Category Archives: Microsoft

All Microsoft Products (Exchange, SQL, Windows, Server)

Exchange 2007 Self-Signed Certificate

This will probably never come up in my ventures as the Administrator here at my job, but it has come up with one of our customers. They do not have a Certificate Authority (CA) and do not pay for an outside certificate. They also use Exchange 2007. I’m not privy to all the ins and outs of their network, but they’re a standard small business with 4 or 5 servers. And it’s been 53 weeks since they installed Exchange 2007.

Why is 53 a number you should scoff at? Every 52 weeks (365 days, 12 months, 1 year, 1/10th of a decade…) you have to renew the self-signed certificate that Exchange 2007 issues itself at setup, because it is only valid for one year. Why do you even need a certificate? It is what every TLS connection to the server is built on, and anything that is even remotely secured uses TLS: Outlook's Autodiscover, Exchange Web Services and Outlook Anywhere connections, OWA, ActiveSync and TLS on SMTP. Once the certificate has expired, Outlook throws certificate warnings at every start, Outlook Anywhere and ActiveSync clients stop connecting, and TLS-protected SMTP sessions fail. Not good. I'm not sure why their server lasted 53 weeks and not 52, but maybe the guy got it wrong (he's fairly technical though).

Here's a quick and easy way of renewing your certificate:
1.) On your Exchange 2007 server, open the Exchange Management Shell.
2.) Type Get-ExchangeCertificate and hit enter. This lists all installed certificates.
Get-ExchangeCertificate | fl * shows everything about the installed certificates.
Get-ExchangeCertificate | fl Services,Thumbprint,NotAfter shows only the services, the thumbprint and the expiry date for each certificate, which is all you need for the next steps.
3.) Type Get-ExchangeCertificate -Thumbprint thumbprint_of_old_cert | New-ExchangeCertificate. This clones the subject and domain names of the old certificate into a new self-signed one with a new key pair and a fresh one-year validity, and prints the new thumbprint.
4.) Type Enable-ExchangeCertificate -Thumbprint thumbprint_of_new_cert -Services "IMAP,POP,SMTP,IIS". Answer Y when Exchange asks whether to overwrite the default SMTP certificate.
5.) Test the services (Outlook Anywhere, OWA, ActiveSync, SMTP TLS) before you touch the old certificate.
6.) Remove the old certificate: Remove-ExchangeCertificate -Thumbprint thumbprint_of_old_cert
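Steps 2 to 6 above as one Exchange Management Shell script, added here as an example and not code from the original post. It only touches self-signed certificates (Issuer equal to Subject) that expire within a window and that are bound to at least one service; the 30-day window and the -RemoveOld switch are this example's own choices.

```powershell
# Added example (not from the original post): renew expiring self-signed
# Exchange 2007 certificates. Run in the Exchange Management Shell.
param(
    [int]$DaysLeft = 30,      # assumption: renew anything expiring inside 30 days
    [switch]$RemoveOld        # only delete the old certificate when asked to
)

$cutoff = (Get-Date).AddDays($DaysLeft)

# Self-signed certificates issued by Exchange have Issuer == Subject.
$expiring = Get-ExchangeCertificate | Where-Object {
    $_.Issuer -eq $_.Subject -and
    $_.NotAfter -lt $cutoff -and
    "$($_.Services)" -ne 'None'
}

if (-not $expiring) {
    "No self-signed certificate bound to a service expires before $($cutoff.ToShortDateString())."
    return
}

foreach ($old in $expiring) {
    "Renewing {0} (thumbprint {1}, expires {2:yyyy-MM-dd}, services {3})" -f `
        $old.Subject, $old.Thumbprint, $old.NotAfter, $old.Services

    # Step 3: piping the old certificate into New-ExchangeCertificate clones its
    # subject and domain names into a new self-signed certificate with a new
    # key pair and a fresh one-year validity.
    $new = $old | New-ExchangeCertificate

    # Step 4: bind the same services the old certificate served. Exchange
    # prompts before replacing the default SMTP certificate; answer Y.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services

    # Step 5: confirm the binding actually moved before anything is removed.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if ("$($check.Services)" -eq 'None') {
        throw "New certificate $($new.Thumbprint) has no services bound; old one left in place."
    }
    $check | Format-List Subject, CertificateDomains, NotAfter, Services

    # Step 6: only on request, and only after the check above passed.
    if ($RemoveOld) {
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
    }
    else {
        "Old certificate $($old.Thumbprint) kept; rerun with -RemoveOld once Outlook Anywhere, OWA, ActiveSync and SMTP TLS have been tested."
    }
}
```

Run it once without -RemoveOld, test the clients, then run it again with -RemoveOld; the old certificate stays usable in between, so a client that still trusts only the old thumbprint keeps working until you are ready.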

You'll have to do this every year if you use the self-signed certs. If you use a CA, the issued certificate will last anywhere from 1 to 5 years, depending on the template. You can also use your internal CA to issue new signed certificates: request one with the standard Web Server template, then use the Exchange Management Shell to add the services to the new certificate (Enable-ExchangeCertificate -Thumbprint thumbprint -Services "IMAP,POP,SMTP"). You can leave out IIS since it *should* already be there.

**** EDIT ****

New-ExchangeCertificate -SubjectName "DC=domain, DC=com, CN=server.domain.com" -DomainName server.domain.com,mail.domain.com -IncludeAcceptedDomains -IncludeAutoDiscover -Services "SMTP" -PrivateKeyExportable $true
This creates a new self-signed certificate whose Subject Alternative Names cover every domain Exchange uses: all accepted domains plus autodiscover.<domain> for each of them. You can also list other names with -DomainName, such as mail.domain.com or webmail.domain.com. -PrivateKeyExportable $true is what makes the PFX export further down possible. Note that this line enables the certificate for SMTP only; the other services are added with Enable-ExchangeCertificate.

Get-ExchangeCertificate
Get-ExchangeCertificate | FL
These allow you to find the thumbprint of the certificate you created.

Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services SMTP,IMAP,POP,IIS
This will turn on the services for your thumbprinted certificate. Obviously you can choose which services to allow.

Export-ExchangeCertificate -Thumbprint THUMBPRINT -BinaryEncoded:$true -Path C:\SSCert.pfx -Password:(Get-Credential).password
This exports the certificate together with its private key as a PFX file, protected by the password you type at the prompt. Keep that file for server backup and restore only: anything that carries the private key must never be pushed out to users, since whoever has it can impersonate your Exchange server. To make clients trust the self-signed certificate, distribute only the public certificate (a .cer file) and install it in their Trusted Root Certification Authorities store, for example through Group Policy. Check for root certificate installations for other details.
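The safe way to produce that distributable file, as an added example rather than code from the original post: export the public half of the certificate only and verify the result carries no key before it goes anywhere. THUMBPRINT and the output path are placeholders.

```powershell
# Added example (not from the original post): export only the public
# certificate for client trust; the private key stays in the server's store.
$Thumbprint = 'THUMBPRINT'        # placeholder: thumbprint from Get-ExchangeCertificate
$OutFile    = 'C:\SSCert.cer'     # placeholder output path

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint on this server" }

# X509ContentType.Cert serialises the certificate alone as DER. Unlike the
# Pfx content type it has no way to include the private key.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Read the file back and prove it is key-free and the certificate we meant.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
if ($check.HasPrivateKey)                   { throw "$OutFile contains a private key; do not ship it" }
if ($check.Thumbprint -ne $cert.Thumbprint) { throw "$OutFile is not certificate $Thumbprint" }
"Wrote public certificate for {0}, valid until {1:yyyy-MM-dd}" -f $check.Subject, $check.NotAfter

# Clients need it in Trusted Root Certification Authorities, either through a
# Group Policy certificate import or per machine with:
#   certutil -addstore -f Root C:\SSCert.cer
```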

OR, if you have your own Certificate Authority:

New-ExchangeCertificate -GenerateRequest -SubjectName "o=My, o=Site, cn=MyServer.MyDomain.com" -IncludeAcceptedDomains -Path c:\MyServer.MyDomain.com.req
(Add -DomainName and -IncludeAutoDiscover as in the self-signed example above if the request needs more names than the accepted domains.)

Open this file using Notepad or the like, and copy everything from the BEGIN line to the END line of the request.
Now log into your Certificate Authority
http://CAServer/certsrv
Click Request a certificate
Submit an advanced certificate request
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Paste the certificate information from earlier
Change the Certificate Template to Web Server
Click submit

You should now have a certificate issued. You'll probably want to download it, so select Base 64 encoded and download the certificate. I always choose to download the certificate chain (the "full path", which carries the CA certificates too) AND the certificate itself.

Copy your newly issued/downloaded certificate to your Exchange server.
Import-ExchangeCertificate -Path c:\2009mycert.cer | Enable-ExchangeCertificate -Services SMTP,POP,IMAP,IIS

If there is already a default certificate on the server, you'll notice that the SMTP and IIS bindings DO NOT STAY on the new certificate after the import.
You'll have to:
Enable-ExchangeCertificate -Thumbprint MYTHUMBPRINT -Services SMTP,IIS
Exchange asks whether you want to overwrite the current default SMTP certificate; answer Y for yes.
You're done!
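The CA-issued flow end to end, as an added example and not the post's own code: it replaces the certsrv web pages with certreq.exe (shipped with Windows) so the request, submission, import and binding all happen from the Exchange 2007 shell. The server name, the CA's "host\CA name" config string and the file paths are placeholders; WebServer is the template the walkthrough uses.

```powershell
# Added example (not from the original post): request, submit, import and
# bind a CA-issued certificate for Exchange 2007 without the certsrv pages.
$Server   = 'MyServer.MyDomain.com'                 # placeholder
$CAConfig = 'CAServer.MyDomain.com\MyDomain-CA'     # placeholder: "host\CA name" as shown in the CA console
$ReqFile  = "C:\$Server.req"
$CerFile  = "C:\$Server.cer"

# 1. Generate the PKCS#10 request. Every name clients connect to must be a
#    SAN, or they get a name-mismatch warning even though the CA is trusted.
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$Server" `
    -DomainName $Server, 'mail.MyDomain.com' -IncludeAcceptedDomains -IncludeAutoDiscover `
    -PrivateKeyExportable $true -Path $ReqFile

# 2. Submit against the Web Server template. A CA that requires manager
#    approval holds the request and prints a RequestId; approve it on the CA,
#    then fetch it with  certreq -retrieve <RequestId> <CerFile>  and resume at step 3.
& certreq.exe -submit -config $CAConfig -attrib 'CertificateTemplate:WebServer' $ReqFile $CerFile
if (-not (Test-Path $CerFile)) {
    throw "No certificate was written to $CerFile; check the request on $CAConfig."
}

# 3. Import pairs the issued certificate with the private key that
#    -GenerateRequest left in the local machine store and returns the object.
$cert = Import-ExchangeCertificate -Path $CerFile

# 4. Bind the services (Exchange prompts before replacing the default SMTP
#    certificate; answer Y), then check the chain validates (Status) before
#    you remove the old self-signed certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP,POP,IMAP,IIS
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Issuer, NotAfter, Status, Services
```

The request must be generated and imported on the same server: the private key created in step 1 never leaves the machine, and the issued certificate is useless anywhere that key is not.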

Forgotten Passwords

I can’t tell you the number of people that come up to me and ask if I can retrieve their password. For certain devices I can either reset the password or I can figure out a way to reset the password. Several websites give options to reset your password. Several Instant Messaging programs give the option to reset your password. I’m really just trying to see how many times I can type “reset your password”.

So here’s the lowdown on what can be reset, and a mostly “how-to” do it:

Mac OS 6.* – 8.5: If you set up a password you’re a fool. The OS doesn’t support native passwords and is a single user OS. You set one? Reformat and start from scratch. Or just live with it.
Mac OS 8.6 – 9.*: Read above. The OS was meant to be a single user Operating System, but somewhere along the line someone decided it would be a good idea to include basic password login protection. Usually a reboot will yield an “auto login” situation where you can change the preferences of a screen saver password. Otherwise you’ll have to reformat once again.
Mac OS X.*: Here’s the really easy part – Apple has included the utility to reset the password for you. It’s on the Apple Installation Disc. Don’t have the disc? You’ll have to download or buy one then. Have the disc? Boot off of it (press and hold C while turning on the computer), and then when you see a menu at the top of the screen click on Utilities. You’ll now see a “reset password” option. You can get the rest from there.

Windows 95/98: Press ESC instead of trying to login.
Windows ME: Burn your computer and that crappy Operating System and buy a new one.
Windows 2000/NT/XP/2003/Vista: Boot a Linux live CD (Knoppix should work) with a tool that can edit the SAM database and blank the Administrator password. One caveat: an offline reset on XP and later throws away the key that protects that account's EFS-encrypted files and saved credentials, so anything encrypted with EFS under that account is gone for good.

Ubuntu: Press ESC at the GRUB prompt, press E for edit, select the line that begins with kernel and press E again, go to the very end of the line and add “rw init=/bin/bash” without the quotes, press Enter and then B to boot. This drops you into a root shell without asking for any password, so type “passwd username” to reset that user's password. It works because a default install has neither a GRUB password nor disk encryption, which is also why physical access to such a box is as good as root.

A lot of people work in corporations with Active Directory Microsoft Windows computers. Here are a couple of things that people should know:
1.) Administrators do NOT know your password for your login to the computer. We can reset it, but we can't retrieve it (with normal means): Windows stores a hash of it, not the password itself.
2.) Administrators do NOT know your password for your personal chatting application. We, like EVERY OTHER PERSON, can go to the provider's website (i.e. yahoo.com/aim.com/msn.com) and have them send a reset password email to the registered email address.
3.) Administrators do NOT know the POP server or IMAP settings for your personal email. I actually block access to POP and IMAP so I don't have to hear this one daily.

Virus EXE Rundll32 Issue

I love it when people bring in their virus-laden machines for me to look at. They always come up with some silly excuse for why it’s not working or how it’s broken: “I let [insert name of child here] play on it the other day and now it’s running slow” or “I haven’t been able to use email for the last few months but thought nothing of it until the computer started deleting my files and randomly rebooting”. GOLD!

I’m usually pretty good at getting rid of a virus if it’s in the early stages. Adware, malware, popups, backdoor trojans, they’re all pretty easy to dispose of. Some of the hijack programs that take over the homepage for IE are pretty tough though.

The steps I go through are usually the same:
1.) MSconfig and remove all non-microsoft programs
2.) Install nod32 and kick the crap out of whatever was installed

A lot of the time, though, I'm not able to run any commands at all. Recently I couldn't open any EXE files on a system. Every launch went looking for rundll32.exe and didn't find it (windows\system32\rundll32.exe). So msconfig, Add or Remove Programs (control appwiz.cpl) and even System Information (Windows key + Pause/Break) didn't work. I couldn't even open cmd.exe without problems; lucky for me it was still an associated file type for EXE files.

So then, with the command line open:
1.) Download The EXE Registry Fix and import it into your registry
2.) SFC /scannow (this needs either the i386 folder or the Windows installation media so it can check that every protected Microsoft file is in place and put back the ones that aren't, rundll32.exe included)
3.) MRT (Microsoft's Malicious Software Removal Tool)
4.) msconfig and uncheck any non-Microsoft related items

Someone also told me that a broken .exe file association could have caused this. I didn't try it since importing the registry key alone worked, but here are the steps for that too:

1.) CMD
2.) assoc .exe=exefile (note the space: assoc takes the extension as its first argument)

Exchange 2007 Mailbox Statistics

If only Microsoft would realize that it's pretty easy to add a single column called "size of mailbox" to the GUI Exchange Management Console. Instead, we have to open up the Exchange Management Shell. Big deal.

Here’s the quick and easy way to list the name of the mailbox, size of said mailbox, and number of emails:
Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}},ItemCount

And apparently you can get it to email you if you write a script as follows:
###Send mailbox statistics script
###First, the administrator must change the mail message values in this section
$FromAddress = "MailboxReport@ngh.net"
$ToAddress = "administrator@ngh.net"
$MessageSubject = "Mailbox Size Report"
$MessageBody = "Attached is the current list of mailbox sizes."
$SendingServer = "e2k7.ngh.net"
###The report goes to a full path: a scheduled task does not start in the script's folder, so a relative ./mailboxes.txt is not found when it is time to attach it
$ReportPath = Join-Path $env:TEMP "mailboxes.txt"
###Now get the stats and store in a text file (the whole pipeline on ONE line; -Width stops Out-File from wrapping the table)
Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}},ItemCount -AutoSize | Out-File -FilePath $ReportPath -Width 200
###Create the mail message and add the statistics text file as an attachment
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object System.Net.Mail.Attachment($ReportPath)
$SMTPMessage.Attachments.Add($Attachment)
###Send the message; the Receive connector on $SendingServer must accept mail from this host for $FromAddress
$SMTPClient = New-Object System.Net.Mail.SmtpClient $SendingServer
$SMTPClient.Send($SMTPMessage)
###Release the file handle the attachment holds on the report
$SMTPMessage.Dispose()

But I couldn’t get it to actually attach the txt document.

EDIT!!!

11.11.2008

I got it to work – the problem was with a couple issues we had.

1.) In Windows PowerShell you must set an execution policy that allows scripts. Set-ExecutionPolicy Unrestricted does it, but RemoteSigned is enough for a local .ps1 and does not also let downloaded scripts run unprompted.
2.) I wrote a bat file to open this once a week:
C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command ". 'C:\sendstats.ps1'"
3.) I wrote a ps1 file to run the actual commands (see above for the code)
4.) If you get an error that Get-MailboxStatistics is not recognized, the Exchange snap-in isn't loaded; see if the following command helps (on Exchange 2010 the snap-in is called Microsoft.Exchange.Management.PowerShell.E2010 instead):
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
5.) MAKE SURE the Get-MailboxStatistics pipeline is all on one single line. I can't tell you how much word-wrap in Notepad screwed me out of 20 minutes of time.

***EDIT 05.23.2011***
So Exchange 2010 screwed me a little bit on this – it requires another flag:
Get-MailboxStatistics -server SERVERNAME | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}},ItemCount

You can use -Identity MAILBOXORUSERNAME, -Database DATABASEHERE, or -Server SERVERNAMEHERE. I chose server as it’s exactly what I needed.

Exchange 2007 Remove Disconnected Mailboxes

If you delete a user's mailbox on Exchange 2007, it will delete the user in Active Directory. It will not, however, delete the mailbox that was associated with the user. That mailbox becomes a disconnected mailbox, which stays in the database for the deleted-mailbox retention period (30 days by default) and in the meantime moves on to bigger and better things, namely taking up storage space on your Exchange server.

Quick and easy way:
On your Exchange server, open up the Exchange Management Shell
Get-MailboxStatistics | Where-Object { $_.DisconnectDate -ne $null } | Select DisplayName,MailboxGuid,DisconnectDate
This shows all the disconnected mailboxes with their MailboxGuid (which is needed to delete them) and when they were disconnected. If a mailbox you just deleted isn't listed yet, the store hasn't flagged it as disconnected; Clean-MailboxDatabase updates that.
Remove-Mailbox -Database [Database-Name] -StoreMailboxIdentity [MailboxGuid]
This purges a single mailbox from the database for good, so make sure nobody still needs its contents; until then a disconnected mailbox can be reattached to a user with Connect-Mailbox.

EDIT 11.13.2008:
You can run the Get-MailboxDatabase command to find out the name of the database and what server it resides on. The final delete command will be something like the following:
Remove-Mailbox -Database "servername\mailbox database" -StoreMailboxIdentity 2ae3c6f1-848e-4892-923c-614f9b3838f7
Then it will ask if you want to really remove the GUID from the database.
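The two steps above as one script, added here as an example rather than the post's own code: it reports every disconnected mailbox per database and purges only those disconnected for longer than a threshold, running as -WhatIf unless -Purge is given. The 30-day default is this example's assumption and should match your deleted-mailbox retention period. It works in the Exchange 2007 and 2010 shells (the 2010 requirement of naming a database is met by the loop).

```powershell
# Added example (not from the original post): report and purge disconnected
# mailboxes. Dry run by default; -Purge actually removes them.
param(
    [int]$OlderThanDays = 30,   # assumption: matches the retention period
    [switch]$Purge
)

$cutoff = (Get-Date).AddDays(-$OlderThanDays)

$disconnected = foreach ($db in Get-MailboxDatabase) {
    # A mailbox whose user was deleted minutes ago may not show a
    # DisconnectDate until store maintenance runs; this forces the update.
    Clean-MailboxDatabase -Identity $db
    Get-MailboxStatistics -Database $db |
        Where-Object { $_.DisconnectDate -ne $null } |
        Select-Object DisplayName, MailboxGuid, DisconnectDate,
            @{Name = 'Database'; Expression = { [string]$db.Identity }},
            @{Name = 'SizeMB';   Expression = { $_.TotalItemSize.Value.ToMB() }}
}

if (-not $disconnected) { "No disconnected mailboxes."; return }

"Disconnected mailboxes (purge cutoff $($cutoff.ToShortDateString())):"
$disconnected | Sort-Object DisconnectDate | Format-Table -AutoSize

foreach ($m in $disconnected | Where-Object { $_.DisconnectDate -lt $cutoff }) {
    # -StoreMailboxIdentity purges the mailbox from the store permanently; the
    # only way back afterwards is a database backup. Exchange still asks for
    # confirmation per mailbox when -Purge is used.
    Remove-Mailbox -Database $m.Database -StoreMailboxIdentity $m.MailboxGuid -WhatIf:(-not $Purge)
}
```

Run it plain first and read the table; the SizeMB column is usually what makes the case for purging, and the DisconnectDate column is what protects a mailbox someone deleted yesterday by mistake.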

Show and Hide Hidden Formatting Word

Sometimes people complain that they are seeing the hidden formatting characters on emails they’re trying to send. And then they are worried that their customers will also see said formatting marks. While I can explain that the customer will only see the text and not the marks, it’s actually much easier to just solve the problem.

Word 2003 had it nice and easy: just click the Paragraph Mark button on the Standard toolbar. But with 2007, everything is hidden or moved. Don't get me wrong, I like 2007 so far, but various tasks that used to be easy to explain are now hidden away somewhere.

And finding the key combination to reset this is difficult because NO ONE WRITES ABOUT IT.

So here's the key combination:
Ctrl + Shift + 8 (that is, Ctrl + *). Just press the magic keys somewhere in your Word document (or in the body of an email, since Outlook 2007 uses Word as its editor) and like magic (sense a theme going on?) the formatting marks show or hide at your command. In Word 2007 the same toggle is the ¶ button in the Paragraph group on the Home tab.

Set Static IP Remotely

Because I rule, I decided to be able to change people's IP addresses remotely. This requires an account that is a local administrator on the target machine; a Domain Administrator account (which I have/am) covers that. Here's the code for my remote script:

Option Explicit
Dim strComputer, strNewIP, objWMIService, colNetAdapters, objNetAdapter
Dim arrGateway, arrIPAddress, arrSubnetMask, arrGatewayMetric, arrDNSServers
Dim errDNS, errGateways, errEnable

strComputer = InputBox("Please enter a computer name:")
strNewIP = InputBox("Please enter an IP address:")

' Site-specific values; change these to match your network.
arrGateway = Array("10.1.3.1")
arrGatewayMetric = Array(1)
arrSubnetMask = Array("255.255.255.0")
arrDNSServers = Array("10.1.1.124", "10.1.1.241")
arrIPAddress = Array(strNewIP)

' Connect to WMI on the remote machine (needs DCOM and admin rights there).
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colNetAdapters = objWMIService.ExecQuery _
    ("Select * from Win32_NetworkAdapterConfiguration where IPEnabled=TRUE")

' Every IP-enabled adapter gets the same address; narrow the query above
' if the target has more than one.
For Each objNetAdapter in colNetAdapters
    ' DNS and gateway first: EnableStatic changes the address this script is
    ' talking over, so it goes last.
    errDNS = objNetAdapter.SetDNSServerSearchOrder(arrDNSServers)
    errGateways = objNetAdapter.SetGateways(arrGateway, arrGatewayMetric)
    errEnable = objNetAdapter.EnableStatic(arrIPAddress, arrSubnetMask)
    ' Return codes: 0 = success, 1 = success but reboot required, anything else is a WMI error.
    If errEnable = 0 Or errEnable = 1 Then
        WScript.Echo "The IP address has been changed (EnableStatic=" & errEnable & ", SetGateways=" & errGateways & ", SetDNS=" & errDNS & ")."
    Else
        WScript.Echo "The IP address could not be changed (EnableStatic returned " & errEnable & ")."
    End If
Next

Basically this script asks for the computer name (or IP address) of the target and then the new IP address. I hardcoded the netmask and the DNS server IPs (as well as the default gateway) because those never change for my needs. Obviously you should change the numbers above to what you require. Be aware that it applies the same static address to every IP-enabled adapter on the target, so narrow the WMI query if the machine has more than one.
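The same change done from PowerShell over WMI, as an added example and not the post's own script. It differs from the VBScript in two ways a practitioner wants: it reconfigures only the adapter that currently holds a given address instead of every IP-enabled adapter, and it checks the return code of each WMI call, then verifies the result through the new address. The gateway, mask and DNS defaults are the post's values and are assumptions to replace.

```powershell
# Added example (not from the original post): set a static IP on one adapter
# of a remote machine through Win32_NetworkAdapterConfiguration.
param(
    [Parameter(Mandatory = $true)] [string]$ComputerName,
    [Parameter(Mandatory = $true)] [string]$CurrentIP,      # picks the adapter to change
    [Parameter(Mandatory = $true)] [string]$NewIP,
    [string]$SubnetMask = '255.255.255.0',                    # assumed site values
    [string]$Gateway = '10.1.3.1',
    [string[]]$DnsServers = @('10.1.1.124', '10.1.1.241')
)

function Assert-WmiResult([string]$Step, $Result) {
    # These methods return 0 for success and 1 for success-but-reboot-required;
    # anything else is a failure code.
    if ($Result.ReturnValue -ne 0 -and $Result.ReturnValue -ne 1) {
        throw "$Step failed with return code $($Result.ReturnValue)"
    }
    "$Step ok (return code $($Result.ReturnValue))"
}

# Needs local admin on the target, DCOM enabled there and the Windows Firewall
# WMI exception open; when one of those is missing, this first call is what fails.
$adapters = @(Get-WmiObject -ComputerName $ComputerName -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.IPAddress -contains $CurrentIP })
if ($adapters.Count -ne 1) {
    throw "Expected exactly one IP-enabled adapter on $ComputerName holding $CurrentIP, found $($adapters.Count)."
}
$adapter = $adapters[0]

# DNS and gateway first. EnableStatic reassigns the address this session is
# talking over, so its reply may never make it back; it goes last.
Assert-WmiResult 'SetDNSServerSearchOrder' ($adapter.SetDNSServerSearchOrder($DnsServers))
Assert-WmiResult 'SetGateways' ($adapter.SetGateways(@($Gateway), [uint16[]]@(1)))
try {
    Assert-WmiResult 'EnableStatic' ($adapter.EnableStatic(@($NewIP), @($SubnetMask)))
}
catch {
    Write-Warning "EnableStatic reply lost or failed ($_); checking the result through the new address."
}

# Verify through the new address; the old WMI session is stale now.
Start-Sleep -Seconds 5
$after = Get-WmiObject -ComputerName $NewIP -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.IPAddress -contains $NewIP }
if (-not $after) { throw "$NewIP is not answering WMI after the change." }
"{0}: IP {1} mask {2} gateway {3} DNS {4}" -f $after.Description, ($after.IPAddress -join ','),
    ($after.IPSubnet -join ','), ($after.DefaultIPGateway -join ','), ($after.DNSServerSearchOrder -join ',')
```

Connecting by IP address for the final check means NTLM rather than Kerberos authentication, which is fine for a domain admin but worth knowing if the target is locked down to Kerberos only.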

But then, after installing a new version of Windows, I realized I was getting errors. The exact error is VBScript runtime error 800A0046 Permission denied: 'GetObject'. Somehow I was being denied the ability to impersonate the local administrator using my script. I thought maybe it was a "new system" issue, so I tried it on an older machine (from my machine though) and it still failed. That narrowed it down to an issue on my machine.

It all boils down to DCOM not being enabled on the computer. DCOM, if disabled, makes for a more secure system (I'm basing that on all the trojans and viruses written to overflow the DCOM stack and take over systems, as well as all the patches written specifically to fix DCOM errors). However, DCOM is required by impersonation scripts like the one above: the winmgmts: moniker reaches the remote WMI service over DCOM. The same GetObject call also fails when the target's Windows Firewall blocks the WMI/DCOM exception, which it does by default from XP SP2 on, so check that too before blaming the script.

Fix:
Open Control panels
Open Administrative Tools
Open Component Services
Navigate to Console Root >> Component Services >> Computers
Right Click My Computer and select Properties
Click on the Default Properties Tab
Check Enable Distributed COM on this computer and click OK

Some people will require a reboot, but my script works just fine after clicking OK.

[EDIT]

It has come to my attention that a lot of people would like to do this remotely. And by a “lot of people” I mainly mean me.
Here’s how:
Open up regedit (start >> run >> regedit)
Choose File >> Connect Network Registry and enter the remote computer's name (the Remote Registry service has to be running there)
Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\OLE under that computer
You will see a REG_SZ value with the name EnableDCOM
Change the value to Y for yes, or N for no. Then reboot the remote system, because the setting is only read at startup.
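The same registry change scripted, as an added example and not from the original post: it reads EnableDCOM on the remote machine through the Remote Registry service, writes the requested value, reads it back, and reminds you about the reboot. The target name is a parameter; the service must be running on the target.

```powershell
# Added example (not from the original post): toggle EnableDCOM on a remote
# machine via the Remote Registry service and verify the write.
param(
    [Parameter(Mandatory = $true)] [string]$ComputerName,
    [ValidateSet('Y', 'N')] [string]$Value = 'Y'
)

$hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
try {
    $ole = $hive.OpenSubKey('SOFTWARE\Microsoft\OLE', $true)   # $true opens it writable
    if (-not $ole) { throw "HKLM\SOFTWARE\Microsoft\OLE not found on $ComputerName" }

    $before = $ole.GetValue('EnableDCOM')
    "$ComputerName EnableDCOM is currently '$before'"

    if ($before -eq $Value) {
        "Nothing to change."
    }
    else {
        $ole.SetValue('EnableDCOM', $Value, [Microsoft.Win32.RegistryValueKind]::String)
        $after = $ole.GetValue('EnableDCOM')
        if ($after -ne $Value) { throw "Write did not stick; read back '$after'" }
        # The value is only read when the machine starts, so the change is not
        # live until the remote system reboots.
        "Set EnableDCOM to '$Value' on $ComputerName; reboot it for the change to take effect."
    }
    $ole.Close()
}
finally {
    $hive.Close()
}
```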