Sunday, November 15, 2009

Local Account Manipulation

I had a request the other day from someone who knows some of my work. He had seen my scripts for manipulating local accounts on machines but couldn't make sense of them. (This was essentially because he was only seeing half of the system.) He asked if I could explain them in my blog, so here goes...

There are many different methods for manipulating local accounts on machines. Some companies make a profit from selling software that will go and talk to all of the machines and change passwords, accounts, group memberships, etc. Surprisingly, Microsoft has not yet integrated any system for easy management of local computer accounts into their own domain management systems. (Edit: Of course Microsoft has finally done something about this and you can now use Group Policy Preferences to manage local accounts quite easily. I thoroughly recommend using Group Policy instead of the method described here!)

Anyway, one way to achieve this is to use the Group Policy system. Computer startup scripts (Computer Configuration / Windows Settings / Scripts / Startup) run under the Local System account, so they have full administrative rights on the machine. This enables the savvy administrator to run a script that can be used to manipulate local accounts.

What about the fact that the passwords may be exposed in the script? Some administrators will suggest that you do it in VBScript and then encrypt it. This is not a good idea because it is far too easy to decrypt these files. IMHO, it is much better to let Microsoft's domain security protect it for you. (I can't believe I just said that. Scary but true!)

You can place the 'scriptlets' below in the GPO's Scripts folder and pass the required parameters (account name, new password) to them from the GPO. You secure the GPO by removing Authenticated Users from the Read and Apply Group Policy rights and granting those rights to Domain Computers instead; GPMC mirrors that change onto the GPO's folder in SYSVOL, so ordinary users can no longer read the script or the parameters stored alongside it, while the computers running the scripts still can. Be clear about what this does and does not protect: the password is still stored in clear text in SYSVOL, readable by any process running as a domain computer account, so a local administrator on any domain-joined machine can run a process as SYSTEM and read it. This keeps the password from users, not from local administrators, and the GPO should be removed once the change has been applied rather than left in place.

There is a caveat. The computers have to be processing Group Policy in order to run the scripts. Slow link detection may prevent startup scripts from running over a slow connection (its threshold and behaviour can be modified), and computers that only reach the network by remote access may never run them: startup scripts run at boot, so a computer that is connected to the network when it starts (including by a remote access connection made at the logon screen) will process them, but a user who logs on with cached credentials and connects to the VPN or dial-up afterwards will not.

IDCHPASS.BAT: Used to change a local user identity's password.

@ECHO OFF
REM USAGE: IDCHPASS username newpassword
NET USER %1 %2

IDCREATE.BAT: Used to create a local identity.

@ECHO OFF
REM USAGE: IDCREATE username password
NET USER %1 %2 /ADD

IDDELETE.BAT: Used to delete a local identity.

@ECHO OFF
REM USAGE: IDDELETE username
NET USER %1 /DELETE

IDENABLE.BAT: Used to enable or disable a local identity.

@ECHO OFF
REM USAGE: IDENABLE username YES\NO
NET USER %1 /ACTIVE:%2

IDGROUP.BAT: Used to change the group membership of a local identity, or to create or delete local groups.

@ECHO OFF
REM USAGE: IDGROUP group ADD\DELETE username
REM USERNAME IS ADDED TO OR DELETED FROM GROUP
REM USERNAME CAN BE LEFT OFF TO ADD OR DELETE GROUPS
NET LOCALGROUP %1 %3 /%2
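The following PowerShell is an added example, not part of the original post, for checking the SYSVOL side of the "secure your GPO" step above. It walks every GPO folder, reports any that are still readable by broad groups, and looks for startup scripts that drive NET USER and for the scripts.ini file where the parameters passed from the GPO (and therefore the password) are actually written. The domain name is a placeholder; run it as an account that can read SYSVOL.

```powershell
# Added example, not part of the original post: audit GPO folders in SYSVOL for
# the setup described above. $Domain is a placeholder for your own domain.
$Domain     = 'contoso.com'
$PolicyRoot = "\\$Domain\SYSVOL\$Domain\Policies"

# Identities that must not keep Read on a GPO whose scripts carry passwords.
$BroadReader = '^(NT AUTHORITY\\Authenticated Users|BUILTIN\\Users|Everyone|[^\\]+\\Domain Users)$'
$ReadBit     = [System.Security.AccessControl.FileSystemRights]::ReadData

Get-ChildItem -Path $PolicyRoot -Directory | ForEach-Object {
    $gpo = $_

    # 1. Who can read the GPO folder? Removing Authenticated Users from the GPO's
    #    security filtering in GPMC should have removed them from this ACL as well.
    $readers = (Get-Acl -Path $gpo.FullName).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $ReadBit) -eq $ReadBit) -and
        $_.IdentityReference.Value -match $BroadReader
    } | ForEach-Object { $_.IdentityReference.Value }

    # 2. Startup scripts and their parameters. Parameters set in the GPO editor
    #    (e.g. "IDCHPASS username newpassword") land in scripts.ini as "0Parameters=...",
    #    so that file, not the .bat, is where the password actually sits.
    $scriptsDir = Join-Path $gpo.FullName 'Machine\Scripts'
    $paramLines = @()
    $netScripts = @()
    if (Test-Path $scriptsDir) {
        $ini = Join-Path $scriptsDir 'scripts.ini'
        if (Test-Path $ini) {
            $paramLines = @(Select-String -Path $ini -Pattern '^\d+Parameters=\S')
        }
        $netScripts = @(Get-ChildItem -Path $scriptsDir -Recurse -Include *.bat,*.cmd |
            Select-String -Pattern '^\s*NET\s+(USER|LOCALGROUP)\s')
    }

    if ($readers -or $paramLines -or $netScripts) {
        [pscustomobject]@{
            GPO              = $gpo.Name
            BroadReaders     = $readers -join '; '
            ScriptParamLines = $paramLines.Count
            NetUserScripts   = ($netScripts | ForEach-Object { $_.Filename } | Sort-Object -Unique) -join '; '
        }
    }
} | Format-Table -AutoSize
```

A GPO that shows up with BroadReaders populated and ScriptParamLines greater than zero is handing the new password to every domain user. Even once the ACL is correct, the parameters remain readable by anything running as a computer account, which includes SYSTEM on every domain-joined machine.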


A shoutout goes to ripvankip for giving me something to write about! ;)

Sean

Wednesday, November 11, 2009

How to differentiate a VM from a physical machine

My company wanted to apply a policy to Virtual machines to change the screen saver to the blank one. Makes sense right? Why waste shared CPU cycles on a screen saver nobody is ever actually going to see because the machine has no screen?

The issue was, how to differentiate a VM from other machines. (Personally, I would just have forced a blank screen saver on a 10-minute idle timer on everything and saved a little money on the energy bills. You then create an exception group in Active Directory, give it Deny Apply Group Policy permission on the policy and put the computer accounts of machines that must always have the display running, such as wall monitors for call queues or network monitoring, etc., in the exception group..... but I digress from the topic at hand.)

So to get back to the topic, how can we differentiate a VM from a physical machine? A little walk through WMI Explorer gave me the answer. A WMI query:

Select * from Win32_ComputerSystem WHERE Manufacturer LIKE "VMWare%"

Add that as a filter to your GPO and it'll only apply to VMWare machines.

"What about Microsoft Virtual Server?" I hear you ask. I don't know. We don't use them, but I suspect if you look through WMI, you'll find a similar marker that can be used to identify them.

It's also worth noting that the LIKE filter in the statement will only work on XP and later machines.
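The PowerShell below is an added example, not part of the original post. It evaluates a WMI filter the same way Group Policy does (the filter is true when the query returns at least one instance) so you can test it on a machine before attaching it to the GPO, and it shows the Win32_ComputerSystem strings other hypervisors report. Only the VMware clause comes from the post; the other vendor strings are well-known markers added here, so confirm them on your own hosts.

```powershell
# Added example, not part of the original post: test a GPO WMI filter locally and
# list the vendor markers it could key on.

function Test-GpoWmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    # Group Policy treats the filter as TRUE when the query returns at least one instance.
    $hits = @(Get-WmiObject -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

# WHERE clauses for common hypervisors; the first is the post's filter. The rest are
# widely reported Manufacturer/Model strings, not taken from the post.
$HypervisorMarkers = @(
    @{ Name = 'VMware';               Where = 'Manufacturer LIKE "VMware%"' }
    @{ Name = 'Hyper-V / Virtual PC'; Where = 'Manufacturer LIKE "Microsoft%" AND Model LIKE "Virtual Machine%"' }
    @{ Name = 'VirtualBox';           Where = 'Model LIKE "VirtualBox%"' }
    @{ Name = 'Xen';                  Where = 'Manufacturer LIKE "Xen%"' }
    @{ Name = 'QEMU / KVM';           Where = 'Manufacturer LIKE "QEMU%" OR Manufacturer LIKE "Red Hat%"' }
)

$cs = Get-WmiObject -Class Win32_ComputerSystem
"This host reports Manufacturer='{0}' Model='{1}'" -f $cs.Manufacturer, $cs.Model
foreach ($m in $HypervisorMarkers) {
    $q = 'SELECT * FROM Win32_ComputerSystem WHERE ' + $m.Where
    '{0,-24} {1}' -f $m.Name, (Test-GpoWmiFilter -Query $q)
}
```

These are SMBIOS strings populated by the hypervisor, which is fine for choosing a screen saver but is not a security boundary: the VM owner can change them, and the very same Win32_ComputerSystem check is what sandbox-aware malware uses to decide whether it is being analysed.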

Cheers,
Sean

Wednesday, November 4, 2009

How to use ROMMON to recover from a bad boot image on a Cisco ASA

Note that this can be applied to other Cisco devices, but commands will vary from device to device. The specific commands here apply to the Cisco ASA 5500 series.
Connect a computer to the console port of the device using a Cisco console cable. Use a terminal emulator such as PuTTY set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
Power cycle the device.
During startup, press the Escape key when you see the prompt to enter ROMMON mode.
It is always a good idea to retain the previous boot image on the device during an upgrade, if space permits. If there is an alternative image available on the flash memory you can issue the boot command as follows:
rommon #1> boot asa821-k8.bin
Launching BootLoader...
Boot configuration file contains 1 entry.

Loading disk0:/asa821-k8.bin... Booting...
Platform ASA5505
Loading...


If you don't have a local copy of an alternative boot image and need to copy an image from a network location, define the interface settings as follows:

rommon #1> ADDRESS=172.31.255.1
rommon #2> SERVER=10.200.4.29
rommon #3> GATEWAY=172.31.255.4
rommon #4> IMAGE=asa821-k8.bin
rommon #5> PORT=GigabitEthernet0/1
GigabitEthernet0/1 Link is UP
MAC Address: 0021.a09a.bf89

Test connectivity using the ping server command.
rommon #6> ping server
Sending 20, 100-byte ICMP Echoes to server 10.200.4.29, timeout is 4 seconds:

Success rate is 100 percent (20/20)

Load the software image using the tftp command. This assumes that you have a TFTP server running on the target address and a copy of the required image in the target directory.
rommon #7> tftp
ROMMON Variable Settings:
ADDRESS=172.31.255.1
SERVER=10.200.4.29
GATEWAY=172.31.255.4
PORT=GigabitEthernet0/1
VLAN=untagged
IMAGE=asa821-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

tftp
asa821-k8.bin@10.200.4.29 via 172.31.255.4
Received 16275456 bytes
Launching TFTP Image...

After the image is loaded the device automatically exits ROMMON and boots it. Note that an image booted this way runs from RAM only and is not written to flash: once the ASA is up, copy it to disk0: (for example with copy tftp: disk0:), point boot system at it, and run verify /md5 disk0:/asa821-k8.bin against the checksum published on Cisco's download page, because the ROMMON TFTP transfer performs no integrity check of its own.


Sunday, October 25, 2009

Cannot start Microsoft Outlook. Cannot open the Outlook window.

I had an interesting problem over the weekend... on my HOME computer!! O_o

Trying to launch Outlook, I was receiving the error message “Cannot start Microsoft Outlook. Cannot open the Outlook window.”

It appears that the configuration file for the Navigation Pane can get corrupted and this will prevent Outlook from launching successfully.

This can be remedied by running OUTLOOK.EXE with the /RESETNAVPANE switch.

Thursday, September 10, 2009

How to Edit an INI file using VBScript

Modify the target file path, the key to look for and the new value (the lines marked in the comments below) as appropriate.

Note that you can use environment variables to ensure that it will work on all systems. eg. If you use %SystemRoot% it will work whether windows is installed in C:\WINNT or D:\Windows.


' This script can be used to edit entries in ini files
'
' Written by Sean Bradley
' Version 1.0
' Last modified 11/09/09
'
Option Explicit
Const ForReading = 1
Const ForWriting = 2
Dim oShell, objFSO, objTextFile, targfile, backdir
Dim strNextLine, strNewFile, strKey, strNewEntry, blnFound

Set oShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Set the target file and backup directory.
'Note that I've used an environment variable here to ensure it works on all systems.
'
targfile = oShell.ExpandEnvironmentStrings("%SystemRoot%") & "\editthisfile.ini"
backdir  = oShell.ExpandEnvironmentStrings("%TEMP%") & "\"

'Set the key to look for and the full line that should replace it.
'
strKey      = "IniFileEntrytoEdit"
strNewEntry = strKey & "=My Entry in the File"
blnFound    = False
strNewFile  = ""

'Make sure the file exists to prevent errors.
'
If objFSO.FileExists(targfile) Then
    'Copy it to the backup directory then open the file.
    objFSO.CopyFile targfile, backdir, True
    Set objTextFile = objFSO.OpenTextFile(targfile, ForReading)

    'Read through each line of the file for the entry you want to set.
    'Only a line that starts with "key=" (case-insensitive) is replaced, so a key
    'that merely contains the name, e.g. "MyIniFileEntrytoEdit2=", is left alone.
    '
    Do Until objTextFile.AtEndOfStream
        strNextLine = objTextFile.ReadLine
        If LCase(Left(LTrim(strNextLine), Len(strKey) + 1)) = LCase(strKey & "=") Then
            strNextLine = strNewEntry
            blnFound = True
        End If
        strNewFile = strNewFile & strNextLine & vbCrLf
    Loop
    objTextFile.Close

    'If the key was not present, append it so the setting still takes effect.
    'Note the script is not section-aware: an appended key lands in whatever
    '[section] ends the file.
    If Not blnFound Then strNewFile = strNewFile & strNewEntry & vbCrLf

    'Write the file with the new entry. Write (not WriteLine) is used because
    'every line above already carries its own CRLF.
    '
    Set objTextFile = objFSO.OpenTextFile(targfile, ForWriting)
    objTextFile.Write strNewFile
    objTextFile.Close
End If
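The script above matches the key wherever it appears, and real INI files often repeat the same key under different [sections]. The PowerShell below is an added example, not part of the original post, showing a section-aware version: it changes the key only inside the named section, appends it there if the section exists without it, and creates the section if it is missing. The file path and the sample INI content are constructed for the example.

```powershell
# Added example, not part of the original post: section-aware INI edit.

function Set-IniValue {
    param(
        [Parameter(Mandatory)][string[]]$Lines,    # file content, one line per element
        [Parameter(Mandatory)][string]$Section,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    $out         = New-Object System.Collections.Generic.List[string]
    $current     = ''       # section we are currently inside
    $done        = $false   # has the key been written yet?
    $sectionSeen = $false
    $keyPattern  = "^\s*$([regex]::Escape($Key))\s*="

    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
            # Leaving the target section without having found the key: add it at the end of that section.
            if ($current -eq $Section -and -not $done) { $out.Add("$Key=$Value"); $done = $true }
            $current = $Matches['name']
            if ($current -eq $Section) { $sectionSeen = $true }
            $out.Add($line)
            continue
        }
        # Replace only the exact key in the right section; comments (; or #) fall through untouched.
        if ($current -eq $Section -and -not $done -and $line -match $keyPattern) {
            $out.Add("$Key=$Value"); $done = $true
            continue
        }
        $out.Add($line)
    }
    if (-not $done) {
        if (-not $sectionSeen) { $out.Add("[$Section]") }   # section missing entirely
        $out.Add("$Key=$Value")
    }
    return ,$out.ToArray()
}

# Constructed sample: the same key in two sections; only [Server] must change.
$sample = @(
    '[Client]'
    'Timeout=30'
    ''
    '[Server]'
    '; seconds before an idle connection is dropped'
    'Timeout=30'
    'Port=8080'
)
$edited = Set-IniValue -Lines $sample -Section 'Server' -Key 'Timeout' -Value '90'
$edited -join "`n"    # [Client] Timeout stays 30, [Server] Timeout becomes 90

# Applying it to a real file, with the same backup step the VBScript takes:
# $path = Join-Path $env:SystemRoot 'editthisfile.ini'
# Copy-Item -Path $path -Destination $env:TEMP -Force
# Set-IniValue -Lines (Get-Content $path) -Section 'Server' -Key 'Timeout' -Value '90' |
#     Set-Content -Path $path -Encoding Ascii
```

Keep the backup: a wrong section name in the commented-out lines still produces a valid file, but one with a new section your application may not expect.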

Monday, August 17, 2009

Log File Cleanup

I needed a tool to clean up log files that exceed a certain age and I remembered a simple executable that I used to have called deleteifolderthan.exe that did just what was required, but when I went looking for it, I couldn't locate it anywhere.

Giving up on that, I decided to write my own script. I needed something that would delete log files over a month old in subdirectories of a parent directory. This is what I came up with:

' Delete log files older than MaxDays from every subfolder of ParentFolder
' (one level deep; files directly in ParentFolder are left alone).
Const ParentFolder = "E:\Logs"
Const MaxDays = 31
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder(ParentFolder)
Set colSubFolders = objFolder.SubFolders
For Each objDir in colSubFolders
    Set colFiles = objDir.Files
    For Each objFile in colFiles
        ' DateCreated is the file's creation time. For logs that are appended to over
        ' time, or copied in from elsewhere, DateLastModified is often the better measure.
        If DateDiff("d", objFile.DateCreated, Now) >= MaxDays Then
            objFSO.DeleteFile objFile.Path
        End If
    Next
Next


If you wanted to delete old logs in a single folder, you could simplify this to:

Const WatchFolder = "E:\Logs"
Const MaxDays = 31
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objDir = objFSO.GetFolder(WatchFolder)
Set colFiles = objDir.Files
For Each objFile in colFiles
    If DateDiff("d", objFile.DateCreated, Now) >= MaxDays Then
        objFSO.DeleteFile objFile.Path
    End If
Next


Cheers,
Sean

Tuesday, August 11, 2009

JDE IE Recommended Settings

I just got back from the snow! Had an awesome time snowboarding in Thredbo.

I thought I'd quickly post this Group Policy ADM Template that I developed to configure Internet Explorer with some settings recommended by Oracle and JDE for running their OneWorld Web Client.


; This policy template has been written to optimise the JDE OneWorld web
; client under Internet Explorer, working around a limitation in this
; browser's number of connections to the web server, as per Oracle's
; recommendations for running the JDE web client in IE.
;
; The IE changes alter the number of connections to the server, which can
; help to improve the performance of the web client and the rendering of
; the menus.
;
; The CSV MIME Type is used to fix an issue when opening CSV files in
; the web client (please see Oracle documentation for further details).
;
; This is a System Policy template and does not use the preferred
; Group Policy method; therefore these registry settings are permanent
; (they remain in place after the policy is removed).
;
; Refer to Microsoft TechNet article Q323639 for further information.
;
; When viewed via a Group Policy Object Editor, you must enable the view for system
; policies, which appear as red icons as opposed to the standard blue ones.
;
; Windows 2000 Active Directory Group Policies:
; Click on Administrative Templates
; Right click
; View >
; Select Show Policies Only so that it removes the tick.
;
; Windows 2003 Active Directory Group Policies:
; Click on Administrative Templates
; Right click
; View >
; Select Filtering...
; Deselect Only show policy settings that can be fully managed
; so that it removes the tick.
; Select OK
;
;
;Developed by: Sean Bradley
;Contact info: Contact via http://draxonic.blogspot.com/
;Date last modified: 07/07/2009
;version: 1.0
;This file is provided AS IS for informational purposes to help assist other
;administrators in maintaining a high degree of client manageability.
;Be sure to fully test this in a lab environment PRIOR to implementation.
;The author makes no guarantee or warranty. IE: Use at your own risk.


CLASS MACHINE
CATEGORY "JDE Web Client Policies"
POLICY "CSV MIME Type"
KEYNAME "Software\Classes\MIME\Database\Content Type\application/csv"
EXPLAIN "Setting this policy fixes an issue when opening CSV files in the JDE web client."
PART "Set CSV MIME Type" CHECKBOX DEFCHECKED
VALUENAME "Extension"
VALUEON ".csv"
VALUEOFF ""
END PART
END POLICY
END CATEGORY


CLASS USER
CATEGORY "JDE Web Client Policies"
POLICY "Increase Max Connections per Server"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
EXPLAIN "Setting this policy changes the number of connections to the server which can help to improve the performance of the web client and rendering of the menus in the JDE Web Client. Note that existing Internet Explorer Maintenance Policy Objects can be used to permit HTTP 1.1 over proxy connections."
PART "Increase Max Connections values" CHECKBOX DEFCHECKED
VALUENAME "MaxConnectionsPerServer"
VALUEON NUMERIC 10
VALUEOFF NUMERIC 3
ACTIONLISTON
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
VALUENAME "MaxConnectionsPer1_0Server" VALUE NUMERIC 10
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
VALUENAME "MaxConnectionsPer1_0Server" VALUE NUMERIC 3
END ACTIONLISTOFF
END PART
END POLICY
END CATEGORY

Monday, July 27, 2009

RSA Server IP Address Change

A gotcha discovered while changing the IP address of an RSA Authentication server.

To change the address of the server, you need to use the rsautil command from the command line:

rsautil update-instance-node --old-host Current_IP_Address --new-host New_IP_Address --instance primary

where:
Current_IP_Address is the current IP address of the instance, for example, 192.168.1.1.
New_IP_Address is the new IP address of the instance, for example, 192.168.200.245.

That's all well and good and is in the administrative guide. Of course, you'll need to reconfigure any devices that are pointing to the IP address of the server as well, such as an authentication agent on your Aventail or ASA.

However, you may see failed authentications and start noticing this in your logs:
Node secret mismatch. Cleared on agent but not on server.

In order to fix this, you'll have to get CLI access to your Aventail or ASA and delete the node secret files from the device. On an Aventail, these are the files ststatus.12 and securid in /var/ace; delete them, then restart the policy server with /etc/init.d/policyserver restart. On the ASA it will be a file named after the server's address, e.g. 192-168-111-123.sdi. Then connect to your RSA Security Console and manage the existing authentication agents. You should then be able to select "Manage Node Secret" from the drop-down menu and clear the node secret. The secret will then be renegotiated on first use.

Cheers,
Sean

Tuesday, July 7, 2009

VMware View Client Silent Installation

I've been having some trouble figuring out how to prevent VMware View Client from rebooting a machine upon completion of a silent installation. The standard /norestart switch that you normally pass to msiexec simply results in an error.

In the end, I found two answers. One answer was to perform an administrative installation of the product. Then, you are able to call an installation using the msi file directly and use the normal msiexec command line parameters.

msiexec /qn /norestart /i "VMware View Client.msi" ADDLOCAL=Core DESKTOP_SHORTCUT=0 QUICKLAUNCH_SHORTCUT=0

The second, simpler answer was to pass the property REBOOT=ReallySuppress:

VMware-viewclient.exe /s /v"/qn DESKTOP_SHORTCUT=0 QUICKLAUNCH_SHORTCUT=0 REBOOT=ReallySuppress"

Cheers,
Sean

Wednesday, July 1, 2009

Sophos Anti-virus

I just cannot recommend Sophos Anti-virus as a corporate grade protection system. The product just has too many design flaws and bugs.

I also find their support method of providing support only over email vaguely disturbing. Sure, you can call them and try to get your assigned support person on the phone to discuss the case, but they will never call you and will only send you emails. Most of the time I prefer to talk to somebody in a support situation and use email for the transfer of raw data. Maybe that's just me though.

When getting their overpriced professional services out for a "Health Check" and general fixing session, the guy broke as much as he fixed and weeks later I'm still trying to fix issues that have been plaguing us for months. The results of the "Health Check" were very meager and mostly consisted of data recorded or exported from the system that I could have obtained myself.

Their AD synchronisation will not clean up computers removed from AD and their client/server system cannot handle this because thousands of message files build up and fill the hard disk!

The inability to assign a policy to a machine that registers as "Unassigned" just makes me shake my head in awe and mutter "What were they thinking?"

Some of their error messages make no sense! What the heck does "Requested value '.' doesn't exist" mean? The current directory doesn't exist?

The reporting is almost non-existent**, providing reports only on alerts. No reports on versions, last contact or anything really useful. Let's face it, if the machine has reported an alert, you know it's working. It's the machines not reporting in that I would worry about. I had to write my own SQL code to get useful information straight from the database.

Even their competitor removal tool is flawed, forcing me to script around its failings. That should've been my first warning. (I'm picturing the robot from 'Lost in Space' shouting 'Warning Will Robinson!")

Their remote installer relies on scheduled tasks, which would be cool if that didn't have bugs of its own that can prevent it from functioning correctly.

Almost worst of all is their flawed distribution system, which has no method to allow a mobile machine to detect its closest distribution point. If I take my notebook from Sydney to Brisbane, do you think it will update from Brisbane? Nope, it'll update over the WAN from Sydney. Their solution to this is to suggest we use DFS, which is a valid solution, but doesn't make me think their product is robust when their competitors offer inbuilt solutions to this issue.

"Warning Will Robinson!"

/RANT

** Edit: Sophos now have a new updating system that uses "Fixed Versions" representing the previous three monthly releases for each operating system that are updated with new threat detection data, and have new labels that incorporate "Recommended", "Previous" and "Oldest" versions of the software. They also have more reports available in version 4.0 of their Enterprise Console.

Sean

Tuesday, June 16, 2009

Windows Installer: Logging

These handy reg files for increasing the logging level of Windows Installer came in useful today:


LoggingOn.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"Logging"="voicewarmupx"
"Debug"=dword:00000007

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace]
"Flags"=dword:00000016
"Level"=dword:00000004



LoggingOff.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"Logging"=-
"Debug"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace]


In most cases, the Windows Installer log file name starts with msi, is followed by a group of random characters and ends with a .log extension. For example, the Windows Installer log will have a file name that resembles the following:

msib3a6g.log

You should be able to find it in the %temp% path.

The letters in the value field can be in any order. Each letter turns on a different logging mode. Each letter's actual function is as follows for MSI version 1.1:


v - Verbose output

o - Out-of-disk-space messages

i - Status messages

c - Initial UI parameters

e - All error messages

w - Non-fatal warnings

a - Start up of actions

r - Action-specific records

m - Out-of-memory or fatal exit information

u - User requests

p - Terminal properties

+ - Append to existing file

! - Flush each line to the log

x - Extra debugging information. The "x" flag is available only on Windows Server 2003 and later operating systems, and on the MSI redistributable version 3.0, and on later versions of the MSI redistributable.

"*" - Wildcard, log all information except for the v and the x option. To include the v and the x option, specify "/l*vx".
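Once verbose logging is on, the question is where in a log of several thousand lines the install actually failed. Windows Installer marks the failing action with "Return value 3", and the real error text is usually a few lines above it. The PowerShell below is an added example, not part of the original post, that finds that marker and returns the context around it; the sample log lines are constructed to match the format of a voicewarmupx log.

```powershell
# Added example, not part of the original post: locate the failing action in a
# verbose Windows Installer log.

function Find-MsiFailure {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$Context = 5                      # lines of context to return before the failure
    )
    for ($i = 0; $i -lt $LogLines.Count; $i++) {
        if ($LogLines[$i] -match 'Return value 3') {
            $action = ''
            if ($LogLines[$i] -match 'Action ended [\d:]+: (?<a>\S+)\. Return value 3') {
                $action = $Matches['a']
            }
            $start = [Math]::Max(0, $i - $Context)
            return [pscustomobject]@{
                LineNumber = $i + 1
                Action     = $action
                Context    = $LogLines[$start..$i]
            }
        }
    }
    return $null   # no failure marker: the install succeeded or the log is incomplete
}

# Constructed sample in the shape produced by Logging=voicewarmupx.
$sampleLog = @(
    'MSI (s) (A4:C8) [15:02:11:120]: Doing action: InstallFiles'
    'Action start 15:02:11: InstallFiles.'
    'Error 1303. The installer has insufficient privileges to access this directory: C:\Program Files\Example.'
    'MSI (s) (A4:C8) [15:02:12:004]: Product: Example Client -- Error 1303.'
    'Action ended 15:02:12: InstallFiles. Return value 3.'
    'Action ended 15:02:12: INSTALL. Return value 3.'
)
$hit = Find-MsiFailure -LogLines $sampleLog -Context 3
"Failed action: $($hit.Action) at log line $($hit.LineNumber)"
$hit.Context

# Against the newest log written after importing LoggingOn.reg:
# $log = Get-ChildItem "$env:TEMP\msi*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
# Find-MsiFailure -LogLines (Get-Content $log.FullName)
```

Treat these logs as sensitive while logging is switched on: the p flag records every property, which includes any values supplied on the msiexec command line, so clear the msi*.log files out of %temp% (or import LoggingOff.reg) once the problem is found.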



Sean



Wednesday, May 27, 2009

SCCM: Machines that have failed an advertisement

I get tired of sifting through the standard reports that restrict you to a particular deployment, a particular advertisement, a particular collection, a particular state, etc. I often like to see details at a more global level, even if those details run to hundreds or thousands of lines, so I often write my own reports in WQL.

I decided it would be a good idea today if I could see all machines that have failed an advertisement... or more particularly, failed any advertisement. As usual, the standard report requires you to specify an advertisement and a state.

So I spent a half hour or so working out how I could get a report of any machines that had failed any advertisement. I decided it would be a good idea to optionally filter the results using an Advertisement ID in case I wanted to narrow it down. Here's the result:

The Prompt Query for the Variable @AdvertID (defaults to %) is:

begin
if (@__filterwildcard = '')
select AdvertisementID, AdvertisementName, Comment from v_Advertisement order by AdvertisementName
else
select AdvertisementID, AdvertisementName, Comment from v_Advertisement
WHERE AdvertisementID like @__filterwildcard
order by AdvertisementName
end

The main SQL Statement for the report is:

select sys.Netbios_Name0, sys.User_Domain0, sys.User_Name0, site.SMS_Installed_Sites0, sys.Client_Type0,
       ainfo.AdvertisementName, stat.LastStatusMessageID, stat.LastStatusMessageIDName,
       DATEADD(ss, @__timezoneoffset, stat.LastStatusTime) as LastStatusTime,
       stat.AdvertisementID, stat.LastExecutionResult, stat.LastExecutionContext
from v_ClientAdvertisementStatus stat
join v_AdvertisementInfo ainfo on stat.AdvertisementID = ainfo.AdvertisementID
join v_R_System sys on stat.ResourceID = sys.ResourceID
left join v_RA_System_SMSInstalledSites site on stat.ResourceID = site.ResourceID
where stat.LastState = 11 /* 11 = failed */
and stat.AdvertisementID LIKE @AdvertID

I hope someone else finds this useful.

Cheers,
Sean


PS: I've extended this concept into a collection. The WQL query for the collection is:

select sys.ResourceID, sys.ResourceType, sys.Name,
sys.SMSUniqueIdentifier, sys.ResourceDomainORWorkgroup, sys.Client
from SMS_R_System as sys
join SMS_ClientAdvertisementStatus as adstat
on adstat.ResourceID=sys.ResourceID
where adstat.LastState='11'


Tuesday, May 26, 2009

Excel: Listing Distinct Elements in a List

I found this info over at http://www.cpearson.com which is an absolutely awesome Excel reference. I wanted to copy these bits here so that I wouldn't lose them.

You can use a simple formula to extract the distinct elements in a list. Suppose your list begins in cell C11. In some cell, enter

=IF(COUNTIF($C$11:C11,C11)=1,C11,"")


Eliminating Blank Cells from a list

You can use a formula to return only the non-blank cells from a range. The following function will return all the cell values in a range named BlanksRange that are not empty.

Create a range name, with the same number of rows as BlanksRange called NoBlanksRange. The range NoBlanksRange must have the same number of rows as BlanksRange but it need not be in the same row numbers. Enter the following Array Formula in the first cell of NoBlanksRange, and then use Fill Down to fill out the range:

=IF(ROW()-ROW(NoBlanksRange)+1>ROWS(BlanksRange)-COUNTBLANK(BlanksRange),"",INDIRECT(ADDRESS(SMALL((IF(BlanksRange<>"",ROW(BlanksRange),ROW()+ROWS(BlanksRange))),ROW()-ROW(NoBlanksRange)+1),COLUMN(BlanksRange),4)))

The first N rows of NoBlanksRange will contain the N non-blank cells of BlanksRange. Note that this is an array formula, so you must press Ctrl+Shift+Enter rather than just Enter when you first enter the formula and whenever you edit it later. If you do this properly, Excel will display the formula enclosed in curly braces { }.

Note that if you do not use named ranges and enter the actual cell references, you must use absolute cell references (e.g., $B$1) rather than relative cell references (e.g., B1).

Wednesday, May 13, 2009

File Recovery

I had to attempt to recover a PST file from a hard disk that had massive numbers of bad blocks. How to copy the file off though? A straight file copy wouldn't work... it just kept giving me CRC errors because the 2.84GB email archive file sat across some of the bad blocks.

I knew if I could get most of the file, I'd probably be able to use the repair tool to recover most of what was in the archive.

JFileRecovery came to the rescue, recovering all but 19MB of the email archive. One of the best parts was that I didn't even need to install anything! It runs as a Java applet straight off the web page.

This one's definitely going in my bookmarks.

Tuesday, April 28, 2009

WSUS: Clients overwriting each other


I discovered an interesting issue recently where a number of machines that were clones of each other were using the same IDs to report to WSUS and were therefore constantly overwriting each other in the WSUS database.

A quick run of this script against the machines was able to force a change of those IDs and set a registry entry flag so that if the script were run again (such as from a computer startup GPO), it wouldn't reset the IDs again.


Option Explicit
Dim oShell, sRegKey, sIDDeleted, sCmd

Set oShell = CreateObject("WScript.Shell")

sRegKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"

' Suppress the error RegRead/RegDelete raise when a value does not exist.
On Error Resume Next

' Check for the marker left by a previous run.
sIDDeleted = oShell.RegRead(sRegKey & "\IDDeleted")

' To be sure the values are only deleted once, test the marker.
If sIDDeleted <> "yes" Then
    ' Delete the identifiers the cloned machines share.
    oShell.RegDelete sRegKey & "\AccountDomainSid"
    oShell.RegDelete sRegKey & "\PingID"
    oShell.RegDelete sRegKey & "\SusClientId"

    ' Stop and start the Automatic Updates service so it generates new IDs.
    oShell.Run "%SystemRoot%\system32\net.exe stop wuauserv", 0, True
    oShell.Run "%SystemRoot%\system32\net.exe start wuauserv", 0, True

    ' Run wuauclt.exe with /resetauthorization so the client re-registers.
    ' The variable name must match on both lines: with On Error Resume Next in
    ' force, a mismatch here fails silently and the command never runs.
    sCmd = "%SystemRoot%\system32\wuauclt.exe /resetauthorization /detectnow"
    oShell.Run sCmd, 0, True

    ' Create the marker so a second run (e.g. from a startup GPO) does nothing.
    oShell.RegWrite sRegKey & "\IDDeleted", "yes"
End If


We actually chose to run the script on the target machines using SCHTASKS.EXE from the Support Tools. I created a text file containing the names of all of the target machines and simply ran this script:

@echo off
REM One-off task on each machine in WSUS_Fix_Targs.txt; /z removes the task after it runs.
REM Caution: /rp puts a domain admin password in this file and in the task store on every
REM target. Prefer /ru SYSTEM (no /rp needed; the share must then be readable by Domain
REM Computers) or /rp * to be prompted, and restrict write access to \\server\share.
FOR /F %%i IN (WSUS_Fix_Targs.txt) DO (
    schtasks /create /tn "%%i_WSUS_SID_Fix" /tr "wscript.exe \\server\share\WSUS_Fix.vbs" /sc once /st 15:00 /ru domain\adminuser /rp userpassword /z /s %%i
)
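Before running the fix, it helps to know which machines actually share an ID rather than resetting every clone on the list. The PowerShell below is an added example, not part of the original post: it reads the same WindowsUpdate key remotely (Remote Registry service required) and groups machines by SusClientId, so only genuine duplicates need to go into WSUS_Fix_Targs.txt. The computer names and IDs in the sample are constructed.

```powershell
# Added example, not part of the original post: find machines sharing a SusClientId.

$Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-SusClientId {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $sub  = $hklm.OpenSubKey($Key)
        if ($null -eq $sub) { return $null }
        [pscustomobject]@{
            ComputerName = $ComputerName
            SusClientId  = $sub.GetValue('SusClientId')
            IDDeleted    = $sub.GetValue('IDDeleted')   # marker written by the fix script
        }
    } catch {
        Write-Warning "$ComputerName : $($_.Exception.Message)"
        $null
    }
}

function Find-DuplicateSusClientId {
    param([Parameter(Mandatory)][object[]]$Records)
    # Group by the ID and keep only IDs that more than one machine reports.
    $Records | Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Machines    = ($_.Group | ForEach-Object { $_.ComputerName }) -join ', '
            }
        }
}

# Live use:
# $records = Get-Content .\Candidates.txt | ForEach-Object { Get-SusClientId -ComputerName $_ }
# Constructed sample standing in for that result: PC01 and PC02 are clones.
$records = @(
    [pscustomobject]@{ ComputerName = 'PC01'; SusClientId = '6f0c8a5e-1111-4e0c-9c7d-aaaaaaaaaaaa'; IDDeleted = $null }
    [pscustomobject]@{ ComputerName = 'PC02'; SusClientId = '6f0c8a5e-1111-4e0c-9c7d-aaaaaaaaaaaa'; IDDeleted = $null }
    [pscustomobject]@{ ComputerName = 'PC03'; SusClientId = '0b2d7f41-2222-4b7e-8a3f-bbbbbbbbbbbb'; IDDeleted = 'yes' }
)
Find-DuplicateSusClientId -Records $records | Format-Table -AutoSize
# Only the machines listed in the output need to go into WSUS_Fix_Targs.txt.
```

Run it again after the fix: every machine should now report a distinct SusClientId and IDDeleted=yes.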

Monday, April 20, 2009

SCCM: selecting objects not in a collection


Although SCCM provides a way of restricting a result set to a collection, it doesn't provide a way of excluding another collection from your collection.

It's not that hard, if you get the Collection ID of the collection that you want to exclude, which you'll find in the properties of your collection and use WQL to rule out the membership of that collection.

select sms_r_system.resourceid, sms_r_system.name
from sms_r_system
where resourceid not in
(
select sms_r_system.resourceid
from sms_cm_res_coll_[ID], sms_r_system
where sms_r_system.resourceid = sms_cm_res_coll_[ID].resourceid
)


You can also chain them together. So, for example, to execute a query for a collection that you want to patch and automatically reboot the machines, but you want to exclude your 2 collections for manual patching and suppressed reboots and for reporting purposes you want to exclude the machines that don't have a client:

select sms_r_system.resourceid, sms_r_system.name
from sms_r_system
where resourceid not in
(
select sms_r_system.resourceid
from sms_cm_res_coll_sms00001, sms_r_system
where sms_r_system.resourceid = sms_cm_res_coll_sms00001.resourceid
)
and resourceid not in
(
select sms_r_system.resourceid
from sms_cm_res_coll_sms00002, sms_r_system
where sms_r_system.resourceid = sms_cm_res_coll_sms00002.resourceid
)
and resourceid not in
(
select sms_r_system.resourceid
from sms_cm_res_coll_sms00003, sms_r_system
where sms_r_system.resourceid = sms_cm_res_coll_sms00003.resourceid
)


Cheers,
Sean


PS: If anyone can tell me how I can place a comment in WQL code, I'd love to know!


PPS: It looks like the SQL convention of using /* comment */ works as I found it in some of the inbuilt reports. I could have sworn I'd tried this and it didn't work, but maybe I had them the wrong way around. /* embarrassed grin */

Saturday, March 21, 2009

Cisco: Password Recovery


Ever lost the password to a Cisco device? I've had to do this about 4 times so far during my career (Not because I lost the password personally!). The steps are similar for many Cisco devices. These are the steps to reset the enable password on an ASA5505 Security Appliance.

The following steps were designed using a Cisco ASA 5505 Security Appliance. They are not appropriate for a Cisco PIX Firewall appliance. Note what this procedure implies: anyone who can attach a console cable and power-cycle the appliance can reset its passwords, unless no service password-recovery has been configured, in which case the appliance will only let you proceed from ROMMON after erasing its configuration.


1. Power-cycle your security appliance by removing and re-inserting the power plug at the power strip.
2. When prompted, press Esc to interrupt the boot process and enter ROM Monitor mode. You should immediately see a rommon prompt (rommon #0>).
3. At the rommon prompt, enter the confreg command to view the current configuration register setting:
   rommon #0>confreg
4. The current configuration register should be the default of 0x01 (it will actually display as 0x00000001). The security appliance will ask if you want to make changes to the configuration register. Answer no when prompted.
5. You must change the configuration register to 0x41, which tells the appliance to ignore its saved (startup) configuration upon boot:
   rommon #1>confreg 0x41
6. Reset the appliance with the boot command:
   rommon #2>boot
7. Notice that the security appliance ignores its startup configuration during the boot process. When it finishes booting, you should see a generic User Mode prompt:
   ciscoasa>
8. Enter the enable command to enter Privileged Mode. When the appliance prompts you for a password, simply press Enter (at this point, the password is blank):
   ciscoasa>enable
   Password:
   ciscoasa#
9. Copy the startup configuration file into the running configuration with the following command:
   ciscoasa#copy startup-config running-config
   Destination filename [running-config]?
10. The previously saved configuration is now the active configuration, but since the security appliance is already in Privileged Mode, privileged access is not disabled. Next, in configuration mode, enter the following command to change the Privileged Mode password to a known value (in this case, we'll use the password system):
   asa#conf t
   asa(config)#enable password system
11. While still in Configuration Mode, reset the configuration register to the default of 0x01 to force the security appliance to read its startup configuration on boot:
   asa(config)#config-register 0x01
12. Use the following commands to view the configuration register setting:
   asa(config)#exit
   asa#show version
13. At the bottom of the output of the show version command, you should see the following statement:
   Configuration register is 0x41 (will be 0x1 at next reload)
14. Save the current configuration with the copy run start command to make the above changes persistent:
   asa#copy run start
   Source filename [running-config]
15. Reload the security appliance:
   asa# reload
   System config has been modified. Save? [Y]es/[N]o:yes
   Cryptochecksum: e5f81433 5493266b 4e24072 d71d5cbf
   2157 bytes copied in 1.490 secs (2157 bytes/sec)
   Proceed with reload? [confirm]
When your security appliance reloads, you should be able to use your newly reset password to enter privileged mode.
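As an added example (not part of the original post), here is a small Python check that parses the "Configuration register is ..." line that step 13 shows at the bottom of show version and flags any register value that still tells the appliance to ignore its startup configuration. The line format is taken from the page; the surrounding show version text is constructed, and the reading of 0x40 as the ignore-startup-config bit is derived from the confreg 0x41 setting used in the procedure above. Running this against collected show version output after a recovery confirms that step 11 was not forgotten.

```python
import re
from typing import Dict, List, Optional

# Constructed samples of the tail of "show version" (not captured from a real device).
# Mid-recovery: step 13 of the procedure above, before the reload.
SAMPLE_MID_RECOVERY = """\
... other show version lines ...
Configuration register is 0x41 (will be 0x1 at next reload)
"""

# Healthy appliance: default register, no pending change.
SAMPLE_CLEAN = """\
... other show version lines ...
Configuration register is 0x1
"""

# Step 11 skipped: the register stays 0x41 across reloads, so the appliance
# would keep booting without its startup configuration.
SAMPLE_STUCK = """\
... other show version lines ...
Configuration register is 0x41
"""

# The "(will be ... at next reload)" suffix only appears when the running value
# differs from the value that takes effect at the next reload.
_CONFREG_RE = re.compile(
    r"^Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?:\s*\(will be (0x[0-9A-Fa-f]+) at next reload\))?",
    re.MULTILINE,
)

# Assumed from the procedure: 0x41 = default 0x01 plus the 0x40 bit that
# makes the appliance ignore startup-config at boot.
IGNORE_STARTUP_CONFIG_BIT = 0x40
DEFAULT_CONFREG = 0x01


def parse_config_register(show_version_output: str) -> Optional[Dict[str, int]]:
    """Return the current and next-reload register values, or None if the line is absent."""
    m = _CONFREG_RE.search(show_version_output)
    if not m:
        return None
    current = int(m.group(1), 16)
    next_reload = int(m.group(2), 16) if m.group(2) else current
    return {"current": current, "next_reload": next_reload}


def audit_config_register(show_version_output: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    regs = parse_config_register(show_version_output)
    if regs is None:
        return ["no 'Configuration register' line found in show version output"]
    findings = []
    for label, value in regs.items():
        if value & IGNORE_STARTUP_CONFIG_BIT:
            findings.append(f"{label} register 0x{value:x} ignores startup-config at boot")
        elif value != DEFAULT_CONFREG:
            findings.append(f"{label} register 0x{value:x} is not the default 0x1")
    return findings


if __name__ == "__main__":
    for name, sample in (("mid-recovery", SAMPLE_MID_RECOVERY),
                         ("clean", SAMPLE_CLEAN),
                         ("stuck", SAMPLE_STUCK)):
        print(name, parse_config_register(sample), audit_config_register(sample))
```

The mid-recovery sample produces one finding for the current register only, because the next-reload value is already back to 0x1; the "stuck" sample produces a finding for both values, which is the state a device is left in if it is reloaded without running step 11.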

Monday, March 9, 2009

Sawmill Report Analyser


I have discovered today that Sawmill is a really cool tool for slicing and dicing data to produce useful analytical reporting information. Well worth a look if you want to produce reports from logged data from Proxies, RADIUS servers, Firewalls, Mail Server logs... you name it.

It has a bunch of preconfigured plug-ins for just about everything, will munch just about any log file you throw at it with quite reasonable performance and is very versatile in its configurability. Pretty cheap too!

I've known about the tool for a while, but never had a really good play with it until today.

Disclaimer: I am in no way affiliated with Sawmill.

Thursday, March 5, 2009

SCCM: Distribution Points


It seems that if a Distribution Point in the SCCM distribution model exceeds its configured retries, it doesn't appear to run a maintenance task in order to get those packages. The maintenance task essentially checks what packages the server is meant to have against the packages it finds already on the disk. (You can copy the files in there manually and it will be quite happy).

In order to force the Distribution Points to run a maintenance task, I acquired this handy little script from Microsoft and have scheduled it to run nightly against a collection of machines that has the Distribution Point role. Sit back and you can watch the network activity jump at the scheduled time.


' Set required variables.
actionNameToRun = "Peer DP Maintenance Task"

' Create a CPAppletMgr instance.
Set controlPanelAppletManager = CreateObject("CPApplet.CPAppletMgr")

' Get the available ClientActions object.
Set availableClientActions = controlPanelAppletManager.GetClientActions()

' Loop through the available client actions. Run the matching client action when found.
For Each clientAction In availableClientActions
    If clientAction.Name = actionNameToRun Then
        clientAction.PerformAction
        WScript.Echo "Ran: " & clientAction.Name
    End If
Next

Wednesday, March 4, 2009

SCCM: Distribution Error and the Ampersand


I came across an interesting problem in SCCM today. A branch distribution point ( BDP ) wasn't replicating a package and it turns out it was because one of the files in the package had an ampersand ( & ) in the file name.

I was seeing this in the ContentTransferManager.log on the BDP:

Unable to enumerate files in E:\BDPTmpWrkFldr\PDP2B6A.tmp (0x80070003)

I came across a Microsoft Knowledge Base article KB967648 that matches the error:

Consider the following scenario:

  • Distribution points and branch distribution points exist in a Microsoft System Center Configuration Manager 2007 Service Pack 1 (SP1) site.
  • A package is saved on distribution points and on branch distribution points.
  • A file name in this package contains an ampersand (&).
  • A property of this package is changed on the distribution points.

In this scenario, branch distribution points cannot update this package, and an error is encountered. Additionally, package distribution fails, and the package folder on branch distribution points cannot be accessed because of security permissions issues.

There is a hotfix available from Microsoft that is linked from the KB article.
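As an added example (not part of the original post or of any Microsoft tooling), the following Python pre-flight check walks a package source folder and reports every file or folder whose name contains an ampersand, so the problem can be caught before the package is sent to the distribution points rather than diagnosed from ContentTransferManager.log afterwards. The set of characters to look for is a parameter; only the ampersand is documented on this page, and the sample package tree is constructed in a temporary directory purely for demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import FrozenSet, List

# Only the ampersand is documented by KB967648 on this page; the set is a
# parameter so that a site can extend it if it finds other offending characters.
PROBLEM_CHARS: FrozenSet[str] = frozenset("&")


def find_problem_names(package_root, problem_chars: FrozenSet[str] = PROBLEM_CHARS) -> List[str]:
    """Return sorted, root-relative POSIX-style paths of every file or folder
    whose own name contains one of the problem characters.

    A folder containing an ampersand is reported once; the files inside it are
    only reported if their own names also contain a problem character.
    """
    root = Path(package_root)
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if any(ch in name for ch in problem_chars):
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def build_sample_package(dest) -> Path:
    """Create a constructed sample package tree (not a real SCCM package) under dest."""
    root = Path(dest) / "SamplePackage"
    for rel in ("setup.exe",
                "docs/readme.txt",
                "docs/Terms & Conditions.txt",   # ampersand in a file name
                "bin&tools/run.cmd"):            # ampersand in a folder name
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content\n")
    return root


def demo() -> List[str]:
    """Build the sample package in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_package(tmp)
        return find_problem_names(root)


if __name__ == "__main__":
    for hit in demo():
        print("problem name:", hit)
```

Run it against the real package source folder with find_problem_names(r"\\server\share\PackageSource") (path assumed) before updating the package; an empty list means nothing in the tree will trip the KB967648 condition.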

First!!11!one!1


Just kidding. This blog, which I've left untouched for three years, is going to undergo a redesign and be used for blogging information about esoteric technical stuff I've come across in my career as a computing professional.

If you find any of the information that is to follow useful, please drop me a line or leave a comment and let me know!

Cheers,
Sean