How to make a Group Policy that affects only Servers using WMI query


Today I had to deploy a Group Policy to all servers only and specifically exclude workstations. I figured the best way to do it was to write a WMI query that includes only operating systems with the word “Server” in their name, since no workstation version of Windows contains the word Server. So here goes.

  1. Open Group Policy Management and browse to WMI Filters on the left.
  2. Right Click the WMI Filters folder and select New.
  3. Name: OS Name Contains Server.
  4. Click Add
  5. Namespace: root\CIMv2
  6. Query:
    select * from Win32_OperatingSystem where Name like '%server%'
  7. Click Ok and then Save to create the filter.

All I have to do now is link my new Group Policy (Default Server Policy in my case) to my domain (assuming you know how to do this) and make sure it uses the new WMI filter as well.

  1. Select the Group Policy you want to apply the filter to.
  2. Select the Scope tab.
  3. Under WMI Filtering, select OS Name Contains Server filter from the list.
  4. Select Yes.

That’s it.
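Before linking the filter it is worth running the query on one server and one workstation to confirm it matches only where intended. The following is an added example, not part of the original post; it goes slightly beyond the post by also testing a ProductType-based query, and the function name `Test-WmiFilter` and the second filter name are assumptions.

```powershell
# Added example (not from the original post): evaluate WMI filter queries locally.
# A GPO WMI filter passes when its query returns at least one instance.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    }
    catch {
        # Treat a failing query as "no match" and show why it failed.
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
}

$filters = [ordered]@{
    # Query from the post.
    'OS Name Contains Server'        = "select * from Win32_OperatingSystem where Name like '%server%'"
    # Assumption: alternative keyed on ProductType
    # (1 = workstation, 2 = domain controller, 3 = member server).
    'ProductType is not workstation' = 'select * from Win32_OperatingSystem where ProductType <> 1'
}

# Show what the local machine reports next to each filter result.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
foreach ($name in $filters.Keys) {
    [pscustomobject]@{
        Filter      = $name
        Applies     = Test-WmiFilter -Query $filters[$name]
        Caption     = $os.Caption
        ProductType = $os.ProductType
    }
}
```

On a workstation both rows should show Applies = False; on a server both should show True.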

 


How to downgrade Windows Server Datacenter to Windows Server Standard


I had a licensing issue the other day with one of our servers that had been installed with Windows Server 2012 R2 Datacenter by accident; I wanted it to run Windows Server 2012 R2 Standard in order to cut licensing costs.

Also, I really needed this server’s roles and software to remain intact, because it had been so extensively configured that it would take an enormous amount of effort to reinstall a new Standard server, so I set out to figure out how it could be done.

Microsoft, however, does not support downgrading Datacenter to Standard… officially.

I tried re-installing the server by keeping the server settings and selecting Windows Server 2012 R2 Standard, but the installer wouldn’t allow it, because you can’t downgrade a Datacenter license to Standard.

As you might know, the Datacenter license doesn’t add anything functional to the Operating System that the Standard license can’t, so there must be some sort of registry hack we can do to fool the installer into thinking it’s a Standard environment.

As it turns out, there is indeed a registry hack you can perform to fool the installer.

DISCLAIMER! All restrictions for a reinstall apply, so there are no guarantees that roles and software work after this procedure, and Microsoft does not support this form of downgrade, so don’t blame me if anything goes sideways.

In my case I opened up regedit and modified the following values in HKLM\Software\Microsoft\Windows NT\CurrentVersion.

  • EditionID from ServerDatacenter to ServerStandard.
  • ProductName from Windows Server 2012 R2 Datacenter to Windows Server 2012 R2 Standard.

One more thing I did was go with Windows Server 2016 Standard instead of the same version of 2012 R2, but I’m guessing this will work with the same OS level as well.

So I ran the installer and upgraded to Windows Server 2016 Standard, and there were no complaints from the installer. The installation took over, and about an hour later the server was ready again as a fully functional Windows Server 2016 Standard server.


Powershell PSReadLine Module


On Windows 10, the PowerShell extension PSReadLine comes with PowerShell 5 by default.

Run Get-PSReadlineKeyHandler to list the PSReadLine key bindings.

Run Get-Content on the following file to view your full command history.

C:\Users\username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

For older systems, make sure you have the latest .NET Framework and PowerShell 5 installed in order to install the PSReadLine module.

Install-Module PSReadLine

Import-Module PsReadLine
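Because ConsoleHost_history.txt keeps every typed command in plain text, it is worth checking it for passwords that were entered on the command line. The following is an added example, not part of the original post; the function name `Find-HistorySecret`, the patterns and the sample lines are assumptions constructed for illustration.

```powershell
# Added example (not from the original post): flag history lines that look like secrets.
function Find-HistorySecret {
    param([string[]]$Line)
    # Illustrative patterns (assumptions); extend them for your environment.
    $rules = [ordered]@{
        PlainTextSecureString = 'ConvertTo-SecureString\b.*-AsPlainText'
        SecretAssignment      = '\b(password|passwd|pwd|secret|token|apikey)\b\s*[=:]\s*\S+'
        CmdkeyPassword        = '\bcmdkey\b.*\s/pass:\S+'
    }
    for ($i = 0; $i -lt $Line.Count; $i++) {
        foreach ($rule in $rules.GetEnumerator()) {
            if ($Line[$i] -match $rule.Value) {
                [pscustomobject]@{ LineNumber = $i + 1; Rule = $rule.Key; Text = $Line[$i] }
                break   # one finding per line is enough
            }
        }
    }
}

# Constructed sample history (not real credentials).
$sample = @(
    'Get-Service spooler',
    '$cred = ConvertTo-SecureString "Example-Not-Real-1" -AsPlainText -Force',
    'cmdkey /add:fileserver01 /user:CONTOSO\svc /pass:Example-Not-Real-2',
    'Get-ChildItem C:\Temp'
)
Find-HistorySecret -Line $sample | Format-Table -AutoSize

# Scan the real history file of the current user, if PSReadLine is loaded.
$historyPath = (Get-PSReadLineOption).HistorySavePath
if ($historyPath -and (Test-Path $historyPath)) {
    Find-HistorySecret -Line (Get-Content $historyPath) | Format-Table -AutoSize
}
```

The constructed sample should produce findings for lines 2 and 3 only.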

 


Access a disk drive using volume ID instead of drive letter in Windows


I’ve come across this a number of times when working with volumes, drives and shadow copies: sometimes even USB drives fail to register a drive letter in Windows. This is a quick and simple command prompt command to get an overview.

Just type mountvol in the command prompt and you’ll see all the volumes on your computer.

You can cut and paste the volume ID into the Run command, Windows Explorer or just type start <volume-id> in the command prompt.

mountvol

Example command, in my case opening my C: drive using its ID.

start \\?\Volume{277709ec-0000-0000-0000-500600000000}\

The command itself is used for mounting volumes to drive letters or folders. Read the info by typing mountvol /?.

Enjoy :)


How to Configure Smart Screen Filter with Group Policy


Create a new GP and apply it to your domain or the custom OU containing your computer objects.

Go to Computer Configuration, Preferences, Windows Settings, Registry.
Create a new registry Item with the following settings.

Action: Update
Hive: HKLM
Key Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Value Name: SmartScreenEnabled
Value Type: REG_SZ
Value Data: *SettingString

*SettingString:
RequireAdmin = Get administrator approval before running an unrecognized app from the internet
Prompt = Warn before running an unrecognized app, but don’t require administrator approval
Off = Don’t do anything

Source: http://www.eightforums.com/tutorials/2631-windows-smartscreen-turn-off-windows-8-a.html


How to find Users, Contacts and Groups in Windows quickly through command prompt


This is mainly for scripting etc. but here goes. You can run the following command:

rundll32 dsquery,OpenQueryWindow

Seems a bit cryptic, but for the GUI version, the only one I’ve been able to find is clicking Network in Windows Explorer and selecting Search Active Directory from the ribbon.


Allow Administrators full access to users’ redirected folders with exclusive rights disabled


Source article linked below. I’ve modified the article here because it allowed authenticated users to create folders in other users’ folders. This modified article allows authenticated users to browse the root folder for redirected folders, but not the subfolders. This is needed in some cases where users need access to other users’ folders (they must be granted access first), so they can browse to them instead of having to save direct links to them.

To set security on the shared folders in Windows Server

  1. Log on as an administrator to the server that can host the user’s redirected folders.
  2. Locate the top-level folder that can hold the user’s redirected documents (for example, D:\Redirected, which is shared as \\Server\Redirected\) by using Windows Explorer. Right-click the folder, and then click Properties.
  3. Click the Security tab.
  4. Click Advanced.
  5. Click to clear the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here. check box.
  6. When you are prompted to copy or remove permissions, click Remove.
  7. If the Administrators group is not present, click Add, type Administrators, and then click OK.
  8. Select the Administrators group, and then click Edit.
  9. Verify that the Full Control permission is set to Allow, and then click OK.
  10. Click Add, and add System and Creator Owner to the Permissions entries.
  11. Verify that the System and Creator Owner objects have the Full Control / Allow permission.
  12. Click Add, add Authenticated Users, set Apply to to This folder only, and then set the following permissions to Allow:
      • Create Folders / Append Data
      • Read Permissions
      • Read Attributes
      • Read Extended Attributes
      • List Folder / Read Data
  13. Close all property sheets and dialog boxes.
  14. Now set up folder redirection with user exclusive rights UNCHECKED.
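The same permissions can be applied and reviewed from PowerShell, which makes the result repeatable and easy to audit. The following is an added example, not part of the source article; the helper name `New-AllowRule` is an assumption, `$Root` uses the example path from step 2, and making CREATOR OWNER inherit-only is an assumption about how that entry should apply.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example (not from the source article): apply the ACL from the steps above.
# Run elevated. $Root is the example path from step 2; change it to your share root.
$Root = 'D:\Redirected'

function New-AllowRule([string]$Sid, [FileSystemRights]$Rights,
                       [InheritanceFlags]$Inherit, [PropagationFlags]$Propagate) {
    [FileSystemAccessRule]::new([SecurityIdentifier]::new($Sid), $Rights,
                                $Inherit, $Propagate, [AccessControlType]::Allow)
}

$inheritAll = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$browseOnly = [FileSystemRights]'CreateDirectories, ReadPermissions, ReadAttributes, ReadExtendedAttributes, ListDirectory'

# Well-known SIDs are used so the script works on localized systems.
$rules = @(
    # Steps 7-11: Administrators, SYSTEM and CREATOR OWNER get Full Control.
    New-AllowRule 'S-1-5-32-544' FullControl $inheritAll None          # Administrators
    New-AllowRule 'S-1-5-18'     FullControl $inheritAll None          # SYSTEM
    # Assumption: CREATOR OWNER applies to subfolders and files only.
    New-AllowRule 'S-1-3-0'      FullControl $inheritAll InheritOnly   # CREATOR OWNER
    # Step 12: Authenticated Users, "This folder only" (no inheritance flags).
    New-AllowRule 'S-1-5-11'     $browseOnly None None                 # Authenticated Users
)

$acl = Get-Acl -Path $Root
# Steps 5-6: stop inheriting from the parent and drop the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in $rules) { $acl.SetAccessRule($rule) }
Set-Acl -Path $Root -AclObject $acl

# Review the result: the Authenticated Users entry must show InheritanceFlags = None.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Any explicit entries that were already on the folder for other identities are left in place, as they are in the GUI procedure, so check the final table for anything unexpected.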

Source article: http://support.microsoft.com/kb/288991


Adding Trusted Sites in Internet Explorer using Group Policies


In my case I use folder redirection to a DFS share. Users get a warning about the safety of files they manage, since the computer doesn’t trust the DFS domain (\\contoso.com\Data).

What I did was simply add *.contoso.com to Intranet Zone in Internet Explorer.

If you want to add items to this list using Group Policies, and at the same time allow users to modify their settings, you can do this by adding the two following Group Policy Preferences.

  1. Go to User Configuration, Preferences, Windows Settings, Registry
  2. Create a new Registry Item with the following attributes:
    Action: Update
    Hive: HKCU
    Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contoso.com
  3. Create a new Registry Item with the following attributes:
    Action: Update
    Hive: HKCU
    Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contoso.com
    Value name: *
    Value Type: REG_DWORD
    Value Data: *ZoneID

*ZoneID: Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone.


How to Disable Internet Explorer Enhanced Security Configuration (IE ESC) using Group Policies


Assuming you know how to create a Group Policy, this is what you need to do in order to disable Administrator and User IE ESC.
Create a new Group Policy and go to Computer Configuration/Preferences/Windows Settings/Registry.
Create a new Registry Item with the following settings, in order to disable IE ESC for Administrators.
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
Value: IsInstalled
Value type: REG_DWORD
Value data: 0
Create a new Registry Item with the following settings, in order to disable IE ESC for Users.
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
Value: IsInstalled
Value type: REG_DWORD
Value data: 0

Flush Exchange Logs


Transaction logs store all changes to the databases, including copies of all incoming and outgoing email. The only proper way to clean up transaction logs is to perform a backup.

The problem is that when you perform migrations or other large-scale data changes to your databases, they create transaction logs bigger than your log disks and/or backup media can handle. The only way to prevent this without corrupting the database is to flush the Exchange logs.

There are 3 ways to flush logs.

  1. Flush with ESEUtil.exe.
    Requires database dismount, but requires no extra diskspace.
  2. Fake backup with DISKSHADOW.
    Can be performed online but requires diskspace for shadowcopy.
  3. Perform a regular backup.
    Can be performed online but requires diskspace for shadowcopy and of course diskspace for the actual backup data.

The fastest way to flush Exchange logs is to use ESEUtil.exe on a dismounted store. Dismounting means downtime, which in most cases is not the preferred option.

To flush logs without dismounting databases, simply perform a backup of Exchange or, if that takes too long, fake a backup of Exchange.

I’ll give an example of all three options using Exchange 2010 on a Windows Server 2008 R2 box.

Flushing logs with ESEUtil.exe (Fast/Offline)

  • Dismount the database.
  • Run ESEUtil.exe /MH Database.edb
  • Make sure the State value is either Clean Shutdown or Consistent State.
  • Delete all the files in the transaction log folder.
  • Mount the database.
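The State check is the step that protects the database, so it is worth scripting rather than reading by eye. The following is an added example, not part of the original post; the function names and the sample header excerpts are constructed assumptions, and the accepted State values are the two named in the list above.

```powershell
# Added example (not from the original post): gate log removal on the ESEUtil /MH State value.
function Get-EseDatabaseState {
    param([string[]]$HeaderDump)
    foreach ($line in $HeaderDump) {
        # The header dump reports the state on a line of the form "State: <value>".
        if ($line -match '^\s*State:\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw 'No "State:" line found in the header dump.'
}

function Test-LogRemovalSafe {
    param([string[]]$HeaderDump)
    # Accepted values are the two named in the post.
    (Get-EseDatabaseState -HeaderDump $HeaderDump) -in 'Clean Shutdown', 'Consistent State'
}

# Constructed header excerpts; only the State line matters for the check.
$cleanDump = @('     Database: Database.edb', '', '            State: Clean Shutdown')
$dirtyDump = @('     Database: Database.edb', '', '            State: Dirty Shutdown')

Test-LogRemovalSafe -HeaderDump $cleanDump   # True:  logs may be removed
Test-LogRemovalSafe -HeaderDump $dirtyDump   # False: logs are still needed for recovery

# Real use on a dismounted database (path is a placeholder):
# $dump = & ESEUtil.exe /MH 'X:\path\to\Database.edb'
# if (-not (Test-LogRemovalSafe -HeaderDump $dump)) { throw 'Database not cleanly shut down; keep the logs.' }
```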

Backing up Exchange with Windows Server Backup (Slow)

  • Install and run backup feature from server manager
  • Click Backup Once under Actions
  • Select Different Options and click Next
  • Select Custom and click Next
  • Click Add Items
  • Select everything except Bare Metal Recovery and System State and click OK
    Selecting System State will not clear your transaction logs.
  • Click Advanced Settings
  • Select the VSS Settings tab
  • Select VSS Full Backup and Click OK
  • Click Next
  • Select a destination for your backup and click Next
  • Click Backup

Notice that the backup performs an Exchange Server consistency check before backing up. This takes time, proportional to the total size of your transaction logs.

After backup completes, you will notice the files in the transaction log have been flushed.

Faking backup of Exchange with DISKSHADOW (Fast)

  • Run CMD as admin.
  • DISKSHADOW
  • Add Volume C:
  • Add Volume D:
  • Add Volume E: (etc…)
  • Begin Backup
  • Create
  • End Backup

You should now see the logs purging slowly on the log drive.
