Archive

Posts Tagged ‘Windows Server’

Delegate “logoff” permission RDS 2012


Recently I had a challenge with delegating the permission to logoff sessions to a group of users on a RDS solution based on 2012 R2, but without giving them local administrator permissions. Microsoft has removed the RDSH console in Windows Server 2012, which means we have no place to set permissions for the sessions on a RDSH based on 2012 or later. After a quite bit a research I found a solution.

Step 1: Assign permissions

Some googling led me here where I found this command which does the job if you replace “domain\group”with correct values.

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName =”RDP-Tcp”) CALL AddAccount “domain\group”,2

However if you have an existing 2008 R2 server you can install the RSAT for RDSH and connect to the 2012 R2 session host and set the needed permissions there.

rdsh_gui1

Step 2: Enable logoff

Now when the users have permission to logoff sessions, they still can’t use task manager because the options there are very limited when you’re not an administrator:

rdsh_taskmgr

And Powershell can’t query the RDS deployment without administrator rights, so for once I couldn’t user Powershell to save the day.

However we have command line tools to get the job done. To make this more user friendly I made a batch-file and put it on the desktop for the delegated users. Here the user can list all sessions on the server and select which one to logoff. It boils down to a combination of “query session” and “logoff” commands. This is the batch file, feel free to use if needed.

@echo off
REM List sessions and log off users
REM Written by Per-Torben Sørensen
:MENU
ECHO.
ECHO ………………………………………..
ECHO PRESS 1 or 2 to select your task, or 3 to EXIT.
ECHO ………………………………………..
ECHO.
ECHO 1 – List current sessions only
ECHO 2 – List and log off a session
ECHO 3 – EXIT
ECHO.
SET /P T=”Type 1, 2, or 3 then press ENTER: ”
IF %T%==1 GOTO LIST
IF %T%==2 GOTO LOGOFF
IF %T%==3 GOTO EOF
:LIST
query session
GOTO MENU
:LOGOFF
query session
echo.
SET /P ID=”Type the ID of the session to log off, or C to cancel: ”
IF %ID%==C GOTO MENU
logoff %ID%
GOTO MENU

 

Error when expanding disks in Windows Server 2008


If you try to expand disks on a Windows Server 2008 and you get an error message like this:
notenoughspace

The resolution that worked for me is to do an Manual rescan of the disk.
Do like this:
rescan

 

IPconfig is blank (Windows IP Configuration)


Recently I found that a server lost it’s IP configuration, or so it looked like.

When runnin the ipconfig command the only output is this line:
Windows IP Configuration

All info about IP adresses, netmask, gateways, dns servers and all other info are gone.

I fixed this problem by restarting the TCP/IP Netbios Helper service.

In other blogs I have found that the same problem can be fixed by runnin the command:
netsh int ip reset
This command had no effect on mye problem, but might help others.

Since this problem where reoccuring on my server I created a scheduled task for restarting the service once pr day. This completly mends this problem (at least so far).

Java security settings


Java 7u51 has been a headache so far with security settings, especially on a terminalserver. I needed to adjust the security setting for Java for all users on the terminalserver and add a website (example.com) to the exception site list in Java.

The solution was to create 3 text files and place them all in the folder C:\Windows\Sun\Java\Deployment

filename: Deployment.config

deployment.system.config=C:\WINDOWS\Sun\Java\Deployment\deployment.properties
deployment.system.config.mandatory=true

filename: deployment.properties

deployment.security.level=MEDIUM
deployment.security.level.locked=
deployment.user.security.exception.sites=C\:\\WINDOWS\\Sun\\Java\\Deployment\\exception.sites

filename: exception.sites

https://www.example.com

After these 3 textfiles are created, the new java settings till take effect at next logon, and you can verify it by looking at the security tab in java control panel.

Delete old files from commandline


To quickly run a command (like delete) on files older than X days in commandprompt:

forfiles -p “C:\folder\Subfolder” -s -m *.* -d (Number of days) -c “cmd /c (command) @PATH”

Number of days has to be negative for days in the past (for example -30 for 30 days old). Replace “command” with the command you want to run (like del or echo)  

Create a custom event with powershell


To create an event without eventcreate.exe, which is limited to EventID below 1000, you can use powershell. { } indicates what you have to customize and then just run everything as admin from powershell.

$evt=new-object System.Diagnostics.Eventlog(“{Application/System/etc..}”)

$evt.Source=”{SOURCE}”

$evtNumber={EVENT ID}

$evtDescription=”{write a description}”

$infoevent=[System.Diagnostics.EventLogEntryType]::{Warning/Error/etc..}

$evt.WriteEntry($evtDescription,$infoevent,$evtNumber)

How to find locked out users by using PowerShell


To retrive a list of locked user in Active Directory use these PowerShell commands:

1. start powershell on one of your domain controllers
2. import AD module: “Import-Module ActiveDirectory”
3. search for locket users: “Search-ADAccount -LockedOut | select name”
4. unlock users: “Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm”

If number 4 fails, unlock users manualy from ADUC.

locket_users

%d bloggers like this: