North East Bytes - a Microsoft technology usergroup in North East England.


Tuesday, Sep 30, 2008

Pin a HyperText Application (HTA) to the Vista Start Menu

This is probably obvious to anyone who has done any amount of work with HTAs (which I’ve got to say, I haven’t used much, but quite like for some things), but took a little bit of head scratching here…

If you want to pin a shortcut to an HTA to Vista’s Start Menu, you can’t just create a shortcut to the .hta file. The shortcut has to be to the HTA engine (mshta.exe), with the .hta file as a parameter.

If you want to script the pinning, check out the guidance here and here (thanks to Shepy and stahler for tweeting those links).

Monday, Sep 8, 2008

Enumerate Exchange Public Folder Client Permissions for a User/Group

Today I've been consolidating some AD groups as we've unhelpfully accumulated four different groups for the members of our IT department over the years. Seemingly two of these groups have been used to set permissions on various Exchange Public Folders, so I've been looking at which Public Folders each group had permission on. Fortunately, this is very easy to do in PowerShell...

First I'm setting a couple of variables. The first is the name of the group (or you could do the same for a user) that we're interested in. The second is the point in the Public Folder structure where we're starting searching. If you want to look at the whole structure, just use "\", but if you have a lot of Public Folders that's going to take a while, and if you know, like I did here, that the "IT Staff" group is only going to have permissions on folders underneath the IT department's top level folder, you can just look at that branch of the tree.

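#requires -pssnapin Microsoft.Exchange.Management.PowerShell.Admin
# Group (or user) whose permissions we want, and where in the tree to start
$groupname = "IT Staff"
$publicfoldersearchroot = "\IT"
# Walk the folders, build each folder's full path, then list matching permission entries
Get-PublicFolder $publicfoldersearchroot -Recurse |
%{$folder = "$($_.parentpath)\$($_.name)";
Get-PublicFolderClientPermission $_ |
%{if($_.user -match $groupname){"$folder ($($_.AccessRights))"}}}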

This results in output like this:

\\IT (Reviewer)
\IT\Admin\Health&Safety (Reviewer)
\IT\Admin\Forms (Reviewer)
\IT\Admin\Forms\Payroll (FolderVisible)
\IT\Customer Services (Reviewer)
\IT\Customer Services\Projects (Reviewer)
\IT\Equipment Bookings (Author)
\IT\General Information (PublishingAuthor)
\IT\Mail Lists (Reviewer)

 

This might be all you need. If you're going to do something programmatically with the output (for which you'll want to format it differently anyway), be careful with the double \ on the first line of the output. It's there because the parentpath is "\". It's easy enough to trap and remove it.
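One way to trap the doubled backslash and return objects rather than strings, as an added example that is not the original post's code. The function names, the constructed sample data and the assumed "domain/OU/Name" form of the User value are assumptions; the group name is matched exactly because -match is a regex substring test and would also report a group such as "IT Staff Admins".

```powershell
# Added example, not the original post's code. Function names are hypothetical.

function Join-PublicFolderPath {
    param([string]$ParentPath, [string]$Name)
    # Top-level folders have ParentPath "\", so plain concatenation gives "\\IT".
    $ParentPath.TrimEnd('\') + '\' + $Name
}

function Get-GroupFolderAccess {
    param([string]$GroupName, $Folder, [object[]]$Permission)
    # -match is a regex substring test: "IT Staff" would also hit "IT Staff Admins".
    # Escape the name and anchor it to the last segment of the User value
    # (assumed here to look like "domain/OU/Name").
    $pattern = '(^|[\\/])' + [regex]::Escape($GroupName) + '$'
    $path = Join-PublicFolderPath $Folder.ParentPath $Folder.Name
    foreach ($p in $Permission) {
        if ([string]$p.User -match $pattern) {
            New-Object PSObject -Property @{
                Folder = $path; User = [string]$p.User; AccessRights = $p.AccessRights
            }
        }
    }
}

# Constructed sample data standing in for Get-PublicFolder and
# Get-PublicFolderClientPermission output.
$folders = @(
    (New-Object PSObject -Property @{ ParentPath = '\';   Name = 'IT' }),
    (New-Object PSObject -Property @{ ParentPath = '\IT'; Name = 'Mail Lists' })
)
$perms = @(
    (New-Object PSObject -Property @{ User = 'example.local/Groups/IT Staff';        AccessRights = 'Reviewer' }),
    (New-Object PSObject -Property @{ User = 'example.local/Groups/IT Staff Admins'; AccessRights = 'Owner' })
)

$folders | ForEach-Object { Get-GroupFolderAccess 'IT Staff' $_ $perms } |
    Select-Object Folder, User, AccessRights

# Against Exchange, with the snap-in from the post loaded:
# Get-PublicFolder '\IT' -Recurse |
#     ForEach-Object { Get-GroupFolderAccess 'IT Staff' $_ (Get-PublicFolderClientPermission $_) }
```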

Friday, Sep 5, 2008

Who needs vowels anyway?!

I am, very openly, a gadget fan - always have been - and for a long time, my preferred online source of gadget news has been Engadget. I'm also very much into listening to podcasts, so the Engadget podcast was definitely on my list of must-listen-to shows until it dried up about a year ago, having been not exactly weekly for a while before that. Seems that hosts Peter Rojas and Ryan Block were just too busy to find a matching slot in both their schedules to record it, which was a shame.

Ever since Pandora was blocked for users outside North America, one of my main sources of music in the office has been Peter Rojas' ad-supported online record label - RCRD LBL. I'm a big fan of the site (and one of my favourite tracks of the last couple of years has come from there - George Pringle's Carte Postale). If you like music, you've got to check out RCRD LBL - it's all free to download, so there's no reason not to!

Following on with the theme of scrapping the vowels, the two guys are back to working together with a new venture called gdgt.

In their own words: "gdgt is the new consumer electronics site by Peter Rojas and Ryan Block -- the guys behind Engadget and Gizmodo. We're still prepping things (no, this isn't the final site!), but we've got a weekly podcast you can listen to in the meantime." Peter says gdgt isn't a gadget blog, so it'll be interesting to see what the site turns into!

I listened to the first episode of the gdgt podcast this morning on the way to work and it was instantly like the last year without the Engadget podcast never happened. :-) Peter and Ryan said that episode 2 will be netbook-heavy, which is great because I'm toying with the idea of getting one - I'm putting off my decision until I've had a chance to listen to what they say.

Glad I didn't miss @Veronica's tweet about this!

Tuesday, Aug 26, 2008

Setting AD logon hours in PowerShell

Or "How to disable an AD user account and still allow delivery to their Exchange mailbox"...

I'd meant to blog about this some time ago, but was eventually reminded when Richard beat me to the punch last week with his post about setting AD logon hours in PowerShell - read Richard's post first, then come back here... ;-)

We make extensive use of logon hours on our accounts, but rather than using Richard's method of setting the value, we have a collection of what I call template accounts, and we copy the values from them. We've got one template that's set up for "always allowed", one for "never allowed" and another template for "custom" logon hours.

To use those, I do something like this: (NB. THIS CODE NO LONGER WORKS. SEE THE UPDATE BELOW)

#requires -pssnapin Quest.ActiveRoles.ADManagement
# Get template user logon hours
$userLogonHoursEnabled = Get-QADUser enabledtemplate | Select LogonHours
$logonHours = $userLogonHoursEnabled.logonHours
# Set logon hours on user in variable $username
Get-QADUser $username | Set-QADUser -ObjectAttributes @{logonHours = $logonHours}

So, why would we do that? Well, two reasons really...

We never actually disable a user account; instead we'll set the logon hours to never allow logon when we want to block someone's access. The reason for that is that disabling a user in the traditional way stops delivery to their mailbox. That may be desirable in some organisations, but we only disable for disciplinary reasons and they usually get access back pretty quickly, and we don't want them to miss some vital message that was sent in the meantime.

Secondly, by using that third, "custom" template, we can give someone permission to alter the logon hours on that template account using the GUI, so that they don't have to work out the numbers for the bytes and, more importantly, don't need access to change the PowerShell script; they can just run the script to apply the custom template to a collection of accounts.

 

UPDATE!
The PowerShell code above was written with an old version of Quest's AD cmdlets. While I'd noticed this, I hadn't got round to changing my code before Jonathan Medd from the Get-Scripting Podcast contacted me and said that he'd discussed the above example with some of the excellent folk from the PowerShell community on the PowerGUI.org forums. Together they've come up with solutions that work with the current version of the Quest AD cmdlets (1.1.2.761) in both PowerShell version 1 and V2 (as it currently stands at CTP2).

 

Rather than me re-posting here, check out the thread on the PowerGUI.org forums so you can see where the credit should lie (with Shay, Aleksandar and Andrey).
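To check what a template's logonHours value actually permits before it is copied to other accounts, the value can be decoded. The following is an added example, not code from the original post or from the Quest cmdlets; the function names and the sample byte arrays are constructed for illustration. The bytes are read as stored (UTC), which can differ from the local-time grid shown in the GUI.

```powershell
# Added example, not the original post's code. Function names are hypothetical.
# logonHours holds 21 bytes: 7 days x 24 hours, one bit per hour, in UTC,
# starting Sunday 00:00, least significant bit first within each byte.
$masks = 1, 2, 4, 8, 16, 32, 64, 128

function Get-AllowedHoursByDay {
    param([byte[]]$LogonHours)
    if ($LogonHours.Length -ne 21) { throw "Expected 21 bytes, got $($LogonHours.Length)" }
    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($d = 0; $d -lt 7; $d++) {
        $hours = @()
        for ($h = 0; $h -lt 24; $h++) {
            $i = $d * 24 + $h
            if ($LogonHours[[int][math]::Floor($i / 8)] -band $masks[$i % 8]) { $hours += $h }
        }
        New-Object PSObject -Property @{ Day = $days[$d]; AllowedUtcHours = $hours }
    }
}

function Get-LogonHoursState {
    param([byte[]]$LogonHours)
    # An unset attribute means no restriction at all.
    if ($null -eq $LogonHours -or $LogonHours.Length -eq 0) { return 'Always' }
    $allowed = 0
    foreach ($day in (Get-AllowedHoursByDay $LogonHours)) { $allowed += $day.AllowedUtcHours.Count }
    if ($allowed -eq 0) { 'Never' } elseif ($allowed -eq 168) { 'Always' } else { 'Custom' }
}

# Constructed sample values matching the post's three kinds of template.
$never  = New-Object byte[] 21            # every bit clear: logon never allowed
$always = [byte[]](,0xFF * 21)            # every bit set: logon always allowed
$custom = New-Object byte[] 21
$custom[4] = 0xFE; $custom[5] = 0x01      # Monday 09:00-17:00 UTC (bits 33..40)

"never : $(Get-LogonHoursState $never)"
"always: $(Get-LogonHoursState $always)"
"custom: $(Get-LogonHoursState $custom)"
Get-AllowedHoursByDay $custom | Where-Object { $_.AllowedUtcHours.Count -gt 0 } |
    ForEach-Object { "$($_.Day): $($_.AllowedUtcHours -join ',') (UTC)" }
```

Running the same state check over the accounts a template was applied to gives a quick review of which ones are currently blocked by logon hours rather than by the disabled flag.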

Friday, Aug 22, 2008

New PowerShell Book

My good friend Richard Siddaway, PowerShell MVP and founder of the UK PowerShell User Group, is writing a new book called PowerShell in Practice, aimed at systems administrators to show them how PowerShell can make their life easier.

The publisher, Manning, has started making chapters available through their Early Access Program, so you get the sections as they become ready. The first chapter, PowerShell Fundamentals, is available to read for free, so definitely go and check it out!