Installing Security Development Tool for AX 2012 R3

Today I am installing Security Development Tool in one of our lab environments. First of all you need to download the tool from LifeCycle Services.

When you have the file msi file it is time to do the install

  1. Start by running the msi file… this is an extremely short install which seems to do nothing… but that is OK
  2. When the mis install is done start Microsoft Dynamics AX 2012 Management Shell as an elevated user and run the followingInstall-AXModel -File “c:\Program Files (x86)\Microsoft\Security Development Tool\SecurityDevelopmentTool.axmodel” -Server [servername] -Database [databasename]
  3. Start the AX client and you will get a message that the Model store has been modified. Select Compile and Syncronize and wait for the process to complete
  4. When AX is done compiling and syncing start the AOT (by pressing Crtl + D)
  5. Browse to the Class called SysSecEntryPointmanagerSetup, right-click and select Open
  6. Restart the AX client
  7. When the client is restarted go to Administration and click Security entry point permissionsNote: You might get an error that the tool can only be run in Single-User session mode. In that case goto Administration – Online users and disconnect all users except your own

That is all


Download all Ignite sessions… Using oneget…


Today I will highlite a couple of things…

First of all: If you have not used OneGet (which comes with Windows 10) you should definately take loog at it. It lets you install software and powershell modules from different repositories on the internet (think Apt-get on Linux)

Second of all… My colleagues at AddLevel has created a PowerShell module for downloading the Ignite sessions automatically and it is available from Technet Gallery which makes it downloadable by using OneGet… Here is how you do it:

    1. Start an elevated Powershell prompt on your Windows 10 Computer
    2. Enter Find-Module CH9 | Format-List to have a look at the information about the package. If this is the first time you use Oneget, Powershell will ask you if it is OK to install the NuGet provider.

    1. If you want to install the package use: Find-Module CH9 | Install-Module
    2. Once you have installed the module, use get-command -module CH9 to fund which CMDlets are available

    1. To download all Mikael Nystroms sessions from Ignite 2015 use this:

      Get-CH9EventItem -Speaker “Mikael Nystrom” -EventName Ignite -Region NorthAmerica -Year 2015 | Save-CH9EventItem -StorePath C:\Users\johan.persson\Downloads


Getting started with Desired State Configuration – Part 2

In the first part we got DSC up and running with some custom modules. In this part we will start using some of the built in modules. We start by creating a Configuration. In this case we want to create a configuration for a DC which means that we will need a DHCP Server. We start by installing the DHCP Role:

configuration DC
    # One can evaluate expressions to get the node list
    # E.g: $AllNodes.Where("Role -eq Web").NodeName
    node ("DC01")
        # Call Resource Provider
        # E.g: WindowsFeature, File
        WindowsFeature DHCPServer
           Ensure = "Present"
           Name = "DHCP"


Start-DscConfiguration -Path .\DC

When the configuration is created we run it to create the .mof (the Mof file is created in a folder with the same name as the node in the folder where you are running the configuration block) file for the configuration and then we start the configuration by invoking Start-DscConfiguration.

We continue to build our configuration by using the Service Dsc module. By running:

Get-DscResource Service | select -ExpandProperty Properties

we will get more information about the module and which keywords we can use. We use this to set the State and StartupType

configuration DC
    # One can evaluate expressions to get the node list
    # E.g: $AllNodes.Where("Role -eq Web").NodeName
    node ("DC01")
        # Call Resource Provider
        # E.g: WindowsFeature, File
        WindowsFeature DHCPServer
           Ensure = "Present"
           Name = "DHCP"

        Service DHCP
            State = "Running"
            Name = "DHCPServer"
            StartupType = "Automatic"


Start-DscConfiguration -Path .\DC

To verify that the configuration is applied  and that it has not been changed we use:

Compare-DscConfiguration -Path .\DC

If everything is OK we will see this:

PSComputerName  ResourcesInDesiredState        ResourcesNotInDesiredState     InDesiredState 
--------------  -----------------------        --------------------------     -------------- 
DC01            {[WindowsFeature]DHCPServer... {}                             True           

Try stopping the DHCP Service and run the same command again


PSComputerName  ResourcesInDesiredState        ResourcesNotInDesiredState     InDesiredState 
--------------  -----------------------        --------------------------     -------------- 
DC01            [WindowsFeature]DHCPServer     [Service]DHCP                  False          

As you can see we can now find configuration drift… in the next part we will look at how to enforce the configuration.


Getting started with Desired State Configuration – Part 1

I have been thinking a long time about forcing myself to learn Desired Stat Configuration (DSC), but I haven’t gotten around to it… Now is the time

Desired State Configuration is this super cool technology that appeared in Windows Server 2012 R2 and when Microsoft st6arted talking about it the typical example was the you hade this farm of Web Servers and you wanted to ensure that they were identically configured. The problem is that most of my customers do not have a farm of web servers… so what do I use it for. Well, Microsoft is releasing these new DSC resources on a regular basis for a lot of products which means that it is getting more and more interresting. The latest resource kit is called Wave 9 and it contains the following resources:


As you can see thare are A LOT of them… some that I think are really cool are for instance TimeZone, RemoteDesktopAdmin, BitLocker and more. Note that all DCS recources starting with an X are eXperimental. So lets get started…


DSC is built in to Windows Server 2012 R2 but it needs a patch KB2883200. If this patch is not installed you will net be able to see the modules you have installed.

