You used to be able to Search Active Directory from any Windows computer. This was pretty great for looking up printers, groups and computers in AD.
Then Microsoft took it away. Kind of. It’s still there, but hidden. You can add it back by adding a shortcut to your desktop with the following path:
rundll32 dsquery,OpenQueryWindow
Way better than having to install AD tools for a minor task.
Have you ever needed to work on a computer, but you were not able to log into the computer remotely? This issue could be a long jaunt across campus or an hour drive in the middle of the night, depending on your situation. In this post, we will look at how to enable the remote desktop protocol remotely. Note this is written with the assumption you are in a windows domain environment of 2008 schema or newer connecting to Windows clients.
Ideally, you would never have to do this in the first place because all workstations were configured correctly, or Group Policy has defined these settings appropriately. This tutorial is for the guys or gals who are not so lucky.
1. Management Console
Let us first start by opening our management console. You can do this through Active Directory, or you can open this locally. Press the start button and right click on My Computer. Click Manage.You will see that we are managing the local computer. By right clicking this you can change which computer you wish to control. When you have done that click the services tab and navigate down to the remote registry and click start.
2. Regedit.exe
Open a run prompt and start Regedit on your local machine. At the top left of the window click the file drop down tab and connect a network registry. Add the computer to which you want to connect to remotely. Now that you are in the remote computer’s registry navigate to
hklm\system\currentcontrolset\control\terminalserver
set fdenytsconnection to 0
Be careful modifying the registry as incorrectly doing so can cause damage to your system!
3. Restart
For the changes to take effect, we must reboot the computer. Below are a couple of options you can run from command prompt. When the computer starts, RDP should work.
shutdown /m \\remotecomputer -r -t 0
shutdown /i will open a GUI that you can use to remotely shutdown the computer
4. Cleanup
The setting we modified in the registry is not likely the ideal setting that you want for RDP as it selects the most insecure option and doesn’t authenticate by default with Network Level Authentication. To change this setting press the start button. Type in remote access and open the utility. Change the setting to use Network Level Authentication and the task has been finished.
Long Title:
How to do scheduled backups to a network share with built in windows server backup command line utility, wbadmin.
Remember how easy it was to backup a server with the Windows utility ntbackup.exe? Why Microsoft decided to get rid of this easy to use and easy to understand backup utility is a mystery buried in the dusty back halls of the Microsoft decision making engine. It took me a while to figure out the new way to get this done and I thought I’d share it with the masses.
The wbadmin utility is not intuitive, but by the time you finish reading this you’ll be a backup Ace. Note that this post assumes you are working in a windows domain environment and active directory with windows server 2008 r2 or higher.
Let us start by creating a backup user service account and making it a member of the group backup operators. You don’t want to use an admin account for this task as that is far too powerful and we want to follow the rules of least privilege. Definitely don’t use your user account unless you like being locked out 3 months later when you change your password but not the task. Now that we have our backup operator account we need to change to change some security settings in component services. If you don’t it is likely that this will not work or you will see some funky errors in your event logs (which you should be checking on a regular and consistent basis).
Open component services with admin permissions. Expand component services folder and then expand the computers as well. Right click my computer and select properties. Click the COM security tab. We are now going to edit the defaults on both the access permissions and the launch and activation permissions. Add the backup operator account that we created earlier and assign it local rights unless you are planning on doing this project another way in which case give it remote rights. Click ok and we are done with that.
Think about: Why are we doing the above? Is this Microsoft Recommended? If so, cool. What security holes does it open up for the backup account? Any? I did not find any, but do some checking to make sure just in case. You never said to log into the server that’s being backed up (Source machine), so you should probably say that to differentiate it from the target machine somewhere. Where do I go to open component services? Control Panel?
Wbadmin which is the command line utility that controls windows server backup and can be used to create scheduled task. At first i spent a fair amount of time trying to call a powershell script I made with ISE (https://technet.microsoft.com/en-us/library/dd315244.aspx) using task scheduler. That cost far more time then it is worth.
To get started, open powershell with admin rights. The syntax for the command to create our schedule backup job looks like this:
wbadmin enable backup -schedule:01:15 -systemStatebackup -addtarget:\\mynetwork\share\folder -quiet
Now you can add the username and password for you backup operator to that previous command if you wish, but it is going to prompt us for one right now anyway. In the prompt type the username of the backup operator we created and then fill in the password prompt as well. This utility will automatically check to see if you can access and write to the network share. If you get access denied then we know there is a problem with write permissions somewhere. This can be a lengthy process to troubleshoot so I will only talk about the issue I had. The network share I was using was a buffalo terastation. This has its own series of permissions that trump windows network share permissions so be certain to add that user with read and write permissions.
