One of my clients had the problem of users being excessively prompted to update Firefox

A new version of Firefox is available:
It is strongly recommended that you upgrade Firefox as soon as possible

It then shows the "Download and Install Now" button but eventually fails when a normal users runs it because they are not local admins. This prompt repeats over and over until IT gets a phone call about how they hate Firefox and are going to go back to using IE.

It's actually as simple as you may think. If you change "C:\Program Files\Mozilla Firefox" to allow "YOURDOMAIN\Domain Users" write access, a normal user can update Firefox.

You can go around to each workstation but where is the fun in that? The builtin program "cacls" with the help of PSExec will let you update all of the computers on a site. This idea was put together by my friend with a little tweaking on my part. Basically you just create a list of computers, and then run the command remotely on each one.

Create a List of Computers

You can do this however you'd like but for me I like to export a list of computers them from ADUC. This will only help if your computers are in the same folder or OU. You could always just write down the names of the computers but that's boring.

1. Open Active Directory Users and Computers
2. From the menu bar choose View > Add / Remove Columns
3. Remove all columns that are not Name [Type, Description] and click OK
4. Open the folder or OU that contains the computers you would like to update
5. Right-click on the folder or OU and choose "Export List..."
6. Save the file as "computer_list.txt" somewhere logical to you

Create the Script

Here is the entire command all together. Hopefully it's obvious to change the YOURDOMAIN\ADMIN_ACCOUNT to an account that is a member of the Domain Admins group and change YOURDOMAIN\Domain Users to whatever your domain is.

psexec @computer_list.txt -u YOURDOMAIN\ADMIN_ACCOUNT cacls “%SYSTEMDRIVE%\Program Files\Mozilla Firefox” /E /G “YOURDOMAIN\Domain Users”:W

You will want to put this into a batch file because you'll have to run it again or on a regular basis if some of your computers are turned off or not on the network when you're running the script.

External Links

http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html/trackback - link to my friend's website who actually did the testing and put everything together

I just learned today that you cannot force the user of SSL on any part of an Exchange enabled website in IIS. You can still use SSL but apparently turning on the "Require Secure Channel(SSL)" option makes OMA not work. Here was the error I was getting:

If you have recently changed your password, the system may not yet have completed the change. Please wait a short time and try again. If this is not the case, your Exchange server mailbox has not been created. Please access your account via Microsoft Outlook or Microsoft Outlook Web Access to create your user mailbox. Please contact your system administrator for additional assistance.

I have to admit I've only set up the OMA site a half dozen times so there may be something out there that explains this issue better than I but I've found a bunch of websites that support this claim. One site makes a reference to a KB article that no longer exists.

The Steps

1. Open the IIS Management Console on the back-end Exchange 2003 server.
2. Right click the Exchweb virtual directory under the default Web site, and then click Properties.
3. Click the Directory Security tab.
4. Click Edit in the Secure Communications area.
5. Click to clear the "Require secure channel (SSL)" check box, and then click OK for all windows.

But I To Force SSL

The problem remains "What if you actually want to force SSL?" I had a hard enough time trying to have 50 users understand what the "S" in HTTPS meant. What I did was create a second site that was Exchange enabled. This site I forced SSL while the first site I left it optional. I sent an update to the end users explaining that there was a new mail website "https://www.website.com/mail" and made a few minor modifications [adding company logo] so that they could tell the difference in the hopes that they would think that new = upgrade. This way, if they used http instead of https, I could redirect them automatically.

External Links

http://www.petri.co.il/forums/showthread.php?t=10208 - Daniel Petri's website forum http://www.webservertalk.com/archive128-2004-3-166297.html - Forum article that makes a reference to the problem.

I found this script from the site www.rlmueller.net which has a ton of other handy scripts that are free anyone to hack as long as you don't blame him for screwing something up.

