Sending vCard – “You can’t send a message on behalf of this user unless you have permission to do so … ” – Outlook 2010

Posted on December 12, 2011

If you run into this message while trying to forward a vCard using Outlook 2010 (likely 2007 as well), you are dealing with a hidden x400 "FROM" address inside the contact metadata. When a contact is created, outlook will cache the "from" address and reference it instead of the actual account being used to send. You will see this when contacts are imported and exported between exchange services, and apparently POP3 as well.

Sadly, there are only 2 resolutions and neither of them are global.

1) When you see the “FROM” field appear while forwarding a contact, manually click "From" -> "other e-mail address" -> and choose your name from the list.
This will change the “from” address to your correct address, hit send, and life is good.

2) You can manually create new contacts and copy the information from the old to the new.
DO NOT right click and copy a contact, you need to make a new contact and copy each field over individually.
If you copy a contact, it will transfer the x400 metadata.
I strongly feel this is a bug and Microsoft should look at removing the reference to the old address.

 

How to find all users in active directory with the “password expires” setting enabled or disabled

Posted on October 12, 2011

Just quick tip for those running into the need to query users who's passwords are set to expire, or vice versa.
Open up the Windows PowerShell and use the two following commands:

1) To show your list of users and their settings
dsquery user "ou=someOU,dc=yourdomain,dc=ca" -limit 0 | dsget user -email -pwdneverexpires

2) To update all users to yes or no
dsquery user "ou=someOU,dc=yourdomain,dc=ca" -limit 0 | dsmod user -pwdneverexpires yes

This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes.

Posted on October 7, 2011

I ran into a unique situation where removing an exchange database was testing my sanity and I definitely want to post the solution for anyone else that runs into the same issue.

Here's the scenario: Exchange 2010. You are looking to move all mailboxes out of a particular database. After moving all the mailboxes you request exchange to remove the database through the EMC or shell, when suddenly:

This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database <Database ID>. To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Archive. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Arbitration. To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID>. To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -Archive. Arbitration mailboxes should be moved to another server; to do this, run the command New-MoveRequest <parameters>. If this is the last server in the organization, run the command Disable-Mailbox <Mailbox ID> -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox. Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan <MailboxPlan ID> -Database <Database ID>.

As you are a brilliant IT wizard, you immediately remember to check if you moved all the archive and arbitration mailboxes.

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes" -Archive
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes" -Arbitration
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes"

No results are returned ... why does exchange think there are mailboxes left inside?
Good question!

When the database removal request begins a validation process is completed to ensure no user mailbox attributes are linked to the database. In very rare instances, you may find a particular attribute has failed to update or be reset and thus ... it fails. In our particular case, an existing mailbox had the "online-archive" feature removed and during the process, the "msExchArchiveDatabaseLink:" attribute was still referencing this old database. So how did we find it?

Easy!

1) Load the command prompt and run "dsquery * domainroot -attr * -limit 0 > results.txt"

This will dump the attributes for every object in AD to a text file you can search through.

2) Open the text file with notepad and search for a unique string from your database name. In our case, "Testing" worked out great from "Staff & Testing mailboxes"

3) We found the single attribute that was causing the removal process to think there were still active mailboxes in the database.

msExchArchiveDatabaseLink: CN=Staff & Testing Mailboxes,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXXXXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXXXX,DC=XXX

If you look directly above this row, you will find a few values that will help you identify the user account in question that has this attribute set.
In our case, we found these records a few lines above:

sAMAccountName: jon
userPrincipalName: jon@doe.com
mail: jon@doe.com

Now we know which user has a reference to the old database, and which attribute.

4) Load ADSIEDIT.MSC and browse to the user object under the default naming context. Right click the object, properties, scroll down until you find "msexcharchivedatabaselink" and clear it. After you save it should be "<not set>".

If you're not familiar with ADSIEDIT, open it, choose the default naming context and you will be provided with a list of objects similar to your active directory users/computers. When you find the user that had the bad link, right click their object and select properties. Within is a fantastic list of all sorts of attributes ... including the one you need to change (msexcharchivedatabaselink).

BE CAREFUL USING ADSIEDIT ... you can do SERIOUS damage. You've been warned!

After you reset this value, try removing the database again and you should find success. If not, run the dsquery again and look for other objects referencing the old database.

 

Some other things to mention ... although likely not necessary ... during the process, I also:

- Deleted the System Mailbox record for this database using the DSQUERY Results and ADSIEDIT ... not sure if this was another contributing factor to the success.

