Saturday, September 22, 2012

Filtering for $null Values with Get-ADUser

Get-ADUser includes a -Filter parameter that lets you define queries for users with specific characteristics. Today I was trying to figure out how to filter for $null values. Here is an example of why you might care to do this:

Let's say that in your organization you always set the Department attribute to match the department that users work in. This could be required for dynamic groups or address books. You've just created 100 new users, but forgot to configure the department. You need a query for all of the users without a department configured.

My first attempt was this:
Get-ADUser -Filter {company -eq $null}

However, this generates an error. You can't use $null in a filter.

What finally worked was this:
Get-ADUser -Filter {company -notlike "*"}

This gets a list of users where the company attribute is not like anything, that is, it has no value.

I should also note that if you try to query for not equal (-ne), it will skip $null values when comparing. The above example is the only way that I know of to get $null values.

Update Apr 2017:
A quick note that the corollary of the above is that when you want to query objects with any value set, you can filter for -like "*". I recently used this in a script where I only wanted users with values in the proxyAddresses property, which I then copied to the UPN.
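The three filter forms discussed above side by side, as an added example that is not from the original post. It assumes the ActiveDirectory module is loaded and uses a hypothetical OU and department name; adjust -SearchBase and "Sales" for your domain.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module;
# the OU path and the "Sales" department value are hypothetical placeholders.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=example,DC=com'   # hypothetical OU, replace as needed

# Users with NO Department set. '-notlike "*"' is the working substitute for
# '-eq $null', which the AD filter syntax rejects with an error.
$missingDept = Get-ADUser -Filter 'Department -notlike "*"' `
    -SearchBase $searchBase -Properties Department

# Users WITH a Department set (the corollary: '-like "*"' means "any value").
# The same form works for multi-valued attributes such as proxyAddresses.
$hasDept = Get-ADUser -Filter 'Department -like "*"' `
    -SearchBase $searchBase -Properties Department

# '-ne' skips objects where the attribute is absent, so this does NOT return the
# users found in $missingDept; it only returns users whose Department is set to
# something other than "Sales".
$notSales = Get-ADUser -Filter 'Department -ne "Sales"' `
    -SearchBase $searchBase -Properties Department

# Report the gap so it can be fixed before dynamic groups or address books rely on it.
$missingDept | Select-Object SamAccountName, DistinguishedName |
    Sort-Object SamAccountName | Format-Table -AutoSize

# @() guards .Count when a query returns nothing on older PowerShell versions.
'Missing department: {0}; has department: {1}; not Sales: {2}' -f `
    @($missingDept).Count, @($hasDept).Count, @($notSales).Count
```

The sum of the first two counts should equal the number of users in the OU, which is a quick way to confirm that the -notlike and -like filters are complementary.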

Monday, September 17, 2012

Windows Server 2012 Editions

The editions for Windows Server 2012 are quite different from those for Windows Server 2008. For mid-sized and larger organizations, there are only two editions.
  • Standard Edition license. For up to 2 processors and two virtual machines.
  • Datacenter Edition license. For up to 2 processors and unlimited virtual machines.
The only difference between these two licenses is the number of virtual machines you can use the license on. There is no functional difference between Standard and Enterprise editions. Standard edition now includes features such as failover clustering that were previously included only in Enterprise and Datacenter editions.

There are also no limitations on memory based on edition.

So, if you are going to run Windows Server 2012 directly on hardware, there is no difference between Standard and Datacenter editions, and it makes sense to use Standard edition.

If you are going to run lots of VMs on a 4 processor server, then it probably makes sense to buy 2 Datacenter licenses (2 processors each) and be licensed for an unlimited number of VMs on that server.

There is some middle ground where it may be worth your while to run two Standard licenses on a 2 processor server for 4 VMs instead of a single Datacenter edition, but you'll need to do the math on that based on pricing from your reseller.

Microsoft has an FAQ here:

Editions for Small Business

There are also two editions for small business:
  • Windows Server 2012 Essentials. This edition is meant to replace Small Business Server 2011. It has some of the nice automated features found in SBS, but no longer includes Exchange Server. It is assumed that clients will use a cloud-based service such as Office 365 for email. Up to 25 users can connect to an Essentials server. No user CALs are required.
  • Windows Server 2012 Foundation. This edition is available only from OEMs and is limited to 15 users. It is meant to be a basic, very inexpensive file and print server. It does not support being a Hyper-V host.
A list of editions and the limitations can be found here:

Sunday, September 16, 2012

Importing a PST containing IMAP Folders

I've done lots of work with PST files in the past, but recently got caught by surprise when we imported PST files that had been used by IMAP accounts as part of a migration to Exchange Server 2010. When you import a PST from an IMAP account, there are special IMAP views applied to the folders that prevent cached mailboxes from working properly. Basically, the view prevents Outlook from properly determining the presence of new messages.

We identified this problem because users started to complain that items they copied into subfolders were not appearing in the new folders. When we viewed the mailbox in OWA, we could see the items. If you view the properties of the folder in Outlook, on the General tab, it shows that the folder contains IMAP items.

The fix for this is to change the type of folder so that Outlook uses the correct view and synchronizes the folder properly. You need to edit the folder properties in the Exchange database by using ExFolders.

The high level process is:
  1. Give yourself FullMailbox access to all mailboxes that need to be fixed.
    • For a single mailbox use the Exchange Management Console.
    • For all mailboxes use the Exchange Management Shell: Get-Mailbox -RecipientTypeDetails usermailbox | Add-MailboxPermission -user (YourAccount) -AccessRights FullAccess
  2. Run ExFolders and connect to the database
  3. Select the Mailboxes you want to update
    • For a single mailbox, select only that mailbox
    • For all mailboxes, select the Mailboxes node
  4. From the Tools menu open the Custom Bulk Operation window.
  5. Search for folders with the PR_CONTAINER_CLASS property (0x3613001E) with a value of IPF.Imap and replace this property with a value of IPF.Note.
    • Overall Filter: (&(0x3613001E=IPF.Imap))
    • Operation: Other folder properties, Modify, Property: PR_CONTAINER_CLASS 0x3613001E, Value: IPF.Note
  6. Remove your FullMailbox permissions from the mailboxes.
    • For a single mailbox use the Exchange Management Console.
    • For all mailboxes use the Exchange Management Shell: Get-Mailbox -RecipientTypeDetails usermailbox | Remove-MailboxPermission -user (YourAccount) -AccessRights FullAccess
After the property is updated, the folders should begin working immediately. You can verify by copying some items around and checking that they are visible in the new location.
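Steps 1 and 6 grant and then remove FullAccess on every mailbox, which is a high-privilege change worth doing carefully. The following added example (not from the original post) wraps the ExFolders run so that the permission is removed from exactly the mailboxes it was added to and verifies nothing is left behind. It assumes the Exchange 2010 Management Shell; the account name and log path are hypothetical.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010 Management
# Shell. The admin account and the log path are hypothetical placeholders.
$admin   = 'EXAMPLE\fixadmin'                 # hypothetical account used for the fix
$logPath = 'C:\Temp\imapfix-mailboxes.txt'    # hypothetical path for the audit list

# Step 1: grant FullAccess and record every mailbox touched, so step 6 is exact.
$targets = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$targets | ForEach-Object {
    Add-MailboxPermission -Identity $_.Identity -User $admin `
        -AccessRights FullAccess -InheritanceType All | Out-Null
    $_.Identity.ToString()
} | Set-Content -Path $logPath

# Steps 2-5 happen in ExFolders (connect, select Mailboxes, Custom Bulk Operation).
Read-Host 'Run the ExFolders bulk operation now, then press Enter to remove permissions'

# Step 6: remove FullAccess only from the mailboxes recorded in step 1.
Get-Content -Path $logPath | ForEach-Object {
    Remove-MailboxPermission -Identity $_ -User $admin `
        -AccessRights FullAccess -InheritanceType All -Confirm:$false
}

# Verify: any explicit (non-inherited) FullAccess entry left for the account is a leak.
$leftover = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $admin |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited }

if ($leftover) {
    Write-Warning "FullAccess still present for $admin on the mailboxes below:"
    $leftover | Format-Table Identity, User, AccessRights -AutoSize
} else {
    "No explicit FullAccess entries remain for $admin"
}
```

Keep the log file: it is the record of which mailboxes were opened with FullAccess and when, which is what an auditor will ask for after a bulk change like this.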

In Outlook 2010 (perhaps other versions also) there is a synchronization tab in the Properties of a cached mailbox folder. The tab will not appear for the fixed folders, but synchronization will be successful. A brief test indicated that if the cached mailbox is recreated then the synchronization tab will be added. However, for most scenarios, I consider this only cosmetic and not worth the effort.

I'm not sure whether this will apply to all installations, but on the server I was working with, when I viewed the properties of the folders, the PR_CONTAINER_CLASS property actually had a value of 0x3613001F instead of 0x3613001E as most documentation indicates. The 0x3613001F property is the same property but the Unicode version. When you query and modify 0x3613001E, you actually query and modify 0x3613001F, which is what you see when browsing the database.

I figured out a lot of this based on the following web page. It has nice detailed step-by-step instructions on how to do this. However, there is a typo where he indicates that the value to search for is 0x36100iE, when in fact it is 0x3613001E.
Download ExFolders from this link. Note that it must be installed in the Exchange 2010 bin folder (C:\Program Files\Microsoft\Exchange\v14\bin). There is also a .reg file that needs to be imported.

Tuesday, September 4, 2012

Exchange 2010 Build Numbers

You can use the Exchange Management Console to view the build number for an Exchange 2010 server. This is visible in the Server Configuration node.

Unfortunately, there is no easy pattern in the build number that tells you which service packs or rollup updates have been installed. Fortunately, a list of build numbers and the corresponding service packs and rollup updates is maintained in the Exchange Server documentation.

Exchange Server Build Numbers and Release Dates
There is also a TechNet Wiki article with similar information that seems to be updated a bit faster.

Configuring Time Synchronization for Domain Joined Computers

A Windows-based network with Active Directory relies on time synchronization to allow authentication between computers. All of the domain members must have their time reasonably close to that of the domain controllers for authentication to succeed. In early versions of Active Directory the limit was 20 minutes. I believe it may have been changed to 5 minutes.

In most cases, a domain joined computer is automatically configured to obtain time from the PDC emulator in the domain. This is generally desired and simple. You can verify this configuration by using:
w32tm /query /status
The value listed for Source will be the name of the PDC emulator. If it is configured to use static time sources instead of the PDC emulator, you can reset it to use the PDC emulator with the following:
w32tm /config /syncfromflags:domhier /update
The PDC emulator should be configured to use a reliable time source. In most cases, this will be an NTP time source on the Internet.

The NTP Pool project provides a set of NTP servers that are publicly available as time sources. The benefit of using a pool is that a single NTP server in the pool being offline will not affect your time synchronization. Some of the available pools are:
  • ca.pool.ntp.org
  • us.pool.ntp.org
  • mx.pool.ntp.org
  • uk.pool.ntp.org

To manually specify a time source on your PDC emulator use the following command:
w32tm /config /syncfromflags:manual /manualpeerlist:"ca.pool.ntp.org" /update
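A check you can run on any domain member to confirm it is taking time from the PDC emulator and that its clock is within the tolerance discussed above, as an added example that is not from the original post. It assumes the ActiveDirectory module is available and that UDP/123 to the PDC emulator is open; the 300-second threshold is an assumption you should align with your Kerberos policy.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module;
# the skew threshold is an assumption (5 minutes, as mentioned above).
Import-Module ActiveDirectory

$maxSkewSeconds = 300
$pdc = (Get-ADDomain).PDCEmulator

# 'w32tm /query /source' prints only the configured source, e.g. the PDC's FQDN.
$source = (w32tm /query /source | Select-Object -First 1).Trim()

if ($source -notlike "$($pdc.Split('.')[0])*") {
    Write-Warning "Time source is '$source', not the PDC emulator '$pdc'."
    Write-Warning 'Reset with: w32tm /config /syncfromflags:domhier /update'
}

# Measure the offset against the PDC without changing anything. With /dataonly,
# each sample is printed as 'time, offset', e.g. '10:15:01, +00.0031257s'.
$samples = w32tm /stripchart /computer:$pdc /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
}

if (-not $offsets) {
    Write-Warning "Could not measure offset against $pdc (is UDP/123 reachable?)."
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
        Measure-Object -Maximum).Maximum
    if ($worst -gt $maxSkewSeconds) {
        Write-Warning ('Clock skew {0:N3}s exceeds {1}s; Kerberos authentication may fail.' `
            -f $worst, $maxSkewSeconds)
    } else {
        'Source: {0}; worst offset vs {1} is {2:N3}s (within {3}s)' `
            -f $source, $pdc, $worst, $maxSkewSeconds
    }
}
```

Run the same check on the PDC emulator itself, substituting your NTP pool host for $pdc, to confirm the top of the time hierarchy is healthy before chasing skew on members.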
Other useful time resources: