Fix for missing AD security groups in Lion

A few weeks ago i ran into a weird issue on some of our Mac OS X Lion (10.7) machines. For some reason they weren’t able to see all of our security groups under the Network Groups section. I’ve verified that this issue isn’t present in Leopard (10.5) or Snow Leopard (10.6) so i’m assuming this is a “new feature” of Lion. (As of 10.7.3 at least) 

Anyways, when you open “Get Info” for any file or folder and click the plus (+) sign in the Sharing & Permissions section you’ll see what i’m talking about. Select “Network Groups” and scroll through the list:

Missing a few groups, eh?

Here’s the problem. For some reason Lion only displays security groups from Active Directory that contain the “displayName” attribute. Newly created security groups, by default, do not contain this attribute. In order to get the security group to show up properly in Lion you need to fill in this attribute with the security group’s name. 

Here’s how you fix it. Open up the security group in your favorite Active Directory editor. (I prefer to use the one built into ADUC. You’ll need to check the “Advanced Features” option under the View menu to see it.) You will find that the “displayName” attribute is set to <not set>. Let’s fix that. Select the attribute and hit the Edit button and type in the name. 

Hit okay and then apply. BAM! Go to your nearest Lion machine and you’ll find that the security group now shows up properly.

As always, I contacted Apple regarding this bug “new feature” and have yet to hear back from them. I’ve combed through Lion looking for any hints as to why this is happening. For now you’ll just have to manually set this attribute for security groups you need on Lion until Apple releases a fix. If it really bugs you i bet you could write a PowerShell script to set the displayName attribute of all security groups in your domain. Just keep in mind that you’ll have to set this attribute by hand for any new security groups you create.

Update: I just confirmed that new distribution groups created from within Exchange (2010 in my case) actually do have the “displayName” attribute correctly populated. So this may just be limited to security groups created from ADUC. (2003/2008/2008r2)
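A sketch of the bulk fix suggested above, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module is available (RSAT, with a domain controller running AD Web Services); the function name and the CSV file name are hypothetical.

```powershell
# Added example: find security groups with no displayName and set it to the group's name.
Import-Module ActiveDirectory

function Set-MissingGroupDisplayName {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional OU distinguished name to limit the search; default is the whole domain.
        [string]$SearchBase
    )

    # Security groups have the 0x80000000 bit (2147483648) set in groupType.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    # (!(displayName=*)) matches objects where the attribute is <not set>.
    $filter = '(&(objectCategory=group)' +
              '(groupType:1.2.840.113556.1.4.803:=2147483648)' +
              '(!(displayName=*)))'

    $query = @{ LDAPFilter = $filter; Properties = 'displayName' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($group in Get-ADGroup @query) {
        $action = "Set displayName to '$($group.Name)'"
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, $action)) {
            Set-ADGroup -Identity $group -DisplayName $group.Name
        }
        # Emit one record per affected group so the run can be reviewed or logged.
        [pscustomobject]@{
            Name              = $group.Name
            DistinguishedName = $group.DistinguishedName
        }
    }
}

# Dry run first: -WhatIf prints what would change and writes nothing to AD.
Set-MissingGroupDisplayName -WhatIf |
    Export-Csv -Path .\groups-missing-displayName.csv -NoTypeInformation

# When the list looks right, run it for real:
# Set-MissingGroupDisplayName
```

Because new security groups created in ADUC still come without the attribute, the same function can be re-run on a schedule to catch them.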

Plex - My observations and experience

So yesterday i got fed up with the crappy Windows Media Center Netflix app and decided it was time for a change. My first thought was to check on Boxee’s Netflix app and see if they had improved it at all. Nope. It is still shitty as ever. Apparently they have a nice new clean version on the d-link box but aren’t planning to release it to the desktop software for quite a while. Someone on the forum mentioned they had switched to Plex for this very reason. Having never heard of or even used Plex i decided to check it out and see if it was any good. The following is my experience with Plex as well as some of my observations of the product. 

Before i begin, here is my HTPC setup:

My HTPC is a Core 2 Duo 6600 w/ 4gb of ram. It has an AMD/ATI Radeon HD 6450 graphics card. The box also has a Hauppauge WinTV-HVR-1600 capture card for capturing OTA HDTV. The box is running Windows 7 Ultimate 64-bit. I use the built-in Windows Media Center application as my primary HTPC interface. I use WMC mainly for its DVR functionality. From WMC i have several launchers installed that can open Boxee and Hulu. I use Boxee to watch all of my local media as well as media from sites like Crunchyroll and ESPN3. I use Hulu (Rarely) when i’m extremely bored and want to watch low quality commercials. ;)

I should also mention that i’m spoiled when it comes to Netflix apps. I have a PS3 and used that Netflix app for a year before i setup my HTPC. I have yet to see any other Netflix app compare to the awesomeness of the PS3 Netflix app. 

With that out of the way, here is the rundown of my Plex experience. 

1) Plex doesn’t make it clear what applications you need to download and what these applications actually do.

When you go to their site and click on download (I clicked on the Windows icon) it takes you to a page with three buttons. It doesn’t really say what the three applications do. 

At first i downloaded the Media Server app only to realize it was just the server and not a player or client app like Boxee or XBMC. I immediately uninstalled the app and downloaded the Media Center app. Of course about 20 minutes later i realized that you need BOTH the server app AND the Media Center app for anything to work correctly. I actually stared at the following screen for at least 2 or 3 minutes before i realized i need to reinstall the server app. For some reason i was thinking this meant the app was connecting to a Plex server on the web. Not the case. 

To top things off, the Media Center app completely locked up and wouldn’t respond after I pressed Cancel. I had to end the task via Task Manager to exit the app so i could install the server.

2) The Channel Directory is completely broken.

Once i had the server app re-installed i launched the Media Center again and went to the Channel Manager to try and install the Netflix plugin/app. I clicked around to all of the different areas (Featured, What’s New, Most Popular, etc) and found the same blank screen everywhere:

The “Check for Updates” button even locked the app up and forced me to end the task and start over. 

3) Lack of documentation and helpful information 

Finding it hard to believe that this nice looking App could be so terrible, i began searching the wiki for answers. The wiki offered no help whatsoever. I couldn’t even find a section for the Windows Desktop client. The only place in the Wiki/FAQ that even mentioned channels or plugins simply said “Access the ‘Channel Directory’ section of the client to find the channel you want and install it from there.” As i said, no help.

I then decided to try the forums. After a bit of searching i finally found a post titled “0.9.5.0 - No Plugins/Channels.” After trying several different user’s suggestions i was finally able to fix the problem by deleting a random XML file from the server app’s Preferences directory. 

4) Inconsistent and broken experience

Upon opening the Media Center app i was pleasantly surprised to find that the Channel Directory was now properly listing apps. I quickly located the Netflix plugin and installed it. The only problem was that after installing the plugin i couldn’t figure out how to access or even start the plugin. Nothing showed up on the main page. And when i went to the channel directory and selected the Netflix App all i saw was this menu:

None of the listed options really did anything. I restarted both the Media Center app and the server app several times as well as the PC. Finally, after the PC restarted, i opened the Media Center and two new items showed up on the main screen. “Video Channels” and “Music Channels.” However, neither option listed the Netflix plugin. (Even when i selected both options to see more than just the recently used channels) They both just listed iTunes. 

At this point i was already 45 minutes into my very first Plex install and was very frustrated. I decided that this software wasn’t ready for public use and promptly uninstalled both the media center and server applications. And that’s where we are today. 

My observations as a geek

The idea of Plex is good. The problem is the implementation. The main problem i see is that the website lacks clear information on what the product is and how to use it. The front page has a bunch of useless marketing mumbo jumbo and doesn’t even have a “What is Plex” type of page explaining what it does.

Similarly, the website doesn’t tell you what applications you need to download or what the difference is between the various applications. Aside from offering a download button for the Media Center and Media Server, i could find nothing that described what they were used for and which i needed to install. And on top of that they didn’t bundle required software together as one would expect. (E.g. bundling the server with the Media Center) This led to guessing games on my part and really irritated me. (Install, Uninstall, Install, Re-install, etc)

The other thing that really irritated me were the basic bugs and interface problems as described above. This, to me, signals laziness on the part of the developers. These types of bugs are easily caught and squashed with a simple round of QA. I was able to reproduce all of the above errors today on a clean test machine without even trying. (This is where my screenshots came from) It took me all of 10 minutes.

Perhaps i’ll try Plex in the future when they finally leave beta. For now it doesn’t seem to be ready for the public. It feels more like a late alpha or early beta product meant for dedicated users who are willing to help the developers test and locate bugs. 

Anyone familiar with electronics know if the yellow “stuff” under the capacitor in this photo is bad? From my PC’s power supply. It quit working this weekend. :( 

Am i the only one who finds it amusing that Twitter’s status page (You know, the page you go to if Twitter is down) is hosted by Tumblr?

TIL Apple removed support for exporting uncompressed AVIs from OS X Lion (10.7)

We’ve been struggling with Lion ever since it landed on our machines. From the first day we’ve had nothing but problems with it. First we couldn’t get it to bind to our Active Directory correctly, then we ran into issues with it not binding when on DHCP, then it started screwing with DNS (E.g. removing A records for our domain controllers), then we found that there was no support for some of the software we need, and now we find that Apple has, in its infinite wisdom, REMOVED the ability to export videos as uncompressed AVIs. And on top of that, no one at Apple knows ANYTHING about this or WHY it was done. The best answer i got, after spending hours of searching online and talking with Apple tech support reps, was that it was a “Quicktime engineering decision” and that “they aren’t privy to that information.” Give me a fu@%!ng break. Apple’s best suggestion was that we export the projects as .mov files and then find a 3rd party tool to convert .mov files to .avi files.

Anyways, the short of the long story is that Apple OS X Lion (10.7) no longer supports exporting anything as an uncompressed AVI. This goes for pretty much any application. We confirmed this for Final Cut Pro 7, all of the Final Cut Studio apps, and all of the Adobe Creative Suite apps. I’m not really an expert with Apple products (Though I’m slowly becoming one…) but it appears that all of these apps (FCS and Adobe CS) use the same underlying functionality to export AVIs. The interface that comes up when you actually go to configure the AVI settings is identical across all of these apps. The Apple tech support rep i spoke with confirmed that the interface used to configure these codec settings was indeed an operating system component and not something specific to the application.

This just confirms what i’ve always thought of Apple. They make beautiful well designed products that computer-illiterate people can use and they also push the industry forward by continually innovating. But they do all of this without the slightest concern or care for how it will affect their customers. While this may work in the consumer world, it won’t last long in the business world. Businesses can’t afford to invest in a platform which will continually force them to alter their business processes and spend money just because the vendor decides it doesn’t want to support certain features anymore. In today’s business world, supporting legacy features is a must. And if Apple refuses to do so, they will eventually lose business to friendlier competitors who will. 

And if you don’t believe me, just look at the Final Cut Pro X iMovie Pro X debacle and the major push back Apple received from the industry. You can’t just go cutting out this and that because you don’t think anyone needs it anymore. That’s not how businesses work. 

Now, if i could just find that damn stress ball… 

And yes, i ripped off the TIL (Today I Learned) idea from Reddit… along with the rage meme.  

Things that are stupid…

… “Christian” gaming servers.

I’m not saying Christians are stupid. You can be christian and play games. I see no problem with that. I’m just saying, specifically, that “christian gaming servers” or servers that define themselves as “christian” are stupid. I find it a bit of an oxymoron that a gaming server, consisting of virtual soldiers ruthlessly killing each other over and over for fun, will label itself as “Christian.” The last time i checked, Jesus taught Love and Peace not war and death. It would be kind of like a butcher labeling itself as a vegan restaurant. It just doesn’t make any sense. 

I’ve actually been banned from two so called “Christian” COD: Black Ops gaming servers. One of the servers actually had some douchebag “preaching” from the bible while we were all killing each other.  I casually pointed out it was a bit of an oxymoron to preach about love and peace while pretending to violently kill each other. I was instantly kicked and banned without so much as a warning. So much for forgiveness huh? 

No rack ears for that switch? That’s okay. Just tie it to another switch. No one will ever notice!

Dear lord, someone get the Sheriff some help with his mac. #IconOverload

Exchange 2010 Autodiscover Issue

So the other day at work i ran into a very unusual problem with Exchange 2010 and the Autodiscover service. We discovered the problem when a user submitted a ticket claiming his blackberry wasn’t synchronizing correctly. He said his email was working fine but his contacts and calendar items were not. He also mentioned that he was getting a username & password dialog box when he opened Outlook.

We tried the usual troubleshooting. The first thing we ran into was that when he would open Outlook and enter his username and password it would immediately lock his account. (Still not sure why. Could be related to this problem discussed below. Not really sure) We logged into his account from another workstation and had the same issues. Just for fun, we logged onto his workstation with a valid test account and didn’t have any of the above problems.

One of the things we noticed when setting up his Outlook profile on the test workstation was that for some reason Outlook wasn’t able to autoconfigure his profile using Autodiscover. We tested this on a few other computers and got the same result. When we would try the same thing as a test user (or any other valid user) autoconfigure/autodiscover worked fine. The autodiscover service didn’t like his account for some reason. 

So now i went from thinking there’s something wrong with this guy’s account to there’s something wrong with AutoDiscover in general. I immediately pulled up the EMS and ran a Test-OutlookWebServices test on his account. (Test-OutlookWebServices -Identity:[username]) I got the following result:

Obviously we have a problem here. Fearing we might have a larger issue on our hands, I immediately tried the same command on a few other users and found that Autodiscover was working for most of our users but not for all. The issue only seemed to affect certain people. 

Upon examining the results of the OutlookWebServices test a bit further, one particular error stood out. “Autodiscover returned the error: 603:The Active Directory user wasn’t found.” I went straight to the source of all knowledge, Google, and looked the error up. Unfortunately there wasn’t much to be found. The two things i did find suggested that the only solution they knew of was to disable the user’s mailbox, delete their AD account, recreate the AD account, and then reconnect the mailbox. They claimed this fixed the issue but also said that they had no idea why this fixed the problem. 

Seeing as i really hate solutions to problems that offer no explanation as to WHY the problem occurred or WHAT fixed the problem, i kept looking.

The first thing i did was pull up AdExplorer (ADSIEdit works too) and look at the AD account of one of the affected users. One of the first things i noticed was a key called “msExchDelegateListBL” that contained a link to several AD users that no longer had exchange mailboxes. 

Ahah! So it appears that Exchange/Outlook is trying to connect to those mailboxes even though they’ve been deleted. This is the problem! You see, our standard practice when asked to deactivate an account is to delete the mailbox but keep the AD account. I really don’t know why we do this but that’s the policy. So it sounds like Exchange isn’t cleaning up after itself when we delete or disable mailboxes. (Pesky M$ bugs…)

To fix the problem, the first thing i tried was opening the key and removing the non-existent mailboxes. I promptly received the error “Unable to update attribute: A constraint violation occured.” After another google search i found out that the msExchDelegateListBL attribute (BL meaning back link) is linked to the msExchDelegateListLink attribute. So in order to remove the entries from the msExchDelegateListBL attribute of the current user you have to open the AD account of the user mentioned and remove the entry from that user’s msExchDelegateListLink attribute. This will remove the entry from the original user in question. 

As soon as i removed the links to non-existent accounts, Autodiscover magically started working again, the outlookwebservices test stopped erroring, the user’s blackberry began syncing contacts and calendar items and we were able to configure his Outlook profile via autoconfiguration/autodiscover. (The username and password dialog also stopped showing up.) Problem solved!

The last thing i did, to ensure that this problem didn’t exist/happen to anyone else, was an ldifde dump for all of the AD accounts that no longer have mailboxes but still exist in AD. (We move all of these types of accounts to a specific OU so it was fairly easy) I then filtered the results for any accounts that contained data in the msExchDelegateListLink attribute. Fortunately there were only a handful so I was able to go through those accounts and remove the links.

Anyways, the main reason for writing this is to put it out there on the interwebs for others to find. I wasn’t able to find a definitive solution to this problem that both fixed the issue and explained why it occurred. I hope this post sheds some light on the problem and helps those of you who are having the same issue get it resolved. Hopefully Microsoft squashes this bug in an update sometime soon. 
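The audit described above (accounts that kept their AD object but lost their mailbox and still carry msExchDelegateListLink), written as an added PowerShell example rather than the ldifde dump the post used; it is not the author's script. Assumptions: the ActiveDirectory module is available, the OU distinguished name is a placeholder, the function name is hypothetical, and an absent homeMDB attribute is taken to mean the account has no mailbox.

```powershell
# Added example: report (and optionally clear) stale msExchDelegateListLink values.
Import-Module ActiveDirectory

# Placeholder: the OU where mailbox-less accounts are parked. Replace with your own DN.
$DisabledOu = 'OU=Disabled Accounts,DC=example,DC=com'

function Get-StaleDelegateLink {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase
    )

    # Users that still hold the forward link but have no mailbox.
    # Assumption: a missing homeMDB marks an account whose mailbox was removed.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(msExchDelegateListLink=*)(!(homeMDB=*)))'

    Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter `
               -Properties msExchDelegateListLink |
        ForEach-Object {
            $account = $_
            # Each value is the DN of a user whose msExchDelegateListBL
            # back link points at this mailbox-less account.
            foreach ($linkedDn in $account.msExchDelegateListLink) {
                [pscustomobject]@{
                    MailboxlessAccount = $account.DistinguishedName
                    AffectedUser       = $linkedDn
                }
            }
        }
}

$stale = @(Get-StaleDelegateLink -SearchBase $DisabledOu)
$stale | Format-Table -AutoSize

# msExchDelegateListBL cannot be edited directly (constraint violation),
# so the fix is to clear the forward link on the mailbox-less account.
# -WhatIf shows what would change; remove it to apply.
$stale |
    Select-Object -ExpandProperty MailboxlessAccount -Unique |
    ForEach-Object {
        Set-ADUser -Identity $_ -Clear msExchDelegateListLink -WhatIf
    }
```

The AffectedUser column lists the accounts to retest with Test-OutlookWebServices after the links are cleared.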

I saw the last Harry Potter movie yesterday…

And i have to say that was the longest drawn out movie I’ve ever seen in my life. Seriously. Does it really take 11 years to tell the story of a child trying to kill the bad guy who killed his parents? I THINK NOT!

Hah. That said, the final movie was pretty good. I think splitting the final book into two movies was a bit of a cheap money grab (Sort of like the whole 3D movie thing) but then again i’m not sure i would have wanted to sit through a four or five hour movie. 

I remember seeing the first one in like… 2001 I think? My friend Daniel and I went to see the movie around midnight one weekend. (Not opening night… Too many screaming tweens) It also happened that a major winter storm was due to roll in that night. By our calculations we figured we’d be out of the movie and home before the storm actually hit. Apparently we miscalculated because when we got to the parking lot at around 2am we couldn’t see our hands in front of our face. It took us about 20 minutes to actually find our cars and then another two hours to scrape off the ice that had accumulated. The ice was so bad that for the first 30 minutes we couldn’t even get into our cars. All we had was Daniel’s pocket knife multi-tool. To make matters worse we didn’t have any gloves or heavy clothing either. It was a nightmare.

So yeah, that’s how i remember the first Harry Potter movie. A giant ice storm that almost killed me. :)

Matt Keller

Network and Systems Administrator / Geek / Gamer / Anime Enthusiast / Dubstep Fanatic / Amateur Radio Operator / A/V Nerd

