Archive

Archive for the ‘Windows 2008’ Category

How to get the last password change for a user in Active Directory

If you need to know when a user of an Active Directory domain last changed their password, the following PowerShell commands are enough:

  • on a Windows 7 client or a Windows 2008/2008 R2 server that is a member of the Active Directory domain the user belongs to, open a PowerShell console and type at the prompt (the ActiveDirectory module comes with the RSAT AD DS tools on Windows 7 and Windows 2008 R2 and needs at least one domain controller running Active Directory Web Services):

Import-Module ActiveDirectory
Get-ADUser 'UserName' -Properties PasswordLastSet | Format-List

  • for example:

Import-Module ActiveDirectory
Get-ADUser 'tani.alessandro' -Properties PasswordLastSet | Format-List

The PasswordLastSet field holds the date of the last password change. It is computed from the pwdLastSet attribute: an empty value means the password must be changed at next logon (pwdLastSet is 0), and the date also advances when an administrator resets the password, not only when the user changes it, so on an account flagged "password never expires" a date that never moves is the usual sign of a forgotten service account.
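
The same cmdlet can audit the whole domain instead of one user. The following script is an added example, not code from the original post: it assumes the ActiveDirectory module is available as described above, that a domain controller running Active Directory Web Services is reachable, and that the maximum password age is 90 days (an assumption; take the real value from your domain password policy).

```powershell
# Added example, not part of the original post: report every enabled account whose password
# age deserves a look. Assumes the ActiveDirectory module (RSAT on Windows 7 / AD DS tools on
# Windows 2008 R2) and a maximum password age of 90 days (assumption; use your policy value).
Import-Module ActiveDirectory

function Get-PasswordAgeReport {
    param(
        [int]$MaxAgeDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)

    # pwdLastSet is the raw attribute behind PasswordLastSet; 0 means "must change at next logon".
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
               -Properties PasswordLastSet, pwdLastSet, PasswordNeverExpires, PasswordNotRequired, LastLogonDate |
    ForEach-Object {
        if ($_.pwdLastSet -eq 0)                { $state = 'MustChangeAtNextLogon' }
        elseif ($_.PasswordNeverExpires)        { $state = 'NeverExpires' }
        elseif ($_.PasswordLastSet -lt $cutoff) { $state = 'OlderThanPolicy' }
        else                                    { $state = 'OK' }

        $ageDays = $null
        if ($_.PasswordLastSet) { $ageDays = [int](($now - $_.PasswordLastSet).TotalDays) }

        # New-Object instead of [pscustomobject] so the script also runs on PowerShell 2.0
        New-Object PSObject -Property @{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            PasswordAgeDays      = $ageDays
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordNotRequired  = $_.PasswordNotRequired   # UAC flag that allows an empty password
            LastLogonDate        = $_.LastLogonDate
            State                = $state
        }
    }
}

# Usage: everything that is not 'OK', oldest password first, exported for review
Get-PasswordAgeReport -MaxAgeDays 90 |
    Where-Object { $_.State -ne 'OK' -or $_.PasswordNotRequired } |
    Sort-Object PasswordAgeDays -Descending |
    Export-Csv -Path "$env:TEMP\password-age-report.csv" -NoTypeInformation
```

Accounts in the NeverExpires and PasswordNotRequired rows are the ones to review first: a password-age policy never touches them, so nothing forces a rotation of those credentials.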


Information about Windows 7 and Windows 2008 R2 Service Pack 1

Service Pack 1 for Windows 7 and Windows 2008 R2 was released on February 22, 2011. To download it you must first pass the Genuine Microsoft Software validation. Go to the Microsoft Download Center and follow these steps:

  • press the Continue button;
  • run the GenuineCheck.exe program;
  • enter the Windows Genuine Advantage code it shows into the web page;
  • proceed with the download of the Service Pack version you need.

Since the Microsoft Download Center pages do not say much about which version of Service Pack 1 for Windows 7 and Windows 2008 R2 you need to download, here is a little more detail:

  • Windows6.1-KB976932-X86.exe: installs SP1 on a 32-bit machine running Windows 7 (537.8 MB);
  • Windows6.1-KB976932-X64.exe: installs SP1 on a 64-bit machine running Windows 7 or Windows Server 2008 R2 (903.2 MB);
  • Windows_Win7SP1.7601.17514.101119-1850.X86FRE.Symbols.msi: standalone debugging symbols (free build) for 32-bit machines (330.6 MB);
  • Windows_Win7SP1.7601.17514.101119-1850.X86CHK.Symbols.msi: standalone debugging symbols (checked build) for 32-bit machines (294.5 MB);
  • Windows_Win7SP1.7601.17514.101119-1850.AMD64FRE.Symbols.msi: standalone debugging symbols (free build) for 64-bit machines; contains the symbols for both Windows 7 SP1 and Windows Server 2008 R2 SP1 (287.8 MB);
  • Windows_Win7SP1.7601.17514.101119-1850.AMD64CHK.Symbols.msi: standalone debugging symbols (checked build) for 64-bit machines; contains the symbols for both Windows 7 SP1 and Windows Server 2008 R2 SP1 (262.7 MB);
  • 7601.17514.101119-1850_Update_Sp_Wave1-GRMSP1.1_DVD.iso: DVD image containing the standalone update for all architectures (1953.3 MB).

To learn how to install Service Pack 1 for Windows 7 and Windows 2008 R2, see the following two guides:

Thank you for your attention.

How to manage printers – Part I

Printer management has always placed a certain burden on system administrators, but with Windows 2000 and Active Directory it became somewhat more comfortable. This first part deals with how to name a printer and how to fill in its Location field.

By network printer we mean any printer that meets at least one of the following two conditions:

  • the printer has a network adapter and an IP address (preferably static, or reserved via DHCP);
  • two or more workstations can print, more or less simultaneously, to the same printer.

In this post we consider only network printers and workstations that belong to an Active Directory domain. The first question is: what name should a network printer have? When naming a network printer I believe you should follow these golden rules:

  • do not use names longer than eight characters;
  • use only alphanumeric characters;
  • do not put into the printer name anything that can change over time, e.g. office acronyms or room numbers;
  • make the printer name match the share name of the printer queue.

For example, a good name for an HP LaserJet 2100DN could be HPLJ01, where the first two letters are an acronym of the manufacturer (Hewlett-Packard), the next two an acronym of the printer type (LaserJet) and the last two digits a sequence number (01). Following the same rule, an HP Color LaserJet CP1815NI would be called HPLJ02.

Once you have chosen the name, it is a good idea to put a label on the printer showing its name and, if it has a network card, its IP address.

The second issue I want to address is: where are my printers? This is an extremely important point. To learn how to fill in the Location field you should read the Microsoft document Best Practices for Deploying Printer Location with Active Directory. A value for the Location field could be the following: Italy/ReggioEmilia/ViaBrigataReggio/HQ/FirstFloor/Room112, where Italy is the country where the printer is located, ReggioEmilia is the city (Reggio Emilia), ViaBrigataReggio is the street address of the headquarters, HQ is the building (the headquarters), FirstFloor indicates that the printer is in a room on the first floor and Room112 indicates that the room number is 112:

Printer Name and Location
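
The naming rules and the Location layout above can be checked, and the Location field written, over WMI from any domain workstation. The script below is an added example, not code from the original post: it assumes a Windows 2008/2008 R2 print server reachable over WMI (the hostname 'printsrv01' is made up), and a six-segment Location layout Country/City/Street/Building/Floor/Room without spaces, which is this post's convention, not a Windows requirement.

```powershell
# Added example, not part of the original post: audit printer names and Location fields on a
# print server against the rules above. Assumptions: WMI access to the print server, and the
# six-segment Location layout used in this post (adjust $LocationPattern if yours differs).
function Test-PrinterNaming {
    param(
        [string]$ComputerName = '.',
        [string]$LocationPattern = '^[A-Za-z0-9]+(/[A-Za-z0-9]+){5}$'   # Country/City/Street/Building/Floor/Room
    )
    # Map TCP/IP printer ports to their IP address, so the report shows what belongs on the label
    $ports = @{}
    Get-WmiObject -Class Win32_TCPIPPrinterPort -ComputerName $ComputerName |
        ForEach-Object { $ports[$_.Name] = $_.HostAddress }

    Get-WmiObject -Class Win32_Printer -ComputerName $ComputerName |
      Where-Object { $_.Shared -or $ports.ContainsKey($_.PortName) } |   # "network printer" as defined above
      ForEach-Object {
        $problems = @()
        if ($_.Name.Length -gt 8)                    { $problems += 'name longer than 8 characters' }
        if ($_.Name -notmatch '^[A-Za-z0-9]+$')      { $problems += 'name contains non-alphanumeric characters' }
        if ($_.Shared -and $_.ShareName -ne $_.Name) { $problems += "share name '$($_.ShareName)' differs from printer name" }
        if (-not $_.Location)                        { $problems += 'Location field empty' }
        elseif ($_.Location -notmatch $LocationPattern) { $problems += 'Location does not follow Country/City/Street/Building/Floor/Room' }

        New-Object PSObject -Property @{
            Name      = $_.Name
            ShareName = $_.ShareName
            IPAddress = $ports[$_.PortName]
            Location  = $_.Location
            Problems  = ($problems -join '; ')
        }
      }
}

function Set-PrinterLocation {
    param([string]$ComputerName = '.', [string]$Name, [string]$Location)
    # Escape backslashes and quotes: the name goes into a WQL filter string
    $wqlName = $Name.Replace('\', '\\').Replace("'", "\'")
    $printer = Get-WmiObject -Class Win32_Printer -ComputerName $ComputerName -Filter "Name='$wqlName'"
    if (-not $printer) { throw "Printer '$Name' not found on $ComputerName" }
    $printer.Location = $Location
    [void]$printer.Put()     # Win32_Printer.Location is writable; Put() commits it to the spooler
}

# Usage (print server name is an assumption)
Test-PrinterNaming -ComputerName 'printsrv01' |
    Where-Object { $_.Problems } |
    Format-Table Name, ShareName, IPAddress, Location, Problems -AutoSize
Set-PrinterLocation -ComputerName 'printsrv01' -Name 'HPLJ01' -Location 'Italy/ReggioEmilia/ViaBrigataReggio/HQ/FirstFloor/Room112'
```

Run the audit before the second part's search trick is introduced: a Location that deviates from the agreed layout on even one printer is enough to make that printer invisible to a location-based search.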

In the second part of this series I will explain how to use the Location field to improve printer searches in Active Directory.

Connecting to SMB share with an alias name (CNAME)

Microsoft Knowledge Base article 281308, in its revision of December 4, 2008, states:

The registry key that is mentioned in the "Resolution" section is supported in Windows Server 2008. However, it works only for Server Message Block (SMB) version 1. It does not work for SMB version 2, also known as CIFS (Common Internet File System). By default, CIFS is the file sharing protocol that is used on Windows-based computers. Windows includes an SMB client component (Client for Microsoft Windows) and an SMB server component (File and Printer Sharing for Microsoft Windows). Windows Server 2008 and Windows Vista support the new SMB 2.0.

On a first reading it looks as if the suggestion in KB281308 does not apply to Windows 2008/Vista/7. But the same KB281308, as revised on September 28, 2009, reads instead:

The registry key that is mentioned in the “Resolution” section is applicable only to SMB 1.0. To communicate over the SMB2.0 protocol, or CIFS (Common Internet File System), you do not have to set the registry key. SMB 2.0 allows for the functionality described in this article to work by default without additional configuration. Computers that run Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7 support both SMB 1.0 and SMB 2.0. Windows includes an SMB client component (Client for Microsoft Windows) and an SMB server component (File and Printer Sharing for Microsoft Windows). By default, SMB 2.0 is the file sharing protocol that is used when both client and server support it.

Quite a different story. Suppose you have a Windows 2008 server whose hostname (NetBIOS name) is Galileo (galileo.homeworks.it as FQDN) with a shared folder called Saturn, and instead of the UNC path \\Galileo\Saturn you want to use \\Newton\Saturn, where Newton (newton.homeworks.it) is a DNS alias (CNAME) for Galileo. Then follow this recipe:

  • for Windows 2008/Vista/7 clients: create the DNS alias (CNAME) Newton (newton.homeworks.it) pointing to the server Galileo (galileo.homeworks.it);
  • for Windows 2000/2003/XP clients:
    • create the DNS alias (CNAME) Newton (newton.homeworks.it) pointing to the server Galileo (galileo.homeworks.it);
    • log on to the server Galileo with the credentials of a user with administrative rights on the server;
    • start Registry Editor (Regedt32.exe);
    • locate and click the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
    • on the Edit menu, click Add Value, and then add the following registry value:
      Value name: DisableStrictNameChecking
      Data type: REG_DWORD
      Radix: Decimal
      Value: 1
    • quit Registry Editor;
    • restart the server Galileo.

Once Galileo has restarted, run the following commands from a Command Prompt on Galileo:

setspn -a host/newton galileo
setspn -a host/newton.homeworks.it galileo

or, more generally:

setspn -a host/<CNAME_Server> <NetBIOS_Name_Server>
setspn -a host/<CNAME_FQDN_Server> <NetBIOS_Name_Server>

These SPNs are what make Kerberos work through the alias: a client connecting to \\Newton builds the service principal name cifs/newton.homeworks.it, which Windows maps onto host/newton.homeworks.it, and if no account holds that SPN the Kerberos request fails and the connection silently falls back to NTLM (or fails outright where NTLM is disabled). On Windows 2008 and later prefer setspn -S, which checks the forest for an existing SPN before adding it: a duplicate SPN breaks Kerberos authentication to both hosts. If the alias is later pointed at another server, remove the SPNs from Galileo (setspn -d) before adding them to the new host.

Now you can reach the shared resource (SMB share) Saturn either as \\Galileo\Saturn or as \\Newton\Saturn.

This recipe works for Windows 2000/2003/2003 R2 (Windows 2000 must have Service Pack 4 installed) and Windows 2008/2008 R2. Note that setspn.exe is not pre-installed on Windows 2003 R2, but is part of the Windows 2003 Support Tools.
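
The whole recipe, with the duplicate-SPN check and a client-side test that proves the connection really uses Kerberos, as an added example that is not part of the original post. Assumptions: it is run on the file server itself (server 'galileo', zone 'homeworks.it', alias 'newton', share 'Saturn', all from the text above) by a user who can write the AD-integrated DNS zone and the server's computer object; dnscmd.exe, setspn.exe and klist.exe are the in-box tools of Windows 2008/2008 R2; the file server is also a DNS server (otherwise pass a domain controller as -DnsServer).

```powershell
# Added example, not part of the original post: the CNAME + SPN recipe above as a script.
# Assumptions: run on the file server with rights on the DNS zone and on the computer object;
# in-box dnscmd/setspn/klist of Windows 2008/2008 R2; names taken from the post.
function Add-SmbAlias {
    param(
        [string]$Server    = 'galileo',
        [string]$Alias     = 'newton',
        [string]$Zone      = 'homeworks.it',
        [string]$DnsServer = $Server,    # assumption: file server is also a DNS server; otherwise name a DC
        [switch]$Smb1Clients             # Windows 2000/2003/XP clients still need DisableStrictNameChecking
    )
    # 1. CNAME newton.homeworks.it -> galileo.homeworks.it (trailing dot = fully qualified)
    & dnscmd $DnsServer /RecordAdd $Zone $Alias CNAME "$($Server).$($Zone)."
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }

    # 2. Register host/ SPNs for the alias on the server's computer account. -S (not -a) refuses
    #    to add an SPN that already exists anywhere in the forest; a duplicate breaks Kerberos
    #    for both hosts. The exit code and the output are both checked (assumption: setspn prints
    #    'Duplicate' in that case).
    foreach ($spn in "host/$Alias", "host/$($Alias).$($Zone)") {
        $out = & setspn -S $spn $Server 2>&1
        if ($LASTEXITCODE -ne 0 -or ($out -match 'Duplicate')) {
            throw "setspn -S $spn $Server failed:`n$($out -join "`n")"
        }
    }

    # 3. Only for SMB 1.0 clients: let the Server service answer to a name that is not its own
    if ($Smb1Clients) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        New-ItemProperty -Path $key -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Warning 'DisableStrictNameChecking set; restart the server as KB281308 requires.'
    }

    # 4. Show what is registered now and look for duplicate SPNs forest-wide
    & setspn -L $Server
    & setspn -X
}

# Verification from a domain client, once DNS has replicated: a fresh connection to the alias
# must yield a Kerberos ticket for cifs/<alias>; no ticket means the client fell back to NTLM.
function Test-SmbAlias {
    param([string]$Alias = 'newton', [string]$Share = 'Saturn')
    & klist purge | Out-Null
    if (-not (Test-Path "\\$Alias\$Share")) { throw "\\$Alias\$Share is not reachable" }
    $ticket = & klist | Select-String -Pattern "cifs/$Alias" -SimpleMatch
    if ($ticket) { "Kerberos ticket obtained: $($ticket.Line.Trim())" }
    else { Write-Warning "No cifs/$Alias ticket: the connection fell back to NTLM, check the SPNs" }
}

# Usage
Add-SmbAlias -Server 'galileo' -Alias 'newton' -Zone 'homeworks.it'
Test-SmbAlias -Alias 'newton' -Share 'Saturn'
```

Test-SmbAlias purges the ticket cache first on purpose: an old session to \\Galileo would otherwise mask a missing SPN for the alias.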

How to setup Microsoft Standalone Root CA

If you need to create a Microsoft Standalone Root CA, this short paper tries to help you. Keep in mind that the root key is the trust anchor of the whole hierarchy: in production a standalone root is normally installed on a machine that is kept offline, and only its certificate and CRL are published into Active Directory, whereas this paper installs it on a domain member. Before creating the Standalone Root CA you must write a text file called CAPolicy.inf. At a minimum, CAPolicy.inf should contain the following (the [AuthorityInformationAccess] and [CRLDistributionPoint] sections are deliberately empty, so that the self-signed root certificate carries no AIA or CDP extension; spell every key name exactly, because setup silently ignores a key it does not recognize):

; File %SystemRoot%\CAPolicy.inf
;
; Configuration file of the HomeWorks Root CA (Windows 2003 R2 Standard Server, member of Active Directory)

[Version]
Signature="$Windows NT$"

[certsrv_server]
renewalkeylength = 2048
RenewalValidityPeriodUnits = 10
RenewalValidityPeriod = Years
CRLPeriod = Years
CRLPeriodUnits = 1

; Left empty on purpose: no AIA and no CDP extension in the self-signed root certificate
[AuthorityInformationAccess]

[CRLDistributionPoint]

; End of file

Once CAPolicy.inf is created, copy it to the %SystemRoot% folder of your Windows system (in this paper we assume you are working on a Windows 2008 Standard server that is a member of an Active Directory domain). To learn how to install a Microsoft Standalone Root CA you can watch this video:

If you use the Standalone Root CA to issue your certificates directly (without subordinate CAs), install the Certification Authority Web Enrollment role service as well.

Then run a post-configuration script on the Standalone Root CA. A simple one could be:

@echo off

rem Set up the local environment
setlocal enableextensions

rem Variables
set Answer=

echo.
echo This script customizes the configuration of the Root CA.

:QUESTION
echo.
rem Ask the question through a small generated VBScript so that the answer ends up in %Answer%
Set _T=%temp%\~tmp
echo Set oFS=CreateObject("Scripting.FileSystemObject")>%_T%.vbs
echo oFS.OpenTextFile("CON",2).Write "Do you want to continue running the script [yes/no]: ">>%_T%.vbs
echo S=(Trim(oFS.OpenTextFile("CON",1).Readline))>>%_T%.vbs
echo Wscript.Echo "set Answer="+CStr(S)>>%_T%.vbs
cscript.exe //nologo %_T%.vbs > %_T%.bat
rem Run the generated .bat (which sets Answer), then delete both temporary files
for %%v in (%_T%.bat del) do call  %%v %_T%.???
set _T=
goto CONTINUE

:EXEC
rem Make sure the folders needed by the script exist
if not exist %SystemDrive%\Logs md %SystemDrive%\Logs
set LOGFILE=%SystemDrive%\Logs\Root_CA_Post_Config.log

rem Log file header
echo LOG FILE OF THE ROOT_CA_POST_CONFIG.CMD COMMAND  >> %LOGFILE%
echo. >> %LOGFILE%
echo Run on %DATE% at %TIME% >> %LOGFILE%
echo. >> %LOGFILE%
echo.

rem Variables used to build the CDP and AIA locations of the certificates issued by the Root CA
set /p myADnamingcontext="Enter the LDAP name of the domain (e.g. DC=homeworks,DC=it): "
echo Example: http://www.homeworks.it/ca/cert/HomeWorks_Root_CA_Public_Cert.crt
set /p myCACertURL="Enter the URL of the Root CA certificate: "
echo Example: http://www.homeworks.it/ca/crl/HomeWorks_Root_CA_Revocation_List.crl
set /p myCACRLURL="Enter the URL of the Root CA CRL: "
echo.

rem Configure the certificates issued by the Root CA
echo Configuring the Root CA ...
echo LDAP domain: %myADnamingcontext%
certutil -setreg CA\DSConfigDN "CN=Configuration,%myADnamingcontext%" >> %LOGFILE%
echo. >> %LOGFILE%
rem CRL distribution points; flag prefixes: 1 = publish here, 2 = include in issued certificates, 8 = include in CRLs (10 = 8+2)
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myCACRLURL%\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10" >> %LOGFILE%
echo. >> %LOGFILE%
rem Authority Information Access; flag prefixes: 1 = publish here, 2 = include in issued certificates
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myCACertURL%\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11" >> %LOGFILE%
echo. >> %LOGFILE%
rem Base CRL valid for 1 year, no delta CRLs, 1 day of overlap between consecutive CRLs
certutil -setreg CA\CRLPeriodUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPeriod "Years" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLDeltaPeriodUnits 0 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapPeriod "Days" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
rem Certificates issued by the Root CA (normally subordinate CA certificates) are valid for 5 years
certutil -setreg CA\ValidityPeriodUnits 5 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\ValidityPeriod "Years" >> %LOGFILE%

rem Restart the Certification Authority service (Active Directory Certificate Services) so the new settings take effect
echo Restarting the Active Directory Certificate Services service ...
net stop certsvc & net start certsvc >> %LOGFILE%

rem Create the web enrollment virtual roots in IIS
echo Creating the CertSrv virtual roots ...
certutil -vroot >> %LOGFILE%

rem Publish the CRL
echo Publishing the Root CA CRL ...
certutil -CRL >> %LOGFILE%

echo Script finished ....
echo. >> %LOGFILE%
echo End of log file >> %LOGFILE%

:END
endlocal
exit /b

:CONTINUE
if /i "%Answer%" equ "yes" goto EXEC
if /i "%Answer%" equ "no" goto END
goto ERRATA

:ERRATA
echo.
echo The answer you gave is not valid !!!
echo You can only answer yes or no.
goto QUESTION

Run the following commands to register the certificate of the Standalone Root CA and its CRL in Active Directory (they write to the Configuration partition, so they need Enterprise Admins rights, or an equivalent delegation, in the forest):

certutil -f -dspublish <CA_Cert_File_Name> RootCA
certutil -f -dspublish <CRL_File_Name>

The files <CA_Cert_File_Name> and <CRL_File_Name> are located in the folder %SystemRoot%\System32\CertSrv\CertEnroll.

Finally, assign a certificate to IIS for HTTPS connections to the web site where you request your certificates, so that enrollment does not run over plain HTTP. How to do this is described in the article Installing an SSL Certificate in Windows Server 2008 (IIS 7.0) (use the Create Domain Certificate ... action). Now you are ready to issue your certificates.
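
After the post-configuration script and the dspublish commands, it pays to read back what actually landed in the CA configuration and to watch the CRL expiry: with a one-year CRLPeriod on a root that is rarely touched, a forgotten certutil -CRL makes every certificate under the root fail revocation checking the day NextUpdate passes. The script below is an added example, not code from the original paper. It assumes it runs on the Root CA as a local administrator, that the CA common name is 'HomeWorks Root CA' (taken from the CAPolicy.inf comment above), and that certutil prints its dump in English with a "NextUpdate:" line in the current locale's date format.

```powershell
# Added example, not part of the original paper: read back the Root CA settings written by the
# post-configuration script and check the published CRL. Assumptions: run on the Root CA as a
# local administrator; CA common name 'HomeWorks Root CA'; English certutil output.
function Get-RootCAConfig {
    param([string]$CAName = 'HomeWorks Root CA')
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
    if (-not (Test-Path $key)) { throw "No CA named '$CAName' under $key" }
    $cfg = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        CAName                = $CAName
        ValidityPeriod        = "$($cfg.ValidityPeriodUnits) $($cfg.ValidityPeriod)"   # issued certificates
        CRLPeriod             = "$($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"
        CRLOverlap            = "$($cfg.CRLOverlapUnits) $($cfg.CRLOverlapPeriod)"
        CRLDeltaPeriodUnits   = $cfg.CRLDeltaPeriodUnits    # should stay 0 on a root CA
        DSConfigDN            = $cfg.DSConfigDN
        CRLPublicationURLs    = $cfg.CRLPublicationURLs     # REG_MULTI_SZ, one "flags:url" per entry
        CACertPublicationURLs = $cfg.CACertPublicationURLs
    }
}

# Decode the numeric prefix of a CDP/AIA entry (the 1:, 2: and 10: used by the script above)
function ConvertFrom-PublicationFlags {
    param([string]$Entry)
    $flags = [int]($Entry.Split(':')[0])
    $names = @()
    if ($flags -band 1)  { $names += 'PublishToThisLocation' }
    if ($flags -band 2)  { $names += 'IncludeInIssuedCertificates' }
    if ($flags -band 4)  { $names += 'IncludeInCRLs(DeltaCRLLocation)' }
    if ($flags -band 8)  { $names += 'IncludeInAllCRLs' }
    if ($flags -band 64) { $names += 'PublishDeltaCRLs' }
    New-Object PSObject -Property @{
        Flags   = $flags
        Meaning = ($names -join ',')
        Url     = $Entry.Substring($Entry.IndexOf(':') + 1)
    }
}

# Parse NextUpdate out of every CRL in CertEnroll and say how many days are left
function Test-PublishedCRL {
    param([int]$WarnDays = 30)
    Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" | ForEach-Object {
        $dump = & certutil -dump $_.FullName
        $m = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
        if (-not $m) { Write-Warning "$($_.Name): no NextUpdate line found"; return }
        $nextUpdate = [datetime]::Parse($m.Matches[0].Groups[1].Value)
        $daysLeft   = [int](($nextUpdate - (Get-Date)).TotalDays)
        $action = 'none'
        if ($daysLeft -lt $WarnDays) { $action = 'publish a new CRL (certutil -CRL) and dspublish it' }
        New-Object PSObject -Property @{
            File = $_.Name; NextUpdate = $nextUpdate; DaysLeft = $daysLeft; Action = $action
        }
    }
}

# Usage
$cfg = Get-RootCAConfig
$cfg | Format-List
$cfg.CRLPublicationURLs | ForEach-Object { ConvertFrom-PublicationFlags $_ } | Format-Table Flags, Meaning, Url -AutoSize
if ($cfg.CRLDeltaPeriodUnits -ne 0) { Write-Warning 'Delta CRLs are enabled on a root CA' }
Test-PublishedCRL -WarnDays 30 | Format-Table File, NextUpdate, DaysLeft, Action -AutoSize
```

The Test-PublishedCRL check belongs in a scheduled task or a monitoring job rather than in a one-off run, since the CRL of an offline root is exactly the artefact nobody looks at until clients start failing.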

For more information, please consult the following article: Designing and Implementing a PKI Part II

Active Directory TombStone Lifetime

An interesting article by Joeware on how to find out the default value of the Active Directory tombstoneLifetime: http://blog.joeware.net/2010/02/05/1896/

The Secrets of Windows 7 and Windows 2008

Microsoft's Windows division president, Steven Sinofsky, in a recent interview with Ina Fried reported in Windows 7 has lots of 'GodModes' (exclusive), explained that Windows 7 and Windows 2008 include a series of shortcuts to the main Windows administration tools, which go under the name Windows Master Control Panel. The most important of these shortcuts are definitely GodMode and Windows Components. For more information, read the guide How to create "Windows Master Control Panel" (GodMode) shortcuts, in Italian.