Thursday, February 13, 2014

PowerShell: Create a manual System Restore point


1.  Ensure that System Restore is turned on. Control Panel > System > System Protection.
2.  Run PowerShell as Administrator
3.  Type Checkpoint-Computer -Description "<description>" and press Enter
4.  You will see the progress of the restore point creation
5.  Once complete you will be able to view your System Restore Points. Control Panel > System > System Protection > System Restore button > Check "Choose a different restore point" and click Next.

Note: If you get an "Access Denied" error message when running the command, ensure that you are running the PowerShell window as Administrator.
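
The same steps as a script, added here as an example (it is not part of the original post). The description string is a constructed value. The sequence-number check is there because, beginning in Windows 8, Checkpoint-Computer does not create more than one checkpoint per day, so the command can finish without adding a restore point.

```powershell
# Added example for Windows PowerShell on a client OS; the description is a constructed value.

# Step 2: refuse to continue unless the session is elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from a PowerShell window started as Administrator.' }

# Step 1: make sure System Restore is turned on for the system drive.
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# Remember the newest existing restore point so a skipped creation is detectable.
$last = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
$lastSeq = if ($last) { $last.SequenceNumber } else { 0 }

# Step 3: create the restore point.
Checkpoint-Computer -Description 'Manual restore point' -RestorePointType MODIFY_SETTINGS

# Step 5: confirm that a new restore point really exists.
$new = Get-ComputerRestorePoint | Where-Object { $_.SequenceNumber -gt $lastSeq }
if ($new) {
    $new | Format-Table SequenceNumber, Description, CreationTime -AutoSize
} else {
    Write-Warning 'No new restore point was created (one may already exist from the last 24 hours).'
}
```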

Monday, June 17, 2013

HOWTO: Enable AppLocker cmdlet in PowerShell

To use the AppLocker cmdlets, you must first import the AppLocker module by using the following command at the PowerShell command prompt:

C:\PS> Import-Module AppLocker

Note: Scripting must be enabled on the computer.

That's it!

Wednesday, May 15, 2013

How to Reset Local Group Policy to Default in Vista, Windows 7, and Windows 8

To Reset "Local Group Policy" to Default in a Command Prompt at Boot

1. Log on as a local Administrator

2. Open an elevated command prompt ("Run as Administrator")

3. In the command prompt, type the command below, and press Enter.

RD /S /Q "C:\Windows\System32\GroupPolicy"

4. In the command prompt, type the command below, and press Enter.

RD /S /Q "C:\Windows\System32\GroupPolicyUsers"

5. Restart the computer.

All done. The Local Group Policy Editor has now been reset back to default.


Thursday, November 8, 2012

How to: Apply Active Directory Group Policy to Citrix XenApp servers

This may seem straightforward, but it's taken some time to get this to work like a charm.


XenApp (XA) 6.x farm with multiple servers. You have settings that need to be applied to the servers as well as settings for Users.

This is how I configured it. I came to this conclusion because Group Policy wasn't applying the correct Intranet Zone sites in Internet Explorer (although the same settings worked flawlessly on their desktop).

1.  Create and move all servers to an OU containing XA Servers only.

XenApp Computer object location

    Computer Accounts
      |_ XenApp
           |- XENAPP01
           |- XENAPP02
           |- XENAPP03

Therefore: OU=XenApp,OU=Computer Accounts,dc=my,dc=company,dc=com

User Accounts object location

Create or use an existing group containing your users.

    User Accounts
      |_ Location
           |- USER1
           |- USER2
           |- USER3

2.  Create an AD group, e.g. 'All XenApp Servers', containing all your XA servers. This is important to allow the computer configuration settings to apply to the servers.

3.  Three group policies are required.

    A.  Name: Policy XenApp Loopback
        Purpose: This invokes Loopback processing
        Settings: Computer Configuration > Policies > Administrative Templates > System > Group Policy
            Policy: User Group Policy loopback processing mode
            Mode: Replace
        GPO Status: User Configuration settings disabled
        Link Order: 3 (Apply this first)

    B.  Name: Policy XenApp Server Configuration
        Purpose: Contains computer configuration settings which will apply to all your XA servers
        Settings: Computer Configuration > As required.
        GPO Status: User Configuration settings disabled
        Links: OU=XenApp,OU=Computer Accounts,dc=my,dc=company,dc=com
        Security Filtering: All XenApp Servers
        Link Order: 2 (Apply second)

    C.  Name: Policy XenApp User Configuration
        Purpose: Contains user configuration settings which will apply to all your XA users
        Settings: User Configuration > As required.
        GPO Status: Computer Configuration settings disabled
        Links: OU=XenApp,OU=Computer Accounts,dc=my,dc=company,dc=com
        Security Filtering: 'All XenApp Users' or Authenticated Users
        Link Order: 1 (Apply last)

That's it.
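
The layout above built with the ActiveDirectory and GroupPolicy modules, as an added example (not the script used for the original post). It assumes the RSAT modules are installed, that the group 'All XenApp Users' already exists, that the XenApp OU has no conflicting links, and that the loopback GPO is linked to the same OU as the other two.

```powershell
# Added example, not the author's script. Names come from the post unless marked as assumptions.
Import-Module ActiveDirectory, GroupPolicy

$ou       = 'OU=XenApp,OU=Computer Accounts,DC=my,DC=company,DC=com'
$srvGroup = 'All XenApp Servers'
$usrGroup = 'All XenApp Users'      # assumption: this group already exists

# Step 2: group holding every XA computer account in the OU.
# Servers pick up the new membership at their next restart.
New-ADGroup -Name $srvGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $srvGroup -Members (Get-ADComputer -Filter * -SearchBase $ou)

# Step 3: the three GPOs. Links are created in order 1, 2, 3 so each -Order value is valid.
$gpos = @(
    @{ Name = 'Policy XenApp User Configuration';   Status = 'ComputerSettingsDisabled'; Filter = $usrGroup; Order = 1 },
    @{ Name = 'Policy XenApp Server Configuration'; Status = 'UserSettingsDisabled';     Filter = $srvGroup; Order = 2 },
    @{ Name = 'Policy XenApp Loopback';             Status = 'UserSettingsDisabled';     Filter = $null;     Order = 3 }
)
foreach ($g in $gpos) {
    $gpo = New-GPO -Name $g.Name
    $gpo.GpoStatus = $g.Status      # disables the unused half of the GPO
    New-GPLink -Name $g.Name -Target $ou -Order $g.Order | Out-Null
    if ($g.Filter) {
        # Security filtering: the group gets Apply; Authenticated Users is lowered
        # to Read so the GPO can still be read but only applies to the group.
        Set-GPPermission -Name $g.Name -TargetName $g.Filter -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
        Set-GPPermission -Name $g.Name -TargetName 'Authenticated Users' -TargetType Group `
            -PermissionLevel GpoRead -Replace | Out-Null
    }
}

# GPO A: "User Group Policy loopback processing mode" = Replace (UserPolicyMode 2; Merge is 1).
Set-GPRegistryValue -Name 'Policy XenApp Loopback' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Review the result: link order on the OU and the status of each GPO.
(Get-GPInheritance -Target $ou).GpoLinks | Format-Table Order, DisplayName, Enabled -AutoSize
$gpos | ForEach-Object { Get-GPO -Name $_.Name } | Format-Table DisplayName, GpoStatus -AutoSize
```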



Tuesday, August 14, 2012

Administering the ActiveX Installer Service in Windows 7

The below link contains details on configuring the ActiveX Installer Service to automatically install ActiveX controls silently for Windows 7 PCs.


Sunday, July 1, 2012

AnyConnect removes "Connections" tab from IE Settings

If enabled in policy, AnyConnect disables the Connections tab and re-enables it on a graceful disconnect of the VPN client. The trouble arises when a user abruptly closes the AnyConnect VPN client. The "Connections" tab is left hidden and subsequent connects/disconnects of the VPN client do not restore it.

To restore the tab, delete the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]

Thursday, March 8, 2012

HOWTO: Generate and import an SSL certificate on VMware View Connection Server

To generate and import an SSL certificate on the View Connection Server:
  • Certificates are required only for client-facing systems, such as Standard, Replica, or Security servers.
  • Information appearing within angle brackets (< >) represents variable information. Do not include the brackets when typing commands.
  1. Add keytool to the system path:
    1. In your View Connection Server or Security Server host, right-click My Computer and click Properties.
    2. Click the Advanced tab.
    3. Click Environment Variables.
    4. In the System variables group, select Path and click Edit.
    5. Type the path to the JRE directory in the Variable Value text box. For example, install_directory\VMware\VMware View\Server\jre\bin.

      Note: Use a semicolon (;) to separate each entry from the other entries in the text box.
  2. Generate a Keystore and Certificate:
    1. Open a command prompt and run this command using keytool to generate a Keystore file:
       keytool -genkey -keyalg "RSA" -keystore <keystore_file> -storetype pkcs12 -validity 360
       To generate a 2048-bit key, run this command:
       keytool -genkey -keyalg "RSA" -keystore <keystore_file> -storetype pkcs12 -validity 360 -keysize 2048
    2. When keytool prompts you for the first and last name, type the fully qualified domain name (FQDN) that the client computers use to connect to the host.
    3. Enter all other information to complete the keystore file.
    4. After keytool creates the Keystore file in the current directory, back up the file.
  3. Obtain a Signed Certificate from a CA:
    1. Open a command prompt and run this command using keytool to create a CSR:
       keytool -certreq -keyalg "RSA" -file <csr_file> -keystore <keystore_file> -storetype pkcs12 -storepass <password>
      • keytool creates the CSR file in the current directory.
      • The keystore password must be at least 6 characters and cannot be left blank.
    2. Send the CSR to the CA according to the CA's enrollment process and request a certificate in PKCS#7 format.

      Some CAs provide certificates only in PKCS#12 format. If you download a certificate in the PKCS#12 format, you must convert it to PKCS#7 format.  Some vendors may use type rather than file type.  In this case request a Tomcat certificate.

      To convert a PKCS#12 certificate to PKCS#7 format:
      1. Open the certificate file in Internet Explorer.

        Note: Verify that the certificate chain is complete, including root and intermediate certificates.
      2. In the Details tab, click Copy to File. The Certificate Export wizard appears.
      3. Specify PKCS#7 format, include all certificates in the certification path, and then click Next.
      4. Specify a filename and click Next.
      5. Click Finish to export the file in PKCS#7 format. The file is saved with a .P7B extension.
  4. Import the Signed Certificate into a Keystore file.

    To import the Signed Certificate into a keystore file, open a command prompt and run this command using keytool:
    keytool -import -keystore <keystore_file> -storetype pkcs12 -storepass <password> -keyalg "RSA" -trustcacerts -file <certificate_file>

    Note: The storepass must be the same password that was used to generate the CSR in step 3.
  5. Configure the View Security Server to use the new certificate:
    1. Copy the Keystore file that contains your certificate to the SSL gateway configuration directory on the View Connection Server or security server host. For example, install_directory\VMware\VMware View\Server\sslgateway\conf\keys.p12.
    2. Add the keyfile and keypass properties to the file in the SSL gateway configuration directory on the View Connection Server or security server host.

      Note: If the file does not exist, you must create it.
    3. Set the keyfile property to the name of your Keystore file.
    4. Set the keypass property to the password for your Keystore file. For example:
       keyfile=keys.p12
  6. Restart the View Connection Server service or Security Server service for the changes to take effect.
  7. Ensure that the certificate is being used by checking the debug log on the server.
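
A check that can be run on the keystore before it is copied to the server in step 5, added here as an example (it is not part of the VMware procedure). It inspects the text printed by keytool -list -v; the function name Test-KeystoreListing, the host name view.example.com and the sample listing are constructed for illustration.

```powershell
# Added example: checks the text printed by
#   keytool -list -v -keystore <keystore_file> -storetype pkcs12
# Test-KeystoreListing and view.example.com are hypothetical names.
function Test-KeystoreListing {
    param([string]$Listing, [string]$Fqdn)
    $problems = @()
    # The signed certificate must sit on the generated key pair, not in a separate entry.
    if ($Listing -notmatch '(?m)^Entry type: PrivateKeyEntry') {
        $problems += 'No PrivateKeyEntry: the signed certificate is not attached to the private key.'
    }
    # A chain of 1 normally means the keystore still holds the self-signed certificate from -genkey.
    if ($Listing -match '(?m)^Certificate chain length: (\d+)') {
        if ([int]$Matches[1] -lt 2) {
            $problems += 'Chain length 1: root and intermediate certificates are missing.'
        }
    } else {
        $problems += 'No certificate chain in the listing.'
    }
    # The "first and last name" answer becomes the CN and must be the FQDN clients connect to.
    if ($Listing -match '(?m)^Owner: CN=([^,\r\n]+)') {
        if ($Matches[1] -ne $Fqdn) { $problems += "CN '$($Matches[1])' does not match '$Fqdn'." }
    } else {
        $problems += 'No Owner line with a CN in the listing.'
    }
    $problems
}

# Constructed sample: the keystore as it looks after step 2, before the CA reply is imported.
$sample = @'
Keystore type: PKCS12
Your keystore contains 1 entry

Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=view.example.com, OU=IT, O=Example, L=City, ST=State, C=US
Issuer: CN=view.example.com, OU=IT, O=Example, L=City, ST=State, C=US
'@

Test-KeystoreListing -Listing $sample -Fqdn 'view.example.com'

# Against a real keystore (keytool prompts for the password):
#   $out = (keytool -list -v -keystore keys.p12 -storetype pkcs12) -join "`n"
#   Test-KeystoreListing -Listing $out -Fqdn 'view.example.com'
```

An empty result means all three checks passed; each returned string names one thing to fix before restarting the service.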