Using Workgroup Manager on Mac OS X Server to set the homepage for a group of Macs in your Apple environment

So my first post about managing Macs.  We have a lab of them, not a large amount but it would take a considerable amount of time to log onto each one and change the settings on each one (which we’ve done in the past mind you).  So to add to the blog I will also share every now and then tips and tricks on performing administration tasks on Macs.  So let’s begin. Today I’m going to show you how to go about setting a homepage for the browser (typically safari) on your Mac environment from Workgroup manager (this works like Group Policy on windows in concept but is a little different under the hood).

So first off we need to add in some extra features to Workgroup Manager. Why these aren’t included to begin with is beyond me, but alas, it’s easy once you know what to do. Start-up Workgroup Manager, click on the preferences tab, click on the details tab and at the bottom left click on the Plus button.  This will load up an add dialog, we need navigate to /System/Library/CoreServices and under this path find and select ManagedClient.app and add this to the Workgroup Manager.

So now how do we go about setting the home page.  Under the Details pane, click Internet Configuration.  Now select the Pen button towards the bottom and click to highlight the Always line.  Now we want to add a new key so click the New Key button at the top and select Home Page. Simply enter the desired location and click add.

How to convert Hex Colour Codes into RGB Colour Codes using PHP

I was recently working on a web based piece of software that had some colour settings stored in a database table which were stored as hexadecimal colour code values. I needed a quick way to convert them into RGB (Red, Green, Blue) values so that I could use them in creating an image using PHPs builtin GD so after a quick search on Google found nothing that I was really after I decided to write my own. The difficulty was that colours were inputted by both other developers and a jQuery colour picker which meant that there was a mix of both shorthand and standard hexadecimal colour codes. I get past this little hiccup by simply counting the length of the hex string and running either a bitwise operation or a hexadecimal conversion. Anyway onto the function.

Firstly, we need to define the function.  We will have two variables, one being the actual hexadecimal colour code and the other whether we wish to return as a String or Array.

function hex2RGB($hexStr, $returnAsString = false) {
    $hexStr = preg_replace("/[^0-9A-Fa-f]/", '', $hexStr);
    $rgbArray = array();

After this we simply grab the variable of the function which should be our Hex colour code and check the length.  If the length is 6 then we are able to use PHPs bitwise operators to quickly convert the colour codes into the RGB values we are after. Using bitwise operators results in lower overhead and therefore leads to a faster output.

    if (strlen($hexStr) == 6) { // Proper Hex convert using bitwise operation
        $colorVal = hexdec($hexStr);
        $rgbArray['red'] = 0xFF & ($colorVal >> 0x10);
        $rgbArray['green'] = 0xFF & ($colorVal >> 0x8);
        $rgbArray['blue'] = 0xFF & $colorVal;
    }

Or if it is a shorthand hex colour code (ie: #FFF) then we can perform manipulation on the string to first extend it and then perform a conversion.

elseif (strlen($hexStr) == 3) { // If shorthand perform string manipulations
        $rgbArray['red'] = hexdec(str_repeat(substr($hexStr, 0, 1), 2));
        $rgbArray['green'] = hexdec(str_repeat(substr($hexStr, 1, 1), 2));
        $rgbArray['blue'] = hexdec(str_repeat(substr($hexStr, 2, 1), 2));
    }

or else if our string matches neither of the above then return nothing (false).

else {
        return false; // Invalid hex color code
    }

Now that we have our converted code, we need to return it back to what called for the code with the following in either an array or as a string.

    // Returns the rgb string or the associative array as specified
    return $returnAsString ? implode(",", $rgbArray) : $rgbArray;
}

We can call the above function in two ways

hex2RGB(“#FF0”) would output array( red =>255, green => 255, blue => 0)
or
hex2RGB(“#FF0”, true) would output 255,255,0

So there we have a completed function to convert hex colour values into RGB.

Visio Shape packs for HP, Aruba, IBM and Other Vendors and Products, great for use in technical documentation

Just a quick one today.  I was in the middle of documenting some of our storage and server setups and wanted some more accurate shapes for our HP Storage arrays and Servers and stumbled upon Visiocafe who have a treasure trove of shapes for Visio 2003, 2007 and 2010. I’ve been using the HP ones and can I tell you that they are VERY accurate. If you are after HP Shapes (for networking, storage, SANs and Servers) visit http://www.visiocafe.ca/hp.htm

Applying inherit rights (inheritable) for permissions to a large number of Active Directory objects

I was recently involved in a project to help secure a School’s Active Directory environment.  After sitting down and planning what we wanted to achieve in terms of account security we went to work.  After setting up all of the IT based security groups and assigning and delegating the appropriate rights and permissions we found that somethings wern’t working as they should.  The permissions gave us the rights to do what we needed on the Student user objects but not on the staff.  After taking a quick look we found that the majority of Staff didn’t have their inherit permissions from parent ticked, which prevented the delegation from flowing through to these user objects.

