PowerShell: A Colourful Experience

One of the topics I inject into every one of my classes (and frankly, most of my customer conversations) is how to do whatever we are doing in PowerShell.  Scripting is one of the ways I make my life easier, and I recommend my students and customers use the knowledge I share to make their lives easier.

One of the differences between a Command Shell window and a PowerShell window is the colours.  Command Shell is white type on a black background.  PowerShell is a blue background, with the type colours varying depending on the context… Yellow for cmdlets, red for errors, and so on.

One of my students recently told me that because of the issues he has with his eyes, he has trouble reading the red writing on the blue background, and asked if there was a way to change it.  I honestly had never thought of it… so I decided to do some research.

It turns out, according to what I discovered, it is possible to change a lot of the colours in PowerShell.  Let’s start by changing the colour of the error messages:

$host.PrivateData.ErrorForegroundColor = "Green"

So let’s see what that does:

image

Okay, that is much better.  We can also change the background colour of the error text (black by default), by using this:

$host.PrivateData.ErrorBackgroundColor = "DarkCyan"

image

Granted, I hate the colour, but once you know the command, you can play with the colours that you want.

As well, if you want to change the colour scheme of the entire console, you can use the following:

[console]::ForegroundColor = "Yellow"

[console]::BackgroundColor = "Black"

Now we have the entire console in black, and the default text in yellow.

If you want to use these colours persistently, you can insert them into your profile… or just create a .ps1 file that you run every time you open PowerShell.
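As an added example (my own code, not part of the original post), here is a pair of profile-friendly functions that apply a scheme like the one above and can put the defaults back. It assumes the console host; in the ISE, $host.PrivateData exposes different colour properties. The function names are my own invention.

```powershell
# Added example, not from the original post: colour helpers to drop into $PROFILE.
# The defaults are captured once so they can be restored later in the same session.
if (-not $script:DefaultConsoleColours) {
    $script:DefaultConsoleColours = @{
        ErrorForeground = $host.PrivateData.ErrorForegroundColor
        ErrorBackground = $host.PrivateData.ErrorBackgroundColor
        Foreground      = [console]::ForegroundColor
        Background      = [console]::BackgroundColor
    }
}

function Set-ConsoleColourScheme {
    [CmdletBinding()]
    param(
        # Typing the parameters as ConsoleColor rejects misspelt colour names up front.
        [System.ConsoleColor]$ErrorForeground = 'Green',
        [System.ConsoleColor]$ErrorBackground = 'Black',
        [System.ConsoleColor]$Foreground      = 'Yellow',
        [System.ConsoleColor]$Background      = 'Black'
    )
    # Refuse a scheme that would make errors (or everything else) unreadable.
    if ($ErrorForeground -eq $ErrorBackground -or $Foreground -eq $Background) {
        throw 'Foreground and background colours must differ.'
    }
    $host.PrivateData.ErrorForegroundColor = $ErrorForeground
    $host.PrivateData.ErrorBackgroundColor = $ErrorBackground
    [console]::ForegroundColor = $Foreground
    [console]::BackgroundColor = $Background
    # A new background only applies to text written from now on; repaint the
    # whole window so it does not end up two-toned.
    Clear-Host
}

function Restore-ConsoleColourScheme {
    $d = $script:DefaultConsoleColours
    $host.PrivateData.ErrorForegroundColor = $d.ErrorForeground
    $host.PrivateData.ErrorBackgroundColor = $d.ErrorBackground
    [console]::ForegroundColor = $d.Foreground
    [console]::BackgroundColor = $d.Background
    Clear-Host
}

# Usage:
#   Set-ConsoleColourScheme -ErrorForeground Green -ErrorBackground DarkCyan
#   Restore-ConsoleColourScheme
```

Because the parameters are typed as [System.ConsoleColor], a typo such as "Gren" fails at the call rather than silently leaving the old colour in place.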

Jeff Hicks wrote a number of great scripts a few years ago that will let you manage your colour schemes, and they can be found here.  Unfortunately it is an older article and the images are gone, but the scripts are intact, and that is the important part.

Have fun!


Windows 7 End of Life and Extended Support

When Microsoft released Windows 7 in October, 2009 the vast majority of users (both corporate and home) were still running Windows XP.  While they had released Windows Vista three years earlier, it was never widely accepted.  The improvements over the then six-year-old operating system were revolutionary, especially for the vast majority of users who eschewed Windows Vista.

Windows 8 came and went, and although Windows 8.1 was, to many, a great alternative to Windows 7, most people did not appreciate the changes that Microsoft made with the first modern operating system, and it too was not as widely adopted as some at Microsoft would have liked.  Windows 7 reigned supreme.

In 2015 Microsoft announced that Windows 10 would be the last desktop operating system they would release, adopting a Software as a Service (SaaS) model with minor improvements coming with the monthly patch cycle, and major improvements being released in a biannual release cycle, delivered via the same patch channels as the monthly updates.  This would be great for end-users, but corporations would still have to run the same application tests on these ‘milestone’ releases as they would have to do with any operating system update.  Let’s not fool ourselves… they may all be called Windows 10, but Microsoft is now effectively releasing a new operating system every six months.  Corporations understand this, and Windows 7 is still the operating system installed on at least forty percent of Windows endpoints.

It is easy for Microsoft to tell home users and small businesses that they will end support for Windows 7 on January 14, 2020 – they made that announcement years ago, and the date has not changed – but if a large number of those Windows 7 endpoints are corporate devices, they have to find a solution to keep the corporate customers happy.  Last week they announced what their solution will be.

Microsoft will now be releasing Windows 7 Extended Security Updates (ESU) for volume license customers only as a paid subscription effective January, 2020, and has committed to offering these for three years – through January, 2023.  These updates will be available for Windows Professional and Windows Enterprise, as a paid offering, increasing in price each year.  This is reminiscent of the model used with previous operating systems (such as Windows NT 4).  This ESU will be offered (and charged) per computer.  For customers who have invested large sums for Windows 7 solutions, this is important.  Despite the fact that Microsoft claims that 99% of Windows 7 applications are now compatible with Windows 10, that does not mean that companies are going to be ready to change over so fast.  Yes, they will, by the end of regular support, have had five years to upgrade; yes, by the time regular support ends Windows 7 will have been around for over a decade; neither of these facts changes the reality that, looking at the field today – some sixteen months before End Of Life (EOL) for Windows 7 – forty percent of computers running Windows are still running that (by computer standards) ancient legacy OS.  You can say what you will about Microsoft, but they are a company that does not like to turn its back on its customers.

(By the way, Windows 8.1 Support will go through January, 2023)

Okay, so the corporate clients are covered, but what about home users?  Sorry to say it folks, but they are SOL – Something Out of Luck.  With the free upgrade offer a distant memory (officially… there are still ways to get it), Windows 7 Home users, as well as those using Windows 7 Pro without a volume license agreement, will no longer be supported.

What does that mean?  Unsupported operating systems may still run whatever software you need, but there will no longer be security updates.  It means that if (really when) a new vulnerability is discovered, unsupported operating systems will be vulnerable to hackers, along with everything that entails.  Simply put, your computer will not be safe.

In 2010 I started tweeting (nearly) every weekday how many days were left until #EndOfDaysXP.  I did it for nearly 1400 days.  Today I am launching a similar initiative, #EndOfDaysWin7.  The current count is 489 days.  That is how long you have to not only plan but also to implement your Windows 10 migration strategy.  If your company needs help, either with developing or evaluating your strategy, or to design and implement it, you should contact Cistel Technology Inc. to see how we can help.  Our Cistel Advanced Microsoft Team has the expertise and experience to help, and we will be glad to explain how.  Migration is not quick and easy, but we can help to make sure it is painless.  Reach out and ask us how!

Don’t be caught unsupported and insecure.  Let Cistel help!

Domain Controller Ports

Active Directory

Recently I was asked by a client to produce a list of firewall ports that are used by Active Directory Domain Services (AD DS), specifically those for domain controllers.  This is what I came up with:

Port | Used for | Protocol / service
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest-Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 | Replication | SMTP
TCP 135 | Replication | RPC, EPM
TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
UDP 123 | Windows Time, Trusts | Windows Time
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP Dynamic | Group Policy | DCOM, RPC, EPM
UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 | AD DS Web Services | SOAP
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon

One of the sites I polled for this information also listed the ports for DHCP (which is not an AD component, but is often installed on domain controllers).  Another listed that there are more ports for Azure AD and Office 365.  I am not including all of these.  I just set out to list the ports required for on-premises Active Directory in Windows Server 2016.
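As an added example (my own code, not from the original post), here is a quick way to turn the table into a check: from a member server, probe the fixed TCP ports above against a domain controller and report which are blocked by a firewall in between. The function name is mine, the DC name in the usage line is a placeholder, and it only covers TCP, because Test-NetConnection does not probe UDP or the dynamic RPC range.

```powershell
# Added example, not from the original post: test reachability of the fixed
# TCP ports a domain controller needs, from the machine you run it on.
function Test-DomainControllerPorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainController
    )
    # Fixed TCP ports from the table; UDP-only and dynamic entries are omitted.
    $ports = [ordered]@{
        25   = 'SMTP (only if inter-site SMTP replication is configured)'
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper'
        139  = 'NetBIOS session service'
        389  = 'LDAP'
        445  = 'SMB'
        464  = 'Kerberos change/set password'
        636  = 'LDAP SSL'
        3268 = 'LDAP GC'
        3269 = 'LDAP GC SSL'
        5722 = 'DFSR (SYSVOL)'
        9389 = 'AD DS Web Services'
    }
    foreach ($port in $ports.Keys) {
        # Suppress the per-port warning; the object carries the result.
        $result = Test-NetConnection -ComputerName $DomainController -Port $port `
                                     -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $DomainController
            Port             = $port
            Service          = $ports[$port]
            Reachable        = $result.TcpTestSucceeded
        }
    }
}

# Usage (dc01.example.com is a placeholder): list only the blocked ports.
# Test-DomainControllerPorts -DomainController dc01.example.com |
#     Where-Object { -not $_.Reachable } | Format-Table
```

A port that shows as unreachable is not automatically a firewall problem: TCP 25 will be closed on a DC that does not do SMTP replication, and DFSR does not have to listen on 5722 on every build. The check is for confirming the ones your environment actually relies on.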

Rosh Hashanah 5779

Dear friends, family, and readers,

Sunday evening we will be celebrating the Jewish New Year – the year 5779. Rosh Hashanah is a time of reflection. We are meant to ask forgiveness of those we have wronged, and forgive those who have sought our forgiveness. When these traditions were introduced, probably until the mid-nineteenth century, that was an easier concept to execute – forget email, most people had never left their shtetl… the circle of people they might have wronged was much smaller than in this day and age where communication with thousands of people on a daily basis is not unheard of.

Over the past decade I know I have wronged many people, and did not realize it at the time. Many of these are people I have lost contact with, and the prospect of seeking them out to apologize for a transgression they have long since likely forgot seems like an inefficient use of my time. If I were in a twelve-steps program I might have to do it, but fortunately I am not.

Forgiveness in one form or another is a component of most religions. The Catholics (the very name of which would offend some of my Anglican friends) have confession – they must confess their sins to G-d before their souls may be cleansed. Yes, I am likely over-simplifying the concept, but being Jewish I never studied catechism. It is likely this practice led over the millennia to priests, who listen to the confessions on G-d’s behalf, having tremendous power based on the information they were given. Imagine this fictional but possible interaction:

Henry VIII: Father, the Pope refuses to let me divorce my wife, and I rather like this one so I’d rather NOT behead her… forgive me, but I am thinking of leaving the Church and taking all of England with me.

Priest: Say five Hail Mary, go forth, and sin no more.

(Later)

Priest (to Pope) Hey Pope, Henry VIII is going to leave the church… you might want to do something about that! Just don’t ask the French… they are not known for winning wars. The Saxons in what will one day be Germany are pretty fierce though…

The Catholic Church understood early on that knowledge is power, and they built in a sure-fire way to amass as much of it as they could.

The Jewish tradition of having to make good with the people you have wronged before G-d could forgive you is likely a better way to promote true forgiveness. While in both of our traditions G-d is all-powerful, it seems more productive to have to face the person you have wronged, rather than someone who likely has no skin in the game. Confession, to me, seems one step removed from walking up to a stranger and saying “Hey, I just pushed someone you’ve never met into the bushes. Will you forgive me?”

As I have spent much of the last decade trying to become a better person, I have given the concept of asking forgiveness a lot of thought. I have met with two friends from high school that I had mistreated and asked (and received) their forgiveness. I felt better for having received their forgiveness, but in order to ask it I had to humble myself, an important lesson in and of itself. Humility was never (until the past few years) one of my stronger traits.

So who have I wronged this year? I do not think I have wronged anyone intentionally. Unintentionally and without realizing I had done so? That is a harder question to answer… what we do without realizing we have done in ignorance. I try to be honest with the people I deal with, and that helps. I know I cheat at golf, but I am not cheating anyone but myself. Self, I apologize for cheating at golf. Forgiven? Ok.

How about the others? I am sure I have wronged others, but do not realize or remember it. If you feel I have wronged you please reach out (privately) and explain… I will be happy to ask forgiveness for actual (if not imagined) transgressions.

You may notice that I am intentionally using the word “wronged” and not “insulted” or “offended.” It is near impossible for someone who expresses an opinion to not offend. We live in a society where people are too easily offended – by religion, politics, pronouns, by the choice of hockey teams. If my opinions on any of these are offensive to you then perhaps it is not me who should be apologizing and trying to change. I know that my religion offends some people, as does my strong affiliation with the State of Israel. I know some are offended by my position on gun control in the US. I wore my Hans jersey to an Ottawa Senators game and heard about it from a number of people. Life happens. Move on. Life is too short for us to be offended by every little thing.

In short: on the precipice of the year 5779, if you feel that I have wronged you in the past, please know that I am sorry and ask your forgiveness. If you feel that what I did warrants an individual discussion then please reach out to me and we can have that.

And again, I would like to wish my family, friends, co-workers, and readers a very happy, healthy, and sweet New Year! לְשָׁנָה טוֹבָה תִכָּתֵבוּ וְתֵּחָתֵמוּ

Worms Shana Tova (Tapuach uDvash)

Fountainheads Rosh Hashana (Shana Tova)

IPv6: Be gone!

Let me start this piece by stating that I am not advocating that we all ignore IPv6.  There are many reasons to use it, and there is nothing wrong with it.  Sure, it is more complicated than we may like… but then again, so was IPv4 when we were first introduced to it.

But alas, if you and your organization are not using IPv6, then there is no reason to have it bound to your workstations, let alone to your servers.  Let’s get rid of it… for now, knowing we can come back and re-enable it with a simple cmdlet.

First, we need to see which network cards have IPv6 bound to them, with the following:

Get-NetAdapterBinding | where {$_.ComponentId -eq 'ms_tcpip6'}

That will return a list of NICs that have IPv6 enabled, like so:

Get-IPv6

We can remove the binding from each adapter individually, like so:

Disable-NetAdapterBinding -Name "Wi-Fi 2" -ComponentID ms_tcpip6

Of course, then we would have to do it for each of our NICs.  Rather than doing that, it would be simpler to just use a wildcard, thus disabling it for all of our NICs simultaneously:

Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

Of course, in order to do this, you must open PowerShell with elevated credentials, so make sure you Run As Administrator.

Once you have done that, you can then go back and get the same list.  Notice that the listings under Enabled all read False now.

Disable-IPv6

Now, as you may have heard me say before, PowerShell is very easy to understand… it is almost as if it were post-troglodyte grammar.  Get-Thing! Disable-NetAdapterBinding!  So it stands to reason that the reverse of the Disable-NetAdapterBinding cmdlet would be… yes, you guessed it! Enable-NetAdapterBinding!  But this time, rather than using the wildcard, let’s just do it for the NIC that I am currently using:

Enable-NetAdapterBinding -Name "Wi-Fi 2" -ComponentID ms_tcpip6

From this, we will now get the following results:

Enable-IPv6

…and just like that, we can now enable and disable a protocol on demand.

By the way, if you are not fond of ComponentIDs, you can also use the actual display names:

Get-Bindings

Of course, that is too much typing for a lot of people, so you could shorten it with wildcards… or you can just cut and paste the ComponentID cmdlets.
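As an added example (my own code, not from the original post), here is the same disable/enable cycle wrapped so that the state of every adapter is recorded before anything is touched, and the exact prior state (rather than "all adapters") can be restored. The function names and the CSV path under $env:ProgramData are my own choices. Like the cmdlets above, it needs an elevated PowerShell.

```powershell
# Added example, not from the original post: save, disable and restore the
# ms_tcpip6 binding per adapter. Run as Administrator.
$StateFile = Join-Path $env:ProgramData 'ipv6-bindings.csv'   # assumed location

function Save-IPv6BindingState {
    # One row per adapter: Name, ComponentID, Enabled (True/False).
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Select-Object Name, ComponentID, Enabled |
        Export-Csv -Path $StateFile -NoTypeInformation
}

function Disable-IPv6OnAllAdapters {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Save-IPv6BindingState
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object Enabled |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Disable IPv6 binding')) {
                Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
            }
        }
}

function Restore-IPv6BindingState {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $StateFile)) {
        throw "No saved binding state found at $StateFile"
    }
    # Only re-enable adapters that had IPv6 enabled when the state was saved.
    Import-Csv -Path $StateFile |
        Where-Object { $_.Enabled -eq 'True' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Re-enable IPv6 binding')) {
                Enable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
            }
        }
}

# Usage:
#   Disable-IPv6OnAllAdapters -WhatIf     # dry run
#   Disable-IPv6OnAllAdapters
#   Restore-IPv6BindingState
```

The -WhatIf support means you can see which adapters would change before committing, which matters on a server where a management NIC you forgot about is also in the list.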

Have fun guys, and script on!


A PowerShell Gotcha

I was bulk-creating users for a test environment today, and in doing so, I borrowed a script from an article online, which set the password for all users to ‘Pa$$word’.  I usually use a variation on the same for test environments, but I opted to leave this one as it was.  The script worked.

A few minutes later, I went to log on as one of the newly created users, and the computer returned ‘The password is incorrect.  Try again.’

I spent a few minutes troubleshooting, until I realized… PowerShell uses the dollar sign ($) for variables.  I deleted the users, then changed the script to use a password like ‘P@ssw0rd’.  Sure enough, it worked.

The moral of the story… When using PowerShell, remember that the $ means something, and might break things if you use it for other things.
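As an added example (my own code, not from the original post), here is what the gotcha looks like in the shell. The assumption is that the borrowed script put the password in a double-quoted string, which the post does not show: inside double quotes, $$ is PowerShell's automatic variable for the last token of the previous line, so "Pa$$word" is never the text you typed. Single quotes keep it literal. The function names are mine.

```powershell
# Added example, not from the original post: dollar signs in password strings.
function Show-PasswordQuoting {
    # Double quotes interpolate. "$$" is the automatic variable holding the last
    # token of the previous command line, so the value depends on session state.
    $interpolated = "Pa$$word"
    # Single quotes are literal; this is the value the script author intended.
    $literal = 'Pa$$word'
    [pscustomobject]@{
        DoubleQuoted = $interpolated
        SingleQuoted = $literal
        Identical    = ($interpolated -eq $literal)
    }
}

# Safe pattern for scripted account creation: take the password literally and
# convert it once, without ever passing it through a double-quoted string.
function New-TestUserPassword {
    param([Parameter(Mandatory)][string]$PlainText)
    ConvertTo-SecureString -String $PlainText -AsPlainText -Force
}

# Usage (test environment only; 'testuser01' is a constructed name):
#   Show-PasswordQuoting
#   New-LocalUser -Name 'testuser01' -Password (New-TestUserPassword -PlainText 'Pa$$word')
```

Changing the password to one without a dollar sign, as the post did, works; so does keeping the original and single-quoting it. Either way, run Show-PasswordQuoting once and the Identical column makes the problem obvious.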

Have fun!

Server 2016 Versions & Builds

When Microsoft introduced the Operating System as a Service with Windows 10, a lot of people got confused by the different version numbers and build numbers, all the while Microsoft was telling us it was really the same operating system.  Okay, I think we have it clear now… three years later.

So just to make things fun, Windows Server 2016 is offered as an OS as a Service as well… although mercifully we do not have to update our servers nearly as often to stay current.

It is one thing to mess around with our desktops.  Messing around with our servers could be disastrous on an entirely different level.  So, unlike Windows 10, monthly updates (or Cumulative Updates, if you are just catching up) will not change the version of the OS.  If you installed a Windows Server from the original release (Version 1607), it will remain Version 1607.  The only thing that will change is the OS Build.

Notice the different build… the original reads OS Build 14393.1884, and after applying Cumulative Update for Windows Server 2016 for x64-based Systems (KB4093119) it kicks up to OS Build 14393.2189.
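As an added example (my own code, not from the original post), here is how to read the same Version and OS Build values that winver shows, from the registry, for one or many servers. The ReleaseId, CurrentBuild and UBR values under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion are real; the function name is mine, and remote use assumes PowerShell Remoting is enabled.

```powershell
# Added example, not from the original post: version (fixed) and build (rises
# with each Cumulative Update) for Windows Server 2016 / Windows 10.
function Get-WindowsVersionInfo {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $reader = {
        param($Path)
        Get-ItemProperty -Path $Path |
            Select-Object ProductName, ReleaseId, CurrentBuild, UBR
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            $cv = & $reader $key
        } else {
            $cv = Invoke-Command -ComputerName $computer -ScriptBlock $reader -ArgumentList $key
        }
        [pscustomobject]@{
            ComputerName = $computer
            ProductName  = $cv.ProductName
            Version      = $cv.ReleaseId                          # e.g. 1607 on Server 2016
            OSBuild      = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR  # e.g. 14393.2189 after a CU
        }
    }
}

# Usage: spot servers lagging on cumulative updates by comparing the UBR suffix.
# Get-WindowsVersionInfo -ComputerName srv01, srv02, srv03 | Sort-Object OSBuild
```

Because Version stays at 1607 on Server 2016 no matter how many updates you apply, the OSBuild column is the one that tells you whether a server has taken the latest CU.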

Some of us in the know feel that calling every release of Windows 10 the same operating system is like saying that a 2013 Ford Mustang is the same as a 2018 Ford Mustang; just because they have the same name does not make them the same car.  Similarly, Windows 10 Version 1607 is hardly the same as Windows 10 Version 1803.  They look the same for day-to-day operations, but under the hood there are real differences (i.e.: look for your Control Panel in the Windows Menu in 1803).

The team at Microsoft understood that you cannot just upgrade versions with servers.  There are too many things that could go wrong.  As such, Windows Server 2019 is currently in pre-release testing (we used to call it beta testing… I can’t keep up with the current names).  When the time is right, you can upgrade.

In the meantime, should you be upgrading all of your servers that are Version 1607 to Version 1803?  In general I wouldn’t, but there may be use cases where you would want to.

I hope this clears some things up for you!

April Updates Bring May Frustrates

Okay, I know the grammar in my title is terrible, but I know so many people (including myself) who have had a number of frustrating issues that arose from Microsoft’s April patch cycle.  I will not go into all of them, but one in particular has been annoying me of late.

image

Okay… but this is my corporate laptop, and I don’t remember having a D Drive.  I know my C Drive is running low, but that is only as a percentage… My actual free space is still over 13GB free.  But… where did that 489MB D Drive come from?

image

Most computers running any modern version of Windows are likely to have a hidden partition… or two.  One of them, the EFI System Partition (ESP), is used by computers that boot via the Unified Extensible Firmware Interface (UEFI).  It should be around 500MB in size, and before you ask, do not think about deleting this partition… unless you are partial to non-bootable system devices.

The Recovery Partition is usually a 450MB partition that has some information that Windows would need if you decide to clean up… I leave it there because what’s the harm, right?  Until April that is…

If this partition was there in March (and September, for that matter), and nothing has written to it since, why are these Low Disk Space warnings coming up all of a sudden… and every five minutes, just to make matters more annoying?  The answer is simple… and so is the solution.  For some reason there was a drive letter assigned to the volume all of a sudden… and yes, it has to do with one of the April patches from Microsoft.

Solution:

1) Open the Disk Partition Tool (diskpart.exe).  If your current user is not a member of the local administrators security group, you will have to provide administrative credentials.

2) Type list volume.

image

Here we see a list of partitions (volumes) on the computer.  Volume 0 is obviously my active partition… it is 237GB, the Label is OS, and the Info says Boot.

Volume 1 is my Recovery Partition… 490MB, with no Label, no Info, and the Drive Letter is D… but there is absolutely no reason for this volume to have a drive letter.  Let’s get rid of it.

3) Select the volume in question by typing Select Volume # (where # is the number of the affected volume)

4) Type Remove Letter=X (where X is the Drive Letter in question)

5) Type List Volume

image

The affected volume should no longer have a Drive Letter assigned… and your problem should be resolved.

6) Exit DiskPart immediately.  (Type EXIT)

**IMPORTANT NOTE: I have two things to say here:

  1. If you are not an IT Professional, you should really consult a professional before doing this yourself.  DiskPart.exe is possibly the most dangerous tool that Microsoft provides you with Windows, and should be used very carefully.
  2. If you are planning on doing this on your corporate machine, STOP RIGHT THERE!  There is a very good chance that even if you know what you are doing, and even if you have the administrator credentials needed to perform these actions, that doing so without consulting your IT Help Desk will result in a policy violation, and can be grounds for serious disciplinary actions.

If this is your personal computer, and you are comfortable using DiskPart, this should solve your problem.  If you are not comfortable doing it yourself, let a professional do it for you.  Thanks for reading!
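As an added example (my own code, not from the original post), here is the PowerShell equivalent of steps 2 through 5, with the same caveats as the note above. It identifies a recovery partition that has picked up a drive letter and removes only that letter; the partition itself is untouched. The GPT type GUID for the Windows Recovery Environment partition is real; the function names are mine. Run it with -WhatIf first, and elevated.

```powershell
# Added example, not from the original post: remove a stray drive letter from
# a recovery partition using the Storage module instead of diskpart.
$RecoveryGptType = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'   # Windows RE partition type

function Get-LetteredRecoveryPartition {
    Get-Partition | Where-Object {
        ($_.GptType -eq $RecoveryGptType -or $_.Type -eq 'Recovery') -and
        ([string]$_.DriveLetter -match '^[A-Za-z]$')   # NUL char when no letter is assigned
    }
}

function Remove-RecoveryPartitionLetter {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    $candidates = @(Get-LetteredRecoveryPartition)
    if ($candidates.Count -eq 0) {
        Write-Verbose 'No recovery partition has a drive letter; nothing to do.'
        return
    }
    foreach ($part in $candidates) {
        $target = 'Disk {0} partition {1} ({2}:)' -f $part.DiskNumber, $part.PartitionNumber, $part.DriveLetter
        if ($PSCmdlet.ShouldProcess($target, 'Remove drive letter')) {
            # Only the access path (the letter) is removed; no data or layout changes.
            Remove-PartitionAccessPath -DiskNumber $part.DiskNumber `
                                       -PartitionNumber $part.PartitionNumber `
                                       -AccessPath "$($part.DriveLetter):\"
        }
    }
}

# Usage:
#   Get-LetteredRecoveryPartition            # should list the 490MB volume
#   Remove-RecoveryPartitionLetter -WhatIf   # dry run
#   Remove-RecoveryPartitionLetter           # prompts before each change
```

The filter is deliberately narrow: it will not touch the ESP, the OS volume, or a data disk that merely has no label, which is the kind of mistake a typo in diskpart's "select volume" makes easy.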

image

Deleting User Profiles

“How do I delete old users from a Windows 10 computer? I log in as an administrator, navigate to c:\Users\, and delete their tree.”

NO!  In fact, HELL NO!

There are several reasons why you might want to delete a user profile from a computer, ranging from termination of employment to reallocation of systems to… well, you get the picture.  There are a few ways you can do it, but there are only a couple of ways of doing it right.

Recently I was working with a client who encountered a situation where a few of his domain users’ local profiles were corrupted on a corporate system.  I told him that the simplest way of fixing the issue was to delete the user profile, so that when the user next logged on, it would re-create the profile for them.  They called me back a few minutes later reporting that they were now receiving the following message when the affected users logged in:

We can’t sign in to your account.  This problem can often be fixed by signing out of your account then signing back in.  If you don’t sign out now, any files you create or changes you make will be lost.

Okay, that led me to believe they had simply deleted the c:\Users\%username% directory, and we had to clean up that mess in the registry (under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList”, delete any entries that have the .BAK extension).

Okay… now that we have learned how NOT to do it, here’s how you should do it:

1) Open Control Panel > System and Security > System on the affected machine.  The simplest way to do this in the more recent releases of Windows 10 is to open Run (Win+R) and type sysdm.cpl.

2) In the Advanced tab of the System Properties window, in the User Profiles section, click Settings…

image

4) In the User Profiles window, click on the user you want to delete, and click Delete.

image

**NOTE: You will not be able to delete the account you are logged in as, nor the default Administrator account.

Of course, you will be asked if you are really really sure that you want to delete the account, and you can click Yes or No as you wish.

There are ways to do it in PowerShell… but they don’t seem to be very clear or very easy.  For this one time, I strongly suggest the GUI.
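As an added example (my own code, not from the original post), here is the scripted route that does the same thing as the User Profiles dialog. Deleting the Win32_UserProfile instance removes both the folder under C:\Users and the matching ProfileList registry entry, which is exactly why it is safe where deleting the folder by hand is not. The function names are mine; it skips profiles that are loaded (user still signed in) or special (system accounts), and prompts before each deletion.

```powershell
# Added example, not from the original post: delete a local user profile
# the supported way, through the Win32_UserProfile CIM class.
function Get-RemovableUserProfile {
    param([Parameter(Mandatory)][string]$SamAccountOrSid)
    # Match C:\Users\jdoe or C:\Users\jdoe.CONTOSO, or the SID directly.
    $pattern = '\\{0}(\.[^\\]+)?$' -f [regex]::Escape($SamAccountOrSid)
    Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
        -not $_.Special -and -not $_.Loaded -and
        ($_.SID -eq $SamAccountOrSid -or $_.LocalPath -match $pattern)
    }
}

function Remove-UserProfileSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$SamAccountOrSid)
    $profiles = @(Get-RemovableUserProfile -SamAccountOrSid $SamAccountOrSid)
    if ($profiles.Count -eq 0) {
        Write-Warning "No unloaded, non-special profile matches '$SamAccountOrSid'. A profile that is still loaded is skipped on purpose; sign that user out first."
        return
    }
    foreach ($p in $profiles) {
        if ($PSCmdlet.ShouldProcess("$($p.LocalPath) ($($p.SID))", 'Delete user profile')) {
            # Removes the directory and the ProfileList entry together.
            $p | Remove-CimInstance
        }
    }
}

# Usage ('jdoe' is a constructed account name):
#   Get-RemovableUserProfile -SamAccountOrSid jdoe | Select-Object LocalPath, SID, LastUseTime
#   Remove-UserProfileSafely -SamAccountOrSid jdoe -WhatIf
#   Remove-UserProfileSafely -SamAccountOrSid jdoe
```

Run it against a remote machine by adding -CimSession to Get-CimInstance, which makes it practical for cleaning up a batch of workstations without touching each GUI.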

Stored Passwords–Beware, and know.

How many passwords do you have?  How many of them are unique?  How many of them would cause you, should they fall into the wrong hands, grief, hardship, financial loss?

Now what would you say if I told you that anyone with a very little bit of knowledge could access all of those passwords, and it would be your fault?

The world has gotten a lot busier since I was a kid.  Back then, the only password I really had to know was the locker combination to my school locker.  Today, as I peruse my password manager vault, I have over two hundred (200) individual passwords stored.  It is impossible for anyone to remember all of those, so Microsoft decided to help us out.  A lot of the passwords for the web sites we visit on a regular basis are stored in the Windows Credential Manager, so that we do not have to remember them every time.  Every time you click ‘Remember my password’ an entry is made into the Windows Credential Manager, and most people will forget that it is there… if they ever knew it was there in the first place.

If this is your personal computer, and you never give it to anyone else to fix, then it is really not that big a deal.  But what happens when you give your computer to a tech to fix it?  What happens if you leave your job, and the company takes back the computer?

The following guidance is not comprehensive, and it is in no way meant to be a way to protect your passwords; this is more a question of opening your eyes to the dangers of using your online passwords on shared computers.

1) Open the Windows Credential Manager.  From the Start Menu, type netplwiz.  If you are not a member of the local administrators group, you will be prompted to provide elevated credentials.  The User Accounts window opens.

2) Click the Advanced tab.

3) In the Passwords context, click Manage Passwords.

At this point you have a couple of options.  The Web Credentials context appears by default, but the Windows Credentials context is there too.

image

In the Web Credentials context, you will see a list of the sites for which you have stored your passwords.  You can expand any of them to see something like this:

image

You see that blue word ‘Show’?  That means that if you click there, your password will be displayed in clear text.  It is small consolation that you are required to enter your Windows password for that to work, because if you handed your computer to a technician then you probably handed them your password as well.  Worse, if you left your job, the IT department can very easily change your password to anything they want, and have access to this.

It is again of little consequence that on the Windows Credentials side, you do not have the ‘Show’ option.

image

So yes, for the people who are looking for complete convenience with little regard to security, this is a great feature.  If you are so inclined, you can even click on the Back up Credentials button at the top and save all of your credentials to port them to another machine (It does encrypt this file, and you must provide a password for it).  However, if you are at all concerned about security, and especially if you are one of those people who tends to reuse the same passwords (hey, I thought of a great password to use for online banking… let’s use the same password for my Recipes Sharing forum!) then you should be aware of why you should not do that… and rather than using the Windows Credential Manager to store your passwords, look into a password vault solution (See article), and possibly even pair it with a multifactor authentication solution (I have a few, including my Yubikey).

Passwords stored in clear text are never a good idea, and the fact that Windows still does it for websites baffles me, especially since I remember learning about non-reversible encryption algorithms back in my Windows 2000 Server classes.  Now that you know that Windows does it, you might take a few extra precautions.
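As an added example (my own code, not from the original post), here is a way to take inventory of what is sitting in Credential Manager and clear chosen entries before a machine leaves your hands. It wraps the built-in cmdkey.exe, lists only target and user names (never a secret), and prompts before each deletion. The function names are mine, and this covers the Windows Credentials side that cmdkey manages; the Web Credentials list in the dialog above is a separate store.

```powershell
# Added example, not from the original post: audit and clear stored Windows
# credentials for the current user via cmdkey.exe.
function Get-StoredCredentialEntry {
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey.exe /list)) {
        switch -Regex ($line.Trim()) {
            '^Target:\s*(.+)$' {
                if ($current) { $entries += $current }
                $current = [pscustomobject]@{ Target = $Matches[1]; Type = $null; User = $null }
            }
            '^Type:\s*(.+)$' { if ($current) { $current.Type = $Matches[1] } }
            '^User:\s*(.+)$' { if ($current) { $current.User = $Matches[1] } }
        }
    }
    if ($current) { $entries += $current }
    $entries
}

function Remove-StoredCredentialEntry {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Target)
    process {
        # cmdkey lists targets as "<kind>:target=<name>"; /delete wants only <name>.
        $name = $Target -replace '^[^=]+target=', ''
        if ($PSCmdlet.ShouldProcess($name, 'Delete stored credential')) {
            cmdkey.exe "/delete:$name" | Out-Null
        }
    }
}

# Usage:
#   Get-StoredCredentialEntry | Format-Table Type, User, Target
#   Get-StoredCredentialEntry | Where-Object Target -like '*TERMSRV*' | Remove-StoredCredentialEntry -WhatIf
#   Get-StoredCredentialEntry | Remove-StoredCredentialEntry   # clear everything, with a prompt each
```

Running the first line on a machine you are about to hand over is the quickest way to find out whether "Remember my password" has quietly accumulated entries you would rather not leave behind.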

Recovery Image Oopsie…

In a recent article I told you all how I had to recover my Surface Pro, and downloaded a Recovery Image from Microsoft in order to do so (See Surface Woes). As I went through the process of finding that image download, I could not help thinking that so much of the process seemed… outdated.  Don’t get me wrong, it worked… but it just felt like somewhere around the Surface Pro 2 era someone at Microsoft just gave up keeping up the information.

So how funny was it when I realized this morning that the Recovery Image, downloaded directly from Microsoft, was actually based on Windows 10 1703, released fifteen months ago?  I know Microsoft wants people to use their latest and greatest, especially when it comes to Windows 10.  Two builds have been released since (1709 and, most recently, 1803), so I wonder how difficult it would have been to update the Recovery Image to one of those.  My Surface Pro had been upgraded to Windows 10 1803 a few weeks ago, before the crash.

And so, having already done so once, and having spent several hours restoring my on-the-brink-of-dead device back to functionality, I have to spend another couple of hours watching the spinning circles of boredom before I can go back to using the device happily.

image

Delegating Control in Active Directory

I have been saying for years that a good IT department in a secure, well-managed infrastructure will give their end users the tools they need to do their job… and nothing more.

If that is true for end users, shouldn’t it also be true for the IT department themselves?  It is frustrating to see the number of shops I go into where there are fifteen or twenty members of the Domain Admins group, and for the silliest reasons.

By using the Delegation of Control Wizard, you can assign very granular permissions to regular user accounts to perform several common tasks.  In Windows Server 2016 these include:

  • Create, delete, and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
  • Modify the membership of a group
  • Join a computer to the domain
  • Manage Group Policy links
  • Generate Resultant Set of Policy (Planning)
  • Generate Resultant Set of Policy (Logging)
  • Create, delete, and manage inetOrgPerson accounts
  • Reset inetOrgPerson passwords and force password change at next logon
  • Read all inetOrgPerson information

These permissions can be set either at the domain level, or at the Organizational Unit (OU) level (except Join a computer to the domain, which must be set at the domain).  In order to do it:

  1. Open Active Directory Users and Computers (ADUC)
  2. Right-click on the domain (or OU) where you want to assign the permission
  3. Click Delegate Control…
  4. On the Welcome to… window click Next
  5. On the Users or Groups window click Add… and select the security group (or individual) that you want to affect.  Click Add, then click Next
  6. On the Tasks to Delegate window select the tasks from the list, and then click Next
  7. On the Completing the Delegation of Control Wizard window click Finish.

Remember, if you have multiple sites across slow links this might take a while to propagate, but you are done.  That’s it!
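The same delegation can be scripted rather than clicked through.  The following is an added example, not part of the original post: it grants one security group the wizard's "Reset user passwords and force password change at next logon" task on a single OU, using the ActiveDirectory module.  The OU and group names are placeholders, and it assumes that task maps to the "Reset Password" extended right plus read/write of the pwdLastSet attribute on user objects.

```powershell
# Added example (not from the original post): delegate the wizard's
# "Reset user passwords and force password change at next logon" task
# to one security group on one OU with the ActiveDirectory module.
# Assumptions: OU and group names are placeholders; the task maps to the
# "Reset Password" extended right plus read/write of pwdLastSet.
Import-Module ActiveDirectory

$OuDn      = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$GroupName = 'SD-PasswordReset'              # placeholder group

# Resolve GUIDs from the schema and configuration partitions rather
# than hard-coding them.
$root = Get-ADRootDSE
$userClassGuid = [guid](Get-ADObject -SearchBase $root.SchemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $root.SchemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=pwdLastSet))' `
    -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid = [guid](Get-ADObject -SearchBase $root.ConfigurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid

$sid     = (Get-ADGroup $GroupName).SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: "Reset Password" extended right on descendant user objects only.
$aceReset = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::ExtendedRight, $allow, $resetPwdGuid, $inherit, $userClassGuid)

# ACE 2: read/write pwdLastSet so "must change password at next logon" can be set.
$acePwd = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
    $pwdLastSetGuid, $inherit, $userClassGuid)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($acePwd)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list only the ACEs on the OU that reference the delegated group.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs are scoped to descendant user objects under that one OU, the group gets nothing on computers, groups, or any other OU, which is the whole point of not handing out Domain Admins.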

I hope this helps.  Really, it has not changed much in fifteen years, but sometimes it is important to refresh knowledge, especially for the newer generations of IT Admins!

Surface Woes

Earlier this year I opened a ticket with Microsoft to replace my Surface Pro 4 under warranty.  There was an intermittent problem, and I was hoping to be able to get it fixed.  Unfortunately the problem went away, and I continued to use my device as normal.

This week I turned on the device, and it would not boot.  It turned on alright, but it spent hours in the ‘dots spinning in a circle’ pattern.  When I say hours, what I should say is overnight.  I hoped that the drive was self-repairing.  I don’t know what in the world possessed me to think that – something akin to a doctor hoping that a sick liver just regrows.  Yesterday I went to work troubleshooting.

The first place I went was Microsoft’s Surface Support.  It was there that I discovered that, like so many companies out there, Microsoft doesn’t even want to talk to you once the warranty is over.  I’m sure they would be happy to speak to me if I gave them my credit card… but I was not quite there yet. 

The one thing I did get out of that experience (and a bit of surfing and fishing around) was a link to download a Recovery Image for the Surface Pro, as well as instructions on how to use it.  More on that later.

From the research I did online, it looks like my hard drive is either (hopefully) corrupt or (nooo!) dead.  I boot into my trusty Windows To Go key (see any of the articles I have written on it here).  I open Disk Manager, and bring the internal drive online.  So far, so good.

I try to navigate to it.  Access Denied.  Crap.  That can mean a number of things went wrong, but I am not concerned with Ransomware; they haven’t asked me for anything, it is just not booting.

My big concern is that if the drive is not accessible, then there may be something wrong with the hardware… but all signs point away from that, and I expect that somehow something just went terribly wrong.

Fortunately, I have Easeus Data Recovery Pro on my Windows To Go key, so I am able to recover lost files.  Hey, wait a minute!  If I can do that, then chances are the drive is not dead, right?

Okay, great… I have recovered my files, and now it is time to try to restore the device to useable.  I go back to Microsoft’s Support page to download the Recovery Image.  You can only download the image once you have signed in with your Microsoft Account, and then only if you have a Surface Pro registered to your account.


Great… I have the Recovery Image.  Now what I need is another computer to create the Recovery Drive with.  Unless you actually have another Microsoft Surface Pro 4, you are going to have to have Windows create a Recovery Disk for itself, and then replace its files with the ones I downloaded.  That isn’t a problem for me – I have several computers at my disposal, and I know that my corporate Dell laptop recently received the latest build of Windows 10 Enterprise.  It works just fine.

A word to the wise: You are going to need a 16 GB USB key for this to work.  It will work with a USB 2.0 device, but it……..will……..be……..very……..slow.  I don’t just mean rebuilding your computer either – it will be slow as molasses to create the device.  Proof? I started building on a USB 2.0 device.  I waited fifteen minutes, and then started the same process on a USB 3.0 device.  The USB 3.0 device was done before the USB 2.0 was halfway done.

Okay, it is time.  The moment of truth.  I connect the USB device to my Surface Pro 4, and I boot (holding down the Volume Down button).  The menus are a bit confusing, but I finally get to the button that says ‘Restore my PC to Factory Image.’  It goes through the motions, all the while keeping me apprised of just how many percent done it is (pretty useless, as long as there is forward progress), and when it gets to 100%, it reboots my device…

GETTING READY…

Hello Cortana!  I never thought I would actually be happy to hear your voice! 

So now, I have to re-install all of my software, but that is more time consuming than difficult, since most of my software and licenses are available from the cloud, and the rest are on one of my external USB drives.

…and for the fun of it, what are the first applications I re-installed (in order)?

  • Microsoft Intune
  • Microsoft Office 365
  • LastPass
  • Techsmith Snagit
  • Techsmith Camtasia Studio
  • Open Live Writer
  • Google Chrome

Yes, it is entirely possible that I no longer have my installable source file for Windows Live Writer (see article), and it looks like my newly formatted Surface Pro 4 will no longer have that trusted blogging software that I have been using for a decade (or longer).  In truth, I probably have it on one of my computers at home, but I don’t think it is worth the hassle to look, because Open Live Writer is just fine.

Management Packs: Keep Up!

Congratulations! You have your System Center Operations Manager up and running.  You have imported the Management Packs that you need to monitor your organization.  All that’s left is to watch your dashboards and make sure everything is green, right?

Wrong.

Management Packs are updated all the time.  That’s why they have version numbers.  As an example, the Windows Server 2016 and 1709+ Operating System (Discovery) Management Pack that I downloaded for a client in March was version 10.0.17.0, and is now at version 10.0.19.0.  Is it a big difference?  I don’t know… that is why we check the documentation and the web for clues.  According to the document Management Pack Guide for Windows Server 2016 and 1709 Plus.docx (available online, but also through your SCOM Console):

Changes in Version 10.0.19.0

  • Process monitoring is disabled by default: upon a “clean” installation of the management pack, the monitoring is disabled for all existing and newly added monitored servers, except for the case when the monitoring had been configured before via the wizard in the previous version of the management pack.
  • The following rules are disabled by default:
    • Process Monitoring: Health State Collection
    • Process Monitoring: Process Health State Subscription
    • Process Monitoring: Performance Collection
    • Process Monitoring: Process Performance Metric Subscription
    • Process Monitoring: Network Port State Collection
    • Process Monitoring: Process Network Port Subscription
    • Process Monitoring: High Handle Count
    • Process Monitoring: High Memory Percentage
    • Process Monitoring: High Processor Time Percentage
    • Process Monitoring: Number of Processes Collection
  • Elaborated a workaround for Handle Count increase issue (see details in Troubleshooting and Known Issues section).

Alright… Maybe these changes are important to you, and maybe they aren’t… but there is someone out there who spends his life writing SCOM Management Packs who thought they might be handy, and knowing about them is part of your job as a cloud administrator.

So it may be our job to know about these changes, but exactly how, short of spending our days combing the web, are we supposed to know when new Management Packs are released, and what changes have been made that may (or sometimes may not) be relevant and useful to our organizations?  Here’s how:


  1. From your SCOM Console, click on the Administration context.
  2. In the Navigation Pane, expand Management Packs.
  3. Click on Updates and Recommendations.

You will see a list of available updates and recommendations, and when the installed Management Packs were last updated.  In the Actions Pane there is an option to Get All MPs… This is one of those ‘Are you really sure?’ moments.  I prefer to see what each Management Pack update does before going that route.

In the Actions Pane there is another option to View Guide.  It is greyed out until you click on an individual Management Pack in the main window.  That is how you end up with the document that I mentioned earlier (Management Pack Guide for Windows Server 2016 and 1709 Plus.docx ).

Once you have decided that you do indeed want to install a new version, you can click on Get MP, and the Import Management Packs window pops up, downloading the new MP.


Once you have downloaded the new Management Pack, you still have to install it.  In the same window, click Install.  It will go through the process, and let you know when you are ready to go.

Unfortunately, in the Updates and Recommendations console you cannot select multiple updates to apply.  You can either download a single Management Pack, or you can click Get All MPs.  There is no in between.  However, in the Import Management Packs window you can look at the properties of an individual MP (you will see tabs for General, Knowledge, and Dependencies in the Properties window).  You can thus remove individual packs from the whole, rather than having to install everything.

Once you click Import, you can click STOP if you change your mind… but only until the individual pack you are importing is done.  Once it is imported, you would have to roll back by re-importing the previous version (which I hope you kept somewhere!).


So now you know.  Management Packs are updated more often now in the days of Windows as a Service, so you are likely to see more updates to Management Packs than you might have a few years ago, but that does not mean you have to do this on a weekly basis.  For most organizations, every couple of months should do fine.  Remember… even if you are using an older Management Pack, you are still monitoring.
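To make the "which version did I have before?" question answerable, here is an added example (not from the original post) that uses the OperationsManager module to back up the unsealed packs (the ones holding your overrides), snapshot the installed pack versions before and after you run the import from the console, and report exactly which packs changed.  The backup path is a placeholder.

```powershell
# Added example (not from the original post): inventory installed
# Management Packs before and after an import, back up the unsealed
# packs first, and report which packs changed version.
# Assumptions: run where the OperationsManager module is available;
# the backup directory is a placeholder.
Import-Module OperationsManager

function Get-MpInventory {
    # Name -> version snapshot of every installed Management Pack.
    $inv = @{}
    foreach ($mp in Get-SCOMManagementPack) {
        $inv[$mp.Name] = [version]$mp.Version
    }
    return $inv
}

function Compare-MpInventory {
    param([hashtable]$Before, [hashtable]$After)
    # One record per pack that was added, removed, upgraded or downgraded.
    foreach ($name in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        $old = $Before[$name]; $new = $After[$name]
        if ($old -eq $new) { continue }
        $change = 'Upgraded'
        if (-not $old)         { $change = 'Added' }
        elseif (-not $new)     { $change = 'Removed' }
        elseif ($new -lt $old) { $change = 'Downgraded' }
        [pscustomobject]@{ Name = $name; Before = $old; After = $new; Change = $change }
    }
}

# 1. Back up unsealed packs so overrides can be restored if an update misbehaves.
$backupDir = 'D:\MPBackup\' + (Get-Date -Format 'yyyyMMdd-HHmm')   # placeholder path
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Get-SCOMManagementPack | Where-Object { -not $_.Sealed } |
    Export-SCOMManagementPack -Path $backupDir

# 2. Snapshot, run Get MP / Install from the console, then snapshot again.
$before = Get-MpInventory
Read-Host 'Import the updated Management Pack(s) from the console now, then press Enter'
$after  = Get-MpInventory

# 3. Report what changed; the Before column is the version to keep for rollback.
Compare-MpInventory -Before $before -After $after | Format-Table -AutoSize
```

Sealed packs cannot be recreated from this export, so keep the original .mp files of the versions you replace alongside the backup directory.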

A BossDock PHEW! Moment…

I got to my office this morning and realized that my screens were unresponsive, as were my external keyboard and mouse.  Assuming the issue was with my external docking station, I disconnected it from my laptop and then reconnected it; I unplugged it from the power source, waited a few seconds, then plugged it in again.  Still nothing.  Crap.

…And then I realized that a docking station is only useful when it is connected to a functional computer.  I switched to my laptop keyboard and got the same response.  I performed a cold boot of my laptop, and sure enough, the dock worked fine.  It was my laptop (I cannot recall when I last rebooted it) that was the problem.

Phew!

(For those of you who are wondering why I would rather the $1500 laptop be the problem rather than the $200 docking station, it is simple… the computer belongs to my company, and if it stops working our Service Desk takes it for an hour to fix it while I go outside for a cigar.  Have a great weekend!)