How to track deleted files

October 21st, 2014 No comments

I am often asked to restore files on fileservers and also look for user who deleted files. By default there is no auditing for files enabled on fileservers. I will write how I do enable it and how it works for me.

First of all you need to enable audit policy Audit object access. This audit policy handles auditing for files, registry keys, shares, … To enable this audit policy you need to set it in GPO Computer Configuration – Policies – Windows Settings – Security Settings – Local Policies – Audit Policy – Audit object access and set it to Success, Failure.

Audit object access

This audit policy enables auditing for lots of objects to audit. I want to audit only File System. To find out what audit policy settings are applied on computer use following commnad auditpol.exe /get /category:*. To enable only wanted auditing I have dumped settings using auditpol.exe command and set same auditing in GPO, but under Object Access I just enabled File System auditing. You can set this settings under Computer Configuration – Policies – Windows Settings – Security Settings – Advanced Audit Configuration.

Advanced Audit Configuration

When these settings in GPOs are applied there are new events in security event log. We need to look for event number 4659 and make some reporting out of it. I’ve created powershell script which I run every day right after midnight and it creates HTML report and also CSV files which can be used in some powershell manipulation. Here is a powershell script:

#
# Get-DeletedFileLog
#  This function gets events 4659 about delted files and generate HTML reports
#

#
# Declaration
#

[datetime]$Yesterday = ((Get-Date) - (New-TimeSpan -Day 1)).date
[datetime]$Today = (Get-Date).date
[int]$EventID = 4659
[string]$Path = "D:\Logs\Deleted Files"
[int]$Limit = (Get-Date).AddDays(-180)

Try
{
    #
    # Get events from security eventlog
    #
    [array]$EventList = Get-WinEvent -FilterHashtable @{Logname='Security';Id=$EventID;StartTime=$Yesterday} -Oldest -ErrorAction Stop

    #
    # Extend Event by XML data fields
    #
    foreach ($Event in $EventList)
    {
        $EventXML = 1$Event.ToXML()
        For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
        {
            Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name DateFileDeleted -Value $Event.TimeCreated
            Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name UserName -Value $EventXML.Event.EventData.Data[1].'#text'
            Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name DeletedFile -Value $EventXML.Event.EventData.Data[6].'#text'
        }
    }
    #
    # Generate HTML report
    #
    $EventList | Select DateFileDeleted, UserName, DeletedFile | ConvertTo-Html | Out-File "$($path)\$($Today.Year)$($today.Month)$($Yesterday.Day)_DeletedFiles.html"
    $EventList | Select DateFileDeleted, UserName, DeletedFile | ConvertTo-Csv | Out-File "$($path)\$($Today.Year)$($today.Month)$($Yesterday.Day)_DeletedFiles.csv"
}
Catch
{
    # If there is a problem
    Write-Host "No events $EventID to record."
}

#
# Remove old reports
#

Get-ChildItem -Path $Path -Recurse -Force | Where-Object { !$_.PSIsContainer -and $_.CreationTime -lt $Limit } | Remove-Item -Force

# EOF

This script also cleans up files older than 180 days. In HTML file you can see when, who and what deleted. I didn’t excluded files started with “~”, which are also known as temporary Office files, which are created during opening Office documents. This is because now I know who opened which files and when.

Enjoy,

 

Microsoft Windows 7 Embedded and RDP 8.1

October 16th, 2014 No comments

At one of our customers we deployed RDS RemoteApp server farm. Customer bought thin clients HP T510. When they connected to RemoteApp using Windows XP and Windows 7 on normal computers there were no problems with RemoteApps. When they connected to RemoteApp using Windows 7 Embedded on thin clients, they had problems with RemoteApp windows. RemoteApp windows were not displayed right. There was one extreme problem: User opened Microsoft Outlook, opened message and pressed Reply. Starte to type, but no characters were displayed. When you clicked on some part of the window all the text appeared. So RDP client sent all key strokes to RDP server, but RDP client didn’t refresh content of the window.

After some investigation I found out that Windows XP and Windows 7 had RDP client version 6.3.9600 (RDP 8.1 supported), but Windows 7 Embedded had only 6.2.9200 (RDP 8.0 supported). I’ve tried to google for some path or some HP image with RDP 8.1 for Windows 7 Embedded. No success. When you look on Remote Desktop Service Blog website, you can even find informaction that there is no RDP 8.1 for Windows Embedded.

