Matt's questions

I'll happily close this if its a dumb question. I am trying to grant rights to SELF on an AD service (user) account for a MSSQL Server instance account.

Problem is I cannot see the check box for Read ServicePrincipalName / Write ServicePrincipalName based on multiple sources that suggest I need to add that ACE to the account.

Is this because I am using a user account as supposed to an MSA? I tried running the following anyway since I should not be limited by checkboxes...

dsacls "CN=SQL Engine Service,<redacted>" /G SELF:RPWP; "servicePrincipalName"

Which came back as successful but I have been unable to verify that change is present anywhere.

(get-acl "ad:\CN=SQL Engine Service,OU=Service Accounts,DC=cdn-north,DC=ab,DC=ca").access | where identityreference -eq "NT AUTHORITY\SELF" | select objecttype,activedirectoryrights

ObjectType                                                                                        ActiveDirectoryRights
----------                                                                                        ---------------------
ab721a53-1e2f-11d0-9819-00aa0040529b                                                                      ExtendedRight
00000000-0000-0000-0000-000000000000                                                         WriteProperty, GenericRead
e45795b2-9455-11d1-aebd-0000f80367c1                                                        ReadProperty, WriteProperty
e45795b3-9455-11d1-aebd-0000f80367c1                                                        ReadProperty, WriteProperty
ab721a53-1e2f-11d0-9819-00aa0040529b                                                                      ExtendedRight
ab721a54-1e2f-11d0-9819-00aa0040529b                                                                      ExtendedRight
ab721a56-1e2f-11d0-9819-00aa0040529b                                                                      ExtendedRight
77b5b886-944a-11d1-aebd-0000f80367c1                                                        ReadProperty, WriteProperty
ea1b7b93-5e48-46d5-bc6c-4df4fda78a35                                                                      WriteProperty
3f78c3e5-f79a-46bd-a0b8-9d18116ddc79                                                        ReadProperty, WriteProperty
91e647de-d96f-4b70-9557-d63ff4f3ccd8                                         ReadProperty, WriteProperty, ExtendedRight

I am expected to see th GUID Service-Principal-Name (f3a64788-5306-11d1-a9c5-0000f80367c1) but its not there.

Where I am going wrong? Why can't I add read and write permission for ServicePrincipalName to the user account sqlengine in my domain?

Our main website was moved to a new webhost and a new domain. We control our DNS and were instructed to change the A record for olddomain.com to point it to the new host newdomain.ca.

We lowered the TTL about a week before the change and made the change on November 1st.

Since then some, not all, clients e.g. mobile and desktop of varying browsers are getting certificate errors when browsing to https://olddomain.com. If the option is available to continue anyway then you are sent to https://newdomain.ca and the correct cert shows.

We were told that this issue with with the local clients that had previously browsed to the website and are caching the old certificate for olddomain.com. Further to that the easiest thing to do would be to migrate DNS to new nameservers so that local clients would be forced to purge the old cert.

That's almost makes sense to me except I don't understand why the issue persists if I clear my SSL state and browser cache.

Why I am still getting certificate errors when browsing to https://olddomain.com? It should just be redirecting to newdomain.ca

There is a program we have that needs to be set up after the user signs in. This change is the same for everyone and only needs to be done once. We are trying to present that app in Citrix and are having a small issue.

I am trying to get this file to populate when the local profile is being created.

C:\users\[username]\.folder\.settings\properties.ini

Since this only needs to happen on a few server I figured a simple way would be to use the default user profile and add that folder into it. In practice it appears this is ignored by the profile creation process.

I was curious if there was something authoritative that explains why that didn't work. Searching mostly leads to image creation and dealing with unattend.xml which is not what I am trying to do.

We are likely going to be using a GPO and populate the RunOnce to run a script or something similar. I am trying to avoid running a script everytime the user signs in for something that only has to happen once.

We had a security incident recently where we needed to rebuild the network. For the time being we are just putting things back the way they were until we have more time to come up with a better go forward plan.

We have many locations that do not have their own server infrastructure on site and use our main location for DNS. These remote sites are located in that same site per ADSaS. The VPN tunnels at these sites can only see our main location. We have other sites with Domain Controllers in them that the remote sites do not need to see.

