Internet Explorer Trusted Sites and Automatic User Logon Registry (ADFS/SSO)

You can’t use a GPO if you want your users to be able to add sites to Trusted Sites in Internet Explorer themselves. You can use the good old registry, though.
These are per-user settings, so users can edit their own registry values; if you run the script with elevated rights, you change the elevated user’s settings instead.
So I used HKEY_CURRENT_USER to add some domains (and subdomains) and change a setting in IE using a VBS script.

The customer I used this for wanted SSO using ADFS to a site, so this option had to be enabled: “Internet Explorer Settings / Security / Trusted Sites / Custom Level / User Authentication / Logon / Automatic Logon with current user name and password”

After two hours of searching around, I borrowed some code and adapted a script into the following (thank you windowsitpro.com and thank you nefaria.com for info):

'This script adds 2 domains with subdomains as trusted sites, and turns on autologon with current username and password
'Basic script was found at 
'https://nefaria.com/2009/10/adding-trusted-sites-for-ie-via-the-registry/
'Setting Autologon with username and password was found at 
'http://windowsitpro.com/networking/jsi-tip-5130-how-can-i-manage-internet-explorer-security-zones-registry
' 
' Thanks windowsitpro.com and nefaria.com
'
'I needed this setting for ADFS SSO, and didn't want managed Trusted Sites (Users can now still add their own trusted sites if they want)
'
' Registry settings for autologon:
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
'"1A00"=dword:00000000
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
'@=""
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain1.com]
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain1.com\subdomain]
'"https"=dword:00000002
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain2.com]
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain2.com\subdomain]
'"https"=dword:00000002

Option Explicit
Dim DomainArray(1), SubDomainArray(1), strComputer, strHTTPS, strAutoLogon
Dim dwordZone, dwordAutoLogon, regPath, objReg, counter, subkeyPath
Dim subkeyValue

Const HKEY_CLASSES_ROOT = &H80000000
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
Const HKEY_CURRENT_CONFIG = &H80000005

strComputer = "."
strHTTPS = "https"
strAutoLogon = "1A00"
dwordAutoLogon = "0"
dwordZone = "2"

DomainArray(0) = "domain1.com\"
SubDomainArray(0) = "subdomain\"

DomainArray(1) = "domain2.com\"
SubDomainArray(1) = "subdomain\"

Set objReg = GetObject("winmgmts:{impersonationLevel = impersonate}!\\" & strComputer & "\root\default:StdRegProv")

regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"
objReg.CreateKey HKEY_CURRENT_USER,regPath

regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"
objReg.CreateKey HKEY_CURRENT_USER,regPath

'Add domains and subdomains to Trusted Sites
For counter = 0 to 1
        subkeyPath = regPath & DomainArray(counter)
        objReg.CreateKey HKEY_CURRENT_USER,subkeyPath
        subkeyPath = regPath & DomainArray(counter) & SubDomainArray(counter)
        objReg.CreateKey HKEY_CURRENT_USER,subkeyPath
        objReg.SetDWORDValue HKEY_CURRENT_USER,subkeyPath,strHTTPS,dwordZone
Next

'set Autologon with current username and password
regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"
objReg.SetDWORDValue HKEY_CURRENT_USER,regPath,strAutoLogon,dwordAutoLogon

You can then execute it for the user as follows:

cscript //B script.vbs
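
Because users can still add their own Trusted Sites, every site in zone 2 gets automatic logon once 1A00 is 0. The following is an added example (not part of the original script or its sources) that audits a .reg export of the Internet Settings key against an approved list; the sample export, example.net and the names parse_reg, audit and APPROVED are constructed for illustration. A real export from reg.exe is UTF-16, so read it with encoding="utf-16".

```python
import re

# Hive-relative key paths, lower-cased (registry key names are case-insensitive).
INET = r"software\microsoft\windows\currentversion\internet settings"
DOMAINS = INET + r"\zonemap\domains"
TRUSTED_ZONE = INET + r"\zones\2"
LOGON_MODES = {  # values of 1A00 (User Authentication / Logon)
    0x00000: "automatic logon with current user name and password",
    0x10000: "prompt for user name and password",
    0x20000: "automatic logon only in Intranet zone",
    0x30000: "anonymous logon",
}

# Constructed sample: the two entries the script above creates, plus one
# site a user added by hand (example.net is a made-up value).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1A00"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain1.com\subdomain]
"https"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain2.com\subdomain]
"https"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"http"=dword:00000002
"""
APPROVED = {"https://subdomain.domain1.com", "https://subdomain.domain2.com"}

def parse_reg(text):
    """Return {hive-relative key path (lower case): {value name: int}} for DWORD values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].split("\\", 1)[-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text, approved):
    """List Trusted Sites (zone 2) entries and whether IE logs on to them automatically."""
    keys = parse_reg(text)
    trusted = []
    for path, values in keys.items():
        if path.startswith(DOMAINS + "\\"):
            # Key is Domains\<domain>[\<subdomain>]; the value name is the scheme.
            host = ".".join(reversed(path[len(DOMAINS) + 1:].split("\\")))
            trusted += [f"{scheme}://{host}" for scheme, zone in values.items() if zone == 2]
    mode = keys.get(TRUSTED_ZONE, {}).get("1A00")
    return {
        "logon": LOGON_MODES.get(mode, "not set or unrecognised in this export"),
        "sends_credentials_to": sorted(trusted) if mode == 0 else [],
        "unapproved": sorted(set(trusted) - set(approved)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_REG, APPROVED))
```

The audit only covers the HKEY_CURRENT_USER values in the export; machine-wide or policy settings are not evaluated.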

Hope this helps you!


HP Device Manager installation

Here’s a quick blurb from this afternoon, quickly testing HP Device Manager on my LAN here.

(On Win2008 R2, will try server 2012 soon)

Install .NET 4.5
Install SQL Express 2014
Turn on SQL Server browser service (set to automatic) and start the service (using e.g. start run: services.msc)

For FTP access I installed FileZilla. https://filezilla-project.org/
It expects the name of the share that you use as a directory, so in FileZilla, configure a username and password and set the home directory of that user to the inetpub ftproot after installation of the HP Device Manager.

Download and install HP Device Manager 4.7
http://www8.hp.com/us/en/thin-clients/downloads.html
or
ftp://ftp.hp.com/pub/hpdm/Software/4.7/
You need the .exe; you can upgrade afterwards by running the latest Service Pack (SP5, see the HP FTP site).
Install on a disk location where you want the application.
After installation, configure MS SQL.
In the server field, with default SQL installation, enter:
SERVERNAME\SQLEXPRESS
With windows username authentication or sql username authentication
The rest should be default.

Note: you may want to place the inetpub (the repository) on a large disk, as you can capture images from that location. Captured images can be large.
Share that location, using advanced sharing.

Since I am in a domain, the username must be given in the “DOMAIN\Username” form.

You may want to reboot after configuration in order to see if everything starts correctly.

Now you should be able to start HP Device Manager and discover devices in your lan.

Hope this helps you.


Remove .NET Framework because of Mamut software

On a completely updated Windows 7 workstation you may have .NET Framework 4.6.
This sometimes doesn’t work with particular (older) versions of Mamut Business Software.
In order to fix this, remove all updates for .NET framework from Windows Updates.

Then go to Control Panel, Programs and features, and remove all mentions of .Net Framework 4.6 (including language packs).

Reboot. Now you can install your Mamut software.

(I have not yet tested whether it breaks when you update afterwards, but we will see soon, I guess.)

Hope this helps you,
cheers.


VMware 5.5, HP P2000, Datastores, iSCSI, ATS, VAAI and whatnot

Brilliant, the customer got a freshly installed Gen9 HP host with 112Gb mem.
My colleague installed it with VMware and it seems to work fine.

But not for the datastores it is supposed to work with.
I wanted to add the datastores that are located on an HP P2000 storage unit.
Turns out it needs an extra driver.
Errors appeared with texts like: “ATS-Only VMFS volume ‘DATASTORE-NAME’ not mounted. Host does not support ATS or ATS initialization has failed.”

It sure failed. By missing a plugin that is.

The HP Software is in the form of zip file that needs to be uploaded to your host: https://h20566.www2.hpe.com/hpsc/swd/public/detail?idx=0&swEnvOID=&action=driverDocument&swLang=&itemLocale=&swItemId=MTX_30e09de4fc7e4498bfd9102a99&lang=en-us&cc=us&mode=3

The VMware info can be found here:

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2006858

The file can also be downloaded from this article -> hp_vaaip_p2000_210.

However, some things didn’t quite work out, such as the command “esxupdate –bundle”. Probably due to “old info”.

After some searching, the steps I followed to get it working were as follows:

Download the HP zip file.
Open up your VMware host, and browse to the local datastore.
Upload your file to the local datastore.
Go to configuration, security profile, click SSH, properties, Start, OK.
You’ve now started the SSH server on your host.
You can now use an SSH client such as PuTTY to log in as root to the IP of your host.
Perform the following commands:

mkdir /root
mv /vmfs/volumes/yourdatastore/hp_vaaip_p2000_210.zip /root/
cd /root/
unzip hp_vaaip_p2000_210.zip

Then, set the host in maintenance mode with:

vim-cmd hostsvc/maintenance_mode_enter

Then install the software with:

esxcli software vib install -d hp_vaaip_p2000_offline-bundle-210.zip

Only to find out that this creates a set of errors (in my case). wtf.

I got:

 [MetadataDownloadError]
 Could not download from depot at zip:/var/log/vmware/hp_vaaip_p2000_offline-bundle-210.zip?index.xml, skipping (('zip:/var/log/vmware/hp_vaaip_p2000_offline-bundle-210.zip?index.xml', '', "Error extracting index.xml from /var/log/vmware/hp_vaaip_p2000_offline-bundle-210.zip: [Errno 2] No such file or directory: '/var/log/vmware/hp_vaaip_p2000_offline-bundle-210.zip'"))
 url = zip:/var/log/vmware/hp_vaaip_p2000_offline-bundle-210.zip?index.xml
 Please refer to the log file for more details.

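Fine! /var/log/vmware/hp_vaaip_p2000_offline-bundle-210.zip is missing: as the error shows, the relative path given to -d was looked up under /var/log/vmware/ and not in the current directory.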
Oh well, then we copy it there?

cp /root/hp_vaaip_p2000_offline-bundle-210.zip /var/log/vmware/

Then just perform the same command again in /root (don’t cd to /var/log/vmware/)

esxcli software vib install -d hp_vaaip_p2000_offline-bundle-210.zip

To get:

Installation Result
 Message: Operation finished successfully.
 Reboot Required: false
 VIBs Installed: Hewlett-Packard_bootbank_vmware-esx-hp_vaaip_p2000_2.1.0-2
 VIBs Removed:
 VIBs Skipped:

Successful! That seemed to work.

Take your host out of Maintenance mode and reboot your VMware host in order to load the new plugin/driver/whatever HP thinks it is, and now your ATS Datastores should be visible.

Hope this helps you,
Have fun!


WDS and a Dell 5570 adding drivers to WIM image.

Today I am creating an image for a Dell E5570 laptop over at a customer.
The image that I use has all the applications installed and working.
However, the image is meant for other computers that don’t have the same drivers that are required for this type of machine.

In order to make this work you have to [can try to] do two things:
– Make sure the boot and capture images have the x86 driver to be able to work with the machine on x86 (I have two boot images, one to load an image, one to capture an image to the server).
– Add the x64 drivers to the image that you want to roll out.

[Note that it is best to turn off your antivirus software, or this may take ages.]

Adding x86 network drivers to boot.wim and capture.wim

Download and extract the drivers from www.dell.com, or extract them from the CD that comes with the E5570 laptop on a machine.
In this case these driver files are located on the CD in the following zip file:
(You can look up the location of the exact driver zip file with the tool D:\Win78\RCDMENU.EXE)
D:\ZIPFILES\Network_Driver_KJTXR_WN32_20.2.0.0_A00.EXE
When you have unpacked the driver to your desired location, move it to the WDS server, to a folder of your choosing.

In WDS, right click driver packages, and choose add driver package.
In the window that pops up, select “Select a driver package from a folder”.
Select your folder with the x86 driver and choose next, next, next, next, finish.
In my case this was D:\E5570\LAN\production\Windows7-x86\
Now the drivers are added to the repository for the boot images.

Go to the boot and capture images in WDS, right click them and choose:
“Add driver packages to image..”
Click Next, Click Search and add the drivers to the image. Both of them.

Now you have added the network driver that is necessary for the boot and capture image to be able to use the network on your new machines.

Add the x64 drivers to the image that you roll out.

When you have an image that doesn’t have the drivers, unpack all drivers for this certain machine to a directory of your choosing.
e.g. D:\5570
Make subdirectories for each driver.
e.g.
D:\5570\LAN
D:\5570\Audio
etc.
When you are done unpacking them all, mount the image that you want to roll out:
(I choose to ‘cd’ to the directory; of course you can specify a path for the image instead, but I do it like this:)

DISM.exe /Mount-Wim /WimFile:image.wim /index:1 /MountDir:D:\Mount\

Note that the directory “D:\Mount\” should exist.

When it’s mounted, insert the drivers into the image with:

DISM.exe /image:D:\Mount\ /add-driver /driver:D:\E5570 /recurse

This adds all the drivers into the image.

When it is done, you have to commit the changes to the image file with:

DISM.exe /Unmount-Wim /MountDir:D:\Mount\ /commit

Now you can add your image to WDS and try it out.

As it turns out, not all drivers are installed, but at least the network driver is; you can then install the rest of the drivers and capture a new image for this machine.

Hope this helps you,
Have fun!

[Note: don’t forget to turn on antivirus software again]


Raspberry Pi3 installation and configure wlan/wifi (raspbian)

Today I’m setting up the raspi3 that I recently got from the pihut.
https://thepihut.com/
The pi3 has wifi built in (2.4Ghz only).

I use linux now, so in order to set it up with raspbian I performed the following steps.

Get the latest raspi (lite) image here: (I install all software by hand)
https://www.raspberrypi.org/downloads/

Unzip the image with:

unzip [filename]

I had an 8Gb SD card lying about. To write the unpacked image [.img] to the SD card, do the following on linux [you may want to carefully watch where the kernel put your card device, with e.g. the command:]

dmesg

Write the data:

dd if=2016-03-18-raspbian-jessie-lite.img of=/dev/mmcblk0 bs=1M

After a while it’s done. To perform a sync to flush all buffers, do:

sync
sync

and unplug the card, put it in your raspi, and turn it on.

To configure the pi from scratch, I connect it with an ethernet cable (no display). By default, the raspi image has eth0 on dhcp. I look up the address it got in my router, or use an ip scanner on my local network to see what it has become.

When you’ve located it, ssh to the IP address:

ssh pi@xx.xx.xx.xx

(where xx stands for the IP)
By default, the image has the password “raspberry” for user “pi”

It is a good idea to change that immediately.

sudo passwd pi
 [wisely choose a password]
 [enter it correctly again]

I want to change the root password immediately as well:

sudo passwd root
 [wisely choose a password]
 [enter it correctly again]

Now you’re still on eth0, and perhaps you want to use wifi.

Use your favorite editor like vi or nano to edit the following two files to configure it (I usually just do this with su - [password] as root/uid0, or you can do it as user pi with sudo):

(found at http://weworkweplay.com/play/automatically-connect-a-raspberry-pi-to-a-wifi-network/)

vi /etc/network/interfaces

and change the contents to:

auto wlan0

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet static
address 192.168.100.200
netmask 255.255.255.0
gateway 192.168.100.254
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Change the IP addresses and network settings to match your network, or leave these entries out and specify: iface wlan0 inet dhcp (for DHCP on wlan0 only; leave the other entries intact)

and

vi /etc/wpa_supplicant/wpa_supplicant.conf

to change the wifi settings for your network:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
ssid="SSID"
psk="verysecret!"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
auth_alg=OPEN
}

proto=RSN stands for WPA2
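
wpa_supplicant also accepts the derived 256-bit key as 64 unquoted hex digits in place of the quoted passphrase, which keeps the human-chosen passphrase out of the file (the derived key still grants access to that SSID). The following is an added example, not from the original post or the linked article, that derives the key the way WPA-PSK defines it and renders the network block shown above; derive_psk and network_block are names made up here.

```python
import hashlib

def derive_psk(ssid, passphrase):
    """Return the 256-bit WPA/WPA2 pre-shared key as 64 hex digits."""
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    # WPA-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32).hex()

def network_block(ssid, passphrase):
    """Render the network block from this post with the derived key instead of the passphrase."""
    return "\n".join([
        "network={",
        f'ssid="{ssid}"',
        f"psk={derive_psk(ssid, passphrase)}",  # unquoted = raw key, quoted = passphrase
        "proto=RSN",
        "key_mgmt=WPA-PSK",
        "pairwise=CCMP",
        "auth_alg=OPEN",
        "}",
    ])

if __name__ == "__main__":
    # Placeholder SSID and passphrase taken from the config above.
    print(network_block("SSID", "verysecret!"))
```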

Of course you may want to update your pi:

apt-get update
apt-get upgrade
apt-get dist-upgrade

Reboot, and possibly do this again; maybe an apt-get autoremove is necessary afterwards.

You’re now set up with your pi, you can use

raspi-config

to enable the camera or enable SPI or I2C, or other settings or functions, etcetera.
Don’t forget to expand the filesystem on the sd card, see raspi-config main menu, there’s an entry for it there.

Hope this helps you!
Have fun!


VMWare virtualise a Windows 2008R2 server with P2V

I am in the process of virtualising a Windows 2008 R2 server with P2V.
That is, from HP hardware to VMWare.
Since this is a hardware HP machine, I have made the following considerations using P2V.

Before virtualising:

– Make sure that the P2V-tool assigns each disk to a vmdk; by default it makes one big disk, something you may not want. (It is handy to slice it up, in case you want to change datastore, or perhaps make a change in cluster size later.)
– Set the name of the server right, it reflects this in the datastore directory.
– Set the CPU right, I usually take 2 cpu, 2 cores, but of course that is up to you or your licensing model.
– In P2V, deselect the option to install VMWare tools, do it manually later, or your server may hang.

Make sure you stop the Exchange services, if you have an Exchange server (it was one in this case); this takes the Exchange server offline, so it stops mail reception and delivery.
Stop all HP services (set the services to manual, so that they don’t start once virtualised).

After virtualising:

– First start the server in safe mode, to make sure the new “hardware” drivers install correctly.
– Reboot the server, boot normally, install VMware tools.
– Remove any network cards in VMWare and add the VMXNET3 network card.
– Set IP, netmask, gateway, dns entries as before/recommended. A message will show in Windows that there is a card that has these settings; this message will resolve that.

– Deinstall HP software
o (Eventually, you may need to stop HP Services)
o (Eventually, you may need to kill the HP Insight management in task manager)
o (Eventually, you may need to kill other HP processes with task manager)
– Activate Windows, because of hardware changes, key should still be the same.
– Deinstall disconnected drivers in Device Manager:
– In cmd, execute:
set devmgr_show_nonpresent_devices=1
devmgmt.msc
– From the menu, select: Show hidden devices
– You can now remove all drivers that are not in use with [del] [enter]. Do not forget to remove software when the deletion of the driver gives this option.
– Do not deinstall fs_rec, this is supposed to be a MS driver of sorts.
– Finally reboot, done!

Hope this helps you, have fun!

P.S. there are more considerations when pushing an Exchange to VMware, such as disk cluster size, IOps etc, but I won’t cover that in this post. More on that here: http://www.vmware.com/files/pdf/exchange-2010-on-vmware-best-practices-guide.pdf


raspi raspbian compile ffmpeg

Edit: It is called avconv, duh! You can use this now:

https://www.raspberrypi.org/documentation/usage/camera/raspicam/README.md

Today I’m setting up a raspi with raspbian and a raspi camera.
After enabling the camera (with raspi-config as root) I wanted to test it with ffmpeg.
Which wasn’t there.

In order to compile it from source with h264 support, first install the h264 libs:

git clone git://git.videolan.org/x264
cd x264
./configure --host=arm-unknown-linux-gnueabi --enable-static --disable-opencl
make -j4
sudo make install

I just want video output, so I skipped the audio requirements (or else you should install these now). So I continued with ffmpeg itself:

cd /usr/src
git clone git://source.ffmpeg.org/ffmpeg.git
cd ffmpeg
sudo ./configure --arch=armel --target-os=linux --enable-gpl --enable-libx264 --enable-nonfree
make -j4
sudo make install

Now you have to wait a long time for it to finish.

Found at: http://www.jeffreythompson.org/blog/2014/11/13/installing-ffmpeg-for-raspberry-pi/


Don’t start Win10 update

To make sure the Win10 update is blocked, put the following in a batch file:

REM === Windows 10 update block ===
MKDIR C:\Temp > nul
COPY \\SERVER\NETLOGON\NoWin10.reg C:\Temp\NoWin10.reg > nul
regedit /s C:\Temp\NoWin10.reg
del C:\Temp\NoWin10.reg > nul

In the NoWin10.reg the data is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GWX]
"DisableGWX"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade"=dword:00000001

Hope this helps you, have fun!


Group Policy Update for Windows Operating System Updates

On further investigation of previous post(s), I have now learned that Microsoft has an update for Windows Update and Group Policies.

Basically, there is an update that should be installed on Domain servers and workstations that will add the option to turn off Upgrades/Updates to new versions of Windows.

Info about this and about GPO settings:

https://support.microsoft.com/en-us/kb/3080351

The update:

https://support.microsoft.com/en-us/kb/3065987

This is better than scripting your way around the problem, unless you have standalone workstations.

Hope this helps you, have fun!
