Wednesday, October 27, 2010

Cool link for ActiveSync-related issues

Thursday, October 14, 2010

Mastering Exchange Management Shell commands

Cool link about Exchange Management Shell commands

PowerShell basics for the Exchange admin

If you've done any work with Exchange Management Shell (EMS) commands, you know that many of them can be lengthy and complex, especially when you pipe multiple commands together. Since certain administrative tasks in Exchange Server 2007 and Exchange 2010 can only be performed from the command line, familiarity with EMS cmdlets isn't optional.

Having to type long and complex commands isn't always a good use of your time. If, for example, there's a specific administrative action that you perform regularly, it's a waste of time to manually issue the same command every time you need to perform the action. Additionally, certain administrative tasks can be destructive if performed incorrectly, and manually typing long commands greatly increases your chances of making a mistake. In these situations, it's better to create a PowerShell script.

Historically, scripting has earned a bad reputation among admins. But PowerShell scripts deserve a second chance. Since a PowerShell script is simply a text file that contains one or more PowerShell commands, writing one is as easy as issuing individual PowerShell commands.

For example, let's create a simple PowerShell script by adapting the following command into a script:

Get-Mailbox | Format-Table Name, ServerName

This command retrieves a list of all Exchange mailboxes in the organization. The results are piped into the Format-Table cmdlet, which produces a table showing the name of each mailbox and the name of the server hosting it. To convert this into a script, let's break it into two lines. The break occurs at the pipe symbol, which tells PowerShell that the command continues on the next line:

Get-Mailbox  |
Format-Table Name, ServerName

To turn these commands into a script, save them to a file by typing the commands into Microsoft Notepad and then saving the document with a .ps1 extension. For this example, I saved the text file as Sample.ps1.

How you execute the script depends on where it's launching from. In most cases, you'll launch scripts from within EMS.

Before you run a script you need to know the name of the script and its location. In my example, I took the Sample.ps1 script and placed it in the C:\scripts folder that I created on my Exchange server.

Even though we gave the script the .ps1 file extension, Windows won't execute the script automatically, and PowerShell deliberately does not run a script from the current directory by name alone. You need to tell the shell where the script is by typing a period (.), then a backslash (\) and the name of the script (PowerShell also accepts a forward slash here). For example, to run the Sample.ps1 script from its own folder, you would type:

.\Sample.ps1

This example is simple because I haven't taken the script's location into account. This method only works if the shell's current directory is the folder that contains the script, C:\scripts in my case. If it isn't, you need to switch to the correct folder before calling the script.

To switch to the C:\Scripts folder and run the Sample.ps1 script, open Exchange Management Shell and enter the following commands:

CD \Scripts
.\Sample.ps1

If you want to include the script's location in the call, open Exchange Management Shell and enter this command:

C:\Scripts\Sample.ps1

The command doesn't include the dot-backslash (.\) because EMS doesn't require it when you supply the script's full path in the call. The prefix only means "in the current directory", so putting it in front of a full path does not work.
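Here is an added example of what a fuller Sample.ps1 might look like; it is not the article's own script. It assumes PowerShell 2.0 (Exchange 2010's EMS), a hypothetical server name EX01 and a hypothetical quota value, and it addresses the "destructive if performed incorrectly" point above: the change is routed through ShouldProcess, so the script can be rehearsed with -WhatIf before it touches any mailbox.

```powershell
# Sample.ps1 - added example, not the original article's script.
# Assumes it runs inside an Exchange 2010 Management Shell (PowerShell 2.0);
# the server name and quota passed in are hypothetical.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerName,

    [ValidateRange(1, 102400)]
    [int]$ProhibitSendQuotaMB = 2048
)

# Report step: the article's Get-Mailbox | Format-Table pipeline, limited to one server
$mailboxes = @(Get-Mailbox -Server $ServerName -ResultSize Unlimited)
$mailboxes | Format-Table Name, ServerName, ProhibitSendQuota -AutoSize
Write-Host ("{0} mailbox(es) on {1}" -f $mailboxes.Count, $ServerName)

# Destructive step: every change goes through ShouldProcess, so
#   .\Sample.ps1 -ServerName EX01 -WhatIf          only prints what would change
#   .\Sample.ps1 -ServerName EX01                  prompts per mailbox (ConfirmImpact High)
#   .\Sample.ps1 -ServerName EX01 -Confirm:$false  applies the change without prompting
$quota = "{0}MB" -f $ProhibitSendQuotaMB
foreach ($mbx in $mailboxes) {
    if ($PSCmdlet.ShouldProcess($mbx.Identity, "Set ProhibitSendQuota to $quota")) {
        Set-Mailbox -Identity $mbx.Identity `
                    -UseDatabaseQuotaDefaults $false `
                    -ProhibitSendQuota $quota
    }
}
```

Run it from EMS as .\Sample.ps1 -ServerName EX01 -WhatIf or, from any directory, as C:\Scripts\Sample.ps1 -ServerName EX01 -WhatIf. If a script refuses to start, check Get-ExecutionPolicy: Exchange setup configures RemoteSigned, under which a .ps1 copied from the Internet (one that carries a Zone.Identifier stream) will not run until it is unblocked or signed.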

Windows desktop features you didn't know you had

When defining a Windows desktop configuration, many administrators start with a default Windows deployment and then lock down the settings and features they don't want users to access. While this approach works, it's based on the assumption that a default installation includes all of the features available for that particular version of the operating system.

This isn't necessarily the case.

Windows 7 has several useful features that are not installed by default; some of them could benefit your organization.

To access these nondefault features, open the Control Panel and click on Programs. In the Programs and Features section, click the Turn Windows Features On or Off link. When you do this, Windows will display a dialog box where you can enable or disable several features.

While you may not want to enable all the features, here are a handful of nondefault components to consider.

  • The Indexing Service
  • Internet Information Services
  • Internet Information Services Hostable Web Core
  • Microsoft Message Queue Server
  • RIP Listener
  • Microsoft Services for Network File System
  • Simple Network Management Protocol
  • Simple TCP/IP services
  • Subsystem for Unix-based Applications
  • Telnet Server
  • TFTP Client
  • Windows TIFF IFilter

While some of these non-default components are outdated or relatively obscure, others may be useful in your environment. Several of them (Telnet Server, SNMP, Simple TCP/IP services, RIP Listener, IIS and Services for NFS) open listening ports on the machine, so enable them only where there is a need and scope the host firewall accordingly.

Go through the link for more information.
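As an added example (not from the original article), the following PowerShell script lists which of these optional features are actually enabled on a machine and flags the ones that open network listeners, which is the check to run before deciding what to turn on. It uses the Win32_OptionalFeature WMI class (Windows 7 / Server 2008 R2 and later); the feature names in the $listeners table are the DISM component names as I know them and are assumptions to confirm with dism /online /get-features, and the host name is whatever you pass in.

```powershell
# Added example, not from the original article. Audits which optional Windows features are
# enabled on a host and flags the ones that open network listeners.
# Feature names below are assumptions (DISM component names); verify with
#   dism /online /get-features
param([string]$ComputerName = '.')

# Feature name -> why it matters; hashtable keys are case-insensitive
$listeners = @{
    'TelnetServer'  = 'Telnet Server: cleartext logons on TCP 23'
    'TFTP'          = 'TFTP client: unauthenticated file transfer'
    'SNMP'          = 'SNMP service: community strings sent in cleartext'
    'SimpleTCP'     = 'Simple TCP/IP services: echo/chargen/discard/daytime (amplification targets)'
    'RasRip'        = 'RIP Listener: accepts unauthenticated routing updates'
    'IIS-WebServer' = 'IIS web server: HTTP listener'
    'MSMQ-Server'   = 'Message Queue server: TCP 1801 listener'
    'ServicesForNFS-ServerAndClient' = 'Services for NFS'
}

# InstallState: 1 = Enabled, 2 = Disabled, 3 = Absent
$all     = @(Get-WmiObject -Class Win32_OptionalFeature -ComputerName $ComputerName)
$enabled = @($all | Where-Object { $_.InstallState -eq 1 })

$report = foreach ($f in $enabled) {
    $why = ''
    if ($listeners.ContainsKey($f.Name)) { $why = $listeners[$f.Name] }
    New-Object PSObject -Property @{ Feature = $f.Name; Caption = $f.Caption; Risk = $why }
}

"{0} of {1} optional features enabled on {2}" -f $enabled.Count, $all.Count, $ComputerName
$report | Sort-Object Risk -Descending | Format-Table Feature, Caption, Risk -AutoSize
```

Features with a non-empty Risk column are the ones to justify or disable; the rest are local-only and mostly a patching concern.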

Thursday, September 2, 2010

Throttling PowerShell command usage in Exchange 2010

Administrative actions in Exchange 2010 are based on PowerShell (remote PowerShell, specifically). Some of them, like running large scripts, can be resource-intensive. Throttling PowerShell helps limit the strain any one user can put on a server.

The Exchange Control Panel (ECP) performs its administrative actions through remote PowerShell sessions, and the PowerShell throttling parameters also apply in the Exchange Web Services (EWS) context. Because of this, throttling PowerShell can help prevent a user from overloading Exchange by performing concurrent actions through multiple browser sessions.

Exchange Server 2010 provides several different parameters you can use to throttle PowerShell command usage. One such parameter is PowerShellMaxConcurrency. This parameter can be tricky because its function varies depending on the context.

When a user establishes a remote shell session, the PowerShellMaxConcurrency parameter defines the maximum number of simultaneous remote PowerShell sessions that the user can have open. In the EWS context, the same parameter controls the maximum number of cmdlets that a user can run simultaneously.

Where PowerShell throttling and throttling policy parameters differ

Unlike the PercentTimeInAD, PercentTimeInCAS and PercentTimeInMailboxRPC parameters, which are always expressed as a percentage of a one-minute window, the PowerShell throttling parameters don't assume a time period. Instead, you must define the period explicitly by assigning a number of seconds to the PowerShellMaxCmdletsTimePeriod parameter. After doing this, you control the maximum number of PowerShell cmdlets a user may run within that period with the PowerShellMaxCmdlets parameter.

One PowerShell throttling parameter that I recommend avoiding is PowerShellMaxCmdletQueueDepth, which controls the total number of operations (queued cmdlet executions) a user is allowed to have in flight at once. Using this parameter has several side effects.

The PowerShellMaxCmdletQueueDepth value directly affects how PowerShellMaxCmdlets and PowerShellMaxConcurrency behave, because both consume operations that are counted against the queue depth. PowerShellMaxConcurrency limits the number of concurrent remote shell sessions a user can have open, so it also bounds the number of cmdlets that can run at the same time, and it can limit the number of ECP browser sessions a user can have open.

Each remote PowerShell session consumes at least two of the operations counted by PowerShellMaxCmdletQueueDepth, and every cmdlet executed consumes more, so a low queue depth throttles sessions and cmdlets earlier than the other two parameters alone would suggest. If you do decide to use this parameter, Microsoft recommends setting it to at least three times the value of PowerShellMaxConcurrency.

Note: Throttling the PowerShellMaxCmdletQueueDepth won't affect the Exchange Control Panel or EWS.
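As an added illustration (not code from the original article), here is how those parameters are set in practice: inspect the default policy, create a stricter one, and assign it to a single account rather than changing the default for everyone. The policy name, the limits and the mailbox identity are hypothetical.

```powershell
# Added example, not the article's own code. Run in the Exchange 2010 Management Shell.
# Policy name, limits and mailbox identity are hypothetical; choose values for your environment.

# 1. See what the default policy allows today (the PowerShell* parameters discussed above)
Get-ThrottlingPolicy | Format-List Name, IsDefault, PowerShellMaxConcurrency, PowerShellMaxCmdlets,
    PowerShellMaxCmdletsTimePeriod, PowerShellMaxCmdletQueueDepth

# 2. A tighter policy for accounts that only need occasional remote shell / ECP access:
#    at most 2 concurrent remote PowerShell sessions and at most 30 cmdlets per 60-second window.
#    Queue depth, if set at all, stays >= 3 x PowerShellMaxConcurrency as Microsoft recommends.
$policy = New-ThrottlingPolicy -Name 'RestrictedRemoteShell' `
    -PowerShellMaxConcurrency 2 `
    -PowerShellMaxCmdletsTimePeriod 60 `
    -PowerShellMaxCmdlets 30 `
    -PowerShellMaxCmdletQueueDepth 6

# 3. Apply it to one account (mailbox) instead of editing the default policy
Set-Mailbox -Identity 'helpdesk.user' -ThrottlingPolicy $policy.Identity

# 4. Verify that the mailbox now carries the non-default policy
Get-Mailbox -Identity 'helpdesk.user' | Format-List Name, ThrottlingPolicy
```

Throttling bounds how much a careless or compromised account can consume; it is not an access control. Which cmdlets an account may run at all is still decided by its RBAC role assignments.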

Sunday, July 25, 2010

Administrative Shares inaccessible using Local Administrator Account

Good link for a Windows 7 problem: unable to access administrative shares using a local Administrator account.

Exchange 2003 Queue Directory Corrupt

For one of our clients, we received an alert stating that "The Microsoft Exchange Information Store service terminated with service-specific error 0 (0x0)".

The error seems simple, and most people would just suggest starting the service again. But the root cause was different.

One of my colleagues started working on the alert; here is the chronology of the steps followed in resolving the issue. He found that the Information Store service was stopped and started it. While verifying the queues he encountered an error stating "Default SMTP Virtual Server is unavailable". He checked and found that the SMTP service was running.

The call was escalated to me and I started working on the issue.

On further analysis, I found that the SMTP virtual server instance was stopped in ESM (Exchange System Manager). Trying to start the instance produced an error stating that the queue directory is corrupted and the instance could not be started.

The error was logged in the event log, and an error pop-up appeared when the queue directory was opened from Explorer.

Executed following Steps to resolve issue:

1. Uninstalled the existing antivirus (AVG).

2. Ran chkdsk on the volume where the Exchange database is stored. It reported disk errors.

3. Ran chkdsk /f on the volume and restarted the server.

4. Created a new queue directory and, in ESM, pointed the SMTP virtual server at the new folder.

5. Started the SMTP virtual server instance and the Information Store service.

Mail started flowing normally. (File-level antivirus scanning of the Exchange database, transaction log and SMTP queue directories is a well-known cause of this kind of corruption; Microsoft's guidance is to exclude those paths from scanning, so reinstalling an antivirus product without those exclusions would invite a repeat.)

Happy Learning!!!

Thursday, July 8, 2010

Export DNS records to Excel to read time stamps and static records

How to get list of static DNS records...

Ask a DNS administrator and he’ll tell you there is no such thing as being “too careful” with DNS data! One of the dreaded things is to check the box for Auto Scavenging. A slight mis-configuration can lead to useful DNS entries getting deleted.

Some of the common questions that may come to an Administrator’s mind when thinking about scavenging is – How many static records do I have? Do I really have aged records lingering? Well, the answers to these questions are easy to find. Just open each record in the DNS console and look at the time stamp. This is easy if you have 20 records. That’s far from practical in the real world, though.

What one really needs is data in an organized form, say in Excel. Unfortunately the format of “dnscmd enumrecords” is not exactly ready to be imported as data. Let’s look at a sample output of “dnscmd /enumrecords @ /Type A /additional”:

We do get the name of the record, time stamp, TTL, type & IP address. This data cannot be directly imported into Excel, however; it needs to be formatted with delimiters so that Excel can import it. We have chosen to use a “,” (comma) in this case.

Some points to keep in mind are:

1.Observe the first few lines of the data in the example above. Each “Same as parent folder” is on a separate line with the Record name missing in subsequent lines.

2.For static records, the text “[Aging:xxxxxxxx]” is missing.

3.We have tried to accommodate more types of records like SRV, NS, SOA, MX, and CNAME, though typically one would be interested in the A records.

We will achieve the desired result in two steps using two VBScripts. The scripts perform the following functions:

1.Put in the delimiter “,” to separate the data on each line. In our example, the script is named “changetocsv.vbs”.

2.Perform a calculation to convert the “Aging” number to a readable date format and then open the file in Excel, provided Excel is installed on the machine being used. We will name this script “openexcel.vbs”.

Note that both scripts manipulate contents of the file. Each script should be run only once on a file. Here is a summary of how the overall process will work:

•Create a directory/folder to hold the exported DNS data and script files.

•Copy the contents of both scripts given below and place them in the folder created.

•Export the data from DNS using the dnscmd.exe utility included with Windows Server.

•At a Command Prompt in the folder created, run each script against the exported data to format it for and import it into Excel.

Detailed steps:

1. Create a folder, such as C:\dnsdata, in which to store each of the scripts below. Eg: changetocsv.vbs and openexcel.vbs.

2. At a Command Prompt, run the following command:

dnscmd /enumrecords @ /Type A /additional > c:\dnsdata\dns.csv

Note: For more information on dnscmd.exe, run ‘dnscmd /?’ at a Command Prompt.

3. Save the below script as “changetocsv.vbs” in the directory created. This script will read the raw output taken from dnscmd command, format it by inserting comma delimiters, and then save it as the same filename specified at the command prompt when it is run.

Const ForReading = 1
Const ForWriting = 2

strFileName = Wscript.Arguments(0)
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Pass 1: turn " [Aging:NNNNNNN] " into comma delimiters around the aging value
Set objFile = objFSO.OpenTextFile(strFileName, ForReading)
strText = objFile.ReadAll
objFile.Close
strNewText = Replace(strText, " [Aging:", ",")
strNewText1 = Replace(strNewText, "] ", ",")
Set objFile = objFSO.OpenTextFile(strFileName, ForWriting)
objFile.WriteLine strNewText1
objFile.Close

' Pass 2: delimit the record type
'please modify Rtype array as per the record requirements
Rtype = Array("A", "SRV", "NS", "SOA", "MX", "CNAME")
For i = 0 To UBound(Rtype)
    rrtype = " " & Rtype(i) & " "
    Set objFile = objFSO.OpenTextFile(strFileName, ForReading)
    strText = objFile.ReadAll
    objFile.Close
    strNewText = Replace(strText, rrtype, "," & Rtype(i) & ",")
    Set objFile = objFSO.OpenTextFile(strFileName, ForWriting)
    objFile.WriteLine strNewText
    objFile.Close
Next

' Pass 3: the remaining space between Name and TTL (static records have no Aging field)
' becomes an empty Aging column
Set objFile = objFSO.OpenTextFile(strFileName, ForReading)
strText = objFile.ReadAll
objFile.Close
strNewText = Replace(strText, " ", ",,")
Set objFile = objFSO.OpenTextFile(strFileName, ForWriting)
objFile.WriteLine strNewText
objFile.Close

4. The script takes one argument. At the command prompt, while in the directory created earlier, run the following command:

C:\dnsdata> changetocsv.vbs dns.csv

This command modifies the content of dns.csv and overwrites the same file.

5. (optional) View the modified dns.csv.

Thanks to the new formatting, the file can now be opened in Excel as a CSV file. However, the "aging" number (second column) needs to be converted to a readable date. The Aging value in the DNS data is the number of hours since 1/1/1601 00:00 UTC, whereas Excel's date serial counts days from its own epoch (day 1 = 1/1/1900; because of the Lotus 1900 leap-year quirk, day 0 is effectively 12/30/1899). So we subtract a constant from the aging value to normalize it, then divide by 24, since Excel counts days rather than hours. The script below subtracts 2620914.50: the hours from 1/1/1601 to 12/30/1899 come to 2620920, and the extra 5.5 hours shift the result from UTC to UTC+5:30 local time. Use 2620920 if you want the timestamps in UTC, or adjust by your own offset.

6. Save the script file below to “openexcel.vbs”. This script will modify the comma delimited file, dns.csv in our example, to convert the number mentioned for Aging to a date format and opens the file in Excel automatically.

Const ForReading = 1
Const ForWriting = 2

strfile = Wscript.Arguments(0)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strfile, ForReading)

Do Until objFile.AtEndOfStream
    strLine = objFile.ReadLine
    If Not strLine = "" Then
        arrItems = Split(strLine, ",")
        intDateValue = 0
        ' Column 2 holds the Aging value; it is empty for static records and absent on header lines
        If UBound(arrItems) >= 1 Then
            If IsNumeric(arrItems(1)) Then
                ' hours since 1/1/1601 UTC -> Excel days since 12/30/1899 (constant includes a +5:30 shift)
                intDateValue = (CDbl(arrItems(1)) - 2620914.5) / 24
            End If
        End If
        intItems = UBound(arrItems)
        ReDim Preserve arrItems(intItems + 1)
        If intDateValue > 0 Then
            arrItems(intItems + 1) = intDateValue
        Else
            arrItems(intItems + 1) = ""
        End If
        strNewLine = Join(arrItems, ",")
        strNewText = strNewText & strNewLine & vbCrLf
    End If
Loop
objFile.Close

Set objFile = objFSO.OpenTextFile(strfile, ForWriting)
objFile.Write strNewText
objFile.Close

Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = True
Set objWorkbook = objExcel.Workbooks.Open(strfile)
Set objRange = objExcel.Cells(1, 6)
Set objRange = objRange.EntireColumn
objRange.NumberFormat = "m/d/yyyy hh:mm:ss AM/PM"

7. The script takes one argument. At the command prompt, run the following command:

C:\dnsdata> openexcel.vbs c:\dnsdata\dns.csv

The script modifies the content of dns.csv and overwrites the same file with the modified content, then opens the result in Excel, provided Excel is installed.

IMPORTANT: Please give full path name of the file otherwise the Excel will give an error while attempting to open the file dns.csv.

The columns are Name, Aging, TTL, Type, IP address & Time Stamp. Blanks in Time Stamp indicate a static record. Below is the result after running both scripts on our example data:

8. Once the file is open, save the resultant as dns.xls and use that for all future reference.
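As an added alternative to the two VBScripts (not part of the original post), here is the same conversion in PowerShell: it parses dnscmd /enumrecords output directly, turns the Aging value (hours since 1/1/1601 00:00 UTC) into a timestamp, marks records that have no Aging field as static, and writes a CSV that Excel opens without any further massaging. $sample is constructed text in the layout described above, with made-up names and addresses; feed it real output from dnscmd /enumrecords @ /Type A /additional instead.

```powershell
# Added example, not the post's VBScript. Parses dnscmd /enumrecords output, converts the
# [Aging:NNN] value (hours since 1/1/1601 00:00 UTC) to a DateTime and flags static records.
# $sample below is constructed text; record names and addresses are made up.

function ConvertFrom-DnsCmdRecords {
    param([string[]]$Lines)
    $epoch = New-Object DateTime 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $lastName = $null
    foreach ($line in $Lines) {
        # name (blank on "same as parent" lines), optional [Aging:n], TTL, type, data
        if ($line -match '^(?<name>\S*)\s+(?:\[Aging:(?<aging>\d+)\]\s+)?(?<ttl>\d+)\s+(?<type>[A-Z]+)\s+(?<data>.*)$') {
            if ($Matches.name) { $lastName = $Matches.name }
            $isStatic = -not $Matches.aging
            $stamp = $null
            if (-not $isStatic) { $stamp = $epoch.AddHours([int]$Matches.aging) }   # UTC
            New-Object PSObject -Property @{
                Name      = $lastName
                TTL       = [int]$Matches.ttl
                Type      = $Matches.type
                Data      = $Matches.data.Trim()
                Static    = $isStatic
                TimeStamp = $stamp
            }
        }
    }
}

# Constructed sample in the dnscmd /enumrecords layout (replace with real output)
$sample = @'
Returned records:
@                      [Aging:3588000] 600 A    10.1.2.3
                       3600 NS   dc1.example.test.
dc1                    3600 A    10.1.2.3
ws01                   [Aging:3589200] 1200 A   10.1.2.50
'@ -split "`r?`n"

$records = ConvertFrom-DnsCmdRecords -Lines $sample
$records | Sort-Object Static, TimeStamp | Format-Table Name, Type, Data, TTL, Static, TimeStamp -AutoSize
$records | Export-Csv -Path .\dns.csv -NoTypeInformation
```

Static records (no Aging field) are the ones scavenging will never remove; the dynamic ones whose TimeStamp is older than the zone's refresh plus no-refresh interval are the ones scavenging would delete if you switched it on today.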

DNS Zone Information CSV collector

This script takes as command-line arguments one or more remote DNS servers, uses dnscmd to collect all their zones and some extended information about each, and writes a CSV file named after each server. I have only tested this with Windows Server 2003; if the dnscmd output on 2008 has the same format it should work as well. I wrote this to collect information on scavenging settings, so the output is focused on that. You will need to know what the numeric values of the /zoneinfo results mean in order to interpret the CSV output.

Script Code (Perl)

#dns zone enumeration and detail gathering
#run the command with arguments of the dns servers hosting the zones. This script enumerates
#all zones, collects some of the extended details and outputs to CSV format. Requires dnscmd.exe and
#appropriate rights on the remote machine
use strict;
use warnings;

foreach my $dnsserver (@ARGV) {
    my $filename = $dnsserver . ".csv";
    open(OUTFILE, ">$filename") or die "Can't open output file $filename: $!\n";
    print OUTFILE "Zone Name,Type,Storage,Updates,DS Integrated,Aging On,Refresh Aging,No Refresh Aging,Scavenge Available\n";

    my $output = `dnscmd $dnsserver /enumzones`;
    my @outputarr = split(/\n/, $output);
    my $beginning = 0;    # set once the "Zone name" header line has been seen
    foreach (@outputarr) {
        if (!$beginning) {
            if ($_ =~ /Zone name/) {
                $beginning = 1;
            }
        } else {
            $_ =~ s/^\s+//;
            my @temparr = split(/\s+/, $_);
            #proper zone found,
            #Format: Name, Type, Storage, Properties(multiple)
            # properties Secure Rev Aging
            if (defined $temparr[0] && $temparr[0] =~ /\./) {
                my $details = getdetail($dnsserver, $temparr[0]);
                my $outline = "$temparr[0],$temparr[1],$temparr[2],$details";
                print OUTFILE $outline;
            }
        }
    } #end of all output from enumzones
    close OUTFILE;
} #end foreach server's passed as args

sub getdetail {
    my ($dnsserver, $zone) = @_;
    my $zoneinfo = `dnscmd $dnsserver /zoneinfo $zone`;
    my @zonedetails = split(/\n/, $zoneinfo);
    my ($zoneupdate, $dsintegrated, $aging, $agerefresh, $age_no_refresh, $scavenge_avail) = ("") x 6;
    foreach my $line (@zonedetails) {
        if ($line =~ /update/) {
            $zoneupdate = parsevalue($line);
        } elsif ($line =~ /aging/) {
            $aging = parsevalue($line);
        } elsif ($line =~ /DS integrated/) {
            $dsintegrated = parsevalue($line);
        } elsif ($line =~ /refresh interval/) {
            $agerefresh = parsevalue($line);
        } elsif ($line =~ /no refresh/) {
            $age_no_refresh = parsevalue($line);
        } elsif ($line =~ /scavenge available/) {
            $scavenge_avail = parsevalue($line);
        }
    } #end details
    my $retval = "$zoneupdate,$dsintegrated,$aging,$agerefresh,$age_no_refresh,$scavenge_avail\n";
    return $retval;
}

sub parsevalue {
    my $val = $_[0];
    my @temparr = split(/=/, $val);
    $val = defined $temparr[1] ? $temparr[1] : "";
    $val =~ s/\s//g;    # also drops the trailing \r from Windows line endings
    return $val;
}

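The Perl script leaves the /zoneinfo numbers raw. As an added example (not from the original post), this PowerShell function decodes them: update (0 = none, 1 = nonsecure and secure, 2 = secure only), DS integrated, aging, and the refresh / no-refresh intervals in hours. $sample is constructed dnscmd /zoneinfo output in the key = value layout that parsevalue() relies on, with a made-up zone name; run dnscmd <server> /zoneinfo <zone> for real data. The nonsecure-update flag is the line worth acting on, since such a zone accepts record changes from any host that can reach the server.

```powershell
# Added example, not the page's Perl script. Decodes the numeric fields of dnscmd /zoneinfo.
# $sample is constructed output; the zone name is made up.

# Documented meaning of the zone's AllowUpdate (printed as "update") value
$AllowUpdateMeaning = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

function ConvertFrom-DnsCmdZoneInfo {
    param([string[]]$Lines, [string]$Zone)
    $props = @{}
    foreach ($line in $Lines) {
        # same split-on-'=' rule as parsevalue(), trimming instead of deleting every space
        if ($line -match '^\s*(?<key>[^=]+?)\s*=\s*(?<value>.*?)\s*$') {
            $props[$Matches.key] = $Matches.value
        }
    }
    $update = [int]$props['update']
    $aging  = [int]$props['aging']
    New-Object PSObject -Property @{
        Zone                    = $Zone
        DynamicUpdate           = $AllowUpdateMeaning[$update]
        DsIntegrated            = ([int]$props['DS integrated'] -eq 1)
        AgingEnabled            = ($aging -eq 1)
        NoRefreshHours          = [int]$props['no refresh']
        RefreshHours            = [int]$props['refresh interval']
        ScavengeAvailableRaw    = $props['scavenge available']
        # the red flag: anyone on the network can add or overwrite records in this zone
        AcceptsSpoofableUpdates = ($update -eq 1)
    }
}

# Constructed sample in the dnscmd /zoneinfo layout (replace with real output)
$sample = @'
Zone query result:

Zone info:
        ptr                     = 0012ABCD
        zone name               = corp.example.test
        zone type               = 1
        update                  = 1
        DS integrated           = 1
        aging                   = 1
          refresh interval      = 168
          no refresh            = 168
          scavenge available    = 3589100
        Zone Masters    NULL IP Array.
Command completed successfully.
'@ -split "`r?`n"

ConvertFrom-DnsCmdZoneInfo -Lines $sample -Zone 'corp.example.test' | Format-List
```

With aging on and both intervals at 168 hours, a dynamic record is eligible for deletion once it has gone 14 days without a refresh; compare that with your DHCP lease length before enabling scavenging on the server.
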
RPC Service Not Getting Started after recovering Server from OS Crash

Issue: RPC service not starting after recovering the server from an OS crash

Symptoms:
  • All Automatic services fail to start
  • RPC service not starting
  • Unable to view the description of services in extended view in the Services console
  • Unable to view properties of the event logs
  • Repeated Userenv errors in the event logs

Resolution (this re-applies the OS default security template, which also resets any hardening of user rights, service and registry permissions made since setup, so export the current settings first if you will need to compare):
  • Open MMC (Start > Run > MMC)
  • Go to File > Add/Remove Snap-in
  • Add 'Security Configuration and Analysis'
  • Right-click 'Security Configuration and Analysis' and select 'Open Database'
  • Browse to C:\Windows\Security\Database and type a name for a new database (e.g. test)
  • When prompted for a template, import 'Setup security.inf' (from C:\Windows\Security\Templates)
  • Right-click 'Security Configuration and Analysis' and select 'Configure Computer Now'
  • Reboot the server

All Automatic services will be up and running and the server is restored to its normal state.
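The same reset from the command line, as an added example that is not part of the original post. It adds the step a practitioner wants first: an export of the current security settings, so you can see afterwards what the default template overwrote. The paths are the Windows Server 2003 defaults and are assumptions for other versions; run it from an elevated prompt.

```powershell
# Added example, not from the original post. Command-line equivalent of the MMC steps above,
# with a backup of the effective security settings taken first. Paths assume Windows Server 2003.
$template = Join-Path $env:windir 'security\templates\setup security.inf'
$backup   = Join-Path $env:TEMP ('secpol-before-{0:yyyyMMdd-HHmm}.inf' -f (Get-Date))
$db       = Join-Path $env:TEMP 'setup-security-reset.sdb'
$log      = Join-Path $env:TEMP 'secedit-reset.log'

if (-not (Test-Path $template)) { throw "Template not found: $template" }

# 1. Snapshot the current local security policy (user rights, audit policy, registry/file ACLs)
secedit /export /cfg "$backup" /quiet
"Current settings saved to $backup"

# 2. Apply the OS default template. This overwrites hardening (user rights, service and registry
#    ACLs, audit settings) with setup-time defaults, which is why step 1 matters.
secedit /configure /db "$db" /cfg "$template" /overwrite /log "$log" /quiet

# 3. Review what secedit reported before rebooting
Get-Content "$log" | Select-Object -Last 20
```

After the reboot, diff the exported .inf against a fresh secedit /export to find the settings your hardening baseline needs to re-apply.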

Happy Learning!!!

Friday, June 11, 2010

OWA inaccessible..WMI Corrupt

Issue Statement: OWA is not working, with the error "Outlook Web Access did not initialize".


Checked the event logs and found event ID 10005:

DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

 Tried to open wmimgmt.msc but got an error

Number: 0x8004100a
Facility: WMI
Description: Critical error

Re-registered all WMI DLLs: stopped and disabled the WMI service, then ran "for /f %s in ('dir /b /s *.dll') do regsvr32 /s %s" from the command prompt. (Run this only from %windir%\system32\wbem; with dir /s it recurses into subfolders, and from a higher directory it would re-register every DLL it finds.)

Then we ran the following commands:

wmiprvse /regserver
winmgmt /clearadap
winmgmt /resyncperf

 Downloaded and installed WMIDiag.exe from the following link

Checked the logs and found the following information:

1522 11:49:49 (0) ** ERROR: WMIDiag detected issues that could prevent WMI to work properly!.

1523 11:49:49 (0) **

1524 11:49:49 (0) ** WMIDiag v2.0 ended on Saturday, May 29, 2010 at 11:49 (W:31 E:12 S:1).

1453 11:49:49 (0) ** WMI service DCOM setup: ............................................................................................. OK.

1454 11:49:49 (0) ** WMI components DCOM registrations: .................................................................................. OK.

1455 11:49:49 (2) !! WARNING: WMI ProgID registrations missing: .......................................................................... 7 ProgID(S)!

From the command prompt, successfully ran the command 'REGSVR32.EXE C:\WINDOWS\SYSTEM32\WBEM\WBEMDISP.DLL' as recommended in the log.

Copied all 54 DLL files from a working server and put them under c:\windows\system32\wbem (the source server must be the same OS version, architecture and service pack, or the registrations that follow will fail).

Ran the following commands again (the start= auto line is required before net start, because a service set to disabled cannot be started):

sc config winmgmt start= disabled
net stop winmgmt /y
cd %windir%\system32\wbem
for /f %s in ('dir /b *.dll') do regsvr32 /s %s
regsvr32 %windir%\system32\tscfgwmi.dll
wmiprvse /regserver
winmgmt /regserver
sc config winmgmt start= auto
net start winmgmt
for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s

Outlook Web Access was then accessible again.

Saturday, May 8, 2010

Unable to install SQL..WMI Error

Issue: The SQL Server System Configuration Checker cannot be executed due to WMI configuration on the machine. Error: 2147749904 (0x80041010)

2147749904 (0x80041010): Specified class is not valid

Resolution: If you encounter the above error while installing SQL Server, follow the steps below.

• Use the following command to detect and repair a corrupted WMI Repository:

                          rundll32 wbemupgd, RepairWMISetup

• Re-register the WMI components

The .DLL and .EXE files used by WMI are located in %windir%\system32\wbem. You might need to re-register all the .DLL and .EXE files in this directory. On a 64-bit system you might also need to check for .DLL and .EXE files in %windir%\SysWOW64\wbem.

  • To re-register the WMI components, run the following commands at the command prompt:
cd /d %windir%\system32\wbem
for %i in (*.dll) do RegSvr32 -s %i
for %i in (*.exe) do %i /RegServer

Friday, April 16, 2010

WMI Access Denied.. Windows Server 2008

Below are the steps performed to fix this issue.

1. Enabled the DCOM component
2. regsvr32 %windir%\system32\atl.dll
3. regsvr32 %windir%\system32\netshell.dll
4. regsvr32 %windir%\system32\hnetcfg.dll
5. regsvr32 %windir%\system32\netcfgx.dll
6. regsvr32 %windir%\system32\netman.dll

Note: After performing the above steps, restart the server.

Thursday, April 1, 2010

"The local policy of this system does not permit you to logon interactively" error message when you try to log on to a computer that is running Windows Small Business Server 2003 by using an Administrator account

Today one more interesting issue..

Even though a user account had Domain Admins rights, it was unable to log on to the console of the DC.

It encountered the error "The local policy of this system does not permit you to logon interactively", but was able to log on through Terminal Services.

Verified GPOs, Local Security Policy etc., but found no clue. Interestingly, the user account had been explicitly added to the "Allow log on locally" list under Security Settings > Local Policies > User Rights Assignment in the Domain Controllers policy.

After some more research and googling I found an MS article which helped me resolve the issue.

After removing the user account from the "Domain Power Users" group, it was able to log on to the DC console. This is also why adding the account to the allow list had not helped: a "Deny log on locally" entry that applies to any of the account's groups always overrides "Allow log on locally".

Here is the article link:

Happy Learning!!!

Friday, March 26, 2010

Never Disable IPV6 on SBS 2008!!!

Today I worked on an interesting issue.

One of my clients has an SBS 2008 server holding all roles: DNS, AD and Exchange 2007.

Actual issue: WMI was not connecting from the monitoring server, with the error "No more threads can be created in the system. (Exception from HRESULT: 0x800700A4)".

To resolve this issue I rebooted the SBS server, which caused another problem.
The server got stuck during boot on "Applying Computer Settings" and never came up completely. I connected to the Computer Management console from another computer and checked the event logs and services. The Exchange services had not started, which is why the computer was stuck on Applying Computer Settings.
I tried booting the server in "Safe Mode with Networking", but all efforts were in vain.
After researching for more than two hours, I found that IPv6 had been disabled on this SBS 2008 box.
Apparently, that is what an SBS server does when you kill some of its most critical services. I quickly learned that disabling IPv6 on an SBS 2008 server is extremely dangerous.

Stopping IPV6 leads to multiple failing services, and will cause your server to hang during booting as a result

The Solution

So I had to re-enable IPv6. The fastest, and probably the only, way was to boot the server into Safe Mode with Networking, which allows you to re-enable the protocol on the network adapter. Start the server normally again and give it some time. Booting will take a few minutes longer than usual, but all the problems caused by disabling IPv6 should now be fixed.

And the reboot fixed the DCOM/WMI errors too.

Happy Learning!!!

Thursday, March 4, 2010

How to enable Remote Desktop remotely

To enable Remote Desktop using regedit, follow these steps:

  1. Run REGEDIT from Start > Run
  2. Click on File, then select Connect Network Registry
  3. Type the remote computer's IP or host name in the Enter the object name to select box and click OK
  4. If you don't have permission to access the remote computer, a logon prompt will appear. Type a username and password with administrative rights on the remote computer, then click OK.
  5. The remote computer is now listed in Registry Editor.
  6. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server; in the right pane, select fDenyTSConnections (REG_DWORD). Change the value data from 1 (Remote Desktop disabled) to 0 (Remote Desktop enabled).
  7. Close Registry Editor

Note: this needs the Remote Registry service running on the target. The registry change does not add a Windows Firewall exception for TCP 3389, so that rule may still have to be enabled before clients can connect.
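As an added example (not from the original post), the same change from PowerShell, plus the two things that usually explain why the remote desktop still does not connect afterwards: Network Level Authentication is kept on (UserAuthentication under WinStations\RDP-Tcp), so the logon screen is not exposed to unauthenticated clients, and TCP 3389 is tested, because the registry change does not add a firewall exception. Like regedit's Connect Network Registry, it needs the Remote Registry service running on the target; the host name is hypothetical.

```powershell
# Added example, not from the original post. Enables Remote Desktop on a remote host through the
# Remote Registry service, keeps NLA on, and checks that TCP 3389 is reachable afterwards.
param([Parameter(Mandatory = $true)][string]$ComputerName)

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$ts   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server', $true)

$before = $ts.GetValue('fDenyTSConnections')
"fDenyTSConnections on $ComputerName was $before (1 = RDP disabled, 0 = enabled)"
$ts.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)

# Keep Network Level Authentication on (Vista/2008 and later; the value is ignored on older systems):
# without it, the RDP logon screen is reachable by any unauthenticated client.
$rdpTcp = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp', $true)
if ($rdpTcp -and $rdpTcp.GetValue('UserAuthentication') -ne 1) {
    $rdpTcp.SetValue('UserAuthentication', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    "UserAuthentication (NLA) set to 1 on $ComputerName"
}

# Test the listener from the outside; the registry change does not open the host firewall
$socket = New-Object System.Net.Sockets.TcpClient
try {
    $socket.Connect($ComputerName, 3389)
    "TCP 3389 on $ComputerName is reachable"
} catch {
    "TCP 3389 on $ComputerName is not reachable yet. On the target, enable the Remote Desktop " +
    "firewall rule, e.g.: netsh advfirewall firewall set rule group=`"remote desktop`" new enable=Yes"
} finally {
    $socket.Close()
}
```

If the listener is already reachable before you make the change, something else is wrong (the Terminal Services service, or the group policy that enforces fDenyTSConnections and will silently set it back).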

Saturday, February 27, 2010

To allow DCOM traffic through ISA Server


Many of us will have encountered problems when executing VBScripts or WMI queries from an ISA Server and received an "RPC server unavailable" error.

In order to allow DCOM traffic, create a rule in ISA to "Allow RPC to ISA from trusted servers".

Then disable "Enforce strict RPC compliance" on that rule (strict compliance allows only the RPC protocol itself and blocks DCOM), after which WMI queries and VBScript execution will succeed.
Happy Learning!!!

Thursday, February 25, 2010

Windows 2003 Account Management Security Events

As system administrators, we want to capture a few events, such as account created, account deleted and account lockout, for audit and security-compliance purposes. Here are details of the security events that are most useful. Note that these are the Windows 2000/2003 event IDs; Windows Vista, Windows Server 2008 and later log the same account-management events with the ID increased by 4096 (for example, 624 becomes 4720, 630 becomes 4726 and 644 becomes 4740).

Event ID--OS--Eventlog Source--Description

539--Win NT,DC--Security--Account Lockout (In WinNT)

624--Win2000, Win2003--Security--User Account Created

630--Win2000, Win2003--Security--User Account Deleted

631--Win2000, Win2003, DC--Security--Global security group created

634--Win2000, Win2003, DC--Security--Security global group deleted

635--Win2000, Win2003, DC--Security--Local security group created.

638--Win2000, Win2003, DC--Security--Security local group deleted

644--Win2003,DC--Security--Account Lockout (In Win2k3)

647--Win2000, Win2003, DC--Security--Computer Account Deleted

648--Win2000, Win2003, DC--Security--Distribution local group created

652--Win2000, Win2003, DC--Security--Distribution local group deleted

653--Win2000, Win2003, DC--Security--Global distribution group created

657--Win2000, Win2003, DC--Security--Distribution global group deleted

658--Win2000, Win2003, DC--Security--Security universal group created

662--Win2000, Win2003, DC--Security--Security universal group deleted

663--Win2000, Win2003, DC--Security--Distribution universal group created

667--Win2000, Win2003, DC--Security--Distribution universal group deleted
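As an added example, not from the original post, here is the detection side: a PowerShell script that pulls these events from one or more domain controllers and decodes them with the table above. It also normalises the Windows Server 2008 IDs (the 2003 ID plus 4096, e.g. 624 -> 4720) back to this table. The DC names are hypothetical, and the assumption that the first replacement string holds the target account or group name is mine; check it against an event in your own log.

```powershell
# Added example, not from the original post. Collects the account-management events listed in the
# table above from one or more DCs. DC names are hypothetical.
param(
    [string[]]$DomainController = @('DC01', 'DC02'),
    [int]$Hours = 24
)

# Windows 2000/2003 event IDs from the table; 2008+ logs ID + 4096 for the same events
$accountEvents = @{
    624 = 'User account created';               630 = 'User account deleted'
    631 = 'Security global group created';      634 = 'Security global group deleted'
    635 = 'Security local group created';       638 = 'Security local group deleted'
    644 = 'User account locked out';            647 = 'Computer account deleted'
    648 = 'Distribution local group created';   652 = 'Distribution local group deleted'
    653 = 'Distribution global group created';  657 = 'Distribution global group deleted'
    658 = 'Security universal group created';   662 = 'Security universal group deleted'
    663 = 'Distribution universal group created'; 667 = 'Distribution universal group deleted'
}

function Get-AccountManagementEvents {
    param([string]$Computer, [datetime]$Since)
    # Get-EventLog works against 2003 and 2008 DCs from a PowerShell 2.0 host
    Get-EventLog -ComputerName $Computer -LogName Security -After $Since |
        ForEach-Object {
            # normalise Vista/2008 IDs back to the 2003 numbering used in the table
            $id = $_.EventID
            if ($id -ge 4096) { $id = $id - 4096 }
            if ($accountEvents.ContainsKey($id)) {
                New-Object PSObject -Property @{
                    Time    = $_.TimeGenerated
                    DC      = $Computer
                    EventID = $_.EventID
                    What    = $accountEvents[$id]
                    # assumption: first replacement string is the target account/group name
                    Target  = $_.ReplacementStrings[0]
                    # subject recorded on the event (who performed the action)
                    Caller  = $_.UserName
                }
            }
        }
}

$since  = (Get-Date).AddHours(-$Hours)
$events = foreach ($dc in $DomainController) { Get-AccountManagementEvents -Computer $dc -Since $since }
$events | Sort-Object Time | Format-Table Time, DC, EventID, What, Target, Caller -AutoSize
```

Each DC only holds the events for actions it processed itself, so the loop over every DC is not optional; a lockout (644/4740) is always recorded on the PDC emulator as well.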

Saturday, February 13, 2010

Unable to install any Application

The issue could be with the ePO agent for McAfee VirusScan.

1.Click Start > Run.
2.Type cmd and press Enter.
3.Type cd\ and press Enter.
4.Type cd program files and press Enter.
5.Type cd mcafee and press Enter.
6.Type cd common framework and press Enter.
7.Type frminst /remove=agent and press Enter.
8.The McAfee Agent and Updater Setup window will open and begin removing the ePolicy Orchestrator agent.

1.Make a backup of your registry before you begin. Proceed with these instructions only if you are confident about what you are doing.

2.Click Start > Run.
3.Type regedit and press Enter. This will open Registry Editor.
4.Locate the McAfee registry key and the Network Associates registry key. You may have one or both of these.
5.Expand the McAfee and Network Associates registry keys to inspect their contents and sub-keys.
 If you have McAfee or Network Associates software installed on your computer apart from McAfee VirusScan and McAfee ePO, use caution when considering whether to delete these registry keys: if you delete them, you may find that other McAfee or Network Associates software no longer functions as expected. If you are sure that you do not have any additional McAfee or Network Associates software installed, delete the McAfee registry key and the Network Associates registry key.

Friday, February 12, 2010

WMI Test fails with error 0x80070005


If the WMI test fails with the error below:

     \root\cimv2 Remote WMI access test FAILED
     Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

1. Ensure that the Windows Management Instrumentation (WMI) service is running on the remote system.
2. Ensure that the firewalls between the two hosts (Windows Firewall, personal firewalls, etc.) allow RPC/DCOM traffic for WMI. Turning a firewall off is only a diagnostic step; put an exception in place rather than leaving it off.
3. Run WMIDiag and check the error codes, reasons and solutions it reports. Most of the time the WMIDiag result itself gives the solution to every error.

For the above error, the reason could be as shown in the WMIDiag result:

32104 00:05:58 (1) !! ERROR: DCOM Status: ................................................................................................. ERROR!
32105 00:05:58 (1) !! ERROR: => The DCOM configuration on this computer is DISABLED

This prevents WMI from working correctly.

You can fix the DCOM configuration by

1. Executing the 'DCOMCNFG.EXE' command.
2. Expanding 'Component Services' and 'Computers' nodes.
3. Editing properties of 'My Computer' node.
4. Editing the 'Default properties' tab.
5. Activate the 'Enable Distributed COM on this computer' checkbox.

From the command line, the DCOM configuration can be corrected with the following command:

REG.EXE Add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /t REG_SZ /d Y /f

(EnableDCOM is a REG_SZ value that must be set to Y; the command as originally posted omitted the /d Y data.)
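As an added example, not from any of the posts, here is one read-only WMI health check that covers the failure modes appearing in the WMI posts on this page (the OWA outage with 0x8004100a, the SQL setup error 0x80041010, access denied 0x80070005, RPC unavailable through ISA, and the SBS 0x800700A4 error): the service state, the EnableDCOM switch, and a root\cimv2 query with the HRESULT decoded. Run it before re-registering anything. The host name is whatever you pass in; nothing is changed on the target.

```powershell
# Added example, not from the original posts. Read-only WMI health check for a local or remote
# host; run it before re-registering DLLs or rebuilding the repository.
param([string]$ComputerName = $env:COMPUTERNAME)

# HRESULTs seen on this page and what each usually means (hashtable keys are case-insensitive)
$known = @{
    '0x8004100A' = 'WBEM_E_CRITICAL_ERROR: repository damaged; try winmgmt /verifyrepository then /salvagerepository'
    '0x80041010' = 'WBEM_E_INVALID_CLASS: classes missing; rundll32 wbemupgd, RepairWMISetup and mofcomp the .mof files'
    '0x80070005' = 'E_ACCESSDENIED: DCOM disabled, or caller not in the DCOM / namespace security ACLs'
    '0x800706BA' = 'RPC_S_SERVER_UNAVAILABLE: RPC blocked (firewall, ISA strict RPC compliance) or winmgmt stopped'
    '0x800700A4' = 'ERROR_MAX_THRDS_REACHED: target is out of threads; see the SBS 2008 post above'
}

function Test-WmiHealth {
    param([string]$Computer)
    $r = New-Object PSObject -Property @{
        Computer = $Computer; WinmgmtRunning = $false; DcomEnabled = $null; Cimv2 = ''; Detail = ''
    }

    # 1. Service state (DCOM event 10005 in the OWA post was winmgmt failing to start)
    $svc = Get-Service -ComputerName $Computer -Name winmgmt -ErrorAction SilentlyContinue
    $r.WinmgmtRunning = ($svc -ne $null -and $svc.Status -eq 'Running')

    # 2. DCOM switch: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM is REG_SZ 'Y' when enabled
    #    (needs the Remote Registry service on a remote target)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $r.DcomEnabled = ($hklm.OpenSubKey('SOFTWARE\Microsoft\Ole').GetValue('EnableDCOM') -eq 'Y')
    } catch {
        $r.Detail += 'registry: ' + $_.Exception.Message + '; '
    }

    # 3. The root\cimv2 test the posts ran by hand, with the HRESULT decoded
    try {
        $os = Get-WmiObject -ComputerName $Computer -Namespace 'root\cimv2' `
                            -Class Win32_OperatingSystem -ErrorAction Stop
        $r.Cimv2 = 'OK (' + $os.Caption + ')'
    } catch {
        $msg = $_.Exception.Message
        $r.Cimv2 = 'FAILED'
        if ($msg -match '0x[0-9A-Fa-f]{8}') {
            $code = $Matches[0]
            if ($known.ContainsKey($code)) { $r.Detail += $code + ': ' + $known[$code] }
            else                           { $r.Detail += $code + ': ' + $msg }
        } else {
            $r.Detail += $msg
        }
    }
    return $r
}

Test-WmiHealth -Computer $ComputerName | Format-List Computer, WinmgmtRunning, DcomEnabled, Cimv2, Detail
```

A host that reports WinmgmtRunning true, DcomEnabled true and still fails root\cimv2 with 0x80070005 has an authorization problem (DCOM limits or the namespace ACL in wmimgmt.msc), not a broken installation, and re-registering DLLs will not help it.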

Friday, January 8, 2010

Client not reporting to WSUS Console.

 The first thing to check is whether the client computer is using the latest Automatic Update client version.

The current version of the Windows Update Agent (the WSUS client component in AU) is determined by the version of WUAUENG.DLL, located in the %systemroot%\system32 folder. If the version of WUAUENG.DLL is 5.4.3790.1000 or greater, the WSUS client (WUA) is installed. A version less than 5.4.3790.1000 indicates that SUS or the earlier AU version 1.0 is installed.

If you have an earlier version of the AU client, it must be updated in order to work with WSUS. Computers running Windows XP with Service Pack 2 (SP2) already have the WSUS client installed.

The AU client, when contacting the WSUS server, will automatically update itself to the latest WSUS version if the self-update files are properly setup on the server. When connected to Windows Update or Microsoft Update, the AU client will also be able to self-update if it is not running the latest version. In addition, the AU client can also be updated by using a signed stand-alone, installation package that is available from Microsoft.

For further instructions on how to detect the need for, and or download the standalone latest release version of WUA, see the Updating the Windows Update Agent section of the

Windows Update Agent API portion of the WSUS SDK at:

On the left navigation, from Windows Server Update Services -> Windows Update Agent API -> Using the Windows Update Agent API -> Updating the Windows Update Agent.

 Imaged clients with a duplicate client ID will only appear once in the WSUS Admin Console. Each AU client must have a unique id which is created for each individual install. When imaging systems it is recommended always to use SysPrep. The WSUS admin console will only display one client for each unique ID. If you have multiple clients created from one image which are sharing the same ID, only one will appear in the WSUS admin console. All clients will check in and download updates, but only one will appear and display status in the WSUS admin console. In cases where clients are not checking in, and they were created from images without running SysPrep, the following steps will reset the existing duplicative client IDs.

a. Run regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

b. Delete the PingID, SUSClientID and the AccountDomainSID values

c. Stop and start the Wuauserv Service

d. From the command prompt run: wuauclt /resetauthorization /detectnow


From the command line, once you are sure the AU client is properly configured and not disabled, you could run a batch file (which might look something like this sample) and get the same results:

rem Fixes problem with client machines not showing up on the server due to imaging method

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f


@echo Triggering detection after resetting WSUS client identity

net stop wuauserv

net start wuauserv

wuauclt /resetauthorization /detectnow
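As an added example (not from the original post), a PowerShell check for the two conditions described above: imaged clients that share a SusClientId, and agents older than 5.4.3790.1000. It reads each machine's WindowsUpdate key via Remote Registry and the agent DLL version via the admin$ share; the computer names are hypothetical.

```powershell
# Added example, not from the original post. Finds WSUS clients that share a SusClientId (imaged
# without Sysprep) and agents below the 5.4.3790.1000 threshold. Computer names are hypothetical.
param([string[]]$ComputerName = @('PC01', 'PC02', 'PC03'))

$wuKey        = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$minimumAgent = [version]'5.4.3790.1000'

function Get-WsusClientIdentity {
    param([string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hklm.OpenSubKey($wuKey)
    $dll  = "\\$Computer\admin`$\system32\wuaueng.dll"
    $ver  = $null
    if (Test-Path $dll) {
        $vi  = (Get-Item $dll).VersionInfo
        $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
    New-Object PSObject -Property @{
        Computer     = $Computer
        SusClientId  = $key.GetValue('SusClientId')
        PingID       = $key.GetValue('PingID')
        AgentVersion = $ver
        AgentOk      = ($ver -ne $null -and $ver -ge $minimumAgent)
    }
}

$clients = foreach ($c in $ComputerName) {
    try { Get-WsusClientIdentity -Computer $c } catch { Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message) }
}

# Every SusClientId group with more than one member needs the reset procedure described above
$clients | Group-Object SusClientId | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    "Duplicate SusClientId {0} on: {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.Computer }) -join ', ')
}
$clients | Format-Table Computer, SusClientId, AgentVersion, AgentOk -AutoSize
```

Run the reset batch file above only on the duplicates this reports; deleting SusClientId on a healthy client makes it show up in the console as a new computer and lose its approval history.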