Office 365: Enable User Password Reset

KB ID 0001551

Problem

If you want to give your Office 365 users the ability to change and recover their own passwords, this is the procedure.

Solution

Open the ‘Azure Active Directory’ admin console.

If you didn’t already know, Azure is what underpins your Office 365 subscription. Select ‘Azure Active Directory’ > Password reset.

I’m enabling it for everyone; you can choose ‘Selected’ and then nominate the groups you want to grant password reset to. When done, click ‘Save‘.

Now when your users log in they will be asked for additional information.

They can then set a phone number and an alternative email address that can be used for authentication.

Related Articles, References, Credits, or External Links

NA

VMware vSphere Hot Add and Hot Plug

KB ID 0000527 

Problem

I was trying to hot add some memory to a VM the other day, and found the option grayed out. Normally I’d just down the VM, add the memory, then bring it back up. But it was a production server and I was pretty sure the OS supported it.

A quick Google search told me why it was grayed out, but it also transpired there was little to no information on what version of Windows hot add and hot plug would work with.

Solution

I’m not going to argue the semantics of the differences between “hot add” and “hot plug”: if I’m talking about hot add I’m talking about memory, and if I’m talking about hot plug I’m talking about adding CPUs. You also need to be aware that, to date, few OSs support hot remove or hot unplug. If you try you will see the following;

vSphere version 6 or 6.5 (Hot Unplug)

It simply won’t let you lower the value;

Note: With a supported OS (e.g. Server 2016 and 2019) you CAN hot remove CPU.

vSphere version 5.0 or 5.5

Hot Add Memory/ CPU in vSphere 6 & 6.5

As with earlier versions of vSphere, to enable hot plug or hot remove, the machine has to be shut down. Then the option can be enabled. Select the VM > Edit Settings.

Memory: Virtual Hardware > Memory > Tick ‘Memory Hot Plug’ > Save.

CPU: Virtual Hardware > CPU > Tick ‘Enable CPU Hot Add’ > Save.

Hot Plug, Hot Add in the vSphere HTML5 Client

Hot Add Memory/ CPU in vSphere 5 & 5.5

1. As for the memory and CPU settings, you will probably see what I was seeing: neither option is changeable.

2. Sorry, but to enable this feature you need to power off the client machine, then edit its settings > Options > Advanced > Memory/CPU Hotplug > enable hot add and hot plug > OK. Power the VM back on again.

3. Now you will see you have the option to hot add memory and hot plug CPUs.
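The same change from VMware PowerCLI, as an added example (this is not code from the original article or from VMware): it enforces the rule given above that the VM must be powered off before the hot add options can be changed, writes the two advanced settings behind the ‘Memory Hot Plug’ and ‘Enable CPU Hot Add’ tick boxes, and a second function then hot adds resources to the running VM. It assumes PowerCLI is installed and Connect-VIServer has already been run; the VM name ‘PNL-TEST-VM’ is a placeholder.

```powershell
# Added example, not from the original article. Requires VMware PowerCLI and an
# existing Connect-VIServer session. 'PNL-TEST-VM' is a placeholder VM name.

function Enable-VMHotAdd {
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # The options can only be changed while the VM is off (the GUI greys them out otherwise).
    if ($vm.PowerState -ne 'PoweredOff') {
        throw "$VMName is $($vm.PowerState). Shut it down before enabling hot add / hot plug."
    }

    # These are the .vmx keys behind the 'Memory Hot Plug' and 'Enable CPU Hot Add' tick boxes
    # (assumption: key names as used by vSphere; they are not named on the article page).
    $keys = @{ 'mem.hotadd' = 'TRUE'; 'vcpu.hotadd' = 'TRUE' }
    foreach ($name in $keys.Keys) {
        $existing = Get-AdvancedSetting -Entity $vm -Name $name
        if ($existing) {
            Set-AdvancedSetting -AdvancedSetting $existing -Value $keys[$name] -Confirm:$false | Out-Null
        } else {
            New-AdvancedSetting -Entity $vm -Name $name -Value $keys[$name] -Confirm:$false | Out-Null
        }
    }

    # Return what is now set, so the change can be verified before powering on.
    Get-AdvancedSetting -Entity $vm -Name 'mem.hotadd', 'vcpu.hotadd' | Select-Object Name, Value
}

function Add-VMResourcesHot {
    # Hot add memory and vCPUs to a running VM. Whether the guest picks the CPUs up
    # without a reboot depends on the guest edition, as the testing below shows
    # (2008 R2 Standard needs a reboot for CPUs; Enterprise/Datacenter do not).
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int]$AddMemoryGB = 1,
        [int]$AddCpu = 1
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    Write-Host ("Guest OS reported by VMware Tools: {0}" -f $vm.Guest.OSFullName)
    Set-VM -VM $vm -MemoryGB ($vm.MemoryGB + $AddMemoryGB) -NumCpu ($vm.NumCpu + $AddCpu) -Confirm:$false
}

# Usage:
# Enable-VMHotAdd -VMName 'PNL-TEST-VM'        # VM must be powered off
# Start-VM -VM 'PNL-TEST-VM'
# Add-VMResourcesHot -VMName 'PNL-TEST-VM' -AddMemoryGB 1 -AddCpu 3
```

Enable-VMHotAdd deliberately refuses to run against a powered-on VM rather than silently writing a setting that will not take effect, which is the behaviour that caused the confusion described in the problem statement.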

What Operating Systems support this?

Like I said above, I did some testing because information is thin on the ground; this is what I was actually able to make work.

With 2008 R2 Standard

1. As you can tell from the table, memory hot add will work, but adding a CPU will need a reboot. Before I started I had 2 CPUs and 4GB of memory.

2. Let’s add more memory and CPUs.

3. For all the machines I tested there was a lag, sometimes as little as 3-5 seconds, other times as long as 15-20 seconds; during this time you will see some processor and memory usage spikes. But, as shown, the memory eventually becomes available.

4. Post reboot, your extra CPUs will appear.

With 2008 R2 Enterprise and Datacenter

1. Note I’m using Datacenter here, but Enterprise is the same. I increased the memory from 4 to 5 GB, and added a further 3 CPUs.

2. It does work, you simply need to restart the “Task Manager” to reflect the increased CPU count.

3. Finished.

Related Articles, References, Credits, or External Links

NA

Event ID 1202

KB ID 0000124 

Problem

Security policies were propagated with warning. 0x4b8 : An extended error has occurred.

Solution

In my case, the cause was the driver signing policies.

Enable Logging

1. Enable debug logging for the Security Configuration client-side extension. To do this:

a. Start Registry Editor.

b. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

c. On the Edit menu, click Add Value, and then add the following registry value:

Value name: ExtensionDebugLevel
Data type: DWORD
Value data: 2

d. Quit Registry Editor.

2. Refresh the policy settings to reproduce the failure. To refresh the policy settings, type the following at the command prompt, and then press ENTER:

secedit /refreshpolicy machine_policy /enforce (Or gpupdate /force)

This creates a file that is named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.

Look at the log (go to the bottom of the log and work upwards!)

Error from Log

----Configure Security Policy...
Configure password information.
Configure account force logoff information.

System Access configuration was completed successfully.

Audit/Log configuration was completed successfully.

Kerberos Policy configuration was completed successfully.

Configure machine\software\microsoft\driver signing\policy.
Undo value for the undefined group policy setting <machine\software\microsoft\driver signing\policy> wasn’t reset successfully (1627). Undo value was not removed.
Error 1627: Function failed during execution.
Error configuring machine\software\microsoft\driver signing\policy.
Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
There is already an undo value for group policy setting <machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel>.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature>.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature>.
Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal>.
Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity>.

Configuration of Registry Values was completed with one or more errors.

I changed, in all policies,

Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Unsigned driver installation behavior

to “Warn but allow”.

Then I ran gpupdate /force on the domain controller; you should then see Event ID 1707 “Security policy in the group policy objects has been applied successfully”.
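The logging steps above as a script, plus a small parser that reads Winlogon.log newest-first and pulls out the lines that explain an Event ID 1202, as an added example (not code from the original article or from Microsoft). It assumes an elevated PowerShell session on the machine that is logging the event; the registry key and log path are the ones named in the text.

```powershell
# Added example, not from the original article. Run elevated on the affected machine.

$GpExtKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$WinlogonLog = Join-Path $env:SystemRoot 'Security\Logs\Winlogon.log'

function Enable-SceDebugLogging {
    # Step 1: ExtensionDebugLevel = 2 (DWORD) under the Security CSE's GPExtensions key.
    New-ItemProperty -Path $GpExtKey -Name 'ExtensionDebugLevel' -PropertyType DWord -Value 2 -Force | Out-Null
    (Get-ItemProperty -Path $GpExtKey -Name 'ExtensionDebugLevel').ExtensionDebugLevel
}

function Disable-SceDebugLogging {
    # Turn the verbose log off again once the fault is found; it is noisy and
    # there is no reason to leave it running on a production box.
    Remove-ItemProperty -Path $GpExtKey -Name 'ExtensionDebugLevel' -ErrorAction SilentlyContinue
}

function Get-SceLogErrors {
    # Step 2 onwards: read the log bottom-up (the most recent refresh is at the end)
    # and keep only the lines that describe a failure.
    param([string]$Path = $WinlogonLog)
    if (-not (Test-Path $Path)) { throw "Log not found: $Path. Refresh policy first (gpupdate /force)." }
    $lines = @(Get-Content -Path $Path)
    [array]::Reverse($lines)
    $pattern = 'completed with one or more errors|^Error configuring|^Error \d+:|wasn.t reset successfully'
    $lines | Where-Object { $_ -match $pattern }
}

function Get-FailingSetting {
    # Pulls the policy path out of 'Error configuring <path>.' lines; that path is
    # what you then go looking for in the GPO (in the log above: driver signing\policy).
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^Error configuring (?<setting>.+?)\.?\s*$') { $Matches['setting'] }
    }
}

# Usage:
# Enable-SceDebugLogging
# gpupdate /force
# Get-SceLogErrors | Get-FailingSetting | Sort-Object -Unique
# Disable-SceDebugLogging
```

Against the log excerpt above, the pipeline returns the single path machine\software\microsoft\driver signing\policy, which is the setting that was changed to “Warn but allow”.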

Related Articles, References, Credits, or External Links

NA

VMware Workstation – Error – “Virtualized Intel VT-x/EPT is disabled”

KB ID 0000540 

Problem

Seen on VMware Workstation, when attempting to virtualise a product that IS a virtualisation hypervisor (ESX for example).

Error: Virtualized Intel VT-x/EPT is disabled for this ESX VM. You will only be able to run 32-bit nested VMs.

At first I (wrongly) assumed that I needed to enable something in the BIOS on my laptop, and searched through every page to enable some virtualization setting that was turned off. But that’s NOT what it’s telling you. What it is telling you is that you are trying to virtualize a virtualization product, so all the clever VT settings from your physical machine’s CPU will be shown to VMware Workstation. But that presents a virtual CPU to the OS you are installing as a guest (in the case above ESX), and THAT virtual CPU does NOT have Intel VT-x/EPT enabled.

So a “Nested VM” is a guest VM, running inside a guest hypervisor, that’s been virtualized.

Solution

Note: I’m using VMware Workstation 8.

1. Right click the VM in question and select “Settings”.

2. Hardware Tab > Processors > Tick the option to enable VT-x/EPT or AMD-V/RVI > OK.

3. Restart the guest machine.

Note: You can also do this by editing the machine’s .vmx file with a text editor and adding the following lines;

[box]

monitor.virtual_mmu = "hardware"

monitor.virtual_exec = "hardware"

vhv.enable = "TRUE"

monitor_control.restrict_backdoor = "true"

[/box]
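Applying those four lines with PowerShell instead of a text editor, as an added example (not code from the original article or from VMware): it replaces any existing value for the same key rather than appending a duplicate, which matters because a .vmx with two copies of a key is a common reason a setting appears not to stick, and it takes a backup first. It assumes the VM is powered off and closed in Workstation; the path ‘C:\VMs\ESX\ESX.vmx’ is a placeholder.

```powershell
# Added example, not from the original article. Assumes the VM is powered off
# and not open in Workstation. 'C:\VMs\ESX\ESX.vmx' is a placeholder path.

function Set-VmxNestedVirtualization {
    param([Parameter(Mandatory)][string]$VmxPath)

    # The four settings from the note above, in the order they are listed there.
    $settings = [ordered]@{
        'monitor.virtual_mmu'               = 'hardware'
        'monitor.virtual_exec'              = 'hardware'
        'vhv.enable'                        = 'TRUE'
        'monitor_control.restrict_backdoor' = 'true'
    }

    if (-not (Test-Path $VmxPath)) { throw "No such file: $VmxPath" }
    Copy-Item -Path $VmxPath -Destination "$VmxPath.bak" -Force

    # Drop any existing line for one of our keys, then append our values once.
    $lines = @(Get-Content -Path $VmxPath)
    $keep = $lines | Where-Object {
        $line = $_
        -not ($settings.Keys | Where-Object { $line -match ('^\s*' + [regex]::Escape($_) + '\s*=') })
    }
    $new = $settings.GetEnumerator() | ForEach-Object { '{0} = "{1}"' -f $_.Key, $_.Value }
    Set-Content -Path $VmxPath -Value (@($keep) + @($new))

    # Return the nested-virtualization lines as now written, for verification.
    Get-Content -Path $VmxPath | Where-Object { $_ -match '^(monitor\.|vhv\.|monitor_control\.)' }
}

# Set-VmxNestedVirtualization -VmxPath 'C:\VMs\ESX\ESX.vmx'
```

Run it once per nested-hypervisor VM; re-running it is harmless because the key matching is exact and case-sensitive to the key text the note uses.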

Related Articles, References, Credits, or External Links

NA

VMware View 5 – Configure and Deploy Clients in ‘Kiosk Mode’

KB ID 0000610 

Problem

Kiosk mode is quite useful if you have some machines that you want to put in a public area for visitors to use, or for machines that are used in displays etc. Or if you have some older PCs that you just want to repurpose as internet terminals or ‘point of sale’ boxes.

Essentially it’s a system that delivers a virtual VMware View desktop to a PC or Thin client without the need to authenticate to the connection server. Kiosk authentication is disabled by default, so you need to run a few commands to get it enabled.

Solution

Before starting you will need a Virtual Machine ready to be used for the Kiosk machine. You might want to create this machine with a “nonpersistent” disk.

Configure Windows 7 to be a VMware View Desktop

Step 1: Prepare Active Directory

1. Set yourself up an OU to hold your kiosk machine, and a security group that will contain the user account you are going to create later.

Step 2: Configure the VMware Connection Server

2. Now log into your VMware Connection Server and open a command window with elevated privileges, then issue the following command;

[box]vdmadmin -Q -clientauth -setdefaults -ou “OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com” -noexpirepassword -group kioskusers[/box]

Note: where kioskusers is the name of the group you created.

3. Now I will create a user ‘custom-kiosk-user’ with a password of ‘Password123’, and put him in the OU and group we created earlier;

[box]vdmadmin -Q -clientauth -add -domain petenetlive -clientid custom-kiosk-user -password “Password123” -ou “OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com” -group kioskusers -description “Kiosk Terminal”[/box]

Note: Alternatively you can create a user that matches the MAC address of the client machine and auto-generate a password like so (this assumes the thin client or PC’s MAC address is 3C:4A:92:D3:12:1C).

4. Then allow this connection server to accept kiosk connections with the following command;

[box]vdmadmin -Q -enable -s PNL-CS[/box]

Note: Where PNL-CS is the name of my VMware Connection Server.

5. You can view the settings configured on this connection server with the following command;

[box]vdmadmin -Q -clientauth -list[/box]

6. While still on your connection server open VMware View Administrator, and create a ‘Pool’ for your Kiosk machine.

7. Manual Pool > Next.

8. Dedicated > Next.

9. vCenter virtual Machines > Next.

10. Next.

11. Give the pool an ID and Display name > Next.

12. Select the machine you are using as the source for the Kiosk machine > Next.

13. When the pool is created > Entitlements.

14. Add in the group that you created in step 1 > OK.

15. Just check on the ‘desktops’ tab and make sure the machine is listed as ‘available’.

Step 3: Connect to the Kiosk Machine

16. Now from your client machine or thin client, you can execute the following command to open the kiosk session.

[box]"c:\program files\vmware\vmware view\client\bin\wswc" -unattended -serverURL PNL-CS -userName custom-kiosk-user -password "Password123"[/box]

Note: In a live environment you may want to make the host machine or thin client automatically log on and put this command in the ‘startup’ folder, or call it from a startup/logon script so the machine will boot straight into the kiosk virtual machine.

17. All being well, you should be presented with the kiosk VM; note you no longer get the normal VMware View toolbar etc., it will behave as if the machine is in front of you.

Related Articles, References, Credits, or External Links

Deploying VMware View 5

vSphere Web Client – Options Greyed Out (Cannot install Client Integration Plug-in)

KB ID 0001064

Problem

While working on the vSphere Web Client in Google Chrome, I was unable to ‘Open Console’, the option was on the right click menu, but disappeared and was then greyed out after a second or so.

Essentially this happens because the plug-in has either not been installed, (from the login page) or a pop-up blocker is stopping the plug-in working.

Solution

1. With Chrome there’s an extra hoop to jump through: the plug-in uses NPAPI, and Chrome disabled that beginning with version 42. To enable it, open a new tab and navigate to;

[box]chrome://flags/#enable-npapi[/box]

In the NPAPI section select ‘Enable’.

2. Click ‘Relaunch Now’.

3. At this point you will be able to install the Client Integration Plug-in.

4. Now you need to make sure the plug-in will run, click the plug-in warning and select ‘Always allow plug-ins on localhost’, refresh the page.

5. You can now tick the box to login with Windows session authentication.

6. The first time you try to launch something, the pop-up blocker will suppress it; you will need to disable the pop-up blocker for this site.

7. The vSphere Web Client should now perform correctly in Google Chrome.

 

Related Articles, References, Credits, or External Links

NA

Windows – ‘Telnet’ is not recognized as an internal or external command

KB ID 0000455

Problem

Microsoft has removed the Telnet client from Windows and made it an “Optional Extra”. For most people that’s fine, but for anyone who programs network devices, or needs to test that ports are open, or test mail flow by telnet to port 25, that’s a pain.

Solution

Enabling Telnet – Windows 10

1. From PowerShell execute the following command;

[box]

dism /online /Enable-Feature /FeatureName:TelnetClient

[/box]

Enabling Telnet – Windows Server 2019, 2016, and 2012

1. From PowerShell execute the following command;

[box] Add-WindowsFeature Telnet-Client [/box]

Enabling Telnet – Windows 8, 7, Vista, and Server 2008 (NOT R2)

1. Open a command Window and execute the following command;

[box] pkgmgr /iu:"TelnetClient" [/box]

Or

2. Control Panel > Programs > Turn Windows features on or off > Select “Telnet Client” > OK.

Note: On Windows 8, Press Windows Key+X to get straight to control panel.

Enabling Telnet – Windows Server 2008 R2

1. From command line execute the following command;

[box] servermanagercmd -i telnet-client [/box]

Or

2. Launch Server Manager > Features > Add Features > Locate and select “Telnet Client”.
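The four install methods above folded into one function that picks the right one for the OS it is run on, and a check that telnet.exe actually ended up on the path, as an added example (not code from the original article or from Microsoft). The version-to-method mapping is the article’s, expressed as code; it assumes an elevated PowerShell session, and assumes Windows 8.1 (6.3) is handled like Windows 8 and Server 2012 R2 like 2012, neither of which the article lists.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell session.

$TelnetInstallers = @{
    dism    = { dism.exe /online /Enable-Feature /FeatureName:TelnetClient }      # Windows 10
    feature = { Import-Module ServerManager; Add-WindowsFeature Telnet-Client }   # Server 2012 / 2016 / 2019
    smcmd   = { servermanagercmd.exe -i telnet-client }                           # Server 2008 R2
    pkgmgr  = { pkgmgr.exe /iu:"TelnetClient" }                                   # Vista / 7 / 8 / Server 2008
}

function Get-TelnetInstallMethod {
    # Pure mapping function, so the decision can be tested without touching the OS.
    # Major.Minor: 6.0 = Vista/2008, 6.1 = 7/2008 R2, 6.2-6.3 = 8.x/2012 (R2), 10.0 = Windows 10/2016/2019.
    param(
        [Parameter(Mandatory)][version]$OsVersion,
        [Parameter(Mandatory)][bool]$IsServer
    )
    if ($OsVersion.Major -ge 10) { if ($IsServer) { return 'feature' } else { return 'dism' } }
    if ($OsVersion.Major -eq 6 -and $OsVersion.Minor -ge 2 -and $IsServer) { return 'feature' }
    if ($OsVersion.Major -eq 6 -and $OsVersion.Minor -eq 1 -and $IsServer) { return 'smcmd' }
    return 'pkgmgr'
}

function Test-TelnetClient {
    # True when telnet.exe resolves, i.e. the "not recognized" error is gone.
    [bool](Get-Command telnet.exe -ErrorAction SilentlyContinue)
}

function Install-TelnetClient {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem   # use Get-WmiObject on PowerShell 2.0 hosts
    $isServer = [int]$os.ProductType -ne 1                   # 1 = workstation, 2 = domain controller, 3 = server
    $method = Get-TelnetInstallMethod -OsVersion ([version]$os.Version) -IsServer $isServer
    Write-Host "Detected $($os.Caption) ($($os.Version)); using method '$method'"
    & $TelnetInstallers[$method]
    Test-TelnetClient
}

# Install-TelnetClient
```

The commands are kept as script blocks in a table rather than built as strings and passed to Invoke-Expression, so nothing taken from the OS is ever evaluated as code.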

 

Related Articles, References, Credits, or External Links

NA

PPTP VPN – Enable Split Tunneling

 

KB ID 0000997 

Problem

I was asked yesterday, “When you get five minutes, I need split tunneling setup, when I VPN into a network I lose Internet connectivity”. On inspection he was using the Microsoft VPN client, I jumped on the VPN device to discover it was a Cisco IOS router.

What I discovered was that, unlike the firewall VPNs I’m used to, you DON’T set split tunneling up on the VPN device, you set it up on the client (and it’s a bit clunky, sorry!)

Solution

1. Windows Key + R > ncpa.cpl {Enter} > Locate the VPN connection > Right Click > Properties > Networking > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced.

2. Untick “Use default gateway on remote network” > OK > OK > OK.

BE AWARE: There is a downside to doing this, as site visitor Clayton Webb points out;

“Unchecking that default gateway is a godsend, until end users use their laptops for torrents, malware, etc. If you have the time I’d recommend a direct access setup for company equipment. VPN w/ NPS health validators for non-company equipment.”

I agree, I would only ever see this as a temporary solution for the ‘technically savvy’.

3. WARNING: At this point you may find you can connect to the VPN, and your Internet now works (hooray!), but you can no longer talk to any servers or systems on the site you are VPN’d into. This is a Windows routing problem; let’s take a look at what IP address I’m getting from the VPN device.

Above you can see I’ve got an IP address of 192.168.2.207, and in my case I don’t have a default gateway (this is not unusual; yours may be the same or you may have a default gateway as well).

4. If you open a command window and issue a ‘route print’ command, you can see the reason I don’t have a default gateway: my gateway is my actual IP address (again this is not unusual; in my case I need to remember 192.168.2.207, if you have a different gateway listed that’s the one you need to take notice of).

5. Run a command window (as administrator) and issue a ‘route add‘, command like below.

Note: -P adds the route persistently (it will remain after a reboot). The network you are trying to get to will probably be a different network to the network IP you are being leased by the VPN device. If you have multiple networks you will need a ‘route add’ for each one.

6. To demonstrate; below I can’t get to 192.168.1.1, I then enter the ‘route add’ command, and after that I can get to 192.168.1.1.

Note: I’m not adding my route as persistent!
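Steps 2, 4 and 5 done from PowerShell rather than the GUI, as an added example (not code from the original article or from Microsoft). Set-VpnConnection and Get-NetIPAddress come from the built-in VpnClient and NetTCPIP modules (Windows 8.1 / Server 2012 R2 and later); the route itself is added with route.exe exactly as the text describes. The article’s values (VPN address 192.168.2.207, remote network 192.168.1.x) are used in the usage lines; the connection name ‘Office VPN’ is a placeholder, and it is assumed that the PPP adapter’s interface alias matches the connection name, which is how the Microsoft client normally names it.

```powershell
# Added example, not from the original article. 'Office VPN' is a placeholder
# connection name; run elevated for the route add.

function Disable-VpnDefaultGateway {
    # Same effect as unticking 'Use default gateway on remote network' (step 2).
    param([Parameter(Mandatory)][string]$ConnectionName)
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
    Get-VpnConnection -Name $ConnectionName | Select-Object Name, SplitTunneling
}

function Get-VpnGateway {
    # Step 4: the address leased by the VPN device on the PPP adapter. With the
    # Microsoft client the 'gateway' you route via is that address itself.
    # Assumption: the adapter's InterfaceAlias equals the connection name.
    param([Parameter(Mandatory)][string]$ConnectionName)
    (Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction Stop).IPAddress
}

function Add-VpnRoute {
    # Step 5: one static route per remote network. -Persistent adds -p, which the
    # note above explains; the author deliberately did not use it.
    param(
        [Parameter(Mandatory)][string]$Network,   # e.g. 192.168.1.0
        [Parameter(Mandatory)][string]$Mask,      # e.g. 255.255.255.0
        [Parameter(Mandatory)][string]$Gateway,   # e.g. 192.168.2.207
        [switch]$Persistent
    )
    $routeArgs = @('add', $Network, 'mask', $Mask, $Gateway)
    if ($Persistent) { $routeArgs = @('-p') + $routeArgs }
    & route.exe @routeArgs
    # Show the resulting entry so the change can be eyeballed.
    & route.exe print | Select-String -SimpleMatch $Network
}

# Usage:
# Disable-VpnDefaultGateway -ConnectionName 'Office VPN'
# rasdial 'Office VPN'
# $gw = Get-VpnGateway -ConnectionName 'Office VPN'          # 192.168.2.207 in the article
# Add-VpnRoute -Network 192.168.1.0 -Mask 255.255.255.0 -Gateway $gw
# Test-Connection 192.168.1.1 -Count 2
```

Because the route is tied to the address the VPN device leased, it has to be re-added if that address changes on a later connection, which is one more reason to treat this as the temporary workaround the text says it is.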

 

Related Articles, References, Credits, or External Links

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

Windows – Remote Desktop Error ‘An authentication error has occurred. The Local Security Authority cannot be contacted’

KB ID 0000826

Problem

Update May 2018: The following article is probably what you are looking for;

Windows RDP: ‘An authentication error has occurred’

 

 

I saw this while attempting to create a remote desktop connection to a Windows 2012 Server. (Though connecting to Windows 8 will be the same).

I’d only just set this server up, and knew I’d enabled RDP, and I was attempting to connect as the domain administrator, so at first I was a little perplexed.

Solution

If you have direct/local access to the machine you are trying to connect to.

1. Press Windows Key+R > In the run box type sysdm.cpl {enter} > Remote.

2. Remove the tick from “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”.

3. Try again.

If you do not have direct/local access to the machine you are trying to connect to.

1. On YOUR Machine > Windows Key+R > type regedit {Enter} > File > Connect Network Registry > Type in the details for the machine you are trying to connect to > OK.

2. Navigate to;

[box]{remote-machine-name} > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp[/box]

Locate the UserAuthentication value and change it to 1 (one) > OK > Exit the registry editor.

3. Try again.

Disable RDP Network Level Authentication via Group Policy

If the destination server is in a remote data centre or remote location, and you cannot access the System Properties, you can turn this option off with group policy, and wait a couple of hours.

1. On a DC > Start > Group Policy Management > Either create a new group policy object and link it to the OU containing the problem machine, or edit an existing one. (Here on my test network I’m going to edit the default domain policy. WARNING: this will disable this feature on all machines in a production environment!)

2. Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security[/box]

3. Locate the ‘Require user authentication for remote connections by using Network Level Authentication’ policy.

4. Set the policy to Disabled > Apply > OK > Close the Group Policy Management Editor.

5. How long before the Group Policy will affect the target machine? Group policies are processed when a machine starts up; after this they are processed again (only if they have changed), and the time period varies (so all clients do not update at the same time). The interval is 90 minutes, with a random offset of up to 30 minutes. So the maximum time it can possibly take is 2 hours (120 minutes). Note: this is the default setting; it can be manually changed up to (45 days) 64,800 minutes (though why would you do such a thing?)
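A way to report the Network Level Authentication requirement across several hosts, and to put it back once the troubleshooting is over, as an added example (not code from the original article or from Microsoft). It uses the Win32_TSGeneralSetting WMI class, which sits behind the same RDP-Tcp setting the registry and policy steps above change, so you can see which machines are left with NLA turned off after a workaround like this one. Host names are placeholders; it assumes admin rights and WinRM access to the targets.

```powershell
# Added example, not from the original article. Host names are placeholders;
# requires admin rights and WinRM (or DCOM via -CimSession) access to the targets.

$TsNamespace = 'root\cimv2\TerminalServices'

function Get-RdpNlaStatus {
    # One row per host: whether NLA is required (the default you want to see) and
    # which security layer is negotiated. Unreachable hosts are reported, not skipped.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $ts = Get-CimInstance -ComputerName $c -Namespace $TsNamespace -ClassName Win32_TSGeneralSetting `
                      -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
            [pscustomobject]@{
                ComputerName  = $c
                NlaRequired   = [bool]$ts.UserAuthenticationRequired   # 1 = NLA required
                SecurityLayer = $ts.SecurityLayer                       # 0 = RDP, 1 = negotiate, 2 = TLS
                Error         = $null
            }
        } catch {
            [pscustomobject]@{ ComputerName = $c; NlaRequired = $null; SecurityLayer = $null; Error = $_.Exception.Message }
        }
    }
}

function Set-RdpNlaRequired {
    # -Required $false is the equivalent of the workaround in the text; run it again
    # with -Required $true once the client-side cause (see the May 2018 update) is fixed.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][bool]$Required
    )
    $ts = Get-CimInstance -ComputerName $ComputerName -Namespace $TsNamespace -ClassName Win32_TSGeneralSetting `
              -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32][int]$Required } | Out-Null
    Get-RdpNlaStatus -ComputerName $ComputerName
}

# Usage:
# Get-RdpNlaStatus -ComputerName 'PNL-SRV-01', 'PNL-SRV-02' | Format-Table -AutoSize
# Set-RdpNlaRequired -ComputerName 'PNL-SRV-01' -Required $true
```

Running Get-RdpNlaStatus against the OU you linked the policy to, a couple of hours after the GPO change, is also a quick way to confirm the policy has actually applied without waiting for the next failed RDP attempt.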

Windows – Forcing Domain Group Policy

Related Articles, References, Credits, or External Links

NA

Windows Server 2008 – Enable Aero

KB ID 0000321

Problem

You might ask why? But I needed to do this the other day for some screenshots, and if I had to work out how to do it then someone else will want to use Aero on Windows Server 2008. Besides, I’ve seen people running this OS on their laptops etc., so if it were me, I’d rather look at Aero than the standard Windows “Theme”.

Solution

Minimum Requirements for Aero

CPU = 1 GHz or higher
RAM = 1 GB or better
Graphics card = 128MB or better
Graphics card = DirectX 9 & Pixel Shader 2.0 with 32 bits per pixel

Rule of thumb

Single monitor up to 1280×1024 = 64MB graphics memory
Single monitor up to 1600×1200 = 128MB graphics memory
Single monitor up to 2560×1600 = 256MB graphics memory

Enabling Aero Theme For Remote Desktop Services (RDP) Users

(Updated 01/12/12). I had a user that needed his Remote Desktop Services (Terminal Services) users to get an Aero themed desktop, so his RemoteApp applications would run with the correct icons. In this case the easiest solution is to set up a LOCAL policy on the Remote Desktop Services server to force this.

1. On the server, Windows Key+R > gpedit.msc {enter} > When the policy editor opens > Navigate to;

[box]User Configuration > Administrative Templates > Control Panel > Personalization > Force a Specific Visual Style file or force Windows Classic[/box]

Enable the policy > Set the ‘Path to Visual Style’ to;

[box]%WinDir%\resources\Themes\Aero\aero.msstyles[/box]

Copy that path to the clipboard > Apply > OK.

2. The next policy is directly above and is called ‘Load a specific theme’ > Enable the policy > Paste in the same path as above.

3. Close the policy editor > Then either reboot, or from command line run;

[box]gpupdate /force[/box]

Related Articles, References, Credits, or External Links

Enable Aero for RDP “One or more of the themes has been disabled by Remote Desktop Connection settings”

Original Article Written 09/09/10

Thanks to Michael Dixon at Springvale EPS for his assistance.