Windows: Copy User Membership to Another User

Copy User Membership KB ID 0001828

Problem

If you have a lot of user groups and simply want to copy/clone one user's group membership to another user, then with PowerShell that's quite simple to do.

Solution: Copy User Membership

Here I have two users: ALane, who is a member of a few groups, and APatel, who is simply a member of Domain Admins.

Although we can see above what groups ALane is a member of, let's prove that with PowerShell.

[box]

Get-ADUser -Identity ALane -Properties memberof | Select-Object -ExpandProperty memberof

[/box]

Copy User Membership

Then let’s copy the groups from ALane to APatel.

[box]

Get-ADUser -Identity ALane -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members APatel

[/box]

And finally, let's make sure APatel is a member of those groups.

[box]

Get-ADUser -Identity APatel -Properties memberof | Select-Object -ExpandProperty memberof

[/box]

Or simply look in Active Directory Users and Computers (you might need to refresh if you already had APatel's properties open!)
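The three one-liners above do the job, but when cloning membership in anger you usually want a dry run, a way to keep privileged groups out of the copy, and a comparison afterwards. The following script is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module is installed and that the sample accounts ALane and APatel exist in your domain.

```powershell
# Added example (not from the original article): clone one user's group
# membership to another with -WhatIf support, a skip for groups the target
# is already in, and an exclusion list for groups that should never be cloned.
Import-Module ActiveDirectory

function Copy-ADUserGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SourceUser,
        [Parameter(Mandatory)] [string] $TargetUser,
        # Group names that must never be copied (e.g. tier-0 admin groups)
        [string[]] $ExcludeGroup = @()
    )

    $sourceGroups = @(Get-ADUser -Identity $SourceUser -Properties memberOf |
        Select-Object -ExpandProperty memberOf)
    $targetGroups = @(Get-ADUser -Identity $TargetUser -Properties memberOf |
        Select-Object -ExpandProperty memberOf)

    foreach ($dn in $sourceGroups) {
        $group = Get-ADGroup -Identity $dn
        if ($ExcludeGroup -contains $group.Name) {
            Write-Warning "Skipping excluded group $($group.Name)"
            continue
        }
        if ($targetGroups -contains $dn) {
            Write-Verbose "$TargetUser is already a member of $($group.Name)"
            continue
        }
        # With -WhatIf, ShouldProcess prints the intended change and returns $false
        if ($PSCmdlet.ShouldProcess($group.Name, "Add $TargetUser")) {
            Add-ADGroupMember -Identity $group -Members $TargetUser
        }
    }
}

# Show which group DNs are present on one user but not the other
function Compare-ADUserGroupMembership {
    param([string] $ReferenceUser, [string] $DifferenceUser)
    $ref  = @(Get-ADUser -Identity $ReferenceUser  -Properties memberOf | Select-Object -ExpandProperty memberOf)
    $diff = @(Get-ADUser -Identity $DifferenceUser -Properties memberOf | Select-Object -ExpandProperty memberOf)
    # Compare-Object rejects empty arrays, so handle the "no groups" case first
    if ($ref.Count -eq 0 -or $diff.Count -eq 0) {
        return [pscustomobject]@{ OnlyOnReference = $ref; OnlyOnDifference = $diff }
    }
    Compare-Object -ReferenceObject $ref -DifferenceObject $diff
}

# Dry run first, then the real copy, then confirm the two users line up
Copy-ADUserGroupMembership -SourceUser ALane -TargetUser APatel -ExcludeGroup 'Domain Admins' -WhatIf
Copy-ADUserGroupMembership -SourceUser ALane -TargetUser APatel -ExcludeGroup 'Domain Admins' -Verbose
Compare-ADUserGroupMembership -ReferenceUser ALane -DifferenceUser APatel
```

Groups that only APatel holds (Domain Admins in this example) still show up in the comparison output, which is the point: cloning should add to the target, and the compare tells you what was not touched.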

Related Articles, References, Credits, or External Links

NA

Install Windows Terminal on Windows Server 2022

Windows Terminal KB ID 0001827

Problem

I’ve been aware of Windows Terminal for a while, I’ve just never felt the need to set it up. Most of my work for the website involves me taking screenshots on Windows Server OS. So, when I decided to take a look at it I had to jump through a few hoops to get it to work, in the words of Juan Sánchez Villalobos Ramírez, Chief metallurgist to King Charles V of Spain, “I would save you that pain”. (If you get that reference, we can be friends).

Solution: Windows Terminal on Server 2022

So, Windows Server OSs cannot access the Windows Store, so you need to manually download the app packages (.msixbundle) and then install them with PowerShell. If you want to install on Server 2022 then don't download the Windows 11 package; if you do and try to install it you will see something like:

Deployment failed with HRESULT: 0x80073CFD, A Prerequisite for an install could not be satisfied. Windows cannot install package Microsoft.WindowsTerminal_1.16.10262.0_x64__8wekyb3d8bbwe because this package is not compatible with the device. The package requires OS version 10.0.22000.0 or higher on the Windows.Desktop device family. The device is currently running OS version 10.0.20348.1668

I walked back through a few versions before I realised you need to download the Windows 10 versions. Go here and check for the latest version.

Previous Windows Server Versions: In some cases you may need to download and install the Preinstall Kit (see the above page for the download link). Simply download it as a Zip file, extract it, and then use Add-AppxPackage to install its msixbundle first. For Server 2022 you don't need to do that.

Firstly, you need to download another package, as it's a prerequisite; the following commands will download and install it.

Note: Ensure C:\Temp exists!

[box]

Invoke-WebRequest -Uri https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -OutFile C:\Temp\Microsoft.VCLibs.x64.14.00.Desktop.appx
Add-AppxPackage C:\Temp\Microsoft.VCLibs.x64.14.00.Desktop.appx

[/box]

Once complete you can download and install the Windows Terminal package (check for the latest version and change the URL accordingly).

[box]

Invoke-WebRequest -Uri https://github.com/microsoft/terminal/releases/download/v1.16.10261.0/Microsoft.WindowsTerminal_Win10_1.16.10261.0_8wekyb3d8bbwe.msixbundle -OutFile C:\Temp\Microsoft.WindowsTerminal_Win10_1.16.10261.0_8wekyb3d8bbwe.msixbundle
Add-AppxPackage -path C:\Temp\Microsoft.WindowsTerminal_Win10_1.16.10261.0_8wekyb3d8bbwe.msixbundle

[/box]

Now you can launch Windows Terminal.
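If you want to script the above rather than paste it, the following is an added example (not code from the original article or from the Windows Terminal project). It checks the OS build so you get a clear message instead of the 0x80073CFD error, creates C:\Temp if it is missing, downloads the two packages quoted above, and refuses to install a file whose SHA256 does not match a value you pin. The hash values are placeholders; replace them with the hashes published for the release you download.

```powershell
# Added example (not from the original article): download, verify and
# install the VCLibs prerequisite and the Win10 Windows Terminal bundle.
$ErrorActionPreference = 'Stop'
$stage = 'C:\Temp'

# Server 2022 reports build 20348; the Windows 11 bundle requires 22000 or
# higher, which is exactly the 0x80073CFD failure quoted in the article.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -lt 22000) {
    Write-Host "Build $build detected: use the Win10 Windows Terminal bundle, not the Win11 one."
}

$placeholder = 'REPLACE-WITH-PUBLISHED-SHA256'   # placeholder, not a real hash
$packages = @(
    @{
        Uri    = 'https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx'
        File   = Join-Path $stage 'Microsoft.VCLibs.x64.14.00.Desktop.appx'
        Sha256 = $placeholder
    },
    @{
        Uri    = 'https://github.com/microsoft/terminal/releases/download/v1.16.10261.0/Microsoft.WindowsTerminal_Win10_1.16.10261.0_8wekyb3d8bbwe.msixbundle'
        File   = Join-Path $stage 'Microsoft.WindowsTerminal_Win10_1.16.10261.0_8wekyb3d8bbwe.msixbundle'
        Sha256 = $placeholder
    }
)

if (-not (Test-Path $stage)) {
    New-Item -ItemType Directory -Path $stage | Out-Null
}

foreach ($p in $packages) {
    if (-not (Test-Path $p.File)) {
        Invoke-WebRequest -Uri $p.Uri -OutFile $p.File
    }
    $actual = (Get-FileHash -Path $p.File -Algorithm SHA256).Hash
    if ($p.Sha256 -eq $placeholder) {
        Write-Warning "No hash pinned for $($p.File); downloaded file hashes to $actual"
    } elseif ($actual -ne $p.Sha256) {
        # Do not install a package that differs from the published release
        throw "SHA256 mismatch for $($p.File): expected $($p.Sha256), got $actual"
    }
    Add-AppxPackage -Path $p.File
}

# Confirm the package registered for the current user
Get-AppxPackage -Name Microsoft.WindowsTerminal | Select-Object Name, Version
```

Pinning the hash matters more than it looks: both downloads come from redirecting URLs, and Add-AppxPackage will happily install whatever file it is handed as long as the package signature validates.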

Related Articles, References, Credits, or External Links

NA

Windows: Migrate DHCP HA

Migrate DHCP HA KB ID 0001826

Problem

I got an email last week.

“Hi thanks for your video. I have two win 2012 DC DHCP on a failover/load balance config and want to migrate to new Win 2022 VMs. What’s the exact procedure? If it’s a single VM it’s easy but I’m not sure about if it’s on a failover setup.”

Well, migrating the domain controller element I've covered before.

Migrate From Server 2012 to Server 2022 Domain Controllers

And migrating stand-alone DHCP servers is easy.

Migrate DHCP Scope(s) to Windows Server 2022

But what if you have your DHCP servers deployed in HA, be that Load Balanced or Hot Standby (failover)?

How do you migrate DHCP to a new platform then?

Solution: Migrate DHCP HA

There was very little information I could find on this subject. You can drop down to one DHCP server, perform a simple migration to Server 2022 and then set up HA again, of course, but I think the following solution is much more elegant, and there's NO DOWNTIME to worry about.

Windows Migrate DHCP HA – Step 1 Remove HA

In my example I have some 2012 R2 servers running DHCP (it does not matter if they are in Load Balancing mode or Hot Standby; the approach is the same, just the commands will vary).

I’ve got two new Windows Server 2022 servers updated and added to the domain ready to take on the DHCP HA roles.

The first thing I’m going to do is remove the failover partnership. You can do this on either of the legacy DHCP servers but the one you run the command on will be the DHCP server that remains operational after you remove the partnership (in this case 2012-dhcp-1.dingdong.com).


Use the following syntax: the first command gets the failover group's name, and the second deletes that failover group.

[box]

Get-DHCPServerv4Failover
Remove-DHCPServerv4Failover "Failover-Group-Name"

[/box]

Windows Migrate DHCP HA – Step 2 Uninstall DHCP

Go to the server you have just removed the partnership from; it will not be performing DHCP, but it still has the role installed.

To remove DHCP from the redundant legacy server use the following PowerShell commands. WARNING: the last command will reboot the server.

[box]

Uninstall-WindowsFeature DHCP
Uninstall-WindowsFeature RSAT-DHCP
Restart-Computer

[/box]

Windows Migrate DHCP Failover – Step 3 Create HA to Server 2022

We will now create a failover partnership to the first of our two new Windows Servers.

Firstly we need to install the DHCP role on BOTH of our new Windows Servers, register them in AD, and change a registry key to stop Server Manager bugging you about running the DHCP setup wizard (run these on each new server, changing the DNS name and IP address for the second one).

[box]

Install-WindowsFeature DHCP -IncludeManagementTools
netsh dhcp add securitygroups
Add-DhcpServerInDC -DnsName 2022-DHCP-1.dingdong.com -IPAddress 192.168.110.18
Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2

[/box]

NOW CARRY OUT THE NEXT STEP ON THE REMAINING LEGACY DHCP SERVER

To create a Load Balanced failover partnership (with a 50/50 load balance) use the following syntax (change the server names, scope ID and shared secret accordingly).

[box]

Add-DhcpServerv4Failover -ComputerName "2012-DHCP-1.dingdong.com" -PartnerServer "2022-DHCP-1.dingdong.com" -Name "DHCP-LOAD-BALANCE" -LoadBalancePercent 50 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 -ScopeId 192.168.110.0 -SharedSecret "Password123"

[/box]

To create a Hot Standby (failover) partnership, use the following command instead.

[box]

Add-DhcpServerv4Failover -ComputerName "2012-DHCP-1.dingdong.com" -PartnerServer "2022-DHCP-1.dingdong.com" -Name "DHCP-HOT-STANDBY" -ServerRole Active -ReservePercent 10 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 -ScopeId 192.168.110.0 -SharedSecret "Password123"

[/box]

Windows Migrate DHCP Failover – Step 4 Break Replication

If you are replicating many scopes then wait a while for the servers to be 'in sync'. The next step seems counter-intuitive, as you are going to delete the very thing you have just created, but this procedure is carried out on the NEW DHCP SERVER, NOT THE LEGACY ONE (so the DHCP scope is removed from the last remaining legacy DHCP server).

On the first new DHCP server execute the following commands (the same commands you used above in step 1).

[box]

Get-DHCPServerv4Failover
Remove-DHCPServerv4Failover "Failover-Group-Name"

[/box]

Windows Migrate DHCP HA – Step 5

Now, just as you did in step 2, remove the DHCP role from the last remaining legacy DHCP server.

Again, use the following commands. WARNING: the last command will reboot the server.

[box]

Uninstall-WindowsFeature DHCP
Uninstall-WindowsFeature RSAT-DHCP
Restart-Computer

[/box]

Windows Migrate DHCP Failover – Step 6 Deploy new DHCP HA Configuration

Lastly, we set up a new failover relationship configured the same as the one we created in step 3, but this time with the last remaining new DHCP server.

Like so.

[box]

Add-DhcpServerv4Failover -ComputerName "2022-DHCP-1.dingdong.com" -PartnerServer "2022-DHCP-2.dingdong.com" -Name "DHCP-LOAD-BALANCE" -LoadBalancePercent 50 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 -ScopeId 192.168.110.0 -SharedSecret "Password123"

[/box]
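The six steps above are manual by design, but the risky moments are the two Remove-DhcpServerv4Failover calls: if the partners are not in sync when you break the relationship, the surviving server keeps a stale copy of the scope. The following script is an added example, not code from the original article; it drives the same six steps from a management host with the DHCP RSAT cmdlets and WinRM access, and checks scope range and reservation count on both partners before each relationship is removed. Server names and the scope are the article's sample values; the Load Balanced variant is shown, swap in the Hot Standby parameters from step 3 if that is what you run.

```powershell
# Added example (not from the original article): scripted DHCP HA migration
# with a consistency check before every failover relationship is torn down.
$ErrorActionPreference = 'Stop'

$legacy1 = '2012-DHCP-1.dingdong.com'   # legacy server kept until step 5
$legacy2 = '2012-DHCP-2.dingdong.com'   # assumed name of the legacy partner removed in steps 1-2
$new1    = '2022-DHCP-1.dingdong.com'
$new2    = '2022-DHCP-2.dingdong.com'
$scopeId = '192.168.110.0'
$secret  = Read-Host -Prompt 'Failover shared secret'   # prompted, not hard-coded in the script

# Scope range, mask and reservation count should agree on both partners
function Test-DhcpScopeInSync {
    param([string] $ServerA, [string] $ServerB, [string] $ScopeId)
    $a = Get-DhcpServerv4Scope -ComputerName $ServerA -ScopeId $ScopeId
    $b = Get-DhcpServerv4Scope -ComputerName $ServerB -ScopeId $ScopeId
    $resA = @(Get-DhcpServerv4Reservation -ComputerName $ServerA -ScopeId $ScopeId).Count
    $resB = @(Get-DhcpServerv4Reservation -ComputerName $ServerB -ScopeId $ScopeId).Count
    return ($a.StartRange -eq $b.StartRange -and $a.EndRange -eq $b.EndRange -and
            $a.SubnetMask -eq $b.SubnetMask -and $resA -eq $resB)
}

# Remove every failover relationship on a server, but only once its partner is in sync.
# The server this runs against keeps the scope; the partner loses it.
function Remove-DhcpFailoverSafely {
    param([string] $ComputerName, [string] $ScopeId)
    foreach ($fo in Get-DhcpServerv4Failover -ComputerName $ComputerName) {
        if (-not (Test-DhcpScopeInSync -ServerA $ComputerName -ServerB $fo.PartnerServer -ScopeId $ScopeId)) {
            throw "Scope $ScopeId differs between $ComputerName and $($fo.PartnerServer); not removing $($fo.Name)"
        }
        Remove-DhcpServerv4Failover -ComputerName $ComputerName -Name $fo.Name
    }
}

# Step 1: break the legacy partnership from the server that stays ($legacy1 keeps the scope)
Remove-DhcpFailoverSafely -ComputerName $legacy1 -ScopeId $scopeId

# Step 2: the other legacy server is now idle; remove the role (this reboots it)
Invoke-Command -ComputerName $legacy2 -ScriptBlock {
    Uninstall-WindowsFeature DHCP, RSAT-DHCP
    Restart-Computer -Force
}

# Step 3: prepare BOTH new servers, then pair $legacy1 with $new1
foreach ($srv in $new1, $new2) {
    Invoke-Command -ComputerName $srv -ScriptBlock {
        Install-WindowsFeature DHCP -IncludeManagementTools | Out-Null
        netsh dhcp add securitygroups | Out-Null
        Set-ItemProperty -Path 'registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2
    }
    Add-DhcpServerInDC -DnsName $srv
}
Add-DhcpServerv4Failover -ComputerName $legacy1 -PartnerServer $new1 -Name 'DHCP-LOAD-BALANCE' `
    -LoadBalancePercent 50 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 `
    -ScopeId $scopeId -SharedSecret $secret

# Step 4: once in sync, remove the relationship FROM THE NEW SERVER so the scope leaves $legacy1
Remove-DhcpFailoverSafely -ComputerName $new1 -ScopeId $scopeId

# Step 5: retire the last legacy server (reboots it)
Invoke-Command -ComputerName $legacy1 -ScriptBlock {
    Uninstall-WindowsFeature DHCP, RSAT-DHCP
    Restart-Computer -Force
}

# Step 6: final HA pair between the two new servers, then show the result
Add-DhcpServerv4Failover -ComputerName $new1 -PartnerServer $new2 -Name 'DHCP-LOAD-BALANCE' `
    -LoadBalancePercent 50 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 `
    -ScopeId $scopeId -SharedSecret $secret
Get-DhcpServerv4Failover -ComputerName $new1
```

Remove-DhcpServerv4Failover still prompts for confirmation in this script; that is deliberate, since each removal deletes the scope from the partner and there is no undo short of restoring it.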

You can now migrate any remaining roles or applications from the old servers, remove them from the domain and decommission them.


Related Articles, References, Credits, or External Links

Configure DHCP for Failover

Deny RDS

Deny RDS KB ID 0001825

Problem

Way back when I started doing tech (in the days of Novell 4 and NT4), my mantra was: if you must deny something, then you've done something wrong. Now I work for a UK-based MSP that offers SPLA licensing to clients.

Unlike typical RDS licensing, SPLA requires every 'capable' AD user that 'can' RDP onto a server (regardless of whether it's a Session Host RDS server or not) to have an RDS SAL.

So, when audited and hit with a big licensing bill, the client's first question is usually "How do I reduce this?"

Solution: Deny RDS

Create a new security group (don't use Domain Users!) and give it a sensible name, e.g. GS-Deny-RDS-Access (GS for Global Security; I don't like spaces in names, as it makes scripts easier to write!)

Obviously put in the users you want to explicitly deny RDS access to.

Create (or edit an existing) Group Policy linked either to the OU that contains your servers (remember domain controllers are in a different OU, so link it there also), or, if you're lazy like me, simply link it to the root of the domain.

Edit the policy and navigate to:

[box]

Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment > Deny Log on through Remote Desktop Services

[/box]

Enable the policy > browse to and select the group you created earlier.

Then wait, or force a policy update to test.
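"Wait, or force a policy update to test" is where most deny-right changes go wrong: the GPO looks right but never reaches the box, or a user is still in a group that matters less than you think. The following is an added example, not code from the original article. It creates and populates the deny group with PowerShell, then reads the effective local security policy on a server with secedit and confirms the group appears in the right that the GPO setting above maps to (SeDenyRemoteInteractiveLogonRight). The group OU, the sample member and the server name are assumptions; the GPO setting itself is still created in the Group Policy editor as described above.

```powershell
# Added example (not from the original article): create the deny group and
# verify the resulting user-rights assignment on a target server.
Import-Module ActiveDirectory

$groupName = 'GS-Deny-RDS-Access'
$groupOU   = 'OU=Groups,DC=dingdong,DC=com'   # assumed OU
$members   = @('APatel')                       # assumed sample user
$server    = 'SERVER01'                        # assumed test server

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOU `
        -Description 'Members are denied RDP logon via GPO user rights assignment'
}
Add-ADGroupMember -Identity $groupName -Members $members

# Export the effective user-rights policy with secedit and return the principals
# listed for SeDenyRemoteInteractiveLogonRight. secedit writes SIDs prefixed
# with '*', so resolve those to DOMAIN\name where possible.
function Get-DenyRdpLogonPrincipals {
    param([string] $ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'secpol-export.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight\s*=' }
        Remove-Item $cfg -Force
        if (-not $line) { return @() }   # right not assigned at all
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }       # unresolvable SID: keep it raw so it is still visible
            } else { $entry }
        }
    }
}

# Force a computer policy refresh on the test server, then check the right
Invoke-Command -ComputerName $server -ScriptBlock { gpupdate /target:computer /force | Out-Null }
$denied = @(Get-DenyRdpLogonPrincipals -ComputerName $server)
if ($denied -match [regex]::Escape($groupName)) {
    "OK: $groupName is listed in SeDenyRemoteInteractiveLogonRight on $server"
} else {
    "NOT applied on $server; current entries: $($denied -join ', ')"
}
```

Running the check across your server list (a foreach over the output of Get-ADComputer, for example) gives you a quick audit of which hosts actually enforce the deny, which is also what an auditor will ask for.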

Related Articles, References, Credits, or External Links

NA