Import Windows 8 GPO Templates to Windows Server 2008 R2

On your domain-joined Windows 8 workstation, open an elevated Command Prompt (Command Prompt (Admin)) and run the following commands:

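REM Build lists of every .admx file and every en-US .adml file in the component store
cd /d %windir%\winsxs
dir *.admx /s /b > "%USERPROFILE%\Desktop\admx.txt"
dir *.adml /s /b | find /i "en-us" > "%USERPROFILE%\Desktop\adml_en-us.txt"

REM Copy the listed files into a staging folder on the desktop
REM (typed at the prompt; inside a batch file use %%i instead of %i)
mkdir "%USERPROFILE%\Desktop\PolicyDefinitions"
mkdir "%USERPROFILE%\Desktop\PolicyDefinitions\en-US"
FOR /F "usebackq delims=" %i IN ("%USERPROFILE%\Desktop\admx.txt") DO copy "%i" "%USERPROFILE%\Desktop\PolicyDefinitions\"
FOR /F "usebackq delims=" %i IN ("%USERPROFILE%\Desktop\adml_en-us.txt") DO copy "%i" "%USERPROFILE%\Desktop\PolicyDefinitions\en-US\"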

This will copy all of the new templates from your Windows 8 machine into a PolicyDefinitions folder on your desktop.

Log on to your Domain Controller, browse to c:\Windows\ and rename PolicyDefinitions to PolicyDefinition.pre-8, then copy the PolicyDefinitions folder you just created on your desktop to your domain controller in c:\windows\. Finally, open the Group Policy Editor to access the new, upgraded templates.

Note: This process can also be used to import Windows Server 2012 templates into a Windows Server 2008 R2 based domain.

Windows Server 2012 Desktop Experience

To change your User Profile picture in Windows Server 2012 the “Desktop Experience” feature is required. Desktop Experience provides a similar interface experience to Windows 8. The ‘Desktop Experience’ feature can be added under the Server Manager -> Features.

To install the Desktop Experience:

1. Select ‘Manage’
2. Select ‘Add Roles & Features’
3. Select ‘Role-based or feature-based installation’
4. Select (local server)
5. Select ‘Features’ on the left-hand menu
6. Scroll down and select ‘User Interfaces and Infrastructure’
7. Check the ‘Desktop Experience’ box
8. Click ‘Install’
9. Once the installation completes you will need to reboot your server.

Once your server has rebooted, log in and you will have Windows 8 desktop functionality as part of your Windows Server 2012. Features and functionality are outlined here.

Find Dell Service Tags in Windows and Linux

From time to time it's necessary to have the Dell Service Tag for a server in order to download updated software and drivers and to request onsite service in the event of a hardware failure. The Dell Support Site shows the physical location of the service tag and express code stickers for various Dell hardware models.

In the event you don’t have physical access to a server you can request the service tag at the OS level using the following commands for Linux and Windows:

Windows Systems

Log in to the Windows remote host using Remote Desktop or VNC, then use the Windows Management Instrumentation command-line tool (WMIC) to query the service tag:

C:\>wmic bios get serialnumber
SerialNumber
ZZDDEE7

The following WMIC syntax will provide the service tag along with the model number of the server:

C:\>wmic csproduct get vendor,name,identifyingnumber
IdentifyingNumber    Name                Vendor
ZZDDEE7              PowerEdge R710      Dell Inc.

Alternatively, you can remotely query the Service Tag of a remote server as long as you have login credentials available to you:

C:\>wmic /user:administrator /node:remote-host bios get serialnumber
SerialNumber
ZZDDEE7

Linux Systems

Log in to the remote Linux server using SSH, then use dmidecode to query the service tag:

[server]# dmidecode -s system-serial-number
ZZDDEE7

Alternatives for Linux are outlined here.

Hardening a Microsoft IIS Web Server

Here are some quick tips on how to harden a Microsoft IIS web server for production use:

1. Enable SSL

When possible, configure your web server and sites to utilize an SSL certificate. SSL will protect client-server communication. Instructions on how to configure SSL in IIS can be found at: http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

2. Disable Weak SSL and TLS Ciphers

Paste the following registry configuration into a text file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
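To confirm the import took effect, the following added example (not part of the original post) audits the four SCHANNEL cipher keys shown above and reports which are explicitly disabled. It assumes PowerShell 3.0 or later; the function name Get-SchannelCipherState is hypothetical.

```powershell
# Added example: audit the SCHANNEL cipher keys named in the .reg fragment above.
# Key names such as "DES 56/56" contain "/", which the PowerShell registry
# provider treats as a path separator, so the .NET registry API is used instead.
$ciphers = 'DES 56/56', 'NULL', 'RC2 40/128', 'RC2 56/128'

function Get-SchannelCipherState {   # hypothetical helper name
    param(
        [string[]]$Name,
        [string]$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
    )
    foreach ($cipher in $Name) {
        $state = 'NotConfigured'     # key or value absent: the OS default applies
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$Base\$cipher")
        if ($null -ne $key) {
            try {
                $enabled = $key.GetValue('Enabled')   # DWORD is returned as Int32
                if ($null -ne $enabled) {
                    if ($enabled -eq 0) { $state = 'Disabled' } else { $state = 'Enabled' }
                }
            } finally {
                $key.Close()
            }
        }
        [pscustomobject]@{ Cipher = $cipher; State = $state }
    }
}

$report = @(Get-SchannelCipherState -Name $ciphers)
$report | Format-Table -AutoSize

# Anything not explicitly disabled needs attention before the server goes live.
$open = @($report | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    $names = ($open | ForEach-Object { $_.Cipher }) -join ', '
    Write-Warning "Not explicitly disabled: $names"
} else {
    Write-Output 'All listed ciphers are explicitly disabled.'
}
```

SCHANNEL reads these settings at startup, so a cipher that reports Disabled here may still be offered until the server has been rebooted.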

Removing Old Active Directory Accounts

Finding and removing old user and computer accounts from Active Directory is an important part of Active Directory maintenance. Removing unused and expired accounts is important in order to optimize and secure your Active Directory environment.

PowerShell is a powerful scripting environment for Windows which can be used for this type of maintenance, but first you need to install the Active Directory PowerShell tools:

1. Click Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell

2. At the command prompt type:

Import-Module ActiveDirectory

3. Once the module install is complete, confirm it's available by running:

Get-Module -ListAvailable | select-string -pattern "Active"

Once you have installed the Active Directory PowerShell commands you may use the following syntax to search for computers which haven’t logged in for 6 or more months:
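One way to run such a search, given as an added example rather than the syntax from the original post: a report-only query for enabled computer accounts that have been inactive for six months, written to a CSV for review before anything is changed. The output path is an assumption.

```powershell
# Added example: report-only search for computer accounts inactive for 6+ months.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddMonths(-6)
$reportPath = "$env:USERPROFILE\Desktop\stale-computers.csv"   # assumed output location

# Search-ADAccount bases inactivity on lastLogonTimestamp, which by default can be
# up to about 14 days behind the real last logon, so review borderline results.
$stale = @(Search-ADAccount -AccountInactive -ComputersOnly -DateTime $cutoff |
    Where-Object { $_.Enabled } |
    Sort-Object LastLogonDate |
    Select-Object Name, LastLogonDate, DistinguishedName)

$stale | Export-Csv -Path $reportPath -NoTypeInformation
Write-Output ("{0} enabled computer account(s) inactive since {1:yyyy-MM-dd}; report: {2}" -f `
    $stale.Count, $cutoff, $reportPath)

# Review the CSV first. Disabling is reversible, deleting is not, so disable
# and wait before removing. -WhatIf shows what would change without doing it.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Remove -WhatIf only after the list has been reviewed, and delete an account only once it has stayed disabled long enough to confirm nothing depends on it.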