Thursday, 24 September 2015

Sign .pem certificate with Windows CA without WB using command line

  1. Run certreq -submit -attrib "CertificateTemplate:WebServer" "c:\path of the file"
  2. Select CA when asked, click OK
  3. After signing the certificate, you will be asked to choose path to save the cert.

Wednesday, 17 June 2015

Cannot start HP Event Notifier service

When this service works, then it's OK, it rather not hangs itself.
But sometimes, after servers patching and restarts it can just not want to start.
If you have monitoring solutions configured with use of HP Event Notifier then it can be important to track actual problem quickly.
From my experience problems with this service can be connected with two things:

  • wrong installation folder - which is not consistent with service settings and
  • SMTP connection failure.

So, check first, if when starting from cmd you will see some error information which could narrow the problem, and second : check connectivity with SMTP server from the server that cannot start CIMNotify service.
Maybe SMTP service on another server not responds or network guys block you SMTP port?

Friday, 10 April 2015

AD Powershell: Count AD Users with OU structure


In order to count users in specified OU's it is needed to create an empty matrix and add value any time that user account appears in the search loop.
I must admit that part of this script is borrowed from some other admin, but don't remember the link now.

In $filepath choose output file path, in Line 4 ($ou=) change searchbase filter to your root OU.
THANKS to David (see comments below-changes bold in the text), the script is little modified, to work better.

Import-Module ActiveDirectory
$outmatrix = @()
$ou=Get-ADOrganizationalUnit -searchbase "OU=RootOU, DC=Domain, DC=Com" -filter * -searchscope 1
foreach ($o in $ou)
{$count=@(Get-ADUser -searchbase $o -filter * |Where-Object {$_.enabled -eq "true"}).count

#Construct an object
        $matrix = "" | Select "ou", "count"
        $matrix.ou = $o
        $matrix.count = $count
        $outmatrix += $matrix
$matrix = $null
$outmatrix |export-csv $filepath -notypeinformation


Saturday, 10 January 2015

Benefits of migrating Workgroup to Active Directory domain

During making decisions about company's infrastructure decision-makers face the problem of managing users and equipment located in various locations. Users possess different knowledge about IT things, mainly adapted to their workplace environment. Software, hardware, operating systems, sometimes means nothing for them. Employees are part of departments that can work together or on the contrary - they should not be part of the team. To prevail on this diversity and to ensure an adequate level of security, Microsoft introduced Active Directory, which catalogs users data, computers, peripherals and allows for easier and automated management.
There are many companies which started their work on one or few computers, grew slowly and suddenly bloomed to be businesses with hundreds of users. On the other hand the IT environment was not changed accordingly to company needs. Computers was still the part of working group, being really just a collection of independent units. This made it difficult to manage them as a resources. In this article, I will present the differences between the working group and the Active Directory domain and the advantages of the latter solution.

What the Workgroup is?

This is a group of computers, which are working independently in the company, but can share some elements, like documents. They could work in the same physical network or in the other company's location. They are not managed centrally.


How the Workgroup works?

Typically, the company begins operations on several computers, which are not interrelated. Over time, their number is growing. They have different hardware and software configurations. Each user can do all on its own computer or administrator locks a person access to install programs on that particular computer.

Sharing in the workgroup

  • To share files or printers from another computer or server, you as an administrator or user must know the exact name of the other computer and its user
  • Sharing on the principles of group of users is very difficult and often impossible
  • If the user changes his computer, sharing must be set once again from the scratch

Benefits of the workgroup

  • Having only several computers, it's relatively easy to administer. Microsoft talks about the safe limit of 10 computers for the workgroup.
  • Workgroup does not require installation of additional hardware (server) and software (Windows Server) and has low maintenance costs

Disadvantages of the workgroup

  • Lack of central management and control over permissions which users possess
  • Any changes need to be made on each of the machines
  • No possibility of tracking the actions of users
  • Possibility of spreading of viruses when administrative privileges was granted on the computer 
  • Lack of automation of processes, e.g. Remote software installation
  • Lack of users mobility - documents stored on a single computer are not available to others without sharing, in case of computer crashes - they are lost
  • No possibility of blocking and tracing a person who stole the data
  • Obtaining data about other user is very limited, you cannot easily check his or her e-mail address or telephone number

The workgroup - more computers and users. What happens when a company already has dozens of computers in a workgroup?

  • Any change is made only on one computer at the same time - this means large administrative effort and time needed to change settings for a large number of machines = higher costs
  • Problems with security, for example no control over changing user passwords = low corporate data security
  • Difficult access to other computers by the same user - lack of central control over privileges

What the Active Directory is?

  • Windows Server operating system service,
  • The central database of objects - computers, users, groups, logon credentials, printers, network shares (shared folders with files),
  • The database can be replicated to branches in other locations using encrypted network connections,
  • It can be used to integrate with external systems in other businesses that rely on Active Directory, for example. SQL databases, file servers, mail servers, CRM systems, WEB servers,
  • It integrates with Exchange mail services and Exchange Online. For example you can use it to create an account that will be synchronized with the mail server,
  • Groups objects for one common domain.

Active Directory domain

  • All Computers share the same naming space called domain. A domain can be local one, acting only inside the company-internally, with the example name company.internal and recognizable from the Internet, for example.
  • Each computer within the same domain will have domain name in the same namespace

Active Directory domain structure

  • Active Directory has a tree structure with permissions flow down from the top to the bottom of the tree
  • Thanks to this structure, permissions assigned on a higher level will be applied at a lower level,
  • This access is of course adjustable, you can also stop inheriting permissions,
  • The domain is the inheritance border 
  • In the Active Directory database it can be only one domain
  • In can be used multiple domains within the same forest,
  • Forests can connect with each other to create the trusts.
                                               Active Directory domain in the forest
The administrator manages the domain, creates policies that govern the operation of computers, servers and printers, and control the permissions of computers, users, and groups.
Advantage: Centralized management of infrastructure allows you to automate processes and setting sets of standard actions by applying domain policies.

Trusts between Active Directory forests

Trusts between domain forests can create one-way and two-way relationships, depending on which forest should have access to the resources of the second one.
Advantage: You can use other company's data if the company has also implemented Active Directory.

Tree structure of the Active Directory forest:

  • allows for central configuration of the most important settings through the policy, ie. Windows settings, security level, access to the servers and computers,
  • allows the distribution of permissions by assigning the objects of computers, users, and groups to separate organizational units and groups,
  • enables remote installation on selected devices,
  • Inherited permissions allow the use of once prepared configuration for new objects,
  • by grouping objects in organizational units each department or business unit can use specific settings only for itself
                                                     Trust between Active Directory forests

Examples of Active Directory use:

  • change logon password for group of users,
  • blocking access for fired person,
  • automatically assigns a network printer for a selected group of users, eg. sales,
  • set Windows firewall settings centrally for the whole company or each department separately,
  • access to a shared folder on your network by mapping for a group of people, for example. Drive F: \ for the finance department,
  • roaming profiles -  user data kept on the server that follow the user regardless of the computer,
  • VPN - access from outside the company to file resources granted under the user name,
  • Documents and Desktop folder redirection - keeping user data on the server. Files from the desktop and documents folders can be kept on the server and connected to the user's session automatically when he or she logs in to computer,
  • automatic installation of the software,
  • using Active Directory credentials in other systems based on AD authentication, for example. SQL Server, CRM applications, file systems,,
  • block access to USB devices,
  • tracking attempts of unauthorized access,
  • centralized management of the Windows operating system updates,
  • adaptation of Internet Explorer, for example adding selected sites to the trusted zone,
  • one login  - use the same Windows login to view e-mail in Outlook,
  • regulate access to the corporate network computers - allowing or blocking based on rules such. computers without current anti-virus updates should not be able to connect.

Migration of workgroup to Active Directory domain - general requirements:

  • installation of the server with Windows Server operating system and promote it to a domain controller
  • users computers with one of the operating systems: Windows XP Professional, Windows Vista Business, Windows 7 Professional, Windows8, Windows 8.1,
  • add computers to the domain,
  • create domain user accounts,
  • migrate user profiles from the local workgroup to the domain on all computers added to the domain.


The implementation of Active Directory has many advantages compared to the use of the workgroup. Thanks to the AD domain, the company can more accurately and securely manage its IT environment, adjust the operational requirements, plan and make changes to a much greater pace.