Tuesday, May 26, 2009

Creating a Group Policy to Log Off Remote Desktop’s ‘Disconnected’ sessions


Large IT environments commonly run into the following scenario: server administrators, usually working through the Remote Desktop snap-in in MMC, do not log off their sessions. When they close the MMC, their sessions are disconnected rather than logged off. Each such session keeps occupying one of the server's limited connections, preventing other users from connecting, and any applications and processes that were running when the user disconnected keep running indefinitely, consuming valuable system resources.

The following steps would ‘log off’ all such sessions after a specific period of time.

Note: If you want to implement this policy in your organization, make sure you communicate it to your server administrators, because forcibly logging off a session (even a disconnected one) stops any application or copy job they may have started and left running. Server administrators must be aware of this policy so they can plan such jobs accordingly. It is also a good idea to set the time-out value fairly high, e.g. 12-24 hours, so that most operations finish before it expires.

  1. Open Group Policy Management (gpmc.msc). Create a linked policy at either the domain level (not good practice) or the OU level (best practice). Make sure you create the policy on the OU where all your servers reside.
  2. Enforce the policy. I like this option because it guarantees that the policy is applied all the way down the OU chain and always wins in case of precedence conflicts with other policies.
  3. Go to Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Sessions.
  4. Select the option 'Set time limit for disconnected sessions'. Enable it and enter the time limit. 'Never' means the session remains open indefinitely. A limit of 12 or 24 hours is usually good enough.
  5. Note that this setting only logs off sessions that the user has disconnected. It does not log off active sessions.

I hope my readers know the difference between Active, Idle and Disconnected sessions. Because if you don't and you plan to implement a group policy, then God help your organization.

Some Hurdles

Suppose you have applied this group policy at the domain or OU level, it is applied on all your servers and everything is going hunky dory, and then Aziz from development comes along and says he has written an application that he has to start from a Remote Desktop session under some freakish service account. After starting it, he disconnects the session, and the application is supposed to run indefinitely. With the current settings you have messed that up, because the forced log off also closes every application running in the session. Now you can either lecture Aziz on the best practices of code development and execution, OR you can go into the Group Policy, add this computer account and deny it from applying the group policy. And as you may know, 'Deny' is the mother of all precedence.

Some Alternatives & Notes

  1. This setting will not work on connections to Windows XP Professional.
  2. If group policies give you the chills, you can configure this setting manually on each server, or maybe you only want to do it on your mission-critical and resource-hungry servers. Manually, it is done by changing the RDP-Tcp properties on the server.
  3. You can also apply this limit to one or more users by changing their user properties > Sessions tab.
  4. Since this setting can be configured in several places, you may wonder which one takes priority over the others. The priority order is:
    1. Group Policy – Computer Configuration
    2. Group Policy – User Configuration
    3. RDP-Tcp Properties
    4. User Session Properties
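As an added example (not from the original post), the following PowerShell script audits where the disconnected-session limit is set on a server, following the precedence order above, and lists the sessions that such a limit would eventually log off. It assumes PowerShell 2.0 or later and the built-in query.exe; the per-user session properties live in Active Directory, so they are not checked here.

```powershell
# Registry locations where 'MaxDisconnectionTime' (milliseconds) is written by the
# three local sources, in the precedence order listed above. A value of 0 means 'Never'.
$sources = @(
    @{ Name = 'Group Policy - Computer Configuration'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' },
    @{ Name = 'Group Policy - User Configuration'
       Key  = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' },
    @{ Name = 'RDP-Tcp Properties'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' }
)

function Get-DisconnectTimeout {
    # Returns the first (highest-precedence) configured limit, or nothing if none is set.
    foreach ($s in $sources) {
        $item = Get-ItemProperty -Path $s.Key -Name MaxDisconnectionTime -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $ms = [int64]$item.MaxDisconnectionTime
            return New-Object PSObject -Property @{
                Source       = $s.Name
                Milliseconds = $ms
                Hours        = [math]::Round($ms / 3600000, 2)
            }
        }
    }
}

function Get-DisconnectedSessions {
    # 'query session' prints one line per session. A disconnected user session has an
    # empty SESSIONNAME column, so its line reads: <username> <id> Disc ...
    # The 'services' session on newer Windows versions is also 'Disc' but has no user.
    foreach ($line in (query session 2>$null)) {
        if ($line -match '^\s*(\S+)\s+(\d+)\s+Disc\b' -and $matches[1] -ne 'services') {
            New-Object PSObject -Property @{ User = $matches[1]; Id = [int]$matches[2] }
        }
    }
}

$limit = Get-DisconnectTimeout
if ($limit -eq $null) {
    Write-Output 'No limit configured anywhere: disconnected sessions stay open indefinitely.'
} elseif ($limit.Milliseconds -eq 0) {
    Write-Output "Limit explicitly set to 'Never' by: $($limit.Source)"
} else {
    Write-Output "Disconnected sessions are logged off after $($limit.Hours) h (set by: $($limit.Source))"
}
Write-Output 'Sessions currently disconnected:'
Get-DisconnectedSessions | Format-Table Id, User -AutoSize
```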

Restoring a system state backup (Captain’s Log)

 

The following is the restoration of a system state backup in the 'Captain's Log' format, meaning it's not very refined and might have some typos, but it will have all the steps and also the decisions that I made and why.

  1. I created a group policy on the domain level, by which I ‘Removed Help menu from the Start Menu’ for all users.
  2. I ran gpupdate /force
  3. Ran ntbackup
  4. Selected SystemStateBackup, selected a ‘Normal’ copy and then provided a location on D for copying the backup file.
  5. Backup has started and it's going on well. It took some time reading the data to back up and then the numbers appeared in the 'Backup Progress' screen. Initially it showed me an estimated time of 3 minutes.
  6. It took a little over 3 minutes. I believe in production environments it will be quite higher than this.
  7. I clicked on ‘Report’ to check whether there is anything untoward. There wasn’t.
  8. I checked the size of the backup file, it is 503 MB.
  9. Transferring the file to DEN-SRV1
  10. I don’t like copying stuff to root and don’t like to bury my file under millions of folder. So I am copying in the legal folder on C Drive.
  11. Copy complete.
  12. Now assuming that my DEN-DC1 is dead. I am going to close my virtual machine and delete all changes, since I want to use this machine for future labs and want to keep the size to minimum. This can be a very tricky scenario.
  13. Before running dcpromo, note that the DEN-SRV1 is already joined to the domain being controlled by DEN-DC1. I will keep the IP and network settings as is and see what happens. As this can happen in a real scenario.
  14. Selected ‘Domain controller for a new domain’
  15. Selected ‘Domain in a new forest’
  16. Provided the full DNS name contoso.msft. This name should exactly be the same as name of my domain. I can’t create a new domain and restore the backup of the old domain to this new domain. I know this much, okay. (Angry smiley)
  17. After giving the FULL DNS name for the new domain, I pressed 'Next' and it's still pressed after a minute. Let's see what happens. 7:25
  18. Okay, done. Within a minute.
  19. Now asking Domain NetBIOS name, for which I have given ‘CONTOSO’
  20. Going with default database folder and log folder.
  21. and sysvol folder.
  22. hmmmm. DNS diagnostic failed. Obviously it would fail, since DEN-DC1 was also my DNS server. Three available options and I am going with 'Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server'.
  23. Asked for ‘Restore Mode’ and ‘Confirm’ password, and I entered Pa$$w0rd. Yes I know they are the same.
  24. Now I think installing the DNS. As I can see a server icon, with a book icon in the front and a crazy pencil writing something on it.
  25. Hmmm. I got this message. Because I chose not to remove my original IP settings and/or disjoin the computer from the domain, it has done it itself.

[screenshot: clip_image002]

  1. Sheezers. I should have tested the backup before running the dcpromo. Maybe I wouldn't have needed to run the dcpromo. Anyways, I can try it later. Bolded to remember what I have to try later.
  2. Crazy pencil has finished writing and some installation started, no no the pencil is back again now. ‘Configuring DNS service on this computer’
  3. Okay, it's complete now. And it's asking for a restart. Shall I restart? Okay, I will. What have I got to lose except time. It's all virtual machines; I can revert back to an earlier point in time.
  4. Okay the machine is restarted now.
  5. I have logged in and now I will try to restore the backup by double clicking on it. I know that it doesn't work, as I would have to restart the server in safe mode and use NTDSUTIL to restore the backup, but what's the harm in trying.
  6. ntbackup has started. I am going in wizard mode.
  7. Selected restore file and settings and browsed to the file again. Double clicking the backup file just started the ntbackup

[screenshot: clip_image004]

  1. I selected the ‘System State’ as mentioned in the pic above.
  2. Now the restore screen is saying 'Restore to Original Location' and 'Existing Files: Do not replace'. I will go ahead with these options although not very sure about 'do not replace existing files'.
  3. Failure. A good one actually. Proving that I cannot restore as is and I would have to restart in 'Directory Services Restore Mode', which is good because previously I was thinking that I would have to restart in safe mode.

[screenshot: clip_image006]

  1. Cancelled the restore job and now putting my finger in F8 to get the type of boot I want.
  2. Gotcha.
  3. Going in ‘Directory Services Restore Mode’
  4. First I will try using the ntbackup utility for restore. If that fails then only I would delve into NTDSUTIL
  5. Okay, now another misgiving gone, the one regarding 'do not overwrite existing files', as I received the following message

[screenshot: clip_image008]

  1. Restore progress screen is achieved. Numbers coming up and restore has started. Estimated remaining time is coming as 2 minutes. 7:49
  2. Sheezers. I didn't check what existing users and group policies are there. It would have been a good idea to create a user and a group policy in the new domain controller and see what happens after the restore job. Maybe I will try it later. Next time I just have to run dcpromo, install DNS, restart and then restart again in safe mode and then I can try it again.
  3. Restore complete 7:51. Nice. Took 2 minutes. Again, in a production environment this might be bigger.
  4. Okay, after restart, while trying to close the progress window it has asked for a restart. Good and logical. Restarting and not going to go in Safe mode.
  5. After restart it gave me the following message :(

[screenshot: clip_image010]

  1. I clicked on ‘Yes’
  2. It requires internet connectivity and I don't have that. Let's see. I think I would build another Windows 2003 server from my authorized and licensed version and then check this. Actually that might be a bit better. I think I might have those labs somewhere.
  3. Luckily I already had one lab environment which had licensed Windows 2003 DC and a member server. Tried it and it worked like a charm. The group policy and all the users, OUs etc etc were restored.

System State Backup & Restore

Note: The following scenario is to be used when your domain controller is shot and it was the one and only domain controller in your environment. If you had more than one domain controller, then the following steps are not for you.

1. Create a backup of the system state through ntbackup
2. Store in a share location.
3. Shut down the DC.
4. Create a new Windows 2003 server.
5. Run dcpromo to make it a domain controller. Make the following selections:
a. Select 'Domain Controller for a new domain'
b. Select 'Domain in a new forest'
c. The full DNS name should be exactly the same as the previous domain.
6. Continue to install DNS services.
7. Restart the server.
8. Restart the server in 'Directory Services Restore Mode'.
9. Run ntbackup restore.
10. Select the backup file which was created in step 1.
11. Once the restore is complete, restart the server.
12. Now you can see all the objects, group policies, etc. that were present on the old domain controller.

Sunday, May 24, 2009

Enabling Remote Desktop Through Group Policy

Recently, in an organization I know very closely, a requirement came up to allow a set of users to use 'Remote Desktop' for troubleshooting purposes. The AD administrators there thought for a while and applied the most convenient, most common, but also the riskiest solution: giving 'Domain Admin' access to all these users. Something told me that this is wrong and there must be a better solution.

While doing my MCSE, I learned about Group Policies and stumbled upon a less risky option for the problem mentioned above. I tried it in my lab and it worked like a charm. Not all of the following steps are strictly necessary, but they are based on best practices.

1. Create a security group that will contain all users to whom you want to give Remote Desktop access on all your servers/computers.

2. Put the users inside that security group. 

3. Open the Group Policy Management Console by typing gpmc.msc in Run. If you don't have GPMC, download it for free from the internet and install it in your domain. You can work without GPMC, but it is basically criminal not to have it if you want to work with Group Policies.

4. Create a group policy at the domain or OU level. If you are sure that all your computers are inside a single OU (usually the Computers OU), apply the policy on that OU; otherwise create the policy at the domain level. In the organization under discussion, they have servers spread all over the OUs.

5. Make sure you select the 'Enforced' option. This ensures that the group policy is inherited by child OUs down to the last level, even if inheritance is blocked on a child OU or a child OU has a conflicting policy setting.

6. Edit the policy, go to 'Computer Configuration > Windows Settings > Restricted Groups' and add the group 'Remote Desktop Users'. Add the security group you created in step 1 as a member of this group. This adds your group to the built-in 'Remote Desktop Users' group under 'Local Users and Groups' on each computer. Note that applying a group policy may take some time; to force an update, run 'gpupdate /force' on the target computer.
 
7. Now you need to enable the Remote Desktop service/option on all the target computers. Staying within the same policy, go to Computer Configuration > Administrative Templates > Windows Components > Terminal Services. Find the option 'Allow users to connect remotely using Terminal Services' and enable it.

After this you are good to go. As soon as the group policy is applied to a computer, all users in the security group you created in step 1 can start 'Remote Desktopping' to it. I tried it in my lab and it worked like a charm.

I have written this thinking that you might have worked with AD and/or at least know what and where the group policies are. If you want further information, feel free to drop a line. 
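As an added example (not part of the original post), this PowerShell script checks on a target computer that steps 6 and 7 have actually taken effect, using only built-in tools, and flags any member of the local 'Remote Desktop Users' group that the policy did not put there. The group name CONTOSO\RDP-Troubleshooters is an assumed placeholder for the security group from step 1.

```powershell
# Assumed placeholder for the security group created in step 1.
param([string]$ExpectedGroup = 'CONTOSO\RDP-Troubleshooters')

function Get-LocalGroupMembers([string]$Group) {
    # Parses 'net localgroup' output: member names are listed one per line between
    # the dashed rule and the closing 'The command completed successfully.' line.
    $inList = $false
    foreach ($line in (net localgroup $Group 2>$null)) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

function Get-RdpState {
    # Step 7's policy writes fDenyTSConnections=0 under the Policies key; when that
    # value exists it overrides the local System Properties setting.
    $keys = @(
        @{ Source = 'Group Policy';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' },
        @{ Source = 'Local setting'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' }
    )
    foreach ($k in $keys) {
        $item = Get-ItemProperty -Path $k.Key -Name fDenyTSConnections -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            return New-Object PSObject -Property @{ Enabled = ($item.fDenyTSConnections -eq 0); Source = $k.Source }
        }
    }
    New-Object PSObject -Property @{ Enabled = $false; Source = 'not configured' }
}

$rdp = Get-RdpState
Write-Output ("Remote Desktop enabled: {0} (source: {1})" -f $rdp.Enabled, $rdp.Source)

$members = @(Get-LocalGroupMembers 'Remote Desktop Users')
Write-Output "Local 'Remote Desktop Users' members: $($members -join ', ')"
if ($members -notcontains $ExpectedGroup) {
    Write-Warning "$ExpectedGroup is not a member yet; run 'gpupdate /force' on this computer and re-check."
}
# Restricted Groups ('Members of this group') replaces the whole membership, so any other
# entry here, e.g. 'Domain Admins', means the policy has not applied or someone changed it.
$extra = @($members | Where-Object { $_ -ne $ExpectedGroup })
if ($extra.Count -gt 0) { Write-Warning "Unexpected members: $($extra -join ', ')" }
```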


Sunday, May 17, 2009

Eject USB

Roof Fiddler,

I've seen this happening on XP too every now and then, so there's nothing
new in this behavior on Vista. Two ways I usually troubleshoot/workaround
this issue: configuring drive for quick removal and tracking down offending
process.

1. To configure drive for quick removal, Open Device Manager; expand "Disk
drives" node; double click drive in question; on the Policies tab make sure
"Optimize for quick removal" radio-button is checked. This will slow down
file operations on the drive but will allow you to remove it at any moment
without even using (sometimes failing) "Safe Removal" function.

2. Two usual suspects that can keep your USB drive busy are System Restore
and Indexing. I'd check their settings to see if your system is configured to
either create restore points for this drive or to index its contents for
instant search. Also, I'd find out the exact instance of svchost that has
handles open to this drive and which services are running under this
instance. I use Sysinternals' handle.exe and built-in tasklist.exe
command-line utilities for this. First, you run

handle DRIVE:

to get PIDs of processes that have handles open on the drive. Then you can
run

tasklist /SVC /FI "PID eq PROCESS_ID"

where PROCESS_ID is the PID you've got from handle. If it's svchost that has
handles open, you'll get the list of services that run under this instance
of svchost.

To get friendly names of services, you can use sc.exe built-in utility:

sc qc SERVICE_NAME | find /i "DISPLAY_NAME"

where SERVICE_NAME is the name you've got from tasklist output.



Example:
======================8<========================
C:\>handle H:\

Handle v3.2
Copyright (C) 1997-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

System pid: 4 1C8: H:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00...
System pid: 4 270: H:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf
System pid: 4 27C: H:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00...
System pid: 4 288: H:\$Extend\$RmMetadata\$Txf
System pid: 4 368: H:\System Volume Information\{3808876b-c176-4e48-b7...
System pid: 4 36C: H:\System Volume Information\{477ccf48-a888-11db-b5...
svchost.exe pid: 1148 5BC: H:\$Extend\$ObjId
svchost.exe pid: 1148 5C4: H:\System Volume Information\tracking.log

C:\>tasklist /SVC /FI "PID eq 1148"

Image Name      PID       Services
=============== ========= =======================================
svchost.exe     1148      AudioEndpointBuilder, CscService, EMDMgmt,
                          hidserv, Netman, PcaSvc, SysMain,
                          TabletInputService, TrkWks, UmRdpService,
                          UxSms, WdiSystemHost, WPDBusEnum, wudfsvc

C:\>sc qc AudioEndpointBuilder | find "DISPLAY_NAME"
DISPLAY_NAME : Windows Audio Endpoint Builder

C:\>sc qc CscService | find "DISPLAY_NAME"
DISPLAY_NAME : Offline Files

C:\>sc qc EMDMgmt | find "DISPLAY_NAME"
DISPLAY_NAME : ReadyBoost

C:\bin>
======================8<========================

Hope this helps,

--
Alexander Suhovey
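As an added example (not part of Alexander's reply), the following PowerShell script chains the three commands from the reply into one report: for every process holding handles on the drive, the services hosted in it together with their display names. It assumes Sysinternals handle.exe is on the PATH and defaults to the H: drive used in the reply.

```powershell
# Drive to inspect; H: is the drive from the reply above.
param([string]$Drive = 'H:')

function Get-HoldingProcesses([string]$Drive) {
    # handle.exe lines look like: "svchost.exe pid: 1148 5C4: H:\System Volume Information\tracking.log"
    # Collect one entry per PID (the same process usually holds several handles).
    $seen = @{}
    foreach ($line in (handle.exe -accepteula $Drive 2>$null)) {
        if ($line -match '^(\S+)\s+pid:\s+(\d+)\s') {
            $id = [int]$matches[2]
            if (-not $seen.ContainsKey($id)) { $seen[$id] = $matches[1] }
        }
    }
    foreach ($id in ($seen.Keys | Sort-Object)) {
        New-Object PSObject -Property @{ Image = $seen[$id]; Id = $id }
    }
}

function Get-ServicesInProcess([int]$Id) {
    # In CSV form tasklist puts all hosted service names into one comma-separated cell;
    # a non-service process shows 'N/A', and an unknown PID yields an INFO line instead.
    $row = tasklist /SVC /FO CSV /NH /FI "PID eq $Id" 2>$null |
           ConvertFrom-Csv -Header Image, Pid, Services
    if ($row -and $row.Pid -eq "$Id" -and $row.Services -ne 'N/A') {
        $row.Services -split ',' | ForEach-Object { $_.Trim() }
    }
}

function Get-ServiceDisplayName([string]$Name) {
    # Plain 'sc' is the PowerShell alias for Set-Content, so call sc.exe explicitly.
    foreach ($line in (sc.exe qc $Name 2>$null)) {
        if ($line -match 'DISPLAY_NAME\s*:\s*(.+)$') { return $matches[1].Trim() }
    }
    return '(unknown)'
}

foreach ($p in Get-HoldingProcesses $Drive) {
    Write-Output ("{0} (PID {1})" -f $p.Image, $p.Id)
    foreach ($svc in Get-ServicesInProcess $p.Id) {
        Write-Output ("    {0,-24} {1}" -f $svc, (Get-ServiceDisplayName $svc))
    }
}
```

Very old handle.exe releases do not know the -accepteula switch; drop it there and accept the licence dialog once by hand.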

Sunday, March 29, 2009

Windows PE 2.0: a tiny version of Windows for system maintenance

Original Link: http://apcmag.com/windows_pe_20_a_tiny_version_of_windows_for_system_maintenance.htm

James Bannan
22 August 2006, 4:28 AM

Few people know it, but when you boot off the Vista install DVD, you're booting into a different version of Windows altogether: Windows PE 2.0. Stripped away from the Vista installer, it's a remarkably powerful, compact OS.


It's based on the Vista kernel, but it's extremely compact. It provides read/write access to NTFS filesystems, a wide range of 32- and 64-bit hardware drivers, network connectivity and the ability to run both 32- and 64-bit applications.

However, stripped away from the Vista installer, it's also a very versatile tool for administrators. It allows troubleshooting, installation and system recovery, and its small size means it can be run from CD, USB key or even via network boot.

PE has actually been around since the release of XP, but most administrators have avoided using it, instead preferring more mature third-party management and installation tools.

The newest version of Windows PE (version 2.0) is different. Along with tools which I’ve discussed previously, ImageX and System Image Manager (SIM), Windows PE 2.0 is bundled in the Windows Automated Installation Kit (WAIK), and is an integral part of both the WAIK and Vista itself.

How to get Windows PE

To use Windows PE 2.0, you need to get your hands on the Windows Automated Installation Kit (WAIK), which is a free download from Microsoft.

Finding WinPE on your machine

Once the WAIK is installed, the WinPE folder structure is available in C:\Program Files\Windows AIK\Tools. The main folders needed are the architecture folders (x86, ia64 and amd64), and the PETools and Servicing folders.

Building your own bootable WinPE 2.0 environment

The next step is to create the actual WinPE tool, based on the architecture you require. This is done using the COPYPE.CMD command, which resides in the PETools folder. Navigate there in a command window, or just launch the “Windows PE Tools Command Prompt” link from Start, Program, Microsoft Windows AIK.

[screenshot: winpe02_small.png]

The COPYPE.CMD syntax is “COPYPE.CMD ”, so in this case I’m using “COPYPE.CMD x86 C:\Temp\x86_PE”. The destination folder gets created as part of the process, and shouldn’t already exist. Files are expanded and copied into the correct folder structure - the whole process takes no more than a minute or two.

[screenshot: winpe03_small.png]

The resulting x86_PE folder contains the WINPE.WIM file, a MOUNT folder which you can use to mount the WIM via ImageX, an ISO folder which contains all the files needed to create a WinPE ISO image, and the BIN file needed to make the ISO bootable.

[screenshot: winpe04_small.png]

The ISO is created using OSCDIMG - a command-line application bundled with the WinPE tools. There are quite a few command arguments available, but the most important ones are:

  • -b (specify location of boot file)
  • -n (enable long filenames)
  • -o (optimise storage by ignoring duplicate files -- this is one of the cool standard features of the WIM format).

So the syntax I’m using is “OSCDIMG -bc:\temp\x86_pe\etfsboot.com -n -o c:\temp\x86_pe\iso c:\temp\x86_pe.iso”. The process is nice and quick and the ISO is created. I used Nero to create a bootable CD and used it to fire up the Vista machine.

[screenshot: winpe05_small.png]

Booting and using Windows PE 2.0

The Windows PE 2.0 interface looks like the Vista logon screen with a command window instead of a logon box.

Here, you can do pretty much anything. The real advantage with WinPE is that it is running a stripped-down version of the Vista kernel, so it gives you read/write access to NTFS filesystems, a wide range of 32- and 64-bit hardware drivers, network access and will launch both 32- and 64-bit applications.

[screenshot: winpe01_small.png]

The WinPE system drive is created as X: drive, and all the other machine drives are accessible. You can map network drives, create new physical or logical drives or partition and format existing drives, and reinstall Vista - all from within the WinPE kernel space.

[screenshot: winpe06_small.png]

Customising Windows PE 2.0

Because Windows PE 2.0 complies with all the WIM standards, you can bundle any tools and applications you like and create a customised WinPE operating environment.

You can customise deployment options, create installation menus, make use of local installation media, network distribution or Windows Deployment Services … anything really.

Windows PE 2.0 gives sysadmins a wonderful degree of flexibility. Sysadmins will be making much more use of it than they did of WinPE 1.0. If you'll need to use it for Vista deployment, you should start taking a look under the hood now.

The fact that PE uses Windows Imaging format (WIM) and XML standards means that Vista installation and deployment is the most streamlined and integrated of any Windows operating system yet.

Wednesday, January 14, 2009

Downloading From MegaUpload

1. Load the MegaUpload video in your IE. 
2. Let the video completely load
3. Go in IE > Internet Options > Browsing History > Settings > View Files. 
4. Sort the files by 'Size'. 
5. Check 'Internet Address' and 'Size' to find out which file is from megaupload. 
6. Copy the file to another location in your hard disk. 
7. Rename the file to something meaningful with extension .mp4
8. Use VLC Media Player to view the file. 

Saturday, January 10, 2009

Windows Vista Brightness Issue

Vista brightness worked well, but whenever I closed my laptop's lid and opened it again, Windows Vista started with very low brightness. The laptop's brightness keys were not working either. So I searched, came across this article and hence got the solution.

The solution was:

1. Go to Control Panel > Power Options
2. Click on adjust Display Brightness.
3. I used the slider to select full brightness for both 'On Battery' and 'Plugged In'
4. Press 'Save Changes'
5. I switched off the power and switched it back on and hence got the full brightness I required.

For More Details and Reasons:
http://support.microsoft.com/kb/929249

Friday, January 9, 2009

Enabling Internet in a VPC Guest

Host Operating System: Windows Vista
Guest Operating System: Windows Server 2003


1. Shut down the virtual machine.
2. Go to Settings > Network and enable Shared Networking (NAT).
3. Start the virtual machine.
4. Log in to the guest OS.
5. Right-click 'My Network Places' > Properties.
6. Right-click 'Local Area Connection' > Properties.
7. Just enter the following IP in the section: '192.168.131.254'

Courtesy: 
http://www.tipandtrick.net/2008/fix-virtual-pc-2007-shared-networking-nat-internet-not-working-in-windows-server-2003-2008-and-vista-guest-os/