OneDrive GPO (Domain Group Policy)

OneDrive GPO KB ID 0001821

Problem

The OneDrive administrative template that ships with Windows 11 is somewhat out of date, so if you want to manage OneDrive with domain Group Policy your options are limited. If only there were a newer administrative template!

Well, there is, and it is updated and delivered to you quite regularly (with the OneDrive client itself). Microsoft just do a good job of hiding it.

Solution OneDrive GPO

Depending on your deployment (per-user or per-machine install) the files you need can be in different locations; the biggest challenge is finding them. Run the following PowerShell to locate them:

[box]

# Search the per-user and per-machine OneDrive install locations for the
# versioned <build>\adm folder that holds OneDrive.admx and OneDrive.adml.
# Note: ${env:ProgramFiles(x86)} needs the braces; in "$env:ProgramFiles(x86)"
# only $env:ProgramFiles expands and "(x86)" is left as literal text.
$OnePath = @(
    "$env:LOCALAPPDATA\Microsoft\OneDrive",
    "${env:ProgramFiles(x86)}\Microsoft OneDrive",
    "$env:ProgramFiles\Microsoft OneDrive"
)
$OnePath | ForEach-Object {
    Get-ChildItem "$_\*\adm\onedrive.adm?" -ErrorAction SilentlyContinue
}

[/box]

As you can see (above), mine are in my user profile. The folder they are in also gives you the client build number, so you can check occasionally for updates (they get pulled down whenever your OneDrive client updates itself).

Go to that directory and you will find the ADMX and ADML files.

Note: If you are not running an English-language client, there may be a different ADML file in the locale sub-folders you can see above.

Copy the OneDrive.admx file into your PolicyDefinitions folder (if unsure of the path, see the Central Store article linked below; obviously substitute your own domain name. Here I'm on a domain controller, so the SYSVOL volume is on my local drive).

Now change to the INPUT LOCALE folder (in my case en-US) and copy the OneDrive.adml file into that folder.
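The two copy steps above, scripted, as an added example (not code from the original article): it picks the newest OneDrive build installed on the machine you run it from, keeps a dated backup of the ADMX already in the Central Store, and copies the ADMX plus the matching ADML into the locale folder. It assumes you run it on a domain-joined machine with an account that can write to SYSVOL, that the Central Store already exists at the standard path, and that your ADML locale is en-US (change $Locale otherwise).

```powershell
# Added example, not part of the original article. Assumptions: domain-joined
# machine, write access to SYSVOL, Central Store already created, locale en-US.
$CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
$Locale       = 'en-US'

function Find-OneDriveAdmFolder {
    # Each install location holds one sub-folder per client build, e.g. 23.226.1031.0001\adm
    $roots = @(
        "$env:LOCALAPPDATA\Microsoft\OneDrive",
        "${env:ProgramFiles(x86)}\Microsoft OneDrive",   # braces needed: $env:ProgramFiles(x86) does not expand
        "$env:ProgramFiles\Microsoft OneDrive"
    )
    $builds = foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^\d+(\.\d+)+$' -and
                           (Test-Path (Join-Path $_.FullName 'adm\OneDrive.admx')) }
    }
    # Highest build wins. [version] sorts 23.226 after 23.99; a string sort would not.
    $latest = $builds | Sort-Object { [version]$_.Name } -Descending | Select-Object -First 1
    if ($latest) { Join-Path $latest.FullName 'adm' }
}

function Install-OneDriveAdmx {
    param(
        [Parameter(Mandatory)][string]$AdmFolder,
        [Parameter(Mandatory)][string]$Store,
        [string]$Locale = 'en-US'
    )
    $admx = Join-Path $AdmFolder 'OneDrive.admx'
    # The English ADML sits in adm\ itself; other languages live in adm\<locale>\
    $adml = @("$AdmFolder\$Locale\OneDrive.adml", "$AdmFolder\OneDrive.adml") |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $adml) { throw "No OneDrive.adml for $Locale under $AdmFolder" }
    $storeLocale = Join-Path $Store $Locale
    if (-not (Test-Path $storeLocale)) { throw "Central Store locale folder missing: $storeLocale" }

    # Keep a dated copy of the template being replaced so a bad update can be rolled back
    $current = Join-Path $Store 'OneDrive.admx'
    if (Test-Path $current) {
        Copy-Item $current "$current.$(Get-Date -Format yyyyMMdd).bak" -Force
    }
    Copy-Item $admx $Store -Force
    Copy-Item $adml $storeLocale -Force

    # Report the build that was installed so the 'check occasionally for updates' step is easy
    [pscustomobject]@{
        Build = Split-Path (Split-Path $AdmFolder -Parent) -Leaf
        Admx  = $admx
        Adml  = $adml
        Store = $Store
    }
}

$adm = Find-OneDriveAdmFolder
if (-not $adm) { throw 'No OneDrive ADMX found; is the OneDrive client installed on this machine?' }
Install-OneDriveAdmx -AdmFolder $adm -Store $CentralStore -Locale $Locale
```

Run it again after the client updates and it will only replace the store copy with a newer build; the dated .bak file is what you restore if a new template breaks an existing GPO.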

Then when you are in the Group Policy Management Editor you will see the updated OneDrive options.

[box]

Computer Configuration > Policies > Administrative Templates > OneDrive

[/box]

If you can't see them, check that your policy definitions (Central Store) have been set up correctly.

Related Articles, References, Credits, or External Links

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

AnyConnect – ‘VPN establishment capability for a remote user..

KB ID 0000546 

Problem

If you connect to a client via RDP and then try to run the AnyConnect client, you will see one of these errors:

VPN establishment capability for a remote user is disabled. A VPN connection will not be established

 

VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established

This behaviour is the default, and despite me trawling the internet to find a solution (most posts quote changing the local AnyConnectProfile.tmpl file), this file does not exist in version 3 (I was using v3.0.4235).

Update: Early versions of AnyConnect 4 do not tell you what's wrong; the VPN appears to connect and then disconnects quickly. If you have debugging on the firewall you will see the following:

Profile settings do not allow VPN initiation from a remote desktop.

Note: This is fixed in version 4.8, and you will see the error shown at the top of the page.

Solution

To solve this problem we need to create an AnyConnect client profile, load the profile onto the firewall, then associate that profile with your AnyConnect group policy. With modern versions of the ASDM you can do all of that in the ASDM. With older versions you need to use the stand-alone profile editor (see below).

Edit AnyConnect Profile With ASDM

Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

Give the profile a name > select the group policy to apply it to > OK. Then edit the profile: set Windows VPN Establishment to AllowRemoteUsers and (optionally) Windows Logon Enforcement to SingleLocalLogon.

AllowRemoteUsers: lets users on a remote (RDP) session bring up the VPN. If the VPN's routing change drops that remote session, the client automatically terminates the VPN.

SingleLocalLogon: while the VPN is up, allows multiple remote logons but only one local logon.

OR (older versions)

 

Apply the changes, and then save to the running configuration.

 

Edit AnyConnect Profile With Stand-Alone Profile Editor

1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet.)

Update: The AnyConnect Profile Editor is now built into the ASDM; it becomes available once you have enabled an AnyConnect image. Once you have a profile created you can skip straight to step 3 and skip all the other steps.

If you cannot download the software, here's a profile I've already created that you can use. If you are going to use it, jump to step 5.

2. Once you have installed the profile editor, launch the “VPN Profile Editor”.

3. The setting we want is listed under Windows VPN Establishment and needs setting to "AllowRemoteUsers". In addition I'm going to set Windows Logon Enforcement to "SingleLocalLogon".

AllowRemoteUsers: lets users on a remote (RDP) session bring up the VPN. If the VPN's routing change drops that remote session, the client automatically terminates the VPN.

SingleLocalLogon: while the VPN is up, allows multiple remote logons but only one local logon.

4. Save the profile somewhere you can locate it quickly.

5. Connect to the firewall's ASDM > Tools > File Management > File Transfer > Between Local PC and Flash.

6. Browse your local PC for the profile you created earlier > hit the "Right Arrow" to upload it. This can take a few minutes, depending on your link to the firewall.

7. Make sure the file uploads correctly > Close.

8. To associate this profile with your AnyConnect/SSL group policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > locate the "Client Profile to Download" section and uncheck Inherit.

9. Click New > Browse Flash > Locate the profile you uploaded earlier.

10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.

11. Then reconnect with your AnyConnect Secure Mobility Client software.
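Both procedures above (the ASDM editor and the stand-alone Profile Editor) end up changing the same two elements in the client profile XML. As an added example (not code from the original article or from Cisco), this PowerShell sets those elements in a profile file directly, which is handy when you have an exported profile but no editor. $ProfileXml is a constructed minimal profile; HostName and HostAddress are placeholders, and the file name rdp-profile.xml is an assumption. The element names and values (WindowsVPNEstablishment, WindowsLogonEnforcement) are the ones from the AnyConnect profile schema.

```powershell
# Added example, not from the article or Cisco. The profile below is constructed
# for the demonstration; replace HostName/HostAddress with your own.
$ProfileXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <WindowsLogonEnforcement>SingleLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Office VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
'@

function Set-AnyConnectRemoteDesktopPolicy {
    param(
        [Parameter(Mandatory)][xml]$Doc,
        [ValidateSet('LocalUsersOnly', 'AllowRemoteUsers')]
        [string]$VpnEstablishment = 'AllowRemoteUsers',
        [ValidateSet('SingleLocalLogon', 'SingleLogon')]
        [string]$LogonEnforcement = 'SingleLocalLogon'
    )
    # Property access works through the document's default namespace;
    # SelectSingleNode would need an XmlNamespaceManager.
    $init = $Doc.AnyConnectProfile.ClientInitialization
    if (-not $init) { throw 'Profile has no <ClientInitialization> section' }

    $wanted = @{
        WindowsVPNEstablishment = $VpnEstablishment
        WindowsLogonEnforcement = $LogonEnforcement
    }
    foreach ($name in $wanted.Keys) {
        $node = $init.GetElementsByTagName($name) | Select-Object -First 1
        if (-not $node) {
            # Create a missing element in the same namespace as the rest of the profile.
            # The schema orders elements, so open a profile built this way in the
            # Profile Editor once to confirm it is accepted.
            $node = $init.AppendChild($Doc.CreateElement($name, $Doc.DocumentElement.NamespaceURI))
        }
        $node.InnerText = $wanted[$name]
    }
}

function Get-AnyConnectRemoteDesktopPolicy {
    param([Parameter(Mandatory)][xml]$Doc)
    $init = $Doc.AnyConnectProfile.ClientInitialization
    [pscustomobject]@{
        WindowsVPNEstablishment = $init.WindowsVPNEstablishment
        WindowsLogonEnforcement = $init.WindowsLogonEnforcement
    }
}

$xml = [xml]$ProfileXml
Set-AnyConnectRemoteDesktopPolicy -Doc $xml
Get-AnyConnectRemoteDesktopPolicy -Doc $xml           # AllowRemoteUsers / SingleLocalLogon
$xml.Save((Join-Path $env:TEMP 'rdp-profile.xml'))    # this is the file to upload to flash
```

Upload the saved file with steps 5 to 7 and attach it with steps 8 to 10 as above. Keep in mind what AllowRemoteUsers means: anyone who can RDP onto a machine that has the client installed can now bring a tunnel up from it into your network, so the RDP side (who can log on remotely, and from where) deserves the same scrutiny as the VPN group policy.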

Related Articles, References, Credits, or External Links

Install and Configure Cisco ASA5500 AnyConnect SSL VPN 

Windows – Lost / Forgotten Password?

KB ID 0000755

Problem

There are many reasons why you might want to do this: someone has changed a user's password and that person is not available, or you might simply have forgotten it. Or you might have been given a machine, or bought one from eBay, that has come without a password. There have also been a few times when a user has looked me in the eye and said "I'm typing my password in, but it's not working". I have never seen a password change on its own, so I will just put that down to the evil password gremlins.

The procedure also works on the Windows local Administrator password; just bear in mind that this account is disabled by default on client editions of Windows. The procedure will not work if the machine's hard drive has been encrypted with BitLocker (the offline tool cannot read the SAM). Also be aware that blanking or resetting a local account's password, whether offline like this or by an administrator, loses anything protected with the old password: EFS-encrypted files and DPAPI secrets such as saved credentials and certificate private keys. Only the user changing their own password (supplying the old one) keeps those.

You can use this procedure to blank (or reset) a Domain Controller's DSRM (Directory Services Restore Mode) password.

You can avoid this procedure if you have access to another account on the machine with administrative rights: log on as that administrator and change the other local account's password, without the need for any of this.
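As an added example (not code from the original article), the following PowerShell checks the two things the article says decide whether the offline reset will work (BitLocker on the system drive, and whether the built-in Administrator is disabled) and, for the case where you already have an administrative logon, resets another local account's password without going offline at all. It assumes Windows 10 / Server 2016 or later (for the LocalAccounts and BitLocker modules) and an elevated PowerShell; 'PeteLong' is just a placeholder account name.

```powershell
# Added example, not from the original article. Assumes Windows 10/2016+ and an
# elevated prompt; the account name at the bottom is a placeholder.
function Test-OfflineResetViable {
    param([string]$Drive = $env:SystemDrive)
    $protection = 'Unknown (BitLocker module not present)'
    $locked = $false
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bl = Get-BitLockerVolume -MountPoint $Drive
        $protection = [string]$bl.ProtectionStatus        # On / Off
        $locked = ($bl.ProtectionStatus -eq 'On')         # offline SAM edit impossible when On
    }
    # RID 500 is the built-in Administrator whatever it has been renamed to
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        SystemDrive          = $Drive
        BitLockerProtection  = $protection
        OfflineResetPossible = -not $locked
        BuiltinAdministrator = $admin.Name
        AdministratorEnabled = $admin.Enabled              # article: disabled by default
    }
}

function Reset-LocalAccountPassword {
    # The supported route: an existing administrator resets the other account.
    # Like the offline method, this loses EFS/DPAPI data protected by the old password.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [switch]$Enable
    )
    $user = Get-LocalUser -Name $UserName -ErrorAction Stop
    Set-LocalUser -Name $UserName -Password $NewPassword
    if ($Enable -and -not $user.Enabled) { Enable-LocalUser -Name $UserName }
    # Make the owner pick their own password at next logon (Set-LocalUser has no switch for this)
    net user $UserName /logonpasswordchg:yes | Out-Null
    Get-LocalUser -Name $UserName | Select-Object Name, Enabled, PasswordLastSet
}

Test-OfflineResetViable
# Reset-LocalAccountPassword -UserName 'PeteLong' -NewPassword (Read-Host -AsSecureString 'New password') -Enable
```

If OfflineResetPossible comes back false, recover the BitLocker recovery key first (it is in AD or the user's Microsoft account if the machine was set up that way); there is no way round the encryption from the boot CD.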

Solution

How to Burn the ISO Disc Image

1. Download the Password Reset CD Image.

2. Download ImgBurn and install it. Launch the program; if it does not look like this, select View > EZ-Mode Picker. Select the 'Write image file to disc' option.

3. The file you downloaded is a zip file that contains the disc image; you will need to extract the image from the zip file (i.e. drag it to your desktop). From within ImgBurn launch the browse option, navigate to the disc image you have just extracted > Open.

4. Select the burn-to-disc icon (Note: this will be greyed out until there is a blank CD in the drive). The image is very small, so it will not take long to burn.

Carry Out a Windows 8 Password Reset.

This procedure uses the boot CD you have just created. For it to work you need to make sure the machine will attempt to boot from its CD/DVD drive before it boots from its hard drive (or it will simply boot into Windows again). This change in 'boot order' is made in the machine's BIOS; how you enter it varies by vendor. When you first turn on the machine, watch for a message like "Press {key} to enter Setup", typically Esc, Del, F1, F2, or F9. In the BIOS, locate the boot order and move the CD/DVD drive to the top of the list.

1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.

2. Depending on how many disks/partitions you have it will discover them and assign a number to each one, here I only have 1 so I will type ‘1 {Enter}’.

Note: You may see a small partition of a few hundred MB (the System Reserved partition); ignore that. You may also see your machine's recovery partition if it has one; if that's the case you may have to carry out some trial and error to get the right one.

3. The tool is set to look for the default registry location, C:\Windows\System32\Config, so simply press {Enter}. If it fails at this point you selected the wrong drive/partition.

4. We want password reset so select option 1.

5. We will be editing user data and passwords, so again select option 1.

6. You will be presented with a list of the user objects that it can locate, here I want to reset the password for the ‘PeteLong’ user object so simply type in the username you want to edit.

Note: As mentioned, you can see here that the Administrator account is disabled. If you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.

7. You can choose option 2 and type in a new password, but I'm going to blank the password (option 1) and change it once I'm back in the machine.

8. To step back, enter an exclamation mark (!).

9. Enter 'q' to quit.

10. To write the changes you have made, enter 'y'.

11. As long as you are happy and have no other accounts that need changing, enter 'n'.

12. Now remove the boot CD and press Ctrl+Alt+Delete to reboot the machine.

13. As the user account we reset was the last one to log on, it will be selected as soon as the computer boots, and because it now has a blank password it will log on automatically.

14. To set a new password, press the Windows key + I > Change PC settings.

15. Users > Create a password.

16. Type and confirm your new password, and enter a password hint > Next.

17. Log off the account and test the new password.

 

Related Articles, References, Credits, or External Links

NA

Barracuda Web Filter – Not Displaying Usernames

KB ID 0001296 

Problem

I installed a Barracuda Web Filter 410 hardware appliance last week for a client on a 30-day trial. It was in 'inline' mode in front of their firewall and was happily logging all web activity and the sites that were getting blocked. The problem was that when you looked in the log, this is what you saw:

With other vendors you simply need to put an agent in to fix this, and as it turns out Barracuda is no different.

Solution

I went onto the web and tried to get the agent, but you can download it straight from the appliance (Users and Groups > Authentication tab).

To proceed you need to add your domain controllers to the Barracuda.

Note: You will need a domain account (a simple domain user is fine; it does not need any additional rights). Here I'm connecting via port 389. A simple LDAP bind on 389 sends that account's password in clear text, so if you want to connect with LDAPS instead see the following article.

Windows Server 2012 – Enable LDAPS

Once you have installed ADAgent.exe on each domain controller, run it, enter your domain user account, and test that it connects properly.

Then add in your Barracuda device.

Note: There's nothing else you need to do in the agent, but while you are setting it up I suggest you set the logging level to debug (and turn it back down once it is working).

Now, before the successful logon events can be uploaded to the Barracuda, the domain controllers need auditing enabled for:

  • Audit account logon events (success)
  • Audit logon events (success)

Set this in the Local Security Policy on each of the domain controllers (Administrative Tools > Local Security Policy). If a GPO linked to the Domain Controllers OU already defines audit policy, it will override the local setting at the next policy refresh, so set it in that GPO instead.
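The same two audit settings set from the command line, plus a check that the events are actually being written before you register the agent, as an added example (not code from the original article or from Barracuda). It assumes an elevated prompt on the domain controller. The two auditpol categories are the legacy ones behind the Local Security Policy entries above; 4624 (successful logon) shows the Logon/Logoff category is working and 4768 (Kerberos TGT issued) shows Account Logon is, and 4768 is also the event that carries the client IP address a user-to-IP agent needs. Which specific events the Barracuda agent itself consumes is not documented on this page, so the check is only that logon auditing is producing them.

```powershell
# Added example, not from the original article. Run elevated on the DC.
function Enable-LogonSuccessAuditing {
    # Legacy categories matching the article's two Local Security Policy entries
    foreach ($category in 'Account Logon', 'Logon/Logoff') {
        auditpol /set /category:"$category" /success:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$category'" }
    }
    auditpol /get /category:"Account Logon","Logon/Logoff"
}

function Get-EventField {
    # Pull a named EventData field out of a Security event (locale-independent, unlike Message)
    param([Parameter(Mandatory)]$Event, [Parameter(Mandatory)][string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-LogonEventsFlowing {
    param([int]$Minutes = 30)
    # 4624 = successful logon to the DC (Logon/Logoff); 4768 = Kerberos TGT issued (Account Logon)
    $filter = @{ LogName = 'Security'; Id = 4624, 4768; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    # user -> IP pairs as an agent would derive them; drop computer accounts (names ending in $)
    $userIp = $events | Where-Object Id -eq 4768 | ForEach-Object {
        [pscustomobject]@{
            User = Get-EventField $_ 'TargetUserName'
            IP   = (Get-EventField $_ 'IpAddress') -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        }
    } | Where-Object { $_.User -notlike '*$' } | Sort-Object User, IP -Unique
    [pscustomobject]@{
        WindowMinutes   = $Minutes
        Logon4624       = @($events | Where-Object Id -eq 4624).Count
        KerberosTgt4768 = @($events | Where-Object Id -eq 4768).Count
        UserIpPairs     = @($userIp).Count
        Sample          = $userIp | Select-Object -First 5
    }
}

Enable-LogonSuccessAuditing
Test-LogonEventsFlowing -Minutes 60
```

If both counters stay at zero after users have logged on, either a GPO is overriding the local audit policy (compare the auditpol /get output after a gpupdate) or Advanced Audit Policy is in force, in which case the subcategories (Logon, Kerberos Authentication Service) need enabling instead of these legacy categories.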

On the Barracuda itself you now have to register each agent you have deployed; this is done on the same tab where you specified the domain controllers. After a few minutes they should 'go green'.

Usernames will not start appearing until your users have logged off and back on again, so leave it a while to populate.

Related Articles, References, Credits, or External Links

Barracuda Email Security Gateway Setup and Deployment

GNS3 Update – Could Not Find a VM Named ‘GNS3 VM’

KB ID 0001160 

Problem

GNS3 had nagged me the last few times I tried to use it about upgrading, so I downloaded and installed the update and it stopped here;

Could not find a VM named ‘GNS3 VM’ is it imported in VMware or Virtualbox

I use both VMware Fusion and VirtualBox, but VirtualBox looks after all the VMs I use in GNS3. Either way, I did not know what I was looking for, and the download (and application folder) did not have a VM within it for me to import.

Solution

It turns out the link for the VM is on the GNS3 version download page (it redirects you to another site).

Once you have it downloaded, you can import it into either Virtualbox, VMware Fusion or VMware Workstation.

Then you can select it, and progress.

Related Articles, References, Credits, or External Links

NA

GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0000927 

NOTE: THIS ARTICLE IS FOR THE OLD VERSION OF GNS3

GO HERE FOR THE NEW ONE

Problem

I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.

Solution

Note: At time of writing the latest version is 0.8.6.

1. Download GNS3; I accept all the defaults (I actually tick to install SuperPutty, as tabbed console windows can be handy when using GNS3). Launch the program and you will be greeted with the following setup wizard. Select Option 1.

Note: You can do the same in future, by going to Edit > Preferences

2. Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

3. Option 2.

4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.

Adding Router Images to GNS 3

5. Option 3

Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.

6. Image file > Browse to the image you want to import. Here on GNS3 0.8.6 you can select the filename.bin file directly; with older versions you need to extract it to a filename.image file first.

Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account, and a valid support agreement. DO NOT email me and ask for Cisco IOS images, (I will just ignore you!).

7. As mentioned above, it will convert my filename.bin image to an extracted filename.image file > Yes.

8. Set the Router platform and model > In the IDLE PC section click Auto calculation > This can take a while.

Note: You can do this later from the main workspace and test a range of settings. If you don't do this, your virtual network devices will eat all your CPU!

9. When complete click Close > Save > Close.

10. You can now drag that model of router onto the workspace and use it. Repeat for each model of router you want to add.

Adding a Host to GNS3

Having a host machine for your labs is handy; usually you just need to be able to ping or run traceroutes. You can download a small Linux image from GNS3; there are a few options, but I prefer linux-microcore.

11. Edit > Preferences.


12. Qemu > Qemu Guest > Give it an identifier name (can be anything) > Browse to, and select, the image you downloaded.

13. Save > OK > Apply.

14. You can now drag a Qemu Guest machine onto the workspace and console into it.

Adding a Cisco ASA to GNS3

Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.

15. Edit > Preferences > Qemu > ASA > Give it an identifier name (can be anything) > Set the RAM to 1024 > Set the Qemu options to:

[box]

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

[/box]

Set the Kernel cmd line option to;

[box]

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

[/box]

16. You need two files to run the ASA: an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.

Should you wish to locate these files from a less reputable source, you are looking for asa842-initrd.gz and asa842-vmlinuz. Again, don't email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

17. Finally select the vmlinuz file > Open.

18. Save > OK > Apply.

19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled; to add them you need to change the ASA's activation key. An ASA activation key is usually tied to the serial number of the ASA, and in this case we don't have a real serial number (that's not strictly true: if you check, it's something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.

Another 'quirk' is that every time you add a new ASA to the workspace you need to go through this process. If you enter the commands below you can issue a reload and also save the ASA without needing to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}

[/box]

20. When it comes back up (again, it will take a few minutes) you can check your ASA's licensed features.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

Deploy a Router in your ESX Environment

KB ID 0000182

Problem

ESX is designed for building both enterprise-class networks and networks solely for test purposes. That's all fine and dandy, but what if you want to turn on DHCP in your network and still have it connected to the outside world? Yes, you could deploy a Windows server running Routing and Remote Access as a router, but that seems overkill in the extreme. In the past I've written articles on deploying virtual firewalls, but again that might be a little too much for your scenario.

Solution

To solve the problem we can do what VMware do on their own training courses; anyone who has done a VCP3 or VCP4 course will have seen this router deployed in one of the labs.

FreeSco is a Linux router on a floppy disk (Microsoft disciples, don't panic: there will be next to no sandal wearing coming up). I hunted all over the internet for the version I used on my course and most of the links I found are dead, or provide a router whose root password we don't know. However, after much searching I found one that works, whose password we know, and which can be configured.

1. Download the floppy image HERE

2. Follow the instructions below (Note: this was done in ESX 3; the process for vSphere is the same).

Related Articles, References, Credits, or External Links

http://www.rtfm-ed.co.uk/2005/10/10/routernatfirewall-on-a-floppy-linux-based/

Upgrade ESX 3 to version 4.1.0

To upgrade ESXi to 4.1, click here

KB ID 0000305 

Problem

I had to upgrade some ESX hosts from ESX 3.5 the other day. As they are a long way away, and version 4.1 is hot off the presses (at time of writing), that's what I wanted to upgrade them to.

Lessons Learned

1. At first I tried the "Host Update Utility".

2. But no matter what version I gave it, it gave me this error:

Unsupported ESX version: esx-4.0.0 X.X-XXXXXX-release or Unsupported product ESXi Installer vx.x.x-x-x

3. That points you HERE, and the fix is "Download the latest version of Host Update Utility". DON'T BOTHER, YOU WILL NOT FIND IT.

Solution

1. First I got the hosts updated to version 4.0.0 Update 2. To do that I used VMware Update Manager (install it on your Virtual Center; it's on the VIM setup CD).

2. Then I found out I couldn't upgrade to version 4.1 using the same method.

3. You need to download TWO update bundles (verify each one's checksum against the value published on the VMware download page before you upload it to a host):

a. pre-upgrade-from-ESX4.0-to-4.1.0-0.0.260247-release.zip
b. upgrade-from-ESX4.0-to-4.1.0-0.0.260247-release.zip

4. Connect to your ESX box with an SCP client; I prefer Veeam FastSCP because it's free.

5. Create a folder on your ESX box and copy the two patches to this folder, with your SCP client.

6. Log onto the ESX console or connect via SSH.

7. Put the host into maintenance mode with the following command,

[box]vimsh -n -e /hostsvc/maintenance_mode_enter[/box]

8. The folder I created was called UPDATE change into that folder with the following command,

[box]cd /UPDATE[/box]

9. Run the "pre-upgrade" bundle first with the following command (it's one line if it gets text-wrapped):

[box]esxupdate update --bundle=pre-upgrade-from-ESX4.0-to-4.1.0-0.0.260247-release.zip[/box]

It's pretty quick; don't go anywhere.

10. When it's completed, run the following command (again one line if it gets text-wrapped):

[box]esxupdate update --bundle=upgrade-from-ESX4.0-to-4.1.0-0.0.260247-release.zip[/box]

11. That command takes a while, so go and have a coffee. When it finishes it will ask for a reboot; you can reboot the ESX host with the following command:

[box]shutdown -r now[/box]

12. After the reboot you can exit maintenance mode either from the VI client or with the following command:

[box]vimsh -n -e /hostsvc/maintenance_mode_exit[/box]

Related Articles, References, Credits, or External Links

VMware ESXi 5 – Applying Patches and Updates

VMware ESX – When Deploying a Template ‘Network interface {name} uses network {name} which is not accessible’

KB ID 0000846 

Problem

I tried to deploy a VM Template today and was greeted with this error, I had renamed all the networks in this environment since I created this template, so I know why I was getting this error.

But there seems to be no way to edit the template itself and change it to the correct network.

Solution

In the procedure below I will be jumping backwards and forwards between the Hosts and Clusters view and the VMs and Templates view. I'm assuming you know the difference between them and how to switch. Note: If you can't see the templates, switch to VMs and Templates; if you can't see the storage, switch to Hosts and Clusters.

1. Browse your datastore(s), locate the filename.vmtx associated with your 'problem' template, and download it to your PC/laptop.

2. Open the vmtx file with a text editor, and locate the entry that refers to the ‘old network’.

3. Get the correct name of the new network from an existing working VM like so.

4. Change the entry in the vmtx file to the new name, then save the changes.

5. Now upload the edited file, overwriting the one in your datastore.

At this point you would think that's all you need to do. However, before the change is recognised by Virtual Center you need to remove the template from the inventory and register it again.

6. Locate the template and remove it from the inventory.

7. Then right click your edited vmtx file and add it back to the inventory.

8. Now your template should deploy correctly.
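Steps 2 to 4 scripted for templates with more than one network adapter, as an added example (not code from the original article or from VMware): it rewrites every ethernetN.networkName entry in a downloaded .vmtx according to an old-to-new map, keeps a .bak copy, and writes the file back with the LF line endings and ASCII encoding these files use. The sample .vmtx contents and the network names are constructed for the demonstration; the file is written to your temp folder.

```powershell
# Added example, not from the original article. The sample template below is
# constructed; point -Path at the .vmtx you downloaded in step 1 for real use.
function Update-VmtxNetworkName {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$NetworkMap   # old name -> new name
    )
    $full    = (Resolve-Path $Path).Path
    $lines   = Get-Content -Path $full
    $changed = @()
    $out = foreach ($line in $lines) {
        # Standard-switch NICs look like: ethernet0.networkName = "Old Net"
        if ($line -match '^(?<key>ethernet\d+\.networkName)\s*=\s*"(?<net>[^"]*)"\s*$') {
            $old = $Matches.net
            if ($NetworkMap.ContainsKey($old)) {
                $new = $NetworkMap[$old]
                $changed += [pscustomobject]@{ Key = $Matches.key; Old = $old; New = $new }
                "$($Matches.key) = `"$new`""
                continue
            }
        }
        $line    # everything else passes through untouched
    }
    if ($changed.Count -eq 0) {
        Write-Warning "No networkName entries matched: $($NetworkMap.Keys -join ', ')"
        return
    }
    Copy-Item -Path $full -Destination "$full.bak" -Force
    # vmtx/vmx files are plain ASCII with LF line endings; keep them that way
    [System.IO.File]::WriteAllText($full, (($out -join "`n") + "`n"), [System.Text.Encoding]::ASCII)
    $changed
}

# Constructed sample template (not a real vmtx from the article)
$sample = Join-Path $env:TEMP 'demo-template.vmtx'
(@(
    '.encoding = "UTF-8"',
    'config.version = "8"',
    'displayName = "W2K12-Template"',
    'ethernet0.present = "TRUE"',
    'ethernet0.networkName = "Old Production LAN"',
    'ethernet1.present = "TRUE"',
    'ethernet1.networkName = "Old Backup LAN"',
    'templateVM = "TRUE"'
) -join "`n") | Set-Content -Path $sample -NoNewline -Encoding Ascii

Update-VmtxNetworkName -Path $sample -NetworkMap @{
    'Old Production LAN' = 'Production LAN'
    'Old Backup LAN'     = 'Backup LAN'
}
Get-Content $sample | Where-Object { $_ -match 'networkName' }
```

The function only touches networkName lines, which is what a standard vSwitch port group uses. If the template's adapters are on a distributed switch, the .vmtx stores ethernetN.dvs.portgroupId and switchId values rather than a name, and this text edit will not apply; fix those templates through the vSphere client instead. In either case steps 6 and 7 (remove from inventory, re-register) are still required.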

Related Articles, References, Credits, or External Links

NA