Page 1
Standard

Rejoin computers in domain without restart

By On In Powershell, Windows

Method 1:

The trust relationship between this workstation and the primary domain failed.

trust1

Due to this error you cannot login into server or computer with domain credentials. In old days I had to disjoin this server or computer from domain, reboot and rejoin again. This was big headache for Mission Critical servers. If you like using Powershell for system management it is very easy to rejoin computer account to domain without restarting server. You must have at least Powershell version 3 to use this command which is by default there in windows 2012 server version and windows 8.
Once powershell is fired up you have to just run below command to rejoin computer into domain without restart.
 trust2
It will simply repair broken computer account password on your computer. and will give message True. Once this is done and you can logoff and test logging with your Domain account.
Method 2:
Reset-ComputerMachinePassword -Credential (Get-Credential)

Once you execute it will ask for your domain admin username and password.

trust3

 

Standard

Sharepoint 2010: Search DB Crawl Store is to large

By On In Windows

What’s in Search Crawl SQL database anyway?

Inside are information about status, time etc. found by crawling.

average size for crawl = 0,046 * (content SQL DB)

How to reduce size of Crawl Search SQL DB?

From SharePoint 2010 we can use Health Analyzer for reducing big sized Crawl Search DB. If you for any reason stop crawling scheduled job or remove crawled content then sometimes indexing generates too big search database.

Or it might be fragmented indices. In this case just found rule Search in Health Analyzer and set the rule, that will automatically defrag if many fragmented indices are found.

Search Crawl database often have plenty of empty space. If with defragmentation we didn’t get wanted result, than you can restore crawl db in 2 different ways.

In SharePoint admin console:

Central Administration found Search Administration
Stop All Crawl in content Sources
In Index reset undo Deactivate search alerts during reset in click on Reset Now

In SQL server:

Found Search DB Crawl and open All Tasks – Shrink – Database: undo Reorganize files before releasing unused space
Again for All Tasks – Shrink – Files: undo Release unused space files before releasing unused space

Standard

How to manage Office 2013 screens by GPO

By On In Office

How to manage the First Run screens that appear when Microsoft Office 2013 applications are first launched

Microsoft Office 2013 shows the following screens when an application is launched for the first time:

 

office1

office2

office3

office4

 

Group Policy Management Editor

STEP ONE: If you have not already, download the Office 2013 Administrative Template files. These can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=35554

STEP TWO: Copy the ADMX files to %systemroot%\PolicyDefinitions and the ADML files to the language specific folder (such as en-us) under %systemroot%\PolicyDefinitions.

STEP THREE: Using the Group Policy Management Editor go to User Configuration | Policies | Administrative Templates: Policy definitions | Microsoft Office 2013 | First Run

office5

STEP FOUR: Set the Disable First Run Movie to Enabled and the Disable Office First Run on application boot to Enabled

office6

office7

 

How to manage the Opt-in or First things first prompt when Microsoft Office 2013 applications are first launched

Like the Office 2010 Welcome screen, Office 2013 shows the following First things first prompt, when a user launches an application for the first time:

 

office8

Group Policy:

STEP ONE: If you have not already, download the Office 2013 Administrative Template files. These can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=35554

STEP TWO: Copy the ADMX files to %systemroot%\PolicyDefinitions and the ADML files to the language specific folder (such as en-us) under %systemroot%\PolicyDefinitions.

STEP THREE: Using the Group Policy Management Editor go to User Configuration | Policies | Administrative Templates: Policy definitions | Microsoft Office 2013 | Privacy | Trust Center

office9

 

STEP FOUR: Configure each setting under Trust Center that best suits your needs.  If you wish to disable all of these settings, set the first one to Enabled and all the rest to Disabled as shown below

office10

 

How to manage the Start screen for all Microsoft Office 2013 applications

Unlike earlier versions of Microsoft Office, the Microsoft Office 2013 applications, when started, show a Start screen similar to the following, rather than opening the default blank template:

office11

Group Policy:

STEP ONE: If you have not already, download the Office 2013 Administrative Template files. These can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=35554

STEP TWO: Copy the ADMX files to %systemroot%\PolicyDefinitions and the ADML files to the language specific folder (such as en-us) under %systemroot%\PolicyDefinitions.

