Blog

I’ve recently been migrating to a Windows 7 laptop using BitLocker for full disk encryption.  Many of my co-workers have extensive experience with BitLocker, but I’ve had a desktop for a couple years and before that my laptop used GuardianEdge Encryption Anywhere.  This is my first experience with BitLocker.  To access the BitLocker Manager application go to Start -> Control Panel -> System and Security -> BitLocker Drive Encryption.  That interface is pretty much limited to allowing you to turn off/on BitLocker, suspend protection, save or print a recovery key, and reset your PIN for each of your drives. [more]

I found the “manage-bde.exe” command line utility is also useful in addition to the GUI.  The “bde” in the application’s name stands for “BitLocker Disk Encryption” and knowing that makes it a easier to remember the name.  I like running “manage-bde.exe -status” because it displays more details like the conversion status, percentage encrypted, and encryption method.  The manage-bde.exe documentation can be found at http://technet.microsoft.com/en-us/library/dd875513(WS.10).aspx.

There is also two other command line tools available. Repair-bde.exe can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker.  This would be useful if your system has a hard disk failure or if Windows exits unexpectedly.   Bdehdcfg.exe is used to prepare a drive with the partitions necessary to BitLocker Drive Encryption.  In most cases you will not need this tool because the BitLocker setup includes the ability to prepare and repartition drives as required.  The documentation for these two tools can be found at http://technet.microsoft.com/en-us/library/ee706528(WS.10).aspx and http://technet.microsoft.com/en-us/library/ee732026(WS.10).aspx respectively.

A co-worker pointed out another BitLocker tip to me.  Typically, if you make any BIOS upgrades you should suspend BitLocker, do the upgrade, and then resume BitLocker.  If you forget to do these steps the PC will constantly boot into BitLocker recovery mode.  Suspending and resuming BitLocker after the BIOS upgrade appears to reset BitLocker so it boots normally.

I was recently troubleshooting a problem where a terminal server, that happened to be a VMware virtual machine, could not browse the network.  Opening Explorer when drives were mapped would hang Explorer.  Opening Explorer with no drives mapped, but attempting to browse to a network location would hang Explorer.  Troubleshooting was complicated by this being a production server.

First, I cloned the server in VMware, renamed it, and rejoined the domain under the new name.  This allowed me to troubleshoot without further disrupting the users. [more]

Next, after extensive testing (resetting TCP/IP, cleaning DNS, running HijackThis, C-Cleaner, removing a bunch of software, etc.), I found that the Network Provider Order was incorrect.  VMware shared folders was listed first, followed by terminal services and then Windows Networking.  I reordered the list so that Windows Networking was first in the list, logged off and back on, and everything started working normally.  I replicated the fix to the production TS2 and users are able to browse the network.

After some updates were installed on an SBS 2008 server, Outlook started prompting for credentials from time to time.  Searching the Internet for this was futile.  Many incidents of this happening with many different solutions exist, but none of these worked.  A $99 case with Microsoft was opened and the tech that called back knew exactly what the cause of the problem was.  This update (http://support.microsoft.com/kb/973917) enabled kernel mode authentication with IIS and it was causing Outlook’s user mode authentication to fail. This article:

http://blogs.technet.com/b/sbs/archive/2010/02/16/outlook-2007-credential-prompts-in-small-business-server-2008.aspx

explains what broke and how to fix it by running this command as an admin:

%windir%\System32\inetsrv\appcmd.exe set config -section:windowsAuthentication /useKernelMode:false

A while back I started receiving unwanted automated calls on my Motorola Android phone at night.  It was an automated service calling my number frequently.  It was only a recorded voice on the other side.  I didn't want to turn off my ringer incase a call I was expecting came through.  It's easy to effectively block a number on your android phone without installing any apps.  Just follow these steps: [more]

1. Add the number as a contact.
2. Edit the contact.
3. Tap the menu button and then select "Options".
4. Select "Send calls directly to voicemail".

That's it.

If you haven't looked at Google's browser Chrome, now is a great time. Google wants Chrome to be the fastest, most secure and stable browser available to get more users of Google sites and viewers of Google ads. Chrome is available for Windows, OS X, and Linux. After you install Chrome from http://google.com/chrome, the program will update automatically when a new version is available. The goal of the automatic update is to not only to fix bugs as soon as possible, but to introduce new features quickly. Two new and useful features are searchable options and browser sync.  [more]

A major problem with any program is where to find the settings or options you want to change. The standard practice is to arrange the most settings/options in groups that seem to be related. Unfortunately most programmers have a different idea about what 'related' features go together compared to normal users. Chrome has implemented a search box for settings and options that makes finding what you need amazingly fast and simple. For example if you want to check the options for managing stored passwords, just enter "password" in the Options search and you will see all the settings for passwords.

The search even tells you when the searched term in on a dialog.

After getting Chrome to work just the way you want, it's a major pain to remember all the extensions and preferences when you setup another computer. That's where Chrome's Sync function comes in handy. If you have a Google account, you can save any installed Apps, form auto-fill values, bookmarks, extensions, passwords, preferences, and themes on Google's servers. Then when you choose to sync another Chrome installation on another computer, the new browser will look and act just like the one you configured. The sync works across different operating systems as well. You can chose to only sync some data. For example you might not want to sync passwords across different browsers.

