Subscribe via Email

Subscribe via RSS/JSON


Recent Posts

Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan


[Aside] Plug-ins not loading in Adobe Reader XI?

Disable Protected Mode:

Thanks to this forum post.

[Aside] How to convert a manually added AD site connection to an automatically generated one

Cool tip via a Microsoft blog post. If you have a connection object in your AD Sites and Services that was manually created and you now want to switch over to letting KCC generate the connection objects instead of using the manual one, the easiest thing to do is convert the manually created one to an automatic one using ADSI Edit.

1.) Open ADSI Edit and go to the Configuration partition.

2.) Drill down to Sites, the site where the manual connection object is, Servers, the server where the manual connection object is created, NTDS Settings

3.) Right click on the manual connection object and go to properties

4.) Go to the Options attribute and change it from 0 to 1 (if it’s an RODC, then change it from 64 to 65)

5.) Either wait 15 minutes (that’s how often the KCC runs) or run repadmin /kcc to manually kick it off

While on that topic, here’s a blog post to enable change notifications on manually created connections. More values for the options attribute in this spec document.

Also, a link to myself on the TechNet AD Replication topology section of Bridge All Site Links (BASL). Our environment now has a few sites that can’t route to all the other sites so I had to disable BASL today and was reading up on it.

[Aside] Finding the source of a domain account lockout

An excellent post. Easy and to the point. Wish I had discovered this much before. The upshot is:

  • Enable debugging on a domain controller: nltest /dbflag:0x2080ffff
  • Disable debugging after a bit: nltest /dbflag:0x0
  • Check the logs at %windir%\debug\netlogon.log to find out where/ what is locking the account.

[Aside] NetScaler and WireShark

FYI to myself: NetScaler + WireShark. Lots of useful WireShark tips and tweaks.

[Aside] Profile Manager NTUSER.DAT editing

I liked this blog post. That’s something I had thought of trying earlier when I was thinking about registry keys and applying them via GPP vs other methods. For now I am applying a huge bunch of my registry keys via the default profile and if there’s any subsequent changes then I’ll push the change out via GPP (for existing users) and also modify the default profile (for new users). But the geeky method the author followed of loading each user’s NTUSER.DAT and modifying the registry key directly is fun and something I had considered. Only catch though is that this has to be done during a period no users are logged in. Coz of this I don’t think I’ll be trying this in my environment but I liked the idea.

[Aside] Citrix StoreFront customizations & tweaks

As a reference to myself for the future:

[Aside] Enable ICA file logging

Very useful when you are troubleshooting and want to see the ICA file received by the client/ receiver. Instructions at

[Aside] Citrix Storefront Sync Problems – Propagate Changes – Server is not reachable. Configuration settings might be out of date.

A quick thank you to this blog post for making my day slightly better today! Stumbled upon this issue and when a quick reboot and a look at the running services didn’t show any obvious errors I was at a loss of what to do. Wouldn’t have thought these two accounts were getting removed via GPOs. :)

[Aside] Group Policy Objects – VDA User Settings

An amazing post from Carl Stalhood (as a reference to myself for later):

Group Policy Objects – VDA User Settings

[Aside] IE11 does silently ignores file server locations for PAC file

I had encountered this the hard way some months ago, but today I was Googling on this to share the same with a colleague. Starting with IE 11 you cannot use file server locations (e.g. c:\windows\global.pac or \\mydomain\dfs\global.pac) for the PAC file. You have to use an HTTP or HTTPS location (e.g. http://myserver/global.pac).

It is possible to change a registry key to enable this behavior. This and other nuggets of info can be found in this wonderful MSDN article on web proxy configuration.

  • There’s WinINET and WinHTTP proxy settings. WinINET is the one you set via IE. WinHTTP is the one you set via netsh winhttp I think.
  • Firefox uses the WinINET settings if set to use system proxy settings.
  • Proxy settings are per user, but can be changed via a registry key to be for all users of a machine.
  • Automatically detect settings looks for the wpad.<domainname> entry or uses DHCP to get a proxy script URL.

[Aside] Configuring Windows Server 2012 R2/ 2016. Start Menu via GPO

Option 1: – export the layout, push it out via GPO to all users. Unfortunately, on Server 2012 R2 this means users can’t modify the Start Menu after this.

Option 2: – much better. You push out a default “template”, but users can customize it further on.

On a related note: – for customizing the Start menu colors (these are the colors of the background you get when pressing the Windows button on Server 2012 R2. I find it better to modify the colors first so the two registry keys mentioned in this link are created).

[Aside] Using GPP Item-Level targeting to set environment variables based on AD attributes

The subject says it all. Wanted to do this, found the following. Excellent!

Unrelated, but I was Googling on this and I want to put the links somewhere –

Msiexec /fu {ProductCode} : repairs all user-specific registry settings

Msiexec /fup {ProductCode}: repairs all user-specific registry settings and reinstalls missing files

[Aside] Links to DFSR, Profile Data, etc.

Been reading quite a bit about user profiles and stuff lately. I’ve always imagined profiles as this blob of user settings + data under the C:\Users\<username> location. And every time we need to reset a profile there’s this arduous task of backing up the user data too and restoring it. Silly.

But turns out it’s just easier to use folder redirection and redirect all your data folders to a common place. Advantage of this is that roaming profile users can login any place and have the latest up-to-date data. None of the hassle of requiring a logoff-login for the profile to sync etc.

[Aside] Various SharePoint links

Been dabbling in a bit of SharePoint at work, here’s some links I came across and want to put here as a reference Future Rakhesh:

[Aside] Misc ADFS links

Update: To test ADFS as an end-user, go to https://<adfsfqdn>/adfs/ls/IdpInitiatedSignon.aspx. Should get a page where you can sign in and select what trusts are present.