Category: Windows

Windows Operating System

Time Hierarchy in Active Directory

John Leave a comment

Time is more critical in Active Directory than many admins realise. Time inaccuracy can cause logs to mismatch or things like license failures for anything with DRM. Larger time differences can begin to cause authentication failures since Keberos relies on accurate time or affect replication health.

By default, all AD member machines synchronise with any available domain controller, and in turn domain controllers will synchronise with the PDC Emulator of that domain. This article by Microsoft explains most of the above along with a similar overview of setting up Time Sync correctly. Whenever doing a large audit for an on-premise AD customer or have the chance to build out a new AD Forest, we always recommend ensuring that the PDC gets it’s time from an accurate external time source, and I’ll usually go as far as setting up a set and forget GPO to manage this to ensure newer PDCs get this treatment.

To ensure we target only our PDC emulator we can create a WMI filter that we can use against the Group Policy object that we’ll be creating shortly. The following WMI query will filter a PDC Emulator in an AD environment

select * from Win32_ComputerSystem where DomainRole = 5

Next step is to create the Group Policy Object, in this case I’ve create a PDC External Time Sync GPO, open it up and go to Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers. We now want to configure the following settings as follows

Set Configure Windows NTP Client to Enabled
For NtpServer enter your NTP servers details: ntp.nml.csiro.au,0x9 ntp.monash.edu,0xa
For Type set to NTP
Set Enable Windows NTP Client to Enabled
Set Enable Windows NTP Server to Enabled

It’s also important to ensure you’re specifying the correct flags to ensure reliable time, with my example I’ve specified a primary and secondary time source to minimise any potential drift when Windows decides to synchronise. By making the primary NTP server flag 0x9, we made it “Client 0x08 + SpecialInterval 0x01” and as for the second NTP time server.
By making the secondary NTP peer flag 0xa, we made it “0x08 Client + 0x02 UseAsFallbackOnly”.The following options are available to use with w32tm.

0x01 SpecialInterval
0x02 UseAsFallbackOnly 
0x04 SymmatricActive 
0x08 Client

The final GPO should look something like this with the WMI filter attached an linked to an OU with your DCs.

Since I’m based in Australia I’ll tend to use au.pool.ntp.org or use the Australian Governments NMI NTP service, which requires you to get your public IP whitelisted but is unlikely to be poisoned or attacked unlike the NTP Pool project.

Hope that helps.

Bypass Windows 11 TPM Setup Checks

John Leave a comment

Quick one – I’m doing some testing in my home lab environment with Windows 11 and this box doesn’t have a TPM (so it’s not enabled in Hyper-V). Booting up the Windows 11 iso and trying to install will tell you that it’s unsupported. To get around that, load the setup as normal and once you reach the language and time screen press Shift+F10 to bring up the command prompt.  Type regedit and hit enter to launch Reg Edit for the pre-install environment.  Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\Setup registry hive and create a new Key called LabConfig.  Now under LabConfig create two DWROD (32-bit) values, one BypassTPMCheck and the other BypassSecureBootCheck and set both of these to a value of 1.  If you don’t have enough RAM allocated you can also add a DWORD of BypassRAMCheck and value of 1.

Once you’re done close up Regedit and the Command Prompt and you can start the setup process and install as normal.

Copying files from one server to another as a different user (two separate domains) using PowerShell

John Leave a comment

I’ve been working on needed to copy a number of files from one client site to another, my issue is that they have separate Active Directory domains and there is no trust between them. Using PowerShell, we can save a user credential and then use that to map a network drive with them and perform our copy.

We will setup the credential to be stored in a text file, although a cool feature of PowerShell it’s very limited in that it can only be decrypted by the user who created it on the same local machine (which is fine for our needs). The following cmdlet will prompt for a string to encrypt, which in this case is our password.

Read-Host -ASSecureString | ConvertFrom-SecureString | Out-File E:\Scripts\password.txt

Once done, we will build up our PowerShell script that will read the file, map a network drive via PowerShell which will use the secure credentials and then copy across our files.

$password = Get-Content E:\Scripts\password.txt | ConvertTo-SecureString
$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "domain\username",$pass

New-PSDrive -Name Z -PSProvider filesystem -Root "\10.15.2.5\Baseline$" -Credential $creds
Remove-Item -Path Z:\ -filter *.bak
Copy-Item -filter *.bak E:\Backup -Destination Z:\ -ErrorAction SilentlyContinue -ErrorVariable A
Remove-PSDrive Z

The script copies files, and is a quick and dirty way to get files from a server in one domain to another without any sort of trust.

