Wednesday, December 19, 2012

WMI Filter for Windows Operating Systems

You can use the following WMI queries to apply GPOs only to a specific operating system. This can prevent problems such as applying a server GPO to a client and vice versa. You can also use them to apply mappings only on client operating systems.


Windows Server 2012 DC
select * from Win32_OperatingSystem where Version like "6.2%" and ProductType = "2"

Windows Server 2012   
select * from Win32_OperatingSystem where Version like "6.2%" and ProductType = "3"

Windows 8   
select * from Win32_OperatingSystem where Version like "6.2%" and ProductType = "1"

Windows Server 2008 R2   
select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "3"

Windows Server 2008 R2 DC   
select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "2"

Windows 7   
select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"

Windows Server 2008   
select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = "3"

Windows Server 2008 DC   
select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = "2"

Windows Vista   
select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = "1"

Windows Server 2003   
select * from Win32_OperatingSystem where Version like "5.2%" and ProductType = "3"

Windows XP   
select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType = "1"

Windows Server 2012 Core Network Companion Guide: Group Policy Deployment

Hi guys,

Microsoft released a guide for deploying GPOs via group membership.
"This guide provides instructions for deploying Group Policy settings to a set of client computers or users by using membership groups rather than account location in the OU hierarchy of a domain."
You can download this guide here.

Roaming profile users experience slow logons on Windows 7

SYMPTOMS:
Roaming profile users experience slow logons on Windows 7.


RESOLUTION:
- Check the network cables, workstation hardware etc. and change it if required.

- Check the size of the profile (Create Quotas via Policy) and delete some files.

- Check if the correct network card drivers are installed on affected workstations.

- Check that the roaming profile network path defined in your policy or user object is working.

- Check that the permissions on the server are set correctly.

- Check this hotfix if you implemented the described scenario in the MS article.


 STEPS FOR THE FUTURE:
- Exclude some folders from roaming to reduce the profile size
Apply the following settings via GPO:
GPO Path: "User Configuration/Policies/Administrative Templates/System/User Profiles"
"Exclude directories in roaming profile" set to "Enabled"
For example type in the following: AppData\Roaming\OpenOffice.org

 - Create Quotas via Policy
GPO Path: "User Configuration/Policies/Administrative Templates/System/User Profiles"
Set the settings for the Policy "Limit profile size"

WDS Error: "PXE-E55: ProxyDHCP service did not reply to request on port 4011"

Hi guys,

if you are getting this error on PXE boot, it could be that your workstation is saved in the WDS database of rejected and approved devices. To delete these entries you can run the following commands on your WDS server.

Wdsutil.exe /delete-autoadddevices /devicetype:rejecteddevices
Wdsutil.exe /delete-autoadddevices /devicetype:approveddevices


Now you are able to image the affected workstations.



Tuesday, November 27, 2012

Windows Server 2012 and Windows 8 Test Lab Guides

Hi all,

the MS TechNet Wiki has a cool article on a Windows Server 2012 test lab. The article contains helpful test lab guides that demonstrate the new features and functionality in Windows Server 2012 and Windows 8.

You can check it here.

Monday, November 26, 2012

Disable an Active Directory account on a schedule

Every AD admin knows this: Request 891237843 -> "Please disable the user XY next Saturday at 12 pm." It's the weekend, so don't waste your time on things like this... Here is a guide for creating a scheduled task that does this job for you!

First create a batch file like this:

dsmod user "CN=Bad Person,OU=Users,DC=companyX,DC=com" -disabled yes

You have to know the user's DN. You can find it in Active Directory Users and Computers (ADUC) in the user's properties. In the properties select the "Attribute Editor" tab and go to "distinguishedName". Double-click it and copy the value. Replace my sample DN CN=Bad Person,OU=Users,DC=companyX,DC=com in the script with your user's DN and save it.

On your DC or on an admin workstation that has DSMOD installed, create a scheduled task that runs the created batch file.

One example for creating a scheduled task on Windows Server 2008 R2:
Open the "Task Scheduler" that is located in "Administrative Tools". Right-click "Task Scheduler Library" and select "Create Task...".

Task Settings:
-General tab
Select "Run whether user is logged on or not"
-Triggers tab
Click on "New..", select "On a schedule" and set the time you want to disable the user.
-Actions tab
Click on "New..", select "Start a program" and "Browse" to your created batch file.

Confirm all by clicking "OK" and entering your credentials or credentials from a task user.

Note: The account that runs the task needs the required rights to disable a user account.

Thursday, October 18, 2012

Explore Google data center

Video: Explore a Google data center with Street View 



You can also explore Google's data center on your own in Street View.

Tuesday, October 16, 2012

Windows 7: How to Remove Games link from Start Menu with Group Policy

- Create a new GPO and link it under the OU that the user is located.

- Go to User Configuration, Policies, Administrative Templates, Start Menu and Taskbar and enable "Remove Games link from Start Menu".

...

- You can also apply the following to prevent the user from accessing the A, B, C and D drives and to hide them in My Computer.

- Go to User Configuration, Policies, Administrative Templates, Windows Components/Windows Explorer. Now enable "Hide these specified drives in My Computer" and Restrict A, B, C and D drives only. Also enable "Prevent access to drives from My Computer" and Restrict A, B, C and D drives only.


Note:
If the user is an administrator the policy will not be set.

Friday, October 12, 2012

Windows 8: Unattend Installation using WDS

---Setup---
 
- Download the ISO file for Windows 8 from the Microsoft Homepage.

- Extract the "Install.wim" and "boot.wim" with 7zip or another tool. The WIM files are located in the "sources" folder.

- Rename the Install.wim i.e. to Win8.ENT.EN and add it to your WDS Server.
Win8 = Windows 8
ENT=Enterprise
EN=English

- Add the boot.wim as boot image also to your server.

- On your server go to "\RemoteInstall\Images\Basic Images\" and create a folder with the same name as your image, "Win8.ENT.EN".

- In the folder "Win8.ENT.EN" create a folder named "Unattend".

- Open Notepad, copy in the following text and save it as ImageUnattend.xml in the "Unattend" folder. You have to change the domain join, time zone and locale settings.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ComputerName>*</ComputerName>
            <TimeZone>W. Europe Standard Time</TimeZone>
        </component>
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <Identification>
                <Credentials>
                    <Domain>YOURdomain.com</Domain>
                    <Password>PW678231bn!8</Password>
                    <Username>domainjoin</Username>
                </Credentials>
                <JoinDomain>YOURdomain.com</JoinDomain>
            </Identification>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <InputLocale>de-de</InputLocale>
            <UILanguage>de-de</UILanguage>
            <UserLocale>de-de</UserLocale>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <NetworkLocation>Work</NetworkLocation>
                <ProtectYourPC>1</ProtectYourPC>
            </OOBE>
            <Themes>
                <DefaultThemesOff>true</DefaultThemesOff>
            </Themes>
            <UserAccounts>
                <AdministratorPassword>
                    <Value>AdminPW123!</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
                <LocalAccounts>
                    <LocalAccount wcm:action="add">
                        <Password>
                            <Value>AdminPW123!</Value>
                            <PlainText>true</PlainText>
                        </Password>
                        <Description>Admin Account</Description>
                        <DisplayName>Admin</DisplayName>
                        <Group>Administrators</Group>
                        <Name>admin</Name>
                    </LocalAccount>
                </LocalAccounts>
            </UserAccounts>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="wim:d:/install.wim#Windows 8 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>


- The image will be automatically linked to your xml file.

- For HDD disk configuration settings you have to add a second xml. Save the following XML to "\RemoteInstall\WdsClientUnattend" and name it Unattend64.xml

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
        <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <DiskConfiguration>
                <WillShowUI>OnError</WillShowUI>
                <Disk wcm:action="add">
                    <CreatePartitions>
                        <CreatePartition wcm:action="add">
                            <Order>1</Order>
                            <Type>Primary</Type>
                            <Extend>true</Extend>
                        </CreatePartition>
                    </CreatePartitions>
                    <ModifyPartitions>
                        <ModifyPartition wcm:action="add">
                            <Active>true</Active>
                            <Format>NTFS</Format>
                            <Label>System</Label>
                            <Letter>C</Letter>
                            <Order>1</Order>
                            <PartitionID>1</PartitionID>
                        </ModifyPartition>
                    </ModifyPartitions>
                    <DiskID>0</DiskID>
                    <WillWipeDisk>true</WillWipeDisk>
                </Disk>
            </DiskConfiguration>
            <WindowsDeploymentServices>
                <Login>
                    <Credentials>
                        <Domain></Domain>
                        <Username></Username>
                        <Password></Password>
                    </Credentials>
                </Login>
                <ImageSelection>
                    <WillShowUI>OnError</WillShowUI>
                    <InstallImage>
                        <ImageName></ImageName>
                        <ImageGroup></ImageGroup>
                        <FileName></FileName>
                    </InstallImage>
                    <InstallTo>
                        <DiskID>0</DiskID>
                        <PartitionID>1</PartitionID>
                    </InstallTo>
                </ImageSelection>
            </WindowsDeploymentServices>
        </component>
    </settings>
</unattend>


- After this open the WDS console, go to the "Client" tab, select "Enable unattended installation" and choose your created xml file for "ia64 architecture" and "x64 architecture". For ia64 change the XML.

- The user who starts the installation has to enter his credentials and choose the uploaded Windows 8 image. You can also point to an image and provide the credentials in the XML.


---Settings that will be applied----

Admin Account => PW = AdminPW123!, Name = admin
<LocalAccounts>
    <LocalAccount wcm:action="add">
        <Password>
            <Value>AdminPW123!</Value>
            <PlainText>true</PlainText>
        </Password>
        <Description>Local Admin</Description>
        <DisplayName>Admin</DisplayName>
        <Group>Administrators</Group>
        <Name>admin</Name>
    </LocalAccount>
</LocalAccounts>

Computer name => Random
<ComputerName>*</ComputerName> 
For using the prestaged computer object in Active Directory use the following
<ComputerName>%machinename%</ComputerName>

Locale/Language => Germany for other locations see Windows Locale Codes
<InputLocale>de-de</InputLocale>
<UILanguage>de-de</UILanguage>
<UserLocale>de-de</UserLocale>


---Notes---

You can create your own XML with encrypted user passwords etc. using the Windows ADK.
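Both XML files above are readable by every client that boots from the WDS server, and ImageUnattend.xml carries the domain join and local admin passwords with PlainText set to true. The following PowerShell is an added example, not part of the original post: it lists where an unattend file stores credentials without printing them. The function name, the sample XML and the D: drive in the usage comment are assumptions.

```powershell
# Added example (not from the original post). Reports where an unattend XML
# stores credentials, without printing the secrets themselves.
function Find-UnattendSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$XmlText,
        [string]$Source = '(inline)'
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)

    # local-name() matches the elements regardless of namespace prefix.
    $xpath = "//*[local-name()='Password' or local-name()='AdministratorPassword']"

    foreach ($node in $doc.SelectNodes($xpath)) {
        $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
        if ($null -ne $valueNode) {
            # Shape: <Password><Value>..</Value><PlainText>..</PlainText></Password>
            $secret    = $valueNode.InnerText
            $plainNode = $node.SelectSingleNode("*[local-name()='PlainText']")
            # Treated as cleartext unless PlainText is explicitly false.
            $isPlain   = ($null -eq $plainNode) -or ($plainNode.InnerText.Trim() -ne 'false')
        }
        else {
            # Shape: <Credentials><Password>text</Password></Credentials>
            $secret  = $node.InnerText
            $isPlain = $true
        }
        # Empty placeholders (as in the WDS client unattend file) are not findings.
        if ([string]::IsNullOrEmpty($secret.Trim())) { continue }

        if ($node.LocalName -eq 'AdministratorPassword') {
            $account = 'Administrator (built-in)'
        }
        else {
            # Domain join / WDS login use <Username>, local accounts use <Name>.
            $nameNode = $node.ParentNode.SelectSingleNode(
                "*[local-name()='Username' or local-name()='Name']")
            $account = if ($null -ne $nameNode) { $nameNode.InnerText } else { '(unknown)' }
        }

        $component = $node.SelectSingleNode("ancestor::*[local-name()='component'][1]")
        $settings  = $node.SelectSingleNode("ancestor::*[local-name()='settings'][1]")
        $compName  = if ($null -ne $component) { $component.GetAttribute('name') } else { '' }
        $pass      = if ($null -ne $settings)  { $settings.GetAttribute('pass') }  else { '' }

        # PlainText=false values written by Windows SIM are Base64-encoded,
        # which hides them from a casual reader but is not encryption.
        $storage = if ($isPlain) { 'cleartext' } else { 'Base64-encoded (reversible)' }

        [pscustomobject]@{
            Source    = $Source
            Pass      = $pass
            Component = $compName
            Element   = $node.LocalName
            Account   = $account
            Storage   = $storage
        }
    }
}

# Constructed sample with the same structure as ImageUnattend.xml above.
# All values are placeholders.
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials>
          <Domain>example.test</Domain>
          <Password>CONSTRUCTED-join-secret</Password>
          <Username>domainjoin</Username>
        </Credentials>
      </Identification>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <UserAccounts>
        <AdministratorPassword>
          <Value>CONSTRUCTED-admin-secret</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password>
              <Value>Q09OU1RSVUNURUQ=</Value>
              <PlainText>false</PlainText>
            </Password>
            <Name>admin</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

Find-UnattendSecret -XmlText $sample -Source 'constructed sample' | Format-Table -AutoSize

# To scan a WDS server (the drive letter is an assumption):
# Get-ChildItem 'D:\RemoteInstall' -Recurse -Filter *.xml | ForEach-Object {
#     Find-UnattendSecret -XmlText (Get-Content -Raw $_.FullName) -Source $_.FullName }
```

Every row reported for the domain join account is a reason to give that account no rights beyond joining computers to the domain.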


Friday, September 21, 2012

WDS: WDS can not start Error 0x2740

Error message:
An error occurred while trying to start the Windows Deployment Services server.

 Error Information: 0x2740


This error can occur because your site is using a DC without the GC role.

You can solve the issue by:

Making your local DC a GC.
or
Pointing to your local DC and to a GC:
-Open the WDS console and right-click on the server name.
-Select Properties and choose the Advanced tab.
-Type in your local DC and a GC that can be reached from the local site.

Tuesday, August 21, 2012

Windows Server 2008: E-MAIL AD Account Lockout Notification

Hi,
today I want to show you one way to set up account lockout notification: a scheduled task triggered by an event starts a batch file that sends a mail via blat.exe.

-Download the blat.exe

-Set the Mail server settings with the blat.exe on your server. For help type in blat.exe /?

-Create the LockoutALL.bat and copy the blat.exe to "c:\EventLogs" on your DC.
AccountLockoutSend.bat
del c:\EventLogs\4740.txt
wevtutil.exe qe Security /q:*[System[EventID=4740]] /rd:true /c:1 /f:text >> c:\EventLogs\4740.txt
c:\EventLogs\blat.exe c:\EventLogs\4740.txt -to Tim@companyX.com -subject "Account Lockout Company X"

-Create a new scheduled task and set "Run whether user is logged on or not".

-Go to the "Trigger" tab and select "New", choose "Begin the task: On an event". Event details -> Log: Security, Source: Microsoft-Windows-Security-Auditing, Event ID: 4740

-In the "Actions" tab choose the "LockoutALL.bat".

-Save the task.
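The batch file mails the whole text of the newest 4740 event under a fixed subject. The following PowerShell is an added example, not part of the original post: it reads the same event as XML and builds a subject that names the locked account and the computer the failed logons came from. The function names and the sample event are assumptions; the sample event is constructed.

```powershell
# Added example (not from the original post). Turns one 4740 event, given as
# event XML, into an object and a mail subject naming account and source.

# Values from the event end up in a mail header, so drop control characters
# (CR/LF included) and cap the length before using them.
function Get-SafeHeaderText {
    param([string]$Text)
    $t = ($Text -replace '[\x00-\x1F\x7F]', ' ').Trim()
    if ($t.Length -gt 64) { $t.Substring(0, 64) } else { $t }
}

function ConvertFrom-LockoutEventXml {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $idNode = $doc.SelectSingleNode('/e:Event/e:System/e:EventID', $ns)
    if ($null -eq $idNode -or $idNode.InnerText -ne '4740') {
        Write-Verbose 'Not a 4740 account lockout event, skipping.'
        return
    }

    # EventData is a list of <Data Name="...">value</Data> pairs.
    $data = @{}
    foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    $timeNode     = $doc.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns)
    $computerNode = $doc.SelectSingleNode('/e:Event/e:System/e:Computer', $ns)

    $account = Get-SafeHeaderText $data['TargetUserName']
    # In event 4740 the TargetDomainName field holds the caller computer name.
    # It is reported by the client, so it is informational, not proof of origin.
    $caller  = Get-SafeHeaderText $data['TargetDomainName']

    [pscustomobject]@{
        TimeUtc        = $timeNode.GetAttribute('SystemTime')
        LockedAccount  = $account
        CallerComputer = $caller
        ReportedBy     = $computerNode.InnerText
        Subject        = "Account Lockout Company X: $account from $caller"
    }
}

# Constructed sample event (placeholder names and SID).
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2012-08-21T07:15:02.000000000Z" />
    <Channel>Security</Channel>
    <Computer>DC01.companyX.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">PC00100</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">COMPANYX</Data>
  </EventData>
</Event>
'@

$lockout = ConvertFrom-LockoutEventXml -EventXml $sampleEvent
$lockout | Format-List

# On the DC, inside the scheduled task, the newest event can be read and mailed
# with the blat.exe call from the batch file above:
# $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1
# $lockout = ConvertFrom-LockoutEventXml -EventXml $evt.ToXml()
# & 'c:\EventLogs\blat.exe' 'c:\EventLogs\4740.txt' -to 'Tim@companyX.com' -subject $lockout.Subject
```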

Tuesday, July 17, 2012

User Provisioning App for Exchange mailbox, Active Directory and Lync accounts

Hi guys,

this is a cool tool for User Account provisioning in your Microsoft environment.
"Z-Hire automates the IT account creation process for Exchange mailbox, Active Directory, Lync accounts and Office 365 cloud deployments. With just a click of the button, your Exchange mailbox, and Active directory and Lync accounts will be created simultaneousy. This app can also create and set custom settings for Office 365 accounts using templates. Z-Hire serves as the platform for new hire accounts by allowing auto-creation of major IT accounts with the option for custom scripts. Z-hire will increase your account deployment time by 600%, without the need for complicated and expensive identity management solutions. Some of the features include:
- Environment Auto discovery (AD/Exchange/Lync)
- Support for Active Directory, Exchange, Lync 2010 and Office 365 accounts
- Template based deployment (allows consistency for all user accounts)
- Office 365 account creation with major attributes
- Active Directory account creation with major attributes
- Active Directory group selection
- Active Directory duplicate SamAccountName verification
- Lync 2010 account creation supporting all policies
- Faster performance (compared to previous version)
- Best of all, it's freeware!"
Download Link:
Z-Hire-Employee-Provisionin App

Tuesday, June 26, 2012

Remote Server Administration Tools (RSAT) for Windows 8

"Remote Server Administration Tools for Windows 8 Release Preview includes Server Manager, Microsoft Management Console (MMC) snap-ins, consoles, Windows PowerShell cmdlets and providers, and command-line tools for managing roles and features that run on Windows Server 2012. In limited cases, the tools can be used to manage roles and features that are running on Windows Server 2008 R2 or Windows Server 2008. Some of the tools work for managing roles and features on Windows Server 2003"

Thursday, June 21, 2012

ADUC: Add the Remote Install Tab in Win7/Vista and the option to add the GUID by creating Computer

After installing RSAT...
Copy the following files from a Windows Server 2008, or from a Windows Server 2008 R2 if you are using a 64bit system:
imadmui.dll
imadmui.dll.mui

Save the following as RemoteTab.bat

@echo off

echo This program will add the option to type in the GUID by adding Computer accounts with ADUC and add also the Remote Install tab hf TIM
echo.

xcopy imadmui.dll "%systemroot%\system32\" /e /y > nul:
xcopy imadmui.dll.mui "%systemroot%\system32\EN-US\" /e /y > nul:
regsvr32 "%systemroot%\system32\imadmui.dll" /s

exit


Put the three files in the same folder and double-click the "RemoteTab.bat".
If you get an Access Denied message, turn off UAC, reboot the system and try again.

Friday, June 15, 2012

Free ebooks from Microsoft Press

Free ebook: Introducing Windows Server 2012 (based on Beta)
http://go.microsoft.com/FWLink/?Linkid=251464

Free ebook: Introducing Microsoft SQL Server 2012
http://blogs.msdn.com/b/microsoft_press/archive/2012/03/15/free-ebook-introducing-microsoft-sql-server-2012.aspx

Free ebook: Introducing Microsoft SQL Server 2008 R2
http://blogs.msdn.com/b/microsoft_press/archive/2010/04/14/free-ebook-introducing-microsoft-sql-server-2008-r2.aspx

Free ebook: Introducing Windows Server 2008 R2
http://blogs.msdn.com/b/microsoft_press/archive/2009/10/20/free-ebook-introducing-windows-server-2008-r2.aspx

Free ebook: Understanding Microsoft Virtualization Solutions (Second Edition)
http://blogs.msdn.com/b/microsoft_press/archive/2010/02/16/free-ebook-understanding-microsoft-virtualization-r2-solutions.aspx

Free eBook: Microsoft Office 365: Connect and Collaborate Virtually Anywhere, Anytime
http://blogs.msdn.com/b/microsoft_press/archive/2011/08/17/free-ebook-microsoft-office-365-connect-and-collaborate-virtually-anywhere-anytime.aspx

Free ebook: First Look Microsoft Office 2010
http://blogs.msdn.com/b/microsoft_press/archive/2010/01/20/free-ebook-first-look-microsoft-office-2010.aspx

Free ebook: Security and Privacy for Microsoft Office Users
http://blogs.msdn.com/b/microsoft_press/archive/2012/02/29/free-ebook-security-and-privacy-for-microsoft-office-users.aspx

Free ebook: Deploying Windows 7, Essential Guidance
http://blogs.msdn.com/b/microsoft_press/archive/2009/10/16/free-e-book-deploying-windows-7-essential-guidance.aspx

Free ebook: Moving to Microsoft Visual Studio 2010
http://blogs.msdn.com/b/microsoft_press/archive/2010/09/13/free-ebook-moving-to-microsoft-visual-studio-2010.aspx

Free ebook: Programming Windows Phone 7, by Charles Petzold
http://blogs.msdn.com/b/microsoft_press/archive/2010/10/28/free-ebook-programming-windows-phone-7-by-charles-petzold.aspx






Tuesday, June 5, 2012

WDS: Error Code 0xc1420127 when trying to add drivers to the boot image

If you are trying to add a driver to your boot image and you receive the following error:

Error Occurred while trying to execute this command.
Error Code: 0xc1420127


The following steps should solve the issue:
-Clear the temp directories
-Open the registry, go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WIMMount\Mounted Images" and delete the keys below it
-If the error still appears, restart the WDS service

Tuesday, May 8, 2012

Powershell: Get a list with Username and Mail address from AD

Get a list with Username and Mail address. The output of the query will be saved in "c:\mail.txt".

Download-Link:
http://gallery.technet.microsoft.com/Get-a-list-with-Username-9a908c37/file/57193/1/GetUserMail.txt

(Import-Module ActiveDirectory required)

Sample Output:

SamAccountName    Mail
--------------    ----
User1             User1@corp.de
User2             User2@corp.nl
User3             User3@corp.fr

Tuesday, April 24, 2012

Windows: Can´t minimize Windows 7 RDP window

To solve this problem, do the following steps:

Go to "System Properties/Advanced", "Performance" and click on "Settings".
On "Visual Effects", select "Custom:" and deselect "Animate windows when minimizing and maximizing".













Regards,
Tim

AD: Map a printer via Group Policy Preferences (GPP)

Hi,
find attached a short manual for mapping a printer via GPP.

-Create a printer object on print server i.e. P_X555
-Create a local group "lg-prt-P_X555 Users" and give it Print access on the printer object on the server.
-Create a global group "gg-prt-Map P_X555" and nest "lg-prt-P_X555 Users" in it.
-Create a GPO for printers i.e. "ALL Printers Location1"
    -Delete Authenticated Users from GPO scope and add "lg-prt-P_X555 Users"
-Go to the server, right-click the printer P_X555, select "Deploy with Group Policy..." and browse to the created GPO "ALL Printers Location1"

Finally add users to "gg-prt-Map P_X555" and the printer will be mapped.

NOTE: For XP you must download the pushprinterconnection.exe and build a policy that points to the exe. Then add the local group to the scope of the policy. To use GPP with XP, download and install (or push via WSUS) the following KB: http://www.microsoft.com/download/en/details.aspx?id=3628 . For Vista: http://www.microsoft.com/en-us/download/details.aspx?id=15198

Wednesday, April 11, 2012

Windows: Rename a computer locally and remotely


You can rename a Computer by logging on to the computer or via your admin workstation remotely.

LOCALLY:
1. Open System Properties from Control Panel.
2. In the Computer Name, Domain, And Workgroup Settings section, click "Change Settings".
3. If you are prompted by User Account Control, click "Continue".
4. On the "Computer Name" tab, click "Change".
5. Type the new name and click "OK" twice to close the dialog boxes.
6. Restart the computer to allow the change to take effect.


REMOTELY:
In Command Prompt, you can use the NetDom command with the following syntax:
netdom renamecomputer machinename /newname:newname  /reboot:30


EXAMPLE:

C:\>netdom renamecomputer PC00100 /NewName:PC00010
This operation will rename the computer PC00100
to PC00010.

Certain services, such as the Certificate Authority, rely on a fixed machine
name. If any services of this type are running on PC00100,
then a computer name change would have an adverse impact.

Do you want to proceed (Y or N)?
y
The computer needs to be restarted in order to complete the operation.

The command completed successfully.

Tuesday, March 27, 2012

Windows Server 2008 R2: KMS for Windows and Office


KMS for Office 2010

-Download the KeyManagementServiceHost.exe
-Open KeyManagementServiceHost.exe
-Type in the KMS key

Client VL for Win 7
Vista Business / Vista Enterprise, Win7 Professional / Win7 Enterprise

KMS A
Windows Web Server 2008 / Windows Server 2008 HPC Edition / Client VL

KMS B
Windows Server 2008 Standard / Windows Server 2008 Enterprise / Client VL

KMS C
Windows Server 2008 Datacenter / Windows Server 2008 for Itanium-based Systems / Client VL


Showing status for Office only:
slmgr.vbs /dlv bfe7a195-4f8f-4f0b-a622-cf13c7d16864



KMS for Windows
Type in the KMS key with the parameter:
slmgr.vbs /ipk 12345-12345-12345-12345-12345

Activate the KMS key:
slmgr.vbs /ato



Showing status for Windows KMS Hosts:
slmgr.vbs /dlv
slmgr.vbs /dlv all


You can also check the KMS Events in the Eventviewer:

Monday, March 26, 2012

WDS: Integrate a languagepack with DISM


Show the index you have to use:
Dism /get-wiminfo /wimfile:C:\images\Win7.Ent.EN-EN.WIM


Dism /Mount-WIM /WimFile:C:\Images\Win7.Ent.EN-EN.WIM /Index:"1" /MountDir:C:\mount


Now download the language pack you want to integrate and create a directory C:\Scratch, because the files have to be saved temporarily.


Dism /Image:C:\mount /ScratchDir:C:\Scratch /add-package /packagepath:C:\Languagepacks\lpGER.cab


Command to show information about the installed language packs.
Dism /Image:C:\mount /get-Intl



Optionally, you can add other language packs if you want.

To save the changes you have to unmount the image.
Dism /Unmount-WIM /MountDir:C:\mount /Commit

------------------------------------------------------------------------------------------------------------
Set a standard Input System and User-Locale in the XML file
For a standard Input-, System- and User-Locale edit the ImageUnattend.xml:


For German 32bit

<component name="Microsoft-Windows-International-Core" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<InputLocale>de-DE; en-US</InputLocale>
<SystemLocale>de-DE</SystemLocale>
<UserLocale>de-DE</UserLocale>
</component>



For English 32bit

<component name="Microsoft-Windows-International-Core" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<InputLocale>en-US; de-DE</InputLocale>
<SystemLocale>en-US</SystemLocale>
<UserLocale>en-US</UserLocale>
</component>

WDS: Integrate a hotfix using DISM



1.Check Index of the wim file
Dism /get-wiminfo /wimfile:c:\images\install.WIM


2.Mount image
Dism /mount-wim /wimfile:c:\images\install.wim /mountdir:c:\mount /index:1


3.Expand the Hotfix with 7zip and extract the cab file



4.Add the cab file to the wim
Dism /image:c:\mount /add-package /Packagepath:c:\hotfix\Windows6.1-KB2028749-x86.cab


5.Unmount image and commit changes
Dism /unmount-wim /mountdir:c:\mount /Commit

AD: MSI Software Rollout via GPO with groups


In ADUC
Create a global group named "GG-Workstations Department X"
Create a local group in ADUC named "LG-Software XY 9.1.0" and add it to "GG-Workstations Department X"
Add the local group "LG-Software XY 9.1.0" to the Software folder.

In GPO management
Create a gpo for the Software and link it to the right OU
Under the Scope tab, Security Filtering: remove Authenticated Users and add the local group
Right click on the policy and click Edit
Expand Computer Management>Policies>Software Settings>Software installation
Right click Software installation click New> package
Browse to the package
Click Advanced
General Tab: Type in the Software Name, Version, language and location
Deployment: Set "Uninstall this application when it falls out of the scope of management", Click Advanced and set "Ignore language when deploying this package"
Modifications: For MST files
Security: Remove Authenticated Users (Click Advanced, choose Authenticated Users and deselect Include inheritable… Click Add, after this Apply and click Yes), add the local group

ADUC: Additional account info in Active Directory Users and Computers

Hi guys,
to get additional account info in ADUC, follow these steps:

Download the files:
-acctinfo.dll
-lockoutstatus.exe

Create a shortcut for ADUC that runs in 32bit context:

Save the files to the same location.

For 32bit use the following cmd

@echo off


echo This program will register the Acctinfo tab Add-on to AD Users and Computers and integrate the lockoutstatus.exe hf TIM
echo.


xcopy lockoutstatus.exe "%systemroot%\system32\" /e /y > nul:
xcopy acctinfo.dll "%systemroot%\system32\" /e /y > nul:
regsvr32 "%systemroot%\system32\acctinfo.dll" /s


exit


For 64bit use this

@echo off


echo This program will register the Acctinfo tab Add-on to AD Users and Computers and integrate the lockoutstatus.exe hf TIM
echo.


xcopy dsa32.lnk "%systemdrive%\Users\%username%\desktop\" > nul:
xcopy lockoutstatus.exe "%systemroot%\syswow64\" /e /y > nul:
xcopy acctinfo.dll "%systemroot%\syswow64\" /e /y > nul:
regsvr32 "%systemroot%\syswow64\acctinfo.dll" /s


exit



After you run the cmd restart ADUC and it will give you a new tab:




Thursday, March 22, 2012

AD: GPO Disable Games in Windows XP


Open GPO Management, create a new GPO and go to:
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies
Right-click "Additional Rules" and click on "New Path Rule..."

Now type in the following paths:
%SystemRoot%\system32\freecell.exe
%SystemRoot%\system32\mshearts.exe
%SystemRoot%\system32\sol.exe
%SystemRoot%\system32\spider.exe
%SystemRoot%\system32\winmine.exe
C:\Program Files\MSN Gaming Zone
C:\Program Files\Windows NT\Pinball\PINBALL.EXE

AD: Powershell cmdlets


Add-ADDomainControllerPasswordReplicationPolicy
Add-ADGroupMember
Clear-ADAccountExpiration
Disable-ADOptionalFeature
Enable-ADOptionalFeature
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADComputerServiceAccount
Get-ADDomain
Get-ADDomainControllerPasswordReplicationPolicy
Get-ADFineGrainedPasswordPolicy
Get-ADForest
Get-ADGroupMember
Get-ADOptionalFeature
Get-ADPrincipalGroupMembership
Get-ADServiceAccount
Get-ADUserResultantPasswordPolicy
Move-ADDirectoryServer
Move-ADObject
New-ADFineGrainedPasswordPolicy
New-ADObject
New-ADServiceAccount
Remove-ADComputer
Remove-ADDomainControllerPasswordReplicationPolicy
Remove-ADFineGrainedPasswordPolicySubject
Remove-ADGroupMember
Remove-ADOrganizationalUnit
Remove-ADServiceAccount
Rename-ADObject
Restore-ADObject
Set-ADAccountControl
Set-ADAccountPassword
Set-ADDefaultDomainPasswordPolicy
Set-ADDomainMode
Set-ADForest
Set-ADGroup
Set-ADOrganizationalUnit
Set-ADUser
Unlock-ADAccount

AD: Active Directory Tools

Onboard


Event Logs

DCDIAG
Domain controller diagnostic tool

NETDIAG
Shows issues with the DC network

DNSLINT
For checking DNS

NETSH
DHCP, Network options

Repadmin
Replication tool


Data Collector Sets
Performance Diagnostics for AD, System and more.




FREE Third Party Tools


AD Topology Diagrammer(Visio required)

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=13380

AD Tidy Free Edition
Query AD for the last logged on attributes of user/computer accounts. Move, delete and more options available.
http://www.cjwdev.co.uk/Software/ADTidy/Info.html

AD Info Free Edition
Query AD for Information about AD objects
http://www.cjwdev.co.uk/Software/ADReportingTool/Info.html

LIZA
Analyse ACL on Active Directory
http://www.ldapexplorer.com/en/liza.htm

LUMAX
LDAP Explorer and Maintenance
http://www.ldapexplorer.com/en/lumax.htm

ADUC: Create a custom LDAP Query


To create a custom Saved Query, follow these steps.

  1. Right-click Saved Queries and click New > Query
  2. Type in a name for your saved query, such as "Search"
  3. Click the Define Query button
  4. Under the Find drop-down list, select Custom Search
  5. Click the Advanced tab
  6. Type in your query
 

Some examples of LDAP queries:

Finds all disabled User Accounts

Finds all groups that have no members

Finds all locked out User Accounts
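
As an added example (not the original post's own queries), these are widely used LDAP filters for the three searches listed above. The same filter strings can be pasted into the Advanced tab of a saved query; here they are run through the ActiveDirectory PowerShell module, which is assumed to be installed.

```powershell
# Added example: common LDAP filters for the three searches named above.
# Assumes the ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

$filters = [ordered]@{
    # Bit 0x2 (ACCOUNTDISABLE) of userAccountControl, tested with the
    # bitwise-AND matching rule 1.2.840.113556.1.4.803
    'Disabled user accounts'   = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'

    # Groups whose member attribute holds no values. Membership that comes
    # only from primaryGroupID (e.g. Domain Users) is not stored in member,
    # so such groups also match.
    'Groups without members'   = '(&(objectCategory=group)(!(member=*)))'

    # lockoutTime is non-zero once an account was locked out. It is not
    # cleared when the lockout duration expires, so review before acting.
    'Locked-out user accounts' = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'
}

foreach ($name in $filters.Keys) {
    $hits = @(Get-ADObject -LDAPFilter $filters[$name] -Properties sAMAccountName, whenChanged)
    '{0}: {1} object(s)' -f $name, $hits.Count
    $hits | Sort-Object whenChanged |
        Select-Object sAMAccountName, whenChanged, DistinguishedName |
        Format-Table -AutoSize
}
```

For the current lock state rather than the raw attribute, `Search-ADAccount -LockedOut` evaluates the lockout duration as well.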

Windows Server: Printserver Migration from 2003 to 2008


For a migration, do the following steps:

1. Cleanup the old server.
2. !!!Update all Drivers to x86 and x64 on the old server!!! The x86 and x64 drivers must be the same. Use Universal Print Driver if you can.
Link HP:
http://h20271.www2.hp.com/SMB-AP/cache/380442-0-0-14-121.html
Link Lexmark:
http://www1.lexmark.com/en_US/software/upd/index.shtml
Link Brother:
http://welcome.solutions.brother.com/BSC/public/us/us/en/faq/faq/000000/002700/000074/faq002774_000.html?reg=us&c=us&lang=en&prod=mfc9010cn_us
3. Expand the tree, then right-click Print Servers and click Add/Remove Servers.
4. Enter the name of the print server you want to migrate the printers from and select Add to List, then click Apply.
5. Right-click the server, select Export Printers to a File and save that file.
6. After the export is complete, right-click your new server in the tree.
7. Select Import Printers from a File, and select the export.
8. Follow the wizard…

AD: Well known SIDs in Active Directory


---FOR USERS---

User                 Well known SID
Creator Owner        S-1-3-0
Administrator        S-1-5-21domain-500
Guest                S-1-5-21domain-501
KRBTGT               S-1-5-21domain-502
Interactive          S-1-5-4
Anonymous            S-1-5-7

---FOR GROUPS---

Group                                      Well known SID
Everyone                                   S-1-1-0
Enterprise Domain Controllers              S-1-5-9
Authenticated Users                        S-1-5-11
Domain Admins                              S-1-5-21domain-512
Domain Users                               S-1-5-21domain-513
Domain Computers                           S-1-5-21domain-515
Domain Controllers                         S-1-5-21domain-516
Cert Publishers                            S-1-5-21domain-517
Schema Admins                              S-1-5-21domain-518
Enterprise Admins                          S-1-5-21domain-519
Group Policy Creator Owners                S-1-5-21domain-520
Administrators                             S-1-5-32-544
Users                                      S-1-5-32-545
Guests                                     S-1-5-32-546
Account Operators                          S-1-5-32-548
Server Operators                           S-1-5-32-549
Print Operators                            S-1-5-32-550
Backup Operators                           S-1-5-32-551
Replicators                                S-1-5-32-552
Pre-Windows 2000 Compatible Access         S-1-5-32-554
Remote Desktop Users                       S-1-5-32-555
Network Configuration Operators            S-1-5-32-556
Incoming Forest Trust Builders             S-1-5-32-557
Enterprise Read-only Domain Controllers    S-1-5-21domain-498
Read-only Domain Controllers               S-1-5-21domain-521
Allowed RODC Password Replication Group    S-1-5-21domain-571
Denied RODC Password Replication Group     S-1-5-21domain-572
Event Log Readers                          S-1-5-32-573
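
One practical use of the table, as an added example that is not part of the original post: privileged groups and accounts can be renamed or localized, but their SIDs cannot, so an audit should look them up by SID. "domain" in the table stands for the domain's own identifier (the three values after S-1-5-21), which the script reads from the directory; the ActiveDirectory module is assumed.

```powershell
# Added example: audit privileged groups and accounts by well-known SID/RID.
# Assumes the ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Schema Admins (518) and Enterprise Admins (519) exist only in the forest root domain
$root   = Get-ADDomain -Identity (Get-ADForest).RootDomain

# Domain groups: domain SID + RID from the table. BUILTIN groups: fixed S-1-5-32-* SIDs.
$groups = @(
    @{ Sid = "$($domain.DomainSID)-512"; Server = $domain.DNSRoot }  # Domain Admins
    @{ Sid = "$($root.DomainSID)-518";   Server = $root.DNSRoot }    # Schema Admins
    @{ Sid = "$($root.DomainSID)-519";   Server = $root.DNSRoot }    # Enterprise Admins
    @{ Sid = 'S-1-5-32-544';             Server = $domain.DNSRoot }  # Administrators
    @{ Sid = 'S-1-5-32-548';             Server = $domain.DNSRoot }  # Account Operators
    @{ Sid = 'S-1-5-32-549';             Server = $domain.DNSRoot }  # Server Operators
    @{ Sid = 'S-1-5-32-551';             Server = $domain.DNSRoot }  # Backup Operators
)

$report = foreach ($g in $groups) {
    $group   = Get-ADGroup -Identity $g.Sid -Server $g.Server
    $members = @(Get-ADGroupMember -Identity $group -Server $g.Server -Recursive)
    [pscustomobject]@{
        Sid         = $g.Sid
        CurrentName = $group.Name        # shows a renamed or localized group
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap

# Built-in Administrator (RID 500) and KRBTGT (RID 502): current name,
# whether the account is enabled, and how old its password is
foreach ($rid in 500, 502) {
    Get-ADUser -Identity "$($domain.DomainSID)-$rid" -Properties PasswordLastSet, LastLogonDate |
        Select-Object SID, SamAccountName, Enabled, PasswordLastSet, LastLogonDate
}
```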





Wednesday, March 21, 2012

AD: Create a Fine-Grained Password Policy

Req.: Windows Server 2008


-Open ADSI Edit
-Go to CN=System, CN=Password Settings Container
-Right-click and select New>Object
-Select the class msDS-PasswordSettings and click Next
-Enter the values: msDS-MinimumPasswordAge (format Days:Hours:Minutes:Seconds) 01:00:00:00
-Assign this policy to a group:

Right-click the object
Go to the attribute msDS-PSOAppliesTo
Click Edit and select Add Windows Account. Type in the group name.
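
The same policy can be created and checked from PowerShell. This is an added example, not part of the original post: it assumes the ActiveDirectory module (Windows Server 2008 R2 or later), and the policy name, group name and every value except the one-day minimum password age are hypothetical samples.

```powershell
# Added example: create a PSO, link it to a group, and verify what applies.
# Assumes the ActiveDirectory module; names and most values are sample data.
Import-Module ActiveDirectory

$psoName = 'PSO-ServiceDesk'       # hypothetical policy name
$group   = 'ServiceDesk-Admins'    # hypothetical global security group

# TimeSpan strings here use d.hh:mm:ss (ADSI Edit expects d:hh:mm:ss)
$settings = @{
    Name                            = $psoName
    Precedence                      = 10             # lower value wins if several PSOs apply
    MinPasswordAge                  = '1.00:00:00'   # the 01:00:00:00 value from the steps above
    MaxPasswordAge                  = '60.00:00:00'
    MinPasswordLength               = 14
    PasswordHistoryCount            = 24
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    LockoutThreshold                = 5
    LockoutObservationWindow        = '0.00:30:00'
    LockoutDuration                 = '0.00:30:00'
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @settings

# Same effect as adding the group to msDS-PSOAppliesTo in ADSI Edit
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify: a directly linked or higher-precedence PSO can override this one,
# and $null means only the default domain policy applies to that user.
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $name = if ($effective) { $effective.Name } else { '(default domain policy)' }
        [pscustomobject]@{
            User            = $_.SamAccountName
            EffectivePolicy = $name
            AsExpected      = ($name -eq $psoName)
        }
    }
```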



WDS: Setup WDS with wdsutil

After adding the WDS role to your Windows Server 2008 R2, you can set up WDS using a cmd file. Copy your images and unattend files to the server.

WDSUTILSetup.cmd

rem Initialize the server and set the RemoteInstall folder
wdsutil /Initialize-Server /RemInst:F:\RemoteInstall

rem "All" also answers unknown computers; /AnswerClients:Known limits answers to prestaged ones
wdsutil /Set-Server /AnswerClients:All

rem Add the boot and capture images
wdsutil /Add-Image /ImageFile:"C:\boot.wim" /ImageType:Boot
wdsutil /Add-Image /ImageFile:"C:\capture.wim" /ImageType:Boot

rem Create an image group and add the install image to it
wdsutil /Add-ImageGroup /ImageGroup:BasicImages
wdsutil /Add-Image /ImageFile:"C:\Install.wim" /ImageType:Install /ImageGroup:BasicImages

rem Enable the unattend file for x86 clients
wdsutil /Set-Server /WdsUnattend /Policy:Enabled /File:Unattendx86.xml /Architecture:x86

WDS: Integrate drivers into a WIM file with DISM


1. Download and install WAIK

2. Mount the image
Create the folders "Images" and "mount" on c:\
BOOT.WIM =>
dism /mount-wim /WimFile:c:\Images\boot.wim /index:2 /MountDir:c:\mount

INSTALL.WIM =>
dism /mount-wim /WimFile:c:\Images\Install.wim /index:1 /MountDir:c:\mount

3. Manage drivers
3.1 List drivers
dism /image:c:\mount /get-drivers

3.2 Add drivers
3.2.1 From a single *.inf
dism /image:c:\mount /add-driver /driver:c:\HP7700\heki.inf
3.2.2 From a specified folder
Add /recurse to install all drivers in a folder.
Example:
dism /image:c:\mount /add-driver /driver:c:\drv /recurse

3.3 Delete a driver
3.3.1 Show driver info
dism /image:c:\mount /get-driverinfo /driver:oem1.inf
3.3.2 Delete the driver
Dism /Image:c:\mount /remove-driver /Driver:oem1.inf

4. Unmount the image
Dism /unmount-wim /MountDir:c:\mount /commit

5. Add the image to WDS
Delete the old image and add the new one.
If you only replace the old image, sometimes the changes will not be applied.
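
A driver injected into a deployment image ends up on every machine built from it, so it is worth checking the driver folder before step 3.2. The following is an added example, not part of the original post: it reuses the paths from the steps above, assumes an elevated PowerShell prompt, and assumes each driver's catalog (.cat) sits in the same folder as its INF.

```powershell
# Added example: verify driver catalogs, then mount, inject and commit.
# Paths are the ones used in the steps above; run elevated.
$wim     = 'c:\Images\Install.wim'
$index   = 1
$mount   = 'c:\mount'
$drivers = 'c:\drv'

# 1. Every catalog must carry a valid Authenticode signature ...
$unsigned = Get-ChildItem $drivers -Recurse -Filter *.cat |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -ne 'Valid' }

# ... and every INF must have a catalog next to it (assumption: same folder)
$noCatalog = Get-ChildItem $drivers -Recurse -Filter *.inf |
    Where-Object { -not (Get-ChildItem $_.DirectoryName -Filter *.cat) }

if ($unsigned -or $noCatalog) {
    $unsigned  | Select-Object Path, Status, StatusMessage | Format-List
    $noCatalog | ForEach-Object { "No catalog next to $($_.FullName)" }
    throw 'Driver folder failed the signature check; image not modified.'
}

# 2. Mount the image and stop if DISM reports an error
dism /mount-wim "/WimFile:$wim" "/index:$index" "/MountDir:$mount"
if ($LASTEXITCODE -ne 0) { throw "Mount failed ($LASTEXITCODE)" }

# 3. Inject the drivers; commit only on success, otherwise discard the changes
dism "/image:$mount" /add-driver "/driver:$drivers" /recurse
if ($LASTEXITCODE -eq 0) {
    dism "/image:$mount" /get-drivers          # record what the image now contains
    dism /unmount-wim "/MountDir:$mount" /commit
} else {
    dism /unmount-wim "/MountDir:$mount" /discard
    throw 'add-driver failed; changes discarded.'
}
```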

WDS: Skiprearm in Win7 Sysprep Process

Normally you can only capture a Windows 7 image three times. With the following XML you can skip the rearm process and capture an unlimited number of times!



skiprearm.xml:
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="generalize">
<component name="Microsoft-Windows-Security-Licensing-SLC" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SkipRearm>1</SkipRearm>
</component>
</settings>
<cpi:offlineImage cpi:source="wim:c:/Tims/install.wim#Windows 7 ENTERPRISE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>



Save the file to c:\Windows


Invoke sysprep like this:
sysprep /generalize /oobe /shutdown /unattend:c:\Windows\skiprearm.xml

WDS: Activate Office 2010 after Imaging

This works for an English OS. For other languages change "Program Files".

For Win XP
Create "actOffice10en.bat" under D:\RemoteInstall\Images\ImageGroup\WinXP\$OEM$\$1\adm

actOffice10en.bat
rem Start the Office Software Protection Platform service
net start "osppsvc"
rem cscript.exe lives in system32
cd /d c:\windows\system32
rem Activate Office 2010
cscript.exe "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act

Add the entry in sysprep.inf
[GuiRunOnce]
Command1=c:\adm\actOffice10en.bat

For Win7
Create the SetupComplete.cmd under D:\RemoteInstall\Images\ImageGroup\Win7\$OEM$\$$\Setup\Scripts

SetupComplete.cmd
net start "sppsvc"
rem cscript.exe lives in system32
cd /d c:\windows\system32
rem Activate Office 2010
cscript.exe "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act

Windows: Create a custom MMC for Administration




Type mmc.exe in the Start search box.
Click on File and select Add/Remove Snap-in...
Select the Snap-Ins you want to use.

Click Save As to save your custom console.