Wednesday, December 23, 2009

Deploy OEM versions of Office 2003

Today I had to deploy OEM versions of Office 2003 to around 20 systems. Some needed Office 2003 Pro, some needed Office 2003 Basic, and I didn’t want to do it manually. Normally, with VLKs, it’s easy. Now every computer has its own unique installation key. What to do?

First get the installation files to the clients (Basic or Pro). Then perform an installation. Too bad you must enter a key to perform the installation; later versions of Office don’t have this limitation.
The following command will do the trick. Just use a valid product key from one of your OEM CDs for the product you’re installing (in this case Pro). Don’t worry; Office will not be activated yet and the license will be removed later.

start /wait c:\install\office2k3_pro\1-main\SETUP.EXE /qb PIDKEY=12345abcde12345abcde12345

Then apply SP3

start /wait C:\install\office2k3_pro\2-updates\Office2003SP3-KB923618-FullFile-NLD.exe /Q

And why not… Office 2007 Compatibility Toolkit (FileFormatConverters)

start /wait c:\install\office2k3_pro\3-2k7compat\FileFormatConverters.exe /quiet /norestart

Now that everything is installed, I’m going to remove the license we used to perform the installation. Note that the GUID may differ depending on the product you’re installing.

reg delete HKLM\SOFTWARE\Microsoft\Office\11.0\Registration\{91110413-6000-11D3-8CFE-0150048383C9} /v ProductID /f
reg delete HKLM\SOFTWARE\Microsoft\Office\11.0\Registration\{91110413-6000-11D3-8CFE-0150048383C9} /v DigitalProductID /f

So, this is the complete script:

@echo off
@echo Install Office 2003 Pro with temp license
start /wait c:\install\office2k3_pro\1-main\SETUP.EXE /qb PIDKEY=12345abcde12345abcde12345

@echo Install Office 2003 SP3
start /wait C:\install\office2k3_pro\2-updates\Office2003SP3-KB923618-FullFile-NLD.exe /Q

@echo Install Office 2007 File Format Converters
start /wait c:\install\office2k3_pro\3-2k7compat\FileFormatConverters.exe /quiet /norestart
@echo Install Office 2007 File Format Converters SP1
rem checking this out later, has some "i agree" button i can't get around
@echo Install Office 2007 File Format Converters SP2
rem checking this out later, has some "i agree" button i can't get around

@echo Remove Office temp license
reg delete HKLM\SOFTWARE\Microsoft\Office\11.0\Registration\{91110413-6000-11D3-8CFE-0150048383C9} /v ProductID /f
reg delete HKLM\SOFTWARE\Microsoft\Office\11.0\Registration\{91110413-6000-11D3-8CFE-0150048383C9} /v DigitalProductID /f


When a user logs in and opens the first Office application, it will ask for the license key and Office will be registered.

Thursday, December 10, 2009

Full Exchange 2007 database and transaction logs backup

Doing a full backup of an Exchange 2003 database was easy.
Start, run, ntbackup, backup, custom, select the Exchange object, select a destination file, create a schedule and there you go: your daily scheduled database dump. This (and this is important as we’re dealing with a database) would also commit all data to the database and purge the transaction logs.
This would then be backed up by any backup application.
More expensive backup solutions do this kind of database trick by default. But as I prefer to use non-intelligent, image-based backups (like V2i, Symantec Backup Exec System Recovery, or Drivesnapshot), this had to be done manually.

Doing the same with Exchange 2007 took me some time to find out. Here’s how.

You’ll need Service Pack 2 for Exchange 2007. This includes a plugin for Windows Backup (wbadmin.exe, the successor of ntbackup) that makes it Exchange-aware.
Please note that Windows Backup can only create backups on a volume basis (complete drive letters or mount points only)! That’s why my Exchange 2007 servers have a dedicated drive for the Exchange Database + System files + Transaction Logs. This keeps the backups as small as possible, without extra data. It would be better to have the Transaction Logs on another drive as well in case of serious recovery, but I’m going to test that later.
Backups are on a separate partition too.

This gives the following scenario:
C: = Windows 2008 + Exchange 2007 installation
D: = dvdrom drive
E: = dedicated to: Exchange Database, System files and Transaction Logs
F: = dedicated to: Exchange backup/dump

To create the backup, the following command is used:

WBADMIN START BACKUP -backupTarget:F: -include:E: -vssfull -quiet

-vssfull is the option that purges the Transaction Logs
-quiet will not ask “are you sure?” but still shows some output (you might want to pipe this to a file as some sort of log)
This can be scheduled with Windows Task Scheduler (Server manager, Configuration, Task Scheduler, Task Scheduler Library).

Only one instance of the backup is kept on F:, but that’s no problem as all partitions are backed up by the regular backup.

Saturday, December 5, 2009

Remotely access Active Directory Repair Mode

Sometimes you need to access Active Directory Repair mode through RDP.
Add this to your boot.ini and reboot:


Make sure you have the restore password though!
After making your desired changes to the system, remove it from boot.ini and reboot again.

Thursday, October 8, 2009

Disable “log on using dial-up connection”

Another happy customer due to the following registry hack:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"RasDisable"="1"

Or set the same value from the command line:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v RasDisable /t REG_SZ /d "1" /f

Monday, September 14, 2009

simulate smtp session

Having problems with sending mail?
You might want to simulate an SMTP session to see exactly what goes wrong.

Start an MS-DOS prompt and type:

C:\WINDOWS>telnet 25

Your SMTP server may be different, of course.

Connected to
Escape character is '^]'.
220 ESMTP Sendmail 8.13.8/8.13.8; Mon, 14 Sep 2009 15:03:50 +0200 (CEST)

Type “helo” followed by your domain

250 Hello xxxxxxxxx [a.b.c.d], pleased to meet you

Type “mail from:” followed by your email address

250 2.1.0 Sender ok

Type “rcpt to:” followed by your email address

553 5.3.0 Relaying denied,Authenticate with your username and password first

Now we see what is wrong here. This server doesn’t allow me to relay.
Type “quit” to exit.

221 2.0.0 closing connection
Connection closed by foreign host.

If you didn’t get an error after “rcpt to:”, continue with:

250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
   hello hugo

250 2.0.0 Ok: queued as 60D2A4A24A

221 2.0.0 Bye

Mail should arrive now.
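
Reading the reply codes is the whole diagnosis in the session above, so here is an added Python example (not part of the original post) that parses a saved capture, handles multi-line replies and reports the first step the server refused. The `C:`/`S:` prefixes, host names and addresses in the sample capture are constructed.

```python
import re

# Constructed capture shaped like the telnet session above. "C:" lines are what
# was typed, "S:" lines are server replies; hosts and addresses are placeholders.
SESSION = """\
S: 220 mx.example.net ESMTP Sendmail 8.13.8/8.13.8; Mon, 14 Sep 2009 15:03:50 +0200 (CEST)
C: helo client.example.org
S: 250 Hello client.example.org [192.0.2.10], pleased to meet you
C: mail from:<hugo@example.org>
S: 250 2.1.0 Sender ok
C: rcpt to:<someone@example.com>
S: 553 5.3.0 Relaying denied,Authenticate with your username and password first
C: quit
S: 221 2.0.0 closing connection
"""

# 3-digit reply code, "-" (more lines follow) or " " (last line), then an
# optional enhanced status code (class.subject.detail) and the free text.
REPLY = re.compile(r"^(\d{3})([ -])(?:([245]\.\d{1,3}\.\d{1,3}) )?(.*)$")
KIND = {4: "transient failure, retry later", 5: "permanent failure"}

def parse_session(text):
    """Return one (command, code, enhanced_code, text) tuple per server reply."""
    replies, command, pending = [], "CONNECT", []
    for line in text.splitlines():
        tag, _, body = line.partition(": ")
        if tag == "C" and body:
            command = body.split()[0].upper()   # HELO, MAIL, RCPT, DATA, QUIT
        elif tag == "S":
            m = REPLY.match(body)
            if not m:
                continue                        # not a reply, e.g. "Connected to"
            code, sep, enhanced, msg = m.groups()
            pending.append(msg)
            if sep == " ":                      # last line of a multi-line reply
                replies.append((command, int(code), enhanced, " ".join(pending)))
                pending = []
    return replies

def first_failure(replies):
    """Return details of the first 4xx/5xx reply, or None if every step passed."""
    for command, code, enhanced, msg in replies:
        if code >= 400:
            return {"stage": command, "code": code, "enhanced": enhanced,
                    "kind": KIND[code // 100], "text": msg}
    return None

if __name__ == "__main__":
    print(first_failure(parse_session(SESSION)))
```

For the capture above it reports the RCPT stage with code 553 and enhanced code 5.3.0, a permanent failure, which matches the relay refusal seen in the session.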

Thursday, September 10, 2009

Set ownership recursively

One of my customers has a directory filled with home directories of all students.
Due to some copying, the ownership of all files was set to “administrator”.
Since quota was enabled, quota usage of all students was practically 0.

They needed a fix to set ownership back a.s.a.p.

I created the following batch file. You need the SubInACL utility from Microsoft though.

  • Put the script in the directory you want to make the changes for.
  • Usernames must match the directory names.

@echo off
for /f "tokens=*" %%a in ('dir /b /ad') do subinacl /file %%a\*.* /setowner=%%a

Maybe you want to grant the users access as well (just to be sure):

@echo off 
for /f "tokens=*" %%a in ('dir /b /ad') do subinacl /file %%a\*.* /setowner=%%a 
for /f "tokens=*" %%a in ('dir /b /ad') do subinacl /file %%a\*.* /grant=YOURDOMAIN\%%a 

Wednesday, September 9, 2009

Hide from Exchange address list

Sometimes you just want people not to show up in your address list.
Here’s a simple vbs script that does the trick.

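REM On Error Resume Next

' Ask for the group whose members should be hidden (the group must live in cn=users)
groep = inputbox("Which group?")

set objRootDSE = GetObject("LDAP://RootDSE")
strdomainname = objRootDSE.Get("defaultNamingContext")

set objgroup = getobject("LDAP://cn=" + groep + ",cn=users," + strdomainname)

' GetEx always returns an array, even when the group has a single member
arrmember = objgroup.GetEx("member")

for each objmember in arrmember
	set objuser = getobject("LDAP://" + objmember)
	objuser.MSExchHideFromAddressLists = TRUE
	' Write the change back to Active Directory
	objuser.SetInfo
next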

Wednesday, August 19, 2009

The logon screen turns black after you press CTRL+ALT+DELETE

Today I logged in to a server and this is what I saw:


Microsoft has an article on this matter:

I have no clue what caused this, however the resolution is simple. Import the following .reg file:

Windows Registry Editor Version 5.00 

[HKEY_USERS\.DEFAULT\Control Panel\Colors] 
"ActiveBorder"="212 208 200" 
"ActiveTitle"="10 36 106" 
"AppWorkSpace"="128 128 128" 
"Background"="102 111 116" 
"ButtonAlternateFace"="181 181 181" 
"ButtonDkShadow"="64 64 64" 
"ButtonFace"="212 208 200" 
"ButtonHilight"="255 255 255" 
"ButtonLight"="212 208 200" 
"ButtonShadow"="128 128 128" 
"ButtonText"="0 0 0" 
"GradientActiveTitle"="166 202 240" 
"GradientInactiveTitle"="192 192 192" 
"GrayText"="128 128 128" 
"Hilight"="10 36 106" 
"HilightText"="255 255 255" 
"HotTrackingColor"="0 0 128" 
"InactiveBorder"="212 208 200" 
"InactiveTitle"="128 128 128" 
"InactiveTitleText"="212 208 200" 
"InfoText"="0 0 0" 
"InfoWindow"="255 255 225" 
"Menu"="212 208 200" 
"MenuText"="0 0 0" 
"Scrollbar"="212 208 200" 
"TitleText"="255 255 255" 
"Window"="255 255 255" 
"WindowFrame"="0 0 0" 
"WindowText"="0 0 0"

Big thanks to my friend at Tech Notes for helping me out so quickly.

Friday, August 14, 2009

SSL, Exchange 2007, request a SAN certificate

SSL, the basics:

An SSL certificate enables secure (encrypted) communication between client and server. For this to work, your client (which can be a computer, PDA, smartphone, etc.) performs 3 checks:

  1. Date of the certificate. Is it valid? Hasn’t the certificate expired yet?
  2. Trusted Authority. In short: which trusted company sold this certificate? E.g. Verisign, Thawte, etc. Your client has a list of well-known and trusted companies. If this company is on the list, the certificate can be trusted as well.
  3. The common name. If the common name on the certificate is and you want to visit through ssl, check 3 fails.

Exchange 2007 and SSL

After installing Exchange 2007, a self-signed SSL certificate is installed by default. This SSL certificate is used to secure communication between both Internet clients (Exchange ActiveSync, Outlook Web Access, Outlook Anywhere, POP3 and IMAP4) and internal clients (Outlook 2007) to the Client Access server.

Exchange Server 2007 also introduces a new Exchange web service called the Autodiscover service. The Autodiscover service is used to configure Outlook 2007 clients. More specifically, the Autodiscover service is used by Outlook 2007 client features such as the Availability service (free/busy), Auto Account Setup (automatic profile creation), Out of Office (OOF), Offline Address Book (OAB), and Unified Messaging (UM). This means that in order for these features to work correctly, the Autodiscover service must be properly configured. Since the Autodiscover service is a web-based service, it’s located on the Client Access server (CAS). And since it’s a web-based service, it needs an SSL certificate that is accepted by all clients, both internal ones and those on the internet.

We now have one problem.
As the common name of the server is different depending on where you are at that moment, you’ll need an SSL certificate with at least 5 different common names, e.g.

  • the netbios name of the computer, let’s say: “EXCH2K7SRV02”
  • the fully qualified domain name in the local network; EXCH2k7SRV02.domain1.local
  • the fully qualified domain name on internet;
  • the fully qualified domain name for the autodiscovery in the local network; autodiscover.domain1.local
  • the fully qualified domain name for the autodiscovery on internet;

SAN certificate

With Exchange Server 2007 a new type of certificate is introduced; it’s called a subject alternative name (SAN) certificate. The interesting thing about a SAN certificate is that it allows us to include multiple FQDNs (aka common names) in one single certificate.
So in case you wondered: this SAN certificate has nothing to do with your SAN storage. It’s something different.
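
The date and name checks from the list above, applied to the five names a client may use, as an added Python example (not from the original post). It reads the names from the subjectAltName entries in the dict layout of Python's `getpeercert()`; check 2, the trust chain, is left to the TLS library, and mail.example.com and autodiscover.example.com are placeholders for the two public names.

```python
import ssl

# Constructed certificate in the dict layout returned by ssl's getpeercert().
# mail.example.com and autodiscover.example.com are placeholders for the two
# public names; they are not taken from the post.
SAN_CERT = {
    "notBefore": "Aug 14 00:00:00 2009 GMT",
    "notAfter": "Aug 14 00:00:00 2010 GMT",
    "subjectAltName": (
        ("DNS", "EXCH2K7SRV02"),
        ("DNS", "EXCH2k7SRV02.domain1.local"),
        ("DNS", "mail.example.com"),
        ("DNS", "autodiscover.domain1.local"),
        ("DNS", "autodiscover.example.com"),
    ),
}
HOSTS = [name for _, name in SAN_CERT["subjectAltName"]]  # names clients connect to

def name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def check_certificate(cert, host, now):
    """Return the failed checks for one host: 'date' (check 1), 'name' (check 3)."""
    problems = []
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("date")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name")
    return problems

def uncovered(cert, hosts, now):
    """Return the names from hosts that the certificate does not cover."""
    return [h for h in hosts if "name" in check_certificate(cert, h, now)]

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Dec 23 12:00:00 2009 GMT")
    single = dict(SAN_CERT, subjectAltName=(("DNS", "mail.example.com"),))
    print("SAN certificate misses:", uncovered(SAN_CERT, HOSTS, now))
    print("single-name certificate misses:", uncovered(single, HOSTS, now))
```

A certificate carrying only one of the names fails the name check for the other four, which is the problem the SAN certificate solves.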

Request a SAN certificate

Start the Exchange 2007 Management Shell.
At the PowerShell prompt, type:

[PS] C:\Windows\System32> New-ExchangeCertificate -DomainName EXCH2k7SRV02, EXCH2k7SRV02.domain1.local,, autodiscover.domain1.local, -FriendlyName Domain1SSLCertificate -GenerateRequest:$True -Keysize 1024 -path c:\certreq.txt -privatekeyExportable:$true -subjectName "c=US, o=My Company,"

As you see, with the “-DomainName” parameter, I’m requesting a certificate for 5 Subject Alternative Names, which makes it a SAN certificate.
Make the “-FriendlyName” something obvious. And remember it, you’ll need it later!
I mark the private key as exportable (“-privatekeyExportable:$true”) so that I can re-use the certificate whenever I want to transfer it to another server. I know this is less secure, but I’ve been in a lot of situations where customers didn’t remember where they bought the certificate or didn’t have the appropriate login info etc. So that’s why.
In the “-subjectName”, specify your country “c=US”, organisation “o=My Company” and the domain you are working with “”.
As you see (”-path”) the request is stored in a file called c:\certreq.txt. The content of this file is required to actually request the certificate at your SSL reseller or your own active directory CA.

Import the SAN certificate

Once you’ve got the certificate, save it to c:\certnew.cer.
In the Exchange Management Shell type:

[PS] C:\Windows\System32> Import-ExchangeCertificate -path c:\certnew.cer -friendlyname "Domain1SSLCertificate"

So this is where you’ll need that friendly name again.
After this command you’ll see a “thumbprint” on your screen. My example: “795E704F73D47F6053A493961CB23DB349731141”
The certificate is now imported.

If you forgot the thumbprint, you can look it up by typing:

[PS] C:\Windows\System32> Get-ExchangeCertificate -DomainName "EXCH2K702"

All you have to do right now is activate the certificate for the required Exchange services. Do this by typing:

[PS] C:\Windows\System32> Enable-ExchangeCertificate -thumbprint 795E704F73D47F6053A493961CB23DB349731141 -services "IIS,POP,IMAP"

Wednesday, August 12, 2009

Timezone and time sync

How do you make sure your client is in the right timezone and syncs with your preferred NTP server?

Control.exe TIMEDATE.CPL,,/Z (GMT+01:00) Amsterdam, Berlijn, Bern, Rome, Stockholm, Wenen
net time /
net time /querysntp
w32tm /Resync

Event viewer nicely logs the resync action:

Type gebeurtenis: Informatie
Bron van gebeurtenis: W32Time
Categorie van gebeurtenis: Geen
Gebeurtenis-ID: 35
Datum: 12-8-2009
Tijd: 10:04:10
Gebruiker: n.v.t.
Computer: HUGO7900SSF
De tijdservice is nu bezig met het synchroniseren van de systeemtijd met de tijdbron (ntp.m|0×1|>

Zie Help en ondersteuning op voor meer informatie.