Windows Server – Prevent users from changing printer preferences for color

This post exists because I see a lot of demand on the forums for a way to block color printing on some printers by preventing the user from changing the printer preferences.

First, I will say that the driver makes a huge difference: any option shown in the preferences window is available to the user, because those settings are mapped under the user's HKCU hive.

Sadly, but it has to be said, the easiest way to block color is to buy a printer that has an accounting module in it, so it can ask for a PIN before color is used. The driver is usually written to prompt the user for the PIN when it detects a color printout. Some models ask for the PIN locally on the touch screen.

Now some workarounds:

First, we block color usage in the printer's configuration.

Then, if we use GPP (Group Policy Preferences), for example, to deploy the printer, set the action to Replace. It will replace the existing settings at each GPO refresh interval (90 minutes by default).

Delete and recreate the shared printer connection. The net result of the Replace action is that all existing settings associated with the shared printer connection are overwritten. If the shared printer connection does not exist, the Replace action creates a new shared printer connection.

We could also add the printer at each logon, in Replace mode.

I suggest the GPO below. It prevents any user from manually adding a printer to their computer to bypass our restriction, forcing them to use the published printers. When a printer is connected to the computer, the print driver gets pushed, which opens a door for a non-admin user to add the printer.

User Configuration–> Administrative Templates –> Control Panel –> Printers –> Prevent addition of printers –> Enable

Last workaround: block color usage in the printer itself, if you can.

As you can see there are not many ways to prevent the user, but as said, some workarounds exist.


Thanks


Windows Server 2012 R2 – Firewall Logging for RDP (or any other service!)

Want to restrict a public service on your server?

Today I am giving a small tip for when your router does not support access lists, so we will do it 100% from the server's side.

Let's start with RDP as the example.

We start by forwarding port 3389 to our server. Below is an example with a small Linksys.

[Screenshot: rdp.png]

In the Windows Firewall we check that RDP is allowed, and we can click to allow only the specified IP range.

[Screenshot: rdp2.png]

In the screen below we enter the wanted IP range. (For me it was my local ISP's range; pic source.)

[Screenshot: rdp4.png]

Now the more obscure step: we configure our firewall to log blocked entries. By default the firewall log is found at %windir%\system32\logfiles\firewall\pfirewall.log.

We run this command so the log gets filled with DROPped connection attempts:

netsh advfirewall set allprofiles logging droppedconnections enable

After a while, if our rule works correctly, our log should show some blocked attempts.

2016-10-22 10:02:35 DROP TCP 179.43.149.5 192.168.1.10 26286 3389 52 S 2834367233 0 8192 - - - RECEIVE
2016-10-22 11:34:48 DROP TCP 185.93.185.7 192.168.1.10 45610 3389 40 S 3512451859 0 1024 - - - RECEIVE
2016-10-22 11:44:54 DROP TCP 47.18.154.28 192.168.1.10 48447 3389 40 S 763731365 0 1024 - - - RECEIVE
2016-10-22 12:03:24 DROP TCP 171.8.0.87 192.168.1.10 30612 3389 40 S 1989410816 0 16384 - - - RECEIVE
2016-10-22 12:42:31 DROP TCP 104.223.180.20 192.168.1.10 60328 3389 40 S 3936878592 0 16384 - - - RECEIVE
2016-10-22 14:04:36 DROP TCP 183.60.48.25 192.168.1.10 12213 3389 40 S 62195378 0 8192 - - - RECEIVE
2016-10-22 15:02:26 DROP TCP 61.240.144.65 192.168.1.10 42805 3389 40 S 2066287928 0 1024 - - - RECEIVE

At this point, if our IP range is correctly set up, we are more secure on the internet, and there is no need to worry about seeing connection attempts: a lot of bots scan the well-known ports.
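As an added example (not from the original post), here is a small Python parser for the pfirewall.log format. It counts the dropped attempts per source address and, if allowed-connection logging is also turned on, checks that nothing outside the ISP range was ever allowed through to port 3389. The #Fields header is the standard Windows Firewall log header; the DROP entries are the ones shown above, while the two ALLOW entries and the 203.0.113.0/24 "ISP range" are constructed values taken from the RFC 5737 documentation ranges.

```python
"""Parse a Windows Firewall log (pfirewall.log) and summarise RDP traffic.

Added example; not part of the original post. SAMPLE_LOG is constructed:
the DROP lines are the ones shown in the post, the ALLOW lines and the
203.0.113.0/24 range are made-up values from the RFC 5737 documentation ranges.
"""
import ipaddress
from collections import Counter

SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-10-22 10:02:35 DROP TCP 179.43.149.5 192.168.1.10 26286 3389 52 S 2834367233 0 8192 - - - RECEIVE
2016-10-22 11:34:48 DROP TCP 185.93.185.7 192.168.1.10 45610 3389 40 S 3512451859 0 1024 - - - RECEIVE
2016-10-22 11:44:54 DROP TCP 47.18.154.28 192.168.1.10 48447 3389 40 S 763731365 0 1024 - - - RECEIVE
2016-10-22 12:03:24 DROP TCP 171.8.0.87 192.168.1.10 30612 3389 40 S 1989410816 0 16384 - - - RECEIVE
2016-10-22 12:42:31 DROP TCP 104.223.180.20 192.168.1.10 60328 3389 40 S 3936878592 0 16384 - - - RECEIVE
2016-10-22 14:04:36 DROP TCP 183.60.48.25 192.168.1.10 12213 3389 40 S 62195378 0 8192 - - - RECEIVE
2016-10-22 15:02:26 DROP TCP 61.240.144.65 192.168.1.10 42805 3389 40 S 2066287928 0 1024 - - - RECEIVE
2016-10-22 15:10:02 ALLOW TCP 203.0.113.7 192.168.1.10 50211 3389 52 S 1111111111 0 8192 - - - RECEIVE
2016-10-22 15:12:40 ALLOW TCP 198.51.100.9 192.168.1.10 50312 3389 52 S 2222222222 0 8192 - - - RECEIVE
"""

# Constructed "ISP range" that the firewall rule is supposed to allow.
ALLOWED_RANGES = ["203.0.113.0/24"]


def parse_firewall_log(text):
    """Return one dict per entry, keyed by the names in the #Fields header line."""
    fields = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; it names the columns.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry found before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def drops_by_source(rows, dst_port="3389"):
    """Count DROP entries aimed at dst_port, per source address."""
    return Counter(
        r["src-ip"] for r in rows
        if r["action"] == "DROP" and r["dst-port"] == dst_port
    )


def allows_outside_range(rows, allowed_cidrs, dst_port="3389"):
    """Source addresses that were ALLOWed to dst_port but are not in any allowed CIDR.

    Anything returned here means the scoped rule is not doing what you think.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    unexpected = []
    for r in rows:
        if r["action"] != "ALLOW" or r["dst-port"] != dst_port:
            continue
        src = ipaddress.ip_address(r["src-ip"])
        if not any(src in net for net in nets):
            unexpected.append(r["src-ip"])
    return unexpected


if __name__ == "__main__":
    entries = parse_firewall_log(SAMPLE_LOG)
    for src, n in drops_by_source(entries).most_common():
        print(f"{n:4d} dropped RDP attempt(s) from {src}")
    for src in allows_outside_range(entries, ALLOWED_RANGES):
        print(f"WARNING: RDP allowed from {src}, which is outside {ALLOWED_RANGES}")
```

To run it against the real file, read %windir%\system32\logfiles\firewall\pfirewall.log into a string and pass it to parse_firewall_log. ALLOW entries only appear in the log if you also enable them with `netsh advfirewall set allprofiles logging allowedconnections enable`; without that, the second check has nothing to look at.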


Thanks !


Windows VDA – Script to re-install the Microsoft’s Update add-on

If someday you land on a machine where Microsoft Update does not want to install for some reason X, there is a quick fix for that issue.

Here is the script to run to enable it:

' Register Microsoft Update as an update service (run with cscript/wscript, elevated)
Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager")
ServiceManager.ClientApplicationID = "My App"
' Add the Microsoft Update service by its GUID
Set NewUpdateService = ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")

Here is the script to disable it:

' Unregister the Microsoft Update service (run with cscript/wscript, elevated)
Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager")
ServiceManager.ClientApplicationID = "My App"
' Remove the Microsoft Update service by its GUID
ServiceManager.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d")


Thanks !


Reference


Windows VDA / Terminal Server session – Kill for good that Java update Warning !

Ever wondered how to really kill that Java updater that keeps coming back at startup of your Windows VDA or within your users' Terminal Server sessions?

The Justcheck.exe scheduler does an online check, but Java has another method too: an expiration date on the product.

First, create this environment variable (system-wide):

setx deployment.expiration.check.enabled false /m

Then go to c:\windows\sun\java

Create a Deployment.config file

Enter this into it:

deployment.system.config=file\:C\:/Windows/Sun/Java/Deployment/deployment.properties

deployment.system.config.mandatory=true

Create a Deployment.properties file with:

deployment.javaws.autodownload=never
deployment.javaws.autodownload.locked
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.expiration.decision=never
deployment.expiration.decision.locked
deployment.expiration.decision.suppression=true
deployment.expiration.decision.suppression.locked


Thanks 🙂 and enjoy the tip

The Citrix’s purge ! part 1

Here is part #1 of a series of blog posts I will write to counter the great purge Citrix started, removing some of their CTX articles from the Internet. (I have no idea why they do so, but the information is still handy even today.)

For the first tip I will share, I can't find the CTX number it was under... (no longer indexed)

Latency when using Receiver 3+ when connecting to an old farm

If you still have to connect to an old farm and your keyboard and mouse really lag, make sure this registry key is present on your client:

32-bit

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Seamless Windows]
"DeferredUpdateMode"="False"


64-bit

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Seamless Windows]
"DeferredUpdateMode"="False"


Windows – Outgoing Fax in the Console

Having difficulty getting the fax console to show your user the outgoing faxes of everyone?

Here are some generic tips to help you out.

First, is logging enabled?

- Open Fax Service Manager.
- In the left pane, right-click Fax, and then click Properties.
- On the Archives tab, check the "Archive all faxes to this folder" item; the sent faxes will be stored in this folder.

and

- Open Fax Service Manager.
- Right-click Fax, and then click Properties.
- On the Activity Logging tab, enable the "Log outgoing fax activity" check box to start logging outgoing faxes.

Secondly, is it Windows Server 2008 R2, or is the client Windows 7?

Check whether these patches are installed:

Consider the following scenario: You have a computer that is running Windows Server 2008 R2 or Windows 7.
You run an application or a service that calls the FaxEnumJobs function to query fax jobs that are on a FAX server.
In this scenario, the FaxEnumJobs function does not return all the fax jobs. The function returns only the fax jobs of the current user account.

For example, an administrator account can view only the fax jobs of the administrator account.

Consider the following scenario: You install the Fax Server role on a computer that is running Windows Server 2008 R2.
Your account is assigned the View Outgoing Jobs permission in Fax Service Manager on the Fax server.
You open Windows Fax and Scan to check outgoing faxes.
In this scenario, you cannot view or manage outgoing faxes from other users.

On a computer that is running Windows 7 or Windows Server 2008 R2, you have an application that uses the Fax Service Extended COM API to query fax jobs on a Fax server. However, the application can only enumerate the fax jobs of the current user account that you use to run the application.

Note: This issue occurs even when you run the application by using a user account that has the necessary permissions to enumerate the fax jobs of all users.

Thirdly, a nice workaround if you need a user to manage the outgoing box: a script that creates an .html file with all the outgoing fax information (which you can then share on IIS). Running it from a scheduled task, for example every hour, can do the trick.

The script is not from me; credit to Logman for the modified version, and the original version is there.

# This script takes the outboxlog.txt file from the Windows Server fax service 
# and parses it to find faxes that did not complete. Results are dumped as a 
# Web page. Normally a user can view only the status of their own faxes. 
# This allows you to view failed faxes for any user. 

# This script can be run as a scheduled task to provide a constantly updated list 
# Required command line in scheduled task is: 
# powershell.exe "& 'C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\ParseOutbox.ps1'" 

# Created by Byron Wright, byron@conexion.ca 

# Define the file locations used. 
$Source="C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\outboxLog.txt" 
$TempSource="C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\outboxlogtemp.txt" 
$CsvDestination="C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\outboxlog.csv" 
$HTMLDestination="C:\inetpub\wwwroot\FailedFaxes.htm" 

# Import-TabDelimited function taken from The PowerShell Guy 
# Source located at http://thepowershellguy.com/blogs/posh/archive/2007/03/31/powershell-examples-used-on-ars-technica.aspx 

function Import-TabDelimited ($Path) { 
 gc $path |% {$header = $true} { 
 if ($header){ 
 $h = $_.split("`t") 
 $header = $false 
 } 
 Else { 
 $r = new-object object 
 $_.split("`t") |% {$i=0}{ 
 $r | add-Member -memberType noteProperty -name $h[$i] -value $_ 
 $i++ 
 } 
 $r 
 } 
 } 
} 


#Processing the text file may lock it and cause problems on a busy fax server 
#So, copy it quick. 
Copy-Item -Path $Source -Destination $TempSource 

#Convert to Outboxlog.txt to a csv file 
Import-TabDelimited -Path $TempSource | Export-csv -Path $CsvDestination -NoTypeInformation 

#Get a list of faxes that failed by looking at the Status column 
#Note that the column name includes double quote. Single quotes used to allow that. 
$BadFaxes=import-csv -Path $CsvDestination | where {$_.'"Status"' -eq '"Transmission Error"'} | Sort-Object {[datetime] $_.'"SubmissionTime"'} -descending 

#Dump bad faxes to an HTML file. The Select-Object cmdlet is selecting the columns to include. 
#Again note that double quotes are part of the column name. 
# "JobID" "ParentJobID" "SubmissionTime" "Scheduled" "Status" "ErrorDesc" "ErrorCode" "StartTime" "EndTime" 
# "Device" "DialedNumber" "CSID" "TSID" "Pages" "TotalPages" "QueueFileName" "Document" "FileSize" "Retries" 
# "ServerCoverPage" "CoverPageSubject" "CoverPageNote" "UserName" "SenderName" "SenderFaxNumber" 
# "SenderCompany" "SenderStreet" "SenderCity" "SenderZipCode" "SenderCountry/Region" "SenderTitle" 
# "SenderDepartment" "SenderOffice" "SenderHomePhone" "SenderOfficePhone" "SenderEMail" "RecipientName" 
# "RecipientFaxNumber" "RecipientCompany" "RecipientStreet" "RecipientCity" "RecipientZipCode" "RecipientCountry/Region" 
# "RecipientTitle" "RecipientDepartment" "RecipientOffice" "RecipientHomePhone" "RecipientOfficePhone" 
# "RecipientEMail" "BillingCode"


$Header = @"
<style>
TABLE {border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}
TH {border-width: 1px;padding: 3px;border-style: solid;border-color: black;background-color: #6495ED;}
TD {border-width: 1px;padding: 3px;border-style: solid;border-color: black;}
</style>
"@
$Pre = "<H1>Failed Faxes: $(Get-Date -format 'g')</H1>"
$Post = "<H3>$(Get-Date -format 'g')</H3>"

$BadFaxes | Select-Object '"SubmissionTime"','"RecipientName"','"RecipientFaxNumber"','"CoverPageSubject"','"Retries"','"ErrorDesc"' | ConvertTo-HTML -Body $Header -PreContent $Pre -PostContent $Post | Out-File -FilePath $HTMLDestination 
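For the same job in Python, here is an added example (mine, not Logman's or Byron Wright's script): it reads the tab-delimited outbox log, lets the csv module strip the double quotes that wrap every column name and value (the part the PowerShell version has to work around with the '"Status"' quoting trick), keeps only jobs with a Transmission Error status, and HTML-escapes every cell before writing the report. The escaping matters because fields such as CoverPageSubject and RecipientName are typed by end users and the report ends up on a web server. The log excerpt is constructed with a subset of the real columns, and the SubmissionTime format used here is an assumption.

```python
"""Report failed outgoing faxes from the Fax service outbox log as an HTML page.

Added example; not part of the original post. SAMPLE_ROWS is constructed:
a subset of the real outboxLog.txt columns, and the date format is assumed.
"""
import csv
import html
import io
from datetime import datetime

# Constructed log: every header name and value is wrapped in double quotes,
# exactly the layout the PowerShell script above has to special-case.
SAMPLE_ROWS = [
    ["JobID", "SubmissionTime", "Status", "ErrorDesc", "Retries",
     "RecipientName", "RecipientFaxNumber", "CoverPageSubject", "UserName"],
    ["1", "2016-10-24 09:30:01", "Success", "", "0",
     "Alice Example", "5550100", "Invoice 17", "EXAMPLE\\alice"],
    ["2", "2016-10-24 09:35:10", "Transmission Error", "No answer", "3",
     "Bob Example", "5550101", "Quote <b>urgent</b> & terms", "EXAMPLE\\bob"],
    ["3", "2016-10-24 11:02:44", "Transmission Error", "Line busy", "5",
     "Carol Example", "5550102", "Contract", "EXAMPLE\\carol"],
    ["4", "2016-10-24 11:10:00", "Pending", "", "0",
     "Dave Example", "5550103", "Memo", "EXAMPLE\\dave"],
]
SAMPLE_LOG = "\n".join("\t".join('"%s"' % c for c in row) for row in SAMPLE_ROWS) + "\n"

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed for the constructed sample
REPORT_COLUMNS = ["SubmissionTime", "RecipientName", "RecipientFaxNumber",
                  "CoverPageSubject", "Retries", "ErrorDesc"]


def parse_outbox_log(text):
    """Tab-delimited with quoted fields: csv strips the quotes for us."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def failed_faxes(rows):
    """Jobs that ended in a Transmission Error, newest submission first."""
    failed = [r for r in rows if r["Status"] == "Transmission Error"]
    return sorted(failed,
                  key=lambda r: datetime.strptime(r["SubmissionTime"], TIME_FORMAT),
                  reverse=True)


def render_html(rows, columns, title="Failed Faxes"):
    """Build the report; every cell is escaped so user-typed text cannot inject markup."""
    head = "".join("<th>%s</th>" % html.escape(c) for c in columns)
    body = "".join(
        "<tr>" + "".join("<td>%s</td>" % html.escape(r.get(c, "")) for c in columns) + "</tr>"
        for r in rows
    )
    return ("<html><body><h1>%s</h1><table border=\"1\"><tr>%s</tr>%s</table></body></html>"
            % (html.escape(title), head, body))


if __name__ == "__main__":
    report = render_html(failed_faxes(parse_outbox_log(SAMPLE_LOG)), REPORT_COLUMNS)
    print(report)
```

To use it on a server, copy outboxLog.txt first (as the PowerShell script does, to avoid holding the live file open), read the copy with parse_outbox_log, and write the string from render_html to the IIS folder.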

SQL Server 2014 on a Domain Controller ?

Thinking of installing a SQL instance on your Domain Controller? Think twice, as it has bad implications if you do.

I will quote Microsoft's article (there):

You cannot run SQL Server services on a domain controller under a local service account.

That means you will have to create an Active Directory account to run the service, with higher rights than a local service account.

After SQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. You must uninstall SQL Server before you change the host computer to a domain controller.

After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.

Plan it right: don't plan to add the AD DS role to your SQL server, as you will end up creating another server in the end. Planning it right prevents unplanned costs for your customer.

SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.

SQL Server Setup cannot create security groups or provision SQL Server service accounts on a read-only domain controller. In this scenario, Setup will fail.

Now we fall into the limitations.

As you can see, you win by planning your deployment correctly 🙂

PS. There is another reference there that shows this is nothing new.

Thanks

Windows VDA + Pre Deploy Juniper client / Pulse Secure

Today I will share a small tip for deploying a golden image so that the Pulse Secure application (formerly known as the Juniper client) can be pre-configured.

If you skip this tip, the problem you will face when Pulse Secure is already installed in the image is that only one machine at a time will be able to connect to the VPN (one user connects, and the other gets disconnected).

In the base image you need to edit connstore.dat

[Screenshot: 10-24-2016 9-30-01 AM.png]

Then open the file with Notepad and remove the machine GUID line:

[Screenshots: 10-24-2016 9-29-04 AM.png, 10-24-2016-9-29-35-am]

Save the change. Next we need to erase the Device ID in the registry.

I did a script that does it this way:

rem Stop the Pulse/Juniper service, then delete the per-machine Device ID (64-bit and 32-bit hives)
net stop juniperaccessservice
REG delete "HKLM\SOFTWARE\Wow6432Node\Juniper Networks\Device Id" /v DeviceId /f
REG delete "HKLM\SOFTWARE\Juniper Networks\Device Id" /v DeviceId /f

Afterwards you can copy the .dat, put it in the same folder and name it connstore.new. It will be used if you change the golden image again and need to quickly reset the GUID. We can add these lines to our script:

rem Restore the clean connection store over the one the client rewrote
copy "C:\Program Files\Common Files\Juniper Networks\ConnectionStore\connstore.new" "C:\Program Files\Common Files\Juniper Networks\ConnectionStore\connstore.dat" /y
copy "C:\Program Files (x86)\Common Files\Juniper Networks\ConnectionStore\connstore.new" "C:\Program Files (x86)\Common Files\Juniper Networks\ConnectionStore\connstore.dat" /y

Update: Pulse added a command line parameter for shared installs, SHAREDINSTALL=1

This parameter makes the installer not write the GUID, and it does not start the service (so the registry key is not written).

I keep my tip here because if you need to restart your golden image for some reason X, you will still need the script.

Thanks

How to add a non-Latin entry in the Windows hosts file? (%SystemRoot%\System32\drivers\etc\hosts)

Here is a small tip if you need to add a non-Latin entry in the hosts file.

An example:

127.0.0.1         www我等主营.com

or

127.0.0.1   локалхост

The file itself does not accept any non-Latin encoding, so the two examples above would not work, but you can bypass the problem with Punycode. (Look there for a generator.)

A description from Wikipedia of what Punycode is:

Punycode is a way to represent Unicode with the limited character subset of ASCII supported by the Domain Name System. For example, “München” (German name for the city of Munich) would be encoded as “Mnchen-3ya”.

That tip would transform our two test domains into:

127.0.0.1 xn--80atccmdviy

or

127.0.0.1    xn--tiq769bnnsi9h.com
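You don't need an online generator for this conversion: Python's built-in idna codec produces the same xn-- form. The following is an added example (mine, not part of the post) that turns a list of (IP, name) pairs into ASCII-only hosts-file lines and decodes them back so you can confirm the entry still means what you typed. The two names are the ones from this post, München is Wikipedia's example, and the IP addresses are the 127.0.0.1 used above.

```python
"""Build ASCII-only hosts-file entries for non-Latin names with Punycode (IDNA).

Added example; not part of the original post. Uses the 'idna' codec that ships
with Python; the sample names below are the ones discussed in the post.
"""

# Constructed sample entries: the two names from the post plus Wikipedia's example.
SAMPLE_ENTRIES = [
    ("127.0.0.1", "www我等主营.com"),
    ("127.0.0.1", "локалхост"),
    ("127.0.0.1", "München"),
    ("127.0.0.1", "localhost"),  # plain ASCII names pass through untouched
]


def to_punycode(name):
    """Return the IDNA form of a hostname: each non-ASCII label becomes xn--...."""
    ascii_name = name.encode("idna").decode("ascii")
    # The hosts file only takes ASCII, so refuse anything the codec let through otherwise.
    if not ascii_name.isascii():
        raise ValueError("IDNA encoding did not produce ASCII for %r" % name)
    return ascii_name


def from_punycode(name):
    """Decode an xn-- name back to Unicode (labels come back lower-cased by nameprep)."""
    return name.encode("ascii").decode("idna")


def hosts_line(ip, name):
    """One hosts-file line: IP, a tab, the Punycode name."""
    return "%s\t%s" % (ip, to_punycode(name))


def build_hosts_fragment(entries):
    """Lines ready to append to %SystemRoot%\\System32\\drivers\\etc\\hosts."""
    return "\n".join(hosts_line(ip, name) for ip, name in entries) + "\n"


if __name__ == "__main__":
    fragment = build_hosts_fragment(SAMPLE_ENTRIES)
    print(fragment, end="")
    # Show that each encoded name decodes back to the original (lower-cased).
    for line in fragment.splitlines():
        _, encoded = line.split("\t")
        print("%s -> %s" % (encoded, from_punycode(encoded)))
```

Note that the codec applies the IDNA nameprep step, so upper-case letters come back lower-cased on decode; hostnames are case-insensitive, so that does not change what the entry resolves.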


Thanks

PS. Some posts referencing that problem on Serverfault: 1, 2