Second in a series on improving Windows Group Policy.
One very common Group Policy strangulator shows up in Windows event logs as SceCli, event ID 1202. When Group Policy processing encounters this, it can prevent many things from occurring.
The error, specifically, is a nonexistent user or group present in a GP configuration item. For instance, most recently there was a Group Policy including a security item which included “Domain Uers”, a typo of “Domain Users”, deep in computer-level security items, and this prevented the policy from doing anything, even though there were other, equivalent, items in the same area. I’ll repeat, the typo item had to be removed, before the entire policy would do anything; group policy processing is apparently not able to treat a nonexistent referent as irrelevant.
Finding the item is interesting too. It requires a file of this name and location:
%SYSTEMROOT%\Security\Logs\winlogon.log
It may not exist. If not, or if it’s not up to date, browse to this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
and set DWORD ExtensionDebugLevel to 2. Then run gpupdate, and the file will be created. Then in administrative CMD, run:
FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The above will produce one or more invalid security group names or login names, included somewhere as a configuration item within a group policy. Once you have the name(s), run:
rsop.msc
and examine all of its tree carefully, to find the error. That will lead you to the spot in GPMC where you will find the bad entry, to fix. Once you have fixed, try your gpupdate again, and your policy will apply, unless something else is wrong!
Part III, Copying Files, is here.
Categories:
Group Policy
Windows OS-Level Issues
In my experience, group policy is the only nearly indispensable tool on a Microsoft domain-controlled LAN which breaks very often and admits of almost zero solid documentation towards fix. Someday this may be thorough, Lord willing; for now, we have:
Part I, General
Part II, Destrangulation
Part III, Copying Files
Categories:
Group Policy
Windows OS-Level Issues
This works in PowerShell. Some off-the-charts numbers will be reported for virtual NICs. The speed you want is in megabytes, so a gigabit NIC will read as 1000:
Get-CIMInstance -Class Win32_NetworkAdapter | Where-Object { $_.Speed -ne $null -and $_.MACAddress -ne $null } | foreach-object { ($_.Speed / 1000000) }
and this works in CMD. Reports speed in bytes per second, so gigabit is reported as “1000000000” and 100-megabit is “100000000”.
wmic NIC where NetEnabled=true get Name, Speed
Categories:
Diagnostics
A great little tool found by the extraordinary Zach Hogan:
http://www.icc-usa.com/raid-calculator.html
Categories:
RAID
Here is the only complete method known to this writer to automatically download and install all current Microsoft redists. It uses this:
https://www.powershellgallery.com/packages/VcRedist
Steps:
- You’ll need the PowerShell Gallery. Windows 10 and WMF 5.1 come with it.
- If you have 10, or once you have WMF installed, you can just run GETREDISTS.CMD (part of windows-tools ) as administrator. Alternatively, you can continue :-)
- VcRedist is the core, we’ll install that automatically as part of the procedure. In administrative PowerShell (the -Force takes in any new updates):
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Install-PackageProvider -Name NuGet -Force
Install-Module -Name NuGet -SkipPublisherCheck -Force
Import-Module -Name NuGet
Install-Module -Name VcRedist -SkipPublisherCheck -Force
Import-Module -Name VcRedist
New-Item C:\VcRedist -ItemType Directory
Get-VcList | Get-VcRedist -Path C:\VcRedist
Get-VcList | Install-VcRedist -Path C:\VcRedist
The above installs all of the redistributables which Microsoft currently supports. Reportedly, some older ones (going back to 2005 at this writing) can be had using this:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Install-PackageProvider -Name NuGet -Force
Install-Module -Name NuGet -SkipPublisherCheck -Force
Import-Module -Name NuGet
Install-Module -Name VcRedist -SkipPublisherCheck -Force
Import-Module -Name VcRedist
New-Item C:\VcRedist -ItemType Directory
Get-VcList -Export All | Get-VcRedist -Path C:\VcRedist
Get-VcList -Export All | Install-VcRedist -Path C:\VcRedist
You may wish to delete the downloadables after the procedure:
Remove-Item C:\VcRedist -Recurse -Force
Categories:
Windows OS-Level Issues
Windows Installer, Updates, Patching
Categories:
Microsoft Office
Categories:
Servers
NTFS
Categories:
Web Methods
At your own risk!!! For the brave and the risk-tolerant only, put five grams per liter of Hexagonal Boron Nitride, also called HBN:
https://www.bulletcoatings.com/product/hex-boron-nitride-hbn-powder/
in your engine oil. Smooth power, like wow :-) The stuff is actually very non-toxic, it is the primary ingredient in many women’s cosmetics. An extremely fine powder, and extremely slippery. Do NOT put it in any transmission…
Categories:
Miscellaneous
For quite a while I had been curious as to why a simple method to do this was not available. CCLEANER and others do not reach into every user profile, and on many machines this is crucial, e.g., terminal servers. CATE was originated as a .VBS by the excellent David Barrett ( http://www.cedit.biz ) and has been rewritten thoroughly by yours truly (JEB of Ponderworthy). The current VBS is here.
The most recent version is a PowerShell script, which adds removal of Ask Partner Network folders from user profiles, and a good bit of speed and clean running. Future development will be in PowerShell, as part of the ponderworthy-tools project.
One thing discovered along the way, is even in XP there was a user profile called the “System Profile” — XP had it in C:\WINDOWS\System32\config\systemprofile — and some malware dumps junk into it, and sometimes many gigs of unwanted files can be found in its temporary storage. CATE cleans all user profiles including those, as well as the Windows Error Reporting cache, and the .NET caches, and the system TEMP folders, and in recent versions, many Windows log files which are often found in many thousands of fragments.
The tool is designed for Windows 10 down through XP. As of 2017-10-10, it is self-elevating if run non-administratively.
It is licensed as follows:
The 3-Clause BSD License
SPDX short identifier: BSD-3-Clause
Note: This license has also been called the “New BSD License” or “Modified BSD License”. See also the 2-clause BSD License.
Copyright 2017 Jonathan E. Brickman
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Categories:
Cleanup