Reading, modifying and deleting attributes of Active Directory Objects with PowerShell

March 31, 2009 09:23 by hiho

I just thought I'd do a quick one on PowerShell, and how it can be used to modify Active Directory attributes, especially regarding multi-valued ones. In this example, I'm using the [ADSI] accelerator for direct access to AD. I'm also utilizing the .putex method, for more granular control. For more information on .putex, please see http://support.microsoft.com/kb/260251.

And there you go....

------------------------------------------------------------------------------

#Scripting example of using PS and [ADSI] accelerator to modify AD attributes
#This example reads, modifies and deletes all the values in the "proxyaddresses"-attribute of a user object.
#
#USE THIS CODE AT YOUR OWN RISK. DO PROPER LAB TESTS. NO WARRANTIES IMPLIED. LEGAL BLAH.
#(c) 2009, Georg Hinterhofer

#Clear Screen
cls

#Array to hold the current values of the multi-valued attribute
[array] $proxy = @()

#Set LDAP path
$LDAPPath = "LDAP://CN=test,CN=Users,DC=forest1,DC=local"
$ADUser = [ADSI]"$LDAPPath"

#Read multi-valued property
$proxy = $ADUser.proxyAddresses

#Clear all values of a multi-valued property (control code 1 = ADS_PROPERTY_CLEAR)
$ADUser.putex(1,"proxyAddresses",$null)
$ADUser.setinfo()

#Set a multi-valued property, replacing any existing values (2 = ADS_PROPERTY_UPDATE)
[Array] $newProxy = "SMTP:test@microsoft.at","smtp:test2@test.at"
$ADUser.putex(2,"proxyAddresses",$newProxy)
$ADUser.setinfo()

#Add a value to a multi-valued property (3 = ADS_PROPERTY_APPEND)
[array] $smtpToAdd = "smtp:test3@test.at"
$ADUser.putex(3,"proxyAddresses",$smtpToAdd)
$ADUser.setinfo()

#Remove a value from a multi-valued property (4 = ADS_PROPERTY_DELETE)
[array] $smtpToRemove = "smtp:test2@test.at"
$ADUser.putex(4,"proxyAddresses",$smtpToRemove)
$ADUser.setinfo()

------------------------------------------------------------------------------

So enjoy this one,

Regards,

Georg
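
A pre-write check and backup around the PutEx update call, added here as an example (it is not part of the original post). The function names Test-ProxyAddressSet and Set-ProxyAddresses and the backup file parameter are hypothetical, and the check assumes the Exchange convention that the upper-case SMTP: prefix marks the single primary address.

```powershell
# Added example, not from the original post. Function names are hypothetical.
$ADS_PROPERTY_UPDATE = 2   # PutEx control code: replace the whole value set

function Test-ProxyAddressSet {
    param([string[]] $Addresses)
    $problems = @()
    # Assumed convention: exactly one primary, marked by upper-case "SMTP:"
    $primary = @($Addresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems += "expected exactly 1 primary SMTP: address, found $($primary.Count)"
    }
    # Every value needs a type prefix followed by a non-empty address
    foreach ($a in $Addresses) {
        if ($a -notmatch '^[A-Za-z0-9]+:.+$') { $problems += "malformed value: '$a'" }
    }
    # Values that differ only in case count as duplicates
    $dupes = $Addresses | Group-Object { $_.ToLowerInvariant() } | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupes) { $problems += "duplicate value: '$($d.Name)'" }
    return ,$problems
}

function Set-ProxyAddresses {
    param([string] $LdapPath, [string[]] $NewValues, [string] $BackupFile)
    $problems = Test-ProxyAddressSet $NewValues
    if ($problems.Count -gt 0) { throw ($problems -join '; ') }

    $user = [ADSI]$LdapPath
    # Save the old values first: the update below overwrites all of them
    Set-Content -Path $BackupFile -Value @($user.proxyAddresses)
    $user.PutEx($ADS_PROPERTY_UPDATE, 'proxyAddresses', [object[]] $NewValues)
    $user.SetInfo()
    # Re-read from the directory and compare with what was requested
    $user.psbase.RefreshCache()
    $diff = Compare-Object @($user.proxyAddresses) $NewValues -CaseSensitive
    return ($null -eq $diff)
}

# Constructed sample (runs without AD): two primaries, one case-only duplicate
$sample = 'SMTP:test@forest1.local', 'SMTP:other@forest1.local', 'smtp:Other@forest1.local'
Test-ProxyAddressSet $sample
```

Set-ProxyAddresses needs a reachable domain and write access to the object; the validation function on its own runs anywhere.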



Exchange 2003 and the PDC Emulator

September 15, 2008 15:05 by hiho

 "In what way do Exchange and the PDC Emulator relate?" Well, before starting this topic you should know what the PDC Emulator is.

The PDC Emulator is one of the 5 Active Directory FSMO roles (in full, "Flexible Single Master Operation Roles"). The others are Schema Master, Domain Naming Master, Infrastructure Master and the RID Master.

What are the duties of the PDC Emulator:

  • The PDC Emulator emulates a Windows NT 4.0 Primary Domain Controller, so that NT 4 Backup Domain Controllers can successfully replicate directory information (of course, in a pure Win2k/2k3 environment, this feature becomes obsolete).

  • When a User changes his/her password on another DC, the password change is preferentially replicated to the PDC Emulator before any other DC.

  • Furthermore, if a user tries to log on to a DC and the DC didn't receive the password change it will forward the logon request to the PDC Emulator (as mentioned before, the PDC Emulator gets preferential treatment on password changes).

  • Account lockouts are processed by the PDC Emulator.

  • When modifying or creating GPOs, this is always done on the SYSVOL share of the PDC Emulator.

  • The PDC Emulator is the authoritative source of time in the domain - all other servers and clients will try to obtain time information from the PDC Emulator (for that reason, the PDC Emulator should always be configured with an accurate external time source).

So the PDC Emulator is a pretty important role within a domain. But what's up with Exchange?



Passed MS Certs 70-647,70-649 and 70-620

August 29, 2008 12:11 by hiho

Well, I usually don't like bragging, but here goes... I've successfully completed the above mentioned exams (each > 950 points). As I also own the MCSA/MCSE Credentials for 2000/2003, I am proud to announce that I have completed all necessary exams to be recognized as a

Microsoft Certified IT-Professional: Enterprise Administrator

As of now, I hold the following Microsoft Credentials: MCP, MCSA 2000/2003, MCSA+M, MCSE 2000/2003, MC:TS, MCITP:EA

I would like to thank everyone who made this possible, especially my employer, iT-Austria.

If you would like to learn more about Microsoft Certifications, I suggest you visit Microsoft Certification Overview.



Exchange 2000/2003: Changed Mailbox Limits are not enforced in an acceptable amount of time.

August 22, 2008 14:43 by hiho

I'm pretty sure you saw it before: User xy calls, his mailbox is over his size limit, but he must send or receive this one important piece of mail just now. You head to Active Directory, change the mailbox size limits. The user tries again, still not working.

You take a look into Exchange System Manager, and see that the new values have not been read by Exchange.

So what happens here?

Exchange 2000/2003 uses cached mailbox configuration data to determine the enforced mailbox size limits. By default, the cache has a TTL of 2 hours, meaning it can take as much as two hours for your changed size limits to be enforced.



Ops Mgr 2007 SP1: Alerts - "Performance Module could not find a performance counter" resolution

August 14, 2008 07:54 by hiho

You are using System Center Operations Manager 2007? You installed SP1? Great, it's a nice piece of software.

However, one thing you might have noticed is that SCOM SP1 is generating a large amount of alerts on "Performance Module could not find a performance counter". A quick search on the net takes you to the Ops Mgr Product Team Blog, where you are advised to disable the alerting rule.

This is working just fine, but as with any workaround, it should be fixed - Microsoft released KB951979 for SP1, in which this and a few other errors are fixed for good (see list below).

Unfortunately, the original article on the Ops Mgr Product Team Blog was not updated to reflect this change.

Errors fixed in this package: More...



Exchange 2003/Windows 2003 SMTP tar pitting

August 13, 2008 15:30 by hiho

So you ask: What is tar pitting?

IMHO, tar pitting is a very suitable way to stop misuse of your Windows 2003 / Exchange 2003 SMTP Virtual Server by delaying SMTP responses for 5.x.x errors. This efficiently stops DoS and harvesting attacks on your SMTP servers.

For example: Hacker A continuously sends mail to your server, named yourserver.mail.net, the simple purpose being to gather valid e-mail addresses from your domains. This brute-force attack is called a "Directory Harvest Attack".

Have a look at this telnet-screenshot, where a simple SMTP-communication is depicted: 



Normally, this kind of communication would just take a few milliseconds of time on your SMTP server. With tar pitting enabled, SMTP Virtual Server will freeze the connection for a configurable amount of time before returning "550 5.7.1 Unable to relay".



Exchange 2003 OWA and Attachment Blocking

August 11, 2008 15:53 by hiho

Tired of Outlook Web Access blocking that attachment you would need most urgently, just because it has some weird extension?? Fear not, for this behaviour is customizable.

Fire up regedit on your OWA Server, and head for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA

It should look pretty much like the screenshot here: 



Sending invitations from Lotus Notes to Exchange 2003 generates an .ics-file instead of an Outlook-Appointment

August 7, 2008 15:23 by hiho

Imagine the following scenario: A user using the Lotus Notes client sends a mail to a user who is using Outlook/MS Exchange 2003. Furthermore, this mail is routed via SMTP and not over a Notes Connector. In this scenario, the received mail has an attached .ics file instead of being displayed as a regular Outlook appointment (see screenshot below).

