Find All HP iLOs on your Network

KB ID 0001571

Problem

I had to find all the HP iLOs on a client network today. I could have used an IP scanner and then sorted the results for HP devices, but I would have ended up with switches, printers and God knows what else!

If only there was a PowerShell command I could use?

Solution

There is! You will need to download the cmdlets though (HPiLOCmdlets-x64) and extract them to your C: drive.

 

Here I’m installing them from PowerShell, but you can simply run the HPiLOCmdlets-x64.msi file (if you do install from PowerShell, you will need to restart it, and you might need to change your execution policy).

Run the following commands;

[box]

Find-HPiLO
{Then supply the range to scan i.e. 192.168.1.1-254}

[/box]
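The same sweep, as an added example that is not part of the original article: it loops over one or more ranges with Find-HPiLO and writes whatever the cmdlet returns to a dated CSV, so the list of iLO management interfaces can be kept and compared against the next sweep. It assumes the HPiLOCmdlets module above is installed and that Find-HPiLO accepts a -Range string in the "a.b.c.x-y" form shown; the ranges in the script are constructed sample values.

```powershell
# Added example (not from the original article). Sweeps one or more ranges with
# Find-HPiLO and writes whatever it returns to a dated CSV, so the list of iLO
# management interfaces can be kept and diffed against the next sweep.
# Assumptions: the HPiLOCmdlets module from the article is installed, and
# Find-HPiLO takes a -Range string in the "a.b.c.x-y" form shown above.
# The ranges below are constructed sample values.

Import-Module HPiLOCmdlets -ErrorAction Stop

$Ranges  = @('192.168.1.1-254', '192.168.2.1-254')   # constructed sample ranges
$OutFile = Join-Path $env:USERPROFILE ('iLO-inventory-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))

$Found = foreach ($Range in $Ranges) {
    Write-Host "Scanning $Range ..."
    # Hosts that do not answer are skipped rather than stopping the whole sweep
    Find-HPiLO -Range $Range -ErrorAction SilentlyContinue
}
$Found = @($Found)

if ($Found.Count -eq 0) {
    Write-Warning 'No iLO interfaces answered in the supplied ranges.'
    return
}

# Export every property the cmdlet returns; nothing here depends on a particular
# column name, because those vary between module versions.
$Found | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ('{0} iLO interface(s) written to {1}' -f $Found.Count, $OutFile)
$Found | Format-Table -AutoSize
```

Keeping the CSV alongside the previous one makes it easy to spot an iLO that has appeared on the network without anyone having recorded it.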

Related Articles, References, Credits, or External Links

NA

Convert MBR Partitioned Drives to GPT

KB ID 0001407

Problem

I got asked if I’d ever had to do this today. I vaguely remember having this problem in the past, but I can’t remember how I solved it. You set the ‘Partition Table Type’ on a disk in Windows when the drive is first initialised, like so;

The default is MBR, so that usually gets ticked; the problem is that MBR only supports disks up to 2TB in size. Now if it’s just a new disk with no partitions on it, you can simply change it;

But if it’s got a partition on it (and probably some live data) you can’t!

Previously (before Windows 10 and Server 2016) the Microsoft solution was to delete the partitions and create a new one, which can be a little time consuming, especially if you have live data on it! So can you convert it to GPT live, with no data loss?

Solution

Yes! As usual, make sure you have a decent backup first, and if you are using a virtual environment you can snapshot the virtual machine beforehand (I tested this in the lab by taking a snapshot, converting a drive from MBR to GPT, then reverting to the snapshot, and it flipped back to MBR with no loss of data).

You need to know what disk number Windows has assigned to the drive: in Disk Management, right-click the drive and select Properties.

Windows 10 and Windows Server 2016

Using this method requires that (after you have finished) your machine is set to UEFI boot; otherwise it will work fine until you try to reboot, and then the machine won’t boot! So if you are doing this on a virtual machine in Hyper-V, MAKE SURE it’s a generation 2 VM!

You will find MBR2GPT.exe in C:\Windows\System32, if it’s not there do a full round of Windows updates! Simply open an Administrative command window and run the following commands;

[box]

cd c:\windows\system32
mbr2gpt /convert /disk:1 /allowfullOS

[/box]

Take note of the warning: the machine should now be set to UEFI boot mode, so if it’s a VMware VM, change this value;
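As an added example (not part of the original article), here is the pre-flight I would run from an elevated PowerShell prompt before the commands above. It reads the firmware type Windows reports, shows the disk’s current partition style, and runs mbr2gpt /validate, which checks the disk can be converted without writing anything; only if that passes does it run /convert. It assumes disk 1 is the target, as in the article, and that the machine is Windows 10 / Server 2016 or later (where $env:firmware_type and mbr2gpt exist).

```powershell
# Added example (not from the original article): pre-flight checks before mbr2gpt,
# run from an elevated PowerShell prompt on the machine being converted.
# Assumption: disk 1 is the disk to convert, as in the article; change $DiskNumber.

$DiskNumber = 1

$Disk = Get-Disk -Number $DiskNumber
'Disk {0}: {1}, {2:N0} GB, partition style {3}, boot/system disk: {4}' -f `
    $Disk.Number, $Disk.FriendlyName, ($Disk.Size / 1GB), $Disk.PartitionStyle, ($Disk.IsBoot -or $Disk.IsSystem)

if ($Disk.PartitionStyle -eq 'GPT') {
    Write-Host "Disk $DiskNumber is already GPT; nothing to do."
    return
}

# Windows sets $env:firmware_type to 'UEFI' or 'Legacy' (absent on very old builds).
# A machine booted in Legacy/BIOS mode will not boot again once its boot disk is GPT.
if ($env:firmware_type -ne 'UEFI') {
    if ($Disk.IsBoot -or $Disk.IsSystem) {
        throw "This machine booted in '$($env:firmware_type)' mode; converting its boot disk to GPT would leave it unbootable. Switch it to UEFI (Hyper-V generation 2 / VMware EFI firmware) first."
    }
    Write-Warning "Firmware type is '$($env:firmware_type)', not UEFI; the machine must be on UEFI before its next reboot."
}

$Mbr2Gpt = Join-Path $env:SystemRoot 'System32\mbr2gpt.exe'
if (-not (Test-Path $Mbr2Gpt)) {
    throw 'mbr2gpt.exe not found; install the latest Windows updates first.'
}

# Dry run: checks the partition layout and the free space needed for the EFI system partition.
& $Mbr2Gpt /validate "/disk:$DiskNumber" /allowFullOS
if ($LASTEXITCODE -ne 0) {
    throw "mbr2gpt validation failed (exit code $LASTEXITCODE); see $env:SystemRoot\setupact.log before retrying."
}

# Validation passed: convert in place. Take the backup or snapshot first, as the article says.
& $Mbr2Gpt /convert "/disk:$DiskNumber" /allowFullOS
if ($LASTEXITCODE -ne 0) {
    throw "mbr2gpt conversion returned exit code $LASTEXITCODE."
}

# Confirm the result
(Get-Disk -Number $DiskNumber).PartitionStyle
```

The /validate pass is the step worth keeping even if you prefer to type the /convert command by hand: it is the same set of checks the conversion would run, but it fails safely.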

For OLDER Versions of Windows

Download and extract gptgen-1.1 then run the following command;

[box]gptgen.exe -w \\.\physicaldrive1[/box]

Note: Where ‘1’ is the disk number you took note of above.

Note: If you see “Block read failed, check permissions!” then you might want to use MBR2GPT {above} instead.

That’s it, done! In ‘Disk Management’ you will need to ‘Rescan Disks’ to see the change.

In the unlikely event that something exploded, you can roll back to your snapshot.

Related Articles, References, Credits, or External Links

NA

Remote Desktop Services – Securing By Group Policy

KB ID 0001211

Problem

Note: This is not an exhaustive list, but it’s what I use when securing Remote Desktop Services, (Terminal Services) servers. Some of these settings are ONLY for Server 2012 R2 and later. If you have any settings you think are omitted, please comment below.

 

Solution

User Access To RDS

If you want to create a domain security group for RDS users then please do so. BE AWARE the ‘Remote Desktop Users’ group you see in Active Directory Users and Computers (in the built-in OU) is for access to Domain Controllers only! In all the examples below I am allowing access to ‘Domain Users’.

If you log onto the RDS server itself > Windows Key+R > sysdm.cpl > Remote > Remote Desktop > Select Users > Add as appropriate.

Errors

I had a situation where everyone worked apart from one user, who got this error;

The connection was denied because the user account is not authorised for remote login.

This user was a member of domain users, and all the normal boxes were ticked, I had to add ‘Domain Users’ AGAIN via Group Policy before the problem went away?

GPO Location

[box]Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services[/box]

Group Policy

Stop Group Policy Applying to Domain Administrators

Restricting users is fine, but if you create a GPO, link it to your RDS servers and enable ‘loopback processing’, then the policy will also apply to the domain administrator and members of the domain administrators group. To stop that happening, you need to ‘Deny: Apply group policy’ for the users/groups that you DON’T want the policy applied to;

Computer Policies

Stop Server Manager Launching at Logon

(Note: to remove the Server Manager shortcut from the task bar see below)

GPO Location

[box]Computer Configuration > Policies > Administrative Templates > System > Server Manager > Do not display Server Manager automatically at logon[/box]

Setting: Enabled

Configure Group Policy Loopback Processing

The reason you do this is that a lot of the policies you want to apply are ‘user policies’, and the group policy you link to your RDS servers is linked to a domain/site/OU that contains computer objects. If you enable loopback processing you can configure user settings in the same policy, and they get applied to users logging onto the computers the policy is linked to. This is perfect for Remote Desktop Services.

GPO Location

[box]Computer Configuration > Administrative Templates > System > Group Policy > Configure User Group Policy loopback processing mode[/box]

Setting: Enabled

User Policies

Prevent/Hide Access to Drives

I hide access to the drives that are on the RDS server itself, and leave the rest because most people still have mapped drives and network drives they want access to.

GPO Location

[box]User Configuration > Administrative Templates > Windows Components > File Explorer > Prevent access to drives from My Computer[/box]

Setting: Enabled

GPO Location (Server 2012 and older)

[box]User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer[/box]

Setting: Enabled

Prevent/Hide Access to Control Applications 

There is a policy that blocks access to applications you specify, but I prefer to block ALL applications except the ones I specify, and I only ever allow access to Devices and Printers.

GPO Location

[box]User Configuration > Administrative Templates > Control Panel > Show only specified Control Panel items[/box]

Setting: Enabled

Setting: Microsoft.DevicesAndPrinters

Note: For a list of all applications, search for ‘Canonical names for Control Panel Items’.

Remove Shut Down / Restart, Sleep and Hibernate

For obvious reasons you don’t want your users to have the ability to shut down the server.

GPO Location

[box]User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate Commands[/box]

Setting: Enabled

 

Now your users should just have ‘lock’ and ‘sign out’.

Remove Use Of Command Line (CMD)

I say ‘remove use’, because with this policy enabled, even if a user manages to get a command window to run, they still can’t execute any commands. 

GPO Location

[box]User Configuration > Policies > Administrative Templates > System > Prevent access to the command prompt[/box]

Setting: Enabled

Setting: Disable the command prompt script processing also: Yes. (Read the warning!)

So if a user does manage to get a command window open, this is what they will see;

Prevent Access to Registry Editing Tools (Regedit)

For obvious reasons, I don’t trust most techs in the registry, never mind ‘users’.

GPO Location

[box]User Configuration > Policies > Administrative Templates > System > Prevent access to registry editing tools[/box]

Setting: Enabled

Setting: Disable regedit from running silently: Yes. (Make sure you don’t have any reg commands in your login scripts!)

If a user attempts to run the registry editing tools this is what they will see;

Remove Server Manager From the Task Bar

To do this you need to change permissions on the shortcut files.

GPO Location

[box]Computer configuration > Policies > Windows settings > Security Settings > File System[/box]

Right-click ‘File System’ > ‘Add File’, then change the permissions on the following file BY REMOVING USERS;

File: %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk

The users/groups remaining should be;

  • Administrators
  • Creator 
  • SYSTEM
  • All Application Packages (may not be present)

Note: Sometimes you need to test this with a new ‘fresh user’. This is because these shortcuts are copied into the user profile, the first time a user logs on.

Prevent Access to PowerShell

This is much more difficult than it needs to be! I prevent access to the powershell.exe and powershell_ise.exe files.

GPO Location

[box]User Configuration > Policies > Administrative Templates > System > Don’t run specified Windows applications[/box]

Setting: Enabled

Setting: powershell.exe and powershell_ise.exe

Now if your user attempts to run PowerShell, this is what they will see;

RDS Removing Administrative Tools From Start Menu

I do this by creating a custom start menu for my users, see the following article;

RDS – Custom Start Menu (Remove Administrative Tools)

Remove ‘Pinned’ Applications / Programs from the Taskbar

This is a bit of a ‘shotgun approach’, because it removes ALL pinned items and stops users pinning items (which you might not want). I use it because all the solutions I’ve found to remove the PowerShell shortcut from the taskbar don’t seem to work on Server 2012 R2.

GPO Location

[box]User Configuration > Policies > Administrative Templates > Start Menu and Taskbar > Remove pinned programs from the taskbar[/box]

Setting: Enabled

This is what your users will see; 
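To check that the policies above actually landed on a given RDS server, here is an added example (not part of the original article) I would run from an administrator’s session while a restricted test user is logged on. It reads that user’s loaded hive under HKEY_USERS rather than HKCU, so it works even though the restricted user can no longer open cmd or PowerShell. The mapping from each ADMX setting to a registry value is from my own knowledge of the policy templates, not from the article, so confirm anything surprising with gpresult /h run as that user; $User is a constructed placeholder.

```powershell
# Added example (not from the original article). Run from an ADMINISTRATOR session on
# the RDS host while a restricted test user is logged on. The ADMX-to-registry mapping
# below is my own assumption from the policy templates, not from the article; confirm
# anything that looks wrong with 'gpresult /h report.html' run as that user.
# 'not set' means the policy is Not Configured for that user/computer. Per-user values
# only appear after the user's first logon with the policy in place.
# $User is a constructed placeholder.

$User = 'DOMAIN\rds-testuser'

$Sid = (New-Object System.Security.Principal.NTAccount($User)).Translate([System.Security.Principal.SecurityIdentifier]).Value
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$UserHive = "HKU:\$Sid"
if (-not (Test-Path $UserHive)) {
    throw "$User has no loaded profile hive on this host; log that user on to the RDS server first."
}
$PolExplorer = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

$Checks = @(
    @{ Setting = 'Prevent access to the command prompt (2 = script processing disabled too)'
       Path = "$UserHive\Software\Policies\Microsoft\Windows\System"; Value = 'DisableCMD'; Expect = 2 }
    @{ Setting = 'Prevent access to registry editing tools (2 = silent regedit disabled too)'
       Path = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Policies\System"; Value = 'DisableRegistryTools'; Expect = 2 }
    @{ Setting = 'Remove and prevent access to Shut Down, Restart, Sleep and Hibernate'
       Path = $PolExplorer; Value = 'NoClose'; Expect = 1 }
    @{ Setting = "Don't run specified Windows applications (list switched on)"
       Path = $PolExplorer; Value = 'DisallowRun'; Expect = 1 }
    @{ Setting = 'Show only specified Control Panel items (list switched on)'
       Path = $PolExplorer; Value = 'RestrictCpl'; Expect = 1 }
    @{ Setting = 'Loopback processing mode (1 = Merge, 2 = Replace)'
       Path = 'HKLM:\Software\Policies\Microsoft\Windows\System'; Value = 'UserPolicyMode'; Expect = 1, 2 }
    @{ Setting = 'Do not display Server Manager automatically at logon'
       Path = 'HKLM:\Software\Policies\Microsoft\Windows\Server\ServerManager'; Value = 'DoNotOpenAtLogon'; Expect = 1 }
)

$Results = foreach ($c in $Checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    [pscustomobject]@{
        Setting = $c.Setting
        Actual  = if ($null -eq $actual) { 'not set' } else { $actual }
        OK      = ($null -ne $actual) -and ($actual -in @($c.Expect))
    }
}
$Results | Format-Table -AutoSize -Wrap

# The blocked-application list is a subkey holding one string value per executable.
$DisallowKey = "$PolExplorer\DisallowRun"
if (Test-Path $DisallowKey) {
    $Blocked = (Get-ItemProperty -Path $DisallowKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
    'Blocked executables: ' + ($Blocked -join ', ')
    foreach ($exe in 'powershell.exe', 'powershell_ise.exe') {
        if ($Blocked -notcontains $exe) { Write-Warning "$exe is not in the DisallowRun list." }
    }
} else {
    Write-Warning 'No DisallowRun list found; PowerShell is not blocked for this user.'
}
```

Running it against a freshly created user, as the note on Server Manager shortcuts above suggests, catches the case where the computer-side policy applied but loopback did not, which shows up here as the user-side rows all reading ‘not set’.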

Related Articles, References, Credits, or External Links

NA

Certificate Chain Incomplete

KB ID 0001570

Problem

The certificate here at PNL expired over the weekend, I got a new one and installed it. All appeared to be fine until I did an online check to make sure it was OK. 

The server’s certificate chain is incomplete

Solution

I had this problem once before; back then I was using Apache and CentOS 7, and things were a little different (now I’m using NGINX and Ubuntu 18.04). Essentially you see this error because you have bought a ‘cheap’ SSL certificate. There’s nothing wrong with that per se, but they tend to be issued from an ‘Intermediate CA’. Again there’s nothing wrong with that either, but to improve your score you need to ‘embed’ the intermediate certificate into your SSL certificate (or all the intermediates back to a Root CA, if you have multiple intermediate certificates!)

Here I have ONE intermediate (which is pretty normal).

There are no special tools required to do this, other than a simple text editor: open your SSL certificate and paste the intermediate certificate on the bottom (DO NOT ADD ANY EXTRA SPACES), like so;

Note: As you can see, you DON’T put the Root CA certificate at the bottom, (clients should already have them!) I made this mistake then got the following error;

[box]

Jun 23 14:12:29 localhost nginx[1197]: nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/www_petenetlive_com.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
Jun 23 14:12:29 localhost nginx[1197]: nginx: configuration file /etc/nginx/nginx.conf test failed

[/box]

Retry your test.
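Before handing the edited .crt to NGINX, the checks below are what I would run on it; this is an added example and not part of the original article. It verifies the PEM structure (every BEGIN/END marker on a line of its own, which is what a "bad end line" error is complaining about when two blocks have been run together) and the chain order: each certificate must be issued by the one pasted beneath it, the bundle must contain more than the server certificate alone, and the last block should be an intermediate rather than a self-signed root. Issuer and subject are matched by name, so a gap or a wrong order in the chain shows up as a warning. $BundlePath is a placeholder.

```powershell
# Added example (not from the original article): sanity-check a combined .crt bundle
# (server certificate with the intermediate(s) pasted underneath) before NGINX loads it.
# Assumption: $BundlePath points at that bundle; the path below is a placeholder.

$BundlePath = '/etc/nginx/ssl/www_example_com.crt'   # placeholder path

function Test-PemBundle {
    param([Parameter(Mandatory)][string]$Path)

    $text  = Get-Content -Path $Path -Raw
    $lines = $text -split "`r?`n"

    # 1. Structure: BEGIN/END markers must each sit on a line by themselves, with nothing
    #    else on the line (two blocks pasted together, or trailing spaces, fail here).
    foreach ($l in $lines) {
        if ($l -match 'CERTIFICATE-----' -and
            $l -notin @('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----')) {
            Write-Warning "Malformed marker line (two blocks pasted together?): $l"
            return $false
        }
    }
    $begins = @($lines | Where-Object { $_ -eq '-----BEGIN CERTIFICATE-----' }).Count
    $ends   = @($lines | Where-Object { $_ -eq '-----END CERTIFICATE-----' }).Count
    if ($begins -eq 0 -or $begins -ne $ends) {
        Write-Warning "Unbalanced markers: $begins BEGIN, $ends END"
        return $false
    }

    # 2. Parse each block: the base64 body decodes to DER, which X509Certificate2 reads.
    $pattern = '-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----'
    $certs = foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
    $certs = @($certs)

    # 3. Order: block N must be issued by block N+1; the last block should not be a root.
    $ok = $true
    for ($i = 0; $i -lt $certs.Count; $i++) {
        $c = $certs[$i]
        "{0}: {1}`n   issued by {2}  (expires {3:yyyy-MM-dd})" -f $i, $c.Subject, $c.Issuer, $c.NotAfter
        if ($i -lt $certs.Count - 1 -and $c.Issuer -ne $certs[$i + 1].Subject) {
            Write-Warning "Block $i is not issued by block $($i + 1): the bundle is out of order or has a gap."
            $ok = $false
        }
    }
    if ($certs.Count -eq 1) {
        Write-Warning 'Only one certificate in the bundle: the intermediate is missing, so the chain will be reported as incomplete.'
        $ok = $false
    }
    $last = $certs[-1]
    if ($last.Subject -eq $last.Issuer) {
        Write-Warning 'Last block is self-signed (a root CA): remove it, clients already have the roots.'
        $ok = $false
    }
    if ($certs[0].NotAfter -lt (Get-Date)) {
        Write-Warning 'The server certificate has already expired.'
        $ok = $false
    }
    return $ok
}

if (Test-PemBundle -Path $BundlePath) { 'Bundle looks good; run "nginx -t" and then reload NGINX.' }
```

The script runs under PowerShell 7 on the Ubuntu host as well as on Windows, since it only uses .NET’s certificate classes; it does not replace the online chain check, which also tells you what the client side sees, but it catches the two paste mistakes described above before NGINX refuses to start.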

Related Articles, References, Credits, or External Links

NA

Windows 10 & Windows Server Update Error 0x800705b4

KB ID 0001569

Problem

I can’t remember Windows being so diabolically bad at simply updating? I built a new 2016 server, simply to create a VM template, and it would not update;

There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x800705b4)

Solution

Well that’s a very polite but useless error! (Thanks anyway.) One thing I have noticed is that this tends to happen if one of the updates is an update for Windows Defender, so open that first and perform a manual update of it, then try again.

If that does not work, then run SCONFIG and select option 6.

A new window will open; follow the instructions (THIS TAKES AGES). Seriously, start it going and check it the next day!

After that, you should be good to go 🙂

Related Articles, References, Credits, or External Links

NA

vCenter ‘Root’ Account Expired

KB ID 0001568

Problem

Today I found I could no longer log in to the VCSA vCenter appliance;

Exception in invoking authentication handler User password expired

Solution

Although I couldn’t log in to the web console, I could still log in to the appliance via SSH. Then invoke the shell command, and reset the root password with the passwd command;

Now if you wish, you can Disable VCSA Password Expiration: Administration > Edit > No > Save.

Related Articles, References, Credits, or External Links

NA

iLO: Java Error “Unable to Load Resource”

KB ID 0001567

Problem

When attempting to connect to an iLO 3 remote console on an HP Server;

General Exception
Name: com.hp.ilo2.intgapp.intgapp
ExitException: Unable to load resource
https://{Server}/html/intgapp3_231.jar

Solution

Having added the URL of the iLO to the trusted sites in the Java preferences, I thought that was all I had to do. Turns out I was wrong. Navigate to Administration > Security > Encryption > Encryption Enforcement Settings > Enforce AES/DES Encryption > change to ‘Enabled’ > Apply > wait for the iLO to reset, and try again.

Related Articles, References, Credits, or External Links

NA

vSphere ESX: Replace / Update the VMware Tools ISO

KB ID 0001566

Problem

On Experts Exchange this morning someone asked how to upgrade the VMware Tools, as a result of a security advisory that advocated updating the Windows VMware Tools to version 10.3.

So here’s how to replace / upgrade the VMware Tools distribution ISOs, that live inside ESX.

Solution

Firstly, you need to download the tools! It’s easier if you simply get them in .zip format.

Download and extract them. Note: there is also a floppy images section; I’m not bothering with those, but you will see where they go as we progress, if you want to do them as well.

Use WinSCP to connect to your ESX host, and navigate to /vmimages/tools-isoimages

Note: There’s your floppies directory!

WARNING: To be on the safe side, copy away any files you are going to overwrite with the new ones. I’ve moved them to another folder in case there’s a drama and I need to put them back! Then upload the new files you downloaded earlier.

You will see your VMs now know there’s a newer version.

You can now successfully update them to the newest version.

Related Articles, References, Credits, or External Links

NA

vSphere: Cannot Change the Host Configuration

KB ID 0001565

Problem

There’s always one! I had a single ESX host that refused to add a datastore?

Failed to create VMFS Datastore {Name} – Cannot change the host configuration.

Solution

I already half suspected what the problem was, because I’d had a similar problem earlier this week presenting disks to a Windows VM: there’s a GPT partition table on the drive/array.

But without waiting an hour for the HP RAID software to security erase the drives, (and a reboot,) how would I do the same with ESX?

First take note of the drive device name.

Enable SSH on your ESX host.

Connect with an SSH client, and list the device names with the following commands;

[box]

cd /dev/disks
ls

[/box]

Copy the device name to the clipboard and execute the following command (this writes a fresh, empty MSDOS partition table to the device, discarding whatever was on it, so make sure you have the right one);

[box]

partedUtil mklabel /dev/disks/{device-id} msdos

[/box]

Then try to add the datastore again.

Related Articles, References, Credits, or External Links

NA