Tuesday, January 26, 2016

How to Find the MAC Address

This article describes a quick way to find a MAC address (Media Access Control address).
1- What is a MAC address?
– A Media Access Control address (MAC address) is the unique identifier assigned to a network interface for communication on the physical network segment (layer 2). It is burned into the adapter but can be overridden in software, so it must not be treated as a trustworthy identity.
2- What is ARP?
Address Resolution Protocol (ARP) is the protocol that maps an IP address to the Ethernet MAC address that owns it on the local subnet. Windows keeps the answers in an ARP cache.
To determine the MAC address of another computer on the same subnet:
Start – Run – type cmd, then at the prompt type ping <remote IP> (to populate the cache) followed by arp -a <remote IP>
To determine the MAC address of the local computer, arp -a will not help (a host does not keep an ARP entry for itself); use ipconfig /all or getmac instead.

Note: If you do not specify an IP, arp -a lists every cached entry, i.e. every host on the local subnet that this machine has recently talked to. ARP replies are unauthenticated, so an entry in the cache only proves that someone on the segment claimed that mapping; two IPs resolving to the same MAC (especially one of them being the default gateway) is a classic sign of ARP spoofing.
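The following PowerShell is an added example and not part of the original post. It parses the text that arp -a prints and flags any MAC address that answers for more than one IP, which is the symptom you look for when you suspect ARP spoofing on the segment. The sample output embedded in the block is constructed; the function can be pointed at the live cache as shown in the last comment.

```powershell
# Added example (not from the original post): parse 'arp -a' output and flag MACs
# that answer for more than one IP address, a common ARP-spoofing symptom.
function Get-ArpEntries {
    param([Parameter(Mandatory)][string]$ArpText)
    # Windows 'arp -a' rows look like: "  192.168.1.1           00-11-22-33-44-55     dynamic"
    $pattern = '^\s*(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(?<type>\w+)'
    foreach ($line in ($ArpText -split "`r?`n")) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                IPAddress  = $matches.ip
                MacAddress = $matches.mac.ToLower()
                Type       = $matches.type
            }
        }
    }
}

function Find-ArpDuplicates {
    param([Parameter(Mandatory)][string]$ArpText)
    Get-ArpEntries -ArpText $ArpText |
        # broadcast and IPv4 multicast entries legitimately share MACs; ignore them
        Where-Object { $_.MacAddress -ne 'ff-ff-ff-ff-ff-ff' -and $_.MacAddress -notmatch '^01-00-5e' } |
        Group-Object MacAddress |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MacAddress  = $_.Name
                IPAddresses = ($_.Group | ForEach-Object { $_.IPAddress }) -join ', '
            }
        }
}

# Constructed sample: the gateway 10.0.0.1 and a workstation 10.0.0.23 share one MAC.
$sample = @"
Interface: 10.0.0.15 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              a4-5e-60-11-22-33     dynamic
  10.0.0.23             a4-5e-60-11-22-33     dynamic
  10.0.0.40             00-50-56-aa-bb-cc     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"@

Find-ArpDuplicates -ArpText $sample | Format-Table -AutoSize
# Against the live cache on this machine:
# Find-ArpDuplicates -ArpText (arp -a | Out-String) | Format-Table -AutoSize
```

Run against the constructed sample, the function reports a4-5e-60-11-22-33 for both 10.0.0.1 and 10.0.0.23. A duplicate is not proof of an attack (a router with several addresses on one interface looks the same), but a gateway address sharing a MAC with a workstation is worth a walk to the switch.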

How to (Enable or Disable) Remote Desktop via Group Policy Windows 2008

1- We can use a Group Policy setting to enable or disable Remote Desktop
  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Create or edit a Group Policy Object.
  • Expand Computer Configuration – Policies – Administrative Templates – Windows Components – Remote Desktop Services – Remote Desktop Session Host – Connections.
  • Allow users to connect remotely using Remote Desktop Services: set to Enabled or Disabled.

2- We can use Group Policy Preferences to enable or disable Remote Desktop
  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Create or edit a Group Policy Object.
  • Expand Computer Configuration – Preferences – Windows Settings.
  • Right-click Registry – New – Registry Item.
  • General tab.
  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Terminal Server
  • Value name: fDenyTSConnections
  • Value type: REG_DWORD
  • Value data: 00000000 to enable Remote Desktop OR 00000001 to disable it (the value means "deny connections", so 0 allows and 1 denies)

Notes:
  • The policy setting (method 1) is written under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and wins over the preference (method 2) if both are applied to the same computer.
  • Neither method opens Windows Firewall. Enable the predefined "Remote Desktop" inbound rule group (Computer Configuration – Policies – Windows Settings – Security Settings – Windows Firewall with Advanced Security) or connections will still be refused.
  • Enabling RDP exposes a logon surface on TCP 3389. Require Network Level Authentication as well (Require user authentication for remote connections by using Network Level Authentication, under the Security node of the same policy path) and keep the local Remote Desktop Users group limited to accounts that need it.
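The block below is an added example, not part of the original post. It reads the effective Remote Desktop state on the local machine (the Terminal Server value the GPP item writes, the Policies value the Administrative Template writes, and the NLA flag) so you can confirm what a GPO change actually produced after gpupdate, and it includes functions that make the same change locally together with the two pieces the GPP registry item leaves out: NLA and the firewall rule group. Registry paths are the documented ones; netsh is used for the firewall because Windows Server 2008 and 2008 R2 do not ship the NetSecurity PowerShell module.

```powershell
# Added example (not from the original post): audit and, if asked, set the Remote
# Desktop state on this machine so a GPO/GPP change can be verified after gpupdate.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-RdpState {
    $deny   = Get-RegValue $tsKey     'fDenyTSConnections'   # written by the GPP registry item
    $policy = Get-RegValue $policyKey 'fDenyTSConnections'   # written by the Administrative Template policy
    $nla    = Get-RegValue $rdpTcpKey 'UserAuthentication'   # 1 = Network Level Authentication required
    # When the policy value exists it overrides the Terminal Server key.
    $effectiveDeny = if ($null -ne $policy) { $policy } else { $deny }
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        RemoteDesktopEnabled = ($effectiveDeny -eq 0)
        SetByPolicy          = ($null -ne $policy)
        NlaRequired          = ($nla -eq 1)
        Listening3389        = [bool](netstat -an | Select-String ':3389\s+\S+\s+LISTENING')
    }
}

function Enable-RdpWithNla {
    # Same as the GPP item above (fDenyTSConnections = 0) plus NLA and the firewall group.
    Set-ItemProperty -Path $tsKey     -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
    netsh advfirewall firewall set rule group="remote desktop" new enable=Yes | Out-Null
}

function Disable-Rdp {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
}

Get-RdpState | Format-List
# Enable-RdpWithNla   # run elevated, then call Get-RdpState again to confirm
```

A useful check after linking the GPO: if Get-RdpState shows RemoteDesktopEnabled true but Listening3389 false, the service has not picked the change up yet and a restart of the Remote Desktop Services service (or a reboot) is needed; if it listens but clients are refused, the firewall group is the usual culprit.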

Step-by-step guide to Install an Additional Domain Controller by Using IFM

You can create an additional domain controller in a domain by installing Active Directory Domain Services (AD DS) on a server computer. When you are placing the additional domain controller in a remote site, you can install AD DS on the server either before or after you ship it to the remote site, as follows:
  • Ship the computer as a workgroup computer, and install AD DS on it in the remote site. If you do not have administrative support in the remote site, enable Remote Desktop on the computer before you ship the computer so that you can perform the installation remotely. In the remote site, you can either:
    • Install AD DS from installation media that has been shipped to the site on removable media.
    • Install AD DS over the network.
  • Install AD DS on the server in a hub or staging site, and then ship the installed domain controller to the remote site.
What tool is used to create installation media (IFM) for an additional domain controller?
– Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller.
Note:
– Objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation.
Advantages of using IFM to install a domain controller in a remote site:
  • You can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller.
  • You can install many domain controllers from a single source of installation media.
  • You do not have to disconnect a functioning domain controller from the replication topology. Therefore, you can avoid the disadvantages that are associated with a domain controller that does not replicate.
  • You can avoid having to either replicate the entire Active Directory replica over a wide area network (WAN) link or disconnect an existing domain controller while it is being shipped to the remote site.
  • If you enable Remote Desktop on the server before you ship it, you do not have to employ an administrator with Domain Admins credentials in the remote site. You can also use Remote Server Administration Tools (RSAT) to manage AD DS remotely.
IFM has the following requirements:
  • You cannot use IFM to create the first domain controller in a domain. A Windows Server 2008–based domain controller must be running in the domain before you can perform IFM installations.
  • The media that you use to create additional domain controllers must be taken from a domain controller in the same domain as the domain of the new domain controller.
  • If the domain controller that you are creating is to be a global catalog server, the media for the installation must be created on an existing global catalog server in the domain.
  • To install a domain controller that is a Domain Name System (DNS) server, you must create the installation media on a domain controller that is a DNS server in the domain.
  • To create installation media for a full (writable) domain controller, you must run the ntdsutil ifm command on a writable domain controller that is running Windows Server 2008 or Windows Server 2008 R2.
  • To create installation media for a read-only domain controller (RODC), you can run the ntdsutil ifm command on either a writable domain controller or an RODC that runs Windows Server 2008 or Windows Server 2008 R2. For RODC installation media, Ntdsutil removes any cached secrets, such as passwords.
  • You can use a 32-bit domain controller to generate installation media for a 64-bit domain controller; the reverse is also true. The ability to mix processor types for IFM installations is new in Windows Server 2008 and Windows Server 2008 R2.
  • The IFM process creates a temp database in the %TMP% folder. You need at least 110% of the size of the AD DS or AD LDS database free on the drive where the %TMP% folder is in order for the operation to succeed. You can redirect the %TMP% folder to another disk on the server in order to use more space.
Task requirements
The following tools are required to perform the procedures for this task:
  • Ntdsutil.exe
  • Dcpromo.exe
  • Robocopy.exe
  • Enable Remote Desktop on the destination server
To create installation media for IFM
  1. Click Start. In Start Search, type Command Prompt.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. At the command prompt, type the following command, and then press ENTER:
ntdsutil
  4. At the ntdsutil prompt, type the following command, and then press ENTER:
activate instance ntds
  5. At the ntdsutil prompt, type the following command, and then press ENTER:
ifm
  6. At the ifm prompt, type the command for the type of installation media that you want to create, and then press ENTER. For example, to create installation media for a writable domain controller with SYSVOL, type the following command, where <drive>:\<folder> is an empty local folder:
create sysvol full <drive>:\<folder>
The other variants are create full (writable DC without SYSVOL), create rodc and create sysvol rodc (RODC media, with cached secrets stripped).

You can save the installation media to a network shared folder or to removable media. The same %TMP% space requirement listed above (at least 110% of the database size) applies while the media is being created.
Important
Full (writable) installation media is a complete copy of the directory database, including every account's password hashes, plus the SYSTEM registry hive needed to decrypt it. Treat it like a domain backup: keep it off general-purpose shares, encrypt it in transit, and delete it as soon as the new domain controller is promoted. Because ntdsutil ifm is also how attackers take a copy of NTDS.DIT, alert on ntdsutil.exe executions that are not part of a planned promotion.
If you create installation media with SYSVOL, use Robocopy.exe to copy the installation media from where it is saved to the destination domain controller that you want to add to the domain. Robocopy with /COPYALL preserves the security descriptors and timestamps that the DFS Replication file hash depends on; a plain copy does not.
 
To copy the installation media with SYSVOL to a destination domain controller
  1. Click Start. In Start Search, type Command Prompt.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. At the command prompt, type the following command, and then press ENTER:
robocopy.exe <source folder> <destination folder> /E /COPYALL
Example:
robocopy.exe c:\InstallationMediaFolder \\RODC01\IFM /E /COPYALL
Important:
The next steps are required to change the SYSVOL folder security settings. These steps recompute the file hash so that it matches the hash recorded in the IFM media. If you use DFS Replication, SYSVOL keeps the preseeded data only if the file hash on the source domain controller and on the destination server are the same; otherwise the whole of SYSVOL is replicated again over the WAN.
  1. On the destination server, right-click the SYSVOL folder, and then click Properties.
  2. Click the Security tab, and then click Advanced.
  3. Click the Auditing tab, and then click Edit.
  4. Clear the Include inheritable auditing entries from this object's parent check box, and then select it again.
  5. Click Apply, and then click OK.
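Because the IFM folder is the root of trust for the new domain controller, it is worth proving that what arrived at the destination is byte-for-byte what ntdsutil produced. The PowerShell below is an added example and not part of the original article: it builds a manifest of SHA-256 content hashes on the source DC before the copy and compares it with a manifest taken on the destination after the robocopy, so a truncated or tampered copy is caught before dcpromo trusts it. Folder names are assumptions. Note that this checks file content only; the DFS Replication "file hash" discussed above also covers the security descriptor, which is what the auditing-tab step fixes.

```powershell
# Added example (not from the original article): hash every file in the IFM folder
# before it leaves the source DC and compare after the robocopy. Paths are assumptions.
function Get-MediaManifest {
    param([Parameter(Mandatory)][string]$Root)
    $sha      = [System.Security.Cryptography.SHA256]::Create()
    $rootFull = (Resolve-Path $Root).ProviderPath.TrimEnd('\')
    $manifest = @{}
    # Where-Object instead of -File so this also runs on PowerShell 2.0 (Server 2008)
    Get-ChildItem -Path $rootFull -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $stream = $_.OpenRead()
        try   { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
        finally { $stream.Close() }
        $relative = $_.FullName.Substring($rootFull.Length + 1)   # path relative to the media root
        $manifest[$relative] = $hash
    }
    $manifest
}

function Compare-MediaManifest {
    param(
        [Parameter(Mandatory)][hashtable]$Source,
        [Parameter(Mandatory)][hashtable]$Destination
    )
    $problems = @()
    foreach ($file in $Source.Keys) {
        if (-not $Destination.ContainsKey($file))        { $problems += "MISSING   $file" }
        elseif ($Destination[$file] -ne $Source[$file])   { $problems += "MODIFIED  $file" }
    }
    foreach ($file in $Destination.Keys) {
        if (-not $Source.ContainsKey($file))              { $problems += "EXTRA     $file" }
    }
    $problems
}

# Constructed demonstration with two literal manifests (relative paths mimic the IFM layout):
$atSource = @{ 'Active Directory\ntds.dit' = 'AAAA'; 'registry\SYSTEM' = 'BBBB'; 'SYSVOL\domain\Policies\x.ini' = 'CCCC' }
$atDest   = @{ 'Active Directory\ntds.dit' = 'AAAA'; 'registry\SYSTEM' = 'BBBB'; 'SYSVOL\domain\Policies\x.ini' = 'DDDD'; 'extra.txt' = 'EEEE' }
Compare-MediaManifest -Source $atSource -Destination $atDest
# prints: MODIFIED  SYSVOL\domain\Policies\x.ini  and  EXTRA     extra.txt

# Real use. On the source DC, right after 'create sysvol full':
#   Get-MediaManifest -Root 'C:\InstallationMediaFolder' | Export-Clixml 'C:\ifm.manifest.xml'
# Send ifm.manifest.xml by a different channel than the media (for example e-mail).
# On the destination server, after the robocopy:
#   $src = Import-Clixml '.\ifm.manifest.xml'
#   $issues = Compare-MediaManifest -Source $src -Destination (Get-MediaManifest -Root 'C:\IFM')
#   if ($issues) { $issues; throw 'IFM media does not match the source manifest; do not promote.' }
```

Keeping the manifest on a separate channel is the point: an attacker who can alter the media on the shared folder or removable disk can just as easily alter a manifest stored next to it.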

To install AD DS from IFM media by using the Windows interface:

  1. Click Start, and then click Server Manager.
  2. In Roles Summary, click Add Roles.
  3. Review the information on the Before You Begin page, and then click Next.
  4. On the Select Server Roles page, click Active Directory Domain Services, and then click Next.
  5. Review the information on the Active Directory Domain Services page, and then click Next.
  6. On the Confirm Installation Selections page, click Install.
  7. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
  8. On the Welcome page, select Use advanced mode installation, and then click Next. Advanced mode is what exposes the Install from Media page later in the wizard.
  9. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
  10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
  11. On the Network Credentials page, provide the user name and password for an account that can install the additional domain controller (by default a member of Domain Admins), and then click Next.
  12. Select the domain of the new domain controller, and then click Next.
  13. Select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next.
  14. On the Additional Domain Controller Options page, select DNS server and Global catalog as required and, for an RODC, Read-only domain controller, and then click Next. Remember that DNS and global catalog media must have been created on a domain controller that holds the same roles (see the requirements above).
  15. On the Install from Media page, click Replicate data from media at the following location, type the path of the IFM folder that was copied to this server, and then click Next.
  16. On the Source Domain Controller page, click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify the domain controller that will supply the objects changed since the media was created, and then click Next. If you do not choose to install from media, all data is replicated from this source domain controller.
  17. Type or browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click Next.
  18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password is used to start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be performed offline. It is a local credential outside the domain password policy, so choose a strong one and store it where the domain admins can find it.
  19. On the Summary page, review your selections. Click Back to change any selections, if necessary.
  20. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
  21. You can select Reboot on completion to have the server restart automatically, or you can restart the server to complete the installation of AD DS when you are prompted to do so.
  22. After the installation completes successfully and the computer has restarted, delete the folder that contains the IFM media from the local disk, and from any share or removable media it passed through. For a writable domain controller that folder holds a full copy of the directory database, including password hashes.

How to Repair Windows System Files with System File Checker (SFC)

What is System File Checker (SFC)?
System File Checker is a utility in Microsoft Windows that scans protected system files (DLLs, drivers, executables) and restores any that are missing or do not match the signed version Windows expects. It is available in all current members of the Windows family.
In Windows Vista and later, System File Checker is integrated with Windows Resource Protection, which protects registry keys and folders as well as critical system files, and replaces bad files from the component store (%WinDir%\WinSxS).
How to use SFC
1- Start – Search – type cmd – right-click the cmd icon and choose Run as administrator

2- Type sfc /scannow and press Enter

Important:
  • You must run Command Prompt as an administrator on Windows Vista and later; otherwise sfc stops with "You must be an administrator running a console session".
  • If it finds a problem, it attempts to replace the file from the component store (the DLL Cache on Windows XP).
  • If the store copy is also missing or corrupted, SFC reports that it "found corrupt files but was unable to fix some of them". On Windows 7 you may need the original Windows DVD; on Windows 8 and later, run DISM /Online /Cleanup-Image /RestoreHealth to repair the store first and then sfc /scannow again.
  • A full scan usually takes 5 to 10 minutes.
  • You may be prompted to restart.
  • sfc /verifyonly reports without changing anything. Run it first when you suspect tampering rather than ordinary corruption, so the modified files are still there to examine before the scan overwrites them.

3- When the scan is complete, the details are written to
C:\Windows\Logs\CBS\CBS.log
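CBS.log is shared with servicing, so only the lines tagged [SR] belong to SFC; Microsoft's own guidance is to pull them out with findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log. The PowerShell below is an added example and not part of the original post: it does the same filtering and then summarises which files were repaired and which could not be, which is the list you need for a DISM or DVD repair or, when the names are system binaries nobody should have touched, for an incident. The sample log lines embedded in the block are constructed in the CBS.log style; real entries carry more fields.

```powershell
# Added example (not from the original post): summarise the [SR] entries SFC writes to CBS.log.
function Get-SfcLogSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $repaired = @(); $failed = @()
    foreach ($line in $Lines) {
        if ($line -notmatch '\[SR\]') { continue }
        # The file name is the last quoted string on the line (earlier quotes hold the directory).
        $quoted = [regex]::Matches($line, '"([^"]+)"')
        if ($quoted.Count -eq 0) { continue }
        $file = $quoted[$quoted.Count - 1].Groups[1].Value
        if     ($line -match '\[SR\] Cannot repair member file')                       { $failed   += $file }
        elseif ($line -match '\[SR\] (Repairing corrupted file|Repaired file)')         { $repaired += $file }
    }
    [pscustomobject]@{
        Repaired       = @($repaired | Sort-Object -Unique)
        CouldNotRepair = @($failed   | Sort-Object -Unique)
        Clean          = ($failed.Count -eq 0)
    }
}

# Constructed sample lines in the CBS.log style:
$sample = @(
  '2016-01-26 10:12:30, Info                  CSI    000003e8 [SR] Beginning Verify and Repair transaction',
  '2016-01-26 10:12:33, Info                  CSI    000003f1 [SR] Repairing corrupted file [ml:520{260},l:60{30}]"\??\C:\Windows\System32"\[l:22{11}]"example.dll" from store',
  '2016-01-26 10:12:35, Info                  CSI    000003f4 [SR] Cannot repair member file [l:20{10}]"broken.dll" of Example-Component, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch',
  '2016-01-26 10:12:40, Info                  CSI    000003f9 [SR] Verify complete'
)
Get-SfcLogSummary -Lines $sample | Format-List
# Repaired: example.dll   CouldNotRepair: broken.dll   Clean: False

# Against the real log (run elevated):
# Get-SfcLogSummary -Lines (Get-Content "$env:windir\Logs\CBS\CBS.log") | Format-List
```

The log is appended to on every scan and every Windows Update, so when you care about one particular run, note the time you started sfc and cut the lines before it, or delete the file first (it is recreated).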

Automatic creation of user folders for home, roaming profile and redirected folders.


Home directory:
Home folders are created automatically when the user's account is created, provided an administrator has set a home folder path on the account. You can change the home folder for the user afterwards, but we are all about making the admin's life easier.

Create the folder and enable sharing

image
As you can see we created the share name and added a dollar sign ($) to the end. A trailing $ only hides the share from browse lists; it is not an access control, so the permissions below still matter.
Next, we'll configure the share permissions. It is important to note that the default share permissions differ between Windows NT/Windows 2000 and Windows Server 2003. By default, Windows 2000 gives the Everyone group Full Control; Windows Server 2003 and later give the Everyone group Read. However, we'll change this to:
Administrators: Full Control
System: Full Control
Authenticated Users: Full Control

image
If you expect or want users to be able to make their home directory available while they are not connected to the network (also known as Offline Files), then you'll want to turn on offline file caching of the HOME$ share. You do this by:
1. Click Offline Settings on Windows 2000 or Caching on Windows Server 2003 or later, which is located on the Sharing tab.
2. Click Only the files and programs that users specify will be available offline.
3. Then click OK.
NOTE: You should configure Offline Files settings even if you do not want users to work with files while they are not connected to the network: in that case disable Offline Files by clicking Files or programs from the share will not be available offline. Cached copies live on the client disk in clear text by default, so for home folders holding sensitive data, disabling caching (or enabling the Encrypt the Offline Files cache policy on the clients) is the safer choice.

Configuring NTFS Permissions

Now we need to configure the NTFS permissions, so we need to be on the “Security” tab of the folder we created earlier.
1. Turn off inheritance on the folder and copy the permissions. You do this by:
a. Click the Advanced button found on the Security tab.
b. Clear Allow inheritable permissions to propagate to this object check box in the Advanced Security Settings dialog box.
c. Click Copy when prompted by the Security dialog box.
2. Click OK to return to the Security tab. Ensure we have the following permissions set:
Administrators: Full Control
System: Full Control
Creator Owner: Full Control
Authenticated Users: Read & Execute, List Folder Contents, Read

3. Change permissions for Authenticated Users so they cannot access other users’ folders. You do this by:
a. Click Advanced on the Security tab.
b. Click Authenticated Users, and then click Edit.
c. On the Permissions Entry for HOME dialog box, drop down the Apply onto and select This folder only.
d. Click OK twice.
Here is a screen shot of this step:
image
We now have the permissions configured properly. Next, let’s create a user and specify the home folder location. This is done by going to the Profile tab of the user account in Active Directory Users and Computers. In the following screen shot shows an example of a drive mapping.
image
Yep, the TOM folder got created without a problem:
image
When we look at the permissions of the TOM folder we see the following:
image
We see that only Administrators, System, Tom, and Creator Owner have permissions to the folder. Other users do not.
Roaming Profile:
Configuring roaming profiles uses the same procedure as the home folder share, except for one difference. You should disable Offline Files and you should always hide the profile share using a dollar sign ($).
Since the setup is pretty much exactly the same (except for the share name) so I’m not going to bore you with the same steps as earlier.
The main difference between the roaming profile folder and the home folder is that the roaming profile folder is not created until the user logs on and then logs off. Windows creates the profile directory and copies the profile to the share once the user has completed one successful logon and logoff.
You configure the profile location on the Profile or Terminal Services Profile tab within Active Directory Users and Computers. Type a UNC path to where Windows should create the user profile. The following screen shot gives you an example a user account configured with a profile path.
image
Folder Redirection:
For the most part the share and NTFS permissions are the same as the Home folder configuration except we need to replace Authenticated Users with the Everyone group. This is required for Windows to automatically create the redirected folders. These two KB articles provide more information:
291087 Event ID 101 and Event ID 1000 Messages May Be Displayed When Folder
http://support.microsoft.com/?id=291087
274443 How to dynamically create security-enhanced redirected folders by using
http://support.microsoft.com/?id=274443

Create the folder and enable sharing

So, we need to create a folder on a file server and enable it for sharing, again I would recommend that you hide the share using the dollar sign ($) at the end of the share name.
image
If you expect or want users to be able to work with their redirected folders while they are not connected to the network (Offline Files), then you'll want to turn on offline file caching of the FldrRedir$ share. You do this by:
1. Click Offline Settings on Windows 2000 or Caching on Windows Server 2003 or later, which is located on the Sharing tab.
2. Click Only the files and programs that users specify will be available offline.
3. Then click OK.
We will also need to set the following permissions for the share:
Administrators: Full Control
System: Full Control
Everyone: Full Control

image

Configuring NTFS Permissions

We need to configure NTFS permissions for the newly created folder. You’ll want to remove inheritance from this folder, as we did when configuring home folders.
1. Turn off inheritance on the folder and copy the permissions. You do this by:
a. Click the Advanced button found on the Security tab.
b. Clear Allow inheritable permissions to propagate to this object check box in the Advanced Security Settings dialog box.
c. Click Copy when prompted by the Security dialog box.
2. Click OK to return to the Security tab. Ensure we have the following permissions set:
Administrators: Full Control
System: Full Control
Creator Owner: Full Control
Everyone: Read & Execute, List Folder Contents, Read

3. Now we need change the permissions a bit for “Everyone” so that they do not have any permission to other users’ folders. This is done by doing the following:
a. Click Advanced on the Security tab.
b.Click Everyone, and then click Edit.
c. On the Permissions Entry for FldrRedir dialog box, drop down Apply onto and select This folder only.
d. Click OK twice.
Here is a screen shot of this step:
image
4. Configuring Folder Redirection settings within Group Policy:
a. Use the Group Policy Management Console (GPMC) and edit the GPO containing the Folder Redirection settings you want modified. Configure each folder in the following list to use the Basic – Redirect everyone's folder to the same location Folder Redirection setting, and type the UNC path listed in the table into the Root Path setting for each folder.

Redirected Folder    UNC Path
Application Data     \\contoso-rt-mem1\FldrRedir$
Desktop              \\contoso-rt-mem1\FldrRedir$
My Documents         \\contoso-rt-mem1\FldrRedir$
Start Menu           \\contoso-rt-mem1\FldrRedir$

Here is a screen shot of Application Data being redirected:
image
You can see that Windows shows you the entire path used for the Folder Redirection. So although we didn’t specify the user’s name in the Root Path, the redirection example shows the folder path as: \\contoso-rt-mem1\FldrRedir$\Clair\Application Data
b. By default, Administrators do not have permissions to users' redirected folders: with Grant the user exclusive rights to selected, Windows creates each folder with an ACL that names only the user and SYSTEM. If you require the ability to go into the users' folders, go to the Settings tab and clear Grant the user exclusive rights to on each folder that is redirected. This allows Administrators to enter the users' redirected folder locations without taking ownership of the folder and files; taking ownership through the GUI would otherwise replace the user's access and be visible to the user. Decide this before the first logon: the option only affects folders Windows creates afterwards.

image
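The same root-folder ACL is built by hand three times on this page (home folders, roaming profiles, Folder Redirection), differing only in which principal gets the "this folder only" read entry. The PowerShell below is an added example and not part of the original post: it applies that ACL to a freshly created root folder with the four entries exactly as listed above (Administrators and SYSTEM full control inheriting downward, CREATOR OWNER full control as an inherit-only entry, and the list principal limited to the root), and shows the resulting entries so you can check them against the screenshots. Folder paths and share names are assumptions; the function assumes the folder is new and carries only inherited entries, as in the walkthrough.

```powershell
# Added example (not from the original post): build the per-user root folder NTFS ACL
# described above with PowerShell. Paths and share names below are assumptions.
function Set-PerUserRootAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # 'NT AUTHORITY\Authenticated Users' for home folders and roaming profiles,
        # 'Everyone' for Folder Redirection (needed for automatic folder creation).
        [Parameter(Mandatory)][string]$ListPrincipal
    )
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $read    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute  # = Read & Execute, List Folder Contents, Read
    $subAll  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.InheritanceFlags]::None
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', $full, $subAll, $prop,    $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    $full, $subAll, $prop,    $allow),
        # Inherit-only: whoever creates a subfolder owns it and gets Full Control on it,
        # but this entry grants nobody anything on the root itself.
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER',          $full, $subAll, $inhOnly, $allow),
        # "This folder only": users can see the root, inherit nothing into each other's folders.
        New-Object System.Security.AccessControl.FileSystemAccessRule($ListPrincipal,           $read, $none,   $prop,    $allow)
    )

    $acl = Get-Acl -Path $Path
    # Step 1 of the walkthrough, but discarding the parent's entries instead of copying them,
    # so only the four rules above remain (the folder is assumed to be freshly created).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

function Show-FolderAcl {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
        Format-Table -AutoSize
}

# Home folders: hidden share, share permissions as in the article, manual offline caching.
#   New-Item -ItemType Directory -Path 'D:\Home' | Out-Null
#   net share HOME$=D:\Home /GRANT:Administrators,FULL /GRANT:SYSTEM,FULL "/GRANT:Authenticated Users,FULL" /CACHE:Manual
#   Set-PerUserRootAcl -Path 'D:\Home' -ListPrincipal 'NT AUTHORITY\Authenticated Users'
#   Show-FolderAcl -Path 'D:\Home'
# Roaming profiles: same as above with /CACHE:None (Offline Files disabled).
# Folder Redirection root: Everyone replaces Authenticated Users on both share and NTFS.
#   net share FldrRedir$=D:\FldrRedir /GRANT:Administrators,FULL /GRANT:SYSTEM,FULL /GRANT:Everyone,FULL /CACHE:Manual
#   Set-PerUserRootAcl -Path 'D:\FldrRedir' -ListPrincipal 'Everyone'
```

Show-FolderAcl is the quick way to confirm the subtle part: the CREATOR OWNER entry must show InheritOnly, and the Authenticated Users or Everyone entry must show InheritanceFlags None. If either is wrong, every user gets rights in every other user's folder, which is exactly what step 3 of the walkthrough exists to prevent.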

How to Make a Domain User the Local Administrator for all PCs

You can create GPO and link the GPO to domain or OU containing all the computers.

Step 1 : Creating a Security Group

First you need to create a security group called Local Admin
  • Log on to a domain controller and open Active Directory Users and Computers (dsa.msc).
  • Create a security group: from the menu select Action | New | Group.

  • Name the group Local Admin.

  • Add the help desk members to the Local Admin group. I will add two users, say Tom and Bob. Keep this group small and reviewed: every member becomes an administrator on every PC the policy reaches, so a single compromised help desk account gives an attacker the whole fleet.

 
Step 2: Create Group Policy.
Next you need to create a group policy called “Local Admin GPO”
  • Open Group Policy Management Console ( gpmc.msc )
  • Right click on Group Policy Objects and select  New. 

  • Type the name of the policy "Local Admin GPO"

Step 3: Configure the policy to add the “Local Admin” group as Administrators

Here you will add the Local Admin group to the Local Admin GPO policy and put them in the groups you wish them to use.
  • Right click “Local Admin GPO” Policy then select Edit.
  

  • Expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
  • In the left pane, right-click Restricted Groups and select Add Group.


  • In the Add Group dialog box, click Browse, type Local Admin, and then click Check Names.

  • Click OK twice to close the dialog box.

  • Click Add under "This group is a member of:".
  • Add the "Administrators" group.
  • Add "Remote Desktop Users".
  • Click OK twice.

NOTE: When filling in "This group is a member of", you can type any group name; the policy matches it against the groups that exist on each computer. If you type "Admins", it will match a local group called Admins where one exists and put Local Admin in it. This list is additive: existing members of the local Administrators group are left alone. The other list on the same page, "Members of this group", is the opposite: it replaces the local group's membership with exactly what you list, which is the setting to use when you want to purge unauthorised local admins, but it will remove every account you forget to list.

Step 4: Linking GPO

  • In Group policy management console, right click on the domain or the OU and select Link an Existing GPO

  • Select the Local Admin GPO

Step 5: Testing GPOs


Log on to a PC that is joined to the domain, run gpupdate /force, and check the local Administrators group (net localgroup Administrators). You should see Local Admin in that group now. Make sure all PCs you want to reach are in an OU that has the GPO linked. Tom and Bob can now log on to all of those PCs remotely as local administrators.
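Checking one PC by hand is fine for a test; checking the fleet is where a script earns its keep. The PowerShell below is an added example and not part of the original post: it reads the local Administrators group on a list of computers through the WinNT ADSI provider (which works against Windows Server 2008-era clients without PowerShell remoting), compares the members to the baseline the GPO was meant to produce, and reports anything missing or unexpected. Computer names, the domain name CONTOSO and the baseline are assumptions.

```powershell
# Added example (not from the original post): verify across computers that the local
# Administrators group contains exactly what the Restricted Groups policy intended.
function Get-LocalAdministrators {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://CONTOSO/Local Admin or WinNT://PC01/Administrator
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Test-LocalAdministrators {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Assumed baseline: the built-in account, Domain Admins, and the group added by the GPO.
        [string[]]$Expected = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Local Admin')
    )
    foreach ($pc in $ComputerName) {
        try {
            $members = @(Get-LocalAdministrators -ComputerName $pc)
        } catch {
            [pscustomobject]@{ Computer = $pc; Compliant = $false; Missing = 'n/a'; Unexpected = "error: $($_.Exception.Message)" }
            continue
        }
        # Local accounts come back as PC01\Name; strip the machine prefix so one baseline fits all PCs.
        $normalized = $members | ForEach-Object { $_ -replace "^$([regex]::Escape($pc))\\", '' }
        $missing    = @($Expected   | Where-Object { $normalized -notcontains $_ })
        $unexpected = @($normalized | Where-Object { $Expected   -notcontains $_ })
        [pscustomobject]@{
            Computer   = $pc
            Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
            Missing    = ($missing -join ', ')
            Unexpected = ($unexpected -join ', ')
        }
    }
}

# After 'gpupdate /force' on the targets (names are assumptions):
# Test-LocalAdministrators -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize
```

"Missing" tells you where the GPO did not apply (wrong OU, blocked inheritance, machine not rebooted); "Unexpected" is the more interesting column, because "This group is a member of" never removes anything, so local admin accounts created by users, vendors or malware stay until you either clean them up or switch to "Members of this group".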

Disable Windows thumbs.db files from being created

Although you can safely delete any thumbs.db file, Windows will recreate it unless thumbnail caching is disabled. Thumbs.db is a hidden database of thumbnails for the images in a folder; it keeps thumbnails of pictures that have since been deleted or moved, which makes it a data-leak concern on shared folders (and a useful forensic artifact). The following sections detail how to stop thumbs.db files from being generated in different versions of Windows. Note that on Windows Vista and later the main thumbnail cache lives in thumbcache_*.db under %LOCALAPPDATA%\Microsoft\Windows\Explorer; thumbs.db files are still written into network folders, and the policy Turn off the caching of thumbnails in hidden thumbs.db files (User Configuration\Administrative Templates\Windows Components\Windows Explorer) stops that on a domain-wide basis.

Windows XP

  1. Open My Computer.
  2. Click Tools and then Folder Options.
  3. Within the Folder Options window click the View tab.
  4. In the View tab, under Advanced Settings, check the box Do not cache thumbnails.
  5. Click OK.

Windows Vista and Windows 7

  1. Press the Windows Key + E.
  2. In the window that appears, click Organize in the top left-hand corner.
  3. From the dropdown menu, select Folder and search options.
  4. In the Folder Options window that appears, select the View tab.
  5. Locate the Advanced settings: section of the window.
  6. Under Files and Folders, check the box next to Always show icons, never thumbnails.
  7. Click Apply, then OK.
  8. (Optional) Run Disk Cleanup to clear any pre-existing thumbs.db files.
Note: If you do run Disk Cleanup, make sure the box next to Thumbnails is checked.

Windows 8

  1. Press the Windows Key + E.
  2. In the window that appears, select the View tab in the top left-hand corner.
  3. Locate and click Options on the right-hand side.

    Windows 8 Folder Options
  4. In the Folder Options window that appears, select the View tab.
  5. Locate the Advanced settings: section of the window.
  6. Under Files and Folders, check the box next to Always show icons, never thumbnails.
  7. Click Apply, then OK.
  8. (Optional) Run Disk Cleanup to clear any pre-existing thumbs.db files.
Note: If you do run Disk Cleanup, make sure the box next to Thumbnails is checked.

Sunday, January 3, 2016

Managing calendar permissions in Exchange Server 2010

In legacy versions of Exchange Server we could use PFDAVAdmin to manage calendar permissions, or alternatively the third-party tool SetPerm.
With Exchange Server 2010 calendar permissions can be managed using the *-MailboxFolderPermission cmdlets. While these cmdlets can be used to manage permissions on any mailbox folder, we'll focus on calendar permissions.
In fact we have four *-MailboxFolderPermission cmdlets in Exchange Server 2010: Add-MailboxFolderPermission, Get-MailboxFolderPermission, Set-MailboxFolderPermission and Remove-MailboxFolderPermission.
Since I'll be focusing on managing the Default permission, which is an existing entry in the calendar folder's ACL, we need to use the Set-MailboxFolderPermission cmdlet (Add- fails when an entry for that user already exists, and Set- fails when it does not):
(screenshot)
To grant Reviewer permissions to the Default user, we would run the following:
(screenshot)
Some companies have a policy that everyone must share their calendars with all users. Since it's now possible to manage calendar permissions using PowerShell, I've written a script to accomplish this task: Set-CalendarPermissions.ps1.

While this script could be scheduled to run on a regular basis, a better approach for managing calendar permissions for new mailboxes is to use the Scripting Agent, which is part of the Cmdlet Extension Agents, a very useful feature introduced in Exchange Server 2010.
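The following is an added example written for this page; it is not the author's Set-CalendarPermissions.ps1 and makes no claim about what that script does. It sets the Default entry on every user mailbox's calendar from the Exchange Management Shell, with two details a company-wide rollout needs: the calendar is found by folder type rather than by the name "Calendar", so mailboxes created in other languages are handled, and the access level is a parameter because Reviewer on Default lets every user read every meeting's body and attendee list. LimitedDetails (free/busy plus subject and location) or AvailabilityOnly usually satisfies the "everyone must share" policy with far less exposure.

```powershell
# Added example (not the original post's Set-CalendarPermissions.ps1): set the Default
# calendar permission on every user mailbox. Run in the Exchange 2010 Management Shell.
function Set-DefaultCalendarPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Reviewer exposes meeting bodies and attendees to all users; LimitedDetails
        # (free/busy + subject + location) is the usual choice for a blanket policy.
        [ValidateSet('AvailabilityOnly', 'LimitedDetails', 'Reviewer')]
        [string]$AccessRights = 'LimitedDetails'
    )
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    foreach ($mbx in $mailboxes) {
        # Locate the calendar by type, not by name, so localized folder names work.
        $calendar = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
                    Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        if (-not $calendar) { Write-Warning "$($mbx.PrimarySmtpAddress): no calendar folder found"; continue }

        # FolderPath is "/Calendar" (or localized); the permission identity wants "user@domain:\Calendar".
        $folderId = "$($mbx.PrimarySmtpAddress):" + ($calendar.FolderPath -replace '/', '\')

        $current = Get-MailboxFolderPermission -Identity $folderId |
                   Where-Object { $_.User.DisplayName -eq 'Default' } |
                   ForEach-Object { "$($_.AccessRights)" }
        if ($current -eq $AccessRights) { continue }   # already compliant, nothing to change

        if ($PSCmdlet.ShouldProcess($folderId, "Default: '$current' -> '$AccessRights'")) {
            # Default always exists on a calendar, so Set- (not Add-) is the right verb.
            Set-MailboxFolderPermission -Identity $folderId -User Default -AccessRights $AccessRights
        }
    }
}

# Preview the changes first, then apply them:
# Set-DefaultCalendarPermission -AccessRights LimitedDetails -WhatIf
# Set-DefaultCalendarPermission -AccessRights LimitedDetails
```

Because the function only touches mailboxes whose Default entry differs from the target, it is safe to schedule repeatedly or to call from a Scripting Agent hook on New-Mailbox; the -WhatIf run also doubles as an audit of which calendars currently deviate from policy.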