Re: [NTSysADM] Re: Advice: migrate to new file server - UPDATE

2018-02-06 Thread Michael Leone
On Tue, Feb 6, 2018 at 10:15 AM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> If it's a matter of keeping the logs, you could post-process the log file
> afterward and strip out all the garbage.
>

True. Doubt I would need to keep them, just check after each run for any
errors, etc. After everything is copied, I will re-name and retire the
source server, and re-name the destination to take its place.



>
> --
> Espi
>
>
> On Tue, Feb 6, 2018 at 6:33 AM, Michael Leone <oozerd...@gmail.com> wrote:
>
>> Thanks. Yeah, I've seen it. It says:
>>
>> It seems that the /MIR option ignores the logging options. Also /MT
>> messes it up. The only way I got working was " D:\robocopy>robocopy source
>> destination /MIR /W:3 /R:100 /NS /NC /NFL /NDL /NP /LOG:log.txt". If you
>> try /MT, it will still show the silly 100%
>>
>> So I may be out of luck. I like that multi-threading, it really seemed to
>> speed things up for me. So I may have to live with the lines. I'll find out
>> this weekend, when I run the /MIR /MT run again. I will try the /NC /NS
>>
>> On Tue, Feb 6, 2018 at 8:47 AM, Micheal Espinola Jr <
>> michealespin...@gmail.com> wrote:
>>
>>> This may be helpful to you:
>>>
>>> https://superuser.com/questions/511702/how-do-i-hide-extra-file-and-100-lines-from-robocopy-output
>>>
>>> --
>>> Espi
>>>
>>>
>>> On Tue, Feb 6, 2018 at 5:18 AM, Michael Leone <oozerd...@gmail.com>
>>> wrote:
>>>
>>>> On Mon, Feb 5, 2018 at 7:01 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>>
>>>>> Right you are...
>>>>>
>>>>> But, if you want to see output on the console, and still log to a text
>>>>> file, use both the /np and /tee switches.
>>>>>
>>>>
>>>>
>>>> In my case, I don't, as the job executes as a scheduled task, so no
>>>> need for outputting to the console. I just want to see the log afterwards.
>>>> I search it for "error". But it would help to not have a million lines of
>>>> "100%" in the log ...
>>>>
>>>>
>>>>> I do that with some regularity for small jobs like this.
>>>>>
>>>>> Kurt
>>>>>
>>>>> On Mon, Feb 5, 2018 at 3:49 PM, Micheal Espinola Jr <
>>>>> michealespin...@gmail.com> wrote:
>>>>>
>>>>>> /NP is for the console display of progress.  As long as you are not
>>>>>> logging by way of redirected output, this would have no effect.
>>>>>>
>>>>>> --
>>>>>> Espi
>>>>>>
>>>>>>
>>>
>>
>



Re: [NTSysADM] Re: Advice: migrate to new file server - UPDATE

2018-02-06 Thread Michael Leone
Thanks. Yeah, I've seen it. It says:

It seems that the /MIR option ignores the logging options. Also /MT messes
it up. The only way I got working was " D:\robocopy>robocopy source
destination /MIR /W:3 /R:100 /NS /NC /NFL /NDL /NP /LOG:log.txt". If you
try /MT, it will still show the silly 100%

So I may be out of luck. I like that multi-threading, it really seemed to
speed things up for me. So I may have to live with the lines. I'll find out
this weekend, when I run the /MIR /MT run again. I will try the /NC /NS

On Tue, Feb 6, 2018 at 8:47 AM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> This may be helpful to you:
>
> https://superuser.com/questions/511702/how-do-i-hide-extra-file-and-100-lines-from-robocopy-output
>
> --
> Espi
>
>
> On Tue, Feb 6, 2018 at 5:18 AM, Michael Leone <oozerd...@gmail.com> wrote:
>
>> On Mon, Feb 5, 2018 at 7:01 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>>> Right you are...
>>>
>>> But, if you want to see output on the console, and still log to a text
>>> file, use both the /np and /tee switches.
>>>
>>
>>
>> In my case, I don't, as the job executes as a scheduled task, so no need
>> for outputting to the console. I just want to see the log afterwards. I
>> search it for "error". But it would help to not have a million lines of
>> "100%" in the log ...
>>
>>
>>> I do that with some regularity for small jobs like this.
>>>
>>> Kurt
>>>
>>> On Mon, Feb 5, 2018 at 3:49 PM, Micheal Espinola Jr <
>>> michealespin...@gmail.com> wrote:
>>>
>>>> /NP is for the console display of progress.  As long as you are not
>>>> logging by way of redirected output, this would have no effect.
>>>>
>>>> --
>>>> Espi
>>>>
>>>>
>



Re: [NTSysADM] Re: Advice: migrate to new file server - UPDATE

2018-02-06 Thread Michael Leone
On Mon, Feb 5, 2018 at 7:01 PM, Kurt Buff  wrote:

> Right you are...
>
> But, if you want to see output on the console, and still log to a text
> file, use both the /np and /tee switches.
>


In my case, I don't, as the job executes as a scheduled task, so no need
for outputting to the console. I just want to see the log afterwards. I
search it for "error". But it would help to not have a million lines of
"100%" in the log ...


> I do that with some regularity for small jobs like this.
>
> Kurt
>
> On Mon, Feb 5, 2018 at 3:49 PM, Micheal Espinola Jr <
> michealespin...@gmail.com> wrote:
>
>> /NP is for the console display of progress.  As long as you are not
>> logging by way of redirected output, this would have no effect.
>>
>> --
>> Espi
>>
>>



Re: [NTSysADM] Re: Advice: migrate to new file server - UPDATE

2018-02-05 Thread Michael Leone
On Mon, Feb 5, 2018 at 9:23 AM, Melvin Backus 
wrote:

> That would be the /NP switch. (no progress)
>

No, I'm already using it, and still getting the 100% ...


>Options : *.* /NDL /NFL /S /E /COPYALL /ZB /NP /MT:20 /R:0 /W:0
>



[NTSysADM] Re: Advice: migrate to new file server - UPDATE

2018-02-05 Thread Michael Leone
A little update. I did a run with the /CREATE option first, to create all
the files as zero length entries. Then, this past Friday, I did a run
without /CREATE. I perhaps should have used the /MIR option, to delete any
files/folders in the destination that may have been deleted in the source
since the initial run. But I was a bit hesitant, so I'll do that next week.

Here's some output:

  Started : Fri Feb 02 19:41:06 2018

   Source : 
 Dest : \\

Files : *.*

  Options : *.* /NDL /NFL /S /E /COPYALL /ZB /NP /MT:20 /R:0 /W:0

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :     87353        64     87289         0         0         2
   Files :    830622    800743     29879         0         0        29
   Bytes :   1.459 t   1.395 t  66.373 g         0         0         0
   Times :  90:36:42   4:17:16                       0:00:00   0:13:29

   Ended : Sat Feb 03 00:11:52 2018

Not bad at all. Close to 1.4T copied, in less than 4.5 hours. (the skips
were because a few of the folders were previously fully populated, during a
test run).

The only issue - apparently when you use /MT (or /MIR), you end up with a
lot of lines in your log file that say "100%". (By a "lot", I mean I have
literally 1 million lines in my log file ..) If anyone knows how to
suppress that, I would appreciate it ...
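
Added example (not part of the thread): the log post-processing suggested in this thread, in PowerShell. It drops the progress-only "100%" lines from a /LOG file and pulls out the ERROR records that a scheduled run needs reviewed. The function name, the sample log lines and the server and file names are constructed for illustration.

```powershell
# Added example, not from the thread. Filters a robocopy /LOG file:
# drops progress-only lines ("100%", "42.5%") and collects ERROR records.
function Split-RobocopyLog {
    param([string[]] $Line = @())

    # A line that holds nothing but a percentage is progress noise.
    $progressRx = '^\s*\d{1,3}(\.\d+)?%\s*$'
    # Error header: "yyyy/MM/dd HH:mm:ss ERROR n (0xXXXXXXXX) <operation> <path>"
    $errorRx = '^(?<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ERROR (?<code>\d+) \(0x[0-9A-Fa-f]{8}\) (?<what>.+)$'

    $kept    = New-Object 'System.Collections.Generic.List[string]'
    $errors  = New-Object 'System.Collections.Generic.List[object]'
    $dropped = 0

    for ($i = 0; $i -lt $Line.Count; $i++) {
        $text = $Line[$i]
        if ($text -match $progressRx) { $dropped++; continue }
        $kept.Add($text)

        if ($text -match $errorRx) {
            # Copy the captures now: the -match calls below overwrite $Matches.
            $time = $Matches['time']; $code = [int]$Matches['code']; $what = $Matches['what']

            # The Win32 message text is on the next non-blank line,
            # skipping any progress lines in between.
            $detail = ''
            for ($j = $i + 1; $j -lt $Line.Count; $j++) {
                $next = $Line[$j].Trim()
                if ($next -eq '' -or $next -match $progressRx) { continue }
                if ($next -notmatch $errorRx) { $detail = $next }
                break
            }
            $errors.Add([pscustomobject]@{
                Time = $time; Code = $code; Operation = $what; Message = $detail
            })
        }
    }
    [pscustomobject]@{ Kept = $kept.ToArray(); Dropped = $dropped; Errors = $errors.ToArray() }
}

# Constructed sample log (server, share and file names are made up).
$sample = @'
  Started : Fri Feb 02 19:41:06 2018
  Options : *.* /NDL /NFL /S /E /COPYALL /ZB /NP /MT:20 /R:0 /W:0
100%
100%
2018/02/02 19:52:13 ERROR 5 (0x00000005) Copying File \\OLDFS\F$\Shares\HR\plan.xlsx
Access is denied.

100%
2018/02/02 20:03:41 ERROR 32 (0x00000020) Copying File \\OLDFS\F$\Users\jdoe\mail.pst
100%
The process cannot access the file because it is being used by another process.
100%
    Ended : Sat Feb 03 00:11:52 2018
'@

$result = Split-RobocopyLog -Line ($sample -split '\r?\n')
'{0} progress lines dropped, {1} lines kept, {2} error(s)' -f `
    $result.Dropped, $result.Kept.Count, $result.Errors.Count
$result.Errors | Format-Table Time, Code, Message -AutoSize

# Against a real log (paths are placeholders):
#   $r = Split-RobocopyLog -Line (Get-Content 'D:\Logs\migrate.log')
#   $r.Kept | Set-Content 'D:\Logs\migrate.clean.log'
```

robocopy's exit code is a bit mask in which a value of 8 or higher means at least one copy failure, so a scheduled task can check `$LASTEXITCODE` in addition to searching the log.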



Re: [NTSysADM] Problems with changing File Share Witness

2018-02-02 Thread Michael Leone
I went with changing the Quorum back to default (even though I don't have a
disk to act as witness for these clusters); then just re-created the File
Share Witness. Worked like a charm.

Thanks

On Thu, Feb 1, 2018 at 9:45 AM, Michael B. Smith <mich...@smithcons.com>
wrote:

> How many physical nodes?
>
>
>
> As long as all your nodes are online and the FSW isn’t casting a vote, you
> should be able to remove the duplicate FSWs. That being said, switching to
> Node Majority (if all nodes are online), deleting all the FSWs, switching
> back to FSW in the new location is also easy.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Thursday, February 1, 2018 9:28 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Problems with changing File Share Witness
>
>
>
> So I have 3 different clusters, all of which use the same File Share
> Witness (different shares, but all on the same server). And that FSW server
> is going away ...
>
>
>
> So I set up a new share on a different server, and went to change one of
> the clusters to use it. I was able to add the new share (I seem to have
> done it twice, stupidly). So now I see *3* file share witness entries:
>
>
>
> 1. old FSW - shows ONLINE
>
> 2. new FSW - shows ONLINE
>
> 3. new FSW - shows ONLINE (this is the same share as in #2).
>
>
>
> I want to remove #1 completely, regardless (and also #3, which is
> redundant). And searches tell me that in order to remove a FAILED FSW, you
> have to change back to NODE MAJORITY. Then switch back to FSW, specifying
> the new location.
>
>
>
> Does that still apply in my case, where I just want to remove a FSW that
> is *not* FAILED? Or can I just REMOVE that entry? I haven't found anything
> that says what to do in this case.
>
>
>
>
>



Re: [NTSysADM] Problems with changing File Share Witness

2018-02-01 Thread Michael Leone
On Thu, Feb 1, 2018 at 9:45 AM, Michael B. Smith <mich...@smithcons.com>
wrote:

> How many physical nodes?
>


2, one online, one paused [long story].


> As long as all your nodes are online and the FSW isn’t casting a vote, you
> should be able to remove the duplicate FSWs. That being said, switching to
> Node Majority (if all nodes are online), deleting all the FSWs, switching
> back to FSW in the new location is also easy.
>


OK. So just switch to Node Majority; wait a minute; change back to FSW,
pointing at the new share? I don't need to delete the share, or its
contents?



>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Thursday, February 1, 2018 9:28 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Problems with changing File Share Witness
>
>
>
> So I have 3 different clusters, all of which use the same File Share
> Witness (different shares, but all on the same server). And that FSW server
> is going away ...
>
>
>
> So I set up a new share on a different server, and went to change one of
> the clusters to use it. I was able to add the new share (I seem to have
> done it twice, stupidly). So now I see *3* file share witness entries:
>
>
>
> 1. old FSW - shows ONLINE
>
> 2. new FSW - shows ONLINE
>
> 3. new FSW - shows ONLINE (this is the same share as in #2).
>
>
>
> I want to remove #1 completely, regardless (and also #3, which is
> redundant). And searches tell me that in order to remove a FAILED FSW, you
> have to change back to NODE MAJORITY. Then switch back to FSW, specifying
> the new location.
>
>
>
> Does that still apply in my case, where I just want to remove a FSW that
> is *not* FAILED? Or can I just REMOVE that entry? I haven't found anything
> that says what to do in this case.
>
>
>
>
>



[NTSysADM] Problems with changing File Share Witness

2018-02-01 Thread Michael Leone
So I have 3 different clusters, all of which use the same File Share
Witness (different shares, but all on the same server). And that FSW server
is going away ...

So I set up a new share on a different server, and went to change one of
the clusters to use it. I was able to add the new share (I seem to have
done it twice, stupidly). So now I see *3* file share witness entries:

1. old FSW - shows ONLINE
2. new FSW - shows ONLINE
3. new FSW - shows ONLINE (this is the same share as in #2).

I want to remove #1 completely, regardless (and also #3, which is
redundant). And searches tell me that in order to remove a FAILED FSW, you
have to change back to NODE MAJORITY. Then switch back to FSW, specifying
the new location.

Does that still apply in my case, where I just want to remove a FSW that is
*not* FAILED? Or can I just REMOVE that entry? I haven't found anything
that says what to do in this case.



Re: [NTSysADM] Advice: migrate to new file server

2018-01-31 Thread Michael Leone


Oh, the joys of special permissions on sub-folders ...

Good thing I did an initial run using the /CREATE switch (thanks for
that!). Found a number of errors, couldn't access destination folder.
Checking the source folder permissions, I see that these have been set
manually - not inherited, limited to only certain AD accounts (which now
don't exist, as those users left, and have been deleted from AD), etc.

So I'm wondering if it's better to run Robocopy as the local system
account, to avoid issues like this?

(I can probably fix the source permissions on a couple, after consulting
with that department, and seeing who to re-set the security to)

How do others get around this type of problem? Or are your folders set with
sane NTFS security on all of them? LOL



On Tue, Jan 30, 2018 at 8:23 AM, Michael Leone <oozerd...@gmail.com> wrote:

> On Mon, Jan 29, 2018 at 5:07 PM, Charles F Sullivan <
> charles.sulliva...@bc.edu> wrote:
>
>> By default it only copies changed files, no /a switch needed.
>>
>
>
> AH HA. Vital information/confirmation. Thanks. So if I do a /MIR this
> weekend, I should (theoretically) be able to do the same command, say every
> 3-4 days, until the move (17 days until the move).  That should make the
> final command, on the weekend of the move, relatively quick.
>
> I will start testing the /MIR on some temp and test folders ...
>
> Thanks!
>
>
>
>> On Mon, Jan 29, 2018 at 3:15 PM, Michael Leone <oozerd...@gmail.com>
>> wrote:
>>
>>> On Mon, Jan 29, 2018 at 2:57 PM, Charles F Sullivan <
>>> charles.sulliva...@bc.edu> wrote:
>>>
>>>> I always use the /mir option when doing a migration like that. The
>>>> reason is I have to do a "big" initial copy and then at least one delta
>>>> copy. (I usually do the final copy after removing access by changing share
>>>> perms or removing the share entirely so no further changes are made.) If I
>>>> don't use the /mir option, users will likely end up with data that is no
>>>> longer supposed to be present. (This assumes they will continue to have
>>>> access to the old server while copy job is running.)
>>>>
>>>
>>>
>>> Hmmm ... well, this would be done after hours on a Friday, so I doubt
>>> there would be any access. The idea is that the users go home Friday, and
>>> come back Monday, and it's all done behind the scenes.
>>>
>>>
>>>
>>>> It's completely safe despite the warning in the help, at least in this
>>>> scenario. Unless I'm missing something, the new server will not be
>>>> accessible to users until you finish the migration, thus there should be no
>>>> extra data which could get deleted.
>>>>
>>>
>>>
>>> I may test that this weekend, do a /MIR. Then I would need to only copy
>>> things that have changed since then. Is that  the /A option?
>>>
>>>
>>>> On Mon, Jan 29, 2018 at 2:27 PM, Michael Leone <oozerd...@gmail.com>
>>>> wrote:
>>>>
>>>>> I'd like to impose once more for some advice and opinions. I have a
>>>>> Win 2008 R2 file server; I need to migrate everything (shares and user
>>>>> home folders) to a Win 2012 R2 Storage Server, and then retire the old
>>>>> server. Everything is on 1 drive, with 3 main folders (Shares,Users,Scans),
>>>>> total size in the neighborhood of 2TB. Both have 4 teamed 1G NICs, so a
>>>>> total bandwidth of 4G.
>>>>>
>>>>> I'm thinking of using robocopy. I would make a full copy over the
>>>>> weekend:
>>>>>
>>>>> Source=OldFS\F$
>>>>> Destination=NewFs\d$
>>>>>
>>>>> RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP
>>>>> /NFL /NDL /LOG+:
>>>>>
>>>>> That should get everything, NTFS security and all sub-folders. I
>>>>> thought about the /MIR option, but I've never used it, and so am just a
>>>>> touch leery (perhaps illogically).
>>>>>
>>>>> The end goal is to:
>>>>> copy all the files and shares to the new FS;
>>>>> re-name and re-IP the old FS;
>>>>> power off the old FS;
>>>>> re-name and re-IP the new FS to the old name.
>>>>>
>>>>>  (this way I can power up the old FS, just in case I need it for
>>>>> something I've missed)
>>>>>
>>>>> That *should* make things transparent to the 
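
Added example (not from the thread): one way to list the folders with hand-set permissions before the copy, rather than finding them from robocopy's errors. Whichever account runs the copy, /COPYALL carries the same non-inherited ACLs and orphaned SIDs to the new server, so they are worth listing first. The function name, the demo folder names and the SID are constructed.

```powershell
# Added example, not from the thread. Lists folders whose ACLs will cause
# trouble in a robocopy /COPYALL migration: inheritance switched off, explicit
# ACEs for SIDs that no longer resolve to an account, or unreadable folders.
function Find-MigrationAclIssue {
    param([Parameter(Mandatory = $true)][string] $Root)

    $children = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue -ErrorVariable walkErrors
    $dirs = @(Get-Item -LiteralPath $Root) + @($children)

    # Folders the directory walk could not enter at all.
    foreach ($e in $walkErrors) {
        [pscustomobject]@{ Path = [string]$e.TargetObject; Issue = 'Unreadable'; Detail = $e.Exception.Message }
    }

    foreach ($dir in $dirs) {
        try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch {
            [pscustomobject]@{ Path = $dir.FullName; Issue = 'Unreadable'; Detail = $_.Exception.Message }
            continue
        }

        # Protected ACL = permissions set by hand instead of inherited.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $dir.FullName; Issue = 'InheritanceDisabled'
                               Detail = 'ACL is not inherited from the parent folder' }
        }

        # Get-Acl shows a raw SID string when the account cannot be resolved,
        # which is what a deleted AD user looks like in an ACL.
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if (-not $ace.IsInherited -and $id -match '^S-1-\d+(-\d+)+$') {
                [pscustomobject]@{ Path = $dir.FullName; Issue = 'OrphanedSid'
                                   Detail = "$id $($ace.AccessControlType) $($ace.FileSystemRights)" }
            }
        }
    }
}

# --- Constructed demo: a temp tree with one normal and one hand-locked folder ---
$demo   = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
$plain  = New-Item -ItemType Directory -Path (Join-Path $demo 'Shares\Public')  -Force
$locked = New-Item -ItemType Directory -Path (Join-Path $demo 'Shares\Payroll') -Force

$acl = Get-Acl -LiteralPath $locked.FullName
$acl.SetAccessRuleProtection($true, $true)   # stop inheriting, keep copies of current ACEs
# Made-up SID standing in for a deleted AD account.
$sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $locked.FullName -AclObject $acl

Find-MigrationAclIssue -Root $demo | Format-Table Issue, Path, Detail -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force

# Against the real source (path is a placeholder):
#   Find-MigrationAclIssue -Root 'F:\Shares' | Export-Csv 'D:\Logs\acl-issues.csv' -NoTypeInformation
```
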

Re: [NTSysADM] Multi-Threading Robocopy

2018-01-31 Thread Michael Leone
On Tue, Jan 30, 2018 at 7:28 PM, Michael B. Smith <mich...@smithcons.com>
wrote:

> The tech specs for the devices.
>


OK .. source has an HP SmartArray P800 controller, and  300G 2-port SAS
drives. Destination has a Dell PERC 810 controller and 800G drives ...

I will look to see if I can determine how many threads each will support ...



>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Tuesday, January 30, 2018 6:17 PM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* Re: [NTSysADM] Multi-Threading Robocopy
>
>
>
> On Tue, Jan 30, 2018 at 6:01 PM, Michael B. Smith <mich...@smithcons.com>
> wrote:
>
> How many threads does your I/O controller support? Each disk in the array?
> What about quick disconnects?
>
>
>
>
>
> No idea. And no idea on how to find out. :-( Can you point me to a clue?
> It's all HP hardware ..
>
>
>
>
>
> As a rule of thumb, two threads per spindle is where I start. But some
> hardware can support a heck of a lot more than that. And that will overload
> some hardware.
>
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Michael Leone
> Sent: Tuesday, January 30, 2018 4:57 PM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] Multi-Threading Robocopy
>
> On Tue, Jan 30, 2018 at 4:35 PM, Michael B. Smith <mich...@smithcons.com>
> wrote:
> > Doing a /create is going to be MFT lock-bound. You probably won’t get any
> > improvement above /MT:2.
>
>
> Mostly I put that in there, as preparation for when I run it without
> the /CREATE this weekend. What I'm really interested in is the thread
> count when I run a /MIR on a 1.1TB source (I ran the /CREATE based on
> a suggestion earlier in this thread).
>
> > You are probably far more interested in IO Total
> > than anything else.  A single thread can be holding a 64 MB buffer, but
> > depending on the driver and IO controller there may be darn close to zero
> > processor usage (and on others it could have a huge impact – it all
> > depends).
> >
> >
> >
> > From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com]
> > On Behalf Of Michael Leone
> > Sent: Tuesday, January 30, 2018 3:16 PM
> > To: ntsysadm@lists.myitforum.com
> > Subject: [NTSysADM] Multi-Threading Robocopy
> >
> >
> >
> > In my tests, I've been using a thread count of 20 (/MT:20). While doing a
> > /CREATE only run, it seems to not have any impact on performance (based on
> > CPU usage in taskmgr).
> >
> >
> >
> > What's your favorite thread count? LOL
> >
> >
> >
> >
>
>
>



Re: [NTSysADM] Multi-Threading Robocopy

2018-01-30 Thread Michael Leone
On Tue, Jan 30, 2018 at 6:01 PM, Michael B. Smith <mich...@smithcons.com>
wrote:

> How many threads does your I/O controller support? Each disk in the array?
> What about quick disconnects?
>
>

No idea. And no idea on how to find out. :-( Can you point me to a clue?
It's all HP hardware ...



> As a rule of thumb, two threads per spindle is where I start. But some
> hardware can support a heck of a lot more than that. And that will overload
> some hardware.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Michael Leone
> Sent: Tuesday, January 30, 2018 4:57 PM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] Multi-Threading Robocopy
>
> On Tue, Jan 30, 2018 at 4:35 PM, Michael B. Smith <mich...@smithcons.com>
> wrote:
> > Doing a /create is going to be MFT lock-bound. You probably won’t get any
> > improvement above /MT:2.
>
>
> Mostly I put that in there, as preparation for when I run it without
> the /CREATE this weekend. What I'm really interested in is the thread
> count when I run a /MIR on a 1.1TB source (I ran the /CREATE based on
> a suggestion earlier in this thread).
>
>
> > You are probably far more interested in IO Total
> > than anything else.  A single thread can be holding a 64 MB buffer, but
> > depending on the driver and IO controller there may be darn close to zero
> > processor usage (and on others it could have a huge impact – it all
> > depends).
> >
> >
> >
> > From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com]
> > On Behalf Of Michael Leone
> > Sent: Tuesday, January 30, 2018 3:16 PM
> > To: ntsysadm@lists.myitforum.com
> > Subject: [NTSysADM] Multi-Threading Robocopy
> >
> >
> >
> > In my tests, I've been using a thread count of 20 (/MT:20). While doing a
> > /CREATE only run, it seems to not have any impact on performance (based on
> > CPU usage in taskmgr).
> >
> >
> >
> > What's your favorite thread count? LOL
> >
> >
> >
> >
>
>
>



Re: [NTSysADM] Multi-Threading Robocopy

2018-01-30 Thread Michael Leone
On Tue, Jan 30, 2018 at 4:35 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> Doing a /create is going to be MFT lock-bound. You probably won’t get any
> improvement above /MT:2.


Mostly I put that in there, as preparation for when I run it without
the /CREATE this weekend. What I'm really interested in is the thread
count when I run a /MIR on a 1.1TB source (I ran the /CREATE based on
a suggestion earlier in this thread).


> You are probably far more interested in IO Total
> than anything else.  A single thread can be holding a 64 MB buffer, but
> depending on the driver and IO controller there may be darn close to zero
> processor usage (and on others it could have a huge impact – it all
> depends).
>
>
>
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Michael Leone
> Sent: Tuesday, January 30, 2018 3:16 PM
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Multi-Threading Robocopy
>
>
>
> In my tests, I've been using a thread count of 20 (/MT:20). While doing a
> /CREATE only run, it seems to not have any impact on performance (based on
> CPU usage in taskmgr).
>
>
>
> What's your favorite thread count? LOL
>
>
>
>




[NTSysADM] Multi-Threading Robocopy

2018-01-30 Thread Michael Leone
In my tests, I've been using a thread count of 20 (/MT:20). While doing a
/CREATE only run, it seems to not have any impact on performance (based on
CPU usage in taskmgr).

What's your favorite thread count? LOL



Re: [NTSysADM] Advice: migrate to new file server

2018-01-30 Thread Michael Leone
On Mon, Jan 29, 2018 at 4:40 PM, Joe Matuscak  wrote:

>
> Lately I've been using FreeFileSync for this sort of thing over robocopy.
> It seems much faster
> when you're doing the full copy/incremental approach.
>
> https://www.freefilesync.org/
>



Hmmm ... Robocopy took 11min for 11G; this utility took 8:15. That's close
to a 25% increase ...  Can't tell if there's a way to automate it, tho,
especially for 3 different folders. Looks like you need to do each folder
individually ..


Still, a very nice utility. Thanks!



Re: [NTSysADM] Advice: migrate to new file server

2018-01-30 Thread Michael Leone
On Mon, Jan 29, 2018 at 10:23 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> Youngsters these days...
>
> If I change the DVD/CD drive letter, I change it to Y:, because long
> ago, under some really old version of windows (3.1? wfwg 3.1x? I'm
> getting old - get off my lawn) logon scripts used Z:.
>


AHEM. We assign Z: to a user's home folder in AD ... I guess that makes us
antiques  (that's the way it was when I first got here 10 years ago,
haven't found a compelling enough reason for the pain of changing it)



>
> You can find a vague reference to it here:
> http://www.oreilly.com/openbook/samba/book/ch06_06.html
>
> Heh.
>


I remember from back in Win 3.1, you can assign "[:" as a drive letter, too
...



>
> Kurt
>
> On Mon, Jan 29, 2018 at 2:42 PM, Dave Lum <l...@ochin.org> wrote:
> > My typical buildout:
> >
> > Anything with a user share (other than a domain controller) gets a
> > separate volume than the OS and the files live there. Database servers get
> > at least two additional (logs for one, DB for the other). Server hosting
> > applications with a lot of read/writes and or file growth get an additional
> > volume as this allows easy movement/growth/reallocation of data volumes
> > without impacting the host OS. Doing a file recovery can be simplified with
> > this setup as there's lower risk of restoring the wrong application
> > file/setting*
> >
> > Single volume systems are infrastructure stuff like domain controllers,
> > DHCP servers, and print server (depending on its load and if it's not also
> > a file server).
> >
> > My OCD also sets the DVD drive to Z: so adding other drive letters is
> > contiguous.
> >
> > Dave
> > * This is probably legacy thinking as I haven't run into this in many,
> > many years.
> >
> >
> > -Original Message-
> > From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Kurt Buff
> > Sent: Monday, January 29, 2018 2:10 PM
> > To: ntsysadm <ntsysadm@lists.myitforum.com>
> > Subject: Re: [NTSysADM] Advice: migrate to new file server
> >
> > Don't know about everybody, but I do it - because I hate it when someone
> > copies a ton of big files to the drive that data shares with the OS, and
> > the machine chokes. Makes for a very unpleasant time for the users.
> >
> > I've also had to do this on machines with hyperactive print queues.
> > Now, if I'm building a print server, the spool directory goes on a
> > separate partition - doesn't really matter how big the partition is, even
> > just a few gigs, as long as it doesn't share the OS partition.
> >
> > Kurt
> >
> > On Mon, Jan 29, 2018 at 1:40 PM, Gantry Zettler <gan...@gmail.com>
> > wrote:
> >> "I'm hoping that the data is on a separate partition from the OS.
> >> That's pretty critical. "
> >>
> >> Is this what everyone else does?  Even on VMs?
> >>
> >>
> >>
> >> On Mon, Jan 29, 2018 at 3:16 PM, Melvin Backus
> >> <melvin.bac...@byers.com>
> >> wrote:
> >>>
> >>> Ditto. I usually do this over a span of days or weeks. Big initial
> >>> copy, then incrementals periodically depending on normal usage, etc.
> >>> Last pass as I’m ready to make the move.  By that time we’re talking
> >>> about a few minutes because everything should be the same anyway,
> >>> just the time to scan the file systems.
> >>>
> >>>
> >>>
> >>> --
> >>> There are 10 kinds of people in the world...
> >>>  those who understand binary and those who don't.
> >>>
> >>>
> >>>
> >>> ¯\_(ツ)_/¯
> >>>
> >>>
> >>>
> >>> From: listsad...@lists.myitforum.com
> >>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Charles F
> >>> Sullivan
> >>> Sent: Monday, January 29, 2018 2:58 PM
> >>> To: ntsysadm@lists.myitforum.com
> >>> Subject: Re: [NTSysADM] Advice: migrate to new file server
> >>>
> >>>
> >>>
> >>> I always use the /mir option when doing a migration like that. The
> >>> reason is I have to do a "big" initial copy and then at least one
> >>> delta copy. (I usually do the final copy after removing access by
> >>> changing share perms or removing the share entirely so no further
> >>> changes are made.) If I don't use the /mir option, users will likely
> >>> end up with data that is no longer supposed to be present.

Re: [NTSysADM] Advice: migrate to new file server

2018-01-30 Thread Michael Leone
On Mon, Jan 29, 2018 at 5:09 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> Don't know about everybody, but I do it - because I hate it when
> someone copies a ton of big files to the drive that data shares with
> the OS, and the machine chokes. Makes for a very unpleasant time for
> the users.
>


Definitely. If a data drive fills up, you've got an aggravating time
clearing space. If the OS drive fills up, it might stop responding, which
can ruin your whole day ...



>
> I've also had to do this on machines with hyperactive print queues.
> Now, if I'm building a print server, the spool directory goes on a
> separate partition - doesn't really matter how big the partition is,
> even just a few gigs, as long as it doesn't share the OS partition.
>


I didn't know you could re-point the spool directory. Also good info. My
new server is also a print server; maybe I will see about re-pointing the
spool folder to the D: drive instead ...



>
> Kurt
>
> On Mon, Jan 29, 2018 at 1:40 PM, Gantry Zettler <gan...@gmail.com> wrote:
> > "I'm hoping that the data is on a separate partition from the OS.
> > That's pretty critical. "
> >
> > Is this what everyone else does?  Even on VMs?
> >
> >
> >
> > On Mon, Jan 29, 2018 at 3:16 PM, Melvin Backus <melvin.bac...@byers.com>
> > wrote:
> >>
> >> Ditto. I usually do this over a span of days or weeks. Big initial copy,
> >> then incrementals periodically depending on normal usage, etc.  Last pass as
> >> I’m ready to make the move.  By that time we’re talking about a few minutes
> >> because everything should be the same anyway, just the time to scan the file
> >> systems.
> >>
> >>
> >>
> >> --
> >> There are 10 kinds of people in the world...
> >>  those who understand binary and those who don't.
> >>
> >>
> >>
> >> ¯\_(ツ)_/¯
> >>
> >>
> >>
> >> From: listsad...@lists.myitforum.com
> >> [mailto:listsad...@lists.myitforum.com] On Behalf Of Charles F Sullivan
> >> Sent: Monday, January 29, 2018 2:58 PM
> >> To: ntsysadm@lists.myitforum.com
> >> Subject: Re: [NTSysADM] Advice: migrate to new file server
> >>
> >>
> >>
> >> I always use the /mir option when doing a migration like that. The reason
> >> is I have to do a "big" initial copy and then at least one delta copy. (I
> >> usually do the final copy after removing access by changing share perms or
> >> removing the share entirely so no further changes are made.) If I don't use
> >> the /mir option, users will likely end up with data that is no longer
> >> supposed to be present. (This assumes they will continue to have access to
> >> the old server while copy job is running.)
> >>
> >>
> >>
> >> It's completely safe despite the warning in the help, at least in this
> >> scenario. Unless I'm missing something, the new server will not be
> >> accessible to users until you finish the migration, thus there should be no
> >> extra data which could get deleted.
> >>
> >>
> >>
> >> On Mon, Jan 29, 2018 at 2:27 PM, Michael Leone <oozerd...@gmail.com>
> >> wrote:
> >>
> >> I'd like to impose once more for some advice and opinions. I have a Win
> >> 2008 R2 file server; I need to migrate everything (shares and user home
> >> folders) to a Win 2012 R2 Storage Server, and then retire the old server.
> >> Everything is on 1 drive, with 3 main folders (Shares,Users,Scans), total
> >> size in the neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total
> >> bandwidth of 4G.
> >>
> >>
> >>
> >> I'm thinking of using robocopy. I would make a full copy over the weekend:
> >>
> >>
> >>
> >> Source=OldFS\F$
> >>
> >> Destination=NewFs\d$
> >>
> >>
> >>
> >> RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP /NFL
> >> /NDL /LOG+:
> >>
> >>
> >>
> >> That should get everything, NTFS security and all sub-folders. I thought
> >> about the /MIR option, but I've never used it, and so am just a touch leery
> >> (perhaps illogically).
> >>
> >>
> >>
> >> The end goal is to:
> >>
> >> copy all the files and shares to the new FS;
> >>
> >> re-name and re-IP the old FS;
> >>
> >> power off the old FS;
> >>
> >> re-name and re-IP the new FS to the old name.
> >>
> >>
> >>
> >>  (this way I can power up the old FS, just in case I need it for something
> >> I've missed)
> >>
> >>
> >>
> >> That *should* make things transparent to the end users.
> >>
> >>
> >>
> >> (ordinarily, I would think about doing a restore from my backup program
> >> Networker. But this is a remote site, and I believe that doing a local
> >> robocopy will probably be faster than trying to restore 2TB of what is
> >> probably a lot of small user files and folders across a 1G link)
> >>
> >>
> >>
> >> What have I missed? What would make it better?
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >>
> >> Charlie Sullivan
> >>
> >> Sr. Windows Systems Administrator
> >>
> >> Boston College
> >>
> >> 197 Foster St. Room 367
> >>
> >> Brighton, MA 02135
> >>
> >> 617-552-4318
> >
> >
>
>
>



Re: [NTSysADM] Advice: migrate to new file server

2018-01-30 Thread Michael Leone
On Mon, Jan 29, 2018 at 5:07 PM, Charles F Sullivan <
charles.sulliva...@bc.edu> wrote:

> By default it only copies changed files, no /a switch needed.
>


AH HA. Vital information/confirmation. Thanks. So if I do a /MIR this
weekend, I should (theoretically) be able to do the same command, say every
3-4 days, until the move (17 days until the move).  That should make the
final command, on the weekend of the move, relatively quick.

I will start testing the /MIR on some temp and test folders ...

Thanks!



> On Mon, Jan 29, 2018 at 3:15 PM, Michael Leone <oozerd...@gmail.com>
> wrote:
>
>> On Mon, Jan 29, 2018 at 2:57 PM, Charles F Sullivan <
>> charles.sulliva...@bc.edu> wrote:
>>
>>> I always use the /mir option when doing a migration like that. The
>>> reason is I have to do a "big" initial copy and then at least one delta
>>> copy. (I usually do the final copy after removing access by changing share
>>> perms or removing the share entirely so no further changes are made.) If I
>>> don't use the /mir option, users will likely end up with data that is no
>>> longer supposed to be present. (This assumes they will continue to have
>>> access to the old server while copy job is running.)
>>>
>>
>>
>> Hmmm ... well, this would be done after hours on a Friday, so I doubt
>> there would be any access. The idea is that the users go home Friday, and
>> come back Monday, and it's all done behind the scenes.
>>
>>
>>
>>> It's completely safe despite the warning in the help, at least in this
>>> scenario. Unless I'm missing something, the new server will not be
>>> accessible to users until you finish the migration, thus there should be no
>>> extra data which could get deleted.
>>>
>>
>>
>> I may test that this weekend, do a /MIR. Then I would need to only copy
>> things that have changed since then. Is that  the /A option?
>>
>>
>>> On Mon, Jan 29, 2018 at 2:27 PM, Michael Leone <oozerd...@gmail.com>
>>> wrote:
>>>
>>>> I'd like to impose once more for some advice and opinions. I have a Win
>>>> 2008 R2 file server; I need to migrate everything (shares and user home
>>>> folders) to a Win 2012 R2 Storage Server, and then retire the old server.
>>>> Everything is on 1 drive, with 3 main folders (Shares,Users,Scans), total
>>>> size in the neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total
>>>> bandwidth of 4G.
>>>>
>>>> I'm thinking of using robocopy. I would make a full copy over the weekend:
>>>>
>>>> Source=OldFS\F$
>>>> Destination=NewFs\d$
>>>>
>>>> RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP
>>>> /NFL /NDL /LOG+:
>>>>
>>>> That should get everything, NTFS security and all sub-folders. I
>>>> thought about the /MIR option, but I've never used it, and so am just a
>>>> touch leery (perhaps illogically).
>>>>
>>>> The end goal is to:
>>>> copy all the files and shares to the new FS;
>>>> re-name and re-IP the old FS;
>>>> power off the old FS;
>>>> re-name and re-IP the new FS to the old name.
>>>>
>>>>  (this way I can power up the old FS, just in case I need it for
>>>> something I've missed)
>>>>
>>>> That *should* make things transparent to the end users.
>>>>
>>>> (ordinarily, I would think about doing a restore from my backup program
>>>> Networker. But this is a remote site, and I believe that doing a local
>>>> robocopy will probably be faster than trying to restore 2TB of what is
>>>> probably a lot of small user files and folders across a 1G link)
>>>>
>>>> What have I missed? What would make it better?
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Charlie Sullivan
>>>
>>> Sr. Windows Systems Administrator
>>>
>>> Boston College
>>>
>>> 197 Foster St. Room 367
>>>
>>> Brighton, MA 02135
>>>
>>> 617-552-4318
>>>
>>
>>
>
>
> --
>
> Charlie Sullivan
>
> Sr. Windows Systems Administrator
>
> Boston College
>
> 197 Foster St. Room 367
>
> Brighton, MA 02135
>
> 617-552-4318
>
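
The initial-copy-then-delta plan discussed in this thread, as an added example that is not part of the original messages: a PowerShell wrapper that runs one robocopy /MIR pass, optionally as a /L (list-only) rehearsal, and turns the exit code and the log into a pass/fail result. The function name, the UNC paths in the usage comment and the log folder are placeholders.

```powershell
# Added example, not from the thread. Function name and paths are placeholders.
function Invoke-MirrorPass {
    [CmdletBinding()]
    param(
        # Avoid a trailing backslash on paths that contain spaces: the closing
        # quote gets escaped when the argument is handed to robocopy.exe.
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination,
        [Parameter(Mandatory = $true)][string]$LogDir,
        [switch]$ListOnly
    )

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log   = Join-Path $LogDir "robocopy-$stamp.log"

    # Switches from the thread: mirror the tree, copy data plus NTFS ACLs,
    # owner and auditing info, retry once, no percentage progress lines.
    $roboArgs = @($Source, $Destination, '/MIR', '/ZB', '/COPYALL',
                  '/R:1', '/W:1', '/NP', "/LOG:$log")
    if ($ListOnly) {
        # /L changes nothing. File names stay in the log so the "*EXTRA"
        # entries that /MIR would delete from the destination are visible.
        $roboArgs += '/L'
    } else {
        $roboArgs += '/NFL', '/NDL'
    }

    & robocopy.exe $roboArgs | Out-Null
    $code = $LASTEXITCODE

    # Error lines look like: "<timestamp> ERROR 5 (0x00000005) Copying File ..."
    $errorLines = @()
    $extraCount = 0
    if (Test-Path -LiteralPath $log) {
        $errorLines = @(Select-String -Path $log -Pattern 'ERROR\s+\d+\s+\(0x[0-9A-Fa-f]+\)' |
                        ForEach-Object { $_.Line.Trim() })
        $extraCount = @(Select-String -Path $log -Pattern '\*EXTRA (File|Dir)').Count
    }

    # The robocopy exit code is a bitmask; 8 or higher means something failed.
    New-Object PSObject -Property @{
        Log          = $log
        ExitCode     = $code
        FilesCopied  = [bool]($code -band 1)
        ExtrasFound  = [bool]($code -band 2)
        Mismatches   = [bool]($code -band 4)
        CopyFailures = [bool]($code -band 8)
        FatalError   = [bool]($code -band 16)
        Succeeded    = ($code -lt 8)
        ExtraEntries = $extraCount
        ErrorLines   = $errorLines
    }
}

# Rehearse first, review ExtraEntries, then run the real pass:
#   Invoke-MirrorPass -Source '\\OldFS\F$' -Destination '\\NewFs\d$' -LogDir 'C:\Logs' -ListOnly
#   $r = Invoke-MirrorPass -Source '\\OldFS\F$' -Destination '\\NewFs\d$' -LogDir 'C:\Logs'
#   if (-not $r.Succeeded) { $r.ErrorLines }
```

Exit codes 1 through 7 are success variants, so a scheduled task that treats any non-zero result as failure will misreport a normal delta pass.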



Re: [NTSysADM] Advice: migrate to new file server

2018-01-29 Thread Michael Leone
On Mon, Jan 29, 2018 at 3:10 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> Oh, yes
>
> My thoughts make the assumption that this will be done while users are
> not in play.
>


Nope, Friday after hours. On the upcoming holiday weekend (boo!).


>
> If that's not true, there are a couple of things that will need to be
> adjusted.
>
> - Still consider doing a first run with the /CREATE switch.
> - Can't shut down the server service, but probably still shouldn't
> need the /ZB switch. Instead, do a second full run (not the initial
> /CREATE run) after hours to pick up any changed data.
> - If a second full run is required, then the /MIR switch is useful
>
> Kurt
>
> On Mon, Jan 29, 2018 at 11:27 AM, Michael Leone <oozerd...@gmail.com>
> wrote:
> > I'd like to impose once more for some advice and opinions. I have a Win
> 2008
> > R2 file server; I need to migrate everything (shares and user home
> folders)
> > to a Win 2012 R2 Storage Server, and then retire the old server.
> Everything
> > is on 1 drive, with 3 main folders (Shares,Users,Scans), total size in
> the
> > neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total bandwidth of
> 4G.
> >
> > I'm thinking of using robocopy. I would make a full copy over the weekend:
> >
> > Source=OldFS\F$
> > Destination=NewFs\d$
> >
> > RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP /NFL
> > /NDL /LOG+:
> >
> > That should get everything, NTFS security and all sub-folders. I thought
> > about the /MIR option, but I've never used it, and so am just a touch
> leery
> > (perhaps illogically).
> >
> > The end goal is to:
> > copy all the files and shares to the new FS;
> > re-name and re-IP the old FS;
> > power off the old FS;
> > re-name and re-IP the new FS to the old name.
> >
> >  (this way I can power up the old FS, just in case I need it for
> something
> > I've missed)
> >
> > That *should* make things transparent to the end users.
> >
> > (ordinarily, I would think about doing a restore from my backup program
> > Networker. But this is a remote site, and I believe that doing a local
> > robocopy will probably be faster than trying to restore 2TB of what is
> > probably a lot of small user files and folders across a 1G link)
> >
> > What have I missed? What would make it better?
> >
> >
> >
>
>
>



Re: [NTSysADM] Advice: migrate to new file server

2018-01-29 Thread Michael Leone
On Mon, Jan 29, 2018 at 3:04 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> I'm hoping that the data is on a separate partition from the OS.
> That's pretty critical.
>


Yes, indeed. :-) I'm not a total newbie ... All data is drive E:. OS is C:,
applications are D:



>
> Some things to consider
>
> - /S is redundant to /E - use just the /E
> - /V will really slow down the copy job - I'd consider not using it,
> as I've found robocopy to be very robust.
>


A typo, you're right, the actual run won't include it.



> - If you shut down the server service on the old machine, you can use
> /R:0 and /W:0
>


D'OH! That never occurred to me .. good point.


> - Ditto for the /ZB switch - not needed in this situation, most
> likely, if the server service is shut down
> - If the partition on the new server is empty, you will not need /MIR
>

Just a couple of test sub-folders.


> - You might want to do a first run with just the /CREATE switch - it
> can really help mitigate disk/MFT fragmentation, and you won't
> need the /MIR switch
>


See, there's another thing that wouldn't have occurred to me. Thanks!



> - Don't forget to create the shares on the new machine
>


I export the  LANMAN reg key that lists shares, so I should just be able to
import it into the new server, to create the new shares.



> I won't go into using security in shares vs. NTFS, nor making sure
> that shares aren't set at the root of a drive - I have my own thoughts
> on those subjects, but that discussion is probably not relevant to
> your task (I hope).
>


Thanks! (BTW, the shares are all under a folder called ... wait for it ..
"Shares", at the root of the drive. LOL)



>
> Kurt
>
> On Mon, Jan 29, 2018 at 11:27 AM, Michael Leone <oozerd...@gmail.com>
> wrote:
> > I'd like to impose once more for some advice and opinions. I have a Win
> 2008
> > R2 file server; I need to migrate everything (shares and user home
> folders)
> > to a Win 2012 R2 Storage Server, and then retire the old server.
> Everything
> > is on 1 drive, with 3 main folders (Shares,Users,Scans), total size in
> the
> > neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total bandwidth of
> 4G.
> >
> > I'm thinking of using robocopy. I would make a full copy over the weekend:
> >
> > Source=OldFS\F$
> > Destination=NewFs\d$
> >
> > RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP /NFL
> > /NDL /LOG+:
> >
> > That should get everything, NTFS security and all sub-folders. I thought
> > about the /MIR option, but I've never used it, and so am just a touch
> leery
> > (perhaps illogically).
> >
> > The end goal is to:
> > copy all the files and shares to the new FS;
> > re-name and re-IP the old FS;
> > power off the old FS;
> > re-name and re-IP the new FS to the old name.
> >
> >  (this way I can power up the old FS, just in case I need it for
> something
> > I've missed)
> >
> > That *should* make things transparent to the end users.
> >
> > (ordinarily, I would think about doing a restore from my backup program
> > Networker. But this is a remote site, and I believe that doing a local
> > robocopy will probably be faster than trying to restore 2TB of what is
> > probably a lot of small user files and folders across a 1G link)
> >
> > What have I missed? What would make it better?
> >
> >
> >
>
>
>



Re: [NTSysADM] Advice: migrate to new file server

2018-01-29 Thread Michael Leone
On Mon, Jan 29, 2018 at 2:57 PM, Charles F Sullivan <
charles.sulliva...@bc.edu> wrote:

> I always use the /mir option when doing a migration like that. The reason
> is I have to do a "big" initial copy and then at least one delta copy. (I
> usually do the final copy after removing access by changing share perms or
> removing the share entirely so no further changes are made.) If I don't use
> the /mir option, users will likely end up with data that is no longer
> supposed to be present. (This assumes they will continue to have access to
> the old server while copy job is running.)
>


Hmmm ... well, this would be done after hours on a Friday, so I doubt there
would be any access. The idea is that the users go home Friday, and come
back Monday, and it's all done behind the scenes.



> It's completely safe despite the warning in the help, at least in this
> scenario. Unless I'm missing something, the new server will not be
> accessible to users until you finish the migration, thus there should be no
> extra data which could get deleted.
>


I may test that this weekend, do a /MIR. Then I would need to only copy
things that have changed since then. Is that  the /A option?


> On Mon, Jan 29, 2018 at 2:27 PM, Michael Leone <oozerd...@gmail.com>
> wrote:
>
>> I'd like to impose once more for some advice and opinions. I have a Win
>> 2008 R2 file server; I need to migrate everything (shares and user home
>> folders) to a Win 2012 R2 Storage Server, and then retire the old server.
>> Everything is on 1 drive, with 3 main folders (Shares,Users,Scans), total
>> size in the neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total
>> bandwidth of 4G.
>>
>> I'm thinking of using robocopy. I would make a full copy over the weekend:
>>
>> Source=OldFS\F$
>> Destination=NewFs\d$
>>
>> RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP /NFL
>> /NDL /LOG+:
>>
>> That should get everything, NTFS security and all sub-folders. I thought
>> about the /MIR option, but I've never used it, and so am just a touch leery
>> (perhaps illogically).
>>
>> The end goal is to:
>> copy all the files and shares to the new FS;
>> re-name and re-IP the old FS;
>> power off the old FS;
>> re-name and re-IP the new FS to the old name.
>>
>>  (this way I can power up the old FS, just in case I need it for
>> something I've missed)
>>
>> That *should* make things transparent to the end users.
>>
>> (ordinarily, I would think about doing a restore from my backup program
>> Networker. But this is a remote site, and I believe that doing a local
>> robocopy will probably be faster than trying to restore 2TB of what is
>> probably a lot of small user files and folders across a 1G link)
>>
>> What have I missed? What would make it better?
>>
>>
>>
>>
>
>
> --
>
> Charlie Sullivan
>
> Sr. Windows Systems Administrator
>
> Boston College
>
> 197 Foster St. Room 367
>
> Brighton, MA 02135
>
> 617-552-4318
>



[NTSysADM] Advice: migrate to new file server

2018-01-29 Thread Michael Leone
I'd like to impose once more for some advice and opinions. I have a Win
2008 R2 file server; I need to migrate everything (shares and user home
folders) to a Win 2012 R2 Storage Server, and then retire the old server.
Everything is on 1 drive, with 3 main folders (Shares,Users,Scans), total
size in the neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total
bandwidth of 4G.

I'm thinking of using robocopy. I would make a full copy over the weekend:

Source=OldFS\F$
Destination=NewFs\d$

RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP /NFL
/NDL /LOG+:

That should get everything, NTFS security and all sub-folders. I thought
about the /MIR option, but I've never used it, and so am just a touch leery
(perhaps illogically).

The end goal is to:
copy all the files and shares to the new FS;
re-name and re-IP the old FS;
power off the old FS;
re-name and re-IP the new FS to the old name.

 (this way I can power up the old FS, just in case I need it for something
I've missed)

That *should* make things transparent to the end users.

(ordinarily, I would think about doing a restore from my backup program
Networker. But this is a remote site, and I believe that doing a local
robocopy will probably be faster than trying to restore 2TB of what is
probably a lot of small user files and folders across a 1G link)

What have I missed? What would make it better?



[NTSysADM] Moving share/printer definitions from Win 2008 R2 to Win 2012 R2 Storage Server

2018-01-29 Thread Michael Leone
At the moment, I am using a Win 2008 R2 server as file/print server. I want
to replace that with a Win 2012 R2 Storage Server. Now, I remember that in
order to copy share definitions, you used to be able to export the reg key

HKLM\System\CurrentControlSet\Services\LanmanServer\Shares

to save the share definitions, and then import that same key elsewhere, to
re-create the shares.

Does that still work on Win 2012 R2 Storage Services, to create share
definitions?

Similarly, doing "PrintBRM -B -F " would save your printer definitions to a
file, which could then be imported with "PrintBRM -R -F" to re-create the
printer definitions?

Does that still work on Win 2012 R2 Storage Services , to create printers?
I'd need to import newer drivers, I think ...

Thanks. This got handed to me today, to be done in a couple weeks (!).
Nothing like planning, I mean, it's not like I've got nothing else to do
with my time ...
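
A check to run on the new server after importing the exported key, as an added example that is not part of the original message: it reads every share definition under LanmanServer\Shares, flags shares whose `Path=` does not exist on this machine (relevant when the data drive letter changes between servers), and decodes the share ACL stored under the `Security` subkey to SDDL so it can be compared with the old server. The function name is a placeholder.

```powershell
# Added example, not from the thread. Run elevated on the server being checked.
function Get-ShareDefinition {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
    )

    $shares   = Get-Item -LiteralPath $KeyPath
    # Share permissions live in a subkey as one binary security descriptor per share.
    $security = Get-Item -LiteralPath (Join-Path $KeyPath 'Security') -ErrorAction SilentlyContinue

    foreach ($name in $shares.GetValueNames()) {
        # Each share is a REG_MULTI_SZ of "Name=Value" strings (Path=, Remark=, Type=, ...).
        $fields = @{}
        foreach ($entry in @($shares.GetValue($name))) {
            $pair = $entry -split '=', 2
            if ($pair.Count -eq 2) { $fields[$pair[0]] = $pair[1] }
        }

        $sddl = $null
        if ($security -and ($security.GetValueNames() -contains $name)) {
            $bytes = [byte[]]$security.GetValue($name)
            $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
            $sddl  = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
        }

        $path = $fields['Path']
        New-Object PSObject -Property @{
            ShareName  = $name
            Path       = $path
            PathExists = [bool]($path -and (Test-Path -LiteralPath $path))
            Type       = $fields['Type']
            ShareAcl   = $sddl   # $null means no stored descriptor for this share
        } | Select-Object ShareName, Path, PathExists, Type, ShareAcl
    }
}

# Shares that would point at a folder that is not there:
#   Get-ShareDefinition | Where-Object { -not $_.PathExists }
# Save the listing on both servers and diff the ShareAcl column:
#   Get-ShareDefinition | Export-Csv .\shares-new.csv -NoTypeInformation
```

The Server service reads this key when it starts, so imported definitions only become live shares after the service is restarted or the machine rebooted.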



Re: [NTSysADM] Scheduling updates on a DC via GPO isn't working

2018-01-27 Thread Michael Leone
Never had to set it for the other GPOs, all have these same

On Fri, Jan 26, 2018 at 12:52 PM, Joe Tinney <j...@joetinney.com> wrote:

> Is it the Automatic Maintenance feature messing with you?
>
> https://blogs.technet.microsoft.com/wsus/2013/10/08/
> enabling-a-more-predictable-windows-update-experience-for-
> windows-8-and-windows-server-2012-kb-2885694/
>
>
>
>
> On Jan 26, 2018 11:06, "Susan Bradley" <sbrad...@pacbell.net> wrote:
>
> Well at least on my Windows 10's that misbehave like this I've never ever
> seen a message in the log file indicating anything.
>
> I also set the policy, "Always automatically restart at the scheduled time"
>
> On 1/26/2018 7:09 AM, Michael Leone wrote:
>
> DC OS is Win 2012 R2. And yes, the option to reboot with logged in
> users is disabled. Not that I leave a DC with a logged in user
> overnight; I always log out when I am done, so there was no logged on
> user at the time the updates were supposed to install. Even if so, I
> should have seen a message to that effect in a log, shouldn't I?
>
> On Fri, Jan 26, 2018 at 9:29 AM, Susan Bradley <sbrad...@pacbell.net> wrote:
>
> What OS?
>
> and did you set the setting to not reboot if a user is logged in?
>
>
> On 1/26/2018 5:44 AM, Michael Leone wrote:
>
> I can't tell what I am doing wrong (I'm practically certain it's my
> fault, but I don't know where ... yet). I want to schedule automatic
> updates using WSUS to my domain controllers. So I created new AD
> groups (multiple groups, because I want to stagger the rebooting of
> DCs - I have 6). And I made a series of new GPOs, and set them to
> automatically download and schedule install, all at different hours
> and different days. Filtered them to the new AD groups, linked them to
> the "Domain Controllers" OU.
>
> So one was supposed to happen this morning at 5 AM. Nothing. No reboot.
>
> I check the host, and both "gpresult /r" and rsop.msc are telling me
> the same thing - updates are scheduled to be installed Friday at 5 AM.
> The specific GPO that this DC is supposed to use is actually being
> applied, it says.
>
> And there are 5 important updates waiting, so I know that it checked
> in with WSUS, and found what it should. So it should have done
> *something*.
>
> But no installation today, no reboot. No interesting entries in event
> log. Nothing interesting in windowsupdate log - it says it found 5
> updates, but nothing about installing the durn things ...
>
> This should work, right? No reason I can't create a GPO to
> automatically install Windows Updates via WSUS, right?
>
>
>
>
>
>
>



Re: [NTSysADM] Scheduling updates on a DC via GPO isn't working

2018-01-26 Thread Michael Leone
On Fri, Jan 26, 2018 at 11:03 AM, Susan Bradley <sbrad...@pacbell.net>
wrote:
> Well at least on my Windows 10's that misbehave like this I've never ever
> seen a message in the log file indicating anything.
>
> I also set the policy, "Always automatically restart at the scheduled
time"

Already is set ...




>
>
> On 1/26/2018 7:09 AM, Michael Leone wrote:
>
> DC OS is Win 2012 R2. And yes, the option to reboot with logged in
> users is disabled. Not that I leave a DC with a logged in user
> overnight; I always log out when I am done, so there was no logged on
> user at the time the updates were supposed to install. Even if so, I
> should have seen a message to that effect in a log, shouldn't I?
>
> On Fri, Jan 26, 2018 at 9:29 AM, Susan Bradley <sbrad...@pacbell.net>
wrote:
>
> What OS?
>
> and did you set the setting to not reboot if a user is logged in?
>
>
> On 1/26/2018 5:44 AM, Michael Leone wrote:
>
> I can't tell what I am doing wrong (I'm practically certain it's my
> fault, but I don't know where ... yet). I want to schedule automatic
> updates using WSUS to my domain controllers. So I created new AD
> groups (multiple groups, because I want to stagger the rebooting of
> DCs - I have 6). And I made a series of new GPOs, and set them to
> automatically download and schedule install, all at different hours
> and different days. Filtered them to the new AD groups, linked them to
> the "Domain Controllers" OU.
>
> So one was supposed to happen this morning at 5 AM. Nothing. No reboot.
>
> I check the host, and both "gpresult /r" and rsop.msc are telling me
> the same thing - updates are scheduled to be installed Friday at 5 AM.
> The specific GPO that this DC is supposed to use is actually being
> applied, it says.
>
> And there are 5 important updates waiting, so I know that it checked
> in with WSUS, and found what it should. So it should have done
> *something*.
>
> But no installation today, no reboot. No interesting entries in event
> log. Nothing interesting in windowsupdate log - it says it found 5
> updates, but nothing about installing the durn things ...
>
> This should work, right? No reason I can't create a GPO to
> automatically install Windows Updates via WSUS, right?
>
>
>
>
>
>
>
>



Re: [NTSysADM] Scheduling updates on a DC via GPO isn't working

2018-01-26 Thread Michael Leone
DC OS is Win 2012 R2. And yes, the option to reboot with logged in
users is disabled. Not that I leave a DC with a logged in user
overnight; I always log out when I am done, so there was no logged on
user at the time the updates were supposed to install. Even if so, I
should have seen a message to that effect in a log, shouldn't I?

On Fri, Jan 26, 2018 at 9:29 AM, Susan Bradley <sbrad...@pacbell.net> wrote:
> What OS?
>
> and did you set the setting to not reboot if a user is logged in?
>
>
> On 1/26/2018 5:44 AM, Michael Leone wrote:
>>
>> I can't tell what I am doing wrong (I'm practically certain it's my
>> fault, but I don't know where ... yet). I want to schedule automatic
>> updates using WSUS to my domain controllers. So I created new AD
>> groups (multiple groups, because I want to stagger the rebooting of
>> DCs - I have 6). And I made a series of new GPOs, and set them to
>> automatically download and schedule install, all at different hours
>> and different days. Filtered them to the new AD groups, linked them to
>> the "Domain Controllers" OU.
>>
>> So one was supposed to happen this morning at 5 AM. Nothing. No reboot.
>>
>> I check the host, and both "gpresult /r" and rsop.msc are telling me
>> the same thing - updates are scheduled to be installed Friday at 5 AM.
>> The specific GPO that this DC is supposed to use is actually being
>> applied, it says.
>>
>> And there are 5 important updates waiting, so I know that it checked
>> in with WSUS, and found what it should. So it should have done
>> *something*.
>>
>> But no installation today, no reboot. No interesting entries in event
>> log. Nothing interesting in windowsupdate log - it says it found 5
>> updates, but nothing about installing the durn things ...
>>
>> This should work, right? No reason I can't create a GPO to
>> automatically install Windows Updates via WSUS, right?
>>
>>
>>
>
>
>




Re: [NTSysADM] Can't run Powershell SpeculationControl check on Win 2008 R2

2018-01-18 Thread Michael Leone
On Thu, Jan 18, 2018 at 9:48 AM, Michael Leone <oozerd...@gmail.com> wrote:

> On Thu, Jan 18, 2018 at 9:32 AM, Michael B. Smith <mich...@smithcons.com>
> wrote:
>
>> It hasn’t been validated on anything older than PSv3.
>>
>>
>>
>
>
> 
>
> We don't automatically install upgraded Powershell or WMF.  Now, if I have
> to do so just to run this script, that would be an extra reboot. I'd
> probably have to import it into WSUS, and approve it for the next round of
> patches.
>
> Wish there was a utility I could use to verify remotely. I found
> references on using this script to do it, but that requires enabling PS
> Remoting first ...
>


Here's a script that does check remotely. Again, PS-Remoting needs to be
enabled, but I could probably do that via GPO ...


https://github.com/vrdse/MeltdownSpectreReport


>
> Thanks
>
>



Re: [NTSysADM] Can't run Powershell SpeculationControl check on Win 2008 R2

2018-01-18 Thread Michael Leone
On Thu, Jan 18, 2018 at 9:32 AM, Michael B. Smith 
wrote:

> It hasn’t been validated on anything older than PSv3.
>
>
>




We don't automatically install upgraded Powershell or WMF.  Now, if I have
to do so just to run this script, that would be an extra reboot. I'd
probably have to import it into WSUS, and approve it for the next round of
patches.

Wish there was a utility I could use to verify remotely. I found references
on using this script to do it, but that requires enabling PS Remoting first
...

Thanks



[NTSysADM] Can't run Powershell SpeculationControl check on Win 2008 R2

2018-01-18 Thread Michael Leone
I downloaded the SpeculationControl PS module to a Win 2008 R2 host. This
still only has Powershell v2 on it. I can't import the module, it
complains  that the manifest contains invalid members.

I can run this on my Win 7 workstation, where I am running v5.

Is there a minimum required PS version for importing this module? I haven't
found any information about required versions ...



Re: [NTSysADM] Using PS to query date of latest Windows Updates installed

2018-01-17 Thread Michael Leone
On Wed, Jan 17, 2018 at 12:59 PM, David L Herrick 
wrote:

> What OS version?
>


Win 7, running WMF 5.0.



> A Windows Update module is available on Windows versions 1709 and later.
> This includes Windows 10 Fall Creators Update, Windows Server 1709 and
> Windows Insider previews (Server and Client) post the 1709 release.
>
> The module supplies the following cmdlets
>
> Get-WUAVersion
> Get-WUIsPendingReboot
> Get-WULastInstallationDate
> Get-WULastScanSuccessDate
> Install-WUUpdates
> Start-WUScan
>
>
>

I guess that explains that, then ...
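
For hosts without that module, such as the Win 7 / WMF 5.0 machine above, an added example (not part of the original messages) that answers the "when were updates last installed" question one row per client with Get-HotFix, plus a local query of the Windows Update Agent COM object. The function names are placeholders, and the host names in the usage comment are the ones used in the thread's Get-HotFix one-liner.

```powershell
# Added example, not from the thread. Function names are placeholders.
function Get-LastHotFixDate {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $row = @{ ComputerName = $computer; LastInstalled = $null; HotFixID = $null; Error = $null }
        try {
            # Get-HotFix reads Win32_QuickFixEngineering over WMI, so no PS Remoting
            # is required. InstalledOn can be empty on some entries; skip those.
            $latest = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn |
                Select-Object -Last 1
            if ($latest) {
                $row.LastInstalled = $latest.InstalledOn
                $row.HotFixID      = $latest.HotFixID
            } else {
                $row.Error = 'No hotfix entries with an install date'
            }
        } catch {
            # Unreachable host, firewall, access denied: keep the row so the
            # report shows which clients could not be checked.
            $row.Error = $_.Exception.Message
        }
        New-Object PSObject -Property $row |
            Select-Object ComputerName, LastInstalled, HotFixID, Error
    }
}

function Get-LocalWuaDate {
    # Local machine only: asks the Windows Update Agent itself.
    # The agent reports both timestamps in UTC.
    $results = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
    New-Object PSObject -Property @{
        LastSearchSuccessUtc  = $results.LastSearchSuccessDate
        LastInstallSuccessUtc = $results.LastInstallationSuccessDate
    } | Select-Object LastSearchSuccessUtc, LastInstallSuccessUtc
}

# Oldest patch date first, so stale clients are at the top of the report:
#   Get-LastHotFixDate -ComputerName work1, work2, work3 |
#       Sort-Object LastInstalled | Format-Table -AutoSize
```

Get-HotFix only sees updates recorded in Win32_QuickFixEngineering and gives a date without a time, so a client patched only through other installers can look older than it is.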



Re: [NTSysADM] Using PS to query date of latest Windows Updates installed

2018-01-17 Thread Michael Leone
On Wed, Jan 17, 2018 at 12:27 PM, Melvin Backus 
wrote:

> Isn’t Get-WULastInstallationDate giving you what you’re looking for?
>

It would be indeed! Presuming that it worked for me ... (and yes, that's an
elevated session ...)

PS SQLSERVER:\> Get-WULastInstallationDate
Get-WULastInstallationDate : The term 'Get-WULastInstallationDate' is not
recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:1 char:1
+ Get-WULastInstallationDate
+ ~~
+ CategoryInfo  : ObjectNotFound:
(Get-WULastInstallationDate:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException




> On my system it gives me a date like so:
>
>
>
> Wednesday, January 10, 2018 6:06:35 AM
>


I would like that output, yes. LOL



Re: [NTSysADM] Using PS to query date of latest Windows Updates installed

2018-01-17 Thread Michael Leone
On Wed, Jan 17, 2018 at 11:33 AM, Webster <webs...@carlwebster.com> wrote:

> And you are running from an elevated PoSH session?
>


Yes, I did a run as administrator, and got the same result.



>
>
>
>
> Webster
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Wednesday, January 17, 2018 10:27 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* Re: [NTSysADM] Using PS to query date of latest Windows
> Updates installed
>
>
>
> 
>
>
>
> PS P:\software\PHA Scripts> Get-Help Get-WULastResults
>
>
>
> NAME
>
> Get-WULastResults
>
>
>
> SYNOPSIS
>
> Get Windows Update results.
>
>
>
>
>
> SYNTAX
>
> Get-WULastResults [-ComputerName <string[]>] [-Debuger
> ] [-PSWUSettings ] [-SendReport
> ]
>
> []
>
>
>
>
>
> DESCRIPTION
>
> Use Get-WULastResults cmdlet to get Windows Update
> LastSearchSuccessDate and LastInstallationSuccessDate.
>
>
>
>
>
> RELATED LINKS
>
> Author Blog http://commandlinegeeks.com/
>
>
>
> REMARKS
>
> To see the examples, type: "get-help Get-WULastResults -examples".
>
> For more information, type: "get-help Get-WULastResults -detailed".
>
> For technical information, type: "get-help Get-WULastResults -full".
>
> For online help, type: "get-help Get-WULastResults -online"
>
>
>
>
>
>
>
> PS P:\software\PHA Scripts> Get-WULastResults
>
> WARNING: To perform some operations you must run an elevated Windows
> PowerShell console.
>
> Get-WULastResults : Object reference not set to an instance of an object.
>
> At line:1 char:1
>
> + Get-WULastResults
>
> + ~
>
> + CategoryInfo  : NotSpecified: (:) [Get-WULastResults],
> NullReferenceException
>
> + FullyQualifiedErrorId : System.NullReferenceException,
> PSWindowsUpdate.GetWULastResults
>
>
>
>
>
> So this cmdlet should return exactly what I am looking for, but for some
> reason it isn't working for me ...
>
>
>
> On Tue, Jan 16, 2018 at 4:46 PM, Michael Leone <oozerd...@gmail.com>
> wrote:
>
> On Tue, Jan 16, 2018 at 4:31 PM, Matt Stork <mst...@northwestern.edu>
> wrote:
>
> I find the Get-WUHistory from the PSWindowsUpdate module provides far more
> useful information regarding which updates are installed. It has an option
> -SendReport but the help for the cmdlet does not provide any information on
> how to use the option.
>
>
>
>
>
> For the purposes of this report, I don't need any more detail than "When
> were updates last applied?".
>
>
>
>
>
> Thanks,
> -Matt
>
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Kurt Buff
> Sent: Tuesday, January 16, 2018 2:51 PM
> To: ntsysadm <ntsysadm@lists.myitforum.com>
> Subject: Re: [NTSysADM] Using PS to query date of latest Windows Updates
> installed
>
> help get-hotfix -full
>
> For your purposes this might work, if you have a small number of computers:
> ( get-hotfix -computername work1, work2, work3 | sort installedon )[-1]
>
> Kurt
>
> On Tue, Jan 16, 2018 at 12:37 PM, Michael Leone <oozerd...@gmail.com>
> wrote:
> > I'm drawing a blank on this. I need to query a set of clients, and return
> > the date that Windows Updates was last run (date updates were installed).
> > Then I will email this to the appropriate person.
> >
> > I'm finding lots of ways to query for the list of needed updates, or a
> list
> > of the installed updates,  but not for the last date/time when updates
> were
> > actually installed. Clue/pointer, anyone? I remember something about a
> user
> > created WSUS module that might have that as a function, but for the life
> of
> > me, I'm not finding it.
> >
> > Thanks
> >
> > (I originally sent this to the powersh...@lists.myitforum.com , but it
> said
> > I didn't have permission to post there. Dunno why, I used to be able to
> post
> > there .. and the return message didn't include instructions on how to
> sign
> > back up)
> >
>
>
>
>
>



Re: [NTSysADM] Using PS to query date of latest Windows Updates installed

2018-01-17 Thread Michael Leone


PS P:\software\PHA Scripts> Get-Help Get-WULastResults

NAME
Get-WULastResults

SYNOPSIS
Get Windows Update results.


SYNTAX
Get-WULastResults [-ComputerName <string[]>] [-Debuger
] [-PSWUSettings ] [-SendReport
]
[]


DESCRIPTION
Use Get-WULastResults cmdlet to get Windows Update
LastSearchSuccessDate and LastInstallationSuccessDate.


RELATED LINKS
Author Blog http://commandlinegeeks.com/

REMARKS
To see the examples, type: "get-help Get-WULastResults -examples".
For more information, type: "get-help Get-WULastResults -detailed".
For technical information, type: "get-help Get-WULastResults -full".
For online help, type: "get-help Get-WULastResults -online"



PS P:\software\PHA Scripts> Get-WULastResults
WARNING: To perform some operations you must run an elevated Windows
PowerShell console.
Get-WULastResults : Object reference not set to an instance of an object.
At line:1 char:1
+ Get-WULastResults
+ ~
+ CategoryInfo  : NotSpecified: (:) [Get-WULastResults],
NullReferenceException
+ FullyQualifiedErrorId :
System.NullReferenceException,PSWindowsUpdate.GetWULastResults


So this cmdlet should return exactly what I am looking for, but for some
reason it isn't working for me ...

On Tue, Jan 16, 2018 at 4:46 PM, Michael Leone <oozerd...@gmail.com> wrote:

> On Tue, Jan 16, 2018 at 4:31 PM, Matt Stork <mst...@northwestern.edu>
> wrote:
>
>> I find the Get-WUHistory from the PSWindowsUpdate module provides far
>> more useful information regarding which updates are installed. It has an
>> option -SendReport but the help for the cmdlet does not provide any
>> information on how to use the option.
>>
>
>
> For the purposes of this report, I don't need any more detail than "When
> were updates last applied?".
>
>
>
>> Thanks,
>> -Matt
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>> orum.com] On Behalf Of Kurt Buff
>> Sent: Tuesday, January 16, 2018 2:51 PM
>> To: ntsysadm <ntsysadm@lists.myitforum.com>
>> Subject: Re: [NTSysADM] Using PS to query date of latest Windows Updates
>> installed
>>
>> help get-hotfix -full
>>
>> For your purposes this might work, if you have a small number of
>> computers:
>> ( get-hotfix -computername work1, work2, work3 | sort installedon )[-1]
>>
>> Kurt
>>
>> On Tue, Jan 16, 2018 at 12:37 PM, Michael Leone <oozerd...@gmail.com>
>> wrote:
>> > I'm drawing a blank on this. I need to query a set of clients, and return
>> > the date that Windows Updates was last run (date updates were installed).
>> > Then I will email this to the appropriate person.
>> >
>> > I'm finding lots of ways to query for the list of needed updates, or a list
>> > of the installed updates, but not for the last date/time when updates were
>> > actually installed. Clue/pointer, anyone? I remember something about a user
>> > created WSUS module that might have that as a function, but for the life of
>> > me, I'm not finding it.
>> >
>> > Thanks
>> >
>> > (I originally sent this to the powersh...@lists.myitforum.com , but it said
>> > I didn't have permission to post there. Dunno why, I used to be able to post
>> > there .. and the return message didn't include instructions on how to sign
>> > back up)
>> >
>>
>>
>>
>
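
Added example (not part of the original thread, and not code from the PSWindowsUpdate module): one way to collect a last-install date per machine, combining the Windows Update Agent's LastInstallationSuccessDate named in the help text above with the Get-HotFix approach suggested in this thread. The function name and computer names are assumptions, and the agent query assumes PowerShell remoting (WinRM) is enabled on the targets.

```powershell
# Added example, not from the thread. Function name and computer names are
# placeholders chosen for illustration.
function Get-LastUpdateInstallDate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($computer in $ComputerName) {
        $agentDate  = $null
        $hotfixDate = $null
        $problems   = @()

        try {
            # Ask the Windows Update Agent on the target itself. The COM object
            # is created remotely, so this needs WinRM; the date is in UTC.
            $agentDate = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastInstallationSuccessDate
            }
        }
        catch {
            $problems += "Update Agent query failed: $($_.Exception.Message)"
        }

        try {
            # Cross-check with the newest InstalledOn value from Get-HotFix.
            # Get-HotFix reads Win32_QuickFixEngineering, so it only sees
            # OS-level updates, and some entries carry no InstalledOn date.
            $hotfixDate = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object -Property InstalledOn |
                Select-Object -Last 1 -ExpandProperty InstalledOn
        }
        catch {
            $problems += "Get-HotFix failed: $($_.Exception.Message)"
        }

        # One row per computer, so an unreachable machine shows up in the
        # report instead of silently dropping out of it.
        [pscustomobject]@{
            ComputerName     = $computer
            LastInstallUtc   = $agentDate
            NewestHotfixDate = $hotfixDate
            Problems         = $problems -join '; '
        }
    }
}

# Usage with placeholder names:
# Get-LastUpdateInstallDate -ComputerName work1, work2, work3 |
#     Sort-Object LastInstallUtc | Format-Table -AutoSize
```

Sorting the result by LastInstallUtc puts the machines that have gone longest without a successful install at the top of the report.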



Re: [NTSysADM] Using PS to query date of latest Windows Updates installed

2018-01-17 Thread Michael Leone
Well, that's very close, yes. I can do a "Get-WUHistory -MaxDate xxx", and
it shows me all the updates since the specified date. But I don't need the
detail, only the last installed date. So I'd have to parse that output.

I will keep poking ... That value shows up when you look at Windows Updates
in a Control Panel, so it has to be *somewhere*. :-) I just have to figure
out where it is, and how to get it.

Thanks!

On Tue, Jan 16, 2018 at 5:02 PM, Michael B. Smith <mich...@smithcons.com>
wrote:

> Seems pretty clear from the raw docs:
>
> 
>  pipelineInput="false" position="named">
>   PSWUSettings
>   
> Required parameter for -SendReport.
> Passes the parameters (as hashtable) necessary to
> send the report: \r\n@{SmtpServer="your.smtp.server";From="sender@email.
> address";To="recipient@email.address";[Port=25];[Subject="Alternative
> Subject"];[Properties="Alternative object properties"];[Style="Table|
> List"]}
> Send parameters can also be saved to a
> PSWUSettings.xml file in ModuleBase path: \r\nExport-Clixml
> @{SmtpServer="your.smtp.server";From="sender@email.
> address";To="recipient@email.address";[Port=25]}"
>   
>   Hashtable command:parameterValue>
>   
> System.Collections.Hashtable
> 
>   
>   System.Collections.Hashtable defaultValue>
> 
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Matt Stork
> Sent: Tuesday, January 16, 2018 4:32 PM
> To: ntsysadm@lists.myitforum.com
> Subject: RE: [NTSysADM] Using PS to query date of latest Windows Updates
> installed
>
> I find the Get-WUHistory from the PSWindowsUpdate module provides far more
> useful information regarding which updates are installed. It has an option
> -SendReport but the help for the cmdlet does not provide any information on
> how to use the option.
> Thanks,
> -Matt
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Kurt Buff
> Sent: Tuesday, January 16, 2018 2:51 PM
> To: ntsysadm <ntsysadm@lists.myitforum.com>
> Subject: Re: [NTSysADM] Using PS to query date of latest Windows Updates
> installed
>
> help get-hotfix -full
>
> For your purposes this might work, if you have a small number of computers:
> ( get-hotfix -computername work1, work2, work3 | sort installedon )[-1]
>
> Kurt
>
> On Tue, Jan 16, 2018 at 12:37 PM, Michael Leone <oozerd...@gmail.com>
> wrote:
> > I'm drawing a blank on this. I need to query a set of clients, and return
> > the date that Windows Updates was last run (date updates were installed).
> > Then I will email this to the appropriate person.
> >
> > I'm finding lots of ways to query for the list of needed updates, or a list
> > of the installed updates, but not for the last date/time when updates were
> > actually installed. Clue/pointer, anyone? I remember something about a user
> > created WSUS module that might have that as a function, but for the life of
> > me, I'm not finding it.
> >
> > Thanks
> >
> > (I originally sent this to the powersh...@lists.myitforum.com , but it said
> > I didn't have permission to post there. Dunno why, I used to be able to post
> > there .. and the return message didn't include instructions on how to sign
> > back up)
> >
>
>
>



Re: [NTSysADM] Using PS to query date of latest Windows Updates installed

2018-01-16 Thread Michael Leone
On Tue, Jan 16, 2018 at 4:31 PM, Matt Stork <mst...@northwestern.edu> wrote:

> I find the Get-WUHistory from the PSWindowsUpdate module provides far more
> useful information regarding which updates are installed. It has an option
> -SendReport but the help for the cmdlet does not provide any information on
> how to use the option.
>


For the purposes of this report, I don't need any more detail than "When
were updates last applied?".



> Thanks,
> -Matt
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Kurt Buff
> Sent: Tuesday, January 16, 2018 2:51 PM
> To: ntsysadm <ntsysadm@lists.myitforum.com>
> Subject: Re: [NTSysADM] Using PS to query date of latest Windows Updates
> installed
>
> help get-hotfix -full
>
> For your purposes this might work, if you have a small number of computers:
> ( get-hotfix -computername work1, work2, work3 | sort installedon )[-1]
>
> Kurt
>
> On Tue, Jan 16, 2018 at 12:37 PM, Michael Leone <oozerd...@gmail.com>
> wrote:
> > I'm drawing a blank on this. I need to query a set of clients, and return
> > the date that Windows Updates was last run (date updates were installed).
> > Then I will email this to the appropriate person.
> >
> > I'm finding lots of ways to query for the list of needed updates, or a list
> > of the installed updates, but not for the last date/time when updates were
> > actually installed. Clue/pointer, anyone? I remember something about a user
> > created WSUS module that might have that as a function, but for the life of
> > me, I'm not finding it.
> >
> > Thanks
> >
> > (I originally sent this to the powersh...@lists.myitforum.com , but it said
> > I didn't have permission to post there. Dunno why, I used to be able to post
> > there .. and the return message didn't include instructions on how to sign
> > back up)
> >
>
>
>



[NTSysADM] Using PS to query date of latest Windows Updates installed

2018-01-16 Thread Michael Leone
I'm drawing a blank on this. I need to query a set of clients, and return
the date that Windows Updates was last run (date updates were installed).
Then I will email this to the appropriate person.

I'm finding lots of ways to query for the list of needed updates, or a list
of the installed updates,  but not for the last date/time when updates were
actually installed. Clue/pointer, anyone? I remember something about a user
created WSUS module that might have that as a function, but for the life of
me, I'm not finding it.

Thanks

(I originally sent this to the powersh...@lists.myitforum.com , but it said
I didn't have permission to post there. Dunno why, I used to be able to
post there .. and the return message didn't include instructions on how to
sign back up)



Re: [NTSysADM] Are the Meltdown/Spectre reg keys needed for workstations?

2018-01-09 Thread Michael Leone
On Tue, Jan 9, 2018 at 5:08 PM, Mike  wrote:

> For CVE-2017-5754 [rogue data cache load] you are good as the PCID line
> doesn't impact security.
> For CVE-2017-5715 [branch target injection] you need a
> microcode/BIOS/firmware update.
>
> The Windows patch is installed
> *Windows OS support for branch target injection mitigation is present:
> True*
>
> But the hardware isn't fixed...
> *Hardware support for branch target injection mitigation is present: False*
>
> Which is causing the patch to be disabled...
> *Windows OS support for branch target injection mitigation is disabled by
> absence of hardware support: True*
>
> As shown here...
> *Windows OS support for branch target injection mitigation is enabled:
> False*
>
> Once the hardware gets its fix the last two should go True.
>


Well, due to the age of the systems involved (5+ years old), I don't really
expect to see a hardware fix, although I might be wrong. Haven't seen a
firmware upgrade in 2-3 years, for either machine ..

So I'm not really protected. Oh, goodie ...
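
Added example (not from the thread and not part of Microsoft's SpeculationControl script): a small function that turns the boolean properties returned by Get-SpeculationControlSettings into the per-CVE conclusion walked through in the quoted explanation above. The function name is an assumption; the two sample objects are typed in from the outputs posted in these threads.

```powershell
# Added example, not from the thread. The function name is hypothetical; the
# property names are the ones shown in the Get-SpeculationControlSettings
# output posted in these threads.
function Resolve-SpeculationControlState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Settings
    )
    process {
        # CVE-2017-5715 (branch target injection): the OS patch alone is not
        # enough; Windows only enables it once microcode/BIOS/firmware support
        # is present.
        $bti = if ($Settings.BTIWindowsSupportEnabled) { 'Enabled' }
        elseif (-not $Settings.BTIWindowsSupportPresent) { 'OS patch missing' }
        elseif ($Settings.BTIDisabledByNoHardwareSupport -or -not $Settings.BTIHardwarePresent) {
            'OS patch present but inactive: needs microcode/BIOS/firmware update'
        }
        elseif ($Settings.BTIDisabledBySystemPolicy) { 'OS patch present but disabled by system policy' }
        else { 'OS patch present but not enabled (reason not reported)' }

        # CVE-2017-5754 (rogue data cache load): kernel VA shadowing.
        $kva = if (-not $Settings.KVAShadowRequired) { 'Not required on this hardware' }
        elseif ($Settings.KVAShadowWindowsSupportEnabled) { 'Enabled' }
        elseif ($Settings.KVAShadowWindowsSupportPresent) { 'OS patch present but not enabled' }
        else { 'OS patch missing' }

        # PCID is a performance optimization only; it does not change the verdict.
        $btiOk = [bool]$Settings.BTIWindowsSupportEnabled
        $kvaOk = (-not $Settings.KVAShadowRequired) -or [bool]$Settings.KVAShadowWindowsSupportEnabled

        [pscustomobject]@{
            BranchTargetInjection = $bti
            RogueDataCacheLoad    = $kva
            PcidOptimization      = [bool]$Settings.KVAShadowPcidEnabled
            BothMitigationsActive = ($btiOk -and $kvaOk)
        }
    }
}

# Sample 1: values from the output of the machine without a firmware update.
$noFirmware = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $false
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
    KVAShadowPcidEnabled           = $false
}

# Sample 2: values from the output posted after the firmware update.
$withFirmware = [pscustomobject]@{
    BTIHardwarePresent             = $true
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $true
    BTIDisabledBySystemPolicy      = $false
    BTIDisabledByNoHardwareSupport = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
    KVAShadowPcidEnabled           = $false
}

$noFirmware, $withFirmware | Resolve-SpeculationControlState | Format-List

# On a live machine with the SpeculationControl module loaded:
# Get-SpeculationControlSettings | Resolve-SpeculationControlState
```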



Re: [NTSysADM] Are the Meltdown/Spectre reg keys needed for workstations?

2018-01-09 Thread Michael Leone
On Tue, Jan 9, 2018 at 4:53 PM Art DeKneef  wrote:

> What systems are you seeing this with? You seem to be bouncing back and
> forth between servers and clients making it confusing to follow.
>


Not at all. As the post says, I'm asking about workstation OSes, Win10 and
Win 7.

> Have you restarted your servers yet?
>

Not asking about servers, asking about home PCs.

> For clients Microsoft has stated to help protect your client machines you
> need:
>
> 1. Verify you have a supported antivirus program.
> 2. Apply all Windows OS system updates including the Windows security
>    update released on Jan. 3, 2018.
> 3. Apply the firmware update from your hardware vendor, if available.
>
>
Yes, as I said, I have also read that the registry keys are necessary to
activate the new Security updates. And that advice made no distinctions
between client and server OSes.



Re: [NTSysADM] Are the Meltdown/Spectre reg keys needed for workstations?

2018-01-09 Thread Michael Leone
I've already issued the registry entries, so it looks like this:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by
system policy: False
Windows OS support for branch target injection mitigation is disabled by
absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables
hardware support for the branch target injection mitigation.
 * Follow the guidance for enabling Windows support for speculation control
mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent : False
BTIWindowsSupportPresent   : True
BTIWindowsSupportEnabled   : False
BTIDisabledBySystemPolicy  : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired  : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled   : False



On Tue, Jan 9, 2018 at 3:58 PM, Mike <craigslist...@gmail.com> wrote:

> Interesting. Can you post the output of the Get-SpeculationControlSettings
> command?
>
> On Tue, Jan 9, 2018 at 3:12 PM, Michael Leone <oozerd...@gmail.com> wrote:
>
>> On Tue, Jan 9, 2018 at 3:00 PM, Mike <craigslist...@gmail.com> wrote:
>>
>>> You only need the Registry entries on Server versions.
>>> You do need hardware support to protect against CVE-2017-5715.
>>>
>>> Run the Get-SpeculationControlSettings PowerShell command to get the
>>> details.
>>> https://gallery.technet.microsoft.com/scriptcenter/Speculati
>>> on-Control-e36f0050
>>>
>>
>>
>> I have run it. It didn't answer my question. If you don't run the
>> registry entries, some values are false. I take "false" to mean "not as
>> fully protected as you should be". Which indicates to me that I need the
>> registry entries, even if it's not a server.
>>
>> Hence my question ...
>>
>>
>



Re: [NTSysADM] Are the Meltdown/Spectre reg keys needed for workstations?

2018-01-09 Thread Michael Leone
On Tue, Jan 9, 2018 at 3:00 PM, Mike  wrote:

> You only need the Registry entries on Server versions.
> You do need hardware support to protect against CVE-2017-5715.
>
> Run the Get-SpeculationControlSettings PowerShell command to get the
> details.
> https://gallery.technet.microsoft.com/scriptcenter/
> Speculation-Control-e36f0050
>


I have run it. It didn't answer my question. If you don't run the registry
entries, some values are false. I take "false" to mean "not as fully
protected as you should be". Which indicates to me that I need the registry
entries, even if it's not a server.

Hence my question ...



[NTSysADM] Are the Meltdown/Spectre reg keys needed for workstations?

2018-01-09 Thread Michael Leone
Here's something (more) I am confused about. Suppose I have Win 7 and Win
10 workstations, and I have properly patched the OS. Do I *also* need to
issue the 2 (or is it 3) registry entries?

I *thought* the registry entries were only for servers, but I have seen
other statements that say that the Meltdown/Spectre fixes are *not* enabled
until you issue the registry entries.

So without the reg entries, you are effectively unpatched? The patches are
there, but dormant?

(neither of my home PCs have BIOS updates issued - one is for a very old
Dell Optiplex 755 that I only use to connect to a NAS, and the other is one
I assembled from parts back in 2011. Neither has had a BIOS upgrade
released in years. Ah, the joy )



Re: [NTSysADM] KB4056894 offered for Win 7

2018-01-08 Thread Michael Leone
On Mon, Jan 8, 2018 at 9:49 AM, Charles F Sullivan <
charles.sulliva...@bc.edu> wrote:
> The firmware update is there for your model:
>
> http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=GYM2C

Yep. Downloaded and installed. I was on ver A9, latest is A21. After
installation reboot, it re-detected all devices, and rebooted a second
time. And my workstation, at least, seems fully covered ...


Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: False [not
required for security]


BTIHardwarePresent : True
BTIWindowsSupportPresent   : True
BTIWindowsSupportEnabled   : True
BTIDisabledBySystemPolicy  : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired  : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled   : False

> Lucky you. I have a couple of older Optiplex models and they aren't on the
> list, which I assume means they won't bother fixing those. Here's the entire
> list:
>
> http://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-attacks--cve-2017-5715--cve-2017-5753--cve-2017-5754---impact-on-dell-products?lang=en

I don't usually deal with our workstation inventory, but it wouldn't
surprise me if we had the same problem. I may have it on a database server,
too, I still need to check.



Re: [NTSysADM] KB4056894 offered for Win 7

2018-01-08 Thread Michael Leone
On Mon, Jan 8, 2018 at 9:05 AM, Michael B. Smith  wrote:
> I don't believe you read the article properly.

Entirely possible,

> This update (the Microsoft update – mbs) has compatibility issues with the
> following Kaspersky Lab solutions:
>
> Kaspersky Endpoint Security 10 for Windows version 10.3.0.6294 (SP2)

Right, a later version than the one I am running ...

So it's *only* this particular version of KES v10 that has a problem;
earlier versions of that product (like mine), and the other Kaspersky
products, do *not* have a problem. And will install the readiness flag
properly ...
That's the bit I got backwards 

That's a big relief to me, I was having nightmares about having to
upgrade all my AV first, then roll out OS patches, then try and figure
some way to push firmware/BIOS updates (if they are even available,
for some of my older models) 




[NTSysADM] KB4056894 offered for Win 7

2018-01-08 Thread Michael Leone
So at work, my PC is Win 7 running Kaspersky 10.2.1.23 (yeah, I know).
According to the Kaspersky website, the required version for the reg
key needed is 10.3.0.6294 (SP2).

Yet, I *do* have the reg key (I double checked). And I am being
offered the 2018-01 Security Monthly Quality Rollup KB4056894.

Now, I don't know *why* I am being offered it, since I thought that I
needed to upgrade my AV version from 10.2 to 10.3, before I would get
the prerequisite reg key. But it for sure looks like I am ready for the
OS patch of the Meltdown / Spectre fixes ... Their document
14042 says that their database updates went out Dec 28 to enable the
flag. Apparently this applied even to my version ...

Haven't checked yet for the firmware patch for my Optiplex 9020, but I
imagine that will be there, or there soon ...

So that may make patching my workstations a lil easier. Not sure yet
about all my servers ...




Re: [NTSysADM] New GPO for DC being filtered out

2018-01-04 Thread Michael Leone
On Wed, Jan 3, 2018 at 4:43 PM, Charles F Sullivan
<charles.sulliva...@bc.edu> wrote:
> I'm not sure why you're using security filtering. Is your objective to only
> have *some* DCs get this policy?

Correct. I can't have all DCs rebooting to install updates at the same
time. So I want 1 to reboot at 4AM, 1 at 5AM, etc. So I have multiple
GPOs, set for different times, and I filter based on group membership,
to stagger reboots.

> If so, as Joe said those servers need to
> get the group membership into their access tokens. Ha! I saved a post which
> says how to do that without rebooting and it turns out it was from you!
>
> I actually used the method you described after I added a server to a group
> about a month ago, so thanks.

You're welcome! Yes, I remembered that tip, too, and so now it is working.

For anyone else:

klist purge -li 0x3e7

This will reset the computer access token (Kerberos ticket), so you
don't need to reboot. Then just do a "gpupdate /force", and all should
be good.


>
> On Wed, Jan 3, 2018 at 3:26 PM, Michael Leone <oozerd...@gmail.com> wrote:
>>
>> OK, I'm scratching my head over this. I made a new GPO, set it to
>> automatically install Windows Updates at a specific time. I set it to
>> filter only to an AD group. I linked it to the Domain Controllers OU.
>> Pretty much what I've always done. The only difference is that this
>> time, this new GPO is for my DCs.
>>
>> When I run a "gpresult /r", I see the new GPO being not applied,
>> because it was being filtered out. The reason shows as "Security".
>>
>> And I can't figure out what I did wrong. This particular DC is a
>> member of the AD group that this GPO is set to filter on. Now, the
>> "Default Domain Controllers Policy" is being applied. And this is just
>> set to filter on "Authenticated users".
>>
>> I don't get it. I checked the link order, and the updating GPO is a
>> lower number than the Default policy. Running the Group Policy
>> Modeling, I see the new GPO as a winning GPO.
>>
>> So what am I doing wrong? Where to look next, to figure out where this
>> filtering is taking place?
>>
>>
>
>
>
> --
>
> Charlie Sullivan
>
> Sr. Windows Systems Administrator
>
> Boston College
>
> 197 Foster St. Room 367
>
> Brighton, MA 02135
>
> 617-552-4318




[NTSysADM] New GPO for DC being filtered out

2018-01-03 Thread Michael Leone
OK, I'm scratching my head over this. I made a new GPO, set it to
automatically install Windows Updates at a specific time. I set it to
filter only to an AD group. I linked it to the Domain Controllers OU.
Pretty much what I've always done. The only difference is that this
time, this new GPO is for my DCs.

When I run a "gpresult /r", I see the new GPO being not applied,
because it was being filtered out. The reason shows as "Security".

And I can't figure out what I did wrong. This particular DC is a
member of the AD group that this GPO is set to filter on. Now, the
"Default Domain Controllers Policy" is being applied. And this is just
set to filter on "Authenticated users".

I don't get it. I checked the link order, and the updating GPO is a
lower number than the Default policy. Running the Group Policy
Modeling, I see the new GPO as a winning GPO.

So what am I doing wrong? Where to look next, to figure out where this
filtering is taking place?




[NTSysADM] Advice: RAID-1 with SSD for home use?

2017-12-27 Thread Michael Leone
I have a non-business question. My GF needs a new PC; her current Dell
is like 8 years old, and is really slow with her Google Chrome and 30+
tabs open (yes, I've told her to try not keeping so many tabs open;
no, she won't change her behavior ...)

Anyways, I'm looking at a HP Pavillion 570-p30 (that's an I7-7700 CPU,
16G RAM, 256G SSD). Her current machine (Dell Studio XPS 8000) does
have mirrored SATA boot drives (I ordered it that way). I did it for
safety, not backup (we do backups to an external HD via scheduled task
and SyncToy).

It doesn't appear that I can do that with this HP machine, doesn't
look like there's enough SSD connectors, although I haven't been able
to confirm that.

My question - do I even really need to mirror the boot drive?  Do you
folks do mirrored drives at home? Or am I just being overly cautious?
(I don't have one on my own desktop, just a single SSD boot drive. I
do have mirrored data storage drives, for photos, etc. Again for
safety).

(at work, it would never occur to me to spec out a server that didn't
have mirrored boot drives. But this isn't a server ...)




Re: [NTSysADM] SQL Server 2012 R2 ISO download

2017-12-13 Thread Michael Leone
On Tue, Dec 12, 2017 at 3:58 PM, Jack Kramer <j...@smalltype.net> wrote:
> Pretty sure you have to get it from the VLSC (volume licensing service 
> center).

THAT'S what I was forgetting, the VLSC. Thanks!

Yes, I see download links for SQL 2012 with SP4 (per core and per
server, although it's odd that they are different links, unless it's
because the keys are different, not the software).

Thanks!


> 
> Jack Kramer, Senior Consultant
> Small Type Computing - www.smalltype.net
> W: 855-765-8973 x101 - C: 248-635-4955
>
>> On Dec 12, 2017, at 3:42 PM, Michael Leone <oozerd...@gmail.com> wrote:
>>
>> I apologize for the stupid question. I'm looking to download an ISO of
>> SQL Server 2012 R2 (STD and ENT), preferably with SP3 pre-installed.
>> The ISOs I currently have already have a license key (it's pre-filled
>> in, when I execute the installer).
>>
>> I've never downloaded a SQL ISO like that, my old boss used to do it.
>> Where does one download something like that? I've signed into Tech
>> Net, but all I see are evaluation versions. Do I need to download one
>> of these, and then just apply my license, and - later - the SP I want?
>>
>> Thanks
>>
>>
>
>
>




[NTSysADM] SQL Server 2012 R2 ISO download

2017-12-12 Thread Michael Leone
I apologize for the stupid question. I'm looking to download an ISO of
SQL Server 2012 R2 (STD and ENT), preferably with SP3 pre-installed.
The ISOs I currently have already have a license key (it's pre-filled
in, when I execute the installer).

I've never downloaded a SQL ISO like that, my old boss used to do it.
Where does one download something like that? I've signed into Tech
Net, but all I see are evaluation versions. Do I need to download one
of these, and then just apply my license, and - later - the SP I want?

Thanks




Re: [NTSysADM] Advice: physically moving a site, but not changing AD Site info ...

2017-12-05 Thread Michael Leone
On Tue, Dec 5, 2017 at 10:51 AM, Melvin Backus  wrote:
> Moving DHCP shouldn't be as bad as you might think. If you're running 2012r2 
> or later you can do failover, and either way you can export / import the 
> setup. The only real change would be the network guys having to add/replace 
> the DHCP helper IP setup in your routers/switches.

Yes, all DCs are Win 2012 R2. (AD domain/forest level is still Win
2008 R2, but I think I can raise that, I believe all prerequisites
have been met)




Re: [NTSysADM] Advice: physically moving a site, but not changing AD Site info ...

2017-12-05 Thread Michael Leone
Thanks. As an update, they've decided *not* to move the servers
tomorrow, during the downtime at the site. They will stay, and be back
up the next day, when the power people get done doing whatever it is
that they are doing.

(which means all the users at that site are coming here. And logging
in .. to no profile, as their profile is hosted on the server which
will be powered off at the remote site. I foresee lots of fun and
amusement ...)

However, that site will close early next year, so I will have to move
the file server and DC. I thought about collapsing down the subnets
(and AD sites), but my networking guys don't want to do that, as they
still need them for the telecom/VOIP system - don't ask me, I'm not
following all that. If we don't change the subnets, then the
networking guys have a ton of re-VLANing of ports to do, at the
remaining site ...

No doubt I will be writing again, when the move actually happens. What
I'd really like, is to be able to move the DHCP services off the DC,
and onto another server. But that may be scary, too, guess we'll find
out ...



On Fri, Dec 1, 2017 at 2:21 PM, Charles F Sullivan
<charles.sulliva...@bc.edu> wrote:
> I don't see any issues with doing that.
>
> You may want to (once everything is working as expected) add that subnet to
> the main data center site and do away with the old site. There's no reason
> to have intersite replication now that the moved DCs have good connectivity
> to the other DCs. Your remote users at least will have more up to date AD
> changes, even if they may now suffer from slower overall response from the
> file server and DCs.
>
> On Fri, Dec 1, 2017 at 11:07 AM, Michael Leone <oozerd...@gmail.com> wrote:
>>
>> I'm pretty sure I know the answer, but I want to verify.
>>
>> I've got a remote site that is scheduled to be shut down for the day
>> next week, for power issues (don't ask me, I don't own the building
>> ...). Since this site is scheduled to be abandoned next month, the
>> Powers That Be have decided that they want to move the servers out of
>> that site, down to the main data center, on Wed. This means that when
>> the building re-opens on Thu, all the employees who are still at that
>> remote site will then log in to the servers across the WAN.
>>
>> 
>>
>> Now this site is also a Site in AD, with 4 subnets assigned. The
>> servers that are moving are all only in 1 subnet (x.x.16.x),
>>
>> Got all that?
>>
>> So I think if we physically move the servers to the main datacenter,
>> re-configure some switch ports there to be the .16 subnet. And
>> everything should still Just Work  ...
>>
>> by which I mean, the folks still out at the remote site can still
>> log in to the domain, and access their file server, pretty much
>> transparently. They're just going to be accessing their files long
>> distance now, instead of locally.
>>
>> I don't need to do any AD or host reconfiguration, right? There is
>> switch reconfigs to do (ports), but that should be on my networking
>> guys, correct?
>>
>> Anything I can tell them to make sure they cover? This is all
>> possible, right? And shouldn't be a big deal, presuming the
>> connectivity all works? I am not a networking guy in any sense ...
>>
>> Thanks for any help. This just dropped into my lap when I came back in
>> today. I thought we had until the end of Feb to prepare for this 
>>
>>
>
>
>
> --
>
> Charlie Sullivan
>
> Sr. Windows Systems Administrator
>
> Boston College
>
> 197 Foster St. Room 367
>
> Brighton, MA 02135
>
> 617-552-4318




Re: [NTSysADM] Advice: physically moving a site, but not changing AD Site info ...

2017-12-01 Thread Michael Leone
On Fri, Dec 1, 2017 at 11:19 AM, Kennedy, Jim
<kennedy...@elyriaschools.org> wrote:
> Based on your description and the network guys doing it right, you are fine.

Thanks! That's what I thought. It's all on them. LOL


>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Michael Leone
> Sent: Friday, December 1, 2017 11:08 AM
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Advice: physically moving a site, but not changing AD 
> Site info ...
>
> I'm pretty sure I know the answer, but I want to verify.
>
> I've got a remote site that is scheduled to be shut down for the day next 
> week, for power issues (don't ask me, I don't own the building ...). Since 
> this site is scheduled to be abandoned next month, the Powers That Be have 
> decided that they want to move the servers out of that site, down to the main 
> data center, on Wed. This means that when the building re-opens on Thu, all 
> the employees who are still at that remote site will then log in to the
> servers across the WAN.
>
> 
>
> Now this site is also a Site in AD, with 4 subnets assigned. The servers that 
> are moving are all only in 1 subnet (x.x.16.x),
>
> Got all that?
>
> So I think if we physically move the servers to the main datacenter, 
> re-configure some switch ports there to be the .16 subnet. And everything 
> should still Just Work  ...
>
> by which I mean, the folks still out at the remote site can still log in to
> the domain, and access their file server, pretty much transparently. They're 
> just going to be accessing their files long distance now, instead of locally.
>
> I don't need to do any AD or host reconfiguration, right? There is switch 
> reconfigs to do (ports), but that should be on my networking guys, correct?
>
> Anything I can tell them to make sure they cover? This is all possible, 
> right? And shouldn't be a big deal, presuming the connectivity all works? I 
> am not a networking guy in any sense ...
>
> Thanks for any help. This just dropped into my lap when I came back in today. 
> I thought we had until the end of Feb to prepare for this 
>
>




[NTSysADM] Advice: physically moving a site, but not changing AD Site info ...

2017-12-01 Thread Michael Leone
I'm pretty sure I know the answer, but I want to verify.

I've got a remote site that is scheduled to be shut down for the day
next week, for power issues (don't ask me, I don't own the building
...). Since this site is scheduled to be abandoned next month, the
Powers That Be have decided that they want to move the servers out of
that site, down to the main data center, on Wed. This means that when
the building re-opens on Thu, all the employees who are still at that
remote site will then log in to the servers across the WAN.



Now this site is also a Site in AD, with 4 subnets assigned. The
servers that are moving are all only in 1 subnet (x.x.16.x),

Got all that?

So I think if we physically move the servers to the main datacenter,
re-configure some switch ports there to be the .16 subnet. And
everything should still Just Work  ...

by which I mean, the folks still out at the remote site can still
log in to the domain, and access their file server, pretty much
transparently. They're just going to be accessing their files long
distance now, instead of locally.

I don't need to do any AD or host reconfiguration, right? There is
switch reconfigs to do (ports), but that should be on my networking
guys, correct?

Anything I can tell them to make sure they cover? This is all
possible, right? And shouldn't be a big deal, presuming the
connectivity all works? I am not a networking guy in any sense ...

Thanks for any help. This just dropped into my lap when I came back in
today. I thought we had until the end of Feb to prepare for this 




Re: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Michael Leone
On Tue, Nov 14, 2017 at 1:50 PM, Kurt Buff  wrote:
> You need to adjust the permissions in the directory tree, and breaking
> inheritance is the wrong way of doing it.
>
> Change the permissions at each level so that they are explicitly
> defined to allow "This Folder and Files" for those who only need to
> see the files in that directory, but not other subdirectories.
>
> Also, it seems as if your directory structure needs refactoring - it's
> way too complex if you're running into these kinds of permission
> problems.

Actually, this is a rare occurrence. Usually, I have a share based on
department. And AD groups for each department. I just add a user to
the right group, and forget about it. It's only when they want between
departments, and especially only a lower level folder, that I even
touch any permissions, etc. In our case, if you are a member of
"Finance", you need access to any sub-folders under the main Finance
departmental share. If there are sub-folders that need to be more
tightly locked down, I break inheritance and assign perms
individually. That doesn't happen too often.




Re: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Michael Leone
On Tue, Nov 14, 2017 at 12:02 PM, Kennedy, Jim
 wrote:
> ABE won't do that, it just controls what they see... it just hides what they 
> don't have read access to. Great feature, I use it everywhere but not what 
> you need for this.
>
> Break inheritance on D4, add the group for the new users and create a 
> shortcut for them directly to that path.  \\server\B2\C3\D4  I am assuming B2 
> is shared here.

The share is A1; none of the lower level folders are shared.

Just had a talk with the requester, and we decided to take the easy
way out. I made a copy of D4, and put it on the departmental share of
the new users. And then set the permissions on the copy to be only
certain users, and not everyone else in that department.

I preferred this, rather than changing permissions on A1 (traversal)
and D4 (RW). This way, I only need to change the permissions on the
D4-copy, and don't need to worry about traversal elsewhere.

A bit of a cop-out, but I'll take it. LOL

Thanks for the advice, tho, I will star these emails to keep them for
later reference.




[NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Michael Leone
It's been so long since I've had to do this, I need a check. I'm doing
something fundamentally wrong, I think.

We use groups to set share/ACLs on folders. I got a request to share a
4th level sub-folder with other employees not in the ACL. So what I
have is:

Folder A1 (shared)
-->> B2
   -->> C3
      -->> D4 (this is the one I want to allow access to)

Now, the share permissions on A1 is for DevelopmentGroup, and the NTFS
permissions are the same. Those permissions just flow down to B2, C3
and D4 (i.e., normal inheritance).

Now, I'm pretty sure the only way to allow access to only D4, and not
allow access to B2 and C3 or even see files there, is to enable ABE.
But I've never done that, and am leery of enabling it in production,
without a whole lot more testing and forethought (I shudder to think of
all the help desk calls, if I get something wrong).

Am I correct that only ABE will do what I am thinking of (allow access
only to D4 and hide contents of A1, B2, C3)?

Barring ABE, there's nothing I can do, short of granting a new group
access to D4, and living with the consequences?

Thoughts? At this point, I want to just add the new group to the NTFS
permissions of D4 only, and live with the fact that these new group
members can see everything higher up.




Re: [NTSysADM] Re: Advice: moving SQL cluster instance from 1 cluster to another

2017-11-06 Thread Michael Leone
Thanks! I will check that out. I believe I have 1 very small advantage
- pretty sure this isn't supposed to be a multi-site cluster, so that
eliminates a bit of configuration (in our case, we need a script to
run at failover, so that the LUNs at the DR site are marked as the
"active" copy in our RecoverPoint replication).

On Fri, Nov 3, 2017 at 10:09 PM, Damien Solodow
<damien.solo...@harrison.edu> wrote:
> I did something quite similar and made use of this guide:
> https://dba.stackexchange.com/questions/139282/sql-server-2012-on-a-windows-2008-r2-cluster-would-like-to-upgrade-windows-to-2
>
>
> It worked quite well. :)
>
>
>
> DAMIEN SOLODOW
> IT Engineering Lead
> 317.447.6033 (office)
> 317.447.6014 (fax)
> HARRISON COLLEGE
> 
> From: listsad...@lists.myitforum.com <listsad...@lists.myitforum.com> on
> behalf of Michael Leone <oozerd...@gmail.com>
> Sent: Friday, November 3, 2017 2:36:57 PM
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Re: Advice: moving SQL cluster instance from 1 cluster
> to another
>
> Anyone? Teachable comments most welcome ...
>
> On Thu, Nov 2, 2017 at 10:41 AM, Michael Leone <oozerd...@gmail.com> wrote:
>> Looking for some advice. I've just been told that in a couple weeks,
>> I've got some cluster re-arranging to do. (Mind you, I've had a week's
>> vacation scheduled for the last 6 months, so I really only have 1 week
>> to do this ...)
>>
>> Here's what I have now:
>>
>> Windows 2008 R2 / SQL 2008 R2 cluster (call it "UnusedSQLCluster")
>> - This is a 1 node cluster, at the moment.
>> Windows 2008 R2 / SQL 2008 R2 cluster with 3 named SQL instances
>> - This is a 2 node cluster
>>
>> So here's what they want.
>>
>> Get rid of UnusedSQLCluster; reformat it as a Win2012 R2/SQL 2012 R2
>> cluster.
>> Move one of the named SQL instances to what used to be
>> UnusedSQLCluster but *keeping* the current instance name and IP
>> address.
>>
>> Got all that?
>>
>> So here's what I think I need to do.
>>
>> Gracefully uninstall the old UnusedSQLCluster (both SQL and Win
>> clusters);
>> (This should be relatively straightforward - uninstall SQL node; evict
>> Windows node)
>> reformat it and install Win 2012 R2/SQL 2012 R2, using a temporary SQL
>> cluster name - "TempSQLCluster".
>>
>> Uninstall SQLInstance01 from the cluster it is in.
>> (this cluster remains in production, servicing the 2 other SQL instances)
>>
>> Rename TempSQLCluster to SQLInstance01, using same IP address,
>>
>> Have I missed a step?
>>
>> BIG QUESTIONS / CONCERNS:
>>
>> 1. It is possible to rename a SQL cluster instance name to something
>> else, that looks straightforward enough. And there is no log shipping,
>> event forwarding, etc, that I know of. I know I may have to do some
>> DNS cleanup.
>>
>> 2. I know that SQL cluster instances register themselves into AD,
>> hence why I want to gracefully uninstall everything. But re-using the
>> same SQL instance name should be OK? Or do I need to clean that object
>> out of AD after uninstalling it?
>>
>> I did this once, months ago, and I know I didn't do all the steps
>> properly at that time, as my boss deleted the AD account of a SQL
>> instance without uninstalling it first. So it's still there in SQL, in
>> a zombie state.
>>
>> What have I missed? What do I need to look out for? (DNS, etc)
>>
>> I'm sure I didn't explain everything clearly enough, so feel free to
>> interrogate further.
>
>




[NTSysADM] Re: Advice: moving SQL cluster instance from 1 cluster to another

2017-11-03 Thread Michael Leone
Anyone? Teachable comments most welcome ...

On Thu, Nov 2, 2017 at 10:41 AM, Michael Leone <oozerd...@gmail.com> wrote:
> Looking for some advice. I've just been told that in a couple weeks,
> I've got some cluster re-arranging to do. (Mind you, I've had a week's
> vacation scheduled for the last 6 months, so I really only have 1 week
> to do this ...)
>
> Here's what I have now:
>
> Windows 2008 R2 / SQL 2008 R2 cluster (call it "UnusedSQLCluster")
> - This is a 1 node cluster, at the moment.
> Windows 2008 R2 / SQL 2008 R2 cluster with 3 named SQL instances
> - This is a 2 node cluster
>
> So here's what they want.
>
> Get rid of UnusedSQLCluster; reformat it as a Win2012 R2/SQL 2012 R2 cluster.
> Move one of the named SQL instances to what used to be
> UnusedSQLCluster but *keeping* the current instance name and IP
> address.
>
> Got all that?
>
> So here's what I think I need to do.
>
> Gracefully uninstall the old UnusedSQLCluster (both SQL and Win clusters);
> (This should be relatively straightforward - uninstall SQL node; evict
> Windows node)
> reformat it and install Win 2012 R2/SQL 2012 R2, using a temporary SQL
> cluster name - "TempSQLCluster".
>
> Uninstall SQLInstance01 from the cluster it is in.
> (this cluster remains in production, servicing the 2 other SQL instances)
>
> Rename TempSQLCluster to SQLInstance01, using same IP address,
>
> Have I missed a step?
>
> BIG QUESTIONS / CONCERNS:
>
> 1. It is possible to rename a SQL cluster instance name to something
> else, that looks straightforward enough. And there is no log shipping,
> event forwarding, etc, that I know of. I know I may have to do some
> DNS cleanup.
>
> 2. I know that SQL cluster instances register themselves into AD,
> hence why I want to gracefully uninstall everything. But re-using the
> same SQL instance name should be OK? Or do I need to clean that object
> out of AD after uninstalling it?
>
> I did this once, months ago, and I know I didn't do all the steps
> properly at that time, as my boss deleted the AD account of a SQL
> instance without uninstalling it first. So it's still there in SQL, in
> a zombie state.
>
> What have I missed? What do I need to look out for? (DNS, etc)
>
> I'm sure I didn't explain everything clearly enough, so feel free to
> interrogate further.




[NTSysADM] Re: Advice: moving SQL cluster instance from 1 cluster to another

2017-11-02 Thread Michael Leone
Well, this is not a promising start. I went to uninstall the
UnusedSQLCluster. I got errors (apparently there was an application
installed (IBM CDC) that was holding the master.dbf open, and also
hanging on to a clustered disk resource). After the uninstall SQL
instance failed, I finally figured out it was probably the CDC app,
and uninstalled it. And now the uninstall SQL instance shows no
instance.

Of course, Failover Manager *does* show the instance, and the AD
account is not disabled.



Now, in this particular case, I can (probably) live with this, since I
am getting ready to nuke the box entirely. I can - I think - just
delete the AD account of the SQL instance, with no ill effects,
especially since I am not planning on reusing that particular name for
a SQL instance in future (HOPEFULLY).

Sound about right? I'm about to evict the node from the Windows
cluster (just to be complete). Then gonna nuke the box, and make a new
Win2012 R2 cluster, and then a SQL 2012 R2 cluster, with a completely
different name.



On Thu, Nov 2, 2017 at 10:41 AM, Michael Leone <oozerd...@gmail.com> wrote:
> Looking for some advice. I've just been told that in a couple weeks,
> I've got some cluster re-arranging to do. (Mind you, I've had a week's
> vacation scheduled for the last 6 months, so I really only have 1 week
> to do this ...)
>
> Here's what I have now:
>
> Windows 2008 R2 / SQL 2008 R2 cluster (call it "UnusedSQLCluster")
> - This is a 1 node cluster, at the moment.
> Windows 2008 R2 / SQL 2008 R2 cluster with 3 named SQL instances
> - This is a 2 node cluster
>
> So here's what they want.
>
> Get rid of UnusedSQLCluster; reformat it as a Win2012 R2/SQL 2012 R2 cluster.
> Move one of the named SQL instances to what used to be
> UnusedSQLCluster but *keeping* the current instance name and IP
> address.
>
> Got all that?
>
> So here's what I think I need to do.
>
> Gracefully uninstall the old UnusedSQLCluster (both SQL and Win clusters);
> (This should be relatively straightforward - uninstall SQL node; evict
> Windows node)
> reformat it and install Win 2012 R2/SQL 2012 R2, using a temporary SQL
> cluster name - "TempSQLCluster".
>
> Uninstall SQLInstance01 from the cluster it is in.
> (this cluster remains in production, servicing the 2 other SQL instances)
>
> Rename TempSQLCluster to SQLInstance01, using same IP address,
>
> Have I missed a step?
>
> BIG QUESTIONS / CONCERNS:
>
> 1. It is possible to rename a SQL cluster instance name to something
> else, that looks straightforward enough. And there is no log shipping,
> event forwarding, etc, that I know of. I know I may have to do some
> DNS cleanup.
>
> 2. I know that SQL cluster instances register themselves into AD,
> hence why I want to gracefully uninstall everything. But re-using the
> same SQL instance name should be OK? Or do I need to clean that object
> out of AD after uninstalling it?
>
> I did this once, months ago, and I know I didn't do all the steps
> properly at that time, as my boss deleted the AD account of a SQL
> instance without uninstalling it first. So it's still there in SQL, in
> a zombie state.
>
> What have I missed? What do I need to look out for? (DNS, etc)
>
> I'm sure I didn't explain everything clearly enough, so feel free to
> interrogate further.




[NTSysADM] Advice: moving SQL cluster instance from 1 cluster to another

2017-11-02 Thread Michael Leone
Looking for some advice. I've just been told that in a couple weeks,
I've got some cluster re-arranging to do. (Mind you, I've had a week's
vacation scheduled for the last 6 months, so I really only have 1 week
to do this ...)

Here's what I have now:

Windows 2008 R2 / SQL 2008 R2 cluster (call it "UnusedSQLCluster")
- This is a 1 node cluster, at the moment.
Windows 2008 R2 / SQL 2008 R2 cluster with 3 named SQL instances
- This is a 2 node cluster

So here's what they want.

Get rid of UnusedSQLCluster; reformat it as a Win2012 R2/SQL 2012 R2 cluster.
Move one of the named SQL instances to what used to be
UnusedSQLCluster but *keeping* the current instance name and IP
address.

Got all that?

So here's what I think I need to do.

Gracefully uninstall the old UnusedSQLCluster (both SQL and Win clusters);
(This should be relatively straightforward - uninstall SQL node; evict
Windows node)
reformat it and install Win 2012 R2/SQL 2012 R2, using a temporary SQL
cluster name - "TempSQLCluster".

Uninstall SQLInstance01 from the cluster it is in.
(this cluster remains in production, servicing the 2 other SQL instances)

Rename TempSQLCluster to SQLInstance01, using same IP address,

Have I missed a step?

BIG QUESTIONS / CONCERNS:

1. It is possible to rename a SQL cluster instance name to something
else, that looks straightforward enough. And there is no log shipping,
event forwarding, etc, that I know of. I know I may have to do some
DNS cleanup.

2. I know that SQL cluster instances register themselves into AD,
hence why I want to gracefully uninstall everything. But re-using the
same SQL instance name should be OK? Or do I need to clean that object
out of AD after uninstalling it?

I did this once, months ago, and I know I didn't do all the steps
properly at that time, as my boss deleted the AD account of a SQL
instance without uninstalling it first. So it's still there in SQL, in
a zombie state.

What have I missed? What do I need to look out for? (DNS, etc)

I'm sure I didn't explain everything clearly enough, so feel free to
interrogate further.




Re: [NTSysADM] RE: GPO application question.

2017-10-24 Thread Michael Leone
On Tue, Oct 24, 2017 at 2:06 PM, James Rankin  wrote:

> It will write the Registry key, I presume, but the OS will just ignore it.
>

This would have been my guess, as well. If the OS isn't programmed
specifically to look at, and honor, a registry setting, then it should
completely ignore it.

Now, if this changed a DLL or something, that would be a different story.
But I can't imagine anything but an OS component looking for such a
specific key ...



>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kennedy, Jim
> *Sent:* 24 October 2017 18:57
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] GPO application question.
>
>
>
> What happens with a setting that is in a GPO applied to a non-supported
> OS.  So for example the SMB setting below is on an OU with Win 10 boxes in
> it. Is it just ignored? So it will get ignored and not mess up the Win 10
> dependencies..correct?
>
>
>
>



Re: [NTSysADM] Pro tip for you: free...

2017-10-18 Thread Michael Leone
On Tue, Oct 17, 2017 at 1:24 AM, Kurt Buff  wrote:

> I can't say for sure what caused it, but somewhere during this process
> about 10 out of the 70+/- GPOs got fubared, and I had to recover them
> - something I've never had to do before. Thank all the gods (and
> decent planning!) that I had snapshot backups of the DC holding all of
> the FSMO roles, and could mount the VMDK and pull out the sysvol
> directory and copy them back from the Friday night backup.

Really. I have a scheduled task that backs up all GPOs to a central
share on the last day of the month. I always assumed that if I needed
to, I could import a GPO from there, if I needed to restore some
settings. That seems easier than having to mount a copy of the sysvol
and copy them out of that.

> It was not a good time last week.

Sounds like!

>- Or the phase of the moon and a lack of chicken blood.

This. :-)




[NTSysADM] Is it possible to allow users to update just 1 field in AD?

2017-10-16 Thread Michael Leone
I have a user, who needs to do 2 things in AD.

1. She needs to lookup a user, to see what their login ID is (it has
to match what is in our Cisco VOIP, I'm told). And then ...
2. She needs to input a value in the "IP Phone" field. (apparently,
the Cisco software does an LDAP lookup of this field).

Is it possible to delegate the right to change just that one field to
a user? (I think not) We don't want her to inadvertently delete a
user, or change anything else. We're just tired of her calling the
help desk to do simple lookups, or enter a phone number that she
should (might?) be able to do herself.

Mind you, I did an export of all user logins, which was supposed to be
fed into the Cisco system. So why they think the logins don't match, I
don't know. And don't have time (or inclination) to deal with.

Thanks for any advice.




Re: [NTSysADM] Problems enabling AD Recycle Bin

2017-10-13 Thread Michael Leone
On Thu, Oct 12, 2017 at 6:41 PM, Brian Desmond <br...@briandesmond.com> wrote:
> It is not possible to only enable this in one domain. It's a forest-level 
> feature. Here's the sample syntax from the docs:
>
> Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

Yeah, that's what I originally did, to generate the error. :-)

So you're saying I have to do this up in the root domain, because
that's where the forest starts? And once I do, it'll be enabled for
the root domain and the child domain, since the feature will bubble
down to all domains in the forest?


>
> Thanks,
> Brian Desmond
>
> w – 312.625.1438 | c – 312.731.3132
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Michael Leone
> Sent: Thursday, October 12, 2017 2:08 PM
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Problems enabling AD Recycle Bin
>
> My AD is Win 2008 R2 (forest and domain level). I have a parent-child domain 
> structure, and want to enable the AD Recycle Bin in the child domain. I am 
> getting an error of "A referral was returned from the server".
>
> Q: Do I need to be doing this on the child DC, or on the root DC?
>
> Specifically, I am doing (in Active Directory Module for Powershell (as 
> Administrator):
>
> Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target (Get-ADForest -Current LocalComputer)
>
> I am doing this on the PDC of the child domain.
>
> Do I need to be doing this on the Domain Naming Master, which is in the Root 
> domain? And - if so - will enabling it there, then enable it for both domains?
>
>




Re: [NTSysADM] This pleases me...

2017-10-10 Thread Michael Leone
Congratulations! Well done.

On Fri, Oct 6, 2017 at 9:24 PM, Kurt Buff  wrote:
> It's a good start
> https://www.giac.org/certified-professional/kurt-buff/162966
>
> Passed with 85%, in 1h 12m.
>
>




Re: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

2017-09-15 Thread Michael Leone
On Thu, Sep 14, 2017 at 2:33 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> On Thu, Sep 14, 2017 at 9:31 AM, Michael Leone <oozerd...@gmail.com> wrote:
>>
>> We use Kaspersky for our AV needs, and to be honest, it's worked out
>> well for us. It's certainly caught things that McAfee, our previous AV
>> solution, didn't. However, they have this slight problem with being a
>> covert arm of the Russian government, apparently ..
>
> Citation needed. I have not seen anything that supports the idea that
> Kaspersky is an arm of the Russian government.

Tell that to the US government .. LOL

>> So we need to drop them, as the federal agencies are doing.
>
> Is this a requirement by law/regulation for your department? If not,
> don't drop them, at least not for the reason stated above.

My boss says it's not meeting our needs, and it will be replaced, so
the requirement is for me to obey orders and keep my job. LOL

Listen, I'm happy with Kaspersky, and I would recommend keeping it.
But I have an idea that this is a mandate from farther high up.
Especially seeing as to how we are a state agency, I guess my CIO
doesn't want to spend time explaining to our board of commissioners
why the feds are wrong, and we're keeping Kaspersky when they aren't
...

> We have Eset, and I'd drop them in a heartbeat, if I could. Not
> because it's a bad product of its kind - far from it. It's been fairly
> good.
>
> Instead, I'd go with Applocker, and removing admin privileges - we
> already do patching fairly well.

The order was for AV, since we need to do local workstations and
remote devices. So we will.

Also, no one here (including me) knows Applocker, and there's not a
lot of support here, besides me, for anything OS or AD related ..




[NTSysADM] Dropping Kaspersky Av, who to replace it with?

2017-09-14 Thread Michael Leone
We use Kaspersky for our AV needs, and to be honest, it's worked out
well for us. It's certainly caught things that McAfee, our previous AV
solution, didn't. However, they have this slight problem with being a
covert arm of the Russian government, apparently ..

So we need to drop them, as the federal agencies are doing.

There are lots of reviews, such as av-test.org, that we are looking
at. But tell me, who do you have? And - more importantly - if you had
your say in the matter, would you keep them?

We're a sort of enterprise level organization, maybe 1K users, bunch
of laptops issued to remote users. So far, all Win 7 for workstations,
but obviously that will change in the future. Servers are all Win
2008/2012 R2 (so far). So we need something with a centralized
console, to push out rules, updates, etc.

We use Proofpoint as an email gateway, so it does mail scanning. We
have Checkpoint firewalls for managing that sort of traffic.

Thoughts?  I know I've heard good things about ESET and Sophos, among
others. Just soliciting some real world opinions, along with our own
research.




Re: [NTSysADM] Building a test domain

2017-09-13 Thread Michael Leone
On Tue, Sep 12, 2017 at 5:31 PM, Heaton, Joseph@Wildlife
 wrote:
> For a quick build of a test domain, completely separate from a production
> domain, would you take a vReplica of the production domain controller, then
> revive that in the test area?  Sounds great, but I have huge trepidation
> about it.

I have done it this way. I took a clone of one of my DCs (it's a VM),
set it on an ESXi server and configured it to use a specific vswitch,
*not* configured to have any NICs assigned to it  (so it was a private
network, and completely isolated from the other vswitches).

Be certain of that part ..

Then, on that cloned VM, I seized roles, deleted the other, missing
DCs, changed its IP to be one on that private vswitch, created a
"management" PC to talk to it. It did work. I posted here about it,
years ago.

It was a lot of work. But yes, it does give you a replica of your
current config (all same OUs, sites, etc).




[NTSysADM] Disabling a web site in IIS

2017-09-11 Thread Michael Leone
I know very little about IIS. I have a Win2008 R2 server, and IIS
Manager shows 3 sites under the web server. I want to disable 2 of
them (one is the default web site), leaving only the 3rd running and
accessible.

I stopped them, and set them to not automatically start. What I'd like
to do is ensure that they are disabled, and can't start. I keep
finding search results that indicate making changes to the Directory
Security, which will do that. And I don't see any icon that says
Directory Security, nor on any right click of a site, etc.

What am I misunderstanding here? How can I disable these 2 sites, so I
can be sure they don't start? (I don't know if they will be needed
again, hence why I don't want to delete them)




Re: [NTSysADM] Group Policy - Enforce screensaver and password

2017-09-07 Thread Michael Leone
On Wed, Sep 6, 2017 at 2:25 PM, Kurt Buff  wrote:

> Below is a picture of what we do. We just lock the screen. Doesn't matter
> if the user chooses a screensaver or not - the screen locks after 900
> seconds (too long in my opinion, but it quelled the screaming).
>

AH HA. That's the sort of thing I was looking for. That command does lock
the screen, no need to worry whether a screensaver was set or not. So while
it's not a "real" screensaver, it does serve the ultimate purpose (locking
the machine, and requiring a password to unlock).

Thanks so much! This seems to be working in my testing.



Re: [NTSysADM] Group Policy - Enforce screensaver and password

2017-09-06 Thread Michael Leone
On Wed, Sep 6, 2017 at 2:05 PM, Kennedy, Jim
<kennedy...@elyriaschools.org> wrote:
> So did your power settings only partially kick in...like 10 minutes to 
> dark...30 to lock...and you only waited 10?

Dark kicked in at 10. Most of my PCs are set to never go to sleep
(AFAIK - I haven't been too finely detailed on the workstation
setups).

>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Michael Leone
> Sent: Wednesday, September 6, 2017 1:51 PM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] Group Policy - Enforce screensaver and password
>
> On Wed, Sep 6, 2017 at 1:13 PM, Webster <webs...@carlwebster.com> wrote:
>> How about testing it on a test user account so you will know exactly what 
>> happens??? It is a user policy setting so you can restrict it to a single 
>> user account for testing.
>
> I am testing it. :-) That's why I asked - I set it to enforce a password 
> screensaver, but then didn't set a screensaver (as the user).
> And the situation happened as I described - monitor went dark (power), but 
> clicking on anything put me right back into the session, no password. That's 
> what I need to find a way to avoid ...
>
>
>>
>>
>> Webster
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone
>> Sent: Wednesday, September 6, 2017 11:03 AM
>> To: ntsysadm@lists.myitforum.com
>> Subject: Re: [NTSysADM] Group Policy - Enforce screensaver and
>> password
>>
>> On Wed, Sep 6, 2017 at 11:38 AM, Wolf, Daniel <da.w...@neopost.com> wrote:
>>> Don't specify a screensaver. It will just lock the machine with the screen 
>>> off.
>>
>> OK. So what if the user doesn't choose a screensaver. Then nothing happens, 
>> right? No screensaver, and - more importantly - no password needed to unlock 
>> the PC (presuming the display turns off, for power saving). I got the 
>> impression that this is what he is trying to prevent. Doesn't want people 
>> just walking away from a PC, and leaving it unlocked, for anyone to walk up 
>> and do nefarious things ...
>>
>>
>>>
>>> -Original Message-
>>> From: listsad...@lists.myitforum.com
>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone
>>> Sent: Wednesday, September 6, 2017 10:26 AM
>>> To: ntsysadm@lists.myitforum.com
>>> Subject: [NTSysADM] Group Policy - Enforce screensaver and password
>>>
>>> I've had a "suggestion" from my CIO. :-) He would like to use GP to enforce 
>>> that all domain computers have a screensaver (set to like 15 minutes), and 
>>> that the screensaver is password enabled. He didn't seem to care which 
>>> screensaver, as long as one is set.
>>>
>>> (these are all Win 7 PCs, BTW)
>>>
>>> I see the options in User Config/Policies/Admin Templates/Control 
>>> Panel/Personalization that I can Enable Screen saver and password protect 
>>> the screen saver. But if I read it right, I either have to specify which 
>>> screen saver to use, or depend on the user to pick one.
>>>
>>> So what happens if I choose
>>>
>>> Enable screen saver: ENABLED
>>> Password protect the screen saver: ENABLED
>>> screen saver timeout: 900 seconds
>>>
>>> and the user does *not* set a screensaver? If I use the above settings, do 
>>> I really also need to force a specific screen saver, so that I can be sure 
>>> that at least a passworded screen saver is set?
>>>
>>> What do the rest of you do? I'm assuming at least some of you enforce 
>>> passworded screensavers.
>>>
>>> Thanks for any advice.
>>>
>>>
>>
>>
>
>




Re: [NTSysADM] Group Policy - Enforce screensaver and password

2017-09-06 Thread Michael Leone
On Wed, Sep 6, 2017 at 11:38 AM, Wolf, Daniel <da.w...@neopost.com> wrote:
> Don't specify a screensaver. It will just lock the machine with the screen 
> off.

OK. So what if the user doesn't choose a screensaver. Then nothing
happens, right? No screensaver, and - more importantly - no password
needed to unlock the PC (presuming the display turns off, for power
saving). I got the impression that this is what he is trying to
prevent. Doesn't want people just walking away from a PC, and leaving
it unlocked, for anyone to walk up and do nefarious things ...


>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Michael Leone
> Sent: Wednesday, September 6, 2017 10:26 AM
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Group Policy - Enforce screensaver and password
>
> I've had a "suggestion" from my CIO. :-) He would like to use GP to enforce 
> that all domain computers have a screensaver (set to like 15 minutes), and 
> that the screensaver is password enabled. He didn't seem to care which 
> screensaver, as long as one is set.
>
> (these are all Win 7 PCs, BTW)
>
> I see the options in User Config/Policies/Admin Templates/Control 
> Panel/Personalization that I can Enable Screen saver and password protect the 
> screen saver. But if I read it right, I either have to specify which screen 
> saver to use, or depend on the user to pick one.
>
> So what happens if I choose
>
> Enable screen saver: ENABLED
> Password protect the screen saver: ENABLED screen saver timeout: 900 seconds
>
> and the user does *not* set a screensaver? If I use the above settings, do I 
> really also need to force a specific screen saver, so that I can be sure that 
> at least a passworded screen saver is set?
>
> What do the rest of you do? I'm assuming at least some of you enforce 
> passworded screensavers.
>
> Thanks for any advice.
>
>




[NTSysADM] Group Policy - Enforce screensaver and password

2017-09-06 Thread Michael Leone
I've had a "suggestion" from my CIO. :-) He would like to use GP to
enforce that all domain computers have a screensaver (set to like 15
minutes), and that the screensaver is password enabled. He didn't seem
to care which screensaver, as long as one is set.

(these are all Win 7 PCs, BTW)

I see the options in User Config/Policies/Admin Templates/Control
Panel/Personalization that I can Enable Screen saver and password
protect the screen saver. But if I read it right, I either have to
specify which screen saver to use, or depend on the user to pick one.

So what happens if I choose

Enable screen saver: ENABLED
Password protect the screen saver: ENABLED
screen saver timeout: 900 seconds

and the user does *not* set a screensaver? If I use the above
settings, do I really also need to force a specific screen saver, so
that I can be sure that at least a passworded screen saver is set?

What do the rest of you do? I'm assuming at least some of you enforce
passworded screensavers.

Thanks for any advice.
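An added example, not part of the original messages: a PowerShell check of the per-user policy values written by the Personalization settings named above, flagging the case asked about, where the screen saver is enabled and password protected but no executable is forced. The function names and the sample hashtables are constructed here; treating an unforced executable as a finding is a conservative assumption, to be confirmed on a test client.

```powershell
# Added example (not from the thread). Evaluates the per-user screen saver
# policy values and reports whether an idle lock is pinned by policy alone.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-DesktopValues {
    # Reads the four screen saver values from one registry key into a hashtable.
    param([Parameter(Mandatory)][string]$Key)
    $names  = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'
    $result = @{}
    $props  = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        if ($props -and $props.PSObject.Properties[$n]) {
            $result[$n] = [string]$props.PSObject.Properties[$n].Value
        }
    }
    return $result
}

function Test-ScreenLockPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,   # values forced by Group Policy
        [hashtable]$User = @{},                     # the user's own Control Panel values
        [int]$MaxTimeoutSeconds = 900               # 15 minutes, as in the thread
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($Policy['ScreenSaveActive'] -ne '1') {
        $findings.Add('Enable screen saver is not enforced')
    }
    if ($Policy['ScreenSaverIsSecure'] -ne '1') {
        $findings.Add('Password protection is not enforced')
    }

    $timeout = 0
    $parsed  = [int]::TryParse([string]$Policy['ScreenSaveTimeOut'], [ref]$timeout)
    if ((-not $parsed) -or ($timeout -le 0)) {
        $findings.Add('No non-zero timeout is enforced')
    } elseif ($timeout -gt $MaxTimeoutSeconds) {
        $findings.Add("Timeout of $timeout s exceeds the $MaxTimeoutSeconds s limit")
    }

    # The case asked about: nothing forces which screen saver runs.
    # Assumption: this is reported as a finding because the result then
    # depends on what the user has (or has not) selected.
    $forced = [string]$Policy['SCRNSAVE.EXE']
    $chosen = [string]$User['SCRNSAVE.EXE']
    if ([string]::IsNullOrWhiteSpace($forced)) {
        if ([string]::IsNullOrWhiteSpace($chosen)) {
            $findings.Add('No screen saver forced by policy and none selected by the user')
        } else {
            $findings.Add("Relies on the user's own selection ($chosen), which the user can change")
        }
    }

    [pscustomobject]@{
        Enforced = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample 1: the three settings proposed in the thread, no executable forced.
$proposed = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '900' }

# Constructed sample 2: the same settings plus a forced executable
# (scrnsave.scr is the built-in blank screen saver).
$pinned = $proposed.Clone()
$pinned['SCRNSAVE.EXE'] = 'scrnsave.scr'

Test-ScreenLockPolicy -Policy $proposed | Format-List
Test-ScreenLockPolicy -Policy $pinned   | Format-List

# On a client, audit the live values for the logged-on user instead:
# Test-ScreenLockPolicy -Policy (Get-DesktopValues -Key $PolicyKey) -User (Get-DesktopValues -Key $UserKey)
```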




Re: [NTSysADM] Win2012 R2 and offline files

2017-09-01 Thread Michael Leone
We don't do roaming profiles, only redirected folders (not the whole
profile).

On Fri, Sep 1, 2017 at 10:13 AM, Andrew S. Baker <asbz...@gmail.com> wrote:

> https://serverfault.com/questions/658892/issue-with-
> offline-availability-of-roaming-profiles
>
> Regards,
>
>  *ASB*
>  *http://XeeMe.com/AndrewBaker <http://xeeme.com/AndrewBaker>*
>
>  *Providing Expert Technology Consulting Services for the SMB market…*
>
> * GPG: *860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842
>
>
>
> On Fri, Sep 1, 2017 at 8:49 AM, Michael Leone <oozerd...@gmail.com> wrote:
>
>> Here we use redirected folders (not the whole profile, just the
>> Documents and Desktop parts). And so, we also have offline files
>> configured (in case the server with the desktop and documents
>> disappears for a bit, at least the clients can still work with a local
>> copy of their stuff, until the server comes back and it syncs).
>>
>> Been set that way for years, all was well. Then, we upgraded one of
>> those file servers to Win2012 R2, and it stopped working. Went to
>> check, and the option to make files available for offline use was
>> turned off (on the server). It's still on for my 3 other file servers,
>> but they're all Win2008 R2.
>>
>> I haven't seen anything that says that making files available offline
>> is broken on Win2012R2. Did we just miss that option, or did my (now
>> former) boss turn it off for some technical reason?
>>
>> Anybody using redirected folders and offline file with a Win2012 R2
>> server? It all Just Works, right? We set all that via Group Policy,
>> and all clients are Win 7.
>>
>> This is just an oversight on somebody's part here, yes? Offline files
>> are still the recommended way to go, when using redirected home
>> folders, and Desktop and Documents?
>>
>> Thanks
>>
>>
>>
>



Re: [NTSysADM] Win2012 R2 and offline files

2017-09-01 Thread Michael Leone
What I *want* is redirected folders to a DFS share, that is replicated
between my 4 file servers (at 4 different sites). So all I have to do
is redirect users folders to "\\DFS-Home\%user%", and then it doesn't
matter what location they log into, their files (and home folders)
follow them, courtesy of DFS. And always be available, even if one of
the replicas goes down for some reason (such as for applying updates,
etc).

But apparently DFS (with replication) doesn't play well with redirected folders.

Hence offline files ...


On Fri, Sep 1, 2017 at 9:02 AM, James Rankin <ja...@htguk.com> wrote:
> Offline Files suck ass. But there's not much choice unless you want to put 
> your hand in your pocket.
>
> Wouldn't it be easier just to put more resiliency in the file share that 
> hosts the stuff?
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Michael Leone
> Sent: 01 September 2017 13:50
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Win2012 R2 and offline files
>
> Here we use redirected folders (not the whole profile, just the Documents and 
> Desktop parts). And so, we also have offline files configured (in case the 
> server with the desktop and documents disappears for a bit, at least the 
> clients can still work with a local copy of their stuff, until the server 
> comes back and it syncs).
>
> Been set that way for years, all was well. Then, we upgraded one of those 
> file servers to Win2012 R2, and it stopped working. Went to check, and the 
> option to make files available for offline use was turned off (on the 
> server). It's still on for my 3 other file servers, but they're all Win2008 
> R2.
>
> I haven't seen anything that says that making files available offline is 
> broken on Win2012R2. Did we just miss that option, or did my (now
> former) boss turn it off for some technical reason?
>
> Anybody using redirected folders and offline file with a Win2012 R2 server? 
> It all Just Works, right? We set all that via Group Policy, and all clients 
> are Win 7.
>
> This is just an oversight on somebody's part here, yes? Offline files are 
> still the recommended way to go, when using redirected home folders, and 
> Desktop and Documents?
>
> Thanks
>
>




[NTSysADM] Win2012 R2 and offline files

2017-09-01 Thread Michael Leone
Here we use redirected folders (not the whole profile, just the
Documents and Desktop parts). And so, we also have offline files
configured (in case the server with the desktop and documents
disappears for a bit, at least the clients can still work with a local
copy of their stuff, until the server comes back and it syncs).

Been set that way for years, all was well. Then, we upgraded one of
those file servers to Win2012 R2, and it stopped working. Went to
check, and the option to make files available for offline use was
turned off (on the server). It's still on for my 3 other file servers,
but they're all Win2008 R2.

I haven't seen anything that says that making files available offline
is broken on Win2012R2. Did we just miss that option, or did my (now
former) boss turn it off for some technical reason?

Anybody using redirected folders and offline file with a Win2012 R2
server? It all Just Works, right? We set all that via Group Policy,
and all clients are Win 7.

This is just an oversight on somebody's part here, yes? Offline files
are still the recommended way to go, when using redirected home
folders, and Desktop and Documents?

Thanks




Re: [NTSysADM] A new task for me - setting up a SQL Server cluster on vSphere 6.0

2017-08-18 Thread Michael Leone
On Thu, Aug 17, 2017 at 2:12 PM, Mayo, Bill  wrote:
> I haven't done it since Windows 2008 R2, but Microsoft clustering does work 
> in a vSphere environment if you have the shared storage (sounds like you do).

I had MS clustering working on SQL 2008 R2 running on 2 Win2008R2 VMs,
using vSphere 5.5. It worked then. You do need shared storage, and you
need to define the virtual disks properly (trying to remember -
something about thick format, eager zeroing? The docs are on VMware's
site).

Mine was only a little test implementation thing, and my boss
eventually deleted one of the nodes (he didn't realize it was part of
a cluster; why people don't read the notes you can put on a VM in
vSphere, I have no idea ..).




Re: [NTSysADM] Win10 1607 - Some installed programs don't show up to be uninstalled

2017-08-11 Thread Michael Leone
On Fri, Aug 11, 2017 at 9:23 AM, Melvin Backus  wrote:
> I've seen some of the firewall endpoint clients that can only be removed via 
> the firewall management interfaces.  I ran into that when we eval'd Fortinet 
> a while back as I recall.  The policy will probably need to be adjusted to 
> allow removal before you can do the upgrade.

See, that may be the answer. At work, I do see it, in my Win 7
Programs, as something to be uninstalled. I don't see it at home, tho.
Maybe it has something to do with a remote policy? dunno. But come
Monday (in the words of Jimmy Buffett), I'll ask my firewall guy, when
he comes back from his cruise ..




Re: [NTSysADM] Win10 1607 - Some installed programs don't show up to be uninstalled

2017-08-10 Thread Michael Leone
On Thu, Aug 10, 2017 at 11:12 AM, James Rankin  wrote:
> If you look in the Registry subkeys under 
> HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall, do any of the 
> subkeys hold the Uninstall information for the application?

No.










Re: [NTSysADM] Win10 1607 - Some installed programs don't show up to be uninstalled

2017-08-10 Thread Michael Leone
On Thu, Aug 10, 2017 at 1:12 PM, Eamonn Twohig  wrote:
> On that 'Apps and Features' window, scroll down to the very end and you 
> should be able to access the traditional 'Program and Features' routine to 
> list the programs as you have done in the past. I only noticed this the other 
> day.

Did that. Still doesn't show up. No CheckPoint entry there.

> E80.70 works on my home laptop, but prior to running the upgrade from 1607 to 
> 1703, I did remove the Check Point client.










[NTSysADM] Win10 1607 - Some installed programs don't show up to be uninstalled

2017-08-10 Thread Michael Leone
This is odd. I am running Win10 1607 at home, and I have the
CheckPoint Endpoint Security client installed (08.50). Apparently,
that is incompatible with 1703, as I can't install  the 1703 update.

Doing some searching, I see that there is a later client (08.70),
specifically for use in 1703. Fair enough. I will ask my firewall guy
on Monday, when he gets back from vacation, if the new client is
compatible with our firewall. If so, I will upgrade the client at
home, then I can upgrade the OS.

In the meantime, I went looking to uninstall the Checkpoint client.
And I don't see it in "Apps and Features" anywhere. Oh, it's
installed, I see it in the system tray, and I've used it many times.

What's up with that? It's not showing in Apps and Features, it's not
showing in "Manage optional features" (not that I expected it to). I
have it set to show content from all drives (even though it's
installed on drive C:).

What am I misunderstanding or missing here? Why am I not seeing an
option to uninstall this anywhere?










Re: [NTSysADM] How to handle patching a patch, using scheduled installations

2017-07-24 Thread Michael Leone
On Mon, Jul 24, 2017 at 11:43 AM, Kennedy, Jim  wrote:

> Did it fail for sure, or is that one just showing up now.
>


Update history shows it failed yesterday.


> Did you also approve the Security Only?
>


Nope, I decline Security Only and decline Previews.




> If that one installs first it won’t show the Quality until after reboot
> IIRC.
>



Re: [NTSysADM] How to handle patching a patch, using scheduled installations

2017-07-24 Thread Michael Leone
On Mon, Jul 24, 2017 at 11:24 AM, Sean Chapman 
wrote:

> It’s a little bit of an extra crappy situation since that June update is
> an exclusive update.
>
>
>
> If there is a second round of updates, I just do them Monday morning or if
> its not a critical update I have also just let it roll until the next AU
> update window (which for me is Saturday)
>


Our windows are once a month, on a pre-determined schedule. I'm trying to
avoid scheduling an out-of-band round of updates ...



[NTSysADM] How to handle patching a patch, using scheduled installations

2017-07-24 Thread Michael Leone
I'd like some advice, please. So this past weekend, we applied our monthly
updates, and for the first time, half of my servers applied them using a
scheduled installation time from my WSUS v3 server. And yes, the patches
were applied, the servers rebooted, no human intervention needed. Yay!

BUT ... some servers then came back saying that another patch needed to be
installed (apparently on some servers, the June Monthly Quality update
failed, hence why it's still waiting to be installed). What that means is
that this coming Sunday, those servers will apply this waiting patch and
reboot (which I don't want to happen, because it's outside of the monthly
maintenance window).

I might be able to apply that patch offhours, before next Sunday.

So how does everyone else handle this issue - the issue of installing a
patch, and then having another patch now needing to be installed, or - as
with me - a patch that failed to install the first time attempt to re-try?
So how to avoid having the server reboot the next weekend, during a
non-scheduled window?

Thanks



Re: [NTSysADM] Sending email from Powershell via Yahoo (with app password) - RESOLVED

2017-07-21 Thread Michael Leone
That resolved it. Last night my Powershell script was able to send email
from either my G Suite account, or my Yahoo account (I got app passwords
for both, just in case).

Thanks for the help, everybody.

On Thu, Jul 20, 2017 at 11:11 AM, Michael Leone <oozerd...@gmail.com> wrote:

> I did a Live Chat with support, and we got it figured out. Turns out, I
> hadn't properly enabled it for the domain first. Once I did that, I turned
> on 2FA for my user, and then was able to create the app password. Later
> tonight I will try the app password, see if the script that runs at home
> will email me the results of the scheduled backup sync.
>
> Thanks everybody.
>
>
> On Thu, Jul 20, 2017 at 9:51 AM, Michael Leone <oozerd...@gmail.com>
> wrote:
>
>>
>>
>> On Wed, Jul 19, 2017 at 10:00 PM, Joe Tinney <j...@joetinney.com> wrote:
>>
>>> Alright, I just ran through it on my own domain as a test and this
>>> worked: https://support.google.com/a/answer/1032419?hl=en
>>>
>>> Basically, enable 2FA for your domain, enroll the account you want an
>>> app password for in 2FA  and then go to generate an app password. I got a
>>> message saying I couldn't before doing so and afterward I get an app/device
>>> screen with a generate button.
>>>
>>
>> Great! That's what I want. BUT ... when I sign into my domain, go to
>> "Sign-in and Security", and try to turn 2FA on, it wants me to enter my
>> password, to prove it's me.
>>
>> I do that ... and go right back to the "Sign-in & Security". WTF?
>>
>> 
>>
>> I will keep trying to make this work. In the meantime, I did get the app
>> password to work with my Yahoo account. There, I was able to enable 2FA and
>> get an app password. :-)
>>
>> This is why I pay Google; I think I can actually call support and ask. Or
>> live chat. Can't do that with the legacy free Google Apps accounts (hence
>> the $4.16 a month :-)).
>>
>> Thanks. I'll keep the list posted, once I get this 2FA and app passwords
>> sorted for my domain.
>>
>
>



Re: [NTSysADM] Sending email from Powershell via Yahoo (with app password)

2017-07-20 Thread Michael Leone
I did a Live Chat with support, and we got it figured out. Turns out, I
hadn't properly enabled it for the domain first. Once I did that, I turned
on 2FA for my user, and then was able to create the app password. Later
tonight I will try the app password, see if the script that runs at home
will email me the results of the scheduled backup sync.

Thanks everybody.


On Thu, Jul 20, 2017 at 9:51 AM, Michael Leone <oozerd...@gmail.com> wrote:

>
>
> On Wed, Jul 19, 2017 at 10:00 PM, Joe Tinney <j...@joetinney.com> wrote:
>
>> Alright, I just ran through it on my own domain as a test and this
>> worked: https://support.google.com/a/answer/1032419?hl=en
>>
>> Basically, enable 2FA for your domain, enroll the account you want an app
>> password for in 2FA  and then go to generate an app password. I got a
>> message saying I couldn't before doing so and afterward I get an app/device
>> screen with a generate button.
>>
>
> Great! That's what I want. BUT ... when I sign into my domain, go to
> "Sign-in and Security", and try to turn 2FA on, it wants me to enter my
> password, to prove it's me.
>
> I do that ... and go right back to the "Sign-in & Security". WTF?
>
> 
>
> I will keep trying to make this work. In the meantime, I did get the app
> password to work with my Yahoo account. There, I was able to enable 2FA and
> get an app password. :-)
>
> This is why I pay Google; I think I can actually call support and ask. Or
> live chat. Can't do that with the legacy free Google Apps accounts (hence
> the $4.16 a month :-)).
>
> Thanks. I'll keep the list posted, once I get this 2FA and app passwords
> sorted for my domain.
>



Re: [NTSysADM] Sending email from Powershell via Yahoo (with app password)

2017-07-20 Thread Michael Leone
On Wed, Jul 19, 2017 at 10:00 PM, Joe Tinney  wrote:

> Alright, I just ran through it on my own domain as a test and this
> worked: https://support.google.com/a/answer/1032419?hl=en
>
> Basically, enable 2FA for your domain, enroll the account you want an app
> password for in 2FA  and then go to generate an app password. I got a
> message saying I couldn't before doing so and afterward I get an app/device
> screen with a generate button.
>

Great! That's what I want. BUT ... when I sign into my domain, go to
"Sign-in and Security", and try to turn 2FA on, it wants me to enter my
password, to prove it's me.

I do that ... and go right back to the "Sign-in & Security". WTF?



I will keep trying to make this work. In the meantime, I did get the app
password to work with my Yahoo account. There, I was able to enable 2FA and
get an app password. :-)

This is why I pay Google; I think I can actually call support and ask. Or
live chat. Can't do that with the legacy free Google Apps accounts (hence
the $4.16 a month :-)).

Thanks. I'll keep the list posted, once I get this 2FA and app passwords
sorted for my domain.



Re: [NTSysADM] Sending email from Powershell via Yahoo (with app password)

2017-07-19 Thread Michael Leone
On Wed, Jul 19, 2017 at 9:07 PM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:
> It would have to be a Google/Apps account.  You use the generated app
> password with your account email address.  You do not use your interactive
> account login password.

My mike-leone.com domain is a Google Apps account. And it says app
passwords are not supported.




Re: [NTSysADM] Sending email from Powershell via Yahoo (with app password)

2017-07-19 Thread Michael Leone
No, app passwords are not supported for my domain. I think they are
supported for this Gmail account, but not for my domain "mike-leone.com",
it says. Ideally that's the account I want to use, but if I can't, I can't.

Supposing I get an app password for my oozerd...@gmail.com, how do I use
it? Do I use that app password when sending email, instead of my account
password?


On Jul 19, 2017 8:35 PM, "Micheal Espinola Jr" <michealespin...@gmail.com>
wrote:

> The correct way is to generate an app password for Gmail as well.  Do not
> lower your account security.
>
> <http://goog_1551210275>
>
> https://myaccount.google.com/apppasswords
>
>
> --
> Espi
>
>
> On Wed, Jul 19, 2017 at 5:00 PM, Michael Leone <oozerd...@gmail.com>
> wrote:
>
>> Using Win 10 1607, PSVersion  5.1.14393.1480
>>
>> I am seriously confused. I want to send an email using Powershell via
>> my Yahoo account. (I would have liked to send via my gmail account,
>> but GMail rejects Powershell connections, unless I reduce the security
>> on my account, which I am unwilling to do. Yahoo provides an "app
>> password", supposedly for situations just like this).
>>
>> So I generated an app password from my Yahoo account, and tried to
>> send a test email like this:
>>
>> $Username = "oozerd...@yahoo.com"
>> $Password = "-Yahoo generated app password-"
>>
>> $SecurePassword = $Password | ConvertTo-SecureString -AsPlainText -Force
>> $Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword
>>
>> $RcptTo = "tur...@mike-leone.com.com"
>> $Subject = "Yahoo Test"
>> $Body = "This is a test message"
>> Send-MailMessage -From $Username -To $RcptTo -Subject $Subject -Body $Body -SmtpServer smtp.mail.yahoo.com -Port 587 -UseSsl -Credential $Credentials
>>
>> And yet it still fails:
>>
>> Send-MailMessage : The SMTP server requires a secure connection or the
>> client was not authenticated. The server response was: 5.7.1
>> Authentication required
>> At C:\Scripts\Send-Email-from-PS1.PS1:27 char:1
>> + Send-MailMessage -From $Username -To $RcptTo -Subject $Subject -Body
>> ...
>> + ~
>> + CategoryInfo  : InvalidOperation:
>> (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage],
>> SmtpException
>> + FullyQualifiedErrorId :
>> SmtpException,Microsoft.PowerShell.Commands.SendMailMessage
>>
>>
>> What am I missing here? How can I use Powershell to send email via
>> Yahoo mail, preferably  using their generated app password? Anyone
>> doing this?
>>
>> How are you sending email from Powershell?
>>
>>
>>
>



[NTSysADM] Sending email from Powershell via Yahoo (with app password)

2017-07-19 Thread Michael Leone
Using Win 10 1607, PSVersion  5.1.14393.1480

I am seriously confused. I want to send an email using Powershell via
my Yahoo account. (I would have liked to send via my gmail account,
but GMail rejects Powershell connections, unless I reduce the security
on my account, which I am unwilling to do. Yahoo provides an "app
password", supposedly for situations just like this).

So I generated an app password from my Yahoo account, and tried to
send a test email like this:

$Username = "oozerd...@yahoo.com"
$Password = "-Yahoo generated app password-"

$SecurePassword = $Password | ConvertTo-SecureString -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword

$RcptTo = "tur...@mike-leone.com.com"
$Subject = "Yahoo Test"
$Body = "This is a test message"
Send-MailMessage -From $Username -To $RcptTo -Subject $Subject -Body $Body -SmtpServer smtp.mail.yahoo.com -Port 587 -UseSsl -Credential $Credentials

And yet it still fails:

Send-MailMessage : The SMTP server requires a secure connection or the
client was not authenticated. The server response was: 5.7.1
Authentication required
At C:\Scripts\Send-Email-from-PS1.PS1:27 char:1
+ Send-MailMessage -From $Username -To $RcptTo -Subject $Subject -Body  ...
+ ~
+ CategoryInfo  : InvalidOperation:
(System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage],
SmtpException
+ FullyQualifiedErrorId :
SmtpException,Microsoft.PowerShell.Commands.SendMailMessage


What am I missing here? How can I use Powershell to send email via
Yahoo mail, preferably  using their generated app password? Anyone
doing this?

How are you sending email from Powershell?




Re: [NTSysADM] Running a command with parameters using PSEXEC - SOLVED

2017-07-18 Thread Michael Leone
On Tue, Jul 18, 2017 at 10:42 AM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> This is likely because you needed to escape the quotes with backslashes.
> But since you didn't need them at all, that worked too.
>


Why would the quotes have needed to be escaped at all, tho? The quotes
don't need to be part of the actual passed parameters. Then again, once the
parameter part of the invocation is reached, everything after that is
presumed to be part of the parameters, I guess. Hence no need for quotes
anywhere, I guess ..




>
> --
> Espi
>
>
> On Tue, Jul 18, 2017 at 7:22 AM, Michael Leone <oozerd...@gmail.com>
> wrote:
>
>> On Tue, Jul 18, 2017 at 9:54 AM, Melvin Backus <melvin.bac...@byers.com>
>> wrote:
>>
>>> Try killing the quotes entirely.
>>>
>>>
>>
>> Well, what do you know , that was it ..
>>
>> C:\SysinternalsSuite>psexec -h \\dctrweb026  c:\windows\system32\klist.exe -li 0x3e7 purge
>>
>> PsExec v2.11 - Execute processes remotely
>> Copyright (C) 2001-2014 Mark Russinovich
>> Sysinternals - www.sysinternals.com
>>
>>
>>
>> Current LogonId is 0:0xa28ef9e
>> Targeted LogonId is 0:0x3e7
>> Deleting all tickets:
>> Ticket(s) purged!
>> c:\windows\system32\klist.exe exited on dctrweb026 with error code 0.
>>
>> Thanks so much! Now for the 2nd command ("gpupdate /force"). That should
>> update everything from the new GPO settings, without having to wait for
>> scheduled refresh.
>>
>>
>



Re: [NTSysADM] Running a command with parameters using PSEXEC - SOLVED

2017-07-18 Thread Michael Leone
On Tue, Jul 18, 2017 at 9:54 AM, Melvin Backus 
wrote:

> Try killing the quotes entirely.
>
>

Well, what do you know , that was it ..

C:\SysinternalsSuite>psexec -h \\dctrweb026  c:\windows\system32\klist.exe -li 0x3e7 purge

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com



Current LogonId is 0:0xa28ef9e
Targeted LogonId is 0:0x3e7
Deleting all tickets:
Ticket(s) purged!
c:\windows\system32\klist.exe exited on dctrweb026 with error code 0.

Thanks so much! Now for the 2nd command ("gpupdate /force"). That should
update everything from the new GPO settings, without having to wait for
scheduled refresh.
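An added example, not part of the original messages: the three PsExec command lines tried in this thread, split into arguments with the standard Windows rules, to show which token ends up as the program and which as its arguments. It assumes the receiving program tokenizes its command line the way shell32's CommandLineToArgvW does; the `ArgvDemo` type and `Split-WindowsCommandLine` function are names made up here, and the code is Windows only.

```powershell
# Added example (not from the thread). Windows only: calls shell32!CommandLineToArgvW.
Add-Type -Namespace ArgvDemo -Name Native -MemberDefinition @'
[DllImport("shell32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CommandLineToArgvW(string lpCmdLine, out int pNumArgs);

[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr hMem);
'@

function Split-WindowsCommandLine {
    # Returns the argv array Windows derives from a raw command-line string.
    param([Parameter(Mandatory)][string]$CommandLine)

    $count = 0
    $argv  = [ArgvDemo.Native]::CommandLineToArgvW($CommandLine, [ref]$count)
    if ($argv -eq [IntPtr]::Zero) {
        throw 'CommandLineToArgvW failed'
    }
    try {
        for ($i = 0; $i -lt $count; $i++) {
            # argv is an array of pointers to UTF-16 strings
            $p = [Runtime.InteropServices.Marshal]::ReadIntPtr($argv, $i * [IntPtr]::Size)
            [Runtime.InteropServices.Marshal]::PtrToStringUni($p)
        }
    } finally {
        # The API allocates one block that the caller must release
        [void][ArgvDemo.Native]::LocalFree($argv)
    }
}

# The three invocations from the thread, exactly as typed (single-quoted so
# PowerShell leaves backslashes and double quotes alone).
$invocations = [ordered]@{
    'arguments quoted together'    = 'psexec \\dctrweb026 c:\windows\system32\klist "-li 0x3e7 purge"'
    'program and arguments quoted' = 'psexec -h \\dctrweb026 "c:\windows\system32\klist.exe -li 0x3e7 purge"'
    'no quotes'                    = 'psexec -h \\dctrweb026 c:\windows\system32\klist.exe -li 0x3e7 purge'
}

foreach ($case in $invocations.Keys) {
    $tokens = @(Split-WindowsCommandLine -CommandLine $invocations[$case])
    [pscustomobject]@{
        Case   = $case
        Count  = $tokens.Count
        # Brackets make the token boundaries visible
        Tokens = ($tokens | ForEach-Object { "[$_]" }) -join ' '
    }
}
```

In the first case `-li 0x3e7 purge` arrives as a single argument, which matches klist printing its usage text; in the second the whole quoted string is one token in the program position, which matches the "cannot find the file specified" error; only the unquoted form yields `-li`, `0x3e7` and `purge` as separate arguments.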



Re: [NTSysADM] Running a command with parameters using PSEXEC

2017-07-18 Thread Michael Leone
On Tue, Jul 18, 2017 at 9:42 AM, Webster  wrote:

> Try "c:\windows\system32\klist -li 0x3e7 purge"
>


Nope .. which is odd, because that's where the file is ...

C:\SysinternalsSuite>psexec -h \\dctrweb026  "c:\windows\system32\klist.exe -li 0x3e7 purge"

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


PsExec could not start c:\windows\system32\klist.exe -li 0x3e7 purge on
dctrweb026:
The system cannot find the file specified.


>



Re: [NTSysADM] Running a command with parameters using PSEXEC

2017-07-18 Thread Michael Leone
On Tue, Jul 18, 2017 at 9:13 AM, David McSpadden  wrote:

> I would move the first quote to in front of the c:\windows and maybe add
> user permissions to the remote box in the command line.
>

No joy. Different error, tho ...

C:\SysinternalsSuite>psexec \\dctrweb026 -u XX -p XX "c:\windows\system32\klist" "-li 0x3e7 purge"

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com



Usage: klist.exe [command]

Command list:
  [tickets] [-lh ] [-li ]
  tgt [-lh ] [-li ]
  purge [-lh ] [-li ]
  sessions [-lh ] [-li ]
  kcd_cache [-lh ] [-li ]
  get  [-lh ] [-li ]
[-kdcoptions ]
  add_bind  
  query_bind
  purge_bind
c:\windows\system32\klist exited on dctrweb026 with error code -1.



Re: [NTSysADM] Running a command with parameters using PSEXEC

2017-07-18 Thread Michael Leone
On Tue, Jul 18, 2017 at 9:13 AM, Michael B. Smith <mich...@smithcons.com>
wrote:

> I always thought it was “klist purge –li 0x3e7”, but this isn’t something
> I do often. It may not matter.
>

I used "klist -li 0x3e7 purge" interactively, and it works fine.

C:\SysinternalsSuite>klist -li 0x3e7 purge

Current LogonId is 0:0x3aace53f
Targeted LogonId is 0:0x3e7
Deleting all tickets:
Ticket(s) purged!


> Anyway, does just a klist work, with no arguments? Does “klist –li 0x3e7” ?
>

Yep, works fine ..

C:\SysinternalsSuite>psexec \\dctrweb026  c:\windows\system32\klist.exe

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com



Current LogonId is 0:0xa23e334

Cached Tickets: (1)

#0> Client: leonem @ WRK.ADS.PHA.PHILA.GOV
Server: cifs/dctrweb026.wrk.ads.pha.phila.gov @
WRK.ADS.PHA.PHILA.GOV
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a1 -> forwardable renewable pre_authent
name_canonicalize
Start Time: 7/18/2017 9:22:15 (local)
End Time:   7/18/2017 19:11:00 (local)
Renew Time: 0
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x8 -> ASC
Kdc Called:
c:\windows\system32\klist.exe exited on dctrweb026 with error code 0.



>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Tuesday, July 18, 2017 9:02 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Running a command with parameters using PSEXEC
>
>
>
> OK, so I'm just stupid today (altho today isn't really any different than
> any other day ..)
>
>
>
> I want to run "klist -li 0x3e7 purge" on one of my servers, and I want to
> do it remotely. So I tried to fire up PSEXEC to do it, and I'm passing the
> arguments wrong, somehow.
>
>
>
> C:\SysinternalsSuite>psexec \\dctrweb026   c:\windows\system32\klist "-li 0x3e7 purge"
>
>
>
> PsExec v2.11 - Execute processes remotely
>
> Copyright (C) 2001-2014 Mark Russinovich
>
> Sysinternals - www.sysinternals.com
>
>
>
>
>
>
>
> Usage: klist.exe [command]
>
>
>
> Command list:
>
>   [tickets] [-lh ] [-li ]
>
>   tgt [-lh ] [-li ]
>
>   purge [-lh ] [-li ]
>
>   sessions [-lh ] [-li ]
>
>   kcd_cache [-lh ] [-li ]
>
>   get  [-lh ] [-li ]
>
> [-kdcoptions ]
>
>   add_bind  
>
>   query_bind
>
>   purge_bind
>
> c:\windows\system32\klist exited on dctrweb026 with error code -1.
>
>
>
>
>
> So what did I do wrong on the PSEXEC invocation? I gave it the machine to
> run on; the full path to the command I want executed; and the arguments for
> that command. That's what the help says to do.
>
>
>
> I obviously have rights to do it, but I'm not sending the parameters to
> klist correctly.
>
>
>
> It's got to be something simple, and I'll feel like a moron, once somebody
> points it out to me. But that won't be the first time ..
>
>
>
> Clues, anyone?
>
>
>
> (target is Win2012 R2, if it matters)
>
>
>



[NTSysADM] Running a command with parameters using PSEXEC

2017-07-18 Thread Michael Leone
OK, so I'm just stupid today (altho today isn't really any different than
any other day ..)

I want to run "klist -li 0x3e7 purge" on one of my servers, and I want to
do it remotely. So I tried to fire up PSEXEC to do it, and I'm passing the
arguments wrong, somehow.

C:\SysinternalsSuite>psexec \\dctrweb026   c:\windows\system32\klist "-li 0x3e7 purge"

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com



Usage: klist.exe [command]

Command list:
  [tickets] [-lh ] [-li ]
  tgt [-lh ] [-li ]
  purge [-lh ] [-li ]
  sessions [-lh ] [-li ]
  kcd_cache [-lh ] [-li ]
  get  [-lh ] [-li ]
[-kdcoptions ]
  add_bind  
  query_bind
  purge_bind
c:\windows\system32\klist exited on dctrweb026 with error code -1.


So what did I do wrong on the PSEXEC invocation? I gave it the machine to
run on; the full path to the command I want executed; and the arguments for
that command. That's what the help says to do.

I obviously have rights to do it, but I'm not sending the parameters to
klist correctly.

It's got to be something simple, and I'll feel like a moron, once somebody
points it out to me. But that won't be the first time ..

Clues, anyone?

(target is Win2012 R2, if it matters)
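
Added example, not part of the original thread: a simplified Python model of how the Microsoft C runtime splits a Windows command line into argv, applied to the argument tail from the message above. With the quotes in place, everything between them reaches klist as a single argument instead of three. The function names, constant names and the unquoted variant are assumptions introduced here.

```python
def split_windows_args(cmdline):
    """Split a command tail the way the Microsoft C runtime builds argv.

    Simplified: the doubled-quote ("") escape inside a quoted string
    is not modelled.
    """
    args, cur = [], []
    in_quotes = False
    started = False  # True once the current argument has content, even ""
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            # Backslashes are special only when the run ends at a quote.
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:        # odd run: the quote is a literal character
                    cur.append('"')
                else:              # even run: the quote toggles quoting
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * run)
                i = j
            started = True
        elif ch == '"':
            in_quotes = not in_quotes
            started = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if started:            # unquoted whitespace ends the argument
                args.append("".join(cur))
                cur, started = [], False
            i += 1
        else:
            cur.append(ch)
            started = True
            i += 1
    if started:
        args.append("".join(cur))
    return args

AS_POSTED = '"-li 0x3e7 purge"'  # argument tail exactly as in the message
UNQUOTED = '-li 0x3e7 purge'     # assumption: the same tail without quotes

def klist_argv(tail):
    """argv as the remote klist process would see it for a given tail."""
    return [r"c:\windows\system32\klist"] + split_windows_args(tail)

if __name__ == "__main__":
    print(klist_argv(AS_POSTED))
    print(klist_argv(UNQUOTED))
```
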



Re: [NTSysADM] Advice on patching Domain Controllers via WSUS

2017-07-12 Thread Michael Leone
On Wed, Jul 12, 2017 at 11:33 AM, Michael B. Smith <mich...@smithcons.com>
wrote:

> In my opinion, you are not being over-cautious. You certainly (ABSOLUTELY)
> do not want all your DCs patching at the same time, much less rebooting at
> the same time.
>


Yes, that's what I do manually. Patch one, reboot, make sure I can log in,
log out, move on to next DC.
And to emulate that, I would need multiple GPOs, all set to trigger at
different times. And I can't see how to set an automatic install time except
in hourly increments.

So I think I may just stay with doing it manually. (I have 10 DCs, spread
across the root and child domain, although there really isn't anything in
the root domain except those DCs). It just takes close to an hour manually
that way, between waiting for patches to install, and the reboot to finish,
and check.



>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Wednesday, July 12, 2017 11:23 AM
> *To:* ntsysadm@lists.myitforum.com; Patch Management Mailing List
> *Subject:* Re: [NTSysADM] Advice on patching Domain Controllers via WSUS
>
>
>
> On Wed, Jul 12, 2017 at 11:05 AM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
>
> Separate group in WSUS, download but don’t install.  I manually install
> them during downtime I schedule shortly after patch Tuesday. That is how I
> handle member servers and DC’s.
>
>
>
> But, I only have 40 or so servers to do.
>
>
>
> Yeah, we have close to 4x that. When it was only 40-50, manually
> installing patches is manageable. With our number, we have 3 staff come in
> and have to do 50+ servers once a month. That's like 12 hours or so
> overtime (total for all 3) every month. So auto-installing patches would
> also be a cost saving maneuver for us, as well.
>
>
>
> I have groups in WSUS, and approve current month patches for just our
> testing servers, and everything up until this month for all other servers.
> So I would just add the DCs to that second group. And then use a GPO to
> either download or install, and tie it to a specific AD group.
>
>
>
>
>
> I'm just a bit leery about having DCs auto-patch. I don't know if I am
> being over-cautious, is all ...
>



Re: [NTSysADM] Advice on patching Domain Controllers via WSUS

2017-07-12 Thread Michael Leone
On Wed, Jul 12, 2017 at 11:05 AM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:

> Separate group in WSUS, download but don’t install.  I manually install
> them during downtime I schedule shortly after patch Tuesday. That is how I
> handle member servers and DC’s.
>
>
>
> But, I only have 40 or so servers to do.
>

Yeah, we have close to 4x that. When it was only 40-50, manually installing
patches is manageable. With our number, we have 3 staff come in and have to
do 50+ servers once a month. That's like 12 hours or so overtime (total for
all 3) every month. So auto-installing patches would also be a cost saving
maneuver for us, as well.

I have groups in WSUS, and approve current month patches for just our
testing servers, and everything up until this month for all other servers.
So I would just add the DCs to that second group. And then use a GPO to
either download or install, and tie it to a specific AD group.


I'm just a bit leery about having DCs auto-patch. I don't know if I am
being over-cautious, is all ...



>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Wednesday, July 12, 2017 10:56 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Advice on patching Domain Controllers via WSUS
>
>
>
> Our policy has been that our DCs are not patched via WSUS, like other
> member servers, but instead that we manually install the current patches
> from Microsoft Update. But now, I would like to change this, and use WSUS
> to patch all the DCs to our production levels (meaning: one month behind on
> released patches).
>
>
>
> I don't see any downsides to this. I would create a new GPO (rather than
> modify the Default Domain Controllers Policy). I think I might still set
> them to download only, not automatically install.
>
>
>
> Thoughts?
>
> Should I let them auto-install, like most of my other member servers?
>
> Is that what you others do?
>
> Do you let your DCs get their patches via WSUS?
>
>
>
> (the more servers I don't have to manually install patches on, the happier
> I am. We have some servers that we must do manually, for reasons I won't go
> into)
>
>
>



[NTSysADM] Advice on patching Domain Controllers via WSUS

2017-07-12 Thread Michael Leone
Our policy has been that our DCs are not patched via WSUS, like other
member servers, but instead that we manually install the current patches
from Microsoft Update. But now, I would like to change this, and use WSUS
to patch all the DCs to our production levels (meaning: one month behind on
released patches).

I don't see any downsides to this. I would create a new GPO (rather than
modify the Default Domain Controllers Policy). I think I might still set
them to download only, not automatically install.

Thoughts?
Should I let them auto-install, like most of my other member servers?
Is that what you others do?
Do you let your DCs get their patches via WSUS?

(the more servers I don't have to manually install patches on, the happier
I am. We have some servers that we must do manually, for reasons I won't go
into)



Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Michael Leone
On Wed, Jun 28, 2017 at 2:00 PM, Melvin Backus <melvin.bac...@byers.com>
wrote:

>
>
> If you’re running 2012 servers I’d recommend you go to at least 8.1 for
> your workstation, so you can run the RSAT tools.  Even if it means you
> have to virtualize one just for a management workstation.
>


I created a 2012R2 VM just for that purpose, a management station. :-) But
I still end up doing a lot of these type of things on my own workstation,
it's faster. Don't have to open the other VM, unlock, etc. I've mentioned
that we need to start testing Win10 in our environment ... and you see
that I am still running Win 7 ...




>
>
> --
> There are 10 kinds of people in the world...
>  those who understand binary and those who don't.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Wednesday, June 28, 2017 11:26 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* Re: [NTSysADM] Using GPP to fight Petya
>
>
>
> On Wed, Jun 28, 2017 at 10:59 AM, Melvin Backus <melvin.bac...@byers.com>
> wrote:
>
> From GPMC select the OU, right click, Group Policy Update.
>
>
>
> I don't see this option in my GPMC (Win 7 Pro). I see it on GPMC from a
> Win2012 R2 server ...
>
>
>
> Part of the problem is, I set those changes to the Default Domain Policy,
> which isn't in an OU. And there's no such option at the domain level.
>
>
>
> Still, I can push it to the servers, which are all in 1 OU. Since I do my
> GPOs from my Win 7 machine, I didn't know this option existed. Thanks!
>
>
>
>
>
>
>
> It isn’t immediate on all systems but it will happen within the next 10-15
> minutes as it staggers them to avoid swamping the server.
>
>
>
>
>
>



Re: [NTSysADM] Using GPP to fight Petya

2017-06-28 Thread Michael Leone
On Wed, Jun 28, 2017 at 11:16 AM, J- P  wrote:

> Kaspersky detected perfc.dat as a malicious file
>

> anyone else get that?
>



Yep, seeing the same warnings. And all on the perfc.dat file that I created
using GPP, to stop "Petya". LOL

Guess I didn't need to create that file, anyway. Oh, well, maybe tomorrow
I'll change the entry to "Delete", rather than "Replace". After figuring
out how to change the read-only flag ...



>


