what did you learn today? (part 2)

[ronelson]

I did just dig down and found out we have "Domain-> Workstations-> location->2nd floor-> 2nd floor west-> IT Department" as an OU structure. I am going to break so much shit trying to sort this out.

Nuke it from orbit. It's the only way to be sure!

 

[hawkbox]

ronelson[/url]":1c0qpyu8]

I did just dig down and found out we have "Domain-> Workstations-> location->2nd floor-> 2nd floor west-> IT Department" as an OU structure. I am going to break so much shit trying to sort this out.

Nuke it from orbit. It's the only way to be sure!

I'm seriously considering it. I might just build new OUs and migrate things as I go and deal with the fallout. Considering every single GPO setting has it's own policy I get to sort through a dozen policies just to find out what favourites were set.

 

[Big Wooly Mammoth]

That is no longer the case with domains with a functional level of 2008 R2--maybe even 2008.

We do apply password policy at the domain level; everything else is by OU, site, etc., sometimes restricted by security group.
Loopback processing is also very helpful for applying user settings to specific sets of computers.

 

[Arbelac]

Big Wooly Mammoth[/url]":24gi4yzx]That is no longer the case with domains with a functional level of 2008 R2--maybe even 2008.

We do apply password policy at the domain level; everything else is by OU, site, etc., sometimes restricted by security group.
Loopback processing is also very helpful for applying user settings to specific sets of computers.

If you've got a link, that would be helpful. I can't find anything on MS's site about not creating PSO items and binding them to groups.

 

[hawkbox]

Arbelac[/url]":2e3xv15o]

Big Wooly Mammoth[/url]":2e3xv15o]That is no longer the case with domains with a functional level of 2008 R2--maybe even 2008.

We do apply password policy at the domain level; everything else is by OU, site, etc., sometimes restricted by security group.
Loopback processing is also very helpful for applying user settings to specific sets of computers.

If you've got a link, that would be helpful. I can't find anything on MS's site about not creating PSO items and binding them to groups.

Same, it would be awesome to see some examples. There are >200 security groups here in a corp of less than 500 full time staff, I've found 15 security groups that are empty already.

 

[PaveHawk-]

Sometimes setting up the simplest of things can take way longer than it should.

Was setting up SQL Async Mirroring across 2 DCs (Rackspace managed infrastructure) and it wouldnt work. Tried everything (recreated the endpoints with different ports, user accounts, manually created etc) and no go.

Just before I go out for lunch, try it again and it worked. No idea what I did differently.

 

[Xon]

I'm really annoyed about TechNet subscriptions going away. It will make it significantly harder for self-directed learning and the ability to setup legacy enviroments at a sane price point.

Time limited trials are worthless if you are having to rebuild an entire domain enviroment to just play with an AD-integrated technology over time. Especially when it can't be as part of a full-time job, that trivially cuts down those 30 days to 180 days trials to a very short time before a rebuild is required.

PaveHawk-[/url]":1at3ther]Just before I go out for lunch, try it again and it worked. No idea what I did differently.

Where you using AD credentials rather than an SQL login? If so, my first stab would be cross-site AD replication lag.

 

[ronelson]

There are >200 security groups here in a corp of less than 500 full time staff, I've found 15 security groups that are empty already.

For the love of God, please tell me you're using PSH, not double-clicking on each one. I feel your pain, but at least you have such a tool - things like Checkpoint policies don't even often the option, you have to right-click -> Where Used and make sure repeat on any groups it's a member of. Fucking insane.

 

[hawkbox]

ronelson[/url]":n9rv81wu]

There are >200 security groups here in a corp of less than 500 full time staff, I've found 15 security groups that are empty already.

For the love of God, please tell me you're using PSH, not double-clicking on each one. I feel your pain, but at least you have such a tool - things like Checkpoint policies don't even often the option, you have to right-click -> Where Used and make sure repeat on any groups it's a member of. Fucking insane.

Yeah I have been, I've been trying to figure out a way to Powershell it like I did with inactive accounts and users but that Quest stuff seems out of date and the new version of powershell seems to have changed enough for most of the blogs out there to not be accurate.

 

[Fulgan]

TIL that, according to our maketing dep, our SaaS service has actually "migrated to a private vCloud infrastructure". I'm not sure what it means (if anything) but that's apparently how they translated "we moved from using our own servers to using VMs rented from an IaaS that uses VMWare and vCloud director".

