Configure a login banner or disclaimer on a FortiGate for Terminal and HTTP admin logins

If like me you work in an environment where you have people who are attempting to circumvent your network security it helps to have a banner or disclaimer to warn them about the trouble they will get into if they’re caught. By default when you attempt to login to a FortiGate there is no warning message or login banner.

To enable the banner or disclaimer on a FortiGate (there is both a pre and post login disclaimer you can use) we firstly need to log into the CLI of the FortiGate and enter the following commands to enable the banner. You can substitute pre with post if you wish;

FG621B # config system global
FG621B (global) # set pre-login-banner enable
FG621B (global) # end

Now log into the web ui of FortiOS and go into System > Config > Replacement Messages once there we need to switch to the extended view and the login banners should be at the top of the list, you can edit the default message if you wish, once done click on Save.

Once you try and get the FortiGate via Terminal or Web Management you should get prompted with the Disclaimer message.

How to Configure SNTP/NTP Time Source on HP ProCurve MSM 765zl Wireless Mobility Controller

I was recently investigating authentication methods for our Wireless system and wanted to test out Active Directory.  Basically, the controller would be checking directly with Active Directory if clients should be allowed to access our Wireless network.  After we started configuring Active Directory Authentication we noticed that the time on our MSM controller was off, going under Management -> Time only shows the time on the controller.  After a bit of Google Fu we found that the MSM Controller will get the time off the zl Chassis it is plugged into but you need to be on or higher.

The below configuration is an example of logging into the MSM zl Module itself and configuring the time, you can also do this directly on your zl Chasis in config mode and using the NTP commands below.

First thing we need to do is find where our MSM module is installed on our zl chasis, we can do this by issuing the below command which outputs the below.

CoreSwitch(config)# show services
                Installed Services
 Slot   Index Description              Name
 B  1. Services zl Module              services-module
 B  2. HP ProCurve MSM765 zl Int-Ctlr  msm765-application

Okay, so now we know where the MSM module is, let’s log into it and get into configuration mode of the zl module by issuing the below commands.

CoreSwitch(config)# services  B 2
CoreSwitch(msm765-application-B)> enable
CoreSwitch(msm765-application-B)# conf

And finally, we need to configure the NTP settings by configuring NTP, using the SNTP protocol and pointing it to an NTP server, which in our case was a Server 2008 R2 PDC.

CoreSwitch(msm765-application-B)(config)# ntp protocol sntp
CoreSwitch(config)# ntp server 1
CoreSwitch(config)# ntp server

Setting item level (Calendar, Tasks etc) permissions for Mailboxes and Users with PowerShell for Exchange 2007, 2010 and 2013

Every so often I get a request to allow people to view someone else’s calendar. Usually I just tell that person to go and ask whom ever the calendar belongs to, to give them permission. This isn’t always possible though as on a few occasions where I’ve had to give access because that other person is away.

With mailboxes you can use the management tools to give access rights, but what if I just want to give the, access to a calendar or tasks for example. This is where the exchange PowerShell console comes in. I can give a user Permission to a particular object. So for example I wanted to give user1 permission to edit manager 1’s calendar, I would do the following

Add-MailboxFolderPermission -identity manager1:\Calendar
-user user1 -accessrights Editor

You can use the following on all of the Outlook Exchanged based folders like so replacing <User> with the identity of the mailbox with the object you want to modify the permissions of and <delegate_user> with the username of the person of who you are giving permission to;

Add-MailboxFolderPermission &lt;User&gt;:\Calendar -User &lt;delegate_user&gt; -AccessRights Editor
Add-MailboxFolderPermission &lt;User&gt;:\Tasks -User &lt;delegate_user&gt; -AccessRights None
Add-MailboxFolderPermission &lt;User&gt;:\Inbox -User &lt;delegate_user&gt; -AccessRights None
Add-MailboxFolderPermission &lt;User&gt;:\Contacts -User &lt;delegate_user&gt; -AccessRights None
Add-MailboxFolderPermission &lt;User&gt;:\Notes -User &lt;delegate_user&gt; -AccessRights None
Add-MailboxFolderPermission &lt;User&gt;:\Journal -User &lt;delegate_user&gt; -AccessRights None

You can also quickly check who has access to an object (like a calendar) by using the following cmdlet, again replacing <user> with the identity of the mailbox;

get-mailboxfolderpermission -identity &lt;user&gt;:\Calendar

Hope that helps someone.

