Recover deleted files/folders on a Workstation

So you have managed to delete some files/folders. Or perhaps even the wrong profile by scripting.

  • First rule of recovery: Don’t write to the hard drive from which you want to recover data. If possible, shut off the computer until you have a plan.
  • Second rule of recovery: Don’t forget to take backups.
  • Third rule of recovery: Backups are only as good as the last restore test.

There are a couple of ways to recover data that has been deleted but not yet overwritten, but this blog post is about one method. This method requires System Restore to be enabled. A short list of options:

  • Restore using your backup. There is no replacement for a good backup.
  • Restore using this method (Shadow Copy).
  • Restore using data recovery software.
  • Restore using a data recovery company, for example IBAS.

So how do we restore deleted files on a workstation using the Windows Shadow Copy Service? [Read more…]

Adding features to a Specops Deploy/OS Reference image

So as usual when it concerns Specops Deploy/OS, it was a request from a customer that got me started. The customer wanted .NET 3 installed in their reference image. But that feature is no longer copied to the winsxs folder; it only lives on the DVD or on Windows Update. So how do we do this, DISM my world? MDT has a pretty way of doing this; we just needed to make sure we could use it in Deploy / OS. [Read more…]

The msi peeping tom tool ORCA

So I guess that most people working with any kind of deployment have needed to look into an msi file at some time. Microsoft has released a really basic and wonderful tool called ORCA. It will allow you to look into and edit msi files at a really low level. So how do you download it? Well, Microsoft has made it available in the Windows Software Development Kit (SDK) for Windows 8. [Read more…]

USB booting Specops Deploy / OS (x86)

This is a basic x86 boot stick that should be able to boot both UEFI and BIOS computers. I also have a version of the blog post for those that really don’t like to be one version behind, USB booting Specops Deploy / OS (x64 UEFI).
[Read more…]

USB booting Specops Deploy / OS (x64 UEFI)

Since I’m moving all my systems at home away from x86, simply creating an x86 USB stick was a bit too easy. I therefore thought it would be more fun to create an x64 UEFI boot. I’m not really sure if this is required, but it will allow computers that can’t read NTFS (from UEFI boot) to still boot the installation. I have also written a simple x86 instruction.
[Read more…]

Deploying Bitlocker protected Workstation using Specops Deploy / OS

For one of my customers I was looking up the correct way of activating BitLocker while using Specops Deploy / OS. After a little searching on Google I understood that I would be in uncharted territory. Well, after looking at how my customer currently implemented BitLocker I was able to solve it. This solution is not dependent on any manual changes to the MDT, so it’s a clean Deploy / OS solution.

Changes to installation group policy

So let’s open up our installation GPO and go straight down to the Specops Deploy / OS parts. Now edit the installation policy, go to the Custom MDT Properties and add the following variables:

Variable Name              Value  Description
DoNotCreateExtraPartition  NO     Allows the installer to create the required partitions on the drive.
BdeInstallSuppress         NO     Setting this to anything but YES will start the BDE installation.

After doing that, all required changes to the installation policy are done.

Save the numerical recovery password to Active Directory

Most customers want to be able to access the drive if/when the computer or TPM chip dies, so we need to store the numerical recovery password in another location. The regular choices are:

  • Manual: risking forgetting it and getting into trouble.
  • Store on a share: better, but still more complex than required.
  • Store in AD: safe, secure and redundant.

So how do we make sure the clients store the recovery password in AD? Well, first of all, if you are running an Active Directory schema of 2008 or later you are practically done. Otherwise you could extend the schema to include the BitLocker parts, or, as I would suggest, extend the schema to Windows 2012 R2. See the link below for more information if you don’t want to extend the schema to Windows 2008 or later. Windows will store the recovery password in an object of class ms-FVE-RecoveryInformation located below the computer object. This helps with cleanup: when the computer object is deleted, so are all of its keys.

So now we have extended the schema. We still need to instruct our workstations to save the password to AD. Here I would suggest going the Group Policy route, mostly because I really like GPOs.

So let’s fire up our Group Policy Management Console (gpmc.msc).
Create a new GPO for the BitLocker settings or select an existing GPO.
Edit the selected GPO.

You are now facing two different places to edit, depending on whether you are deploying Vista or a later version.

Windows Vista

  • Location: Computer Configuration\Policies\Administrative Templates\Windows Components\Bitlocker Drive Encryption
  • Setting: Store BitLocker recovery information in Active Directory Domain Services
  • Value: Enabled

Windows 7 or later

  • Location: Computer Configuration\Policies\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives
  • Setting: Choose how BitLocker-protected operating system drives can be recovered
  • Value: Enabled

Don’t forget to check the box that says “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives”.

Start the installation

So after being bored for a while looking at a screen doing nothing, the install is complete. We log in to the client and open a cmd window as administrator so we can check the progress. And what do you know, it is encrypting the drive as I am writing this.

Command line window showing that encryption has started.
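As an added example (not from the original post), the same check done from an elevated PowerShell prompt on the freshly deployed client: confirm that the policy settings above actually applied, show the encryption progress, and make sure the numerical recovery password has been written to the computer object in AD DS. The registry value names are the ones the “operating system drives” recovery policy writes under the FVE policy key; the cmdlets are the stock BitLocker module.

```powershell
# Added example, not part of the original post.
# Run in an elevated PowerShell prompt on the deployed client.

# Registry-backed values of "Choose how BitLocker-protected operating system
# drives can be recovered" (Windows 7 and later). Both should be 1 after gpupdate.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

$backupEnabled  = ($policy.OSActiveDirectoryBackup -eq 1)         # store recovery info in AD DS
$backupRequired = ($policy.OSRequireActiveDirectoryBackup -eq 1)  # "Do not enable BitLocker until ... stored to AD DS"

if (-not $backupEnabled)  { Write-Warning 'Policy does not store OS drive recovery information in AD DS.' }
if (-not $backupRequired) { Write-Warning 'Policy allows BitLocker to be enabled before the recovery password is in AD DS.' }

# Encryption progress for the OS drive, the same information manage-bde -status shows.
$osDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive
'{0} {1}, {2}% encrypted, protection {3}' -f $osDrive.MountPoint, $osDrive.VolumeStatus,
    $osDrive.EncryptionPercentage, $osDrive.ProtectionStatus

# The numerical recovery password is the key protector of type RecoveryPassword.
$recovery = $osDrive.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning 'No recovery password protector on the OS drive; nothing can be escrowed to AD DS.'
}

# Push each recovery password to the ms-FVE-RecoveryInformation child of the
# computer object. Equivalent to: manage-bde -protectors -adbackup C: -id {GUID}
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive.MountPoint -KeyProtectorId $rp.KeyProtectorId
    'Recovery password protector {0} backed up to AD DS' -f $rp.KeyProtectorId
}
```

The backup call needs the machine to reach a writable domain controller; if the client was imaged off the network, run it once it is back on the domain, and verify on the domain side by looking for the ms-FVE-RecoveryInformation object under the computer account.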

Sources:

Backing Up BitLocker and TPM Recovery Information to AD DS


Copying command line tools between windows machines

I needed to help diagnose a client computer and I needed the dfsutil tool; this tool is only available in the RSAT package. Usually no problem, just install it. But this time I needed to run dfsutil without installing it on the client. So I copied the executable file and tried to run it. Well, this is what happened:

That doesn’t look like it should. There is something missing, and no error message either. So I checked the binary from a server with another language; they were the same. So the language is not in the file? Wait, Windows has support for multiple languages. I’m missing the language and strings part. So where to find that part? Under the %Windir%\system32 directory there is an en-us directory, and if I look in there I find a dfsutil.exe.mui file. When I copy that file to a directory named en-us at the same level as the .exe binary, it works.
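The layout the post arrives at, as an added example (not the post’s own code): a small function that copies a system32 tool together with its MUI resource file into a matching language subfolder, so the tool has its strings when run from somewhere else. The function name and parameters are my own; it reads the language folder from the current UI culture by default, since that is the folder Windows looks in first.

```powershell
# Added example, not part of the original post.
# Copies <System32>\<tool> and <System32>\<lang>\<tool>.mui into <Destination>,
# preserving the layout the resource loader expects:
#   <Destination>\dfsutil.exe
#   <Destination>\en-US\dfsutil.exe.mui
function Copy-ToolWithMui {
    param(
        [Parameter(Mandatory)] [string] $ToolName,             # e.g. dfsutil.exe
        [Parameter(Mandatory)] [string] $Destination,          # folder to copy into
        [string] $Language = (Get-UICulture).Name,             # language folder, e.g. en-US
        [string] $System32 = (Join-Path $env:windir 'System32')
    )

    $exe = Join-Path $System32 $ToolName
    $mui = Join-Path (Join-Path $System32 $Language) "$ToolName.mui"

    if (-not (Test-Path $exe)) { throw "$exe not found; is the feature that ships it installed here?" }
    if (-not (Test-Path $mui)) { throw "$mui not found; without it the tool runs but prints nothing" }

    $langDir = Join-Path $Destination $Language
    New-Item -ItemType Directory -Path $langDir -Force | Out-Null
    Copy-Item -Path $exe -Destination $Destination -Force
    Copy-Item -Path $mui -Destination $langDir -Force

    # Return what was copied so the caller can check the layout before moving it.
    Get-ChildItem -Path $Destination -Recurse -File | Select-Object -ExpandProperty FullName
}

# Usage on a machine that has RSAT installed; then copy the folder to the client.
Copy-ToolWithMui -ToolName 'dfsutil.exe' -Destination 'C:\Tools\dfsutil'
```

This only covers the resource file; a tool that also depends on DLLs that are not present on the client will fail for a different reason, and that failure does come with an error message.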

Manually remove Direct Access from a client

So why would I even want to do this, isn’t Direct Access great?

Well yes, when Direct Access is working it is great, unless you are using Citrix without a Citrix Secure Gateway. So why is it good to know how to manually remove Direct Access from a client? I ran into a problem last week: when changing the Network Location Server location some clients got stuck. The NLS server was changed, but the NRPT didn’t get the change before triggering the Direct Access connection. And to make things worse, the customer had problems that stopped the clients from connecting through Direct Access from the inside.

So there I was: when a client refreshed the Direct Access GPO it stopped working. So we disabled the GPO, which stopped new clients from getting into the dark place that is broken Direct Access. [Read more…]

Setting up alternative names for a computer

So a friend of mine had a problem: they were not able to access a Windows server using a CNAME they had created for the computer.

So what is wrong with this picture? Well, using a CNAME is as bad as using an IP: AD does not know about this name. There are several more things that you need to fix.

There are a few simple and simpler solutions.

Using netdom

Reboot the computer to make it all work.

OptionalNames for Server service [SMB]

By altering OptionalNames (you might need to create it) under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, you can make the Server service accept other names for the machine. Remember that the type of OptionalNames needs to be Multi-String Value (REG_MULTI_SZ).

SPNs (Service Principal Name)

You can also manually edit the SPNs for the server so that Kerberos works for IIS and other services when clients use the alternative name.
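The three options above (netdom, OptionalNames, SPNs) in one elevated PowerShell session on the server, as an added example that is not from the original post. The alias names are placeholders; netdom and setspn need rights to write the computer object in AD.

```powershell
# Added example, not part of the original post. Run elevated on the server.
$Alias     = 'fileserver'                   # placeholder short alias
$AliasFqdn = 'fileserver.corp.example.com'  # placeholder FQDN for the alias
$Computer  = $env:COMPUTERNAME

# 1. netdom: registers the alias as an alternate computer name on the computer
#    account (msDS-AdditionalDnsHostName and the matching HOST SPNs).
netdom computername $Computer /add:$AliasFqdn

# 2. OptionalNames (REG_MULTI_SZ) so the Server service (SMB) answers to the alias.
#    Existing entries are kept; New-ItemProperty -Force creates or overwrites the value.
$params   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$existing = (Get-ItemProperty -Path $params -Name OptionalNames -ErrorAction SilentlyContinue).OptionalNames
$names    = @(@($existing) + @($Alias, $AliasFqdn) | Where-Object { $_ } | Select-Object -Unique)
New-ItemProperty -Path $params -Name OptionalNames -PropertyType MultiString -Value $names -Force | Out-Null

# 3. SPNs so Kerberos works for IIS and other services reached through the alias.
#    setspn -S refuses to add an SPN that already exists in the forest, so it is
#    harmless if netdom already registered the HOST entries.
setspn -S "HOST/$Alias"     $Computer
setspn -S "HOST/$AliasFqdn" $Computer
setspn -S "HTTP/$AliasFqdn" $Computer   # only if IIS runs as the machine account

# Verify, then reboot as the post says.
setspn -L $Computer
(Get-ItemProperty -Path $params -Name OptionalNames).OptionalNames
```

The HTTP SPN belongs on whatever account the IIS application pool runs as: on the computer account when the pool identity is a built-in one such as Network Service, on the service account when the pool runs as a domain user. Registering it on the wrong account, or on both, is the usual reason Kerberos to a site under an alias silently falls back to NTLM or fails.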

Different ways of specifying Internet Explorer Zones

There are a few different ways of configuring IE zones. I don’t like all of them, though. I have listed the most common ones and the one I like.

[Read more…]