<div><b>Get-ADUser Filter Count Incorrect</b> (Mick Putley, 2022-08-17)</div><p>Let's say you have a number of AD records, and you want to know how many of them contain a certain value. You might do something like this:</p><p><span style="font-family: courier;">(Get-ADUser -Filter 'Department -eq "Accounting"').Count</span></p><p><span style="font-family: inherit;">If you have 20 people in the Accounts Department, then this will correctly return 20.</span></p><p><span style="font-family: inherit;">However, let's say there is only one person in that department. That line will return $Null instead of 1.</span></p><p><span style="font-family: inherit;">The reason is that a single returned record is not an array, and the 'Count' property requires an array. The solution is to cast the result to an array.
The following will correctly return a '1' for that lonely accountant:</span></p><p><span style="font-family: courier;">([array](Get-ADUser -Filter 'Department -eq "Accounting"')).Count</span></p><p><span style="font-family: courier;">Cheers!</span></p><div><b>Audio CD name flickers on Apple Music appearing and vanishing</b> (Mick Putley, 2021-12-27)</div><p>When you insert an audio CD into your Mac, the name of the CD appears and disappears continuously, about once a second, and you cannot rip the CD.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhEXtt5j6oZgP261Yzl94Z4fSF097qcmMtjSZf7C13_M01VTLdhFPCvLzAxzQzfvpHR3ZYyvBGubucQn21sx-hKgr8W_rBf2FYUmyDh_kGWEbQmbacUwvy4TedO0LfXQ9jIPAaaSZhZoESK1P1XMWcjeDeNt32EcFvZMxQCJq5X2vugOz2-x3chHOc1RA=s1798" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1096" data-original-width="1798" height="390" src="https://blogger.googleusercontent.com/img/a/AVvXsEhEXtt5j6oZgP261Yzl94Z4fSF097qcmMtjSZf7C13_M01VTLdhFPCvLzAxzQzfvpHR3ZYyvBGubucQn21sx-hKgr8W_rBf2FYUmyDh_kGWEbQmbacUwvy4TedO0LfXQ9jIPAaaSZhZoESK1P1XMWcjeDeNt32EcFvZMxQCJq5X2vugOz2-x3chHOc1RA=w640-h390" width="640" /></a></div><br /><p>I am not sure how this condition is created; for me it was after upgrading macOS to Monterey. 
Anyhow, it was solved by navigating to ~/Library/Preferences and noticing that I had <i>thousands</i> of 'CD Info.cidb' files.</p><ul style="text-align: left;"><li>Close the Music app.</li><li>Delete all copies of CD Info.cidb.</li><li>Restart the Music app.</li></ul><div>Cheers!</div><div><b>Find name of AD group after it has been deleted but you have the SID</b> (Mick Putley, 2020-02-11)</div><span style="font-family: inherit;">So you have the SID of a deleted group, but you want to know its name and other details. You can get this information provided the object is still present in the Active Directory Recycle Bin (assuming you have that enabled in your domain).</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">That all being said, here is the PowerShell you need:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">get-adobject -Filter 'isdeleted -eq $true -and name -ne "Deleted Objects" -and objectSID -like "<span style="color: blue;">Enter SID here</span>"' -IncludeDeletedObjects -Properties samaccountname,displayname,objectsid</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Example</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">get-adobject -Filter 'isdeleted -eq $true -and name -ne "Deleted Objects" -and objectSID -like "S-1-5-21-1601936709-1892662786-3840804712-315762"' -IncludeDeletedObjects -Properties samaccountname,displayname,objectsid</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Cheers!</span><div><b>Azure Domain Controller Glue Record Gets Deleted</b> (Mick Putley, 2020-02-05)</div>This is somewhat of a corner case, but if it happened to us then it could happen to others. I also regard this as a bug. Losing a Domain Controller's glue record can have a profoundly negative impact on the functionality of an Active Directory domain. This is the scenario in which it will happen.<br />
<ol>
<li>Domain Controller is an Azure IaaS VM.</li>
<li>The DNS zone for the domain has dynamic updates set to 'Nonsecure & Secure'.</li>
</ol>
<div>
The chain of events:</div>
<div>
<ol>
<li>Because the Domain Controller is in Azure, it cannot have a genuinely static IP address within the OS. You have to set the Azure NIC settings to a 'Static IP', which is actually, under the covers, a DHCP reservation within the Azure DHCP system. In any case, the OS believes it has a dynamic address because that is what the NIC tells it. That is why you have to click past the warnings about dynamic IPs when the server is promoted.</li>
<li>Since the OS believes its IP is dynamic, the glue record it creates is also dynamic, because it thinks it may have to change the value if the NIC gets a new address.</li>
<li>Assume that DNS scavenging is enabled on the zone.</li>
<li>Because the zone is set to 'Nonsecure & Secure', the DHCP server is responsible for renewing the server's DNS record when its DHCP lease is 50% expired.</li>
<li>Azure <span style="color: red;">DHCP leases are hardcoded at 136 years</span>, while the default scavenging period is <span style="color: red;">7 days</span>, so the renewal never comes before the record goes stale and is scavenged.</li>
</ol>
<div>
Of course, this issue is not just a problem for Domain Controllers; it will affect all member servers that are IaaS VMs in a DNS zone that allows nonsecure dynamic updates.</div>
</div>
<div>
<br /></div>
<div>
Get those DNS zones set to Secure!</div>
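<div>As an added example (not the post's own code), the following PowerShell checks a domain for the two preconditions described above: whether the domain's zone still accepts nonsecure dynamic updates, and which domain controller host (A) records are dynamic and therefore eligible for scavenging. It assumes the DnsServer and ActiveDirectory modules are available and that it is run on, or pointed at, a DNS server that hosts the zone; it only changes the zone's update setting when -Fix is supplied.</div>

```powershell
# Added example, not from the post. Reports a zone that accepts nonsecure dynamic updates and
# domain controller host (A) records that are dynamic (timestamped) and so can be scavenged.
# Assumes the DnsServer and ActiveDirectory modules and a DNS server that hosts the zone.
[CmdletBinding()]
param(
    [string]$DnsServer = $env:COMPUTERNAME,   # assumption: run on (or pointed at) a DNS server
    [switch]$Fix                              # only then is the zone switched to Secure
)
Import-Module DnsServer -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$domain = (Get-ADDomain).DNSRoot
$zone   = Get-DnsServerZone -Name $domain -ComputerName $DnsServer

# 1. Zone policy. Anything other than 'Secure' lets an unauthenticated client register or
#    overwrite records, which is the precondition for the chain of events in the post.
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $domain allows '$($zone.DynamicUpdate)' dynamic updates."
    if ($Fix) {
        Set-DnsServerPrimaryZone -Name $domain -DynamicUpdate Secure -ComputerName $DnsServer
        Write-Host "Zone $domain now accepts secure dynamic updates only."
    }
} else {
    Write-Host "Zone $domain accepts secure dynamic updates only."
}

# 2. Domain controller host records. A static record has no timestamp and is never
#    scavenged; a dynamic record carries the time it was last refreshed, and scavenging
#    removes it once it has gone unrefreshed for the zone's aging interval.
$dcNames = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.Split('.')[0] }
$records = Get-DnsServerResourceRecord -ZoneName $domain -RRType A -ComputerName $DnsServer |
           Where-Object { $dcNames -contains $_.HostName }

$dynamic = @()
foreach ($rec in $records) {
    $ip = $rec.RecordData.IPv4Address
    if ($rec.Timestamp) {
        Write-Warning "DC record $($rec.HostName) -> $ip is dynamic (last refreshed $($rec.Timestamp))."
        $dynamic += $rec
    } else {
        Write-Host "DC record $($rec.HostName) -> $ip is static."
    }
}
if ($dynamic.Count -gt 0) {
    Write-Warning "$($dynamic.Count) domain controller record(s) are eligible for scavenging."
}
```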
<div>
<br /></div>
<div>
Cheers</div>
<div><b>Mac Time Machine Logs</b> (Mick Putley, 2020-02-01)</div>If you need to view your macOS Time Machine logs:<br />
<br />
Open Terminal and use:<br />
<br />
log show --style syslog --predicate 'senderImagePath contains[cd] "TimeMachine"' --info<br />
<br />
or, to stream them live (like tail):<br />
<br />
log stream --style syslog --predicate 'senderImagePath contains[cd] "TimeMachine"' --info<br />
<br />
If you want to only see errors you can always add:<br />
<br />
| grep 'error'<br />
<br />
Cheers<div><b>Mac OS Catalina "Can't Be Opened Because Apple cannot Check it for Malicious Software"</b> (Mick Putley, 2019-12-29)</div>This message is appearing more and more when trying to open an application on Mac OS Catalina. My understanding is that the message relates to the notarization of software. I'm going to keep this brief, because I am not talking about the following common issues, which cloud research into this error.<br />
<br />
<ul>
<li>You are attempting to run a 32 bit application.</li>
<li>You are attempting to run a very old application.</li>
<li>You are attempting to run an application that has not followed Apple's publishing guidelines.</li>
</ul>
<div>
In the above scenarios you can attempt to get an update from the vendor. You can try going to:</div>
<div>
<br /></div>
<div>
System Preferences | Security & Privacy | General</div>
<div>
<br /></div>
<div>
Look for a 'Run Anyway' option.</div>
<div>
<br /></div>
<div>
I'm talking about recent applications where none of the above applies. This is what you can do:</div>
<div>
<br /></div>
<div>
<span style="color: red;">I take no responsibility if you execute software that damages your system.</span></div>
<div>
<br /></div>
<div>
Go to a command terminal prompt. Type:</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sudo spctl --master-disable</span></div>
<div>
<br /></div>
<div>
Run your application</div>
<div>
<br /></div>
<div>
Type:</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sudo spctl --master-enable</span></div>
<div>
<br /></div>
<div>
Cheers!</div>
<div><b>Custom Azure RBAC Roles (Step by Step)</b> (Mick Putley, 2019-12-23)</div>Azure provides you the ability to create custom RBAC roles, and the process bears no resemblance to any comparable process in Active Directory. As is typical for me, I am going to explain by example.<br />
<br />
The IT department that I work for has a dedicated process for decommissioning servers, and on-premises this is a very mature process which looks something like this:<br />
<ul>
<li>Switch off the VM for a week and see if anyone screams</li>
<li>Delete the VM and associated disk</li>
<li>Delete DNS records</li>
<li>Revoke certificates</li>
<li>etc.</li>
</ul>
<div>
You get the picture. So in order to harmonize that process for Azure VMs we attempted to replicate it and quickly discovered that the personnel who have been assigned the 'Virtual Machine Contributor' role do not have the ability to delete the associated disks. This is reasonable because, unlike VMware, the disks of a VM in Azure are totally separate objects and totally separate object types. What is not reasonable, and in my opinion stupid, is that there is no inbuilt role within Azure to allow that. So here we go:</div>
<div>
<ul>
<li>For education you can start by grabbing a role that you want to expand upon. In this case it makes sense to start with 'Virtual Machine Contributor'. You could start from scratch, but more on that later. So let's run some PowerShell (as always, excuse my line-wrap):</li>
</ul>
<span style="font-family: "courier new" , "courier" , monospace;">Get-AZRoleDefinition -Name "Virtual Machine Contributor" | ConvertTo-Json | Out-File "C:\Temp\Virtual Machine Contributor.json"</span></div>
<div>
<br /></div>
<div>
This will create a file that looks like the following. For clarity I am highlighting the items we will be modifying.</div>
<div>
<br /></div>
<div>
<span style="color: blue;">{</span></div>
<div>
<div>
<span style="color: blue;"> "Name": "<span style="background-color: yellow;">Virtual Machine Contributor</span>",</span></div>
<div>
<span style="background-color: yellow; color: blue;"> "Id": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",</span></div>
<div>
<span style="color: blue;"> "IsCustom":<span style="background-color: yellow;"> false</span>,</span></div>
<div>
<span style="color: blue;"> "Description": "<span style="background-color: yellow;">Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.</span>",</span></div>
<div>
<span style="color: blue;"> "Actions": [</span></div>
<div>
<span style="color: blue;"> "Microsoft.Authorization/*/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Compute/availabilitySets/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Compute/locations/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Compute/virtualMachines/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Compute/virtualMachineScaleSets/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.DevTestLab/schedules/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Insights/alertRules/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/applicationGateways/backendAddressPools/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/backendAddressPools/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/inboundNatPools/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/inboundNatRules/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/probes/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/locations/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/networkInterfaces/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/networkSecurityGroups/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/networkSecurityGroups/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/publicIPAddresses/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/publicIPAddresses/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/virtualNetworks/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/virtualNetworks/subnets/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/locations/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupPolicies/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupPolicies/write",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/usages/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/write",</span></div>
<div>
<span style="color: blue;"> "Microsoft.ResourceHealth/availabilityStatuses/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Resources/deployments/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Resources/subscriptions/resourceGroups/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Storage/storageAccounts/listKeys/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Storage/storageAccounts/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Support/*"</span></div>
<div>
<span style="color: blue;"> ],</span></div>
<div>
<span style="color: blue;"> "NotActions": [],</span></div>
<div>
<span style="color: blue;"> "AssignableScopes": [</span></div>
<div>
<span style="color: blue;"> <span style="background-color: yellow;">"/"</span></span></div>
<div>
<span style="color: blue;"> ]</span></div>
<div>
<span style="color: blue;">}</span></div>
</div>
<div>
<ul>
<li>So now we need to start the modifications. The first step is to provide the name. I strongly suggest the following format: &lt;mycompanyname&gt;-&lt;rbac name&gt; &lt;version number&gt;, so in my case:</li>
</ul>
<span style="background-color: white;"><span style="color: blue;">"Name": "SLHS-</span><span style="color: blue;">Virtual Machine Contributor v1.0</span><span style="color: blue;">",</span></span><br />
<ul>
<li><div>
Don't forget the JSON comma!</div>
</li>
<li><div>
Next, <span style="background-color: yellow;">DELETE</span> the whole ID field. When we create the custom role, Azure will assign a fresh ID for us. If you forget this step, the process will try to overwrite the existing role, which (a) would be bad but (b) would fail.</div>
</li>
<li><div>
Next we change the 'IsCustom' field.</div>
</li>
</ul>
<span style="color: blue;">"IsCustom":</span><span style="background-color: yellow; color: blue;"> true</span><span style="color: blue;">,</span><br />
<ul>
<li>Next we change the description. In my case I chose:</li>
</ul>
<span style="background-color: white;"><span style="color: blue;">"Description": "<span style="background-color: yellow;">Lets you manage virtual machines, including the deletion of disks.</span>",</span></span></div>
<div>
<ul>
<li><span style="color: blue;">OK now the fun part, we need to add a line to provide the access we want. For this we need to turn to the master recipe list which is provided here:</span></li>
</ul>
<a href="https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" target="_blank">https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations</a><br />
<ul>
<li><span style="color: blue;">This is the list of 'Resource Provider Operations', a compendium of all available rights. You kind of need to know what to search for, but for this purpose we need to be looking at 'Microsoft.Compute/disks'. If you search the library page for that you will see entries like 'Microsoft.Compute/disks/read', 'Microsoft.Compute/disks/write' and of course 'Microsoft.Compute/disks/delete'. At this point we can talk a little about structure. You can wildcard each element after the slash, so for example 'Microsoft.Compute/disks/delete' will allow VM disk deletion only, but 'Microsoft.Compute/disks/*' will allow all actions on disks, including delete.</span></li>
<li>So lets run with that and insert that line into our JSON code.</li>
<li>Now here's the stupid part: the 'AssignableScopes' line. I would argue that if you want to create a custom role you would want the ability to assign that role to anyone on any object in any subscription. But for custom roles, at the time of writing (December 2019), you <span style="color: red;">cannot wildcard the subscription or assign it at the tenant root. You must specify a specific subscription.</span> I will show how to create a workaround for this later, but for now I am going to specify a specific subscription. So the resultant edited JSON file ends up looking like this (again I have highlighted the delta, and remember we removed the ID line):</li>
</ul>
</div>
<div>
<div>
<span style="color: blue;">{</span></div>
<span style="color: blue;"></span><br />
<div>
<div>
<span style="color: blue;"> "Name": "SLHS-<span style="background-color: yellow;">Virtual Machine Contributor v2.0</span>",</span></div>
<div>
<span style="color: blue;"> "IsCustom":<span style="background-color: yellow;"> true</span>,</span></div>
<div>
<span style="color: blue;"> "Description": "<span style="background-color: yellow;">Lets you manage virtual machines, including the deletion of disks.</span>",</span></div>
<div>
<span style="color: blue;"> "Actions": [</span></div>
<div>
<span style="color: blue;"> "Microsoft.Authorization/*/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Compute/availabilitySets/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Compute/locations/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Compute/virtualMachines/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Compute/virtualMachineScaleSets/*",</span><br />
<span style="color: blue;"> <span style="background-color: yellow;">"Microsoft.Compute/disks/delete",</span></span></div>
<div>
<span style="color: blue;"> "Microsoft.DevTestLab/schedules/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Insights/alertRules/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/applicationGateways/backendAddressPools/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/backendAddressPools/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/inboundNatPools/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/inboundNatRules/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/probes/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/loadBalancers/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/locations/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/networkInterfaces/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/networkSecurityGroups/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/networkSecurityGroups/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/publicIPAddresses/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/publicIPAddresses/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/virtualNetworks/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Network/virtualNetworks/subnets/join/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/locations/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupPolicies/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/backupPolicies/write",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/usages/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.RecoveryServices/Vaults/write",</span></div>
<div>
<span style="color: blue;"> "Microsoft.ResourceHealth/availabilityStatuses/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Resources/deployments/*",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Resources/subscriptions/resourceGroups/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Storage/storageAccounts/listKeys/action",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Storage/storageAccounts/read",</span></div>
<div>
<span style="color: blue;"> "Microsoft.Support/*"</span></div>
<div>
<span style="color: blue;"> ],</span></div>
<div>
<span style="color: blue;"> "NotActions": [],</span></div>
<div>
<span style="color: blue;"> </span><span style="color: blue;">"AssignableScopes": [</span><br />
<span style="color: blue;"> <span style="background-color: yellow;">"/subscriptions/4a5ce960-87d4-431b-ac1c-67a70cb1516e"</span></span><br />
<span style="color: blue;"> ]</span></div>
<div>
<span style="color: blue;">}</span></div>
</div>
</div>
<div>
<br />
<ul>
<li><span style="color: blue;">So save your work as something like </span>"C:\Temp\SLHS-Virtual Machine Contributor v2.0.json".</li>
<li>Next we create the new role using PowerShell:</li>
</ul>
<span style="font-family: "courier new" , "courier" , monospace;">New-AZRoleDefinition -InputFile "C:\Temp\SLHS-Virtual Machine Contributor v2.0.json"</span><br />
<ul>
<li>If you are successful then you will be presented with some output that describes your newly created role:</li>
</ul>
<br />
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">Name : SLHS-VM Contributor v2.0</span></div>
<div>
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">Id : 4c428c4d-34f9-4e15-9776-2c04ef26f4a3</span></div>
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">IsCustom : True</span></div>
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">Description : </span><span style="background-color: yellow; color: blue;">Lets you manage virtual machines, including the deletion of disks.</span></div>
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">Actions : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*,</span></div>
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;"> Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}</span></div>
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">NotActions : {}</span></div>
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">DataActions : {}</span></div>
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">NotDataActions : {}</span></div>
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">AssignableScopes : {/subscriptions/4a5ce960-87d4-431b-ac1c-67a70cb1516e}</span></div>
</div>
<div>
<ul>
<li>That's it for the basic process. You can now assign that role (in this screenshot it's v4.0, not v2.0, but you get the idea).</li>
</ul>
</div>
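<div>The same custom role build as an added PowerShell example (not the post's own code): it makes the edits above in memory with the Az module instead of hand-editing the exported JSON, which removes the chance of leaving the "Id" field in place, and then reads the role back and confirms it differs from the built-in by exactly the one action added. It assumes the Az module is installed, Connect-AzAccount has been run, and that $SubscriptionId is a placeholder to replace with the target subscription GUID.</div>

```powershell
# Added example, not the post's own script. Builds the custom role the post describes
# (built-in 'Virtual Machine Contributor' plus Microsoft.Compute/disks/delete) in memory,
# creates it, and verifies that the only difference from the built-in is the intended action.
# Assumes the Az module is installed and Connect-AzAccount has been run.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real subscription
$BaseRoleName   = 'Virtual Machine Contributor'
$NewRoleName    = 'SLHS-Virtual Machine Contributor v2.0'
$NewDescription = 'Lets you manage virtual machines, including the deletion of disks.'
$ExtraActions   = @('Microsoft.Compute/disks/delete')     # the only permission being added

# Refuse to run if the name is already taken: a name collision is exactly the overwrite
# scenario the post warns about, and New-AzRoleDefinition would fail on it anyway.
if (Get-AzRoleDefinition -Name $NewRoleName -ErrorAction SilentlyContinue) {
    throw "A role named '$NewRoleName' already exists; bump the version suffix instead."
}

# Start from the built-in definition, as the post does with ConvertTo-Json.
$role = Get-AzRoleDefinition -Name $BaseRoleName
if (-not $role) { throw "Built-in role '$BaseRoleName' not found." }
$baseActions = @($role.Actions)        # snapshot of the original Actions for the comparison

# The edits the post makes by hand in the JSON file:
$role.Id          = $null              # let Azure allocate a fresh Id
$role.Name        = $NewRoleName
$role.IsCustom    = $true
$role.Description = $NewDescription
foreach ($action in $ExtraActions) {
    if ($role.Actions -notcontains $action) { $role.Actions.Add($action) }
}
# Custom roles cannot be scoped to '/'; pin the role to one subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$SubscriptionId")

# Show the delta before anything is created so a reviewer can sign off on least privilege.
Write-Host "Actions added relative to '$BaseRoleName':"
Compare-Object -ReferenceObject $baseActions -DifferenceObject @($role.Actions) |
    Where-Object SideIndicator -eq '=>' |
    ForEach-Object { Write-Host "  + $($_.InputObject)" }

$created = New-AzRoleDefinition -Role $role

# Read the role back and confirm the only extra actions are the ones in $ExtraActions.
$check = Get-AzRoleDefinition -Name $NewRoleName
$added = @(Compare-Object -ReferenceObject $baseActions -DifferenceObject @($check.Actions) |
           Where-Object SideIndicator -eq '=>' |
           Select-Object -ExpandProperty InputObject)
if (@(Compare-Object -ReferenceObject $added -DifferenceObject $ExtraActions).Count -ne 0) {
    throw "Role '$NewRoleName' does not match the intended delta; review it before assigning."
}
Write-Host "Created role $($created.Id) with exactly $($added.Count) extra action(s)."
```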
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvCM52AVYUZMS0xMVQ8_KiPyDOpdzCw6dha4wEk-m2lVNguFmIVECJb2LBQi6DxKLJ9UGdBQMxeu1gE12yJi6qGqXUmE7znO4pmgC_TxG-JwZVo1wfLdumSpCGWgcDJDUOnrl4KkTHMlfW/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="171" data-original-width="434" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvCM52AVYUZMS0xMVQ8_KiPyDOpdzCw6dha4wEk-m2lVNguFmIVECJb2LBQi6DxKLJ9UGdBQMxeu1gE12yJi6qGqXUmE7znO4pmgC_TxG-JwZVo1wfLdumSpCGWgcDJDUOnrl4KkTHMlfW/s320/Capture.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
<b>Now we have to deal with the single subscription malarkey.</b> For this example we are going to start from scratch and create a role specifically for the task at hand (deleting VM disks). Essentially what we need is a script that takes a base name for our role, in the following example <i>"SLHS-VMDiskDestroyer-v1.0"</i>, a description <i>"Allows holder to delete VM disks"</i>, the operation from the Microsoft resource provider operations list <i>"Microsoft.Compute/disks/delete"</i> and the name of a pre-created (wait for the sync) AD group <i>"CustomRBAC-VMDiskDestroyers-U_GG_IA"</i>.<br />
<br />
When the script runs it will cycle through every subscription, add the role using the base name + the subscription GUID (each role in the tenant must have a unique name) and assign the role to the specified AD group. <span style="color: red;">As with any script that <i>does something</i> to <i>every</i> subscription - take care!</span><br />
<span style="color: red;"><br /></span>
<br />
<div class="WordSection1" style="page: WordSection1;">
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"># Will add custom role to all subscriptions</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"># Complete the variables at the top if you have cloned this script.</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><span style="color: blue;">#######################################################</span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"># Constants for easy cloning of script</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">$BaseRBACName = "SLHS-VMDiskDestroyer-v1.0"</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">$Desc = "Allows holder to delete VM disks"</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">$Role = "Microsoft.Compute/disks/delete"</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">$ADGroup = "CustomRBAC-VMDiskDestroyers-U_GG_IA"</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">#######################################################</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-size: xx-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"># Temp file name. $RBACName is only set inside the loop, so the base name is used here; the file is recreated per subscription.</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">$JSONName = $BaseRBACName + ".json"</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">If($JSONName -Like "* *")</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">{</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Write-Host "Error: JSONName must contain no spaces"</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Exit</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">}</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">Get-AZSubscription | ForEach-Object `</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;">{</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> $SubID = $_.ID</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> $SubName = $_.Name</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> # Role names must be unique across the tenant, so suffix the subscription ID</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> $RBACName = $BaseRBACName + "-" + $SubID</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> If(Test-Path "c:\temp\$JSONName")</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> {</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Remove-Item "c:\temp\$JSONName" -Force</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> }</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> # Make JSON file</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" "{"</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " `"Name`": `"$RBACName`","<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " `"IsCustom`": true,"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " `"Description`": `"$Desc`","<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " `"Actions`": ["<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " `"$Role`""<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " ],"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " `"NotActions`": [],"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " `"AssignableScopes`": ["<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " `"/subscriptions/$SubID`""<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" " ]"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Add-Content "c:\temp\$JSONName" "}"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Write-Host "Adding role definition to $SubName"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Try<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> {<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> $RoleObj = New-AZRoleDefinition -InputFile "c:\temp\$JSONName" -ErrorAction Stop</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: blue; font-size: xx-small;"> }</span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Catch<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> {<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Write-Host "Did not add role definition, probably already exists" -ForegroundColor Yellow</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: blue; font-size: xx-small;"> }</span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> # Add AD group<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> $GroupID = (Get-AzADGroup -SearchString $ADGroup).ID<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> $SubScope = "/subscriptions/$SubID"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Write-Host "Adding $ADGroup to $RBACName"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Try<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> {<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> New-AZRoleAssignment -ObjectID $GroupID -RoleDefinitionName $RBACName -Scope $SubScope -ErrorAction Stop<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> }<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Catch<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> {<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> Write-Host "Did not assign role to group, group already has that role" -ForegroundColor Yellow<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: "courier new" , "courier" , monospace; font-size: xx-small;"> }<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: xx-small;"><span style="color: blue;"> Write-Host "`n`n"</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: xx-small;">}</span><o:p></o:p></span></div>
</div>
</div>
<div>
Cheers!</div>
</div>
Mick Putley, 2019-10-01<br />
<br />
<b><span style="color: blue;">Using an old iPod 3rd Gen on a modern Mac</span></b><br />
I have seen a lot of tears flowing in different forums from people who cannot get their original 3rd generation iPod working with a modern Mac. I recently decided to resurrect mine for nostalgia. Here is the summary.<br />
<br />
<b><span style="color: blue;">Battery is screwed</span></b><br />
I highly recommend the following kit from iFixit; they have good instructions. However, are you sure your battery is dead? See the section on 'Cannot charge'.<br />
<br />
<a href="https://www.ifixit.com/Store/iPod/iPod-3G-Replacement-Battery/IF192-015?o=3" target="_blank">https://www.ifixit.com/Store/iPod/iPod-3G-Replacement-Battery/IF192-015?o=3</a><br />
<br />
<br />
<span style="color: blue;"><b>Cannot charge</b></span><br />
The first thing to realize about this iPod is that you cannot charge it by USB. Don't listen to anyone who tells you otherwise. You MUST charge it by Firewire. So you have two choices: you can search ebay for a Firewire charger, or, since you will want to sync your iPod with your Mac anyway, you can follow the last section here on syncing; successfully attaching the iPod to your Mac for syncing will also allow your Mac to charge your iPod.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCREyab4D90BEJFlm6mhQsVGz70Vom-sZdVTDieGQ3I8U75ikVCpzjQRq5HQNo3Mhi_3-oa4iMjnyqKYa2rXyZYU6k0kbqJlWV-9Te34_WdA7tMo3p4zvzZUzSpZD0GtPEt3E6onaXE0Gx/s1600/s-l1600.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCREyab4D90BEJFlm6mhQsVGz70Vom-sZdVTDieGQ3I8U75ikVCpzjQRq5HQNo3Mhi_3-oa4iMjnyqKYa2rXyZYU6k0kbqJlWV-9Te34_WdA7tMo3p4zvzZUzSpZD0GtPEt3E6onaXE0Gx/s320/s-l1600.jpg" width="320" /></a><br />
Note the Firewire port, not a USB port.<br />
<b><span style="color: blue;">Cannot sync</span></b><br />
<span style="caret-color: rgb(0, 0, 255);">This is where things are going to cost you a little money. Modern Macs have USB-C ports, and on a modern Mac the USB-C port is also the Thunderbolt 3 port. Here is what you need:</span><br />
<span style="caret-color: rgb(0, 0, 255);"><br /></span>
<span style="caret-color: rgb(0, 0, 255);"><i>1 - Purchase a USB-C/ThunderBolt 3 to ThunderBolt 2 adapter.</i></span><br />
<span style="caret-color: rgb(0, 0, 255);">Apple Part Number A1790. At time of writing it costs $49 from Apple, less on ebay.</span><br />
<a href="https://www.apple.com/shop/product/MMEL2AM/A/thunderbolt-3-usb-c-to-thunderbolt-2-adapter?afid=p238%7CsXJVdwN9q-dc_mtid_1870765e38482_pcrid_246386725857_pgrid_14874603490_&cid=aos-us-kwgo-pla-btb--slid-----product-MMEL2AM/A" style="caret-color: rgb(0, 0, 255);" target="_blank"><span style="color: blue;">Thunderbolt 3 to Thunderbolt 2</span></a><br />
<br />
<i>2 - Purchase a ThunderBolt 2 to Firewire 800 Adapter</i><br />
Apple Part Number A1463. At time of writing it costs $29 from Apple, less on ebay.<br />
<a href="https://www.apple.com/shop/product/MD464LL/A/apple-thunderbolt-to-firewire-adapter?afid=p238%7Cs9NB5Sr2n-dc_mtid_1870765e38482_pcrid_246386725857_pgrid_14874603490_&cid=aos-us-kwgo-pla-btb--slid-----product-MD464LL/A" target="_blank">ThunderBolt 2 to Firewire 800</a><br />
<br />
<i>3 - Purchase a Firewire 800 to Firewire 400 adapter</i><br />
Elago Part Number EL-FW-ADAP. At time of writing it costs $9.99 from Amazon.<br />
<a href="https://www.amazon.com/gp/product/B003L4P872/ref=ppx_yo_dt_b_asin_title_o01_s00?ie=UTF8&psc=1" target="_blank"><span style="color: blue;">Firewire 800 to Firewire 400</span></a><br />
<br />
<i>4 - Purchase a Firewire 400 to 30 pin iPod cable.</i><br />
These are as rare as rocking horse poop. You may already have one. If you have trouble locating one, consider buying one of the charging adapters described above, because they should really come complete with this cable.<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUc0VFqwcWBjJt5V4qG3I9nmsyWxn3VW3iEQktxKCwrQhSLkvEyQ1GC4035u58r0BKSFut7xzCnHK-LIcQJaH3eovfbvTEW7ATlABeqpzwko0ZPZBIF2PrHk4R4HtWXMmPOrdExALyl0tK/s1600/s-l500.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUc0VFqwcWBjJt5V4qG3I9nmsyWxn3VW3iEQktxKCwrQhSLkvEyQ1GC4035u58r0BKSFut7xzCnHK-LIcQJaH3eovfbvTEW7ATlABeqpzwko0ZPZBIF2PrHk4R4HtWXMmPOrdExALyl0tK/s320/s-l500.jpg" width="320" /></a><br />
<ul>
<li>Connect the USB-C/TB3 to TB2 adapter to your Mac.</li>
<li>Connect the TB2 to FW800 adapter to the USB-C/TB3 to TB2 adapter.</li>
<li>Connect the FW800 to FW400 adapter to your (hopefully existing) FW400 to 30-pin iPod cable.</li>
<li>Connect the FW400 to 30-pin cable to your iPod.</li>
</ul>
<b>Other matters</b><br />
If you, like me, purchased the iPod when you were using Windows, your first step will be to restore the iPod to factory defaults with iTunes.<br />
<br />
Cheers!<br />
Mick Putley, 2019-06-12<br />
<br />
<b><span style="color: blue;">LM Hash</span></b><br />
<br />
LM hashes are weak and archaic. An LM hash does not use a salt, so any two identical passwords will have identical hash values. Additionally, the LM hash doesn't process the password as a whole. Instead, it null-pads it to 14 characters (if needed), then splits that value into two 7-character chunks and hashes each before sticking the results back together. Thus, if the first 7 characters are identical to the last 7, the first 8 bytes of the LM hash will match the last 8.<br />
<br />
<span style="color: blue;">Example</span><br />
The LM hash value for 7 null characters is AAD3B435B51404EE. Therefore the hash of a password less than 8 characters long will end with AAD3B435B51404EE, and the hash of an empty password will always (since LM hashing doesn't use a salt) be exactly AAD3B435B51404EEAAD3B435B51404EE.<br />
<br />
<span style="color: blue;">Also</span><br />
There is one more caveat. LM hashing does not support passwords of 15 characters or more at all. When such a password is set, the user may receive a prompt asking them to confirm that they want to use a password that will be incompatible with older (LM hash dependent) software. The system will then store a null LM hash for that user. I personally recommend that people use 15+ characters in their passwords for precisely this reason.<br />
<br />
It is recommended that LM hashes are disabled as follows (this can also be done with a GPO):<br />
<br />
<ul>
<li>Locate and then click the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa</li>
<li>On the Edit menu, click Add Key, type NoLMHash, and set the value to 1.</li>
<li>Quit Registry Editor.</li>
<li>Restart the computer, and then change your password to make the setting active.</li>
</ul>
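To turn the properties above into an audit, here is an added example (not from the original post) that classifies the LM field of pwdump-style export lines using the null-half constant, and reads back the NoLMHash setting the registry steps configure. The export lines are constructed and the non-null hash halves are placeholders.<br />

```powershell
# LM hash of seven null bytes (the value discussed above)
$LmNullHalf = "AAD3B435B51404EE"

function Get-LMHashFinding {
    # Expects one pwdump-style line: user:rid:lmhash:nthash:::
    param([Parameter(Mandatory)][string]$DumpLine)
    $fields = $DumpLine.Split(":")
    if ($fields.Count -lt 4) { return $null }
    $user = $fields[0]
    $lm   = $fields[2].ToUpper()
    if ($lm.Length -ne 32) {
        return [pscustomobject]@{ User = $user; LM = $lm; Finding = "malformed LM field" }
    }
    $first  = $lm.Substring(0, 16)
    $second = $lm.Substring(16, 16)
    # Apply the structural properties of LM hashing: no salt, two independent
    # 7-character halves, null padding, null hash when LM is not stored.
    $finding = if ($first -eq $LmNullHalf -and $second -eq $LmNullHalf) {
        "no LM hash stored (empty password, LM disabled, or password of 15+ characters)"
    } elseif ($second -eq $LmNullHalf) {
        "LM hash stored; password is 7 characters or fewer"
    } elseif ($first -eq $second) {
        "LM hash stored; second 7 characters repeat the first 7"
    } else {
        "LM hash stored; password is 8 to 14 characters"
    }
    [pscustomobject]@{ User = $user; LM = $lm; Finding = $finding }
}

function Get-NoLMHashSetting {
    # Reads the value the registry procedure above sets; $null means not configured.
    $lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
}

# Constructed sample export; "0123456789ABCDEF" and "FEDCBA9876543210" are placeholders,
# not real hash halves, and the NT field is a placeholder too.
$sample = @(
    "alice:1001:AAD3B435B51404EEAAD3B435B51404EE:NTHASHPLACEHOLDER:::",
    "bob:1002:0123456789ABCDEFAAD3B435B51404EE:NTHASHPLACEHOLDER:::",
    "carol:1003:0123456789ABCDEF0123456789ABCDEF:NTHASHPLACEHOLDER:::",
    "dave:1004:0123456789ABCDEFFEDCBA9876543210:NTHASHPLACEHOLDER:::"
)

$sample | ForEach-Object { Get-LMHashFinding -DumpLine $_ } | Format-Table -AutoSize
"NoLMHash setting on this host: $(Get-NoLMHashSetting)"
```

Any account other than the first pattern still has an LM hash stored, which is the condition the NoLMHash setting (and a password change afterwards) removes.<br />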
<br />
<span style="color: blue;">Salt</span><br />
In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data such as a password or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards were developed to protect a user's password against being read from the system. A salt is one of those methods.<br />
<br />
A new salt is randomly generated for each password. In a typical setting, the salt and the password (or its version after key stretching) are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. Hashing allows for later authentication without keeping, and therefore risking, the plaintext password in the event that the authentication data store is compromised.<br />
<br />
Salts defend against dictionary attacks or against their hashed equivalent, a pre-computed rainbow table attack. Since salts do not have to be memorized by humans they can make the size of the rainbow table required for a successful attack prohibitively large without placing a burden on the users. Since salts are different in each case, they also protect commonly used passwords, or those users who use the same password on several sites, by making all salted hash instances for the same password different from each other.<br />
<br />
Cheers!<br />
Mick Putley, 2019-06-12<br />
<br />
<b><span style="color: blue;">Azure Subscription and Registering Resources</span></b><br />
<span style="font-family: inherit;">There is an issue with Azure Role-Based Access Control (RBAC). Depending on who you listen to, this is a bug (I agree, it is a bug).</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="color: blue; font-family: inherit;">Scenario</span><br />
<br />
<ul>
<li><span style="font-family: inherit;">You create a subscription and a resource group within it.</span></li>
<li>You assign someone as a contributor of the RG but not a contributor to the subscription (for a long list of reasons).</li>
<li>The user cannot create a resource in the resource group: the wizard complains that the subscription does not have permission to register the resource provider.</li>
</ul>
<br />
<span style="background-color: white; color: blue; font-family: inherit;">Reason</span><br />
<span style="font-family: inherit;">•<span style="white-space: pre;"> </span>When one attempts to create a resource, two things must be true: (1) the user must have the correct permissions (they do; contributor to the resource group is more than sufficient), and (2) the subscription impersonates the user, using their access rights, to register the resource type (e.g. a Virtual Machine, Disk, whatever) as an allowable type of resource within the subscription (this is what fails).</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">It’s a bug because:</span><br />
<span style="font-family: inherit;">•<span style="white-space: pre;"> </span>The Wizard should be registering the resource type at the RG level not the subscription level.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="color: blue; font-family: inherit;">Solution</span><br />
<span style="font-family: inherit;">•<span style="white-space: pre;"> </span>When you create a new subscription for a team, you need to pre-register the resource types as being allowable.</span><br />
<span style="font-family: inherit;">•<span style="white-space: pre;"> </span>Logon to your tenant in PowerShell</span><br />
<span style="font-family: inherit;">•<span style="white-space: pre;"> </span>Select the relevant subscription thus:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Select-AZSubscription "MyCoolSubscriptionName"</span><br />
<br />
<span style="font-family: inherit;">•<span style="white-space: pre;"> </span>Register the resource types thus:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Get-AzResourceProvider -ListAvailable | ForEach-Object { Register-AzResourceProvider -ProviderNamespace $_.ProviderNamespace }</span><br />
<span style="font-family: inherit;"><br /></span>
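The one-liner above registers every available provider. As an added example (not the post's own code), the variant below pre-registers only an explicit list of namespaces a team needs, skips those already registered, and reports what remains unregistered for review; the subscription name and namespace list are placeholders to adapt.<br />

```powershell
# Placeholders: the subscription to prepare and the providers the team actually needs
$SubscriptionName   = "MyCoolSubscriptionName"
$RequiredNamespaces = @("Microsoft.Compute", "Microsoft.Network", "Microsoft.Storage")

# Select-AzSubscription is an alias of Set-AzContext
Set-AzContext -Subscription $SubscriptionName | Out-Null

function Register-RequiredProvider {
    param([Parameter(Mandatory)][string[]]$Namespace)
    foreach ($ns in $Namespace) {
        # Get-AzResourceProvider returns one object per resource type in the namespace;
        # they share the namespace's RegistrationState, so the first one is enough.
        $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
        if ($state -eq "Registered") {
            Write-Host "$ns already registered"
            continue
        }
        Write-Host "Registering $ns"
        # Registration needs subscription-level rights, which is why the RG contributor
        # in the scenario above cannot do it themselves.
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

Register-RequiredProvider -Namespace $RequiredNamespaces

# Review what is still unregistered instead of registering everything blindly
Get-AzResourceProvider -ListAvailable |
    Where-Object { $_.RegistrationState -ne "Registered" } |
    Select-Object ProviderNamespace, RegistrationState -Unique |
    Sort-Object ProviderNamespace
```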
Cheers!<br />
Mick Putley, 2019-06-07<br />
<br />
<b><span style="color: blue;">WebSSOLifetime versus TokenLifetime</span></b><br />
<div align="justify">
<span style="font-family: inherit;"><b>What is the difference between WebSSOLifetime versus TokenLifetime</b></span></div>
<div align="justify">
<b><br /></b></div>
<div align="justify">
The trick to understanding this is to think of WebSSOLifetime like a Kerberos TGT.</div>
<div align="justify">
<b><br /></b></div>
<div align="justify">
<b><span style="color: blue;">WebSSOLifetime (Default 480 minutes = 8 hours)</span></b></div>
<div align="justify">
This parameter is server-wide, meaning that if you configure it, it is active for all of the ADFS relying parties. Whenever a user requests a token for a given RP he will have to authenticate to the ADFS service first. Upon communicating with the ADFS service he will receive two tokens: a token which proves who he is (let's call that the ADFS Token) and a token for the RP (let's say the RP Token). All in all this seems very much like the TGT and TGS tickets of Kerberos.</div>
<div align="justify">
Now the WebSSOLifetime timeout determines how long the ADFS Token can be used to request new RP Tokens without having to re-authenticate. In other words a user can ask for new tokens for this RP, or for other RPs, and he will not have to prove who he is until the WebSSOLifetime expires the ADFS Token.</div>
<div align="justify">
<br /></div>
<div align="justify">
<b><span style="color: blue;">TokenLifetime (Default 0 which means 10 hours!)</span></b></div>
<div align="justify">
The TokenLifetime is now easy to explain. This parameter is configurable for each RP. Whenever a user receives an RP Token, it will expire at some time. At that time the user will have to go to the ADFS server again and request a new RP Token. If the ADFS Token is still valid, he will not have to re-authenticate. </div>
<div align="justify">
One argument to lower the TokenLifetime could be that you want the claims to be updated faster. With the default, whenever some of the Attribute Store info is modified, it might take up to 10 hours before this change reaches the user in his claims.</div>
<div align="justify">
<br /></div>
<div align="justify">
The TokenLifetime can be read using PowerShell</div>
<div align="justify">
<br /></div>
<div align="justify">
<span style="font-family: Courier New, Courier, monospace;">PS > Get-ADFSRelyingPartyTrust -Name "relying_party"</span></div>
<div align="justify">
<br /></div>
<div align="justify">
The WebSSOLifetime can be accessed from the ADFS management interface</div>
<div align="justify">
<br /></div>
<div align="justify">
Cheers!</div>
<div align="justify">
<br /></div>
Mick Putley, 2019-01-14<br />
<br />
<b><span style="color: blue;">Filter Out Events in Windows Event Logs</span></b><br />
Did you know you can filter *out* events in the Windows Event Logs by Event ID? Just open "Filter Current Log" like you usually would and put a minus in front of the Event ID you want to hide.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIaunfXADvmx3RBGsvNkTb8jnKQcJHPAy14VJPY7hbsvfun6Sg1V5GXjT-mJDNKQCMbgxteh5aKrXK-I4LjSNBoB2-XSNri0EzKcAYjU1VieDmN1PsRaPaitlaKmiZGKlPbyZRwNS5jqqK/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="728" data-original-width="848" height="547" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIaunfXADvmx3RBGsvNkTb8jnKQcJHPAy14VJPY7hbsvfun6Sg1V5GXjT-mJDNKQCMbgxteh5aKrXK-I4LjSNBoB2-XSNri0EzKcAYjU1VieDmN1PsRaPaitlaKmiZGKlPbyZRwNS5jqqK/s640/Capture.PNG" width="640" /></a></div>
<br />
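The minus in the dialog becomes a Suppress clause in the underlying XML event query. Here is an added example (not from the original post) that builds the same exclusion for Get-WinEvent, which cannot express a "not this ID" with -FilterHashtable but can with -FilterXml; the log name and excluded IDs are sample values.<br />

```powershell
function Get-WinEventExcludingId {
    # Returns events from $LogName except those whose Event ID is in $ExcludeId
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int[]]$ExcludeId,
        [int]$MaxEvents = 100
    )
    # Build "EventID=4624 or EventID=4634" from the list of IDs to hide
    $exclude = ($ExcludeId | ForEach-Object { "EventID=$_" }) -join " or "
    # Same structure the Event Viewer generates on its XML tab for "-4624,-4634"
    $query = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*</Select>
    <Suppress Path="$LogName">*[System[($exclude)]]</Suppress>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents
}

# Sample use: hide routine logon/logoff noise (4624, 4634) while reviewing the Security log.
# Reading the Security log requires an elevated session.
Get-WinEventExcludingId -LogName Security -ExcludeId 4624, 4634 |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize
```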
CheersMick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-1639112238883397152018-06-27T14:02:00.003-06:002018-06-27T14:02:46.120-06:00Find DN for AD Integrated Forest DNS record<span style="background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">With ADUC it is easy to find the distinguished name of an AD object. DNS records are a little more hidden. Here would be an example:</span><br />
<span style="background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span>
<span style="background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span>
<span style="background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">dc=ServerName,DC=MyDomain.org,CN=MicrosoftDNS,DC=ForestDnsZones,DC=</span><span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">STLU</span><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">KES-INT,DC=ORG</span></span><br />
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></span>
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">Note the weirdness, the first two sections:</span></span><br />
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></span>
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">dc=ServerName,dc=FullDomainName combines to make an FQDN and yet section two would normally be broken up. Say you have a parent domain and a child domain. Normally a DN would look something like this</span></span><br />
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></span>
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">cn=ServerName,dc=ChildDomain,dc=ChildDomain,dc=Org</span></span><br />
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></span>
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">but for this we have</span></span><br />
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></span>
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">dc=ServerName,dc=ChildDomain.ParentDomain.Org</span></span><br />
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></span>
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">Weird!</span></span><br />
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></span>
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;">Also, if you want to look at the object's replication metadata, don't forget to include the name of a domain controller that belongs to the same domain as the machine you are running this command from:</span></span><br />
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"><br /></span></span>
<div class="MsoNormal">
<span style="background-color: white;"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">repadmin /showobjmeta sl1dc1 dc=xxsql01,dc=sl2.stfreds-int.org,cn=MicrosoftDNS,DC=ForestDnsZones,DC=stfreds-int,dc=org</span></span></span><o:p></o:p></div>
<br />
<div class="MsoNormal">
<span style="background: yellow; mso-highlight: yellow;"><br /></span></div>
<div class="MsoNormal">
<span style="background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial;">Cheers!</span></div>
<span style="background-color: white;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; font-family: Calibri, sans-serif; font-size: 11pt;"></span></span>Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-15062911765919527202018-06-01T17:09:00.003-06:002018-06-01T17:09:46.942-06:00Windows 2008 RTM Network Performance Tuning<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="font-family: inherit;">Windows 2008 RTM Network Performance Tuning:<o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<o:p><span style="font-family: inherit;">These NIC options are collectively known as the "TCP Chimney". They were originally designed to relieve a server's compute CPU(s) of some of the networking load by offloading functions to the processor on the NIC itself. Around 10 years ago this caused problems because the NIC vendors did a poor job of using the Microsoft APIs. More recently that improved, but the Microsoft APIs themselves were poorly implemented on Windows 2008 RTM (Vista kernel). I am not sure I would recommend baking the following recommendations into a build image, but for troubleshooting poor performance or dropped packets these parameters can certainly be useful. Note:</span></o:p><br />
<o:p><span style="font-family: inherit;"><br /></span></o:p>
<br />
<ul>
<li><span style="font-family: inherit;">You may need to experiment.</span></li>
<li><span style="font-family: inherit;">These <i>specifically worded</i> parameters apply to the VMware VMXNet3 NIC, but equivalents should be found on all NICs.</span></li>
<li>Moving network processing off the NIC and back onto the compute CPU assumes that the compute CPU is powerful enough to absorb it.</li>
</ul>
</div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<o:p><span style="font-family: inherit;"><br /></span></o:p></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="color: blue; font-family: inherit;">IPv4 Checksum Offload</span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;">When data comes in through a network, the data is checked against a checksum (or validation code) in the headers in the packets it was delivered in. If the data and checksum don't match, the packet is determined to be bad and has to be retransmitted. To speed things up, some network cards can "offload" the checksumming, i.e., perform the checksumming on the network card itself, rather than leave the job to the CPU. This frees up the CPU to do that much more work on its own, and on a server with extremely high network throughput, that much CPU savings can add up.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="font-family: inherit;">Recommendation: <span style="color: red;">Disable</span><o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="color: blue; font-family: inherit;">IPv4 TSO Offload<o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;">Using TSO and LRO on physical and virtual machine NICs improves the performance of ESX/ESXi hosts by reducing the CPU overhead for TCP/IP network operations, leaving the host more CPU cycles to run applications. If TSO is enabled on the transmission path, the NIC divides larger data chunks into TCP segments. If TSO is disabled, the CPU performs the segmentation for TCP/IP.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;">Note: TSO is referred to as LSO (Large Segment Offload or Large Send Offload) in the latest VMXNET3 driver attributes.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="font-family: inherit;">Recommendation: <span style="color: red;">Disable</span><o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="color: blue; font-family: inherit;">Large Send Offload V2 (IPv4)<o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;">Large Send Offload V2 is a feature on modern Ethernet adapters that allows the TCP/IP network stack to build a large TCP message of up to 64KB in length before sending it to the Ethernet adapter. The hardware on the Ethernet adapter (what I'll call the LSO engine) then segments it into smaller data packets (known as "frames" in Ethernet terminology) that can be sent over the wire: up to 1500 bytes for standard Ethernet frames and up to 9000 bytes for jumbo Ethernet frames. This frees the server CPU from having to segment large TCP messages into packets that fit inside the supported frame size.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="font-family: inherit;">Recommendation: <span style="color: red;">Disable</span><o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;"><b><span style="color: blue;">Offload IP Options</span></b><o:p></o:p></span><br />
<span style="font-family: inherit;">Miscellaneous IP options</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="font-family: inherit;">Recommendation: <span style="color: red;">Disable</span></span></b><br />
<span style="color: red; font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: inherit;"><b>Offload TCP Options</b></span><br />
<span style="font-family: inherit;">Miscellaneous TCP Options</span><br />
<b><span style="font-family: inherit;">Recommendation: <span style="color: red;">Disable</span></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="color: blue; font-family: inherit;">Receive Side Scaling<o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;">RSS enables driver stacks to process send and receive-side data for a given connection on the same CPU. Typically, an overlying driver (for example, TCP) sends part of a data block and waits for an acknowledgment before sending the balance of the data. The acknowledgment then triggers subsequent send requests. The RSS indirection table identifies a particular CPU for the receive data processing. By default, the send processing runs on the same CPU if it is triggered by the receive acknowledgment. A driver can also specify the CPU (for example, if a timer is used).<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="font-family: inherit;">Recommendation: <span style="color: #6aa84f;">Enable</span><o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="color: blue; font-family: inherit;">TCP Checksum Offload (IPv4)<o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;">The TCP header contains a 16-bit checksum field which is used to verify the integrity of the header and data. For performance reasons the checksum calculation on the transmit side and verification on the receive side may be offloaded from the operating system to the network adapter. <o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="font-family: inherit;">Recommendation: <span style="color: red;">Disable</span><o:p></o:p></span></b></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;"><br /></span>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="color: blue; font-family: inherit;"><b>Rx Ring #1<o:p></o:p></b></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;">Modern, performance/server-grade network interfaces keep transmit and receive buffer descriptor rings in main memory and use direct memory access (DMA) to move packets to and from that memory independently of the CPU. The usual default buffer values for regular desktop NICs are 256 or 512 bytes; high-performance NICs can go up to 4096 and/or 8192 bytes.</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<span style="font-family: inherit;"><o:p></o:p></span></div>
<b><span style="font-family: inherit;">Recommendation: <span style="color: red;">4096</span></span></b><br />
<span style="font-family: inherit;"><br /></span>
<span style="color: blue; font-family: inherit;"><b>Small Rx Buffers</b></span><br />
<span style="font-family: inherit;">Where Rx Ring #1 defines the size of each buffer, 'Small Rx Buffers' defines how many buffers there are.</span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt;">
<b><span style="font-family: inherit;">Recommendation: <span style="color: red;">8192</span></span></b><br />
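The following audit script is an added example and is not part of the original post. It reads each adapter's advanced properties from the registry location where NDIS miniport drivers store the values shown on the Advanced tab, and compares them with the recommendations above, so that a box with dropped packets can be checked quickly and the settings reverted in a controlled way. The mapping from the Advanced-tab display names to the NDIS standardized keywords (<span style="font-family: Courier New, Courier, monospace;">*IPChecksumOffloadIPv4</span> and friends) is my assumption for the VMXNet3 driver; the ring and buffer sizes have no standardized keyword and are not covered. Nothing is written unless <span style="font-family: Courier New, Courier, monospace;">-Fix</span> is given, and <span style="font-family: Courier New, Courier, monospace;">-WhatIf</span> is honoured.

```powershell
# Added example, not from the original post: audit NIC offload settings on
# Windows 2008 against the recommendations above. PowerShell 2.0 compatible.
# Advanced-tab values live under the network class key as REG_SZ strings.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

# Recommended values from the post: 0 = disabled for the offloads, 1 = enabled for RSS.
# ASSUMPTION: these NDIS standardized keywords correspond to the display names
# used above ("IPv4 Checksum Offload", "IPv4 TSO Offload", "Large Send Offload V2 (IPv4)",
# "Receive Side Scaling", "TCP Checksum Offload (IPv4)").
$Recommended = @{
    '*IPChecksumOffloadIPv4'  = '0'
    '*LsoV1IPv4'              = '0'
    '*LsoV2IPv4'              = '0'
    '*RSS'                    = '1'
    '*TCPChecksumOffloadIPv4' = '0'
}

# Network adapter class GUID; each NNNN subkey is one adapter instance.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}'
$results  = @()

foreach ($nic in Get-ChildItem $classKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $nic.PSPath -ErrorAction SilentlyContinue
    # Skip subkeys that are not adapter instances (e.g. "Properties") and NICs without a description.
    if ($props -eq $null -or -not $props.DriverDesc) { continue }

    foreach ($keyword in $Recommended.Keys) {
        $current = $props.$keyword
        if ($current -eq $null) { continue }   # this driver does not expose the property
        $want = $Recommended[$keyword]
        $ok   = ($current -eq $want)

        $results += New-Object PSObject -Property @{
            Adapter     = $props.DriverDesc
            Keyword     = $keyword
            Current     = $current
            Recommended = $want
            Compliant   = $ok
        }

        # Remediation is opt-in and goes through ShouldProcess so -WhatIf / -Confirm work.
        # The driver re-reads the value when the adapter is disabled/re-enabled or the host reboots.
        if ($Fix -and -not $ok -and $PSCmdlet.ShouldProcess("$($props.DriverDesc) $keyword", "set to $want")) {
            Set-ItemProperty -Path $nic.PSPath -Name $keyword -Value $want
        }
    }
}

$results | Sort-Object Adapter, Keyword |
    Format-Table Adapter, Keyword, Current, Recommended, Compliant -AutoSize

# The OS-level "chimney" state is separate from the per-adapter properties;
# on 2008 it is shown with:  netsh int tcp show global
```

Run it as an administrator; a first pass with <span style="font-family: Courier New, Courier, monospace;">-Fix -WhatIf</span> lists exactly which values would change before anything is touched, which is the check you want on a production box before disabling an adapter to apply them.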
<b><span style="font-family: inherit;"><span style="color: red;"><br /></span></span></b>
<b><span style="font-family: inherit;">Cheers!</span></b></div>
Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-24743898083537943072018-04-12T18:32:00.001-06:002018-04-12T18:32:28.449-06:00Need to check secure channel on serverIf you need to check the secure channel on a server (or indeed a workstation) you can use this command:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">nltest /sc_query:MyCoolDomainName</span><br />
<br />
Cheers!Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-54233760356412356462018-04-12T10:15:00.000-06:002018-04-12T15:33:04.141-06:00Domain Controller has incorrect account flags<span style="font-family: inherit;">DCDIAG may reveal the following warning:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="color: blue; font-family: inherit;">Starting test: MachineAccount</span><br />
<span style="color: blue; font-family: inherit;">Warning: Attribute userAccountControl of SL1CDC4 is:</span><br />
<span style="color: blue; font-family: inherit;"> 0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )</span><br />
<span style="color: blue; font-family: inherit;"><br /></span>
<span style="color: blue; font-family: inherit;">Typical setting for a DC is</span><br />
<span style="color: blue; font-family: inherit;"><br /></span>
<span style="color: blue; font-family: inherit;">0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )</span><br />
<span style="color: blue; font-family: inherit;"><br /></span>
<span style="color: blue; font-family: inherit;">This maybe affecting replication</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="background-color: white; color: #333333;"><span style="font-family: inherit;">It is a bug: when a computer account is pre-created in ADUC and then promoted to a DC, its userAccountControl is set to 532512 instead of the default 532480. You need to manually set the value to 532480 in ADSIEDIT.MSC or with the following PowerShell (remove -whatif once you are happy with what it reports):</span></span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">get-adobject -filter "objectcategory -eq 'computer'" -searchbase "ou=domain controllers,dc=contoso,dc=loc" -searchscope subtree -properties distinguishedname,useraccountcontrol|select distinguishedname,name,useraccountcontrol|where {$_.useraccountcontrol -ne 532480}|%{set-adobject -identity $_.distinguishedname -replace @{useraccountcontrol=532480} -whatif}</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: inherit;">This can also involve the primary group ID. Here is the full summary:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">RW DC</span><br />
<span style="font-family: inherit;">the values should be (if you have RODCs, see the RO DC values below):</span><br />
<span style="font-family: inherit;"><br /></span>
<div class="MsoNormal" style="caret-color: rgb(33, 33, 33); color: #212121; font-family: Calibri, sans-serif; font-size: 11pt; margin: 0in 0in 0.0001pt;">
Useraccountcontrol = 0x82000</div>
<span style="font-family: inherit;"></span><br />
<div class="MsoNormal" style="caret-color: rgb(33, 33, 33); color: #212121; font-family: Calibri, sans-serif; font-size: 11pt; margin: 0in 0in 0.0001pt;">
PrimaryGroupID = 516</div>
<div class="MsoNormal" style="caret-color: rgb(33, 33, 33); color: #212121; font-family: Calibri, sans-serif; font-size: 11pt; margin: 0in 0in 0.0001pt;">
</div>
<div class="MsoNormal" style="caret-color: rgb(33, 33, 33); color: #212121; font-family: Calibri, sans-serif; font-size: 11pt; margin: 0in 0in 0.0001pt;">
RO DC</div>
<div class="MsoNormal" style="caret-color: rgb(33, 33, 33); color: #212121; font-family: Calibri, sans-serif; font-size: 11pt; margin: 0in 0in 0.0001pt;">
Useraccountcontrol = 0x5001000</div>
<div class="MsoNormal" style="caret-color: rgb(33, 33, 33); color: #212121; font-family: Calibri, sans-serif; font-size: 11pt; margin: 0in 0in 0.0001pt;">
<span style="font-size: 11pt;">PrimaryGroupID = 521</span></div>
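To make the DCDIAG warning above easier to act on, here is an added example (not code from the original post) that decodes a userAccountControl value into its flag names and checks each DC account against the expected flags and primaryGroupID listed above, reporting any unexpected bits such as the PASSWD_NOTREQD in the warning. The flag table is the standard ADS_USER_FLAG set; the sample accounts at the bottom are constructed, and the commented Get-ADObject line shows how to feed real accounts in.

```powershell
# Added example, not from the original post. PowerShell 2.0 compatible.
# Standard ADS_USER_FLAG bit values for userAccountControl.
$UacFlags = @{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

# Expected values from the post: read-write DC and read-only DC.
$Expected = @{
    'RW DC' = @{ UAC = 0x82000;   PrimaryGroupID = 516 }
    'RODC'  = @{ UAC = 0x5001000; PrimaryGroupID = 521 }
}

function ConvertFrom-UserAccountControl {
    # Return the names of the bits set in $Value, lowest bit first.
    param([int]$Value)
    $UacFlags.GetEnumerator() | Sort-Object Value |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-DcAccountFlags {
    # Accepts objects with name, userAccountControl and primaryGroupID (Get-ADObject output works).
    param([Parameter(ValueFromPipeline = $true)]$Account)
    process {
        $uac = [int]$Account.userAccountControl
        # Classify by the trust-account bits: PARTIAL_SECRETS_ACCOUNT marks an RODC,
        # SERVER_TRUST_ACCOUNT a read-write DC.
        if (($uac -band 0x4000000) -ne 0)   { $role = 'RODC' }
        elseif (($uac -band 0x2000) -ne 0)  { $role = 'RW DC' }
        else                                { $role = 'not a DC account' }

        $want  = $Expected[$role]
        $extra = ''
        $compliant = $false
        if ($want -ne $null) {
            # Bits present that the expected value does not contain (e.g. PASSWD_NOTREQD).
            $extra = (ConvertFrom-UserAccountControl ($uac -band (-bnot $want.UAC))) -join ' | '
            $compliant = ($uac -eq $want.UAC) -and ([int]$Account.primaryGroupID -eq $want.PrimaryGroupID)
        }
        New-Object PSObject -Property @{
            Name           = $Account.name
            Role           = $role
            UAC            = ('0x{0:X}' -f $uac)
            Flags          = (ConvertFrom-UserAccountControl $uac) -join ' | '
            UnexpectedBits = $extra
            PrimaryGroupID = $Account.primaryGroupID
            Compliant      = $compliant
        }
    }
}

# Constructed sample accounts: the first reproduces the DCDIAG warning above (532512 = 0x82020).
$samples = @(
    (New-Object PSObject -Property @{ name = 'SL1CDC4';      userAccountControl = 532512;    primaryGroupID = 516 }),
    (New-Object PSObject -Property @{ name = 'SL1CDC5';      userAccountControl = 532480;    primaryGroupID = 516 }),
    (New-Object PSObject -Property @{ name = 'BRANCH-RODC1'; userAccountControl = 0x5001000; primaryGroupID = 521 })
)
$samples | Test-DcAccountFlags |
    Format-Table Name, Role, UAC, UnexpectedBits, PrimaryGroupID, Compliant -AutoSize

# Against a live domain (ActiveDirectory module), replacing the constructed samples:
# Get-ADObject -LDAPFilter '(objectCategory=computer)' -SearchBase 'OU=Domain Controllers,DC=contoso,DC=loc' `
#     -Properties name,userAccountControl,primaryGroupID | Test-DcAccountFlags
```

For SL1CDC4 the report shows Role RW DC, UnexpectedBits PASSWD_NOTREQD and Compliant False, which is exactly what the DCDIAG MachineAccount test is complaining about; once the value is corrected with the one-liner above, the row turns compliant.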
Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-72587051629132218732018-04-10T14:41:00.000-06:002018-04-10T14:42:20.267-06:00DNS Resolution<br />
<b>DNS Resolution</b><br />
DNS processes and interactions involve the communications between DNS clients and DNS servers during the resolution of DNS queries and dynamic update, and between DNS servers during name resolution and zone administration. Secondary processes and interactions depend on the support for technologies such as Unicode and WINS.<br />
<br />
<b>How DNS queries work</b><br />
When a DNS client needs to look up a name used in a program, it queries DNS servers to resolve the name. Each query message the client sends contains three pieces of information, specifying a question for the server to answer:<br />
<br />
<ul>
<li>A specified DNS domain name, stated as a fully qualified domain name (FQDN).</li>
<li>A specified query type, which can either specify a resource record (RR) by type or a specialized type of query operation.</li>
<li>A specified class for the DNS domain name. For DNS servers running the Windows operating system, this should always be specified as the Internet (IN) class.</li>
</ul>
<br />
For example, the name specified could be the FQDN for a computer, such as “host-a.example.microsoft.com.”, and the query type specified to look for an address (A) RR by that name. Think of a DNS query as a client asking a server a two-part question, such as “Do you have any A resource records for a computer named ‘hostname.example.microsoft.com.’?” When the client receives an answer from the server, it reads and interprets the answered A RR, learning the IP address for the computer it asked for by name.<br />
<br />
DNS queries resolve in a number of different ways. A client can sometimes answer a query locally using cached information obtained from a previous query. The DNS server can use its own cache of resource record information to answer a query. A DNS server can also query or contact other DNS servers on behalf of the requesting client to fully resolve the name, and then send an answer back to the client. This process is known as recursion.<br />
<br />
In addition, the client itself can attempt to contact additional DNS servers to resolve a name. When a client does so, it uses separate and additional queries based on referral answers from servers. This process is known as iteration.<br />
<br />
In general, the DNS query process occurs in two parts:<br />
<br />
<ul>
<li>A name query begins at a client computer and is passed to a resolver, the DNS Client service, for resolution.</li>
<li>When the query cannot be resolved locally, DNS servers can be queried as needed to resolve the name.</li>
</ul>
<br />
<br />
Both of these processes are explained in more detail in the following sections.<br />
<br />
<b>DNS Resolution Overview</b><br />
<br />
As shown in the initial steps of the query process, a DNS domain name is used in a program on the local computer. The request is then passed to the DNS Client service for resolution using locally cached information. If the queried name can be resolved, the query is answered and the process is completed.<br />
<br />
The local resolver cache can include name information obtained from two possible sources:<br />
<br />
<ul>
<li>If a Hosts file is configured locally, any host name-to-address mappings from that file are loaded into the cache when the DNS Client service is started.</li>
<li>Resource records obtained in answered responses from previous DNS queries are added to the cache and kept for a period of time.</li>
</ul>
<br />
If the query does not match an entry in the cache, the resolution process continues with the client querying a DNS server to resolve the name.<br />
<br />
Overview of DNS Query Process<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioOuRS6wR_btdUWHDDgqEoBgD9jLogkwttoPhnZFwJRtVx5stIk_AxMM7-pNn17_NG1-r_jb-_llO6fI2Hu1Hpp0Pp8ZGmsGvLc1yBYc4n3AYvs0vt4-JbYRUscKhTJnb1BQk05egt3Y0x/s1600/DNS1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="322" data-original-width="567" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioOuRS6wR_btdUWHDDgqEoBgD9jLogkwttoPhnZFwJRtVx5stIk_AxMM7-pNn17_NG1-r_jb-_llO6fI2Hu1Hpp0Pp8ZGmsGvLc1yBYc4n3AYvs0vt4-JbYRUscKhTJnb1BQk05egt3Y0x/s1600/DNS1.gif" /></a></div>
<br />
<br />
As indicated in the preceding figure, the client queries a preferred DNS server. The server used during the initial client/server query is selected from a global list.<br />
<br />
When the DNS server receives a query, it first checks to see if it can answer the query authoritatively based on resource record information contained in a locally configured zone on the server. If the queried name matches a corresponding RR in local zone information, the server answers authoritatively, using this information to resolve the queried name.<br />
<br />
If no zone information exists for the queried name, the server then checks to see if it can resolve the name using locally cached information from previous queries. If a match is found here, the server answers with this information. Again, if the preferred server can answer with a positive matched response from its cache to the requesting client, the query is completed.<br />
<br />
If the queried name does not find a matched answer at its preferred server — either from its cache or zone information — the query process can continue, using recursion to fully resolve the name. This involves assistance from other DNS servers to help resolve the name. By default, the DNS Client service asks the server to use a process of recursion to fully resolve names on behalf of the client before returning an answer.<br />
<br />
In order for the DNS server to do recursion properly, it first needs some helpful contact information about other DNS servers in the DNS domain namespace. This information is provided in the form of root hints, a list of preliminary RRs that can be used by the DNS service to locate other DNS servers that are authoritative for the root of the DNS domain namespace tree. Root servers are authoritative for the domain root and top-level domains in the DNS domain namespace tree.<br />
<br />
By using root hints to find root servers, a DNS server is able to complete the use of recursion. In theory, this process enables any DNS server to locate the servers that are authoritative for any other DNS domain name used at any level in the namespace tree.<br />
<br />
For example, consider the use of the recursion process to locate the name “host-b.example.microsoft.com.” when the client queries a single DNS server. The process occurs when a DNS server and client are first started and have no locally cached information available to help resolve a name query. It assumes that the name queried by the client is for a domain name of which the server has no local knowledge, based on its configured zones.<br />
<br />
First, the preferred server parses the full name and determines that it needs the location of the server that is authoritative for the top-level domain, “com”. It then uses an iterative query to the “com” DNS server to obtain a referral to the “microsoft.com” server. Next, a referral answer comes from the “microsoft.com” server to the DNS server for “example.microsoft.com”.<br />
<br />
Finally, the “example.microsoft.com.” server is contacted. Because this server contains the queried name as part of its configured zones, it responds authoritatively back to the original server that initiated recursion. When the original server receives the response indicating that an authoritative answer was obtained to the requested query, it forwards this answer back to the requesting client and the recursive query process is completed.<br />
<br />
Although the recursive query process can be resource-intensive when performed as described above, it has some performance advantages for the DNS server. For example, during the recursion process, the DNS server performing the recursive lookup obtains information about the DNS domain namespace. This information is cached by the server and can be used again to help speed the answering of subsequent queries that use or match it. Over time, this cached information can grow to occupy a significant portion of server memory resources, although it is cleared whenever the DNS service is cycled on and off.<br />
<br />
<br />
The following three figures illustrate the process by which the DNS client queries the servers on each adapter.<br />
<br />
<br />
Querying the DNS Server, Part 1<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1qGQuR31Mw081YHNGZ-Cuc2lplA1Z5-bDRjTzFCFThfWHYCS57dAonqLoUrzE6cuB5KQSSRbHJzuerqXNuSTVNxmLAYZbbuIzQD0jiAH4eJs7ioKKL4ardNcHk3ZyF5eHirHKj8673MvG/s1600/DNS2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="791" data-original-width="547" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1qGQuR31Mw081YHNGZ-Cuc2lplA1Z5-bDRjTzFCFThfWHYCS57dAonqLoUrzE6cuB5KQSSRbHJzuerqXNuSTVNxmLAYZbbuIzQD0jiAH4eJs7ioKKL4ardNcHk3ZyF5eHirHKj8673MvG/s1600/DNS2.gif" /></a></div>
<br />
<br />
Querying the DNS Server, Part 2<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrSCgbDNvEFnGoCs_izpZ_dFpb6tXWh2H3UNnW-4Ukvgy7dZQ1sCJHEad6ksT9lG4qKDto-gCxMBWuURDs2L3mtdkvE1jDxPaXDJf31yShxrEHH91ihR9nhWZ3b2ovebz3QJcn6B8N7gZi/s1600/DNS3.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="649" data-original-width="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrSCgbDNvEFnGoCs_izpZ_dFpb6tXWh2H3UNnW-4Ukvgy7dZQ1sCJHEad6ksT9lG4qKDto-gCxMBWuURDs2L3mtdkvE1jDxPaXDJf31yShxrEHH91ihR9nhWZ3b2ovebz3QJcn6B8N7gZi/s1600/DNS3.gif" /></a></div>
<br />
<br />
Querying the DNS Server, Part 3<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkSdSLMYX3DNJu5qZ3gBhf3dSQpZz_vlkXj0cfuG1fCoHbfyzP86oxX5Fm2BZRss4ZC4vA5z8dwxPeSRDZQ6TZvWJ2ozMblZjRlF0iMo9X7Kmso3TZkCmL2zbUQ8mQSw4_lBaJwrp6g5th/s1600/DNS4.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="629" data-original-width="593" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkSdSLMYX3DNJu5qZ3gBhf3dSQpZz_vlkXj0cfuG1fCoHbfyzP86oxX5Fm2BZRss4ZC4vA5z8dwxPeSRDZQ6TZvWJ2ozMblZjRlF0iMo9X7Kmso3TZkCmL2zbUQ8mQSw4_lBaJwrp6g5th/s1600/DNS4.gif" /></a></div>
<br />
<br />
The DNS Client service queries the DNS servers in the following order:<br />
<br />
<ol>
<li>The DNS Client service sends the name query to the first DNS server on the preferred adapter’s list of DNS servers and waits one second for a response.</li>
<li>If the DNS Client service does not receive a response from the first DNS server within one second, it sends the name query to the first DNS servers on all adapters that are still under consideration and waits two seconds for a response.</li>
<li>If the DNS Client service does not receive a response from any DNS server within two seconds, the DNS Client service sends the query to all DNS servers on all adapters that are still under consideration and waits another two seconds for a response.</li>
<li>If the DNS Client service still does not receive a response from any DNS server, it sends the name query to all DNS servers on all adapters that are still under consideration and waits four seconds for a response.</li>
<li>If the DNS Client service does not receive a response from any DNS server, the DNS client sends the query to all DNS servers on all adapters that are still under consideration and waits eight seconds for a response.</li>
<li>If the DNS Client service receives a positive response, it stops querying for the name, adds the response to the cache and returns the response to the client.</li>
<li>If the DNS Client service has not received a response from any server within eight seconds, the DNS Client service responds with a timeout. Also, if it has not received a response from any DNS server on a specified adapter, then for the next 30 seconds, the DNS Client service responds to all queries destined for servers on that adapter with a timeout and does not query those servers.</li>
</ol>
<br />
If at any point the DNS Client service receives a negative response from a server, it removes every server on that adapter from consideration during this search. For example, if in step 2, the first server on Alternate Adapter A gave a negative response, the DNS Client service would not send the query to any other server on the list for Alternate Adapter A.<br />
<br />
The DNS Client service keeps track of which servers answer name queries more quickly, and it moves servers up or down on the list based on how quickly they reply to name queries.<br />
<br />
The following figure shows how the DNS client queries each server on each adapter.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiX1hB0kpr0GO_yww26e0JZzUmA8p8GuSu00V7m8EkptSAipc0moih_YeZMyZ1G6YyTQFeUE5osnzzEZbRmZQpFdOcAENXo1AsSt2Ac53Lc6GXeYSC3DInveFUIsykVdaN4vRGLXqZApIw/s1600/DNS5.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="312" data-original-width="501" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiX1hB0kpr0GO_yww26e0JZzUmA8p8GuSu00V7m8EkptSAipc0moih_YeZMyZ1G6YyTQFeUE5osnzzEZbRmZQpFdOcAENXo1AsSt2Ac53Lc6GXeYSC3DInveFUIsykVdaN4vRGLXqZApIw/s1600/DNS5.gif" /></a></div>
<br />
<b>Alternate query responses</b><br />
The preceding description of DNS queries assumes that the process ends with a positive response returned to the client. However, queries can return other answers as well. These are the most common query answers:<br />
<br />
<ul>
<li>An authoritative answer</li>
<li>A positive answer</li>
<li>A referral answer</li>
<li>A negative answer</li>
</ul>
<br />
An authoritative answer is a positive answer returned to the client and delivered with the authority bit set in the DNS message to indicate the answer was obtained from a server with direct authority for the queried name.<br />
<br />
A positive response can consist of the queried RR or a list of RRs (also known as an RRset) that fits the queried DNS domain name and record type specified in the query message.<br />
<br />
A referral answer contains additional RRs not specified by name or type in the query. This type of answer is returned to the client if the recursion process is not supported. The records are meant to act as helpful reference answers that the client can use to continue the query using iteration. A referral answer contains additional data such as RRs that are other than the type queried. For example, if the queried host name was “www” and no A RRs for this name were found in this zone but a CNAME RR for “www” was found instead, the DNS server can include that information when responding to the client. If the client is able to use iteration, it can make additional queries using the referral information in an attempt to fully resolve the name for itself.<br />
<br />
A negative response from the server can indicate that one of two possible results was encountered while the server attempted to process and recursively resolve the query fully and authoritatively:<br />
<br />
<ul>
<li>An authoritative server reported that the queried name does not exist in the DNS namespace.</li>
<li>An authoritative server reported that the queried name exists, but no records of the specified type exist for that name.</li>
</ul>
<br />
The resolver passes the results of the query, in the form of either a positive or negative response, back to the requesting program and caches the response.<br />
<br />
If the resultant answer to a query is too long to be sent and resolved in a single UDP message packet, the DNS server can initiate a failover response over TCP port 53 to answer the client fully in a TCP connected session.<br />
<br />
Disabling the use of recursion on a DNS server is generally done when DNS clients are being limited to resolving names to a specific DNS server, such as one located on your intranet. Recursion might also be disabled when the DNS server is incapable of resolving external DNS names, and clients are expected to fail over to another DNS server for resolution of these names. If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.<br />
<br />
By default, DNS servers use several default timings when performing a recursive query and contacting other DNS servers. These defaults include:<br />
<br />
<ul>
<li>A recursion retry interval of 3 seconds. This is the length of time the DNS service waits before retrying a query made during a recursive lookup.</li>
<li>A recursion timeout interval of 8 seconds. This is the length of time the DNS service waits before failing a recursive lookup that has been retried.</li>
</ul>
<br />
Under most circumstances, these parameters do not need adjustment. However, if you are using recursive lookups over a slow-speed wide area network (WAN) link, you might be able to improve server performance and query completion by making slight adjustments to the settings.<br />
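To make the answer kinds above concrete, here is an added Python example (not part of the original article) that builds constructed DNS response messages and classifies each one from its header flags and its answer and authority sections, including the TC (truncated) case that triggers the TCP fallback described above. It assumes the RFC 1035 wire format; the names and addresses are made up.

```python
"""Classify DNS responses into the answer kinds described in the text (authoritative,
positive, referral, negative) from the header flags and the answer/authority sections.
Added example with constructed messages; no resolver is contacted."""
import struct

# Header flag bits (second 16-bit word) and the codes used below, per RFC 1035
QR, AA, TC, RD, RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7
NOERROR, NXDOMAIN = 0, 3
A, NS, CNAME, SOA = 1, 2, 5, 6


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (uncompressed wire form)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def decode_name(msg, offset):
    """Read a name that may use compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # pointer: jump, but remember where we left off
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_response(qname, qtype, rcode=NOERROR, flags=0, answer=(), authority=()):
    """Build a constructed response; answer/authority hold (name, type, rdata) tuples."""
    header = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | flags | rcode,
                         1, len(answer), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)        # question, class IN
    for name, rtype, rdata in list(answer) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body


def parse_response(msg):
    """Return (flags, qtype, answer, authority); answer/authority are lists of (name, type)."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qtype = 12, None
    for _ in range(qd):
        _, off = decode_name(msg, off)
        rtype = struct.unpack("!H", msg[off:off + 2])[0]
        qtype = rtype if qtype is None else qtype
        off += 4                                                      # type + class
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen                                         # skip rdata
            rrs.append((name, rtype))
        sections.append(rrs)
    return flags, qtype, sections[0], sections[1]


def classify(msg):
    """Return (kind, needs_tcp). needs_tcp is the TC bit: the answer did not fit in one
    UDP message and the client should repeat the query over TCP port 53."""
    flags, qtype, answer, authority = parse_response(msg)
    if flags & 0xF == NXDOMAIN:
        kind = "negative: name does not exist"
    elif any(rtype == qtype for _, rtype in answer):
        kind = "authoritative" if flags & AA else "positive"
    elif answer or any(rtype == NS for _, rtype in authority):
        kind = "referral"        # CNAME without the queried type, or a delegation to follow
    else:
        kind = "negative: name exists but has no records of the queried type"
    return kind, bool(flags & TC)


def demo():
    """Constructed responses for www.example.com/A covering each answer kind."""
    q, ip = "www.example.com", bytes([192, 0, 2, 10])
    cases = {
        "authoritative": build_response(q, A, flags=AA, answer=[(q, A, ip)]),
        "cached positive": build_response(q, A, answer=[(q, A, ip)]),
        "cname only": build_response(q, A, answer=[(q, CNAME, encode_name("host.example.com"))]),
        "delegation": build_response(q, A, authority=[("example.com", NS,
                                                       encode_name("ns1.example.com"))]),
        "nodata": build_response(q, A, flags=AA, authority=[("example.com", SOA, b"\x00" * 22)]),
        "nxdomain": build_response(q, A, rcode=NXDOMAIN, flags=AA),
        "truncated": build_response(q, A, flags=AA | TC),
    }
    return {label: classify(msg) for label, msg in cases.items()}


if __name__ == "__main__":
    for label, (kind, needs_tcp) in demo().items():
        print(f"{label:16}-> {kind}" + (" (retry over TCP)" if needs_tcp else ""))
```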
<br />Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-80816240588586533542018-01-17T08:28:00.000-07:002018-01-17T08:28:07.492-07:00Windows Firewall, determining required portsJust a quick note on using Microsoft SysInternal utilities with the Windows firewall log.<br />
<br />
For this worked example I am going to communicate with the target server (the server with the firewall) using PSEXEC for remote execution. You could just as easily work on the server console or use PowerShell.<br />
<br />
As usual, I like to explain by real-life example.<br />
<br />
A colleague is setting up a Windows Print Server and Microsoft have provided the required protocols and ports to be opened; surprise, surprise, the information is incomplete.<br />
<br />
Step One<br />
Examine the Windows Firewall Log. By default it resides at:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">\\MyServerName\c$\Windows\System32\LogFiles\Firewall </span><br />
<br />
We can see that when the engineer tries to remotely install a driver, packets are dropped. In the log it looks like this (I have removed the date and time for brevity).<br />
<br />
The column headings are in the firewall log's header; I have highlighted the destination port.<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">DROP TCP 10.150.85.240 10.20.68.183 12387 <span style="background-color: yellow;">9001</span> 48 S 4157967098 0 8192 - - RECEIVE</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">DROP TCP 10.150.85.240 10.20.68.183 12388 <span style="background-color: yellow;">9001</span> 48 S 3357802324 0 8192 - - RECEIVE</span><br />
<br />
<span style="font-family: inherit;">In this imaginary scenario, it looks like we are dropping TCP 9001 (if you already know what that is, pretend you don't for the sake of this tutorial). So the next step is to track down what that port is being used for and whether we should be opening it. We need to get onto that server by one of:</span><br />
<br />
<ul>
<li>PowerShell</li>
<li>Console</li>
<li>RDP</li>
<li>PSEXEC</li>
</ul>
<br />
<span style="font-family: inherit;">First we will run the built-in Windows tool 'NetStat' using the syntax:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">netstat -an -o</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Which will display all the ports on which the server is listening, along with its current connections. </span><span style="font-family: inherit;">The '-a' lists all connections and listening ports, and the '-n' suppresses resolution of the addresses to which the server may have a connection, which makes the command run much faster. The '-o' displays the owning process ID, which is what we want. The output will look something like this:</span><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">Active Connections</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">Proto Local Address Foreign Address State PID</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 992</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 3812</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:8092 0.0.0.0:0 LISTENING 4</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:8495 0.0.0.0:0 LISTENING 3812</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 680</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 884</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1320</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 2212</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 760</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:49699 0.0.0.0:0 LISTENING 752</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:49710 0.0.0.0:0 LISTENING 3812</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 0.0.0.0:49713 0.0.0.0:0 LISTENING 760</span><br />
<span style="background-color: yellow; font-family: "courier new" , "courier" , monospace;">TCP 10.150.210.201:9001 0.0.0.0:0 LISTENING 42</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 10.150.210.201:50495 10.20.104.6:443 ESTABLISHED 10744</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 10.150.210.201:50496 10.20.104.6:443 ESTABLISHED 10744</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">TCP 10.150.210.201:50497 10.20.104.6:443 ESTABLISHED 10744</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: inherit;">We can see (highlighted) that port 9001 is being listened on by a process with PID (Process ID) 42. We now need to know what that process is. We can use the SysInternals tool 'tasklist': just run it and it should produce output something like this (I have trimmed the output for clarity):</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">Image Name PID SessionName Session# Mem Usage</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">==================== ==== ============= ======= ===========</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">System Idle Process 0 Services 0 4 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">System 4 Services 0 2,764 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">svchost.exe 836 Services 0 23,516 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">svchost.exe 884 Services 0 16,544 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">svchost.exe 1104 Services 0 26,160 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">WUDFHost.exe 1184 Services 0 2,984 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">svchost.exe 1320 Services 0 65,344 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">dasHost.exe 1744 Services 0 6,912 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">svchost.exe 2020 Services 0 6,648 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">hpservice.exe 1256 Services 0 1,144 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">svchost.exe 1080 Services 0 4,808 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">svchost.exe 2156 Services 0 9,364 K</span><br />
<span style="background-color: yellow; font-family: "courier new" , "courier" , monospace;">spoolsv.exe 42 Services 0 16,140 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">wrapper.exe 2408 Services 0 2,336 K</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">mDNSResponder.exe 2424 Services 0 2,832 K</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">If we examine this list we can see (highlighted) that PID 42, the process listening on port 9001, is 'spoolsv.exe', so this all provides us with a set of clues:</span><br />
<br />
<ol>
<li>When we investigate the origin of the dropped traffic in the firewall log we discover that the IP belongs to the workstation we are testing our PrintServer from.</li>
<li>Researching port 9001 reveals it to be the HP JetDirect printing port.</li>
<li>Spoolsv.exe is the Windows Print Spooler.</li>
</ol>
<div>
So it's a good bet this is something we need to open on the firewall of the print server. When you add the rule, scope it to TCP 9001 from the print clients' addresses rather than opening the port to any source.</div>
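As an added example (not the post's own tooling), the following Python script automates the three-step correlation above: it parses inbound DROP entries from the firewall log, looks up the dropped port in netstat -an -o output, and maps the owning PID to an image name from tasklist. The three text samples are constructed from the excerpts in this post; the UDP 5355 and ALLOW lines are added to show what a non-matching entry looks like.

```python
"""Correlate inbound DROP entries in a Windows Firewall log with the process that owns
the dropped port, using the output of netstat -an -o and tasklist.
Added example, not the post's own tooling; the samples below are constructed from the
excerpts in the post (the UDP 5355 and ALLOW lines are added for contrast)."""
import re

FIREWALL_LOG = """\
DROP TCP 10.150.85.240 10.20.68.183 12387 9001 48 S 4157967098 0 8192 - - RECEIVE
DROP TCP 10.150.85.240 10.20.68.183 12388 9001 48 S 3357802324 0 8192 - - RECEIVE
DROP UDP 10.150.85.240 10.20.68.183 50123 5355 63 - - - - - - RECEIVE
ALLOW TCP 10.150.85.240 10.20.68.183 12390 445 52 S 2205512200 0 8192 - - RECEIVE
"""

NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       992
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.150.210.201:9001    0.0.0.0:0              LISTENING       42
  TCP    10.150.210.201:50495   10.20.104.6:443        ESTABLISHED     10744
  UDP    0.0.0.0:5353           *:*                                    2424
"""

TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0      2,764 K
spoolsv.exe                     42 Services                   0     16,140 K
mDNSResponder.exe             2424 Services                   0      2,832 K
"""

DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def parse_firewall_drops(text):
    """Yield (proto, dst_port, src_ip) for inbound DROP entries. Real log lines start with
    date and time; the post trimmed those, so both layouts are accepted."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) > 2 and DATE.fullmatch(fields[0]):
            fields = fields[2:]                      # drop date and time
        if len(fields) < 7 or fields[0] != "DROP" or fields[-1] != "RECEIVE":
            continue
        _, proto, src, _, _, dport = fields[:6]
        yield proto, int(dport), src


def parse_listeners(text):
    """Map (proto, local port) -> PID for LISTENING TCP sockets and bound UDP sockets."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP" and fields[3] != "LISTENING":
            continue
        port = int(fields[1].rsplit(":", 1)[1])      # also handles [::]:135
        listeners[(fields[0], port)] = int(fields[-1])
    return listeners


def parse_tasklist(text):
    """Map PID -> image name. Names may contain spaces ('System Idle Process'), so the
    PID is taken as the first numeric field after the name."""
    images = {}
    for line in text.splitlines():
        fields = line.split()
        for i, field in enumerate(fields):
            if i > 0 and field.isdigit():
                images[int(field)] = " ".join(fields[:i])
                break
    return images


def correlate(firewall_log, netstat_output, tasklist_output):
    """Return {(proto, port): {"pid", "image", "sources"}}. image is None when nothing on
    the host listens on that port: such drops are noise or probes, not a missing rule."""
    listeners = parse_listeners(netstat_output)
    images = parse_tasklist(tasklist_output)
    report = {}
    for proto, port, src in parse_firewall_drops(firewall_log):
        pid = listeners.get((proto, port))
        entry = report.setdefault((proto, port),
                                  {"pid": pid, "image": images.get(pid), "sources": set()})
        entry["sources"].add(src)
    return report


if __name__ == "__main__":
    for (proto, port), entry in sorted(correlate(FIREWALL_LOG, NETSTAT, TASKLIST).items()):
        owner = f"PID {entry['pid']} ({entry['image']})" if entry["pid"] else "no listener"
        print(f"{proto} {port}: {owner}; dropped from {', '.join(sorted(entry['sources']))}")
```

On a live host, feed it the saved pfirewall.log and the captured output of netstat -an -o and tasklist instead of the constructed samples.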
<br />
<br />Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-6354505124985536252017-10-30T14:39:00.000-06:002017-10-30T14:39:17.060-06:00Copy DACL from one folder to anotherIf you ever need to copy the access rights from one folder to another, this will help. This is also useful in cases where you need to duplicate the permissions from a folder to a recently re-created junction link.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">Get-Acl -Path SourceFolder | Set-Acl -Path DestinationFolder</span><br />
<br />
Here is an example:<br />
<br />
Original State<br />
<br />
<ul>
<li>There is a folder on the G: drive called 'Medicine'</li>
<li>There is a junction point on 'E:\Shared\Medicine' which points to the folder.</li>
<li>The permissions on the junction point are identical and complex</li>
</ul>
<div>
<br />
Some hero then deletes the junction point. This is then recreated thus:</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">mklink /j "E:\Shared\Medicine" "G:\Medicine"</span></div>
<div>
<br /></div>
<div>
We can then restore the junction link's missing DACL using PowerShell thus:</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Get-Acl -Path "G:\Medicine" | Set-Acl -Path "E:\Shared\Medicine"</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Cheers!</span></div>
Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-65200846243932212912017-08-02T09:11:00.000-06:002017-08-02T09:11:45.066-06:00Dump or Search for SPN recordsHere you go:<br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">#########################</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$SearchCriteria = "CX" # ----- What you search for</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">#########################</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$search.filter = "(servicePrincipalName=*)"</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$results = $search.Findall()</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Foreach($result in $results)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">{</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>$userEntry = $result.GetDirectoryEntry()</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>If($($userEntry.name) -like "*$SearchCriteria*")</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>{</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>Write-host "Object Name = " $userEntry.name -backgroundcolor "yellow" -foregroundcolor "black"</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>Write-host "DN = " $userEntry.distinguishedName</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>Write-host "Object Cat. = " $userEntry.objectCategory</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>Write-host "servicePrincipalNames"</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>$i=1</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>foreach($SPN in $userEntry.servicePrincipalName)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>{</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>Write-host "SPN(" $i ") = " $SPN</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>$i += 1 # increment on its own line; on the Write-host line it would be printed as text</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>}</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>Write-host ""</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="white-space: pre;"> </span>}</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">}</span><br />
<div>
<br /></div>
Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-73616325780907187052017-07-22T01:30:00.001-06:002017-07-22T01:30:26.609-06:00Switch off ellipses in Scrivener<br />
So you want Scrivener to stop converting three periods into an ellipsis? You think you only need to switch off the bottom of the two options in the picture below? No, you have to switch off BOTH of the options because the two are linked within the Apple API. This is not a Scrivener issue.<br />
<br />
Cheers!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrg8cKmtUZxyXm5eoJH_UAaojGa11q67z8uRtbJFvqlB6NtHd4CQJrFpaY6tpbHUyggSYMb2tPX7p_ttkg6XYLUZeC71czI_v6e1NSW2JvnH0xXSZ22Z94SVSk2FxQpiNc7CN8yxCgf-qq/s1600/Dots.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1194" data-original-width="1594" height="478" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrg8cKmtUZxyXm5eoJH_UAaojGa11q67z8uRtbJFvqlB6NtHd4CQJrFpaY6tpbHUyggSYMb2tPX7p_ttkg6XYLUZeC71czI_v6e1NSW2JvnH0xXSZ22Z94SVSk2FxQpiNc7CN8yxCgf-qq/s640/Dots.jpeg" width="640" /></a></div>
<br />Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-67279510234535736702017-07-12T13:05:00.003-06:002017-07-12T13:07:18.191-06:00Event ID 7023 "The Data Sharing Service service terminated with the following error: %%3239247876"You may see this on Server 2016 which may shutdown all file shares.<br />
<br />
This is caused by the UAL Service ('User Access Logging Service'), which is responsible for logging access requests to the Security Event Log coming into conflict with the DS Service ('Data Sharing Service'), which is obviously responsible for file sharing.<br />
<br />
They conflict as they try to share certain system DLLs.<br />
<br />
The solution is to reconfigure both services so that each runs in its own (tiny) process rather than a shared host process, which is what type= own does (sc.exe requires the space after the '='). This can be achieved using the Service Configuration Tool (sc.exe) thus:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">sc.exe config ualsvc type= own</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">sc.exe config dssvc type= own</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Cheers!</span>Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com1tag:blogger.com,1999:blog-6820634272434787526.post-19460420419217550172017-07-11T10:41:00.000-06:002017-07-11T10:41:37.420-06:00Default Permissions Issues in Server 2016<span style="color: red; font-family: "courier new" , "courier" , monospace;">* This article published in a hurry, will tidy later *</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">This error:</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">Log Name: System</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Source: Microsoft-Windows-DistributedCOM</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Date: 7/11/2017 9:04:32 AM</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Event ID: 10016</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Task Category: None</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Level: Error</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Keywords: Classic</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">User: SYSTEM</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Computer: SL2TDC4.MyDomain.ORG</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Description:</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">{<span style="color: blue;">8D8F4F83-3594-4F07-8369-FC3C3CAE4919</span>}</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> and APPID </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">{<span style="color: blue;">F72671A9-012C-4725-9D2F-2A4D32D65169</span>}</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
So this is a permissions issue related to the 'Connected Devices Platform' and can cause the NIC to fail during Windows updates. Here is how to fix it:<br />
<br />
<ul>
<li>Open REGEDIT navigate to HKEY_CLASSES_ROOT\CLSID\{<span style="color: blue;">8D8F4F83-3594-4F07-8369-FC3C3CAE4919</span>}</li>
<li>Right-Click, select permissions</li>
<li>Click Advanced</li>
<li>Change Ownership to Administrators</li>
<li>Check the "replace all child object permissions entries with inheritable permissions from this object" checkbox</li>
<li>Click OK</li>
<li>Click YES</li>
<li>Edit permissions to provide Administrators FULL CONTROL if it is not already set.</li>
</ul>
<div>
<ul>
<li>Now go to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\<span style="color: blue;">{F72671A9-012C-4725-9D2F-2A4D32D65169}</span></li>
<li>Right-Click, select permissions</li>
<li>Click Advanced</li>
<li>Change Ownership to Administrators</li>
<li>Check the "replace owner on subcontainers and objects" checkbox</li>
<li>Click OK</li>
<li>Click YES</li>
<li>Edit permissions to provide Administrators FULL CONTROL if it is not already set.</li>
</ul>
<div>
<br /></div>
</div>
<div>
<ul>
<li>Next, run COMEXP from an admin cmd prompt</li>
<li>Navigate down to Component Services\My Computer\DCOM Config\{F72671A9-012C-4725-9D2F-2A4D32D65169}</li>
<li>Right-Click select properties then the Security tab</li>
<li>Select Customize on the 'Launch and Activation Permissions'</li>
<li>Select Edit</li>
<li>Add Local Service from the local SAM</li>
<li>Check 'Local Activation'</li>
<li>OK, OK</li>
<li>Reboot</li>
</ul>
<div>
Repeat for all instances of EventID 10016 (System Event Log)</div>
<div>
<br /></div>
<div>
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><b>Connected Devices Platform (NIC Disconnects)</b></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: blue;">CLSID {</span><span style="color: blue;">8D8F4F83-3594-4F07-8369-FC3C3CAE4919</span><span style="color: blue;">}</span></span></div>
</div>
<br />
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">APPID {F72671A9-012C-4725-9D2F-2A4D32D65169}</span><br />
<span style="color: blue; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><b>RuntimeBroker (Memory Leak)</b></span><br />
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160}</span><br />
<div>
<span style="color: blue; font-family: "courier new" , "courier" , monospace;">APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}</span></div>
<br />Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0tag:blogger.com,1999:blog-6820634272434787526.post-86740952908411049572017-07-08T15:30:00.003-06:002017-07-08T15:30:59.654-06:00Icons wrong on Microsoft Office Documents (Mac OS)Delete /Library/Caches/com.apple.iconservices.store.<br />
<br />
You will need to enter your administrator password for this.<br />
<br />
Reboot<br />
<br />
Cheers!<br />
Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com1tag:blogger.com,1999:blog-6820634272434787526.post-52490302831139730712017-07-07T15:27:00.000-06:002017-07-07T15:27:05.334-06:00Redirect HOME folders on a MacI have always liked to separate my data from the system files on my Mac. That way I can use TimeMachine to restore an earlier version of my system drive without worrying about reverting my documents and vice-versa. Call it personal style, but this is how you do it:<br />
<br />
I will take you through processing the DOCUMENTS folder, then you can rinse and repeat for MUSIC, PICTURES or whatever you want.<br />
<br />
* DON'T BE A MORON, BACKUP YOUR DATA FIRST *<br />
<br />
<ul>
<li>Create your target folder on your separated data drive. In my case a folder called 'Documents'</li>
<li>Now we need to maintain the icon the easy way before we lose it by deleting the original folder. So, open a Get-Info window for both the original and the new folders. At the tippy-top of the Get-Info window is a miniature version of the icon. We are going to copy and paste it from the original to the new. It's a little weird: don't bother right-clicking for a context menu, there isn't one. This is what you do - click the miniature version of the original and the icon will have a glow around it. CTRL-C. Go to the miniature icon in the Get-Info for the new folder, click it until it glows. CTRL-V.</li>
<li>The next step is to replace the existing 'Documents' folder with a junction link. Since it will replace the existing 'Documents' folder we need to delete it. (Repeat) we will be deleting the documents folder, so BACK IT UP!</li>
<li>Launch a terminal window and enter</li>
</ul>
<span style="font-family: Courier New, Courier, monospace;">chmod -R -N ~/Documents</span><br />
<br />
<ul>
<li>That will change the permission on that folder to allow you to delete it, now we will delete it.</li>
</ul>
<div>
<span style="font-family: Courier New, Courier, monospace;">rm -rf ~/Documents</span></div>
<div>
<ul>
<li>You should see your regular Documents folder vanish. It may come back after a few seconds as some Apple watchdog process corrects what it thinks is an error condition. Don't worry, just run it again and move on to the next command as quickly as you can, and that is to create the symbolic link that replaces the regular folder and points to your new folder:</li>
</ul>
<div>
<span style="font-family: Courier New, Courier, monospace;">ln -s /Volumes/Data/Documents ~/Documents</span></div>
</div>
<div>
<ul>
<li>Replace the word 'Data' with the name of the drive that contains your new Documents folder.</li>
<li>Job done, you should now have a redirect in place. You can prove that by manually placing a file in the new folder, then navigate to your Documents folder using the 'GO' menu on the taskbar.</li>
</ul>
<div>
Cheers!</div>
</div>
Mick Putleyhttp://www.blogger.com/profile/17265754590877768307noreply@blogger.com0