Take Ownership and Grant ‘Full Control’ Recursively

Take Ownership KB ID 0001200 

Problem

I had a bunch of old user profile folders I needed to delete today, When setup properly even the domain administrator can’t get in there and delete them;

You need permission to perform this action.

You don’t currently have persmission to access this folder

If it’s just one folder then simply take ownership, grant yourself rights and delete it! But I had a lot of folders so I needed a more robust (read less work) solution.

Solution: Take Ownership

Take Ownership of all Folders/Sub-Folders, and Files

Open an administrative command window, and execute the following command;

[box]

takeown /a /r /d Y /f C:\"Path-To-Folder"

[/box]

Grant ‘Full Control’ Rights to all Folders/Sub-Folders, and Files

Just because you are the owner, that does not mean you have any rights to the folders and files, to grant full control to the administrators group.

[box]

icacls C:\"Path-To-Folder" /grant administrators:F /t

[/box]

You can then delete the folder and its contents recursively with the following command.

[box]

Remove-Item -Path "Path-To-Folder" -Force -Recurse

[/box]

Related Articles, References, Credits, or External Links

Can’t Delete a File or Folder or Take Ownership

Migrate NPS Server

Migrate NPS Server KB ID 0001841

Problem

If you have deployed an NPS Server on your network, there may be a time when you want to replace that server – if all its doing is NPS and its 2012 or newer I’d be tempted to simply in-place upgrade it, but some people are rigid in their beliefs that that is not a good idea. So in that case you need to migrate to a new server.

Solution : Migrate NPS Server

Locate NPS Server

Just in case you know you have an NPS server, but you don’t know what server it’s on, (or how many you have!) The simplest way to find out is to look in the RAS and IAS Servers group in AD.

You can use the following procedure on Server 2012 (and newer) If your source server is Server 2008 then you need to use the netsh method I’ll outline below.

Migrate NPS Server : Export NPS Settings PowerShell

On the OLD (source) server,

 

[box]

Export-NpsConfiguration -Path C:\NPS-PS-Exported.xml

[/box]

Then simply copy that exported XML file to the new NPS server.

Migrate NPS Server : Import NPS Settings PowerShell

At this point I’ll assume that your target server is built, updated and domain joined. So we have three tasks, install NPS, authorise the NPS server in AD, then import the settings from the file you exported above. Note: There is no direct PowerShell command to authorise the new server in AD (at time of writing) So we need to use the netsh command to do that.

[box]

Install-WindowsFeature NPAS -IncludeManagementTools

netsh ras add registeredserver

Import-NpsConfiguration -Path C:\NPS-PS-Exported.xml

[/box]

Then at this point I’d stop and disable NPS services on the old server and give everything a test. REMEMBER if you have RADIUS clients you may need to change the IP address that THEY are set to to the new NPS Server.

WARNING: If you are using authentication protocols that need certification like PEAPMS-CHAP v2, PEAPTLS, or EAPTLSAND your client are set to check the server’s identification (this is optional usually). Then check the new server has the correct certificates.

Migrate NPS Server (Server 2008)

On older OSs you don’t have the Export-NpsConfiguration and Import-NpsConfiguration PowerShell commandlets to use, so you have to use the netsh command instead.

Export NPS with Netsh

[box]

netsh

nps

export filename="C:\NPS-Exported-NETSH.xml" exportPSK=YES

[/box]

Import NPS with Netsh

[box]

netsh

nps

import filename="C:\NPS-Exported-NETSH.xml"

[/box]

Remove NPS

Once you’ve waited long enough to be sure you no longer need the old NPS server you can remove it with the following commands.

[box]

netsh ras delete registeredserver

Uninstall-WindowsFeature NPAS

Restart-Computer

[/box]

Note: If you are removing from Server 2008 you may need to use Remove-WindowsFeature NPAS instead!