STEP THREE: Using the Group Policy Management Editor, locate the “Disable the Office Start screen for all Office applications” under User Configuration | Policies | Administrative Templates: Policy definitions | Microsoft Office 2013 | Miscellaneous:

office12

STEP FOUR: Enable the “Disable the Office Start screen for all Office applications” setting:

office13

 

Standard

Create KMS SRV records in DNS

By On In Windows

This post’s goal is to show you how you can configure the DNS SRV records in order for clients to be able to automatically detect the KMS server in the environment.

  1. Open the DNS mmc.
  2. Expand the DNS Zone to the domain required.
  3. Right-click on the “_tcp folder”, select “Other New Records”.
  4. As new record type, pick Service Location (SRV).
  5. Fill in the following information for the new record:
  • Service: “_VLMCS” (Not in the drop down list, type it in and be sure to include the underscore.
    Protocol: _tcp
    Port: 1688
    Priority: # (Can be left at 0 or changed according to your needs)
    Host offering the service: your_servers’_FQDN. (IMPORTANT: Be sure to include the dot at the end of the FQDN.

This procedure is also for a second KMS host. Let’s say you have dynamic updates in your DNS, and your first KMS host actually created the records automatically and everything in the environment is working.

In case you would like to add a seconday KMS host for redundancy, you will have to create the second KMS host manually.

Standard

How to open the firewall port for SQL Server

By On In Firewall, Windows

This script opens the firewall ports for SQL Server.

To create the script, follow these steps:

Start Notepad.
Copy and paste the following code into Notepad:

netsh advfirewall firewall add rule name=”Open Port 80″ dir=in action=allow protocol=TCP localport=80

@echo ========= SQL Server Ports ===================
@echo Enabling SQLServer default instance port 1433
netsh advfirewall firewall add rule name=”SQL Server” dir=in action=allow protocol=TCP localport=1433
@echo Enabling Dedicated Admin Connection port 1434
netsh advfirewall firewall add rule name=”SQL Admin Connection” dir=in action=allow protocol=TCP localport=1434
@echo Enabling Conventional SQL Server Service Broker port 4022
netsh advfirewall firewall add rule name=”SQL Service Broker” dir=in action=allow protocol=TCP localport=4022
@echo Enabling Transact SQL/RPC port 135
netsh advfirewall firewall add rule name=”SQL Debugger/RPC” dir=in action=allow protocol=TCP localport=135
@echo ========= Analysis Services Ports ==============
@echo Enabling SSAS Default Instance port 2383
netsh advfirewall firewall add rule name=”Analysis Services” dir=in action=allow protocol=TCP localport=2383
@echo Enabling SQL Server Browser Service port 2382
netsh advfirewall firewall add rule name=”SQL Browser” dir=in action=allow protocol=TCP localport=2382

Save the file as a .bat file by using the following name: OpenSqlServerPort.bat

Standard

Import PFX Certificate via Group Policy Preferences

By On In Uncategorized

I have a vendor with a web-based service that requires a password encrypted .PFX certificate to be imported into the user’s Personal certificate store.

Group Policy

When I opened up Group Policy Management and navigated to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies, I found several certificate stores that I could import the .PFX file into. The Trusted Root Certification Authorities or Trusted Publishers stores would seem like good places to import this vendor certificate, but neither are the correct store that the vendor requires.

User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies also had a few stores I could target, but none contain the User’s Personal store. The correct store can be found via Internet Explorer -> Internet Options -> Content -> Certificates -> Personal. Unfortunately, Group Policy isn’t able to target this certificate store.

Scripts

Since Group Policy and Group Policy Preferences didn’t offer a way to import a .PFX certificate into a user’s Personal certificate store, I turned to scripting the solution.
I first placed the vendorcertificate.pfx on a network share (e.g. %LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx).
Next I created a .BAT script named import-certificate.bat which runs this command:

certutil -f -user -p “CertificatePassword” -importpfx “%LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx” NoRoot

Then created a .VBS script named import-certificate-silently.vbs that will run the import-certificate.bat script silently (so the user does not see a flash of the CMD window when this runs):

Set oShell = CreateObject (“Wscript.Shell”)
Dim strArgs
strArgs = “cmd /c %LOGONSERVER%\netlogon\certificates\import-certificate.bat”
oShell.Run strArgs, 0, false

Group Policy Preference Schedule Tasks

I then returned to Group Policy Management and navigated to User Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks. I created a Scheduled Task that runs 30 seconds after the user logs in. The schedule task runs %LOGONSERVER%\netlogon\certificates\import-certificate-silently.bat.

The result is that when Citrix user who belongs to the security group in Active Directory logs into their virtual desktop, the required SSL Certificate is automatically installed in their User -> Personal certificate store.

Standard

How to enable Remote Desktop remotely using Powershell

By On In Roles and Features, Windows

In Windows Server 2012, remote management is enabled by default but not Remote Desktop. To enable RDP on the server, add the target server to the Server Manager and run remote Powershell console.

On the remote Powershell console, enable remote desktop and firewall using the following cmdlets:

1) Enable Remote Desktop
set-ItemProperty -Path ‘HKLM:\System\CurrentControlSet\Control\Terminal Server’-name “fDenyTSConnections” -Value 0

2) Allow incoming RDP on firewall
Enable-NetFirewallRule -DisplayGroup “Remote Desktop”

3) Enable secure RDP authentication
set-ItemProperty -Path ‘HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “UserAuthentication” -Value 1

Standard

Configure Internet Explorer IE 11 Home Page / Proxy Settings in Group Policy Preferences

By On In Group Policies, Preferences

1) Open up Group Policy Management Console. Branch out until you get to the Group Policy Objects folder. Right click on it and click new.

ie11 pref 01

2) In the box that appears enter the name “Internet Explorer 11 Settings” and click ok.

3) Right click on the GPO you just created and click edit.

4) Branch out User, Configuration, Preferences, Control Panel Settings. Then click on Internet settings.

ie11 pref 02

 

5) Right click on the right hand side and then click new Internet Explorer 10 (Dont worry. If editing from a 2012 R2 server or a Windows 8.1 machines this also means IE11)

6) You will be prompted with the box below. Notice each field has green lines and red lines underneath it.

ie11 pref 03

 

7) Type a URL in for the home page. Notice how its still red. This means it wont take effect.

ie11 pref 04

 

8) With the cursor still in the text box press the F6 key. This will then make the line go green. This will now be part of the policy. Dont forget if you want this page to always launch you need to change IE10 / IE11 default behaviour and select “Start with home page”.

ie11 pref 05

 

9) If you want to set the proxy information go to the connections tab, then click the LAN settings button at the bottom.

ie11 pref 06

 

10) Tick the use a proxy server for your LAN option. Then enter your address and port number. Note how the options again are red.

ie11 pref 07

 

11) Once happy press the F6 Key to make them green. Click ok.

ie11 pref 08

 

Apply the GPO to your relevant OU and your good to go.

Standard

Configuring Domain Controller and Standalone Server To NTP Server

By On In Windows

What Was doing is that to point the PDC Emulator to NTP Time Server. In some large environment, by identifying the Server that hold PDC Emulator of domain controller is vital.

To point the domain controller to NTP Time Server is either to edit the Registry or using Command.

By Using Command is simple,

w32tm /config /syncfromflags:manual /manualpeerlist:192.168.1.10

However, I prefer to edit Registry. Before I modify the registry, I backup the servers and export the registry. This is to restore back if something failure.

1. Run Regedit

2. Expand the tree and find the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters\Type

Change from NT5DS to NTP

3. change the Announce Flags at the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

Edit the DWORD Value to 5. notice that the default value is “a”

4. Enable the NTP Server at the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProvides\NTPServer\Enabled

Change the value from 0 to 1

5. Change the NTPServer IP at the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters\NtpServer

Change from time.windows.com,0x1 to the IP address of NTP time Server. For example,  192.168.1.1,0×1

6. Stop and Start the Service

Net Stop W32time

Net Start W32time

Here is the result below:

NTP1

For synchronizing the time on the domain members and other domain controller / child domain controller, you need to wait 15-30 minutes to update or you can manually sync using command below:

w32tm /resync

For Standalone Workgroup Server, There are 2 option: 1. Point Directly to NTP Time Server or 2.Point and Synchronize to the PDC domain controller. So,  I just need to point not directly to NTP Time Server because in my environment, it has the domain controller.

how and I going to do it?

1. Edit and Modify the Registry at

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters\NtpServer

Change from time.windows.com,0x1 to the IP address of NTP time Server. For example,  my domain contrller is 192.168.1.10, so therefore I just put as 192.168.1.10,0×9

Here is the result I get,

NTP2

I wasn’t expected this output above. The source should be 192.168.1.10,0×9

I got so many tested this thing where I also tried to change from “0x9″ to “0x8″ and suddenly it works. and when I reverted back to 0x9, it did not work.

The funny thing also I put FQDN of the domain controller (192.168.1.10 dcexc.netoverme.info) in to the host file (c:\windows\system32\drivers\etc\hosts) and it works.

then I remove the FQDN dcexc.netoverme.info from the Hosts File and it did not work. well, that’s funny. I suspect is that connectivity problem and having delay updating and synchronise to the domain controller, after I kept repeating running the

“w32tm /query /status ” and then it works..

the output should be like below:

NTP3

Also check the Event viewer (Event ID 37) where it validates the time synchronization.

NTP4

 

Standard

How to use Group Policy to control Services

By On In Group Policies, Preferences

Services are programs that are configured to run in the background of a Windows computer weather or not there is a users that is logged on. They are essential part of windows and are essential to the operation of any windows computers. Without services computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows Services is a vita task for IT administrators.

Quite often disabling services on a computer is the best way to reduce the security surface of a computer or to improve performance by turning off un-used components of the OS. Inversely it is also very important to have the ability to turn on services to enable certain functionality or to ensure that certain services are not turned off.

Below I will go through the two ways you can control services in windows by using Group Policy each ways has its own advantages and/disadvantages but together you can pretty much control any system service the way you want.

In the examples below I am going to show you how to enable the “Applications Identification” service that is required to be enabled to make AppLocker work in Windows 7. If you want to learn more about AppLocker then check out my other post

Using Group Policy to configured a Service

Even since Group Policy was introduced to Windows 2000 you have been able to configured some aspects of services using native group policy.

Now that you can control service using Group Policy Preference there are only two reason that you will still want to use this method.

  1. You want to control services on Windows 2000 or a computer that does not have the client side extensions installed.
  2. You want to configure the security so that non-administrators can start,stop and pause the service.

Step 1. Edit a computer Group Policy Object that is targeted at the computer that you want to configure

Step 2. Select the services that you want to configure.

Note: If the service that you want to configure is not present in the list you will need to install GPMC on a computer that has the service running. This is a painful restriction of controlling services this way and

GPO Service 01

Step 3. From the menu click on Action > Properties then tick “Define this policy setting” and then configured the service startup mode to what you want it configured.

GPO Service 02

Step 4. If you click on the “Edit Security…” button you can also configured who has control over the service. This would be useful if you want to give end users the ability to start and stop specific services. Tip: Tick “Start, stop and pause” for INTERACTIVE if you want the logged on user to control the services.

GPO Service 03

Now that you have configured the services via group policy you will need to reboot the computer for the new startup mode to take affect. This means if you are disabling a service then it will not stop until your next reboot which could be may days, weeks or even months after you made the policy change.

Using Group Policy Preferences to configure a Service

The newer and almost always better way to configure service now is to you the Group Policy Preference Services options. As opposed to the native method which only allowed you to control the startup and security of service, preference now allows you much greater control.

The only reasons you would not want to use Group Policy Preference to control services are:

  1. You need to configured the startup mode of a service on a computer running Windows 2000 or one that is not running the client side extensions.
  2. You want to be able to configured the security to allow non-admin to start, stop or pause the service.

Always remember that when you do configure a service startup mode using the native method that this will take precedence over Group Policy Preferences and you can use the security options in conjunction with preferences.

Step 1. Edit a computer Group Policy Object that is targeted to the computers that you want to control the service.

Step 2. Navigate to Computer Configuration > Preferences > Control Panel Settings > Services

GPO Service 04

Step 3. In the menu click on Action > New > Service and now click on the “…” button next to the Service Name field.

Note: From here you can either type in the service name in the “Service Name” field or click on the “…” button to chose the service from a predefined list of services.

GPO Service 05

Step 4. Select the service name that you want to configured and then click “Select”

GPO Service 06

Step 5. Now you can configure the Startup mode from the Startup mode drop down box and you can configure a service action.

GPO Service 07

Service Action will take place each time there is a group policy refresh so that you do not need to wait for the computer to reboot for the latest startup mode to take affect. This can also be handy to configure if you want a service to start if it crashes or if you have a pesky service that requires restarting on a regular basis to keep running properly.

Step 6. Click on the “Recovery” tab to configure the recovery options of the service as you would configure in the service control panel.

GPO Service 08

Step 7. As this is a preference you can also configure the standard “Common” options from such as item level targeting which will allow you to granularly control what computer you target this setting.