Wednesday, November 1, 2017

Chrome Browser - prevent / restrict user sign in

In the past I've always forced my end users to use IE.  This made sense as IE is integrated with Windows and could be heavily managed by GPO and other domain settings.
More and more I found myself personally going to Chrome for tasks since it "worked better".  So, I finally admitted (a few years back actually) that maybe it makes sense for me to loosen up a bit and let the end users in on Chrome in the workplace as well.

As with all good things, there's a pain in the arse that comes with them.  Google of course wants users to use its services, and signing in to Chrome helps simplify this.  But in the workplace it may not be a great thing to have end users purposely or accidentally signing in to their personal Gmail (or even other company G Suite) accounts.

One would think a simple Google search would yield lots of results on how to prevent sign-in to the Chrome browser, but for me at least I only found lots of irrelevant junk.  Perhaps I need to work on my Google-fu.

At one time the Chrome ADM templates had a setting called "Allow sign-in to Chrome" or something to that effect.  Fairly obvious and easy to find.  That has since been removed.

NOW there is a setting in the ADMX labeled "Restrict which users are allowed to sign in to Google Chrome".  This is the setting we want.  After you add the ADMX template it is found under:
Computer Configuration/Administrative Templates/Google/Google Chrome  (also under User Config if that meets your needs better)

Enable the setting, put in a bogus expression (or your organization's matching expression if you use Google business apps) and deploy to computers or users depending on your needs.

Users can now attempt to sign in to Chrome and are greeted with a lovely "you can't do that".

Funnily enough, I found that I could go to other Google services, for instance Blogspot, and log in.  But once I tried to go from Blogspot to, say, Gmail, it choked.
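To confirm the policy actually landed on the fleet rather than trusting the GPO report, here is an added compliance check (my example, not part of the original post). It assumes the ADMX setting above maps to the REG_SZ value RestrictSigninToPattern under HKLM\SOFTWARE\Policies\Google\Chrome (the Computer Configuration variant; the User Configuration variant lands under HKCU and is not covered), that WinRM is enabled, and that the computer names and the expected pattern are placeholders.

```powershell
# Added example: report machines where the Chrome sign-in restriction is missing,
# effectively allows any account, or differs from what we deployed.
$expectedPattern = '.*@example\.com'                     # placeholder: your org's pattern (or the bogus one)
$computers       = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')   # placeholder names

function Get-ChromeSigninRestriction {
    param([string[]]$ComputerName)
    # Machine-level Chrome policies are plain registry values, so read them remotely
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $key  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
        $item = Get-ItemProperty -Path $key -Name RestrictSigninToPattern -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Pattern  = if ($item) { $item.RestrictSigninToPattern } else { $null }
        }
    }
}

function Test-ChromeSigninRestriction {
    param([string]$Pattern, [string]$Expected)
    # No value at all: the policy never applied, so anyone can sign in
    if ([string]::IsNullOrEmpty($Pattern)) { return 'MISSING' }
    # Chrome matches the whole account e-mail against the pattern; if a random
    # consumer address matches, the "restriction" restricts nothing
    try {
        if ('someone@gmail.com' -match "^(?:$Pattern)$") { return 'PERMISSIVE' }
    } catch {
        return 'INVALID-REGEX'
    }
    if ($Pattern -eq $Expected) { return 'OK' }
    return 'UNEXPECTED'
}

$results = Get-ChromeSigninRestriction -ComputerName $computers |
    Select-Object Computer, Pattern,
        @{ n = 'Status'; e = { Test-ChromeSigninRestriction -Pattern $_.Pattern -Expected $expectedPattern } }

$results | Sort-Object Status | Format-Table -AutoSize

# Machines that did not answer WinRM are simply absent from $results; call them out too
$unreachable = $computers | Where-Object { $_ -notin $results.Computer }
if ($unreachable) { Write-Warning "No answer from: $($unreachable -join ', ')" }
```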

Wednesday, November 2, 2016

Powershell - FSMO Roles

Viewing FSMO with Powershell
Get-ADDomainController -Filter * | ForEach-Object {$_.Name; $_.OperationMasterRoles; Write-Host}

Transferring FSMO roles with Powershell
Move-ADDirectoryServerOperationMasterRole -Identity servername -OperationMasterRole InfrastructureMaster, RIDMaster, DomainNamingMaster, PDCEmulator, SchemaMaster

Tuesday, July 19, 2016

WSUS Error: Connection Error after KB3148812 and KB3159706

After getting a WSUS server up to date the console no longer worked.

The error is very uninformative...

Log Name:      System
Source:        Service Control Manager
Date:          7/18/2016 10:39:15 AM
Event ID:      7034
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
The WSUS Service service terminated unexpectedly.  It has done this 3 time(s).

The proper fix for both of these KBs, which you SHOULD install:

Also, don't forget that if you are not using SSL for WSUS you should be!

Tuesday, July 5, 2016

Remove iPhone Native apps

With our recent iPhone re-deployment there were several native apps that I wanted to remove.  This is pretty easy to do with Apple Configurator and XenMobile.  This requires the phone to be supervised.  Supervised mode can be set with Apple Configurator or if you sign up for Apple DEP.  Supervising the phone will wipe it.

  1. Ensure Apple Configurator is version 2.x
  2. Click File - New Profile
  3. Restrictions - Configure - Apps tab
  4. Under "Restrict App Usage"
  5. Set to "Do not allow some apps"
  6. Click the plus sign
  7. Type the App name you want to remove and choose it
  8. File - Save - name it and save it
Now you have a profile that will remove the app(s).  You just need to upload this into XenMobile (or other MDM) and apply it to your devices.  It can also be applied straight from Apple Configurator.  I prefer not to use the Configurator to apply ANY configuration and instead push it through MDM.  This allows easier removal of profiles and policies.

XenMobile - do this from the Mac with Apple Configurator on it.
  1. Under Configure - Device Policies - Add
  2. More - Custom - Import iOS & Mac OS X Profile
  3. Name it and then browse to the newly created and saved profile.
  4. Assign to the proper delivery policy and you're all set!
Sit back and watch the native app disappear.

How to get the native app back?  Just remove the profile.

Wednesday, May 25, 2016

DHCP Migrate Failover Deployment to Server 2012 R2

A while back I wrote a guide to migrate from split scope to failover, which is new in Windows Server 2012.

This guide is intended to move the failover to a new Windows Server 2012 R2.  As you already know you can only have two servers in each failover scope.  So in order to do the migration we'll need to drop a server.  The steps to do this are very easy, but attention needs to be paid to where you execute the commands or you could drop the wrong server.

We'll identify our servers as the following:
  • Win2012-01 - Primary DHCP server moving away from
  • Win2012-02  - Secondary DHCP server moving away from
  • Win2012R2-01 - Primary DHCP server moving to
  • Win2012R2-02 - Secondary DHCP server moving to
I'm assuming you already have your new servers built and DHCP role installed.

Also important to note first! If the static IP address of a DHCP server needs to be changed, you must first delete all DHCP failover relationships that exist on that server, and then recreate the relationships when the new IP address is active. 

First we'll remove DHCP failover from Win2012-02
  1. Get a good backup of DHCP
  2. Log into Win2012-01 and open powershell as administrator (right click run as administrator)
  3. Run Get-DhcpServerv4Failover
    1. This gives us necessary information for removing the failover.  Note this will also tell you which partner it's connected to.
  4. Make note of the Name.  In my case it's TF-192.168
  5. The next command will remove the failover AND the scope from the opposite server.  For instance, I'm running this on Win2012-01, which will leave its scope and leases intact.  But it will remove the scope and leases from Win2012-02.  Always run the remove command from the server you want to leave intact.
    1. Remove-DhcpServerv4Failover -Name TF-192.168
  6. Note that Win2012-02 no longer has the scope available (refresh the console)
Now let's add Win2012R2-01 into the scope (note I'm leaving my scope name the same, also I'm using hot standby which is indicated by "ServerRole")
  1. This command is run from Win2012-01
  2. Add-DhcpServerv4Failover -ComputerName Win2012-01 -PartnerServer Win2012R2-01 -name TF-192.168 -ScopeId -ServerRole Active -SharedSecret Ican'tTellYou -Force
  3. From the DHCP console we can now confirm that Win2012R2-01 is getting the scope and leases replicated to it (F5)
  4. In addition run Get-DhcpServerv4failover and you should see the new replication partner of Win2012R2-01 listed, ServerRole of Active (meaning Win2012-01 is still the primary), and Mode of hotstandby.
NOTE: This only replicates the scope, not anything beyond that.  If you set your Options or policies at the server level then this will not move them!  It also won't move your Filters.

At this point we have DHCP Failover between Win2012-01 (Active) and Win2012R2-01 (Standby)

Now let's drop Win2012-01 out of the failover
  1. This command is run from Win2012R2-01  (Important, otherwise you'll drop the wrong server)
  2. Remove-DhcpServerv4Failover -Name TF-192.168
  3. Confirm in the DHCP console that Win2012-01 no longer has any DHCP scopes (refresh)
Now we can add in Win2012R2-02
  1. From Win2012R2-01
  2. Add-DhcpServerv4Failover -ComputerName Win2012R2-01 -PartnerServer Win2012R2-02 -name TF-192.168 -ScopeID -ServerRole Active -SharedSecret Ican'tTellYou -Force

As a final step run your Get-DhcpServerv4Failover and check status.  Also refresh your DHCP consoles and ensure all is happy.  Make sure you configure your Server level options and Policies if needed as well as Conflict Detection Attempts.
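The four phases above, scripted with the guard the post keeps warning about (the Remove step refuses to run anywhere but on the server that is meant to keep its scopes). This is an added example, not the original guide's code; it uses the host names and the relationship name TF-192.168 from the post, a placeholder scope ID and a secret prompted at run time, and adds an Export-DhcpServer/Import-DhcpServer step for the server-level settings the note above says failover does not replicate (that import assumes the new server has no conflicting server-level items yet).

```powershell
# Added example: run one phase at a time, on the server the post says to run it from.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('DropOldSecondary', 'AddNewPrimary', 'DropOldPrimary', 'AddNewSecondary', 'Verify')]
    [string]$Phase
)
$Name      = 'TF-192.168'
$ScopeId   = '192.168.0.0'                                    # placeholder: your real scope ID
$BackupDir = "C:\DhcpBackup\$(Get-Date -Format yyyyMMdd-HHmmss)"

function Remove-FailoverKeepingLocal {
    param([string]$KeepServer)
    # Remove-DhcpServerv4Failover keeps the scopes on the server it runs on and
    # deletes them from the partner, so refuse to run on any other host.
    if ($env:COMPUTERNAME -ne $KeepServer) {
        throw "Run phase '$Phase' on $KeepServer, not on $env:COMPUTERNAME"
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Backup-DhcpServer -Path $BackupDir                            # step 1: good backup first
    $rel = Get-DhcpServerv4Failover -Name $Name
    Write-Host "Removing '$($rel.Name)': partner $($rel.PartnerServer) will lose the scopes"
    Remove-DhcpServerv4Failover -Name $Name -Force
}

function Add-FailoverPartner {
    param([string]$Primary, [string]$Partner)
    $secret = Read-Host "Shared secret for $Name"                 # keep it out of the script
    Add-DhcpServerv4Failover -ComputerName $Primary -PartnerServer $Partner -Name $Name `
        -ScopeId $ScopeId -ServerRole Active -SharedSecret $secret -Force
    # Failover replicates the scope only; copy the server-level configuration
    # (server options, policies, filters) with an export/import of the config.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $cfg = Join-Path $BackupDir 'server-config.xml'
    Export-DhcpServer -ComputerName $Primary -File $cfg
    Import-DhcpServer -ComputerName $Partner -File $cfg `
        -BackupPath (Join-Path $BackupDir 'import') -ServerConfigOnly
}

switch ($Phase) {
    'DropOldSecondary' { Remove-FailoverKeepingLocal -KeepServer 'Win2012-01' }     # on Win2012-01
    'AddNewPrimary'    { Add-FailoverPartner -Primary 'Win2012-01'   -Partner 'Win2012R2-01' }
    'DropOldPrimary'   { Remove-FailoverKeepingLocal -KeepServer 'Win2012R2-01' }   # on Win2012R2-01
    'AddNewSecondary'  { Add-FailoverPartner -Primary 'Win2012R2-01' -Partner 'Win2012R2-02' }
    'Verify' {
        # Both new servers should show the same relationship, Mode HotStandby and State Normal
        foreach ($s in 'Win2012R2-01', 'Win2012R2-02') {
            Get-DhcpServerv4Failover -ComputerName $s |
                Select-Object @{ n = 'Server'; e = { $s } }, Name, PartnerServer, Mode, ServerRole, State
        }
    }
}
```

Conflict Detection Attempts is a server setting too, so set it on each new server afterwards (Set-DhcpServerSetting -ConflictDetectionAttempts), as the final step above says.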

Thursday, May 19, 2016

Powershell Moving and Viewing FSMO roles

Recently wanted to move my FSMO roles, but didn't want to use the old method of netdom.  Besides, everything is going powershell so might as well start learning now!

View the current holders:

  1. Thanks to The Scripting Guy - Get-ADDomainController -filter * | Select-Object Name, OperationMasterRoles

Now we can move them

  1. Move-ADDirectoryServerOperationMasterRole -Identity "servername" -OperationMasterRole 0,1,2,3,4 (or use their names)

Wednesday, April 27, 2016

Domain Controller high CPU - Service Host / Security Log

I had been having problems for some time with our Windows Server 2012 and 2012 R2 domain controllers.  The CPU would spike to 50% and sit there, occasionally dropping down to 2% and then shortly after back up to 50%.

The process in question was the Service Host: Local Service (Network Restricted).
The sub processes are:

  • TCP/IP NetBIOS Helper
  • Windows Event Log
  • DHCP Client

It doesn't take a lot of Google-fu to find the following post:

This post indicates that the Windows Security log could be at fault.  I took a look at ours and it was set to overwrite and had a maximum size of 1GB (actually well under the MS maximum size, but still large imo).  A quick test of clearing the log fixed the issue.

Of course the issue started up again a few days later when the log got full and started to overwrite again.  So, I reduced the maximum size of the security log to 10 MB (not large enough to hold much of course, but we're just testing at this point).  Once the log started overwriting again there was no issue.  From this I concluded that the issue isn't just overwriting events, but rather overwriting events when the log is very large.  What I ended up doing:

  1. Ensured that our SIEM solution was collecting the logs every hour.
  2. Set the maximum log size for the security log to a value that will hold 12 hours of logs and then overwrite.  To determine this value I just had to wait and then check its properties (for each DC!)
  3. If any logging event success / failures are ever changed I'll need to re-evaluate that the size is still sufficient.
Another solution that I didn't like as much was to throw hardware at the issue, i.e. add a CPU.
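Instead of waiting and checking the log properties on each DC by hand (step 2 above), the fill rate can be measured and the size worked out. This is an added example, not from the original post; it assumes the AD module and WinRM access to the DCs, and the 12-hour target and 25% headroom are the only tunables. Without -Apply it only reports.

```powershell
# Added example: measure how fast each DC's Security log fills and size it for N hours.
[CmdletBinding()]
param(
    [int]$HoursToKeep = 12,      # the post's target: 12 hours before overwrite
    [double]$Headroom = 1.25,    # margin for busier days
    [switch]$Apply               # set the new maximum; default is report only
)

function Get-SecurityLogFillRate {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $log    = Get-WinEvent -ListLog Security
        # The oldest surviving record tells us how much time the current contents span
        $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
        $hours  = ((Get-Date) - $oldest.TimeCreated).TotalHours
        [pscustomobject]@{
            DC        = $env:COMPUTERNAME
            MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
            UsedMB    = [math]::Round($log.FileSize / 1MB, 1)
            HoursHeld = [math]::Round($hours, 1)
            # Only a log that has wrapped at least once gives a steady-state rate;
            # a freshly cleared log under-reports
            Wrapped   = ($log.FileSize -ge 0.9 * $log.MaximumSizeInBytes)
            MBPerHour = if ($hours -gt 0) { [math]::Round(($log.FileSize / 1MB) / $hours, 2) } else { 0 }
        }
    }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $r = Get-SecurityLogFillRate -ComputerName $dc.HostName
    # Whole megabytes keep the value a multiple of the 64 KB the event log requires
    $neededMB = [math]::Ceiling($r.MBPerHour * $HoursToKeep * $Headroom)
    $r | Add-Member -NotePropertyName RecommendedMB -NotePropertyValue $neededMB -PassThru
}
$report | Format-Table DC, MaxSizeMB, UsedMB, HoursHeld, MBPerHour, Wrapped, RecommendedMB -AutoSize

if ($Apply) {
    # Only safe if the SIEM collects more often than $HoursToKeep (step 1 above)
    foreach ($r in $report | Where-Object { $_.Wrapped }) {
        $bytes = [int64]$r.RecommendedMB * 1MB
        Invoke-Command -ComputerName $r.DC -ScriptBlock {
            # wevtutil sl = set log configuration, /ms: = maximum size in bytes
            wevtutil sl Security ("/ms:{0}" -f $using:bytes)
        }
    }
}
```

Re-run it whenever the audit policy changes (step 3 above), since a new success/failure category changes the fill rate.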

In addition here's a good table of MS recommendations on logging settings

Friday, March 25, 2016

XenApp 6.5 Remote Powershell

Recently I wanted to be able to remotely run a powershell script against my XenApp 6.5 farm to be able to manipulate the logon mode.  This can easily be done with Powershell from the hosts themselves, but I ran into issues when running it from workstations or in my case a monitoring service.

Goal: Remotely run a powershell script from a monitoring service to disable logons if a specific failure occurred.  In addition, query the servers for what they are currently set to.

  1. XenApp AppCenter / DSC installed on remote machine
  2. Patch DSCXAMx650W006 installed on remote machine
  3. CitrixXenAppCommandsRemoting Service set to Automatic and Running on at least one server in the farm.
  4. Port 2513 open
Note: if a XA server is installed in Session host mode then it will have the Command Remoting service disabled.

Once you have AppCenter installed and the patch installed you should be set.  Open Powershell up (I prefer to use ISE)

First we need to add the Citrix snap-in:  Add-PSSnapin Citrix*
For the command we'll need two components to make it work.
  1. -Computername parameter, this is going to be the XA Server that has the XenApp Command Remoting Service enabled and running on it.  
  2. -Servername parameter, this is going to be the XA Server that you want information on.  If you do not include this parameter then it will return information on all servers in the farm.

Let's say I want to find out all information for a single server in my farm.  In this instance XAADM is my data collector, which has the Commands Remoting service running on it, and XA01 is the server I want information on.  We could run the following:

Get-XAServer -ComputerName XAADM -ServerName XA01

Great, now we can use this to disable logons on a server remotely.

Set-XAServerLogonMode -ComputerName $Comp -LogOnMode $LogonMode -ServerName $Server

The -LogOnMode parameter accepts one of:
  • AllowLogOns
  • ProhibitNewLogOnsUntilRestart
  • ProhibitNewLogOns
  • ProhibitLogOns

or to get a list of LogonMode status:
$(Get-XAServer -ComputerName XAADM -ServerName XA01).LogonMode

Errors and causes:
Citrix XenApp Commands Remoting Service:
Get-XAServer : Could not connect to net.tcp://s-xa01:2513/Citrix/XenAppCommandsRemoting. The connection attempt lasted for a time span of
00:00:01.0010632. TCP error code 10061: No connection could be made because the target machine actively refused it x.x.x.x:2513.
At line:1 char:3
+ $(Get-XAServer -ComputerName S-XA01).LogonMode
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-XAServer], EndpointNotFoundException
    + FullyQualifiedErrorId : System.ServiceModel.EndpointNotFoundException,Citrix.XenApp.Commands.GetServerCmdlet

This error indicates that the "CitrixXenAppCommandsRemoting" service was not running on the specified "Servername"

Citrix Remoting:
Get-XAServer : Citrix commands must be executed at the Citrix server or using remoting. Make sure that your user account is a Citrix
administrator and that the IMA service is started.
At line:1 char:1
+ Get-XAServer
+ ~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-XAServer], InvalidOperationException
    + FullyQualifiedErrorId : ImaInteropError,Citrix.XenApp.Commands.GetServerCmdlet

The command was issued using -ServerName only, which works if proper remoting is set up with a certificate.  That can be challenging to set up; instead use -ComputerName to target the remoting service along with -ServerName to target the server you need.  E.g. Get-XAServer -ComputerName XAwithRemotingService -ServerName XAwantinginfofrom
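Wrapping the two commands above into something a monitoring job can call, as an added example (mine, not the post's): it first checks that something answers on port 2513 of the remoting server (which rules out the first error above before the cmdlets get involved), loads the snap-in if needed, sets the logon mode and reads it back to verify. XAADM and XA01 are the server names from the post; the snap-in name Citrix.XenApp.Commands is assumed.

```powershell
# Added example: remote logon-mode control for XenApp 6.5 via the Commands Remoting service.
function Test-XARemotingPort {
    param([string]$ComputerName, [int]$Port = 2513)
    # Plain TCP connect with a 3 s timeout; works on PS 2.0 hosts without Test-NetConnection
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        return [bool]($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-XAFarmLogonModes {
    param([Parameter(Mandatory)][string]$RemotingServer)
    # Omitting -ServerName returns every server in the farm
    Get-XAServer -ComputerName $RemotingServer | Select-Object ServerName, LogOnMode
}

function Set-XAServerLogonModeRemote {
    param(
        [Parameter(Mandatory)][string]$RemotingServer,   # runs CitrixXenAppCommandsRemoting
        [Parameter(Mandatory)][string]$TargetServer,     # server whose logons we change
        [Parameter(Mandatory)]
        [ValidateSet('AllowLogOns', 'ProhibitNewLogOnsUntilRestart', 'ProhibitNewLogOns', 'ProhibitLogOns')]
        [string]$LogOnMode
    )
    if (-not (Test-XARemotingPort -ComputerName $RemotingServer)) {
        throw "Nothing listening on ${RemotingServer}:2513 - is CitrixXenAppCommandsRemoting running there?"
    }
    if (-not (Get-PSSnapin -Name 'Citrix.XenApp.Commands' -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Citrix* -ErrorAction Stop
    }
    $before = (Get-XAServer -ComputerName $RemotingServer -ServerName $TargetServer).LogOnMode
    if ($before -ne $LogOnMode) {
        Set-XAServerLogonMode -ComputerName $RemotingServer -ServerName $TargetServer -LogOnMode $LogOnMode
    }
    # Read it back rather than trusting the call succeeded
    $after = (Get-XAServer -ComputerName $RemotingServer -ServerName $TargetServer).LogOnMode
    [pscustomobject]@{
        Server  = $TargetServer
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    }
}

# Monitoring-job usage: drain XA01 when the watched failure fires, then show the farm state
Set-XAServerLogonModeRemote -RemotingServer XAADM -TargetServer XA01 -LogOnMode ProhibitNewLogOns
Get-XAFarmLogonModes -RemotingServer XAADM
```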

Tuesday, December 15, 2015

Files not showing up "timely" for some users with DFS-R

Recently we started having a strange issue where users wouldn't be able to see files, but other users could.

The locations in question resided in a share with DFS-R setup.  Only one of the folder targets was enabled so all users are looking at the same share.  We could even confirm with the DFS tab that they were pointed at the same locations, yet User1 couldn't see the file and User2 could see it.  Navigating to the exact path of the share would then display that the file did in fact exist.  Only the DFS path showed the issue.

No issues being reported with DFS-R or AD (both running Server 2012).
Taking a step back I recalled that we had fairly recently added a new DC to the environment (Windows Server 2012 R2).

After a quick look at DFS Namespaces I realized that the new DC had not been added as a namespace server.

Preliminary reports look promising that the missing namespace server was the cause for this anomaly.  Note to self, always add new DC to namespace servers!

Wednesday, October 28, 2015

XenApp - Auto Restored printers / Lynx... / XPS Document Writer

Gradually over the past year I've seen an issue where strange printers appear for users, sometimes more than 100 of them, making it hard for them to find the proper printer they want. Many of them have Document Writer in their name, but some are more mysterious, with names starting with lynx* and even other names.

Some quick digging on the server and you can quickly see that it's somehow related to the Microsoft XPS Document Writer being auto-created from the client's machine. Here we only auto-create the user's default printer, but this one (I've known this for a long time) still gets created even when it's not the default.

Looking in the user's registry it's pretty easy to track some of the settings back to HKCU\Software\Citrix\PrinterProperties as well as a few other locations.

Once I began looking I found that the mysterious printers affected most of my users, not just one or two. Looking around on the internet I found this:

Makes sense... I did find that I could eliminate the issue without all of his steps though.

  1. Prevent XPS document writer from auto creating.
    1. Open AppCenter (XenApp 6.5) and go to my policies
    2. Make or modify existing user policy (make sure it filters to all users or use unfiltered policy)
    3. Printer driver mapping and compatibility - Microsoft XPS Document Writer - Deny (spelling of driver name must be exact) 

  2. Next we need to remove the junk registry setting for all users.
    1. Open GPO and make a new policy that applies to your XenApp servers
    2. Apply the loopback policy with merge - Computer Configuration - Policies - Administrative Templates - System - Group Policy
      1. Mode Merge
    3. Create preference to remove registry settings - User Configuration - Preferences - Windows Settings - Registry
      1. New Registry item
        1. Set to delete
        2. enter hive of HKEY_Current_User
        3. enter path Software\Citrix\PrinterProperties\Microsoft XPS Document Writer
    4. Update GPO on each XA server and test.

Note: I found that this took a long while to completely clear out since many of my users are part time.  I just had to sit back and be patient for everything to complete.  I did do some manual attaching to registry profiles and cleaning to help along the process for users that rarely work.
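The "manual attaching to registry profiles" for users who rarely log on can be scripted. Here is an added example (mine, not from the post): on a XenApp server it walks every local profile, loads NTUSER.DAT for users who are not logged on, and deletes the Software\Citrix\PrinterProperties\Microsoft XPS Document Writer key that the GPP cannot reach until that user's next logon. It assumes it runs elevated on the XenApp server; with -WhatIf it still loads and unloads hives but deletes nothing.

```powershell
# Added example: clean the XPS Document Writer key out of every profile on this server.
[CmdletBinding(SupportsShouldProcess = $true)]
param()
$subKey  = 'Software\Citrix\PrinterProperties\Microsoft XPS Document Writer'
$removed = 0

# Win32_UserProfile gives SID, path and whether the hive is currently loaded
foreach ($p in (Get-WmiObject Win32_UserProfile | Where-Object { -not $_.Special })) {
    $loadedByUs = $false
    if ($p.Loaded) {
        # User is logged on: the hive is already mounted under HKEY_USERS\<SID>
        $hiveName = $p.SID
    } else {
        $hiveFile = Join-Path $p.LocalPath 'NTUSER.DAT'
        if (-not (Test-Path $hiveFile)) { continue }
        $hiveName = "XpsClean_$($p.SID)"
        & reg.exe load "HKU\$hiveName" $hiveFile | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hiveFile"; continue }
        $loadedByUs = $true
    }
    try {
        $keyPath = "Registry::HKEY_USERS\$hiveName\$subKey"
        if (Test-Path -LiteralPath $keyPath) {
            if ($PSCmdlet.ShouldProcess($p.LocalPath, "Delete $subKey")) {
                Remove-Item -LiteralPath $keyPath -Recurse -Force
                $removed++
            }
        }
    } finally {
        if ($loadedByUs) {
            # Release any handles the registry provider still holds, or unload fails
            [gc]::Collect()
            & reg.exe unload "HKU\$hiveName" | Out-Null
        }
    }
}
Write-Host "Removed the XPS Document Writer key from $removed profile(s)."
```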

Tuesday, May 5, 2015

The source file name(s) are larger than is supported by the file system.

The source file name(s) are larger than is supported by the file system.  Try moving to a location which has a shorter path name, or try renaming to shorter name(s) before attempting this operation.

Recently I found that some operations in a backup maintenance job were failing because a file it was trying to remove had a file name/path that was too long.

I tried the usual options, none of which worked:
  • Attempt to rename it via cmd prompt
  • Attempt to rename it via cmd prompt using the short name.  It contained several special characters and I never could figure out which one it was complaining about.
  • Attempt to rename the directories containing it.  Even using a single letter for each directory didn't reduce it enough.

In the end a simple command did the trick to get the path short enough.
  • Navigate into the directory in question
  • subst M: . (notice the period there indicating current directory)
  • del filename (or rename filename newfilename)
  • subst M: /D

Monday, April 27, 2015

8193 Volume Shadow Copy Service error - Access is denied

Log Name:      Application
Source:        VSS
Event ID:      8193
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      servername
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
   Initializing Writer
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {3e927ae5-5139-42ad-bd99-6e467a3941eb}

This was occurring on my DHCP servers.  Apparently permissions to a key are removed when the DHCP role is installed.

Tuesday, February 24, 2015

Netscaler 10.5 password field missing

With Netscaler 10.5 and Web Interface 5.4 users were greeted with a logon screen with the password field missing.  This was on IE11.

The fix ended up being pretty simple.  Just hit Ctrl + F5.
According to Citrix this has to do with the Netscaler's static page caching feature (used to improve performance).  

Tuesday, February 3, 2015

Fortigate upgrade v5.2.2 build 642 - no external access after update

After upgrading our Fortigate 100D cluster to v5.2.2 build 0642 (from v5.0 build 04429) we no longer had internet access.  Traffic from external to internal still worked fine; only internal to external failed.

At the time, while frantically searching for what the heck had happened, I hadn't noticed that the only traffic that failed was traffic through policies that used Service = ALL.  In hindsight I can see it, since that explains why external to internal traffic all worked (those policies specified services only!)

After beating my head against the wall for about 15 minutes I called Fortinet support.  Once I had a support rep on the line and said "upgraded to v5.2.2, all is lost, world is falling in around me" he instantly had an answer.
  • Click Policy & Objects
  • Objects
  • Services
  • Edit the ALL service
  • Take note of what the Protocol Number is.  In my case it was 6.
  • Change to 0
  • Click OK
Instantly all my internal to external ping monitors came back to life.

Apparently it's a known issue that can sometimes occur during the upgrade to v5.2.2 (not sure if it affects other builds).

Thursday, January 15, 2015

Citrix Director 7.6 with XenApp 6.5 - WinRM exception

On one of my servers I was seeing the below after setting up Citrix Director 7.6.

The BIG hint here was the "The requested data could not be found in the data".
Easy answer, I forgot to install the DirectorWMIProvider_x64.msi. 

Log Name:      Application
Source:        Citrix Director Service

Event ID:      4
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
The description for Event ID 4 from source Citrix Director Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

The requested data could not be found in the data 'The virtual desktop via WinRM service reported an exception. See the event log for more information.' ('').

User: '\username'
Console operation: 'Retrieving running application details for IMA Session…'

Additional information:
'Exception of type 'Citrix.Dmc.Common.NotFoundException' was thrown.'

the message resource is present but the message is not found in the string/message table