Admins Handbook

In a command prompt:
wmic useraccount get name,sid

Install telnet client:
dism /online /Enable-Feature /FeatureName:TelnetClient

Disable firewall:
netsh advfirewall set allprofiles state off

Boot on Windows 2012 install media
Choose Troubleshoot and in a command prompt type:
bcdedit /set {bootmgr} displaybootmenu Yes
bcdedit /set {bootmgr} timeout 10
Enables the bootmenu
Now you can use “safe mode”.

wusa.exe /kb:3114409 /uninstall

Show all locked accounts:
Get-Eventlog -logname Security | Where EventID -EQ “4740” | Format-Table

When trying to set rights with the command: Add-ADPermission you get this error:
Active Directory operation failed on DC.dom.local. This error is not retriable. Additional information: Access is denied.
Example:
Add-ADPermission -Identity TestGroup1 -user TestUser1 -AccessRights writeproperty -Properties member

You need to give “Full access” to the user “Exchange trusted subsystem” on the AD group opject.
Tip: Enable “advanced features” in AD to add the security tab.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA (dword) 00000000

If rpc over https is wrongly configurated, or the certificate for some reason not trusted on your local computer, you can disable the SSL check.
Simply add this key:
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC
DefConnectOpts (dword) 0

Remove the 120 days time bomb.
Remove this key:
HKLM\System\CurrentControlSet\Control\Terminal Server\RCM
GracePeriod
Restart server.

If you have a license server:
$obj = gwmi -namespace “Root/CIMV2/TerminalServices” Win32_TerminalServiceSetting
$obj.GetSpecifiedLicenseServerList()
$obj.SetSpecifiedLicenseServerList(“server.dom.local”)
$obj.GetSpecifiedLicenseServerList()

Set lines mode, device or user:
$obj = gwmi -namespace “Root/CIMV2/TerminalServices” Win32_TerminalServiceSetting
$obj.ChangeMode(value)
Value can be 2 (per Device) or 4 (Per user)
$obj. LicensingType
$obj.LicensingName

Create a regfile:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarGlomLevel”=dword:00000002

2: Never combine
1: Combine when taskbar is full
0: Always combine

Find this file: Stream_autocomplete (on the source computer).
In this location: C:\Users\%username%\AppData\Local\Microsoft\Outlook\RoamCache

could have a name like this: Stream_Autocomplete_0_8D3BCAEDYTGFEB43A6DDDDDD8B2B89BF
Close Outlook on target computer, and copy this file to same location.

You have to rename file, so it overwrites the name from same file on target.

Log into the system as Administrator and open regedit.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
In this path you can see all users, and inside this you can see their profile path etc c:\users\test1
You will also see the user SID

This SID can be found in: HKEY_USERS

If you for some reason need two RDP-Tcp connections in Windows 2008 you could easily add one in the “Remote desktop Session Host Configuration” tool.

This tool does not exist in Windows 2012 and you have to do it with regedit.
Make an export of this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Edit this regfile and change the path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-3390

This will be your new RDP-Tcp connection.
Change “LanAdapter” to the listening netcard
0 = all
1= netcard1
2=netcard2
3=netcard3

Change “PortNumber” to the port listening on the RDP-Tcp-3390
In this way, the original RDP-Tcp could listening on port 3389 with netcard1 and RDP-Tcp-3390 listening on port 3390 with netcard2

Show netcard ID:
netsh interface ipv4 show interfaces

Show assignments in powershell:
gwmi Win32_TSNetworkAdapterSetting -filter “TerminalName=’RDP-Tcp'” -namespace “root/cimv2/TerminalServices” | Select NetworkAdapterLanaID,NetworkAdapterName
and
gwmi Win32_TSNetworkAdapterSetting -filter “TerminalName=’RDP-Tcp-3390′” -namespace “root/cimv2/TerminalServices” | Select NetworkAdapterLanaID,NetworkAdapterName

RUNDLL32 PRINTUI.DLL,PrintUIEntry /y /n “RICOH 3228C”

If you need a delay og 10 sec, add this before:
ping 1.1.1.1 -n 1 -w 10000 > nul

—-
Alternative:

In bat file:
cscript print.vbs

In vbs file:
Option Explicit
On Error Resume Next
Dim objNetwork
Set objNetwork = CreateObject(“WScript.Network”)

objNetwork.SetDefaultPrinter “printer MFP(PCL) (redirected 1)”
objNetwork.SetDefaultPrinter “printer MFP(PCL) (redirected 2)”
objNetwork.SetDefaultPrinter “\\server\printer”

WScript.Quit

Enable running scripts:
set-ExecutionPolicy Unrestricted

From the “METRO” you can right-click “this pc” and have some options from there.

Map Network drive is one of them.

Use this in a script:
C:\Progra~2\Google\Chrome\Application\chrome.exe –make-default-browser

List of switches:
http://peter.sh/experiments/chromium-command-line-switches/

Download and install:
https://adblockplus.org/en/internet-explorer

GPO:
Computer Configuration –> Administrative Template –> Windows Components –> Internet Explorer
Automatically activate newly installed add-ons
Enable

User Configuration –> Administrative Templates –> Windows Components –> Internet Explorer –> Toolbars
Hide the status bar
Disabled

You might want to disable Automatic updates:
Edit the hostfile
127.0.0.1 update.adblockplus.org

On old DHCP Server:
netsh dhcp server export C:\dhcp.txt all

On new DHCP Server:
netsh dhcp server import c:\dhcp.txt all

If errors, remove the scope options on the new server.

ROBOCOPY \\srv1\c$\share\ \\srv2\d$\share\ /MIR /SEC /R:2 /W:5 /LOG+:C:\AdminFolder\log.txt

MIR : mirrors files
SEC : NTFS rights
R:2 : Retry two times
W:5 : wait 5 seconds

If you are running into this error, you can try to disable the services:

File Replication Service (FRS) – Most likely only this
Distributed File System (DFS)
Windows Search
Indexing Service

Just install the indexing service (role service)
It does not have to index anything!

OR

Windows Search Service

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:”ntp.siminn.dk”
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
“UseWUServer”=dword:00000000

C:
Cd\Windows\System32\spool
Cacls.exe PRINTERS /e /g users:C

restart spooler
—
/T Changes ACLs of specified files in
the current directory and all subdirectories.

/L Work on the Symbolic Link itself versus the target

/M Changes ACLs of volumes mounted to a directory

/S Displays the SDDL string for the DACL.

/S:SDDL Replaces the ACLs with those specified in the SDDL string
(not valid with /E, /G, /R, /P, or /D).

/E Edit ACL instead of replacing it.

/C Continue on access denied errors.

/G user:perm Grant specified user access rights.
Perm can be:
R Read
W Write
C Change (write)
F Full control

/R user Revoke specified user’s access rights (only valid with /E).

/P user:perm Replace specified user’s access rights.
Perm can be:
N None
R Read
W Write
C Change (write)

Create a task:
%windir%\system32\defrag.exe
With the drive as argument.
-c or -d

Create a bat file:

C:\Progra~1\MySQL\MYSQLS~1.5\bin\mysqldump.exe –opt –single-transaction –user=root –password=xxxx DB-name > backup_DB-name.sql

set backupFilename=%DATE:~6,4%%DATE:~3,2%%DATE:~0,2%
C:\Progra~1\7-Zip\7z a MyBackup%backupFilename%.zip *.sql

In the search box: Slui.exe 0x3
In the command prompt: slmgr.vbs -ipk 00000-00000-00000-00000-00000

http://handbook.dk/download/DisableAntiSpam2007.reg
http://handbook.dk/download/DisableAntiSpam2010.reg
http://handbook.dk/download/DisableAntiSpam2013.reg

Make a script with this content:

Windows 2003:
DEL C:\”Documents and Settings\%username%\Local Settings\Temporary Internet Files”\*.* /Q /F /S

Windows 2008:
DEL C:\”Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files”\*.* /Q /F /S

Add is as an logoff script
Great on Terminal servers.