This script searches through each domain controller of whichever domain your computer is a member of and outputs the "lastlogon" attribute of the account. Very useful in finding old accounts that are unused. Just be careful because some service accounts that you may have created on the domain will not show a lastlogon event at all

' LastLogonTimeStamp.vbs ' VBScript program to determine when each user in the domain last logged ' on. Domain must be at Windows Server 2003 Functional Level. ' ' ---------------------------------------------------------------------- ' Copyright (c) 2007 Richard L. Mueller ' Hilltop Lab web site - http://www.rlmueller.net ' Version 1.0 - March 24, 2007 ' Version 1.1 - July 6, 2007 - Modify how IADsLargeInteger interface ' is invoked. ' ' The lastLogonTimeStamp attribute is Integer8, a 64-bit number ' representing the date as the number of 100 nanosecond intervals since ' 12:00 am January 1, 1601. This value is converted to a date. The last ' logon date is in UTC (Coordinated Univeral Time). It must be adjusted ' by the Time Zone bias in the machine registry to convert to local ' time. ' ' You have a royalty-free right to use, modify, reproduce, and ' distribute this script file in any way you find useful, provided that ' you agree that the copyright owner above has no warranty, obligations, ' or liability for such use. Option Explicit Dim objRootDSE, adoConnection, adoCommand, strQuery Dim adoRecordset, strDNSDomain, objShell, lngBiasKey Dim lngBias, k, strDN, dtmDate, objDate Dim strBase, strFilter, strAttributes, lngHigh, lngLow ' Obtain local Time Zone bias from machine registry. Set objShell = CreateObject("Wscript.Shell") lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _ & "TimeZoneInformation\ActiveTimeBias") If (UCase(TypeName(lngBiasKey)) = "LONG") Then lngBias = lngBiasKey ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then lngBias = 0 For k = 0 To UBound(lngBiasKey) lngBias = lngBias + (lngBiasKey(k) * 256^k) Next End If Set objShell = Nothing ' Determine DNS domain from RootDSE object. Set objRootDSE = GetObject("LDAP://RootDSE") strDNSDomain = objRootDSE.Get("defaultNamingContext") Set objRootDSE = Nothing ' Use ADO to search Active Directory. Set adoCommand = CreateObject("ADODB.Command") Set adoConnection = CreateObject("ADODB.Connection") adoConnection.Provider = "ADsDSOObject" adoConnection.Open "Active Directory Provider" adoCommand.ActiveConnection = adoConnection ' Search entire domain. strBase = "<LDAP://" & strDNSDomain & ">" ' Filter on all user objects. strFilter = "(&(objectCategory=person)(objectClass=user))" ' Comma delimited list of attribute values to retrieve. strAttributes = "distinguishedName,lastLogonTimeStamp" ' Construct the LDAP syntax query. strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree" ' Run the query. adoCommand.CommandText = strQuery adoCommand.Properties("Page Size") = 100 adoCommand.Properties("Timeout") = 60 adoCommand.Properties("Cache Results") = False Set adoRecordset = adoCommand.Execute ' Enumerate resulting recordset. Do Until adoRecordset.EOF ' Retrieve attribute values for the user. strDN = adoRecordset.Fields("distinguishedName").Value ' Convert Integer8 value to date/time in current time zone. On Error Resume Next Set objDate = adoRecordset.Fields("lastLogonTimeStamp").Value If (Err.Number <> 0) Then On Error GoTo 0 dtmDate = #1/1/1601# Else On Error GoTo 0 lngHigh = objDate.HighPart lngLow = objDate.LowPart If (lngLow < 0) Then lngHigh = lngHigh + 1 End If If (lngHigh = 0) And (lngLow = 0 ) Then dtmDate = #1/1/1601# Else dtmDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _ + lngLow)/600000000 - lngBias)/1440 End If End If ' Display values for the user. If (dtmDate = #1/1/1601#) Then Wscript.Echo strDN & ";Never" Else Wscript.Echo strDN & ";" & dtmDate End If adoRecordset.MoveNext Loop ' Clean up. adoRecordset.Close adoConnection.Close Set adoConnection = Nothing Set adoCommand = Nothing Set adoRecordset = Nothing Set objDate = Nothing

Save this text as a .vbs file and run it something like this:
cscript LastLogon.vbs > LogonTimes.txt

External Link:
http://www.rlmueller.net/Last Logon.htm - the site which I found this script and where you should go if you like it.