Wednesday, February 01, 2023

Setting up a "Guest" or "Visitor" user account on a domain on Windows 10

The requirements

To have a "guest" account on a specific system, while staff in Active Directory can still log in and access the data they need, such as mounted drives and network shares. The guest can save files to the computer but has no access to any network resources except the internet. The guest user must be set up as the default user with auto login. For this setup I am using an administrator account, specifically a local admin account, and the computer is already joined to the domain. This computer is also going to be hooked up to a large sound system, so it will need to be muted on reboot and again at the end of the day in case the sound was left enabled after someone used it. Finally we have to ensure that no files are left behind, so we need a way to delete them.

The User Account

The user account is a domain user and therefore has to be placed in the local machine's Guests group for the proper privileges to apply. On the Active Directory domain controller I set up an OU called Guest. I will add a GPO to it later, but here we want to block inheritance, to stop any global GPO from being applied, which is what the ! means. The user and the computer will be placed in the Guest OU.


Auto Login

I don't want to enable a global "guest" or "visitor" account for the entire org, which is why I don't have the AD Guest account enabled. So I created a user in AD; let's call them "org guest". On the specific computer that the org guest will be able to log in to, I also want it to auto login to that account for ease of use. I also need to ensure that the user is in the proper local group so they get the proper restrictions, which are really quite restrictive; I don't want them to be able to access any of the organization's network resources, such as network drives. All I want them to have is the internet and the ability to copy from a USB drive to the local computer.

To do this we are going to use regedit to make the following changes at this registry location:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Find the following entries; we will need to edit them:

AutoAdminLogon

DefaultPassword

DefaultUserName

If you don't have them, create these entries. They are all string (REG_SZ) values and need the following data:

AutoAdminLogon: set the Value data to 1

DefaultUserName: set the Value data to $domainuser

DefaultPassword: set the Value data to $userpassword


Add the user, in this case "guest", to the Guests group on the local machine.
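The same registry values and group membership can be applied from an elevated PowerShell prompt on the kiosk computer. The block below is an added example, not a script from the original post; DOMAIN, orgguest and the password are placeholders, and it also sets DefaultDomainName, a standard Winlogon value the post does not mention, so Winlogon knows which domain the account belongs to. One caveat worth knowing before you do this: DefaultPassword is stored in clear text, and the Winlogon key is readable by every local user, so this account must hold nothing beyond the Guests-level rights the post gives it.

```powershell
# Added example (not from the original post): configure Winlogon auto-login for the
# domain guest account and put it in the local Guests group. Run elevated on the kiosk.
$Domain   = 'DOMAIN'                 # placeholder: your AD NetBIOS domain name
$User     = 'orgguest'               # placeholder: the AD guest account
$Password = 'PLACEHOLDER-PASSWORD'   # placeholder: that account's password (stored in clear text!)

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# All four are REG_SZ values, hence -Type String
Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'       -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $User     -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $Domain   -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultPassword   -Value $Password -Type String

# Put the domain account in the local Guests group so the Guests restrictions apply to it
$Member = "$Domain\$User"
if (-not (Get-LocalGroupMember -Group 'Guests' -Member $Member -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Guests' -Member $Member
}

# Read everything back so a misspelled value name is caught before the reboot
Get-ItemProperty -Path $Winlogon |
    Select-Object AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword
Get-LocalGroupMember -Group 'Guests'
```

The read-back at the end is the useful part: AutoAdminLogon silently does nothing if any of the value names is misspelled, and a reboot is the only other way to find out.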

Local Users and Groups







Group Policy

Once complete, log in to your AD controller and set up the following File Explorer settings under Computer Management -> Administrative Templates -> Windows Components -> File Explorer.

Essentially the only settings we are changing are the hibernate power options menu and the sleep power options menu. We are going to set them to Disabled.



Now the user Profile in AD requires a bit more configuration.

User Configuration -> Administrative Templates -> Windows Components -> File Explorer

We aren't going to modify anything in the following:

  • Common Open File Dialog
  • Explorer Frame Pane
  • Previous Versions
We have altered the settings for the file explorer in AD with the following settings as shown below.


With our group policy configured we still have two requirements to work through: the audio muting and deleting leftover files. We are going to deal with the leftover files first.

I created a folder called "orgtools" in the root of the C: drive; the folder is hidden by default, and inside it I have a folder called powershell containing a bat file, deletefiles.bat, which launches the PowerShell script.

The bat file is configured to allow only this single script to run.

@ECHO OFF
REM %~dp0 expands to the folder this .bat file is in, so the script is found no matter what the working directory is
Powershell.exe -executionpolicy remotesigned -File "%~dp0delete.ps1"

The PowerShell file is configured to delete files and folders in the user's (orgguest) profile directory. The file is called "delete.ps1".

# delete.ps1: remove everything the guest left behind in the orgguest profile
$GuestProfile = 'C:\Users\orgguest'
$GuestFolders = 'Desktop','Downloads','Documents','3D Objects','Contacts','Favorites','Links','Music','Videos','Pictures','Searches'

# Delete every file anywhere under the profile; files that are locked or in use are skipped instead of stopping the script
Get-ChildItem -Path $GuestProfile -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue }

# Then remove the user-facing folders themselves, including anything left inside them
foreach ($Folder in $GuestFolders) {
    Remove-Item -LiteralPath (Join-Path $GuestProfile $Folder) -Recurse -Force -ErrorAction SilentlyContinue
}


I have the PowerShell file set up to run on login, but it could be set up to run on logoff, restart, shutdown, etc. I use Task Scheduler to run it on login of the domain\orgguest user.




Our final requirement is the auto mute. As in my post about creating an Audio PA System, we need some additional software: the NirSoft Sound CommandLine tool (svcl.exe). I am putting it in the powershell directory for convenience.

Here is a picture of the directory


The PowerShell command is fairly simple. I called the file mute.ps1

# $PSScriptRoot is the folder mute.ps1 is in, so svcl.exe is found even when the working directory is different
& "$PSScriptRoot\svcl.exe" /Mute "Speakers"

And again I have a bat file set up to run the PowerShell script, like the one for deleting files:

@ECHO OFF
Powershell.exe -executionpolicy remotesigned -File "%~dp0mute.ps1"

I have set up a scheduled task to run on login and at 11:30 pm, in case the speakers are left on after an event, which would typically be in the evening near close. If there is something during the day it is up to staff to either reboot the system or mute the speakers after using it.
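Both scheduled tasks (the file wipe on login, and the mute on login and at 11:30 pm) can be registered from PowerShell rather than clicked through in the Task Scheduler GUI. This is an added example, not a script from the post; it assumes the post's C:\orgtools\powershell layout, names the mute launcher mute.bat (the post does not name it), and uses DOMAIN\orgguest as a placeholder. Both tasks run as the guest account itself with no elevation, since deleting the guest's own files and muting the speakers need nothing more than that.

```powershell
# Added example (not from the original post): register the two logon/time-based tasks.
# Run elevated on the kiosk computer. Paths and account name are assumptions.
$Guest     = 'DOMAIN\orgguest'            # placeholder domain account
$ScriptDir = 'C:\orgtools\powershell'     # folder from the post's layout

# Run as the guest account, interactively, with no elevation (least privilege for both jobs)
$Principal = New-ScheduledTaskPrincipal -UserId $Guest -LogonType Interactive -RunLevel Limited

# 1. Wipe leftover files when the guest logs on
$DeleteAction  = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c `"$ScriptDir\deletefiles.bat`"" -WorkingDirectory $ScriptDir
$DeleteTrigger = New-ScheduledTaskTrigger -AtLogOn -User $Guest
Register-ScheduledTask -TaskName 'OrgGuest-DeleteFiles' -Action $DeleteAction `
    -Trigger $DeleteTrigger -Principal $Principal -Force

# 2. Mute the speakers at logon and again at 11:30 pm every day (mute.bat is an assumed name)
$MuteAction   = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c `"$ScriptDir\mute.bat`"" -WorkingDirectory $ScriptDir
$MuteTriggers = @(
    (New-ScheduledTaskTrigger -AtLogOn -User $Guest),
    (New-ScheduledTaskTrigger -Daily -At '23:30')
)
Register-ScheduledTask -TaskName 'OrgGuest-Mute' -Action $MuteAction `
    -Trigger $MuteTriggers -Principal $Principal -Force

# Confirm both tasks exist and are ready
Get-ScheduledTask -TaskName 'OrgGuest-*' | Select-Object TaskName, State
```

Setting -WorkingDirectory on the action is what makes the relative svcl.exe and .ps1 references in the bat files resolve when the task fires, which the GUI's "Start in" box does for you but is easy to forget.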

So what we have is a system that auto-boots and logs in as a specific user who has very restricted access. Below are some screenshots of the logged-in user. You can connect a flash drive, mount it and copy files off it.







After the reboot, the copied file is gone.


If you try to copy to a folder you don't have access to, you get the following error.





Friday, January 06, 2023

How to fix Lenovo Laptop Dock Monitor Blinking/Flickering

The organization I work for uses Lenovo ThinkPads, and we purchased Lenovo USB-C docks for those laptops. On two of the new Gen 11 Intel laptops and on a Gen 8 Intel laptop, using three separate Lenovo ThinkPad USB-C Docks (specifically Type 40A9 and Type 40AY), the laptops, when docked and started from a cold boot or a reboot, have an issue showing the screen on the monitors connected with DisplayPort. I don't have HDMI monitors so I can't use HDMI.

This seems to be a well-known issue with Lenovo laptops and Lenovo USB-C docks; you can reference the sources below. This issue has been going on for about 6 months and I have tried all the fixes listed below during those 6 months, applying each fix as soon as it was available.

Sources

https://pcsupport.lenovo.com/ca/en/solutions/ht514019-external-monitor-flickering-when-connected-to-dock-using-dp-or-hdmi-thinkpad

https://forums.lenovo.com/t5/ThinkBook-Notebooks/Thinkbook-15-G2-ITL-Flickering-Dual-Screens-with-ThinkPad-USB-C-Dock-Gen-2/m-p/5081214

https://forums.lenovo.com/t5/Displays-Options-and-Accessories/ThinkPad-USB-C-Dock-40A9-External-Display-flickering-issue/m-p/4233887

https://support.lenovo.com/ca/en/solutions/ht507541

The screens either show nothing (just black after about 1 to 3 minutes) or one screen is distorted with running horizontal lines and jitter.


In fact the issue has persisted, with some staff using the devices becoming upset that it has not been fixed. I can't say I blame them; we have been using Lenovo laptops and docks for 8 years and only within the last 6 months has this become an issue that hasn't been resolved. At least until today, with a workaround using PowerShell. While troubleshooting, nothing really came up in the Event Viewer; I caught an issue with the UCM-UCSI ACPI Device not responding and given a Code 43, but the dock had not stopped working with the exception of the displays, at least according to the Computer Management console.


View in device manager


Code 43 given randomly

I noticed that network, sound, keyboard, webcams and mouse all continued to work when the monitors had the "blinking" issue.


Lenovo L15 Gen2 blinking issue on Type: 40AY Dock

For whatever reason, when the monitor "blinks" it stops working and stays black until you either unplug the dock and plug it back in, or you disable and re-enable the Intel display driver.

So my solution (after making sure everything was as up to date as possible with the latest Lenovo fixes) was the following.

Two scripts: a bat file and a PowerShell file.

The bat file allows the PowerShell script to run.

---------BAT FILE----------

@ECHO OFF
REM %~dp0 is the folder this .bat file is in, so the script is found regardless of the working directory
Powershell.exe -executionpolicy remotesigned -File "%~dp0dock-disable-enable.ps1"

--------------------------------

-------Powershell File-------

# Disable the Intel display adapter, wait 10 seconds, then re-enable it (must run elevated)
Get-PnpDevice -FriendlyName 'Intel(R) Iris(R) Xe Graphics' | Disable-PnpDevice -Confirm:$false
Start-Sleep -Seconds 10
Get-PnpDevice -FriendlyName 'Intel(R) Iris(R) Xe Graphics' | Enable-PnpDevice -Confirm:$false

-----------------------------------

Using Task Scheduler, on user login I have the script run after a 30-second delay; once it runs, the script disables the Intel driver and re-enables it after 10 seconds.
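The script above hard-codes one adapter name, so it silently does nothing on a laptop with a different iGPU (the Gen 8 machine in the post, for example). The block below is an added example, not the post's script, that does the same disable/enable cycle but finds the adapter by device class and a name pattern, and then checks that the device actually came back with a Status of OK instead of the Code 43 error state mentioned above. The 'Intel*' pattern and the function name are my own assumptions.

```powershell
# Added example (not from the original post): restart the display adapter found by class
# and name pattern, then verify it returned to a working state. Run elevated.
function Restart-DisplayAdapter {
    param(
        [string]$NamePattern = 'Intel*',   # assumption: match the Intel iGPU by name prefix
        [int]$PauseSeconds = 10            # same 10-second pause as the post's script
    )

    # Only adapters that are currently present (plugged in / enumerated)
    $adapters = Get-PnpDevice -Class Display -PresentOnly |
        Where-Object { $_.FriendlyName -like $NamePattern }
    if (-not $adapters) {
        throw "No present display adapter matches '$NamePattern'"
    }

    foreach ($adapter in $adapters) {
        Write-Output "Disabling $($adapter.FriendlyName) [$($adapter.InstanceId)]"
        Disable-PnpDevice -InstanceId $adapter.InstanceId -Confirm:$false
        Start-Sleep -Seconds $PauseSeconds
        Enable-PnpDevice -InstanceId $adapter.InstanceId -Confirm:$false

        # Re-query the device: Status should be OK; Problem holds the CM problem code if not
        $after = Get-PnpDevice -InstanceId $adapter.InstanceId
        Write-Output "$($after.FriendlyName) is now $($after.Status)"
        if ($after.Status -ne 'OK') {
            Write-Warning "$($after.FriendlyName) did not return to OK (problem code $($after.Problem))"
        }
    }
}

Restart-DisplayAdapter
```

Using the InstanceId for the disable/enable rather than re-running the FriendlyName lookup also avoids toggling a second adapter that happens to match the same name.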


This has stopped staff from having to unplug and re-plug their laptops into the docking stations; they are much happier going to get a coffee after they log in and coming back than having to unplug and re-plug the dock.


Sunday, November 27, 2022

Enabling Nested Virtualization on Hyper-V

To enable nested virtualization on Microsoft Hyper-V, run the following command from PowerShell on your Hyper-V host (syspass is the name of the VM):

Set-VMProcessor -VMName syspass -ExposeVirtualizationExtensions $true


If you try running the command while the VM is running you will get an error.


When the command succeeds, you will be able to run a virtual server inside that VM on your Hyper-V host. You need to run this command against the VM on the host if you want to run nested Hyper-V, KVM or Docker on a virtual machine running on the host.
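Since the command fails while the VM is running, a small wrapper that checks the VM state first, shuts it down if needed, and reads the setting back afterwards saves a round trip. This is an added example, not from the post; syspass is the VM name used above and the function name is my own.

```powershell
# Added example (not from the original post): enable nested virtualization safely.
# Run on the Hyper-V host; 'syspass' is the VM name from the post.
function Enable-NestedVirtualization {
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName

    # Set-VMProcessor is refused unless the VM is off, so handle the running case first
    if ($vm.State -eq 'Running') {
        Write-Output "Stopping $VMName (current state: $($vm.State))"
        # -Force: shut down via integration services, turning the VM off if a clean shutdown is not possible
        Stop-VM -Name $VMName -Force
    } elseif ($vm.State -ne 'Off') {
        # Saved or paused VMs also cannot be reconfigured; leave that decision to the operator
        throw "$VMName is in state '$($vm.State)'; bring it to the Off state and rerun"
    }

    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true

    # Read it back: this is the flag the nested hypervisor (Hyper-V, KVM, Docker) depends on
    $exposed = (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions
    Write-Output "ExposeVirtualizationExtensions for $VMName is now $exposed"
    return $exposed
}

Enable-NestedVirtualization -VMName 'syspass'
```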

Thursday, September 29, 2022

Information about Meraki Licensing

When renewing your Cisco Meraki licensing, it should be done within a few weeks. I have gotten conflicting information from the sellers and from technical support at Meraki. According to the Meraki support rep, the license is active from the date of the invoice.


Hello Trevor,

As a reminder, the license key is active from date of invoice complete which was xx/xx/2022. When the license is added to the organization it will have a license start date from xx/xx/2022. If the license is added as a renewal today, the co-termination date would be xxx xx, 2025 (the organization will absorb the current remaining 88 days). I would suggest to add the license as soon as possible.

You may always contact your Meraki Account Manager if you had any questions or concerns about your licensing or order; **** ****@cisco.com

Thank you again, 

Cisco Meraki Support


So if you apply the license, where can you find your keys? They can be found in the change log. When you apply your license you can restore your old license by clicking on the undo arrow at the far right (shown below highlighted in yellow).


You will get a popup with a key you can add to update your license. If, however, you miss or close the popup without getting your key, you can get the key from the change log. The key is labelled as an unclaimed license.




You will want to select the latest generated value, as shown below.




This is an ongoing issue; here is a link to a Reddit thread where someone had a similar issue.

Monday, September 26, 2022

RDP Periodically Freezes in Windows 10 and Windows Server

I work with Windows a lot and have found I had been having connection issues with Remote Desktop on most of my Windows Servers and some Windows 10 machines. After some research I found that on Windows Server version 1809 (2022) and Windows 10 versions 1806 - 21H2, I have had issues with Remote Desktop freezing. I would have several stints where the RDP client froze on the workstation or computer I am remoting in from. This wasn't the only computer that was having an issue. Another user who also had Remote Desktop on a workstation (for specific reasons) had also been intermittently having the same issue. I also found that in some instances AV was also causing issues.

https://docs.microsoft.com/en-us/answers/questions/664026/2022-rds-session-freezing-randomly.html

https://blog.techinline.com/2021/01/08/remote-desktop-keeps-freezing-windows-10/

After some testing, I found a way to mostly stop the disconnections and freezing between the Remote Desktop client and server by disabling UDP and using only TCP. To do this we are going to add a registry key and modify a group policy setting. Let's do the registry entry first.

On your Remote Desktop client, open a cmd prompt or PowerShell as administrator and type in the following:

reg add "HKLM\software\policies\microsoft\windows nt\Terminal Services\Client" /v fClientDisableUDP /d 1 /t REG_DWORD



Now group policy.




Run gpedit.msc, then navigate to Computer Configuration > Administrative templates > Windows components > Remote Desktop Services > Remote Desktop Connection Client.

Enable the Turn off UDP on client setting.

That takes care of the Remote Desktop client. On the Remote Desktop server, the machine you want to connect to, go to:

Computer Configuration > Administrative templates > Windows components > Remote Desktop Services > Remote Desktop Session Host.

Select Transport Type -> USE ONLY TCP
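Both settings end up as DWORD values under the Terminal Services policy key, so they can be set and, more usefully, verified from PowerShell. The block below is an added example, not from the post; the client value is the same fClientDisableUDP the reg add command above writes, and SelectTransport (1 = Use only TCP) is my mapping of the "Select RDP transport protocols" policy under Remote Desktop Session Host > Connections, not something quoted from the post.

```powershell
# Added example (not from the original post): disable RDP over UDP on the client and/or
# session host by writing the policy registry values, then return what is actually set.
# Run elevated. SelectTransport = 1 corresponds to "Use only TCP" (my mapping of the GPO).
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Disable-RdpUdp {
    param([switch]$Client, [switch]$SessionHost)

    if ($Client) {
        # Client side: same value as the reg add command in the post
        $clientKey = Join-Path $TsPolicy 'Client'
        if (-not (Test-Path $clientKey)) { New-Item -Path $clientKey -Force | Out-Null }
        Set-ItemProperty -Path $clientKey -Name fClientDisableUDP -Value 1 -Type DWord
    }
    if ($SessionHost) {
        # Server side: Remote Desktop Session Host -> Connections -> Select RDP transport protocols
        if (-not (Test-Path $TsPolicy)) { New-Item -Path $TsPolicy -Force | Out-Null }
        Set-ItemProperty -Path $TsPolicy -Name SelectTransport -Value 1 -Type DWord
    }

    # Return the live registry state so the change can be verified now and audited later
    [pscustomobject]@{
        ClientDisableUDP = (Get-ItemProperty -Path (Join-Path $TsPolicy 'Client') -Name fClientDisableUDP -ErrorAction SilentlyContinue).fClientDisableUDP
        SelectTransport  = (Get-ItemProperty -Path $TsPolicy -Name SelectTransport -ErrorAction SilentlyContinue).SelectTransport
    }
}

# On the workstation you connect from:
Disable-RdpUdp -Client
# On the machine you connect to (uncomment there):
# Disable-RdpUdp -SessionHost
```

Calling the function with no switches just reports the current values, which is a quick way to check a machine that is still freezing after the GPO was supposedly applied.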





Thursday, September 15, 2022

Issues connecting to DFS shares from a computer

The issue is an odd one. A single computer connected to a domain lost its connection to two DFS file shares. The file shares are wide open to all domain users, with nothing that would restrict connecting to the share. The share shows up in the user's share list but gives a permissions alert when clicked on and displays as 0 bytes or as nothing at all.

Issue: An Active Directory connected workstation (laptop) won't connect to DFS file shares. The two network shares in question have read, write and execute privileges granted to everyone in the organization. Out of 8 file shares, two say that domain users do not have permission to access them, and these are shares where everyone has access.



The shares they should have access to show a 0 KB size and say they do not have permission to access the resource, even though they are clearly a member of the security group that grants access to the shared resource.

After trying several of the typical ways to fix the issue, such as:

  • removing the system from the active directory
  • a disk check and file system scan
  • logging in as a separate user
  • logging into another system with the user where the issue exists.
After several attempts to get it fixed using the typical tools, I looked outside the box. The Event Viewer was not showing anything helpful for troubleshooting, so I disabled Offline Files to see if I could access the network shares. After doing this, I was able to.
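When the Event Viewer is quiet, the two things worth checking directly are whether the Offline Files (client-side cache) feature is enabled and active on the machine, and whether each DFS path can actually be listed. The block below is an added example, not from the post; the share paths are placeholders, and it uses the built-in Win32_OfflineFilesCache WMI class for the cache state.

```powershell
# Added example (not from the original post): check Offline Files state and DFS share access
# from the affected workstation. Share paths are placeholders.
$DfsShares = @('\\DOMAIN\dfs\Share1', '\\DOMAIN\dfs\Share2')   # placeholders

function Test-DfsAccess {
    param([string[]]$Paths)

    # Offline Files cache: Enabled = feature state, Active = currently serving cached content
    $csc = Get-CimInstance -ClassName Win32_OfflineFilesCache
    Write-Output ("Offline Files: Enabled={0} Active={1} Location={2}" -f $csc.Enabled, $csc.Active, $csc.Location)

    foreach ($path in $Paths) {
        $result = [ordered]@{ Path = $path; Reachable = $false; Items = $null; Error = $null }
        try {
            # Listing the root exercises both the DFS referral and the share/NTFS ACLs
            $items = @(Get-ChildItem -LiteralPath $path -ErrorAction Stop)
            $result.Reachable = $true
            $result.Items = $items.Count
        } catch {
            # Access denied vs. path not found tells you whether referral or permissions is the problem
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Test-DfsAccess -Paths $DfsShares | Format-Table -AutoSize
```

Running this before and after toggling the Offline Files policy gives you a record of what changed, which is handy when the fix is as non-obvious as the one in this post.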

Resolution:

The resolution is a little odd. I think it was caused by a corrupt DFS cache, which needs to be removed using local computer group policy. The local computer group policy processing order can be found here; to summarize, the processing order is:

  1. Local
  2. Site
  3. Domain
  4. OU

Removing the computer from the domain and removing it from Active Directory was not enough to reset the offline DFS cache. I had to enable the prevention of Offline Files use to get the issue fixed.

On the local computer:

open gpedit.msc

go to Local Computer Policy -> Computer Configuration -> Network -> Offline Files -> Prevent use of Offline Files folder

Enable "Prevent use of Offline Files folder"


Remove the computer from Active Directory and log in as a local user. Remove any unused users from System Properties -> Advanced -> User Profiles -> Local User Profiles.


Once that was done, I tried to connect to the DFS share from the workgroup computer using domain credentials, and the DFS shares started showing correctly. Then when I reconnected the system to the domain, all users could access all the DFS shares properly. After verifying that the share showed up properly, I set "Prevent use of Offline Files folder" back to Not Configured, then verified that the network drives still showed properly and were accessible, which they were. It was an odd issue that did not affect the user but a specific machine's connection to specific shares, regardless of the user logged in.




Tuesday, August 09, 2022

Hyper-V VM Backup using Powershell (VM-Export)


One of the many things I've been working on is an automated script to do VM backups. I've been doing a lot of work automating processes with PowerShell recently, so I thought I would sit down and finish hammering out this little script.

This PowerShell script exports Hyper-V VMs to a directory and sends an email notification when each export completes or if there is an error. I am not 100% there with the backup, as there are still a few bugs, like sending an email when the entire script has finished, but I am confident enough in it working that I am going to pass it along for anyone to use if they wish.


##########BACKUP VM SCRIPT##########
# Placeholders: replace '$VM1'... with the names of the VMs to back up, and the path,
# mail addresses and SMTP server with your own values
$ComputerNameArray = '$VM1','$VM2','$VM3','$VM4','$VM5','$VM6','$VM7','$VM8','$VM9';
# Set the Path to save the backups
$SavePath   = '$PATH TO FOLDER';
$MailFrom   = '$MAILFROM';
$MailTo     = '$MAILTO';
$SmtpServer = '$SMTPSERVER';

# Back up each VM in the list in turn
foreach ($ComputerName in $ComputerNameArray) {
    # Skip blank entries
    if ([string]::IsNullOrWhiteSpace($ComputerName)) { continue }

    # Check to see if there is a previous backup and remove it
    if (Test-Path -Path "$SavePath\$ComputerName") {
        Remove-Item -Path "$SavePath\$ComputerName" -Force -Recurse
    }

    # Get the start time of the backup
    $TimeStart = Get-Date;

    # Export as a background job so the progress can be watched while it runs
    $ExportJob = Export-VM -Name $ComputerName -Path $SavePath -AsJob;

    # While the job state is running or not started, report the progress
    $progress = 0;
    while ($ExportJob.State -eq "Running" -or $ExportJob.State -eq "NotStarted") {
        $progress = ($ExportJob.Progress.PercentComplete | Select-Object -Last 1);
        Write-Output ("[Export] $ComputerName " + $progress + "% complete");
        Start-Sleep -Seconds 30;
    }

    # After the export finishes get the time and send an email notification
    $TimeFinished = Get-Date;
    if ($ExportJob.State -eq "Completed") {
        Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer -Subject "VM Backup for $ComputerName was Successful" -Body "The VM $ComputerName was successfully backed up. It started at $TimeStart and Finished at $TimeFinished"
    } else {
        # The export did not finish; report the state and whatever error the job recorded
        Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer -Subject "Backup For $ComputerName Failed at $progress % complete" -Body ("Export Job did not complete: " + $ExportJob.State + " " + ($ExportJob.Error | Out-String))
        Write-Error ("Export Job did not complete: " + $ExportJob.State);
    }
    # Clean up the finished job before moving on to the next computer name
    Remove-Job -Job $ExportJob -Force;
}
##########END SCRIPT###########
