showing all posts
by lunarg on March 18th 2021, at 16:22

If you are annoyed by the Notification Manager for Adobe Creative Cloud and/or are using VDI and want to get rid of it, use this PS one-liner:

Get-AppxPackage -AllUsers *AdobeNotificationClient* | Remove-AppxPackage -AllUsers
by lunarg on March 18th 2021, at 12:36

With PowerCLI it is very easy to get a list of provisioned storage for a list of VMs:

Get-VM | Select-Object Name,@{n="ProvisionedGB"; e={(Get-HardDisk -VM $_ | Measure-Object -Sum CapacityGB).Sum}}

You can combine this with other cmdlets to limit the search to a specific folder, datastore, etc...

To get a complete sum of all the VMs, add | Measure-Object -Sum ProvisionedGB at the end.

by lunarg on March 15th 2021, at 16:46
The most easy way to debug the sending of the FortiToken activation e-mails from a FortiGate firewall is by using the CLI debugging tools. The sending of activation e-mails is part of the alerts e-mail system so we need to enable debugging on that system.

To enable debugging from the CLI:

diag debug resetdiag debug enablediag debug console timestamp enablediag debug application alertmail -1

Sending the activation e-mail will output the e-mail contents and the SMTP session. Particularly useful are the SMTP return codes after each SMTP command. See this page on Wikipedia to see a list of return codes.

The debug session will remain active for 30 minutes after which it will stop automaticall  ...
by lunarg on March 15th 2021, at 09:28

When configuring a provisioning link (e.g. for 3CX) in DHCP server on a Draytek firewall, and are using certain phones (particular Snom), you may run into the issue where the firewall is complaining about illegal characters when attempting to add the link through the web interface.

The solution is to configure the option through the CLI. Log in using either telnet or SSH (whichever is enabled), and type:

srv dhcp option -e 1 -i 1 -c 66 -v{mac}

Take particular care to the -i option, which defines the LAN subnet to be used: in this case, 1 references LAN 1 on the Draytek.

by lunarg on February 19th 2021, at 09:54

You can enforce a password change for Office 365 (Azure AD) users without having to reset the password through Powershell.

For a single user:

Set-MsolUserPassword -UserPrincipalName -ForceChangePasswordOnly $true -ForceChangePassword $true

To force all users to change their password:

Get-MsolUser -All | Set-MsolUserPassword -ForceChangePasswordOnly $true -ForceChangePassword $true

You can also use filters ? {} to limit the password change enforcement to specific groups of users.

Note that it is recommended to also use Revoke-AzureADUserAllRefreshToken to end all current open sessions, and immediately enforcing the user(s) to log in again and change their passwords.

by lunarg on February 18th 2021, at 17:35
Offline installation of PowerCLI module is possible by following these easy steps:Uninstall all older PowerCLI software (6.5R1 or earlier).

Download the PowerCLI offline bundle (ZIP-file) from the PowerCLI home page.

Transfer the ZIP to the machine on which PowerCLI is to be installed.

Open Powershell on the target machine.

To determine the modules folder paths, run this:$env:PSModulePath

The modules will have to be extracted in one of the folders from the output of the above command. Both user-based and machine-based installation is possible (e.g. C:\Windows\System32\WindowsPowerShell\v1.0\Modules).

Extract the contents of the ZIP file directly into the folder.

For Windows, run this   ...
by lunarg on January 25th 2021, at 09:34
When using credentials in Powershell, you usually use Get-Credential, which essentially creates PSCredential objects. Creating such an object prompts the user to enter a username and password, which is not really usable in unattended scripts. There's a method where you can specify an unencrypted password but this is not secure. Fortunately, there's also a method where you can store the encrypted password in a file and use it to set the password.

Note that the password is stored in the file using a computer-based encryption key. This means that the file would only work on the computer it was generated on. Trying to use it elsewhere would invalidate the password file.

