Monday, 28 October 2013

Extending a partition in Windows XP (and possibly 2003)

If you are trying to extend a non-OS partition in Windows using diskpart and get a message saying that the partition was extended but diskpart failed to extend the file system, it could be due to the indexing service. Stopping the indexing service and then trying "extend filesystem" on the partition worked for me.

Friday, 27 September 2013

RDP remote control fails when UAC is enabled

A small problem that I didn't find obvious at first. On a Windows 2008 or later server with UAC enabled you may not be able to remote control another console session. A workaround is to find the session name or session ID of the console session, open a command prompt with the "Run as administrator" option, and then run the command:

shadow  "session id or session name"

For example:

shadow 1

or

shadow rdp-tcp#4

Wednesday, 21 August 2013

Windows 7 VM sleep

I had a problem with some Windows 7 VMs that stopped people connecting by RDP until the mouse or keyboard was used in a vSphere console. I found alerts similar to the one below in vCenter.

Windows 7 has power saving modes enabled by default out of the box, and it turned out the VMs were going to sleep. I don't find this useful in a virtualised environment. I decided the best thing for my environment was to set the power saving options in a group policy like the one below. This keeps the VMs from sleeping.

Sunday, 18 August 2013

Importing GPO from ISO/CD-ROM

This is a little something I noticed when importing group policies into different domains. Originally I wanted to copy some policies from a production domain to some test domains that are logically separated. I backed up all the production GPOs and burnt the backup to an ISO to mount as a CD-ROM in a VM. The GPOs import fine, but when trying to edit them afterwards I received access denied errors and no settings would change. It turns out this is because the files and folders are copied from the CD with the read-only attribute set. Simply removing the read-only attribute on the GUID-named folder for the GPO, and ensuring this filters down to child files and folders, fixes the problem.
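One way to avoid the read-only problem altogether is to copy the backup off the CD-ROM, clear the attribute on the copy, and import from there. The script below is an added example, not the post's own code; the mounted ISO drive, staging folder and GPO names are assumptions, and Import-GPO is the GroupPolicy module cmdlet used here in place of the GPMC GUI.

```powershell
# Added example (not from the original post): stage a GPO backup from a read-only
# CD-ROM/ISO on local disk, clear ReadOnly on every file and folder, then import.
# Assumptions: D:\GPOBackup is the backup folder on the mounted ISO, C:\GPOImport is a
# writable staging folder, 'Prod Baseline' is the backed-up GPO, 'Test Baseline' the target.
Import-Module GroupPolicy

$source  = 'D:\GPOBackup'     # backup tree on the mounted ISO (assumed)
$staging = 'C:\GPOImport'     # writable copy on local disk (assumed)

# Copy the contents of the backup folder; files keep the ReadOnly attribute from the CD.
New-Item -ItemType Directory -Path $staging -Force | Out-Null
Copy-Item -Path "$source\*" -Destination $staging -Recurse -Force

# Clear ReadOnly on the {GUID} folders and everything beneath them.
$cleared = 0
Get-ChildItem -Path $staging -Recurse -Force | ForEach-Object {
    if ($_.Attributes -band [IO.FileAttributes]::ReadOnly) {
        $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::ReadOnly
        $cleared++
    }
}
Write-Host "Cleared ReadOnly on $cleared items under $staging"

# Import by the backed-up GPO's display name; -CreateIfNeeded creates the target GPO
# in the test domain when it does not exist yet.
Import-GPO -BackupGpoName 'Prod Baseline' -Path $staging -TargetName 'Test Baseline' -CreateIfNeeded
```

When the test domain uses different security principals or UNC paths from production, pass a migration table to Import-GPO with -MigrationTable so the imported settings do not reference production-only objects.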

Sunday, 5 May 2013

Windows DNS client cache timeout

I've had problems, especially during testing of systems, where if a DNS name isn't resolved the machine caches the "Name does not exist" response for 300 seconds, which is the default for a Windows computer. It's a little annoying when you don't realise this at first, fix the DNS issue and find your computer still won't resolve the name! To reduce this negative cache behaviour you can update the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

MaxNegativeCacheTtl

Data type: REG_DWORD
Value data: Set the value to 0 if you do not want negative responses to be cached. Otherwise set it to a value in seconds.

I think a configured value of 5 to 10 seconds is useful: it stops computers constantly querying a DNS server while preventing the negative cache from causing problems. This could be useful particularly if you have any kind of DNS-based geo load balancing such as the Kemp Loadmaster DR, which can give negative results in certain circumstances where the device sees all services as down.

Having done a little googling to figure this out, I think the key for Windows 2000 is NegativeCacheTime.
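The registry change above, done from PowerShell so it can be scripted across test machines. This is an added example rather than the post's own code; the 10 second value is taken from the post's suggested range, and the service restart is included because the DNS Client service reads the parameter at start-up (on client editions that protect the Dnscache service the restart may be refused, in which case a reboot applies the change).

```powershell
# Added example (not from the original post): inspect and set MaxNegativeCacheTtl,
# then flush the resolver cache so existing negative entries are dropped at once.
# Run from an elevated PowerShell prompt on the client whose cache is the problem.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$name = 'MaxNegativeCacheTtl'
$ttl  = 10    # seconds; 0 disables negative caching entirely

# Show the current setting. An absent value means the built-in default (300 s) applies.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name not set; default of 300 seconds in use"
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $ttl | Out-Null
} else {
    Write-Host "$name currently $current seconds"
    Set-ItemProperty -Path $key -Name $name -Value $ttl
}

# Restart the DNS Client service so the new TTL is read, then clear cached entries.
Restart-Service -Name Dnscache
ipconfig /flushdns | Out-Null

# Verify the stored value.
(Get-ItemProperty -Path $key -Name $name).$name
```

Setting the TTL to 0 is convenient during testing but means every failed lookup goes back to the DNS server, so on production hosts the small non-zero value the post suggests is the better trade-off.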

Tuesday, 19 March 2013

IIS 7 IP restrictions with PowerShell

PowerShell can be used to configure many options in IIS, which is useful for repetitive tasks such as IP restrictions on websites. First import the IIS module into PowerShell; the execution policy must be at least RemoteSigned.

Import-Module WebAdministration

Then use Add-WebConfiguration to add individual IPs or a subnet at a website or at a directory/virtual directory under it:

Add-WebConfiguration /system.webServer/security/ipSecurity -location 'test1' -value @{ipAddress='192.168.1.2';allowed='true'}

Add-WebConfiguration /system.webServer/security/ipSecurity -location 'test1/test2' -value @{ipAddress='192.168.1.2';allowed='true'}

Add-WebConfiguration /system.webServer/security/ipSecurity -location 'test1/test2' -value @{ipAddress='192.168.3.0'; subnetMask='255.255.255.0';allowed='true'}

Set-WebConfigurationProperty can be used to allow or deny unlisted IP addresses at a site or at a directory/virtual directory under it:

Set-WebConfigurationProperty -Filter /system.webserver/security/ipsecurity -Name allowUnlisted -Value $false -Location 'test1/test2'

Set-WebConfigurationProperty -Filter /system.webserver/security/ipsecurity -Name allowUnlisted -Value $true -Location 'test1'
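Putting the commands above together as a re-runnable script that also reads the configuration back, so the restriction is verified rather than assumed. This is an added example, not the post's own code; the site name, virtual directory and addresses are constructed, the -PSPath is stated explicitly so the script does not depend on the current location, and the feature check assumes Windows Server with the ServerManager module.

```powershell
# Added example (not from the original post): allow-list a virtual directory, deny
# everything else there, leave the parent site open, and read the result back.
Import-Module WebAdministration

$site   = 'test1'                          # assumed site name
$path   = 'test1/test2'                    # virtual directory under it (assumed)
$filter = '/system.webServer/security/ipSecurity'
$root   = 'MACHINE/WEBROOT/APPHOST'        # applicationHost.config scope

# Pre-flight: without the IP and Domain Restrictions role service the ipSecurity
# section is not available, and a missing site makes the -Location meaningless.
Import-Module ServerManager
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    throw 'Web-IP-Security (IP and Domain Restrictions) is not installed'
}
if (-not (Get-Website -Name $site)) { throw "Site '$site' does not exist" }

# Allowed sources for the virtual directory: two hosts and one subnet (constructed values).
$allowed = @(
    @{ ipAddress = '192.168.1.2'; allowed = 'true' },
    @{ ipAddress = '192.168.1.3'; allowed = 'true' },
    @{ ipAddress = '192.168.3.0'; subnetMask = '255.255.255.0'; allowed = 'true' }
)

# Skip entries already present so the script can be run again without duplicates.
$existing = Get-WebConfiguration -Filter "$filter/add" -PSPath $root -Location $path |
            Select-Object -ExpandProperty ipAddress
foreach ($entry in $allowed) {
    if ($existing -notcontains $entry.ipAddress) {
        Add-WebConfiguration -Filter $filter -PSPath $root -Location $path -Value $entry
    }
}

# Deny unlisted addresses at the virtual directory; keep the site itself open.
Set-WebConfigurationProperty -Filter $filter -PSPath $root -Location $path -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -Filter $filter -PSPath $root -Location $site -Name allowUnlisted -Value $true

# Read back what IIS actually stored for the virtual directory.
Get-WebConfiguration -Filter "$filter/add" -PSPath $root -Location $path |
    Select-Object ipAddress, subnetMask, allowed
Get-WebConfigurationProperty -Filter $filter -PSPath $root -Location $path -Name allowUnlisted
```

The read-back at the end is the part worth keeping in any change script: a typo in -Location silently creates a new location tag in applicationHost.config rather than failing, so checking the entries at the intended path is the only way to be sure the restriction landed where you meant.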

Monday, 18 February 2013

Scheduled PowerShell Tasks

When setting up a PowerShell scheduled task the program should be:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

The arguments should be the location of the PowerShell script:
 -command ". '<location of script.ps1>'"

The arguments for an Exchange task are slightly different, as you will need to run an Exchange PowerShell session to get the required modules:
-command ". 'D:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer <CAS Server>; <script.ps1>"


Note to self: the sender address for a Windows scheduled task on an Exchange server using the PowerShell command Send-MailMessage seems to need to match the email address of the account running the task.

Update: a security policy may stop you from saving the password for the account running the task. Check this policy in either local or group policy:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\
Policy: Network access: Do not allow storage of passwords and credentials for network authentication
Set to [Disabled] to allow the password to be saved.
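Registering the task described above from PowerShell, with the password-storage policy checked first so the failure mode in the update is caught before the task is created. This is an added example, not the post's own code: it uses the ScheduledTasks module (Windows 8 / Server 2012 or later, not available on the 2008-era hosts the post mentions), the script path and service account are assumptions, and the policy is read through its backing registry value DisableDomainCreds under the Lsa key.

```powershell
# Added example (not from the original post): check the credential-storage policy,
# then register a daily task that runs a script with the same -command form as above.
$psExe  = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$script = 'D:\Scripts\Nightly-Report.ps1'      # assumed script location
$runAs  = 'CONTOSO\svc-report'                 # assumed low-privilege task account

# "Network access: Do not allow storage of passwords and credentials for network
# authentication" is stored as DisableDomainCreds; 1 = enabled, which blocks saving
# the task password and makes Register-ScheduledTask fail later with a less clear error.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name DisableDomainCreds -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableDomainCreds -eq 1) {
    throw 'DisableDomainCreds is enabled; the task password cannot be stored. Set the policy to Disabled first.'
}

# Arguments in the same form as the post: dot-source the script inside -command.
$arguments = "-command `". '$script'`""
$action    = New-ScheduledTaskAction -Execute $psExe -Argument $arguments
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$cred      = Get-Credential -UserName $runAs -Message 'Password for the task account'

# -RunLevel Limited keeps the task at the account's normal token; raise to Highest
# only when the script genuinely needs elevation.
Register-ScheduledTask -TaskName 'Nightly Report' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited

# Confirm what was stored, particularly the quoting of the Arguments string.
(Get-ScheduledTask -TaskName 'Nightly Report').Actions | Select-Object Execute, Arguments
```

For the Exchange variant, set $arguments to the RemoteExchange.ps1 dot-source and Connect-ExchangeServer string shown in the post instead; the rest of the registration is the same.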

Friday, 8 February 2013

RDP with NLA

I recently enabled Network Level Authentication for RDP on some servers to close a security audit point and found a problem with accounts that have computers configured under the userWorkstations attribute in AD. This is set on the Account tab using the "Log On To" button. If the account used for RDP to a remote machine isn't allowed to log on to the local machine then RDP will fail with the error "the local security authority cannot be contacted". It didn't strike me as the most obvious thing, as I assumed all authentication would be with the remote machine for NLA, but it appears the user must authenticate locally first to create the RDP session.
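Before enabling NLA it helps to know which accounts carry a "Log On To" restriction, since those are the ones that will hit the error above from a workstation not in their list. The script below is an added example, not the post's own code; it needs the ActiveDirectory module (RSAT) and queries whatever domain the session is joined to, and the user and computer names in the final check are assumptions.

```powershell
# Added example (not from the original post): find accounts with userWorkstations
# set and test whether a given account may log on at a given computer.
Import-Module ActiveDirectory

# The userWorkstations attribute is exposed by Get-ADUser as LogonWorkstations,
# a comma-separated list of computer names.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations

foreach ($u in $restricted) {
    $hosts = $u.LogonWorkstations -split ','
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        AllowedHosts   = $hosts.Count
        Workstations   = $u.LogonWorkstations
    }
}

# True when the account has no restriction, or when the computer is on its list.
function Test-LogonAllowed {
    param([string]$User, [string]$Computer)
    $acct = Get-ADUser -Identity $User -Properties LogonWorkstations
    if (-not $acct.LogonWorkstations) { return $true }
    ($acct.LogonWorkstations -split ',') -contains $Computer    # case-insensitive
}

# Assumed names: the admin account and the workstation it will RDP from.
Test-LogonAllowed -User 'jsmith' -Computer 'ADMIN-PC01'
```

Running the first part against the domain before the NLA change gives a short list of accounts to warn, or of workstations to add to the restriction, rather than discovering them one failed connection at a time.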