edited by on December 9th 2020, at 10:27
To back up Microsoft SQL Server, the account used for VM-side processing (application-aware processing) requires certain permissions. Veeam recommends assigning the sysadmin role on the SQL Server, but it is also possible to assign minimal permissions on the databases it needs to back up, which is the preferred method for security hardening.

The User Guide for VMware vSphere outlines the required permissions as well, but for convenience, I've listed them here.

Instance-level roles:

Assign these roles:

public

dbcreator

Database-level roles:

Assign these roles:

System databases master and model:

db_backupoperator

db_datareader

public



System database msdb:

db_backupoperator

db_dat  ...
edited by on December 8th 2020, at 11:52
If the SSL-certificate on your VMware Horizon View Composer server is about to expire, it will have to be replaced. The process is pretty straightforward.

Import the new certificate (in PFX-format) in the Computer certificate store. You can use the MMC snap-in or certutil to accomplish the task. If it's not a publicly signed certificate, you will also need to make sure the intermediate and trusted root CA certificates are imported.

Open an elevated command prompt.

Stop the VMware Horizon Composer service:

net stop svid



Navigate to the install location of View Composer. The default location is C:\Program Files (x86)\VMware\VMware View Composer. On a 32-bit machine, leave out "(x86)".

Run t  ...
edited by on December 3rd 2020, at 21:21
When downloading files from the internet or copying them from a (foreign) server, these files will be marked as blocked by default.



Each file can be unblocked by right-clicking the file and manually selecting unblock, but what if you have a whole bunch of files to unblock? In that case you can use PowerShell:

Get-Item -Path "$env:windir\Fonts\*" -Stream "Zone.Identifier" -ErrorAction SilentlyContinue | % { Unblock-File -Path $_.FileName }

The one-liner above consists of two parts:

The flag that says whether or not a file is blocked is stored in a hidden NTFS-stream called Zone.Identifier, which is stored for each individual file. By looking for those hidden streams,   ...
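Before unblocking in bulk, it helps to see what each Zone.Identifier stream actually records. The following is an added example, not code from the original post: the function name `Get-BlockedFile`, the demo folder and the sample stream content are constructed for illustration, and it needs an NTFS volume.

```powershell
# ZoneId values as used by Windows security zones.
$zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

# Hypothetical helper: lists files carrying a Zone.Identifier stream and what it says.
function Get-BlockedFile {
    param([Parameter(Mandatory)][string] $Path)
    Get-Item -Path (Join-Path $Path '*') -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The stream is INI-style text: [ZoneTransfer], ZoneId=3, HostUrl=...
            $kv = @{}
            foreach ($line in Get-Content -LiteralPath $_.FileName -Stream 'Zone.Identifier') {
                if ($line -match '^(\w+)=(.*)$') { $kv[$Matches[1]] = $Matches[2] }
            }
            $zid = if ($kv.ContainsKey('ZoneId')) { [int]$kv['ZoneId'] } else { $null }
            [pscustomobject]@{
                File    = $_.FileName
                ZoneId  = $zid
                Zone    = if ($null -ne $zid) { $zoneNames[$zid] } else { 'unknown' }
                HostUrl = $kv['HostUrl']
                SHA256  = (Get-FileHash -LiteralPath $_.FileName -Algorithm SHA256).Hash
            }
        }
}

# Constructed sample: a file marked as if it came from the Internet zone.
$demo = Join-Path $env:TEMP 'zone-identifier-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'sample.txt'
Set-Content -LiteralPath $file -Value 'constructed sample file'
Set-Content -LiteralPath $file -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://example.com/sample.txt')

# Review the report first, then unblock only the files you have verified.
$report = Get-BlockedFile -Path $demo
$report | Format-List
$report | Where-Object { $_.ZoneId -eq 3 } |
    ForEach-Object { Unblock-File -LiteralPath $_.File }
```

The SHA256 column lets you compare each file against a known-good hash from the publisher before the mark is removed.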
edited by on November 30th 2020, at 16:45
A long-standing issue (it goes back as far as Windows 10 1511) exists where GPOs are not (or not always) applied on Windows 10 machines, even though the entire setup checks out (correct GPO links, network in working order, domain controllers functional). Back in Windows 10 1511, there was a certain update introducing something called UNC hardening which caused this behaviour. Although it was expected that this has since been resolved in another Cumulative update, there are still numerous reports of users encountering this issue all the way up to Windows 10 2004.

Should you be affected by this issue, the symptoms are as follows:

You are able to successfully log on using a domain account you'  ...
edited by on November 25th 2020, at 10:12

There are many ways to verify the syntax of a PowerShell script (other than running it, of course), but the simplest and most useful is this one:

Get-Command -Syntax 'path\to\script.ps1'

If the syntax is valid, it will simply return the name of the script. If there are errors, it will provide a detailed syntax error report.

edited by on November 16th 2020, at 15:31

Using PowerShell, you can quickly verify the status of the replication between domain controllers in Active Directory. This can be used in monitoring to verify a healthy AD replication. This can be run on any domain controller or on another system with RSAT or the ActiveDirectory PowerShell module.

Get-ADReplicationPartnerMetadata -Target "$env:USERDNSDOMAIN" -Scope Domain | FT -Auto Server,LastReplication*

To see forest-wide replication, replace -Scope Domain with -Scope Forest.
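For monitoring, the table is more useful when it is reduced to the links that need attention. The following is an added example, not code from the original post: the function name `Test-ReplicationLink`, the 24-hour threshold and the sample objects are assumptions, while the property names are those returned by Get-ADReplicationPartnerMetadata.

```powershell
# Added example. $MaxAgeHours is an assumed threshold, not a value from the post.
function Test-ReplicationLink {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Link,
        [int] $MaxAgeHours = 24,
        [datetime] $Now = (Get-Date)
    )
    process {
        $problems = @()
        if ($Link.LastReplicationResult -ne 0) {
            $problems += "last result code $($Link.LastReplicationResult)"
        }
        if ($Link.ConsecutiveReplicationFailures -gt 0) {
            $problems += "$($Link.ConsecutiveReplicationFailures) consecutive failure(s)"
        }
        if (-not $Link.LastReplicationSuccess) {
            $problems += 'no successful replication recorded'
        } elseif (($Now - $Link.LastReplicationSuccess).TotalHours -gt $MaxAgeHours) {
            $problems += "last success more than $MaxAgeHours hours ago"
        }
        [pscustomobject]@{
            Server      = $Link.Server
            Partner     = $Link.Partner
            LastSuccess = $Link.LastReplicationSuccess
            Healthy     = ($problems.Count -eq 0)
            Problems    = $problems -join '; '
        }
    }
}

if (Get-Command Get-ADReplicationPartnerMetadata -ErrorAction SilentlyContinue) {
    $links = Get-ADReplicationPartnerMetadata -Target "$env:USERDNSDOMAIN" -Scope Domain
} else {
    # Constructed sample objects so the check can be tried without a domain.
    $links = @(
        [pscustomobject]@{ Server = 'DC01'; Partner = 'DC02'; LastReplicationResult = 0
            ConsecutiveReplicationFailures = 0; LastReplicationSuccess = (Get-Date).AddMinutes(-20) }
        [pscustomobject]@{ Server = 'DC02'; Partner = 'DC01'; LastReplicationResult = 1722
            ConsecutiveReplicationFailures = 5; LastReplicationSuccess = (Get-Date).AddDays(-3) }
    )
}

# Keep only the links that failed a check; the count can feed an alert.
$unhealthy = @($links | Test-ReplicationLink | Where-Object { -not $_.Healthy })
$unhealthy | Format-Table -AutoSize Server, Partner, LastSuccess, Problems
"{0} unhealthy replication link(s)" -f $unhealthy.Count
```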

edited by on November 13th 2020, at 16:52
By default, Adobe Reader DC pummels you with all kinds of offers for trial versions and cloud accounts, which can be annoying for yourself and your users. Luckily, it can be turned off through a few well-placed registry keys, as described in the Enterprise Toolkit.

Create the following key(s):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM (for 32-bit app on 64-bit Windows)



Create these DWORD-values and set them to zero:

bDontShowMsgWhenViewingDoc (DWORD) = 0

bShowMsgAtLaunch (DWORD) = 0

bAllowUserToChangeMsgPrefs (DWORD) = 0



Note that the value for bDontSh  ...
edited by on November 13th 2020, at 13:30
While heavily deprecated and frowned upon, sometimes you'd still need to use the SMB1 protocol in Windows 10. While you can effortlessly enable this through the GUI (Control Panel → Add/Remove Programs), it may be necessary to install it through scripting (e.g. for automated install). One of the methods is through PowerShell.

Enabling the SMB1 client but not the server (or vice versa) is a multi-step process, as it's not possible to "only" enable the SMB1 client. First, you need to enable everything of SMB1, then disable the unneeded sub-features. An important item to disable is the SMB1 Deprecation option, as leaving this enabled could result in the automatic removal of all SMB1 fe  ...
edited by on November 11th 2020, at 14:40
I ran into an issue where a local group policy had settings that were not accessible or editable using the conventional Local Group Policy editor (gpedit.msc), causing unwanted settings to be re-applied each time the group policy was refreshed. After a bit of searching around on the internet, I found a Powershell module with the ability to add, edit and remove individual items directly from Registry.pol policy files.

The module PolicyFileEditor can be downloaded and installed easily through Powershell:

Install-Module -Name PolicyFileEditor

As with everything from PSGallery, you need to have NuGet installed and updated.

The module comes with examples on how to use it. It can also be viewe  ...
edited by on November 9th 2020, at 16:43
If you are using multi-factor authentication, it is not possible to use the old method of connecting to Exchange Online. You will have to install the Exchange Online PowerShell Module, and use the Connect-ExchangeOnline cmdlet to connect.

With the deprecation of Internet Explorer, the old method below no longer works. Use the method described here to install: Installing Exchange Online Management Powershell cmdlets

Old instructions
Log on to Exchange admin center.

In the left menu, click on hybrid.

Click the configure button for the Exchange Online Remote PowerShell Module. This will start the installation.

In the Application Install that appears, click the Install button.



When using  ...
edited by on November 9th 2020, at 16:34

With the deprecation of Internet Explorer, it is currently no longer possible to install the Exchange Online Powershell module via ECP. But you can also install the Exchange Online Powershell module via Powershell itself:

First install the dependencies:

Install-PackageProvider -Name NuGet -Force
Install-Module -Name PowerShellGet -Force

Next install the Exchange Online Management module:

Install-Module -Name ExchangeOnlineManagement
edited by on November 4th 2020, at 09:57
Using PowerCLI, you can easily retrieve the status of CPU/Memory hot-add/remove. After logging in (use Connect-VIServer), run this cmdlet:

(Get-VM | Select ExtensionData).ExtensionData.config | FT -Auto Name, MemoryHotAddEnabled,CpuHotAddEnabled,CpuHotRemoveEnabled

If you only want a list of VMs which have hot-add/remove enabled for either CPU or memory, you can use filters to filter on this:

(Get-VM | Select ExtensionData).ExtensionData.config | ? {$_.MemoryHotAddEnabled -eq $true -or $_.CpuHotAddEnabled -eq $true -or $_.CpuHotRemoveEnabled -eq $true} | Select Name, MemoryHotAddEnabled,CpuHotAddEnabled,CpuHotRemoveEnabled | FT -Auto

To export the result to CSV, replace the FT -Auto in t  ...
edited by on November 2nd 2020, at 13:45
The Intune Certificate Connector allows users and devices managed by Intune (joined in Azure AD) to (auto-)enroll certificates in an Active Directory Certificate Authority, either on-premise or in Azure. The connector is a piece of software which allows Intune to enroll and issue certificates on behalf of users/devices that aren't joined directly in the local AD but are joined in Azure AD instead, and needs to be installed on a server in the same AD domain as the Certificate Authority.

The installation is outlined here, but it isn't entirely complete as it omits a few requirements. After the installation, you are required to enter the credentials of an account with Azure Global administr  ...
edited by on October 29th 2020, at 09:19
When installing the Remote Desktop Session Host role on a Windows Server, you get a 120 days grace period where you do not need to specify a license server and/or have licenses installed. After the grace period, it is no longer possible to log in with even a single session through RDP, unless you use the admin console (/admin option). Luckily, you can reset this counter by getting rid of a specific key which gets created at the start of the grace period, effectively resetting the grace period counter. This can even be done if the grace period isn't completely over.

Log in directly on the server (or use the /admin option) and fire up regedit.

Navigate to the key: HKEY_LOCAL_MACHINE:\SYSTEM\  ...
edited by on October 22nd 2020, at 16:52

When troubleshooting VoIP, it is useful to know the most common responses in SIP messages. Similarly to HTTP, each response to a request contains a response code indicating the status/result of the request. A list of the most common response codes is found here:

https://www.3cx.com/pbx/sip-responses/

edited by on October 22nd 2020, at 15:12

Black Manticore has recently been moved to a new webserver. The biggest change was the migration from PHP 5 to PHP 7, which, because of the code's age, broke quite a few things. Because of this, the website has been offline for a good while in September, for which we apologize. Most things have been patched since and we expect everything to operate as expected.

Another issue with the tags was discovered lately, causing tags to be absent from new posts. This has been fixed as of today and all affected posts have been updated. Because of the high amount of different tags, we're planning on performing a reorganization and cleanup of the tags in the very near future.

edited by on October 22nd 2020, at 14:39
When running the VMware OS Optimization Tool (OSOT), a lot of optimization is performed to get the best possible performance out of your VDI environment. This also means certain items will be disabled that you may not want disabled, including some personalization aspects such as setting a wallpaper or a background color.

It is not possible to revert the change from outside the VDI-build: any settings applied through GPO or DEM do not get applied. This is because the local group policy takes precedence and OSOT sets several optimizations through the local group policy. By changing the local group policy in the golden image itself, you can get rid of some of the lockdowns.

To   ...
edited by on October 22nd 2020, at 14:37
When attempting to install modules from the PowerShell Gallery, you may get errors on older versions of Windows Server (2008-2012R2), even after updating PowerShell to more recent versions. The errors concern the inability to install the NuGet provider, which is required to download packages from PSGallery.

Errors are similar to:

WARNING: Unable to download from URI.

WARNING: Unable to download the list of available providers. Check your internet connection.

Unable to find package provider 'NuGet'. It may not be imported yet.

The reason for this is a problem with the cryptographic providers enabled on your system. PowerShell 5.1 enables SSL 3.0 and TLS 1.0 for secure HTTP connections, which are  ...
edited by on October 22nd 2020, at 14:37

You can use VMware's OVFTool to convert from OVF to OVA and vice-versa.

  1. Download and install OVFTool. Versions for Windows, Mac and Linux are available. You'll need a (free) VMware Account.
  2. Collect your OVF (and dependent files) and place them on the machine you've installed OVFTool on.
  3. Open a command prompt/Terminal and navigate to the folder where the files are located.
  4. Perform the conversion (adjusting command and paths accordingly):
    For OVF to OVA (note that all files referenced in the OVF must be in the same folder):
    install-path\ovftool.exe C:\path\source.ovf C:\path\dest.ova
    For OVA to OVF:
    install-path\ovftool.exe C:\path\source.ova C:\path\dest.ovf
edited by on October 22nd 2020, at 14:36
A not so documented feature is the support of VMXNET3 in VMware Fusion. It cannot be configured through the UI, but by manually editing the VM configuration file (VMX-file), you can leverage it (assuming you have installed VMware Tools and/or are running a supported guest OS).

Open the file with your favourite text editor, but avoid using Apple's TextEdit as it has a tendency to replace regular quotes with opening/closing quotes, which will break your VMX-file. You can use Terminal and open the file using Nano if you want to be sure.

Network adapters are specified with ethernet*. as the starting line, where * = the number of the network adapter (0 is the first, 1 is the second, and so on).   ...