
Change all users to an alternate domain suffix

In Active Directory Users and Computers, right-click Queries > New. Give it a name and click "Define Query". Stay on the "Users" tab, set the Name condition to "Is not" and type a name that does not exist, such as testtesttest. Click OK, OK. The query returns every user whose name is <<not>> testtesttest, which is all of them. Select all, right-click > Properties. Go to the Account tab, check "UPN Suffix" and change it to the appropriate suffix. That's it! There are PowerShell methods to do this too, but when handling hundreds of user accounts you have to be absolutely careful in PowerShell. There are solutions online that work fine that I am not going to post here. This is purely for the GUI. Good luck!

Exchange and AD Powershell Useful Commands

I've had a few odd issues and tasks with Exchange 2010 and AD recently and wanted to take a moment to document them, as well as the commands used to resolve them:

The following command resolved an issue where multiple copies of the same shared mailbox showed up: only one of them allowed access, and the other copies simply failed to open.

Add-MailboxPermission -Identity <shared mailbox alias> -User <your mailbox alias> -AccessRights FullAccess -InheritanceType All -Automapping $false

The following finds all enabled user accounts whose Password Never Expires attribute is set to true, formatted in a nice table of username and the value. The value is not really necessary because it should only ever return true, but everyone loves a sanity check, right?

Get-ADUser -Filter * -Properties PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true -and $_.Enabled -eq $true } | Format-Table -Property Name, PasswordNeverExpires -AutoSize

Set up Blue Iris Surveillance software with IFTTT

I have two cameras for which I always want a notification if I'm not home. Initially I set this up to always send me an alert, but as you can imagine, my phone blew up just from me walking around. Blue Iris has a neat feature which is simply a traffic light. If red, it disables various things including recording (not desired for me in this case), but it can also disable just alerts. I set it to only disable alerts when the traffic light is red. I had never used this feature before, so here's a brief how-to.

Click settings button and modify the settings as illustrated.

Set User Account that will perform this action.

Set Traffic Signal to Alerts Only

Verify web server port & disable Secure only for the web server

  1. On your server computer (the Blue Iris Windows machine), install something like WAMP or XAMPP to handle web requests.
  2. After the install, create a PHP file with the name of your choice and a .php extension, containing a script similar to the one below. Drop it in the htdocs directory of WAMP or XAMPP; for example, my directory is C:\Bitnami\wampstack-7.1.19-0\apache2\htdocs
<?php
$home = $_GET['home'] ?? ''; // home status sent by IFTTT ("true" = home, "false" = away)
$my_file = 'log.txt'; // store logs so we know if our server is being used improperly and by whom

// Append one timestamped line, including the requesting IP, to the log file.
function log_request($my_file, $message)
{
	$handle = fopen($my_file, 'a') or die('Cannot open file:  ' . $my_file);
	$data = date("Y.m.d.h.i.s") . ' on requesting ip: ' . $_SERVER['REMOTE_ADDR'] . ' ' . $message . "\r\n";
	fwrite($handle, $data);
	fclose($handle);
}

if ($home === 'true')
{
	log_request($my_file, 'Request to set RED.');
	// signal=0 is red: alerts are disabled while someone is home
	file_get_contents("http://10.1.1.99:8080/admin?user=admin&pw=password&signal=0");
	echo "home";
}
elseif ($home === 'false')
{
	log_request($my_file, 'Request to set GREEN.');
	// signal=1 is green: alerts are enabled while away
	file_get_contents("http://10.1.1.99:8080/admin?user=admin&pw=password&signal=1");
	echo "away";
}
else
{
	log_request($my_file, 'FAILED REQUEST!!! Request: ' . $home);
	echo "invalid";
	// do nothing
}
?>
  3. Now let's explain the URL in there so you can get an idea of what is happening and how Blue Iris interprets it: http://10.1.1.99:8080/admin?user=admin&pw=password&signal=1
    1. 8080 is the web server port you've set in Blue Iris.
    2. user is the user account you created in Blue Iris.
    3. pw is the password for that account (recommended: restrict this account to admin tasks only, with no viewing rights or anything else).
    4. signal is the traffic light, where 1 is active (green) and 0 is inactive (red).
  4. Now if you browse to your local host URL 127.0.0.1/myphpfile.php?home=false you should get a value back; in this case, you should see "away" in your web browser. If you see this, your PHP script is working. Blue Iris should also change the animation of the traffic light at this point.

  5. Let's take a moment to understand all of what just happened and why. You set up a web server with a script to change the alert status on the local Blue Iris machine. Now you'll need to expose the web server to the internet (or, if you're security aware, you may also set it to only accept requests from IFTTT IP addresses). I won't outline this step, as there are too many router combinations, but you need to port forward to your web server.
  6. IFTTT is super easy! Just log in, select Location for the "this" (set up an area around your home and configure it appropriately) and a webhook for the "that", in which you put your IP or domain, so something like x.x.x.x:PORT/myphpfile.php?home=true for enter and home=false for exit. You will create 2 webhook applets, one for enter and one for exit, each with the appropriate URL.

This guide is somewhat advanced as it assumes you know how to port forward and have a static IP or a domain that updates with your IP.
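Once the port is forwarded, the script above answers anyone who finds it, and the Blue Iris admin password rides along in the URL. As an added example (not the script from the post), here is the same webhook with a shared secret that the IFTTT URL must carry; the token value, the Blue Iris account and the log path are placeholders for your own environment.

```php
<?php
// Added example, not the script from the post: the same Blue Iris traffic-light
// webhook, hardened for an internet-facing web server. Everything in the constants
// block is a placeholder you must set for your own environment.
declare(strict_types=1);

const SHARED_SECRET = 'replace-with-a-long-random-token'; // placeholder; also goes in the IFTTT webhook URL
const BLUE_IRIS     = 'http://10.1.1.99:8080';            // Blue Iris host and web server port from the post
const BI_USER       = 'admin';                            // placeholder: an account limited to admin tasks
const BI_PASS       = 'password';                         // placeholder: stays on the server, never in the IFTTT URL
const LOG_FILE      = __DIR__ . '/log.txt';

// Append one timestamped line with the requesting IP to the log file.
function log_line(string $msg): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '-';
    file_put_contents(LOG_FILE, date('Y.m.d.H.i.s') . ' ' . $ip . ' ' . $msg . "\r\n", FILE_APPEND | LOCK_EX);
}

// 1. Reject any request that does not carry the shared secret. hash_equals() compares in
//    constant time, so a remote caller learns nothing about the token from response timing.
$token = $_GET['token'] ?? '';
if (!is_string($token) || !hash_equals(SHARED_SECRET, $token)) {
    log_line('REJECTED: missing or wrong token');
    http_response_code(403);
    exit('forbidden');
}

// 2. Only two values are accepted, mapped to Blue Iris signal codes: 0 = red (alerts off
//    while home), 1 = green (alerts on while away). Anything else is logged and refused.
$signals = ['true' => 0, 'false' => 1];
$home = $_GET['home'] ?? '';
if (!is_string($home) || !isset($signals[$home])) {
    log_line('FAILED REQUEST: home=' . var_export($home, true));
    http_response_code(400);
    exit('invalid');
}

// 3. Build the Blue Iris admin URL server-side; only the signal code derives from input.
$url = BLUE_IRIS . '/admin?' . http_build_query(['user' => BI_USER, 'pw' => BI_PASS, 'signal' => $signals[$home]]);
if (@file_get_contents($url) === false) {
    log_line('Blue Iris request failed while setting signal ' . $signals[$home]);
    http_response_code(502);
    exit('error');
}
log_line('Set signal ' . $signals[$home] . ($home === 'true' ? ' (home, RED)' : ' (away, GREEN)'));
echo $home === 'true' ? 'home' : 'away';
```

Add the token to both IFTTT URLs (for example x.x.x.x:PORT/myphpfile.php?home=true&token=...) and serve the script over HTTPS where you can, since the token travels in the query string.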

InvoiceNinja Install CentOS with Apache

This application is quite useful for tracking payments. This quick tip is going to only go over the app installation for self-hosted versions (not setting up a server from scratch).

What you need to have:

  1. A CentOS server and Apache with PHP updated to version 7 or greater. (By default you usually get PHP 5.6. You may need to manually update this to 7. There are tutorials online for this)
  2. Knowledge or Google-Fu on Virtual Hosts with Apache
  3. Basic knowledge on moving files/ editing files within a Linux system.

What you need to do:

  1. Download the files. You can do this through commands like wget on the box or download it from www.invoiceninja.com on a Windows box and upload it to your web server.
  2. Extract the files, either on your Linux box or before uploading them through a utility like FileZilla.
  3. Move (mv) the files to your web directory (e.g. /var/www/html).
  4. I tend to put the application under a folder called ninja and modify permissions/ owner appropriately. Modify/ create a Virtual host for 80 and 443 pointed to the directory /var/www/html/ninja/public.
  5. cd /var/www/html/ninja
  6. composer install
  7. composer update
  8. Now when you navigate to your URL (e.g. website.com or web.site.com), you'll get the setup prompts.

Remember & Note

  • The .env is your settings file. It’s required to connect to any existing database if you are doing an update. If you update, please move this file to the new folder you upload.
  • Composer is a utility that will download necessary dependencies that Ninja will need to run. I tend to run these two commands every time I update the software to get the latest and greatest versions of all the dependencies.


Exchange ActiveSync Inheritable Permissions not checked

This issue came up the other day when attempting to set up an Exchange 2010 ActiveSync profile on an iPhone. The phone would read the account information and act like it was ready to start syncing, but when you went into the Mail app it would say it cannot get mail. It turns out this is a very simple permissions issue: the user account is not inheriting permissions. This article does an amazing job of explaining it.

Exchange ActiveSync and Inheritable Permissions issue

The Importance of Data Security

Data security is as important now as it has ever been. People don’t realize how imperative it is, and lazy IT personnel don’t care enough to do it right from the beginning. I can’t tell you how many times I’ve been to a Doctor’s office only to see them walk away with their computer unlocked or a network attached storage hard drive array/ enclosure sitting out in the open behind the secretary’s desk. You can’t even begin to imagine how sick it makes me to see these things happen. And the doctor’s response when I point it out? “It’s encrypted”. Ah, okay, so the data at rest is encrypted? The traffic between computer to server is encrypted? And this encryption means that if I fell on the floor and sneakily plugged a flash drive in with malware to compromise your system or a keylogger that I wouldn’t have any useful data? Does this mean if the secretary ran to the restroom leaving the front area unattended that I could grab the NAS and run but I wouldn’t be able to access the data? I feel that at least 1 or 2 questions I just asked have an answer that rhymes with “no”.  This is the same with Equifax’s recent data breach. IT systems are just run and left running because they work. They aren’t reviewed properly and in many cases, finding the right tool to monitor important things is not always easy. Or the tool is there but it is not turned on. Or the tool could be used but produces so much overhead that it doesn’t get turned on at all. Breach after breach, we (as humans) just don’t take the time we should to secure our data.

As the IT for several companies, I do what I can to ensure we aren’t over-exposing our customers and we lock down anything we are able to in order to prevent breaches as much as possible. Hopefully the breach with Equifax will blow over as quickly as possible. Until then, do what you can to protect yourself!

One thing I didn’t see mentioned too well on the sites I was reading about this and “how to protect yourself” is that most banks offer a form of identity theft protection. I’d recommend you take advantage of it. For example, Members Preferred Credit Union offers it for just $1.95 a month (credit union in Idaho Falls).

CNBC provides a decent infographic of what you can do to protect yourself:

https://www.cnbc.com/2017/09/08/how-to-protect-yourself-after-the-equifax-data-breach.html

To place a fraud alert, these are a couple of the sites you might use:

https://www.experian.com/ncaconline/fraudalert

https://www.transunion.com/fraud-victim-resource/place-fraud-alert

I’d tell you the one for Equifax, but I’m not feeling confident about entering data on any of their forms for some reason. Aside from the obvious large elephant in the room, I’m not sure why anyone would feel that way?

To find your current credit report on any of the 3 agencies, use the following (you should check this periodically anyways to stay in control of your finances) annualcreditreport.com.

Use links above at your own risk.

Why Google’s GSuite?

Google has a ginormous pair of pants. No matter how much you tell it to stop eating, it just keeps getting bigger and bigger. When I was maybe 8 years old, I recall signing up for a Gmail account. This was just after you could sign up without having to have an invitation to do so (yeah, it wasn’t public before, it was invitation only). After signing up, I thought it was plain compared to Yahoo! and I didn’t like the interface. It was the most basic HTML you’ve ever seen (and can still see if you click the link in your Gmail while it’s loading). Over time, I saw chat get added, new tools become available. The interface got a serious face-lift (and has since seen yet another face-lift with even more simplicity). It’s an ever evolving product of products.

The most amazing additions in my opinion were some things by the names of Google Docs and Google Sheets. What’s not to love? As an IT guy, I’m absolutely in love with the fact that it’s browser based (less worry of installing apps), it’s feature rich and getting better all the time. It’s affordable with a Gmail address – FREE and even cheaper than Office365 at just $5 for a basic user. Hosted email, free Office Suite, Drive online storage? How can you really go wrong?

Now admittedly for the power Excel users, you may find some limitations. Even some Word features are lacking a bit. Even still, I don’t take back my comments above about the benefits. I’ve seen bugs in Microsoft Office products that I never see in Google’s suite of products. The products continue to grow. For the fact that it’s purely browser based as well blows me away. So I’ll walk away to buy Google another box of Twinkies to help maintain that large pant size because the days of installing Microsoft Office on hundreds of PCs is dwindling away into a browser based world. And for those true Microsoft Die Hards, the free Office online still does a great job and stacks up nicely against the Google “Office Suite”. They’ve done a great job at carrying that same look and feel of their offline product into the web browser.

VMWare Tools Installer

For the days you don't want to log in to your VMware account to download VMware Tools:

https://packages.vmware.com/tools/esx/index.html

Usually life runs smoothly, but this can be helpful when there are roadbumps.

Install PFSense on VMWare ESXI with VLAN tagging

I had tried virtualizing my PFSense box in the past and had not been able to get any devices to talk back to the PFSense box. It seemed like a very straightforward setup to me. I recently tackled the project again as my physical hardware was going out on my old box causing PFSense to crash. I won’t get into the details of that box. The good news is that it’s off now. 🙂 Here is an overview of how I did this.

  1. Spin up new virtual machine on VMWare ESXI with PFSense. Set up 2 network adapters within ESXI and the PFSense machine’s settings.
    1. For ease in configuration, I turned on the LAN DHCP within PFSense. That is not required though, there are plenty of ways to accomplish this task.
  2. Download a backup config from existing firewall.
  3. Once installed, restore the backup config to your newly installed PFSense machine.
  4. Modify adapters as necessary. If you didn’t turn on DHCP, another option at this stage is to use the console interface in VMWare to set the interfaces in PFSense. Both methods are very easy to do.
  5. At this stage, if I were to plug my existing WAN and my existing LAN into their newly designated ports, what would happen? Assuming you mapped the ports correctly in PFSense and VMware and everything is plugged into the right spot, you'll still be missing one (quite important) step. In the properties of the adapter in ESXI, you have to set the internal LAN VLAN ID to 4095. This ID allows tagged VLAN traffic to pass through without being modified. The default, VLAN 0, disregards the tags.

This process is by no means difficult, but it was tricky. It was obvious why the traffic was not passing in my first attempt but it was not immediately obvious that VLAN 4095 is the one to use to maintain the tagging. That simple change has everything working properly.

VMWare – Formatting a drive

So I have a host with ESXI 6.5. I put in a spare laptop hard drive I had laying around just to store some files on. I wouldn’t recommend a laptop drive in a corporate or production environment, but in my personal “home use” case, this will be just fine. I won’t be streaming from this drive either, just data at rest really. So I powered down the host and put in the new hard drive. I turned it back on and the ESXI web GUI kept crashing when I was trying to add the drive. I searched for a bit and tried deleting partitions. Nothing seemed to work. I found a resolution by completely formatting the drive using mklabel. See below for details. Here was the error:

Error: Both the primary and backup GPT tables are corrupt.  Try making a fresh table, and using Parted's rescue feature to recover partitions.

  1. SSH into your ESXI Host.
  2. Type: ls /vmfs/devices/disks/
  3. Find the disk in question. I’ve found that VMWare does a pretty good job of labeling it by the drive tray it is in, but this may not always be the case. There are some VMWare articles you will want to reference to verify you are making changes to the right disk. This is especially true for a production machine that you have live data on. The last thing you want to do is delete production data.
  4. In my case, this was the disk name: mpx.vmhba1:C0:T1:L0 
  5. Now let’s get to the formatting!
  6. Run this: partedUtil mklabel /vmfs/devices/disks/mpx.vmhba1:C0:T1:L0 gpt

Here are some of the articles I used to determine which drives needed to be formatted:

  • https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1036609
  • https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008886