O R G A N I C / F E R T I L I Z E R: 01.10

Jan 27, 2010

using repeat count to detect a problem in a window of time

i realized when someone asked me how to do this that i was totally remiss about posting it.

for the purpose of this exercise, i’m going to walk you through creating an event monitor which will check if a high number (subjective) of bad attempts to logon is detected within a finite period of time.  so follow along… it’s much easier in opsmgr than mom 2005 (as i described in this much earlier blog post.)

here are the steps:

  • create a monitor / unit monitor
  • windows events / repeated event detection

at this point, you have three choices: manual, timer, and windows event reset.  choose the one most appropriate for the situation.  i chose the timer.

  • name it “OH MY GOD!  SOMEONE IS TRYING TO HACK ME!” or something else equally shocking! ;)
  • target your windows domain controller or whichever group makes sense for you
  • i put the rule under the parent monitor of security
  • set the event log name to “Security” and move along
  • in the following area, i specified these values:
    • Event ID Equals 529
    • Event Source Equals Security
    • Parameter 1 (leave it blank if you don't want to specify anything, otherwise, provide a filter that works for you)
    • Parameter 2 Equals “myDomain”


parameter 2 helps cut out some of the chatter from local security context.

  • on the repeat settings tab, i specified the following:
    • Trigger on count, sliding – compare 20
    • Interval – 30 minutes



this is basically stating that if within 30 minutes, i receive the same event 20 times or more, flip this switch.

  • for the auto reset timer, i specified 3 minutes.  all these values you’ll want to slide around to make it work in your environment.




that’s all there is to it.  you can use these sliding window concept to anything else such as chatty script error problems (which kevin will chastise you publicly if you admit to doing this) or repeating indications in a log file of a problem, for instance.  have fun with it.

Jan 26, 2010

how to synchronize sticky notes in windows 7

do you like sticky notes?  when i heard about it, the concept seemed pretty hokey to me.  there are an assortment of ways to capture notes on the desktop.  notepad, remember the milk, outlook, etc.  i thought i’d give it a try to see if i could capture random, short-lived things that you tend to quickly forget.

imageas it turns out, it worked – and i’m hooked.  i don’t just like sticky notes, i love sticky notes.  i keep notes for new music i want to explore later, short errands to run, and topics i want to look further Live_Mesh[1]into later.

the one short coming is that i can’t sync the notes.  i’m sure there are an assortment of ways to making this magic happen, but i decided to use a service i’ve been using for awhile: live mesh.

now really, all you have to know is the path where sticky notes keeps all its information:

C:\Users\<your user profile name>\AppData\Roaming\Microsoft\Sticky Notes


there’s a file called stickynotes.snt.  when synchronized, this file carries all the information from your sticky notes “environment” so to speak.  here’s what you need to do:mesh1_web[1]

  1. install live mesh on all computers where sticky notes synchronization needs to take place.
  2. on the first computer, navigate to the path noted above and choose “add folder to live mesh”.
  3. on the other computers, open up the live mesh program.
  4. in the news feed, locate where you created the live mesh folder.
  5. when you click the folder, it’ll ask to set the synchronization on the computer.  locate the path noted above and insert that as the “location”.

Jan 22, 2010

list domain controller site information with powershell

just a small follow up to a post i did about listing domain controllers with powershell.


to start, let’s grab the forest.

$myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()


just for fun, we’ll look at the domains of the forest.



let’s look at all the available sites of the forest.



this will output the domain controllers and the sites they belong to.  this is akin to using nltest /dclist:mydomain.

$myforest.Sites | % { $_.Servers }


might as well know the subnets of those sites, right?

$myforest.Sites | % { $_.Subnets }

Jan 19, 2010

enabling ntlm authentication with firefox

yet another miscellaneous post.  i had no idea it was even possible until a friend sent me some instructions.  it’s quite simple.  here’s the run down:

  • in the address bar, type about:config.  hit enter and swear your life away that you are legitimately smart enough not to break anything.



  • in the filter bar, type network.automatic-ntlm-auth.trusted-uris.



  • double-click the result.  a dialog box will prompt you for a string value.
  • enter your ntlm domain with a preceeding dot.



  • click ok.
  • you’re done!  no restart required!


thanks for the heads up trent.

using psexec to launch processes that survive logoff/logon …

i was reading russinovich’s blog this morning searching for a particular issue and ran across these two gems on how to run an application to survive the logoff/logon sequence.  keep in mind that later operating systems utilize session 0 isolation and requires specifying the session number.


for windows xp and prior operating systems:

psexec –sid <path>\procmon.exe


for later operating systems:

psexec –sd –i 0 <path>\procmon.exe




for reference, the switches resolve to the following:

  • s – run the remote process in the system account
  • i – run interactive (console if no session is specified)
  • d – don’t wait for process to terminate (non-interactive)

Jan 15, 2010

cumulative update 1 for operations manager 2007 r2 released

this is hot off the presses.  the cumulative update 1 is now out for r2.  get testing – or if you have been testing – get deploying.  though the kb article is not published just yet, it will be shortly.

here are the links:


here’s a run down from the article of some of the changes:

  • The Product Knowledge tab is displayed as the Company Knowledge tab after you import a language pack for System Center Operations Manager 2007 R2.
  • An agent cannot be removed successfully from a Windows Cluster service node.
  • The Heathservice.exe process on a Windows Cluster service passive node may have excessive CPU utilization.
  • The Healthservice.exe process may crash when it uses the OLE DB module.
  • The workflows that use the OLE DB data source may unload themselves if the underlying provider returns a null string or an empty string.
  • An instance of the MonitoringHost.exe process may cause a memory leak in nonpaged pool memory.
  • The notification subscriptions do not work if they are configured to parse a CustomField field or an AlertOwner field. – you’re darn tootin’.  it’s about time!
  • The Operations console loses the status as the current object that is in focus when a search filter is applied.
  • The SRSUpdateTool.exe process returns an error that states “Failed while updating registry entry for reporting code MSI component” when you try to upgrade SQL Reporting Services 2005 to SQL Reporting Services 2008.
  • The Operations Manager UI may crash when the Connector column and the Forwarding Status column are added to an Alert view.
  • The agents may re-process old Windows event log entries and then incorrectly generate alerts for these events that are not new.
  • Health state reliability fixes and improvements.
  • The Operations Manager Audit Collection Service (ADTServer.exe) does not start on an ACS Collector if the operating system is upgraded to Windows Server 2008 R2.
  • In a performance report that is exported, the list of object instances is not displayed.

updated: added more links and details.

Jan 12, 2010

multiple-step ole db operation generated errors

i wrote a script awhile back to gather some metrics for tracking ad objects to softgrid clients.  i kept getting some very strange execution behaviors each time i ran it, generating the following error:

Retrieving AD computer objects newer than: 12/6/2009 10:32:55 AM
myscript.vbs(149, 2) Microsoft OLE DB Provider for SQL Server: Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done.


when looking closely at this problem, it turned out that this execution error was happening at the call for retrieving a sms report.  this is the block of code where it was failing.  i noted in red the line where the execution bombs out.

Set oConnection = CreateObject("ADODB.Connection")
Set oRecordSet = CreateObject("ADODB.Recordset")

oConnection.Open("Provider=SQLOLEDB;Data Source=myServer;Trusted_Connection=Yes;Initial Catalog=SMS_XYZ;")
oRecordSet.Open "webreport_approle.wrspSMS00179",oConnection, 3,3

While Not oRecordSet.EOF
iPatchMissing = oRecordSet(0)
iPatchInstalled = oRecordSet(1)
iPatchSaturation = oRecordSet(2)



this shouldn’t be a problem, but as it turns out, this particular report queries against add/remove programs.  as such, the table can be crazy large which means queries can be crazy slow, especially for wildcard searches with like operators.  though, as long as you don’t go above the default timeout, you’ll probably never encounter this error.

the default timeout of the ado connection object is 15 seconds.  i wish i had known this before.  all that’s required is one small update (a single line) to this script and the execution occurs properly.  here’s the revised code snippet.

oConnection.Open("Provider=SQLOLEDB;Data Source=myServer;Trusted_Connection=Yes;Initial Catalog=SMS_XYZ;")
oConnection.CommandTimeout = 120
oRecordSet.Open "webreport_approle.wrspSMS00179",oConnection, 3,3


and now we’re good!


additional information:

Jan 6, 2010

listing the group membership of a computer in opsmgr [part 2]

yesterday, i posted an entry about retrieving a computer’s membership through a very backwards way that i cobbled together.  after talking to pete zerger for a little while, i started poking into how to make boris’ script work.  it was initially only pulling back two groups for me.

well, i managed to increase that count to six.  however, my output and boris’ still doesn’t match up.  it could be an incorrect root class, i’m using.  either way, i wanted to post it to see if you guys could direct me to a better solution.  who knows?

since you can’t seem to use an abstract class directly in boris’ script, i modified it a bit to first get the abstract class object using get-monitoringobject and then pull out the objects into an array.  afterwards, that array is fed into the get-monitoringclass cmdlet.  at that point, we should have a pretty good set of objects we can use.

those objects are sent back down the pipe to get-monitoringobject using the criteria of $computerFQDN to create a new array called $subClasses.  that array is sent down the pipe to finally run the lines in boris’ script that handles getting the related objects of $computerFQDN.

take a look over it if you have a chance, and let me know what you see.  here’s some sample output of a domain controller using my script and the edited boris script:

my script -

Agent Managed Computer Group
All Windows Computers
Windows Server 2003 Computer Group
Windows Server Computer Group
Windows Server Instances Group


edited boris script -

AD Domain Controller Group (Windows 2003 Server)
Windows Server Instances Group
Windows Server Instances Only Group


so you see?  holes.  everywhere.  more playing to do later.  here’s the script:


$ErrorActionPreference = "SilentlyContinue"

function GetGroupNames($computerFQDN)
$containmentRel = Get-RelationshipClass -name:'Microsoft.SystemCenter.InstanceGroupContainsEntities'
$abstractClass = Get-MonitoringClass -name:"Microsoft.Windows.ComputerRole"

$subObjects = Get-MonitoringObject -monitoringClass:$abstractClass
$subObjects = $subObjects | ForEach-Object {
} | Sort-Object -Unique

$subObjects | ForEach-Object {
$subObjects += Get-MonitoringClass -name:$_

$criteria = [string]::Format("Path = '{0}'",$computerFQDN)

$subObjects | ForEach-Object {
$subClasses += Get-MonitoringObject -MonitoringClass:$_ -Criteria:$criteria

$subClasses | ForEach-Object {
$relatedObjects += $_.GetMonitoringRelationshipObjectsWhereTarget($containmentRel,`

foreach($group in ($relatedObjects | Sort-Object SourceMonitoringObject -Unique))


GetGroupNames $computerFQDN

Jan 5, 2010

listing the group membership of a computer in opsmgr

inside of operations manager, groups are utilized in a variety of ways.  at the core of a group, the definition is still the same.  you use it to “group” things together.  you can use groups to define the membership of console scopes, notifications, overrides, views, etc.

since it’s heavily utilized in operations manager, sometimes, you’ll want a way to get that information back out.  a friend on twitter asked the question if it was possible to retrieve the membership list of all groups a computer belongs to.  to begin with, the boris yanushpolsky blogged about doing this very thing over 2 years ago.

by then, i was well into writing my own little thing.  anyway, it’s a work in progress.  i don’t know if it’s actually working as designed yet but so far it appears to be pulling back the expected groups of the one computer name i have tested it with.  if you’d like to give it a go, here’s the script:

param (

# Function
function GetOpsMgrGroups {

Write-Host "`nRetrieving groups for $myComputer..."
$myGroups = Get-MonitoringObject | Where-Object {
$_ -like "*group*" -or $_.pathname -like "*group*"
} | Sort-Object -Unique

$myGroups | ForEach-Object {
$myCounter = 0
$myCurrentGroup = $_.displayname
$_.GetRelatedMonitoringObjects() | ForEach-Object {
if ($_.displayname -like "*$myComputer*") {
if ($myCounter -eq 0) {
Write-Host " $myCurrentGroup"
$myCounter += 1


GetOpsMgrGroups ($myComputer)

just run it with one parameter – the computer you’re interested in.  if you don’t have the opsmgr console loaded but want to use opsmgr scripts, follow the advice in this blog post.

while i’m at it, i ran across this post this morning which will speed up your slow tab expansions in the opsmgr command shell. 


drop some comments!  interested in hearing if this works for you.