Schneider's questions

First I tried enabling PIN using Computer Configuration/Administrative Templates/System/Logon/Turn on convenience PIN sign-in.

This did allow me to set a PIN on the client PC (previously this option was greyed out). But after logging off, and even restarting, it kept asking for a password not PIN.

So, following the help provided on that setting:

"In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.

If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. "

So I went ahead and enabled Windows Hello for Business as well. After restarting client I still was not able to login with PIN, and on top of that the PIN setting within Settings was now greyed out. Under the Windows Hello section it states

"Windows Hello isn't available on this device"

This same device was connected at one point to Azure AD and it worked fine with a PIN so it seems the hardware is perfectly capable of using the PIN.

But I am now stuck as to what settings I need to change to enable to PIN for this local domain-joined device.

Using: Windows 10 Pro 14393.726 and Server 2016 14393.693

We have a build server VM which previously had 4GB of RAM allocated but that has now been reduced to 2GB, partially as an experiment to see if it runs just as well with less memory.

I've been watching the memory usage in the Task Manager during a build to monitor how much memory is "In use" and it has not risen above 90%...which makes me suspect it's running just fine.

But this started me thinking: What are they key metrics that would tell me a server has/has not got enough memory or would benefit from more?

Is it as simple as looking at "In Use" memory over time? Or should I look at "Available"? Or look at the amount of paging? Should I setup alerts and what on? I suppose I'm looking for some insights into analysing server memory usage.

We run a small business and have begun to use Azure AD to manage our users. Our Windows 10 workstations are connected to the Azure domain via "Connect to work or school" setting, and that works nicely.

The problem is we have a couple of Windows Server 2016 installations in the office. Currently they are setup with local admin accounts and people log in as that in order to administer them.

What we really want is to be able to grant admin rights to our Azure AD users and allow them to login to the server with their regular Azure AD credentials.

What is the equivalent of "Connect to work or school" for Windows server 2016? How do we allow Windows server to grant admin rights to specific AD users?

I have seen Azure AD Connect, but that seems to require us to setup AD locally and sync it with Azure. I'm concerned, if this is the solution, that it will complicate our admin load. We are just looking for a really simple solution. If Azure AD connect is the answer, what is the simplest way to set it up to achieve the most basic on-site server administration for Azure AD users?

I'm trying to disable the local admin on my workstation. I load local group policy editor and navigate to Computer Config -> Windows Settings -> Security settings -> Local Policies -> Security options, and I disable the Accounts: Administrator account status. I then exit the editor and reload it but the setting has returned to enabled.

This PC is connected to Azure ActiveDirectory. I can't see any errors in the Event Viewer.

My goal is to stop the local admin account logging in automatically when Windows starts up, which is what it's doing currently.

Last Friday user logged in to windows 10 PC using their Azure AD account successfully. User then was absent for one week and PC was left untouched.

This morning user is unable to login. PIN number is instantly reported as "incorrect". Password the same.

Diagnosis so far:

• We have confirmed the Anniversary Update was installed on this PC during the users absence and appears related to, if not the direct cause of, the problem.
• We have confirmed that our Azure AD is working correctly, as we are able to login using other Windows 10 PCs, as well as directly to the Azure portal.

I have managed to enable to local admin account using a registry hack. This has allowed me to see that:

• Windows reports "Your device is up to date". I'm on build Version 10.0.14393 Build 14393

I'm using sc start "MyService" from an elevated "Administrator: Command Prompt" but am getting the following error:

[SC] StartService FAILED 5:

Access is denied.

For completeness, the error when you try to run it from the GUI (services.msc) is:

Error 5: Access is denied

As it's a .NET service, it was installed using InstallUtil.exe (run as Administrator). The service is configured to run as NETWORK SERVICE but I have also tried it with LOCAL SERVICE.

I have been having some issues with explorer.exe hanging when I create a new folder.

If I use Analyse Wait Chain in the Resource Monitor it says "One or more threads of explorer.exe are waiting to finish network I/O".

When I look at the offending thread in Process Explorer it reveals nothing interesting:

ntdll.dll!ZwWaitForMultipleObjects+0xa 
KERNELBASE.dll!GetCurrentThread+0x36 
kernel32.dll!WaitForMultipleObjectsEx+0xb3 
USER32.dll!PeekMessageW+0x1cd 
USER32.dll!MsgWaitForMultipleObjectsEx+0x2a 
USER32.dll!MsgWaitForMultipleObjects+0x20 
SHELL32.dll!SHAppBarMessage+0x41e 
SHELL32.dll!DragAcceptFiles+0x2a3c 
SHELL32.dll!DragAcceptFiles+0x2a4f 
SHELL32.dll!Ordinal211+0x124 
SHELL32.dll!SHChangeNotification_Unlock+0x12f4 
USER32.dll!GetSystemMetrics+0x2b1 
USER32.dll!IsDialogMessageW+0x19b 
USER32.dll!IsDialogMessageW+0x1e1 
ntdll.dll!KiUserCallbackDispatcher+0x1f 
USER32.dll!PeekMessageW+0xba 
USER32.dll!PeekMessageW+0x89 
SHELL32.dll!SHChangeNotification_Unlock+0xd9f 
SHELL32.dll!Ordinal885+0x1407 
SHLWAPI.dll!SHRegGetUSValueW+0x306 
kernel32.dll!BaseThreadInitThunk+0xd 
ntdll.dll!RtlUserThreadStart+0x21

While I was looking at the explorer.exe threads I did notice a fair few that talk about ETW (Event Tracing for Windows) so obviously explorer.exe uses tracing.

