Server 2008

Terminal Server Security

Posted by robd on December 01, 2014
powershell / 1 Comment

Today a client noticed several thousand failed security attempts on their Terminal Server:

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc0000064

Process Information:
	Caller Process ID:	0x5f8
	Caller Process Name:	C:\Windows\System32\winlogon.exe

Network Information:
	Workstation Name:	SERVER01
	Source Network Address:
	Source Port:		56272

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-


So after filtering for Event 4625 in Event Viewer I found I couldn't export the Source Network Address, so I came up with this handy PowerShell script to export the IP to a CSV:

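# Export the Source Network Address of each failed logon (event 4625) from the last 24 hours
$DT = [DateTime]::Now.AddDays(-1)
$logName = '{0}{1}_security4625_log_{2}.csv' -f "c:\temp\",
 $DT.ToString("dd-MM-yyyy"), $env:Computername
# For event 4625, ReplacementStrings[5] is the target account name and
# ReplacementStrings[19] is the Source Network Address
Get-EventLog -LogName 'Security' `
 -InstanceId 4625 `
 -After $DT |
 Select-Object TimeGenerated,
  @{ Name='TargetUserName'; Expression={$_.ReplacementStrings[5]} },
  @{ Name='SourceNetworkAddress'; Expression={$_.ReplacementStrings[19]} } |
 Export-Csv -Path $logName -NoTypeInformation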
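
A per-address summary is usually more useful for triage than a raw list. The following is an added example, not part of the original post: it reads the 4625 fields by name from the event XML and decodes the Sub Status (0xc0000064 in the event above means the user name does not exist). The function names and the sample events are constructed for illustration.

```powershell
# Added example: summarise 4625 events per source address, reading fields by name.
# Sub Status (NTSTATUS) codes that say why the logon failed
$SubStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

# Hypothetical helper: turn one event's XML into an object with the fields we need
function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$Xml)
    process {
        $f = @{}
        foreach ($d in ([xml]$Xml).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        $reason = $SubStatusText[[string]$f['SubStatus']]
        if (-not $reason) { $reason = $f['SubStatus'] }   # unknown code: keep it raw
        New-Object PSObject -Property @{
            SourceAddress = $f['IpAddress']
            TargetUser    = $f['TargetUserName']
            Reason        = $reason
        }
    }
}

# Hypothetical helper: failures, distinct target accounts and reasons per source address
function Get-FailedLogonSummary {
    param([Parameter(Mandatory=$true)][object[]]$Logon)
    $Logon | Group-Object SourceAddress | Sort-Object Count -Descending | ForEach-Object {
        New-Object PSObject -Property @{
            SourceAddress = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($_.Group | Select-Object -ExpandProperty TargetUser -Unique).Count
            Reasons       = @($_.Group | Select-Object -ExpandProperty Reason -Unique) -join '; '
        }
    }
}

# Constructed sample events (documentation addresses, made-up account names)
$tpl = '<Event><EventData><Data Name="TargetUserName">{0}</Data>' +
       '<Data Name="SubStatus">{1}</Data><Data Name="IpAddress">{2}</Data></EventData></Event>'
$sample = @(
    ($tpl -f 'administrator', '0xc000006a', '203.0.113.7'),
    ($tpl -f 'scanner',       '0xc0000064', '203.0.113.7'),
    ($tpl -f 'jsmith',        '0xc000006a', '198.51.100.20')
)
Get-FailedLogonSummary -Logon ($sample | ConvertFrom-FailedLogonXml)

# Live log, last 24 hours:
# $q = '*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
# $xml = Get-WinEvent -LogName Security -FilterXPath $q | ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary -Logon ($xml | ConvertFrom-FailedLogonXml)
```

One address failing against many distinct accounts, mostly with "user name does not exist", points to account-name guessing rather than a user who has forgotten a password.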



DNS for a subdomain

Posted by robd on May 08, 2014
DNS / No Comments

Hi All,

My company uses a sub-domain for a satellite office; all works fine and replication takes place, etc.

The problem I had was with DNS.  I’m based in Contoso.local and I cannot ping any device on the sub-domain Sub.contoso.local without fully qualifying the domain.

For example, if I ping Server1 on the subdomain using

"Ping Server1"

DNS cannot route the command, whereas if I type

"Ping Server1.sub.contoso.local"

it works fine.

I’ve checked DNS on Contoso.local and there are conditional forwarders to Sub.contoso.local:


So how can I get around this?  The answer is to add a DNS suffix locally or to all the domain devices via Group Policy:

Group policy:

Computer Policy > Policies > Administrative Templates > Network/DNS Client > DNS Suffix Search List.


Then GPUPDATE /force your client and run IPCONFIG /ALL and you should see:





Find AD users using Profile Paths (roaming profiles)

Posted by robd on May 08, 2014
powershell / 1 Comment

So today, due to a server migration, I needed a list of all the users who have roaming profiles, and found this useful PowerShell script:

Please note you need to amend the -Path value in this script to suit your site, e.g. “OU=VI2,OU=Students,OU=Users,OU=Monmouth School,DC=Monmouth,DC=local”

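# Requires the ActiveDirectory module, which provides the AD: drive
Import-Module ActiveDirectory
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(profilepath=*))" `
 -Path Ad:\"OU=DEPARTMENT,OU=Users,OU=SITE,DC=DOMAIN,DC=local" -Recurse |
foreach {
 $user = [adsi]"LDAP://$($_.DistinguishedName)"
 # Cast each ADSI property to a string so the CSV holds plain text values
 $user | select @{N="Name"; E={[string]$_.name}},
 @{N="DistinguishedName"; E={[string]$_.distinguishedname}},
 @{N="ProfilePath"; E={[string]$_.profilepath}}
} | export-csv txt.csv -NoTypeInformation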


User Account Control (UAC) for Server 2008

Posted by robd on September 03, 2013
Server 2008 / No Comments

Today an admin mentioned how annoying the “Run as Administrator” option is on Server 2008. Well, I agree, so here’s how to turn it off:

Click Start

Type UAC:


Click “Change User Account Control Settings” and change the sliding setting.  I chose Never notify:


Click OK and Yes if prompted.

If for some reason this doesn't change UAC for all users of the server, you either need to create a group policy to change:

“User Account Control: Run all administrators in Admin Approval Mode”

or you can change it locally using Local Security Policy i.e.

Click Start, Run, type:



Go to:


Find: “User Account Control: Run all administrators in Admin Approval Mode” and choose Disabled.
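
To audit which state a server is actually in after these changes, the three registry values behind the UAC settings can be read and classified. This is an added example, not part of the original post; the function name Get-UacState and the sample inputs are constructed, and the values are assumed to be present, as they are on a default install.

```powershell
# Added example: report the effective UAC settings of a machine.
# "Run all administrators in Admin Approval Mode" is stored as EnableLUA.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin (elevation prompt for administrators)
$ConsentText = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacState {
    # -Values lets pre-read settings be classified (used for the samples below);
    # without it the local registry is read.
    param([hashtable]$Values)
    if (-not $Values) {
        $k = Get-ItemProperty -Path $UacKey
        $Values = @{
            EnableLUA                  = $k.EnableLUA
            ConsentPromptBehaviorAdmin = $k.ConsentPromptBehaviorAdmin
            PromptOnSecureDesktop      = $k.PromptOnSecureDesktop
        }
    }
    $findings = @()
    if ($Values.EnableLUA -ne 1) { $findings += 'Admin Approval Mode is disabled (EnableLUA=0)' }
    if ($Values.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'Administrators elevate without a prompt' }
    if ($Values.PromptOnSecureDesktop -ne 1) { $findings += 'Prompts are not shown on the secure desktop' }
    New-Object PSObject -Property @{
        AdminPrompt = $ConsentText[[int]$Values.ConsentPromptBehaviorAdmin]
        Findings    = $findings -join '; '
        Weakened    = ($findings.Count -gt 0)
    }
}

# Constructed samples: silent elevation, then the policy set to Disabled
Get-UacState -Values @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
Get-UacState -Values @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }

# Local machine:
# Get-UacState
```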




Windows 7 Login Wallpaper with Group Policies

Posted by robd on October 09, 2012
Group Policies, Windows 7 / 1 Comment

I’m sure you all know what group policies are as I’m guessing you wouldn’t be here otherwise!

Well here’s a quick how-to on the settings you need to set up a login Wallpaper for Win 7:

Firstly you’ll need a Domain Controller running Server 2008 (I used R2) or a Windows 7 workstation with the AD tools installed and be logged on as an admin of some sort (preferably a Domain Admin):

1. Open Group Policy Management.

2. Go to: Computer Configuration\Preferences\Windows Settings\Files

3. Right-click the “Files” icon and click:  New > File

4. Select Replace

5. Type in the UNC path for your source file i.e. \\Server\Share\LogonWallpaper.jpg
     •Remember this file needs to be small, less than 256K
     •Also the permissions on this share need to allow the computer account READ access. If in doubt use “Authenticated Users”.
6. For the Destination File, type this (without the quotes): “%windir%\system32\oobe\info\backgrounds\backgrounddefault.jpg”
7. Click the “Common” tab

8. Select “Remove this item when it is no longer applied”. This will ensure your file is removed if:
     •The GPO is deleted or disabled
     •The workstation is moved to another OU
     •The policy is filtered out
     •You update your policy to send a new wallpaper file
9. Select Item-level targeting to specify only Windows 7 computers. This will ensure your file isn’t sent to versions of Windows that wouldn’t make use of it anyway i.e. XP.
10. Go to: Computer Configuration\Policies\Administrative Templates\System\Logon
11. Click “Always use custom logon background” and set it to “Enabled”
