Calling all Technical Women – We want your C.V.

•May 16, 2010

World Wide Online Event


Hi Ladies,

We have a worldwide online event happening very soon here, which gives you an opportunity to meet and talk to Technical Women working in Services at Microsoft and find out what the job is actually like. Plus we are interested in you too. We would love to have lots of women who are considering job roles at Microsoft send us their C.V. by simply clicking on the bottom link to register for the webinar. So come on ladies, especially EMEA, we want to hear from you!


Optimizing and reducing the noise on Admin Packs Scom

•May 14, 2010

I have been working with my customer on reducing the noise in, and optimising, SCOM 2007 R2. The main emphasis of my work has been on the Active Directory Management Pack, but some of the techniques that I have highlighted and the links that I have used can be applied more generically.

1. Check whether you have configured “Agent Proxying” for any clusters, Active Directory and Exchange. The reason this should be set is as follows:

When deploying the AD or Exchange management packs you need to enable proxying on agents in order for discovery to work properly. This is further detailed in the blogs below. There is also listed a tool that can be used to enable this across multiple Domain Controllers at once, otherwise you have to go to each individual server.






2. Another good technique to reduce noise is to run the following reports from the ODR Reporting Library.


3. In addition, we can be more specific by focusing on a particular Management Pack, by choosing the following under the Generic Report Library.



The above reports then enable us to identify the noisiest errors. We can take this information, go to the specific monitor, and modify or disable it in the following way:




4. Also, certain alerts do not close in the Alert view even though their health has been restored, thus creating unnecessary noise. You can carry out the following to address this.


5. Also, you may or may not be aware of OOMADS, which can cause noise from Domain Controllers if the agent is deployed manually.

OOMADS.MSI is the Active Directory helper object.
From Technet – "If an agent is manually deployed to a domain controller, and
an Active Directory management pack is later deployed, errors might occur
during deployment of the management pack. To prevent errors from occurring
before deploying the Active Directory management pack, or to recover from
errors that might have already occurred, you will need to deploy the Active
Directory management pack helper object. This is done by deploying the file
oomads.msi on the affected domain controller. The file oomads.msi can be
found on the computer hosting the agent at C:\Program Files\System Center
Operations Manager 2007\HelperObjects.
After an agent has been manually deployed to a domain controller, locate the
oomads.msi file and double-click the file to install the Active Directory
management pack helper object.
You need to manually deploy oomads.msi only to domain controllers that will
host an agent and will be monitored via the Active Directory management
pack. The Active Directory management pack helper object is automatically
installed when the agent is deployed using the Discovery Wizard."
Although the article talks about Domain Controllers, it will apply equally
to computers you want to use as Clients for AD monitoring as they also use

Installation Checklist for Active Directory Management Pack

1. Import the Active Directory Server Pack
2. Create a Management Pack in which to store customizations, such as overrides (for details on why, see this post)
3. (Optional) Import the Active Directory Client Management Pack and override the AD Client Monitoring Discovery Rule
4. Enable the Agent Proxy Setting on all Domain Controllers
5. Configure an account for Replication Monitoring (associated with the Active Directory Management Pack Account Profile)
6. Create a RunAs account and associate it with the AD MP Account Profile

Optional Configuration
1. Configure the maximum time allowed for change to replicate across a forest
2. Disable collection of warnings, performance data, and miscellaneous noncritical events to decrease network traffic
3. Enable data collection for the Replication Latency Report
4. Set parameters for tasks

Common Problems

  • Oomads not installed
  • Oomads 64-bit issues
  • Agent proxy settings enabled on all Domain Controllers
  • AD MP Account Profile Run As Account Password is not validated by the application when entered

Floppies 101 uses for plus other Random thoughts

•May 4, 2010


We have just had a long Bank Holiday weekend in the U.K., so I have taken the opportunity to carry out some spring cleaning and have been clearing out a load of boxes. I came across a long forgotten box of floppy disks. It took me another 20 minutes to locate my USB floppy drive reader. After going through the floppies, which seemed so sloooow, as I was carrying this out I sat there reminiscing about my old dual floppy 720k non hard disk Philips PC, then my old 286 Olivetti PC came flashing into my brain. Then suddenly I started getting all romantic about my 520k ? original IBM PCs I used to support in a previous life, plus the excitement I felt when I took delivery of my first IBM PS2 machine with 4 MB of RAM and a 40 MB hard drive. By this time I had looked through all my floppies and found some old photos and Sibelius arrangements my husband had done years ago. Then I realised with a start how long I had been working in this fascinating, changing, frustrating and exhilarating industry, and then plugged in my shiny new 32 GB USB stick to transfer the contents of my floppies to :)…..Happy days!

The following link will make you smile

Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

•April 30, 2010

Apologies for not blogging for some time. I have been away on vacation, out of the country on training, plus work commitments, so add that up and it equals an enforced hiatus. Plus of course do not forget the Volcano :).

Well, I am back now and have some interesting information around Event Log access and the way things have changed in Windows 2008. This comes out of some work I have been doing with my customer.

So if you want to give non-administrator users remote access to Event Logs, and the servers or Domain Controllers they are accessing are Windows 2003, follow the steps below.

I have extrapolated the information contained in the following two KB articles. It is not easy, as it is using service discretionary access control lists.

This works for both Domain Controllers and member servers. Therefore, when it talks in the body of the steps around Default Domain Group Policies, this can be supplanted with the relevant Group Policy object.

You will also need to download a Name to Sid type utility. Details of this here.

There are others around externally and internally to Microsoft. The internal one would only be available to you if you raise a Premier Support Call as part of your premier contract if you have one.

Plus of course you have the Windows Sysinternals 

As per the article, follow the steps below:

Use Group Policy to Set Your Application and System Log Security for a Domain, Site, or Organizational Unit in Active Directory

Important: To view the group policy settings that are described in this article in the Group Policy editor, first complete the following steps, and then continue to the "Use Group Policy to Set Your Application and System Log Security" section:

1. Use a text editor such as Notepad to open the Sceregvl.inf in the %Windir%\Inf folder.


2. Add the following lines to the [Register Registry Values] section:

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

3. Add the following lines to the [Strings] section:

AppCustomSD="Eventlog:Security descriptor for Application event log"

SecCustomSD="Eventlog:Security descriptor for Security event log"

SysCustomSD="Eventlog:Security descriptor for System event log"

DSCustomSD="Eventlog:Security descriptor for Directory Service event log"

DNSCustomSD="Eventlog:Security descriptor for DNS Server event log"

FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"

4. Save the changes you made to the Sceregvl.inf file, and then run the regsvr32 scecli.dll command.

5. Start Gpedit.msc, and then double-click the following branches to expand them:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

6. View the right panel to find the new "Eventlog" settings.

7. Open the relevant Policy for the member server. Open Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Look for Event Log settings.

3) Use a name2sid utility to find the SID of the group to which you want to give access to the event viewer.

4) Open “Eventlog: Security descriptor for Application event log”. Click on Define this policy setting.

Copy the following registry key:



Service\CustomSD etc…

Copy the above value for each of the event logs (like application, system, security etc…) & append respective event logs with (A;;0x3;;;SID of the Group) in the above


Here 0x3 indicates read & write privileges. The write privileges are required only if the group needs to write events into the event logs (like an application service using this user account).

Replace 0x3 with 0x1 – if this group needs only READ access to the event viewer

5) Run GPupdate

As an FYI, see below for the explanation of the codes:

Entry Meaning
O:BA Object owner is Built-in Admin (BA).
G:SY Primary group is System (SY).
D: This is a DACL, rather than an audit entry or SACL.
(D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
(A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU) Allow Service accounts READ and WRITE.
(A;;0x3;;;S-1-5-3) Allow Batch accounts (S-1-5-3) READ and WRITE.
The specific event log access mask bits are:
0x0001 ELF_LOGFILE_READ Permission to read log files.
0x0002 ELF_LOGFILE_WRITE Permission to write log files.

However for Windows 2008 Life gets much easier

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built in Event Log Readers group.

However, if you do not want to give access to ALL event logs, you still have to resort to using SDDL.

The location of the SDDL has changed in Windows 2008, and it is no longer set via the CustomSD value in the registry. You now have to use the wevtutil utility.

For example, suppose you need to define access to just the System event log on our Windows 2008 Server.

1. Open the command prompt and run the following command to dump the SDDL for the System log out to a text file.

wevtutil gl system > C:\temp\out.txt

2. Open the text file and copy out the channelAccess: entry

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

3. Copy the Interactive User (IU) entry, (A;;0x1;;;IU), and append a copy of it with the SID of your user or group in place of IU.

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-3-3127463467463)

Last, we need to apply the new SDDL. Just replace O:BAG:XXXX in the command below with the SDDL string you created in the previous step.

wevtutil sl System /ca:O:BAG:XXXX

In addition you can remove access for the Event Log Readers group from event log in question by removing the (A;;0x1;;;S-1-5-32-573) entry from the respective log SDDL String.
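The SDDL strings in the Windows 2003 table and in the Windows 2008 wevtutil steps above can be checked before they are applied. The Python below is an added example, not code from the original post or from Microsoft: it decodes the System log channelAccess value shown above, rejects stray spaces or parentheses, appends a read-only ACE, and lists non-admin trustees that hold WRITE or CLEAR. The function names and the default admin trustee list are assumptions.

```python
import re

# Event log access-mask bits. READ and WRITE are listed on the page; CLEAR = 0x4
# follows from its "0x7 = READ, WRITE and CLEAR" rows.
RIGHTS = {0x1: "READ", 0x2: "WRITE", 0x4: "CLEAR"}
ACE_RE = re.compile(r"\(([AD]);([^;()]*);(0x[0-9a-fA-F]+);;;([A-Z]{2}|S-1-[0-9-]+)\)")
# System log channelAccess value from the page, as one unbroken string.
SYSTEM_SDDL = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)"
               "(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)"
               "(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)")


def parse_aces(sddl):
    """Return the DACL of an event log SDDL string as a list of ACE dicts.

    Raises ValueError on anything between or after ACEs (spaces, extra
    parentheses), which would otherwise reach wevtutil as a broken /ca: value.
    """
    _, sep, dacl = sddl.partition("D:")
    if not sep:
        raise ValueError("no DACL (D:) section")
    aces, pos = [], 0
    for m in ACE_RE.finditer(dacl):
        if m.start() != pos:
            break
        mask = int(m.group(3), 16)
        aces.append({"allow": m.group(1) == "A", "trustee": m.group(4), "mask": mask,
                     "rights": [n for bit, n in RIGHTS.items() if mask & bit]})
        pos = m.end()
    if pos != len(dacl):
        raise ValueError(f"malformed SDDL at DACL offset {pos}: {dacl[pos:pos + 20]!r}")
    return aces


def add_read_ace(sddl, sid):
    """Append a read-only (0x1) Allow ACE for sid, unless one already exists."""
    if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
        raise ValueError(f"not a SID: {sid!r}")
    if any(a["allow"] and a["trustee"] == sid for a in parse_aces(sddl)):
        return sddl
    return f"{sddl}(A;;0x1;;;{sid})"


def non_admin_writers(sddl, admins=("SY", "BA", "SO")):
    """Trustees outside `admins` whose Allow ACE includes WRITE or CLEAR."""
    return [a["trustee"] for a in parse_aces(sddl)
            if a["allow"] and a["trustee"] not in admins and a["mask"] & 0x6]
```

The string returned by add_read_ace is the value that goes after /ca: in the wevtutil sl command.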

Women in Technology Microsoft Career Webcast

•April 7, 2010


About the Event

Meet up to 12 different women from Microsoft Services and learn how they are helping our customers succeed. We are holding four webcasts to accommodate four different time zones on the three roles below. We hope you will join the one that works best for you.

The Consultant:  Meet new customers. Help them assess their business needs. Design and deliver Microsoft technical solutions that allow them to get the maximum value for their business. Be a technical consultant. View job description.
The Technical Account Manager:  Support a Microsoft Premier customer. Deliver Microsoft technical solutions that allow them to have the best operational health possible. Be a technical liaison across Microsoft. View job description.
The Premier Field Engineer:  Active travel to reach many Enterprise customers. Provide proactive and reactive support to the most technically complex and business critical situations. Be the technical expert. View job description.

Who should attend

We are looking for women with great technical experience who have a passion for working with customers.  While our event is open to anyone interested in considering roles at Microsoft, our focus on the above three roles is targeted to those individuals with strong technical expertise, 3-5 years in the technology industry, a Computer Science/Engineering degree or equivalent experience. You must have a proven record of delivering business value to customers preferably on the Microsoft platform, technologies, and products.

REGISTER TODAY for the webcast which best fits your region and time zone:

Looking for a New Career – How about Premier Field Engineering

•April 7, 2010

Hi Everyone,

I am really excited to tell you that due to our continued success Premier Field Engineering in the U.K. is looking to recruit some more Engineers to join our ranks.

If you are interested in joining a dynamic and exciting team, and working for a great Company, and love working with a wide variety of Enterprise Customers then we are looking for Engineers with experience in the following technologies.

Premier Field Engineers Role
SCOM (System Centre Operations Manager)
SCCM (System Centre Configuration Manager)
Platforms (Application Virtualisation)
Platforms (Active Directory)

These roles will be posted on our official U.K. website over the next week or so, so keep your eyes peeled. Alternatively you can also contact me direct on with your C.V., which I can then forward on to the relevant hiring managers.

Carry out a search for Premier Field Engineer

Microsoft Desktop Player This has potential !

•April 6, 2010

Apologies for not blogging in recent weeks. I have been tremendously busy, plus working out of the country.

My good friend Justin Zarb showed me this the other day.

Microsoft Desktop Player


This is a great utility that gives you a platform to search for TechNet content based around . You can either use the online version or download the desktop client version. It is currently in beta, so not all the features, such as putting in your postcode to find local TechNet events, are available as yet outside the USA.


Kevin Remde gives a great explanation of the tool