So I decided to try and user TraceView.exe to try and listen in on the explorer.exe traces.

The problem is TraceView requires some difficult-to-come-by stuff... either pdbs, or CTL files, and .TMF files. I tried using the explorer.pdb that comes with the Windows SDK but that did not work. I do not see explorer.exe in the "named providers". And I have no idea where to locate the ctl or .TMF files for explorer.exe.

So the question is: Is there a way to view the ETW trace messages from explorer?

Or shall I just not bother and go back to the age old technique of disabling every explorer extenion one-by-one in the hope its one of them. (Prefer the former as I like to get to the bottom of things!!)

I ask because in the architecture diagram on wikipedia, it indicates the "host" OS (root partition) is on a par with the "guest" (child partition), with Hyper-V components below all of them.

http://en.wikipedia.org/wiki/Hyper-V

If that is the case then the host OS is itself being virtualized, so will suffer from that overhead even if there are no guests installed.

Questions:

• Do the hypervisor/vm-bus only get installed once you select the Hyper-V role, or are they below the surface on every Windows Server R2?
• Does adding the Hyper-V role require a reboot?
• How does the presence of the Hyper-V components affect performance of the root partition?
• Is the performance of root identical to child partitions?

Note: I am using Windows Server 2008 R2.

Thanks, Jack

I have just reinstalled a PC with Windows 7 RTM (previously was RC).

The PC had a second hard disk, with various permissions set for the two local user accounts.

After reinstalling the two user's SIDs obviously no longer exist, so they show up as unknown SIDs in the folder security permissions tab.

I would like to know if there is a standard technique or utility/script to allow me to basically scan over the hard disc and update all old SIDs to new SIDs (assuming I know which SID belonged to who), so I don't have to manually reset all the permissions.

Thanks, Jack

What is the best way to format a USB drive with FAT32 (for Mac compatibility) from within Windows 7/Vista?

I ask because the Disk Management only lets you pick exFAT (because the disk is over 32 GB I believe).

Doing it from the command line with diskpart doesn't seem to work either.

I am using iSCSI to connect to some hard drives on the host from a guest.

Here is my setup:

• Vmware Server 2 on host
• Windows Server 2008 (host and guest)
• StarWind Enterprise iSCSI target on host
• MS iSCSI initiator on the guest

The guest only has one network adaptor - setup in bridged mode from the host.

With this out-of-box configuration I am getting about 10 MB/s. I know the physical disks are capable of at least 50MB/s.

Any tips for better performance?

I used VMware Converter to do a P2V of my server.

My server had 3 HDDs: C: D: E: (SATA/IDE)

I only included the C: drive (boot) in the image, because I had not intended to need to activate this VM - just access the files.

After doing a P2V I reinstalled the host OS on to C:.

It turns out that I now need to run the old server as a VM... the problem is drives D: and E: are not accessible, but they are needed in order for the server to function correctly.

How can I access the physical drives D: and E: on my host from my VM in a transparent way? I cannot used network shares because things like SQL server on the VM will not let you have the data store on a network share.

Any ideas? Thanks, Jack

Edit: I am using Vmware Server 2.x (latest from site), Windows Server 2008, and SATA/IDE discs.

With IIS it is very easy to setup bindings between a host name and a website.

If I have my DNS setup with the original registrar, all I need to do is update the A records to point to my IIS server and everything just works.

Domain Name -> IP Address -> (using the host header) -> Website

All good.

I have noticed with my Linux hosts that all of them require me to transfer my DNS to their name servers in order to get the 'bindings' to work. From what I can tell there is no way in cPanel to just tell it to associate a host name with a website.

How do I achieve the same things as IIS bindings in Apache/Linux? Is it even possible in cPanel?

I am just about to "invest" in a cheap Windows 2008 VPS ($30 per month!) which comes with 1GB.

Before I do that I thought I would ask if its realistic to expect a usable server with only 1GB of RAM?

I intend to use it for light development/prototyping work which means 5-10 small websites running on IIS 7 + .NET 3.5 + SQL 2008 Express. If any of my ideas take off I will be upgrading the RAM of course, but I am just curious whether the server would be crippled or unbearably slow with only 1GB etc.

I suppose having SQL on the same server may be the biggest problem...

Thanks

UPDATE: Forgot to mention that its 64-bit windows if that makes much of a difference to memory requirements. Apparently its also Enterprise edition (perhaps I should disable some features on this edition?)

I know how to search for files using dir/gci, but that only works across one drive AFAIK.

• Is there a way to search across all drives on the computer?
• Is there a way without manually enumerating then looping through the drives?
• Is there a way to access the search indexes/services that are already available in windows, to speed up the search?