How to: Remove the “Network” from Windows Explorer in Windows 2008 R2 using Group Policy Preferences

With the following registry key, you can remove the Network from Windows Explorer. Users cannot browse the network anymore.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"=dword:00000001

A nice way to deploy this registry key to all the desktop computers in your organization is to use Group Policy Preferences. This is a new feature in Windows Server 2008.

You can use the following steps to configure this:

1.) Create a new GPO within the Group Policy Management Console
2.) Open the new GPO and navigate to the Computer Settings.
(It is an HKEY_LOCAL_MACHINE setting)
3.) Navigate to Preferences \ Windows Settings \ Registry
4.) Create a new Registry Item
5.) Action: Update
6.) Hive: HKEY_LOCAL_MACHINE
7.) Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum
8.) Value name: {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
9.) Value type: REG_DWORD
10.) Value data: 1 (Decimal), 00000001 (Hexadecimal)
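
The same ten steps can be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original post; the GPO name and the commented-out OU are assumptions, and the helper Test-NetworkNodeHidden is a hypothetical name introduced here.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

$GpoName   = 'Hide Network in Explorer'   # assumed GPO name
$Key       = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum'
$ValueName = '{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}'

# Step 1: create the GPO only if it does not exist yet, so the script can be re-run.
try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $GpoName -Comment 'Hides the Network node in Explorer' }

# Steps 2-10: computer-side Registry preference item, action Update, REG_DWORD 1.
Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
    -Key $Key -ValueName $ValueName -Type DWord -Value 1 | Out-Null

# Read the preference item back from the GPO and fail loudly if it differs.
$item = Get-GPPrefRegistryValue -Name $GpoName -Context Computer -Key $Key -ValueName $ValueName
if ($item.Value -ne 1 -or $item.Action -ne 'Update') {
    throw "Preference item in '$GpoName' does not match the expected value."
}

# The GPO still has to be linked before it applies (assumed OU, adjust to your domain):
# New-GPLink -Name $GpoName -Target 'OU=Desktops,DC=example,DC=local'

# Run on a target computer after 'gpupdate /force' to confirm the value arrived.
function Test-NetworkNodeHidden {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum'
    $prop = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.$ValueName -eq 1)
}
```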

        

How to: show the drive letters first in Windows Explorer

In some situations our customers want to see the drive letters first, instead of the drive name. For example (C:) SYSTEM or SYSTEM (C:). You can edit this with the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShowDriveLettersFirst"=dword:00000004

       

How to: Remove the “Libraries” and the “Control Panel” icons from the desktop in Windows 2008 R2

Today I set up a new Windows 2008 R2 Remote Desktop Services environment. When I configure the GPO “force classic start menu”, all users have the icons “Libraries” and “Control Panel” available on the desktop. You can fix this problem by deleting the following registry keys:

Remove the Libraries icon from the desktop
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{031E4825-7B94-4dc3-B131-E946B44C8DD5}]
Remove Control Panel icon from the desktop
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{26EE0668-A00A-44D7-9371-BEB064C98683}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}]

How to: Create a Mandatory profile in Windows Server 2008 R2

1.) Make a local user on the server (Windows Server 2008 R2 in my environment)
2.) Make the user member of the local administrators group on your server
3.) Log in with this user and customize, for example, the start menu
4.) Log off and log in again with an administrator account
5.) Create a share on your file server. For example \\SRV-RDSDC-01\TSmandatory
6.) For share permissions choose Everyone Full Control, NTFS permissions choose Authenticated Users Read
7.) Turn off Caching on this share
8.) Copy the complete template folder from the C:\Users directory to the new TSmandatory share
9.) Rename the template folder to TSmandatory.V2
You have to add the .V2 in the name of your folder, because it’s the new profile type in Windows Server 2008 and 2008 R2!
10.) Delete the Local and LocalLow folders from the AppData folder
11.) The next step is to add the right permissions on the mandatory profile
12.) Open REGEDIT and load the NTUSER.DAT hive
13.) Right-click on the TS Mandatory profile and choose permissions
14.) Delete the template user and add the Authenticated Users (Full Control)
15.) Unload the NTUSER.DAT from your registry
16.) Rename the NTUSER.DAT to NTUSER.MAN
17.) When you configure a GPO to specify the location of the Mandatory profile, you have to choose the following location:
\\SRV-RDSDC-01\TSmandatory\TSmandatory without the .V2!
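
Before pointing the GPO at the share, the finished profile folder can be checked against the steps above. This is an added example, not part of the original post; the function name Test-MandatoryProfile is hypothetical, and the well-known SIDs stand for Everyone, Authenticated Users and the built-in Users group.

```powershell
# Added example, not from the original post: audit a mandatory profile folder.
function Test-MandatoryProfile {
    param([Parameter(Mandatory = $true)][string]$ProfilePath)
    $findings = @()

    # Step 9: the folder itself must carry the .V2 suffix.
    if ($ProfilePath -notmatch '\.V2\\?$') { $findings += 'Folder name does not end in .V2' }

    # Step 16: the hive must be NTUSER.MAN; a leftover NTUSER.DAT means a writable profile.
    if (-not (Test-Path (Join-Path $ProfilePath 'NTUSER.MAN'))) { $findings += 'NTUSER.MAN is missing' }
    if (Test-Path (Join-Path $ProfilePath 'NTUSER.DAT'))        { $findings += 'NTUSER.DAT is still present' }

    # Step 10: Local and LocalLow must be gone from AppData.
    foreach ($sub in 'AppData\Local', 'AppData\LocalLow') {
        if (Test-Path (Join-Path $ProfilePath $sub)) { $findings += "$sub was not deleted" }
    }

    # Step 6: broad groups should hold Read only on NTFS. Flag any write-type right.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $genericWriteOrAll = 0x50000000          # GENERIC_WRITE | GENERIC_ALL in raw ACEs
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    foreach ($ace in (Get-Acl -Path $ProfilePath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                   # unresolvable account, nothing to compare
        $rights = [int]$ace.FileSystemRights
        if ($broadSids -contains $sid -and
            (($rights -band [int]$writeMask) -or ($rights -band $genericWriteOrAll))) {
            $findings += "$($ace.IdentityReference) can modify the profile: $($ace.FileSystemRights)"
        }
    }
    return $findings
}

# Path taken from the steps above; an empty result means every check passed.
Test-MandatoryProfile -ProfilePath '\\SRV-RDSDC-01\TSmandatory\TSmandatory.V2'
```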

Windows 2008 R2 Core Configurator 2.0

With this nice tool you’re able to manage your Windows 2008 R2 server Core Edition through a graphical user interface. This tool is open source, so if you want something more in it, go ahead! 😉

Core Configuration tasks include:

– Product Licensing
– Networking Features
– DCPromo Tool
– ISCSI Settings
– Server Roles and Features
– User and Group Permissions
– Share Creation and Deletion
– Dynamic Firewall settings
– Display | Screensaver Settings
– Add & Remove Drivers
– Proxy settings
– Windows Updates (Including WSUS)
– Multipath I/O
– Hyper-V including virtual machine thumbnails
– JoinDomain and Computer rename
– Add/remove programs
– Services
– WinRM
– Complete logging of all commands executed

You can download the tool here.

How to: Recovering Deleted AD Objects in Windows Server 2008 R2

A nice new feature in Windows Server 2008 R2 is the Active Directory Recycle Bin. Deleted items can be restored without rebooting the Domain Controller(s), without restarting the Active Directory services and even without any backup tapes!! Let’s have a look at that.

The first step is to enable the Recycle Bin feature. Make sure your functional level is Windows Server 2008 R2 and keep in mind that when you enable this feature, you can’t disable this feature anymore!!

1.) Start the Active Directory Module for Windows PowerShell
Import-Module ActiveDirectory

2.) View the actual settings of the Recycle Bin feature
Get-ADOptionalFeature -Filter { name -like "Recycle*" }

3.) Enable the feature for your Active Directory environment
Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target E2K7SP2.LOCAL

4.) View all the deleted Active Directory objects
Get-ADObject -SearchScope subtree -SearchBase "cn=Deleted Objects,dc=E2K7SP2,dc=LOCAL" -includeDeletedObjects -filter { name -notlike "Deleted*" }

5.) Restore the user objects you want
Restore-ADObject -Identity "CN=User01\0ADEL:cc40dfd4-f671-4e90-90cc-3c8a33b18391,CN=Deleted Objects,DC=E2K7SP2,DC=LOCAL"
Restore-ADObject -Identity "CN=User02\0ADEL:394ec482-5bb2-4131-bdb4-7c92d7193987,CN=Deleted Objects,DC=E2K7SP2,DC=LOCAL"
Restore-ADObject -Identity "CN=User03\0ADEL:19f1bf8b-0227-486a-bc8d-ca72a342e116,CN=Deleted Objects,DC=E2K7SP2,DC=LOCAL"
Restore-ADObject -Identity "CN=User04\0ADEL:1b00b1c9-1f1f-4b74-b027-fa88feb4069d,CN=Deleted Objects,DC=E2K7SP2,DC=LOCAL"
Restore-ADObject -Identity "CN=User05\0ADEL:970b2597-4cf3-4971-87ea-9ada827e376d,CN=Deleted Objects,DC=E2K7SP2,DC=LOCAL"

6.) With this command you restore all the deleted items (Not Recommended!!)
Get-ADObject -SearchScope subtree -SearchBase "cn=Deleted Objects,dc=E2K7SP2,dc=LOCAL" -IncludeDeletedObjects -filter { name -notlike "Deleted*" } | Restore-ADObject

7.) All deleted Active Directory objects are restored now. Even the group membership of the users is restored!! Cool 😀
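
A narrower alternative to the restore-everything command in step 6 is to select deleted objects by their original OU and deletion time and to preview the restore first. This is an added example, not part of the original post; the function name Get-RecentlyDeletedObject and the OU=Sales container are assumptions, the domain name is the one used above.

```powershell
# Added example, not from the original post: scoped restore with a dry run.
Import-Module ActiveDirectory

function Get-RecentlyDeletedObject {
    param(
        [Parameter(Mandatory = $true)][string]$LastKnownParent,   # DN the objects lived in
        [datetime]$Since = (Get-Date).AddDays(-1),                # only deletions after this time
        [string]$ObjectClass = 'user'
    )
    # Ask the domain for its Deleted Objects container instead of hard-coding the DN.
    $deletedContainer = (Get-ADDomain).DeletedObjectsContainer

    # Server-side filter on the original parent; class and time are filtered client-side.
    # Note: a DN containing an apostrophe must be escaped before it is used in the filter.
    Get-ADObject -SearchBase $deletedContainer -SearchScope Subtree -IncludeDeletedObjects `
        -Filter "lastKnownParent -eq '$LastKnownParent'" `
        -Properties lastKnownParent, whenChanged, sAMAccountName |
        Where-Object { $_.ObjectClass -eq $ObjectClass -and $_.whenChanged -ge $Since }
}

# Assumed OU; replace with the container the users were deleted from.
$candidates = Get-RecentlyDeletedObject -LastKnownParent 'OU=Sales,DC=E2K7SP2,DC=LOCAL'

# Review exactly what would come back before touching the directory.
$candidates | Sort-Object whenChanged |
    Format-Table sAMAccountName, whenChanged, lastKnownParent, ObjectGUID -AutoSize

# Dry run: prints the intended restore operations without performing them.
$candidates | Restore-ADObject -WhatIf

# When the list is correct, restore with a prompt per object:
# $candidates | Restore-ADObject -Confirm
```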

How to: Installing a Windows 2008 Read Only Domain Controller (RODC)

In this article I’m going to set up a Read Only Domain Controller in a Windows 2008 environment. There’s already a writable Domain Controller available in the domain GPO.LOCAL. The first step is to Install a new Windows 2008 Server, in my example it’s a Core Edition. After the installation, you can begin configuring your new server.

— Enter the product key:
slmgr.vbs -ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

— Activate Windows:
slmgr.vbs -ato

— Rename the computer:
Netdom renamecomputer "%computername%" /newname:SRV-RODC01 /reboot:15

— Show all network interfaces:
Netsh interface ipv4 show interface

— Set a static IP address:
Netsh interface ipv4 set address name=2 source=static address=172.16.1.11 mask=255.255.0.0 gateway=172.16.1.1
(Make sure that you choose the right network interface. In this example it is 2, so name=2 means interface 2.)

— Set a static DNS server:
Netsh interface ipv4 add dnsserver name=2 address=172.16.1.10 index=1

— Turn Remote Desktop (RDP) on:
Cscript %windir%\system32\SCRegEdit.wsf /ar 0

— Enable Remote Desktop (RDP) in the Windows Firewall:
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
(Note: type this rule in yourself; a copy and paste that brings along typographic quotes will give an error!)

— Enable Remote Management (RemoteCMD) in the Windows Firewall:
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
(Note: type this rule in yourself; a copy and paste that brings along typographic quotes will give an error!)

— Making the unattend.txt:
Copy and paste the following text into a new text file and save this file as unattend.txt on the C: drive of the Core Server.
==================================================
[DCInstall]
InstallDNS=Yes
ConfirmGc=Yes
CriticalReplicationOnly=No
DisableCancelForDnsInstall=No
Password=********
RebootOnCompletion=No
ReplicaDomainDNSName=GPO.local
ReplicaOrNewDomain=ReadOnlyReplica
ReplicationSourceDC=srv-w2k8dc01.gpo.local
SafeModeAdminPassword=********
SiteName=Default-First-Site-Name
UserDomain=GPO.local
UserName=Administrator
==================================================

— Run the DCPROMO
dcpromo /unattend:c:\unattend.txt

— Reboot the Domain Controller
shutdown -r -t 0

As you can see, when you make a connection to the RODC, you are not able to make any changes to existing users or groups, and the option “New” is hidden when you right-click in your environment.

In the next post I’m going to delete a RODC from the environment (for example, if your server is stolen or something like that).