Search This Blog
Showing posts with label Windows2012. Show all posts
Showing posts with label Windows2012. Show all posts

Tuesday, September 05, 2017

Deploy .pfx cert embedded in script (a sort of 'cat << EOF' for windows)

@echo off
::
::  
:: In order to prepare the certificate please run
:: 'certutil -encode the_pfx_cert base_64_cert`
:: then paste the base_64_cert in the section below
:: Please note that the certificate password has to be given as start paramater to this script!
:: (eq: "cert-inst.bat S3cr3tPassw0rd")

:: If the cert was already installed, exit
REG QUERY HKCU\SOFTWARE\neXt /v CertInstalled
If %errorlevel%==0 goto :eof

:: define the temp name of the extracted cert
set extractedfile=%temp%\extract-%random%.txt

:: set the password needed to decode the cert
set certpasswd=%~1

:: separate the cert from this script
call:extractembedded embeddedfile %extractedfile%

:: process the extracted file
certutil -decode %extractedfile% %extractedfile%.pfx

certutil -f -user -p %certpasswd% -importpfx %extractedfile%.pfx

:: clean-up
::del %extractedfile% %extractedfile%.pfx

:: leave a trace in the registry, so the cert will not be installed again and again
REG ADD HKCU\SOFTWARE\neXt /v CertInstalled /t REG_DWORD /d 1

:: clean exit
exit /b

:: begin of the embed cert & extraction procedure
:: After the next line, please paste the "base_64_cert" created by certutil -encode
goto:embeddedfile
-----BEGIN CERTIFICATE-----
MIIMngIBAzCCDGQGCSqG
[...]
k05EzAQIFXJaGHOuxZcCAggA
-----END CERTIFICATE-----
:embeddedfile
:: before the previous line you can find the end of the "base_64_cert"

:: cert extraction procedure
:extractembedded
setlocal EnableDelayedExpansion
set embedbegin=goto:%~1
set embedend=:%~1
set embedcert=%~2
if exist %embedcert% del %embedcert%
set tmprndfile=%temp%\%random%.%random%
findstr /n ^^ "%~f0" > %tmprndfile%
call :seekembed < %tmprndfile%
del %tmprndfile%
exit /B
:seekembed
set oneline=:eof
set /P oneline=
if !oneline! == :eof goto nostart
set oneline=!oneline:*:=!
if not !oneline! == %embedbegin% goto seekembed
:getline
set oneline=:eof
set /P oneline=
if !oneline! == :eof goto nostop
set oneline=!oneline:*:=!
if !oneline! == %embedend% goto :eof
echo/!oneline!>> %embedcert%
goto getline
:nostart
echo Error finding start delimiter %embedbegin%
goto :eof
:nostop
echo Error finding stop delimiter %embedend%
goto :eof

at 1 comment:
Labels: , , , , , , ,

Tuesday, January 03, 2017

TS - FR keyboard by default

Keyboard
Data collected on: 4/21/2015 1:44:16 PM
General
Details
Domain
domain.local
Owner
DOMAIN\Admins du domaine
Created
4/21/2015 1:32:00 PM
Modified
4/21/2015 1:42:44 PM
User Revisions
18 (AD), 18 (sysvol)
Computer Revisions
1 (AD), 1 (sysvol)
Unique ID
{0E240A4C-8A26-4761-8907-DB164F024AFC}
GPO Status
Enabled
Links
Location
Enforced
Link Status
Path
TS
No
Enabled
domain.local/Member Servers/TS

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name
Allowed Permissions
Inherited
NT AUTHORITY\Authenticated Users
Read (from Security Filtering)
No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Read
No
NT AUTHORITY\SYSTEM
Edit settings, delete, modify security
No





No
Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
System/Group Policy
Policy
Setting
Comment
User Group Policy loopback processing mode
Enabled
Mode:
Merge
User Configuration (Enabled)
Preferences
Windows Settings
Registry
2 (Order: 1)
General
Action
Update
Properties
Hive
HKEY_CURRENT_USER
Key path
Keyboard Layout\Preload
Value name
2
Value type
REG_SZ
Value data
00000409
Common
Options
Stop processing items on this extension if an error occurs on this item
No
Run in logged-on user's security context (user policy option)
No
Remove this item when it is no longer applied
No
Apply once and do not reapply
No
1 (Order: 2)
General
Action
Update
Properties
Hive
HKEY_CURRENT_USER
Key path
Keyboard Layout\Preload
Value name
1
Value type
REG_SZ
Value data
00000c0c
Common
Options
Stop processing items on this extension if an error occurs on this item
No
Run in logged-on user's security context (user policy option)
No
Remove this item when it is no longer applied
No
Apply once and do not reapply
No
ShowStatus (Order: 3)
General
Action
Update
Properties
Hive
HKEY_CURRENT_USER
Key path
Software\Microsoft\CTF\LangBar
Value name
ShowStatus
Value type
REG_DWORD
Value data
0x4 (4)
Common
Options
Stop processing items on this extension if an error occurs on this item
No
Run in logged-on user's security context (user policy option)
No
Remove this item when it is no longer applied
No
Apply once and do not reapply
No
Label (Order: 4)
General
Action
Update
Properties
Hive
HKEY_CURRENT_USER
Key path
Software\Microsoft\CTF\LangBar
Value name
Label
Value type
REG_DWORD
Value data
0x0 (0)
Common
Options
Stop processing items on this extension if an error occurs on this item
No
Run in logged-on user's security context (user policy option)
No
Remove this item when it is no longer applied
No
Apply once and do not reapply
No
AutoAdjustDeskBand (Order: 5)
General
Action
Update
Properties
Hive
HKEY_CURRENT_USER
Key path
Software\Microsoft\CTF\MSUTB
Value name
AutoAdjustDeskBand
Value type
REG_DWORD
Value data
0x0 (0)
Common
Options
Stop processing items on this extension if an error occurs on this item
No
Run in logged-on user's security context (user policy option)
No
Remove this item when it is no longer applied
No
Apply once and do not reapply
No

at No comments:
Labels: , , , , , ,

Monday, July 04, 2016

Your system administrator does not allow the use of saved credentials to log on to the remote computer RDP terminal server because its identity is not fully verified.

In order to use saved RDP or Terminal Server credentials you need to do the following:

1. On the local machine, Open Group Policy Editor via Run -> gpedit.msc
2. Navigate to Local Computer Policy>Computer Configuration>Administrative Templates>System>Credentials Delegation

3.Open Setting Allow Delegating Saved Credentials with NTLM-only Server Authentication, set it to Enabled click on button Show... and in Show Contents window add Value TERMSRV/*. Close the windows by pressing OK.

*Repeat step 3 on the following settings:
Allow Delegating Default Credentials
Allow Delegating Saved Credentials
Allow Delegating Default Credentials with NTLM-only Server Authentication

4. Open comman prompt and enter gpupdate /force command to update your policy.


at No comments:
Labels: , , ,

Monday, April 04, 2016

Space "Magically" missing on Win 2012 drives

An apparently (almost) empty drive might show low space but looking at the files found that only a few GB was being consumed. Upon checking on the drive turned on show hidden on the server in a folder called System Volume Information.

The System Volume Information folder is a hidden system folder that the System Restore tool (XP, Vista/7/8) uses to store its information and restore points, it is also used by shadow copies for  backups and other purposes on Windows 2003/2008 and 2012. There is a System Volume Information folder on every partition on your computer.

So how do you reclaim the space? Well there are two ways either through the GUI or the command line to recover space that system restore is not using. Special Note: if you do this on SQL servers it will stop the MSSQL service.

CLI Method

Open a command prompt with the “Run as Administrator” option. Type in vssadmin list shadowstorage

As you can see the output shows used Space, Allocated Space and Maximum Space.

We can also see what available restore information is available by running vssadmin list shadows

So now let’s get to reclaiming the space on one of the drives. In the issue I had with disappearing space was with the F:\ drive. So to reclaim it I want to resize the maximum allocated space setting to 1 GB. The syntax is:

vssadmin resize shadowstorage /on=[here add the drive letter]: /For=[here add the drive letter]: /Maxsize=[here add the maximum size]

For Example:

vssadmin resize shadowstorage /on=F: /For=F: /Maxsize=1GB


To validate the changes took run vssadmin list shadowstorage.


Repeat the steps to make the changes to other drives and the space will be recovered.

GUI Method

Double click on Computer to see your drives. Right click on the drive in question and select Properties. Click on the shadow copies tab.


Select the drive in the list and click on the settings button. Check the Use Limit box and type in the amount in MB to which you want to set (1024 for 1GB) and click OK. Repeat for other drives until completed.


You are all done and now have more space.
at No comments:
Labels: , ,

Wednesday, January 06, 2016

Exchange2010 on Windows2012 - my way 

Install-WindowsFeature RSAT-ADDS, AS-HTTP-Activation, Desktop-Experience, NET-HTTP-Activation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

reboot 

install
http://www.microsoft.com/en-us/download/details.aspx?id=17062
http://www.microsoft.com/en-gb/download/details.aspx?id=26604
http://www.microsoft.com/en-us/download/details.aspx?id=34992

merge this into registry:

--- CUT HERE ---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{770ca594-b467-4811-b355-28f5e5706987}\ChannelReferences]
"Count"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{770ca594-b467-4811-b355-28f5e5706987}\ChannelReferences\0]
@="Add Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic"
"Id"=dword:00000010
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{770ca594-b467-4811-b355-28f5e5706987}\ChannelReferences\1]
@="Add Microsoft-Windows-ApplicationResourceManagementSystem/Operational"
"Id"=dword:00000011
"Flags"=dword:00000000

--- CUT HERE ---


cdrom:\setup.exe /preparead

when runing setup DO NOT check "Automatically install Windows Server roles and features required for Exchange Server"

DO NOT REBOOT!
DO NOT START Exchange Management Console yet!