Related Articles, References, Credits, or External Links

NA

Disable LLMNR and NetBIOS (via GPO)

Disable LLMNR and NetBIOS KB ID 0001816

Problem

LLMNR is a protocol that’s used both in IPv4 and IPv6 networks to provide name resolution (in the absense of DNS), the problem with it is that it is wide open to exploitation and can be used to perform a MITM attack on your network. NetBIOS is much older and asscociated with IPv4 networks only. Really old Microsoft OSs used to rely on it heavily, but these days its pretty much redundant*

*Note: Unless you have Windows Server NT/2000/2003 or Windows 2000/XP floating around, or some older flavours of Linux that need to talk to your Microsoft server estate, may still rely on NetBIOS.

NetBIOS itself is not actually a protocol (depending on who you ask, let’s not have an argument) It’s actually much older than the old Windows systems that are synonymous with it’s use, the actual protocol that’s used is actually NetBEUI.

Solution: Disable LLMNR and NetBIOS

Step 1: Disable LLMNR

Disabling LLMNR is as easy as peas, theres a GPO setting for it, NetBIOS is more of a challenge because its enabled/disable against a network connection, each network conection on each machine has a differnet identifyer in the registry, so we can even use a GPP and set the registry key. The only way to do this practically is with a script thats called from Group Policy that disables NetBIOS on ALL network cards.

Create (or edit an existing) Group Policy object that is linked to the OU that you computers are in.

Navigate to;

[box]

Computer Configuration > Policies > Administrative Templates > Network > DNS Client > Turn off Multicast name resolution

[/box]

Enable the Policy > Apply > OK.

Step 2: Disabling NetBIOS (For Static IP Clients)

Remember this protocol is pretty much dead not, but it is worth just firing up WireShark and having a sniff round the network to make sure nothing is still using it to be on the safe side.

Copt the following Powershell Script

[box]

If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{  
$arguments = "& '" + $myinvocation.mycommand.definition + "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}
$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}

[/box]

Note: Before you all start emailing in, yes it does a credentials check to make sure you have the right to perform the change – and yes I am aware startup script run under the system account (so theres no need to do this) but people can use this script universally, If I leave that in.

Save the script somewhere that’s shared, or simply \\{Domian-Name}\Sysvol\{Domain-Name}\Scripts

Then back in you group policy managment console, navigate to.

[box]

Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup

[/box]

Add a New Script > PowerShell Scripts > Add  > Browse > MAKE SURE you browse to the network location of the script > Open > OK > Apply > OK.

To Test: Go to a client this policy is applied to, and look at its network card properties, it should show “Disable NetBIOS over TCP/IP“.

Step 3: Disabling NetBIOS (For DHCP Clients)

If your end clients get their IP addresses form a DHCP server, you can disable this (PER SCOPE) on your DHCP server. Locate the scope you want to work on > Scope Options > Configure Options > Advanced  >Microsoft Windows 2000 options > Tick Option 001 > Change the entry to 0x2 > Apply > OK.

Related Articles, References, Credits, or External Links

NA

Migrate DHCP Scope(s)

Migrate DHCP KB ID 0001792

Problem

If you have a lot of DHCP scopes, options, or reservations, then manually creating them on your new DHCP servers can be a both a time consuming and tedious process. If only there was an easier way?

Migrate DHCP with Netsh

Below you can see an example, where  I have many scopes and lot’s of settings that would be painful to have to recreate from scratch. This example is on Server 2008 R2,but your source server could be server 2000, (or newer) the export procedure is the same.

Open an administrative command window, and issue the following  command.

[box]

netsh dhcp server export C:\dhcp-export.txt all

[/box]

Now on the source DHCP server I’m stopping and disabling the DHCP SERVER service, you might want to wait until, you are about to authorise the new 2022 DHCP server to minimise downtime, before doing this in production.

Copy the exported text file from the old DHCP server, to the new server.

Migrate DHCP: Install DHCP on Windows Server (via PowerShell)

Open an administrative PoweShell window, and issue the following  command.

[box]

Install-WindowsFeature DHCP -IncludeManagementTools

[/box]

Then import the settings with the following command.

[box]

netsh dhcp server import C:\dhcp-export.txt all

[/box]

Go to Administrative Tools > DHCP > You should see your migrated information in here, the DHCP scopes will be down (because the server has not yet been authorised in AD). Right click the server name, and select Authorise.

