Auditpol – Windows Filtering Platform – Event ID: 5157

Enough is enough. I'll turn it on when I need it, or when I have infinite resources to manage the logs that Windows Filtering Platform auditing generates. In my case, I was getting a lot of messages for event ID 5157 ("The Windows Filtering Platform has blocked a connection."). For now, how do you turn this off in Windows Server 2012 R2?

To list all the categories:

C:\>auditpol /list /category
Category/Subcategory
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System

To get a list of any sub-categories for a category:

auditpol /get /category:"Account Logon"
auditpol /get /category:"Account Management"
auditpol /get /category:"Detailed Tracking"
auditpol /get /category:"DS Access"
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Object Access"
auditpol /get /category:"Policy Change"
auditpol /get /category:"Privilege Use"
auditpol /get /category:"System"

I have picked out the sub-categories under the "Object Access" category, because that is where the Filtering Platform settings live. To see the current settings for a sub-category:

auditpol /get /subcategory:"Filtering Platform Packet Drop"
auditpol /get /subcategory:"Filtering Platform Connection"
auditpol /get /subcategory:"IPsec Driver"
auditpol /get /subcategory:"IPsec Main Mode"
auditpol /get /subcategory:"IPsec Quick Mode"
auditpol /get /subcategory:"IPsec Extended Mode"

Example:

C:\>auditpol /get /subcategory:"Filtering Platform Connection"
System audit policy
Category/Subcategory Setting
Object Access
Filtering Platform Connection Success and Failure

To disable all audit logging for some sub-categories:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable

C:\>auditpol /get /subcategory:"Filtering Platform Connection"
System audit policy
Category/Subcategory Setting
Object Access
Filtering Platform Connection No Auditing

Or to enable all audit logging for some sub-categories:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable
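The same change wrapped in a script that first backs up the local audit policy and then reads each sub-category back to confirm it really changed. This is an added example, not part of the original post; it assumes an elevated PowerShell prompt, and $BackupPath is a constructed placeholder.

```powershell
# Added example (not from the original post): back up the local audit policy,
# disable the six Object Access sub-categories, and confirm the new state.
# Assumes an elevated PowerShell prompt; $BackupPath is a constructed placeholder.
$BackupPath = "C:\Temp\auditpol-backup.csv"
$SubCategories = @(
    "Filtering Platform Packet Drop",
    "Filtering Platform Connection",
    "IPsec Driver",
    "IPsec Main Mode",
    "IPsec Quick Mode",
    "IPsec Extended Mode"
)

# auditpol /backup saves the whole local policy, so it can be put back with
# "auditpol /restore /file:<path>" if turning something off turns out to be a mistake.
auditpol /backup /file:$BackupPath | Out-Null

function Get-SubcategorySetting {
    param([string]$Name)
    # /r makes auditpol emit CSV; "Inclusion Setting" holds the audit state
    # (e.g. "Success and Failure" or "No Auditing").
    $csv = auditpol /get /subcategory:"$Name" /r | ConvertFrom-Csv
    return $csv.'Inclusion Setting'
}

foreach ($sub in $SubCategories) {
    $before = Get-SubcategorySetting $sub
    auditpol /set /subcategory:"$sub" /success:disable /failure:disable | Out-Null
    $after = Get-SubcategorySetting $sub
    "{0,-32} {1,-20} -> {2}" -f $sub, $before, $after
}
```

If the sub-category is managed by a domain GPO (Advanced Audit Policy Configuration), the local change is reverted at the next policy refresh, so the read-back value is the thing to watch.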

Static NAT/PAT (one-to-one) Cisco ASA 8.2

Outside IP: aaa.bbb.ccc.ddd
Inside IP: www.xxx.yyy.zzz
Port: pppp
Identifier for access-list: NAME

This is a simple one to one NAT example. Traffic will go from aaa.bbb.ccc.ddd port pppp to www.xxx.yyy.zzz.

c-asa01(config)# static (inside,outside) aaa.bbb.ccc.ddd www.xxx.yyy.zzz
c-asa01(config)# access-list NAME permit tcp any host aaa.bbb.ccc.ddd eq pppp
c-asa01(config)# access-group NAME in interface outside

Or if you want to NAT and PAT:

Outside IP: aaa.bbb.ccc.ddd
Inside IP: www.xxx.yyy.zzz
Outside Port: pppp
Inside Port: qqqq
Identifier for access-list: NAME

c-asa01(config)# static (inside,outside) tcp aaa.bbb.ccc.ddd pppp www.xxx.yyy.zzz qqqq
c-asa01(config)# access-list NAME permit tcp any host aaa.bbb.ccc.ddd eq pppp
c-asa01(config)# access-group NAME in interface outside

Unable to extend a volume in Windows 2003.

Environment: VMware ESXi 5.5.x, Windows 2003 VM, Windows 2012 R2 VM.

I needed to expand the system disk of a Windows 2003 VMware virtual machine. I was able to easily extend the disk using vSphere, and Windows displayed the new size. However, I was unable to extend the filesystem using DISKPART. I would receive the following message when I tried:
"Diskpart failed to extend the volume. Please make sure the volume is valid for extending."

To get around this, I shut down my Windows 2003 server. Then I added the virtual disk to a Windows 2012 R2 VM. I opened the Disk Management console via Computer Management, and brought the newly added disk Online by right-clicking the disk name (on the left) and selecting Online. Then I right-clicked the logical disk, in my case the C: drive, and selected Extend Volume. Then I took the disk offline by right-clicking the disk name (on the left again) and selecting Offline. Next, I removed the disk from my Windows 2012 R2 VM WITHOUT deleting the file from disk.

Then all I had to do was boot my Windows 2003 VM and let chkdsk do its thing.

Exchange Server Saved Rules

Version: Exchange 2010

To list all the rules a mailbox has saved to the Exchange server:

[PS] C:\>Get-InboxRule -Mailbox mailboxname
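Get-InboxRule generalised to every mailbox in the organisation, flagging rules that forward, redirect or silently delete mail, which are the ones worth a second look whether the user created them or someone who has taken over the mailbox did. This is an added example, not part of the original post; it assumes an Exchange 2010 Management Shell, and $ReportPath is a constructed placeholder.

```powershell
# Added example (not from the original post): inventory every mailbox's inbox rules
# and flag the forward/redirect/delete ones. Assumes Exchange 2010 EMS (PowerShell 2.0),
# hence New-Object PSObject rather than [PSCustomObject]. $ReportPath is constructed.
$ReportPath = "C:\Temp\inbox-rules.csv"

$rules = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    # Get-InboxRule is the per-mailbox listing from the post, run here for each mailbox.
    Get-InboxRule -Mailbox $mbx.Identity | ForEach-Object {
        New-Object PSObject -Property @{
            Mailbox               = $mbx.PrimarySmtpAddress.ToString()
            Rule                  = $_.Name
            Enabled               = $_.Enabled
            ForwardTo             = ($_.ForwardTo -join ";")
            ForwardAsAttachmentTo = ($_.ForwardAsAttachmentTo -join ";")
            RedirectTo            = ($_.RedirectTo -join ";")
            DeleteMessage         = $_.DeleteMessage
        } | Select-Object Mailbox, Rule, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
    }
}

# Rules that send a copy elsewhere or delete mail outright are the ones to review.
$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}

$rules | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} rule(s) found, {1} forward/redirect/delete" -f @($rules).Count, @($suspicious).Count
$suspicious | Format-Table Mailbox, Rule, Enabled, ForwardTo, RedirectTo, DeleteMessage -AutoSize
```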

Reset Internet Explorer settings from command line.

Group Policy can block access to the Reset Internet Explorer Settings option, which IE seems to need far more often than it should. To bypass this and reset the settings back to the defaults:

From a command prompt:

C:\> RunDll32.exe InetCpl.cpl,ResetIEtoDefaults

This will pop up the Reset Internet Explorer Settings window. Click Reset to reset everything except your personal settings. Obviously, you can check the "Delete personal settings" box if you want to delete your personal settings as well.

Exchange Search Mailbox

In order to search a mailbox, the account you are using must be a member of the “Discovery Management” role group.

To check:
[PS] >Get-RoleGroupMember "Discovery Management"

To add somebody to a role:
When you add somebody as follows, you will be prompted for the member. For example, Administrator.
[PS] >Add-RoleGroupMember "Discovery Management"

If you are doing this as Administrator and are adding the Administrator account, you will need to restart your EMS (Exchange Management Shell).

Once you have added the role, you will be able to use the Search-Mailbox cmdlet. There are many search options. Below is a simple example searching the subject of a mailbox. The way this works is that the search results are sent to a target mailbox and folder.

[PS] C:\> Get-Mailbox alias | Search-Mailbox -SearchQuery {Subject:"searchfor"} -TargetMailbox mailbox -TargetFolder "foldername"

Example:
[PS] C:\> Get-Mailbox jim | Search-Mailbox -SearchQuery {Subject:"work rules"} -TargetMailbox mailadmin -TargetFolder "SearchJim"

So, in this example, the mailbox jim will be searched for any message with "work rules" in the subject line. Any results will be put in the mailadmin mailbox in a folder called SearchJim.

You can do the same thing for the body of the message:
-SearchQuery {Body:"somethinginthebody"}

Or a date range, except you have to specify sent or received:
-SearchQuery {Received:(1/1/2010..12/31/2010)}
-SearchQuery {Sent:(1/1/2010..12/31/2010)}

Or if you want to search on more than one criterion:
[PS] C:\> Get-Mailbox alias | Search-Mailbox -SearchQuery {Subject:"searchfor" AND Body:"searchsomethingelse" AND Sent:(01/01/2010..12/31/2010)} -TargetMailbox mailbox -TargetFolder "foldername"

To search To and From within a date range and only estimate the result count, instead of copying the results to a target mailbox:
Search-Mailbox alias -SearchQuery {Sent:(01/01/2015..12/31/2015) AND To:user1@domain1.com AND From:user2@domain2.com} -EstimateResultOnly
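Putting the estimate and the copy together: run the estimate first, and only copy into the target folder when the hit count is sane, with a full per-item log written alongside the results. This is an added example, not part of the original post; it assumes an Exchange 2010 Management Shell with Discovery Management membership as described above, and the mailbox, query, target mailbox and folder names are constructed placeholders.

```powershell
# Added example (not from the original post): estimate first, then copy.
# Assumes Exchange 2010 EMS and Discovery Management membership; all names below
# are constructed placeholders.
$SourceMailbox = "jim"
$Query         = 'Subject:"work rules" AND Sent:(01/01/2010..12/31/2010)'
$TargetMailbox = "mailadmin"
$TargetFolder  = "SearchJim"
$MaxItems      = 500   # refuse to copy if the estimate is larger than this

# -EstimateResultOnly returns counts and size without touching the target mailbox.
$estimate = Search-Mailbox -Identity $SourceMailbox -SearchQuery $Query -EstimateResultOnly
"{0}: {1} item(s), {2}" -f $estimate.Identity, $estimate.ResultItemsCount, $estimate.ResultItemsSize

if ($estimate.ResultItemsCount -eq 0) {
    "Nothing matched; no copy performed."
} elseif ($estimate.ResultItemsCount -gt $MaxItems) {
    "Estimate exceeds $MaxItems items; narrow the query before copying."
} else {
    # -LogLevel Full also drops a CSV listing every copied item into the target folder,
    # which is the record you want when the search is done for an investigation.
    $result = Search-Mailbox -Identity $SourceMailbox -SearchQuery $Query `
        -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full
    "Copied {0} item(s) to {1}\{2}" -f $result.ResultItemsCount, $TargetMailbox, $TargetFolder
}
```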

Moving mysql to a different partition – Ubuntu 12.04

I needed to move my MySQL databases to a different partition, since I was outgrowing the space. I created the new space and used a mv command to move the files and preserve their permissions. I moved them to /mysql.

I set the permissions for the new directory:
chown mysql.mysql /mysql
chmod 700 /mysql
Then, I needed to modify the /etc/apparmor.d/tunables/alias file. Note: It is actually documented in the alias file for MySQL.

# vi /etc/apparmor.d/tunables/alias

alias /var/lib/mysql/ -> /mysql/,

# service apparmor restart
# service mysql start

Grant user permission to unlock Active Directory accounts.

OS: Windows 2012 R2

This is the command I used to grant a group permission to unlock accounts.

C:\> DSACLS "ou distinguished name" /i:s /G "group name":rpwp;LockOutTime;user

Example:

C:\> DSACLS "OU=MyOU,DC=MYDOMAIN,DC=MYTLD" /i:s /G "MYDOMAIN\MYGROUP":rpwp;LockOutTime;user

Timestamp and lftp

I was using lftp to get a file and do a local listing of the transferred file. The timestamp was days off when I used "local ls". With some experimentation, I found that if I passed the command a switch, I could get the file creation time.

This is what I used:

lftp> local ls -cl

Internet Explorer Group Policy not changing.

I was trying to change the home page policy and the proxy settings for Internet Explorer 11. I had looked at this a couple of times but did not resolve the issue. I even started looking toward a registry option when I knew that this had to work. It turns out that it is something really stupid, and it has been the case for a long time. I just needed to hit the F6 key while the cursor was still on the changed setting. Then you will see the line under the setting go from red to green. It turns out that there are a few function keys that are important, so I will note them here.

F5: This will configure and update all of the settings.
F6: This will update only the setting you are currently positioned on.
F7: This will ignore only the setting you are currently positioned on.
F8: This will ignore all changes.
