Happy Thanksgiving 2015

Wishing everyone near and far a Happy Thanksgiving.

Be thankful for those who can gather near to you on this wonderful day and give thanks to those who have and are sacrificing for your safety.

Google Apps for Education / Work: Life Saver

Today's post takes a step back to look at a recent solution we discovered for managing our Chromebooks at current employer.  We currently have 900+ devices scattered through many organization units (OUs).

We recently received an order of 140 units that were to be white gloved from a new vendor.  We were looking for a way to quickly move and update this lot at one time.

From a recent post on GAFE Admin (https://plus.google.com/u/0/communities/114001660438094131273?cfem=1) lead us to a Google Add-On: Chromebookinventory (http://cloudlab.newvisions.org/add-ons/chromebookinventory)

Chromebook Inventory allows you to pull chromebooks from your Google Domain into a Google Sheet.  You choose time frame based on enrollment.  This in itself is a great benefit.  But the greatest feature of Chromebook Inventory is the ability to push changes in the Google sheet back into your domain.

We were able to use this tool to update the Organization Path, Annotated Location and even add notes to each of the 140 units we received.

Highly recommend this add-on for any Google Apps for Education / Work admin.

Resources:

Chromebookinventory (http://cloudlab.newvisions.org/add-ons/chromebookinventory)
GAFE Admin (https://plus.google.com/u/0/communities/114001660438094131273?cfem=1)

Apple Tips and Tricks Vol 4

We are in the midst of deploying 650 Apple MacBook Airs out to our staff so today's post is short and simple.

Below you will find a handy table containing some of the most commonly used Apple Keyboard Commands.

Keyboard Commands	Actions
SHIFT + COMMAND (⌘) + H	Open Finder @ Home Folder
SHIFT + COMMAND (⌘) + L	Open Finder @ Root Level
SHIFT + COMMAND (⌘) + R	Open Air Drop
SHIFT + COMMAND (⌘) + D	Open Desktop
COMMAND (⌘) + K	Open Connect Server (Network Mapping)
SHIFT + COMMAND (⌘) + G	Open Go to Folder
SHIFT + COMMAND (⌘) + O	Open Documents
SHIFT + COMMAND (⌘) + 3	Screen Capture – Whole Screen
SHIFT + COMMAND (⌘) + 4	Screen Capture – Targeted with Mouse
SHIFT + COMMAND (⌘) + SPACEBAR	Screen Capture – Active Window

PowerShell: Password Alert & Report

This is first of three posts in regards to how admin team at current employer manage expiring password alerting and reporting.  We use 3 versions of PowerShell scripts:

• Password Alert
• Password Expiration based on OU Report
• Report mailer to execute each OU Report and mail all out to admin team

This post will focus on the password alert script.

The script is composed of x number of segments.

• Capturing max Password age from AD
• Create function to send email users
• Gather users not disabled with expiring passwords
• Send email alert

First part of the script captures max password age from AD.  This is accomplished by maxpwdage from domain controller(s) then dividing it by nano seconds in a day (8.64e13 or 864000000000)

###################################
# Get the max Password age from AD 
# This Section pulls domains maximum password age from your domain controller(s)
###################################
function Get-maxPwdAge{
$root = [ADSI]"LDAP://DOMAIN.COM"
#Change DOMAIN.COM to target your domain
$filter = "(&(objectcategory=domainDNS)(distinguishedName=DC=DOMAIN,DC=COM))"
#Change Distinguished name to target your domain
$ds = New-Object system.DirectoryServices.DirectorySearcher($root,$filter)
$dc = $ds.findone()
[int64]$maxpwdage = [System.Math]::Abs( $dc.properties.item("maxPwdAge")[0])
$maxpwdage/864000000000
#Pulls maxPwdAge from domain for comparison later
}

Next part is to assemble function to email users

Key points to remember here are to update the following variables:

• $SmtpClient.Host
• Should be your mail server
• $mailmessage.from
• From email address you want messages to appear as
• $mailmessage.Subject
• Tweak the subject line of your message as desired

In addition you will want to update the body of the message to instruct your users on ways to reset their passwords.

