Blog

While BitLocker is encrypting your drive, the program automatically locks your entire drive except for 6GB. This is normally not a problem, but can be an issue if you are doing significant copying to the disk being encrypted. The following verbiage from a TechNet article describes this “feature” and describes how to temporarily pause the encryption in case you need to do work that requires more than 6GB on the disk.

Why does it appear that most of the free space in my drive is used when BitLocker is converting the drive?

BitLocker cannot ignore free space when the drive is being encrypted because unallocated disk space commonly contains data remnants. However, it is not efficient to encrypt free space on a drive. To solve this problem, BitLocker first creates a large placeholder file that takes most of the available disk space and then writes cryptographic material to disk sectors that belong to the placeholder file. During this process, BitLocker leaves 6 GB of available space for short-term system needs. All other space, including the 6 GB of free space not occupied by the placeholder file, is encrypted. When encryption of the drive is paused or completed, the placeholder file is deleted and the amount of available free space reverts to normal. A placeholder file is used only on drives formatted by using the NTFS or exFAT file system.

If you want to reclaim this free space before encryption of the drive has completed, you can use the Manage-bde command-line tool to pause encryption. To do this, open an elevated command prompt and type the following command, replacing driveletter with the letter of the drive you want to pause encryption on:

manage-bde -pause driveletter:

When you are ready to start encrypting the drive again, type the following command:

manage-bde -resume driveletter:
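
An added example, not part of the TechNet text or the original post: a PowerShell wrapper that pauses conversion for a large copy and always resumes afterwards, so a failed copy does not leave the volume partly encrypted. The drive letter and paths are placeholders, and it assumes an elevated prompt on a drive that is currently being encrypted.

```powershell
# Added example: pause BitLocker conversion around a large copy, then always resume.
# $Drive, $Source and $Destination are placeholders chosen for this example.
param(
    [string]$Drive       = 'D:',
    [string]$Source      = 'C:\Staging\LargeDataSet',
    [string]$Destination = 'D:\Data'
)

function Invoke-ManageBde {
    # Run manage-bde and turn a non-zero exit code into a terminating error.
    param([string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    $output
}

# Pausing deletes the placeholder file, so the free space becomes usable again.
Invoke-ManageBde -Arguments @('-pause', $Drive) | Out-Null
try {
    Copy-Item -Path $Source -Destination $Destination -Recurse -ErrorAction Stop
}
finally {
    # Resume even when the copy fails; free space is still unencrypted until
    # conversion completes.
    Invoke-ManageBde -Arguments @('-resume', $Drive) | Out-Null
    Invoke-ManageBde -Arguments @('-status', $Drive) |
        Select-String -Pattern 'Conversion Status', 'Percentage Encrypted'
}
```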


 

Quite frequently on information security audits we find machines where group policies have been applied incorrectly or not at all.  The IT administrator swears the policy is working, but the policies have not always taken effect on the machines.  What we can do in that situation for Windows XP machines is use GPupdate.exe, Rsop.msc, and GPresult.exe to find out more information.

GPupdate

After you make changes to group policies, you may want the changes to be applied immediately, without waiting for the default update interval (90 minutes on domain members and 5 minutes on domain controllers) or without restarting the computer. To make this update, at a command prompt, run the Gpupdate.exe utility.

RSoP

The Resultant Set of Policy MMC snap-in has a nice interface and is easily used. Just go to Start, Run and enter rsop.msc. This will flash up a quick screen with a summary of the environment it’s processing.

When the progress reaches 100%, it will pull up a report of the policies being applied to the computer and the user. You can browse the list, which mirrors the Group Policy Management Console, and see which policies the machine is seeing, which might not quite match what you’ve set in the Active Directory server.

You can also use this to diagnose any errors. For example, if a software deployment isn’t coming through for some reason, you can verify that it has access to the policy and has received the command. You can also see any related errors to help your troubleshooting.

GPResult

Starting with Vista SP1, RSoP no longer shows all of the group policies that are being applied to a computer. Instead, Microsoft recommends that you use the command line tool GPResult. Just open the Command Prompt and type:  gpresult

Because it is a command line tool, it can be included in scripts. There are a large number of options you can use with GPResult to get exactly what you want. You can use it to create a nicely formatted HTML or XML report, and you can also run it remotely against another system and as a different user (provided you know the password).
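
An added example (not from the original post) of the scripting use described above: a PowerShell audit that runs gpresult against each machine and reports which expected GPOs are missing from the applied list. It assumes Vista or later targets, where the summary switch is /r, and English-language output; the computer and GPO names are placeholders and the sample report is constructed.

```powershell
# Added example: check that expected GPOs really were applied on each machine.
$ExpectedGpos = 'Default Domain Policy', 'Workstation Lockdown'   # placeholders
$Computers    = @()   # e.g. 'PC-ACCT-01', 'PC-ACCT-02'; empty = use the sample below

# Constructed sample of English "gpresult /scope computer /r" output.
$SampleReport = @'
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Workstation Lockdown
            Filtering:  Denied (Security)
'@ -split '\r?\n'

function Get-AppliedGpo {
    # Return the names listed under the "Applied Group Policy Objects" heading.
    param([string[]]$ReportLines)
    $inSection = $false
    foreach ($line in $ReportLines) {
        $text = "$line".Trim()
        if ($text -eq 'Applied Group Policy Objects') { $inSection = $true; continue }
        if (-not $inSection -or $text -match '^-+$') { continue }
        if ($text -eq '') { break }            # a blank line closes the list
        if ($text -ne 'N/A') { $text }         # "N/A" means nothing was applied
    }
}

function Test-GpoApplied {
    # Compare the applied list with $ExpectedGpos and report what is missing.
    param([string]$Computer, [string[]]$ReportLines)
    $applied = @(Get-AppliedGpo -ReportLines $ReportLines)
    $missing = @($ExpectedGpos | Where-Object { $_ -notin $applied })
    [pscustomobject]@{
        Computer = $Computer
        Applied  = $applied -join '; '
        Missing  = $missing -join '; '
    }
}

if (-not $Computers) { Test-GpoApplied -Computer 'sample' -ReportLines $SampleReport }
foreach ($computer in $Computers) {
    $report = & gpresult.exe /s $computer /scope computer /r 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "${computer}: gpresult failed: $report"; continue }
    Test-GpoApplied -Computer $computer -ReportLines $report
}
```

With the constructed sample, the result row lists Workstation Lockdown under Missing, which is the "administrator swears it is applied" case an audit is looking for.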


 

Just as IT departments are finally locking down the use of removable media, a new threat may make existing technical controls irrelevant.  The “Teensy” is a USB microcontroller that plugs into a PC in the same manner as a USB thumbdrive.  But the technical controls that are able to neutralize the use of thumbdrives and other USB storage have no effect on the Teensy.  That is because the Teensy emulates a human interface device, such as a keyboard.  Since USB keyboards are restricted by very few companies, if any, the Teensy is able to connect undetected.  The tiny microcontroller can be programmed with virtually any code, including code useful in an exploit.

Teensy devices are available online for relatively low cost, under $10 US.  It looks like IT administrators have another thing to keep them awake at night.


 

A customer that had been printing duplex documents to an HP LaserJet 8150 had to send the printer off for repairs.  When they got it back and reconnected it to the network, they were unable to print duplex.  Printing test pages from the printer’s console came out duplexed and the settings on the display showed that duplexing was enabled.

When I went to look at the printer properties on the printer server, I found a setting under the Device Settings tab for Duplex Unit.  It was set to Not Installed.  As soon as I changed it to Installed, users were able to print on both sides of the page.  I’m not sure what caused the printer to lose this functionality while it was being repaired, but this was the solution.


 

I run a Windows 7 virtual machine when I need to connect to customer sites.  From this VM I frequently create an RDP session on a customer server then run the vSphere client to connect to the console of multiple VMs.  I ran into a problem where the vSphere client would "capture" my mouse/keyboard in the console session.  Normally you would press Ctrl-Alt to release the mouse, but unfortunately when running from a desktop VM, this releases for the VM and not the connected RDP session.  The only way to get out of this is to force logoff of your RDP session from a different session.

My workaround was to create a new key combination through VMware Fusion to send Ctrl-Alt to the VM.  I believe this same technique will work for VMware Workstation also.


 

I've noticed an increasing use of Micro USB connectors in things such as bluetooth headsets, external hard drives, Kindle and BlackBerry devices, etc.

Since so many devices use the Mini USB connector, I have more than enough of the Mini USB cables.  I looked and found some nice little Micro to Mini adapters that just plug onto the end of the Mini cable.  If you can keep from losing such a small item, it saves room and cables.


 

I had a problem with my iPhone. It was getting hot to the touch. I then discovered that it was chewing up download data... about 5MB every 15 minutes. This was discovered when AT&T sent me a message that my consumption of my monthly allotment was at 90%.

After many hours of work, I discovered that it was the Exchange server “push” that was causing it to chew through data. Specifically, it was “push” on the Contacts folder. I ended up extracting my contacts folder to a PST file, and re-importing the file and this seemed to fix the issue of chewing through the Cellular Network Data.

At this point, I realized that I had a problem syncing all my contacts. The contacts would just not all load onto my phone. This was not related to the issue above with Cellular Network Data, but the contacts download would just stop before synchronizing all the contacts. I had noticed this problem forever, but had not researched it. It turns out that there were two contacts in my address book that were causing the problem. These contacts have been in my list for years.  After removing these two contacts (I discovered which ones they were by dividing my list in halves, a binary search, until I isolated the culprits) everything works fine. I have not yet discovered the cause as to why these particular contacts will not sync. I sent one of the contacts to a coworker, and it will not sync with his phone (not an iPhone) either …


 

A network support customer was having an issue on one PC where every time he opened Excel documents with graphs generated by data from worksheets, no graph would appear. However, the same Excel document opened on any other PC would work fine. If other users logged into the affected system, the graphs worked. I found that defective print drivers could cause this problem, so I changed his default printer and the graphs worked. I changed it back and the graphs wouldn’t work. I then uninstalled and reinstalled the drivers for the default printer he was using and the problem was gone. So do not rule out corrupt print drivers when troubleshooting Office 20XX problems.


 

One of our IT consulting customers using a Windows 7 laptop was experiencing a problem accessing mapped drives while connected to their company using VPN.

Doing some research I found that Windows 7 and Vista both have what's called "slow link mode".  The behavior is that if the latency of the network connection exceeds 80 milliseconds (ms), the system will transition the files to "offline mode".  The 80 ms value is configurable using a local group policy edit.

  1. Open Group policy (start -> run -> gpedit.msc)
  2. Expand "Computer Configuration"
  3. Expand "Administrative Templates"
  4. Expand "Network"
  5. Click on "Offline Files"
  6. Locate "Configure slow-link mode"
  7. This policy can either be disabled or set to a higher value for slower connections.

Note – The "Configure Slow link speed" value is for Windows XP Professional.

Additionally, there is a registry value that can be added that can force auto reconnection...

When a server has been unavailable (offline mode) and then becomes available again for connection, Offline Files Client Side Caching tries to transition that server to online mode if all the following conditions are true:

  • There are no offline changes for that server on the local computer.
  • There are no open file handles for that server on the local computer.
  • The server is accessed over a "fast" link.

You can adjust the definition of "slow" and "fast" by using the SlowLinkSpeed Offline Files policy. With this, you can configure Offline Files Client Side Caching to ignore these conditions and transition the server to online mode regardless of whether these conditions exist. To do this, follow these steps:

  1. Click Start, click Run, type REGEDIT, and then click OK.
  2. Locate and click the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache
  3. Click Edit, point to New, and then click DWORD Value.
  4. Type SilentForcedAutoReconnect, and then press ENTER to name the value.
  5. Double-click SilentForcedAutoReconnect.
  6. In the Value data box, type 1, and then click OK.

Finally, here is a link to a Microsoft TechNet article explaining how Vista/7 handles offline files.  At the bottom of the article is a procedure for disabling offline files completely using a Group Policy Object.  http://technet.microsoft.com/en-us/library/cc749449%28WS.10%29.aspx


 

I had an IT consulting customer email me requesting assistance with extending the system partition on a Windows 2003 virtual machine. The partition had been running low on disk space for a while. The customer had extended the vmdk using VMware, but was unable to extend the partition using diskpart. This is normal behavior for a Windows 2003 system so I scheduled downtime so that I could use VMware Converter to fix the problem.

I have done this operation a number of times in the past. You simply tell Converter to convert the VM and target the same ESX cluster with the imported copy. During the operation, VMware gives you the option to change the partition size. Windows recognizes the partition size change at first boot and you are good to go. However, the customer failed to tell me that they had un-marked the c:\ drive partition as active while trying to get the disk to extend. When I shut the VM down to clone it, it never came back up. Neither did the imported copy. Both were completely useless. They would boot to an “Operating System not found” error.

I tried fixboot and fixmbr from the recovery console but neither worked. I ended up restoring from a CommVault backup. Later, based on some comments from coworkers, I decided to see if I could fix this problem by mounting the disk to another VM and adding back the “active partition” status. I mounted the vmdk that was broken to a Windows 2008 server and using disk manager re-marked the partition as active. Sure enough, after dismounting from the temp VM the original VM booted up no problem. Just one more reason to use virtual machines.