Friday, September 28, 2012

Exchange 2003 queue states "retry" and will not unfreeze to state "Ready"

My issue in particular related to the decommissioning of an Exchange 2003 server.  This server was turned off; then another Exchange server stopped sending/receiving emails.  However, all other Exchange instances were working correctly.

Cause was tracked down to the "Smart host" settings entry referring to the decommissioned server.

Exchange server> Protocols> SMTP> Default SMTP Virtual Server > Right click Properties

Delivery Tab > Advanced > "Smart Host" entry

In my case I could simply remove the entry as it was not required.

Thursday, September 27, 2012

"E8535 Failed to receive data from the client agent. (ADDRESS= (DNS (IP Address)), EC=code, COMMAND=0"


Title:  Backup fails in the middle of the job with the error below "E8535 Failed to receive data from the client agent. (ADDRESS= (DNS (IP Address)), EC=code, COMMAND=0"



Description:

The universal client agent is a component that can be called by various clients, such as the Client Agent for Windows, the Exchange Agent and so on, and its services are shared. This can be done in one of two ways:

  • In-process component.
  • Out-of-process component.

An in-process component is implemented as a DLL and runs in the same process as its client application, which gives the most efficient communication between client and component. Each client application that uses the component starts a new instance of it.

An out-of-process component is implemented as an EXE and, unlike a DLL, runs in its own process space, so communication between client and component is marshalled across the process boundary. A single instance of an out-of-process component can service many clients.

Which approach is used depends on the environment and can be set per client in the application.

In Arcserve application, the registry key HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\CA Arcserve Backup\UniversalClientAgent\Options specifies the various clients that can call Universal client agent component.

For example:
\Options\1000 --- Client Agent for windows
\Options\2000\1070 --- Oracle Agent
\Options\2000\1400 --- SQL Agent
\Options\1060 --- Exchange Agent for Document level.

You can get this information from the registry.

Go to the \Options subkey and highlight any subkey within it (for example 1000); you will see a registry value holding the product name, which identifies the client agent. The registry value "Executable" within subkey 1000 specifies the way the universal client component is called by that client: a value of 0 runs the component in in-process mode, a value of 1 runs it in out-of-process mode.

The above error may be resolved by changing the way the universal client component is called by the affected client, since which mode works depends on the environment.

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to create a backup of the registry and ensure that you understand how to restore the registry if a problem may occur.
For more information about how to backup, restore, edit the registry, please review the relevant Microsoft Knowledge Base articles on support.microsoft.com.

Solution:

This error is not specific to client agent for windows only; you can see this error for exchange agent, SQL agent and so on.

If the client agent for windows is failing with the above error, go to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\CA Arcserve Backup\UniversalClientAgent\Options\1000

change the value of 'Executable' from 0 to 1 or vice versa.

The sub keys for other agents are:

\Options\2000\1070 --- Oracle Agent
\Options\2000\1400 --- SQL Agent
\Options\1060 --- Exchange Agent for Document level

If the issue is not resolved, you may revert the changes.
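Added example (PowerShell, not code from the Arcserve article above): the registry walk and the Executable toggle from the Solution section scripted, with the export-first step the IMPORTANT notice asks for. It assumes the product-name value is called ProductName (the article only says "a registry value product name"); the key paths are the ones given above. Run it from an elevated PowerShell on the agent machine.

```powershell
# Added example: enumerate Arcserve UniversalClientAgent\Options subkeys and flip
# 'Executable' (0 = in-process, 1 = out-of-process) for one of them, exporting first.
$OptionsKey = 'HKLM:\SOFTWARE\ComputerAssociates\CA Arcserve Backup\UniversalClientAgent\Options'
$OptionsReg = 'HKLM\SOFTWARE\ComputerAssociates\CA Arcserve Backup\UniversalClientAgent\Options'

function Get-ArcserveAgentMode {
    # Recurse because the SQL and Oracle agents sit one level down (\2000\1400, \2000\1070).
    Get-ChildItem -Path $OptionsKey -Recurse | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $p.Executable) {
            $mode = 'out-of-process'
            if ([int]$p.Executable -eq 0) { $mode = 'in-process' }
            New-Object PSObject -Property @{
                SubKey     = $_.Name.Substring($_.Name.IndexOf('\Options\') + 9)
                Product    = $p.ProductName      # ASSUMED value name; adjust if yours differs
                Executable = [int]$p.Executable
                Mode       = $mode
            }
        }
    }
}

function Set-ArcserveAgentMode {
    param(
        [Parameter(Mandatory=$true)][string]$SubKey,               # '1000', '2000\1400', ...
        [Parameter(Mandatory=$true)][ValidateRange(0,1)][int]$Executable
    )
    $key = Join-Path $OptionsKey $SubKey
    if (-not (Test-Path $key)) { throw "No such agent key: $key" }

    # Export the key first so the change can be undone with: reg import <file>
    $stamp  = Get-Date -Format yyyyMMddHHmmss
    $backup = Join-Path $env:TEMP ('UCA-{0}-{1}.reg' -f ($SubKey -replace '\\', '-'), $stamp)
    & reg.exe export "$OptionsReg\$SubKey" $backup /y | Out-Null

    $before = (Get-ItemProperty -Path $key).Executable
    Set-ItemProperty -Path $key -Name Executable -Value $Executable -Type DWord
    'Options\{0}: Executable {1} -> {2} (backup: {3})' -f $SubKey, $before, $Executable, $backup
}

# Usage (elevated):
#   Get-ArcserveAgentMode | Format-Table SubKey, Product, Executable, Mode -AutoSize
#   Set-ArcserveAgentMode -SubKey '1000' -Executable 1
```

Restart the agent service (or re-run the job) after toggling the value; if the job still fails, import the exported .reg file to put the original value back.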

Wednesday, September 26, 2012

Powershell Change NTFS permissions

Help, I am getting the error: Set-Acl : The security identifier is not allowed to be the owner of this object.

If you were getting this error with your script please see the reason below.

The error is that Set-Acl is trying (and failing) to change the folder's owner even though you never asked it to, which is very frustrating. Microsoft's explanation:

“Unfortunately Get-ACL is missing some features. It always reads the full security descriptor even if you just want to modify the DACL. That’s why Set-ACL also wants to write the owner even if you have not changed it. Using the GetAccessControl method allows you to specify what part of the security descriptor you want to read”

The key line is: $acl = (Get-Item $path).GetAccessControl("Access")

How to add 'Modify' access for the group 'Users' using PowerShell successfully

$username = "Users"
$path = "C:\Program Files (x86)\Java"
# Read only the DACL ("Access"), not the owner, so Set-Acl has no owner to write back
$acl = (Get-Item $path).GetAccessControl("Access")
# Modify, inherited by sub-folders (ContainerInherit) and files (ObjectInherit), Allow
$accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($username, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($accessrule)
Set-Acl -AclObject $acl $path

Caveat: granting Users Modify on a folder under Program Files lets any standard user replace or alter the executables and DLLs in it, and anything that later runs them with higher rights (an administrator, a scheduled task, a service) will run the tampered copy. Scope the rule to the narrowest folder, or the specific files, that actually needs to be writable.


Tuesday, September 25, 2012

Windows 7 Offline files will not go Online when connected to network

Issue

Several laptop users move between networks (domain, home, etc.) and when they attempt to access DFS shares the Explorer status is "working offline".  The issue only resolves itself after a reboot.  Connecting directly to the share works and I am able to ping network resources.  This behaviour occurs for VPN users as well.

Possible Causes

Slow-link mode. In Windows 7 (with default settings) a client will enter slow-link mode if the round-trip latency to the server is above 80 ms. In slow-link mode all writes are made to the local cache and a background sync only happens every 6 hours.  Depending on your connection, the default slow-link detection speed (throughput threshold) is 64,000 bps.

On client computers running Windows 7 or Windows Server 2008 R2, a shared folder automatically transitions to the slow-link mode if the round-trip latency of the network is greater than 80 milliseconds, or as configured by the "Configure slow-link mode" policy. After transitioning a folder to the slow-link mode, Offline Files synchronizes the user's files in the background at regular intervals, or as configured by the 'Configure Background Sync' policy. While in slow-link mode, Windows periodically checks the connection to the folder and brings the folder back online if network speeds improve.

If you do not configure the "Configure slow-link mode" policy setting, computers running Windows Vista or Windows Server 2008 will not transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. To prevent computers running Windows 7 or Windows Server 2008 R2 from using the slow-link mode, disable this policy.

Option 1: Disable it in Group Policy to see if it helps (feedback welcome).
Check the following two policy settings, which control Offline Files slow-link mode and speed:
Path: Computer Policy\Administrative Templates\Network\Offline Files
Policies:

*Configure slow-link mode

*Configure slow-link speed

Option 2: Configure forced silent auto-reconnection

1. Click Start, type REGEDIT in the search box, and then press ENTER.

2. Locate and click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache

3. Click Edit, point to New, and then click DWORD Value.

4. Type SilentForcedAutoReconnect, and then press ENTER to name the value.

5. Double-click SilentForcedAutoReconnect.

6. In the Value data box, type 1, and then click OK.

Option 3: Computer Policy\Administrative Templates\Network\Offline Files\Action on server disconnect

Tip: To configure this on a single machine without using Group Policy, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section.

Also, see the "Non-default server disconnect actions" setting.

Thursday, September 20, 2012

Office 2007/10 Cache installation and re-installation


  1. On the network installation point, open the Config.xml file in a text editor, such as Notepad. For information about the Config.xml file, see Config.xml file in Office 2010.

    By default, Config.xml is located in the core product folder for the Office product that you are installing. For example, if you install Microsoft Office Professional Plus 2010, open the Config.xml file in the ProPlus.WW folder.

  2. Find the LIS element (<LIS>); remove the comment marks on the line by deleting the opening <!-- and closing --> tags.

  3. Set the CACHEACTION attribute to "CacheOnly".

    The line in Config.xml should look as shown in the following example.

    <LIS CACHEACTION="CacheOnly" />





  4. Save the Config.xml file.

  5. Run Setup.exe on users' computers; on the Setup command line, specify the path of the modified Config.xml file.

    You must use a fully qualified path. For example: \\server\share\Office14\setup.exe /config \\server\share\Office14\ProPlus.WW\Config.xml

    where Office14 is the root of the network installation point.


How to run another cache install (i.e. with a different language): it is best to remove the first cached install first, by specifying RemoveCacheOnly in the Config.xml file.

If you precache the local installation source on users' computers and then later have to remove it, you can set the <CACHEACTION> attribute to "RemoveCacheOnly" and run Setup again. This setting works only if users have not yet installed Office.

Wednesday, September 19, 2012

UAC prompt Java

How to remove the UAC elevation prompt

Install the Application Compatibility Toolkit and open the Compatibility Administrator.

Right click the Database and Create a new Application Fix

Provide a name for the program and vendor, then browse to jucheck.exe
(C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe)

The next page lists the compatibility modes. Locate and select RunAsInvoker from the list and click the Test Run button afterwards to see how the program starts with that new compatibility mode.

Note that RunAsInvoker does not grant the program administrative rights; it only tells Windows not to ask for elevation, so the process runs with the user's standard token. The prompt goes away, but anything jucheck.exe genuinely needs administrator rights for (installing the update itself) will still fail for a standard user.

Save the database of programs by clicking on File > Save As in the menu, e.g. uac-whitelist.

The Compatibility Administrator saves the database as an sdb file on the local computer system. The database needs to be installed once. This needs to be done from an elevated command prompt. Click the Windows start button, then All Programs > Accessories. Right-click the Command Prompt entry and select to Run as Administrator from the context menu.

Now issue the command

sdbinst pathToUAC-Whitelist.sdb

CA ARCserve Error E12532

The volume shadow service provider was unable to complete the operation as it has insufficient storage space. Check the volume shadow service use limit.

Log onto the server that failed to backup and open a command prompt.

Type: vssadmin list writers

All writers should be in a Stable state.

If not see http://support.microsoft.com/kb/940184

NOTE: check that the server has suitable free disk space; the error refers to the shadow copy storage on the volume being backed up, which must have room to grow.
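Added example (PowerShell, not code from the original post): the "all writers should be Stable" check done programmatically. It parses the text that vssadmin list writers prints and returns every writer whose state is not Stable or whose last error is not "No error". The sample output embedded at the bottom is constructed for this example so it runs offline; drop the -Lines argument to run it against the live command on the failing server.

```powershell
# Added example: parse 'vssadmin list writers' and flag writers that are not healthy.
function ConvertFrom-VssWriterList {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $writers = New-Object System.Collections.ArrayList
    $w = $null
    foreach ($line in $Lines) {
        if ($line -match '^Writer name:\s+''(.+)''\s*$') {
            # Each writer block starts with its name; the details follow, indented.
            $w = New-Object PSObject -Property @{
                Name = $Matches[1]; Id = ''; StateCode = -1; State = ''; LastError = ''
            }
            [void]$writers.Add($w)
        }
        elseif ($null -eq $w) { continue }   # banner lines before the first writer
        elseif ($line -match '^\s*Writer Id:\s+(\{[0-9a-fA-F-]+\})') { $w.Id = $Matches[1] }
        elseif ($line -match '^\s*State:\s+\[(\d+)\]\s+(.+?)\s*$') {
            $w.StateCode = [int]$Matches[1]; $w.State = $Matches[2]
        }
        elseif ($line -match '^\s*Last error:\s+(.+?)\s*$') { $w.LastError = $Matches[1] }
    }
    return $writers
}

function Get-UnhealthyVssWriter {
    # Default: run the real tool. Pass -Lines to test against captured output.
    param([string[]]$Lines = (& vssadmin.exe list writers))
    ConvertFrom-VssWriterList -Lines $Lines |
        Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
}

# Constructed sample of the tool's output (one healthy writer, one stuck) for offline use:
$sample = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Instance Id: {aaaaaaaa-0000-0000-0000-000000000001}
   State: [1] Stable
   Last error: No error

Writer name: 'Microsoft Exchange Writer'
   Writer Id: {76fe1ac4-15f7-4bcd-987e-8e1acb462fb7}
   Writer Instance Id: {aaaaaaaa-0000-0000-0000-000000000002}
   State: [5] Waiting for completion
   Last error: Retryable error
'@ -split "`r?`n"

Get-UnhealthyVssWriter -Lines $sample | Format-Table Name, StateCode, State, LastError -AutoSize
```

Because E12532 is specifically about shadow storage, also run vssadmin list shadowstorage for the volume being backed up; if the maximum shadow copy storage space is used up, grow it with vssadmin resize shadowstorage (or free space on that volume) before retrying the job.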

Monday, September 17, 2012

WSUS Server result in Error 800B0001

http://support.microsoft.com/kb/2720211

WSUS Error: connection error when starting WSUS

I get an "Error: connection error" when starting WSUS.

First thing to check is that the Windows Internal Database (MICROSOFT##SSEE) service is running.  If it is running, restart it!

Open the SQL Server Configuration Manager and review the SQL Server (2005) services node.

WSUS unable to remove

If you are unable to remove WSUS in order to reinstall it:
Open regedit and go to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup

Find the DWORD value "wYukonInstalled" (=dword:00000001) and change it from 1 to 0.

Wednesday, September 12, 2012

IIS FTP Hide folders and Files

Create the FTP Folder

  1. Create a folder that you want the FTP service to point to.

  2. Right-click the folder, click Properties, and then click the Security tab. Grant Full Control permissions to only the Administrators group. NOTE: Remove the Everyone group if it is present (you will need to stop inheriting permissions from the parent folder to remove inherited entries).

  3. Click Advanced, and then click Add to add a new rule.

  4. In the account selection list, double-click the Anonymous User account or the group that is used for FTP access.

  5. In the Apply Onto drop-down list, select Files Only.

  6. Click to select Allow for the following permissions:

    • List Folder/Read Data

    • Read Attributes

    • Read Extended Attributes

    • Read Permissions



  7. Click OK.

  8. Click Add to add another rule.

  9. Select the account that you selected in step 4.

  10. In the Apply Onto list, click to select This Folder only.

  11. Click to select Allow for the following permissions (note that List permissions are not listed):

    • Create Files/Write Data

    • Create Folders/Append Data

    • Write Attributes

    • Write Extended Attributes

    • Read Permissions



  12. Click OK until you have closed all of the property windows.




It doesn't seem to be working...?

If you are using virtual directories make sure you untick "Virtual directories" under "FTP Directory Browsing".  This removes the directory from the listing; however, with the complete path a user still has access to the file without seeing the other items in the folder, e.g. ftp.domain.com/TechSales/file.txt

Virtual directories that I want displayed are no longer available?

Placeholders will help.  Virtual directories have higher priority than physical paths, so as we have told IIS not to display virtual directories, a placeholder folder lets you redirect the user neatly.

To display an alias called CustomerDownloads (VD path F:\virtualDirectory\CustomerDownloads) that was previously displayed in the Public folder, create an empty folder with the same name as a placeholder, visible to the anonymous user:  ftproot\LocalUser\Public\CustomerDownloads
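Added example (PowerShell, not part of the original KB steps): the same permission set applied by script, with a check afterwards. The GUI's "Apply onto: Files only" is ObjectInherit plus InheritOnly, and "This folder only" is no inheritance flags at all; getting those flags wrong is the usual reason step 12 "doesn't seem to be working". The FTP account name (IUSR, the IIS 7.5 anonymous identity) and the administrators principal are assumptions; pass your own for IIS 6 (IUSR_computername) or a named FTP group.

```powershell
# Added example: hide a folder's contents from the FTP user while still allowing
# downloads by full path and uploads into the folder (KB steps 2 to 12 as code).
$ErrorActionPreference = 'Stop'

function Set-FtpHiddenFolderAcl {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$FtpAccount = 'IUSR',                          # ASSUMED: IIS 7.5 anonymous identity
        [string[]]$FullControl = @('BUILTIN\Administrators')   # ASSUMED: per step 2
    )
    # Read only the DACL (same trick as the Set-Acl post) so the owner is left untouched.
    $acl = (Get-Item -LiteralPath $Path).GetAccessControl('Access')

    # Step 2: stop inheriting, drop inherited ACEs, then drop any explicit ones (Everyone etc.).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    foreach ($admin in $FullControl) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $admin, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    }

    # Steps 3-7, "Files Only": ObjectInherit + InheritOnly applies to files beneath the
    # folder but not to the folder itself, so the FTP user cannot list the directory.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $FtpAccount,
        'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions',
        'ObjectInherit', 'InheritOnly', 'Allow')))

    # Steps 8-11, "This folder only": no inheritance flags, and deliberately no ListDirectory,
    # so uploads work but the contents stay invisible.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $FtpAccount,
        'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ReadPermissions',
        'None', 'None', 'Allow')))

    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-FtpFolderHidden {
    # $true when no Allow ACE that applies to the folder itself grants ListDirectory
    # to the FTP account. Inherited ACEs count too, which is what catches step 2 being skipped.
    param([Parameter(Mandatory=$true)][string]$Path, [string]$FtpAccount = 'IUSR')
    $sid = (New-Object System.Security.Principal.NTAccount($FtpAccount)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $acl = (Get-Item -LiteralPath $Path).GetAccessControl('Access')
    $leaky = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        ([int]$_.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0 -and
        ([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ListDirectory) -ne 0
    })
    return ($leaky.Count -eq 0)
}

# Usage:
#   Set-FtpHiddenFolderAcl -Path 'F:\inetpub\ftproot\LocalUser\Public\Drop'
#   Test-FtpFolderHidden   -Path 'F:\inetpub\ftproot\LocalUser\Public\Drop'
```

Remember that this hides names, it does not protect the files: anyone who knows or guesses a file name can still download it, so the folder should not hold anything you would not hand to the anonymous user directly.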

Hubs, Bridges, Switches, Routers and Gateways


Hubs


Hubs are used to build a LAN by connecting different computers in a star/hierarchical network topology, the most common type of LAN nowadays. A hub is a very simple (or dumb) device: once it receives bits sent from computer A to B, it does not check the destination; instead it forwards the signal to all other computers (B, C, D...) on the network. B will then pick it up while the other nodes discard it. This means the bandwidth is shared and every node sees every frame.

There are mainly two types of hubs:

1. Passive: The signal is forwarded as it is (so it doesn’t need power supply).
2. Active: The signal is amplified, so they work as repeaters. In fact they have been called multiport repeaters. (use power supply)

Hubs can be connected to other hubs using an uplink port to extend the network.

OSI Model: Hubs work on the physical layer (lowest layer). That’s the reason they can’t deal with addressing or data filtering.

Switches


Switches, on the other hand, are more advanced. Instead of broadcasting frames everywhere, a switch actually checks the destination MAC address and forwards the frame to the relevant port only. This way switches reduce traffic and divide the collision domain into segments, which is very efficient for busy LANs, and a host normally only sees unicast frames addressed to it, so it cannot passively sniff other hosts' traffic on the same switch. Note that this is a side effect, not a security control: broadcast and unknown-unicast frames are still flooded to every port, and an attacker can force a switch to flood (MAC table flooding) or redirect traffic to himself (ARP spoofing).

They build a table of which MAC address belongs to which segment. If a destination MAC address is not in the table it forwards to all segments except the source segment. If the destination is same as the source, frame is discarded.

Switches have built-in hardware chips solely designed to perform switching capabilities, therefore they are fast and come with many ports. Sometimes they are referred to as intelligent bridges or multiport bridges.
Different speed levels are supported. They can be 10 Mb/s, 100 Mb/s, 1 Gb/s or more.

Most common switching methods are:

1. Cut-through: starts forwarding as soon as the destination MAC address has been read, before the whole frame (and its checksum) has arrived.
2. Store and forward: receives the full frame (and checks it) before retransmitting it.

OSI: Switches are on the data link layer (just above physical layer) that’s why they deal with frames instead of bits and filter them based on MAC addresses. Switches are known to be used for their filtering capabilities.

VLANs (Virtual LANs) and broadcast domains: Switches do not split broadcast domains by default; however, if VLANs are configured on a switch, each VLAN has its own broadcast domain.

***VLAN is a logical group of network devices located on different LAN physical segments. However they are logically treated as if they were located on a single segment.

Bridges


Bridges are used to extend networks by regenerating the signal and filtering traffic between two segments.
OSI: Bridges are on the data link layer, so in principle they can do what switches do, like filtering frames and separating collision domains, but they are less advanced. They are known for extending the distance capabilities of networks.

Compared with switches they are slower because they perform switching in software. They do not split broadcast domains and usually come with fewer ports.

Routers


Routers are used to connect different LANs, or a LAN with a WAN (e.g. the internet). Routers split both collision domains and broadcast domains. If a packet's destination is on a different network, a router is used to pass it the right way, so without routers the internet could not function.

Routers use NAT (Network Address Translation) in conjunction with IP Masquerading to provide the internet to multiple nodes in the LAN under a single IP address.

Nowadays, routers come with hub or switch technology built in to connect computers directly.

OSI: Routers work on the network layer so they can filter data based on IP addresses. They have route tables to store network addresses and forward packets to the right port.

Gateways


Gateways are very intelligent devices, or can be a computer running the appropriate software, that connect and translate data between networks with different protocols or architectures, so their work is much more complex than a normal router's. For instance, allowing communication between TCP/IP clients and IPX/SPX or AppleTalk.

OSI: Gateways operate at the network layer and above, most of them at the application layer.

P.S. The term Gateway is used to refer to routers in some articles so beware. In this case, the router has gateway software. And Default Gateway is used to refer to the node (e.g. router) connecting the LAN to the outside (e.g. internet).

Repeaters


Repeaters are simple devices that work at the physical layer of the OSI model. They regenerate signals (active hubs do that too).

There is an important rule to obey while using repeaters/hubs to extend a local network and is called the 5-4-3 rule or the IEEE way. The rule forces that in a single collision domain there shouldn’t be more than 5 segments, 4 repeaters between any two hosts in the network and only 3 of the segments can be populated (contain user connections).
This rule ensures that a signal sent over the network will reach every part of it within an acceptable length of time.
If the network is bigger, the collision domain can be divided into two parts or more using a switch or a bridge.

Monday, September 10, 2012

CA ARCserve Error AE9956

V16 SP1 BUILD 6838

AE9956 2012-09-08 02:15:16 Initialization of the COM+ component failed! Please check setting of agent configuration.

Upon opening the job I was unable to expand the "Farm" node under SharePoint databases.  This error is directly related to this issue.

The Fix: I hopped onto the SharePoint server with the CA SharePoint agent installed.  Opened the services console and brought up the properties.  The service was stopped and would fail to start automatically.  This service should have a service account associated under "Log On"; I re-entered the credentials and the service started correctly.

Back on the CA ARCserve server the Farm node would now expand and jobs complete without errors.

SCCM 2007/ 2012

SQL installation guide

Configuration Manager requires that you configure your SQL Server instance and Configuration Manager site database (if already present) to use the SQL_Latin1_General_CP1_CI_AS collation, unless you are using a Chinese operating system and require GB18030 support.  

If you forgot to select the correct collation, instead of completely removing and re-installing, simply run the command below. More info: http://technet.microsoft.com/en-us/library/ms179254(v=SQL.100).aspx

Setup.exe /QUIET /ACTION=REBUILDDATABASE  /SQLCOLLATION=SQL_Latin1_General_CP1_CI_AS /INSTANCENAME=MSSQLSERVER /SQLSYSADMINACCOUNTS=BUILTIN\Administrators

Fail to create SQL Server Certificate, ConfigMgr installation cannot be completed.

Thursday, September 6, 2012

How to install IIS FTP on Server 2008

Work in progress

How to install IIS 7.5 FOR WINDOWS SERVER 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.

  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).

  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.

  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.

  5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)

  6. Click Next.

  7. On the Confirm Installation Selections page, click Install.

  8. On the Results page, click Close.


How to setup the FTP site

Open IIS Manager > right click on "Sites" > Select "Add FTP Site"
Give the site a name i.e ftp.contoso.com > then point the root of the site to a physical location i.e F:\inetpub\ftproot

Click on the site ftp.contoso.com > Select FTP User Isolation > Select "User name directory (disable global virtual directories)". This isolates the user and prevents them navigating to other parts of the site.  It does, however, still allow you to create virtual directories to other parts of the site.

Isolating users means that the credential used to log in directs them to their designated folder only.  The username and folder name must be the same, otherwise the account will not connect.  You can create a local user account or tie it to a domain login.

How to setup FTP users accounts 

For local accounts you must create a folder called "LocalUser" on the ftproot level. i.e F:\inetpub\ftproot\LocalUser\%LocalUsername%

Alternatively domain users can login with their AD credentials (not a local user account).  To do this create a folder to match your domain i.e "Contoso" on the ftproot level i.e  F:\inetpub\ftproot\Contoso\%ADUsername% you must create a folder with the same AD account name under Contoso to connect.

Troubleshooting

If you are unable to see virtual directories for domain or local accounts when logging in using a client such as FileZilla, check that you have chosen "DISABLE global virtual directories" in order to be able to point the username directory to a virtual directory OUTSIDE ftproot.

Windows 7 features

Windows 7 features
To upgrade XP to Windows 7, logistically the data will need to be backed up, the HDD wiped, the machine reimaged with Windows 7 and the data restored. Technical reasons such as file system changes are responsible for the logistical hardship.
However, the benefits of Windows 7 include faster-than-XP/Vista performance, especially where the user will notice it the most, i.e. wake-up speed.
The Windows 7 UI is dramatically different from XP or Vista and this document should hopefully explain a few of the differences.

Anatomy of the Taskbar

The Windows 7 taskbar still resembles the older Windows XP taskbar but is essentially more task-centric, with some great usable features added.

Old Windows XP Task Bar


New Windows 7 Task Bar

Icons
When you open an application, an icon appears on your taskbar, the same as XP. However, one of the changes Microsoft has made in Windows 7 is that it now combines multiple windows of the same program under one icon.

Aero Peek
This is a new feature which allows you to quickly locate items on your desktop, or open windows. To view the desktop, slide the mouse to the right end of the task bar where there is a shaded rectangle. The windows you currently have open will become transparent, and you will be able to see directly through to your desktop.

To quickly find a window, hover over the individual icons along your task bar, small windows will pop up showing you a snapshot of that window. You can click on that window to bring it to the forefront. You can also click on the X in the top right corner, and close out of that window completely.


Right-Click Options on Icons
Windows 7 Also gives you a whole new host of options when you right click on an icon.

For example: If you hover over the Internet Explorer Icon, and right click, you will see the following Menu:

(Insert Pic Here.)

Quickly Clear Your Desktop Using Aero Shake

Aero Shake is a great new feature that immediately minimizes all of the windows on your desktop except for the one you choose. To accomplish this, click and hold on the top of any window with your mouse, and give the window a little shake. All the other windows will instantly minimize. To get them back, simply shake that same window again.

Sizing Windows using Aero Snap

Aero Snap is a new feature that allows you to snap windows into a dual paned or maximized view.

To engage snap, simply click and hold your window and drag it to the top or sides of your screen.

* The top edge will maximize the window.
* The left OR right edge will make the window take up half the screen.


Aero Flip 3D keys: [Windows key] + [Tab]
By holding down the Windows key (next to the Alt key) and pressing Tab, you get a cascading-windows effect that lets you flip through all currently open windows on your desktop.

Alt + Tab keys: [Alt] + [Tab]
By holding down the Alt key (on either side of the space bar) and pressing Tab, you can switch between all open windows on your desktop. You will see a bar with small icons for each application, each showing the file name or page title when you switch to it.

Using the Task Bar to Organize Your Screen

Microsoft has made some changes to how the taskbar can organize your screen for you. By right-clicking on any empty space on the taskbar, you now have the option to:


* Cascade Windows
* Show Windows Stacked
* Show Windows Side by Side
* Show Your Desktop

Libraries

Windows XP and Vista used something called Known Folders as a standard set of places for you to store your files. In XP, the primary folder was My Documents.

Windows 7 contains a set of libraries that can take the place of the standard folders found in XP and Vista. A library is displayed in a similar manner to XP's known folders however, it simply references its true directory. Imagine you have the ability to create your own M drive structure. Referencing only your most used folders in any particular hierarchy. (Only network locations that have been indexed, or a folder that has been made available offline can be added to the Windows library)


New Ribbon interface on Wordpad and Paint
Windows Live applications?
Internet Explorer 8.0, Smart screen/In private filters and InPrivate Browsing, Web Slices, Accelerators.
UAC slider
Action centre, UAC control, backup centre
Windows firewall, Public and Private
BitLocker, and BitLocker To Go to lock down USB storage devices, which can prevent the copying of unauthorised data or data loss should the drive be lost or compromised.
AppLocker replaces Software Restriction Policies as a means of identifying and controlling which applications and scripts can run on a system, using rules based on file name, path, publisher or file hash. AppLocker gives IT more granular control over which applications can be installed and which scripts can be run.
The credential manager
Problem steps recorder, produces html report
A new troubleshooting link from within control panel.
Media player 12
Windows PowerShell v2.0
BranchCache with Windows Server 2008 R2 Enterprise: much faster access times, reduces WAN bandwidth.
DirectAccess with Enterprise 2008 R2
Windows XP mode
Software Assurance, benefits to the user?
Application compatibility, detail what has been tested?
Software Assurance can make use of training vouchers.

GPO disable updates

Java

Create a .reg file (or a GPO registry preference) that creates the following registry entries. The "=-" lines delete that value if it exists.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\JavaSoft\Java Update\Policy]
"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000
"NotifyDownload"=dword:00000001
"NotifyInstall"=dword:00000001
"PromptAutoUpdateCheck"=-

[HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]
"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000
"NotifyDownload"=dword:00000001
"NotifyInstall"=dword:00000001
"PromptAutoUpdateCheck"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy]
"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000
"NotifyDownload"=dword:00000001
"NotifyInstall"=dword:00000001
"PromptAutoUpdateCheck"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]
"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000
"NotifyDownload"=dword:00000001
"NotifyInstall"=dword:00000001
"PromptAutoUpdateCheck"=-

------------------------------------------------------------------------

Adobe, Silverlight updates

Disable Acrobat.com feature of Acrobat Reader.
HKEY_CURRENT_USER\Software\Adobe\(product name)\(product version)\Workflows
bEnableAcrobatHS REG_DWORD 00000000

Disable Adobe Reader Auto updates.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockdown
bUpdater REG_DWORD 00000000

Disable Adobe Reader EULA splash screen.
HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\AdobeViewer
EULA REG_DWORD 00000001
Launched REG_DWORD 00000001

Disable WMP Auto Updates.
GPO setting: Computer Configuration => Administrative Templates =>
Windows Components => Windows Media Player.
Prevent Automatic Updates = Enabled

Disable Silverlight Auto Updates.
HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight
UpdateMode REG_DWORD 0x00000002

Bitlocker

What is Bitlocker?

Bitlocker Drive Encryption allows you to encrypt all data stored on the Windows operating system volume and configured data volumes, and by using a Trusted Platform Module (TPM), it can also help ensure the integrity of early startup components. Bitlocker was updated with the release of Windows 7 and Windows Server 2008 R2.

Backing Up Bitlocker and TPM Recovery Information to AD DS

Backing up recovery passwords for a Bitlocker-protected drive allows administrators to recover the drive if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.

You can configure Bitlocker Drive Encryption to back up recovery information for Bitlocker-protected drives and the Trusted Platform Module (TPM) to Active Directory Domain Services (AD DS). Recovery information includes the recovery password for each Bitlocker-protected drive, the TPM owner password, and the information required to identify which computers and drives the recovery information applies to.

How was it implemented?

See http://technet.microsoft.com/en-us/library/dd875529%28WS.10%29.aspx for full instructions.

- Extended the Active Directory schema.

- Updated the ACE to allow TPM recovery information to be backed up.

- Configured Group Policy to enable backup of BitLocker and TPM recovery information in AD DS:

  1. Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
  2. Enable "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)".
     - Select "Require BitLocker backup to AD DS" if you want to prevent users from enabling BitLocker on computers that cannot currently reach a domain controller.
     - Under "Select BitLocker recovery information to store", choose either "Recovery passwords and key packages" or "Recovery passwords only".
  3. Computer Configuration\Administrative Templates\System\Trusted Platform Module Services.
     - Enable "Turn on TPM backup to Active Directory Domain Services".
     - The "Require TPM backup to AD DS" check box is selected by default.
How to recover Bitlocker key?

Open Active Directory on a Server 2008 R2 server, or via the RSAT tools on Windows 7. Make sure the Bitlocker feature is selected (installed): http://www.microsoft.com/download/en/details.aspx?id=7887

Right click the domain and click "Find Bitlocker Recovery Password".

When prompted, enter the first 8 characters of the recovery key ID; AD will be searched for the corresponding record.

If you know the computer host name you can search for the computer as normal; open the properties and you will see a Bitlocker Recovery Tab. This will provide the same details in order to gain access to the encrypted drive.



How to populate AD with the Recovery password manually?

This may be necessary if a machine failed to join the domain but Bitlocker has already encrypted the hard drive, so the recovery information was never backed up.

c:> manage-bde -protectors -get c:

Example output:

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [Old Win7]
All Key Protectors

    External Key:
      ID: {F1#####2E-22D5-4420-980C-851#####EB30}
      External Key File Name:
        F12#####E-22D5-4420-980C-851#####B30.BEK

    Numerical Password:
      ID: {DFB###E6-8B3F-4DCA-9576-C19###C71E}
      Password:
        22##31-534171-4####4-445973-13###7-430507-68###2-70###6

    TPM And PIN:
      ID: {EB###D6-D##4-4AFB-84E3-26#######7AA5}

If you see results like the above, note the ID and Password of the Numerical Password protector. Now run the command below, replacing the ID with the ID of the Numerical Password:

c:> manage-bde -protectors -adbackup c: -id {DFB###6-8B3F-4DCA-9576-C19#####C71E}

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Recovery information was successfully backed up to Active Directory.

http://technet.microsoft.com/en-us/library/ee449438%28WS.10%29.aspx
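The manual steps above scripted in PowerShell, with a check from the AD side that the backup actually landed. This is an added example and not part of the original post; it assumes manage-bde is on the path, that the RSAT ActiveDirectory module is installed, and that the machine is domain joined. The function names are my own.

```powershell
# Added example (not from the original post). Backs up the Numerical Password
# (recovery password) protector of a volume to AD DS with manage-bde, then
# checks that the msFVE-RecoveryInformation object appeared under the computer
# account. Assumes the RSAT ActiveDirectory module and domain connectivity.

# Parse 'manage-bde -protectors -get' and return the ID (GUID in braces) of the
# Numerical Password protector, or $null if the volume has none.
function Get-RecoveryPasswordProtectorId {
    param([string]$Volume = 'C:')
    $output = & manage-bde -protectors -get $Volume 2>&1
    $inNumericalPassword = $false
    foreach ($line in $output) {
        if ($line -match '^\s*Numerical Password:') { $inNumericalPassword = $true; continue }
        if ($inNumericalPassword -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            return $Matches[1]
        }
    }
    return $null
}

# Escrow the recovery password to AD DS (the same command the post runs by hand).
function Backup-RecoveryPasswordToAD {
    param([string]$Volume = 'C:')
    $id = Get-RecoveryPasswordProtectorId -Volume $Volume
    if (-not $id) {
        throw "No Numerical Password protector on $Volume; nothing to back up."
    }
    & manage-bde -protectors -adbackup $Volume -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -adbackup failed for $Volume (exit code $LASTEXITCODE)."
    }
    return $id
}

# Verify from the AD side: recovery objects are children of the computer
# object, class msFVE-RecoveryInformation, named "<timestamp>{<protector ID>}".
function Test-RecoveryPasswordInAD {
    param([string]$ProtectorId, [string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName
    $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"'
    foreach ($obj in $objects) {
        if ($obj.Name.ToUpper().EndsWith($ProtectorId.ToUpper())) { return $true }
    }
    return $false
}

# Usage (run elevated on the Bitlocker-protected machine):
$id = Backup-RecoveryPasswordToAD -Volume 'C:'
if (Test-RecoveryPasswordInAD -ProtectorId $id) {
    Write-Host "Recovery password $id is present in AD DS."
} else {
    Write-Warning "Backup reported success but no matching AD object was found; check replication and the Group Policy settings."
}
```

If the verification fails on a freshly joined machine, give AD replication a moment before treating it as a real failure.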

What causes Bitlocker to start into recovery mode when attempting to start the operating system drive?

The following list provides examples of specific events that will cause Bitlocker to enter recovery mode when attempting to start the operating system drive:

Changing the BIOS boot order to boot another drive in advance of the hard drive.
Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
Failing to boot from a network drive before booting from the hard drive.
Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock Bitlocker. This means that if a portable computer is connected to its docking station when Bitlocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when Bitlocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
Turning off the BIOS support for reading the USB device in the pre-boot environment if you are using USB-based keys instead of a TPM.
Turning off, disabling, deactivating, or clearing the TPM.
Upgrading critical early start-up components, such as a BIOS upgrade, causing the BIOS measurements to change.
Forgetting the PIN when PIN authentication has been enabled.
Updating option ROM firmware.
Upgrading TPM firmware.
Adding or removing hardware. For example, inserting a new card in the computer, including some PCMCIA wireless cards.
Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
Changes to the master boot record on the disk.
Changes to the boot manager on the disk.
Hiding the TPM from the operating system. Some BIOS settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS secure start-up is disabled, and the TPM does not respond to commands from any software.
Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including PCR[1] would result in most changes to BIOS settings causing Bitlocker to enter recovery mode.
Moving the Bitlocker-protected drive into a new computer.
Upgrading the motherboard to a new one with a new TPM.
Losing the USB flash drive containing the start-up key when start-up key authentication has been enabled.
Failing the TPM self test.
Having a BIOS or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each start-up and causing Bitlocker to start in recovery mode.
Changing the usage authorization for the storage root key of the TPM to a non-zero value.
Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
Pressing the F8 or F10 key during the boot process.
Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.

SCCM SMS Query

How to query for an application but exclude another defined query.

This would be useful if you want to only target a specific kind of computer. For example when upgrading from Office 2003 to Office 2007 and you want to keep Access 2003 present. You want to target only computer with office 2003 that have no sign of 2007.

Create a query that targets all instances of 2007 (collection ID 'S010014D'):

select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Office Professional Plus 2007"

Then create another query that searches for all instances of 2003, excluding the members of the collection built from the previous query:

select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Office Professional Edition 2003" and SMS_R_System.ResourceId not in (SELECT ResourceID FROM SMS_FullCollectionMembership WHERE collectionid IN ('S010014D'))

Windows 7 Offline Files

How to completely remove Offline Files.

1. Navigate to the following location in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Csc\Parameters
2. Create a new DWORD value called FormatDatabase with the value 1.
3. Reboot (the new value we created will delete itself after rebooting, along with the Offline Files cache).


Blackberry 9790 Folder Redirection

I am unable to set up folder redirection; the option does not exist.

If you are unable to see the Folder Redirection option you need to enable the "Wireless Reconcile" option.
Basically the "folder redirection" option disappears when the "wireless reconciliation" option is unticked - turn it on and the Folder Redirection appears.

Within your messages click the blackberry button > Options

Email Reconciliation > Make sure the "Wireless Reconcile" option is ticked.

Then Folder Redirection can be set up as follows:
Within messages click the blackberry button > Options > email preferences

Then press the Blackberry button again > Select Folder Redirection

Blackberry

How to recycle logs to avoid running out of disk space

Configure BES to rotate log files to avoid the server running out of disk space:

1. On the computer that hosts the BlackBerry® Manager, on the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
2. Click the Logging tab.
3. In the BlackBerry Service Log Settings pane, click Debug log maximum daily file age for the BlackBerry® Enterprise Server component that you want to change.
4. In the Setting column, double-click the current value.
5. Type the number of days after which you want to delete the BlackBerry Enterprise Server component log files.
6. Click OK.
7. On the computers that host the BlackBerry Enterprise Server components that you changed, in the Windows® Services, restart the appropriate BlackBerry Enterprise Server components.


Windows 7 Elevation UAC

How to Create an Elevated Program Shortcut without a UAC Prompt

http://www.sevenforums.com/tutorials/11949-elevated-program-shortcut-without-uac-prompt-create.html

The use of a scheduled task to elevate privileges works well with programs required within the Startup folder.

The application compatibility layer can also be set per executable in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Create a DWORD named with the path to the executable, e.g. C:\windows\regedit.exe

Set its value to: RUNASINVOKER


Babylon Virus

Babylon toolbar manual removal

Remove it from Add/Remove Programs.

DISCLAIMER: Modifying REGISTRY settings incorrectly can cause serious problems that may prevent your computer from booting properly. Microsoft cannot guarantee that any problems resulting from the configuring of REGISTRY settings can be solved. Modifications of these settings are at your own risk.

1. Click Start.
2. In 'Start Search' type regedit, press Enter (provide administrative credentials if prompted).
3. Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
   64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs
4. Right-click Tabs, then click Modify...
5. Change the "Value data:" to: res://ieframe.dll/tabswelcome.htm
6. Click OK. Now go back into Internet Explorer and make sure that under Tabs settings, under "When a new tab is opened, open:", it is set to "The new tab page".

Search the registry for "Babylon" and delete all instances.


App-V

Description of Application Virtualization

  • Deployed in real-time to any client from a virtual application server.
  • It removes the need for local installation of the applications.
    • Updates with no user interruptions.
  • Streamed or locally cached from the application server on demand and run locally.
    • No reboots.
  • Does not make changes to the client itself (OS file system and/or registry).
  • App-V applications are also sandboxed from each other, so that different versions of the same application can be run under App-V concurrently.
  • Centralized installation and management of deployed applications.
  • Policy-based access control; administrators can define and restrict access to the applications.
  • Moving to a new PC or a new version of Windows? Simply sign on to your new computer and your applications are available on demand.
  • Track application licensing and meter usage.
  • Integrates with System Center Configuration Manager.


Transparent Caching

Windows 7 keeps a cached copy of all files that a user opens

When you enable transparent caching, Windows 7 keeps a cached copy of all files that a user opens from shared folders on the local volume. The first time a user opens the file, the file is stored in the local cache. When the user opens the file again, Windows 7 checks the file to ensure that the cached copy is up to date and if it is, opens that instead. If the copy is not up to date, the client opens the copy hosted on the shared folder, also placing it in the local cache. Using a locally cached copy speeds up access to files stored on file servers on remote networks from the client. When a user changes a file, the client writes the changes to the copy of the file stored on the shared folder. When the shared folder is unavailable, the transparently cached copy is also unavailable. Transparent caching does not attempt to keep the local copy synced with the copy of the file on the remote file server as the Offline Files feature does. Transparent caching works on all files in a shared folder, not just those that you have configured to be available offline.


Transparent caching is appropriate for WAN scenarios and has several similarities to BranchCache. Some significant differences are that clients on the local area network do not share the cache and that file servers hosting the shared folders do not need to be running Windows Server 2008 R2 to support transparent caching. It is also possible to use transparent caching on clients running Windows 7 Professional and on clients that are not members of an AD DS domain, something that is not possible with BranchCache. Windows 7 triggers transparent caching when the round-trip latency value exceeds the amount specified in the Enable Transparent Caching policy.


Before Windows 7, to open a file across a slow network, client computers always retrieved the file from the server computer, even if the client computer had recently read the file. With Windows 7 transparent caching, client computers cache remote files more aggressively, reducing the number of times a client computer might have to retrieve the same data from a server computer.


The first time a user opens a file in a shared folder, Windows 7 reads the file from the server computer and then stores it in a cache on the local disk. The second and subsequent times a user reads the same file, Windows 7 retrieves it from disk instead of reading it from the server computer.


To provide data integrity, Windows 7 always contacts the server computer to ensure the cached copy is up-to-date. The cache is never accessed if the server computer is unavailable, and updates to the file are always written directly to the server computer. Transparent caching is not enabled by default on fast networks.


IT Professionals can use Group Policy to enable transparent caching, to improve the efficiency of the cache, and to save disk space on the client, configuring the amount of disk space the cache uses and preventing specific file types from being synchronized.


These benefits are transparent to end-users and provide an experience for users at branch offices that more closely resembles the experience of being on the same LAN as servers. Additionally, the improved cache efficiency can reduce utilization across WAN links.


Microsoft TechNet Web page: http://technet.microsoft.com/en-us/library/dd637828.aspx.