But I found five hotfixes which are required for Windows 7 Emedded to have RDP client version 6.3.9600 (RDP 8.1 supported):

  • KB2574819-v2-x86
  • KB2592687-x86
  • KB2857650-x86
  • KB2830477-x86
  • KB2913751-x86

When you install all those updates you need to reboot machine and you will have nice RDP client version 6.3.9600 (RDP 8.1 supported):

rdp

That’s all for now,

Categories: Microsoft, Windows Tags:

Powershell script: Invoke-CommandOnADComputers

October 13th, 2014 No comments

Sometimes I need to run some command on bunch of computers. So I’ve created little bit more advanced function to be able to run script block on computers list created from domain:

 


<#
.Synopsis
   This function provides you way to run scriptblock on remote machines in the domain.
.DESCRIPTION
   This function is extension to Cmd-Let Invoke-Command. This function lists computer names in domain
   based on ADSearchBase and Filter parameters. In invoke scriptblock on those computers in the list.
.EXAMPLE
   To restart service "Windows Time" on all machines in domain:
   Invoke-CommandOnADComputers -SearchBase "DC=domain,DC=local" -ScriptBlock { Restart-Service W32Time; }
.EXAMPLE
   To restart service "Windows Time" on all machines which containt number 7 in name:
   Invoke-CommandOnADComputers -SearchBase "DC=domain,DC=local" -Filter 'Name -like "*7*"' -ScriptBlock { Restart-Service W32Time; }
#>

Function Invoke-CommandOnADComputers
{
    [CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]
    Param
    (
        # This is Active Directory Search Base to limit selection for computer accounts in domain.
        # It can be for example "OU=Computers,OU=Company Name,DC=domain,DC=local"
        [parameter(Mandatory=$true)]
        [string]
        $SearchBase,

        # Active Directory filter to merge your computer selection in to the detail.
        # It can be for example 'Name -like "Desktop*"'
        [string]
        $Filter = "*",

        # This is scriptblock which should be run on every computer.
        # For example { Restart-Service W32Time; }
        [parameter(Mandatory=$true)]
        [scriptblock]
        $ScriptBlock
    )
    Begin
    {
        #
        # Get list of computer accounts
        #
        Write-Verbose "Getting list of computer from $ADSear"
        try
        {
            [array]$ADComputersList = Get-ADComputer -SearchBase $SearchBase -Filter $Filter -ErrorAction Stop
        }
        catch
        {
            Write-Error -Message "Couldn't search in $SearchBase" -ErrorAction Stop
        }
        #
        # Write number of found computers
        #
        Write-Host "Found $($ADComputersList.Count) computers"
        #
        # If in debug, write list of computers
        #
        Write-Verbose "List of machines:"
        If (!$PSDebugContext)
        {
            foreach ($item in $ADComputersList)
            {
                Write-Verbose " $($item.Name)"
            }
        }
        Write-Verbose "Done with domain computer list"
    }
    Process
    {
        #
        # Let's invoke command on remote computer
        #
        foreach ($ADComputer in $ADComputersList)
        {
            Write-Host $ADComputer.Name
                try
                {
                    Write-Verbose "Invoking scriptblock on computer"
                    Invoke-Command -ComputerName $ADComputer.Name -ScriptBlock { $ScriptBlock } -ErrorAction Stop
                    Write-Host " Scriptblock invoked successful."
                }
                catch
                {
                    Write-Host " Scriptblock invoked UNSUCCESSFUL."
                }
        }
    }
}

You can run it using

Invoke-CommandOnADComputers -SearchBase “DC=domain,DC=local” -ScriptBlock { Restart-Service W32Time; }

and it will read all computer accounts from domain and restart Windows Time service.

Enjoy,

vExpert 2014

October 5th, 2014 No comments

This year VMware granted me a non-technical certification vExpert. I helped out on VMWare Thinapp forum.

vExpert

I’m so happy ;-)

Categories: ThinApp, VMWare Tags: , ,

Quickie: Clean up your bash history

September 30th, 2014 No comments

Sometimes when you work on linux in bash you don’t want to leave commands in bash history (.bash_history). Easy way to clean it up it’s to run following command:

HISTSIZE=0

Now your bash history will be not accessible and not saved when you logoff.

 

Quickie: Hyper-V ready or not

September 30th, 2014 No comments

If you want to know if your computer is ready to host Hyper-V role you can check it quickly using old command systeminfo.exe with new feature. This new feature is in systeminfo.exe which is included in Windows 8 and higher and Windows Server 2012 and higher.

When you run it you can see the last output lines about Hyper-v Requirements:

System info hyper-v

That’s all for today,

Quickie: Pipe output into Clipboard

September 24th, 2014 No comments

I just found one cool utility. It’s called clip.exe. You can use this utility to input the content from pipline into clipboard and then paste the content of clipboard where ever you want.

Here a example:

ipconfig /all | clip

When you run this all the output from command “ipconfig /all” is stored into windows clipboard. Now you can Paste (CTRL+V) this into any application you want.

When you want to read the content of any file into windows clipboard you can use following command:

clip < C:\kukuc.txt

This cool utility came with Windows Server 2003 (not in Windows XP) and stayed there until Windows 8 and Windows Server 2012 R2.

Have a good day,

 

 

Categories: Quickie, Windows Tags: , , ,

PowerShell: Script to check for logged users

September 16th, 2014 No comments

I’m creating couple powershell scripts which I use in my work. I want to share couple of them with you. So here is a script which look for domain computers and then check who is logged on those online machines.

$ADSearchBase = "OU=Computers,DC=domain,DC=local"
$ADFilter = "*"

Function Get-LoggedUsersOnComputers
  {
  $ADComputersList = Get-ADComputer -SearchBase $ADSearchBase -Filter $ADFilter
  foreach ($ADComputer in $ADComputersList)
    {
    Write-Output $ADComputer.Name
    Try
       {
       $ExplorerProcesses = Get-WmiObject -ComputerName $ADComputer.Name -Class win32_process -Filter "Name='explorer.exe'" -ErrorAction Stop
       }
     Finally
       {
       If ($?)
         {
         foreach ($ExplorerProcess in $ExplorerProcesses)
           {
           Write-Output "  $($ExplorerProcess.GetOwner().User)"
           }
         }
       Else
         {
         Write-Output "  <<< Could not connect"
         }
       }
    }
  }

Get-LoggedUsersOnComputers

If you have any remark on my script, please, let me know. I will be happy to make it more cute :-)

Powershell Web Access

September 8th, 2014 No comments

I was playing today with new feature called PowerShell Web Access. This feature was brought in Windows Server 2012. It is very easy to install and easy to use. You need to select one server which will act as Web Access PowerShell gateway server. You will be connecting to this server using SSL and this server will use PowerShell remoting to access computers inside your network. So let’s make it work.

First you need to run PowerShell as a admin on gateway server:

PowerShell

Let’s look for Windows features which contain word “shell”:

PowerShell

Windows PowerShell Web Access is the feature we want to install. So let’s install it:

PowerShell

Now we can look at this website to lear more, but let’s play more. Now we have new cmdlets containig word “pswa” (PowerShell Web Access):

PowerShell

We installed pswa feature, but this feature didn’t install its web component into the server. So let’s install pswa Web application using cmdlet Install-PswaWebApplication with parameter -UseTestCertificate. This parameter creates self-signed SSL certificate for this new site, you can use your own certificate. Be aware that this certificate expires in 90 days.

PowerShell

New website was created:

PowerShell

By default no one can use Powershell access gateway. You need to define explicit rules who, where and what can do. For easy test you can use following rule for domain group called GRP_PowerShell_Remote to access all computers with all permissions:

PowerShell

Now everything is prepared. We need to make some changes in network (routers and NAT) to be able to access 443 port on server from Internet. Now when we open site, we can see:

PowerShell Web Access

And now you can work on machines inside your network. It’s secure and reliable:

PowerShell

This is very nice and cute feature.

I hope you will start to use and enjoy it.

Have a nice day.

 

Storage Explorer

August 27th, 2014 No comments

Hello folks

Today I found one really nice utility at Windows Server 2008 R2 and up. It’s called Storage Explorer. It’s MMC snap-in which enables you to see what your fiber optic cards (HBAs) on fiber optic fabrics.

