Category Microsoft Server 2016

WSUS – GPO and Windows 10 / Server 2016 Registry Settings

You create a WSUS GPO and apply it to the Computers.

Now how do you validate its working

Open the registry and browse to :
computer\HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

 

The GPO for WSUS should populate the registry with following values

WUServer …updates server
WUStatusServer…update
UpdateServicesURLAlternate

These values should match the GPO settings for WSUS.

WSUS and Windows 10 – Clients not checking in or checking in and then disappearing

Clients not checking in or checking in and then disappearing

Cloned images – SUSCLIENTID is not reset with Sysprep!!!

This needs to be done if your creating a template for Windows 2016 and Windows 10 in a virtual environment.

So if you have deployed servers from template already, do the following fix. Or if you realised before deployment, just delete the reg keys before converting the virtual machine to a template.

Solutions / Fix

Stop Windows Update service

 

Open up regedit

Browse to  : computer\hklm\software\microsoft\windows\currentversion\windowsupdate

Delete susclientID
Delete susclientidvalid

Start Windows Update service

Open up command prompt as admin on the effected Window 2016 or Window 10 client, if the image has already been deployed

type

c:\windows\system32\UsoClient.exe RefreshSettings

The clients should then check in and create a new SusClientId and SusClientIdValidation

 

WSUS and Windows 10 Clients – UsoClient.exe

So, you deploy a GPO to Window 10 clients, but your in a hurry to get the clients to check in…

As a SysAdmin for many years I would log on to a client, open command prompt and type :

wuauclt /detectnow  (Windows 7 / Windows Server 2008/2012 clients)

 

In Windows 10 you will notice that it doesn’t do anything and doesn’t show you anything. (As shown above)

(confirmed on https://blogs.technet.microsoft.com/yongrhee/2017/11/09/wuauclt-detectnow-in-windows-10-and-windows-server-2016/)

An example of “Whats New” in Windows 10, and Windows Server 2016 To check or scan “Windows Update” from the command prompt :
CMD (Run As Administrator)
c:\windows\system32\

UsoClient.exe startscan

And there is more switches….

  1. StartScan – Used To Start Scan
  2. StartDownload – Used to Start Download of Patches
  3. StartInstall – Used to Install Downloaded Patches
  4. RefreshSettings  – Refresh Settings if any changes were made
  5. StartInteractiveScan  – May ask for user input and/or open dialogues to show progress or report errors
  6. RestartDevice – Restart device to finish installation of updates
  7. ScanInstallWait – Combined Scan Download Install
  8. ResumeUpdate – Resume Update Installation On Boot

List Computer Object in an Active Directory OU using PowerShell

How to get a list of computer objects in an active directory OU ( tested against Windows 2016 Active Directory )

A quick PowerShell script using Get-ADComputer  command, a wild card filter and a search base pointing to a specific OU

 

First import modules for active directory in powershell

 

Copy and edit the script below:

## cmd

## dsquery computer -name servername (server name in the OU to get the OU path)

#Example lists domain controller in test.com

#Export list of names to CSV

Get-ADComputer -Filter * -SearchBase “OU=Domain Controllers,DC=test,DC=com” | Select Name | export-csv C:\temp\DCs.csv

 

( Like the post click and advert of interest to give us support)

Sysinternals – Permissions, LoggedOn, Endpoints

How to Get the permission on folders:
PowerShell:
Get-ChildItem | Get-ACL
Path | Owner | Access

or more in depth use:

GUI based : Run AccessEnum against the drive or folder – (SysInternals tool) and save to text file (Run as administrator or a specific user)

Who is logged on via the resource shares:
Launch cmd and run PSLoggedon (SysInternals tool)
Displays :
1) Users logged on locally
2) Users logged on via resource shares

List TCP and UDP Endpoints connected
Run TCPView application (SysInternals tool) and save to text file

Ever need to identify the before and after changes in Active Directory
Use : ADExplorer (SystInternals tool)

Download Sysinternals 
https://docs.microsoft.com/en-gb/sysinternals/downloads/sysinternals-suite

Suggested top 10 sysinternals tools
https://www.techrepublic.com/blog/10-things/10-sysinternals-tools-you-shouldnt-be-without/
See an advert of interest, CLICK IT!  This site is funded by AD clicks.