All users desktop
C:\Users\Public\Desktop
(The Desktop folder is hidden)

All users start menu and programs:
C:\ProgramData\Microsoft\Windows\Start Menu
C:\Users\All Users

Download the ADMX/ADM files from here:
http://www.microsoft.com/en-us/download/details.aspx?id=18968
Extract the downloaded file.

Copy the content of the ADMX folder to this folder on the DC:
\\localhost\SYSVOL\domain.local\Policies\policydefinitions

Create the folder policydefinitions if it is missing.
The new policies are automatically replicated to all the DC’s.
And they are visible in GPMC

Remember this last step.
The old gpo’s is now missing. This is because the new “policydefinitions” folder is in control.
You need to copy the contents of: C:\Windows\PolicyDefinitions
from a DC to this folder – then the old polycy’s are back.
Remember, Widows update does not update this new store’s policy’s!
You need to do this by hand.

taskkill /F /IM iexplorer.exe
taskkill /F /IM iexplore.exe
taskkill /F /IM firefox.exe
taskkill /F /IM chrome.exe
taskkill /F /IM javaw.exe
taskkill /F /IM jqs.exe
taskkill /F /IM jusched.exe
wmic product where “name like ‘Java%%'” call uninstall /nointeractive
msiexec.exe /i \\Fileserver\jre-7u11\jre1.7.0_11.msi /qn

Explanation:
First. Kill all the processes needed to install java
vmic search after “Java * ” in “add-remove” programs.
If something starts with “Java”, it will be removed.
Last. Do a silent install

You need the two files in the folder where java is installed from:
Data1.cab
jre1.7.0_11.msi

If you start up the java install double clicking “jre-7u11-windows-i586.exe”, they can be found in:
C:\Users\user\AppData\LocalLow\Sun\Java\jre1.7.0_11
———————————–
What version of Java is installed and do somethig based on that:

IF (@PRODUCTTYPE) = “Windows 7 Professional Edition”
? “Windows 7”
$FileVersionWin7 = GetFileVersion(“C:\Program Files (x86)\Java\jre7\bin\java.exe”)
IF $FileVersionWin7 >= “7.0.150.3”
? “Java: ” + $FileVersionWin7 + ” No update”
else
? “Java: ” + $FileVersionWin7 + “Update”
RUN “\\nas\Java\jre-7u15\update.cmd”
endif
? “…”

EndIF

IF (@PRODUCTTYPE) = “Windows XP Professional”
? “Windows XP”
$FileVersionXP = GetFileVersion(“C:\Programs\Java\jre7\bin\java.exe”)
IF $FileVersionXP >= “7.0.150.3”
? “Java: ” + $FileVersionXP + ” No update”
else
? “Java: ” + $FileVersionXP + ” Update”
RUN “\\nas\Java\jre-7u15\update.cmd”
endif

You can disable Java update notifications by editing the registration database.
Set the values to zero.

HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy
EnableAutoUpdateCheck
EnableJavaUpdate
NotifyDownload

The Terminal server restarted, but why?
You see this in the log:
The Windows Installer initiated a system restart to complete or continue the configuration of ‘Adobe Acrobat X Standard

A “user” can initiate an update or repair of Adobe Reader. In the end of this process, the software initializes an system restart.
This has to be disabled on an terminal server.

Disable Reapir:
Adobe Reader X32
Adobe Reader x64
Adobe Acrobat X32
Adobe Acrobat x64

Hide update menu:
In this folder, but the file: HideMenu.js
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Javascripts

Customization Wizard X

More info:
http://blog.stealthpuppy.com/deployment/deploying-adobe-reader-x/

http://go.microsoft.com/?linkid=9726441

http://support.microsoft.com/kb/310049/en

dim objNetwork
set objNetwork = createobject(“Wscript.Network”)

WScript.Sleep 1000 * 60 * 1
objNetwork.SetDefaultPrinter “PrinterName”
—
Just make a .vbs file. You can use it in a startup script (GPO)
The line: WScript.Sleep 1000 * 60 * 1
makes an delay of one minute.

It is nice to see the history of crashed applications in Windows 2008.
But when you start up “reliability monitor” it is empty – why is that?
You have tried this: http://support.microsoft.com/kb/983386 but still no lock.
Are you running as Domain Controller on the server, it could be a right issue of the service.

Changed the RacTask on DCs to run “AS System” instead of “Local Service”.
Can be found in “task scheduler” –> “Microsoft” –> “Windows” –> “RAC”
RacTask

Computer Conf –> Preferences –> Control Panel Settings –> Folder Options –> Right click –> New –> File Type

User Conf –> Preferences –> Control Panel Settings –> Folder Options –> Right click –> new –> Open With

You can remove the “Admin Tools folder” with a GPO.

Go to:
User Configuration\Preferences\Windows Settings\Registry

Add a new Registry Item:
Action: Update
Hive: HKEY_CURRENT_USER
Key path: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: StartMenuAdminTools
Value type: REG_DWORD
Value data: 00000000

Add a second Registry Item:
Action: Update
Hive: HKEY_CURRENT_USER
Key path: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: StartAdminToolsRoot
Value type: REG_DWORD
Value data: 00000000

Remember to enable Loopback on the OU where the RD Host are.
Computer Configuration\Policies\Administrative Templates\User Group Policy loopback processing mode
Mode: Merge

Create new keystore with a 2048 bit certificate:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -genkey -keysize
2048 -alias tomcat -keyalg RSA -keystore keystore.2012

Make a request:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -certreq -keyalg
RSA -alias tomcat -file MyDom.csr -keystore keystore.2012

Import root cert:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -import -alias r
oot -keystore keystore.2012 -trustcacerts -file root.crt

Import intermediate cert:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -import -alias i
ntermed -keystore keystore.2012 -trustcacerts -file intermediate.crt

Import the trusted SSL cert:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -import -alias t
omcat -keystore keystore.2012 -trustcacerts -file MyDom.crt

More info

If you get this error trying to open a Office document: “The file is corrupt and it cannot be open” it might be a security setting.

If the file is from the Internet / Outlook, it is blocked by default.

You can unblock in the file properties or make a GP
Goto: User Configuration > Administrative Templates > Windows Components > Attachment Manager Enable: Do not preserve zone information in file attachments

Regedit:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\outlook] “DisableAntiSpam”=dword:00000001

Download regfile

By default Windows use the driver “HP DeskJet500c” or “HP Color LaserJet 5/5M PS” if no exact driver is found.
This can be changed in regedit on the terminal server.

Below is “HP LaserJet 4” the default.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd]
“FallbackPclDriver”=”HP LaserJet 4”
“FallbackPsDriver”=”HP Color LaserJet 5/5M PS”

Download regfile

On a terminal server where a user is trying to print, you get whis error in the log:

“Win32 error code returned by the print processor: 5. Access is denied”

Give the users trying to print write access to thsi folder on the terminal server:
C:\Windows\System32\spool

You have a Windows 2008 64 bit terminal server and needs some additional printer drivers x86 and x64.
When installing the x86 drivers this error occurs:

“please provide a path to windows media x86”

All you have to do is finding ntprint.inf from a 32 bit Windows 7 and give it that file and folders.
From a Windows 7 find this folders:

C:\Windows\winsxs\x86_ntprint.inf.*

Move it to your Windows 2008 server, and point the wizard to this files.

Script:
EnableOnLoad.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\FileValidation]
“EnableOnLoad”=dword:00000000

—

Group Policy:
“Options\Security\Trust Center\Protected View”

—

Reg file:
bProtectedMode.reg

The local harddrive of a client can be changed in a citrix invioment.
Create this on the server if you want it to be x:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix]
“InitialClientDrive”=”x:”
Type REG_SZ

On a terminal server all users are requested to enable or disable the protected mode in the new Adobe Reader X. On some systems enabling does not work.
You can easily disable this functionality for the user in regedit with the use of a login script running this command:

REG ADD “HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\Privileged” /v bProtectedMode /t REG_DWORD /d 0 /f

Update Adobe Reader XI
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\Privileged
“bProtectedMode”=dword:00000000

What is coursing the svchost.exe to use 100% CPU?
Use this command:
tasklist /svc /fi “imagename eq svchost.exe

Show the dll’s:
tasklist /m /fi “imagename eq svchost.exe

Sysinternals Process Explorer

HKEY_CURRENT_USER\Software\Microsoft\Office\XX.X\Outlook\Security

XX.X indicates your version of Outlook:
14.0 – Microsoft Office 2010
12.0 – Microsoft Office 2007
11.0 – Microsoft Office 2003
10.0 – Microsoft Office 2002
9.0 – Microsoft Office 2000

Add a new string value key in that location:
Level1Remove
Add the extensions: .lnk;.com;.exe

Download a Reg file

Upgrade the admin folder in the office folder with the newest “Office Customization Tool” files.
Start the tool:
setup.exe /admin

Featues –> modify user setting –> Microsoft office 2010 system –> Privacy –> Trust center
Disable Opt-in Wizard on first run (enabled)
Enable customer Exoerience improvement program (Disabled)
Save the MSP file

Setup.exe /adminfile office.MSP
(Runs the installation)

GPedit:
User –> Administrative Temp. –> Microsoft Office 2010 system –> Privacy –> Trust center
Disable Opt-in Wizard on first run (enabled)
Enable customer Exoerience improvement program (Disabled)

User –> Administrative Temp, –> Microsoft Office 2007 –> tools account settings –> rss feeds
Turn off RSS feature

Just a black screen. Saves a lot of time:
bcdedit /set bootux disabled

Vista boot screen
bcdedit /set bootux basic

More info

By defaults all new added computers are created in the default OU “Computers”. You can change the default OU.

redircmp ou=NewComputers,DC=mydom,dc=local

If you get this error when trying to open Outlook:
Microsoft Office Outlook kan ikke startes. Outlook-vinduet kan ikke åbnes (Danish).
Microsoft Office Outlook cannot start. Outlook window cannot be opened (English)

You can try this commands i “Run”.
Outlook.exe /resetnavpane
Or:
Outlook.exe /cleanprofile

BrowserChoice.reg

Right click on “my computer” –> properties –> “advanced” –> “startup and recovery” –> “setting” Choose “edit”

Change
/NoExecute=OptIn
to:
/NoExecute=AlwaysOff
And reboot

You are receiving an email with a digital signature, but it has a warning: “There are problems with the signature.  Click the signature button for details”.

Something is probably changing the email before delivery, and now it it not valid. An antivirus and/or SPAM scanner could course this. If you are using ESVA Mail scanner this software is insetting a text in the email. This can be disabled.

ESVA Customization

 Display a message at logon, before you can proceed to log on to a server.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“LegalNoticeCaption”=”Testing on top”
“LegalNoticeText”=”Test Test”

Download

You can extend the default 30 days grace period op to 120 days with this command:
slmgr /rearm
Then restart.

Works in Windows 7

How to map a network drive with the use of username and password.

NET USE S: \\servername\share /USER:domainname\username password

servername = Name of the server
share = Name of the share
domainname = Name of the domain where the username is defined, if local user just remove it.
username = Username
password = Password

Only the administrators on the terminal server can “shadow” other users, but what do you do if you have a “super user” that need to remotely support the other users?

You just have to modify the rights a little bit.
On the terminal server open “Terminal Services Configuration” and right click on the connection.
In “remote control” choose “use remote control with…”.
In “permissions” add the super user and go to “advanced”. Add the “remote control” right.

If the users affected by the new rights were logged in, remember to log them off before the changes are working.

Every time you send a new message in Outlook, and manually type in an email, this information is automatically inserted into the AutoComplete list.
A local database file stores this information (.NK2).
This file can be found in the user profile etc. C:\Documents and Settings\\Application Data\Microsoft\Outlook.

If you move this file to a new computer or just a new user profile, the information is active again.

The NK2 file can be edited with this program: http://www.nirsoft.net/utils/outlook_nk2_autocomplete.html

Need to access your SQL server from another computer?

Configuration in SQL Server Management Studio
Click “All Programs” –> Click “Microsoft SQL Server 2005” –> click “Microsoft SQL Server Management Studio”.
Log in to SQL Server 2005 with windows authentication or sa user.
Highlight the server and right click “Properties”.
Highlight “Security” –> Under “Server authentication”, choose “SQL Server and Windows authentication mode”.
Highlight “Connections” –> Under “Remote server connections”, choose “Allow remote connections to this server”.

Configuration in SQL Server Surface Area Configuration
Click “All Programs” –> Click “Microsoft SQL Server 2005” –> click “Configuration Tools” –> click “SQL Server 2005 Surface Area Configuration”.
Click “Surface Area Configuration for Services and Connections” -> click “MSSQLSERVER” –> click “Database engine” –> click “Remote connections” -> Under “Local and remote connections”, choose “Using TCP/IP only” or other protocols.

Remember the “SQL server browser” service. It it ussed when connected from the outside.

Get a boot-disk to fix the problem on this page.
Direct link here.

An exchange with the default settings have this problem.

To fix it enter the Exchange System Manager.
“Global Settings” –> “Internet Message Formats”.
Right click “default”. –> “Properties” –> “Advanced”.
Check the “allow out of office responses” box.

Find this path:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Make two new DWORD values:
MaxConnectionsPer1_0Server
MaxConnectionsPerServer

Give both of them a value of ‘a’ (don’t write the  ‘ ‘ )

Make a bat file with the extension .bat or .cmd
Define the the tabs this way in the file:

START http://www.microsoft.com/
START http://www.hp.com/
START http://www.ibm.com/

Find this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
Add this key: NoSearchBox”=dword:00000001

Download reg file

Find this path in regedit:

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\General
and the key: UserTemplates
type: REG_EXPAND_SZ

Just give it a value. (path to a folder)

If you can not find the key UserTemplates, Office is using the standard path:
C:\Documents and Settings\\Application Data\Microsoft\Templates

If you use KIX:
WriteValue(“HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\General”, “UserTemplates”, “c:\somefolder”, “REG_EXPAND_SZ”)

net stop “World Wide Web Publishing Service”
net start “World Wide Web Publishing Service”

To disable it, find this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Locate this key: EnableICMPRedirect
change the value from 1 to 0

Run this command from a .bat file:
shutdown.exe -r -f -t 60 -c “Windows Server 2003 will now restart in 1 minute…”

Make a scheduled job that runs the bat file.

net statistics server
(look after statics since…)

If you for some reason want your Windows 2003 server to automatic login a specific user when booted, it can be done with regedit.
Find this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Create/change the values of (strings):

DefaultUserName
DefaultPassword
DefaultDomainName
AutoAdminLogon (0 disable | 1 enable)

Make a new icon or use it in a script

C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muweb.dll,LaunchMUSite

First the firewall or router needs to be configured. Remember when using an encrypted ftp all passive ports has to be redirected.
 

This example are from a Cisco ASA

access-list allow_inbound extended permit tcp any interface outside eq ftp
access-list allow_inbound extended permit tcp any interface outside eq 2950
access-list allow_inbound extended permit tcp any interface outside eq 2951
access-list allow_inbound extended permit tcp any interface outside eq 2952
etc.

static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 2960 192.168.1.2 2950 netmask 255.255.255.255
static (inside,outside) tcp interface 2961 192.168.1.2 2951 netmask 255.255.255.255
static (inside,outside) tcp interface 2962 192.168.1.2 2952 netmask 255.255.255.255
static (inside,outside) tcp interface 2963 192.168.1.2 2953 netmask 255.255.255.255
etc.

Configuration on the ftp server:
General tab:
Specify address for passive mode: Write your public ip
specify port range for passive mode: Write 2950 to 3000

SSL/TLS tab:
Create a certificate.
Enable secure ftp through implicit ssl/tls and write using ssl/tls, only allow secure data transfers

That’s it!

You need to remote a server with remote desktop but thats not allowed, what do you do?

It is possible to “activate” this remotely with regedit.
find this regedit patch: HKLM\System\CurrentControlSet\Control\Terminal Server
Set this DWORD to 0: fDenyTSConnections

All the shortcuts in the control panel have an name with the .cpl extension.
Most of them can be found here: c:\windows\system32

I you for an example want to start the display properties just start the file: desk.cpl
(could be done from run)

If you want to activate through a script
rundll32.exe shell32.dll,Control_RunDLL desk.cpl

The shortcut MAIL can be found here:
C:\Program Files\Common Files\System\MSMAPI\1030\MLCFG32.CPL

More info here.

You need the Office 2003 SP3, download it here

On your computer make 3 directories.
TempSP3
Office2003
MSOffice2003

Put the servicePack file in the folder TempSP3
Extrakt the SP into Office2003 directory with this command:
C:\TempSP3\Office2003SP3-KB923618-FullFile-DAN.exe /Q /C /T:C:\Office2003
(depending on your chosen language, the name on the SP is different)

Make a administrative install of office 2003 with this command:
d:\setup.exe /a

During the install you have to use the serial number.

Slipstream with this commands:
msiexec /p C:\Office2003\MAINSP3.msp /a C:\MSOffice2003\PRO11.msi SHORTFILENAMES=TRUE /qb
msiexec /p C:\Office2003\OWC11SP3.msp /a C:\MSOffice2003\OWC11.MSI SHORTFILENAMES=TRUE /qb

In remote desktop it is possible to only redirect the default printer on the client.
The server need to have Windows 2003 SP2.
The client need to have XP SP2 and remote desktop client version 6

Nothing has to be done on the server.
On the client in regedit find this path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\RDPDR

Add a DWORD value: RedirectDefaultPrinterOnly = 1
Deactivate with 0

The client need Remote Desktop version 6.

More info  http://support.microsoft.com/kb/911913

RedirectDefaultPrinterOnly.reg

Make a task in windows control panel running a bat-file.

Bat-file:
cd C:\Program Files\Symantec\Backup Exec
bemcmd -o111 -d”HP 1″ -e1

first line enters the directory where “bemcmd” is localized.
second line runs a quick erase on the device “HP 1”.

Just an example of scope options on a windows 2003 active directory server with dhcp server.

003 Router: 192.168.1.1
006 DNS servers: 192.168.1.3
015 DNS Domain name: dom.local
044 WINS/NBNS Server: 192.168.1.3
046 WINS/NBT Node Type: 0x8

If you get this error when performing an backup of exchange: “Access denied to directory .
Access is denied to Remote Agent.  Check the login account for the specified device”, some things has to be checked.

1)
The user running the agent on exchange MUST be visible in Global Address List. In Active Directory user properties be sure not to have “Hide from exchange address list” checked.
If your exchange is an standard setup and your using the administrator account in the agent, this is probably whey the error came.

2)
If not using the Administrator account, be sure to check that the used account is a member of Domain Admin and NOT a member of Domain Users.
The account also need to have the exchange role “full exchange administrator”.

This can be done in the exchange manager.
– Open Exchange System Manager
– Right-click on the First Organization (Exchange) root and select Delegate “EXCHANGE FULL ADMIN” to the user”.

If the printing service (spoolsv.exe) is using 99% of the CPU, and an reboot of the whole server and or just the service does not work, what could be wrong?

Maybe an old print-job is stuck on the computer.
Go to: C:\WINDOWS\system32\spool\PRINTERS
and remove all the files.

Restart the printing service.

What do you do if you want an *.exe to run as a service?

You need two files from the “Windows Server 2003 Resource Kit Tools”. Instrsrv.exe and Srvany.exe.
Run this command:

c:\reskit\INSTSRV.EXE “Your service name” c:\reskit\SRVANY.EXE
Now the service “Your service name” exsists on the server.

You now need to add the actual exe to be run by the service.
This is done in Regedit.
Navigate to this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\”your service name”.Add Key and name it Parameters.

In this Add Value and type EXE information.
Value Name: Application
Data Type : REG_SZ
String:c:\your.exe

Links:
Windows Server 2003 Resource Kit Tools

Create shortcuts with this command in it:

Lock screen:
rundll32.exe user32.dll,LockWorkStation

Restart:
shutdown -r -t 01

Shutdown:
shutdown -s -t 01

Every time you print, a notification is shown above the clock.

There are different ways to remove it.

In Active Directory Group Policy:  “Administrative Templates” –> “Start menu and Taskbar” –> “Remove Balloon Tips on start Menu items”.

On a standalone XP click “start” –> “run”. Type: “gpedit.msc”.

What do you do if you want an user in your organization with the ability to change the system time and not using an administrator account.
In an Active Directory environment it can be done with a Group Policy.

Computer Configuration –> Windows Settings –> Local Policies/User Rights Assignment –> Change System Time.

You can specify specific users and or groups.

By default there are two time servers in windows XP. But it is possible to use our own prefered one. Just use this command:
w32tm /config /syncfromflags:manual /manualpeerlist:ntp.webpartner.dk
(ntp.webpartner.dk) is one example of an time server.

w32tm /config /update
Activities the changes.

net stop w32time
net start w32time
w32tm /resync

This works on Windows XP and 2003.

 more info

What do you do if you have two routers to the outside world. One to be used for Internet and one for an Intranet application?

The first router is deleverd by your ISP and the second one is making an VPN tunnel to the Intranet server.

Normally you would set up a routing roule on the first router, but if not possible an routing roule has to be set up on every computer who needs access to the Intranet server thug the second router.

In this example the Intranet application is accessed on http://10.79.10.2

On all the clients this has to be typed in the command console:
route add 10.79.10.0 mask 255.255.255.0 192.168.1.2 /p
The /p makes the rule persistent (not removed after an reboot).

It is possible to activate remote desktop in regedit, you do not have to use the GUI on the computer itself.

In regedit go to this path:

HKLM\System\CurrentControlSet\Control\Terminal Server
The value fDenyTSConnections must be 0 (zero) for enabling.

You are working with trust between two windows domains and gets this error.

Are you using vmware… ? yes, keep on reading.

This error does not occur on physical hardware but on a virtualized environment and only in vmware. The problem is the vmware driver  hgfs.sys. This driver handles the “vmware shared folders”.

To resole this disable vmware shared folders. It can be done thug regedit. Se the image below. Just change the “start” key value to 4. The path is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hgfs

For more information about this issue See this blog here

If you for some reason need to have more than one computer-name on a server it can not be done in the GUI. It has to be done in regedit.

1)
Find this location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

2)
Add a new key here with the name: OptionalNames with the type: REG_MULTI_SZ

Type in the server names you want as the value. Separate more than one name with a space.

3)
Restart the server.

Tired of messenger and do you want to remove it completely?

It can not be found in “add/remove programs” It has to be removed with this command:
RunDll32 advpack.dll,LaunchINFSection %windir%\\INF\\msmsgs.inf,BLC.Remove

Open “start” –> “run” and click “OK”.