Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Tuesday, November 30, 2010

How to require a password to unlock the SAM database

Windows already protects your account passwords by first storing only a hash of the password, and then encrypting that hash.  You an increase protection of the database by either removing the SAM database encryption key to removable media, or by requiring a start-up password to unlock the database.  A word of caution, you will need a trusted administrator at the console of the server when you restart it to insert the media or type the password.  This document looks at setting up a password to unlock the SAM Database

 

On you Windows Server or client, click Start.

Type SYSkey and press  Enter

If User Access Control (UAC) is enabled, you may need to provide the proper credentials.

Encryption Enabled should already be selected for you.  Click Update.

image

Select Password Startup.

Provide and confirm the password you want to lose.

Warning: If you lose this password, you lose access to this computer.

Click OK.

image

Click OK at the confirmation screen.

image

 

Now, reboot the server/client.

The computer will go through the normal boot process, but it will stop at the screen below.

image

Type in the Password you choose and click OK.

At this point, the system will complete the boot.

 

To remove this password from the startup, you will need to return the key to the local system

Click Start, type SYSkey and press Enter.

If User Access Control (UAC) is enabled, you may need to provide the proper credentials.

Encryption Enabled should already be selected for you.  Click Update.

image

 

Select System Generated Password.

Verify that Store Startup Key Locally is selected

Click OK.

image

Type in the password you used to unlock the database and click OK.

Click OK at the confirmation screen.

image

A restart of the machine will let it boot normally.

Monday, November 29, 2010

Basic Baseline of a Server

A server baseline allows us to so how changes we make to our servers affect the performance of the server. it also allows us to be, dare I say “proactive” in managing our servers. Creating a baseline involves collecting data that could lead to a bottleneck. A bottleneck is a point in the path that data travels in which it has to wait. If your data is stuck, so are your users. The data the you need to collect for a baseline will vary depending on what you have on that server. This document covers just the basics.

For a basic baseline, we need to look at 4 areas: Processor, Network Interface Card (NIC), RAM, and the hard drives. We will be using the Windows Performance Monitor to collect this information for us. A baseline is taken over a period of time. Because of this, we will be using the Data Collector Sets in the Performance Monitor to do our collection.

To start the Performance Monitor, click Start, type Perfmon and press Enter

Expand Data Collector Sets.

Right click User Defined and then click New \ Data Collector Set

image

Provide a name for the baseline.

Click Next

Select Basic and click Finish.

Click Baseline.

Double click Performance Counter

Click Remove to remove the \Processor(*)\* entry.

We are now ready to add our basic counters to collect our performance data.

Processor

The processor is the brains of the computer. Like us humans, our brains can only do so much before it starts to slow down. We need to take a good look at the activity of the CPU to see if we are asking to much of it. When reading the data for the processor, remember that spikes to 100% are normal and should be expected. Sustained activity above 75% shows a potential bottleneck. If you have this sustained activity, take a close look at what is being done on this server and consider offloading some of the applications to another, less utilized server.

Let’s add in our counters:

Click Add

Expand Processor

Select %Processor Time

Notice in the Instances of selected object box, you may have more than 1 processor. I the example below, there are 4 processors labeled 0-3.

image

You may want to monitor each processor individually. Click each processor and then click Add.

Physical Disk

The Physical Disk represents each physical hard drive on your server. You may have several logical disks. That is a physical disk with several partitions. To get an accurate look at the disk usage, we need to look at the physical disk. We are interested in the %Disk Read Time and %Disk Write Time. This tells us how often our disk is being used. We also want to look at the Average Disk Queue Length. Should this number stay above 4, you may have a bottle neck. With today's high speed devices, that number can be much higher before users notice anything.