To create a passwo  ...
by lunarg on December 9th 2020, at 11:02
I had an issue where a forwarder service would not work even though all settings were correctly configured (firewall/LM/real server). When troubleshooting using on the LM itself (using tcpdump), I noticed that forwarded requests (from the LB to the real server) were been sent out using the right interface but with the wrong source IP, causing return traffic not to work. As it was a migration from an older Kemp LM, I established the configuration was indeed correct but there was another reason why it was not working.

After some more troubleshooting and comparing against the backup from the original LM (backup files are in fact TGZ-archives and can be unpacked), and found these settings to be  ...
by lunarg on December 9th 2020, at 10:27
To backup Microsoft SQL Server, the account used for VM-side processing (application aware processing) requires certain permissions. Veeam recommends assigning the sysadmin role on the SQL Server but it is also possible to assign minimal permissions on the databases it needs to backup, which is the preferred method for security hardening.

The User Guide for VMware vSphere outlines the required permissions as well but for convenience, I've listed them here as well.

Instance-level roles:

Assign these roles:public


Database-level roles:

Assign these roles:

System databases master and model:db_backupoperator



System database msdb:db_backupoperator

db_dat  ...
by lunarg on December 8th 2020, at 11:52
If the SSL-certificate on your VMware Horizon View Composer server is about to expire, it will have to be replaced. The process is pretty straight forward.

Import the new certificate (in PFX-format) in the Computer certificate store. You can use the MMC snap-in or certutil to accomplish the task. If it's not a publicly signed certificate, you will also need to make sure the intermediate and trusted root CA is imported.

Open an elevated command prompt.

Stop the VMware Horizon Composer service:net stop svid

Navigate to the install location of View Composer. The default location is C:\Program Files (x86)\VMware\VMware View Composer. On a 32-bit machine, leave out "(x86)".

Run t  ...
by lunarg on December 3rd 2020, at 21:21
When downloading files from the internet or copying them from a (foreign) server, these files will be marked as blocked by default.

Each file can be unblocked by right-clicking the file and manually selecting unblock, but what if you have a whole bunch of files to unblock? In that case you can use Powershell:

Get-Item -Path "$env:windir\Fonts\*" -Stream "Zone.Identifier" -ErrorAction SilentlyContinue | % { Unblock-File -Path $_.FileName }

The oneliner above consists of two parts:

The flag that says whether or not a file is blocked is stored in a hidden NTFS-stream called Zone.Identifier, which is stored for each individual file. By looking for those hidden streams,   ...
by lunarg on November 30th 2020, at 16:45
A long standing issue (it goes back as far as Windows 10 1511) exists where GPOs are not (or not always) applied on Windows 10 machines, even though the entire setup checks out (correct GPO links, network in working order, domain controllers functional). Back in Windows 10 1511, there was a certain update introducing something called UNC hardening which caused this behaviour. Although it was expected that this has since been resolved in another Cumulative update, there are still numerous reports of users encountering this issue all the way up to Windows 10 2004.

Should you be affected by this issue, the symptoms are as follows:

You are able to succesfully log on using a domain account you'  ...
by lunarg on November 25th 2020, at 10:12

There are many ways to verify the syntax of a Powershell script (other than running it of course), but the most simple and useful is this one:

Get-Command -Syntax 'path\to\script.ps1'

If the syntax is valid, it will simply return the name of the script. If there are errors, it will provide a detailed syntax error report.

by lunarg on November 16th 2020, at 15:31

Using Powershell, you can quickly verify the status of the replication between domain controllers in Active Directory. This can be used in monitoring to verify a healthy AD replication. This can be run on any domain controller or on another system with RSAT or ActiveDirectory Powershell module.