You can see information about your HBAs:

Storage Explorer

This utility somehow connected into fibre optic switch and listed its ports and WWNs connected to it:

Storage Explorer

And also found some information about optical switch (for example management IP address):

Storage Explorer

I know this tool is not as powerfull as Brocade SANHealth, but it’s bettern than nothing :-)

That’s all folks for today,

Quickie: Default Synology Console password

July 10th, 2014 No comments

I had little problem with Synology 814+ and I couldn’t get into Web management. So I connected to console (speed of serial console is 115200). I was able to see a console, but I was not able to login into console. I was looking for default password and I found out that Synology generates password for admin and root by actucal date. More about is here. When your Synology doesn’t have access to Internet’s NTP server, it has local date 01/01/2001. So it means default console password is 101-0101 if Synology doens’t have access to Internet.

I hope this saves at least hour of your time :-)

DFSR not copying all temporary files

June 6th, 2014 No comments

I implemented DFSR replication in our customer between two locations. There are people opening same files on both locations and they want to use Office document locking feature. This locking mechanism is based on creation of temporary files (~*). So I removed file exception (~*) from DFSR Replicaiton Group and allowed to replicate temporary Office files. When I create and open Word document on one location two files are were: WORD.docx and ~$WORD.docx. And when I created new Excel document two files were created: EXCEL.xlsx and ~$EXCEL.xlsx.

Creation of temporary filesOn other location only two files were replicated (created): WORD.xlsx and ~$WORD.xlsx:

Replicated filesWhen I closed Word and Excel temporary files dissapeared and docx and xlsx files replicated correctly.

So let’s look why those files were not replicated. In some Technet articles I found that DFSR doesn’t replicate temporary files. More info is here and here.

It’s nice to know that DFSR doesn’t replicate files marked as temporary. So let’s look at those opened Word and Excel files.

WORD.docx

File attrib

- Only archive attribute set (0x20)

~$WORD.docx:

File attrib- Archive attribute (0x20) and Hidden (0x02)

EXCEL.xlsx

File attrib- Only archive attribute set (0x20)

~$EXCEL.xlsx

File attrib

So utility fsutil cannot open data from this file. It looks that Excel opens its files different way as Word does. And that’s why file ~$EXCEL.xlsx didn’t copy to other location, because DFSR cannot access this file while it’s opened in Excel.

This Excel behaviour causes that Office locking mechanism is not working over DFSR.

Let’s hope Microsoft will fix this in other release Office :-)

Have a nice day,

Quickie: How to delete registry using reg file

June 6th, 2014 No comments

I always used .reg files to import registry keys and values. I started to think if it’s possible to delete registry key or value using .reg file.

To create key and value you can use following .reg file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\test]
“test_value”=dword:00000010

 

To delete only value “test_value” you can run following .reg file (minus sign after the equal sign):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\test]
“test_value”=-

 

To delete whole key you can run following .reg file (minus sign in front of key name):

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\test]

 

That’s all for now,

 

Problem with issuing certificate to domain controllers

June 6th, 2014 No comments

I have experienced same problem in two customers within four days. I had server with operating system Windows Server 2012 R2. I installed role Active Directory Certificate Services with default settings. Also default certificate templates were installed. One of the default certificate templates is called Domain Controller and it should be enrolled automatically to all domain controllers using autoenrollment method.

Certification Template

Certificates didn’t autoenroll to domain controllers so I tried to enroll certificate manually. I received following error:

Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

CA Error

After couple of minutes of debugging I found out that it should have something to do with security of accessing DCOM object. When I have looked on DCOM security settings I found some domain group called CERTSVC_DCOM_ACCESS. I tried to google for this and I found out that this group should contain all domain members that want to enroll certificate using DCOM. And it was missing “Domain Controllers” group:

certsvc_dcom_access

I just inserted group “Domain Controllers” into domain group CERTSVC_DCOM_ACCESS. Rebooted domain controllers, they had to get new group membership, and everything started to work as expected.

More info here and here.

That’s all for today,

Thumbs.db locked DFSR

May 21st, 2014 No comments

Problem

I had one problem with DFSR. I had two servers. Server01 in located in Location01 and Server02 located in Location02. There is DFSR Replication Group configured between those two servers. Replication worked in one direction – from Server01 to Server02, but it didn’t work from Server02 to Server01.

Findings

When I looked into backlog of Server02 using command:

dfsrdiag backlog /rgname:Rep_Group /rfname:Rep_Folder /SendingMember:SERVER02 /Receivingmember:SERVER01

I found out that there is lots of files stuck in queue – backlog. All of them were called Thumbs.db. These files are used by Windows Explorer to store thumbnails of files in directories.

Solution

I fixed issue by clearing conflict directory using following commands. I had to find out GUID for my replication folder:

wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderconfig get replicatedfolderguid,replicatedfoldername

And then run procedure to clear conflict directory:

wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo where “replicatedfolderguid=’GUID’” call cleanupconflictdirectory

After directory clearance replication stared to work.

But I wanted to prohibit to create Thumbs.db files on network shares. I don’t know about any setting that would disable it on client machines so I had to restrict creation on servers. I decided to create File Screen to prohibit Thumbs.db creation on servers.

1. On server go to Server Manager — Roles — File Services — Share and Storage Management — File Server Resource Manager — File Screening Management:FS01

2. Right-click on File Groups and create new File Group:

- Name it

- Include file “Thumbs.db” into list

FS02

3. Right-click on File Screen Templates and create new screen template:

- Name it

- Make sure you have selected Active screening

- Select new created group “Thumbs.db”

FS03

4. Enable file screening on directory. Right-click on File Screens and create file screen.

- Select Path where File Screen should apply

- Select new created File Screen Template

FS04

And screen file is sucessfully set.

One more step I took was delete all Thumbs.db files from server’s disk. I run following powershell command in share directory:

Get-ChildItem -Force -Recurse | where { $_.Name -like “Thumbs.db”  } | Remove-Item -Force

And that’s all for today play with DFSR.

Quickie: Couple helpful command for DFSR

May 21st, 2014 No comments

Today I was solving issue with not replicating DFSR server in Full Mesh topology. Here are couple helpful commands to work with DFSR:

To look if any replication is in progress:

dfsrdiag replicationstate

To look if there is anything in backlog:

dfsrdiag backlog /rgname:Rep_Group /rfname:Rep_Folder /SendingMember:SERVER01 /Receivingmember:SERVER02

To disable debug logging:

wmic /namespace:\\root\microsoftdfs path dfsrmachineconfig set enabledebuglog=false

To set maximum debug files:

wmic /namespace:\\root\microsoftdfs path dfsrmachineconfig set maxdebuglogfiles=2000

To set maximum lines in one log file:

wmic /namespace:\\root\microsoftdfs path dfsrmachineconfig set maxdebuglogmessages=400000

To look for replication folder GUID:

wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderconfig get replicatedfolderguid,replicatedfoldername

To clean up conflict directory:

wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo where “replicatedfolderguid=’GUID'” call cleanupconflictdirectory

That’s all folks for today,

Categories: Microsoft, Quickie, Windows Tags: , ,

Quickie: Right click using keyboard

April 29th, 2014 No comments

In my class today we needed to do right-click in Windows using keyboard. I just found out that Shift + F10 simulates right-click :-)

That’s all for today,

How to implement Web Proxy Auto-Discovery Protocol

April 8th, 2014 4 comments

Web Proxy Auto-Discovery Protocol known as WPAD is protocol used by web browsers to locate URL of configuration file using DHCP or DNS.

How does it work?

Computer running web browser must be configured to detect settings automaticaly. It can be turned on in Internet Explorer:

When this browser starts it detects WPAD URL. If browser supports DHCP discovery it will send DHCPINFORM query on network asking for WPAD option. If client doesn’t get DHCP answer it will try DNS query. Let’s assume we have local domain expo.domain.local. Client will try following URLs:

  • http://wpad.expo.domain.local/wpad.dat
  • http://wpad.domain.local/wpad.dat

When this DNS is not successful browser will try URL with NetBios name http://wpad/wpad.dat.

This behaviour can depend on WPAD implementation in browser. Some browser doesn’t use DHCP detection. Some will try also http://wpad.local/wpad.dat URL. I will write only about Internet Explorer behaviour.

Finally when browser gets wpad.dat file from WPAD URL it will parse this file and set proxy settings described in wpad.dat file.

How to make it work?

Let’s assume we have DHCP and DNS services running on Windows Server. We also need IIS installed on server. First of all we need to create new IIS Website:

We will bind this website to port 80 and Host name will be set to wpad.domain.local. We will create new directory C:\inetpub\wpad where website will point. Second, we need to define new MIME type in IIS. Click on IIS server name in IIS console. Then click on MIME Types:

On right side click on action Add.. and define new MIME type (.dat – application/x-ns-proxy-autoconfig):

In directory C:\inetpub\wpad create new file called wpad.dat with following content:


function FindProxyForURL(url, host) {

if(shExpMatch(url,"*intranet/*")) { return "DIRECT"; }

if(shExpMatch(url,"*.domain.local/*")) { return "DIRECT"; }

if(shExpMatch(url,"10.0.*")) { return "DIRECT"; }

if(shExpMatch(url,"192.168.*")) { return "DIRECT"; }

// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.

return "PROXY 10.0.0.100:8080";

}

This file is in format Proxy auto-config (PAC file) and it is self-explanatory. It’s kind of fucntion which says if URL is “*intranet/*, “*.domain.local/*,… browser will go directly to this URL. Those are proxy exceptions. Other not defined traffic will be send to proxy server 10.0.0.100 and its port 8080. This script can be more advanced. Be aware, if you make some mistake some stupid browsers (including Internet Explorer) will skip whole script and not use it :-)

Now when we have our wpad.dat file ready we can try if we are able to download it using browser. Just try if you can download file http://wpad.domain.local/wpad.dat.

If everything works let’s inform browsers we have published autoconfiguration file.

Publish in DHCP

We need to create new DHCP Option 252 first:

  • Open DHCP Console
  • Right click on DHCP server and select Set Predefined Options and then click Add
  • In Name type wpad, Data type select String and Code type 25

  • Click OK
  • Enter value http://wpad.domain.local/wpad.dat in Value String field
  • Click OK
  • Right-click on Scope Options in DHCP scope where you want add DHCP value 252 and select Configure Options…

  • Scroll all the way down and select DHCP value 252 and click OK

This is all for DHCP setup. Let’s look on DNS setup.

Publish in DNS

You need to create DNS A record wpad.domain.local and point it to IP where WPAD Website runs. Windows servers will not answer on DNS A “wpad” requests. It’s basically for security reason. “wpad” is blocked in DNS by default. In default DNS block list are two records: wpad and isatap. To enable wpad we need to left only isatap in block list. You can do it by command dnscmd /config /globalqueryblocklist isatap.

Remember

  • If browser has DHCP discovery and get some DHCP Option 252, it will not do DNS discovery
  • Some browsers don’t support DHCP discovery. Only Internet Explorer and Konqueror support both the DHCP and DNS discovery functions

That’s all folks for today :-)

Remote Powershell in domain environment

March 21st, 2014 3 comments

Sometimes you need to run some command on remote computer. If you don’t want to bother user using Remote Assistance or user is not at the computer you can try Remote Powershell. Powershell was new feature when Windows Vista and Windows Server 2008 came. So we can divide operating systems into three categories. Each category requires some things and some requirements.

Windows 7 / Windows Server 2008 R2 and higher

  • Needs to open ports in firewall (is your firewall is not open all the way)
  • Needs to enable and configure WinRM
  • Needs to configure WinRM service to run

Windows Vista / Windows Server 2008

  • Needs everything from first group
  • Needs to install PowerShell 2.0

Windows XP / Windows Server 2003

  • Needs everything from second group
  • Needs to install .NET Framework

Probably your environment will be mixed of all three types of operating systems. So let’s look how to configure it. I will use GPOs everywhere it can be used.

Enable Remote PowerShell for Windows Vista and Windows Server 2008

Create GPO and set following:

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow automatic configuration of listeners (Allow Remote Server management through WinRM):

Firewall exceptions

Firewall exceptions for Windows 7 / Windows Server 2008 and higher

If you have Microsoft firewall closed and you need to make exception using GPO in Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions:

Firewall exceptions for Windows XP / Windows Server 2003

You have to define New Firewall rule under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules and create new Inbound rule with predefined type “Windows Remote Management”:

Configure Service

To enable Remote Powershell I need to configure service. WinRM service has to start automatically. Create new setting in GPO in Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Setup service Windows Remote Management (WS-Management) following way:

Let’s change startup for this service using GPO settings under Computer Configuration > Preferences > Control Panel Settings > Services. Create new Service setting with following settings:

Windows XP / Windows 2003 specialities

To make Powershell work remotely on older operating systems you need to make sure your operating systems have installed two hotfixes: KB968930 and KB951847. These hotfixes are distibuted via Windows Updates so if you use WSUS, there updates are already on your older operating systems.

To enable PowerShell for remote connection you need to enable it using startup script. So you need to create new GPO which will run only on older OS. You can use following WMI filter to make this GPO apply only on older OS:

You can use following script as a startup script to enable Powershell Remote for Windows XP.

To test it you can run following command:

Enter-PSSession -ComputerName COMPUTER_NAME

Active Directory Users and Computes Implementation

To make it look better you can implement connection to computer using Active Directory Users and Computers.

On location \\domain.local\NETLOGON create new Powershell.vbs file:

' ' Script to run Remote Powershell on domain computer '

Set wshArguments = WScript.Arguments Set objComputer = GetObject(wshArguments(0))

' ' Check if Remote Assistance is installed '

Set fso = CreateObject("Scripting.FileSystemObject") 
If (fso.FileExists("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe")) Then  
' Is istalled  
   Set objShell = WScript.CreateObject("WScript.Shell")  
   Return = objShell.Run("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit \\domain.local\NETLOGON\Remote_Session.ps1" & objComputer.dNsHostName, 1, false) 
Else  
   ' Is not installed, error.  
   Wscript.Echo "Microsoft Remote PowerShell is not enabled on this machine." 
End If

On location \\domain.local\NETLOGON create new Remote_Session.ps1 file:

[CmdletBinding()]
Param(
  [Parameter(Mandatory=$True,Position=1)]
   [string]$computerName
)

Enter-PSSession -ComputerName $computername

 When files are ready, you need to create new record in Active Directory using adsiedit.msc. Connecto to configuration partition of your domain:

Go to Configuration > CN=Configuration,DC… > CN=DisplaySpecifiers > CN=409 > CN=computer-Display and edit property called adminContextMenu.

Add another record into existing list of records. I used following record:

3, &PowerShell Remote,\\domain.local\NETLOGON\Powershell.vbs

which means:

3 – order of record in the list of records (if you have only one existing record, your number will be 2)

&PowerShell Remote – name of the item in context menu

\\domain.local\NETLOGON\Powershell.vbs – path to vbs script you created

Here is how it looks in one of the environments:

When all is done, your Active Directory Users and Computers console has to be reopened and you will find new record under computer account:

When you click on this new item in context menu new powershell window opens. This powershell window is remote powershell windows from remote computer.

I hope people start using powershell more often,

Broken ForestPrep

March 19th, 2014 1 comment

Friend of mine tried to promote Windows Server 2012 into Windows Server 2003 SBS environment. He had installed Windows Server 2012 Server. He also installed role Active Directory Domain Services. When he tried to promote new installed Windows Server 2012 into existing SBS domain he received following error:

Error was generated while Windows Server 2012 tried to do preparation of AD forest. So I have tried to do it using command line:

So same error (Adprep could not retrieve data from the server through Windows Managment Instrumentation WMI). Some problem with WMI on existing domain controller. I have tried to rebuild WMI from scratch using this article. No luck. Message saying “Access is denied” was not true, because account used to run setup.exe /forestprep was Enterprise, Domain and Schema Admin. When I read this article I found out that DCOM has to be enabled and accessible when doing domain controller promotion. So I looked into configuration of old domain controller following way:

Run command dcomcnfg.exe

Browse down to Component Services -> Computers -> My Computer. Right click and select Properties. I found that DCOM was disabled:

So I enabled it with following settings:

…and I was able to promote Windows Server 2012 as a new domain controller. No more access or WMI errors.

This was really hard one to find out :-)