20 Dos and don’ts to prevent coronavirus from spreading

1- Do: Avoid large crowds. The best way to slow the spread of the virus and protect those at risk of serious illness is social distancing, according to the Centres for Disease Control and Prevention. That means it’s important to avoid crowded spaces, community gatherings and other events that could speed up the spread of the virus.

2- Don’t: Hoard paper and hygiene products so that there’s none left. “Panic buying is a self-fulfilling prophecy,” Karan Girotra, professor of operations at Cornell University, told USA Today. “If everyone thinks things are going to run out, they go and buy out things and they do run out.”

3- Do: Call your doctor if you’re displaying symptoms of the illness. Fever, cough and shortness of breath are the most common symptoms of the coronavirus known as COVID-19.

4- Don’t: Panic. The CDC still considers the general public’s risk as “low.” But seniors and those with compromised immune systems face a higher risk of serious illness, so it’s important to follow the CDC and local officials’ instructions. It’s unlikely that the virus is transmitted through food or sex, so there’s little reason to worry about either of those things.

5- Do: Care for your pets like normal. It’s highly unlikely that dogs and cats can pass coronavirus to people, the Associated Press recently reported. Experts from two universities in Hong Kong and the World Organisation for Animal Health agreed that “human-to-animal” transmission would be more common, but only low levels of infection have been reported so far.

6- Don’t: Kiss your dog or cat. Although the risk of catching the infection is low, Hong Kong’s Agriculture, Fisheries and Conservation Department still suggests pet owners not kiss their cat or dog for the sake of good hygiene, the Associated Press recently reported.

7- Do: Wash your hands for at least 20 seconds. According to the Centers for Disease Control and Prevention, the best defense against the virus is washing your hands with soap and water for at least 20 seconds before eating, after using the bathroom and after blowing your nose, coughing or sneezing.

8- Don’t: Touch your face. Coronavirus begins in the eyes, nose or mouth, The Washington Post recently reported. The more you touch your face, the more you increase your risk of exposure to the virus.

9- Do: Use hand sanitizer when soap and water isn’t available. The CDC recommends that the hand sanitizer contain at least 60% alcohol.

10- Don’t: Leave used tissues on the couch, nightstand or anywhere but a garbage can. The virus is spread through respiratory droplets that can survive on hard surfaces.

11- Do: Regularly clean hard surfaces, including TV remotes, cellphones, light switches and doorknobs. The CDC recommends wearing gloves and only using disinfectants registered with the Environmental Protection Agency, which recently released a list of products that kill coronavirus from surfaces.

12- Don’t: Leave your purse on the ground. A 2013 study from Initial Washroom Hygiene, a UK-based hygiene and washroom services company, showed that handbags have more bacteria than a toilet seat. Putting your purse on the ground of a public restroom or the floor of a bus increases your exposure to not only bacteria but also viruses.

13- Do: Wear a face mask if you’re a health care provider or caregiver. The World Health Organization recommends washing your hands frequently, avoiding touching your face or the mask and throwing them away in a closed garbage bin.

14- Don’t: Buy face masks if you’re not in the health care industry. Not only could a mask shortage be detrimental to health care professionals but also masks could increase residents’ chance of infection because they’re often worn improperly.

15- Do: Be careful while continuing to use public transportation. Several agencies, including SMART and San Francisco’s BART, are cleaning and disinfecting their trains more frequently to prevent the virus from spreading. Other safety measures include standing or sitting away from others, limiting contact with train and bus poles, carrying hand sanitizer, keeping your purse off the ground and avoiding eating, drinking or using your phone, according to Business Insider.

16- Don’t: Use Lyft, Uber or public transportation if you’re showing symptoms of coronavirus, which include coughing, difficulty breathing and fever, to prevent the virus from spreading.

17- Do: Choose a window seat if you’re traveling on an airplane. You’re the least likely to come into contact with someone affected by any virus, according to National Geographic, although washing your hands and avoiding coughing passengers is also recommended.

18- Don’t: Travel to China, South Korea, Italy and Iran unless absolutely necessary. The CDC issued a Level 3 warning, the most extreme included in its guidelines, for US residents to avoid all nonessential travel to these countries because of the virus.

19- Do: Be cautious, but continue to support local restaurants. The wine and beverage industry may take a hit from the coronavirus. Because the CDC is urging people across the country to distance themselves from others and avoid crowded places, the best way to support local restaurants is buying gift cards or ordering takeout. The New York Times recently reported that food likely cannot carry the coronavirus, but it’s important to be mindful of menus and serving utensils that others may have touched.

20- Do: Have two weeks of groceries on hand in case you’re quarantined for two weeks. Dry goods such as rice, pasta, beans and oats, along with canned goods such as tomatoes and beans, are recommended, according to Business Insider. Other items include pet food, prescriptions and diapers if you have children.

PowerShell Install-Module: The term ‘Install-Module’ is not recognized

PowerShell error: Install-Module: The term ‘Install-Module’ is not recognized as the name of a cmdlet.
This error is mainly caused by the limited set of cmdlets and resources available on the machine.

This TechNet Gallery article will help you resolve the error “Install-Module: The term ‘Install-Module’ is not recognized as the name of a cmdlet.”
These steps require a system restart, so save any unsaved documents before following them.
To resolve this, update to Windows Management Framework 5.1 using the link below:

https://www.microsoft.com/en-us/download/details.aspx?id=54616
* Tested on a client machine.

Step 1: Run PowerShell as Administrator.

Step 2: Try the command Install-Module msonline:
PS C:\Users\Administrator>Install-Module msonline
It gives the error:
Install-Module : The term ‘Install-Module’ is not recognized as the name of a cmdlet, function, script file,or operable program.
Check the spelling of the name, or if a path was included,verify that the path is correct and try again.
At line:1 char :1
+Install-module msonline

Step 3: To check the host version, type Host and press Enter:

PS C:\Users\Administrator>HOST

Step 4: If the host version is 4.0 or below, you need to download and install Windows Management Framework 5.1.

Update to Windows Management Framework 5.1 using the link below:

https://www.microsoft.com/en-us/download/details.aspx?id=54616
* Note: Installing Windows Management Framework 5.1 restarts the machine, so save any unsaved documents first.

Step 5: Choose the download that matches your operating system.

Step 6: Once the machine has restarted, run PowerShell as Administrator again.

Step 7: Confirm that the host version has been updated to 5.1 (type Host again).
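A pre-flight check for the procedure above, added here as an example (not part of the original article): it reports the host and engine versions and whether Install-Module and the PowerShellGet module are present, so you can tell before rebooting whether the WMF 5.1 update is actually what is missing. The function name Test-InstallModuleReady is my own.

```powershell
# Added example: run in an elevated PowerShell prompt before following the WMF 5.1 steps.
function Test-InstallModuleReady {
    $result = [ordered]@{
        EngineVersion    = $PSVersionTable.PSVersion          # same value "Host" reports in Step 3
        HostVersion      = (Get-Host).Version
        HasInstallModule = [bool](Get-Command Install-Module -ErrorAction SilentlyContinue)
        HasPowerShellGet = [bool](Get-Module -ListAvailable -Name PowerShellGet)
    }

    if ($result.HostVersion.Major -lt 5) {
        # This is the case the article describes: PowerShell 4.0 or below has no Install-Module
        Write-Warning ("Host version {0} is below 5.0; install Windows Management Framework 5.1 " +
                       "from the link above and reboot.") -f $result.HostVersion
    }
    elseif (-not $result.HasInstallModule) {
        # 5.x is present but the cmdlet is still missing: PowerShellGet itself is absent or not loadable
        Write-Warning "PowerShell 5.x is present but Install-Module is still missing; check that the PowerShellGet module is installed."
    }
    else {
        Write-Host "Install-Module is available; 'Install-Module msonline' should now work."
    }

    [pscustomobject]$result
}

Test-InstallModuleReady
```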

Component-Based Servicing (cbs.log) causes all drive space to be consumed

Because I’ve seen this question asked in many places and not answered, I thought I’d post my issue and resolution here.  I regard this as a Bug, but I’m not invested enough to deal with the support incident process.

I’ve had repeated instances where a Windows 7 x64 client runs out of hard drive space, and found that C:\Windows\TEMP is being consumed with hundreds of files with names following the pattern “cab_XXXX_X”, generally 100 MB each, and these files are constantly generated until the system runs out of space.  Upon removing the files & rebooting, the files start being generated again.

I’ve found that this is caused by large Component-Based Servicing logs.  These are stored at C:\Windows\Logs\CBS.  The current log file is named “cbs.log”.  When “cbs.log” reaches a certain size, a cleanup process renames the log to “CbsPersist_YYYYMMDDHHMMSS.log” and then attempts to compress it into a .cab file.

However, when the cbs.log reaches a size of 2 GB before that cleanup process compresses it, the file is too large to be handled by the makecab.exe utility.  The log file is renamed to CbsPersist_date_time.log, but when the makecab process attempts to compress it the process fails (but only after consuming some 100 MB under \Windows\Temp).  After this, the cleanup process runs repeatedly (approx. every 20 minutes in my experience).  The process fails every time, and also consumes a new ~100 MB in \Windows\Temp before dying.  This is repeated until the system runs out of drive space.

This can be reproduced by trying to manually create the cab file:

Directory of C:\CBS-BAK
12/11/2019  12:28 PM    <DIR>          .
12/11/2019  12:28 PM    <DIR>          ..
12/11/2019  12:12 PM     2,491,665,966 CbsPersist_20150823021618.log

C:\CBS-BAK>makecab CbsPersist_20150823021618.log
Cabinet Maker – Lossless Data Compression Tool
86.19% – CbsPersist_20150823021618.log (1 of 1)
ERROR: (FCIAddFile)Data-size or file-count exceeded CAB format limits

C:\CBS-BAK>dir %TEMP%\cab*
Volume in drive C is OSDisk
Volume Serial Number is 44DE-0CDD
Directory of C:\Users\USERNAME\AppData\Local\Temp
08/26/2015  02:31 PM       102,786,654 cab_4556_2

12/11/2019  12:28 PM        12,978,919 cab_5860_2
12/11/2019  12:27 PM                 0 cab_5860_3

To resolve this:

  1. Stop the Windows Modules Installer (TrustedInstaller) service.
  2. Delete or move the large CbsPersist_XX.log file out of \Windows\Logs\CBS.
  3. Start the Windows Modules Installer (TrustedInstaller) service.
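The three resolution steps as a script, added here as an example and not part of the original post. It assumes an elevated prompt, uses the 2 GB makecab limit described above as the threshold, and moves the logs to C:\CBS-BAK (the same folder the post's reproduction used) rather than deleting them.

```powershell
# Added example: stop TrustedInstaller, move any CbsPersist log makecab cannot compress, clear the
# failed cab_* temp files, and start the service again.
$cbsLogDir  = "$env:SystemRoot\Logs\CBS"
$archiveDir = 'C:\CBS-BAK'          # destination for the oversized logs (constructed path)
$limitBytes = 2GB                   # CAB format limit that makecab hits, per the post

# Only CbsPersist_*.log files at or above the limit trigger the failing makecab loop
$oversized = Get-ChildItem -Path $cbsLogDir -Filter 'CbsPersist_*.log' |
             Where-Object { $_.Length -ge $limitBytes }

if (-not $oversized) {
    Write-Host 'No oversized CbsPersist logs found; nothing to do.'
    return
}

New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null

# 1. Stop the Windows Modules Installer so it is not mid-way through another makecab attempt
Stop-Service -Name TrustedInstaller -Force
try {
    # 2. Move (rather than delete) the large logs so they can still be reviewed later
    foreach ($log in $oversized) {
        Write-Host ('Moving {0} ({1:N0} bytes)' -f $log.Name, $log.Length)
        Move-Item -Path $log.FullName -Destination $archiveDir
    }

    # Reclaim the ~100 MB cab_XXXX_X leftovers each failed makecab run left under \Windows\Temp
    Get-ChildItem -Path "$env:SystemRoot\Temp" -Filter 'cab_*' -ErrorAction SilentlyContinue |
        Remove-Item -Force -ErrorAction SilentlyContinue
}
finally {
    # 3. Start the service again even if one of the moves failed
    Start-Service -Name TrustedInstaller
}
```

Check free space afterwards; if the cab_* files reappear, a log above the limit is still present in \Windows\Logs\CBS.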

How to Disable/Enable Internet Options Tabs in Internet Explorer

As an IT guy, I always encounter problems when untrained users tweak their Internet connection settings.  They always make a mistake somewhere and sometimes the solution is to just keep them away from the Internet Options dialog box altogether.

I have worked at many companies that hide the Internet Options tab in Internet Explorer to discourage users from changing the options, which makes sense since network admins are the only ones who are supposed to access these options.

In a controlled environment, companies usually allow only one type of browser, such as Internet Explorer, and those companies usually don’t allow their employees to change Internet Options such as the default homepage and proxy server.

Below is a typical Internet Options window:

There are several ways to disable the Internet Options tabs in IE and I’ll explain the different methods in this post. The first method uses Group Policy, but will only work if you have the Pro or Ultimate versions of Windows. If you are running Home or Home Premium, then skip down to the registry section.

Disable Internet Options in IE via Group Policy

To disable any tab in the Internet Options window, follow these steps below:

Step 1: Click Start > Run, type GPEDIT.MSC in the search bar and hit Enter to launch the Group Policy editor window.

Step 2: In the Local Group Policy editor window expand User Configuration > Administrative Templates > Windows Components > Internet Explorer then click on Internet Control Panel.

Step 3: On the right pane of the window, double click on the item you want to disable. For example, to disable the Advanced tab, double click on Disable the Advanced page option.

Step 4: In the properties window, click on the Enabled option and click OK. The Advanced tab in the Internet Options window will now be disabled and removed.

Step 5: Follow the previous steps to disable other items in the Internet Options window. To enable items, just select the Not Configured option in the properties window and click OK.

There you have it!  For less savvy computer users who don’t know about GPEDIT, it should discourage them from changing the advanced settings in IE.

Disable IE Options via Registry Editor

The second way to disable tabs in IE options is to use the registry editor. This is a bit more complicated but is the only option if you can’t access the group policy editor.

You can open the registry editor by clicking on Start and typing in Regedit. Once there, navigate to the following key:

HKEY_CURRENT_USER\Software\Policies\Microsoft

Note that if you want to disable this option for all users on the PC, navigate to the same key, but under HKEY_LOCAL_MACHINE.

If there isn’t already a key called Internet Explorer under Microsoft, you’ll have to create it manually. Just right-click on Microsoft and choose New > Key. At this point, there are two options. If you want to disable the entire Internet Options dialog, you can create another key under Internet Explorer called Restrictions.

Lastly, you’ll create a new DWORD value in the right-pane inside Restrictions called NoBrowserOptions. Give that a value of 1 and restart Internet Explorer. If you try to go to Internet Options, it will give you an error message.

If you don’t want to disable the whole dialog, but instead just a few of the tabs, then you should create a new key called Control Panel under Internet Explorer instead of Restrictions. Inside of that, you’ll create DWORD entries that correspond to the tabs:

  • AdvancedTab
  • ConnectionsTab
  • ContentTab
  • GeneralTab
  • PrivacyTab
  • ProgramsTab
  • SecurityTab

As you can see above, I created the Control Panel key under Internet Explorer and then created a DWORD entry in the right-pane called AdvancedTab with a decimal value of 1. This removed just the advanced tab from the IE options window.
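The registry method above as a script, added here as an example (not from the original post). The function name Set-IEOptionsLockdown and its parameters are mine; the key paths and value names are the ones the post lists, under HKCU for the current user or HKLM for all users.

```powershell
# Added example: hide individual Internet Options tabs or the whole dialog via the policy keys.
function Set-IEOptionsLockdown {
    param(
        [ValidateSet('CurrentUser', 'AllUsers')]
        [string]$Scope = 'CurrentUser',

        # Tabs to hide; the names match the DWORD values listed in the post
        [ValidateSet('AdvancedTab', 'ConnectionsTab', 'ContentTab', 'GeneralTab',
                     'PrivacyTab', 'ProgramsTab', 'SecurityTab')]
        [string[]]$HideTab = @(),

        # Hide the entire Internet Options dialog (NoBrowserOptions) instead of single tabs
        [switch]$DisableDialog,

        # Remove the values again (the registry equivalent of "Not Configured" in Group Policy)
        [switch]$Revert
    )

    $hive         = if ($Scope -eq 'AllUsers') { 'HKLM:' } else { 'HKCU:' }
    $base         = "$hive\Software\Policies\Microsoft\Internet Explorer"
    $restrictions = Join-Path $base 'Restrictions'
    $controlPanel = Join-Path $base 'Control Panel'

    # Create the Internet Explorer, Restrictions and Control Panel keys if they are missing
    foreach ($key in $restrictions, $controlPanel) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    if ($Revert) {
        Remove-ItemProperty -Path $restrictions -Name NoBrowserOptions -ErrorAction SilentlyContinue
        foreach ($tab in $HideTab) {
            Remove-ItemProperty -Path $controlPanel -Name $tab -ErrorAction SilentlyContinue
        }
        return
    }

    if ($DisableDialog) {
        # NoBrowserOptions = 1 makes Internet Options show an error instead of opening
        New-ItemProperty -Path $restrictions -Name NoBrowserOptions -PropertyType DWord -Value 1 -Force | Out-Null
    }
    foreach ($tab in $HideTab) {
        # <Name>Tab = 1 removes just that tab from the dialog
        New-ItemProperty -Path $controlPanel -Name $tab -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Example: hide the Connections and Advanced tabs for the current user, then show what was written
Set-IEOptionsLockdown -HideTab ConnectionsTab, AdvancedTab
Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
```

Restart Internet Explorer after running it, as the post notes; the HKLM scope needs an elevated prompt.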

Hopefully, these methods will allow you to gain more control over Internet Explorer advanced settings in your environment. If you’re having issues, feel free to comment and I’ll try to help. Enjoy!

How to Enforce Multi-Factor Authentication for All Users of Your Office 365 Subscription

Multi-Factor Authentication (MFA) is a great security tool, and we always recommend it. Office 365 admins can enforce MFA for users, which means you can help protect anyone sharing your Office 365 business subscription.

To do this you’ll need to be an Office 365 administrator, which only happens with a business plan. If your Office 365 subscription comes as part of a domain hosting package, then you’ll have access to the Admin console. However, if you’ve just purchased a personal subscription (or home subscription for your family), then you won’t have access to the Admin console, and you can only turn MFA on for yourself. If you’re not sure, click the Office 365 app launcher and look for the Admin tile.

The Admin tile on the O365 app launcher

If it’s there, you’ve got access to the Admin console. Click the Admin tile, and on the menu on the left-hand side click Settings > Services and add-ins.

The "Services & add-ins" option in the Admin menu

This opens the Services and add-ins page, where you can make various tenant-level changes. One of the top items will be “Azure multi-factor authentication.”

The "Azure multi-factor authentication" option

Click this, and on the panel that opens on the right, click “Manage multi-factor authentication.”

The "Azure multi-factor authentication" link

This will take you to the multi-factor authentication page. You can immediately turn MFA on for anyone who is using your Office 365 subscription, but, before that it’s best to acquaint yourself with the default settings. To do this, click “Service Settings.”

The "service settings" tab

You can change whatever settings you like, or leave them as the defaults. One potential setting to look at changing is whether or not MFA can be remembered on a device. By default this is off, but turning it on means your family won’t have to go through the MFA process every time they want to check their email or edit a document.

If you switch this on, the default number of days a device can go before having to re-authenticate is 14, which means a phone/tablet/computer will be trusted for 14 days before the user has to go through the MFA process again. Having to go through the MFA process is simple, but having to do it every 2 weeks on every device that your family uses might still be a bit too much and you have the option to set this as high as 60 days.

If you do make any changes to this or any other settings, click “Save” at the bottom to the panel to save the changes, then click “users” to go back to turning on MFA.

The "service settings" options and the "users" tab

Now that you’ve made sure the settings are right, you can enable MFA for each user. Select the users for whom you want to turn MFA.

The users table with a selected user

To the right of the table of users, click the “Enable” option that appears.

The Enable option

On the confirmation screen, click “Enable Multi-Factor Authentication.”

The "enable multi-factor authentication" button

This will enable MFA for the user, and the next time they log in to Office 365 on the web, they’ll have to go through a process of setting up MFA. If they don’t log in very often (or you want to make sure you’re around to help them through the process), you can also send them the link from the confirmation screen so that they can set up MFA at a time that suits them. The link is https://aka.ms/MFASetup, which is the same for everyone setting up MFA.

Once you’ve clicked “Enable Multi-Factor Authentication” you’ll see a success message, which you can close.

The "Updates successful" dialogue

MFA is now enabled for the user; now, they need to set it up. Whether they wait until the next time they log in, or they use the link we mentioned above, the process for setting up MFA is exactly the same.

Log in to your Office 365 account as normal, and a screen will be displayed telling you that “your organisation needs more information to keep your account secure.”

The start of the O365 login process

Click “Next” to be taken to the “Additional security verification” panel, where you can choose your MFA method. We always recommend using an authenticator app, and you’ll have to use Microsoft Authenticator with Office 365. Even using MFA via SMS is still better than not having MFA at all, so choose the method that works best for you in the first dropdown.

The "Additional security verification" panel

We’re going to use a mobile app, which will change the available configuration options. First you need to choose whether to “Receive notifications for verification” (which means a message will pop up on the Microsoft Authenticator app on your phone asking you to approve or deny a login to your account) or whether to “Use verification code” (which means you’ll have to enter a code generated by the Microsoft Authenticator app on your phone when you log in to Office 365). Either works fine, and it’s up to you what you choose. After this, you need to click the “Set Up” button to set up the app.

Radio buttons to choose the contact method

At this point a panel will appear telling you to install the Microsoft Authenticator app on your phone and then either scan a QR code or, if you can’t scan the QR code, enter a code and URL instead. Once you’ve done this, click “Next” to go back to the Additional Security Verification window, which will show that the activation status is being checked.

The "Checking activation status" message

This may take a few seconds, and once it’s finished the message will change to show that MFA has been configured.

The successful MFA configuration message

Click Next, and Office 365 will check that everything is working. Depending on what option you selected for verification, it will either send a Deny or Approve message to your app, or ask you to enter a code from the app. In this example, it sent a Deny or Approve message and is waiting for a response.

A message displayed while waiting for you to respond to the test notification

After you’ve verified that MFA is working, you’ll be asked for a phone number in case you lose access to the app.

The mobile phone number text field

This phone number will be used as backup to use SMS or voice calls in the event that you can’t use the Microsoft Authenticator app, such as when you haven’t got Wi-Fi (or you’ve run out of data on your monthly plan, and you’re out and about). It could also be used if you’ve lost your phone, so you might want to choose the number of a family member instead of your own. Once you’ve entered a number, click “Next” to see the final screen.

The app password text box, and Finished button

This page includes a Microsoft-generated password that it will recognize as being created for MFA use. From now on you’ll need to use this password, rather than the one you normally use, in all of the following apps:

  • Outlook desktop app for your PC or Mac
  • Email apps (except the Outlook app) on an iOS, Android or BlackBerry device
  • Office 2010, Office for Mac 2011 or earlier
  • Windows Essentials (Photo Gallery, Movie Maker, Mail)
  • Zune desktop app
  • Xbox 360
  • Windows Phone 8 or earlier

The next time you try to open any of these apps they’ll ask for your password, so copy it down from here and use it when asked. We can verify that Outlook on your computer needs to use the generated password but the Outlook app on your phone doesn’t, and yes, we find that odd as well, but it’s not a great hardship.

Click “Finished,” and you’ll be taken back to the login screen to log in as normal, but this time using MFA. It’s a simple, quick process that provides a valuable layer of extra security, and one that we at How-To Geek strongly recommend.
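The same per-user enablement done for every licensed user at once, added here as an example (not part of the How-To Geek article). It uses the MSOnline module's Set-MsolUser -StrongAuthenticationRequirements, the scripted equivalent of the “Enable” button above, and assumes Install-Module MSOnline has been run and that you sign in with an admin account for the tenant.

```powershell
# Added example: enforce per-user MFA for all licensed, non-blocked users with the MSOnline module.
Import-Module MSOnline
Connect-MsolService        # interactive sign-in as the Office 365 admin

# "Enabled" matches the article's flow: the user is asked to register MFA at their next web sign-in.
# ("Enforced" would additionally require the app password from the final screen for legacy apps.)
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State        = 'Enabled'

$users = Get-MsolUser -All | Where-Object { $_.IsLicensed -and -not $_.BlockCredential }

foreach ($user in $users) {
    # Skip users who already have a requirement so the script can be re-run safely
    if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        Write-Host ('Already set: {0} ({1})' -f $user.UserPrincipalName,
                    $user.StrongAuthenticationRequirements[0].State)
        continue
    }
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @($requirement)
    Write-Host ('MFA enabled for {0}; they will be asked to register at https://aka.ms/MFASetup' -f $user.UserPrincipalName)
}

# Report: licensed users still without any MFA requirement (should be empty after the loop)
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName
```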

How to change your expired passwords in OWA Exchange 2010 SP3

Exchange Server 2010 Service Pack 1 and Exchange Server 2007 Service Pack 3 (running on Windows Server 2008 or Windows Server 2008 R2) have a new feature that will allow users with expired passwords to change their password. This also works for users who have their accounts configured to change password on next logon (User must change password at next logon in ADUC).

Use this procedure to enable it on Exchange 2007 SP3 and Exchange 2010 SP1 Client Access servers:

Note: If you are using a CAS Array, you must perform these steps on each CAS in the array.

  1. On the Client Access Server (CAS), click Start > Run and type regedit.exe and click OK.
  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
  3. Right click the MSExchange OWA key and click New > DWord (32-bit).
  4. The DWORD value name is ChangeExpiredPasswordEnabled and set the value to 1.
    Note: The values accepted are 1 (or any non-zero value) for “Enabled” or 0 or blank / not present for “Disabled”
  5. After you configure this DWORD value, you must reset IIS. The recommended method to reset IIS is to use IISReset /noforce from a command prompt.

Important: When changing passwords, users can’t use a UPN (for example, johndoe@contoso.com) in the Domain\user name field in the Change Password window shown below, unless E2010 SP1 RU3 or later has been deployed on the Client Access servers.
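Steps 2 to 5 applied to every member of a CAS array in one go, added here as an example and not part of the original article. It assumes PowerShell remoting is enabled on the Client Access servers; the server names are constructed placeholders.

```powershell
# Added example: set ChangeExpiredPasswordEnabled on each CAS, verify it, then reset IIS (/noforce).
$casServers = 'CAS01', 'CAS02'    # replace with the members of your CAS array (constructed names)

Invoke-Command -ComputerName $casServers -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'

    # Per the article's note: any non-zero value = Enabled, 0 or absent = Disabled
    New-ItemProperty -Path $key -Name ChangeExpiredPasswordEnabled -PropertyType DWord -Value 1 -Force | Out-Null

    # Read back what is stored before touching IIS
    $value = (Get-ItemProperty -Path $key -Name ChangeExpiredPasswordEnabled).ChangeExpiredPasswordEnabled
    '{0}: ChangeExpiredPasswordEnabled = {1}' -f $env:COMPUTERNAME, $value

    # Step 5: the recommended reset, which lets current requests finish first
    iisreset /noforce | Out-Null
}
```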

Troubleshooting Failed Login Attempts in Windows Active Directory Server

In Event Viewer, we should look for the following information (filter the Security log):

Security log, events 4625 and 4771 (format for filtering is: 4625,4771).

We need to filter for these two events since we don’t know if the user failed to authenticate using NTLM (4625) or Kerberos (4771).

References:

4625(F): An account failed to log on

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

4771(F): Kerberos pre-authentication failed

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771

With a view containing only events 4625 and 4771 we can then search (Find…) the user we are troubleshooting.

We should be looking for, and should see, the following information in each of the events.

4625:

You can refer to the article above for a full description on the Status and Sub-Status codes.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/21/2019 10:40:19 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.contoso.local
Description:
An account failed to log on.

Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: test2016 -> This should be showing the account you are troubleshooting.
  Account Domain: WIN2K16MEMBER

Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xC000006D -> These are the fields you should also be looking at.
  Sub Status: 0xC0000064 -> We can have either 0xC0000064 or 0xC000006A.

Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -

Network Information:
  Workstation Name: WIN2K16MEMBER -> This might not show on this event, but if it does, this is where the bad password is coming from.
  Source Network Address: 192.168.0.31 -> This might not show on this event, but if it does, this is the IP where the bad password is coming from.
  Source Port: 49735

Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

If the above event does not show the Network Information details, you will have to enable the Netlogon debug log to have more tracing and NTLM authentication information.

You can refer to the following article for the full instructions on how to enable and disable Netlogon debugging:

Enabling debug logging for the Netlogon service

https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service

Enabling and disabling Netlogon debugging is quite easy, but it should only be enabled for troubleshooting purposes and disabled afterwards:

Enable Netlogon debug:

From an elevated command prompt (as administrator), run the following command:

nltest /dbflag:2080ffff

Disable Netlogon debug:

From an elevated command prompt (as administrator), run the following command:

nltest /dbflag:0x0

The netlogon debug log can then be found under C:\Windows\debug\netlogon.log

In the netlogon debug log we should look for (Find…) the user we are troubleshooting, and should be able to find information similar to the below:

08/15 16:38:22 [LOGON] [608] CONTOSO: SamLogon: Generic logon of CONTOSO.LOCAL\test2016 from ( WIN2K16MEMBER ) (via JUMPSERVER) Returns 0xC000006A

This entry tells you where the bad password came from.

4771:

You can refer to the article above for a full description on the Failure Codes.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/26/2019 11:47:11 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.contoso.local
Description:
Kerberos pre-authentication failed.

Account Information:
  Security ID: CONTOSO\Administrator
  Account Name: Administrator -> This should be showing the account you are troubleshooting.

Service Information:
  Service Name: krbtgt/CONTOSO

Network Information:
  Client Address: ::ffff:192.168.0.4 -> This might not show on this event, but if it does, this is the IP where the bad password is coming from.
  Client Port: 49908

Additional Information:
  Ticket Options: 0x40810010
  Failure Code: 0x18 -> This is the Failure Code we should be looking for: the wrong password was provided.
  Pre-Authentication Type: 2

Certificate Information:
  Certificate Issuer Name:
  Certificate Serial Number:
  Certificate Thumbprint:
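The manual search described for the 4625 and 4771 samples and for the netlogon.log line, as one script added here as an example (not part of the original article). It queries the DC's Security log for both event IDs, keeps only the troubleshooted account, extracts the Status/Sub Status or Failure Code plus the source workstation/IP, and then greps netlogon.log for the same account if debug logging is on. The function name Get-BadPasswordSources, the account name and the DC name are my own placeholders.

```powershell
# Added example: where are the bad passwords for one account coming from?
function Get-BadPasswordSources {
    param(
        [Parameter(Mandatory)] [string]$Account,
        [string]$DC    = 'DC2.contoso.local',   # constructed placeholder, as in the samples above
        [int]$Hours    = 24
    )
    # Codes the article calls out; anything else is looked up in the event references above
    $KnownCodes = @{
        '0xc000006d' = 'Status: unknown user name or bad password'
        '0xc0000064' = 'Sub Status: user name does not exist'
        '0xc000006a' = 'Sub Status: wrong password'
        '0x18'       = 'Kerberos: pre-authentication failed (wrong password)'
    }
    $rows = New-Object System.Collections.Generic.List[object]

    # Same filter the article applies in Event Viewer: Security log, IDs 4625 and 4771
    $filter = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">; turn it into a name -> value table
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $Account) { continue }

        if ($e.Id -eq 4625) {
            # NTLM failure: Sub Status says whether the name or the password was wrong;
            # Workstation Name / Source Network Address (when present) say where it came from
            $code   = ('' + $d['SubStatus']).ToLower()
            $source = ('{0} {1}' -f $d['WorkstationName'], $d['IpAddress']).Trim()
            $pkg    = $d['AuthenticationPackageName']
        }
        else {
            # Kerberos pre-auth failure: Failure Code 0x18 is the bad-password case
            $code   = ('' + $d['Status']).ToLower()
            $source = ('' + $d['IpAddress']) -replace '^::ffff:', ''
            $pkg    = 'Kerberos'
        }
        $meaning = if ($KnownCodes.ContainsKey($code)) { $KnownCodes[$code] } else { 'see the event reference links above' }
        $rows.Add([pscustomobject]@{
            Time = $e.TimeCreated; Event = $e.Id; Package = $pkg
            Source = $source; Code = $code; Meaning = $meaning
        })
    }

    # netlogon.log (only written while nltest /dbflag:2080ffff is on) names the workstation and
    # any intermediate "via" host; the pattern follows the sample SamLogon line in the article
    $netlogon = '\\{0}\admin$\debug\netlogon.log' -f $DC
    $pattern  = 'SamLogon:.*\\' + [regex]::Escape($Account) +
                '\s+from\s+\(\s*(?<ws>\S+)\s*\)(?:\s+\(via\s+(?<via>\S+)\))?\s+Returns\s+(?<code>0x[0-9A-Fa-f]+)'
    if (Test-Path $netlogon) {
        foreach ($hit in Select-String -Path $netlogon -Pattern $pattern) {
            $g    = $hit.Matches[0].Groups
            $code = $g['code'].Value.ToLower()
            $src  = $g['ws'].Value
            if ($g['via'].Success) { $src += ' via ' + $g['via'].Value }
            $meaning = if ($KnownCodes.ContainsKey($code)) { $KnownCodes[$code] } else { '' }
            $rows.Add([pscustomobject]@{
                Time = $hit.Line.Substring(0, 14); Event = 'netlogon'; Package = 'NTLM'
                Source = $src; Code = $code; Meaning = $meaning
            })
        }
    }
    $rows
}

# Usage: which hosts are sending bad passwords for test2016?
Get-BadPasswordSources -Account 'test2016' | Format-Table -AutoSize
```

Run it on or against the DC that logged the failures; when Source is blank for 4625 you are in the case the article describes and need the Netlogon debug log.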

This was the easy part!

The hard part is often to troubleshoot from the client side as we don’t have any specific procedure to understand what is sending the bad passwords.

An application? A Scheduled Task? A script?

It can be any or all of them, and for that reason we often need to revisit the client workstation to continue searching for the culprit(s).

Sometimes it is a middle device that connects the user to Exchange, SQL or any other resource, and the same steps need to be taken on each device in the middle until we get back to the originating source.

More information:
You can also check the articles below for more troubleshooting information and tips regarding account lockouts:

Active Directory: Bad Passwords and Account Lockout

https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx

Active Directory: Troubleshooting Frequent Account Lockout

https://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx

Troubleshooting account lockout the PSS way

https://blogs.technet.microsoft.com/instan/2009/09/01/troubleshooting-account-lockout-the-pss-way/

How to Disable Inactive User Accounts Using PowerShell

Inactive Active Directory (AD) user accounts can pose a security risk to organizations, in situations such as when former employees still have active accounts months after leaving the company because HR failed to inform IT, or accounts might be created for a particular purpose but never deleted after the event. Whatever the reason for the existence of such accounts, Active Directory can quickly get out of control, in turn making your systems harder to audit and less secure.

Active Directory Module for PowerShell

The PowerShell module for Active Directory allows system administrators to query Active Directory and generate reports using the resulting data. The AD module for PowerShell is installed by default on Windows Server 2012 domain controllers, or alternatively you can download the Remote Server Administration Tools (RSAT) for Windows 8.1 and install the module using the command below.

Log in as a local administrator, open a PowerShell prompt, type the code below and press ENTER to install the AD module for PowerShell:

Install-WindowsFeature RSAT-AD-PowerShell

Search Active Directory for Inactive Accounts

The Search-ADAccount cmdlet provides an easy way to query Active Directory for inactive user accounts:

Search-ADAccount -UsersOnly -AccountInactive

Figure 1

The above command returns all inactive accounts. To narrow down the results to a specific time range, you can add the -TimeSpan parameter to Search-ADAccount. In the example below, a variable defines the value for the -TimeSpan parameter, using the New-TimeSpan cmdlet to simplify the input:

$timespan = New-TimeSpan -Days 90

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan

Alternatively, you can specify the -DateTime parameter to return accounts that have been inactive since a given date. In the command that follows, accounts not active since May 5th 2014 are returned:

Search-ADAccount -UsersOnly -AccountInactive -DateTime '5/20/2014'

To get more user-friendly information about the accounts, pipe the results to the Get-ADUser cmdlet and then choose the columns to display in the output using Select:

Search-ADAccount -UsersOnly -AccountInactive | Get-ADUser -Properties Department,Title | Select Name,Department,Title,DistinguishedName

Figure 2

The results can also be sorted by a specified field, in this example by the LastLogonDate attribute, which is derived from LastLogonTimestamp and converted into a readable format. Get-ADUser does not return LastLogonDate unless it is requested, so it has to be added to -Properties for the sort to work:

Search-ADAccount -UsersOnly -AccountInactive | Get-ADUser -Properties Department,Title,LastLogonDate | Sort LastLogonDate | Select Name,Department,Title,LastLogonDate,DistinguishedName

It’s worth noting that unlike the LastLogOn attribute, LastLogonTimestamp is synchronized between domain controllers, but can be 9 to 14 days out-of-date, so you should bear this in mind when processing your results.

Another way to simplify the output and count the number of inactive users is to pipe the results to the Measure cmdlet:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Measure

As with any other PowerShell cmdlets, the results can be piped to Out-GridView, or to a comma-delimited file so that the results can be imported into Excel.

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Out-GridView

Disable Inactive Accounts

Once you’ve got the set of results you’re looking for, all you need to do is pipe them to the Disable-ADAccount cmdlet as shown here to disable the accounts:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
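The one-liner above disables everything Search-ADAccount returns. The following is an added example (not from the original article) of the same operation done the way an auditor would want it: exclusions for accounts that must never be touched, a CSV of what was found before anything changes, an allowance for the 9 to 14 day LastLogonTimestamp lag mentioned earlier, -WhatIf support, and a description stamped on each disabled account. The function name, the exclusion list and the report path are mine.

```powershell
# Added example: report, then disable, inactive AD user accounts with an audit trail.
function Disable-InactiveADUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$InactiveDays = 90,
        # Accounts this script must never disable (constructed names; add your service accounts)
        [string[]]$Exclude = @('Administrator', 'krbtgt', 'svc-backup'),
        [string]$ReportPath = "$env:TEMP\inactive-users-$(Get-Date -Format yyyyMMdd).csv"
    )
    Import-Module ActiveDirectory

    # LastLogonTimestamp can lag the real last logon by 9-14 days, so widen the window by that much
    $timespan = New-TimeSpan -Days ($InactiveDays + 14)
    $cutoff   = (Get-Date).AddDays(-$InactiveDays)

    # Already-disabled and excluded accounts are dropped before the expensive Get-ADUser lookups;
    # accounts that have never logged on are only stale if they were created before the cutoff
    $candidates = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan |
        Where-Object { $_.Enabled -and ($Exclude -notcontains $_.SamAccountName) } |
        Get-ADUser -Properties Department, Title, LastLogonDate, WhenCreated |
        Where-Object { $_.LastLogonDate -or ($_.WhenCreated -lt $cutoff) } |
        Select-Object SamAccountName, Name, Department, Title, LastLogonDate, WhenCreated, DistinguishedName

    # Write the list first so there is a record even if the run is interrupted
    $candidates | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Verbose ('{0} inactive account(s) written to {1}' -f @($candidates).Count, $ReportPath)

    foreach ($user in $candidates) {
        $why = 'Disable inactive account (last logon: {0})' -f $user.LastLogonDate
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, $why)) {
            Disable-ADAccount -Identity $user.SamAccountName
            # Leave a note so a later reviewer can see why and when the account was disabled
            Set-ADUser -Identity $user.SamAccountName -Description ('Disabled {0}: inactive > {1} days' -f (Get-Date -Format s), $InactiveDays)
        }
    }
    $candidates
}

# Dry run first: -WhatIf lists what would be disabled without changing anything
Disable-InactiveADUsers -InactiveDays 90 -WhatIf -Verbose
```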

IPSEC Service fails to start in Windows 2003 Server with Error 2: The system cannot find the file specified

Upon rebooting a Terminal Server that had resource issues, we could not log back into the server through RDP.  We could log in through iLO, and it was apparent that the logins were working but they were very slow.  Upon examining the services, we could see that the IPSEC service was not started. 

Trying to manually start the service gave the following popup: “Could not start the IPSEC Services service on Local Computer.  Error 2: The system cannot find the file specified.”  The event logs also showed that TCP/IP was in blocking mode. 

Disabling the service and rebooting restored all network communication, but trying to start the service would drop all connectivity again and slow down the server.  I found another article that said that IPSEC may need to be rebuilt.  When I looked for the registry keys for IPSEC, they were not there.  After I ran the following commands, the registry keys were populated, and IPSEC was able to run properly.

To rebuild IPSEC, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local.  (In my case, the server’s registry ended before IPsec.  If this is the case, skip to step 6.)
  3. On the Edit menu, click Delete.
  4. Click Yes to confirm that you want to delete the subkey.
  5. Quit Registry Editor.
  6. Click Start, click Run, type regsvr32 polstore.dll, and then click OK.