Grant user permission to unlock Active Directory accounts.

OS: Windows 2012 R2

This is the command I used to grant a group permission to unlock accounts.

C:\> DSACLS "ou distinguished name" /i:s /G "group name":rpwp;LockOutTime;user



Timestamp and lftp

I was using lftp to get a file and do a local listing of the transferred file. The timestamp was days off when I used “local ls”. With some experimentation, I was able to find that if I pass the command a switch I could get the file creation time.

This is what I used:

lftp> local ls -cl

Internet Explorer Group Policy not changing.

I was trying to change the home page policy and the proxy settings for Internet Explorer 11. I had looked at this a couple of times but did not resolve the issue. I even started looking toward a registry option when I knew that this had to work. It turns out that it is something really stupid, and has been the case for a long time. I just needed to hit the F6 key while the cursor was still on the changed setting. Then, you will see the line under the setting go from red to green. It turns out that there are a few function keys that are important, so I will note them here.

F5: This will configure and update all of the settings.
F6: This will update only the setting you are currently positioned on.
F7: This will ignore only the setting you are currently positioned on.
F8: This will ignore all changes.

Windows 2012 R2 and .Net 3.5 Features

I changed my CD/DVD drive letter after I installed Windows Server 2012 R2 and a couple of other features. Then, I wanted to install the .NET Framework 3.5 feature. It kept complaining about not being able to find the source. I had to set the new source location for it to install correctly.

From Server Manager, you add the role as you normally would until you get to the “Confirm installation selections” window:

Click the “Specify an alternate source path” link and for the path enter the location with the correct directory of your 2012 R2 installation source. Since I changed my drive letter to the Z drive, mine was as follows.


From here, it installed as it normally would.

Note: I also discovered that if you apply some updates and then need to add the .NET 3.5 Framework feature, you might need to uninstall one or two of the updates. In my case, I had to remove update 2966828. I used the method specified here:

Uninstall/Install an Update from the Command Line – Windows Server 2012 R2

To list all installed updates:

c:\>wmic qfe list

To install an update:

c:\>wusa C:\somedirectory\someupdate1234567.msu

To uninstall an update:

c:\>wusa /uninstall /kb:1234567

Ubuntu – /var/log/syslog not rotating.

I was having trouble with any of the logs managed by rsyslog not rotating. This resulted in a number of huge log files, especially the /var/log/syslog file. Not only those but also others from remote systems since I was using this server as a syslog server.

All I needed to do is comment out the following line in the /etc/rsyslog.conf file:

$PrivDropToUser syslog

I restarted the rsyslog service.

# service rsyslog restart

Windows Group Policy to Run a Script with Privilege.

Sometimes you need to make a change to a lot of desktops, and you need to use an account with administrator-level privilege. The best way I found to do this, other than running a script that would make the changes remotely, was to add it to the startup script option in a Group Policy.

I wrote the script (and tested it, obviously), and saved it with the logon scripts so it would replicate to all the domain controllers.

Then, I identified a current policy and edited it. This is a Computer Configuration policy that causes the script to be run upon reboot. You want to change the properties (add your script/command) for:

Computer Configuration/Policies/Windows Settings/Scripts/Startup
Click Add…
You can run the script from anywhere, but I chose the logon script directory for redundancy and efficiency.

This is where I stored the script and referenced it:

Another option is to store the script with the policy, which might even be a better choice:

Once you’ve added the script, click Ok and close the Group Policy Management Editor.

CentOS 7 – Create encrypted partition

Note: This is to create a new partition that is encrypted. Do not do this on an existing partition, because you will lose all the data on the partition.

Note: I added a summarization to the end of this post to provide a bit more clarity about the volume names, etc.

Add the disk to the system and identify it. I used the following:
See if it is there already:

# fdisk -l

If not, scan for it on all your buses:

# echo "- - -" > /sys/class/scsi_host/host0/scan
# echo "- - -" > /sys/class/scsi_host/host1/scan
# echo "- - -" > /sys/class/scsi_host/host2/scan

Check again:

# fdisk -l

Create a volume:
Add the physical disk:

# pvcreate /dev/sdb

Create a volume group:

# vgcreate centos_test /dev/sdb

Activate the volume group:

# vgchange -a y centos_test

Create the volume:

# lvcreate -l 100%FREE -n test centos_test

Write random data to the partition. This is important when reusing a volume.

# shred -v --iterations=1 /dev/centos_test/test

Install cryptsetup:

# yum install cryptsetup

Initialize the volume and set the passphrase:

# cryptsetup --verbose --verify-passphrase luksFormat /dev/centos_test/test

Open the volume and set up the mapping:

# cryptsetup luksOpen /dev/centos_test/test test

Create the filesystem on the opened mapping (/dev/mapper/test), not on the underlying logical volume, which LVM already exposes as /dev/mapper/centos_test-test:

# mkfs.ext3 /dev/mapper/test

Mount it:

# mount /dev/mapper/test /mnt

Add the volume to be mounted at boot to the crypttab file:

# vi /etc/crypttab

test /dev/centos_test/test none

Add the mount to the fstab:

# vi /etc/fstab

/dev/mapper/test /mnt ext3 defaults 1 2

Restore selinux context:

# /sbin/restorecon -v -R /mnt

I was not getting prompted for the passphrase at boot. So, I had to boot into single user mode. When I did, I was prompted for the passphrase and the partition mounted fine. I needed to remove the rhgb parameter from the boot parameters to be prompted when booting into multi-user mode:

# cd /etc/default

Remove the rhgb parameter from kernel parameters.

# vi grub

I removed the rhgb parameter from this line:

GRUB_CMDLINE_LINUX=" vconsole.font=latarcyrheb-sun16 crashkernel=auto vconsole.keymap=us quiet"

Update grub with the new settings:

# grub2-mkconfig -o /boot/grub2/grub.cfg

When you reboot, you will be prompted for the passphrase you set in the cryptsetup luksFormat step.

# shutdown -r now

Here is a short summary. Pay particular attention to the luksOpen and mount commands and the format of the crypttab and fstab files. Hopefully, these names will make it easier to keep straight:

# fdisk -l
# fdisk /dev/sdb
# shred -v --iterations=1 /dev/sdb
# pvcreate /dev/sdb
# vgcreate vgtest /dev/sdb
# vgchange -a y vgtest
# lvcreate -l 100%FREE -n lvtest vgtest
# shred -v --iterations=1 /dev/vgtest/lvtest
# cryptsetup --verbose --verify-passphrase luksFormat /dev/vgtest/lvtest
# cryptsetup luksOpen /dev/mapper/vgtest-lvtest lvtest
# mkfs -t ext4 /dev/mapper/lvtest
# mount /dev/mapper/lvtest /mnt

# vi /etc/crypttab

lvtest /dev/mapper/vgtest-lvtest none

# vi /etc/fstab

/dev/mapper/lvtest /mnt ext4 defaults 1 2
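
The naming rules from the summary can be checked mechanically before a reboot. The script below is an added example, not part of the original post: it verifies that each crypttab mapping name differs from the LVM device-mapper name of its backing volume and that fstab mounts /dev/mapper/<mapping name> rather than the encrypted volume itself. The function names and the sample files are constructed for illustration; one sample reuses the LVM name as the LUKS mapping name, the other follows the summary's naming.

```sh
#!/bin/sh
# Added example: cross-check LUKS mapping names in crypttab against fstab.
# check_luks_names CRYPTTAB FSTAB -> one finding per line, returns 0 if clean.

# True if the fstab file ($2) has an entry whose first field is exactly $1.
fstab_has() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "$2"
}

check_luks_names() {
    rc=0
    while read -r name dev _rest; do
        case $name in ''|'#'*) continue ;; esac
        # LVM publishes /dev/VG/LV as /dev/mapper/VG-LV (hyphens inside VG
        # or LV are doubled). Work out that name for the backing device.
        case $dev in
            /dev/mapper/*) lvm=${dev#/dev/mapper/} ;;
            /dev/*/*/*)    lvm= ;;   # e.g. /dev/disk/by-uuid/..., not an LV
            /dev/*/*)      lvm=$(printf '%s' "${dev#/dev/}" | sed 's/-/--/g; s|/|-|') ;;
            *)             lvm= ;;
        esac
        if [ -n "$lvm" ] && [ "$name" = "$lvm" ]; then
            echo "collision: mapping '$name' is already the LVM name of $dev"
            rc=1; continue
        fi
        if ! fstab_has "/dev/mapper/$name" "$2"; then
            echo "missing: fstab has no entry for /dev/mapper/$name"; rc=1
        fi
        if fstab_has "$dev" "$2" || { [ -n "$lvm" ] && fstab_has "/dev/mapper/$lvm" "$2"; }; then
            echo "raw: fstab mounts the encrypted backing device $dev"; rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d)
printf '%s\n' 'centos_test-test /dev/centos_test/test none' > "$tmp/crypttab.bad"
printf '%s\n' '/dev/mapper/centos_test-test /mnt ext3 defaults 1 2' > "$tmp/fstab.bad"
printf '%s\n' 'lvtest /dev/mapper/vgtest-lvtest none' > "$tmp/crypttab.ok"
printf '%s\n' '/dev/mapper/lvtest /mnt ext4 defaults 1 2' > "$tmp/fstab.ok"
check_luks_names "$tmp/crypttab.bad" "$tmp/fstab.bad" || echo "=> bad layout rejected"
check_luks_names "$tmp/crypttab.ok" "$tmp/fstab.ok" && echo "=> ok layout accepted"
```

On a real host, point it at /etc/crypttab and /etc/fstab; it only reads the two files.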

Linux – Extract Files from an RPM file.

Make sure you copy the rpm to a temp area to extract the files.

# rpm2cpio somerpm | cpio -idmv

Windows Performance Monitor – Data Collector Sets

When you create a Data Collector Set in Windows 2012 server, the task is disabled in the Task Scheduler. You will find it under Microsoft/Windows/PLA. Just right mouse click the task and select Enable. Then, you right mouse click on it again and select Run to start it. They really should have allowed that from within Performance Monitor.
