Bart's Weblog

Just a blog…

Archive for the ‘Microsoft’ Category

Group Policy Management MMC problem: ‘Wired Network Policy Management’

Posted by bartvdw on 01/06/2018

After testing membership of the ‘Protected Users’ security group (introduced in Windows Server 2012 R2), I was getting the following error after expanding ‘Computer Configuration\Policies\Windows Settings\Security Settings’:

[Image: mmc error protected user gpo wired config]

Keep this in mind when using this group! Unfortunately I’m unable to find documentation about this effect, or have proper logs pointing to this group…

 

References (‘Protected Users’ security group)

Protected Users Security Group
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

How to Configure Protected Accounts
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

 

Posted in Active Directory, GPO, Group Policy, Microsoft, Security, Windows, Windows Server 2012 R2, Windows Server 2016

Windows Server 2016 and Windows Defender

Posted by bartvdw on 30/05/2018

Recently I was working on a recently deployed Windows Server 2016 and opened Task Manager for some reason. Windows Defender processes were taking away quite some CPU, and upon checking in the Settings panel I noticed that all AV scanning features were enabled. The server had third-party AV installed though…

By default Windows Defender is installed on Windows Server 2016, but unlike Windows 10, it doesn’t disable the AV if a third-party AV is detected. Why this is, no idea.

In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.

 

Remove Windows Defender AV using PowerShell:

Uninstall-WindowsFeature -Name Windows-Defender,Windows-Defender-Gui -IncludeManagementTools -Restart:[$false|$True] [-Remove]

* A restart is required after the operation. If you use the -Remove switch, the payload will be removed from the system as well.

 

This removes the Windows Defender AV from the system. Another approach could be to control the functionality through GPO.
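Before removing the feature it is worth confirming that the other AV product is actually running, and doing a dry run first. The following is an added example, not part of the original post; the function name Get-DefenderRemovalReadiness and the service name 'ExampleAvAgent' are placeholders, and the real service name depends on the third-party product.

```powershell
# Added example: pre-check before removing Defender AV from Windows Server 2016.
function Get-DefenderRemovalReadiness {
    param(
        # Assumption: service name of the third-party AV agent (product-specific placeholder).
        [Parameter(Mandatory)][string]$ThirdPartyAvService
    )
    # Feature names as used in the Uninstall-WindowsFeature command above
    $features  = Get-WindowsFeature -Name Windows-Defender, Windows-Defender-Gui
    $installed = @($features | Where-Object { $_.Installed } | ForEach-Object { $_.Name })

    # Get-MpComputerStatus only answers while the Defender feature is present
    $mp  = if ($installed) { Get-MpComputerStatus -ErrorAction SilentlyContinue }
    $svc = Get-Service -Name $ThirdPartyAvService -ErrorAction SilentlyContinue
    $otherAvRunning = [bool]($svc -and $svc.Status -eq 'Running')

    [pscustomobject]@{
        DefenderFeatures = $installed -join ','
        DefenderRealTime = [bool]$mp.RealTimeProtectionEnabled
        OtherAvRunning   = $otherAvRunning
        # Only proceed when Defender is installed AND the replacement is running
        ReadyToRemove    = ($installed.Count -gt 0) -and $otherAvRunning
    }
}

$state = Get-DefenderRemovalReadiness -ThirdPartyAvService 'ExampleAvAgent'
$state
if ($state.ReadyToRemove) {
    # -WhatIf reports what would be removed without changing the server
    Uninstall-WindowsFeature -Name Windows-Defender, Windows-Defender-Gui -IncludeManagementTools -WhatIf
}
```

Drop -WhatIf once the output looks right; if ReadyToRemove is false, the server would be left without any running AV after the removal.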

 

References

Windows Defender Antivirus on Windows Server 2016
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016

 

 

Posted in AV, Microsoft, Security, Windows, Windows Defender, Windows Server 2016

Windows UAC and (mostly) file servers challenge…

Posted by bartvdw on 27/05/2018

Not only on file servers, but on any server hosting data, when you log in and try to access a folder you could get the following popup, even though you are either a member of the local ‘Administrators’ group or of ‘Domain Admins’ (which is nested in local ‘Administrators’ by default):

[Image: uac file server prompt]

When you try to view/edit the security:

[Image: uac security]

This is caused by UAC, which is on by default and which is recommended to keep turned on. You could disable the Admin Approval mode, or disable UAC, but why not make it work as it should without disabling any of the UAC settings?

Create a new AD group, but don’t nest it into ‘Domain Admins’ or the local ‘Administrators’ group of the target server, as you’ll be facing the prompt again.

Add NTFS ACLs for this group as follows:

[Image: uac ntfs acl]

Afterwards you should be fine to access the folder, edit permissions, and so on without the UAC prompt. Alternatively you can always manage the folder remotely using the UNC path without being prompted as well! So no need to turn off UAC at all 🙂

 

Posted in Microsoft, UAC, Windows

SearchOCR.admx error after importing Windows 1803 ADMX files

Posted by bartvdw on 27/05/2018

After you import Windows 1803 ADMX files, you’ll get an error about ‘searchocr.admx’:

Resource ‘$(string.Win7Only)’ referenced in attribute displayName could not be found.
File %path_sysvol%\…\Policies\PolicyDefinitions\searchocr.admx, line 12, column 69

It appears that the Windows 1803 ADMX files do contain a newer version of the ‘SearchOCR.adml’ file, but not of the ADMX itself, which breaks the functionality. Although editing the ADML file can solve the issue, here are some other options:

  • Copy back the ADML from your backup (you back up your ‘PolicyDefinitions’ prior to updating, right?)
  • Copy the ADML from Windows 1511 ADMX files
  • Install ‘Windows TIFF IFilter’ (TIFFIFilter) on a Windows 10/Server 2016 and fetch the ADMX/ADML from there
  • Remove both the ADMX and ADML at once if you haven’t got GPOs for Windows TIFF Filter

According to a post somewhere there are some other ‘orphaned’ ADML files as well, need to have a closer look at those later.

Microsoft published a KB for this on May 22, 2018.
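A mismatch like this, and the ‘orphaned’ ADML files mentioned above, can be found by comparing every `$(string.…)` reference in each ADMX with the string table of its ADML. The following PowerShell is an added example, not code from the original post or from Microsoft; the function name Test-AdmxStringReference is hypothetical, and it assumes the local store under %SystemRoot%\PolicyDefinitions with the en-US language folder (pass the SYSVOL PolicyDefinitions path for a central store).

```powershell
# Added example: report ADMX string references that have no ADML entry,
# ADMX files without a language file, and ADML files without a template.
function Test-AdmxStringReference {
    param(
        # Assumption: local store; use the SYSVOL PolicyDefinitions path for a central store.
        [string]$Path = "$env:SystemRoot\PolicyDefinitions",
        [string]$Language = 'en-US'
    )
    $langDir = Join-Path $Path $Language

    foreach ($admx in Get-ChildItem -Path $Path -Filter *.admx) {
        $admlPath = Join-Path $langDir ($admx.BaseName + '.adml')
        if (-not (Test-Path $admlPath)) {
            [pscustomobject]@{ File = $admx.Name; Problem = 'MissingAdml'; Id = $null }
            continue
        }
        # Collect the string ids defined in the language file (namespace-agnostic XPath)
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($admlPath)
        $defined = New-Object 'System.Collections.Generic.HashSet[string]'
        foreach ($node in $doc.SelectNodes("//*[local-name()='stringTable']/*[local-name()='string']")) {
            [void]$defined.Add($node.GetAttribute('id'))
        }
        # Collect the $(string.X) references used by the template
        $text = Get-Content -Path $admx.FullName -Raw
        $refs = [regex]::Matches($text, '\$\(string\.([^)]+)\)') |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
        foreach ($id in $refs) {
            if (-not $defined.Contains($id)) {
                [pscustomobject]@{ File = $admx.Name; Problem = 'MissingString'; Id = $id }
            }
        }
    }
    # ADML files that have no ADMX next to them
    foreach ($file in Get-ChildItem -Path $langDir -Filter *.adml) {
        if (-not (Test-Path (Join-Path $Path ($file.BaseName + '.admx')))) {
            [pscustomobject]@{ File = $file.Name; Problem = 'OrphanedAdml'; Id = $null }
        }
    }
}

Test-AdmxStringReference | Format-Table -AutoSize
```

With the old searchocr.admx next to the 1803 ADML, this should list searchocr.admx with Problem ‘MissingString’ and Id ‘Win7Only’, which is the reference named in the error message.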

References

“Resource ‘$(string id=Win7Only)’ referenced in attribute displayName could not be found” error when you open gpedit.msc in Windows
https://support.microsoft.com/en-us/help/4292332/error-when-you-open-gpedit-msc-in-windows

How to fix SearchOCS.ADMX Error after upgrade to Windows 1803 ADMX files
https://www.grouppolicy.biz/2018/05/how-to-fix-searchocs-admx-error-after-upgrade-to-windows-1803-admx-files/

Administrative Templates (.admx) for Windows 10
https://www.microsoft.com/en-us/download/details.aspx?id=48257

Posted in Active Directory, ADMX, GPO, Group Policy, Microsoft, Windows, Windows 10, Windows Server 2016

DFS and FQDN in referrals

Posted by bartvdw on 18/05/2018

Recently learned something new, at least it was to me, about DFS and FQDN in referrals.

“The default behavior of DFS is to use NetBIOS names for all network shares that are configured in the DFS Namespace.”

That one I didn’t know… And yes this has a huge performance impact when working for example with Mac OS X clients. After configuring DFS (domain namespace) the time it took to just display the list of folders was much longer than when connecting directly to the file server share. After changing the DFS behavior to use FQDN in referrals, the performance was dramatically improved.

Next there are some more Mac OS X specific configurations to optimize SMB though, testing those as well, but no further changes on DFS level as far as I know today.

 

References

Configure DFS-Namepaces to use Fully Qualified Domain Names – (It’s not the default).
https://markparris.co.uk/2010/03/19/configure-dfs-namepaces-to-use-fully-qualified-domain-names-its-not-the-default/

How to configure DFS to use fully qualified domain names in referrals
https://support.microsoft.com/en-sg/help/244380/how-to-configure-dfs-to-use-fully-qualified-domain-names-in-referrals

Posted in DFS, Microsoft

Best practices for DNS settings on DC and domain members

Posted by bartvdw on 17/07/2013

Very good and to the point summary!

http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Posted in Active Directory, DNS, Microsoft, Windows

WSUS: PoshPAIG (PowerShell Patch Audit/Installation GUI)

Posted by bartvdw on 06/05/2013

PoshPAIG (PowerShell Patch Audit/Installation GUI)
http://poshpaig.codeplex.com

Posted in Microsoft, PowerShell, WSUS

WSUS: Approve all needed updates for a computer group using a member as reference

Posted by bartvdw on 06/05/2013

Approve updates for a computer group using a member as reference (the computer used as reference must be a member of that group); adapt the variables at the beginning of the script to suit your needs (this is not for WSUS on Windows Server 2012!!):

# Load the WSUS administration API and connect ($false = no SSL, port 80)
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus.domain.local',$false,80);
$groupName = "Servers"
$computerName = "reference.domain.local"
# $false = only list the updates that would be approved, $true = approve them
$approveUpdates = $false

# Find the target group among the groups the reference computer belongs to
$group = $null
$computer = $wsus.GetComputerTargetByName($computerName)
$groups = $computer.GetComputerTargetGroups() | foreach-object {
    If ($_.Name -eq $groupName) {
        $group = $_;
    }
}
# Helper to look up a computer group by name (not used below)
Function GetComputerGroupByName ($group) {
    $wsus.GetComputerTargetGroups() | foreach-object {
        if ($_.Name -eq $group) {$_;}
    }
}
if ($group -eq $null) {throw new-object System.Exception($computerName + " doesn't belong to group " + $groupName)}

# Only consider updates the reference computer reports as not installed
$updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope;
$updateScope.IncludedInstallationStates = "NotInstalled"
#$updateScope.ApprovedStates = "NotApproved"

# Approve each needed update for installation on the group, or just list it
$action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install;
$updates = $computer.GetUpdateInstallationInfoPerUpdate($updateScope);
$updates | foreach-object {
    $u = $wsus.GetUpdate($_.UpdateId);
    If ($approveUpdates) {
        $u.Approve($action,$group);
    } else {"Need to approve " + $u.Title}
};

Approve Needed Updates
http://gallery.technet.microsoft.com/e3b33372-1e7f-41ea-ad83-ecc10ba5f0f6

Posted in Microsoft, WSUS

Microsoft SQL Server 2005: Display Fragmentation Information of Data and Indexes of Database Table

Posted by bartvdw on 02/05/2013

SQL SERVER – 2005 – Display Fragmentation Information of Data and Indexes of Database Table
http://blog.sqlauthority.com/2008/01/10/sql-server-2005-display-fragmentation-information-of-data-and-indexes-of-database-table/

Posted in Microsoft, SQL

Microsoft Exchange 2010: How to limit memory usage

Posted by bartvdw on 02/05/2013

How to limit Exchange 2010 memory usage
http://www.bursky.net/index.php/2012/05/limit-exchange-2010-memory-use/

Posted in Exchange, Microsoft