Security Group Management Script

Over at eNow Consulting’s blog, I submitted an article and script on Exchange Group Management. It’s been working great for me, and hopefully will help others. I had a similar requirement around Security Groups, and this is the result.

The script itself is barely different at all, but I wanted to share it anyway. I think it’s a great demonstration that you can really customise a script for whatever purpose you have. If you want to know how the script works generally, read my post at eNow, but there’s only one line different.

Instead of creating a new distribution group, it’s creating a new AD group. The whole command is a bit different, but it’s still doing the same thing – creating a group. If you only wanted to manage existing groups, and removed that line altogether, you could manage both email and security groups from the single script (assuming a single CSV file contains everything you want).

Here’s the script:

# Script to populate members of Security Groups
# Needs the ActiveDirectory module (RSAT); the CSV has GroupName and Filter columns
Import-Module ActiveDirectory
Start-Transcript -Path C:\Scripts\Admin\Logs\securitygroups.txt
$data = Import-Csv C:\Scripts\Admin\securitygroups.csv
foreach ($group in $data){
# Create the group (remove this line if you only want to manage existing groups)
New-ADGroup -Name $group.GroupName -GroupCategory Security -GroupScope Universal -Path "OU=Security Groups,DC=mydomain,DC=com,DC=au" -Description "Automatically Managed by @AdamFowler_IT's Script"
# Find every user matching this group's filter from the CSV
$users = Get-ADUser -SearchBase "ou=Users,dc=mydomain,dc=com,dc=au" -Filter $group.filter
# Clear the current membership, then repopulate it from the filter results
Get-ADGroup -Identity $group.groupname | Set-ADObject -Clear member
Add-ADGroupMember -Identity $group.groupname -Members $users
}
Stop-Transcript

My recommendation on how to use this script is around the ideology that you should intelligently create security groups based on criteria around how the business functions. For example, the Finance department can have their own security group, if their department is Finance. Makes sense right?

The catch, though, is to NOT link any actual security to this group. You don’t want 30 different things (e.g. files, folders, SharePoint sites, anything you’d use a security group for) pointing to one group. What if the Finance folder needs to be accessed by the CEO of your company? You shouldn’t just add them to the group by adjusting the filter in the script’s CSV, because they’ll get access to the 29 OTHER things pointed at this group.

The way around this is to have a security group for every single separate thing you apply security to. Have a Finance drive? Then create an AD security group with a descriptive name, and add the original Finance security group as a member. This way, if someone joins or leaves the Finance team, security will automatically apply. On top of that, if you need to give the CEO access to the Finance drive, you can do it through this secondary group, knowing you’re only giving them access to that one thing.

The one-to-one relationship between a security group and what it applies to will make managing it in the future much easier. You could extend this even further and have a security group for each job function – this would mean there is a CEO security group that contains the CEO, and you can then add that security group to anything they need. The biggest benefit of this is when your CEO quits and another one comes along: you can just add them to that CEO group and they’ll get the same access as the last CEO. Not sure what access the CEO gets? Check what the CEO security group is a member of, and all your smartly named security groups will be listed.

My last tip around security groups is to note down who’s in charge of the group in either the notes or description field. If a query comes up a year later, you may not remember who originally asked for the security. Having a person or a job title listed means you can quickly get approval for making membership changes to the group.
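As an added example (not the original script from this post), here is what the nested layout above looks like in PowerShell with the ActiveDirectory module: a role group populated from a department filter, a resource group that is the only thing ever placed on an ACL, the role group nested into it, a one-off grant going into the resource group only, and a lookup of which resources a role group reaches. The group names, the Role-/Resource- prefixes, the OUs, the domain DN, the share path and the accounts finance.manager and ceo.user are all assumptions.

```powershell
# Added example of the role group -> resource group layout described above.
# Everything below (OUs, domain, names, accounts) is assumed, not from the post.
Import-Module ActiveDirectory

$GroupOU = "OU=Security Groups,DC=mydomain,DC=com,DC=au"   # assumed OU for groups
$UserOU  = "OU=Users,DC=mydomain,DC=com,DC=au"             # assumed OU for users

# Create the group only if it does not exist yet, so the script can be re-run.
# Description and ManagedBy record who approves membership changes (the last tip).
function Ensure-ADSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Description,
        [string]$Owner   # sAMAccountName of the person or role that owns the group
    )
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $GroupOU
    if (-not $existing) {
        $params = @{
            Name = $Name; GroupCategory = 'Security'; GroupScope = 'Universal'
            Path = $GroupOU; Description = $Description
        }
        if ($Owner) { $params.ManagedBy = $Owner }
        $existing = New-ADGroup @params -PassThru
    }
    return $existing
}

# Add-ADGroupMember errors if the member is already present, so check first.
function Add-ADGroupMemberIfMissing {
    param([Parameter(Mandatory)]$Group, [Parameter(Mandatory)][string]$MemberSam)
    $already = Get-ADGroupMember -Identity $Group |
        Where-Object { $_.SamAccountName -eq $MemberSam }
    if (-not $already) { Add-ADGroupMember -Identity $Group -Members $MemberSam }
}

# 1. Role group: membership driven by an attribute, as the CSV-driven script does.
$roleGroup = Ensure-ADSecurityGroup -Name 'Role-Finance' `
    -Description 'Everyone in the Finance department. Owner: Finance Manager' `
    -Owner 'finance.manager'
$members = Get-ADUser -SearchBase $UserOU -Filter 'Department -eq "Finance"'
Get-ADGroup -Identity $roleGroup | Set-ADObject -Clear member
if ($members) { Add-ADGroupMember -Identity $roleGroup -Members $members }

# 2. Resource group: one per thing you secure. Only this group goes on the ACL.
$driveGroup = Ensure-ADSecurityGroup -Name 'Resource-FinanceDrive-Modify' `
    -Description 'Modify on \\fileserver\Finance (assumed path). Owner: Finance Manager' `
    -Owner 'finance.manager'

# 3. Nest the role group into the resource group; joiners and leavers flow through.
Add-ADGroupMemberIfMissing -Group $driveGroup -MemberSam $roleGroup.SamAccountName

# 4. A one-off grant (the CEO example) touches the resource group only, so the
#    CEO gets the Finance drive and nothing else that Role-Finance is used for.
Add-ADGroupMemberIfMissing -Group $driveGroup -MemberSam 'ceo.user'

# 5. "What does this role have access to?" Resource groups are the direct parents
#    of a role group in this layout, so listing direct memberships answers it.
function Get-RoleResourceGroups {
    param([Parameter(Mandatory)][string]$RoleGroup)
    Get-ADPrincipalGroupMembership -Identity $RoleGroup |
        Where-Object { $_.Name -like 'Resource-*' } |
        Select-Object Name,
            @{ n = 'Description'; e = { (Get-ADGroup $_ -Properties Description).Description } }
}

Get-RoleResourceGroups -RoleGroup 'Role-Finance'
```

Because every resource group description names the share and its owner, the output of the last call is the full "where does Finance have access" list, with the approver for each entry already on it.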

Thinking about how you’re going to manage things in the future and planning around it might be a bit more painful at the time, but it really pays off in the end.

Excel and Word Macros Broken with Windows Update

A problem popped up recently where an Excel macro file wasn’t working – there was a button to run the macro, but the button wouldn’t even click. This is despite all the security settings being at their lowest – e.g. Enable all macros (not recommended; potentially dangerous code can run).

A friend pointed me in the right direction for this one, and the culprit was Windows Update KB2553154, which I don’t think has actually been pulled yet (although InfoWorld reports others have). The patch is designed to fix a vulnerability.

There’s a great post on StackOverflow about this, along with a fix from user John W that I can confirm works:

From other forums, I have learned that it is due to the MS Update and that a good fix is to simply delete the file MSForms.exd from any Temp subfolder in the user’s profile. For instance:

C:\Users\[user.name]\AppData\Local\Temp\Excel8.0\MSForms.exd

C:\Users\[user.name]\AppData\Local\Temp\VBE\MSForms.exd

C:\Users\[user.name]\AppData\Local\Temp\Word8.0\MSForms.exd

Of course the application (Excel, Word…) must be closed in order to delete this file.

I actually just deleted everything in the Temp folder. The user didn’t need to log off or anything, just opened up the Excel Macro template and it instantly worked.

You could use group policy preferences to delete these .exd files if you don’t want to manually remove it, but hopefully you don’t have too many people in your company affected by this. Otherwise, it might be a good idea to hold off on 2553154 as MS may release a hotfix or re-patch the patch.
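For a fleet rather than one user, the same clean-up can be scripted. This is an added example, not from the post: it checks that Excel and Word are closed, then removes MSForms.exd from the three Temp subfolders listed above for every profile under C:\Users. The profile root (and the assumption that every profile lives there) is mine; run it elevated, and -WhatIf shows what would be deleted without deleting anything.

```powershell
# Added example: remove the stale MSForms.exd caches described in the post
# from every user profile on a machine. Paths come from the post; the profile
# root is an assumption. Supports -WhatIf / -Confirm via ShouldProcess.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ProfileRoot = 'C:\Users'   # assumed location of user profiles
)

# Office holds the cache open, so refuse to run while Excel or Word is up.
$running = Get-Process -Name 'EXCEL', 'WINWORD' -ErrorAction SilentlyContinue
if ($running) {
    $names = ($running | Select-Object -ExpandProperty ProcessName -Unique) -join ', '
    Write-Warning "Close these applications first: $names"
    return
}

# The three Temp subfolders named in the StackOverflow fix quoted above.
$subfolders = 'Excel8.0', 'VBE', 'Word8.0'
$removed = @()

foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory) {
    foreach ($sub in $subfolders) {
        $exd = Join-Path $userDir.FullName "AppData\Local\Temp\$sub\MSForms.exd"
        if (-not (Test-Path -LiteralPath $exd)) { continue }
        # Office rebuilds the .exd cache on next launch, so deleting it is safe.
        if ($PSCmdlet.ShouldProcess($exd, 'Remove stale MSForms.exd cache')) {
            Remove-Item -LiteralPath $exd -Force
            $removed += $exd
        }
    }
}

"Removed $($removed.Count) file(s):"
$removed
```

Deployed as a startup script or through Group Policy Preferences as the post suggests, the running-process check matters: at logon Office is not yet open, which is exactly when the file can be deleted cleanly.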

Updated: Affects Word also.

Lumia 830 vs Lumia 930 Review

Microsoft have provided me with a new Nokia Lumia 830 to roadtest, so I was keen to compare it against the current flagship model – the Nokia Lumia 930. The 830 is a mid-range phone though, so there are many differences between the two. I reviewed the Lumia 930 a few months ago, so we’ll cover the 830 mostly with some comparisons to the 930.

OS
The Lumia 830 is one of the first phones to ship with Lumia Denim, following on from the Lumia Cyan release (they go up alphabetically, like Ubuntu releases). Microsoft list the features here, and there are a few nice additions. For Australians such as myself, along with Canadians and Indians, we have alpha Cortana support. I’ve started to test this, and speech recognition is definitely better than it was previously. The other more important benefits relate to certain Lumia phones only, which mostly focus on camera improvements, as well as features for the glance screen.

Screen
Yes, the glance screen is back! This was one of the biggest features missing from the Lumia 930, but it returns thanks to the 830 using an LCD screen rather than the 930’s OLED. Grabbing your phone out of your pocket and just looking at it to know the date/time along with a second piece of information is simple but efficient. I’d like to see more options around this – I don’t like choosing between weather OR my next meeting, I’d like to see both. Hopefully as glance screen matures, it will become even more customisable.

Despite both phones having a 5 inch screen, resolution-wise the 830 runs at 720 x 1280, which is much lower than the 930’s 1080 x 1920. I couldn’t visibly tell the difference in general day to day use, so although more pixels is better, I’d be happy enough with the lower res (which is still quite high).

Hardware
Physically this is a lighter, less robust phone than the 930. There’s only 17 grams of difference between the two, but the 830 is also thinner. The micro USB port has moved to the top left of the phone, rather than the bottom middle. I’m not sure which is a better spot – I’m tending to believe that the top is more convenient, so you can lean the phone upright against something if you had to, while charging or copying data. Wireless is where it’s at though, and just like the 930, wireless charging is built into the native backplate. I have mentioned this in previous reviews, but once you are set up for wireless charging, you’ll miss it when you don’t have it.

The battery is removable in the 830, and there is an internal microSD card slot – neither of which the 930 has. I prefer these options as they give flexibility in being able to swap things around, but they also allow for sleeker protective covers due to the back plate clipping completely off – a complaint I had about the official Nokia 930 cover making the phone too bulky.

Camera
The inbuilt camera for the 830 runs at 10 megapixels, much less than the 930’s 20 megapixels. Camera quality is still good, as per any decent smartphone these days, and there are plenty of people who have made comparison shots in detail, so look those up if you’re interested. The camera doesn’t really protrude from the back of the phone (unlike the Lumia 1020’s 43 megapixel beast), but the cover does curve slightly to protect it, not that it bothered me.

One interesting thing I found was under Settings > Applications > photos+camera, you can choose which application launches by default when pressing the camera button. This was set to Nokia Camera, but changing it to Microsoft Camera resulted in a much faster loading time when pressing the camera button, as well as quicker pictures being taken. I’m not sure how this relates to the Lumia Camera app that’s also due for release very soon, but they do seem to be different programs:

[Screenshot: Nokia Camera]

[Screenshot: Microsoft Camera]

Photos in a darkened environment aren’t terrible – they’re nowhere near as good as the 930, but they’re passable. Washed out, but still better than what I’d expect without a flash being used. Here’s an example of a photo in a reasonably dark room:

[Photo: sample shot taken in a reasonably dark room]

Other bits
For Australians and possibly others, the Lumia 830 has the new 700MHz band which Optus and Telstra are in the process of releasing. This should give better coverage and faster 4G speeds. The Lumia 930 doesn’t have this band, which is a consideration.

Should I Buy One?
If you’re trying to decide between the Lumia 830 and 930, then you need to pick between the main factors. The 830 is reasonably cheaper, has a swappable battery and microSD slot, and glance. The 930 is faster CPU-wise, has a higher res screen and a much better quality camera. Those are the selling points between the two, so pick the one that makes the most sense to you.

If you’re thinking of upgrading from an older Lumia handset, then unless it’s so old that it won’t run Windows Phone 8.1, there’s no huge benefit in upgrading. I had to use a Lumia 920 for the last few weeks while my 930 was repaired, and it didn’t feel like I was going backwards.

This is a really nice, solid phone; it’s light to hold and smooth to use. I don’t have any complaints about it, which shows that Microsoft/Nokia seem to know what they’re doing now. If I had bought this outright, it’s definitely not something I would regret.

How to unlock a linked iPhone/iPad

Apple, in their wisdom, have implemented a way of reducing iPhone and iPad theft – by linking an iOS device to an Apple ID (aka iTunes account, or iCloud account). This is good, because there is no way to wipe and reuse the device without providing the correct Apple ID username and password. eBay is full of these too, selling them for parts only.

[Image: an example locked iPhone listing from eBay]

This is also bad though, particularly for businesses. You can dish out iPhones to all your staff, but unless you disable the use of Apple IDs, or manage the credentials with email accounts you have access to, this is out of your control. Staff can use their personal Apple ID on a device, and when they leave for whatever reason, you get handed back a completely useless device.

Some companies can enforce this as part of someone’s contract or terms of employment; return the phone in working order, or you’ll be charged for it. This is a big hassle to chase up though, and you can still be left with a non-functioning phone at the end of it.

After researching the locked iOS device problem, and calling around… there is a way you can reset these phones to be in working order again. The problem with this process is that you need Apple to press a magic button, and will have to convince them to do so.

Here’s a step by step on how I managed to get a few phones unlocked:

1. Call Apple. You don’t need valid AppleCare support or anything like that; tell them you have a locked device, along with saying whether it’s business or personal. They’ll then transfer you through to the local area that looks after locked devices.

2. The local area will raise a case for you, and want to know the IMEI or serial number of the device.

3. You’ll then receive an email from a ‘do not reply’ Apple address, similar to this:

Please review the Form below and complete or correct any needed information. Afterwards please copy and send to xxx@apple.com using “xxx” as the subject, and attach any and all Proof of Purchase documents, unless confirmed by advisor. A reply will be sent within 2 to 10 business days.

To be considered valid, the receipt must include the following information:

1. Reseller’s name
2. Reseller’s address, phone number or website URL
3. Date of purchase when the product was originally sold
4. Product serial number, IMEI number or MEID number

The serial number can be typed or handwritten. If the reseller didn’t provide the serial number on the receipt, you can write the number on the receipt before you send it. For help finding your product’s serial number, see this article:

How to find the serial number of your Apple hardware product
http://support.apple.com/kb/HT1349

4. Find your proof of purchase (receipt or invoice). For me, there was no IMEI or Serial number referenced, so I handwrote the serial number on the invoice and scanned it in.

5. Email your invoice to the address provided in the last email.

6. For businesses at least, you’ll then receive an email like this:

Hi Adam,

Thanks for contacting AppleCare for your unlock request for Find My iPhone: Activation Lock. To complete your request, we’ll need more information. Please fill out the following Statement of Ownership and Authority.

UNLOCK AUTHORIZATION STATEMENT: “I [CUSTOMER NAME] representing [BUSINESS/INSTITUTION NAME] authorize Apple, Inc. to unlock the devices listed.”

Reply to this email with the completed form. We’ll confirm we received your email within 2 business days and continue to work on your request. For faster turnaround time, please keep the case number in the subject line of your reply.

We look forward to hearing from you.

For consumers, you may need to have a signed declaration from a Justice of the Peace (J.P.).

7. Send back your one liner ‘unlock authorization statement’, then wait a few days. 2 business days for companies, but I was told it’s a week or longer for consumers.

8. If all goes well, you’ll then get the final email stating that the lock has been removed:

Thanks for sending the proof of purchase for this product:

Product: IPHONE XXX
Serial number: XXX

After reviewing the provided documentation, we have turned off Find My iPhone Activation Lock on your device. You can now perform a recovery-mode restore to erase the device and set it up with a different Apple ID.

For more information on how to perform a recovery-mode restore, see this article:

iOS: Unable to update or restore
http://support.apple.com/kb/HT1808

Warning: When you restore the device and remove the current Apple ID, all data associated with that Apple ID will be deleted from the device and will not be restored when you set up a different Apple ID. This includes, but is not limited to, iTunes and App Store purchases, content stored in iCloud, and any iMessage conversations.

Please contact us by phone if you have any other issues or questions. To find the right phone number, see this article:

http://support.apple.com/kb/HE57

Thanks for contacting AppleCare.

9. Try your phone again, and it should check with the Apple servers and be completely unlocked.

Please comment if this process has worked or failed for you.

Azure Live for Australia

Today I logged onto Azure with my MSDN account, and considered setting up a Terraria server. That’s just the sort of fun I have on a Sunday afternoon.

To my surprise, I noticed that there were two new regions available on the virtual machine I was about to create: Australia East and Australia Southeast. If my primary school geography had taught me correctly, that would be Sydney for East, and Melbourne for Southeast.

I of course immediately tweeted about it to share the good news.

Creating a few VMs seemed to be a very quick process, particularly compared to creating VMs in other regions. I’m going to guess that this is because there aren’t too many people creating VMs right now, but come tomorrow it may have a bit of load – especially due to TechEd Australia starting in Sydney where I’m sure they’ll share the news.

Speed wise, it also seems much more responsive to RDP to – makes a lot of sense when the data doesn’t have to travel overseas and back – so I thought I’d ping one of the new VMs to see what sort of roundtrip difference there was.

It was at this stage I found out that you can’t ping an Azure VM from the public internet, which makes sense due to load balancers and other infrastructure smarts getting in the way. I could have set up a VPN, but this solution was much easier; using psping from Sysinternals. This works by using TCP and letting you specify which port. By default, Windows VMs are created with two ports forwarded: 3389 for RDP, and 5986 for PowerShell. I first tried this with port 3389 but didn’t get a response, but 5986 worked:

[Screenshot: psping from Adelaide to Sydney]

Sub 40ms from my home Telstra Cable internet connection in Adelaide to Australia East (Sydney). Is it any better if my VM is hosted in Melbourne?

[Screenshot: psping from Adelaide to Melbourne]

That… seems about the same. I would have expected Melbourne to have less latency, but it’s still quite decent.

For comparison, how does the region East US look in Azure?

[Screenshot: psping from Adelaide to East US]

Huge difference. Above what I’d want clients to be connecting to a server at, as many applications can get a bit funny above 150ms or so. Still usable in many scenarios of course!

Azure going live in Australia will be the green light that many Microsoft based businesses have been waiting for to give the cloud a real chance, and I’m sure there will be interesting times ahead for those who start playing with Azure.

Quick Update:

David O’Brien was unable to see the Australian datacentre options, and came up with this explanation:

“only available for australian subscriptions. Every other region is available for everybody, not Australia.”  https://twitter.com/david_obrien/status/526339016245800961

So, if you can’t see the Australian options either you might have the same problem. Hopefully it will be available to all regions soon?

People Don’t Care About Security

Someone dumped hundreds of Dropbox usernames and passwords today, with the claim that they are just a small sample of the 7 million hacked accounts. One of the pastebins with this information is located here http://pastebin.com/Ntgwpf containing the following intro:

Dropbox Hack third Teaser.

Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts
To see plenty more, just search on pastebin for the term Dropbox hack.

According to Dropbox, most of the credentials shared so far (roughly 400) don’t actually work. Dropbox are also saying they weren’t hacked, but that an unrelated service had these credentials stolen instead. That’s actually very likely, but Dropbox themselves don’t have the best track record. In 2012, they were hacked when someone used credentials of Dropbox staff members to gain access. Maybe this has happened again, but you’d hope that they forced two-factor authentication onto their staff members, rather than making it optional for outside users of their service.

Looking back further to 2011, Dropbox was under heat about their security practices and ability to actually protect data. It was reading that news that first made me very concerned about the company Dropbox, and their ability to protect documents.

Jumping forward to 2013, it was then shown that the two-factor authentication could be reverse engineered, yet again pointing out Dropbox’s insecurities. This one required access to the victim’s Dropbox client, and if they’ve gotten that far the victim is in a world of trouble anyway, so not as scary as previous incidents, but not ideal.

Despite this, Dropbox has over 200 million users. It would be an article in itself to see how they got to this stage, but the two main reasons are: They were free, and simple to use. Security is not a consideration for most people, and the general idea that a well known corporate entity should know what they’re doing is more than enough assurance for the general user of their services. The latest breach, regardless of who was at fault, will not see a mass exodus of users from their service.

I believe this comes down to the lack of caring from people. Most out there wouldn’t know that Dropbox ever had an issue. They probably started using it when someone shared a file with them, and seeing how easy it was, they used it to share another file. It is easy, and that’s really all that matters (the free part matters greatly, but really adds to the ‘easy’ label). Dropbox gets used in businesses all the time, by people who just need to get work done. The chance that someone else might read a confidential document doesn’t even cross their minds – they’ve emailed things around for years, so why not upload a document and share it with one person?

For most people reading this, I’ve probably just stated the obvious. My point on this though, is that the mindset of people won’t change anytime soon, possibly ever… so you shouldn’t expect it to. Anyone who had a PlayStation 3 account in 2011 lost their credentials due to a hacker, but the PS4 is the best selling console of the current generation. Xbox 360/Wii didn’t have this, but people just don’t care about their personal information enough to actually *not* get something they want.

If people found out that the government was actually recording every single phone call made, people would be up in arms. But along with that, would be everyone else still using their phones and not caring. You can be walking down the street and hear someone read out their credit card number over the phone for the same reason.

What is the solution to this lack of caring? For a business, it’s generally enforcing rules. Strong password requirements, RSA tokens, lock down of settings and USB devices on computers – whatever the business can justify to itself to protect its own data. In the consumer world though, nobody else is going to protect the consumer’s data without a financial reason to do so. Should a company like Dropbox force two-factor authentication upon all their users? If they’d done this from the start, would they be as successful as they are now, or would everyone have signed up to another service that just used a username and password – easier to use?

So, in the consumer space all we have to work with is education. “Don’t use the same password for everything you do” is a simple tip, but again do people actually care enough to follow? Usually not – so something has to change. Maybe it will be government legislation around security and user requirements for services, and put the onus on the companies providing the services to meet these requirements.

Feel free to comment if you disagree or have an amazing solution, and we’ll go halves in selling it to the world. For me, I’m just going to use a fake name and password for everything I do, and add an extra layer to the tin foil hat.

Signing Out,

Mr X

Western Digital Make Backup Devices?

Western Digital (WD) is well known for its hard drives. They’re one of the few remaining manufacturers and have a reasonable reputation in this market. They’ve also made great media players which again have a good reputation of ‘just working’. Being a storage company though, it makes sense that they make backup devices too, namely the Arkeia range of WD products. I’ve had a chance to check out the WD Arkeia DA2300 that they sent out to me, and it’s turning out to be a decent piece of kit.

Hardware – The Box
Physically, the WD Arkeia DA2300 is a modern and functional looking cube (almost a cube at least, it’s slightly longer). It measures roughly 16cm H x 21cm W x 22cm L, which seems pretty small for what it’s packing.

[Photo: front of the WD Arkeia DA2300]

The LCD screen shows the device name and IP address, and below it has a lockable front door which conceals the four hot swappable drive bays. One of the nice things about this is that there are no screws required, which some other 4 bay devices have; you just slide in a raw SATA drive. Looking at the back of the device, there’s an abundance of ports. 6 USB ports, with 4 being USB3, should cover any USB connectivity requirements. Below the USB ports are two gigabit NICs and a 3rd port which you can ignore… it’s not functional, and doesn’t appear in any spec sheets. There’s also a single VGA port, and two power sockets. Two power packs are provided with the unit, so if one either fails or accidentally gets unplugged, the device itself continues to stay up. As you can see from the photo, I just plugged one in and it worked perfectly fine:

[Photo: back of the WD Arkeia DA2300 with a single power pack connected]

Specifications – What’s Inside?

Firstly, there are two options depending on your requirements. You can either go the 2 x 4TB size option (which has 16GB RAM), or the 4 x 4TB option (which has a bit extra RAM, 24GB). The disks are configured in RAID 1, so you’ll either get 4TB or 8TB of usable space with redundant mirrored disks. The disks themselves are WD SEs, which are Western Digital’s datacenter flavour of spinning disks and the most reliable of the WD series. Usable space is a different story though: due to the deduplication technology used in the software, WD claim you’ll be able to store 5x the amount of usable space. There’s also a 128GB SSD inside which is used for caching to speed up common data reads and writes. All of this is powered by an impressive Intel Xeon E3-1265Lv2 2.5GHz Quad Core CPU.

Software

As with most devices these days, it’s a web driven interface. After logging in, you’re greeted with a dashboard that does quite a decent job of showing you what’s going on with the device. It’s a reasonably clean interface to navigate, but will probably take a bit of clicking around to find all the configuration and options you need (As you can see, I had a failed job and a successful job):

[Screenshot: WD Arkeia dashboard showing one failed and one successful job]

Clients

For the Arkeia to do its job, the clients it will connect to need the Arkeia Agent installed. This lets the WD Arkeia Appliance connect to the client and back up the relevant data. The client itself is easy to install, and packages are available for a large number of operating systems including many flavours of Windows, Linux and OS X. The client itself seems very lightweight, and I didn’t have any issues with it running.

Backup Options

The options available are one of the biggest selling points of this device. You could buy a cheap NAS with the same number of disks for a lot less, but the Arkeia’s software lets you back up a lot of different types of data. There’s all the common file level backups, but there’s also VM support for both VMware and Hyper-V. Being able to back up VMs to a central point easily is a huge value-add in my opinion. There’s also support for Domino and Exchange database backups (not mailbox level), SQL Server/MySQL, VSS snapshots and others. Bare Metal Recovery is also available, where you can restore by creating an ISO and booting the affected server off it to start the restoration process.

Also supported are both Cloud backups to CloudStorage, as well as Tape (based on providing your own tape drive) which again gives users of the device enough choice on where they want to keep their data long term. There’s also the ability to seed to another WD Arkeia device which may be suitable if you have multiple sites.

Bells and Whistles

Apart from the above features, there are also a few other nice features the WD Arkeia 2300 has. Inbuilt reports can be generated and scheduled on backups, restores, disk and tape replication, tape drives etc., giving you visibility on how your backups went without needing to log on to the device daily and check. The data deduplication also gives you the storage saving benefit of being able to back up a lot more data than the raw 4TB available.

Conclusions

The WD Arkeia DA2300 is aimed at small to medium businesses who have more complicated backup requirements than just a file share, but also don’t have a highly complex environment. Having this device set up once and making sure backup reports are OK is all you need to have a reliable backup system that supports both full and incremental backups, and is easy enough to use without needing to study or sit a course like more sophisticated and complicated backup solutions may require. WD have provided sufficient redundancy options in the device too, which some lower end devices ignore. There are other flavours in the Arkeia range depending on your storage and performance requirements too. The device can be purchased from many resellers, or online stores such as Amazon.