Looking at PowerShell there are Get-ADUser and Set-ADUser which allow us to get and set certain properties on user objects but still didn’t allow us to set inherit rights on objects.  I then happened to stumble upon a management pack of PowerShell scripts from Quest Software which are available from this link. The pack contains some useful scripts which extend on the original Microsoft provided scripts.  The pack also contains a PowerShell cmdlet dealing specifically with Object Security which is what we are after. So I went ahead and downloaded the 64 bit version to one of the domain controllers (after testing it out myself) and worked out we needed to filter for users who didn’t have the inherit permissions enable. The following is a snippet which will list all of the users in your AD environment with inherit permissions disabled (watch the word wrap):

Get-QADUser -SizeLimit 0 |
Where-Object {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected}

If you are after a particular Organizational Unit simply replace -SizeLimit 0 with -SearchRoot ‘Distinguished name of OU’.

Now we are able to find the users, but what about setting the inherit right.  Using the ObjectSecurity cmdlet we can now set the Inheritance flag. So the following is the complete command to run on l (again, watch the word wrap):

get-QADUser -SearchRoot 'Distinguished Name of OU' |
Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected} |
Set-QADObjectSecurity -UnLockInheritance

After running that cmdlet on the offending User Objects, we were then able to successfully do what the security groups allowed us to do. I still need to go back and check out what else the pack from Quest can do as I looked quite interesting so I will be sure to blog about my findings.

When viewing Public Folders in Outlook you recieve the following error, Cannot expand the folder. Microsoft Exchange is not available.

So there have been quite a few posts about Exchange 2010 lately, I guess it’s mainly because that has been my focus for the last few months at my current job. So here is another one regarding an error message when you try to access public folders in outlook and how to fix it.

We were receiving calls that users were unable to access their public folders (which contains our global calendar) We were able to replicate the issue on our own accounts and received the following message.

Cannot expand the folder. Microsoft Exchange is not available.
Either there are network problems or the Exchange server is down
for maintenance. (/o=First Organization/ou=Exchange
Administrative Group (DOMAIN)/cn=Configuration/cn=Servers/cn=SERVERNAME

So we quickly remoted into our server which published our Public Folders, started the public folder tool and could see them all there, also running the get-publicfolder PowerShell cmdlet ran and listed all of the available public folders.  I then decided to take a quick look at the services which were running.

Public Folders are pushed to Outlook clients via Microsoft Exhcnage RPC Client Access Service, and if stopped you are unable to browse for public folders and get the above error.  In our case we were able to simply start the Service and the Public Folders were vieable in Outlook again.  I’ve heard of some isntances where the service no longer starts, if that is the case then you may need to check on permissions in the Bin folder inside Exchange.

 

Browsing to Companyweb May Fail with HTTP Error 503 on SBS 2011 Standard after installing an Exchange 2010 update rollup

I was recently updating a client’s SBS Server and after giving it a restart I wasn’t able to browse their SharePoint 2010 site. After having a quick look at IIS I could see the SharePoint Application pool was stopped, so I started it up and after about 10 seconds, it stopped. So I went and looked in the Event Log and found the following error in the Application Event Log:

Log Name: Application
Source: Microsoft-Windows-User Profiles General
Event ID: 1509
Level: Warning
User: DOMAIN\spwebapp
Computer: SBSSERVER.domain.local

Description:
Windows cannot copy file C:\Users\Default\AppData\Local\Microsoft\Exchange Server\v14\Configuration5212_100.sqm to location C:\Users\TEMP.DOMAIN\AppData\Local\Microsoft\Exchange Server\v14\Configuration5212_100.sqm. This error may be caused by network problems or insufficient security rights.

To fix the issue, we need to fix the permissions of the folder stated in the event log error above. We can do that by opening up Windows Explorer to the following location C:\Users\Default\AppData\Local\Microsoft\Exchange Server\v14. and then for each file in this folder identified in the matching event (Configuration5212_100.sqm in the error above), open its Properties and select the security tab. Then click Advanced and click on the Continue button to allow us to change the properties on the current window.  We then simply want to enable Inheritable permissions from this object’s parent.

This issue was caused by being a part of the Customer Experience Improvement Program which is what the SQM files are part of, for Exchange 2010 and subsequently installing an Exchange update rollup using automatic updates, in my case it was Update Rollup 5 for Exchange Server 2010 Service Pack 1 (KB2582113).

Exchange Management Console not setting Permissions for Receive Connectors, fixing 5.7.1 Client was not authenticated issues with inbound e-mails

I was recently helping out on a migration from Exchange 2003 to Exchange 2010. The organisation was moving from two servers, a front end and back end server to four with two Mailbox servers running in a DAG (Database Availability Group) configuration and two Client Access Servers in an array and along with Hub Transport roles on the two CAS Servers.  They had been running their Exchange 2003 server for a while with routing connectors setup so the 2003 machine was handling all of the external mail and it had finally come time to decommission the old server and tell the firewall to push e-mail to the two new Hub Transport servers.

By default, Exchange 2010 sets up two connectors, one Client SERVERNAME and Default SERVERNAME with the default connector handling your external e-mail. For external servers to connect to the connector we need to enable anonymous authentication for the connector. So we went ahead, opened up the connector and ensured the Anonymous was ticked, clicked apply for good measure and then Ok. After using telnet to remotely connect to the e-mail server (via 3G) we recieved a Client not autenticated message after giving it the mail from command. So it was clear to me that the EMC (Exchange Management Console) wasn’t saving the authentication settings. So we resorted to powershell to configure the connector. I opened up the Exchange Management Shell and issued the following command

Get-ReceiveConnector -identity "Default SERVERNAME" | list

The list contained everything that was ticked bar the Anonymous that we had just enabled. So we decided to run a Set command to update the permissions list for the Default connector. I issued the following command with SERVERNAME being the name of the Exchange Server hosting the connector

Set-ReceiveConnector "Default SERVERNAME" -PermissionGroups:
"ExchangeUsers, ExchangeServers, ExchangeLegacyServers, AnonymousUsers"

We then ran the Get command again and the Anonymous entry was listed. So after a few minutes we used 3G and telnet to connect back into the e-mail server and after getting passed the mail from command we were relieved that the issued was resolved and that the servers could now accept incomming external e-mail. Microsoft have a good article up on Tech Net regarding Exchange 2010 and the Receive connectors (as well as the defaults Exchange setup creates) at the following article Understanding Receive Connectors.

Note that you won’t recieve this issue if your transport server is an Edge transport server as Exchange setup automatically configures the connectors for external connections.

Using the Google Maps API with PHP to display a Map and place a Marker on the map using Geocoding

So I was recently developing a new feature for a client’s website where we wanted to display an interactive Google Map with the address of a particular item (in this case a customer) along with a marker to show where it was on the map. So I set about looking around on the Internet for some information, not coming up with a lot apart from Google’s own API Documentation. So I decided to piece a few things together with what I already knew and make my own little script to do what I wanted.

The following code is quite crude, but should get you started on the right foot. I will eventually update this stuff to use the v3 of the API but since Google is still supporting v2, why bother. So first off is building the address we are going to use to query Google, which is the following code:

define("MAPS_HOST", "maps.google.com");
define("KEY", "abcdefg"); // Place your API Key here...
// Get our address (from a database query or POST
$address = "100+Flinders+Street+Melbourne+VIC+3000";
// Build our URL from the above...
$base_url = "http://" . MAPS_HOST . "/maps/geo?q=" . $address . "&output=csv" . "&key=" . KEY;

So we now have the URL to query google and you can actually paste that into your web browser and you will get an output similar to:

200,8,-37.8161165,144.9714606

So now lets move on to getting PHP to actually process the URL and get us some location data. I decided to use CURL simply because it is quick and simple (was rushing to get this together). So the following code basically initialises CURL and will retrieve the data from URL and save into our $csvPosition.

// Initalise CURL
$c = curl_init();
// Get the URL and save the Data
curl_setopt($c, CURLOPT_URL, $base_url);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
// Save location data
$csvPosition = trim(curl_exec($c));
// Close the connection
curl_close($c);

You will probably want to add some error checking here just in-case your server can’t reach the URL.

The final piece of PHP will spilt the result, which was requested and returned in CSV format into a variables as defined by the following line of code:

// Split pieces of data by the comma that separates them
list($httpcode,$elev, $lat, $long) = split(",", $csvPosition);

Now that we have performed the Geocoding of the address and have it split up and ready, we can create our map.  So firstly we need to include the Google Maps API with the following HTML:

<script type="text/javascript"
    src="https://maps.googleapis.com/maps/api/js?sensor=false">
</script>

With the API included we can now build the map, with PHP giving us our Latitude and Longitude values by querying the Geocoding Web Service previously with CURL which we have done previously. So we initalise the API, build our Map with some basic settings like Zoom and Drop in a marker with the Latitude and Longitude provided by the Geocoding.

  function initialize() {
    var latlng = new google.maps.LatLng(<?php echo $lat; ?>, <?php echo $long; ?>);
    var addressMarker = new google.maps.LatLng(<?php echo $lat; ?>, <?php echo $long; ?>);
    var myOptions = {
      zoom: 16,
      center: latlng,
      mapTypeId: google.maps.MapTypeId.ROADMAP
    };
    var map = new google.maps.Map(document.getElementById("map_canvas"),
        myOptions);

	marker = new google.maps.Marker({ map:map, position: addressMarker });
  }

We are placing the Latitude and Longitude we retrieved with CURL from the Google Maps Geocoding service into the JavaScript function above with the variables $lat and $long. Now we have those functions in place, we can create a div in the body of the page to display our map. In this case called map_canvas. I have already defined a style to limit the width and height to 512 pixels. So we want to insert a body onload event with the following line of code, so insert this into your body tag.

onload="initialize()"

and as well we need to insert our div map_canvas so the previously defined JavaScript can actually draw a map. So create a Div layer with id map_canvas.

And that is about it. You should now be able to see a map with a red marker in the center with the address we specified being marked.  It’s location being determined by Google’s Geocoding and Google Maps API and sorted with the help of PHP. This could easily be improved by making the marker click-able and storing data on it. Adding multiple markers, animations and customising the map view itself.

To view a demo of the completed script, click here.

Update: You can also Download the complete sample by clicking here.

Thoroughly cleaning up a WSUS server

I was recently tasked with performing a clean-up of some of our servers, removing old files/software installations as well as a clean-up of our WSUS server.  After a quick look I could see that our previous administrator had set it to download Driver updates as well, which was taking up quite a large amount of space and something that we wern’t really looking at using (no driver updates were approved).

So I ran the WSUS clean-up wizard, which removed some old computers, but the driver updates remained. I wanted them gone.  So I quickly made sure that driver updates category wasn’t selected and ran the following PowerShell script on the WSUS machine.

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$cleanupScope = new-object Microsoft.UpdateServices.Administration.CleanupScope;
$cleanupScope.DeclineSupersededUpdates = $true
$cleanupScope.DeclineExpiredUpdates         = $true
$cleanupScope.CleanupObsoleteUpdates     = $true
$cleanupScope.CompressUpdates                  = $true
#$cleanupScope.CleanupObsoleteComputers = $true
$cleanupScope.CleanupUnneededContentFiles = $true
$cleanupManager = $wsus.GetCleanupManager();
$cleanupManager.PerformCleanup($cleanupScope);

This script took about an hour to run but worked like a charm. It basically cleaned up the whole WSUS database, removing old computers, obsolete and unneeded updates (including the drivers I no longer wanted) as well as removing the associated update files which cleaned up a lot of space. The script above is modified so as not to remove computers from the database but that can be simply uncommented and included in the script.

Let me know in the comments if you found this useful.

Procurve Switches and Windows Network Load Balancing in Multicast Mode causing high collision and drop rates

Over the last few days we have been looking at getting a Client Access Array going for our Exchange 2010 setup for basic redundancy and load balancing. I thought I would outline an issue we discovered with using Windows Network Load Balancing in a HP switching environment.

The first is whether to use Unicast or Multicast modes for the NLB Traffic. It is important to remember that Exchange does not care if you use Unicast or Multicast and is entirely dependent on your switching environment. At first we were confused as to which to choose due to the myriad of documentation suggesting either protocol. So we decided to give multicast a go.

After a few minutes our core switch (an 8212zl) started dropping packets for our services VLAN. We shut off the NLB and everything had returned to normal.  After a bit of digging we found that ProCurve switches are not compatible with multicast mode NLB due to their inability to have static ARP tables (they can only cache). But this can be remedied somewhat by issuing the following command on some models of switches:

ProCurve(config)# ip arp-mcast-replies

The command is supported on HP ProCurve E8200zl series, E5400zl series, E3500yl series, E6600 series and E6200yl series switches support Microsoft Windows NLB in Multicast mode.  Simply ensure that these switches are running K.15.03.0007 or greater firmware.