###################################
# Function to send HTML email to each user
###################################

function send_email ($days_remaining, $email, $name ) 
{
 $today = Get-Date
 $today = $today.ToString("dddd (yyy-MMMM-dd)")
 $date_expire = [DateTime]::Now.AddDays($days_remaining);
 $date_expire = $date_expire.ToString("dddd (yyy-MMMM-dd)")
 $SmtpClient = new-object system.net.mail.smtpClient 
 $mailmessage = New-Object system.net.mail.mailmessage 
 $SmtpClient.Host = "ENTER YOUR MAIL SERVER HERE" 
 $mailmessage.from = "Technology <expiringpassword@donotreply.com>" 
 $mailmessage.To.add($email)
 $mailmessage.Subject = "$name, Your DOMAIN Password will expire soon."
 $mailmessage.IsBodyHtml = $true

 $mailmessage.Body = @"
<font face=Calibri (Body)>Dear $name, </font><br /><br />
<font face=Calibri (Body)>Your password will expire in <font color=red><strong>$days_remaining</strong></font> days on <strong>$date_expire</strong>.<br />
To prevent access issues ensure you change your password prior to $date_expire.<br /><br />

Your domain password is required for Computer Login, Infinite Campus, Email Access, Google Services (Drive, gMail), etc.<br /><br /><br />

You will receive this message until password is changed.<br /><br />


To change your password follow below processes:<br /><br />

<ul>
    <li type=square>Remote User
        <ul>
            <li>Must come onsite to change when connected to District network (Desktop or SaberSecure[WiFi])
        </ul>    
</ul>
<ul>
    <li type=square>PC/Windows User
        <ul>
            <li>Logon to system and press CTRL-ALT-DEL and choose Change Password.
        </ul>    
</ul>
<ul>
    <li type=square>PASSWORD REQUIREMENTS<br /><br />
        <ul>
            <li>must be 8 or more characters long and<br />
            <li>cannot be one of last 7 password used<br />
            <li>contain a mix of THREE of the following FOUR properties:<br />
                <ul>
                    <li type=disc>uppercase letters (A-Z)<br />
                    <li type=disc>lowercase letters (a-z)<br />
                    <li type=disc>numbers (0-9)<br />
                    <li type=disc>symbols (!"£$%^&*)
                </ul>
        </ul>
</ul>    
<br /><br />
Once your password has been changed you will need to update on all mobile devices (ex: cellphone / iPad / etc).  Failure to update could result in your account becoming locked repeatedly due to failed account access.
<br /><br /><br />

If you have any questions, please contact the IT Helpdesk on 
<br /><br />
 Generated on : $today

</font>
"@

 $smtpclient.Send($mailmessage) 
}

Next step is to query your domain for Non-Disabled and expiring users

###################################
# Search for Non-disabled AD users that have a Password Expiry.
###################################

$strFilter = "(&(objectCategory=User)(logonCount>=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))"

$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$colResults = $objSearcher.FindAll();

# how many days before PW expiry do we start sending reminder emails?
$max_alert = 14


# Get the maximum password lifetime
$max_pwd_life=Get-maxPwdAge

$userlist = @()
foreach ($objResult in $colResults)
   {$objItem = $objResult.Properties; 
   if ( $objItem.mail.gettype.IsInstance -eq $True) 
      {      
         $user_name = $objItem.name
         $user_email = $objItem.email
         #Transform the DateTime readable format
         $user_logon = [datetime]::FromFileTime($objItem.lastlogon[0])
         $result = $objItem.pwdlastset 
         $user_pwd_last_set = [datetime]::FromFileTime($result[0])

         #calculate the difference in Day from last time a password was set
         $diff_date = [INT]([DateTime]::Now - $user_pwd_last_set).TotalDays;

   $Subtracted = $max_pwd_life - $diff_date
         if (($Subtracted) -le $max_alert) {
            $selected_user = New-Object psobject
           # $selected_user | Add-Member NoteProperty -Name "Name" -Value $objItem.name[0]
            $selected_user | Add-Member NoteProperty -Name "Name" -Value $objItem.Item("displayname")
            $selected_user | Add-Member NoteProperty -Name "Email" -Value $objItem.mail[0]
            $selected_user | Add-Member NoteProperty -Name "LastLogon" -Value $user_logon
            $selected_user | Add-Member NoteProperty -Name "LastPwdSet" -Value $user_pwd_last_set
            $selected_user | Add-Member NoteProperty -Name "RemainingDays" -Value ($Subtracted)
            $userlist+=$selected_user
         }
      }
   }

Lastly we send the email alert to the user

We are almost ready to send out our alerts now.  In this last bit of code we pull together the email message and list of expiring users.  We then send a message to each one.  Now for testing update ENTER_ADMIN_EMAIL_HERE to direct all messages to a single account.  This allows for review and tweaking of alert message.

