Windows 2008 R2 ; Update Computer Account Group Membership Online

Useful if you use groups for certificate enrolment etc.; you can update the computer's group membership without having to reboot the server using the following process:

  1. From an elevated command prompt run the command: klist -lh 0 -li 0x3e7 purge
  2. Then enumerate computer group membership again using: gpupdate /force

Windows ; Disconnected RDP Session Search and Destroy!

Every so often I’ll end up with a disconnected RDP session somewhere which causes chaos come password reset day; locking my account out etc. I came across the following script over at which will search for RDP/RDS sessions on every server in a domain for a particular user. Run using cscript.exe serversessions.vbs. Click Read More for the script.

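The serversessions.vbs script itself is not reproduced on this page, so the following is an added PowerShell equivalent (not the post's script): it runs quser.exe against each server, parses the fixed-width output into objects, reports every session for one user and can log off the disconnected ones that cause the lockouts described above. The server list, user name and the sample quser text are constructed for the example; quser.exe and logoff.exe are assumed to be present and the caller is assumed to be an administrator on the target servers.

```powershell
# Added example (not the serversessions.vbs script the post refers to).
# Assumed: quser.exe / logoff.exe are available, the caller is an administrator
# on each target server, and the servers are reachable over SMB/RPC.

function ConvertFrom-QuserOutput {
    # Parse the fixed-width text that quser.exe prints into objects.
    param([string[]]$Lines, [string]$ComputerName)

    # SESSIONNAME is blank for disconnected sessions, so it is optional here;
    # the session ID is always numeric, which lets the regex resolve the ambiguity.
    $pattern = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+?)\s*$'

    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                ComputerName = $ComputerName
                User         = $Matches['User']
                Session      = $Matches['Session']
                Id           = [int]$Matches['Id']
                State        = $Matches['State']
                Idle         = $Matches['Idle']
                Logon        = $Matches['Logon']
            }
        }
    }
}

function Find-RdpSession {
    # Query each server for sessions belonging to $UserName.
    param(
        [Parameter(Mandatory=$true)][string[]]$ComputerName,
        [Parameter(Mandatory=$true)][string]$UserName,
        [switch]$LogOff          # also log off the disconnected sessions that are found
    )
    foreach ($c in $ComputerName) {
        # quser prints "No User exists for *" and exits non-zero when nobody is logged
        # on, and errors on unreachable hosts; both are reported and skipped.
        $out = & quser /server:$c 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$c : $($out -join ' ')"
            continue
        }
        $sessions = ConvertFrom-QuserOutput -Lines $out -ComputerName $c |
                    Where-Object { $_.User -eq $UserName }
        foreach ($s in $sessions) {
            if ($LogOff -and $s.State -eq 'Disc') {
                & logoff $s.Id /server:$c
                Add-Member -InputObject $s -MemberType NoteProperty -Name Action -Value 'LoggedOff'
            }
            $s
        }
    }
}

# Constructed sample of quser output so the parser can be exercised offline.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>admin                 rdp-tcp#0           2  Active          .  13/02/2012 09:15',
    ' jsmith                                    3  Disc         1:02  13/02/2012 08:30'
)
ConvertFrom-QuserOutput -Lines $sample -ComputerName 'SRV01' | Format-Table User, Id, State, Idle -AutoSize

# Real run, e.g. against every server object in the domain (needs the ActiveDirectory module):
# $servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' | Select-Object -ExpandProperty Name
# Find-RdpSession -ComputerName $servers -UserName 'jsmith' -LogOff
```

Only sessions in the Disc state are logged off when -LogOff is given; active sessions are listed but left alone, so a user who is genuinely working is not kicked off.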

WSUS : Enforce SSL Connectivity via Powershell

This simple PowerShell script will convert your WSUS install from HTTP to HTTPS; simply modify the server fully qualified domain name (FQDN). This is also useful for HTTPS-based System Center 2012 Configuration Manager deployments.

Note that you also require the Execution Policy to be set to RemoteSigned (use the command 'Set-ExecutionPolicy RemoteSigned' to change this).


{code lang:css showtitle:false lines:false hidden:false}Import-Module webadministration

# Require SSL on each of the WSUS virtual directories
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/APIRemoting30"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/ClientWebService"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/DSSAuthWebService"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/ServerSyncWebService"
Set-WebConfigurationProperty -Filter //security/access -Name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/SimpleAuthWebService"

# Tell WSUS itself to use SSL, passing the name that matches the certificate
cd "C:\Program Files\Update Services\Tools"
.\WSUSUtil.exe configuressl <server fqdn>

# Enable the HTTPS inbound firewall rule created by the WSUS role
netsh advfirewall firewall set rule name="Windows Server Update Services (HTTPS)" new enable=yes{/code}


Now browse to the WSUS Administration site in IIS and edit the HTTPS binding to use the correct certificate.
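A check to run once the script above and the IIS binding step are done, added here and not part of the original post: it reads back the sslFlags on each WSUS virtual directory, confirms the site has an HTTPS binding with a certificate assigned, and probes the client web service over TLS. The site name "WSUS Administration" comes from the post; port 8531 and the C:\ paths are assumptions (8531 is the usual port when WSUS runs on its own site, so change -Port if you use the Default Web Site).

```powershell
# Added check (not part of the original post). Assumed: WSUS runs on the
# "WSUS Administration" site on port 8531; adjust -Port for a Default Web Site install.
Import-Module WebAdministration

$sslPaths = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'

function Test-WsusSslConfig {
    param(
        [string]$SiteName = 'WSUS Administration',
        [int]$Port = 8531,
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry('').HostName
    )
    $ok = $true

    foreach ($vdir in $sslPaths) {
        $raw = Get-WebConfigurationProperty -Filter //security/access -Name sslFlags `
               -PSPath IIS:\ -Location "$SiteName/$vdir"
        # Depending on the IIS/PowerShell build this is either the flag text ("Ssl")
        # or a ConfigurationAttribute whose .Value is the numeric flags (Ssl = 8).
        $value = if ($raw -and $raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }
        $requiresSsl = if ("$value" -match '^\d+$') { ([int]$value -band 8) -ne 0 } else { "$value" -match '\bSsl\b' }
        if (-not $requiresSsl) { Write-Warning "$vdir does not require SSL (sslFlags=$value)"; $ok = $false }
    }

    # The post's final step is done in IIS Manager: the HTTPS binding must carry a certificate.
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    if (-not $binding) { Write-Warning "No HTTPS binding on '$SiteName'"; $ok = $false }
    elseif (-not $binding.certificateHash) { Write-Warning 'HTTPS binding has no certificate assigned'; $ok = $false }

    # Probe the client endpoint over TLS. Any HTTP answer means the handshake and the
    # certificate were accepted; only a transport/TLS failure has no Response attached.
    $url = "https://{0}:{1}/ClientWebService/client.asmx" -f $Fqdn, $Port
    try {
        $resp = [System.Net.WebRequest]::Create($url).GetResponse()
        $resp.Close()
    } catch [System.Net.WebException] {
        if (-not $_.Exception.Response) {
            Write-Warning "HTTPS probe of $url failed: $($_.Exception.Message)"
            $ok = $false
        }
    }
    return $ok
}

Test-WsusSslConfig
```

The probe uses the machine's own FQDN by default because that is the name the certificate must match; run it with -Fqdn set to the name you gave WSUSUtil.exe if the two differ.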

AD CS : CertSrv Website “No certificate templates could be found”


Recently I deployed two Windows 2008 R2 Enterprise Subordinate Certificate Authorities. Whilst these have been issuing certificates requested through Autoenrollment, I noticed today that the web interface for requests wasn't working properly using https://<caname>/certsrv. When clicking on "Request a certificate", then "Create and submit a request to this CA", I would get the following error message:

“No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.”

After digging about, it turned out that this is resolved by using IIS Manager and changing the DefaultAppPool Identity from ApplicationPoolIdentity to NetworkService:

  1. This is available by right-clicking the DefaultAppPool under Application Pools and selecting "Advanced Settings...".
  2. Look for the "Identity" value under Process Model and change it to NetworkService.
  3. Once completed, perform an iisreset on the CA.

IIS : Windows Authentication 401.2 Unauthorised


Having deployed a couple of Certificate Authorities recently I ran into an issue with the Web interface http://<caname>/certsrv where despite entering valid credentials I was continually prompted for a username and password, and eventually a 401.2 Unauthorised error.


On further investigation it turned out that the Windows Authentication providers were the cause; changing this from Negotiate,NTLM to NTLM,Negotiate (you could even remove the Negotiate provider) resolves the issue.

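Both CertSrv fixes above (the DefaultAppPool identity change and the Windows Authentication provider order) are IIS Manager click-throughs in the posts; the following is an added script, not from either post, that applies them with the WebAdministration module and reads the result back, which is handy when the same two settings have to land on several CAs. It assumes the layout the Web Enrollment role service creates, i.e. the CertSrv application under "Default Web Site/CertSrv" running in DefaultAppPool; the -NtlmOnly switch implements the "remove the Negotiate provider" variant.

```powershell
# Added example (not from the original posts). Assumed: CertSrv lives under
# "Default Web Site/CertSrv" and runs in DefaultAppPool.
Import-Module WebAdministration

function Repair-CertSrvWebConfig {
    param(
        [string]$AppPool  = 'DefaultAppPool',
        [string]$Location = 'Default Web Site/CertSrv',
        [switch]$NtlmOnly            # drop Negotiate entirely instead of reordering
    )

    # 1. "No certificate templates could be found": run the pool as NetworkService
    #    (processModel.identityType 2) instead of ApplicationPoolIdentity (4) so the
    #    worker process reads the templates from AD as the machine account.
    #    This changes the identity of every application in $AppPool, not only CertSrv.
    Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel.identityType -Value 2

    # 2. 401.2 despite valid credentials: put NTLM ahead of Negotiate in the
    #    Windows Authentication provider list for the CertSrv application.
    $auth = '/system.webServer/security/authentication/windowsAuthentication'
    Set-WebConfigurationProperty -Filter $auth -Name enabled -Value $true -PSPath IIS:\ -Location $Location
    foreach ($p in 'Negotiate', 'NTLM') {
        Remove-WebConfigurationProperty -Filter $auth -Name providers -AtElement @{value=$p} `
            -PSPath IIS:\ -Location $Location -ErrorAction SilentlyContinue
    }
    Add-WebConfigurationProperty -Filter $auth -Name providers -Value @{value='NTLM'} -PSPath IIS:\ -Location $Location
    if (-not $NtlmOnly) {
        Add-WebConfigurationProperty -Filter $auth -Name providers -Value @{value='Negotiate'} -PSPath IIS:\ -Location $Location
    }

    # A running pool does not pick up a new identity until restarted; iisreset matches the post.
    iisreset | Out-Null

    # 3. Read back what was applied.
    $providers = (Get-WebConfigurationProperty -Filter $auth -Name providers -PSPath IIS:\ -Location $Location).Collection |
                 ForEach-Object { $_.value }
    New-Object PSObject -Property @{
        AppPoolIdentity = (Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel).identityType
        Providers       = ($providers -join ',')
    }
}

Repair-CertSrvWebConfig
```

Expected read-back after a successful run is AppPoolIdentity NetworkService and Providers NTLM,Negotiate (or just NTLM with -NtlmOnly).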

AD DS : Find Users with Specific Home Drive Path


I had to move some users' home directories from one server to another recently; these Mac users had their home drive set in AD DS rather than via folder redirection determined by Group Policy.

In AD Users and Computers I used the following custom search to identify all of the users; change *server name* to suit your environment:

{code lang:css showtitle:false lines:false hidden:false}(&(objectClass=user)(objectCategory=person)(homeDirectory=*server name*)){/code}

For example, if your file server was called FILESRV1 you would change the query to use *FILESRV1*:

{code lang:css showtitle:false lines:false hidden:false}(&(objectClass=user)(objectCategory=person)(homeDirectory=*FILESRV1*)){/code}
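The same homeDirectory filter run from PowerShell, as an added example that is not part of the original post: it uses the [adsisearcher] accelerator, escapes the server name per RFC 4515 so characters such as ( ) \ * in it cannot change the meaning of the filter, pages the results (an ADUC query silently stops at the server's size limit), and previews the path each user would get after the move. FILESRV1 is the post's example; FILESRV2 and the attribute list are assumptions.

```powershell
# Added example (not from the original post). Assumed: run on a domain member as a
# user who can read homeDirectory; the default naming context is searched.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in an LDAP search filter (backslash first).
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ResultProperty {
    # First value of a search-result attribute, or '' when the attribute is absent.
    param($Result, [string]$Name)
    if ($Result.Properties[$Name].Count) { [string]$Result.Properties[$Name][0] } else { '' }
}

function Find-UserByHomeServer {
    param(
        [Parameter(Mandatory=$true)][string]$ServerName,   # e.g. FILESRV1, used as *FILESRV1* as in the post
        [string]$NewServerName                              # optional: show the post-move path
    )
    $filter   = "(&(objectClass=user)(objectCategory=person)(homeDirectory=*$(ConvertTo-LdapFilterValue $ServerName)*))"
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000                               # paged search: more than 1000 matches is common
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'homeDirectory', 'homeDrive'))

    foreach ($result in $searcher.FindAll()) {
        $home = Get-ResultProperty $result 'homedirectory'
        $obj = New-Object PSObject -Property @{
            User          = Get-ResultProperty $result 'samaccountname'
            HomeDrive     = Get-ResultProperty $result 'homedrive'
            HomeDirectory = $home
        }
        if ($NewServerName) {
            # Replace only the server component of \\server\share\user, case-insensitively.
            $newHome = $home -replace "^(?i)\\\\$([regex]::Escape($ServerName))\\", "\\$NewServerName\"
            Add-Member -InputObject $obj -MemberType NoteProperty -Name NewHomeDirectory -Value $newHome
        }
        $obj
    }
}

Find-UserByHomeServer -ServerName 'FILESRV1' -NewServerName 'FILESRV2' | Format-Table -AutoSize
```

The anchored replacement only rewrites paths that start with \\FILESRV1\, so a user whose home directory merely contains the string elsewhere is listed (it matched the wildcard filter) but left with an unchanged NewHomeDirectory for you to review.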

Windows 2008 R2 : Failover Cluster Manager – Move Cluster Group


You've probably noticed that in Failover Cluster Manager you don't have the option to move the cluster group resources like you did in Windows 2000/2003. It is possible to move this group; however, you'll have to use either Windows PowerShell or the Command Prompt to achieve this.

Using Windows PowerShell (FailoverClusters module):
  Move-ClusterGroup "Cluster Group"
  Move-ClusterGroup "Available Storage"

Using the CLI and cluster.exe:
  cluster group "Cluster Group" /move
  cluster group "Available Storage" /move

Server Core : Query the Event Log from the Command Line


Use the following command to list events in the SYSTEM event log between 9th March 00:00 to 15:00:

{code lang:css showtitle:false lines:false hidden:false}wevtutil qe system "/q:*[System[TimeCreated[@SystemTime>='2012-03-09T00:00:00' and @SystemTime<'2012-03-09T15:00:00']]]" /f:text{/code}

Use the following command to query the SYSTEM event log for any event at or after midnight on 12th March:

{code lang:css showtitle:false lines:false hidden:false}wevtutil qe system "/q:*[System[TimeCreated[@SystemTime>='2012-03-12T00:00:00']]]" /f:text{/code}


Windows 2008 : Export Event Log Using wevtutil


Use the following command to quickly export the SYSTEM event log from your server; this can also be used in a scheduled task to archive event logs (wevtutil writes the .evtx format regardless of the extension, so name the file accordingly):

wevtutil epl SYSTEM C:\SystemLog.evtx

To export the APPLICATION event log use the command:

wevtutil epl APPLICATION C:\ApplicationLog.evtx
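An added PowerShell example covering both wevtutil posts above (the time-window queries and the export); it is not from the original posts. It builds the same TimeCreated XPath but first converts the local times you type into UTC, because @SystemTime in the log is stored in UTC and the literal '2012-03-09T00:00:00' in the query above is therefore off by your UTC offset; it then runs the query with Get-WinEvent (which accepts the identical XPath wevtutil uses) and wraps wevtutil epl for a scheduled-task archive with a timestamped name. The archive folder C:\LogArchive is an assumption.

```powershell
# Added example (not from the original posts). Assumed: C:\LogArchive is the archive folder.

function Get-EventLogXPath {
    # XPath for events in [Start, End) given in local time. SystemTime is UTC, so
    # the wall-clock value is converted before it goes into the query.
    param(
        [Parameter(Mandatory=$true)][datetime]$Start,
        [datetime]$End = [datetime]::MaxValue
    )
    $fmt  = 'yyyy-MM-ddTHH:mm:ss.000Z'
    $expr = "@SystemTime>='$($Start.ToUniversalTime().ToString($fmt))'"
    if ($End -lt [datetime]::MaxValue) {
        $expr += " and @SystemTime<'$($End.ToUniversalTime().ToString($fmt))'"
    }
    "*[System[TimeCreated[$expr]]]"
}

function Get-EventsBetween {
    param([string]$LogName = 'System', [Parameter(Mandatory=$true)][datetime]$Start, [datetime]$End = [datetime]::MaxValue)
    $xpath = Get-EventLogXPath -Start $Start -End $End
    # Equivalent command line: wevtutil qe $LogName "/q:$xpath" /f:text
    Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue
}

function Export-EventLogArchive {
    # wevtutil epl wrapper suited to a scheduled task: one .evtx per log per run.
    param([string[]]$LogName = @('System', 'Application'), [string]$Folder = 'C:\LogArchive')
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    foreach ($log in $LogName) {
        $file = Join-Path $Folder "$env:COMPUTERNAME-$log-$stamp.evtx"
        & wevtutil epl $log $file
        if ($LASTEXITCODE -eq 0) { Get-Item $file } else { Write-Warning "export of $log failed (exit $LASTEXITCODE)" }
    }
}

# The post's first query, expressed in local time and converted for you:
Get-EventLogXPath -Start '2012-03-09 00:00' -End '2012-03-09 15:00'
Get-EventsBetween -LogName System -Start '2012-03-09 00:00' -End '2012-03-09 15:00' |
    Select-Object -First 5 TimeCreated, Id, ProviderName
Export-EventLogArchive
```

On a server in UTC+1 the first call prints a query starting at 2012-03-08T23:00:00.000Z, which is what the log actually contains for local midnight; the original command would have skipped the first hour.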

Windows 2008 : Renaming the Local Administrator Account


Recently I was looking into an issue where a Group Policy Preferences setting to rename the administrator (built-in) account was generating the following error message:

Log Name:      Application
Source:        Group Policy Local Users and Groups
Date:          13/02/2012 11:23:34
Event ID:      4098

The computer ‘Administrator (built-in)’ preference item in the ‘Member_Server_Policy {AF5D1786-0EBF-4C78-BEAA-581F35735016}’ Group Policy object did not apply because it failed with error code ‘0x80070524 The specified account already exists.’ This error was suppressed.

After some initial troubleshooting I opted to modify the way the rename policy was set up by using the more traditional method for changing the administrator user account name.

Open Group Policy Object Editor for the policy you want to use to rename the Administrator account, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Security Options. Change the setting titled ‘Accounts: Rename administrator account.’
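A verification step for the policy above, added here and not part of the original post: find the built-in Administrator by its well-known RID (the SID always ends in -500 whatever the account is called) and compare its name with the one the policy sets, and also report whether a different local account already holds that name, which is one cause of the "The specified account already exists" (0x80070524) failure quoted above. 'SrvAdmin' is a placeholder for your chosen name.

```powershell
# Added check (not from the original post). Assumed: local administrator rights on the
# target machine; 'SrvAdmin' below is a placeholder for the name set by the policy.

function Get-BuiltInAdministrator {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The built-in account keeps the *-500 SID whatever it is renamed to.
    # LocalAccount=True keeps WMI from enumerating domain accounts as well.
    Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True AND SID LIKE '%-500'" |
        Select-Object Name, SID, Disabled, Lockout
}

function Test-AdministratorRenamed {
    param(
        [Parameter(Mandatory=$true)][string]$ExpectedName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $acct = Get-BuiltInAdministrator -ComputerName $ComputerName

    # Another local account already using the target name blocks the rename.
    $clash = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
             -Filter "LocalAccount=True AND Name='$ExpectedName'"
    if ($clash -and $clash.SID -ne $acct.SID) {
        Write-Warning "$ComputerName : a different local account ($($clash.SID)) already uses the name '$ExpectedName'"
    }

    if ($acct.Name -eq $ExpectedName) {
        $true
    } else {
        Write-Warning "$ComputerName : built-in administrator is '$($acct.Name)', expected '$ExpectedName'"
        $false
    }
}

Test-AdministratorRenamed -ExpectedName 'SrvAdmin'
```

Run it with -ComputerName against the members of the policy's OU after a gpupdate to confirm the Security Options setting has applied everywhere the preference item was failing.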