Last July I changed employers, and one of my tasks in the past year was to deploy a new file server to replace a very badly configured, poorly deployed virtual machine file server. In addition, I discovered five different naming conventions were used when previous accounts were created in Active Directory. So, to get to a place where I can also prepare for an Exchange migration, I had a lot of account clean up.

Step one was to establish a new naming convention. What’s worked well in the past is firtname.lastname, so obviously home folders would be named identically. When I ran my original cacls script, server 2008 r2 offered me a wonderful alert: “cacls is now deprecated, please use icacls”. Odd, I remember running cacls on server 2008, without issue. R2 is full of surprises

I am of the firm belief that giving users FULL access to their home folders is a really, really bad thing. I have learned over the years that 1) folks out there don’t understand why “Administrator” (or domain admins) has access to their private data in their home folder and 2) when given the power to set permissions themselves, they often remove the Administrator (or group) from their folder, wreaking havoc on backups etc. Anyway, I set MODIFY perms for all home folders for end users…

So, it turns out that a simple:

ICACLS.exe  /GRANT MyDomain\user:M /GRANT MyDomain\Domain Admins:F

won’t work on SOME folders. Digging in a bit, I noticed I needed the /grant:r , with the “r” meaning to “replace” the permissions if the ACL is already set for that particular user SID. Great, I thought. And off I went, only to discover that the /grant:r does not replace the ACL as advertised. This really baffled me for a bit and after an early morning awakening (yeah, I dream about this stuff sometimes), I had an epiphany.

In Checking the standard security tab I saw that a user still had FULL access, indicating the script did not work. But when clicking on the advanced button, there it was…the user also had a separate ACL with MODIFY access. So, to make the process work correctly, I had to break it into two separate scripts, one to remove all ACL’s assigned to the user, then add the ACL back with the correct perms. Obviously, running the below scripts should be done OFF hours, as the first one removes ALL access for users to their home folders.

Script 1: For /D %%I in (*) DO ICACLS.exe %%I /remove MYDOMAIN\%%I

Script 2: For /D %%I in (*) DO ICACLS.exe %%I /GRANT:r MYDOMAIN\%%I:(CI)(OI)M  /GRANT:r MYDOMAIN\Domain Admins:(CI)(OI)F

Now, I am not sure if it was my mistake in the first place when I ran a simple /GRANT or if ICACLS just doesn’t remove the ACL’s on Server 2008 R2 (as purported), but the above is what worked for me. Hope this helps someone else out there when it comes to the inconsistent processing of ICACLS.

The script to create the folders is as follows:

Create a Room or Equipment Mailbox in the EMC

Allow Publishing: Go to properties of the new mailbox, then Mailbox Setting Tab, then Sharing. Change the policy to the sharing policy created using the method published here (enter URL of published Document Here)

Convert to a shared mailbox using EMS:

Set-Mailbox “mailboxname”  -Type Shared

Add Permissions:

Add-MailboxFolderPermission –identity mailboxname:\calendar –user designatededitorusername -accessrights editor

Repeat command substituting designated editor username accordingly

Enable Publishing:

Before performing this step, you must add the customized sharing policy previously created.

Set-MailboxCalendarFolder –identity mailboxname:\calendar –detaillevel fulldetails –publishdaterangefrom oneyear –publishdaterangeto oneyear –publishenabled $true

Check/Get the published URL:  Get-MailboxCalendarFolder mailboxname:\calendar

Add permissions for editor to load the mailbox and alter sharing permissions or republish if necessary:

Add-MailboxPermission –identity mailboxname –user designatedfullaccessuser –AccessRights FullAccess

Add permissions so designated user can send links out via email:

Add-ADPermission –identity ‘mailboxname’ –user ‘designatedsendasaccessuser’ –ExtendedRights ‘Send As’

Once this is setup, the designated user would load the shared mailbox and publish the calendar. Once published, the URL is viewable, which can be sent out via an email.

