Friday, March 2, 2012

Password Expire Email - Powershell

Here's one for you Group Policy Administrators out there. We have a good number of remote users in our organization, and the helpdesk is constantly getting calls about expired passwords. Basically, because they log into their laptops first, then VPN, they never get the prompts warning them their password will expire. So, I created a simple powershell script that runs on a server at noon every day.

I'm not a powershell guru, so there might be better ways to write this, but this is what I came up with. Basically it searches an OU that you can choose and it finds all accounts where the password will expire in the next 14 days. It will send them an email every day at noon until they change it. The script has a few variables that you will need to put in your own information, like $smtpserver, $to, $from, and -searchroot. Also, make sure the folders are created before you try to run it.

Just copy the text below into a txt file and rename it with a ps1 extension (and take word wrap off...it's easier to read). Then set up a scheduled task that calls the script. Have fun! If you have better ways to do this I'd love to learn!


# get-qaduser comes from the Quest ActiveRoles Management Shell for Active Directory
add-pssnapin Quest.ActiveRoles.ADManagement -erroraction silentlycontinue

$today = (get-date)
$days_before_expire = 14

# Mail settings: put in your own information
$from = "<sender's email address>"
$smtpserver = 'EmailServerFQDN'

# File that collects the accounts whose password has already expired
new-item -path c:\scripts\passwordexpiredemails\expiredpasswords.txt -type file -force

# All enabled accounts in the OU whose password expires within $days_before_expire days
$users_to_be_notified = get-qaduser -searchroot 'enter your domain/ou path here' -Enabled -passwordneverexpires:$False | where {($_.passwordexpires -lt $today.adddays($days_before_expire))}
foreach ($user in $users_to_be_notified) {
    $days_remaining = ($user.passwordexpires - $today).days
    $resetby = $user.PasswordExpires.date.tostring('MM/dd/yyyy')
    $to = $user.email
    $subject = "Reminder - Password is expiring in $days_remaining day(s)."
    $body = "<html>
            <head></head>
                <body>
                Your password will expire in $days_remaining day(s). Please change it by $resetby.<BR><BR>
                To reset your password, press CTRL-ALT-DEL and choose 'Change Password'<BR><BR>
                If you have a MobileDevice, please be sure to change your password on the device as well. You can find instructions for changing it on your device here: 'Path To Document in UNC format'<BR><BR>
                If you have any issues, please submit a ticket at 'URL of Ticket System if applicable'<BR><BR>
                Thank You!<BR>
                Help Desk
                </body>
         </html>"

    # Already expired: record the account for the account management group
    if ($days_remaining -le 0) {
        add-content -path 'c:\scripts\passwordexpiredemails\expiredpasswords.txt' -value $user
    }

    # Still valid: send the reminder to the user
    if ($days_remaining -gt 0) {
        send-mailmessage -bodyashtml -to $to -from $from -subject $subject -body $body -smtpserver $smtpserver
    }

}

# Send the list of expired accounts to the account management group, then clean up
$to = '<AccountManagementGroupEmailAddress>'
$subject = "The following accounts have expired passwords"
$body = "Please see the attached file for the accounts with expired passwords."
send-mailmessage -bodyashtml -to $to -from $from -subject $subject -body $body -attachment 'c:\scripts\passwordexpiredemails\expiredpasswords.txt' -smtpserver $smtpserver

remove-item c:\scripts\passwordexpiredemails\expiredpasswords.txt

Symantec Endpoint Protection - Change Parent Server

This is just a quick post for changing the parent server of a Symantec Endpoint Protection client.  In the past, the parent server could be modified by changing a few registry keys, but since Symantec Endpoint Protection came out, Symantec relies on xml files.  The quickest way to make this change is:

  1. Click on Start-Run
  2. Type in smc -stop (type in the password if you have SEP set up for it)
  3. Navigate to C:\Program Files\Symantec\Symantec Endpoint Protection
  4. Rename Sylink.xml to Sylink.old
  5. Copy an updated Sylink.xml file from the new parent server (or another client that is pointing to the new server)
  6. Click on Start-Run
  7. type in smc -start
You should be all set.

Thursday, March 1, 2012

Device42 - IP Address Management

For those of you out there relying on Excel spreadsheets to document your company's IP addresses...check this out:

http://www.device42.com/

View 5 Security Gateway - SSL

Ok, after a few months of working with VMWare View 5 internally, it was time to get our View Security Gateway up and running.  After doing some research, the build of the View Security Gateway is pretty straightforward and VMWare has some really good documentation so I'm not going to go through all the steps to getting the server up and running. What I do want to go over is how to set up the Certificate for SSL on the secure gateway. There really isn't a lot of consistent documentation on this, so here's how I got it working...

1.) The first thing we need to do on the View Security Gateway server is to modify the Path environmental variable to include the path to the keytool tool.  Keytool is what vmware uses to create, import, and modify Vmware certificates.
  • Right click My Computer and select properties
  • Choose Advanced System Settings
  • Click on Environment Variables
  • Under System Variables, select Path and choose Edit
  • Put a ; after the last entry, then add install_directory\VMware\VMware View\Server\jre\bin
  • Click Ok 3 times
2.) Open a command prompt with elevated privileges
3.) Run the following command to create a key
  •  keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360 -keysize 2048
  • When prompted, create a password for the new key file
  • When prompted for your first and last name, enter in the external dns name that will be used to access the view security gateway
  •  Continue to enter in your OU, City, State, Country
4.) Generate the Cert Request
  • keytool -certreq -file filename.csr -keystore keys.p12 -storetype pkcs12 -storepass password (from step 3)
5.) At this point you will need to send your csr file to your CA
6.) Once you have the new cert from the CA, you will need to convert the cert to a p7b file. This is where I ran into some issues.  I had to do this on an XP machine, then copy the p7b file to my 2008 server...my server wouldn't recognize the cert path when I tried to do this...even after importing the root and intermediate certs...weird
  • Open the cer file and click on the Details Tab
  • Click Copy to file
  • Click Next
  • Select Cryptographic Message Syntax Standard - PKCS #7 Certificates (p7b)
  • Also select Include all certificates in the certification path
  • Give the file a name and save it
  • Copy the file to your server
7.) Now that you have a p7b file, you can import it via keytool
  • keytool -import -keystore keys.p12 -storetype pkcs12 -storepass password -keyalg "RSA" -trustcacerts -file filename.p7b
  • you should receive a message stating "Certificate reply was installed in keystore"
8.) Copy keys.p12 to C:\Program Files\VMware\Vmware View\Server\sslgateway\conf
9.) Create a file called locked.properties
10.) Open locked.properties with a txt editor and add the following lines
  • keyfile=keys.p12
  • keypass=password
11.) You can either restart the services or restart the box
12.) You should be all set now.
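
A check worth running after steps 7 and 10, shown as an added PowerShell example that is not part of the original post: it confirms that the CA reply is bound to the private key with its full chain, and restricts access to keys.p12 and locked.properties, which stores the keystore password in clear text. It assumes locked.properties sits in the same conf folder as keys.p12, that keytool is on the Path (step 1), and that the View services run as Local System.

```powershell
# Added example, not from the original post.
# Assumptions: locked.properties sits in the same conf folder as keys.p12, keytool is on
# the Path (step 1), and the View services run as Local System.
$conf     = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'
$keystore = Join-Path $conf 'keys.p12'
$props    = Join-Path $conf 'locked.properties'

# Ask for the keystore password rather than storing it in this script
$secure = Read-Host 'Keystore password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pass   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Dump the keystore contents; -list -v prints entry type, chain length and validity dates
$listing = (& keytool -list -v -keystore $keystore -storetype pkcs12 -storepass $pass 2>&1 | Out-String)
$pass = $null

$problems = @()
# The CA reply must be attached to the private key, not stored as a separate trusted cert
if ($listing -notmatch 'Entry type:\s*PrivateKeyEntry') {
    $problems += 'No PrivateKeyEntry found: the certificate reply is not bound to the key from step 3.'
}
# A chain length of 1 means only the server certificate is present (no intermediate/root)
if ($listing -match 'Certificate chain length:\s*(\d+)') {
    if ([int]$matches[1] -lt 2) { $problems += 'Chain length is 1: intermediate/root certificates are missing.' }
} else {
    $problems += 'Could not read the certificate chain length from the keytool output.'
}
# Show subject and validity so the DNS name and expiry date can be checked by eye
$listing -split "`r?`n" | Where-Object { $_ -match '^(Owner|Valid from):' } | ForEach-Object { Write-Host $_ }

# keys.p12 holds the private key and locked.properties holds its password in clear text:
# drop inherited permissions and leave access to SYSTEM and local Administrators only
foreach ($file in $keystore, $props) {
    if (Test-Path $file) {
        & icacls $file /inheritance:r /grant:r 'SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
    } else {
        $problems += "Missing file: $file"
    }
}

if ($problems.Count -eq 0) { Write-Host 'Keystore and file permissions look good.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it from the elevated prompt opened in step 2; if the services run under a different account, grant that account read access in the icacls line.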

Tuesday, October 25, 2011

View Composer 5 - Error 1920

We are a VMWare shop.  No other way to put it. I would say about 95% of the servers that I'm responsible for run on VMWare.  The other 5% need to be physical for one reason or another.  Recently, we decided to start the process of upgrading our environment to VMWare View 5. 

I built two 2008R2 servers...one to be used as the View Connection Server, the other to be used as the Virtual Center/View Composer server.  For those of you new to VMWare, View Composer needs to be run on the Virtual Center server.

Everything was going along fine until the View Composer installation.  It got to the point of starting services, then would give me "Error 1920 - Service VMWare View Composer (svid) failed to start. Verify that you have sufficient privileges to start system services."  Hmmm...ok...let's look at Event Viewer.  Event ID 0 - Failed to perform VMWare View Composer module initialization.  It was trying to pass a SQL query to my SQL server, but it didn't like the syntax.  Ok...let's go to Google and see if anyone else had this problem.

Since View 5 is still pretty new, not a lot out there.  I ran across a few articles saying to run the service as a domain account, make sure the service can interact with the desktop, check DB permissions, etc...  Needless to say, none worked.

Here is how I fixed the issue:  I had a feeling the problem lay somewhere with the ODBC SQL driver.  So, I decided to not use the default SQL driver installed with 2008R2.  Instead, I installed the SQL Native client for 2008R2.  I set up a new ODBC connection using that...and just like that, the install finished with no issues.

Welcome!

Ok, so this is my first post.  Let me start off by introducing myself and maybe explain what I'm doing here.  My name is Chris and I've been in the IT field for about 10 years now...ok, really 9 1/2 but who's counting.  To be honest, I didn't even think about computers until after college.  Up to that point, the only thing I knew how to do was write a word document for school and print it out.  If the computer wasn't working...Oh well!  So after college I took my Mass Communications degree and decided to go work at a truck wash...washing trucks ironically.  VERY glamorous, I know!! About 3 months into that I had it...I had to make a change.  So, I went back to school to learn computer networking at The Chubb Institute...which is now The Anthem Institute from what I understand. From there I was able to get a job with a small company in CT (about 200 employees or so) as a help desk technician.  I've been at that company for about 10 years now, and I've worked my way up to Network Engineer. 

Ok, enough of my background...I'm sure you're all half asleep!  The reason I'm here is this: Working for a small company, in a small infrastructure group, you're thrown into a lot of situations where you need to learn the ins and outs of a product quickly...and by quickly I mean yesterday! The upside of this is that you get your hands on a lot of new and exciting technology, and have the opportunity to learn it from all angles.  The downside is that there isn't enough time in the day to get everything done that NEEDS to be done! You're almost always pulled in 25 different directions at any given moment, so trying to keep your head above water can be, for lack of a better word, interesting.

What I'd like to do is post some of the challenges I face on a daily basis, and maybe a few things I do to make my life just a little bit easier.

So, here we go!