showing posts tagged with 'windows'
by lunarg on June 15th 2015, at 11:54
When running multiple scripts in a session, which use and add the same snap-in using Add-PSSnapin, only the first one succeeds. Subsequent attempts to add the same snap-in will result in an error:

Cannot add Windows PowerShell snap-in My.SnapIn because it is already added. Verify the name of the snap-in and try again.

You can resolve this issue by enclosing it in the following if-statement:

if ( (Get-PSSnapin -Name My.SnapIn -ErrorAction SilentlyContinue) -eq $null ){ Add-PsSnapin My.SnapIn}

It (silently) checks for the presence of the requested snap-in. If it does not exist (i.e. the check returns $null), it loads the snap-in.

Note: replace My.SnapIn with whatever snap-in you   ...
by lunarg on June 12th 2015, at 13:14
Attached to this article are scripts to configure proxy settings for Internet Explorer (all versions). As Google Chrome uses the IE proxy settings, the scripts can be used for that browser as well. I know there are other, far better methods for configuring proxy settings for clients, but read on to see why they were not usable in this particular case.

I ran into a customer where they were still using Internet Explorer Maintenance in their group policies to configure proxy settings for their clients. As a result, all users who got more recent computers did not get the proxy settings, as they were running Internet Explorer 10 or newer. Starting from IE10, configuration of  ...
by lunarg on June 10th 2015, at 16:04

When demoting a 2003 domain controller using dcpromo, you may run into the following error:

The operation failed because:

Failed to configure the service NETLOGON as requested

"The wait operation timed out"

The error message is quite misleading as the real cause has nothing to do with NETLOGON, but is in fact a DNS issue. You will most likely have the server's primary DNS pointing to itself using the loopback address or its own IP address.

You can correct the issue by having the DNS point to remaining domain controllers, and remove any DNS pointing to itself (i.e. loopback address or any other IP owned by the server being demoted).

by lunarg on June 10th 2015, at 14:29

There are two ways to see which Certificate Authority servers exist in your AD domain.

1. Check the Cert Publishers group

The AD group Cert Publishers contains the servers that are permitted to publish certificates to AD. As a consequence, this group will contain all servers that are CAs.

2. Use certutil

You can use the certutil command to view (and select from) a list of CAs in the current AD domain:

certutil -config - -ping

Note: type the command as-is, including all spaces and hyphens.

A window will appear, listing the CA name and the server it runs on.

by lunarg on June 10th 2015, at 14:20
After migrating AD from 2003 to 2012, I ran into this issue on a RADIUS server running 2008 R2, used for authentication. When attempting to retrieve AD information for a particular user, the following error appeared:

An error (1301) occurred while enumerating the groups. The group's SID could not be resolved.

The solution (at least for Windows 7 and 2008 R2) is to install hotfix 2830145.

The hotfix is only available by request through e-mail.

When attempting to log on to a 2012-based domain controller, the following SIDs are unmappable:

S-1-18-1 : Authentication authority asserted identity

S-1-18-2 : Service asserted identity

2012 introduces two new securit  ...
by lunarg on June 9th 2015, at 10:47

It has always been a bit tedious to manage and customize Internet Explorer through group policies, especially when your network has different versions of Windows and/or different versions of Internet Explorer.

To reduce the complexity of maintaining Internet Explorer in a network, Microsoft has long made available the Internet Explorer Administration Kit. This tool allows you to exert more control over Internet Explorer, its settings and its behaviour.

More information and downloading the IEAK:

by lunarg on June 8th 2015, at 10:36
Upon unauthorizing a Windows DHCP server, you may get the following error:

The parameter is incorrect.

Most commonly, there are two reasons for this error to occur.

If you have just unauthorized a DHCP server, it may take a while for AD to replicate the change to other domain controllers. As a result, the DHCP server may still think it's authorized, whereas it is not. Either wait for AD replication, or trigger it throughout your network.

Another reason for this error to occur is the presence of another DHCP server in AD that no longer exists. You can check this with the netsh dhcp command, available on any server with the DHCP server role installed:

netsh dhcp show server

Run the com  ...
by lunarg on June 5th 2015, at 10:40
If your inter-domain trust is down, and the eventlog reveals the following error:

There are currently no logon servers available to service the logon request. (0x51F)

Then check the following:

Check whether you can still access the DNS servers at the other side: try using the name first, then try through IP. If DNS does not work, there's an issue with your DNS.

Check whether the DNS zones for the domain are still in place. If they exist, try performing a reload from master. If this fails, you either have connection issues, or the other side has removed the required zone delegation, preventing you from retrieving the zone information.

If you can connect through neither DNS nor IP, ch  ...
by lunarg on June 3rd 2015, at 16:08
On Windows 8.1 and Server 2012 R2, SMB 1.0 (aka CIFS) is no longer enabled by default. This means clients that don't support at least SMB 2.0 (for Windows: everything predating Vista/2008) can no longer directly connect to an 8.1/2012R2 server, and instead are presented with an error if they attempt to do so:

The specified network name is no longer available.

You can re-enable SMB 1.0 support by installing the SMB 1.0/CIFS support feature on your server.

Some users reported that even after enabling this feature, they could not access shares on the server. Apparently, the SMB 1.0 driver is not loaded properly, because of a missing dependency on the Server service (aka LanmanServer).
by lunarg on June 3rd 2015, at 15:47
As long as there are 2003 domain controllers in your network, your old NT4 workstations will be able to authenticate against your domain. As soon as you migrate those 2003's out of the network, you'll run into trouble. By default, Server 2008 R2 no longer accepts authentication requests from NT4 because they use cryptography that's too old and unsafe.

The best solution is to get rid of those NT4 machines, but if that's not possible, you can re-enable support for the older cryptography on your DCs through GPO.

Either edit the Default Domain Controller Policy group policy, or create a new GPO in the Domain Controllers OU.

Edit the GPO and navigate to: Computer Configuration > Administrative Templa  ...
by lunarg on June 3rd 2015, at 15:09
SMB (Server Message Block) is an application protocol, most commonly used for file and printer sharing. Although it was originally designed by IBM for use in OS/2, it has been adopted and improved upon by Microsoft as the primary protocol for file and printer sharing in their Windows for Workgroups. It has been in use ever since on Windows and a myriad of other OS flavours.

Although SMB is proprietary to Microsoft, SMB is also available on Linux (through Samba), Apple (first Samba, then later, Apple's own SMBX), and a myriad of other OS vendors. In fact, Apple has replaced its own AFP with SMB in the latest releases of Mac OS X. SMB has become the most commonly used protocol for f  ...
by lunarg on June 3rd 2015, at 11:49

A bit of a hidden feature in Windows 8: you can actually "quit" Windows Explorer.

Right-click the (empty) taskbar while holding down Ctrl+Shift to reveal Exit Explorer as an additional menu item. Clicking it will then end Windows Explorer, leaving you with a blank screen, same as ending explorer.exe from the task manager.

You can then call up task manager (Ctrl+Shift+Esc), and start Windows Explorer again (File > Run > explorer.exe).

by lunarg on May 29th 2015, at 13:24
The old method of disabling Java updates through the registry or GPO, mentioned in this article, is no longer valid for Java 7 (1.7) and 8 (1.8), nor does it prevent the UAC prompt from appearing when the updater runs in the background. The method explained here is a better, more up-to-date solution to completely disabling Java updates from running, and includes the required registry change to stop the updater from running, preventing the UAC prompt from ever appearing.

Disabling Java update from the control panel is not as straightforward as it seems to be. Java update can only be disabled with administrative rights, so you need to run the Java control panel elevated. Since you can't do this t  ...
by lunarg on May 29th 2015, at 12:46
If you want to completely disable Java Update (which is especially useful on Remote Desktop Servers), you have to make a few adjustments to the registry.

EDIT (2015-05-29): this method is deprecated, and only applies to Java 1.6 on Windows XP or older. Only the alternate method is still valid as this prevents the updater program from running.

To disable Java Update, navigate to the key (32-bit and 64-bit differ):

32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy

64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy

Find the value EnableJavaUpdate and set it to 0. This will disable Java Update in the Control Panel.

To prevent the update check  ...
by lunarg on May 28th 2015, at 10:46

When attempting to log on with a domain account on a computer joined to a domain that has both 2012R2 and 2003 domain controllers, you may encounter the following error:

Error message
unknown username or bad password

Additionally, an Event ID 4 on Source: Kerberos is logged. You can only log on using local accounts.


Mixed 2012R2 and 2003 AD environments require hotfix 2989971 to be installed on every 2012R2 DC. See the KB for a full explanation.

The hotfix requires Update 1 (2919355) to be installed first. The hotfix is also included in update rollup 2984006.

by lunarg on May 27th 2015, at 15:47
A colleague ran into an issue with Microsoft Outlook (2010) and the AVG Outlook plugin: when attempting to open mails on a shared Exchange mailbox, the message body would be cleared from that e-mail. The message body would be deleted from Exchange itself as well, resulting in other users accessing the mailbox to also see empty message bodies. If a mail contained attachments, they would be left alone.

After a long search, the culprit seemed to be the AVG Outlook plugin. Upon opening an e-mail, the plugin would scan the e-mail, which somehow went wrong, resulting in clearing the message body (probably because it was marked as bad?). Because of the nature of the mailbox (it's a shared Exchange   ...
by lunarg on May 26th 2015, at 14:49

By default, it is not possible to specify passwords (the SecureString type) directly as a plain-text cmdlet parameter because it is insecure to do so (and they are right). But sometimes there's no other way to run a cmdlet than to specify the password as plain text. Luckily, there's an easy workaround: convert the plain text and store the password in a SecureString object.

$pw = ConvertTo-SecureString -String "your-pw" -AsPlainText -Force

You can then use the $pw object to specify the password in a cmdlet.

For example: resetting the password of an AD account:

Set-ADAccountPassword -Identity my-account -Reset -NewPassword $pw
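
The conversion above still leaves the plain-text password in the script file or the command history. The following added example (not part of the original post) shows two ways to obtain the SecureString without typing the password as a literal; it assumes the ActiveDirectory module is available, reuses the post's placeholder account my-account, and uses a hypothetical file path.

```powershell
# Added example, not from the original post.
# 'my-account' is the post's placeholder; $credFile is a hypothetical path.
Import-Module ActiveDirectory

# Option A - interactive: prompt for the password, so the plain text never
# appears in the script file or the command history.
$pw = Read-Host -Prompt 'New password for my-account' -AsSecureString
Set-ADAccountPassword -Identity my-account -Reset -NewPassword $pw

# Option B - unattended: store the secret once, then reuse it.
# On Windows, Export-Clixml writes the SecureString encrypted with DPAPI,
# bound to the current user on the current machine, so the file cannot be
# decrypted by another account or on another host.
$credFile = Join-Path $env:LOCALAPPDATA 'my-account.cred.xml'
if (-not (Test-Path -LiteralPath $credFile)) {
    Get-Credential -UserName 'my-account' -Message 'Password to store' |
        Export-Clixml -LiteralPath $credFile
}

# Later runs (same user, same machine) load the SecureString back.
$stored = Import-Clixml -LiteralPath $credFile
Set-ADAccountPassword -Identity my-account -Reset -NewPassword $stored.Password
```
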
by lunarg on May 20th 2015, at 14:01
Windows Small Business Server 2003 and 2008 (SBS2003 and SBS2008) are still widely in use, but CALs for these are no longer available for purchase. So, what if you require more CALs but cannot get rid of your old SBS?

SBS 2008 and SBS 2011 work on a trust-based CAL count, so they do not need activation. You can simply purchase SBS 2011 Standard CALs and exercise your downgrade rights. Note that this cannot be done with SBS 2011 Premium CALs as they contain features that are not the same as in SBS2008 Premium.

Unfortunately, for SBS 2003, it's not that simple, as it uses online activation for CALs. In this case, you still have to buy SBS 2011 CALs, which are legally usable on your SBS 2003,  ...