Advanced Audit Policy Configuration with Group Policy

I was creating some new Group Policy for some audit settings when things started to work funny. As you might know, there are two sets of audit settings.

The legacy one:

(screenshot: the legacy audit policy settings)

And the advanced one:

(screenshot: the advanced audit policy configuration)

If you enable the advanced one, be careful not to forget to enable the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy.

So after configuring all this, auditing should work. But if you play around with it a bit it gets all messed up. You have the legacy settings, advanced settings, Group Policy settings and local policy settings. Some settings cancel each other out, some overwrite each other...

To check the currently applied settings use the GPRESULT /H foo.htm command. You can see what kind of policies were applied in the created document. If everything looks ok but it is still not working as you want it to, you have to dig a little bit deeper. Thanks to Ned for his great post btw. As he explains, you need to check the applied settings with the auditpol.exe /get /category:* command.

(screenshot: auditpol /get /category:* results)

The settings here were all wrong. So I tried to reset them with auditpol /clear but the correct settings still would not apply. Neither gpupdate /force nor a system restart worked. I also deleted all audit.csv files in the domain's SYSVOL\***\Policies\ folders to make sure that no old audit settings were applied.
I found out that the correct audit settings were located first here, %systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv, which is then copied to %systemroot%\security\audit\audit.csv.

Based on Ned's info I found out that the applied settings are stored in the registry key HKEY_Local_Machine\Security\Policy\PolAdtEv and had not been updated with the current audit.csv file.

In the end I ran "Auditpol /restore /file:C:\Windows\security\audit\audit.csv" and the correct settings were loaded.
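A quick way to catch this kind of drift before users notice is to compare what auditpol reports as in effect with the audit.csv that Group Policy delivered. The script below is an added example (not from the original post); it assumes the two audit.csv paths named above and the CSV column names that auditpol /get /category:* /r and the Group Policy audit.csv both use (Subcategory, Subcategory GUID, Inclusion Setting).

```powershell
# Added example, not part of the original post: list every audit subcategory
# whose effective setting differs from the audit.csv that Group Policy delivered.
# Run in an elevated PowerShell session on the machine being checked.

$gpoCsv    = Join-Path $env:SystemRoot 'system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
$localCsv  = Join-Path $env:SystemRoot 'security\audit\audit.csv'
# Prefer the copy Group Policy wrote; fall back to the one under security\audit.
$sourceCsv = if (Test-Path -LiteralPath $gpoCsv) { $gpoCsv } else { $localCsv }

# auditpol /r prints CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting. Blank lines are dropped
# before parsing.
$effective = (auditpol /get /category:* /r) |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv

# The Group Policy audit.csv uses the same header plus a Setting Value column.
$wanted = Import-Csv -LiteralPath $sourceCsv

# Index the effective settings by subcategory GUID so each wanted row is a single lookup.
$byGuid = @{}
foreach ($row in $effective) { $byGuid[$row.'Subcategory GUID'.ToUpper()] = $row }

$mismatches = foreach ($row in $wanted) {
    $cur = $byGuid[$row.'Subcategory GUID'.ToUpper()]
    if ($null -eq $cur) {
        [pscustomobject]@{ Subcategory = $row.Subcategory; Expected = $row.'Inclusion Setting'; Effective = '<not reported>' }
    }
    elseif ($cur.'Inclusion Setting' -ne $row.'Inclusion Setting') {
        [pscustomobject]@{ Subcategory = $row.Subcategory; Expected = $row.'Inclusion Setting'; Effective = $cur.'Inclusion Setting' }
    }
}

if ($mismatches) {
    Write-Warning "Effective audit policy differs from $sourceCsv"
    $mismatches | Format-Table -AutoSize
    # This is the situation the post describes; the fix that worked there was:
    #   auditpol /restore /file:$localCsv
}
else {
    Write-Host "Effective audit policy matches $sourceCsv"
}
```

Because the script only reads, it is safe to drop into a scheduled check; the auditpol /restore line is left as a comment so the reload stays a deliberate step.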

The Routing and Remote Access service terminated with the following service-specific error: A device attached to the system is not functioning.

One day after a server reboot on a VM with Windows Server 2012 the RRAS service didn't want to start. After reviewing the event logs I found 2 errors regarding RRAS.

The Routing and Remote Access service terminated with the following service-specific error: A device attached to the system is not functioning.


Unable to load C:\Windows\System32\iprtrmgr.dll


After some googling around and finding some great info on TechNet I realized that the issue is connected to a recently applied Group Policy.

The GPO that was applied (IPv6 Configuration Policy) disabled IPv6 on the domain computers. In my current network setup I found no reason to have IPv6 enabled, as it would only spam the network and cause problems.

Administrative templates\network\ipv6 configuration\

After deleting the following registry key the service could start again with no issues.


HKEY_LOCAL_MACHINE\System\currentcontrolset\services\remoteaccess\routermanagers\IPV6
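The fix is a one-line registry deletion, but deleting service configuration without a copy is how the next outage starts. The script below is an added example (not part of the original post): it checks that the key from the post is actually present, exports it with reg.exe so the change can be reverted, removes it and starts the service. It assumes an elevated session and that the service name is RemoteAccess.

```powershell
# Added example, not from the original post: remove the IPv6 router manager key
# that blocked RRAS from starting, keeping a backup first.

$keyPs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\IPV6'
$keyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\IPV6'
$backup = Join-Path $env:TEMP 'RouterManagers-IPV6-backup.reg'

if (-not (Test-Path -LiteralPath $keyPs)) {
    Write-Host 'IPv6 router manager key is not present; the RRAS failure has another cause.'
    return
}

# Export the key so the change can be undone with:  reg import <backup file>
reg.exe export $keyReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $keyReg failed; not removing the key." }
Write-Host "Backup written to $backup"

Remove-Item -LiteralPath $keyPs -Recurse
Start-Service -Name RemoteAccess
Get-Service -Name RemoteAccess | Select-Object Name, Status
```

If the service still fails after the key is gone, the backup file is what you import before looking elsewhere.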

#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

It’s been quite a while since my last post here.

I have an Exchange server which has quite a history and has been upgraded constantly. There was an issue with one user's mailbox. After deleting the user (I also deleted the user in AD) and recreating it, internal users couldn't send mail to the newly created user.

IMCEAEX-_O=COMPANY=First+20administrative+20group_cn=recipients_cn=FIRSTNAME+2ELASTNAME@DOMAIN.COM
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

After some research, these sites helped a lot:
http://ficility.net/tag/exchange-2010-mailbox-re-created-legacy-exchange-dn-missing/
http://msexchangeguru.com/2012/03/15/x500/
http://zytelnetworks.com/kb/?p=273

All my old users have an X500 address but the newly created users don't. That is actually no issue since Exchange is backward compatible: the X500 addresses are still used, just hidden a bit. You can find the current X500 address in the user properties (in AD) under Attribute Editor; the property is legacyExchangeDN.
The value here is the user's X500 address, but it differs from the old address and is therefore useless. You can change the address here to the old one or add an X500 record to the user's mailbox. Both work.

First you need to transform the IMCEAEX address a bit.
IMCEAEX-_O=COMPANY=First+20administrative+20group_cn=recipients_cn=FIRSTNAME+2ELASTNAME@DOMAIN.COM

Cut the beginning:

_O=COMPANY=First+20administrative+20group_cn=recipients_cn=FIRSTNAME+2ELASTNAME@DOMAIN.COM

Replace the following values (the +XX escapes are the hex codes of the original characters):

_    ->  /
+28  ->  (
+29  ->  )
+2E  ->  .
+20  ->  SPACE
+40  ->  @
+2C  ->  ,
+5F  ->  _

/O=COMPANY=First administrative group/cn=recipients/cn=FIRSTNAME.LASTNAME@DOMAIN.COM

Remove the domain and you get the correct address:
/O=COMPANY=First administrative group/cn=recipients/cn=FIRSTNAME.LASTNAME

Now just change legacyExchangeDN to this value or add a new X500 record to the mailbox. You can do it via the GUI

(screenshot: adding a custom X500 address to the mailbox)

or via the console if you don't use the GUI anymore or can't use it:

# Exchange Management Shell: append the old legacyExchangeDN as an X500 proxy address.
# The "X500:" prefix is required; without a prefix Exchange treats the string as an SMTP address.
$smth = Get-Mailbox "FIRSTNAME LASTNAME"
$smth.EmailAddresses += "X500:/O=COMPANY=First administrative group/cn=recipients/cn=FIRSTNAME.LASTNAME"
Set-Mailbox "FIRSTNAME LASTNAME" -EmailAddresses $smth.EmailAddresses
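Doing the conversion by hand once is fine; after a few of these you want the decoding automated so a missed +XX does not produce a wrong X500 entry. The function below is an added example (not from the original post): it strips the IMCEAEX- prefix and the routing domain, turns every "_" into "/" and decodes every "+XX" hex escape generically, so it covers the table above and any other escaped character. The mailbox part reuses the post's own approach; the mailbox display name and the NDR address are the anonymised ones from the post.

```powershell
# Added example, not part of the original post: turn the IMCEAEX address from
# an NDR back into the legacyExchangeDN / X500 value and add it to the mailbox.

function ConvertFrom-ImceaexAddress {
    param([Parameter(Mandatory = $true)][string]$Address)

    $s = $Address
    if ($s.StartsWith('IMCEAEX-', [StringComparison]::OrdinalIgnoreCase)) {
        $s = $s.Substring(8)                      # cut the beginning
    }
    $s = $s -replace '@[^@]*$', ''                # remove the routing domain (the trailing literal @...)
    $s = $s -replace '_', '/'                     # "_" becomes "/"; must happen before +5F is decoded to "_"
    # Every "+XX" is a hex-encoded character of the original DN (+20 space, +2E ".", +28 "(" ...)
    $s = [regex]::Replace($s, '\+([0-9A-Fa-f]{2})',
        { param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16) })
    return $s
}

# Constructed input: the anonymised address from the NDR above.
$ndr  = 'IMCEAEX-_O=COMPANY=First+20administrative+20group_cn=recipients_cn=FIRSTNAME+2ELASTNAME@DOMAIN.COM'
$x500 = ConvertFrom-ImceaexAddress -Address $ndr
Write-Host "X500 address to add: $x500"

# Exchange Management Shell part: add the X500 proxy address only if it is missing.
$mbx      = Get-Mailbox -Identity 'FIRSTNAME LASTNAME'
$existing = $mbx.EmailAddresses | ForEach-Object { $_.ToString() }
if ($existing -notcontains "X500:$x500") {
    $mbx.EmailAddresses += "X500:$x500"
    Set-Mailbox -Identity $mbx.Identity -EmailAddresses $mbx.EmailAddresses
}
else {
    Write-Host 'Mailbox already carries this X500 address.'
}
```

For the NDR address above the function returns exactly the value worked out by hand in the post. Decoding after the underscore replacement matters: a +5F in the original DN must come out as "_", not be turned into a "/" separator.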

Disable Java update with a group policy

To disable the annoying Java updates you need to create a new Group Policy Object and link it to your domain.
If you have both 32-bit and 64-bit systems in your domain you need to use both keys. To avoid adding both keys to both types of machines you need to check the value of the key first, before applying the update.

This is the key for 32bit systems

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\JavaSoft\Java Update\Policy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000
Base: Hexadecimal
(screenshot: the registry item for the 32-bit key)

This is the key for 64bit systems

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000
Base: Hexadecimal
(screenshot: the registry item for the 64-bit key)

Now you need to set up Targeting. Go to the Common tab and click Targeting.
Click New Item and add a Registry Match entry.
Fill out all the entries that have to match if you want the registry item to apply. The 64-bit version should look like this. Do the same thing for the 32-bit entry, just change the key path accordingly.
(screenshot: registry match targeting for the 64-bit key)

The entries in the Group Policy Management Editor should now look like this
(screenshot: the two registry items in the Group Policy Management Editor)

Now all you need to do is run gpupdate and check the registry to see if the changes applied 😉
Each time it applies, this GPO checks the EnableJavaUpdate value in the registry and, if it exists and is set to 1, updates it to 0.
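The same check-then-write logic is handy as a script, either to verify on one machine what the GPO preference did or to apply it where Group Policy does not reach. The script below is an added example (not part of the original post); it uses the two key paths from the post and, like the item-level targeting above, only touches a key that exists and currently holds EnableJavaUpdate = 1.

```powershell
# Added example, not from the original post: script equivalent of the two
# registry items with their Registry Match targeting. Run elevated.

function Disable-JavaAutoUpdate {
    $keys = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy',               # the post's 32-bit key
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy'    # the post's 64-bit key
    )

    foreach ($key in $keys) {
        # Targeting condition 1: the key must exist on this machine.
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Host "$key not present, skipping"
            continue
        }
        # Targeting condition 2: the value must exist ...
        $item = Get-ItemProperty -LiteralPath $key -Name 'EnableJavaUpdate' -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Host "$key has no EnableJavaUpdate value, skipping"
            continue
        }
        # ... and be 1 before we overwrite it with 0 (REG_DWORD, as in the GPO item).
        if ($item.EnableJavaUpdate -eq 1) {
            Set-ItemProperty -LiteralPath $key -Name 'EnableJavaUpdate' -Value 0 -Type DWord
            Write-Host "Set EnableJavaUpdate=0 under $key"
        }
        else {
            Write-Host "$key already has EnableJavaUpdate=$($item.EnableJavaUpdate)"
        }
    }
}

Disable-JavaAutoUpdate
```

Once the built-in updater is off, Java patches only arrive through whatever deployment tooling you use for other software, so keep Java in that pipeline rather than leaving old runtimes in place.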

Exchange 2010 problems

Recently we had to reinstall the MS Exchange 2010 server as the one in use just randomly froze from time to time. This installation was anything but trivial...

1. If you think it is a good idea to reuse the existing database to save time (it saved me -2 days)

2. I had a problem reattaching the database to the new server. Found that there is a limitation for the log files... if they are too big it just fails. Had to use Eseutil to clean the database.

3. I had to reattach every user mailbox using the "Connect-Mailbox" command (you can get a list with "Get-MailboxStatistics -Database MBD01 | Where { $_.DisconnectReason -eq 'Disabled' } | Format-List LegacyDN, DisplayName, MailboxGUID, DisconnectReason")
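Reattaching every mailbox one by one gets old quickly, so here is the list from step 3 fed into Connect-Mailbox in a loop. This is an added example (not from the original post); it uses the post's database name MBD01, assumes each disconnected mailbox's DisplayName resolves to exactly one AD user, and runs with -WhatIf so the mapping can be reviewed before anything is connected.

```powershell
# Added example, not part of the original post: reconnect the disconnected
# mailboxes in the reused database to their AD users. Exchange Management Shell.

$db = 'MBD01'   # database name from the post

$disconnected = Get-MailboxStatistics -Database $db |
    Where-Object { $_.DisconnectReason -eq 'Disabled' }

foreach ($m in $disconnected) {
    # Assumption: the mailbox display name is also the user's display name in AD.
    $user = @(Get-User -Identity $m.DisplayName -ErrorAction SilentlyContinue)
    if ($user.Count -ne 1) {
        Write-Warning "Skipping '$($m.DisplayName)' (GUID $($m.MailboxGuid)): $($user.Count) matching AD users"
        continue
    }
    # Remove -WhatIf once the printed pairs look right.
    Connect-Mailbox -Identity $m.MailboxGuid -Database $db -User $user[0].Identity -WhatIf
}
```

Mailboxes whose display name matches zero or several users are reported and skipped rather than guessed at; those are the ones to connect by hand with the LegacyDN from the list.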

BTW when you install the exchange server, the name of the EXCHANGE ORGANISATION HAS TO BE THE SAME.

Open a FTP site with windows explorer

After quite a while I had to upload some file to an FTP server. I didn't have a dedicated FTP client installed, so I planned to use the integrated FTP client that is in Windows 7.

I opened Windows Explorer, pasted in the address and Chrome opened. Darn... Ok, I tried changing the default program for FTP in "Control Panel\Programs\Default Programs\Set Associations" but I could choose only IE, Chrome and Firefox. I googled around a bit and found this registry key (a .reg file for the ftp protocol handler):

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\ftp]
@="URL:File Transfer Protocol"
"AppUserModelID"="Microsoft.InternetExplorer.Default"
"EditFlags"=dword:00000002
"FriendlyTypeName"="@C:\\Windows\\system32\\ieframe.dll,-905"
"ShellFolder"="{63da6ec0-2e98-11cf-8d82-444553540000}"
"Source Filter"="{E436EBB6-524F-11CE-9F53-0020AF0BA770}"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\ftp\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,75,00,72,00,\
6c,00,2e,00,64,00,6c,00,6c,00,2c,00,30,00,00,00
[HKEY_CLASSES_ROOT\ftp\shell]
@="open"
[HKEY_CLASSES_ROOT\ftp\shell\open]

Now everything works as it should.

Visual Studio 2012…. ugly

I was playing around with some little project of mine when I got a test solution for VS 2012.

I know that Visual Studio 2013 is already out there, but I liked to use 2010.

When I opened VS 2012 I remembered why I didn't switch... it is a horrible GUI. Everything is so... boxish... monochromish... touchish...

Soooo when I googled around I found out that with Update 2 they included a blue theme... yay... ok, let's install the latest update...

Ok, I still missed the old icons but the blue theme really helped 😉

After googling some more I found out that there is a project on CodePlex called Visual Studio Icon Patcher.

You need to run it as admin and run the following commands; I also ran backup first, just to be sure.

backup -v 2012

extract

inject

I also found a nice feature to toggle the uppercase menus. This did not work for me, probably because I was using the Express edition.

(screenshot: the uppercase menu toggle)

This way you get your old icons back, but you need to have VS 2010 installed. Here I found another way to disable UPPERCASE MENU ITEMS which worked for me:

[HKEY_CURRENT_USER\Software\Microsoft\WDExpress\11.0\General]
"SuppressUppercaseConversion"=dword:00000001

And this was pretty much it… VS 2012 is usable now! Need to install VS 2013 now😉