Friday, October 28, 2016

How to completely uninstall Google Apps Sync for Microsoft Outlook (GASMO)

This post will talk about how to completely uninstall Google Apps Sync for Microsoft Outlook (hereafter referred to as GASMO).

You might want to completely uninstall GASMO for several reasons.  If you're experiencing instability in Outlook, the first step is typically to create a new GASMO profile by re-running "Set up a Google Apps Sync user" and then setting the new profile as the default.  Should the new profile also prove to be unstable, sometimes you need to completely remove GASMO.

Here is how I remove GASMO completely.

Close Outlook
Uninstall GASMO via add/remove programs.
Delete the folder C:\Program Files (x86)\Google\Google Apps Sync
Delete the folder C:\Users\%username%\AppData\Local\Google\Google Apps Sync

Monday, October 3, 2016

Step by step - restore Active Directory objects from Windows backup

I accidentally deleted some Active Directory objects when I was deleting some Exchange mailboxes.  Chaos ensued, but I had to restore the Active Directory users.

Here's what Microsoft helped me do (step by step).

Boot into Directory services restore mode.  (see here for how:

Log in

Open an elevated command prompt

type "wbadmin get versions"
This will give you all the backups that you can restore from.
Pay attention to the version identifier as this will define what backup you're working with.

type "wbadmin start systemstaterecovery -version:10/01/2016-04:30" where 10/01/2016-04:30 will vary based on the actual version that you are restoring from that you found when you ran "wbadmin get versions"

Choose yes twice.

Now, you'll need to wait 45 to 90 minutes while the system preps itself.  Ugh.

Next, you'll restore organizational units (OUs) as a whole to the state they were in at the time of the backup.  So for example, if I have an OU named accounting and I'm doing a restore on October 3, 2016 where the backup I'm restoring from is October 1, 2016 - all changes from 10/1/16 to 10/3/16 will be lost.

This gets less intuitive here.  After the system has loaded the backup, the system will ask you to reboot the server.  Don't do it.

Instead, launch a command prompt, type ntdsutil, and then press Enter.
1. Type activate instance ntds and press Enter.
2. Type authoritative restore and press Enter.
3. At this point, determine whether you're restoring an OU or an object. The previous table showed the syntax to restore either an OU or an object. Type the restore command and press Enter.
   For example, to restore a user object, use the following format:
   • restore object dn
   • restore object "cn=Sally,ou=sales,dc=pearson,dc=pub"
   Or, to restore an OU, use the following format:
   • restore subtree dn
   • restore subtree "ou=sales,dc=pearson,dc=pub"
   This increments the update sequence number (USN) so that all other DCs consider it the most recent change.
4. Type quit and press Enter twice to exit ntdsutil.
5. Restart the DC normally.

As an example, if you were restoring an OU called distribution groups which sits under an OU called MyBusiness, you'd type:

restore subtree "OU=distribution groups,OU=MyBusiness,DC=contoso,DC=local"
If you're not familiar with LDAP syntax (which I'm not), some googling and trial and error will help you find what you need.  If you type in the wrong values, the process will just fail.
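
One way to take the trial and error out of the distinguished name, as an added example that is not part of the original post: a PowerShell helper that builds the line typed at the ntdsutil authoritative restore prompt from a DNS domain name and an OU path, escaping characters that are special inside a DN. The function and parameter names are hypothetical, and it assumes every level of the path is an OU rather than a CN container.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes every path level is an OU; built-in containers such as Users are
# CN= containers and would need CN= instead of OU=.

function ConvertTo-DnValue {
    param([Parameter(Mandatory=$true)][string]$Name)
    if ($Name.Trim().Length -eq 0) { throw 'Empty name component.' }
    if ($Name.Contains('"')) { throw 'Name contains a double quote; type that DN by hand.' }
    # Backslash-escape the characters that are special inside a DN value.
    $escaped = [regex]::Replace($Name, '([,+\\<>;=])', '\$1')
    # A leading '#' or space and a trailing space must be escaped as well.
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) {
        $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ '
    }
    return $escaped
}

function New-AuthRestoreCommand {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,    # DNS name, e.g. contoso.local
        [Parameter(Mandatory=$true)][string[]]$OuPath,  # top-level OU first
        [string]$ObjectCn                               # optional: restore one object
    )
    if ($Domain -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        throw "'$Domain' is not a dotted DNS domain name."
    }
    # contoso.local becomes DC=contoso,DC=local
    $dc = $Domain.Split('.') | ForEach-Object { "DC=$_" }
    # A DN lists the most specific component first, so walk the OU path backwards.
    $ous = for ($i = $OuPath.Count - 1; $i -ge 0; $i--) {
        'OU=' + (ConvertTo-DnValue $OuPath[$i])
    }
    $parts = @($ous) + @($dc)
    $verb = 'subtree'
    if ($ObjectCn) {
        # A single object sits in front of its parent OUs and uses "restore object".
        $parts = @('CN=' + (ConvertTo-DnValue $ObjectCn)) + $parts
        $verb = 'object'
    }
    return 'restore {0} "{1}"' -f $verb, ($parts -join ',')
}

# Constructed sample values, taken from the examples in the post.
New-AuthRestoreCommand -Domain 'contoso.local' -OuPath 'MyBusiness', 'distribution groups'
New-AuthRestoreCommand -Domain 'pearson.pub' -OuPath 'sales' -ObjectCn 'Sally'
```

The helper only formats text, so it can be run on any machine with PowerShell before the restore and the resulting line copied to the domain controller.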

This is what a successful restore looks like.  Look at "successfully updated records"

What's weird for me in the two times I've tried this is that I rebooted once, and my 2008 R2 server had no internet connectivity and no restored AD items on first reboot.  I had to reboot again to get my items and to get internet connectivity.  So weird.

Configuring VPN to work without regard to dial in policy

Per this page:

  1. Click Start, click Administrative Tools, and then click Network Policy Server. The NPS console opens.
  2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
  3. In the policy Properties dialog box, on the Overview tab, in Access Permission, select the Ignore user account dial-in properties check box, and then click OK.

You can enable NPS (Network Policy Server) to work without regard to the user's dial-in setting.  For years, I've been manually marking people with Allow for Dial-in as in below.