Memory

For more than a decade now, your PC has been able to use more memory than what you have installed in the computer. PCs and servers use a technology called virtual memory. WHen the physical memory is full, but the system needs to load more information into memory, the server will look at the contents of its physical memory that has not been used in a while, and write it to the hard disk. When it needs to use that content again, it copies more information from RAM to the hard disk and then grabs the information it needs off the hard disk, and stores it in RAM. RAM is fast, disk is slow. Anytime you need to do this swap, it is called a Page Fault. Because Page Faults require the use of a disk, they slow things down. A lot of Hard Page Faults/Sec indicates that you need to add more RAM to your server. In the Memory object, add the Page Faults/Sec counter.

Network Interface Card (NIC)

The next item to take a look at is the NIC. We must allow Fantasy Foot to be played without delay! Two things to look at here is how much data is waiting to travel out of the computer, and how many errors does that card receive. The Output Queue Length will tell us if there is a traffic jam trying to get out of your computer. This can indicate that your network connection is not fast enough. You may need to upgrade the NIC, the infrastructure, or both. Another option may be to add an additional NIC to the server. The Packets Received Errors will tell you if there is a bad NIC on your network.

An optional metric to monitor is in the Server object. Take a look at the Server Sessions to get an idea about how many users are using this server.

Click OK to save the counters.

Right click Baseline and select Properties.

Click Schedule tab. Here you can schedule when this performance counter starts. Under the Stop Condition tab, you can control how long the sampling takes place.

After a period of time, or after you deploy new functionality to the server, you will want to re-run this baseline and see what the effect has been. By knowing the utilization state of your servers, you can make a more informed decision about what can, and cannot be added to a servers work load.

Friday, November 26, 2010

How to Add Server Core 2008 R2 to a domain

This task is now much easier than it was in Server Core 2008 R1. First, log into server core.

Type Sconfig and press Enter.

Press 1 for Domain/Workgroup and press Enter

Press D for Domain and then press Enter.

image

Type the name of the domain that you want to join.

image

Type the name of a user account in that domain that has the rights to add clients to the domain.

A new Window will open up to ask you for the users password and then to confirm it.

Once joined to the domain, type 11 to Restart Server.

You should now see this server core as part of your domain.

Wednesday, November 24, 2010

Where are the GPO settings for a printer GPO created in Print Manager?

On a Windows Server 2008 Server with the Print and Document Services role installed, you can deploy printers via group policy. The question in class is where in group policy is this stored. By opening the Group Policy Management program and selecting the GPO you created to deploy the printer, you can see the changes made. With the GPO selected, click the Settings tab. You should see something like the image below.



To see the changes in Group Policy, open the GPO itself. Expand User Configuration \ Windows Settings \ Deployed Printers



Above you can see the deployed Canon printer.

Tuesday, November 23, 2010

How to determine the effective Fine Grain Password Policy on a user account.

When your domain is at least at Windows Server 2008 R1 level, you have the option of using Fine Grain Passwords.  In previous implementations of a Windows domain. You were given only only password policy for every users.  This was the policy stored in the Default Domain Policy GPO.  Now you can have users of different security groups have different password policies that are more fitting to the security of their positions and the data they have access to.  One problem that comes up is when a user is a member of multiple security groups, all of which have different PSOs (Password Settings Object – aka Fine grain password policy) assigned to them.  The Precedence value assigned to each PSO determines the one in effect.  Of all the PSOs the user recieves from their respective PSOs, the User Object only uses the PSO with the lowest precedence value.  Here is how to determine which one a user account is using.

 

On your Domain Controller, open Active Directory Users and Computers.

Click View and make sure there is a check mark beside Advanced Features.

image

Next browse to the users account object.  Right click it and select Properties.

