Friday, August 1, 2014

Windows 8.1 and 100% Disk Usage

Directly after I updated to Windows 8.1, my Lenovo AIO started slowing to a crawl. It would fluctuate between 60% and 100% disk usage, even when I wasn't doing anything.

Searching was painful, opening apps was painful and you could tell when it was running at 100%.


I read online a few different people having issues with the Skype App - since I don't use it, I simply uninstalled it. They reported that if you simply open it, the issue dissipates.

Other suggestions were:
Disable windows search - I tried that but it did not help, plus I use it...alot.

What finally did it?
Disable and remove all the apps that are pinned to your start menu that contain "live" data (the live tiles). I actually went ahead and uninstalled them, since I don't spend much time on the start screen anyway and if I'm there, it's not to read live tiles, it's to open an app.

So far, it's been running between 3 and 8 %.

Fingers crossed, I really didn't want to have to reimage my entire computer.

Update: 11/10/2015 - It didn't work. See post here for resolution.

Thursday, July 31, 2014

Site to Site VPN with Cisco ASA and Sonicwall NSA Series

Set up three site to site VPN tunnels recently for a project.  One was a Cisco ASA and the other a Sonicwall NSA series.

We ran into two issues:
Problem 1: While setting up the tunnel with the ASA, we couldn't get the second IKE phase to agree. We were seeing an error that looked something like "destination host does not match remote host" or some business.

Problem 2: Users at the main site (Site A) couldn't connect to the other two sites (Site B, Site C) when connecting over Sonicwall Global VPN Client.

Our Solutions:
Problem 1:
Cisco and Sonicwall notate subnets differently.  If you have a LAN range defined in the Sonicwall but something like notated in the Cisco, they will not translate.
The solution is to create a network in the Sonicwall with the matching netmask ( with the netmask of or applicable netmask).
They will then agree.

Problem 2:
Even if you were able to connect before to the other sites, but after setting up the tunnel you can no longer, there is an easy fix to this which I found all over the internet unasnwered, but logging into Sonicwall's site - you get the following KB article:

Add the site to site remote network to the GVC user's VPN access list in the UTM web management GUI.  Or, you can do this for an entire local users group and users will inherit this VPN access permission when they connect with GVC the next time.  Please follow the procedure as below:

1) Log into the firewall web management GUI, go to the Users > Local Users screen.

2) Click the configure button of the GVC user or user Group that you want to modify

3) Navigate to VPN Access tab inside the Edit window for the user.

4) Select the Remote VPN network and move it to right.

5) Click OK to complete.

 6) Now when GVC user connects to WAN GroupVPN on the SonicOS Enhanced UTM appliance, they will have access to networks at two locations. 

There is one additional step - on the ASA you need to make sure that the VPN subnet has access in NAT0.

Monday, July 7, 2014

Sharepoint 2010 All Day Events are 12 hours off

Sharepoint 2010 doesn't adjust for timezones, so all day events usually show on the wrong day. This is because of the UTC time and Sharepoint.  The short answer is - sort by "end time" instead of writing lots of code - it's not a perfect solution but it's better.

Wednesday, June 4, 2014

Why I'm Sick of the BYOD Propaganda

I have some gripes about this whole BYOD ongoing discussion so I thought I would throw my two cents in the mix.

I believe there is a place in the business world for BYOD. That being said, I'm about done with being inundated by articles on every LinkedIn page, G+ community and "whitepaper" slinger out there.
I see such headlines as:

"Danger! BYOD Ahead"
"Don't miss the BYOD train or your organization is dated and you are obviously a worthless CEO/CIO/IT person"
"BYOD Security Flaws"
"Let Staff Go Rogue on Tech"

and the list goes on...

What I'm getting at here is twofold. All at once, the internet is saying "CEO's: Demand BYOD or Die" and the other side (mostly retailers of BYOD products) says "BYOD too Dangerous to Use".

BYOD - by definition means to allow users to bring their own devices to work. It is important to note that there are different risk-levels for the different types of devices and information that can be accessed on them. This can occur in the form of a smart phone, laptop, tablet, desktop etc.  I tend to think that you would be hard-pressed to make a business case in most organizations that BYOD for primary work devices gives your company some sort of competitive advantage when talking about replacing that with organizationally standardized equipment.

Scenario 1:
Take for instance an organization that has four standardized models of computers available by business need. Perhaps one needs to run CAD or some graphically intense program and one does just basic Office apps and lets assume you need to have a laptop version of these specs and a desktop version. So you've got 4, predefined options at set costs which are predictable, able to be budgeted and optimized for the type of work the user will be doing. This cost includes the licensing which is tracked and manged by IT.

Scenario 2:
Now, imagine a world in the same organization that says "here's $1,500 - buy yourself a computer".

In scenario 1- the user gets exactly what they need for the type of work they will be expected to do, the equipment is known, the warranty is known, IT in the organization can report on licensing and keep an inventory of spare parts (eventually) that will assist every user.

In scenario 2 - the user gets whatever they want -  maybe they consider their work, maybe they don't. Maybe the computer doesn't have the specs it needs to perform optimally. IT has a hard time walking through issues because they don't know where the wifi switch is, or if it has a DVD drive or how the Fn keys are laid out. There is no enforceable time limit on age of machines either. You can't guarantee a warranty for x number of years.

I realize that in scenario 2 - there can be policies in place to deal with some of those issues, guidelines to work inside, but it seems to me that there is no REAL calculable benefit to allowing users to BYO-PrimaryWorkDevice.

I have users come in all the time and ask if they can bring in their iSomthing or their Android something or their Kindle something and connect to wifi. My answer is "No".  I know, that makes me a big meanie. But lets think about this. If I have provided you with a work machine that is designed to do what you need for your job and is protected appropriately, what are you going to use your personal device for? You're going to use it to stream music or movies or watch youtube (the last one you can do on your work machine) maybe play games or read a book. So don't give me any business about it making people more efficient because honestly, it's not going to.

BYOD for A Specific Purpose

There is a HUGE difference between allowing users to access their email via a smart phone/tablet/laptop via webmail/push and allowing it to be plugged directly into the corporate network.  We need to narrow the scope and define BYOD a little better before we go ahead and classify plugging your work computer into the network directly vs accessing corporate webmail from a personal device.  The risks are different, the exposure is different and honestly, one is more controllable than the other.
I propose banning the term BYOD and replacing it with: BYOP (phone), BYOC (computer), BYOS (software), BYOED (email device).

Lets face it - most corporations and organizations have had webmail available for use forever. This wasn't considered BYOD even though you can access the webmail from any computer in the world and there is no more exposure for corporate data on a push design smartphone than there is a user forwarding attachments/emails to their home email account to work on on their home computer - which is what happens.

So really, you're better off controlling the access by at least having the email/few documents on a device that has enforceable policies rather than having users forward documents via email to their aol account and opening them at home and sending them back.

These are a few of my half-baked ideas on BYOD which I will edit as I form a more coherent opinion on the subject. The discussion is out there, lets talk about it frankly instead of hiding behind acronyms and incalculable "efficiency" data from vendors.

Friday, May 16, 2014

Outlook 2013 "Exchange administrator has made a change that requires you to quit and restart outlook"

Environment - just moved from Exchange 2007 to 2013.
PC: Win 8.1
Office: 2013
Exchange: 2013 SP1

Please note that this was only happening to the Office 2013 users, Office 2010 did not have the same symptoms.

I would get a message consistently that "the exchange administrator has made a change that requires you to quit and restart outlook".
I tried a few things - namely - turning off cached exchange mode, tweaking some settings in my account.

What finally fixed it you ask?

1. Delete email Profile in Control Panel, Mail (32-bit).
2. Delete this folder: C:\Users\Username\AppData\Local\Microsoft\Outlook
3. Delete this folder: C:\Users\Username\AppData\Roaming\Microsoft\Outlook

Restart Outlook, rebuild profile, error message gone!

Hope you find it useful.

Thursday, March 13, 2014

Financial Edge and Mapped Drives

Financial Edge has a few "quirks" shall we call them?
This one was a lot of fun. I had a user who exported lots of reports from FE. The user, while connected to the network, would export a report from FE and browse file explorer (as it prompts) to save.  The network drives she had mapped would all show with red x's over them (while in Computer they look fine) and one specific drive wouldn't come up at all.

Blackbaud support told me to contact my IT person - because there must be a setting there that they had set.
My response was: I am the IT person and can you tell me exactly what kind of setting I would choose to make sure that ONLY Financial Edge could not access a personal drive and that the other drives show with red x's?

At any rate, the long story short, this user had UAC set on their machine - to a mid-level I might add, and that was causing all the issues.

Raiser's Edge & Patron Edge Inte-not-so-greation

Working in a nonprofit organization tends to come with its own set of challenges. One of which is working with Blackbaud's software.  I don't want to talk a bunch of smack - but I do want to say that their core packages could use an upgrade from oh, I don't know, DOS? 

Without futher ado. Here is an issue we ran into with Patron's Edge and Raiser's Edge "integration". 

1.       PE matches funds not based on their ID’s in RE but based on the description (which is ridiculous).
2.       PE has a 50 character limit on the Fund Description Field in PE
3.       RE has no character limit on the Fund Description
4.       When integration runs, PEUser is disabling Funds, but only the same 4 specific funds – why?
a) Our Funds in RE were named something like “111222333 - Donor Name and Specific Purpose for 2014 and beyond" and "111222333 - Donor Name and Specific Purpose for 2014 and beyond - Notes"
a.       As you can see – the issue is that since PE only looks at the first 50 Characters and they are exactly the same, it’s disabling one.
b.      Renaming the fund so that something is different within the first 50 characters resolves the issue.

So i'm not sure if any of you out there are using RE this way with PE integration, but it took me 6 months of random troubleshooting and finally turning off integration (at TopTix's request) to figure it out. So if I save you even a few minutes, I've done my duty!

Tuesday, January 21, 2014

McAfee SAAS and Server 2012 R2

I have a bunch of freshly minted Microsoft Server 2012 R2 virtual machines up and raring to go. During my initial setup, I install antivirus. We are currently using McAfee SAAS AV for our environment. So far, it's been working out pretty well.
The issue began with these new Server 2012 R2 boxes.
Got on the phone with McAfee - and about an hour later here's what to do. You can thank me for your time saved by letting me know if this was useful to you.

Error: Unable to create event sink object. Agent may not be installed properly.

1. If you've already tried, make sure to run McAfee's uninstall agent.
2. Reboot.
3. Download the silent version of your installer.
4. Store on root of C:\ (ie: dont run from downloads folder or network share).
5. Install McAfee with silent version of installer.
6. Try to update it (right click on shield, update)
7. If the error persists:
7a. Open command prompt as admin - type following: net stop myagtsvc (enter), net start myagtsvc (enter), net stop mcshield (enter), net start mcshield (enter).
7b. Reset Internet Explorer to default settings.
7c. Try updating defs again.

Hope that saves someone somewhere some trouble.