Migrating your whole RADIUS configuration (IAS) from Server 2003 to Server 2012 (NPS)

npsI was recently migrating an environment that ran two 2003 servers to two 2012 R2 servers. One of the challenges of migrations is ensuring there is as little disruption as possible, whether it is during business hours or not. This organization had a single RADIUS server controlling access to their 300+ users for Wireless and Remote Access.

One of the useful tools nestled away in the 2008 R2 / 2012 installation media is a tool called IASmigrader.exe. This invaluable little tool can easily migrate the entire IAS / RAdius configuration from Server 2003 and allow me to import it into NPS (better than mucking around with netsh and then manually editing text files). Fine the executable you need in :\sources\dlmanifests\microsoft-windows-iasserver-migplugin\, copy this onto the source machine where IAS is. Once there, open a command prompt and type iasmigreader.exe relative to where you copied it.

Once ran, the tool will export the configuration to %windir%\system32\ias\ias.txt, copy this file across to your new NPS host and open up the NPS console, right click on NPS and select Import Configuration and browse to the text file (you will need to drop down the file type box) and import the configuration, I generally restart the NPS service for good measure. You can also run netsh nps import filename=”C:\migration\ias.txt” in an elevated command prompt.

Get the username of a person logged onto a computer remotely using PowerShell and WMI

So recently I was out visiting a customer who had issues with someone hammering their internet.  We enabled netflow on their Cisco router to do a show top-talkers.  Once we got an IP address we were able to find the machine, but not who.  So I quickly entered the following into PowerShell and got the person we were after (change COMPUTERNAME to the target machine name).

Get-WmiObject Win32_ComputerSystem -ComputerName "COMPUTERNAME" |
Select-Object -ExpandProperty UserName

You will need to have admin rights on the target machine for the above to work.

Another way you can do it is to use wmic to achieve the same result, enter the below into a command prompt window, changing COMPUTERNAME to the target machine;

wmic.exe /node:COMPUTERNAME computersystem get username

Hope that helps someone out.

Wireless Projection / Miracast option disappears from Microsoft Surface Pro 3 / Windows 8.1 after joining a Active Directory Domain

We recently deployed some Microsoft Surface Pro 3s (love these devices) for our Executive team along with some new equipment in meeting / board rooms with Wireless Display capabilities. During testing with my personal SP3 (not domain joined) the wireless display worked a treat, so I expected it to work fine on the ones we would be deploying.

After about a week, one of the managers shot me an e-mail saying he couldn’t see the option for wireless display, that night he had performed a reset of the device, came in and had the option, but once we joined it back to the domain, it disappeared. I started digging around Group Policy to see what was causing it to disappear and found that these devices were getting an old “XP” based Wireless Network Policy.  I upgraded the policy which then gave us some extra options, including allowing / disallowing Wi-Fi Direct.upgraded policy

Computer Configuration > Policies > Windows Settings >Security Settings > Wireless Network (IEEE 802.11) Policies

The setting Don’t allow Wi-Fi Direct groups which needs to be disabled can be found under the “Network Permissions” tab. From what I can see, any Wireless policy configured for XP doesn’t have this option and a machine will simply disallow it.

How is Miracast or WiDi related to Wi-Fi Direct?  Well basically Wi-Fi Direct allows devices to connect directly to each other, without the need for a Wi-Fi AP, which is exactly what your surface is doing when attempting to stream the display straight to a TV / Projector.

Once we had this option turned off, ran a gpupdate on the machine and viola, wireless display showed up and began working.


How to Fix being unable to add, edit or delete domain controllers in the Domain Controllers Computer Set on Microsoft TMG or ISA 2006

TMG-EditSystemPolicyThere seems to be a bug in Microsoft’s TMG (Threat Management Gateway) / ISA 2006 (Internet Security and Acceleration Server) that once installed and configured, prevents an administrator from modifying the entries in the Domain Controllers Computer Set.  This Computer set is used in a number of System Policies and if you ever do an IP address change of a DC contained in this group (which is what I needed to do), it needs to be changed for things to continue to function correctly.  Firstly, we will need to get into the Registry to verify the GUID of the Computer Set (be default it is generally {F77C3B63-0DD8-440B-9921-A9341533A9C6}).  Navigate to HKLM\Software\Microsoft\Fpc\Storage\Array-Root\Arrays\{GUID}\RuleElements\ComputerSets and find the Domain Controllers computer set and note down the GUID.

Now we need to start-up ADSI Edit on the TMG / ISA machine.  Connect to localhost on port 2171 with the Naming Context CN=FPC2. Expand to the following CN=FPC2, CN=Array-Root, CN=Arrays, CN={3E5A92A0-0C54-4BD5-A8EB-1A0F1E77FF79}, CN=RuleElements, CN=ComputerSets.  Locate the GUID we found before and right-click and select properties.  Now under the Attribute Editor find msFPCPrefined attribute and set it from True to False.

Restart the TMG / ISA Console (no need to restart any services) and you should now be able to go into the Domain Controllers Computer Set and perform changes as required.

Default printer changes after Terminal Server (or print spooler service) restart

Just a quick post today.  I was troubleshooting an issue where a user would set a default network printer (say Printer01) in their user profile, upon a server restart (which happens nightly) their printer would be set back to the Adobe PDF local printer.  After going through event logs and some basic troubleshooting through Group Policy I quickly came to the conclusion that this was more of a user profile issue than a deployment one.

After a bit of Google-foo, I found that Windows stored user based printer connection details in the registry under HKEY_USERS\<user SID here>\Printers\Connections.  It also stored local settings for each printer under HKEY_USERS\<user SID here>\Printers\Settings.  I went through the printer keys under each registry key and found printers that no longer existed.

Simply deleting printers that were no longer available let the user set a default printer and the setting stayed after a server or print spooler service reboot.

How to protect all existing Organizational Units (OUs) in your Active Directory domain from Accidental Deletion by using PowerShell

We recently took on a new hire, although I was confident in their ability in managing Active Directory I wanted to take an extra step in protecting Organizational units from deletion.  I was sure that I could do this quickly using PowerShell instead of right-clicking each of our 80 odd OUs and going into their properties.

To do this we need to open the Active Directory Module for Windows PowerShell as an administrator.  Since I began in my System Admin role, I was creating OUs that were protected, so I only really needed to do this to the ones that were already here.  So first we need to work out what OUs are not protected from this list using PowerShell I can easily pipe it into the command we need to issue to protect the OUs

The first command below will output a list of all OUs currently not protected.

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | 
where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft

This command does the above but also sets the ProtectedFromAccidtenalDeletion to True.

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | 
where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit 
-ProtectedFromAccidentalDeletion $true

Once this command is issued, all the Organizational Units in our Active Directory have become protected and should help prevent you from getting into those sticky situations where someone (could be you) from deleting one by mistake.

Remove all disabled user from an Active Directory Group with Power Shell using Quest Active Roles AD Management

The following code snippet which I ran through PowerShell ISE (learn how to get it on Windows Server) will remove all disabled users from a particular group.  Useful for the end of year / start of year clean up in a school environment.

You will need the ActiveRoles Management Shell for Active Directory, available by clicking here which were made by Quest Software, now DELL.

Add-PSSnapin Quest.ActiveRoles.ADManagement

Get-QADGroup -SearchRoot "" | Foreach-Object {
     $group = $_
     Get-QADGroupMember -Identity $group -Disabled -Type User | Foreach-Object{
         Write-Host "Removing '$($_.Name)' from group '$group'" -Foreground Green
         Remove-QADGroupMember -Identity $group -Member $_ 

Swap out with a distinguished name of the group you want to remove disabled users from.  Once you execute it, it will run through the group and remove any user objects that are disabled.