Lost in translation indeed.

 

[hawkbox]

TIL that my director is worried about Windows Updates breaking things. I personally am not worried about that, I am terrified of our AD structure.

 

[Cookie.Monster]

hawkbox[/url]":2fipixmf]

ronelson[/url]":2fipixmf]

Yeah I have been, I've been trying to figure out a way to Powershell it like I did with inactive accounts and users but that Quest stuff seems out of date and the new version of powershell seems to have changed enough for most of the blogs out there to not be accurate.

Get-Command, Get-Member, and Get-Help are your friends : )

Get-Command -Module ActiveDirectory #get all commands from AD module
Get-Command *group* #get all commands with group in the name
Get-Help *group* | select Name, Synopsis | sort Name #Get the command name and synopsis for any command with *group* in the name.  Filter by Category if needed (e.g. not HelpFile to skip about_ files)
Get-Help Get-ADGroup -online #get most up to date help for Get-ADGroup command
Some-Command | Get-Member #get properties and methods for whatever Some-Command returns
Some-Command | Format-List -Property * #view properties from whatever Some-Command returns

I keep a list of PoSH resources here - will look for some AD references, just realized I don't have any in here!

Quest commands should still work. Definitely out of date, and I tend to run the native AD commands now, but when I need them I haven't had any issues with the Quest AD snapin.

 

[hawkbox]

I'm trying out the powergui they have now.

The big problem I'm running into is knowing what modifiers to use for filters, etc... there don't seem to be any examples that make sense to me for most of t.

 

[Cookie.Monster]

Was curious about our own groups : )

Get-QADGroup -Empty $true -SizeLimit 0 | Select-Object -ExpandProperty Name

Side note: If you're using Windows Management Framework 3 (inc. PowerShell 3), the PowerShell ISE is generally 'good enough'. I haven't touched PowerGUI or the other alternatives since.

On Topic: TIL some people still don't use Intellisense or tab completion in PS ISE. Was helping out a coworker yesterday and they would slowly type the entire command out. To make matters worse, they would misspell things throughout. Now I understand the complaints about the length of command names... They are, or have to deal with, folks who don't know how to use the interfaces they work with.

 

[hawkbox]

Cookie.Monster[/url]":cke854tn]Was curious about our own groups : )

Get-QADGroup -Empty $true -SizeLimit 0 | Select-Object -ExpandProperty Name

Side note: If you're using Windows Management Framework 3 (inc. PowerShell 3), the PowerShell ISE is generally 'good enough'. I haven't touched PowerGUI or the other alternatives since.

On Topic: TIL some people still don't use Intellisense or tab completion in PS ISE. Was helping out a coworker yesterday and they would slowly type the entire command out. To make matters worse, they would misspell things throughout. Now I understand the complaints about the length of command names... They are, or have to deal with, folks who don't know how to use the interfaces they work with.

That sounds like me.

 

[jshiplett]

TIL no overlapping VLAN IDs with disjoint layer 2 networks in Cisco UCS

 

[ronelson]

Yeah I have been, I've been trying to figure out a way to Powershell it like I did with inactive accounts and users but that Quest stuff seems out of date and the new version of powershell seems to have changed enough for most of the blogs out there to not be accurate.

Use the first answer, it uses Get-ADGroup, not Get-QADGroup. You're going to get a lot of built-ins but it's a place to start, tune it down with some selects, export as csv, load into excel, go.

Now I understand the complaints about the length of command names...

Or you have to type a lot of the command out for uniqueness, like "import-m<tab> active*". What's worse to me is when you don't know the command, you type import<tab> and it goes to Import-Aword, tab again to Import-Bword. Give me the fucking list. Is there a way to do that, like esc-\ on shitty nix shells?

 

[ronelson]

Hawkbox, just found this while bookmarked that PSH link from Cookie Monster, it might help: http://policelli.com/blog/archive/2011/ ... -topology/ Haven't used it myself, though.

 

[hawkbox]

ronelson[/url]"cyp7tov]Hawkbox, just found this while bookmarked that PSH link from Cookie Monster, it might help: http://policelli.com/blog/archive/2011/ ... -topology/ Haven't used it myself, though.

Thanks, I'll check that out.

And I thoroughly agree that a list would be great. ? doesn't work !? doesn't work -help doesn't work...