Note: At this point ENSURE the old DHCP server has had its DHCP server service stopped and disabled.

Wait a few seconds and then restart the DHCP Server service, (this can be done as shown below).

After a few seconds, the new scopes should be up and getting served.

Related Articles, References, Credits, or External Links

NA

Remote Desktop Services – Connection Errors

KB ID 0001132

 

Below is not an exhaustive list of connection errors, it’s just a some things that have tripped me up. If you have a nasty error that you have fixed, feel free to drop me a line, send me some screenshots and the fix, and I’ll add them as well.

General Errors

Remote Desktop can’t connect to the remote computer for one of the following reasons;

1) Remote access to the server is not enabled
2)The remote computer is turned off
3)The remote computer is not available on the network

Make sure the remote computer is turned on and connected to the network, and that remote access sis enabled.

Probably the most common (and easiest to troubleshoot) of RDP errors, firstly ensure that the server is actually ‘listening’ for RDP connections, on the SERVER issue the following command;

[box]

netstat -an | find /i ":3389"

[/box]

You should see it LISTENING (Note: Below its listed twice because its listening on IPv4 and IPv6)

If its not, the the service might not even be running, Look in Services, and ensure the following services are running;

  • Remote Desktop Services
  • Remote Desktop Services UserMode Port Redirector

Make sure that RDP has been allowed on the local firewall of the RDP server, In the past I’ve seen a bug on some versions of Windows when even with the firewall disabled, things didn’t work unless RDP was allowed on the firewall settings. (I know that makes no sense, but I’ve seen it, particularly for remote VPN traffic).

Test RDP Connectivity

From a machine ON THE SAME NETWORK as the target RDP Server, firs see if you can ping the server by both IP address and hostname. (This is more for peace of mind remember the server might ot respond to pings but might be responding to RDP Traffic.

Then test that the machine you are on can get to the the RDP server on the correct port, (TCP 3389*)

[box]

Test-NetConnection {IP-Address-or-Hostname} -Port 3389
OR
Test-NetConnection {IP-Address-or-Hostname} RDP

[/box]

Providing this works, now try the SAME tests form outside you network, i.e. outside the firewall, or on a remote VPN  connection etc.

*RDP Port Note: Normally RDP is on TCP 3389, check on the server just in case someones changed the RDP listening port number. Or the firewall is expecting you to connect on another RDP Port.

Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.

Solution for Windows 10: I struggled with this for a while, all forum posts refer to windows 7/8 and the problem was caused by a windows update (KB2592687), that needed to be removed. But I was connecting with Windows 10? This  was the resolution;

Create/Edit a 32 bit DWORD value called RDGClientTransport in your registry at;

[box]

HKCU > SOFTWARE  >Microsoft > Terminal Services Client

[/box]

Set its value to ‘1’ (one).

Also See Remote Desktop Web Access – Connection Error


Your computer can’t connect to the remote computer because your computer or device did not pass the Network Access Protection requirements set by your network administrator.Contact your network administrator for assistance.

You normally see this error if one (or more), of your Remote Desktop Role servers does not have the correct certificate installed on it, (or the certificate it does has has expired).

Server Manager > Remote Desktop Services > Collection > Task > Select your collection > Task > Edit Deployment Settings > Certificates > Check and reinstall each one as required.

Remote Desktop Gateway Errors

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address is unreachable or incorrect. Type a valid Remote Desktop Gateway server address.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.

The machine trying to connect needs to be able to resolve the ‘public name’ of the Remote Desktop Gateway server. And this may not be the hostname of the server! As you can see in the image above the Gateway server name is set to rdg.smoggyninja.com. The important thing is when I ping this name, it resolves to the correct IP address, (mine responds to pings, yours probably wont if you’re connecting though a firewall.)

In some cases you need to set the public name of the the Remote Desktop Gateway server, in the servers IIS Settings. On the Gateway server > Start > Administrative Tools > Internet Information Services (IIS) Manager > {Server-name} > Sites > Default Website > RDWeb > Pages  > Application Settings > Set ‘DefaultTSGateway’ to the public name of the gateway server. Then from command line run ‘iisreset‘ to restart the web services.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server’s certificate has expired or has been revoked. Contact your network administrator for assistance.

