VBS Script to add Lync Contacts to all users who are a member of a Group

This is based off and extends the LyncAddContacts.vbs script found here: http://www.expta.com/2011/01/introducing-lyncaddcontacts.html

After much searching on the web I was unable to find a script to meet my needs with Lync, so I put this together and cleaned it up a bit. This of course requires the LyncAddContacts script, with the dbimpexp.exe tool pulled from the Lync install DVD or ISO. You will also need a template user (which can be created with a mailbox, hidden from the Exchange address book, and disabled after all the contacts and groups have been added to it in Lync). You will also need to run this, and probably schedule it as a task, with an account that has all the permissions needed to export and import contacts for your Lync users. Since that account can read and overwrite every user's contact list, keep it a dedicated service account with only those rights rather than a domain admin.

To use this script, place it in the same directory as your other scripts on the Lync server and change the three values located near the top of the script (the template SIP address and the two Const variables). Enjoy.

Update: I changed the script a little; it turns out I should not use an @ symbol in a string, so I replaced it with Chr(64). Another gotcha I ran into was that the "Start in" path needs to be your scripts folder, with the exe and both vbs scripts, if you are using the Task Scheduler. Also this can be resource intensive, as it updates all the users directly through SQL, so either adjust your resources accordingly or only run this during early morning or late evening.

'Script used to import the contact groups of a template user into every member of an AD group in Lync
'Author: Paul Cardelli
'Date last Modified: 3/17/12
Option Explicit
Dim objRootDSE, strDomain, objGroup, objUser, WShell, arrMemberOf, strMember, strSIPTemplate, strMail

' SIP address of the template user whose contacts and groups are copied to everyone
strSIPTemplate = "LyncTemplateUser" & Chr(64) & "domain.com"
' Group whose members receive the template contacts (the domain DN is appended below)
Const strGroupCN = "LDAP://CN=All Users,ou=User Groups,"
' Folder that holds LyncAddContacts.vbs and dbimpexp.exe
Const strLyncScriptPath = "d:\Scripts\"

Set WShell = WScript.CreateObject("Wscript.Shell")

' Back up every user's existing contact list, then export the template user's contacts.
' The last argument (True) waits for each step to finish before the next one starts,
' so the imports below never run against an incomplete export.
WShell.Run "cscript " & strLyncScriptPath & "LyncAddContacts.vbs /backup backup.xml", 0, True
WShell.Run "cscript " & strLyncScriptPath & "LyncAddContacts.vbs " & strSIPTemplate, 0, True

' Retrieve domain information and the group's member list
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomain = objRootDSE.Get("DefaultNamingContext")
Set objGroup = GetObject(strGroupCN & strDomain)
arrMemberOf = objGroup.GetEx("member")

' Import the template contacts into each member, identified by e-mail address
For Each strMember in arrMemberOf
    Set objUser = GetObject("LDAP://" & strMember)
    ' Members without a mail attribute (nested groups, accounts without a mailbox) are skipped
    strMail = Empty
    On Error Resume Next
    strMail = objUser.Get("mail")
    On Error GoTo 0
    If Not IsEmpty(strMail) Then
        WShell.Run "cscript " & strLyncScriptPath & "LyncAddContacts.vbs /import " & strMail, 0, True
    End If
Next


Installing SCCM

Last week I was able to configure and set up System Center Configuration Manager (SCCM) at work. Here is a good online guide in case anyone wants to know what is involved: http://www.ahmedgroup.co.uk/articles/47/1/Step-by-step-guide-installing-SCCM-2007-Part-1/Page1.html

I would have to say a multi-site SCCM configuration is a beast to set up compared to Lync. You need to follow a guide to the letter when installing; otherwise it is really hard to troubleshoot. The most important parts to remember on both the site server and the secondary site servers are IIS, WSUS, WebDAV, BITS and Remote Differential Compression. Configuring WebDAV is not hard, but it has to be perfect or else you will end up chasing your own tail later. The Microsoft installer for SCCM does not check these components during the pre-check, which is why I bring it up.

Anyway, I'm deploying software packages and updates for now; later I'll have to figure out the rest of SCCM and the other modules that fit in.

Lync 2010

This week I installed Lync 2010 Standard Edition, and I was pleasantly surprised at just how easy Lync is to set up compared to previous versions of Office Communications Server and Live Communications Server. For the most part Lync 2010 requires just an Active Directory domain with a CA, and a server to call its own. Keep in mind users also have to be mail enabled, so Exchange may be needed, but upgrading to Exchange 2010 is not required (the only added benefit in 2010 is Lync integration with OWA).

The next part was the hardest to get over for me, which is adding contacts automatically for Lync-enabled users. The best way I have found to do this is to use the script I found on The EXPTA {blog}. The script leverages the dbimpexp.exe utility to export a user's contacts, which you can then import for a number of users or for individual users.

Also, as a side tip, after your address book syncs (which should take 60 seconds or less) you should be able to look up and add distribution groups in your Lync client, which will dynamically include any Lync-enabled users that are members of that group.

For "Domain Admin" users, to enable those accounts in Lync you first need to open Active Directory Users and Computers, turn on "Advanced Features" under the View menu, open each domain admin user, click on the Security tab, click Advanced, check "Include inheritable permissions from this object's parent", close the user in AD and enable the account right away in the Lync Control Panel. If you wait until later to enable like I did then you have to go through the whole process again. This is because members of protected groups such as Domain Admins are covered by AdminSDHolder: the SDProp process re-applies the protected ACL to them and clears inheritance again, roughly every 60 minutes, which undoes the change. Best practice in AD is to use the Domain Admin account as a secondary account and not your primary account, so if that is the case this should not be an issue.

I only have Standard installed right now, so my knowledge of Lync is limited to that scope; also I have not enabled all the voice features yet, although audio and video computer-to-computer seem to work out of the box, just not dialing out.

More to come, but until then I recommend reading Microsoft's deployment blogs on Lync and the TechNet library, both very helpful. Also check out this video if you want step-by-step base installation instructions for Lync 2010 Standard.

Upgrading Procurve switch firmware from USB

The ProCurve 5400zl series have a USB port that you can use to transfer files, in addition to TFTP and SCP/SFTP. Since I had a few of these to upgrade and they were in a lab environment (i.e. not connected to any "real" networks), I didn't want to bother setting up a TFTP server. The upgrade process is pretty straightforward and is similar to doing an upgrade via TFTP.

We can find the latest software for our ProCurve switches on the "Software for switches" page. Software ("firmware") updates do not require a valid login or service contract, unlike Cisco. I grabbed the latest version (at the time of writing), which is K.13.45 (be sure to read the release notes that accompany each release as well, prior to performing an upgrade; they list any boot ROM or minimum-version requirements). Save the downloaded .swi file to your USB flash drive and plug the flash drive into the switch.

To check what version of the software is currently running, issue the “show version” command:

SW1# show version
Image stamp: /sw/code/build/btm(t3a)
Aug 4 2008 15:08:24
Boot Image: Primary

We can see that we're running version K.13.25 and that we booted from the primary flash. We can see the current contents of flash, as well as our USB drive:

SW1# show flash
Image            Size(Bytes)  Date      Version
-----            -----------  --------  -------
Primary Image   : 7442476     08/04/08  K.13.25
Secondary Image : 6782942     12/07/07  K.12.57
Boot Rom Version: K.12.12
Default Boot    : Primary

SW1# dir

Listing Directory /ufa0:
-rwxrwxAwx 1 0 0 7442476 Nov 3 2008 K_13_25.SWI
-rwxrwxAwx 1 0 0 7494786 Oct 30 2008 K_13_45.SWI
SW1#

Because I've been running K.13.25 and it's been stable, I'm going to copy it to secondary flash and then overwrite the primary with the new software. We'll then reboot the switch with the new software (keeping the previous version in secondary as a "backup" in case anything goes wrong).

SW1# copy flash flash secondary

This command isn't very intuitive (and it takes a while as well), but here we're basically copying from flash to flash, with the secondary as our destination. In this case, the contents of the primary flash will be copied to the secondary. "copy flash flash primary" would copy the contents of the secondary into the primary. Let's verify what we have now:

SW1# show flash
Image            Size(Bytes)  Date      Version
-----            -----------  --------  -------
Primary Image   : 7442476     08/04/08  K.13.25
Secondary Image : 7442476     08/04/08  K.13.25
Boot Rom Version: K.12.12
Default Boot    : Primary

We can see that the contents of the primary have now been copied to the secondary as well. Let's copy the K_13_45.SWI image from the USB drive to primary flash:

SW1# copy usb flash K_13_45.SWI primary
The Primary OS Image will be deleted, continue [y/n]? y

After a moment, we'll see this message:

Validating and Writing System Software to the Filesystem ...

When the copy has completed, we need to reload the switch with the new software:

SW1# boot system flash primary
System will be rebooted from primary image. Do you want to continue [y/n]? y

The switch will take a minute to reboot (I won't bother pasting the complete bootup process) and then we can, again, use "show version" to verify that we're now running the latest software:

SW1# show version
Image stamp: /sw/code/build/btm(t3a)
Oct 17 2008 20:03:02
Boot Image: Primary

See, wasn't that easy? We've successfully upgraded the firmware, and we've also kept a backup copy of the previous software in case things go badly. If that happens, just issue the "boot system flash secondary" command to reload the switch with the previous software.

HP Procurve and Protecting VLANs with ACLs

How to protect an OOB management VLAN from access, or protect a VLAN from a switch on another VLAN (with another subnet, or another DHCP server) being plugged directly into it.

Now, some of this is still under testing, but I feel that I have pretty much mastered the art of ACLs to protect a VLAN such as one used to manage a bunch of devices (routers, switches, firewalls, UPSs, environmental monitors), or to keep traffic you would rather not see away from a VLAN or from devices plugged into a ProCurve switch.

Now, it is a network best practice to use ACLs to block traffic at the source. So this may seem a little backwards, but I want to use this ACL as a last line of defence, blocking traffic as it leaves the VLAN towards the device. So we will be using "out" and not "in" for the first part.

Another important thing to remember about ACLs is that every ACL ends with an implicit deny: anything not matched by a permit statement is dropped. So, as a best practice, I will only list the addresses that need access. You also have the choice between a standard and an extended ACL. Again I will keep this simple: if you want the flexibility to block only certain protocols or ports, or to allow access to only a portion of a subnet, look into extended ACLs. For this exercise we will only be permitting source IP addresses (all protocols) using a standard ACL.

Note: ACLs applied to a VLAN this way are RACLs (routed ACLs). They filter only routed traffic, so they take effect only if IP routing is enabled on the switch (layer 3); if this is a layer 2 only switch you will want a VACL instead. I will probably post information on VLAN ACLs later, but in short a VACL controls all traffic entering the switch from a particular VLAN, switched as well as routed. With that said, I'm assuming you will be using a layer 3 enabled switch for this exercise.

Here is the ACL I will create for access to the Out Of Band (OOB) management interfaces on my devices:

ip access-list standard "OOB-Access-out"
   1 remark "OOB subnet"
   2 permit
   10 remark "NPM System"
   11 permit host
   20 remark "IT Department"
   21 permit
   30 remark "Management Workstation"
   31 permit host

The "out" direction means the ACL is applied to routed traffic as it leaves the switch through the VLAN, i.e. to packets arriving from other VLANs on their way to the management devices. This can mean a number of things, but again it is important to keep it simple and focus on the primary goal: only allowing authorized subnets to reach the management devices.

Applying to your vlan is simple

vlan 6 ip access-group OOB-Access-out out

Observe that I used out instead of in. In the next example I will use "in" so that I block unauthorised traffic and avoid multinetting my VLAN.

ip access-list standard "OOB-Access-in"
1 remark "OOB subnet"
2 permit

Applying it to the VLAN is the same, but remember "in" instead of "out":

vlan 6 ip access-group OOB-Access-in in

The above standard ACL only lets traffic whose source address is in the OOB subnet be routed out of this VLAN; anything arriving on VLAN 6 from another subnet hits the implicit deny. You may need to extend it a bit to allow other traffic, but with a little testing it limits the damage when, for example, someone plugs a cable for one network into a jack on the other, so that a foreign subnet's traffic cannot leak into the rest of your network. One caveat: because a RACL filters only routed traffic, a mis-plugged device still talks at layer 2 to everything else in VLAN 6, so a rogue DHCP server handing out the wrong addresses on that VLAN is not stopped by this rule. For that case use a VACL, or the switch's DHCP snooping feature, which is built for exactly that problem.

There is a lot more you can do with ACLs, and extended ACLs offer much more, but I would recommend getting used to how standard ACLs work first, then moving on to extended ACLs.
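To make the evaluation rules above concrete, here is an added example (not from the original post) that models how a standard ACL is processed: entries are checked in order, the first match decides, and a source that matches nothing falls through to the implicit deny. It is used to pre-check a candidate "OOB-Access-out" list against the sources that must keep access, which is the check worth running before applying an ACL to the very VLAN you manage the switch from. All addresses, and the deny entry in the second list, are hypothetical.

```python
"""Added example, not from the original post: a small model of how a standard
ACL is evaluated (entries checked in order, first match wins, anything that
matches nothing is dropped by the implicit deny at the end), used to pre-check a
candidate management-VLAN ACL against the sources that must keep access before
the ACL is applied.  All addresses are hypothetical."""
from ipaddress import ip_address, ip_network

# Candidate "OOB-Access-out" ACL in switch evaluation order.  The entries mirror
# the remarks on the page; the networks are made up for the example.  A "host"
# entry on the switch is the same as a /32 here.
OOB_ACCESS_OUT = [
    ("permit", "10.6.0.0/24"),    # 2  remark "OOB subnet"
    ("permit", "10.1.2.10/32"),   # 11 remark "NPM System" (host entry)
    ("permit", "10.1.5.0/24"),    # 21 remark "IT Department"
    ("permit", "10.1.2.50/32"),   # 31 remark "Management Workstation" (host entry)
]

# Same list with an explicit deny placed before the IT-department permit, to show
# that ordering decides the outcome for an address covered by both entries.
OOB_ACCESS_OUT_WITH_DENY = [
    ("deny", "10.1.5.99/32"),     # one IT-department host that must not reach OOB
] + OOB_ACCESS_OUT


def evaluate(acl, src):
    """Return (action, matched_entry) for a source address.

    action is "permit" or "deny"; matched_entry is the network string of the
    first entry that matched, or None when the implicit deny-any applied.
    """
    ip = ip_address(src)
    for action, net in acl:
        if ip in ip_network(net, strict=True):
            return action, net
    return "deny", None  # nothing listed matched: implicit deny any


def lockout_check(acl, must_permit):
    """Return the must-permit sources the ACL would silently drop.

    Run this before "vlan 6 ip access-group <name> out" so that a typo in the
    management workstation's entry does not lock you out of the OOB devices.
    """
    return [src for src in must_permit if evaluate(acl, src)[0] != "permit"]


if __name__ == "__main__":
    # Constructed sample sources, as a quick pre-deployment check.
    for src in ("10.6.0.20", "10.1.2.10", "10.1.5.99", "192.168.1.20"):
        print(src, evaluate(OOB_ACCESS_OUT, src), evaluate(OOB_ACCESS_OUT_WITH_DENY, src))
    print("would be locked out:", lockout_check(OOB_ACCESS_OUT, ["10.1.2.50", "10.9.9.9"]))
```

The model is deliberately limited to what a standard ACL can see (the source address); an extended ACL would add destination, protocol and port to the match tuple, but the first-match and implicit-deny behaviour is the same.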

Windows Filtering Platform Audit Noise

Did you know that Windows Server 2008 and 2008 R2, as well as Vista, can pump out just as many audit logs as your standard hardware firewall? I can understand some audit trails for file access and user account changes, but logging every single TCP and UDP connection is a little over the top, considering Windows is already logging this in the firewall log. If you're tracking down a security issue on your network and you have a SIEM trying to correlate all these logs, then most of these additional logs are just noise. One caveat before disabling them everywhere: the connection events (event ID 5156) record which process made each connection, which the firewall log does not, so on servers where that telemetry matters it may be better to drop them at the collector than at the source.

There are a couple of ways of dealing with this little issue: one machine at a time, or by GPO. For me the Group Policy option is a must, as I don't have time to go through every server and every workstation that might have these audit logs turned on. The main one I want to focus on is called "Audit Filtering Platform Connection".

After much searching on the internet I found a pretty good blog that pointed me in the right direction:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access. Then double-click "Audit Filtering Platform Connection" and check only the box next to "Configure the following audit events". DO NOT CLICK THE OTHER TWO BOXES (Success and Failure); leaving both clear is what sets the subcategory to "No Auditing". Repeat for "Audit Filtering Platform Packet Drop". For advanced audit policy to win over any legacy category settings, also enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" under Local Policies -> Security Options, then confirm on a client with "auditpol /get /category:"Object Access"".

For the single-system solution, use these commands from an elevated prompt:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
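Before switching a subcategory off fleet-wide it is worth measuring how much of the log it actually accounts for. The following is an added example (not from the original post) that sizes up a Security log export, attributes the WFP events to the auditpol subcategory that produces them, and emits the same auditpol command as above for any subcategory that dominates the log. The CSV layout (Id and Message columns, as Export-Csv would write for a Get-WinEvent result) and the sample rows are constructed for the example.

```python
"""Added example, not from the original post: size up how much of a Security
log export is Windows Filtering Platform (WFP) audit noise, attribute it to the
auditpol subcategory that produces it, and emit the auditpol command for any
subcategory that dominates the log.  The CSV layout (Id and Message columns, as
Export-Csv on a Get-WinEvent result would give) and the rows are constructed."""
import csv
import io
from collections import Counter

# Event IDs written by the two WFP audit subcategories, keyed to the auditpol name.
WFP_SUBCATEGORY = {
    5152: "Filtering Platform Packet Drop",  # WFP blocked a packet
    5153: "Filtering Platform Packet Drop",  # a more restrictive filter blocked a packet
    5154: "Filtering Platform Connection",   # listen permitted
    5155: "Filtering Platform Connection",   # listen blocked
    5156: "Filtering Platform Connection",   # connection permitted
    5157: "Filtering Platform Connection",   # connection blocked
    5158: "Filtering Platform Connection",   # bind to local port permitted
    5159: "Filtering Platform Connection",   # bind to local port blocked
}

# Constructed sample export: one logon buried in WFP events.
SAMPLE_EXPORT = """\
TimeCreated,Id,Message
2012-03-17 08:00:01,4624,An account was successfully logged on.
2012-03-17 08:00:01,5156,The Windows Filtering Platform has permitted a connection.
2012-03-17 08:00:02,5156,The Windows Filtering Platform has permitted a connection.
2012-03-17 08:00:02,5156,The Windows Filtering Platform has permitted a connection.
2012-03-17 08:00:03,5156,The Windows Filtering Platform has permitted a connection.
2012-03-17 08:00:03,5156,The Windows Filtering Platform has permitted a connection.
2012-03-17 08:00:04,5156,The Windows Filtering Platform has permitted a connection.
2012-03-17 08:00:04,5157,The Windows Filtering Platform has blocked a connection.
2012-03-17 08:00:05,5152,The Windows Filtering Platform blocked a packet.
2012-03-17 08:00:05,5152,The Windows Filtering Platform blocked a packet.
"""


def parse_export(text):
    """Return (event_id, message) tuples from the CSV export."""
    return [(int(row["Id"]), row["Message"]) for row in csv.DictReader(io.StringIO(text))]


def noise_report(events):
    """Count WFP events per auditpol subcategory and their share of the whole log."""
    total = len(events)
    per_sub = Counter(WFP_SUBCATEGORY[eid] for eid, _ in events if eid in WFP_SUBCATEGORY)
    return {
        "total": total,
        "by_subcategory": dict(per_sub),
        "share": {sub: n / total for sub, n in per_sub.items()} if total else {},
    }


def auditpol_commands(report, threshold=0.5):
    """Return the auditpol command (the same form as on the page) for each
    subcategory whose share of the log exceeds threshold, in name order.
    An empty list means nothing dominates enough to be worth disabling."""
    return [
        'auditpol /set /subcategory:"%s" /success:disable /failure:disable' % sub
        for sub, share in sorted(report["share"].items())
        if share > threshold
    ]


if __name__ == "__main__":
    report = noise_report(parse_export(SAMPLE_EXPORT))
    print(report)
    for cmd in auditpol_commands(report):
        print(cmd)
```

To feed it a real export, something like Get-WinEvent -LogName Security | Select-Object TimeCreated, Id, Message | Export-Csv security.csv -NoTypeInformation produces the same three columns; the threshold is a judgement call, and the point of printing the commands rather than running them is that the 5156 process telemetry mentioned earlier is lost once they are applied.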


NetApp Reallocate Volumes and Aggregates

When adding disks to a NetApp aggregate it is usually to add performance as well as capacity. Unless you reallocate, WAFL will not perform much better: it favours the new, empty disks for new writes until they are as full as the existing disks, in an attempt to level out the disks. If you only added a couple of disks this can lead to hot spots and lower than expected I/O. Reallocating tells WAFL to spread the existing data across the new disks, so that free space, and therefore new writes, are distributed evenly over all disks.

So here are a few helpful commands that you will need to complete this simple optimization task. Depending on the size of your existing volumes and the number of disks you have added, this can take some time.

You must be in priv advanced to run these commands:

FILER1> priv set advanced

You need to run the following on each volume within the aggregate before you run it on the aggregate; -f forces a full reallocation regardless of the threshold and -p reallocates the physical blocks. This will take some time depending on the size of the data and the number of new disks.

FILER1*> reallocate start -f -p /vol/volumename

Here is the command to check the reallocation status. You can only do one volume or aggregate at a time, so use the following command to see whether it is time to move on to the next reallocate:

FILER1*> reallocate status -v


Reallocation scans are on
        State: Reallocating: Inode 677805, block 40384 of 10490701 (0%)
        Flags: doing_force,whole_vol,keep_vvbn
    Threshold: 4
     Schedule: n/a
     Interval: n/a
 Optimization: n/a

For SnapMirror destination volumes you will need to break the mirror first, since the destination is read-only; after the entire process is complete, resync the mirror.

FILER1*> snapmirror break volumename
FILER1*> reallocate start -f -p /vol/volumename

For the aggregate reallocation you will run the following command, only after running reallocate on all volumes within the aggregate:

FILER1*> reallocate start -A aggrname
FILER1*> reallocate status -v

Just remember that any volume that is a SnapMirror destination will need to be resynced after this is complete. I usually do so in FilerView, but this can be done from the command line as well.

To get out of priv advanced:

FILER1*> priv set admin