2009/12/22

Exchange PowerShell tips

Add Full Mailbox permissions to all mailboxes in the exchange organization:
# Matt’s Powershell Script (see tigermatt.wordpress.com) to add Full Mailbox permissions to all mailboxes in the Exchange organization
Add-PSSnapin Microsoft.Exchange.Management.Powershell.Admin -erroraction silentlyContinue
$userAccounts = get-mailbox -resultsize unlimited
ForEach ($user in $userAccounts)
{
add-MailboxPermission -identity $user -user "your-admin-account-name" -AccessRights FullAccess
}


Delete all messages in specific users' mailboxes with a specific title:
Add-PSSnapin Microsoft.Exchange.Management.Powershell.Admin -erroraction silentlyContinue
#$userAccounts = get-mailbox -resultsize unlimited
ForEach ($user in "John Doe", "Jane Doe", "Humpty Dumpty")
{
get-Mailbox -Identity $user | Export-Mailbox -SubjectKeywords "This is the message subject" -DeleteContent -MaxThreads 10
}


Delete all messages in an Exchange organization with a specific title:
Add-PSSnapin Microsoft.Exchange.Management.Powershell.Admin -erroraction silentlyContinue
$userAccounts = get-mailbox -resultsize unlimited
ForEach ($user in $userAccounts)
{
Export-Mailbox -Identity $user -SubjectKeywords "This is the message subject" -DeleteContent -MaxThreads 10
}

2009/11/21

PowerShell examples

Ping an IP address range and report which hosts are down:
PS H:\> for ( $i=200; $i -lt 255; $i++ ) { ping -n 1 -a -w 1000 192.168.0.$i > $null; if (!$?) { echo "192.168.0.$i is down" }; }

2009/11/17

Cisco Router notes

! If telnet is configured and enabled, then telnet to the router; else connect to the serial port

(I use putty for both)

myrouter> enable

myrouter# config terminal

myrouter(config)# password encryption aes
myrouter(config)# service password-encryption


! assign a domain name; this is a prerequisite for ssh key generation
myrouter(config)# ip domain-name mydomain.com

! initialize the authentication, authorization and accounting policy
myrouter(config)# aaa new-model

! configure the authentication source; in this case we'll use a local db
myrouter(config)# aaa authentication login default local

! configure the authorization source; the aaa policy is called "default"
myrouter(config)# aaa authorization exec default local

! create a user, assign a low privilege level (so enable password is still needed) and password
myrouter(config)# username my-username password my-password

! apply the policy to the vty
myrouter(config)# line vty 0 4
myrouter(config-line)# login authentication default
myrouter(config)#


! Enable SSHv2 only (disables SSHv1)

myrouter(config)# ip ssh version 2
myrouter(config)# crypto key generate rsa general-keys modulus 1024

! After verifying that ssh works, do this:
! Enable SSH only on virtual terminals (disables telnet)

myrouter(config)# line vty 0 4
myrouter(config-line)# transport input ssh

! add this to the ACL for your wan interface
permit tcp any host (router-external-ip) eq (some-high-range-port)
! Add this nat to open external access to ssh at the high-range port
ip nat inside source static tcp (router-internal-ip) 22 interface FastEthernet0 (the same-high-range-port)



How to copy router config to ssh server with scp:
enable
copy run scp://my-username:my-password@backuphostname//path/to/folder/$h-$t

archive
path scp://my-username:my-password@backuphostname//path/to/folder/$h-config
! the write-memory option will cause the archive scheduler to create a copy of the config each
! time it's saved to nvram. (it will append an incrementing -# to the end)
write-memory
end
(note that you may need the 'file prompt quiet' command to stop it from prompting whether you want to do it.)

# now compare two configs:
show archive config diff system:running-config scp://my-username:my-password@backuphostname//path/to/folder/router-config-1
# now replace the running config with an archived one:
config replace scp://my-username:my-password@backuphostname//path/to/folder/router-config-1 list



# now log all config changes to syslog:
config t
archive
log config
logging enable
! suppress display of passwords in configuration logs
hidekeys
! enable sending of notifications of configuration changes to syslog
notify syslog
exit


# The 'do' command allows you to run exec level commands from config mode.

Examples:
Router(config)#do show run

# Enable syslog logging
my-router(config)# logging (my-syslog-server-ip)
! The level "notifications" will include emergencies(0), alerts(1), critical(2), errors(3), warnings(4), and notifications(5); but it will exclude informational(6) and debugging(7)
my-router(config)# logging trap notifications
# optionally specify on what interface the logging should originate
my-router(config)# logging source-interface f0/0

2009/11/13

LDAP search to get active accounts with no password expiration

To get user account names of all *active* Active Directory *user* accounts with passwords that do not expire, run this command on Linux (substitute your domain, your admin account, and your domain controller):

ldapsearch -b "dc=mydomain,dc=com" -D "cn=myAdminAccount,ou=Users,dc=mydomain,dc=com" -H ldap://mydomaincontroller/ -W -x '(&(objectclass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectclass=Computer)))' sAMAccountName | egrep "^#"

"1.2.840.113556.1.4.803" is the LDAP matching rule OID for a bitwise AND compare against the userAccountControl attribute. 65536 (decimal) is 0x10000 (hex), the bit that identifies whether a password will expire (if "on", the password will not expire). "2" is the bit that identifies whether an account is disabled (if "on", the account is disabled), so the negated clause keeps only enabled accounts.
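As an added check that is not part of the original post: this POSIX shell script applies the same two bit tests locally to a constructed LDIF sample (the account names and userAccountControl values are made up), which is handy for re-checking an export you already have, or for confirming the filter logic before querying a domain controller.

```shell
# Constructed ldapsearch-style LDIF sample (not real directory data).
# 66048 = 0x10200 = NORMAL_ACCOUNT(512) + DONT_EXPIRE_PASSWORD(65536)
# 66050 = 66048 + ACCOUNTDISABLE(2)
SAMPLE_LDIF='dn: CN=alice,OU=Users,DC=mydomain,DC=com
sAMAccountName: alice
userAccountControl: 66048

dn: CN=bob,OU=Users,DC=mydomain,DC=com
sAMAccountName: bob
userAccountControl: 66050

dn: CN=carol,OU=Users,DC=mydomain,DC=com
sAMAccountName: carol
userAccountControl: 512
'

# userAccountControl bits used by the filter above.
ACCOUNTDISABLE=2            # 0x0002: account is disabled
DONT_EXPIRE_PASSWORD=65536  # 0x10000: password never expires

# True (exit 0) when the password never expires AND the account is enabled;
# this is exactly what the two 1.2.840.113556.1.4.803 clauses express.
uac_matches() {
    uac=$1
    [ $(( uac & DONT_EXPIRE_PASSWORD )) -ne 0 ] && [ $(( uac & ACCOUNTDISABLE )) -eq 0 ]
}

# Read LDIF on stdin; print the sAMAccountName of every entry that matches.
# awk collects the two attributes per entry; an empty line or the next dn ends an entry.
filter_ldif() {
    awk '
        /^sAMAccountName:/     { name = $2 }
        /^userAccountControl:/ { uac = $2 }
        /^$/ || /^dn:/ { if (name != "" && uac != "") print name, uac; name = ""; uac = "" }
        END { if (name != "" && uac != "") print name, uac }
    ' | while read -r name uac; do
        if uac_matches "$uac"; then echo "$name"; fi
    done
}

# Run the check over the constructed sample; prints "alice" only.
matching_accounts() {
    printf '%s\n' "$SAMPLE_LDIF" | filter_ldif
}
```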

2009/10/02

iSCSI initiator on CentOS 5

yum install iscsi-initiator-utils

vi /etc/iscsi/initiatorname.iscsi

vi /etc/iscsi/iscsid.conf
# In particular, if using authentication:
node.session.auth.username = ISCSI_USER_NAME
node.session.auth.password = Password
discovery.sendtargets.auth.username = ISCSI_USER_NAME
discovery.sendtargets.auth.password = Password

chkconfig iscsi on
service iscsi start

iscsiadm --mode discovery --type sendtargets --portal PORTAL_IP
or
iscsiadm --mode node --targetname TARGET_IQN --portal PORTAL_IP:3260 --login

service iscsi restart

chkconfig iscsid on
service iscsid start

Now the device nodes should be present
fdisk, do whatever, and in /etc/fstab, your entry should look something like this:

/dev/sdb1 /mnt/foo ext3 _netdev 0 0

Note that if you want to use lvm, you should ensure that the iscsi devices are on separate volume groups from your root and system filesystems; else, the system may be non-bootable if the iSCSI targets cannot be reached.

2009/07/09

Parallelizing Tasks in Unix/Linux

From Ian C. Blenke, The easiest way is with parallelized xargs:

$ find . -name '*.jpg' | sed -e 's/.jpg$//' | xargs -P4 -l1 -i convert {}.jpg {}.png

The -P flag for xargs is a _wonderful_ thing to learn. Do it now; it
will forever save you time. I use it daily in our huge farm of linux
servers; makes for far more bearable adminning.

2009/06/08

CentOS NFS permission denied on mount

An NFS mount results in a permission denied error, even though the export permissions on the server check out as correct.

The solution is to add (on the exporting host):

nfsd /proc/fs/nfsd nfsd auto,defaults 0 0

to /etc/fstab and then type:

$ mount -a

on the client.

Not sure why this error exists.

2009/05/20

Remote execution on Windows

I've been trying to have a poor man's backup: from my scsi-tape-attached linux box, remote execute ntbackup on each of my windows boxes, then dump those backups to tape.

In the past, I've had separate scheduled tasks on each windows server; the problem is, there's no central error reporting mechanism. The idea of the new approach is to have all of the backup reporting (and exit statuses) in one cron log report.

I've been using winexe, which is pretty cool. It lets you run remote windows commands from Linux. It appears to be part of Samba4, although you don't need all of Samba4 to make it work.

...It hasn't worked properly.

This thread appears to say why:
'Any process you can access or create on a remote machine will not be able to "touch" any other machine in the network. Only an "interactive" session can do this by default.
'You would need to tell Active Directory to "Trust" the machine for "Delegation" to make this work. This is usually not a good idea as it can present a considerable security risk if not managed closely.'
If true, then that might have something to do with it.

...the selection lists, the backup scripts, and the backup targets are located on a linux samba server. Then again, it appears to be able to see and execute those files. Hmm... too tired, need to think about this more.

2009/05/19

OpenSolaris Notes

I'm primarily a linux guy (used Solaris between 96-2002), so here are some notes to self:

Service log files are stored under /var/svc/log

There are a few problems getting printing to work in 2009.06:
http://defect.opensolaris.org/bz/show_bug.cgi?id=2656
http://defect.opensolaris.org/bz/show_bug.cgi?id=6366

patch /etc/dbus-1/system.d/hal.conf

pkg install SUNWsmmgr
svcadm enable network/device-discovery/printers:snmp
svcadm refresh svc:/system/dbus:default
svcadm restart svc:/system/dbus:default
svcadm disable snmp
svcadm enable snmp
svcadm clear printers:snmp
svcs printers:snmp
tail -f /var/svc/log/*print* to see what's happening.

2009/05/16

Centos AD Authentication and users and groups

To configure your linux workstation to pull user and group, and authentication information, from AD, run these commands. They do the dirty work of configuring pam, samba+winbind, nscd, and Kerberos.

Substitute your admin user account where mine is used below (admin-username), your AD dns domain/realm where domainname.com is used, and the netbios domain name where domainname is used.

yum install samba pam_krb5.x86_64 pam_smb.x86_64 nscd

authconfig --enableshadow --passalgo=sha512 --disablenis --disableldap --disableldapauth --disableldaptls --disablesmartcard --disablerequiresmartcard --enablekrb5 --krb5kdc=dc1.domainname.com --krb5adminserver=dc1.domainname.com --krb5realm=DOMAINNAME.COM --enablekrb5kdcdns --enablekrb5realmdns --disablesmbauth --smbworkgroup=DOMAINNAME --smbservers=dc1.domainname.com,dc2.domainname.com --enablewinbind --disablewinbindauth --smbsecurity=ads --smbrealm=DOMAINNAME.COM --smbidmapuid=10000000-20000000 --smbidmapgid=10000000-20000000 --winbindseparator=\\ --winbindtemplatehomedir=/home/%D/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablewinbindoffline --winbindjoin=admin-username --disablewins --disablehesiod --enablecache --enablelocauthorize --enablepamaccess --disablesysnetauth --enablemkhomedir --updateall

Note that all users on the domain will now be able to log in to your computer over the network, unless you either:

1. Set up an ssh AllowUsers or AllowGroups parameter in /etc/ssh/sshd_config (see man page for sshd_config); or

2. Use pam_access (see man page for pam_access)