- With SP1, mailboxes are moved and the existing copy is left in the old database as a disconnected "SoftDeleted" status. I manually removed these as well, not sure it this was another contributor factor to the success.

If you want to remove all disconnected mailboxes from a database, run the following command

Get-MailboxStatistics –Database “dbname” | Where-Object {$_.DisconnectReason –eq “Disabled”} | ForEach {Remove-StoreMailbox –Database $_.database –identity $_.mailboxguid –MailboxState Disabled }

If you want to remove all soft-deleted mailboxes from a database, run the following command

Get-MailboxStatistics –Database “dbname” | Where-Object {$_.DisconnectReason –eq “Softdeleted”} | ForEach {Remove-StoreMailbox –Database $_.database –identity $_.mailboxguid –MailboxState Softdeleted }

Thanks to: http://www.howexchangeworks.com/2010/09/purge-disconnected-or-soft-deleted.html
For the softdelete info!

Trend Micro – Worry Free Business Security – Firewall Port Ranges Failing/Not Working

Posted on July 18, 2011

We recently applied an upgrade from Worry Free Business Security 6.0 SP3 to 7.0. After the upgrade we noticed whitelisted Ephemeral and other port ranges in the firewall policies were not allowing traffic in. After numerous hours verifying everything was correctly setup we got in touch with Trend Micro and they sent back a patch to resolve the issue. We haven't seen this online yet, so I figure this may help a few of you.

--------------------------------------------------------------------------------

Good Day.

Please apply the attached Hotfix to the WFBS Server. Unzip password: novirus
Let the agents update afterwards then observe if the issue persists.

We are looking forward to your reply.

Technical Support – Worry-Free Products and Services Trend Micro, Inc. “Securing Your Journey to the Cloud”

--------------------------------------------------------------------------------

Download: http://www.sirk.ca/downloads/WFBS_70_WIN_All_HFB1461.zip

After applying this patch and allowing the update to propagate down to the clients, the port ranges started allowing traffic through.

Windows 2008 R2 – cryptosvc – the service name is invalid – windows backup fails – sfc fails – windows updates fail

Posted on July 11, 2011


The title of this article sounds ... well just terrifying. If you run into a system with this many issues, its likely easier to just rebuild it from scratch, right? WRONG! I'm stubborn and figure some things are worth the challenge. Ultimately, this was a fairly critical exchange server that would take a lot of work to rebuild.

To approach a problem like this, we follow the trail of issues.

First noticed issues: Windows Backups are failing and Windows Updates will not install.
The system is Windows 2008 R2 64bit Enterprise Edition with Exchange 2010 SP1.

1) Verify the system filesystem integrity using SFC

C:\>sfc /scannow
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log

From this you would normally interpret corruption and seek out the affected files by using the following command:

C:\Windows\system32>findstr/C:"[SR] Cannot repair member file" %windir%\Logs\CBS\CBS.log

The interesting thing in our case was the "findstr" command returned nothing. So we skipped this step and moved onto the next one for the time being. Who wants to dig through tens of  thousands of lines? not me!

2) Diagnose and attempt to repair the Windows Backup issues

The Windows Backup utility was failing with "The operation was stopped. Detailed Error: The System Writer is not found in the backup". System State Backup Failed. 

First thing to check is THAT exactly.

c:\> vssadmin list writers

You're looking for this:

Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Instance Id: {05407ce0-b537-4973-a731-e7ed614a9a9e}
   State: [1] Stable
   Last error: No error

If your list does not include the "System Writer", that's a problem. A fairly common one at that. The windows backup utility requires this tool.

If you dig around online you'll find an arsenal of articles outlining permission errors on a specific set of windows folders that cause the System Writer to fail. We've done the research for you. The following script will reset permissions on those folders back to default.

Create a batch file called "fixPermissions.bat" and copy/paste the following:

------------------------------------------------------------------------------------------------------------
Takeown /f %windir%\winsxs\filemaps /a

icacls %windir%\winsxs\filemaps  /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps  /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps  /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps  /grant "Administratoren:(RX)"
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.*  /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.*  /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.*  /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps\*.*  /grant "Administrators:(RX)"
Takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames  /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant "BUILTIN\Users:(RX)"
Takeown /f %windir%\winsxs\temp\PendingRenames\*.* /a
icacls %windir%\winsxs\temp\PendingRenames\*.*  /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "BUILTIN\Users:(RX)"

net stop cryptsvc && net start cryptsvc
------------------------------------------------------------------------------------------------------------

Run it from an elevated command prompt to ensure you have adequate permissions. As the impressive matrix like text runs down your screen, take notice to the very last command when it all finishes.