Issues Deploying a Custom Windows 10 Start Menu Layout when using an image with a Default Profile

John 4 Comments

So I’m in the final stages of getting our Windows 10 Deployment ready to go and I am currently in the process of branding and customising our image, which includes setting a custom Start Menu Tile Layout.  This is done with the use of two PowerShell commands Export-StartMenuLayout and Import-StartMenuLayout.

I created our preferred start menu, exported on my test computer and then added a Task to our MDT Deployment Task Sequence.

I found that this completed without any errors but Windows was not applying the Start Menu, after a bit of digging around, I found an issue where if you have CopyProfile set to true in your unattend xml answer file then there is another step that you need to complete which is to delete the TileDataLayer folder located in C:\Users\Default\AppData\Local and once I added that line to my batch file the Start Menu appeared.  My complete batch file is as follows;

powershell.exe -ExecutionPolicy Bypass -Command "Copy-Item '%~dp0StartMenu.xml' -destination C:\Windows\Temp; Import-StartLayout -LayoutPath C:\Windows\Temp\StartMenu.xml -MountPath $env:SystemDrive\; Remove-Item C:\Windows\temp\StartMenu.xml -Force"
rmdir C:\Users\Default\AppData\Local\TileDataLayer /q /s

Hope that helps.

How to remove the Open File Security Warning Prompt during Driver Deployment or User Login when using MDT or SCCM

John Leave a comment

Security Warning with DriversDuring a deployment of Windows or even after Windows is deployed you see an Open File – Security Warning prompt when a .EXE runs (similar to the one on the right).

This happens because when you download an .EXE, .ZIP, or .CAB Internet Explorer (as well as Firefox and Chrome) saves what is called a Zone Identifier, telling the Operating System the file came from the internet and not a trusted zone.  In certain deployments this can happen several times when a user logs in to load all of the applications into the system tray, some of them being igfxtray.exe, apmsgfwd.exe, apntex.exe, apoint.exe, gfxui.exe, hidfind.exe, hkcmd.exe, igfxpers.exe.

To get around this we need to remove the ZoneIdentifier, we can use a small utility from SysInternals to do it.  Download Streams, copy it to your MDT or SCCM Server and run the following changing the path to a location containing your drivers;

streams.exe -s -d "E:\MDTDeploymentShare\Out-Of-Box Drivers"

Make sure you run that in an Administrative command prompt and accept the license agreement on the first run. Hope that helps.

Getting a machine product name and serial number using WMIC for use with MDT or SCCM

John Leave a comment

wmic csproduct get name outputQuick post today, I organise my driver folders into manufacturer and model and then use a task sequence to pick machine specific drivers. Getting the exact model name helps and one day to do that is via a WMI query. It’s a command I try to use quite a bit (and tend to forget the command half the time).

wmic csproduct get name

The result should give you the exact name returned by WMI and allow you to use it as a variable in your task sequence. Then, just plug in your model you are targeting into an MDT or SCCM task sequence condition. For an SCCM example;

SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%OptiPlex 9020%"

Another useful one is;

wmic bios get serialnumber

This one shows the machine serial number and if you’re not using SCCM can be useful for warranty claims.

The Network Policy Server Service (NPS or IAS) Fails to Start on Windows SBS Server 2008 with an unspecified error (0x80004005)

John Leave a comment

vss registry keySo I was recently helping out a client clean up their Small Business Server environment, one thing they weren’t using was SharePoint, so we decided to remove it from their SBS 2008 server. The removal went smoothly, simply uninstalling SharePoint Services via Add/Remove control panel did the trick. But after a restart we found that clients were no longer connecting to their Wireless network, so I went did some troubleshooting and found that the NPS service hadn’t started since boot-up.

I then tried starting it up but got an error after trying to start the service with an unspecified error 0x80004005 which was very helpful. After some more digging around and Google-Fu I found that this had to do with permissions on a registry entry for VSS. The following key needed to be updated from the value 1 to 0.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl

Make sure that the setting for NT AUTHORITY\NETWORK SERVICE is set to 1. If this is not and set to 0, change it to 1.  Once you have changed the value you can restart or terminate any IAShost.exe that are running via task manager and then start up the NPS service.

This issue has been documented by Microsoft to occur if you remove SharePoint from SBS Server 2008, so just a heads up if you do and rely on NPS for authentication for things like Remote Access or Wireless.