To double check that your task is scheduled and ready to run issue the command “wbadmin enable backup” in an admin prompt and it will give you the details on your scheduled backup job. You can also open up task scheduler and see it listed there as well. Be certain to check your network share that data is actually being written there. An unchecked backup is just as good as no backup.
You may notice one of my steps seems redundant feel free to leave it out. I just like being thorough.
for /f %%a in (c:\locationyourworkingfrom\listofcomputer.txt) do (
psexec \\%%a -h -u “domain\username” -p password cmd /c copy \\networkshare\location\TranscodedWallpaper.jpg C:\users\profileneedingwallpaper\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg /y
)
continue 1
for /f %%a in (c:\locationyourworkingfrom\listofcomputers.txt) do (
psexec \\%%a -h -i -u “domain\name” -p password cmd /c reg add “HKCU\Control Panel\Desktop” /v Wallpaper /t REG_SZ /d C:\users\profileneedingwallpaper\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg /f
)
Continue 2
for /f %%a in (c:\locationyourworkingfrom\listofcomputers.txt) do (
psexec \\%%a -h -u “domain\name” -p password cmd /c copy \\networkshare\location\TranscodedWallpaper.bmp C:\users\userneedingwallpaper\TranscodedWallpaper.bmp /y
)
continue 3
for /f %%a in (c:\locationyourworkingfrom\listofcomputers.txt) do (
psexec \\%%a -h -i -u “domain\name” -p password cmd /c reg add “HKCU\Software\Microsoft\Internet Explorer\Desktop\General” /v WallpaperSource /t REG_SZ /d C:\users\userneedingwallpaper\Transcodedwallpaper.bmp /f
)
continue 4
for /f %%a in (c:\locationyourworkingfrom\listofcomputers.txt) do (
psexec \\%%a -h -i -u “domain\name” -p password cmd /c Rundll32.exe user32.dll,UpdatePerUserSystemParameters
)
pause
This is all one script the continue tells the it go to the next command and pause tells it stop and not close out prompt when done if you want to review for errors you could also output info to a text document.
I have a friend in the Microsoft world that has to SSH to several servers and then tunnel Remote Desktop through the SSH tunnel. He does this with the ssh client PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) and the ssh server from bitvise (http://www.bitvise.com/ssh-server-download). I was goofing around with writing a windows batch script to make the process easier and faster, and thought I’d use it to make a short intro to making batch files. You can use the examples here to make lots of your own little tools to accomplish tasks for users. I’ve done this in the past with allowing a user to encrypt a file or dynamically changing the DNS server. There’s no limit to what you can dream up.
I have added some features in this .bat file that you don’t really need only to show you what’s possible and give you some ideas.
We write these in Notepad. Once it’s all in, we “save as” and select “all files” instead of .txt. Name your file with a .bat extension (Gorilla_ssh.bat for example) and you have a finished product. So open up notepad and get started.
Let’s walk it a few lines at the time.
REM***SSH bat from Gorilla Admin REM***Created 30 February 1492 REM***This bat file will ssh to the selected server REM***UAC is not necessary for this file to work
This is the header of our batch file. When you type REM, the CMD shell will ignore anything after that. So we put things here to remind ourselves why something is the way it is, or to give information to folks that may be looking at what we did.
So now, just for fun lets set a title and color.
@echo off color 0A TITLE Gorilla Admin, SSH
The “@echo off” just tells the cmd shell not to print the command that is is currently executing. I chose a black background with green writing because I’m old school. You can pick other colors. A good place to find out what you can use is here:
http://www.robvanderwoude.com/ntcolor.php
The TITLE command will place whatever you tel it to at the top of the CMD window. We simply use Gorilla Admin, SSH.
We now set a place marker with something called a label. Labels start with “ : ”.
:Begin
We set this so that we can tell the CMD shell to come back to this spot if the user does something we don’t like, or makes a mistake. I’m just calling my label :Begin. I have another label at the bottom called :END.
Now we set some variables, and give them values.
SET Target=0 SET Location=Unknown SET Answer=False SET Continue=False
Some folks will tell you that the variable don’t have to have values yet. I will tell you that about 15 percent of the time, I have issues with empty variables, so I just eliminate that with prepopulated values. You can put them in the body of the batch file next to where you will be using them. But I learned a long time ago, that if you have to change them, it’s better to have them all up top rather than having to search through the body of the file. Here I’m saying set the value of Target to be 0, and set the value of location to be unknown, etc.
Now we give some instructions to the user with the “echo” command.
echo Choose 1 for HOME echo Choose 2 for WORK echo Choose 3 for PLAY echo.
The echo command prints out everything after it to the screen. The echo command with a dot right after it, just means to skip a line. I use these for spacing so my text doesn’t look all run together and confusing. So what we did was ask our user which of the three servers he wants to log onto. Home, work or play?
Now the user has to answer and we have to store that answer in a variable.
set /p Target=Select the SSH target for your session, or (Q) to quit: echo.
The set /p command will change the value of the variable Target (we gave it a value of 0 up top) to whatever the user types in. We also here offer the user the chance to quit instead of continuing. We could have made that an option for “Choose 4 to quit”, but I left that off so that if we need to add newer servers, I don’t have to rewrite as much and only add that info.
What this looks like to the user is this:
Choose 1 for HOME Choose 2 for WORK Choose 3 for PLAY Select the SSH target for your session, or (Q) to quit:
Once the user types in a variable, we begin some checks to see if the user did what we wanted by typing in a correct option. We’ll start with the correct options, and then later talk about incorrect user input.
if %Target% == Q (goto :END) if %Target% == q (goto :END)
if %Target% == 1 (SET Location=HOME SET IP=192.168.1.1 SET Hostname=server)
if %Target% == 2 (SET Location=WORK SET IP=172.16.8.1 SET Hostname=WORK-svr)
if %Target% == 3 (SET Location=PLAY SET IP=10.20.30.1 SET Hostname=PLAY-SVR-01)
So, basically we have a few things going on here, all based off “IF”. The first two statements tell us IF the user typed a Q or a q, to go to the label :END, which we placed at the bottom of the script. That ends the execution. Notice that our variable has to be included between two % signs. I don’t know why this is, it’s just windows. All variables have to be called this way. So %Target% is the same Target that we got input from the user about, and declared as 0 at the top.
If %Target% is not a Q or q, then we check to see if it’s a 1. If it is, we assign values (with the SET command) to variables based on what is required to ssh to home. The three values we set are a site name, IP address to the site, and what the name of the server at the site is that we’ll want to Remote Desktop to connect to once the ssh tunnel is up. We repeat this for a choice of 2 or 3.
Notice that after the IF, we have a statement that “IF” true, we execute everything between the ( and ). So basically it’s:
IF ThisThing==True (then do this. And this. And this too.) REM but not this because I’m outside the parentheses.
Don’t forget the double equals sign. It’s important.
Now what if the user enters something we don’t expect? Notice that we set the variable “Location” to “Unknown” at the top of our script. If the user makes a valid choice, that value gets changed to something else. If they make an invalid choice, that variable %Location% still contains “Unknown”.
if %Location% == Unknown (cls echo You have made an invalid selection, please try again. echo. echo Resetting.. ping -n 3 127.0.0.1>nul cls echo You have made an invalid selection, please try again. echo. echo Resetting.... ping -n 3 127.0.0.1>nul cls echo You have made an invalid selection, please try again. echo. echo Resetting...... ping -n 3 127.0.0.1>nul echo. goto :Begin)
So here, we know that since the user didn’t make a valid choice, that this very long if statement will be run. This is unnecessarily long. But we are doing it for learning’s sake. It’s basically the same routine three times (yes, we could have done this with a loop, I’m staying basic here). At the end of the IF statement, we are told to go back to the label “:Begin”, which basically starts us over.
So lets look at what the IF statement does. CLS erases the screen. You know what echo does and the only thing we change here is to add two dots at the end of “Resetting”. The sly little trick here is the 3 pings to the loopback address. The output is redirected to the black hole called nul. But the fun thing is that for three seconds, the batch file waits. So basically, what we have here is a crude, unnecessary animation that penalizes the user nine seconds for making a wrong choice. Is that mean? Nah, people need a break if even nine seconds.
At the end of the If statement, the user starts all over again and gets to either get it right this time, or quit entirely. Let’s assume that the user enters 1, 2, or 3, and we’ll move on by showing the user what she selected, and asking her if it’s right.
echo You have selected: %Target% for %Location% echo.
echo Is this correct?
echo. set /p Answer=(Y)es to continue, (Q)quit to end, or any other key to retry: echo.
So none of this is new. We got values for %Target% and %Location% or we wouldn’t be here. So what the user would see, if we selected “3” for example would be:
You have selected: 3 for PLAY
Is this correct?
(Y)es to continue, (Q)quit to end, or any other key to retry:
As you see above, we’ll once again use “set /p” to change the value of %Answer% based off the user’s input. The user simply follows the instructions, and as before, we continue based off what the user inputs.
if %Answer% == Q (goto :END) if %Answer% == q (goto :END) if %Answer% == Y (SET Continue=True) if %Answer% == y (SET Continue=True) if %Answer% == Yes (SET Continue=True) if %Answer% == yes (SET Continue=True) if %Answer% == YES (SET Continue=True)
First, remember that we set the value for %Answer% to False way up at the top of the batch file. So unless the user chages it here, it’s still set to false. So we are back to the IF statements. I made this so if the user types Q or q, the script ends again. I also made it so that most variations of the word yes would change the value of Continue (again set to False up top) to True. If the user does’nt change it to True, the value remains false, and we continue.
if NOT %Continue% == True (echo Retrying... echo. goto :Begin)
This IF statement only triggers if %Continue% is still false. In other words NOT == True. If the user said that they selected the right server, then this statement won’t do anything. If the user “hit any other key”, meaning they wanted to retry, then %Continue% is NOT equal to true, and we go back to our old friend :Begin to start all over. We also echo Retrying, but since we did not cls or ping to slow it down, the user may not even notice.
But let’s assume our user typed “Y” and we’ll move on. We have the right location. We have the right IP address. We have the correct server to tunnel to. The user has confirmed that it’s all right. It’s time to make a connection and a little extra.
echo Trying %Location% at %IP% start mstsc.exe cd "c:\Program Files\PuTTY\" putty.exe -L 9001:%Hostname%:3389 -P 22 %IP%
So, just to give the user some feedback, we echo the location and IP address back to the user. But the next line does something a little cool. Since we know the user is going to use remote desktop, we go ahead and open it up for her using the start command. Mstsc.exe is Microsoft Terminal Services Client, or more commonly known as Remote Desktop. Don’t say I never teach you anything useful for Geek Trivia night. Remote Desktop will launch in a separate window, obviously.
You can use the start command to launch anything. But calc.exe would not really do much for us here.
The next line jumps into the directory that PuTTY is in with the cd command. Naturally, your’s may be slightly different. The next line may be difficult to follow if you don’t understand networking well. But basically it says:
“Hey PuTTY, Listen on port 9001 and whatever hits that port, push it through the ssh connection to the server %Hostname% and connect to port 3389 on that side. For the SSH connection, use port 22 and go to IP address %IP%.”
Remember that the values for %Hostname% and %IP% will be filled in based off what the user picks. Putty will also launch in a separate window, not so obviously. At this point, the user can minimize the batch file, as it will remain open as long as the SSH session is in progress. Switch to the PuTTY window, and log in with your username and password.
If you actually try to use this, you’ll have to connect Remote Desktop by typing in localhost:9001 to the computer field of the Remote Desktop Window after the SSH session is established. Remember we told PuTTY to Listen on 9001, and send anything that connects to it to the Hostname on the other side to port 3389.
You can use the same techniques we already discussed to use a VNC client instead of Remote Desktop and change the application launched with “start” and the port that putty connects to on the other side. Or, even cooler make variables and allow the user to decide on RDP or VNC.
Lastly as cleanup, we include the finishing up bit.
echo Shutting down connection :END
Once the user ends the connection we’ll send this message, again that will probably flash by so fast the user won’t see it unless you slow it down with the handy ping command you learned already. Lastly, we have the :END label to jump to anytime the user hit’s Q or q.
Don’t forget at the end to save your file with a .bat extension (not ssh.bat.txt, but ssh.bat). It’s icon will look like a gear in a box if you did it right. Double click on it to run it.
I’m sure you’ll have to play with this to get it to work, and I may not have explained it as well as I could have, but you are a Gorilla Admin. Use your brain, and get it to work, and make me proud.
Every once in a while, you get those one offs. That unusual situation where you have to help someone far away who is on a dynamically assigned and PATed IP address behind a firewall that neither you, nor they, are able to control. CrossLoop was great for this because it was free and easy to use. And even the paid professional version was cheap.
But for whatever reason, AVG bought them out and shuttered the whole deal, quite abruptly and as has been opined in a few forums, rudely. But that’s the way the cookie crumbles in the big city.
I tried finding a good substitute and I wasn’t happy with what was out there. There were a lot of products, but free and open source no longer seems to be in the cards. So I did some digging.
I knew that CrossLoop used VNC and that VNC is open source so I decided to see what possible. I was already using TightVNC on Windows Domain networks as a replacement for Dameware. Dameware was and is still, a great product. But when Solar Winds picked it up they tripled the price and now I just can’t afford it on a small budget. They said they did this because they added a chat function. Dameware already had a chat function. It was called notepad. I picked TightVNC to research because I’d used that product well in the past. After reading through the documentation, replacing CrossLoop would be laughably easy. Maybe not for the average Joe, but for a Gorilla Admin, truly a piece of cake.
Setting this up requires some preparation on your part. The scenario we’ll use is that you (on the client), and Grandma (on the server and in distress) are both at home and neither of you are on a business network, and nobody has a static IP address. Grandma needs help, but you can email her instructions to download TightVNC and how to connect back to your client.
First, set your network up by starting at your router. All modern home routers have port forwarding capabilities. If yours doesn’t, buy a new one. Log onto your home router and find the port forwarding page. You need to know the IP of the computer that you are going to control Grandma’s computer from (the client). We’ll use 192.168.150.10. I always make that third Octet something high at home because it keeps me from having issues with VPNing into a network that has the same range.
Anyway, on my own router, it’s in the advanced settings. Yours may be different because picking a router is like picking a car. Nobody’s is just like yours. Once you find it, set up a new port forward to your client machine.
Service Name ReversVNC Service Type TCP Starting Port 5500 Ending Port 5500 Internal Starting Port 5500 Internal Ending Port 5500 Internal IP Address 192.168.150.10
This example offers a range of ports to forward, but we are only using 5500. I’m keeping the internal and external ports the same for simplicity. The idea is that as soon as you are done with Grandma, you’ll delete this port forward to close this hole in your Firewall.
Now you get a VNC viewer running. If you don’t have the software installed, you can go with TightVNC as I have for Windows clients. It’s also the example I’ll be using. Get it at: http://www.tightvnc.com
If you are on Linux, I get a lot of use out of vinagre. You can install it with whatever package manager you like.
First the Windows TightVNC guide. My current version is 2.7.10. Once you launch TightVNC you should get the New TightVNC Connection window with Connection on the top third of the window. Skip that. We are looking for the Reverse Connections section with the “Listening mode” button. Click it. TightVNC minimizes to the system tray. If you get tired of waiting for your incomming connection, right click on it, and choose “Close listening daemon” to end it.
You now have to let the server connect back to you through Windows Firewall. I’ll go with a Windows 8 example. From the Desktop hit the windows key and “S” to bring up the search bar. You can type “Windows Firewall” and go straight to it, or type “Control Panel” and open the windows firewall from there the same way you did in Windows 7 and XP. No one admits that Vista ever existed. Once it’s open, click on the Advanced settings menu item on the left side of the window. Once the advanced settings window appears, click on inbound rules, then “New Rule” On the first screen of the Firewall rule wizard (Rule Type), click the “Port” option. On the next window (Protocols and ports), choose TCP, and in the specific port field type 5500. Allow the connection on the next page (Action), and next (Profile), apply to all, or whatever network you need. Lastly, give it a name such as AllowInboundReverseVNC. That should do it. You can always delete this rule when you are done helping grandma.
For Linux, my version of Vinagre is 3.4.2. I launch it from a terminal window by typing “vinagre” Once it opens up, choose “Remote” from the menu bar and then “Reverse Connections”. This launches a window where you’ll check a block for “Enable Reverse Connections”.
Now you need to open port 5500. The following rule for iptables should get you started if you have the iptables firewall running, but you should be smart enough to figure it out if you are. To allow port 5500 try:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5500 -j ACCEPT
Again, remember to put it back when you are done helping Grandma.
But for now, your end it set, and it’s time to send Grandma the email on how to set up her end. The last thing you need to do is find out your public IP address to give to grandma. You do this by opening Google Chrome and typing “IP” in the search bar. The firs thing listed will be something like: Your public IP address is 256.75.75.75
I leave lots out of your letter to Grandma, but It goes like this:
____________________________________________________________________
Dear Grandma,
Open your web browser, and go to this website:
http://www.tightvnc.com/download.php
Under “Download TightVNC for Windows (Version 2.7.10)” download the “Installer for Windows 32 bit” or the 64 bit if that’s what you have.
Click on the installer, check the box for “I accept the terms” and click next. Click the box for typical, and when the “Select Additional tasks” window pops up, uncheck Register TightVNC server as a system service (recommended). You don’t need that. Then click next. On the last page, click install. When it’s done installing, click finish.
After it’s installed, You want to run TightVNC server, not viewer. You won’t notice it, but you will now have an icon in the system tray that looks like a “V” with wavy lines. It may complain that you have not set any passwords. Right click on it, and choose “Attach Listening Viewer” I am the listening viewer. Put my IP address in the box. It’s 256.75.75.75. Don’t check the box that says view only, or I can’t help you. Then call me and when I tell you to, click the button for “Attach” so we can get your knitting software fixed.
Love Baby Gorilla.
Windows 8 has a wireless profiles peculiarity. I first experienced it when I had to re-connect to a network that had the wireless password changed. I had the network stored in the wireless profiles and had been gone for a month. When I returned to the building that network was in, Windows 8 tried to join the network with the old key and errored out. I put in the new key, and viola, it worked. Until I rebooted. I added the key again, and the profile showed up with a “SSID 2 3” at the end. This repeated daily adding a new number every time I had to reconnect with the same password resulting in a “SSID 2 3 4 5 6” and got to be a real pain. I have also seen this happen with networks that go from broadcast SSID to hidden SSID and vice versa.
The simple explanation, is that Windows 8 stores the network profile with both the old and new sets of information. When you reboot, Windows has conflicting information on how to join the network, so just doesn’t do anything. This forces you to do it manually and of course, creates a new conflicting profile while placing an incrementing number at the end.
I’ve seen this several times since then and like so many things Windows 8, the fix is not obvious or easy for the masses. You actually have to fix this with the command prompt.
First, make sure you open a command prompt with administrator privileges. Next, we need to list all the currently saved wireless profiles. We do that with the netsh command.
netsh wlan show profiles
C:\Users\Gorilla>netsh wlan show profiles
Profiles on interface Wi-Fi:
Group policy profiles (read only)
---------------------------------
<None>
User profiles
-------------
All User Profile : GorillaNet 2 3 4 5 6 7 8 9 10
All User Profile : GorillaNet 2
All User Profile : MITS 2
All User Profile : GorillaNet 2 3 4 5 6 7 8 9
All User Profile : GorillaNet 2 3 4
All User Profile : Cisco
All User Profile : GorillaNet 2 3 4 5 6 7
All User Profile : GorillaNet 2 3 4 5 6 7 8
All User Profile : GorillaNet 2 3 4 5 6
All User Profile : GorillaNet 2 3 4 5
All User Profile : MITS
All User Profile : Skynet
All User Profile : GorillaNet 2 3
All User Profile : GorillaNet
All User Profile : ITportable
All User Profile : RPK
All User Profile : RPK2
All User Profile : gabby
All User Profile : PopNGrndma
As we see above, Gorilla net has gone crazy and just keeps implementing the profile number every time we reconnect to it. I originally deleted these one by one, until I discovered (happily) that you can just wildcard it with the asterisk. Again, we use another function of the netsh command.
netsh wlan delete profile name=SSIDtoBeDeleted*
C:\Users\Gorilla>netsh wlan delete profile name=GorillaNet*
Profile "GorillaNet 2 3 4 5 6 7 8 9 10" is deleted from interface "Wi-Fi".
Profile "GorillaNet 2" is deleted from interface "Wi-Fi".
Profile "GorillaNet 2 3 4 5 6 7 8 9" is deleted from interface "Wi-Fi".
Profile "GorillaNet 2 3 4" is deleted from interface "Wi-Fi".
Profile "GorillaNet 2 3 4 5 6 7" is deleted from interface "Wi-Fi".
Profile "GorillaNet 2 3 4 5 6 7 8" is deleted from interface "Wi-Fi".
Profile "GorillaNet 2 3 4 5 6" is deleted from interface "Wi-Fi".
Profile "GorillaNet 2 3 4 5" is deleted from interface "Wi-Fi".
Profile "GorillaNet 2 3" is deleted from interface "Wi-Fi".
Profile "GorillaNet" is deleted from interface "Wi-Fi".
Lastly, just to make sure we did it, we show the profiles again.
C:\Users\Gorilla>netsh wlan show profiles
Profiles on interface Wi-Fi:
Group policy profiles (read only)
---------------------------------
<None>
User profiles
-------------
All User Profile : MITS 2
All User Profile : Cisco
All User Profile : MITS
All User Profile : Skynet
All User Profile : ITportable
All User Profile : RPK
All User Profile : RPK2
All User Profile : gabby
All User Profile : PopNGrndma
So now, with all GorillaNet profiles deleted, we join the network one last time, and when we reboot, no more manual rejoining of the network.
It frustrated me a while that whenever I rebooted my laptop from Windows to Linux or vice versa that the clocks didn’t match. The short version of why this is, is that one expects a UTC time zone, and the other expects the local time zone. I lived with this for a while before it bothered me enough to research how to fix it. The Windows registry change solution offered below worked on my 64bit Windows 8.1 machine, and I can’t imagine it would be any different on an older version.
Get regedit open and navigate to the registry key at:
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Add a new 32 bit DWORD value in the right pane and call it:
RealTimeIsUniversal
Once you’ve created the value, double click to open it, and give it a value of 1.
Reboot into Linux, check the clock. If it’s wrong, fix it. Reboot again into Windows, and now Windows should agree with Linux. Hope this helps!
Every once in a while I have to make an .iso. Disk imaging software makes that easy enough, but for me, when I’m on an operating system that has dd (Most Linux/Unix systems, and downloadable versions for windows) it’s just too easy to backup a CD or DVD with this one liner:
gorilla@localhost ~ $ dd if=/dev/cdrom of=~/Desktop/Dell_WinXP_SP3_32bit_oem.iso 1222032+0 records in 1222032+0 records out 625680384 bytes (626 MB) copied, 147.125 s, 4.3 MB/s
In the above example, I’m copying a Dell OEM CD as the input file from the CD tray (if=/dev/cdrom). The output file is the path and file name I want to write my .iso to (of=/pat/filename). Naturally, change the file output file name to match your disk.
ATTENTION: Spiceworks has significantly changed since this posting and this will not be the best post for the most current information.
I’ve used lots of network monitoring tools over the years. Some of the open source stuff was hard to set up, hard to configure, and time consuming. But free. Lots of commercial products are pretty easy to use. But the cost for those prohibitive to the small network administrator that has to monitor less than fifty devices and has a budget that makes buying a five hundred dollar computer a major purchase that management groans loudly about.
So for me, discovering Spiceworks was pretty nice. I’ve used it for a few years now, and it keeps getting better. I decided to make this tutorial on how I set up Spiceworks. Like anything in IT, there are lots of different ways to do it, but this one works for me, and if you’ve never set it up before, it gets you from zero to seventy five in, well, about twelve hours or so of scanning time. But you’ll catch on to why that’s not so bad.
Let’s talk about the environment that we’ll use in our example. I’m using this set up because in the area that I live in, and for small offices with no full time IT person, it’s a common setup.
The Internet is connected via the WAN port of one lousy, home based wireless router, that should not be used for a business, but is. Next up is a dumb switch with a single flat VLAN and 24 ports going out to the Nodes. One of which is a single server that serves as a domain controller and file server. Another is an all in one, copier, fax, scanner that is IP capable. And then 15 to 20 Windows workstations, all joined to the domain. DNS and DHCP are done on the single Windows Domain Controller.
If you have a workstation free, I like to see Spiceworks on a separate machine dedicated for it, but I have put it on the Server and it’s worked fine. These instructions will be the same regardless of where you put your Spiceworks instance. One note is that is has to go on a Windows machine. There’s no Linux version or Mac. I’m sure you can run it from a virtual machine on a Linux or Mac fine, but I haven’t actually done it.
Before we even start the install, let’s get the environment ready for Spiceworks by jumping into group policy on the domain controller. You can make a Spiceworks group policy object, or just edit the default policy.
The most comprehensive tutorial I’ve found to do this is here:
But the quick instructions for those that are a little more group policy savvy are below.
Group policy path is: Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile
Look for, and make enabled:
Windows Firewall: Allow remote administration exception
Windows Firewall: Allow ICMP exceptions
In the actual settings here, you want to allow inbound echo requests
Once the policy is enforced and your workstations begin picking this up, they’ll show up in Spiceworks quickly. If you can do this a day or so before you do your first scan, you’ll be happier.
At this point, we are ready to install Spiceworks. Download it from www.spiceworks.com/downloads/
There’s some cool info there about other stuff you can use as well, but we are looking for the install, which at the time of this writing, reads “On your Windows Computer.”
Once you get to the “Thank you for downloading Spiceworks!” page, the MD5 Checksum will be displayed.
I used the Microsoft File Checksum Integrity Verifier (FCIV), a command line tool, to verify the md5 checksum. I dropped the executable for this file in c:\windows\system32 so that I don’t need to use the full path when using the tool. If you don’t want to do this, you’ll have to give both the full path to the tool, and the full path to the spiceworks.exe file. If you know that you don’t really need to do this, then you don’t need me to tell you how to do that. Once you are ready to run your checksum, then pull up a command prompt, and check the hash as in the below example.
______________________________________________________________________________
C:\>fciv -md5 c:\Users\gorilla\Downloads\Spiceworks.exe
//
// File Checksum Integrity Verifier version 2.05.
//
db932159cec17bbdadf673b1687e69b1 c:\users\gorilla\downloads\spiceworks.exe
______________________________________________________________________________
You can download the Microsoft File Checksum Integrity Verifier (FCIV), at http://support.microsoft.com/kb/841290
Now for the fun stuff. Once you get click the installer, you get the standard “Do you want to allow this program…..” You should know what to do there. Then the Spiceworks setup wizard starts. The first choice you are asked to make is what port Spiceworks will run on. If you are running a webserver on the machine already, then you will have some decisions to make. But for this tutorial, we are going with the default and leaving it as is. If you are not sure if you are running a web server, you can generally tell by opening a web browser and typing http://127.0.0.1/
Next you have to accept the terms of use. You can try not accepting, but we all know what happens after that, so just accept them.
The next choice is whether you want to install nmap and WinPCap. This is easy for me, because It usually gets installed on anything I use anyway. Next again with the defaults.
Change the destination folder if you need to and click Install. You can now watch the little green bar and read the provided stuff, or just go get another cup of something.
At the end, you get a couple of checkboxes about shortcuts and launching, so leave em and hit continue.
You’ll now have a Spiceworks icon running in your system tray, but leave it alone. Every time I’ve ever installed Spiceworks this part takes a while. Wait a good ten minutes or so for the Spiceworks application to pop up in your default web browser. After the ten minutes if it hasn’t, then go ahead and click on the icon to get the login screen.
I’ve had trouble in the past with this part. If it doesn’t go as planned and you never get the “create an account” page, then try a reboot, then start the application. If that doesn’t work, then an uninstall, and re-install usually does it.
At the initial login screen, go ahead and create a Spiceworks login with an email account and a password that will be unique to your Spiceworks installation. Once that’s accomplished, you’ll be presented with a welcome to spiceworks page with an address of http://localhost/wizard/startup
But we are going to cheat and change the URL to http://localhost/login
Log in with the account you just created and you should be taken to your Spiceworks dashboard.
At the top of the page, hover over “Inventory”, then select “Settings”.
On the Settings page, select “Network Scan”. At the top of the page, Spiceworks should have already detected what it thinks is your network range. In most cases this will be correct. You can correct it now if not. If you have other subnets in a routed network, then you can add them as well now by clicking “Add IP Range”.
Before you start the network scan, it’s important to make sure you have as many valid credentials for your network as possible to ensure that you gather the most information.
For your windows boxes, enter a valid Windows domain account with administrative rights in the WMI section. Be sure to click the “Add Account” button before trying to save a new account. If you don’t, you’ll overwrite the account that you just created.
If you have Linux or Macs in your Network, then enter credentials for those devices under SSH. You’ll have to make sure that an SSH server is listening on the machine that you want to monitor and that IP tables, or other firewall is allowing SSH connections.
If you have snmp set up, this is the time to put that in as well. You might get lucky with and snmp string of “public” with a lot of printers. Since that seems to be a standard default with a lot of manufacturers.
Once you have your credentials configured, place a checkmark in the box with your network range under “Your Networks” and the “Start Scan” button will now be available. Click it to get your scan started.
Let the scan go for about a half hour, then check the box that lists the errors at the end to troubleshoot any issues. Don’t forget to consider firewalls for your devices and make changes to the rules to allow whatever protocol you are using, i.e. snmp, wmi or ssh.
Any devices such as the Wireless router that we talked about will have to go unscanned. Spiceworks simply can’t keep up with the web interface of five hundred different versions of a hundred manufacturers routers. For those devices, you’ll have no choice but to use the option “I don’t want hassle free monitoring – I’ll manage this device myself. Like a caveman.”
After the devices have been scanned in as best as you can get them, you can go to Inventory and select devices individually. Then add or change as desired by clicking on the pencil icon marked “edit”.
This is not a logical place to throw the Active Directory sync into the mix, but since it will make enrolling Mobile devices a bit easier, we’ll jump quickly over to it. Hover over “Inventory” until you get the pop up menu, then select “settings” from the menu that pops up.
From the settings menu, under “Getting Started” you should see “Active Directory Configuration”. Select that.
Enter your credentials, set the frequency (every few hours is good in a small network) and check the block for “Sync changes with AD” and “AD integration with user portal”. If security is an issue where you think someone may get onto your Spiceworks installation and use your credentials, then you probably shouldn’t be using Spiceworks and should learn about security. But I digress.
Hover over “Inventory” then select “Mobile Devices”. If you are accessing this for the first time, click the blue “get started” button, then you’ll be required to log into the spiceworks community if you haven’t done so yet. This was tricky for me as it opened up a second tab. Once you log in, you have to return to the first tab that is sitting there waiting for you to return to it and click refresh. I entered my password about three times before I realized what was going on.
When the “Welcome to Mobile Device Management” window pops up, fill in your Company Name, or use your Name if you don’t have one, and agree to the terms of use. Then click “Get Started”. You’ll get a success announcement, and then a blue button to enroll your first device.
In the prompt to enroll your first device, your choices will be yourself, an existing user, or create a new user. Since we’ve created no users, choose yourself or create a new user. If your Active Directory is already syncing up, then you should be able to choose those users as well.
Next you’ll have to choose whether the device is an Android device, Apple iOS device, or Windows phone. You also get told right off that enrolling Apple devices requires additional steps. Choose the type of device and click “Send Request”. If it’s an Apple device, go through the steps to get an Apple certificate with Apple. Once those steps are completed, then click “Send request”.
For future devices you’ll click the button for “Enroll Device.” Under “Your Enrollment Queue,” Choose the user you want to send the request to, or choose “Everyone”. Then click the button for “Send Request”.
Users will receive an email from MaaS360 with the subject line “Device Enrollment Request”. They’ll get this request even though we have not setup the email settings on the Spiceworks server yet.
Once the user responds to the request and downloads the MaaS360 app you’ll start seeing that data populate in Spiceworks.
Gorilla Admin 