windows

Linux and DHCP reservations aren’t working

This is something I just came across myself. While deploying an Ubuntu Linux VM the DHCP reservation did not work. This was mixed up with a Windows 2016 DHCP server.

After looking at the wrong DHCP lease I quickly saw an extremely long MAC address and figured that the Linux VM used some kind of randomization for the interface.

IFCONFIG on the system showed the correct hardware MAC address.

It took me a few minutes of research and testing till I found the root cause and rather simple solution.

Linux replaced their NIC handling on many distributions with a newer system called NETPLAN.

I read that a 2019 Windows DHCP would likely handle this correctly, did not have time to test this out. But the following worked for me:

List the contents /etc/netplan
- ls /etc/netplan
- there should be a file ending in .yaml
Edit this .yaml file
- sudo nano /etc/netplan/<filename>.yaml

The file is structured like this:

network:
	renderer: networkd
	version: 2
	ethernets:
		nicdevicename:
			dhcp4: true
			dhcp-identifier: mac

network:

renderer: networkd

version: 2

ethernets:

nicdevicename:

dhcp4: true

dhcp-identifier: mac

Under your NICDEVICENAME add the line dhcp-identifier: mac and save (CNTRL+O) and exit (CNTRL+X) the file.

Now you can either try to apply the netplan config via sudo netplan apply or simply reboot.

This should solve the issue.

June 28, 2022 by Florian Rossmark configuration solutions

Useful registry keys to supplement settings not available in standard GPO templates

This blog entry will list some registry keys to control computer and user settings via GPO but aren’t available in the standard ADMX GPO templates.

Below you find always the same data format:

Computer Configuration or User Configuration
HIVE
Kay Path
Value Name
Value Type
Value Data
Short explanation
Link if available

Over the years I also always tried to leave a comment in the GPO’s, especially for the Registry Keys, so I could later identify them quickly and possibly even leaving a link so others could read up on these settings and options without doing long research.

Show Drive Letters first in Windows Explorer

This Registry value is set in two areas – Computer Configuration and User Configuration. See both keys below.

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ShowDriveLettersFirst
REG_DWORD
0x4 (4)
Defines if the drive letter is shown first in Windows Explorer
- 0 = After
- 1 = Mixed
- 2 = No drive letter
- 3 = Before

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer
ShowDriveLettersFirst
REG_DWORD
0x4 (4)
Defines if the drive letter is shown first in Windows Explorer
- 0 = After
- 1 = Mixed
- 2 = No drive letter
- 3 = Before

Support URL

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
SupportURL
REG_SZ
URL to your support system
Set the Windows Support URL shown in the Computer Properties in the Support section – Link is behind the Online Support Website.

Support Hours

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
SupportHours
REG_SZ
e.g.: 0800-1700 Pacific Time
Set the Windows Support Hours shown in the Computer Properties in the Support section.

Support Hours

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
SupportPhone
REG_SZ
your helpdesk phone number
Set the Windows Support Phone Number shown in the Computer Properties in the Support section.

Support Manufacturer

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
Manufacturer
REG_SZ
Suggest to put in your Company name here
Set the Manufacturer Name / Company Name shown in the Computer Properties in the Support section.

Hide Drives with no Media

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideDrivesWithNoMedia
REG_DWORD
00000000
If set to 0x0 (0) it will not hide empty drives, if set to 0x1 (1) it will hide empty drive letters from Windows Explorer.

Expand folders to current folder

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
NavPaneExpandToCurrentFolder
REG_DWORD
0x1 (1)
This will expand all folders to the current folder in the navigation panel of Windows Explorer, by default it will only navigate to the folder but not expand the path to it in the Navigation Panel. The behavior on this changed back in Windows Vista or Windows 7. This sets it back to a more Windows XP like behavior, what makes it easier to navigate Windows Explorer.

Fast Boot Enabled

Computer Configuration
HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Control\Session Manager\Power
HiberbootEnabled
REG_DWORD
0x0 (0)
Turns off Windows 10 Fast Startup – meaning a real reboot is done rather then a quick reboot that is actually not a real Windows reboot. A real reboot is slower, but much cleaner.

Office 365 – Update Channel

There is a settings in the Office ADMX files under Microsoft Office 2016 (Machine)/Updates for:

Enable Automatic updates
Update Channel
Update Deadline

Additionally this settings should be set to make sure everything is configured the same and installs the same:

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Office\ClickToRun\Configuration
CDNBaseUrl
REG_SZ
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
This will set the Office 365 channel to current for the click to run installation.

Allow Print Driver Installation

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators
REG_DWORD
0x0 (0)
Microsoft released KB5005652 which requires admin rights to install printers, and affects some existing printers that will require an admin to install driver update. Work around is to add the registry key below, which disabled this new security feature.
- Value: 0
  - Allow non-admin users to install Point and Print printer drivers
- Value: 1
  - Blocks non-admin users from installing Point and Print printer drivers. If this registry key does not exist, the default with KB installed will be same as Value 1, blocking non-admins from installing Point and Print printer drivers.
https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

Ensure Outlook is the default mail client

User Configuration
HKEY_CURRENT_USER
Software\Clients\mail
(Default)
REG_SZ
Microsoft Outlook
Ensures Microsoft Outlook is the standard mail client

Set Microsoft Teams as the default IM application

See this blog entry as well about this.

User Configuration
HKEY_CURRENT_USER
Software\IM Providers
DefaultIMApp
REG_SZ
Teams
Sets Microsoft Teams as the default Instant Messenger Application.

Set Microsoft Office to read User information from Active Directory

Make sure you set both registry keys for this.

Set this to “Apply once and do not reapply” as well.

This will cause Microsoft Office applications read any user information fresh from Active Directory, as it cleans the current values.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Office\Common\UserInfo
UserName
(not set)
(not set)
This will cause the first Office application to read the information from Active Directory and re-create it specifically for the user.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Office\Common\UserInfo
UserInitials
(not set)
(not set)
This will cause the first Office application to read the information from Active Directory and re-create it specifically for the user.

Disable the Network Sharing Wizard in Windows Explorer

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SharingWizardOn
REG_DWORD
0x0 (0)
Disables the Sharing Wizard in Windows Explorer.

Remove the Network form Windows Explorer

Probably one of the more important security measures you can do, to avoid the standard user browsing other systems on the network to much. It does not really prevent it, but makes it a lot less easy for regular end users, as the network area in Windows Explorer simply vanishes.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
REG_DWORD
0x1 (1)
Remove Network from Windows Explorer.

Remove Administrative Tools from the Start Menu

This is made out of two combined registry keys. You will need to apply both for this to take affect.

Highly recommend to make sure it does not apply to any administrator accounts, as this can be contra productive.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Start_AdminToolsRoot
REG_DWORD
0x0 (0)
Removes administrative tools from the start menu.

User Configuration
HKEY_CURRENT_USER
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
StartMenuAdminTools
REG_DWORD
0x0 (0)
Removes administrative tools from the start menu.

Windows Update Restart Notifications for End Users

Please apply both Registry Keys for this to take affect.

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
RestartNotificationsAllowed
REG_DWORD
0x1 (1)
Will display Restart Notifications to End Users.

Computer Configuration
HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
RestartNotificationsAllowed2
REG_DWORD
0x1 (1)
Will display Restart Notifications to End Users.

Windows 11 and SQL (Express) issues

Due to a change on how Windows 11 presents the disk sector size, you can have issues with SQL or SQL Express after your upgrade or even on brand new installations.

SQL might just fail to start after an upgrade, with the Event Viewer Application Log Error 1000 similar to the below one:

Faulting application name: sqlservr.exe, version: 2019.150.2080.9, time stamp: 0x5fa6009b
Faulting module name: sqllang.dll, version: 2019.150.2080.9, time stamp: 0x5fa60189
Exception code: 0xc0000005
Fault offset: 0x0000000000361bf5
Faulting process id: 0x670c
Faulting application start time: 0x01d846287c712ec8
Faulting application path: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS_2019\MSSQL\Binn\sqlservr.exe
Faulting module path: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS_2019\MSSQL\Binn\sqllang.dll
Report Id: 10227658-21ca-4bd0-9121-9bf328003574
Faulting package full name:
Faulting package-relative application ID:

Faulting application name: sqlservr.exe, version: 2019.150.2080.9, time stamp: 0x5fa6009b

Faulting module name: sqllang.dll, version: 2019.150.2080.9, time stamp: 0x5fa60189

Exception code: 0xc0000005

Fault offset: 0x0000000000361bf5

Faulting process id: 0x670c

Faulting application start time: 0x01d846287c712ec8

Faulting application path: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS_2019\MSSQL\Binn\sqlservr.exe

Faulting module path: C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS_2019\MSSQL\Binn\sqllang.dll

Report Id: 10227658-21ca-4bd0-9121-9bf328003574

Faulting package full name:

Faulting package-relative application ID:

This is especially true for Samsung SSD 980 – be aware – the SSD 980 Pro does not have this issue, just the SSD 980. There are other OEM versions of it that have the same issue and actually a bunch of other disks.

The root cause is that the devices report the true sector size, what causes SQL to fail. This is still true with SQL Express 2019 – earlier versions as well.

As described in this Microsoft article, you can add a registry key and reboot to make Windows 11 behave like Windows 10 and earlier Windows versions.

Of course, alternative you can either install SQL on another disk drive or replace the drive with one that does not have these compatibility issues.

It remains unclear if there will be updates to this in the future from either Microsoft of the disk vendors like Samsung in the future. For now, this simple registry adjustment fixes the issue.

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\stornvme\Parameters\Device" -Name   "ForcedPhysicalSectorSizeInBytes" -PropertyType MultiString -Force -Value "* 4095"

1	New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\stornvme\Parameters\Device" -Name "ForcedPhysicalSectorSizeInBytes" -PropertyType MultiString -Force -Value "* 4095"

Reboot after the registry adjustment for the change to take effect.

April 1, 2022 by Florian Rossmark configuration server solutions windows

Windows 10 Build 2004 / 20H1 – SMBv1 network drives not connecting

The newest builds and updates can possibly break some Windows 10 network connections. Saw this specifically in a situation with a SMBv1 drive that was connected via FQDN per GPO.

Windows was not able to connect to the drive, looking at NET USE all you saw was reconnecting.

Connecting to the same share via HOSTNAME and/or IP worked just fine, as well as engaging the UNC path.

The solution to this eventually is a simple registry adjustment, that has to be done in the user-profile HKCU area, so no advanced rights are needed.

Steps:

open REGEDIT
go to HKCU\Network
select the key with the drive-letter you have issues with
add a new REG-DWORD
1. PROVIDERFLAGS
2. Decimal 1 or DWORD 00000001
Reboot

Your network drive should work normal again.

Background and Explanation:

The PROVIDERFLAGS instruct Windows to reconnect the SMBv1 network drive, more or less. It eventually did not matter if it was connected per FQDN, IP or HOSTNAME – is was the reconnect that the GPO implied, respective the NET USE /PERSISENTENT:YES switch. If you would use a script – netlogon script – you could just determine the drive as /PERSISTENT:NO and not see the issue either as well as solve it.

Eventually this is specific to SMBv1 and I can’t warn enough about the security risks this protocol has. Still – there are here and there systems that still need to stick around – hopefully secured by firewalls and even sandboxes etc..

May 18, 2021 by Florian Rossmark configuration server solutions windows

ActiveDirectory/LDAP result limits – MaxPageSize

ns a website from a systems administrator for systems administrators Home IT-Admins CMDB IT-Admins tool IT Search EOL Solutions Blog Contact Links ActiveDirectory/LDAP result limits – MaxPageSize

ActiveDirectory, respective LDAP, has a result limit setting, MaxPageSize. Those are set by default to 1000 rows per query.

This is primarily important if you use some kind of programming language to get results from LDAP, this code must compensate those limits and engage paging.

Your LDAP query does not need to provide the limit, only the code needs to do the paging as you always just get the max. amount of results set in the current settings.

In order to check your settings do the following commands in a command prompt / cmd window:

ntdsutil
ldap policies 
connections
connect to domain YOURDOMAIN.LOCAL
quit
show values

ntdsutil

ldap policies

connections

connect to domain YOURDOMAIN.LOCAL

quit

show values

In theory you could set different values now as well, assuming you have the permission level to do so. But this is not recommended and you should engage paging instead, as you otherwise risk to overload your DCs – even if your commands won’t cause it, a possibly DoS attack could happen – malicious or not, so leave the limits, but be aware of them.

April 7, 2021 by Florian Rossmark configuration server solutions

Reset or Remove the Windows Hello PIN

Windows 10 offers various ways to logon to your device. All of them have their pro’s and con’s. One thing is for sure, Microsoft loves the Windows Hello PIN. Even on an Active Directory Domain joined system – if you want to e.g. set up a Finger-Print login, you will be forced to generate a Windows Hello PIN, at least by default.

Funnily it can happen that you don’t even have the option to reset the PIN. What if the user forgot his PIN? No big deal? Well… it actually is a big deal. By default Windows goes back to the PIN if the Finger-Print reader does not work, what is especially common with the Microsoft Surface Keyboards, sure you can rip them off and re-attach to make it work again, but still your user-base / employee-base will say it asks for a PIN and I forgot it..

Fingerprints and PINs are stored locally on the device, in a secured vault. You can’t really alter it, but you can remove it.

In order to remove all locally stored PINs and possibly even Finger-Prints, you must delete all contents of %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC.

The quickest way to accomplish this is using the two following commands in an elevated Command Prompt / CMD (run as administrator).

takeown /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y

icacls %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t

takeown /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y

icacls %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t

The first one will take ownership of the folder, the second one then will grant administrators rights to it.

Once this is done, you need to delete all contents of the folder. If you are logged on as an administrator you can just use Windows Explorer. If you are logged on as a regular user, you need to do it either more manual in CMD or use e.g. a tool like 7-zip in elevated mode and navigate to the folder, be aware that 7-zip might not be able to handle %windir%, either navigate manually to the folder or use C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC to get to the path. Delete all contents.

Reboot.

This sledgehammer method will delete all stored PINs and other information for all accounts known by the device. They will need to logon with their Active Directory password and start from scratch. You might also need to click on e.g. REMOVE in the Finger-Print configuration to start over.

March 22, 2021 by Florian Rossmark configuration solutions windows

Windows Print Server Aliases

Windows Print Server Aliases – what is that and why would you even need to think about it?

For File-Servers, you can set up DFS structures and have a single point of entry as from the perspective of the client. It’s a simple named path and works rather flawless if set up right and monitored e.g. with PRTG. But what about your print server? Is it a defined hostname and the printers sit on this host? What happens when you want to upgrade the host to a new windows version or theoretically even do some special DNS routing (that’s very advanced and has hurdles, I will not address this in this posting).

Well – you can sure set up an ALIAS name in your DNS, but soon you will discover you can’t connect to the printers on this server. This is because you are missing some registry tweaks. At this point I also want to make you aware, I saw Windows updates removing those keys, so keep this article handy to reconstruct the registry in case of any issues.

You will need a total of three registry keys added, as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\DnsOnWire=dword:00000001

1	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\DnsOnWire=dword:00000001

This first key will enable DNSOnWire for the Print-Server itself. This is needed to make the print-server aware that you might use DNS ALIAS / CNAME entries to access him. More can be found e.g. here: Windows couldn’t connect to the printer – Windows Server | Microsoft Docs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableStrictNameChecking=dword:00000001

1	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableStrictNameChecking=dword:00000001

This key, DisableStrictNameChecking, we need to configure the SMB server / LANManServer – he needs to be aware as well that we will use CNAMES to access the shares on the server. You can find some more information at the following link: Can’t access SMB file server – Windows Server | Microsoft Docs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\OptionalNames=reg_sz:YourCNAMEEntry

1	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\OptionalNames=reg_sz:YourCNAMEEntry

And last but not least, the OptionalNames – this is the one key that’s most hidden but still so important. You can also make it REG_MULTI_SZ key. But it works with a simple REG_SZ key and the short CNAME alias that you have specified, you don’t even need use the FQDN.

There are many ways on how to accomplish this one last key, it changed throughout the Windows versions, it was possibly even renamed. Worst I saw on a Windows 2016 server was it vanished after a update session and reboot. So be prepared for that. A simple recreation and reboot fixed the issues.

Also, make sure you reboot after those changes, otherwise it won’t work.

January 13, 2021 by Florian Rossmark configuration server solutions windows

Bypassing Windows 10 UAC for Unknown Publishers

It happens that some programs alert you in Windows 10 about Publisher: Unknown and expect you to possibly provide administrative credentials to even execute it.

Especially in corporate networks users likely don’t have this level of permissions and surely the IT department respective IT-Administrators going to be reluctant to grant administrative privileges when they are not absolutely necessary.

For this specific case, there is a possible workaround – try to start the program with the following CMD-command and see if you might be able to bypass this issue. I sure don’t recommend doing this just for any program, be sure that what you want to start is safe, but there are cases where this is necessary, cause you won’t want to alter the UAC (User Account Control) or permission level or the employee.

%windir%\System32\cmd.exe /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Program Files\Path\To\Your\Program.exe""

1	%windir%\System32\cmd.exe /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "C:\Program Files\Path\To\Your\Program.exe""

Of course, adjust the path to your program. Eventually the parameter __COMPAT_LAYER=RUNASINVOKER is likely to bypass this specific issue.

Note that this also depends on a few more variables, but it sure is worth a try.

December 8, 2020 by Florian Rossmark configuration security windows

Make Microsoft TEAMS the default IM application

Having multiple applications that act as chat respective IM application but you want Microsoft TEAMS to be the default Instant Messenger application especially so Outlook e.g. shows the correct online/offline as well as free and busy status for employees and so they can start a conversation directly from there, you will need to make sure that Microsoft TEAMS is the default IM Provider.

This came up especially in combination with Cisco Jabber, that is often used as the software phone client for a Cisco phone system. This application might overrule the user settings and take presence especially in Microsoft Outlook. Cisco has an article about this here that talks about various registry keys. But this is actually not the direct solution for this issue.

In order to set TEAMS, if installed, the default application for your employees, it is easiest to engage Group Policies, GPOs, for this. Simply follow the below steps. Those settings will find out if Microsoft TEAMS is available and if so set it as default IM Provider. Close Microsoft Outlook and open it again and you will see the status icons and message box being associated with Microsoft TEAMS.

Of course, you could slightly adjust the suggested GPO settings and engage e.g. Cisco Jabber or any other IM provider available instead. Just have a look at the registry path HKEY_CURRENT_USER\Software\IM Providers and see what is available and set the GPO accordingly. All you need is the name of the sub key for the DefaultIMApp value.

Steps for the user GPO

Create a new GPO (or chose an existing GPO)
1. This will be a User Configuration
Navigate to User Configuration\Preferences\Windows Settings\Registry
Create a new Registry Item
Settings on General tab
1. Leave the Action settings to Update
2. Hive: HKEY_CURRENT_USER
3. Key Path: Software\IM Providers
4. Value name: DefaultIMApp
5. Value type: REG_SZ
6. Value data: Teams
Settings on Common tab
1. Check Run in logged-on user’s security contact (user policy option)
2. Check Item-level targeting
3. Click on Targeting and apply the following settings
  1. The following steps make sure that this is only applied if Microsoft TEAMS is available as a IM provider
  2. Click on New Item and chose Registry Match
  3. Match type: Key exists
  4. Hive: HKEY_CURRENT_USER
  5. Key Path: Software\IM Providers\Teams
4. It is good practice to provide a Description for this item – e.g.: This will set Microsoft TEAMS as default IM Provider for e.g. Outlook – if available as IM Provider.

Make sure the GPO applies to your users and you should be all set. This will make sure that even if a new application is installed and takes the IM Provider role over, that your clients will still fall back to Microsoft TEAMS. Of course, it will depend on when the GPO was reapplied and that the user actually closes and reopens Outlook.

October 15, 2020 by Florian Rossmark configuration solutions windows

Find user account lockout events

There are various ways and tools to tackle this – in the end it boils down to a few facts

account lockouts are logged per domain controller – to be more specific – only on the DC where the lockout happened
- this can be complicated in bigger environments
the lockout event 4771 does not necessarily reveal the initial reason – but it should give you enough information about where it occurred to further investigate

The manual way via Eventlog / Eventviewer in Windows on a DC

right click on the SECURITY eventlog
select Filter Current Log
go to the register card XML
check the box Edit query manually
Insert the XML code below – make sure you replace the USERNAMEHERE value with the actual username
1. no domain
2. exact username
3. NOT case sensitive

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='USERNAMEHERE')]]</Select>
  </Query>
</QueryList>

<Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='USERNAMEHERE')]]</Select>

</Query>

</QueryList>

This results in to a filtered eventlog view for the event id 4771 and the username you specified.

Using PowerShell to automate this

PowerShell can execute a script that would give you the same output – I wrote the script below. It expects at least the parameter UserName – see below for more information.

UserName
- this parameter is mandatory – the exact username without the domain, this is NOT case sensitive
DomainController
- specify this to narrow it down to a single DC – otherwise all domain controllers will be contacted (might take a while)
FullDetails
- set it to $true if you want to see details – otherwise you get only the table format
Example
- Find-AccountLockoutOnDCForUser.ps1 -FullDetails $true -UserName JDoe

param(
    [string] $DomainController = "",
    [string] $UserName = "",
    [bool]   $FullDetails = $false
)

$Query = @"
<QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='$UserName')]]</Select>
  </Query>
</QueryList>
"@

If ($DomainController.Length -eq 0) {
    Import-Module ActiveDirectory
    $DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    ForEach($DC In $DomainControllers) {
        Write-Host "checking DC: $DC"
        If ($FullDetails) {
            Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | fl
        } Else {
            Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | ft
        }
    }
} Else {
    If ($FullDetails) {
        Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | fl
    } Else {
        Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | ft
    }
}

param(

[string] $DomainController = "",

[string] $UserName = "",

[bool] $FullDetails = $false

)

$Query = @"

<Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='$UserName')]]</Select>

</Query>

</QueryList>

If ($DomainController.Length -eq 0) {

Import-Module ActiveDirectory

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

ForEach($DC In $DomainControllers) {

Write-Host "checking DC: $DC"

If ($FullDetails) {

Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | fl

} Else {

Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | ft

}

} Else {

If ($FullDetails) {

Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | fl

} Else {

Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | ft

}

February 20, 2019 by Florian Rossmark scripts security server

Windows Search Index monitoring

While rolling out Windows Search Indexing I bumped in to quite a few issues and things I wanted to monitor. One of the main information I actually was after is the amount of files in the Windows Search Index. I could see this information in the Indexing Options of the system and it was constantly updating, but I was not able to find the same information per WMI, PowerShell cmdlets, Performance Counters etc.

This caused me headache cause it was clear that the index a) had to grow till it reached a fully indexed system and b) if the index-size dropped below a certain amount (once finished) I surely had an issue – I saw the database rebuilding out of no where – due to pagefile-issues or space on the partition where the index-database resided.

All of this made it clear that monitoring was inherent – but I did not want to play around with EventIDs – clearly the amount of files in the index was a way better indicator.

This caused me to write the following PowerShell script – it will invoke a command to a target system and count the files currently in the index. This has to be invoked, though the OLEDB provider of the Search Index allows remote-requests, it does not give you accurate numbers for the overall scope of the index on the system using remote requests. Getting to a point to even get this information was quite a challenge, I am certain who ever finds this here will know already, assuming you did some research. Hope it helps, though.

param(
    $TargetServer
)
Invoke-Command -Computer $TargetServer -ScriptBlock {
    $value = 0;
    try{
        $objConn = New-Object System.Data.OleDb.OleDbConnection("Provider=Search.CollatorDSO;Extended Properties='Application=Windows'")
        $sqlCommand = New-Object System.Data.OleDb.OleDbCommand("GROUP ON workid [0] AGGREGATE COUNT() as 'Total' OVER (SELECT workid FROM systemindex)")
        $sqlCommand.Connection = $objConn
        $objConn.open()
        $reader = $sqlCommand.ExecuteReader()
        try{
            $ignore = $reader.Read() #will cause an error but we can ignore it... without this we won't have data
        } catch {}
		$value = $reader[2]
	} catch {}
	$XML = "<prtg>"
	$XML += "<result>"
	$XML += "<channel>indexed files count</channel>"
	$XML += "<value>$value</value>"
	$XML += "</result>"
	$XML += "</prtg>"

	Function WriteXmlToScreen ([xml]$xml) #just to make it clean XML code...
	{
		$StringWriter = New-Object System.IO.StringWriter;
		$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
		$XmlWriter.Formatting = "indented";
		$xml.WriteTo($XmlWriter);
		$XmlWriter.Flush();
		$StringWriter.Flush();
		Write-Output $StringWriter.ToString();
	}

	WriteXmlToScreen $XML;
}

param(

$TargetServer

)

Invoke-Command -Computer $TargetServer -ScriptBlock {

$value = 0;

try{

$objConn = New-Object System.Data.OleDb.OleDbConnection("Provider=Search.CollatorDSO;Extended Properties='Application=Windows'")

$sqlCommand = New-Object System.Data.OleDb.OleDbCommand("GROUP ON workid [0] AGGREGATE COUNT() as 'Total' OVER (SELECT workid FROM systemindex)")

$sqlCommand.Connection = $objConn

$objConn.open()

$reader = $sqlCommand.ExecuteReader()

try{

$ignore = $reader.Read() #will cause an error but we can ignore it... without this we won't have data

} catch {}

$value = $reader[2]

} catch {}

$XML = "<prtg>"

$XML += "<result>"

$XML += "<channel>indexed files count</channel>"

$XML += "<value>$value</value>"

$XML += "</result>"

$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml) #just to make it clean XML code...

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML;

}

An update to this or what I learned

Of course you wouldn’t just monitor the amount of indexed files with the script above. You likely have a dedicated drive / partition where the index resides. You definitive want to monitor the used or free drive space there as well. What you will discover especially in the beginning but as well later if many files are moved or copied to the server, is that the Windows Search Index database will grow after the indexing of huge amounts of files is done and shrink again. As far as I understand this, there is some maintenance and deduplication going on.

On a server with about 14 million files that took about 1 week to index, I ended up with a 250 GB index database, the second it finished it took another 12 hours while the database grew another 100 GB and then shrunk back to actually 200 GB.

Don’t let those numbers scare you, we talk about 10 TB (terra byte) of data in those 14 million files. This is quite a bit. Most other file servers won’t have such huge databases and you won’t see such huge increases while the index database is doing some kind of clean up, nor will it take a week for the initial index to finish.

What I wanted to show with this is simply that you really want to monitor all those information and keep a close eye on it. I saw the database make huge jumps in size in very very short periods of time. If the drive then is full your index possibly would get corrupted and Windows will start from zero again. You want to avoid this. Once the index is finished and no huge incoming file operations take place you won’t see to many jumps anymore. It will calm down. But still, always make sure you have enough space on the partition where the index database resides and proper monitoring on it to be able to react quickly (going as far as automating a service stop for the Windows Search index while the space goes down to avoid database corruption).

February 20, 2019 by Florian Rossmark monitoring prtg scripts server

Setting up Windows Search Index

The Windows Search indexing is a solution from Microsoft that will index your file servers and their files full text and allow your end users to get results quickly while actually engaging the fulltext search database seamlessly.

This is accomplish by just using the search box in the upper right of the Windows Explorer while residing on a network share or mapped network drive.

Many people say that the Windows Search does not work right, but my experience is that quite the opposite is true and it only depends on the right set up. This I will explain here further.

Before we go in to details – there is a challenge that goes along with DFS namespaces. I found a way to bypass this, look here to understand how it works.

add an additional drive to your file servers
- I roughly recommend about 10% of the total use size of your file shares that you want to index
- you might be able to go with less or more – but expect 10% to be more on the safe side
give the new drive a drive-letter (e.g. I: for Index) and name it INDEX (to make clear that this is only to be used for the INDEX database)
add the following path to this drive
- I:\ProgramData\Microsoft
- The path above mirrors the default path on the C: drive where the index will reside by default, I recommend to mirror this path on the new target drive to keep things simple and clear
add the feature Windows Search to your server
download the Microsoft Filter Pack 2.0 and install it on your server
- yes – this is a Office 2010 SP2 filter pack and yes that’s okay
- just download the x64 bit version of it and install it
- this will add a iFilter pack to Windows that allows Windows to understand DOCX and XLSX files (and others) and full text index them
enable the new service Windows Search
- set it to start type automatic
- start the service
from your start menu (or Control Panel) open the Indexing Options
- click on ADVANCED
  - select the earlier created path I:\ProgramData\Microsoft as new path for the index
  - after you click on OK Windows will stop the service and move the existing index
    - you might need to manually start the service again
- click now on MODIFY and select the server shares respectively local paths you want to index
- if you leave the Indexing Options open you will see that Windows updates the count constantly
  - Windows will slow down indexing if you work on the console or via RDP on the server Desktop
  - You will see the message INDEXING COMPLETED once all files have been index
    - this can take many days – don’t be surprised and be patient
think about monitoring the index and the partition the index resides on

One challenge resides – if your indexing drive becomes full, Windows Search indexing will crash the index database and likely determine it as corrupt and start from scratch. This can happen within minutes, even before any of your monitoring solutions might warn you about the full drive. There are eventlog entries about and you would easily see that the number of indexed files dropped to a very low number again. The drive becomes suddenly pretty empty as well again. This is sure one of the downsides of how Microsoft implemented this, but if you provide plenty of space in the first place, you likely won’t experience this issue.

iFilters for PDF files seem not to be necessary on current Windows versions. In the past I downloaded a iFilter for PDF files from Adobe but I experienced many issues with temporary files on the C:\ of my file servers. This is a known bug with the Adobe iFilter – as for Windows 2016 those files are full text index, but the same restrictions as in the past apply – PDF file can hold editable text that can be indexed or they hold pictures – what is often due to scans of documents – as long your scanner didn’t due OCR and translate the image to text, those files can’t be full text indexed.

Monitoring

It is almost essential to have proper monitoring in place for this. Actually, you want to monitor everything within your network, but that’s another story. I faced the same challenges and even was able to find out more about how the index database grows and why many people aren’t happy with it. Eventually it comes down to improper configurations and bad or nor monitoring at all. I highly recommend you have a look at this additional blog article about Windows Index Monitoring.

February 9, 2019 by Florian Rossmark configuration recommendations server

Shadow copies aren’t accessible – advanced VSS configuration

Most file servers are configured to use the Windows internal shadow copies / VSS to allow administrators or even users to quickly restore files.

Microsoft allows you to extend the default maximum of 64 shadow copies to a total of up to 512 as described here: https://docs.microsoft.com/en-us/windows/desktop/Backup/registry-keys-for-backup-and-restore#maxshadowcopies

It is pretty easy to implement this – no restart needed (if running, restart the volume shadow copy service).

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Settings
MaxShadowCopies DWORD
official maximum: 512 (decimal, NOT HEX!!!) (HEX: 0x200)

Now – we detected in January 2019 a bug that at least affects Windows 2016 servers, if not even more. We could not see the shadow copies of the current day. Any shadow copies of the previous day seemed to be fully available. The cut off was literally before midnight. After about 12 subsequent shadow copies they started to triple in.

Once we adjusted the maximum to 500 (decimal – HEX: 0x1f4) and restarting the service respective waiting till the next scheduled shadow copy executed (plus a few minutes to process a cleanup) we eventually could see the most current shadow copy from the Windows Explorer menu.

This seems to work way better then the 512 that is the defined maximum. There seems to be some kind of a bug that started with some update. We couldn’t determine it in detail and simulating this would take a lot of time.

NirSoft has a great tool to investigate your shadow copies as well here: http://www.nirsoft.net/utils/shadow_copy_view.html

This is a GUI based tool that partly lets you look in to your shadow copies. Only, if you try to open the most current paths while the 512 maximum was set, Windows Explorer still couldn’t handle it. But it was a nice detailed proof to see that the current shadow copies where as a matter of fact there.

Similar results could be determined while using PowerShell and command line commands like VSSadmin – we saw the shadow copies where there.

WMI provided the same information as well – for an example see the script here what uses WMI and PowerShell to gather information about shadow copies: https://www.it-admins.com/monitoring-shadow-copies-with-prtg/

Suggestions to configure shadow copies:

set a maximum of 500 instead of 512
do them e.g. hourly – as you need them
- this is all a calculation, straight hourly provides you 500 copies / 24 hours a day = +/- 20 days back
- if you go e.g. 5 AM to 9 PM and no Sundays you extend this: 500 / 17 snaps a day (hourly) = +/- 29 days => add the removed Sundays in the equation and you easily bypass a whole month
  - this would allow you while doing full virtual machine backups (VHD level backups) to keep the month end tape of every month and still be able to restore files from the shadow copies in theory – I had cases where I had to dig that deep..
volume configuration on your file servers (the drive letters don’t matter much)
- C: System – Windows OS etc.
- D: Data – this is where your shares resides – preferred DFS as described here
- E: Shadow Copies
  - configure the shadow copies to be saved on their own volume / vhd / so they don’t take away space and you gain more control over how much space they actually can take
  - configure them so they can use 100% of this separate volume
  - do not use the volume for anything else (of course)
  - Microsoft article about the steps involved: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd364933(v=ws.10)
add monitoring to your VSS – like described here with PRTG

January 23, 2019 by Florian Rossmark configuration server solutions windows

SNMP was deprecated

Microsoft deprecated the SNMP in Windows 2012 (R2). As of Windows 10 1809 respective Windows 2016 this feature is pretty much hidden. The decision likely was made due to security risks related to SNMP, in any case – as of right now it is still available if you really need it – but not via the good old Control Panel – Add Remove Features function. The following should even work on Windows 2019, since there is no indication that Microsoft finally removed the feature itself.

The following link is for Windows Server 2012 (R2) – it clearly states that SNMP is deprecated: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)

Windows client and server operating systems share the same kernel in the background – for the most part.

Alternate ways to enable the feature:

using Apps & Features will help you getting SNMP via Optional Features
- then use Add a feature
PowerShell commands:
- Either those commands
  PowerShell
  Get-WindowsCapability -Online -Name "SNMP*" Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"
  1
  2
  Get-WindowsCapability -Online -Name "SNMP*"
  Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"
- or the following version of commands
  PowerShell
  Get-WindowsCapability -Online | ? Name -like 'SNMP.Client*' Add-WindowsCapability -Online | ? Name -like 'SNMP.Client*'
  1
  2
  Get-WindowsCapability -Online | ? Name -like 'SNMP.Client*'
  Add-WindowsCapability -Online | ? Name -like 'SNMP.Client*'
or you use DISM on a command prompt
MS DOS
DISM /online /add-capability /capabilityname:SNMP.Client~~~~0.0.1.0
1
DISM /online /add-capability /capabilityname:SNMP.Client~~~~0.0.1.0

In all cases – you will run in to an possible issue if you use WSUS – you might need to temporarily bypass it in order to install this feature. It is possible that you need to restart the Windows Update service on the system for this setting to take effect.

Open Regedit and adjust the following key
Microsoft Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU key: UseWUServer new / temp value: 0
1
2
3
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
key: UseWUServer
new / temp value: 0

It is pretty obvious that this feature will be removed at one point – but as of now it is still available.

Let’s talk about a few things in regards to SNMP on Windows – or even in general when it comes to all your switches, firewalls, routers and other network components.

using SNMP on a Windows OS is a potential security risk – actually – SNMP itself is in general, cause it is standardized in often not locked down while having as well just limited security features
- see here for a more official statement on this by the US government: https://www.us-cert.gov/ncas/alerts/TA17-156A
I personally don’t see a reason to use SNMP to monitor a Windows Server – the system itself can easily be monitored by WMI and other methods – that might have pro’s and con’s – but it generally works
There are circumstances then you need SNMP enabled – I had this while coming across mostly UPS software that only allowed to interact with it via SNMP – the UPS itself was connected per USB and the software on a Windows server/client allowed no API calls or similar – you had to enable SNMP on Windows and then use SNMP through Windows to grab data for e.g. UPS monitoring
- having said this – this is actually a flaw by the vendor in such a case and should by addressed with the vendor
- there is possibly more then just an UPS software that does behave like this

December 27, 2018 by Florian Rossmark server solutions windows

Read the UEFI stored Windows key and activate Windows

Ever wanted to read out the UEFI stored Windows key and probably automatically try to activate Windows with a single script?

The UEFI stored Windows license key is essential due to the fact that you don’t have a physical license anymore and you should keep it just in case for situations like your motherboard was exchanged and the key not transferred properly. I came across similar situations and was glad that I had the key.

But the script below does more then just reading and displaying the key – it will try to activate Windows as well.

Please note – it is wise to combine the read out of the key with an export and save method – like writing it to a database – this script will only show the basic functionality – but this is the most important part already.

$service = get-wmiObject -query 'select * from SoftwareLicensingService'
if($key = $service.OA3xOriginalProductKey){
	Write-Host 'Product Key:' $service.OA3xOriginalProductKey
	$service.InstallProductKey($key)
}else{
	Write-Host 'Key not found.'
}

$service = get-wmiObject -query 'select * from SoftwareLicensingService'

if($key = $service.OA3xOriginalProductKey){

Write-Host 'Product Key:' $service.OA3xOriginalProductKey

$service.InstallProductKey($key)

}else{

Write-Host 'Key not found.'

}

The next two lines help additionally – if you create this batch file as well and store both files in the same directory, you simply can right click the .CMD file and execute it with elevated rights (run as administrator) and it will make your live even easier. This is just a simple trick to bypass some restrictions that you might encounter while trying to execute a PowerShell script with elevated rights and bypassing the execution policy for scripts at the same time.

powershell.exe -executionpolicy unrestricted -file "%~dp0\ReadUEFIWindowsKeyAndActivateWindows.ps1"
pause

1 2	powershell.exe -executionpolicy unrestricted -file "%~dp0\ReadUEFIWindowsKeyAndActivateWindows.ps1" pause

December 11, 2018 by Florian Rossmark recommendations scripts web

Read the UEFI stored Windows key and activate Windows

The following script will read the UEFI stored Windows licensing key and show it – it then will attempt to activate Windows and probably even e.g. your Microsoft Office installation – this is not necessarily intentional by the script, rather then a coincidence that I discovered by using this script to activate Windows after it was automatically deployed from an image that had a pre-injected volume license key. Office likely got activated along with Windows.

In any case – it helps you to activate Windows or simply read out your license key.

$service = get-wmiObject -query 'select * from SoftwareLicensingService'
if($key = $service.OA3xOriginalProductKey){
	Write-Host 'Product Key:' $service.OA3xOriginalProductKey
	$service.InstallProductKey($key)
}else{
	Write-Host 'Key not found.'
}

$service = get-wmiObject -query 'select * from SoftwareLicensingService'

if($key = $service.OA3xOriginalProductKey){

Write-Host 'Product Key:' $service.OA3xOriginalProductKey

$service.InstallProductKey($key)

}else{

Write-Host 'Key not found.'

}

October 4, 2018 by Florian Rossmark scripts

Gathering profile information from computer

Every now an then you might need to know who logged on and when was the last logon of which user to a specific workstation as well as the size of each user profile. For this I once wrote the PowerShell script you can find below. It does a WMI query against a list of one or more target computers and reads out the information reporting it back.

As input parameter use a comma separated list of computer names – those must be reachable and administrative accessible (you need at least admin rights on the target system). You then get a output set per profile.

The output can e.g. be transformed with the parameter |ft to see it in table format – like typical in PowerShell.

Output values are:

ComputerName
ProfileName
ProfilePath
ProfileType
- Temporary
- Roaming
- Mandatory
- Corrupted
- local
IsinUse
IsSystemAccount
Size
- this needs to most processing time – it is a manual size check including even temp files.. – other then what Windows shows you
LastUseTime

[cmdletbinding()]
[cmdletbinding()]
param (
[parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
[string[]]$ComputerName = $env:computername
)            
 
foreach ($Computer in $ComputerName) {
 $Profiles = Get-WmiObject -Class Win32_UserProfile -Computer $Computer -ea 0
 foreach ($profile in $profiles) {
  try {
      $objSID = New-Object System.Security.Principal.SecurityIdentifier($profile.sid)
      $objuser = $objsid.Translate([System.Security.Principal.NTAccount])
      $objusername = $objuser.value
  } catch {
        $objusername = $profile.sid
  }
  switch($profile.status){
   1 { $profileType="Temporary" }
   2 { $profileType="Roaming" }
   4 { $profileType="Mandatory" }
   8 { $profileType="Corrupted" }
   default { $profileType = "LOCAL" }
  }
  $size = 0
  try{
    $profilepath=$profile.localpath -replace "C:","\\$Computer\C$"
    $size=(dir $profilepath -recurse -force -ea silentlycontinue | Measure-Object ‘length’ -sum -Maximum).sum
    $size=[math]::Round(($size/1GB),2)
    #$size={{0:n2} -f $size}
    $size2=[string]::Format("{0:0.00} GB", $size)
  } catch {
    $size = -1
  }

  $User = $objUser.Value
  try {
	$ProfileLastUseTime = ([WMI]"").Converttodatetime($profile.lastusetime)
  } catch {
	$ProfileLastUseTime = ""
  }
  $OutputObj = New-Object -TypeName PSobject
  $OutputObj | Add-Member -MemberType NoteProperty -Name ComputerName -Value $Computer.toUpper()
  $OutputObj | Add-Member -MemberType NoteProperty -Name ProfileName -Value $objusername
  $OutputObj | Add-Member -MemberType NoteProperty -Name ProfilePath -Value $profile.localpath
  $OutputObj | Add-Member -MemberType NoteProperty -Name ProfileType -Value $ProfileType
  $OutputObj | Add-Member -MemberType NoteProperty -Name IsinUse -Value $profile.loaded
  $OutputObj | Add-Member -MemberType NoteProperty -Name IsSystemAccount -Value $profile.special
  $OutputObj | Add-Member -MemberType NoteProperty -Name Size -Value $size2
  $OutputObj | Add-Member -MemberType NoteProperty -Name LastUseTime -Value $ProfileLastUseTime
  $OutputObj
  
 }
}

[cmdletbinding()]

param (

[parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]

[string[]]$ComputerName = $env:computername

)

foreach ($Computer in $ComputerName) {

$Profiles = Get-WmiObject -Class Win32_UserProfile -Computer $Computer -ea 0

foreach ($profile in $profiles) {

try {

$objSID = New-Object System.Security.Principal.SecurityIdentifier($profile.sid)

$objuser = $objsid.Translate([System.Security.Principal.NTAccount])

$objusername = $objuser.value

} catch {

$objusername = $profile.sid

}

switch($profile.status){

1 { $profileType="Temporary" }

2 { $profileType="Roaming" }

4 { $profileType="Mandatory" }

8 { $profileType="Corrupted" }

default { $profileType = "LOCAL" }

}

$size = 0

try{

$profilepath=$profile.localpath -replace "C:","\\$Computer\C$"

$size=(dir $profilepath -recurse -force -ea silentlycontinue | Measure-Object ‘length’ -sum -Maximum).sum

$size=[math]::Round(($size/1GB),2)

#$size={{0:n2} -f $size}

$size2=[string]::Format("{0:0.00} GB", $size)

} catch {

$size = -1

}

$User = $objUser.Value

try {

$ProfileLastUseTime = ([WMI]"").Converttodatetime($profile.lastusetime)

} catch {

$ProfileLastUseTime = ""

}

$OutputObj = New-Object -TypeName PSobject

$OutputObj | Add-Member -MemberType NoteProperty -Name ComputerName -Value $Computer.toUpper()

$OutputObj | Add-Member -MemberType NoteProperty -Name ProfileName -Value $objusername

$OutputObj | Add-Member -MemberType NoteProperty -Name ProfilePath -Value $profile.localpath

$OutputObj | Add-Member -MemberType NoteProperty -Name ProfileType -Value $ProfileType

$OutputObj | Add-Member -MemberType NoteProperty -Name IsinUse -Value $profile.loaded

$OutputObj | Add-Member -MemberType NoteProperty -Name IsSystemAccount -Value $profile.special

$OutputObj | Add-Member -MemberType NoteProperty -Name Size -Value $size2

$OutputObj | Add-Member -MemberType NoteProperty -Name LastUseTime -Value $ProfileLastUseTime

$OutputObj

}

August 20, 2018 by Florian Rossmark recommendations scripts solutions

Prevent ScreenSaver coming up with a PowerShell script

In our daily business, we often have the issue that a GPO enforces a screensaver after a certain amount of time. This can become very annoying and actually even be an issue if you are remote in on a end-user system and don’t know their password. After doing quite some research I found out that PowerShell actually is able to help here and I wrote a script to prevent the screensaver from coming up.

First I thought, let’s see if I can control the mouse cursor, cause I thought it would be less invasive, this is actually possible – but interestingly did not have the expected effect and the screensaver kept coming up. So I did go with keystrokes, but of course I was worried about what key would be save to send. Doing some research on Microsoft websites (here the link), I found the F16 – testing around with it I found it the least invasive key to send periodically to a system – it does not even exist on a regular keyboard and can only be simulated with a key-combination. To simulate F16 you need to press SHIFT + F4 – there might be a Windows 10 (may be even earlier) combination out of WINDOWS + SHIFT + F4 respective WINDOWS + F16 what would cause a shutdown. Once I found out about that, I decided to adjust the script to F17 what seemed to bypass even that small chance of an issue that would be more problematic then the screensaver itself – you sure don’t want the system to shutdown :-).

The script you find below can be simply executed. It has a setting $minutes that you could add as a parameter and therefor adjust it when you start it – by default it will use 9999 what is a pretty long time. To be clear – this is actually not a minute interval, it is a 30 second interval and ends up in half minutes. Why? Simple – Windows has a minimum setting of 1 minute that an screensaver can come up. If the script would fire in a minute interval, there is a theoretical chance the screensaver would still win.

This is further not pure PowerShell code – well it is but actually the key stroke is send via a Windows Scripting Host WSH / WScript command SendKeys. The PowerShell only surrounds to command. It has the nice habit of having a PowerShell window open that you simply can close to end the script. If you would do the same in WSH you would need to execute the script more manual with CSCRIPT rather then just double-clicking the file what would execute it via VBSCRIPT instead causing a hidden window / process and you would need to identify it in the task-manager to kill the process. Therefor, PowerShell was the best choice in the end to accomplish the task.

param($minutes = 9999)

$myShell = New-Object -com "Wscript.Shell"

for ($i = 0; $i -lt $minutes; $i++) {
Start-Sleep -Seconds 30
$myShell.sendkeys("{F13}")
}

param($minutes = 9999)

$myShell = New-Object -com "Wscript.Shell"

for ($i = 0; $i -lt $minutes; $i++) {

Start-Sleep -Seconds 30

$myShell.sendkeys("{F13}")

}

Additionally you could use the below more advanced script that will control the screensaver only during a defined time window. This is a more advanced way and more usable in certain situation, cause it would automatically allow the screensaver to come up outside the defined time window and minimize the exposure of the system more. It is also more effective then completely disabling any screensaver GPO settings, cause it is more specific and adjustable.

Update: As of 10/202 I updated the script below from F13 to F10, as this works better for most situations. Be aware, it all depends on what your foreground windows will react too. Make sure the keystroke you use does not cause you any harm.

param($minutes = 9999)

$myShell = New-Object -com "Wscript.Shell"

for ($i = 0; $i -lt $minutes; $i++) {
  $min = Get-Date "05:30"
  $max = Get-Date "17:30"
  $now = Get-Date
  if ($min.TimeOfDay -le $now.TimeOfDay -and $max.TimeOfDay -ge $now.TimeOfDay) {
    Write-Host "$now - Time between $min and $max - preventing screensaver" -ForegroundColor DarkGreen -BackgroundColor White
    $i = 0
    $myShell.sendkeys("{F10}")
  } else {
    Write-Host "$now - Time outside off $min and $max - allowing screensaver" -ForegroundColor DarkRed -BackgroundColor White
  }
  Start-Sleep -Seconds 30
}

param($minutes = 9999)

$myShell = New-Object -com "Wscript.Shell"

for ($i = 0; $i -lt $minutes; $i++) {

$min = Get-Date "05:30"

$max = Get-Date "17:30"

$now = Get-Date

if ($min.TimeOfDay -le $now.TimeOfDay -and $max.TimeOfDay -ge $now.TimeOfDay) {

Write-Host "$now - Time between $min and $max - preventing screensaver" -ForegroundColor DarkGreen -BackgroundColor White

$i = 0

$myShell.sendkeys("{F10}")

} else {

Write-Host "$now - Time outside off $min and $max - allowing screensaver" -ForegroundColor DarkRed -BackgroundColor White

}

Start-Sleep -Seconds 30

}

June 29, 2018 by Florian Rossmark scripts solutions windows

Solution for VSS exceptions with VMware guests / VM tools

Today’s blog is about “Solution for VSS exceptions with VMware guests / VM tools” and was initially posted by myself here: https://vox.veritas.com/t5/Backup-Exec/Solution-for-VSS-exceptions-with-VMware-guests-VM-tools/td-p/829072 – it actually became a KB entry for an as of today older version of Veritas Backup Exec – but I did not want to leave it out of my blog.. Here is the link to the KB article: https://www.veritas.com/docs/000009506

Here is the article I wrote – starting with a description of the actual issue:

We have been experiencing VSS issues with VMware guests in regards to the installed Backup Exec Agent and a previously installed VMware Tools VSS option.