"net stop cryptsvc && net start cryptsvc"

You should see this:

The Cryptographic service is stopping..
The Cryptographic service was stopped successfully.
The Cryptographic service is starting.
The Cryptographic service was started successfully.

At this point reboot your system and run "vssadmin list writers" to verify if the "System Writer" is now listed. If so, you can test your backup again and it's likely to be working. If the VSS Writer is NOT Listed, but the "Net start cryptsvc && net start cryptsvc" was successful, you are experiencing a different issue and the following steps are not applicable (Please contact our support team if you require assistance).

In our case, the "cryptsvc" doesn't appear to be registered correctly. Instead or returning the successful stop/start on the Cryptographic service, we received:

The service name is invalid.
More help is available by typing NET HELPMSG 2185.

3) Verify the Cryptographic service is enabled and operating correctly

Start -> services.msc

Wait! "The service name is invalid" actually means it's not registered and you'll likely realize that when you can't find the service in the services list.

At this point you'll likely start wondering how the? where did it go? We honestly couldn't tell you, but it's really easy to fix. Using another Windows 2008 R2 System, export the missing registry values .

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc

If you load regedit and browse to this location, you'll notice the CryptSvc is missing. On your secondary system, right click the CryptSvc and export it to a file. You can then double click this file on your problematic system to import the missing values.

If you do not have access to another system, copy the content below into a registry file and double click to load.

File Name: cryptsvc.reg (use whatever you want as long as it ends in .reg)
------------------------------------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc]
"DisplayName"="@%SystemRoot%\\system32\\cryptsvc.dll,-1001"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,00,00
"Description"="@%SystemRoot%\\system32\\cryptsvc.dll,-1002"
"ObjectName"="NT Authority\\NetworkService"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
  00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
  00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="CryptServiceMain"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc\Security]
"Security"=hex:00,00,0e,00,01

------------------------------------------------------------------------------------------------------------

Once you've loaded the registry file and repaired the missing data, reboot your system. You should now see the "Cryptographic Services" running in the "services.msc" list, "sfc /scannow" will return no errors, the "System Writer" will show up in the "vssadmin list writers" list, and your Windows Backup and Windows Updates will complete successfully.

Hopefully this helps you avoid a complete re-installation!

 

The session setup from the computer %% failed to authenticate. The following error occurred: Access is denied.

Posted on May 7, 2011

Event ID: 5805
The session setup from the computer %computername% failed to authenticate. The following error occurred:
Access is denied.

We ran into a client with PCs that would not authenticate to his domain controllers.
After further investigations, the client had configured an RODC for a remote office and had not yet added the specific user or computer groups to the trusted list.

Just for those how are not aware, EVERY COMPUTER in a domain has an account (just like a user account, except it ends with $).

Add User & Computer Security Groups to the RODC Cache:
Active Directory Users & Computers ->  Right Click -> Properties of the RODC ->  Password Replication Policy -> Add
Choose the Computers individually or add the entire "Domain Computers" security group, or even better, create a new security group for the specific computers you would like this RODC to authenticate.

Once you've added them to the "allow" status in this window, reboot the PC and allow 15+ minutes for replication to the RODC to complete.

Voila!

Sharepoint Foundation 2010 Search returns no results

Posted on April 20, 2011

SharePoint foundation 2010 includes basic searching features. Despite all rumors and recommendations to upgrade to higher level searching packages, the basic SharePoint search works quite well ... and it's very useful.

If your SharePoint server is not returning search results, the following may help you resolve the issue. It's important to create the right accounts, enable the right services, assign the accounts to these services and finally attach the search server to your web applications.

Let's begin ...

1) You need to create (2) domain accounts for Searching and Crawling. Using the Farm Account (or default accounts) is not recommended. In our example we will use "spSearch" and "spCrawl". Use complex passwords!! These domains accounts should only be standard users, no administrative privileges should be applied.

2) Log into the SharePoint Central Administration Page

3) CA > Security > General Security > Configure Managed Accounts > Register Managed Account.

  • Enter in "domain\spSearch" and the password you chose
  • Click "OK".
  • You should now see this account in the Managed Account list

3) CA > System Settings > Servers > Manage Services on Server > SharePoint Foundation Search -> Start.

