Category Archives: PowerShell

TRAINING COURSE: BUILDING AN OFFICE365 PRACTICE LABS SYSTEM


Design Labs for Office 365

I.            Introduction to the course

1.   Purpose:

–          Today, most businesses, universities, colleges, schools and other organizations run IT management systems that are not centralized, have no foundational PaaS or VDI architecture, or have no solution that reaches down to the actual end users.

–          Service and training costs are regularly high and require continual reinvestment.

–          To help organizations take more initiative in controlling and developing their technology infrastructure management systems, and to create good conditions for their growth, we offer training and consulting courses on building practice LABs systems for many different organizational models.

–          One of our training topics is: “Building an OFFICE365 practice LAB system”.

2.   Content:

In this course you will learn and practice how to configure, install, build and operate an OFFICE365 LAB system in a VMware virtualized environment.

The course aims to give students general, end-to-end knowledge of the following topics:

  1. Methods and process for building the solution.
  2. Virtual network system (vNIC).
  3. Virtual server system (VMs).
  4. Designing vApp components.
  5. IT administrators at universities, colleges, schools and businesses who need to set up an office365 system with the following functions:

II.         Who should attend

–          Building a user management system and assigning user permissions.

–          Synchronizing ADDC user accounts with the office365 cloud.

–          Setting up single sign-on.

  1. IT department staff at organizations and companies who also need to learn how to set up an office365 system for their own organization.
  2. Basic knowledge of the Windows / Linux operating systems and of networking.
  3. Basic knowledge of the virtualization systems VMware vSphere, Virtual Box and Microsoft Hyper-V.
  4. Preference is given to those with knowledge of ADDC.

III.       Requirements for students

 

  1. Basic knowledge of the Windows / Linux operating systems and of networking.
  2. Basic knowledge of the virtualization systems VMware vSphere, Virtual Box and Microsoft Hyper-V.
  3. Preference is given to those with knowledge of ADDC.

IV.      Benefits of attending the course:

  1. Students can build an Office365 practice LABs system on their own: creating a practice environment for development and training, experimenting with user management systems, synchronizing user accounts with Office365 Cloud, and setting up domain account registration.
  2. IT departments: gain solid foundational knowledge of the Labs system and can take the initiative in configuring and building the system, and in registering and deploying office365 for their business or organization.

Course start schedule at the ROBUSTA Institute of IT Training and Management, Hanoi


If you need a course outside the schedule above, please contact Robusta.

VMware technology courses

| No. | Course name | Start date | Class time | Class days | Duration | Tuition | Instructor |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Deploying and administering virtualization infrastructure with VMware vSphere 5.5 | 05-05-2014 | 18h-21h | Mon-Fri | 40 hours | Contact us | Vietnam |
| 2 |  | 10-05-2014 | 09h-17h | Sat, Sun | 40 hours | Contact us | Vietnam |
| 3 |  | 12-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 4 | VMware vSphere: Optimize & Scale [v5.1] | 26-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 5 | VMware desktop and application virtualization [v5.5] | 19-05-2014 | 18h-21h | Weekdays | 40 hours | Contact us | Vietnam |
| 6 |  | 09-06-2014 | 18h-21h | Mon, Wed, Fri | 40 hours | Contact us | Vietnam |
| 7 | VMware vCenter Configuration Manager for Virtual Infrastructure Management [V5.x] | 04-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Foreign |
| 8 | VMware vCenter Operations Manager: Analyze and Predict [V5.x] | 02-06-2014 | 09h-17h | Weekdays | 16 hours | Contact us | Foreign |
| 9 | VMware vCenter Configuration Manager for Virtual Infrastructure Management [V5.x] | 04-06-2014 | 09h-17h | Weekdays | 24 hours | Contact us | Foreign |

Microsoft courses

| No. | Course name | Start date | Class time | Class days | Duration | Tuition | Instructor |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Office365 Comprehensive | 05-05-2014 | 09h-17h | Weekdays | 24 hours | 06 million | Vietnam |
| 2 |  | 05-05-2014 | 18h-21h | Mon, Wed, Fri | 24 hours | 06 million | Vietnam |
| 3 | Manage Projects with Microsoft Project 2010 | 12-05-2014 | 18h-21h | Mon, Wed, Fri | 24 hours | 05 million | Vietnam |
| 4 | Biztalk Server development for programmers | 12-05-2014 | 09-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 5 | Biztalk Server administration | 26-05-2014 | 09-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 6 | Biztalk development for enterprise application integration | 02-06-2014 | 09-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 7 |  | 02-06-2014 | 18h-21h | Tue, Thu, Sat | 40 hours | Contact us | Vietnam |
| 8 | Designing and developing Microsoft Sharepoint applications | 19-05-2014 | 18h-21h | Mon, Wed, Fri | 40 hours | Contact us | Vietnam |
| 9 | Designing Microsoft Sharepoint infrastructure architecture | 26-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 10 | ADVANCED COURSE: TUNING SHAREPOINT 2010 FOR HIGH PERFORMANCE | 23-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 11 | Designing BI solutions with Microsoft SQL Server | 09-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |

Other courses

| No. | Course name | Start date | Class time | Class days | Duration | Tuition | Instructor |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | IT Management and Information Security | 19-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 2 |  | 19-05-2014 | 18h-21h | Mon, Wed, Fri | 40 hours | Contact us | Vietnam |
| 3 | IT Management Skills | 16-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 4 | ITIL – Information Technology Infrastructure Library Foundation V3 | 16-06-2014 | 18h-21h | Mon, Wed, Fri | 24 hours | Contact us | Vietnam |
| 5 | Designing PHP and HTML5 websites using industrial production methods | 27-4-2014 | 08h-12h | Sunday | 4 hours | 01 million | Vietnam |

 

Special offers:

– Special discount for students who register and pay at least 02 weeks before the start date, or who register as a group of 02 or more.

 

For details, please contact:

Lê Trường Sơn (Mr.) – Mobile : (+84) 0904 411 933 – Email: son.le@robusta.vn

Lê Toàn Thắng (Mr.) – Mobile : (+84) 943 851 178 – Email: thang.le@robusta.vn

Thank you. We look forward to working with and supporting you and your organization in the near future!

Australian International School Implements Microsoft Live@edu, Saves $40,000 in Six Months


“Live@edu is a cloud solution which technical jobs are backed end by Microsoft engineers, therefore it reduces implementation, deployment, maintenance time as well as management time. In general, I am advanced from Live@edu…”

 

Tho Le, Manager of Technology, Australian International School

 

AIS is one of the international schools that has invested heavily in technology applications for education. To meet the email needs of its current teachers and students, the school would have to invest significantly in Exchange Server and AD Server. In the first six months after deploying the Live@edu system, the school saved $40,000. It is also improving email reliability and providing teachers with a more convenient and collaborative work environment.

 

 

Business Needs

AIS first opened its doors in August 2006, and now has over 500 students on 3 campuses.  Since Day 1, AIS has been recognized for its focus on learning in an environment that is both friendly and supportive.  With excellent teachers and facilities on campuses that are conveniently located, safe and secure, AIS has quickly become one of the top international schools in HCMC.

The Australian International School operates from three purpose-built campuses.  The well-resourced campuses are located in beautiful, secure and serene settings with excellent libraries, ICT suites and science labs, visual art and music studios, outdoor swimming pools, basketball courts and age-appropriate playgrounds and sports fields.

Information and Communication Technologies are integral to teaching and learning at AIS and the School continually upgrades its facilities to maintain the highest standard of ICT.

The students are equipped with a broad variety of Information Communication Technologies (ICT) to stay abreast of the pace of change in our world.  ICT learning is not separate from traditional areas of learning, but embedded throughout the curriculum. Students engage in music composition and use traditional and digital animation editing software; web design and construction; wikis; mathematics software; data probes and analysis software alongside the usual Office suite. They are encouraged to be creative with digital presentation and to stand out from the crowd, which will prepare them for a future where competition in this field will be high.

The School offers a web-based learning platform.  The AIS Community Portal allows the whole school community to log in and engage with student learning and school activities from anywhere with an internet connection.  In this way ICT provides learning experiences when and where they are needed and allows students to progress at their own pace.

Customer: Australian International School

Website: http://www.aisvietnam.com

Customer Size: 100 employees

Country or Region: Vietnam

Industry: Education–K-12

 

Customer Profile

The Australian International School (AIS), located in southwest Ho Chi Minh City, has over 500 students on 3 campuses.

 

Software and Services

·    Services

   Microsoft Live@edu

   Microsoft Office Live

   Microsoft SSO Kit for SharePoint2010

   Microsoft Office Outlook Live

   Microsoft Forefront Online

   Windows Live SkyDrive

For more information about other Microsoft customer successes, please visit: http://www.microsoft.com/casestudies

 

Solution

When it started in Vietnam, AIS focused on developing information technology to run and support its learning system. Building on the Microsoft platform, it used Exchange Server 2010 to manage email and synchronize the database of students, faculty and staff.

In March 2012, AIS joined the Microsoft Live@edu program and set up Outlook Live and SharePoint services. The email system now has about 520 student accounts and 100 staff accounts and is used as one of the main applications for learning and teaching.

At AIS, SharePoint and Live@edu work together. SharePoint provides not only a central place to store information and processes but also an environment where staff can collaborate effectively. Live@edu provides a reliable way to communicate as well as to receive alerts from SharePoint via email. Together, SharePoint and Live@edu open up a new, professional way of working in the organization.

After nearly 6 months of using Live@edu, AIS is generally happy with this solution as well as with the partner’s support (Nova Technologies).

 

Objectives:

1. SharePoint deployment objectives for students, lecturers and parents
The main objective of deploying SharePoint is to create a central point for documentation as well as a place to facilitate collaboration.
2. Live@edu deployment objective
The initial goal when implementing Live@edu is to provide a reliable, stable and cost-effective email solution.
3. Single Sign On
Upgrade to a new version that integrates easily with many other systems, such as SSO for the SharePoint Portal.
Ready for integrating other solutions like SharePoint LMS E-learning, Moodle, Lync Online, Web Office Apps via Skype.

Benefits

By implementing Live@edu, Australian International School is enjoying more reliable email communications, saving significant costs, and giving teachers and staff a work environment that is more convenient and collaborative.

 

Enhanced Reliability

Since the beginning, AIS has noticed reliability improvements from having replaced its onsite email infrastructure with Outlook Live.

“Live@edu is a cloud solution which technical jobs are backed end by Microsoft engineers, therefore it reduces implementation, deployment, maintenance time as well as management time. In general, I am advanced from Live@edu,” Tho Le says.

Impressive Cost Savings

Yearly savings come from avoiding the licensing costs of email anti-virus and anti-spam software, and the bonus savings in the first year come from avoiding a server hardware replacement.

 

With the savings enabled by moving to Live@edu, AIS is able to preserve other IT initiatives that had been considered for cancellation, such as a web-based video archive that is popular with teachers and students alike.

 

Great Collaboration

With SkyDrive enabling document creation and storage to move to the cloud, teachers and staff enjoy not only more convenience but also more collaboration. Teachers are working on lesson plans and class presentations from home or elsewhere, without having to remember to back up files to a portable drive and carry it around with them. Teachers are also using the cloud for sharing photo- and video-based materials and eventually will use it for collaborating on a common curriculum.

 

The advice AIS would give another school evaluating Live@edu is to use it. Moreover, Live@edu is going to be upgraded to Office 365, which provides even more features such as Lync and SharePoint Online.

     

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

 

Document edited October 2012


Notice of upgrade from Live@Edu to Office 365 for Education



To: all Departments, Faculties, Centers, Subject Groups and all students.

Microsoft and NOVA Digital are upgrading schools from Live@Edu for Education to Office 365 for Education, so the University's student email system [@domain.edu.vn] will soon be upgraded to Office 365 as well.

We would like to inform the Departments, Faculties, Centers … and all students of the following details about the upgrade:

  1. The student email system [@domain.edu.vn] will officially be upgraded starting at ..h.., on day .. month .. 2013 (weekday ..).
  2. The upgrade is expected to take 90 minutes, from ..h.. to ..h.., on day .. month .. 2013.

Note: While the email system upgrade is taking place, services are not interrupted or suspended, but each user account will be split into two:

  • 01 account in the “Office 365 account” group, used to access Exchange Online email.
  • 01 account in the “Microsoft account” group, used to access other Microsoft services such as Skydrive, Messenger and Calendar, and not used to access email.

(The upgrade steps above are automatic, users do not need to do anything about them, and they occur only during the upgrade.)

Therefore, each account still receives mail sent from outside, but users cannot send mail or sign in to the mailbox to retrieve or send mail while the upgrade is in progress.

Web pages for signing in to the University's email mailbox:

http://mail.office365.com

https://www.outlook.com/domain.edu.vn

https://portal.microsoftonline.com

3.  After the [@domain.edu.vn] system upgrade is complete, the mailbox's banner header, colors and menu will change to those of Microsoft Office 365, but the mailbox contents (inbox, sent mail, unread mail, rules, signatures, …) remain exactly as before, with no changes.

The purpose of this notice is to help the Departments, Faculties, Centers, staff and teachers of the University … and all students avoid confusion when using the mailbox, and make more active use of it as a tool to support their studies.

Thank you and best regards

Reference material for the Office 365 upgrade program:

How to use PowerShell to work with the Windows Registry


Thanks to PowerShell's universal “Provider” concept, you can navigate the Windows Registry just as you would the file system. In this chapter, you will learn how to read and write Registry keys and Registry values.

The Registry stores many crucial Windows settings. That’s why it’s so cool to read and sometimes change information in the Windows Registry: you can manage a lot of configuration settings and sometimes tweak Windows in ways that are not available via the user interface.

However, if you mess things up – changing the wrong values or deleting important settings – you may well permanently damage your installation. So, be very careful, and don’t change anything that you do not know well.

Using Providers

To access the Windows Registry, there are no special cmdlets. Instead, PowerShell ships with a so-called provider named “Registry”. A provider enables a special set of cmdlets to access data stores. You probably know these cmdlets already: they are used to manage content on drives and all have the keyword “item” in their noun part:

PS> Get-Command -Noun Item*

CommandType     Name                  ModuleName           Definition
-----------     ----                  ----------           ----------
Cmdlet          Clear-Item            Microsoft.PowerSh... ...
Cmdlet          Clear-ItemProperty    Microsoft.PowerSh... ...
Cmdlet          Copy-Item             Microsoft.PowerSh... ...
Cmdlet          Copy-ItemProperty     Microsoft.PowerSh... ...
Cmdlet          Get-Item              Microsoft.PowerSh... ...
Cmdlet          Get-ItemProperty      Microsoft.PowerSh... ...
Cmdlet          Invoke-Item           Microsoft.PowerSh... ...
Cmdlet          Move-Item             Microsoft.PowerSh... ...
Cmdlet          Move-ItemProperty     Microsoft.PowerSh... ...
Cmdlet          New-Item              Microsoft.PowerSh... ...
Cmdlet          New-ItemProperty      Microsoft.PowerSh... ...
Cmdlet          Remove-Item           Microsoft.PowerSh... ...
Cmdlet          Remove-ItemProperty   Microsoft.PowerSh... ...
Cmdlet          Rename-Item           Microsoft.PowerSh... ...
Cmdlet          Rename-ItemProperty   Microsoft.PowerSh... ...
Cmdlet          Set-Item              Microsoft.PowerSh... ...
Cmdlet          Set-ItemProperty      Microsoft.PowerSh... ...

Many of these cmdlets have historic aliases, and when you look at those, the cmdlets probably become a lot more familiar:

PS> Get-Alias -Definition *-Item*

CommandType     Name                  ModuleName           Definition
-----------     ----                  ----------           ----------
Alias           cli                                        Clear-Item
Alias           clp                                        Clear-ItemProperty
Alias           copy                                       Copy-Item
Alias           cp                                         Copy-Item
Alias           cpi                                        Copy-Item
Alias           cpp                                        Copy-ItemProperty
Alias           del                                        Remove-Item
Alias           erase                                      Remove-Item
Alias           gi                                         Get-Item
Alias           gp                                         Get-ItemProperty
Alias           ii                                         Invoke-Item
Alias           mi                                         Move-Item
Alias           move                                       Move-Item
Alias           mp                                         Move-ItemProperty
Alias           mv                                         Move-Item
Alias           ni                                         New-Item
Alias           rd                                         Remove-Item
Alias           ren                                        Rename-Item
Alias           ri                                         Remove-Item
Alias           rm                                         Remove-Item
Alias           rmdir                                      Remove-Item
Alias           rni                                        Rename-Item
Alias           rnp                                        Rename-ItemProperty
Alias           rp                                         Remove-ItemProperty
Alias           si                                         Set-Item
Alias           sp                                         Set-ItemProperty

Thanks to the “Registry” provider, all of these cmdlets (and their aliases) can also work with the Registry. So if you wanted to list the keys of HKEY_LOCAL_MACHINE\Software, this is how you’d do it:

Dir HKLM:\Software

Available Providers

Get-PSProvider gets a list of all available providers. Your list can easily be longer than in the following example. Many PowerShell extensions add additional providers. For example, the ActiveDirectory module that ships with Windows Server 2008 R2 (and the RSAT tools for Windows 7) adds a provider for the Active Directory. Microsoft SQL Server (starting with 2007) comes with an SQLServer provider.

Get-PSProvider
Name                 Capabilities                 Drives
----                 ------------                 ------
Alias                ShouldProcess                {Alias}
Environment          ShouldProcess                {Env}
FileSystem           filter, ShouldProcess        {C, E, S, D}
function             ShouldProcess                {function}
Registry             ShouldProcess                {HKLM, HKCU}
Variable             ShouldProcess                {Variable}
Certificate          ShouldProcess                {cert}

What’s interesting here is the “Drives” column, which lists the drives that are managed by a respective provider. As you see, the registry provider manages the drives HKLM: (for the registry root HKEY_LOCAL_MACHINE) and HKCU: (for the registry root HKEY_CURRENT_USER). These drives work just like traditional file system drives. Check this out:

Cd HKCU: 
Dir 
   Hive: Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER
SKC  VC Name                           Property
---  -- ----                           --------
  2   0 AppEvents                      {}
  7   1 Console                        {CurrentPage}
 15   0 Control Panel                  {}
  0   2 Environment                    {TEMP, TMP}
  4   0 EUDC                           {}
  1   6 Identities                     {Identity Ordinal, Migrated7, Last ...
  3   0 Keyboard Layout                {}
  0   0 Network                        {}
  4   0 Printers                       {}
 38   1 Software                       {(default)}
  2   0 System                         {}
  0   1 SessionInformation             {ProgramCount}
  1   8 Volatile Environment           {LOGONSERVER, USERDOMAIN, USERNAME,...

You can navigate like in the file system and dive deeper into subfolders (which here really are registry keys).

| Provider | Description | Example |
| --- | --- | --- |
| Alias | Manages aliases, which enable you to address a command under another name. You’ll learn more about aliases in Chapter 2. | Dir Alias: |
|  |  | $alias:Dir |
| Environment | Provides access to the environment variables of the system. More in Chapter 3. | Dir env: |
|  |  | $env:windir |
| Function | Lists all defined functions. Functions operate much like macros and can combine several commands under one name. Functions can also be an alternative to aliases and will be described in detail in Chapter 9. | Dir function: |
|  |  | $function:tabexpansion |
| FileSystem | Provides access to drives, directories and files. | Dir c: |
|  |  | ${c:\autoexec.bat} |
| Registry | Provides access to branches of the Windows registry. | Dir HKCU: |
|  |  | Dir HKLM: |
| Variable | Manages all the variables that are defined in the PowerShell console. Variables are covered in Chapter 3. | Dir variable: |
|  |  | $variable:pshome |
| Certificate | Provides access to the certificate store with all its digital certificates. These are examined in detail in Chapter 10. | Dir cert: |
|  |  | Dir cert: -recurse |

Table 16.2: Default providers

Creating Drives

PowerShell comes with two drives built-in that point to locations in the Windows Registry: HKLM: and HKCU:.

Get-PSDrive -PSProvider Registry
Name       Provider      Root                                                      CurrentLocation
----       --------      ----                                                      ---------------
HKCU       Registry      HKEY_CURRENT_USER
HKLM       Registry      HKEY_LOCAL_MACHINE

That’s a bit strange because when you open the Registry Editor regedit.exe, you’ll see that there are more than just two root hives.

If you wanted to access another hive, let’s say HKEY_USERS, you’d have to add a new drive like this:

New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
Dir HKU:

You may not have access to all keys due to security settings, but your new drive HKU: works fine. Using New-PSDrive, you now can access all parts of the Windows Registry.

To remove the drive, use Remove-PSDrive (which only works if HKU: is not the current drive in your PowerShell console):

Remove-PSDrive HKU

You can of course create additional drives that point to specific registry keys that you may need to access often.

New-PSDrive InstalledSoftware registry 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
Dir InstalledSoftware:

Note that PowerShell drives are only visible inside the session you defined them. Once you close PowerShell, they will automatically get removed again.

To keep additional drives permanently, add the New-PSDrive statements to your profile script so they get automatically created once you launch PowerShell.

Using Provider Names Directly

Actually, you do not need PowerShell drives at all to access the Registry. In many scenarios, it can be much easier to work with original Registry paths. To make this work, prepend the paths with the provider names like in the example below:

Dir HKLM:\Software
Dir Registry::HKEY_LOCAL_MACHINE\Software
Dir Registry::HKEY_USERS
Dir Registry::HKEY_CLASSES_ROOT\.ps1

With this technique, you can even list all the Registry hives:

Dir Registry::

Searching for Keys

Get-ChildItem can list all subkeys of a key, and it can of course use recursion to search the entire Registry for keys with specific keywords.

The registry provider doesn’t support filters, though, so you cannot use the parameter -Filter when you search the registry. Instead, use -Include and -Exclude. For example, if you wanted to find all Registry keys that include the word “PowerShell”, you could search using:

PS> Get-ChildItem HKCU:, HKLM: -Recurse -Include *PowerShell* -ErrorAction SilentlyContinue |
>> Select-Object -ExpandProperty Name
>>
HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe
HKEY_CURRENT_USER\Software\Microsoft\PowerShell
HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

Note that this example searches both HKCU: and HKLM:. The error action is set to SilentlyContinue because in the Registry, you will run into keys that are access-protected and would raise ugly “Access Denied” errors. All errors are suppressed that way.

Searching for Values

Since Registry values are not interpreted as separate items but rather are added to keys as so-called ItemProperties, you cannot use Get-ChildItem to search for Registry values. You can search for values indirectly, though. Here is some code that finds all Registry keys that have at least one value with the keyword “PowerShell”:

PS> Get-ChildItem HKCU:, HKLM: -Recurse -ea 0 | Where-Object { $_.GetValueNames() |
>> Where-Object { $_ -like '*PowerShell*' } }

If you want to find all keys that have a value with the keyword in its data, try this:

PS> Get-ChildItem HKCU:, HKLM: -Recurse -ea 0 | Where-Object { $key = $_; $_.GetValueNames() |
>> ForEach-Object { $key.GetValue($_) } | Where-Object { $_ -like '*PowerShell*' } }
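The two one-liners above return only the matching keys. The following function is an added example, not part of the original chapter: it reports which value matched, its type and its raw data. `Find-RegistryValue` and the scratch key `HKCU:\Software\RegistrySearchDemo` are hypothetical names, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original chapter.
# Find-RegistryValue is a hypothetical helper name; requires PowerShell 3.0 or later.
function Find-RegistryValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string[]] $Path,     # one or more start keys
        [Parameter(Mandatory = $true)] [string]   $Pattern   # wildcard, e.g. '*PowerShell*'
    )

    # The start keys themselves plus every readable subkey.
    # Access-protected keys are skipped silently, as in the one-liners above.
    $keys = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        try { $names = $key.GetValueNames() } catch { continue }

        foreach ($name in $names) {
            try {
                $kind = $key.GetValueKind($name)
                # Read the stored text: do not expand %VARIABLES% in ExpandString values.
                $data = $key.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            } catch { continue }

            # Flatten binary and multi-string data to one string for matching.
            if ($data -is [byte[]]) {
                $text = [System.BitConverter]::ToString($data)
            } elseif ($data -is [string[]]) {
                $text = $data -join '; '
            } else {
                $text = [string]$data
            }

            $hits = @()
            if ($name -like $Pattern) { $hits += 'Name' }
            if ($text -like $Pattern) { $hits += 'Data' }
            if ($hits.Count -eq 0) { continue }

            [pscustomobject]@{
                Key       = $key.Name
                ValueName = $(if ($name) { $name } else { '(default)' })
                Kind      = $kind
                MatchedOn = $hits -join ','
                Data      = $text
            }
        }
    }
}

# Constructed sample data in a scratch key under HKCU, removed again at the end.
$demo = 'HKCU:\Software\RegistrySearchDemo'
New-Item -Path $demo -Force | Out-Null
Set-ItemProperty -Path $demo -Name 'PowerShellHome' -Value 'C:\Tools'
Set-ItemProperty -Path $demo -Name 'Shell' -Value '%WINDIR%\System32\WindowsPowerShell' -Type ExpandString
Set-ItemProperty -Path $demo -Name 'Unrelated' -Value 42 -Type DWord

Find-RegistryValue -Path $demo -Pattern '*PowerShell*' |
    Format-Table -Property ValueName, Kind, MatchedOn, Data -AutoSize

Remove-Item -Path $demo -Recurse
```

Because the function emits objects, its results can be piped to Export-Csv or Where-Object instead of Format-Table.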

Reading One Registry Value

If you need to read a specific Registry value in a Registry key, use Get-ItemProperty. This example reads the registered owner:

PS> Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name RegisteredOwner

RegisteredOwner : Tim Telbert
PSPath          : Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
                  NT\CurrentVersion
PSParentPath    : Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
PSChildName     : CurrentVersion
PSDrive         : HKLM
PSProvider      : Registry

Unfortunately, the Registry provider adds a number of additional properties so you don’t get back the value alone.

Add another Select-Object to really get back only the content of the value you are after:

PS> Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name RegisteredOwner |
>> Select-Object -ExpandProperty RegisteredOwner
Tim Telbert

Reading Multiple Registry Values

Maybe you’d like to read more than one Registry value. Registry keys can hold an unlimited number of values. The code is not much different from before. Simply replace the single Registry value name with a comma-separated list, and again use Select-Object to focus only on those. Since this time you are reading multiple properties, use -Property instead of the -ExpandProperty parameter.

PS> Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
>> -Name ProductName, EditionID, CSDVersion, RegisteredOwner |
>> Select-Object -Property ProductName, EditionID, CSDVersion, RegisteredOwner
>>

ProductName        EditionID CSDVersion     RegisteredOwner
-----------        --------- ----------     ---------------
Windows 7 Ultimate Ultimate  Service Pack 1 Tim Telbert

Or, a little simpler:

PS> Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
>> Select-Object -Property ProductName, EditionID, CSDVersion, RegisteredOwner
>>

ProductName        EditionID CSDVersion     RegisteredOwner
-----------        --------- ----------     ---------------
Windows 7 Ultimate Ultimate  Service Pack 1 Tim Telbert

Reading Multiple Keys and Values

Yet maybe you want to read values not just from one Registry key but rather a whole bunch of them. In HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall, you find a lot of keys, one for each installed software product. If you wanted to get a list of all software installed on your machine, you could read all of these keys and display some values from them.

That again is just a minor adjustment to the previous code because Get-ItemProperty supports wildcards. Have a look:

PS> Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
>> Select-Object -Property DisplayName, DisplayVersion, UninstallString

DisplayName                DisplayVersion UninstallString
-----------                -------------- ---------------
                           0.8.2.232
Microsoft IntelliPoint 8.1 8.15.406.0     msiexec.exe /I {3ED4AD...
Microsoft Security Esse... 2.1.1116.0     C:\Program Files\Micro...
NVIDIA Drivers             1.9            C:\Windows\system32\nv...
WinImage                                  "C:\Program Files\WinI...
Microsoft Antimalware      3.0.8402.2     MsiExec.exe /X{05BFB06...
Windows XP Mode            1.3.7600.16422 MsiExec.exe /X{1374CC6...
Windows Home Server-Con... 6.0.3436.0     MsiExec.exe /I{21E4979...
Idera PowerShellPlus Pr... 4.0.2703.2     MsiExec.exe /I{7a71c8a...
Intel(R) PROSet/Wireles... 13.01.1000
(...)

Voilà, you get a list of installed software. Some of the lines are empty, though. This occurs when a key does not have the value you are looking for.

To remove empty entries, simply add Where-Object like this:

PS> Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
>> Select-Object -Property DisplayName, DisplayVersion, UninstallString |
>> Where-Object { $_.DisplayName -ne $null }
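The query above reads only the machine-wide Uninstall key of the native registry view. The following added example (not from the original chapter) goes beyond the text's single key and also reads the 32-bit `WOW6432Node` view and the per-user `HKCU:` key, which matters when the list serves as a software inventory. `Get-InstalledSoftware` is a hypothetical function name, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original chapter.
# Get-InstalledSoftware is a hypothetical helper name; requires PowerShell 3.0 or later.
function Get-InstalledSoftware {
    [CmdletBinding()]
    param()

    # On 64-bit Windows, 32-bit installers register under WOW6432Node,
    # and per-user installers register under HKCU.
    $locations = [ordered]@{
        'Machine (native)' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        'Machine (32-bit)' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
        'Current user'     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    }

    foreach ($scope in $locations.Keys) {
        $root = $locations[$scope]

        # A location may be absent, e.g. WOW6432Node on 32-bit Windows.
        if (-not (Test-Path -Path $root)) { continue }

        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            # Read only the values needed, straight from the key object.
            $name = $key.GetValue('DisplayName')

            # Same filter as the Where-Object above: skip keys without a display name.
            if ([string]::IsNullOrWhiteSpace($name)) { continue }

            [pscustomobject]@{
                DisplayName     = $name
                DisplayVersion  = $key.GetValue('DisplayVersion')
                Publisher       = $key.GetValue('Publisher')
                UninstallString = $key.GetValue('UninstallString')
                Scope           = $scope
                RegistryKey     = $key.Name
            }
        }
    }
}

Get-InstalledSoftware |
    Sort-Object -Property DisplayName, DisplayVersion |
    Format-Table -Property DisplayName, DisplayVersion, Publisher, Scope -AutoSize
```

The `HKCU:` location covers only the user running the script; other users' hives would need a drive on HKEY_USERS as shown in "Creating Drives".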

Creating Registry Keys

Since Registry keys are treated like files or folders in the file system, you can create and delete them accordingly. To create new keys, either use historic aliases like md or mkdir, or use the underlying cmdlet directly:

PS> New-Item HKCU:\Software\NewKey1


    Hive: Registry::HKEY_CURRENT_USER\Software


Name                           Property
----                           --------
NewKey1
PS> md HKCU:\Software\NewKey2


    Hive: Registry::HKEY_CURRENT_USER\Software


Name                           Property
----                           --------
NewKey2

If a key name includes blank characters, enclose the path in quotation marks. The parent key has to exist.

To create a new key with a default value, use New-Item and specify the value and its data type:

PS> New-Item HKCU:\Software\NewKey3 -Value 'Default Value Text' -Type String

    Hive: Registry::HKEY_CURRENT_USER\Software


Name                           Property
----                           --------
NewKey3                        (default) : Default Value Text

Deleting Registry Keys

To delete a key, use the historic aliases from the file system that you would use to delete a folder, or use the underlying cmdlet Remove-Item directly:

PS> Remove-Item HKCU:\Software\Test1
Del HKCU:\Software\Test2
Del HKCU:\Software\Test3

This process needs to be manually confirmed if the key you are about to remove contains other keys:

Del HKCU:\Software\KeyWithSubKeys
Confirm
The item at "HKCU:\Software\KeyWithSubKeys" has children and the Recurse parameter was not specified. 
if you continue, all children will be removed with the item. Are you sure you want to continue? 
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

Use the -Recurse parameter to delete such keys without manual confirmation:

Del "HKCU:\Software\First key" -Recurse

Creating Values

Each Registry key can have an unlimited number of values. Earlier in this chapter, you learned how to read these values. Values are called “ItemProperties”, so they belong to an “Item”, the Registry key.

To add new values to a Registry key, either use New-ItemProperty or Set-ItemProperty. New-ItemProperty cannot overwrite an existing value and returns the newly created value in its object form. Set-ItemProperty is more easy going. If the value does not yet exist, it will be created, else changed. Set-ItemProperty does not return any object.

Here are some lines of code that first create a Registry key and then add a number of values with different data types:

PS> New-Item HKCU:\Software\TestKey4
PS> Set-ItemProperty HKCU:\Software\TestKey4 -Name Name -Value 'Smith'
PS> Set-ItemProperty HKCU:\Software\TestKey4 -Name ID -Value 12 -Type DWORD
PS> Set-ItemProperty HKCU:\Software\TestKey4 -Name Path -Value '%WINDIR%' -Type ExpandString
PS> Set-ItemProperty HKCU:\Software\TestKey4 -Name Notes -Value 'First Note','Second Note' `
>> -Type MultiString
>>
PS> Set-ItemProperty HKCU:\Software\TestKey4 -Name DigitalInfo -Value 4,8,12,200,90 -Type Binary
PS> Get-ItemProperty HKCU:\Software\TestKey4

Name         : Smith
ID           : 12
Path         : C:\Windows
Notes        : {First Note, Second Note}
DigitalInfo  : {4, 8, 12, 200...}
PSPath       : Registry::HKEY_CURRENT_USER\Software\TestKey4
PSParentPath : Registry::HKEY_CURRENT_USER\Software
PSChildName  : TestKey4
PSDrive      : HKCU
PSProvider   : Registry

If you want to set the key's default value, use '(default)' as the value name.

ItemType      Description                                                          DataType
String        A string                                                             REG_SZ
ExpandString  A string with environment variables that are resolved when invoked   REG_EXPAND_SZ
Binary        Binary values                                                        REG_BINARY
DWord         Numeric values                                                       REG_DWORD
MultiString   Text of several lines                                                REG_MULTI_SZ
QWord         64-bit numeric values                                                REG_QWORD

Table 16.4: Permitted ItemTypes in the registry

Use Remove-ItemProperty to remove a value. This line deletes the value Name that you created in the previous example:

Remove-ItemProperty HKCU:\Software\Testkey4 Name

Clear-ItemProperty clears the content of a value, but not the value itself.

Be sure to delete your test key once you are done playing:

Remove-Item HKCU:\Software\Testkey4 -Recurse

Securing Registry Keys

Registry keys (and their values) can be secured with Access Control Lists (ACLs) in pretty much the same way the NTFS file system manages access permissions to files and folders. Likewise, you can use Get-Acl to show the current permissions of a key:

md HKCU:\Software\Testkey
Get-Acl HKCU:\Software\Testkey
Path                                 Owner                           Access
----                                 -----                           ------
Microsoft.PowerShell.Core\Registr... TobiasWeltne-PC\Tobias Weltner  TobiasWeltne-PC\Tobias Weltner A...

To apply new security settings to a key, you need to know the different access rights that can be assigned to a key. Here is how you get a list of these rights:

PS> [System.Enum]::GetNames([System.Security.AccessControl.RegistryRights])
QueryValues
SetValue
CreateSubKey
EnumerateSubKeys
Notify
CreateLink
Delete
ReadPermissions
WriteKey
ExecuteKey
ReadKey
ChangePermissions
TakeOwnership
FullControl

Taking Ownership

Always make sure that you are the “owner” of the key before modifying Registry key access permissions. Only owners can recover from lock-out situations, so if you set permissions wrong, you may not be able to undo the changes unless you are the owner of the key.

This is how to take ownership of a Registry key, provided your current access permissions allow you to take ownership. You may want to run these examples in a PowerShell console with full privileges:

$acl = Get-Acl HKCU:\Software\Testkey
$acl.Owner
scriptinternals\TobiasWeltner
$me = [System.Security.Principal.NTAccount]"$env:userdomain\$env:username"
$acl.SetOwner($me)
# SetOwner() only changes the in-memory copy; write it back to the key:
Set-Acl HKCU:\Software\Testkey $acl

Setting New Access Permissions

The next step is to assign new permissions to the key. Let’s exclude the group “Everyone” from making changes to this key:

$acl = Get-Acl HKCU:\Software\Testkey
$person = [System.Security.Principal.NTAccount]"Everyone"
$access = [System.Security.AccessControl.RegistryRights]"WriteKey"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Deny"

$rule = New-Object System.Security.AccessControl.RegistryAccessRule(`
$person,$access,$inheritance,$propagation,$type)
$acl.AddAccessRule($rule)
Set-Acl HKCU:\Software\Testkey $acl

The modifications take effect immediately. Try creating new subkeys in the Registry editor or from within PowerShell, and you'll get an error message:

md HKCU:\Software\Testkey\subkey
New-Item : Requested Registry access is not allowed.
At line:1 char:34
+ param([string[]]$paths); New-Item  <<<< -type directory -path $paths

Why does the restriction apply to you as an administrator? Aren't you supposed to have full access?

No, restrictions always have priority over permissions, and because everyone is a member of the Everyone group, the restriction applies to you as well. This illustrates that you should be extremely careful applying restrictions. A better approach is to assign permissions only.

Removing an Access Rule

The new rule for Everyone was a complete waste of time after all because it applied to everyone, effectively excluding everyone from the key. So, how do you go about removing a rule? You can use RemoveAccessRule() to remove a particular rule, and RemoveAccessRuleAll() to remove all rules of the same type (permission or restriction) for the user named in the specified rule. ModifyAccessRule() changes an existing rule, and PurgeAccessRules() removes all rules for a certain user.

To remove the rule that was just inserted, proceed as follows:

$acl = Get-Acl HKCU:\Software\Testkey
$person = [System.Security.Principal.NTAccount]"Everyone"
$access = [System.Security.AccessControl.RegistryRights]"WriteKey"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Deny"

$rule = New-Object System.Security.AccessControl.RegistryAccessRule(`
$person,$access,$inheritance,$propagation,$type)
$acl.RemoveAccessRule($rule)
# Set-Acl has no -Force parameter, so none is passed here
Set-Acl HKCU:\Software\Testkey $acl

However, removing your access rule may not be as straightforward because you have effectively locked yourself out.

Since you no longer have modification rights to the key, you are no longer allowed to modify the key's security settings either.

You can overrule this only if you take ownership of the key: Open the Registry editor, navigate to the key, and by right-clicking and then selecting Permissions open the security dialog box and manually remove the entry for Everyone.

You’ve just seen how relatively easy it is to lock yourself out. Be careful with restriction rules.

Controlling Access to Sub-Keys

In the next example, you use permission rules rather than restriction rules. The task: create a key where only administrators can make changes. Everyone else should just be allowed to read the key.

md HKCU:\Software\Testkey2
$acl = Get-Acl HKCU:\Software\Testkey2

# Admins may do everything:
$person = [System.Security.Principal.NTAccount]"Administrators"
$access = [System.Security.AccessControl.RegistryRights]"FullControl"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(`
$person,$access,$inheritance,$propagation,$type)
$acl.ResetAccessRule($rule)

# Everyone may only read:
$person = [System.Security.Principal.NTAccount]"Everyone"
$access = [System.Security.AccessControl.RegistryRights]"ReadKey"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(`
$person,$access,$inheritance,$propagation,$type)
$acl.ResetAccessRule($rule)
Set-Acl HKCU:\Software\Testkey2 $acl

Note that in this case the new rules were not entered by using AddAccessRule() but by ResetAccessRule().

This results in removal of all existing permissions for respective users. Still, the result isn’t right because regular users could still create subkeys and write values:

md hkcu:\software\Testkey2\Subkey

   Hive: Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\software\Testkey2

SKC  VC Name                           Property
---  -- ----                           --------
  0   0 Subkey                 {}

Set-ItemProperty HKCU:\Software\Testkey2 Value1 "Here is text" 

Revealing Inheritance

Look at the current permissions of the key to figure out why your permissions did not work the way you planned:

(Get-Acl HKCU:\Software\Testkey2).Access | Format-Table -Wrap

    RegistryRights  AccessControlType IdentityReference IsInherited  InheritanceFlags  PropagationFlags
    --------------  ----------------- ----------------- -----------  ----------------  ----------------
           ReadKey              Allow Everyone                False              None              None
       FullControl              Allow BUILTIN\Administr       False              None              None
                                      ators
       FullControl              Allow TobiasWeltne-PC\T        True ContainerInherit,              None
                                      obias Weltner                     ObjectInherit
       FullControl              Allow NT AUTHORITY\SYST        True ContainerInherit,              None
                                      EM                                ObjectInherit
       FullControl              Allow BUILTIN\Administr        True ContainerInherit,              None
                                      ators                             ObjectInherit
           ReadKey              Allow NT AUTHORITY\REST        True ContainerInherit,              None
                                      RICTED ACCESS                     ObjectInherit

The key includes more permissions than what you assigned to it. It gets these additional permissions by inheritance from parent keys.

If you want to turn off inheritance, use SetAccessRuleProtection():

$acl = Get-Acl HKCU:\Software\Testkey2
$acl.SetAccessRuleProtection($true, $false)
Set-Acl HKCU:\Software\Testkey2 $acl

When you look at the permissions again, the key contains only the permissions you explicitly set. It no longer inherits any permissions from parent keys:

RegistryRights  AccessControlType IdentityReference      IsInherited  InheritanceFlags  PropagationFlags
--------------  ----------------- -----------------      -----------  ----------------  ----------------
       ReadKey              Allow Everyone                     False              None              None
   FullControl              Allow BUILTIN\Administrators       False              None              None

Controlling Your Own Inheritance

Inheritance is a sword that cuts both ways. You have just turned off the inheritance of permissions from parent keys, but will your own newly set permissions be propagated to subkeys? Not by default. If you want to pass on your permissions to subkeys, change the inheritance setting of your rules, too. Here are all the steps required to secure the key:

del HKCU:\Software\Testkey2 
md HKCU:\Software\Testkey2

$acl = Get-Acl HKCU:\Software\Testkey2

# Admins may do anything:
$person = [System.Security.Principal.NTAccount]"Administrators"
$access = [System.Security.AccessControl.RegistryRights]"FullControl"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(`
$person,$access,$inheritance,$propagation,$type)
$acl.ResetAccessRule($rule)

# Everyone may only read:
$person = [System.Security.Principal.NTAccount]"Everyone"
$access = [System.Security.AccessControl.RegistryRights]"ReadKey"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(`
$person,$access,$inheritance,$propagation,$type)
$acl.ResetAccessRule($rule)
Set-Acl HKCU:\Software\Testkey2 $acl
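
The two pitfalls from the sections above (a Deny rule on a broad group, and write access that arrives through inheritance) can be checked for on any key before and after Set-Acl. The following is an added example, not code from the original chapter; the function name Test-RegistryKeyAcl, the scratch key HKCU:\Software\AclAuditDemo and the default trusted-writer list are assumptions made for illustration.

```powershell
# Added example. Test-RegistryKeyAcl and HKCU:\Software\AclAuditDemo are hypothetical names.
function Test-RegistryKeyAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # SIDs allowed to hold write access (assumption): BUILTIN\Administrators and SYSTEM.
        [string[]]$TrustedWriterSid = @('S-1-5-32-544', 'S-1-5-18')
    )

    # Rights that change the key's content or its security descriptor.
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

    # Groups that contain (almost) every account, keyed by well-known SID.
    $broadSid = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    $acl = Get-Acl -Path $Path
    # Request SIDs instead of account names so the check does not depend on the UI language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid          = $rule.IdentityReference.Value
        $touchesWrite = ([int]$rule.RegistryRights -band $writeMask) -ne 0
        $finding      = $null

        if ($rule.AccessControlType -eq 'Deny' -and $broadSid.ContainsKey($sid)) {
            # Deny takes priority over Allow, so this also hits administrators and the owner.
            $finding = "Deny rule on broad group $($broadSid[$sid])"
        }
        elseif ($rule.AccessControlType -eq 'Allow' -and $touchesWrite -and
                $TrustedWriterSid -notcontains $sid) {
            $finding = 'Write access for an identity outside the trusted list'
        }

        if ($finding) {
            [pscustomobject]@{
                Path        = $Path
                Sid         = $sid
                Rights      = $rule.RegistryRights
                Type        = $rule.AccessControlType
                IsInherited = $rule.IsInherited            # True: the rule comes from a parent key
                Protected   = $acl.AreAccessRulesProtected # True: inheritance is switched off
                Finding     = $finding
            }
        }
    }
}

# Demo on a scratch key: grant Everyone SetValue (an Allow rule, so nobody is locked out).
$demo = 'HKCU:\Software\AclAuditDemo'
New-Item -Path $demo -Force | Out-Null

$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $everyone,
    [System.Security.AccessControl.RegistryRights]'SetValue',
    [System.Security.AccessControl.InheritanceFlags]'None',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AccessControlType]'Allow')

$acl = Get-Acl -Path $demo
$acl.AddAccessRule($rule)
Set-Acl -Path $demo -AclObject $acl

# The current user inherits FullControl under HKCU, so that SID is trusted for this run.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Test-RegistryKeyAcl -Path $demo -TrustedWriterSid 'S-1-5-32-544', 'S-1-5-18', $me |
    Format-Table Sid, Rights, Type, IsInherited, Finding -AutoSize

# Clean up the scratch key.
Remove-Item -Path $demo -Recurse
```

An inherited finding has to be fixed on the parent key or by protecting the key with SetAccessRuleProtection(); an explicit one is fixed on the key itself.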

Live@edu to Office 365 upgrade program for Vietnamese education


Your Live@edu to Office 365 upgrade plan

in May 2013

I. Things to do right away:

Before upgrading from Live@edu to Office 365, you should prepare the following "Check list to do":

Sign in with the Administrator account and go to http://eduadmin.live.com

Step 1. Open the section: Institution profile

– Change the postal code (Zip code/Post code) to 100000

Step 2. Check the sections Contacts for critical notifications and Administrator contact information

Add the two email addresses of the NOVA Digital technical support team; we are always by your side:

thanglt@novadigital.vn (CIO, consultant for Microsoft Office 365 Cloud and Online Service technology solutions).

bonnv@novadigital.vn (CTO, handles complex incidents on Microsoft Office 365 Cloud App, Live@edu services, MOS).

If you need support phone numbers, please also enter the two NOVA Digital Hotline mobile numbers:

Mobile line 1: +84 912135588 – Mr. Nguyễn Văn Bốn.

Mobile line 2: +84 943851178 – Mr. Lê Toàn Thắng.

Note: for the school's admin email address you can also add an alternate address (Alternate mail, not a live@edu address) in case notifications from Edu Admin Live are not received.

 

II. Things to review on the Live@edu system currently in use:

A. General introduction

1. The upgrade program from Live@edu to Office 365 is mandatory; how long it takes depends entirely on the schedule and plan agreed between the Admin, the school, NOVA Digital and Microsoft APAC.

2. After the upgrade, Office 365 for the Vietnamese education sector is free and defaults to Plan 1 (A1),

meaning it belongs to the group subscribed to: Exchange Online 2010 (Plan 1) for students.

3. As the Admin, you have the right to subscribe to Office 365 for education at Plan 2 (A2), which is also free and includes:

– SharePoint Online.

– Lync Online.

– Office Web Apps.

(Feature summary: students, pupils, teachers and lecturers can use audio, images and chat with others, share documents and texts, and hold meetings and lectures online in real time …)

4. Note on upgrading to Plan 3 (A3) or Plan 4 (A4): these subscriptions are charged (not free) and include many complex features with service costs … so the Admin and the school should take great care, weigh the decision and have a concrete plan for purchasing licences and using software such as Office Desktop Pro Plus, Dynamic CRM… before subscribing on the Office 365 portal.

B. Specific checks:

Please send your answers to the two email addresses thanglt@novadigital.vn, bonnv@novadigital.vn after carefully considering our 7 questions, in preparation for the upgrade.

1. What time is suitable for you (the school) to upgrade from Live@edu to Office 365?

(Explanation: the upgrade involves no downtime ("service stopped"), but during the upgrade each account is split into two separate accounts: one "Office 365 account" used to access email, and one "Microsoft account" used to access other Microsoft services such as skydrive, Messenger and calendar, and not used to access email. This happens automatically and users do not need to be concerned with it.

As a result, each account still receives mail sent from outside, but cannot send mail or sign in to the mailbox to fetch or send mail while it is being upgraded. The duration of the upgrade depends on the number of mailboxes being upgraded; it typically takes 5 – 15 minutes to complete the upgrade processing.)

2. Do you or the school need to hold a training session or otherwise notify users about the upgrade described above?

(Our suggestion: you or the school should briefly announce the upgrade of the Live@edu, Exchange mail system to Office 365 once a reasonable time for the upgrade has been agreed.)

3. What changes should you, the school and users know about once the upgrade is complete?

– Banners and logos, also called "Co-branding", will not be supported after moving to Office 365.

– When changing personal information, Office 365 may well ask you to provide a phone number to add SMS-based security that messages you directly in case your password is leaked or you are attacked by a hacker.

– No advertisements are ever displayed in users' email (unlike yahoo, gmail…)

– The usernames and passwords for accessing Office 365 will be the same as those of the existing Live@edu accounts.

– Accounts can access the web through the following URLs:

4. Are you or the school using tools to synchronise internal AD accounts at the school with Live@edu?

  1. Microsoft's ILM 2007 FP1?
  2. Microsoft's IDM 2 or ILM 2010?
  3. MAv3, OLMA, OLSync or Easy Sync?
  4. PSA (PowerShell Assistant), software developed and provided by NOVA Digital?
  5. Live@edu SSO Toolkit
  6. Password Change Notification Service (PCNS)
  7. PSA developed as open source jointly by the NOVA Team and the Live@edu team in Russia?
  8. A PowerShell script provided by the school itself or another partner?

Note:

If the program you or the school are using is case 4, we (Nova Digital) will help upgrade it so that it works with the system after the upgrade to Office 365.

– In all other cases, the tool must be disabled, taken out of use and uninstalled.

After the upgrade to Office 365 is complete, we will send specific guidance on a solution for synchronising your (the school's) AD server accounts with Office 365 (with fees for solution consulting, deployment, warranty and annual support agreed between the two parties).

– If you did not use account synchronisation between the internal system and the old Live@edu but need it with Office 365, please reply that you are interested and leave the details of your contact person to make discussion easier…

 

5. Are you, the school and users still using Microsoft Office Outlook client software to check Live@edu mail?

Please note: after the upgrade to Office 365, some of the following software will not work and must be upgraded or switched:

  • Office 2010 RTM is not supported.
  • Office 2007 must be upgraded to SP3.
  • Office 2010 SP1 and Office Outlook 2011 for MAC PC.
  • Versions used on mobile Android and Windows Phone 7, 8 still work well and are not affected.
  • Laptops and personal PCs will need an additional program, "Microsoft Online Services Sign-In Assistant", installed to help users sign in and authenticate automatically for the Microsoft account group, so note that machines joined to the domain on the DC must be granted permission to install this software.

You therefore need to apply the Office patches from the following address: http://community.office365.com/en-us/wikis/manage/562.aspx before carrying out the plan to upgrade Live@edu to Office 365.

6. As you are the school's system administrator, we will set up a workshop at our District 1 office – Ho Chi Minh City

It is planned for one day (14/5, 16/5, 17/5 or 18/5, 2013) or a day that is convenient for you. If you are not near Ho Chi Minh City,

which date and time would suit you best?

Please tell us the specific time; we will consider it and send a notice of the schedule for new workshops in Hanoi or other cities.

7. After the workshops organised by NOVA Digital and Microsoft Office 365, we will work with you, the school and our training partner to run regular in-depth courses on the Office 365 system for education and business:

  1. Course M10174: Configuring and Managing Microsoft SharePoint 2010 (Exam 70-667)

  2. Course M10175: Microsoft SharePoint 2010, Application Development (Exam 70-573)

  3. Course M50352: SharePoint 2010 Overview for Power Users

  4. Course 10954: Administering Office 365 (Exam 70-323)

  5. Course 50588A: Office 365: A day in the life of the End-User

  6. Course 10955: Administering Office 365 for Small Businesses (Exam 74-324)

  7. Course 10956: Microsoft Office Specialist (MOS): Microsoft Office 365 (Exam 77-891)

  8. Course 10957: Deploying Office 365 (Exam 70-321)

  9. Course 55010A: SharePoint Designer 2010 – Customizing and Branding SharePoint 2010 and Office 365

  10. Course M20331: Core Solutions of Microsoft SharePoint Server 2013 (Exam 71-331)

Details of the course content will be updated continuously by our training partner at http://www.robustaglobal.com

So which course do you need training in?

Register it in your answer to question 7 so that we can help you improve your knowledge and the quality of your work.

To repeat: please send your answers to the two email addresses thanglt@novadigital.vn, bonnv@novadigital.vn,

after carefully considering our 7 questions.

This preparation program is rather long; we hope you will read it and carry it out accurately.

Thank you very much!

Notes on the new usage: Windows PowerShell for Office 365


Use Windows PowerShell to manage Office 365

Windows PowerShell Command Builder

Use Windows PowerShell in Exchange Online

Install the Office 365 cmdlets

You can install the cmdlets on a Windows 7 or Windows Server 2008 R2 computer.

You must have Windows PowerShell and the .NET Framework 3.5.1 enabled.

You must install the Microsoft Online Services Sign-in Assistant. Download and install one of the following from the Microsoft Download Center:

To install the Microsoft Online Services Sign-in Assistant:

Microsoft Online Services Sign-In Assistant (IDCRL7) – 32 bit version http://go.microsoft.com/fwlink/p/?linkid=236299

Microsoft Online Services Sign-In Assistant (IDCRL7) – 64 bit version http://go.microsoft.com/fwlink/p/?linkid=236300

To install the Microsoft Online Services Module for Windows PowerShell:

Microsoft Online Services Module for Windows PowerShell (32-bit version) http://go.microsoft.com/fwlink/p/?linkid=236298

Microsoft Online Services Module for Windows PowerShell (64-bit version) http://go.microsoft.com/fwlink/p/?linkid=236297

For more information regarding this article, see the information within the link below:

Use Windows PowerShell to manage Office 365

http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh124998.aspx


Download and Install the Microsoft Online Services Module for Windows PowerShell for Single Sign on.

http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx#BKMK_CreateOrConvertADomain

Click Start > All Programs > Microsoft Online Services (Folder) and select Microsoft Online Services Module for Windows PowerShell

or Windows Azure Active Directory > Windows Azure Active Directory Module for Windows PowerShell

 

Method 1:

How to connect BOTH PowerShell (MOSMWP) and (PS) in one session using Microsoft Online Services Module for Windows PowerShell and Windows PowerShell to Exchange online (O365).

Copy and paste the commands below:

$LiveCred = Get-Credential
Connect-MSOLservice -Credential $livecred
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

Method 2:

How to Connect to Exchange online (O365) using the Microsoft Online Services Module for Windows PowerShell session (MOSMWP)

Import-Module MSOnline
$Creds = Get-Credential
Connect-MsolService -Credential $Creds

Method 3:

$cred=Get-Credential
Connect-MsolService -Credential $cred

How to connect BOTH commands in one session using Regular Windows PowerShell PS (Blue):

Import-module msonline
Connect-MSOLservice
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

To connect using regular Windows PowerShell 2.0, run the commands below:

$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session



1. Additional troubleshooting information:

To verify the application version, run the command below:

Get-PSSnapin

To verify that WinRM can connect to O365, run the following commands together:

net start winrm
winrm get winrm/config/client/auth

To Configure WinRM to support basic authentication:
winrm set winrm/config/client/auth @{Basic="true"}

If The customer was getting some sorts of restriction, the customer enter the following command “

To fix this issue, run the command below:

Set-ExecutionPolicy RemoteSigned

Set-ExecutionPolicy Unrestricted

If the organization has a GPO that has a restricted policy, run the command below:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy unrestricted -force

Additional commands:

Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy unrestricted -force

Set-ExecutionPolicy -Scope MachinePolicy -ExecutionPolicy unrestricted -force

Set-ExecutionPolicy -Scope UserPolicy -ExecutionPolicy unrestricted -force

Set-ExecutionPolicy -Scope Process -ExecutionPolicy unrestricted -force
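
Before relaxing any of the settings above, it helps to see which scope actually sets the effective execution policy and what the WinRM client currently allows. The following is an added example, not part of the original page; Get-RemotingPreflight and Invoke-ExchangeOnlineCommand are hypothetical helper names, and the second function swaps Import-PSSession for Invoke-Command, which runs the commands remotely and therefore needs no change to the local execution policy.

```powershell
# Added example, not from the original page. Get-RemotingPreflight and
# Invoke-ExchangeOnlineCommand are hypothetical helper names.

function Get-RemotingPreflight {
    $scopes    = Get-ExecutionPolicy -List
    $effective = [string](Get-ExecutionPolicy)

    # MachinePolicy and UserPolicy are set through Group Policy;
    # Set-ExecutionPolicy cannot change them.
    $gpo = @($scopes | Where-Object {
        ('MachinePolicy', 'UserPolicy' -contains [string]$_.Scope) -and
        ([string]$_.ExecutionPolicy -ne 'Undefined')
    })

    # WinRM client settings live in the WSMan: drive, which needs the WinRM service running.
    try {
        $basic       = (Get-Item WSMan:\localhost\Client\Auth\Basic -ErrorAction Stop).Value
        $unencrypted = (Get-Item WSMan:\localhost\Client\AllowUnencrypted -ErrorAction Stop).Value
    }
    catch {
        $basic = $unencrypted = 'unknown'
    }

    [pscustomobject]@{
        EffectivePolicy       = $effective
        SetByGroupPolicy      = ($gpo.Count -gt 0)
        # Import-PSSession writes an unsigned temporary module, which these two policies block.
        ImportPSSessionWorks  = ('Restricted', 'AllSigned' -notcontains $effective)
        WinRMClientBasic      = $basic
        # Basic authentication is only acceptable over HTTPS, so this should stay 'false'.
        WinRMAllowUnencrypted = $unencrypted
    }
}

function Invoke-ExchangeOnlineCommand {
    param(
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory = $true)][scriptblock]$ScriptBlock
    )

    # Same endpoint and options as the connection commands on this page.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell/ `
        -Credential $Credential -Authentication Basic -AllowRedirection -ErrorAction Stop
    try {
        # Runs in the remote session; nothing is imported or executed as a local script.
        Invoke-Command -Session $session -ScriptBlock $ScriptBlock
    }
    finally {
        # Always release the remote session, even if the command fails.
        Remove-PSSession $session
    }
}

# Runs offline and changes nothing:
Get-RemotingPreflight | Format-List

# If the cmdlets must be imported locally, relax the policy for this process only:
#   Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
# Needs tenant credentials, so it is left as a call to run by hand:
#   Invoke-ExchangeOnlineCommand -Credential (Get-Credential) -ScriptBlock { Get-Mailbox -ResultSize 5 }
```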


2. Assign the administrator in the “Organization Management”

If the administrator is having credential issues, try the following steps:

In the Exchange Control Panel

1. Select Manage My Organization > Roles & Auditing > Administrator Roles.

2. Click “Organization Management” > details then Add the user as “Member” > Save

Administrator Role Groups in Exchange Online

  • 3. Administrators cannot authenticate to Office 365 by using the following management tools:
    • Microsoft Online Services Directory Synchronization tool (on the directory synchronization server)
    • Microsoft Online Services Module for Windows PowerShell (on a computer on which it is installed)
    • Network connectivity to Office 365 is limited.
    • The firewall, proxy servers, or both require local authentication.
    • Prerequisites of the rich client application are not met.
    • An old version of the Microsoft Online Services Sign-in Assistant is installed.
    • The rich client application is not configured for Office 365.

    Resolution 1: Network connectivity is limited

    Use a browser and try to visit http://www.msn.com. If you cannot access this website, troubleshoot network connectivity issues.

    1. At a command prompt, use the ipconfig and ping tools to troubleshoot IP connectivity. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
      169790

      How to troubleshoot basic TCP/IP problems

    2. At a command prompt, run nslookup www.msn.com to determine whether DNS is resolving Internet server names.
    3. Make sure that the proxy server settings in Internet Options reflect the appropriate proxy server, if a proxy server is used in the local network.
    4. If a Forefront Threat Management Gateway (TMG) firewall is installed on the boundary of the network and the firewall requires client authentication, you might have to install and configure the Forefront TMG client program on the client device for Internet access. Contact your Office 365 administrator for help.

    Resolution 2: Firewall or proxy servers require additional authentication

    To resolve this issue, configure an exception for Microsoft Online Services URLs and applications from the authentication proxy. For example, if you are running Microsoft Internet Security and Acceleration Server (ISA) 2006, create an “allow” rule that meets the following criteria:

    • Allow outbound connections to the following destination: *.microsoftonline.com
    • Allow outbound connections to the following destination: *.microsoftonline-p.com
    • Allow outbound connections to the following destination: *.sharepoint.com
    • Allow outbound connections to the following destination: *.outlook.com
    • Allow outbound connections to the following destination: *.lync.com
    • Allow outbound connections to the following destination: osub.microsoft.com
    • Ports 80/443
    • Protocols TCP and HTTPS
    • Rule must apply to all users.
    • HTTPS/SSL time-out set to 8 hours

    Configuring ADFS 2.0 for Single Sign-On for Office 365


    in Office 365. This article takes you through the steps of achieving it.

    First, do remember the following points if you are going ahead with Single Sign-On in Office 365.

    • You need to have ADFS 2.0 on one server & Directory Synchronization (Dirsync) on another server in your on premise environment.
    • You need to make sure that ADFS server is ALWAYS up and running. If it crashes, because of any reason, federated users will not be able to Login to Office 365.

    Keeping the above points in mind, let me start off by taking an example of a typical SMB environment

    Environment Details (each on different server)

    • Domain Controller
    • ADFS 2.0
    • DirSync
    • Exchange 2007 (or 2010)
    • SharePoint 2007 (or 2010)

    Step 1 : Add Host record in your public DNS ( such as godaddy.com) for your ADFS 2.0 Server.

    Step 2: Install ADFS 2.0 (Find the snapshots below)

    • Download ADFS 2.0 on the ADFS Server
    • Install IIS on ADFS Server
    • Get an Enterprise CA certificate and bind it to the Default Web Site, port 443, in IIS on the ADFS 2.0 server.

    NOTE: Registration and verification of the domain in Office 365 have to be done before you configure ADFS (not covered in this article)

    Snapshots for ADFS installation and configuration

     

    Leave the check mark as it is and this will start the configuration wizard automatically.

    Click on ADFS 2.0 Federation Server Configuration Wizard.

    Choose New Federation Service as it is the first ADFS 2.0 server in the farm.

    New Federation Server Farm: this is used when you plan to have more than one ADFS server in your environment. With Office 365, I recommend this option because, as I mentioned earlier in the post, if ADFS 2.0 goes down, none of your federated users will be able to log in to Office 365. So having more than one ADFS server and providing high availability using load balancing is recommended.

    Stand-alone federation Server: used in testing environments or small production environments. You cannot add more servers to make it a server farm.

    Click Next after choosing the appropriate option.


    Verify if this stage shows the right certificate , port and federation service name.

    On the Summary screen click next and then click finish.

    ADFS is now installed and configured.

    Step 3: Download Microsoft Online Services Module for Windows PowerShell

    • To download this tool, login to http://portal.microsoftonline.com, Click On Users under Management.
    • At the right top of the screen, you will see “Single sign-on: Manage | Learn more” ,click on Manage
    • Third step will say “Install the Microsoft Online Services Module for Windows PowerShell”
    • Download and install it. Installation is very simple.

    Step 4: After the tool is installed, run the “Office Desktop Apps” wizard

    Click on “Set Up” -> Select the application and then click “I accept”.

    The wizard will configure your Rich Clients to work with Office 365. Once the installation is complete you will see the below screen

    Almost done!!…

    The only thing left is to make the domain federated. To make a domain a federated domain, you will have to first register and verify the domain. (Register and verification of domain in Office 365 has to be done before you configure ADFS)

    Assuming that you have done the domain verification, double click on the shortcut of Microsoft Online Services Identity Federation Management Tool on the desktop.

    Run the following commands

    • $cred = Get-Credential
      You will get a prompt to enter credentials. Enter the Admin account of Office 365 (tenant admin account)
    • Set-MSOLContextCredential -MSOLAdminCredentials $cred
    • Add-MSOLFederatedDomain -DomainName <DOMAIN NAME>

    <DOMAIN NAME> = enter your verified domain name which you want to federate.

    To verify that your domain is configured successfully, do the following:

    1. Log on to http://portal.microsoftonline.com using your admin credentials.
    2. Click on Domain under Management
    3. Click on the domain that you just federated
    4. Under the Domain Properties, you should see “Domain Type: Single sign-on: This domain is configured for single sign-on”

    Get the users on cloud using DirSync and start using Office 365 services via single sign-on.

    How to configure Windows 7, Windows 8 and Windows Server 2008 to use PowerShell cmdlets to manage Exchange Online through a network with a proxy


    The Internet and internal networks of businesses and schools are managed by IT administrators of varying skill levels, but most of them have a reputation for lacking vision, sometimes for being petty, and when they cannot control the situation they do what our state leaders do: “ban” it…

    It is very hard to keep a network under control without deep and broad knowledge, and without a plan and a vision for running a large network with many users, high density and complex usage. In my view, however, the standards of safety, economy, security and suitability for each stage of adopting network technology are the prerequisites, fixed and non-negotiable, and I always pursue that view to the end.

    The networks of businesses and schools have been changing their approach, starting from an open policy:

    1. Any staff or student machine connected to the school network could reach the Internet. That lasted only a short time before the network was overloaded, because users did not look after themselves.

    2. Then machines were required to join the domain. That works, but it is a lot of work and IT does not enjoy it. It is fine for permanent users, but it cannot handle visitors who only read or use the site's network temporarily, and there are more of those, so IT changed the network policy again.

    3. Then a few firewalls sprang up: ISA, NAT, Forefront, Zone Alarm, Check Point, TMG, Symantec End Point, FortiGate FG …. A real headache, and the IT admin was dragged in to set them up, but the consequences were hard to foresee: the IT admin ended up changing how users' software had to be configured. Behind this quietly revolutionary change came a coup, a mutiny by the users. Users' frustration and dissatisfaction grew, for example:

    – I cannot check mail offline because the proxy is not configured for mail clients.

    – PowerShell cannot reach out to manage Outlook Exchange Online.

    – Old software that does not work with a proxy is effectively out of the fight. IT says to upgrade, but where does the money come from?

    In short:

    Anything outside the internal network is taken care of: it is all dead.

    So what are Cloud Computing or SaaS? No need to know, they have all died at the hands of the IT admin.

    Untangle the software problems above, and meet the needs of the business or school, as follows: how to configure Windows 7 and Windows Server 2008 to use PowerShell cmdlets to manage Exchange Online through a network with a proxy.

    If installing the Firewall Client does not help, check the HTTP proxy settings on your local computer by running the following command:

    netsh winhttp show proxy
    

    The output of this command may show:

    Current WinHTTP proxy settings:
        Direct access (no proxy server).

    If your local computer does not have an HTTP proxy specified, specify one by running the following command:

    netsh winhttp set proxy <proxy server name>:80 "<local>"
    

    For example, if your organization's proxy server is named proxy1, run the following command:

    netsh winhttp set proxy proxy1:80 "<local>"
    

    After running the command to configure the proxy server, you should see output like the following:

    Current WinHTTP proxy settings:
        Proxy Server(s) :  proxy1:80
        Bypass List     :  local

     

    Or use the following command to make the local machine go through the proxy configured in IE:

    Netsh winhttp import proxy source=ie

    After running the commands above in CMD or PowerShell (started with Run as Administrator), go back to using software such as PowerShell, email clients and mailing-list tools over the network that uses a proxy.

     

    Steps to modify the PowerShell script so that PowerShell (PS) can connect to Microsoft Outlook Live (Exchange Online):

    # Attach credentials to the default .NET web proxy
    $webclient = New-Object System.Net.WebClient
    $LiveCred = Get-Credential
    # Proxy.Credentials expects ICredentials, so convert the PSCredential first
    $webclient.Proxy.Credentials = $LiveCred.GetNetworkCredential()
    $entry = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $entry

    # put your processing commands here

    # processing commands end here
    Remove-PSSession $entry

    Good luck.

    How do you synchronize with Active Directory Sync when the username and password are encrypted according to the 32/64-bit OS?


    Part 1. Password Filter for OS

     

    Contents

    I.    Password Filters
          1.  Password Filter Functions
          2.  Password Filter Programming Considerations
          3.  Installing and Registering a Password Filter DLL
              To install and register a Windows password filter DLL
    II.   Enforce Custom Password Policies in Windows
    III.  Configuring Security Policy
    IV.   The RegEx Password Filter Sample
    V.    Installing the Password Filter
    VI.   Source Code Compiler by VC++
          Download Boost link
          Error when Building
          Installation

     

     

    I. Password Filters

    Password filters provide a way for you to implement password policy and change notification.

    When a password change request is made, the Local Security Authority (LSA) calls the password filters registered on the system. Each password filter is called twice: first to validate the new password and then, after all filters have validated the new password, to notify the filters that the change has been made. The following illustration shows this process.


    Password change notification is used to synchronize password changes to foreign account databases.

    Password filters are used to enforce password policy. Filters validate new passwords and indicate whether the new password conforms to the implemented password policy.

    For an overview of using password filters, see Using Password Filters.

    For a list of password filter functions, see Password Filter Functions.

    The following topics provide more information about password filters:

     

    1.  Password Filter Functions

    The following password filter functions are implemented by custom password filter DLLs to provide password filtering and password change notification.

    Function                  Description
    InitializeChangeNotify    Indicates that a password filter DLL is initialized.
    PasswordChangeNotify      Indicates that a password has been changed.
    PasswordFilter            Validates a new password based on password policy.

     

    2.  Password Filter Programming Considerations

    When implementing password filter export functions, keep the following considerations in mind:

    • Take great care when working with plaintext passwords. Sending plaintext passwords over networks could compromise security. Network “sniffers” can easily watch for plaintext password traffic.
    • Erase all memory used to store passwords by calling the SecureZeroMemory function before freeing memory.
    • All buffers passed into password notification and filter routines should be treated as read-only. Writing data to these buffers may cause unstable behavior.
    • All password notification and filter routines should be thread-safe. Use critical sections or other synchronous programming techniques to protect data where appropriate.
    • Password notification and filtering take place only on the computer that houses the account.
    • All domain controllers are writeable, therefore password filter packages must be present on all domain controllers.

    Windows NT 4.0 domains: Notification on domain accounts takes place only on the primary domain controller. In addition to the primary domain controller, the password filter packages should be installed on all backup domain controllers to allow notifications to continue in the event of server role changes.

    • All password filter DLLs run in the security context of the local system account.

    For information about                                       See
    How to install and register your own password filter DLL.   Installing and Registering a Password Filter DLL
    The password filter DLL provided by Microsoft.              Strong Password Enforcement and Passfilt.dll
    Export functions implemented by a password filter DLL.      Password Filter Functions

     

    3.  Installing and Registering a Password Filter DLL

    You can use the Windows password filter to filter domain or local account passwords. To use the password filter for domain accounts, install and register the DLL on each domain controller in the domain.

    Perform the following steps to install your password filter. You can perform these steps manually, or you can write an installer to perform these steps. You need to be an Administrator or belong to the Administrator Group to perform these steps.

    To install and register a Windows password filter DLL

    1.       Copy the DLL to the Windows installation directory on the domain controller or local computer. On standard installations, the default folder is \Windows\System32. Make sure that you create a 32-bit password filter DLL for 32-bit computers and a 64-bit password filter DLL for 64-bit computers, and then copy them to the appropriate location.

    2.       To register the password filter, update the following system registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    If the Notification Packages subkey exists, add the name of your DLL to the existing value data. Do not overwrite the existing values, and do not include the .dll extension.

    If the Notification Packages subkey does not exist, add it, and then specify the name of the DLL for the value data. Do not include the .dll extension.

    The Notification Packages subkey can add multiple packages.

    3.       Find the password complexity setting.

    In Control Panel, click Performance and Maintenance, click Administrative Tools, double-click Local Security Policy, double-click Account Policies, and then double-click Password Policy.

    4.       To enforce both the default Windows password filter and the custom password filter, ensure that the Passwords must meet complexity requirements policy setting is enabled. Otherwise, disable the Passwords must meet complexity requirements policy setting.

     

     

    II.                Enforce Custom Password Policies in Windows

     

    Most people take the easy way out and use the default filter in order to validate passwords. But did you know you can employ authentication modules to customize your password policies to reflect your organization’s unique security requirements? Find out how in this article.

    by Yevgeny Menaker

    Microsoft Windows allows you to define various password policy rules. Specifically, it allows you to enable the “Password must meet complexity requirements” setting using the Policy Editor. This validates user passwords against password filter(s) (system DLL(s)). Usually, people use the default filter. However, many admins say they’d prefer a Linux-style validation, which would allow them to install various pluggable authentication modules (Linux-PAM modules) to filter user passwords (authentication tokens). You can easily adapt these modules to reflect your organization’s security policy with the help of Linux configuration text files. The ability to add such modules creates more flexibility in composing password policies. With the help of such custom modules (which, of course, have to be developed by Linux programmers), Linux administrators may even author a regular expression for matching user passwords. Go to www.kernel.org/pub/linux/libs/pam/ for more detailed information about Linux-PAM and the available modules.

     

    The Linux model described above may be employed on Windows machines as well.

    What You Need: Windows NT/2000/XP


    In this article, learn how to create a Custom Password Filter (DLL in C++) that validates passwords against a configurable regular expression. The RegEx functionality is implemented based on the Boost open source library because it has wide support for regular expressions.

    Let’s start with an overview of the Windows Security system.

    Windows Security
    Windows Security is a policy-based system with a set of rules that compose security settings for a local machine or domain. The work of policy-based systems usually has three major stages:

    1. Creating rules to compose a policy.
    2. Searching for evidences.
    3. Enforcing policy based on the evidences.

    There is a parallel between the above stages and real-life legal systems. Most countries have an authority (usually parliament or senate) that makes laws. This corresponds to the first stage (composing the policy). Police departments are the guards of the legal system, responsible for collecting evidence (e.g. measuring car speed on highways) and enforcing the existing laws based on that evidence (e.g. canceling a driving license in case of exceeding the speed limit). So, a police force corresponds to the second and third stages.

    In Windows security, system administrators play the role of parliament. They dictate the policy for an organization domain. In some cases, regular users also design security policy (e.g. when choosing their own passwords). The police uniform is given to the local security authority (LSA) Windows sub-system. LSA collects evidences for decision-making and enforces the policies (laws). The LSA sub-system is represented by the lsass.exe Windows process and several system DLLs.

     

    III.             Configuring Security Policy

    System Administrators are usually responsible for configuring Security Policy. Since this article is about password filters, I’ll use configuring Password Policy as the example.

     


     

    Figure 1. The “Local Security Policy” Management Console: This shows the list of security settings that compose your password policy on the local machine.

     

    As mentioned previously, regular users are involved in composing security settings when they choose their own log-on passwords. However, because a weak password can make a system vulnerable and compromise the organization’s security, system administrators need more control over this issue and must be able to disallow passwords that are too simple, too short or vulnerable to dictionary attacks. In other words, you need to compose a password policy that meets your organization’s security requirements.

    To edit security policies, you can use either the secedit.exe command line utility or the “Domain Security Policy” graphical console available from Control Panel -> Administrative Tools on the domain controller machine. With this tool, you will govern the security policy for all the computers in the Windows domain. Note that on a workstation machine, only the “Local Security Policy” console is installed (shown in Figure 1). Local policy affects settings on the local machine and it doesn’t override domain policy. Thus, the security settings will be effective for local machine users, but not for domain users. This article uses the graphical tool to alter security settings on the local machine.


     

    Figure 2. Editing Password Policy Rules: Double-click the “Minimum password length” item to display the dialog window.

     

    The left pane of the management console contains an Explorer-like tree. Each node represents a different Security Policy. In this example, you’ll make modifications to the Password Policy to require users to choose long enough passwords (at least 10 characters). Here’s how to do it:

    Expand the “Account Policies” node and select “Password Policy.” On the right pane of the management console, you should see a list of security settings (rules) that compose the password policy as shown in Figure 1. Double-click the “Minimum password length” item to display the dialog window (Figure 2). Edit the text field, setting the minimum password length to 10 characters, and click OK.

    Congratulations! The new rule is ready. From now on, LSA will not allow your users to choose passwords shorter than 10 characters.

    An interesting rule from the Password Policy set is “Password must meet complexity requirements.” This rule may be either Disabled or Enabled. In the Disabled state it has no effect. Enabling this rule instructs LSA to validate each password against Password Filters. If you don’t provide any filter, the default is used (which is considered relatively strong). However, the default allows simple passwords, such as Paris123. You definitely want more powerful filters and this is where Custom Password Filters can be helpful.

    What Is a Password Filter?
    A Password Filter plays a primary role in decision-making regarding user passwords. By definition, a Password Filter is a system DLL that exports three functions with the following prototypes (note the __stdcall calling convention):

    BOOLEAN __stdcall InitializeChangeNotify(void);     // (1)

    BOOLEAN __stdcall PasswordFilter(                   // (2)
        PUNICODE_STRING AccountName,
        PUNICODE_STRING FullName,
        PUNICODE_STRING Password,
        BOOLEAN SetOperation
    );

    NTSTATUS __stdcall PasswordChangeNotify(            // (3)
        PUNICODE_STRING UserName,
        ULONG RelativeId,
        PUNICODE_STRING NewPassword
    );

    How does LSA interact with Custom Password Filters by means of the above interface? First, assume that the “Password must meet complexity requirements” rule is Enabled. On the system startup, LSA loads all the available Password Filters and calls the InitializeChangeNotify() function. When LSA receives TRUE as a return value, this means that the Password Filter loaded successfully and functions properly. Upon this call, LSA also builds a chain of available Password Filters (those that returned TRUE).

    When you’re giving a password to a new user or modifying an existing user’s password, LSA assures that every link in Password Filters Chain is satisfied with a new password. LSA invokes the PasswordFilter() function of each filter in the chain. If one filter in a chain returned FALSE, LSA does NOT continue calling the next filter. Instead, it asks the user to provide another password. If every call to PasswordFilter on every filter returns a TRUE value, a new password is approved and each filter is notified about it through the PasswordChangeNotify() function.

    As you can see, the Password Filter is a handy tool for LSA (or, the Windows Police), acting as a speed trap for highway patrol, helping to collect evidence from the “field.” These evidences are useful in the third stage, where policies are enforced.

    Before You Implement…
    Consider the following issues before you start coding your own Password Filters:

    *       Treat sensitive data carefully. The PasswordFilter and PasswordChangeNotify functions receive passwords in clear-text format. These passwords should be processed fast and shouldn’t leave any trails in your memory for malicious applications to capture. Introduced in Windows 2003, the SecureZeroMemory Win32 API cleans specified memory. Traditional ZeroMemory may not be enough, since “smart” compilers will optimize your code and remove calls to this API. To make sure there are no such “useful” optimizations, read a random byte from a password string after it was filled with zeros.

    *       Make your filters fast and efficient. When LSA calls into the Password Filter function, most Windows processing stops, so make sure you don’t perform any lengthy operations.

    *       Expect the unexpected. Because LSA loads password filters during start-up, if something goes wrong, your system may become inoperable or go into deadlock. To avoid this, develop and test your DLLs on machines that have at least two operating systems installed. I have Linux and XP on my box and I found it highly useful when preparing this article. When I encountered problems, I booted from Linux and deleted the Password Filter DLL.

    *       Log your actions. Password Filters run in the context of the lsass.exe process. I don’t recommend debugging this process, because after you close the debugger and end the process, your system will shutdown. The best way to debug your already-running filter is to write the log files to disk and follow them to fix the bugs.

    *       Pre-debug your DLL. While lsass.exe debugging is not recommended, you may test your fresh Password Filter by writing a small unit-test program. In this program, load your DLL with a call to the LoadLibrary Win32 API and invoke the exported functions (after getting their addresses with GetProcAddress Win32 API calls). This way, you may check that your filter doesn’t crash and functions properly.

     

    IV.            The RegEx Password Filter Sample

    Now that you’re aware of all the possible pitfalls, it’s high time for code action. This section will walk you through the sample provided with this article. I’ve created a VS7 solution with the PasswordFilterRegEx VC project.

    As the Password Filter definition requires, you export three functions. Here’s the code for the DEF file included within the sample project:

    LIBRARY PasswordFilterRegEx
    EXPORTS
        InitializeChangeNotify
        PasswordChangeNotify
        PasswordFilter

     

     
     

    The PasswordFilterRegEx.cpp contains source code for the exported functions. The implementations of InitializeChangeNotify and PasswordChangeNotify are quite simple:

    // Initialization of Password filter.
    // This implementation just returns TRUE
    // to let LSA know everything is fine
    BOOLEAN __stdcall InitializeChangeNotify(void)
    {
        WriteToLog("InitializeChangeNotify()");
        return TRUE;
    }

    // This function is called by LSA when password
    // was successfully changed.
    //
    // This implementation just returns 0 (Success)
    NTSTATUS __stdcall PasswordChangeNotify(
        PUNICODE_STRING UserName,
        ULONG RelativeId,
        PUNICODE_STRING NewPassword
    )
    {
        WriteToLog("PasswordChangeNotify()");
        return 0;
    }

    The bulk of the work is done in the PasswordFilter function (shown in Listing 1). First, create a zero-terminating copy of a password string and assign it to an STL wstring object (STL is used in conjunction with the boost regex library):

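    // UNICODE_STRING.Length is a byte count, not a character count, and
    // Buffer is not guaranteed to be zero-terminated. The allocation below
    // is therefore larger than needed, which is harmless, but the copy and
    // the terminator must use the character count.
    wszPassword = new wchar_t[Password->Length + 1];
    if (NULL == wszPassword)
    {
        throw E_OUTOFMEMORY;
    }
    wcsncpy(wszPassword, Password->Buffer, Password->Length / sizeof(wchar_t));
    wszPassword[Password->Length / sizeof(wchar_t)] = 0;
    WriteToLog("Going to check password");

    // Initialize STL string
    wstrPassword = wszPassword;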

    Next, the regular expression is instantiated. The sample Password Filter reads the regular expression from the RegEx value of the following registry key:

    HKEY_LOCAL_MACHINE\Software\DevX\PasswordFilter

    If the value is not found in registry, the dummy default regular expression (“^(A)$”) is used.

    Finally, validate the password against the regular expression and return the results to the caller (LSA):

    WriteToLog("Going to run match");

    // Prepare iterators
    wstring::const_iterator start = wstrPassword.begin();
    wstring::const_iterator end = wstrPassword.end();
    match_results<wstring::const_iterator> what;
    unsigned int flags = match_default;
    bMatch = regex_match(start, end, what, wrePassword);
    if (bMatch)
    {
        WriteToLog("Password matches specified RegEx");
    }
    else
    {
        WriteToLog("Password does NOT match specified RegEx");
    }

    . . .

    return bMatch;

    Just before you return the results to LSA, perform memory clean-up:

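    // Erase all temporary password data
    // for security reasons
    wstrPassword.replace(0, wstrPassword.length(), wstrPassword.length(),
        (wchar_t)'?');
    wstrPassword.erase();
    if (NULL != wszPassword)
    {
        ZeroMemory(wszPassword, Password->Length);
        // Assure that there is no compiler optimizations and read random byte
        // from cleaned password string. The value goes into a volatile so the
        // read itself cannot be discarded, and the read is skipped for an
        // empty password (the modulo would otherwise divide by zero).
        size_t cchWiped = Password->Length / sizeof(wchar_t);
        if (cchWiped > 0)
        {
            srand((unsigned int)time(NULL));
            volatile wchar_t wch = wszPassword[rand() % cchWiped];
            (void)wch;
        }
        delete [] wszPassword;
        wszPassword = NULL;
    }
    return bMatch;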
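
The copy, match and wipe steps walked through above, as a portable added example that is not the article's sample code. It assumes std::wregex in place of Boost and a constructed UnicodeStringView struct in place of UNICODE_STRING; password_allowed, check_prefix, secure_wipe and wipe_leaves_zeros are hypothetical names.

```cpp
#include <cstddef>
#include <exception>
#include <iostream>
#include <regex>
#include <string>

// Constructed stand-in for the Windows UNICODE_STRING type so the example
// builds without <windows.h>. As in the real type, Length is a BYTE count
// and Buffer is not guaranteed to be zero-terminated.
struct UnicodeStringView {
    unsigned short Length;         // bytes in use
    unsigned short MaximumLength;  // bytes allocated
    const wchar_t* Buffer;
};

// The test expression from the article's PasswordFilter.reg file.
const std::wstring kArticleRegEx = L"^([a-zA-Z]+)(\\d+)([a-zA-Z]+)$";

// Zero memory through a volatile pointer: each store is an observable side
// effect, so the optimizer may not remove the wipe as a dead write.
void secure_wipe(void* p, std::size_t bytes) {
    volatile unsigned char* b = static_cast<volatile unsigned char*>(p);
    while (bytes--) *b++ = 0;
}

// Hypothetical helper: the verdict a PasswordFilter() export would return.
bool password_allowed(const UnicodeStringView* pw, const std::wstring& pattern) {
    if (pw == nullptr || pw->Buffer == nullptr) return false;
    const std::size_t cch = pw->Length / sizeof(wchar_t);  // bytes -> characters
    std::wstring copy;
    bool ok = false;
    try {
        copy.assign(pw->Buffer, cch);  // copies exactly cch characters
        ok = std::regex_match(copy, std::wregex(pattern));
    } catch (const std::exception&) {
        // No exception may escape into the host process. Rejecting on a bad
        // pattern or allocation failure is this example's choice (fail closed).
        ok = false;
    }
    if (!copy.empty()) secure_wipe(&copy[0], copy.size() * sizeof(wchar_t));
    return ok;
}

// Checks only the first cch characters of a longer constructed buffer, which
// models a password string that has other data, not a terminator, after it.
bool check_prefix(const wchar_t* backing, std::size_t cch,
                  const std::wstring& pattern) {
    UnicodeStringView v;
    v.Length = static_cast<unsigned short>(cch * sizeof(wchar_t));
    v.MaximumLength = v.Length;
    v.Buffer = backing;
    return password_allowed(&v, pattern);
}

// Confirms that secure_wipe() leaves no character of the buffer behind.
bool wipe_leaves_zeros() {
    wchar_t scratch[] = L"Paris2003A";  // constructed sample value
    secure_wipe(scratch, sizeof(scratch));
    for (std::size_t i = 0; i < sizeof(scratch) / sizeof(scratch[0]); ++i)
        if (scratch[i] != 0) return false;
    return true;
}

int main() {
    // Constructed input: reading all 13 characters would match the pattern,
    // so a filter that ignored Length would wrongly approve "Paris2003".
    const wchar_t backing[] = L"Paris2003Axyz";
    std::cout << "Paris2003  allowed: " << check_prefix(backing, 9, kArticleRegEx) << "\n";
    std::cout << "Paris2003A allowed: " << check_prefix(backing, 10, kArticleRegEx) << "\n";
    std::cout << "wipe ok: " << wipe_leaves_zeros() << "\n";
    return 0;
}
```
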

     

    V.              Installing the Password Filter

    Note: In order to filter passwords for domain users, you should use the “Domain Security Policy” console on the domain controller machine and install your password filter there. In this example, the entire configuration is done on the local machine. Hence, the Password Filter will validate passwords for my local machine accounts. Follow this procedure to activate your fresh Password Filter (the same procedure is applicable for the domain controller):

    *       Enable the “Password must meet complexity requirements” rule of the Password Policy.

    *       Copy the Password Filter DLL to the %SystemRoot%\system32 folder on your machine.

    *       Open the Registry Editor (regedit.exe) and locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    *       Modify the “Notification Packages” multi-string value of the above key and add your Password Filter file name without the “.dll” extension. Add the PasswordFilterRegEx string as shown in Figure 3.


     

    Figure 3. Editing “Notification Packages”: Add the PasswordFilterRegEx string.

     

    *       Close Registry Editor and restart your machine.

    Your Password Filter in Action
    After you’ve installed Password Filter and restarted your machine, you’re ready for testing. The source code includes a simple regular expression for testing purposes. Find it in the RegEx value of the HKLM\Software\DevX\PasswordFilter key (the PasswordFilter.reg file is provided with the code for your convenience):

    ^([a-zA-Z]+)(\d+)([a-zA-Z]+)$

    In other words, start with letters, have some digits in the middle and end up with letters again. This regular expression is not recommended as a strong Password Regular expression, but it is useful for assessing whether your Password Filter does its job.


     

    Figure 4. Creating a New User: Select Expand Local Users and Groups, right-click on the Users node, and choose the New User menu item.

     

    Remember that this filter stands after the default Windows filter in the chain. So, in order to have any effect, you’ll need tougher requirements than the default. The Paris2003 password will validate against the default filter, but the test regular expression won’t match it. To check this, create a new user. If you use Domain Controller, create a user with Active Directory. On the stand-alone Workstation machine, right-click on My Computer and choose the Manage item from the context menu. Select Expand Local Users and Groups, right-click on the Users node, and choose the New User menu item as shown in Figure 4.

    Fill in the new user’s details and assign a password. Try a simple one (e.g.: Paris2003) and you will get an error message from LSA (Figure 5). Try a different, more complex password (e.g.: Paris2003A) and it will be accepted.

    The Secret Is Out
    While there are several commercial products that implement Password Filters, it isn’t really all that difficult. Now that you understand how they work, you can provide your own, customized solution.


     

    Figure 5. Error!: This password doesn’t meet the complexity requirements.

     

     

     

     

     

     

    VI.            Source Code Compiler by VC++

     

           Download Boost link: http://nchc.dl.sourceforge.net/project/boost/boost/1.50.0/boost_1_50_0.zip

     

           Error when Building:

    I wrote a project which uses <boost/thread/locks.hpp>. I added the include directory to Additional Include Directories, and the lib folder to the linker. But when I try to build the solution, I get this error:

    Error 1 error LNK1104: cannot open file ‘libboost_thread-vc100-mt-sgd-1_50.lib’

    I searched for this file in the lib directory, but there is no file with this name in the lib directory. I found a file with a similar name, libboost_thread-vc100-mt-gd-1_50.

           Answer: I built them following the guide at boost.org/doc/libs/1_50_0/doc/html/bbv2/installation.html

           Installation

    To install Boost.Build from an official release or a nightly build, as available on the official web site, follow these steps:

    1.     Unpack the release. On the command line, go to the root of the unpacked tree.

    2.     Run either .\bootstrap.bat (on Windows), or ./bootstrap.sh (on other operating systems).

    3.     Run

    ./b2 install --prefix=PREFIX

    where PREFIX is a directory where you want Boost.Build to be installed.

    4.     Optionally, add PREFIX/bin to your PATH environment variable.

    If you are not using a Boost.Build package, but rather the version bundled with the Boost C++ Libraries, the above commands should be run in the tools/build/v2 directory.

    Now that Boost.Build is installed, you can try some of the examples. Copy PREFIX/share/boost-build/examples/hello to a different directory, then change to that directory and run:

    PREFIX/bin/b2

    A simple executable should be built.
