Advanced Windows PowerShell Scripting Video Training


Thursday, July 28, 2011

Install NAVFit98A on Windows 7 64-bit or 32-bit

NAVFIT98a Version 28 Installation instructions for Windows 7
Author: IT1 J. Yoder
Microsoft Certified Trainer
NR Chinhae HQ
NOSC Indianapolis

This instruction is provided without warranty or support.

This document will explain how to get NAVFIT98A to work on all editions of the Windows 7 operating system without using virtualization.

This procedure should work on both home and business editions of Windows 7.

Last fall I published an article on how to get NavFIT98A to install on Windows 7 using Windows XP mode.  To this day it is one of the most popular articles on my blog.  At the request of many, I am providing instructions below on how to get NavFIT98A to work on Windows 7 64-bit (or 32-bit) without using virtualization.  I was happy to find a test deployment of NAVFIT98A using App-V at Microsoft.  Application virtualization is one of the methods at our disposal for handling application compatibility problems that often arise during an operating system upgrade.  I’ll be testing the App-V method later. 

A word of caution.  I’ve noticed that problems can occur in different areas depending on your system and the software installed on your computer.  This is the method that allowed me to install on a virtual machine in a test environment.  I have another physical machine that allowed the installation, but will not save to the database.  I also have another physical machine that the setup program will not run on.  In short, there are a variety of potential problems that can occur. 

The virtual machine that this is tested on is completely up to date.  Part of the procedure below came from a comment on the original post.  I terminated the discussion with the other individual because his professionalism deteriorated even after I gave him praise for his contribution.  For this reason, I cannot take full credit for the final product.  It would be unprofessional for me to not at least give partial credit to the other party.

Open the installation files for NAVFIT98A.
Click Start.

Type Notepad.
Right click Notepad from the menu and select Run as administrator.
If User Account Control (UAC) is turned on, you may be prompted to supply the credentials of a user account that is a member of the local Administrators group on this computer.  If you are logged in with an account that is already a member of the local Administrators group, you will see a UAC consent prompt instead; click Yes.

Open the file Setup.LST from the installation files.
NAVFIT98A is a 32-bit application, so on Windows 7 64-bit we need to change the default installation directory to the folder that 64-bit Windows uses for 32-bit applications.  Find the DefaultDir= line and change it to (use plain straight quotes, not the curly quotes a word processor inserts):
DefaultDir="c:\Program Files (x86)\NavFit98A"

If this is a 32-bit edition of Windows 7, change the line to this instead:
DefaultDir="c:\Program Files\NavFit98A"

Click File –> Save.
In the Save As drop down box, select All Files
Click Save
Click Yes at the Confirm Save As window.

At this point, you can proceed with the NavFit98A installation.
You will get messages during the installation about Setup trying to replace a newer file with an older version, just click Yes to keep the newer version.

A few notes on this procedure.
This worked perfectly fine in a virtual environment.  On my Windows 7 Ultimate computer sitting on my desk, the Roxio Creator LJ software kept trying to run during the NavFit98A program initialization.  Clicking Cancel a few times took care of that. 

The other contributor to this article also added a few instructions that were not required on my setup.  Again, your setup experience may be different.  Below are the additional notes.
Remove the following lines from the LST file:
File26=@expsrv.dll,$(WinSysPathSysFile),,,9/26/03 8:12:38 PM,380957,
File27=@vbajet32.dll,$(WinSysPathSysFile),,,9/26/03 8:12:31 PM,30749,
File29=@dao350.dll,$(MSDAOPath),$(DLLSelfRegister),$(Shared),4/27/98 7:15:06 PM,570128,3.51.1608.0
Those 3 files listed above are located in the cab file ""
You can either copy the 3 files manually or extract all the files to the directory you are installing from and then make a batch file out of the code below.  Two things to keep in mind: the paths in the batch file are the 32-bit Windows locations (on 64-bit Windows the 32-bit system folder is C:\Windows\SysWOW64 and the program folder is C:\Program Files (x86)), and Windows 7 already ships newer copies of the Jet DLLs, so the copies use xcopy /d to only replace a file when the one being copied is newer.  The last line sets the same Windows XP SP2 compatibility mode plus "run as administrator" layer you would set on the Compatibility tab of the executable; with RUNASADMIN the program asks for elevation every time it starts.

]-----begin code text-----[
@echo off
rem Run from the folder that holds setup.exe and the extracted navfit98a\ files.
rem Paths below are the 32-bit Windows locations (see the note above for 64-bit).
start /wait "" "%~dps0setup.exe" /silent
xcopy /d /y "%~dps0navfit98a\expsrv.dll" "%SystemRoot%\system32\"
xcopy /d /y "%~dps0navfit98a\vbajet32.dll" "%SystemRoot%\system32\"
xcopy /d /y "%~dps0navfit98a\dao350.dll" "%CommonProgramFiles%\microsoft shared\DAO\"
regsvr32 /s "%CommonProgramFiles%\microsoft shared\DAO\dao350.dll"
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Program Files\NavFit98A\navfit98A.exe" /t REG_SZ /d "WINXPSP2 RUNASADMIN" /f
]-----end code text-----[
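Since this is a PowerShell blog, here is the same procedure (the Setup.LST edit and the compatibility-layer registry entry) as a PowerShell script.  This is an added example, not code from the original post or from the NAVFIT98A authors.  It picks the 32-bit Program Files folder for whichever edition of Windows 7 it runs on, keeps a copy of the vendor's Setup.LST, and writes the AppCompatFlags\Layers value for the installed executable.  The folder C:\NavFit98A_Install is an assumed location for the extracted installation files, and the script needs Windows PowerShell 3.0 or later and an elevated prompt.  Because the layer includes RUNASADMIN, the program will run elevated on every launch, so only add it for users who actually need the application.

```powershell
# Added example (not from the original post): automates the Setup.LST edit and the
# compatibility-layer entry from the procedure above. Run from an elevated prompt.

function Get-NavFitInstallDir {
    # 64-bit Windows defines ProgramFiles(x86); 32-bit Windows does not.
    $x86  = [Environment]::GetEnvironmentVariable('ProgramFiles(x86)')
    $root = if ($x86) { $x86 } else { $env:ProgramFiles }
    Join-Path -Path $root -ChildPath 'NavFit98A'
}

function Set-NavFitDefaultDir {
    param(
        # Folder holding the extracted installation files (assumed location)
        [Parameter(Mandatory = $true)][string]$SourceDir,
        [string]$InstallDir = (Get-NavFitInstallDir)
    )
    $lst = Join-Path -Path $SourceDir -ChildPath 'Setup.LST'
    if (-not (Test-Path -Path $lst)) { throw "Setup.LST not found in $SourceDir" }

    # Keep the vendor's file; Setup.LST is plain ANSI text, so write it back as ASCII.
    Copy-Item -Path $lst -Destination "$lst.orig" -Force
    $lines = Get-Content -Path $lst
    if (-not ($lines -match '^DefaultDir=')) { throw 'No DefaultDir= line found in Setup.LST' }

    # Straight quotes around the path, exactly as the manual edit above.
    $patched = $lines -replace '^DefaultDir=.*$', ('DefaultDir="{0}"' -f $InstallDir)
    Set-Content -Path $lst -Value $patched -Encoding Ascii
    $patched -match '^DefaultDir='      # returns the new DefaultDir line
}

function Set-NavFitCompatLayer {
    param(
        [string]$InstallDir = (Get-NavFitInstallDir),
        # WINXPSP2 = Windows XP SP2 compatibility mode; RUNASADMIN = elevate on launch.
        [string]$Layer = 'WINXPSP2 RUNASADMIN'
    )
    $exe = Join-Path -Path $InstallDir -ChildPath 'navfit98A.exe'
    if (-not (Test-Path -Path $exe)) { throw "Run the installer first; $exe not found" }

    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the full path of the executable; the data is the layer list.
    New-ItemProperty -Path $key -Name $exe -Value $Layer -PropertyType String -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object -ExpandProperty $exe   # returns the layer string
}

# Usage: patch Setup.LST, run setup.exe, then register the layer for the installed exe.
# Set-NavFitDefaultDir -SourceDir 'C:\NavFit98A_Install'          # assumed path
# Start-Process -FilePath 'C:\NavFit98A_Install\setup.exe' -Wait
# Set-NavFitCompatLayer
```

The layer is written under HKCU, so it applies only to the user who ran the script; the batch file above does the same.  Writing it under HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers instead applies it to every user on the computer.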

The easier fix for all of us would be for the authors of this application to upgrade it to a 64 bit version that works on Windows 7.

Wednesday, July 27, 2011

Scope issue with Windows PowerShell ISE

Although I like the Windows PowerShell ISE, I came across a problem related to scope.  For many months, I’ve been fighting issues of elements in my scripts not clearing out between runs.  What I have come to find out is that when you run a  script in the ISE and the script completes, its scope is not destroyed.  Here is an example.




In the above example, in the shell, I set a variable to the value of 100.  Since this is done in the shell, this variable is stored in the global scope.  By executing Get-Variable, I can see the value of a is 100.



Now let’s do the same thing in the ISE.



If I run Get-Variable in the ISE, I receive this:



So far, all is as expected.  Now let’s execute a script in the ISE that changes the value of $a to 500 and then displays it:




Now let’s run Get-Variable again inside the ISE.



The value of $a is still 500.  I suspect this behavior is what has caused me a lot of headaches over the past few months.  I now program with the ISE, but test in the shell by dot sourcing the function into the shell.  When using the shell, the script scope is destroyed and you start with a blank slate each time you run your function.
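The behaviour above is what a dot-sourced script does: the ISE's Run Script command (F5) dot-sources the file into the session, so assignments in the script land in the session's global scope and survive the run, whereas typing .\script.ps1 in the console uses the call operator and gives the script its own scope that is discarded when it finishes.  The function below, an added example and not from the original post, reproduces both behaviours from the console and also shows the fresh-process result you get each time you run a script from the shell.  The temporary script path under $env:TEMP is an assumption; the function needs Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): call operator versus dot-sourcing.
function Test-ScriptScope {
    param(
        # Folder for a throw-away script; assumed writable
        [string]$WorkDir = $env:TEMP
    )
    $scriptPath = Join-Path -Path $WorkDir -ChildPath 'set-a.ps1'
    # Same job as the post's test script: change $a to 500 and display it.
    Set-Content -Path $scriptPath -Value '$a = 500; "inside the script: $a"' -Encoding Ascii

    $a = 100                              # the caller's $a (this function's scope)

    # Call operator: the script runs in its own child scope, discarded on exit.
    $null = & $scriptPath
    $afterCall = $a                       # still 100

    # Dot-source (what the ISE does on F5): the script body runs in the caller's
    # scope, so the caller's $a is overwritten.
    $null = . $scriptPath
    $afterDot = $a                        # now 500

    # Fresh process: the blank slate the console gives you on every run.
    $afterFresh = powershell.exe -NoProfile -NonInteractive -Command `
        "& '$scriptPath' | Out-Null; if (Test-Path variable:a) { `$a } else { 'not defined' }"

    Remove-Item -Path $scriptPath -Force
    [pscustomobject]@{
        AfterCallOperator = $afterCall    # 100
        AfterDotSource    = $afterDot     # 500
        InFreshProcess    = $afterFresh   # 'not defined'
    }
}

# In the ISE, clear leftovers between runs instead of relying on scope teardown:
#   Remove-Variable -Name a -Scope Global -ErrorAction SilentlyContinue
Test-ScriptScope
```

The practical consequence is that a script that works in the ISE only because a variable or function is left over from an earlier run will fail when scheduled or run from the console, which is why testing in a fresh powershell.exe process is the reliable check.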

Tuesday, July 26, 2011

Some notes about Hyper-V Snapshots

Snapshots allow you to capture the current state of a VM, and return it to that point-in-time at your convenience. Snapshots are the closest thing that we have to the Restore Points we had in Windows XP. There are a few things that you need to know about snapshots.
  • They do not affect a running virtual machine. If a snapshot is taken and a change to the state of the VM's memory is made, Hyper-V will intercept that change and hold it until the snapshot is complete.
  • The virtual machine cannot be in a paused state.
  • If you take a snapshot while logged in, when you return to that snapshot, it will be right where you took it. This includes being logged in and applications running.

Here is the snapshot process:

1. Pauses the virtual machine.

2. Creates differencing disks associated with all VHDs configured in the virtual machine, and then associates them with the virtual machine.

3. Makes a copy of the virtual machine’s configuration file.

4. Resumes the running of the virtual machine.

5. Saves the contents of the virtual machine's memory to disk.

The snapshot will create some files and store them in the Virtual Machines folder:

.xml: virtual machine configuration files

.vsv: virtual machine saved state files

.bin: virtual machine memory contents

.avhd: snapshot differencing disks

Looking inside a virtual machine's folder, notice the many .AVHD files. Each one of these belongs to a single snapshot.

Opening up the Snapshots folder, we see the .xml files that hold the configuration from each of the snapshots. Each .xml file is named with a GUID, and next to it is a folder with the same GUID; opening that folder, we see the files containing the memory state (.bin) and the saved state (.vsv) of that snapshot.
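As an added example (not part of the original post), the function below walks one virtual machine folder and lists the artifacts just described: one <GUID>.xml configuration per snapshot, the matching <GUID> folder with the .bin and .vsv files, and the .avhd differencing disks.  It assumes the Windows Server 2008 R2 layout with a Snapshots subfolder under the VM folder; the VM folder path is an assumption, and the function needs Windows PowerShell 3.0 or later.  The .bin file is the guest's RAM written to disk, so a snapshot folder can hold credentials and other secrets that were in memory and deserves the same access controls and cleanup as the VM itself.

```powershell
# Added example (not from the original post): inventory of snapshot files for one VM.
function Get-VmSnapshotArtifacts {
    param(
        # Folder of one virtual machine: the one that holds the Snapshots subfolder
        [Parameter(Mandatory = $true)][string]$VmFolder
    )
    if (-not (Test-Path -Path $VmFolder)) { throw "VM folder not found: $VmFolder" }
    $snapDir = Join-Path -Path $VmFolder -ChildPath 'Snapshots'

    # One <GUID>.xml per snapshot, plus a <GUID> folder holding the .bin (memory
    # contents) and .vsv (saved state) files for that snapshot.
    $snapshots = foreach ($cfg in @(Get-ChildItem -Path $snapDir -Filter *.xml -ErrorAction SilentlyContinue)) {
        $stateDir = Join-Path -Path $snapDir -ChildPath $cfg.BaseName
        $bin = Get-ChildItem -Path $stateDir -Filter *.bin -ErrorAction SilentlyContinue
        $vsv = Get-ChildItem -Path $stateDir -Filter *.vsv -ErrorAction SilentlyContinue
        [pscustomobject]@{
            SnapshotId     = $cfg.BaseName
            Taken          = $cfg.LastWriteTime
            ConfigFile     = $cfg.FullName
            MemoryMB       = [math]::Round((@($bin) | Measure-Object -Property Length -Sum).Sum / 1MB)
            SavedStateKB   = [math]::Round((@($vsv) | Measure-Object -Property Length -Sum).Sum / 1KB)
            HasMemoryImage = [bool]$bin     # guest RAM on disk: protect like the running VM
        }
    }

    # Differencing disks: each .avhd holds the writes made since its parent disk.
    $avhds = Get-ChildItem -Path $VmFolder -Recurse -Filter *.avhd -ErrorAction SilentlyContinue |
        Select-Object -Property FullName, LastWriteTime,
            @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB) } }

    [pscustomobject]@{
        VmFolder          = $VmFolder
        Snapshots         = @($snapshots)
        DifferencingDisks = @($avhds)
    }
}

# Usage on the Hyper-V host (assumed path):
# $report = Get-VmSnapshotArtifacts -VmFolder 'D:\Hyper-V\Lab1'
# $report.Snapshots | Format-Table SnapshotId, Taken, MemoryMB, HasMemoryImage -AutoSize
# $report.DifferencingDisks | Format-Table -AutoSize
```

A long chain of .avhd files also costs disk I/O, since every read has to walk the chain back to the base VHD, so the report is a quick way to spot virtual machines whose snapshots should be merged or deleted.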


Monday, July 25, 2011

Minimum Forest Functional Level for AD Recycle Bin

In class, I discovered the hard way that we not only need our domain functional level at Windows Server 2008 R2, but also the forest functional level, to use the AD Recycle Bin.  In raising our 2003 forest functional level to 2008, we gain no new functionality.  We do however gain the AD Recycle Bin when raising our forest from 2008 to 2008 R2.  Below is Microsoft's list of the features that are enabled with each domain and forest level.

Domain Functional Levels

Windows 2000 native
All default Active Directory features and the following features:
  • Universal groups are enabled for both distribution groups and security groups.
  • Group nesting.
  • Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
  • Security identifier (SID) history.

Windows Server 2003
All default Active Directory features, all features from the Windows 2000 native domain functional level, and the following features:
  • The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.
  • Update of the logon time stamp. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.
  • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
  • The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes possible the definition of a new well-known location for these accounts.
  • Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
  • Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
  • Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Windows Server 2008
All default Active Directory features, all features from the Windows Server 2003 domain functional level, and the following features:
  • Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
  • Advanced Encryption Services (AES 128 and 256) support for the Kerberos authentication protocol.
  • Last Interactive Logon Information, which for a workstation that runs Windows Server 2008 or Windows Vista or later, displays the times of the last successful and failed logons, and the number of failed logon attempts since the last successful logon. For more information, see Active Directory Domain Services: Last Interactive Logon.
  • Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.

Windows Server 2008 R2
All default Active Directory features, all features from the Windows 2000 native, Windows Server 2003, and Windows Server 2008 functional levels, plus the following features:
  • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user's Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user's logon method.
  • Automatic SPN management for services running on a particular machine under the context of a Managed Service Account when the name or DNS host name of the machine computer account changes.

          Forest Functional Levels
          Windows 2000
          All default Active Directory features.

          Windows Server 2003
          All default Active Directory features, and the following features:
          • Forest trust.
          • Domain rename.
          • Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
          • The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
          • Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
          • An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).
  • The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.
  • The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.
          • The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
          • Deactivation and redefinition of attributes and classes in the schema.

          Windows Server 2008
          All the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest, however, will operate at the Windows Server 2008 domain functional level by default.

          Windows Server 2008 R2
All the features that are available at the Windows Server 2008 forest functional level, plus the following feature:
          • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while Active Directory Domain Services (AD DS) is running.
          All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.
          If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.

                    Friday, July 22, 2011

                    Can a user use an old copy of their registry to override Group Policy?

                    This is a real interesting one from my 6419B class in May.  During our discussion on Group Policy, I was asked a “hacking question” as it was put.  If the user had a copy of their registry before a GPO was applied, can they import that copy and override the GPO?

To test this one out I exported a copy of a client's registry, with a standard user logged in on it, and saved it to the desktop.  I then created and applied a GPO that removed the Recycle Bin from the desktop.  Once applied, the Recycle Bin was removed from the desktop.  We then imported the backed up registry and received this error:

                    Cannot import C:\Users\adam\Desktop\MyReg.reg: Not all data was successfully written to the registry.  Some keys are open by the system or other processes.

                    The GPO held and the registry was unaltered.
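A registry import writes values one key at a time, so the question comes down to whether the user can write to the two per-user keys that Group Policy settings are stored in: HKCU\Software\Policies and HKCU\Software\Microsoft\Windows\CurrentVersion\Policies.  The function below is an added example (not part of the original post) that tries to create and remove a throw-away value in each of those keys as the current user and reports the outcome along with the rights the Users group holds on the key.  Run it in a non-elevated session as the standard user; the value name is a constructed probe, and the function needs Windows PowerShell 3.0 or later.  Whatever the result, the settings also come back at the next Group Policy refresh (gpupdate or the background refresh interval), so a one-time registry edit is not a lasting override.

```powershell
# Added example (not from the original post): can the current user write to the
# per-user policy keys, the way a .reg import would have to?
function Test-PolicyKeyWriteAccess {
    $policyKeys = @(
        'HKCU:\Software\Policies',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    )
    foreach ($key in $policyKeys) {
        $exists = Test-Path -Path $key
        $result = [pscustomobject]@{
            Key                 = $key
            Exists              = $exists
            CurrentUserCanWrite = $false
            Error               = ''
            UsersRights         = ''
        }
        if ($exists) {
            # What the built-in Users group (and Everyone) is granted on the key.
            $acl = Get-Acl -Path $key
            $result.UsersRights = (@($acl.Access |
                Where-Object { $_.IdentityReference -like '*\Users' -or $_.IdentityReference -eq 'Everyone' } |
                ForEach-Object { "$($_.IdentityReference)=$($_.RegistryRights)" }) -join '; ')

            # Probe: create and remove a throw-away value (constructed name). An access
            # denied error here means an imported .reg file would fail on this key too.
            $probe = 'WriteProbe_' + [guid]::NewGuid().ToString('N')
            try {
                New-ItemProperty -Path $key -Name $probe -Value 1 -PropertyType DWord -ErrorAction Stop | Out-Null
                Remove-ItemProperty -Path $key -Name $probe -ErrorAction Stop
                $result.CurrentUserCanWrite = $true
            } catch {
                $result.Error = $_.Exception.Message
            }
        }
        $result
    }
}

# Run as the standard user, in a non-elevated PowerShell session:
Test-PolicyKeyWriteAccess | Format-Table -AutoSize
```

If CurrentUserCanWrite comes back $true for a key, the ACL on that key has been loosened from the default and is worth investigating, because a user could then change the policy values between refreshes.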

                    Thursday, July 21, 2011

                    PowerShell function to confirm if a module is present on a client.

PowerShell is designed to be expanded.  For example, by adding the Group Policy module, you can utilize PowerShell to help manage the GPOs in your environment.  Not all modules are installed on every Windows client/server.   The function below is designed to help you determine if a module is present.  To use it, simply call the Confirm-Module function with the name of the module as the parameter.  The function will return $TRUE if the module is present and $FALSE if it is not.

<#
.SYNOPSIS
Confirms if a module is available.

.DESCRIPTION
Confirms if the module named by the parameter is available on
the local client.

.PARAMETER ModuleName
The name of the module whose presence is being checked.

.EXAMPLE
Confirm-Module ActiveDirectory

Checks to see if the ActiveDirectory module is
present on the local machine.

.OUTPUTS
Returns $True if present and $False if not.

.NOTES
Author: Jason A. Yoder, MCT
#>
Function Confirm-Module
{
    Param ($ModuleName = $(Throw "You need to provide a module name."))

    # Place the names of the matching modules from Get-Module into
    # the variable $Data.  Get-Module -ListAvailable only searches the
    # folders listed in $env:PSModulePath, so a module copied elsewhere
    # is reported as absent.
    $Data = @(Get-Module -ListAvailable -Name $ModuleName | Select-Object -ExpandProperty Name)

    # If one of the names in $Data matches $ModuleName (-contains is
    # case-insensitive), the module is present; return $True.
    # If not, return $False.
    If ($Data -contains $ModuleName) { Return $True }
    Else { Return $False }
}

                    Wednesday, July 20, 2011

                    Error when enabling Active Directory Recycle Bin

While attempting to enable the Active Directory Recycle Bin, I received the following error:


                    Enable-ADOptionalFeature: The specified method is not supported.

                    At line:1 char:25

                    +Enable-ADOptionalFeature <<<<  -Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service, CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com’ –Scope ForestorConfigurationSet –Target ‘’

                      +CategoryInfo          : NotSpecified: (CN=Recycle Bin ..=contoso,DC=com:ADOptionalFeature) [Enable-ADOptionalFeature], ADException

  + FullyQualifiedErrorId : The specified method is not supported,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature

This is caused by your domain or forest functional level not being set to Windows2008R2Domain or Windows2008R2Forest or higher.  The Recycle Bin is a forest-level feature, and the forest cannot be raised to Windows Server 2008 R2 until every domain in it has been.


To determine your current levels, import the ActiveDirectory module and look at the DomainMode property of Get-ADDomain and the ForestMode property of Get-ADForest.

Import-Module ActiveDirectory



To set the domain mode, type:

Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008R2Domain

To set the forest mode, type:

Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008R2Forest

Both commands require every domain controller in scope to be running Windows Server 2008 R2, and the domain level must be raised in every domain of the forest before the forest level can be raised.  Once the Recycle Bin is enabled it cannot be disabled, and the forest level can no longer be lowered.
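Since the functional-level list above and the error in this post are two halves of the same check, here is one added example (not from the original post) that covers both: it reports the forest and domain modes against the Windows Server 2008 R2 requirement, tells you whether the Recycle Bin is already on, and only calls Enable-ADOptionalFeature when the prerequisites hold, with a confirmation prompt because enabling the feature is irreversible.  It uses the ADForestMode and ADDomainMode enumerations from the ActiveDirectory module, which are ordered by release so a numeric comparison works, and assumes you run it as an Enterprise Admin on a 2008 R2 domain controller or an RSAT client with Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): check the levels before enabling the
# Recycle Bin, so the "specified method is not supported" error is explained up front.
Import-Module ActiveDirectory

function Test-ADRecycleBinPrerequisites {
    $forest  = Get-ADForest
    $domains = foreach ($d in $forest.Domains) { Get-ADDomain -Identity $d }

    # The mode enums are ordered by release: Windows2008R2Forest is higher than
    # Windows2008Forest, so "-ge" answers "is it 2008 R2 or later".
    $neededForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $neededDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
    $lowDomains   = $domains | Where-Object { [int]$_.DomainMode -lt [int]$neededDomain }

    # EnabledScopes lists the partitions the feature is enabled in; empty means off.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        ForestModeOk      = ([int]$forest.ForestMode -ge [int]$neededForest)
        DomainsBelowR2    = (@($lowDomains | ForEach-Object { "$($_.DNSRoot) ($($_.DomainMode))" }) -join ', ')
        RecycleBinEnabled = (@($feature.EnabledScopes).Count -gt 0)
    }
}

function Enable-ADRecycleBinChecked {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $state = Test-ADRecycleBinPrerequisites
    if ($state.RecycleBinEnabled) {
        Write-Verbose "Recycle Bin is already enabled in $($state.Forest)"
        return $state
    }
    if (-not $state.ForestModeOk) {
        # This is the condition behind "The specified method is not supported".
        throw ("Forest mode is {0}; raise these domains first ({1}), then the forest, " +
               "to Windows Server 2008 R2 before enabling the Recycle Bin.") -f $state.ForestMode, $state.DomainsBelowR2
    }
    # Enabling the feature cannot be undone, hence the high-impact confirmation.
    if ($PSCmdlet.ShouldProcess($state.Forest, 'Enable Active Directory Recycle Bin (irreversible)')) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $state.Forest
    }
    Test-ADRecycleBinPrerequisites
}

# Usage:
# Test-ADRecycleBinPrerequisites
# Enable-ADRecycleBinChecked -Verbose
```

Run Test-ADRecycleBinPrerequisites first on its own; if DomainsBelowR2 is not empty, raise those domains with Set-ADDomainMode as shown above before touching the forest level.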

                    Tuesday, July 19, 2011

                    How to change the Default RemoteInstall folder for Windows Deployment Services

                    While reconfiguring my WDS servers storage, I inadvertently changed a drive letter that contained my RemoteInstall folder.  This prevented the WDS service from starting.  Below is the event log error that I received:


                    Log Name: Application

                    Source: ESENT

                    Date: 6/23/2011 12:07:13 PM

                    Event ID: 494

                    Task Category: Logging/Recovery

                    Level: Error

                    Keywords: Classic

                    User: N/A


                    Description: svchost (1116) DDP: Database recovery failed with error -1216 because it encountered references to a database, I:\RemoteInstall\Stores\Drivers\Metadata\DdpDb.mdb', which is no longer present. The database was not brought to a Clean Shutdown state before it was removed (or possibly moved or renamed). The database engine will not permit recovery to complete for this instance until the missing database is re-instated. If the database is truly no longer available and no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message. Event Xml: 494 2 3 0x80000000000000 123686 Application svchost 1116 DDP: -1216 I:\RemoteInstall\Stores\Drivers\Metadata\DdpDb.mdb

                    The new drive letter is now J:.  To fix this I opened a command prompt with administrative credentials and executed the following commands.

                    wdsutil /Uninitialize-Server

                    wdsutil /Initialize-Server /REMINST:"J:\RemoteInstall"

A refresh of the WDS console showed the WDS server was back online.  Note that /Uninitialize-Server reverts the server-side configuration made during initialization but does not delete the RemoteInstall folder or the images in it; any server settings you changed after the original initialization have to be reapplied once the server is initialized again.

                    Monday, July 18, 2011

                    Can a local RODC administrator add another user as a local administrator?

For this test I created an RODC.  I added a user named Adam.Carter to the local administrators group using this procedure:

                    Log on with an administrator account

                    Open a command prompt.

                    Type Dsmgmt and press Enter.

                    Type Local Roles and press Enter.

                    Type Add <UserName> Administrators where <UserName> is the name of the domain account that you want to assign as a local administrator on the RODC.

Once Adam was logged in, I repeated the process, this time adding a user named Aaron.Lee.  Aaron was added to the local administrators group.  I was also still able to log on locally with both accounts and use AD Users and Computers with both.  This is in contrast to Microsoft's documentation on the topic.
                    Remember, an RODC local administrator cannot manage other DCs or Active Directory.  They can:
                    • Install hardware devices, such as network adapters and disk drives
                    • Manage disk drives and other devices
                    • Install software updates and drivers
                    • Stop and start Active Directory Domain Services (AD DS)
                    • Install and remove other server roles and features
                    • View logs in Event Viewer
                    • Manage shares and other applications and services

                    Friday, July 15, 2011

                    Can DFS replication partners exist in different domains?

Yes, they can.  The forest is the boundary for DFS Replication: replication group members can be in any domain of the same forest.  The TechNet documentation on DFS Replication covers this in more detail.

                    Thursday, July 14, 2011

                    P2V online conversion with VMM 2008

                    One of the processes you will undertake in virtualizing your environment is the conversion of a physical machine to a virtual machine.  There are many considerations that you must research prior to executing a P2V conversion.  This article deals with the actual process.

We are going to use a VMM server named 2008Server to do a physical-to-virtual conversion of a Windows Server 2008 R2 machine called Lab1.
                    First off, open the System Center Virtual Machine Manager Administrator Console.

                    Next, click Convert physical server in the Actions pane.

                    In the Select Source window, provide the name or IP address of the server or client that you want to run the conversion on.  I find that I have more success using the IP address. Also, you need to provide local administrative credentials.  Click Next once you have entered the proper information.

                    In the Virtual Machine Identity window, provide a name for the VM to be created.  Also, provide a description if you wish.  Click Next to continue.

In the System Information window, click Scan System to gather information about the client to be converted.  This process will install the VMM agent software on the client.  This software will be removed at the end of the P2V conversion.

                    Once the scan is complete, you can review the data that it obtained. Click Next to continue.

In the Volume Configuration window, you can configure the volumes that you want to virtualize and what types of VHD files you want to create.  For the sake of this demonstration, I am going to uncheck everything that is not required.  Notice that the Lab2: (C:) drive and the System (Disk 0, Partition 0) are greyed out.  That means they are required.  I'm also setting the C: VHD size to 300,000. Click Next to continue.

                    The next screen is the Virtual Machine Configuration settings.  Here you specify the processor and RAM settings for the VM.  Click Next

                    On the Select Host window, you select which host you want this VM to be placed.  In the example below, there is only one host available.  Select the host that you want to use and click Next

                    If you do not see the host that you want to use, use the VMM console to add the host.

At this point, you may receive some errors based on your configuration and the available resources of the host that the VM will run on.  Two possible errors are that the amount of RAM you requested exceeds the available RAM on the host, and that there is not enough drive space available on the host.  For the RAM issue, just click the Back button and set the RAM lower.  Remember, performance will drop if you do this.  As for disk space, you could go through the target client and remove old data.  The VMM server will initially copy the target hard drive and then save it to a VHD.  The best bet would be to select a different host with adequate resources if available.

                    The Select Path screen will allow you to choose the storage location of this VM.  Click Next.

                    The Select Networks screen will allow you to choose which virtual network you want each of the physical servers NIC cards to be connected to.  In this case, the target server has two physical NICs.  During the conversion process, the VM configuration will have 2 NICs by default.  You can add more later if you need to.  Click Next when you are finish configuring the NICs.

                    The Additional Properties window allows you to determine the start up and shut down properties of this VM. 

                    Your Start up options are:
                    • Never automatically turn on this virtual machine
                    • Always automatically turn on the virtual machine
                    • Automatically turn on this virtual machine if it was running when physical server stopped.

                    Your shut down options are:
                    • Save State
                    • Turn off virtual machine
                    • Shut down guest OS
I find the defaults the most useful in production because they ensure the VM starts again after the physical server has been shut down.

                    In the Conversion Information window, correct any issues that you discover.  Click Next.

                    In the Summary window, click Next to start the conversion.

                    The Jobs window will allow you to monitor the progress of the conversion.
The length of time that this takes will vary depending on many factors, including the number and size of the hard drives to convert and the network speed and utilization between the two servers.

When the process is completed, be sure to shut down or disconnect the source computer before starting the VM.  The VM is a copy of the original computer, with the same name, the same domain computer account and the same SID, and two computers claiming the same account cannot both be active in your domain.

                    Another consideration to be prepared for is that you may need to install the Hyper-V integration services into this VM.  Follow this link to a blog article that explains how to install the integration services.

                    Wednesday, July 13, 2011

                    What Architecture will Windows 8 Support?

In my 6294 class from Portland, ME, we had an individual concerned about Windows 8 and their investment in the 32-bit architecture.  I still advise organizations to purchase the 64-bit platforms.  The 32-bit architecture is next on the technology chopping block. 


At the Consumer Electronics Show (CES) in Las Vegas, Microsoft demonstrated their work on Windows 8. They also announced support for Intel, AMD, and ARM chips. This included the x86 architecture. That means 32-bit will be around for another edition of Windows. Below are two articles from Microsoft that talk about the platforms that Windows 8 will run on.




                    Tuesday, July 12, 2011

                    Delegate Administration of Hyper-V

In small environments, one individual may be charged with managing your Hyper-V environment.  In larger organizations, the tasks of maintaining Hyper-V may need to be distributed.  In order to stick to the Principle of Least Privilege, you have the ability to delegate the management tasks of Hyper-V to multiple users without making them local administrators of the host.


                    To do this log into your 2008 server that is hosting Hyper-V.


                    · Click Start, type MMC and press Enter


                    · Click File and then click Add/Remove Snap-in…


                    · In the Available snap-ins: list, click Authorization Manager.


                    · Click Add and then OK.


                    · In the MMC console, right click Authorization Manager and select Open Authorization Store…


· Verify that XML file is selected and type %programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml in the Store name: box.



                    · Click OK


                    From here we can define scopes to limit the Hyper-V servers that users can manage.  We can also define roles that users can participate in and what those roles can do. Below is a list of the possible delegations and a short description of each:

                    • Allow Input to Virtual Machine
                    • Allow Output from Virtual Machine
                    • Allow Virtual Machine Snapshot
                    • Bind External Ethernet Port
                    • Change Virtual Machine Authorization Scope
                    • Change VLAN Configuration on Port
                    • Connect Virtual Switch Port
                    • Connect Internal Ethernet Port
                    • Create Virtual Machine
                    • Create Virtual Switch
                    • Create Virtual Switch Port
                    • Delete Internal Ethernet Port
                    • Delete Virtual Machine
                    • Delete Virtual Switch
                    • Delete Virtual Switch Port
                    • Disconnect Virtual Switch Port
                    • Modify Internal Ethernet Port
                    • Modify Switch Port Settings
                    • Modify Switch Settings
                    • Pause and Restart Virtual Machine
                    • Read Service Configuration
                    • Reconfigure Service
                    • Reconfigure Virtual Machine
                    • Start Virtual Machine
                    • Stop Virtual Machine
                    • Unbind External Ethernet Ports
                    • View External Ethernet Ports
                    • View Internal Ethernet Ports
                    • View LAN Endpoints
                    • View Switch Ports
                    • View Switches
                    • View Virtual Machine Configuration
                    • View Virtual Switch Management Service
                    • View VLAN Settings


                    Creating a Scope


                    · Expand Authorization Manager \ InitialStore.xml.


                    · Right click Hyper-V Services and then click New Scope…


                    · In the New Scope window, provide a name and a description of up to 1024 characters for this scope.


                    · Click OK.


                    I called this scope View Hyper-V Configurations.


                    We now need to define the Role Definitions and Task Definitions. Both let you determine what a user, or a group of users, is able to do.  With Role Definitions you can use inheritance, just as with NTFS permissions.  Another difference is that you can assign both tasks and operations to a Role Definition, while a Task Definition can only be assigned operations.



                    To create a new Role or Task Definition, expand the scope you just created.


                    · Expand Definitions.


                    · Right click either Role Definition or Task Definition and select New.


                    · Expand Authorization Manager \ Hyper-V Services \ Definitions


                    · Right click Role Definitions and select New Role Definition.


                    · Click Add…


                    · Click the Operations tab.


                    · Provide a name and a description for this Role.


                    · Click Add…


                    You can add the Role Definitions you have already created and inherit their rules into this definition.




                    In our case, no roles other than Administrator have been created.  Do not check Administrator; that would allow the users to do everything.


                    · Click the Tasks tab.


                    · If you have created any tasks, they will be available to add to this role.  Otherwise just click OK and dismiss the warning.


                    · Click the Operations tab.


                    · Select the operations that you would like the users to perform and then click OK.




                    · Click OK once again.



                    We now need to assign the role to the scope and add users and groups into the role.


                    · Expand the Role Definition that you created and then right click Role Assignments.


                    · Click New Role Assignment…




                    · Check the box of the Role Definitions that you want to assign to this definition.


                    · Click OK.




                    · Right click the assigned definition and click Assign Users and Groups and then From Windows and Active Directory.




                    · Add the users and groups and then click OK.




                    Those users and groups are now authorized to perform the delegated tasks on that host.
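                    As an added example (not the post's own code), the PowerShell below audits the store that the steps above edit: it opens InitialStore.xml through the AzMan COM interface (AzRoles.AzAuthorizationStore, assumed to be available on the host) and lists each role assignment with its members and the operations it resolves to, so delegations can be reviewed against least privilege.

```powershell
# Added example, not from the original post: enumerate the Hyper-V role assignments in the
# Authorization Manager store so delegated rights can be reviewed for least privilege.
# Assumes the AzRoles COM interface (AzMan) is present and the store path used in the post.
function Get-HyperVRoleAssignment {
    param([string]$StorePath = "$env:ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml")

    # XML stores are opened with the msxml:// URL prefix; flags 0 = open an existing store.
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, "msxml://$StorePath", $null)

    # In AzMan a role definition is a task flagged IsRoleDefinition; an assignment links to
    # definitions by name, so walk the links (and nested tasks) down to concrete operations.
    function Resolve-Operation($container, $app, [string]$taskName, $seen) {
        if (-not $seen.Add($taskName)) { return @() }           # already visited: avoid cycles
        $task = $null
        try   { $task = $container.OpenTask($taskName, $null) } # scope-level definition
        catch { $task = $app.OpenTask($taskName, $null) }       # fall back to application level
        $ops = @($task.Operations)
        foreach ($child in @($task.Tasks | Where-Object { $_ })) {
            $ops += Resolve-Operation $container $app $child $seen
        }
        return $ops
    }

    foreach ($app in $store.Applications) {
        # Assignments can live at the application level or inside a scope the admin created.
        $containers = @{ '(application)' = $app }
        foreach ($scope in $app.Scopes) { $containers[$scope.Name] = $scope }

        foreach ($scopeName in $containers.Keys) {
            $container = $containers[$scopeName]
            foreach ($role in $container.Roles) {
                $seen = New-Object 'System.Collections.Generic.HashSet[string]'
                $ops  = @($role.Operations)
                foreach ($linked in @($role.Tasks | Where-Object { $_ })) {
                    $ops += Resolve-Operation $container $app $linked $seen
                }
                [pscustomobject]@{
                    Application = $app.Name
                    Scope       = $scopeName
                    Role        = $role.Name
                    Members     = (@($role.MembersName) -join '; ')
                    # The built-in Administrator definition grants every operation (see above).
                    FullAdmin   = [bool](@($role.Tasks) -contains 'Administrator')
                    Operations  = (($ops | Where-Object { $_ } | Sort-Object -Unique) -join '; ')
                }
            }
        }
    }
}

# Usage: run elevated on the Hyper-V host and review who can do what in each scope.
Get-HyperVRoleAssignment | Format-Table Scope, Role, Members, FullAdmin -AutoSize
```

                    Any row with FullAdmin set to True outside the built-in Administrator assignment is a delegation to revisit, since it grants the whole operation list rather than the few operations the scope was created for.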

                    Monday, July 11, 2011

                    Understanding NTFS and Share permissions

                    Recently, I instructed a Microsoft Class (6292: Installing and Configuring Windows 7 Client).  During a presentation about the effective permissions of a user when considering NTFS and Share permissions, one student sat up and said "I finally understand that concept.  Nobody has been able to explain that to me before."

                    I decided to put a little bit of that presentation here for everyone's benefit.

                    We use the NTFS security model to determine what a user is able to do with a file or folder.  There are several different permissions to choose from:

                    • Full Control: Users can do anything to the resource.
                    • Modify: Users can modify the files and their properties.  Users cannot take ownership or change permissions.
                    • Read & Execute: Users can run executable files and scripts.
                    • List Folder Contents: Users can view a list of a folder’s contents.
                    • Write: Users can write to a file.
                    • Read: Users can view files and the files' properties.
                    • Deny: Absolutely no access.
                    NTFS permissions need to be taken into consideration when a user accesses a file or folder either locally, or remotely.

                    Share permissions come into the equation when a file or folder is being accessed remotely through a share.  Share permissions include:
                    • Full Control: Allows all Read and Change permissions.
                    • Change: Allows all Read permissions plus:
                      • Adding files and subfolders
                      • Changing data in files
                      • Deleting subfolders and files
                    • Read: Viewing the contents of folders, data, and running programs.
                    If a user is a member of multiple security groups, those groups may grant the user multiple levels of permissions.  When looking at NTFS or Share permissions alone, the user's effective permission is the least restrictive one.  For example, if a user is a member of Group A with NTFS Read permission and Group B with NTFS Modify permission, the effective permission is Modify.  Even though the user is a member of a group with lesser privileges, the user is also a member of a group with greater privileges, and Windows uses the higher level of permissions.

                    When you combine NTFS and Share permissions, there is a simple formula to follow to determine a user's effective permissions while accessing a resource remotely.
                    1. Discover the least restrictive NTFS permission when looking at the user's security groups, and/or the user account, that have access rights assigned to the resource.
                    2. Discover the least restrictive share permission for that user and all the security groups that user is assigned to that have a share permission assigned to them.
                    3. Now, take the most restrictive of the NTFS and Share permissions.  That is the user's effective permission.
                    In the below example, the user is a member of Group A and Group B.  Group A has the NTFS permission of Modify and the share permission of Change.  Group B has the NTFS permission of Full Control and share permission of Read.
                    Group      NTFS           Share
                    Group A    Full Control   Full Control
                    Group B    Modify         Change
                               Write          Read
                               Read           Deny

                    We first determine the least restrictive permission for NTFS and the least restrictive permission for share.

                    Group      NTFS           Share
                    Group A    Full Control   Full Control
                    Group B    Modify         Change
                               Write          Read
                               Read           Deny

                    We can see that for NTFS, our effective permission is Full Control.  For the share permissions, our effective permission is Change.  Now, we need to take the most restrictive of those two permissions to determine the effective permission for this user when accessing the resource remotely.  In this case, the effective permission is Change.

                    Remember that the share permissions are only considered when the resource is being accessed from another client.  If the resource is being accessed on the same client as the one the user is logged into, we only take the NTFS permissions into consideration.
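                    The three-step rule above, written out as a PowerShell function (an added example, not part of the original post). It uses the permission ladder from the table above (Full Control, Modify, Write, Read for NTFS; Full Control, Change, Read for shares) and treats share Change as equivalent to NTFS Modify so the two results can be compared in step 3, which is an assumption of this example; it also carries one practitioner caveat: an explicit Deny from any group wins over every Allow.

```powershell
# Added example, not from the original post: the effective-permission rule as a function.
# Ranks follow the post's table, least restrictive = highest. Levels not listed here
# (e.g. Read & Execute) fall to the bottom of the ladder; extend the tables as needed.
function Get-EffectivePermission {
    param(
        # One hashtable per group, e.g. @{ Group = 'Group A'; NTFS = 'Modify'; Share = 'Change' }.
        # Leave NTFS or Share out when that group has no entry on the resource.
        [Parameter(Mandatory = $true)][hashtable[]]$GroupPermissions,
        # Local logon: only NTFS permissions apply, share permissions are not evaluated.
        [switch]$LocalAccess
    )
    $ntfsRank  = @{ 'Read' = 1; 'Write' = 2; 'Modify' = 3; 'Full Control' = 4 }
    $shareRank = @{ 'Read' = 1; 'Change' = 3; 'Full Control' = 4 }   # Change ~ Modify (assumed)

    $ntfsLevels  = @($GroupPermissions | ForEach-Object { $_.NTFS }  | Where-Object { $_ })
    $shareLevels = @($GroupPermissions | ForEach-Object { $_.Share } | Where-Object { $_ })

    # Caveat: an explicit Deny beats any Allow, whichever group it comes from.
    if ($ntfsLevels -contains 'Deny') { return 'Deny' }
    if (-not $ntfsLevels) { return 'None' }            # no NTFS entry at all: no access

    # Step 1: least restrictive NTFS permission across the user's groups.
    $ntfs = $ntfsLevels | Sort-Object { $ntfsRank[$_] } -Descending | Select-Object -First 1
    if ($LocalAccess) { return $ntfs }

    # Step 2: least restrictive share permission across the user's groups.
    if ($shareLevels -contains 'Deny') { return 'Deny' }
    if (-not $shareLevels) { return 'None' }           # no share entry: nothing granted remotely
    $share = $shareLevels | Sort-Object { $shareRank[$_] } -Descending | Select-Object -First 1

    # Step 3: the more restrictive of the two is the effective remote permission.
    if ($shareRank[$share] -lt $ntfsRank[$ntfs]) { return $share } else { return $ntfs }
}

# The post's walk-through: Group A = Modify / Change, Group B = Full Control / Read.
$example = @(
    @{ Group = 'Group A'; NTFS = 'Modify';       Share = 'Change' },
    @{ Group = 'Group B'; NTFS = 'Full Control'; Share = 'Read' }
)
Get-EffectivePermission -GroupPermissions $example               # accessed through the share
Get-EffectivePermission -GroupPermissions $example -LocalAccess  # same user logged on locally
```

                    Run against the post's two-group example the function reproduces the walk-through above, and the second call shows why the share permission drops out of the calculation for a local logon.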

                    Friday, July 8, 2011

                    DHCP Renewal Interval

                    In class we had a discussion about a slide that seems to say a DHCP client first renews its lease at 87.5% of the lease period instead of 50%.  Below is an excerpt from TechNet that should help clear up the confusion.


                    Renewing a lease

                    The DHCP client first attempts to renew its lease when 50 percent of the original lease time, known as T1, has passed. At this point, the DHCP client sends a unicast DHCPRequest message to the DHCP server that originally granted its lease. If the server is available, and the lease is still available, the server responds with a unicast DHCPAck message, and the lease is renewed.

                    If the original DHCP server is available, but the client’s current lease is no longer available, the DHCP server responds with a DHCPNack message, and the client immediately starts the process to obtain a new lease. This can happen if the client has changed subnets or if the DHCP server cannot fulfill the lease request for some other reason.

                    If there is no response from the DHCP server, the client waits until 87.5 percent of the lease time, known as T2, has passed. At T2, the client enters the rebinding state, and broadcasts a DHCPRequest message to attempt to renew the lease from any available DHCP server. If no DHCP server is available by the time the lease expires, the client immediately unbinds itself from the existing lease and starts the process to obtain a new lease, beginning with a DHCPDiscover message.

                    Thursday, July 7, 2011

                    Create a Self-Service User in VMM

                    A self-service user role enables users to create and manage their own virtual machines within a controlled environment by using the VMM Self-Service Portal or the Windows PowerShell VMM command shell. A self-service user cannot create or modify user roles and cannot perform administrative functions on hosts and library servers.


                    To create a Self-Service User, open System Center Virtual Machine Manager.


                    In the menu bar, click Go \ Administration.


                    In the menu bar, click Actions \ User Role \ New user role



                    Provide a name and a description for the user role.


                    In the User role profile: drop down menu, choose Self-Service User


                    Click Next


                    In the Add Members window, click Add…


                    Add in the users or groups that will be part of this role.


                    Click Next.


                    In the Select Scope window, select the host group that these users will be able to utilize for their virtual machines.


                    Click Next


                    In the Virtual Machine Permissions window, you can set what each of the users who are a part of this role can do. They can:


                    · Start virtual machines

                    · Stop virtual machines

                    · Pause and resume virtual machines

                    · Create and manage virtual machine checkpoints

                    · Remove virtual machines

                    · Be granted local administrator rights on their virtual machines

                    · Be allowed to remotely connect to their virtual machines

                    · Shut down virtual machines.


                    Check the appropriate boxes and click Next.


                    In the Virtual Machine Creation Settings you can determine if the users can create virtual machines. You can also provide them with a list of templates (Pre-created VMs) to choose from.


                    To limit the number of running VMs the users can have, check Set quota for deployed virtual machines:


                    VMs can have different quota values assigned to them. This quota system helps prevent a user from accidentally, or intentionally, creating a Denial-of-Service situation on your host servers.


                    Click Next


                    The Share quota across user role members setting will set the quota for the role members as a group. In other words if the quota is 5 and one user has 5 VMs started, no other member of that group will be able to start a VM until a VM is shut down.


                    In the Library Share window, you can select which library will store the VMs and ISO files created by the users of this role.


                    Click Next.


                    Click Create.

                    Wednesday, July 6, 2011

                    How to make sure the firewall rules for both Public and Private networks are the same

                    Originally this question was “How to force all new wireless networks to be Public.”  I had very little luck with this one.  I started looking into a PowerShell option for this, but that code was turning into a complex process.  It then hit me, just make the two profiles the same in the firewall.


                    To do this, we are going to use the firewall on a Windows 7 client. 


                    Open the Windows Firewall with Advanced Security.

                    Right click Windows Firewall with Advanced Security and then click Export Policy.



                    Save the policy to a network location.


                    Open Group Policy Management on a Windows 2008 R2 server or a Windows 7 Client with RSAT installed.


                    Create a new GPO, or use one that is scoped to reach all of your clients.  I named my GPO Firewall.


                    Edit the GPO and expand Computer Configuration / Policies / Windows Settings / Security Settings / Windows Firewall with Advanced Security / Windows Firewall with Advanced Security.


                    Right click Windows Firewall with Advanced Security and select Import Policy.




                    Click Yes at the warning.


                    Import the policy that you exported with the previous steps.


                    Now, go through the inbound and outbound rules.  Anywhere you see the profile as only listing Private, mark it as also being set for Public.  To do this, double click on a setting that is only set for Private.




                    Click the Advanced tab.


                    Check Public and then click OK.




                    Do this for all the inbound and outbound rules.


                    Now apply the GPO to the clients and the Public firewall profile will be just as restrictive as the Private profile.  Should your user accidentally click Private, no problem.  They will have the same settings as the Public profile.


                    You will need to use this GPO for any future firewall updates, and remember to apply any change made to the Public profile to the Private profile as well.
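                    The rule-by-rule check above is tedious by hand, so here is an added PowerShell example (not the post's code) that finds every rule applying only to the Private profile and, with -AddPublic, extends it to Public. It uses the HNetCfg.FwPolicy2 COM interface that Windows 7 already exposes, works on the local firewall store rather than the GPO, and must run elevated to change anything.

```powershell
# Added example, not from the original post: report (or fix) firewall rules whose profile list
# includes Private but not Public. Uses the INetFwPolicy2 COM interface present on Windows 7;
# without -AddPublic nothing is changed, so the report can be compared against the GPO first.
function Sync-PrivateRulesToPublic {
    param([switch]$AddPublic)

    # NET_FW_PROFILE_TYPE2 bit values used by the Profiles property.
    $DOMAIN = 1; $PRIVATE = 2; $PUBLIC = 4
    $policy = New-Object -ComObject HNetCfg.FwPolicy2

    foreach ($rule in $policy.Rules) {
        $before = $rule.Profiles
        # A rule set to "all profiles" carries the Public bit too, so it is skipped here.
        $privateOnly = (($before -band $PRIVATE) -ne 0) -and (($before -band $PUBLIC) -eq 0)
        if (-not $privateOnly) { continue }

        if ($AddPublic) { $rule.Profiles = $before -bor $PUBLIC }   # keep Domain/Private, add Public

        $direction = if ($rule.Direction -eq 1) { 'Inbound' } else { 'Outbound' }  # NET_FW_RULE_DIR_IN = 1
        [pscustomobject]@{
            Name        = $rule.Name
            Direction   = $direction
            Enabled     = $rule.Enabled
            Action      = $rule.Action            # 0 = Block, 1 = Allow
            ProfilesOld = $before
            ProfilesNew = $rule.Profiles
        }
    }
}

# Audit only: list the rules that would change, then rerun with -AddPublic to apply.
Sync-PrivateRulesToPublic | Format-Table Name, Direction, Enabled, Action, ProfilesOld -AutoSize
```

                    On a domain-joined client the rules the GPO pushes are merged with the local ones, so run the audit on a client that already receives the Firewall GPO to confirm no Private-only rule slipped through the manual edit.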

                    Tuesday, July 5, 2011

                    Create a Delegated Administrator in VMM

                    A Delegated Administrator has the ability to perform all the functions of an administrator in VMM, but is limited to only certain groups of hosts or library servers.


                    To create a Delegated Administrator, open System Center Virtual Machine Manager.


                    In the menu bar, click Go \ Administration.


                    In the menu bar, click Actions \ User Role \ New user role



                    Provide a name and a description for the user role.


                    In the User role profile: drop down menu, choose Delegated Administrator


                    Click Next




                    In the Add Members window, click Add…


                    Add in the users or groups that will be part of this role.


                    Click Next.


                    In the Select Scope window, check the hosts, host groups, and library servers that this group will have administrative control over in VMM.


                    Click Next.




                    In the Summary window, click Create.

                    Monday, July 4, 2011

                    On the printer sharing properties, what does Render Print Jobs on Client Computers do?

                    While in class, a student noticed the Render Print Jobs on Client Computers option while we were discussing shared printers.




                    On legacy versions of Windows, it was assumed that the print server would have more processing capability than the clients. For this reason, print jobs were processed on the print server. Now that we have faster, multi-core processors, clients are just as powerful as most print servers. This option is the default setting on Vista and Windows 7.


                    Some other advantages of CSR (Client Side Rendering) are the elimination of driver mismatches and better support for offline printing. Since the same computer that spooled the print job also rendered the EMF-format data, there are no inconsistencies between the client and server print drivers. Also, the printout can be spooled even if there is no connection to the computer that is hosting the printer. The print job is automatically transmitted when a connection is established.

                    Friday, July 1, 2011

                    What is the WINSXS folder?

                    The WINSxS folder (also known as Windows Side by Side) holds the code for installing the roles and features of Windows and the installation files for other applications that you install on your client.  This folder allows you to install additional components without asking you for the installation media.  This is a good thing as we move closer to the day when DVD drives will be found only in museums.

                    The big thing here is the number of GB that this folder consumes.  Microsoft suggests not deleting anything from this folder, as it could hinder your ability to add additional functionality.

                    The following link to the blog site for Microsoft Enterprise Platforms Support: Windows Server Core Team will give you some options on how to possibly reduce the size of the WinSxS folder safely.

                    As always, backup and test before putting their procedure into production.