I have a friend that is moving from Outlook 2003 to 2010, and who had trouble figuring out how to move their mail to a PST (offline mail store).  In case anyone else is looking to do this, here we go:

In the top left of Outlook, click on “File”.

Click on the Account Settings drop down, and then click “Account Settings…”

In the window that pops up, click the second tab “Data Files”

Click on the “Add…” icon, and then give your PST file a name (they call it “Outlook Data File, which makes much more sense to end users), choose where it goes, and then hit “OK”.  By default in Windows 7, it goes into your My Documents folder into a folder called “Outlook Files”. 

I’m not sure what Outlook 2010 does on earlier versions of Windows, but Outlook 2007 and earlier defaulted to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook.  I know that because I used to have a job upgrading PC’s in a large enterprise to Windows XP, and I had to manually move over the PST files that people forgot to back up.  That path is burned into my brain :)

Close the Account Settings window, and you will be back to the main Outlook window.  Your new PST (Outlook Data File) will be over on the left, and you can create new folders and drag mail into them (or setup rules).

As you have probably seen on every blog under the sun, Hyper-V has released.

Rather than rehash the announcement, I thought I would try something fun.  How hard is it to get various Linux distributions up and running in Hyper-V?

The official list of supported operating systems on Hyper-V is available here: http://www.microsoft.com/windowsserver2008/en/us/hyperv-supported-guest-os.aspx.  While there are a ton of supported Operating Systems, you will notice only one supported Linux distro:

Linux Distributions (VMs configured with 1 virtual processor only)

• SUSE Linux Enterprise Server 10 with Service Pack 2 x86 Edition

• SUSE Linux Enterprise Server 10 with Service Pack 2 x64 Edition

• SUSE Linux Enterprise Server 10 with Service Pack 1 x86 Edition

• SUSE Linux Enterprise Server 10 with Service Pack 1 x64 Edition

Before we go any further, I want to clarify "supported" (and this is my own paraphrasing, not the Official Microsoft Support Policy).  Supported means that we have thoroughly tested a specific configuration.  If you have a problem, you can call up Microsoft Support, and we will troubleshoot and resolve the problem, and release a fix if necessary.  If the problem is with somewhere in SUSE, we can work with the fine folks at Novell to have a fix released on their end.  In other words, if you are running SUSE Linux Enterprise Server 10 on top of Hyper-V and encounter a problem, between Microsoft and Novell, we will support you. If you are running your company on Hyper-V virtualized instances of BeOS or Ubuntu... you do so at your own risk.  Is it because we hate BeOS or Ubuntu?  Heck No!  It's just that we can't do a whole lot to fix a problem when a linux kernel update breaks compatibility.  Can you imagine the slashdot story if we released updates to the Linux kernel?  Good grief!

<double-negative alert!>

Just because something isn't "supported", however, doesn't mean that it won't work.

</double-negative alert!>

If you are running servers in a production environment, you want to be in a supported configuration (see above). If you are a an IT-Pro geek that just likes playing with things to see how they work, then you can throw caution to the wind and try things out that haven't been tested :)  With that... let's load a few distros up on Hyper-V!

(by the way, Hyper-V has a really cool "Capture screen" option that is awesome for taking screenshots :)

#1 OpenSuse 11

On Virtual PC 2007, OpenSuse 10.2 installed like a champ.  OpenSUSE 11 was somewhat touch-and-go.  On Hyper-V, OpenSUSE 11 installs and runs like a champ.  The following screenshots are all from the installation:

The only thing that did not work when I hit the desktop was the network adapter.  By default, Hyper-V uses a synthetic network adapter, which requires you load integration components.  From the read-me for the Linux integration components (downloadable from http://connect.microsoft.com):

When installed into a virtual machine running a supported Linux operating system, the Linux Integration components provide the following functionality:

· Driver support for synthetic devices: The Linux integration components include support for both the synthetic network controller and synthetic storage controller that have been developed specifically for Hyper-V. These components take advantage of the new high-speed bus, VMBus, which was developed specifically for Hyper-V.

· Hypercall adapter: The Hypercall adapter is a thin layer of software that sits underneath the Xen-enabled Linux kernel, and translates the Xen-specific virtualization function calls to Microsoft Hyper-V hypercalls. This results in faster performance for the Linux virtual machine.

· *BETA* Mouse Support: Support for the synthetic mouse device has been added in the form of an early “preview” driver. This new mouse support allows the mouse to move in and out of the window without having to use the CTRL-ALT-LEFTARROW key command to break out.

· *BETA* Fastpath Boot Support: Support for faster single disk configurations has been added to the RC2 release. Boot devices now take advantage of the storage VSC to provide enhanced performance.

In other words, it makes everything go faster.  I don't know if these components only work with SUSE Linux Enterprise Server 10, but the read-me does mention that "Integration Components for Red Hat Enterprise Linux 5 will be available in a future update." 

The install procedure looked too complex for a Saturday evening, so I will give you the workaround that (should) work on all distributions, whether or not integration components are available.  Shut down the VM, go into the properties, and add a legacy network adapter. 

Once back in the running OS, I had to run the two following commands to get an IP address, and then networking worked fine:

sudo /sbin/ifconfig eth0 up

sudo /sbin/dhclient

The other thing that does not work is sound, but that is because Hyper-V is a server product, and in the datacenter, no-one can hear you beep.  With Windows, you can get sound by RDP-ing into the VM (steps courtesy of James O'Neill here), but beats the heck out of me how you might get it to work on Linux.  Other than that, OpenSUSE 11 works like a champ, with no wrangling needed to get it up and running.

#2 Ubuntu 8.04 x64

I've done a ton of installs of Ubuntu (for the last several versions) in Virtual PC 2007 here: http://blogs.technet.com/seanearp/search.aspx?q=ubuntu&p=1.  All have had varying levels of success, and all of them have required a ton of tweaking to get running.  In Hyper-V, install was a snap.  The only snag was the fact that Ubuntu defaulted to a screen resolution of 1600x1200, which was much larger than my physical monitor, so I had to scroll around quite a bit during initial setup.  Once I logged on, I was able to change the resolution through the GUI, and all was well.  As with OpenSUSE, requires the Legacy Network Adapter to be able to browse the Internet.

#3 Fedora 9 x64

You can read about my attempts to install various version of Fedora on Virtual PC 2007 here: http://blogs.technet.com/seanearp/search.aspx?q=fedora&p=1.  All of them have required tweaking to get things like the mouse to work or the kernel to boot.  On Hyper-V, Fedora 9 x64 installs (just like OpenSUSE and Ubuntu) with no problems at all.  Like Ubuntu, it defaulted to a strange screen resolution (1152x864), but I was able to change the resolution in the GUI with no problems.  Fedora x64 works just fine on Hyper-V as well!

Yaaaay.

I will leave you with a screenshot of the Hyper-V manager showing me running with a mix of 32-bit and 64-bit virtual machines, both Linux and Windows, and all working like a champ.  How's this for the ultimate geek playground?!?!?  I can setup and tear down machines at will, play with them, and practice setting up networks, all on a quite-responsive Hypervisor.  Good times!

Remember... just because it isn't supported, doesn't mean it won't work. (Just don't call Microsoft looking for support ;)

Just noticed two really nice Windows Vista Ultimate wallpapers over on the official Windows Vista Ultimate site.  You can set them as the desktop background on any OS (Vista or otherwise), but... why would you?

Back in March, I wrote about one of the important new features in Windows Server 2008, the Fine-grained password policy (also a great post for learning more about passwords in general).  In any case, there has been an increase in available documentation and tools relating to FGPP (I don't know if that's a real acronym, I just wanted to save myself some typing ;)

• AD DS: Fine-Grained Password Policies
• Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration

Some Microsoft MVPs have also created some nice GUI tools to configure Fine Grained Password Policies:

• Christoffer Andersson created the Fine Grained Password Policy Tool.
• Dmitry Sotnikov created the PowerGUI, available here.
• Arlindo has a nice overview of the above tools (with screenshots).

As I am busy procrastinating (and avoiding work on a presentation I need to give on Monday), I thought I would walk through the official Microsoft way of creating the password policies.  In case you have installed the Release Candidate of Windows Server 2008 and plan on following along, you will want to make sure that you are running at the 2008 functional level, and that you have the Active Directory Domain Services role loaded.

Let's go...

1. Start --> Run --> gpmc.msc
2. Expand Forest: yourforest.com.
3. Expand Domains\yourdomain.com.
4. Right Click Default Domain Policy and Click Edit.
5. Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

Here you can see your default domain-wide password policy.

Now let's create a custom password policy that can be assigned directly to a user or group.  We're going to be using adsiedit, so prepare to roll your sleeves up!  Close out of all open windows, and:

1. Start --> Run --> adsiedit.msc

2. Right-click on ADSIEdit, connect to:

3. Hit Ok.

4. Expand to Default Naming content\DC=yourdomain,DC=com\CN=System\CN=Password Settings Container\

3. Right-Click Password Settings Container and click New – Object.

4. Select msDS-PasswordSettings, click next.

5. Value: SeansPasswordSettings, click next. (or whatever you want to name your Password Settings Object (PSO)

The next set of options are all EXTREMELY cryptic.  I will put a brief explanation next to each, but if you are doing this in real life, you will want to consult the settings reference on step 1 of the Step-by-Step Guide.

6. Under msDS-PasswordsSettingsPrecedence set the value of 10, click next. (This value needs to be a number larger than zero.  If you have multiple PSOs, the PSO with the lowest priority takes precedence).

7. Fill in the following attributes for password settings:

· msDS-PasswordReversibleEncryptionEnabled (self explanatory)
Value = False

· msDS-PasswordHistoryLength (Also self explanatory... you can keep up to 1024)
Value = 15
(domain default: 24)

· msDS-PasswordComplexityEnabled (Upper, lower, number, blah blah blah)
Value = True

· msDS-MinimumPasswordLength (If only everyone were using pass-phrases instead of passwords)

Value = 12
(domain default(chars): 7)

Now we get into crazy land. MinimumPasswordAge, MaximumPasswordAge, LockoutObservationWindow, and LockoutDuration must all be entered in I8 format.

To quote from TechNet:

When you use ADSI Edit to create Password Settings objects (PSOs), enter the values of the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.

When you use the ldifde command to create PSOs, you must enter the values of these attributes in I8 format, which stores time in the intervals of -100 nanoseconds. (Schema: attributeSyntax = 2.5.5.16 (I8).) Windows Server 2003 Default Domain Policy employs this exact time unit for its corresponding time-related attributes. To set these attributes to appropriate values, convert time values in minutes, hours, or days to time values in the intervals of 100 nanoseconds, and then precede the resultant values with a negative sign.

You can use the following conversion guide and multiplication factors to obtain the corresponding I8 values.

Time unit

Multiplication factor

m minutes

-60*(10^7) = - 600000000

h hours

-60*60* (10^7) = -36000000000

d days

-24*60*60*(10^7) = -864000000000

For example, if you want to set the msDS-MaximumPasswordAge to 10 days, multiply 10 by -864000000000 and apply the resulting I8 value to the msDS-MaximumPasswordAge attribute (in this example, -8640000000000). If you want to set msDS-LockoutDuration to 30 minutes, multiply 30 by -600000000 to get the corresponding I8 value (in this example, -18000000000).

· msDS-MinimumPasswordAge
Value = -864000000000 (Nine zeroes)
(domain default: 1 day = -864000000000)

· msDS-MaximumPasswordAge
Value = -36288000000000 (Nine zeroes)
(domain default: 42 days = -36288000000000)

8. Fill in the following attributes for account lockout settings:

· msDS-LockoutThreshold

Value = 0
(domain default: 0 = don‘t lockout accounts after invalid passwords)

· msDS-LockoutObservationWindow

Value = -18000000000 (Nine zeroes)
(domain default: 6 min = -18000000000)

· msDS-LockoutDuration

Value = -18000000000 (Nine zeroes)
(domain default: 6 min = -18000000000)

9. Click Finished.

If you get an error message about improper values, you probably forgot to add a "-" before some of the numbers listed above.  Don't feel bad if you did, I manage to do it every time I run through this :)  If you did everything right, it should look something like this:

Go ahead and hit "OK" and then close out of all open windows.  Now that you have created a password policy, we need to apply it to a user/group.  In order to do so, you must have "write" permissions on the PSO object.  We're doing this in a lab, so I'm Domain Admin.  Write permissions are not a problem :)

1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers).
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.

If you do not see msDS-PsoAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/Optional. Also, clear the Show only attributes that have values check box.

7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.

To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the user or the global security group, and then click Properties. On the Attribute Editor tab, view the value of the Distinguished Name attribute in the Attributes list.

Voila!  Hit "OK" a couple of times, and your users/groups now have a custom password policy assigned to them.  No longer do you have to have separate domains for your developers and standard users.  Good times :)

Fedora 9 was released last week, which you can download here: http://fedoraproject.org/get-fedora.html.  What's new?  Highlights from the release notes include:

• GNOME 2.22. GNOME now includes a webcam photo and video creation utility called Cheese, improved network filesystem support, a new international clock applet, Google Calendar support and custom email labels in Evolution, a new Remote Desktop Viewer, improved accessibility features, and PolicyKit integration.

• KDE 4.0.3

• Xfce 4.4.2

• NetworkManager 0.7 provides improved mobile broadband support, including GSM and CDMA devices, and now supports multiple devices and ad-hoc networking for sharing connections.

• The Fedora installer, Anaconda, now supports partition resizing for ext2/3, NTFS filesystems, creating and installing to encrypted file systems, improved Rescue Mode with FirstAidKit, independent locations for the second stage installer and the software packages. A redesigned, larger netboot.iso image now features a second stage installer partly for this reason.

• PackageKit, a new set of graphical and console tools, with a framework for cross-distribution software management, has replaced Pirut in this release of Fedora. The PackageKit graphical updater is available instead of Pup. Behind PackageKit, the performance of yum has been significantly improved.

• Ext4, the next version of the mature and stable ext3 filesystem is available as a option in this release. Ext4 features better performance, higher storage capacity and several other new features.

• This release of Fedora uses Upstart, an event-based replacement for the /sbin/init daemon.

• Firefox 3 brings a number of major improvements including a native look and feel, desktop integration, the new Places replacement for bookmarks, and a re-worked address bar.

• OpenOffice.org 2.4, with many new features, is available as part of Fedora 9.

• Fedora 9 features a 2.6.25 based kernel.

• Kernel crashes can be more automatically reported to http://www.kerneloops.org/ and diagnosed in a friendly way via the kerneloops package installed by default. Crash signatures are commonly referred to as oopses in Linux.

• Work on the start-up and shutdown in X has yielded noticeable improvements.

Will this be the installation that "Just Works" out of the box?  Nope.  Same problem that Ubuntu 8.04 has within Virtual PC... "An unrecoverable processor error has been encountered.  The virtual machine will reset now."  Good times!

Fortunately, from our work with Ubuntu, we know the solution.  On the main boot screen, hit [Tab] to edit the options. Add noreplace-paravirt to the end of the boot parameters, and hit enter.

There we go... Fedora is able to boot the kernel and start up anaconda.  The problems I noted in my previous Fedora Posts (Fedora Core 6, Fedora 7, and Fedora 8)  of no mouse and messed up graphics seems to have been fixed.  Very Nice!

Stepping through the installer options is relatively plain-jane, until you get to the hard drive partitioning screen.  Is that an "Encrypt system" checkbox I see?  Why, yes it is!  I am guessing that this is a Bitlocker-esque feature, although I can't make heads or tails of how exactly this feature works on the Fedora Encrypted Filesystem Support page. Enabling the feature is easy enough, you just check the box and enter a passphrase twice. 

Does it work with a TPM? Backup to a USB key? Escrow your key into your LDAP directory for safekeeping?  Beats the heck out of me... I wasn't ever prompted for anything relating to those safeguards.  I don't even know what encryption algorithm it uses.

After hitting "Next" a few more times, Fedora finishes installing with no problems.  After rebooting, however, unless you are SUPER-quick on the keyboard, you will hit the unrecoverable processor error. You'll need to hit any key, and then "a".  As before, add noreplace-paravirt to the end of the boot parameters, and hit enter to continue booting.

As mentioned before, I chose the option to encrypt my boot drive.  The screenshot below is the highly intuitive user interface asking me to enter my passphrase.  What else could "Enter LUKS passphrase for /dev/sda2" possibly mean?

Finally... the hallowed Fedora boot screen.  Looks pretty nice!

After a final few questions (creating user, re-confirming my time preferences), I am asked to send my Hardware Profile to Fedora.  This is actually a great idea!  Perhaps if enough people send a profile showing that they are running on Virtual PC/Virtual Server, some of these silly bugs requiring workarounds (such as Fedora 8 requiring "i8042.noloop" and Fedora 9 requiring "noreplace-paravirt") could be fixed before the OS releases.  Heck, Virtual PC is free.  No incremental cost is involved in adding it to the test matrix!

After logging into the desktop, and checked for updates.  A mere 5 days after release, there are already 22 bug fixes and 4 security updates, including a network-exploitable remote memory leak in the kernel.  Good times.

Looking around, it seems that I must have missed the option during the initial install of the OS to include KDE, which I prefer to Gnome.  To be honest, I have absolutely NO idea where to install KDE once Fedora is up and running.  I went into Administration --> Add/Remove Software, but it finds no software at all to install.  You would think it has something to do with the Repository Sources, but my only options there are various Fedora ones. (Fedora 9 - i386, Updates, etc). 