In most cases this should be easy to fix, if you use self signed certificates make sure your CRL settings and/or OCSP settings are correct. If you use a publicly signed cert make sure your client can contact the publishers CRL (look on the properties of the certificate).

Check the Obvious: It saying the RDG cert has expired, make sure it’s in date! In the Gateway Server Launch Server Manager > Remote Desktop Services > Collections > {Collection-name} > Tasks > Edit Deployment Properties.

Certificates > RD Gateway > View Details > Is it in date?

Everything is OK? But I’m Still Getting This Error? Are you publishing the Gateway with something else like Web Application Gateway? Threat Management Gateway? Load Balancer? Look in that direction.

Also See Remote Desktop Web Access – Connection Error

Related Articles, References, Credits, or External Links

NA

Enable Remote Desktop (Remotely)

KB ID 0001747

Problem

Let’s say you want to RDP to a remote server (imagine such a thing!) But some doofus didn’t enable RDP? Well you can enable Remote Desktop via group policy and wait a while. I used to connect to the registry remotely and change the key that enabled RDP, but now you can do it with a simple PowerShell command. Not only will it enable Remote Desktop, it will also allow RDP on the Windows firewall (if enabled).

Enable Remote Desktop (Powershell)

First install the module, then execute the command;

[box]

Install-Module Enable-RemoteDesktop
Enable-RemoteDesktop -Target {Computer-name}

[/box]

A nice, quick fix.

Related Articles, References, Credits, or External Links

Enable RDP via Group Policy

Remote Desktop Services – Securing By Group Policy

 

Leave Domain: “A general network error occurred’

KB ID 0001738

Problem

After a recent lab on the test bench, I ended up with a 2008  x32 standard server. It took me a while to get this setup and running, so I wanted to keep it (or turn it into a VMware template should I ever need  another). But first I needed to ‘remove it’ from  the domain it was in. However, when attempting to do so this happened;

Computer Name /Domain Changes

The following error occurred validating the name “Host-Name”
A general network error occurred

That stinks of DNS? But the machine could resolve DNS, ping the domain name, was authenticated to the domain, and could ping itself by netbios name and FQDN?

Leave Domain (via Command Line)

With modern servers and clients we can simply ‘force’ a machine out of the domain with some PowerShell. In an old machine like this (2008 ran Powershell version 1 natively) those commands are not open to us. So to solve the problem I had to go a little more ‘old school’

Remember – You will need to either know the local administrator password, or a local account with administrative access before you drop it out of the domain, (or post reboot you wont be able to login!)

Open an administrative command window, and execute the following command;

[box]

netdom remove %computername% /domain:{your-domain-name} /force

[/box]

This will remove the machine from the domain, and drop it in a workgroup that that has the same name as the domain (in this  case TESTBENCH).

Related Articles, References, Credits, or External Links

NA

Windows File Server Migration (Maintain Share & NTFS Permissions)

KB ID 0001201

Problem

When attempting a File Server Migration why isn’t this better publicised? Did you know Microsoft have a set of Migration tools, and one of them is for file servers? Now traditionally I’d use RoboCopy or XCopy to migrate files and folders, and for ‘User Profiles’ I would normally back them up, and restore them to the new server. This is because the file permissions on ‘correctly deployed’ user profiles mean you can’t open them.

How about a tool, that migrates all the files, folders and profiles while maintaining all the NTFS permissions, AND Share permissions!

Windows File Server Migration Tools

Source Server Pre-requisites

  • Server 2003: .Net 2.0 (With SP1), and PowerShell 2.0, and 25MB free drive space.
  • Server 2008: PowerShell and 25Mb free drive space.
  • Server 2008 R2 and Newer: 25Mb free drive space.
  • All: UDP port 7000 needs to be open, from source to the destination server.

File Server Migration Server 2008 to Server 2019

File Server Migration from Server 2003!

