Windows: How to change the network from Public to Private?


On my Windows 10 computer, I found the network is set to Public network. That means you can’t share anything to/from other computers. When you connect to a new network, Windows gives you an option to share files with another computer on the network. If you check that box, the network is flagged as Private. If you missed it, the network is flagged as Public.

I tried to change that network back to the Private network. For some reason, Windows 10 didn’t give me any option to change the network type anywhere in GUI settings.

But I found how to do it in PowerShell. If you want to change the network type, open the PowerShell with Administrative Privileges (Right click on PowerShell, Run as Administrator) and run these commands:

Run this command and note down “InterfaceAlias” of the network you want to change.

Get-NetConnectionProfile

Store the Network connection profile of the network to a variable (enter the interface alias you noted down from the previous command) :

$netprofile = Get-NetConnectionProfile -InterfaceAlias <Interface Alias name>

Change the Network Category to “Private” or “Public” in the object stored in $netprofile:

$netprofile.NetworkCategory = "Private"

Set the network profile with the modified object:

Set-NetConnectionProfile -InputObject $netprofile

You can close the PowerShell now. Check your network, it should be changed now.
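The category decides which Windows Firewall profile applies to the connection, which is why sharing only works on Private. The script below is an added example, not part of the original post: it makes the same change in one call and then lists the inbound allow rules that are active on Private but not on Public networks. The alias 'Ethernet' is a placeholder.

```powershell
# Added example, not from the original post. 'Ethernet' is a placeholder alias.
$alias = 'Ethernet'

$current = Get-NetConnectionProfile -InterfaceAlias $alias
if ($current.NetworkCategory -eq 'DomainAuthenticated') {
    # Windows assigns this category itself when a domain controller is reachable
    throw "'$alias' is domain-authenticated; its category cannot be set by hand."
}

# Same change as the steps above, without the intermediate object
Set-NetConnectionProfile -InterfaceAlias $alias -NetworkCategory Private

# Confirm the category that is now in effect
Get-NetConnectionProfile -InterfaceAlias $alias |
    Select-Object Name, InterfaceAlias, NetworkCategory

# State of the firewall profile that now governs this connection
Get-NetFirewallProfile -Name Private |
    Select-Object Name, Enabled, DefaultInboundAction

# Enabled inbound allow rules that apply on Private but not on Public networks,
# i.e. what the category change newly exposes on this interface
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Private' -and "$($_.Profile)" -notmatch 'Public' } |
    Sort-Object DisplayGroup, DisplayName |
    Select-Object DisplayGroup, DisplayName, Profile
```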


Group Policy fails to update on a Windows 10 computer


On my Windows 10 computer, I found Group Policy is not being applied anymore. If I run a Group Policy update in an administrative command shell, I get this:

PS C:\WINDOWS\system32> gpupdate /force
Updating policy…
Computer Policy update has completed successfully.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

So after some research I found the issue and fixed it. The solution is:

Set the freaking NETLOGON service to start automatically, and start the service.

Did this solution help you? Leave me a reply here.

IIS: Publish Windows Share to WebDAV site


Publishing local folders as a WebDAV site is very easy with IIS. There is plenty of help available for that.

BUT there is not much help on publishing a Windows share via WebDAV. So I decided to publish one after we successfully published it at my work. It works beautifully.

One Liner: The trick is to replace ApplicationPoolIdentity (by default it belongs to the IIS_IUSRS local group on the server) with a domain service account and use a different Application Pool.

More info about IIS_IUSRS local group is here: http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis

Step by Step instructions: (for Windows Server 2012 R2)

1. Create or find a service account in your Active Directory domain (e.g., CONTOSO\svc-webdav).
2. Give the service account at least read permissions for the whole Windows share. In my case I gave modify permissions for my NetApp CIFS share.
3. Log on to the web server and open the IIS Administration Console.
4. Go to the Application Pools section and create a new application pool by clicking Add Application Pool… on the Actions pane.
5. Open Basic Settings of the newly created application pool. Change the Managed pipeline mode to Classic.
6. Open Advanced Settings of the same new application pool. Find Identity under Process Model. Replace ApplicationPoolIdentity with the chosen service account (e.g., CONTOSO\svc-webdav).
7. Create a new Virtual Site and open Basic Settings of the virtual site. Type the Windows share path in the Physical path text box. Click the Test Settings… button. Click OK to close the dialog box.
8. If you are hosting an HTTPS site, select Basic authentication. If you are not using HTTPS, select Windows Authentication for the HTTP site.
9. Enable WebDAV at the root of the site (e.g., Default Site) under WebDAV Authoring Rules (click Enable WebDAV on the Actions pane).
10. Enable Directory Browsing in the Virtual Site settings.

That’s all. Try accessing your WebDAV folder from the client. You may have to enter your user name/password to enter the site. Enjoy and leave me a reply if it helped you.
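Steps 4 to 10 can also be scripted with the WebAdministration module. This is an added example, not the author's script; it assumes the "Virtual Site" is an application under an existing site and that it is assigned to the new pool, and the pool name, application name and UNC path are placeholders.

```powershell
# Added example, not the author's script. Names and paths below are placeholders.
Import-Module WebAdministration

$pool  = 'WebDavSharePool'        # hypothetical application pool name
$site  = 'Default Web Site'       # existing site (assumption)
$app   = 'files'                  # hypothetical application name
$share = '\\fileserver\share'     # placeholder UNC path of the Windows share
$cred  = Get-Credential -Message 'Service account, e.g. CONTOSO\svc-webdav'
$root  = 'MACHINE/WEBROOT/APPHOST'
$auth  = 'system.webServer/security/authentication'

# Steps 4-6: dedicated pool, Classic pipeline, running as the service account.
# Prompting with Get-Credential keeps the password out of the script file.
New-WebAppPool -Name $pool | Out-Null
Set-ItemProperty "IIS:\AppPools\$pool" -Name managedPipelineMode -Value Classic
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Step 7: publish the share as an application served by that pool
New-WebApplication -Site $site -Name $app -PhysicalPath $share -ApplicationPool $pool | Out-Null

# Step 8: Basic authentication only when the site has an HTTPS binding,
# otherwise Windows Authentication
$mode = if (Get-WebBinding -Name $site -Protocol https) { 'basicAuthentication' } else { 'windowsAuthentication' }
Set-WebConfigurationProperty -PSPath $root -Location "$site/$app" `
    -Filter "$auth/$mode" -Name enabled -Value $true

# Step 9: enable WebDAV at the site root (the WebDAV Publishing feature must be installed)
Set-WebConfigurationProperty -PSPath $root -Location $site `
    -Filter 'system.webServer/webdav/authoring' -Name enabled -Value $true

# Step 10: directory browsing on the published application
Set-WebConfigurationProperty -PSPath $root -Location "$site/$app" `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true

# Check which account the pool will use when it opens the share
(Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).userName
```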

RDS 2012R2/Profile Disk: Adobe Reader X says “There was an error opening this document. Access Denied”


PDF attachments from an application are not opening correctly. Adobe Reader spits out the error message quoted in the title.

We use RDS 2012 R2 and Profile Disks for the users. Somehow PDF files on the profile disk are having the same issue with Adobe Reader.

Solution: It turns out the new Adobe Reader software has a Protected Mode feature. This feature has issues with Profile Disks and Roaming profiles. Just disable Protected Mode under the Security (Enhanced) section in Preferences.

Hope this helped you. Leave me a reply.

WebDAV: Increasing Maximum File Size Limit in Windows Server


A Windows (IIS) based WebDAV server has a “laughable” file size limit for downloads or uploads to/from the server. It turns out the restriction is on the client side (Windows). Microsoft says the reason for this restriction is:

This issue occurs because a security change that was introduced in
Windows XP SP2 affects the Web Distributed Authoring and Versioning
(WebDAV) redirector. This security change makes sure that an
unauthorized server cannot force a client computer into a denial of
service attack. If you try to download a file that is larger than
50000000 bytes, the client computer interprets this download as a denial
of service attack. Therefore, the download process stops.

Also it’s fixable. Too bad we have to fix this for every client machine that needs to use WebDAV with huge files. It is documented at http://support.microsoft.com/kb/900900.

The fix is described in the KB article above; the steps from the article are reproduced below.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
  3. In the right pane, right-click the FileSizeLimitInBytes value, and then click Modify.
    If you cannot see the FileSizeLimitInBytes value, right-click the blank space in the right pane, click New, click DWORD Value, type FileSizeLimitInBytes, and then click OK.
  4. In the Edit DWORD Value box, click to select the Decimal option. In the box under Value data, type a value that is larger than the size of the file that you want to download. Click OK.
    Note The default value for the file size limit is 50000000 bytes.
  5. Quit Registry Editor. Restart the computer.

Unfortunately I didn’t find any server side solution, since the restriction is set on the Windows clients.
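Because the change has to be made on every client, the registry steps above are easier to apply as a script. This is an added example, not taken from the KB article or the original post; the function name and the 500 MB sample value are assumptions. It must run elevated, and it rejects sizes that cannot fit in the 32-bit DWORD.

```powershell
# Added example, not from the KB article. Function name and sample size are hypothetical.
function Set-WebDavFileSizeLimit {
    param([Parameter(Mandatory)][uint64]$Bytes)

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
    $name = 'FileSizeLimitInBytes'

    # The value is a DWORD, so no limit above 4294967295 bytes can be stored
    if ($Bytes -gt [uint32]::MaxValue) {
        throw "$name is a 32-bit DWORD; the largest possible value is $([uint32]::MaxValue)."
    }

    # Record the current value (empty if the value does not exist yet)
    $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # Hand the registry API the same 32 bits as a signed Int32,
    # which it accepts for every possible DWORD value
    $bits = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$Bytes), 0)
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $bits -Force | Out-Null

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = $before
        After    = (Get-ItemProperty -Path $key -Name $name).$name
    }
}

# Constructed sample value: allow files up to 500 MB on this client
Set-WebDavFileSizeLimit -Bytes 500MB
```

As in step 5 of the KB procedure, restart the computer afterwards.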

Citrix/RDS: Publish Internet Explorer without Address Bar


Publishing IE for a web application without the address bar is easier than you think. Simply publish the following VBScript or PowerShell script to launch IE without the address bar and go to a specific intranet website.

Copy either one of the scripts into Notepad and save it as LaunchIE.vbs for VBScript OR LaunchIE.PS1 for PowerShell. Change the website address in the script. Run the script to make sure it works as you expected. Publish the script in Citrix or RDS.

Here is the VBScript Code. You can download this script from here: http://sdrv.ms/1cijdke


' Script: LaunchIE.vbs
' Purpose: Launch IE without Address bar with the given website
' Written by: Anand Venkatachalapathy


' Note: Replace the address in the objIE.Navigate line below with your own website

Dim objIE
Set objIE = WScript.CreateObject("InternetExplorer.Application")
objIE.Toolbar = False    ' Turning off the tool/address bar
objIE.Navigate "http://anandthearchitect.com"
objIE.Visible = True

' End of Script

Here is the PowerShell Code. Download the script from here: http://sdrv.ms/1cijnYN

#    __                           __       __________
#   / /   ____ ___  ______  _____/ /_     /  _/ ____/
#  / /   / __ `/ / / / __ \/ ___/ __ \    / // __/
# / /___/ /_/ / /_/ / / / / /__/ / / /  _/ // /___
#/_____/\__,_/\__,_/_/ /_/\___/_/ /_/  /___/_____/
#
# Launch IE without Tool bar and Address bar
# Written by: Anand the Awesome Venkatachalapathy
#
# Replace your website on next line
$site = "http://anandthearchitect.com"

#Get IE Application object
$ie = New-Object -ComObject "InternetExplorer.Application"

#Hide Address Bar and Tool Bar
$ie.AddressBar = $false
$ie.ToolBar = $false

#Launch the IE with the specified website address and show the window
$ie.Navigate($site)
$ie.Visible = $true

#
#-*-*-*-*-*-*-*-*-*-*- The End *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

RDS: Trusting the certificate used for publishing by GPO


When you run a published RDS RemoteApp and get the following warning dialog box, it means the certificate used to publish the RemoteApp is not trusted by the local computer.

“A website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.”

There is an easy fix, but it is not very well documented anywhere. The TechNet document simply says to add the RDS certificate thumbprint to the credentials delegation section in GPO. It’s all well and good, but they forgot to mention the thumbprint has to be in UPPERCASE with no spaces. I have given step by step instructions below to add the certificate thumbprint to a GPO. The GPO needs to apply to all domain computers that are used to access RDS RemoteApp.

1. Open your RDS certificate, go to Details and find Thumbprint. (Yahoo’s SSL certificate is used as the example here.)

2. Select and Copy the Thumbprint into clipboard. (e.g., ‎e9 c0 09 f9 4e f5 e9 92 e2 fa 56 5d 13 f5 a2 56 76 da 6e 7b)

3. Convert all characters to uppercase and remove the spaces. You could use the following PowerShell commands to do just that. Replace my thumbprint below with your cert thumbprint.

$thumbprint = "e9 c0 09 f9 4e f5 e9 92 e2 fa 56 5d 13 f5 a2 56 76 da 6e 7b"

($thumbprint).ToUpper().Replace(" ","")

Copy the result to the clipboard. Note: a thumbprint copied from the certificate dialog can begin with an invisible character; leave that first character out.

My thumbprint converted to E9C009F94EF5E992E2FA565D13F5A25676DA6E7B.

4. Open GPMC (Group Policy Management Console). Create a new Policy or edit an existing policy that applies to all computers. E.g., Default Domain Policy.

5. Right click on GPO and select Edit the Policy.

6. Go to User Configuration ==>Policies ==>Administrative Templates ==> Windows Components ==> Remote Desktop Services ==>Remote Desktop Connection Client


7. Double click the setting: Specify SHA1 thumbprints of certificates representing trusted .rdp publishers. Enable this policy. Under Options, paste the converted thumbprint into the text box. Click OK.

8. Double click on the setting: Allow .rdp files from valid publishers and user’s default .rdp settings.

You can close the Group Policy Management Editor and apply the setting to the users. But you can do more. You can specify the servers to which the user’s default credentials can be delegated (default credentials are those that you use when first logging on to Windows). Edit the same GPO as below.

1. Go to Computer Configuration ==> Policies ==> Administrative Templates ==> System ==> Credentials Delegation


2. Double click on Allow delegating default credentials. Click Show button in Options next to “Add servers to the list”.


3. Add your Connection Broker, RDS Gateway and common name FQDN in the following format.

TERMSRV/RDCB.company.com
TERMSRV/RGGW.company.com
TERMSRV/remoteapp.company.com

4. Do the same for Allow delegating saved credentials.

That’s all. Enjoy.
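For step 3 of the thumbprint procedure, a stricter clean-up than ToUpper/Replace removes everything that is not a hex digit, including the invisible character a paste from the certificate dialog can carry, and checks the length before the value goes into the GPO. This is an added example, not part of the original post; the function name is hypothetical and the sample input is the page's example thumbprint with U+200E prepended.

```powershell
# Added example, not from the original post. Function name is hypothetical.
function ConvertTo-PolicyThumbprint {
    param([Parameter(Mandatory)][string]$Raw)

    # Keep hex digits only: drops spaces, colons and invisible characters such as U+200E
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A SHA1 thumbprint is 20 bytes, so anything other than 40 hex digits is a bad paste
    if ($hex.Length -ne 40) {
        throw "A SHA1 thumbprint has 40 hex digits; got $($hex.Length) after cleaning."
    }
    $hex
}

# Constructed input: the page's example value with U+200E in front,
# modelling what a copy from the certificate dialog can look like
$pasted = "$([char]0x200E)e9 c0 09 f9 4e f5 e9 92 e2 fa 56 5d 13 f5 a2 56 76 da 6e 7b"
$clean  = ConvertTo-PolicyThumbprint $pasted
$clean

# For comparison: ToUpper/Replace alone leaves the invisible character in place
$naive = $pasted.ToUpper().Replace(' ', '')
'{0} characters after ToUpper/Replace, {1} after cleaning' -f $naive.Length, $clean.Length

# Alternative that avoids copy and paste: the certificate store already exposes the
# thumbprint in uppercase without spaces (assumes the certificate is in LocalMachine\My
# on the machine where this runs)
Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, NotAfter, Thumbprint
```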