Author Archives: Thomas.Marcussen

About Thomas.Marcussen

Technology Architect & Evangelist, Microsoft Trainer and Everything System Center Professional with a passion for Technology

How to Use TZUtil to Set or Display Time Zone

Posted on by
Reply
  1. Click on Start -> All Programs -> Accessories, and click on Command Prompt, or simply type Cmd in Start Search and hit Enter.
  2. Use the following TZUtil syntax to construct the command:TZUTIL <? | /g | /s TimeZoneID[_dstoff] | /l>

    Parameters available is /? (displays usage information), /g (displays the current time zone ID), /s (sets the current time zone using the specified time zone ID, with the _dstoff suffix disables Daylight Saving Time adjustments for the time zone), and /l (lists all valid time zone IDs and display names).

    For example:

    TZUTIL /g
    TZUTIL /s “Pacific Standard Time”
    TZUTIL /s “Pacific Standard Time_dstoff”
    TZUTIL /s “GMT Standard Time”

    The last command will set the PC time zone to Greenwich Meridian Standard Time (GMT or UTC).

    Tip: To get a list of available time zone IDs, type TZUTIL /l. – would have been nice in XP!

Some examples to trigger SMS/SCCM Client Actions from command line

Posted on by
Reply

Disable Software-Distribution:
WMIC /namespace:\rootccmpolicymachinerequestedconfig path ccm_SoftwareDistributionClientConfig CREATE ComponentName=”Disable SWDist”,Enabled=”false”,LockSettings=”TRUE”,PolicySource=”local”,PolicyVersion=”1.0″ ,SiteSettingsKey=”1″ /NOINTERACTIVE

Re-Activate Software-Distribution:
WMIC /namespace:\rootccmpolicymachinerequestedconfig path ccm_SoftwareDistributionClientConfig WHERE ComponentName=”Disable SWDist” delete /NOINTERACTIVE

Trigger Hardware Inventory:
WMIC /namespace:\rootccm path sms_client CALL TriggerSchedule “{00000000-0000-0000-0000-000000000001}” /NOINTERACTIVE

Trigger Software Inventory:
WMIC /namespace:\rootccm path sms_client CALL TriggerSchedule “{00000000-0000-0000-0000-000000000002}” /NOINTERACTIVE

Trigger DataDiscoverRecord (DDR) update:
WMIC /namespace:\rootccm path sms_client CALL TriggerSchedule “{00000000-0000-0000-0000-000000000003}” /NOINTERACTIVE

Force a FULL HW Inventory on next HW-Inv Schedule:
WMIC /namespace:\rootccminvagt path inventoryActionStatus where InventoryActionID=”{00000000-0000-0000-0000-000000000001}” DELETE /NOINTERACTIVE

Repair SMS/SCCM Agent on a remote client:
WMIC /node:%MACHINE% /namespace:\rootccm path sms_client CALL RepairClient

Repair a list (all clients listed in clients.txt) of remote SMS/SCCM Agents:
WMIC /node:@clients.txt /namespace:\rootccm path sms_client CALL RepairClient

Setup BPOS Active Directory synchronization

Posted on by
Reply

To synchronize your AD Domain with your BPOS environment, follow the steps below.

  • Log in on your Microsoft Online Services Administration Center, Click the [Migration] tab and then click the [Configure] button in the “Directory Synchronization” Section.
    BPOS Directory Synchronization
  • Read the  “Plan for Directory Synchronization” and check the checkbox, confirming that you read it.
  • Press the [Enable] button in step 2, to enable BPOS for the synchronization.
  • Press the [download] button in step 3. This will open a where you can download the synchronization tool.
  • Now you should install the synchronization tool, but mind the following restrictions:
    – Supported OS: Windows Server 2003 Service Pack 2; Windows Server 2008
    – Can’t be installed on a domain controller
    – Can’t be installed on x64
    Powershell v1.0 has to be installed
  • Execute the file you downloaded in the previous step (dirsync.exe).
    – do not interrupt the installer
  • The installation is a Next, Next, Finish installation. You will be staring at a progress bar for quite a long timeinstallatie_ADSyncTool
  • After the initial install you can start the Configuration Wizard.
    Before you proceed be sure, you have the following things:
    – An user account who is an BPOS Administrator (probably the one you used to login with in step 1)
    – An Enterprise Administrator Account
    If you have these then the configuration is again almost, Next, Next, Finish.
  • At the end of the configuration, choose “”Synchronize directories now”
    – do not create any user object in your BPOS environment during this sync.
  • Within a few minutes, you can then view your imported users in your BPOS environment, they are all imported under the “Disabled User“ view (Tab [Users] > [User List], under view select “Disabled Users”).