When we go to a machine at set its DNS server and do lookups to our domain the query result is returning all our Domain Controllers in our organization. This includes servers it cannot see. After several passes of ipconfig /release and ipconfig /renew it finds the correct Domain Controllers and we can move forward.

I turned on DNS Client logging on these machines and I can results like this...

Query response for name ourdomain.net, type 1, interface index 0 and network index 0 returned 0 with results 10.20.13.1;10.20.20.50;10.20.40.51;10.20.68.2;10.20.66.2;10.20.66.51;

and what happens is that the order of the results shifts after each release renew.

When I look at NS for our sites it looks correct. I am trying to keep the information lean as I do not know what would be useful to include and being too verbose will put off some people.

Why are the DNS clients being offered Domain Controllers IPs that exist outside their site? Those are all valid Domain Controllers but not for all PCs. Some of those are relative to their own sites.

I am using BitVise SSH Server. Normally I have it listening on 49000 for SSH/SFTP requests which works fine. I am trying to set it up to listen for FTP on 21. According to the logs the connection is established and terminates normally. However the client side is not connecting correctly.

Using WinSCP I see this in the logs and on screen

. 2019-09-11 11:10:31.735 Connecting to sftp.mysite.ca ...
. 2019-09-11 11:10:31.735 Connected with sftp.mysite.ca. Waiting for welcome message...
< 2019-09-11 11:10:31.735 220 Bitvise SSH Server 8.32
> 2019-09-11 11:10:31.735 USER scanner
< 2019-09-11 11:10:31.735 530 No security mechanism selected
. 2019-09-11 11:10:31.735 Connection failed.
* 2019-09-11 11:10:31.773 (EFatal) Connection failed.
* 2019-09-11 11:10:31.773 Authentication failed.
* 2019-09-11 11:10:31.773 Connection failed.
* 2019-09-11 11:10:31.773 No security mechanism selected

Surely I need to do something on the server side. All I did was add a listening port under Settings > Server > Bindings and UPnP > IPv4 for FTP on port 21.

So I am looking to either FTP was not setup correctly or what I need to do on the client side to offer the correct security mechanism. I am doing this as we have some old printers that do not support modern security protocols like SMBv2 so FTP is supposed to be an acceptable compromise and I am using Bitvise to broker the connection so that users can scan to folders but using FTP.

We are having an issue with our 6.5 ESXi host. As part of our troubleshooting we have enabled ESXi Shell and SSH. Between VMWare Docs and community posts I keep seeing that we are supposed to be able to access the ESXi Shell over SSH.

I am signed in via SSH to the problem host and I am only getting access to basic commands.

login as: root
[email protected]'s password:
/admin1-> help
[Usage]
    show   [<options>] [<target>] [<properties>]
           [<propertyname>== <propertyvalue>]
    set    [<options>] [<target>] <propertyname>=<value>
    cd     [<options>] [<target>]
    create [<options>] <target> [<property of new target>=<value>]
           [<property of new target>=<value>]
    delete [<options>] <target>
    exit   [<options>]
    reset  [<options>] [<target>]
    start  [<options>] [<target>]
    stop   [<options>] [<target>]
    version [<options>]
    help   [<options>] [<help topics>]
    load -source <URI> [<options>] [<target>]
    dump -destination <URI> [<options>] [<target>]
/admin1-> ps
cmdstat
        status       : 2
        status_tag   : COMMAND PROCESSING FAILED
        error        : 253
        error_tag    : COMMAND NOT RECOGNIZED

I am connected to the ESXi shell on session 0 on the host but a process is hung and I need to stop it (I ran esxcli with no parameters and its just letting me keep typing and I can't exit it). However I don't seem to be able to run commands to kill the processes I want.

I am not in there enough to recognize the place I am stuck in. Not the focus of the question but the larger issue we are trying to troubleshoot is the host in unresponsive in vCenter and VMs are up but in a disconnected state

I have a functioning wildcard certificate running on a Barracuda Load Balancer. From what I understand I can use that same certificate on other servers / appliances. The certificate is listed as exportable and, once I provide a password, I get a PKCS #12 file.

When I try to import that into IIS 10 Certificates > Import Wizard. I just get the error

The specified network password is not correct.

I read that this can be a result of using a weak password. I tried a couple of long and complex passwords but I end up with the same error.

I contacted Barracuda to see what they could do and they took my cert and password and converted it for me into another format containing "-----BEGIN PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----" sections. I don't know how that file was created exactly. When I import that I get the message that the

Certificate does not contain a private key

I read that this can be because of previous failed import attempts which was certainly the case for me. I needed to repair the cert. That ends in failure as well with an error from certutil

No key provider information
Cannot find the certificate and private key for decryption.

When I import the cert to the Personal Store and open it I do not see a message to tell me there is a private key associated which might explain previous error messages.

openssl pkcs12 -in c:\users\matt\Downloads\Wild.p12 -nocerts -out c:\temp\test\wild.key
openssl pkcs12 -in c:\users\matt\Downloads\Wild.p12 -clcerts -nokeys -out c:\temp\test\wild.crt

With a pair of valid file I tried to import again but that did not help.

I'm not sure what I need to do to get my PKCS #12 from my Load Balancer to successfully import into a IIS 10 instance.

I have a Windows Server 2008 R2 SP1 machine that is isolated in a DMZ. Historically it has not had issues but everything works before it breaks. The port 8530 is open on the firewall appliance and I can telnet from the client to the server which proves the site is ready and open.

This machine is not attached to the domain so WSUS server is set in the registry. So under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate I have

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://kanwsus2k16:8530"
"WUStatusServer"="http://kanwsus2k16:8530"
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

The windowsupdate.log corroborates this. I would like to try and include only what is required to try and keep the post length down. The client reaches out to the server and see that it has X available updates. However it fails to download those. The log shows entries like this:

2018-05-07  11:05:19:960     668    47c DnldMgr BITS job {7835096F-E02C-4B66-AD0F-3D71EF17C73B} hit a transient error, updateId = {3FD57624-1808-41C7-979D-8606CA1229B6}.202, error = 0x80072EE2
... output truncated ....
2018-05-07  11:05:40:963     668    47c Misc    WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2018-05-07  11:05:40:963     668    47c Misc    WARNING: WinHttp: SendRequestUsingProxy failed for <http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/secu/2018/04/windows6.1-kb4093118-x64-express_c1473ce4b149cf34239c364a9787030447e376ca.cab>. error 0x80072ee2

With regards to the SendRequestUsingProxy failed, that should fail. The server does not have access to Microsoft websites so it will be blocked from being able to go there. What I can't figure out is why it isnt getting the updates from the WSUS server directly. We do not use a proxy nor is one configured.

On the WSUS Server side of things I see that it get a download failed status for each of the updates. So in short the communication is there but the client is trying to download the updates from externally. It is a 2k16 server and reading the logs with Get-WindwosUpdateLog has not proven useful.

This is the only external server I have to the network so I do not have any comparison systems to know exactly where the system is.

In an attempt to testing connectivity to the server I try to browse to http://kanwsus2k16:8530/selfupdate/wuident.cab which is met with page cannot be displayed on the client server. (That link works fine on the internal network)

Why is my Windows Update client not honoring the WSUS path for updates and instead attempting to go externally for Microsoft?

Other things I have tried:

• System Update Readiness Tool for Windows Server 2008 R2 x64 Edition
• Clearing BITS Queue
• Renaming SoftwareDistribution folder
• Verified nothing is being blocked from the networking side going to WSUS server on port 8530
• Added DoNotConnectToWindowsUpdateInternetLocations equal to 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

On a SQL 2008R2 box we recently had a number of jobs fails for various reasons that were mostly memory related, including one stating the page file was full. The Windows 2008R2 VM had 16GB of RAM and a dedicated disk for a 6GB page file. For now we moved the page file back to the C: drive and increased its size to 8GB. The long term effects of that are yet to be seen.

Our Server Admin, this morning, increased that "swap" drive to 25GB as was recommended by the GUI. What struck me as odd is that the admin also changed virtual memory to be mananged automatically across all drives. This strikes me as waste of space but I don't really understand how Windows automatically manages the page file. Here is a snapshot of the current virtual memory settings to help with the description.

Can a Windows OS that is automatically managing paging file size for all drives effectively use a drive that is dedicated for that purpose?

I made a script that takes data from an HR database and populates correlating attributes in AD e.g department, title, manager, location.

