Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

Roaming profile permissions and versions

Ever noticed that when you moved from Windows XP to Windows 7 the profile folder name has a .V2 appended to it? That’s because the profile format changed with Windows Vista, and to avoid mistakenly loading the older profile format, Vista and upwards add a .V2 (version 2) to the profile folder name. This way a user can log in to both XP and Vista/ 7 machines at the same time and the two profiles won’t get mashed together. 

Windows 8 changes the format again, to version 3 (and Windows 8.1 to version 4). This time, however, the folder name is not changed. When a Windows 7 user logs in to a Windows 8/ 8.1 machine the profile format is upgraded in place but the folder name stays as it is, and if they later log in to a Windows 7 machine there will be trouble. Workarounds include this one from a member of the AD team, or using GPOs on the computers to redirect roaming profiles to different locations (the “Set roaming profile path for all users logging onto this computer” GPO setting). Microsoft has since released hotfixes for Windows 8 and 8.1 that make them append .V3 and .V4 respectively, once the UseProfilePathExtensionVersion DWORD value is set to 1 under HKLM\System\CurrentControlSet\Services\ProfSvc\Parameters. More information is available in this KB article, which seems to be missing. 

Speaking of GPOs and roaming profiles, by default roaming profiles are created with very minimal permissions. Only the user (as Creator Owner) and the Local System account have full control over the roaming profile folder on the server. Administrators don’t have any permissions, not even enough to see the existing permissions. There is a GPO setting which can be used to grant the Administrators group access to roaming profiles. This is a Computer policy, found under Computer Configuration > Policies > Administrative Templates > System > User Profiles, and is called “Add the Administrators security group to roaming user profiles”. 

Once this policy is applied to computers, when a user logs in the computer adds the Administrators group to the ACL of the roaming profile. However, this policy has a catch: it only takes effect on roaming profiles created after the policy was deployed. If a user has a roaming profile from before the policy was deployed, the Administrators group will not be added to it. Even if the user logs in to a new machine the Administrators group will not be added (because in effect the machine is downloading the existing profile and leaving its permissions as they are). Of course, if you delete the roaming profile of an existing user so it’s recreated afresh, then the Administrators group will be added. 


The only way to give the Administrators group access in such cases is to take ownership of the user’s roaming profile folder and add the Administrators group to its ACL, then hand ownership back to the user (the User Profile Service refuses to load a roaming profile the user does not own, unless the “Do not check for user ownership of Roaming Profile Folders” policy is enabled). Best to create a PowerShell script or a batch file and automate the whole thing. 
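As an added example (my script, not the author’s), here is the take-ownership-and-grant dance wrapped in PowerShell and run over every profile folder under a share. The share path, the domain name, and the assumption that each folder is named after the user’s account name with an optional .Vn suffix are mine; change them for your environment.

```powershell
# Added example: grant Administrators Full Control on existing roaming profiles.
# Assumptions (not from the original post): profiles live under $ProfileRoot,
# folder names are <sAMAccountName> optionally followed by .V2/.V3/.V4, and the
# accounts belong to the domain $Domain. Run from an elevated prompt as an
# account that is an administrator on the file server.
param(
    [string]$ProfileRoot = '\\fileserver\profiles$',   # hypothetical share
    [string]$Domain      = 'CONTOSO'                   # hypothetical domain
)

Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_.FullName
    # Strip the profile version suffix to get back the account name
    $user   = $_.Name -replace '\.V\d+$', ''

    # 1. Take ownership of the whole tree as the Administrators group (/A, /R).
    #    /D Y answers "yes" for folders we cannot even list yet.
    & takeown.exe /F $folder /A /R /D Y | Out-Null

    # 2. Now that we own it we may change the ACL: give Administrators Full
    #    Control, inherited by subfolders and files ((OI)(CI)), through the tree (/T),
    #    continuing past errors (/C).
    & icacls.exe $folder /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null

    # 3. Hand ownership back to the user. The User Profile Service checks that
    #    the user owns the roaming profile folder and refuses to load it otherwise
    #    (unless the "Do not check for user ownership of Roaming Profile Folders"
    #    policy is enabled), so this step is not optional.
    & icacls.exe $folder /setowner "$Domain\$user" /T /C | Out-Null

    Write-Output "Fixed $folder for $Domain\$user"
}
```

Run it once, then let the GPO take care of new profiles. If a folder name does not map to an account (an orphaned profile, say), step 3 fails and icacls reports it; those folders are worth reviewing rather than silently skipping.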

Using netsh to set Static/ DHCP addresses

Where I work our desktops are locked down so regular users have no access to the network settings. And since I am always logged in as a regular user and only use my admin account via RunAs (because it’s best practice not to be logged in with your admin account) I don’t have access to the network settings window either. Of course I could log out and log in again, but who does that!?

Enter netsh (or PowerShell if you are on Windows 8, but I am on Windows 7 at work).

To show your currently assigned IPv4 addresses and interfaces:

To set a Static IPv4 address for the “Local Area Connection” interface:

And to set a DHCP IPv4 address for the “Local Area Connection” interface:

Easy peasy! (sort of)

A cool thing about netsh is that it’s an interactive shell: you can type netsh at the command prompt to enter the shell and then navigate around (typing ? at any level lists the commands available there) and slowly figure things out.
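The commands referred to above, as an added example (mine, not the author’s); the interface name, addresses and admin account are placeholders. The positional form of netsh is used because it passes cleanly through PowerShell’s argument quoting; the name=… keyword form is equivalent at a cmd prompt.

```powershell
# Added example (not from the original post). Interface name, addresses and
# the admin account are placeholders; change them to match your network.
$Nic     = 'Local Area Connection'
$Ip      = '192.168.1.50'
$Mask    = '255.255.255.0'
$Gateway = '192.168.1.1'
$Dns     = '192.168.1.10'

# Show interfaces and their IPv4 addresses (no admin rights needed for this)
netsh interface ipv4 show addresses

# Static address. DNS servers are configured separately: "set address" on its
# own leaves whatever DNS settings were there before.
netsh interface ipv4 set address "$Nic" static $Ip $Mask $Gateway
netsh interface ipv4 set dnsservers "$Nic" static $Dns primary

# Back to DHCP. Again both address and DNS must be switched, or you end up with
# a DHCP-assigned address and a stale static DNS server.
netsh interface ipv4 set address "$Nic" dhcp
netsh interface ipv4 set dnsservers "$Nic" dhcp

# Doing it from a regular-user session: run only netsh under the admin account
# (Start-Process -Credential is the PowerShell equivalent of RunAs).
$cred = Get-Credential 'CONTOSO\adminuser'
Start-Process -FilePath netsh.exe -Credential $cred -Wait `
    -ArgumentList "interface ipv4 set address `"$Nic`" dhcp"
```

One caveat: on a machine with UAC enabled, a RunAs of an administrator account yields that account’s filtered (non-elevated) token, so netsh set may fail with “The requested operation requires elevation”; in that case it has to be run from an elevated prompt instead. On Windows 8 the same settings are available through New-NetIPAddress, Set-DnsClientServerAddress and Set-NetIPInterface -Dhcp Enabled in the NetTCPIP and DnsClient modules.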

Print Management console to manage printers

Discovered the Print Management console today. Wonder how I missed it so far! It’s such a useful tool when you have many print servers and would like to manage them all. Moreover, if your print server is a Server Core install, then using the console definitely beats typing the commands and scripts that are provided by default to manage the print server on Server Core.

Couple of things as a note to myself:

  1. A 64-bit server requires 64-bit drivers to be installed. This was surprising to me. I always thought 32-bit drivers were ok even if the OS is 64-bit. But no, that won’t do for printers. You have to install the 64-bit drivers, but you can install additional drivers – that are 32-bit – for clients and such. So in a way, yes, a 64-bit server can have 32-bit drivers installed, but only as an additional set of drivers.
  2. When managing remote servers it’s better to add the drivers first using this console and then add the printer. If you try adding drivers while adding a printer, the dialog box showing progress tends to freeze and you might think everything’s stuck.
  3. It is better to add both the 64-bit and 32-bit (if you require them) drivers to the server, and then add the printer. If you add the 64-bit driver first, then add the printer, and then add the 32-bit drivers via the additional drivers dialog box, the driver gets added but trying to open the printer again gives errors that your client machine needs to have 32-bit drivers. (This is on a Windows 7 client managing a Server Core 2008 R2 machine, so it could just be a bug with my setup.) So best to add all drivers first to the server, and then add the printer.
  4. If you have already added 32-bit and 64-bit drivers to the server, then when adding a new printer the 32-bit drivers are automatically picked up as additional drivers. No need to select them manually.
  5. Additional drivers can be added by opening the printer properties, going to the Sharing tab, and selecting ‘Additional Drivers’. But like I said above, better to just add these additional drivers first by going to the ‘Drivers’ node in the Print Management console.
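The same drivers-first, printer-last order as an added example (mine, not the author’s), using the PrintManagement cmdlets that come with Windows 8/ Server 2012 rather than the console. Server, driver and printer names are placeholders, and the driver packages are assumed to be staged in the server’s driver store already (pnputil.exe /add-driver on the server): Add-PrinterDriver registers a staged package, it does not copy files over.

```powershell
# Added example (not from the original post): drivers first, printer last,
# against a remote print server. Requires the PrintManagement module
# (Windows 8 / Server 2012). Names below are placeholders; the driver package
# is assumed to be in the server's driver store already.
$Server = 'PRINT01'
$Driver = 'HP Universal Printing PCL 6'   # must match the INF driver name exactly

# 1. Native (64-bit) driver first, then the 32-bit one that will be served to
#    x86 clients as the "additional driver". A printer cannot be created until
#    the native driver exists.
Add-PrinterDriver -ComputerName $Server -Name $Driver -PrinterEnvironment 'Windows x64'
Add-PrinterDriver -ComputerName $Server -Name $Driver -PrinterEnvironment 'Windows NT x86'

# Check both environments are present before creating anything
Get-PrinterDriver -ComputerName $Server -Name $Driver |
    Select-Object Name, PrinterEnvironment, MajorVersion

# 2. Port, then the shared printer. Because both driver flavours already exist
#    the x86 driver is picked up automatically as the additional driver.
Add-PrinterPort -ComputerName $Server -Name 'IP_10.0.0.50' -PrinterHostAddress '10.0.0.50'
Add-Printer -ComputerName $Server -Name 'Finance-LaserJet' -DriverName $Driver `
            -PortName 'IP_10.0.0.50' -Shared -ShareName 'Finance-LJ'
```

Point Spooler driver installs at signed packages only; whatever you register here is kernel-adjacent code that every client connecting to the share will download and run.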

Get-WindowsFeature missing

I always open up PowerShell on $randomcomputer and type Get-WindowsFeature expecting to get a list of Windows features. Sometimes it doesn’t work and then I Google on why that’s the case, forgetting that I’ve been down this route umpteen times. So here’s a post for myself.

The *-WindowsFeature cmdlets are available via the Server Manager module which in turn is either present by default (on servers) or installed via the Remote Server Admin Tools (on clients).

  1. Windows Server 2012: Modules are loaded automatically on demand so the *-WindowsFeature cmdlets are available without any additional steps.
  2. Windows Server 2008 R2: Import the Server Manager module and then the *-WindowsFeature cmdlets can be used.
  3. Windows 8: Install the Server Manager via RSAT. This makes the Server Manager module available for automatic loading and then the *-WindowsFeature cmdlets can be used. Windows 8 also provides (Get|Enable|Disable)-WindowsOptionalFeature cmdlets as part of the DISM module (which is present by default). These provide similar functionality to the *-WindowsFeature cmdlets (they don’t work on remote computers though!). Add the -Online switch when using these cmdlets, as they can work with either the running instance or a mounted Windows image.
  4. Windows 7: Installing the Server Manager via RSAT doesn’t help. It doesn’t include the Server Manager module and so the *-WindowsFeature cmdlets are not available. An alternative is to install the 3rd party Client Manager module which gives the *-ClientFeature cmdlets.
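As an added example (mine, not the author’s), one function that lists enabled features whichever of the four cases above it lands on, so the same script runs on a server, a Windows 8 client and a Windows 7 client. The Windows 7 branch parses dism.exe output, and the “Feature Name : …” / “State : …” layout it assumes is DISM’s default English output.

```powershell
# Added example (not from the original post). Returns Name/Source objects for
# every enabled feature using whichever mechanism the OS provides.
# Assumption: dism.exe output is in the default English format.
function Get-EnabledWindowsFeature {
    # Cases 1-3: ServerManager module present (server, or Windows 8 with RSAT).
    # 2008 R2 does not auto-load it, so import explicitly.
    if (Get-Module -ListAvailable -Name ServerManager) {
        Import-Module ServerManager -ErrorAction Stop
        return Get-WindowsFeature | Where-Object { $_.Installed } |
            ForEach-Object { New-Object PSObject -Property @{ Name = $_.Name; Source = 'ServerManager' } }
    }

    # Case 3 without RSAT: Windows 8 client, DISM module is in the box.
    # (-Online = the running OS, as opposed to a mounted image.)
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        return Get-WindowsOptionalFeature -Online | Where-Object { $_.State -eq 'Enabled' } |
            ForEach-Object { New-Object PSObject -Property @{ Name = $_.FeatureName; Source = 'DISM module' } }
    }

    # Case 4: Windows 7 (PowerShell 2.0, no cmdlets). Parse dism.exe, which
    # needs an elevated prompt.
    $current = $null
    foreach ($line in (& dism.exe /Online /Get-Features)) {
        if ($line -match '^Feature Name\s*:\s*(.+)$') {
            $current = $Matches[1].Trim()
        } elseif ($line -match '^State\s*:\s*Enabled' -and $current) {
            New-Object PSObject -Property @{ Name = $current; Source = 'dism.exe' }
            $current = $null
        }
    }
}

Get-EnabledWindowsFeature | Sort-Object Name | Format-Table Name, Source -AutoSize
```

New-Object PSObject is used instead of the [pscustomobject] syntax so the Windows 7 branch actually runs on the PowerShell 2.0 that ships there.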

Managing BitLocker disks on Server Core

I have a Server Core 2012 that has two BitLocker encrypted disks on it. When I encrypted those disks the server had the full GUI but after I converted to Core there’s obviously no GUI to just double click and be prompted for a password etc. So need to use the command line tools.

There seem to be two ways.

First are the BitLocker command line tools. Manage-bde looks like the most useful command here. Using this one can see the status of all the drives on the machine, lock and unlock drives, enable or disable auto-unlock, and also turn BitLocker encryption on or off for a drive. 

Typing manage-bde in the command prompt gives you all the options. Each of these options have further switches which you can discover by typing manage-bde <option-name> -?.

To view the status of all drives on the machine:

To unlock an encrypted drive (with drive letter D:) to use with the system:

I use passwords, hence the -pw switch. If you use recovery keys or certificates there are switches for that too. manage-bde prompts for a password and unlocks the drive, mounting it on the specified drive letter.

To set the drive (with drive letter D:) as auto-unlocked:

That’s all. From now on the drive will be automatically unlocked when attached to the system.

The syntax for disabling auto-unlock and for locking a drive is pretty obvious from the examples above. The thing to remember is that you always specify the manage-bde command followed by a dash switch saying what you want to do, and after that the drive letter. 

There are two other commands: Repair-Bde for repairing corrupted BitLocker encrypted drives and BdeHdCfg for preparing a drive (creating the system partition) for BitLocker encryption (though it doesn’t seem to be required any more as Manage-Bde includes some of this functionality). 

Apart from the BitLocker command line tools you can also manage BitLocker via PowerShell. This is only for Windows 8/ Windows Server 2012 and is available via the BitLocker module (requires RSAT on Windows 8).

To view the available drives on a system and their BitLocker status do:

You can also check the status of a specific drive with the above cmdlet by passing it the drive letter with the -MountPoint switch. 

To unlock a BitLocker drive (with letter D:) do:

The cmdlet does not prompt for a password. You have to pass it via the -Password switch. You can’t pass the password as plain text either, so you have to convert it to a secure string. Use the ConvertTo-SecureString cmdlet for that, or just use Read-Host -AsSecureString so the text you type is captured as a secure string straight away (and never shows up in the console history). 

To set auto-unlock on a drive (with letter D:) do:

Similar cmdlets exist for locking and auto-locking drives.
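The manage-bde invocations and the BitLocker module cmdlets discussed above, collected as an added example (mine, not the author’s). D: is the example data volume.

```powershell
# Added example (not from the original post). D: stands in for the data volume.

# --- manage-bde: any Windows with BitLocker, including Server Core ---
manage-bde -status                          # every volume: protection state, key protectors
manage-bde -unlock D: -pw                   # prompts for the password interactively
manage-bde -autounlock -enable D:           # store an auto-unlock key for D: on the OS volume
manage-bde -autounlock -disable D:          # and remove it again
manage-bde -lock D: -ForceDismount          # lock even if something still has D: open

# --- BitLocker module: Windows 8 / Server 2012 and later ---
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, LockStatus, AutoUnlockEnabled
Get-BitLockerVolume -MountPoint 'D:'

# Never write the password into the script: read it as a SecureString so it
# lands neither in the console history nor in a transcript.
$pw = Read-Host -Prompt 'BitLocker password for D:' -AsSecureString
Unlock-BitLocker -MountPoint 'D:' -Password $pw

Enable-BitLockerAutoUnlock  -MountPoint 'D:'
Disable-BitLockerAutoUnlock -MountPoint 'D:'
Lock-BitLocker -MountPoint 'D:' -ForceDismount
```

Auto-unlock works by storing an external key for D: in the metadata of the operating system volume, so it can only be enabled when the OS volume itself is BitLocker-protected; on a server whose OS volume is not encrypted, -autounlock -enable fails and you are back to entering the password after every reboot.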

After writing this post I discovered a TechNet article that goes into more detail on the above command line tools and cmdlets. Go check it out.

Windows Advanced Firewall

Just some notes on the Windows Firewall.

  1. Starting with Windows Vista and Windows Server 2008 you have to use the netsh advfirewall firewall command-line context to manage the firewall. You still have the netsh firewall context, but that’s just for backward compatibility.
  2. Starting with Windows Vista and Windows Server 2008 you also have three profiles: domain (which applies when you are connected to a domain), public (for networks you mark as public), and private (for networks you mark as private/ home). Prior to this the firewall only had a domain profile (which is still present) and a standard profile (which now maps to the private profile). So by using the netsh firewall context you can only modify the domain and private profiles.
  3. netsh advfirewall firewall (show|add|set|delete) rule commands can be used to view, add, modify, and delete rules. Filtering is limited: show rule needs the exact rule name (or name=all), and beyond that you can only narrow by profile and direction (inbound or outbound); there is no wildcard matching. Moreover you can’t format the output, and you can’t manage multiple rules at once (except if they are part of a group, but then you can’t filter further in terms of “all rules of a particular group that belong to such and such profile”). Very limited, actually.
  4. Starting with Windows 8 and Windows Server 2012 you have PowerShell 3 and this can manage the firewall. Unfortunately, while you can install PowerShell 3 on Windows 7 and Windows Server 2008 R2, it doesn’t have the NetSecurity module which provides the firewall cmdlets. So you can’t manage the firewall on these OSes with PowerShell 3. See this blog post for a list of PowerShell 3 firewall related cmdlets.
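As an added example (mine, not the author’s), the same inbound rule created with netsh and with the NetSecurity cmdlets, followed by the group-and-profile query that netsh cannot express. The management subnet and rule names are placeholders. The --% token (PowerShell 3 and later) passes the rest of the netsh line through untouched; at a cmd prompt just leave it out.

```powershell
# Added example (not from the original post). 10.0.0.0/24 and the rule names
# are placeholders.

# netsh advfirewall: one rule at a time. "show rule" wants the exact name
# (or name=all); no wildcards, no combined group-plus-profile filter.
netsh --% advfirewall firewall add rule name="RDP from management" dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.0.0/24 profile=domain
netsh --% advfirewall firewall show rule name="RDP from management"

# NetSecurity module (Windows 8 / Server 2012): the same rule as an object...
New-NetFirewallRule -DisplayName 'RDP from management (PS)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/24 -Profile Domain

# ...and the query netsh has no syntax for: enabled rules of one group that
# apply to the Public profile. Profile is a flags value ("Domain, Private"),
# hence the -match; "Any" means all three profiles.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Direction, Action, Profile

# Because rules are objects, conditions netsh only prints as text can be
# filtered on: every enabled inbound allow rule that opens TCP 3389.
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile
```

The last query is the one worth keeping: rules that open a management port to any remote address on the Public profile are exactly what a firewall audit should turn up, and it takes one pipeline instead of a screenful of netsh output to find them.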

Windows backups

Got myself a new USB 3 external disk for taking backups so past few days I’ve been exploring that. My laptop’s about 6 months old now and I have customized it to the way I want and I would hate having to lose all that should anything happen. So apart from a data backup – which is what I usually do – I wanted something that would just “image” the drive and be restore-able easily.

The wannabe geek that I am, my initial impulse was to explore solutions like ImageX or Disk2VHD. ImageX especially appealed to me as it’s a file based image format so if I manage to use it I’ll have a backup in an image format that just backs up the actual files instead of doing a sector based backup. This would mean the backup size is small (if a 100GB partition only has 50GB worth of files, the backup is only 50GB in size as opposed to a sector image backup that would be 100GB in size), I can restore to partitions that aren’t the same size as the original partition, I can mount the backup and fiddle around, I can compress the backup… and in general it just feels pretty cool using ImageX to backup, so why not!?

This forum post talks about using ImageX for backups. Microsoft does not recommend using ImageX for system backups because it has some limitations – mainly to do with extended attributes being lost and sparse files no longer being sparse and junctions possibly getting corrupted – and although I don’t actually use any of these features I am not sure Windows does not use them by default (as a matter of fact I do know Windows uses junctions for the SxS (side-by-side) folder so I could be unaware that it’s using the other features too somewhere by default). Also, while ImageX is cool, there is the additional hassle of having a WinPE (or BartPE) disk ready so I can restore the ImageX backup and reinstall the boot-loader etc.

Disk2VHD was another option I considered but again, it’s a hassle converting the VHD disk to a physical disk. Sure it’s possible, but as I have learnt when actually having to restore files after a problem: you don’t tend to be too appreciative of geeky solutions then, you are probably pissed and irritated and short of time and so just want something that works and gets the job done as quick as possible.

The forum post that talks about ImageX gives many more suggestions. DriveImage XML is a good alternative. I have used it in the past to back up my computer and while I am not a fan of its interface it takes an image level backup and is good at what it does. To restore the backup I can use their Linux based recovery CD or create a WinPE disk using Bart’s PE Builder. I tried DriveImage XML and it was fast too. 

Windows 7

And then I stumbled upon Windows 7’s in-built backup program. Which is really the subject matter of this post. You see, my mind was still stuck on Windows backup being that old crappy backup software that came with Windows XP – I hadn’t really updated myself to the fact that Windows Backup is now kind of cool. It does regular backups, but it also offers the option to make a System Image backup – which is exactly what I was looking for!

A System Image is essentially a VHD file with a bunch of XML files that contain metadata about the backup. You can take the backup to an external disk or a network path. The backup program creates a folder on the path you specify, within which there’s a subfolder with the name of the machine you are backing up, with a subfolder containing the date of the backup. As I mentioned above, the System Image backup is a VHD file containing a snapshot of the C: drive and the hidden system drive (so you have two VHD files created). Unlike the regular backup, which is also offered, you can’t restore individual files from a System Image through the backup program (it is a disk image after all), but since you can mount these VHD files as a drive letter (Windows 7 and later let you mount VHD files) you can essentially navigate through the backup and just copy and restore files from the System Image if you wish. I find that cool! 

Best of all, you can choose to create a System Repair Disc – or if you don’t do that, just use the Windows 7 installation disc and choose the “Repair” option – and then point it to the external disk or network path containing the System Image backup and it will restore the image. Easy!

I am paranoid and like my backups to be encrypted. That too is no problem because I can use BitLocker to encrypt the disk I will be backing up to, and so the System Image is encrypted. When restoring, the program is smart enough to ask for the BitLocker key, after which the System Image is available. 

The Storage Team blog has four posts ([1], [2], [3], and [4]) that introduce the Windows 7 backup features. I recommend everyone reads them, including the comments which answer many questions. They talk not just about the System Image backups, but also the regular backup (where you take a full backup followed by many incrementals, and which you can restore file by file) as well as features like System Restore that let you use Volume Shadow Copy (VSS) to automatically have previous versions of files preserved on a drive. This Paul Thurrott article too talks about Windows 7 backup features and has many screenshots. 

I must point out that if the System Image backup is taken to a network path only the latest backup is kept. On external disks it keeps multiple backups, but it moves the older backups to the Shadow Copy storage area. Shadow Copy (aka “System Restore”) is disabled by default for non-OS drives, so only one copy of the System Image will be kept even on external disks. And if Shadow Copy is enabled, by default only 30% of the partition size is allocated for Shadow Copy and so only 30% of the partition size will be used for older System Image backups. If you use the external disk exclusively for System Image backups you can tweak this via “System Restore” (click “Configure” in the screenshot). 

Last, but not the least, for those who like the command-line there is a wbadmin command. This is useful if you want to script or schedule creation of System Image backups based on other triggers (when you connect to a home network, for instance).
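As an added example of scripting it (mine, not the author’s), a script that takes a System Image with wbadmin only when the backup disk is actually attached, so it can sit in a scheduled task without failing noisily on days the disk is at home. The volume label is a placeholder.

```powershell
# Added example (not from the original post). Looks the target volume up by
# label so the drive letter does not matter; $TargetLabel is a placeholder.
param([string]$TargetLabel = 'BACKUP')

$target = Get-WmiObject Win32_Volume |
    Where-Object { $_.Label -eq $TargetLabel -and $_.DriveLetter }
if (-not $target) {
    Write-Warning "Volume '$TargetLabel' is not attached, skipping this run"
    exit 2
}
$letter = $target.DriveLetter   # e.g. E:

# -allCritical = the OS volume plus the hidden system volume, i.e. what the
# GUI's "System Image" does. -quiet suppresses the confirmation prompt so the
# task can run unattended. wbadmin needs an administrative token.
$p = Start-Process -FilePath wbadmin.exe -Wait -PassThru `
    -ArgumentList "start backup -backupTarget:$letter -allCritical -quiet"
if ($p.ExitCode -ne 0) {
    Write-Error "wbadmin exited with code $($p.ExitCode)"
    exit $p.ExitCode
}

# List what the target now holds; on a network path this is always just the
# newest image, on a disk older ones live in the shadow copy storage.
& wbadmin.exe get versions -backupTarget:$letter

# One-off registration as a weekly task running as SYSTEM (adjust path):
#   schtasks /Create /TN "SystemImage" /SC WEEKLY /D SUN /ST 22:00 /RU SYSTEM /RL HIGHEST ^
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\SystemImage.ps1"
```

If the backup disk is BitLocker-protected, as above, the task only succeeds while the volume is unlocked; auto-unlock (tied to the laptop’s own OS volume) is what makes that work unattended, and it also means the image is only readable on a machine that can unlock the disk.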

Windows 8

It’s worth pointing out that Windows 8 has a different sort of backup, called File History. It is more like the Mac OS X “Time Machine” backups: you specify an external disk and the OS periodically saves snapshots of your files and documents to that disk. You can specify the snapshot intervals and how long you’d like to keep them, and the OS offers you a GUI to go back to previous versions/ deleted files. It is sort of like Windows 7’s “System Restore” feature but with more prominence. And it does not do System Image backups. 

However, Windows 8 does still have the Windows 7 backup program, under a different name (it’s called Windows 7 File Recovery), and that lets you do regular backups and System Image backups, so all that was discussed above still applies there. 

Virtual lab setup

Here is a high level overview of how my virtual lab is set up.

Tony Redmond’s “Exchange 2010 Inside Out” book is what inspired my current set up. Previously I had a desktop machine running Debian Linux & KVM with Windows and Linux machines as guests and I would Remote Desktop or SSH into these; but Tony’s book mentioned how cool he found it to be able to have a laptop with all his virtual machines as well as applications such as Word running side by side and it was fascinating that both were just an Alt+Tab away from each other. I too found it a fascinating idea, and I was in need of an excuse to purchase a new powerful laptop as well as move to a system where all my virtual machines were “in hand” and so that’s where I am now.

I purchased a Samsung NP550P5C laptop which I upgraded to 16GB RAM (the laptop has two slots and comes with 4GB in each). It runs Windows 7 and I installed VirtualBox as the hypervisor. I chose VirtualBox as it supports 64-bit guests, unlike Virtual PC, and I had trouble with my initial choice VMware Server (Windows Server 2008 guests kept crashing upon reboot). I am glad I chose VirtualBox – so far it’s been a great experience and my only wish is that it supported some way of organizing guests in the manager console into folders and let me manage them as a group (automatically start the guests in a particular delayed order, for instance). [Update: VirtualBox 4.2 supports grouping, headless launching, and autostart of VMs with the host system (not on Windows though).]

I have set my Windows 7 host taskbar to the left. This way I can maximize the window of the guests and have them as sort of full-screen but with the ability to easily select other apps on the host with a mouse click. Further, I set Ctrl+Shift as the “host key” in VirtualBox, which means when I am in a guest I can press Ctrl+Shift and then Alt+Tab to any other guest or app. Or I can do Ctrl+Shift and then Win+number to switch to that app in the taskbar. I find that very neat.


Here’s a screen shot of a freshly installed guest.

Notice how all the icons in the host taskbar are grouped except the VirtualBox ones? That’s thanks to the 7+ Taskbar Tweaker which lets me tweak the taskbar in many useful ways. Also, by default if you move the taskbar to any side the icons are large and ugly – but there is a workaround for that. Applying the workaround each time you login (or whenever the taskbar expands back to the large and ugly size, as it tends to do sometimes) is a chore, so I created an AutoHotkey script that does it for me.

In terms of the guests, I have a WSUS server guest to take care of the Windows updates. This way each guest does not have to keep downloading updates and clog my bandwidth. The WSUS server downloads and caches it. It is also a good experience for me to get familiar with WSUS.

When I think of WSUS I think of a battle tank. It feels that way – slow and lumbering. No fault of WSUS though; it is a very I/O intensive application what with all the downloading and storing in a database and that obviously takes a toll on its performance as a guest. A useful tip for when you install WSUS as a virtual guest is to limit the SQL Server process’s memory usage. The first time I tried WSUS I found that it made all my guests and the host slow and I saw that the WSUS guest was always eating up all the RAM allocated to it. A bit of Googling showed that this was a common complaint and there was a way to limit the SQL Server’s memory usage. I did that and since then WSUS is well behaved. Currently I have set aside a 2GB guest as my WSUS server and limited the memory usage of the SQL Server process to 1GB.
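The memory cap described above, as an added example (mine, not the author’s): WSUS normally runs on the Windows Internal Database, which has no management GUI, so the cap is set through sqlcmd over WID’s local named pipe. The pipe name depends on the WID version (the two standard ones are below); if your WSUS uses a full SQL Server instead, point -S at that instance. sqlcmd.exe is not present by default and must be installed from the SQL Server feature pack or tools.

```powershell
# Added example (not from the original post): limit the memory of the Windows
# Internal Database behind WSUS. Run from an elevated prompt on the WSUS box.
$Pipe = if ([Environment]::OSVersion.Version -ge [Version]'6.2') {
    'np:\\.\pipe\MICROSOFT##WID\tsql\query'          # WID on Server 2012 and later
} else {
    'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'    # WID (SSEE) on 2008 R2 / WSUS 3.x
}
$MaxMB = 1024   # 1 GB for SQL out of the 2 GB guest, as in the post

# 'max server memory' is an advanced option, so it has to be exposed first.
# The value is in MB and takes effect immediately after RECONFIGURE; the final
# statement echoes the running value so you can confirm it stuck.
$query = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; " +
         "EXEC sp_configure 'max server memory (MB)', $MaxMB; RECONFIGURE; " +
         "EXEC sp_configure 'max server memory (MB)';"

# -E = Windows authentication over the pipe
& sqlcmd.exe -S $Pipe -E -Q $query
```

On some WID versions only the SYSTEM account is a sysadmin, in which case run the same line under SYSTEM (for instance with Sysinternals psexec -s) rather than loosening WID’s logins. Keep the cap comfortably below the guest’s RAM so the OS and the update cache on disk still have room; a cap set too tight just trades a memory-hungry guest for one that thrashes.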

The WSUS server is also my gateway router for the virtual guests. I have many internal networks in VirtualBox (to simulate multiple LAN/ WAN segments) and have assigned each guest two NICs – one on an internal network and another for VirtualBox NAT. When a guest is on the VirtualBox NAT the host acts as a DHCP server and assigns the guests dynamic IPs from the 10.0.x.0/24 range. The x corresponds to the instance of the NAT interface plus 2, so if your guest has 3 NICs and all three are on VirtualBox NAT then the first NIC will be on the 10.0.2.0/24 network, the second on the 10.0.3.0/24 network, and the third on the 10.0.4.0/24 network. Each NIC will have a dynamic IP from that network’s address range, and the gateway will be set as 10.0.x.2 and the name server as 10.0.x.3.

It is not necessary to use the dynamic IP assigned by the VirtualBox host. Instead, you can assign the guests static IPs from that network and they will work fine.

In my case, once a guest is up and running I disable – from the guest – the NIC that’s assigned to the VirtualBox NAT. That way all guests are on the internal network with no direct access to the outside network. (I choose to disable the NIC from the guest rather than from the host as it’s easier if I ever want to enable internet access on a particular guest for some quick testing.) As mentioned earlier, all guests also have the WSUS server set as the default gateway. And so on the WSUS server I assigned its NAT-connected NIC a static IP, installed the Routing and Remote Access role, and enabled routing. Thus the WSUS server acts as a router for all the guests on the various internal networks.

Apart from that each domain’s DC also has GPOs that direct all the machines to connect to the WSUS server for updates, change the background to display information from the SysInternals BgInfo tool, and disable the irritating shutdown tracker. The WSUS server is (as of now) a standalone server.

That’s all for now!