Click the Attribute Editor tab,

Click the Filter button and make sure there are checks by Show Attributes: Optional and Show read-only attributes: Constructed.

image

Look for the attribute msDS-ResultantPSO.  The name of the PSO being applied to this user is the value of this attribute.

image

Monday, November 22, 2010

Setting Remote Desktop Encryption Levels

The following article has instructions on how to set the encryption level for your clients. Below is an excerpt.

http://technet.microsoft.com/en-us/library/bb457106.aspx

Setting Encryption Levels

Data encryption can protect your data by encrypting it on the communications link between the client and the Windows XP Professional–based computer. Encryption protects against the risk of unauthorized interception of transmitted data. By default, Remote Desktop sessions are encrypted at the highest level of security available (128-bit). However, some older versions of Terminal Services client software do not support this high level of encryption. If your network contains such “legacy” clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.

There are two levels of encryption available:

· High

This level encrypts data sent from the client to the remote computer and from the remote computer to the client by using strong 128-bit encryption. Use this level only if you are sure that your client computer supports 128-bit encryption (for example, if it is running Windows XP Professional). Clients that do not support this level of encryption will not be able to connect.

· Client Compatible

This level encrypts data sent between the client and the remote computer at the maximum key strength supported by the client. Use this level if your client computer does not support 128-bit encryption.

You can set the encryption level of the connection between the client and the remote computer by enabling theSet client connection encryption level Terminal Services Group Policy setting.

Friday, November 19, 2010

Conserve Bandwidth when using the Droid 2 Mobil Hotspot.

One of the disadvantages of my job is that I have a constant need to access the internet.  In most locations that I go to, I usually can find a hot spot.  On occasion, I find myself without a connection.  This posses a few problems. My mother lives in a one blinking stop light town.  Internet?  Hey, we are lucky to have electricity here.  Well, tonight I am blogging from Mom’s house.  I have my new Google Droid 2 phone with its mobile hot spot on.  AWESOME!  Yes, I know.  I’ll probably be kicked off the Microsoft Born To Learn blog list for owning one.  Sorry Bill. I was holding out for a Windows 7 phone but I my old smart phone was being held together by tape.

Now, for the down side.  You get 2 GB of data per month on the hot spot for $20…and then they begin to charge you more.  Being the power user that I am, I need to squeeze as much data as I can out of this phone.  I decided to try a trick that I learned years ago when I needed to cache web pages on my Pocket PC.  The only way that I could get a web page on my Pocket PC was to have it cradled.  I would cache pages to read while I was on a plane.  This worked OK, but back then we did not have a lot of storage on those things.  The solution was not to cache the images.  The same potential solution applies to using your mobile hot spot.

This may be a bit odd for most. The internet without pictures!!! What is this? 1995?  You can get any one of these images when ever you want.  The idea is to not download any extra data to conserve bandwidth.  Most of the information you read is in text anyway, right?  Here is how my website looks with, and without text.

 image

image

OK, not very pretty, but I just reduced my bandwidth utilization by around 90% as well as accelerated my web surfing experience. If I wanted to view an image, just right click it and select Show Picture.

image

 

Here is how to do it in Internet Explorer 8

Click Tools / Internet Options

Click the Advanced Tab

Scroll down to the Multimedia section.

Uncheck Show Pictures.

Click OK

image

Tuesday, November 16, 2010

Does IPCONFIG /FLUSHDNS do anything other than clear the cache?

According to Microsoft Documentation, no it does not.  Below is a list of the functions of IPCONFIG.  Noticed that FlushDNS only clears the cache.

/all : Displays the full TCP/IP configuration for all adapters. Without this parameter, ipconfig displays only the IP address, subnet mask, and default gateway values for each adapter. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

/renew [Adapter] : Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the Adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

/release [Adapter] : Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the Adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

/flushdns : Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically.

/displaydns : Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.

/registerdns : Initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or resolve a dynamic update problem between a client and the DNS server without rebooting the client computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are registered in DNS.

/showclassid Adapter : Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically.

/setclassid Adapter [ClassID] : Configures the DHCP class ID for a specified adapter. To set the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place ofAdapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. If a DHCP class ID is not specified, the current class ID is removed.

/?: Displays help at the command prompt.

Monday, November 15, 2010

When using WET, dos it transfer your credential manager data?

You can use User State Migration tool to migrate your Credential Manager data. To do this you are going to have to create a Custom.xml file. The following link gives you more information on how to create a custome XML file for USMT: http://technet.microsoft.com/en-us/library/cc749416(WS.10).aspx#Creating.
In our case, we are interested in the following line:
<component displayname="Microsoft-Windows-Credential-Manager-DL" migrate="no" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-credential-manager-dl/microsoft-windows-credential-manager-dl/settings"/>
component>
By setting the Migrate=”yes” option, your credential manager will migrate.

Friday, November 12, 2010

What does 2>&1 mean in Powershell?

In class 50025, we noticed some odd code on page 9-2. This code 2>&1 did not come with any good description. It is a redirection operator. Below is some information on the different Powershell redirectors.

>

Redirects output to specified file. If the file already exists, current contents are overwritten.

>>

Redirects output to specified file. If the file already exists, the new output is appended to the current content.

2>

Redirects error output to specified file. If the file already exists, current contents are overwritten.

2>>

Redirects error output to specified file. If the file already exists, the new output is appended to the current content.

2>&1

Redirects error output to the standard output pipe instead of to the error output pipe.

Wednesday, November 10, 2010

If you restrict a user to a single session, what happens if they log into another computer?

In class, I performed a quick demonstration using Remote Desktop Services in Windows Server 2008 R2. I set up a Remote Desktop Server and applied a Group Policy that restricted the users that logged into this Remote Desktop Server to a single session. The policy was located at:

Computer Configuration / Policies / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Sessions / Connections / Restrict Remote Desktop Services users to a single Remote Desktop Services Session

Once this policy was enabled, users were restricted. To test what happens when they connect on two different clients, I use the Remote Desktop Connection on two separate Windows 7 clients. On the first connection, I created a folder on the desktop so we can confirm that a single session was being used. I connected on the second client, and we saw the desktop with the folder. I then went back to the first client and we were notified that the Remote Desktop Session was disconnected. Reconnected with the first client caused the second client to lose its connection.

Tuesday, November 9, 2010

Getting Server 2008 to return a PING

Windows Server 2008 is deployed in a secured configuration.  As a result, a basic troubleshooting, the PING command, is not able to function.  This is a simple fix involving the firewall.  This article will focus on how to change this setting using Group Policy so you only have to do it once in a multi server environment.

Log onto one of your Windows Server 2008 domain controllers.

Click Start / Administrative Tools / Group Policy Management

Either select a GPO to use, or create a new GPO.  To create a new GPO, right click Group Policy Object and select New.  Give the GPO a new and click OK.

Right click the GPO you want to use and click Edit.

Expand Computer Configuration / Policies / Windows Settings / Security Settings / Windows Firewall with Advanced Security / Inbound Rules

image

Right click Inbound Rules and select New Rule.

Select Predefined and then select File and Printer Sharing from the drop down list.

Click Next.

image

 

Check File and Printer Sharing (Echo Request – ICMPv4-In) and click Next

If you are using IPv6, check File and Printer Sharing (Echo Request – ICMPv6-In)

image

Select Allow the connection  and then click Finish.

image

Close the Group Policy Management Editor.

Any OU that you will apply this policy to will set the Windows Firewall to allow the PING request to be responded to.

Monday, November 8, 2010

RDC client upgrade for Windows XP

The following link will take you to the Microsoft article concerning upgrading your XP RDC clients to the Windows 7/Server 2008 R2 compatible version. Take note of the known issues section. The download link for each version is at the bottom. As always, make sure you test before deploying to your clients.

http://support.microsoft.com/kb/969084

Saturday, November 6, 2010

Unable to view the DNS event log

To set up the senerio for this question. A user had installed a DNS server on a Winodws Server 2008 Server Core installation and was managing it from a graphical interface on another server. When an attempt was made to look at the log files, the user received the error:

Unable to complete the operation on “DNS Events”.
The file size exceeds the limit allowed and cannot be saved.

Upon further investigation, I found that the log file was actually empty.






I also noticed that there were no zones configured for this DNS server. Once I created a forward lookup zone, I was able to open up the log.




Friday, November 5, 2010

How to clear the print queue when the user logs off (Workgroup Version)

A common problem with using a client that multiple users log into is that a sensitive document could be stuck in the local print queue. With law suit heavy lawyers running around, you do not want to put your organization at risk. The below procedure will help to mitigate this issue. (Note: The following procedure is performed and tested on Windows 7) This procedure will set up your clients to clear their print queues when a user logs off. This prevents the printer from coming online and printing sensitive information when another user logs on.

On your Windows 7 client, click image , type Notepad and press Enter.

Copy and past the following code:

net stop spooler
del %systemroot%\system32\spool\printers\*.shd
del %systemroot%\system32\spool\printers\*.spl
net start spooler

Click File \ Save As

In the Save as Type: dropdown box, select All FIles.

In the File name: box, type C:\DeletePrinJobs.cmd.

In a production environment, you may want to put this somewhere other then the C: drive. The above batch file will clear out any stuck printouts in the print queue on the local client when it the batch file is ran. To test this, I created two fictitious printers. One is the default printer, the other is not.

image

I sent test pages to both. Right now we have documents pending in both queues. When the batch file was ran, both queues emptied. To get this to happen each time a user logs off, you need to place it in a log off script.

Save this script to a location on the hard drive that all users have access to.

Next, we need to configure the local policy on the client to run this script as a log off script.

Click image , type MMC and press Enter.

Click File \ Add Remove Snap-in…

Select Group Policy Object, click Add

Click Finish  and then click OK

Expand User Configuration \ Windows Settings

Click Scripts (Logon/Logoff)

image

Click Double click Logoff

Click Add

Click Browse

Browse to the location where you stored the script.

Click the script that you created and then click Open

Click OK

Close the policy.

From here you will have to apply the GPO according to your company policies.

Once the GPO is applied, each time you users log off the client, any printouts in the local print queue will be deleted.

Thursday, November 4, 2010

Moving from the DS DOS commands to PowerShell V2

In the original implementation of PowerShell, I was very discouraged with the lack of Active Directory support. SUre, you can create user accounts and Organizational units, but it was not easy.  With PowerShell V2, that all changed with the addition on the Active Directory module. For the Microsoft Exam 70-640, I’m seeing a couple of changes. In the Maintaining the Active Directory Environment, I’m seeing PowerShell listed with no mention of the DS commands that are taught in The instructor lead course 6425B.  Here are some tips on how to do the PowerShell equivalent of the DS commands.

 

DSQuery returns objects out of Active Directory.  With DSQuery you can return information on objects in Active Directory

DSGet returns specified attributes of an object.

DSMod modifies specified attributes of an object.

DSAdd creates an object in the directory.

DSMove moves an object to a new container or OU.

DSRM removes an object, all multiple objects, from the directory.

 

PowerShell, with the Active Directory module installed, you can do all these things.  So why make the change?  Well, Microsoft is making the change.  With the force the Microsoft is placing behind PowerShell, and how frequently it is listed on exam topics.

The first requirement is to install PowerShell V2.  V2 is installed by default on Windows 7 and Server 2008 R2.  This can be downloaded from Microsoft (http://support.microsoft.com/kb/968929). Once you have installed PowerShell V2, you also need to install the Remote Server Administrator Tools onto your client:

RSAT for VISTA :http://www.microsoft.com/downloads/details.aspx?familyid=9ff6e897-23ce-4a36-b7fc-d52065de9960&displaylang=en

RSAT for WINDOWS 7:http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

 

OK, now that all that work is done, start PowrShell.  Type Import-Module ActiveDirectory.  This will add 76 new cmdlets specifically for active directory into your PowerShell session.  These cmdlets have a verb-noun syntax. For the verbs, you have:

Add – add an object to another object.

