
Some call me a lover gone mad, some take me for insane,
but only the cloud understands the restlessness of the earth;
how I am, so far from you, how you are, so far from me,
only my heart understands that, or only your heart does !!!

An ocean of pain lies inside, yet it cannot weep;
this tear is a pearl of love, I cannot let it go;
make my longing your bride if you will, but hear this:
what could never become mine can never become yours !!!

Love is a sacred tale of favours given;
once Kabir was the mad one, now it is Meera;
here everyone says there are tears in my eyes:
if you understand, they are pearls; if not, they are water !!!

A bee grows restless over a lily, and there is uproar;
a dream takes root in our heart, and there is uproar;
until now we listened, absorbed, to the tale of love;
I turned the tale into reality, and there is uproar !!!

I shattered, I broke, I could not bear the blows,
yet I could not drift along at the beckoning of the winds;
the tale of love stayed unfinished, unheard:
sometimes you could not hear it, sometimes I could not say it !!!

 

1.0 Introduction

This solution helps only once you have completed/fixed the errors flagged by the IDFix tool.

It prepares and updates the AD user accounts that you want to sync with Azure AD. The steps to perform are:

1-: Export all users from Active Directory. A PowerShell script is provided for the task; you only need to update the “Distinguished Name” of the OU hierarchy in which the user accounts reside.

2-: Clean the exported CSV files. You may need to remove the entries listed below. This is a manual task that depends on the administrator's knowledge of the organisation.

  1. Service accounts
  2. Non-personal accounts
  3. _ accounts (privileged or admin accounts)
  4. Junk/garbage accounts
  5. Test accounts
  6. Accounts that don't have a first and last name
  7. Internet Guest Account (e.g. IUSR_ZA_CPT1B_DC001)
  8. Duplicate UPNs
  9. UPNs that contain a space or special character

3-: Import users from the modified CSV files. A PowerShell script is provided for this; it will ask you for the “Distinguished Name” of the OU hierarchy and the CSV file you want to import.

2.0 Prepare/clean the on-premise AD for AD sync

2.1   Requirements

Note: We need to sync “all users” of the British Council BO Active Directory domain with Azure AD. There are a few challenges in achieving this.

  1. A lot of junk, duplicate and unsupported AD objects are present in AD. We need to identify and clean them before migration/AD sync.
  2. A user's Email ID and UPN (user login name) should be the same. We will follow the standard Firstname.lastname@britishcouncil.org.
  3. We need to identify and list the users who don't have an Email and UPN in the format lastname@britishcouncil.org.
  4. We need to standardise the Email and UPN of those users and inform each user before and after the change, telling them their new email, new UPN, or both.

Question: If there are two users with the same name, what naming convention do we need to follow to create the second user's Email ID and UPN?

Example: There are two users with the same name, “Mat Prior”.

For the first “Mat Prior” we will create:

Email ID: Mat.prior@britishcouncil.org

UPN: Corporate\mat.prior

For the second “Mat Prior”, can we create:

Email ID: Mat.prior2@britishcouncil.org

UPN: Corporate\mat.prior2

Or do we need to take a suggestion from the branding team about this?
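The document leaves the naming decision open. As an added example (not part of the original document or its scripts), the function below implements the suffix convention the question proposes: the firstname.lastname prefix is normalised so it contains no spaces, accents or special characters, and the second account with the same prefix receives the suffix 2, the third 3, and so on. The domain is the one the document uses; the sample users and the set of already-allocated UPNs are constructed for illustration.

```powershell
# Added example: generate Email ID / UPN values following the firstname.lastname convention,
# with a numeric suffix when the same name already exists. Not from the original document.

function ConvertTo-UpnPrefix {
    # Builds "firstname.lastname" with only lower-case letters, digits and hyphens, so the
    # result never contains the spaces or special characters the clean-up step rejects.
    param([Parameter(Mandatory)][string]$GivenName,
          [Parameter(Mandatory)][string]$Surname)

    $clean = {
        param($s)
        # Decompose accented characters (e.g. é -> e + combining accent) and drop the accent marks
        $norm  = $s.Normalize([Text.NormalizationForm]::FormD)
        $ascii = -join ($norm.ToCharArray() | Where-Object {
            [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne [Globalization.UnicodeCategory]::NonSpacingMark })
        # Apostrophes, spaces and punctuation are removed; only a-z, 0-9 and - survive
        ($ascii.ToLowerInvariant() -replace '[^a-z0-9\-]', '')
    }
    return ('{0}.{1}' -f (& $clean $GivenName), (& $clean $Surname))
}

function New-StandardUpn {
    # Returns the next free UPN for this name and records it in $Existing so later calls see it.
    param([Parameter(Mandatory)][string]$GivenName,
          [Parameter(Mandatory)][string]$Surname,
          [string]$Domain = 'britishcouncil.org',                                        # domain from the document
          [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$Existing)    # UPNs already allocated

    $prefix    = ConvertTo-UpnPrefix -GivenName $GivenName -Surname $Surname
    $candidate = "$prefix@$Domain"
    $n = 1
    # First "Mat Prior" gets mat.prior, the second mat.prior2, the third mat.prior3 ...
    while ($Existing.Contains($candidate)) {
        $n++
        $candidate = "$prefix$n@$Domain"
    }
    [void]$Existing.Add($candidate)
    return $candidate
}

# Constructed sample input: two users with the same name, plus one with an accent and a space in the surname.
# UPNs are compared case-insensitively, as AD does.
$existing = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$sample = @(
    @{ GivenName = 'Mat'; Surname = 'Prior' },
    @{ GivenName = 'Mat'; Surname = 'Prior' },
    @{ GivenName = 'Zoë'; Surname = 'van Dyk' }
)
foreach ($u in $sample) {
    $upn = New-StandardUpn -GivenName $u.GivenName -Surname $u.Surname -Existing $existing
    # mail and userPrincipalName carry the same value; sAMAccountName is deliberately not generated here (Note 2)
    [PSCustomObject]@{ GivenName = $u.GivenName; Surname = $u.Surname; mail = $upn; userPrincipalName = $upn }
}
```

In a real run, seed `$existing` with the mail and userPrincipalName values already present in the exported CSVs (and in the tenant) before generating any new value, otherwise the suffix counter can hand out a UPN that is free in one site file but taken in another.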

  5. We need to exclude user accounts such as:
    1. Service accounts
    2. Non-personal accounts
    3. _ accounts (privileged or admin accounts)
    4. Junk/garbage accounts
    5. Test accounts
    6. Accounts that don't have a first and last name
    7. Internet Guest Account (e.g. IUSR_ZA_CPT1B_DC001)
    8. Duplicate UPNs
    9. UPNs that contain a space or special character

Note: We only need to match the Mail ID and UPN (the UPN needs modification, and the change must be communicated to the users). After modifying the UPN we need to inform the users, because applications that authenticate by UPN will be impacted.

Note 2: The SAM account name should remain as it is. If we change the SAM account name it will create problems for many old applications, such as SAP, ServiceNow, etc.

 

2.2   Method to fulfil the requirements

We need to follow both of the steps given below to achieve the desired outcome. The IDFix tool flags the bad AD objects that cannot sync with Azure AD; we need to categorise those problems and fix them, either manually or through IDFix.

Once Active Directory is prepared to sync and all errors raised by IDFix have been resolved, it is recommended to make each user's Email and UPN prefix identical. This is Microsoft's recommendation for a robust Office 365 infrastructure and SSO. Follow the steps below to update the Active Directory users' UPN and related attributes so the users are ready for AD sync.

2.2.1     Exporting the user account information in CSV from the British Council Active Directory

The script fetches AD user information with selected attributes into CSV files. Each site's users are placed in a separate CSV file.

Note: Please check section 3.2 for the PowerShell export script. All sites' user and attribute information is stored in the folder “\Scriptdirectory\Temp_reports\Splited” on the system where the export script is run.

  • Script (please check section 3.0 for the PowerShell scripts) to fetch user account information from AD.

AD attribute information we are fetching:

userPrincipalName,mail,givenname,surname,title,displayname,manager,streetAddress,telephoneNumber,otherTelephone,mobile,l,st,postalCode,c,co,countryCode,msExchUsageLocation,extensionAttribute9,extensionAttribute15,msRTCSIP-PrimaryUserAddress,distinguishedName,lastLogon

  • Navigate to the path \Scriptdirectory\Temp_reports\Splited and check the CSVs.

 

2.2.1.1       Clean-up steps for CSVs

It is necessary to clean the CSV files to make them ready for import with the updated AD attributes.

  • Navigate to the path “C:\temp\Temp_reports\Splited” and open a CSV.
  • Clean the mail attribute column by removing rows with a blank Email ID.
  • Clean the userPrincipalName attribute column by removing _UPN names.
  • Remove rows with blank givenname and surname attributes by filtering.
  • Sort the mail and userPrincipalName attributes by name, A-Z.
  • Save the file.
  • Follow steps 2 to 5 for each CSV located in the folder “C:\temp\Temp_reports\Splited”.

 

2.2.2     Ready the CSV to import into the British Council Active Directory

  • Sort the mail and userPrincipalName attributes by name, A-Z.
  • Copy the mail attribute column into a different Excel sheet.
  • Update the domain information of each user using the Replace function of the Excel sheet.

Note: All users should have the value “@britishcouncil.org” at the end of their name.

  • Replace the original Excel sheet's userPrincipalName attribute column with the column updated in step 3 above.
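The clean-up in sections 2.2.1.1 and 2.2.2 is described as manual Excel work. As an added example (not part of the original document or its scripts), the script below applies the same rules to an exported CSV and writes an exclusion report so that every dropped row is accounted for: blank mail, missing first or last name, `_`-prefixed accounts, the Internet Guest account, spaces or special characters in the mail prefix, and duplicate UPNs. The column names are the ones the export script in section 3.2 produces; the domain is the one the document uses; the sample rows and the `svc`/`test` naming heuristic for service and test accounts are constructed assumptions and should be adjusted to local naming.

```powershell
# Added example: automated version of the manual CSV clean-up. Not from the original document.

# Local part of a mail/UPN as the document wants it: no spaces, no special characters
$validPrefix = '^[A-Za-z0-9][A-Za-z0-9._-]*$'

function Test-ExcludedAccount {
    # Returns the exclusion reason for one exported row, or $null if the row should be kept.
    param([Parameter(Mandatory)]$Row)

    if ([string]::IsNullOrWhiteSpace($Row.mail))          { return 'blank mail' }
    if ([string]::IsNullOrWhiteSpace($Row.givenname) -or
        [string]::IsNullOrWhiteSpace($Row.surname))       { return 'missing first or last name' }
    if ($Row.userPrincipalName -like '_*' -or
        $Row.samaccountname -like '_*')                   { return 'privileged/admin (_) account' }
    if ($Row.samaccountname -like 'IUSR_*')               { return 'Internet Guest account' }
    if ($Row.samaccountname -match '^(svc|test)[._-]')    { return 'service or test account (assumed naming)' }
    $prefix = ($Row.mail -split '@')[0]
    if ($prefix -notmatch $validPrefix)                   { return 'space or special character in mail prefix' }
    return $null
}

function Invoke-CsvCleanup {
    # Applies the rules, rewrites mail/userPrincipalName to <prefix>@<Domain> and sorts, like steps 2-5.
    param([Parameter(Mandatory)][object[]]$Rows,
          [string]$Domain = 'britishcouncil.org')   # domain from the document

    $kept     = New-Object System.Collections.Generic.List[object]
    $excluded = New-Object System.Collections.Generic.List[object]

    foreach ($row in $Rows) {
        $reason = Test-ExcludedAccount -Row $row
        if ($reason) {
            $excluded.Add([PSCustomObject]@{ samaccountname = $row.samaccountname; reason = $reason })
            continue
        }
        # Section 2.2.2: the UPN becomes the mail prefix + @britishcouncil.org, identical to the mail attribute
        $prefix = ($row.mail -split '@')[0].ToLowerInvariant()
        $row.mail              = "$prefix@$Domain"
        $row.userPrincipalName = "$prefix@$Domain"
        $kept.Add($row)
    }

    # Duplicate UPNs are excluded rather than renamed: they need the naming decision from section 2.1
    $dupes = $kept | Group-Object userPrincipalName | Where-Object Count -gt 1
    foreach ($g in $dupes) {
        foreach ($r in $g.Group) {
            $excluded.Add([PSCustomObject]@{ samaccountname = $r.samaccountname; reason = 'duplicate UPN' })
            [void]$kept.Remove($r)
        }
    }

    [PSCustomObject]@{
        Kept     = @($kept | Sort-Object mail, userPrincipalName)
        Excluded = @($excluded)
    }
}

# Constructed sample export (a real one comes from the export script in section 3.2)
$sampleCsv = @'
samaccountname,userPrincipalName,mail,givenname,surname,countryCode
mprior,mprior@corporate.local,Mat.Prior@corporate.local,Mat,Prior,826
mprior2,mprior2@corporate.local,Mat.Prior@corporate.local,Mat,Prior,826
_jsmith,_jsmith@corporate.local,j.smith@corporate.local,John,Smith,826
svc_backup,svc_backup@corporate.local,backup@corporate.local,,,826
IUSR_ZA_CPT1B_DC001,IUSR_ZA_CPT1B_DC001@corporate.local,,,,710
akhan,akhan@corporate.local,a khan@corporate.local,Aisha,Khan,586
rlee,rlee@corporate.local,Rita.Lee@corporate.local,Rita,Lee,826
'@

$result = Invoke-CsvCleanup -Rows (ConvertFrom-Csv $sampleCsv)
$result.Kept     | Export-Csv -Path (Join-Path $env:TEMP 'AE_AUH1_cleaned.csv') -NoTypeInformation
$result.Excluded | Format-Table -AutoSize
```

Keep the exclusion report with the cleaned file: the import script in section 3.1 only touches accounts present in the CSV, so the report is the record of which enabled accounts were deliberately left out of the sync and why.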

 

2.2.3     Importing the cleaned/updated CSV information back into the British Council Active Directory

Note: Please check section 3.1 for the PowerShell script.

  • Run the import script to import the attribute values. Only 3 attributes are updated by the script:

userPrincipalName: same as the Mail ID

msExchUsageLocation: same as the country code

extensionAttribute15: O365Sync

  • The script will ask you to enter the Distinguished Name of the site OU.
  • Provide the value and click OK.
  • The script will ask you to enter the path of the updated CSV file that was modified in step 2.2.2.
  • Provide the value and click OK.
  • Click OK.
  • Check the path Scriptpath\ErrorLogs\ for logs and more details.

Note: This script takes a backup of the AD attributes that are going to be modified, both before and after the modification. You can restore the user attributes by feeding the “useraccounts_BeforeUpdate.csv” file to the PowerShell script given in section 3.3.

Files present at the location “Scriptpath\ErrorLogs”:

1-: useraccounts_AfterUpdate.csv

2-: useraccounts_BeforeUpdate.csv
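The two backup files are also the evidence that the import changed only what it was meant to. As an added example (not part of the original document or its scripts), the function below compares useraccounts_BeforeUpdate.csv with useraccounts_AfterUpdate.csv account by account, keyed on samaccountname, and flags any change outside the three attributes the import script is allowed to write, plus any account that appears in only one file. The CSV content shown is constructed; with the real files, replace the here-strings with `Import-Csv` on the two paths in the ErrorLogs folder.

```powershell
# Added example: verify that the before/after backups differ only in the permitted attributes.
# Not from the original document.

# The only attributes the import script (section 3.1) is supposed to write
$AllowedToChange = @('userPrincipalName', 'msExchUsageLocation', 'extensionAttribute15')

function Compare-AttributeBackup {
    param([Parameter(Mandatory)][object[]]$Before,
          [Parameter(Mandatory)][object[]]$After)

    # Index both files by samaccountname, the attribute the import never modifies (Note 2 in section 2.1)
    $beforeBySam = @{}
    foreach ($b in $Before) { $beforeBySam[$b.samaccountname] = $b }
    $afterBySam = @{}
    foreach ($a in $After)  { $afterBySam[$a.samaccountname] = $a }

    $columns  = $Before[0].PSObject.Properties.Name | Where-Object { $_ -ne 'samaccountname' }
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($sam in $beforeBySam.Keys) {
        if (-not $afterBySam.ContainsKey($sam)) {
            # Enabled account present before the run but missing afterwards: never expected from this script
            $findings.Add([PSCustomObject]@{ samaccountname = $sam; attribute = '(account)'; before = 'present'; after = 'missing'; allowed = $false })
            continue
        }
        foreach ($col in $columns) {
            $old = [string]$beforeBySam[$sam].$col
            $new = [string]$afterBySam[$sam].$col
            if ($old -cne $new) {
                $findings.Add([PSCustomObject]@{
                    samaccountname = $sam; attribute = $col; before = $old; after = $new
                    allowed        = ($AllowedToChange -contains $col)
                })
            }
        }
    }
    foreach ($sam in $afterBySam.Keys) {
        if (-not $beforeBySam.ContainsKey($sam)) {
            $findings.Add([PSCustomObject]@{ samaccountname = $sam; attribute = '(account)'; before = 'missing'; after = 'present'; allowed = $false })
        }
    }
    return $findings
}

# Constructed sample content of the two backup files. rlee's mail has changed, which the import must never do.
$beforeCsv = @'
samaccountname,userPrincipalName,mail,msExchUsageLocation,extensionAttribute15
mprior,mprior@corporate.local,mat.prior@britishcouncil.org,,
rlee,rlee@corporate.local,rita.lee@britishcouncil.org,,
'@
$afterCsv = @'
samaccountname,userPrincipalName,mail,msExchUsageLocation,extensionAttribute15
mprior,mat.prior@britishcouncil.org,mat.prior@britishcouncil.org,GB,O365Sync
rlee,rita.lee@britishcouncil.org,r.lee@britishcouncil.org,GB,O365Sync
'@

$findings = Compare-AttributeBackup -Before (ConvertFrom-Csv $beforeCsv) -After (ConvertFrom-Csv $afterCsv)
$findings | Format-Table -AutoSize

$unexpected = @($findings | Where-Object { -not $_.allowed })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) change(s) outside the permitted attributes; consider restoring with the script in section 3.3"
}
```

Run this against the real files immediately after the import and before users are told about their new UPN; an unexpected finding is the trigger for the restore script in section 3.3 while useraccounts_BeforeUpdate.csv still reflects the pre-change state.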

3.0  User Account Export and Import Script.

3.1   Import Script

# PowerShell File
# Author: Manish Kumar
# Date: 20-dec-2016
# Ver: 2
# Detail: This file will replace the AD attributes of users in Active Directory. It reads a .csv file
#         describing each user and the attribute values to replace/modify in Active Directory.
# Importing Required Modules: System.Windows.Forms / System.Drawing for the input boxes,
#         ActiveDirectory for the Get-ADUser / Set-ADUser cmdlets.
#------------------------------------------------------------

<#
.SYNOPSIS
Update-ADUsers is a PowerShell script that updates Active Directory users with information from a CSV file.

.DESCRIPTION
Update-ADUsers is a PowerShell script that updates Active Directory users with information from a CSV file.
The script logs every step to a log file and shows on screen which task is being performed at any point
in time. The user running this script must have admin rights (rights to modify the AD attributes).

.EXAMPLE
This script requires two inputs from the user: the site OU DN and the path of the cleaned CSV file.
DN = ou=AUH1,ou=AE,ou=user Accounts,dc=ABC,dc=org
CSV File Path = C:\test_mk\CSV_File\AE_AUH1.csv
#>

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

#-------------------------------------------
# Log Writing Started
#-------------------------------------------
# Get script start time (used to measure run time)
$startDTM = (Get-Date)

# Define script path; the log file and the before/after backups go into <script folder>\Errorlogs
$Scriptpath = (Split-Path $script:MyInvocation.MyCommand.Path) + "\"
$logpath = $Scriptpath + "Errorlogs"
If (!(Test-Path $logpath)) { New-Item -ItemType Directory -Path $logpath | Out-Null } # Out-Null suppresses console info

$Logfiletime = (Get-Date).ToString('dd-MM-yyyy')
$datestamp   = (Get-Date).ToString('dd-MM-yyyy(HH:mm:ss)')
$logfile     = $logpath + "\logfile_$Logfiletime.txt"

"" | Out-File $logfile -Append   # appends a blank line on top each time for easy reading
"Update-ADUsers errors logged " + $datestamp + ": " | Out-File $logfile -Append
"---------------------------------------------------" | Out-File $logfile -Append   # line beneath each log stamp

#-------------------------------------------
# Input Box function
#-------------------------------------------
# The site OU DN and the CSV path are both collected with this Windows Forms input box. The typed value
# is stored in the script scope, because a value assigned inside a button or key event handler would
# otherwise be lost when ShowDialog() returns.
function Read-InputBox {
    param([string]$Title, [string]$Prompt, [int]$Width = 500)

    $script:inputResult = $null

    $objForm = New-Object System.Windows.Forms.Form
    $objForm.Text = $Title
    $objForm.Size = New-Object System.Drawing.Size($Width, 200)
    $objForm.StartPosition = "CenterScreen"
    $objForm.KeyPreview = $True
    $objForm.Add_KeyDown({
        if ($_.KeyCode -eq "Enter")  { $script:inputResult = $objTextBox.Text; $objForm.Close() }
        if ($_.KeyCode -eq "Escape") { $objForm.Close() }
    })

    $OKButton = New-Object System.Windows.Forms.Button
    $OKButton.Location = New-Object System.Drawing.Size(75, 120)
    $OKButton.Size = New-Object System.Drawing.Size(75, 23)
    $OKButton.Text = "OK"
    $OKButton.Enabled = $false   # enabled as soon as something has been typed
    $OKButton.Add_Click({ $script:inputResult = $objTextBox.Text; $objForm.Close() })
    $objForm.Controls.Add($OKButton)

    $CancelButton = New-Object System.Windows.Forms.Button
    $CancelButton.Location = New-Object System.Drawing.Size(150, 120)
    $CancelButton.Size = New-Object System.Drawing.Size(75, 23)
    $CancelButton.Text = "Cancel"
    $CancelButton.Add_Click({ $objForm.Close() })
    $objForm.Controls.Add($CancelButton)

    $objLabel = New-Object System.Windows.Forms.Label
    $objLabel.Location = New-Object System.Drawing.Size(10, 20)
    $objLabel.Size = New-Object System.Drawing.Size(880, 20)
    $objLabel.Text = $Prompt
    $objForm.Controls.Add($objLabel)

    $objTextBox = New-Object System.Windows.Forms.TextBox
    $objTextBox.Location = New-Object System.Drawing.Size(20, 40)
    $objTextBox.Size = New-Object System.Drawing.Size(260, 20)
    $objTextBox.Add_TextChanged({ $OKButton.Enabled = $true })
    $objForm.Controls.Add($objTextBox)

    $objForm.Topmost = $True
    $objForm.Add_Shown({ $objForm.Activate() })
    [void] $objForm.ShowDialog()

    return $script:inputResult
}

$x  = Read-InputBox -Title "Distinguished Name" -Prompt "Please enter OU Distinguished Name of the site where you need to modify user account attributes:"
$x1 = Read-InputBox -Title "CSV file Path" -Width 900 -Prompt "Please enter CSV file Path of previously given OU Distinguished Name user base:"

# Write-Host output goes to the console only and cannot be piped to a file, so the values are logged as plain strings
"Distinguished Name = $x" | Out-File $logfile -Append
"CSV file Path = $x1" | Out-File $logfile -Append

# Stop before touching AD if either input is missing (Cancel or Escape leaves the value empty)
if ([string]::IsNullOrWhiteSpace($x) -or [string]::IsNullOrWhiteSpace($x1)) {
    " !!!!Error!!!! Script Failed: DN or File path not provided. " | Out-File $logfile -Append
    Write-Output "Script Failed: DN or File path not provided."
    return
}

#-----------------------------------------------------------------------------------

Write-Host "Importing Active Directory Modules and performing pre-tasks..." -ForegroundColor Red

# import the ActiveDirectory Module
Import-Module ActiveDirectory -WarningAction SilentlyContinue
$csvfilepath = $x1
$users = Import-Csv -Path $csvfilepath

#-------------------------------------------
"Messagebox" | Out-File $logfile -Append
#-------------------------------------------
# MessageBox button sets: 0 OK, 1 OK Cancel, 2 Abort Retry Ignore, 3 Yes No Cancel, 4 Yes No, 5 Retry Cancel
$OUTPUT = [System.Windows.Forms.MessageBox]::Show("We are going to modify AD Attributes. Please make sure you are Authorised for this.", "Status", 4)

# Columns written to the before/after backup files
$backupColumns = 'samaccountname', 'userPrincipalName', 'mail', 'msExchUsageLocation', 'extensionAttribute15'

if ($OUTPUT -eq "Yes") {
    #-------------------------------------------
    "Backing up the data which is going to be modified in useraccounts_BeforeUpdate.csv " | Out-File $logfile -Append
    #-------------------------------------------
    Get-ADUser -Filter { enabled -eq "True" } -SearchBase $x -Properties $backupColumns |
        Select-Object $backupColumns |
        Export-Csv ($logpath + "\useraccounts_BeforeUpdate.csv") -NoTypeInformation
}
else {
    "Script aborted by User" | Out-File $logfile -Append
    return
}

#-------------------------------------------
"Modification Started" | Out-File $logfile -Append
#-------------------------------------------
foreach ($user in $users) {
    " updating user ", $user | Out-File $logfile -Append
    # Only three attributes are written: userPrincipalName, msExchUsageLocation and extensionAttribute15.
    # sAMAccountName is only used to locate the account and is never changed (Note 2 in section 2.1).
    try {
        $adUser = Get-ADUser -Filter "sAMAccountName -eq '$($user.sAMAccountName)'" -SearchBase $x -ErrorAction Stop
        if (-not $adUser) { throw "account not found under $x" }
        $adUser | Set-ADUser -UserPrincipalName $user.userPrincipalName -Replace @{
                "msExchUsageLocation"  = $user.msExchUsageLocation
                "extensionAttribute15" = $user.extensionAttribute15
            } -ErrorAction Stop
    }
    catch {
        # An empty CSV value in -Replace, or an account outside the given OU, is logged here instead of aborting the loop
        " !!!!Error!!!! $($user.sAMAccountName): $($_.Exception.Message)" | Out-File $logfile -Append
    }
}

#-------------------------------------------
"Updating useraccounts_AfterUpdate.csv which has User Account data after modification" | Out-File $logfile -Append
#-------------------------------------------
Get-ADUser -Filter { enabled -eq "True" } -SearchBase $x -Properties $backupColumns |
    Select-Object $backupColumns |
    Export-Csv ($logpath + "\useraccounts_AfterUpdate.csv") -NoTypeInformation

" !!!!Success!!!! Script has been run successfully. Please check the useraccounts_AfterUpdate.csv file in this folder for the updated values of all users. " | Out-File $logfile -Append
Write-Output "Script has been run successfully. Please check the useraccounts_AfterUpdate.csv file in this folder for the updated values of all users."
" ------------------------------------------------------------------------------------------------------------------------------------------------ " | Out-File $logfile -Append
#------------------------------------------------------------------------------------------------------------------------

3.2   Export Script

# PowerShell File
# Author: Manish Kumar
# Date: 20-dec-2016
# Ver: 1
# Detail: Fetch User Attribute information from AD.
#------------------------------------------------------------

<#
.SYNOPSIS
This script fetches only active (enabled) users from the Active Directory OU "User Accounts". The selected
user attributes are written to the file C:\temp\Temp_reports\UserAccountsOUUsers.csv

Furthermore, this script splits "UserAccountsOUUsers.csv" into multiple files, one per site user base.
Please check the folder "C:\temp\Temp_reports\Splited" for each site's user account information.

We will modify each CSV located in the folder C:\temp\Temp_reports\Splited for certain attributes and import
it back into AD to enable the user accounts for AD Sync (Office 365 tool).
#>

Import-Module ActiveDirectory -WarningAction SilentlyContinue

# Variables
$Scriptpath = (Split-Path $script:MyInvocation.MyCommand.Path) + "\"
$output   = $Scriptpath + "Temp_reports"
$Filename = "UserAccountOUUsers"
$path2    = $Scriptpath + "Temp_reports\Splited"
If (!(Test-Path $output)) { New-Item -ItemType Directory -Path $output | Out-Null } # Out-Null suppresses console info
If (!(Test-Path $path2))  { New-Item -ItemType Directory -Path $path2  | Out-Null }

# Top of the OU hierarchy: one OU per country directly below it, one OU per site below each country
$searchbase = "OU=User Accounts,DC=ABC,DC=Org"

$Country_Code = Get-ADOrganizationalUnit -Filter * -SearchBase $searchbase -SearchScope OneLevel -Properties description

$(foreach ($country in $Country_Code) {

    $OUs = Get-ADOrganizationalUnit -Filter * -SearchBase $country.distinguishedName -SearchScope OneLevel

    foreach ($ou in $OUs) {

        # Enabled users only; the attribute list is the one given in section 2.2.1
        $results = Get-ADUser -Filter { enabled -eq "True" } -SearchBase $ou.distinguishedName -Properties * |
            Select-Object samaccountname,userPrincipalName,mail,givenname,surname,title,displayname,manager,
                streetAddress,telephoneNumber,mobile,l,st,postalCode,c,co,countryCode,msExchUsageLocation,
                extensionAttribute9,extensionAttribute15,"msRTCSIP-PrimaryUserAddress",distinguishedName,
                @{Name='memberof'; Expression={ [string]::Join(";", ($_.memberof)) }}

        foreach ($r in $results) {
            # [PSCustomObject] (rather than New-Object PSObject -Property) keeps the columns in this order in the CSV
            [PSCustomObject]@{
                samaccountname                = $r.samaccountname
                userPrincipalName             = $r.userPrincipalName
                mail                          = $r.mail
                givenname                     = $r.givenname
                surname                       = $r.surname
                title                         = $r.title
                displayname                   = $r.displayname
                manager                       = $r.manager
                streetAddress                 = $r.streetAddress
                telephoneNumber               = $r.telephoneNumber
                mobile                        = $r.mobile
                l                             = $r.l
                st                            = $r.st
                postalCode                    = $r.postalCode
                c                             = $r.c
                co                            = $r.co
                countryCode                   = $r.countryCode
                msExchUsageLocation           = $r.msExchUsageLocation
                extensionAttribute9           = $r.extensionAttribute9
                extensionAttribute15          = $r.extensionAttribute15
                "msRTCSIP-PrimaryUserAddress" = $r."msRTCSIP-PrimaryUserAddress"
                distinguishedName             = $r.distinguishedName
                memberof                      = $r.memberof
                OU_Name                       = $country.description
                Country                       = $country.Name + "_" + $ou.Name
            }
        }
    }
}) | Export-Csv "$output\$Filename.csv" -NoTypeInformation

# Split the CSV into multiple CSVs, one per country/site (the "Country" column is <country OU>_<site OU>)
Import-Csv "$output\$Filename.csv" | Group-Object -Property "Country" |
    ForEach-Object { $path = $_.Name + ".csv"; $_.Group | Export-Csv -Path "$path2\$path" -NoTypeInformation }

3.3   Restore Script

 

# PowerShell File
# Author: Manish Kumar
# Date: 20-dec-2016
# Ver: 2
# Detail: This file will replace the AD attributes of users in Active Directory. It reads a .csv file
#         describing each user and the attribute values to replace/modify in Active Directory.
# Importing Required Modules: System.Windows.Forms / System.Drawing for the input boxes,
#         ActiveDirectory for the Get-ADUser / Set-ADUser cmdlets.
# Note: This script restores the userPrincipalName attribute from the input CSV file (useraccounts_BeforeUpdate.csv)
#       and clears the 2 AD attributes "msExchUsageLocation,extensionAttribute15" that the import script set.
#------------------------------------------------------------

<#
.SYNOPSIS
Update-ADUsers is a PowerShell script that updates Active Directory users with information from a CSV file.

.DESCRIPTION
Update-ADUsers is a PowerShell script that updates Active Directory users with information from a CSV file.
The script logs every step to a log file and shows on screen which task is being performed at any point
in time. The user running this script must have admin rights (rights to modify the AD attributes).

Note: This script restores the userPrincipalName attribute from the input CSV file and clears the 2 AD
attributes "msExchUsageLocation,extensionAttribute15".

.EXAMPLE
This script requires two inputs from the user: the site OU DN and the path of the CSV file to restore from.
DN = ou=AUH1,ou=AE,ou=user Accounts,dc=ABC,dc=org
CSV File Path = C:\test_mk\CSV_File\AE_AUH1.csv
#>

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

#-------------------------------------------
# Log Writing Started
#-------------------------------------------
# Get script start time (used to measure run time)
$startDTM = (Get-Date)

# Define script path; the log file and the before/after backups of the restore go into <script folder>\Restorelogs
$Scriptpath = (Split-Path $script:MyInvocation.MyCommand.Path) + "\"
$logpath = $Scriptpath + "Restorelogs"
If (!(Test-Path $logpath)) { New-Item -ItemType Directory -Path $logpath | Out-Null } # Out-Null suppresses console info

$Logfiletime = (Get-Date).ToString('dd-MM-yyyy')
$datestamp   = (Get-Date).ToString('dd-MM-yyyy(HH:mm:ss)')
$logfile     = $logpath + "\logfile_$Logfiletime.txt"

"" | Out-File $logfile -Append   # appends a blank line on top each time for easy reading
"Update-ADUsers errors logged " + $datestamp + ": " | Out-File $logfile -Append
"---------------------------------------------------" | Out-File $logfile -Append   # line beneath each log stamp

#-------------------------------------------
# Input Box function
#-------------------------------------------
# The site OU DN and the CSV path are both collected with this Windows Forms input box. The typed value
# is stored in the script scope, because a value assigned inside a button or key event handler would
# otherwise be lost when ShowDialog() returns.
function Read-InputBox {
    param([string]$Title, [string]$Prompt, [int]$Width = 500)

    $script:inputResult = $null

    $objForm = New-Object System.Windows.Forms.Form
    $objForm.Text = $Title
    $objForm.Size = New-Object System.Drawing.Size($Width, 200)
    $objForm.StartPosition = "CenterScreen"
    $objForm.KeyPreview = $True
    $objForm.Add_KeyDown({
        if ($_.KeyCode -eq "Enter")  { $script:inputResult = $objTextBox.Text; $objForm.Close() }
        if ($_.KeyCode -eq "Escape") { $objForm.Close() }
    })

    $OKButton = New-Object System.Windows.Forms.Button
    $OKButton.Location = New-Object System.Drawing.Size(75, 120)
    $OKButton.Size = New-Object System.Drawing.Size(75, 23)
    $OKButton.Text = "OK"
    $OKButton.Enabled = $false   # enabled as soon as something has been typed
    $OKButton.Add_Click({ $script:inputResult = $objTextBox.Text; $objForm.Close() })
    $objForm.Controls.Add($OKButton)

    $CancelButton = New-Object System.Windows.Forms.Button
    $CancelButton.Location = New-Object System.Drawing.Size(150, 120)
    $CancelButton.Size = New-Object System.Drawing.Size(75, 23)
    $CancelButton.Text = "Cancel"
    $CancelButton.Add_Click({ $objForm.Close() })
    $objForm.Controls.Add($CancelButton)

    $objLabel = New-Object System.Windows.Forms.Label
    $objLabel.Location = New-Object System.Drawing.Size(10, 20)
    $objLabel.Size = New-Object System.Drawing.Size(880, 20)
    $objLabel.Text = $Prompt
    $objForm.Controls.Add($objLabel)

    $objTextBox = New-Object System.Windows.Forms.TextBox
    $objTextBox.Location = New-Object System.Drawing.Size(20, 40)
    $objTextBox.Size = New-Object System.Drawing.Size(260, 20)
    $objTextBox.Add_TextChanged({ $OKButton.Enabled = $true })
    $objForm.Controls.Add($objTextBox)

    $objForm.Topmost = $True
    $objForm.Add_Shown({ $objForm.Activate() })
    [void] $objForm.ShowDialog()

    return $script:inputResult
}

$x  = Read-InputBox -Title "Distinguished Name" -Prompt "Please enter OU Distinguished Name of the site where you need to modify user account attributes:"
$x1 = Read-InputBox -Title "CSV file Path" -Width 900 -Prompt "Please enter CSV file Path of previously given OU Distinguished Name user base:"

# Write-Host output goes to the console only and cannot be piped to a file, so the values are logged as plain strings
"Distinguished Name = $x" | Out-File $logfile -Append
"CSV file Path = $x1" | Out-File $logfile -Append

# Stop before touching AD if either input is missing (Cancel or Escape leaves the value empty)
if ([string]::IsNullOrWhiteSpace($x) -or [string]::IsNullOrWhiteSpace($x1)) {
    " !!!!Error!!!! Script Failed: DN or File path not provided. " | Out-File $logfile -Append
    Write-Output "Script Failed: DN or File path not provided."
    return
}

#-----------------------------------------------------------------------------------

Write-Host "Importing Active Directory Modules and performing pre-tasks..." -ForegroundColor Red

# import the ActiveDirectory Module
Import-Module ActiveDirectory -WarningAction SilentlyContinue
$csvfilepath = $x1
$users = Import-Csv -Path $csvfilepath   # normally the useraccounts_BeforeUpdate.csv written by the import script

#-------------------------------------------
"Messagebox" | Out-File $logfile -Append
#-------------------------------------------
# MessageBox button sets: 0 OK, 1 OK Cancel, 2 Abort Retry Ignore, 3 Yes No Cancel, 4 Yes No, 5 Retry Cancel
$OUTPUT = [System.Windows.Forms.MessageBox]::Show("We are going to modify AD Attributes. Please make sure you are Authorised for this.", "Status", 4)

# Columns written to the before/after backup files
$backupColumns = 'samaccountname', 'userPrincipalName', 'mail', 'msExchUsageLocation', 'extensionAttribute15'

if ($OUTPUT -eq "Yes") {
    #-------------------------------------------
    "Backing up the data which is going to be modified in useraccounts_BeforeUpdate.csv " | Out-File $logfile -Append
    #-------------------------------------------
    Get-ADUser -Filter { enabled -eq "True" } -SearchBase $x -Properties $backupColumns |
        Select-Object $backupColumns |
        Export-Csv ($logpath + "\useraccounts_BeforeUpdate.csv") -NoTypeInformation
}
else {
    "Script aborted by User" | Out-File $logfile -Append
    return
}

#-------------------------------------------
"Modification Started" | Out-File $logfile -Append
#-------------------------------------------
foreach ($user in $users) {
    " updating user ", $user | Out-File $logfile -Append
    # Restore: put the old userPrincipalName from the CSV back and clear the two attributes the import script set.
    # sAMAccountName is only used to locate the account and is never changed (Note 2 in section 2.1).
    try {
        $adUser = Get-ADUser -Filter "sAMAccountName -eq '$($user.sAMAccountName)'" -SearchBase $x -ErrorAction Stop
        if (-not $adUser) { throw "account not found under $x" }
        $adUser | Set-ADUser -UserPrincipalName $user.userPrincipalName -Clear msExchUsageLocation,extensionAttribute15 -ErrorAction Stop
    }
    catch {
        " !!!!Error!!!! $($user.sAMAccountName): $($_.Exception.Message)" | Out-File $logfile -Append
    }
}

#-------------------------------------------
"Updating useraccounts_AfterUpdate.csv which has User Account data after modification" | Out-File $logfile -Append
#-------------------------------------------
Get-ADUser -Filter { enabled -eq "True" } -SearchBase $x -Properties $backupColumns |
    Select-Object $backupColumns |
    Export-Csv ($logpath + "\useraccounts_AfterUpdate.csv") -NoTypeInformation

" !!!!Success!!!! Script has been run successfully. Please check the useraccounts_AfterUpdate.csv file in this folder for the updated values of all users. " | Out-File $logfile -Append
Write-Output "Script has been run successfully. Please check the useraccounts_AfterUpdate.csv file in this folder for the updated values of all users."
" ------------------------------------------------------------------------------------------------------------------------------------------------ " | Out-File $logfile -Append
#------------------------------------------------------------------------------------------------------------------------

1.0 Overview

This document has the detailed information about the Dell driver’s issue. Everyone generally face this issue when drivers in the driver package (.cab) provided by dell is not working when we package and use them with SCCM OSD. This is a well-known issue faced by various organizations around the globe.
Solution describe here with work only with MDT and SCCM OS deployment.

2.0 Instructions

2.1 Problems
• LAN/NIC driver is not working with Boot image.
• Operating system Deployment Build burst and we cannot locate which exact driver cause the issue out of all those coming in .CAB package file provided by Dell.
• Other drivers (Network, chipset…. Etc) does not work when we integrate them with SCCM and start using them in Operating System Deployment Build.

2.2 Solutions
• Check the boot image and OS architecture first. Always add drivers to the boot image or OS image that are compatible with that image.
Example-: Add 32-bit drivers to a 32-bit boot and OS image, and 64-bit drivers to a 64-bit image.

• We get around 100 to 150 drivers with each Dell model. If any one of the available drivers (audio, video, network, controller, chipset, management, communication, input, storage) has a problem, you cannot complete your OS deployment using SCCM until you find all the faulty drivers and throw them out.
If you face this kind of issue, please follow the guidelines given below.
o Do not import all the drivers available in the CAB into a single folder.
o Import drivers category-wise into separate folders.
o Package drivers category-wise into separate packages. Use all the packages in the SCCM task sequence for installation.
For example-: create a separate package for chipset drivers and a separate package for communication drivers, etc.
o When you have found out which category has the problem, check all the drivers in that category. A category may have 10 to 20 drivers, and one or more of them may be faulty.
o Divide the drivers in the faulty category into two groups, add only one group to the package and check the build. If it works fine, repeat the same method with the remaining drivers.
Note-: You may need to build the system multiple times to find the correct set of working drivers. Once you identify the faulty drivers you can remove them and finalize/seal your build.

• Once you identify the drivers which are creating the problem, report them to Dell.

• Check your system after installing the OS with all working drivers. Check Device Manager; if you see that any driver is not installed, you have to create an SCCM package for the missing drivers so that all drivers are installed with SCCM OS deployment.

• Download the setup file of the identified faulty drivers and create a silent installation package.

• Add the package to the SCCM OS installation task sequence and install the drivers.
o Note-: While working with Dell on these kinds of issues, I came to know that very few L1, L2 and L3 support engineers know that Dell also supports SCCM (system management).
o Dell may rectify the driver issues in coming driver versions.
o In my understanding, we usually face these problems when Dell has not tested the drivers with all installation methods. Sometimes a driver works with Setup.exe and does not work when installed using the driver .INF.

3.0 Glossary
Driver Category-: There are multiple categories of drivers. For Ex-:
Bios
Cache Solutions
Chipset
Diagnostic
Firmware
Network
Power
System management
Video
Storage
Serial ATA

1-: If love is a crime, then let no punishment for it remain!
Yes, but let only the one who is not a sinner cast the stone!!

 

In IIS6-: the limit for uploading content through any web application is 4 MB by default.

In IIS7-: the limit for uploading content through any web application is 28.6 MB by default.

We can increase it by making some changes in the config file. IIS6 uses the maxRequestLength config setting under the system.web section to specify the maximum file upload size, with a default of 4 MB. IIS7 uses the maxAllowedContentLength config setting under the system.webServer section to specify the maximum file upload size, with a default of 28.6 MB. This is something to watch out for when migrating your web application from IIS6 to IIS7. Read on for more information on how I found out about this new config setting for IIS7.

I have migrated several sites from IIS6 to IIS7 without many problems. One gotcha that I did get caught on is the new IIS7 config settings section (system.webServer) and the settings there for specifying the maximum file size to be uploaded to the website. After migrating a certain web application from IIS6 to IIS7 everything appeared fine until a few customers began complaining about issues when uploading files to the website; in particular these were large files, around 50 MB.

In IIS 6.0 there is a config setting (attribute) called maxRequestLength, located under the httpRuntime section in system.web, that you can use to specify the maximum allowed request length (in other words the maximum uploaded file size). In IIS 6.0 the default is 4096, which is the number of kilobytes allowed, so a 4 MB file is the default upload size under IIS 6.0. 4 MB is pretty small these days, so it is quite common to need to override the default and put in a different value here. For the web application that I was migrating to IIS7, we had increased the maximum file size to 200 MB (and told our customers 200 MB was the max upload too).

We have to make this entry in the web.config of the application through which we are uploading more than 28.6 MB in IIS7:

<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="209715200"></requestLimits>
    </requestFiltering>
  </security>
</system.webServer>

 

We had known that httpHandlers in IIS7 were now to be specified in the system.webServer/handlers section but what we did not know (and did not find out until our customers ran into it) was that the maximum request length setting for IIS7 is also in a new location. In IIS7 you specify the maximum size of a file to be uploaded to the website by using the maxAllowedContentLength setting (system.webServer/security/requestFiltering/requestLimits >> maxAllowedContentLength).
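As an added example (not part of the original post), the PowerShell below reads an application's web.config and reports both limits side by side: an ASP.NET upload on IIS7 must pass the old system.web maxRequestLength check as well as the new maxAllowedContentLength check, so raising only the new setting leaves the 4 MB default in force. The sample web.config it writes to %TEMP% is constructed for the demo.

```powershell
# Added example: report the effective upload limit from a web.config.
# Request limits are also a resource-exhaustion guard, so raise them only to what the application needs.
function Get-UploadLimit {
    param([Parameter(Mandatory)][string]$WebConfigPath)

    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw

    # ASP.NET limit: system.web/httpRuntime@maxRequestLength, in KB, default 4096 (4 MB).
    # It still applies to ASP.NET requests on IIS7, so it has to be raised as well.
    $kb = $cfg.configuration.'system.web'.httpRuntime.maxRequestLength
    $aspNetBytes = if ($kb) { [int64]$kb * 1KB } else { 4096 * 1KB }

    # IIS7 request filtering limit: requestLimits@maxAllowedContentLength, in bytes, default 30000000 (~28.6 MB)
    $len = $cfg.configuration.'system.webServer'.security.requestFiltering.requestLimits.maxAllowedContentLength
    $iisBytes = if ($len) { [int64]$len } else { 30000000 }

    # Whichever limit is smaller is the one a large upload actually hits
    $effective = [math]::Min($aspNetBytes, $iisBytes)

    [pscustomobject]@{
        AspNetMaxRequestLengthMB     = [math]::Round($aspNetBytes / 1MB, 1)
        IisMaxAllowedContentLengthMB = [math]::Round($iisBytes / 1MB, 1)
        EffectiveLimitMB             = [math]::Round($effective / 1MB, 1)
        Bottleneck                   = if ($aspNetBytes -le $iisBytes) { 'system.web/httpRuntime maxRequestLength' }
                                       else { 'system.webServer/security/requestFiltering/requestLimits maxAllowedContentLength' }
    }
}

# Constructed sample: the 200 MB fix from the post applied WITHOUT touching httpRuntime
$sample = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime executionTimeout="110" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="209715200" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@
$path = Join-Path $env:TEMP 'demo-web.config'
Set-Content -LiteralPath $path -Value $sample
Get-UploadLimit -WebConfigPath $path | Format-List     # effective limit stays at the 4 MB ASP.NET default

# Corrected sample: raise the ASP.NET limit too (maxRequestLength is in KB: 204800 KB = 200 MB)
$fixed = $sample -replace 'executionTimeout="110"', 'executionTimeout="110" maxRequestLength="204800"'
Set-Content -LiteralPath $path -Value $fixed
Get-UploadLimit -WebConfigPath $path | Format-List     # both limits now agree at 200 MB
```

Point the function at the real web.config of a migrated application to confirm that the limit customers observe matches what was promised.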

 

I hope it will solve your issues.

 

Regards,

Manish Kumar

How to install a certificate on a Microsoft ISA server ?

** This article assumes that you have already requested and installed a certificate on your Web server.

Computer A – is the web server
Computer B – is the ISA server
To set up ISA Server to host Web sites by using the SSL protocol, you must export the SSL certificate of the Web site with the associated key. If you do not have this key, you cannot use this certificate for SSL with ISA Server.

Export your Entrust SSL Server Certificate from IIS 5.0 (performed on server A)

Step 1:  Performed on server A

The Certificates snap-in utility must be added first.

Snap-In Configuration:

Open the Microsoft Management Console (MMC) and add the Certificates snap-in:

Click Start, and then click Run.
Type in “MMC” (without the quotation marks) and click OK.
Click Console in the new MMC you created, and then click Add/Remove Snap-in.
In the new window that appears, click Add.
Highlight Certificates, and then click Add.
Choose the Computer account option and click Next.
Select Local Computer on the next screen, and then click Finish.
Click Close, and then click OK.

Step 2: Perform on server A

Exporting your keypair (private and public keys):
From the MMC Console opened in the above steps: Expand the ‘Certificates’ tree in the left preview panel
Expand the ‘Personal’ tree in the left preview panel and highlight ‘Certificates’
Select and Right-click your certificate from the right preview panel
Select All Tasks/ Export – The Certificate Export Wizard appears
Select Next to continue.
Select Yes, to export the private key
Select Next to continue.
Ensure ‘Enable Strong Protection’ is checked, click Next
Supply and confirm a password for your keypair back up.

N.B. It is very important that you remember this password. If you forget it you will not be able to gain access to your Private Key.

Supply a file name and location for your keypair back up. This will create a PFX file.

N.B. Store your PFX keypair backup onto some form of removable media to ensure it is not lost.

Select Next to continue.
Select Finish.
Select OK to complete the Export.
You have successfully backed up your keypair (private and public key).

NOTE: If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.

Finally, copy the PFX file that you created to ISA Server.

Install the Certificate to ISA – Performed on Computer B (ISA Server)

The Certificates snap-in utility must be installed. See Step 1 for Snap-In Configuration.

From the MMC console opened in the above process:
Expand the ‘Certificates’ tree in the left preview panel
Right-click ‘Personal’
Select All Tasks/Import – The Certificate Import Wizard appears.
Select Next to continue.
Browse to, and Select your PFX keypair file.
Select Next to continue.

Supply the password which was provided during the creation of the PFX keypair file.
N.B. Be sure the ‘Mark the key as exportable’ option is selected if you want to be able to export the key pair again from this computer. As an added security measure, you may want to leave this option unchecked to ensure that no one can make a backup of your private key.

Select Next to continue.
Select Next to continue.
Select Finish.
Select OK to complete the Import.
You have successfully imported your PFX keypair into the Windows certificate store.

Examine the Intended Purposes field of the certificate. If this field is set to All instead of listing specific purposes, you must perform the following steps before ISA Server can recognize the certificate:

  1. In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate.
  2. Change the Enable all purposes for this certificate option to the Enable only the following purposes option, select all the items, and then click Apply.

Configure the Certificate in ISA – Performed on Computer B

Open the ISA Manager and complete the SSL installation:

  1. Right-click the server that is going to accept the incoming connection, and then click Properties.
  2. Click the Incoming Web Requests tab.
  3. Click the Internet Protocol (IP) address entry for the site that you are going to host, or the all IP addresses entry if you do not have individual IP addresses set up.
  4. Click Edit.
  5. Click to select the Use a server certificate to authenticate to web users check box.
  6. Click Select.
  7. Select your previously imported certificate.
  8. Click OK.
  9. Click to select the Enable SSL listeners check box.
  10. Expand the Publishing folder, and then click Web Publishing Rules.
  11. Double-click the Web publishing rule that will route the SSL traffic.
  12. On the Bridging tab, locate Redirect SSL requests as, and then select HTTP requests (terminate the secure channel at the proxy).
  13. Click OK.
  14. Restart ISA Server.

Thanks

Manish Kumar

How to disable “ask me later” problem in Internet explorer IE

Greeting from my side friends,

Method-:1

1. Use the Registry Editor (Regedit.exe) and navigate to the following branch: HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Internet Explorer \ Main

Note: The above branch does not exist by default and has to be created manually or by running the REG file available at the end of this article.

2. Create a REG_DWORD value named DisableFirstRunCustomize

3. Double-click DisableFirstRunCustomize and set its value data to 1.

4. Exit the Registry Editor.

Note-: To automate the steps, copy the lines given below into a text file, change its extension to .reg and run it. This performs all the steps given above with a single click.

Windows Registry Editor Version 5.00

;Disable IE8 Tour for all users

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main]
"DisableFirstRunCustomize"=dword:00000001

 

To undo all changes-: copy the lines given below into a text file, change its extension to .reg and run it.

Windows Registry Editor Version 5.00

;Enable IE8 Tour for all users

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"IE8RunOnceLastShown"=-
"IE8RunOncePerInstallCompleted"=-
"IE8RunOnceCompletionTime"=-
"IE8TourShown"=-
"IE8TourShownTime"=-
"IE8RunOnceLastShown_TIMESTAMP"=-

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main]
"DisableFirstRunCustomize"=-

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main]
"DisableFirstRunCustomize"=-

 

Method-:2

1. Launch the Group Policy Editor (gpedit.msc).

2. Expand the following branch: Computer Configuration | Administrative Templates | Windows Components | Internet Explorer

3. Double-click Prevent performance of First Run Customize Settings.

4. Enable this setting.

5. Choose the option to go to the home page directly.

Thanks,

Manish Mishra

This will help you if one application is causing problems again and again and crashing the worker process. With the process given below you can enable orphaning (the worker process will not be closed until you close it manually), so that a debugger can capture a dump of it.

 

Create a batch file to execute when a worker process is orphaned

  1. Start Notepad.
  2. Paste the following code into Notepad.

@if "%_echo%"=="" echo off
setlocal
rem Build a timestamp that is safe to use in a file name
set TIMESTAMP=%DATE:~-9%_%TIME%
set TIMESTAMP=%TIMESTAMP:/=_%
set TIMESTAMP=%TIMESTAMP::=_%
set TIMESTAMP=%TIMESTAMP:.=_%
set TIMESTAMP=%TIMESTAMP: =_%
rem %1 is the PID of the orphaned worker process, passed in through OrphanActionParams
set FILENAME=c:\crash_PID_%1_%TIMESTAMP%.dmp
set LOG=c:\log.txt
rem Attach cdb to the process, write a full memory dump and quit the debugger
set COMMAND=c:\debuggers\cdb.exe -c ".dump /o /ma %FILENAME%;q" -p %1

echo %COMMAND% > %LOG%
%COMMAND%

endlocal

  3. Save the file as FileName.cmd. For this example, we will name the file Action.cmd. However, you may name the file as you want.

Note You may have to modify the location of the debuggers and the location where you want the resulting dump file to be generated.


Configure the Orphan Worker Process settings

  1. At the command prompt, type the following command, and then press ENTER:

cd \Inetpub\adminscripts

  2. To enable the Orphan Worker Process feature, type the following command at the command prompt:

adsutil.vbs SET W3SVC/AppPools/DefaultAppPool/OrphanWorkerProcess TRUE

  3. At the command prompt, set the executable to run when a process is scheduled to be recycled. For example, in this case use the batch file that was created in the "Create a Batch File to Execute When a Worker Process Is Orphaned" section:

adsutil.vbs SET W3SVC/AppPools/DefaultAppPool/OrphanActionExe "c:\action.cmd"

adsutil.vbs SET W3SVC/AppPools/DefaultAppPool/OrphanActionParams "%1%"

Note Make sure that the OrphanActionExe option points to the location of the batch file that was created in the “Create a Batch File to Execute When a Worker Process Is Orphaned” section. Also make sure that the identity of the W3wp.exe process has Read and Execute permissions to this file.

Note If you enable IIS to debug worker processes that are reported as unhealthy, make sure that you monitor these released worker processes. IIS does not automatically remove these worker processes from memory. If you do not correctly handle these worker processes, many failed worker processes may be running on your computer. These worker processes can tie up resources that are needed by other processes. You must end these worker processes quickly to free those resources. In some conditions, these worker processes may block metabase access. This causes problems with other worker processes or with the World Wide Web service itself.

 

 

Thanks

MK

Isolate users using Active Directory (AD) isolation mode By – Manish

Here are the steps for AD isolation mode. It is not meant for local user accounts, only for Active Directory users. Please follow the steps carefully, since AD isolation mode issues can be a bit tricky to resolve 🙂

Here below, add the domain admin account and make sure you click on Browse to select the user account rather than typing it manually. I have a reason for asking that.

Create virtual directories for each of the domain accounts that will be used for accessing the FTP site. Be sure to name the virtual directory identically to the username of the user who will be logging in. For instance, the user account User1 will need a virtual directory named User1. Please remember that it is not a must to have a separate virtual directory for all the users under the root FTP site. Based on the commands mentioned below, users will be automatically taken to their respective folders and they need not have a virtual directory created under the FTP site.

Then, Run the IISFTP.vbs script as below:

In a command prompt, navigate to C:\windows\system32 and run the VBScript iisftp.vbs twice (with different arguments shown below) for each user that will need access to the FTP site. This will do the necessary changes to the user account in AD’s LDAP database.

[Words underlined are your variables]

For user1:

C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser1 ftproot C:\ftproot\adroot

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

The value of ftproot for user domainuser1 has been set to C:\ftproot\adroot

C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser1 ftpdir  folder1

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

The value of ftpdir for user domainuser1 has been set to folder1

[Remember in the above command for ftpdir you need to set the folder name for the user account and not the complete path i.e. although the user’s directory is set to C:\ftproot\adroot\folder1, you should mention “folder1” in the command as mentioned above and not the complete path].

ftproot specifies the complete path for the parent folder (root) and ftpdir specifies the name of the user’s folder. Here if you had a remote UNC share for the FTP contents you can change the command to, Cscript iisftp.vbs /setadprop domainuser1 ftproot \\ftpserver\ftproot\adroot

Similarly for user2:

C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser2 ftproot C:\ftproot\adroot    <— [It can be a different location other than the ftproot for user1]

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

The value of ftproot for user domainuser2 has been set to C:\ftproot\adroot

C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser2 ftpdir folder2

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

The value of ftpdir for user domainuser2 has been set to folder2

Now before you try accessing the site using account domain\username ensure that you have the necessary folder hierarchy in place as set up in the above commands, i.e. if you do not have an existing path C:\ftproot\adroot\folder1 you will get the following error message:

User Saurabh1\domainuser1 cannot log in, home directory inaccessible.

Login failed.

Also in an AD isolation mode you won’t see the option to allow anonymous connections. Check the difference between an AD isolated site and a non-AD isolated site. Notice the number of tabs in each.

If you already have an FTP site and you don’t know the isolation mode for it you can open the metabase.xml file from C:\windows\system32\inetsrv and search for the tag UserIsolationMode and check its value.

FTP site having mode as:

  • Do not isolate users (this is same as the only mode available in IIS 5.0) ———> will have UserIsolationMode set to 0
  • Isolate users (this is applicable for local as well as domain users)   ———–> will have UserIsolationMode set to 1
  • Isolate users using Active Directory (also called Active directory user isolation mode, applicable only for Active directory users)  —–> will have UserIsolationMode set to 2.

Checklist:

When you try to visit an AD isolated FTP site from a command prompt, you may receive the following error message:

530 User <Domain>\<UserName> cannot log in, home directory inaccessible.
Login failed.

This problem can occur because of any one of the following reasons:

  • The msIIS-FTPDir or msIIS-FTPRoot properties for the User Account that is trying to access the FTP site are not configured in the Active Directory.
    Make sure that msIIS-FTPDir and msIIS-FTPRoot properties for the user account are configured properly. To do this, open up a command prompt on the IIS server and browse to C:\Windows\system32 folder. Run the following commands:

C:\WINDOWS\system32>cscript iisftp.vbs /GetADProp username FTPRoot
C:\WINDOWS\system32>cscript iisftp.vbs /GetADProp username FTPDir

If a valid FTPDir and FTPRoot are returned as a result of these commands, the properties are set correctly. The actual path of the user's folder will be FTPRoot\FTPDir. If the result of either of the commands is something like

The value of FTPDir for user is:
null

this means that the FTPDir and FTPRoot are not set correctly. You can set them as described earlier above.

  • The account that is set in the IIS Metabase as the ADConnectionsUserName key for the FTP site has a problem.

It may have been locked out or may not have enough permissions to query Active Directory. The password for the account connecting to AD, stored in ADConnectionsPassword, may be incorrect.

Make sure that the password is correct and that the account is not locked out. Also ensure that the account configured here has enough permissions to query Active Directory.

To check the username and password set in the metabase, run the following commands:

C:\Inetpub\AdminScripts> Cscript adsutil.vbs get msftpsvc//ADConnectionsUserName

C:\Inetpub\AdminScripts> Cscript adsutil.vbs get msftpsvc//ADConnectionsPassword

[You may find the password masked, shown as ************. In such a case you need to modify the adsutil.vbs file to get the exact password. Open Adsutil.vbs in Notepad from the above location and search for the function "IsSecureProperty(ObjectParameter,MachineName)".

In this function IsSecureProperty(ObjectParameter,MachineName), you will find the following code:

Function IsSecureProperty(ObjectParameter,MachineName)
    On Error Resume Next
    Dim PropObj,Attribute
    Set PropObj = GetObject("IIS://" & MachineName & "/schema/" & ObjectParameter)
    If (Err.Number <> 0) Then
        ReportError ()
        WScript.Echo "Error trying to get the property: " & err.number
        WScript.Quit (Err.Number)
    End If
    Attribute = PropObj.Secure
    If (Attribute = True) Then
        IsSecureProperty = True              ' <-------- highlighted line
    Else
        IsSecureProperty = False
    End If
End Function

In the highlighted line above, change the value to False, save, and rerun the adsutil.vbs command; you should now see the actual password.]

Please refer to the link given below.

http://technet.microsoft.com/en-us/library/cc782944%28WS.10%29.aspx

FTP AD Isolation Setting on an IIS7 server-:

On w2003 IIS6 server you can use the iisftp.vbs script to set and get ftp AD properties FTPRoot (DS_msIIS_FTPRoot) and FTPDir (DS_msIIS_FTPDir) from a command line.

On w2008 IIS7 I can’t find this script.

There is a utility made by rakkimk: FTPADPropSetting, you can find it at http://blogs.msdn.com/rakkimk/archive/2008/06/04/iis7-command-line-tool-managed-to-set-ftp-properties-in-active-directory.aspx

Rakkimk has also a GUI for this (at http://blogs.msdn.com/rakkimk/archive/2007/11/28/iis7-ui-module-for-setting-ftp-active-directory-user-isolation-properties.aspx ) but I did not succeed in getting this work.

I could install the iisftp.vbs script as follows:

Copy the files iisftp.vbs, iisschlp.wsc and cmdlib.wsc from c:\windows\system32\dllcache on a w2003 IIS6 server to your w2008 IIS7 FTP7 server.

Both *.wsc files need to be registered; do this with these commands:

regsvr32 /i:"cmdlib.wsc" %SystemRoot%\system32\scrobj.dll        (if the command does not run, copy cmdlib.wsc to c:\windows\system32 first)

and

regsvr32 /i:"IIsScHlp.wsc" %SystemRoot%\system32\scrobj.dll     (if this command fails with a regsvr32 error, use this command instead: "C:\Windows\SysWOW64\regsvr32.exe cmdlib.wsc")
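As an added example (not the blog's own code), the PowerShell below does what the two iisftp.vbs /setadprop calls above do and adds the check behind the "home directory inaccessible" error from the checklist. It writes the same two AD attributes the post names, msIIS-FTPRoot and msIIS-FTPDir, with the ActiveDirectory module (RSAT), so it also covers the w2008 case where iisftp.vbs is missing. The user name and paths are constructed sample values.

```powershell
# Added example: set and verify the FTP AD isolation attributes with the ActiveDirectory module.
# Run on a machine with RSAT; Test-FtpIsolationProperty should be run on the FTP server itself,
# because the folder check must see the same path the FTP service will resolve.
Import-Module ActiveDirectory

function Set-FtpIsolationProperty {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$FtpRoot,   # complete path of the parent folder: C:\ftproot\adroot or \\ftpserver\ftproot\adroot
        [Parameter(Mandatory)][string]$FtpDir     # folder NAME only (folder1), never the complete path
    )
    # Same rule the post stresses for iisftp.vbs: ftpdir is a name, not a path
    if ($FtpDir -match '[\\/:]') {
        throw "FtpDir must be a folder name, not a path: '$FtpDir'"
    }
    # -Replace writes the attribute whether or not it already exists (equivalent of /setadprop ... ftproot / ftpdir)
    Set-ADUser -Identity $SamAccountName -Replace @{
        'msIIS-FTPRoot' = $FtpRoot
        'msIIS-FTPDir'  = $FtpDir
    }
}

function Test-FtpIsolationProperty {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Equivalent of /GetADProp username FTPRoot / FTPDir
    $u    = Get-ADUser -Identity $SamAccountName -Properties 'msIIS-FTPRoot','msIIS-FTPDir'
    $root = $u.'msIIS-FTPRoot'
    $dir  = $u.'msIIS-FTPDir'

    # The FTP service resolves the home directory as FTPRoot\FTPDir
    $homeDir = if ($root -and $dir) { Join-Path $root $dir } else { $null }

    # Either unset attributes or a missing folder produce "530 ... home directory inaccessible"
    $status = if (-not $homeDir) {
        'attributes not set (iisftp.vbs /GetADProp would report null)'
    } elseif (-not (Test-Path -LiteralPath $homeDir -PathType Container)) {
        "home directory missing on disk: $homeDir"
    } else {
        'OK'
    }

    [pscustomobject]@{
        User          = $SamAccountName
        FtpRoot       = $root
        FtpDir        = $dir
        HomeDirectory = $homeDir
        Status        = $status
    }
}

# Constructed sample values, mirroring user1 from the post
Set-FtpIsolationProperty -SamAccountName 'user1' -FtpRoot 'C:\ftproot\adroot' -FtpDir 'folder1'
Test-FtpIsolationProperty -SamAccountName 'user1' | Format-List
```

Run Test-FtpIsolationProperty for every account on the checklist before users report the 530 error; a non-OK status names which of the two causes applies.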

Thanks

Manish Kumar

This error is a generic IIS error, produced so that potential users don't get detailed information on the site's architecture.

In order for me to get more details on the actual issue, the site needs to be set to development mode. To do this you need to find the file ss_environment.php in the parent directory of the web root and change the first line of this config to say 'dev' rather than 'live'.

After you have done this, you should try re-building the site’s database. Do this by appending /dev/build/?flush=all to the end of the beta site’s URL.

You should get a page similar to screenshot-1.png (attached).

Once this has happened, then try re-visiting the homepage. If you still get an error please screen shot it and then send that over. I will have a look.

Once you have done all this, please ensure that you set ss_environment.php config back to ‘live’, this is VERY important.

It now appears that it is affecting every computer in this Domain. So far I have been unable to install Office 2003, Group Policy Management Console, MS Installer Cleanup Utility, Financial Edge, and Raiser's Edge. On the workstations it seems that the following registry key has been modified.

HKLM\Software\Policies\Microsoft\Windows\Installer\disableMSI

The value on the workstations is set to 2.

This value is not present on my servers. When I change the value on the workstations from 2 to 0 I am then able to install whatever I like.

I have added the disableMSI key to a server and made the value 0 but I am still unable to install anything.

Regards,

MK