Month: June 2010

Exchange 2010: How to prohibit some users/Group from sending emails outside the organization

I received a request to limit some users to sending and receiving internal emails only, as these users are not allowed to send or receive emails from outside the organization.

The users are already grouped in a group called: deny_outside_email


Since we are using Exchange 2010, there’s no need to get down to denying permissions on connectors as we used to do in the Exchange 2003 days.

A couple of Transport Rules are enough to get the work done:

  • To prohibit sending to External Domains:


  • To prohibit receiving from External Domains:
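
One way to express these two rules in the Exchange Management Shell, as an added example rather than the author's original rules. The rule names and rejection texts are assumptions, and the group is assumed to be mail-enabled so that the transport rule predicates can resolve its members.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2010 server.
# Assumption: deny_outside_email is a mail-enabled group (distribution group or
# mail-enabled security group); rule names and rejection texts are illustrative.
$group = 'deny_outside_email'

# Rule 1: members of the group may not send to recipients outside the organization.
New-TransportRule -Name 'Block outbound - deny_outside_email' `
    -FromMemberOf $group `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'You are not permitted to send email outside the organization.'

# Rule 2: senders outside the organization may not deliver to members of the group.
New-TransportRule -Name 'Block inbound - deny_outside_email' `
    -FromScope NotInOrganization `
    -SentToMemberOf $group `
    -RejectMessageReasonText 'This recipient does not accept email from external senders.'

# Confirm that both rules exist and are enabled, and review what they match.
Get-TransportRule |
    Where-Object { $_.Name -like '*deny_outside_email' } |
    Format-List Name, State, Priority, Conditions, Actions
```

Test with one member of the group in each direction before relying on the rules, since a group that is not mail-enabled will not match.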



Hack to Remove/Uninstall Symantec Norton Antivirus (SAV) Client without Password

(not tested by meh)

Norton AntiVirus clients and Symantec AntiVirus clients, especially Corporate Edition clients, can be installed as a managed network setup type by a Symantec AntiVirus Server. When a Symantec AntiVirus client is managed, it prompts for a password when the client is uninstalled through the local computer's Control Panel Add or Remove Programs applet. If you don’t know or have forgotten the password, the client cannot be uninstalled or removed. The server group password will not work as the SAV client uninstall password either: if you enter that password, you will receive an invalid password message.

The client uninstallation password is different from the server group password, and the administrator can set it through the Symantec System Center for a managed client. If the client uninstallation password has not been set or changed specifically, it will still be the default password. Thus, the first thing to try in order to uninstall a Symantec Client Security program is the default client uninstall password, which is symantec.

In cases where the Symantec AntiVirus server has been taken down and no longer exists, or the client computer has no access to the company network, or the default client uninstall password does not work, the following hack will enable you to remove Symantec AntiVirus without using a password:

1. Open Registry Editor (regedit).
2. Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Administrator Only\Security\
3. Change the value for useVPuninstallpassword key from 1 to 0.
4. Exit Registry Editor and now you can uninstall Symantec AntiVirus Client.

The trick should work on most versions of the Symantec AntiVirus client or Norton AntiVirus client, including version 7, 8, 9 or 10.
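
Because a single registry value switches the uninstall password check off, that value is worth auditing on managed endpoints. The following is an added example, not part of the original post: the key path and value name are the ones given in the steps above, while the function name and the Wow6432Node variant of the path are assumptions.

```powershell
# Added example: report whether the SAV uninstall-password check is still enforced
# on this host. Key path and value name come from the steps above.
$valueName = 'useVPuninstallpassword'
$keyPaths = @(
    'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Administrator Only\Security',
    # Assumption: a 32-bit client on 64-bit Windows is redirected under Wow6432Node.
    'HKLM:\SOFTWARE\Wow6432Node\INTEL\LANDesk\VirusProtect6\CurrentVersion\Administrator Only\Security'
)

# Hypothetical helper name; emits one object per key that exists on the host.
function Get-SavUninstallProtection {
    foreach ($path in $keyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $item = Get-ItemProperty -LiteralPath $path -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $value = $null
            $state = 'ValueMissing'
        } else {
            $value = $item.$valueName
            # 1 = password required to uninstall; anything else = check disabled.
            $state = if ($value -eq 1) { 'Enforced' } else { 'Disabled' }
        }

        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Key      = $path
            Value    = $value
            State    = $state
        }
    }
}

$results = @(Get-SavUninstallProtection)
if ($results.Count -eq 0) {
    Write-Output 'SAV security key not found on this host.'
} else {
    $results | Format-Table Computer, State, Value, Key -AutoSize
}
```

A state of Disabled on a client that is supposed to be managed is a reason to check who changed the value and whether the antivirus client is still installed and running.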


Create Antivirus Reports Using Symantec Antivirus Corporate Edition

“First off, credit where credit is due! I got most all of this info compliments of Chris Mosby! Thanks, Chris!

This is a quick overview of how I capture AV alerts that are generated by my managed AV clients using the Alert Management System (AMS) that is included with the AV “Parent” installation. It assumes the reader has a basic understanding of that tool, including its setup and configuration.

Background: Any seasoned Symantec AV admin is very familiar with the SSC. We see all those bright red icons alongside our clients on a regular basis. Trying to find out exactly which virus (or virii – is that a real word??) is the root cause of the problem is the real challenge. Enter AMS and a Microsoft tool called EventCombMT!

Requirements: AMS must be installed on at least one server in the Symantec group. This is the Parent server that will now assume the task of collecting and forwarding the red alerts generated by clients assigned to (or under) this folder. You also need a system to designate as the recipient of the events collected by AMS.


Configure AMS to generate an alert based on VIRUS FOUND. Configure this alert action to “Write to EVENT Log”. Specify the desired machine to receive these alerts. Be sure to configure the Application Event Log on that system to be large enough to hold all the data that will be sent from AMS.

Download and install EventCombMT from Microsoft DOWNLOADS page at:

This tool is used to parse the designated event log to retrieve desired alerts, and write the results to a delimited text file. Configure the tool to pull alerts from the source “Intel AMS II”. (TIP: once configured and tested, SAVE your search setup for future use!)

Once you have AMS set up and sending alerts to the event log of the designated system, and EventCombMT is pulling in the desired data as expected, fire up Excel!


1. Run EventCombMT
2. Open Excel and import the comma-delimited TXT file created in Step 1
3. Delete columns A-E (they are junk)
4. Do a SEARCH/REPLACE using [space][space] as the source; and a “comma” as the replacement. Replace ALL
5. Select Column “A”
6. Select DATA/Text-to-Columns tool
7. Select data type DELIMITED/Comma; then
8. Select column “E” – format as data type DATE (mm/dd/yyyy)
9. Select column “F” – Format as data type TIME (hh:mm:sec AM)
10. Deal with any overflow into column “I” – delete data or edit USER name info and move into adjacent column value in column “H” (I simply delete it as needless info)
11. ADD a row “1” for column headers
13. Create a PIVOT TABLE report
    a – select DATA/Pivot Table & Chart Report to launch the wizard
    b – on screen 1 of 3 in the wizard
    c – Select (or verify that it’s already selected) the entire worksheet data range on screen 2 of 3
    d – Select a location for the pivot table result set. I use cell “I2” in the current worksheet
    e – Select “Layout” button on screen 3 of 3
    f – drag the object “VIRUS” (assuming this is the name you gave the virus name column) to DATA area to get a COUNT of each virus; and to the ROW location to get the virus name into the result table
    g – click on 3 of 3 to place the pivot table into cell I2, and the resulting chart into a new worksheet
14. Doctor up the chart as desired (Bar, pie, etc)

You are DONE!! I suggest capturing this data on a weekly and monthly basis. When the desired data is collected into Excel, feel free to purge the original event log entries from the designated machine to keep the log size to a manageable size, for example on the 1st of the month. You can then start collecting data anew for the next month”


Change Default Location of the i386 Folder

1. Open the registry editor and go to

2. Highlight the Setup folder.

3. On the right pane, locate the SourcePath.

4. Double-click the SourcePath and replace the drive letter in the box to C:\ (if you copied the files to your C:\ drive). Make sure it’s C:\ and not C:\i386.

5. Close the registry editor.

6. If the system ever needs files from the i386 folder, it will automatically look in the C:\i386 folder.

Disable Printer Sharing (Redirection) When a Client Connects to a Server Using RDP (Remote Desktop)



On the server(s) (that aren’t terminal servers), open the Terminal Services Configuration MMC from the Start Menu and open the properties of the RDP-Tcp protocol. On one of the tabs there, probably “Client Settings”, you can define which client devices are mapped when an RDP client connects. You can uncheck the printer connection there and won’t be bothered ever again with the event id.


Solution 2:

You could create a GPO that disables printer mapping and apply it only to the servers you do not want printers mapped to. The setting is located under Computer Config, Admin Templates, Windows Components, Terminal Services, Client/Server data redirection. The setting itself is called “Do not allow client printer redirection”; set it to Enabled.