Since people change titles, departements and/or locations on occasion it is important to keep AD up to date since we have processes that depend on the validity of this information e.g. location based dynamic distribution groups. To try and keep the process fast I just run Set-ADuser for each users regardless if something changed or not.

I had worried that I would be changing the modified timestamps needlessly since it is faster to just make these changes constantly then it is to verify that no changes would be needed.

To my surprise it seems that AD is doing something like this for me as most of the user modified timestamps are not matching subsequent script execution times. This seems like a positive for me as AD is doing this for me under the hood. FYI I have 2 DC's that I could be talking to for this and I have checked both times to ensure that I am not just drawing a horrible conclusion.

I cannot find an authoritative source that explains this and I am not sure if this is PowerShell doing the job for me or something Active Directory is doing.

There are two sections of the script that make updates to Active Directory. First updates their employeeID

foreach($currentUser in $idlessUsers){
    Write-Progress @progressParameters -CurrentOperation $currentUser.Name -PercentComplete ($userIndex / $idlessUsers.count * 100)
    $matchuser = $hrUsers | Where-Object{$_.givenname -eq $currentUser.givenname -and $_.surname -eq $currentUser.surname}
    if($matchuser){
        $currentUser | Set-ADUser -EmployeeID $matchuser.employeeid
        Write-Host ("{0} employeeid updated to {1}" -f $currentUser.Name, $matchuser.employeeid) -ForegroundColor Green
    }
    $userIndex++
}

The second changes more information using splatting

foreach($singleADUser in $usersToUpdate){
    Write-Progress @progressParameters -CurrentOperation $singleADUser.Name -PercentComplete ($userIndex / $usersToUpdate.count * 100)
    # Try and find a match in the $hrUsers
    $matchingHRUser = $hrUsers | Where-Object{$_.EmployeeID -eq $singleADUser.EmployeeID}

    if($matchingHRUser){
        # Get the AD object of this users supervisor
        $mathingUserSupervisor = $ADSupervisors | Where-Object{$_.employeeid.trim() -eq $matchingHRUser.supervisorid}

        if(!$mathingUserSupervisor){
            Write-Host ("Could not find supervisor for {0} using supervisor id: {1}" -f $matchingHRUser.name, $matchingHRUser.supervisorid) -ForegroundColor Red
        }

        $parameters = @{
            Replace = @{l=$matchingHRUser.Location}
            Title = $matchingHRUser.title
            Department = $matchingHRUser.Department
            Manager = $mathingUserSupervisor
        }
        $singleADUser | Set-ADUser @parameters
    } else {
        write-host "Cannot find a HR user with ID: '$($singleADUser.EmployeeID)' and Name: $($singleADUser.Name)" -ForegroundColor Red
    }

    $userIndex++
}

I am trying to automate a weekly process where I download a CSV copy from the Client page on the Meraki website.

Before I lose you I am aware there is an API and it works very well. However there in a device attribute that is not exposed in the API. I got this from their support:

At this point, the "Owner" field is not accessible through the API, and it is currently in development.

I need the Owner as that is how I associate devices to people in our organization.

Using PowerShell I am able to successfully log into the website and get a 200 response for a basic page. My problem comes when I try to use the same session to get to the data I want I keep getting a page with just breadcrumbs and no actual data.

# Browse the Meraki website
$response = Invoke-WebRequest -Uri "https://n116.meraki.com/login/dashboard_login" -SessionVariable meraki

# Form Credentials
$formFields = @{
    email = "my address"
    password = "my password"
}

# Authenticate to the site
Invoke-WebRequest -Uri $response.Forms.Action -WebSession $meraki -Body $formFields -Method Post
# Get the client list
Invoke-WebRequest -Uri "https://n116.meraki.com/my-company/n/_-tSGb0b/manage/pcc/list" -WebSession $meraki -Method Get

Worst case is I am hoping to get the parsedHtml of the Client List table so I can work with its contents. I can't seem to get any useful data no matter what page. I am not sure if the issue is working with Meraki or my PowerShell approach. I have only done simple scraping up until this point.

I realize this is a very specific request but I am curious to know if someone that has Meraki is able or has been able to get this information using these means.

We purchased a networking and software solution for PCI compliance: TrustWave. We started to install the antivirus but realized that it was not required on the machines it was being installed on and wanted to install a different solution.

The program's attended uninstall works fine. It is the unattended install that is not very clean. While it supports a silent switch much of itself is left behind. I have scripted most of it but there is one part I am having issues with: Windows still sees the software as installed as an antivirus product. Looking at how to confirm this comes from WMI

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

I am having a hard time finding out how to wipe this information. Searching just leads me to solution about installing or removing the whole antivirus product which has already been done.

Is there a way to write to this namespace (or equivalent registry) specifically so that Windows forgets this has been installed? I realize this request could be seen as malicious.

Installing the other antivirus would most likely fix this issue but there are some machines that will be running without so this information would still be useful.

We are having issues talking to another company. There mails are bouncing back with the error:

#< #5.0.0 X-Spam-Firewall; mail for airinuit.ca loops back to myself> #SMTP#

I have seen this message in relation to configuration issues with PostFix. My environment is Exchange 2010 with a Barracuda Spam & Virus appliance as our mail gateway.

When I looked up the MX record with nslookup I got

> set type=mx
> domain.ca
Server:  mydc.domain.net
Address:  10.10.13.21

Non-authoritative answer:
airinuit.ca     MX preference = 10, mail exchanger = loopback.internic.ca

loopback.internic.ca    internet address = 127.0.0.1

I got the same results from the MXtoolbox. So I guess I understand why my mail gateway thinks it is supposed to send mail to itself. Internic.ca is a CA Registrar.

This does not make sense to me. Even less when I try to email them from my google account and I don't get a bounce back.

What does this mean? I don't think there is an issue on my side but I don't understand why this means.

In Exchange 2010 distribution groups must be universal. This is supported by documentation

You can create or mail-enable only universal distribution groups.

I am trying to create a role based security group structure so that if someone leaves or changes jobs you only have to change the groups membership of a users "role" (Where the role is just another security group). In its simplest form roles would have users for members and the role would itself be a member of other resource-centric security groups e.g. a read-write group for a share. There is more to the model than that but it should be enough for the purpose of this question.

The problem comes from when I want to add these role groups as distribution members. If I try and add a "Marketing Manager" role to the "[email protected]" distribution list it will not forward mail to the role members unless the role security group is universal.

Universal groups cannot be members of global groups though. So, if I wanted to convert my role groups to universal so that I can mail enable them I would then also have to change the groups the role itself is a member of as well. This means that I would be converting near all my security groups in AD to universal to support my proposed structure.

We are a single domain forest with about 1000 users and I would expect once all the groups for this are made to have 1000+. Functional level of the domain is 2008R2

I honestly don't know of the impact this might have in our active directory environment. Is making all the group universal really the only way to do this if I wanted to add my roles to distribution groups? The answer appears to be yes if I want them to be used for mail. I do want this so that way help desk users don't have to worry about what groups users need. They just need to know their "role".

The linked question answers why I cannot just have simple security groups but I want to know if my proposed structure, meaning that I will be converting near all my groups to universal, has any negative implications or is maybe considered a bad practice.

I was trying to update our Central Store with new policies for Windows 10. Originally I made a copy of the store in the same location and named it .bak just in case.

I copied the local definitions folder into the Store successfully. However I look now and see the folder names:

PolicyDefinitions_NTFRS_45859c8a
PolicyDefinitions_NTFRS_49198af0

No surprise that when I rename one of them to drop the new suffix it is tacked on again pretty quickly. I am making these changes on one of the domain controllers. We have 4 AD sites and 6 DC's in total.

So this is related to FRS but I don't see errors related to this in the logs. I am not sure what the issue is here. Replication still appears to be working as the new names are seen on all my other DC's. Group Policy however is not pulling templates from the Central Store; just my local computer.

For Microsoft Server OS's, is there a location in the registry or possibly WMI that stores the number of pending Important Updates?

My inventory software supports wmi and registry keys. Trying to see if there is a way to report that number so that I know remotely if there are updates either ready to be downloaded/installed. Searching for this gives a lot of out of scope information since ther are generic terms.

While I do use WSUS this information would be preferential to have centralized in my LanSweeper inventory system. Neglected to mention that I use WSUS yes. For WSUS to have this information I would gather that is it locally on my machine as well.