• Perform Your Own IT Operational Assessment

    During my time as a Microsoft PFE, I contributed to numerous IT Operational Assessments.  While there are many tasks within an Operational Assessment, I wanted to provide a ‘simple version’ by reviewing past tickets/outages over a specified time period.  Of course, there are other, more formal reviews, such as Microsoft Operations Strategic Review, but this one is simple and anyone can do it. 

    Why should I care? If done properly, the results allow the (management, operations, engineering, etc.) teams to better prepare their staff (ex: training), anticipate problems (ex: identifying underlying issues), and manage operations (ex: improving processes).  As a PFE, I have used this to gain insight around:

    • Which IT service (product/solution) generates the most tickets and consumes the most staff hours to manage
    • How well you align with service level and operating level agreements (SLA & OLA)
    • Whether services are trending better or worse in resiliency and availability
    • Which areas can be improved to reduce time-to-resolution

    I recommend this as a quarterly report with an end-of-year review, but you can do it more/less frequently based on your needs and if you have the data available. 

    Now there are many ways to do such a review and I ALWAYS encourage engaging the experts in this area because they will often find things that you won't. Besides, another set of eyes rarely hurts. But this review is a great do-it-yourself starter kit (so to speak) and can often help you identify easily-resolved items which have a meaningful impact and provide justification to accomplish operational health tasks.  Of course this really only works well if the data that you are using is accurate and available.

    First, let me explain what this will NOT do:

    • Performance analysis of any kind
    • How well any specific application, product, or solution is performing in isolation (I prefer to look holistically)
    • Provide HR-related fodder if you are trying to build a case to hire/fire someone
    • Quantify Service availability numbers (i.e. did you achieve 99.999% availability)

    OK, let's get started...

    STEP 1: DEFINE YOUR REQUIREMENTS

    With any project, you should define your requirements, scope, and definitions to provide those core elements necessary for a comprehensive operational assessment. This may include the following: (see attachments for how I used them)

    • Intent of the document/OAR
    • Data Collection Frequency: Monthly/Quarterly
    • Report Generation Frequency: Quarterly & Yearly
    • Scope of Data Collection: Organization vs. specific Product/Solution
    • Service Management Categories: People, Process, Environment, Technology, Other, Unknown, etc.
    • Severity Levels: 1-Critical/High Impact, 2-Severe/Significant Impact, 3-Moderate/Impact, 4-Nominal/No Impact
    • Service Desk Common Resolution Classifications

    NOTE: These items will vary between each organization, so be sure to document what each means to you.

    STEP 2: DATA COLLECTION

    Typically I recommend collecting the data monthly as it provides a good timeline structure without overwhelming me with data, but each person or environment may have their own preference. Start by collecting all trouble tickets, incidents, change/work requests, unscheduled/scheduled maintenance notifications, etc. generated during the time specified. For each item collected, document the following types of data:

    • Highest Severity Level
    • Current Status (ex: Open-OnHold, Open-Active, Closed-Unresolved, Closed-Resolved, etc.)
    • Impacted Technology (ex: Exchange, Active Directory, SQL Server, etc.)
    • Impacted Services (ex: Messaging, Directory Services, Database Services, etc.)
    • Average time (in hours) to acknowledge/react, resolve, & closure (ex: Ack:1hr, Res:.5hr, CL:1hr)
    • Categorize the item based on solution/root cause
    • Resources Used (ex: 2 Teams / 2 Staff )
    • Scheduled / Expected: Y/N (only applies to approved changes and project implementations)

    NOTE: Again, these will vary within your organization and you might include more/less information. For example, some may include Uptime/Downtime, Perf Metrics, Storage Consumption based on department/office/technology, etc. Just don't get garbage data that might 'fudge' the numbers or get lost in mounds of too much data.

    STEP 3: INPUT DATA AND PERFORM SUBJECTIVE ANALYSIS

    Input the data into the spreadsheet (see attached) and then apply some subjective decisions on the information. For example, the Service Management Category might mean one thing to one person and something else to another. Just try to stay consistent and broad. Try not to get too narrow or restrictive, otherwise you'll have 50-100 different paths to choose from.

    STEP 4: GENERATE A REPORT BASED ON THE DATA

    Consolidate the data into a single spreadsheet and report and provide an analysis of your findings. Attached is a sample report. The key is to not be too subjective, try to keep to the facts. However, when you need to be subjective, try to maintain consistency.

    I hope this helps!  Good luck!

    Da

  • Active Directory Permissions and PowerShell

    So what about Active Directory Permissions on an Object using PowerShell?  There are a number of options and methods to manage Active Directory permissions, but here are some common tasks that I might perform using PowerShell.

    NOTE: This blog uses PowerShell with the Active Directory Module (Import-Module ActiveDirectory)
    To use Get-ACL against directory objects, set the location to the Active Directory drive first ( Set-Location AD: ); otherwise prefix each path with AD:\ in the command.


    FIND IF USER ACCOUNT HAS ANY DENY PERMISSIONS SET
    Using DSACLS:
    Get-ADUser UserName | ForEach { DSACLS $_.DistinguishedName } | Where {$_.Contains("Deny")}

    Using Get-ACL:
    Set-Location AD:
    (Get-Acl (Get-ADUser UserName).DistinguishedName).Access | Where {$_.AccessControlType -eq 'Deny'} | FT IdentityReference, AccessControlType, IsInherited -AutoSize



    FIND ALL USERS WHO HAVE NON-INHERITED DENY RIGHTS ASSIGNED
    Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {($_.AccessControlType -eq 'Deny') -AND ($_.IsInherited -eq $FALSE)}| Select @{N='User';E={$X}}, IdentityReference, AccessControlType, IsInherited}



    FIND ALL USERS WHO HAVE NON-INHERITED DENY WRITEPROPERTY SET
    Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {($_.AccessControlType -eq 'Deny') -AND ($_.IsInherited -eq $FALSE) -AND (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)}| Select @{N='User';E={$X}}, IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited}

    NOTE: ActiveDirectoryRights is a flags value, so test it with -band. Comparing with -eq "WriteProperty" only matches ACEs whose rights are exactly WriteProperty and misses combined entries such as "ReadProperty, WriteProperty" or GenericWrite, which includes the WriteProperty bit.



    FIND ALL USERS WHO HAVE SPECIFIC GROUP/USER LISTED WITH PERMISSIONS
    Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {$_.IdentityReference -eq "DOMAIN\USERNAME"}| Select @{N='User';E={$X}}, IdentityReference, AccessControlType, IsInherited -Unique}



    VIEW NON-INHERITED PERMISSIONS ON A SPECIFIC ORGANIZATIONAL UNIT (OU)
    (Get-ACL "AD:\OU=Users,DC=Contoso,DC=com").Access | Where {$_.IsInherited -eq $FALSE}| Select IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited


     
    VIEW ACCESS RIGHTS ON GROUP OBJECT
    (Get-ACL (Get-ADGroup GroupName)).Access


    RESTRICT GROUPX USERS FROM MODIFYING AN AD ATTRIBUTE ON ALL USERS
    Get-ADUser -Filter * | ForEach { DSACLS $_.DistinguishedName /D 'Contoso\GroupX:WP;employeeID'}

    NOTE: This writes an explicit Deny ACE onto every existing user object, so users created afterwards are not covered and you end up with thousands of per-object entries to maintain. Setting the Deny once on the OU with inheritance ( DSACLS "OU=Users,DC=Contoso,DC=com" /I:S /D 'Contoso\GroupX:WP;employeeID;user' ) covers current and future users. Keep in mind that an explicit Allow on an object still wins over an inherited Deny, so audit for explicit ACEs as well.
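    The following is an added example, not code from the original post. It combines the two things the one-liners above do separately: an audit that lists every non-inherited Deny ACE on user objects together with the attribute it targets (the ObjectType GUID is otherwise opaque), and an OU-level, inheritable equivalent of the dsacls Deny so that users created later are covered too. It assumes the ActiveDirectory module (which creates the AD: drive), and the OU, group and attribute names in the usage lines are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# an AD: drive, and a caller allowed to read and modify the ACLs involved.
Import-Module ActiveDirectory

# Map schemaIDGUID -> lDAPDisplayName once; ACE ObjectType GUIDs are otherwise opaque
function Get-SchemaGuidMap {
    $map = @{}
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    $map
}

# Every explicit (non-inherited) Deny ACE on user objects under $SearchBase
function Get-UserDenyAce {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $guidMap = Get-SchemaGuidMap
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        $user = $_
        (Get-Acl -Path ("AD:\" + $user.DistinguishedName)).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
            ForEach-Object {
                # An empty ObjectType means the ACE applies to all properties/objects
                $attr = if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $guidMap[$_.ObjectType] }
                [pscustomobject]@{
                    User      = $user.SamAccountName
                    Trustee   = $_.IdentityReference.Value
                    Rights    = $_.ActiveDirectoryRights   # flags value; may combine several rights
                    Attribute = $attr
                }
            }
    }
}

# Equivalent of: dsacls "OU=..." /I:S /D "CONTOSO\GroupX:WP;employeeID;user"
function Set-AttributeWriteDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$Trustee,     # e.g. 'CONTOSO\GroupX'
        [Parameter(Mandatory)][string]$Attribute    # e.g. 'employeeID'
    )
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $attrGuid  = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))" -Properties schemaIDGUID).schemaIDGUID
    $userClass = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID).schemaIDGUID
    $sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate([System.Security.Principal.SecurityIdentifier])
    # Deny WriteProperty on one attribute, applied to descendant user objects only
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $path = "AD:\" + $OuDistinguishedName
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($OuDistinguishedName, "Deny $Trustee WriteProperty on $Attribute for user objects")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage (OU, group and attribute names are placeholders); -WhatIf shows the change without applying it
Set-AttributeWriteDeny -OuDistinguishedName 'OU=Users,DC=Contoso,DC=com' -Trustee 'CONTOSO\GroupX' -Attribute 'employeeID' -WhatIf
Get-UserDenyAce -SearchBase 'OU=Users,DC=Contoso,DC=com' | Format-Table -AutoSize
```

    Run the audit after applying the OU-level Deny: explicit ACEs on an object are evaluated before inherited ones, so a stray explicit Allow for the same group on one user would silently override the inherited Deny there.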


    There are many other items that you can do with Active Directory permissions but I thought that I would start with the above items.  If you want something more, try another blog.

    Thanks!

    Da

  • Managing Exchange Public Folder Permissions

    Over the years, there have been requests for finding various permissions on Public Folder objects within Exchange.  I figured that I would share how to do some of these tasks, specific to Exchange 2010 and 2013.

    NOTE: The following commands use the Exchange Management Shell

    Exchange 2010
    List All Top Level Public Folders Default Permissions
    Get-PublicFolder \ -GetChildren | Get-PublicFolderClientPermission | Where {$_.User.IsDefault -eq $True} | FT Identity, User, AccessRights -auto -wrap

    List All Top Level Public Folders Anonymous Permissions
    Get-PublicFolder \ -GetChildren | Get-PublicFolderClientPermission | ?{$_.User.IsAnonymous -eq $True} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where Anonymous is set to Owner
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User.IsAnonymous -eq $True) -AND ($_.AccessRights -eq 'Owner')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where Default is NOT Author
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User.IsDefault -eq $True) -AND ($_.AccessRights -ne 'Author')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where JoeUser is set to Owner
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User -like "*JoeUser*") -AND ($_.AccessRights -eq 'Owner')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Containing Old/Deleted Users with Permissions
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{$_.User -like "*NT User:*"} | FT Identity, User, AccessRights -auto -wrap

    Remove Old/Deleted Users from Public Folders (w/ WhatIf)
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{$_.User -like "*NT User:*"} | ForEach {Remove-PublicFolderClientPermission -Identity $_.Identity -User $_.User -AccessRights $_.AccessRights -WhatIf}

     

    Modify/Add JoeUser to be an Owner of a Folder
    Add-PublicFolderClientPermission -Identity "\MyPublicFolder\Reports" -User JoeUser -AccessRights Owner

    Exchange 2013
    List All Top Level Public Folders Default Permissions
    Get-PublicFolder \ -GetChildren | Get-PublicFolderClientPermission | Where {$_.User.UserType -eq 'Default'} | FT Identity, User, AccessRights -auto -wrap

    List All Top Level Public Folders Anonymous Permissions
    Get-PublicFolder \ -GetChildren | Get-PublicFolderClientPermission | ?{$_.User.UserType -eq 'Anonymous'} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where Anonymous is set to Owner
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ? {($_.User.UserType -eq 'Anonymous') -AND ($_.AccessRights -eq 'Owner')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where Default is NOT Author
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User.UserType -eq 'Default') -AND ($_.AccessRights -ne 'Author')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Where JoeUser is set to Owner
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{($_.User -like "*JoeUser*") -AND ($_.AccessRights -eq 'Owner')} | FT Identity, User, AccessRights -auto -wrap

    List All Public Folders Containing Old/Deleted Users with Permissions
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{$_.User.UserType -like "Unknown"} | FT Identity, User, AccessRights -auto -wrap

    Remove Old/Deleted Users from Public Folders (w/ WhatIf)
    Get-PublicFolder \ -Recurse | Get-PublicFolderClientPermission | ?{$_.User.UserType -like "Unknown"} | ForEach {Remove-PublicFolderClientPermission -Identity $_.Identity -User $_.User -AccessRights $_.AccessRights -WhatIf}


     

    Modify JoeUser to be an Owner of a Folder
    Add-PublicFolderClientPermission -Identity "\MyPublicFolder\Reports" -User JoeUser -AccessRights Owner
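    The following is an added example, not code from the original post. It folds the checks from the one-liners above (Anonymous with rights, Default broader than expected, explicit Owners, orphaned users) into one pass over the tree that works in both the 2010 and 2013 shells, and can optionally remove the orphaned entries. It assumes the Exchange Management Shell; the list of rights treated as acceptable for Default is an assumed policy, not an Exchange default.

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell.
function Get-PublicFolderPermissionFinding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Root = '\',
        [string[]]$DefaultAllowedRights = @('None', 'Reviewer', 'Author'),   # assumed policy
        [switch]$RemoveOrphans
    )
    # Older shells require -AccessRights on Remove-PublicFolderClientPermission and newer
    # ones do not expose it, so pass it only when the parameter exists
    $removeTakesRights = (Get-Command Remove-PublicFolderClientPermission).Parameters.ContainsKey('AccessRights')

    Get-PublicFolder $Root -Recurse | Get-PublicFolderClientPermission | ForEach-Object {
        $perm = $_
        $u = $perm.User
        # 2013: $u.UserType is Default/Anonymous/Internal/External/Unknown
        # 2010: $u.IsDefault / $u.IsAnonymous; deleted accounts show as 'NT User:S-1-5-...'
        $kind = if ($u.PSObject.Properties['UserType']) { [string]$u.UserType }
                elseif ($u.IsDefault)                 { 'Default' }
                elseif ($u.IsAnonymous)               { 'Anonymous' }
                elseif ("$u" -like 'NT User:*')       { 'Unknown' }
                else                                  { 'Internal' }
        $rights = @($perm.AccessRights | ForEach-Object { "$_" })

        $issue = $null
        switch ($kind) {
            'Anonymous' { if (@($rights | Where-Object { $_ -ne 'None' }).Count -gt 0) { $issue = 'Anonymous has rights' } }
            'Default'   { if (@($rights | Where-Object { $DefaultAllowedRights -notcontains $_ }).Count -gt 0) { $issue = 'Default broader than policy' } }
            'Unknown'   { $issue = 'Orphaned (deleted) user' }
            default     { if ($rights -contains 'Owner') { $issue = 'Explicit Owner' } }
        }
        if (-not $issue) { return }

        if ($kind -eq 'Unknown' -and $RemoveOrphans -and $PSCmdlet.ShouldProcess("$($perm.Identity)", "Remove $u")) {
            $removeParams = @{ Identity = $perm.Identity; User = $u; Confirm = $false }
            if ($removeTakesRights) { $removeParams['AccessRights'] = $perm.AccessRights }
            Remove-PublicFolderClientPermission @removeParams
        }
        [pscustomobject]@{
            Folder = "$($perm.Identity)"
            User   = "$u"
            Kind   = $kind
            Rights = ($rights -join ',')
            Issue  = $issue
        }
    }
}

# Usage: review first, then clean up orphans with -WhatIf before doing it for real
Get-PublicFolderPermissionFinding | Sort-Object Issue, Folder | Format-Table -AutoSize
Get-PublicFolderPermissionFinding -RemoveOrphans -WhatIf
```

    Pipe the first call to Export-Csv to keep a record of the findings before removing anything; "Anonymous has rights" on any folder is the item to chase first, since it is reachable without authentication.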

    More information on managing Public Folders can be found on TechNet for Exchange.

    Good Luck

    Da

  • 8dot3 and the Exchange 2010 SP3 LAG Copy

    Recently I deployed Exchange 2010 SP3 and experienced a few headaches when it came to the LAG copy.  It turns out that this was probably related to the known issue with Exchange 2010 SP3 and 8dot3Name, even though we never activated these copies and with no transaction logs on the active copy containing any 8.3 names (weird!). 

    My configuration:

    • Exchange 2010 SP2 RU4 on Windows 2008 R2
    • Circular Logging enabled (backup-less environment)
    • LAG copy containing more than 2 weeks of transaction logs

    First, what is an 8.3 name and why was it enabled?  It is a legacy naming convention from the MS-DOS days: a short alias (up to eight characters, a dot, and a three-character extension) generated alongside each long file name.  By default, our Windows 2008 R2 build does not have 8.3 name creation enabled.  However, we discovered that a GPO had been set which overrode that value as a requirement for a government compliance program.  It turns out that lots of older government compliance programs required this to be enabled. 

    An example of files with and without 8.3 naming convention:  (dir /x)

    [Image: dir /x output listing the same files with and without their 8.3 short names]

    How did we discover it was enabled?  In our testing, we had a number of LAG database copies go to a FailedAndSuspended state.  Our troubleshooting led us to the known issue listed above and we confirmed using the FSUTIL command and DIR /X.

    What problems did we experience? If we upgraded a server from SP2 to SP3 that hosted either the LAG copy or the active copy, and the LAG copy contained at least one log with an 8.3 name, then intermittently the LAG copy would go to a FailedAndSuspended state.  Not all copies failed all of the time.  Nor did we have to activate the DB for it to fail; it just did it whenever the server was rebooted.

    What did we do to fix it? We knew that if the LAG copy contained any transaction logs with 8.3 names, the DB would fail.  So we made a change to the server using FSUTIL (FSUTIL 8dot3Name Set 1).  It took a day to discover that the setting had reverted, which led us to an old GPO entry.  After changing the GPO and forcing the update to occur, we could see that newly created transaction logs were not getting 8.3 names. 

    Next, we waited for all database copies to cycle through the old logs (those containing the 8.3 names) before making any server reboots or significant changes.  Failing a database over to another copy did not help. 

    We verified that all database copies contained no transaction logs containing these 8.3 files names by running a PowerShell command per server:

    # Flag databases on this server whose log folder still holds logs with a generated short name.
    # dir matches the wildcard against short names as well as long names; generated short names end
    # in ~1, ~2 and so on, so use ~? rather than ~1. dir returns a non-zero exit code when nothing matches.
    $GetDatabase = Get-MailboxDatabase -Server $Env:ComputerName
    foreach ($DB in $GetDatabase) {
        $LogPath = Join-Path "$($DB.LogFolderPath)" '*~?.log'
        $null = cmd /c dir $LogPath 2>&1
        if ($LASTEXITCODE -eq 0) { Write-Host "$($DB.Name) - 8dot3 Log Files Found" -ForegroundColor Yellow }
        else { Write-Host $DB.Name }
    }

     

    Basically, before you upgrade to SP3, check that your server does not have 8.3 name creation enabled (FSUTIL 8dot3Name Query).  If it does, disable it and cycle through all your transaction logs before deployment.  Disabling creation does not remove short names that already exist on disk, so logs written before the change keep theirs until they are truncated. 
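    The following is an added example, not code from the original post: the pre-upgrade check done without relying on a wildcard. It reads the effective NtfsDisable8dot3NameCreation setting and then asks the file system, per log file, whether a short name actually exists, so it also catches names that a ~1 or ~? pattern would miss. It assumes the Exchange Management Shell (for Get-MailboxDatabase) and local administrator rights on the server.

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell
# and local administrator rights; written to run on the PowerShell 2.0 that ships
# with Windows 2008 R2.
function Get-Ntfs8dot3State {
    # 0 = short names created on all volumes, 1 = disabled on all volumes,
    # 2 = decided per volume (check with: fsutil 8dot3name query <drive>),
    # 3 = disabled on all volumes except the system volume
    $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem').NtfsDisable8dot3NameCreation
    New-Object PSObject -Property @{
        NtfsDisable8dot3NameCreation = $v
        ShortNamesMayBeCreated       = ($v -eq 0 -or $v -eq 2)
    }
}

function Get-ShortNamedLog {
    param([Parameter(Mandatory=$true)][string]$Folder)
    $fso = New-Object -ComObject Scripting.FileSystemObject
    Get-ChildItem -Path $Folder -Filter '*.log' | ForEach-Object {
        # ShortName returns the 8.3 alias when the file has one, otherwise the long name unchanged
        $short = $fso.GetFile($_.FullName).ShortName
        if ($short -ne $_.Name) {
            New-Object PSObject -Property @{ Folder = $Folder; Name = $_.Name; ShortName = $short }
        }
    }
}

function Test-ExchangeLogsFor8dot3 {
    param([string]$Server = $env:COMPUTERNAME)
    foreach ($db in Get-MailboxDatabase -Server $Server) {
        $logFolder = "$($db.LogFolderPath)"
        $hits = @(Get-ShortNamedLog -Folder $logFolder)
        $example = if ($hits.Count -gt 0) { "$($hits[0].Name) -> $($hits[0].ShortName)" } else { '' }
        New-Object PSObject -Property @{
            Database       = $db.Name
            LogFolder      = $logFolder
            ShortNamedLogs = $hits.Count
            Example        = $example
        }
    }
}

# Usage: both should be clean before the SP3 upgrade and before any reboot
Get-Ntfs8dot3State
Test-ExchangeLogsFor8dot3 | Format-Table Database, ShortNamedLogs, Example -AutoSize
```

    Run it on every DAG member that holds a copy, not just the one being upgraded; the post notes that the failure appeared whichever side held the short-named logs. A ShortNamedLogs count that refuses to drop to zero after circular logging has had time to roll means the setting reverted again and the GPO is still winning.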

    As you can see, you don’t have to actually activate the DB for this to cause issues. 

    Good Luck!

    D

  • Lync Control Panel–401.1 Unauthorized

    Recently I had to install Lync Server 2010 on a repurposed Windows 2008 R2 server within a lab environment. One of the issues that I ran across was preventing me from accessing the Lync Control Panel from the Lync Front End server.

    Attempting to open the Lync Control Panel from the Lync 2010 Front End server displayed the following error:

    [Image: HTTP 401.1 Unauthorized error shown when opening the Lync Control Panel]

    I started by confirming that all of the prerequisites were installed, followed TechNet: Troubleshooting Lync Server 2010 Control Panel, and confirmed that Kerberos was configured and working properly. None of these changed the error.

    In the end, the resolution was to enable the DisableLoopbackCheck registry value.

    WARNING: Think carefully before doing this. DisableLoopbackCheck switches off the loopback check that protects the server against NTLM reflection attacks, and it does so for every host name, not just the one you need. This scenario was a lab environment with no Internet access. For production environments, register only the required host names in the BackConnectionHostNames value (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0) instead and leave the loopback check on.
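    The following is an added example, not code from the original post: the production alternative to DisableLoopbackCheck. It adds only the host names that need to authenticate back to this server to the BackConnectionHostNames multi-string value, and reports whether the broader DisableLoopbackCheck switch is still set. The host names in the usage line are placeholders; run it elevated and restart afterwards (the IISAdmin service at minimum) for the change to take effect.

```powershell
# Added example (not from the original post). Host names below are placeholders.
function Add-BackConnectionHostName {
    param([Parameter(Mandatory=$true)][string[]]$HostName)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $existing = @((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).BackConnectionHostNames)
    # Merge with what is already registered, drop empties, de-duplicate; the value is REG_MULTI_SZ
    $merged = @(($existing + $HostName) | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $key -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

function Test-LoopbackCheckDisabled {
    # 1 means the loopback (reflection) check is off for every host name, not just the ones you need
    $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).DisableLoopbackCheck
    return ($v -eq 1)
}

# Usage: the names that IIS on this box is reached by (placeholders)
Add-BackConnectionHostName -HostName 'lyncfe01.contoso.local', 'admin.contoso.local'
if (Test-LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck=1 is set; remove it once BackConnectionHostNames covers the required names.'
}
```

    Once the named entries work, delete the DisableLoopbackCheck value rather than leaving both in place; the whole point of the narrower setting is that every other host name keeps the protection.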

    Good Luck!
    Doug