Archives for 2013

Incorrectly ordered NTFS ACEs?

I got a question today about a strange permissions problem one of their users was having. Even more strange when the checked the permissions on the folder they got the following:

The permissions on Sub_Directory are incorrectly ordered, which may cause some entries to be ineffective.

Well what is this? Microsoft has a few articles about things like this.

But since this was a users homedirectory we decided just to reset all the permissions on the users folder. [Read more…]

Remove Linkedin post using Iphone

I needed to remove a status update on LinkedIn. Well since I have the LinkedIn app I thought that would be easy. Boy was I wrong. I might be missing something here, but this is the way I found works.

So lets start by opening the post and see what we can do.

IMG_1238

So I see 3 possibilities:

  • Green – If I click there I get my profile
  • Red – Nothing happens, unless the post is a link and then you are off.
  • Blue –  Allows me share but not delete it.

So lets surf into www.linkedin.com and be done:

IMG_1243

But wait, I asked for www.linkedin.com and but got the touch site.

I couldn’t find a way to delete the post there either.

Getting the real website

IMG_1244

Click on the LinkedIn logo in the top left corner.

Pull the list down and select Full site

Now just delete it…. [Read more…]

Setting up alternative names for a computer

So a friend of mine had a problem with them not being able to access a windows server using a CName they had created for the computer.

So what is wrong with this picture. Well using a Cname is as bad as using an IP, the AD does not know about this name. There are so many more things that you need to fix.

There are a few simple and simpler solutions.

Using netdom

Reboot the computer to make it all work.

OptionalNames for Server service [SMB]

By altering OptionalNames (You might need to create it) under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, you can make the Server service allow other names for the machine. Remember that type of OptionalNames needs to be Multi-String Value.

SPNs (Service Principal Name)

You can also manually edit the SPNs for a server to allow Kerberos to IIS and other services.

Keys for Windows and Office

I was trying to find the Office 2013 Keys and all I found was the Windows ones. So here are the links to the key pages at Microsoft.

The keys I use the most at the moment

Software  KMS Client Setup Key
2012 R2 Datacenter W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9
2012 R2 Standard  D2N9P-3P6X9-2R39C-7RTCD-MDVJX
2012 R2 Standard AVMA DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
Windows 10 Professional W269N-WFGWX-YVC9B-4J6C9-T83GX
Windows 10 Enterprise NPPR9-FWDCX-D2C8J-H872K-2YT43
Windows 10 Enterprise 2015 LTSB WNMTR-4C88C-JK8YV-HQ7T2-76DF9
Windows 8.1 Enterprise MHF9N-XY6XB-WVXMC-BTDCT-MKKG7

Links

 

Acronyms

Acronym Full name
AVMA Automatic Virtual Machine Activation
VLK Volume License Key
GVLK Generic Volume License Key
MAK Multiple Activation Key
KMS Key Management Services

Remote Desktop IP Virtualization networking adapter

So I was setting up Remote Desktop IP Virtualization for a customer. Since Microsoft removed the TS configuration console (TSConfig.msc) with Windows 2012. How do I do the configuration now. Well one way that you could have used before to is a GPO, this also gives the benefit of that all servers will be configured the same.

So when I was configuring the GPO setting I noticed this small gotcha:

This policy setting specifies the IP address and network mask that corresponds to the network adapter used for virtual IP addresses. The IP address and network mask should be entered in Classless Inter-Domain Routing notation; for example, 192.0.2.96/24.

So what is strange with this. Well not really strange, but could I really be forced to enter the IP of the server? No, as long as the network ID / subnet match it will work. So for the example that Microsoft provided I would have used 192.0.2.0/24 instead.

Select the network adapter to be used for Remote Desktop IP Virtualization

The insensitive hash table

So we needed analyze a case-sensitive text. We decided to store hold each word in a hashtable. That is simple enough.

Name Value
The 2
ice 1
over 1
flew 1
little 1
fox 1

But what the.. We needed it case-sensitive but the hashtable thought The and the was the same.. So what now. By using changing @{} to the full form New-Object System.Collections.Hashtable we switch it to the case-sensitive form. Lets try again.

Name Value
the 1
fox 1
ice 1
The 1
flew 1
little 1
over 1

How to demote a Domain Controller

So you might have a system hardcoded to talk with that domain controller. Now you need to find which servers are talking to the domain controller.

  1. Disable dynamic DNS
  2. So now clean up the DNS of that domain controller so no more clients will talk to the server by DNS queries.
  3. Wait a couple of days.
  4. Then use Network monitor to check if any and which clients are still talking to the server.
  5. For DNS you can use my script from the blog post about DNS logging.
  6. Continue to remove systems that are still using the Domain Controller.
  7. When you give up or is done. You can now remove the domain controller.
  8. Depending on which Windows version you have you have the option of dcpromo or the Server Manager.

How to Prevent Domain Controllers from Dynamically Registering DNS Names

Update: Since I wrote this Pierre Audonnet has written about this too given the following suggestions.

Playing with NTFS permissions

So if you need to see what the different parts mean look at my earlier post about icacls rights.

What is needed for

Allow users to create folders but not see all if Access Based Enumeration is enabled. Good for home folders.

Remove all rights for the SID for Authenticated users below and on all files / Folders below.

Grant the Creator fullcontrol of new folders

Icacls rights

These are the simple rights

Short form Long Name Explorer Checkboxes
Short form Long Name Explorer Checkboxes
N No Access None
F Full access Full Control
M Modify access Modify/ Read & Execute/ List folder contents/ Read
RX Read and execute access Read & Execute/ List folder contents/ Read
R Read-only access Read
W Write-only access Write
D Delete access Hidden under Special permissions

These are the specific rights

Short form Long Name Explorer Checkboxes
Short form Long Name Explorer Checkboxes
DE Delete Delete
RC Read control Read permissions
WDAC Write DAC Change permissions
WO Write owner Take ownership
S Synchronize ?
AS Access system security ?
MA Maximum allowed ?
GR Generic read List folder / Read data / List folder / Read data / Read extended attributs / Read permissions
GW Generic write Create files / Write data / Create folders / Append data / Write Attributes / Write extended attributes / Read Permissions
GE Generic execute Traverse folder / Execute file / Read Permissions
GA Generic all All Checked (Full control)
RD Read data/ List directory List Folder / Read data
WD Write data / Add file Create files / Write data
AD Append data / Add subdirectory Create folders / Append data
REA Read extended attributes Read extended attributes
WEA Write extended attributes Write extended attributes
X Execute / Traverse Traverse folder / Execute file
DC Delete child Delete subfolders and files
RA Read attributes Read attributes
WA Write attributes Write attributes

Inheritance

Short form Long Name
Short form Long Name
OI Object inherit
CI Container inherit
IO Inherit only
NP Dont propagate inherit
I permission inherited from parent container

So when you do simple rights in explorer it will select both OI and CI. Which means all files and folders and the current folder.

 

Remove unwilling B2D device in Backup Exec

So you are using Backup Exec 2012 and are having problems with a ghost B2D folder.. You can’t seem to be able to remove it. You get an error like:

Remove-BEDiskStorageDevice : Unable to delete the disk storage. The device (or Backup Exec server) cannot be deleted because existing jobs or selection lists remain.  You must select another target for these jobs or selection lists before you can delete the device or Backup Exec server.

[Read more…]