Advanced Windows PowerShell Scripting Video Training


Monday, August 30, 2010

Can you have a client update from Microsoft when it is not on the network?

Microsoft’s recommendation is to have your roaming clients get their updates from an internet facing WSUS server if they normally do not connect to your network. If you have users who are about to depart for an extended period of time, it may be beneficial to have an alternate GPO that changes the WSUS server they are using from the internal WSUS server to one facing the internet in your DMZ. Just make sure they have an opportunity to get the changed GPO before departing. When they return, remove the alternate GPO and let the primary location take over.
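Before a roaming user leaves, you want proof that the alternate GPO actually reached the client. The script below is an added example, not part of the original post: it reads the registry values that the Windows Update GPO writes (WUServer, WUStatusServer and UseWUServer) and compares the target against the internet-facing WSUS server. The server URL is an assumption for illustration.

```powershell
# Added example (not from the original post): report which WSUS server this
# client is pointed at, so you can confirm the alternate GPO arrived before the
# user departs. The Windows Update policy key is where the GPO lands.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

function Get-WsusClientConfig {
    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $null
        WUStatusServer = $null
        UseWUServer    = $false
    }
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        $result.WUServer       = $p.WUServer
        $result.WUStatusServer = $p.WUStatusServer
    }
    if (Test-Path $auKey) {
        $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
        $result.UseWUServer = ($au.UseWUServer -eq 1)
    }
    New-Object PSObject -Property $result
}

# Expected value from the "departing user" GPO; an assumed name for illustration.
$expectedRoamingServer = 'https://wsus-dmz.example.com'

$cfg = Get-WsusClientConfig
$cfg | Format-List

if (-not $cfg.UseWUServer) {
    Write-Warning 'UseWUServer is not set; the client will talk to Microsoft Update, not WSUS.'
} elseif ($cfg.WUServer -ne $expectedRoamingServer) {
    Write-Warning "Client still points at $($cfg.WUServer); run gpupdate /force and re-check before the user leaves."
} else {
    Write-Host "Client is pointed at the roaming WSUS server: $($cfg.WUServer)"
}
```

Run it as the user's machine account context is not needed; any local session can read HKLM policy values. When the user returns and the alternate GPO is removed, the same script confirms the internal server is back in place.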

Friday, August 27, 2010

Can you manage Action Center pop-ups in GPO?

Unfortunately, you cannot choose which notifications pop up using Group Policy. You can, however, prevent them from popping up at all. Configure a Group Policy with the following setting:

User Configuration / Policies / Administrative Templates / Start Menu and Task Bar

Set Hide the notification area to Enabled. Only the Start button, taskbar buttons, custom toolbars, and system clock will be displayed, and the pop-ups will be gone.

Wednesday, August 25, 2010

How to prevent a user from using the Sticky Keys command to expose a command prompt without logging in.

First off, several things would have to fail before this vulnerability is exposed. The organization in question would not be following the Defense-in-Depth concept that we discussed below. In particular, the first level, “Policies, Procedures, & Awareness,” would not be followed.

In order to be able to change the Sethc.exe file, the user would have to both take ownership of it and give themselves rights to this application. A standard user account cannot do this. If the users are given local admin rights, this vulnerability could be exploited. By copying the CMD.EXE application and renaming it to Sethc.exe, a command prompt could be brought up under the system context without a user logging in.

For your IT staff, a rogue member could easily exploit this vulnerability. To prevent this from happening, execute the procedure on this link to remove the user’s ability to use a command prompt. The key to this is the Software Restriction Policy. Since the rule is created using a hash, changing the name and location of the CMD.EXE file will still not allow the user to run it. Be careful not to apply this policy to those who actually need to use a command prompt. You may want to keep this policy on the client machines to help prevent standard users from working outside their job descriptions, and also on the servers, but only for the IT staff who do not need to use a command prompt.
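The Software Restriction Policy stops the renamed copy from running, but you also want to know whether a Sethc.exe swap has already happened. The script below is an added example, not part of the original post: it hashes Sethc.exe and CMD.EXE, checks the Authenticode signature, the file description and the owner (Windows system files are owned by TrustedInstaller), and warns on anything that looks like a replaced binary. It is a check only; it changes nothing.

```powershell
# Added example (not from the original post): detect a Sethc.exe that has been
# replaced by a copy of cmd.exe. Run elevated; works on Windows 7 / Server 2008 R2
# with PowerShell 2.0 or later.
$system32 = Join-Path $env:windir 'System32'
$target   = Join-Path $system32 'sethc.exe'
$cmdPath  = Join-Path $system32 'cmd.exe'

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Test-SethcIntegrity {
    param([string]$Path, [string]$ReferenceCmd)

    $hash    = Get-FileSha256 $Path
    $cmdHash = Get-FileSha256 $ReferenceCmd
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $desc    = (Get-Item $Path).VersionInfo.FileDescription
    $owner   = (Get-Acl $Path).Owner

    $findings = @()
    if ($hash -eq $cmdHash)                { $findings += 'file content identical to cmd.exe' }
    if ($sig.Status -ne 'Valid')           { $findings += "signature status $($sig.Status)" }
    if ($desc -match 'Command Processor')  { $findings += "file description '$desc'" }
    if ($owner -notmatch 'TrustedInstaller') { $findings += "owner is $owner, not TrustedInstaller" }

    New-Object PSObject -Property @{
        Path     = $Path
        Sha256   = $hash
        Owner    = $owner
        Findings = $findings
    }
}

$result = Test-SethcIntegrity -Path $target -ReferenceCmd $cmdPath
if ($result.Findings.Count -gt 0) {
    Write-Warning "sethc.exe looks tampered with: $($result.Findings -join '; ')"
} else {
    Write-Host "sethc.exe OK (sha256 $($result.Sha256), owner $($result.Owner))"
}
```

A non-TrustedInstaller owner on its own is the earliest sign: taking ownership is the first step the post describes, and it leaves a trace even before the file is swapped. The same check can be pushed out as a scheduled task or startup script so servers report in on their own.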


Monday, August 23, 2010

How to add a user or group to the Remote Desktop Users group on Server Core

On a standard installation of Windows Server 2008, you can easily add users to the Remote Desktop Users group to allow them to access the server with Remote Desktop. In Server Core, you do not get the nice GUI to work with. You have two options for adding users: command line and Group Policy.

Command Line option:

Log into Server Core

To see a list of users currently in the Remote Desktop Users group, type: net localgroup "Remote Desktop Users"

To add a user, type: net localgroup "Remote Desktop Users" <domain\username> /add (replace <domain\username> with the account or group you want to add)

Group Policy Option:

The command line option works well if you are only setting it for one or two servers. For many servers, Group Policy is the option of choice. In particular, we are going to be looking at the GPO for Restricted Groups.

For this to work, you need to make sure this policy setting applies only to your Server Core installations, or to other systems that you want this setting applied to.

Open Group Policy Management

Create a GPO and give it the name of your choice.

Edit the policy.

Expand Computer Configuration \ Windows Settings \ Security Settings \ Restricted Groups.

Right-click Restricted Groups and select New Group.

Click Browse.

Type Remote and click Check Names.

Click OK.

Click OK. You should see the window below.

In the Members of this Group section, click Add.

Add the users or groups that you want to ensure are members of the Remote Desktop Users group. Click Browse if you need help finding the users or groups.

This will also ensure that these users and groups are the only accounts listed in this group. To add others later or to remove them, you will have to edit the list in this Group Policy.

Make sure you link the Group Policy to the OUs that hold the computer accounts of the Server Core installations.
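Once Restricted Groups is enforcing membership, the thing to verify is that every Server Core box actually ends up with exactly the list you configured, and nothing more. The script below is an added example, not part of the original post: it reads the local Remote Desktop Users group on each server through the ADSI WinNT provider (which needs nothing installed on the target) and reports any extra or missing members. The server names and the expected member list are assumptions for illustration.

```powershell
# Added example (not from the original post): audit the local "Remote Desktop
# Users" group on several servers against the list enforced by the Restricted
# Groups GPO. Run from a management workstation with rights on the targets.
$servers  = @('CORE01', 'CORE02')                            # assumed names
$expected = @('CONTOSO\RDP-Admins', 'CONTOSO\Helpdesk')      # assumed GPO list

function Get-LocalGroupMembers {
    param([string]$ComputerName, [string]$GroupName)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # Each member's ADsPath looks like WinNT://CONTOSO/RDP-Admins
        $adsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-RemoteDesktopUsers {
    param([string]$ComputerName, [string[]]$ExpectedMembers)
    $members = @(Get-LocalGroupMembers -ComputerName $ComputerName -GroupName 'Remote Desktop Users')
    $extra   = @($members         | Where-Object { $ExpectedMembers -notcontains $_ })
    $missing = @($ExpectedMembers | Where-Object { $members -notcontains $_ })
    New-Object PSObject -Property @{
        Server    = $ComputerName
        Members   = ($members -join ', ')
        Extra     = ($extra   -join ', ')
        Missing   = ($missing -join ', ')
        Compliant = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

foreach ($server in $servers) {
    try {
        Compare-RemoteDesktopUsers -ComputerName $server -ExpectedMembers $expected
    } catch {
        Write-Warning "$server : could not read group ($($_.Exception.Message))"
    }
}
```

Anything in the Extra column after the policy has refreshed means either the GPO is not linked to that computer's OU or someone is adding accounts locally between refreshes, which is exactly what Restricted Groups is there to catch.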

Friday, August 20, 2010

What is the process for resolving computer names?

In class we had a discussion on the exact order of name resolution for Windows 7. The Name Resolution order presented to us was:

- Local Host Name
- DNS Resolver Cache
- DNS Server
- NetBIOS Name Cache
- WINS Server
- Broadcast

Below is a portion of an article that explains why we did not see the HOSTS file in the list above:

1. An application uses the DnsQuery() API or the GetAddrInfo() or GetHostByName() Windows Sockets APIs to resolve a name. If the name is a flat name, the DNS Client service creates an FQDN using configured DNS suffixes.

2. The DNS Client service checks the DNS resolver cache for the FQDN, which contains the entries in the Hosts file and the results of recent positive and negative name queries. If an entry is found, the result is used and no further processing occurs.

3. The DNS Client service passes the FQDN through the NRPT to determine the rules in which the FQDN matches the namespace of the rule.

4. If the FQDN does not match any rules, or matches a single rule that is an exemption rule, the DNS Client service attempts to resolve the FQDN using interface-configured DNS servers.

5. If the FQDN matches a single rule that is not an exemption rule, the DNS Client service applies the specified special handling.

6. If the FQDN matches multiple rules, the DNS Client services sorts the matching rules for precedence—in order: FQDN, longest matching prefix, longest matching suffix [including IPv4 and IPv6 subnets], any—to determine the rule that most closely matches the FQDN.

7. After determining the closest matching rule, the DNS Client service applies the specified special handling.

Essentially, the client will try to use its local resources first (with the exception of the LMHOSTS file). It looks at its cache of DNS query results, which also contains the contents of the HOSTS file. Next it will use the more desirable network resource, the DNS server. Since DNS is a requirement for an Active Directory network, DNS should be available. Next it looks at the WINS resources: first its NetBIOS name cache and then the WINS server. These flat names for network resources are still supported, but they are on their way out. Next, a broadcast across the local subnet will be made. Finally, it will look at any static entries in the LMHOSTS file. This file holds flat names, as WINS does.
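Step 2 above is the one people miss: HOSTS entries are loaded into the resolver cache, so they are consulted before any DNS server is asked. The script below is an added example, not part of the original post: it parses the HOSTS file and checks whether each name shows up in the output of ipconfig /displaydns, which is the resolver cache. It runs on Windows 7 with PowerShell 2.0 and needs no network access.

```powershell
# Added example (not from the original post): show which HOSTS file entries are
# present in the DNS resolver cache (ipconfig /displaydns), illustrating that the
# HOSTS file is consulted as part of the cache step, not as a separate step.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    param([string]$Path)
    Get-Content $Path | ForEach-Object {
        $line = ($_ -replace '#.*$', '').Trim()        # strip comments and whitespace
        if ($line -eq '') { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }              # address with no name; ignore
        $ip = $parts[0]
        $parts[1..($parts.Count - 1)] | ForEach-Object {
            New-Object PSObject -Property @{ Name = $_.ToLower(); Address = $ip }
        }
    }
}

function Get-ResolverCacheNames {
    # ipconfig /displaydns prints lines like "Record Name . . . . . : host.example.com"
    ipconfig /displaydns | ForEach-Object {
        if ($_ -match '^\s*Record Name[\s.]*:\s*(\S+)') { $matches[1].ToLower() }
    } | Sort-Object -Unique
}

function Compare-HostsToCache {
    $cache = @(Get-ResolverCacheNames)
    foreach ($entry in (Get-HostsEntries $hostsPath)) {
        New-Object PSObject -Property @{
            Name      = $entry.Name
            HostsAddr = $entry.Address
            InCache   = ($cache -contains $entry.Name)
        }
    }
}

Compare-HostsToCache | Format-Table -AutoSize
```

On a default Windows 7 install the HOSTS file contains only comments, so the table is empty; add a test entry, run ipconfig /flushdns, and the name appears in the cache immediately, before any query has gone out. The same preloading is why a stale or malicious HOSTS entry overrides DNS: checking this file is a standard step when a machine resolves a name to the wrong address.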

Wednesday, August 18, 2010

Can a batch file with the command “command” or “CMD” launch a command prompt even if it is blocked by GPO?

A question came up in class about a vulnerability in the method used to stop users from opening a command prompt: creating a batch file with the command in it. After following the procedure to prevent the RUN command from working (Click Here for this article), the batch file with COMMAND.COM in it will not execute. I was still able to run a batch file with NET USE and successfully mapped a drive. This indicates that logon scripts should still run OK. Test thoroughly before using.

Tuesday, August 17, 2010

How to enable WINRM Listener in Group Policy?

WinRM is intended to help improve your ability to manage your hardware in a network environment. You can use WinRM to collect data from remote computers. In order to utilize WinRM, you need to run the command winrm quickconfig on each client. If you do not want to go to each client, you can use Group Policy to turn on the WinRM listeners.

Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Service

Depending on which port you need to listen on, you can enable Turn On Compatibility HTTP Listener for port 80 and Turn On Compatibility HTTPS Listener for port 443. These are for backward compatibility purposes. WinRM 2.0 uses port 5986.
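After the policy refreshes, you want to see both what the GPO wrote and what listeners WinRM actually created. The script below is an added example, not part of the original post: it reads the WinRM Service policy key (the value names used here are my assumption of what those policy settings write; adjust if your registry shows different names) and enumerates the live listeners through the WSMan provider, warning on any plain HTTP listener. Run it elevated on a client that received the policy.

```powershell
# Added example (not from the original post): audit WinRM policy and listeners
# after the GPO has applied. Requires the WinRM service to be running locally.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

function Get-WinRmPolicy {
    if (-not (Test-Path $policyKey)) { return $null }
    $p = Get-ItemProperty -Path $policyKey
    # Value names are assumed from the policy setting names; verify in regedit.
    New-Object PSObject -Property @{
        AllowAutoConfig            = $p.AllowAutoConfig
        IPv4Filter                 = $p.IPv4Filter
        HttpCompatibilityListener  = $p.HttpCompatibilityListener
        HttpsCompatibilityListener = $p.HttpsCompatibilityListener
    }
}

function Get-WinRmListeners {
    Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate | ForEach-Object {
        New-Object PSObject -Property @{
            Transport  = $_.Transport
            Port       = $_.Port
            Address    = $_.Address
            Enabled    = $_.Enabled
            Thumbprint = $_.CertificateThumbprint
        }
    }
}

$policy = Get-WinRmPolicy
if ($policy) { $policy | Format-List }
else { Write-Warning 'No WinRM Service policy key found; the GPO may not have applied yet (try gpupdate /force).' }

$listeners = @(Get-WinRmListeners)
if ($listeners.Count -eq 0) { Write-Warning 'No WinRM listeners are configured.' }
foreach ($l in $listeners) {
    if ($l.Transport -eq 'HTTP') {
        Write-Warning "HTTP listener on port $($l.Port) ($($l.Address)): transport is not encrypted; prefer an HTTPS listener with a certificate."
    } else {
        Write-Host "HTTPS listener on port $($l.Port) ($($l.Address)), certificate $($l.Thumbprint)"
    }
}
```

If AllowAutoConfig is set but IPv4Filter is empty, the listener is created on no address at all, which is the usual reason a "working" GPO produces no listener; the filter needs a value such as * or an address range before WinRM will bind.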

Monday, August 16, 2010

How much time does 2008 give you to activate?

Windows Server 2008 gives you 30 days to activate the OS. If you change hardware on the physical server, Windows may require re-activation. You will get 3 days for this activation grace period. For those with evaluation copies, your grace period is 60 days. You can re-arm the grace period by following the procedure below.

1. Click Start, and then click Command Prompt.

2. Type slmgr.vbs -dli, and then press ENTER to check the current status of your evaluation period.

3. To reset the evaluation period, type slmgr.vbs -rearm, and then press ENTER.

4. Restart the computer.

Friday, August 13, 2010

When does Windows 7 use HOSTS and when does it use LMHOSTS?

LMHOSTS is used for NetBIOS name to IP address resolution. This functionality is similar to WINS. HOSTS is used for fully qualified domain name to IP address resolution and is more similar to DNS. As for the exact order of resolution methods, I’m finding documentation that is all over the place.

Can you use the AD Recycle Bin with 2003 DCs?

The Active Directory Recycle Bin is the newest, and most reliable, way of restoring objects into Active Directory. In the past, you could use an authoritative restore of the object. The big problem there is that you had to take a domain controller offline to do it. You also had the ability to re-animate tombstoned objects. When you delete an object from Active Directory, it is tombstoned. That means it is no longer available for normal Active Directory operations and nearly all of its attributes are cleared. Recovering these objects meant that you had to manually re-apply the attributes, such as group membership.

With the AD Recycle Bin, you have up to 180 days to bring it all back. For many, the drawback is going to be the requirement that all domain controllers run Windows Server 2008 R2 and that the forest functional level be Windows Server 2008 R2.
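The script below is an added example, not part of the original post: it checks whether the forest meets the functional level requirement and whether the Recycle Bin feature is enabled, then finds a deleted user by its SAM account name and restores it with its attributes intact. It uses the ActiveDirectory module that ships with RSAT on Windows 7 / Server 2008 R2; the account name jdoe is an assumption for illustration.

```powershell
# Added example (not from the original post): verify AD Recycle Bin prerequisites
# and restore a deleted user with Restore-ADObject. Run as an account with
# rights to restore objects in the domain.
Import-Module ActiveDirectory

function Test-AdRecycleBin {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    # ForestMode enum: 4 = Windows2008R2Forest, the minimum for the Recycle Bin
    $level   = [int]$forest.ForestMode
    New-Object PSObject -Property @{
        Forest     = $forest.Name
        ForestMode = $forest.ForestMode
        LevelOk    = ($level -ge 4)
        Enabled    = ($feature.EnabledScopes.Count -gt 0)
    }
}

function Find-DeletedUser {
    param([string]$SamAccountName)
    # Deleted objects keep their SAM name and a lastKnownParent; they are only
    # returned when -IncludeDeletedObjects is specified.
    Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
                 -IncludeDeletedObjects `
                 -Properties sAMAccountName, lastKnownParent, whenChanged
}

$state = Test-AdRecycleBin
$state | Format-List

if (-not $state.LevelOk) {
    Write-Warning 'Forest functional level is below Windows Server 2008 R2; the Recycle Bin cannot be enabled.'
    return
}
if (-not $state.Enabled) {
    Write-Warning 'Recycle Bin is not enabled; only tombstone reanimation or an authoritative restore is available.'
    return
}

$deleted = Find-DeletedUser -SamAccountName 'jdoe'     # assumed account name
if ($deleted) {
    # Restore-ADObject puts the object back under its last known parent with
    # group memberships and other attributes preserved.
    $deleted | Restore-ADObject
    Get-ADUser jdoe -Properties MemberOf | Select-Object Name, Enabled, MemberOf
} else {
    Write-Host 'No deleted object named jdoe found; it may be past the deleted object lifetime.'
}
```

The LevelOk check is the 2003 DC answer in code form: a forest still holding 2003 domain controllers cannot be raised to the 2008 R2 level, so Get-ADOptionalFeature will never report the feature as enabled there. Note that Restore-ADObject fails if the last known parent OU was itself deleted; restore the parent first, or pass -TargetPath.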

Wednesday, August 11, 2010

On an RODC, is the GC writable?

The answer is yes.

An RODC (Read Only Domain Controller) is Microsoft’s solution for a branch office or other location where the physical security of the server may be questionable. It contains a read-only copy of Active Directory and DNS. Should the server be stolen, only the passwords, if any, that you designate to be cached on that server need to be changed. The TGT (Ticket Granting Ticket) on an RODC is different from the one actually used by the domain. Therefore, a stolen RODC cannot be used to infiltrate a network.

The Global Catalog (GC) contains a subset of the attributes of all objects in a forest. In a single-domain environment, the domain controllers are aware of all objects in Active Directory. You can search for users, computers, printers, etc. The problem arises when you are in a multi-domain environment. The information on objects is not shared between domains. To help mitigate this issue, domain controllers can also be Global Catalog servers. The data contained in GCs includes only the attributes that are normally searched for. In a multi-domain environment, it is recommended to make every domain controller a Global Catalog server as well.

In respect to the question, the GC will not hold any sensitive data should the RODC be stolen; it only records which domain the objects are stored in.
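The "only the passwords you designate to be cached" point is only reassuring if you know what that list is. The script below is an added example, not part of the original post: for a named RODC it reports the Password Replication Policy, the accounts whose secrets have actually been replicated to it (the reset list if the box walks out the door), and whether the RODC also holds the GC role. It uses the ActiveDirectory module; the RODC name is an assumption for illustration.

```powershell
# Added example (not from the original post): report what a stolen RODC would
# expose, based on its Password Replication Policy and revealed accounts.
Import-Module ActiveDirectory
$rodcName = 'BRANCH-RODC1'                       # assumed name

function Get-RodcExposure {
    param([string]$Name)
    $dc = Get-ADDomainController -Identity $Name
    if (-not $dc.IsReadOnly) { throw "$Name is not an RODC" }

    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Name -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Name -Denied)
    # Revealed = secrets currently cached; Authenticated = accounts that have
    # logged on through this RODC, whether or not their secrets were cached.
    $cached  = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Name -RevealedAccounts)
    $authed  = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Name -AuthenticatedAccounts)
    $cachedDns = $cached | ForEach-Object { $_.DistinguishedName }

    New-Object PSObject -Property @{
        RODC                   = $dc.HostName
        IsGlobalCatalog        = $dc.IsGlobalCatalog
        AllowedList            = @($allowed | ForEach-Object { $_.Name })
        DeniedList             = @($denied  | ForEach-Object { $_.Name })
        CachedAccounts         = @($cached  | ForEach-Object { $_.SamAccountName })
        AuthenticatedNotCached = @($authed  | Where-Object { $cachedDns -notcontains $_.DistinguishedName } |
                                             ForEach-Object { $_.SamAccountName })
    }
}

$report = Get-RodcExposure -Name $rodcName
$report | Format-List

# Privileged accounts should never be cached on an RODC; flag any that are.
$privileged = @(Get-ADGroupMember 'Domain Admins' -Recursive | ForEach-Object { $_.SamAccountName })
$bad = @($report.CachedAccounts | Where-Object { $privileged -contains $_ })
if ($bad.Count -gt 0) {
    Write-Warning "Privileged accounts cached on $rodcName : $($bad -join ', ')"
} else {
    Write-Host "No Domain Admins cached on $rodcName; $($report.CachedAccounts.Count) account(s) would need a reset if it were stolen."
}
```

CachedAccounts is the operational answer to "what do we reset?"; AuthenticatedNotCached is the list of people who would have been locked out of the branch during a WAN outage, which is the usual argument for adding a group to the allowed list.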

Monday, August 9, 2010

How to enable Remote Desktop on Server Core

Since Server Core does not have a GUI, you need to manage it via the command line. To help with this, Microsoft included a script to configure certain settings. Windows Server 2008 has two separate modes for remote access depending on the client that you will be using. For Windows XP/2003, we have the tried and true version of Remote Desktop. For Vista and Windows 7, we have the Network Level Authentication version, available for a more secure terminal session. To set the desired level, we would go to the Remote tab of the System Properties page as seen below.

Since this is not an option in Server Core, we have to use the SCRegEdit.wsf script that is included with Server Core. Notice that there is an additional step if you are using an XP or 2003 client to establish the connection.

Enable Remote Desktop for Administrators
· Enable Remote Desktop from Windows Vista/2008:
  - Cscript %windir%\system32\SCRegEdit.wsf /ar 0

· Enable Remote Desktop from Windows XP/2003 and earlier (press Enter after each command):
  - Cscript %windir%\system32\SCRegEdit.wsf /ar 0
  - Cscript %windir%\system32\SCRegEdit.wsf /cs 0
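The two switches above are just registry writes under the Terminal Server key, so you can read the result back on any server to confirm where it stands. The script below is an added example, not part of the original post: it reports whether Remote Desktop is enabled (fDenyTSConnections, what /ar changes), whether Network Level Authentication is required (UserAuthentication on the RDP-Tcp listener, what /cs changes), and the listener port and security layer. The mapping of the switches to these values is my reading of what the script does, not something the post states.

```powershell
# Added example (not from the original post): read back the Remote Desktop and
# NLA settings that SCRegEdit.wsf /ar and /cs change. Works on any Windows
# Server 2008 / 2008 R2 box, Core or full, with PowerShell available.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RemoteDesktopState {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)    # /ar 0 sets this to 0
        NlaRequired          = ($rdp.UserAuthentication -eq 1)   # /cs 0 sets this to 0
        SecurityLayer        = $rdp.SecurityLayer                # 0 = RDP, 1 = negotiate, 2 = TLS
        ListenPort           = $rdp.PortNumber
    }
}

$state = Get-RemoteDesktopState
$state | Format-List

if (-not $state.RemoteDesktopEnabled) {
    Write-Warning 'Remote Desktop is disabled (fDenyTSConnections = 1); run SCRegEdit.wsf /ar 0.'
} elseif (-not $state.NlaRequired) {
    Write-Warning 'NLA is not required: XP/2003 clients can connect, but the server builds a session before the user is authenticated. Re-enable NLA once legacy clients are retired.'
} else {
    Write-Host "Remote Desktop enabled with NLA on port $($state.ListenPort)."
}
```

The NLA warning is the security trade-off behind the "additional step" in the post: turning /cs off widens client compatibility at the cost of letting unauthenticated clients reach the logon screen, so it is worth tracking which servers still have it off.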

Friday, August 6, 2010

Create a new public folder using PowerShell

Public folders are a common way people exchange information in an Exchange environment. Even though the GUI is simple to use, you may need to create or work with public folders en masse. The example below will create a public folder using the PowerShell cmdlet New-PublicFolder.

We are going to create a new public folder called HR on the server Exch04.

· On your Exchange 2010 server, open the Exchange Management Shell.

· Type New-PublicFolder -Name HR -Server Exch04

If you check the Public Folder Management Console (look for it in the Tools of the Exchange Management Console) you will see your new public folder.

For a complete description of the New-PublicFolder cmdlet, type Get-Help New-PublicFolder -Full in your Exchange Management Shell.
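Creating folders "en masse" is where the cmdlet pays off, so here is the single-folder command extended to a list. The script below is an added example, not part of the original post: it reads folder names and parent paths from a CSV (constructed inline here for illustration), skips folders that already exist, and reports failures instead of stopping. It runs in the Exchange Management Shell, where New-PublicFolder and Get-PublicFolder are available; Exch04 is the server name from the post.

```powershell
# Added example (not from the original post): bulk-create public folders from
# a CSV using New-PublicFolder, creating parents before children. Run in the
# Exchange 2010 Management Shell.
$csv = @"
Name,Path
HR,\
Benefits,\HR
Recruiting,\HR
Finance,\
"@
$folders = ConvertFrom-Csv $csv         # constructed sample input
$server  = 'Exch04'

function New-PublicFolderIfMissing {
    param([string]$Name, [string]$Path, [string]$Server)
    $fullPath = if ($Path -eq '\') { "\$Name" } else { "$Path\$Name" }

    $existing = Get-PublicFolder -Identity $fullPath -Server $Server -ErrorAction SilentlyContinue
    if ($existing) { return "Exists:  $fullPath" }

    try {
        New-PublicFolder -Name $Name -Path $Path -Server $Server -ErrorAction Stop | Out-Null
        return "Created: $fullPath"
    } catch {
        return "Failed:  $fullPath ($($_.Exception.Message))"
    }
}

# Rows are processed in file order, so list a parent before its children.
foreach ($f in $folders) {
    New-PublicFolderIfMissing -Name $f.Name -Path $f.Path -Server $server
}
```

Replace the here-string with Import-Csv .\folders.csv for a real run. Keeping the existence check separate from creation means the script is safe to re-run after a partial failure, which matters when a mailbox database or replica is temporarily unavailable.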

Wednesday, August 4, 2010

How to add a DNS Server to Server Core Network Configuration

This is not as hard as you might think. In a previous blog post, I showed you how to add a static IP address to Server Core:

netsh interface ipv4 show interfaces
Record the index number (Idx) of the interface you want to work with. In this case, let's say it is 3.
netsh interface ipv4 set address name=3 source=static address=<ip-address> mask=<subnet-mask>

To add an address for your DNS server:
netsh interface ipv4 set dnsservers name=3 source=static address=<dns-server-ip> primary

The above example assumes that you set your network interface card to the IP address <ip-address> and then set the interface to use the DNS server at <dns-server-ip>. The angle-bracket values are placeholders for your own addresses.

Tuesday, August 3, 2010

6420: Fundamentals of Windows Server 2008 Network and Applications Infrastructure is now available

For those training centers who need a basic fundamentals class for Server 2008, I am now available to instruct 6420: Fundamentals of Windows Server 2008 Network and Applications Infrastructure.

This is a 5-day, level 100 class for those individuals who need to show some type of certification or specialized study for that first job. We stay at a very high level as we talk about the various technologies and techniques used to administer a Windows Server 2008 environment, and prepare the delegates for more advanced training. As always, I'll keep an eye on your training schedules and direct students to that more advanced class based on their interest.

Monday, August 2, 2010

Do you need an extra license for AD RMS?

Yes you do.

I contacted Matt Gerber at ENS Group in Fort Wayne, IN and confirmed it with this email from Matt:

RMS Licensing Basics

To use RMS, organizations need the following licenses:

· Windows Server 2008 R2 Server License

· Windows Server 2008 Client Access Licenses (Windows Server CALs)

· Windows Rights Management Services 2008 Client Access Licenses (RMS CALs)

A Windows Server 2008 R2 Server License is required, since RMS is a component of Windows Server. A Windows Server 2008 CAL is required for every user who accesses or uses the server software. In addition, every user who creates or views rights-protected information through Rights Management Services requires an RMS User CAL. As an alternative to User CALs, customers may acquire RMS Device CALs for the devices used to create or view rights-protected content. Both user and device CAL options are available for RMS and Windows Server 2008.

In addition, organizations have the option to acquire an RMS 2008 External Connector (EC) license. The RMS EC license gives organizations the right to permit an unlimited number of external users to access or use a single, licensed copy of the RMS server software without the need to acquire CALs for each external user. The EC is an alternative to CALs when, for example, an organization creates rights-protected information or documents and needs to allow customers or business partners to view this information. Each copy of RMS server software being used by external users requires its own EC license.

Since external users must also be licensed to access Windows Server 2008 R2, the Windows Server 2008 EC license may be used as an alternative to Windows Server 2008 CALs.

But this link gives more details: