The administrative template that you get with Win11 is somewhat out of date, so if you want to manage OneDrive with domain Group Policy your options are limited. If only there were a newer administrative template!
Well, there is, and it gets updated and sent to you quite regularly. Microsoft just do a good job of hiding it.
Solution: OneDrive GPO
Depending on your deployment, the files you need can be in different locations; the biggest challenge is finding them. Execute the following PowerShell to locate them.
As you can see (above), mine are in my user profile. The folder they are in also gives you the build number, so you can check occasionally for updates (they will get pulled down when your OneDrive client gets updated).
Go to that directory and you will find the ADMX and ADML files.
Note: If your deployment is not English, there may be a different ADML file for your language in the locale folders you can see above.
Copy the OneDrive.admx file into your PolicyDefinitions folder (if unsure of the path, see below; obviously substitute your own domain name, and here I'm on a domain controller so SYSVOL is on my local drive).
Now change to the INPUT LOCALE folder (in my case en-US) and copy the OneDrive.adml file into that folder.
Then when you are in the Group Policy Management Editor you will see the updated OneDrive options.
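As an added example (not code from the original post), the following Python does the locate-and-copy job described above: it finds the adm folder of the newest OneDrive build under the roots you give it and copies OneDrive.admx, plus the locale's OneDrive.adml, into the central store. The install roots in DEFAULT_ROOTS and the central-store path are assumptions; demo() builds a constructed folder tree so it runs anywhere.

```python
"""Locate the newest OneDrive ADMX/ADML files and copy them into the Group
Policy central store. Added example, not from the original post. Assumed
layout (per the post): <OneDrive install>\<build>\adm\OneDrive.admx with
OneDrive.adml beside it and per-locale subfolders such as adm\en-US."""
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Usual sync-client install roots (assumed): per-user and per-machine installs.
DEFAULT_ROOTS = [
    Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft" / "OneDrive",
    Path(r"C:\Program Files\Microsoft OneDrive"),
]


def _build_key(adm_dir: Path) -> tuple:
    """The parent of 'adm' is the build folder, e.g. 23.226.1031.0001 -> (23, 226, 1031, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", adm_dir.parent.name))


def find_newest_adm(roots) -> Optional[Path]:
    """Return the 'adm' folder belonging to the highest build number found under roots."""
    candidates = [p.parent for r in roots if r.is_dir() for p in r.rglob("OneDrive.admx")]
    return max(candidates, key=_build_key, default=None)


def copy_to_central_store(adm_dir: Path, central_store: Path, locale: str) -> List[str]:
    """Copy OneDrive.admx to the store root and OneDrive.adml to the locale folder.
    A locale-specific ADML (adm/<locale>/OneDrive.adml) wins over the root one."""
    copied = []
    central_store.mkdir(parents=True, exist_ok=True)
    shutil.copy2(adm_dir / "OneDrive.admx", central_store / "OneDrive.admx")
    copied.append("OneDrive.admx")
    adml = adm_dir / locale / "OneDrive.adml"
    if not adml.is_file():
        adml = adm_dir / "OneDrive.adml"
    dest = central_store / locale
    dest.mkdir(exist_ok=True)
    shutil.copy2(adml, dest / "OneDrive.adml")
    copied.append(f"{locale}/OneDrive.adml")
    return copied


def demo() -> Dict[str, object]:
    """Build a constructed OneDrive tree with two builds in a temp dir, then run
    the copy into a fake central store so the behaviour can be checked offline."""
    tmp = Path(tempfile.mkdtemp())
    for build in ("22.002.0103.0004", "23.226.1031.0001"):
        adm = tmp / "OneDrive" / build / "adm"
        (adm / "en-US").mkdir(parents=True)
        (adm / "OneDrive.admx").write_text(f"<!-- admx {build} -->")
        (adm / "OneDrive.adml").write_text(f"<!-- default adml {build} -->")
        (adm / "en-US" / "OneDrive.adml").write_text(f"<!-- en-US adml {build} -->")
    newest = find_newest_adm([tmp / "OneDrive"])
    # Assumed central-store path shape: \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions
    store = tmp / "SYSVOL" / "example.local" / "Policies" / "PolicyDefinitions"
    copied = copy_to_central_store(newest, store, "en-US")
    return {
        "build": newest.parent.name,
        "copied": copied,
        "admx": (store / "OneDrive.admx").read_text(),
        "adml": (store / "en-US" / "OneDrive.adml").read_text(),
    }


if __name__ == "__main__":
    print(demo())
```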
If you connect to a client via RDP and then try to run the AnyConnect client, you will see one of these errors:
VPN establishment capability for a remote user is disabled. A VPN connection will not be established
VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established
This behaviour is the default, and despite me trawling the internet to find a solution (most posts suggest changing the local AnyConnectProfile.tmpl file), this file does not exist in Version 3 (I was using v3.0.4235).
Update: With early versions of AnyConnect version 4 it does not tell you what's wrong; the VPN appears to connect and then disconnects quickly. If you have debugging on the firewall you will see the following:
Profile settings do not allow VPN initiation from a remote desktop.
Note: This is fixed in version 4.8, and you will see the error at the top of the page.
Solution
To solve this problem we need to create an AnyConnect profile, load the profile into the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do that in the ASDM. With older versions you need to use the stand-alone profile editor (see below).
Edit AnyConnect Profile With ASDM
Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
Give the profile a name > Select a group policy to apply it to > OK.
AllowRemoteUsers: Lets remote users bring up the VPN; if the VPN's routing forces the remote session to disconnect, the VPN is terminated automatically.
SingleLocalLogon: Allows multiple remote logons but only one local logon.
OR (older versions)
Apply the changes, and then save the running configuration to flash.
Edit AnyConnect Profile With Stand-Alone Profile Editor
1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).
Update: The AnyConnect Profile Editor is now built into the ASDM; it becomes available once you have enabled an AnyConnect image. Once you have a profile created you can skip straight to step 3 and skip all the other steps.
If you cannot download the software here’s a profile (I’ve already created) you can use. If you are going to use this, jump to step 5.
2. Once you have installed the profile editor, launch the “VPN Profile Editor”.
3. The setting we want is listed under Windows VPN Establishment, and needs setting to "AllowRemoteUsers". In addition I'm going to set Windows Logon Enforcement to "SingleLocalLogon".
AllowRemoteUsers: Lets remote users bring up the VPN; if the VPN's routing forces the remote session to disconnect, the VPN is terminated automatically.
SingleLocalLogon: Allows multiple remote logons but only one local logon.
4. Save the profile somewhere you can locate it quickly.
6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.
7. Make sure the file uploads correctly > Close.
8. To associate this profile with your AnyConnect/SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the "Client Profile to Download" section and uncheck the inherit button.
9. Click New > Browse Flash > Locate the profile you uploaded earlier.
10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.
11. Then reconnect with your AnyConnect Mobility Client software.
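As an added example (not from the post or from Cisco), this Python sets the two values above in an AnyConnect client profile XML, which is the file the profile editor writes and the ASA pushes to clients. The element names and namespace follow the AnyConnectProfile.xsd layout; SAMPLE_PROFILE and its host names are constructed.

```python
"""Set WindowsVPNEstablishment / WindowsLogonEnforcement in an AnyConnect
client profile. Added example, not from the post or Cisco. The element
names below follow the AnyConnectProfile.xsd layout; the sample profile
and its host entry are constructed."""
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"      # default namespace used by the profile schema
ET.register_namespace("", NS)                    # serialise back without an ns0: prefix

# Constructed profile carrying the restrictive default (VPN refused over RDP).
SAMPLE_PROFILE = f"""<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Example VPN</HostName>
      <HostAddress>vpn.example.invalid</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Values the schema accepts for the two settings the article changes.
VALID = {
    "WindowsVPNEstablishment": {"LocalUsersOnly", "AllowRemoteUsers"},
    "WindowsLogonEnforcement": {"SingleLocalLogon", "SingleLogon"},
}


def _q(tag: str) -> str:
    """Namespace-qualify a tag name for ElementTree."""
    return f"{{{NS}}}{tag}"


def get_setting(profile_xml: str, tag: str):
    """Return the text of <ClientInitialization>/<tag>, or None if absent."""
    root = ET.fromstring(profile_xml)
    el = root.find(f"./{_q('ClientInitialization')}/{_q(tag)}")
    return None if el is None else (el.text or "").strip()


def set_setting(profile_xml: str, tag: str, value: str) -> str:
    """Set one ClientInitialization value, creating the elements if missing."""
    if value not in VALID[tag]:
        raise ValueError(f"{value!r} is not a valid {tag} value")
    root = ET.fromstring(profile_xml)
    init = root.find(_q("ClientInitialization"))
    if init is None:
        init = ET.Element(_q("ClientInitialization"))
        root.insert(0, init)                     # schema puts it before ServerList
    el = init.find(_q(tag))
    if el is None:
        el = ET.SubElement(init, _q(tag))
    el.text = value
    return ET.tostring(root, encoding="unicode")


def allow_vpn_over_rdp(profile_xml: str) -> str:
    """Apply the two settings from the article."""
    out = set_setting(profile_xml, "WindowsVPNEstablishment", "AllowRemoteUsers")
    return set_setting(out, "WindowsLogonEnforcement", "SingleLocalLogon")


if __name__ == "__main__":
    print(allow_vpn_over_rdp(SAMPLE_PROFILE))
```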
Related Articles, References, Credits, or External Links
There are many reasons why you might want to do this: someone has managed to change a user password and that person is not available, or you might simply have forgotten it. Or you might have been given a machine, or bought one from eBay, that has come without a password. Also there have been a few times when a user has looked me in the eye and said "I'm typing my password in, but it's not working". I have never seen a password change on its own, so I will just put that down to the evil password gremlins.
The procedure will also work on the Windows local administrator's password; just bear in mind that this account is disabled by default (after Windows 8). This procedure will not work if the machine in question has had its hard drive encrypted using BitLocker.
You can use this procedure to blank (or reset) a Domain Controller's DSRM (Directory Services Restore Mode) password.
You can avoid this procedure if you have access to another account on this machine that has administrative access. If you can log on as an administrator, then you can change the password of other local accounts on the affected machine without the need to do this.
2. Download and install ImgBurn, then launch the program; if it does not look like this, select View > EZ-Mode Picker. Select the 'Write image file to disc' option.
2. The file you downloaded is a zip file that contains the disk image; you will need to extract the image from the zip file (e.g. drag it to your desktop). From within ImgBurn launch the browse option and navigate to the disk image you have just extracted > Open.
3. Select the burn to disc icon (Note: This will be greyed out until there is a blank CD in the drive). The image is very small, so it will not take long to burn.
Carry Out a Windows 8 Password Reset.
This procedure uses the boot CD you have just created. For it to work you need to make sure the machine will attempt to boot from its CD/DVD drive before it boots from its hard drive (or it will simply boot into Windows again). This change in 'boot order' is carried out in the machine's BIOS; how you enter this varies depending on the machine vendor. When you first turn on the machine, watch for a message that looks like "Press {key} to enter Setup"; typically Esc, Del, F1, F2, or F9. When in the BIOS, locate the boot order and move the CD/DVD drive to the top of the list.
1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.
2. Depending on how many disks/partitions you have, it will discover them and assign a number to each one; here I only have 1, so I will type '1 {Enter}'.
Note: You may see a small 300MB partition; ignore that. You may also see your machine's recovery partition if it has one; if that's the case you may have to carry out some trial and error to get the right one.
3. The system is set to look for the default registry location C:\Windows\System32\Config, so simply press {Enter}. If it fails at this point you selected the wrong drive/partition.
4. We want password reset so select option 1.
5. We will be editing user data and passwords, so again select option 1.
6. You will be presented with a list of the user objects that it can locate, here I want to reset the password for the ‘PeteLong’ user object so simply type in the username you want to edit.
Note: As mentioned, you can see here that the administrator account is disabled; if you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.
7. You can choose option 2 and type in a new password, but I'm going to blank the password by selecting option 1, then change it when I get back into the machine.
8. To step back you need to enter an exclamation mark.
9. Enter a ‘q’ to quit.
10. To write the changes you have made enter a ‘y’.
11. As long as you are happy, and have no other accounts that need changing, enter ‘n’.
12. Now remove the boot CD, and press Ctrl+Alt+Delete to reboot the machine.
13. As the user object we are dealing with was the last one that logged on, it will be selected as soon as the computer boots, and now that it has a blank password it will automatically log on.
14. To change the password, press Ctrl+I > Change PC settings.
15. Users > Create a password.
16. Type and confirm your new password, and enter a password hint > Next.
17. Log off the account and test the new password.
I installed a Barracuda Web Filter 410 hardware appliance last week for a client on a 30 day trial. It was in 'inline' mode in front of their firewall and was happily logging all web activity and sites that were getting blocked. The problem was, when you looked in the log this is what you saw:
With other vendors you simply need to put an agent in to fix this, and as it turns out Barracuda is no different.
Solution
I went onto the web and tried to get the agent, but you can download it straight from the appliance. (Users and Groups > Authentication Tab)
To proceed you need to add your domain controllers onto the Barracuda.
Note: You will need a domain account (a simple domain user is fine; it does not need any additional rights). Here I'm connecting via 389; if you wanted to connect with LDAPS, see the following article.
Once you have installed the ADAgent.exe (on each domain controller), run it, enter your domain user account, and test that it connects properly.
Then add in your Barracuda device.
Note: There's nothing else you need to do in the agent, but while you are setting it up I suggest you set the logging level to debug.
Now, before the successful logon events can be uploaded to the Barracuda, the domain controllers need to have auditing enabled for:
Audit account logon events (success)
Audit logon events (success)
Set this in the 'Local Security Policy' on each of the domain controllers (Administrative Tools > Local Security Policy).
On the Barracuda itself you now have to register the agent for each one you have deployed; after a few minutes they should 'go green'. This is done on the same tab where you specified the domain controllers.
You now need to wait until your users have logged off and back on again before it starts logging properly, so leave it a while to slowly populate.
GNS3 had nagged me the last few times I tried to use it about upgrading, so I downloaded and installed the update and it stopped here:
Could not find a VM named ‘GNS3 VM’ is it imported in VMware or Virtualbox
I use both VMware Fusion and Virtualbox, but Virtualbox looks after all the VMs I use in GNS3. Either way, I did not know what I was looking for, and the download (and application folder) did not have a VM within it for me to import.
Solution
It turns out the link for the VM is on the GNS3 version download page (it redirects you to another site).
Once you have it downloaded, you can import it into either Virtualbox, VMware Fusion or VMware Workstation.
Then you can select it, and progress.
I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.
Solution
Note: At time of writing the latest version is 8.6.
1. Download GNS3; I accept all the defaults (I actually tick to install SuperPuTTY, as tabbed console windows can be handy when using GNS3). Launch the program and you will be greeted with the following setup wizard. Select Option 1.
Note: You can do the same in future, by going to Edit > Preferences
2. Check that the paths to the 'projects' and 'images' folders are where you want them to be. The defaults are fine, but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.
3. Option 2.
4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.
Adding Router Images to GNS 3
5. Option 3
Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.
6. Image file > Browse to the image you want to import. Here on GNS3 8.6 you can select the filename.bin file; with older versions you need to extract that file to a filename.image file.
Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account and a valid support agreement. DO NOT email me and ask for Cisco IOS images (I will just ignore you!).
7. As mentioned above, it will convert my filename.bin image to an extracted filename.image file > Yes.
8. Set the Router platform and model > In the IDLE PC section click Auto calculation > This can take a while.
Note: You can do this later from the main workspace, and test a range of settings. If you don't do this your virtual network devices will eat all your CPU power!
9. When complete click Close > Save > Close.
10. You can now add that model of router to the workspace and use it. Repeat for each model of router you want to add.
Adding a Host to GNS3
Having a host machine for your labs is handy; usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options, but I prefer linux-microcode.
12. Qemu > Qemu Guest > Give it an identifier name (can be anything) > Browse to, and select, the image you downloaded.
13. Save > OK > Apply.
14. You can now drag a Qemu Guest machine onto the workspace and console into it.
Adding a Cisco ASA to GNS3
Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.
15. Edit > Preferences > Qemu > ASA > Give it an identifier name (can be anything) > Set the RAM to 1024 > Set the Qemu options to:
[box]
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
[/box]
Set the Kernel cmd line option to;
[box]
-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
[/box]
16. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.
Should you wish to locate these files from a less reputable source, you are looking for asa842-initrd.gz and asa842-vmlinuz; again, don't email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.
17. Finally select the vmlinuz file > Open.
18. Save > OK > Apply.
19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*
*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.
Another 'quirk' is that every time you add a new ASA to the workspace you need to go through this process; if you enter the commands below you can issue a reload and also save the ASA without needing to re-enter the activation key.
[box]
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}
[/box]
I had a load of Cisco Catalyst 3560 switches that needed ‘ipbase’ licenses adding to them today. I’ve messed about with plenty of ASA license upgrades before, but not switches.
Solution
1. First thing you need is a Cisco PAK, this may be in an email or turn up in a cardboard envelope.
2. Go to http://www.cisco.com/go/license and log in (if you don’t already have a Cisco CCO account you can create one for free). Enter your PAK and select ‘fulfil’.
3. Select ‘All Quantities’ > Next.
4. Enter your product ID and serial number (see below).
To locate your Product ID (PID), and serial number (SN), on the switch issue a ‘show license udi’ command.
5. Accept the agreement > ensure your email address is correct > Submit.
6. Select ‘Download’ to get the license straight away (it will get emailed to you shortly).
Note: If it does not turn up in your email, check your junk email folder, I’m sure Microsoft Outlook does this on purpose!
7. You will have a file with a big long name and a .lic extension. If you want you can copy this onto the switch via TFTP, but let’s keep things simple and use a FAT32 formatted USB drive.
8. Before we start, let's check the license on the switch. I'm running my ipbase license on an evaluation; this is what we are going to add a permanent license for.
[box]
Petes-Switch#show license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: 7 weeks 5 days
License Type: Evaluation
License State: Active, In Use
License Priority: Low
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
Petes-Switch#
[/box]
10. Then copy the .lic file to the switch's flash memory.
[box]
Mar 30 04:13:18.466: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
Petes-Switch#copy usbflash0: flash:
Source filename []? FDO1818X123_201410200338212345.lic
Destination filename [FDO1818X123_201410200338212345.lic]? {Enter}
Copy in progress...C
1152 bytes copied in 0.041 secs (28098 bytes/sec)
Petes-Switch#
[/box]
11. Install the new license.
[box]
Petes-Switch#license install flash:/FDO1818X123_2014102003382212345.lic
Installing licenses from "flash:/FDO1818X123_2014102003382212345.lic"
Installing...Feature:ipbase...Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install
Petes-Switch#
Mar 30 04:19:35.643: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c3560x
Next reboot level = ipbase and
License = ipbase
Mar 30 04:19:36.146: %LICENSE-6-INSTALL: Feature ipbase 1.0 was installed in this device.
UDI=WS-C3560X-24T-L:FDO1818X123;
StoreIndex=1:Primary License Storage
Petes-Switch#
[/box]
12. The license won't take effect until you reload the switch.
[box]
Petes-Switch#write mem
Building configuration...
[OK]
Petes-Switch#reload
Proceed with reload? [confirm]{Enter}
Mar 30 04:20:43.104: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
[/box]
13. Post reboot, check, and the license should now be permanent.
[box]
Petes-Switch#show license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
Petes-Switch#
[/box]
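As an added example (not part of the post), here is a parser for the 'show license' output above that flags feature levels running on an evaluation licence and confirms the permanent one after the reload. BEFORE is a constructed copy of the output shown in step 8 and AFTER is derived from it to match step 13.

```python
"""Parse Catalyst 'show license' output and report which feature levels are
running on evaluation (time-limited) licenses. Added example, not from the
post; BEFORE is a constructed copy of the output shown on the page."""
import re

BEFORE = """\
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: 7 weeks 5 days
License Type: Evaluation
License State: Active, In Use
License Priority: Low
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
"""

# Post-reload output: the ipbase block becomes permanent, as in step 13.
AFTER = BEFORE.replace(
    "Period left: 7 weeks 5 days\nLicense Type: Evaluation\nLicense State: Active, In Use\nLicense Priority: Low",
    "Period left: Life time\nLicense Type: Permanent\nLicense State: Active, In Use\nLicense Priority: Medium",
)

_INDEX_RE = re.compile(r"\s*Index\s+(\d+)\s+Feature:\s*(\S+)")
_FIELD_RE = re.compile(r"\s*(License \w+|Period left):\s*(.*)")


def parse_show_license(text: str) -> dict:
    """Return {feature: {"index": n, "period_left": .., "type": .., "state": .., ...}}."""
    licenses, current = {}, None
    for line in text.splitlines():
        m = _INDEX_RE.match(line)
        if m:
            current = licenses.setdefault(m.group(2), {"index": int(m.group(1))})
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            # "License Type" -> "type", "Period left" -> "period_left"
            key = m.group(1).lower().replace("license ", "").replace(" ", "_")
            current[key] = m.group(2).strip()
    return licenses


def in_use(lic: dict) -> bool:
    """True for 'Active, In Use'; 'Not in Use' is a separate token so it does not match."""
    return "In Use" in [p.strip() for p in lic.get("state", "").split(",")]


def evaluation_in_use(text: str) -> list:
    """Features the switch is actually running on a time-limited evaluation license."""
    return sorted(f for f, lic in parse_show_license(text).items()
                  if lic.get("type") == "Evaluation" and in_use(lic))


def is_permanent(text: str, feature: str) -> bool:
    """True once the feature shows a permanent, lifetime license (the post-reload state)."""
    lic = parse_show_license(text).get(feature, {})
    return lic.get("type") == "Permanent" and lic.get("period_left") == "Life time"


if __name__ == "__main__":
    print("evaluation in use before:", evaluation_in_use(BEFORE))
    print("ipbase permanent after reload:", is_permanent(AFTER, "ipbase"))
```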
ESX is designed for building both enterprise-class networks and networks solely for test purposes. That's all fine and dandy, but what if you want to turn on DHCP in your network but still have it connected to the outside world? Yes, you could deploy a Windows server running Routing and Remote Access as a router, but that seems to be overkill in the extreme. In the past I've done articles on deploying virtual firewalls, but again that might be a little too much for your scenario.
Solution
To solve the problem, we can do what VMware do on their own training courses; anyone who has done a VCP3 or VCP4 course will have seen this router deployed in one of the labs.
FreeSco is a Linux router on a floppy disk (Microsoft disciples, "don't panic", there will be next to no sandal wearing coming up). I hunted all over the internet for the version I used on my course, and most of the links I found are dead or provide a router we don't know the root password for. However, after much searching, I found one that works, that we know the password for, and that can be configured.
I had to upgrade some ESX hosts from ESX 3.5 the other day. As they are a long way away, and version 4.1 is hot off the presses (at time of writing), that's what I wanted to upgrade them to.
Lessons Learned
1. At first I tried with the “Host Update Utility”.
2. But no matter what version I gave it, it gave me this error,
3. That points you HERE, and the fix is "Download the latest version of Host Update Utility". DON'T BOTHER, YOU WILL NOT FIND IT.
Solution
1. First I got the hosts updated to version 4.0.0 Update 2. To do that I used VMware Update Manager (install it on your Virtual Center; it's on the VIM setup CD).
2. Then found out I couldn’t upgrade to version 4.1 using the same method.
I tried to deploy a VM template today and was greeted with this error. I had renamed all the networks in this environment since I created this template, so I know why I was getting it.
But there seems to be no way to edit the template itself to change the value to the correct network.
Solution
In the procedure below I will be jumping backwards and forwards between the Hosts and Clusters view and the VMs and Templates view. I'm assuming you know the difference between them and how to switch between them. Note: If you can't see the templates, switch to VMs and Templates; if you can't see the storage, switch to Hosts and Clusters.
1. Browse your datastore(s), and locate the filename.vmtx that is associated with your ‘problem’ template, and download it to your PC/Laptop.
2. Open the vmtx file with a text editor, and locate the entry that refers to the ‘old network’.
3. Get the correct name of the new network from an existing working VM like so.
4. Change the entry in the vmtx file to the new name, then save the changes.
5. Now upload the edited file, to over-write the one in your datastore.
At this point you would think that's all you need to do. However, before the change is recognised by Virtual Center, you need to remove the template from the inventory and re-register it.
6. Locate the template and remove it from the inventory.
7. Then right click your edited vmtx file and add it back to the inventory.
8. Now your template should deploy correctly.
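As an added example (not from the post or from VMware), this Python does the edit from steps 2 to 5 on a .vmtx file: it lists the port group each vNIC references, renames the old one, and checks what is left against the network names taken from a working VM. SAMPLE_VMTX is constructed; ethernetN.networkName is the standard vmx/vmtx key.

```python
"""Rewrite the network name in a VMware template (.vmtx) file. Added example,
not from the post or VMware. A .vmtx uses the same key = "value" lines as a
.vmx; the sample below is constructed."""
import re

SAMPLE_VMTX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "Win2008-Template"
ethernet0.present = "TRUE"
ethernet0.networkName = "VM Network"
ethernet0.addressType = "generated"
ethernet1.present = "TRUE"
ethernet1.networkName = "DMZ Network"
templateVM = "TRUE"
"""

# Matches: ethernet<N>.networkName = "<port group>"
_NET_RE = re.compile(r'^(ethernet\d+\.networkName\s*=\s*)"([^"]*)"\s*$')


def list_networks(vmtx_text: str) -> dict:
    """Map each vNIC (ethernet0, ethernet1, ...) to the port group it references."""
    nets = {}
    for line in vmtx_text.splitlines():
        m = _NET_RE.match(line)
        if m:
            nets[m.group(1).split(".")[0]] = m.group(2)
    return nets


def rename_network(vmtx_text: str, old: str, new: str) -> tuple:
    """Replace every networkName entry equal to `old` with `new`.
    Only the quoted value changes; every other line and the line endings are kept.
    Returns (new_text, number_of_lines_changed)."""
    out, count = [], 0
    for line in vmtx_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _NET_RE.match(body)
        if m and m.group(2) == old:
            line = f'{m.group(1)}"{new}"{line[len(body):]}'
            count += 1
        out.append(line)
    return "".join(out), count


def unknown_networks(vmtx_text: str, valid_networks) -> list:
    """Port groups the template references that no working VM uses; these are
    what make the deploy fail after a network has been renamed (step 3 above)."""
    valid = set(valid_networks)
    return sorted({n for n in list_networks(vmtx_text).values() if n not in valid})


if __name__ == "__main__":
    fixed, changed = rename_network(SAMPLE_VMTX, "VM Network", "Production-LAN")
    print(changed, list_networks(fixed))
```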