Deployment: Adobe goes Complete nuts!

Not only have they kept us jumping around in deployment for almost 10 years now.

Just as they release a new insecure Flash Player every 2 weeks, they decide to cancel the open download portal and insist that every customer signs the Enterprise Agreement. 75% of the people who use that link have millions and billions of Adobe Acrobat and Photoshop running.

You are not going to get any more customers, Adobe!

I like Flash, and in Switzerland there were companies who made great Flash games 15 years ago

…But enough is enough now….

http://www.butsch.ch/post/Deployment-Flash-22-Juni-2016-Release.aspx

https://www.adobe.com/products/flashplayer/distribution3.html

GPO: WSUS Patches June 2016 disabled security filtered GPO

Important change for all GPO admins | Change in the way GPOs are applied and filtered.

The Windows updates of JUNE 2016 bring a change in how policy GPOs (Gruppenrichtlinien) should be filtered to Active Directory security groups. You can no longer JUST remove "Authenticated Users" and add a security group under Security Filtering. The policy will not pull because Microsoft has changed the concept.

GPOs which are filtered to user groups no longer work after the patches are installed if Authenticated Users or Domain Computers has NO Read under Delegation.

June 2016 Patches:

KB 3163018

KB 314913

KB 3159398

https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP

http://www.gruppenrichtlinien.de/artikel/sicherheitsfilterung-neu-erfunden-ms16-072-patchday-14062016/

This is a normal policy which is not affected by the patches:

Please make a backup of your GPO before changing anything:

Here you see one where we removed "Authenticated Users" or "Authentifizierte Benutzer", and this needs to be corrected. Leave it as IT IS under Security Filtering. The place to change it would be under Delegation.

First, how NOT to do it (this would make the POLICY PULL for all!)

Correct way to make it June 2016 Patchday compatible

Make a backup of the GPO before you even think about changing it!

PowerShell script as listed by Stepan Kokhanovskiy on Social MSDN

I changed this to a READ-only and LIST-only version so you can check first whether you have SUCH GPOs

$DebugPreference = 'Continue'

# Requires the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

Write-Debug "Get the list of all group policy objects in the domain."
$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

Write-Debug "Select group policies that would need a permission change."
$ProcessGpo = foreach ($Gpo in $AllGpo)
{
    Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

    Write-Debug "Get permission for the `"Authenticated Users`" group."
    $AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue

    Write-Debug "Get permission for the `"Domain Computers`" group."
    $DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName 'Domain Computers' -TargetType Group -ErrorAction SilentlyContinue

    if (-not ($AuthUsersPermission -or $DomainComputersPermission))
    {
        # Neither group has any permission on this GPO: select it.
        Write-Debug "No permissions found."
        $Gpo
    }
    else
    {
        Write-Debug "Permissions found. Skip group policy."
    }
}

if ($ProcessGpo)
{
    Write-Debug "List of the selected group policies."
    $ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

    # Read-only version: the selected GPOs are only written to the output.
    Write-Debug "Report the selected group policies (nothing is changed)."
    foreach ($Gpo in $ProcessGpo)
    {
        try
        {
            Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."
            $Gpo
        }
        catch
        {
            $_ | Write-Error
        }
    }
}
else
{
    Write-Debug "No group policy found."
}

Above: the version which will only LIST / report (read only)

Below: the version which will CHANGE / correct

Change version from the posting on Social, adapted to a German Active Directory with Domänencomputer

$DebugPreference = 'Continue'

# Requires the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

# Name of the "Domain Computers" group as it exists in a German Active Directory.
# The same name is used for the check and for the change.
# 'Authenticated Users' below must likewise match the name your domain shows.
$DomainComputersName = 'Domänencomputer'

Write-Debug "Get the list of all group policy objects in the domain."
$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

Write-Debug "Select group policies for permission changes."
$ProcessGpo = foreach ($Gpo in $AllGpo)
{
    Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

    Write-Debug "Get permission for the `"Authenticated Users`" group."
    $AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue

    Write-Debug "Get permission for the `"$DomainComputersName`" group."
    $DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName $DomainComputersName -TargetType Group -ErrorAction SilentlyContinue

    if (-not ($AuthUsersPermission -or $DomainComputersPermission))
    {
        # Neither group has any permission on this GPO: select it.
        Write-Debug "No permissions found."
        $Gpo
    }
    else
    {
        Write-Debug "Permissions found. Skip group policy."
    }
}

if ($ProcessGpo)
{
    Write-Debug "List of the selected group policies."
    $ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

    Write-Debug "Change permissions for the selected group policies."
    foreach ($Gpo in $ProcessGpo)
    {
        try
        {
            Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

            # GpoRead is Read under Delegation only; Security Filtering stays as it is.
            Write-Debug "Add the `"Read`" permission for the `"$DomainComputersName`" group."
            Set-GPPermissions -Guid $Gpo.Id -PermissionLevel GpoRead -TargetName $DomainComputersName -TargetType Group -ErrorAction Stop | Out-Null
            Write-Debug "Permissions changed successfully."

            $Gpo
        }
        catch
        {
            $_ | Write-Error
        }
    }
}
else
{
    Write-Debug "No group policy found."
}
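A read-only report that goes one step further than the LIST version above, added here as an example (it is not from the original post or from the Social MSDN thread): for every GPO it shows who is in Security Filtering and whether Authenticated Users or Domain Computers can read it. The English group names and the state labels are assumptions of this example.

```powershell
# Added example, read-only: nothing in the domain is changed.
Import-Module GroupPolicy

# Assumption: English group names. On a German domain use
# 'Authentifizierte Benutzer' and 'Domänencomputer' instead.
$ReadTrustees = 'Authenticated Users', 'Domain Computers'

$Report = foreach ($Gpo in (Get-GPO -All | Sort-Object -Property DisplayName))
{
    # Trustees with "Apply" are what GPMC lists under Security Filtering.
    $ApplyTo = Get-GPPermissions -Guid $Gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    # Permission level of each of the two groups; empty if there is no entry.
    $Levels = foreach ($Name in $ReadTrustees)
    {
        $Perm = Get-GPPermissions -Guid $Gpo.Id -TargetName $Name -TargetType Group -ErrorAction SilentlyContinue
        if ($Perm) { $Perm.Permission.ToString() }
    }

    # The state labels are this example's own names, not GPMC terms.
    if (-not $Levels)                      { $State = 'NoReadEntry' }
    elseif ($Levels -contains 'GpoApply')  { $State = 'InSecurityFiltering' }
    elseif ($Levels -contains 'GpoCustom') { $State = 'CheckManually' }
    else                                   { $State = 'HasReadNoApply' }

    New-Object PSObject -Property @{
        State             = $State
        DisplayName       = $Gpo.DisplayName
        SecurityFiltering = ($ApplyTo -join ', ')
    }
}

# NoReadEntry         -> needs Read under Delegation to keep working after the June 2016 patches.
# InSecurityFiltering -> normal for an unfiltered GPO; wrong if the GPO was meant to be filtered.
# HasReadNoApply      -> the corrected layout: readable, still filtered to the listed trustees.
# CheckManually       -> custom ACL on the GPO; look at it in GPMC.
$Report | Sort-Object State, DisplayName |
    Format-Table State, DisplayName, SecurityFiltering -AutoSize
```

Run it before and after the change version: the SecurityFiltering column should be identical in both runs.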

 

Deployment: Flash 22 June 2016 Release

It's time to Update Flash to latest Release:

https://www.adobe.com/products/flashplayer/distribution3.html

https://helpx.adobe.com/flash-player/release-note/fp_22_air_22_release_notes.html

See our old post on how to migrate. The flags, file names and versions to check for the June 2016 version (20.06.2016) are listed below.

http://www.butsch.ch/post/Adobe-Flash-11-1101152-Siletn-Install-and-Migration-from-Vetrsion-10X.aspx

Release
OLD: 21.0.0.242
NEW: 22.0.0.192

OCX File (32-bit)
OLD: Flash32_21_0_0_242.ocx
NEW: Flash32_22_0_0_192.ocx

OCX File (64-bit)
OLD: Flash64_21_0_0_242.ocx
NEW: Flash64_22_0_0_192.ocx

Filename Installer
OLD: install_flash_player_21_active_x.exe
NEW: install_flash_player_22_active_x.exe

Exchange: Addresslist and Dynamic Distribution Groups in Shell

All you need are working samples, not thousands of lists and TechNet articles. So here we go with some Exchange PowerShell we use daily.

Maybe you want a list of all fields first, so you can choose one to use for the filter.

Get all user info from a certain OU

Starting OU would be:

OU=Active,OU=Users_W7,OU=BUTSCH,DC=butsch,DC=ch

Get-ADUser -Filter * -SearchBase "OU=Active,OU=Users_W7,OU=BUTSCH,DC=butsch,DC=ch" -Properties * | Select-Object givenname, sn, displayname, description, office, streetaddress, city, st, postalcode, country, title, Department, company | ConvertTo-Csv -NoTypeInformation

Exchange 2010 Addresslist and Dynamic Distribution Groups (E-Mail Distribution)

Exchange 2010 Addresslist

Generate an Exchange address list with a starting OU and an OPATH filter for CITY and STREET

New-AddressList -Name 'Mitarbeiter Nestle Suisse – W110' -RecipientContainer 'butsch.ch/BUTSCH/Users_W7/Active' -IncludedRecipients 'MailboxUsers' -Container '\' -DisplayName 'Mitarbeiter Nestle Suisse – W110'

Set-AddressList -Identity 'Mitarbeiter Nestle Suisse – W110' -RecipientFilter {(ObjectClass -eq 'user' -and City -eq 'Lausanne' -and StreetAddress -eq 'Roberstenstrasse 133' )}

Remark: Do NOT try to add other, additional GAL address lists, because they will appear in the ROOT of the address book. You can't filter on everything you can with a regular address list, and you will be limited when you migrate those to later Exchange versions.

Dynamic Distribution Groups

Generate an Exchange Dynamic Distribution Group with an OU and an OPATH filter for CITY and STREET

This will generate a DynamicDistributionGroup which is located in 'butsch.ch/BUTSCH/Groups/Mail' and will list all members of the OU 'butsch.ch/BUTSCH/Users_W7/Active'. With the second command we filter to show ONLY the employees whose City and StreetAddress fields have a certain value.

This is a TWO-part operation and it ONLY works as two commands. Forget about doing it in one and don't try.

New-DynamicDistributionGroup -Name 'Alle Mitarbeiter Nestle Suisse' -RecipientContainer 'butsch.ch/BUTSCH/Users_W7/Active' -IncludedRecipients 'MailboxUsers' -OrganizationalUnit 'butsch.ch/BUTSCH/Groups/Mail' -Alias 'Alle_Mitarbeiter_Nestle_Suisse'

Set-DynamicDistributionGroup "Alle Mitarbeiter Nestle Suisse" -RecipientFilter {(ObjectClass -eq 'user' -and City -eq 'Lausanne' -and StreetAddress -eq 'Roberstenstrasse 133' )}

If you want to change the FIELD you filter on, check:

Filterable properties for the -RecipientFilter parameter

https://technet.microsoft.com/de-de/library/bb738157(v=exchg.150).aspx

Manage the Members of Distribution Groups

https://technet.microsoft.com/en-us/library/hh859493(v=exchg.141).aspx

Upgrade Custom LDAP Filters to OPATH Filters

https://technet.microsoft.com/en-us/library/cc164375(v=exchg.141).aspx

Exchange 2013: 451 4.7.0 Temporary Server errors. Please Try Again Later. PRX

Problem: Exchange 2013 mail is stuck and can't get delivered to other Exchange 2013 servers or to the WAN.

Error you see: 451 4.7.0 Temporary Server error. Please Try Again Later. PRX

This is related to a DNS resolution bug. Solving it may involve the "old days" HOSTS file ;-)

  1. Check name resolution with nslookup
  2. Check that your Exchange Server has two correct DNS servers on the NIC of the OS (one does not solve it). Use an external one if you don't have two DCs
  3. Change the Default Frontend connector to use fixed DNS
  4. Change the Exchange Server itself to use fixed DNS
  5. Add the Exchange server to the c:\windows\system32\drivers\etc\hosts file with its short name and FQDN (see below)

Start ECP

Message Flow

Change the Default Frontend YOURSERVERNAME (with the pencil)

Down below, change "All unassigned" to your Exchange 2013 Server IPv4 address

Change the DNS that Exchange USES (make it hard-coded).

ABOVE: the one or two internal DNS servers and maybe 8.8.8.8 or your provider's uplink DNS

Below: your one or two internal DNS servers

This MAY sound confusing, but sometimes there is no other way:

Adapt the HOSTS file:

Do this in CMD so you find it ;-)

Add or change the HOSTS file to:

192.168.X.X Yourexchange2013            [ sample: 192.168.1.20 exc2013-16cas ]

192.168.X.X YourexchangeFQDNname        [ sample: 192.168.1.20 exc2013-16cas.butsch.ch ]
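For steps 1 and 2, a check that asks every DNS server configured on the machine separately, added here as an example (not part of the original post). It assumes Windows Server 2012 or later for the DnsClient cmdlets and uses the sample names and IP from the HOSTS lines above.

```powershell
# Added example: run on the Exchange server. Each configured DNS server is
# queried on its own so that each one can be judged separately.
# Sample values taken from the HOSTS lines above; replace with your own.
$Names      = 'exc2013-16cas', 'exc2013-16cas.butsch.ch'
$ExpectedIp = '192.168.1.20'

# All IPv4 DNS servers configured on any NIC of this machine.
$DnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique

$Results = foreach ($Server in $DnsServers)
{
    foreach ($Name in $Names)
    {
        try
        {
            # -DnsOnly and -NoHostsFile: the answer must come from the DNS server,
            # so an existing HOSTS entry cannot hide a server that does not resolve.
            $Ips = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } |
                ForEach-Object { $_.IPAddress }
            $Status = if ($Ips -contains $ExpectedIp) { 'OK' } else { 'WrongAnswer' }
        }
        catch
        {
            $Ips    = @()
            $Status = 'Failed'
        }

        New-Object PSObject -Property @{
            DnsServer = $Server
            Name      = $Name
            Status    = $Status
            Answer    = ($Ips -join ', ')
        }
    }
}

# An external resolver such as 8.8.8.8 is expected to show 'Failed' for
# internal names; an internal DNS server should show 'OK' for both names.
$Results | Format-Table DnsServer, Name, Status, Answer -AutoSize
```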