Generate a new SID on Windows Server 2008 and Windows 7

With the NewSID tool no longer supported by Microsoft for more recent versions of Windows, you may find yourself in a situation where you need to generate a new SID on a Windows Server 2008 or Windows 7 computer, and wonder which tool you need to use. I myself have run across an issue in the past in our development environment where duplicate SIDs caused a problem. Care needs to be taken when cloning Windows virtual machines, particularly if they will later be used as domain controllers.

In order to avoid any issues like this, the new preferred method to set a new SID on a Windows machine is to use Sysprep. Before running Sysprep, you may wish to verify the current SID on the system that you wish to modify. This can easily be done by running the psgetsid utility, which is part of the excellent PsTools developed by Mark Russinovich. The output of the psgetsid command can be seen below, showing the current machine SID:

Output of psgetsid before running Sysprep on Windows Server 2008 R2

Next you can run Sysprep with the following command:


Running Sysprep
On the Sysprep screen, make sure that you tick the ‘Generalize’ tick box as shown below:

Choose settings for the System Preparation Tool

 The Sysprep process will take a few minutes to run, and will automatically reboot the system if you chose to do so. On reboot, the following screen will be displayed. Click ‘Next’ to continue:


Click next to continue the Sysprep process

After the Sysprep process is complete, you can run psgetsid again to verify that a new SID has been generated for this computer:

Output of psgetsid after running Sysprep on Windows Server 2008 R2
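The same before-and-after check can be scripted. This is an added example, not part of the original post: it derives the machine SID from the built-in local Administrator account (machine SID plus RID 500) and compares it with a value saved before Sysprep. The function name Get-MachineSid and the file C:\sid-before.txt are assumptions, and the script assumes the machine is not a domain controller, since a DC has no local accounts.

```powershell
# Added example (not from the original post). Works on PowerShell 2.0 and later.
# Run once before Sysprep to record the SID, and again after the reboot to compare.

function Get-MachineSid {
    # The built-in Administrator account always has RID 500, so its SID is
    # <machine SID>-500. Stripping the last component yields the machine SID.
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '^S-1-5-21-\d+-\d+-\d+-500$' }
    if (-not $admin) {
        throw "No local account with RID 500 found (is this a domain controller?)."
    }
    return ($admin.SID -replace '-500$', '')
}

$stateFile = 'C:\sid-before.txt'   # hypothetical location for the saved value
$current   = Get-MachineSid

if (-not (Test-Path $stateFile)) {
    # First run, before Sysprep: record the current machine SID.
    Set-Content -Path $stateFile -Value $current
    "Recorded machine SID before Sysprep: $current"
}
else {
    # Second run, after Sysprep: compare against the recorded value.
    $before = (Get-Content $stateFile | Select-Object -First 1).Trim()
    if ($before -eq $current) {
        Write-Warning "Machine SID is unchanged ($current). Was 'Generalize' ticked?"
    }
    else {
        "Machine SID changed: $before -> $current"
    }
}
```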



Find an Active Directory user's organizational unit (OU) using PowerShell

Have you ever forgotten which organizational unit an Active Directory user resides in? You can use ‘Active Directory Users and Computers’ to quickly find the user using the ‘Find’ function, but this doesn’t easily tell you which OU they belong to. Here is a very quick command to find the organizational unit (OU) that a user belongs to using PowerShell, where USERNAME is the username of the user you wish to examine. Simply run PowerShell, and then enter:


This will return the user's details, including the Distinguished Name of their account, which will show which OU they belong to.

Using Get-ADUser to obtain OU information

If you don’t know their username, you can use the filter option to search by first name or surname. Here is an example filtering by surname where USER_SURNAME is the user's surname:

Get-ADUser -Filter {Surname -like "USER_SURNAME"}
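To show only the container instead of reading it out of the Distinguished Name by eye, the first RDN can be stripped from the DN. This is an added example, not part of the original post: Get-ParentContainer is a hypothetical helper, the sample DNs are constructed, and the trailing wildcard on the surname filter is an addition so that partial surnames match.

```powershell
# Added example (not from the original post).
function Get-ParentContainer {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    # Remove the first RDN (the user's own CN=...). A comma inside a name is
    # escaped as "\," in a DN, so the pattern consumes either an escaped
    # character or any character that is neither a comma nor a backslash.
    return ($DistinguishedName -replace '^(?:\\.|[^,\\])+,', '')
}

# Constructed sample DNs, including an escaped comma and the default
# Users container (which is a CN=, not an OU=).
$samples = @(
    'CN=Jane Doe,OU=Finance,OU=Staff,DC=example,DC=com',
    'CN=Doe\, John,OU=IT,DC=example,DC=com',
    'CN=Administrator,CN=Users,DC=example,DC=com'
)
foreach ($dn in $samples) {
    '{0}  ->  {1}' -f $dn, (Get-ParentContainer $dn)
}

# Against a live directory (only runs where the ActiveDirectory module exists):
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter "Surname -like 'USER_SURNAME*'" |
        Select-Object SamAccountName, Name,
            @{ Name = 'Container'
               Expression = { Get-ParentContainer $_.DistinguishedName } }
}
```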

Back Up All Group Policy Objects using Backup-GPO and the Group Policy Management Console

Here are a couple of quick methods to back up all of your group policy objects in one hit. The first uses the PowerShell cmdlet Backup-GPO. On a Windows Server 2008 domain controller fire up PowerShell, and issue the following command, where C:\PATH_TO_BACKUP is the path where you want to save the backup:

Backup-GPO -All -Path C:\PATH_TO_BACKUP

The second method uses the Group Policy Management Console. Fire up gpmc.msc, and then expand your domain. Right click on ‘Group Policy Objects’ and then choose ‘Back Up All’ as shown below:

Backing up all GPOs using the Group Policy Management Console

Browse for a location to back up to, and give a description if you need one, then click Back Up and you’re done:

Choose a location and description for the GPO backup
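A backup is only useful if it is complete, so the result of Backup-GPO can be checked against the GPOs that exist in the domain. This is an added example, not part of the original post: the dated subfolder, the comment text and the manifest.csv file name are assumptions.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module
# (Windows Server 2008 R2, or Windows 7 with RSAT).
Import-Module GroupPolicy

$root   = 'C:\PATH_TO_BACKUP'
$target = Join-Path $root (Get-Date -Format 'yyyy-MM-dd_HHmm')

# Backup-GPO needs an existing folder; a dated subfolder keeps runs apart.
New-Item -ItemType Directory -Path $target -Force | Out-Null

$backups = @(Backup-GPO -All -Path $target -Comment "Backup taken $(Get-Date -Format s)")

# Compare what was backed up with what exists in the domain.
$live     = @(Get-GPO -All)
$backedUp = @($backups | ForEach-Object { $_.GpoId })
$missing  = @($live | Where-Object { $backedUp -notcontains $_.Id })

# Keep a manifest mapping each GPO to its backup ID for later restores.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

if ($missing.Count -gt 0) {
    Write-Warning ("Not backed up: " + (($missing | ForEach-Object { $_.DisplayName }) -join ', '))
}
else {
    "All $($live.Count) GPOs backed up to $target"
}
```

A GPO backup does not include the links from sites, domains and OUs to the GPO, or the WMI filters themselves, so record those separately if you need to rebuild from scratch.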



Changing logging level using the Exchange Management Shell and Exchange Management Console

In this post I will describe how to set logging levels on your various Exchange logs. Earlier, I received event id 9327, with a source of MSExchangeSA in the event log on our Exchange server that is responsible for generating the offline address list. In order to find the offending entries in the address list, it was necessary to change the logging level for OAL generator:

Event ID: 9327 Source: MSExchangeSA Task Category: OAL Generator

There are 2 methods you can use to set this. The first is via the Exchange Management Shell. You can check the current logging levels for your various Exchange logs by issuing the following command in the Exchange Management Shell:


This will list logging levels for all Exchange logs, but will also give you the identities of all of the different Exchange logs, which you will need for the next step.

Output from the Get-EventLogLevel command

In this instance, we are interested in the OAL Generator which can be found towards the bottom of the list under ‘MSExchangeSA\OAL Generator’, which is also the identity which we will need for the next command. The logging level for this entry was set to lowest:

OAL Generator showing a logging level of lowest

To change the logging level you can issue the following command using the identity that you discovered in the step above:

Set-EventLogLevel -Identity "MSExchangeSA\OAL Generator" -Level Medium

You can then verify that the new logging level has been set by issuing the Get-EventLogLevel command again:

OAL Generator showing a logging level of medium

If you feel more at home using the Exchange Management Console GUI, the same result can be achieved by doing the following. First open EMC and expand ‘Mailbox’, under ‘Server Configuration’. Next right click on the server that you want to set the logging level for and choose ‘Manage Diagnostic Logging Properties’ as shown below:

Choosing 'Manage Diagnostic Logging Properties' using the Exchange Management Console

Finally, in the ‘Manage Diagnostic Logging Properties’ screen, find the service that you are interested in and set the necessary logging level as appropriate, as shown below, then click ‘Configure’, and you’re done.

Setting the logging level using the Exchange Management Console
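Raised diagnostic logging is easy to leave switched on after the troubleshooting is over. This is an added example, not part of the original post: it records the current level, raises it to Medium while the problem is reproduced, lists the MSExchangeSA events written in that window, and then restores the original level. The Read-Host pause and the event selection are assumptions about how you would work through the problem.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the server that generates the offline address list.
$identity = 'MSExchangeSA\OAL Generator'

# Remember the level that was in place before changing anything.
$original = (Get-EventLogLevel -Identity $identity).EventLevel
"Current level for ${identity}: $original"

$start = Get-Date
try {
    Set-EventLogLevel -Identity $identity -Level Medium
    "New level: $((Get-EventLogLevel -Identity $identity).EventLevel)"

    # Pause while the offline address list is regenerated.
    Read-Host 'Reproduce the problem, then press Enter to collect events' | Out-Null

    # Show what MSExchangeSA logged while the higher level was active.
    Get-EventLog -LogName Application -Source MSExchangeSA -After $start |
        Sort-Object TimeGenerated |
        Format-List TimeGenerated, EventID, EntryType, Message
}
finally {
    # Always put the level back, even if something above failed.
    Set-EventLogLevel -Identity $identity -Level $original
    "Restored level: $((Get-EventLogLevel -Identity $identity).EventLevel)"
}
```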

Back Up a Certificate Authority in Windows Server 2008

Here are 2 manual methods to easily back up a Certificate Authority in Windows Server 2008. The first method uses the ‘certutil’ utility from the command line. Simply open ‘cmd’ and type the following, where C:\CA_BACKUP is the path which you want to save the backup to:

certutil -backup C:\CA_BACKUP

You will see something like the output shown here:

Using the certutil -backup command

Notice that you are required to enter a password for the backup file in order to keep your CA data secure. Your backup files will now be found in the location you specified.

The second method uses the ‘Certificate Authority’ console. Using this method open the ‘Certificate Authority’ console and then right click on your CA and choose ‘All Tasks’ and then ‘Backup CA’ as shown:

Choosing 'Back up CA'

The first page of the Certificate Authority Backup Wizard is displayed, click ‘Next’:

The CA Backup Wizard

Choose which items you wish to back up, and then choose a location for your backup, then click ‘Next’:

Choose a backup location

Provide a password for the backup, and click ‘Next’:

Provide a password for your backup

Click ‘Finish’ to complete the wizard and make your backup:

Complete the CA backup Wizard

As mentioned earlier, these are manual methods for backing up just the Certificate Authority data on a CA machine. You can always schedule full system state backups using wbadmin, or your chosen third party backup tool, which will also back up this information.
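The backup folder holds the CA's private key in a password-protected .p12 file, and certutil -backup does not capture the CA's registry configuration. This is an added example, not part of the original post: it locks down the folder, runs the same certutil command into a dated subfolder, exports the CertSvc configuration key alongside it, and checks that the expected pieces exist. The subfolder naming and the .reg file name are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on the CA server.
$root   = 'C:\CA_BACKUP'
$target = Join-Path $root (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Restrict the backup root to Administrators and SYSTEM before any key
# material is written; subfolders inherit these entries.
icacls $root /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# certutil expects an empty target folder, hence the fresh dated subfolder.
New-Item -ItemType Directory -Path $target | Out-Null

# certutil prompts for the backup password interactively, which keeps it
# out of the command line and the shell history.
certutil -backup $target
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# The CA's registry configuration is not part of the certutil backup.
$regFile = Join-Path $target 'CertSvc-Configuration.reg'
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Confirm the key file, database folder and registry export are all present.
$checks = @{
    'Private key (.p12)' = [bool](Get-ChildItem $target -Filter *.p12)
    'Database folder'    = Test-Path (Join-Path $target 'DataBase')
    'Registry export'    = Test-Path $regFile
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-20} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

If the CA was installed with a CAPolicy.inf file in the Windows directory, copy that as well, since neither the certutil backup nor the registry export includes it.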

Get a user's mobile device details using the Exchange Management Shell

Here is a quick command to get the details of a particular user's mobile device or smartphone, including the device ID and the time it last synced, etc., using the Exchange Management Shell. When you type the command, replace Username with the name of the user that you wish to examine:

Get-ActiveSyncDeviceStatistics -Mailbox Username | Format-List

Display mobile device statistics using get-activesyncdevicestatistics