Uninstalling the VMware Tools VSS option in various ways including restarts did not fix our issues. If you search the internet for solutions, you find many attempts but no real solution or explanation.

One of our admins spend several hours with the Veritas support without a solution, he was about to escalate the issue with them, when we found the root cause and could actually fix our issues.

First the steps to solve this:

Uninstall the VMware Tools VSS option (no restart will be requiered)
Make sure VMware VSS service was deleted
1. If this is not the case, you might need to do so manually and remove additional DLL’s etc. as well as restart the system, but this is independent from this solution
You might have already done steps 1 and 2 but you still get VSS exceptions from the backup that says you have more than one VSS agent installed:
1. V-79-8192-38331 – The backup has detected that both the VMware VSS Provider and the Symantec VSS Provider have been installed on the virtual machine ‘hostname’. However, only one VSS Provider can be used on a virutal machine. You must uninstall the VMware VSS Provider.
2. Now you wonder what causes this and you get stuck
3. You could uninstall the Veritas/Symantec Backup Exec Agent and only back the system up per VMDK
4. You would lose the GRT / granular backup / restore capabilities
Check your registry for the following reg key
1. HKLM\System\CurrentControlSet\Services\BeVssProviderConflict
2. If this key exists, but your VMware VSS provider is uninstalled, you need to follow up with step 5
Open a notepad as administrator
Open this file in the notepad
1. C:\ProgramData\VMware\VMware Tools\manifest.txt
Search for the following two entries:
1. Vcbprovider_2003.installed
2. vcbprovider.installed
Make sure both of them are set to FALSE, most likely one of them is TRUE
Run a test backup
1. This test backup now should not show the exception anymore
2. The registry key should vanish (refresh/press F5) without you taking action

So what happened?

You uninstalled the VMware Tools VSS provider, but this manifest file did not get updated. We actually could see that it sometimes does get updated and sometimes does not. This seems to be some kind of issue with the VMware Tools uninstalled/installer.

But why this manifest.txt file?

As we found out, there scripts that get executed by Symantec/Veritas Backup Exec before the backup. You might find them in two locations, and it seems to depend a bit on the Windows version which script is executed (at which location). You could edit them both and just undo the checks in the scripts, but this wouldn’t be correct. It is more correct to update the manifest.txt file. If you want to, you can check the date/time of the manifest.txt file before you change it – you might see it was not updated while you uninstalled the VMware Tools VSS provider (assuming you did only do this and not do additional installs/uninstalls within the VMware Tools / please note as well that this only is true when you still experienced those issues).

Now, back to those scripts, you find them here:

C:\Windows
C:\Program Files\Symantec\Backup Exec\RAWS\VSS Provider

The name of the script that matters:

pre-freeze-script.bat

This script checks several DLLs, registry entries, paths and on Windows 2008 and newer the ProgramData-Path for this specific manifest.txt file and the two entries mentioned.

Once you uninstall the VMware VSS provider, and the file did not get updated, you might see this issue and wonder how to solve it. The solution is to simply update it to mirror the uninstallation of the VMware VSS provider (vcbprovider). We double checked this with several installations and could see if the file actually gets updated, those two values are set to FALSE, if it doesn’t, at least one of the values remains true, what causes the pre-freeze-script.bat to write the registry key mentioned earlier and therefor causing the issue in the backup – exceptions.

If you still have the same issues after updating the manifest.txt, simply check all the DLL’s that are mentioned in the script and make sure they don’t exist. You might also consider to manually delete the registry-key (it seems to be just a dumy-key) to make sure there is no issue that prevents the script from deleting it. Make sure it does not re-appear after a backup! Otherwise you might still have some DLLs left on your system that cause the script to re-create the registry key.

Hope this helps a few of you out there. This was an ongoing issue for a while and I came accross those issues many times ever since Windows 2008. This applies to Windows 2008 R2, Windows 2012, Windows 2012 R2 and pretty sure to Windows 2016 as well.

It helped us getting rid of those issues completely and actually not even needing a single restart of the guest VM to solve the issues (removing the VMware VSS provide did not need a restart).

June 25, 2018 by Florian Rossmark configuration scripts server solutions

windows

Linux and DHCP reservations aren’t working

Useful registry keys to supplement settings not available in standard GPO templates

Show Drive Letters first in Windows Explorer

Support URL

Support Hours

Support Hours

Support Manufacturer

Hide Drives with no Media

Expand folders to current folder

Fast Boot Enabled

Office 365 – Update Channel

Allow Print Driver Installation

Ensure Outlook is the default mail client

Set Microsoft Teams as the default IM application

Set Microsoft Office to read User information from Active Directory

Disable the Network Sharing Wizard in Windows Explorer

Remove the Network form Windows Explorer

Remove Administrative Tools from the Start Menu

Windows Update Restart Notifications for End Users

Windows 11 and SQL (Express) issues

Windows 10 Build 2004 / 20H1 – SMBv1 network drives not connecting

ActiveDirectory/LDAP result limits – MaxPageSize

Reset or Remove the Windows Hello PIN

Windows Print Server Aliases

Bypassing Windows 10 UAC for Unknown Publishers

Make Microsoft TEAMS the default IM application

Find user account lockout events

Windows Search Index monitoring

Setting up Windows Search Index

Monitoring

Shadow copies aren’t accessible – advanced VSS configuration

SNMP was deprecated

Read the UEFI stored Windows key and activate Windows

Read the UEFI stored Windows key and activate Windows

Gathering profile information from computer

Prevent ScreenSaver coming up with a PowerShell script

Solution for VSS exceptions with VMware guests / VM tools

Recent blog posts

Blog Archives

windows

Show Drive Letters first in Windows Explorer

Support URL

Support Hours

Support Hours

Support Manufacturer

Hide Drives with no Media

Expand folders to current folder

Fast Boot Enabled

Office 365 – Update Channel

Allow Print Driver Installation

Ensure Outlook is the default mail client

Set Microsoft Teams as the default IM application

Set Microsoft Office to read User information from Active Directory

Disable the Network Sharing Wizard in Windows Explorer

Remove the Network form Windows Explorer

Remove Administrative Tools from the Start Menu

Windows Update Restart Notifications for End Users

Monitoring

Recent blog posts

Blog Archives

Tags