Windows 2008 – CB-Net
Tech snippets and my personal knowledgebase!

Windows 2008 R2 ; Update Computer Account Group Membership Online
Wed, 13 Mar 2013 13:50:47 +0000

Useful if you use groups for certificate enrolment etc.; you can update the computer’s group membership without having to reboot the server using the following process:

  1. From an elevated command prompt run the command: klist -lh 0 -li 0x3e7 purge
  2. Then enumerate computer group membership again using: gpupdate /force

Windows ; Disconnected RDP Session Search and Destroy!
Mon, 04 Mar 2013 12:52:01 +0000

Every so often I’ll end up with a disconnected RDP session somewhere which causes chaos come password reset day; locking my account out etc. I came across the following script over at http://www.akaplan.com/blog/ which will search for RDP/RDS sessions on every server in a domain for a particular user. Run using cscript.exe serversessions.vbs.

 

{code lang:ini showtitle:false lines:false hidden:false}'ServerSessions.vbs
'Lists and optionally resets a user's server sessions
'Alan dot Kaplan at VA dot Gov.
'10/24/2011. 10/26 version fixed logging when list only

Option Explicit
Dim wshShell
Set wshShell = WScript.CreateObject("WScript.Shell")
Dim retval
Const ADS_CHASE_REFERRALS_ALWAYS = &H20
Dim oConn, oCmd, oRS
Dim strADSPath, strADOQuery
Dim strDomainCN
Dim fso, logfile, appendout
Dim strUser, strSessionID

'Get the default ADsPath for the domain to search.
Dim root: Set root = GetObject("LDAP://rootDSE")
strADSPath = root.Get("defaultNamingContext")

Const ForAppend = 8
Set fso = CreateObject("Scripting.FileSystemObject")

'Double-quote character; assigned up front so it is also set when already running under CScript
Dim quote
quote = Chr(34)

If (Not IsCScript()) Then         'If not CScript, re-run with cscript...
    WshShell.Run "CScript.exe " & quote & WScript.ScriptFullName & quote, 1, True
    WScript.Quit     '...and stop running as WScript
End If

If InStr(1,MyOS,"Server",1) = 0 Then
    MsgBox "You must run this from server OS",vbExclamation + vbOKOnly,"Error"
    'WScript.Quit
End If

retval = MsgBox("This script will identify and optionally logoff disconnected sessions for a user on all of the servers " & _
    "in AD within a domain. Do you want to continue?",vbYesNo + vbQuestion,"Get List of all Servers")
    If retval = vbNo Then WScript.Quit

strADSPath = InputBox("Get server list from what domain","Domain",strADSPath)
    If strADSPath = "" Then WScript.Quit

strUser = InputBox("Search for what username?","User Name",wshShell.ExpandEnvironmentStrings("%USERNAME%"))
If strUser = "" Then WScript.Quit

Dim message
message =   "Do you want to:" & VbCrLf & _
            "1) Get list only" & VbCrLf & _
            "2) Reset disconnected sessions" & VbCrLf & _
            "3) Reset all sessions for user" & VbCrLf & _
            "0) Quit"

Dim iActionType
iActionType = InputBox(message,"Choose Action",1)
iActionType = CDbl(iActionType)
If iActionType = 0 Then WScript.Quit

GetServerList
wshShell.Run "notepad.exe " & quote & logfile & quote

' =========== Functions and Subs ==========

Sub GetServerList()

    '--- Set up the connection ---
    Set oConn = CreateObject("ADODB.Connection")
    Set oCmd = CreateObject("ADODB.Command")
    oConn.Provider = "ADsDSOObject"
    oConn.Open "ADs Provider"
    Set oCmd.ActiveConnection = oConn
    oCmd.Properties("Page Size") = 50
    oCmd.Properties("Chase referrals") = ADS_CHASE_REFERRALS_ALWAYS

    'Log file on the desktop, named after the user and the domain searched
    logfile = Replace(strADSPath,",","_")
    logfile = Replace(logfile,"DC=","")
    logfile = wshShell.ExpandEnvironmentStrings("%userprofile%") & "\desktop\" & strUser & " In " & logfile & ".txt"

    If fso.FileExists(logfile) Then fso.DeleteFile logfile,True
    Set AppendOut = fso.OpenTextFile(logfile, ForAppend, True)
    strDomainCN = DomainCN(strADSPath)

    '--- Build the query string: every computer object whose OS contains "Server" ---
    strADOQuery = "<LDAP://" & strDomainCN & "/" & strADSPath & ">;" & "(&(OperatingSystem=*Server*)(objectClass=computer))" & ";" & _
     "Name;subtree"
    oCmd.CommandText = strADOQuery

    '--- Execute the query for the object in the directory ---
    Set oRS = oCmd.Execute
    If oRS.EOF And oRS.BOF Then
        MsgBox "No Servers AD entries found!",vbCritical + vbOKOnly,"Failed"
        AppendOut.WriteLine "Query Failed"
    Else
        While Not oRS.EOF
            SessionQuery oRS.Fields("Name")
            oRS.MoveNext
        Wend
    End If

    oRS.Close
    oConn.Close
    'Close the log so it is flushed before Notepad opens it
    AppendOut.Close
End Sub

Sub SessionQuery (strServer)
    WScript.Echo "Checking " & strServer
    Dim objEx, data
    Set objEx = WshShell.Exec("QWinsta /server:" & strServer)
    'one line at a time
    While Not (objEx.StdOut.AtEndOfStream)
        data = objEx.StdOut.ReadLine
        If InStr(1,data,strUser,1) Then
            strSessionID = GetSession(data)
            If iActionType = 1 Then
                EchoAndLog strServer & ",found session for " & strUser
            Else
                WScript.Echo strServer & ",found session for " & strUser
            End If
            'always logoff
            If iActionType = 3 Then ResetSession strServer, strSessionID

            'Logoff disconnected
            If iActionType = 2 And InStr(1,data,"disc",1) Then
                ResetSession strServer,strSessionID
            End If
        End If
    Wend
End Sub

Sub ResetSession(strServer, ID)
    Dim strCommand, oExec
    strCommand = "reset session " & ID & " /server:" & strServer
    Set oExec = WshShell.Exec(strCommand)
    WScript.Sleep 500

    'this is typically empty
    While Not (oExec.StdOut.AtEndOfStream)
        EchoAndLog oExec.StdOut.ReadLine
    Wend

    If oExec.ExitCode <> 0 Then
        EchoAndLog strServer & ",Problem resetting session " & ID & " on server " & strServer & ", Non-zero exit code, " & oExec.ExitCode
    Else
        EchoAndLog strServer & ",Reset session " & ID & " on server " & strServer
    End If
End Sub

'Convert DC=example,DC=com into example.com
Function DomainCN(strPath)
    DomainCN = Replace(strPath,",",".")
    DomainCN = Replace(DomainCN,"DC=","")
End Function

Function MyOS()
    Dim oWMI, ColOS, ObjOS, OSver
    Set oWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set ColOS = oWMI.ExecQuery("SELECT Caption, version FROM Win32_OperatingSystem")

    For Each ObjOS In ColOS
        MyOS = ObjOS.Caption & Space(1) & ObjOS.Version
    Next
End Function

'Return the session ID: the token that follows the user name on a QWinsta line
Function GetSession(text)
    text = Strip(LCase(text))
    Dim tArray, i

    tArray = Split(text,Space(1))
    i = 0
    While tArray(i) <> LCase(strUser)
        i = i + 1
    Wend

    GetSession = tArray(i+1)
End Function

'Collapse tabs and runs of spaces into single spaces
Function Strip(text)
    text = Replace(text,vbTab,Space(1))
    While InStr(text,Space(2)) > 0
        text = Replace(text,Space(2),Space(1))
    Wend
    Strip = text
End Function

Sub EchoAndLog (message)
    'Echo output and write to log
    WScript.Echo message
    AppendOut.WriteLine message
End Sub

Function IsCScript()
    If (InStr(UCase(WScript.FullName), "CSCRIPT") <> 0) Then
        IsCScript = True
    Else
        IsCScript = False
    End If
End Function

{/code}
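The script above selects QWinsta lines with a substring test on the whole line, so a search for one account name also hits lines for longer names that contain it. The following is an added example, not part of the original script or post: it parses QWinsta output into fields and matches the user name exactly. The function names and the sample output are constructed for illustration.

```powershell
# Constructed sample of `qwinsta /server:<name>` output (not captured from a real host).
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp#0         bobby                     2  Active
                   bob                       3  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

# Hypothetical helper: turn QWinsta text into objects using the header's
# USERNAME column offset, so a blank session name or user name is handled.
function ConvertFrom-QwinstaOutput {
    param([string[]]$Lines)
    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME\s+USERNAME' } | Select-Object -First 1
    if (-not $header) { return }
    $userStart = $header.IndexOf('USERNAME')
    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Length -le $userStart) { continue }
        $tokens = @($line.Substring($userStart).Trim() -split '\s+')
        if ($tokens.Count -lt 2) { continue }
        # "user id state" when the second token is numeric, otherwise "id state"
        if ($tokens[1] -match '^\d+$') { $user, $id, $state = $tokens[0..2] }
        else { $user = ''; $id, $state = $tokens[0..1] }
        if ($id -notmatch '^\d+$') { continue }   # not a session row
        [pscustomobject]@{
            SessionName = $line.Substring(1, $userStart - 1).Trim()
            UserName    = $user
            Id          = [int]$id
            State       = $state
        }
    }
}

# Hypothetical helper: disconnected sessions for exactly one account name.
function Get-DisconnectedSession {
    param([string[]]$Lines, [string]$UserName)
    ConvertFrom-QwinstaOutput -Lines $Lines |
        Where-Object { $_.UserName -eq $UserName -and $_.State -like 'Disc*' }
}

# Returns only session 3; bobby's active session 2 is not selected.
Get-DisconnectedSession -Lines $sample -UserName 'bob'
```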

 

 


WSUS : Enforce SSL Connectivity via Powershell
Sat, 19 May 2012 16:53:46 +0000

This simple PowerShell script will convert your WSUS install from HTTP to HTTPS; simply modify the server fully qualified domain name (FQDN). This is also useful for HTTPS-based System Center 2012 Configuration Manager deployments.

Note that you also require the Execution Policy to be set to RemoteSigned (use the command ‘Set-ExecutionPolicy RemoteSigned’ to change this).

 

{code lang:css showtitle:false lines:false hidden:false}Import-Module webadministration

# Require SSL on the five WSUS virtual directories
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/APIRemoting30"

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/ClientWebService"

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/DSSAuthWebService"

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/ServerSyncWebService"

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/SimpleAuthWebService"

# Tell WSUS to use SSL; replace <server fqdn> with the server's FQDN
cd "C:\Program Files\Update Services\Tools"

.\WSUSUtil.exe configuressl <server fqdn>

# Enable the built-in firewall rule for WSUS over HTTPS
Netsh AdvFirewall Firewall set rule name="Windows Server Update Services (HTTPS)" new enable=yes{/code}

 

Now browse to the WSUS Administration site in IIS and edit the HTTPS binding to use the correct certificate.
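To confirm the change took effect, the settings can be read back from IIS. The following is an added example, not part of the original post: the function names are hypothetical, the site and virtual directory names are the ones used in the script above, and it assumes it is run on the WSUS server with the WebAdministration module available.

```powershell
Import-Module WebAdministration

$site  = 'WSUS Administration'
$vdirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
         'ServerSyncWebService', 'SimpleAuthWebService'

# Hypothetical helper: report the sslFlags value of each virtual directory
# and whether it includes the "Ssl" (require SSL) flag.
function Test-WsusSslRequired {
    foreach ($vdir in $vdirs) {
        $raw = Get-WebConfigurationProperty -Filter //security/access -Name sslFlags `
                   -PSPath 'IIS:\' -Location "$site/$vdir"
        # Accept either a plain string or an object exposing .Value
        $flags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
        [pscustomobject]@{
            Location    = "$site/$vdir"
            SslFlags    = $flags
            RequiresSsl = ($flags -split ',') -contains 'Ssl'
        }
    }
}

# Hypothetical helper: check that the site has an HTTPS binding and that a
# certificate is attached to it.
function Test-WsusHttpsBinding {
    $bindings = @(Get-WebBinding -Name $site -Protocol https)
    [pscustomobject]@{
        Site            = $site
        HasHttpsBinding = $bindings.Count -gt 0
        HasCertificate  = [bool]($bindings | Where-Object { $_.certificateHash })
    }
}

Test-WsusSslRequired | Format-Table -AutoSize
Test-WsusHttpsBinding | Format-List
```

Any row with RequiresSsl set to False, or HasCertificate set to False, means the corresponding step above still needs to be completed.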


AD CS : CertSrv Website “No certificate templates could be found”
Wed, 25 Apr 2012 09:49:32 +0000

Recently I deployed two Windows 2008 R2 Enterprise Subordinate Certificate Authorities. Whilst these have been issuing certificates requested through Autoenrollment, I noticed today that the web interface for requests wasn’t working properly using https://<caname>/certsrv. When clicking on ‘Request a certificate’, then ‘Create and submit a request to this CA’, I would then get the following error message:

“No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.”

After digging about, it turned out that this is resolved by using IIS Manager and changing the DefaultAppPool Identity to NetworkService from ApplicationPoolIdentity:

  1. This is available by right-clicking the DefaultAppPool under Application Pools and selecting “Advanced Settings...”
  2. Look for the “Identity” value under Process Model and change to NetworkService.
  3. Once completed perform an iisreset on the CA.

IIS : Windows Authentication 401.2 Unauthorised
Wed, 25 Apr 2012 06:08:22 +0000

Having deployed a couple of Certificate Authorities recently I ran into an issue with the Web interface http://<caname>/certsrv where despite entering valid credentials I was continually prompted for a username and password, and eventually a 401.2 Unauthorised error.


On further investigation it turned out that the Windows Authentication providers were the cause; changing this from Negotiate,NTLM to NTLM,Negotiate (you could even remove the Negotiate provider) resolves this issue.

To modify the providers, open up IIS Manager, navigate to the CertSrv virtual directory and double-click Authentication:


Select “Windows Authentication,” then from the Action Pane select “Providers…” 


Finally increase the priority of the NTLM provider by selecting it and clicking “Move Up”



AD DS : Find Users with Specific Home Drive Path
Mon, 23 Apr 2012 05:42:14 +0000

I had to move some users’ home directories from one server to another recently; the users, Mac users, had their home drive set in AD DS rather than using folder redirection determined by Group Policy.

In AD Users and Computers I used the following custom search to identify all of the users; change *server name* to suit your environment:

{code lang:css showtitle:false lines:false hidden:false}(&(objectClass=user)(objectCategory=person)(homeDirectory=*server name*)){/code}

For example, if your file server was called FILESRV1 you would change the query to use *FILESRV1*:

{code lang:css showtitle:false lines:false hidden:false}(&(objectClass=user)(objectCategory=person)(homeDirectory=*FILESRV1*)){/code}


Windows 2008 R2 : Failover Cluster Manager – Move Cluster Group
Wed, 28 Mar 2012 06:59:29 +0000

You’ve probably noticed that in Failover Cluster Manager you don’t have the option to move the cluster group resources like you did in Windows 2000/2003. It is possible to move this group, however you’ll have to use either Windows Powershell or Command Prompt to achieve this.

Using Windows PowerShell:
  Move-ClusterGroup "Cluster Group"
  Move-ClusterGroup "Available Storage"

Using the CLI and cluster.exe:
  cluster group "Cluster Group" /move
  cluster group "Available Storage" /move


Server Core : Query the Event Log from the Command Line
Mon, 12 Mar 2012 08:37:53 +0000

Use the following command to list events in the SYSTEM event log from 00:00 to 15:00 on 9th March:

{code lang:css showtitle:false lines:false hidden:false}wevtutil qe system "/q:*[System[TimeCreated[@SystemTime>='2012-03-09T00:00:00' and @SystemTime<'2012-03-09T15:00:00']]]" /f:text{/code}

Use the following command to query the SYSTEM event log for any event at or after midnight on 12th March:

{code lang:css showtitle:false lines:false hidden:false}wevtutil qe system "/q:*[System[TimeCreated[@SystemTime>='2012-03-12T00:00:00']]]" /f:text{/code}

 


Windows 2008 : Export Event Log Using wevtutil
Wed, 22 Feb 2012 18:55:29 +0000

Use the following command to quickly export the SYSTEM event log from your server; this can also be used in a scheduled task to archive event logs:

wevtutil epl SYSTEM C:\SystemLog.evt

To export the APPLICATION event log use the command:

wevtutil epl APPLICATION C:\ApplicationLog.evt


Windows 2008 : Renaming the Local Administrator Account
Mon, 20 Feb 2012 12:07:32 +0000

Recently I was looking into an issue where a Group Policy Preferences setting to rename the administrator (built-in) account was generating the following error message:

Log Name:      Application
Source:        Group Policy Local Users and Groups
Date:          13/02/2012 11:23:34
Event ID:      4098

Description:
The computer ‘Administrator (built-in)’ preference item in the ‘Member_Server_Policy {AF5D1786-0EBF-4C78-BEAA-581F35735016}’ Group Policy object did not apply because it failed with error code ‘0x80070524 The specified account already exists.’ This error was suppressed.

After some initial troubleshooting I opted to modify the way the rename policy was set up by using a more traditional method for changing the administrator user account name:

Open Group Policy Object Editor for the policy you want to use to rename the Administrator account, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Security Options. Change the setting titled ‘Accounts: Rename administrator account.’