From here you can now enable the users. A bit annoying is the fact that the list doesn’t use paging, you can only go 1 step through the list or to the end (or is that because I only had 2 pages?)

So now some things that are interesting to know:

  • The tool creates a service account named MSOL_AD_Sync. This will be a domain account with directory replication permissions on your AD.
  • A service will be installed on your ”sync station”.
  • The time needed for a synchronization depends on how many objects you have.
    500 objects will take about 5 min. to sync the first time, after the about 30 sec.
    1000 objects will take 10 min, after that 1 min.
    500o objects will take 45 min, after that 5 min.
    15000 objects will take 2.5h, after that 10 min.
    All depending on your bandwidth of course, for more than 20.000 objects contact Microsoft.
  • An uninstall of the tool, will not delete the MSOL_AS_Sync account, you have to do this manually.
  • The tool will sync every user in your complete forest, so whenever you must delete a domain in your forest this will impact your BPOS environment. To delete the domain, you must complete some “in-between” steps.
  • Every 3 hours there will be a scheduled sync.

This error will appear “049: LDAP injection characters were found in the user alias” if you have used invalid characters like & and !

User state migration fails on a SCCM 2007 SP1 or SP2 client after you install security update 974571 – SCCM Hotfix available: KB977203

Posted on by
Reply

The actually workaround before this hotfix came out, was is to uninstall the 974571 hotfix on computers before running USMT task sequence. This workaround works fine but was not sufficient for many customers (The opposite would have been funny ).

Consider the following scenario:

  • You install the System Center Configuration Manager 2007 Service Pack 1 (SP1) client or the System Center Configuration Manager 2007 Service Pack 2 (SP2) client.
  • You install security update 974571 on this computer.
  • A SCCM task sequence runs on this client. This task sequence includes the Capture User State task sequence step and the Restore User State task sequence step.

In this scenario, user state migration fails. At the same time, the following error message is logged in the Ccmexec.log file:

Failed to import the client certificate store (0x80092024) OSDSMPClient

For all the details including a download link to the hotfix see the following new Knowledge Base article:

KB977203 – User state migration fails on a SCCM 2007 SP1 client or on a SCCM 2007 SP2 client after you install security update 974571

Microsoft System Center Configuration Manager 2007 SP2 Evaluation

Posted on by
Reply
Brief Description
Configuration Manager 2007 SP2 Evaluation is a full version of the product that is valid for 180 days from the time of installation.

Overview

Service Pack 2 for Configuration Manager 2007 delivers new platform support for Windows 7 client, Windows Vista SP2, Windows Server 2008 R2 and Windows Server 2008 SP2. In addition, Service Pack 2 delivers continued innovation with Intel vPro technology, support for Branch Cache enabled environments, and continued development for 64 bit architectures.
Feature Summary

  • New Operating System Support
    • Windows 7
    • Windows Vista Sp2
    • Windows Server 2008 R2
    • Windows Server 2008 SP2
  • New Features in Out of Band Management
    In addition to providing feature parity with SP1 and AMT firmware versions 3.2.1, 4.0 and 5.0, the following new features are supported:

    • Wireless management with up to 8 wireless profiles
    • End point access control: 802.1x support
    • Audit logging
    • Support for different power states
    • Power control options at the collection level
    • Data storage
    • Scheduling configuration for in-band provisioning
  • Asset Intelligence Certificate Requirement Removal
    Configuration Manager Service Pack 1 introduced Asset Intelligence v1.5. This version allowed customers to configure an online synchronization to ensure that their catalog was up to date with the latest Microsoft inventory for both hardware and applications. This initial release required a certificate. With Service Pack 2, the requirement to have the certificate has been removed, so any customer can configure their Asset Intelligence capabilities to connect online and update their catalog. Software Assurance is not required for this functionality.
  • 64-bit Architecture Development
    Service Pack 2 will also continue to deliver new support for x64 architectures, including the following:

    • X64 support for Operations Manager 2007 Client Agent
    • Update to Management Packs for 64-bit operating systems – SP2 will ship 64-bit performance counters (the management pack is a separate release)
    • Remote control support added for x64 XP and x64 Server 2003
  • Improved Client Policy Evaluation
    • Faster policy processing
    • More efficient software distribution configured to run at user logon
  • Branch Cache Support
    Support for scenarios where Windows Server 2008 R2 and Windows 7 Client are present and Branch Cache is enabled

System Requirements

  • Supported Operating Systems: Windows 2000 Advanced Server; Windows 2000 Service Pack 4; Windows 7; Windows Embedded for Point of Service ; Windows Server 2003; Windows Server 2003 R2 (32-Bit x86); Windows Server 2003 R2 Enterprise Edition (32-Bit x86); Windows Server 2003 Service Pack 1; Windows Server 2003 Service Pack 2; Windows Server 2008 Datacenter; Windows Server 2008 Enterprise; Windows Server 2008 R2; Windows Server 2008 Service Pack 2; Windows Vista Ultimate
Download at: http://www.microsoft.com/downloads/details.aspx?FamilyID=3318741A-C038-4AB1-852A-E9C13F8A8140&displaylang=en

10 Ways to Secure Windows 7

Posted on by
Reply

Use the Windows 7 Firewall

The firewall in Windows 7 is a spin off of Windows Vista and is easy and is very secure and powerful. With features to secure you and step by step instructions, Windows 7’s firewall is a very powerful firewall that allows a detailed configuration giving the end user true protection from malicious threats.

