Blog: Windows

For most customer networks, file servers turn into a mess over the years. This is usually due to a few things. First, users have access to make folders at high levels and then place data in those folders that should have restricted access. Second, users try to solve the first problem by securing those folders themselves, but end up breaking access for administrator accounts. Third, most lack a logical structure or any guidance as to where certain documents should be stored, so documents end up in multiple folders.

I have been working with a customer who had all of these issues, along with the need to merge two file structures into a single structure after the merger of their two companies. My suggestion to the customer was to come up with a structure of five to ten top level folders that would be the shared folders. Their primary focus for the top level folders was by department (HR, Finance, Legal, etc.). We then tightly controlled the second through fifth levels, depending on the granularity needed for the specific folder. At the controlled levels, we did not allow users to make new folders or files and also prevented them from changing the permissions on these folders. We used a combination of list, read, and read/write access to all of these folders. We created an Active Directory group for each folder and for each level of access necessary for that folder. We then created additional groups in Active Directory based on job role and made these groups members of the Active Directory groups used for setting permissions on each folder.

After setting all of the folder permissions, I found that the Owner of a file or folder still had Full Control even if they should not have this level of control based on the NTFS permissions. (Strictly, an owner always holds the implicit rights Read Permissions and Change Permissions, which is enough to grant themselves anything else.) This can be fixed by adding the OWNER RIGHTS principal (the well-known SID S-1-3-4) to the folder's permissions with no rights selected: once that entry exists it replaces the owner's implicit rights, so the explicitly defined permissions are enforced and cannot be circumvented.

The partial folder tree shown in the screenshots below is as follows:

  • Shares – OWNER RIGHTS permissions set
    • (Other folders not shown)
      • Internal Reports – List permissions
        • Containment – Read only and Modify permissions set

Example of OWNER RIGHTS permissions. Notice no boxes are selected, which causes the owner to have no rights and the other defined permissions to be used:

Example of the Internal Reporting folder with list permissions:

Example of the Internal Reporting\Completions folder with read only access:

Example of the Internal Reporting\Completions folder with modify access. Notice "Delete" is not selected, but "Delete subfolders and files" is. Delete is part of the "Modify" permission set, so removing it means this is no longer truly "Modify" but rather "Special":
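Once a tree like the one above has been built, it drifts: someone re-enables inheritance, or grants a person instead of a group. The script below is an added audit check, not part of the original post. It walks the share tree and flags folders that lack an OWNER RIGHTS entry, still inherit from their parent, grant a broad principal (Everyone, Authenticated Users, BUILTIN\Users) explicitly, or give Delete on the folder itself to anything other than Administrators and SYSTEM. The root path and the depth are assumptions; adjust them to your structure. It needs PowerShell 5.0 or later for `-Depth`.

```powershell
# Added audit script (not from the original post). Reports only; it changes nothing.
$Root  = 'D:\Shares'       # assumption: root of the share tree described in the post
$Depth = 4                 # assumption: the post controls levels two through five

$OwnerRightsSid = 'S-1-3-4'                                  # well-known OWNER RIGHTS SID
$BroadSids      = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'      # Everyone, Authenticated Users, BUILTIN\Users
$TrustedSids    = 'S-1-5-32-544', 'S-1-5-18'                 # BUILTIN\Administrators, SYSTEM
$Delete         = [System.Security.AccessControl.FileSystemRights]::Delete

Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    # Ask for SIDs rather than names so comparisons do not depend on name translation.
    $aces     = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $explicit = @($aces | Where-Object { -not $_.IsInherited })
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not ($aces | Where-Object { $_.IdentityReference.Value -eq $OwnerRightsSid })) {
        $findings.Add('no OWNER RIGHTS entry: the owner keeps implicit Change Permissions')
    }
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add('inheritance enabled: parent changes flow into a controlled level')
    }
    foreach ($ace in $explicit) {
        $sid = $ace.IdentityReference.Value
        if ($BroadSids -contains $sid) {
            $findings.Add("broad principal granted explicitly: $sid")
        }
        # Modify minus Delete is the post's convention; anything else holding Delete is a finding.
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $Delete) -eq $Delete -and
            $TrustedSids -notcontains $sid) {
            $findings.Add("Delete on the folder itself granted to $sid")
        }
    }
    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Path     = $_.FullName
            Owner    = $acl.Owner
            Findings = $findings -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

The OWNER RIGHTS check is the important one: a folder that passes every other test but lacks that entry can still have its ACL rewritten by whoever created it, which is exactly the "users secure their own folders and lock out the admins" failure the post opens with.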


 

I came across a system that was running very low on disk space.  Disk cleanup utility scans did not offer much to remove, even with system files checked.  When I looked at the drive with a graphical utility, I could see that a big chunk of space was being consumed in C:\Windows\Installer.

I came across a very useful utility called "PatchCleaner" which can be downloaded free from https://www.homedev.com.au/Free/PatchCleaner .  When it runs, it will give you the results about how many patch files are in use and how many are orphaned. 

From there, you have two options in the program. Either move the unneeded files to another drive or delete them altogether. I elected to move the patch files first and observed that it moved MSP patch install files. It freed up many GB of space. Moving is the safer choice: Windows Installer needs the cached .msi or .msp to repair or uninstall a product or patch, so if a file was misclassified you can simply move it back.
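To see what PatchCleaner is deciding on before trusting it with the delete button, the following added script (not from the original post and not PatchCleaner's own code) reproduces the core of the check: Windows Installer records the cached copy of every installed product and patch as a LocalPackage value under the per-SID UserData keys, so any .msi or .msp in C:\Windows\Installer that no LocalPackage value points to is an orphan. It only reports. Run it from an elevated prompt so the Installer folder is readable; it needs PowerShell 5.0 or later.

```powershell
# Added example (not from the original post). Report only; nothing is moved or deleted.
function Get-InstallerCacheReport {
    $installerDir = Join-Path $env:windir 'Installer'
    $userData     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'

    # Products: UserData\<SID>\Products\<squished GUID>\InstallProperties\LocalPackage
    # Patches:  UserData\<SID>\Patches\<squished GUID>\LocalPackage
    # S-1-5-18 holds per-machine installs; other SIDs hold per-user installs.
    $referenced = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $keys = @(Get-Item "$userData\*\Products\*\InstallProperties" -ErrorAction SilentlyContinue) +
            @(Get-Item "$userData\*\Patches\*" -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $p = $k.GetValue('LocalPackage')
        if ($p) { [void]$referenced.Add($p) }
    }

    # Every cached package that no product or patch references is an orphan.
    Get-ChildItem -LiteralPath $installerDir -File -ErrorAction Stop |
        Where-Object { $_.Extension -in '.msi', '.msp' } |
        ForEach-Object {
            $status = if ($referenced.Contains($_.FullName)) { 'in use' } else { 'orphaned' }
            [pscustomobject]@{
                File   = $_.Name
                SizeMB = [math]::Round($_.Length / 1MB, 1)
                Status = $status
            }
        }
}

$report   = Get-InstallerCacheReport
$orphaned = @($report | Where-Object Status -eq 'orphaned')
$report | Sort-Object Status, SizeMB -Descending | Format-Table -AutoSize
'{0} orphaned file(s), {1:N0} MB reclaimable' -f $orphaned.Count, (($orphaned | Measure-Object SizeMB -Sum).Sum)
```

PatchCleaner also cross-checks against WMI, so treat a difference between its count and this one as a reason to look closer, not as proof either is wrong. Either way, move the orphans to another drive first and delete them only after the next patch cycle has run cleanly.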


 

I was working on a Windows 10 PC connected to a domain whose administrative shares could not be reached. The PC could be pinged by DNS name and IP address. RDP was also working. There were no other issues on the network. No domain policies were in place that should have been keeping the PC's admin shares from working, but they still failed after registry changes, removing the PC from the domain and re-adding it, etc.
 
I found an article about shares not working if there is a misconfigured DNS entry somewhere. I looked on the secondary DNS server and there was an old, incorrect entry for that PC. I removed the DNS entry and the shares began to work.
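The reason this was hard to spot is that ping and RDP happened to be served by whichever DNS server the admin's workstation was using, while SMB clients elsewhere were getting the stale answer. The added function below (not from the original post) asks each DNS server directly, bypassing the local cache and hosts file, and tests port 445 on every address returned, so a record that differs between servers or points at a dead address stands out. The computer name and server list at the bottom are placeholders; it needs Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added diagnostic (not from the original post). Host and server names are assumptions.
function Test-HostDnsConsistency {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$DnsServer
    )
    $rows = foreach ($srv in $DnsServer) {
        # -DnsOnly skips the resolver cache and hosts file so each server is asked directly.
        $answers = Resolve-DnsName -Name $ComputerName -Type A -Server $srv -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' }
        if (-not $answers) {
            [pscustomobject]@{ DnsServer = $srv; Address = '(no A record)'; TTL = $null; Smb445 = $false }
            continue
        }
        foreach ($a in $answers) {
            [pscustomobject]@{
                DnsServer = $srv
                Address   = $a.IPAddress
                TTL       = $a.TTL
                # A stale record usually points at an address where nothing answers on 445.
                Smb445    = Test-NetConnection -ComputerName $a.IPAddress -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
            }
        }
    }
    $rows | Format-Table -AutoSize
    $distinct = @($rows | Where-Object { $_.TTL -ne $null } | Select-Object -ExpandProperty Address -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "$ComputerName resolves differently depending on the server: $($distinct -join ', '). Fix or scavenge the stale record."
    }
}

Test-HostDnsConsistency -ComputerName 'PC0123' -DnsServer 'dc01.corp.example', 'dc02.corp.example'
```

Run it from a machine that is not the affected PC, and include every DNS server a client in the environment might be handed by DHCP; the stale record in the post was on the secondary, which is exactly the server a quick check from the admin's own workstation tends to skip.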

 

I was working with a customer who called in a disk space issue. I ran SpaceSniffer and discovered there were 92GB of files in a temp folder, nearly all of them cab files.

My research found that on Windows 7 64-bit and Server 2008 R2 the makecab.exe utility breaks whenever a log file is over 2GB. The cabinet file format cannot store files larger than 2GB, so compressing such a log fails partway through. Consequently every later attempt to archive the component servicing log fails as well, and C:\Windows\Temp fills up with corrupt cab_xxxx cabinet files; as much as 200MB+ a day.

The only solution is to delete all of the corrupted cab files from the temp folder and the oversized log file in C:\Windows\Logs\CBS that started the problem. Stop the Windows Modules Installer (TrustedInstaller) service first, since it holds the log open while it is running. Here is a link to the article explaining this issue.

https://serverfault.com/questions/746849/windows-temp-large-amounts-of-cab-xxxx-files
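The following added script (not from the original post or the linked answer) packages that cleanup as two functions: one that reports how many cab_* files are in %windir%\Temp and which CBS log has crossed the 2GB limit, and one that removes them with the Windows Modules Installer service stopped. Run the report first and only call the cleanup function once you have confirmed the oversized log is the culprit; it deletes files. Both need an elevated prompt.

```powershell
# Added example (not from the original post). Get-CbsCabBloat only reads; Clear-CbsCabBloat deletes.
function Get-CbsCabBloat {
    $temp = Join-Path $env:windir 'Temp'
    $cbs  = Join-Path $env:windir 'Logs\CBS'
    # Each failed makecab run leaves a partial cab_XXXX file behind in %windir%\Temp.
    $cabs = @(Get-ChildItem -Path $temp -File -Filter 'cab_*' -ErrorAction SilentlyContinue)
    # The trigger is a CBS log (CBS.log or a CbsPersist_*.log) at or past the 2GB CAB limit.
    $big  = @(Get-ChildItem -Path $cbs -File -ErrorAction SilentlyContinue | Where-Object { $_.Length -ge 2GB })
    [pscustomobject]@{
        CabFiles      = $cabs.Count
        CabMB         = [math]::Round(($cabs | Measure-Object Length -Sum).Sum / 1MB)
        OversizedLogs = $big
    }
}

function Clear-CbsCabBloat {
    $state = Get-CbsCabBloat
    # Windows Modules Installer keeps CBS.log open while it runs; stop it so the delete succeeds
    # and so no servicing operation is writing the log while it disappears underneath it.
    $svc        = Get-Service -Name TrustedInstaller
    $wasRunning = $svc.Status -eq 'Running'
    if ($wasRunning) { Stop-Service -Name TrustedInstaller -Force }
    try {
        Get-ChildItem -Path (Join-Path $env:windir 'Temp') -File -Filter 'cab_*' | Remove-Item -Force
        # Removing the oversized log is what stops makecab failing again on the next run.
        $state.OversizedLogs | Remove-Item -Force
    } finally {
        if ($wasRunning) { Start-Service -Name TrustedInstaller }
    }
    Get-CbsCabBloat   # should now report zero cab files and no oversized logs
}

Get-CbsCabBloat
```

If the report shows thousands of cab files but no oversized log, the log has probably already been rotated; the cab files are still safe to delete, but the daily growth the post describes should have stopped on its own.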


 

I was working with a customer who had accidentally deleted some files when copying them to a different drive. When trying to restore them using the Previous Versions option, I got a message saying that the source file name was too long. I tried everything, but eventually the steps below worked for me:
 
  1. Right click on the folder you're trying to restore from shadow copy and choose Previous Versions. Choose a date and click on Open.
  2. Right click on any file or folder within the previous folder and choose Properties. On the General tab copy what's shown in 'Location', e.g.: \\localhost\D$\@GMT-2011.09.20-06.00.04\_Data
  3. Open cmd.exe and type in - subst X: \\localhost\D$\@GMT-2011.09.20-06.00.04\_Data
  4. Open PowerShell (or use the same cmd.exe window) and use robocopy to copy the content of X: - robocopy X: D:\Folder\ /E /COPYALL
  5. Check that all files have been copied.
  6. When finished type - subst X: /D in cmd.exe

Two things to watch: a drive letter created with subst belongs to the logon token that created it, so run the subst and the robocopy from windows with the same elevation (both elevated or both not) or the second window will not see X:; and /COPYALL copies owner and auditing information as well as data, so the copy should be run elevated.

 

I have had the issue of Windows explorer crashing several times a day. All explorer windows, the desktop and task bar disappear then the desktop and task bar reappear after a few seconds.

I did not nail down the specific culprit but used ShellExView (www.nirsoft.net/utils/shexview.html) to disable all non-Microsoft shell extensions. That made a significant difference and I haven't had Explorer crash in the last few days. Of course, it could be a combination of shell extensions, which will make it harder to identify. In the meantime, I will re-enable an extension as I miss it and see if it destabilizes Windows Explorer again.


 

I was recently doing a maintenance window for a customer and had an issue with several of their servers giving me Error Code 80243004 - Windows Update encountered an unknown error when I was trying to install updates. After researching, I came across an article with a very simple and weird fix for the issue.

  1. Right click on the taskbar and select Properties.
  2. Click the Customize… button on the Taskbar and Start Menu Properties window.
  3. On the Notification Area Icons window, make sure Always show all icons and notifications on the taskbar is checked and click OK.

After turning on the notifications for Windows Update, I was able to successfully install all Windows Updates.


 

Recently I was deploying Cylance for a customer. The first approach I took to deployment was to create a group policy that ran a batch script at logon. I set up the policy and then restarted one of the test PCs I was working with. The group policy was being applied, but the software was not installing.

My research suggested disabling asynchronous processing of group policies. To do that, I opened the Group Policy editor and navigated to Computer Configuration\Administrative Templates\System\Logon. There is a policy called Always wait for the network at computer startup and logon, and when it is enabled it turns off asynchronous processing. As soon as I enabled that, the install worked.

Not long after I applied that policy, the customer called and said their users were having issues with one of their applications not launching. After some investigating, it turned out that the program required a network drive to be mapped before it could launch. Clearly the order of operations was broken when I disabled asynchronous processing. So I turned asynchronous processing back on, but the trick about group policies is that you have to go in and manually fix anything that was modified in the registry. I fixed that and everything started working. Moral of the story: always remember the policy changes you make, just in case you need to unmake them.


 

I had two customers that needed to exempt a couple of systems from a group policy that disables USB/CD-ROM access, but I ran into the same issue both times when trying to do so.

I added the user to the appropriate group to block the GPO, but when I logged into the user’s PC, the drives still said access denied. I figured the group policy had not applied, so I forced it to apply and then I had the user both log off and back on and also restart with no success on the policy applying.

I did some digging and discovered that there is a bug in Windows that affects the Portable Device Enumerator Service. I tried several things with that service (restarting, looking at other dependent services, etc.) but nothing worked. Microsoft had a hotfix available, so I tried that and still got nothing. Finally, after some additional research, I ran across a KB article that recommended going into Disk Management, uninstalling the driver for the CD-ROM and then rescanning the disks to let it re-install. As soon as I did that, everything started working properly.

Here is the KB article with the Hotfix, in case it happens to work for someone else down the road: https://support.microsoft.com/en-us/help/2738898/users-cannot-access-removable-devices-after-you-enable-and-then-disabl


 

Recently I wanted to test a two-factor authentication solution on my Windows VM, so I took a snapshot to revert to later if needed. After testing for several days I reverted to the snapshot, but started getting an error about an expired computer account password. Apparently the machine account password had been automatically changed while I was testing, and the new password was lost when I reverted to the old snapshot, so the VM and the domain no longer agreed on it.

Rather than remove the computer from the domain and rejoin it, I found a PowerShell cmdlet, Reset-ComputerMachinePassword, that resets the machine account password. Details about this command are at:

https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.management/reset-computermachinepassword
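The added example below (not from the original post) shows the cmdlet in context: it confirms the secure channel really is broken before touching anything, resets the password against a named domain controller with explicit credentials, and re-tests. The DC name is a placeholder, and the session must be elevated.

```powershell
# Added example (not from the original post). $dc is an assumed, reachable writable DC.
$dc   = 'DC01.corp.example'
$cred = Get-Credential -Message 'Account allowed to reset this computer object'

# Test first: a healthy channel should not be reset just because an error was seen once.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host 'Secure channel is healthy; nothing to do.'
} else {
    # Generates a new machine account password locally and writes it to the computer
    # object on $dc, so the VM and AD agree again without a domain leave/join.
    Reset-ComputerMachinePassword -Server $dc -Credential $cred
    # Should now return True; if it does not, check time skew and name resolution to $dc.
    Test-ComputerSecureChannel -Server $dc
}
```

Test-ComputerSecureChannel -Repair does the same reset in one step, but running the test and reset separately makes it obvious which half failed. If the VM will be reverted repeatedly, take a fresh snapshot right after the reset; otherwise every revert older than the last password change brings the problem back.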