Management Server Maintenance Mode in SCOM 2012

Another nice enhancement in SCOM 2012 !

In SCOM 2007 (R2) you had a problem when you put  your RMS into Maintenance Mode,

because this meant the workflow ‘Stop Maintenance Mode’ which ran on the RMS,

was actually unloaded 🙂

So this meant your RMS actually would never come out of Maintenance Mode ;-(

You had to manually get it out of Maintenance Mode, normally using the “End Maintenance Mode” Console Task.

In SCOM 2012, because of its more distributed architecure, the “Stop Maintenance Mode” workflow will actually be moved to another Management Server, when the MS that currently runs this, is put into Maintenance Mode.

The only thing you need to do, is make sure you never put more then 50% of your Management Servers into Maintenance Mode, because this makes your Resource Pool unusable.

Here’s a slide from the CEP Presentation I attended:






So yet another nice new feature to expect!

Add Permissions on Files and Folders using PowerShell

Seems very simple, but I had to puzzle a little to get it working,

here’s a small function I came up with, maybe it will save you some time,

it will Add  permissions, not replace the ACL.


Function GrantFullControl ($File)


 $acl = $file.GetAccessControl()

$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule (“Administrators”,”FullControl”,”Allow”)




So you can call it like this:

$MyFile = Get-ChildItem “Myfile.txt”

GrantFullControl $MyFile


Handy Operations Manager 2012 Control Panel applet

I’ve started to evaluate the recently released SCOM 2012 Beta.

I took a look at a new Agent side feature, a Operations Manager Agent Control Panel applet, to be found under  the ‘System and Security ‘ node:

When the applet is opened you see a list of all configured Management Groups for the Agent:

Here you can Add/Edit/Remove Management Groups.

In the ‘Edit…’ Mode you can change the Action Account easily.

You can also enable/disable the ‘Automatically update management group assignments from AD DS.

When disabling this the applet will ask you for confirmation to remove the AD Assigned Management groups:

When manually adding a Management Group, you can easily configure settings in one windows as following:

In short: A handy new Agent feature, that enables you to quickly and clearly configure Management Group assignments on an Ops Mgr Agent.

Crashing Spoolers ? Printer Driver Isolation is coming!

Another nice 2008 R2 feature, I hadn’t paid attention to yet, is Printer Driver Isolation.
If, like me, you have (non pleasant) experiences with crashing Spoolers,
especially notorious on Terminal/Citrix Servers or high volume Print Servers with loads of diffent (3rd party) printer drivers,
you will probably be delighted by this new feature!
I haven’t seen it used in a production environment yet, but from what it looks like, it’s very promising.
Here’s some history of using Printer Drivers in the Real World:
In the Old Days (Pre W2K), Printer Drivers (called version-2) used to run in Kernel mode and could easily BSOD a printserver.
Beginning with W2K, Version-3 Printer Drivers were introduced, which run in User-Mode and can not BSOD a server,
“only” the Printing Subsystem (=Spooler Service=spoolsv.exe) in which the drivers were loaded.
As you probably know this is still a major concern for Print Servers, on which a spooler crash can have large impact,
if it hosts hundreds or even thousands of Print Queues, or if it happens regularly in Citrix farms where dozens of
users can be working on a server at the same time.
In Windows Server 2008 R2 (and Windows 7), Printer Driver Isolation (PDI) is introduced,
which means a bad behaving Printer Driver can only affect itself!
The isolation can be configure on a Per Driver basis, in three modes:
"None – in this mode, print driver components are loaded into the spooler process.  This is essentially the model found in previous versions of Windows
Shared – multiple drivers that are set for isolation are loaded into a single shared process space that is separate from the spooler process (PrintIsolationHost.exe) .  Although this protects the spooler process, the drivers that are in shared mode can affect one another
Isolated – each driver is loaded into its own process space.  This protects the spooler from individual driver failures, and also protects drivers from each other "
Basically the idea is this, at least this is probably how I would set it up:
-Run all well behaving drivers as ‘Shared’ (default)
-Run bad drivers as ‘Isolated’ if no suitable replacement is available
-Don’t run drivers in ‘None’, if necessary move those to separate server if you want a stable solution !
One approach for new drivers would be to start them off as ‘Isolated’,
and when proven innocent, ‘upgrade’ them to shared.
(The shared mode saves system resources as fewer isolation processes are needed).
On systems that don’t host a lot of print queues you could consider running them all isolated,
if resources are a non-issue.
Not all drivers will support isolation, I hope all companies that create Windows printer drivers will make them
compatible asap, so we can use it for all printers, to prevent problems, and have more control over our Print Servers.
The global settings can be managed using GPO, where you can disable or enable PDI,
and configure compatibility settings (override behaviour of compatible and incompatible drivers).
The PrintIsolationHost processes are only started when needed.
And there are registry settings that you can use to configure timeouts for the processes,
especially an option for restarting the Isolated processes after a certain amount of time,
so you can even handle drivers that are known to leak memory!
Of course, you shouldn’t use these, that’s why I said in the ‘Real World’ above 😉
There are often political, financial, historical or other non-technical reasons,
that some printers and especially their drivers have to be used, most of you probably know this.
At least know you have a way to handle these!
O yeah, the isolation settings are set per driver, and you can do so using the update PMC (Printer Management Console):
Have fun!


Use PowerShell to enumerate info from your Certificate Server

To enumerate certificate info from your Certificate Server using PowerShell,
there’s a COM interface you can use to collect it.
This script was based on the VBScript you can find at:

Thanks to Steve Patrick (Spat)  from Microsoft and his excellent blog post for the example!


The script below returns output in a csv file format you can save to file and use to process the info further,

but as always feel free to customize or comment…

Function Get-CertInfo($server) {
$CaView = New-Object -Com CertificateAuthority.View.1
$Index0 = $CAView.GetColumnIndex($False, "CommonName")
$Index1 = $CAView.GetColumnIndex($False, "Email")
$Index2 = $CAView.GetColumnIndex($False, "NotAfter")
$Index3 = $CAView.GetColumnIndex($False, "Country")
$Index4 = $CAView.GetColumnIndex($False, "Organization")
$Index5 = $CAView.GetColumnIndex($False, "OrgUnit")
$Index6 = $CAView.GetColumnIndex($False, "DistinguishedName")
$Index7 = $CAView.GetColumnIndex($False, "Disposition")
$RowObj= $CAView.OpenView()
$Cert= $Cert + $srv + ","
$ColObj = $RowObj.EnumCertViewColumn()
Do {
$Cert = $Cert + $ColObj.GetValue(1) + ","
} Until ($ColObj.Next() -eq -1)
Clear-Variable ColObj
} Until ($Rowobj.Next() -eq -1 )
Return $Cert

Starting Out

I’m going to use this Blog to write hopefully interesting stuff for you guys out there
who like me work as an IT Pro and often use the Internet as a huge knowledge base
trying to create solutions or fix or even better -prevent- problems..
I do this for a living and these days I work a lot with Windows Server, PowerShell and lots of other Microsoft products.
When I find some stuff worthy or useful enough to mention on the blog, I will post it for other IT folks to find