Bulk Creating Users For Your Test Network

KB ID 0000784 

Problem

Update Jan 2023: Feel free to use this Bulk-Create-AD-Users-Script (just remember to change the domain details in the ‘Global Variables’ section) to give you 1000 users, with sensible names, addresses etc.

Having a test network is great for both learning and testing. I’ve got some major migrations coming up in the next few months, so I’m in the process of running up some new test servers. I usually run a quick .vbs file like this;

[box]

Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
objRootDSE.Get("defaultNamingContext"))

For i = 1 To 1000
Set objLeaf = objContainer.Create("User", "cn=UserNo" & i)
objLeaf.Put "sAMAccountName", "UserNo" & i
objLeaf.SetInfo
Next
WScript.Echo "1000 Users created."

[/box]

Save that as createusers.vbs and run it on your domain controller and it will churn out 1000 users (named UserNo1 – UserNo1000). They will be disabled, with no passwords, but that can be rectified with a few mouse clicks.

But I want something a little more realistic, so I found a random name generator, and decided to have a script to create 1000 users that were a little more ‘lifelike’.

Solution

1. Download this zip file, and extract it to your desktop. To run the script you will need to set your Execution Policy with the following command;

[box]
Set-ExecutionPolicy Unrestricted[/box]

2. You will need to change a couple of lines in the newusers.ps1 file. Open it with Notepad and change the domain details to match yours;

[box]

# Container the accounts are created in (change the DC= values to match your domain)
$TargetOU = [ADSI]"LDAP://CN=Users,DC=pnl,DC=com"
foreach ($user in Import-Csv usernames.csv)
{
    $newUser = $TargetOU.Create("user", "cn=" + $user.login)
    $newUser.Put("sn", $user.Last)
    $newUser.Put("DisplayName", $user.First + " " + $user.Last)
    $newUser.Put("givenName", $user.First)
    $newUser.Put("sAMAccountName", $user.login)
    $newUser.Put("userPrincipalName", $user.login + "@pnl.com")
    $newUser.SetInfo()                        # the object must exist before a password can be set
    $newUser.SetPassword($user.password)
    $newUser.Put("userAccountControl", 512)   # 512 = normal, enabled account
    $newUser.SetInfo()
}

[/box]

3. Change directory to the folder with your script in, and run it. It will import the details from the usernames spreadsheet;

[box]

cd Desktop/New_Users
./Newusers.ps1

[/box]

4. Look in Active Directory and there are your new users.

Bulk Creating Mailboxes for your Users

Now I’ve got my users in AD, I want them all to have a mailbox, so a quick PowerShell command;

[box]
Get-User -OrganizationalUnit "pnl.com/users/" -ResultSize Unlimited | Enable-Mailbox -Database "Mailbox-Database"[/box]

It will throw out the odd error (e.g. if it finds users that are already mail enabled), that’s OK.

Related Articles, References, Credits, or External Links

NA

Windows Server – Schedule a Reboot

KB ID 0001321 

Problem

Back in the day we just used the ‘At’ command to schedule a reboot, but starting with Server 2012 that was stopped! If you try it now you will see the following;

The AT command has been depreciated. Please use schtasks.exe instead

Solution (The Quick Way)

Execute the following command (change time and date accordingly);

[box]

schtasks /create /tn "Scheduled Reboot" /tr "shutdown /r /t 0" /sc once /st 12:20:00 /sd 02/03/2020 /ru "System"
[/box]

Solution (The Long Way)

Launch Task Scheduler.

Create Basic Task.

Give the task a name, (and optionally a description) > Next > One time > Next > Enter the date and time for the reboot to occur > Next.

Start a program > Next > Program/Script = PowerShell > Add Arguments = Restart-Computer -Force > Next > Finish.


PowerShell: Add All Members of an OU to a Security Group

KB ID 0001589

Problem

I’ve written in the past about ‘Bulk Adding Users from CSV files, into Groups‘. But what if you want to add ALL users in a particular OU into a security group?

Solution

The syntax is;

[box]

Get-ADUser -SearchBase 'OU=Source-OU,OU=PNL,DC=pnl,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SG-Test-Group' -Members $_ }

[/box]

Here I’ve got 20 users that need adding to a group, in this example the group’s in the same OU, but it does not have to be;

You will need to close and reopen the group properties for it to refresh its membership.


PowerShell: Finding Stale User and Computer Accounts

KB ID 0001438

Problem

I do this a lot, (usually prior to big migrations), most organisations have no mechanism for removing old users and computers from Active Directory, some don’t even disable the accounts.

Find Users Who Have Never Logged On

Use the following PowerShell Command;

[box]

Get-ADUser -Filter { LastLogonDate -notlike "*" -and Enabled -eq $true } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression={$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName | Export-Csv C:\temp\Users-Never-Logged-On.csv

[/box]

Note: This will output the users to a csv file, and requires you to have a C:\Temp directory.

Find Users Who Have Not Logged On In ‘x‘ Days

I’m going to use the value of 90 days (remember some staff might be on long term sick/maternity so check with HR!) Execute the following three commands;

[box]

$DaysInactive = 90
$TrueInactiveDate = (Get-Date).Adddays(-($DaysInactive))
Get-ADUser -Filter { LastLogonDate -lt $TrueInactiveDate -and Enabled -eq $true } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression={$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName | Export-Csv C:\temp\Users-Inactive-90-days.csv

[/box]

Note: This will output the users to a csv file, and requires you to have a C:\Temp directory.

Find Computers Who Have Not Logged On In ‘x‘ Days

Again I’m using 90 days. Execute the following three commands;

[box]

$DaysInactive = 90
$TrueInactiveDate = (Get-Date).Adddays(-($DaysInactive))
Get-ADComputer -Filter { PasswordLastSet -lt $TrueInactiveDate} -properties PasswordLastSet | Select-Object Name, PasswordLastSet, DistinguishedName | Export-Csv C:\temp\Computers-Inactive-90-days.csv

[/box]

Note: This will output the computers to a csv file, and requires you to have a C:\Temp directory.
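
The 90-day user check above, as an added example (not code from the original article) with two guards: accounts created inside the window are not reported as ‘never logged on’, and the cutoff is widened because LastLogonDate is built from lastLogonTimestamp, which can trail the real logon. The function name, the 14-day slack (the default update interval is assumed) and the sample accounts are constructed for illustration.

```powershell
# Added example: classify enabled accounts as stale. Sample data is constructed.
function Get-StaleAccountReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,
        [int]$DaysInactive = 90,
        # Assumption: default 14-day lastLogonTimestamp update interval, so
        # LastLogonDate can be up to 14 days older than the real last logon.
        [int]$ReplicationSlackDays = 14,
        [datetime]$Now = (Get-Date)
    )
    begin {
        $inactiveCutoff = $Now.AddDays(-($DaysInactive + $ReplicationSlackDays))
        $createdCutoff  = $Now.AddDays(-$DaysInactive)
    }
    process {
        if (-not $Account.Enabled) { return }   # disabled accounts are out of scope

        if ($null -eq $Account.LastLogonDate) {
            # No logon recorded: only stale if the account has existed long enough
            $status = if ($Account.whenCreated -lt $createdCutoff) { 'NeverLoggedOn' } else { 'NewNotYetUsed' }
        }
        elseif ($Account.LastLogonDate -lt $inactiveCutoff) {
            $status = 'Inactive'
        }
        else {
            $status = 'Active'
        }

        [pscustomobject]@{
            Username      = $Account.SamAccountName
            Status        = $status
            LastLogonDate = $Account.LastLogonDate
            Created       = $Account.whenCreated
        }
    }
}

# Constructed sample accounts, evaluated as if today were 1 June 2024
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true;  LastLogonDate = [datetime]'2024-05-20'; whenCreated = [datetime]'2020-01-10' }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true;  LastLogonDate = [datetime]'2024-02-20'; whenCreated = [datetime]'2019-03-02' }
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true;  LastLogonDate = [datetime]'2023-11-01'; whenCreated = [datetime]'2018-07-21' }
    [pscustomobject]@{ SamAccountName = 'dave';  Enabled = $true;  LastLogonDate = $null;                  whenCreated = [datetime]'2024-05-15' }
    [pscustomobject]@{ SamAccountName = 'erin';  Enabled = $true;  LastLogonDate = $null;                  whenCreated = [datetime]'2022-09-09' }
    [pscustomobject]@{ SamAccountName = 'frank'; Enabled = $false; LastLogonDate = [datetime]'2021-01-01'; whenCreated = [datetime]'2017-05-05' }
)

# bob is 102 days old by LastLogonDate but inside the 104-day cutoff, so he stays 'Active'
$sample | Get-StaleAccountReport -Now $now | Where-Object Status -ne 'Active'

# Against a live domain, feed the same function from Get-ADUser:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
#     Get-StaleAccountReport | Where-Object Status -ne 'Active' |
#     Export-Csv C:\temp\Stale-Users.csv -NoTypeInformation
```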


Windows ‘Always On’ VPN Part 2 (NPS, RAS, and Clients)

KB ID 0001403

Problem

Back in Part One, we set up the AD (Groups) and the Certificate Services that will knit everything together. Now we need to configure an NPS server that acts as a RADIUS server for our remote clients, and a RAS server that our remote clients will connect to.

Step 1: Network Setup

Microsoft have an alarming habit of telling you to connect DMZ assets to the LAN. In their defence I’ve seen some documentation where there is a firewall in front and behind their RAS/VPN server, but then you keep reading and they refer to the NIC on the LAN and the NIC in the DMZ. As you can tell I’m not a fan, I prefer to have an un-authenticated and an authenticated DMZ, and neither of them are connected to the LAN, so then I can control what can, and cannot flow between the DMZs and the LAN.

My way means I have to allow more ports for domain membership etc, but, if you have a Cisco ASA I’ve covered that in the following article,

Cisco ASA – Allowing Domain Trusts, and Authentication

As for the VPNs and RADIUS you need to allow the following;

From Outside to the RAS Server

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT Traversal)

From the RAS Server to the NPS/NAP Server

  • UDP 1812 (RADIUS Authentication)
  • UDP 1813 (RADIUS Accounting)
  • UDP 1645 (RADIUS Authentication)
  • UDP 1646 (RADIUS Accounting)

Quite why it needs both pairs of RADIUS ports I’m unsure, I’ve not scanned or packet captured the traffic, but I’m willing to bet it really only needs 1812/1813 or 1645/1646.

Step 2: Install NPS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services > Complete the wizard accepting the defaults.

Administrative tools > Network Policy Server > Right click NPS (Local) > Register in Active Directory > OK.

Even though it’s not set up yet, we need to create our RAS server as a RADIUS client > RADIUS Clients > New.

Friendly Name: A sensible name that identifies the RAS server

IP: IP of the RAS server (On the LAN segment)

Shared Secret: Generate a new one and copy it to the clipboard, (you will need it in a minute.)

On the main page, ensure ‘RADIUS server for Dial-Up or VPN Connections’ is selected > Configure VPN or Dial-Up.

Select ‘Virtual Private Network (NPS) Connections’ > Next > Ensure the RADIUS server you have just created is listed > Next > Ensure ONLY ‘Extensible Authentication protocol’ is ticked > Change its value to Microsoft Protected EAP (PEAP) > Configure.

EAP Types: Remove the one that is listed by default > Add in ‘Smart card or other certificate’ > OK > Under Groups make sure you have ONLY added the group you created back in part one > Next > Next.

Next > Next > Finish.

Your connection request policies should look like this.

Your network policies should look like this.

Step 3: Setup RAS

Server Manager > Manage > Add roles and Features > Next > Next > Next > Remote Access > Next.

Select DirectAccess and RAS > Finish the wizard accepting the defaults.

Open the Getting Started Wizard > Select VPN Only.

Administrative Tools > Routing and Remote Access > Right click {server-name} > Configure and enable Routing and Remote Access > Next  > Custom configuration.

VPN Access > Next > Finish > Start service.

Once again right click {server-name} > Properties > IPv4 > Note: If you are not going to use your internal DHCP server/scope, then you can set one up manually (as shown) > Ensure ‘Enable broadcast name resolution’ is selected, and the RAS server’s internal/LAN interface is selected > Apply.

Security Tab:  Authentication provider  = RADIUS Authentication  > Configure > Add > Enter the IP of the NPS server > Change > Paste in the shared secret you copied, (above) > OK > OK. 

Repeat the same procedure for Accounting provider, (below).

Drill down to ‘Ports’ > Right Click > Properties > Select SSTP > Configure > Remove the tick from ‘Remote access connections (inbound only)’ > OK. Repeat this procedure for ALL the protocols EXCEPT IKEv2, (so when finished, only IKEv2 is set to accept incoming requests).

Step 4: Configure Reference Windows 10 Machine

On a Windows 10 machine* launch ‘Change virtual private networks’.

*Note: Your logged on user, must have a certificate issued to them, and be a member of the AD group we created earlier. 

Add a VPN Connector.

  • VPN Provider: Windows (Built-in).
  • Connection Name: Connection-Template.
  • Server Name or address: (The ‘public’ name we put on the certificate on the RAS server).

Change Adapter options.

Right click the VPN connection > Properties.

Security Tab:

  • Type of VPN: IKEv2
  • Data Encryption: Maximum
  • Use Extensible Authentication Protocol (EAP)
  • Properties > Enter the name on the certificate on your NAP Server, (I know that does not make sense trust me!)
  • Tick your Root CA Cert for the domain.
  • Select ‘Don’t prompt user to authorise new servers or new authorities’.

Connect your VPN to test it.

Make sure everything works.

Note: I had some DNS resolution problems, see the post below to find out how I fixed them;

Windows 10: Remote VPN Client Cannot Resolve Domain DNS

Now you need to ‘capture’ all those settings so you can give them to your other clients. To do that you need a copy of the PowerShell script MakeProfile.ps1. You will need to edit the script a little, see the example below. Running the script will output two files to the desktop, a PowerShell script and an XML file.

Step 5: Deploying the Settings

At the time of writing you can deploy these settings via three methods: PowerShell Script, SCCM, or Microsoft Intune. I’m simply going to run the PowerShell Script. There are a few restrictions though: you have to be logged on as the particular user, and they need administrative rights to run the script, which is a bit of a pain. You can use restricted groups and set the PowerShell script to run at logon with group policy, then remove the policy when configured, but it’s still a bit of a drama. Below I’m simply running the VPN_Profile.ps1 file I generated above.

Now once the user logs in, (and has a valid remote internet connection), the remote client will auto-connect.


That covers USER tunnels, you can also, (Post 1709 Windows 10 Builds,) have DEVICE tunnels. Which I would write a part three about, but I simply cannot get them to work, so I’m waiting for the bugs to be ironed out, and I will revisit it at some point in the future.


Deleting Folders With ‘Long Filenames’ (Source Path Too Long)

KB ID 0001396

Problem

Source Path Too Long
The source file name(s) are larger than is supported by the file system. Try moving to a location which has a shorter path name, or try renaming to shorter name(s) before attempting this operation.

“Have you come across a problem deleting folders with long filenames?” I got asked this question twice in the first week at a new job. In a former role my colleague did a lot of work in schools and was forever coming across this problem when doing file migrations.

As it transpired this was a problem at, yes you’ve guessed it a school that was a client. The little darlings had got hold of a script that recursively created nested folders, and as obviously this is hilarious it had happened multiple times.

I didn’t have a solution off the top of my head, but I thought I’d try and recreate the problem, and see if there was a simple solution.

Solution

The most difficult part was replicating the script. Windows is pretty good at protecting itself. But thanks to the good folk at Experts-Exchange’s assistance, I was good to go, attempting to move or delete the file generated the error you see above.

Method One: Use Robocopy

Robocopy has been built into Windows for a while, you can use it with the /MIR flag to remove all your subfolders.

[box]

MD C:\DELETE-ME
robocopy C:\DELETE-ME C:\{path}\{The Top Level Folder To Delete} /s /mir

[/box]

Then you can simply delete the two remaining empty folders;

[box]

rd C:\DELETE-ME
rd C:\{path}\{The Top Level Folder To Delete}

[/box]

Method Two: Use a GUI Tool

I’m always suspicious of third party tools, and if you Google this problem two pieces of software will jump out. One’s brilliant and does not have any spamware or malware in it, the other one’s, well, not free and annoying.

The Good

DeleteLongPath by BackupChain is simple and does exactly what you expect. Take some time to look at their backup software as well!

The Bad

Message boards are spammed with people saying how great this piece of software is, probably by the clowns who make it! Long Path Tool, they just want your money, don’t bother.

Update: I’ve had about 15 to 20 chancers trying to post favourable comments for this piece of junk, don’t bother I won’t approve them!

 


Exchange 2013 / 2016 / 2019 Default Receive Connector Settings

KB ID 0001314

Problem

Out of the box, Exchange 2016 (and 2013) has five receive connectors. Three for the frontend transport service and two for the mailbox transport service.

  • Front End Transport Service: Does not alter, inspect, or queue mail. It is the first port of call for ALL mail coming into (and out of) the Exchange organisation. This service creates THREE receive connectors. All are bound to 0.0.0.0 0.0.0.0, and all IPv6;
    • Client frontend {Server-Name}: Listens on TCP 587 (Secure SMTP). It is generally only used for POP clients that are ‘Authenticated’, so are then able to send mail through the Exchange Org.
    • Default frontend {Server-Name}: Listens on TCP 25 (SMTP) and will allow Anonymous connections (by default). Note: Your incoming mail, (from the public internet,) usually comes in through this connector.
    • Outbound proxy frontend {Server-name}: Confusingly this is actually a send connector and it’s only used if you have set your ‘send connector’ to proxy through one of your Exchange servers.
  • Mailbox Transport Service: Does NOT receive mail from clients, it (as the name implies) routes mail from/to mailboxes from/to the frontend transport service. It is further broken down into;
    • Mailbox Transport Submission Service:
    • Mailbox Transport Delivery Service:
  • This creates two more receive connectors;
    • Client Proxy {Server-Name}: Listens on TCP 465.
    • Default {Server-Name}: Listens on TCP Port 25 (or 2525).

So what if someone ‘fiddles’ with them, or you are unsure if they are set up correctly?

 

Solution: Default Receive Connectors

Default Receive Connectors Settings

If you just want to check the settings in the Exchange Admin Center;

  • Client Frontend {Server-Name}
    • General Settings;
      • Name: Client Frontend {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
    • Permission Groups;
      • Exchange Users
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 587
        • (All Available IPv4) Port 587
      • FQDN: {The internal FQDN of your server}
  • Client Proxy {Server-Name}
    • General Settings;
      • Name: Client Proxy {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
      • Exchange Users
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 465
        • (All Available IPv4) Port 465
      • FQDN: {The internal FQDN of your server}
  • Default {Server-Name}
    • General Settings;
      • Name: Default {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
      • Legacy Exchange Servers
      • Exchange Users
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 2525
        • (All Available IPv4) Port 2525
      • FQDN: {The internal FQDN of your server}
  • Default Frontend {Server-Name}
    • General Settings;
      • Name: Default Frontend {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
        • Enable domain security (mutual Auth TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
      • Legacy Exchange Servers
      • Anonymous
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 25
        • (All Available IPv4) Port 25
      • FQDN: {The internal FQDN of your server}
  • Outbound Proxy Frontend {Server-Name}
    • General Settings;
      • Name: Outbound Proxy Frontend {Server-name}
      • Connector Status: Enable
      • Protocol logging level: Verbose
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
        • Enable domain security (mutual Auth TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 717
        • (All Available IPv4) Port 717
      • FQDN: {The internal FQDN of your server}
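
To run the same check from the Exchange Management Shell instead of clicking through each connector, the ports and permission groups listed above can be compared against what Get-ReceiveConnector returns. This is an added example, not one of the article's downloadable scripts; the function name, the server name EX01 and the sample connector objects are constructed, and it assumes the Name, Bindings and PermissionGroups properties and the permission group value names (ExchangeUsers, ExchangeServers, ExchangeLegacyServers, AnonymousUsers) as Exchange reports them.

```powershell
# Added example: baseline built from the settings list above (port and
# permission groups only). Sample connectors further down are constructed.
$Baseline = @(
    @{ Name = 'Client Frontend';         Port = 587;  Groups = @('ExchangeUsers') }
    @{ Name = 'Client Proxy';            Port = 465;  Groups = @('ExchangeServers', 'ExchangeUsers') }
    @{ Name = 'Default';                 Port = 2525; Groups = @('ExchangeServers', 'ExchangeLegacyServers', 'ExchangeUsers') }
    @{ Name = 'Default Frontend';        Port = 25;   Groups = @('ExchangeServers', 'ExchangeLegacyServers', 'AnonymousUsers') }
    @{ Name = 'Outbound Proxy Frontend'; Port = 717;  Groups = @('ExchangeServers') }
)

function Test-ReceiveConnectorBaseline {
    param(
        [Parameter(Mandatory)][object[]]$Connector,   # output of Get-ReceiveConnector
        [Parameter(Mandatory)][string]$Server
    )
    foreach ($expected in $Baseline) {
        $name = '{0} {1}' -f $expected.Name, $Server
        $live = $Connector | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        $findings = @()

        if (-not $live) {
            $findings += 'connector missing'
        }
        else {
            # Bindings look like '0.0.0.0:25' and '[::]:25'; keep the port only
            $ports = @($live.Bindings |
                ForEach-Object { if ("$_" -match ':(\d+)$') { [int]$Matches[1] } } |
                Sort-Object -Unique)
            if ($ports.Count -ne 1 -or $ports[0] -ne $expected.Port) {
                $findings += "ports $($ports -join ',') (expected $($expected.Port))"
            }

            # PermissionGroups renders as 'ExchangeServers, AnonymousUsers'
            $groups  = @("$($live.PermissionGroups)" -split '[,\s]+' | Where-Object { $_ })
            $extra   = @($groups | Where-Object { $_ -notin $expected.Groups })
            $missing = @($expected.Groups | Where-Object { $_ -notin $groups })
            if ($extra)   { $findings += "unexpected groups: $($extra -join ', ')" }
            if ($missing) { $findings += "missing groups: $($missing -join ', ')" }
        }

        $status = if ($findings) { 'DRIFT' } else { 'OK' }
        [pscustomobject]@{ Connector = $name; Status = $status; Findings = $findings -join '; ' }
    }
}

# Constructed sample: 'Default EX01' has gained Anonymous, the outbound proxy is gone
$sample = @(
    [pscustomobject]@{ Name = 'Client Frontend EX01';  Bindings = '[::]:587', '0.0.0.0:587';   PermissionGroups = 'ExchangeUsers' }
    [pscustomobject]@{ Name = 'Client Proxy EX01';     Bindings = '[::]:465', '0.0.0.0:465';   PermissionGroups = 'ExchangeUsers, ExchangeServers' }
    [pscustomobject]@{ Name = 'Default EX01';          Bindings = '[::]:2525', '0.0.0.0:2525'; PermissionGroups = 'AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers' }
    [pscustomobject]@{ Name = 'Default Frontend EX01'; Bindings = '[::]:25', '0.0.0.0:25';     PermissionGroups = 'AnonymousUsers, ExchangeServers, ExchangeLegacyServers' }
)
Test-ReceiveConnectorBaseline -Connector $sample -Server 'EX01' | Format-Table -AutoSize

# On an Exchange server:
# Test-ReceiveConnectorBaseline -Connector (Get-ReceiveConnector -Server EX01) -Server EX01
```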

Recreating Your Exchange Default Receive Connectors From Scratch

Note: We are talking about the default receive connectors here. If you have created any of your own, for mail relaying from a device for example, you would need to manually recreate these. Below we are going to delete all the default connectors, and recreate them with a PowerShell Script.

Download Recreate Default Exchange Receive Connectors Scripts

Optional: Take a backup of the default receive connectors settings to text files. Run the ‘Backup-Connector-Settings.ps1‘ script. This will dump the settings to the root of the C: drive in ‘Current {Server-Name} {Connector-Name}.txt’ format.

You can now delete the default receive connectors (Warning: Notice I said default  receive connectors, this may or may not be all the connectors). 

Recreate the Default Receive Connectors: Run the  ‘Create-Default-Receive-Connectors.ps1‘ script. 

Optional: You can now output the settings of the new connectors, (why? So you can compare them to your original settings.) Run the ‘AFTER-Connector-Settings.ps1’ script. This will dump the settings to the root of the C: drive in ‘Receive {Server-Name} {Connector-Name}.txt’ format.

You can now compare differences, the only differences are usually the creation date, and the GUID.

 


Changing Domain Users’ ‘User Logon Names’ and UPN’s

KB ID 0001238

Problem

Changing a user’s UPN suffix is easy (as long as it’s been added – see below). There is some confusion about the User Login Name though.

 

A few weeks ago I had a client that needed this done, (for an Office 365 migration). But they had the added problem that some of their User Logon Names had spaces in them, they were in first-name{space}last-name format.

What would happen if I changed their user logon names? Would they have to use a different logon name? Would their profile break? Or worse still, would they all lose their roaming profiles?

Solution

Adding A New UPN Suffix

Before you can add a new UPN suffix you need to make it available in the domain. Administrative Tools > Active Directory Domains and Trusts > Right Click ‘Active Directory Domains and Trusts’ > Properties > Add the new Suffix > Apply > OK.

From this point forward you can add that as a new suffix for any/all users.

The Effect of Changing a User Logon Name

Using the same user as above, I’ve changed the ‘User Logon Name’, and added the new UPN Suffix to test.

How Does Changing a User Logon Name Affect Profile and Home Drive Paths?

Put simply it does not! To prove it I did some testing. The profile and home drive path of this user is set on the ‘profile’ tab of their user object.

It remains the same after the User Logon Name changes. When these users were set up the profile paths and home drive paths were all set ‘en masse’, by selecting multiple users and setting the path to \\server-name\folder-name\%username%, which fills in all the ‘usernames‘ with the sAMAccountName, and that has not changed.

Does the User Have to Change their Logon Name?

Confusingly users don’t log on with their User Logon Name (usually, but they can if they want to). From all the way back to NT4 we have logged on with the DOMAIN-NAME\USER-NAME format, which uses the sAMAccountName, NOT the User Logon Name. If you look at the very first picture at the top of the page you can see that below the UPN. It’s called the User name (pre-Windows 2000). You may not even have noticed, but on Windows 10 they put this right in your face on the logon screen.

What’s the Point of a UPN Then?

You can actually authenticate, and log on with your UPN, (see below)

This logs on as the user in the example above with the correct profile, and group membership etc. Though it’s not common practice to log on with a UPN. Microsoft now have a very BAD HABIT of telling users, (and putting in their documentation), to ‘Log on with your Email Address’. This is wrong, you actually are logging on with your UPN. Microsoft are making the assumption that your Email and UPN are the same. This is why blogs and forums are full of scripts to change your UPN so that it matches your email address. They assume, (usually quite rightly), that if you tell users to log on with their UPN they will be confused and not know what that is. So rather than address this problem, they tell users to log on with their Email addresses. That’s the real reason we are talking about changing UPN’s, and probably why you’re here in the first place.

Some Users Don’t Have UPN’s?

This is normal, don’t panic, a user does not have to have a UPN, if you are seeing blank entries that user was probably migrated via a script or tool into your AD, or simply was migrated from an older version of AD as part of a domain upgrade.

So Nothing Broke?

No, the local cached copy of the profile is still named the same as the sAMAccountName;

And the roaming profile and home drive also stayed the same;

WARNING: Just so I don’t do the same thing Microsoft did and ‘Make an Assumption’. Where changing the User Logon Names would affect you is if users were already logging into their machines with their UPN, Then they would need to change their login names to the new UPN, (or use the pre-Windows 2000 login name). But I’ve never seen a user logon with a UPN, the only time I’ve ever logged onto something with a UPN, is when I can’t type a back slash to log on as DOMAIN\Username (I use a Mac). 

Remove Spaces From User Logon Names

Seriously who does this? I don’t even like spaces in folder names! Below is a PowerShell script that will search through AD and find users with a space in the middle of their logon name and replace the login name with firstname.lastname

Change the values in red.

[box]

Import-Module ActiveDirectory
Get-ADUser -Filter "UserPrincipalName -like '* *'" -SearchBase 'OU=Test,DC=pnl,DC=com' | ForEach { Set-ADUser -Identity $_.SamAccountName -UserPrincipalName "$($_.GivenName).$($_.Surname)@pnl.com" }

[/box]

Note: If you have users with spaces in their GivenName or Surname attributes in AD this won’t work, i.e. if AD thinks a user’s first name is Juan Carlos, and the Surname is Rodriquez, then it would change the user logon name to ‘Juan Carlos.Rodriquez’ which is the very problem we are trying to fix! Also the first name and surname fields in AD have to have values in them as well, or you will see red errors.

Change UPN Suffix For All Users Script

In the script below I’ve targeted a specific OU, but you can change the $ou parameter to point at the root of the domain, and do all users at once if you wish. Change the values in red to suit your domain.

[box]

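Import-Module ActiveDirectory
$oldSuffix = "pnl.com"
$newSuffix = "petenetlive.com"
$ou = "OU=Test,DC=pnl,DC=com"
$server = "DC-01"
# Only select users whose UPN ends in the old suffix; this also skips users with no UPN at all
Get-ADUser -SearchBase $ou -Filter "UserPrincipalName -like '*@$oldSuffix'" | ForEach-Object {
    # Anchor the replacement to the suffix so a match in the name part is left alone
    $newUpn = $_.UserPrincipalName -replace ('@' + [regex]::Escape($oldSuffix) + '$'), "@$newSuffix"
    $_ | Set-ADUser -Server $server -UserPrincipalName $newUpn
}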

[/box]
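
Before running either of the two scripts above for real, it helps to see what each account would end up with. The following is an added example (not the article's code) that builds the firstname.lastname UPN for each user and flags the cases the note above warns about, plus two users who would be given the same UPN; the function name and the sample users are constructed for illustration.

```powershell
# Added example: dry-run plan for the firstname.lastname UPN change.
function Get-UpnChangePlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [Parameter(Mandatory)]
        [string]$NewSuffix
    )
    begin { $plan = [System.Collections.Generic.List[object]]::new() }
    process {
        $newUpn  = $null
        $problem = $null
        if ([string]::IsNullOrWhiteSpace($User.GivenName) -or
            [string]::IsNullOrWhiteSpace($User.Surname)) {
            $problem = 'GivenName or Surname is empty'
        }
        elseif ("$($User.GivenName)$($User.Surname)" -match '\s') {
            $problem = 'GivenName or Surname contains a space'
        }
        else {
            $newUpn = '{0}.{1}@{2}' -f $User.GivenName, $User.Surname, $NewSuffix
        }
        $plan.Add([pscustomobject]@{
            SamAccountName = $User.SamAccountName
            OldUpn         = $User.UserPrincipalName
            NewUpn         = $newUpn
            Problem        = $problem
        })
    }
    end {
        # Two accounts asking for the same UPN: flag both rather than pick a winner
        $clashes = $plan | Where-Object { $_.NewUpn } | Group-Object NewUpn |
            Where-Object { $_.Count -gt 1 }
        foreach ($clash in $clashes) {
            foreach ($row in $clash.Group) { $row.Problem = 'Same new UPN as another account' }
        }
        $plan
    }
}

# Constructed sample users (the shape Get-ADUser returns by default)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';   GivenName = 'John';        Surname = 'Smith';     UserPrincipalName = 'John Smith@pnl.com' }
    [pscustomobject]@{ SamAccountName = 'jsmith2';  GivenName = 'John';        Surname = 'Smith';     UserPrincipalName = 'Johnny Smith@pnl.com' }
    [pscustomobject]@{ SamAccountName = 'jcarlos';  GivenName = 'Juan Carlos'; Surname = 'Rodriquez'; UserPrincipalName = 'Juan Carlos Rodriquez@pnl.com' }
    [pscustomobject]@{ SamAccountName = 'svc-scan'; GivenName = $null;         Surname = 'Scanner';   UserPrincipalName = 'Scan Service@pnl.com' }
    [pscustomobject]@{ SamAccountName = 'ajones';   GivenName = 'Amy';         Surname = 'Jones';     UserPrincipalName = 'Amy Jones@pnl.com' }
)
$sample | Get-UpnChangePlan -NewSuffix 'petenetlive.com' | Format-Table -AutoSize

# Against AD, review the plan first, then apply only the clean rows:
# $plan = Get-ADUser -Filter "UserPrincipalName -like '* *'" -SearchBase 'OU=Test,DC=pnl,DC=com' |
#     Get-UpnChangePlan -NewSuffix 'petenetlive.com'
# $plan | Where-Object { -not $_.Problem } | ForEach-Object {
#     Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.NewUpn -WhatIf
# }
```

The plan only compares the accounts passed in, so a target UPN already held by a user outside the search base still needs a separate lookup.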

Related Articles, References, Credits, or External Links

PowerShell – Update All Domain Users With Email Address From UPN

PowerShell – Updating Users Email Addresses In Active Directory

Deploying VMware View 5 – Part 2: Configure Windows 7 to be a VMware View Desktop

KB ID 0000596

Problem

Note: This is an old post for VMware view version 5, you might want to read Deploying VMware Horizon View instead.

In Part 1 we looked at setting up your connection server. To actually deliver a virtual desktop you need to a) have a desktop built, and b) have the VMware View ‘agent’ installed on it.

In addition there are various changes you need to make, both to streamline the virtual machine, and make it more efficient for VMware View.

Note: If you are doing manual assignment of desktops to users, then this is not as important, but if you are going to deploy linked clone desktops this is VERY important. Either way it’s still good practice to ‘prep’ desktops first.

Solution

1. Build the desktop you intend to deliver via View (In this example I’m using Windows 7 Pro x32 bit).

Licencing Note: For manual desktop assignments you can use MAK license keys, but for larger deployments using VMware composer and linked clones, use Microsoft’s KMS server to service your licensing needs.

Using KMS Server for Windows Server 2008 R2, Windows 7, and Office 2010

2. Run a full Windows update, allow the machine to reboot, then keep running Windows update until it says that it is up to date.

3. Then install the VMware tools.

4. Install any software and applications you require.

5. Download these scripts to auto configure your clients.

Note: There are two scripts, one called PrepClient.bat and the other called PrepClientPM.bat (Only use the latter if you are going to deploy persona management). I originally got these scripts from VMware, and have made a subtle change to them, they are 99% NOT my work!

Make sure you execute the scripts from a command window “As Administrator”, (right click the cmd shortcut while holding down Shift). You will need to do this even if you are logged in as the administrator.

What is this script doing?

a. Sets screen saver to “Blank Screen”, enable after one minute, and password protects it.
b. Empties the internet cache.
c. Turns off RSS Feeds in Internet Explorer.
d. Disables Microsoft Action center.
e. Stops the “Welcome to Internet Explorer” Dialogue for new users.
f. Disables “Superfetch”.
g. Disables Windows update (Note: If you are not using linked clones you might want to remove this line);

[box]reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0x1 /f[/box]

h. Disables System Restore, and removes access to the restore options.
i. Sets the application log size to 10MB and allows it to overwrite events as needed.
j. Sets the system log size to 10MB and allows it to overwrite events as needed.
k. Sets the security log size to 10MB and allows it to overwrite events as needed.
l. Disables the Network Location Wizard.
m. Disables Crash Dump Logging.
n. Deleted files are instantly deleted, they do not go to the recycle bin (Stops the recycler file filling up with junk), to stop this remove this line.

[box]reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoRecycleFiles /t REG_DWORD /d 0x1 /f[/box]

o. Enables Remote Desktop (RDP Connections) from all clients (the less secure option) p. Disables Windows User Access control. q. Disables Windows SideShow. r. Disables the following services.

Bitlocker Drive Encryption Service ‘BDESVC’
Block Level Backup Engine Service ‘wbengine’
Diagnostic Policy Service ‘DPS’
Desktop Window Manager Session Manager Service ‘UxSms’
Disk Defragmenter Service ‘Defragsvc’
Home Group Listener Service ‘HomeGroupListener’
Home Group Service ‘HomeGroupProvider’
IP Helper Service ‘iphlpsvc’
Microsoft iSCSI Initiator Service ‘MSiSCSI’
Microsoft Software Shadow Copy Provider ‘swprv’
Client side Caching Service ‘CscService’
Secure Socket Tunnelling Protocol Service ‘SstpSvc’
Windows Security Center Service ‘wscsvc’
Simple Service Discovery Protocol Service ‘SSDPSRV’
ReadyBoost Service ‘SysMain’
Tablet Input Service ‘TabletInputService’
Themes Service ‘Themes’
Universal Plug and Play Service ‘upnphost’
Volume Snapshot Service ‘VSS’ (Note: NOT disabled if using the Persona Management batch file)
Windows Backup Service ‘SDRSVC’
Windows Defender Service ‘WinDefend’
Windows Error Reporting Service ‘WerSvc’
Windows Firewall Service ‘MpsSvc’
Windows Media Center Receiver Service ‘ehRecvr’
Windows Media Center Scheduler Service ‘ehSched’
Windows Search Service ‘WSearch’
Windows Update Service ‘wuauserv’
Wireless LAN Service ‘Wlansvc’
Wireless Auto config Service ‘WwanSvc’

s. Sets Windows to show “Blank Screen” when booting instead of the Windows animation, “bcdedit /set BOOTUX disabled”.

t. Removes all Shadow Copies, “vssadmin delete shadows /All /Quiet” (Note: NOT done if using the Persona Management batch file).

u. Disables Hibernation, “powercfg -H OFF”.

v. Disables the “Last accessed” timestamp for Windows files, “fsutil behavior set DisableLastAccess 1”.

w. Stops scheduled Windows Defragmentation (Note: In linked clone environments this would expand all the delta disks and is a common ‘gotcha’).

x. Stops the registry backup which happens every 10 days.

y. Stops the scheduled Windows Defender tasks.

z. Stops the Windows System Assessment Tools (this gives your PC its ‘performance rating’ from 1 to 5).
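The prep script turns off several protective controls (Windows Firewall, Defender, Security Center, UAC) and opens RDP to all clients, so it is worth recording what the finished image looks like before you snapshot it. The PowerShell audit below is an added example, not part of the VMware scripts or the original article; the service names are taken from the list above, and the registry locations for UAC and RDP are the standard Windows ones, assumed here because the scripts themselves are not reproduced.

```powershell
# Added example: read-only audit of security settings on a prepared View image.
# Service names come from the list above; registry locations are the standard
# Windows ones (assumed here, since the prep scripts are not reproduced).
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Row($Check, $Value, $Review) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Review = $Review }
}

$rows = @()

# Protective services the prep script sets to Disabled.
foreach ($name in 'WinDefend', 'MpsSvc', 'wscsvc', 'BDESVC', 'wuauserv') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc) {
        $rows += New-Row "Service $name" "$($svc.StartMode) / $($svc.State)" ($svc.StartMode -eq 'Disabled')
    } else {
        $rows += New-Row "Service $name" 'not installed' $false
    }
}

$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# UAC: EnableLUA = 0 means User Account Control is off.
$lua = Get-RegValue $policies 'EnableLUA'
$rows += New-Row 'UAC (EnableLUA)' $lua ($lua -eq 0)

# RDP: fDenyTSConnections = 0 enables it; UserAuthentication = 1 requires NLA.
$deny = Get-RegValue $ts 'fDenyTSConnections'
$nla  = Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication'
$rows += New-Row 'RDP enabled' ($deny -eq 0) ($deny -eq 0 -and $nla -ne 1)
$rows += New-Row 'RDP requires NLA' ($nla -eq 1) ($deny -eq 0 -and $nla -ne 1)

# Automatic updates: NoAutoUpdate = 1 is the policy value set in item g.
$noAu = Get-RegValue $wuPolicy 'NoAutoUpdate'
$rows += New-Row 'NoAutoUpdate policy' $noAu ($noAu -eq 1)

# Review = True marks a setting the image owner should compensate for elsewhere.
$rows | Select-Object Check, Value, Review | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the parent virtual machine; it relies on Get-WmiObject and New-Object, so it also works on the PowerShell 2.0 that ships with Windows 7.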

Another Option to Prepare Windows 7 for View

You can also (if you prefer a graphical tool) use Desktop Optimizer from Quest. (Note: This also needs to be run as administrator or you will get runtime errors!)

6. Then Install the VMware View Agent.

7. Then make sure any floppy drives, and CD/DVD drives are also disconnected.

8. If the virtual machine is going to be in a manual pool leave it powered on. If it’s going to be part of an automated pool, you can snapshot it.

Related Articles, References, Credits, or External Links

Deploying VMware View 5 – Part 1: Configure Active Directory and Deploy VMware Connection Server

Deploying VMware View 5 – Part 3: Creating a ‘Manual Pool’ and Connecting a View Client

 

VMware View 5 – Configure and Deploy Clients in ‘Kiosk Mode’

KB ID 0000610 

Problem

Kiosk mode is quite useful if you have some machines that you want to put in a public area for visitors to use, or for machines that are used in displays etc. It also helps if you have some older PCs that you just want to repurpose as internet terminals or ‘point of sale’ boxes.

Essentially it’s a system that delivers a virtual VMware View desktop to a PC or Thin client without the need to authenticate to the connection server. Kiosk authentication is disabled by default, so you need to run a few commands to get it enabled.

Solution

Before starting you will need a Virtual Machine ready to be used for the Kiosk machine. You might want to create this machine with a “nonpersistent” disk.

Configure Windows 7 to be a VMware View Desktop

Step 1: Prepare Active Directory

1. Set yourself up an OU to hold your kiosk machine, and a security group that will contain the user account you are going to create later.

Step 2: Configure the VMware Connection Server

2. Now log into your VMware Connection Server, open a command window with elevated privileges, then issue the following command;

[box]vdmadmin -Q -clientauth -setdefaults -ou "OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com" -noexpirepassword -group kioskusers[/box]

Note: where kioskusers is the name of the group you created.

3. Now I will create a user ‘custom-kiosk-user’ with a password of ‘Password123’, and put him in the OU and group we created earlier;

[box]vdmadmin -Q -clientauth -add -domain petenetlive -clientid custom-kiosk-user -password "Password123" -ou "OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com" -group kioskusers -description "Kiosk Terminal"[/box]

Note: Alternatively you can create a user that matches the MAC address of the client machine and auto generate a password like so, (this assumes the thin client or PC’s MAC address is 3C:4A:92:D3:12:1C).

4. Then allow this connection server to accept kiosk connections with the following command;

[box]vdmadmin -Q -enable -s PNL-CS[/box]

Note: Where PNL-CS is the name of my VMware Connection Server.

5. You can view the settings configured on this connection server with the following command;

[box]vdmadmin -Q -clientauth -list[/box]

6. While still on your connection server open VMware View Administrator, and create a ‘Pool’ for your Kiosk machine.

7. Manual Pool > Next.

8. Dedicated > Next.

9. vCenter virtual Machines > Next.

10. Next.

11. Give the pool an ID and Display name > Next.

12. Select the machine you are using as the source for the Kiosk machine > Next.

13. When the pool is created > Entitlements.

14. Add in the group that you created in step 1 > OK.

15. Just check on the ‘desktops’ tab and make sure the machine is listed as ‘available’.

Step 3: Connect to the Kiosk Machine

16. Now from your client machine or thin client, you can execute the following command to open the kiosk session.

[box]"c:\program files\vmware\vmware view\client\bin\wswc" -unattended -serverURL PNL-CS -userName custom-kiosk-user -password "Password123"[/box]

Note: In a live environment you may want to make the host machine or thin client automatically log on and put this command in the ‘startup’ folder, or call it from a startup/logon script so the machine will boot straight into the kiosk virtual machine.

17. All being well you should be presented with the kiosk VM. Note that you no longer get the normal VMware View tool bar etc.; it will behave as if the machine is in front of you.

Related Articles, References, Credits, or External Links

Deploying VMware View 5