PowerShell: Restart Fails ‘Other Users Logged On’

KB ID 0001374

Problem

If you intend to shut down or restart a remote computer using PowerShell, you may see the following error message:

PS C:\> Restart-Computer “Computer-name
Restart-Computer : This command cannot be run on target computer(‘Computer-name’) due to following error: The system shutdown cannot be initiated because there are other users logged on to the computer.
At line:1 char:1
+ REstart-Computer “Computer-name
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Computer-name:String) [Restart-Computer], InvalidOperationException
+ FullyQualifiedErrorId : RestartComputerFailed, Microsoft.PowerShell.Commands.RestartComputerCommand

Solution

You need to add the -Force flag to the command like so;
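An added example (not from the original article): it lists the sessions that a forced restart would end, then restarts with -Force. The function name Restart-RemoteHost is hypothetical, and 'Computer-name' is the placeholder host name used above.

```powershell
# Added example, not the article's own code.
# Restart-RemoteHost is a hypothetical helper name.
function Restart-RemoteHost {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$TimeoutSeconds = 600
    )

    # quser.exe lists console/RDP sessions on the target. It writes to stderr
    # and exits non-zero when nobody is logged on, so that stream is discarded.
    $sessions = quser "/server:$ComputerName" 2>$null | Select-Object -Skip 1
    if ($sessions) {
        Write-Warning "Sessions on $ComputerName that -Force will terminate:"
        $sessions | ForEach-Object { Write-Warning $_.Trim() }
    }

    # ConfirmImpact 'High' makes PowerShell prompt before the restart
    # unless the caller passes -Confirm:$false.
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Forced restart')) {
        # -Force overrides the 'other users logged on' check.
        # -Wait -For PowerShell blocks until remoting answers again.
        Restart-Computer -ComputerName $ComputerName -Force `
            -Wait -For PowerShell -Timeout $TimeoutSeconds
    }
}

Restart-RemoteHost -ComputerName 'Computer-name'
```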

Related Articles, References, Credits, or External Links

NA

Reset an AD Users Password Expiry Date

KB ID 0001272

Problem

I was setting up a Cisco ASA this week and needed to enable the ability for users to reset their domain passwords when they are about to expire. To actually test that, I needed a test user that had their password either about to expire, or actually expired. As I didn’t want to wait 42 days, or set up a password policy just for one user, I needed to find a ‘quick and dirty’ fix for one user.

Solution

You need to open Active Directory Users and Computers, and you need to have ‘Advanced options’ enabled. Locate your user and open their properties > Attribute Editor > Attributes > pwdLastSet.

If you want to set it to expired, then set its value to Zero.

It should change to <never>, which is not strictly true; it actually changes to 12:00AM January 1st 1601.

Note: If you set its value to -1 and apply the change it resets the attribute to the current day and time (you may need to close and reopen the property dialog to see the change).
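The same change scripted with the ActiveDirectory module, as an added example that is not part of the original article. It also decodes the raw attribute, which shows why a value of zero maps to 1 January 1601. The account name 'test.user' and the helper Get-PwdLastSet are hypothetical.

```powershell
# Added example, not the article's own code. Requires the RSAT
# ActiveDirectory module and rights to write the attribute.
Import-Module ActiveDirectory

# Hypothetical helper: show the raw value and its decoded timestamp.
function Get-PwdLastSet {
    param([Parameter(Mandatory)][string]$Identity)

    $u = Get-ADUser -Identity $Identity -Properties pwdLastSet
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Raw            = $u.pwdLastSet
        # pwdLastSet is a Windows FILETIME: 100-nanosecond ticks counted
        # from 1601-01-01 00:00 UTC, so zero decodes to that epoch.
        AsUtc          = [datetime]::FromFileTimeUtc($u.pwdLastSet)
    }
}

$user = 'test.user'   # hypothetical test account

Get-PwdLastSet -Identity $user

# 0 = treat the password as expired (the "set its value to Zero" step).
Set-ADUser -Identity $user -Replace @{ pwdLastSet = 0 }
Get-PwdLastSet -Identity $user

# -1 = stamp the attribute with the current date and time, which restarts
# the password age for this account.
Set-ADUser -Identity $user -Replace @{ pwdLastSet = -1 }
Get-PwdLastSet -Identity $user
```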

Related Articles, References, Credits, or External Links

NA

Event ID 9327

KB ID 0000480 

Problem

Seen when an Exchange server attempts to build the Offline Address book but encounters an error.

Source: MSExchangeSA
Event ID: 9327
Task Category: (13)
Level: Warning
Keywords: Classic
User: N/A
Description:
OALGen skipped some entries in the offline address list 'Global Address List'. To see which entries are affected, event logging for the OAL Generator must be set to at least medium. 

This is just an instruction to enable logging so that you can see the REAL error.

Solution

Option 1 Enable Logging via the Exchange Management Shell

1. Launch the Exchange Management Shell and check the current logging level; it will probably be set to “Lowest”. Issue the following command:

[box]Get-EventLogLevel[/box]

Then scroll down to “MSExchangeSA\OAL Generator” and check its status.

2. To turn the logging level right up, issue the following command:

[box]Set-EventLogLevel -Identity "MSExchangeSA\OAL Generator" -Level Expert[/box]

Option 2 Enable Logging via the Exchange Management Console

1. Launch the Exchange Management Console > Server Configuration > Right click the offending server > Manage Diagnostic Logging Properties > Expand MSExchangeSA > Select OAL Generation > Tick Expert > Configure > Finish.

Then rebuild the Offline address Book

1. Launch the Exchange Management Console > Organization Configuration > Offline address book Tab > Right click “Default Offline address Book” > Update.

2. Select “Yes” when prompted.

3. Wait a few minutes, then re-check the server application log. You will see this error again, but there should be a more descriptive error near it to let you know what is failing.

 

Related Articles, References, Credits, or External Links

NA

Event ID 9323

KB ID 0000481 

Problem

Seen when an Exchange server attempts to build the Offline Address book but encounters an error.

Source: MSExchangeSA
Event ID: 9323
Task Category: (13)
Level: Warning
Keywords: Classic
Description:
Entry '{Username}' has invalid or expired e-mail certificates. These certificates will not be included in the offline address list for 'Global Address List'.

Solution

1. Go to a domain controller, launch “Active Directory Users and Computers”, select View and enable “Advanced Features”. Locate the username reported in the error (in this example it’s the administrator). On the properties for that user, locate the “Published Certificates” tab.

If you can’t see the Published Certificates tab, you are probably on the Exchange Server and NOT on a domain controller.

2. You will see that this user has a certificate, which you can inspect by pressing the View Certificate button. In this case we can see that the certificate has expired.

3. I didn’t need to renew this certificate, so I simply removed it.

Then rebuild the Offline address Book

1. Launch the Exchange Management Console > Organization Configuration > Offline address book Tab > Right click “Default Offline address Book” > Update.

2. Select “Yes” when prompted.

3. Wait a few minutes, then re-check the server application log to make sure it now completes without error.
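To find every affected account in one pass rather than one user at a time, the following added example (not part of the original article) reads each user's published certificates from Active Directory and reports the expired ones. It assumes the “Published Certificates” tab corresponds to the userCertificate attribute; the function name Get-ExpiredPublishedCertificate is hypothetical.

```powershell
# Added example, not the article's own code. Requires the RSAT
# ActiveDirectory module. Assumption: the "Published Certificates" tab
# shows the userCertificate attribute.
Import-Module ActiveDirectory

# Hypothetical helper: one output row per expired published certificate.
function Get-ExpiredPublishedCertificate {
    param([datetime]$AsOf = (Get-Date))

    Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate |
        ForEach-Object {
            $user = $_
            foreach ($raw in $user.userCertificate) {
                # Each value is a DER-encoded certificate stored as bytes.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                if ($cert.NotAfter -lt $AsOf) {
                    [pscustomobject]@{
                        User        = $user.SamAccountName
                        Subject     = $cert.Subject
                        Issuer      = $cert.Issuer
                        NotAfter    = $cert.NotAfter
                        Thumbprint  = $cert.Thumbprint
                        Certificate = $cert
                    }
                }
            }
        }
}

$expired = Get-ExpiredPublishedCertificate
$expired | Format-Table User, Subject, NotAfter, Thumbprint -AutoSize

# Mirrors step 3 (removing the certificate). -WhatIf only reports what
# would change; drop it once the list above has been reviewed.
foreach ($e in $expired) {
    Set-ADUser -Identity $e.User -Certificates @{ Remove = $e.Certificate } -WhatIf
}
```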

Related Articles, References, Credits, or External Links

NA


vSphere – Virtual Machine Will Not ‘Power Off’ (Hangs at 95%)

KB ID 0000911 

Problem

I had a virtual machine crash on me while I was doing some work on it. As I was unable to shut it down gracefully, I attempted to ‘Power Off’. It progressed to 95% and stopped there.

Expecting it to ‘time out’, I carried on with some other work and kept an eye on it. 30 minutes later there was still no progress.

Solution

1. Enable SSH access on the ESX host that is hosting the problem VM.

2. Connect to the ESX host via SSH, and logon as root. Execute the following command to see all the running VMs on this host, and list their world ID numbers.

[box]esxcli vm process list[/box]

 

3. Once you have the World ID of the problem VM, you can attempt to power it off with the following command;

[box]

Syntax

esxcli vm process kill --type {soft,hard,force} --world-id {ID Number}

Example

esxcli vm process kill --type hard --world-id 1397444

[/box]

4. Check, and your VM should now be powered off.

If That Didn’t Work (How to Kill a VM)

Note: This is a last resort.

1. Issue the following command to locate the Process ID’s that are associated with the problem VM.

[box]

Syntax

ps | grep "VM Name"

Example

ps | grep "2012 Test"

[/box]

You will get all the processes, and they are preceded by two columns of numbers, the first column contains the individual PID’s. The second column is the PID for the parent process, this is the one you need.

2. Armed with your PID, you need to terminate that parent process with the following command;

[box]

Syntax

kill {PID}
Example

kill 1398644

[/box]

3. Check, and your VM should now be powered off.

Related Articles, References, Credits, or External Links

NA

Windows Server 2008 – Enable Aero

KB ID 0000321

Problem

You might ask why? But I needed to do this the other day for some screen shots, and if I had to work out how to do it then someone else will want to use Aero on Windows Server 2008. Besides, I’ve seen people running this OS on their laptops etc., so if it were me, I’d rather look at Aero than the standard Windows “Theme”.

Solution

Minimum Requirements for Aero

CPU = 1 GHz or Higher
RAM = 1 GB or better
Graphics Card = 128MB or better
Graphics Card = DirectX 9 & Pixel shader 2.0 with 32 bits per pixel

Rule of thumb

Single monitor up to 1280×1024 = 64MB Graphics Memory
Single monitor up to 1600×1200 = 128MB Graphics Memory
Single monitor up to 2560×1600 = 256MB Graphics Memory

Enabling Aero Theme For Remote Desktop Services (RDP) Users

(Updated 01/12/12). I had a user that needed his Remote Desktop Services (Terminal Services) users to get an Aero themed desktop, so his RemoteApp applications would run with the correct icons. In this case the easiest solution is to set up a LOCAL policy on the Remote Desktop Services server to force this.

1. On the server, Windows Key+R > gpedit.msc {enter} > When the policy editor opens > Navigate to;

[box]User Configuration > Administrative Templates > Control Panel > Personalization > Force a Specific Visual Style file or force Windows Classic[/box]

Enable the policy > Set the ‘Path to Visual Style’ to;

[box]%WinDir%\resources\Themes\Aero\aero.msstyles[/box]

Copy that path to the clipboard > Apply > OK.

2. The next policy is directly above and is called ‘Load a specific theme’ > Enable the policy > Paste in the same path as above.

3. Close the policy editor > Then either reboot, or from command line run;

[box]gpupdate /force[/box]

Related Articles, References, Credits, or External Links

Enable Aero for RDP “One or more of the themes has been disabled by Remote Desktop Connection settings”

Original Article Written 09/09/10

Thanks to Michael Dixon at Springvale EPS for his assistance.

 

Windows Server – Enable Multiple RDP sessions

KB ID 0000471

Problem

Server 2012/2008 R2, unlike their predecessors, come with the multiple remote desktop session restriction enabled. If you are only connecting to a server for remote administration purposes that can get a bit annoying, especially if you have a generic administrative account that multiple techs are using, and you keep kicking each other off the server.

Just as with earlier versions of Windows server you CAN have two RDP sessions at any one time, the restriction is one logon for one account. Thankfully you can disable the restriction and there are a number of ways to do so.

Solution

Server 2008 R2 Option 1: Enable Multiple RDP sessions from TSCONFIG

Note: tsconfig.msc does not work on Windows Server 2012

1. On the server, click Start and in the search/run box type tsconfig.msc{enter}. Locate “Restrict each user to a single session” Right click > Properties.

2. Remove the tick from “Restrict each user to a single session” > Apply > OK.

Server 2012 and 2008 R2 Option 2: Enable Multiple RDP sessions via the registry

1. Start > in the search/run box type regedit {enter} > Navigate to:

[box] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server [/box]

Locate the fSingleSessionPerUser value > Set it to 0 (Multiple sessions allowed), or 1 (Multiple sessions NOT allowed).
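The registry change scripted, as an added example that is not part of the original article. It reads the value from the local Terminal Server key and from the key where Group Policy writes the same setting (Options 3 and 4 below), so you can see which source is in effect before changing anything. The function names are hypothetical.

```powershell
# Added example, not the article's own code. Run elevated on the server.
$valueName = 'fSingleSessionPerUser'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# Location written by the "Restrict Remote Desktop Services users to a
# single Remote Desktop Services session" policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Hypothetical helper: report the value from both locations.
function Get-SingleSessionSetting {
    foreach ($key in $policyKey, $localKey) {
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Source = $key
            # $null means the value is not configured at this location.
            Value  = if ($item) { $item.$valueName } else { $null }
        }
    }
}

# Hypothetical helper: 0 = multiple sessions allowed, 1 = NOT allowed.
function Set-SingleSessionPerUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)

    if ($PSCmdlet.ShouldProcess($localKey, "Set $valueName to $Value")) {
        Set-ItemProperty -Path $localKey -Name $valueName -Value $Value -Type DWord
    }
}

Get-SingleSessionSetting | Format-Table -AutoSize
Set-SingleSessionPerUser -Value 0 -WhatIf
```

If a value is present under the policy key, change it through the policy that set it; a later policy refresh rewrites that key.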

Server 2012 and 2008 R2 Option 3: Enable Multiple RDP sessions via Local Policy

1. Start > in the search/run box type gpedit.msc {enter}.

2. Navigate to:

[box] Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections [/box]

Locate the “Restrict Remote Desktop Services users to a single Remote Desktop Services session” setting.

3. To enable multiple sessions set the policy to disabled > Apply > OK.

Server 2012 and 2008 R2 Option 4: Enable Multiple RDP sessions via Group Policy

1. On a domain controller > Start > in the search/run box type gpmc.msc {enter}.

2. Either edit an existing GPO that’s linked to your COMPUTERS, or create a new one and give it a sensible name.

3. Navigate to:

[box] Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections [/box]

Locate the “Restrict Remote Desktop Services users to a single Remote Desktop Services session” setting.

4. To enable multiple sessions set the policy to disabled > Apply > OK.

5. Then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

 

Related Articles, References, Credits, or External Links

Original Article Written 27/06/11

RDS Server – Remove the Shutdown Command

KB ID 0000499 

Problem

I’m surprised that when you make a server a Terminal Services Server / Remote Desktop Services Server, that this does not get applied from an administrative template anyway, but it does not.

Why would you want to do this? Well users are used to hitting Start > Shutdown, when they are finished working, which is fine, unless they are in a terminal session with 500 other users and they’ve just issued a shutdown command to the server!

Solution

The simplest way to do this is run gpedit.msc on the server itself and remove shutdown through local group policy, but a far more elegant solution is create a domain group policy for the TS Server(s).

1. On a domain controller, launch the “Group Policy Management Console”. Create a policy, and link it to the OU that contains the Terminal Servers you want to enforce the policy on (or edit an existing policy linked to them).

2. Removing the shutdown command is a USER policy, and this is a COMPUTER policy we are writing, so it won’t work unless we turn on “Loopback processing”. Navigate to Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing. (Note: On 2016 it will be called ‘Configure user Group Policy loopback processing mode’.)

3. In most cases you will already have user policies applied to your users, if so you will want to “Merge” this with them rather than replace them > Apply > OK.

4. Now to remove the Shutdown command. Navigate to User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate Commands.

5. Enable > Apply > OK.

6. Then either reboot the TS Server(s), wait a couple of hours or run “gpupdate /force” on them.

 

Related Articles, References, Credits, or External Links

NA