Windows Server 2008

Don’t reinvent the wheel

Way back when I used to take Microsoft certification exams there were often questions of the form “Perform task X with the minimum of administrative effort”. Most, if not all, of the possible answers would be correct but the correct answer was the one that achieved the goal with the minimum amount of work.


Many, if not most, administrators don’t seem to follow that model.


This was brought home to me when I saw a forum discussion about collecting event log information from a bunch of remote servers on a regular basis.


You could set up a scheduled task/job that runs a script against the remote servers – collects the log information and populates an Excel spreadsheet.


You could enable event log forwarding and just interrogate the combined logs as needed.


The second option is the easier to MAINTAIN and will cost you less effort in the long run.


When you start to solve a problem – stop and search for a bit to see if there is a solution already available in Windows Server. Bet you’ll be surprised by what you find.

Using AccountManagement classes to set local accounts expiry

This is a little more verbose than the WinNT example

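function set-expirydate {
[CmdletBinding(SupportsShouldProcess=$true)]
param (
 [string]$computer = ".",   ## target machine; "." or "localhost" means this one
 [string]$id                ## local account name
)
BEGIN {Add-Type -AssemblyName System.DirectoryServices.AccountManagement}
PROCESS {
 ## the Machine context needs a real machine name, so resolve the local aliases
 switch ($computer){
  "."    {$computer = $env:computername}
  "localhost" {$computer = $env:computername}
 }
 ## Machine context = the local account database on $computer
 $ctype = [System.DirectoryServices.AccountManagement.ContextType]::Machine
 $context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
    -ArgumentList $ctype, $computer
 $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($context, $id)
 ## FindByIdentity returns $null when the account does not exist
 if (-not $user) {Write-Warning "User $id not found on $computer"; return}
## set the expiry date
if ($psCmdlet.ShouldProcess("$id", "Expiry date set ")) {
    $user.AccountExpirationDate = (Get-Date).AddDays(2)
    ## nothing is written to the account until Save() is called
    $user.Save()
}
}
}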

Set the context to machine and use the machine name to define which machine. Find the user, set the AccountExpirationDate property, then save.
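To check the result, and to find local accounts that have no expiry at all, the same AccountManagement classes can be used read-only. This is an added example, not code from the original post; the function name Get-LocalAccountExpiry and the $WarnDays threshold are assumptions made for illustration.

```powershell
# Added example: read-only report of local account expiry state.
# Function name and -WarnDays default are illustrative assumptions.
function Get-LocalAccountExpiry {
    [CmdletBinding()]
    param (
        [string]$Computer = $env:COMPUTERNAME,
        [int]$WarnDays = 7
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctype   = [System.DirectoryServices.AccountManagement.ContextType]::Machine
    $context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList $ctype, $Computer
    # An empty UserPrincipal acts as a query-by-example filter that matches every user
    $filter   = New-Object System.DirectoryServices.AccountManagement.UserPrincipal `
        -ArgumentList $context
    $searcher = New-Object System.DirectoryServices.AccountManagement.PrincipalSearcher `
        -ArgumentList $filter
    $now = [DateTime]::UtcNow   # AccountManagement returns dates in UTC
    try {
        foreach ($user in $searcher.FindAll()) {
            $expires = $user.AccountExpirationDate   # $null means the account never expires
            if ($null -eq $expires)                     { $state = 'NeverExpires' }
            elseif ($expires -lt $now)                  { $state = 'Expired' }
            elseif ($expires -lt $now.AddDays($WarnDays)) { $state = 'ExpiringSoon' }
            else                                        { $state = 'Active' }
            New-Object PSObject -Property @{
                Computer = $Computer
                Name     = $user.SamAccountName
                Enabled  = $user.Enabled
                Expires  = $expires
                State    = $state
            }
        }
    }
    finally {
        $searcher.Dispose()
        $context.Dispose()
    }
}

# Enabled local accounts with no expiry date are the ones worth reviewing
Get-LocalAccountExpiry | Where-Object { $_.Enabled -and $_.State -eq 'NeverExpires' }
```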

Setting local account expiry dates

Setting expiry dates on AD accounts is a common occurrence and is well documented. Setting expiry dates on local accounts is also possible

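$user = [adsi]"WinNT://./Test1, user"
$expirydate = (Get-Date).AddDays(2)
$user.Put("AccountExpirationDate", $expirydate)
## Put() only changes the local property cache; SetInfo() commits it to the account
$user.SetInfo()
$user | Format-List *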

This uses the WinNT (remember it’s case sensitive) ADSI connector to get a local account. We then set the AccountExpirationDate property to the desired date – in this case two days from now.

Quick call to SetInfo() and we are done

Windows SysInternals Administrators Reference

Title: Windows SysInternals Administrators Reference

Publisher: Microsoft Press

ISBN: 978-0-7356-5672-7

The SysInternals tool set should be one of a Windows administrator’s best friends. You may not need them every day but when you do they will help dig you out of the hole. The toolset was created, and is still maintained, by Mark Russinovich. Originally offered as an independent set of utilities, it is now owned and supplied (as a free download) by Microsoft.

One of the difficulties with any troubleshooting toolset is knowing how to get the best out of the tools, especially if you are only using them now and again. The SysInternals tools can be downloaded as a complete suite or the individual tools (or group of tools) can be downloaded independently. This approach leaves the administrator possibly using, and understanding, part of the toolset because those tools are used regularly, but completely ignorant of the rest of the tools. Mark Russinovich, and his co-author Aaron Margosis, have created the Windows SysInternals Administrators Reference to address that gap.

The book is divided into three parts:

·        Part 1 starts with the SysInternals core concepts, including some historical background. Chapter 2 follows on with a look at Windows Core Concepts including administrative rights, process, threads, user and kernel mode, handles, call stacks and sessions.

·        Part 2 is where we dive into the toolset:

o   Process Explorer

o   Process Monitor

o   Autoruns

o   PsTools

o   Process and Diagnostics Utilities

o   Security Utilities

o   Active Directory Utilities

o   Desktop Utilities

o   Network and Communications utilities

o   System Information utilities

o   Miscellaneous Utilities

·        Part 3 looks at using the tools in some real life scenarios

o   Error messages

o   Hangs and sluggish performance

o   Malware

I suspect that many readers will read parts 1 and 3 for the very valuable information. Part 2 is more of a reference which will be dipped into as needed. The breadth of the SysInternals toolset means that you won’t be using all of the tools all of the time but will need the information on using the other tools. I would strongly recommend at least skimming through the chapters in part 2. You may well find something that will help solve an incipient problem. They can also suggest a course of action to help investigate potential problems.

As a very strong advocate of using PowerShell there are some occasions where the two sets of functionality overlap. The SysInternals tools will often take over where the PowerShell functionality finishes so tend to be complementary rather than competing.

This is a book to which I think every Windows administrator/consultant needs access. I tend to carry a netbook these days with my library of scripts and utilities plus electronic copies of the important reference works I might need. A copy of the latest version of the SysInternals tools plus this book is very definitely included in that content.  

Highly recommended for all Windows administrators and consultants. Don’t leave home without it.



Life is full of surprises and one that has happened to me revolves around the post that seems to get the most attention.  Since moving to one of my mirrors from Microsoft Live to WordPress one of the extra features is a report on the post that gets the most traffic. Surprisingly it is this one from January 2008

I know that the PowerShell support for Windows backup has been changed in Windows 2008 R2 so I think I’d better do an update.  Look for it soon

Book Review: Windows Server 2008 Administrator’s Pocket Consultant

Author: William R. Stanek

Publisher: Microsoft Press

ISBN: 978-0-7356-2711-6

This is the second edition that has been updated for Windows Server 2008 R2.

As usual I am applying my three main criteria for judging a book:

· Is it technically accurate?

· Does it deliver the material it claims to deliver?

· Is it worth the cost of purchase and the time I spend reading it?

The first thing that struck me was the sheer size of the book. At 8 inches by 5.5 inches by 1.75 inches and 694 pages it is a weighty tome. I don’t know what size pockets you have but mine aren’t that big!

Inside the book is divided into 20 chapters covering:

1. Overview

2. Deployment

3. Managing servers

4. Processes, services and events

5. Automation (GPO)

6. Enhancing computer security

7. Using AD

8. Core AS admin

9. Understanding User and group accounts

10. Creating User and group accounts

11. Managing User and group accounts

12. File systems and drives

13. Volume sets and RAID arrays

14. File screening and storage reporting

15. Data sharing, security and Auditing

16. Backup and Recovery

17. TCP/IP networking

18. Printers and Print services

19. DHCP

20. DNS

I don’t propose to comment on each individual chapter. My remarks will be generic with some specific examples to illustrate the point.

The book sets out to “deliver ready answers for the day-to-day administration of Windows Server 2008 R2”. For the most part it does deliver to that aim with all of the core administration tasks fully covered though the level of detail is not necessarily consistent between topics. The best practice and troubleshooting functionality that ship with Windows Server 2008 R2 are not mentioned, for instance, so I don’t think the book can be viewed as the complete answer to administering these systems.

The book delivers its answers by using the GUI to perform the administrative tasks. It would have been useful to present the PowerShell equivalent where it exists. PowerShell v2 is briefly mentioned but the range of functionality that is now available from a PowerShell prompt is not fully explored. This, I think, is a major missed opportunity.

A quick flick through the book and you would have difficulty telling if it was Windows Server 2003 or Windows Server 2008. This is partly a consequence of the way Windows builds on previous versions but I would have liked to have seen more emphasis on the new features of R2. If I had the first edition of the book I’d be hard pressed to justify buying the second edition as the changes don’t stand out.

One issue that I think isn’t clear is the intended audience. My take on the book is that it is aimed at the junior administrator or the part time administrator in the small one/two man IT shop. In that case it would be very useful as a ready reference. When I was working as a consultant attending multiple customer sites in a week I wouldn’t (couldn’t) have carried it - I need something much more technical.

I would like to see a book in this series that contains the information that we occasionally need but is always difficult to remember where it is - for example:

· The meaning of the useraccountcontrol values

· The DHCP scope options

· IPv6 address prefix meanings

There is some of this information in the book but I would like to see more. More of a pocket reference rather than a pocket consultant. That I would buy and use!

I would also like to see the best practice callouts from the book collected and made available as a download.

Judging against my criteria:

· Is it technically accurate? I didn’t spot anything explicitly wrong from a technical view point. In a few places the wording is ambiguous and open to misinterpretation. The level of technical detail is more than sufficient for what I am assuming is the intended audience. I would give the book 8/10 for technical content. I’m reserving a few points because I think there is material that should be covered in greater depth.

· Does it deliver the material it claims to deliver? I think the book more or less delivers on this point. There is enough depth to the coverage that a junior administrator could use it as his day-to-day guide. On that premise I would have to score it at 8/10.

· Is it worth the cost of purchase and the time I spend reading it? From my perspective I would say it isn’t worth the time I spent on it BUT I don’t think I’m in the intended audience. I have been working with Windows since the 1.0 days so I’ve seen the material that forms the bulk of the book many times. These days I’m only interested in the new features. HOWEVER for someone new to administration or the part time administrator I think it could be a useful purchase so I will score it at 7/10 (More PowerShell would have upped the score).

Overall this is a book that will either be very useful to you or you will never touch it. It deserves an overall 8/10 because the material covered is the bulk of the day-to-day tasks an administrator will face. It won’t solve all your problems but it will solve a lot of them.

A discount of 40% is available at

Readers can enter the code: MVPT894 at the checkout when they purchase before the end of April 2010.



Codeplex AD Replication Module

The other codeplex project that caught my eye was a brand new one to create a PowerShell module to manage AD replication.  This one will be very useful and one I will be using a lot.

There is still time for suggestions as to content for this project – see

Codeplex PowerShell Configurator

I was looking at codeplex (Microsoft’s Open Source site) and decided to do a search for projects relating to PowerShell. 161 projects were returned.  The first 110 had an obvious PowerShell connection.  This is a tremendous number and really does demonstrate the strength of the PowerShell community.

One project that caught my eye was James O’Neill’s PowerShell configurator for Server 2008 R2 Core and Hyper-V Server R2. It’s done as a PowerShell v2 module with the following functions:

Managing installed software, drivers and updates

Add-Driver, Get-Driver
Add-HotFix
Add-InstalledProduct, Get-InstalledProduct, Remove-InstalledProduct
Add-WindowsFeature, Get-WindowsFeature, Remove-WindowsFeature
Add-WindowsUpdate, Get-WindowsUpdateConfig, Set-WindowsUpdateConfig

Managing the Windows Firewall

Get-FirewallConfig, Set-FirewallConfig, Get-FirewallProfile, Get-FireWallRule

IP Networking

Get-NetworkAdapter, Get-IpConfig, New-IpConfig, Remove-IpConfig, Set-IpConfig


Get-Registration, Register-Computer

Page file

Get-ShutDownTracker, Set-ShutDownTracker

Remote Desktop

Get-RemoteDesktopConfig, Set-RemoteDesktop

Other Windows Configuration



There shouldn’t be any reason why it won’t work on full fat Windows so I’ll definitely be trying it out.  Download from

HP G60

I am currently using a HP G60 laptop.  Runs Windows 7 very well. I created a dual boot environment so I could install Windows 2008 R2 and to my pleasant surprise found Hyper-V runs on it.  Need to enable virtualisation in the BIOS but apart from that slight hiccup it installs and works very well.  Once I get the RTM version it will be time to finally abandon Virtual PC.

Also gives me a chance to play with James’ Hyper-V library.


Password Policy

As I mentioned in an earlier post I am reading the Study Guide for the Exchange 2007 Design Exam (70-237).  There is quite a good section on security that goes beyond the normal Exchange stuff. In fact the book overall is good in that the topic coverage goes beyond the bare exam requirements.

One bit is glaringly, obviously wrong.

It states that in Windows 2008 the password policy can be linked at the site, domain or individual OU level.

No, No and thrice NO.

The password policy can only be linked, and be effective at the domain level.

The new Fine Grained Password Policies enable multiple password policies to be defined but they are linked to groups or individual users.

A full discussion on this topic together with PowerShell scripts to manage the policies is available from the April 2008 issue of Windows Administration in Realtime -
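The linkage rule above can be checked directly in a domain. The following is an added example, not one of the scripts from the article referred to; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) is available, and the function name Get-EffectivePasswordPolicy and the account name 'jsmith' are placeholders.

```powershell
# Added example: which password policy actually applies to a user?
# Assumes the ActiveDirectory module; function and account names are placeholders.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param ([Parameter(Mandatory=$true)][string]$Identity)

    # A fine-grained policy (PSO) applies only when it is linked to the user
    # or to a global security group the user belongs to.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) {
        $source = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    }
    else {
        # No PSO resolves for this user, so the single domain-level policy is in force
        $source = 'Default domain policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }
    New-Object PSObject -Property @{
        User              = $Identity
        Source            = $source
        MinPasswordLength = $policy.MinPasswordLength
        MaxPasswordAge    = $policy.MaxPasswordAge
        LockoutThreshold  = $policy.LockoutThreshold
    }
}

# Every PSO with the objects it is linked to: users and groups, never OUs or sites
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength,
        @{ Name = 'AppliesTo'; Expression = { $_.AppliesTo -join '; ' } }

Get-EffectivePasswordPolicy -Identity 'jsmith'
```

Moving a user into an OU never changes the Source value reported here; only group membership or a direct link to a PSO does.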