###################################
# Send email to each user
###################################
   foreach ($userItem in $userlist )
   {
    if ($userItem.RemainingDays -ge 0) 
       {
     #Remove Comment (#) below to perform normal process / email user
     #send_email $userItem.RemainingDays $userItem.Email $userItem.Name
     #Update and remove comment below for testing / troubleshooting.  Allows for mailing a single user all expiring user alerts
     # send_email $userItem.RemainingDays ENTER_ADMIN_EMAIL_HERE $userItem.Name
       }
   }

# END

Download the PowerShell file here:
https://drive.google.com/open?id=0B1fwreWrAZioZW5fYlRxb3BCQms&authuser=0

Apple Tips and Tricks Vol 3

Continuation of Apple Tips and Tricks.  In this volume will be covering Apple File structure (OS X).  This one is a little more in depth as such only topic for this post.

Apple File structure (OS X)

As we deploy more and more Apple devices in our enviroment understanding the file structure has become a huge need.  Understanding Apple OS X is a necessity when deploying software or troubleshooting user issues.

   Structure

• Four (4) key areas or domains to remember
• Per-User (~) / User's home directory: /users
• Contains folder for each user that has been setup on machine
• Per-Machine (local/root): / 
• Top level of hard drive
• Local Area network: /Network
• As it states networked devices / drives
• Apple-provided/managed: /System
• Should only contain Apple files / folders
• Similar to Window's System folder

   Per-User (~) / User Domain

• Location: /users
• Folder for each setup user on machine
• Note the use of "~" represents current logged in user
• User's folders consists of: 
• Applications, Desktop, Documents, Downloads, Movies, Music, Pictures, Public
• Similar to Window's Users folders
• Default location for Apple to store user files
• Contains hidden folder that contains user's preference folder: /users/[username]/library
• Two ways to access: 
1. Go To Folder
• Open Finder
• Click "Go" on menu bar
• Click "Go To Folder"
• Enter directory path: /users/[username]/library
• e.g. /users/admin/library
2. Go + Option
• Open Finder
• Click "Go" on menu bar
• Hold down Option key
• Click Library
• Huge thing to remember about User's Preferences (/users/[username]/library/preferences) is it trumps Per-Machine / Network and even System preference lists (plists)
• Apple start plist search here and stops if match is found
• Opposite of Window's Group Policy where Domain trumps local

   Per-Machine / Local Domain

• Location: /
• Top level of hard drive
• Displays contents of hard drive
• Similar to Window's C:\
• Key folder to remember here is the Library
• Just like User folder above contains Preferences folder (plists)
• Remember trumped by user's Preferences but trumps Network and system
• Sometimes referred to as the "Public" Library

   Local Area Network / Network Domain

• Location: /Network
• As it states networked devices / drives
• If present can contain Library folder
• Just like User and Machine folder contains Preferences folder (plists)
• Remember trumped by user's and machine Preferences but trumps system
• Sometimes referred to as the "Public" Library

   System / System Domain

• Location: /System
• Should only contain Apple files / folders
• Similar to Window's System folder

References:

• Basics of the OS X Folder Structure
• http://www.dummies.com/how-to/content/basics-of-the-os-x-folder-structure.html

• File System Basics
• https://developer.apple.com/library/mac/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html

• What happened to my System Folder?
• http://www.mactech.com/articles/mactech/Vol.17/17.08/Aug01MacOSX/index.html

Nagios

At current employer we are currently reviewing systems to monitor or enviroment.  We need to monitor network (Cisco), Virtual Enviroment (VMware / EMC), Services (GAFE/O365), and even some websites (Canvas / Infinite Campus).

Up for review first is Nagios.  We downloaded the 60 day trial appliance and even had a 25 min quick start with Nagios support to ensure we can get the most from the tool.

Following series will cover areas we need to monitor and how Nagios was configured to achieve them.

--------------------------------------------Update Feb 16, 2017-----------------------------------------------------

Unfortunately this project was canceled before we even finished the installation of Nagios.

Apple Tips and Tricks Vol 2

Continuation of Apple Tips and Tricks.  In this volume will be covering preferences (plists), display  iPad on Macbook via QuickTime, Hidden User Account

Preferences (plist)

• plists are basically the configuration for applications
• Control all sorts of aspects of applications
• Work in reverse of Windows GPO as first match wins
• Starts at User Library > Root library > Network Library (if present) > System Library
• Apple plist manual definition:
• https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/plist.5.html
• Many do not exist until a default value has been changed in the program
• preferences are cached in a process called "cfprefsd"
• Recommend to force quit when trying to fine tune preference imports to ensure fresh pull from plist and not cache
• Exercises
• Safari - Homepage
• [Link to Google Doc with steps]

iPad display on Macbook via QuickTime

• Desire to record or display iPad screen on Macbook to projector or to record video

1. Cable iPad to Macbook
2. Ensure both devices are powered on
3. Open Quicktime on Macbook
4. Start "New Movie Recording"
• File > New Movie Recording
5. Press drop arrow next to record button
6. Select Camer > iPad

Hidden User Account

• Hide management / local admin user on Macbooks
• Prevent confusion and attempts at unauthorized access
• User accounts below 500 are hidden from Users and Groups
• Utilize feature to hide managed accounts and test users

1. System Preferences
2. Users and Groups
3. Create new account (+)
4. Use following settings
• New Account: Administrator
• Full Name: [Friendly Account Name]
• Account Name: [User Name]
• Password: [Desired Password]
• Verify: [Desired Password]
• Password Hint: [Something to remember password by]
5. Click Create User
6. Double-Click or Control-Click on new user
7. Click "Advanced Options"
8. Change User ID to below 500
9. Click "OK"

Folder Permission Nightmare (CJWDEV's NTFS Permissions Reporter)

This post focuses around a nightmare of a week I had with Technology team and file servers.

The day was Tuesday March 3rd, 2015, the day was seeming to start of slow as we were wrapping up some issues with our aging Exchange server (2007 on 2k8 platform).  We began to get calls that staff could no longer access the StaffShare folders and files.  As we began to receive the calls and research we soon discovered for whatever reason (have not had time to research more) our file server had dropped all but local admin on the staffshare.  

Some background our staffshare consists of 800 GB some 58,000 folders to be shared across 12 buildings with over 1000 users.  You would think something like this would be documented but I soon found out it was not.  For the past week we have been slowly restoring access as users request and are vetted.  We are trying to hold meetings with departments to become proactive and create groups before someone reports the issue but that process is slow.

Out of all this we have learned that NTFS permissions must be documented and audited now and then, we believe a student / teacher may have some how changed the permissions.  To complete this task we thought about using just your standard spreadsheet but realized quickly the hours to complete would a) far out way the benefit b) never be available to complete.  It was only when one of the admins asked me if only there was a software to do this for us do my somewhat mushy brain recall such a program.  This is when we rushed out and purchased CJWDEV's NTFS Permissions Reporter.
CJWDEV's NTFS Permissions Reporter - Full Version
http://cjwdev.com/Software/NtfsReports/Info.html

Installation was quick and easy.  Setting up to scan and report on a drive or even specific folder is simple.  But the greatest power lies in the export ability the reports into multiple formats.  We choose to use the NTPR format native to the program.  This allows for you to compare between either recent scan or other saved reports.  Our plan is to create baselines and audit changes quarterly via comparison.

Going forward in my career I will always purchase a copy of CJWDEV's NTFS Permissions Reporter - Full Version.  It will be the best $150-$600 dollar system software investment.

Apple Tips and Tricks Vol 1

As my current employer moves to a dual platform of Apple and Windows I have found I need to learn Apple shortcuts. Below is list of tips and tricks Vol 1 we use on a regular basis.

• OS X

• Quit Apps (Force Close)

• Option-Command (⌘)-Esc

• Force close stalled / hanging apps

• Screen shots

• MacBooks offer 3 keyboard varieties and a simple program

• Grab (Windows Snipping Tool)

• Allows capturing screen via 4 options

• Allows previewing of capture before saving

• Selection

• Click and drag the selection box to form a rectangle around the desired screen area. Release the mouse cursor to capture the image.

• Window

• Captures any window that you choose

• Screen

• Saves a snapshot of the entire display

• Timed Screen

• Set a time delay before the screen shat is captured. Use this option if you wish to perform a task, such as opening a menu, before capturing the screen shot.

• Keyboard shortcuts

• Command-Shift-3

• Capture a screen shot of the entire screen

• Image is automatically saved to the clipboard

• Command-Shift-4

• Capture a specific area of the screen

• Click and drag the selection box over the desired area, release the mouse cursor to capture the image.

• Command-Shift-Spacebar

• Create a screen shot of an entire window

• Click the window you want to capture

Nesting Hyper-V with VMware ESXi 5.5

This weeks posting focuses on the setup of my home virtual lab.  I recently setup my home lab consisting of the following specs:

• Supermicro X7DAL
• 2 - Quad Core Intel Xeon E5440 @ 2.83 GHz (8 vCPUs)
• 2 - NICs
• 24 GB of RAM
• 2 - 1 TB Hard drives
• Evaluation version of ESXi 5.5

Most of my experience has been with VMWare so I choose this as my base system.  Now I wanted to learn more about Hyper-V and have read it could be nested within ESXi.  The following will guide you through configuring a ESXi 5.5 system to allow for nested Hyper-V usage.

