
Office 2010/2013 admin install with Office Customization Tool

Copy Office 2010/2013 ISO contents to new folder and share
Replace contents of admin subfolder with the latest service pack version downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=35554
Run setup.exe /admin

Setup | Install Location
—————————————————-
Add organization name

Setup | Licensing and UI
—————————————————-
Enter the VLK MAK product key, accept license agreement
Display level: none
Suppress modal

Setup | Modify Setup Properties
—————————————————-
Add…
Name: SETUP_REBOOT
Value: Never
Name: AUTO_ACTIVATE
Value: 1

Features | Modify user settings
—————————————————-
Outlook | Account Settings | RSS Feeds
Synchronize Outlook RSS: disabled

Word | Word Options | General
Open email attachments in reading view: disabled

Office | Privacy | Trust Center
Disable opt-in wizard on first run: enabled
Enable customer experience improvement program: disabled

Additional Content | Configure shortcuts
—————————————————-
Add desktop shortcuts to Excel, Outlook, and Word
If you receive an error about an invalid "Start in" folder, place a single open bracket ( [ ) in the Start in field

Save the customization as 1<name>.msp and place it in the "updates" folder, e.g. Office2013\updates\1clientname.msp
The leading 1 guarantees that the MSP customizations are applied during the install, before the service pack files present in the same folder

Files not appearing in scan folder

This appears to happen most often with copiers and other devices scanning to SMB shares: a scanned document does not appear in the folder for several minutes for end users, even though on the server side it appears instantly.

Browse to the registry key below on the workstation, create a new DWORD value called DirectoryCacheLifetime and give it a value of decimal 0.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters
 DirectoryCacheLifetime = 0

Alternatively, you can create a group policy to set the registry using

Computer Configuration > Preferences > Windows Settings > Registry


Additional info: SMB2 Client Redirector Caches Explained
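Added example (not part of the original post): a PowerShell version of the registry change above that creates the value if it is missing, sets it, and reads it back to verify. It assumes an elevated prompt on the workstation; the new value takes effect after a reboot.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt
# on the workstation; the SMB2 redirector reads this value at start-up, so reboot afterwards.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Name    = 'DirectoryCacheLifetime'

function Get-DirectoryCacheLifetime {
    # Returns the current value, or $null when the value has never been created
    # (the redirector then uses its built-in default directory cache lifetime).
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-DirectoryCacheLifetime {
    param([int]$Seconds = 0)   # 0 disables directory caching, as in the post
    $before = Get-DirectoryCacheLifetime
    if ($null -eq $before) {
        # Value does not exist yet: create it as a REG_DWORD
        New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Seconds | Out-Null
    } elseif ($before -ne $Seconds) {
        Set-ItemProperty -Path $KeyPath -Name $Name -Value $Seconds
    }
    $after = Get-DirectoryCacheLifetime
    if ($after -ne $Seconds) { throw "Failed to set $Name (read back: $after)" }
    [pscustomobject]@{
        Before         = $before
        After          = $after
        RebootRequired = ($before -ne $after)
    }
}

Set-DirectoryCacheLifetime | Format-List
```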

521 Could not deliver message over TLS for domain

A recent Exchange 2010 deployment was not able to receive email over TLS, even though a valid SAN certificate (UCC) was installed and assigned as the default for SMTP services. Additionally, the server logged event ID 12014 every 15 minutes with the following message:

The error message states that a certificate for the server’s internal FQDN, rather than mail.example.com as listed on the certificate, could not be found. Since the “Default SERVER” receive connector’s EHLO name can’t be changed from the actual FQDN of the server to the external name on the certificate, the problem likely stemmed from deleting the default self-signed certificate in favor of the new valid UCC one.

Here’s how to fix it.

Open the Exchange Management Shell and type New-ExchangeCertificate
Press “n” to skip overwriting the existing default SMTP certificate when prompted.  A new self-signed certificate will be recreated with both the hostname and internal FQDN of the server.

Mail started being delivered securely via TLS encryption and the event log errors ceased.

Moral of the story is don’t delete the default self-signed certificate when installing your valid certificate!
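Added check (not part of the original post): before running New-ExchangeCertificate, confirm in the Exchange Management Shell that every receive connector’s FQDN is covered by an SMTP-enabled certificate. A connector with no match is exactly the condition that produced the event ID 12014 errors above. The cmdlets and properties used are standard Exchange 2010 ones; the function name is my own.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# For each receive connector on this server, look for a certificate that is
# enabled for SMTP and whose domain list covers the connector's FQDN.
function Test-SmtpCertificateCoverage {
    param([string]$Server = $env:COMPUTERNAME)

    $smtpCerts = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match 'SMTP' }

    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $fqdn = [string]$rc.Fqdn
        # CertificateDomains may hold exact names or wildcards such as *.example.com
        $match = $smtpCerts | Where-Object {
            $_.CertificateDomains | Where-Object {
                $_ -eq $fqdn -or ($_.StartsWith('*.') -and $fqdn -like $_)
            }
        } | Select-Object -First 1

        $thumb = $null; $self = $null; $exp = $null
        if ($match) { $thumb = $match.Thumbprint; $self = $match.IsSelfSigned; $exp = $match.NotAfter }

        [pscustomobject]@{
            Connector  = $rc.Identity
            Fqdn       = $fqdn
            Covered    = [bool]$match
            Thumbprint = $thumb
            SelfSigned = $self
            Expires    = $exp
        }
    }
}

# Any row with Covered = False is a connector whose EHLO name has no SMTP certificate;
# that is when New-ExchangeCertificate (answering "n" to the overwrite prompt) is needed.
Test-SmtpCertificateCoverage | Format-Table -AutoSize
```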

SonicWALL SSO Bypass for Windows Update

If you have a SonicWALL configured with LDAP + single sign on and content filtering, you may run into an issue where a server is not able to get out to Windows Update.  Using the SonicWALL Directory Connector diagnostic tool, a check on the server’s IP came back with a locally logged on user, specifically “Acronis Agent User” rather than the domain administrator account that was currently logged in.  This local user name was keyed into the SonicWALL’s SSO config under “User names used by Windows services”, which then allowed the Windows Update agent to successfully connect out.


WSUS Offline Automation

The following scripts and utilities will streamline the automation of pushing out Windows Updates to several machines at once without an internet connection using WSUS Offline.

1. Download PsTools and extract to X:\PsTools on your server.

2. Download the WSUS Offline zip file and extract it to X:\wsusoffline

3. Run X:\wsusoffline\UpdateGenerator.exe, select your Windows and Office Updates and click Start to generate the update folder.  This will take several minutes depending on the selections you’ve made.

4. Share the wsusoffline folder as \\SERVER\wsusoffline.

5. Create the RunUpdate.bat initiation script using the command below and save it to the server’s desktop.

RunUpdate.bat

X:\pstools\psexec.exe \\computername1,computername2,computernameN -d -u DOMAIN\user -p password -i \\SERVER\wsusoffline\update.bat
  • The -d switch tells psexec to not wait for the client to return from the script.  This allows you to update multiple machines at once, rather than one at a time.
  • The -i switch tells psexec to run the script interactively, or in other words, on the current user’s desktop, allowing you to monitor the progress of the update.bat script run (below).
  • The update.bat file is the script the workstations will run to connect to the server and call the wsusoffline updater script.

6. Create the update script that the target computers to update will run.

update.bat

@echo off
rem Map the WSUS Offline share for this session only (not restored at next logon)
net use w: \\SERVER\wsusoffline /persistent:no
w:
cd client\cmd
rem Run the WSUS Offline client updater: /nobackup skips backing up replaced files,
rem /updatercerts refreshes the root certificates
call doupdate.cmd /nobackup /updatercerts
rem Reboot 30 seconds after the updater returns so the installed updates finish
shutdown -r -t 30

7. Run the script from the server to start the update.

8. The clients will run update.bat and begin automatically installing updates, then reboot upon completion.

9. Run the RunUpdate.bat script on the server after each update and reboot cycle to fully patch the target workstations, as it will do certain updates in batches.
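Added example (not part of the original post): a PowerShell replacement for RunUpdate.bat that reads the target list from a file, skips hosts that are offline, and launches psexec with the same -d and -i behaviour. It assumes PsTools in X:\pstools, the \\SERVER\wsusoffline share from step 4, and a constructed X:\pstools\computers.txt with one hostname per line; the password is not embedded, because psexec prompts for it when -p is omitted.

```powershell
# Added example, not from the original post. Assumed paths and account below.
$PsExec   = 'X:\pstools\psexec.exe'
$Share    = '\\SERVER\wsusoffline'
$Account  = 'DOMAIN\user'
$ListFile = 'X:\pstools\computers.txt'   # constructed input: computername1 .. computernameN, one per line
$LogFile  = 'X:\pstools\RunUpdate.log'

function Get-ReachableTargets {
    param([string]$Path = $ListFile)
    # Keep only hosts that answer a ping, so psexec does not stall on offline machines
    Get-Content $Path | Where-Object { $_.Trim() } | ForEach-Object {
        $h = $_.Trim()
        if (Test-Connection -ComputerName $h -Count 1 -Quiet) { $h }
        else { Write-Warning "$h is offline; skipping" }
    }
}

function Start-WsusOfflineRun {
    $targets = @(Get-ReachableTargets)
    if ($targets.Count -eq 0) { throw 'No reachable targets in the list' }
    $list = '\\' + ($targets -join ',')          # psexec syntax: \\host1,host2,hostN
    # -d: do not wait for update.bat to return, so all targets run at once
    # -i: run on the logged-on user's desktop so the update progress is visible
    # no -p: psexec prompts for the password instead of storing it in a script
    & $PsExec $list -d -u $Account -i "$Share\update.bat"
    "$(Get-Date -Format s) started on $($targets -join ', ')" | Add-Content -Path $LogFile
}

# Step 9: rerun after each update-and-reboot cycle until no further updates are installed
Start-WsusOfflineRun
```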

SonicWALL SSL-VPN 200 locking up

SonicWALL’s SSL-VPN 200 remote access appliances have worked flawlessly for years for a number of clients until recently we started seeing a rash of lockups.  At first a power cycle was all it took to get them back up and running, but shortly afterwards they would not stay online more than a few seconds, before becoming unresponsive to all but a ping.

One unit in particular that was configured to email alerts started sending out messages every hour with the following error:

"License Manager Peer Identity failed - Check certs and time."

I then disconnected it from the network, power cycled it again and connected directly to it.  This time, it booted up just fine and allowed me to log into it.  Researching the error message from before led me to a SonicWALL article detailing possible causes for the message, one of which was:

"The License Manager server or the signature database server may not have a valid SSL Certificate."

I know SonicWALL is requiring some firmware upgrades on currently supported devices that resolve some certificate warnings, so I figured the SSL-VPN 200 was calling home and locking up during its bootup routine.  Why not disallow it from calling home?

Here’s how to fix it:

Boot the SSL-VPN 200 offline, connect a PC to the X0 port, assign yourself a static IP on the same subnet and log in to the device

Go to Network | Host Resolution
Create a new host resolution object
IP address: 127.0.0.1
FQDN: licensemanager.sonicwall.com

Save the new host, reconnect to your production network and enjoy!

Robocopy Example

The following robocopy command will transfer C:\Data to E:\Data with the following options:

robocopy C:\Data E:\Data /e /dcopy:t /sec /r:0 /np /xo /tee /log:c:\robocopy.log /mt:16
  • /e — copy subdirectories, including empty ones
  • /dcopy:t — copy directory timestamps
  • /sec — copy files with security (equivalent to /COPY:DATS (Data, Attributes, Timestamps, Security))
  • /r:0 — number of retries on failed copies: 0
  • /np — no progress (don’t display percentage copied in the log)
  • /xo — exclude older files (i.e. don’t overwrite newer files already in the destination)
  • /tee — output to console window, as well as the log file (skip if using /mt)
  • /log — output status to LOG file (overwrite existing log)
  • /mt:n — do multi-threaded copies with n threads (default 8)
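Added example (not part of the original post): a wrapper that runs the exact command above and decodes robocopy’s exit code, which is a bitmask rather than a simple pass/fail, so a scheduled copy can report whether anything was skipped. Bits 1, 2 and 4 are informational; 8 means some items could not be copied (with /r:0, a file in use counts here) and 16 is a fatal error. The function name and parameters are mine.

```powershell
# Added example, not from the original post: run the post's robocopy command and
# interpret its exit code. Robocopy returns a bitmask:
#   1 = files copied, 2 = extra files in destination, 4 = mismatched files/dirs,
#   8 = some files or dirs could not be copied, 16 = fatal error (usage or access)
function Invoke-RobocopyWithCheck {
    param(
        [string]$Source      = 'C:\Data',
        [string]$Destination = 'E:\Data',
        [string]$LogPath     = 'C:\robocopy.log'
    )
    # Same switches as the post; /tee keeps console output while /log writes the file
    & robocopy.exe $Source $Destination /e /dcopy:t /sec /r:0 /np /xo /tee "/log:$LogPath" /mt:16
    $code = $LASTEXITCODE

    [pscustomobject]@{
        ExitCode   = $code
        Copied     = [bool]($code -band 1)
        Extras     = [bool]($code -band 2)
        Mismatches = [bool]($code -band 4)
        Failed     = [bool]($code -band 8)
        Fatal      = [bool]($code -band 16)
        Success    = ($code -lt 8)      # 8 or above means something was not copied
        LogPath    = $LogPath
    }
}

$result = Invoke-RobocopyWithCheck
$result | Format-List
if (-not $result.Success) {
    Write-Error "robocopy exit code $($result.ExitCode): check $($result.LogPath) for the items that failed"
}
```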