Backup Your Data

Windows 7 allows you an easier to use backup option that allows you to walk through a step by step backup of your critical data. This option is often over looked by home users. The simple and easy to use backup allows the end user to backup their data in the event of a system crash. Microsoft Windows 7 allows for a system image to be created as well as files to be backed up.

Use Internet Explorer 8

A recent study showed Internet Explorer 8 beat out Firefox and other major browsers in protecting your computer. With SmartScreen Filter, this addition allows users to surf websites that are labeled in Microsoft’s database as legitimate or malicious. Go to the Safety menu for more information on how to enable this option. Cross-site scripting and other websites that are vulnerable are noted.

Enable BitLocker

This encryption can allow the entire volume of your computer to be secured. With BitLocker, you can encrypt the boot system and any removable media on your computer. With USB thumbdrives being portable, this is one of many ways you can encrypt your system. Third party software such as Truecrypt, blah and blah which are all Windows 7 compatiable, Windows 7 can be further encrypted to provide a strong barrier against data theft. Always save your encrypted information and passwords / phrases. Loss of these items can result in you losing your valuable information.

Updates and Patches

Microsoft years ago set aside security dates monthly to ensure computers had hotfixes / patches to ensure your computer is protected. Although these patches are for Windows, you should look at SUMo or Secunia to ensure your computer’s applications are also patched.

Antivirus / Antimalware

Ensuring your computer has protection against viruses and malware is essential. With the dozen or so applications that are free to use, these applications provide protection against the malicious injection of viruses or malware on your system. With zero day threats along with malicious activities found on thousands of websites, antivirus and antimalware protection allows further protection against these threats from infecting your computer.

Keep the UAC

Keeping the ‘what users call’ annoying UAC prompts helps you make the critical descisions in and when installing software. With smarter malware and viruses, the UAC helps you decide on what is legitimate and what may be a dangerous piece of software. Windows 7 allows you to adjust this protection agent. The UAC in Windows 7 is less annoying than Windows Vista. Microsoft has adjusted this feature to help the end user.

Sharing Information

When sharing out files or folders, make sure you only allow specified users to assess your data. With Windows 7 Folder and File sharing being easier than ever, you must specifiy individual users whom you wish to share the data. Never allow all users to veiw data and avoid appications such as P2P file sharing programs to share out information on your hard drive. Research has shown that using such software leaves users vulnerable to accidently placing files in the shared folder and users across the globe have access to the data in the shared folder.

Restricting User Access

Physical security plays an important role in computer security. Many homes and business allow the sharing of a common computer. Setup individual accounts to ensure users are logging in and creating their own sessions. Assign a user role to the computer user. Do not allow everyone to be an administrator of a common computer. This can result in many logistical nightmares from the addition of users you are unaware of, removal or addition of software and many other security nightmares. Always lock your computer when away from it for any period of time. You can do this by holding down the Windows key and hitting the ‘L’ key to lock it.

Using Email and the Internet Wisely

Many articles have been written warning users not to click fishy and unknown ads on the web, opening unknown email or going to websites that are malicious in nature. All of the information stated in these articles are true. Don’t open any email that you don’t know where it came from and don’t surf the web without surfing wisely. Restrict children from surfing the internet and control their surfing habits by using Windows 7’s Parental Controls with Web Filtering.

Conclusion

In conclusion, Windows 7 is secure out of the box. Using the above tips, the end user can further secure their system. By using antivirus, antimalware, UAC and other items, you can enhance the security of Windows 7 or any operating system.

Error creating MDT Boot Image

Posted on by
Reply

The error occurred after upgrading from SCCM SP1 to SCCM SP2.


I did a clean install of the SCCM with SP1 and after that i upgraded with SP2.

Seems to be related to the WAIK installtion that comes with SCCM SP1.
Remove the already install WAIK, Reinstall the latest WAIK.
That solved my problem.

the error shown in smsprov.log :
e:nts_sms_fresmssiteserversdk_providersmsprovsspbootimagepackage.cpp(2948) : Failed to read image property from the source WIM file due to error 80004005