Remote Symbolic Links – Redirecting fileserver data

So we had this problem, several of our Windows 2008 R2 fileservers were running full and due to technical issues (old hardware) replacing the disks became VERY expensive.

So alternatives, I started to think – hey, let's create an “iSCSI drive” on a remote datacenter server, mount the iSCSI drive into the directory structure as a mountpoint named “Archive” or something.  Now users could put “old” archival data here, thus removing it from the server but still being available – clever 😀  A few issues crept up however, when creating an iSCSI target on a Windows 2008 R2 server this is “terminated” as a VHD file – this proved annoying (eg for backup etc), besides a friend of mine pointed out that they had tried something similar once – sadly if connectivity was sketchy this could cause the fileserver to hang as it was unable to connect to the iSCSI target.

My friend however pointed out that he had had success with using “Links”, right – I have heard of these Junction points and symbolic links, but never really found any real good use for them.  But it turns out you can create a symbolic link from the directory structure on one server, pointing to a share on a different server.

So eg. O:\ could have a lot of directories, however we also make a Symbolic Link there named “Archive” – if you now perform a dir you will find all the subdirectories, however you will also find O:\Archive which looks just like a directory (the icon gets a screwy arrow but that's all). However it's not, it is instead a “pointer” to a share on a different server (this share we can easily backup and maintain).

So the command to use is;

MKLINK /D <NAME> \\<SERVERNAME>\Sharename

eg,  MKLINK /D HyperVisor5 \\SECRETSERVER\aarhus

HyperVisor5 is the name the directory will get locally, the /D indicates it is a directory symbolic link, and the link will point to \\SECRETSERVER\aarhus (aarhus is the share name on the SECRETSERVER).

Ohh that was easy you say, yeah – well – it did not work 🙁

When a workstation attempted to access a mapped drive (eg. O:\Archive) it would get the error “The symbolic link cannot be followed because its type is disabled.”

A bit of googling led to;
https://blogs.msdn.microsoft.com/junfeng/2012/05/07/the-symbolic-link-cannot-be-followed-because-its-type-is-disabled/

And the solution was simple enough, you need to execute this command on the workstation that has the problem;

[Screenshot: the command to run, highlighted in yellow; the command above it shows the current state of your computer.]

And now your workstation can browse the directory (which is actually a pointer to a share on a different server) just like it was on the local server.

This should also be controllable via Group Policy, however I have not had the chance to test it yet;

https://technet.microsoft.com/en-us/library/5c7ffdb9-7066-4bdf-bc7d-eded8db2ce82
The symlink evaluation settings can also be controlled via Group Policy. Go to Computer Configuration > Administrative Templates > System > Filesystem and configure “Selectively allow the evaluation of a symbolic link”.
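
The screenshot that showed the command is not reproduced on this page. As an added example (not the author's original commands), this is one way to check and change the setting with fsutil, assuming the failing case is remote-to-remote (a link on one server pointing to a share on another) and that fsutil prints English output; O:\Archive is the path from the post and Get-SymlinkEvaluation is a helper name made up here.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the workstation. Assumes English fsutil output.

function Get-SymlinkEvaluation {
    # fsutil prints one line per link class, for example:
    #   "Remote to remote symbolic links are disabled."
    $state = [ordered]@{}
    foreach ($line in (fsutil behavior query SymlinkEvaluation)) {
        if ($line -match '(Local|Remote) to (local|remote) symbolic links are (enabled|disabled)') {
            $key = '{0}2{1}' -f $Matches[1].Substring(0, 1).ToUpper(),
                                $Matches[2].Substring(0, 1).ToUpper()
            $state[$key] = ($Matches[3] -eq 'enabled')
        }
    }
    if ($state.Count -ne 4) { throw 'Unrecognised fsutil output; check the state by hand.' }
    $state
}

$state = Get-SymlinkEvaluation
$state.GetEnumerator() | ForEach-Object { '{0} enabled: {1}' -f $_.Key, $_.Value }

# Enable only the class this setup needs. R2R covers a link that lives on
# one server and points to a share on another server.
if (-not $state['R2R']) {
    fsutil behavior set SymlinkEvaluation R2R:1
    if ($LASTEXITCODE -ne 0) { throw 'fsutil failed; is the prompt elevated?' }
}

# R2L (a link on a server pointing at the workstation's own disk) is not
# needed here, so only report it if someone has switched it on.
if ($state['R2L']) { Write-Warning 'R2L evaluation is enabled on this machine.' }

# Confirm the link can now be followed from the mapped drive.
$link = 'O:\Archive'
try {
    Get-ChildItem -LiteralPath $link -ErrorAction Stop | Select-Object -First 3 -Property Name
} catch {
    Write-Warning "Still cannot follow ${link}: $($_.Exception.Message)"
}
```

With R2R enabled, any file server the workstation browses can redirect it to a share on another server, so the Group Policy setting is the better place to scope this to the machines that need it.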

 

 

FREE – Mobile Device Management (MDM)

MDM or Mobile Device Management has become increasingly popular over the last few years. I was surprised to find that, when we implemented it in the company I work for, there actually were a few users without a PIN or password on their mobile device (to be expected out of a few thousand users I guess, but still – NO PIN on your phone, REALLY!!!)!?

Anyhow, there are several reasons to dive into this area – AND the good news is that (depending on the size of your setup) you can actually do much for ZERO $ (Free).

Create Policies;

  • Require that users (or family) have a PIN
  • Deploy APPS to phones or tablets
  • Keep track of installed APPS
  • Create geo-fencing – be warned if the device leaves a defined area (sadly this does not work well in Denmark as the matching of IP’s to addresses is very limited due to privacy legislation)

You can even choose to implement it in your household to keep track of what apps etc are installed by the kids etc.

So are there great skills required? No, not really, perhaps a little in setting it up initially – and there are some minor challenges, especially with the certificate part (which needs to be maintained/updated yearly), but in general – if you have experience with IT operations it’s more or less a breeze.

To get started here are a few links.

Several free or cheap services exist, to name a few;

The first one “Meraki” I actually tried and am still using (free for up to 100 devices as I recall)
https://account.meraki.com/login/new_account
You can even get a free cloud managed WiFi Access Point if you attend one of their online seminars.
Additionally you can install Windows Clients on Windows PC’s and thus now also have free inventory of your Windows PC’s.
You can see a demo of a related Meraki mobile management pack, it’s not quite the same as the free MDM solution – but it can give you some idea of what is possible.
https://youtu.be/fa95GJZQ0fQ

Another one is Spiceworks, I have not tried their MDM solution – but the “Spiceworks framework” (free IT operations software) in general is quite good and capable.
https://www.spiceworks.com/free-mobile-device-management-mdm-software/

 

Bitlocker – free diskspace

We recently enabled Bitlocker in the install process of all laptops in the company I work for, and everything seems to work fine.

However one of our local IT supporters had a problem preparing a new PC. The thing is that Bitlocker encrypts in the background, so the installation continues even while Bitlocker is encrypting – and here the problem arose. See, Bitlocker is clever – it knows that it is a waste to encrypt empty space, so what it does is start by reserving all but 6 GB of disk space (as seen below). Bitlocker now encrypts the USED part of the disk and then proceeds to write garbage on the reserved portion of the disk (the “free” part) – once done it frees the reserved part again and the entire free disk space is available to the user again.

[Screenshot: the drive with all but 6 GB of disk space reserved]

Well it so happens that our IT Supporters sometimes need to install additional software after the initial installation of Windows, and then the only 6 GB of free space may become a problem.

What to do, well it is actually quite easy you just pause the encryption process which will free up the reserved part, and once done preparing the pc you restart the encryption process.

To pause the Bitlocker encryption you go to an elevated command prompt and type;

manage-bde -pause driveletter:

once done with whatever you needed done you restart the process with this command;

manage-bde -resume driveletter:

https://technet.microsoft.com/de-de/library/ee449438(v=ws.10).aspx#BKMK_FreeSpace

 

KMS – increase count manually

So you have installed a Microsoft KMS server, but it tells you that it can't serve your clients as the count is too low!?

See, the thing is that Microsoft has decided that, in order to make a KMS server only work for corporations, a KMS server needs to receive a certain number of activation requests before starting to issue licenses.  The idea is (from my understanding) that if some home user got his/her hands on a KMS server key he/she could not make the KMS server work as he/she did not have 25 machines (25 being the number of Windows 7 requests needed to jumpstart the KMS server for Windows 7), and hence a KMS server would only work for companies.

Well, in a perfect world (like the one Microsoft dreams up) you would just wait, and eventually the count on your KMS servers would go up and the KMS would start activating clients – however if you, like us, have 2 KMS servers and want to be sure both are working, well, the wait approach was not my first choice as I would then need to revisit the process later to check up on it.

So what to do, well I googled it and found;
http://blog.thinkdigitalsolutions.com/manually-increase-kms-count/

They have a neat tool that seems to take care of this problem.
http://thinkdigitalsolutions.com/blog/files/IncreaseCount.zip
http://www.readmydamnblog.com/downloads/IncreaseCount.zip (Mirrored file)

The tool will actually submit enough key-activation requests to your server that it will start the activation process.

Now a cautious person may think uhhh do I want to run some third party tool on my KMS server, hmm I would not – so I of course ran the tool on a non-admin workstation after checking on VirusTotal.com (it had a few hits on VirusTotal but I would expect this from a tool like this and no direct links to any known malware were found, so my stomach said ok as long as it was run on a test machine as a non-admin).
https://www.virustotal.com/en/file/3b3eea879b5a35ac78afebb70406b6a95c42256d237ca49c5f7892ec73ecbd60/analysis/1430123999/

Worked like a charm, I could test both our KMS servers instead of having to wait.

Furthermore, check this site for some valuable debugging tips;

https://technet.microsoft.com/en-us/library/ee939272.aspx

Alternate solution (Script);

I afterwards found a different approach, a script that does more or less the same – quite clever if it works (I did not test this), but I don't see why it should not.

http://woshub.com/how-to-increase-kms-server-current-count/

Script below;

In the place where you run the script place two empty files;

7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

 

— <SCRIPT – You need to modify it so it reflects your KMS server and the directory run in> —

@echo off
rem KMS host that will receive the activation requests
set skms=kmssrv1.woshub.com
rem One call to :Act per dot in the list
for %%i in (. . . . . . . . . . . . . . . . . . . . . . . . . .) do call :Act %skms%
slmgr /ato
sc stop sppsvc
goto :end
:Act
rem Stop the licensing service and copy the two empty files into system32
sc stop sppsvc
xcopy "7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0" "%systemroot%\system32\*" /H /R /K /Y
xcopy "7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0" "%systemroot%\system32\*" /H /R /K /Y
sc start sppsvc
rem Point the client at the KMS host (%1), install the key and request activation
cscript.exe "%systemroot%\system32\slmgr.vbs" /skms %1
cscript.exe "%systemroot%\system32\slmgr.vbs" /ipk FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
cscript.exe "%systemroot%\system32\slmgr.vbs" /ato
sc stop sppsvc
:end

Lync 2013 to become Skype for Business this month.

The Windows client for Lync will presumably be updated this month to Skype for Business as part of the regular Office 2013 updates.  The update will add new functionality to Lync (Skype for Business) but will more importantly come with a slightly updated (and more Skype-like) interface, according to this blogpost.  You may want to consider whether you wish to control the deployment of this new client/layout so as not to totally confuse your users in a corporate environment.

You should also be able to force a “Lync 2013” look-a-like look for Skype for Business, read more here;
https://technet.microsoft.com/library/dn954919.aspx
You can basically create a new “GroupPolicy Preference” that blocks the SkypeUI, and this sounds like the right approach as this would work from first launch, whereas the server patch will “only” display a user dialog offering users to switch back to the LyncUI.

Blogposting;
http://blogs.office.com/2015/04/01/whats-new-in-skype-for-business-and-how-you-can-take-control-of-updates/

USB Tree View

If you ever need to debug some USB driver or device, then this utility seems like a nice one to have in your backpack.

It is not so much better than the Device Manager but still it seems a bit more accessible.

Download it here;

http://www.uwe-sieber.de/usbtreeview_e.html

Direct link;
http://www.uwe-sieber.de/files/UsbTreeView.zip

SCCM 2007 clients PXE problems

So we had some problems at work with PC’s not wanting to PXE boot, they just stopped right before the pxe boot..

The problem was discovered to be with the DHCP settings: we had added “Option 43” so our HP wireless access points could find the management server, but somehow this confused some client PCs…  We tried adding options 66+67 to resolve it, but this was not enough – option 43 had to go before client PCs could PXE boot again.  We have an idea, though, that not all models have this problem, seeing that we had a number of sites that had no problem with option 43.

Stop Being Admin – the easy way :-D

Just a quick heads up on a cool new utility (free even) …

Working as an IT specialist within a large international corporate entity, we had the challenge regarding “Administrative/Non administrative” user rights on our corporate Windows machines.  We likely have all faced this question/challenge, we WANT to tighten the machines down to gain the added security and subsequently lower the support need, however the hurdle of preparing for this (as well as maintenance) puts great demand on the planning and deployment of corporate machines/software – especially if you like us have many people in the field.

See, if we removed all administrative rights from users, then they would have to call the ServiceDesk whenever they needed administrative rights – this could be to install a printer, software, drivers etc. Now for some very “static” machines this would not be a real big problem, but for a large segment of our users, this would be very annoying and troublesome – especially for users in the field where the ServiceDesk may have problems connecting.

On the other hand, having users not be local administrators is a huge gain when it comes to protection against malware and exploits, according to a podcast “Security Now” on the twit network you can minimize the risk/impact of IE exploits by up to 99+% by being a non-administrative user. In other words, there is a heavy tradeoff here.

Then again, perhaps not anymore – there now seems to be a way to both “have your cake and eat it” at the same time.

One of the very talented external consultants we use on a regular basis “Thomas Marcussen”, recently told me about a FREE cool utility they developed called “Access director for Windows”.  What this “Access Director” does is actually simple yet still quite clever, after you install the utility users will have the opportunity to grant themselves temporary administrative rights whenever needed. Therefore, the user account will normally have no administrative rights, however by right clicking the utility icon in your status bar, users can grant themselves a limited period (eg. 2 min) where their user rights are elevated to local admin. Now they will be able to install that printer/driver etc. that they may need to work, and after this period then the local admin rights are automatically revoked and the machine is again secured against malware and exploits.

The optimal implementation of a utility like this would probably be to have a group of “trusted machines” (eg. traveling sales persons, management etc.) where this utility is installed, on these machines users can elevate themselves as needed. Then have another base of “regular” machines (eg. production/office pc’s) where the administrative rights are removed, and the users will still need to contact the ServiceDesk in case administrative rights are required.

Oh yeah, did I remember to mention it is a free utility 😀

 

I talked to Thomas about corporate use of this utility, and he assured me that several corporate initiatives were on the way like; Ability to customize settings via registry settings, Ability to control who can elevate (via groups) plus a manual.  He said that the reason for the lacking documentation was that the release was slightly rushed due to TechEd.  There is a little info on some registry settings here; http://sl.klogmand.dk/RZdo7J

Anyway, enough talk – take a look at the YouTube video and it will all be clear 🙂

Download site is (look for “Download Access Director”);
http://sl.klogmand.dk/1oj6KVi

YouTube Video here;
http://sl.klogmand.dk/1qXwECv

Thanks to Thomas Marcussen for this nice utility.

Check if a specific KB update is installed in Windows

With Windows XP/2003 and earlier you could often just look in C:\windows for installed patches, there would be a KBxxxxxxx folder; however, life moved on.

Today I had the need to see if a patch was installed and I found this quite useful;
http://serverfault.com/questions/263847/how-can-i-query-my-system-via-command-line-to-see-if-a-kb-patch-is-installed

I ended up using the command;

wmic qfe | find "KB2744129"

You of course exchange the KB number with the one you are looking for.

This worked like a charm for me 🙂  tnx Jscott.
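
The same check for several KB numbers at once, as an added example that is not part of the original post: it uses PowerShell's Get-HotFix, which reads the same QFE data as wmic qfe, and matches the ID exactly, where find matches any line that contains the text. KB0000000 is a placeholder and Test-KbInstalled is a name made up for this example.

```powershell
# Added example, not from the original post.
function Test-KbInstalled {
    param(
        [Parameter(Mandatory)][string[]]$KbId,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Query the QFE list once, then do exact lookups by HotFixID.
    $installed = @{}
    foreach ($fix in (Get-HotFix -ComputerName $ComputerName)) {
        if ($fix.HotFixID) { $installed[$fix.HotFixID.ToUpper()] = $fix }
    }
    foreach ($id in $KbId) {
        $key = $id.Trim().ToUpper()
        if ($key -notmatch '^KB\d+$') { $key = "KB$key" }   # accept "2744129" too
        $fix = $installed[$key]
        [pscustomobject]@{
            Computer    = $ComputerName
            KB          = $key
            Installed   = [bool]$fix
            InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
        }
    }
}

# KB2744129 is the number from the post; KB0000000 is a placeholder.
Test-KbInstalled -KbId 'KB2744129', 'KB0000000' | Format-Table -AutoSize
```

Both wmic qfe and Get-HotFix read Win32_QuickFixEngineering, which lists only updates installed through Component Based Servicing, so an update delivered as an MSI will not show up either way.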

WSUS on a stick – Windows Update Downloaded

In the good old days you could install SUS on your “home” server and have your own Windows update repository, however after WSUS version “whatnot” the requirements for WSUS have by far outgrown what I wish to allocate on my home/test rig.  Hell, I only have 3 machines and a few servers anyhow….

Nevertheless, when installing new test VM’s etc it would be nice to avoid all the patching since SP1 :-/ well, now you can 🙂

 

Martin over at Ghacks.net has reviewed an excellent utility that will do JUST that 🙂

http://www.ghacks.net/2013/01/03/windows-offline-update-8-0-released/

http://www.ghacks.net/2011/02/25/wsus-windows-offline-update-updated/

 

A further use, as he describes, is that you can download all patches for an OS (pt. Win 7 = 1.8GB since SP1) and put them on a stick so you can patch your friends' and family’s machines with minimal Internet impact.

For now I have installed the thing and tried downloading patches for Windows 7, it seemed to work flawlessly – but I will try to do some install testing and see how this works out.  Looks solid enough though.

Project web site;

http://www.wsusoffline.net/