Tuesday, October 24, 2017

How to add a Domain Group into local administrator group in one line


Run from PowerShell:


([ADSI]"WinNT://./Administrators").PSBase.Invoke("Add",([ADSI]"WinNT://my.domain.net/adc_win_defaultadmins").PSBase.Path)


or from CMD:

PowerShell -command "& {([ADSI]'WinNT://./Administrators').PSBase.Invoke('Add',([ADSI]'WinNT://my.domain.net/adc_win_defaultadmins').PSBase.Path)}"
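The one-liner fails if the group is already a member and gives no view of who else holds local administrator rights. The following added example (not part of the original post) makes the add idempotent and prints the resulting membership for review. `my.domain.net` and `adc_win_defaultadmins` are the post's placeholder names, and `Get-LocalAdminMember` is a hypothetical helper name.

```powershell
# Added example: idempotent add plus membership listing for the local Administrators group.
# Domain and group names are the placeholders used in the post; run from an elevated prompt.
$Domain    = 'my.domain.net'
$GroupName = 'adc_win_defaultadmins'

$localAdmins = [ADSI]'WinNT://./Administrators'

function Get-LocalAdminMember {
    # Hypothetical helper: returns the ADsPath of every current member,
    # e.g. WinNT://<domain or host>/<name>, or a bare SID for orphaned entries.
    $localAdmins.PSBase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$before = @(Get-LocalAdminMember)

# The WinNT provider lists members under the NetBIOS domain name, not the DNS name,
# so match on the trailing account name only. Assumption: no local account or
# group from another domain shares that name.
$alreadyMember = $before | Where-Object { ($_ -split '/')[-1] -ieq $GroupName }

if ($alreadyMember) {
    Write-Host "Already a member: $alreadyMember"
} else {
    $target = [ADSI]"WinNT://$Domain/$GroupName"
    $localAdmins.PSBase.Invoke('Add', $target.PSBase.Path)
    Write-Host "Added $($target.PSBase.Path)"
}

# Print the final membership so unexpected entries show up in the change record.
Write-Host 'Local Administrators now contains:'
Get-LocalAdminMember | Sort-Object | ForEach-Object { Write-Host "  $_" }
```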

Monday, October 23, 2017

Cannot connect to RDP "An authentication error has occurred. The Local Security Authority cannot be contacted"

We have 3 systems in our environment hosted in the cloud, and recently we encountered this issue when connecting to these systems via RDP from within our premises.

To fix this:

Start Menu -> Computer -> right-click -> Properties -> Remote settings -> under Remote, make sure "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" is not selected. The preferred setting is "Allow connections from computers running any version of Remote Desktop".

Unable to install Updates on server, Access Denied to everything on the machine


We had this weird issue with installing an update on one of our servers. While troubleshooting, it got even messier: it turned out that the server was throwing "Access Denied" on almost everything even though I had administrator privileges. We worked with Microsoft on this case and the issue was fixed by changing the DCOM configuration.

  1. "Default Authentication Level" was set to "None" --> Changed it to "Connect"
  2. "Default Impersonation Level" was set to "Anonymous" --> Changed it to "Identify"

And this is not the first time we have had trouble caused by DCOM. It seems DCOM is one of the most important configurations of the server.

The script below helps make sure the correct DCOM configuration is in place.

 

$logfile = 'C:\Windows\Temp\DCOMenable.log'

# Check the default impersonation and authentication levels under
# HKLM:\SOFTWARE\Microsoft\Ole and correct them if needed.
function checkregistrysubkeys {

    # LegacyImpersonationLevel: 2 = Identify
    try {
        $checkImpersonationLevel = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" | Select -ExpandProperty LegacyImpersonationLevel -ErrorAction Stop

        if ($checkImpersonationLevel -eq 2) {
            write-host "Impersonation level is correct : Identify"
            writetolog "Impersonation level is correct : Identify"
        } else {
            try {
                Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" -Name LegacyImpersonationLevel -value 2 -ErrorAction Stop
                write-host "Impersonation level set to Identify"
                writetolog "Impersonation level set to Identify"
            } catch {
                write-host "ERROR: Unable to change ImpersonationLevel registry"
                writetolog "ERROR: Unable to change ImpersonationLevel registry"
                exit -1
            }
        }
    } catch {
        write-host "ERROR: Unable to check ImpersonationLevel registry"
        writetolog "ERROR: Unable to check ImpersonationLevel registry"
        exit -1
    }

    # LegacyAuthenticationLevel: 2 = Connect
    try {
        $checkAuthenticationLevel = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" | Select -ExpandProperty LegacyAuthenticationLevel -ErrorAction Stop

        if ($checkAuthenticationLevel -eq 2) {
            write-host "Authentication level is correct : Connect"
        } else {
            try {
                Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" -Name LegacyAuthenticationLevel -value 2 -ErrorAction Stop
                write-host "Authentication level set to Connect"
            } catch {
                write-host "ERROR: Unable to change AuthenticationLevel registry"
                exit -1
            }
        }
    } catch {
        write-host "ERROR: Unable to check AuthenticationLevel registry"
        exit -1
    }
}

# Append a timestamped line to the log file.
function writetolog([string] $txt) {
    $Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
    # Build the line as one string so it binds to -Value as a single argument.
    Add-Content $logfile -Value "${Stamp}:$txt"
}

try {
    $isEnabledDCOM = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" | Select -ExpandProperty EnableDCOM -ErrorAction Stop

    if ($isEnabledDCOM -eq 'Y') {
        write-host "DCOM already enabled"
        writetolog "DCOM already enabled"
        checkregistrysubkeys
    }

    # The original had an unconditional "exit" here, which made the
    # 'N' branch below unreachable; it has been removed.
    if ($isEnabledDCOM -eq 'N') {
        write-host "DCOM disabled"
        writetolog "DCOM disabled"
        write-host "Enabling DCOM..."
        writetolog "Enabling DCOM..."

        try {
            Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" -Name EnableDCOM -value 'Y' -ErrorAction Stop
            write-host "DCOM enabled"
            writetolog "DCOM enabled"

            checkregistrysubkeys
        } catch {
            write-host "ERROR: Unable to change registry"
            writetolog "ERROR: Unable to change registry"
            exit -1
        }
    }

    write-host "Task completed successfully"
    writetolog "Task completed successfully"
    exit 0

} catch {
    write-host "ERROR: Unable to check EnableDCOM registry"
    writetolog "ERROR: Unable to check EnableDCOM registry"
    exit -1
}

 



503 error after patching windows web servers






In some cases, a web application will throw the 503 error above. We have seen this a couple of times after monthly patching activities.

This is how to fix it:


1. Open Application Pools -> <application name> -> right-click -> Advanced Settings
2. Scroll down to Process Model -> Identity -> click on the to change the value
3. In the Application Pool Identity window, select Built-in account and select ApplicationPoolIdentity
   (the previous setting could have been Custom account --> appadmin)

SCCM 2007: Group policy settings were overwritten by a higher authority (Domain Controller) to: Server and Policy NOT CONFIGURED

If you ever come across an issue with installing software updates from SCCM, and WUAHandler.log shows an error similar to the following:

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://SCCMMP.example.com:8899  and Policy ENABLED    WUAHandler     5/20/2017 7:34:04 PM    4592 (0x11F0)
Failed to Add Update Source for WUAgent of type (2) and id ({7E86093A-A9D4-4D0F-8B95-DD18478F0FEE}). Error = 0x80040692.       WUAHandler     5/22/2017 2:40:31 PM    1536 (0x0600)


Try this out:




  1. Rename the following file: c:\windows\system32\GroupPolicy\Machine\Registry.pol
  2. Stop and start the WU service
  3. Run gpupdate /force
  4. Check that the WSUS local policy 'Specify intranet Microsoft Update service location' is enabled and points to the correct MP; if the issue is still not fixed, disable it and enable it again
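The four steps above as a script, added here as an example and not part of the original post. It renames the policy file to a timestamped backup so it can be restored, then reports the Windows Update server values the agent will read. `$expected` is a placeholder for your management point URL, and the backup naming is an assumption.

```powershell
# Added example: steps 1-4 scripted. Run from an elevated prompt.
$pol   = 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Placeholder: replace with the management point URL that is correct for your site.
$expected = 'http://<management-point>:<port>'

# 1. Rename (do not delete) the local machine policy file so it can be restored.
if (Test-Path $pol) {
    $backup = 'Registry.pol.{0}.bak' -f (Get-Date -Format 'yyyyMMddHHmmss')
    Rename-Item -Path $pol -NewName $backup -ErrorAction Stop
    Write-Host "Renamed Registry.pol to $backup"
} else {
    Write-Host 'Registry.pol not present, nothing to rename'
}

# 2. Stop and start the Windows Update service.
Restart-Service -Name wuauserv -Force -ErrorAction Stop

# 3. Re-apply group policy.
gpupdate /force | Out-Null

# 4. Report the update source now configured by policy.
#    WUServer / WUStatusServer hold the intranet update service location;
#    AU\UseWUServer = 1 means the agent is told to use it.
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

New-Object PSObject -Property @{
    WUServer        = $wu.WUServer
    WUStatusServer  = $wu.WUStatusServer
    UseWUServer     = $au.UseWUServer
    MatchesExpected = ($wu.WUServer -eq $expected)
} | Format-List
```

If `MatchesExpected` is False after the refresh, continue with the disable and re-enable in step 4.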

How to perform a complete removal of SCCM 2007 client from a system

  • Uninstall SCCM
    • C:\Windows\ccmsetup\ccmsetup.exe /uninstall
    • Monitor the log and wait for completion: C:\Windows\ccmsetup\logs\ccmsetup.log
  • Delete if they exist
    • Folder C:\Windows\ccm
    • File C:\Windows\SMSCFG.INI
    • Reg Keys:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS