Showing posts from August, 2010

Can you have a client update from Microsoft when it is not on the network?

Microsoft’s recommendation is to have your roaming clients get their updates from an internet facing WSUS server if they normally do not connect to your network. If you have users who are about to depart for an extended period of time, it may be beneficial to have an alternate GPO that changes the WSUS server they are using from the internal WSUS server to one facing the internet in your DMZ. Just make sure they have an opportunity to get the changed GPO before departing. When they return, remove the alternate GPO and let the primary location take over. http://technet.microsoft.com/en-us/library/cc720525(WS.10).aspx

Can you manage Action Center pop ups in GPO?

Unfortunately, you cannot choose which notifications pop up using Group Policy. You can, however, prevent them from popping up. Configure a Group Policy with the following setting:
User Configuration / Policies / Administrative Templates / Start Menu and Taskbar
Setting Hide the notification area to Enabled will only allow the Start button, taskbar buttons, custom toolbars, and system clock to be displayed. Pop-ups will be gone.
http://www.howtogeek.com/howto/4339/customize-the-notification-area-in-windows-7-using-local-group-policy/

How to prevent a user from using the Sticky Keys command to expose the command prompt without logging in.

First off, several things would have to fail before this vulnerability is exposed. The organization in question would not be following the Defense-in-Depth concept that we discussed. In particular, the first level, “Policies, Procedures, & Awareness”, would not be followed. In order to be able to change the Sethc.exe file, the user would have to both take ownership and give themselves rights to this application. A standard user account cannot do this. If the users are given local admin rights, this vulnerability could be exploited. By copying the CMD.EXE application and renaming it to Sethc.exe, a command prompt could be brought up under the system context without a user logging in. For your IT staff, a rogue member could easily exploit this vulnerability. To prevent this from happening, follow the procedure at this link to remove the user’s ability to use a command prompt. The key to this is the Software Restriction Policy. Since it is created using a hash,...

How to add a user or group to the Remote Desktop Users group on Server Core

On a standard installation of Windows Server 2008, you can easily add users to the Remote Desktop Users group to allow them to access the server with Remote Desktop. In Server Core, you do not get the nice GUI to work with. You have two options for adding users: command line and Group Policy.

Command Line option:
Log into Server Core.
To see a list of users currently in the Remote Desktop Users group, type:
net localgroup "Remote Desktop Users"
To add a user, type:
net localgroup "Remote Desktop Users" <username> /add

Group Policy option:
The command line option works well if you are only setting it for one or two servers. For many servers, Group Policy is the option of choice. In particular, we are going to be looking at the GPO for Restricted Groups. For this to work you need to make sure this policy setting applies only to your Server Core installations, or other systems that you want this setting on. Open Group Policy Management. Create a GPO and give it the name of your cho...

What is the process for resolving computer names?

In class we had a discussion on the exact order of name resolution for Windows 7. The name resolution order presented to us was:
- Local Host Name
- DNS Resolver Cache
- DNS Server
- NetBIOS Name Cache
- WINS Server
- Broadcast
- LMHOSTS

Below is a portion of an article that explains why we did not see the HOSTS file in the list above:
1. An application uses the DnsQuery() API or the GetAddrInfo() or GetHostByName() Windows Sockets APIs to resolve a name. If the name is a flat name, the DNS Client service creates an FQDN using configured DNS suffixes.
2. The DNS Client service checks the DNS resolver cache for the FQDN, which contains the entries in the Hosts file and the results of recent positive and negative name queries. If an entry is found, the result is used and no further processing occurs.
3. The DNS Client service passes the FQDN through the NRPT to determine the rules in which the FQDN matches the namespace of the rule.
4. If the FQDN does not match any rules, or matches a si...

Can a batch file with the command “command” or “CMD” launch a command prompt even if it is blocked by GPO?

A question about a vulnerability came up in class on how to stop users from opening a command prompt. The method used was to create a batch file with the command COMMAND.COM in it. After following the procedure to prevent the RUN command from working (Click Here for this article), the batch file with COMMAND.COM in it will not execute. I was still able to run a batch file with NET USE and successfully mapped a drive. This indicated that logon scripts should still run OK. Test thoroughly before using.

How to enable WINRM Listener in Group Policy?

WinRM is intended to help improve your ability to manage your hardware in a network environment. You can use WinRM to help collect data from remote computers. In order to utilize WinRM, you need to run the command WinRM quickconfig on each client. If you do not want to go to each client, you can use Group Policy to turn on the WinRM listeners:
Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Service
Depending on which port you need to listen on, you can enable Turn On Compatibility HTTP Listener for port 80 and Turn On Compatibility HTTPS Listener for port 443. These are for backward compatibility purposes. WinRM 2.0 uses port 5986.

How much time does 2008 give you to activate?

Windows Server 2008 gives you 30 days to activate the OS. If you change hardware on the physical server, Windows may require re-activation. You will get 3 days for this activation grace period. For those with evaluation copies, your grace period is 60 days. You can re-arm the grace period by following the procedure below.
1. Click Start, and then click Command Prompt.
2. Type slmgr.vbs -dli, and then press ENTER to check the current status of your evaluation period.
3. To reset the evaluation period, type slmgr.vbs -rearm, and then press ENTER.
4. Restart the computer.
http://support.microsoft.com/kb/948472
http://www.microsoft.com/windowsserver2008/en/us/r2-product-activation.aspx

Can you use AD Recycle Bin with 2003 DCs?

