Bringing Paper to the Computer Screen

Two years ago, my office embarked on the road towards reducing the amount of paper we keep on-site and in storage. We have thousands of boxes in storage and easily hundreds just stacked around various places in the office. For a while, it was hard to convince people that it was a good idea to have some kind of backup solution in place for all these hard copies.

We went looking for a solution that was similar to how paper was already organized naturally. We reviewed a few different options, but most were trying to force paper files to be managed in the same way people use Windows Explorer, which isn’t how people organize papers in their file cabinets. ImageRight was designed to line up with the way people use paper – documents in folders or files and then organized in drawers.

While it makes sense when you are touching paper, it’s hard to get your head around the terminology when it directly conflicts with the way Windows uses the same terms. In ImageRight, much like with real paper, a DRAWER stores hanging FILES that hold manila FOLDERS in which the DOCUMENTS are organized, some with multiple PAGES. In Windows Explorer, the FOLDERS hold the FILES (ImageRight is opposite), some of which have multiple PAGES.

So while everyone in my office is working to best utilize ImagRight, there is still a lot of struggle with the terminology.

An Oldie But Goodie

Recently, I rolled out the Client Side Extensions for XP in order to support Group Policy Preferences. The change in the GPO to use preferences instead of scripts for mapping some drive letters was a non-event for the majority of our staff machines. But there were a few reports of the the mappings not taking place. A closer look at these machines proved that they had not recieved the update for the Client Side Extensions.

I’m running WSUS 3.0 SP1 in our office to update client machines. We have a lot of “spare” machine on the floor for use by visitors and consultants, often those machines are powered off for long periods of time. Because of this I don’t worry too much about machines that haven’t reported in to WSUS for 30+ days, unless they appear to be assigned to a regular user. When I checked WSUS for the status of the machines with the policy issue, they had not updated in a long period of time.

Those machines were throwing a “0x8024400e” error in the Windows Update log file. This error was documented a while back in the WSUS Product Team Blog. The fix to the problem is to “decline” (if not already declined) the Office 2003 Service Pack 1 update, un-decline (but not approve) it, and then decline again.

After that, the affected client machines will be able to get updates again. This worked for the all but one of the machines that I saw this problem with. The last box then threw a “80072ee2” error in the Windows Update logs.
This is related to general connectivity to the WSUS server. To solve this, I did a “hard reset” of the WSUS client by stopping the Automatic Update Service, deleting the contents of the C:\Windows\SoftwareDistribution folder and then restarting the Automatic Update service again. Then I used the wuauclt.exe tool with the “/detectnow” switch to kick of an update immediately.

Sometime this week, I’ll have to go around at turn on all those spare computers, to make sure they all report in to WSUS and confirm that no other machines need special handling.

Mark Your Calendar

Mark your calenders, Microsoft has two upcoming Windows 7 and Windows 2008 R2 events planned in San Francisco.
TechNet Presents: Windows 7 and Windows Server 2008 R2 – September 9th.
Topics include: Migrating Windows XP to Windows 7, Securing Windows 7 in a Windows Server 2008 R2 Environment, and New Features in Windows Server 2008 R2 Directory Services
The New Efficiency – Windows 7/Server 2008 R2/Exchange Server 2010 Launch – October 20th.
Several lectures in 3 different tracks, include topics such as: Introducing Windows 7 and the Windows Optimized Desktop, Windows Server 2008 R2 Virtualization Technologies– Saving IT Costs, and Exchange 2010 Archiving and Retention.
Other dates and cities are available as well. See you there!

XP Mode in Action

Today I arrived at the office to find a new workstation ready for me to set up with our volume licensed version of Windows 7. (Kudos to my collegue who makes my hardware wishes come true.) My goal is to replace my primary XP workstation, so I decided to start with our ImageRight client software, since I use/administer that daily and it’s fast become one of our key enterprise applications.

I remembered that I was able to install ImageRight successfully on Windows Vista once before, so I expected success with Windows 7. However, my new box is 64-bit and the ImageRight installer program was not recognizing the 64-bit version of .NET Framework 2.0. I don’t know if this is just an issue with the installer prerequisite check or if the program just won’t run at all on 64-bit, but I guess I’ll save that question for the ImageRight conference at the end of the month.

So I opted to install XP Mode and setup the software there. The ImageRight installation was successful on the XP VM and I was happy to see the program begin to launch. However, it stalled out due to a logon failure. We use the ImageRight Active Directory integration to take advantage of single sign-on, but the XP Mode VM wasn’t part of our corporate domain and automatically logged on as “XPMUser” when launched. Thus, ImageRight could get past the logon screen.

I loaded the desktop of the VM and joined it to our domain. Then I tweaked the registry settings for the automatic logon enough that it now prompts me for my domain credentials. The ImageRight software launched properly, so for the sake of today’s goals I’m happy with having to re-enter my credentials when the VM launches for the first time.

I’d like to refine the authentication issue further and might take a closer look into MED-V, especially if we start planning to roll out Windows 7 in the near future on 64-bit boxes and need a more managed solution. If we are sticking with our existing 32-bit hardware, it’s less likely that we’ll need XP Mode to support this particular application, but we have other legacy application that may need similar handling.

Until then, I’ve got what I need from XP Mode.

What voice mail?

Only had a few days this past work week to get caught up after a short vacation and telecommunications related items seems to percolate to the top of my list at the end of last week. My office runs Shoretel for our phone system and a user reported a problem with her alerts for voice mail, saying all her message are ending up in the “heard” box, so the message waiting indicator doesn’t light up on her phone.

No one else is reporting this issue, but for good measure I restarted some of the voicemail services this weekend. On Monday I’ll need to check her desktop settings to make sure she doesn’t have something conflicting going on with the way Outlook integration handles her voicemail messages, since it’s possible for someone to configure Outlook to automatically move voicemails out of the inbox using a rule and then have them automatically marked as heard, rendering them essentially invisible.

Also, spent part of my Friday down at the Shoretel office in Sunnyvale giving user feedback on some of their future phones. I can’t talk details, but it was certainly fun to be involved. It reminded me that I really need to start planning to upgrade our Shoretel software later this year. We are several (embarrassing!) versions behind at this point and there are some features in the newer versions that I’m sure our office would like to take advantage of.

Getting Busy(er) with Group Policy Perferences

Spent the afternoon away from the office yesterday attending a seminar hosted by BeyondTrust. They had Derek Melber, an MVP for Group Policy, presenting on Enterprise Security and Standardization. It a was great presentation and served to remind me about all the features I was missing out on by not getting around to taking advantage of Group Policy Preferences.

Because you know how it goes. You spend a few thousand company dollars attended TechEd or another conference along the same lines and spend the week in awe of all the things you want to do when you get back to the office. And then you return to a world of help desk calls, a backlog of emails, and series of small fires and – well, you just slip back into the old grind.

I was determined to not let this slide again. Today I got into the office, banged out a few help desk tickets and set myself up a shiny new VM with Vista SP1 and the RSAT tools. Then I popped over to my WSUS server to hunt down the required XP Client Side Extensions. (They are a “feature pack”, which is not something I usually have WSUS sync for, so I needed to make that adjustment.) Then I approved that update for all my XP workstations for the next update cycle.

On Monday, I hope to be able to start putting together some new GPOs that will replace my logon scripts. Assuming there aren’t any fires smoldering, of course.

Stumbling Over AD Intergration in ImageRight

Friday night, I was responsible for a maintenance upgrade to our document imaging system, ImageRight. This upgrade was required to repair a potentially serious data corruption issue that was discovered by the vendor. We weren’t affected by the corruption at the time it was discovered but some functionality had been disabled as a work-around, so we had to schedule time to perform the fix.

First off, let me say that I really like the vendor and I like how the product works overall. However, we always seem to be the client who has issues that the vendor never seems to encounter before. It was almost refreshing when they called about the corruption issue and it wasn’t something we’d found first.

Friday morning, I had exchanged a few emails with the vendor support tech who was going to do the upgrade to firm up the planned roll-back procedures (for our change management documents) and to clarify any last minute items. He mentioned a known bug related to environments with ImageRight users that spanned multiple Active Directory domains, fondly referred to as the “AD dual domain bug” and how the upgrade shouldn’t be performed if we had an environment with those characteristics.

Yes, we have two domains. But no, we don’t have accounts that are used by ImageRight from the second domain. We confirmed those details and I mentioned in one of my reply emails that the AD bug had me a bit worried anyway. I was told my environment wasn’t going to be an issue based on their testing. (Okiedookie then.)

So away we went with the upgrade. That was the easy part. Then came the testing.

Exactly half the program worked – literally half. The program launches two windows when it starts – one window acts as the file manager, for searching and loading image files and the other is the image viewer. I could see and use the file manager portion, but the viewer never loaded, only returning an error that was cryptic overall but referenced active directory about 15 times.

Um, yeah.

So they uninstalled and reinstalled just to make sure some random DLL wasn’t left behind or something. But that didn’t solve the problem. I chilled out on hold for a while. It was already after 7pm here on the west coast, so I felt a little bad for the tech on the east coast. “Are we sure this isn’t a different manifestation of the AD bug?”, I asked.

I chilled out on hold for a while longer while the support tech consults some developers on his cell phone. No, it shouldn’t be the AD bug, we are getting an error “too soon” in the loading of the program, but there is a hotfix for that bug that should be released on Monday. A developer was working on getting a copy for us now if we wanted to try that.

Why not? It’s already broken, might as well toss one more thing at it before we roll everything back. Sure enough the hotfix did the trick, avoiding a roll-back and saving me another late night at the office. I wasn’t surprised that it was yet another instance of something no other client they have has ever experienced.

I’m not sure how I feel about always being the “one-off” case, but it always seems to work out fine in the end. Though I’m thinking of framing my “I’m a bit worried about the AD bug” email that I sent out before we even began.

Where to Get Started with XP Mode for Windows 7

body {margin:8px} .tr-field {font:normal x-small arial}

Thinking about checking out XP Mode for Windows 7? The one-stop shop to get you started is at the Microsoft product area for Virtual PC. Don’t forget to confirm that your PC can run XP mode. Turns out my “lab” desktop machine at the office doesn’t cut it, so I’m going to have see if we have something newer available.

My office runs a variety legacy and homegrown applications that currently work on XP, so the ability to use XP Mode might impact how soon we can consider upgrading to Windows 7.

MS Security Advisory

Keep an eye out for this one since there isn’t a fix yet, outside of a workaround disabling some COM objects in the registry for Windows XP and Windows Server 2003.

Microsoft Security Advisory (972890) – Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution

I suspect we’ll see a patch very soon. Vista and Windows Server 2008 are not affected, so those running the Windows 7 RC are likely safe too!

72 Hours of Barracuda

Before I left the office for the weekend, I installed a Barracuda Spam Firewall on the network. We’ve had nagging, random upticks in the amount of spam that was making it past the Antigen software running on our Exchange Server – even with filter updates multiple times a day. The Outlook filters were catching a lot of the additional UCE that was delivered to users, but it’s not an ideal solution. For those of us who have mobile devices, that spam was getting delivered to those devices regardless of how the desktop client handled it later.

I just checked on how the Barracuda was doing and it had blocked over 11,000 messages since Friday evening. Antigen didn’t have the most exciting reporting features without exporting things to a spreadsheet and playing around with pivot tables, so I can’t say for sure how it compares, but I was impressed. I’ll have to export some of the logs from Antigen at some point and make an official comparison.

It also allowed nearly 300 messages through, many of which were bulk mail that was tagged as such. So I’ll have to tweek that a bit tomorrow. It was just nice to have a weekend where I didn’t get spam passed through to my BlackBerry.

Hopefully people in the office will be impressed as well. I’ll let this run for another week or so and then look into turning on the end-user quarantines.