Typical End User…

 

Animation by Lisa Larson-Walker. Images by Den Rise/Shutterstock, courtesy of Rosa Menkman/Flickr Creative Commons.

A simple under the covers description of NTLM/Kerberos

I did not write this, but I liked it. All credit to Summit7.

NTLM

NTLM is a Windows challenge/response authentication protocol that leverages the interactive use of a login box that requires the end user to input their network credentials manually. Those credentials would include the users Username, password and domain name if logging into an organizations domain.

Plain English: end users log in by entering a username, password and domain into a login box. That being said we need to understand at least the basics of the process.

1. NTLM authenticates end users by first creating an encrypted one-way hash of the users password, discarding the original password and then sending the user name to the server in plain text.
2. The server responds to the client with a 16-bit challenge called a nonce.
3. The client encrypts the nonce and the hash of the users password and returns them to the server. This is the Response.
4. The server in turn sends three items to the domain controller; the users name, the challenge sent to the client and the clients response to the challenge. The domain controller retrieves the hash of the user name is has received from the Security Account Manager (SAM) database and uses that hash to encrypt the challenge.
5. Once the challenge has been encrypted by the domain controller it is compared to the challenge encrypted by the client and if they match the end user is authenticated successfully.

Plain English: If you enter your password incorrectly the hashes will not match and you won’t be able to log into the network.

Kerberos

The Kerberos security protocol has been a part of Windows since Windows Server 2000 and was intended as a replacement for NTLM. Obviously that hasn’t happened and the two can often be found working together or in a mixture across Windows environments everywhere.

Kerberos is a Windows Security Protocol designed to authenticate users and services on an organisations network and relies on three components; a client, a service and a trusted third party. The trusted third party in most Windows networks would likely be the Key Distribution Center (KDC) which creates the shared secret that is leveraged to allow access to the service. A simple view of the process might look like this:

1. A user account is created in the domain and assigned a password.
2. The Kerberos client adds a text string, or a SALT and the Kerberos version number to the unencrypted password and runs them through a process known as the “string2key” This conversion generates the “shared secret”.
3. At the client the user enters their username and password and requests access to an application or service.
4. When the user submits their username and password the Kerberos client creates the secret key on the client based on that information. Because the client uses the same key to generate the secret key that the KDC does the two will match, or should anyway. If they don’t match authentication fails and access id denied.

Plain English: If you enter your password incorrectly the hashes will not match and you won’t be able to log into the network.

Thanks to Summit7 for this – full link –> http://summit7systems.com/claims-based-authentication-adfs-3-0-and-sharepoint-2013-beginners-guide/

Setup a secure point-to-site connection to a virtual network in Azure

Configure the network and gateway

Log in to the Azure portal (http://manage.windowsazure.com/). Create a new Virtual Network. Click Custom Create. On the DNS Servers and VPN Connectivity page, then click on: 

• Configure Point-To-Site VPN: Select the checkbox.
• On the Point-To-Site Connectivity page, specify the IP address range from which your VPN clients will receive an IP address when connected. Don't overlap with an on-premise address.

Update the IP range for the Azure subnet

When your virtual network has been created, you will see Created listed under Status on the networks page in the Azure portal. Once your virtual network has been created, you can create your dynamic routing gateway.

 

The gateway type must be configured as dynamic. Static routing gateways will not work with this feature.

1. In the portal, on the Networks page, click the virtual network that you just created, and navigate to the Dashboard page.
2. Create Gateway. It can take around 15 minutes for the gateway to create.

 

Generate and upload certificates

Previously, you were required to generate your own self-signed certificate. Now, you can now use certificates that you generated using an enterprise solution. You can upload up to 20 root certificates to Azure.

Option 1: Planning to use an enterprise certificate solution, the steps within each section will be different, but you'll still need to do the following:

• Identify or generate a root certificate.
• Upload the root certificate .cer file to Azure.
• Generate a client certificate.
• Export and install the client certificate.

Option 2: Planning to use a self-signed certificate, use the steps:

• One way to create an X.509 certificate is by using the Certificate Creation Tool (makecert.exe). To use makecert, download and install Microsoft Visual Studio Express, which is free of charge.
• Navigate to the Visual Studio Tools folder and start the command prompt as Administrator.
• The command in the following example will create and install a root certificate in the Personal certificate store on your computer and also create a corresponding .cer file that you'll later upload to the Azure portal.
• Change to the directory that you want the .cer file to be located in and run the following command, where RootCertificateName is the name that you want to use for the certificate. If you run the following example with no changes, the result will be a root certificate and the corresponding file RootCertificateName.cer.

Because you have created a root certificate from which client certificates will be generated, you may want to export this certificate along with its private key and save it to a safe location where it may be recovered.

• Download Visual Studio 2013 Express and makecert is included. http://www.visualstudio.com/en-us/downloads/download-visual-studio-vs.aspx

C:\Program Files (x86)\Windows Kits\8.1\bin\x64>makecert -sky exchange -r -n "CN=NewRootCertName" -pe -a sha256 -len 4096 -ss My "NewRootCertFile.cer"

• NewRootCertName refers to the self-signed root certificate that you generated.

Upload the root certificate .cer file to the Azure portal

1. In the Azure portal, on the Certificates page for your virtual network, click Upload a root certificate.

Generate a client certificate

The steps below are for generating a client certificate. On the same computer that you used to create the self-signed root certificate, open a Visual Studio command prompt window as administrator.

1. Change the directory to the location where you want to save the client certificate file. RootCertificateName refers to the self-signed root certificate that you generated. If you run the following example (changing the RootCertificateName to the name of your root certificate), the result will be a client certificate named "ClientCertificateName" in your Personal certificate store.

C:\Program Files (x86)\Windows Kits\8.1\bin\x64>makecert.exe -n "CN=NewClientCertificateName" -pe -sky exchange -m 96 -ss My -in "NewRootCertName" -is my -a sha256



2. All certificates are stored in your Personal certificate store on your computer. If you want to reuse it export it

Installing a client certificate on each computer that you want to connect to the virtual network is a mandatory step.

The steps below will walk you through installing the client certificate manually.

1. A client certificate must be installed on each computer that you want to connect to the virtual network. This means you will probably create multiple client certificates and then need to export them. To export the client certificates, use certmgr.msc. Right-click the client certificate that you want to export, click all tasks, and then click export.
2. Export the client certificate with the private key. This will be a .pfx file. Make sure to record or remember the password (key) that you set for this certificate.
3. Copy the .pfx file to the client computer. On the client computer, double-click the .pfx file in order to install it. Enter the password when requested. Do not modify the installation location.

Configure your VPN client

The client requires both a client certificate and the proper VPN client configuration in order to connect.

Create the VPN client configuration package

1. In the Azure portal, on the Dashboard page for your virtual network, navigate to the quick glance menu in the right corner and click the VPN package that pertains to the client that you want to connect to your virtual network.

2. After you generate and download the VPN client package from the Azure portal, you can install the client package on the client computer from which you want to connect to your virtual network.

3. If you plan to install the VPN client package to multiple client computers, make sure that they each also have a client certificate installed. The VPN client package contains configuration information to configure the VPN client software built into Windows. The package does not install additional software.

Install the VPN configuration package on the client and start the connection. Done.

 

 

This information is a simplification of the article https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-point-to-site-create/#create-your-certificates

Script to strip out details from phone numbers ( brackets in this example )

 

 

#requires -Modules ActiveDirectory

<#

.SYNOPSIS

    Removes and brackets () from phone number fields of an Active Directory

.EXAMPLE

    .\Remove brackets from phones.ps1

.NOTES

   Developed By:

     n: Dave Colvin

     e: dave.colvin_at_experteq.com

     m : +61411265846

#>

Import-Module ActiveDirectory

clear-host

Get-ADUser -Filter {sAMAccountName -like "dave.colv.in*"} -SearchBase "OU=Users,DC=int" -searchscope subtree -Properties telephoneNumber, facsimileTelephoneNumber, homePhone, ipPhone, displayName |

foreach {

write-host "updating -> " $_.displayName

if ($_.telephoneNumber) {set-aduser -identity $_ -replace @{telephoneNumber=$_.telephoneNumber -replace '[()]',''}}

if ($_.facsimileTelephoneNumber) {set-aduser -identity $_ -replace @{facsimileTelephoneNumber=$_.facsimileTelephoneNumber -replace '[()]',''}}

if ($_.homePhone) {set-aduser -identity $_ -replace @{homePhone=$_.homePhone -replace '[()]',''}}

#if ($_.ipPhone) {set-aduser -identity $_ -replace @{ipPhone=$_.ipPhone -replace '[()]',''}}

            }

Get SQL Server Product Keys for Local and Remote Servers

This script you download and paste into PowerShell, then call function Get-SqlServerKeys and it outputs to the console. Nice and easy.

 

https://gallery.technet.microsoft.com/scriptcenter/Get-SQL-Server-Product-4b5bf4f8

Script to read in email addresses and set passwords, enable accounts

Hopefully the blog does not mundge the code… Self explanatory I hope…

 

 

Import-Module activedirectory

# Based on email addresses in file, sets password to common or predefined (choose below) and enable accounts

#

#format of CSV:

#

#importfile.csv

#email,password

#First.Last@ment.gov.au,SecretPassword!1

#dave.colv.in,SecretPassword!1

#Write-Output "Startup "

Import-Csv ".\ChurnReset.csv" | Foreach {

$email = $_.email

$dynamicPW = $_.password     #use this the passwords in the CSV

$setPW = "davecolvin00111!!" #use this for a preset password

#Write-Output "checking user -> $email password -> $dynamicPW"

try {

#Get-ADUser $user

$user = Get-ADUser -Filter {mail -like $email } -SearchBase "DC=dec,DC=int" -searchscope subtree -Properties samAccountName

Set-ADAccountPassword $user -NewPassword (ConvertTo-SecureString $setPW -AsPlainText -force) -Reset

Enable-ADAccount $user

Write-Output "$user, Password reset and enabled"

    } catch

    { Write-Output "$user,Error" }

}   # <-remove if you want a log file instead of screen       | Out-File PassChange.log

The scale of apathy..

A friend wanted to know what was lower on the scale of apathy then Meh. So I have put together the scale:

Apathetic

indifference

lack of interest

lack of enthusiasm

lack of concern

unconcern

uninterestedness

unresponsiveness

impassivity

dispassion

lethargy

languor

ennui

listlessness

torpor

acedia

inertia

coolness

passivity

coldness

stoicism

nonchalance

phlegm

sluggishness

unconcern

insensibility

unresponsiveness

impassivity

passiveness

impassibility

unfeelingness

emotionlessness

meh

Google Chrome getting business ready

Google now support GPO policy templates for administrators who want to set Chrome policies on their corporate-managed devices.

Download the policy templates zip file here and view the Chromium developer site for additional information.

 

Enter chrome://policy in your Chrome address bar, and Chrome will display all the policies which are currently in effect for that browser.

 

Policies which say “Applies to: Current user” are cloud-based user policies set from the Admin console, or they could be OS-user policies set by Group Policy Objects (GPO). Group policies can be per user or per machine. Device policies will show up as “Device” on Chrome devices, and “Machine” on Windows/Mac/Linux computers.

Machine Policies are applied through Group Policy Objects (GPO) on Windows and through the Admin console for Chrome OS ("Applies to: Device"). These are device-specific and apply to all users, regardless of which browser they’re using or whether or not they’re signed into Chrome or the device.

OS-user policy is applied to Chrome when a user signs into their corporate-managed computer. These policies are set using GPO on Windows. OS-user policies take precedence over cloud policies set for Chrome.

Chrome Profile refers to a user’s Chrome experience when he signs in to the Chrome browser on his machine. These are also called cloud-based user policies in the documentation, and they’re set by an administrator using the Admin console.

 

When there is a conflict between policies set on different scopes, the one that’s higher on the list above takes precedence. Machine Policies take precedence over OS-user and Chrome Profile policies.

https://support.google.com/chrome/a/answer/187202?hl=en

Windows Licences and Azure

Windows Server 2012 r2 brings a consistent licensing model and common features (for enterprises). These options are Standard and Datacenter.

Both Standard and Datacenter editions provide the same set of features; the only thing that differentiates the editions is the number of Virtual Machines (VMs). A Standard edition license will entitle you to run up to two VMs on up to two processors (subject to the VM use rights outlined in the Product Use Rights document). A Datacenter edition license will entitle you to run an unlimited number of VMs on up to two processors.

