Blog

Generate a CSV from your GPO’s per OU

2011-07-28

If you come into an environment like I have, you’ll find that some companies prefer to break out their AD structure by location and then generate an OU structure that matches it. Physically, this is understandable and you can understand what’s where. Logically, this causes issues because AD utilizes an inheritance model and this gets complicated and very messy very quickly if you do not follow a strict model. This model falls on its face when you have a centralized IT force. As an example, the company I worked for acquired numerous other companies and each company/location had its own IT workforce. Eventually, the company consolidated all of these external IT departments into one. The IT staff then standardized each site for GPO’s, which made having each one redundant.

This is a mockup of the OU structure:

And the GPO’s applied:

If you look closely, you can see that some sites are missing some GPO’s, some have an extra GPO, and some have the same. The goal I was given is that I need to consolidate the OU’s with the same GPO’s applied and then I can examine the disparate ones individually. In order to make a nice spreadsheet to do this I created this script (run on Windows, I added awk, sed, and grep to the windows\system32 folder and installed group policy management).

Since the structure has a nice, predictable “end” OU (eg, Laptops, Desktops, Users) I could script for that keyword:

This generates the following file:

Which looks like this when you put it in Excel:

Nice and pretty and if you add conditional formatting on “x” you can easily identify which OU’s are the same and can be consolidated, or just a nice report on which GPO’s are affecting which OU’s.
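One way to build the same OU-by-GPO matrix with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not the original script (which used awk, sed and grep). The output path is an assumption, and the report covers every enabled GPO that applies to each OU, inherited links included.

```powershell
# Added example, not the post's script. Requires the RSAT ActiveDirectory
# and GroupPolicy modules (Windows PowerShell 3.0 or later).
Import-Module ActiveDirectory, GroupPolicy

$leafNames = 'Laptops', 'Desktops', 'Users'   # the "end" OUs named in the post
$outFile   = '.\gpo-per-ou.csv'               # assumed output path

# Collect the leaf OUs and the enabled GPOs that apply to each one.
$ous = Get-ADOrganizationalUnit -Filter * |
    Where-Object { $leafNames -contains $_.Name }

$rows = foreach ($ou in $ous) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    [pscustomobject]@{
        OU   = $ou.DistinguishedName
        GPOs = @($inh.InheritedGpoLinks | Where-Object Enabled |
                 ForEach-Object DisplayName)
    }
}

# One column per GPO seen anywhere; an "x" marks that the GPO applies to the OU.
$allGpos = $rows.GPOs | Sort-Object -Unique

$rows | ForEach-Object {
    $line = [ordered]@{ OU = $_.OU }
    foreach ($g in $allGpos) {
        $line[$g] = if ($_.GPOs -contains $g) { 'x' } else { '' }
    }
    [pscustomobject]$line
} | Export-Csv -Path $outFile -NoTypeInformation

# OUs with an identical GPO set are the consolidation candidates.
$rows | Group-Object { ($_.GPOs | Sort-Object -Unique) -join '|' } |
    Where-Object Count -gt 1 |
    ForEach-Object { "Same GPO set:"; $_.Group.OU; '' }
```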


XP – Slow user login, constant prompts for accessing file shares

2011-07-13

At work we were having an issue that seemed to happen a lot at remote sites. Either login times were glacially slow or users could not access file shares without being prompted over and over again for their credentials, and there were numerous logs of:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: time
User: N/A
Computer: Computername
Description: The Security System detected an authentication error for the server ldap/dca.acc.local. The failure code from authentication protocol Kerberos was “There are currently no logon servers available to service the logon request. (0xc000005e)”.
For more information, see Help and Support Center at http://support.microsoft.com.
Data: 0000: c000005e

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: date
Time: time
User: N/A
Computer: Computername
Description: The Security System could not establish a secured connection with the server ldap/Computername.domain.com. No authentication protocol was available.
For more information, see Help and Support Center at http://support.microsoft.com.
Data: 0000: c0000388

The fix to these issues is to switch Kerberos to UDP. After doing so the warnings disappeared and accessing file shares worked without constant reprompting. As well, logins for these remote users became much, much faster.

The change to set Kerberos to UDP is here:
http://support.microsoft.com/kb/244474

Start Registry Editor.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note If the Parameters key does not exist, create it now.
On the Edit menu, point to New, and then click DWORD Value.
Type MaxPacketSize, and then press ENTER.
Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
Quit Registry Editor.
Restart your computer.
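The same registry change as a script, followed by a check for the two LSASRV warnings quoted above; this is an added example, not from the original post. Per KB244474, a MaxPacketSize of 1 makes the Kerberos client use TCP.

```powershell
# Added example: scripted form of the Registry Editor steps above.
# Run elevated in Windows PowerShell (Get-EventLog is not in PowerShell 7).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$name = 'MaxPacketSize'
$want = 1

# Create the Parameters key if it does not exist (the "Note" step).
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Only write when the value is missing or different, and say what changed.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -ne $want) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
    Write-Output "MaxPacketSize was '$current', now $want. Restart the computer."
} else {
    Write-Output "MaxPacketSize is already $want."
}

# After the restart: count the LSASRV 40960/40961 warnings from the last day
# to confirm they have stopped.
$hits = Get-EventLog -LogName System -Source LSASRV -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
    Where-Object { 40960, 40961 -contains $_.EventID }
$hits | Group-Object EventID | Select-Object Name, Count
```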


Find all OU’s and what GPO’s are linked to them

2011-07-11

I made a script using SED and ADFIND to find all OU’s and what GPO’s were linked to them:

Love it 🙂

To expand on the above, here is a batch file that will find all empty OU’s and what GPO’s are linked to them:
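A report of empty OUs and their GPO links using the ActiveDirectory and GroupPolicy PowerShell modules instead of SED and ADFIND, as an added example that is not the original batch file. It treats an OU as empty when it has no direct child objects, which is an assumption about what the original script checked.

```powershell
# Added example, not the post's batch file. Requires the RSAT ActiveDirectory
# and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

Get-ADOrganizationalUnit -Filter * -Properties gPLink | ForEach-Object {
    $ou = $_

    # "Empty" here means no direct child objects of any kind (assumption).
    $child = Get-ADObject -Filter * -SearchBase $ou.DistinguishedName `
                 -SearchScope OneLevel -ResultSetSize 1
    if ($child) { return }   # not empty, move on to the next OU

    # gPLink is a run of [LDAP://cn={GUID},cn=policies,...;flags] entries.
    # Flags: 0 = enabled, 1 = disabled, 2 = enforced, 3 = enforced and disabled.
    $pattern = '\{([0-9A-Fa-f-]{36})\}[^;\]]*;(\d)'
    foreach ($m in [regex]::Matches([string]$ou.gPLink, $pattern)) {
        $guid  = $m.Groups[1].Value
        $flags = [int]$m.Groups[2].Value
        $gpo   = Get-GPO -Guid $guid -ErrorAction SilentlyContinue

        [pscustomobject]@{
            OU       = $ou.DistinguishedName
            # A link whose GPO no longer exists is reported rather than skipped.
            GPO      = if ($gpo) { $gpo.DisplayName } else { "(orphaned link) $guid" }
            Disabled = [bool]($flags -band 1)
            Enforced = [bool]($flags -band 2)
        }
    }
}
```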

 


Set home directories even if it’s a hidden share

2011-07-06

There exists an issue with DSMOD that prevents you from modifying the -hmdir with a share that has a dollar sign in it. According to the dsmod.exe example:

The special token $username$ (case insensitive) may be used to place the
SAM account name in the value of -webpg, -profile, -hmdir, and
-email parameter.
For example, if the target user DN is
CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is “janed,” the -hmdir parameter can have the following
substitution:

-hmdir \users\$username$\home

The value of the -hmdir parameter is modified to the following value:

- hmdir \users\janed\home

This does not work if your home directory is structured like so:

-hmdir \users$\$username$\home

The value returned by DSMOD is actually:

- hmdir \users$\$username$\home as opposed to the proper
\users$\janed\home

To fix this you can use the awesome ADFIND and ADMOD from Joeware.

The command to set it correctly would be:

Go Joe!


AD Script to Link GPO’s via the command line

2011-06-28

I’ve modified a script I found online to allow standard batch file passthrough for linking a GPO to a OU.

Usage: cscript.exe linkGPO.vbs "Test GPO" "lab.com" "OU=AD Project,DC=lab,DC=com"

 


invalid pxe server list format – Altiris

2011-05-03

I restarted our Altiris server and our PXE services wouldn’t come up. Trying to start them resulted in:

File not found
I then checked the path listed in the service and found that, indeed, our PXE files were not in the location that the service was trying to start them in:
F:\Program Files\Altiris\eXpress\Deployment Server\PXE
The missing files were:
PXEService.exe
PXEmtftp.exe
PXEMgr.exe
PXECfgService.exe
They were located here:
F:\Program Files\Altiris\eXpress\Deployment Server\PXE\MasterImages\UpSrv\51
I don’t know why it wasn’t looking for them in the longer path, but I copied those files to the directory it wanted (PXE)
I then attempted to start the services and they all started correctly.
Then I attempted to PXE boot one of my VM’s. This failed with an error stating:
“invalid pxe server list format”
Attempting to troubleshoot this, I used procmon and saw that it was downloading bstrap.0 successfully then generating the error. I enabled logging for the PXE Server in Altiris and set the logging level for “Errors”. I then restarted all the Altiris services. When I restarted the PXE Server service, I got this error message:
E [11:32:26 05/03] (3480): Enter: SetupDHCP(…)
E [11:32:26 05/03] (3480): SetupDHCP: Auto Detect, configure option 60.
(3480)Failed to load Dll Library.
(3480)Failed to load Dll Library.
(3480)Failed to load Dll Library.
(3480)Failed to load Dll Library.
I then fired up Process Monitor and did a file trace while restarting PXE Server. It informed me it could not find the following files:
 
I then copied those missing DLL’s from the F:\Program Files\Altiris\eXpress\Deployment Server\PXE\MasterImages\UpSrv\51 directory to the F:\Program Files\Altiris\eXpress\Deployment Server\PXE directory and restarted the PXE Server Service.
I then attempted to PXE boot my VM and lo and behold, it worked again.

Configure Local Group Policy via the command line

2011-04-29

Apply a security policy using an .inf file

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=profile description
[System Access]
MinimumPasswordAge = 10
MaximumPasswordAge = 30
MinimumPasswordLength = 6
RequireLogonToChangePassword = 0
NewAdministratorName = "NewAdminAccountName"
NewGuestName = "NewGuestAccountName"

Simple to apply from a cmd line
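An added example, not from the original post, of applying a template like the one above with secedit from PowerShell, then exporting the effective policy to confirm that the [System Access] values took effect. The file paths and the Read-SystemAccess helper are assumptions made for the example.

```powershell
# Added example. Run elevated. All paths below are assumed, not from the post.
$inf      = 'C:\Temp\policy.inf'      # the template shown above
$db       = 'C:\Temp\policy.sdb'      # scratch database secedit builds
$log      = 'C:\Temp\policy.log'
$exported = 'C:\Temp\effective.inf'

# Hypothetical helper: read key = value pairs from the [System Access] section.
function Read-SystemAccess([string]$Path) {
    $section = ''; $values = @{}
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $values[$Matches[1]] = $Matches[2].Trim().Trim('"')
        }
    }
    $values
}

# Check the template before it touches the machine.
secedit /validate $inf
if ($LASTEXITCODE -ne 0) { throw "secedit /validate returned $LASTEXITCODE for $inf" }

# Apply only the security policy area, which holds [System Access].
secedit /configure /db $db /cfg $inf /overwrite /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure returned $LASTEXITCODE, see $log" }

# Export what the machine now has and compare it with the template.
# On a domain member the domain password policy wins, so differences in the
# password settings are expected there.
secedit /export /cfg $exported /areas SECURITYPOLICY /quiet | Out-Null
$wanted = Read-SystemAccess $inf
$actual = Read-SystemAccess $exported
foreach ($k in $wanted.Keys) {
    if ($actual[$k] -ne $wanted[$k]) {
        Write-Warning "$k is '$($actual[$k])', template asked for '$($wanted[$k])'"
    }
}
```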

 


Maya and rendering priorities

2011-04-19

I have a small farm of computers at home that I want to use as a render farm. Some of them are used by my family though and starting Maya renderings on them greatly diminishes their usability during that time. What needs to be done is force the priority lower on the rendering app (mayabatch.exe). 3D Studio Max has a script called “serverpriority.ms” that does this and it’s essentially one line that, upon startup, sets the priority to low. I’ve been unable to find one like that for Maya but have found an acceptable workaround.

If you start the Backburner server.exe app as low priority all threads that the apps server.exe starts (like cmdjob and mayabatch.exe) will start in the same priority. Start the server.exe as low and your rendering threads will be low. To start server.exe in a low priority mode via command-line it looks like this:
Done!

Windows Backup Error 0x81000019

2010-12-12

Recently, I’ve been getting an error from Windows Backup:

Error Code: 0x81000019
Event Viewer lists the following additional information:
Shadow copy creation failed because of error reported by ASR Writer. More info: The requested system device cannot be found. (0x80073BC3).
 
Volume Shadow Copy Service warning: ASR writer Error 0x80073bc3. hr = 0x00000000, The operation completed successfully.
.
 
Operation:
PrepareForBackup event
 
Context:
Execution Context: ASR Writer
Execution Context: Writer
Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
Writer Name: ASR Writer
Writer Instance ID: {5c8b67a8-a665-45e5-9f5c-45382f136693}
 
Error-specific details:
ASR Writer: The requested system device cannot be found. (0x80073BC3)
 
Volume Shadow Copy Service error: Unexpected error calling routine Check OnIdentifyError. hr = 0x80073bc3, The requested system device cannot be found.
.
 
Operation:
PrepareForBackup event
 
Context:
Execution Context: ASR Writer
Execution Context: Writer
Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
Writer Name: ASR Writer
Writer Instance ID: {5c8b67a8-a665-45e5-9f5c-45382f136693}
 
Error-specific details:
ASR Writer: The requested system device cannot be found. (0x80073BC3)
 
Fault bucket 668258104, type 5
Event Name: WindowsBackupFailure
Response: Not available
Cab Id: 0
 
Problem signature:
P1: Backup
P2: 6.1.7600
P3: 0x81000019
P4: 7
P5:
P6:
P7:
P8:
P9:
P10:
 
Attached files:
C:\Windows\Logs\WindowsBackup\WindowsBackup.1.etl
 
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Backup_7a9178ddfcd376c581a8653b09ae5e2464735bf_100ef6dc
 
Analysis symbol:
Rechecking for solution: 0
Report Id: 8b57e781-0633-11e0-a042-90e6ba2d22c8
Report Status: 0
 
Backup did not complete successfully because a shadow copy could not be created. Free up disk space on the drive that you are backing up by deleting unnecessary files and then try again.
And what does it all mean? Well, I just recently installed a new hard disk and installed an alternative OS onto it. This new hard disk is appearing as “Disk 0” in Disk Management and it *is* the boot device. When I boot off it and then select my Windows partition I get these error messages. It appears VSS attempts to access/lock the drive that booted the OS and it fails. If I attempt to take “Disk 0” offline, I get the following error message:
—————————
Virtual Disk Manager
—————————
Disk attributes may not be changed on the current system disk or BIOS disk 0.
—————————
OK
—————————
Using Procmon I can see that VSSVC.exe attempts to access a filesystem that it cannot… Well, the only disk that it can’t access is the lone “Alternative OS” disk. I suspect removing that disk or forcing my BIOS to boot directly to the Windows partition will resolve my issues. If you’re in a similar situation as me, I would suggest checking your boot order, removing any extraneous disks or ensuring your boot drive is appearing as “Disk 0” in disk management.
I’ve just tested and confirmed that forcing my BIOS to boot directly to my OS drive without going through an alternative drive has enabled the backup program to operate without any errors.
This blogpost is for anyone else that may experience a similar issue.