Microsoft KB 187498 describes the registry values that can be used to disable various security protocols. Disabling SSLv2 is as easy as
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /V Enabled /t REG_DWORD /d 0
This does require a reboot to put into affect.
I administer a server VM with a lot of disks, and many of them are the same size. When I need to make changes to the system’s storage, I’m always nervous that I’m going to poke the wrong disk. I could trust that the order of the disks listed in the vSphere client is the same as the order that the guest OS lists (starting at 1 and 0 respectively). But I want a little more assurance.
Using diskpart, you can list the details for individual disks, partitions and volumes, but I wanted a report showing all the disks, the partitions on those disks, and the volumes residing on those partitions. I have reported some of this info previously, using PowerShell’s Get-WMIObject cmdlet to query the Win32_DiskDrive, Win32_Partition, and Win32_Volume classes. I figured there must me a way to correlate instances of these classes.
I found these two blog posts:
They did most of the heavy lifting in building the WQL ASSOCIATOR OF queries. I put together a short script to give me a little more detail. Here’s some sample output:
PS C:\local\scripts> .\Get-DiskInfo.ps1
Disk 0 - SCSI 0:0:2:0 - 45.00 GB
Partition 0 100.00 MB Installable File System
Partition 1 44.90 GB Installable File System
C: [NTFS] 44.90 GB ( 3.46 GB free )
[...]
Disk 5 - SCSI 0:0:2:5 - 39.99 GB
Partition 0 40.00 GB Installable File System
B: [NTFS] 40.00 GB ( 34.54 GB free )
This will make it easier to be sure about the vSphere storage element that corresponds to a particular volume (or, more accurately, the Physical Disk on which the volume resides).
Here’s the actual script:
<#
.SYNOPSIS
Get information about the physical disks and volumes on a system.
.DESCRIPTION
Get details about the physical disks and the volumes located on
those disks, to make it easier to identify corresponding vSphere
storage (VMDKs).
.EXAMPLE
PS C:\> .\Get-DiskInfo.ps1
.NOTES
Author: Geoff Duke <Geoffrey.Duke@uvm.edu>
Based on http://bit.ly/XowLns and http://bit.ly/XeIqFh
#>
Set-PSDebug -Strict
Function Main {
$diskdrives = get-wmiobject Win32_DiskDrive | sort Index
$colSize = @{Name='Size';Expression={Get-HRSize $_.Size}}
foreach ( $disk in $diskdrives ) {
$scsi_details = 'SCSI ' + $disk.SCSIBus + ':' +
$disk.SCSILogicalUnit + ':' +
$disk.SCSIPort + ':' +
$disk.SCSITargetID
write $( 'Disk ' + $disk.Index + ' - ' + $scsi_details +
' - ' + ( Get-HRSize $disk.size) )
$part_query = 'ASSOCIATORS OF {Win32_DiskDrive.DeviceID="' +
$disk.DeviceID.replace('\','\\') +
'"} WHERE AssocClass=Win32_DiskDriveToDiskPartition'
$partitions = @( get-wmiobject -query $part_query |
sort StartingOffset )
foreach ($partition in $partitions) {
$vol_query = 'ASSOCIATORS OF {Win32_DiskPartition.DeviceID="' +
$partition.DeviceID +
'"} WHERE AssocClass=Win32_LogicalDiskToPartition'
$volumes = @(get-wmiobject -query $vol_query)
write $( ' Partition ' + $partition.Index + ' ' +
( Get-HRSize $partition.Size) + ' ' +
$partition.Type
)
foreach ( $volume in $volumes) {
write $( ' ' + $volume.name +
' [' + $volume.FileSystem + '] ' +
( Get-HRSize $volume.Size ) + ' ( ' +
( Get-HRSize $volume.FreeSpace ) + ' free )'
)
} # end foreach vol
} # end foreach part
write ''
} # end foreach disk
}
#--------------------------------------------------------------------
function Get-HRSize {
[CmdletBinding()]
param(
[Parameter(Mandatory=$True, ValueFromPipeline=$True)]
[INT64] $bytes
)
process {
if ( $bytes -gt 1pb ) { "{0:N2} PB" -f ($bytes / 1pb) }
elseif ( $bytes -gt 1tb ) { "{0:N2} TB" -f ($bytes / 1tb) }
elseif ( $bytes -gt 1gb ) { "{0:N2} GB" -f ($bytes / 1gb) }
elseif ( $bytes -gt 1mb ) { "{0:N2} MB" -f ($bytes / 1mb) }
elseif ( $bytes -gt 1kb ) { "{0:N2} KB" -f ($bytes / 1kb) }
else { "{0:N} Bytes" -f $bytes }
}
} # End Function:Get-HRSize
Main
Please let me know if you find this helpful.