All features that are available in the Datacenter edition are also available in the Standard edition, including high availability features like failover clustering. The only difference between the two editions will be virtualization rights.

 

Hyper-V and Azure?

Windows Server licenses are not eligible for License Mobility through Software Assurance. The license to run Windows Server in the Azure environment is included in the per-minute cost of your Windows Virtual Machine. Licenses for use of Windows Server on-premises (whether in a VHD or otherwise) must be obtained separately through volume licensing.

Can you, the customer bring their own image that has applications and middleware on top of Windows Server?

Yes, Azure will charge the Windows Server Virtual Machine rate applicable for their instance. Customers are responsible for proper licensing of any application or middleware in the image.

Do you need Windows Server CALs to connect to a Windows Server image that is running in Azure Virtual Machines?

No. Windows Server CALs are not required for accessing Windows Server running in the Azure environment because the access rights are included in the per-minute charge for the Virtual Machines. Use of Windows Server on-premises (whether in a VHD or otherwise) requires obtaining a separate license and is subject to the normal licensing requirements for use of software on-premises.

 

Windows Server 2012 R2 Editions

	Windows Server Datacenter	Windows Server Standard
Maximum number of users	based on CALs	based on CALs
Maximum SMB Connections	16,777,216	16,777,216
Maximum RRAS Connections	unlimited	unlimited
Maximum IAS Connections	2,147,483,647	2,147,483,647
Maximum number of 64-bit sockets	64	64
Maximum RAM	4 TB	4 TB
Server can join a domain	Yes	Yes
DirectAccess	Yes	Yes

Server Roles

	Windows Server Datacenter	Windows Server Standard
Active Directory Certificate Services	Yes	Yes
Active Directory Domain Services	Yes	Yes
Active Directory Federation Services	Yes	Yes
AD Lightweight Directory Services	Yes	Yes
AD Rights Management Services	Yes	Yes
Application Server	Yes	Yes
DHCP Server	Yes	Yes
DNS Server	Yes	Yes
Fax Server	Yes	Yes
File Services	Yes	Yes
Hyper-V	Yes	Yes
Network Policy and Access Services	Yes	Yes
Print and Document Services	Yes	Yes
Remote Access	Yes	Yes
Terminal Services Application Sharing	Yes	Yes
Terminal Services Gateway	Yes	Yes
Web Services (IIS)	Yes	Yes
Windows Deployment Services	Yes	Yes
Windows Essentials	Yes	Yes
Windows Media Services support (Streaming Media Services)	See Installation Options documentation	See Installation Options documentation
WINS Server	Yes	Yes

Features

	Windows Server Datacenter	Windows Server Standard
RODC – read only domain controller	Yes	Yes
Automatic Virtual Machine Activation	Both guest and host	As guest
Best Practices Analyser	Yes	Yes
BranchCache Hosted Server	Yes	Yes
BranchCache P2P Cache	Yes	Yes
Windows Control Panel	Yes	Yes
Distributed File System Replication	Yes	Yes
Data Deduplication	Yes	Yes
ISCSI target support	Yes	Yes
DirectAccess	Yes	Yes
Dynamic Memory (in virtualization)	Yes	Yes
Failover Clustering	Yes	Yes
"Hot" add/replace RAM	Yes	Yes
IPAM (IP Address Management)	Yes	Yes
Microsoft Management Console	Yes	Yes
Minimal Server Interface	Yes	Yes
Network Load Balancing	Yes	Yes
Support for Non-volatile Memory Express	Yes	Yes
Windows PowerShell	Yes	Yes
Server Core mode	Yes	Yes
Server license logging	Yes	Yes
Server Manager	Yes	Yes
SMB Direct and SMB over RDMA	Yes	Yes
Storage Management Service	Yes	Yes
Storage Spaces	Yes	Yes
Volume Activation Services	Yes	Yes
VSS (Volume Shadow Copy Service) integration	Yes	Yes
Windows Server Update Services	Yes	Yes

 

 

 

These are non-typical enterprise customer editions. Just here for completeness.

	Windows Server Essentials	Windows Server Foundation	Microsoft Hyper-V Server	Windows Storage Server Standard	Windows Storage Server Workgroup
Maximum number of users	25	15	unlimited	unlimited	50
Maximum SMB Connections	16777216	30	16,777,216	16,777,216	250
Maximum RRAS Connections	50	50	250	50	50
Maximum IAS Connections	50	10	50	50	50
Maximum number of 64-bit sockets	2	1	64	64	1
Maximum RAM	64 GB	32 GB	4 TB	4 TB	32 GB
Server can join a domain	For migration only	For migration only	Yes	Yes	Yes
DirectAccess	See documentation	Yes	No	Yes	Yes

Server Roles

	Windows Server Essentials	Windows Server Foundation	Microsoft Hyper-V Server	Windows Storage Server Standard	Windows Storage Server Workgroup
Active Directory Certificate Services	Yes	Yes	No	No	No
Active Directory Domain Services	Required	Yes (optional)	No	No	No
Active Directory Federation Services	Yes	Yes	No	No	No
AD Lightweight Directory Services	No	Yes	No	Yes	Yes
AD Rights Management Services	Yes	Yes	No	No	No
Application Server	Yes	Yes	No	No	No
DHCP Server	Yes	Yes	No	Yes	No
DNS Server	Yes	Yes	No	Yes	No
Fax Server	Yes	Yes	No	No	No
File Services	Yes	Yes	Limited features	Yes	Yes
Hyper-V	No	No	Yes	Yes	No
Network Policy and Access Services	Yes	Yes	No	No	No
Print and Document Services	Yes	Yes	No	Yes	Yes
Remote Access	Yes	Yes	No	No	No
Terminal Services Application Sharing	No	Yes	No	No	No
Terminal Services Gateway	No	See documentation	No	No	No
Web Services (IIS)	Yes	Yes	No	Yes	Yes
Windows Deployment Services	Yes	Yes	No	No	No
Windows Essentials	Default	No	No	No	No
Windows Media Services support (Streaming Media Services)	Yes	See Installation Options documentation	No	No	No
WINS Server	Yes	Yes	No	Yes	No

Features

	Windows Server Essentials	Windows Server Foundation	Microsoft Hyper-V Server	Windows Storage Server Standard	Windows Storage Server Workgroup
RODC – read only domain controller	No	No	No	No	No
Automatic Virtual Machine Activation	As guest	No	No	No	No
Best Practices Analyser	Yes	Yes	Yes	Yes	Yes
BranchCache Hosted Server	Yes	Yes	No	Yes	No
BranchCache P2P Cache	Yes	Yes	No	Yes	Yes
Windows Control Panel	Yes	Yes	No	Yes	Yes
Distributed File System Replication	Yes	Yes	No	Yes	Yes
Data Deduplication	No	No	No	Yes	No
ISCSI target support	Yes	Yes	No	Yes	Yes
DirectAccess	Yes	Yes	No	Yes	Yes
Dynamic Memory (in virtualization)	Yes	No	No	Yes	No
Failover Clustering	No	No	Yes	Yes	No
"Hot" add/replace RAM	Yes	No	Yes	Yes	Yes
IPAM (IP Address Management)	Yes	Yes	No	Yes	Yes
Microsoft Management Console	Yes	Yes	Remote only	Yes	Yes
Minimal Server Interface	No	No	No	Yes	Yes
Network Load Balancing	Yes	Yes	No	Yes	Yes
Support for Non-volatile Memory Express	Yes	Yes	Yes	Yes	Yes
Windows PowerShell	Yes	Yes	Yes	Yes	Yes
Server Core mode	No	No	Yes--the only option	after setup	after setup
Server license logging	Yes	Yes	Yes	Yes	Yes
Server Manager	Yes	Yes	From a remote computer	Yes	Yes
SMB Direct and SMB over RDMA	Yes	Yes	Yes	Yes	Yes
Storage Management Service	Yes	Yes	Basic file server only	Yes	Yes
Storage Spaces	Yes	Yes	Yes	Yes	Yes
Volume Activation Services	No	No	No	No	No
VSS (Volume Shadow Copy Service) integration	Yes	Yes	No	Yes	Yes
Windows Server Update Services	Yes	No	No	No	No

Azure Active Directory editions

The Free edition of Azure Active Directory is part of every Azure subscription. There is nothing to license and nothing to install. With it, you can manage user accounts, synchronise with on-premises directories, get single sign-on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Google Apps, ServiceNow, Dropbox, etc.

Azure AD premium is what you will need for password self service in the cloud and AD write back.

The Microsoft Enterprise Mobility Suite (EMS) discount makes it the most cost-effective way to acquire the included cloud services:

1. Microsoft Azure Active Directory Premium for hybrid identity management, Microsoft Intune and Microsoft Azure Rights Management for information protection

Features	Free edition	Basic edition	Premium edition
Directory as a service	Up to 500K objects	No object limit	No object limit
User and group management using UI or Windows PowerShell cmdlets	Tick	Tick	Tick
Device registration	Tick	Tick	Tick
Access Panel portal for SSO-based user access to SaaS and custom applications	Tick Up to 10 apps per user	Tick Up to 10 apps per user	No app limit
User-based application access management and provisioning	Tick	Tick	Tick
Self-service password change for cloud users	Tick	Tick	Tick
Azure AD Connect – For syncing between on-premises directories and Azure Active Directory	Tick	Tick	Tick
Standard security reports	Tick	Tick	Tick
Features		Basic edition	Premium edition
High availability SLA uptime (99.9%)		Tick	Tick
Group-based application access management and provisioning		Tick	Tick
Customisation logo and colours to the Sign In and Access Panel pages		Tick	Tick
Self-service password reset for cloud users		Tick	Tick
Application Proxy: Secure Remote Access and SSO to on-premises web applications		Tick	Tick
Features			Premium edition
Advanced application usage reporting			Tick
Self-service group management for cloud users			Tick
Self-service password reset with on-premises write-back			Tick
Microsoft Identity Manager (MIM) user licenses – For on-premises identity and access management			Tick
Advanced anomaly security reports (machine learning-based)			Tick
Cloud app discovery			Tick
Multi-Factor Authentication service for cloud users			Tick
Multi-Factor Authentication server for on-premises users			Tick

Multi-Factor Authentication is included with Premium and can secure access to on-premises applications (VPN, RADIUS, etc.), Azure, Microsoft Online Services like Office 365 etc.

Microsoft Identity Manager (MIM) - Premium comes with the option to grant rights to use a MIM server (and CALs) in your on-premises network to support any combination of Hybrid Identity solutions. This is a great option if you have a variation of on-premises directories and databases that you want to sync directly to Azure Active Directory. There is no limit on the number of FIM servers you can use, however, MIM CALs are granted based on the allocation of an Azure.

 

Note, if you have SSPR on prem too?

Q: Can I synchronise data for security questions from on premises?
A: No, this is not possible today, but Microsoft are considering it.

Note2, locked out account?

Q: Do you unlock the local active directory accounts when users reset their passwords?

A: Yes, when a user resets his or her password and password writeback has been deployed with versions of AADSync 1.0.0485.0222 or later, then that user’s account will be automatically unlocked when that user resets his or her password.

Note3 & 4, worries about hackerz?

Q: Do you prevent users from attempting password reset many times in a short time period?

A: Yes, Users may only try 5 password reset attempts within an hour before being locked out for 24 hours. Users may only try to validate a phone number 5 times within an hour before being locked out for 24 hours. Users may only try a single authentication method 5 times within an hour before being locked out for 24 hours.

Q: For how long are the email and SMS one-time passcode valid?

A: The session lifetime for password reset is 105 minutes. This means that from the beginning of the password reset operation, the user has 105 minutes to reset his or her password. The email and SMS one-time passcode are invalid after this time period expires.

 

 

 

 

Azure AD versions: https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Azure AD Password writeback: https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx

Setting up SSRP: https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx

XenDesktop 7.6, Windows 2012 R2, Office 365

 

When opening any Office 365 application before opening Internet Explorer 11 (IE11) Office will fail with file permissions error.

It turns out Office 365 uses the temporary internet folder location from IE11 as its path to open temp files into. IE 11 has now got a new path for these files:

%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 – this Content.IE5 file does not exist until up have opened up IE11 first.

Even if you change the path in the user profile it ignores it and looks to use IE11 path regardless.

Solution:

Create group policy in IE11 (may have to load the IE11 admx files) which changes the path back to %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files

All works correctly once this applied.

 

Thanks to Andrew Hill – Senior Consultant, Experteq for the tip.

Moving the FIM 2010 R2 (FIM Service, read FIM portal) to a new SQL server

Shutdown the Forefront Identity Manager Service in services.cpl.

Backup the DB from the SQL Manager

Move it, rename it, restore it.

On the new DB server, set the FIM service account you are using as DB_Owner

 

You need to run the following command to enable SQL server service broker for the FIM Service Database since the DB has been restored. Remember that every time you restore FIM Service from a backup or move the DB to a new server, you would need to:

ALTER DATABASE [SQLD0040Q] SET ENABLE_BROKER WITH NO_WAIT

The alter query may fail if there are active connections to the database. You need to fix that if so.

 

On the FIM portal server

Open RegEdit
    Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMService

DatabaseServer is the name of the new SQL Server (it would have been blank if the local server was the SQL server)

DatabaseName is the file name in the remote SQL Server

 

Start the FIM Services

Moving the FIM 2010 R2 SQL database (or renaming the database)

Shutdown any jobs on FIM. Shut down the FIM Service in services.cpl.

 

Backup the DB from the SQL Manager

Move it, rename it, restore it.

On the new DB server, set the FIM service account you are using as DB_Owner

 

On the FIM server

Open RegEdit
    Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters

        Server is the name of the new SQL Server (it would have been blank if the local server was the SQL server)

        DBName is the file name in the remote SQL Server

        SQLInstance Property should equal the name of the instance (default instance, then it should be blank)

Start the FIM Services

 

Hat-tip: http://social.technet.microsoft.com/wiki/contents/articles/5465.fimilm-how-to-move-the-backend-sql-server-synchronization-service-database.aspx  (note this says Server Property inferring the key is called “Server Property“ it is just “Server”

FIM portal, the setup needs to run under SharePoint Farm administrator

Well they got an error, it just turns out it is wrong, here is the answer.

Error message text:
To install FIM portal, the setup needs to run under SharePoint Farm administrator account with at least Open permission that allows users to open a Web site, list, or folder in order to access items inside that container. Please make sure you are a SharePoint Farm administrator with Open permission and then click “Retry”. Click “Cancel” to abort setup.
Despite what the message says, you configure the farm administrators group and it does not work. What it really needs is a Site Collection Administrator. The Site Collection Administrators is an individual user (ie not two and not a group)!

Go to, Central Admin (URL:34997), then click on Application Management, then click on Change Site Collection Administrators, change to the user.
 


Hattip: http://blog.msresource.net/2013/01/29/to-install-fim-portal-the-setup-needs-to-run-under-sharepoint-farm-administrator-account-with-at-least-open-permission-that-allows-users-to-open-a-web-site-list-or-folder-in-order-to-access-items-i/

July 29 2015 – Windows 10 - free for the first year

 

Microsoft officials* said Windows 10 Home will be priced at $119usd and Windows 10 Pro will cost $199usd. Windows 10 upgrade $99usd will allow users to move from Windows 10 Home to Pro. You will also need to buy this if you are running Windows XP or Vista.

Microsoft is making Windows 10 available for FREE for the first year to computers with Windows 7 Service Pack 1 and Windows 8.1 on July 29, 2015. This is a limited time promotion that expires on July 29, 2016. Once the promotion ends, Microsoft will charge Windows 7 and Windows 8.1 users to upgrade to Windows 10.

New today!

If you are using a Windows 7/8.1, you will notice a Windows flag icon in your system tray starting today. This is the “Get Windows 10″ reservation launcher.

To reserve the upgrade, you just need to click the button in the wizard that launches. This will prepare Windows Update for Windows 10 upgrade when it arrives on July 29. So you will need to do this on each PC you intend to upgrade to Windows 10.

* According to to Neowin

FIM Portal (No Display Name)

 

If you did an important and everyone came in a (No display name) here is what to do.

First, set the display name precedence in the FIM Sync Manager console

http://social.technet.microsoft.com/wiki/contents/articles/5140.fim-reference-checking-configuring-attribute-precedence.aspx

Then you need to bulk delete all the crap (this is slow)

http://social.technet.microsoft.com/wiki/contents/articles/2108.how-to-use-powershell-to-delete-all-users-from-the-fim-portal.aspx

And you are ready to start again.

 

Forefront Identity Manager Portal

Robocopy to Onedrive Personal

 

If you are sick of the stupid sync clients for onedrive, map a drive a use robocopy, it runs, it is restartable and can tick away for weeks or months.

First map a drive to onedrive:

Open the outlook.com onedrive link in the web.

This is an example of the link location: https://onedrive.live.com/#cid=a3e4ab99159b06d6

In Windows explorer, map a drive to https://d.docs.live.net/a3e4ab99159b06d6

Connect using different credentials and use your outlook account, if you have two factor, you need an APP password. Once this is done use your robocopy command of choice and site back and wait.

Find the detailed XenServer tools version

 

To get the UUID:

xe vm-list | \
awk '{if ( $0 ~ /uuid/) {uuid=$5} if ($0 ~ /name-label/) \
{$1=$2=$3="";vmname=$0; printf "%s - %s\n", vmname, uuid}}'

Then:

xe vm-param-get uuid=<uuid from above> param-name=PV-drivers-version

 

Example output:

major: 6; minor: 2; micro: 0; build: 6

major: 6; minor: 2; micro: 0; build: 7 (update http://support.citrix.com/article/CTX142219)

 

 

Thanks: http://larryn.blogspot.com.au/2012/02/list-of-vms-on-xenserver-with-uuids.html

XenDesktop 7.6 Feature Pack 1 (Platinum Edition Below) Released

 

Features:

1. Session Recording - Session Recording enhances the ability for admins to actively monitor and record user sessions to simplify troubleshooting, accelerate issue resolution, evaluate personnel for training guidance, and monitor user behavior for compliance purposes.
   
2. Director 7.6.200 - This release includes controls to start and stop session recording (Session Recording is a feature in the Platinum Edition), as well as bug fixes.
   
3. HDX RealTime Optimization Pack 1.7 for Microsoft Lync - offers clear, crisp high-definition video calls in conjunction with Microsoft Lync®. This release adds support for Lync 2013 on Windows and Linux devices, plus new calling features.
   
4. License Server 11.12.1 for Windows - An optional component in Feature Pack 1. This release introduces the opportunity to participate in the Customer Experience Improvement Program.

• Note: that the components listed above are only the new items in Feature Pack 1. Even if you have already deployed 7.6, there are five components (beyond the items listed above) that have been updated or added since the initial 7.6 release.

Removing the Windows update cache

 

If your Windows update is stuck, errors on install or does not download, you can install manually or remove the Windows Update cache and let Windows learn again.

Run ‘cmd’ as Administrator

Either from the command line run ‘net stop wuauserv’ or stop the service in services.msc.

Go to the %windir% folder

run the commad ‘rd /s SoftwareDistribution’ to delete the contents

Restart the wuauserv (Windows update) service.

Microsoft detail this here.

Hat tip to…

Need to run Windows XP? do it safely

 

There are still plenty of Windows XP machines needed, so pull them out of virtualisation platforms, rip them off hardware and put them somewhere safe, on a VDI environment with read only, stateless disks !

If you try install the current version of the Virtual Desktop Agent (VDA) v7.6 on a machine running Windows XP or Windows Vista; however, you can install an earlier VDA version on these.

Setup your XenDesktop VDA environment, your PVS servers and once ready.

Downloading the older VDA for your VDI platform:

• XenDesktop Platinum: https://www.citrix.com/downloads/xendesktop/product-software/xendesktop-56-feature-pack-1-platinum.html 
• XenDesktop Enterprise: https://www.citrix.com/downloads/xendesktop/product-software/xendesktop-56-feature-pack-1-enterprise.html
• XenDesktop VDI: https://www.citrix.com/downloads/xendesktop/product-software/xendesktop-56-feature-pack-1-vdi.html

Install VDA as described in Installing and Upgrading the Virtual Desktop Agent.

Installing the latest VDA Hotfix Rollup, the latest rollup is available at:

• For x86-bit: Hotfix Rollup XD560VDAWX86400 (Version 5.6.400)
• For 64-bit: Hotfix Rollup XD560VDAWX64400 (Version 5.6.400)

 

Link to article http://support.citrix.com/article/ctx140941