Categories
blog howto windows

Windows 10 May 2021 update can break audio service

Problem:
Sound is not working anymore in Windows and all programs. In the task area the speaker icon shows a red circle with an X. When you open sound settings it says there are no devices. In device manager the sound card is enabled and shows the correct latest driver.

Troubleshooting:
Removing (with delete driver) all the sound devices and output devices and reinstalling them has no effect. DISM /ScanHealth and SFC /scannow find no corruption. After trying lots of possible solutions, including doing a build upgrade to the same version, I was almost at the point that I would reset the entire system and install everything again. However in one last desperate Google search I came across the solution.

Solution:
The first solution I found was to add the localservice and networkservice (hidden) user accounts to the local administrators group. I tried this and sure enough this fixed the issue. But after reviewing other comments and checking on another (correctly working) computer I was convinced this was not a secure solution. So I removed the user accounts again from the group and sure enough the problem was back (after reboot). Luckily someone at the Dell forums found the real and secure solution.

The problem is a corrupted registry value that defines the Windows ACL rights for some part of the Windows Audio service. So open the registry editor (regedit) and navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations

The problem is that the value of ConsoleSecurity shows as binary null or empty, which is invalid. The value is the same on each computer and should be:

"ConsoleSecurity"=hex:01,00,14,80,9c,00,00,00,a8,00,00,00,00,00,00,00,14,00,00,\
  00,02,00,88,00,06,00,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,05,\
  04,00,00,00,00,00,14,00,bf,03,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,00,\
  00,14,00,89,00,0f,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,81,00,\
  00,00,01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,bf,03,0f,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,21,01,00,00,01,02,00,00,\
  00,00,00,05,20,00,00,00,2b,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00

I have attached a (zipped) reg file you can use to fix this value back to the original value.
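
To check a machine for this corruption before importing anything, the value can be read and decoded. The PowerShell below is an added example, not part of the original post or the attached reg file; the helper name ConvertTo-AceList is hypothetical and the script only reads the registry.

```powershell
# Added example (not from the original post): read-only check of ConsoleSecurity.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

# Hypothetical helper: decode a self-relative security descriptor into its ACEs.
function ConvertTo-AceList {
    param([byte[]]$Bytes)
    # Empty or all-zero data is the corrupted state; there is nothing to decode.
    if (-not $Bytes -or -not ($Bytes | Where-Object { $_ -ne 0 })) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{
            AceType = $ace.AceType
            Sid     = $sid.Value
            Account = $name
            Mask    = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

$value = (Get-ItemProperty -LiteralPath $key -Name ConsoleSecurity -ErrorAction SilentlyContinue).ConsoleSecurity
$aces  = @(ConvertTo-AceList -Bytes $value)

if ($aces.Count -eq 0) {
    Write-Warning 'ConsoleSecurity is missing, empty or all zeros: the corrupted state.'
} else {
    # Healthy state: one row per account the descriptor grants access to.
    $aces | Format-Table -AutoSize
}
```

The value shown above decodes to six access-allowed entries, among them S-1-5-19 (LOCAL SERVICE) and S-1-5-20 (NETWORK SERVICE), the two accounts the insecure workaround added to the Administrators group.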

More information:
Apparently this happens when the Windows 10 May 2021 cumulative update (KB5003173) fails to install the first time. Somehow in this process the registry value gets corrupted.

As a side note somehow this update failure also changes the setting in the local group policy that requires you to press CTRL-ALT-DEL at the logon screen.

Resources and credit:
https://www.dell.com/community/Latitude/Latitude-5400-no-sound-after-May-2021-Windows-update/m-p/7980056/highlight/true#M34613
https://docs.microsoft.com/en-us/answers/questions/401440/kb5003173-no-audio-device-installed.html


Categories
blog cloud howto

Enable or disable password expiration for Office365 users using PowerShell

You can change the general password expiration policies in the online GUI, but for individual users and to check the state you need to use PowerShell.

  1. First make sure you have installed the required module for PowerShell.
    – Azure Active Directory Module for Windows PowerShell.
    On Windows 10 you can open PowerShell with Run as administrator and run the command: Install-Module -Name MSOnline
    Or you can download the installer from:
    http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
    You need the AdministrationConfig-V1.1.166.0-GA.msi file.
    – For this to install you need to have the Microsoft Online Services Sign-In Assistant > 7.
    If you don’t have it you can download it from:
    https://www.microsoft.com/en-us/download/details.aspx?id=41950
  2. Now that the necessary software is installed, start the Windows Azure AD PowerShell module and connect:
    Connect-MsolService
  3. Check if password expiration is set for any of the users (-All is needed because Get-MsolUser returns at most 500 users by default):
    Get-MsolUser -All | Select-Object UserPrincipalName, PasswordNeverExpires
  4. Change password expiration for all users ($true disables expiration, $false enables it again):
    Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true
    Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $false
  5. Change password expiration for just one user:
    Set-MsolUser -UserPrincipalName u1@dm.tld -PasswordNeverExpires $true
    Set-MsolUser -UserPrincipalName u1@dm.tld -PasswordNeverExpires $false
Categories
blog howto server windows

Can’t find script engine “VBScript” for script …

I recently came across this error while trying to execute a VBscript.

Can’t find script engine “VBScript” for script …

After some troubleshooting it turned out this was related to the uninstall of McAfee antivirus software.
McAfee antivirus intercepts all VBScript execution by changing the executable that runs the scripts.
After uninstallation, this change was not rolled back and VBScript execution would fail unless explicitly called by wscript.exe or cscript.exe.

The solution is to revert the change in the Windows registry.
In the following registry key:
HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Find the value named (Default) of type REG_SZ and change the data back to:
C:\Windows\system32\vbscript.dll
instead of:
c:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110218083735.dll

You have to adjust the permissions on the key InprocServer32 to give write permission to Administrator (or your user).
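
Before changing permissions on the key, it helps to confirm what the CLSID currently points at. The PowerShell below is an added example, not part of the original post; the helper name Test-VbsEngineRegistration is hypothetical, the script only reads the registry, and it assumes a 64-bit PowerShell session.

```powershell
# Added example (not from the original post): read-only check of the VBScript engine registration.
$clsid    = '{B54F3741-5B07-11cf-A4B0-00AA004A55E8}'
$key      = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
$expected = Join-Path $env:SystemRoot 'system32\vbscript.dll'

# Hypothetical helper: compare the registered DLL with the expected one
# and report the signature of whatever file the registry points at.
function Test-VbsEngineRegistration {
    param([string]$Registered, [string]$Expected)
    # The value may be quoted or contain %SystemRoot%; normalise before comparing.
    $resolved = [Environment]::ExpandEnvironmentVariables($Registered.Trim('"'))
    $exists   = [bool]$resolved -and (Test-Path -LiteralPath $resolved -PathType Leaf)
    $sig      = if ($exists) { Get-AuthenticodeSignature -FilePath $resolved }
    [pscustomobject]@{
        Registered      = $Registered
        MatchesExpected = ($resolved -ieq $Expected)
        FileExists      = $exists
        SignatureStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
    }
}

# The unnamed default value is exposed as a property called "(default)".
$registered = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
$result     = Test-VbsEngineRegistration -Registered $registered -Expected $expected
$result | Format-List

if (-not $result.MatchesExpected) {
    Write-Warning "VBScript engine CLSID points at '$registered', expected '$expected'."
}
```

The path comparison is the check that corresponds to the fix; SignatureStatus is informational, since how catalog-signed system files are reported depends on the PowerShell version.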

If your problem is unrelated to McAfee and the registry value is correct you might have to re-register the DLLs.
Open a CMD with elevated privileges (run as administrator) and execute the following commands:

cd "%systemroot%\system32"
regsvr32 jscript.dll
regsvr32 vbscript.dll
cd "%systemroot%\SysWow64"
regsvr32 jscript.dll
regsvr32 vbscript.dll

More information, including what I used to troubleshoot this issue:
http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/cant-find-script-engine-vbscript-for-script/960f24d1-bf92-4cec-b73e-520a04891073
https://community.mcafee.com/thread/50961?start=0&tstart=0

Categories
blog howto windows

Windows 2012 Server Manager refresh failed, requires a restart

The request to add or remove features on the specified server failed. the operation cannot be completed because the server that you specified requires a restart.

Role and feature refresh failed with the following error: The Request to list features available on the specific server failed. The operation cannot be completed, because the server that you specified requires a restart.

Restarting the server does not help.

Check the eventlog for an error from Service Control Manager ID 7041 that reads:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.

Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID

This service account does not have the required user right “Log on as a service.”

Check whether the “Windows Internal Database” service is running; it probably is not and can’t start.
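
The three checks above (service state, event 7041, and the user right itself) can be done in one pass. The PowerShell below is an added example, not part of the original post; the helper name Test-ServiceLogonRight and the temp file name are hypothetical, and the extra check for NT SERVICE\ALL SERVICES (S-1-5-80-0) is an addition of this example. Run it elevated; it changes nothing.

```powershell
# Added example (not from the original post): read-only diagnosis, run elevated.
$svcName = 'MSSQL$MICROSOFT##WID'
$account = "NT SERVICE\$svcName"

# Hypothetical helper: does any of $Principals appear on the SeServiceLogonRight
# line of a "secedit /export" file? Entries are names or SIDs prefixed with '*'.
function Test-ServiceLogonRight {
    param([string]$InfText, [string[]]$Principals)
    $line = $InfText -split "`r?`n" |
        Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return $false }
    $holders = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($Principals | Where-Object { $holders -contains $_ })
}

# Resolve the service account to its SID, because the export usually lists SIDs.
try   { $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
catch { $sid = $null }

# Export the effective user rights (local policy merged with applied GPOs).
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$inf = Get-Content -LiteralPath $cfg -Raw
Remove-Item -LiteralPath $cfg

# S-1-5-80-0 is NT SERVICE\ALL SERVICES, which also covers this account.
$principals = @($account, $sid, 'S-1-5-80-0' | Where-Object { $_ })

[pscustomobject]@{
    ServiceStatus     = (Get-Service -Name $svcName -ErrorAction SilentlyContinue).Status
    AccountSid        = $sid
    LogonRightGranted = Test-ServiceLogonRight -InfText $inf -Principals $principals
    Recent7041Events  = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7041 } -MaxEvents 5 -ErrorAction SilentlyContinue).Count
} | Format-List
```

Running it again after gpupdate and the restart shows whether the policy change actually reached the server.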

If this is a domain controller you can assign the logon as service right for the account using the “Default Domain Controllers Policy” GPO.

  1. Open gpmc.msc
  2. Select the “Default Domain Controllers Policy” under the “Domain Controllers” OU in the left tree.
  3. Right click on it and select edit.
  4. In the editor navigate to “Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment”.
  5. Open the properties of the “Log on as a service” item.
  6. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button.
  7. Close the window with OK. Close the GPO editor.
  8. Run gpupdate and restart the computer.

If this is a normal member or standalone server you can assign the logon as service right for the account using the “Local Security Policy”.

  1. Open secpol.msc
  2. Navigate to “Local Policies, User Rights Assignment”.
  3. Open the properties of the “Log on as a service” item.
  4. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button. If this is greyed out, then the item is set using Domain Group Policies (see above).
  5. Close the window with OK. Close the local security policy editor.
  6. Run gpupdate and restart the computer.
Categories
blog howto windows

Uninstall Sophos Antivirus tamper protection lost password

How to uninstall Sophos Antivirus when the Tamper Protection doesn’t let you, and you don’t know the Tamper password.

  1. Stop the Sophos Anti-Virus service if possible. Open services.msc and stop the service.
  2. Open notepad with UAC elevation, run as Administrator.
  3. In notepad open the file “C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml”
  4. Find the configuration section for TamperProtectionManagement

    <TamperProtectionManagement>
    <settings>
    <password>123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ</password><enabled>true</enabled>
    </settings>
    </TamperProtectionManagement>

  5. Change the password string (123456789ABCD… above is just an example, yours will be different.) to the new value: E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73
  6. Start Sophos Antivirus or restart the computer.
  7. Disable tamper protection using the new password: “password” (without the quotes).
  8. Uninstall Sophos Antivirus.
Categories
blog howto server virtualization

MONITOR PANIC: Unable to decompress PPN from swap slot for VM

VMWARE ESXi 5.1U1

My VM would power off without apparent reason.
Looking into the logs, this error appears:

MONITOR PANIC: Unable to decompress PPN from swap slot for VM

I believe the underlying storage (a single SATA disk in my case) to be at fault, or almost dying I guess.
I storage vmotion’ed the VM to another disk.

Categories
blog howto network server windows

Backup domain controller sync issues KRB_AP_ERR_MODIFIED 0x80090322 target principal name incorrect

My case:
1x Windows 2008 Small Business Server (named: SBS2008)
1x Windows 2008 R2 standard on off-site location (named: TS2008) BACKUP DOMAIN CONTROLLER & GC
Connection between the 2 servers was lost for nearly 3 months.
Replication would only work from SBS2008 to TS2008 but not from TS2008 to SBS2008.
I couldn’t view the shares on \\SBS2008 from the console on TS2008; I received the error “The target principal name is incorrect”. On SBS2008 I could view the shares on TS2008.
In the eventlog there were errors:

The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

Sites:
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domein,DC=local

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:
DC=domain,DC=local

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.

Site:
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Directory partition:
DC=domain,DC=local
Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local

The File Replication Service is having trouble enabling replication from SBS2008 to TS2008 for c:\windows\sysvol\domain using the DNS name SBS2008.domein.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

The session setup from the computer SBS2008 failed to authenticate. The name(s) of the account(s) referenced in the security database is SBS2008$. The following error occurred:
Access is denied.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbs2008$. The target name used was E3514xx-xxxxxxxxxxxxxxx/yyyyyyyyyyyyyyy/domain.local@domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please …

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbs2008$. The target name used was DNS/sbs2008.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please …

Demoting and then promoting TS2008 would not work without forcing it and doing a lot of NTDS cleanup on the PDC. So this was my last resort.

1st reboot -> did not work.
Doing a lot of searching and looking up the SPN for SBS2008 on both DCs did not show any differences.

Luckily I found an older KB from Microsoft on how to reset the Kerberos secure channel between two DCs.
http://support.microsoft.com/kb/288167

I had to disable the KDC (Kerberos Key Distribution Center) service on TS2008 and then reboot.
Immediately after reboot I noticed I could browse the shares on the SBS2008 without error.
This is because TS2008 was no longer supplying Kerberos tickets itself but requesting them from SBS2008.
Now I opened an elevated command prompt and forced a sync of all replica partitions and triggered the KCC checker.
repadmin /syncall /ade
repadmin /kcc

To check the replication backlog queue use:
repadmin /queue

After replication was successful I put the KDC service back to automatic and started it. Problem solved.

If you can’t get replication working yet, you’ll need these extra steps (the * makes netdom prompt for the password):
klist /purge
netdom resetpwd /server:sbs2008 /userd:domain\Administrator /passwordd:*

Also you might need to check your DNS settings and put the IP address of SBS2008 as primary DNS IP on the NIC of TS2008.

Other helpful information:
http://support.microsoft.com/kb/2090913

Categories
blog howto windows

Excel has problems with space as thousand separator

Change the system settings to use a . instead (configuration panel, region and local settings, more settings, number).

For existing files, use search and replace to delete the spaces. If the numbers are still left justified, multiply them all by the number 1 using paste special, see link below.

http://answers.microsoft.com/en-us/office/forum/office_2007-excel/space-as-thousand-separator-in-a-csv-file/90c4a714-7a4e-4deb-ac89-0bdd2fcadc40?msgId=8b3ef2f1-7170-4720-95bf-86263c5add7e

Categories
blog howto windows

Acrobat X pro as part of CS6 suite does not start 30 days after installation


Use solution 2.

http://helpx.adobe.com/creative-suite/kb/acrobat-failed-launch-30-days.html

This does not work for regular standalone Adobe X problems, only when Acrobat is installed (and activated) as part of the CS6 suite and stops working after 30 days.

1) Download: http://helpx.adobe.com/creative-suite/kb/acrobat-failed-launch-30-days/_jcr_content/main-pars/download/file.res/Acrofix.zip
2) Unzip to a convenient location
3) Open a command prompt as administrator (in start menu search for cmd and right click run as administrator)
4) Go to the location where you unzipped
cd c:\temp\adobefix\
5) Execute the executable
Acrofix.exe
6) Exit Code: 0 means successfully patched!
7) Try Adobe X Pro again.

Categories
blog howto server virtualization

VMware ESXi 5.1 on USB stick won’t boot Proliant DL380 G5

Installation using the CD-ROM was successful, but after restarting, the server won’t boot from the USB stick.
Make sure you set the correct BIOS options to allow booting from USB.
[Screenshot: BIOS boot order]

[Screenshot: BIOS USB enable]

[Screenshot: ESXi installer boot options, runweasel formatwithmbr]

If it still doesn’t boot then it probably has to do with the GPT/MBR formatting of the USB stick done by VMware.
You need to boot from the ESXi install CD again. Right after you press Enter to choose “ESXi5.1 installer ISO …”, the text “Shift + o” appears in the lower right-hand corner; press this key combination (Shift and the letter o). You now see the text “runweasel”. Remove any characters after it, type a space and then “formatwithmbr”.

Now install as normal but now VMware should format your USB stick as MBR instead of GPT and you should be able to boot from it after the install finishes.

sources:
http://vmtoday.com/2012/09/esxi-5-wont-boot-from-usb/
http://communities.vmware.com/thread/430852?start=0&tstart=0
http://communities.vmware.com/message/1824957#1824957
http://community.spiceworks.com/topic/247715-sandisk-cruzer-fit-esxi-5