Get-ADReplicationPartnerMetadata -Target "$env:USERDNSDOMAIN" -Scope Domain | FT -Auto Server,LastReplication*

To see forest-wide replication, replace -Scope Domain with -Scope Forest.

by lunarg on November 13th 2020, at 16:52
By default, Adobe Reader DC pummels you with all kinds of offers for trial versions and cloud accounts, which can be annoying for yourself and your users. Luckily, it can be turned off through a few well-placed registry keys, as described in the Enterprise Toolkit.

Create the following key(s):HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM (for 32-bit app on 64-bit Windows)

Create these DWORD-values and set them to zero:bDontShowMsgWhenViewingDoc (DWORD) = 0

bShowMsgAtLaunch (DWORD) = 0

bAllowUserToChangeMsgPrefs (DWORD) = 0

Note that the value for bDontSh  ...
by lunarg on November 13th 2020, at 13:30
While heavily deprecated and frowned upon, sometimes you'd still need to use the SMB1 protocol in Windows 10. You can effortless enable this through the GUI (Control Panel → Add/Remove Programs), it may be necessary to install it through scripting (e.g. for automated install). One of the methods is through Powershell.

Enabling the SMB1 client but not the server (or vice versa) is a multi-step process, as it's not possible to "only" enable the SMB1 client. First, you need to enable everything of SMB1, then disable the unneeded sub-features. An important item to disable is the SMB1 Deprecation option, as leaving this enabling could result in the automatic removal of all SMB1 fe  ...
by lunarg on November 11th 2020, at 14:40
I ran into an issue where a local group policy had settings that were not accessible or editable using the conventional Local Group Policy editor (gpedit.msc), causing unwanted settings to be re-applied each time the group policy was refreshed. After a bit of searching around on the internet, I found a Powershell module with the ability to add, edit and remove individual items directly from Registry.pol policy files.

The module PolicyFileEditor can be downloaded and installed easily through Powershell:

Install-Module -Name PolicyFileEditor

As with everything from PSGallery, you need to have NuGet installed and updated.

The module comes with examples on how to use it. It can also be viewe  ...
by lunarg on November 9th 2020, at 16:43
If you are using multi-factor authentication, it is not possible to use the old method of connecting to Exchange Online. You will have to install the Exchange Online PowerShell Module, and use the Connect-ExchangeOnline cmdlet to connect.

With the deprecation of Internet Explorer, the old method below no longer works. Use the method described here to install: Installing Exchange Online Management Powershell cmdlets

Old instructions
Log on to Exchange admin center.

In the left menu, click on hybrid.

Click the configure button for the Exchange Online Remote PowerShell Module. This will start the installation.

In the Application Install that appears, click the Install button.

When using  ...
by lunarg on November 9th 2020, at 16:34

With the deprecation of Internet Explorer, it is currently no longer possible to install the Exchange Online Powershell module via ECP. But you can also install the Exchange Online Powershell module via Powershell itself:

First install the dependencies:

Install-PackageProvider -Name NuGet -Force
Install-Module -Name PowerShellGet -Force

Next install the Exchange Online Management module:

Install-Module -Name ExchangeOnlineManagement
by lunarg on November 4th 2020, at 09:57
Using PowerCLI, you can easily retrieve the status of CPU/Memory hot-add/remove. After logging in (use Connect-ViServer), run this cmdlet:

(Get-VM | Select ExtensionData).ExtensionData.config | FT -Auto Name, MemoryHotAddEnabled,CpuHotAddEnabled,CpuHotRemoveEnabled

If you only want a list of VMs which have hot-add/remove enabled for either CPU or memory, you can use filters to filter on this:

(Get-VM | Select ExtensionData).ExtensionData.config | ? {$_.MemoryHotAddEnabled -eq $true -or $_.CpuHotAddEnabled -eq $true -or $_.CpuHotRemoveEnabled -eq $true} | Select Name, MemoryHotAddEnabled,CpuHotAddEnabled,CpuHotRemoveEnabled | FT -Auto

To export the result to CSV, replace the FT -Auto in t  ...
showing all posts