Activate common Desktop Icons on Windows 10 and Server 2016

I still like to have the icons for ‘Network’ and ‘This PC’ on my Desktop on Windows. In Windows 10 and Server 2016, this setting is not so easy to find. It can be accessed via Settings -> Personalization -> Designs -> Themes -> Desktop Icon Settings.

Another way is to execute the following command:

rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0

The setting can also be found via the desktop search by typing in the term “Common”.

Certificate warning when starting applications via remote desktop services

In my test environment I recently built a new Windows Server 2016 based remote desktop environment. The environment consists of one server with the roles RD Web Access, RD Gateway, RD Connection Broker and RD License Server, and another server that acts only as RD Session Host. For the Web Access, Gateway and Connection Broker roles an official wildcard certificate was used, and an official DNS name was created so that the server can be reached from the Internet.

After everything was set up I did some tests and tried to access the Web Access site over the Internet from a computer that was not a member of the domain. Although I am using an official wildcard certificate, the following warning was displayed when an application or desktop was started:

Your remote desktop connection failed because the remote computer cannot be authenticated

The remote computer could not be authenticated due to problems with its security certificate.  It may be unsafe to proceed.

Name mismatch

Requested remote computer:
SHEPSRV129.SHEP-NET.DE

Name in the certificate from the remote computer:
*.pre-system.de

Certificate errors

The following errors were encountered while validating the remote computer's certificate:

The server name on the certificate is incorrect.

The reason for this message is that the RDP file contains the internal name of the RD Connection Broker, so my client tries to connect to that name, which does not match the name in the certificate.

The problem can be solved by specifying an alternative name, which is then transmitted in the RDP file. We can configure this alternative name using the following PowerShell cmdlet:

Set-RDSessionCollectionConfiguration -CollectionName "Standard Apps" -CustomRdpProperty "use redirection server name:i:1`n alternate full address:s:webinterface.pre-system.de"

The cmdlet takes the name of the collection for which the setting is made and the name the client should request instead of the internal one.
After I made the settings and logged off and back on to Web Access once, so that the new settings take effect, I received the following error when starting an application:

Remote Desktop can't connect to the remote computer "webinterface.pre-system.de" for one of these reasons:

1) Your user account is not listed in the RD Gateway's permission list
2) You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format (for example, computer1.fabrikam.com or 157.60.0.1).

The reason for this error is the Remote Desktop Resource Authorization Policy (RD RAP), which by default only allows connections to the internal name of the Connection Broker server. Now that my client is trying to connect to webinterface.pre-system.de, this attempt is blocked by the policy.
To allow access, open the RD Gateway Manager on the gateway server. In the Gateway Manager open the item “Manage Local Computer Groups” in the menu on the right and add the name webinterface.pre-system.de in the “Network Resources” tab and field.

If there are still problems with the gateway configuration, the details can be found in the event log on the gateway server under “Custom Views” -> “Server Roles” -> “Remote Desktop Services”.
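To catch this kind of name mismatch before users do, here is an added example (not from the original post) that reads the names a downloaded .rdp file will make the client request and checks them against the DNS names the certificate covers. The sample .rdp content and the wildcard name are constructed for illustration, modelled on the names above.

```powershell
# Constructed sample of what RD Web Access delivers (key:type:value per line); only the
# properties relevant to the name check are included.
$RdpText = @'
full address:s:SHEPSRV129.SHEP-NET.DE
use redirection server name:i:1
alternate full address:s:webinterface.pre-system.de
gatewayhostname:s:webinterface.pre-system.de
'@

# Names the certificate covers. On the server itself they can be read from the installed
# certificate, e.g. (Get-ChildItem Cert:\LocalMachine\My\<thumbprint>).DnsNameList.Unicode
$CertNames = @('*.pre-system.de')

function ConvertFrom-RdpFile {
    param([Parameter(Mandatory)][string]$Text)
    $props = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # key:type:value, where type is s (string) or i (integer) and the value may contain ':'
        if ($line -match '^([^:]+):([si]):(.*)$') { $props[$Matches[1]] = $Matches[3].Trim() }
    }
    $props
}

function Test-CertName {
    # A wildcard covers exactly one left-most label (RFC 6125): *.pre-system.de matches
    # webinterface.pre-system.de but neither pre-system.de nor a.b.pre-system.de.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string[]]$CertNames)
    foreach ($c in $CertNames) {
        if ($c.StartsWith('*.')) {
            $suffix = $c.Substring(1)                         # ".pre-system.de"
            $label  = $Name.Substring(0, [math]::Max(0, $Name.Length - $suffix.Length))
            if ($label -and $label -notmatch '\.' -and $Name.EndsWith($suffix, 'OrdinalIgnoreCase')) { return $true }
        } elseif ($c -ieq $Name) { return $true }
    }
    $false
}

$rdp = ConvertFrom-RdpFile $RdpText
# With "use redirection server name:i:1" the client requests the alternate name; otherwise "full address".
$requested = if ($rdp['use redirection server name'] -eq '1' -and $rdp['alternate full address']) {
    $rdp['alternate full address'] } else { $rdp['full address'] }

$names = @($requested, $rdp['gatewayhostname']) | Where-Object { $_ } | Select-Object -Unique
foreach ($name in $names) {
    $status = if (Test-CertName -Name $name -CertNames $CertNames) { 'covered by certificate' } else { 'NAME MISMATCH' }
    '{0,-32} {1}' -f $name, $status
}
```

Run it against the .rdp file a user downloads from RD Web Access before and after the Set-RDSessionCollectionConfiguration change to see which name the client will actually request.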

Custom Event view to monitor logins of a user

A couple of days ago a customer asked me if I know a solution for his problem:

They have used the standard domain administrator account (contoso\Administrator) during the last 10 years for the installation and configuration of server software and applications. Now they want to change the password of the domain administrator, but they don't know where the account has been used, so they cannot update it in the affected applications, services, scheduled tasks, etc.

Using the standard domain administrator account to install and configure software is not a good idea, because in a situation like this you cannot easily change it. It is a better approach to use a dedicated account for every application (yes, every application) and give that account only the permissions the application needs to run.

If you are in a situation like my customer's and want to find out where the account is used, you can create a custom event view and track the logon events of the user. The following custom XML filter tracks the logon events (event ID 4624) for the user Administrator:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(Level=4 or Level=0) and (EventID=4624)]]
      and
      *[EventData[Data[@Name='TargetUserName'] and (Data='Administrator' or Data='CONTOSO\Administrator')]]
    </Select>
  </Query>
</QueryList>

You can extract the IP address or name of the computer where the account has logged on from the data in the event:

New Logon:
Security ID: CONTOSO\Administrator
Account Name: Administrator
Account Domain: CONTOSO
Logon ID: 0xc22879
Logon GUID: {056ed80b-1111-2222-3333-9e58a66aa2c9}

Process Information:
Process ID: 0x344
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: SERVER2
Source Network Address: 192.168.1.2
Source Port: 53183

The “Network Information” section shows from which computer or network address the logon occurred. This way you can at least identify the computers that still use the domain administrator account and check the services, applications or scheduled tasks on those computers. Note that the workstation name or source network address may be empty, because the logon was initiated from the local computer or did not use TCP/IP at all.
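The same search can be scripted instead of clicking through the event viewer. The following is an added example (not from the original post) that parses 4624 events with the filter above and groups them by source computer, address and logon type, so that service (type 5) and scheduled task (type 4) logons stand out. The account name, domain and sample event are constructed for illustration.

```powershell
$TargetUser   = 'Administrator'
$TargetDomain = 'CONTOSO'

# Same filter as the custom view, tightened to the TargetUserName field only; usable with -FilterXml.
$QueryXml = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">
  *[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='$TargetUser']]
</Select></Query></QueryList>
"@

# Logon types as they appear in the event description; 4 and 5 point at scheduled tasks and services.
$LogonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch (scheduled task)'; 5 = 'Service'
                 7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive' }

function ConvertFrom-LogonEventXml {
    # Turns the XML of one 4624 event (EventRecord.ToXml()) into the fields worth reporting.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = [datetime]$xml.Event.System.TimeCreated.SystemTime
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $LogonTypes[[int]$data['LogonType']]
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        Process     = $data['ProcessName']
    }
}

# Constructed sample event, so the parsing can be checked without access to a Security log.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2017-06-01T01:00:05.000Z"/></System>
  <EventData><Data Name="TargetUserName">Administrator</Data><Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">4</Data><Data Name="WorkstationName">SERVER2</Data>
    <Data Name="IpAddress">192.168.1.2</Data><Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml $SampleEvent | Format-List

# Live query on the domain controller: one row per source and logon type, most frequent first.
Get-WinEvent -FilterXml $QueryXml -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() } |
    Where-Object { $_.Account -eq "$TargetDomain\$TargetUser" } |
    Group-Object Workstation, SourceIP, LogonType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Reading the Security log needs administrative rights, and the query has to be run on every domain controller (or a collector), since each one only holds the logons it authenticated.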

You can find more information about the data contained in the logon event body on the following site:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

The following sites contain information about custom event filters:

https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/

https://blogs.technet.microsoft.com/brad_rutkowski/2006/12/04/how-to-filter-the-eventlog-in-vista-manually-xml/


Enable IMAP and Message Submission with SSL/TLS for Exchange Server 2013

From time to time I need to enable IMAP and Message Submission on Exchange servers. Most of the time it is because some kind of CRM / ERP system needs to send and receive emails. Here are the steps to enable IMAP and Message Submission with SSL/TLS. I used a wildcard certificate (*.contoso.com) to secure the connections.

IMAPS uses port 993 (TCP) and Message Submission uses port 587 (TCP). Message Submission was created to distinguish between SMTP for servers and SMTP for clients: server-to-server SMTP runs on port 25, while client SMTP (Message Submission) runs on port 587 and requires the client to authenticate first.

Activate IMAP

Set the start type of the IMAP services to “Automatic” on the Exchange server. Note that two services need to be started to support IMAP, “Microsoft Exchange IMAP4” and “Microsoft Exchange-IMAP4-Back-End”. Use the following cmdlets in an elevated PowerShell:

Set-Service "MSExchangeImap4" -StartupType Automatic
Set-Service "MSExchangeIMAP4BE" -StartupType Automatic

Now start the IMAP services:

Start-Service "MSExchangeImap4"
Start-Service "MSExchangeIMAP4BE"

The next step is to set the certificate name for the IMAP service. Since I am using a wildcard certificate, I need to specify the host name the IMAP service should present:

Set-ImapSettings -X509CertificateName mail.contoso.com

You need to grant users the right to use IMAP with the following cmdlet:

Set-CASMailbox -Identity "Fred" -IMAPEnabled $true


Enable TLS for Message Submission Connector

Now we need to enable TLS for the Message Submission connector in Exchange. Exchange creates a Message Submission connector by default; it is named “<Server name>\Client Frontend <Server name>”.

First get a list of available certificates on the Server:

Get-ExchangeCertificate

Now use the thumbprint of the certificate you want to use to get a reference to this certificate:

$certificate = Get-ExchangeCertificate -Thumbprint DE67EC3C8D6793535D17678FEC519072723535E2

Create the certificate name so that it can be used by the connector:

$certificateName = "<I>$($certificate.Issuer)<S>$($certificate.Subject)"

The last step is to tell the connector which certificate to use:

Set-ReceiveConnector "EX01\Client Frontend EX01" -TlsCertificateName $certificateName

Now clients can use Message Submission with TLS.
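Here is the connector procedure above as one script (an added example, not code from the original post) that selects the wildcard certificate by the name it covers, checks it has not expired, builds the TlsCertificateName and reads the settings back. Run it in the Exchange Management Shell; the server name EX01, the connector name and *.contoso.com are taken from the post, the rest are assumptions.

```powershell
$Server     = 'EX01'
$Connector  = "$Server\Client Frontend $Server"
$CertDomain = '*.contoso.com'
$ImapHost   = 'mail.contoso.com'

# Pick the certificate by the name it covers instead of a hard-coded thumbprint, and only if it
# is still valid; if several match (e.g. after a renewal), take the one that expires last.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { @($_.CertificateDomains | ForEach-Object ToString) -contains $CertDomain -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $CertDomain found on $Server" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)" }

# Exchange identifies the connector certificate by issuer and subject in this <I>...<S>... form.
$certificateName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Set-ReceiveConnector -Identity $Connector -TlsCertificateName $certificateName
Set-ImapSettings -Server $Server -X509CertificateName $ImapHost

# Read back what was configured; TlsCertificateName must match the <I>...<S>... string exactly.
Get-ReceiveConnector -Identity $Connector | Select-Object Identity, Bindings, TlsCertificateName
Get-ImapSettings -Server $Server | Select-Object Server, X509CertificateName, SSLBindings, LoginType
```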

Login to IMAP with Outlook

As an example I configured an IMAP profile in Outlook (German version) to show you the required settings. Note that you have to use the user's UPN (user@domain) to log on to IMAP:

[Screenshots: Add IMAP Account, SMTP Authentication, Server Settings (Outlook, German version)]
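To confirm from a client what the Outlook profile will see, here is an added example (not from the original post) that opens IMAPS on port 993 (TLS from the first byte) and Message Submission on port 587 (STARTTLS after EHLO), lets .NET validate chain and name, and reports the certificate presented. No credentials are sent; the host name mail.contoso.com is taken from the post.

```powershell
function Test-MailTls {
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][int]$Port, [switch]$StartTls)
    $tcp    = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $stream = $tcp.GetStream()
    try {
        if ($StartTls) {
            # Plain SMTP until the server accepts STARTTLS (RFC 3207): 220 banner, EHLO, STARTTLS.
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            $null = $reader.ReadLine()
            $writer.WriteLine('EHLO client.example.net')
            do { $line = $reader.ReadLine() } while ($line -match '^250-')   # multi-line EHLO reply
            if ($line -notmatch '^250 ') { throw "EHLO failed: $line" }
            $writer.WriteLine('STARTTLS')
            $line = $reader.ReadLine()
            if ($line -notmatch '^220') { throw "STARTTLS refused: $line" }
        }
        # Default validation: the chain must be trusted and the name must match $HostName, as Outlook requires.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Endpoint = "${HostName}:$Port"
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            Expires  = $cert.NotAfter
            Result   = 'OK'
        }
    } catch {
        # A name mismatch or an untrusted chain surfaces here as an AuthenticationException.
        [pscustomobject]@{ Endpoint = "${HostName}:$Port"; Result = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

Test-MailTls -HostName 'mail.contoso.com' -Port 993
Test-MailTls -HostName 'mail.contoso.com' -Port 587 -StartTls
```

If the 587 check reports a self-signed subject, the connector is still using the default Exchange certificate and the Set-ReceiveConnector step above has not taken effect.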


Get-ADUser returns empty value for Active Directory attribute msDS-UserPasswordExpiryTimeComputed

Today I wrote a script for a customer of mine that sends emails to remote users whose password will expire in 10 days or less, telling them to change it. To get the date when a user's password expires, I used the PowerShell cmdlet Get-ADUser and read the AD property ‘msDS-UserPasswordExpiryTimeComputed’:

$users = Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "UserPrincipalName", "GivenName", "SN", "Mail" |
    Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}, "UserPrincipalName", "GivenName", "SN", "Mail" |
    Sort-Object DisplayName

This worked on the domain controller but not on the Exchange server, so I was wondering why. After some tests I found the reason: on the domain controller I ran the cmdlet as a domain administrator, while on the Exchange server I used a standard scheduled task account with only local administrator rights. So I granted the task account permission to read the property in the Active Directory Users and Computers console:

  1. Open the Active Directory Users and Computers console
  2. Right-click the domain and select “Properties”
  3. Switch to the “Security” tab and add the task user with read permission
  4. Select the task user and click on ‘Advanced’
  5. Find the task user in the list, mark it and click on ‘Edit’
  6. Select ‘Descendant User objects’ in the ‘Apply to’ drop-down and switch to the ‘Properties’ tab
  7. Scroll down the list and make sure that the option ‘Read msDS-UserPasswordExpiryTimeComputed’ is allowed
  8. Click on OK and close the dialogs

After the change my task account was able to read the property and the script showed me the time the password will expire.
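The complete check the post describes, as an added example (not the author's script): it turns the attribute into a date, handles the two cases the one-liner above trips on (an empty attribute when the executing account cannot read it, and the never-expires sentinel that [datetime]::FromFileTime cannot convert) and notifies users whose password expires within 10 days. The SMTP server and sender address are placeholders.

```powershell
Import-Module ActiveDirectory
$Attr         = 'msDS-UserPasswordExpiryTimeComputed'
$WarnDays     = 10
$SmtpServer   = 'smtp.example.internal'     # placeholder
$From         = 'helpdesk@example.internal' # placeholder
$NeverExpires = [int64]::MaxValue            # 0x7FFFFFFFFFFFFFFF: the password does not expire

$users = @(Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties DisplayName, Mail, $Attr)

# An empty attribute means the caller is missing the read permission described above.
$unreadable = @($users | Where-Object { $null -eq $_.$Attr })
if ($unreadable.Count -gt 0) {
    Write-Warning ("{0} of {1} users have an empty {2}: the executing account probably lacks the read permission." -f $unreadable.Count, $users.Count, $Attr)
}

$expiring = foreach ($u in $users) {
    $raw = $u.$Attr
    # Skip unreadable values, the never-expires sentinel and 0 (must change password at next logon).
    if ($null -eq $raw -or [int64]$raw -eq $NeverExpires -or [int64]$raw -le 0) { continue }
    $expiry = [datetime]::FromFileTime([int64]$raw)
    $days   = [math]::Ceiling(($expiry - (Get-Date)).TotalDays)
    if ($days -le $WarnDays) {
        [pscustomobject]@{ Name = $u.DisplayName; UPN = $u.UserPrincipalName; Mail = $u.Mail
                           ExpiryDate = $expiry; DaysLeft = $days }
    }
}

foreach ($e in ($expiring | Where-Object Mail)) {
    $when = if ($e.DaysLeft -le 0) { 'has expired' } else { "expires in $($e.DaysLeft) day(s), on $($e.ExpiryDate.ToString('yyyy-MM-dd'))" }
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $e.Mail -Subject 'Your password is about to expire' `
        -Body "Hello $($e.Name),`r`n`r`nyour password $when. Please change it in time."
}
$expiring | Sort-Object DaysLeft | Format-Table Name, Mail, ExpiryDate, DaysLeft -AutoSize
```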

Download Location of Citrix Netscaler VPX Express edition

I only access the Citrix website from time to time, so I am always searching for the download page of the NetScaler VPX Express edition. If you need it too, you can find it under the following URL:

https://www.citrix.com/downloads/netscaler-adc/virtual-appliances/netscaler-vpx-express.htm

You need a Citrix account to access this site.

You can also navigate there from the regular download page via https://www.citrix.com/downloads -> “Select a product: NetScaler ADC” -> “NetScaler VPX Express”. Note that there is no 12.x NetScaler VPX Express edition; only the 11.x branch is available.

Exporting password properties from Active Directory to file with PowerShell

This command exports the password properties of all users from Active Directory and writes them to a CSV file:

Get-ADUser -Filter * -Properties SamAccountName, PasswordLastSet, PasswordNeverExpires | Select SamAccountName, PasswordLastSet, PasswordNeverExpires | Sort SamAccountName | Export-CSV -Path ("{0}\Desktop\AD.User.Password.csv" -f $env:USERPROFILE) -NoClobber -Encoding UTF8 -NoTypeInformation -Force


Get Exchange mailboxes of disabled Active Directory accounts with PowerShell

Today a one-liner:

I needed a list of Exchange mailboxes whose Active Directory account is disabled. Here is the command to display them in the PowerShell window:

Get-Mailbox | where {$_.ExchangeUserAccountControl -Match "AccountDisabled"} | fl DisplayName, Database, ExchangeUserAccountControl

If you want to create a CSV file that lists all OWA-enabled users but excludes disabled accounts, use the following command line (combining Get-Mailbox with Get-CASMailbox):

Get-Mailbox | where {$_.ExchangeUserAccountControl -notmatch "AccountDisabled"} | Get-CASMailbox | where {$_.OwaEnabled -eq $true} | Select DisplayName, OwaEnabled | Export-Csv -Path ("{0}\Desktop\OWA.Users.csv" -f $env:USERPROFILE) -NoClobber -Encoding UTF8 -NoTypeInformation

This will create the list and save it as ‘OWA.Users.csv’ on the desktop of the executing account.

Change the Windows updates install time on Hyper-V Server

I needed to change the install time of Windows updates on a Hyper-V Server 2016 from the default of 03:00 to 01:00. There is an option in sconfig (the blue menu box) to switch Windows update installation from manual to automatic, but there is no option to change the time at which updates are installed, so it defaults to 3:00 AM. It is also not possible to install the Windows Update cmdlets that would allow changing the configuration, because that feature does not exist in Hyper-V Server.

So the solution is to edit the registry of the server directly. Open regedit and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Add a DWORD 32 bit value with the following Name:

ScheduledInstallTime

Set the entry to the hour of the day at which the system should install updates. For example, to install updates at 01:00 set the value to 1; to install them at 23:00 set the value to 23. Don't forget to switch the base in the regedit dialog to ‘Decimal’ if you want to set a value greater than 9.

Only full hours can be configured.

After the change, restart the Windows Update service with the following commands:

net stop wuauserv
net start wuauserv
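The same change from PowerShell (an added example, not from the original post), which writes the value as a decimal REG_DWORD so the hex/decimal mix-up in regedit cannot happen, restarts the service and reads the value back; the hour 1 is the 01:00 from the post.

```powershell
function Set-WindowsUpdateInstallHour {
    # Hour of the day (0-23) at which automatic updates are installed; only full hours are possible.
    param([Parameter(Mandatory)][ValidateRange(0, 23)][int]$Hour)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Type DWord creates a REG_DWORD; the value is given in decimal, no base switching needed.
    Set-ItemProperty -Path $key -Name ScheduledInstallTime -Value $Hour -Type DWord
    # Equivalent of "net stop wuauserv" / "net start wuauserv".
    Restart-Service -Name wuauserv
    (Get-ItemProperty -Path $key -Name ScheduledInstallTime).ScheduledInstallTime
}

$hour = Set-WindowsUpdateInstallHour -Hour 1
'Updates are scheduled for {0:00}:00 (ScheduledInstallTime = {1})' -f $hour, $hour
```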

You can find a full list with registry options for Windows updates on the following website:

https://technet.microsoft.com/en-us/library/cc708449(v=ws.10)