Skip to main content

Posts

Showing posts from 2010

Happy New Year!!!

Thank you to all my clients who have made 2010 such a good year.  I’m looking forward to spending 2011 with all of you.

How to mount a VHD in Disk Management

To complete this you will need a Windows 7 or Windows Server 2008 R2 client available. Click Start and type Disk Management . In the menu, click Create and format hard disk partitions .  This will open up Disk Manager Click Action \ Attach VHD Next, enter the location of your VHD file and click OK Notice that you can check the box to mount the VHD in Read-only mode. The drive will be loaded and you can open it just like it was an actual hard drive.

Using SConfig to set IP address on Server Core 2008 R2

Microsoft gave us a nice tool to use with the release of Windows Server 2008 R2 when working with server core. To set the IP address on Server Core 2008 R1, you would have to follow this procedure: · Type netsh interface ipv4 show interfaces · Press Enter · Record the name of the interface you want to set a static IP address for. Sample output is below. Idx Met MTU State Name --- --- ----- ----------- ------------------- 3 5 1500 Connected Local Area Connection · Type netsh interface ipv4 set address name=3 source=static address=10.10.1.10 mask=255.255.0.0 · Optionally, you can add a gateway address by appending gateway= address to the end of the command. · In the Name parameter, we used the Idx value. We could have also typed “ Local Area Network” . The above method still works if you need to batch file something. Now with the R2 version, you can use a menu based system thanks to SConfig . On you Server Core 2008 R2, log in and type sconfig . Press 8...

RSAT (Remote Server Administration Tools)

For Windows Server 2000 and 2003, the installation media contained a support tools folder that allowed us to install the server management software on our clients. From Windows Server 2008, you need to download them. Below are the links to RSAT for both Vista and Windows 7. Remember to down load the correct version for both OS and processor. Below are the installation instructions from Microsoft. 1. On a computer that is running Windows 7, download the Remote Server Administration Tools for Windows 7 package from the Microsoft Download Center. 2. Open the folder into which the package downloaded, and double-click the package to unpack it, and then start the Remote Server Administration Tools for Windows 7 Setup Wizard. Important: You must accept the License Terms and Limited Warranty to start to install the Administration Tools pack. 3. Complete all the steps that you must follow by the wizard, and then click Finish to exit the wizard when installation is completed. 4. Cli...

Change Server Core 2008 R2 Windows Update Settings

In Server Core 2008 R1, this was a bit of a mess.  Microsoft provided us with a script.  We had to type: Cscript c:\Windows\system32\scregedit.wsf /AU 4 to turn Automatic updates on. To turn them back off we had to type Cscript c:\Windows\system32\scregedit.wsf /AU 0 . With R2, we have an easier method.  Type sconfig and press Enter Press 5 for Windows Update Settings . Press A for Automatic or M for Manual . You will receive the prompt above to let you know that you disabled Automatic updates or, you will see the one below if you turned them on.

How to tell how long it has been since a computer logged in with PowerShell

This is an easy one liner in PowerShell. Open PowerShell V2. Once open, we need to access the Active Directory objects by typing Import-Module ActiveDirectory . Now Type Get-adcomputer –filter * -properties lastlogondate | Where {$_.LastLogonDate –le [DateTime]::Now.AddDays(-7)} We first use the Get-ADCopmuter cmdlet to access the computer objects in Active Directory. Setting –filter * allows us to work with all the computer objects. Next we added the –properties LastLogonDate . This is done because that attribute is normally now returned with the object. Second, we piped the output of the first command to the Where cmdlet. The $_.LastLogonDate variable looks at each input one at a time and grabs the LastLogonDate attribute for analysis. We then compare it to [DateTime]::Now.AddDays(-7) This command gets the current date/time from the host and subtracts 7 days from it. We then use the –le comparision operator (Less than or equal to) to determine if the dat...

Will a file screen look inside a .ZIP file?

From my testing, it does not. I set up a file screen to prevent .TXT files from being copied into a folder. In another folder that was not screened, I created two text files and then sent them to a compressed (.zip) file. I was able to copy the .zip file to the screen folder. To help prevent blocked files from being saved to restricted locations, you may want to consider also blocking .ZIP files.

Making sure your OUs have Deletion Protection

Deletion Protection is a feature that prevents an OU from being accidently deleted.  This is a feature of Windows Server 2008.  For those servers upgraded from Windows Server 2003, Deletion Protection is not turned on.  Until now the only way to turn on the Deletion Protection is manually.  Well, now you can use PowerShell V2 to take care of this for you. Windows PowerShell V2 comes installed on Windows 7 and Windows Server 2008 R2. For previous versions of Windows, you can download PowerShell V2 from here: http://support.microsoft.com/kb/968930 You will also need to make sure the Active Directory Module for Windows PowerShell is installed.  This can be found as a feature in the Remote Server Administrator Tools . The First step is to launch the PowerShell environment.  If you do not have an icon on the screen, you will find it is  Start \ All Programs \ Accessories \ Windows PowerShell \ Windows PowerShell Once the Shell loads, you need ...

How to prevent users from shutting down the PC

There may be situations in which you do not want to allow a user to shut down a client. This is an easy one to fix. In Group Policy expand User Configuration \ Policies \ Administrative Templates \ Start Menu and Taskbar . Enable the policy for Remove and Prevent access to the Shut Down , Restart, Sleep, and Hibernate commands . Or you can set it in the local policies on the client. User Configuration \ Administrative Templates \ Templates \ Start Menu and Taskbar . Enable the policy for Remove and Prevent access to the Shut Down , Restart, Sleep, and Hibernate commands .

Rename a Server Core 2008 R2 Server

This is now a very easy task over the R1 version.  The R1 method involed using the NETDOM command.  It went something like this: netdom RenameCOmputer Old-Name /NewName:New-Name you then had to manually reboot the machine by typing Shutdown /r /t 0 . In Server Core 2008 R2, you can use the sconfig command. Log into your server core server. Type sconfig and press enter . Type 2 for Computer Name: and the press Enter . Enter the computer name and press Enter . You will then be asked for the username of a user who has the rights to change this servers name and then press Enter .. A new window will open up asking for that users password.  Enter it and press Enter . You will need to click Yes to reboot the server.

How to clear the print queue when the user logs off (Domain Version)

A common problem with using a client that multiple users log into is that a sensitive document could be stuck in the local print queue. With law suit heavy lawyers running around, you do not want to put your organization at risk. The below procedure will help to mitigate this issue. (Note: The following procedure is performed and tested on Windows 7) This procedure will set up your clients to clear their print queues when a user logs off. This prevents the printer from coming online and printing sensitive information when another user logs on. On your Windows 7 client, click , type Notepad and press Enter . Copy and past the following code: net stop spooler del %systemroot%\system32\spool\printers\*.shd del %systemroot%\system32\spool\printers\*.spl net start spooler Click File \ Save As In the Save as Type: dropdown box, select All FIles . In the File name: box, type C:\DeletePrinJobs.cmd . In a production environment, you may want to put this somewher...

Can you use a file screen to prevent files from being redirected?

Yes you can. The scenario here is we have set up our clients, through Group Policy, to redirect the desktop to a server. I have also set up a files screen on the shared folder that will host the data. This file screen is configured to block .TXT files. When the user tries to create a .TXT file on their desktop, they are prevented from doing so. Below is the setup procedure to do this. Step 1: configure the folder to hold the user data. I created a folder on my server Next I shared it by right clicking the folder and selecting Properties .   Click Advanced Sharing . Click Permissions . Click Add In the Enter the object names to select box, type Authenticated Users and click Check Names. Click OK Click Authenticated Users Check Full Control . Click OK Click OK Click Close The folder is not set up for your users to have their desktops redirected to this location.   Step 2 We now need to create the Group Policy that will redirect the use...