How to log into ASDM for a Cisco ASA when you get the Unable to launch device manager error

John Leave a comment

I like to keep my client’s devices up to date to prevent any issues from arising and have access to the devices latest features. Unfortunately not everyone is happy to pay that little extra to have an on-going support / maintenance agreement.  I was recently out at a customer who had an ASA 5505 which had been running for years but needed some new NAT translations added in.  So I fired up my laptop and loaded up ASDM Launcher, after typing in the credentials I got Unable to launch device manager on ASA-5505 error.  One thing I like to do when this happens is to check why, click on the Java icon in the login window and you will be prompted with the Java console, I saw the following;

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

java_securityThe main thing sticking out to me was Java couldn’t trust Server to fix this I needed to load up the Java control panel once open navigate to the Security tab > Edit Site List… > Add > Enter the URL of ASDM.  In my case that was https://192.168.1.254/ once I added that, click Ok and Apply and close out of your browser / ASDM Launcher.  Now if you try to log in again it should let you through into ASDM and allow you to make the changes you need.

Another method to resolve this error is to export the certificate of the device to your computer (use firefox and navigate to the appliance web page and export the SSL certificate) then import it into Java using the control panel method above but hit Manage Certificates…

If you’re running a new version of ASDM, this doesn’t happen, also some say downgrading Java to 1.6 will remove the issue also.  Hope that helps someone out.

Getting a list of users in Active Directory as well as their Logon Script using dsquery and dsget

John Leave a comment

So I’m preparing on doing a clean-up of our NETLOGON/SYSVOL folder containing about 50 or so different logon scripts (plenty of which I know are no longer used).  I wanted to create a list of all of our active directory users along with what logon script they were assigned (I could then feed this list into excel and play around).  I realised that I could get this information using dsquery, but how exactly do I build a query to get a logon script.  The following command is what I used, I will then break it down for a better understanding.

dsquery user -name * | dsget user -display -loscr > C:\users_script.txt

So we’ve got our dsquery, which is really looking for AD object types of user with a name of anything, so basically ALL user objects in Active Directory (you can also optionally specify a limit using -limit).  We then pass on this list to dsget which will use this information to obtain the objects’ display name (with -display) and logon script (-loscr).  I am then simply piping the output to a text file.

So that is a quick and easy way of getting a list of all users in AD along with their logon script.

Deploying printers via Group Policy and getting them pushed out the right way as well as solving driver installation issues (0x80070bcb Specified printer driver was not found and needs to be downloaded)

John 10 Comments

So we recently upgraded our printing infrastructure with a whole new lot of printers and software (along with a shiny new version of PaperCut MF) and have implemented a global queue or better known as Follow Me Printing.  So how do we go about pushing out all the new global printers to our users.  Well along with the 50 other projects we have on the go, one of them is a clean up of our group policy, so after removing around 15 GPOs related to our old printers I got to work.

So for starters I’ve created a GPO which will contain all of our Follow Me Printing settings, including deploying the PaperCut Client and Global Queue Printers. In our environment we have a mix of Windows XP, Windows Vista and Windows 7 which will all handle printers being deployed via Group Policy differently (Microsoft make things so easy, don’t they).  For XP, things are simple, simply add the printer to be deployed either by user or computer preference under control panel > printers. For Vista and 7 however this is where it gets tricky.  If you are using a driver which has been loaded on the machine before, the printer will deploy, otherwise you will receive an error in the event log such as the following:

The user 'Printer Name Here' preference item in the 'Group Policy Object
{GUID-GOES-HERE}' Group Policy object did not apply because it failed with
error code '0x80070bcb The specified printer driver was not found on the system
and needs to be downloaded.' This error was suppressed.

This basically means that the client couldn’t download the driver, but the real reason is because of UAC and the computer not requesting permission to install a driver. Thankfully there is a Policy that we can enable that will allow us to set the permission requirements during printer driver installation.

Using the Point and Print Restrictions Policy we can enable printer driver installation without it getting hassled by UAC. Under Windows Vista it is a User Policy and on Windows 7 it is a Computer Policy (I have both enabled for good measure). So enable toe Point and Print Restrictions Policy and change the following options:

  • When installing drivers for a new connection: Do not show warning or elevation prompt
  • When updating drivers for an existing connection: Show warning only

Once we have configured the Point and Print Restrictions Policy printers will download and install on any client computer that the Object is targeting.

Hope that helps a few people out when setting up and configuring their Group Policy Printer Distribution, any queries please comment.