  • Service Account -> "Domain\spSearch"
  • Content Access Account (Crawl) -> "Domain\spCrawl" and the password you chose
  • Leave everything else as defaults (you can change the Database Name if you are having issues)

4) CA > Security > General Security > Configure service accounts

  • Choose "Windows Service -> SharePoint Foundation Service"
  • Choose "Domain\spSearch" for the account selection
  • Click "OK"

5) CA > Application Management > Manage Content Databases

  • This is important! For each site you want automatically crawled, you must assign the search server.
  • In the top right corner under "Web Application", choose the web applications to be crawled, one at a time followed by a click on the "database name" column once they are loaded.
  • In the profile page, change the "Search Server" and "Preferred Server for Timer Jobs" to your server.
  • Click "OK"
  • Repeat for any other Website Applications you wish crawled

6> CA > Monitoring > Timer Jobs > Review Timer Jobs > SharePoint Foundation Search Refresh

  • Choose "Run Now" to begin indexing your web applications (sites)
  • This can take several hours depending on the size of your database(s). Please be patient.

7> If you're feeling eager and have a background in SQL, you can use the SQL Management Studio to check the progress. If you are not familiar with SQL, don't be a hero ... this can cause major damage.

  • Load the SQL Management Studio
  • Expand the search database created in the earlier steps (typically WSS_Search_%hostname%)
  • Right click the database -> new query
  • Enter in the following Query:select * from msscrawlhostlist
    (execute)

    You will be presented with a table of results including a column for Hostname and SuccessCount.
    SuccessCount increases as it indexes each page.

  • You can also lookup the crawl summary with:select * from MSSCrawlURLLog
  • And should there be any error codes in the MSSCrawlURLog, they can be referenced with:select * from MSSCrawlErrorList where ErrorID = '<ERRORID>'

If you run into issues where things are still not being crawled, i would suggest deleting the spCrawl and spSearch from SharePoint and Active Directory, re-creating them from scratch, repeating this entire process, and changing the "database" value in step 3). This will re-create the crawling database from scratch.

Good luck!

PDF icon missing in Sharepoint 2010

Posted on April 13, 2011

The default installation of SharePoint 2010 does not include an icon for PDF documents.
Here's how to fix that:

  • Log onto the sharepoint server
  • Browse to "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\IMAGES"
  • Save the following image into this folder: (right click to save to your PC)
  • Browse to "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\XML"
  • Edit "DOCICON.XML"
  • Add the following line '<Mapping Key=”pdf” Value=”icpdf.png”/>' into the existing items
  • Save the modified XML file
  • Start -> Run -> iisreset /noforce

That's it!

PDF icon will now show up whenever a PDF document is listed.

Win XP RDP client fails to print Calibri font correct when connected to Win 2008 Server

Posted on April 11, 2011

Windows XP users using RDP to a Windows 2008 server may experience issues printing documents that contain Calibri. Locations that are not formatted with Calibri will print normally. This issue persists when using the Easy Print feature with XPS.

This is a known issue and Microsoft has released a hotfix for it.
Sadly, as you read the attached hotfix info you will notice that you have to call them to get the file.

http://support.microsoft.com/kb/946411

We located it here:

http://thehotfixshare.net/board/index.php?autocom=downloads&showfile=9930

(although we recommend calling microsoft to get it, you can likely find it online somewhere)

After installation, the RDP clients were printing Calibri correctly.

(BES) Blackberry Enterprise Activations – SMTP/Whitelist for in-bound activation e-mails

Posted on March 14, 2011

When adding a new user to your Blackberry Enterprise Server, a very specific e-mail is sent to the user's inbox with an activation password. The e-mail is NOT sent locally within your network. Your local BES server will issue the request through one of the many external blackberry servers housed all over the world. To ensure the mail arrives, add the following networks to your spam whitelist to allow delivery.

IP Address Netmask
206.51.26.0 / 24 255.255.255.0
193.109.81.0 / 24 255.255.255.0
204.187.87.0 / 24 255.255.255.0
216.9.240.0 / 20 255.255.240.0
93.186.16.0 / 20 255.255.240.0
68.171.224.0 / 19 255.255.224.0
206.53.144.0 / 20 255.255.240.0
67.223.64.0 / 19 255.255.224.0
74.82.64.0 / 19 255.255.224.0
173.247.32.0 / 19 255.255.224.0
178.239.80.0 / 20 255.255.240.

If you do not whitelist these networks and you do filter spam, don't say we didn't warn you!