Install Exch2010 SP3

reboot

You may find that on Server2012 you can launch the Exchange Management Console, but are unable to expand any of the objects in the left hand pane.
Exchange 2010 Exchange Management Console was built with CLR (Common Language Runtime) version 2.0. Windows 2012/8 by default runs its MMC snap ins with CLR version 4.0.
to fix it, start cmd and type:

set __COMPAT_LAYER=RUNASINVOKER
set COMPLUS_Version=v2.0.50727
"C:\Program Files\Microsoft\Exchange Server\V14\Bin\Exchange Management Console.msc"


Now you can do the usual stuff.

BTW: Don't be an idiot (like me), don\t install Eset RA Server before installing Exchange, that will put the Exchage RA web console on ports :80 and :443 and IIS will never start. 
netstat -a -b -n -p tcp is your friend in this case, run it and you will see who occupies your ports.
at No comments:
Labels: , ,

Thursday, October 01, 2015

Authentify linux users to a windows 2012 R2 domain controller

As root type:
rpm –Uvh  samba-winbind samba-winbind-clients pam_krb5 krb5-libs

Then:
authconfig --enablekrb5 --krb5kdc=2k12srv.domain.local --krb5adminserver=2k12srv.domain.local --krb5realm=DOMAIN.LOCAL --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=DOMAIN.LOCAL --smbservers=2k12srv.domain.local --smbworkgroup=DOMAIN --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablemkhomedir --enablewinbindusedefaultdomain –update && net ads join -U administrator -D DOMAIN

vi smb.conf
[global]
   workgroup = DOMAIN
   password server = 2k12srv.domain.local
   realm = DOMAIN.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true

Restart and enable winbind:
chkconfig winbind on
service winbind restart

-----------------------------------------------------------------------------------------------------------------------------






The old way, for a 2008 Server was:
rpm -Uvh samba-winbind-clients samba-winbind samba-client

service winbind start
chkconfig winbind on

authconfig --enablewinbind --enablewinbindauth --enablelocauthorize --enablemkhomedir --updateall

vi smb.conf:
# Any modification may be deleted or altered by authconfig in future
   workgroup = DOMAIN
   password server = 2008dc 2008R2dc
   realm = DOMAIN.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
#--authconfig--end-line--


vi /etc/openldap/ldap.conf:
TLS_CACERTDIR   /etc/openldap/cacerts
SASL_NOCANON    on

cp shared_DOMAIN_cert.cer /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts/

net join -w DOMAIN -S 2008dc.domain.tld -U Administrator
systemctl restart winbind.service

In order to allow certain AD Groups to login:
vi /etc/login.group.allowed
A_CERTAIN_AD_GROUP

vi /etc/pam.d/sshd
auth       required     pam_listfile.so item=group sense=allow onerr=fail file=/etc/login.group.allowed

vi /etc/pam.d/login
auth       required     pam_listfile.so item=group sense=allow onerr=fail file=/etc/login.group.allowed

cd /home
mkdir DOMAIN

at No comments:
Labels: , ,

Thursday, February 05, 2015

RD Shadow in 2012 R2

PS:>
Import-Module RemoteDesktopServices
Get-RDUserSession | select UserName,SessionId,UnifiedSessionId
mstsc /shadow:%UnifiedSessionId” /control /noConsentPrompt

the SessionId and UnifiedSessionId might have to be used, depending on how the wind blows and at what angle the Sun is on the sky :)
at No comments:
Labels: , , ,

Tuesday, November 04, 2014

Windows Shell for TS - without Domain Controller

On the RD Session Host Configuration ,the following (compiled as c:\windows\tssession.exe) script is executed as initial shell:

;(c)2014  sorinakis@g**il.com

;msgbox, Username: %A_UserName%
AuthUsers = Administrator|administrator
Loop Parse, AuthUsers, |
{
 ifEqual, A_LoopField, %A_Username%
 {
  Sleep, 500
  Run, explorer.exe
  ;MsgBox EXPLORER Executed.
  GoTo, End
 }
else
 {
  ;MsgBox In the ELSE branch.
  Sleep, 500
  Run, D:\Partages\apps\LCM\Bin\wrun32.exe -ws -c D:\Partages\apps\LCM\etc\CBLCONFI-RZ_APP.ini utmenu
  Sleep 500
  WinMaximize, ahk_class AcucobolWClass
  IfWinExist, Cie(01)
  {
   WinMaximize,  Cie(01)
   Sleep, 500
   WinWaitClose, Cie(01)
   Sleep, 500
   Run, shutdown /l
  }
  Return
 }
}
End:
Sleep, 100
;MsgBox At the END.
at No comments:
Labels: , , , , , , ,

Sunday, August 10, 2014

Tune UP (in fact down) Windows 2008 R2

sssc config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc config mrxsmb20 start= disabled

 netsh int tcp set global rss=disabled
netsh int tcp set global chimney=disabled
netsh int tcp set global autotuninglevel=disabled
netsh int ip set global taskoffload=disablednetsh int tcp set global autotuninglevel=disablednetsh int tcp set global ecncapability=disablednetsh int tcp set global timestamps=disablednetsh advf set allp state off


:: reg add "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v DisableTaskOffload /t REG_DWORD /d "1" /f

reg add "HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters" /v DisableBandwidthThrottling /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v TcpAutotuning /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v TcpAutotuning /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings" /v TcpAutotuning /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v EnableTCPA /t REG_DWORD /d "0" /f

at No comments:
Labels: , , , , ,

Thursday, May 01, 2014

Delete old printers and change the default

'Change default Printer and delete the old ones
'(c)2014 s@xxxxxxxx.com
' defaultlist example: service Client,\\2K12SRV\HP 4050 P005



PrintServer = "2K8SRV" 'Old Print server name goes here - case sensitive
listfile = "\defaultlist.txt"
lockfile = "\defaultprt"
Set objNetwork = CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objShell =  CreateObject("WScript.Shell")
userprrf = objShell.Environment("PROCESS")("UserProfile")
strComputer = "."
'strCurPath = CreateObject("Scripting.FileSystemObject").GetAbsolutePathName(strComputer)
strCurPath = "\\2k12srv\netlogon\deploy" ' relpath doesn't seems to work on UNC
 wscript.echo strCurPath
If (objFSO.FileExists(userprrf & lockfile)) Then
 'Debug
 'with createobject("wscript.shell")
 '.popup userprrf & "Lockfile EXIST!" , 1 , "Info"
 'end with
 Wscript.Quit
End If

'On Error Resume Next
strName = objSysInfo.UserName
' Split full username by comma (warning: comma is a valid char in OU, verify personally that it doesn't exist in your OU!)
arrUserName = Split(strName, ",")
' remove OU= or DC= for the last 2 OU's
arrOU = Split(arrUserName(1), "=")
arrOU2 = Split(arrUserName(2), "=")
'put those OU toghether
strOU = arrOU2(1) & " " & arrOU(1)
' open the list of OU vs printers pairs
Set objFile = objFSO.OpenTextFile(strCurPath + listfile, 1)
 Do Until objFile.AtEndOfStream
 ' they are separated by comma, first is OU second is printer
 defaultArray = split(objFile.ReadLine,",")
 readOU=defaultArray(0)
 defaultprt=defaultArray(1)
 ' Debug
 'with createobject("wscript.shell")
 '.popup "Check: """ & strOU & """ = """ & readOU & """ Choose """ & defaultprt & """. " , 1 , "Info"
 'end with
 If strOU = readOU Then
  ' Debug
  'with createobject("wscript.shell")
  '.popup "Found: """ & strOU & """ = """ & readOU & """ Printer: """ & defaultprt & """. " , 5 , "Info"
  'end with
  ' first ensure that the printer is installed, then set it default
  objNetwork.AddWindowsPrinterConnection defaultprt
  objNetwork.SetDefaultPrinter defaultprt
  exit do
 End If
Loop
objFile.Close

'Remove old printers
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colInstalledPrinters =  objWMIService.ExecQuery _
    ("Select * from Win32_Printer")

For Each objPrinter in colInstalledPrinters
    'Debug
    'with createobject("wscript.shell")
  '.popup "Name: " & objPrinter.Name , 1 , "Info"
  'end with
  'Wscript.Echo "Name: " & objPrinter.Name
    i = 0
    ReDim Preserve arrPrinterName(i)
    arrPrinterName(i) = objPrinter.Name
        If InStr(arrPrinterName(i), PrintServer) Then
            Set objNetwork = WScript.CreateObject("WScript.Network")
            'Debug
        'with createobject("wscript.shell")
      '.popup "Removing: " & arrPrinterName(i) , 5 , "Info"
      'end with       
            objNetwork.RemovePrinterConnection arrPrinterName(i)
            i=i+1
        Else
            'Debug
        'with createobject("wscript.shell")
      '.popup "Skipped: " & arrPrinterName(i) , 5 , "Info"
      'end with       
        End If

Next

' Leave a lockfile in user's home
Set objFile1 = objFSO.CreateTextFile(userprrf & lockfile)
Wscript.Quit
at No comments:
Labels: , , , , ,
Subscribe to: Comments (Atom)