Monthly Archives: March 2011

The Blog Wrap-Up for March 2011

  • %System%System32 secrets: change

    Change money, change your life? No, just change the way your terminal server behaves

  • Some new cool betas

    MS issued several absolutely awesome betas – join the programs and influence the products at their early stages

  • Delegate permissions for creating GPO objects in other domain

    You cannot delegate this permission easily, so let’s do it the “hard way”, which is not particularly hard, actually

  • Too many smart-cards inserted. Good thing: no need to throw them away

    Do you see the message? Problem solved!

  • %SystemRoot%System32 Secrets: certreq

    Systemroot continues to reveal its secrets

  • %SystemRoot%System32 secrets: BITSAdmin

    Download files even after the connection has been lost. A somewhat outdated command, but it still works

  • Wildcard certificates drawbacks

    They are an excellent means to simplify your life, but what is on the flip side?

  • %SystemRoot%System32 secrets: BCDEdit

    Dual boot of W7 with FreeBSD? Easy

  • %System%System32 secrets: change

    Another old-timer here. I cannot remember when I last used it, but I guess it can still be useful in a number of situations. For example, I used to use it to install new software on a terminal server or to stop user logons to it. Now I usually don’t touch terminal servers, and as far as I know they have other means to complete these tasks. Anyway, Windows 2003 is still in place and we still have the command around.

    It can do the following:


    • Change the logon setting: we can turn new logons to the TS off and on. Just run change logon /disable (and change logon /enable afterwards; change logon /query shows the current state). Existing sessions are not affected, only new ones are refused.
    • Change port mappings. I haven’t used it at all and I hope you won’t have to either, because the KB article says: “Changes the COM port mappings to be compatible with DOS applications”. No way I want to be anywhere near this stuff anymore =)
    • Prepare a TS for the installation of software: .ini file mapping and all that stuff. To install some software you need to run change user /install first, and when the setup is finished you have to run change user /execute to return to normal (execute) mode.

    And that is all it can do… But I remember what wonderful bugs you could get if you didn’t know the command…
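    The whole install-mode dance as one script, an added example that is not from the original post: disable new logons, switch the server into install mode, run the setup, and then return to execute mode and re-enable logons even when the setup fails. It assumes a terminal server (Windows 2003/2008 with the Terminal Server / RD Session Host role) and an installer path that is made up for the example.

```powershell
# Added example (not from the original post). Assumes the Terminal Server role is
# installed; the installer path below is an assumption, adjust it for your server.
$ErrorActionPreference = 'Stop'
$Installer = 'C:\Setup\app-setup.msi'   # assumed path

function Get-TsLogonState {
    # 'change logon /query' reports whether new sessions are currently accepted
    if ((change logon /query | Out-String) -match 'disabled') { 'DISABLED' } else { 'ENABLED' }
}

function Get-TsUserMode {
    # 'change user /query' reports "Application INSTALL mode is enabled." or the EXECUTE variant;
    # on a box without the TS role it says install mode does not apply, which reads as EXECUTE here
    if ((change user /query | Out-String) -match 'INSTALL mode is enabled') { 'INSTALL' } else { 'EXECUTE' }
}

$previousLogonState = Get-TsLogonState
try {
    change logon /disable | Out-Null     # refuse new sessions while installing (existing ones stay)
    change user /install  | Out-Null     # per-user .ini/registry mapping for multi-user installs
    if ((Get-TsUserMode) -ne 'INSTALL') { throw 'Server did not enter install mode' }

    $proc = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$Installer`" /qn" -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }
}
finally {
    change user /execute | Out-Null      # always back to execute mode, even after a failure
    if ($previousLogonState -eq 'ENABLED') { change logon /enable | Out-Null }
    "User mode: $(Get-TsUserMode); new logons: $(Get-TsLogonState)"
}
```

    The finally block is the point: a server left in install mode keeps remapping .ini and registry writes for every user, and one left with logons disabled is a helpdesk ticket waiting to happen, so both are undone regardless of the installer's exit code.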

    The only thing I can’t explain is why it is still present on Windows 7. Does anyone know the answer? =)))

    Some new cool betas

    During the past week or so there were several announcements about the availability of betas for some MS products and some new tools. Some of them are definitely of interest to me and, probably, to you. The first is

    VMM SSPv2 SP1

    Such a nice abbreviation, isn’t it? =) It stands for Virtual Machine Manager Self-Service Portal v2 with SP1. Although a bit buggy, it is still a very cool application. I’m going to use it as soon as it is released; for now we are using it in a test environment.

    New features:

    • You can import machines which are not yet in the SSP’s zone of authority
    • Expiration for virtual machines
    • Notify business unit administrators about various events
    • Move infrastructures between business units

    Quite impressive, isn’t it? Join the beta here.


    I wrote about it some time ago: it is a new addition to MDOP that helps you manage and monitor BitLocker. Now a beta of the product is available. You can join the beta here. What it can do:

    • IT can automate the process of encrypting volumes on client machines across the enterprise
    • Helpdesk can reduce the time required to provide BitLocker PIN and Recovery Key information
    • Security officers can quickly produce reliable evidence that indicates the compliance state of individual computers or even the enterprise itself.
    • Security officers can easily audit access to Recovery Key information.
    • Windows Enterprise users are empowered to continue working anywhere, knowing their corporate data is protected.

    System Center Virtual Machine Manager 2012

    Wow! W! O! W! =)

    I saw a review. It is awesome. No, really. From just creating a new VM to creating a private cloud based on VMware. Or Hyper-V. Or both… Whatever, you can download it here. It can do so much that MS has reduced the benefits to somewhat bullshittish phrases. But it has a ribbon as the administrator GUI. So I will definitely love it 😉

    New version of the Exchange 2010 Mailbox Server Role Requirements Calculator

    Nothing special, but if you use it, then you’d better use the new version.

    And some non-technical stuff: if you are an MCP, then you’ve just received new certificates (just a new look, actually, not new certifications =) ) and a new transcript. Just look at how fabulous it is:


    It’s not available yet, though. But in April it will be =)

    Enough for today =)

    Delegate permissions for creating GPO objects in other domain

    The task is obviously necessary to complete on your way to implementing the Role-Based Administration concept. And, to be honest, being in euphoria after a quick acquaintance with AGPM, I thought it was no big deal at all: give an account or a group membership in some special groups, including “Group Policy Creator Owners”, and voilà, you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. Moreover, you are unable to change that: everything is dimmed.


    At least I don’t know a way to change the group’s scope (but I noted to myself to find out everything about it). So the easy way is out. Will we retreat? No way. If we can’t add our object to the group, we can create another group (domain local or universal in scope, so that it can hold principals from other domains) and grant the permissions to that group directly. What permissions does the “Group Policy Creator Owners” group have? As far as I know, to create any GPO we need permissions in two places: the Policies container in AD (CN=Policies,CN=System,<domain>) and the Policies folder in SYSVOL. So let us delegate the permissions to the brand-new group “Role GP Creator Owners”:

    1) in AD, on the Domain/System/Policies container:





    I guess “Create All Child Objects” is a bit of overkill, and we can do better: the default ACE for “Group Policy Creator Owners” on this container is the narrower “Create groupPolicyContainer objects”, and that is all GPO creation needs. Granting the superset is not worse than what the built-in group has, it just lets the group create other object types under Policies as well.

    2) now on the Policies folder in SYSVOL:



    That’ll do the job for us. At least it did for me, but still, I recommend checking it with support if you have it. I’ll definitely do that and fix the article if needed.
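    Both steps scripted, as an added example that is not from the original post and not the GPMC/AGPM way: grant the group the narrow “Create groupPolicyContainer objects” right on CN=Policies,CN=System and Modify on the matching SYSVOL folder, then read both ACLs back to check. It assumes the ActiveDirectory module (2008 R2 or RSAT) for the AD: drive, that you run it in the domain whose GPOs the group may create, and that the group name below is a domain local group you already created; the schema GUID of groupPolicyContainer is looked up rather than hard-coded.

```powershell
# Added example (not from the original post). Group name is an assumption; it must be a
# domain local or universal group so that it can hold principals from other domains.
Import-Module ActiveDirectory
$Group  = 'CORP\Role GP Creator Owners'          # assumed
$Domain = Get-ADDomain                           # the domain we are delegating in

# Resolve the object class GUID so the ACE is "Create groupPolicyContainer objects" only
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$gpc      = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
$gpcGuid  = [guid]$gpc.schemaIDGUID

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])

# 1) AD: CN=Policies,CN=System,<domain>
$policiesDN = "CN=Policies,CN=System,$($Domain.DistinguishedName)"
$adAcl = Get-Acl -Path "AD:\$policiesDN"
$adAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $gpcGuid,                                                        # this object class only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$adAcl.AddAccessRule($adAce)
Set-Acl -Path "AD:\$policiesDN" -AclObject $adAcl

# 2) SYSVOL: \\<domain>\SYSVOL\<domain>\Policies, Modify inherited by new GPO folders
$policiesPath = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies"
$fsAcl = Get-Acl -Path $policiesPath
$fsAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$fsAcl.AddAccessRule($fsAce)
Set-Acl -Path $policiesPath -AclObject $fsAcl

# Check: one CreateChild ACE scoped to groupPolicyContainer, and one Modify ACE on SYSVOL
(Get-Acl -Path "AD:\$policiesDN").Access |
    Where-Object { $_.IdentityReference -eq $Group -and $_.ObjectType -eq $gpcGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
(Get-Acl -Path $policiesPath).Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

    Two caveats: run it as someone with WriteDACL on both the container and the folder (Domain Admins by default), and remember this only delegates creating GPOs; linking them is a separate right on the site, domain or OU and has to be delegated there.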

    Too many smart-cards inserted. Good thing: no need to throw them away

    Some time ago I used to issue certificates onto Aladdin (now SafeNet) eToken smart cards through the CA web interface. Occasionally it was hard to accomplish, because when I tried to do that I received the following error:

    “Too many smart-cards inserted. please insert only one smart-card”

    Wow! But I need two:

    • one is the eToken holding the certificate I enroll with
    • the second is the one that receives the new certificate

    Maybe the CA thinks I have too many of them in general and need to throw some away? No, fortunately (they cost a lot in bulk, you know) that is not the case. Moreover, there is a simple solution to the problem: set the registry entry NoDefaultKeyContainer under HKLM\SOFTWARE\Aladdin\eToken\MIDDLEWARE\CAPI\IEXPLORE.EXE (or create it if you don’t have it) to the DWORD value 00000000:

    That always solved the problem for me.

    Important: serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see Microsoft Knowledge Base article 322756, How to back up and restore the registry in Windows.

    %SystemRoot%System32 Secrets: certreq

    The next two candidates for the series from the System32 folder were bootcfg and cacls (I’m going through them alphabetically). But they are deprecated and, what’s important too, I’ve managed to learn their new variants (icacls in the case of cacls). Moreover, I’ve already described BCDEdit, which is the successor to bootcfg (and I’ve managed to learn how to use the new one ;)). Therefore I’m skipping these two commands and going straight to certreq.

    So, certreq. It is more for advanced admin use than for general users. But still it is good to remember it… Just in case you need to:

    • create new request for a certificate, which can be later submitted to a CA
    • submit the request to a CA
    • retrieve a certificate from a CA
    • sign a certificate request
    • and all other stuff to deal with certificates =)

    Of course it is scriptable, but, to be honest, I’ve only used it a few times so far. Still, it can come in handy in scripts, on the helpdesk and on a box disconnected from your network. So keep it in mind 😉
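    The first three bullets as one scripted round trip, an added example that is not from the original post: certreq -new builds the key pair and PKCS#10 request from an INF file, -submit sends it to the CA, and -accept pairs the issued certificate with the private key. The subject, template name, CA config string and working folder are assumptions for the example. For the disconnected box the same three calls are simply split: -new there, carry request.req to a connected machine for -submit, carry cert.cer back for -accept, because the private key only exists where -new ran.

```powershell
# Added example (not from the original post). All names below are assumptions.
$Subject  = 'CN=web01.corp.example.com'                  # assumed host name
$Template = 'WebServer'                                  # assumed template name
$CAConfig = 'ca01.corp.example.com\Corp Issuing CA'      # assumed "<CA host>\<CA name>"
$Work     = 'C:\certreq-work'                            # assumed working folder
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# Single-quoted here-string so "$Windows NT$" survives; {0} and {1} are filled with -f
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "{0}"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = {1}
'@ -f $Subject, $Template
Set-Content -Path "$Work\request.inf" -Value $inf -Encoding ASCII

# 1) key pair + PKCS#10 request; the private key lands in the machine store of this box
certreq -new "$Work\request.inf" "$Work\request.req"

# 2) submit; -config names the CA so no picker dialog appears and this runs unattended
$submit    = certreq -submit -config $CAConfig "$Work\request.req" "$Work\cert.cer" 2>&1 | Out-String
$requestId = [regex]::Match($submit, 'RequestId:\s*(\d+)').Groups[1].Value

if ($submit -match 'pending') {
    # CA manager approval required: issue it on the CA, then retrieve by request id
    "Request $requestId is pending; after issuance run:"
    "  certreq -retrieve -config `"$CAConfig`" $requestId `"$Work\cert.cer`""
    "  certreq -accept `"$Work\cert.cer`""
} else {
    # 3) bind the issued certificate to its private key (must run where -new ran)
    certreq -accept "$Work\cert.cer"
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject }
}
```

    Exportable = FALSE is deliberate: the key never leaves the machine, which is the whole reason to generate it there with -new instead of handing out PFX files. HashAlgorithm in [NewRequest] needs Vista/2008 or later; drop the line on a Windows 2003 box.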

    Further reading:

    Certreq Syntax

    Extended explanation of it

    Advanced Certificate Enrollment and Management

    %SystemRoot%System32 secrets: BITSAdmin

    Another deprecated friend of mine. But I still like it, really. First of all because I haven’t yet found enough time to get acquainted with all those *-BitsTransfer PowerShell cmdlets. Second… Well, there is nothing for the “second”, naturally =) But still, it is a great command and I’d like to pay tribute to it with this article, because it is AWESOME! It is soooo powerful! Even though I usually used it just to be sure I would download the file regardless of network loss or whatever, it can do much more. Download or upload, retry these tasks, get some part of the file, set myriads of parameters, including authentication, use peer caching… Wow! =)

    But again, I usually used it to download large files. Let’s take a look at one example.

    Let’s start with creating a download job:

    BITSAdmin /CREATE /DOWNLOAD DownloadJob1


    You can see that the job has been created and assigned a GUID you can use later (but we’ll use its name in this example). Also, as you can see, we are constantly reminded that the command is deprecated =( Let’s take a look at the job:



    (Yeah, a LOT of information.) Obviously, the job is currently empty (FILES: 0 / 0), so let’s add some files to it:

    BITSadmin /ADDFILE DownloadJob1 <URL> <PathToSavedFile>


    Added successfully and created a temp file already:


    Let’s add one more:


    and look at the second temporary file:


    They are both 0 bytes in size yet. Now, once we have two files for our job to download, we can get more info from the job:


    Here we can see both our files (JOB FILES) and… Can we just wait until the files get downloaded? No, because the job has not been started yet (STATE: SUSPENDED). We need to start it, and this is easy:

    BITSADMIN /RESUME DownloadJob1


    Now the job is in the TRANSFERRING state, and we can see how many bytes (BYTES) or files (FILES) have been transferred and so on. At this point something goes wrong and our network gets disconnected. Is it a problem for our downloads? Yes:


    their state is TRANSIENT_ERROR. Should we worry about it? No, because as soon as the network is restored the job gets QUEUED and then resumes automatically:


    Looking at this big picture from time to time by re-entering the /LIST command is boring, so we’ll monitor it another way, with BITSAdmin /MONITOR /REFRESH 1:



    which refreshes the state of our jobs periodically (every 1 second in the example):


    As soon as we get our files transferred:


    we can just go to our download location and… Oh… Wait… What’s that?


    The files do have the appropriate size, but their names… They are still temporary =( But don’t worry, just one more little step:

    BITSadmin /COMPLETE downloadJob1


    Oops. It seems BITSadmin treats job names as case-sensitive. We should remember this, so let’s type it the correct way:

    BITSadmin /COMPLETE DownloadJob1


    Here we are! The files are here and there is no more job to do! I’m loving it © =)
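    The same job driven from PowerShell through bitsadmin.exe, as an added example that is not from the original post and does not use the *-BitsTransfer cmdlets. It addresses the job by the GUID that /create prints, which sidesteps the case-sensitive name lookup entirely, polls /getstate until BITS is done (TRANSIENT_ERROR is left to BITS to retry, ERROR is final), and only then runs /complete. The URLs and local paths are constructed for the example.

```powershell
# Added example (not from the original post). URLs and paths are constructed sample input.
$files = @{
    'http://downloads.example.com/iso/image1.iso' = 'C:\Downloads\image1.iso'
    'http://downloads.example.com/iso/image2.iso' = 'C:\Downloads\image2.iso'
}

function Get-LastLine($output) {
    # bitsadmin prints its version/deprecation banner before every answer; the answer is the last line
    @($output | Where-Object { $_.Trim() })[-1].Trim()
}

# /create prints "Created job {GUID}."; keep the GUID and use it for every later call
$job = [regex]::Match((bitsadmin /create /download DownloadJob1 | Out-String), '\{[0-9a-fA-F-]+\}').Value
if (-not $job) { throw 'bitsadmin /create did not return a job GUID' }

foreach ($url in $files.Keys) {
    New-Item -ItemType Directory -Force -Path (Split-Path $files[$url]) | Out-Null
    bitsadmin /addfile $job $url $files[$url] | Out-Null
}
bitsadmin /resume $job | Out-Null                 # new jobs start SUSPENDED

# Poll until BITS leaves the "still working" states. BITS retries TRANSIENT_ERROR itself.
$busy = 'QUEUED', 'CONNECTING', 'TRANSFERRING', 'SUSPENDED', 'TRANSIENT_ERROR'
do {
    Start-Sleep -Seconds 2
    $state = Get-LastLine (bitsadmin /getstate $job)
    $bytes = Get-LastLine (bitsadmin /getbytestransferred $job)
    Write-Host "$state  bytes transferred: $bytes"
} while ($busy -contains $state)

if ($state -eq 'TRANSFERRED') {
    bitsadmin /complete $job | Out-Null           # renames the BIT*.tmp files to their real names
    $files.Values | ForEach-Object { Get-Item $_ }
} else {
    bitsadmin /geterror $job                      # why it failed
    bitsadmin /cancel $job | Out-Null             # drops the job and its temp files
    throw "Job $job ended in state $state"
}
```

    Two things worth knowing when you script this: a job that is never completed or cancelled survives reboots and keeps retrying, and bitsadmin /list /allusers (elevated) shows every job on the box, including ones you did not create, so it is also the place to look when something is downloading that should not be.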


    Forgive me for that useless lesson: I just couldn’t resist 😉

    If you are as amazed as I am, here is some reading.