MobileNoter is an iPhone App which makes Microsoft OneNote notebooks and notes available on the iPhone.

It offers two synching options, cloud and WiFi.  I chose the WiFi version because auditors use OneNote for customer notes and information.  It  costs $15, a lot for an App, not much for business software.

WiFi allows you to synch between the Microsoft OneNote application on your computer and MobileNoter on the iPhone.  Both devices must be on the same WiFi network.  You install MobileNoter on the iPhone and a synch application on the computer.  You then pair the devices to setup the connection between the two.  With that done, you select items from OneNote to be available for synching.  Then you launch MobileNoter on the iPhone and select synch. You can view and edit on the iPhone.

Microsoft has been developing a method for you to get to your notebooks seemingly anywhere. Simply upload your notebook into the cloud (under your Microsoft Live) username and you can log into to a web portal running a lite version of OneNote. If that isn’t quite good enough (and you’re an Apple iPhone user), there’s an MS developed app that can help you out. [more]

This app with sync to your cloud account and let you view a read-only copy of your notebooks. Simply search the app store for Microsoft OneNote.

I was utilizing a new USB headphone/microphone set instead of my normal devices which plug into the jacks on the side of the computer.  Everything worked great when the computer detected the new USB audio device and installed the driver.  Unfortunately, when I was done with the USB device and attempted to connect the old set of headphones, the computer would not detect them.

Upon further investigation, the computer told me there was no audio jack installed on the computer at all!  Evidently the USB device driver had disabled the audio jack completely to where it could not even be detected.  To regain sound, I had to uninstall the USB audio device driver.  This allowed me to access my audio jack settings again.

Beware of what certain device drivers can do!

I had a user that was trying to access OWA from home.  The user had the correct website and the credentials were being entered correctly, however they kept getting an error message about insufficient access.  This error was preventing the user from using OWA at all.  I could see the user account showed that they had logged in successfully by looking at the timestamps on the Active Directory User object. 
 
The problem turned out to be caused from non-inherited permissions in Active Directory.
 
The following information explaining why this happened was found from a Technet forum thread.

If your Exchange 2007 OWA is failing for a user after the mailbox is migrated from Exchange 2003 to Exchange 2007, the user account should be checked on the security tab under advanced to see if it has "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here."

1. Open up Active Directory Users and Computers
2. Go to the View menu, Advanced.
3. Locate the user in AD, right click, properties.  Jump to the security tab.
4. Click "Advanced" next to the "For special permissions or for advanced settings, click Advanced.
5. Click "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." Check box and apply.
6. Click OK and OK again.

Once changed and replicated OWA works. This is checked by default but is turned off for accounts with administrative privileges.
 
So how does this get turned off? Well if the account is an administrative account or was ever an administrative account previously. It will be turned off automatically.
 
Reference the following.
XADM: Do Not Assign Mailboxes to Administrative Accounts http://support.microsoft.com/kb/328753 which says
 
By not assigning mailboxes to accounts with administrative permissions, you avoid security issues related to "elevation of privilege" attacks. For example, in an elevation of privilege attack, a security hole exists in which Group X is made a member of the Domain Administrators group, and access control lists (ACLs) exist on Group X that permit Group Y to modify Group X. In this situation, members of Group Y can make themselves members of Group X and so become a member of the Domain Administrators group.
 
To help guard against such security issues, the Administrator account and accounts that are members of these security groups are not permitted to inherit permissions. On the Security tab of the group or account's properties page, you can see that the Allow inheritable permissions from parent to propagate to this object check box is not selected. Moreover, if you click to select this check box, a Microsoft Windows 2000 system task soon clears it automatically. Clearing the check box is a function of Windows 2000 intended to prevent hackers from playing with security and inappropriately increasing their permissions to the level of administrator.
 
As a side effect of this inheritance setting, if you do try to use a mailbox assigned to an administrative account, you may not be able to log on to or resolve the mailbox. Also, in Exchange System Manager, although the Administrator account can have an Exchange 2000 alias and an Exchange 2000 mailbox, it does not have e-mail addresses. The Recipient Update Service, which updates the e-mail addresses and several other attributes, does not have the authority to update objects if the Allow inheritable permissions from parent to propagate to this object check box is not selected.

The other day I was setting up a scheduled task on a 2008 server using Microsoft's "new" task scheduler.  The task scheduler is pretty robust with lots of bells and whistles, but I ran into a subtle problem with the "Start-in" field on the "application to run" section.  When setting up my task, I had used the Shift+Right Click feature to "Copy as path" the folder where my script was located.  When using this feature the copied path is contained within double quotes (regardless of if there are spaces in the path).  The problem is the "Start-in" field cannot contain quotes.  If it does, your scheduled task will fail to start.

Thankfully, the error code returned quickly led me to the following article: http://www.arcomit.co.uk/support/kb.aspx?kbid=000058.  Once I removed the double quotes everything worked great.