Setting group policy to enforce automatic updates

This is a quick how-to for setting automatic updates using group policies in Windows Server 2003.

Start off by opening up Active Directory Users and Computers from the server.

Hopefully you have got a specific OU that you want to apply this group policy to. In my case, there are about 100 computers listed under the Computers OU in Active Directory. My servers are located in a different OU, which is just as well, because I don’t want this policy to apply to the servers.

Right-click on the OU you want to apply the group policy to, and select Properties. From this properties page, select the Group Policy tab. If you already have the Group Policy Management snap-in installed, you will see something similar to the screenshot below – in this case just click “Open” to continue.

active-directory-gp

The group policy management window will open. Right-click the OU (In my case Computers), and select “Create and link a GPO here”

create-gpo1

Give the new GPO a name. I called mine “Install automatic updates”

gpo-name

Now, under the Linked Group Policy Objects tab, right click the new policy name, and select “Edit”

edit-new-gpo1

Now the Group Policy Object Editor will open. Under Computer Configuration, expand Administrative Templates, then Windows Components, then Windows Update.

automatic-update-gpo-settings

On the right panel, right-click “Configure Automatic Updates” and select “Properties”. Set the status to “Enabled” and choose your automatic update setting – I used option 4, which will download and install updates on a schedule, which I set to 17h00 every day.

Click Apply, then OK.

configure-automatic-updates

You can optionally configure the option “Delay restart for scheduled installations”. Otherwise, once updates are installed, the PCs will be given a countdown timer of 5 minutes before they restart automatically. The user can delay this if they are logged in; alternatively, configure this setting to extend the countdown timer, up to a maximum of 30 minutes. The user can always click restart later anyway.

Close the policy editor and the group policy management window once you have set your various options for automatic updates. The GPO will now be linked to the OU “Computers”, and any PC listed in this OU will have this policy applied the next time a user logs in, or the next time group policies are applied.

You can manually enforce policies on a PC by typing the following in command prompt, or the run dialog box :

gpupdate /force
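
To confirm the policy actually landed on a client after gpupdate, you can read back the values the "Configure Automatic Updates" policy writes to the registry. This is an added example, not part of the original post; it assumes PowerShell is installed on the client, and the function name is hypothetical.

```powershell
# Added example: check that the automatic updates GPO from this post reached this PC.
# Expected values mirror the settings chosen above (option 4, every day, 17h00).
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

$expected = @{
    NoAutoUpdate         = 0    # 0 = automatic updates are enabled
    AUOptions            = 4    # 4 = download automatically and install on a schedule
    ScheduledInstallDay  = 0    # 0 = every day
    ScheduledInstallTime = 17   # hour of the day, 24-hour clock
}

function Test-AutoUpdatePolicy {
    param([string]$Key = $auKey, [hashtable]$Expected = $expected)

    if (-not (Test-Path $Key)) {
        Write-Warning "Policy key not found. The GPO has not applied yet; run gpupdate /force."
        return $false
    }

    $actual = Get-ItemProperty -Path $Key
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name   # $null when the value is absent
        if ($value -ne $Expected[$name]) {
            Write-Warning "$name is '$value', expected $($Expected[$name])"
            $ok = $false
        }
    }

    # "Delay restart for scheduled installations" is optional, so only report it.
    if ($actual.RebootWarningTimeoutEnabled -eq 1) {
        Write-Host "Restart countdown set by policy: $($actual.RebootWarningTimeout) minutes"
    } else {
        Write-Host "Restart countdown not set by policy (default applies)"
    }
    return $ok
}

Test-AutoUpdatePolicy
```

A result of False on a PC in the OU usually means the GPO link or the PC's OU membership needs checking before you rely on it being patched.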

Hope this helps anyone looking to achieve a similar result!

How to increase the default exchange 2003 SP2 database store limits

This applies to Exchange 2003 SP2.

Today I had a call from a client complaining that their e-mail would sporadically stop working every day or two. They said that by restarting the server, they could temporarily fix the problem.

I connected up, and took a look at the server’s event viewer application logs around the times that the client said this had last happened, which was around 07h30 in the morning. At 05h00 in the morning, when the Exchange database runs some checks, I found the problem: a warning event complaining that the Exchange logical database was now over the default size allowed. The logical size is the physical size of the .edb and .stm files, less the logical free space (also known as white space). The default size limit for the entire database is 18GB (16GB + 2GB). We need to adjust these limits now, as our combined mailboxes and public folders are over the 18GB size limit, or are quite close to breaching it. If they are over, then your Exchange database will already have dismounted following the next check at 05h00 in the morning. If they have not passed the 18GB limit, then you will probably just be getting warning events at the moment, and should still increase the size limits to avoid any downtime.

This is how…

Open the registry editor – Start – Run, and type : regedit
Click Ok

Now navigate to (Note that the GUID is a unique string of numbers for each server) :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\NameOfYourExchangeServer\Private-GUID

Create a new DWORD entry as follows :

Database Size Limit in GB

Right-click and modify the entry once created, and give it a decimal value of anything between 1 and 75, depending on how many GB you want to limit this size to. Make sure you have enough free disk space on the partition where your Exchange database resides, and then enter something higher than 18. For example, I used 60 for 60GB.

Modify the exchange 2003 SP2 default database size

Click OK

Now navigate to the next part (This is to modify the public folders database size) :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\NameOfYourExchangeServer\Public-GUID

Do the same as above, by creating the same DWORD value, and give it a size limit (decimal value) higher than the current public database value. For example I used 15 for 15GB.

Click OK.

Now we need to exit the registry editor, and restart the Exchange Information Store.

Go to start – run, and type : services.msc

Press enter, or click OK.

Navigate to the Exchange Information Store service, and right click it. Select the restart option.

Please note that this will now dismount your store. If your mail store is still online, users will be temporarily disconnected while the store re-mounts itself. Once back online, the database sizes will have increased, and you will get some nice notifications in your application log informing you of the new database sizes.
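
The registry change above can also be scripted, with the disk space check done before the value is written. This is an added example, not part of the original post. It assumes PowerShell is installed on the server, that the registry key is named after the computer name, and that you pass in the path to the store's .edb file; the function name and the example path are hypothetical.

```powershell
# Added example. Assumptions: the MSExchangeIS subkey is named after
# $env:COMPUTERNAME, and -EdbPath points at the .edb file of the store.
$valueName = 'Database Size Limit in GB'
$base = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$env:COMPUTERNAME"

function Set-StoreSizeLimit {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Private', 'Public')][string]$Store,
        [Parameter(Mandatory = $true)][ValidateRange(1, 75)][int]$LimitGB,
        [Parameter(Mandatory = $true)][string]$EdbPath
    )
    # Find the Private-<GUID> or Public-<GUID> subkey without typing the GUID.
    $key = Get-ChildItem $base | Where-Object { $_.PSChildName -like "${Store}-*" } |
        Select-Object -First 1
    if (-not $key) { throw "No ${Store}-<GUID> key found under $base" }

    # Physical size = .edb plus its companion .stm file. This overstates the
    # logical size (white space is included), so the check errs on the safe side.
    $stm = [IO.Path]::ChangeExtension($EdbPath, '.stm')
    $files = Get-Item $EdbPath, $stm -ErrorAction Stop
    $sizeGB = ($files | Measure-Object -Property Length -Sum).Sum / 1GB

    # The store may grow by (limit - current size); the partition must hold that.
    $growthGB = $LimitGB - $sizeGB
    if ($growthGB -le 0) {
        throw "Limit of $LimitGB GB is not above the current size ($([math]::Round($sizeGB, 1)) GB)"
    }
    $drive = Split-Path $EdbPath -Qualifier
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freeGB = $disk.FreeSpace / 1GB
    if ($freeGB -lt $growthGB) {
        throw "Only $([math]::Round($freeGB, 1)) GB free on $drive, need $([math]::Round($growthGB, 1)) GB"
    }

    # Create (or overwrite) the DWORD value described in this post.
    New-ItemProperty -Path $key.PSPath -Name $valueName -PropertyType DWord `
        -Value $LimitGB -Force | Out-Null
    Write-Host "$($key.PSChildName): limit set to $LimitGB GB."
    Write-Host "Restart the Exchange Information Store service for it to take effect."
}

# Example call (the path is a placeholder for your own store location):
# Set-StoreSizeLimit -Store Private -LimitGB 60 -EdbPath 'D:\path\to\priv1.edb'
```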

How to view thumbnails for files in Windows 2008 Server

By default, Windows 2008 Server does not show you thumbnails for files when viewing them in Medium, Large or Extra Large Icon modes. To be able to view the thumbnails of images for example, you will need to do the following :

– Open up explorer, or Computer
– Click on Tools, then Folder Options (Or click the Organise drop down, and select folder options)
– Click on the View tab
– Now you can deselect the check box for “Always show icons, never thumbnails”
– Click Apply, then OK.

You should now be able to view your thumbnails. See below for the Folder Options dialog box.

view_thumbnails

Clear outgoing spam problems on your Exchange 2003 server / network

Today I had to sort out a client’s mail server after BT disconnected them from all broadband access. Their server had sent out 108 000 spam e-mails, and the mail queues were full, trying to send more.

They had to contact BT, and ask them to re-connect their broadband service, so that I could remotely login and take a look into the issue.

First thing I did once I got access was disable their SMTP Service. To do this, right-click My Computer, go to “Manage”, expand “Services and Applications”, double-click on Services, and scroll down to Simple Mail Transport Protocol Service. Right-click it, and select Stop. This will halt all outgoing mail.

From this point, I logged into the router (which happened to be a Netgear DG834), and checked the firewall logs. I could see tons of SMTP connections from external IP addresses. First of all I thought, let me just secure the firewall – this hadn’t been done on this particular router.

I went to the Firewall settings, and made some rules as follows :
Outbound traffic:
Allow SMTP(25) for single IP address on the internal LAN (192.168.16.2) – this is the IP of the mail server.
Disallow SMTP(25) for all IP addresses on internal LAN. (The above rule for the server overrides this).

I did a test before enabling these rules by using telnet to test outgoing SMTP connections from a few client PCs on the network first.

From command prompt, type : telnet anymailserver.com 25 (replace anymailserver.com with a mail server address such as mail.google.com). I could make a connection using this before the rule was in place; after the rule was enabled I could not, so this firewall rule was working well to block SMTP traffic from any PCs on the network that we didn’t want to be able to send mail. This, by the way, was in case one or more of the PCs had picked up a mass mailing worm that was sending spam directly from the PC. A telnet test from the mail server still worked, as I had explicitly allowed SMTP traffic from its IP address. So that was the internal network locked down. You can tell that a telnet connection on port 25 was successful if the command prompt goes blank, or gives you a mail server welcome message. (See the image below). If you don’t get a connection, the attempt will time out, and say it didn’t manage to connect after a few seconds.

telnet25
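
The telnet check above can be scripted so that it is repeatable across several PCs and gives a clear pass or fail against what the firewall rules should allow. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later, and the function and parameter names are hypothetical.

```powershell
# Added example: scripted version of the "telnet <mailserver> 25" egress check.
# Run it on client PCs (outbound port 25 should be blocked) and on the mail
# server with -ExpectOpen (outbound port 25 should still connect).
function Test-SmtpEgress {
    param(
        [Parameter(Mandatory = $true)][string]$MailHost,  # same host used in the telnet test
        [int]$Port = 25,
        [int]$TimeoutMs = 5000,
        [switch]$ExpectOpen   # set on the mail server, omit on client PCs
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    $detail = 'connection timed out'
    try {
        $pending = $client.BeginConnect($MailHost, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($pending)   # throws if the connection was refused
            $open = $true
            $detail = 'connected, no welcome message read'
            # A mail server normally greets with a "220 ..." welcome line.
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $reader = New-Object System.IO.StreamReader($stream)
            try { $detail = $reader.ReadLine() } catch { }
        }
    } catch {
        $detail = $_.Exception.Message
    } finally {
        $client.Close()
    }

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Target   = "${MailHost}:$Port"
        Open     = $open
        Detail   = $detail
        Pass     = ($open -eq $ExpectOpen.IsPresent)   # matches the firewall rule intent?
    }
}

# On a client PC:       Test-SmtpEgress -MailHost anymailserver.com
# On the mail server:   Test-SmtpEgress -MailHost anymailserver.com -ExpectOpen
```

A client PC that reports Open as True after the rules are enabled is one the outbound rule is not covering.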

Another thing to do at this point, would be to ensure the Anti virus is up to date on all PCs and the server, and scan them to ensure they are all clean.

Next up was the Exchange configuration – I checked that relay access was restricted only to the Mail server itself.

Open Exchange System Manager by going to Start menu – Programs, Exchange, Exchange System Manager.

Expand Servers, select your mail server name (In this case it is SBS2003), expand protocols, expand SMTP, and right click on the Default SMTP Virtual Server icon, then select Properties. (See image below)

Exchange System Manager

Once the properties sheet is open, click on the “Access” tab, then click on the “Relay” button.

Ensure that only localhost (127.0.0.1) – the server itself, and the server’s internal IP address are in the list. So in this case 127.0.0.1 and 192.168.16.2 are in the list, with the option “Only the computers below” selected. Then untick the check box below that list (Allow all computers which successfully authenticate to relay, regardless of the list above). This makes sure that only the server can relay mail. Obviously the situation depends on how your network is set up, so as long as you don’t have other mail servers connecting to this Exchange server, you should be safe un-ticking this option. See image below :

relay_access1

Click Ok, and then Ok once again. Open My computer, and browse to your exchange server’s queue folder. This is usually in C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue

You would probably have thousands of files in here, so rename the Queue folder to Queue_old or something like that, and create a new folder called “Queue” in its place. This will ensure a clear queue for when we re-enable the SMTP service.

Now go to your Services again, and Start the SMTP service, by right-clicking Simple Mail Transport Protocol, and clicking the Start option.

If all goes well, your queues should stay clear of any bad mail, and your network should be able to send mail again.

How to add a user as a local administrator using Windows Server 2008

The computer management console for Server 2008 has changed slightly between now and Windows Server 2003. I was trying to ensure a particular user was set up as a local administrator on a Windows 2008 Small Business Server today, and couldn’t find the option to do this via the GUI. Anyway, for those wondering how this is done using the command prompt, here is the solution.

First you need to run command prompt as an Administrator. Open Computer, go to your C: drive, and navigate to your Windows\System32 directory. Find “cmd.exe”, right-click on it, and select the run as Administrator option. Once at the command prompt, type the following :

net localgroup Administrators /add (domain)\(username)

(Obviously replace (domain)\(username) with your domainname\username that you want to be the local admin) – That is without the brackets.

You should get a message saying the command completed successfully. If you get an access denied error, you more than likely have not run cmd.exe as an administrator.

Be sure to run cmd.exe as administrator.

Winter is here! Testing the picture gallery plugin.

We went down to the local commons today, to see if the lakes would be frozen. We got there in the early afternoon, and my car temperature was already reading -2 degrees Celsius! I managed to get some decent photos taken, and so did the girlfriend. Today was the first time I had to fully kit myself out in my winter attire. Once at the lake, we were able to walk across the entire expanse of frozen water, and spent a few minutes hitting ice blocks around with sticks on the ice.

Anyway, the main reason for this post was to test my new plugin for uploading mini picture galleries to blog posts. I got it from here.