Enable – Enables an object

Get – returns an Active Directory object

Move – Moves an object

New – Creates as object.

Remove – Removes an object from Active Directory.

Set – Modifies the properties of an object.

For the Noun portion you have a lot more choices.  Here are a few of them:

Computer

Group

OrganizationalUnit

User

The DS commands were designed for command line / batch file management of Active Directory.  For daily use, the GUI is still the best method, unless you have a very specific need.  For example, let’s say you needed to move all the users from 5 different OUs to a single OU.  There are 500 user objects in each OU, but only about 15 of them are in the SalesTeam group.  How would you accomplish that with a GUI?  That is why we still use a shell environment.  For the sake of demonstration, the OU we want the user objects to end up in is called Indianapolis.  It does not matter what OU they reside in.  The group we want to filter on is called SalesTeam_GG.  Here is the PowerShell command that will make this happen:

Get-ADGroupMember –identity SalesTeam_GG | Move-ADObject –Targetpath “OU=Indianapolis,DC=MCTNET,DC=com”

 

That’s it! PowerShell will first enumerate all the users in Active Directory that are members of the SalesTeam_GG group.  Then those objects are sent to the Move-ADObject cmdlet and are sent to the Indianapolis OU.  Try that in a GUI!

How do you know what each of these PowerShell cmdlets can do?  Well, first let’s find them.  Type Get-Command *-AD* and press Enter  Most of the cmdlets listed here are Active Directory commands.  PowerShell also has a very good built in help structure.  Type in Get-Help Get-ADGroupMember –full.  This will give you a description of the cmdlet, its syntax, parameters, and examples on how to use it.

Here is a simple comparison of some of the PowerShell commands vs an equivalent DS command:

DSQuery

DS Command PowerShell (not all of them)
DSQuery Get-ADComputer
Get-ADUser
Get-ADGroup
Get-ADGroupMember
DSGet Same as above
DSAdd New-ADComputer
New-ADUser
New-ADGroup
New-ADOrganizationalUnit
DSMod Set-ADComputer
Set-ADUser
Set-ADGroup
DSRM Remove-ADComputer
Remove-ADUser
Remove-ADGroup
Remove-ADOrganizationalUnit

 

It would be a good idea to review these commands prior to taking the exam just to be safe.

Tuesday, November 2, 2010

Enabling Remote Desktop on Server Core 2008 R2

On a GUI version of Windows, you have this nice graphical way of turning on Remote Desktop. Just open the Server Manager and click Configure Server Manager.

image

Click Configure Remote Dekstop and you see the nice GUI below.

 

 

Not so for Server Core.  One nice thing is that with the R2 version, we can do this without called a long, cryptic script.

Log into Server Core R2.

Type sconfig and press Enter.

Press 7 for Remote Desktop and the press Enter.

Press E to Enable and then Enter.

image

You now get two options.  With WIndows Vista and WIndows 7, you can connect to a remote desktop session more securely than you could with Windows 200 or XP.  If you are only going to connecting with Windows Vista/7/2008, then select option 1.  If you will be connecting to this remote desktop session with Windows XP, click option 2.

image

When you see the above prompt, then Remote Desktop is enabled.

Monday, November 1, 2010

Can AD RMS be used to prevent usage of Print Screen?

According to Microsoft’s documentation, you can prevent the transfer of data by using AD RMS to restrict the Print Screen functionality. Here is an excerpt from that documentation:

Microsoft Sharepoint is not required to install or use AD RMS. Using AD RMS with Microsoft Sharepoint can provide the following benefits:

  • Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or copying and pasting the content for unauthorized use
  • Helps to prevent an authorized viewer from copying the content by using the Print Screen feature in Microsoft Windows
  • Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again
  • Helps to enforce corporate policies that govern the use and dissemination of content within your organization

For additional information, see Microsoft Office SharePoint Server (MOSS)(http://go.microsoft.com/fwlink/?LinkId=154664).