Advanced Windows PowerShell Scripting Video Training


Monday, January 31, 2011

Prevent DNS Cache Corruptions

DNS cache corruption occurs when a malformed query is accepted from a remote name server.  To make sure your DNS servers are protected, follow this procedure:

Open DNS Manager.

Right click the DNS server and then select Properties.

Click the Advanced tab.

Make sure to check Secure cache against pollution and click OK.

Friday, January 28, 2011

How to find out which clients in your domain were added by an Authenticated User

In a Windows domain, all Authenticated Users have the ability to add up to 10 clients to the domain without contacting a Domain Admin. Here is how to find out which computers were added to your domain by your users.

On the Windows Server 2008 R2 Domain Controller, open PowerShell

Type Import-Module ActiveDirectory and press Enter

Type Get-ADComputer -Filter * -Property ms-DS-CreatorSID | Where {$_.'ms-DS-CreatorSID' -ne $null} and press Enter.

Each computer that is listed has a value in the ms-DS-CreatorSID attribute. If the computer account was pre-created in Active Directory Users and Computers or manually joined by a Domain Administrator, a SID would not be present here. The SID is the SID of the user account that joined the computer to the domain.

OK, that was informative. You may be asking “How do I find out who added what?” The answer is in PowerShell. Sure, you could manually search each Computer account in Active Directory and record any ms-DS-CreatorSID attributes that you find. You could then manually look at the SID for each user and compare them. I would not waste my time that way. Here is a script that will do it for you. This is a PowerShell V2 script. Do not forget to run Import-Module ActiveDirectory in the PowerShell ISE before running this.

$CompList = Get-ADComputer -Filter * -Property ms-DS-CreatorSID | Select name, ms-DS-CreatorSID
$UserAccounts = Get-ADUser -Filter *
ForEach ($Comp in $CompList) {
    ForEach ($User in $UserAccounts) {
        $Test = $User.SID.Value
        If ($Comp -like '*' + $Test + '*') {
            Write-Host $User.Name Created $Comp.Name
        }
    }
}

The first line enumerates all the computer accounts in Active Directory. It includes the property ms-DS-CreatorSID since this attribute is not normally returned in this query. The data is then piped to the Select cmdlet so only the name and the SID are left.

Line 2 enumerates all the user accounts in Active Directory and stores all the objects in the variable $UserAccounts.

Line 3 cycles through each record from line 1 and examines them one at a time.

Line 4 cycles through each record of user accounts one at a time.

Line 5 creates a variable called $Test. This variable holds the value of the SID for the User account that is currently being examined.

Line 6 compares the SID recovered from the creator of the computer account with the user's SID. The data from the computer account has some extra data in it. For that reason, we used wildcard characters around the $Test variable so this extra data will not be of concern.

Line 7 writes who installed what to the display.
The remaining lines are syntax for closing the ForEach loops.
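
The same audit as an added example (not the script from this post): it resolves each creator SID with one exact-match lookup, groups the joined computers per creator, flags creators at the quota, and reports SIDs that no longer map to a user. The function name, its parameters and the sample data are hypothetical and constructed for illustration.

```powershell
# Added example (not the blog author's script). Function and parameter
# names are hypothetical.
function Get-ComputerCreatorReport {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Computer,  # needs Name, ms-DS-CreatorSID
        [Parameter(Mandatory = $true)] [object[]] $User,      # needs SamAccountName, SID
        [int] $Quota = 10                                     # the default of 10 clients per user
    )

    # Index users by SID string so each creator is resolved with one lookup
    # instead of scanning every user for every computer.
    $bySid = @{}
    foreach ($u in $User) { $bySid["$($u.SID)"] = $u.SamAccountName }

    $Computer |
        Where-Object { $_.'ms-DS-CreatorSID' } |
        Group-Object -Property { "$($_.'ms-DS-CreatorSID')" } |
        ForEach-Object {
            $sid = $_.Name
            # Exact match only. A SID with no matching user is typically a
            # deleted account and deserves a closer look.
            $creator = '<unresolved>'
            if ($bySid.ContainsKey($sid)) { $creator = $bySid[$sid] }
            New-Object PSObject -Property @{
                Creator    = $creator
                CreatorSid = $sid
                Joined     = $_.Count
                AtQuota    = ($_.Count -ge $Quota)
                Computers  = ($_.Group | ForEach-Object { $_.Name }) -join ', '
            }
        } |
        Sort-Object -Property Joined -Descending |
        Select-Object Creator, CreatorSid, Joined, AtQuota, Computers
}

# Constructed sample data (not from a real domain) so the function can be
# tried without a domain controller.
$sidBase = 'S-1-5-21-1111111111-2222222222-3333333333'
$users = @(
    (New-Object PSObject -Property @{ SamAccountName = 'jdoe';   SID = "$sidBase-1104" }),
    (New-Object PSObject -Property @{ SamAccountName = 'asmith'; SID = "$sidBase-1105" })
)
$computers = @(
    (New-Object PSObject -Property @{ Name = 'WS01';  'ms-DS-CreatorSID' = "$sidBase-1104" }),
    (New-Object PSObject -Property @{ Name = 'WS02';  'ms-DS-CreatorSID' = "$sidBase-1104" }),
    (New-Object PSObject -Property @{ Name = 'WS03';  'ms-DS-CreatorSID' = "$sidBase-1150" }),  # creator no longer exists
    (New-Object PSObject -Property @{ Name = 'SRV01'; 'ms-DS-CreatorSID' = $null })             # joined by an administrator
)

# -Quota 2 is used here only so the sample data trips the flag.
Get-ComputerCreatorReport -Computer $computers -User $users -Quota 2 | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   $c = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties ms-DS-CreatorSID
#   $u = Get-ADUser -Filter *
#   Get-ComputerCreatorReport -Computer $c -User $u
```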

Thursday, January 27, 2011

How to deploy an ACT Data Collection Package to a large number of clients.

Microsoft’s Application Compatibility Toolkit (ACT) allows you to collect hardware and software inventory information in your domain to help you prepare for client upgrades.  The idea is for you to be able to collect the types of software that are running on your clients so you can test and mitigate any compatibility issues before deploying the images of Windows 7.  This is a very nice, useful, and free application.
In using the ACT, I needed to manually install the Data Collection Package on each client using administrative permissions.  For a small organization, this may be acceptable. In larger organizations, you may need a more automated deployment method.

An easy way to deploy these packages to your clients is through Group Policy.  Before we begin, I need to point out a drawback of a GPO software deployment.  You have no idea if it worked or not.  System Center Operations Manager allows you to do software deployments and provide reports so you know if all went well.  Of course, this comes at a price.  When doing application compatibility testing, you only need a sampling of the clients and applications in your environment. The important thing is to just make sure you have a sampling of every application.

For this demonstration, I created an Organizational Unit in Active Directory called Clients.  I placed a Windows Vista and Windows 7 client in this OU.  I also created a data collection set in ACT 5.6 called MCTExpert_Data_Collection_PKG and placed it in a shared folder called Data.

Next I open Group Policy Management Console on my domain controller.

Expand Forest \ Domain Name \ Group Policy Objects.

Right click Group Policy Objects and click New

Provide a name for this GPO.  I called this one ACT_Data_Collection.  Click OK.

Right click ACT_Data_Collection and select Edit.

To ensure that this package is installed without a UAC prompt, we are going to assign it to the Computer Configuration.  Expand Computer Configuration \ Policies \ Software Settings.

Right click Software Installation and click New \ Package.

Browse to the shared folder and select your package. Make sure you browse by UNC path.  Click Open.

On the Deploy Software page select Assigned and then click OK.

Close the Group Policy Management Editor window.

In the Group Policy Management window, link the policy ACT_Data_Collection to the OU containing the clients that you want to collect data on. Click OK.

You will need to reboot your clients for this to take effect.

A quick check after the reboot using GPResult /r shows that the policy did apply. Remember that 2 reboots may be necessary before you begin to receive reports.

In the Application Compatibility Manager, refresh your reports and you will begin to see the reports on your clients populate.

Wednesday, January 26, 2011

How to change what is stored in the Global Catalog

The Global Catalog (GC) is used for searching objects in other domains in your forest.  Also some applications, like Exchange, use the Global Catalog to help provide their services.  The Global Catalog contains a Partial Attribute Set (PAS) of all the objects in a domain that users generally search for.  The GC is configurable in that you can choose to add properties of objects to be replicated in the GC.  Below is the step by step procedure to do so.

Step 1 – Locate the Schema Operations Master
You should perform this step on the Domain Controller that holds the Schema Operations Master Role.  It is true that Windows Domain Controllers are multi-master.  This means that a change on one will replicate to all.  However, there are certain functionalities that can only be performed by one DC at a time.  To get a list of the current FSMO (Flexible Single Master Operation) role holders:

Click Start.

Type CMD and press Enter.

Type netdom query fsmo and press Enter.  You will get a list like the one below:

Notice that the Schema Master is being held by a Domain Controller called MCT-1.

Step 2 – Register the Schema Snap-in
The Schema Snap-in is one of, if not the, least used of all the Active Directory Snap-ins.  Generally you only modify the schema when upgrading a domain or adding a major product like Exchange.  These products modify the Schema for you.  In this situation, we need to access it for manual modifications.  Just a word of caution, improperly modifying your Schema can cause problems.  Be careful.

Log into the Domain Controller holding the Schema Master role.
Click Start.

Type CMD and press Enter.

Type regsvr32 schmmgmt.dll and press Enter.
This will register the Active Directory Schema snap-in.

Step 3 – Specify the properties that you want to be a part of the PAS.

On the Schema Master Domain Controller, click Start.

Type MMC and press Enter.

Click File \ Add-Remove Snap-ins…

Click Active Directory Schema and then Add.

Click OK.

Expand Active Directory Schema (DomainName).

Click Attributes.

Locate the attribute that you want to replicate in the PAS.  For this example, we will select Title

Double click Title to open its properties.

Check Replicate this attribute to the Global Catalog.

Click OK.

Once replication has completed, your users will be able to search by title for objects in other domains inside your forest.  Remember, this is a forest wide replication, it may take some time before it is in effect in all domains.

Tuesday, January 25, 2011

Can you copy and paste the Active Directory Database from one DC to another to recover it?

Warning!!! Do not do this.

This is an interesting question from class.  To set this up I added a second Domain Controller into a virtual network.  I then stopped the AD DS server on the new DC and deleted the contents of c:\Windows\NTDS.
The next step was to copy the contents of the database folder from the good DC to the target DC.  To do this, I also had to stop the NTDS service on the source DC.

Once the copy was completed, I restarted the AD DS service on the source DC. I then attempted to restart the AD DS service of the target DC.  It did not like it very well.  As a matter of fact, while attempting to restart the AD DS service, the DC went into reboot. As a matter of fact, the system was not able to boot after that. 
This is a good example of why we test these ideas on virtual machines with snapshots, and not actual production servers.

Monday, January 24, 2011

Can you both audit a file screen and enforce another one on the same folder?

This question came about when a student was wondering about enforcing a file screen for one type of file, but auditing for another type. I first tested this by attempting to apply two separate file screens to the same folder. I received the following error:

Can't create file screen in the given path as a file screen already exists for that path.

I then created a child folder inside the original one and then applied a different file screen to it. In this configuration, I was able to get FSRM to block one type of file, and audit the other. Set up your share on the child folder. This one will have both screens being applied to it and is the one that we want users to store their data in.

Friday, January 21, 2011

Prevent Authenticated Users from adding Computers to the domain.

I never really understood the logic behind this one. By default, members of the Authenticated Users group can add up to 10 clients to your domain. I’ve tested this and it is true. I created a new user in my domain without giving the user any special privileges and added a client to the domain without any issues. This is why it is so important to make sure you have redirected your default computer container to an OU that is heavily locked down.

Another avenue to think about is if you are deploying software by user account. The user will be able to steal company software. Also, any malware on this rogue client will now be on your network.
To change the default container in which new computer objects will be placed, log into your Domain Controller and type this:

Redircmp container-dn contain-dc

For example
redircmp OU=MyComputers,DC=Contoso,DC=com

The burning question here is how to stop this from happening. On your Windows Server 2008 Domain controller, click Start.

Type ADSI Edit and press enter.

Right click ADSI Edit and then click Connect to.

In the Connection Settings window, click OK

Expand Default naming context.

Expand the Distinguished Name of your domain.

Right click the Distinguished Name of your domain and click Properties.

Select the property named ms-DS-MachineAccountQuota and then click Edit.

Set the value to 0 and then click OK

Your Authenticated Users can no longer attach a client to your domain.

Thursday, January 20, 2011

Configure IPv6 for DHCP in your entire domain

The network adapters on a Windows 7 client are configured for router discovery for automatic IP addressing for the IPv6 protocol.  To configure your clients for DHCPv6, you need to disable router discovery and enable the Managed Address flag on the NIC.  To do this, you must log into each client and execute the following commands.

netsh int ipv6 set int Interface_Index RouterDiscovery=Disabled
netsh int ipv6 set int Interface_Index ManagedAddress=Enable

Scale this for domains with thousands of clients with multiple NICs and you have a management problem.  This clearly presents a challenge.  The set of tasks below will help you to set this configuration across your entire domain in a much more time efficient manner.

To accomplish this, we are going to use a combination of Group Policy and PowerShell V2. What this task entails is to configure your servers to allow you to utilize the PowerShell remoting features to connect to each client, and then run the necessary commands to configure each NIC on each client for DHCPv6.

Step 1, Allow your servers to receive PowerShell remote commands
You can do this in one of two ways. For just a few clients, you can log in as an Administrator and run WinRM QuickConfig. Press Y and Enter when prompted.

For many clients, you will want to do this via group policy.

Open up Group Policy Management.

Expand your Forest / Domains / DomainName

Right Click Group Policy Object and click New.

Provide a name for this GPO. For this demonstration, I named mine PSRemoteSetup.

Right click your GPO and click Edit.

Expand Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Service.

Open Allow automatic configuration of listeners
- Set this policy to Enable
- Enter * in IPv4 filter:
- Enter * in IPv6 filter:
- Click OK

Expand Computer Configuration / Policies / Windows Settings / Security Settings / Windows Firewall with Advanced Security / Windows Firewall with Advanced Security
- Right click Inbound Rules and select New Rule.
- Select Predefined.
- In the drop down box, select Windows Remote Management
- Click Next
- Check only Windows Remote Management (HTTP-In)
- Click Next.
- Select Allow the connection.
- Click Finish

If this policy is going to be applied to only Windows Server 2008 servers, exit Group Policy Management Editor and move on to step 2.

If this policy is going to be applied to Windows Vista or Windows 7 clients, we need to enable one more Group Policy.

- Expand Computer Configuration / Policies / Windows Settings / Security Settings / System Services
- Double click Windows Remote Management (WS-Management)
- Check Define this policy setting
- Select Automatic
- Click OK
- Exit Group Policy Management Editor and move on to step 2.

Step 2
Now, link this GPO to the OUs that contain the servers and clients that you want to be able to remotely manage with PowerShell. You can do this by right clicking the OU you want this GPO to manage and clicking Link an Existing GPO…

Click PSRemoteSetup and click OK

Step 3 involves creating PowerShell code that first extracts the list of servers from Active Directory

Open the PowerShell ISE. This can be done by typing in PowerShell on the Windows 7/Server 2008 R2 search line. It is also located at Start \ Accessories \ Windows PowerShell. Right click Windows PowerShell ISE and select Run as administrator.  This is because you must have administrative access to execute the commands in the script we will be using.

The ISE allows us to build multi-line scripts with ease as compared to the script building process of PowerShell v1.0.

We also need to enable the execution of scripts. For now, type Set-ExecutionPolicy Unrestricted and then click Yes. This allows the ISE to execute any script we give it.  Of course, follow the security guidelines of your organization when it comes to the Execution Policy for PowerShell.

We are now ready to start scripting. Type this code in the ISE

# ===================================================
# Script Name: IPv6_Config_Domain.ps1
# Author:  Jason A. Yoder, MCT
# Website:
# Blogsite:
# Script Purpose:
# This script will allow network administrators
# to access the client in their Windows Domain
# and set the IPv6 attributes on all network
# adapters to use DHCP for their configuration.
# Requirements:
# - OS: Windows 7, Windows Server 2008 R2
#   Vista if PowerShell V2 is installed.
# - The ISE (or shell environment) must be
#   started with administrative rights.
# - All Clients must have PowerShell V2 installed.
# - All clients must be configured for PowerShell
#   remote management.
# - Client or server that this is ran from must have
#   RSAT installed.
# ===================================================
$ErrorActionPreference ="stop"
#$ErrorActionPreference ="SilentlyContinue"

# Import in the Active Directory module.
Import-Module ActiveDirectory

# Display script title information on the screen.
Write-Host "Script: IPv6_Config_Domain.ps1.....Starting"

# Add to this comma separated list, the distinguished name
# of each OU that holds clients that you want to configure.
[array] $OUList = "OU=clients,DC=MCTNET,DC=com"

# Begin cycling through the list of OUs.
ForEach ($OUPath in $OUList){

    # Create a list of clients from the OU to configure.
    [array] $ServerList = Get-ADComputer -Filter * -SearchBase $OUPath
    # Cycle through the list of clients and execute the
    # configuration changes.
    ForEach ($Name in $ServerList){

        Invoke-Command -ScriptBlock{
            # Enumerate the list of all NICs on the client.
            [array] $IndexList = invoke-Command {netsh int ipv6 show int}

            # Determine the number of text lines returned from
            # the previous command.  The data starts on record
            # number 3.
            $SizeOfList = $IndexList | Measure-Object

            # Begin cycling through the returned data and
            # extract the NICs Index numbers
            For($i=3; $i -le $SizeOfList.count-2; $i++)
            {
                # Split each line of the returned array into an array
                # of characters
                [array] $CharArray = $IndexList[$i].ToCharArray()
                # Join the first three characters (the right-aligned
                # Idx column) into an integer. This integer represents
                # the Index value for the NIC that is being examined.
                $Int = -join ($CharArray[0..2])
                $Int = [int]$Int.Trim()

                # Use this set of code to enable Router Discovery
                #$IPv6String1 = invoke-command {netsh int ipv6 set int $int RouterDiscovery=enable}
                #$IPv6String2 = Invoke-Command {netsh int ipv6 set int $int managedaddress=disabled}

                # Use this set of code to disable Router Discovery and
                # turn on DHCPv6.
                $IPv6String1 = invoke-command {netsh int ipv6 set int $int RouterDiscovery=Disabled}
                $IPv6String2 = Invoke-Command {netsh int ipv6 set int $int managedaddress=enable}

                # Show which adapter was configured.
                Write-Host "Adapter: $Int"
            }

        } -ComputerName $Name.Name -AsJob -JobName "IPv6 Configuration"

        If ($? -eq $False) {
            Write-Host -fore Red -back Yellow "$($Name.Name) is offline"}
    }
}
Write-Host "Script: IPv6_Config_Domain.ps1...Completed"

In the opening comments section, take note of the requirements.  They must be met before this script will run.  This script utilizes the new remoting functionality of PowerShell V2.  Two items you should note here.  This script will configure each network interface on each client that it touches.  If this is not desirable, you will have to add the intelligence into the code to change only the NICs that you want to change.  Also, if a client is offline, it will not receive the configuration.  After the script completes, look through the output to see any clients that were offline.  They will be displayed with red text on yellow.

Should you have clients that were not online when this script was executed, you can execute it again later.  There will not be any adverse effects if it is run on a client that it has already configured.  Notice that there is code to enable Router Discovery should you want to switch back.  Just enable that code and comment out the code to enable DHCPv6.

Wednesday, January 19, 2011

How to force replication of all Domain Controllers by command line

Here is an easy one.  Just open a command prompt and type Repadmin /syncall.  Use the GPOTool on your 2008 server to monitor the progress of the replication, should you be replicating GPO changes.

Tuesday, January 18, 2011

MCTExpert Blog is now on your Kindle

Today, MCTExpert is announcing that our blog site is now available for subscription to users of Amazon's Kindle electronic book.  The MCTExpert blog contains the more detailed questions that get asked in my classes that I want to provide a more in depth response to.  These are real questions from real Network Administrators in the field.  I've had comments from former students that my responses to their questions have helped them pass the Microsoft certification exams.  There is a 14 day free trial subscription.  Get your daily dose of what other IT professionals are asking about.  Click here to go to the Kindle Store.

Monday, January 17, 2011

How to add a shared printer on a server using Group Policy Preferences

Group Policy Preferences is a great place to add a printer to your clients.  The question here is how to do it for a printer that is shared on a server.  For this example, I created a printer on my server called Network Printer 1.  I also shared this printer and then made it searchable by listing it in Active Directory.  To list your printer in Active Directory:
Open the Control Panel \ Hardware \ Devices and Printers.
Right click the printer and click Printer Preferences.
Click the Sharing tab.
Check the box for List in the directory.
You can test the publishing in Active Directory by going to your client (Windows 7 client in this case).
Click Start \ Devices and Printers.
Click Add a Printer on the menu bar.
Select Add a network, wireless, or Bluetooth printer.
The printer that you published should appear.
That is nice, but the objective here is to be able to share this printer using group policy.
We are going to create a new Group Policy Object for this deployment.  On your Windows 2008 R2 Server, click Start \ Administrative Tools \ Group Policy Management.
If needed, expand the hierarchy until you see a container called Group Policy Objects.  Go ahead and expand it.
Right click Group Policy Objects  and select New.
Give the policy a name. In this case, we will call it SharedServerPrinters.
Click OK.
You will see the GPO listed under the Group Policy Objects container.  Right click it and select Edit.
Expand User Configuration \ Preferences \ Control Panel Settings
Right click Printers \ New \ Shared Printer
In the Action drop down list, select Create.
In the Share Path, click the […] button.
Here is where publishing the printer in Active Directory helps out.  The Find Custom Search window opens.  Instead of having to search for the printer, look in the box at the bottom of the Find Custom Search window.  It lists the printer that we want to share.  Click that printer and then click OK.
You can set this as the default printer for the user by checking the Set this printer as the default printer check box or just add the printer to the list of printers available to this user.
Click OK
Close the Group Policy Management Editor
Now for a best practice.  Since we only configured a portion of the User configuration, we are going to disable the computer portion of this GPO.  Under Group Policy Objects, click the GPO you just created.
Click the Details tab
In the GPO Status drop down box, select Computer configuration settings disabled.
Click OK.
We now need to link this GPO to an Organizational unit that contains a user account that you want this printer to be made available to.  To do this, simply drag and drop the GPO onto an OU that holds your users.  Remember, you can link this GPO to multiple OUs. Click OK to confirm the link.
It is now time to log into your Windows 7 client with one of the user accounts that you linked the GPO to.
Now, click Start \ Devices and printers
You should now see the printer listed on your client.
If not, open a command prompt and type GPUpdate /force.  If this did not work, it may mean the replication of the group policies has not yet reached the domain controller that your client is pulling its group policies from.  This can take up to 2 hours, but more than likely will happen faster.

Friday, January 14, 2011

My 2010 report card

One thing that I look forward to is the evaluations from my classes.  Microsoft utilizes Metrics That Matter to allow students to provide feedback about the course, content, training provider and yours truly.  Below is the summary data of my performance as compared to other MCTs for 2010.  As you can all see below, I am well above average.

Statistically speaking, that is a 96% approval from my students.

Student comments from 2010:
“Jason has presented classes I have attended in the past and he is a good instructor and knows his material well.”

“I don't know how he could have improved. He really was great at providing examples, and his understanding was excellent.”

“If Jason doesn't know the answer to any of my questions he will find out and I will get "the email". I am always happy with his answers.”

“I appreciated Jason's control in a trying environment. He was able to walk us through keeping the Hyper-V environment working for these labs. Jason also brought real world examples to each of the modules to explain many of the concepts.”

“Jason was an excellent instructor.”

“Excellent instructor and very knowledgeable!”

“He did extremely well. One of the better instructors that I've taken classes from.”

“Listened, responded, tried to involve the group. Researched questions relating to the topics of the class. Involved teaching style.”

“Very pleased with the instructor's knowledge and presentation skills. I felt that his ability to provide real life examples allowed me to learn more about this subject, opposed to just standing up there and giving a power point presentation. Even though this was only a 3 day course, the instructor was very personable and very willing to help or find a solution to a question.”

“Jason did a great job. He was very helpful and you can tell he really loves his job.”

“Did a great job!”

“Excellent, as usual”

“He knows his stuff and was able to engage in a conversation/discussion as needed for clarification.”

“Great Instructor.”

“Maybe the best instructor I have ever had.”

“Very good teaching style. Highly recommend.”

“One of the only issues I had with this course was that it was not a server 2008 R2 environment. Jason was able to help me overcome this by stating how you would do a task in both R1 and R2 scenarios.”

If you want to see comments like this from your clients, become one of mine.  Click here to find out how to contract me.

Thursday, January 13, 2011

How to Combine WIM images

One of the neat features of Microsoft's WIM format is Single Instancing and the ability to hold more than 1 image in a single WIM file.  In Single Instancing, you only need to have one copy of a file for multiple images.  Let’s say I have 3 Windows 7 images.  Each one has 3 different configurations.  They all have Windows in common.  Why keep more than a single copy of Notepad.exe?  The first image will contain every file that it needs.  Each additional image will contain a reference to identical files in the first image. Anything the previous images do not have will be contained in the image.  This will greatly reduce your image storage requirements.

This blog article looks at combining two separate images into one.  For this example, I have two images.  One called Lab1.wim, which is my base image for a Windows Server 2008 R2. The second is the setup for course 10215 called Lab1-10215.wim.  The base image is 2.90 GB and the class setup is 64.6 GB.  OK, we will not see much of a space savings here but you will get the idea.

We are going to apply the smaller image to the larger one to save some time.
To do this we need to mount one of the images.  First create an empty folder to mount the image in.  For my example, I am going to use a folder called MountedWim on the M: drive.

Open a command prompt with administrative rights.

We will mount the image using Deployment Image Servicing and Management command line tool.
DISM /mount-wim /wimfile:M:\lab1.wim /name:"Basic Image" /mountdir:M:\Mount

Now that we have mounted the image, we can append it to the larger image. I copied the ImageX program from the Windows Automated Installation Kit to my M: drive.  If you have images to work with, you more than likely already have a copy of ImageX.

Imagex /append m:\Mount m:\Lab1-10215.wim "Lab1 Images"

The imaging process will begin.
Once the process is completed, type ImageX /info Image_file_name. You will see the XML file for the WIM file.  It will now show two image indexes:

ImageX Tool for Windows
Copyright (C) Microsoft Corp. All rights reserved.

WIM Information:
GUID:        {52583ec7-4f82-4810-84a6-c91532d045a9}
Image Count: 2
Compression: LZX
Part Number: 1/1
Attributes:  0x8
             Relative path junction

Available Image Choices:
    <NAME>10215 Setup</NAME>
      <PRODUCTNAME>Microsoft« Windows« Operating System</PRODUCTNAME>
    <NAME>Lab1 Images</NAME>
      <PRODUCTNAME>Microsoft« Windows« Operating System</PRODUCTNAME>

Now, let’s look at the file sizes. The original WIM file sizes are 2.90 GB and 64.4 GB.  A file combination of those two files without Single Instancing is 67.3 GB.  The new, combined WIM file is 64.6 GB.  Only a .2 GB increase in file size.  Again, this is a very basic demo but it goes to show the hard drive savings that storing more than one image in the same WIM file can bring to your storage system.
Do not forget to unmount the wim file.

dism /unmount-wim /mountdir:m:\Mount /commit

Wednesday, January 12, 2011

How to add a user to the Local Administrators group in Server Core 2008 R2

Here is an easy way to add a new user into the Local Administrators group on your Windows Server 2008 R2 box.
Log in as a member of the Local Administrators group.
Type Sconfig and press Enter.
Press 3 for Add Local Administrator
In the example above, you can see the two ways to define a user account depending if this Server Core is in a domain, or a workgroup.  This particular one is in a workgroup.
Type the name of the new user and press Enter.
You will be prompted for a password and then to confirm it.
You will see the prompt above informing you of the account's creation.
Type 10  to log off the server core.
You should now be able to log on with the new user account.

Tuesday, January 11, 2011

Set Directory Access Changes through Group Policy


Directory Access Changes allows your servers to record (when possible) both the old and the new values of an object after a change.  This means that if a value was incorrectly changed, the old value may be recorded in your audit log.  To configure this, you would have to log into each server and type:

Auditpol /set /subcategory:"Directory Service Changes" /Success:Enable

For one or two servers, this is OK.  For hundreds, this is a problem.  You can utilize Group Policy to configure this on each of your servers/clients.

Either create a new GPO, or use an existing one that is scoped to your requirements.

Expand Computer Configuration \ Policies \ Windows Settings \ Advanced Audit Policy Configuration \ Audit Policies \ DS Access

Double click Audit Directory Service Changes.

Check Configure the following audit events.

Check Success and/or Failure

Click OK.


Once this policy is applied and your clients/servers refresh their Group Policies, you can test this GPO.

On a client/server that had this policy applied, click Start.  Type cmd and press Enter.

Type auditpol /get /subcategory:"Directory Service Changes" and press Enter.

You should see the configuration that you set.
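
With this subcategory enabled, a domain controller writes an attribute change to the Security log as event 5136: one record marked Value Deleted for the old value and one marked Value Added for the new value. The following is an added example, not part of the original post, that pairs those records into one old/new row; Get-DirectoryChange is a hypothetical helper name and the two sample events are constructed.

```powershell
# Constructed sample: two Security-log 5136 records describing one change.
# Field names follow the 5136 event schema; every value is made up.
$template = @'
<Event><EventData>
  <Data Name="OpCorrelationID">{11111111-2222-3333-4444-555555555555}</Data>
  <Data Name="SubjectUserName">jsmith</Data>
  <Data Name="ObjectDN">CN=Alice Example,OU=Staff,DC=example,DC=local</Data>
  <Data Name="AttributeLDAPDisplayName">telephoneNumber</Data>
  <Data Name="AttributeValue">@VALUE@</Data>
  <Data Name="OperationType">@OP@</Data>
</EventData></Event>
'@
$sample = @(
    $template.Replace('@VALUE@', '555-0100').Replace('@OP@', '%%14675'),  # Value Deleted
    $template.Replace('@VALUE@', '555-0199').Replace('@OP@', '%%14674')   # Value Added
)

function Get-DirectoryChange {
    param([string[]]$EventXml)   # one XML string per 5136 event
    # Flatten each event's <Data Name="..."> elements into an object.
    $records = foreach ($xml in $EventXml) {
        $fields = @{}
        foreach ($d in ([xml]$xml).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        New-Object PSObject -Property $fields
    }
    # Records from the same operation on the same attribute belong together.
    $records | Group-Object OpCorrelationID, ObjectDN, AttributeLDAPDisplayName | ForEach-Object {
        $old = $_.Group | Where-Object { $_.OperationType -eq '%%14675' }
        $new = $_.Group | Where-Object { $_.OperationType -eq '%%14674' }
        New-Object PSObject -Property @{
            ChangedBy = $_.Group[0].SubjectUserName
            Object    = $_.Group[0].ObjectDN
            Attribute = $_.Group[0].AttributeLDAPDisplayName
            OldValue  = ($old | ForEach-Object { $_.AttributeValue }) -join '; '
            NewValue  = ($new | ForEach-Object { $_.AttributeValue }) -join '; '
        }
    } | Select-Object ChangedBy, Object, Attribute, OldValue, NewValue
}

Get-DirectoryChange $sample | Format-List

# On a domain controller, feed it the live log instead of the sample:
# Get-DirectoryChange (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} |
#     ForEach-Object { $_.ToXml() })
```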


Monday, January 10, 2011

How to use PowerShell to scan a server for a specific file type?

This is an easy one liner:

Get-WMIObject Win32_LogicalDisk -filter "DriveType = 3" | Select-Object DeviceID | ForEach-Object {Get-Childitem ($_.DeviceID + "\") -include *.wav -recurse}

Let’s break this one down into its individual parts.

Get-WMIObject Win32_LogicalDisk -filter "DriveType = 3"

In the above line, we are using WMI to access all the logical drives on the server.  We are using logical drives because we do not know how the drives are partitioned.  We are also looking for Drive type #3. Here is a list of the different drive types:

1 - Drive could not be determined

2 - Removable drive

3 - Local hard disk

4 - Network disk

5 - Compact disk (CD)

6 - RAM disk


Select-Object DeviceID

The Select-Object cmdlet allows us to focus on just the DeviceID. The DeviceID is the drive letter.

ForEach-Object {Get-Childitem ($_.DeviceID + "\") -include *.wav -recurse}

The ForEach-Object cmdlet allows us to examine one object at a time in an array of objects.  Get-Childitem is functionally the same as DIR in DOS.  By using $_.DeviceID we are simply saying "get the drive letter of the hard drive we are looking at."  Adding the "\" sets up the correct syntax for our search. The -include parameter tells PowerShell what we are interested in.  In this case, we are looking for all files with a .wav extension. The -recurse parameter gets the items in a location, and in all child locations.  It is what allows us to search through each folder and subfolder on each hard drive.

We can take this one step further.  To remove the files found, add this to the end of the command line above:

| Remove-Item

Be careful with this. You can do some damage if you are not careful. If you want to confirm each deletion, use this line instead:

| Remove-Item -Confirm
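
Before piping a recursive search into Remove-Item, it helps to capture what was found and do a dry run. The following is an added example, not code from the original post: Find-FileByExtension is a hypothetical helper name, and the folder tree it runs against is constructed under the temp directory so nothing real is touched.

```powershell
function Find-FileByExtension {
    param(
        [string[]]$Root,               # drive roots or folders to search
        [string]$Extension = '.wav'    # exact extension, including the dot
    )
    foreach ($r in $Root) {
        # -Force includes hidden/system files; SilentlyContinue skips folders
        # the account cannot read instead of stopping on access-denied errors.
        Get-ChildItem -Path $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -eq $Extension } |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Constructed test tree so the example can be run safely anywhere.
$demo = Join-Path $env:TEMP 'wav-scan-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'sub') -Force | Out-Null
'x' | Set-Content (Join-Path $demo 'a.wav')
'x' | Set-Content (Join-Path $demo 'sub\b.wav')
'x' | Set-Content (Join-Path $demo 'notes.txt')

# Keep a record of what was found before anything is removed.
$found = Find-FileByExtension -Root $demo
$found | Export-Csv -Path (Join-Path $demo 'report.csv') -NoTypeInformation

# Dry run: -WhatIf reports each file that would be deleted and deletes nothing.
$found | ForEach-Object { Remove-Item -LiteralPath $_.FullName -WhatIf }

# To cover every fixed disk, as in the one-liner, build the roots like this:
# $roots = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" |
#          ForEach-Object { $_.DeviceID + '\' }
```

Once the report looks right, replace -WhatIf with -Confirm to be prompted for each file.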

Friday, January 7, 2011

In PowerShell, can you have the disk size reported in MB or GB?

In PowerShell V2, you can have data values returned as KB, MB, GB, etc… In the example below, the information is going to be returned in bytes:

GWMI Win32_LogicalDisk | Select DeviceID, Freespace | FL

The output will look like this:


The first section will call the WMI object to enumerate the properties of all the logical disks on the system. The second portion will select to display only the DeviceID (drive letter) and how much free space is left. The third section is just for controlling the format of the output.

In PowerShell V2, you can have PowerShell reformat the data to reflect MB or GB.

GWMI win32_logicaldisk | Select deviceID, @{Label='Freespace(GB)';Expression={$_.freespace/1GB}} | FL


In the above example, we slightly changed what we entered.  First we changed the label that was going to be displayed for the data.  The default is Freespace.  We changed it to Freespace(GB) to better represent the format that data was going to be in.  Next we did the math to convert the value from bytes to Gigabytes.  PowerShell understands what MB, GB, and TB mean.  In the example below, I simply typed in a value and PowerShell told me what the value is in bytes.


When the code in red above is entered, the result is below.


Our data is being represented in GB.

Thursday, January 6, 2011

Boot from a VHD file

Windows 7 and Windows Server 2008 R2 have a really neat testing feature.  It is called boot from VHD.  VHD stands for Virtual Hard Disk.  It is the file type that is used in Hyper-V virtual machines.  This boot option allows you to test an image on the actual hardware before you deploy an image of the VHD to your clients and servers.  Here is how you set up a Boot from VHD on Server 2008 R2.

First, open Server Manager.

Expand Storage and click Disk Management. Give it a few seconds to load.

Right click Disk Management and select Attach VHD.

In the Attach Virtual Hard Disk window, click Browse.

In the Browse Virtual Disk files window, browse to the VHD file and click it.

Click Open.

Click OK.

Take note of the drive letter the VHD mounted as. In my example, the drive letter is W.  You will also notice that its icon is a light blue as opposed to a light grey for actual physical drives.


Close Server Manager.

Open a command prompt as an Administrator.  To do this, click Start.  Type CMD.  In the Programs list, right click CMD and select Run as Administrator.  You may be prompted for credentials.

Type bcdboot w:\windows and press enter.  You will see the output as Boot files successfully created.

Type bcdedit /set {default} Description VirtualComputerName.  This will change the description listed in your boot options.  Since my host and this VM are both Windows Server 2008 R2 installations, they both say Windows Server 2008 R2.  Not exactly very descriptive.

Once this change is made, click Start.

Right click Computer and select Properties.

In the System window, click Advanced System Settings.

In the Advanced tab, under Startup and Recovery, click Settings…

Clicking on the Default operating system drop down box will allow you to choose the OS that will start each time this host boots unless the user selects another OS.

Check the Time to display list of operating systems box to set a timer that will pause the boot sequence and allow the user to choose an alternate OS to boot to.  Click OK when you are done.

Go ahead and boot into your VHD.


Wednesday, January 5, 2011

How to move a Server Core 2008 R2 from a Domain to a Workgroup

From time to time you may need to remove a server from your domain.  Whatever the reason may be, you now have a much simplified way of doing it in Server 2008 R2.  This procedure assumes this is a member server and not a domain controller.

Log into your server core with credentials that will allow you to remove a server from the domain. 

Type sconfig and press enter.


Press 1 for Domain/Workgroup.


Press W for Workgroup.


You will get a confirmation prompt.  Click Yes.


You will be asked for a user account that can perform this operation.  Enter the user name and press Enter.


Next you will be prompted, in a new window, for this user's password.  Enter it and press Enter.


Click Yes to restart your computer.  Your server core will now be in a Workgroup.

Tuesday, January 4, 2011

Reset Internet Explorer Settings (REIS) Feature

As our users, or us, browse the Internet and freely click away, we may inadvertently install many different add-ons into Internet Explorer.  I was volunteering for an organization this past weekend that provided the volunteer with a desktop.  This desktop had:
  • Bing Search
  • Google Search
  • Yahoo Search
  • Lexmark Status
  • Search
  • And something else that I never heard of.
With all these add-ons (and what else I did not see), the performance of IE can start to become an issue.  One way to get a clean slate for IE to work on is to use the REIS feature.  REIS will reset the following IE components to their default settings:
  • Home Pages
  • Search scopes
  • Browsing history
  • Form data
  • Password
  • Appearance settings
  • Toolbars
  • ActiveX controls.
Doing this procedure will help provide a more stable browsing experience for your users and prevent messages such as "Internet Explorer has encountered a problem and needs to close."  Here is how you do it.
Exit all programs
Launch just one instance of Internet Explorer
In Internet Explorer, click Tools \ Internet Options.
Click the Advanced tab.
In the Reset Internet Explorer settings at the bottom of the Internet Options window, click Reset.
Click Reset
Click Close
Click OK.
Now close IE and then open IE again.  You should be at the default configuration. 
You can set Internet Explorer to clean even more information.  Before you clicked Reset above, you were presented with the option to Delete personal settings.  This option resets home pages, search providers and Accelerators to default settings, and deletes temporary Internet files, history, cookies, web form information, passwords and InPrivate Filtering data.

Monday, January 3, 2011

Why is the “User Must Change Password at next Login” box grayed out?


When you are trying to change the password of a user account in Active Directory Users and Computers, you might see a situation like the one below:


In this case, you cannot tell the user to reset their password at their next login.  This is not a good situation for a network administrator.  At no time should both you and the user know the user's password.  At this point, you have lost accountability for the actions taken with this user's account. This is a simple fix though.

Open the properties of the user in Active Directory Users and Computers.

Click the Account tab.

Uncheck Password Never Expires and then click OK.


Now you should be able to reset the user's password and force them to change it the next time they log in.