ORGANIC / FERTILIZER: 2013

Dec 30, 2013

top 20 posts of 2013

these posts represent the most visited pages of 2013. i realize the year is not yet closed… but no one is in the office if our office is any indication. :)

  1. understanding the “ad op master is inconsistent” alert
  2. sccm: content hash fails to match
  3. how to retrieve your ip address with powershell...
  4. how to use dropbox to synchronize windows 7 sticky notes
  5. sccm: client stuck downloading package with bit .tmp files in cache directory
  6. executing batch files remotely with psexec …
  7. sccm: custom data discovery records (DDRs) using powershell
  8. using preloadpkgonsite.exe to stage compressed copies to child site distribution points
  9. sccm: integrating dell warranty data into configmgr
  10. search programs and files no longer works in windows 7 (only shows headers)
  11. "get computer/ip status" activity throws raw socket error
  12. sccm clients fail to apply a policy
  13. list active directory subnets with powershell
  14. dsmod bug when using the –c option?
  15. using repeat count to detect a problem in a window of time
  16. using powershell to list active directory trusts
  17. list domain controllers with powershell
  18. sccm: the required permissions for creating collections
  19. sccm: computers with names greater than 15 characters
  20. scom: overloading the consolidation module (and how to avoid it)

maybe my next post will be how to create this list from analytics. ;-)

Nov 7, 2013

improvements to finding things close to you

I am a fountain of technical terms, I know.

in my opinion, one of the most convenient things about active directory is the ability to locate stuff. I don’t mean searching through the directory to find an object exactly. more so, I’m referring to how you can locate things like a DFS server or a domain controller without thinking about it. I don’t have to select which DC I want to use to authenticate me, for example.

if you spend any amount of time managing your active directory sites, you probably want to maximize your return on that work. managing sites means managing the site containers and objects. for instance, managing the subnets assigned to sites or the costs associated with site links would be an administrative task you might perform.

if all you did was manage the subnets associated with sites, you would get the immediate benefit of clients knowing where to go to get services, but what happens if where they were going is no longer available? well, in the DFS or AD scenario, they would grab something else – randomly.

wow. random. that doesn’t seem beneficial at all. in truth, it’s not. you don’t want your client who was talking to the dfs server next to them in idaho suddenly start talking to one in ireland. clearly this was understood as there were changes in both DFS (version 2003) and AD (version 2008) to address this specific concern.


distributed file system

the behavior in dfs is referred to as least expensive targeting (otherwise known as site-costing) and described below:

If you create a stand-alone or domain-based DFS root on a server running Windows Server 2003, and the domain controller acting as the Intersite Topology Generator (ISTG) is also running Windows Server 2003, you can use the /SiteCosting parameter in Dfsutil.exe to enable DFS to choose an alternate target based on connection cost if no same-site targets are available.

Windows Server 2003 uses the site and costing information in Active Directory to determine whether sites are linked by inexpensive, high-speed links or by expensive wide area network (WAN) links.


active directory

for AD, this is the try next closest site setting, described below:

If you have a domain controller that runs Windows Server 2008 or Windows Server 2008 R2, you can make it possible for client computers that run Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 to locate domain controllers more efficiently by enabling the Try Next Closest Site Group Policy setting. This setting improves the Domain Controller Locator (DC Locator) by helping to streamline network traffic, especially in large enterprises that have many branch offices and sites.

This new setting can affect how you configure site link costs because it affects the order in which domain controllers are located. For enterprises that have many hub sites and branch offices, you can significantly reduce Active Directory traffic on the network by ensuring that clients fail over to the next closest hub site when they cannot find a domain controller in the closest hub site.


implementing these changes means that when your client can’t access what’s in their site, they will intelligently use services at a location that is closest to them. so that person in idaho? instead of ireland, they might go to iowa.

this is stuff that’s been around for a while but often overlooked. there’s plenty of information on it though. if you haven’t done this yet, it might be something to think about.

Oct 29, 2013

loading up powershell 4.0 on windows 8.1

short answer is, you can't. it already comes with it. you can easily identify this problem by attempting to execute the windows management framework 4.0 installation. the error message you receive looks like this:

image

make sure you read the system requirements closely! as keith hill's blog post points out, you want to make sure you have .net 4.5 installed.

i believe error code 0x80096002 loosely translates to ... "you are a dummy, marcus."

Oct 1, 2013

MVP AWARD 10TH YEAR

i figured it was worthy of raising the CAPS. ;-) my first thought was… wow, i’m getting so old. i am thrilled and honored to be presented with this award again. i have a real privilege. aside from working with microsoft – talking to program managers, developers, leads -- i also have the distinct privilege of working with some of the best talent in system center. 10 years. wow.

if you’re reading this, i hope we’ve had the opportunity to interact – in real life or virtual life. i hope through my blog, user group, forum, or some other type of exchange, i’ve been able to help you in some way (and most likely vice versa.)

anyway, check it out. here’s my recognition letter:

It is with great pride we announce that Marcus Oh has been awarded as a Microsoft® Most Valuable Professional (MVP) for 10/1/2013 - 10/1/2014. The Microsoft MVP Award is an annual award that recognizes exceptional technology community leaders worldwide who actively share their high quality, real world expertise with users and Microsoft. All of us at Microsoft recognize and appreciate Marcus’s extraordinary contributions and want to take this opportunity to share our appreciation with you.

With fewer than 5,000 awardees worldwide, Microsoft MVPs represent a highly select group of experts. MVPs share a deep commitment to community and a willingness to help others. They represent the diversity of today’s technical communities. MVPs are present in over 90 countries, spanning more than 30 languages, and over 70 Microsoft technologies. MVPs share a passion for technology, a willingness to help others, and a commitment to community. These are the qualities that make MVPs exceptional community leaders. MVPs’ efforts enhance people’s lives and contribute to our industry’s success in many ways. By sharing their knowledge and experiences, and providing objective feedback, they help people solve problems and discover new capabilities every day. MVPs are technology’s best and brightest, and we are honored to welcome Marcus as one of them.

To recognize the contributions they make, MVPs from around the world have the opportunity to meet Microsoft executives, network with peers, and position themselves as technical community leaders. This is accomplished through speaking engagements, one on one customer event participation and technical content development. MVPs also receive early access to technology through a variety of programs offered by Microsoft, which keeps them on the cutting edge of the software and hardware industry.

As a recipient of this year’s Microsoft MVP award, Marcus joins an exceptional group of individuals from around the world who have demonstrated a willingness to reach out, share their technical expertise with others and help individuals maximize their use of technology.

Sep 27, 2013

system center orchestrator 2012 unleashed

i completely forgot to blog about this on its release. you’ve probably already seen all my hassling about it on linkedin or twitter already so this is old news anyway, right? :)

the orchestrator book is finally released. it’s available on amazon in both paperback and kindle edition. if you don’t know orchestrator yet, it’s time to learn. it’s pretty neat stuff. quite happy it’s finally out!

here’s a complete description:

Using System Center 2012 Orchestrator, you can capture and document processes across your entire IT organization, establishing the automation you need to deliver advanced cloud services and self-adjusting computing resources.

Authored by five leading System Center experts, this comprehensive reference and technical guide brings together all the knowledge you’ll need to architect, install, implement, integrate, and maximize the value of your own Orchestrator solutions. The authors introduce current best practices based on large-scale enterprise implementations they’ve personally led or participated in.

This up-to-date guide shows how to apply Orchestrator’s major improvements to implement IT process automation in any environment, including private clouds. You’ll start with context: what Orchestrator does, how it has evolved, how it works, and essential architecture and design techniques. Next, the authors help you make crucial up-front decisions about activities, runbooks, security, and administration. Finally, you’ll find expert guidance for integrating Orchestrator with the rest of System Center and with Windows Azure cloud services—including advanced automated workflows that encompass both data center and cloud.

Detailed information on how to…

  • Understand System Center 2012 Orchestrator’s capabilities, evolution, architecture, and design, including SP1 improvements and R2
  • Successfully install System Center 2012 Orchestrator and migrate smoothly from Opalis Integration Server 6.3
  • Take full advantage of Orchestrator’s advanced new runbook automation capabilities
  • Configure activities associated with runbook control, systems, scheduling, monitoring, files, email, notification, and data handling
  • Design runbooks for fault tolerance and optimal performance
  • Enforce strong security using roles, permissions, and auditing
  • Deliver integration capabilities for Operations Manager, Service Manager, Configuration Manager, Virtual Machine Manager, and Data Protection Manager
  • Automate end-to-end data center/cloud workflows with integration packs and PowerShell
  • Create your own integration packs with Orchestrator Integration Toolkit (OIT.SDK)
  • Support Orchestrator 2012, troubleshoot problems, and discover the best web and third-party resources

Sep 24, 2013

PowerShell: Accessing the Clipboard

Every time I do something in PowerShell, I find something else new to love. I’m pretty familiar with using “mycommand | clip” to send something directly to the clipboard. Found out that retrieving stuff from the clipboard is almost as easy:

> Add-Type -AssemblyName System.Windows.Forms   # the Clipboard class lives here; not loaded by default in the console
> Write-Output "crap" | clip
> [System.Windows.Forms.Clipboard]::GetText()
  crap


UPDATE: Added the below statement because I run into this constantly when working with arrays. This splits your array on whitespaces.

$myVar -split '\s+'

Thank you to PowerShelladmin.com for this goodness on split operators.

Sep 12, 2013

orchestrator: ftp integration pack error

i was recently assigned some work that required automating some ftp tasks. i thought what a perfect opportunity to try out the ftp integration pack (IP) in orchestrator! after configuring the ftp options, i tried to use one of the activities and hit a problem: failed to initialize configuration object.

image


YOU DON’T HAVE TO READ THIS PART

i don’t normally look at stack traces and know what the hell is going on so i immediately went to my crutch and started searching the entire world of knowledge and finally landed on this post describing the exact same problem. in the end, the original poster (OP) fixed the issue by uninstalling all of his IPs and reinstalling them. that seemed like total crap to me so i dismissed it and forgot about it until yesterday when i found some time to really look at this problem.


(OR THIS) THE ANALYSIS

i had two environments to work with, both not working. the first thing i tried was the OP’s fix. i uninstalled everything and reinstalled the ftp IP. it worked. miraculous. well, now that i had one working environment, i ran some directory comparisons followed up by file version comparisons. everything matched up. nauseating.

after that came up empty, i took a comparison of the ftp installation log that gets generated when deploying the IP. after poring over the working and broken deployment logs, i came across what appeared to be the most valid problem in the broken deployment.

MSI (s) (5C:80) [18:52:25:455]: skipping installation of assembly component: {E62B04EA-3903-4E06-B59E-D59C65E4E993} since the assembly already exists
MSI (s) (5C:80) [18:52:25:455]: skipping installation of assembly component: {EC4186F1-7361-4BDE-94CD-977F7423BD4C} since the assembly already exists
MSI (s) (5C:80) [18:52:25:455]: skipping installation of assembly component: {359797A9-050F-48EA-9E50-8B293510AB2D} since the assembly already exists

when compared to the working deployment, i couldn’t find these lines. that was the giveaway. i searched for the GUIDs in the broken deployment logs and was able to locate the lines that detailed the exact assembly components. here’s an example:

Line 853: MSI (s) (DC:44) [17:58:12:205]: Executing op: AssemblyCopy(SourceName=6zp65wgq.dll|Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core.dll,SourceCabKey=OITFrameworkCore.B2E2426B_5261_46EB_A61F_C536FB02167D,DestName=Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core.dll,Attributes=512,FileSize=51040,PerTick=65536,,VerifyMedia=1,,,,,ComponentId={E62B04EA-3903-4E06-B59E-D59C65E4E993},IsManifest=1,,,AssemblyMode=0,)
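as an added example (my own script, not anything shipped with orchestrator), here is the log comparison above done mechanically in python: it pulls the component guids out of the “skipping installation” lines, correlates each guid with the AssemblyCopy op that names the dll, and lists the guids that appear only in the broken log. the sample log is constructed from the lines quoted above plus one made-up AssemblyCopy line for the second guid, so one of the three guids stays unresolved on purpose.

```python
"""Correlate MSI verbose-log lines: which assembly components were skipped
because "the assembly already exists", and which DLL each GUID belongs to.
Added example, not the post's code. The sample log is constructed from the
lines quoted in the post plus one made-up AssemblyCopy line."""
import re
from typing import Dict, List, Optional

# Constructed sample log. The three "skipping" lines and the first AssemblyCopy
# line are the ones quoted in the post; the second AssemblyCopy line is made up
# so that two of the three GUIDs resolve and one stays unresolved.
BROKEN_LOG = """\
MSI (s) (5C:80) [18:52:25:455]: skipping installation of assembly component: {E62B04EA-3903-4E06-B59E-D59C65E4E993} since the assembly already exists
MSI (s) (5C:80) [18:52:25:455]: skipping installation of assembly component: {EC4186F1-7361-4BDE-94CD-977F7423BD4C} since the assembly already exists
MSI (s) (5C:80) [18:52:25:455]: skipping installation of assembly component: {359797A9-050F-48EA-9E50-8B293510AB2D} since the assembly already exists
MSI (s) (DC:44) [17:58:12:205]: Executing op: AssemblyCopy(SourceName=6zp65wgq.dll|Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core.dll,SourceCabKey=OITFrameworkCore.B2E2426B_5261_46EB_A61F_C536FB02167D,DestName=Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core.dll,Attributes=512,FileSize=51040,PerTick=65536,,VerifyMedia=1,,,,,ComponentId={E62B04EA-3903-4E06-B59E-D59C65E4E993},IsManifest=1,,,AssemblyMode=0,)
MSI (s) (DC:44) [17:58:12:300]: Executing op: AssemblyCopy(SourceName=madeup01.dll|Microsoft.SystemCenter.Orchestrator.Integration.Framework.dll,SourceCabKey=CONSTRUCTED,DestName=Microsoft.SystemCenter.Orchestrator.Integration.Framework.dll,Attributes=512,FileSize=1,PerTick=65536,,VerifyMedia=1,,,,,ComponentId={EC4186F1-7361-4BDE-94CD-977F7423BD4C},IsManifest=1,,,AssemblyMode=0,)
"""

# Per the post, the working deployment log had no "skipping installation" lines.
WORKING_LOG = ""

SKIP_RE = re.compile(
    r"skipping installation of assembly component: \{([0-9A-Fa-f-]{36})\} "
    r"since the assembly already exists")
COPY_RE = re.compile(r"Executing op: AssemblyCopy\((.*)\)\s*$")


def skipped_components(log_text: str) -> List[str]:
    """GUIDs (uppercase, no braces) of components the installer refused to overwrite."""
    found: List[str] = []
    for line in log_text.splitlines():
        m = SKIP_RE.search(line)
        if m:
            found.append(m.group(1).upper())
    return found


def parse_op_args(arg_text: str) -> Dict[str, str]:
    """Split 'Key=Value,Key=Value,,,' into a dict; empty positional slots are dropped."""
    out: Dict[str, str] = {}
    for part in arg_text.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key] = value
    return out


def assembly_copies(log_text: str) -> Dict[str, str]:
    """Map ComponentId GUID -> DestName for every AssemblyCopy op in the log."""
    mapping: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = COPY_RE.search(line)
        if not m:
            continue
        args = parse_op_args(m.group(1))
        component = args.get("ComponentId", "").strip("{}").upper()
        if component and "DestName" in args:
            mapping[component] = args["DestName"]
    return mapping


def resolve_skipped(log_text: str) -> Dict[str, Optional[str]]:
    """Skipped GUID -> DLL name, or None when no AssemblyCopy op names that GUID."""
    copies = assembly_copies(log_text)
    return {guid: copies.get(guid) for guid in skipped_components(log_text)}


def skips_only_in(broken_log: str, working_log: str) -> List[str]:
    """GUIDs skipped in the broken deployment but not in the working one."""
    good = set(skipped_components(working_log))
    return [g for g in skipped_components(broken_log) if g not in good]


if __name__ == "__main__":
    for guid, dll in resolve_skipped(BROKEN_LOG).items():
        print(f"{guid}  ->  {dll or '(no AssemblyCopy op found; check the full log)'}")
    print("only in broken log:", skips_only_in(BROKEN_LOG, WORKING_LOG))
```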


by the way, if you’re interested, here’s the log location and name:

location: <program files>\common files\microsoft system center 2012\orchestrator\management server\components\logs
filename: 20130912122320952_{F5D3B6E7-3286-487D-BE06-27A0D69AC367}.log

i was able to trace the original installation of these assemblies back to the exchange mail IP available on codeplex. that alone doesn’t prove anything, but it showed up in every environment that had the same problem.


THE FIX

the assembly components and filenames mapped as indicated below. the directories all start at <windir>\assembly\gac_msil.

guid / assembly / directory:

E62B04EA-3903-4E06-B59E-D59C65E4E993
  assembly:  Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core.dll
  directory: Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core\7.0.0.0__31bf3856ad364e35

EC4186F1-7361-4BDE-94CD-977F7423BD4C
  assembly:  Microsoft.SystemCenter.Orchestrator.Integration.Framework.dll
  directory: Microsoft.SystemCenter.Orchestrator.Integration.Framework\7.0.0.0__31bf3856ad364e35

359797A9-050F-48EA-9E50-8B293510AB2D
  assembly:  Microsoft.SystemCenter.Orchestrator.Integration.dll
  directory: Microsoft.SystemCenter.Orchestrator.Integration\7.0.0.0__31bf3856ad364e35


please exercise caution and test this in your own environment since this is completely unsupported. also, the safest method is to follow what the OP suggested and uninstall all IPs and reinstall them. this works because it removes the assemblies that the ftp IP installation will not overwrite.

  • uninstall the ftp integration pack. do this first to clear the path of the installation that will happen after dealing with the assemblies.
  • unregister the assemblies. this requires the use of regasm which is in your .net framework directory. i found mine under <windir>\microsoft.net\framework\v4.0.30319. with administrative credentials, run regasm. it should look pretty similar to the following:

    regasm /u "C:\windows\assembly\GAC_MSIL\Microsoft.SystemCenter.Orchestrator.Integration\7.0.0.0__31bf3856ad364e35\Microsoft.SystemCenter.Orchestrator.Integration.dll"
    regasm /u "C:\windows\assembly\GAC_MSIL\Microsoft.SystemCenter.Orchestrator.Integration.Framework\7.0.0.0__31bf3856ad364e35\Microsoft.SystemCenter.Orchestrator.Integration.Framework.dll"
    regasm /u "C:\windows\assembly\GAC_MSIL\Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core\7.0.0.0__31bf3856ad364e35\Microsoft.SystemCenter.Orchestrator.Integration.Framework.Core.dll"

  • delete the assemblies. now that they are unregistered, delete the assemblies in the table above. trying to install over them after unregistering doesn’t seem to work since the installer still detects they exist.
  • reinstall the ftp integration pack. at this point, reinstall the IP. if you look at the deployment log, you should no longer see the “skipping installation” lines mentioned earlier.

and now… it works.

image

Sep 10, 2013

winnate: upgrading a windows 8.1 preview version to rtm

you might have missed the news, but windows 8.1 and server 2012 r2 rtm versions are available for download now. in celebration of this occasion, i draw upon your memory. remember this FULLY UNSUPPORTED little gem when you upgraded your beta version of windows 8 to rtm? uh huh. yes, you do. use at your own risk. feeling like living dangerously?

here’s how it’s done:

  1. expand the installation media or copy to a writeable location
  2. open the directory “sources”
  3. locate the file named “cversion.ini”
  4. modify the content, changing the values to:

     [HostBuild]
     MinClient=9431.0
     MinServer=9431.0

image

now away you go. when you install, it’ll treat it as if you’re installing over windows 8, not windows 8.1 preview. :)

Sep 3, 2013

searching for an object by guid in active directory

before we get started, why the need for this? well, you can’t straight up search active directory for an object with a guid that looks like this: {af966e8e-7aee-4c0f-b0c8-1985de37c276}. this is referred to as “registry format.” there are two ways to do this as i will illustrate below.


the short way

adfind -binenc -f "objectguid={{GUID:af966e8e-7aee-4c0f-b0c8-1985de37c276}}"

adfind handles all the conversions quite nicely as long as you specify the correct type.


the long way

$myGUID = [guid]'af966e8e-7aee-4c0f-b0c8-1985de37c276'
# ToByteArray() returns the 16 octets the way objectguid stores them (first three fields little-endian)
$myGUIDhex = -join ($myGUID.ToByteArray() | % { $_.tostring("X").padleft(2,"0") })
# prefix every byte pair with a backslash so the ldap filter reads it as a binary value
$myGUIDhex = $myGUIDhex -replace '(..)','\$1'
get-qadobject -ldapfilter "(objectguid=$myGUIDhex)"

this switches the guid to hex and builds a value that looks like 8E6E96AFEE7A0F4CB0C81985DE37C276 and eventually \8E\6E\96\AF\EE\7A\0F\4C\B0\C8\19\85\DE\37\C2\76 which is used in the search filter.
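the same conversion as an added python example (mine, not from the post or any library the post uses), using only the standard library: it produces the post’s intermediate hex string and the escaped filter value, and also goes the other way, from the raw 16 octets a directory search returns for objectguid back to the text form. the guid is the one from the post.

```python
"""objectGUID in an LDAP filter: registry-format GUID text <-> escaped octets.
Added example, not the post's code. Standard library only; the GUID below is
the one used in the post."""
import re
import uuid

EXAMPLE_GUID = "{af966e8e-7aee-4c0f-b0c8-1985de37c276}"  # from the post

# exactly 16 backslash-escaped hex octets, nothing else
ESCAPED_RE = re.compile(r"^(?:\\[0-9A-Fa-f]{2}){16}$")


def guid_to_hex(guid_text: str) -> str:
    """'af966e8e-7aee-4c0f-...' (braces optional) -> '8E6E96AFEE7A0F4C...'.

    The text form prints the first three fields big-endian, but objectGUID
    stores them little-endian, which is why the string looks byte-swapped.
    uuid.bytes_le performs exactly that swap."""
    g = uuid.UUID(guid_text.strip().strip("{}"))
    return g.bytes_le.hex().upper()


def guid_to_ldap_value(guid_text: str) -> str:
    """Escape every octet as \\XX. Escaping all 16 (not only the RFC 4515
    specials) means no byte of the value can be read as filter syntax."""
    hexstr = guid_to_hex(guid_text)
    return "".join("\\" + hexstr[i:i + 2] for i in range(0, 32, 2))


def objectguid_filter(guid_text: str) -> str:
    """Complete LDAP search filter that matches one object by GUID."""
    return "(objectGUID=%s)" % guid_to_ldap_value(guid_text)


def ldap_value_to_guid(escaped: str) -> str:
    """Reverse: '\\8E\\6E...' back to the canonical lowercase text form."""
    if not ESCAPED_RE.match(escaped):
        raise ValueError("expected 16 backslash-escaped octets, got %r" % escaped)
    return objectguid_bytes_to_guid(bytes.fromhex(escaped.replace("\\", "")))


def objectguid_bytes_to_guid(raw: bytes) -> str:
    """A directory search returns objectGUID as 16 raw octets; this yields the
    text form an admin expects (the inverse of guid_to_hex)."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 octets, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))


if __name__ == "__main__":
    print(guid_to_hex(EXAMPLE_GUID))
    print(objectguid_filter(EXAMPLE_GUID))
    print(ldap_value_to_guid(guid_to_ldap_value(EXAMPLE_GUID)))
```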


learned a few things here. first, adfind continues to rock. never used the -binenc switch before. second, never used -join in powershell. third, never had the occasion to use $1 variables in regex. all great stuff.

thanks to this article.

2012 r2 series: enhancements to iaas

oh man, a two-part post! that means twice the reading, twice the summarizing and twice the condensing. :/ oh well. at least all this typing will help warm up my new sculpt keyboard. :) this is the fifth post in the series. read the full post composed of iaas innovations and service provider & tenant iaas experience whenever you get around to it. this covers the first part.

r2 enhancements in networking

Figure1.2


r2 enhancements in compute

  • quality of service controls on virtual machine storage while machine is running
  • clustered virtual machines with virtual disks on a separate file server
  • cluster aware updating allows deployment of updates to clustered environments with no downtime
  • exported copies of running virtual machines
  • live migration with compression provides 2x to 3x faster migration, smb direct even faster
  • 2nd gen virtual machines, uefi-based reduces use of emulated legacy devices
  • full remote desktop capabilities (sound, graphics, and most importantly – copy/paste!)
Figure2


r2 improvements in storage

  • optimized smb direct which takes advantage of rdma-enabled network cards
  • optimized rebalancing of scale-out file server – smb session transitioned seamlessly to optimal node
  • live migration over smb
    • faster migration over rdma-enabled nic
    • multi-channel capable to stream live migration across multiple nics
  • capability to define different bandwidth limits per category of smb traffic
  • data automatically moved between tiered storage media based on performance need
  • writes to storage satisfied by ssd tier and later written to hdd tier (write-back caching)
  • deduplication available on running virtual machine and cluster shared volumes
  • storage spaces integrated into scvmm
  • storage management api (sm-api) provides unified management for sans, storage spaces, etc
  • scvmm can deploy/configure clustered scale-out file servers
Figure3.1

Aug 22, 2013

2012 r2 series: open source

i keep catching myself getting far wordier than intended in these “summaries.” i’m going to work on that! catching up though. this makes 4 of 9 in this series. remember the days when microsoft was all about NOT developing for competing platforms to edge them out of the market? well, this post titled enabling open source software is all about the loving embrace of open source.


open source with windows

common engineering criteria (cec) drives consistency across products by requiring engineering compliance on a variety of factors with goals such as integration, manageability, security, reliability, etc. this same concept extends to all things cloud – private, hybrid, or public.

so what’s all this cec stuff do for open source, you say? well, it means having the same goal. single pane of glass administration, things that work in one environment should translate pretty easily to another, etc. here are some things microsoft has been up to:

  • linux community. microsoft has been pretty involved lately. in fact, they’re even checking in their stuff into the main kernel source code base. i guess “lately” isn’t exactly fair. they started doing work with this kind of stuff back with opsmgr.
  • drivers. ms has created what is called linux integration services (lis). basically, it’s a set of drivers for virtual devices. it contains stuff that allows such things as network and disk operating at near bare hardware performance and support for time sync, shutdown, heartbeat, live backups, and live migrations.
  • r2 updates. supports dynamic memory allocation based on guest need, 2d video drivers, vmbus updates to spread interrupts across multiple virtual cpus, and kexec to support the ability to grab crash dumps.

data center abstraction layer (dal) is a common management abstraction for everything in the datacenter. it’s os agnostic, uses existing dmtf standards-based management. open management infrastructure (omi) is basically the implementation for linux. what started off as a movement in opsmgr has grown to configmgr, vmm, and dpm.

  • opsmgr. nothing new here really. if you are an administrator of opsmgr, then you’re probably already aware of opsmgr’s ability to manage more platforms than just windows.
  • configmgr. i knew this work had extended to managing platforms in configmgr but only recently learned that anti-virus protection is also available.
  • vmm. personalize linux during deployment. deploy from templates (think of sysprep with linux), use a mix of linux and windows in service templates.
  • dpm. live backups of linux guests. file system consistent snapshots (buffers are flushed, capable by linux integration services).
  • powershell cmdlets. these cmdlets actually let you manage any cim based system.

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Cmdlet          Get-CimAssociatedInstance                          cimcmdlets
Cmdlet          Get-CimClass                                       cimcmdlets
Cmdlet          Get-CimInstance                                    cimcmdlets
Cmdlet          Get-CimSession                                     cimcmdlets
Cmdlet          Invoke-CimMethod                                   cimcmdlets
Cmdlet          New-CimInstance                                    cimcmdlets
Cmdlet          New-CimSession                                     cimcmdlets
Cmdlet          New-CimSessionOption                               cimcmdlets
Cmdlet          Register-CimIndicationEvent                        cimcmdlets
Cmdlet          Remove-CimInstance                                 cimcmdlets
Cmdlet          Remove-CimSession                                  cimcmdlets
Cmdlet          Set-CimInstance                                    cimcmdlets


open source on windows

  • common open source application publishing platform (coapp). essentially a package management system like the advanced packaging tool (apt) on linux. coapp packages can be included in visual studio projects.
  • community collaboration. check out the azure gallery. it contains open source apps. also, recently, php was released on the same day for windows which included some significant performance improvements. the real story though is that a windows-version of php was released on the same day other os versions were.
  • oracle. on hyper-v? yup. not just database… but java and weblogic, too.
  • azul systems. jdk will be made available allowing customers to deploy java apps on windows azure using open source java – on both windows and linux.

Aug 20, 2013

2012 r2 series: three scenarios of pcit


pcit. there’s that term again. it doesn’t mean personal computer though. it actually means people-centric IT. as more and more devices are born to consume cloud-based services, it makes sense for management of such devices to be cloud-based as well. part 3 – people-centric IT in action – end-to-end scenarios across products – (coincidentally) looks at three scenarios of pcit.


scenario 1: company access, personal device.

company access already exists today through technology such as vpn. this is really more about giving users the ability to get to their work files on a personal device. it addresses some of the risks around compliance by utilizing authentication (ad fs) and encryption (work folders).1 of course, remote wipe is a part of the scenario.

the core component to scenario 1 is work folders. think of work folders as a skydrive pro for file servers. (skydrive pro is for sharepoint, in case you were curious.) work folders requires both a server2 and a client. windows 8.1 will be the first to get it with windows 7 and ios following shortly thereafter. work folders runs over https so if you are so inclined, you can publish it via the web application proxy – which integrates with ad fs.

for those IT admins that yearn for more control in their life, configmgr + intune delivers the ability to provision devices with work folders settings. group policies can be used for those pesky domain-joined machines. configmgr r2 has work folders support so you can use all of the familiar targeting capability to deliver policies.

1 optionally, dynamic access control (dac) and rights management services (rms) can provide additional security/control. complexity is already super high, though.

2 basically, it’s a file server role in windows 2012 r2.

this statement will have you locked away in a cave by your executives for months:

Back to Hypothetical Joe: Suppose Joe buys a new Surface RT and wants to access files from work. He simply has to Workplace Join his device and enroll for management. As part of enrollment, his Work Folder configuration will be automatically provisioned and his files will start to sync to an encrypted folder. Joe now has all his work files available to him. As he makes changes to these files on his Surface RT, the changes synchronize to his desktop at work and vice-versa. As he creates sensitive documents, they are automatically classified and RMS protected.

Later, when Joe leaves the company, the IT team removes his devices from management and Joe’s Surface RT automatically wipes (rendered inaccessible) his Work Folders data while leaving all his personal data intact.


scenario 2: register to win!

unified device management (udm) requires azure AD, configmgr, and intune. once your environment is set up, the user will have to go to their respective “store” and download the company portal app. the cool thing is the device will show up in configmgr associated with the user.

granting access to company resources requires web application proxy and ad fs. unregistered devices will be denied access but will be provided links on how to get registered (to win!).


scenario 3: managing vpn

windows 8.1 has ms and third party vpn support built in, including new capabilities for profile management and on-demand vpn. let’s start with profile management:

  • configmgr + intune = provision vpn profiles and certs (intune for devices)
  • provision vpn profiles via powershell

automatic vpn (what i refer to as on-demand vpn) is managed by rules that are delivered to the device. when a user tries to connect to a company resource, vpn fires up. if any additional information is required, the user is prompted.

here’s a list of the powershell cmdlets from my 8.1 preview tablet:

Add-VpnConnection
Add-VpnConnectionRoute
Add-VpnConnectionTriggerApplication
Add-VpnConnectionTriggerDnsConfiguration
Add-VpnConnectionTriggerTrustedNetwork
Get-VpnConnection
Get-VpnConnectionTrigger
New-VpnServerAddress
Remove-VpnConnection
Remove-VpnConnectionRoute
Remove-VpnConnectionTriggerApplication
Remove-VpnConnectionTriggerDnsConfiguration
Remove-VpnConnectionTriggerTrustedNetwork
Set-VpnConnection
Set-VpnConnectionIPsecConfiguration
Set-VpnConnectionProxy
Set-VpnConnectionTriggerDnsConfiguration
Set-VpnConnectionTriggerTrustedNetwork


technologies involved with pcit architecture:

Aug 16, 2013

2012 r2 series: productive users and protected information

this morning’s read: part 2 of 9, titled making device users productive and protecting corporate information. here’s my summary of another incredibly long and detailed post. don’t forget to go back and get the full read. away we go.

  • people-centric IT (pcit). addresses four key areas.
    • users. expect to have access to all of their corporate resources from anywhere.
    • devices. diversity is not just about controlling which models of a particular brand to use. diversity of device type continues to grow as well. diversity = complexity.
    • apps. complexity in cross-platform management and deployment of apps.
    • data. provide data access while staying compliant and secure.
  • bring your own device (byod). byod is not a trend so much as a turning point. there’s no going back. diversity of devices will continue to climb which positions companies to have to fight the trend or embrace the trend. that’s what pcit is about.
  • user productivity. embracing byod effectively means having a healthy balance of access to corporate resources coupled with the right amount of security. with pcit, access policies can be enabled against the following criteria:
    • user’s identity
    • user’s device
    • user’s current network
  • common engineering criteria. engineers with server, configmgr, and intune shared common engineering milestones. focused on three key areas:
    • empowering users. users can have access to a variety of apps and data across a spectrum of devices – desktops, laptops, phones, tablets. windows, ios, and android are all supported (though it sounds like android might not get all the features initially.)
      • simple registration and enrollment.
        • workplace join. offers users a simple way to opt-in to IT services. creates user@device record in AD. governs access to resources and enables sso only. does not allow any IT control.
        • intune. users can enroll for management. wifi/vpn profiles, settings, side loading, etc.
      • consistent access to company resources. users can access apps, manage their own device, and access data via work folders.
      • automatically connect to internal resources. only works with enroll for management. vpn profiles launch on demand.
      • access resources from anywhere. data will be accessible via work folders and web application proxy.
    • unifying environment. single pane of glass management for apps and devices across scenarios from on-premise to cloud-based, including malware protection.
      • single console. the configmgr console is the basis of all management. cloud based management added through an intune connector.
      • user-centric app management. uses the user-centric model in configmgr to determine which app to deploy based on device and capability.
      • multiple delivery mechanisms. includes msi, app-v, remote apps, web links, windows store, app store, and google play.
      • cross-platform settings management. manage certificates, vpn, and wireless network profiles, apply compliance policies (to the extent of the platform, of course), receive inventory data, push installs, remote wipe and unregistration.
      • single identity. common identity from on-premise to cloud-based. ad fs tightly integrated to web application proxy is a key component.
    • protecting data. information access controlled by user, device, and location. shutdown access from devices no longer used.
      • control data. ability to selectively wipe data while leaving personal data intact. (see the original post for a table detailing device to capability.)
      • policy-based access control. made possible by ad fs, dynamic access control, web application proxy and work folders. obviously the implementation will be very complex.
        • web application proxy. provides ability to publish access to internal resources with optional multi-factor authentication.
        • work folders. file sync that allows syncing from corporate file server to user device over https. data is stored encrypted, locally on the device. files can be removed when device is un-enrolled from management.

Aug 15, 2013

2012 r2 series: customer scenario centricity

well, guess what? r2 is coming. you knew that already. what you might not know yet is r2 is coming october 18, along with windows 8.1. brad anderson has also been releasing a series of blog posts to highlight all of the forthcoming changes.

it’s a lot of material to read! figured i’d read along and post the high points. obviously i’m way behind since it’s a 9-part series which started at the beginning of july and is up to part 7 already. enough exasperation. let’s get started with part 1 titled beginning and ending with customer-specific scenarios.

  • cloud-first approach. build and deploy in their cloud first then deliver to customers and partners. ms currently operates > 200+ cloud services.
  • unified planning. client, server, system center, azure and intune all planned and prioritized together, including common release schedules and milestones.
  • three core pillars. centric to the support and inspiration behind r2 products:
    • empower people-centric IT (pcit). a move toward answering consumerization. users work anywhere on any device while operating in a secure and managed fashion. push to greater self-service capability. single pane of glass for device management.
    • transform the datacenter. technology which provides consistency in datacenter and public cloud platforms (investment, skillset, etc.)
    • enable modern business apps. new capabilities for both existing and new applications.
  • scenario-centric engineering. customer scenarios incorporated into all phases of development to prove the product operates as expected for customers instead of operating to an exact design specification, driven by focusing on:
    • plan based on customer needs.
    • design great products.
    • implement the software/service.
    • review scenarios frequently.
    • stabilize the software/service.

Aug 13, 2013

misc: spotting a fake

this isn’t so much a technical post. it’s just an explanation of how to spot check a profile before you decide to accept an invitation.

let’s say you get a mysterious invitation from someone on linkedin. at one point it was pretty easy to spot these but as all feats of engineering go, things usually get better – including social. :) the new thing seems to be female profiles using attractive photos as a means of getting someone to accept the invitation. this is the easiest way i know how to spot a fake:

  • make a copy of the photo. in windows land, you can just drag the image off the browser and drop it to the desktop. like so:

image

  • next, go to google’s image search and drag the photo to the search bar – don’t think bing supports this – as illustrated below:

image

  • voila. 83 results.

image

hope you found that useful.

Jul 3, 2013

orchestrator: overwriting existing global configurations

if you're familiar with importing and exporting runbooks, you have most likely seen the unintrusive little checkbox under the export settings labeled "export global configurations" and under the import settings labeled "import global configurations". how about "overwrite existing global configurations"? any idea what that does?

resorting to the help file, it explains the overwrite option as:

Select Overwrite existing global configurations to replace any current settings with the settings in the imported runbook or runbooks.
Overwriting replaces the entire set of configurations for a particular group. For example, if an imported runbook contains an SNMP activity, any current SNMP settings will be overwritten and any currently configured SNMP activities will be deleted.

all this did was provide more confusion for me so i tested a few things to see exactly what i was dealing with. when you export the ois_export file, it's actually exported as xml. cool. let's see what's inside it… but first, some basic information.


reviewing the sample runbook

here is my simple runbook i tested. as you can see, it has three activities and only one that points to an actual configuration – scale tier in. this will keep things simple. it doesn’t provide any useful functionality, if you were wondering.

image

i created a configuration under virtual machine manager for the scale tier in activity to use called “imextest” (import-export-test… yeah, original).

image

image


stepping through the test

okay, now that our little lab test is configured, let’s run a couple of scenarios. here are the steps i used when importing the global configuration with and without the runbook:

  1. export the test runbook folder with all options disabled other than “export global configurations”. cleverly, i called mine myGlobalConfig.
  2. go to options / sc 2012 virtual machine manager in runbook designer.
  3. edit “imextest” changing the following:
    • name from “imextest” to “imextest-modified”
    • vmm administrator console from “idk” to “iono”
  4. modify the scale tier in activity:
    • point configuration from “imextest” to “imextest-modified”
    • change service name from “x” to “x-modified”
  5. check in the modified runbook.
  6. import the exported runbook with all options disabled other than “import global configurations” and “overwrite existing global configurations”.
  7. examine the results.

for the second test, i wanted to see what happens if i import the runbook as well as the global configurations.

  1. import the exported runbook with the same steps as step 6 but choose “import runbooks” as well.
  2. examine the results.

and lastly, i wanted to see the outcome of modifying a configuration outside of those used by any activities in the runbook.

  1. modify another configuration, such as sc 2012 configuration manager.
  2. i added a new configuration entry to mine.
  3. import the exported runbook with the same settings as step 6.
  4. examine the results.

note: make sure you do not import a runbook at the same level you exported it. otherwise, you’ll create a new one under the same folder. instead, import the runbook from the root or the level above where you exported it. make sense?


looking at the results

for the first test, i imported just the global configurations. as expected, the sc 2012 virtual machine manager settings i had for imextest-modified reverted back to imextest. the activity, scale tier in, remained untouched. it still pointed to the imextest-modified configuration.

after the second test where i imported the runbook, the activity, scale tier in, is modified to point to the previous configuration. the third test, showed that even global configurations outside of what would appear to be the scope of the runbook are modified.


examining the xml to back up the results

the nice thing about these exported runbooks is that they’re actually xml files. in other words, you can open one up and see exactly what you just exported. there are two ways of going about doing this. you can either open it up in your text or xml editor of choice (horrible idea), or you can try using ryan andorfer’s utility parseorchestratorexport.exe.

much better

if you insist on searching the xml, look under the exportdata / policies / globalconfigurations section. a faster way to identify areas with content is to search for the <configurations> node.

woah, help me!

sorry for the side track. as you can see, the global configurations contain more than just what is related or relevant to the runbook exported – thus global. the only configuration tied to the activities in the runbook should have been “sc 2012 virtual machine manager”. instead, it picked up sc 2012 configuration manager and microsoft active directory domain configuration.


okay, so now what?

the bottom line is be careful. if you import global configurations with your runbook, you run the very high probability that you will overwrite something you hadn’t intended to.

when exporting global configurations, you get them all. it doesn’t matter what node you’re at. it doesn’t matter which runbook you export. if you choose this option, there isn’t a choice in which ones you get. now, that said, you can edit the exported xml to remove the entry node that you do not want to import.

importing global configurations without overwriting does nothing for the existing configurations. if the configuration objects exist on the management server, they will not be modified. don’t exactly know what would happen if you imported a global configuration for a configuration that doesn’t yet exist. if you know the answer or try this, let me know what you find out in the comments.

importing global configurations with overwrite replaces everything you had with values from the exported runbook. let’s say you export global configurations. at some point in time after, global configurations are modified. you go to import what you exported with overwrite turned on. all of your changes are wiped out.

the context of the help file is not accurate and at best misleading/confusing. let’s break down why:

  • Select Overwrite existing global configurations to replace any current settings with the settings in the imported runbook or runbooks – it doesn’t matter if you import one runbook or the whole tree. you get all of the global configurations.
  • Overwriting replaces the entire set of configurations for a particular group – what exactly is a group? i don’t know. I find importing global configurations replaces everything for that orchestrator management server.
  • For example, if an imported runbook contains an SNMP activity, any current SNMP settings will be overwritten and any currently configured SNMP activities will be deleted – yes, this is true if you import a runbook. however, you can import a runbook without global configurations. you can also import global configurations without the runbook itself. in either case, if the activity or configuration is out of sync, then you will potentially have an activity point to an incorrect configuration.
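To make the “edit the exported xml” step less error-prone, here is an added example (my code, not the post’s or Orchestrator’s) that lists the global configuration groups in an export and strips the ones a runbook does not use before you import with overwrite. The ExportData / Policies / GlobalConfigurations / Configurations path comes from the post; the element names beneath it (Configuration, Name, Entries, Entry) are assumptions modelled on a constructed sample, so verify them against a real .ois_export first.

```powershell
# Added example: inspect and prune global configurations in an Orchestrator export.
# The sample XML below is constructed to mimic the layout the post describes;
# element names under <Configurations> are an assumption, check them against
# your own export before relying on this.
$sample = @'
<ExportData>
  <Policies>
    <GlobalConfigurations>
      <Configurations>
        <Configuration>
          <Name>SC 2012 Virtual Machine Manager</Name>
          <Entries><Entry><Name>imextest</Name></Entry></Entries>
        </Configuration>
      </Configurations>
      <Configurations>
        <Configuration>
          <Name>SC 2012 Configuration Manager</Name>
          <Entries><Entry><Name>cm-lab</Name></Entry></Entries>
        </Configuration>
      </Configurations>
      <Configurations>
        <Configuration>
          <Name>Microsoft Active Directory Domain Configuration</Name>
          <Entries><Entry><Name>lab.local</Name></Entry></Entries>
        </Configuration>
      </Configurations>
    </GlobalConfigurations>
  </Policies>
</ExportData>
'@

function Get-GlobalConfigurationNode {
    param([xml]$Export)
    # XPath is case-sensitive; lower-case local-name() so the lookup works
    # whatever capitalisation the export happens to use.
    $lower = "translate(local-name(),'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')"
    $Export.SelectNodes("//*[$lower='globalconfigurations']/*[$lower='configurations']")
}

function Get-GlobalConfigurationGroup {
    # One object per configuration group: its name, the entry names it carries,
    # and the node itself so it can be removed later.
    param([xml]$Export)
    foreach ($node in Get-GlobalConfigurationNode $Export) {
        $nameNode = $node.SelectSingleNode(".//*[local-name()='Configuration']/*[local-name()='Name']")
        $groupName = if ($nameNode) { $nameNode.InnerText } else { '(unnamed)' }
        $entries = @($node.SelectNodes(".//*[local-name()='Entry']/*[local-name()='Name']") |
                     ForEach-Object { $_.InnerText })
        New-Object PSObject -Property @{ Group = $groupName; Entries = $entries; Node = $node }
    }
}

function Limit-GlobalConfiguration {
    # Removes, in place, every configuration group not listed in -Keep and
    # returns how many were dropped. Nothing is imported; you still review the file.
    param([xml]$Export, [string[]]$Keep)
    $dropped = 0
    foreach ($group in Get-GlobalConfigurationGroup $Export) {
        if ($Keep -notcontains $group.Group) {
            Write-Verbose "dropping global configuration group '$($group.Group)'"
            [void]$group.Node.ParentNode.RemoveChild($group.Node)
            $dropped++
        }
    }
    $dropped
}

$export = [xml]$sample
"groups in the export:"
Get-GlobalConfigurationGroup $export | Select-Object Group, @{n='Entries'; e={ $_.Entries -join ', ' }}

# keep only the group the runbook's scale tier in activity actually uses
$removed = Limit-GlobalConfiguration -Export $export -Keep 'SC 2012 Virtual Machine Manager'
"groups after pruning ($removed removed):"
Get-GlobalConfigurationGroup $export | Select-Object Group
# $export.Save('C:\temp\myGlobalConfig-pruned.ois_export')   # then import this file instead
```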


drop a comment, and let me know what you think. :)

Jul 2, 2013

ds: modifying security and the default max size limit for pictures in active directory

i started investigating storing pictures in active directory and came to the understanding that while the default size is 100kb, exchange limited uploads to 10kb. i did a little testing with my own pretty face and realized that a 96x96 image that is less than 10kb is sufficient. anyway, here's a couple of things i dug up. props to wrj for the schema location info.


DEFAULT PERMISSIONS
another interesting thing to note is that the picture attribute (otherwise known as thumbnailphoto) is a part of the personal information property set. this matters because, by default, the self security principal is granted rights to modify attributes in the personal information property set. oh no!


SOLUTIONS
at this point, paths diverge based on what matters to you:

  • users can manage their own photos
  • users adding photos will bloat the AD database
if your concern is the capability of users managing their own photos, you can modify the permissions associated with the self security principal. if all that matters to you is blocking the file size of the image, you can modify the max size limit.



warning: i haven't tried either of these so proceed at your own peril.

STEPS TO MODIFY PERMISSIONS
appropriate permissions are required to make this modification (generally domain admins or a privileged assignment that can change object acls).
  1. open active directory users and computers (dsa.msc)
  2. navigate to the base container you wish to apply the changes
  3. open the properties, switch to the security tab and click advanced
  4. under the permissions tab, click add and find the self object
  5. on the permission entry dialog box, switch to properties
  6. switch the focus to user objects on the apply onto section
  7. scroll down to find write thumbnailphoto and click deny



STEPS TO MODIFY MAX SIZE LIMIT

to make this modification, you need permission to modify the schema.
  1. open adsiedit.msc and connect to the schema naming context
  2. open the schema tree (ex: cn=schema,cn=configuration,dc=mydomain,dc=com)
  3. locate the cn=picture node and open the properties
  4. modify the rangeupper value to the new value (stored as bytes)
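Before touching either the acl or the schema, it helps to know what the current state is. This is an added example (mine, not the post’s) that reads rangeUpper from the CN=Picture schema object, lists users whose stored thumbnailphoto already exceeds a size, and checks whether SELF holds a write ACE covering the attribute on a given object. It assumes the ActiveDirectory module on a domain-joined machine; the distinguished names are placeholders, and the Personal Information property set GUID is Microsoft’s documented value, not something from the post.

```powershell
# Added example: audit thumbnailPhoto limits and SELF write access before changing them.
Import-Module ActiveDirectory

function Get-ThumbnailPhotoLimit {
    # rangeUpper on CN=Picture (lDAPDisplayName thumbnailPhoto) is stored in bytes
    $schemaNc = ([adsi]"LDAP://RootDSE").schemaNamingContext
    $picture  = [adsi]"LDAP://CN=Picture,$schemaNc"
    [int]$picture.rangeUpper.Value
}

function Get-OversizedThumbnailPhoto {
    # Users whose photo is larger than -MaxBytes; 10 KB mirrors the Exchange upload cap.
    param([string]$SearchBase, [int]$MaxBytes = 10KB)
    Get-ADUser -Filter 'thumbnailPhoto -like "*"' -SearchBase $SearchBase -Properties thumbnailPhoto |
        Where-Object { $_.thumbnailPhoto.Length -gt $MaxBytes } |
        Select-Object SamAccountName, @{n='PhotoBytes'; e={ $_.thumbnailPhoto.Length }}
}

function Test-SelfCanWriteThumbnailPhoto {
    # Returns the Allow WriteProperty ACEs for NT AUTHORITY\SELF whose ObjectType is
    # thumbnailPhoto's own schemaIDGUID or the Personal Information property set
    # (77b5b886-944a-11d1-aebd-0000f80367c1, Microsoft's documented GUID) that contains it.
    # No output means SELF cannot write the photo through either route.
    param([string]$DistinguishedName)
    $schemaNc    = ([adsi]"LDAP://RootDSE").schemaNamingContext
    $picture     = [adsi]"LDAP://CN=Picture,$schemaNc"
    $photoGuid   = New-Object Guid (,[byte[]]$picture.schemaIDGUID.Value)
    $personalSet = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
    $writeProp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq $photoGuid -or $_.ObjectType -eq $personalSet)
    }
}

# usage with placeholder names:
# Get-ThumbnailPhotoLimit
# Get-OversizedThumbnailPhoto -SearchBase 'OU=Users,DC=mydomain,DC=com'
# Test-SelfCanWriteThumbnailPhoto -DistinguishedName 'CN=someone,OU=Users,DC=mydomain,DC=com'
```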

Jun 27, 2013

powershell: reducing processing time (niche case)

why the caveat? it's important to note that my savings is based on switching out just a simple little thing. there's no magic here. there's no fountain of knowledge. those accolades are for the likes of snover and wilson.

BACKGROUND
the synopsis is simple. i was asked to create a very specific user list. the specifications were such that i had to consider custom objects to store the information. here are the requirements:
  • must be a csv formatted file
  • must have headers that match a specified string
  • must contain columns even if the value is empty
  • must decode the manager dn to the manager's employee id
after spending a little time getting formatting right, i realized that performance was just terrible. i admit i created it in the laziest way possible. i mean that is what scripting is about right? saving time? 

DEFINING CRAZY
for processing a thousand users and creating a thousand custom objects, it was okay since the span of time was relatively short. when i raised it to 30000ish the performance issue became evident. i did the most logical thing... which was to consult the expansive, ever-reaching power of the internet and found an assortment of suggestions for speeding up custom objects -- from select method to hashtable method to out-of-my-range complicated c# methods.

i tried a few different things over the next few days when i had time. i broke up the collection of users into smaller chunks, streamlined my ldap filters, tried rearranging things... none of them impacted the performance -- at all. i even removed the custom object requirement entirely (or so i thought since piping to select-object is a way to create custom objects).

i finally spent some time trying to understand where else i could be having performance hits. i narrowed it down to one other place -- the conversion of the manager dn to the manager employee id. some background: active directory stores a user's manager as a forward link to the manager's user object. this means all you have to do is follow the link. so in essence, once i know the manager value of a user, i can just query for the manager object and retrieve the employee id of that object. easy! unfortunately, each time i did this, it would take a few ticks for it to come back.

i don't know for certain how many "a few" is. in desperation, i blamed my old desktop and sought out something more powerful, a performance-purpose desktop with 4 cores and 16gb/ram. i tried running it there. i kicked it off around lunch time. i came in the next morning and checked to see how it was doing. still running. finally after another hour or so, it stopped, presenting these cheery results:

Days              : 0
Hours             : 18
Minutes           : 40
Seconds           : 20
Milliseconds      : 306
Ticks             : 672203068902
TotalDays         : 0.778012811229167
TotalHours        : 18.6723074695
TotalMinutes      : 1120.33844817
TotalSeconds      : 67220.3068902
TotalMilliseconds : 67220306.8902
i had been pondering the idea of switching out what i was using for the ldap lookups to something else to see if the cmdlet itself was the problem. i forgot to check it more often than i remembered (if that's possible, otherwise reverse what i said). well, after the results above, i was finally at the place where you couldn't look away. i had no more excuses or distractions. after searching around for all of 47 seconds, i found the information i needed, switched out the call, and ran it. i would periodically look over so ... when i realized it was done before my lunch break ended, i was -- amazed. results:
Days              : 0
Hours             : 0
Minutes           : 19
Seconds           : 56
Milliseconds      : 468
Ticks             : 11964681595
TotalDays         : 0.0138480111053241
TotalHours        : 0.332352266527778
TotalMinutes      : 19.9411359916667
TotalSeconds      : 1196.4681595
TotalMilliseconds : 1196468.1595
yeah! that's right. i dropped the execution time by 5600%. :) i think it's also significant to indicate that the method that took 18 hours also utilized just about all available ram on my old desktop (beyond 12gb on the performance machine) and at least 30-40% cpu the entire time. so what was it i switched out, you ask? watch your wordwrap... 

the original:
(get-qaduser $_.manager -searchroot "dc=mydomain,dc=com" -DontUseDefaultIncludedProperties -includedproperties employeeid).employeeid

the new:
([adsi]"LDAP://mydomain.com:389/$($_.manager)").get("employeeid")


CONCLUSION
that is my very long winded way of saying that get-qaduser was the culprit. it's not that it's bad. it's great when you're pulling objects in one fell swoop. calling it repeatedly to go after an object one at a time proved inordinately slow. in this case, using adsi directly won out -- in a big way.
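Since the slow part was one lookup per user, the other thing worth doing is to resolve each manager only once. This added example (my code, not the post’s script) wraps the post’s [adsi] call in a function with a per-run cache, keeps the column present when a user has no manager or the manager has no employeeID, and pages the user search so 30000-odd users come back without hitting the server’s result limit. The domain, search base and CSV headers are placeholders.

```powershell
# Added example: cached manager DN -> employeeID lookup plus the CSV export it feeds.
$script:ManagerCache = @{}

function Get-ManagerEmployeeId {
    param(
        [string]$ManagerDn,                   # the user's manager attribute (a DN)
        [string]$Server = 'mydomain.com:389'  # placeholder domain / port
    )
    if ([string]::IsNullOrEmpty($ManagerDn)) { return '' }   # no manager: keep the column, leave it empty
    if ($script:ManagerCache.ContainsKey($ManagerDn)) { return $script:ManagerCache[$ManagerDn] }

    # a forward slash inside a DN has to be %2F-escaped in an ADsPath
    $path = "LDAP://$Server/$($ManagerDn -replace '/', '%2F')"
    try   { $employeeId = ([adsi]$path).Get('employeeID') }
    catch { $employeeId = '' }                # manager object exists but has no employeeID set
    $script:ManagerCache[$ManagerDn] = $employeeId
    $employeeId
}

function Export-UserReport {
    # One row per user with a fixed header set (placeholders for the specified strings),
    # written as CSV. Uses DirectorySearcher with paging rather than a per-user cmdlet call.
    param([string]$SearchBase, [string]$Path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize   = 1000               # paged results, needed beyond the 1000-object default limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'employeeID', 'manager'))

    $rows = foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        New-Object PSObject -Property @{
            'Login'        = [string]($p['samaccountname'] | Select-Object -First 1)
            'EmployeeID'   = [string]($p['employeeid']     | Select-Object -First 1)
            'ManagerEmpID' = Get-ManagerEmployeeId -ManagerDn ([string]($p['manager'] | Select-Object -First 1))
        }
    }
    # explicit column order so the headers match the required string exactly
    $rows | Select-Object Login, EmployeeID, ManagerEmpID | Export-Csv -Path $Path -NoTypeInformation
}

# Measure-Command { Export-UserReport -SearchBase 'dc=mydomain,dc=com' -Path 'C:\temp\users.csv' }
```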

powershell: retrieving warranty data

...or as dell would say ... "entitlements".

first of all, check this out: http://xserv.dell.com/services/assetservice.asmx. dell has a webservice that you can use to pull down warranty information on your system. there are three arguments you have to provide to make this work:

  • guid
  • application name
  • service tag
the only key piece of information is the service tag. the other two arguments will accept any piece of data as long as it's the right type. let's examine each of these for a quick second.


guid
the easiest way to generate a guid is by using the newguid() method as such:
$guid = [guid]::newguid()

application name
set this to whatever string value strikes your fancy. (do people say that anymore?)


service tag
this is the part that actually drives the context. provide your service tag (some call it asset tag, some call it serial number, etc) as the third argument and away you go. if you want to pull the service tag from your system, you could do it like this (-expandproperty gives you the string rather than an object with a serialnumber property):
$servicetag = get-wmiobject win32_systemenclosure | select -expandproperty serialnumber

now that you have all of the pieces together, here's how you'd put it together:
$guid = [guid]::newguid()
$servicetag = get-wmiobject win32_systemenclosure | select -expandproperty serialnumber
$dell = new-webserviceproxy 'http://xserv.dell.com/services/assetservice.asmx'
$dell.GetAssetInformation($guid, "script", $servicetag) | select -expand entitlements

when you run it, it looks like this:

ServiceLevelCode        : CC
ServiceLevelDescription : P, COMPLETE CARE
Provider                : DELL
StartDate               : 9/17/2012 12:00:00 AM
EndDate                 : 9/18/2015 12:00:00 AM
DaysLeft                : 813
EntitlementType         : Active

Jun 25, 2013

powershell: an array of alphabets

i wish i could remember where i found this particular gem. as you know, it's crazy easy to create an array of values if they're integers such as:
[1] {C:\temp} > $a = 1..10
[2] {C:\temp} > $a
1
2
3
4
5
6
7
8
9
10
but what about when you want an array of alphabetical characters like a through z? it's not as simple as defining the range as a..z. instead, you have to call the char type as shown below:

[7] {C:\temp} > $alphabet = [char[]]([char]'a'..[char]'z')
[8] {C:\temp} > $alphabet
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z

Jun 10, 2013

powershell: retrieving directories in the current path

hard -- obscure if you don't know the calls, aren't familiar with programming (basically, me)

[io.directory]::GetDirectories($(get-location))


medium -- not so bad when you know what to look for

get-childitem | where-object { $_.mode -eq "D----" }
get-childitem | where-object { $_.PSISContainer -eq $true }
get-childitem | where-object { ($_.Attributes -band [io.fileattributes]::Directory) -ne 0 }


easy -- at least there's no bracketing or positional parameters to worry about

get-childitem | where-object psiscontainer -eq $true


easiest -- near parity with cmd shell, provided you use shortcuts

get-childitem -directory

May 22, 2013

misc: snmp device simulator (free, yes free!)

in case you missed it, jalasoft just dropped a new tool called the xian snmp device simulator. going by the details, it might take you longer to type the name than to run the utility -- especially since most of the configuration is all wizard-driven. it supports snmp v1, v2 and v3, and it simulates myriad devices including:


  • Cisco Switches
  • Cisco Router
  • Cisco Firewalls
  • Cisco VPN Concentrators
  • Cisco Wireless devices
  • 3Com Switches
  • HP ProCurve Switches
  • F5 Big Ip Nortel
  • APC UPS


whether you're an operations manager 2007 shop, an operations manager 2012 shop, or don't use operations manager at all, this tool will still be valuable for testing snmp. over the years, simulating snmp has come up many times so it's great to see something this nice -- for free! if you want details, click HERE to check out their blog post.


May 13, 2013

misc: diffie-helman key exchange

while in a cert authority class, the instructor mentioned the diffie-helman key exchange and showed us this picture using paint colors as a way of expressing how this works. the math just makes me dizzy. anyway, the paint color thing kind of makes sense …
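For anyone who wants the paint picture with numbers attached, here is an added example (mine, not the post’s or the instructor’s) that runs the exchange with toy parameters small enough to check by hand: p and g are the shared “common paint”, each side’s exponent is its private colour, the values sent in the open are the mixes, and both sides end up with the same shared colour. Real deployments use primes of 2048 bits or more; 23 and 5 are for illustration only.

```powershell
# Added example: Diffie-Hellman with toy numbers, mapped onto the paint analogy.
Add-Type -AssemblyName System.Numerics   # BigInteger.ModPow; harmless if already loaded

function New-DhShare {
    # common paint (p, g) mixed with one party's secret colour -> the mix sent in the open
    param([System.Numerics.BigInteger]$p, [System.Numerics.BigInteger]$g, [System.Numerics.BigInteger]$secret)
    [System.Numerics.BigInteger]::ModPow($g, $secret, $p)      # g^secret mod p
}

function Get-DhSecret {
    # the other party's public mix combined with your own secret colour -> shared colour
    param([System.Numerics.BigInteger]$p, [System.Numerics.BigInteger]$received, [System.Numerics.BigInteger]$secret)
    [System.Numerics.BigInteger]::ModPow($received, $secret, $p)   # received^secret mod p
}

function Invoke-DhDemo {
    # toy parameters: p = 23, g = 5, alice's secret a = 6, bob's secret b = 15
    param([int]$p = 23, [int]$g = 5, [int]$a = 6, [int]$b = 15)
    $A = New-DhShare -p $p -g $g -secret $a          # alice sends A = 5^6  mod 23 = 8
    $B = New-DhShare -p $p -g $g -secret $b          # bob   sends B = 5^15 mod 23 = 19
    $sAlice = Get-DhSecret -p $p -received $B -secret $a   # 19^6 mod 23 = 2
    $sBob   = Get-DhSecret -p $p -received $A -secret $b   # 8^15 mod 23 = 2
    # an eavesdropper sees p, g, A and B but needs a or b to reproduce the shared value;
    # recovering those from A or B is the discrete logarithm problem the scheme rests on
    New-Object PSObject -Property @{
        PublicA = $A; PublicB = $B; SecretAlice = $sAlice; SecretBob = $sBob
        Agree   = ($sAlice -eq $sBob)                 # $true: both sides hold 2
    }
}

Invoke-DhDemo | Format-List PublicA, PublicB, SecretAlice, SecretBob, Agree
```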

May 9, 2013

atlanta techstravaganza 2013

greetings. ATLSMUG (atlanta systems management user group) is proud to be one of the co-hosts of the atlanta techstravaganza event once again! we have well over a hundred attendees which makes a great networking opportunity. hope to see you there!


here’s a few things of note:

  • Keynote speaker Mark Minasi – The New Windows: What to Do and When to Do It
  • 16 great sessions in 4 tracks — System Center, Windows Server Infrastructure, PowerShell, and Hands-on-Labs for Hyper-V and Azure
  • Speakers — Ed Wilson, Greg Cameron, Brian Huneycutt, Butch Waller, Tommy Patterson & other Microsoft experts
  • Breakfast, lunch, and snacks provided!
  • Great prizes to be won — including the grand prize of a Microsoft Surface RT!

Friday June 21, 2013 8AM to 4PM
Microsoft Campus, 1125 Sanctuary Pkwy, Alpharetta, GA


more information and registration link is available at: http://www.ATLTechStravaganza.com

May 1, 2013

microsoft desktop optimization pack 2013

i am well aware I should have not missed this but somehow overlooked it. a service pack was released with mdop 2013 that addresses some issues with agpm (advanced group policy management) 4.0. it’s been a long time coming. it looks to be more functional than actually addressing some of the deficiencies in agpm. it’s still good news since i was under the impression ms would scrap agpm at some point since its adoption rate is low.

if you missed it, here are some other products that were updated:

  • AGPM 4.0 SP1: Brings powerful change management for Group Policy to Windows 8, making it easier for organizations to keep enterprise-wide desktop configurations up to date, enabling greater control, less downtime, and lowering total cost of ownership (TCO).
  • DaRT 8.0 SP1: Accelerates desktop repair by adding support for 10 additional languages. It also includes a new Defender engine to better assist organizations in discovering malware.
  • App-V 5.0 SP1: Helps organizations use virtually any application anywhere by adding support for Office 2010. This will give end users a consistent experience with virtualized Office that they saw with previous versions of App-V. SP1 also adds support for the sequencer and client in 24 languages while App-V 5.0 server will be supported in 11 languages.
  • UE-V 1.0 SP1: Makes it easier for users to change devices, but keep their experience with support for Office 2007, a heavily requested addition. The product now supports 24 languages, allowing more organizations to use UE-V in their native language.

MBAM 2.0 seems to be the giant frontrunner in this list of applications (not shown above). it looks like the only application that was a version upgrade, not just a service pack. you can read the entire article here: http://blogs.windows.com/windows/b/business/archive/2013/04/10/making-windows-8-even-more-manageable-with-mdop-2013.aspx.

Apr 30, 2013

scep: tampering with anti-tampering

i understand both sides of why people believe this needs to be done. this article outlines a measure microsoft implemented to keep service controls outside of administrative fingers for endpoint protection to keep people from messing around with services.

image

as you might know, this is a very silly wall to put around a service. as an administrator, you own the box. if you understand how to read SDDLs and change them to suit your needs, then you can very easily modify it with your administrative credentials to remove that paper wall, -and- coincidentally, you might want to pick up this skill since in some scenarios (read as: mine) the very product that manages endpoint protection (system center configuration manager) fails to update to CU1 because of its inability to stop the microsoft antimalware service. <sigh> i guess you could uninstall the product. that seems safer. :/

this is akin to putting in safeguards such as making sure i am running an installation with my domain admin account! really?! that’s supposed to be safe? even when you have the proper credentials, surgically applied, you fail to meet the minimum requirements of a security group check.

my point is, administrators should not be prevented from managing their services – both from a practical perspective as well as philosophical. from a practical perspective, as an admin, you PWN the box. you can do just about anything you want which means you can take over permissions which gets you around the anti-tampering easily.

philosophically speaking, if you are a designated administrator, it should be with the understanding that you know what you’re doing when performing elevated permissions tasks – such as disabling core services. it seems counterintuitive to present this with any seriousness as an anti-tampering method and also makes windows look like a child-safe medicine bottle. windows, for all of its massive pretty, “next next finish”, and other enhancements to ease the administrative experience – is still a very serious server operating platform. it’d be nice to get treated like i know how to run it.
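Reading a service SDDL is the half of that skill that is useful even if you never change one: it tells you exactly who is allowed to stop or reconfigure the service, which is what you want to know before blaming a failed update on anti-tampering. This is an added example (my code, not the post’s) that decodes a service descriptor with the .NET RawSecurityDescriptor class and reports the principals holding Stop or ChangeConfig. The SDDL string is a constructed sample shaped like a default service descriptor; the access bit values are the standard service rights from winsvc.h.

```powershell
# Added example: decode a service SDDL and list who can stop or reconfigure the service.
# Constructed sample in the shape of a default service descriptor (SY = SYSTEM,
# BA = Administrators, IU = Interactive users, SU = Service logon).
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

# service-specific access bits (winsvc.h) plus the standard rights that matter here
$ServiceRights = @{
    QueryConfig = 0x0001; ChangeConfig = 0x0002; QueryStatus = 0x0004; EnumerateDependents = 0x0008
    Start = 0x0010; Stop = 0x0020; PauseContinue = 0x0040; Interrogate = 0x0080; UserDefinedControl = 0x0100
    Delete = 0x10000; ReadControl = 0x20000; WriteDac = 0x40000; WriteOwner = 0x80000
}

function ConvertFrom-ServiceSddl {
    # One object per ACE in the DACL: principal, allow/deny, and the named rights in its mask.
    param([Parameter(Mandatory=$true)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }            # unresolvable SID: keep the raw value
        $rights = @($ServiceRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            Sort-Object Value | ForEach-Object { $_.Key })
        New-Object PSObject -Property @{
            Principal = $who
            Type      = [string]$ace.AceType   # AccessAllowed / AccessDenied
            Rights    = $rights
        }
    }
}

function Get-ServiceStopper {
    # Principals with an Allow ACE that grants Stop or ChangeConfig (either is enough
    # to take the service down or repoint it).
    param([Parameter(Mandatory=$true)][string]$Sddl)
    ConvertFrom-ServiceSddl -Sddl $Sddl | Where-Object {
        $_.Type -eq 'AccessAllowed' -and ($_.Rights -contains 'Stop' -or $_.Rights -contains 'ChangeConfig')
    }
}

ConvertFrom-ServiceSddl -Sddl $sampleSddl |
    Format-Table Principal, Type, @{n='Rights'; e={ $_.Rights -join ',' }} -AutoSize
"can stop or reconfigure:"
Get-ServiceStopper -Sddl $sampleSddl | Select-Object -ExpandProperty Principal
# for a real service, feed in the descriptor that sc.exe prints:
# ConvertFrom-ServiceSddl -Sddl ((sc.exe sdshow '<ServiceName>') -join '').Trim()
```

With the sample, only SYSTEM and Administrators come back from Get-ServiceStopper; the interactive and service ACEs carry query rights only.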

Apr 26, 2013

sccm: the required permissions for creating collections

i had modeled a concept for how i wanted to lay out permissions only to find out the permissions i created for managing collections was wrong – specifically, the creation of collections. after spending some time messing around with sccm 2012 (configmgr for you purists), i was able to work out the exact requirements for creating collections. what a pain since there is no documentation for what the permissions actually perform! (admittedly, most of it is self-explanatory just by the permission name itself.)

after doing a little digging (referred to some as trial and error), it turns out that a specific permission, modify folder, is required. by all appearances as blogged by others, it seems this is a bug. i didn’t bother to go into the bug tracker to figure out where this was in the development cycle. at any rate, keep that in mind. you’ll need it.

so, with the following permission set:

  • create
  • read

you basically get a slap across the face. there is no visible dialog to create a collection. however, once you add modify folder you will get the familiar create collection option. the permissions are defined as such:

  • create
  • modify folder
  • read

if you work with folders, the story is not yet complete. you will notice you are only able to create collections from the root. if you attempt to do so from a folder, you get another face slap. it turns out, you also need another obscure right. this one is move object. after adding move object, you get the permission to create the collection when you click on a folder. permissions are defined as such:

  • create
  • modify folder
  • move object
  • read

and now you can create collections at the root, on folders, etc. here’s a screenshot that shows the applied permissions. hope it helps.

image