How to require a password to unlock the SAM database

Windows already protects your account passwords by first storing only a hash of the password, and then encrypting that hash.  You an increase protection of the database by either removing the SAM database encryption key to removable media, or by requiring a start-up password to unlock the database.  A word of caution, you will need a trusted administrator at the console of the server when you restart it to insert the media or type the password.  This document looks at setting up a password to unlock the SAM Database   On you Windows Server or client, click Start. Type SYSkey and press   Enter If User Access Control (UAC) is enabled, you may need to provide the proper credentials. Encryption Enabled should already be selected for you.  Click Update . Select Password Startup . Provide and confirm the password you want to lose. Warning: If you lose this password, you lose access to this computer. Click OK . Click OK at the confirmatio...

Basic Baseline of a Server

A server baseline allows us to so how changes we make to our servers affect the performance of the server. it also allows us to be, dare I say “proactive” in managing our servers. Creating a baseline involves collecting data that could lead to a bottleneck. A bottleneck is a point in the path that data travels in which it has to wait. If your data is stuck, so are your users. The data the you need to collect for a baseline will vary depending on what you have on that server. This document covers just the basics. For a basic baseline, we need to look at 4 areas: Processor, Network Interface Card (NIC), RAM, and the hard drives. We will be using the Windows Performance Monitor to collect this information for us. A baseline is taken over a period of time. Because of this, we will be using the Data Collector Sets in the Performance Monitor to do our collection. To start the Performance Monitor, click Start , type Perfmon and press Enter Expand Data Collector Sets . Right ...

How to Add Server Core 2008 R2 to a domain

This task is now much easier than it was in Server Core 2008 R1. First, log into server core. Type Sconfig and press Enter . Press 1 for Domain/Workgroup and press Enter Press D for Domain and then press Enter . Type the name of the domain that you want to join. Type the name of a user account in that domain that has the rights to add clients to the domain. A new Window will open up to ask you for the users password and then to confirm it. Once joined to the domain, type 11 to Restart Server . You should now see this server core as part of your domain.

Where are the GPO settings for a printer GPO created in Print Manager?

On a Windows Server 2008 Server with the Print and Document Services role installed, you can deploy printers via group policy. The question in class is where in group policy is this stored. By opening the Group Policy Management program and selecting the GPO you created to deploy the printer, you can see the changes made. With the GPO selected, click the Settings tab. You should see something like the image below. To see the changes in Group Policy, open the GPO itself. Expand User Configuration \ Windows Settings \ Deployed Printers Above you can see the deployed Canon printer.

How to determine the effective Fine Grain Password Policy on a user account.

When your domain is at least at Windows Server 2008 R1 level, you have the option of using Fine Grain Passwords.  In previous implementations of a Windows domain. You were given only only password policy for every users.  This was the policy stored in the Default Domain Policy GPO.  Now you can have users of different security groups have different password policies that are more fitting to the security of their positions and the data they have access to.  One problem that comes up is when a user is a member of multiple security groups, all of which have different PSOs (Password Settings Object – aka Fine grain password policy) assigned to them.  The Precedence value assigned to each PSO determines the one in effect.  Of all the PSOs the user recieves from their respective PSOs, the User Object only uses the PSO with the lowest precedence value.  Here is how to determine which one a user account is using.   On your Domain Controller, open Ac...

Setting Remote Desktop Encryption Levels

The following article has instructions on how to set the encryption level for your clients. Below is an excerpt. http://technet.microsoft.com/en-us/library/bb457106.aspx Setting Encryption Levels Data encryption can protect your data by encrypting it on the communications link between the client and the Windows XP Professional–based computer. Encryption protects against the risk of unauthorized interception of transmitted data. By default, Remote Desktop sessions are encrypted at the highest level of security available (128-bit). However, some older versions of Terminal Services client software do not support this high level of encryption. If your network contains such “legacy” clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client. There are two levels of encryption available: · High This level encrypts data sent from the client to the remote computer and from the remote comput...

Conserve Bandwidth when using the Droid 2 Mobil Hotspot.

