust on every public member of a strong-named assembly (and every GAC-installed assembly must be strong-named), so externally calling code that is not fully trusted fails the demand at the point of the call. This addresses the security weakness but presents another problem. What if less than fully trusted code legitimately requires access to classes located in GAC-installed assemblies? Meet AllowPartiallyTrustedCallers.

The AllowPartiallyTrustedCallers Attribute

This attribute decorates an assembly only; it cannot be applied to classes, class members or any other program elements. Also, assuming the default security policy has not been tightened, it only makes sense to use this attribute with assemblies that are intended to be GAC-installed, and with any other assemblies that would be granted full trust yet be called from less than fully trusted code. An example would be a class located in a Windows service assembly yet called from an ASP.NET assembly. Applying the attribute is straightforward. The class is in the System.Security namespace, so either a using (Imports) statement or the fully qualified class name is required, and the declaration is a single assembly-level line: [assembly: AllowPartiallyTrustedCallers] in C#, or <Assembly: AllowPartiallyTrustedCallers()> in VB.NET. Figure 3 shows the attribute being applied. Visual Studio 2005 includes a setting on the property pages of a project that allows you to set this with a checkbox.

Figure 3: the AllowPartiallyTrustedCallers attribute applied at assembly level. Image not reproduced in this feed.

Final Notes

Since it is assumed that the assembly decorated with the APTC attribute is itself fully trusted, it must be strong-named. Applying the attribute to an assembly that is not strong-named has no effect.

Using the APTC attribute overrides the default security policy defined by the .NET framework. Microsoft included the attribute, reportedly as a last minute inclusion, in 1.0 and has carried it forward since because there are situations that require circumvention of the default policy. Make certain that your APTC decorated assembly does not open any security holes: once the attribute is applied, every public member is reachable from partially trusted code, so treat each one as an entry point for a hostile caller, and on members that touch files, the registry, unmanaged code or other privileged resources put back an explicit demand for the specific permission involved. One of the best ways to do this is to use a LinkDemand. More on that in another blog.

You might be wondering how this might all fit together for your specific situation. Here are a few possible scenarios.

  1. Your packaging requires multiple dlls deployed in multiple unsafe locations. You also have a set of classes you want to share and so will be GAC-installed. Apply the APTC attribute to your shared assembly.
  2. You need to use .NET framework classes (all of these are GAC installed) from assemblies that are not fully trusted. Create an assembly that can be used as a wrapper for these calls. Apply APTC to that assembly and drop it in the GAC.
  3. You have written a SharePoint webpart that uses .NET framework classes. The webpart’s assembly is located in the _app_bin (bin in 2003) folder of the SharePoint virtual directory. You’ll either need to GAC-install the webpart’s assembly or use a solution like the second one here.

Finally, you might be scratching your head, “Wait a minute!” you are saying to yourself. “I have written many ASP.NET applications that call classes in the .NET framework and they work just fine. I have never needed to use APTC.”

At the top of this blog I mentioned that one could write a lot of .NET code without needing to know about APTC. Microsoft applies the APTC attribute to the assemblies listed in the table below. Looking at the list one sees many of the most commonly referenced .NET framework assemblies which explains why you might not have yet run into this attribute, or better said, the requirement for it. Figure 4 shows the ILDASM Manifest for the System.Data.dll assembly; note the APTC attribute.

Accessibility.dll
IEExecRemote.dll
Microsoft.VisualBasic.dll
Mscorlib.dll
System.dll
System.Data.dll
System.Drawing.dll
System.Web.dll (available only in version 1.1)
System.Web.Mobile.dll (available only in version 1.1)
System.Web.RegularExpressions.dll (available only in version 1.1)
System.Web.Services.dll
System.Windows.Forms.dll
System.XML.dll

Figure 4: ILDASM manifest of System.Data.dll showing the AllowPartiallyTrustedCallers attribute. Image not reproduced in this feed.
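A way to see, for your own assemblies, what Figure 4 shows for System.Data.dll: the following PowerShell script is an added example that is not part of the original post. It loads every DLL in a folder in the reflection-only context, reports whether each one carries AllowPartiallyTrustedCallers and whether it is strong-named, and flags the two combinations worth a second look: APTCA on an assembly that is not strong-named (no effect, per the Final Notes above) and a strong-named assembly without APTCA (partially trusted callers fail the implicit Full Trust link demand). Assumptions: Windows PowerShell 5.1 on the .NET Framework, where the reflection-only load context exists; the folder path is a placeholder.

```powershell
# Added example, not from the original post: report which assemblies in a folder declare
# AllowPartiallyTrustedCallers and whether they are strong-named (without a strong name the
# attribute has no effect). Assumes Windows PowerShell 5.1 on .NET Framework; the default
# folder is a placeholder for a SharePoint web application's bin directory.
param([string]$Path = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\bin')

function Get-AptcaReport {
    param([Parameter(Mandatory)][string]$Path)

    $aptcaType = 'System.Security.AllowPartiallyTrustedCallersAttribute'

    # Reading CustomAttributeData needs the attribute's defining assembly in the reflection-only
    # context as well. mscorlib is there automatically; anything else is resolved from the GAC
    # or from the audited folder.
    $resolver = [System.ResolveEventHandler]({
        param($sender, $e)
        try { return [System.Reflection.Assembly]::ReflectionOnlyLoad($e.Name) } catch { }
        $candidate = Join-Path $Path (($e.Name -split ',')[0].Trim() + '.dll')
        if (Test-Path -LiteralPath $candidate) {
            return [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($candidate)
        }
        return $null
    }.GetNewClosure())
    [System.AppDomain]::CurrentDomain.add_ReflectionOnlyAssemblyResolve($resolver)

    try {
        foreach ($file in Get-ChildItem -LiteralPath $Path -Filter *.dll -File) {
            $row = [ordered]@{ Assembly = $file.Name; StrongNamed = $null; Aptca = $null; Note = '' }
            try {
                # Reflection-only load reads metadata without executing anything in the assembly,
                # which is the right mode for auditing DLLs you do not yet trust.
                $asm   = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($file.FullName)
                $attrs = [System.Reflection.CustomAttributeData]::GetCustomAttributes($asm)
                $row.Aptca       = [bool]($attrs | Where-Object { $_.AttributeType.FullName -eq $aptcaType })
                $row.StrongNamed = $asm.GetName().GetPublicKeyToken().Length -gt 0
                if ($row.Aptca -and -not $row.StrongNamed) {
                    $row.Note = 'APTCA present but not strong-named: the attribute has no effect'
                } elseif ($row.StrongNamed -and -not $row.Aptca) {
                    $row.Note = 'strong-named without APTCA: callers need Full Trust (implicit LinkDemand)'
                }
            } catch {
                $row.Note = "skipped: $($_.Exception.GetType().Name) $($_.Exception.Message)"
            }
            [pscustomobject]$row
        }
    } finally {
        [System.AppDomain]::CurrentDomain.remove_ReflectionOnlyAssemblyResolve($resolver)
    }
}

Get-AptcaReport -Path $Path | Format-Table -AutoSize
```

Pointing it at the framework directory reproduces the table above (the System.Web family shows up only on 1.1); pointing it at a SharePoint bin folder tells you which of your own assemblies would need either GAC installation or the wrapper approach from scenario 2.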

]]>