 

[dlp]

afidel[/url]":2x8ml42x]

dlp[/url]":2x8ml42x]

afidel[/url]":2x8ml42x]

dlp[/url]":2x8ml42x]TIL that if you change the CPU count of a Windows VM running on VMware, the CPU Usage % in task manager will cease to follow the rules of math.

If you close task manager and restart it it works (for 2008 R2 Enterprise at least). Note that existing processes will not schedule on the newly added processor (which can be a good thing at times like when you are trying to recover from a tight loop in an app that is making the machine unresponsive) so you will need to stop and restart an app/service if you want it to take advantage of the newly added resources.

Is that even if you do it with the VM shutdown? I don't have hot add in Essentials Plus (I don't think I do...).

Whenever there's any activity, usually the task manager will show system idle at 95% but CPU usage at 12% or something odd. I'm used to those numbers lining up usually.

That sounds like a precision/clock skew issue where you're getting different numbers reported at slightly different times shown on the screen at the same time. Do you have the VMWare tools installed? Also what is the CPU %RDY for the VM you are monitoring?

Yes to VMware tools.
%RDY seems steady at 0.20 to 0.21.

You may be right about it being a timing issue. When mostly idle, it seems accurate. I've just never noticed that before.

 

[Sulimo]

hawkbox[/url]":kx27cyln]

ronelson[/url]":kx27cyln]Hawkbox, just found this while bookmarked that PSH link from Cookie Monster, it might help: http://policelli.com/blog/archive/2011/ ... -topology/ Haven't used it myself, though.

Thanks, I'll check that out.

And I thoroughly agree that a list would be great. ? doesn't work !? doesn't work -help doesn't work...

ronelson[/url]":kx27cyln]

Yeah I have been, I've been trying to figure out a way to Powershell it like I did with inactive accounts and users but that Quest stuff seems out of date and the new version of powershell seems to have changed enough for most of the blogs out there to not be accurate.

Use the first answer, it uses Get-ADGroup, not Get-QADGroup. You're going to get a lot of built-ins but it's a place to start, tune it down with some selects, export as csv, load into excel, go.

Now I understand the complaints about the length of command names...

Or you have to type a lot of the command out for uniqueness, like "import-m<tab> active*". What's worse to me is when you don't know the command, you type import<tab> and it goes to Import-Aword, tab again to Import-Bword. Give me the fucking list. Is there a way to do that, like esc-\ on shitty nix shells?

To get a list of commands try this:

get-command import*

Replace Import with any Verb (or Noun) you need.

I should add, for nouns, you should probably use *<noun>, since powershell does verb-noun for commands.


You could also try these (the second one is just to illustrate how to get commands for particular nouns):

get-command -verb import

get-command -noun service

Just replace either import or service with the appripriate verb or noun, and you'll get all commands with the indicated verb or noun.

There is also a way to see what verbs are approved, then you can use this to find the commands associated with a particular verb.

get-verb *

 

[Danger Mouse]

hawkbox[/url]":3pl6hhg2]

ronelson[/url]":3pl6hhg2]Hawkbox, just found this while bookmarked that PSH link from Cookie Monster, it might help: http://policelli.com/blog/archive/2011/ ... -topology/ Haven't used it myself, though.

Thanks, I'll check that out.

And I thoroughly agree that a list would be great. ? doesn't work !? doesn't work -help doesn't work...

I think that's in some of the third party Powershell GUI development environments. Some are very interesting. That's one of the few articles from TechRepublic that I've found useful. They had screenshots and a few comparison bits.

 

[ronelson]

To get a list of commands try this:

Code:
get-command import*

This doesn't help when you've done "correctly-typed-command Shitload.Of.Options | uh-what-command-is-next<tab>". I just want tab completion that shows you the full list of options, rather than each tab swapping through the list. It's especially annoying when you went a letter too far and now have to backspace even further to get back to the level you wanted (i.e. get-ad<tab> populates to Get-ADAccountAuthorizationGroup and you really wanted get-ac which would have given you Get-Acl). Real tab completion pls, kthxbai!

 

[Danger Mouse]

Arbelac[/url]":3ab1da2o]

Big Wooly Mammoth[/url]":3ab1da2o]That is no longer the case with domains with a functional level of 2008 R2--maybe even 2008.

