Bulk Converting Global Groups to Universal and Mail Enabling

We have started trying to better organise our groups into a more role based system, so that membership of one group is based on a role rather than a person. That way if the person holding a position changes (holiday, retirement, etc) we just make one change and the replacement user gets all the correct rights. e.g. <user> -> HT Subject -> Executive, rather than <user> -> Executive.

The problem with this is when an email is sent to a mail enabled group, all the member groups of that group must be mail enabled for their members to receive the email. So I needed to bulk mail enable a container of groups, and also hide these new groups from the Address Book as they don’t need to be visible to staff.

Exchange 2010 only allows you to mail enable a group if it is a Universal group, and then only one at a time from the EMC. To convert all the Global groups in a particular container to Universal groups, I used the following PowerShell command.

Import-Module ActiveDirectory
# List the Global security groups in the container as a table
Get-ADGroup -SearchScope Subtree -SearchBase "OU=StaffGroups,OU=Staff,DC=win" -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"}  | Format-Table

# Convert Global groups to Universal
Get-ADGroup -SearchScope Subtree -SearchBase "OU=StaffGroups,OU=Staff,DC=win" -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"}  | Set-ADGroup -GroupScope Universal
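
With role groups nested inside each other, the bulk conversion can fail part way: Active Directory refuses to convert a Global group to Universal while it is still a member of another Global group, so the containing groups have to be converted first. The following is an added example, not part of the original post, that converts in passes and defaults to a dry run; the $apply switch and the Get-GlobalParent helper are names made up for this sketch, and it assumes a single domain.

```powershell
Import-Module ActiveDirectory

# Assumption: same container as in the post; adjust to suit.
$base   = "OU=StaffGroups,OU=Staff,DC=win"
$filter = 'GroupCategory -eq "Security" -and GroupScope -eq "Global"'

# Hypothetical switch: leave $false for a dry run, set $true to convert.
$apply = $false

function Get-GlobalParent {
    # Hypothetical helper: Global groups that $Group is a direct member of.
    param($Group)
    foreach ($dn in $Group.MemberOf) {
        $parent = Get-ADGroup -Identity $dn
        if ($parent.GroupScope -eq 'Global') { $parent }
    }
}

do {
    $converted = 0
    $pending = @(Get-ADGroup -SearchScope Subtree -SearchBase $base -Filter $filter -Properties MemberOf)
    foreach ($g in $pending) {
        # A Global group that sits inside another Global group cannot be converted yet.
        $blockers = @(Get-GlobalParent -Group $g)
        if ($blockers.Count -gt 0) {
            $names = ($blockers | ForEach-Object { $_.Name }) -join ', '
            Write-Warning ("{0} is still a member of Global group(s): {1}" -f $g.Name, $names)
            continue
        }
        if (-not $apply) {
            # Dry run: report what would change without touching the directory.
            Set-ADGroup -Identity $g -GroupScope Universal -WhatIf
            continue
        }
        try {
            Set-ADGroup -Identity $g -GroupScope Universal -ErrorAction Stop
            $converted++
        } catch {
            Write-Warning ("{0} was not converted: {1}" -f $g.Name, $_.Exception.Message)
        }
    }
    # Another pass picks up groups whose parents were converted in this one.
} while ($converted -gt 0)
```

In the dry run, nested groups are reported as blocked even though a later pass would convert them once their parents are Universal. Warnings that remain after a real run point at parent groups outside the container.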

Once the groups were converted to Universal, I wanted to enable them as Distribution groups in Exchange and hide them from the Global Address Book. These groups are role based and need to exist for group expansion in Exchange, but I don’t want them visible to everyone.

# Load AD Modules
Import-Module ActiveDirectory

# Load Exchange Snapins
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
. $env:ExchangeInstallPath\bin\RemoteExchange.ps1
Connect-ExchangeServer -auto

# Get list of Groups not Mail Enabled
$b = Get-ADGroup -SearchScope Subtree -SearchBase "OU=StaffGroups,OU=Staff,DC=win" -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Universal" -and mail -notlike "*"}

# Enable email for each group, use the Group name without spaces as Alias
$b | ForEach-Object { Enable-DistributionGroup -Identity $_.DistinguishedName -Alias ($_.Name -replace '\s|,|\.') }

# Hide the newly created groups from Global Address book
$b | ForEach-Object { Set-DistributionGroup -Identity $_.DistinguishedName -HiddenFromAddressListsEnabled $true}
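
Stripping spaces, commas and full stops from the group name can give two different groups the same alias, and it leaves any other punctuation in place. The following pre-flight check is an added example, not part of the original post; it reuses the post's filter and replace pattern, and the allowed-character test is a deliberately conservative assumption rather than Exchange's exact rule.

```powershell
Import-Module ActiveDirectory

# Assumption: same container and alias rule as in the post.
$base   = "OU=StaffGroups,OU=Staff,DC=win"
$groups = @(Get-ADGroup -SearchScope Subtree -SearchBase $base -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Universal" -and mail -notlike "*"})

# Derive each alias exactly as the bulk command does.
$plan = @($groups | ForEach-Object {
    New-Object PSObject -Property @{
        Name  = $_.Name
        DN    = $_.DistinguishedName
        Alias = ($_.Name -replace '\s|,|\.')
    }
})

# 1. Different names can collapse to one alias, e.g. "HT Maths" and "HT.Maths"
#    (constructed names). Group-Object compares case-insensitively by default.
$collisions = @($plan | Group-Object -Property Alias | Where-Object { $_.Count -gt 1 })
foreach ($c in $collisions) {
    $names = ($c.Group | ForEach-Object { $_.Name }) -join '; '
    Write-Warning ("Alias '{0}' is shared by: {1}" -f $c.Name, $names)
}

# 2. Conservative character check (assumption: letters, digits, - and _ only).
#    An empty alias also fails this test.
$odd = @($plan | Where-Object { $_.Alias -notmatch '^[A-Za-z0-9_-]+$' })
foreach ($o in $odd) {
    Write-Warning ("Alias '{0}' from group '{1}' still has characters the replace did not strip" -f $o.Alias, $o.Name)
}

if ($collisions.Count -eq 0 -and $odd.Count -eq 0) {
    "All {0} aliases are unique within this batch" -f $plan.Count
}
```

The check only compares aliases within the batch; it does not look for clashes with recipients that already exist in Exchange.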
 

Notes:

  • Details on replacing letters for alias is from here.
  • Mike Pfeiffer’s blog had great instructions on how to load Exchange snap-ins into a normal PowerShell session, such as in ISE.
  • I found a few sites that mentioned using get-group instead of get-adgroup. Not sure why the wrong command is given. Petri

Encrypt Offline Files – Access Denied

On a Windows 7 laptop I was trying to set up Offline Files with encryption enabled. After syncing the files and going into Manage Offline Files -> Encryption -> Encrypt everything seemed to go OK, but it would then keep reporting Access Denied when it tried to sync any new files.
After some searching I found this post which mentioned an expired Recovery Key in Group Policy. After checking the Group Policy object on the server I discovered there was an old Recovery Key stored in the EFS policy from when it was first set up. After regenerating the key and importing it into the policy, a gpupdate /force on the laptop and a reboot fixed the issue.


Fuji-Xerox Network Scanning: Error 027-516

As part of a test for removing legacy protocols from the network I disabled NetBIOS over TCP/IP to see if any system would be adversely affected.

Disabled NetBIOS

After disabling NetBIOS for the server used by our Fuji-Xerox ApeosPort-II 4000 photocopier, the Network Scanning feature was unable to upload the scanned file to the SMB server. Instead it would return a 027-516 error code.

To verify the problem I re-enabled NetBIOS and it immediately started working again.

I contacted Fuji-Xerox to check if they had a fix for the problem. I was advised that this can only be changed in newer versions, ApeosPort >=3, and that it was considered a “Feature”. The only way for an AP-II device to work with a server with NetBIOS disabled is to use the FTP transmit method.

AP-III NetBIOS Setting

After checking on one of our ApeosPort-III C3300, I found the page mentioned that allows the setting to be changed.

It appears that the use of NetBIOS by the AP-II is hardcoded, and although it has DNS settings set, they are ignored for server name resolution. Considering this photocopier is still being produced and sold, I find it interesting that it relies on outdated protocols like NetBIOS. (ApeosPort-II 3000, 4000, 5010, 6000, 7000 are the main black and white photocopiers available to DET NSW Schools)


Papercut

I have received a few questions asking about Papercut so here are some of the details about it and what we use it for.

Papercut can run on a Windows Server (2003, 2008 or 2008 R2) using Windows print queues, or on a Novell Linux OES server with iPrint (CUPS & SAMBA). It is written in Java with some wrappers for the OS in use.

We originally ran it on a Server 2003 R2 (x86) but have recently updated to a Windows 2008 R2 (x64) print server. The main reason for the upgrade was to provide up-to-date drivers for Windows 7 32 & 64-bit. We also run the Papercut MF version which costs A LOT more, but allows you to use it with external devices, such as photocopiers.

Papercut has some really useful features. Card recharge allows you to generate top-up cards and print them out yourself. Then you just cut them up and give them to the office (or canteen) to sell to the students. This makes recharging much easier, with no need for office staff to log in to an admin console to top up accounts.

We recently had a student laptop roll-out (NSW DER). These laptops are not on our domain, so they needed an alternative way to print. Papercut has a feature called WebPrint which allows students to upload MS Office or PDF files to a website and have them printed to the chosen printer. You need to run software for it on a Windows PC (server or client) which automatically opens the document and prints it to the chosen printer. As our print server is running Windows and is a virtual machine, we just configured it to auto-login as a limited user we created and installed Office and Acrobat.

We use the reports function for auditing staff accounts and charging printer usage back to faculties. Staff are automatically added to different charge accounts based on their AD group membership.

We have just started using Advanced Scripting to charge staff different prices than students on shared copiers and printers.
The following script is what we use, as it is based on how faculties are invoiced at the end of each term. It is based on the Papercut recipe “Discount for staff” with a few changes.

/*
* Change Pricing for staff
*
* Staff are charged based on cost to school.
*
*/
function printJobHook(inputs, actions) {

var DISCOUNT_GROUP   = "Staff-All";
var COST_COLOUR  = 0.07; // Click Rate of Colour
var COST_BW  = 0.02;  // Click Rate of B/W
var COST_A4  = 0.01;  // Price per page of A4
var COST_A3  = 0.03;  // Price per page of A3

/*
* This print hook will need access to all job details
* so return if full job analysis is not yet complete.
* The only job details that are available before analysis
* are metadata such as username, printer name, and date.
*
* See reference documentation for full explanation.
*/

if (!inputs.job.isAnalysisComplete) {
	// No job details yet so return.
	return;
}

if (inputs.user.isInGroup(DISCOUNT_GROUP)) {
	// Debug messages are written to [install-path]/server/logs/server.log
	actions.log.debug("Cost before discount: " + inputs.job.cost);

	// Initial 0
	var newCost = 0;

	// Includes Duplex
	if (inputs.job.paperSizeName == "A4") {
		newCost = inputs.job.totalSheets * COST_A4;
	}
	else {
		newCost = inputs.job.totalSheets * COST_A3 ;
	}

	newCost += inputs.job.totalGrayscalePages * COST_BW;
	newCost += inputs.job.totalColorPages * COST_COLOUR;

	actions.job.setCost(newCost);

	actions.log.debug("Staff Pricing on " + inputs.job.printerName + " For " + inputs.job.totalSheets +
		" sheets had " + inputs.job.totalGrayscalePages + " B/W & " +
		inputs.job.totalColorPages + " Colour, Cost after discount: " + newCost);

	// Record that staff pricing was applied in the job comment.
	actions.job.addComment("Staff Pricing applied. Had " + inputs.job.totalGrayscalePages + " B/W & " +
	inputs.job.totalColorPages + " Colour");
	}
}

Other useful features:

  • Students and staff see a summary of how many pages they are going to print, which helps reduce accidental printing of entire chapters of text instead of just a few pages.
  • Logs and statistics show which printers are getting used, how much is getting printed, and who printed the document but didn’t collect it.
  • Great support. I have contacted them over a number of issues and they have always gotten back quickly with good ideas, or have added features in later versions.

Downsides:

  • Although the price for education version of Papercut NG is not too bad, to get the MF version which supports copiers it costs around twice as much. Also you then need cost recovery devices for the copiers ~AUD$1,800 each, and there are annual support and maintenance costs ~AUD$1,000/year.

If you want to get an idea of how much printing your staff and students do, or just want to keep a record of who is printing what (like you could do easily with iPrint), try the free Papercut Print Logger.