It started with an alert from System Center Operations Manager about a failed scheduled task. Of course, the alert references a task name that looks like a SID. Running schtasks /query show a few jobs with a status that warranted inspection. Looking at the Microsoft-Windows-TaskScheduler/Operational log I found that the task “\Microsoft\Windows\CertificateServicesClient\UserTask” is the one the failed and triggered the alert.
I also noted that there were some Group Policy processing errors occurring at about the same time as the task failure, including a problem applying the Group Policy Scheduled Tasks settings. And the failing task starts at user login.
Next, I ran gpresult /h to create a report of the GPOs and settings that applied, and any errors that were generated. The report confirmed that there were failures in applying the Group Policy Files settings and the Group Policy Scheduled Tasks settings.
Some web searching turned up this thread, among others, which pointed me to the Group Policy History files in C:\Users\All Users\Microsoft\Group Policy\History. This directory contained four subdirectories named with the GUIDs for the corresponding GPOs. I was able to find three of the four GPOs by inspecting the details in the GPMC, but I couldn’t find the fourth.
I decided to search more programmatically, and started with an LDAP search with ADFind:
adfind -f "&(objectClass=groupPolicyContainer)(Name={DC257675-89C1-5AA6-5F65-B5D5CFC35E17})"
0 Objects returned
Then, just to be sure, I used the PowerShell GroupPolicy module:
PS Z:\> import-module GroupPolicy
PS Z:\> get-gpo -guid "{DC257675-89C1-5AA6-5F65-B5D5CFC35E17}"
Get-GPO : A GPO with ID {DC257675-89C1-5AA6-5F65-B5D5CFC35E17} was not found in the campus.ad.uvm.edu domain.
So I removed the subdirectory with that name from the GP History directory, and retried gpupdate /force. This time, it completed successfully.
I have been working on a function to convert the output of NET SHARE <sharename> commands into usable PowerShell objects. In the course of my work, I was storing the output of the command in a variable, which I later pass into a parsing function. Curiously, the function I developed iteratively in the console worked fine, but when I dressed it up in my script, it failed:
test-array : Cannot bind argument to parameter 'foo' because it is an empty string.
At line:1 char:12
+ test-array $party
+ ~~~~~~
+ CategoryInfo : InvalidData: (:) [test-array], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,test-array
I had verified that the variable was of type System.Array, and that it had string elements. After banging my head on it for a while, I decided to break out the parameter handling and test it separately. I wrote a quick function to accept and process the elements of a string array:
function test-array {
param( [string[]] $foo )
$i = 0
foreach ( $line in $foo ) {
write "[$i] $line"
$i++
}
}
This video of a presentation by Scott Chacon has helped me start to get my head around Git.
I’ve started experimenting with Git in my current PowerShell project, and I’m going to watch it again, now that I’ve got a little bit of actual expeience.
I’m working on some storage issues with our file services, and DFS Namespace services may the the best solution. But I will need to be able to keep the permissions on the DFS folders with targets in sync with the permissions on the target folders. I’m hoping that the new DFS-N PowerShell commands will facilitate this process. However, on my Server 2012 test system, I can’t get the help content to download for the DFSN-related cmdlets.
I did find this gem in the PowerShell Tips of the Week archive:
Windows PowerShell Tip: Working With Security Descriptors
Good stuff.
For the past eight month, I’ve been working with EMC and Microsoft to diagnose a problem. Several time a month, during the backup of our primary Windows 2008 R2 file server, all the VSS shadow copies get deleted for the volume containing all our shared departmental directories.
This has two major effects. First, it means that our clients no longer can recover files using the Previous Versions feature of Windows. Second, it casts significant doubt on the validity of the backups performed at that time, which EMC NetWorker reports as having completed successfully.
We have been unable to find a technical solution to the shadow copy loss, so we will be reconfiguring our storage and shared directories to accommodate the limitations of NetWorker. In the meantime, I want to note a few of resources that have been helpful in diagnosing problems with VSS (it will be easier to find them here than in my pile o’ email):
Volume Shadow Copy Service (TechNet)
Volume Shadow Copy Service (MSDN)
Recently, I wanted to provide a client with a list of groups that related to some work he was doing. I wanted the group names as well as their location with AD. Although I often use the ds* commands or excellent ADfind tool for this type of task, I had been working in PowerShell on another project, so I decided to use the PowerShell ActiveDirectory module.
The Get-ADGroup Cmdlet pulled out the groups easily enough, but the there wasn’t a property representing the group object’s parent, nor is there an LDAP property that I could request (AFAIK). The object’s parent is contained within the DistinguishedName (DN) property, though.
For a group with the following DN:
CN=FOO-FileServices Administrators,OU=FOO,OU=Departments,DC=uvm,...
I just need to strip off the CN. I could split the DN on commas, remove the first element, and then reassemble what’s left to get the parent. I also needed to avoid splitting on an LDAP-escaped comma where a value actually contains a comma (e.g., CN=).
PS> $dn -split '(?<![\\]),'
In my discussion and demo at the IT-Discuss Live – Security event in May, I used a short slide deck to describe—in broad terms—how PGP Whole Disk Encryption works. This laid the foundation for working through some common-ish support scenarios.
Having received several requests for a copy of the slides, here they are, in both PowerPoint (.pptx) and PDF formats.
I really like the newer event log model on Windows 2008 family, and the flexibility of the XML events and the queries that makes possible.
Recently, I started noticing a quiet failure of a scheduled task. The Task Scheduler thinks that the task completed successfully, though the executable called by the task action returned an error code of 3:
Task Scheduler successfully completed task “\ShareVol_Sync” , instance “{92ac3257-f52d-47eb-9a3a-ce02c5196bbd}” , action “diskshadow.exe” with return code 3.
I wanted to see how long this have been going on, so I switched from the Task Scheduler console to Eventlog Viewer, and navigated to the Operational log under “Applications and Services Logs”- Microsoft – Windows – TaskScheduler.
I started by using the using the Filter Current log dialog to select events with Event ID 201, but this included all “Action completed” events for all tasks. So I looked at the XML view for one of the events for the task I was researching. The event includes a data value named “ActionName” with the value “diskshadow.exe” that should allow me to find all the relevant events.
Next, I needed to refine my filter to look for this value in the events. I opened the Filter Current log dialog again, and switched to the XML tab, then checked the Edit query manually option. You get a scary warning about not being able to use the GUI again, but that only applies to the current filter. Be bold: click OK.
Next, I edited the query, following examples from this excellent Ask the Directory Services Team blog post. The query is junk the between the select tags. Originally, the query was simply:
*[System[(EventID=201)]]
To that, I added the following:
and
*[EventData[Data[@Name='ActionName'] and (Data=’diskshadow.exe’)]]
So that the whole query looks like this:
<QueryList>
<Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
<Select Path="Microsoft-Windows-TaskScheduler/Operational">
*[System[(EventID=201)]]
and
*[EventData[Data[@Name='ActionName'] and (Data='diskshadow.exe')]]
</Select>
</Query>
</QueryList>
Now event viewer shows me only the “Action Completed” events for the diskshadow.exe command, and I can see exactly when the behavior changed.
Note that you can save use the query XML with PowerShell’s Get-WinEvent commandlet’s -filterXML parameter [See an example]. You can also use the Save Filter to Custom View option to make this view persistent.
I routinely review Windows’ Event logs during diagnostics and troubleshooting. I find the ability to query those logs for specific data is an indispensable technique. No more dumping to CSV and running findstr! I hope you find it helpful, too.