O R G A N I C / F E R T I L I Z E R: 2016

Oct 18, 2016

How to Check for Expiring Certificates in PowerShell

This one I’m saving for later. Don’t confuse this with actually managing certificates via the PKI module. This is really about finding information on certificates already deployed.

First of all, remember that Cert:\ is a PS drive. Try something like this when you open a PS prompt:

cd cert:\
cd currentuser\my

PS C:\> cd cert:\
PS Cert:\> cd currentuser\my
PS Cert:\currentuser\my> dir

    Directory: Microsoft.PowerShell.Security\Certificate::currentuser\my

Thumbprint                               Subject                     
----------                               -------

So with that in mind, you can do the typical kind of listing/sorting/displaying. One of the interesting switches that shows up when you’re in the certificates drive is the –ExpiringInDays. This is extremely useful if you’re trying to get a return of certificates that are about to expire (think alerting.)

get-childitem -path Cert:\CurrentUser\My -ExpiringInDays 180

By doing this, you can treat this as a boolean return. If something pops up, fire an alert.

Sep 22, 2016

Max Group Membership Limits for Active Directory

While exploring the concept of maximum membership limits for groups, I ran into a number of posts which offered contradicting information. To set the record straight, we will start with with ancient history.

When Windows 2000 was released, the recommended number of members in a group was 5000. This corresponds with the number of changes that could be written in a single replication cycle (if I have my facts straight.) Remember, back in those days, every time you changed the membership of a group, you caused the entire group and all its membership information to replicate.

With the release of Windows 2003 came the concept of Linked Value Replication. This enabled you to make membership changes to a group and only replicate the changes in membership – adds, deletes, etc. Because of this, Microsoft hasn’t issued a new recommended limit. Here’s a snippet from a document titled Windows Server 2003 R2 and Windows Server 2003:

Recommended Maximum Number of Users in a Group

For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction. Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR).To enable LVR, you must increase the forest functional level to at least Windows Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000. So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.

So there you have it. The next time someone asks you about membership limitations of a group, you can happily tell them – it doesn’t exist (because you aren’t on Windows 2000, right? RIGHT?)

Jul 5, 2016

ATLSMUG Meeting 07/22/2016



Hi everyone.

If you’re familiar with Atlanta TechStravaganza, you’re probably used to having seen an announcement by now. Well, we had some logistical challenges this year so it looks like we have to push back until later this summer.

This is typically where we hold our 2nd quarter meetings for ATLSMUG. In the absence of that event, we are moving forward with our own meeting to keep things going. I hope you will find yourself available to join us.

We’ll be back at the Microsoft Alpharetta campus (thank you Microsoft – Jim & crew are great!) looking to start our first presentation at 10 AM and ending around 3 PM. Hopefully this will solve the traffic challenges that I know many of you face getting to the event.

We’ve got some good stuff cooking up – Orchestrator, ConfigMgr, etc. However, if you have any urgent topics, we might still have time to work them in. Just drop us a note at leaders@atlsmug.org. Any other comments, suggestions, topics, etc are welcome, too.

And of course, if you want to be a presenter, we’re always looking for people. It’s a great environment for it! Round-table style presentations, open forum. Get your ideas heard and validated in a meeting of your peers. Great way to practice for larger venues for those of you wanting to break into the presentation circuit.

Where else in Atlanta are you going to get a day of systems management learning for free? With free lunch? And a prize giveaway? Only here, everyone. :)

Hope to see you there!


More details and registration -- http://www.atlsmug.org/events/register-now-july-22


P.S. Thank you Flexera for sponsoring us!

Apr 4, 2016

Excel and the Mysterious Hang

Sometimes, it’s hard just to figure out which needle you’re looking for in haystack. Once you got it figured out though, that needle will look like a big stick.

Question Mark 2My wife came home tonight asking me to look at her laptop. In the last week, her Excel program would hang trying to open Hyperion but would eventually find its way back home. She might have mentioned that Outlook was also opening slowly but having mistook the rest of her sentence as something related to finance, I promptly ignored it – my eyes fixed on the real prize: a chance to tinker.

When you don’t know where the problem is, sometimes it’s best to get all the information and start sifting it for signals. When I started off, I was SURE it was some kind of timeout problem so I immediately started with a packet trace.1 #NOPE There was nothing evident of a long or delayed response.

Well, I knew Excel was problematic (you know, since I forgot about Outlook) and decided to hone in on the processes involved with it. I fired up the handy little Sysinternals Process Monitor and had my wife run through her steps again. I captured the specimen and moved it into the laboratory for closer examination.


What I was looking for now was a gap. I knew there was some kind of delay or timeout and was hoping something in the procmon trace would show me. If you don’t use any filters to limit the information, no amount of hope is going to make it show up. I had to keep excluding things which was only marginally helpful. I gave up and went all in. I excluded anything that wasn’t Excel and hid all SUCCESS results.

By slowly dragging the net across the screen, I finally managed to see the little tear I was looking for. The time values jumped. That’s significant. It went from 6:42:48 to 6:43:27. It was nearly 40 seconds. That was when I knew what needle I was looking for and when that needle became a big stick.


The events immediately before and after showed reg key calls related to wpad. Hmm. Wpad. That’s familiar. In fact, it probably stands for Windows Proxy Auto Detect. #NOPE #2  According to Wikipedia, it actually stands for Web Proxy Autodiscovery Protocol.

The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.

If that’s really the problem coming out of Excel, I was willing to bet that Excel was using the proxy settings of Internet Explorer. I fired up IE. It hung. HELLZ YEAH. Looking at the LAN settings1 revealed all. While my wife was onsite at a different company, the local IT staff reconfigured her browser to use their proxy.


I unchecked the Use automatic configuration script setting. IE worked. Excel worked… and uhhh, yeah. So did Outlook. ;-)

Hope that helps you out! Happy hunting.


1 Did you know you can capture packets from a cmd prompt without Netmon, Message Analyzer, or Wireshark installed? Oh, yes, you can. http://marcusoh.blogspot.com/2014/10/using-netsh-to-capture-packets.html

2 You can view the LAN settings by navigating to the following path: Internet Explorer / Internet Options / Connections tab / LAN settings.

Mar 25, 2016

03.11.2016 User Group Survey

Hello everyone. I hope that you were able to make the Q1 Atlanta Systems Management User Group (ATLSMUG) meetup! For those that weren’t able to make it, it was a pretty fun event.

bigpiehome1We had some good stuff on Windows 10 from Bruce and Stephen, had a great selection of fantastic beer, had these amazingly large slices of pizza from Big Pie in the Sky, and had a turn out of over 30 people from three different user groups!

It was great to see so many familiar faces and to meet with new people from ATLPUG and WINVUG.

Now, we need some help from you. If you made the event, would you mind filling out our little survey? It’ll take you less than 2 minutes but will be immensely powerful in helping us understand what you like and want to get out of these events in the future.

Here’s the link: https://www.surveymonkey.com/r/HRLWFCT



Oh, by the way, if you’re looking for the content from the event, here are the slides:

Bruce Lyon’s Presentation
Stephen Owen’s Presentation 1/2
Stephen Owen’s Presentation 2/2


Mar 14, 2016

Accessing a Protected Domain Administrator Account

door, green, closed

As a good practice measure, the default domain administrator account which comes pre-installed with every Active Directory should be guarded from misuse. We all know this. To follow in this good practice, the account should be renamed from the default name and disabled.

So what happens if this account is the one you have to use to recover from a problem? Let’s say, for example, that all of your usual domain administrative accounts are somehow not accessible for use and requires you to get to this account. If it’s disabled, what do you do?

Should you find yourself in the scenario that you have a disabled administrator account AND know the password --

  • Boot up the domain controller to Safe Mode (make sure it is not Safe Mode w/ Networking.) This quasi-enables the account. You can at least log on with it.
  • Using the account and password, log in.
  • Open a command prompt and issue the following:

net user administrator /active:yes

Now you have an enabled default domain admin account. You can reboot the DC and presume as normal on what will probably be the worst day in your life. :)


Note: When you change the account password as a part of your routine process, make sure you verify that DCs receive the password change, in case you need it in a disaster scenario. You can easily validate replication by issuing the following command:

repadmin /showobjmeta <dc name> <admin account distinguished name>

Mar 1, 2016

03.11.2016 ATLSMUG Meet Up!

Hi everyone! Just a reminder of the upcoming 3/11 meet up which is just around the corner. We partnered with Microsoft and joined up with the Atlanta PowerShell User Group and the Windows Infrastructure and Virtualization User Group to bring you some special Windows 10 content.

Sorry it took so long to get the details out. We had some challenges rounding up some speakers as it looks like there are some other events going on around the same time. Well, that might be the case, but no other event is going to be doing a pizza and beer get together for you and your closest geeks while you learn some great Windows 10 info. Hope you’ll join us!

Bruce Lyons and Stephen Owens has graciously offered to present Windows 10 and other related content. Here’s what’s coming up:

+ browsers & apps
+ identity & security
+ configuration management
+ continuous innovation
+ implementation tips & tricks

Register for the event HERE. The condition for the funding is that we need 40 people registered so if you’re thinking of coming, don’t wait until the last minute. Every person counts! Also, we need your help to get the word out so please let your friends and coworkers know about this awesome event! SEE YOU THERE! :)

Feb 17, 2016

Community Roadshow 3.11.2016

Doing something a little bit differently this time. We’ve partnered with Microsoft to bring you timely content on Windows 10! I don’t have a complete schedule yet as we are still bringing in speakers for the event.

Mark your calendars now though and go register so you can get the clearance to show up! March 11, 2016.

At some point, Flatiron City will be a venue which opens up and becomes available for events like these. In the meantime, we’re still hosting out of Alpharetta. All of the details are going to show up here as we put it together. http://www.atlsmug.org/events/iti-community-roadshow-registration


So what’s different you ask? Well, a few things. First of all, we’re being joined by the Windows Infrastructure and Virtualization User Group as well as the Atlanta PowerShell User Group. Pretty cool, right? If nothing else, you’ll get exposure to the great folks in the other communities here in Atlanta.

Secondly, we typically do a full day meetup. Instead of that format, we are opting with a 12ish to 4ish configuration. Instead of the usual breakfast/lunch scenario, we’re going to do a PIZZA & BEER event! (and maybe some wine if you really want that…)

So bring your appetite for food and knowledge! Look forward to seeing you there. Drop me a personal note if you have any questions. My UG email is marcus.oh@atlsmug.org.

Jan 11, 2016

Microsoft Azure Tour in Atlanta

Sometimes I wonder about the effectiveness of Microsoft’s marketing engine. At any rate, if you haven’t already heard, the Azure Tour is happening right now. Atlanta’s turn is up this week, Thursday, 1/14/2016.

Still getting caught on up Azure?
Have some burning questions you need answered from experts?

It’s not too late to attend! Details below.

The Microsoft Azure Tour provides a free one day technical training event for IT professionals and developers to help you be more successful in using cloud.

Our top engineers from Redmond and independent experts from around the world will present 12 technical sessions and 3 unique hands-on opportunities covering the breadth of the Azure platform and the wealth of developer features including security, networking, big data, storage, identity, web, mobile, hybrid, containers, DevOps, open source, management, and the Internet of Things.

Featured speaker:  James Staten – General Manager of Cloud and Enterprise Strategy, Microsoft

Thursday, January 14, 2016

Hyatt Regency Atlanta
265 Peachtree Street NE
Atlanta, Georgia, USA, 30303

Continental breakfast, lunch and coffee breaks.

Registration opens at 7:30am. A reminder e-mail will be issued on December 29 with details.