  • Source Server: Windows Server 2003 Standard x64 (x86 supported as well)
  • Destination Server: Windows 2012 R2 Data Center 2012 

Source Server: Here you can see my user profiles, I’ll do the migration with them, as usually they are the most ‘challenging’.

You need to create a shared folder on the Source Server, I’ve just granted everyone full control, (this is just for the migration tools).

 

Destination  Server: Open a PowerShell windows and install the tools with the following command;

[box]

Install-WindowsFeature Migration –ComputerName {computer-name}

[/box]

Open an administrative command window > Now you need to deploy the migrations tools to the share on the destination server, to do that use the following command;

[box]

cd C:\Windows\System32\ServerMigrationTools

SmigDeploy.exe /package /architecture amd64 /os WS03 /path \\{Destination-Server}\{folder-name}

[/box]

Note: For x86 (32 bit) source servers use x86 instead of amd64. WS03 (Windows Server 2003), WS08 (Windows Server 2008), WS08R2 (Windows Server 2008 R2), and WS12 (Windows Server 2012).

Source Server: Open the folder you created earlier and within it you will find another folder that has the tools in. Open an administrative command window and change to this directory > then execute the following command;

[box]

.\smigdeploy

[/box]

Another PowerShell window will open, leave it open, and return to the destination server.

Destination Server: Here I’ve created a folder that I’m going to migrate into.

Destination Server: Open a PowerShell window and issue the following two commands;

[box]

add-pssnapin microsoft.windows.servermanager.migration

Receive-SmigServerData

[/box]

You will be asked to provide a password, (use what you want, but remember it, you will need it in a minute).

You now have a five minute window to get the migration running, or you will need to re-issie the last command again. 

Source Server: Return to your open PowerShell Window, and issue the following command;

[box]

Send-SmigServerData -ComputerName {destination-computer-name} -SourcePath {path-to-source-folder} -DestinationPath {path-to-destination-folder} -include all -recurse

[/box]

Supply the password, then go and put your feet up.

Destination Server: You can watch progress here.

Profiles migrated! And permissions intact.

Don’t forget to change the path to the user profile, on the user(s) user object(s) in Active Directory.

If you have a lot you can do them in bulk by multi-selecting the users.

 

Related Articles, References, Credits, or External Links

XCOPY – Insufficient Memory

Migrating – Folders and Share Permissions

Domain Join SID Error

KB ID 0001732

Problem

Thankfully I don’t see a SID error very often these days;

The following error occurred when attempting to join the domain ‘{domain-name}

The domain join cannot be completed because the SID of the domain you attempted to join was identical to the SID of this machine. This is a symptom of an improperly cloned operating system install. You should run Sysprep on this machine in order to generate a new machine SID.

Resolve SID Errors (Joining Domains)

In my case it was a server I was deploying into EVE-NG and I hadn’t ran says-rep on the image, (typically I only need one Windows server in my EVE-NG labs, but this time I needed another), so then I added a second and tried to add it to a domain, this happened. I should know better really!

If you have ever deployed or imaged Windows you can probably guess what the fix is, ‘Run Sysprep‘.

Note: I will probably get emails saying ‘Why not just run NewSID?’, well because it’s not officially supported any more, and sysprep is.

Navigate to C:\Windows\System32\Sysprep and run sysprep.exe > Tick the ‘Generalize’ option > Set the Shutdown option to ‘Reboot” > OK.

Go and have a coffee, when the server reboots, run though the OOBE setup, and try to join the domain again.

Related Articles, References, Credits, or External Links

NA

Setup FTP Server with Windows Server

KB ID 0000342

Problem

You want to Setup FTP on your Windows Server, (and more importantly make it work without disabling the firewall.) Below are the procedure you will need to carry out.

Note: For older Windows Operating systems like Server 2012, click here, or for Server 2008, click here.

Setup FTP Server (Windows Server)

Setup FTP on Windows Server 2012 (Including firewall setup)

 Setup FTP on Windows Server 2008 R2 (Including firewall setup)

Firewall Configuration for FTP on Server 2008 R2 (Included in the Video above).

>

Related Articles, References, Credits, or External Links

NA