Category Microsoft Windows Server 2008

Check / Set / Sync Time Source for Windows Servers

To set the time (tested against Windows 2016)

Launch CMD as administrator
Example: c:\>time 09:00:00 AM   – This will set the time to 9am

Note: if the server is domain joined, its time source will update the clock again.

Check the source
c:\>w32tm /query /status   – Will show the time “Source”

To set an internet based NTP

c:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"

This will take effect after stopping and starting the W32Time service.

PowerShell:
Stop-Service w32time
Start-Service w32time

Check status
c:\>w32tm /query /status   – Will show the new time “Source”

To check sync is working
c:\>w32tm /resync   – Check the time sync
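
To check the “Source” on more than one server without reading the output by eye, the status text can be parsed. This is an added example, not part of the original post; the function name and the sample output are constructed, and it assumes the English field names that w32tm prints.

```powershell
# Added example: turn "w32tm /query /status" output into an object and flag
# a server that is still keeping time from its own clock.
# Assumes the English field names w32tm prints ("Source", "Stratum", ...).
function ConvertFrom-W32tmStatus {
    param([string[]]$Lines)

    $fields = @{}
    foreach ($line in $Lines) {
        # Split on the first colon only: time values contain colons too.
        $name, $value = $line -split ':\s*', 2
        if ($value) { $fields[$name.Trim()] = $value.Trim() }
    }

    [pscustomobject]@{
        Source         = $fields['Source']
        Stratum        = $fields['Stratum']
        LastSync       = $fields['Last Successful Sync Time']
        # These two sources mean no external time server is in use.
        UsesLocalClock = $fields['Source'] -match 'Local CMOS Clock|Free-running System Clock'
    }
}

# Constructed sample output, so the parser can be tried on any machine.
$sample = @'
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Last Successful Sync Time: 01/06/2021 09:00:00
Source: 0.pool.ntp.org
Poll Interval: 10 (1024s)
'@ -split '\r?\n'

ConvertFrom-W32tmStatus -Lines $sample

# On a live server:
# ConvertFrom-W32tmStatus -Lines (w32tm /query /status)
```

A server reporting UsesLocalClock as True after the restart has not picked up the configured peer list, which matters for Kerberos and for lining up log timestamps between machines.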

 


Get a list of inactive computers which have not logged on to the domain in the last 12 weeks

# Inactive computers ( this will include systems not regularly used)

# Launch command prompt as administrator and run the following commands

Dsquery computer -inactive 12 -limit 500

# Lists computers inactive for over 12 weeks and returns a limit of 500 results

Dsquery computer -inactive 12 -limit 500 | dsmod computer -disabled yes

# Lists computers inactive for over 12 weeks and returns a limit of 500 results and disables the computer accounts

 

# A similar command can be run for users.
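
The same clean-up with a review step before anything is disabled, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; Get-StaleAdAccount and the CSV path are names chosen for this example.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module
# (RSAT). Get-StaleAdAccount and the CSV path are names chosen for this example.
Import-Module ActiveDirectory

function Get-StaleAdAccount {
    param(
        [int]$Weeks = 12,
        [ValidateSet('Computer', 'User')][string]$Type = 'Computer',
        [int]$Limit = 500
    )
    # -ComputersOnly / -UsersOnly are switches; splat the one that applies.
    $scope = if ($Type -eq 'Computer') { @{ ComputersOnly = $true } } else { @{ UsersOnly = $true } }

    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days (7 * $Weeks)) @scope |
        Where-Object Enabled |          # skip accounts that are already disabled
        Select-Object -First $Limit
}

$stale = Get-StaleAdAccount -Weeks 12 -Type Computer

# 1. Keep a record of what is about to change.
$stale | Select-Object Name, DistinguishedName, LastLogonDate |
    Export-Csv -Path C:\temp\stale-computers.csv -NoTypeInformation

# 2. Dry run: -WhatIf lists the accounts that would be disabled and changes nothing.
$stale | Disable-ADAccount -WhatIf

# 3. After reviewing the CSV, remove -WhatIf to disable the accounts.
```

The inactivity data comes from lastLogonTimestamp, which by default is only refreshed every 9 to 14 days, so treat results near the cut-off as approximate. Use -Type User for the user accounts.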

 

Hide Folders Under Share with Access Based Enumeration

So today’s challenge: hide folders under a share from users who don’t have access.

Example

We create some new shares. Folders are then created under the share and NTFS permissions set.

Share Name : Shared Folder

Folder :

  • IT (NTFS Permissions – IT group Only)
  • HR (NTFS Permissions – HR group Only)
  • PAYROLE (NTFS Permissions – Payrole group Only)
  • ALL USERS (NTFS Permissions – HR Only)

I created a share. When logged in as a user, I could see all the folders under the shared folder.
As you would expect, I could only open the folders I had access to.

So, is this suitable? It doesn’t let users into folders they don’t have access to, but it does tell them which folders are there.

So this is where “Access Based Enumeration” might come in. This feature hides folders from users that do not have permission to that folder.
Access based enumeration (ABE) came out in Windows Server 2008.

How to setup Access Based Enumeration:

  • Launch “SERVER MANAGER” (Server 2012 or Server 2016)
  • Click on “FILE AND STORAGE SERVICES”
  • Click on “SHARES”
  • Right click on each share you want to set ABE, select “PROPERTIES”
  • Click “SETTINGS”
  • Click “ENABLE ACCESS BASED ENUMERATION”

The next time a user logs in and views the share, they will only see the folders under the share that they have permissions to. The folders they don’t have permission to will not appear.
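
The same setting can be checked and applied from PowerShell. This is an added example, not part of the original post; it uses the SmbShare cmdlets that ship with Server 2012 and later, and 'Shared Folder' is the example share name used above.

```powershell
# Added example, not from the original post. Uses the SmbShare cmdlets
# (Server 2012 and later). 'Shared Folder' is the example share from this post.
$shareName = 'Shared Folder'

# 1. Which ordinary (non-administrative) shares still show every folder?
Get-SmbShare -Special $false |
    Where-Object FolderEnumerationMode -eq 'Unrestricted' |
    Select-Object Name, Path, FolderEnumerationMode

# 2. Turn ABE on for one share and confirm the setting.
Set-SmbShare -Name $shareName -FolderEnumerationMode AccessBased -Force
Get-SmbShare -Name $shareName | Select-Object Name, FolderEnumerationMode

# 3. ABE only hides what NTFS already denies, so list who holds an Allow
#    entry on each folder under the share. A broad group such as
#    BUILTIN\Users inherited from the parent keeps a folder visible to everyone.
$sharePath = (Get-SmbShare -Name $shareName).Path
Get-ChildItem -Path $sharePath -Directory | ForEach-Object {
    $folder = $_
    (Get-Acl -Path $folder.FullName).Access |
        Where-Object AccessControlType -eq 'Allow' |
        Select-Object @{ n = 'Folder'; e = { $folder.Name } },
                      IdentityReference, FileSystemRights, IsInherited
} | Format-Table -AutoSize
```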

—Always try things in a lab environment, always seek further information before implementing from the vendor i.e Microsoft.com —

Differences between Roaming Profiles and ProfileimagePath

We have an RDS cluster; everything is working fine.

We use roaming profiles, redirection to a share is working as well.

When a user logs on to any RDS node we can see a user folder appear in E:\Users\ of the RDS Server.

When I checked the registry, I can see 2 keys about profiles :
– you can see that the redirection is OK : Centralprofile (in my example \\Sharename\…)
– you can see a ProfileImagePath to E:\Users

So what is :
– A ProfileImagePath ?
– A CentralProfile ?

E:\Users\<username> is the local cache of the roaming profile.  I’ve never seen a setting to avoid caching of the profile on the local system entirely.

There is a group policy setting to automatically delete the cached copy upon user logout. It’s under Computer Configuration->Policies->Administrative Templates->System->User Profiles->Delete cached copies of roaming profiles.

Plus side: This avoids using disk space for caching the users’ profiles.

Down side:
It will probably increase the logon time as the full profile will have to copy every time.
When testing, this also cleared out the cache from a custom application which didn’t write back to the roaming profile.

Group Policy – Add the Administrator security group to roaming users profiles

Tested on Windows 2008 R2

Create a GPO – “Add the Administrator security group to roaming users profiles”

The setting is under “Computer Configuration > Policies > Administrative Templates > System > User Profiles” and applies to Windows XP / 2003 or later.

Add the Administrator security group to roaming users profiles

This setting adds the administrator ACL to the user’s roaming profile path on the server when it is first created.

Administrators are able to view users’ profiles without the need to take ownership.

Enable this option as soon as possible. This setting does NOT apply retrospectively to existing users’ profiles: it only applies the administrators group to the roaming profile when it is created on the server for the first time.

Original detail posted by Alan Burchill

 

Check if an AD user has a roaming profile configured (PowerShell) – OneScript Team

This script queries specified Active Directory users to check whether or not a roaming profile is configured.

Scenarios

IT admins may care about which users have a roaming profile configured. This script can help IT admins check whether or not a roaming profile is configured.

Script

Step 1: Run the script in the Windows PowerShell Console, type the command: Import-Module <Script Path> at the prompt.  For example, type Import-Module C:\Script\CheckIfProfileExists.psm1

This is shown in the following figure.

Step 2: Type the command Get-Help Get-OSCADUserRoamingProfile -Full to display the entire help file for this function, such as the syntax, parameters, or examples.

OneScript Team

Temp Profile issue 2008 R2 RDS using roaming profiles

Issue
Some of our users keep getting logged on with a temporary profile.

Scenario
We have an RDS cluster using Windows 2008 R2 x64 and users are set up with roaming profiles.

Profiles go to \\server\users\%username%. Intermittently the folder is being created in the profile share but the folder is empty.

Permissions checked OK. Shares checked OK.

Cause
Possibly caused by a server crash corrupting the profiles instead of a natural logoff allowing the profile to write back.

Solution
Browse the registry on your terminal server under: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Look for any keys under ProfileList with an extension “.bak”
Select the key and click delete (export or back up any keys first, before making changes or deletions).

Solution found here : http://www.brianmadden.com/
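
The ProfileList entries discussed here, and the ProfileImagePath and CentralProfile values from the roaming profile post above, can be listed and backed up before any key is deleted. This is an added example, not part of the original post; the backup file name is chosen for this example and the script deletes nothing.

```powershell
# Added example, not from the original post. Lists every profile entry on
# this server and exports the whole ProfileList key; nothing is deleted.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$entries = Get-ChildItem -Path $profileList | ForEach-Object {
    $values = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        KeyName          = $_.PSChildName
        # Local cached copy of the profile (e.g. under E:\Users).
        ProfileImagePath = $values.ProfileImagePath
        # Roaming profile location on the share; empty for local profiles.
        CentralProfile   = $values.CentralProfile
        # A user SID contains no dot, so a dot means the key carries an extension.
        HasExtension     = $_.PSChildName -like 'S-1-5-21-*.*'
    }
}
$entries | Format-Table -AutoSize

# Export the key first so a deleted entry can be restored.
# The file name below is chosen for this example.
$backup = "C:\temp\ProfileList-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' $backup /y

# Keys to look at by hand before deleting anything.
$entries | Where-Object HasExtension
```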

 

Change user command to switch a Terminal Services server to Install mode.

KB 320185

How to put a Terminal Services server in Install mode.

You will need to switch to install mode, to install or remove programs on a terminal server.

The method I use the most is :
Open command prompt as administrator

Type:         change user /install
This will change the server to install mode.

Now you’re ready to install applications.

Switch Terminal Services to Execute Mode, when you are finished adding or removing programs.

Open command prompt as administrator

Type:         change user /execute

Users can now log in and start using the new applications

For Loop command to list users with sessions on servers

Problem: Users/admins disconnect from sessions on servers. How do you get a list of users logged on to the servers, both active and disconnected?

Simple Solution!

Create a file called servers.txt   – save in c:\temp

(possibly dsquery computer -name * >servers.txt    note: you will need to delete all detail except the server name)

Create a batch file called: listloggedinUsers.bat   – save in c:\temp

In the listloggedinUsers.bat type the following

for /f %%s in (c:\temp\servers.txt) do (echo %%s & qwinsta /server:%%s)

Save the bat file

Load command prompt as administrator.

Type
c:\temp\listloggedinusers.bat >> users_date_time.txt

This output shows all 3389 connections, i.e. RDP sessions.

 

Create or Remove A Static Route in a Microsoft Windows OS

Route traffic via a specific NIC and IP in most Microsoft Windows operating systems.

Quick guide to create a static route in windows or remove a static route in a windows OS.

List static routes
Administrator command prompt
route print

Create a Static Route
Administrator command prompt
Add example :
route add -p 192.168.10.31 mask 255.255.255.255 192.168.1.1 if 2 metric 5

“if” is the number of the network card to route through.
“metric” is the cost of the route, used when calculating the fastest, most reliable, and least expensive routes.
-p makes the route persistent.
ipconfig /all (Shows the NIC for “if” number.)

Deleting a Static Route
Administrator command prompt
Delete example :
route delete 192.168.10.31