Archive for the ‘Powershell’ Category

Certificate Authority Request Monitoring with Powershell

November 24th, 2009 tcnolan No comments

Rolling out a certificate authority in Windows 2003 and Windows 2008 is a relatively trivial task if you are deploying a stand-alone CA; Enterprise CAs are a bit more complex, but that’s a post for another day. The web interface (http://server.domain.local/certsrv/) is pretty limited and doesn’t provide the greatest interface for manually requesting certificates; it even relies on cookies for managing requests. It would be really nice to see Microsoft build this into a truly useful application like what you get with the Thawte Certificate Center.

One thing that is a bit frustrating is that even when you have the logging options fully enabled for the CA, events aren’t logged for new certificate requests, so you have to manually check the server on a regular basis for outstanding requests. Usually this is a low-priority kind of service in your enterprise and can get neglected, which has happened in my case a few times.

This neglect prompted me to write the following Powershell script, which very simply uses certutil to check whether there are any pending requests and then fires off an email to a list of users if there are. This script could also be easily modified to check for revoked certificates or to generate a weekly report on existing certificates to monitor expiration dates, among a bunch of other things; however, I really only needed this for requests, so that’s all it does for right now. If anyone has any interest in something else, let me know and I’ll see about updating the script to include additional features.

To use this script, all you need to do is ensure you have a copy of certutil on the machine running this, update the configurable pieces of the script, then create a scheduled task to run it every hour or so, or whatever time-frame is appropriate for you and your organization.
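As an added example (not the script from this post, which is behind the download link), here is the core of what such a monitor does: run certutil against the CA, parse the pending rows, and mail a summary only when there is something to approve. The CA config string, SMTP host and addresses are placeholders for your environment.

```powershell
# Added example, not the post's script: poll a Windows CA for pending requests with certutil
# and mail a summary when any exist; schedule it with Task Scheduler as the post suggests.
# Placeholder values (replace for your environment): CA config string, SMTP host, addresses.
$CaConfig   = 'CASERVER\Contoso Issuing CA'   # placeholder: "<host>\<CA common name>"
$SmtpServer = 'smtp.domain.local'             # placeholder
$MailFrom   = 'ca-monitor@domain.local'       # placeholder
$MailTo     = 'pki-admins@domain.local'       # placeholder recipient list

function Get-PendingCaRequest {
    param([string]$Config)
    # "-view Queue" lists rows whose Disposition is 9 (pending); -out limits the columns.
    # The account running this only needs Read access on the CA, not CA administrator rights.
    $cols  = 'Request.RequestID,Request.RequesterName,Request.SubmittedWhen,Request.CommonName'
    $lines = & certutil.exe -config $Config -view Queue -out $cols 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed ($LASTEXITCODE): $($lines -join ' ')" }

    # certutil prints "Row N:" and then one indented "Label: value" line per requested column,
    # so each row is collected into a hashtable keyed by the label certutil printed.
    $rows = @(); $row = $null
    foreach ($line in $lines) {
        if ($line -match '^Row \d+:') {
            if ($row -ne $null) { $rows += New-Object PSObject -Property $row }
            $row = @{}
        }
        elseif ($row -ne $null -and $line -match '^\s+([^:]+):\s*(.*)$') {
            $row[$matches[1].Trim()] = $matches[2].Trim(' "')
        }
    }
    if ($row -ne $null) { $rows += New-Object PSObject -Property $row }
    return $rows
}

$pending = @(Get-PendingCaRequest -Config $CaConfig)
if ($pending.Count -eq 0) { return }   # nothing outstanding: stay quiet so the mail means something

$body = "$($pending.Count) certificate request(s) are waiting for approval on $CaConfig`r`n`r`n" +
        ($pending | Format-List | Out-String)
Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
    -Subject "[CA] $($pending.Count) pending certificate request(s)" -Body $body
```

Because the mail is only sent when the queue is non-empty, a quiet hour means "nothing pending" rather than "the task did not run", so pair it with a scheduled-task history check if you rely on it.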

More information and a download link is after the break…

vSphere Client on Windows 7

September 4th, 2009 tcnolan 4 comments

Update 2010-03-03: Keep in mind that this was fixed in vSphere 4 Update 1. Although if you can’t move to Update 1 for some reason, this will still work.

Update 2009-09-08: I just updated the script because I received a report from wohali (Joan) over at VMware communities that they had a problem when the vSphere client was installed on a different drive and I have now fixed that problem.  I also added in support for making the host update utility work as well.  Lastly, I added a few output messages so you can see what’s going on and know what is getting done.

The past few months I have been enjoying Windows 7 quite a bit (both the RC and now the RTM), but at the office we use VMware for many of our clients, and the vSphere Client unfortunately has an issue with Windows 7 due to an incompatibility with a .Net 2.0 library dll that comes installed on Windows 7. When you install the vSphere client, you will usually be able to get through the install without an issue (if you have J# already installed you may encounter issues installing the vSphere client), but once you try to connect to your vSphere server you get an error stating “Error parsing <server> clients.xml file  Login will continue contact your system administrator” followed immediately by another error “The type initializer for “VirtualInfrastructure.Utils.HttpWebRequestProxy” threw an exception”, which then brings you back to the login screen, and you are unable to connect.

There’s a big thread over at VMware Communities that discusses this problem and ways to fix it. Unfortunately, it’s a manual process, and deploying this out to all of our Windows 7 employee workstations is a bit of a hassle, so I have created a Powershell script that will do the necessary work for you and create a shortcut on your desktop as well.

By default, powershell security options may prevent you from executing the script, so you may have to change a setting temporarily to get it to work. If you type “Get-ExecutionPolicy” from a powershell window you will most likely see “Restricted”, but there are a few other values as well which will all prevent you from executing the script. You can read more about this over at dotnetvj.com, where he goes into a little more detail about these execution policies and what they mean. All you need to do, though, is type “Set-ExecutionPolicy Unrestricted”. Just remember that you should probably set the execution policy back to its previous value after you run the script for security purposes. Lastly, you will also need to run powershell as an administrator if you have UAC turned on, because this script has to add files to the installation folder of your vSphere client.

Launch Powershell as Administrator


Once you have powershell running as an administrator and have changed the execution policy, it is a simple process to run this script: simply CD to the folder where you extracted the script and run it by typing “.\Windows7vSphere.ps1”. It will do the work of copying over the System.dll and creating the necessary files to launch the vSphere client in development mode so it can use that System.dll.


Change execution policy and execute Windows7vSphere.ps1

You should now have an icon on your desktop called “VMware vSphere Client (Windows 7)” which you then simply run as administrator to launch the vSphere client.  The reason you have to launch it as administrator is because it creates an environment variable that lets the vSphere client know that you are giving it a different System.dll to work with.  This is something also discussed in detail in the thread over at VMware Communities.

For anyone interested in powershell, this script also shows a few cool things such as reading from the registry, writing to an xml document, as well as creating a windows shortcut using pretty simple commands.
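As an added example, not the post’s Windows7vSphere.ps1 (download below), here are the same steps the post describes written out in plain PowerShell 2.0: read the install path from the registry, write the development-mode element into the client’s XML config, create the DEVPATH launcher, and create the desktop shortcut. The registry key and value name, the config filename VpxClient.exe.config, and the location of System.dll are assumptions, since the post does not name them.

```powershell
# Added example, not the post's Windows7vSphere.ps1: the same steps in PowerShell 2.0.
# Assumptions not taken from the post: the install path lives in the registry value below,
# the client's config file is VpxClient.exe.config, and System.dll sits next to this script.
$RegKey    = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Virtual Infrastructure Client\Launcher'  # assumed key
$Installed = (Get-ItemProperty -Path $RegKey -ErrorAction Stop).InstalledPath            # assumed value name
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$LibDir    = Join-Path $Installed 'lib'
$Config    = Join-Path $Installed 'VpxClient.exe.config'
$Launcher  = Join-Path $Installed 'VpxClient-Win7.cmd'

# 1. Private copy of the .NET 2.0 System.dll that the client can run against.
Write-Host "Copying System.dll to $LibDir"
New-Item -ItemType Directory -Path $LibDir -Force | Out-Null
Copy-Item -Path (Join-Path $ScriptDir 'System.dll') -Destination $LibDir -Force

# 2. Development mode in the .exe.config: without it the CLR ignores DEVPATH entirely.
[xml]$xml = Get-Content -Path $Config
$runtime = $xml.SelectSingleNode('/configuration/runtime')
if (-not $runtime) { $runtime = $xml.DocumentElement.AppendChild($xml.CreateElement('runtime')) }
if (-not $runtime.SelectSingleNode('developmentMode')) {
    $dev = $xml.CreateElement('developmentMode')
    $dev.SetAttribute('developerInstallation', 'true')
    $runtime.AppendChild($dev) | Out-Null
    $xml.Save($Config)
    Write-Host "Enabled developmentMode in $Config"
}

# 3. Launcher that sets DEVPATH for the client process only (not machine-wide) and starts it.
@"
@echo off
set DEVPATH=$LibDir
start "" "$(Join-Path $Installed 'VpxClient.exe')"
"@ | Set-Content -Path $Launcher -Encoding Ascii

# 4. Desktop shortcut through the WScript.Shell COM object; run it as administrator.
$Desktop  = [Environment]::GetFolderPath('Desktop')
$Shell    = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut((Join-Path $Desktop 'VMware vSphere Client (Windows 7).lnk'))
$Shortcut.TargetPath       = $Launcher
$Shortcut.WorkingDirectory = $Installed
$Shortcut.IconLocation     = Join-Path $Installed 'VpxClient.exe'
$Shortcut.Save()
Write-Host "Shortcut created on the desktop"
```

DEVPATH makes the CLR resolve assemblies from that lib folder before the GAC, so the folder must stay writable by administrators only, which it is when the client is installed under Program Files.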

Hopefully this will help a few people streamline the process of getting the vSphere client installed on your Windows 7 machines.  If you notice any problems with the script, feel free to comment and let me know and I’ll try to fix it as soon as possible.

Download the script and the dll needed here: Windows7vSphere.zip


Enumerate Distribution Groups Script Updated…

July 17th, 2009 tcnolan No comments

A reader sent in a question asking how to enumerate groups that have spaces in them, and this led me to realize I didn’t follow the specifications for valid distinguished names as well as I thought I had. If you take a look at RFC 2253 and the Microsoft page that defines security group names, you will see what the allowed characters are for these names. At this point the validation is a lot better, but it still isn’t perfect.

If you encounter a situation where you need to enumerate members of a group that my validation does not allow, you can scroll down to line 271 in the script and change the $rx variable to “.+” to make it simple which will allow you to pass any characters.  If you pass invalid characters you will get some funny errors happening, but it should work.  You may have to use quotes around the name if you are looking to use spaces or other allowed special characters.

Taking another look at the code, I also found a small bug that was causing the display of notes associated with a group to print out an error about null strings.  This should be fixed now.  If anyone notices any other problems, feel free to comment and let me know and I will try to fix it or add in the change as soon as possible.  I’ll be posting another update soon that goes the other direction of this script, one that enumerates group membership for a specific user.

Thanks again to Darren from Brisbane(?), Australia for pointing this out.

Here is the updated script download link: enumerate_groups.ps1


Enumerate Distribution Group Members

May 24th, 2009 tcnolan 2 comments

Note: Script updated on 2009/07/17 to fix two bugs.  Read more here: http://www.tinyint.com/index.php/2009/07/17/enumerate-distribution-groups-script-updated/


In my organization, we make use of many different groups to separate departments and sub-groups of each department, and many groups build off of this. We also make use of Dynamic Distribution Groups to make things a bit easier on the admin side of things. When tasked with cleaning up these distribution groups and making them easier to manage, it was a bit difficult determining who was supposed to receive mail for what group.

This is because the Get-DistributionGroupMember cmdlet doesn’t have a parameter like –expand which would give you all of the child groups and their members as well. If you have a group called “Engineering” which has 4 child groups, one for each department, and each of those groups contains the individual mailboxes, then when you perform “Get-DistributionGroupMember -Identity Engineering” you will only see the four child groups, not the members of each of those as well. This became a big issue because of how much we rely on sub-groups in our organization, and after a lot of investigation it turned out there was no way to do this built directly into any cmdlet, so I wrote a script that would do it for me. If you need to recursively enumerate distribution group members, you are unfortunately out of luck with the built-in cmdlets.

There are a number of scripts out there that serve a similar purpose as the one I have created, but most do not handle mail contacts or dynamic distribution groups, so I figured if I am going to have to add functionality, I might as well write it myself from the ground up. So now, if you are ever in need of getting child members of a distribution group you can use this script to help you out.

One nice feature here is that if you specify “-showTree” as a parameter, it will display a tree view of all the groups. Without -showTree it will just grab all child members and display them in a flat view. The script is pretty long because I included help text that displays if you run the script without any parameters, and for that reason I am just posting it as a download link. Hope this helps a few people out there who went through the same trouble I did finding out that there is no built-in way to do this!


Download Link: enumerate_groups.ps1
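As an added example (not the enumerate_groups.ps1 linked above, which this post and the July update describe), here is the recursive expansion written with the Exchange Management Shell cmdlets the post names. It passes distinguished names between calls, which sidesteps the group-name validation the update discusses, expands dynamic distribution groups through their recipient filter, and keeps a seen-set so two groups that contain each other do not loop forever; it assumes an Exchange 2007 shell.

```powershell
# Added example, not the post's enumerate_groups.ps1: recursive distribution group expansion.
# Flat mode emits one object per leaf recipient (mailbox, mail user, mail contact), each once.
# -ShowTree prints the nesting as it is walked, like the post's -showTree switch.
function Get-GroupMemberRecursive {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [switch]$ShowTree,
        [int]$Depth = 0,
        [hashtable]$Seen = @{}
    )
    # Resolve once so nested calls key on the distinguished name (spaces and commas are safe).
    $group  = Get-Recipient -Identity $Identity -ErrorAction Stop
    $indent = '  ' * $Depth
    if ($ShowTree) { Write-Host "$indent[+] $($group.Name) ($($group.RecipientTypeDetails))" }
    if ($Seen.ContainsKey($group.DistinguishedName)) { return }   # cycle guard: A contains B contains A
    $Seen[$group.DistinguishedName] = $true

    if ($group.RecipientTypeDetails -eq 'DynamicDistributionGroup') {
        # Dynamic groups store a filter, not members: evaluate it the way transport does.
        $ddg     = Get-DynamicDistributionGroup -Identity $group.DistinguishedName
        $members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                                 -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited
    } else {
        $members = Get-DistributionGroupMember -Identity $group.DistinguishedName -ResultSize Unlimited
    }

    foreach ($m in $members) {
        if ($m.RecipientTypeDetails -like '*Group') {
            # Nested distribution, security or dynamic group: recurse one level deeper.
            Get-GroupMemberRecursive -Identity $m.DistinguishedName -ShowTree:$ShowTree `
                                     -Depth ($Depth + 1) -Seen $Seen
        } else {
            if ($ShowTree) { Write-Host "$indent  - $($m.Name) <$($m.PrimarySmtpAddress)>" }
            if (-not $Seen.ContainsKey($m.DistinguishedName)) {   # flat list: each recipient once
                $Seen[$m.DistinguishedName] = $true
                New-Object PSObject -Property @{
                    Name = $m.Name; Address = $m.PrimarySmtpAddress; Type = $m.RecipientTypeDetails }
            }
        }
    }
}

# Usage: everyone who ultimately receives mail sent to "Engineering", then the same as a tree.
Get-GroupMemberRecursive -Identity 'Engineering' | Sort-Object Name | Format-Table -AutoSize
Get-GroupMemberRecursive -Identity 'Engineering' -ShowTree | Out-Null
```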
