April 3

Windows: Create a batch file that logs users into their home directory on demand

The following batch script can be used to log on users to their home directory on demand.  This can be good for businesses that use Kiosk’s with generic logons, but still need to give users access to their home drives.

@echo off
set /p userid=”Enter your username: ”
C:\Windows\System32\runas.exe /user:riverview\%userid% “explorer.exe \”\\fiiservers1\Home\%userid%””

Category: Windows | Comments Off on Windows: Create a batch file that logs users into their home directory on demand
August 30

Windows: Managing local groups on domain members via GPO restricted groups

Introduction:
AD administrators often have the requirement to manage local group memberships of Windows workstations and servers from on a central way. Group Policies Restricted Groups is a simple way to accomplish this requirement and works in a Samba AD as well as in a MS controlled.

Restricted Groups are non-tatooing changes. This means, if you undo this change in the GPO, the changes are reset to their previous state on the affected computers after the next GPO refresh.

A best practice is, to use only AD groups instead of individual user accounts, to add to local groups. This allows changes on a central place (AD), by adding/removing members to/from the group, instead of modifying the GPO.

For simplicity, all examples in this documentation are configured on domain level through the Default Domain Policy. Needless to say, that is possible in self-created GPOs and OU-level, too.

Preconditions
Installed Group Policy Management Console. It is part of the Remote Server Administration Tools (RSAT).
The examples used below add a AD domain group “SAMDOM\Wks Admins”. Groups can be added to the AD using ‘samba-tool’ or Active Directory User and Computer (ADUC).

Modify local group membership and keep existing members
This is the most typical field of application: An AD group should be added as a member to a local group and all already existing members should be untouched.

Example: The AD domain group “SAMDOM\Wks Admins” should be added to the local “Administrators” group on all computers in the domain (workstations and server). The members of this domain group can be managed central in AD and allows e. g. supporter accounts to have local administrator permissions on all Windows computers, without knowing the Domain Administrator password or being member of the “Domain Admins” group. All existing members in the local “Administrators” group should stay. Only the domain group “SAMDOM\Wks Admins”should be added.

Create a domain group “Wks Admins”, using ‘samba-tool’ or Active Directory Users and Computers from the Remote Server Administration Tools (RSAT).Open the Group Policy Management Console
Right-click to “Default Domain Policy” and choose “Edit…”
The Group Policy Management Editor opens
Navigate and right-click to “Computer Configuration” / “Policies” / “Windows Settings” / “Security Settings” / “Restricted Groups” and choose “Add group…”.
Enter the name of the AD group “SAMDOM\Wks Admins” by browsing your directory and click “OK”.
The properties window opens. Click the “Add” button next to the “This group is a member of” box.
Enter the local “Administrators” group name. If you use the “Browse” button, select the local computer, by using the “Locations…” button in the upcomming window, to browse local instead of AD security objects!
You see the local “Administrators” group entry in the “This group is a member of” list.
Click “OK”.
After the clients have re-read the changed group policy, the domain group “SAMDOM\Wks Admins” will appear in the local “Administrators” group on each client affected by the GPO. All existing members of this group stay untouched.
Explicit control of local group membership
This way describes how to explicitly set the membership of a local group by replacing existing memberships with the ones defined in the GPO. Use this with care, to ensure that you don’t break existing permissions of accounts used by users and applications!
Example: On all computer in the domain (workstations and servers), the local Administrator and the domain group “SAMDOM\Wks Admins” should be the only members of the local “Administrators” group. All existing members of this group should be removed and just these two objects should be part of it.

Create a domain group “Wks Admins”, using ‘samba-tool’ or Active Directory Users and Computers from the Remote Server Administration Tools (RSAT).
Open the Group Policy Management Console
Right-click to “Default Domain Policy” and choose “Edit…”
The Group Policy Management Editor opens
Navigate and right-click to “Computer Configuration” / “Policies” / “Windows Settings” / “Security Settings” / “Restricted Groups” and choose “Add group…”.
Enter the local “Administrators” group name. If you use the “Browse” button, select the local computer, by using the “Locations…” button in the upcomming window, to browse local instead of AD security objects!
Click the “Add” button next to the “Members of this group” box.
Enter the domain group “SAMDOM\Wks Admins” and the local “Administrator” account. If you use the “Browse” button, select the domain/local computer, by using the “Locations…” button, to browse the domain/local security objects!
You see the local “Administrator” account and the AD group “SAMDOM\Wks Admins” in the “Members of this group” list.
Click “OK”.
After the clients have re-read the changed group policy, only the local “Administrator” account and then domain group “SAMDOM\Wks Admins” will appear in the local “Administrators” group on each client affected by the GPO. All previous members have been replaced by this new members.

