Admin SVC Error when trying to install SharePoint solutions (WSP) and how to fix it

Short and sweet post about deploying SharePoint solutions. You usually do this by invoking Install-SPSolution in the SharePoint PowerShell, but sometimes you’ll get the following error:

Install-SPSolution: Admin SVC must be running in order to 
create deployment timer job

All you need to do is go to the Services section in Control Panel\System and Security\Administrative Tools, look for the service called SharePoint 2010 Administration and start it. You might also find that the service is set to manual start-up; you can optionally change it to automatic to make sure that the service is always available and ready. Simple, isn’t it!

Upgrading your current KMS Server (Server 2008 R2) to support Windows 8 and Server 2012 activation

If you’re in an enterprise environment, chances are that you have a KMS server running (usually either Windows 7 or Server 2008 R2). Now that Windows 8 and Server 2012 have hit VLSC for SA customers, you’ll most likely want to begin testing and performing pilot deployments, but first we need to get our Key Management Server to accept these new clients. If you try to activate the new KMS keys on an existing KMS host you will receive the following error message:

Error: 0xC004F050 The Software Licensing Service reported that the product 
key is invalid.

Thankfully for us, Microsoft has released an update that upgrades Windows 7 or Server 2008 R2 KMS hosts to support Windows 8 and Windows Server 2012; see the KB article (KB2691586). You will need to request the hotfix from the KB. Once downloaded, open up an elevated command prompt and execute the update (which acts as a Windows Update package). When it finishes installing you will need to restart your server.

Now that our server is back up, we need to replace the KMS Host key with one for 2012 or Windows 8.  Open an elevated command prompt and enter slmgr.vbs /upk which will show us Uninstalled product key successfully when complete.  Now we install our new key with slmgr.vbs /ipk product-key-here

You should now be presented with a product activated successfully window. You can also run slmgr.vbs /dlv and under description you should see VOLUME_KMS_2012. Now you can start to activate your new Windows 8 and Server 2012 clients.

Allowing anonymous relay on Exchange 2007/2010 on connectors for programs to send via SMTP using your Mail servers and how to secure it for internal use only.

I was recently helping out a colleague at another school as they were having difficulty in a specialised application sending e-mails to external addresses.  After a bit of investigating we found that the send connector configured for internet e-mail wasn’t allowing anonymous connections to it (which is dangerous) but since this particular application didn’t allow us to specify authentication details we were forced to enable anonymous relay for this connector.

I will first show you the PowerShell command that we used to grant the anonymous permissions for the connector that you specify:

Get-ReceiveConnector "Default SBSSERVER" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Now the above is really one command piped into another. First we specify a particular receive connector, in this case Default SBSSERVER (change this to reflect the connector you want to modify). We then give anonymous logons (anyone) the right that tells Exchange to accept any recipient.

Now as for securing this connector, I would strongly suggest creating a separate one for this particular application (for example Sales App Connector).  We then add incoming IP restrictions, by editing the properties of the receive connector and adding entries to Receive mail from remote servers that have these IP addresses using either specific IP addresses or IP ranges in CIDR notation (so 10.1.0.0/16).

And there you have it, allowing anonymous connections / relay for internal applications to use.
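The separate, IP-restricted connector suggested above, followed by a check of which receive connectors grant the relay right to anonymous senders. This is an added example, not code from the original post; the connector name is the post's example, while the server variable and the 10.1.20.15 address are assumptions to replace with your own values.

```powershell
# Added example for the Exchange Management Shell (2007/2010).
# $server and $appHost are placeholders (assumptions), not values from the post.
$server  = $env:COMPUTERNAME
$name    = 'Sales App Connector'
$appHost = '10.1.20.15'          # constructed: IP of the application server
$anon    = 'NT AUTHORITY\ANONYMOUS LOGON'
$right   = 'Ms-Exch-SMTP-Accept-Any-Recipient'

# 1. Dedicated connector that only answers the application host.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $appHost `
    -PermissionGroups AnonymousUsers

# 2. Grant the relay right on that connector only, not on the default one.
Get-ReceiveConnector "$server\$name" |
    Add-ADPermission -User $anon -ExtendedRights $right

# 3. Audit: every receive connector where anonymous senders may relay,
#    with the source ranges it accepts. A row that still lists the full
#    IPv4 range is an open relay for anything that can reach port 25.
Get-ReceiveConnector | ForEach-Object {
    $c = $_
    $grant = $c | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $right) }
    if ($grant) {
        $ranges = @($c.RemoteIPRanges | ForEach-Object { "$_" })
        New-Object PSObject -Property @{
            Connector      = "$($c.Identity)"
            RemoteIPRanges = $ranges -join ', '
            AnyIPv4Source  = ($ranges -contains '0.0.0.0-255.255.255.255')
        }
    }
} | Select-Object Connector, RemoteIPRanges, AnyIPv4Source
```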

Getting a list of users in Active Directory as well as their Logon Script using dsquery and dsget

So I’m preparing to do a clean-up of our NETLOGON/SYSVOL folder containing about 50 or so different logon scripts (plenty of which I know are no longer used). I wanted to create a list of all of our Active Directory users along with what logon script they were assigned (I could then feed this list into Excel and play around). I realised that I could get this information using dsquery, but how exactly do I build a query to get a logon script? The following command is what I used; I will then break it down for a better understanding.

dsquery user -name * -limit 0 | dsget user -display -loscr > C:\users_script.txt

So we’ve got our dsquery, which is really looking for AD object types of user with a name of anything, so basically ALL user objects in Active Directory (dsquery stops after 100 results by default, so -limit 0 removes that cap; you can specify a different number instead). We then pass this list to dsget, which uses it to obtain each object’s display name (with -display) and logon script (-loscr). I am then simply redirecting the output to a text file.

So that is a quick and easy way of getting a list of all users in AD along with their logon script.
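For the clean-up itself, the same list can be cross-referenced against what is actually in NETLOGON. This is an added example, not from the original post; it assumes the ActiveDirectory PowerShell module (Server 2008 R2 or RSAT) and that the share is reachable as \\domain\NETLOGON, and the output file names are placeholders.

```powershell
# Added example: which logon scripts in NETLOGON are assigned to nobody?
Import-Module ActiveDirectory
$netlogon = "\\$env:USERDNSDOMAIN\NETLOGON"    # assumption: default share path

# Same data as the dsquery/dsget pipeline, as CSV for Excel.
$users = Get-ADUser -Filter * -Properties DisplayName, scriptPath
$users | Select-Object SamAccountName, DisplayName, Enabled, scriptPath |
    Export-Csv C:\users_script.csv -NoTypeInformation

# Scripts assigned to at least one enabled account.
$inUse = @($users |
    Where-Object { $_.Enabled -and $_.scriptPath } |
    ForEach-Object { $_.scriptPath.ToLower() } |
    Sort-Object -Unique)

# Every file under NETLOGON, as a path relative to the share root,
# which is how the scriptPath attribute refers to it.
$root = (Get-Item $netlogon).FullName.TrimEnd('\')
$report = Get-ChildItem $netlogon -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        New-Object PSObject -Property @{
            Script        = $rel
            LastWriteTime = $_.LastWriteTime
            Assigned      = ($inUse -contains $rel.ToLower())
        }
    }

# Candidates for removal. A script can still be called from another
# script or from a GPO, so review the list before deleting anything.
$report | Where-Object { -not $_.Assigned } |
    Select-Object Script, LastWriteTime |
    Sort-Object LastWriteTime |
    Export-Csv C:\unassigned_scripts.csv -NoTypeInformation
```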

Installing the PowerShell ISE (Integrated Scripting Environment) on Windows Server 2008 R2

I was recently looking at modifying our SharePoint warm-up script as we had found out that it wasn’t working as it should be.  So I went to fire up the small but useful PowerShell ISE and found that it wasn’t available.  So there are two ways to go about getting it installed.

First off is running the Windows Add Feature under Server Manager.  You will find the Windows PowerShell ISE and be able to tick and install the feature.  The other method which is quite easy is to use PowerShell.

First off we need to import the ServerManager module into PowerShell and then we can go ahead and add the ISE feature.  The following snippet will do it all for you via PowerShell.

Import-Module ServerManager
Add-WindowsFeature PowerShell-ISE

And that is all you have to do to get the wonderful PowerShell ISE going under Windows Server. Hope that helps.

Deploying printers via Group Policy and getting them pushed out the right way as well as solving driver installation issues (0x80070bcb Specified printer driver was not found and needs to be downloaded)

So we recently upgraded our printing infrastructure with a whole new lot of printers and software (along with a shiny new version of PaperCut MF) and have implemented a global queue, better known as Follow Me Printing. So how do we go about pushing out all the new global printers to our users? Well, along with the 50 other projects we have on the go, one of them is a clean-up of our Group Policy, so after removing around 15 GPOs related to our old printers I got to work.

So for starters I’ve created a GPO which will contain all of our Follow Me Printing settings, including deploying the PaperCut Client and Global Queue Printers. In our environment we have a mix of Windows XP, Windows Vista and Windows 7 which will all handle printers being deployed via Group Policy differently (Microsoft make things so easy, don’t they).  For XP, things are simple, simply add the printer to be deployed either by user or computer preference under control panel > printers. For Vista and 7 however this is where it gets tricky.  If you are using a driver which has been loaded on the machine before, the printer will deploy, otherwise you will receive an error in the event log such as the following:

The user 'Printer Name Here' preference item in the 'Group Policy Object
{GUID-GOES-HERE}' Group Policy object did not apply because it failed with
error code '0x80070bcb The specified printer driver was not found on the system
and needs to be downloaded.' This error was suppressed.

This basically means that the client couldn’t download the driver, but the real reason is because of UAC and the computer not requesting permission to install a driver. Thankfully there is a Policy that we can enable that will allow us to set the permission requirements during printer driver installation.

Using the Point and Print Restrictions Policy we can enable printer driver installation without it getting hassled by UAC. Under Windows Vista it is a User Policy and on Windows 7 it is a Computer Policy (I have both enabled for good measure). So enable the Point and Print Restrictions Policy and change the following options:

  • When installing drivers for a new connection: Do not show warning or elevation prompt
  • When updating drivers for an existing connection: Show warning only

Once we have configured the Point and Print Restrictions Policy printers will download and install on any client computer that the Object is targeting.

Hope that helps a few people out when setting up and configuring their Group Policy Printer Distribution, any queries please comment.
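To confirm on a client what the policy actually applied, the values it writes to the registry can be read back. This is an added example, not part of the original post; it reads the policy's PointAndPrint registry key in both hives and also reports whether the suppressed prompt is limited to a list of approved print servers, a setting of the same policy that the post does not configure.

```powershell
# Added example: report the Point and Print Restrictions values on this machine.
# HKLM holds the Computer policy (Windows 7), HKCU the User policy (Vista).
$sub     = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$install = @{ 0 = 'Show warning and elevation prompt'
              1 = 'Do not show warning or elevation prompt' }
$update  = @{ 0 = 'Show warning and elevation prompt'
              1 = 'Show warning only'
              2 = 'Do not show warning or elevation prompt' }

function Get-Label($map, $value) {
    if ($value -eq $null) { return 'not set' }
    if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
    return "unknown ($value)"
}

function Get-PointAndPrintPolicy {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $p = Get-ItemProperty -Path "$hive\$sub" -ErrorAction SilentlyContinue
        if (-not $p) { continue }          # policy not configured in this hive
        $noPrompt = ($p.NoWarningNoElevationOnInstall -eq 1)
        $listed   = [bool](($p.TrustedServers -eq 1) -and $p.ServerList)
        New-Object PSObject -Property @{
            Hive             = $hive
            NewConnection    = (Get-Label $install $p.NoWarningNoElevationOnInstall)
            UpdateConnection = (Get-Label $update $p.UpdatePromptSettings)
            ApprovedServers  = $(if ($listed) { $p.ServerList } else { 'any server' })
            # Drivers install silently from any print server the user connects to.
            SilentFromAnySrv = ($noPrompt -and -not $listed)
        }
    }
}

Get-PointAndPrintPolicy |
    Select-Object Hive, NewConnection, UpdateConnection, ApprovedServers, SilentFromAnySrv |
    Format-List
```

A row with SilentFromAnySrv set to True means the no-prompt setting is not scoped to your own print servers; the policy's "Users can only point and print to these servers" option narrows it.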

Getting back the OneNote 2010 Printer by Installing a generic printer driver, and then configure it for Microsoft Office OneNote 2010

So we had a few users delete their OneNote printer from the Printers List in Windows.  OneNote is a great program and is bolstered by the use of the printer allowing you to push pretty much anything into OneNote. We ran an office repair but the printer didn’t actually return for our users, so I started looking at how the OneNote printer is configured and created a new instance of the printer.  The following is basically a walk through of installing and configuring a local printer for OneNote 2010 (also applies to OneNote 2007).

First off we need to install the generic printer driver in Windows. To do this, follow these steps:

  1. Click Start, type printers in the Start Search box, and then click Devices and Printers in the Programs list.
  2. On the left side of the page near the top, click Add a printer.
  3. In the Add Printer dialog box, click Add a local printer.
  4. Click to select the Use an existing port option, select the appropriate port, and then click Next. For example, you can select LPT1.
  5. Under Manufacturer, select Generic, select Generic / Text Only under Printers, and then click Next.
  6. If you receive a message about drivers, click to select the Use the driver that is currently installed (recommended) option, and then click Next.
  7. Click Next, and then click Finish.

So now how do we go about configuring this newly installed generic printer for use with OneNote? Follow these instructions:

  1. In the printer list, right-click the Generic / Text only printer, and then click Printer Properties.
  2. Click the Ports tab, and then click to select the Send To Microsoft OneNote Port check box.
  3. Click the Advanced Tab, select Send to Microsoft OneNote Driver in the Driver list, and then click Print Processor.
  4. Under Print processor, select winprint, select RAW under Default data type, and then click OK.
  5. Click the General tab, change the name of the printer to Send To OneNote 2010, and then click OK.

And now we can finally use the printer to submit pretty much anything to OneNote 2010.  We didn’t really learn why the Office repair didn’t re-add the printer as the research we found on the internet led us to believe that it would add the printer, but just in case it doesn’t you now know how to manually add it.

Applying inherit rights (inheritable) for permissions to a large number of Active Directory objects

I was recently involved in a project to help secure a School’s Active Directory environment. After sitting down and planning what we wanted to achieve in terms of account security we went to work. After setting up all of the IT based security groups and assigning and delegating the appropriate rights and permissions we found that some things weren’t working as they should. The permissions gave us the rights to do what we needed on the Student user objects but not on the staff. After taking a quick look we found that the majority of Staff didn’t have their inherit permissions from parent ticked, which prevented the delegation from flowing through to these user objects.

Looking at PowerShell there are Get-ADUser and Set-ADUser which allow us to get and set certain properties on user objects but still didn’t allow us to set inherit rights on objects. I then happened to stumble upon a management pack of PowerShell scripts from Quest Software. The pack contains some useful scripts which extend on the original Microsoft provided scripts. The pack also contains a PowerShell cmdlet dealing specifically with Object Security which is what we are after. So I went ahead and downloaded the 64 bit version to one of the domain controllers (after testing it out myself) and worked out we needed to filter for users who didn’t have the inherit permissions enabled. The following is a snippet which will list all of the users in your AD environment with inherit permissions disabled (watch the word wrap):

Get-QADUser -SizeLimit 0 |
Where-Object {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected}

If you are after a particular Organizational Unit simply replace -SizeLimit 0 with -SearchRoot 'Distinguished name of OU'.

Now we are able to find the users, but what about setting the inherit right? Using the ObjectSecurity cmdlet we can now set the Inheritance flag. So the following is the complete command to run on l (again, watch the word wrap):

get-QADUser -SearchRoot 'Distinguished Name of OU' |
Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected} |
Set-QADObjectSecurity -UnLockInheritance

After running that cmdlet on the offending User Objects, we were then able to successfully do what the security groups allowed us to do. I still need to go back and check out what else the pack from Quest can do as it looked quite interesting so I will be sure to blog about my findings.
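Before re-enabling inheritance in bulk, it helps to see which of the affected accounts carry adminCount = 1, because Active Directory protects those accounts' ACLs on purpose (AdminSDHolder) and will switch inheritance off again. This is an added example, not the post's code; it uses the Microsoft ActiveDirectory module instead of the Quest cmdlets, and the OU path and CSV file name are placeholders.

```powershell
# Added example: review protected ACLs first, change them only on request.
Import-Module ActiveDirectory
$searchBase = 'OU=Staff,DC=example,DC=local'   # placeholder OU (assumption)
$apply      = $false                           # set to $true to make changes

# Users whose ACL does not inherit from the parent container.
$protected = Get-ADUser -SearchBase $searchBase -Filter * `
        -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

# Review list for the change record.
$protected |
    Select-Object SamAccountName, DistinguishedName, adminCount |
    Sort-Object adminCount, SamAccountName |
    Export-Csv C:\protected_acl_users.csv -NoTypeInformation

# adminCount = 1 marks accounts that are, or once were, members of
# protected groups such as Domain Admins. Leave those for manual review:
# if they are still members, the directory re-protects the ACL anyway.
$targets = @($protected | Where-Object { $_.adminCount -ne 1 })
"{0} protected ACLs found, {1} without adminCount = 1" -f `
    @($protected).Count, $targets.Count

if ($apply) {
    foreach ($u in $targets) {
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # $false = not protected, i.e. inherit from the parent again.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}
```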

When viewing Public Folders in Outlook you receive the following error, Cannot expand the folder. Microsoft Exchange is not available.

So there have been quite a few posts about Exchange 2010 lately, I guess it’s mainly because that has been my focus for the last few months at my current job. So here is another one regarding an error message when you try to access public folders in Outlook and how to fix it.

We were receiving calls that users were unable to access their public folders (which contains our global calendar). We were able to replicate the issue on our own accounts and received the following message.

Cannot expand the folder. Microsoft Exchange is not available.
Either there are network problems or the Exchange server is down
for maintenance. (/o=First Organization/ou=Exchange
Administrative Group (DOMAIN)/cn=Configuration/cn=Servers/cn=SERVERNAME

So we quickly remoted into our server which published our Public Folders, started the public folder tool and could see them all there; running the Get-PublicFolder PowerShell cmdlet also listed all of the available public folders. I then decided to take a quick look at the services which were running.

Public Folders are pushed to Outlook clients via Microsoft Exchange RPC Client Access Service, and if stopped you are unable to browse for public folders and get the above error. In our case we were able to simply start the Service and the Public Folders were viewable in Outlook again. I’ve heard of some instances where the service no longer starts, if that is the case then you may need to check on permissions in the Bin folder inside Exchange.

 

Browsing to Companyweb May Fail with HTTP Error 503 on SBS 2011 Standard after installing an Exchange 2010 update rollup

I was recently updating a client’s SBS Server and after giving it a restart I wasn’t able to browse their SharePoint 2010 site. After having a quick look at IIS I could see the SharePoint Application pool was stopped, so I started it up and after about 10 seconds, it stopped. So I went and looked in the Event Log and found the following error in the Application Event Log:

Log Name: Application
Source: Microsoft-Windows-User Profiles General
Event ID: 1509
Level: Warning
User: DOMAIN\spwebapp
Computer: SBSSERVER.domain.local

Description:
Windows cannot copy file C:\Users\Default\AppData\Local\Microsoft\Exchange Server\v14\Configuration5212_100.sqm to location C:\Users\TEMP.DOMAIN\AppData\Local\Microsoft\Exchange Server\v14\Configuration5212_100.sqm. This error may be caused by network problems or insufficient security rights.

To fix the issue, we need to fix the permissions of the folder stated in the event log error above. Open Windows Explorer at the following location: C:\Users\Default\AppData\Local\Microsoft\Exchange Server\v14. Then, for each file in this folder identified in the matching event (Configuration5212_100.sqm in the error above), open its Properties and select the Security tab. Click Advanced and click the Continue button to allow us to change the properties on the current window. We then simply want to enable Inheritable permissions from this object’s parent.

This issue was caused by being a part of the Customer Experience Improvement Program for Exchange 2010 (which is what the SQM files are part of) and subsequently installing an Exchange update rollup using automatic updates; in my case it was Update Rollup 5 for Exchange Server 2010 Service Pack 1 (KB2582113).