Windows Default Account Picture Logo Image | Server 2019 vs 2012/2016

The quickest way to customise the Windows logon logo/image/icon is to drop replacement images into this hidden folder. The images are in BMP and PNG format.

C:\ProgramData\Microsoft\User Account Pictures

Note: There are some subtle differences between Windows Server 2012 R2 and Server 2019.

  1. Windows Server 2019 (this doesn't apply to 2016) uses a symbolic link: the folder is actually called "Default Account Pictures" and it redirects to "User Account Pictures".
  2. Windows Server 2019 appears to ship some additional images, with different sizes compared to Server 2012 and 2016:
  • user-32.png
  • user-48.png
  • user-192.png
  • REMOVED user-200.png

Server 2012 R2

Server 2019

The icons can be set using Group Policy Preferences and copying the images over from a share.

Remove “Windows.old” using Cleanmgr CLI | Windows 10

PowerShell script for removing the "Windows.old" folder using the cleanmgr.exe command line:

# Select the "Temporary Setup Files" and "Previous Installations" (Windows.old) handlers for cleanup profile 1337
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files' -PropertyType 'DWORD' -Force -Name 'StateFlags1337' -Value 0x2
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Previous Installations' -PropertyType 'DWORD' -Force -Name 'StateFlags1337' -Value 0x2
# Run Disk Cleanup unattended using profile 1337 (the number must match the StateFlags value name)
cleanmgr.exe /SAGERUN:1337

Great post on the syntax of “Cleanmgr.exe”

https://winaero.com/blog/cleanmgr-exe-command-line-arguments-in-windows-10/ 

Migrate Folder Shares | PowerShell

Basic objective: we have a ton of shares which need to move to a new server. The data has already been replicated, but the shares need to be re-created.
There are methods of doing this by exporting the registry, but being a little wary of messing up the current shares (and needing a reboot) I decided to do this manually…

Export list of shares on source server:

# -NoTypeInformation keeps the "#TYPE" header out of the CSV so it imports cleanly later
Get-WmiObject -Class Win32_Share -ComputerName servername.fqdn.com | Export-Csv -Path "C:\Shares.csv" -NoTypeInformation

Create shares on destination server:

Powershell:

Need the powershell command here

CMD Net Share

net share "ShareName"="D:\Path\FolderName" /grant:everyone,FULL
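The PowerShell half of the procedure, as an added example (not code from the original post): it reads the Win32_Share export above, skips the administrative shares and any path that has not been replicated yet, and creates the rest with New-SmbShare. The share-level principal is a parameter rather than Everyone/FULL; NTFS permissions on the folders still have to be copied separately, since Win32_Share does not export them.

```powershell
# Added example: re-create the disk shares listed in C:\Shares.csv on the destination server.
# Assumes the data has already been replicated to the same local paths as on the source.
param(
    [string]$CsvPath = 'C:\Shares.csv',
    # Share-level principal granted Full Control; NTFS ACLs on the folder still apply
    [string]$FullAccess = 'Authenticated Users',
    [switch]$DryRun
)

$shares = Import-Csv -Path $CsvPath |
    # Win32_Share Type 0 = ordinary disk share. Administrative shares (C$, ADMIN$, IPC$)
    # carry the 0x80000000 flag and are created by Windows itself, so skip them.
    Where-Object { [int64]$_.Type -eq 0 }

foreach ($s in $shares) {
    if (-not (Test-Path -LiteralPath $s.Path -PathType Container)) {
        Write-Warning "Skipping $($s.Name): '$($s.Path)' does not exist on this server"
        continue
    }
    if (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($s.Name): share already exists"
        continue
    }
    $params = @{
        Name       = $s.Name
        Path       = $s.Path
        FullAccess = $FullAccess
        WhatIf     = $DryRun
    }
    # Win32_Share descriptions are often blank; only pass one when present
    if ($s.Description) { $params.Description = $s.Description }
    New-SmbShare @params | Select-Object Name, Path
}
```

Run it once with -DryRun to see which shares would be created before committing.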

Reference:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-6
https://gallery.technet.microsoft.com/scriptcenter/Creates-New-Share-with-fb22d905
http://www.tomsitpro.com/articles/use-fileshare-powershell-cmdlets-server-2016,2-1053.html

VMware ESX 6.0 to 6.5 Upgrade | vSphere CLI commands

I've been working on a project to upgrade vCenter from 6.0 to 6.5. This meant that multiple Dell (R530, R630, R730) hosts required an ESX update (using Update Manager). Unfortunately these upgrades failed the first time around because custom VIBs from the previous Dell Customized Images of ESXi conflicted with native drivers in ESX 6.5. Below is the cheat-sheet of commands used to remove them.

vSphere CLI commands. These can be executed by enabling SSH on the ESX host and connecting via PuTTY.

List VIBs (Matching “QLC”)

esxcli software vib list | grep QLC

List VIBs (All)

esxcli software vib list

List network adapters and the driver each one uses (check you won't disconnect yourself by removing a driver VIB that is in use)

esxcli network nic list

Remove VIBs (example scsi-mtip32xx-scsi)

esxcli software vib remove -n scsi-mtip32xx-scsi

Host Maintenance Mode

esxcli system maintenanceMode set --enable true

Host Reboot (Needs to be in maintenance mode)

esxcli system shutdown reboot --reason Upgrades

Notes: The vSphere CLI has been superseded by PowerCLI. PowerCLI is distributed as a Windows PowerShell snap-in (PowerCLI 6.0 introduced a PowerShell module) and includes over 500 PowerShell cmdlets for managing and automating vSphere and vCloud, along with documentation and samples.

Reference: https://docs.vmware.com/en/VMware-vSphere/5.5/com.vmware.vsphere.upgrade.doc/GUID-7FFEBD91-5D82-4E32-93AB-F10D8BFFECAA.html

SQL Firewall Rules | PowerShell

Add Windows Firewall exceptions for Microsoft SQL Server using PowerShell:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
#Enabling SQL Server Ports
New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow
New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound -Protocol TCP -LocalPort 1434 -Action Allow
New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound -Protocol UDP -LocalPort 1434 -Action Allow
New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound -Protocol TCP -LocalPort 4022 -Action Allow
New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Allow
#Enabling SQL Analysis Ports
New-NetFirewallRule -DisplayName "SQL Analysis Services" -Direction Inbound -Protocol TCP -LocalPort 2383 -Action Allow
New-NetFirewallRule -DisplayName "SQL Browser" -Direction Inbound -Protocol TCP -LocalPort 2382 -Action Allow
#Enabling Misc. Applications
New-NetFirewallRule -DisplayName "HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
New-NetFirewallRule -DisplayName "SSL" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName "SQL Server Browse Button Service" -Direction Inbound -Protocol UDP -LocalPort 1433 -Action Allow
#Enable Windows Firewall
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True
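As an added example (not from the original post), the same inbound SQL Server rules but scoped to the Domain profile and to the hosts that actually need to reach the instance; the addresses in $AppServers are constructed placeholders. It also removes any existing rule of the same name first, since New-NetFirewallRule creates a duplicate every time the script above is re-run.

```powershell
# Added example: scoped versions of the SQL Server firewall rules.
# $AppServers holds constructed placeholder addresses; replace with the real client hosts.
$AppServers = @('10.0.10.21', '10.0.10.22')

$rules = @(
    @{ DisplayName = 'SQL Server';         Protocol = 'TCP'; LocalPort = 1433 }
    @{ DisplayName = 'SQL Browser';        Protocol = 'UDP'; LocalPort = 1434 }
    @{ DisplayName = 'SQL Service Broker'; Protocol = 'TCP'; LocalPort = 4022 }
    # TCP 1434 is the Dedicated Admin Connection; it listens on loopback only unless
    # 'remote admin connections' is enabled in SQL Server, so it is left out here.
)

foreach ($r in $rules) {
    # Avoid duplicates: New-NetFirewallRule does not check for an existing DisplayName
    Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule @r -Direction Inbound -Action Allow `
        -Profile Domain -RemoteAddress $AppServers | Out-Null
}

# Confirm what was applied: one line per rule with its remote address scope
Get-NetFirewallRule -DisplayName 'SQL *' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Profile       = $_.Profile
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```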

Windows Server 2016 | Remove WSUS (Completely)

Trying to completely remove WSUS isn't as straightforward as uninstalling the role.
These steps are based on WSUS using the WID database (not SQL).

In Summary:

  • Remove Windows Update Servers (WSUS) role & Windows Internal Database (WID)
  • Remove WSUS cache & Update Services directories
  • Remove WSUS website in IIS
  • Reboot

PowerShell:

# Remove the WSUS role and the Windows Internal Database it uses
Uninstall-WindowsFeature -Name UpdateServices,Windows-Internal-Database
# WSUS content store and the WID data directory
Remove-Item -Path 'D:\WSUS', 'C:\Windows\WID' -Recurse -Force
# WID service account profile (single-quoted so PowerShell does not expand $MICROSOFT as a variable)
Remove-Item -Path 'C:\Users\MSSQL$MICROSOFT##WID' -Recurse -Force
Remove-Item -Path 'C:\Scripts', 'C:\Temp' -Recurse -Force

# Quoted because of the spaces in the path
Remove-Item -Path 'C:\Program Files\Update Services' -Recurse -Force

Remove-WebSite -Name "WSUS Administration"
Restart-Computer

References: ServerFault

DFS | DFSR Removal of Staging Directory

After removing DFS shares on a server there may be some leftover files in the "DFSR" cache, a hidden location within "System Volume Information". This can be a tricky one to delete, but it can be done from the CLI.

Take Ownership of folder

icacls "e:\system volume information" /grant Administrator:F


Remove Directory (Silent & whole directory tree)

rd "e:\system volume information\dfsr" /s /q


Dell PowerEdge Servers | Internal Dual SD Module (IDSDM) Failure

We are running Dell R620/R630 servers with the "Internal Dual SD Module" (IDSDM) for the VMware ESX installation.
Unfortunately SD card 1 recently developed a fault.
As the IDSDM is configured in fail-over mode (SD1 copies to SD2), we had to swap the cards before performing the rebuild.

It is important to note a few IDSDM module behaviours (from the IDSDM White Paper):

Mirror State Stored on the IDSDM module

The SD cards' mirror state, along with the Disabled or Mirror mode for modular servers, is stored on the IDSDM module itself. This means that it is possible to move an IDSDM module between two systems and preserve the mirror; the BIOS will read the states from the cards during boot up and will reflect the state of the card in setup.

Master SD Card

The module design allows that either SD card slot can be the master; in the event of a tie between the two cards, SD1 is picked as the master. For example, if two new SD cards are installed in the IDSDM while AC power is removed from the system, SD1 is considered the Active or master card in the mirror. SD2 is the backup card, and all file system IDSDM writes will go to both cards, but reads will occur only on SD1. If at any time SD1 fails or is removed, SD2 will automatically become the Active (master) card. The IDSDM module should not be serviced while AC power is present.

Windows 7/10 | Remotely logoff user (Instantly)

Useful in the event of having to log someone off remotely (e.g. if a user's AD account has been disabled and you urgently want to prevent them from using the system).

You must have local administrator access to complete this. This process will logoff the user instantly.

Run CMD (as Administrator) and obtain the session ID:

quser /server:COMPUTERNAMEHERE

Logoff session ID:

logoff ID /server:COMPUTERNAMEHERE


Creating AD Trust Relationship

Ports required for trust relationship:

  • 389 (TCP and UDP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP
  • 636 (TCP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP SSL
  • 3268 (TCP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP GC
  • 3269 (TCP) – Directory, Replication, User and Computer Authentication, Group Policy, Trusts – LDAP GC SSL
  • 88 (TCP and UDP) – User and Computer Authentication, Forest Level Trusts – Kerberos
  • 53 (TCP and UDP) – User and Computer Authentication, Name Resolution, Trusts – DNS
  • 445 (TCP and UDP) – Replication, User and Computer Authentication, Group Policy, Trusts – SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc

Reference:

  • https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
  • https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
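An added example (not from the original post) that checks TCP reachability of the ports listed above from this domain controller to the partner domain's DC before attempting the trust. Test-NetConnection can only probe TCP, so the UDP side of 53/88/389/445 is not covered; port 135 is included because the KB 179442 reference above also lists the RPC endpoint mapper. The host name is a constructed placeholder.

```powershell
# Added example: probe the TCP trust ports against the partner DC.
# 'dc01.partner.example' is a constructed placeholder; use the real partner DC.
function Test-TrustPorts {
    param([Parameter(Mandatory)][string]$PartnerDc)

    # Port -> service, from the list above (plus 135, RPC endpoint mapper, from KB 179442)
    $ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC Endpoint Mapper'
        389  = 'LDAP'
        445  = 'SMB / RPC over named pipes'
        636  = 'LDAP SSL'
        3268 = 'LDAP Global Catalog'
        3269 = 'LDAP Global Catalog SSL'
    }

    foreach ($p in $ports.Keys) {
        # -WarningAction hides the "TCP connect failed" warning; the result object carries the verdict
        $r = Test-NetConnection -ComputerName $PartnerDc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port     = $p
            Service  = $ports[$p]
            Resolved = [bool]$r.RemoteAddress
            TcpOpen  = $r.TcpTestSucceeded
        }
    }
}

Test-TrustPorts -PartnerDc 'dc01.partner.example' | Format-Table -AutoSize
```

A port that resolves but shows TcpOpen False is the firewall hop to investigate; Resolved False means DNS between the two forests is the problem first.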

Draytek VPN to iPhone/iOS Setup

There's a fairly quick and simple method to configure a VPN from the Draytek to an iPhone.

I'm configuring this on a Draytek 2860n-Plus, but the same process applies to most Draytek interfaces.

If you don't have a static IP, you can use a free dynamic DNS name from no-ip.org (other dynamic DNS providers are also available).

This method uses L2TP with IPsec. A guide to the various VPN types can be found on HowtoGeek.

Draytek 2860 Setup

VPN and Remote Access -> VPN and Remote Access -> Remote Access Control

Enable “IPsec” & “L2TP” VPN Services (These may already be enabled by default)


Windows 7 | Delete Offline File Cache CSC Folder

After carrying out a domain migration on a PC, the "offline files cache" still retains a local cache for the previous domain.

Within "Offline Files" (Control Panel) there is an option to "Delete temporary files", but this does not remove the "All offline files" cache located in the "C:\Windows\CSC" folder.

The workaround to fully remove these files (and start a new offline sync) is to add the "FormatDatabase" registry entry, which forces deletion.

This command adds the registry entry. Reboot the system afterwards and all offline files will be removed:

reg add HKLM\SYSTEM\CurrentControlSet\services\CSC\Parameters /v FormatDatabase /t REG_DWORD /d 1

DFS | Site Links, Server Target Prioritization & Reference Info

DFS Setup and Configuration Notes

I like DFS; the main issue I found is setting it up, tailoring it to your needs, debugging and configuring it, which can be a bit troublesome. I've spent a while implementing and tweaking it for a large-scale network (17 sites using DFS-N & DFS-R). I've listed a number of articles/URLs which have proven useful on my DFS internet travels…

Obtaining local Passwords from Memory Dump

Outputs a memory dump of the Windows security process (to obtain passwords cached locally). This can be run against a remote system to obtain credential information. It requires "local administrator" rights on the remote PC being targeted.

Requires: PsExec & ProcDump

psexec \\computername -accepteula -s -c procdump -accepteula -ma -o lsass.exe \\server\logs\computername.log

Reference: https://cyberarms.wordpress.com/2015/03/16/grabbing-passwords-from-memory-using-procdump-and-mimikatz/
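The defender's side of the command above, as an added example (not from the original post): ProcDump opening lsass.exe is recorded by Sysmon as Event ID 10 (ProcessAccess) when the Sysmon configuration includes a ProcessAccess rule for lsass.exe. This lists those events, dropping a constructed allow-list of source images that legitimately touch LSASS, so a remote dump like the one above shows up with its source process and PID.

```powershell
# Added example: surface Sysmon ProcessAccess (Event ID 10) events against lsass.exe.
# Assumes Sysmon is installed with a ProcessAccess rule that targets lsass.exe.
function Get-LsassAccessEvents {
    param(
        [int]$Hours = 24,
        # Constructed allow-list of sources that routinely open LSASS; tune for your estate
        [string[]]$AllowList = @(
            'C:\Windows\System32\svchost.exe',
            'C:\Windows\System32\wbem\WmiPrvSE.exe'
        )
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.TargetImage -notlike '*\lsass.exe') { return }   # skip non-LSASS targets
        if ($AllowList -contains $d.SourceImage)   { return }   # skip known-good sources

        [pscustomobject]@{
            Time          = $_.TimeCreated
            SourceImage   = $d.SourceImage
            SourcePid     = $d.SourceProcessId
            GrantedAccess = $d.GrantedAccess   # e.g. 0x1FFFFF = full access, typical of a dump
        }
    }
}

Get-LsassAccessEvents | Format-Table -AutoSize
```

A procdump.exe (or psexesvc-spawned) SourceImage with a broad GrantedAccess mask in this output is exactly what the command above produces on the target.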

Remove Sharepoint Login Prompt in IE

We have a company SharePoint site which prompts for authentication before logging on. This is a pain, as the information displayed on the initial screen of SharePoint does not need to be restricted (company intranet).


To remove this, you can modify the option in IE to use the local logon credentials (domain PCs). Only add sites you trust to the Local Intranet zone, since automatic logon sends the user's Windows credentials to them:

  1. Tools/Internet Options/Security/Local Intranet/Sites
  2. Add the site to the list, click OK.
  3. Still in Local Intranet, click on "Custom Level" and scroll all the way to the bottom to User Authentication/Logon
  4. Click on "Automatic Logon with current user name and password"
  5. When the user logs on to the site, make sure to tick "remember username/password" when the site asks for credentials

Windows 10 | .Net Framework Install Error 0x800F081F

Ran into this problem while trying to install .NET Framework 3.5 on Windows 10 via "Windows Features". It is most likely the result of a blocked update, because the machine is domain-joined and uses WSUS.

The error message displays when adding the feature from "Turn Windows Features on or off":

“Windows couldn’t complete the requested changes Error code: 0x800F081F”


Trend AV | Tools & Commands

Transferring Trend OfficeScan Client from One Trend Console to Another

\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe -s TrendAV01.domain.com -m 1 -p 8080 -c 49831

Transferring Trend OfficeScan Client from One Trend Console to Another REMOTELY

Download PsExec and copy it to C:\Windows\System32

psexec \\LaptopName -u Domain\ADMUSER -p Passw0rd -i "\\TrendAV01.domain.com\Trend_Antivirus\Tools\TrendClientMove_x86.bat"

TrendClientMove_x86.bat

@ECHO OFF
REM Modifies Trend Update Policy Server to use TRENDAV01.domain.com
\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe -s TrendAV01.domain.com -m 1 -p 8080 -c 49831
Echo Update is now Complete!
Echo Click to Close 
Pause

TrendClientMove_x64.bat

@ECHO OFF
REM Modifies Trend Update Policy Server to use TRENDAV01.domain.com
\\TrendAV01.domain.com\ofcscan\Admin\Utility\IpXfer\ipxfer.exe -s TrendAV01.domain.com -m 1 -p 8080 -c 49831
Echo Update is now Complete!
Echo Click to Close 
Pause

Resetting OfficeScan Password:

Reference: Reset Officescan Password

Trend Uninstall Tools: