GPO – GPP Printer per Computer's 0x80070005 error

Hi

Today I wanted to talk about a small bug you might encounter if you deploy printers per computer with GPP. Such a GPP creates a local printer port, usually TCP/IP, but needs a printer share to set the driver and options.

The error is not documented much, but it's error 0x80070005.

That error is caused by the computer account lacking the permissions to access the printer's share for the initial setup. I have seen that case at customers where the printer shares are more restricted between users.

To resolve the issue you need to put Everyone back into the printer's security, as shown there;

Make sure that Everyone is there (and CREATOR OWNER too).

That change should make your GPO work.
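
One way to verify the change: parse the printer's security descriptor and confirm that Everyone holds the Print right and that CREATOR OWNER is present. This is an added example, not part of the original post; the function name Test-PrinterAcl and both sample SDDL strings are constructed for the illustration.

```powershell
# Added example. On the print server, read the real descriptor with:
#   (Get-Printer -Name '<printer name>' -Full).PermissionSDDL
function Test-PrinterAcl {
    param([Parameter(Mandatory)][string]$Sddl)

    $printRight   = 0x8   # PRINTER_ACCESS_USE, the "Print" permission
    $everyone     = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'

    # Parse the SDDL and keep only the "allow" entries of the DACL
    $sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $allow = @($sd.DiscretionaryAcl | Where-Object { $_.AceType -eq 'AccessAllowed' })

    [pscustomobject]@{
        EveryoneCanPrint    = [bool]($allow | Where-Object {
            $_.SecurityIdentifier -eq $everyone -and ($_.AccessMask -band $printRight) })
        CreatorOwnerPresent = [bool]($allow | Where-Object {
            $_.SecurityIdentifier -eq $creatorOwner })
    }
}

# Constructed sample descriptors (not taken from a real print server)
$withEveryone = 'O:SYG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;;SWRC;;;WD)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)'
$restricted   = 'O:SYG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

Test-PrinterAcl -Sddl $withEveryone   # the state the post asks for
Test-PrinterAcl -Sddl $restricted     # Print granted to one group only
```

The check only looks for the Print right on Everyone; it does not require anything broader such as Manage Printers.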

Cumulative Update KB5009557

If you install that update on a Domain Controller, please make sure you install the out-of-band update KB5010791!

It applies to Windows 10 Enterprise 2019 LTSC, Windows 10 IoT Enterprise 2019 LTSC, Windows 10 IoT Core 2019 LTSC and Windows Server 2019.

Highlights

  • Updates a known issue that affects VPN connections. 
  • Updates a known issue that causes unexpected restarts on Windows Server domain controllers. 

Information Link; January 18, 2022—KB5010791 (OS Build 17763.2458) Out-of-band

Cached Credential

Hi everyone !

Today I wanted to share another tip. It's something I see a lot in help desk calls, and sometimes not knowing it makes a call a lot longer.

It's for the managed credentials in the Windows account's store.

You could be renaming an account on a Domain Controller, or it can be a pass-through user set for authentication, but changing it can break things.

The tip is just to never forget to go there and delete the cached credential that gives you problems.


You can see my answer there, and it’s something useful to know 🙂

Blocked Windows Update on restart

Hi everyone

Today I wanted to share a small tip that can help if your server is stuck on reboot with a Windows patch that doesn't want to finish.

Please use the tip with caution, so you don't lose data or break the OS.

In my case it was useful on a Windows Server 2019, as it was stuck for 3 hours and more, and the CBS log was growing indefinitely.

You can use PsExec, but we have tasklist, which supports a remote computer.

To use it that way, run tasklist /s remote_computer with the username and password (/u domain\username /p password);

tasklist /s remote_computer /u domain\username /p password

After the command we get a list with all the PIDs.

To stop the Windows Update, in my case I had to close the Windows Installer service.

The taskkill command takes the same connection parameters, except we give it the PID, or we could use the /im parameter to target the executable image name (/f forces the closure).

taskkill /s remote_computer /u domain\username /p password /pid PID /f

Command reference

Y2K22 bug! Exchange 2016, 2019

Hi everyone

Happy new year 2022! I wanted to share that if you have the latest patch installed in your Exchange, you might have run into a Y2K22 bug!

The Microsoft Filtering Service got hit by a bug in its patch system.

To resolve it in the short term, please run;

Set-MalwareFilteringServer -BypassFiltering $True -identity <server name>

Or;

Disable-AntimalwareScanning.ps1 -forcerestart from the script folder.

The bug is explained there; https://old.reddit.com/r/sysadmin/comments/rt91z6/exchange_2019_antimalware_bad_update/ In short, it's a variable error at the change of year from 2021 to 2022: the value overflows a long, whereas an unsigned long would have been OK.
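
To make the long versus unsigned long point concrete, here is an added example (not from the original post and not Microsoft's code). It assumes the update stamp is a date-style number of the form YYMMDDHHMM, which the post itself does not state; the function names and sample stamps are made up for the illustration.

```powershell
# Added example. Assumption: the stamp is YYMMDDHHMM read as one decimal number.
function Test-StampFits {
    param(
        [Parameter(Mandatory)][string]$Stamp,
        [Parameter(Mandatory)][ValidateSet('Int32', 'UInt32')][string]$As
    )
    $value = [int64]::Parse($Stamp)   # 64 bits, so the comparison itself cannot overflow
    switch ($As) {
        'Int32'  { return $value -le [int32]::MaxValue }    # signed "long":    2147483647
        'UInt32' { return $value -le [uint32]::MaxValue }   # unsigned "long":  4294967295
    }
}

function Get-FirstFailingYear {
    param([Parameter(Mandatory)][ValidateSet('Int32', 'UInt32')][string]$As)
    foreach ($yy in 0..99) {
        # Largest stamp possible in that year: 31 December, 23:59
        $stamp = '{0:D2}12312359' -f $yy
        if (-not (Test-StampFits -Stamp $stamp -As $As)) { return 2000 + $yy }
    }
    return $null
}

# Constructed stamps: last minute of 2021 and first minute of 2022
foreach ($stamp in '2112312359', '2201010001') {
    [pscustomobject]@{
        Stamp        = $stamp
        FitsInInt32  = Test-StampFits -Stamp $stamp -As Int32
        FitsInUInt32 = Test-StampFits -Stamp $stamp -As UInt32
    }
}

"Signed 32-bit stops working in   : $(Get-FirstFailingYear -As Int32)"
"Unsigned 32-bit stops working in : $(Get-FirstFailingYear -As UInt32)"
```

Under that assumption an unsigned 32-bit field only postpones the failure, so a wider type or a string comparison is the durable choice for date-derived version numbers.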

Thanks everyone for reading, and good year !! 🙂

Update; it’s now fixed;

MSI: The System Administrator has set policies to prevent this installation

Hi everyone

Today I wanted to talk about a problem I have seen on newer Windows Server 2019 in an RD setup.

Some users were having problems with a GPO for software installation (per user).

After some diagnostics I found on all my 2019 servers that the MSI system is now restricted by default.

If you stumble upon this bug, then you must be like me, and you have a registry value to change.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"DisableMSI"=dword:00000000

Now it should work.

Windows RDS | Publishing RADC shortcut on the Desktop (part 2)

Hi

Today I will talk about a small tip to be transparent to the users, which enhances a tip I already gave in the past, as seen there; Windows 2019 RDS | Publishing RADC shortcut on the Desktop

In my older blog post I was creating a shortcut on the desktop that pointed only to the RADC folder from the Start menu.

Today I wanted to be more granular and create a shortcut for each application on the user's desktop. The user experience is greatly enhanced that way.

It's a 3-step GPO, but first we need to generate the .ico and .rdp files to use.

Go to a computer that has the RADC farm installed correctly, and navigate to the folder; %AppData%\Microsoft\Windows\Start Menu\Programs\Work Ressources (RADC)

From there select the shortcut you want to deploy, like Word, and click Properties.

From the properties window, check the path in the argument; it's where our .rdp and .ico are. The shortcuts created are just mstsc.exe "path/to/local profile/". It should be a path like %AppData%\Roaming\Microsoft\Workspaces\{….-….-….-….}\Ressources\Word.rdp

Copy the .RDP you want and the associated .ICO, which is cached there too.

I usually copy them to a folder that all computers can read, like a subfolder in NETLOGON.

From there we start our GPO.

1. Create a GPO, in my example, “RADC – Desktop Word shortcut”

2. Create a file copy to copy the .rdp, under user\Preference\Windows parameters\Files. The source is like \\dc\netlogon\source\Word.rdp, and the destination is an administrative folder on the computer, like c:\it\word.rdp.

3. Create a file copy to copy the .ico. Same source and destination folders as the previous one.

4. After that we create a shortcut, under preference too.

We use %DesktopDir%\Word for the shortcut itself, c:\it\Word.rdp as the target, and we select c:\it\Word.ico as the target icon.

I copy the files for a reason: if your DC becomes unavailable for a short period of time, it's more efficient to simply copy the files locally and create a shortcut to those local files.

5. After that we apply this GPO with the same security group as the one you make Word visible with in your RADC console.

Voilà, the shortcut should be easily visible after that. It's more work at the start, but after that there are fewer calls to find the resource, in my opinion.

Thanks for reading.

Push Acrobat Reader via GPO

Hi everyone

Today I will share the steps necessary to push Acrobat Reader by GPO if you need it in your environment.

You can download the latest Acrobat Reader installer for offline installation.

For that you need to get to the enterprise portal; https://get.adobe.com/fr/reader/enterprise/

After that you need to extract the .exe, as an installation GPO needs a .MSI.

Go to a command prompt where your download is, and type a command like this;

AcroRdrDCxxxxxxxxxx_en_US.exe -sfx_o"C:\Temp\Acrobat" -sfx_ne

After that we have our folder with the correct files. Copy it where your computers can access it. I tend to use the netlogon subfolder on my side, but it can be anywhere.

The next step is to modify the .MST to include the correct options. For that you need to use the Acrobat Wizard, available there; https://www.adobe.com/devnet-docs/acrobatetk/tools/Wizard/index.html (Direct download; https://ardownload2.adobe.com/pub/adobe/acrobat/win/AcrobatDC/misc/CustWiz2000920067_en_US_DC.exe)

With the wizard, please open the Acrobat.MST that you have in the folder where you uncompressed the data (c:\temp\acrobat in my example).

In the first section I click to accept the EULA, and in the next section I click to enable silent mode, to have the GPO per machine. Click save.

Now we need to create the GPO; choose advanced mode. Point the software installation package to your Acrobat.MSI, then go to the deployment options and click to add the .MST.

Make sure the other files from the download are in the same folder.

After that it should work 🙂