Blog - IT-Admins

Linux and DHCP reservations aren’t working

This is something I just came across myself. While deploying an Ubuntu Linux VM the DHCP reservation did not work. This was mixed up with a Windows 2016 DHCP server.

After looking at the wrong DHCP lease I quickly saw an extremely long MAC address and figured that the Linux VM used some kind of randomization for the interface.

IFCONFIG on the system showed the correct hardware MAC address.

It took me a few minutes of research and testing till I found the root cause and rather simple solution.

Linux replaced their NIC handling on many distributions with a newer system called NETPLAN.

I read that a 2019 Windows DHCP would likely handle this correctly, did not have time to test this out. But the following worked for me:

List the contents /etc/netplan
- ls /etc/netplan
- there should be a file ending in .yaml
Edit this .yaml file
- sudo nano /etc/netplan/<filename>.yaml

The file is structured like this:

network:
	renderer: networkd
	version: 2
	ethernets:
		nicdevicename:
			dhcp4: true
			dhcp-identifier: mac

network:

renderer: networkd

version: 2

ethernets:

nicdevicename:

dhcp4: true

dhcp-identifier: mac

Under your NICDEVICENAME add the line dhcp-identifier: mac and save (CNTRL+O) and exit (CNTRL+X) the file.

Now you can either try to apply the netplan config via sudo netplan apply or simply reboot.

This should solve the issue.

June 28, 2022 by Florian Rossmark configuration solutions

Check your webpage for mobile friendly readiness

One of the issues I came across again and again was the e.g., the Google Search Console error with “Text too small to read” and/or “Clickable elements too close together“.

This might hit you all of a sudden and can have multiple reasons.

The best way to start is using the F12 key in your browser and looking at the indicated page emulating a mobile device using the Toggle Device Emulation function. See if you can visually identify the issue right away. If not, it becomes trickier.

You can engage the Google Mobile-Friendly Test page and/or the Bing – Mobile Friendliness Test Tool to see if you can find out more. But as a matter of fact, they might not even find anything. Still, validating the fix, what will take days, might fail especially if you didn’t change anything.

You will quickly discover that there is a lot of talk about the html header tag “<meta name=”viewport” content=”width=device-width, initial-scale=1″>“, of course if you do not have this one yet, implement it, but if you use a current CMS like WordPress it is likely already there.

In my case it came down to the TAG CLOUD that showed a lot of TAGS and because of the sheer amount some of them became rather small und therefor closer together when it comes to clickable items. This seemed to be no issue visually but still, Google interpreted it as one.

Needless to say, that ignoring any errors thrown by the Google Search Console might cost you valuable ranking or simply cause Google to not index certain pages. Especially since Google is primarily focusing on mobile usability.

June 15, 2022 by Florian Rossmark Uncategorized web

Tools for WebAnalytics and SEO

SEO and Web Analytics are a very important part of successful web pages and blogs, like this page as well.

You want to use SEO tools and plugins on your website, read up on how to use key phrases and other tools in this constantly changing world of web pages and search engines as well as now mobile first development. Having been in IT over 25 years, I saw a lot of changes.

When creating a website, make sure you engage some tools right away, make sure you have small images, JPG is still a very good idea, engage image optimizer plugins and don’t over-size them – I am guilty of this as well.

Caching or your pages with plugins and other techniques and systems is highly recommended, because SEO judges you also on render time and things like LCP – Largest Contentful Paint.

Keep all the overhead CSS and JavaScript under control, especially side loading is a huge problem when it comes to lagging speed to load websites.

To get a good overview – use Google PageSpeed Insights to see how your page is performing and where you should start improving.

Another important tool Google Analytics – it recently changed to GA4 which you can simply switch too. The data there can give you a good idea how people finding your website and where you should improve your marketing efforts.

Now, marketing is not necessarily spending money on Google Ads, find out where people interested in your page collaborate and exchange and interact with them, if there you have e.g., a good blog entry about a topic, you might be able to link it and get more visitors.

And then there is the Google Search Console – the easiest way to find out how your page is ranking on various search requests and also making sure your page has no issues – what is critical. Make sure Googles algorithms are happy with especially the mobile version of your website, that it is deemed readable and fast. Only then you will get a good SEO rating. Ignoring issues there can cause Google to stop indexing your webpage, what will result in less clicks and a decline in visitors.

Of course, there are other tools and search engines out there, but let’s face it – the DeFacto standard is Google. This does not mean you can ignore the others, but I found that Googles free tools are most of the time already very sufficient.

All of this is just a quick overview, this topic is huge and a whole industry stays behind the SEO and web marketing – my only goal was to give owners of smaller website a good overview and some tips on how they can improve without spending a fortune.

Finally, you also should make sure your website is secured and monitored for threads. Not just the incoming threads, also that your website is not unintentionally causing a thread to your visitors due to malicious plugins or altered content. Engage third party firewalls and scan systems. Yes they will cost you money, but they will save your reputation with your visitors.

April 21, 2022 by Florian Rossmark recommendations web

Useful registry keys to supplement settings not available in standard GPO templates

This blog entry will list some registry keys to control computer and user settings via GPO but aren’t available in the standard ADMX GPO templates.

Below you find always the same data format:

Computer Configuration or User Configuration
HIVE
Kay Path
Value Name
Value Type
Value Data
Short explanation
Link if available

Over the years I also always tried to leave a comment in the GPO’s, especially for the Registry Keys, so I could later identify them quickly and possibly even leaving a link so others could read up on these settings and options without doing long research.

Show Drive Letters first in Windows Explorer

This Registry value is set in two areas – Computer Configuration and User Configuration. See both keys below.

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ShowDriveLettersFirst
REG_DWORD
0x4 (4)
Defines if the drive letter is shown first in Windows Explorer
- 0 = After
- 1 = Mixed
- 2 = No drive letter
- 3 = Before

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer
ShowDriveLettersFirst
REG_DWORD
0x4 (4)
Defines if the drive letter is shown first in Windows Explorer
- 0 = After
- 1 = Mixed
- 2 = No drive letter
- 3 = Before

Support URL

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
SupportURL
REG_SZ
URL to your support system
Set the Windows Support URL shown in the Computer Properties in the Support section – Link is behind the Online Support Website.

Support Hours

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
SupportHours
REG_SZ
e.g.: 0800-1700 Pacific Time
Set the Windows Support Hours shown in the Computer Properties in the Support section.

Support Hours

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
SupportPhone
REG_SZ
your helpdesk phone number
Set the Windows Support Phone Number shown in the Computer Properties in the Support section.

Support Manufacturer

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
Manufacturer
REG_SZ
Suggest to put in your Company name here
Set the Manufacturer Name / Company Name shown in the Computer Properties in the Support section.

Hide Drives with no Media

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideDrivesWithNoMedia
REG_DWORD
00000000
If set to 0x0 (0) it will not hide empty drives, if set to 0x1 (1) it will hide empty drive letters from Windows Explorer.

Expand folders to current folder

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
NavPaneExpandToCurrentFolder
REG_DWORD
0x1 (1)
This will expand all folders to the current folder in the navigation panel of Windows Explorer, by default it will only navigate to the folder but not expand the path to it in the Navigation Panel. The behavior on this changed back in Windows Vista or Windows 7. This sets it back to a more Windows XP like behavior, what makes it easier to navigate Windows Explorer.

Fast Boot Enabled

Computer Configuration
HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Control\Session Manager\Power
HiberbootEnabled
REG_DWORD
0x0 (0)
Turns off Windows 10 Fast Startup – meaning a real reboot is done rather then a quick reboot that is actually not a real Windows reboot. A real reboot is slower, but much cleaner.

Office 365 – Update Channel

There is a settings in the Office ADMX files under Microsoft Office 2016 (Machine)/Updates for:

Enable Automatic updates
Update Channel
Update Deadline

Additionally this settings should be set to make sure everything is configured the same and installs the same:

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Office\ClickToRun\Configuration
CDNBaseUrl
REG_SZ
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
This will set the Office 365 channel to current for the click to run installation.

Allow Print Driver Installation

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators
REG_DWORD
0x0 (0)
Microsoft released KB5005652 which requires admin rights to install printers, and affects some existing printers that will require an admin to install driver update. Work around is to add the registry key below, which disabled this new security feature.
- Value: 0
  - Allow non-admin users to install Point and Print printer drivers
- Value: 1
  - Blocks non-admin users from installing Point and Print printer drivers. If this registry key does not exist, the default with KB installed will be same as Value 1, blocking non-admins from installing Point and Print printer drivers.
https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

Ensure Outlook is the default mail client

User Configuration
HKEY_CURRENT_USER
Software\Clients\mail
(Default)
REG_SZ
Microsoft Outlook
Ensures Microsoft Outlook is the standard mail client

Set Microsoft Teams as the default IM application

See this blog entry as well about this.

User Configuration
HKEY_CURRENT_USER
Software\IM Providers
DefaultIMApp
REG_SZ
Teams
Sets Microsoft Teams as the default Instant Messenger Application.

Set Microsoft Office to read User information from Active Directory

Make sure you set both registry keys for this.

Set this to “Apply once and do not reapply” as well.

This will cause Microsoft Office applications read any user information fresh from Active Directory, as it cleans the current values.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Office\Common\UserInfo
UserName
(not set)
(not set)
This will cause the first Office application to read the information from Active Directory and re-create it specifically for the user.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Office\Common\UserInfo
UserInitials
(not set)
(not set)
This will cause the first Office application to read the information from Active Directory and re-create it specifically for the user.

Disable the Network Sharing Wizard in Windows Explorer

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SharingWizardOn
REG_DWORD
0x0 (0)
Disables the Sharing Wizard in Windows Explorer.

Remove the Network form Windows Explorer

Probably one of the more important security measures you can do, to avoid the standard user browsing other systems on the network to much. It does not really prevent it, but makes it a lot less easy for regular end users, as the network area in Windows Explorer simply vanishes.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
REG_DWORD
0x1 (1)
Remove Network from Windows Explorer.

Remove Administrative Tools from the Start Menu

This is made out of two combined registry keys. You will need to apply both for this to take affect.

Highly recommend to make sure it does not apply to any administrator accounts, as this can be contra productive.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Start_AdminToolsRoot
REG_DWORD
0x0 (0)
Removes administrative tools from the start menu.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
StartMenuAdminTools
REG_DWORD
0x0 (0)
Removes administrative tools from the start menu.

Windows Update Restart Notifications for End Users

Please apply both Registry Keys for this to take affect.

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
RestartNotificationsAllowed
REG_DWORD
0x1 (1)
Will display Restart Notifications to End Users.

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
RestartNotificationsAllowed2
REG_DWORD
0x1 (1)
Will display Restart Notifications to End Users.

April 7, 2022 by Florian Rossmark configuration recommendations windows

Windows 11 and SQL (Express) issues

Due to a change on how Windows 11 presents the disk sector size, you can have issues with SQL or SQL Express after your upgrade or even on brand new installations.

SQL might just fail to start after an upgrade, with the Event Viewer Application Log Error 1000 similar to the below one:

Faulting application name: sqlservr.exe, version: 2019.150.2080.9, time stamp: 0x5fa6009b
Faulting module name: sqllang.dll, version: 2019.150.2080.9, time stamp: 0x5fa60189
Exception code: 0xc0000005
Fault offset: 0x0000000000361bf5
Faulting process id: 0x670c
Faulting application start time: 0x01d846287c712ec8
Faulting application path: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS_2019\MSSQL\Binn\sqlservr.exe
Faulting module path: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS_2019\MSSQL\Binn\sqllang.dll
Report Id: 10227658-21ca-4bd0-9121-9bf328003574
Faulting package full name:
Faulting package-relative application ID:

Faulting application name: sqlservr.exe, version: 2019.150.2080.9, time stamp: 0x5fa6009b

Faulting module name: sqllang.dll, version: 2019.150.2080.9, time stamp: 0x5fa60189

Exception code: 0xc0000005

Fault offset: 0x0000000000361bf5

Faulting process id: 0x670c

Faulting application start time: 0x01d846287c712ec8

Faulting application path: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS_2019\MSSQL\Binn\sqlservr.exe

Faulting module path: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS_2019\MSSQL\Binn\sqllang.dll

Report Id: 10227658-21ca-4bd0-9121-9bf328003574

Faulting package full name:

Faulting package-relative application ID:

This is especially true for Samsung SSD 980 – be aware – the SSD 980 Pro does not have this issue, just the SSD 980. There are other OEM versions of it that have the same issue and actually a bunch of other disks.

The root cause is that the devices report the true sector size, what causes SQL to fail. This is still true with SQL Express 2019 – earlier versions as well.

As described in this Microsoft article, you can add a registry key and reboot to make Windows 11 behave like Windows 10 and earlier Windows versions.

Of course, alternative you can either install SQL on another disk drive or replace the drive with one that does not have these compatibility issues.

It remains unclear if there will be updates to this in the future from either Microsoft of the disk vendors like Samsung in the future. For now, this simple registry adjustment fixes the issue.

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\stornvme\Parameters\Device" -Name   "ForcedPhysicalSectorSizeInBytes" -PropertyType MultiString -Force -Value "* 4095"

1	New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\stornvme\Parameters\Device" -Name "ForcedPhysicalSectorSizeInBytes" -PropertyType MultiString -Force -Value "* 4095"

Reboot after the registry adjustment for the change to take effect.

April 1, 2022 by Florian Rossmark configuration server solutions windows

MeshCentral – Certificate installation

MeshCentral is a remote support OpenSource platform. It runs on Windows or Linux and needs to be self hosted.

While it supports Let’s Encrypt (letsencrypt.org) certificates, this is not always a possible option. Issues you can run in to are:

port 80 incoming is blocked by your internet provider
your DNS provider does not support the ACME protocol needed

Of course, you also could just simply want to create your own certificate. To do so you go to your regular CA (certificate authority) provider and get your certificate issued. You can do so by simply engaging Windows IIS, request a new certificate per CSR, have it issued and finalize the request in IIS. Your last step is to export it including the private key.

Transfer this file now to your MeshCentral server (just use MeshCentral to transfer the file). Next you will need OpenSSL – what is often pre-installed on Linux and Raspberry, on Windows you will need to download it separately.

OpenSSL is used on the command line to extract the unencrypted key and the separate the certificate so MeshCentral can use it. Follow the next steps – while we assume your source certificate file is named source.pfx.

openssl pkcs12 -in source.pfx -nocerts -out encryptedkey.key
1. this will ask for the password for source.pfx
2. it will also ask and have you confirm a new password (can be the same) for the destination file
openssl rsa -in encryptedkey.key -out webserver-cert-private.key
1. it will ask your for the new password of the file you created in step 1
2. this will overwrite the webserver-cert-private.key file with a passwordless key-file as needed by MeshCentral
openssl pkcs12 -in source.pfx -clcerts -nokeys -out webserver-cert-public.crt
1. this will ask for the password for source.pfx
2. it will overwrite the webserver-cert-public.crt file with the public part of your certificate

Now reboot the MeshCentral service/server and open a new browser window, you certificate should work now.

June 14, 2021 by Florian Rossmark configuration solutions

Windows 10 Build 2004 / 20H1 – SMBv1 network drives not connecting

The newest builds and updates can possibly break some Windows 10 network connections. Saw this specifically in a situation with a SMBv1 drive that was connected via FQDN per GPO.

Windows was not able to connect to the drive, looking at NET USE all you saw was reconnecting.

Connecting to the same share via HOSTNAME and/or IP worked just fine, as well as engaging the UNC path.

The solution to this eventually is a simple registry adjustment, that has to be done in the user-profile HKCU area, so no advanced rights are needed.

Steps:

open REGEDIT
go to HKCU\Network
select the key with the drive-letter you have issues with
add a new REG-DWORD
1. PROVIDERFLAGS
2. Decimal 1 or DWORD 00000001
Reboot

Your network drive should work normal again.

Background and Explanation:

The PROVIDERFLAGS instruct Windows to reconnect the SMBv1 network drive, more or less. It eventually did not matter if it was connected per FQDN, IP or HOSTNAME – is was the reconnect that the GPO implied, respective the NET USE /PERSISENTENT:YES switch. If you would use a script – netlogon script – you could just determine the drive as /PERSISTENT:NO and not see the issue either as well as solve it.

Eventually this is specific to SMBv1 and I can’t warn enough about the security risks this protocol has. Still – there are here and there systems that still need to stick around – hopefully secured by firewalls and even sandboxes etc..

May 18, 2021 by Florian Rossmark configuration server solutions windows

ActiveDirectory/LDAP result limits – MaxPageSize

ns a website from a systems administrator for systems administrators Home IT-Admins CMDB IT-Admins tool IT Search EOL Solutions Blog Contact Links ActiveDirectory/LDAP result limits – MaxPageSize

ActiveDirectory, respective LDAP, has a result limit setting, MaxPageSize. Those are set by default to 1000 rows per query.

This is primarily important if you use some kind of programming language to get results from LDAP, this code must compensate those limits and engage paging.

Your LDAP query does not need to provide the limit, only the code needs to do the paging as you always just get the max. amount of results set in the current settings.

In order to check your settings do the following commands in a command prompt / cmd window:

ntdsutil
ldap policies 
connections
connect to domain YOURDOMAIN.LOCAL
quit
show values

ntdsutil

ldap policies

connections

connect to domain YOURDOMAIN.LOCAL

quit

show values

In theory you could set different values now as well, assuming you have the permission level to do so. But this is not recommended and you should engage paging instead, as you otherwise risk to overload your DCs – even if your commands won’t cause it, a possibly DoS attack could happen – malicious or not, so leave the limits, but be aware of them.

April 7, 2021 by Florian Rossmark configuration server solutions

Reset or Remove the Windows Hello PIN

Windows 10 offers various ways to logon to your device. All of them have their pro’s and con’s. One thing is for sure, Microsoft loves the Windows Hello PIN. Even on an Active Directory Domain joined system – if you want to e.g. set up a Finger-Print login, you will be forced to generate a Windows Hello PIN, at least by default.

Funnily it can happen that you don’t even have the option to reset the PIN. What if the user forgot his PIN? No big deal? Well… it actually is a big deal. By default Windows goes back to the PIN if the Finger-Print reader does not work, what is especially common with the Microsoft Surface Keyboards, sure you can rip them off and re-attach to make it work again, but still your user-base / employee-base will say it asks for a PIN and I forgot it..

Fingerprints and PINs are stored locally on the device, in a secured vault. You can’t really alter it, but you can remove it.

In order to remove all locally stored PINs and possibly even Finger-Prints, you must delete all contents of %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC.

The quickest way to accomplish this is using the two following commands in an elevated Command Prompt / CMD (run as administrator).

takeown /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y

icacls %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t

takeown /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y

icacls %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t

The first one will take ownership of the folder, the second one then will grant administrators rights to it.

Once this is done, you need to delete all contents of the folder. If you are logged on as an administrator you can just use Windows Explorer. If you are logged on as a regular user, you need to do it either more manual in CMD or use e.g. a tool like 7-zip in elevated mode and navigate to the folder, be aware that 7-zip might not be able to handle %windir%, either navigate manually to the folder or use C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC to get to the path. Delete all contents.

Reboot.

This sledgehammer method will delete all stored PINs and other information for all accounts known by the device. They will need to logon with their Active Directory password and start from scratch. You might also need to click on e.g. REMOVE in the Finger-Print configuration to start over.

March 22, 2021 by Florian Rossmark configuration solutions windows

VMware hosts network speed tests with iperf

Ever needed to run speed-tests between your VMware hosts? There is an CLI command iperf3 for this.

This command runs as a server and client command. One host will be the server and the other the client. There is further the possibility that some storage vendors even support the iperf3 command.

Example scenario with two VMware ESX hosts:

IT-ESX-01P – will act as server
- IP: 10.0.0.1
IT-ESX-02P – will act as client
- IP: 10.0.0.2

Steps and commands to execute the network speed test:

Enable SSH on both hosts and connect with e.g. Putty to it, logon as well.
IT-ESX-01P will act as our server
1. disable the firewall
  1. esxcli network firewall set –enabled false
  2. The ESX firewall needs to be disabled temporarily to execute the tests – on client and server
2. List the kernel network IP addresses
  1. esxcli network ip interface ipv4 get
  2. choose the interface IP that is on the network you want to test, only kernel-IPs will work
3. go to the directory that holds the iperf3 command
  1. cd /usr/lib/vmware/vsan/bin
4. start the iperf server on this host on the kernel IP you need it on
  1. ./iperf3.copy -s -B 10.0.0.1
  2. this command starts the server respective listener on the host on the specified IP address
IT-ESX-02P will act as our client
1. disable the firewall
  1. esxcli network firewall set –enabled false
  2. The ESX firewall needs to be disabled temporarily to execute the tests – on client and server
2. go to the directory that holds the iperf3 command
  1. cd /usr/lib/vmware/vsan/bin
3. execute the speed test against the server IP address
  1. ./iperf3 -c 10.0.0.1 -t 10 -V
  2. this will start sending packets to the server – you will see the flow on both sides
  3. cancelling this command – cntrl + c – can take a minute, be patient, especially if you mistyped the IP or forgot to disable the firewall etc..
Review the results on the speed test
1. Below are result samples for a 1 GB kernel network, a 10 GB kernel network and a 25 GB kernel network.
2. Sample results – 1 GB
3. Sample results – 10 GB
4. Sample results – 25 GB
5. Be aware, those results will vary and depend on the network bandwidth available in the moment of the test, respective the current load on the network cards of client and server.
IT-ESX-01P exit server mode and enable firewall
1. cntrl + c will exit the server mode and go back to the CLI
2. enable the firewall
  1. esxcli network firewall set –enabled true
3. EXIT SSH
IT-ESX-02P enable firewall
1. enable the firewall
  1. esxcli network firewall set –enabled true
2. EXIT SSH
Done

Additional links to this topic:

March 9, 2021 by Florian Rossmark configuration server

Windows Print Server Aliases

Windows Print Server Aliases – what is that and why would you even need to think about it?

For File-Servers, you can set up DFS structures and have a single point of entry as from the perspective of the client. It’s a simple named path and works rather flawless if set up right and monitored e.g. with PRTG. But what about your print server? Is it a defined hostname and the printers sit on this host? What happens when you want to upgrade the host to a new windows version or theoretically even do some special DNS routing (that’s very advanced and has hurdles, I will not address this in this posting).

Well – you can sure set up an ALIAS name in your DNS, but soon you will discover you can’t connect to the printers on this server. This is because you are missing some registry tweaks. At this point I also want to make you aware, I saw Windows updates removing those keys, so keep this article handy to reconstruct the registry in case of any issues.

You will need a total of three registry keys added, as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\DnsOnWire=dword:00000001

1	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\DnsOnWire=dword:00000001

This first key will enable DNSOnWire for the Print-Server itself. This is needed to make the print-server aware that you might use DNS ALIAS / CNAME entries to access him. More can be found e.g. here: Windows couldn’t connect to the printer – Windows Server | Microsoft Docs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableStrictNameChecking=dword:00000001

1	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableStrictNameChecking=dword:00000001

This key, DisableStrictNameChecking, we need to configure the SMB server / LANManServer – he needs to be aware as well that we will use CNAMES to access the shares on the server. You can find some more information at the following link: Can’t access SMB file server – Windows Server | Microsoft Docs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\OptionalNames=reg_sz:YourCNAMEEntry

1	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\OptionalNames=reg_sz:YourCNAMEEntry

And last but not least, the OptionalNames – this is the one key that’s most hidden but still so important. You can also make it REG_MULTI_SZ key. But it works with a simple REG_SZ key and the short CNAME alias that you have specified, you don’t even need use the FQDN.

There are many ways on how to accomplish this one last key, it changed throughout the Windows versions, it was possibly even renamed. Worst I saw on a Windows 2016 server was it vanished after a update session and reboot. So be prepared for that. A simple recreation and reboot fixed the issues.

Also, make sure you reboot after those changes, otherwise it won’t work.

January 13, 2021 by Florian Rossmark configuration server solutions windows

Bypassing Windows 10 UAC for Unknown Publishers

It happens that some programs alert you in Windows 10 about Publisher: Unknown and expect you to possibly provide administrative credentials to even execute it.

Especially in corporate networks users likely don’t have this level of permissions and surely the IT department respective IT-Administrators going to be reluctant to grant administrative privileges when they are not absolutely necessary.

For this specific case, there is a possible workaround – try to start the program with the following CMD-command and see if you might be able to bypass this issue. I sure don’t recommend doing this just for any program, be sure that what you want to start is safe, but there are cases where this is necessary, cause you won’t want to alter the UAC (User Account Control) or permission level or the employee.

%windir%\System32\cmd.exe /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Program Files\Path\To\Your\Program.exe""

1	%windir%\System32\cmd.exe /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Program Files\Path\To\Your\Program.exe""

Of course, adjust the path to your program. Eventually the parameter __COMPAT_LAYER=RUNASINVOKER is likely to bypass this specific issue.

Note that this also depends on a few more variables, but it sure is worth a try.

December 8, 2020 by Florian Rossmark configuration security windows

Make Microsoft TEAMS the default IM application

Having multiple applications that act as chat respective IM application but you want Microsoft TEAMS to be the default Instant Messenger application especially so Outlook e.g. shows the correct online/offline as well as free and busy status for employees and so they can start a conversation directly from there, you will need to make sure that Microsoft TEAMS is the default IM Provider.

This came up especially in combination with Cisco Jabber, that is often used as the software phone client for a Cisco phone system. This application might overrule the user settings and take presence especially in Microsoft Outlook. Cisco has an article about this here that talks about various registry keys. But this is actually not the direct solution for this issue.

In order to set TEAMS, if installed, the default application for your employees, it is easiest to engage Group Policies, GPOs, for this. Simply follow the below steps. Those settings will find out if Microsoft TEAMS is available and if so set it as default IM Provider. Close Microsoft Outlook and open it again and you will see the status icons and message box being associated with Microsoft TEAMS.

Of course, you could slightly adjust the suggested GPO settings and engage e.g. Cisco Jabber or any other IM provider available instead. Just have a look at the registry path HKEY_CURRENT_USER\Software\IM Providers and see what is available and set the GPO accordingly. All you need is the name of the sub key for the DefaultIMApp value.

Steps for the user GPO

Create a new GPO (or chose an existing GPO)
1. This will be a User Configuration
Navigate to User Configuration\Preferences\Windows Settings\Registry
Create a new Registry Item
Settings on General tab
1. Leave the Action settings to Update
2. Hive: HKEY_CURRENT_USER
3. Key Path: Software\IM Providers
4. Value name: DefaultIMApp
5. Value type: REG_SZ
6. Value data: Teams
Settings on Common tab
1. Check Run in logged-on user’s security contact (user policy option)
2. Check Item-level targeting
3. Click on Targeting and apply the following settings
  1. The following steps make sure that this is only applied if Microsoft TEAMS is available as a IM provider
  2. Click on New Item and chose Registry Match
  3. Match type: Key exists
  4. Hive: HKEY_CURRENT_USER
  5. Key Path: Software\IM Providers\Teams
4. It is good practice to provide a Description for this item – e.g.: This will set Microsoft TEAMS as default IM Provider for e.g. Outlook – if available as IM Provider.

Make sure the GPO applies to your users and you should be all set. This will make sure that even if a new application is installed and takes the IM Provider role over, that your clients will still fall back to Microsoft TEAMS. Of course, it will depend on when the GPO was reapplied and that the user actually closes and reopens Outlook.

October 15, 2020 by Florian Rossmark configuration solutions windows

Monitor group memberships in Active Directory with PRTG

There is at least one group you want to monitor for any membership changes in Active Directory / LDAP – the Domain Admins group. This is so important, as any changes to this group could cause great harm to your whole system. Of course there are other ways in but you for sure want to monitor at least the basic information of the amount of users in this group.

In order to do so, I wrote a PowerShell script that provides you the amount of members of any given group in Active Directory, as well as a text response (under the probe name and in some alerts if activated) of the sAMAccountName of each member in the group. This way you can hopefully right away determine the changed object, assuming you know what should be in there and what not.

If you have nested groups, you might wanna monitor them as well till you reach a user only level.

Create the script as always on your PRTG probing server in C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML and add a new EXE/Advanced XML sensor in PRTG. Select the script and provide at a bare minimum the parameter MonitoredGroup.

Parameter samples:

-MonitoredGroup “Domain Admins”
-MonitoredGroup “Domain Admins” -Server “MyDC.domain.local”

If you do not provide a server name, the system will try determine it on it’s own – default Domain-Membership etc..

Once the first run was successful you should review the results and set the upper and lower error limit on the PRTG sensor to the current amount of members. Any change then will cause the sensor to go in to error status and inform you therefor about the change.

param(
	[string]$Server = "",
	[string]$MonitoredGroup = ""
)
Import-Module ActiveDirectory

If ($Server.Length -gt 0) {
    $LDAPGroup = Get-ADGroupMember $MonitoredGroup -Server $Server
} Else {
    $LDAPGroup = Get-ADGroupMember $MonitoredGroup 
}

[string]$LDAPGroupMembers = ""
Foreach ($Member in $LDAPGroup){
    If ($LDAPGroupMembers.Length -gt 0) {$LDAPGroupMembers += ", "}
    $LDAPGroupMembers += $Member.SamAccountName
}

$XML = "<prtg>
            <result>
                <channel>Amound of Users in Group</channel>
                <value>"+ $LDAPGroup.count +"</value>
            </result>			
            <text>"+ $MonitoredGroup +" Members: " + $LDAPGroupMembers + "</text>
        </prtg>"
 
Function WriteXmlToScreen ([xml]$XML) #just to make it clean XML code...
{
	$StringWriter = New-Object System.IO.StringWriter;
	$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
	$XmlWriter.Formatting = "indented";
	$xml.WriteTo($XmlWriter);
	$XmlWriter.Flush();
	$StringWriter.Flush();
	Write-Output $StringWriter.ToString();
}
 
WriteXmlToScreen $XML;

param(

[string]$Server = "",

[string]$MonitoredGroup = ""

)

Import-Module ActiveDirectory

If ($Server.Length -gt 0) {

$LDAPGroup = Get-ADGroupMember $MonitoredGroup -Server $Server

} Else {

$LDAPGroup = Get-ADGroupMember $MonitoredGroup

}

[string]$LDAPGroupMembers = ""

Foreach ($Member in $LDAPGroup){

If ($LDAPGroupMembers.Length -gt 0) {$LDAPGroupMembers += ", "}

$LDAPGroupMembers += $Member.SamAccountName

}

$XML = "<prtg>

<channel>Amound of Users in Group</channel>

<value>"+ $LDAPGroup.count +"</value>

</result>

<text>"+ $MonitoredGroup +" Members: " + $LDAPGroupMembers + "</text>

</prtg>"

Function WriteXmlToScreen ([xml]$XML) #just to make it clean XML code...

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML;

October 13, 2020 by Florian Rossmark monitoring prtg scripts security server

Auditing network users against HR lists etc.

Auditing network users against HR lists – a topic that is often overlooked or causes some headache due to e.g. name variations, while it is so important to make sure that your Active Directory is a clean and up to date as possible.

There are big paid solutions out there, but unless you have the budget, resources and processes in place, you will need a simpler approach. Having worked in various sized businesses, let me make some suggestions here. Keep in mind, not all of it might be applicable or best for you, but I hope it will at least provide you some ideas and help to improve your network security.

Structured groups and rights

Before we begin – you should always make any effort to have a very well structured rights base. Avoid cross use of e.g. groups for mail distribution and NTFS file system access. It seems like a good idea until someone needs access to the NTFS path and boom he/she receives the group based communication as well. This is of course just one example. Structure your file systems and right assignments well. All of it can make all the difference. Don’t complicate things, keep it simple.

Monitoring Active Directory activity

What you want is something that constantly looks for any changes to Active Directory, at a bare minimum new users and deleted users as well as group-membership changes. There is some software out there to do this, some is free, often with limited functionality, some you need to buy. Personally I was working on a Windows Service to monitor Active Directory changes, but my time is limited and to this day I did not finish it. Having said this, the IT-Asset Management Database on this website actually has a module that does just this, it monitors the most important activities while it does actually a compare of gathered SQL data against current Active Directory information and eventually sends you a daily report about changes.

Such reports might not be perfect, as they don’t real-time monitor such activity, rather then only send you daily summary reports. Paessler PRTG in combination with either some default sensors or custom scripts like Group Membership change and password reset monitoring or the more specific script for group-membership monitoring are more then helpful. Monitor especially e.g. Domain Admins groups and other groups that would allow access to sensitive areas and data of your network. Such active alerts due to a network monitoring solutions might give you the chance to act fast.

Auditing your user base against HR (Human Resources) data

Again, there is software and solutions out there that can do this automatically or help you with your efforts. But often HR is simply using their Payroll platforms and depending on what they have, it won’t have the functionality you need or they are reluctant to implement such processes or possibly provide you access after all.

The main issue I came across is that there is a difference between the HR data and what the full name in your Active Directory (e.g.) is. You can’t further not just automate user name prediction based on any HR export data you have, cause there likely will be duplicate names as well, depending on how you create user names.

HR normally has an employee number, they should be able to provide this in any employee export to you. Now, Active Directory has actually some attributes that you easily can engage: EmployeeID, employeeNumber and employeeType. PowerShell is your friend, if you want to set them. I highly recommend to use PowerShell to some extend if you create new users. Look at the CheckLists in combination with employees in the IT-Asset Management Database as well for some hints and automation. Microsoft’s Set-ADUser PowerShell command will be helpful as well.

Eventually use a tool like the IT-Admins tool to read your users from your Active Directory and export to Excel. Once you have this, you compare the HR list against the Active Directory export. Don’t bother with VLOOKUP – research the use of INDEX/MATCH in Excel. Format both tables as tables in Excel and document your process, as this might depend a bit on what tools you engaged and how the eventual data looks like. You should end up comparing the HR employee number against the HR employee number stored and exported from Active Directory. This should give you a quick and clean overview. What you should be on the lookout for are those N/A error in Excel in the compare column, as well as possibly HR data that indicates a termination or change. You can go as far as compare the department information, again there are Active Directory attributes for this as well. Department names and department IDs.

If you want to go another step, start comparing group-membership as well. Export all the groups and members, again the IT-Admins Tool can help you here. View it possibly from both sides, the group and members view as well as user is member of groups view. Have the department owners take a look at it as well, they might want to see this.

And step three will be an NTFS rights review. Never ever should there be a user account directly used to assign rights in NTFS. This always should be done via groups. How ever, to review this I again recommend using the IT-Admins Tool, as this is actually designed to help you with the process and is able to export the needed data rather quick and simple.

Don’t forget your ERP systems and systems with Active Directory independent user bases

It is not always possible to rely on Active Directory as only source for your user base. Even if you can, the right assignment in e.g. your ERP system to functions likely is independent from Active Directory. Look in to any possibility of your ERP, either API’s or possibly dig in to the database (or where ever the data is stored), to find out about right changes (groups) and review those lists as well against HR information periodically.

Office 365

Oh – it is synchronized with Active Directory, right? Well – review it anyways. There might be a user object that is not synchronized and exists only in Office 365, groups as well. Review the rights to access certain administrative areas within Office 365.

You should definitive review third party users – especially Microsoft TEAMS and sharing e.g. SharePoint or OneDrive files and folders with outside of the organization will likely create some guest accounts. Keep an eye on those.

And then the third party applications – you need to keep an eye on those, as they can cause possible harm or gain access to sensible data. Users/Employees often will install them without reviewing them thoroughly, or they simply don’t realize they might have been there and share confidential data.

Account breach / compromise and API keys in Office 365 should also be something you want to keep a good eye on. Clicking on the wrong link (it will happen!), entering the password and it is to late. Don’t think a simple password reset will solve the issue. Don’t only rely on your MFA. Review does API keys especially in Office 365. What can happen is that the password is used right away to install an API based access to Office 365 that will then independently from password changes have access to the data. Keep an eye on those things as well!

September 25, 2020 by Florian Rossmark monitoring prtg security server

Monitoring relative printer page counts with PRTG

PRTG has many standard sensors, but one I was always missing is a daily page count compare. The standard printer sensor gives you a total page count – but this to some extend will always be a graph that only will go up. You can only estimate the total page counts in those graphs.

If you ever looked in to the IT Assets database project, you will see that in the Printers area there is a possibility to enable detailed graphs for relative page counts.

Why is this important you might wonder. The answer is simple, as an IT Manager you need to know if a certain kind of a printer makes sense at a certain location. If you have a low end printer for only casual print-outs but you have a total over e.g. 10,000 pages printed every month, you might need to reconsider the printer model. The reasons would likely be:

higher cost per page
- constant toner exchange of a compared more expensive toner cartridge
maintenance cost
- you might need to constantly maintenance the printer
- the cost for the maintenance kit are relatively high
downtime issues
- due to toner empty
- printer needs maintenance again
- less pages in paper tray

On the other hand, a printer might also be overkill for a certain area and not be cost efficient. Those conditions also might change over time of course. Further is there often the question – is a single area printer (copier) better or multiple smaller printers. This of course can go pretty far and you want to consider Lean processes, Six Sigma guidelines and others along with this data.

How ever, I started a first draft of a script that provides me at least the total page count relative to each day in PRTG. This sure is not as efficient yet as I do this in the IT Assets database printer module, where I collect data e.g. every 30 minutes in a huge table and then later calculate all the data in a daily range respective monthly range while collecting total page counts and possibly counts per copy vs. print outs and additionally color vs. black and white print. But at least it is a start.

Below you find the first draft of this script.

One thing to know – you will need to run the following command in order to install the PowerShell SNMP module on your PRTG probing server:

Install-Module -Name SNMP

1	Install-Module -Name SNMP

The current version of the PRTG script:

#For PRTG - default parameter list: 
#-deviceID %deviceid -targetHost '%host' -OID '1.3.6.1.2.1.43.10.2.1.4.1.1' 
#find a list with OID examples at the following link as they differ by vendor and partly model
#https://www.it-admins.com/it-assets-database/online-manual/printers/
param(
    [Parameter(
        Mandatory = $true
    )][int]$deviceID,

    [Parameter(
        Mandatory = $true
    )][string]$targetHost,

    [Parameter(
        Mandatory = $true
    )][string]$OID = "",

    [string]$Community = "public"
)

Import-Module -Name SNMP

[string]$ErrorText = "" #will hold error information to be returned to PRTG text field / sensor message
[int]$ErrorValue = 0 #default no errors initiated with 0 (0 = OK | 1 = Warning | 2 = Error)

[string]$LogFile = "$PSScriptRoot\PrinterLog_$deviceID.log"

[int]$result = -2 #standard response would be negative 2 as initialized integer value

try{
    $result = (Get-SNMPdata -IP $targetHost -OID $OID -Community $Community).Data
    #if no error occured, we have the current page count as a result
} catch {
    $result = -1 #if any error happened, we now have the result set to negative 1
    $ErrorText += "error: can't read SNMP OID value from device "
    $ErrorValue = 2
}

[int]$returnValue = 0 #default return value, integer, initialized with 0
[string]$LogFileContent = -1 #default logfilecontent is integer, intialized with negative 1
[string]$LogFileDate 
[int]$LogFileCount = -1

if ($result -gt 0) {
    #we seem to have a page count from SNMP

    if (Test-Path $LogFile -PathType Leaf){
        #we do have an exisiting LogFile
        try{
            $LogFileContent = Get-Content $LogFile -Raw
            if ($LogFileContent.Length -gt 0){
                $LogFileDate = $LogFileContent.Split("|")[0] 
                $LogFileCount = $LogFileContent.Split("|")[1]
            } else {
                #LogFile empty
                $LogFileCount = 0
                $ErrorText += "warning: initial run or no logfile yet "
                $ErrorValue = 1
            }
        } catch {
            $LogFileCount = -2 #negative 2 as error catch
        } finally {
            if ($LogFileCount -gt 0){
                #no error occured as for the LogFile reading
                if (($result - $LogFileCount) -gt -1){
                    #it should be either the same value or higher then the last logfile value
                    $returnValue = $result - $LogFileCount
                } else {
                    #LogFile value is higher then current count - this is weird
                    #still returning this - but it will show a negative count and should raise a flag
                    $returnValue = $result - $LogFileCount
                    $ErrorText += "error: logfile value higher then current printer read "
                    $ErrorValue = 2
                }
            } else {
                #there was some kind of error in the LogFile read - not an integer value or new Logfile started and result was 0
                $ErrorText += "error: can't read logfile for data compare "
                $ErrorValue = 2
            }
        }

    } else {
        #no LogFile yet - will need one but return value as difference initially will stay 0
        #we set the LogFileContent to 0 as this is the current status
        $LogFileCount = 0
        $ErrorText += "warning: initial run or no logfile yet or wrong data format "
        $ErrorValue = 1
    }

    #we need to write the positive SNMP OID result to the LogFile 
    #but only if the date differs more then 1x day

    [bool]$WriteLog = $false
    [string]$CurrentDate = (Get-Date -Format yyyy-MM-dd)

    if ($LogFileDate.Length -gt 0){
        try{
            if ((New-TimeSpan -Start $LogFileDate -End $CurrentDate).Days -gt 1){ 
                #date difference more then 1 day 
                $WriteLog = $true
            } else {
                #date difference not sufficient - same day? Future?
                if ((New-TimeSpan -Start $LogFileDate -End $CurrentDate).Days -lt 0){ 
                    #LogFile newer then current date? That's just wrong
                    $WriteLog = $true
                    $ErrorText += "warning: Logfile date above current date $LogFileDate - rewriting log"
                    $ErrorValue = 1
                } else {
                    #not greater then 1 day (0 and 1) or less must be equal as a result...
                    #nothing to do as WriteLog is initialized false
                }
            }
        } catch {
            #couldn't compare the date - let's write the Log to be save
            $WriteLog = $true
        }
    } else {
        #LogFileDate length 0 means we need to write a logfile as it might not exist
        $WriteLog = $true
    }

    if ($WriteLog){
        try {
            Set-Content -Path $LogFile -Value "$CurrentDate|$result"
            $LogFileDate = $CurrentDate
        } catch {
            #there was an issue writing to the LogFile
            $ErrorText += "error: can't write to logfile "
            $ErrorValue = 2
        }
    }

} else {
    #no pagecount available due to errors or issues
    #uncomment the next line for debugging only
    #$returnValue = $result
    #the returnValue will now show the current result value and point therefor to the error section
    $ErrorText += "error: no pagecount available "
    $ErrorValue = 2
}

#Assuming no errors - the text result will be the last LogFile date
if ($ErrorText.Length -eq 0){
    $ErrorText = "Last LogFile write date: $LogFileDate"
}

$XML = "<prtg>
            <result>
                <channel>last relative Page Count</channel>
                <value>$returnValue</value>
            </result>
            <result>
                <channel>last total from Printer</channel>
                <value>$result</value>
            </result>
            <result>
                <channel>last total from LogFile</channel>
                <value>$LogFileCount</value>
            </result>
            <result>
                <channel>Script Error Status</channel>
                <value>$ErrorValue</value>
                <LimitMode>1</LimitMode>
                <LimitMaxWarning>0</LimitMaxWarning>
                <LimitMaxError>1</LimitMaxError>
            </result>
            <text>$ErrorText</text>
        </prtg>"
 
Function WriteXmlToScreen ([xml]$XML) #just to make it clean XML code...
{
	$StringWriter = New-Object System.IO.StringWriter;
	$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
	$XmlWriter.Formatting = "indented";
	$xml.WriteTo($XmlWriter);
	$XmlWriter.Flush();
	$StringWriter.Flush();
	Write-Output $StringWriter.ToString();
}
 
WriteXmlToScreen $XML;

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

#For PRTG - default parameter list:

#-deviceID %deviceid -targetHost '%host' -OID '1.3.6.1.2.1.43.10.2.1.4.1.1'

#find a list with OID examples at the following link as they differ by vendor and partly model

#https://www.it-admins.com/it-assets-database/online-manual/printers/

param(

[Parameter(

Mandatory = $true

)][int]$deviceID,

[Parameter(

Mandatory = $true

)][string]$targetHost,

[Parameter(

Mandatory = $true

)][string]$OID = "",

[string]$Community = "public"

)

Import-Module -Name SNMP

[string]$ErrorText = "" #will hold error information to be returned to PRTG text field / sensor message

[int]$ErrorValue = 0 #default no errors initiated with 0 (0 = OK | 1 = Warning | 2 = Error)

[string]$LogFile = "$PSScriptRoot\PrinterLog_$deviceID.log"

[int]$result = -2 #standard response would be negative 2 as initialized integer value

try{

$result = (Get-SNMPdata -IP $targetHost -OID $OID -Community $Community).Data

#if no error occured, we have the current page count as a result

} catch {

$result = -1 #if any error happened, we now have the result set to negative 1

$ErrorText += "error: can't read SNMP OID value from device "

$ErrorValue = 2

}

[int]$returnValue = 0 #default return value, integer, initialized with 0

[string]$LogFileContent = -1 #default logfilecontent is integer, intialized with negative 1

[string]$LogFileDate

[int]$LogFileCount = -1

if ($result -gt 0) {

#we seem to have a page count from SNMP

if (Test-Path $LogFile -PathType Leaf){

#we do have an exisiting LogFile

try{

$LogFileContent = Get-Content $LogFile -Raw

if ($LogFileContent.Length -gt 0){

$LogFileDate = $LogFileContent.Split("|")[0]

$LogFileCount = $LogFileContent.Split("|")[1]

} else {

#LogFile empty

$LogFileCount = 0

$ErrorText += "warning: initial run or no logfile yet "

$ErrorValue = 1

}

} catch {

$LogFileCount = -2 #negative 2 as error catch

} finally {

if ($LogFileCount -gt 0){

#no error occured as for the LogFile reading

if (($result - $LogFileCount) -gt -1){

#it should be either the same value or higher then the last logfile value

$returnValue = $result - $LogFileCount

} else {

#LogFile value is higher then current count - this is weird

#still returning this - but it will show a negative count and should raise a flag

$returnValue = $result - $LogFileCount

$ErrorText += "error: logfile value higher then current printer read "

$ErrorValue = 2

}

} else {

#there was some kind of error in the LogFile read - not an integer value or new Logfile started and result was 0

$ErrorText += "error: can't read logfile for data compare "

$ErrorValue = 2

}

} else {

#no LogFile yet - will need one but return value as difference initially will stay 0

#we set the LogFileContent to 0 as this is the current status

$LogFileCount = 0

$ErrorText += "warning: initial run or no logfile yet or wrong data format "

$ErrorValue = 1

}

#we need to write the positive SNMP OID result to the LogFile

#but only if the date differs more then 1x day

[bool]$WriteLog = $false

[string]$CurrentDate = (Get-Date -Format yyyy-MM-dd)

if ($LogFileDate.Length -gt 0){

try{

if ((New-TimeSpan -Start $LogFileDate -End $CurrentDate).Days -gt 1){

#date difference more then 1 day

$WriteLog = $true

} else {

#date difference not sufficient - same day? Future?

if ((New-TimeSpan -Start $LogFileDate -End $CurrentDate).Days -lt 0){

#LogFile newer then current date? That's just wrong

$WriteLog = $true

$ErrorText += "warning: Logfile date above current date $LogFileDate - rewriting log"

$ErrorValue = 1

} else {

#not greater then 1 day (0 and 1) or less must be equal as a result...

#nothing to do as WriteLog is initialized false

}

} catch {

#couldn't compare the date - let's write the Log to be save

$WriteLog = $true

}

} else {

#LogFileDate length 0 means we need to write a logfile as it might not exist

$WriteLog = $true

}

if ($WriteLog){

try {

Set-Content -Path $LogFile -Value "$CurrentDate|$result"

$LogFileDate = $CurrentDate

} catch {

#there was an issue writing to the LogFile

$ErrorText += "error: can't write to logfile "

$ErrorValue = 2

}

} else {

#no pagecount available due to errors or issues

#uncomment the next line for debugging only

#$returnValue = $result

#the returnValue will now show the current result value and point therefor to the error section

$ErrorText += "error: no pagecount available "

$ErrorValue = 2

}

#Assuming no errors - the text result will be the last LogFile date

if ($ErrorText.Length -eq 0){

$ErrorText = "Last LogFile write date: $LogFileDate"

}

$XML = "<prtg>

<channel>last relative Page Count</channel>

<value>$returnValue</value>

</result>

<channel>last total from Printer</channel>

<value>$result</value>

</result>

<channel>last total from LogFile</channel>

<value>$LogFileCount</value>

</result>

<channel>Script Error Status</channel>

<value>$ErrorValue</value>

</result>

<text>$ErrorText</text>

</prtg>"

Function WriteXmlToScreen ([xml]$XML) #just to make it clean XML code...

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML;

June 17, 2020 by Florian Rossmark monitoring prtg recommendations scripts server

Office 365 licenses and activated features per user

Ever wondered which user has what license activated and e.g. which specific feature is activated? Recently I was challenged to see who has the Exchange mailbox feature enabled and who not out of the active user base. Due to the huge user-base this would have taken hours to review manually. Using PowerShell for this, connecting to Office 365, exporting the data eventually to a CSV file and filtering it in Microsoft Excel made this way easier.

The challenge here is that Microsoft uses SKU’s – or licenses – that again can have various features enabled or disabled. Let’s say you have a E5 Plan (license) assigned to your user, you still can disabled various features within this plan, e.g. Microsoft Exchange.

If you take a look at the following website, you find a whole list of GUIDs / IDs of all those various features.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

In case of the Microsoft Exchange Mailbox feature – we are talking about this GUID: efb87545-963c-4e0d-99df-69c6916d9eb0

Once I had identified the GUID the next step was to grab users from a specific on premise Active Directory OU and query them against Microsoft Azure on the Office 365 environment as for their assigned licenses/features. The results then are collected in a PowerShell object and eventually saved in a defined file name in a CSV format that you easily can filter in Excel afterwards.

Please keep in mind that you will need RSAT tools (PowerShell) and Azure/Office 365 connectivity, rights etc. in order for this to work.

#script looks for all users in a base OU path
#it checks for the license defined per user
#it will write a CSV file in the path the script is in: O365UserMailboxList.csv 

#Base OU path - needs to be set
$BaseOU = "DC=domain,DC=local"


#Exchange mailbox license ID - see link for full list
#https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference
$ExchangeMailboxId = "efb87545-963c-4e0d-99df-69c6916d9eb0"


#Script starts below - no additional changes should be needed - besides the last line for the output file name
$tbl = New-Object System.Data.DataTable "Results"
$col1 = New-Object System.Data.DataColumn UserPrincipalName
$col2 = New-Object System.Data.DataColumn ADUserEnabled
$col3 = New-Object System.Data.DataColumn ExchangeMailboxEnabled
$col4 = New-Object System.Data.DataColumn ErrorMessage
$tbl.Columns.Add($col1)
$tbl.Columns.Add($col2)
$tbl.Columns.Add($col3)
$tbl.Columns.Add($col4)

$ADUsersFromOU = Get-ADUser -SearchBAse $BaseOU -filter * 

Connect-AzureAD

ForEach ($ADUser In $ADUsersFromOU) {
    $i += 1
    $p = [math]::Round(($i/$ADusersFromOU.Count*100),0)
    Write-Host "..processing $i of"$ADusersFromOU.Count"- $p% - "$ADUser.UserPrincipalName
    $MailboxEnabled = $false
    $ErrorMessage = ""
    try {
        $UserLicenses = Get-AzureADUser -objectid $ADUser.UserPrincipalName | Select -ExpandProperty AssignedPlans | Where {$_.CapabilityStatus -eq "Enabled"}
    } catch {
        $ErrorMessage = $Error[0]
        #Write-Host "....Error: "$Error[0]
    }
    ForEach ($ULicense In $UserLicenses) {
        If ($ULicense.ServicePlanId -eq $ExchangeMailboxId)
        {
            $MailboxEnabled = $true
            break;
        }
    }
    $row = $tbl.NewRow()
    $row.UserPrincipalName = $ADUser.UserPrincipalName
    $row.ADUserEnabled = $ADUser.Enabled
    $row.ExchangeMailboxEnabled = $MailboxEnabled
    $row.ErrorMessage = $ErrorMessage
    $tbl.Rows.Add($row)
}

$tbl |ft

#adjust this export-file name if you want to
$tbl | Export-Csv -Path .\O365UserMailboxList.csv

#script looks for all users in a base OU path

#it checks for the license defined per user

#it will write a CSV file in the path the script is in: O365UserMailboxList.csv

#Base OU path - needs to be set

$BaseOU = "DC=domain,DC=local"

#Exchange mailbox license ID - see link for full list

#https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

$ExchangeMailboxId = "efb87545-963c-4e0d-99df-69c6916d9eb0"

#Script starts below - no additional changes should be needed - besides the last line for the output file name

$tbl = New-Object System.Data.DataTable "Results"

$col1 = New-Object System.Data.DataColumn UserPrincipalName

$col2 = New-Object System.Data.DataColumn ADUserEnabled

$col3 = New-Object System.Data.DataColumn ExchangeMailboxEnabled

$col4 = New-Object System.Data.DataColumn ErrorMessage

$tbl.Columns.Add($col1)

$tbl.Columns.Add($col2)

$tbl.Columns.Add($col3)

$tbl.Columns.Add($col4)

$ADUsersFromOU = Get-ADUser -SearchBAse $BaseOU -filter *

Connect-AzureAD

ForEach ($ADUser In $ADUsersFromOU) {

$i += 1

$p = [math]::Round(($i/$ADusersFromOU.Count*100),0)

Write-Host "..processing $i of"$ADusersFromOU.Count"- $p% - "$ADUser.UserPrincipalName

$MailboxEnabled = $false

$ErrorMessage = ""

try {

$UserLicenses = Get-AzureADUser -objectid $ADUser.UserPrincipalName | Select -ExpandProperty AssignedPlans | Where {$_.CapabilityStatus -eq "Enabled"}

} catch {

$ErrorMessage = $Error[0]

#Write-Host "....Error: "$Error[0]

}

ForEach ($ULicense In $UserLicenses) {

If ($ULicense.ServicePlanId -eq $ExchangeMailboxId)

{

$MailboxEnabled = $true

break;

}

$row = $tbl.NewRow()

$row.UserPrincipalName = $ADUser.UserPrincipalName

$row.ADUserEnabled = $ADUser.Enabled

$row.ExchangeMailboxEnabled = $MailboxEnabled

$row.ErrorMessage = $ErrorMessage

$tbl.Rows.Add($row)

}

$tbl |ft

#adjust this export-file name if you want to

$tbl | Export-Csv -Path .\O365UserMailboxList.csv

March 24, 2020 by Florian Rossmark o365 / m365 scripts

PRTG and Cisco ASA VPN monitoring

The default PRTG sensor for VPN connections on a Cisco ASA has a limited of 50 users connected, actually less. This is due to the limit of 50 channels per sensor.

These days IT departments everywhere likely exceed 50 VPN users everywhere.

Since I do not need to know who is connected, rather then the amount and load on the FW, I came up with a simple sensor and MAP in PRTG to show me the essentials.

Add a snmp custom sensor to your FW in PRTG and use the OID

1.3.6.1.4.1.9.9.392.1.3.1.0

This will give you a number of VPN connection. I am not 100% certain about the OID only being used for Cisco AnyConnect or other VPNs as well. I found it as a valid SNMP OID as I only use Cisco AnyConnect and my VPN tunnels aligned with this number.

Further did I add sensors for CPU / RAM and on the external interface of the FW to the map in PRTG to see the overall status and load.

Detailed information on the bandwidth are a different story, since this is more a passive point in time configuration, I don’t pull that in this map – I care about an average load picture not single pikes that only are temporarily. For this I have different approaches and sources. Mentioning this only for the big picture and cause you need to be aware of that.

Hope some find this helpful.

If you want the users that are online and offline – what is actually a big of a questionable thing due to data privacy concerns and a user not always needing to be on VPN in order to do work – you could create scrips to access more detailed SNMP data and balance this in various sensors. This is possible, but I do not recommend it. Another approach would be using the TEXT value in XML sensors and put the info there. Still, I think you might get to much data and need to ask yourself if this is even something you should collect/monitor.

Here a picture of my map as we barely started getting more home office people online.

PRTG Cisco ASA VPN users

Backlink to the Paessler PRTG KB, where this was discussed as well: https://kb.paessler.com/en/topic/64053-my-snmp-cisco-asa-vpn-users-sensor-shows-a-user-limit-error-why-what-can-i-do

March 19, 2020 by Florian Rossmark monitoring prtg security solutions

Amount of locked out accounts

It is a good to know how many of your user accounts are locked out right now… I would go as far as saying you should monitor this and have alert levels on it, cause this could indicate and reveal a brute-force like attack against your system.

Doing it manually in a PowerShell (assuming you have RSAT / Active-Directory PowerShell modules installed) can be done with the following command that will show you who is locked out and the calculated amount as well..

$s=Search-ADAccount -LockedOut |ft
$s
'CurrentCount: ' + $s.count

$s=Search-ADAccount -LockedOut |ft

'CurrentCount: ' + $s.count

Using PRTG you can add the following advanced script

Import-module activedirectory
$Count=-1

$Accounts = Search-ADAccount -LockedOut
$Count=$Accounts.Count

$Users = ""
foreach ($user in $Accounts) {
	if ($Users.Length -gt 0) {
		$Users += " / "
	}
	$Users += $user.SamAccountName
}

$XML =  "<prtg>"
$XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"
$XML += "<text>$Users</text>"
$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $xml.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}

WriteXmlToScreen $XML

Import-module activedirectory

$Count=-1

$Accounts = Search-ADAccount -LockedOut

$Count=$Accounts.Count

$Users = ""

foreach ($user in $Accounts) {

if ($Users.Length -gt 0) {

$Users += " / "

}

$Users += $user.SamAccountName

}

$XML = "<prtg>"

$XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"

$XML += "<text>$Users</text>"

$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML

After adding it as a sensor, it will create a single channel with the amount of locked out users. You should set error limits:

minimum error limit: 0
- the script returns -1 if an error occurred
maximum error limit: this depends on your user base – I would say about 5% of your users – no more.. depends as well on the lockout-duration in your security policy…

The advantage of the script in PRTG is – it always reports back additional text – the currently locked out SamAccount names.. respective user-names.. so in case it generates an error – you will see some more information…

Assuming there is a brute-force, you might see this sparking and going down – meaning someone tries to find an entry account… since the lockout attribute causes an emergency-replication of your domain-controllers (this attribute bypasses the regular replication interval) you can fire it relatively simply against your domain, the script just uses the current logon domain of the executing user.

October 25, 2019 by Florian Rossmark monitoring prtg security server

RDS – Fix broken local RDS links in start menu

RemoteApp and Desktop Connections are quite powerful. Still, it happens that RDS icons configured through your Windows Remote Desktop Application broker either won’t update or vanish. This can have various reasons. Out of experience, the easiest way is to manually clean up and then configure the source again – as explained step by step below…

Open REGEDIT as the current user (DO NOT run as!)
1. Navigate to:
  1. Computer\HKEY_CURRENT_USER\Software\Microsoft\Workspaces
2. Delete the whole key WORKSPACES (just delete it! no worries)
In Windows Explorer
1. Navigate to:
  1. %appdata%\Microsoft\Workspaces
  2. Delete the whole WORKSPACES folder (yes – delete it!)
2. Navigate to:
  1. %appdata%\Microsoft\Windows\Start Menu\Programs
  2. If there is a folder “RDS Farm Name (RADC)” then delete it completely
(see footer note) Open Control Pannel
1. Navigate to “RemoteApp and Desktop Connections” or type in search box: remote
2. There should be nothing in the connections, add a new one while clicking on “Access RemoteApp and desktops” in the left hand menu
  1. use your RDS URL
3. If asked for credentials, use the users credentials or have them type em in
4. This should finish successfully
You now should see the applications in the start menu again

Note: If you have a GPO or script configured to auto-configure the Control-Panel, you could just reboot as well instead of manually configuring the Control Panel again.

October 3, 2019 by Florian Rossmark configuration scripts server solutions windows

Show Drive Letters first in Windows Explorer

Support URL

Support Hours

Support Hours

Support Manufacturer

Hide Drives with no Media

Expand folders to current folder

Fast Boot Enabled

Office 365 – Update Channel

Allow Print Driver Installation

Ensure Outlook is the default mail client

Set Microsoft Teams as the default IM application

Set Microsoft Office to read User information from Active Directory

Disable the Network Sharing Wizard in Windows Explorer

Remove the Network form Windows Explorer

Remove Administrative Tools from the Start Menu

Windows Update Restart Notifications for End Users

Example scenario with two VMware ESX hosts:

Steps and commands to execute the network speed test:

Additional links to this topic:

Structured groups and rights

Monitoring Active Directory activity

Auditing your user base against HR (Human Resources) data

Don’t forget your ERP systems and systems with Active Directory independent user bases

Office 365

Recent blog posts

Blog Archives

Tags