Sophos AV : The user is not assigned to any sub-estates

I came across this today on a fresh install of Sophos 4.7 on Windows Server 2008 R2. I confirmed:

User was a member (indirectly) of the SophosAdministrator group in AD DS, and a member (indirectly) of the the local security group “Sophos Full Administrators.” Note indirect. The issue here was caused by nested group membership; the user was a member of a role-based group which was in turn member of a service type group which was used to delegate permissions in Sophos.

There is a known issue where launching the Sophos Enterprise Console as a user who inherits membership of the Sophos Full Administrators group via nested groups fails.  Ensure the launching user is a direct member of the group.

More information available here: http://www.sophos.com/support/knowledgebase/article/67106.html

XCOPY : Copy Folders and Files with Permissions

Use the following command to copy a folder/subfiles to a new destination maintaining all of the attributes, owevership and ACL’s:

xcopy c:\olddocs c:\newdocs /O /X /E /H /K

Active Directory : Shadow Groups

If you’ve ever wanted to base user group membership on a container within Active Directory, i.e. Organisation Unit’s, you’ll know this is not possible. Using a simple script you can create ‘Shadow Groups’ and even automate the update of their membership to reflect changes in the Active Directory structure.

First create a new group, in this case ‘UK Computer Objects‘.

Next execute the following commands, changing the OU containging the security group as highlighted in green, and the seach scope for the objects you wish to add to the group in question as highlighted in red. The -chmbr option clears the membership of the group and re-writes it, therefore be careful if there are any existing members!

dsquery computer -limit 0 “OU=Sites,OU=UK,DC=domain,DC=local” | dsmod group “CN=UK Computer Objects,OU=Shadow Groups,DC=domain,DC=local” -chrmbr

If you need to add additional objects to the group without wiping it membership use the -addmbr option:

dsquery computer -limit 0 “OU=Administrators,OU=UK,DC=domain,DC=local” | dsmod group “CN=UK Computer Objects,OU=Shadow Groups,DC=domain,DC=local” -addmbr

This script can be sceduled to run froma  server on a daily or weekly basis, ensure it is executed as a user with sufficient AD DS permissions to write membership to the group object.

Oracle 10.2.0.5 64-bit Client Install on Windows 7 / 2008 R2

In order to install the Oracle 10.2.0.5 64-bit client on Windows 2008 R2 (or Windows 2008 64-bit) you’ll need to execute setup using the following arguments:

setup.exe -ignoreSysprereqs -ignorePrereq

Note; This is CASE SENSITIVE

Thanks to ORACLE Note 1061272.1/aleys.net for this tip 😉

BO XI : Internet Explorer Issues

I came across an interesting issue with a BO XI deployment today, essentially users were unable to use Internet Explorer to connect to the Web Application; when trying to open the logon page they receieved an IE error stating that ‘Internet Explorer cannot display the page’. Further investigation showed that Firefox and other browsers worked.

The environment was BO XI running on Windows Serevr 2008 R2 (therefore IIS7/Tomcat)

This led me to look at Windows Authentication as IE would use NTLM whereas the other browsers would not.

After a dig around on the SAP support portal I cam across SAP 1292826 – Error: Internet Explorer cannot display the page. Essentially the solution was to modify the server.xml file located under \Program Files (x86)\Business Objects\Tomcat55\conf

1. Search for ‘maxHttpHeaderSize‘ – this will likely be set to 8192.
2. Change this to equal 32768 then restart the Apache Tomcat Service.

HP Dataprotector 6.0: Backup SQL Server 2008

In order to backup SQL 2008 using DP 6.0 you must use the DataProtector 6.11 Agent (as well as installing the SQl 2005 Backwards Compatibility Pack), if you do not use the 6.11 agent you will receive the following error on the Cell Manager Session logs:

[Critical] From: @demhpdb01.domain.local “”  Time: 08/06/2011 13:47:13
    Virtual Device Interface reported error:
The object was not open.

    See also Data Protector debug.log and SQL Server error log for details.

[Normal] From: [email protected] “MHP”  Time: 08/06/2011 13:47:14

Completed OB2BAR Backup: demhpdb01.domain.local:/MHP/model/0 “MSSQL”

[Major] From: [email protected] “MHP”  Time: 08/06/2011 13:47:14

[Normal] From: [email protected] “MHP”  Time: 08/06/2011 13:47:41

[Critical] From: @demhpdb01.domain.local “”  Time: 08/06/2011 13:47:42
    Virtual Device Interface reported error:
The object was not open.

    See also Data Protector debug.log and SQL Server error log for details.

From: @ “”  Time:

From: @ “”  Time:

[Major] From: [email protected] “CDC-WIN-DEMHPDB01-SQL 2”  Time: 08/06/2011 13:46:49

Bad catalog access – FormatMessage() failed with 1813Bad catalog access – FormatMessage() failed with 1813Bad catalog access – FormatMessage() failed with 1813

The Application Event Log on the client will also log:

SQLVDI: Loc=IdentifySQLServer. Desc=MSSQLSERVER. ErrorCode=(1060)The specified service does not exist as an installed service.
. Process=3208. Thread=3912. Client. Instance=. VD=.

cClass Blades: Windows 2008 R2 Boot for SAN

In order to facilitate a boot fom SAN installation of Windows 2008 R2 the following process must be adhered to:

1. Configure only a single path in your initial zone for the blade, Windows setup does not support multipathing, if this is missed you will end up with an error ‘Setup was unable to create a new system partition or locate an existing system partition.’
2. Configure only a single port on the HBA, ensure its BIOS is enabled and that the boot LUN is configured. Ensure the second port is disabled/has no configuration.
3. Ensure you have downloaded the HBA’s driver from the HP Support website – this may not be necessary, but have it ready just in case.
4. Boot from the Windows 2008 R2 DVD using the iLO (you may find you recieve an error regarding a missing CD/DVD drive driver, if so try the Windows 2008 R2 vanialla DVD without SP1 integrated)