Installing DSC Resources

There are some default resources installed by default:


If you want to install other modules (for instance Wave 9) you just download them and extract them to the folder C:\Program Files\WindowsPowerShell\Modules

Verifying the install

To verify the install run the following command


In the next part we will look at how you actually use DSC to create server configurations



Geeky Tricks: Replace Cmd with Powershell

Today when I was recording a Podcast, me and my co-hosts got into a discussion about if it was possible to replace cmd with Powershell in Windows (The reason for the discussion is that the keycombination Win + R, cmd, Enter is ingraved in our spine)… turns out it is 🙂

New-Item “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmd.exe” | Set-ItemProperty -Name “(default)” -Value “C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe”

If you want to revert just use:

remove-Item “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmd.exe”

Happy Powershelling


Konstiga beteenden för Get-ADUser

Dagens problem har med Get-ADUsers att göra… De flesta miljöer jag arbetar i är uppgraderade till 2012 eller senare men just denna kund har inte uppgraderat…

Dagens uppdrag var att skapa en CSV export av AD användare så jag började med:

Get-ADUser -Filter * -Properties * –Searchbase “OU=OUn,DC=Domain,DC=se”

Detta spottade ur sig en hel hög med fel… Suck

Jag testade det i min labbmiljö och det funkade… efter lite letande hittade jag att det verkar vara ett problem med Schema versionen… antingen uppdaterar man eller får man testa en workaround:

Get-ADUser -Filter * -Property * –Searchbase “OU=OUn,DC=Domain,DC=se”

verkar fungera (observera Property istf Properties)

Get-ADUser –Filter * –SearchBase “OU=OUn,DC=Domain,DC=se” | get-ADObject -Properties *



Lite kort info om PowerShell moduler

Som ni säkert vet kan man koppla in moduler i Powershell som gör att man får fler Cmdlets. I Windows Server 2012  och 2012 R2 kommer Powershell själv att ladda moduler om de är installerade korrekt… Vad är då korrekt?

Det finns ett antal olika ställen där man kan installera Powershell moduler

Använd variabeln $env:PSModulePath för att ta reda på var Windows letar efter moduler att autoladda. På min maskin är standardsökvägarna förjande:

C:\Program Files\WindowsPowerShell\Modules
c:\Program Files (x86)\Microsoft SQL Server\110\Tools\PowerShell\Modules\

Den första är min personliga sökväg… varje användare har en och där kan man lägga sina egna moduler. Den Andra är en standardsökväg där man kan lägga moduler för alla användare. Nummer tre är reserverad för Windows inbyggda moduler och den fjärde beror på att det finns en SQL server installerad på min maskin.

Nästa punkt på agendan är att lägga till en nu modul… Jag vill installera Michael Niehaus modul för att hantera MDT databasen. Så jag börjar med att ladda ner den och packa upp den. Hur gör man då för att installera den så att Powershell kan ladda den automatiskt? Jo, jag kopierar den till antingen sökväg 1 eller 2 ovan, men för att det skall funka behöver jag lägga den i en mapp som heter samma som modulen. I mitt fall heter modulfilen MDTDB.psm1, alltså skapar jag mappen C:\Program Files\WindowsPowerShell\Modules\MDTDB och lägger filen där.



Too many devices…

Idag har jag stött på ett angenämt problem… Jag har för många tekniska gadgets. En del av er säger säkert att det är omöjligt… men enligt Microsoft Excahnge går gränsen vid 10…


Lösningen är ganska enkelt. Bärja med att skapa en ny ThrottlingPolicy som tillåter det antal enheter du vill öka till:

New-Throttlingpolicy "More Gadgets" -EasMaxDevices 20 -EasMaxConcurrency 20

Knyt policyn till den mailbox du vill skall kunna åtnjuta lyxen av flera enheter:

Set-Mailbox nissehult -ThrottlingPolicy "More Gadgets"

För att ändra den nya policyn till att tillåta ännu fler enheter:

Set-Throttlingpolicy "More Gadgets" -EasMaxDevices 25 -EasMaxConcurrency 25

Mest prylar när man dör vinner…


Check Hyper-V replication status using Powershell

One of my colleges sent me this little snippet today for easily checking replication status on the VMs on our hyper-v host… I modified it for checking multiple hosts:

Get-VMReplication -computername HOST1,HOST2,HOST3 | select-object lastreplicationtime, vmname, computername | Sort-Object -Property LastReplicationTime | ft -AutoSize


How to monitor Windows 2008 R2 Servers from Server Manager in Windows Server 2012

This will be a very short and sweet description on how to monitor Windows Server 2008 R2 from Windows Server 2012

  1. Start by installing .NET 4 Framework on the 2008 R2 Server
  2. Install Windows Management Framework 3.0 in the 2008 R2 server
  3. Run winrm qc in an elevated command prompt on the Windows Server 2008 R2 computer
  4. To be able to use BPA on the 2008 R2 server run Enable-PSremoting –Force from an elevated PowerShell prompt
  5. Done…