In some places there are multiple ways to accomplish the same process through the vSphere client, CLI, or using a tool like WinSCP.  The end result is to modify the config files so how ever you feel comfortable.  I will be utilizing WinSCP to access the files and modify using a Windows text editor.  You can download WinSCP here: http://winscp.net/eng/index.php

1. To start we need to ensure SSH access is enabled.  I configured mine through vSphere client but you could do this through local access also.
• Launch vSphere and connect to ESXi system
• Ensure your system is select in left navigation box
• Click "Configuration" tab in right navigation box
• Under software click "Security Profile"
• Click "Properties" for "Services"
• Select "SSH" and click "Options"
• Select desired startup policy
• I choose to automatically start
• Click Okay until back at main vSphere page
2. Now we need to modify our ESXi config file.  This file is located at /etc/vmware/config.
• Launch WinSCP
• Connect to your ESXi server through a SFTP connection
• Navigate to root level and then to /etc/vmware/
• Select config and Edit
• Add the following
• vhv.allow = “TRUE”
• Save and close the editor
3. Next we need to create the Hyper-V system profile, we will not be installing yet.
• Go and create a new VM with specs you desire
• I configured mine with following:
• VM Hardware version 8
• 4 vCPUs
• 12 GB of RAM
• 2 NICs
• 40 GB Thin Hard drive
• 100 GB Thin Hard drive
4. Now we need to edit the VM Profile
• In WinSCP navigate to VM location
• /vmfs/volumes/[DateStore]/[VM Name]
• Select [VM].vmx file and Edit
• Add the following lines:
• monitor.virtual_exec = "hardware"
• hypervisor.cpuid.v0 = "FALSE"
• Save and close the editor
5. Before we install our OS we still need make some changes to our VM settings
• Within vSphere access your VM's settings
• Select "Options"
• Enable CPU/MMU Virtualization for our VM
• Under Advanced Select "CPU/MMU Virtualization"
• Select "Use Intel VT-x/AMD-V for instruction set virtualization and Intel EPT/AMD RVI for MMU virtualization"
• Expose CPUID to guest
• Under Advanced Select "CPUID Mask"
• Select "Expose the NX/XD flag to guest"
• Click "Advanced"
• Locate line ecx and modify to following:
• ---- ---- ---- ---- ---- ---- --H- ----
• Okay back to main vSphere window
6. Finally we can install our Hyper-V OS
• Proceed to install as normal and enjoy creating Hyper-V VMs within ESXi environment.

Following resources we used:

• Veam blog: Nesting Hyper-V with VMware Workstation 8 and ESXi 5
• http://www.veeam.com/blog/nesting-hyper-v-with-vmware-workstation-8-and-esxi-5.html
• WinSCP
• http://winscp.net/eng/index.php

Dual Platform Woes - Password Alerts

As my current employer moves to a dual platform of Windows and Mac systems we have ran in to issues with users not being aware of password expiration.  As such the Technology team has had to look for ways to ensure both Windows and Mac users are aware of upcoming password expiration.

To accomplish this we have deployed the following:

1. PowerShell Script
• Password Alert
• Runs daily at 7AM
• Starts 14 days from expiration and continues until password reset
• Provides links and directions on how to reset password
• Password Expiration Report
• Sends single email with OU Expiration reports attached
• Use Windows Task Scheduler to execute scripts daily
• Run on DC


2. ADPassMon
• Version 1
• Can be found here: 
• https://yourmacguy.wordpress.com/adpassmon/
• Version 2 (Forked)
• Can be found here: 
• https://macmule.com/2014/04/01/announcing-adpassmon-v2-fork/
• Deployed via MDM (Casper Suite)
• Preference file locked to prevent user from tampering
• Application set to relaunch daily at 10am, in case user force closes

We have just implemented both of these into our environment.  Will include complete write ups on setup of each option in the near future.

Office 2016 Beta Release

Well, hello digital world.  Long time now chat.

So much has happened in my life I will have to provide a couple post to catch you all up.  But this post is to focus on Office 2016 for Mac.

Available for download here: http://products.office.com/en-US/mac/mac-preview

From my limited experience with Office 2011 for Mac I have been severally disappointed.  I will be downloading the beta in the morning for review personally.  I am hoping that MS has incorporated more features that are standard to PC version into the Mac version.

Stay tuned for my review within the next week.

In the mean time head over to Spiceworks and join the discussion there:

http://community.spiceworks.com/topic/825685-free-public-beta-preview-of-office-2016-for-mac-is-now-available