Force manual group policy refresh
Windows computers refresh and apply group policies on changes per default every 90 minutes with a random offset of 0 to 30 minutes.
To see if changes took effect, you can force an immediate refresh of all GPOs on a host by running:

> gpupdate /force /target:computer

The “/target:computer” option reads only the “Computer Configuration” part of GPOs.

By: SambaWiki

Category: Windows | Comments Off on Windows: Managing local groups on domain members via GPO restricted groups
July 27

Windows: How to see the block size of a drive

Microsoft Windows includes a utility in Windows called fsutil.  This tool displays drive information that cannot be seen in the GUI.

  1. Type: fsutil fsinfo ntfsinfo c:
  2. You should see something that looks like the following

Partition alignment on device :                         Aligned (0x000)
Performs Normal Seeks
Trim Not Supported

C:\Windows\system32>fsutil fsinfo ntfsinfo c:
NTFS Volume Serial Number :       0xd2caf83ccaf81f03
NTFS Version   :                  3.1
LFS Version    :                  2.0
Number Sectors :                  0x000000000634f7ff
Total Clusters :                  0x0000000000c69eff
Free Clusters  :                  0x000000000013a2b9
Total Reserved :                  0x0000000000001010
Bytes Per Sector  :               512
Bytes Per Physical Sector :       512
Bytes Per Cluster :               4096
Bytes Per FileRecord Segment    : 1024
Clusters Per FileRecord Segment : 0
Mft Valid Data Length :           0x0000000011dc0000
Mft Start Lcn  :                  0x00000000000c0000
Mft2 Start Lcn :                  0x0000000000000002
Mft Zone Start :                  0x00000000008ba660
Mft Zone End   :                  0x00000000008bbca0
Resource Manager Identifier :     113AA49C-B92F-11E3-9E65-AEF8CF9A8C09

By: Timothy Conrad

Category: Windows | Comments Off on Windows: How to see the block size of a drive
March 24

Windows: BDE Drive Removal / Extending you drive

So you want to extend your C: drive, but you discover a BDE partition is in your way.   You have discovered the Bitlocker partition.  As nice as Bitlocker is, the location of it’s partition will stop you from extending your hard drive.  Along with this if you look at this partition in Drive Manager you will notice something very important.  The BDE partition is the Active, System partition. If you boot up in Gparted and delete it, you will be in for some recovery headache.  The following is the best way that I have found to get rid of the BDE partition.

1. If you have have “Bitlockered” your drive you will need to decrypt it before preceding.
2. Start the Command prompt as “Administrator”
3. Run: bcdboot c:windows /s c: (This assumes you have installed the OS using defaults)
4. Run: diskpart
5. Type: list disk
6. Type: select disk 0
7. Type: list part
8. Type: select part 1
9. Type: activate part
This did not work for me like it should have, so I used the GUI:
Open Computer Management
On the left, under Storage, click Disk Management.
Right-click the primary partition that you want to make active, click Mark Partition as Active, and then click Yes.
10. Reboot (Upon login it may ask you to reboot one more time for computer changes to take effect.)
11. Log in
12. Start the Command prompt as “Administrator”
13. Run: diskpart
14. Type: list disk
15. Type: select disk 0
16. Type: list part (verify the partition number you would like to delete.)
17. Type: select part 2
18. Type: list part(Verify you have select the right partition you are about to delete)
19. Type: delete part

You can now extend you C: drive

By: nighthawk and J Banerjee

Category: Windows | Comments Off on Windows: BDE Drive Removal / Extending you drive
March 4

Windows: How to Disable or Enable Windows Defender in Windows 10 (All versions)

There are a few methods, but home users have fewer options due to the lack of a policy editor.

  1. Start “regedit” from the search or run line
  2. Goto HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  3. Create a new 32bit Dword called DisableAntiSpyware
  4. Press Enter
  5. Modify the DWORD’s value data field to be a hex value of 1
  6. Click OK

If you check your Windows Defender Settings in Settings, Update & Secruity, Windows Defender, you will now she it off and greyed out

By: Britec09

Category: Windows | Comments Off on Windows: How to Disable or Enable Windows Defender in Windows 10 (All versions)