The Active Directory Recycle Bin is the newest, and most reliable, way of restoring objects into Active Directory. In the past, you could use an Authoritative Restore of the object. The big problem here is that you would have to take a domain controller offline to do it. You also had the ability to re-animate tombstoned objects. When you delete an object from Active Directory, it is tombstoned. That means that it is no longer available for normal Active Directory operations and nearly all of its attributes are cleared. Recovering these objects meant that you had to manually re-apply the attributes like group membership. With AD Recycle Bin, you have up to 180 days to bring it all back. For many, the drawback is going to be the requirement of all Domain Controllers running Windows Server 2008 R2 and the forest functional level of Windows Server 2008 R2. http://technet.microsoft.com/en-us/library/dd391916(WS.10).aspx

On an RODC, is the GC writable?

The answer is yes. RODC (Read Only Domain Controller) is Microsoft’s solution for a branch office or other area where the physical security of the server may be questionable. It contains a read only copy of Active Directory and DNS. Should the server be stolen, only the passwords, if any, that you designate to be cached on that server need to be changed. The TGT (Ticket Granting Ticket) on a RODC is different than the one actually used by the domain. Therefore, a stolen RODC cannot be used to infiltrate a network. The Global Catalog (GC) contains a subset of all objects in a forest. In a single domain environment, the domain controllers are aware of all objects in Active Directory. You can search for users, computers, printers, etc. The problem lies when you are in a multi-domain environment. The information on objects is not shared between domains. To help mitigate this issue, Domain Controllers can also be Global Catalog servers. The data contained in GCs only contains th...

How to enable Remote Desktop on Server Core

Since Server Core does not have a GUI, you need to manage it via the command line. To help with this, Microsoft included a script to help configure certain settings. Windows Server 2008 has two separate modes for remote access depending on the client that you will be using. For Windows XP/2003, we have the tried and true version of Remote Desktop. For Vista and Windows 7, we have the Network Level Authentication version available for a more secure terminal session. To set the desired level, we would go to the Remote tab of the System Properties page as seen below. Since this is not an option in Server Core, we have to use the SCRegEdit.wsf script that is included in Server Core. Notice that there is an additional step if you are using an XP or 2003 client to establish the connection.

Enable Remote Desktop for Administrators
· Enable Remote Desktop from Windows Vista/2008:
o Cscript %windir%\system32\SCRegEdit.wsf /ar 0
· Enable Remote Desktop from Windows XP/2003 and earli...

Create a new public folder using PowerShell

Public folders are a common way people exchange information in an Exchange environment. Even though the GUI is simple to use, you may need to create or work with public folders en masse. The example below will create a public folder using the PowerShell cmdlet New-PublicFolder. We are going to create a new public folder called HR on the server Exch04.
· On your Exchange 2010 server, open the Exchange Management Shell.
· Type New-PublicFolder -Name HR -Server Exch04
If you check the Public Folder Management Console (look for it in the Tools of the Exchange Management Console) you will see your new public folder. For a complete description of the New-PublicFolder cmdlet, type Get-Help New-PublicFolder -Full in your Exchange Management Shell.

How to add a DNS Server to Server Core Network Configuration

This is not as hard as you might think. In a previous blog, I showed you how to add a static IP address to Server Core.
netsh interface show interfaces
Record the index number of the interface you want to work with. In this case, let's say it is 3.
netsh interface ipv4 set address name=3 source=static address=10.10.1.10 mask=255.255.0.0
To add an address for your DNS server:
netsh interface ipv4 set dnsservers name=3 source=static address=10.10.1.1 primary
The above example assumes that you set your network interface card to an IP address of 10.10.1.10 and then set the interface to use the address of a DNS server at 10.10.1.1.

6420: Fundamentals of Windows Server 2008 Network and Applications Infrastructure, is now available

For those training centers who need a basic fundamentals class for Server 2008, I am now available to instruct 6420: Fundamentals of Windows Server 2008 Network and Applications Infrastructure. This is a 5 day, level 100 class for those individuals who need to show some type of certification or specialized study for that first job. We stay at a very high level as we talk about the various technologies and techniques used to administer a Windows Server 2008 environment and prepare the delegates for more advanced training. As always, I'll keep an eye on your training schedules and direct students to that more advanced class based on their interest.

Do you need an extra license for AD RMS?

Yes you do. http://www.microsoft.com/windowsserver2008/en/us/licensing-rights-management.aspx I contacted Matt Gerber at ENS Group in Fort Wayne, IN and confirmed it with this email from Matt:

RMS Licensing Basics
To use RMS, organizations need the following licenses:
· Windows Server 2008 R2 Server License
· Windows Server 2008 Client Access Licenses (Windows Server CALs)
· Windows Rights Management Services 2008 Client Access Licenses (RMS CALs)
A Windows Server 2008 R2 Server License is required, since RMS is a component of Windows Server. A Windows Server 2008 CAL is required for every user who accesses or uses the server software. In addition, every user who creates or views rights-protected information through Rights Management Services requires an RMS User CAL. As an alternative to User CALs, customers may acquire RMS Device CALs for the devices used to create or view rights-protected content. Both user and device CAL options are av...