We do apply password policy at the domain level; everything else is by OU, site, etc., sometimes restricted by security group.
Loopback processing is also very helpful for applying user settings to specific sets of computers.

If you've got a link, that would be helpful. I can't find anything on MS's site about not creating PSO items and binding them to groups.

What does PSO stand for in this context?

---

GPP with item level targeting of security groups is very straight forward, so I'm going to assume you're not talking about that.

 

[Sulimo]

ronelson[/url]":2ud04m2b]

To get a list of commands try this:

Code:
get-command import*

This doesn't help when you've done "correctly-typed-command Shitload.Of.Options | uh-what-command-is-next<tab>". I just want tab completion that shows you the full list of options, rather than each tab swapping through the list. It's especially annoying when you went a letter too far and now have to backspace even further to get back to the level you wanted (i.e. get-ad<tab> populates to Get-ADAccountAuthorizationGroup and you really wanted get-ac which would have given you Get-Acl). Real tab completion pls, kthxbai!

Well, you could use the PowerShell ISE:

 

[Arbelac]

Danger Mouse[/url]":1j66f29o]

Arbelac[/url]":1j66f29o]

Big Wooly Mammoth[/url]":1j66f29o]That is no longer the case with domains with a functional level of 2008 R2--maybe even 2008.

We do apply password policy at the domain level; everything else is by OU, site, etc., sometimes restricted by security group.
Loopback processing is also very helpful for applying user settings to specific sets of computers.

If you've got a link, that would be helpful. I can't find anything on MS's site about not creating PSO items and binding them to groups.

What does PSO stand for in this context?

---

GPP with item level targeting of security groups is very straight forward, so I'm going to assume you're not talking about that.

Password Setting Object.

I've always used this guide: http://technet.microsoft.com/en-us/libr ... 10%29.aspx

If there's something new in 2008R2 or 2012 that doesn't require the manual configuration, I'm all ears...

 

[Cookie.Monster]

Sulimo[/url]":1pq1o1i1]

ronelson[/url]":1pq1o1i1]

Well, you could use the PowerShell ISE:

Once PowerShell 3 hit, I didn't touch the console. The ISE is far more flexible and helpful.

If you write many functions or modules, you can work with the ISE itself. Open-ISEFunction and Open-ISEFile are two of the more handy commands I use (open definition for a function or file in a new ISE tab).

ronelson - the co-worker I mentioned who was hand typing everything was in the ISE and had the commands and parameters he needed to type displayed below his cursor. The commands are a little longer than other languages, but I think the tools provided prevent this from being an issue, provided you know and use them.

 

[Danger Mouse]

Arbelac[/url]":7h48s8v1]

Danger Mouse[/url]":7h48s8v1]

Arbelac[/url]":7h48s8v1]

Big Wooly Mammoth[/url]":7h48s8v1]That is no longer the case with domains with a functional level of 2008 R2--maybe even 2008.

We do apply password policy at the domain level; everything else is by OU, site, etc., sometimes restricted by security group.
Loopback processing is also very helpful for applying user settings to specific sets of computers.

If you've got a link, that would be helpful. I can't find anything on MS's site about not creating PSO items and binding them to groups.

What does PSO stand for in this context?

---

GPP with item level targeting of security groups is very straight forward, so I'm going to assume you're not talking about that.

Password Setting Object.

I've always used this guide: http://technet.microsoft.com/en-us/libr ... 10%29.aspx

If there's something new in 2008R2 or 2012 that doesn't require the manual configuration, I'm all ears...

Thanks, that's very helpful. Looking at that link, I think that's the same one I used to adjust password policy on one of my two domains.

 

[Technarch]

Fulgan[/url]":xrobazew]TIL that, according to our maketing dep, our SaaS service has actually "migrated to a private vCloud infrastructure". I'm not sure what it means (if anything) but that's apparently how they translated "we moved from using our own servers to using VMs rented from an IaaS that uses VMWare and vCloud director".

Lost in translation indeed.

This is exactly why I enjoyed doing marketing on the side while acting as a sales engineer. Seriously, if I'm going to have to rewrite all the copy myself, I might as well just do it myself and save everyone some time and money. Beats the hell out of having a customer wave a piece of collateral in your face saying "but this clearly says you can host infinite virtuals on a single CPU partition!"

