Archive for the ‘Documentation’ Category

Exchange Search Mailbox

In order to search a mailbox, the account you are using must be a member of the “Discovery Management” role group.

To check:
[PS] >Get-RoleGroupMember "Discovery Management"

To add somebody to a role:
When you add somebody as follows, you will be prompted for the member. For example, Administrator.
[PS] >Add-RoleGroupMember "Discovery Management"

If you are doing this as Administrator and are adding the Administrator account, you will need to restart your EMS (Exchange Management Shell).

Once you have added the role, you will be able to use the Search-Mailbox cmdlet. There are many search options. Below is a simple example searching the subject of a mailbox. The way this works is that the search results are sent to a target mailbox and folder.

[PS] C:\> Get-Mailbox alias | Search-Mailbox -SearchQuery {Subject:"searchfor"} -TargetMailbox mailbox -TargetFolder "foldername"

[PS] C:\> Get-Mailbox jim | Search-Mailbox -SearchQuery {Subject:"work rules"} -TargetMailbox mailadmin -TargetFolder "SearchJim"

So, in this example, the mailbox jim will be searched for any message with “work rules” in the subject line. Any results will be put in the mailadmin mailbox in a folder called SearchJim.

You can do the same thing for the body of the message:
-SearchQuery {Body:"somethinginthebody"}

Or a date range, except you have to specify sent or received:
-SearchQuery {Received:(1/1/2010..12/31/2010)}
-SearchQuery {Sent:(1/1/2010..12/31/2010)}

Or if you want to search for more than one criterion:
[PS] C:\> Get-Mailbox alias | Search-Mailbox -SearchQuery {Subject:"searchfor" AND Body:"searchsomethingelse" AND Sent:(01/01/2010..12/31/2010)} -TargetMailbox mailbox -TargetFolder "foldername"

To search To or From with a date range and get an estimate instead of copying the results to a TargetMailbox:
Search-Mailbox alias -SearchQuery {Sent:(01/01/2015..12/31/2015) AND AND} -EstimateResultOnly

Moving mysql to a different partition – Ubuntu 12.04

I needed to move my MySQL databases to a different partition, since I was outgrowing the space. I created new space and used a mv command to move the files and preserve the permissions. I moved them to /mysql.

I set the permissions for the new directory:
chown mysql:mysql /mysql
chmod 700 /mysql
Then, I needed to modify the /etc/apparmor.d/tunables/alias file. Note: It is actually documented in the alias file for MySQL.

# vi /etc/apparmor.d/tunables/alias

alias /var/lib/mysql/ -> /mysql/,

# service apparmor restart
# service mysql start

Grant user permission to unlock Active Directory accounts.

OS: Windows 2012 R2

This is the command I used to grant a group permission to unlock accounts.

C:\> DSACLS "ou distinguished name" /i:s /G "group name":rpwp;LockOutTime;user



Timestamp and lftp

I was using lftp to get a file and do a local listing of the transferred file. The timestamp was days off when I used “local ls”. With some experimentation, I was able to find that if I pass the command a switch I could get the file creation time.

This is what I used:

lftp> local ls -cl

Internet Explorer Group Policy not changing.

I was trying to change the home page policy and the proxy settings for Internet Explorer 11. I had looked at this a couple of times but did not resolve the issue. I even started looking toward a registry option when I knew that this had to work. It turns out that it is something really stupid, and has been the case for a long time. I just needed to hit the F6 key while the cursor was still on the changed setting. Then, you will see the line under the setting go from red to green. It turns out that a few function keys are important, so I will note them here.

F5: This will configure and update all of the settings.
F6: This will update only the setting you are currently positioned on.
F7: This will ignore only the setting you are currently positioned on.
F8: This will ignore all changes.

Windows 2012 R2 and .Net 3.5 Features

I changed my CD/DVD drive letter after I installed Windows Server 2012 R2 and a couple of other features. Then, I wanted to install the .NET Framework 3.5 feature. It kept complaining about not being able to find the source. I had to set the new source location for it to install correctly.

From Server Manager, you add the role as you normally would until you get to the “Confirm installation selections” window:

Click the “Specify an alternate source path” link and for the path enter the location with the correct directory of your 2012 R2 installation source. Since I changed my drive letter to the Z drive, mine was as follows.


From here, it installed as it normally would.

Note: I also discovered that if you apply some updates and then need to add the .NET 3.5 Framework feature, you might need to uninstall one or two of the updates. In my case, I had to remove update 2966828. I used the method specified here:

Uninstall/Install an Update from the Command Line – Windows Server 2012 R2

To list all installed updates:

c:\>wmic qfe list

To install an update:

c:\>wusa C:\somedirectory\someupdate1234567.msu

To uninstall an update:

c:\>wusa /uninstall /kb:1234567

Windows Group Policy to Run a Script with Privilege.

Sometimes you need to make a change to a lot of desktops, and you need to use an account with administrator-level privilege. The best way I found to do this, other than running a script that would make the changes remotely, was to add it to the startup script option in a Group Policy.

I wrote the script (and tested it, obviously), and saved it with the logon scripts so it would replicate to all the domain controllers.

Then, I identified a current policy and edited it. This is a Computer Configuration policy that causes the script to be run upon reboot. You want to change the properties (add your script/command) for:

Computer Configuration/Policies/Windows Settings/Scripts/Startup
Click Add…
You can run the script from anywhere, but I chose the logon script directory for redundancy and efficiency.

This is where I stored the script and referenced:

Another option is to store the script with the policy, which might even be a better choice:

Once you’ve added the script, click OK and close the Group Policy Management Editor.

CentOS 7 – Create encrypted partition

Note: This is to create a new partition that is encrypted. Do not do this on an existing partition, because you will lose all the data on the partition.

Note: I added a summarization to the end of this post to provide a bit more clarity about the volume names, etc.

Add the disk to the system and identify it. I used the following:
See if it is there already:

# fdisk -l

If not, scan for it on all your buses:

# echo "- - -" > /sys/class/scsi_host/host0/scan
# echo "- - -" > /sys/class/scsi_host/host1/scan
# echo "- - -" > /sys/class/scsi_host/host2/scan

Check again:

# fdisk -l

Create a volume:
Add the physical disk:

# pvcreate /dev/sdb

Create a volume group:

# vgcreate centos_test /dev/sdb

Activate the volume group:

# vgchange -a y centos_test

Create the volume:

# lvcreate -l 100%FREE -n test centos_test

Write random data to the partition. This is important when reusing a volume.

# shred -v --iterations=1 /dev/centos_test/test

Install cryptsetup:

# yum install cryptsetup

Initialize the volume and set the passphrase:

# cryptsetup --verbose --verify-passphrase luksFormat /dev/centos_test/test

Open the volume and set up the mapping:

# cryptsetup luksOpen /dev/centos_test/test test

Create the filesystem:

# mkfs.ext3 /dev/mapper/test

Mount it:

# mount /dev/mapper/test /mnt

Add the volume to be mounted at boot to the crypttab file:
# vi /etc/crypttab

test /dev/centos_test/test none

Add the mount to the fstab:

# vi /etc/fstab

/dev/mapper/test /mnt ext3 defaults 1 2

Restore selinux context:

# /sbin/restorecon -v -R /mnt

I was not getting prompted for the passphrase at boot. So, I had to boot into single user mode. When I did, I was prompted for the passphrase and the partition mounted fine. I needed to remove the rhgb parameter from the boot parameters to be prompted when booting into multi-user mode:

# cd /etc/default

Remove the rhgb parameter from kernel parameters.

# vi grub

I removed the rhgb parameter from this line:

GRUB_CMDLINE_LINUX=" vconsole.font=latarcyrheb-sun16 crashkernel=auto vconsole.keymap=us quiet"

Update grub with the new settings:

# grub2-mkconfig -o /boot/grub2/grub.cfg

When you reboot, you will be prompted for the passphrase you set in the cryptsetup step.

# shutdown -r now

Here is a short summary. Pay particular attention to the luksOpen and mount commands and the format of the crypttab and fstab files. Hopefully, these names will make it easier to keep straight:

# fdisk -l
# fdisk /dev/sdb
# shred -v --iterations=1 /dev/sdb
# pvcreate /dev/sdb
# vgcreate vgtest /dev/sdb
# vgchange -a y vgtest
# lvcreate -l 100%FREE -n lvtest vgtest
# shred -v --iterations=1 /dev/vgtest/lvtest
# cryptsetup --verbose --verify-passphrase luksFormat /dev/vgtest/lvtest
# cryptsetup luksOpen /dev/mapper/vgtest-lvtest lvtest
# mkfs -t ext4 /dev/mapper/lvtest
# mount /dev/mapper/lvtest /mnt

# vi /etc/crypttab

lvtest /dev/mapper/vgtest-lvtest none

# vi /etc/fstab

/dev/mapper/lvtest /mnt ext4 defaults 1 2
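
A check for the naming pitfall the summary asks you to watch for, as an added example that is not part of the original post: the crypttab name must be the opened mapping, and fstab must mount that mapping rather than the LV that holds the LUKS container. The function names and the sample entries (built from the vgtest/lvtest names) are constructed for illustration.

```shell
# Added example: cross-check crypttab and fstab naming for LUKS on LVM.

# dm_name DEVICE: the name a device has under /dev/mapper. LVM exposes
# /dev/VG/LV as VG-LV, doubling any hyphen inside the VG or LV name.
dm_name() {
    case $1 in
        /dev/mapper/*) printf '%s\n' "${1#/dev/mapper/}" ;;
        /dev/*/*)      printf '%s\n' "${1#/dev/}" | sed 's/-/--/g; s|/|-|' ;;
        *)             printf '%s\n' "${1#/dev/}" ;;
    esac
}

# check_luks_names CRYPTTAB FSTAB: print findings, return 1 if there are any.
check_luks_names() {
    bad=0
    while read -r name dev rest; do
        case $name in ''|'#'*) continue ;; esac
        # A mapping named like its own backing LV collides under /dev/mapper.
        if [ "$name" = "$(dm_name "$dev")" ]; then
            echo "COLLISION: crypttab name '$name' is the backing device itself"
            bad=1
        fi
    done < "$1"
    while read -r spec rest; do
        case $spec in /dev/*) want=$(dm_name "$spec") ;; *) continue ;; esac
        while read -r name dev rest; do
            case $name in ''|'#'*) continue ;; esac
            # fstab must mount the opened mapping, never the LUKS container.
            if [ "$want" = "$(dm_name "$dev")" ]; then
                echo "BACKING: fstab mounts $spec, the container behind '$name'"
                bad=1
            fi
        done < "$1"
    done < "$2"
    return "$bad"
}

# Constructed sample files: sample DIR MAPPING_NAME writes DIR/crypttab and
# DIR/fstab for an LV vgtest/lvtest opened under MAPPING_NAME.
sample() {
    printf '%s /dev/vgtest/lvtest none\n' "$2" > "$1/crypttab"
    printf '/dev/mapper/%s /mnt ext4 defaults 1 2\n' "$2" > "$1/fstab"
}

# When run with two arguments, check those files.
if [ "$#" -eq 2 ]; then check_luks_names "$1" "$2"; fi
```

Saved under any file name, it takes the two files as arguments, for example /etc/crypttab and /etc/fstab.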

IIS Redirect from http to https

Windows Server 2012 fully updated.
IIS version 8.
Exchange 2010 fully updated.

Initially, I tried doing this with the default “HTTP Redirect.” I simply wanted to have a more generic DNS name using HTTP to redirect to the Outlook Web Access URL using HTTPS. This introduced a couple of issues. One, I needed to have SSL not be required for the “Default Web Site”, and two, I created a loop since the redirect will apply to all virtual directories below the “Default Web Site.”

I discovered the “URL Rewrite” module below:

Previously, I had used rewrite rules in Apache to accomplish a similar task, so I knew I was on the right track.

First thing you have to do is get the SSL settings right. For this I used the IIS Manager UI. I wish I had taken the time to find out how to do this with PowerShell, and here is why. For the “Default Web Site”, you open “SSL Settings” and uncheck “Require SSL.” Now, when you do this, it will change it for all your virtual directories. So, you have to select each virtual directory, open “SSL Settings”, and check “Require SSL.” Ugh.

Once that is done, install the “URL Rewrite” module. It is pretty straightforward. Once it is installed, you need to restart IIS using “iisreset”. Back in IIS Manager, select “Default Web Site” and you will notice a “URL Rewrite” icon has been added. Open it up and click “Add Rule...” under the Action menu. You give it a name, and the pattern to match. The “Action type” is “Rewrite”, and the “Rewrite URL” is where you put the HTTPS URL.

Here is what I used to redirect http://mail to
Pattern: Matches the Pattern
Using: Regular Expressions
Pattern: http://mail
Ignore case: checked
No Conditions added.
No Server Variables added.
Action type: Rewrite
Rewrite URL:
Append query string: checked
Log rewritten URL: unchecked
Stop processing of subsequent rules: unchecked
