Oddness when creating a dynamic distribution list in Exchange 2007 with custom filters
Posted on October 4, 2011
I recently ran into an interesting bug in Exchange 2007. I was creating a dynamic distribution list in the Exchange Management Shell. I set up a custom filter so that if a user’s AD account description had the word “common” in it, that user would be excluded from the distribution list.
Here’s the code for the DL:
New-DynamicDistributionGroup "EveryoneBlah" -OrganizationalUnit "blah.com/DL" -RecipientContainer "blah.com/blah/Lewiston/blah" -IncludedRecipients MailboxUsers
Here’s the code for the filter:
Set-DynamicDistributionGroup EveryoneBlah -RecipientFilter {(((RecipientType -eq 'UserMailbox') -and -not (description -like '*common*'))) }
When I tried to test the filter by viewing the filtered list of recipients using the Exchange Management Console or by using the Exchange Management Shell, I would be shown a list of the users that the filter had been applied to BUT that list would not be limited by the RecipientContainer that had been specified.
So I did some searching and asking around and was pointed to this guy’s blog. He found out that this is actually a bug in Exchange 2007! The dynamic distribution group and the filter work just fine. It’s Exchange 2007’s functionality to SHOW the correct list of users that the DL is applied to that’s wonky.
Further Reading:
http://www.zerohoursleep.com/2010/03/bug-revealed-in-dynamic-distribution-groups-on-exchange-2007/
Citrix Provisioning Services + VMWare VMXNet3 NIC Drivers = Fail
Posted on September 16, 2011
Assume that you’re setting up a new XenApp Farm with Provisioning Services in your ESX environment. You’ve meticulously set everything up: your image is fully configured, you’ve created the vdisks, configured your provisioning servers, and you’ve created your provisioned VMs from the template that you created from the VM that you used to create your image. The VM that the template is based on runs perfectly. You bring up one of your provisioned servers only to be SLAPPED ACROSS THE FACE with a BSOD.
Turns out that provisioned Citrix VMs and the VMXNet3 NIC driver are not BFFs.
What are your options? Well my friend, it appears you can do one of two things:
1.) Switch network adapters on your VMs to the E1000 (I cannot vouch for this one as I haven’t tried it)
2.) Install the Hotfix CPVS56SP1E011 from Citrix. You’ll probably want to install it on the VM that you are using to create your image, then v to v it, and ensure that the resultant files are copied to your vdisk.
Download Hotfix CPVS56SP1E011 Here: http://support.citrix.com/article/CTX128160
A quick note: Should you ever need to update the VMware tools on your provisioned servers, you’ll want to uninstall the hotfix and the Provisioning Services target device software. Once you have installed the updated tools, you’ll want to install the PVS target device software and the hotfix.
Looking for an AD account that is associated with an email address?
Posted on August 12, 2011
From time to time I find myself looking for an account that is associated with a specific email address. If the email address in question is an alias, a simple search in Exchange won’t turn up any results. Running a query in Active Directory Users and Computers can locate the information easily.
To run this query, take the following steps:
- Open the Active Directory Users and Computers mmc.
- Right-click on the domain and select the “Find” option.
- Select the “Custom Search” option from the “Find:” drop down menu.
- Click on the “Advanced” tab.
- In the field under “Enter LDAP query:” type the following: “(proxyAddresses=smtp:example@example.com)”.
- Hit the “Find Now” button and prepare for win.
The Malformed MIME Dilemma
Posted on July 28, 2011
The company that I work for has an anti-virus gateway. The anti-virus gateway is a server which is positioned between our internal email servers and the outside world. It filters out SPAM emails and viruses while it allows legitimate emails to pass through it to the internal email servers so that they can be delivered to their intended recipients. If the anti-virus gateway cannot fully scan an email for viruses, it filters the email out and often cites “malformed_MIME” as the cause.
MIME stands for Multipurpose Internet Mail Extensions. MIME is used to describe information about the content of an email and how it is formatted. There are standards that determine how a MIME email should be composed. One of these standards is RFC 5322 (formerly RFC 822 and RFC 2822). When an email is created in a fashion that doesn’t comply with RFC 5322, anti-virus software is often unable to effectively scan the entire email for viruses.
The company that I work for receives emails from hundreds of vendors each week. Some of those vendors use custom or specialty software to automatically create emails. The vendor’s email software may not create emails in a way that conforms to RFC 5322. When this happens, the email gets filtered out by my company’s anti-virus gateway and business is hampered.
Some companies in this situation have decided to allow unscannable emails with malformed MIME types to be delivered normally. This behavior is risky, as the bad guys have found ways to use emails with malformed MIME types to crash email servers and hide viruses in emails so that anti-virus software has a hard time detecting them. It is also common for SPAM to have malformed MIME types. By not blocking emails with malformed MIME types, these companies may be delivering more SPAM to their users as well.
At this time, my organization is still blocking unscannable emails. We are also working with vendors who send us emails with malformed MIME types when they request information to investigate the matter further.
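A sketch of the check such a gateway performs, added here as an example and not taken from the original post or from any particular product: Python's standard email parser records structural defects instead of raising, so a message can be held whenever any part reports one. The two sample messages and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy


def build_sample(attachment_b64: bytes, close_boundary: bool) -> bytes:
    """Constructed two-part message (not real traffic)."""
    lines = [
        b"From: billing@vendor.example",
        b"To: ap@corp.example",
        b"Subject: Invoice",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="XYZ"',
        b"",
        b"--XYZ",
        b"Content-Type: text/plain; charset=us-ascii",
        b"",
        b"Invoice attached.",
        b"--XYZ",
        b"Content-Type: application/octet-stream",
        b"Content-Transfer-Encoding: base64",
        b"",
        attachment_b64,
    ]
    if close_boundary:
        lines.append(b"--XYZ--")
    return b"\r\n".join(lines) + b"\r\n"


def mime_defects(raw: bytes) -> list:
    """Return (content type, defect name) for each problem the parser records."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if not part.is_multipart():
            # Decoding the body is what surfaces transfer-encoding defects.
            part.get_payload(decode=True)
        found += [(part.get_content_type(), type(d).__name__) for d in part.defects]
    return found


def gateway_verdict(raw: bytes) -> str:
    """Same policy as the post: hold anything that cannot be fully parsed."""
    return "quarantine" if mime_defects(raw) else "deliver"


GOOD = build_sample(b"SGVsbG8sIHdvcmxkIQ==", close_boundary=True)
BAD = build_sample(b"SGVs$$$$bG8h", close_boundary=False)  # bad base64, no close

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, gateway_verdict(raw), mime_defects(raw))
```

The defect names in the output are the kind of detail worth passing to a vendor whose mail is being held, since they point at the exact part that their software builds incorrectly.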
Has this ever been a concern for your organization? What do you think about this issue? Participate in the poll and post a comment!
How to publish a network share in Citrix XenApp 4.5
Posted on July 11, 2011
From time to time, a Citrix user may need convenient access to a shared folder on the network. The easiest way to provide this access is to publish an icon that acts as a shortcut to that specific folder. The problem is that in XenApp, you can’t just publish a share or directory; you have to publish explorer.exe with the specific UNC path to the folder that you want to make available. Creating the icon is simple enough but this article serves as a quick reference for those who may not do this often.
The process:
- Open up the Citrix Access Management Console and expand “Citrix Resources – XenApp – (Your Farm Name) – Applications”.
- Right-click on “Applications” and select “New – Publish Application”.
- Click on the “Next” button to skip past the welcome screen.
- In the field under “Display name:” type in the name of the folder that you are publishing. In the field under “Application description:” type whatever you like then click on the “Next” button.

- Make sure that the radio button next to “Application” under “Choose the type of application to publish.” is selected. The radio button next to “Accessed from a server” under “Application type” should be selected as well. The drop-down box under “Server application type:” should have the “Installed application” option selected. When the settings match the picture below, click on the “Next” button.

- In the field under “Command line:” enter “%windir%\explorer.exe "\\UNC\Path\To\Folder"”. You can leave the “Working directory:” field blank. Once you have entered in the appropriate information, click on the “Next” button.

- Click on the “Add…” button to choose which Citrix server(s) explorer.exe will be available to run on when the user clicks on the icon for the published application (the folder/share that we are publishing). The “Select Servers” dialog box will pop up with a list of the Citrix servers in your farm that you can add to the list of servers to run the application from. When you have completed the list of servers, click on the “OK” button then the “Next” button.

- The radio button next to “Allow only configured users” should be selected as well as the “Citrix User Selector” option from the “Select directory type:” drop-down box. Click on the “Add…” button to bring up the “Select Users or Groups” dialog box. From here, you can click on the “Add List of Names…” button to type in your users’ names manually. You can also put a check mark in the box next to “Show users” then navigate and double-click on the user that you would like to add. Once you have selected all of the users that you would like to allow access, click on the “OK” button, then click on the “Next” button.

- Note: At this point you may get an error message “Failed to read icons from file: %windir%\explorer.exe”. This is okay. Click on the “OK” button. From this screen, you can change the icon for the published application, and determine where it will appear for the user. For the sake of brevity, you can accept the defaults and click on the “Next” button.
- Click on the “Finish” button to publish the application immediately. If you need to fine tune your options, you can always go into the published application’s properties by right-clicking on it in the Citrix Access Management Console and selecting the “Properties” option.
Your newly published application should appear in your Applications folder in the Citrix Access Management Console. The application shortcut should also appear for the users that you allowed access to the published application when they log in to the Citrix environment.
UPDATE:
If you have done this from a XenApp 6/6.5 farm, you may notice that when you launch the published share, it immediately disconnects/closes. This can be fixed by adding an entry to the registry on the XenApp server. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI and create a new DWORD called LogoffCheckerStartupDelayInSeconds and give it a value of 10.
Further Reading:
http://zenapp.blogspot.com/2010/11/publishing-explorerexe-in-xenapp-6.html
Create an SPF record like a boss
Posted on June 17, 2011
What’s an SPF Record?
Well friend, an SPF record helps to provide verification that an email came from a legitimate source. Why would you care about that? You see, most SPAM comes from illegitimate sources (go figure). Spammers can make it look like an email came from a certain email address even though it didn’t, which is a reason why SPAM sometimes gets past SPAM blockers.
This is where the SPF record comes in: the SPF record is actually just a listing of the addresses of a domain’s email servers. Basically, a domain like abnergoodwin.com has a set of email servers that it uses to send its emails through. The SPF record for abnergoodwin.com will contain a list of those email servers that I use to send emails. If abner@abnergoodwin.com sends an email to you, your email service can make sure that the email actually came from the abnergoodwin.com domain by checking abnergoodwin.com’s SPF record.
If a spammer tried to send SPAM email and make it look like it came from an abnergoodwin.com email address, any email server that received that email could check abnergoodwin.com’s SPF record and confirm that the email was illegitimate. If all email services used SPF records, it would make it much harder for spammers to waste our time and resources with their inane, offensive junk.
That’s cool. How do I set one up?
There’s a wizard over at openspf.org that can guide you through the record creation process. Before you get all click-happy on that link, there is some information that you’ll need to gather first. You’re going to need:
- A list of all of your domains – even the ones that you don’t send email with
- A list of all of your outgoing email servers
- Access to change your domain’s DNS records
Now you can go to http://old.openspf.org/wizard.html and plug your domain/server info into the wizard. The wizard generates your SPF record for you which you can then add to your DNS records. Once you’ve generated your own SPF record, you might want to run it through this nifty SPF Record Checker to make sure that it works.
If your email is hosted by a service like Google Apps, the email service may provide information on creating SPF records for your domain. Check out these links for SPF record information for the following email hosting services:
Aaannd yeah, you can pretty much find this information on your own by searching for a minute or two on Google.
Pro Tip: search for the name of your hosting service + SPF record. Works like a charm.