Client failed to RDP to RDS server following Windows Server Patching – CredSSP updates for CVE-2018-0886

CredSSP updates for CVE-2018-0886

That Monday morning issue when servers were patched on a Sunday… All Windows 10 clients fail to RDP to the RDS server following Windows Server Patching.

The cause?

“By default, after this update is installed, patched clients cannot communicate with unpatched servers. Use the interoperability matrix and group policy settings described in this article to enable an “allowed” configuration.”

https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Temp Solution until clients are patched

Create a registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters

CredSSP and Parameters keys had to be created
Create the AllowEncryptionOracle DWORD and give it a value of 2

or Command lined:

REG  ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

 

Tested on Windows 7 and Windows 10.
No reboot required.

Note this reduces the security the patch was put in to fix

See an advert of interest, CLICK IT!  This site is funded by AD clicks.

Check / Set / Sync Time Source for Windows Servers

To set the time ( Tested against Windows 2016)

Launch CMD as administrator
exampled c:\time 09:00:00 AM   – This will set the time to 9am

Note a time source if domain joined will up date the time clock again
Check the source
c:\w32tm /query /status Will show the time “Source”

To set an internet based NTP

c:\w32tm /config /syncfromflags:manual /manualpeerlist:”0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org
3.pool.ntp.org”

This will take effect after stopping and starting the W32Time service

Powershell….
stop-service w32time
start-service w32time

for settings to take effect

check status
c:\w32tm /query /status Will show the new time “Source”

To check sync is working
c:\w32tm /resync (Check the time sync)

 

See an advert of interest, click it, this site is funded by ad clicks.

Get-AdUser -Filter {Multiple Filters Complex } -Properties | Export to CSV

#Import AD modules

import-module servermanager
Add-WindowsFeature -Name “RSAT-AD-PowerShell” -IncludeAllSubFeature

#List AD user accounts and show DisplayName, Email, Title and export to CSV

Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Title | select DisplayName, EmailAddress, Title | Export-CSV “C:\temp\Email_Addresses.csv”

#List AD user accounts and show DisplayName, Email, Title and export to CSV. Advanced filter to show ENABLED accounts only

Get-ADUser -Filter {Enabled -eq $true} -Properties DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | select DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | Export-CSV “C:\temp\Email_Addresses_allusers.csv”

#List AD user accounts and show DisplayName, Email, Title and export to CSV. Advanced filter to show ENABLED accounts only and email address ending @test.com

Get-ADUser -Filter {(Enabled -eq $true) -And (EmailAddress -Like “*@test.com”)} -Properties DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | select DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | Export-CSV “C:\temp\Email_Addresses_testdomain.csv”

Get a list of inactive computers which have not logged on to the domain in the last 12 weeks

# Inactive computers ( this will include systems not regularly used)

# Launch command prompt as administrator and run the following commands

Dsquery computer -inactive 12 -limit 500

# Lists computers inactive for over 12 weeks and returns a limit of 500 results

Dsquery computer -inactive 12 -limit 500 | dsmod computer -disabled

# Lists computers inactive for over 12 weeks and returns a limit of 500 results and disables the computer accounts

 

# Similar command can be done for users.

 

Get a list of active computers which have logged on to the domain in the last 7 days

# Trying to work out is servers, laptops or desktops have been decommissioned
# Try this script
# Get a list of active computers which have logged on to the domain in the last 7 days

$Date = (Get-Date).AddDays(-7)
Get-ADComputer -Filter {LastLogonDate -gt $Date} | Select distinguishedName

# https://social.technet.microsoft.com/Forums/windows/en-US/4d412730-5937-48c2-bf17-0dc9db013241/list-active-computers-in-ad?forum=winserverDS
# Credit to Richard Mueller – MVP Enterprise Mobility (Directory Services)