According to the Software sources help, "At this time, PackageKit does not offer a way to add new repositories to your system.  It only allows you to enable or disable known repositories".

Oh well.  No KDE for me.

Other than that, Fedora seems quite plain-jane (as I mentioned earlier with the installer).  The simplicity is nice, but nothing really stands out that would make anyone want to switch from Vista (or Ubuntu, or Mac OS X).  I wonder if this is a side effect of the fact that Red Hat is leaving the desktop Linux business.

One final reminder... to make sure that you do not have to enter the noreplace-paravirt each time you boot up, go edit your /etc/grub.conf file to add that parameter at the end of the line that looks something like kernel /vmlinuz-2.6.25.3-18.fc9.i686 ro root=dev/VolGroup00/LogVol00 rhgb quiet.  If you ever update your kernel, you'll have to do it again.  Oh well... maybe Fedora 10 will fix this issue.  I'll keep my fingers crossed...

My "Running Linux in Virtual PC" posts seem to be some of my more popular reading, so let's have a go at the recently released Fedora 8 (It's no longer Fedora Core).

As with most distributions, if you try to install it right off the ISO, you will rapidly hit the "screwed up graphics".  Virtual PC 2007 does not support 24-bit color, and guess what mode is used by most Linux installers?  Good times :)  You could install in text mode, but as it is no longer 1992, let's do this in graphics mode.  Unfortunately, the tricks I list for installing Ubuntu do not work for Fedora.  Oh well...

First off, you will want to download the ISO here: http://fedoraproject.org/get-fedora

Create a new virtual machine, and at the first screen hit "tab" for additional options.  You will want to add "vesa" to the end of the boot parameters to fix the screwed up video problem.  Booting at this point will introduce you to the other problem plaguing recent distros in Virtual PC... a non-functional mouse.  Fortunately, I have the fix for this as well :)  Add "i8042.noloop"

Hit enter, and you will end up in Anaconda (the Fedora installer) with functional graphics and a working mouse.  WOOHOO!

The next few options (language, keyboard layout, etc) are all quite standard.  It appears that the Fedora team has decided to go with a knock-off of Apple's Aqua glowing orb circles.  Interesting...

We get the standard option to choose what packages are installed (Office and Productivity, Software Development, or Web Server).  You can select the checkbox for "Additional Fedora Software" to get packages that were not chosen for inclusion on the DVD. 

If you are not up for an hour of hand-picking which packages are installed, Fedora 7 introduced the concept of "spins" (special ISOs of the distribution with custom package sets).  At the time of this writing, the available spins (http://spins.fedoraproject.org/) are:

• Fedora 8 Live Games i686
• Fedora 8 Live Developer i686
• Fedora 8 Live FEL i686

Next comes "grab some coffee" time while Fedora installs. Avoiding a problem that has plagued installers since the beginning of time, Fedora doesn't even bother to estimate how much time is left.

When you are done installing, go ahead and reboot.  Graphics will work fine, but the mouse will not work again.  <sigh...>  make sure to stop the reboot at grub, press "e" to edit, and add our hallowed i8040.noloop parameter to the 2nd line (the one that starts with kernel).  After editing the line, hit enter and then "b" to boot.  We'll have to do this one more time later to save the change for good.

Now you can finish booting and walk through the first-run setup wizard!

After walking through the options, you will finally be at the (somewhat funky looking) Fedora login screen.

After logging in, let's fix that mouse problem for once and for all.  Well... until Fedora updates the Kernel, then you'll have to repeat these steps. 

Go to Applications --> System Tools --> Terminal

Normally, I would do the following commands with Sudo, but I get a message that I am not in the sudoers file.  Wierd... feel free to fix that if you'd like and do the following with sudo.  I'm just going to violate security best practices and elevate to root with SU.  So:

1. "SU"
2. nano /boot/grub/menu.lst
3. Arrow down to the line starting with "kernel".  Arrow to the end of the line and add i8042.noloop
4. ^O to write out
5. Enter
6. ^X to exit
7. Type exit and hit enter (twice).  Once to exit your elevated root prompt, and once to exit the terminal.

Hooray!  You should have a working mouse from now on :)

So what is new in Fedora 8?  Ars has a great writeup here, and the official feature list can be found here: http://fedoraproject.org/wiki/Releases/8/FeatureList.

• New PulseAudio sound daemon (which allows users to set the volume for each application individually, just like Vista
• New Codeina utility that allows users to purchase proprietary codecs
• New PolicyKit authentication system
• New Look/Feel (I much prefer it to Ubuntu)
• Compiz (although it is not enabled by default, and which likely does not work on Virtual PC's anemic emulated video card, although I have not tried it)

Taking a look through the UI, I see that only FireFox and Evolution are in the quicklaunch.  OpenOffice has been relegated to a menu, where even the OpenOffice branding has been removed.  I wonder if there's a story behind that?

In any case, once you get the mouse and video working, Fedora 8 works like a champ and runs great.  It sure would be nice if they did a bit of testing on Virtual PC (as that is a platform that is baked) so that we did not have to diddle around with the video and mouse, but unfortunately that is a bar that only Novell/Suse seems to be able to hit.  All in all, great distro!

A picture is worth a thousand words...

"An unrecoverable processor error has been encountered.  The virtual machine will reset now."

It looks like Ubuntu isn't the only one with this problem... Fedora 9 releases tomorrow and according to this post, it has the same error in Virtual PC.  Whatever happened to Linus' Law? (given enough eyeballs, all bugs are shallow).  I guess enough eyeballs writing kernel code are not doing so on Virtual PC.  ;)

Fortunately, the fix is covered in the comments (and summarized by Robert) from Arcane Code's excellent article, aptly named Installing Ubuntu 8.04 under Microsoft Virtual PC 2007.

Using guidance from a number of participants on this blog I’ve successfully managed to install Ubuntu 8.04 on two separate PC’s running VPC 2007 and I have it running at 1152 X 768 @ 55Hz with working sound.

The notes below are nothing original, they are just summarized from previous entries and maybe clarified.

To get the CD to load,
Press F4 to select an alternate starting mode. When it pops up, change to Safe graphics mode and press Enter.
Select F6 and add “noreplace-paravirt” to the end of the command line and press Enter.
Now pick “Try Ubuntu…” (should already be selected) and press enter. Do NOT pick the Install Ubuntu option,

Once Ubuntu is loaded from CD, select install from the desktop and it’ll build the system on the VPC disk.
After you press restart, it just kind of hangs there. I shut the VPC session down and told it to save state, then started it again and it booted fine.

Once it gets to GRUB, interupt the boot and add the “noreplace-paravirt” to the kernel boot line.

1. Press “esc” while grub is visible.
2. You should now see 3 entries to select from. Leave the first one “Ubuntu 8.04, kernel 2.6.24-16-generic” selected and press “e”.
3. On the next page, select the second entry that reads “kernel /boot/vmlinuz…” and press “e” again.
4. You will see a command line that ends with “xforcevesa”. Hit “space” and add “noreplace-paravirt” (without the quotes) to that line and press “enter”.
5. You are now back at the previous selection screen with the entry “kernel /boot/vmlinuz…” still selected. Now press “b” and it should boot correctly.

Once Ubuntu has loaded, open a terminal window (Applications. Accessories, Terminal) and on the command line enter “sudu nano /boot/grub/menu.lst”
Enter your password and page down to near the bottom and locate the “kernel /boot/vmlinuz… in the “Ubuntu 8.04, kernel 2.6.24-16-generic” section

Move the cursor to the end of the line after xforcevesa and add “noreplace-paravirt” (no quotes)
Ctrl + O to write out, enter to accept the name, Ctrl + X to close

While you’re editing, you might as well fix the sound while you’re at it.

sudo nano /etc/rc.local

At the end of the # lines, but before “exit 0″, type on a new line (again without quotes) “modprobe snd-sb16″
Ctrl + O to write out, enter to accept the name, Ctrl + X to close.

Reboot Ubuntu. The reboot should be clean, and the sound icon should come up without an error indication.

Screen size is a little tricky. Go to http://arcanecode.wordpress.com/2008/04/07/installing-ubuntu-804-beta-under-virtual-pc-2007

Find the entry from pb dated April 27 and cut the xorg.conf file from this entry and past it into the Ubuntu text editor. (Applications, Accessories, Text Editor). Save the file as xorg.conf in your user folder.

Open a terminal window.

Backup the old version of xorg.conf
sudo cp /etc/X11/xorg.conf /etc/X11/xorg.conf.backup

Copy the new one you created to the same location
sudo cp xorg.conf /etc/X11/xorg.conf

Reboot.

When Ubuntu reboots, your get a black screen with a X in the middle, then you’ll get a dialog message to saying “Ubuntu is running in low graphics mode, screen and graphics card coud not be detected”.

Take the option to configure graphics mode.
In the drop down where it says plug & play, select “Monitor 1280 X 1024″.
Select 1280 X 1024 @ 60Hz as your resolution.
Select Test
You should get a larger ‘gray’ window with option to keep the confguration. Select the option to keep it.

Ubuntu will start as normal and will be exactly the same size as before. Before you reboot, take alook at /etc/X11/xorg.conf …. it’s not the one you just created. Creating the new one appears to force Ubuntu to create a new one with more options.

Reboot again and you shold have a Ubuntu session runing at 1152 X 768 @ 55Hz.

Last couple of things…. in System, Preferences, Sound, set the playback options to ALSA. It’s pretty crappy but works better than OSS and certainly better than Auto detect which generates a stream error when you try to play MP3’s or movies.

Whew!  That's a lot of text.  I'll leave you with the new Ubuntu desktop background, which is pretty cool in a orange-brown-must-be-the-new-black kind of way.

In my previous post, I mentioned that TechNet Magazine has their past issues available in HTML Help format (.chm) here.  If you navigate to that page (with a fully patched Vista or Windows XP box) and open one of the referenced files from directly within IE, you will get something that looks a bit like the following: "The address is not valid".

The reason for this problem is addressed in the following KB article: You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1

SYMPTOMS

After you install security update 896358 or Microsoft Windows Server 2003 Service Pack 1 (SP1), you may experience one or both of the following symptoms after you click a link to an HTML Help .chm file in Internet Explorer:

• Topics in the .chm file cannot be viewed when you click Open instead of Save in the File Download dialog box.
• Topics in the .chm file cannot be viewed when you click Save in the File Download dialog box, and you then try to open the file.

CAUSE

Security update 896358 and Windows Server 2003 SP1 include changes to the InfoTech protocol that block the ability to view remote content. These changes were introduced to reduce security vulnerabilities in HTML Help. After you install 896358 or Windows Server 2003 SP1, files in the Temporary Internet Files folder are treated as content from the Internet zone. Therefore, files may be blocked when you click Open in the File Download dialog box. Additionally, after you install 896358 or Windows Server 2003 SP1, Attachment Manager may treat a downloaded .chm file as an untrusted file. Therefore, you may not be able to open the file. These effects are expected and intended effects of installing the security update and of installing Windows Server 2003 SP1.

RESOLUTION

Warning If you are prompted to open or to save a .chm file from a Web site, you should do so only if you need the file and if you trust the Web site that is providing the file.

In the File Download dialog box, click Save, and then choose where you want to save the .chm file. Then, use one of the following methods:

Method 1

1. Double-click the .chm file.
2. In the Open File-Security Warning dialog box, click to clear the Always ask before opening this file check box.
3. Click Open.

Method 2

1. Right-click the CHM file, and then click Properties.
2. Click Unblock.
3. Double-click the .chm file to open the file.

*Note: This problem (and resolution) is also covered in Chris Crowe's Blog.

Are you one of those geeks that likes checking out the capabilities of your router?  Do you run the various Internet Speed Tests available just for fun?  If so, head over to the new Microsoft Internet Connectivity Evaluation Tool.  You will only be able to run the test on a computer with Windows XP or Windows Vista (it uses an ActiveX Control).

Tests include:

Network Address Translator Type

One primary function of most home Internet routers is Network Address Translation (NAT). Routers providing NAT support assign private IP addresses on the local network. NAT maps these private addresses on the inside network to a public IP address on the outside network so that computers behind the Internet router can communicate with the rest of the Internet. Since Network Address Translators can work in different ways, this test uses Microsoft servers to identify your router's NAT type. Some protocols work better through routers that act as cone-type NATs than routers that act as symmetric-type NATs.

Traffic Congestion Test

Internet routers sometimes lose information that is being transferred across the Internet when they experience congestion (full router queues). This loss of information is known as packet loss. Internet protocols like the Transport Control Protocol (TCP) can use packet loss as a congestion indicator. Explicit Congestion Notification (ECN) is a mechanism that provides routers with an alternate method of communicating network congestion. This notification effectively reduces TCP retransmissions and increases throughput. This test attempts to download a short Web document, first with ECN enabled and then again with ECN disabled. If both downloads succeed, the test passes, which indicates that your Internet router successfully allows packets through with ECN options set.

TCP High Performance Test

Window scaling is a Transport Control Protocol (TCP) option introduced for addressing performance problems. Some Internet routers cause TCP data transfers that use window scaling to fail, particularly when there's a mismatch between the scales chosen by two computers transferring the data. This test downloads a series of Web documents of increasing length until either an incomplete download is encountered or all downloads succeed. Success indicates that your router allows Windows Vista to negotiate the best data transfer rate and help improve download speeds.

UPnP Support Test

Many applications need to open ports (allow incoming traffic) through an Internet router, particularly when both communicating endpoints are behind different NATs. Modern routers allow hosts to create such open ports using Universal Plug and Play (UPnP). This test ensures that the router has UPnP enabled, can support a reasonable number of open ports, and can maintain these settings.

Multiple Simultaneous Connection States Test

This test creates 80 concurrent TCP connections to external Web servers and keeps them alive over the period of two minutes by attempting continuous data download using HTTP. Passing this test indicates that your router robustly supports multiple computers or programs accessing the Internet simultaneously.

If you have ever wanted to obtain the Visio Stencils used by the Microsoft User Assistance teams in all of our TechNet documentation… look no further, as they are available for free download.

• Visio stencils for IT Pro posters
• Microsoft Office Visio Stencil Containing Shapes for Microsoft Exchange Server 2007
• Office Communications Server 2007 and 2007 R2 Visio Stencils

• Software and Database Shapes for Microsoft Visio

• Geographic Map Shapes for Microsoft Visio

Nearly 10 years ago, I went to Marine Corps Boot Camp at MCRD San Diego.  Those were good times...

A few weeks ago, I went back to Boot Camp, this time loading up Windows Vista  on my new MacBook Pro.  The process by-and-large is quite simple, and is documented in many places on the intarwebs.

I did run into two interesting problems, and thought I would share them with you.

1st... The oldest Windows OS that you can install on Boot Camp is Windows XP SP2.  Soon after Boot Camp was released a year ago, I tried loading up Windows XP RTM (and later SP1) on my wife's MacBook (ignoring the "unsupported" notices throughout the documentation).  I figured that once I hit the desktop, I could update to SP2, and all would be fine in the land of Sean.  I was wrong.  I can tell you with MUCH certainty that Windows XP RTM and SP1 DO NOT WORK with Boot Camp.  I had blue screens, hangs, lockups...  It just doesn't work.  Once I tried a slipstreamed XP SP2 CD, everything worked flawlessly.

The easiest way I have found to create an installation CD for Windows with SP2 is via NLite.  You can even make a CD that integrates your product key, hotfixes, and the works.  (NOT a Microsoft utility BTW, so use common sense, your mileage may vary... it may eat all the cookies in your house, kick your dog, or erase your term paper on the last day of school for all I know).  It worked fine for me :)

But... back to my new computer and Windows Vista.

When I went to partition my hard drive to add an NTFS partition (using the Boot Camp Assistant), I got a strange error message:

The disk cannot be partitioned because some files cannot be moved.

Back up the disk and use Disk Utility to format it as a single Mac OS Extended (Journaled) volume.  Restore your information to the disk and try using Boot Camp Assistant again.

?!?!?!  I tried rebooting and re-running the Boot Camp Assistant, but ran into the same problem.  At this point, the tool is attempting to move all my files to the beginning of my disk so that it can create the new Windows partition.  For some reason, some files could not be moved.  Apple could theoretically allow me to create a bootable DVD that could do the file move(s) while booting to external media.  Unfortunately, rebooting did not solve the problem, and Boot Camp is not currently integrated into Apple's Disk Utility on the installation media.

I was not about to do a backup of my hard-drive and re-install OS X, so I went searching for the solution.  Found it here.  It turns out that if you have some large files on your hard drive (I had several multi-gigabyte movie files and some DV video of the kiddoes), Boot Camp will time out (then error out) while moving the files.

How best to find these ginormous files? (Hey... it's officially a word in the dictionary ;)  On the Windows side, WinDirStat is a great (free) utility that shows you graphically what is on your hard drive.  It works really well for finding the large files.  There is a Mac version of this utility (Disk Inventory X), and I was able to quickly find those large files and move them. 

Move them where?  Windows Home Server works GREAT.  OS X can connect to the shares on WHS with NO tweaks needed at all.  I'll cover the ins-and outs in an upcoming post.

Once I moved the large files off my laptop hard drive (probably not the best place to keep them in the first place), the Boot Camp assistant was able to successfully repartition my hard drive, and Vista installed like a charm.  The Windows key maps to the Apple/Command key, performance is snappy, and I am able to use the best applications on both platforms (iLife on OS X, and Office 2007 & Windows Live Writer on Windows Vista).

I am in the process of installing SQL Server 2005 on a new Windows 2008 Server, and ran into the following warning about missing some required components of IIS:

- IIS Feature Requirement (Warning)
Messages
IIS Feature Requirement
Microsoft Internet Information Services (IIS) is either not installed or is disabled. IIS is required by some SQL Server features.  Without IIS, some SQL Server features will not be available for installation. To install all SQL Server features, install IIS from Add or Remove Programs in Control Panel or enable the IIS service through the Control Panel if it is already installed, and then run SQL Server Setup again. For a list of features that depend on IIS, see Features Supported by Editions of SQL Server in Books Online.

Fortunately, I was able to find the solution here: http://support.microsoft.com/kb/920201

The solution is simply to enable the following role services of IIS 7 (right click on Web Server (IIS) in Server Manager, and choose Add Role Services).  Then add the role services from the following table:

 The Windows media team has been hard at work on an updated plugin for FireFox that will enable you to watch Windows Media files within FireFox, which has now been released through Port 25 (the team at Microsoft that works on interoperability with Linux, FireFox, and the like).

Now when you go to a website with an embedded .wmv file, FireFox should automatically prompt you to install the missing plugin.  That didn't work for me (install failed), so I had to install manually, but now everything is working like a champ.

The plug-in is designed to support the following Windows platforms:

• Windows XP SP2 (x86)
• Windows XP SP2 (x64)
• Windows Vista (x86)
• Windows Vista (x64)

If you're using Mac OS X, we have had a plugin available for quite a while (thanks to the development efforts of Flip4Mac) here: http://www.microsoft.com/windows/windowsmedia/player/wmcomponents.mspx

Eric Anderson (the PM in charge of this project) has some more information up on his blog about the changes, saying:

In a nutshell, here’s what we did with the new one:

• New robust design that addresses all of the known issues with the old plug-in
• WMP will now work in Firefox in Windows Vista
• Support for the WMP OCX scripting interfaces

Download the FireFox Plugin Now!

Why is this important?  Let me walk you through an applied example.  Out of the box on SharePoint 2007, Blogs allow for only a single category.  This, of course, sucks.  If I write a post about installing SharePoint 2010 on Windows 7, I would like to categorize it as “SharePoint 2010” and “Windows 7”.  The workaround is simple and documented (in a video no less) by Lawrence Liu (who has since moved on to Telligent) here: Configuring SharePoint to allow multiple categories per blog post.

This works great, but let’s say that the Sales, Legal, and Marketing teams at Contoso have all established blogs (with multiple categories) on their own web sites, and we would now like to aggregate some of their posts (any posts with a category of Foo) on the front page of our Intranet portal.  To do so, we add a Content Query Web Part to the front page, set the scope to our site collection, and filter to show items when Category is equal to Foo.

While this works fine with blogs that only allow a single category, here’s what we get if the Marketing blog has a category of “Foo” and “Bar”.

Frustrating.  Waldek Mastykarz (a SharePoint Server MVP out of the Netherlands) has some workarounds to this problem that include custom multi lookup fields or custom XSLT functions.

Enter… SharePoint 2010.  First of all, right out of the box you can add multiple categories to a post.  The UI below is what you get when creating a post through the web interface, but I still prefer using Windows Live Writer.

What does this do to content queries? Let’s add a content query web part to our front page.

As with 2007, set our source scope to the site collection, with a list type of “Posts”.

We’ll filter to only show blog posts where the category is equal to foo (as before), and we’ll also filter out those “Welcome to your Blog!” posts that nobody remembers to delete.

Voila!  The content query (which is being run against a multi-value lookup field) successfully completes.  Sweet!

* Disclaimer: SharePoint 2010 is in beta.  I’m not on the product team, and for all I know this capability may or may not make it to RTM. This functionality qualifies for Jeff Atwood’s “works on my machine” certification.

*Update: I spoke with a Dev on the SharePoint team, and this will only work in narrow circumstances.  The CQWP in SharePoint 2010 will support querying multi-value lookup fields against a single list, or single-value fields in multiple lists, but not both at the same time.  It appears that the Category field used by blogs may be an exception to this rule.

Today’s entry in the “Sean’s simple question about why a KB article had not been updated leads to a lot of research and learning” post is courtesy of managed accounts and password changes with SharePoint 2010.

History

With SharePoint 2007, instructions on changing service accounts and passwords could be found in the appropriately named KB article:

How to change service accounts and service account passwords in SharePoint Server 2007 and in Windows SharePoint Services 3.0

The steps in the KB article would walk you through the individual STSADM commands that were necessary to update the password for the following accounts on every server in the SharePoint Farm:

• Farm account
• Application pool account(s)
• Windows SharePoint Services Help Search Service
• Content access account (used by the Windows SharePoint Services Help Search Service)
• Shared Services Provider (SSP) account(s)
• Office SharePoint Server Search service

Other accounts had to be changed from within Central Administration:

• Microsoft single sign-on password
• Default Content Access account used by the Office SharePoint Server Search service
• Content Access accounts used by crawl rules

The KB article included a sample script that could be used to automate password changes; combining the given stsadm commands into a batch script that accepted a username and password as input parameters. The script assumed that all services on the farm were running with the same domain account, which may be a standard configuration for a standalone development server, but is not realistic in a production SharePoint Farm. As there was no centralized management and deployment of passwords across a SharePoint 2007, the password updates for service accounts had to be entered on every server in the SharePoint farm.

Imagine a scenario where a SharePoint Administrator is asked to improve security and ensure application isolation so that all web applications and services running on the farm machines are using different domain accounts (for a total of 10 accounts, used across 5 separate servers in the SharePoint farm). In this scenario with SharePoint 2007, password changes required the SharePoint Administrator to:

• Reset the password for each service account in Active Directory
• Store the passwords for each service account (ideally long, random, secure passwords) in an accessible but secure location
• Manually update the password for each service account on each server.

In this scenario, with 10 accounts to be updated on 5 servers, there are 50 passwords that need to be updated with STSADM or through Central Administration. This required a significant amount of manual work, and was prone to human error in entering the STSADM commands required. As a result, it was tempting for SharePoint administrators to check the “password does not expire” box for the service accounts in Active Directory (which is a bad idea from a security perspective), or to use a single Active Directory account for all services running on the SharePoint farm. Neither option is a good idea from a security or isolation perspective.

A Better Way

There is not a SharePoint 2010 equivalent to the “How to change service accounts and service account passwords in SharePoint Server 2007 and in Windows SharePoint Services 3.0” article, due to some significant improvements that have been introduced to allow service accounts and passwords to be easily managed in SharePoint farms of all sizes. In short, assuming all SharePoint service accounts for a SharePoint 2010 farm are using a single account, the entire script from the KB article could be replicated with the following Windows PowerShell command:

Set-SPManagedAccount –Identity domain\user –NewPassword “password”.

Benefits of Managed Accounts

• Managed accounts (mapped to one or many services as above) can have their passwords updated from a single location, and have the changes rolled out to all servers in the farm that use that managed account
• Password changes can be scheduled to automatically take place, either according to a schedule, or based on the password expiry policy set in Active Directory.
• SharePoint can generate very long, cryptographically random passwords for all accounts

Note: Windows Server 2008 R2 includes managed accounts at the operating system level. Do not use Windows Server 2008 R2 managed accounts for managing SharePoint accounts. They are not compatible with SharePoint Server managed accounts. Although the concept is similar, SharePoint has no way of knowing when a password has been changed for an account managed by Windows Server 2008 R2, and will not roll the password change to all servers in the farm.

Using Managed Accounts

Managed Accounts on SharePoint 2010 can be mapped to one, many, or all of the following on SharePoint 2010:

• Farm Account
• Windows Services used by SharePoint
• Web Applications
• Service Application Pools

The following screenshot shows an example of accounts that would be mapped to managed accounts on a typical SharePoint 2010 farm.

Passwords for the following cannot be mapped to managed accounts, and must be manually changed when necessary:

• SQL Server services (which should be changed from within SQL Server Configuration Manager. Read more in the following MSDN article: SQL Server Configuration Manager)
• The default content access account, or any content access accounts used with SharePoint Search crawl rules
• Credentials that are used to access external data sources and are stored in the Secure Store service application. (See Configure the Secure Store Service (SharePoint Server 2010) for more information about how to change credentials to access external data sources.)

Configuring New Managed Accounts

The steps to configure managed accounts and automatic password changes can be found in the TechNet article: Configure automatic password change (SharePoint Server 2010):

To configure managed account settings by using Central Administration

1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

2. On the Central Administration Web site, select Security.

3. Under General Security, click Configure managed accounts.

4. On the Managed Accounts page, click Register Managed Account.

5. In the Account Registration section of the Register Managed Account page, enter the service account credentials.

6. In the Automatic Password Change section, select the Enable automatic password change check box to allow SharePoint Server 2010 to manage the password for the selected account. Next, enter a numeric value that indicates the number of days prior to password expiration that the automatic password change process will be initiated.

7. In the Automatic Password Change section, select the Start notifying by e-mail check box, and then enter a numeric value that indicates the number of days prior to the initiation of the automatic password change process that an e-mail notification will be sent. You can then configure a weekly or monthly e-mail notification schedule.

8. Click OK.

Mapping Managed Accounts to Service Accounts

1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

2. On the Central Administration home page, click Security, and then in the General Security section, click Configure service accounts.

3. On the Service Accounts page, in the Credential Management section, in the upper drop-down list, click the service for which you want to update credentials.

4. In the Select an account for this component list, click the domain account that you want to associate with this service.

5. If you want to register the account that you selected on the SharePoint Server 2010 farm, click Register Managed Account.

6. Click OK.

Credential Management

Once managed accounts have been registered and mapped to services, there are four ways to update the password. Automatic Password Change was discussed in the Configuring New Managed Accounts section above, and now we will discuss:

• Generating a new (long and cryptographically random) password
• Setting the account password to a new value
• Updating the account password in SharePoint if it has been changed elsewhere (such as directly in Active Directory)

To configure managed account settings by using Central Administration

1) Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

2) On the Central Administration Web site, select Security.

3) Under General Security, click Configure managed accounts.

4) Click the Edit button next to the account that you want to change.

In the Credential Management section of the resulting page, there are 3 options:

If the Change password now checkbox is checked, then additional controls in the section are enabled which can be used to select of one of three password change mechanisms outlined below:

Generate new password

If the administrator wants the password changed to an automatically generated password, the “generate new password” option will immediately initiate the password creation and roll process upon page submit.

Set account password to new value

If the administrator wants to manually change the service password to a specific value, selecting the “set account password to new value” option and then entering the password will immediately initiate the password change process using the specified service account password upon page submit.

Use existing password

If the administrator has already manually changed the service password, selecting the “use existing password” option and then entering the password will immediately initiate the password roll process using the specified service account password upon page submit.

Common Error

Many organizations have the “Minimum password age” password policy set to a value greater than 1.

As discussed in the TechNet Article Enforcing Strong Password Usage Throughout Your Organization

Minimum password age determines how many days a user must keep new passwords before they can change them. This setting is designed to work with the Enforce password history setting so that users cannot quickly reset their passwords the required number of times and then change back to their old passwords. The value of this setting can be between 0 and 999; if it is set to 0, users can immediately change new passwords. The Microsoft recommendation for this value is 2 days.

If a password already been changed in Active Directory, updating the managed account value under “Set account password to new value” section will often trigger the following error. This is due to the fact that SharePoint is attempting to update a password that has already been updated within the “Minimum password age” policy.

Error: The password does not meet the password policy requirements.  Check the minimum password length, password complexity and password history requirements.

The solution to this problem is enter the updated password in the “Use existing password” section of Credential Management.

Account Information

Directly underneath the Automatic Password Management section of the Managed Account page is Account Information. The account information section displays information about the last and next password change and the list of farm components currently mapped to this managed account.

Removing Managed Accounts

The managed account can be removed only if no items are set to use the account within the farm. When an administrator chooses to remove a managed account, they will be presented with the Remove Managed Account page. The administrator has the option of changing the password before removing the account in order set it to a known value. This page does not actually delete an account in active directory or on the local machine, but it instead only allows an existing account to be removed from registration in the SharePoint farm.

If you attempt to remove a managed account that is still mapped to a SharePoint component, you will receive an error like the following. In order to remove the managed account, you must unmap the managed account from any associated services.

Managing Managed Accounts with Windows PowerShell

<note:  The samples below are courtesy of my non-developer brain.  While they work fine for me, they may eat all the cookies in your house,  erase your SharePoint farm, or date your girlfriend behind your back.  They probably need to be modified to work in your environment, and appropriate caution should be exercised before copying and pasting code from any website, especially anything written by me.  The scripts below and require you to manually enter the domain\user of the managed account. If there is someone that knows Powershell better than me, it would be nice to have the script to run get-SPManagedAccount, pipe the results to a screen allowing you to choose the account, rather than having to manually type it in, and then loop at the end to ask if there are any more accounts you would like to change the password for.  If you figure out how to do that, please post the solution in the comments!>

Managed Accounts can be created, removed, and updated with Windows PowerShell, using the following cmdlets. I have provided some samples of managed account credential management, which can be tweaked to fit your situation. The TechNet reference for the Windows PowerShell cmdlets are available at the following links:

• New-SPManagedAccount
• Get-SPManagedAccount
• Set-SPManagedAccount
• Remove-SPManagedAccount

Note: the sample scripts below must be run from the SharePoint 2010 Management Shell (which adds the SharePoint cmdlets to Windows PowerShell). From your Start menu select “SharePoint 2010 Management Shell” or Start, “Microsoft SharePoint 2010 Products”, “SharePoint 2010 Management Shell”.

If running Windows PowerShell natively, the following lines should be added to the beginning of the script:

$ver = $host | select version

if ($ver.Version.Major -gt 1) {$Host.Runspace.ThreadOptions = "ReuseThread"}

Add-PsSnapin Microsoft.SharePoint.PowerShell

Set-location $home

Set a new password for Managed Account

#Input the Managed Account 

#If there is only one managed account, the following line could be written as: 

#$inputManagedAcct = Get-SPManagedAccount

$inputManagedAcct = Read-Host "Enter managed account as Domain\User"

#Input the desired new password

$inputPasswd = Read-Host "Enter new password for managed account" –AsSecureString

#Change the password for the managed account to the new value

Set-SPManagedAccount -Identity $inputManagedAcct -NewPassword $inputPasswd

Set-SPManagedAccount –Identity domain\user -AutoGeneratePassword $true

Update the password for a Managed Account that has already been reset through Active Directory

If the password for a managed service account has been manually changed outside of SharePoint (such as directly in Active Directory), you can update the password to the new value in SharePoint 2010 as follows

#Input the Managed Account 

#If there is only one managed account, the following line could be written as: 

#$inputManagedAcct = Get-SPManagedAccount

$inputManagedAcct = Read-Host "Enter managed account as Domain\User:"

#Input the Managed Account

$inputPasswd = Read-Host "Enter password from Active Directory for managed account:" –AsSecureString

#Change the password in SharePoint for the managed account to the new value

Set-SPManagedAccount -Identity $inputManagedAcct -ExistingPassword $inputPasswd –UseExistingPassword $true

Command-line confusion

This is the command-line equivalent to the password policy error shown in the Graphical User Interface (GUI) above. Specifically, the error occurs when choosing between the –NewPassword and –ExistingPassword options for the Set-SPManagedAccount PowerShell cmdlet, if a password has already been changed in Active Directory.

The resulting error message is:

Set-SPManagedAccount : The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

If the password has already been reset in Active Directory and just needs to be updated in SharePoint, use the –ExistingPassword parameter. If the password needs to be changed in both SharePoint and Active Directory, use the –NewPassword parameter.

References and More Reading

• How to change service accounts and service account passwords in SharePoint Server 2007 and in Windows SharePoint Services 3.0
• Plan for administrative and service accounts (Office SharePoint Server)
• Administrative and service accounts required for initial deployment (SharePoint Server 2010)
• Windows PowerShell cmdlet reference: Get-SPManagedAccount
• Windows PowerShell cmdlet reference: Set-SPManagedAccount
• Stsadm to Windows PowerShell mapping (SharePoint Server 2010)
• Plan automatic password change (SharePoint Server 2010)
• Configure automatic password change (SharePoint Server 2010)
• Change passwords used for administration accounts (SharePoint Server 2010)
• Change passwords for SQL Server services (SharePoint Server 2010)
• Change the password for the default content access account (SharePoint Server 2010)
• Managed Accounts in SharePoint 2010 (Bill Baer TechNet Blog)

I ended up having to do quite a bit of cleanup on the profiles associated with a team SharePoint server, and learned a bit in the process that doesn’t seem to be on the Internet in one place, so I thought I’d share.

Note: I will touch on several related areas in this post, so I apologize if I jump all over the place.  All buckled in?  Let’s go!

Ideally, in SharePoint, you have profiles (and maybe My Sites) for users that actually use the site (or that you want to search).  For the most part, you do not want profiles of users that are disabled in Active Directory, users who have left the company, etc.