1. Create the Resource (room mailbox, equipment mailbox).
2. On Resource Policy Tab, select delegate, check “forward meeting requests to delegates”.
3. On Resource General Tab, check the box for booking attendant.
4. On the Resource In-Policy Requests Tab, check radio buttons:
   1. Selected Recipients (automatic approval), leave blank.
   2. All Users (subject to approval)

On the Resource Out-of-Policy Requests Tab, check “Selected recipients”. Leave blank

*Note: My goal was to have all meeting requests forwarded properly to the delegate(s) for approval, whether it’s in policy or out-of-policy. The above steps accomplish this however, if you desire to have only out-of-resource policy requests forwarded to a delegate AND all in-policy requests auto-accept, then use the Microsoft suggested defaults.

With Exchange 2010 SP1, a new virtual directory was added specifically for calendar sharing and the default settings should be set accordingly. To verify the settings prior to proceeding, open an EMS and type:

Get-OwaVirtualDirectory |select name, server, calendar*

This will provide the output verifying that all CAS servers have the CalendarPublishingEnabled flag set to True.

Next, an Internet Calendar Sharing Policy needs to be created:

1. Open EMC, go to Organization Configuration, Mailbox
2. Click the Sharing Policies Tab
3. From the right Actions pane, select “New Sharing Policy…”
4. The New Sharing Policy Wizard starts. Give the new policy a name, then click the Add button in the Assign Actions section. By default the checkbox to enable the policy is set.
5. The Add Action to Sharing Policy Domain window pops up
6. **This is important** -type Anonymous in the top line, and then select “Calendar sharing with free/busy information plus subject, location, and body.

Click Ok, then next, and next on the New Sharing Policy Wizard window. The policy will be created.

Next, open the properties on any global shared calendar  you want to enable publishing on under Recipient Configuration.

Select the Mailbox Setting tab and then Sharing.

Apply the sharing policy that you just created by clicking Browse… and select it from the list.

That’s it, you have now created a new internet calendar sharing policy and have assigned it to a global shared calendar.

Cmdlets used:

Get-MailboxFolderPermission

Add-MailboxFolderPermission

Remove-MailboxFolderPermission-(this cmdlet is used to remove an existing coworker who was added before discovering it cannot be done in OWA).

Examples:

Get-MailboxFolderPermission –identity david.bolton:\calendar

Remove-MailboxFolderPermission –identity david.bolton:\calendar –user my.coworker

Add-MailboxFolderPermission –identity david.bolton:\calendar –user my.coworker –accessrights editor

AccessRights Parameter = roles assigned

Roles Assigned:

•  
  • Owner   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingEditor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • Editor   CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingAuthor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • Author   CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • NonEditingAuthor   CreateItems, ReadItems, FolderVisible
  • Reviewer   ReadItems, FolderVisible
  • Contributor   CreateItems, FolderVisible

The first piece of this process was to get the terminal server up and running. Once that was done (in short time thanks to our VMWare environment) and proper permissions were setup for access to it, I moved on to create the custom MMC’s. When I say custom, I mean an MMC that gives the user an interface that shows only that section of Active Directory which they need access to in order to complete specific tasks such as disable accounts, reset passwords, or view properties of an account. I will not go into details here on how to create customized MMC’s as there is a ton of information out there on the net for such. However, I will say that I simply author an MMC in a new taskpad view and assign only those tasks needed for the individuals, then lock the entire MMC down at completion.

Once the set of MMC’s was created for multiple folks at multiple locations, I needed a way to launch only that MMC on the terminal server when they login. For each location, an assigned user should get only their MMC. Thus, a simple script to run at login, called from the local group policy was the solution. The following is the script syntax, customize for your situation:


@echo off
REM Launch MMC according to user’s group membership

:SITE1
ifmember “site1 student admins”
if not errorlevel 1 goto SITE2
start c:\MMCs\SITE1.msc

:SITE2
ifmember “site2 student admins”
if not errorlevel 1 goto SITE3
start c:\\MMCs\SITE2.msc

:SITE3
ifmember “site3 student admins”
if not errorlevel 1 goto TechSvcs
start c:\\MMCs\SITE3.msc

:TechSvcs
ifmember “technology services staff”
if not errorlevel 1 goto quit
start c:\\MMCs\Tech.msc
start c:\\MMCs\AdminGuest.msc

:quit

As you can see, you can call multiple MMC’s at one time (the tech services section), giving folks further access into Active Directory as needed. The last piece of this is to name this script something like LauchMMC.bat, and add it as a login script (User Configuration) through the local Group Policy editor.

“Skipping ‘lang/php5-extensions’ (php5-extensions-1.3) because a requisite package ‘php5-zip-5.2.12′ (archivers/php5-zip)
failed (specify -k to force)
** Listing the failed packages (-:ignored / *:skipped / !:failed)
- devel/automake110 (port directory error)
- devel/automake19 (port directory error)
! devel/autoconf (autoconf-2.62) (install error)
* devel/autoconf (autoconf-2.67)
* lang/php5 (php5-pcre-5.2.12)
* lang/php5 (php5-spl-5.2.12)
! security/php5-filter (php5-filter-5.2.12) (missing header)
! archivers/php5-zip (php5-zip-5.2.12) (missing header)
* lang/php5-extensions (php5-extensions-1.3)”

At first, I needed to resolve the autoconf issue and a pkg_info *auto yeilded some interesting information-four different versions of each with separate wrappers. Apparently devel/autotools has had some ongoing cleanup taking place, which AHEM (yes, I make bonehead sysadmin mistakes too , I failed to catch while reading the /usr/ports/UPDATING file prior to running portugrade…

Specfically, the UPDATING file reads:

“IMPORTANT: if you have either devel/autoconf-wrapper or
  devel/automake-wrapper installed on your system (and you most likely do)
  PLEASE update these ports to their new versions before updating anything
  else — Bad Things[tm] are likely to happen otherwise.”

So off to Google I went in an effort to resolve the issue. Well, not much help there so based on my past experience, I know autoconf/automake are required packages on many other ports. I uninstalled the autoconf and automake ports and will let package dependencies resolve the issue on future upgrades.

After dealing with autoconf/automake, it was on to the php5 errors. Noticing that the errors originally had to do with pcre, and after checking the /usr/ports/MOVED file I noticed this little entry on php5-filter:

“security/pecl-filter|security/php5-filter|2008-12-11|Now bundled in php5″.

Hmmm, maybe I am on to something here. I noticed also that pecl-filter was its own package previously (pkg_info) and listed as such.

To finally resolve the pcre and pecl-filter issue, and to get to the point of fixing the php5 issue, I did the following:

1. pkg_delete -f pecl-fileinfo-1.0.4
2. pkg_delete -f php5*
3. accordingly I added WITH_BUNDLED_PCRE=”YES” in my make.conf file (http://forums.freebsd.org/showthread.php?t=13191)
4. cd /usr/local/
5. rm /etc/php.*
6. rm -r lib/php/
7. rm -r /include/php/
8. cd /usr/ports/lang/php5/
9. make rmconfig
10. make install clean, selecting options I needed for re-install of php5
11. cd ../php5-extensions/
12. make install clean
13. and finally, pkgdb -Fu to remove any outstanding port dependencies (which no fix was necessary)

No further errors were thrown and our production blog server is back to being  very happy

The first thing I noticed was the fact that you can setup different groups (to be used as a lab manager) or you can add an entire server list as I did. A great feature of this tool is that credentials can be inherited directly from the top of the server list (global), as well as local resource settings, gateway, file, connection, security, and display settings.
 
This tool really rocks, and I probably won’t ever go back to using the standard “remote desktops” tool. I love the thumbnail view and at a moments glance can view all servers that are either in a connected or disconnected state, as you can see from this screenshot:

One quirk I noticed though is that in thumbnail view you can actually click inside an open server, which is live in thumbnail view. The problem I see with this is that one could easily open, close, or delete items without being fully aware of their actions. I quickly learned this as my first inclination was to double-click to expand the thumbnail window and noticed I was about to remove a database! The resolution is simply to click on the live server in the left pane.

Check out some more details here: http://msexchangeteam.com/archive/2010/06/11/455115.aspx 

and you can download the tool here:  http://www.microsoft.com/downloads/details.aspx?FamilyID=4603c621-6de7-4ccb-9f51-d53dc7e48047&displaylang=en

Enjoy!

The VMWare cluster implementation is complete and I will add some posts about that. As I move towards a full IMAP to Exchange 2010 implementation, I will add posts regarding those processes as well.  I moved from my iPhone to Droid recently and quite honestly, will probably never go back . I will post my findings on that as well.

Stay tuned…