windows
ADM to set Google as default search provider for IE7
Feb 21st
Copy this to a text file and change the extension to .adm, then add it into your group policy in the relevant place.
CLASS USER
CATEGORY !!WindowsComponents
  CATEGORY !!InternetExplorer
    POLICY !!PopulateSearchProviderList
      #if version >= 4
        SUPPORTED !!SUPPORTED_IE7
      #endif
      EXPLAIN !!IE_Explain_PopulateSearchProviderList
      KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes"
      VALUENAME Version
      VALUEON NUMERIC 1
      ACTIONLISTON
        KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes"
        VALUENAME DefaultScope VALUE "{2BC28A1E-D072-420F-9746-3CE8DC279237}"
        KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes\{2BC28A1E-D072-420F-9746-3CE8DC279237}"
        VALUENAME DisplayName VALUE "Google"
        VALUENAME URL VALUE "http://www.google.co.uk/search?hl=en&q={searchTerms}&meta="
      END ACTIONLISTON
    END POLICY
  END CATEGORY
END CATEGORY

CLASS MACHINE
CATEGORY !!WindowsComponents
  CATEGORY !!InternetExplorer
    POLICY !!PopulateSearchProviderList
      #if version >= 4
        SUPPORTED !!SUPPORTED_IE7
      #endif
      EXPLAIN !!IE_Explain_PopulateSearchProviderList
      KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes"
      VALUENAME Version
      VALUEON NUMERIC 1
      ACTIONLISTON
        KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes"
        VALUENAME DefaultScope VALUE "{2BC28A1E-D072-420F-9746-3CE8DC279237}"
        KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes\{2BC28A1E-D072-420F-9746-3CE8DC279237}"
        VALUENAME DisplayName VALUE "Google"
        VALUENAME URL VALUE "http://www.google.co.uk/search?hl=en&q={searchTerms}&meta="
      END ACTIONLISTON
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
SUPPORTED_IE7="At least Internet Explorer 7.0"
WindowsComponents="Windows Components"
InternetExplorer="Internet Explorer"
PopulateSearchProviderList="Populate List of search providers"
IE_Explain_PopulateSearchProviderList="This policy setting will allow you to populate a list of search providers that will be displayed in the Internet Explorer search box.\n\n If you enable this policy setting and if the "Restrict search providers to a specific list of search providers" Group Policy setting is enabled, this list will be the only list that appears in the Internet Explorer drop-down list. If the "Add a specific list of search providers to the user's search provider list" Group Policy setting is enabled, this list will be added to the user's list of search providers.\n\n If you disable this policy setting or do not configure it, users will have complete freedom to create their own search provider list."
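Before importing a template like this it is worth knowing exactly which registry values it will write, since anything under Software\Policies\Microsoft\Internet Explorer\SearchScopes overrides what the user chose. The script below is an added example, not part of the original post or of Microsoft's inetres.adm: it parses the CLASS USER half of the template above (embedded as a constructed string; the MACHINE half is identical apart from the hive) and lists the registry writes the policy makes when enabled, then resolves DefaultScope to the provider it points at. The function names and the HKCU/HKLM labels are this example's own choices.

```python
import re

# Constructed copy of the CLASS USER half of the template above, so the example runs offline.
ADM_TEMPLATE = r'''
CLASS USER
CATEGORY !!WindowsComponents
  CATEGORY !!InternetExplorer
    POLICY !!PopulateSearchProviderList
      #if version >= 4
        SUPPORTED !!SUPPORTED_IE7
      #endif
      EXPLAIN !!IE_Explain_PopulateSearchProviderList
      KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes"
      VALUENAME Version
      VALUEON NUMERIC 1
      ACTIONLISTON
        KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes"
        VALUENAME DefaultScope VALUE "{2BC28A1E-D072-420F-9746-3CE8DC279237}"
        KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes\{2BC28A1E-D072-420F-9746-3CE8DC279237}"
        VALUENAME DisplayName VALUE "Google"
        VALUENAME URL VALUE "http://www.google.co.uk/search?hl=en&q={searchTerms}&meta="
      END ACTIONLISTON
    END POLICY
  END CATEGORY
END CATEGORY
'''

SCOPES_KEY = r"Software\Policies\Microsoft\Internet Explorer\SearchScopes"
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # quoted string or bare word


def registry_writes(adm_text):
    """Return the registry values written when the policy is enabled, as
    (hive, key, value_name, data) tuples. Handles the ADM keywords this
    template uses: CLASS, KEYNAME, VALUENAME/VALUEON and ACTIONLISTON blocks."""
    writes = []
    hive = key = pending_name = None
    in_actionlist = False
    for raw in adm_text.splitlines():
        tokens = [t.strip('"') for t in TOKEN_RE.findall(raw.strip())]
        if not tokens:
            continue
        kw = tokens[0].upper()
        if kw == "CLASS":
            hive = {"USER": "HKCU", "MACHINE": "HKLM"}[tokens[1].upper()]
        elif kw == "KEYNAME":
            key = tokens[1]                      # applies until the next KEYNAME
        elif kw == "ACTIONLISTON":
            in_actionlist = True
        elif kw == "END" and tokens[1].upper() == "ACTIONLISTON":
            in_actionlist = False
        elif kw == "VALUENAME":
            if in_actionlist:                    # VALUENAME <name> VALUE <data>
                writes.append((hive, key, tokens[1], tokens[3]))
            else:                                # policy's own value; data comes from VALUEON
                pending_name = tokens[1]
        elif kw == "VALUEON":
            data = int(tokens[2]) if tokens[1].upper() == "NUMERIC" else tokens[1]
            writes.append((hive, key, pending_name, data))
    return writes


def default_provider(writes):
    """Follow DefaultScope to the provider subkey and return (DisplayName, URL)."""
    by_key = {}
    for _hive, key, name, data in writes:
        by_key.setdefault(key, {})[name] = data
    guid = by_key[SCOPES_KEY]["DefaultScope"]
    entry = by_key[SCOPES_KEY + "\\" + guid]
    return entry["DisplayName"], entry["URL"]


if __name__ == "__main__":
    for w in registry_writes(ADM_TEMPLATE):
        print(w)
    print(default_provider(registry_writes(ADM_TEMPLATE)))
```

The same parser can be pointed at any ADM file that only uses these keywords; for the full ADM grammar (VALUEOFF, ACTIONLISTOFF, PART blocks) it would need extending.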
Installing Server 2008 from a USB drive
Feb 21st
I had to follow these steps to boot and install Server 2008 on my server box (which doesn't have a DVD drive). I was quite shocked to find that Server 2008 R2 no longer natively supports 32-bit processors, so this may become quite useful for those of you who aren't blessed with the wallet for a shiny 64-bit server for your home.
Open command prompt and use the following commands:
- Type: diskpart
- list disk
- select disk 1 (assuming disk 1 was your thumb drive in the above list disk command)
- clean
- create partition primary
- select partition 1
- active
- format fs=fat32
- assign
- exit
Finally you will need to copy over the Server 2008 files from the DVD or from the place where you extracted your ISO.
- xcopy d:\*.* /s/e/f e:\ (d:\ should be replaced by your CD/DVD drive letter and e:\ by the drive letter of your USB drive)
Considerations
If you have a U3 drive you may want to remove the U3 partition before you begin.
SSH Tunneling And File Sharing
Feb 17th
SSH Tunnelling
http://slashstar.com/blogs/dave/archive/2006/11/27/SSH-Tunneling-_2800_on-Windows_2900_-with-OpenSSH-and-Putty-through-an-HTTP-proxy-.aspx
Downloads
- Putty
- OpenSSH
- VNC
Home Machine
Step 1
Install OpenSSH on your home machine. Once installed go to the OpenSSH directory (C:\Program Files\OpenSSH) and follow the quick start guide in the Docs folder.
Step 2
Once you have created your group and password file go to the Bin directory and open SSHD_CONFIG (not ssh_config) in WordPad.
Uncomment the line # Port 22 and change the port number to 443 (this disguises the traffic as normal HTTPS traffic).
Also uncomment # AllowPortForwarding Yes (make sure it is set to YES).
Save and close.
Now configure your router to allow port forwarding. Go to the port forwarding section of your router's config and set it to forward all TCP 443 traffic to the NAT'd IP of your home PC, e.g. 192.168.0.4.
Work PC
Step 1
Download and configure Putty
1. Under the Session tab enter the external IP of your home PC. This will be the router's public IP, which you can get from the status page (or similar) on your router; it should not be a 192.168 address. Enter the port as 443 (this is what gets past the proxy). Next set the protocol to SSH.
2. Now go down under Connection to the Proxy page and pick your proxy type (I used HTTP, but you may want to pick something else if you are behind a SOCKS proxy). Enter its hostname and port. If you don't know what these are, check the proxy settings in your web browser, which should give you all the information you need. The port will probably be 8080.
3. Under the SSH tab set the protocol to version 2 and move AES encryption to the top of the cipher list, with 3DES below it.
4. Now under the SSH tab, click on Tunnels; this part gets a bit confusing. Source port is the port on your work computer that you want to forward over the tunnel, and destination should be localhost:port. This is because when your home computer receives the forwarded packets it forwards them to localhost:port, which from its point of view is homeComp:port, exactly what we need. This is also interesting because the destination could equally be a third machine; I'll leave that one to someone else with some good ideas. When you're done, click Add and you should have something like "L5900 localhost:5900". I set up this forward so I can use VNC from workComp to connect to homeComp.
5. Remember to save your session on the main Session tab, as it is quite annoying to have to type all these settings in every time you start PuTTY.
Tunneling through your own proxy
Install a proxy on the home PC (ProxyPlus or Squid).
Add a tunnel in PuTTY:
Source port: ProxyPortNumber (e.g. 3333)
Destination: 127.0.0.1:3333
Use the same port in your proxy's config.
Point the work PC's proxy server address at 127.0.0.1:ProxyPortNumber.
Browser traffic to the proxy then goes over the tunnel made by PuTTY to the home PC on whatever port you chose.
File sharing through your SSH Tunnel
http://souptonuts.sourceforge.net/sshtips.htm
Step 1 – Create a loopback network adapter
Control panel > Add Remove Hardware
1. Yes, I already connected the hardware
2. Add a new hardware device (bottom of menu)
3. Install the hardware that I manually select from a list (Advanced)
4. Select Network Adapters
5. Microsoft Loopback Adapter
Step 2 – Configure the loopback adapter
– Assign the loopback adapter the IP 10.0.0.1 and the subnet 255.255.255.0
– Leave default gateway and DNS blank
– Go to Advanced
– In the IP Settings tab set the metric to 9999
– Go to the WINS tab
- Enable LMHOSTS
- Disable NetBIOS over TCP/IP
Step 3 – Configure putty
- Go to tunnels and add
- Source port: 10.0.0.1:139
- Destination: IP ADDRESS OF HOME PC (192.168.0.4)
- Click add then go to sessions and save your new settings
Step 4 – Connect
- Go to start -> Run and enter \\10.0.0.1
Step 5 – Share permissions
You may get errors on newly created shared folders. To get around this:
- Right click on the folder
- Select Properties
- Go to the security tab
- Press add
- Type Everyone, click check names and OK
- Tick Full control
- Apply and OK
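The two tunnel rules in this post, "L5900 localhost:5900" in step 4 of the PuTTY setup and "10.0.0.1:139 to the home PC" in Step 3 of the file-sharing section, are the same mechanism: a listener bound on the work PC at the source address, with every accepted connection relayed to the destination as seen from the far end of the tunnel. The script below is an added example, not part of the original post or the two linked guides. It reproduces that forwarding rule as a plain TCP relay on loopback so it runs offline; the SSH encryption that PuTTY and sshd would wrap around the relay is deliberately left out. The echo service standing in for VNC or SMB, the addresses and the function names are all this example's own assumptions.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src sends EOF, then half-close dst so
    the far side sees the EOF as well (this keeps a forwarded session tidy)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_host, listen_port, dest_host, dest_port):
    """The equivalent of a PuTTY rule 'L<listen_port> dest_host:dest_port':
    accept on listen_host:listen_port and relay each connection to the
    destination. Returns (listening socket, bound port); port 0 picks a free port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((listen_host, listen_port))
    lsock.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return                          # listener was closed
            try:
                remote = socket.create_connection((dest_host, dest_port))
            except OSError:
                client.close()                  # destination unreachable: drop the client
                continue
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock, lsock.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the service on the home machine (VNC on 5900,
    SMB on 139): it echoes whatever it receives. Returns (socket, bound port)."""
    ssock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssock.bind((host, 0))
    ssock.listen(5)

    def serve():
        while True:
            try:
                conn, _ = ssock.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ssock, ssock.getsockname()[1]


def round_trip(listen_port, payload):
    """Act as the client on the work PC: connect to the listener, send payload,
    half-close, and return everything that comes back."""
    with socket.create_connection(("127.0.0.1", listen_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    return received


def demo(payload=b"RFB 003.008\n"):
    """Wire service -> forwarder -> client on loopback and push one message through."""
    service, service_port = start_echo_server()
    listener, listen_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", service_port)
    try:
        return round_trip(listen_port, payload)
    finally:
        listener.close()
        service.close()


if __name__ == "__main__":
    print(demo())
```

Two things the code makes visible: the source side is a listener on the work PC, which is why it can be bound to 10.0.0.1:139 for SMB just as easily as to 127.0.0.1:5900, and the destination is resolved at the other end, so "localhost" there means the home PC. Binding the listener to 127.0.0.1 (or the loopback adapter's 10.0.0.1) keeps the forwarded port private to the work PC; a bind to 0.0.0.0 would let anything on the office LAN ride the tunnel, which is the same effect as ticking "Local ports accept connections from other hosts" in PuTTY.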
DSQUERY
Feb 11th
The following command will query Active Directory for computer accounts that haven't logged on in a certain amount of time.
dsquery computer -inactive 8 -limit 0
The above command looks for computer accounts that have been inactive for 8 weeks.
If the accounts are definitely not in use then the following command can be used to clear them from Active Directory.
dsquery computer -inactive 8 -limit 0 | dsrm -noprompt
Disconnected mailboxes in Exchange 2007
Feb 11th
When a user's mailbox becomes disconnected it may not show in the EMS GUI. If the mailbox is not showing you need to use the EMS (Exchange Management Shell) and enter the command Clean-MailboxDatabase <Database>, where <Database> is the name of the database where the disconnected mailbox resides. In this particular case the command I used was Clean-MailboxDatabase "Mailbox Database".
After this is run go back to the GUI and refresh and ALL missing disconnected mailboxes should appear. You can then re-connect in the usual manner.
Conficker AT Task removal script
Feb 11th
Whilst dealing with the Conficker virus I noticed that it leaves behind a number of scheduled tasks named in the following fashion: AT1**.
I wrote a small script that removes them at start-up.
TITLE CONFICKER AT TASK REMOVAL
@ECHO off
SET COUNT=1
:LOOP
ECHO Scanning for Jobs Beginning with AT%COUNT%
IF %COUNT% == 500 GOTO EOF
SCHTASKS /Delete /TN At%COUNT% /F >> \\server-name\conflog\%computername%-Conflog.txt
CLS
SET /A COUNT=COUNT+1
GOTO LOOP
:EOF
Every machine that runs the script will write to a log file on the server detailing the AT* tasks that it has found and removed.
The following link was useful: http://www.robvanderwoude.com/schtasks.php
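Since every machine appends to its own %computername%-Conflog.txt on the server, the share ends up holding a per-host record of which At* jobs existed, and that record is the quickest way to see which machines the worm had actually touched (the script deletes At1 to At499 regardless of origin, so the log is also the only record of any legitimate AT job that went with them). The script below is an added example, not part of the original post: it parses a constructed set of those log files and summarises them per host. The log line format is the SUCCESS message schtasks /Delete prints; the host names, file contents and function names are this example's own assumptions.

```python
import re

# Constructed sample of two per-host log files as the batch script would write
# them (file name is %computername%-Conflog.txt). Only SUCCESS lines matter;
# anything else, including the empty log of a clean machine, is ignored.
SAMPLE_LOGS = {
    "WS-0042-Conflog.txt": (
        'SUCCESS: The scheduled task "At1" was successfully deleted.\n'
        'SUCCESS: The scheduled task "At2" was successfully deleted.\n'
        'SUCCESS: The scheduled task "At17" was successfully deleted.\n'
        'SUCCESS: The scheduled task "At2" was successfully deleted.\n'   # second boot, logged again
    ),
    "WS-0107-Conflog.txt": "",   # nothing deleted: no At* jobs were present
}

DELETED_RE = re.compile(r'SUCCESS: The scheduled task "(At\d+)" was successfully deleted\.', re.I)
LOG_SUFFIX = "-Conflog.txt"


def host_from_filename(name):
    """Recover %computername% from the log file name."""
    return name[:-len(LOG_SUFFIX)] if name.endswith(LOG_SUFFIX) else name


def summarise(logs):
    """Map each host to the distinct At* jobs the script removed, in numeric order."""
    summary = {}
    for fname, text in logs.items():
        tasks = set(DELETED_RE.findall(text))
        summary[host_from_filename(fname)] = sorted(tasks, key=lambda t: int(t[2:]))
    return summary


def infected_hosts(summary):
    """Hosts where at least one At* job was removed, i.e. worth a closer look."""
    return sorted(host for host, tasks in summary.items() if tasks)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOGS)
    for host, tasks in s.items():
        print(f"{host}: {len(tasks)} removed {tasks}")
    print("hosts to check:", infected_hosts(s))
```

To run it against the real share, build the `logs` dictionary by reading each *-Conflog.txt in \\server-name\conflog; the rest is unchanged.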
Good SCCM pdf
Feb 11th
A PDF detailing some best practices regarding the setup of SCCM 2007.
It can be downloaded here.
Migrating FSMO Roles
Feb 11th
Needed to look at migrating FSMO roles due to a server migration. I found these links helpful:
http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm
http://support.microsoft.com/kb/324801
FSMO Best Practices: (ref: http://www.windowsnetworking.com/articles_tutorials/Managing-Active-Directory-FSMO-Roles.html)
- Rule One: In your forest root domain, keep your Schema Master and Domain Naming Master on the same domain controller to simplify administration of these roles, and make sure this domain controller contains a copy of the Global Catalog. This is not a hard-and-fast rule as you can move these roles to different domain controllers if you prefer, but there’s no real gain in doing so and it only complicates FSMO role management to do so. If for reasons of security policy however your company decides that the Schema Master role must be fully segregated from all other roles, then go ahead and move the Domain Naming Master to a different domain controller that hosts the Global Catalog. Note though that if you’ve raised your forest functional level to Windows Server 2003, your Domain Naming Master role can be on a domain controller that doesn’t have the Global Catalog, but in this case be sure at least to make sure this domain controller is a direct replication partner with the Schema Master machine.
- Rule Two: In each domain, place the PDC Emulator and RID Master roles on the same domain controller and make sure the hardware for this machine can handle the load of these roles and any other duties it has to perform. This domain controller doesn’t have to have the Global Catalog on it, and in general it’s best to move these two roles to a machine that doesn’t host the Global Catalog because this will help balance the load (the Global Catalog is usually heavily used).
- Rule Three: In each domain, make sure that the Infrastructure Master role is not held by a domain controller that also hosts the Global Catalog, but do make sure that the Infrastructure Master is a direct replication partner of a domain controller hosting the Global Catalog that resides in the same site as the Infrastructure Master. Note however that this rule does have some exceptions, namely that the Infrastructure Master role can be held by a domain controller hosting the Global Catalog in two circumstances: when there is only one domain in your forest or when every single domain controller in the domain also hosts the Global Catalog.
To summarize these three rules then and make them easy to remember:
- Forest root domain – Schema Master and Domain Naming Master on the same machine, which should also host the Global Catalog.
- Every domain – PDC Emulator and RID Master on the same machine, which should have beefy hardware to handle the load.
- Every domain – Never place the Infrastructure Master on a machine that hosts the Global Catalog, unless your forest has only one domain or unless every domain controller in your forest hosts the Global Catalog.
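The three rules above are easy to state and easy to drift away from after a migration, so a placement check is worth keeping. The script below is an added example, not part of the original post or the referenced article: it encodes the rules (including the Windows Server 2003 forest-level relaxation in rule one and the two exceptions in rule three) as a function over a description of the forest, and runs it against a constructed two-domain forest. The domain names, DC names, sites and the `DC` data structure are this example's own assumptions; on a real forest the list would be filled in from netdom query fsmo, repadmin /showrepl and the GC flag of each DC.

```python
from dataclasses import dataclass, field


@dataclass
class DC:
    """One domain controller: its domain and site, whether it hosts the Global
    Catalog, the FSMO roles it holds and its direct replication partners."""
    name: str
    domain: str
    site: str
    is_gc: bool
    roles: set = field(default_factory=set)
    partners: set = field(default_factory=set)


ROOT = "corp.example"   # constructed forest root domain
# Constructed two-domain forest used as sample input.
SAMPLE_DCS = [
    DC("DC1", ROOT, "HQ", True, {"SchemaMaster", "DomainNamingMaster"}, {"DC2", "DC3"}),
    DC("DC2", ROOT, "HQ", False, {"PDCEmulator", "RIDMaster", "InfrastructureMaster"}, {"DC1", "DC3"}),
    DC("DC3", ROOT, "HQ", True, set(), {"DC1", "DC2"}),
    DC("DC4", "sales." + ROOT, "Branch", True, {"PDCEmulator", "RIDMaster", "InfrastructureMaster"}, {"DC5"}),
    DC("DC5", "sales." + ROOT, "Branch", False, set(), {"DC4"}),
]


def holder(dcs, role, domain=None):
    """The DC holding `role` (optionally within one domain), or None."""
    for d in dcs:
        if role in d.roles and (domain is None or d.domain == domain):
            return d
    return None


def check_fsmo_placement(dcs, root_domain, forest_level_2003=True):
    """Apply the three placement rules; return findings as 'Rule N: ...' strings."""
    findings = []
    by_name = {d.name: d for d in dcs}
    domains = sorted({d.domain for d in dcs})

    # Rule one: forest root. Schema Master and Domain Naming Master together, on a GC;
    # at 2003 forest level the Naming Master may skip the GC if it replicates directly
    # with the Schema Master.
    schema = holder(dcs, "SchemaMaster", root_domain)
    naming = holder(dcs, "DomainNamingMaster", root_domain)
    if schema and naming:
        if schema.name != naming.name:
            findings.append(f"Rule 1: Schema Master ({schema.name}) and Domain Naming "
                            f"Master ({naming.name}) are on different DCs")
        if not naming.is_gc:
            if not forest_level_2003:
                findings.append(f"Rule 1: Domain Naming Master {naming.name} does not host the GC")
            elif naming.name != schema.name and schema.name not in naming.partners:
                findings.append(f"Rule 1: Domain Naming Master {naming.name} is not a direct "
                                f"replication partner of Schema Master {schema.name}")

    for domain in domains:
        in_domain = [d for d in dcs if d.domain == domain]
        # Rule two: PDC Emulator and RID Master together, preferably not on a GC.
        pdc = holder(dcs, "PDCEmulator", domain)
        rid = holder(dcs, "RIDMaster", domain)
        if pdc and rid:
            if pdc.name != rid.name:
                findings.append(f"Rule 2: {domain}: PDC Emulator ({pdc.name}) and RID Master "
                                f"({rid.name}) are on different DCs")
            elif pdc.is_gc:
                findings.append(f"Rule 2: {domain}: PDC Emulator/RID Master {pdc.name} also "
                                f"hosts the GC (advisory: move one or the other for load)")
        # Rule three: Infrastructure Master not on a GC unless the forest has one domain
        # or every DC in the domain is a GC; otherwise it needs a GC partner in its site.
        im = holder(dcs, "InfrastructureMaster", domain)
        if im:
            exempt = len(domains) == 1 or all(d.is_gc for d in in_domain)
            if im.is_gc and not exempt:
                findings.append(f"Rule 3: {domain}: Infrastructure Master {im.name} hosts the GC")
            elif not im.is_gc and not any(
                    by_name[p].is_gc and by_name[p].site == im.site
                    for p in im.partners if p in by_name):
                findings.append(f"Rule 3: {domain}: Infrastructure Master {im.name} has no "
                                f"direct replication partner hosting the GC in site {im.site}")
    return findings


def with_role_moved(dcs, role, domain, target):
    """What-if helper: copy the forest with `role` in `domain` moved to DC `target`
    (target is assumed to be a DC of that domain)."""
    moved = [DC(d.name, d.domain, d.site, d.is_gc, set(d.roles), set(d.partners)) for d in dcs]
    for d in moved:
        if d.domain == domain:
            d.roles.discard(role)
        if d.name == target:
            d.roles.add(role)
    return moved


if __name__ == "__main__":
    for line in check_fsmo_placement(SAMPLE_DCS, ROOT) or ["No findings"]:
        print(line)
```

On the sample forest the root domain passes all three rules, while the child domain gets a rule-two advisory and a rule-three finding because its Infrastructure Master sits on the only GC in the domain; `with_role_moved` lets you test the fix (moving the role to the non-GC DC5) before touching the real directory.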