One of the disadvantages of my job is that I have a constant need to access the internet.  In most locations that I go to, I usually can find a hot spot.  On occasion, I find myself without a connection.  This posses a few problems. My mother lives in a one blinking stop light town.  Internet?  Hey, we are lucky to have electricity here.  Well, tonight I am blogging from Mom’s house.  I have my new Google Droid 2 phone with its mobile hot spot on.  AWESOME!  Yes, I know.  I’ll probably be kicked off the Microsoft Born To Learn blog list for owning one.  Sorry Bill. I was holding out for a Windows 7 phone but I my old smart phone was being held together by tape. Now, for the down side.  You get 2 GB of data per month on the hot spot for $20…and then they begin to charge you more.  Being the power user that I am, I need to squeeze as much data as I can out of this phone.  I decided to try a trick that I learned years ...

Does IPCONFIG /FLUSHDNS do anything other than clear the cache?

According to Microsoft Documentation, no it does not.  Below is a list of the functions of IPCONFIG.  Noticed that FlushDNS only clears the cache. /all : Displays the full TCP/IP configuration for all adapters. Without this parameter, ipconfig displays only the IP address, subnet mask, and default gateway values for each adapter. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. /renew [ Adapter ] : Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the Adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters. /release [ Adapter ] : Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP...

When using WET, dos it transfer your credential manager data?

You can use User State Migration tool to migrate your Credential Manager data. To do this you are going to have to create a Custom.xml file. The following link gives you more information on how to create a custome XML file for USMT: http://technet.microsoft.com/en-us/library/cc749416(WS.10).aspx#Creating . The link below gives you an example of a custome.xml file: http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/ab8d6d70-9d1b-419c-8149-37387d4eba6d In our case, we are interested in the following line: < component displayname = " Microsoft-Windows-Credential-Manager-DL " migrate = " no " ID = " http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-credential-manager-dl/microsoft-windows-credential-manager-dl/settings " /> component > By setting the Migrate=”yes” option, your credential manager will migrate.

What does 2>&1 mean in Powershell?

In class 50025, we noticed some odd code on page 9-2. This code 2>&1 did not come with any good description. It is a redirection operator. Below is some information on the different Powershell redirectors. > Redirects output to specified file. If the file already exists, current contents are overwritten. >> Redirects output to specified file. If the file already exists, the new output is appended to the current content. 2> Redirects error output to specified file . If the file already exists, current contents are overwritten. 2>> Redirects error output to specified file. If the file already exists, the new output is appended to the current content. 2>&1 Redirects error output to the standard output pipe instead of to the error output pipe.

If you restrict a user to a single session, what happens if they log into another computer?

In class, I performed a quick demonstration using Remote Desktop Services in Windows Server 2008 R2. I set up a Remote Desktop Server and applied a Group Policy that restricted the users that logged into this Remote Desktop Server to a single session. The policy was located at: Computer Configuration / Policies / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Sessions / Connections / Restrict Remote Desktop Services users to a single Remote Desktop Services Session Once this policy was enabled, users were restricted. To test what happens when they connect on two different clients, I use the Remote Desktop Connection on two separate Windows 7 clients. On the first connection, I created a folder on the desktop so we can confirm that a single session was being used. I connected on the second client, and we saw the desktop with the folder. I then went back to the first client and we were notified that the Remote Desktop Session was ...

Getting Server 2008 to return a PING

Windows Server 2008 is deployed in a secured configuration.  As a result, a basic troubleshooting, the PING command, is not able to function.  This is a simple fix involving the firewall.  This article will focus on how to change this setting using Group Policy so you only have to do it once in a multi server environment. Log onto one of your Windows Server 2008 domain controllers. Click Start / Administrative Tools / Group Policy Management Either select a GPO to use, or create a new GPO.  To create a new GPO, right click Group Policy Object and select New .  Give the GPO a new and click OK . Right click the GPO you want to use and click Edit . Expand Computer Configuration / Policies / Windows Settings / Security Settings / Windows Firewall with Advanced Security / Inbound Rules Right click Inbound Rules and select New Rule . Select Predefined and then select File and Printer Sharing from the drop down list. Click Next .   Check...