Thursday, July 26, 2012

Unable to Filter Get-ADUser Based on Distinguished Name

When you are using the Get-AD* cmdlets to generate a list of users or other objects, it is a best practice to use the Filter parameter. When you use the Filter parameter, you pass a filter directly to Active Directory when you run the cmdlet. This is more efficient than retrieving a large list of objects and then filtering them with Where-Object.

I was working through a query with Get-ADUser that would obtain a list of all disabled users from Active Directory except for two or three OUs. To do this, I was trying to use the Filter parameter as shown below.
Get-ADUser -Filter {(enabled -eq $false) -and (distinguishedname -notlike "*cn=users,dc=contoso,dc=com")}

Looks good, right? Unfortunately, the filtering based on the distinguished name didn't work. It turns out that you cannot use wildcards when filtering based on the distinguished name. I also tried using the CanonicalName property, but it is a calculated property generated by Get-ADUser. So, CanonicalName cannot be used for a filter. The answer is to use Where-Object.
Get-ADUser -Filter * | Where-Object {($_.enabled -eq $false) -and ($_.distinguishedname -notlike "*cn=users,dc=contoso,dc=com")}

Note that a standard OU would start with ou= rather than cn=. Both the Users container and the Computers container are technically not OUs.
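
The original goal was to exclude two or three OUs, so here is an added example (not code from the original post) that keeps the Enabled test in the server-side filter and does only the distinguished name test on the client. The function name Select-OutsideContainer, the "Service Accounts" OU and the sample objects are hypothetical and constructed for illustration.

```powershell
# Containers to exclude. Constructed values for the contoso.com domain used in the post.
$excludedContainers = @(
    'CN=Users,DC=contoso,DC=com',
    'OU=Service Accounts,DC=contoso,DC=com'   # hypothetical OU
)

function Select-OutsideContainer {
    # Passes through objects whose DistinguishedName is not under any excluded container.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject,
        [Parameter(Mandatory)] [string[]] $Exclude
    )
    process {
        $dn = [string]$InputObject.DistinguishedName
        foreach ($container in $Exclude) {
            # Suffix match on ",<container DN>": no wildcards needed, case-insensitive.
            if ($dn.EndsWith(",$container", [StringComparison]::OrdinalIgnoreCase)) { return }
        }
        $InputObject
    }
}

# Constructed sample objects so the function can be tried without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   DistinguishedName = 'CN=J Doe,OU=Sales,DC=contoso,DC=com' }
    [pscustomobject]@{ SamAccountName = 'guest';  DistinguishedName = 'CN=Guest,CN=Users,DC=contoso,DC=com' }
    [pscustomobject]@{ SamAccountName = 'svcsql'; DistinguishedName = 'CN=svcsql,ou=service accounts,dc=contoso,dc=com' }
)
$sample | Select-OutsideContainer -Exclude $excludedContainers

# Against a live domain: filter Enabled on the server, the DN on the client.
# Get-ADUser -Filter 'Enabled -eq $false' |
#     Select-OutsideContainer -Exclude $excludedContainers |
#     Select-Object SamAccountName, DistinguishedName
```

Compared with -Filter *, this returns only disabled accounts from the domain controller, which matters in a large directory.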

Tuesday, July 24, 2012

Query Recently Created Mailboxes or Users

You may at some point have a need to query recently created mailboxes. This script queries mailboxes created within the last seven days.

$date = (Get-Date).AddDays(-7)
Get-Mailbox -Filter {WhenCreated -gt $date}
The logic of the script is this:
  • Set the variable $date equal to the current date minus 7 days.
  • Get a list of mailboxes with a WhenCreated attribute greater than the date 7 days ago
You can use the same basic structure for other objects such as Active Directory users by substituting the Get-ADUser cmdlet for the Get-Mailbox cmdlet.

Get-ADUser -Filter {WhenCreated -gt $date}
Update (Dec 2015):
The above syntax actually doesn't work. Not sure how I missed it when I first wrote the post. Today when I was writing a script using this syntax, it returned all mailboxes no matter what. So, the $date variable wasn't being properly evaluated. I'm leaving the above example so that people can see what syntax not to use.

Use the following syntax instead:
Get-Mailbox -Filter "WhenCreated -gt '$date'"
Apparently when building a filter with a variable, you need to enclose the whole filter in double quotes and the variable in single quotes. This syntax worked properly for me.

Wednesday, July 18, 2012

Virus Created Its Own Partition

I ran into a first yesterday. As seems to happen on a somewhat regular basis, a client had a virus-infected computer. One of the tools I normally rely on is TDSSKiller.exe from Kaspersky. It removes most rootkits that infect the boot sector of a hard drive, and it is one of the few that checks the boot sector of non-boot drives. So, you can use it when a drive is externally attached.

In this case, TDSSKiller.exe identified Rootkit.boot.SST.b. When the software attempted to clean it, it didn't display any errors, but if you looked at the log it indicated that it couldn't be cleaned.

Some web sites suggested downloading Kaspersky Rescue Disk to remove it. This is a bootable Linux CD/USB image. Basically, it accomplishes the same thing as placing the drive in an external case. It prevents any malware on the drive from loading in the boot process. This tool also found the rootkit, but couldn't remove it.

I also tried booting up in the XP recovery console and using FixMBR, which appeared to work, but the rootkit was still there.

The final fix was referenced by a few web sites. This rootkit created its own partition that it inserted into the boot process. None of the repair tools understood the boot process and therefore could not repair it.

On this computer, the OS partition was 40 GB and a 100 MB partition was created after that. The 100 MB partition was marked active and therefore was used to start the boot process. When viewed from within Disk Management, the partition type was unknown. The fix was to remove the extra 100 MB partition and then mark the OS partition as active. After this, the rootkit was gone.

Based on reading other web sites, the size of this partition may vary. I saw references to a small partition that is only a few MB. I'm guessing the virus authors changed it to be 100 MB to make it confusing with the 100 MB partition used by Windows Vista and Windows 7. Also, I can only assume that a larger partition provides more space to hide malware that is introduced during the boot process.
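
The layout described above can be checked directly from the MBR partition table. This added example (not from the original post) decodes the four primary entries and reports an active partition whose type is not one Windows normally boots from. The sample sector is constructed to match the 40 GB plus 100 MB layout, and the type value 0xDA is a placeholder for "unknown", not a value taken from the rootkit.

```powershell
function Get-MbrPartition {
    # Decodes the four primary partition entries of a 512-byte MBR sector.
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -lt 512 -or $Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) {
        throw 'Not an MBR sector: 0x55AA signature missing.'
    }
    foreach ($slot in 0..3) {
        $o = 446 + 16 * $slot                      # offset of this table entry
        if ($Sector[$o + 4] -eq 0) { continue }    # type 0x00 = unused slot
        [pscustomobject]@{
            Slot     = $slot + 1
            Active   = $Sector[$o] -eq 0x80        # boot indicator byte
            Type     = '0x{0:X2}' -f $Sector[$o + 4]
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            SizeMB   = [math]::Round([double][BitConverter]::ToUInt32($Sector, $o + 12) * 512 / 1MB)
        }
    }
}

# Constructed sample sector: 40 GB NTFS partition (not active), then an active
# 100 MB partition with placeholder type 0xDA.
$mbr = New-Object byte[] 512
$mbr[510] = 0x55; $mbr[511] = 0xAA
$entries = @(
    @{ Status = 0x00; Type = 0x07; Start = 63;       Sectors = 83886080 },
    @{ Status = 0x80; Type = 0xDA; Start = 83886143; Sectors = 204800 }
)
for ($i = 0; $i -lt $entries.Length; $i++) {
    $o = 446 + 16 * $i
    $mbr[$o] = $entries[$i].Status; $mbr[$o + 4] = $entries[$i].Type
    [BitConverter]::GetBytes([uint32]$entries[$i].Start).CopyTo($mbr, $o + 8)
    [BitConverter]::GetBytes([uint32]$entries[$i].Sectors).CopyTo($mbr, $o + 12)
}

# Assumption: on a BIOS/MBR Windows install the active partition is a FAT or
# NTFS type; anything else marked active deserves a closer look.
$bootableTypes = '0x06', '0x07', '0x0B', '0x0C', '0x0E'
function Test-MbrActivePartition {
    param([Parameter(Mandatory)][byte[]]$Sector)
    $active = @(Get-MbrPartition -Sector $Sector | Where-Object { $_.Active })
    if ($active.Length -ne 1) { return "Expected exactly one active partition, found $($active.Length)" }
    $p = $active[0]
    if ($bootableTypes -notcontains $p.Type) {
        return "Active partition in slot $($p.Slot) has unexpected type $($p.Type) ($($p.SizeMB) MB)"
    }
    "Active partition in slot $($p.Slot) looks normal ($($p.Type), $($p.SizeMB) MB)"
}
Get-MbrPartition -Sector $mbr | Format-Table
Test-MbrActivePartition -Sector $mbr
```

The legitimate 100 MB System Reserved partition on Windows Vista and Windows 7 is an active NTFS partition and passes this check, so treat the type test as a heuristic and compare the layout against what the machine was built with.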

After removing the rootkit, there was still a bunch of other malware that I removed with MalwareBytes and SuperAntiSpyware. In the end the only thing lost was some Start Menu shortcuts.

Realistically, I should have just wiped it and rebuilt it, but after putting in an hour or so, it became competitive and I just wanted to win.

Tuesday, July 17, 2012

Exchange 2013 Preview Released

Microsoft has publicly released Exchange 2013 Preview for download. I'll try to review some of the more interesting new features over the next few weeks. However, for those of you that like to play.

Exchange 2013 Preview download:
Exchange 2013 Preview resources:
 Exchange 2013 online help:
I shouldn't need to say this, but do not deploy this software in a production environment. This software is for testing only. Who knows what these schema extensions impact when you want to deploy the release version of the product.

Multi-Mailbox Search No Longer Requires Enterprise CAL

The licensing for Exchange 2010 has been changed to allow multi-mailbox search with standard CALs instead of enterprise CALs. Previous to this change any mailbox searched with multi-mailbox search required an enterprise CAL.

This is a pretty big deal for a few reasons. First, it's handy to use multi-mailbox search when recovering items for single item recovery. Much nicer interface than straight PowerShell. Secondly, it's also nice when a user complains that they've lost a message and you can go and search their mailbox without connecting directly to their mailbox.

You still need an enterprise CAL for personal archives, legal hold, per user/group journaling, and custom retention policies.

The Exchange 2010 licensing page ( has been updated to show the change.

Friday, July 13, 2012

SBS 2008 RWW Error 50331688

I recently updated the certificate for OWA on an SBS 2008 installation. That went fine and I deleted the old certificate. A few weeks later, we were informed that Remote Web Workplace was not working. When users attempted to connect to their computer they got a JavaScript dialog box with error 50331688.

The cause of the issue is a certificate not being installed for the Terminal Services gateway. The Terminal Services gateway is used by RWW. The fix is to select a valid certificate and then all is good.

To fix the issue:
  1. Open TS Gateway Manager from Administrative Tools.
  2. In the left pane, right-click the server and click Properties.
  3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption and click Browse Certificates.
  4. Select a valid certificate and click Install.
  5. Click OK to close the properties of the server.
All done. It should begin working immediately.

Thursday, July 12, 2012

How to Join Dell ISO Files

Apparently a few years back, Dell started splitting large ISO files into smaller pieces to make downloading easier. The page I was downloading from said they needed to be joined, but did not provide the instructions.

Here are the instructions for joining two DVD files (OM_6.5.0_SMTD_A01.iso.001 and OM_6.5.0_SMTD_A01.iso.002):
  1. Place the files to be joined in a separate folder.
  2. Open a command prompt and change to the folder containing the files.
  3. At the command prompt, type copy /b om* OM_650_SMTD_A01.iso and press Enter.
This copies the two existing files into a single new file. Based on the file names, they should be selected in the correct order. However, if they are not, you can use this modified command that specifies the order:
copy /b OM_6.5.0_SMTD_A01.iso.001+OM_6.5.0_SMTD_A01.iso.002 OM_650_SMTD_A01.iso

Tuesday, July 10, 2012

Exchange 2010 Backups - The Details

The Exchange Team has posted a nice series of blog articles about the details of backing up Exchange Server 2010. The articles discuss exactly how VSS backups work, backups of active database copies, and backups of passive database copies.

The articles are here:

Exchange 2010 Mailboxes Quarantined Randomly

If you downloaded the most recent version ( of the Exchange 2010 Management Pack released in June of 2012, it can cause mailboxes to be randomly quarantined. As of June 27th, the Management Pack has been pulled and will be released again when it is fixed.

If you have already installed this management pack, there are some workarounds to disable the function that is quarantining the mailboxes.

Information about version of the management pack:
Information about the problem and workarounds if you've installed it:

Friday, July 6, 2012

HP LaserJet Pro 400 MFP M425 Scans All Black

One of our guys was on site today installing a new HP M425 for a client. He unpacked the printer and everything worked great except for the scanning. All scanning was 100% black.

He rechecked the whole unit and there was no packing material blocking the scanner. Nothing left to do but call HP support.

HP support had him flash the firmware to the latest version and scanning began to work fine. Very very weird. I would never have guessed in a million years.

User Sending as Multiple Email Addresses

Many organizations want a single user to have multiple email addresses and would like the user to be able to select which email address to send as. In Exchange 2010 (and earlier versions) it's very easy to add multiple email addresses for a user. However, the sending is a problem.

When multiple email addresses have been configured for a user, only one email address can be set as the primary/Reply To address. The primary address is the From address when sending a message. The user cannot select an alternate From address from their list of addresses.

You can buy commercial software that enables this functionality ( However, for the cheap (ahem, cost sensitive) among us there is a workaround.

  1. For any secondary address you want to assign to a user, create a distribution group with that address.
  2. Make the user the only member of that group.
  3. Assign the user Send As permission for the group.
It's not very scalable, but easy to do.

Enable Remote Management for Windows 7

Windows 7 is more secure than Windows XP. That is a good thing. However, it's also annoying when you want to remotely manage a domain joined computer and it's not allowed by default.

Windows Firewall in Windows 7 does not allow remote management even on domain joined computers. You need to create the exceptions that allow remote management of Windows.

You generally want to:
  • Allow ping. I'd like to see if the computer is up or not.
  • Connect with Remote Desktop. It's nice to fix up desktop computers without going on site.
  • Connect with Computer Management. Nice to see event logs remotely without logging on.
  • Connect to the registry remotely. Nice to do reg edits without logging on locally and bothering the customer.
In SBS 2011, much of this is done automatically by a Group Policy object created during installation. However, if you are using a normal edition of Windows Server then you need to make the Group Policy object yourself.

A blog post ( by David Stein provides the details on how to do it. He lists the specific Group Policy settings to enable and configure. And if you are not familiar with the Group Policy Management Console, he also provides some detailed steps on how to use it.

Thursday, July 5, 2012

Installing SQL 2005 on Windows 2008 R2

As part of a performance test for an application at a client, we needed to set up a temporary server running Windows Server 2008 R2 and SQL Server 2005. When you install SQL 2005, it indicates that IIS must be installed. Back in Windows Server 2003 this was easy because IIS was installed as a single lump. Starting in Windows Server 2008, IIS is installed as multiple role services. This makes it difficult to determine which role services are required.

Here is a list of the IIS 7 role services that must be installed for SQL 2005:
  • Common HTTP Features
    • Static Content - Common HTTP Features
    • Default Document
    • HTTP Redirection
    • Directory Browsing
  • Application Development
    • ASP.NET
    • ISAPI Extension
    • ISAPI Filters
  • Security
    • Windows Authentication
  • Management Tools
    • IIS Metabase
    • IIS 6 WMI