Categories
Fixes for Windows

Automatic Logon on Domain Computers

Warning

Of all the bad advice on this site, this might be the worst yet.

If you still decide to proceed, make sure you're setting this up on a computer that is not running Remote Desktop (either the built-in service or a third party's like TeamViewer) and not running remote access services like a VPN server, proxy server, router, NAT, DirectAccess, etc. Make sure remote management tools such as RSAT, Windows Admin Center, WinRM and Remote Registry are either turned off, firewalled off or both. If possible, use an ultra-low-privileged domain account. If you're accessing the computer over vSphere's virtual console, make sure the VM is set to lock when disconnected from the virtual console. The reason for all of this: the password ends up in a registry key that every local user can read, so anyone who gets any kind of session on that machine gets that domain account.

If you have a better method to set this up, please share.

Sometimes you need to run apps that are a pain to set up as Windows Services, and even when you manage it they're not quite right. You might also need to mount network shares as a specific domain user, so local accounts are just not an option.

Setting up automatic login on a domain-joined computer is not as easy as Win+R, control userpasswords2; the only solution I've found so far is to set the credentials directly in the Windows Registry, where they are unencrypted and easily retrievable through a multitude of methods.

You might also be able to set up auto-logon if you have a Microsoft System Center deployment in the network. It seems extremely inefficient to go through the trouble of setting up a configuration policy for this, though.

You need four registry entries to set up automatic login on a domain-joined computer; the same four are used for local accounts, with the computer name as the domain.

The values go in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Name               Type                    Data
AutoAdminLogon     REG_SZ (String Value)   1
DefaultDomainName  REG_SZ (String Value)   <domain> (FQDN or NetBIOS short name)
DefaultUserName    REG_SZ (String Value)   <username>
DefaultPassword    REG_SZ (String Value)   <password>
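The same four values set from PowerShell, as an added example that is not part of the original post. It prompts for the account so the password never sits in your command history, writes the four Winlogon values, clears any leftover AutoLogonCount (Winlogon turns auto-logon off again once that counter hits zero), and then prints who has read access to the key so the exposure is visible before you walk away. The account and domain are whatever you type at the prompt; nothing else is assumed. If you can live with a slightly better-hidden secret, the Sysinternals Autologon tool writes the password as an LSA secret instead of a cleartext REG_SZ; that keeps plain users from reading it, but anyone who is already local admin can still recover it.

```powershell
# Added example, not from the original post. Configures Winlogon auto-logon for a
# domain account. WARNING: DefaultPassword is stored in cleartext and the Winlogon
# key is readable by every local user; see the warning at the top of the post.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Prompt instead of putting the password on the command line (it would land in history).
$cred = Get-Credential -Message 'Account to auto-logon (DOMAIN\user or user@domain)'

# Accept either DOMAIN\user or user@domain and split it into the two Winlogon values.
if ($cred.UserName -match '^(?<d>[^\\]+)\\(?<u>.+)$') {
    $domain, $user = $Matches.d, $Matches.u
} elseif ($cred.UserName -match '^(?<u>[^@]+)@(?<d>.+)$') {
    $domain, $user = $Matches.d, $Matches.u
} else {
    throw 'Enter the account as DOMAIN\user or user@domain'
}

Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'     -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $domain -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $user   -Type String
Set-ItemProperty -Path $Winlogon -Name DefaultPassword `
    -Value $cred.GetNetworkCredential().Password -Type String

# A leftover AutoLogonCount from an earlier attempt would disable auto-logon again
# after that many logons, so remove it.
Remove-ItemProperty -Path $Winlogon -Name AutoLogonCount -ErrorAction SilentlyContinue

# Read back what was written (password omitted on purpose) ...
Get-ItemProperty -Path $Winlogon | Select-Object AutoAdminLogon, DefaultDomainName, DefaultUserName

# ... and show every principal that can read the key, i.e. everyone who can now
# recover the password. Expect BUILTIN\Users to be in this list.
(Get-Acl -Path $Winlogon).Access |
    Where-Object { $_.RegistryRights -match 'Read|FullControl' } |
    Select-Object IdentityReference, RegistryRights
```

Run it from an Administrative PowerShell; the last command is the part worth looking at, because it tells you exactly who on that machine can read the domain account's password.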

Fix Server Manager data retrieval failures (WS-Management Envelope Size)

tl;dr

In an Administrative PowerShell, one line: Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 8192

Sometimes in Server Manager you’ll get an error where you can’t get information from other servers.

Manageability: Online – Data retrieval failures occurred

When you click to get more information about the error you get:

servername : Configuration refresh failed with the following error: The WS-Management server cannot process the request. The computed response packet size (519883) exceeds the maximum envelope size that is allowed (512000).

A well-adjusted person would think something is wrong with the remote server (servername in the example above), and it'd be understandable if you went straight to the remote server looking for the problem. "The something exceeds something else" clearly has an accusatory tone to it: the envelope must be sent smaller so it doesn't exceed whatever it's exceeding. It makes sense.

But this is Microsoft software, nothing makes sense. Nothing is straightforward.

Before you go and screw up your remote server, open an Administrative PowerShell on the local server (the one running Server Manager) and execute Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 8192

It behaves like Bash, meaning: if it didn't return any crap, it went through correctly. Refresh Server Manager; information should be pulled correctly now.

Most of the time I use PowerShell because it can also run standard Command Prompt commands. Sometimes an elevated session (Administrator-level user, administrative) isn't even needed, but if it isn't needed it can't hurt, so I go with that.

When Microsoft decided to distract people with PowerShell instead of making a good GUI, they gave the old commands new names and added aliases under the old names, plus aliases matching what the equivalent command would be in Bash.

For instance, move is now Move-Item, or mv as in Bash. dir is now Get-ChildItem, or ls as in Bash.

The envelope fix didn't get a PowerShell-only treatment, though; if you'd rather use a Command Prompt window (cmd.exe), run the following:

To get the current envelope size: winrm get winrm/config. You'll get a lot of data, so make your window taller or scroll up; MaxEnvelopeSizekb is the very first value in the Config section.

To set a working value: winrm set winrm/config @{MaxEnvelopeSizekb="8192"}
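A slightly more careful version of the one-liner, as an added example that is not part of the original post: it reads the current limit, raises it only if it is actually too small for the response size quoted in the error (519883 bytes in the message above; 8192 KB is the post's recommended target), and reads it back so you know the change took. The only assumption is that WinRM counts a KB as 1024 bytes, which is what the error text shows: the default of 500 KB appears as 512000.

```powershell
# Added example, not from the original post. Raise the local WinRM envelope limit
# only when it is below what the failing Server Manager refresh needs, then verify.
function Set-WinRmEnvelopeSize {
    param(
        [int]$NeededBytes = 519883,   # the "computed response packet size" from the error
        [int]$TargetKb    = 8192      # the value the post recommends
    )
    $path = 'WSMan:\localhost\MaxEnvelopeSizeKb'

    # Items in the WSMan: drive expose the setting as a string in .Value
    $before = [int](Get-Item -Path $path).Value

    # 500 KB default shows up as 512000 bytes in the error, so 1 KB = 1024 bytes here.
    if ($before * 1024 -ge $NeededBytes) {
        return "MaxEnvelopeSizeKb is already $before KB, enough for $NeededBytes bytes; nothing to do."
    }

    Set-Item -Path $path -Value $TargetKb
    $after = [int](Get-Item -Path $path).Value
    if ($after -ne $TargetKb) { throw "Set-Item returned but the value is $after KB, not $TargetKb KB" }
    return "MaxEnvelopeSizeKb raised from $before KB to $after KB."
}

# Local machine (the one running Server Manager) is the one that matters here.
Set-WinRmEnvelopeSize

# If a remote server's own WinRM ever complains the same way, the same function can be
# pushed to it over WinRM; 'servername' is the placeholder from the error above.
# Invoke-Command -ComputerName servername -ScriptBlock ${function:Set-WinRmEnvelopeSize}
```

Run it in an Administrative PowerShell; like the original one-liner, it needs no WinRM service restart.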


Change the default Organizational Unit where machine accounts drop

This is an easy one.

If you want to change your directory's default location for newly-joined machine accounts (the ones that don't specify an OU when they join), it's a single command.

As is the norm with these tasks, launch an Administrative PowerShell and run redircmp OU=Devices,OU=MyDomain,DC=example,DC=tld. If there are spaces in the distinguished name, wrap it in quotes, e.g. redircmp "OU=Awaiting Placement,OU=My Domain,DC=example,DC=tld". Windows is very forgiving with whitespace, but it's best to be sure; Microsoft is not known for consistency. The target OU has to exist already, and you need Domain Admin rights to run the command. Remember that whatever GPOs are linked to the new OU now apply to every machine that joins without an explicit OU, so pick one with a restrictive policy rather than an empty one.

Remember, Domain Controllers go into their own OU (Domain Controllers) and are not affected by this; ignore them as much as you can. If you change several things at once, force replication (repadmin /syncall) so every DC sees the new default.
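The whole procedure in one script, as an added example that is not part of the original post: create the target OU if it is missing (redircmp refuses to point at a non-existent OU), redirect, then verify by asking the domain where its default computers container now is. It assumes the ActiveDirectory RSAT module is installed and that you are running as a Domain Admin; the OU path is the post's placeholder and the simple comma split on the DN assumes the OU names contain no escaped commas.

```powershell
# Added example, not from the original post. Redirects the default computers
# container and verifies it; requires the ActiveDirectory module and Domain Admin.
Import-Module ActiveDirectory

function Set-DefaultComputersContainer {
    param([string]$TargetOU = 'OU=Awaiting Placement,OU=My Domain,DC=example,DC=tld')

    # redircmp fails if the OU does not exist, so create it first.
    if (-not [adsi]::Exists("LDAP://$TargetOU")) {
        # 'OU=Awaiting Placement' / 'OU=My Domain,DC=example,DC=tld' (no escaped commas assumed)
        $leaf, $parent = $TargetOU -split ',', 2
        New-ADOrganizationalUnit -Name ($leaf -replace '^OU=', '') -Path $parent `
            -ProtectedFromAccidentalDeletion $true
    }

    # redircmp is an external command; quoting protects the spaces in the DN.
    redircmp "$TargetOU" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }

    # Verify: the domain's well-known computers container should now be the new OU.
    $current = (Get-ADDomain).ComputersContainer
    if ($current -ne $TargetOU) { throw "Expected $TargetOU but the directory reports $current" }

    # Push the change to the other DCs instead of waiting for the replication interval.
    repadmin /syncall /AdeP | Out-Null
    return $current
}

Set-DefaultComputersContainer
```

The return value is the container the directory actually reports, which is the thing to check rather than trusting that redircmp printed nothing.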


Repair computer’s relationship with domain

Sometimes you go on a cleanse and decide it's fine to move computers around in your directory, or perhaps forget to disconnect the network from a VM clone, causing a conflict in the directory.

Power loss, a wrong clock, machine resets and computer-account password resets are a few of the other things that can break a computer's relationship with the domain.

Forcing the machine to leave the broken relationship and rejoin the domain will fix this, but it may also cause data loss, for instance from the lingering files of a roaming user profile.

This is also not an option if the machine happens to be an Enterprise Certificate Authority: a CA cannot be unjoined from AD while it holds the role.

To test whether a machine has a valid relationship with the domain, launch an Administrative PowerShell and run Test-ComputerSecureChannel; you'll get True or False right away.

If it's False, fix it with Test-ComputerSecureChannel -Repair -Credential user@example.tld, where the argument is the UPN (or DOMAIN\user) of an account allowed to reset this computer's account password.

BTW, it’s fine if you try to repair where it’s not broken.

If you run this on a domain controller, you’ll get a huge error.

You'll need an account that can reset this computer object's password in AD: Domain Admins and Enterprise Admins can, and you'll be fine with one of those, but the Reset Password permission can also be delegated on the OU, and that is less privilege to type into a machine whose domain trust is currently broken.

A window will pop up to enter the account's password, with the user account prepopulated. Despite the apparent redundancy, -Credential is how you pass a different account; when the trust is broken, the account you're logged on with usually can't authenticate to the domain anyway.
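The test-then-repair flow wrapped in a function, as an added example that is not part of the original post. It refuses to run on a domain controller (the "huge error" case above), repairs only when the channel is actually broken, prompts for the password rather than taking it on the command line, and re-tests afterwards so the return value is the real state. The UPN is a placeholder; use an account that can reset this computer's AD password.

```powershell
# Added example, not from the original post. Checks the secure channel, repairs it
# only if broken, and refuses to run on a DC. The UPN below is a placeholder.
function Repair-DomainTrust {
    param([string]$Account = 'user@example.tld')

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # Test-ComputerSecureChannel is for members, not for domain controllers.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) { throw 'This is a domain controller; do not run the repair here.' }

    # Repairing a healthy channel is harmless, but there is no reason to type a
    # privileged password into the box if nothing is wrong.
    if (Test-ComputerSecureChannel) {
        return 'Secure channel OK, nothing to repair.'
    }

    # Prompt for the password; the account name is prepopulated exactly like the
    # one-liner in the post, and nothing secret lands in the command history.
    $cred = Get-Credential -UserName $Account -Message 'Account allowed to reset this computer account'

    # -Repair resets the computer account password in AD and re-establishes the channel.
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred
    if (-not $repaired) {
        throw 'Repair failed: check DNS, the clock, and that the computer object still exists in AD.'
    }

    # Re-test so the caller sees the actual state rather than the repair's own verdict.
    return "Repaired; secure channel test now returns $(Test-ComputerSecureChannel)"
}

Repair-DomainTrust
```

Run it in an Administrative PowerShell on the member machine. If you'd rather pin the repair to a specific DC (for instance while replication is lagging), Test-ComputerSecureChannel also accepts -Server followed by a DC name.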


Install Telnet (client) on Windows

Back when my mind was becoming slightly untethered trying to route email directly from my server, I came across one email relay that was willing to forward my email from their servers for free, but I had to guarantee things were in working order; which is completely fair, of course.

That was when I learned that a Telnet client, besides its outdated SSH-like functions, also works for checking open SMTP ports. Telnet, though not immediately obvious, still comes with Windows.

Windows Server

In the Server family, it's available as one of Windows' Features. To install it, use Server Manager and add the feature to the server you want.

The faster way is an Administrative PowerShell window; execute Install-WindowsFeature -Name Telnet-Client

Non-Server Windows

Yep… With each passing moment Microsoft and Apple lock things down more and make it harder for you to find the settings that might reduce telemetry or allow you to install things they don't get a cut of because the purchase wasn't made through their stores, for your security.
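On client editions (Windows 10/11) the Telnet client is an optional feature rather than a server feature, so Install-WindowsFeature isn't available there. The script below, an added example that is not part of the original post, picks the right install command for the edition it is running on and then does the SMTP check the post describes, first the modern way with Test-NetConnection (no telnet needed) and then with telnet for the banner. The mail host name is a placeholder.

```powershell
# Added example, not from the original post. Installs the Telnet client on either
# edition, then checks whether an SMTP port is reachable. Run elevated.
function Install-TelnetClient {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server.
    $isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
    if ($isServer) {
        Install-WindowsFeature -Name Telnet-Client
    } else {
        # Client editions ship it as an optional feature under a different name.
        Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart
    }
}

function Test-SmtpPort {
    param(
        [string]$Server = 'mail.example.tld',   # placeholder host
        [int]$Port = 25
    )
    # The "is the port open" half of the telnet trick, without telnet. Returns $true/$false.
    $result = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    return $result.TcpTestSucceeded
}

Install-TelnetClient
if (Test-SmtpPort) {
    # For the banner itself, telnet is still the quickest look: a working SMTP server
    # answers with a line starting "220". Type QUIT to leave the session.
    telnet mail.example.tld 25
} else {
    'Port 25 on mail.example.tld is not reachable from here.'
}
```

Test-NetConnection tells you whether the TCP handshake completes; the telnet session tells you whether what answered is actually talking SMTP, which is the part the relay operator in the story cared about.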


Fixes for Windows

When I say Windows, I really mean anything made by Microsoft. If you're deploying or using a product made by Microsoft and the magical migration doesn't go as planned (even purchasing is a nightmare, and they sell to you directly), don't be too hard on yourself. Microsoft's products never work as advertised; they're sort of geniuses at that, actually. If only they'd applied their smarts to doing something half-assedlessly. You probably wouldn't be here, I guess.

A recurring thought of mine for years has been that Microsoft never disappoints at disappointing.

Fix Macs’ scrolling in Windows

Useful for those times you wipe macOS on a whim and remember the Boot Camp drivers too late, when you try to scroll down Windows' EULA and it goes the other way.

Open an Administrative PowerShell and run:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Enum\HID\*\*\Device` Parameters FlipFlopWheel -EA 0 | ForEach-Object { Set-ItemProperty $_.PSPath FlipFlopWheel 1 }

I have witnessed some weird behavior here if you don't restart the system immediately. Either do what you need to do and then execute the command, or execute the command, restart, and continue what you were doing after the restart. From PowerShell you can run Restart-Computer -Force to more or less guarantee the system won't hiccup restarting. Though this is Windows: no guarantees. Restart-Computer without -Force does a normal restart.