Tag Archives: administration

Updating firewall rules with netsh

I needed to adjust the scope of a built-in firewall rule in a couple of servers, restricting the remote IPs to a list of UVM subnets in CIDR notation. The netsh documentation describes the syntax for a list as comma-separated values (no spaces). But I kept getting errors with the command:

netsh advfirewall firewall set rule name="Windows Internet Naming Service (WINS) (NB-Name-UDP-In)" remoteip="10.10.0.0/16,10.11.0.0/16,10.12.0.0/16"

Finally, I actually read the error message:

For ‘set’ commands, the ‘new’ keyword must be present and must not be the last argument provided.

And the related part of the usage text:

Values after the new keyword are updated in the rule.  If there are no values, or keyword new is missing, no changes are made.

One little three-letter keyword was all I needed:

netsh advfirewall firewall set rule name="Windows Internet Naming Service (WINS) (NB-Name-UDP-In)" new remoteip="10.100.0.0/16,10.101.0.0/16,10.102.0.0/16"

/sigh

Who’s logged into Server 2012?

I’m severely disappointed that Microsoft has removed from Server 2012 the tools required for managing and configuring Remote Desktop for Administration. On previous server editions, I’ve used the Remote Desktop Services Manager to troubleshoot colleagues and delegated administrators’ access issues. We’ve also had situations where the SSL certificate used to identify the server and to encrypt traffic has expired and needed some intervention.

Some discussion on Mark Minasi’s support forum indicates that some of this functionality is returning in Server 2012 R2. In the meantime, and until all our servers get upgraded, I’ll be using a combination of the Task Manager (which shows user sessions),

Displaying user logon sessions in Server 2012 Task manager

Displaying user logon sessions in Server 2012 Task manager

and Process Explorer, which can show the username and start time for process.

Geoff

July 2, 2013

Wondering about the physical memory configuration of a system?

PS> gwmi Win32_PhysicalMemory | ft DeviceLocator,@{l='Size (GB)';e={$_.Capacity / 1GB} } -a

Adding VMware Tools to WinPE 4.0

I’m trying to augment the Bare Metal Recovery boot image provided by EMC as part of the NetWorker Client to support recovery in our VMware vSphere environment. The BMR .ISOs include a sources\boot.wim file that I should be able to modify.

I started with these somewhat date instructions in the VMware knowledgebase. I copied the contents of the .ISO file to a temporary directory on my PE Build system (Windows 8 guest). Using the Windows ADK, I mounted the sources\boot.wim file.

C:\Temp>dism /mount-image /imagefile:c:\temp\NW-MBR-ISO\sources\boot.wim /index:1 /mountdir:c:\temp\mount

I downloaded the latest VMware Tools, then used the /A switch (administrative install) on the setup file to extract the contents to a local folder. The driver files are contained within Program Files\VMware\VMware Tools\VMware\Drivers. I copied that directory to my working location, then added the drivers to the WIM files.

dism /image:c:\temp\mount /add-driver /driver:c:\temp\drivers /recurse

DISM reported success, so I committed the changes and umounted the WIM file.

dism /unmount-image /mountdir:c:\temp\mount /commit

The files I copied off of the EMC-provided ISO were not sufficient to create a new bootable image. So I used the CopyPE command to create a new base image, which included a file source for the PE image as well as the appropriate boot sector files. Since the image source files were identical to the file in the EMC disk image (because this is how they created the image), I just copied my customized boot.wim over the default boot.wim. Then I was able to use the makewinpemedia command to create a new .ISO image.

I’ve been able to boot the image, and it loaded the VMXNET3 like a champ. We’ll see how the Bare Metal Recover process goes. Thankfully, this is a test and not a crisis.

Renewing Tomcat SSL certificates

Following Greg’s advice, as well as the Tomcat docs here are the steps I’ve performed to update the SSL certificates used by two Tomcat instances:

  1. Backup the existing keystore file, just in case..
  2. Generate a new certificate, with new alias
    E:\Tomcat\conf> %java_home%\bin\keytool -genkey -keystore mytomcatserver.keystore -storepass ############ -alias tomcat2013 -keyalg RSA -keysize 2048  -dname "CN=mytomcatserver.uvm.edu, OU=Enterprise Technology Services, O=University of Vermont, L=Burlington, ST=VT, C=US" -validity 730
  3. Create a certificate signing request for that cert
    E:\Tomcat\conf> %java_home%\bin\keytool -certreq -keystore mytomcatserver.keystore -storepass ############ -keyalg RSA -alias tomcat2013 -file mytomcatserver.csr
  4. process the CSR with our CA

Now, there are two options for importing the certificate, and I’m not sure if there are implications for the difference:

  1. Import the rootCA cert first, then the intermediate CA, then the actual server
  2. Import the three certificates together as a chained cert. The order of the certificates in the certificate file appears significant; our signing authority provides the chained cert with the RootCA first, which hides the other certs from the Windows cert viewer, among other things.

To import the chained cert (ordered with the host cert, interm. cert, then rootCA cert):

E:\Tomcat\conf> %java_home%\bin\keytool -import -keystore mytomcatserver.keystore -storepass ############ -alias tomcat2013 -file mytomcatserver_uvm_edu.cer -trustcacerts

Now, we need to update the tomcat server.xml so that the keyalias attribute references our new certificate’s alias. Then, when the tomcat process is cycled, it should use the new cert.

Scripting printer permissions

I will probably need to refer to this myself, but maybe someone else will find this useful.

Still working through some print queue management tasks, I needed to change permissions on a collection of printers. Yesterday, I broke down and did a bunch of repetitive work in the GUI, and noticed there were some inconsistencies in the permissions applied to a clients print queues. Today, I decided that I would fix them, but I didn’t want to use the GUI.

Although the Server 2012 Printer Management Set-Printer cmdlet can change the permissions through its -PermissionSDDL parameter, I haven’t found a workable (even if you call SDDL workable) way to do so on a Server 2008 system.

So I fell back to using PowerShell with Helge Klein’s SetACL command-line tool. I could also have used his COM version if I wanted to be really efficient. I use an array of arguments to the external command. See this Scripting Guy post for more info on calling external commands.

Here’s what I did:

# Retrieve a list of target printers
PS C:> $rlprinters = gwmi Win32_Printer -filter "Name like 'RL -%' OR Name like 'RL-%' "

# Construct a list of printer names in \\[hostname]\[sharename] format
PS C:> $printers = $rlprinters | % { '\\' + $_.SystemName + '\' + $_.ShareName }

# Create some variables to make the command construction simpler
PS C:> $setacl = 'C:\local\bin\SetACL.exe'
PS C:> $group = 'DOMAIN\RL-PrinterGroup'

# Iterate through the list of printers, calling SetACL for each
PS C:> foreach ( $p in $printers ) {
>> & $setacl '-on', $p , '-ot', 'prn', '-actn', 'ace','-ace',"n:$group;p:full"
}

It worked like a champ.

Note that I needed to run an elevated PowerShell session (run as Administrator) to be able to make the changes. Also, I tested this on a single printer before attempting to make bulk changes. I also have a nightly dump of my printer configuration. You get the idea.

You can include multiple actions for each invocation of SetACL, and there are a number of ways to collect output in case you need to follow-up on problems when applying changes to large collections of printers. Hopefully, this is enough to get you started,

Printer management with PowerShell

I find the printer management scripts included with Server 2008 bothersome. However, until we get to Server 2012, with its shiny new printer management cmdlets, I’ll keep trying to make do with what we have.

I was pleased to find an old post on the Printing Team’s blog about using the .Net System.Printing namespace with PowerShell to automate things. Some brief experimenting looks promising.

For the moment, in order to switch the printer driver version on about fifteen printers (all the same model), I used PowerShell and WMI, like this:

PS C:\> $printers = Get-WmiObject Win32_Printer -filter "Name like 'RL -%'"
PS C:\> $printers | sort Name | ft Name, DriverName -a
PS C:\> $printers | Where DriverName -eq 'HP Universal Printing PCL 6 (v5.3)' | % {
>> $_.DriverName = 'HP Universal Printing PCL 6 (v5.6.1)'
>> $_.Put()
>> }

This took quite a while to execute, but did work. What I need to do now is modify the permissions on each printQueue. I doubt I can leverage Get-ACL and Set-ACL for this.

Printer drivers and architectures with PowerShell

We have a number of 32-bit Windows 2008 print servers that we want to migrate to Windows Server 2012, for the printer management PowerShell cmdlets, among other things. I found a helpful blog post about using the PRINTBRM utility to migrate print queues, which mentions that you need to have both 32-bit and 64-bit drivers versions of all the drivers in order to migrate from a 32-bit to a 64-bit OS instance.

I wrote a little script to quickly show me which print drivers need a 64-bit version installed. It can take a moment to run if you have many printers configured.

UPDATE: I made a couple changes, most notably that the count of printers using a driver is now optional (since it can take a while on a system with lots of printers).

<#
.SYNOPSIS
Lists printer drivers,  whether 32- and 64-bit versions are installed,
and how many printers are using each driver.


.PARAMETER Printers
Includes a counter of the printers using each printer driver. On a system
with many installed printers, this can take a a little time, so this 
functionality is optional.


.EXAMPLE
PS C:\local\scripts> .\Get-PrinterDriverArchitecture.ps1 | format-table -auto

Name                                       x86   x64
----                                       ---   ---
Brother HL-5250DN                         True False
Epson LQ-570+ ESC/P 2                     True False
HP Business Inkjet 2230/2280              True False
HP Business Inkjet 2250 (PCL5C)           True  True
HP Business Inkjet 2800 PCL 5             True False

This command lists the installed printer drivers, and whether 32-bit (x86)
or 64-bit (x64) drivers are available.


.EXAMPLE
PS C:\local\scripts> .\Get-PrinterDriverArchitecture.ps1 | where x64 -eq $false | ft -a

Name                                      x86   x64
----                                      ---   ---
Brother HL-5250DN                        True False
Epson LQ-570+ ESC/P 2                    True False
HP Business Inkjet 2230/2280             True False
HP Business Inkjet 2800 PCL 5            True False

This command uses the Where[-Object] cmdlet to filter out those drivers that
have a 64-bit driver installed.


.EXAMPLE
PS C:\local\scripts> .\Get-PrinterDriverArchitecture.ps1 -Printers | ft -a
Enumerating printers:
    WID - Kyocera TASKalfa 3050ci KX
    WC - Kyocera TASKalfa 300ci KX
    UFS - Canon iR-ADV C5035
    ...

Name                                       x86   x64 Printers
----                                       ---   --- --------
Brother HL-5250DN                         True False        5
Epson LQ-570+ ESC/P 2                     True False        0
HP Business Inkjet 2230/2280              True False        1
HP Business Inkjet 2250 (PCL5C)           True  True        0
HP Business Inkjet 2800 PCL 5             True False        1

This command includes the -Printers switch parameter to add a count of
the printers using each driver. Enumerating the printers can take a while
if there are lots of them installed, so this behavior is optional.


.NOTES
 - Author    : Geoffrey.Duke@uvm.edu
 - Mod. Date : May 28, 2013
#>

param( [switch] $printers )

$wmi_drivers = get-wmiobject Win32_PrinterDriver -Property Name
$drivers = @{}
foreach ($driver in $wmi_drivers) {
    # Isolate the driver name and platform
    $name,$null,$platform = $driver.Name -split ','

    if ( -not $drivers[$name] ) {
        switch ( $platform ) {
            'Windows NT x86' { $drivers[$name] = [ordered]@{ 
                                 'Name'=$name; 'x86'=$true; 'x64'=$false }; break }
            'Windows x64'    { $drivers[$name] = [ordered]@{ 
                                 'Name'=$name; 'x86'=$false; 'x64'=$true }; break }
             default         { write-warning "Unexpect platform $platform on driver $name"}
        }
    }
    else {
        switch ( $platform ) {
            'Windows x64'    { $drivers[$name]['x64'] = $true; break }
            'Windows NT x86' { $drivers[$name]['x86'] = $true; break }
             default         { write-warning "Unexpect platform $platform on driver $name"}
        }
    }
}

if ( $printers ) {
    # Initialize all printer counts
    $drivers.keys | foreach { $drivers[$_]['Printers'] = 0 }
    # Add a count of the number of printers using each driver
    # With some progress info
    write-host 'Enumerating printers:'
    $count = 0
    get-wmiobject Win32_Printer -Property Name,DriverName | foreach { 
        write-host "    $($_.Name)"  -foreground darkgray
        $drivers[$_.DriverName]['Printers']++ 
        $count++
    }

    write-host "Retrieved $count printers"
}

# Output collection of objects
$drivers.keys | sort | foreach { New-Object PSObject -Property $drivers[$_] } 
 

I hope this is useful to others.

Which Disk is that volume on?

I administer a server VM with a lot of disks, and many of them are the same size. When I need to make changes to the system’s storage, I’m always nervous that I’m going to poke the wrong disk. I could trust that the order of the disks listed in the vSphere client is the same as the order that the guest OS lists (starting at 1 and 0 respectively). But I want a little more assurance.

Using diskpart, you can list the details for individual disks, partitions and volumes, but I wanted a report showing all the disks, the partitions on those disks, and the volumes residing on those partitions. I have reported some of this info previously, using PowerShell’s Get-WMIObject cmdlet to query the Win32_DiskDrive, Win32_Partition, and Win32_Volume classes. I figured there must me a way to correlate instances of these classes.

I found these two blog posts:

They did most of the heavy lifting in building the WQL ASSOCIATOR OF queries. I put together a short script to give me a little more detail. Here’s some sample output:

PS C:\local\scripts> .\Get-DiskInfo.ps1
Disk 0 - SCSI 0:0:2:0 - 45.00 GB
    Partition 0  100.00 MB  Installable File System
    Partition 1  44.90 GB  Installable File System
        C: [NTFS] 44.90 GB ( 3.46 GB free )
[...]
Disk 5 - SCSI 0:0:2:5 - 39.99 GB
    Partition 0  40.00 GB  Installable File System
        B: [NTFS] 40.00 GB ( 34.54 GB free )

This will make it easier to be sure about the vSphere storage element that corresponds to a particular volume (or, more accurately, the Physical Disk on which the volume resides).

Here’s the actual script:

<#
.SYNOPSIS
Get information about the physical disks and volumes on a system.

.DESCRIPTION
Get details about the physical disks and the volumes located on
those disks, to make it easier to identify corresponding vSphere
storage (VMDKs).

.EXAMPLE

PS C:\> .\Get-DiskInfo.ps1

.NOTES
    Author: Geoff Duke <Geoffrey.Duke@uvm.edu>
    Based on http://bit.ly/XowLns and http://bit.ly/XeIqFh
#>

Set-PSDebug -Strict

Function Main {

    $diskdrives = get-wmiobject Win32_DiskDrive | sort Index

    $colSize = @{Name='Size';Expression={Get-HRSize $_.Size}}

    foreach ( $disk in $diskdrives ) {

        $scsi_details = 'SCSI ' + $disk.SCSIBus         + ':' +
                                  $disk.SCSILogicalUnit + ':' +
                                  $disk.SCSIPort        + ':' +
                                  $disk.SCSITargetID
        write $( 'Disk ' + $disk.Index + ' - ' + $scsi_details +
                 ' - ' + ( Get-HRSize $disk.size) )

        $part_query = 'ASSOCIATORS OF {Win32_DiskDrive.DeviceID="' +
                      $disk.DeviceID.replace('\','\\') +
                      '"} WHERE AssocClass=Win32_DiskDriveToDiskPartition'

        $partitions = @( get-wmiobject -query $part_query | 
                         sort StartingOffset )
        foreach ($partition in $partitions) {

            $vol_query = 'ASSOCIATORS OF {Win32_DiskPartition.DeviceID="' +
                         $partition.DeviceID +
                         '"} WHERE AssocClass=Win32_LogicalDiskToPartition'
            $volumes   = @(get-wmiobject -query $vol_query)

            write $( '    Partition ' + $partition.Index + '  ' +
                     ( Get-HRSize $partition.Size) + '  ' +
                     $partition.Type
                   )

            foreach ( $volume in $volumes) {
                write $( '        ' + $volume.name + 
                         ' [' + $volume.FileSystem + '] ' + 
                         ( Get-HRSize $volume.Size ) + ' ( ' +
                         ( Get-HRSize $volume.FreeSpace ) + ' free )'
                       )

            } # end foreach vol

        } # end foreach part

        write ''

    } # end foreach disk

}

#--------------------------------------------------------------------
function Get-HRSize {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
        [INT64] $bytes
    )
    process {
        if     ( $bytes -gt 1pb ) { "{0:N2} PB" -f ($bytes / 1pb) }
        elseif ( $bytes -gt 1tb ) { "{0:N2} TB" -f ($bytes / 1tb) }
        elseif ( $bytes -gt 1gb ) { "{0:N2} GB" -f ($bytes / 1gb) }
        elseif ( $bytes -gt 1mb ) { "{0:N2} MB" -f ($bytes / 1mb) }
        elseif ( $bytes -gt 1kb ) { "{0:N2} KB" -f ($bytes / 1kb) }
        else   { "{0:N} Bytes" -f $bytes }
    }
} # End Function:Get-HRSize

Main

Please let me know if you find this helpful.