Login Info – collected!

Posted by: Justin

I have issues at clients with disparate home folder settings, manually re-directed special folders (i.e. My Documents or My Pictures), etc.

When trying to suddenly standardize such settings – perhaps for terminal server projects – there is difficulty and questions surrounding what should be changed and whom it will affect…

This script is something I threw together on my own time to address these questions – I would suggest just setting it as a login script for all domain users and creating a share with Everyone having full control (share permissions) and modify rights (NTFS permissions)… just modify “strFile” to match where you wish to have the document saved. This script appends a record for each logon.

Some of the more clever readers may notice that a conflict could occur if two people logging in hit the script to append to the file at the same time – correct! Since this txt file is single-user, that issue does exist. In reality, I haven’t seen any issues since the script runs so quickly.

VBS code below – I would suggest leaving the “on error resume next” so users are none the wiser if you have a typo!

'*******

On Error Resume Next

' UNC path of the shared log file - change this to match your share
strFile = "\\fastcodc\login-info\login-info-vbs.txt"

Set objShell = WScript.CreateObject("WScript.Shell")

Set objFso = CreateObject("Scripting.FileSystemObject")

' the 8 is for append, 2 is write... True creates the file if it does not exist

Set objFile = objFso.OpenTextFile(strFile, 8, True)

Set objNetwork = WScript.CreateObject("WScript.Network")

' current locations of the user's special folders

strMyDocs = objShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")

strDesktop = objShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")

strMyPics = objShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures")

strMyMusic = objShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Music")

strCompName = objNetwork.ComputerName

strUser = objShell.ExpandEnvironmentStrings("%USERNAME%")

strHomeDrive = objShell.ExpandEnvironmentStrings("%HOMEDRIVE%")

strHomePath = objShell.ExpandEnvironmentStrings("%HOMEPATH%")

' one tab-separated record per logon

objFile.WriteLine "Time: " & Now & vbTab & "MyDocs: " & strMyDocs & vbTab & "Desktop: " & strDesktop & vbTab & "MyPics: " & strMyPics & vbTab & "MyMusic: " & strMyMusic & vbTab & "Comp: " & strCompName & vbTab & "User: " & strUser & vbTab & "HomeDrive: " & strHomeDrive & vbTab & "HomePath: " & strHomePath

objFile.Close

'*******
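To get from the collected file to "what should be changed and whom it will affect", the records can be reduced to the latest one per user and computer. The PowerShell below is an added example, not part of the original post; the sample lines, the `fs1` server, the user names and both function names are constructed for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Constructed sample records in the tab-separated "Key: value" layout the logon script writes.
$sample = @(
    ('Time: 3/1/2010 8:01:12 AM', 'MyDocs: C:\Documents and Settings\alice\My Documents',
     'Desktop: C:\Documents and Settings\alice\Desktop', 'MyPics: C:\Documents and Settings\alice\My Documents\My Pictures',
     'MyMusic: ', 'Comp: WS01', 'User: alice', 'HomeDrive: H:', 'HomePath: \') -join "`t"
    ('Time: 3/2/2010 7:58:40 AM', 'MyDocs: \\fs1\home\alice\My Documents',
     'Desktop: C:\Documents and Settings\alice\Desktop', 'MyPics: \\fs1\home\alice\My Documents\My Pictures',
     'MyMusic: ', 'Comp: WS01', 'User: alice', 'HomeDrive: H:', 'HomePath: \') -join "`t"
    ('Time: 3/2/2010 8:15:03 AM', 'MyDocs: C:\Documents and Settings\bob\My Documents',
     'Desktop: C:\Documents and Settings\bob\Desktop', 'MyPics: C:\Documents and Settings\bob\My Documents\My Pictures',
     'MyMusic: C:\Documents and Settings\bob\My Documents\My Music', 'Comp: TS01', 'User: bob',
     'HomeDrive: C:', 'HomePath: \Documents and Settings\bob') -join "`t"
)

function ConvertFrom-LoginInfoLine {
    param([string]$Line)
    $record = [ordered]@{}
    foreach ($field in $Line -split "`t") {
        # Split at the first ": " only, so times (8:01:12) and drive letters (H:) stay intact.
        $name, $value = $field -split ': ', 2
        if ($name) { $record[$name] = $value }
    }
    [pscustomobject]$record
}

function Get-LoginInfoSummary {
    param([string[]]$Lines)
    $latest = [ordered]@{}
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $r = ConvertFrom-LoginInfoLine $line
        # The file is append-only, so a later line for the same user and computer replaces the earlier one.
        $latest["$($r.User)@$($r.Comp)"] = $r
    }
    foreach ($r in $latest.Values) {
        # A special folder counts as redirected when it points at a UNC path.
        $redirected = foreach ($f in 'MyDocs', 'Desktop', 'MyPics', 'MyMusic') { if ($r.$f -like '\\*') { $f } }
        # An empty value means RegRead failed silently under "On Error Resume Next".
        $missing = foreach ($f in 'MyDocs', 'Desktop', 'MyPics', 'MyMusic') { if (-not $r.$f) { $f } }
        [pscustomobject]@{
            User = $r.User; Computer = $r.Comp; Home = "$($r.HomeDrive)$($r.HomePath)"
            Redirected = $redirected -join ','; Missing = $missing -join ','
        }
    }
}

Get-LoginInfoSummary -Lines $sample | Format-Table -AutoSize
```

For a real run, replace `$sample` with `Get-Content` on the path set in “strFile”.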

TS 2008 R2 and Windows XP RDP clients…some kind of disconnect?

Posted by: Justin

I recently was working with a client that had an odd, yet steady issue – remote control of desktop sessions from the 2008 R2 Remote Desktop Services Manager mmc console would disconnect the remote user when the administrator ended the session shadow.

After some research related to the issue, I found this to only occur with Windows XP RDP clients. Vista or 7 clients had no such issue.

Furthermore, it seemed to be related to some sort of RDP compression algorithm change. The default in R2 doesn’t play well with XP clients unless a hotfix is applied.

Instead of the hotfix from Microsoft (sorry…can’t remember the KB at this time!), just set the RDP listener to use a different compression method. Set it as shown below.

After the change is applied, you will once again be able to shadow and disconnect from RDP sessions with no troubles!

A “Friday job” perhaps?

Posted by: Justin

Just when you believed you could trust that Microsoft stuff was case-insensitive when it came to virtually all kinds of sys admin tasks, MS dev guys show you a thing or two.

Recently ran into this bizarre error message when a user was utilizing TS 2008 RemoteApp Office 2007 applications (namely Word, Excel) – “This RDP file has settings that cannot be overridden by command line. The remote connection cannot be started.”

What does that mean, you ask? Good question. This is Microsoftease for “we decided not to accept any extensions for remoteapp association other than those listed in the .rdp file”.

If you break open a .rdp file association for RemoteApp (i.e. the “fancy” icon created for Excel that really just launches Excel on an RDP session), you will see a list of extensions which get created when you publish an MSI package for the RemoteApp. This creates the magic for launching a local Word document and having it really open on the TS box when you have no local installation of Word.

Here is a sample of a published .RDP via MSI – note the “remoteapplicationfileextensions” section:

...
full address:s:remote.rivercitymech.com
alternate shell:s:||OUTLOOK
remoteapplicationprogram:s:||OUTLOOK
remoteapplicationfileextensions:s:.msg,.oft
gatewayhostname:s:remote.rivercitymech.com
remoteapplicationname:s:Microsoft Office Outlook 2007
remoteapplicationcmdline:s:
...

The file extensions section allows the association to take place, while the MSI package actually creates the association. The problem is that if you have a similar setup with Word or Excel, your RemoteApp associations won’t work if the file’s extension is not all in lower-case. So if your Word document you are trying to launch via RemoteApp is “Doc.DOC”, it won’t work and will give you the above, strange error message that will thoroughly confuse end users!

Fortunately, MS is aware of this… http://support.microsoft.com/kb/971508/EN-US

But they do not have a workaround other than renaming file extensions with lower-case letters.

Note that this article at the time of writing only listed this problem with 2008 – perhaps 2008 R2 is fixed. I have only seen it in the field on 2008 TS remoteapp – not R2.

We have become complacent with MS treating case as a non-issue for many server admin things (obviously C# language is another story).

Where’s the quality control with this one?

Remote Desktop Administrator is finished…

Posted by: Justin

OK – I made it through the Master of Science degree program…was not easy, but nothing worthwhile ever is.

With only the book binding left, I reflect upon my progress.

I would like to count myself lucky as being able to be dangerous with both system administration and development tasks. I believe it was quite valuable to step outside my traditional system administration role and put on the “hat” of a software coder for a bit.

For any that are interested, I will be posting my source code, along with a compiled version on https://sourceforge.net/projects/remotedesktopad/

An almighty command…

Posted by: Justin

A useful trick for running commands as the NT AUTHORITY\SYSTEM account – launch a command prompt as the system.

This is useful for testing certain install processes or for killing some tasks that belong to the system. SCCM installation simulation is a good example.

Here’s how:

  1. Open a command prompt as an administrator.
  2. Create a scheduled task to launch the “other” command window
    1. at [time in the future] /interactive cmd
  3. At your future time, if all is well, a new command window will appear, ready for use.
  4. Remember that the SYSTEM account is only powerful on the local machine!
  5. Remember to close the command window when finished…if you log out, it will stick for the next user that logs in!

Active Setup – how to fight HKCU and other profile-specific battles

Posted by: Justin

I’m sure every sys admin has been there – some kind of software needs to be installed and it has blasted settings that need to get applied for every local or roaming profile that uses the application. The upside to storing app settings in the HKCU hive or the %appdata% area is that you can be 100% certain a user has access to read and write to those areas. The downside is that managing how settings get placed there becomes a challenge in certain cases. Most admin tasks I deal with (and the easiest to pull off) are machine-specific – meaning we aren’t worried about who logs on – everyone gets treated equally. Trouble arises when you have a special app that writes to a user-specific area to store preferences, activation settings, licensing info, etc. that are needed by potentially more than one user on a system or when a user moves to another machine.

One way to address this is by using Microsoft Active Setup. Remember the little box that appears in the upper left corner during logon on Windows XP saying something about customizing settings for IE or the like? That’s it! And…it’s not hard for mere mortals to use (it’s not just for Microsoft folks you know)!

  1. Identify what you want to accomplish….perhaps the most important part…what settings & where they should go…
  2. Break open the following key in registry editor (use caution and edit the registry at your own risk) – “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components”
  3. Beneath this key lies the secret – various GUIDs represent commands that run for each profile at logon – note that you don’t need a GUID, as you can name the key you will make anything you want – as long as it is unique for that machine…I would just use a GUID – get one here – http://www.guidgen.com/ – then make a new key at the level mentioned in step 2 and name it after your GUID (or custom name).
  4. Under your new key – you will need to add at least 2 values – StubPath (REG_EXPAND_SZ) and Version (REG_SZ). See shot below…
  5. StubPath refers to the command you wish to run (i.e. import a reg key with the /s option, call a custom exe, as in this case, copy a file, etc.)
  6. Version should be set to 1 to start, but the nice thing is that if you need to rerun your StubPath for each user when they log in, simply update the Version (like to “2”). This gives you a way to ensure you can re-run your command if update or rollback is needed.
  7. As a bonus, you can change the (Default) value to make it something descriptive so users will have a nice title to watch while your wizard-like command churns away…

All in all, this should present no challenge to the technically inclined while giving you great flexibility over what gets placed into user-specific areas in order to support various applications – a useful weapon for the IT warrior.

For more information, check my source – http://www.appdeploy.com/articles/activesetup.asp
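Because every StubPath under this key executes in each user's logon, it is worth being able to list what is registered and what is still pending for a given profile. The PowerShell below is an added example, not code from the original post or its source article; the function names are hypothetical, and it looks only at the StubPath, Version and (Default) values described above. It relies on how Active Setup decides to run: the Version under HKLM is compared with the copy recorded under the same key name in the user's HKCU hive, and the StubPath runs when the user copy is missing or lower.

```powershell
$machineRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$userRoot    = 'HKCU:\Software\Microsoft\Active Setup\Installed Components'

# Compare two Active Setup version strings ("1", "2", "6,1,7600,0", ...).
# Returns 1 if Left is higher, -1 if lower, 0 if equal.
function Compare-ActiveSetupVersion {
    param([string]$Left, [string]$Right)
    $l = @($Left -split ','); $r = @($Right -split ',')
    for ($i = 0; $i -lt [Math]::Max($l.Count, $r.Count); $i++) {
        # Missing or non-numeric parts count as 0.
        $x = [long]($l[$i] -as [long]); $y = [long]($r[$i] -as [long])
        if ($x -ne $y) { return [Math]::Sign($x - $y) }
    }
    return 0
}

# One row per machine-wide component that has a StubPath, for the user running the script.
function Get-ActiveSetupEntry {
    Get-ChildItem -LiteralPath $machineRoot | ForEach-Object {
        $m = Get-ItemProperty -LiteralPath $_.PSPath
        if (-not $m.StubPath) { return }   # no command registered, nothing to run
        $u = Get-ItemProperty -LiteralPath (Join-Path $userRoot $_.PSChildName) -ErrorAction SilentlyContinue
        $pending = (-not $u) -or ((Compare-ActiveSetupVersion $m.Version $u.Version) -gt 0)
        [pscustomobject]@{
            Key             = $_.PSChildName
            Name            = $m.'(default)'
            MachineVersion  = $m.Version
            UserVersion     = $u.Version
            RunsAtNextLogon = $pending
            StubPath        = $m.StubPath
        }
    }
}

Get-ActiveSetupEntry | Sort-Object RunsAtNextLogon -Descending | Format-List
```

Run it as the user whose profile you are checking; entries with an unfamiliar StubPath are the ones to trace back to the package that created them.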

And so it begins…

Posted by: Justin

Working hard to finish up my grad program @ Ferris State University…posting may be erratic for awhile – bear with me.

.NET, C#, and COM will be my life for a bit – will work to post some information about useful tidbits…

For example, my first challenge of my project (creating an interface for managing multiple remote desktop sessions – similar to tsmmc.msc – back from Windows 2000/2003 days) was finding exactly what allowed me to “tap in” to the RDP library. Lo and behold – eventually I found it after some scrounging around…

Microsoft Terminal Services Active Client 1.0 Type Library – found when adding a reference to your VS project, under the COM tab – this will enable the magic VS Intellisense feature to pick up the MSTSCLib namespace…more as it develops…

Props to this guy for tipping me off via open source – http://www.codeproject.com/KB/cs/Palantir.aspx

Also working on a Microsoft System Center Configuration Manager (SCCM) tool (.NET, C#) that will produce a basic report on package/program chains (i.e. prerequisites). This is being done via WMI. Again, more as it develops…

My good buddy is working on a new theme for the site – should be interesting – stay tuned.



IPv6 & company – sometimes cool…sometimes not

Posted by: Justin

I’ve been in an automating mood lately – old school, batch script style.

Here’s another one I cooked up to relieve you of tedious steps needed to turn off all advanced networking features in Windows 2008/Vista/7.

As a bonus, I added before and after logging for fun.

As a side note, I was not able to cook up a way to dynamically enumerate network connections and uncheck the IPv6 protocol for you…this is still done manually. Perhaps with more time, I could fix this.

Regardless, this little batch file has saved me a bit of time already.

Again, use all but the asterisks for the batch file…

***

rem http://support.microsoft.com/kb/951037

rem Information about the TCP Chimney Offload, Receive Side Scaling, and Network Direct Memory Access features in Windows Server 2008

rem this batch file disables all three advanced settings...

echo ************************** >> c:\pre-disable.txt

echo %date% >> c:\pre-disable.txt

netsh int tcp show global >> c:\pre-disable.txt

netsh int tcp set global chimney=disabled

netsh int tcp set global rss=disabled

netsh int tcp set global autotuninglevel=disabled

netsh int tcp set global congestionprovider=none

netsh int tcp set global ecncapability=disabled

netsh int tcp set global timestamps=disabled

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableTCPA /t REG_DWORD /d 0 /f

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0xffffffff /f

echo ************************* >> c:\post-disable.txt

echo %date% >> c:\post-disable.txt

netsh int tcp show global >> c:\post-disable.txt

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableTCPA >> c:\post-disable.txt

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents >> c:\post-disable.txt

echo ...RESTART REQUIRED... >> c:\post-disable.txt

echo ...verify ipv6 is unchecked in all interfaces... >> c:\post-disable.txt

start c:\pre-disable.txt

start c:\post-disable.txt

pause

***

Microsoft IT Environment Health Scanner

Posted by: Justin

This tool was mentioned to me by another consultant – it is a fantastic way to get a quick overview of an unfamiliar environment.

Scans for replication, ntp, site, subnet, dns, and all kinds of issues!

Find it here -

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=dd7a00df-1a5b-4fb6-a8a6-657a7968bd11

Finally…a quick way to solve that pesky NTP issue on domain controllers…

Posted by: Justin

Ever muddle through Microsoft KB 816042?

Ever wish there was an easy way to make all those registry edits?

I have…so I did something about it - a simple batch file will do nicely.

Tested this just the other day…batch file dump below (minus the ***s)

***

@echo off

rem http://support.microsoft.com/kb/816042

rem How to configure an authoritative time server in Windows Server

rem Uses pool.ntp.org – feel free to replace with any you like (time.nist.gov is another big one)

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type /t REG_SZ /d NTP /f

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config /v AnnounceFlags /t REG_DWORD /d 5 /f

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer /v Enabled /t REG_DWORD /d 1 /f

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v NtpServer /t REG_SZ /d pool.ntp.org,0x1 /f

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 900 /f

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxPosPhaseCorrection /t REG_DWORD /d 3600 /f

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t REG_DWORD /d 3600 /f

net stop w32time && net start w32time

pause

***

PS – your windows domain members should automatically look to the PDC emulator for time sync by default.

You can also use the following command in a login script to force the issue (older hack, but still works)…

net time \\[server name] /set /yes

for more info see – http://support.microsoft.com/kb/120944