KB: User’s print jobs showing as coming from another domain user

We’ve just had a strange problem where print jobs for one of our users were printing out and showing up on the printer as coming from a different username.

Normally this probably wouldn’t matter too much, but they use PaperCut account selection – meaning the popups to select the printer account were displaying on the other user’s screen.

After checking the event logs we noticed Explorer and Spoolsv were connecting to the print server as a different user’s account.

I remembered recently coming across the Windows Credential Manager – so opened up Credential Manager and sure enough, there was a saved network credential for this network server.

Deleting the credentials then restarting the computer has thankfully resolved the issue. First time I’ve run into this problem!


Veeam announces free Time Machine equivalent for Windows

Veeam, known for being one of the leading providers of enterprise virtual backups, have just announced they will be releasing a free backup tool for desktop users, providing automatic backups to a NAS or other hard drive.

Veeam Endpoint Backup FREE looks like it will be a great set and forget solution, allowing both simple file recovery or bare metal recovery. Using Mac OS X at home with Time Machine, I often wish there was a good free equivalent to recommend for Windows users. I’m sure there are options out there, but I really trust Veeam and it looks like it will be a nice simple product with no pressure to upsell to a paid version (there is none).

Don’t forget you still need an offsite backup – so team this up with a cloud backup, have another hard drive which you rotate offsite, or buy a pair of NASes, set up replication and distribute them among your family (those 50Mbps upload UFB plans have to be good for something, right?).

If backing up to a NAS, it is a very good idea to set up another shared folder and a separate user account on the NAS specifically for the backups to be saved to. Never ‘map’ this backup folder to My Computer, and your own user account should have read-only access to the folder. Hopefully we will be able to configure a UNC path and credentials within Veeam directly. This helps minimise exposure to ransomware or other malware which might scan your network for files to delete. I haven’t heard of anything doing this yet, but there is definitely malware out there which deletes or encrypts files on mapped network drives.

The first beta will be released in November, with the release scheduled for early 2015.


Next phase of UFB rollout for Greymouth

Chorus have updated their maps in the last week to show UFB is now available in more areas in Greymouth.
It is still unclear which ISPs will be providing UFB in Greymouth – Snap is probably your best bet currently for home and basic business use; DTS can do business connections and apparently HD are offering both residential and business connections. I assume Spark will also provide access here soon if they aren’t already. New fiber-only ISP MyRepublic looks interesting, but they said they need a few interested people to sign up at once before they would install the required equipment in Greymouth.

Darker blue showing UFB availability October 2014


Ultrafast broadband really changes the whole way we can think about how we use technology at home and business. At a ~50 user site, the changes we are looking at immediately once UFB is installed include:

    • Moving our email (Exchange) over to Office 365, instead of having to maintain an email server on-site
    • Using Windows Updates directly from Microsoft instead of caching them all on a server locally
    • Switching from a traditional web content filtering + caching solution to a fast, NGFW (Next-generation firewall) to reduce potential points of failure and bottleneck
    • Shifting more phone lines across to Voice over IP
    • Making more use of online backup services
    • Providing better remote access for staff wanting to work from home

Caution is also required going into the future. If your phone line is switched over to being provided through UFB instead of Chorus copper, you will lose phone access during power cuts. One thing that Telecom (Spark) have been fantastic at in the past is providing an incredibly reliable phone network, even in a power cut corded phones would still work, and even with a cable/fiber cut you were still able to at least call people locally.

Of course this is less important for some people these days with most people having cell phones, but we know from the Christchurch earthquake that cellphones a) also need power and b) get overloaded so can’t be relied upon.

The good news is that Spark currently aren’t requiring you to give up your landline, but this will change in the future. When it does change, make sure you buy a good quality UPS (uninterruptible power supply) which could at least keep your phone running for a few hours. Let’s hope that they come up with a good quality, affordable UPS at the time that Spark start switching people over.

 


Roomie Remote IP control for PJ-Link compatible projectors

We finally got our new Epson EB-4650 (unsure on exact model) projector connected to the network this week, allowing me to complete our Roomie Remote setup: controlling a projector, Marantz receiver, DVD and Freeview box.

EPSON Projector web interface

Although Roomie Remote had a one-size-fits-all Epson projector definition, I couldn’t get it working with IP control.

Knowing the projector supports PJ-Link, I set out to see how easy it would be to implement the well documented PJ-Link protocol in Roomie.

Without further ado:

  • Back up your Roomie settings to Dropbox
  • Download plistEditor Pro (it is either trialware or shareware)
  • Open the Dropbox\Roomie\RoomieCodes.plist file. If it doesn’t exist, create one
  • Add in the code below. We only need to switch between LAN and HDMI1, so I haven’t tested the other inputs, but feel free to tweak the Gist below.
  • Save, restore the settings from Dropbox into Roomie
  • Create a new device, entering the projector IP and PJ-link port 4352, select ‘Generic’ – ‘PJ-Link Compatible’


I’m not sure why PJ-Link isn’t included in Roomie, but until it is this should let you control a decent number of auditorium/installation projectors over IP.

We can now leave our four remotes in the drawer where they belong, instead able to use one touch actions to power up the devices and choose the right inputs – all from an iPod touch or iPad.

P.S. This will only work for projectors not requiring PJLink authentication, I didn’t look into seeing how to do that.
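The exchange a PJLink controller performs, including the authentication case the P.S. leaves out, as an added Python example (not the Gist from the original post). The HDMI1 and LAN input codes are assumptions (DIGITAL 1 = 31, NETWORK 1 = 51); input numbering varies by projector model.

```python
import hashlib
import socket

PJLINK_PORT = 4352  # port given in the post
# Assumed input codes: DIGITAL 1 and NETWORK 1. Numbering varies by model.
INPUTS = {"HDMI1": "31", "LAN": "51"}
ERRORS = {
    "ERR1": "undefined command",
    "ERR2": "parameter out of range",
    "ERR3": "unavailable at this time",
    "ERR4": "projector failure",
}


def parse_greeting(line):
    """Parse the line the projector sends on connect -> (auth_required, nonce)."""
    parts = line.strip().split(" ")
    if parts[:2] == ["PJLINK", "0"]:
        return False, None
    if parts[:2] == ["PJLINK", "1"] and len(parts) == 3:
        return True, parts[2]
    raise ValueError("not a PJLink greeting: %r" % line)


def build_command(body, param, nonce=None, password=None):
    """Frame a class 1 command; prefix the MD5 digest when a nonce was issued."""
    command = "%1{} {}\r".format(body, param)
    if nonce is None:
        return command
    if not password:
        raise ValueError("projector requires a password")
    digest = hashlib.md5((nonce + password).encode("utf-8")).hexdigest()
    return digest + command


def parse_response(line):
    """'%1POWR=OK' -> ('POWR', 'OK'); raise on ERRn or a failed login."""
    line = line.strip()
    if line.upper() == "PJLINK ERRA":
        raise PermissionError("authentication failed")
    if not line.startswith("%1") or "=" not in line:
        raise ValueError("malformed response: %r" % line)
    body, value = line[2:].split("=", 1)
    if value in ERRORS:
        raise RuntimeError("%s: %s" % (body, ERRORS[value]))
    return body, value


def _read_line(sock):
    """Read one carriage-return terminated line from the socket."""
    data = b""
    while not data.endswith(b"\r"):
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace")


def send(host, body, param, password=None, timeout=5.0):
    """Connect, answer the greeting, send one command, return the reply."""
    with socket.create_connection((host, PJLINK_PORT), timeout=timeout) as sock:
        _, nonce = parse_greeting(_read_line(sock))
        sock.sendall(build_command(body, param, nonce, password).encode("ascii"))
        return parse_response(_read_line(sock))


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address; replace with the projector's IP.
    print(send("192.0.2.10", "INPT", INPUTS["HDMI1"]))
```

Both modes run over plain TCP and the authenticated mode is only an MD5 challenge-response, so it is worth limiting port 4352 on the projector to the controller's address.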


Dynamics CRM TextaHQ SMS Integration

Over the past six months I’ve been developing a Student Management System based on Dynamics CRM 2011 for one of the new Trades Academies. I’ll talk about why we chose Dynamics CRM in a later post, but this post is about the integration I built with the TextaHQ SMS Messaging service.

TextaHQ was attractive for no monthly fees, low per message cost and a two way API allowing SMS replies. When replies come back the gateway sends the reply to a Callback URL allowing us to save the message straight into CRM. Not so great if your server goes down for a few hours, but it does mean we don’t have to be running a service to poll for new messages like some APIs.

I would love to have published this up into a nice how to guide but probably not going to have time to do that for a while, so I thought I’d code dump for now instead.

My solution consists of three parts: the SMS Message entity, the plug-in assemblies for sending the messages and an ASP.NET form to save the messages back into CRM.

SMS Message Entity

A new ‘activity’ entity named SMS Message

  • Add a field named characters remaining (see the Magnetism blog for how to implement the Javascript to count your characters remaining)
  • Add a field named sendernumber – this is where the sender number of mobile replies will be put
  • These are the status codes I am using:
    • Open
      • Draft (1) – Default Value
      • Failed (352,400,004)
    • Completed
      • Pending Send (352,400,002) – Default Value
      • Sent (352,400,000)
      • Delivered (352,400,006)
      • Received (352,400,001)
    • Cancelled
      • Cancelled (3) – Default Value
  • Setup the form – this is what mine looks like
    SMS Message Form

Plug-in Assemblies

Create a Web Resource called ‘smsconfig’ – an XML file. Format it like below with the URL and API key from your TextaHQ account:

<configuration>
<url>http://app.nz.textahq.com/api/sendSMS.php</url>
<key>123456789012345678901234567890</key>
</configuration>

 

Download the source code for the Dynamics CRM plug-in assemblies: SMS Messaging source code

There are four files in the source code –

Utilities.cs

Contains a (rather bad) phone number cleaning method; a method to read the url & key from the configuration XML file; code for querying the ‘smsconfig’ web resource and the code to post the message to the gateway

StatusCodes.cs

Contains the definitions of the statuscodes I defined above

SendSMS.cs

The code that should be triggered when the statuscode of the smsmessage entity is updated

It basically:

  • Checks if the status code is in the ‘Completed_Pending’ send state (user clicks ‘Save and Complete’ on the SMS Message activity)
  • Retrieves the needed data from fields, checks the message isn’t blank
  • If the regarding entity is a contact, sends the message to the contact
  • If the regarding entity is a course (you can delete this functionality if you like), it sends the message to all of the contacts enrolled in the course with a mobile phone
  • Updates the SMS Message record to the Completed – Sent status (or Open Failed if it doesn’t manage to send any messages)

We send the Guid of the contact the message is being sent to, as well as the Guid of the creator of the message, as user data to the TextaHQ API – this data is stored with the message and if a reply comes back the data is fed back to us. That allows us to assign the reply back to the original sender and set it regarding the correct contact.

SendSMSActivity.cs

This cool bit of code lets you send SMS messages from workflows! It takes the following parameters

  • Recipient number
  • Message
  • Regarding contact
  • User to assign replies to (system user/owner)

Then returns a MessageSent boolean to let you know if it sent or not.

In fact, if you wanted you could actually just register this workflow activity and forget about the SendSMS.cs – but I needed SendSMS.cs to allow me to send a SMS message to a whole course full of students.

(You would just setup a workflow to trigger when statuscode of sms message is set to completed – pending, then send SMS with the appropriate variables, then if it manages to send update the status code to completed – sent or open – failed)

Registering Plug-in assembly

Build the plug-in assemblies and register – this is what the step looks like for me for SendSMS.cs


Conclusion

You should now in theory be able to send SMS messages. I’ve added a ‘Save and Complete’ button to the toolbar for SMS Message activities, and renamed it ‘Send SMS’.

Sorry I don’t have time to tidy this up and write a proper instruction, but there are some other good posts online which I used to help me get this far.

I would have liked to implement party lists to allow sending to multiple contacts, but don’t really need it at this stage.

Hopefully you might find some useful code snippets that you can adapt for use in your project.
One day I might release it all packaged up as a solution!

I’ll post my SMS reply processing ASP.NET form soon to complete the puzzle.


Security Tip: Automatic application updates with Ninite

This isn’t a free tip, but works well for the networks I manage. One of the challenges for any Systems Administrator is keeping software up to date. I’m not so concerned about actually having the latest version of software so much as making sure if there are any security updates these are taken care of in a low effort way.

In your network documentation you should consider every application you have installed on your workstations and determine a software update strategy for each. Our Microsoft products are taken care of by Server Update Services, our Antivirus looks after itself and now we have Ninite for the rest.

If you haven’t come across Ninite before, it is a neat wee tool to install your favourite applications with a couple of clicks.

Ninite Pro adds some awesome features which allow this, such as a command line/silent mode, one touch software updates and caching software downloads. I subscribed to the $20/month plan for up to 100 computers.

There are lots of cool things you can do with the command line reference etc, but all I need is the update mode (which updates any of the Ninite supported software which you have installed on your computer), and to set it up to run on a regular basis. In my case, every time a computer is turned on.

Here is my standard configuration for Ninite

  1. Setup a service account with a secure password for Ninite in Active Directory and document the password in LastPass. It will require permissions to install software on your workstations.
  2. Setup a network share for Ninite and add permissions for the Ninite service account.
  3. Put your copy of NiniteOne.exe in the share and create a Logs folder
  4. Setup a Scheduled Task in Group Policy > Control Panel Settings > Scheduled Tasks
    1. Run whether the user is logged on or not, run tasks as your service account. Configure for Windows 7.
      Currently investigating a better option for this, as it requires storing the credentials for the Ninite service account in Group Policy, where they are easily accessible by malicious users.
    2. Triggers – At system startup. You may wish to delay task for 10 minutes, I have it running immediately.
    3. Actions – Start a program
      \\fileserver\Ninite$\NiniteOne.exe /silent \\fileserver\Ninite$\Logs\%ComputerName%.txt /updateonly /disableshortcuts
    4. Conditions – Start only if the computer is on AC power
  5. Test it out, when you restart your test workstation a log file should be created for the workstation in the Logs folder, and any software supported by Ninite should be updated and cached in the network folder for a quick install on other machines.
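The exposure noted in step 4.1 can be checked for: Group Policy Preferences write a stored task password into the policy's XML under SYSVOL as a `cpassword` attribute, and every domain user can read SYSVOL. This added Python example (not from the original post) lists such entries without decoding them; the sample XML and the `EXAMPLE\svc-ninite` account are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Attributes that name the account in the various Preferences XML files.
ACCOUNT_ATTRS = ("runAs", "userName", "accountName", "username")

# Constructed sample in the shape of a Preferences ScheduledTasks.xml.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <TaskV2 name="Ninite update">
    <Properties action="C" name="Ninite update" runAs="EXAMPLE\\svc-ninite"
                logonType="Password" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </TaskV2>
  <TaskV2 name="Cleanup">
    <Properties action="C" name="Cleanup" runAs="NT AUTHORITY\\System"
                logonType="S4U"/>
  </TaskV2>
</ScheduledTasks>"""


def find_gpp_credentials(xml_data, source="<memory>"):
    """Return one finding per element with a non-empty cpassword attribute."""
    root = ET.fromstring(xml_data)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.attrib.get("cpassword"):
            continue
        item = parents.get(elem, elem)
        account = next(
            (elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), ""
        )
        findings.append({
            "file": source,
            "item": item.attrib.get("name", item.tag),
            "account": account,
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy or UNC path and collect findings from every XML file."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            findings.extend(find_gpp_credentials(path.read_bytes(), str(path)))
        except (OSError, ET.ParseError):
            continue  # unreadable or non-XML file: nothing to report
    return findings


if __name__ == "__main__":
    # Pass a SYSVOL path as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        results = scan_sysvol(sys.argv[1])
    else:
        results = find_gpp_credentials(SAMPLE, "sample")
    for r in results:
        print("{file}: '{item}' stores a password for {account}".format(**r))
```

Any account reported here should have its password changed and the stored credential removed from the policy.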

 


Security Tip: Block Internet Explorer invocation of Java with Group Policy

Given the non-stop barrage of security vulnerabilities being found and exploited in Java, every Systems Administrator should disable Java for Internet Explorer or have a really good reason not to. (Don’t worry, we can still cater for you if you have specific sites that require Java!)

Unfortunately it is notoriously hard to do. Microsoft had a go but US CERT found Microsoft’s method didn’t block it completely. US CERT’s KB article provides a registry file which blocks the invocation of Java Web Start for non-trusted sites.

I’ve converted the registry file into xml files ready for importing into Group Policy registry preferences. You’ll need two, one in a user policy and one in a computer policy.
For your convenience you can download them below.

Please test before using at your own risk!

https://dl.dropbox.com/u/1683671/Group%20Policy/DisableJava_ComputerRegistry.xml

https://dl.dropbox.com/u/1683671/Group%20Policy/DisableJava_UserRegistry.xml

Then just add any business sites that require Java to your trusted sites list. If you want to do it through Group Policy check out Alan Burchill’s article on IE Site Zone mapping, but in my experience only a couple of people have needed sites with Java and I add them on a per-user basis.

This is a low effort, maximum gain security tip for your organisation (just make sure you test that it actually is disabling it as it should!)


Avaya SIP Trunking with 2talk New Zealand

SIP Trunking is a great option to lower the cost of your phone calls. We installed a new Avaya IP Office 500 phone system at the beginning of last year, so of course I was keen to get VoIP setup quickly through 2talk to cut the cost of calls going over our ISDN lines.

The Avaya system doesn’t seem to be particularly common in New Zealand so I couldn’t find much in the way of resources about setting up a SIP trunk on the IP 500.

A year on and we have used SIP Trunking with 2talk for the majority of our outgoing calls. Here is a configuration guide with the settings I’m using. If you know a better way of doing it, please let me know!

2talk & Firewall Configuration

Make sure your 2talk account is setup for SIP trunking, with your firewall configured to forward SIP traffic through to the phone system.
We are using the 2talk Plus SIP Trunking service (trunk.plus.2talk.co.nz, which uses the IP 27.111.14.66). This works great in that we can lock down the firewall to that one IP, helping prevent SIP fraud and spam.

Our firewall forwards the following traffic through to the phone system:

Source                                     Internal IP   Ports                Description
27.111.14.66/32 (trunk.plus.2talk.co.nz)   192.168.1.X   TCP 5060, UDP 5060   VoIP SIP
27.111.14.66/32                            192.168.1.X   UDP 49152 – 53246    VoIP RTP

IP Office Line Configuration

1. Fire up the IP Office Manager and add a new SIP Line to the line groups. Here are the settings I used:
(Note, leave the ITSP domain name as 2talk.co.nz if you aren’t using 2talk Plus)

2. Transport Tab

3. Under SIP URI, add at least a URI for your pilot number.
Click add, set the Local URI & Contact to your pilot 2talk number, such as, 03281XXXX.
Display name can be set to whatever you like, I have it set to Use Internal Data.

A sidenote on Line Groups

We have a bunch of ISDN & SIP channels. All of our lines are set to incoming group 0. ISDN lines are set to outgoing group 0, my pilot SIP URI is set to outgoing group 1, and the rest of the SIP URI’s are set to outgoing group 9.
This lets us route calls nicely – we want all incoming calls to be dealt with the same using Incoming Call Routing, so they all use the same group. Outgoing calls, by default I want to send those over VoIP, so our primary ARS puts outgoing calls over line group 1. Emergency calls, 0800 numbers etc, go over line group 0, ISDN.

Either add URIs in the same method for your other 2talk phone numbers, or if you are running IP Office 5.0 or higher you can setup a wildcard URI as pictured above to accept calls for any number.

5. Under the VoIP tab I have the call initiation timeout set to 2.

 

IP Office ARS Configuration

We have IP Office configured so we don’t have to dial any number to get an outside line – just dial the phone number straight away. This is possible because we use extension numbers starting with 7, and there are no local numbers in Christchurch beginning in 7. We also have the ISDN lines setup as a failover if VoIP is down.

To simplify things I would suggest one of the following: either get the users to dial a different prefix to make a call if it isn’t working normally, or set up an automatic failover to PSTN using two ARS routes as shown below.

User initiated manual failover

If you dial 9 to get out, set that shortcode to go over VoIP. Then, setup another short code ‘8N’ (or similar), which forces calls over a normal phone line, so if VoIP is down people can just dial 8 to get out instead of 9. This won’t be an option for some people though, so I’ll share our configuration below.

Automatic PSTN Failover

  1. Create two ARS routes called Main and PSTN
    1. For the main ARS (VoIP), see my earlier post, IP Office New Zealand Dial Plan
    2. For PSTN, set it up like this, with line group 0 being the outgoing line group of your PSTN or backup phone lines
    3. Setup the Out of Service Route on the Main ARS to go to the PSTN ARS plan.
  2. Setup the main outgoing call shortcode, i.e. ? to Dial to the VoIP ARS line group (i.e. 50)

Now, if VoIP stops working for whatever reason the calls will go out over PSTN. Unfortunately they will take longer to go through and there will be some horrible beeps in the process which I haven’t worked out how to disable yet!


Avaya IP Office New Zealand Dial Plan (ARS)

Here is the Avaya ARS dial plan we are using with our 2talk SIP trunk.

Please note the following:

  • Line group 0 is our PSTN group, you’ll see below emergency calls and Telecom service numbers are set to go over PSTN. Freephone numbers also go over PSTN because they are free.
  • 3XXXXXX & 9XXXXXX are to allow local Christchurch calls, see Telephone numbers in New Zealand to find out the prefixes you need to add to allow local calling in your region.
  • 00XN; is for international calls, XN is a wildcard for when a number isn’t recognized – but it will wait for the 4 second timeout before the call goes through.

Code          Telephone Number   Feature          Line Group Id
00XN;         ."@2talk.co.nz"    Dial             1
03XXXXXXX     ."@2talk.co.nz"    Dial             1
04XXXXXXX     ."@2talk.co.nz"    Dial             1
06XXXXXXX     ."@2talk.co.nz"    Dial             1
07XXXXXXX     ."@2talk.co.nz"    Dial             1
09XXXXXXX     ."@2talk.co.nz"    Dial             1
3XXXXXX       ."@2talk.co.nz"    Dial             1
9XXXXXX       ."@2talk.co.nz"    Dial             1
0800XXXXXX    .                  Dial             0
0508XXXXXX    .                  Dial             0
028XXXXXXXX   ."@2talk.co.nz"    Dial             1
1XX           .                  Dial Emergency   0
01X           .                  Dial             0
027XXXXXXX    ."@2talk.co.nz"    Dial             1
022XXXXXXX    ."@2talk.co.nz"    Dial             1
029XXXXXXX    ."@2talk.co.nz"    Dial             1
0210XXXXXXX   ."@2talk.co.nz"    Dial             1
0212XXXXXX    ."@2talk.co.nz"    Dial             1
021XXXXXX     ."@2talk.co.nz"    Dial             1
0211XXXXXX    ."@2talk.co.nz"    Dial             1
083XXX        .                  Dial             0
01XX          .                  Dial             0
XN            .                  Dial             0

Installing the SQL from SBS 2008 Premium alongside SBS 2003

Background: SBS 2003 Premium is running on one box. Performance is becoming poor due to increasing SQL demands, so we need to run it on a separate server. Can achieve this by purchasing A) SBS Workgroup 1 Processor Edition, or B) SBS 2008 Premium Edition & 25 CALs, (which entitles you to run SQL on a separate server) for about the same cost. But, I would prefer not to rebuild the SBS 2003 box at this stage.

After several hours of research I came across two opinions on whether we could buy SBS 2008 Premium, use the ‘second’ server part of it for a new server while leaving the existing server untouched.
