Tuesday, May 26, 2009

Creating a Group Policy to Log Off Remote Desktop’s ‘Disconnected’ sessions


Large IT infrastructures are often faced with a scenario where server administrators, usually while using the Remote Desktops snap-in in MMC, do not log off their sessions. When they close the MMC they are disconnected, not ‘logged off’, from the servers. Those disconnected sessions occupy the server’s limited connections and prevent other users from connecting to it. Open sessions also mean that applications and processes that were running when the user disconnected continue to run indefinitely, consuming valuable system resources.

The following steps will ‘log off’ all such sessions after a specified period of time.

Note: If you want to implement this policy in your organization, please make sure that you communicate it to your server administrators. Forcibly ‘logging off’ a session (even a disconnected one) stops any application and/or copy job they might have started and left to run. Server administrators must be aware of this policy so that they can plan such jobs accordingly. It is also a good idea to set the time-out value as high as e.g. 12-24 hours, during which most operations will finish.

  1. Open Group Policy Management through gpmc.msc. Create a linked policy either at the domain level (not a good practice) or at the OU level (best practice). Make sure you create the policy on the OU where all your servers reside.
  2. Enforce the policy. I love this option since it gives you peace of mind that this policy is applied all the way down the OU chain and will always win in case of precedence and conflict wars with other policies.
  3. Go to Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Sessions.
  4. Select the option ‘Set time limit for disconnected sessions’. Enable it and enter the time limit. ‘Never’ means the session will remain open indefinitely. Usually a time limit of 12 or 24 hours should be good enough.
  5. Please note that this setting will only log off those sessions which have been disconnected by the user. It will not log off any active session.

I hope my readers know the difference between Active, Idle and Disconnected sessions, because if you don’t and you plan to implement a group policy, then God help your organization.

Some Hurdles

Suppose you have put this group policy on the domain or OU level, it is applied on all your servers and things are going hunky dory, when suddenly Aziz from development comes and says that he made an application which he has to start from a Remote Desktop session under a freakish service account. After starting it he disconnects the remote desktop, the application is supposed to run indefinitely, and with the current settings you have messed it all up, because the forced log-off also closes all applications running in the session. Now either you can lecture Aziz on the best practices of code development and execution, OR you can just go into the Group Policy, add that computer account and deny it the ‘Apply Group Policy’ permission. And as you might know, ‘Deny’ is the mother of all precedence.

Some Alternatives & Notes

  1. This setting will not work on connections to Windows XP Professional.
  2. If group policies give you a chill, you can configure this setting manually on each server, or maybe you only want to do it on your mission-critical and resource-hungry servers. Manually it is done by changing the RDP-Tcp Properties on the server.
  3. You can also put this limit on one or more users by changing their properties > Sessions tab.
  4. Since this setting can be configured in multiple places, you may wonder which one takes priority over the other similar settings. The priority, highest first, is:
    1. Group Policy – Computer Configuration
    2. Group Policy – User Configuration
    3. RDP-Tcp Properties
    4. User Session Properties
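As an added example (not part of the original post), the following PowerShell script checks on a server whether the policy described above is in place and whether any disconnected session has outlived the configured limit. It reads the registry value that ‘Set time limit for disconnected sessions’ writes (MaxDisconnectionTime, in milliseconds, under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) and parses the output of the built-in quser.exe. The quser output embedded in the script is constructed for the demonstration; run it with -Live to parse the real output on the server. A disconnected session that has been idle longer than the limit is a sign that the policy is not applying (wrong OU, blocked inheritance, or a ‘Deny’ like the one Aziz got).

```powershell
# Added example: audit disconnected RDP sessions against the GPO time limit.
# Assumes a Windows host with quser.exe; the sample output below is constructed.
param([switch]$Live)   # -Live parses real quser output instead of the sample

# Value written by 'Set time limit for disconnected sessions' (milliseconds; absent = not configured).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-DisconnectLimitHours {
    $v = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).MaxDisconnectionTime
    if ($null -eq $v -or $v -eq 0) { return $null }   # not configured, or set to 'Never'
    return [math]::Round($v / 3600000, 2)
}

# quser's IDLE TIME column is "none"/"." (active), minutes ("25"), h:mm ("13:40") or d+h:mm ("1+03:17").
function ConvertTo-IdleHours([string]$idle) {
    if ($idle -match '^(none|\.)$') { return 0 }
    $days = 0
    if ($idle -match '^(\d+)\+(.+)$') { $days = [int]$Matches[1]; $idle = $Matches[2] }
    $parts = $idle -split ':'
    if ($parts.Count -eq 2) { $h = [int]$parts[0]; $m = [int]$parts[1] } else { $h = 0; $m = [int]$parts[0] }
    return $days * 24 + $h + $m / 60
}

# A disconnected session has an empty SESSIONNAME column, so after splitting on runs of
# two or more spaces its row has five fields instead of six; re-insert the blank column.
function ConvertFrom-QuserOutput([string[]]$lines) {
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        if ($line.Trim() -eq '') { continue }
        $f = $line.TrimStart('>').Trim() -split '\s{2,}'
        if ($f.Count -eq 5) { $f = @($f[0], '') + $f[1..4] }
        New-Object PSObject -Property @{
            UserName = $f[0]; SessionName = $f[1]; Id = [int]$f[2]
            State    = $f[3]; IdleHours   = ConvertTo-IdleHours $f[4]; LogonTime = $f[5]
        }
    }
}

# Constructed sample in quser's layout (not captured from a real server).
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>admin1                rdp-tcp#3           1  Active          .  5/26/2009 7:05 AM',
    ' aziz                                      2  Disc        13:40  5/25/2009 5:20 PM',
    ' svc_batch                                 3  Disc         0:25  5/26/2009 6:40 AM'
)
$lines = if ($Live) { quser 2>$null } else { $sample }
$limit = Get-DisconnectLimitHours
if ($null -eq $limit) { Write-Warning 'MaxDisconnectionTime is not set here: disconnected sessions are never logged off.' }

ConvertFrom-QuserOutput $lines | Where-Object { $_.State -eq 'Disc' } | ForEach-Object {
    $flag = if ($null -ne $limit -and $_.IdleHours -gt $limit) { 'EXCEEDS LIMIT - is the policy applying?' } else { 'within limit' }
    '{0,-12} id={1} idle={2,6:N2}h  {3}' -f $_.UserName, $_.Id, $_.IdleHours, $flag
}
```

Run it under an account that can read HKLM and list sessions; with the sample input and a 12-hour limit, only aziz's session is flagged.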

Restoring a system state backup (Captain’s Log)

 

The following is the restoration of a system state backup in ‘Captain’s Log’ format, meaning it’s not very refined and might have some typos, but it has all the steps and also the decisions that I made and why.

  1. I created a group policy on the domain level, by which I ‘Removed Help menu from the Start Menu’ for all users.
  2. I ran gpupdate /force
  3. Ran ntbackup
  4. Selected SystemStateBackup, selected a ‘Normal’ copy and then provided a location on D for copying the backup file.
  5. Backup has started and it’s going on well. It took some time reading the data to back up and then the numbers appeared in the ‘Backup Progress’ screen. Initially it showed me an estimated time of 3 minutes.
  6. It took a little over 3 minutes. I believe in production environments it will be quite a bit higher than this.
  7. I clicked on ‘Report’ to check whether there was anything untoward. There wasn’t.
  8. I checked the size of the backup file; it is 503 MB.
  9. Transferring the file to DEN-SRV1.
  10. I don’t like copying stuff to the root and don’t like to bury my file under millions of folders. So I am copying it into the legal folder on the C drive.
  11. Copy complete.
  12. Now assuming that my DEN-DC1 is dead. I am going to close my virtual machine and delete all changes, since I want to use this machine for future labs and want to keep the size to a minimum. This can be a very tricky scenario.
  13. Before running dcpromo, note that DEN-SRV1 is already joined to the domain controlled by DEN-DC1. I will keep the IP and network settings as they are and see what happens, as this can happen in a real scenario.
  14. Selected ‘Domain controller for a new domain’.
  15. Selected ‘Domain in a new forest’.
  16. Provided the full DNS name contoso.msft. This name should be exactly the same as the name of my domain. I can’t create a new domain and restore the backup of the old domain to this new domain. I know this much, okay. (Angry smiley)
  17. After giving the FULL DNS name for the new domain, I pressed ‘Next’ and it’s still pressed after a minute. Let’s see what happens. 7:25
  18. Okay, done. Within a minute.
  19. Now it’s asking for the Domain NetBIOS name, for which I have given ‘CONTOSO’.
  20. Going with the default database folder and log folder.
  21. And sysvol folder.
  22. Hmmmm. DNS diagnostic failed. Obviously it would fail, since DEN-DC1 was also my DNS server. Three available options and I am going with ‘Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server’.
  23. Asked for ‘Restore Mode’ and ‘Confirm’ password, and I entered Pa$$w0rd. Yes I know they are the same.
  24. Now I think it’s installing the DNS. As I can see a server icon, with a book icon in front and a crazy pencil writing something on it.
  25. Hmmm. I got this message. Because I chose not to remove my original IP settings and/or disjoin the computer from the domain. So it has done it itself.

clip_image002

  1. Sheezers. I should have tested the backup before running dcpromo. Maybe I wouldn’t have needed to run dcpromo at all. Anyways I can try it later. Bolded to remember what I have to try later.
  2. The crazy pencil has finished writing and some installation started; no, no, the pencil is back again now. ‘Configuring DNS service on this computer’.
  3. Okay, it’s complete now. And it’s asking for a restart. Shall I restart? Okay, I will. What have I got to lose except time? It’s all virtual machines; I can revert back to an earlier point in time.
  4. Okay, the machine is restarted now.
  5. I have logged in and now I will try to restore the backup by double clicking on it. I know that it doesn’t work, as I would have to restart the server in safe mode and use NTDSUTIL to restore the backup, but what’s the harm in trying.
  6. ntbackup has started. I am going in wizard mode.
  7. Selected ‘Restore files and settings’ and browsed to the file again. Double clicking the backup file just started ntbackup.

clip_image004

  1. I selected the ‘System State’ as mentioned in the pic above.
  2. Now the restore screen is saying ‘Restore to Original Location’ and ‘Existing Files: Do not replace’. I will go ahead with these options although I am not very sure about ‘do not replace existing files’.
  3. Failure. A good one actually, proving that I cannot restore as is and I would have to restart in ‘Directory Services Restore Mode’, which is good because previously I was thinking that I would have to restart in safe mode.

clip_image006

  1. Cancelled the restore job and now putting my finger on F8 to get the type of boot I want.
  2. Gotcha.
  3. Going in ‘Directory Services Restore Mode’.
  4. First I will try using the ntbackup utility for the restore. Only if that fails would I delve into NTDSUTIL.
  5. Okay, now another misgiving is gone, the one regarding ‘do not overwrite existing files’, as I received the following message:

clip_image008

  1. Restore progress screen is achieved. Numbers coming up and restore has started. Estimated remaining time is showing as 2 minutes. 7:49
  2. Sheezers. I didn’t check what existing users and group policies are there. It would have been a good idea to create a user and a group policy on the new domain controller and see what happens after the restore job. Maybe I will try it later. Next time I just have to run dcpromo, install DNS, restart and then restart again in safe mode, and then I can try it again.
  3. Restore complete 7:51. Nice. Took 2 minutes. Again, in a production environment this might be bigger.
  4. Okay, after restart, while trying to close the progress window it asked for a restart. Good and logical. Restarting and not going to go in Safe mode.
  5. After restart it gave me the following message:

clip_image010

  1. I clicked on ‘Yes’
  2. It requires internet connectivity and I don’t have that. Let’s see, I think I would build another Windows 2003 server from my authorized and licensed version and then check this. Actually that might be a bit better. I think I might have those labs somewhere.
  3. Luckily I already had one lab environment which had licensed Windows 2003 DC and a member server. Tried it and it worked like a charm. The group policy and all the users, OUs etc etc were restored.

System State Backup & Restore

Note: The following scenario is to be used when your domain controller is shot and it was the one and only domain controller in your environment. If you had more than one domain controller, the following steps are not for you.

1. Create a backup of the system state through ntbackup
2. Store in a share location.
3. Shut down the DC.
4. Create a new Windows 2003 server.
5. Run dcpromo to make it a domain controller. Make the following selections:
a. Select ‘Domain Controller for a new domain’
b. Select ‘Domain in a new forest’
c. The full DNS name should be exactly the same as the previous domain.
6. Continue to install DNS services
7. Restart the server.
8. Restart the server in ‘Directory Services Restore Mode’
9. Run ntbackup restore
10. Select the backup file which was created in step 1
11. Once the restore is complete, restart the server.
12. And now you can see all the objects, group policies etc which were present in the old domain controller.
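Steps 1 and 2 of this procedure as an added PowerShell example, not a script from the original post. It runs ntbackup in batch mode with verification and a full log, hashes the resulting .bkf, and checks the hash again after copying it to the share, so a corrupt copy is caught now rather than during a restore (the lesson from the log above about testing the backup first). The paths, the share name, and the NTBackup log location and failure wording it looks for are assumptions to adjust for your environment. Two things the procedure implies but does not say: ntbackup’s command line only backs up, so the restore (steps 8-11) has to be done in the GUI in Directory Services Restore Mode; and the system state includes the Active Directory database, so the share holding the .bkf deserves the same access restrictions as the domain controller itself.

```powershell
# Added example: scripted system state backup (steps 1-2 of the procedure above) with
# verification, a SHA-256 of the .bkf, and an integrity check of the copy on the share.
# Assumes Windows Server 2003 with ntbackup.exe. The paths below are placeholders.
param(
    [string]$LocalDir = 'D:\Backups',
    [string]$Share    = '\\DEN-SRV1\legal'   # placeholder share; restrict its ACL to the DC admins
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$bkf   = Join-Path $LocalDir "SystemState-$stamp.bkf"
if (-not (Test-Path $LocalDir)) { New-Item -ItemType Directory -Path $LocalDir | Out-Null }

# ntbackup's command line can only back up, never restore. /V:yes verifies after writing,
# /L:f writes a full log, /M normal selects a normal backup. It is a GUI program, so wait for it.
$ntArgs = "backup systemstate /J `"SystemState $stamp`" /F `"$bkf`" /V:yes /L:f /M normal"
Start-Process -FilePath "$env:SystemRoot\system32\ntbackup.exe" -ArgumentList $ntArgs -Wait
if (-not (Test-Path $bkf)) { throw "ntbackup produced no file at $bkf; read its log before retrying." }

# NTBackup writes backupNN.log (UTF-16) under the profile; on failure the log states that the
# operation did not successfully complete. Path and wording are assumed from Windows 2003's NTBackup.
$logDir = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data'
$log = Get-ChildItem -Path $logDir -Filter 'backup*.log' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime | Select-Object -Last 1
if ($log -and (Get-Content $log.FullName | Select-String -Pattern 'did not successfully complete' -Quiet)) {
    throw "NTBackup reported a failure; see $($log.FullName)"
}

function Get-FileSha256([string]$path) {
    # .NET hashing, since Get-FileHash does not exist on this generation of PowerShell.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

$localHash = Get-FileSha256 $bkf
Set-Content -Path "$bkf.sha256" -Value "$localHash  $(Split-Path $bkf -Leaf)"

# Step 2: copy to the share and prove the copy is byte-identical before trusting it.
Copy-Item -Path $bkf, "$bkf.sha256" -Destination $Share
$remoteHash = Get-FileSha256 (Join-Path $Share (Split-Path $bkf -Leaf))
if ($remoteHash -ne $localHash) { throw 'Hash mismatch after copy; do not rely on the copy on the share.' }
"System state backup $bkf copied to $Share (SHA-256 $localHash)."
```

Keep the .sha256 file with the backup: when you later restore on a rebuilt server (step 10), recomputing the hash with the same function tells you the file you are about to feed ntbackup is the one you made.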

Sunday, May 24, 2009

Enabling Remote Desktop Through Group Policy

Recently, in an organization I know very closely, a requirement came up to allow a set of users to use 'Remote Desktop' for troubleshooting purposes. The AD administrators over there thought for a while and applied the most convenient, common, but also the riskiest solution, i.e. giving 'Domain Admin' access to all these users. Something told me that it's wrong and there must be a better solution.

While doing my MCSE, I learned about Group Policies and then stumbled upon a less risky option for the above mentioned problem. I tried it in my lab and it worked like a charm. Not all of the following steps are strictly necessary, but they are based on best practices.

1. Create a security group which will contain all the users to whom you want to give Remote Desktop access to all your servers/computers.

2. Put the users inside that security group. 

3. Open the Group Policy Management Console by typing the command gpmc.msc in Run. If you don't have GPMC, then download it for free from the internet and install it in your domain. Although you can work without GPMC as well, but it is basically criminal not to have GPMC if you want to work with Group Policies.

4. Create a group policy at the domain / OU level. If you are sure that all your computers are inside a single OU (usually the Computers OU), then apply the policy on that OU; otherwise create the policy at the domain level. In the organization under discussion, they have servers spread all over the OUs.

5. Make sure that you have selected the 'Enforced' option. This option ensures that the group policy is inherited by child OUs down to the last level, even if inheritance is blocked on a child OU or a child OU has a conflicting policy setting.

6. Edit the policy and go to 'Computer Configuration > Windows Settings > Restricted Groups' and then add the group 'Remote Desktop Users'. Add the security group you created in step 1 as a member of this group. This adds your security group to the built-in 'Remote Desktop Users' group under 'Local Users and Groups' on each computer. Please note that application of a group policy might take some time. If you want to force an update, you can run the 'gpupdate /force' command on the target computer.
 
7. Now you need to enable the Remote Desktop service/option on all the target computers. Staying within the same policy, go to Computer Configuration > Administrative Templates > Windows Components > Terminal Services. Find the option 'Allow users to connect remotely using Terminal Services' and enable it.

After this you are good to go. As soon as the group policy is applied on a computer, it allows all the users in the security group you created in step 1 to start 'Remote Desktopping' to it. I tried it in my lab and it worked like a charm.
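To see that steps 6 and 7 actually landed on a target computer, here is an added PowerShell check (not from the original post). It reads the value the 'Allow users to connect remotely' setting writes (fDenyTSConnections = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) alongside the value the service honours under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, and lists the members of the local 'Remote Desktop Users' group through the WinNT ADSI provider. The expected member name is a placeholder for the group from step 1. One caveat worth knowing about Restricted Groups: the 'Members of this group' list is authoritative, so on every refresh the policy removes anyone it does not list; that is exactly what you want here, but it means any member added by hand on a server will disappear.

```powershell
# Added example: check on a target computer that both settings from steps 6 and 7 took effect.
# Assumes the built-in local group 'Remote Desktop Users' and the Terminal Services policy key;
# the expected member below is a placeholder for the security group from step 1.
param([string]$ExpectedMember = 'CONTOSO\RDP-Support')   # placeholder: DOMAIN\YourGroup

function Get-RemoteDesktopPolicyState {
    # fDenyTSConnections = 0 means connections are allowed. The Policies key is what the GPO
    # writes; the Terminal Server key is what the service actually honours.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $eff = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        PolicyConfigured = ($null -ne $pol) -and ($null -ne $pol.fDenyTSConnections)
        PolicyAllows     = ($null -ne $pol) -and ($pol.fDenyTSConnections -eq 0)
        EffectiveAllows  = ($null -ne $eff) -and ($eff.fDenyTSConnections -eq 0)
    }
}

function Get-LocalGroupMembers([string]$group) {
    # WinNT provider; each member's ADsPath is WinNT://DOMAIN/Name, returned here as DOMAIN\Name.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$state   = Get-RemoteDesktopPolicyState
$members = @(Get-LocalGroupMembers 'Remote Desktop Users')

$state | Format-List
'Remote Desktop Users members: ' + ($members -join ', ')

# Restricted Groups 'Members of this group' is authoritative: on every refresh the GPO removes
# anyone it did not list, so an extra member here means the policy has not applied yet or
# someone is changing local membership between refreshes; either way, look into it.
$unexpected = @($members | Where-Object { $_ -ine $ExpectedMember })
if ($unexpected.Count -gt 0) { Write-Warning ('Unexpected members: ' + ($unexpected -join ', ')) }
if ($members -notcontains $ExpectedMember) { Write-Warning "Expected member $ExpectedMember is missing." }
if (-not $state.EffectiveAllows) { Write-Warning 'Remote Desktop is still disabled here; run gpupdate /force and re-check.' }
```

Run it locally on a target server after gpupdate /force; PolicyConfigured tells you the GPO reached the machine, EffectiveAllows tells you Terminal Services is actually accepting connections.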

I have written this thinking that you might have worked with AD and/or at least know what and where the group policies are. If you want further information, feel free to drop a line. 


Sunday, May 17, 2009

Eject USB

Roof Fiddler,

I've seen this happening on XP too every now and then, so there's nothing
new in this behavior on Vista. Two ways I usually troubleshoot/workaround
this issue: configuring drive for quick removal and tracking down offending
process.

1. To configure drive for quick removal, Open Device Manager; expand "Disk
drives" node; double click drive in question; on the Policies tab make sure
"Optimize for quick removal" radio-button is checked. This will slow down
file operations on the drive but will allow you to remove it at any moment
without even using (sometimes failing) "Safe Removal" function.

2. Two usual suspects that can keep your USB drive busy are System Restore
and Indexing. I'd check their settings to see if your system is configured to
either create restore points for this drive or to index its contents for
instant search. Also, I'd find out exact instance of svchost that has
handles open to this drive and which services are running under this
instance. I use Sysinternals' handle.exe and built-in tasklist.exe
command-line utilities for this. First, you run

handle DRIVE:

to get PIDs of processes that have handles open on the drive. Then you can
run

tasklist /SVC /FI "PID eq PROCESS_ID"

where PROCESS_ID is the PID you've got from handle. If it's svchost that has
handles open, you'll get the list of services that run under this instance
of svchost.

To get friendly names of services, you can use sc.exe built-in utility:

sc qc SERVICE_NAME | find /i "DISPLAY_NAME"

where SERVICE_NAME is the name you've got from tasklist output.



Example:
======================8<========================
C:\>handle H:\

Handle v3.2
Copyright (C) 1997-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

System pid: 4 1C8: H:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00...
System pid: 4 270: H:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf
System pid: 4 27C: H:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00...
System pid: 4 288: H:\$Extend\$RmMetadata\$Txf
System pid: 4 368: H:\System Volume Information\{3808876b-c176-4e48-b7...
System pid: 4 36C: H:\System Volume Information\{477ccf48-a888-11db-b5...
svchost.exe pid: 1148 5BC: H:\$Extend\$ObjId
svchost.exe pid: 1148 5C4: H:\System Volume Information\tracking.log

C:\>tasklist /SVC /FI "PID eq 1148"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1148 AudioEndpointBuilder, CscService, EMDMgmt,
                                   hidserv, Netman, PcaSvc, SysMain,
                                   TabletInputService, TrkWks, UmRdpService,
                                   UxSms, WdiSystemHost, WPDBusEnum, wudfsvc

C:\>sc qc AudioEndpointBuilder | find "DISPLAY_NAME"
DISPLAY_NAME : Windows Audio Endpoint Builder

C:\>sc qc CscService | find "DISPLAY_NAME"
DISPLAY_NAME : Offline Files

C:\>sc qc EMDMgmt | find "DISPLAY_NAME"
DISPLAY_NAME : ReadyBoost

C:\bin>
======================8<========================

Hope this helps,

--
Alexander Suhovey
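As an added example, not part of Alexander's reply, here is a PowerShell wrapper around the three commands he describes: it parses handle.exe's output into process/PID/path records, groups them by process, and for each svchost instance asks tasklist /SVC which services it hosts and sc qc for their display names. It assumes Sysinternals handle.exe is on the PATH; the handle output embedded in the script is constructed in the tool's layout, and with -Drive the script runs the real commands instead. Note the sc.exe spelling: in PowerShell a bare sc is the alias for Set-Content.

```powershell
# Added example: automate the handle -> tasklist /SVC -> sc qc chain from the reply above.
# Assumes Sysinternals handle.exe is on the PATH (run 'handle -accepteula' once first).
# Without -Drive it parses the constructed sample below; with -Drive H:\ it runs live.
param([string]$Drive)

# Constructed sample in handle.exe's layout (not captured output).
$sample = @(
    'System             pid: 4     368: H:\System Volume Information\{3808876b-c176-4e48-b7...',
    'svchost.exe        pid: 1148  5BC: H:\$Extend\$ObjId',
    'svchost.exe        pid: 1148  5C4: H:\System Volume Information\tracking.log',
    'explorer.exe       pid: 2212  1A0: H:\Photos\'
)

function ConvertFrom-HandleOutput([string[]]$lines) {
    # Newer handle versions insert "type: File" before the handle value; that group is optional.
    foreach ($l in $lines) {
        if ($l -match '^\s*(\S+)\s+pid:\s+(\d+)\s+(?:type:\s+\S+\s+)?([0-9A-Fa-f]+):\s+(.+)$') {
            New-Object PSObject -Property @{
                Process = $Matches[1]; ProcessId = [int]$Matches[2]; Handle = $Matches[3]; Path = $Matches[4].Trim()
            }
        }
    }
}

function Get-ServicesForProcess([int]$processId) {
    # /FO CSV quotes every field, and the Services field is itself a comma-separated list.
    # Lines that are not CSV rows (e.g. "INFO: No tasks ...") are dropped.
    $rows = tasklist /SVC /FO CSV /NH /FI "PID eq $processId" | Where-Object { $_ -like '"*' }
    if (-not $rows) { return @() }
    $row = $rows | ConvertFrom-Csv -Header 'Image', 'PID', 'Services' | Select-Object -First 1
    if ($row.Services -eq 'N/A') { return @() }
    return @($row.Services -split ',' | ForEach-Object { $_.Trim() })
}

function Get-ServiceDisplayName([string]$serviceName) {
    # Call sc.exe explicitly: in PowerShell a bare 'sc' is the alias for Set-Content.
    foreach ($l in (sc.exe qc $serviceName)) {
        if ($l -match 'DISPLAY_NAME\s*:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return '(unknown)'
}

$lines = if ($Drive) { handle.exe $Drive } else { $sample }
ConvertFrom-HandleOutput $lines | Group-Object ProcessId | ForEach-Object {
    $group = $_
    $proc  = $group.Group[0].Process
    '{0} (PID {1}) holds {2} handle(s) on the drive:' -f $proc, $group.Name, $group.Count
    $group.Group | ForEach-Object { '    ' + $_.Path }
    if ($Drive -and $proc -ieq 'svchost.exe') {
        # svchost hosts several services; only on the live system can we ask which ones.
        foreach ($svc in Get-ServicesForProcess ([int]$group.Name)) {
            '    service {0} = {1}' -f $svc, (Get-ServiceDisplayName $svc)
        }
    }
}
```

The sample run shows the grouping (System, svchost.exe and explorer.exe each with their paths); a live run with -Drive H:\ adds the service names under each svchost entry, which is the part you actually need to decide what to stop before pulling the drive.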