Most of the work that y0u do with profiles as an Administrator is within the SSP, under “User Profiles and My Sites”.

By default, when setting up Profile Import, SharePoint imports all users from your current domain.  This is fine as a default, but you may end up pulling profiles that are not needed and/or wanted in two cases (off the top of my head):

1) You have a bunch of user/service accounts that are disabled in Active Directory.

2) You only want accounts from a particular group or OU to be imported into your SharePoint profiles.

In either of these cases, you will have to customize the LDAP query that SharePoint does on the backend to pull users out of AD. By default, the query searches for (&(objectCategory=Person)(objectClass=User)).  In other words “Pull all users”. 

SharePoint does not distinguish whether they are active or not.  KB 827754 gives us the modified query we need to use if only pulling active users:

(&(objectCategory=person)(objectClass=user)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))

If you want to import users just from a particular group or OU, the query will look something like:

(&(objectCategory=Person)(objectClass=User)(memberOf=[distinguished name of the group]))

Wayne Hall’s post here is the definitive source on how to find the Distinguished Name of the group you are looking for, and how to write the query.  If you want to go completely buck-wild, you can read all about LDAP Search Query Syntax on MSDN.

All right.  Now if you ran the full profile import before modifying the query, and have a bunch of disabled users in AD, or imported all AD users instead of a specific group, those extra profiles now exist in SharePoint where they are not doing a lot of good.

How can you delete them?

The answer is that you have to do a Full (not incremental) profile import.  This does not delete the users, but marks them as “Profiles Missing from Import”.  On the “User Profiles and Properties” page of the SSP, click on “View User Profiles”

From here, there is a drop down box that lets you choose between “Active Profiles” and “Profiles Missing from Import”

Don’t laugh at the difference between my Total number of user profiles and Number of active user profiles in the picture below.  Long story, no happy ending ;)

In any case, if you select “Profiles Missing from Import”, it will show all profiles that exist in SharePoint that did NOT get pulled/updated from AD in your last full crawl.  This could be because someone left the company, or because your modified query now pulls less people.  In any case, once you verify that that user no longer exists (or shouldn’t have a profile on the server), check the box next to their profile/account name and hit delete.  You can also wait for SharePoint to run three full (not incremental) imports, after which it will delete the profiles on its own. *Update: Although this is how it worked in SPS 2003, it is not how it works in MOSS 2007.  It is actually the “My Site Cleanup Job” that does the dirty work.  Gyorgy covers how this works here: http://blogs.msdn.com/b/gyorgyh/archive/2009/11/13/how-it-works-moss-2007-automatic-user-profile-removal.aspx

A few other considerations to be aware of…  If the user is no longer with the company, but somebody explicitly assigned them permissions to a site, list, or library… they will continue to have permissions if they ever come back (This is an issue at Microsoft as vendors may do work for one team and then come back some months later to do work for another team using the same AD account).  Removing explicit permissions is a manual process (and is the reason why explicit user permissions should be the exception and not the rule).  Use (and do not break) permission inheritance where ever possible.  I usually put Active Directory groups within SharePoint groups, and assign SharePoint permissions to SharePoint groups.  That way, if any given person joins or leaves the company, I assign/remove them from the appropriate AD group and their permissions accordingly come or go in SharePoint.

The other consideration is My Sites.  How do you delete My Sites that belong to people that left the company?  Once SharePoint no longer has a profile for a user with a My Site (see above), it will (by default) send an e-mail to that user’s Manager (assuming their profile has a manager listed) saying:

The My Site of Joe Blow is scheduled for deletion. As their manager you are now the temporary owner of their site. This temporary ownership gives you access to the site to copy any business-related information you might need. To access the site use this URL:  http://servername/mysite/personal/joeblow

The manager is then added as the secondary site collection administrator for the user’s My Site, and any important documents can be copied off before the My Site is deleted.  The wording of the e-mail itself is hardcoded and the wording cannot be changed.  As well, this My Site cleanup is NOT part of or related to the “Site Use confirmation and deletion” feature of SharePoint.  It takes place as part of the “My Site Cleanup Job” which runs hourly (you can find it under Central Administration –> Operations –> Timer Job Definitions).  There were some problems with this job in RTM, but they were fixed in SP1 (in case you are still running RTM and old My Sites are still hanging around). (update to the paragraph above… commenter Chris reminded me that I was not quite right about the My Site deletion.  While the e-mail itself is not related to the “Site Use confirmation and deletion” feature, sites are not actually deleted unless that feature is turned on.  The e-mail to the manager is telling a fib.  If the “Site Use confirmation and deletion” feature is enabled, the site is deleted due to the fact that the user never confirms the e-mail checking to see if they are still using the site; not due to the My Site Cleanup Job itself.  I also came across another great resource on My Sites and disabled/deleted users from Phil Wicklund that is well worth reading: http://philwicklund.com/whitepapers/Documents/My%20Site%20Concerning%20Scenarios%20Study%20and%20Strategy.pdf)

I hope the information above helps someone if they ever end up trying to figure out how to clear out 75,000 profiles from a SharePoint server that is only used by a few hundred people :) (yes, I think I am the very definition of an edge case)

-Sean

 I see that we released the Microsoft Active Directory Topology Diagrammer today.  I'm working from home today, so I can't run it in AD and attach a screenshot, but this should be helpful for documenting your AD infrastructure.  According to the product description:

The Microsoft Active Directory Topology Diagrammer reads an Active Directory configuration using ActiveX Data Objects (ADO), and then automatically generates a Visio diagram of your Active Directory and /or your Exchange 200x Server topology. The diagramms include domains, sites, servers, administrative groups, routing groups and connectors and can be changed manually in Visio if needed.

With the Active Directory Topology Diagrammer tool, you can read your Active Directory structure through Microsoft ActiveX® Data Objects (ADO). The Active Directory Topology Diagrammer tool automates Microft Office Visio to draw a diagram of the Active Directory Domain topology, your Active Directory Site topology, your OU structure or your current Exchange 200X Server Organization. With the Active Directory Topology Diagrammer tool, you can also draw partial Information from your Active Directory, like only one Domain or one site. The objects are linked together, and arranged in a reasonable layout that you can later interactively work with the objects in Microsoft Office Visio.

This feature used to exist in Visio many years ago, so I'm glad it's available again (even if not built directly into Visio).  Actually, I see that this is version 2.0.2745.  Maybe it previously existed and I just didn't know about it. Hmmm... Try it out and let me know how well it works!

*Update: Björn has posted some screenshots on his blog.

If you want SharePoint to, well, not look like SharePoint… we just released 10 themes that look awesome!

Download them here.

They are packaged as SharePoint Solutions so you don’t have to do the messy work of going to all of your front end web servers and horking around with your C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\THEMES folder. Seriously… install them as solutions. It will save you from breaking something.

The themes are sample code. To use them you need to have:

• Windows SharePoint Services 3.0 SP1 – available here:
  https://www.microsoft.com/downloads/details.aspx?FamilyID=ef93e453-75f1-45df-8c6f-4565e8549c2a&displaylang=en
• Visual Studio 2008
• Visual Studio 2008 extensions for SharePoint – available here:
• V1.2 http://www.microsoft.com/downloads/details.aspx?familyid=7BF65B28-06E2-4E87-9BAD-086E32185E68&displaylang=en
• V1.3 CTP http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=fb9d4b85-da2a-432e-91fb-d505199c49f6

Learn SharePoint Development here:

http://MSSharePointDeveloper.com

Ran into an interesting issue when trying to upload a spreadsheet from Excel 2007 into SharePoint 2007.

To do so, you would normally click on Site Actions --> Create --> Import Spreadsheet.  In the past, I have found this to be the easiest way to create and populate a SharePoint List.  however, when doing so today, I got the following:

Import to Windows SharePoint Services list

Method 'Post' of object 'IOWSPostData' failed.  ?!?!?!

Fortunately, I found the solution over on Travis' blog.

Importing lists from Excel 2007 returns a Method 'Post' of object 'IOWSPostData' failed dialog. Again, not really a problem with WSS 3.0 but rather the result of a failed Application.SharePointVersion() call in the Excel Add-In which results in Excel attempting to use the IOWSPostData.Post() method to publish the Excel range which is used with SharePoint Team Services 1.0. By forcing the version lookup result variable to 2 or greater, Excel will use SOAP to communicate with WSS 3.0 and the publish request will be successful. To make this change, open the Excel Add-In EXPTOOWS.XLA locate in C:\Program Files\Microsoft Office\Office12\1033 by default*. Press Alt+F11 to display the Visual Basic code editor and search (Ctrl+F) for the line lVer = Application.SharePointVersion(URL). Comment out that line with a single quote and add the line lVer=2 so your Intialize() method should now look like this:

Sub Initialize(List, Title, URL, QuickLaunch)
    strQuickLaunch = QuickLaunch
    aTarget(iPublishURL) = URL
    aTarget(iPublishListName) = List
    aTarget(iPublishListDesc) = Title
    'lVer = Application.SharePointVersion(URL)
    lVer = 2
End Sub

If the Application.SharePointVersion(URL) method is successful then lVer for WSS 3.0 will equal 3. Save your changes and try importing your list in to WSS 3.0 again.

*Note: If you are using 64-bit Windows, the XLA file is actually under: C:\Program Files (x86)\Microsoft Office\Office12\1033\. If you are running Windows Vista, you will need to run Excel as administrator in order to save the modified file back.

After doing so, I am now able to import a spreadsheet into a SharePoint list with no problems.  Huzzah!

That having been said, I now see that there is an Excel Add-on that will specifically allow for two-way-synchronization between spreadsheets in Excel and Lists in SharePoint.  In fact, I blogged about it previously (maybe I should ready my own posts!).  After installing the add-in, there is a new "Export Table to SharePoint List" option in Excel:

The resulting table in SharePoint is actually an Access Web Datasheet as opposed to a SharePoint List.  It works great as a datasource (especially with the two-way synchronization), but is plug-ugly for customer-facing lists.

Depending on your needs (whether you need a datasource or a customer-facing list), you may use either of the options above.  Enjoy!

One of the coolest features of Office 2007 is SmartArt.  It makes it incredibly easy to create great looking diagrams to show a process, cycle, hierarchy, or relationship.

During some business planning recently, however, I had the need to actually COMBINE two different diagrams to show a relationship between two related processes.  However, in Word, I found that I could not combine the two.  The "Segmented Cycle" was exactly what I needed on the inside of my chart, and the "Block Cycle" was exactly what I needed on the outside.  However, when I dragged one over the other, they would NOT overlap. Both diagrams would just swap places.

It turns out that this is expected behavior. Each diagram type knows what type of shapes belong there and how the shapes related to each other, so adding other arbitrary shapes or diagrams isn’t possible. 

Fortunately, there are two possible workarounds.  The first is to use PowerPoint, where you can overlap Smart Art all day long, and group/ungroup with no problems. 

The second is to position two Smart Art objects, or a Smart Art object and other shapes, in a way that they appear together on a page (just fine for my needs)which requires both objects to be floating. To make the Smart Art floating, right click it (its border, not an individual shape) and change the Text Wrapping to something other than Inline (e.g., Square or Tight).  Once the images are “floating”, you can size them and position them over each other. 

Just a quick solution in case you ever get the following message when trying to open a SharePoint Document Library in explorer view from Windows Server 2008

Your client does not support opening this list with Windows Explorer.

This is due to the fact that Explorer view uses the WebDav protocol to connect to SharePoint from the client.  As Windows Server is not designed to be a client, the WebDav client is not installed or enabled by default.  

In order to enable the WebDav client (along with other client features such as Windows Media Player and Desktop Themes) on a server (you’re not doing this on a production server, right?), simply enable the Desktop Experience feature.

(thanks to Troy on the SharePoint team for this tip!)

Update: This can also happen if you are using Internet Explorer 6 and the URL to the Document Library is longer than 100 characters (covered in KB 923906), but you're not using IE 6 are you? It's time to upgrade! http://www.microsoft.com/windows/internet-explorer/default.aspx

If you are performing a greenfield or clean install of SharePoint, it is a good idea to install the latest version (which as of today would be Service Pack 2 with the April Cumulative Update).  The latest install media for SharePoint, however, only has SP1 integrated, so today I will show you how to slipstream the latest updates into your install media.

To get started, you will need a copy of the SharePoint 2007 install media, the SP2 installers for both Windows SharePoint Services and Office SharePoint Server, and the latest Cumulative Updates for both WSS and MOSS.  You can download them all here:

• SharePoint Server Install Media (Note… you will be able to use your own product key, so don’t worry about the fact that this is the “Trial Version”.  You will want to download the OfficeServer.exe file and not OfficeServerwithSP1.exe  file, or else you will have the additional step of deleting the SP1 files that were slipstreamed in).
• Windows SharePoint Services 3.0 Service Pack 2 (SP2)
• The 2007 Microsoft Office Servers Service Pack 2 (SP2)
• Windows SharePoint Services 3.0 cumulative update package: April 30, 2009
• SharePoint Server 2007 cumulative update package (MOSS server package): April 30, 2009

Edit: October cumulative updates have been released.  Follow the same steps, but use the two following CU files instead of those released for April:

• SharePoint Server 2007 Cumulative Update Server Hotfix Package (MOSS server-package): October 27, 2009
• Windows SharePoint Services 3.0 Cumulative Update Server Hotfix Package (WSS server-package): October 27, 2009

First, create a folder that will hold the slipstreamed installer.  In my case I’ll call it c:\SP2Slipstream.

Next, extract the install media into that folder as follows:

OfficeServer.exe /extract:c:\SP2Slipstream (there are no spaces after the /extract switch).  You will end up with the folder structure below. 

The Updates folder is where we are going to extract all up the SP2 and Cumulative Update files, and setup.exe will be smart enough to integrate the updates at install time.

Next, extract the four update files as follows:

wssv3sp2-kb953338-x64-fullfile-en-us.exe /extract:c:\sp2slipstream\updates

officeserver2007sp2-kb953334-x64-fullfile-en-us.exe /extract:c:\sp2slipstream\updates

wss-kb968850-fullfile-x64-glb.exe /extract:c:\sp2slipstream\updates

office-kb968851-fullfile-x64-glb.exe /extract:c:\sp2slipstream\updates

When you are done, the Updates folder will be full of msp files. 

One last step before you burn the SP2Slipstream folder to a CD… Delete Wsssetup.dll from the updates folder because it conflicts with Svrsetup.dll. Having both Wsssetup.dll and Svrsetup.dll in the updates folder for a slipstreamed installation source is not supported.

Burn your SP2Slipstream folder to a CD and you are all set to go!

*Update: I had someone ask me if the above steps will work if you are starting out with SP1 Media instead of RTM, and the answer is yes.  I just like using the RTM Media as it starts out with a clean Updates folder instead of being full of SP1 updates that are superseded in SP2.

I had a customer recently ask about the memory limits for various editions of Windows, and thought that I would share the answer with everyone (as it took me a little while to find it). As 64-bit drivers are becoming more common from the OEMs, it is more and more tempting to use 64-bit editions of Windows (I just switched from 32-bit to 64-bit on my work computer, and have not yet run into any incompatibilities) J

http://msdn2.microsoft.com/en-gb/library/aa366778.aspx

I've been playing around with Entourage on my Mac for the last couple of days (in order to access my Email from Exchange while I am out of the office).

It turns out that there is a curious feature missing from Entourage... You can't highlight a word and then insert a hyperlink. (Don't ask me why, I have no idea ;)

There are two workarounds that I got from a tester in the MacBU:

Just type out your hyperlink (e.g. www.apple.com). When you send it, Entourage turns it into a hyperlink.

If you want to link some text to a website (e.g. here) it’s a bit more difficult. There is no “native” Entourage solution to do that. You can still do it however. You need to boot Word, create your email there, then go File | Send To | mail recipient (as HTML). This will create a email using the word doc, and this email can be as complex as you like (tables, multi-level bulleted lists, linked text, etc).

Great writeup by Daniel Petri:

Ever have a performance problem, but don't know what performance counters to collect or how to analyze them? The PAL (Performance Analysis of Logs) tool is a new and powerful tool that reads in a performance monitor counter log (any known format) and analyzes it using complex, but known thresholds (that are provided). The tool comes out-of-the-box with some predefined thresholds defined as high according to the Microsoft consulting/development but those can be adjusted to whatever you like.

The tool generates an HTML based report which graphically charts important performance counters and throws alerts when thresholds are exceeded. The thresholds are originally based on thresholds defined by the Microsoft product teams and members of Microsoft support, but continue to be expanded by this ongoing project. This tool is not a replacement of traditional performance analysis, but it automates the analysis of performance counter logs enough to save you time.

Features

• Thresholds files for most of the major Microsoft products such as IIS, MOSS, SQL Server, BizTalk, Exchange, and Active Directory.
• An easy to use GUI interface which makes creating batch files for the PAL.vbs script.
• A GUI editor for creating or editing your own threshold files.
• Creates an HTML based report for ease of copy/pasting into other applications.
• Analyzes performance counter logs for thresholds using thresholds that change their criteria based on the computer's role or hardware specs.

Read the rest of the article (with screenshots) here: http://www.petri.co.il/analyze-windows-performance-logs.htm

Downloads are available here: http://www.codeplex.com/PAL

PAL Requirements: