Archive for the 'PeopleProvision' Category

Exchange 2007 PowerShell Errors with New-Mailbox Cmdlet and IIS with ASP.NET

I recently was working on a customer implementation of our PeopleProvision solution and I needed to create a new Exchange mailbox for new user accounts in Active Directory. Our customer uses Exchange 2007 and, after installing the Exchange Management Shell that includes PowerShell cmdlets used to create mailboxes, the system seemed ready to go. I kept running into the following error, though, when trying to create the Exchange mailbox using the PeopleProvision web application and the New-Mailbox cmdlet.

Database "my-exchange-server\First Storage Group\Mailbox Database" was not found. Please make sure you have typed it correctly.

PeopleProvision runs on the ASP.NET 4 framework on IIS, in this case IIS 7.5 on Windows Server 2008 R2. Considering the fact that I could run the exact same mailbox command via a PowerShell command shell and successfully create a new mailbox, I knew this was a permissions issue with the process identity executing PowerShell on behalf of PeopleProvision. Figuring out the exact permissions required to allow the ASP.NET web application to work, though, took some time. My solution and approach follows.

Our Solution

Note: Be aware that this approach gives the application pool identity rights it would not otherwise have, so anyone who compromises that identity (or the worker process running as it) can create and modify Exchange recipients with it. For this particular instance, our customer is running a completely internal web application that has no public internet exposure outside the DMZ firewall. The only real security risk is from internal users savvy enough to compromise an IIS 7.5 worker process, so the residual risk is low in this case. The discussion at http://forums.asp.net/t/1272317.aspx/1/10 has some very good insight into this issue and proposes a slick approach using Microsoft WCF or WF to keep the privileged account out of the web process and so minimize its exposure.

The first thing to understand is which account is actually executing the Exchange Management Shell’s New-Mailbox cmdlet. In our case, we were using the built-in Network Service account (I prefer the application pool identity normally but we had some other issues that required Network Service) to run the application pool. After futzing around with lots of privilege elevation for the web server’s machine account (the way Windows identifies the Network Service account between two different machines), the Exchange commands still weren’t working.

Since impersonation is impossible with the Exchange 2007 cmdlets (you *can* impersonate in Exchange 2010 using remote PowerShell), the only way to change the execution context is to change the account running the PowerShell process. With an ASP.NET application on IIS 7.5, the execution context is the application pool identity. I created a dedicated service account to use to run the application pool for the web application, then added the service account to the local web server’s IIS_IUSRS group to allow it to properly run ASP.NET apps. I then added the service account to the AD domain’s Exchange Recipient Administrators group. This allows the account to create new mailbox recipients in Exchange 2007.

After a quick IIS restart, the solution allowed for creation of a new mailbox in Exchange using PowerShell running under an IIS application pool identity. In summary, be aware of your security context when working with web applications and work from the bottom up to determine the permissions your application actually needs. Also make sure you recycle the application pool (or restart IIS) after changing the app pool account or adding it to an AD group. A process's group memberships are fixed in its access token when it logs on, so a worker process that is already running keeps its old token and the new membership appears not to apply.
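The steps above, as an added example; this is not code from the original post or from PeopleProvision. It creates a dedicated domain service account, adds it to the Exchange 2007 "Exchange Recipient Administrators" group named above, makes it the IIS 7.5 application pool identity, recycles the pool and then checks that w3wp.exe really runs as that account. The domain, account, OU and application pool names are assumptions; run it elevated on the web server with the RSAT ActiveDirectory module installed.

```powershell
# Added example; not code from the original post or from PeopleProvision.
# Dedicated app pool identity for an ASP.NET app that calls New-Mailbox on
# Exchange 2007, following the steps the post describes (IIS 7.5, Server 2008 R2).
Import-Module ActiveDirectory
Import-Module WebAdministration
Add-Type -AssemblyName System.Web

$domain    = 'CORP'                                   # assumed NetBIOS domain name
$svcName   = 'svc-peopleprov'                         # assumed service account
$svcOu     = 'OU=Service Accounts,DC=corp,DC=example' # assumed OU
$appPool   = 'PeopleProvision'                        # assumed application pool name
$exchGroup = 'Exchange Recipient Administrators'      # Exchange 2007 group named in the post

# 1. Dedicated account: long random password, not meant for interactive use
#    (also deny "Log on locally" / "Log on through Remote Desktop" to it by GPO).
#    It needs no Domain Admins membership; the Exchange group below is enough.
#    IIS 7.5 cannot run a pool as a managed service account (that arrived with
#    IIS 8), so rotate this password on your own schedule.
$plain    = [System.Web.Security.Membership]::GeneratePassword(24, 6)
$password = ConvertTo-SecureString -String $plain -AsPlainText -Force
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOu `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'App pool identity for PeopleProvision; may create Exchange recipients'

# 2. The memberships from the post. IIS 7.x adds IIS_IUSRS to the worker-process
#    token at runtime unless processModel/manualGroupMembership is set, so the
#    local group add is harmless belt-and-braces; the Exchange group is what
#    actually lets New-Mailbox find the database and create the mailbox.
Add-ADGroupMember -Identity $exchGroup -Members $svcName
& net localgroup IIS_IUSRS "$domain\$svcName" /add

# 3. Run the pool as that account (identityType 3 = SpecificUser). IIS stores
#    the password encrypted in applicationHost.config; drop our plaintext copy.
Set-ItemProperty -Path "IIS:\AppPools\$appPool" -Name processModel -Value @{
    identityType = 3
    userName     = "$domain\$svcName"
    password     = $plain
}
Remove-Variable plain

# 4. Group membership is captured in the access token at logon, so the running
#    w3wp.exe keeps its old token until the pool is recycled (or IIS restarted).
Restart-WebAppPool -Name $appPool

# 5. Verify after the first request hits the site: every w3wp.exe serving this
#    pool should be owned by the service account, not NETWORK SERVICE.
function Get-AppPoolWorkerOwner {
    param([string]$PoolName)
    Get-WmiObject -Class Win32_Process -Filter "Name='w3wp.exe'" |
        Where-Object { $_.CommandLine -like "*-ap `"$PoolName`"*" } |
        ForEach-Object {
            $owner = $_.GetOwner()
            '{0}\{1} (pid {2})' -f $owner.Domain, $owner.User, $_.ProcessId
        }
}
Get-AppPoolWorkerOwner -PoolName $appPool
```

If step 5 still reports NETWORK SERVICE (or the machine account), the pool was not recycled or the identity change did not save; fix that before touching any more permissions, since every other symptom follows from which token the worker process holds.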

Active Directory Management Gateway Service (ADMGS) Errors and McAfee Anti-Virus Software

I posted last month about an issue with the Active Directory Management Gateway Service (ADMGS) on Windows Server 2008. The ADMGS (which runs as the Active Directory Web Services, ADWS, service) allows you to use the Active Directory module for Windows PowerShell to manage AD remotely in domains where there are no Server 2008 R2 domain controllers running.

I saw the following error messages when running the “import-module activedirectory” command in PowerShell.

The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

I was able to diagnose the ultimate cause based on my previous post but still was receiving errors even after mucking with NTFS directory permissions for temporary .NET files. I finally had the idea to check on anti-virus software to see if that was blocking the communication. Voilà! The domain controller had anti-virus software installed (in this case it was McAfee) and as soon as I adjusted the AV software configuration the AD connection was allowed. The log entries below help pinpoint the cause.

1/19/2012        5:22:05 PM        Blocked by Access Protection rule         NT AUTHORITY\SYSTEM        C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe        C:\Windows\TEMP\t0sggpq5.dll        Common Maximum Protection:Prevent creation of new executable files in the Windows folder        Action blocked : Create

1/19/2012        5:22:07 PM        Would be blocked by Access Protection rule  (rule is currently not enforced)         NT_DOMAIN\SRS-RMRES2-02$        System:Remote        C:\Windows\SYSVOL\domain\Policies\{1C9122E4-78CD-4001-A2E7-8BBCA348C893}\GPT.INI        Anti-virus Outbreak Control:Block read and write access to all shares        Action blocked : Read
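Reading those entries by hand works for two lines; on a busy domain controller the Access Protection log has thousands. The following is an added example (not code from the original post) that parses records like the two above into objects so you can list which rule hit which process and whether the rule was enforced or only reporting. The two sample records are rebuilt from the post as tab-separated lines; the field order (date, time, event, user, process, target, rule, action) is inferred from them and is an assumption about the log format, as is the default log location in the final comment.

```powershell
# Added example, not code from the original post: triage McAfee VirusScan
# Access Protection log records. Field order is an assumption inferred from
# the two entries quoted in the post.
function ConvertFrom-AccessProtectionLog {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        $f = $Line -split "`t"
        if ($f.Count -lt 8) { return }          # header, blank or truncated line
        $category, $ruleName = $f[6] -split ':', 2
        New-Object -TypeName PSObject -Property @{
            When     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'M/d/yyyy h:mm:ss tt',
                           [System.Globalization.CultureInfo]::InvariantCulture)
            Enforced = ($f[2] -notmatch 'Would be blocked')   # "would be" = report-only rule
            User     = $f[3]
            Process  = $f[4]
            Target   = $f[5]
            Category = $category
            Rule     = $ruleName
            Action   = ($f[7] -replace '^Action blocked\s*:\s*', '')
        }
    }
}

function Get-RuleHit {
    # Records whose process (or "System:Remote" pseudo-process for share access)
    # matches a pattern: the rules that need a process exclusion, as opposed to
    # switching the whole rule off for every host in the policy.
    param([object[]]$Records, [string]$ProcessLike)
    $Records | Where-Object { $_.Process -like $ProcessLike } |
        Select-Object When, Enforced, Rule, Action, Target
}

# Constructed sample, rebuilt from the two entries quoted in the post.
$sampleLog = @(
    ('1/19/2012', '5:22:05 PM', 'Blocked by Access Protection rule', 'NT AUTHORITY\SYSTEM',
     'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe', 'C:\Windows\TEMP\t0sggpq5.dll',
     'Common Maximum Protection:Prevent creation of new executable files in the Windows folder',
     'Action blocked : Create') -join "`t"
    ('1/19/2012', '5:22:07 PM', 'Would be blocked by Access Protection rule  (rule is currently not enforced)',
     'NT_DOMAIN\SRS-RMRES2-02$', 'System:Remote',
     'C:\Windows\SYSVOL\domain\Policies\{1C9122E4-78CD-4001-A2E7-8BBCA348C893}\GPT.INI',
     'Anti-virus Outbreak Control:Block read and write access to all shares',
     'Action blocked : Read') -join "`t"
)
$records = $sampleLog | ConvertFrom-AccessProtectionLog

# Rules that actually hit ADWS: candidates for excluding
# Microsoft.ActiveDirectory.WebServices.exe from that one rule.
Get-RuleHit -Records $records -ProcessLike '*\Microsoft.ActiveDirectory.WebServices.exe' |
    Format-Table -AutoSize

# Report-only rules that would break the domain if someone enforced them:
# here a DC machine account reading GPT.INI out of SYSVOL.
$records | Where-Object { -not $_.Enforced } | ForEach-Object {
    "NOT ENFORCED: '{0}' would block {1} of {2} by {3}" -f $_.Rule, $_.Action, $_.Target, $_.User
}

# On a real host (typical McAfee VSE 8.x location; verify for your version):
# Get-Content 'C:\ProgramData\McAfee\DesktopProtection\AccessProtectionLog.txt' |
#     ConvertFrom-AccessProtectionLog | Where-Object { $_.Enforced } | Group-Object Rule
```

The first record is the real cause: ADWS compiles XmlSerializer helpers into C:\Windows\TEMP at runtime, and "Prevent creation of new executable files in the Windows folder" stops exactly that. The narrow fix is to exclude the ADWS process from that rule rather than disable the rule; the second record is a reminder to look at the "would be blocked" entries too, because the share-blocking rule, if ever enforced, would cut the domain controller off from SYSVOL.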

So make sure to check your AV software if you have this kind of problem…it just might be the key to a solution!

Diagnose Active Directory Management Gateway Service (ADMGS) Errors

I recently worked on a Windows Server 2008 system with the Active Directory Management Gateway Service (ADMGS) installed. The ADMGS allows you to use the Active Directory module for Windows PowerShell to manage AD remotely in domains where there are no Server 2008 R2 domain controllers running.

The ADMGS service (which runs as the Active Directory Web Services, ADWS, service) worked fine for several months but decided to begin having problems recently. We saw the following error message when running the “import-module activedirectory” command in PowerShell.

The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

Needing to troubleshoot the source of the issue, I messed with the IncludeExceptionDetailInFaults attribute in the C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config file. However, this proved to be a daunting task for a number of reasons so I moved on to another solution. (View an example of setting the IncludeExceptionDetailInFaults attribute.)

Finally, I located a post that helped break this open. Adding a couple of debug keys in the <appSettings> section of the config file allowed me to log the ADMGS error on the server and diagnose the real source of the error.

<add key="DebugLevel" value="Info" />
<add key="DebugLogFile" value="C:\Windows\Debug\adws.log" />

DebugLevel takes one of the following names as its value (the numbers show the severity order only; the config key takes the name, not the number). Diagnostic output is written to the path you give in DebugLogFile.

  • 0 – No logging
  • 1 – Error (critical errors only)
  • 2 – Warn (warnings as well as errors) – recommended value unless you need full tracing
  • 3 – Info (verbose)

Once I set up debugging and restarted the ADMGS service, I got to the bottom of the problem with the error below and I can now address the permissions issue that is causing connection problems with the “import-module activedirectory” PowerShell command.

ActiveDirectoryWebServices: [xx/xx/2011 6:14:15 PM] [3] Get: Unhandled Exception System.UnauthorizedAccessException: Access to the temp directory is denied. Identity 'YOUR_DOMAIN\YourAccount' under which XmlSerializer is running does not have sufficient permission to access the temp directory. CodeDom will use the user account the process is using to do the compilation, so if the user doesnt have access to system temp directory, you will not be able to compile. Use Path.GetTempPath() API to find out the temp directory location.
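As an added example (not code from the original post), the following script turns the debug logging described above on or off by editing the DebugLevel and DebugLogFile keys, restarts the service, reads back any unhandled exception from the log, and then checks the permission that this particular exception points at: what the ADWS logon account can do in the temp directory that CodeDom compiles into. The config path, log path and service name ADWS are from the post; the backup file name and the assumption that a service without a loaded profile uses %SystemRoot%\Temp are mine. Run it in an elevated PowerShell on the domain controller.

```powershell
# Added example, not code from the original post: manage ADWS debug logging
# and check the temp-directory permission the logged exception complains about.
$configPath = 'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config'
$logPath    = 'C:\Windows\Debug\adws.log'

function Set-AdwsDebugLogging {
    param(
        [ValidateSet('Error', 'Warn', 'Info')][string]$Level = 'Warn',
        [string]$LogFile = $logPath,
        [switch]$Off          # remove both keys again once you have your answer
    )
    Copy-Item -Path $configPath -Destination "$configPath.bak" -Force   # assumed backup name
    [xml]$cfg = Get-Content -Path $configPath
    $settings = $cfg.SelectSingleNode('/configuration/appSettings')
    if (-not $settings) {
        $settings = $cfg.configuration.AppendChild($cfg.CreateElement('appSettings'))
    }
    $wanted = @{ DebugLevel = $Level; DebugLogFile = $LogFile }
    foreach ($key in $wanted.Keys) {
        $node = $settings.SelectSingleNode("add[@key='$key']")
        if ($Off) {
            if ($node) { [void]$settings.RemoveChild($node) }
            continue
        }
        if (-not $node) {
            $node = $settings.AppendChild($cfg.CreateElement('add'))
            $node.SetAttribute('key', $key)
        }
        $node.SetAttribute('value', $wanted[$key])
    }
    $cfg.Save($configPath)
    Restart-Service -Name ADWS     # the keys are read at service start
}

function Get-AdwsUnhandledException {
    param([string]$LogFile = $logPath, [int]$Last = 5)
    if (-not (Test-Path -Path $LogFile)) { return }
    Select-String -Path $LogFile -Pattern 'Unhandled Exception' |
        Select-Object -Last $Last | ForEach-Object { $_.Line }
}

function Test-AdwsTempAccess {
    # Which account does ADWS log on as, and what can it do in the temp folder?
    # For LocalSystem / NT AUTHORITY accounts that folder is %SystemRoot%\Temp
    # (assumption for a custom domain account: its own profile TEMP instead).
    # The McAfee entry quoted in the post above shows the same folder being
    # blocked for ADWS by an Access Protection rule, so check AV too.
    $svc     = Get-WmiObject -Class Win32_Service -Filter "Name='ADWS'"
    $tempDir = Join-Path $env:SystemRoot 'Temp'
    New-Object -TypeName PSObject -Property @{
        LogonAccount = $svc.StartName
        TempPath     = $tempDir
        Access       = (Get-Acl -Path $tempDir).Access | ForEach-Object {
                           '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                       }
    }
}

Set-AdwsDebugLogging -Level Warn
# ... reproduce the failing "import-module activedirectory" from a client, then:
Get-AdwsUnhandledException
Test-AdwsTempAccess | Format-List
# When finished, do not leave Info-level logging running in C:\Windows\Debug:
# Set-AdwsDebugLogging -Off
```

Two caveats a practitioner will want: the log lands in C:\Windows\Debug with whatever ACL that folder has, and at Info level it is verbose, so treat it as sensitive and remove the keys with -Off once you have your stack trace; and if the access list shows the logon account has Modify on the temp folder yet the exception persists, the block is coming from something other than NTFS (the anti-virus post above is the worked case of that).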

Active Directory management built for MSPs

We have been getting a ton of traffic lately from MSPs that are becoming more and more frustrated with managing data and accounts in Active Directory and the operational costs associated with this menial task. Most of the administrators have been toying with the idea of actually creating their own web applications to delegate out to their customers, but cannot find the time.

The MSPs that do eventually break down and start looking for existing tools find them to be very complicated for their needs and are priced to meet enterprise needs and not theirs (a per-user model).

We have been hit over the head too many times to not make an attempt to satisfy MSP’s needs, so WebAD is now providing tools specific to the MSP market and priced at a low fixed monthly rate.

Call us to learn more about this offering for MSPs and let us show how we can meet the needs of Active Directory account and data management and meet your pricing expectations. You may also ask us how some MSPs are actually turning our tools into a revenue source as well!

Call me at +1 (800)747-3565 or email me at Steve.denney@webactivedirectory.com for more information.

Active Directory Provisioning with PowerShell: Extensibility and Power without Costly Implementation (Part 4 of 4)

We’ve been looking this week at Web Active Directory’s new PeopleProvision solution for automating and delegating the Active Directory account creation process. Today we present the final post of our blog series and look more closely at PowerShell’s role in the PeopleProvision platform. PowerShell empowers PeopleProvision to deliver the most business value by providing extensibility and customization for the unique account creation needs in your organization.

In the first three posts, we looked at common software implementation practices that raise costs through expensive implementation services, examined the PeopleProvision user experience, and discussed the keys to implementing PeopleProvision quickly. Now it’s time to glue together all these pieces with PowerShell.

PowerShell, Microsoft’s command shell and scripting platform for system administration, acts as the engine that makes PeopleProvision go. In essence, the PeopleProvision solution includes a best practice-based web front end with powerful provisioning rules, a simple-to-implement deployment scheme, and a back end work horse comprising PowerShell cmdlets and scripts. Data collected through the front end gets processed through the rules and then passed on to PowerShell to do the real work.

The default PowerShell scripts in PeopleProvision complete a ton of tasks for you during the user creation process.

  • Create Active Directory user accounts
  • Set AD user properties
  • Create Exchange mailboxes
  • Create user home shares and map local drives
  • Set profile and logon script paths
  • Add users to groups

It doesn’t stop there, though. Using PowerShell, you can extend PeopleProvision to accomplish a host of other tasks. Need to create an Active Directory contact for the new account? No problem! PowerShell can do that. Want to send an email to the new user account’s manager once the account is created? PowerShell can handle that, too. In fact, PowerShell enables you to customize PeopleProvision to handle a slew of business processes…you’re only limited by your imagination!

WebAD provides assistance getting you up and running with the default PowerShell scripts shipped with PeopleProvision. You can take it from there or engage WebAD—or any other provider you’d like—to further customize your provisioning process. You don’t have to spend tens or hundreds of thousands of dollars to get powerful provisioning with PeopleProvision and PowerShell on your side!

Active Directory Provisioning with PowerShell: Extensibility and Power without Costly Implementation (Part 3 of 4)

This is Part 3 of Web Active Directory’s blog post series highlighting our new PowerShell-enabled platform. We introduced the series with an examination of how other software vendors approach provisioning with costly implementation services and then looked at WebAD’s PeopleProvision solution more closely.

In this post, we look at how easy it is to implement PeopleProvision to help delegate and automate the Active Directory and Exchange mailbox provisioning processes. The final post in our series shows how leveraging PowerShell for easy customization and extensibility allows you to easily model your business logic using a well-known, proven technology platform.

Implementation services can generate a lot of dollars for software companies and many software vendors rely on these services as a key revenue stream. Since companies earn revenue from implementation services, the companies are incented to maximize the money they earn while implementing their software products and the cost for implementation often goes sky high, even approaching the cost of the software itself.

Web Active Directory takes a different approach to implementation services. Throughout our history, we’ve focused on producing useful software that installs quickly and easily without requiring implementation services. Now that we’ve crossed the road into provisioning with the PeopleProvision solution, we plan to preserve the goal of emphasizing software usage over implementation services. PeopleProvision takes less than 30 minutes to install and just an hour or two to configure (after pre-requisites are installed, of course) and we help you with this process.

Better yet, the out-of-the-box PeopleProvision functionality—AD account creation, Exchange mailbox creation, home share creation and mapping, address and organizational AD attribute data population—enables many organizations to get up and running merely by creating a few provisioning rules. Your organization can have a fully-functional AD/Exchange provisioning implementation running in only a few hours!

We do see more complex scenarios where organizations require custom business rules processing when creating new AD accounts and Exchange mailboxes. In these cases, we work with you to analyze your needs and provide a full scope of work before moving forward. This means you know exactly what we’re going to do and how much it will cost so you can decide how to proceed. No long, costly implementation engagements for weeks at a time…just a simple, straightforward bid for only the work you need to get up and running for your custom needs.

Best of all, you can do all your customizations yourself with no implementation services from WebAD since we provide the PowerShell script source code to you. This allows your organization to leverage its PowerShell expertise and save some cash along the way.

We present the final post in our blog series tomorrow where we’ll check out how PowerShell empowers PeopleProvision to go way beyond out-of-the-box provisioning and really energize your organization’s provisioning processes.

Active Directory Provisioning with PowerShell: Extensibility and Power without Costly Implementation (Part 2 of 4)

We are taking a look at Web Active Directory’s new PowerShell-enabled platform this week in a series of blog posts. We introduced the series by discussing how many software companies like to squeeze every red cent from their customers by using proprietary technologies that require costly implementation services.

This post introduces WebAD’s PeopleProvision tool to help delegate and automate the Active Directory and Exchange mailbox provisioning processes without requiring complicated implementations or extensive training. The next two posts in the series examine the keys to a quick PeopleProvision implementation and finally—perhaps most important of all—the benefits of exposing business logic in PowerShell for easy customization and extensibility without requiring extensive consulting services.

WebAD introduced PeopleProvision earlier this summer to make it simple and affordable to implement a custom provisioning tool for creating Active Directory accounts and Exchange mailboxes. There are a number of solutions of varying capabilities and price on the market today but our customers kept telling us something was missing. After analysis of the current IdM provisioning playing field, we introduced our PeopleProvision solution with three main goals.

  1. Deliver a solution that doesn’t blow your budget out of the water.
  2. Enforce best practices in provisioning through application design while keeping the application itself very simple to use and administer.
  3. Allow powerful extensibility and customizations using well-known, proven technologies.

With these goals in mind, we spent a significant amount of time analyzing the key activities in most common provisioning processes. This analysis garnered three main pieces of information that determine most AD attribute values for new accounts and PeopleProvision uses this information to help drive the information populated in Active Directory and Exchange when creating accounts and mailboxes.

  1. Office location: Address information as well as distribution and security group membership
  2. Department: Organization information as well as distribution and security group membership
  3. Job title: Very targeted distribution and security group membership

Once we had a feel for the provisioning activities, we began to develop a design approach that puts the users first—both end-users and system administrators—to make the application easy to use and intuitive to administer. This design approach allowed us to produce a simple and elegant user experience that emphasizes form and functionality.

Simple Design Philosophy for PeopleProvision v1.0

PeopleProvision v1.0 UX Design

This simple 10-field form collects all the information necessary to create a new Active Directory user account and Exchange mailbox with the following features.

  • Full attribute population including address, telephones, organization, manager, email address and unique account name
  • Custom profile settings including profile directory path, login script and a mapped user home drive with the user share already created and NTFS permissions applied
  • Group memberships including security and distribution groups
  • Exchange mailbox creation on the correct database with proper limits applied
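To make the feature list concrete, here is what one run of those steps looks like in PowerShell. This is an added example and not PeopleProvision's own script; it covers the list above and the task list in the Part 4 post (unique account name, address and organisation attributes, profile path, logon script, a mapped home drive whose folder is created and ACLed, rule-driven group membership, and a mailbox on a chosen Exchange 2007 database with explicit limits), driven by the office / department / title rules the post describes. The rules, domain, OUs, file server, groups, database and the new hire are all constructed for the example. It needs the ActiveDirectory module and the Exchange 2007 management snap-in and must run as an account allowed to create users, folders and mailboxes.

```powershell
# Added example; not PeopleProvision's own script. Provisions one new hire
# from the three rule drivers (office, department, title) in the post.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction Stop
Add-Type -AssemblyName System.Web

# Provisioning rules keyed on the three drivers from the post (assumed values).
$officeRules = @{
    'Austin' = @{ StreetAddress = '100 Congress Ave'; City = 'Austin'; State = 'TX';
                  PostalCode = '78701'; Groups = @('GG-Office-Austin', 'DL-Austin-All') }
}
$departmentRules = @{ 'Finance' = @{ Company = 'Contoso'; Groups = @('GG-Finance', 'DL-Finance') } }
$titleRules      = @{ 'Controller' = @{ Groups = @('DL-Finance-Leadership') } }

$usersOu     = 'OU=Staff,DC=corp,DC=example'
$upnSuffix   = 'corp.example'
$homeRoot    = '\\fs1\home$'       # hidden share; admins hold rights at the root
$homeDrive   = 'H:'
$profileRoot = '\\fs1\profiles$'
$logonScript = 'logon.bat'
$mailboxDb   = 'EXCH1\First Storage Group\Mailbox Database'

# The form input for this run (constructed).
$hire = @{ GivenName = 'Jane'; Surname = 'Doe'; Office = 'Austin'; Department = 'Finance';
           Title = 'Controller'; Manager = 'jsmith'; OfficePhone = '+1 512 555 0100' }

# Pin every call to one DC so Exchange sees the user we just created instead
# of waiting on replication.
$dc = (Get-ADDomainController).HostName

function New-UniqueSamAccountName {
    # First initial + surname, lower-cased, with a numeric suffix until unused.
    param([string]$GivenName, [string]$Surname, [string]$Server)
    $base = (($GivenName.Substring(0, 1) + $Surname).ToLower() -replace '[^a-z0-9]', '')
    $candidate = $base; $n = 1
    while (Get-ADUser -Server $Server -Filter "SamAccountName -eq '$candidate'") {
        $n++; $candidate = "$base$n"
    }
    $candidate
}

function Grant-HomeFolder {
    # Create the folder and give the user Modify, not Full Control, so they can
    # work in it but cannot re-ACL it and hand it out to others.
    param([string]$Path, [string]$Account)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$sam    = New-UniqueSamAccountName -GivenName $hire.GivenName -Surname $hire.Surname -Server $dc
$name   = "$($hire.GivenName) $($hire.Surname)"
$home   = Join-Path $homeRoot $sam
$office = $officeRules[$hire.Office]
$dept   = $departmentRules[$hire.Department]
$title  = $titleRules[$hire.Title]

# One-time random password; the user is forced to change it at first logon.
$initialPassword = [System.Web.Security.Membership]::GeneratePassword(16, 3)

New-ADUser -Server $dc -Name $name -DisplayName $name -SamAccountName $sam `
    -UserPrincipalName "$sam@$upnSuffix" -GivenName $hire.GivenName -Surname $hire.Surname `
    -Path $usersOu -Title $hire.Title -Department $hire.Department -Company $dept.Company `
    -Manager $hire.Manager -Office $hire.Office -OfficePhone $hire.OfficePhone `
    -StreetAddress $office.StreetAddress -City $office.City -State $office.State `
    -PostalCode $office.PostalCode `
    -HomeDirectory $home -HomeDrive $homeDrive -ProfilePath (Join-Path $profileRoot $sam) `
    -ScriptPath $logonScript `
    -AccountPassword (ConvertTo-SecureString -String $initialPassword -AsPlainText -Force) `
    -ChangePasswordAtLogon $true -Enabled $true

Grant-HomeFolder -Path $home -Account "CORP\$sam"

# Group membership is the union of the office, department and title rules.
$groups = @($office.Groups) + @($dept.Groups) + @($title.Groups) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($g in $groups) { Add-ADGroupMember -Server $dc -Identity $g -Members $sam }

# Mailbox on the database the rules chose, with explicit quotas rather than
# whatever the database default happens to be.
Enable-Mailbox -Identity $sam -Database $mailboxDb -DomainController $dc | Out-Null
Set-Mailbox -Identity $sam -DomainController $dc -UseDatabaseQuotaDefaults $false `
    -IssueWarningQuota 900MB -ProhibitSendQuota 1GB -ProhibitSendReceiveQuota 1200MB

"Created $sam ($name); hand the initial password to $($hire.Manager) out of band."
```

Two design choices worth pointing out: the user gets Modify rather than Full Control on the home folder, so a new hire cannot re-ACL it and expose it to the whole company, and the initial password is random and single-use rather than a department-wide default, which is the most common weakness in hand-rolled provisioning scripts.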

PeopleProvision can do all this work based on 10 fields or fewer because it understands the key pieces of information along with the rules needed to process that information. The customizable form gathers the key information using a simple interface that enforces data integrity while providing help documentation directly on the page. Check out our PeopleProvision videos to see how easy it is to create a new user and administer provisioning rules used to create AD accounts and Exchange mailboxes.

Tomorrow we’ll look at the simple implementation process that WebAD uses to get PeopleProvision up and running in your environment. And then the fun begins with an examination of how PowerShell really gets the PeopleProvision engine going in the final post of the series.

Active Directory Provisioning with PowerShell: Extensibility and Power without Costly Implementation (Part 1 of 4)

Too often, software companies want absolute control of their black box of intellectual property (IP). These companies only want extensibility and customizability if it means more revenue from implementation services. A few companies in our space have even developed their own scripting languages to make customers pay for more services or training to learn yet another proprietary language technology.

We take a much different approach in our software efforts. Our new platform leverages Microsoft’s PowerShell technology to empower system engineers and administrators to extend applications using technology they already understand. We want to keep our solutions easy to deploy, a cinch to maintain and a snap to extend to meet new and ever-changing business needs. While other software companies catch the fish for you and then sell them at a costly markup we prefer to teach you to fish using a platform that you know and use on a regular basis.

PeopleProvision—WebAD’s first application built on our new PowerShell-enabled platform—allows you to delegate and automate Active Directory account and Exchange mailbox creation. PowerShell provides the heavy lifting and you get the benefit of access to the PowerShell source code so you can extend PeopleProvision’s behavior to meet the business requirements of your organization.

Over the next three blog posts, we will examine how PeopleProvision and its accompanying PowerShell toolkit empower you to take control of your provisioning and de-provisioning processes with a minimum of costly software licensing and implementation costs. We look at the PeopleProvision solution itself in more detail in Part 2 tomorrow and then delve into the secrets of a small implementation in Part 3 the next day. Finally, we teach you to fish in Part 4 by linking the PowerShell specifics to the PeopleProvision front end.

Join us for our journey through PeopleProvision and learn how you can automate and delegate your account provisioning and de-provisioning at an affordable cost of money, time and effort.

Sources of Motivation for Creative Types

One of the folks at 37signals posted an interesting blog article recently about motivation—or lack thereof—and the sources of motivation. You can reference the entire post here and the excerpt below stimulated interesting conversation here at WebAD among our developers and I’ve included those comments at the bottom of this article.

37signals Blog Post Excerpt

When you’re not working on something you’re inspired by, your efficiency is so much lower. You find more moments in the day to let yourself be distracted by email or reading on the Web or something else. That’s usually the key smell I detect when I’m working on something I don’t really want to be working on: I check email much more frequently and I engage in chats about things that aren’t related to what I should be working on.

On the flip side, when I’m working on something I’m really fired up about, I couldn’t care less about new posts on Twitter or whatever. Instead, I get whatever I’m working on done right away.

-From Whatever interests you naturally is the most important thing to work on 

WebAD Thoughts

Our developers and creative types at WebAD have the same issues the poster mentions. This helps explain a lot about why we sometimes can’t seem to finish—or even start—certain projects that are important but are just not that fun or rewarding to work on. You almost have to lock yourself away from the typical distractions to get any work done and this is also a good time to look for motivation by teaming up on a difficult project with someone else.

Jamison Morrow’s Comments

The article describes the personality type of most creative individuals. Speaking personally, when I’m uninspired by something it takes me at least twice as long… and I tend to procrastinate. However, when something truly has my interest, I’m an unstoppable force. I don’t even really sleep well because my brain never shuts off until I’m finished with the task.

One of the commenters on this article actually had a good point though. Sometimes, it’s beneficial to work with somebody else when powering through uninspired tasks. There were certain portions of PeopleProvision that were knocked out more quickly because I paired up with someone on them.

