Notes

Get list of users in a group that's very large

$grp = get-adgroup groupname -properties members
$grp.members | get-aduser | Select Name | Export-csv C:\exports\groupmembers.csv

How to set up users to edit groups

  1. Create or Locate the Group in question

  2. Give each user that needs to manage the group full control in the security tab

  3. Go to https://tagteam.emerson.edu/tools/groupadmin/

  4. Add the user and group they can manage (use the display name of the group, not the email address)

  5. Click Submit; if it succeeds you will see a message that says "Successful!"

  6. Have the user go to http://pages.emerson.edu/myaccount/groupmanagement to manage group members.

To manage the group:

  1. Log in to http://pages.emerson.edu/myaccount/groupmanagement

  2. All groups that you have permission to manage will show up in this list.

  3. Select the group you want to manage, and click edit group

  4. On the next screen, Enter the usernames (firstname_lastname) and click "add"

  5. To delete click the check box next to the name and click "remove"

Exchange Permissions that do not migrate

Full Access

Import-Csv c:\temp\mailboxes.csv | Get-MailboxPermission | where {($_.User.ToString() -ne "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation C:\temp\FullAccess-Audit.csv


Send As

Import-Csv c:\temp\mailboxes.csv | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Export-Csv -Path C:\temp\SendAs-Audit.csv -NoTypeInformation


Send on Behalf

Import-Csv c:\temp\mailboxes.csv | Get-Mailbox | Select-Object Name, @{Name="GrantSendOnBehalfTo";Expression={[string]::join(";",($_.GrantSendOnBehalfTo))}} | Export-Csv -Path C:\temp\SendOnBehalf-Audit.csv -NoTypeInformation

Delivery Restrictions
AcceptMessagesOnlyFrom
AcceptMessagesOnlyFromDLMembers
RejectMessagesFrom
RejectMessagesFromDLMembers

Get-DistributionGroup | Select Name, Alias, @{Name="AcceptMessagesOnlyFrom";Expression={[string]::join(";", ($_.AcceptMessagesOnlyFrom))}} ,@{Name="AcceptMessagesOnlyFromDLMembers";Expression={[string]::join(";", ($_.AcceptMessagesOnlyFromDLMembers))}} ,@{Name="RejectMessagesFrom";Expression={[string]::join(";", ($_.RejectMessagesFrom))}} ,@{Name="RejectMessagesFromDLMembers";Expression={[string]::join(";", ($_.RejectMessagesFromDLMembers))}} ,RequireSenderAuthenticationEnabled, @{Name="GrantSendOnBehalfTo";Expression={[string]::join(";",($_.GrantSendOnBehalfTo))}} | Export-Csv C:\temp\DistGroup-DeliveryRestrictions-Test.csv

Get-Mailbox | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity, User, Deny | Export-CSV c:\temp\test.csv

Get-Mailbox -resultsize unlimited | Where {$_.GrantSendOnBehalfTo -ne $null} | select Alias, @{Name="GrantSendOnBehalfTo";Expression={[string]::join(";", ($_.GrantSendOnBehalfTo))}} | Export-CSV C:\SendOnBehalf.csv

Get-mailbox cdalumni | Get-MailboxPermission | ?{($_.IsInherited -eq $False) -and -not ($_.User -match "NT AUTHORITY")} |Select User,Identity,Alias,@{Name="AccessRights";Expression={$_.AccessRights}},@{Name="GrantSendOnBehalfTo";Expression={[string]::join(";", ($_.GrantSendOnBehalfTo))}} | Export-csv C:\mailboxPermission.csv -noTypeInformation

Get Alias from Fully Qualified Account Name

Clear-Variable list
$list = import-csv .\Book1.csv | Select-Object -ExpandProperty AcceptMessagesOnlyFrom
foreach ($l in $list) {get-mailbox -identity "$l" | Select name, Alias, userprincipalname | Export-csv .\results.csv -Append}

foreach ($l in $list) {get-mailuser -identity "$l" | Select name, Alias, userprincipalname, emailaddress | Export-csv .\results.csv -Append}
$mailboxes = Invoke-Command -Session (Get-PSSession) -ScriptBlock {Get-Mailbox -ResultSize Unlimited | Select-Object -Property Identity,DisplayName}
# A foreach statement cannot be piped, so use ForEach-Object to feed Export-Csv
$mailboxes | ForEach-Object {Get-ADPermission $_.Identity.ToString() | Where { ($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")}; Start-Sleep -Milliseconds 500} | Export-Csv c:\temp\Send-As-BOLT.csv -noTypeInformation

Set "Full Access" to mailbox (Delegate access)

gam user testshared delegate to corey_davis

Set Post-As group All members (Send-As)

gam update group email_group@emerson.edu members_can_post_as_the_group true

Set Post-As group Managers and Owners

Set Send-As rights for a user to a user mailbox

gam user corey_davis add sendas email_group "email test group"

Set Send-As rights for a user to a user mailbox (Send on behalf of)

gam user corey_davis add sendas email_group "email test group" treatasalias true

Give user delegate access to other mailbox (testshared)

gam user testshared delegate to corey_davis

All emerson.edu domain the ability to email groups (default)

gam update group email_group@emerson.edu who_can_post_message all_in_domain_can_post

Groups with the exchange permission AcceptMessagesOnlyFromDLMembers set

gam update group email_group@emerson.edu who_can_post_message all_members_can_post

Groups with exchange permission AcceptMessagesOnlyFrom set

gam update group email_group@emerson.edu who_can_post_message all_managers_can_post

Groups that need the world to email it (i.e. helpdesk)

gam update group email_group@emerson.edu who_can_post_message anyone_can_post

Set Email forwards

gam user <username> add forwardingaddress <email address>

Enable Email Forwarding (mark incoming emails as read in inbox)

gam user <username> forward on <email address> markread

https://github.com/jay0lee/GAM/wiki/BulkOperations

Set "Full Access" to mailbox (Delegate access)

gam user michaele_whelan delegate to corey_davis

Delete "Full Access" to mailbox (Delegate Access)

gam user michaele_whelan delete delegate corey_davis

Grant delegate access to a list of mailboxes or add list of users to mailboxes

$list = Import-Csv "C:\Users\corey_davis\Box Sync\Documents\Projects\Gmail Email Migration\lists\FullAccess-Gmail.csv"
foreach ($entry in $list){ gam user $($entry.Alias) delegate to $($entry.user); echo $($entry.Email) updated }

Set Send-As rights for a user to a user mailbox or group

gam user corey_davis add sendas email_group "email test group"
gam user <user> add sendas <email address> "email address description"

Allow group members to send-as the group

gam group aa_stars sendas aa_stars "Academic Affairs Divisional Recognition Committee"

Add a list of users to be able to send as a mailbox in PowerShell

$list = Import-Csv Sendas-Gmail.csv
foreach ($entry in $list){ gam user $($entry.user) add sendas $($entry.mailbox); echo $entry.user updated }

Set Send-As rights for a user to a user mailbox (Send on behalf of)

gam user %Sendas add sendas %mailbox "%name" treatasalias true 
$sblist = Import-Csv SendOnBehalfOf-Gmail.csv
foreach ($entry in $sblist){ gam user $($entry.sendas) add sendas $($entry.mailbox) "$($entry.name)" treatasalias true; echo $entry.mailbox updated }

Find email by msgid for all users

gam.exe all users show messages query rfc822msgid:CAJF3RVsSf2+diuvivd2YWyNDJuO3eXTWjPMgCGvHvcVK0Y7u7Q@mail.gmail.com

=VLOOKUP(A2,'FullAccess-Aliases2.csv'!$B:$C,2,FALSE)

Linux commands

sudo chgrp -hR www-data /var/www
sudo chmod -R ug+rw /var/www

https://access.redhat.com/solutions/29095
Extend Root Partition

fdisk -l /dev/sda - show current listing
fdisk -l - check to see if the OS can see the newly added disks, if missing add necessary disk to VM
fdisk /dev/sda
n {new partition}
p {primary partition}
3 {partition number}

t {change partition id}
3 {partition id}
8e {Linux LVM partition}
w
partprobe - Probes and update partition tables
fdisk -l /dev/sda - Double check partitions
pvcreate /dev/sda3 - Create physical volume
vgdisplay - confirm volume groups
vgextend rhel /dev/sda3 - Extend volume group to new partition
vgdisplay - confirm partition is extended
lvextend /dev/rhel/root /dev/sda3 - Extend logical volume
xfs_growfs /dev/rhel/root - Extend root filesystem
df -h - Confirm new space is added and OS can see it

Add new Partition

fdisk -l - List disks and partitions, use this to find the added volume(s)
fdisk /dev/sdb (replace with new disk) (repeat for each disk)

  • n {new partition}

  • p {primary partition}

  • 1 {partition number}

  • t {change partition id}

  • 8e {Linux LVM partition id}

  • w

fdisk -l - Confirm partitions are added correctly
mkfs.xfs -L /u01 /dev/sdb1 - format partition
mkdir /(folder) /(added drive)- create mount points
mount /dev/sdb1 /u01 - mount partitions
df -h - confirm mountpoints and filesystems
nano /etc/fstab - add entry to fstab so that the mount can survive a reboot

Add Swap Space

swapoff -v -a (Disable ALL swap volumes)
swapoff -v /dev/mapper/rhel-swap (disable specific swap volume)
lvm lvresize /dev/mapper/rhel-swap -L +4M (Extend swap volume by 4MB - change to size needed)
mkswap /dev/mapper/rhel-swap (format newly added swap space)
swapon -v -a (Enable ALL swap volumes)
swapon -v /dev/mapper/rhel-swap (enable specific swap volume)

yum install system-storage-manager - install if you want to make this easier
ssm list - list disks, pools, and volumes

Grow XFS mount when the filesystem uses entire disk (no partitions)

check mounts
df -h
check partitions beforehand
fdisk -l
List scsi bus
ls /sys/class/scsi_device/
scan for changes on scsi bus, change the numbers to match the output of the command above
echo 1 > /sys/class/scsi_device/1:0:0:0/device/rescan
echo 1 > /sys/class/scsi_device/0:0:0:0/device/rescan
echo 1 > /sys/class/scsi_device/0:0:1:0/device/rescan
echo 1 > /sys/class/scsi_device/0:0:2:0/device/rescan
echo 1 > /sys/class/scsi_device/0:0:3:0/device/rescan
echo 1 > /sys/class/scsi_device/0:0:4:0/device/rescan
echo 1 > /sys/class/scsi_device/0:0:5:0/device/rescan
echo 1 > /sys/class/scsi_device/0:0:6:0/device/rescan
echo 1 > /sys/class/scsi_device/0:0:7:0/device/rescan
echo 1 > /sys/class/scsi_device/0:0:8:0/device/rescan
echo 1 > /sys/class/scsi_device/2:0:0:0/device/rescan
check fdisk to see if the scsi bus scan sees the expanded disk
fdisk -l
Grow xfs mount to use full disk
xfs_growfs /u01
Confirm filesystem has grown
df -h

Reset wordpress user password

UPDATE wp_users SET user_pass = MD5('new_password') WHERE wp_users.user_login = "username";

Powershell Ask for username and Password obfuscated

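$username = Read-Host "Type in your administrative account"
$password = Read-Host -AsSecureString "Please enter your password"
# Decrypt to plain text only when a tool cannot accept a SecureString, then zero and free the unmanaged copy
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$password = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)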

Batch File - Create timestamped filenames

@echo Creating Date:Time code
Rem Create FileName with datetime
:: this is Regional settings dependent so tweak this according your current settings
Echo %DATE% %Time%
for /f "tokens=1-8 delims=::./ " %%A in ('echo %DATE% %TIME%') do set FileDateTime=%%D%%C%%B-%%E%%F%%G
ECHO FileDateTime IS %FileDateTime%
@echo  %temp%\AutoBootBackup-%filedatetime%.bak
Echo This is a test file > %temp%\AutoBootBackupTemp-%FileDateTime%.bak
rem BCDEDIT /export %temp%\AutoBootBackup-%FileDateTime%.bak
dir %temp%\AutoBootBackup*

Scripting goals

additional proxyaddress attribute, add additional email addresses
Set-ADUser j.rhodes -Add @{ProxyAddresses="james.rhodes@mydomain.co.uk"} - Add new proxyaddress to a user

get-aduser -identity corey_davis -Properties proxyaddresses - show what is in proxy addresses

GYB Notes

WIKI: https://github.com/jay0lee/got-your-back/wiki
GYB (Got Your Back) lives on gadmin.emerson.edu. You RDP to this server. It is set up to use both elab.emerson.edu and emerson.edu service accounts

Directory: c:\gyb
Service account creds: c:\gyb\login creds
How to use service account: First you copy the "oauth2service.json" file from C:\GYB\LOGIN CREDS to C:\GYB, overwriting the current json file in the directory. Make sure you use the --service-account flag
Service Account Syntax: c:\gyb\gyb.exe --email <users email address> --service-account
If --service-account is omitted it will attempt to use the credentials of the user specified in --email. This will open up a browser authorization session.
How to restore emails: gyb --email youremail@gmail.com --action restore --local-folder "c:\my_gmail_backup" --label-restored "Old email"
You can append --service-account in order to restore the email to emerson.edu. Remember to copy the proper json file.

AD Recycle Bin: List deleted objects

Get-ADObject -SearchBase "CN=Deleted Objects,DC=emerson,DC=edu" -ldapFilter "(objectClass=*)" -includeDeletedObjects | Format-List Name,ObjectClass,ObjectGuid

Get list of AD accounts based on EmployeeID

Import-CSV "C:\temp\adUsers.csv" | ForEach-Object {
     $ID = $_.SPRIDEN_ID
     get-aduser -filter {employeeid -eq $ID} -Properties EmployeeID | select-object Name, sAMAccountName, UserPrincipalName, EmployeeID
 } | Export-csv c:\temp\userresults.csv

Enable Active Directory recycle bin

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=emerson,DC=edu' -Scope ForestOrConfigurationSet -Target 'emerson.edu'

Export List of Deleted AD Objects

Get-ADObject -SearchBase "CN=Deleted Objects,DC=emerson,DC=edu" -ldapFilter "(objectClass=*)" -includeDeletedObjects | Select-Object Name,ObjectClass,ObjectGuid | Export-csv c:\temp\deleted-objects.csv -NoTypeInformation

Bulk Delete AD Users

Import-CSV "C:\temp\2-21-18-student-deletions_FINAL.csv" | ForEach-Object {
	$user = get-aduser $_.GOBTPAC_EXTERNAL_USER
	# Remove-ADUser returns nothing to the pipeline, so log the account object separately
	$user | remove-aduser -confirm:$false
	$user | Export-Csv -NoTypeInformation -Append -Force C:\temp\Deleted-Users-7.23.2018.csv}

GYB - Bulk Backup users to folder

Import-CSV "C:\temp\Elab Migration - Migration List.csv" | ForEach-Object {
$email = $_.email
gyb --email $_.email --action backup --service-account --local-folder "e:\backups\email\ELAB$email" --spam-trash}

Query AD for XP Computers

Get-ADComputer -Filter {OperatingSystem -like "Windows XP Professional"} -Property * | Select Name,OperatingSystem,OperatingSystemVersion,LastLogonDate | Export-csv c:\temp\WinXPMachines.csv
Get-ADComputer -Filter {OperatingSystem -like "Windows 7*"} -Property * | Select  Name,OperatingSystem,OperatingSystemVersion,LastLogonDate | Export-csv c:\temp\Win7Machines.csv

How to reset user account for authentication issues in LastPass

  1. Logon to K2ADFS and stop the service ADSERVICE

  2. Delete user from lastpass admin console

  3. Delete lastPassID from the user in AD

  4. Restart Service "Microsoft Active Directory Federated Services" on K2ADFS

  5. Start service ADSERVICE on K2ADFS

  6. Wait for sync, once the user is back up on admin console they will get another email and then they can login

Get Ad group members and Employee ID

$group = "eCommon StudentNotIncoming"
get-adgroupmember $group -recursive | % {
get-aduser $_ -Properties Employeeid | select @{n="Group";e={$group}},Name,SurName,GivenName,Employeeid} | Export-csv "c:\temp\eCommon StudentNotIncoming.csv"

# Same export read from the group's members attribute (direct members only)
(get-adgroup $group -Properties members).members | % {
get-aduser $_ -Properties Employeeid | select @{n="Group";e={$group}},Name,SurName,GivenName,Employeeid} | Export-csv "c:\temp\eCommon StudentNotIncoming.csv"

Ask for user credentials

$username = Read-Host "Type in your emerson.edu account credentials"
$password = Read-Host -assecurestring "Please enter your password"
$credential = New-Object System.Management.Automation.PSCredential($username,$password)

Send email using powershell

$EmailFrom = "Ivanti System Alert Monitor"
$EmailTo = "corey_davis@emerson.edu"
$Subject = "Hard drive nearly full on TestServer"
$Body = "What do you want your email to say"
$SMTPServer = "relay.emerson.edu"
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 25);
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)

# If the relay requires TLS and authentication, set these before calling Send
$SMTPClient.EnableSsl = $true
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("usr", "pass");

Change FULL NAME attribute in powershell

get-aduser test_user -properties name | rename-adobject -newname "test1 user2"

Remove VIB from ESX Host

esxcli software vib list - find vibs
esxcli software vib remove --vibname=scsi-ethdrv

Enable Syslog on ESX Host

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
esxcli system syslog reload

Add Custom Firewall Entry for Splunk

ssh to host

esxcli network firewall ruleset list
vi /etc/vmware/firewall/alternatesyslog.xml

paste:

<!-- Firewall configuration information for Alternate Syslog-->
<ConfigRoot>
  <service>
    <id>AlternateSyslog</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>20514</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

save file

esxcli network firewall refresh
esxcli network firewall ruleset list


Add Custom Firewall entry for Splunk and survive a reboot


https://kb.vmware.com/s/article/2008226

chmod 644 /etc/vmware/firewall/service.xml
chmod +t /etc/vmware/firewall/service.xml
vi /etc/vmware/firewall/service.xml

paste: (change rule id to something that does not conflict with existing rules)

<!-- Firewall configuration information for Alternate Syslog-->
  <service id="0044">
    <id>AlternateSyslog</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>20514</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>

chmod 444 /etc/vmware/firewall/service.xml
chmod -t /etc/vmware/firewall/service.xml
esxcli network firewall refresh
esxcli network firewall ruleset list

Add modified service.xml to the bootbank
tar -cvzf vnasfw.tgz /etc/vmware/firewall/service.xml
BootModuleConfig.sh --add=vnasfw.tgz

If you need to remove it
BootModuleConfig.sh --remove=vnasfw.tgz

Join a Linux Server to Active Directory

Install supporting Software
yum -y install realmd sssd krb5-workstation krb5-libs samba-common-tools

Discover Emerson.edu domain
realm discover -v emerson.edu

Join Machine to the domain
realm join --verbose emerson.edu -U corey_da@emerson.edu

Deny all groups login access (This is for both console and ssh)
realm deny -a

Allow linux-login-sudo group login access
realm permit -g linux-admins@emerson.edu - add quotes around group name if there is a space in the name "Group Name"@emerson.edu

Allow linux-login-nosudo login access - These users can only login, they do not have sudo access
realm permit -g linux-login-nosudo@emerson.edu

Add linux-login-sudo group to Sudoers
visudo
Add these lines under wheel group - Line 121 - (## Allows people in group wheel to run all commands)
# Allow users in the linux-login-sudo group to run all commands
%EMERSON.EDU\linux-login-sudo ALL=(ALL) ALL
%EMERSON.EDU\linux-admins ALL=(ALL) ALL

Allow Kerberos Authentication for ssh
sudo nano /etc/ssh/sshd_config
Change PasswordAuthentication no to PasswordAuthentication yes.

Log off ssh session as root and test as your DA account
ssh EMERSON\corey_da@linuxpatchtest1
*depending on the shell you may need to escape the \, do that by putting 2 \ so it looks like this
ssh EMERSON\\corey_da@linuxpatchtest1

Add your normal user account to linux-login-nosudo group and test login and that you have no duo access
ssh EMERSON\corey_davis@linuxpatchtest1

SentinelOne Site Token

eyJ1cmwiOiAiaHR0cHM6Ly91c2VhMS0wMTEuc2VudGluZWxvbmUubmV0IiwgInNpdGVfa2V5IjogIjM1NjIyNDBiZjAxODAwMWYifQ==

Flush DNS Cache on powerdns

You SSH to lb-dns.emerson.edu
And you run "rec_control wipe-cache bannertestdb.erp.emerson.edu"
or whatever the server name

Certificate operations

extract cert from pkcs12

convert pfx to pem (private key only, because of -nocerts) - openssl pkcs12 -in ws1-dss-certreqkey.pfx -nocerts -out ws1-dss-key.pem

extract private key (written to ws1-dss.key without a passphrase) - openssl rsa -in ws1-dss-key.pem -out ws1-dss.key

Convert the p7b certificates to pem so the private key can be added to the cert - openssl pkcs7 -in ws1-dss_emerson_edu.p7b -inform DER -out ws1-dss.pem -print_certs

Convert P7b to pfx (combines the key and the pem certificates) - openssl pkcs12 -export -inkey ws1-dss.key -in ws1-dss.pem -name ws1-dss.emerson.edu -out ws1-dss.emerson.edu.pfx

Upgrade SentinelOne with old sentinelagent installed

#Stop SentinelOne services
systemctl stop sentineld
systemctl daemon-reload
#Uninstall old sentinelone agent
rpm -ev --noscripts sentinelagent
#Install New sentinelone
rpm -i --nodigest SentinelAgent_linux_v21_7_4_22.rpm
#Set Management Token
/opt/sentinelone/bin/sentinelctl management token set eyJ1cmwiOiAiaHR0cHM6Ly91c2VhMS0wMTEuc2VudGluZWxvbmUubmV0IiwgInNpdGVfa2V5IjogIjM1NjIyNDBiZjAxODAwMWYifQ==
#start sentinelone service
/opt/sentinelone/bin/sentinelctl control start
#retrieve UUID, confirm with management console
/opt/sentinelone/bin/sentinelctl management uuid get

How to fix root password in mysql

How to re-take control of the root user in MySQL.

DANGER: RISKY OPERATION

Start session ssh (using root if possible).
Edit my.cnf file using.

sudo vi /etc/my.cnf
Add line to mysqld block.

skip-grant-tables
Save and exit.

Restart MySQL service.

service mysql restart
Check service status.

service mysql status
Connect to mysql.

mysql
Using main database.

use mysql;
Redefine user root password.

UPDATE user SET authentication_string = PASSWORD('myNewPassword') WHERE User = 'root';
or
UPDATE mysql.user SET Password=PASSWORD('myNewPassword') WHERE User='root';
Edit file my.cnf.

sudo vi /etc/my.cnf
Erase line.

skip-grant-tables
Save and exit.

Restart MySQL service.

service mysqld restart
Check service status.

service mysql status
Connect to database.

mysql -u root -p
Type new password when prompted.

This action is very dangerous, it allows anyone to connect to all databases with no restriction without a user and password. It must be used carefully and must be reverted quickly to avoid risks.

Sendmail config to have email send thru Relay

nano /etc/mail/sendmail.mc

add
define(`RELAY_MAILER_ARGS', `TCP $h 25')
define(`SMART_HOST', `[relay.emerson.edu]')

Postfix config to have email send thru relay

postconf -e 'relayhost=[relay.emerson.edu]'

Jason's file permissions in linux-admins@emerson

Add Jason's group the ability to log into the server
sudo realm permit -g "Web Service Administrators"

Check folder and file permissions
ls -ls /var/www/html
ls -ls /var/www/html/wordpress/

Check for local user assigned to local groups
id jason_beals

Apply local group memberships to AD user
sudo usermod -a -G apache jason_beals@emerson.edu
sudo usermod -a -G jason_beals jason_beals@emerson.edu
sudo usermod -a -G www-maint jason_beals@emerson.edu

Check AD user group match local account
id jason_beals@emerson.edu

Add license administrators to ABBYY Fine Reader

Notes for ITG:
To manage ABBYY License Administrators, use the group admin tool to add or remove them from the ABBYY License Administrators group.
Group admin tool: https://pages.emerson.edu/MyAccount/groupmanagement/
Adding things to this group also adds them to the local group "ABBYY Licensing Administrators" on the RDSH6 server and it will allow the user to see the Application called ABBYY FineReader PDF 15, ABBYY FineReader 14, and ABBYY FineReader License Manager.

Notes for Infrastructure:

ABBYY Fine Reader 14 and 15
ABBYY License Administrators are managed using the group "ABBYY License Administrators"
In AD you must add them to the "ABBYY License Administrators" group,
Adding things to this group also adds them to the local group "ABBYY Licensing Administrators" on the RDSH6 server and it will allow the user to see the Application called ABBYY FineReader PDF 15, ABBYY FineReader 14, and ABBYY FineReader License Manager.

On the RDS Server RDSH6, you must add them to the local group called

SQL Query for connections

SELECT
DB_NAME(dbid) as DBName,
COUNT(dbid) as NumberOfConnections,
loginame as LoginName
FROM
sys.sysprocesses
WHERE
dbid > 0
GROUP BY
dbid, loginame
;

Check if LDAP is working (secure and non-secure)

LDAPTLS_REQCERT=never ldapsearch -D corey_davis@emerson.edu -W -b dc=emerson,dc=edu -H ldaps://yakko.emerson.edu samaccountname=corey_davis proxyAddresses -V

Check to see what certificate is presented by a server

openssl s_client -showcerts -verify 5 -connect yakko.emerson.edu:636

Grab certificates and generate certificate files

openssl s_client -showcerts -verify 5 -connect yakko.emerson.edu:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}'

Generate Public Cert for Domain Controllers in Linux

nano servername.cnf - Certificate SAN config file
Add this to the servername.cnf file, change server names as needed
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = pesto.emerson.edu
DNS.2 = emerson.edu

close and save file

Generate Key
openssl genrsa -out domain_controllers.key 4096

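Generate certificate request (uses the key generated above and the servername.cnf config file; -newkey/-keyout would overwrite that key with a new 2048-bit one)
openssl req -new -out domain_controllers.csr -key domain_controllers.key -config servername.cnf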

Confirm private key and certificate request and certificate are the correct set
openssl req -noout -modulus -in ivanti.emerson.edu.csr | openssl md5
openssl rsa -noout -modulus -in ivanti.emerson.edu.key | openssl md5
openssl x509 -noout -modulus -in ivanti01_emerson_edu_cert.cer | openssl md5

Combine certificate and key into a pfx certificate
openssl pkcs12 -export -out ivanti01_emerson_edu_cert.pfx -inkey ivanti.emerson.edu.key -in ivanti01_emerson_edu_cert.cer

Send email using smtp commands

EHLO
MAIL FROM "

How to manage the spf record for emerson.edu

Emerson.edu uses a non-standard spf record because we use an excessive amount of email services. We use a combination of a fake spf (fakespf.emerson.edu) that holds the text records of the authorized email services and a semi-flattened spf record that is used as our real spf record.

The official spf record is tracked in an excel spreadsheet

https://emerson.box.com/s/6225cr3j9mq5jb3sswidjuecsb0dqtbp

To add a record to our spf.

  1. log into micetro and go into DNS > Emerson.edu

  2. search for “fakespf”

  3. Open the excel document “Emerson’s SPF Record List.xlsx” - Link is above

  4. Click on the “List of Approved Senders” tab

  5. add the name of the service and the spf record entry to the last line, remove if it's needed

  6. Click on the “Master - fakespf record”

  7. add the include, ip4 or ip6 statement to the end of the record, before the “-all”

  8. Copy the contents of “Master - fakespf record” to “Old Master - fakespf record”

  9. In micetro, go into DNS > Emerson.edu

  10. Search for spf and then copy the records to the “Old Official SPF record” tab in the excel spreadsheet

    1. Please use notepad to help remove micetro formatting before adding it to the spreadsheet

  11. Go to the “Official SPF record” tab and copy its contents to the “Old Official SPF record” tab

  12. open a web browser and go to www.dmarcian.com and click on “Resources”, then “SPF Surveyor”

    1. https://dmarcian.com/spf-survey/?domain=fakespf.emerson.edu - will get you there faster

  13. Enter “fakespf.emerson.edu” into the search field and click “survey domain”

  14. you will see an error that says “THERE IS SOMETHING WRONG WITH YOUR DOMAIN” you can ignore it, what we need is below that.

  15. Scroll down the listing of spf and ips till you see the section called “Record Flattening”

  16. Copy the contents from fakespf.emerson.edu to spf#.fakespf.emerson.edu, and paste into the spreadsheet listed above, in the Official SPF Record,

    1. You MUST keep the include statement part of the 1st spf record for emerson.edu. Just add that to the end of the spf record

      exists:%{i}._spf.mta.salesforce.com include:spf1.emerson.edu -all
  17. Remember to replace “spf3.fakespf.emerson.edu” with spf#.emerson.edu

  18. Once it looks good and is formatted properly, In micetro you can now edit the official SPF record with the content of the “Official SPF record” tab

  19. Make sure to put in ITCM and reference the spreadsheet

  20. Then use DMARCIAN to double-check the SPF records for errors.
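
An offline pre-check for steps 16 to 20, added here as an example (not part of the original notes or of any Emerson tooling): it counts the DNS-lookup terms an SPF record costs, following includes, and reports a record that exceeds the 10-lookup limit of RFC 7208 or does not end in -all. The record contents in ZONE are constructed sample data; the address ranges are documentation prefixes and the _spf.vendorN.example includes are placeholders.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, 4.6.4).
# ip4, ip6 and all are free, which is why flattening to addresses helps.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:[:=/](.*))?$", re.IGNORECASE)

# Constructed sample data. Names follow the scheme in the steps above;
# every value is a placeholder, not a real published record.
ZONE = {
    "emerson.edu": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                   "exists:%{i}._spf.mta.salesforce.com "
                   "include:spf1.emerson.edu -all",
    "spf1.emerson.edu": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
                        "include:spf2.emerson.edu -all",
    "spf2.emerson.edu": "v=spf1 ip4:203.0.113.128/25 -all",
    "fakespf.emerson.edu": "v=spf1 " + " ".join(
        f"include:_spf.vendor{n}.example" for n in range(1, 13)) + " -all",
}


def walk(domain, zone, path=()):
    """Return (lookups, unresolved, problems) for a record and its includes."""
    if domain in path:
        return 0, [], [f"include loop: {' -> '.join(path + (domain,))}"]
    record = zone.get(domain)
    if record is None:
        # Target is outside the supplied data: its nested cost is unknown.
        return 0, [domain], []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, [], [f"{domain}: record does not start with v=spf1"]
    lookups, unresolved, problems = 0, [], []
    for term in terms[1:]:
        match = TERM.match(term)
        if match is None:
            problems.append(f"{domain}: cannot parse term {term!r}")
            continue
        name, arg = match.group(2).lower(), match.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1
        # Follow include/redirect targets; macro targets cannot be resolved offline.
        if name in ("include", "redirect") and arg and "%" not in arg:
            sub = walk(arg.lower(), zone, path + (domain,))
            lookups += sub[0]
            unresolved += sub[1]
            problems += sub[2]
    return lookups, unresolved, problems


def check(domain, zone=ZONE):
    """Audit one published name: lookup budget and the closing -all."""
    lookups, unresolved, problems = walk(domain, zone)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} DNS lookups, limit is {MAX_LOOKUPS}")
    terms = zone.get(domain, "").split()
    if not terms or terms[-1].lower() != "-all":
        problems.append(f"{domain}: record does not end in -all")
    return {"lookups": lookups, "unresolved": unresolved, "problems": problems}


if __name__ == "__main__":
    for name in ("fakespf.emerson.edu", "emerson.edu"):
        print(name, check(name))
```

Paste the text of the “Official SPF record” tab into ZONE before editing the record in micetro; names listed under "unresolved" are includes whose own nested lookups still have to be counted.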

Microsoft Professional Support

https://support.microsoft.com/oas - Services Hub

You've gotta go through https://support.microsoft.com/oas and select Windows Server and AD.

Login to it with a personal account instead of a business account. Otherwise, the site will tell you that it's not available.

Archives Space

(daylight savings time issue)

If you get a 503 error to the URL https://archspace-prod.emerson.edu/

and in the error log you see the error “Java::JavaSql::SQLException: HOUR_OF_DAY: 2 -> 3”

That means that the indexer is using a time that doesn't exist due to the time change,

Log into Mysql and run this query:

use archivesspace;

UPDATE user set user_mtime = NOW(), system_mtime=NOW() where username='search_indexer';

Then restart the service

systemctl restart archivesspace