 

[flameboy]

Xon[/url]":11jfg0rf]Time limited trials are worthless if you are having to rebuild an entire domain enviroment to just play with an AD-integrated technology over time. Especially when it can't be as part of a full-time job, that trivially cuts down those 30 days to 180 days trials to a very short time before a rebuild is required.

I have been thinking about scripting a build for an entire domain with dummy users etc. Doesn't look too hard and it would be an interesting learning exercise.

 

[Cookie.Monster]

That folks still have trouble determining the appropriate page file size.

Had a server with 64 GB RAM set up with a static size page file, maybe 3 GB, and no crash dumps. More than enough for the page file, haven't seen peak commit ever match RAM. When some performance issues popped up, someone decided to increase the page file to 64 GB....

 

[PaveHawk-]

Xon[/url]":2kr0rw7m]

PaveHawk-[/url]":2kr0rw7m]Just before I go out for lunch, try it again and it worked. No idea what I did differently.

Where you using AD credentials rather than an SQL login? If so, my first stab would be cross-site AD replication lag.

gMSAs, and I gave it a week to replicate. Both servers are using the same credentials for this reason. I'm starting to wonder if it was a case of the Rackspace guys changing a config on the firewall whilst I was doing my work.

[edit]

Wow, I never played with the Powershell ISE - I've been using console, since I tend to memorise the commands I use. This is awesome.

 

[lwong]

We just started adding photos to our GAL and I discovered a great tool to make the head sizes consistent.

SNFaceCrop
http://deteksiwajah.blogspot.com/

It does face recognition on a photo and then automatically exports the detected face(s) to a separate file(s).

It also supports batch mode through command line arguments. This is what I ended up using:

SNFaceCrop.exe -d Cphotos -f *.* -ex 75 -ey 75

The -ex and -ey arguments specify how much the area of the detected face should extend.

Fortunately, HR already had the employee names in the filenames so I was able to easily resize and bulk import them into AD using the free Exclaimer Outlook Photos
http://www.exclaimer.com/outlook-photos.

I'm really happy with the results and how easy this was to do.

 

[ronelson]

Wow, I never played with the Powershell ISE - I've been using console, since I tend to memorise the commands I use. This is awesome.

I'm liking it. Still doesn't resolve all of my issues with tab completion, but it resolves plenty of others. Now, if only cross-domain auth wasn't such a pain in the ass...

 

[jshiplett]

Cookie.Monster[/url]":25wnyhl8]That folks still have trouble determining the appropriate page file size.

Had a server with 64 GB RAM set up with a static size page file, maybe 3 GB, and no crash dumps. More than enough for the page file, haven't seen peak commit ever match RAM. When some performance issues popped up, someone decided to increase the page file to 64 GB....

Lol. My last job they were still doing 1.5x physical memory for page file... even on 144GB boxes. There was no talking the powers that be out of it, either.

 

[Matt Wallis]

euri[/url]":1cabhupk]

Cookie.Monster[/url]":1cabhupk]That folks still have trouble determining the appropriate page file size.

Had a server with 64 GB RAM set up with a static size page file, maybe 3 GB, and no crash dumps. More than enough for the page file, haven't seen peak commit ever match RAM. When some performance issues popped up, someone decided to increase the page file to 64 GB....

Lol. My last job they were still doing 1.5x physical memory for page file... even on 144GB boxes. There was no talking the powers that be out of it, either.

Had similar issues with users of a Windows HPC wanting me to allow the nodes to manage their own memory after I capped them at 8GB (48GB of RAM per node). I told them that if I was going to let them hit swap that hard, I was also going to replace all the Nehalem Xeon CPUs with 486s because obviously they weren't concerned with performance. They took another look at their code and figured out how to make it work without using up all the RAM, and realised a significant performance increase.

 

[Rick25]

That we've finally got a MS Technology Center in Toronto

 

[SomeHandleThatStartsWithS]

Rick25[/url]":29butvmf]That we've finally got a MS Technology Center in Toronto

About time..

 

[Entegy]

Canada's only full MS Store is in Toronto too.

 

[Toxic MeatLoaf]

The biggest thing that I learned today....lets see.
SCCM 2007 LIES!!!!

It's default report will throw up false positives.
I wouldn't object to this so much if I had known about it, but I have been basing decisions for the last month on the, now wrong, assumption that Microsoft's own management server could inventory Microsoft software properly.