There may come a time when you want to turn off Windows firewall and ensure that it doesn’t come back on. Windows appears to do this randomly (I’m sure there is a reason). To ensure that it is disabled, you can use Group Policy when on a domain. However, when you are off the domain, you need to do it locally. Using GPEDIT.MSC, you can do this on a machine.
Open up GPEDIT.MSC and browse to Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. In there, you will see several profiles. Under each profile, change “Windows Firewall: Protect all network connections” to Disabled. This will effectively disable the Windows Firewall and not allow anyone/anything to turn it back on. Repeat this for every profile where it makes sense.
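Because that policy silently overrides whatever the firewall service reports, it is worth being able to spot machines where it has been set. The following PowerShell audit is an added example, not part of the original post; it assumes the policy writes the EnableFirewall value under the standard HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall profile keys and that Get-NetFirewallProfile is available (Windows 8 / Server 2012 and later).

```powershell
# Added example: report, per profile, whether local/domain policy forces the
# Windows Firewall off and compare that with the live state of the service.
# Assumption: the "Protect all network connections" / "Firewall state" policy
# writes EnableFirewall (DWORD, 0 = off) under the keys listed below.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Policy key name -> profile name understood by Get-NetFirewallProfile
$profiles = [ordered]@{
    DomainProfile   = 'Domain'
    StandardProfile = 'Private'
    PublicProfile   = 'Public'
}

foreach ($key in $profiles.Keys) {
    $path   = Join-Path $policyRoot $key
    $policy = 'not set'

    if (Test-Path $path) {
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).EnableFirewall
        if ($null -ne $value) {
            $policy = if ($value -eq 0) { 'forced OFF' } else { 'forced ON' }
        }
    }

    # Live state as the firewall service reports it (policy wins when it is set)
    $live = (Get-NetFirewallProfile -Name $profiles[$key]).Enabled

    [pscustomobject]@{
        Profile = $profiles[$key]
        Policy  = $policy
        Live    = $live
        Note    = if ($policy -eq 'forced OFF') { 'REVIEW: policy disables firewall' } else { '' }
    }
}
```

Run it in an elevated PowerShell session; a row whose Policy column reads “forced OFF” is a machine where GPEDIT.MSC (or a GPO) has locked the firewall off, regardless of what the Windows Firewall control panel shows.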
So one of my pet peeve statements is “That’s the way we’ve always done it.” In my current position, I was shown how to use our template images in VMware to produce new machines and which options to select. I always felt something was missing in the process. Recently, I was reading an article on VMware and sysprep as I was considering redoing the image and taking out a lot of manual work. Then I learned about customization templates, which I never knew existed because I did it the way it was always done! Here are a few things I learned about using the customization templates, and I’ll keep adding as I find more.
What is it?
The customization template is basically applying sysprep to a Windows box after it is cloned or deployed. You don’t have to do the process yourself before the last shutdown. VMware Tools will do it for you. It will join the domain, apply a license, run scripts, set up a NIC, etc. Don’t do this yourself. Let VMware do it for you.
Post Install Scripts
I could not find any documentation detailing this. From what I can tell, this creates a “RunOnce” key after the sysprep is complete. When you set your auto-login reboot count to at least one, on the first login, VMware Tools will run a script. This will be running as the local Administrator user in the user context after the WinLogon startup process, but before the desktop loads. I added a batch file that asks a few questions during the login and then reboots the machine one last time. I also set up a RunOnce key to delete the folder after it was done. Here is the interesting thing, though. I’ve seen other RunOnce keys run before the reboot. So it may be deleting it sooner. Keep that in mind… adding new RunOnce keys manually during this process may result in them running right after, not on the next reboot.
You can specify network settings in the template and have it ask you for the IP when you apply the customization later. If you do this and use different VLANs, make sure you change the VLAN to the one matching the subnet range that you specified in the template. If you don’t and it can’t get to the network during the customization, it will not apply correctly, such as joining the domain. You’ll find yourself doing everything manually or starting over again.
I was presented with a question from a user the other day. They needed to be able to use Adobe Flash on a Windows 2012 R2 server while using Internet Explorer. Apparently, they have regular users logging into the server to grab information from the web server application it was running. Aside from the blatant security issues of using Flash in IE, and why they don’t access it remotely via HTTP, I don’t know, but I will be looking into it. So I started looking into installing Flash. The installer that they had downloaded, presumably from their machine, told me “Your Microsoft Internet Explorer browser includes the latest version of the Adobe Flash Player built-in.” Well, I went to the Adobe Flash test page, and it didn’t load Flash. So where was it? Well, after some digging, I finally discovered that while IE 11 does indeed contain Adobe Flash, it does not contain it on Windows Server 2012 unless you install the Desktop Experience. I only found one other webpage that appeared to mention this, so I thought I would help spread the word. If you need Adobe Flash on Server 2012, make sure you install the Desktop Experience feature. Keep in mind, however, that it will require not one, but two reboots. After you install the feature and reboot, it will apply settings at bootup, then reboot again.
Where I work right now, they use a Nortel phone system. For voicemail, they use CallPilot. The CallPilot system happens to be on the network, which is rather intriguing. For the department I am in, we use an Asterisk phone system that talks to the Nortel. I’ve always wondered, however, if there was a phone directory of the extensions. I was told no. So I did some digging. I happened across an LDAP server running on the CallPilot system. After some hacking, I discovered that the LDAP system had all the names in it (outdated, of course). Two caveats though: it only has the extensions which have voicemail, and it is using LDAP 2.0.
There are times when I need a Windows program that performs an outside function to simply access a website with a particularly formed URL. Many times, these programs do not have an option to “touch” a URL. By touch, I am referencing the touch command in Linux, which creates an empty file. Sometimes I need to touch something like http://www.somewebsite.com/folder/update.php?q=Update. I could use wget for Windows, but why do that when I could use a built-in function of Windows? I wrote a VBScript that simply “gets” a URL and exits.
' Created by Jason C. Greb
Option Explicit
Dim Args, URL, oHTTP
Set Args = WScript.Arguments
If Args.Count < 1 Then ' Bail out with a usage message instead of an index error
    WScript.Echo "Usage: cscript " & WScript.ScriptName & " ""<url>"""
    WScript.Quit 1
End If
URL = Args(0) ' Read argument (must be in quotes)
Set oHTTP = CreateObject("MSXML2.XMLHTTP")
oHTTP.Open "GET", URL, False ' Synchronous GET, so the script waits for the response
oHTTP.Send ' Send to the server
'WScript.Echo oHTTP.Status ' Output the HTTP status code if you'd like
Set oHTTP = Nothing
This script takes an argument after it, in quotes, accesses that URL, then quits. You can add it to your program that runs an external program and put the argument after it. Keep in mind that you may need to reference cscript.exe (usually in System32), then the script, then the argument.
From time to time in a corporate network, a user may lock out their account accidentally. In the corporate network that I am involved in, there are generic accounts (unfortunately with dead simple passwords) that occasionally get locked. Since this is a 24/7 operation, it can happen in the middle of the night (in fact, it is more common at night). So to ease this a bit, and be proactive, I decided to find a way to get an alert every time an account gets locked. I, of course, just used Windows’ easy-to-use built-in feature. Oh wait, Windows doesn’t have that… Read on for how I did this…