2024年11月4日 星期一

如何將一組Registry利用Group Policy(GPO)派送至Client端(遠端新增機碼)

方法一
指令Logon Script

regedit /s \\[存放位置]\SBM1.reg

方法二
群組原則派送

群組原則管理編輯器 --> 使用者設定 --> 喜好設定 --> Windows 設定 --> 登錄 --> 新增 --> 登錄項目


2023年6月7日 星期三

Group Policy Console error: The volume for a file has been externally altered so that the opened file is no longer valid

 Problem
===========
GPedit.msc error: The volume for a file has been externally altered so that the opened file is no longer valid

Cause
=======
This seems to be caused due to GPOs not being enforced properly on the server, causing a corrupted GPO file.

Solution
===========
Rename or delete those folder C:\Windows\System32\GroupPolicy\User and C:\Windows\System32\GroupPolicy\Machine

(note: GroupPolicy is a hidden folder, you may need to enable hidden folders to navigate to this path)

Run gpupdate

2023年5月4日 星期四

How to disable RC4 and 3DES on Windows Server?

 RC4

To disable RC4 on your Windows server, set the following registry keys:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]

        "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

        "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

        "Enabled"=dword:00000000


3DES

To disable 3DES on your Windows server, set the following registry key:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]

        "Enabled"=dword:00000000

If your Windows version is anterior to Windows Vista (i.e. XP, 2003), you will need to set the following registry key:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]

        "Enabled"=dword:00000000

2023年1月16日 星期一

How to Fix the Calculator App Not Working in Windows

 Re-register Windows apps via PowerShell

hoe to register windows 10 apps via powershell

Since the calculator is a default application in Windows, you can possibly repair it by re-registering these Windows apps.

  1. Press the Windows + S keys on your keyboard to bring up the search tool, then look for “PowerShell.”
  2. Right-click on “Windows PowerShell” from the search results, then choose “Run as administrator.”
  3. If prompted, click Yes to allow PowerShell to make changes on your device.
  4. Once the application is open, copy and paste the following script into it, then press the Enter key on your keyboard to execute it: Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)AppXManifest.xml”}
  5. After the process of re-registering the Windows 10 apps has finished, try using the Calculator app again.

2023年1月4日 星期三

How to Transfer or Seize Active Directory FSMO Roles with PowerShell

There are several ways to move FSMO roles between Active Directory domain controllers: the graphical AD consoles, the ntdsutil command, and PowerShell. When transferring or seizing multiple roles at a time, PowerShell is likely the fastest and simplest method.

The Move-ADDirectoryServerOperationMasterRole cmdlet is used to transfer or seize FSMO roles. It can be run directly on a DC, or on a domain-joined server or workstation with the ActiveDirectory PowerShell module installed. There are two critical parameters that must be supplied to this command: Identity and OperationMasterRole.

The Identity parameter specifies the destination DC - i.e., the DC to which the role or roles are being moved. (It's not necessary to specify the source DC, since role-holder information is stored within AD.) This is typically the hostname of the destination DC but can also be a fully-qualified domain name, distinguished name, or GUID.

The OperationMasterRole parameter specifies which role or roles are being moved. Possible values of this parameter are PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, and DomainNamingMaster, but there are also numeric shortcuts for each of these:

0: PDCEmulator
1: RIDMaster
2: InfrastructureMaster
3: SchemaMaster
4: DomainNamingMaster

This is where the speed and efficiency of PowerShell becomes apparent. To transfer all five FSMO roles to a DC named NewDC, simply run this cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity NewDC 
-OperationMasterRole 0,1,2,3,4

PowerShell will prompt for confirmation of each role by default, but there is a Yes to All option.

To seize one or more FSMO roles, which should only be done if the existing role holder is permanently offline, simply add the -Force parameter to the cmdlet. Using the example above, if all five roles were held by a domain controller which was in an unrecoverable state, they could all be seized on NewDC with this cmdlet:
Move-ADDirectoryServerOperationMasterRole -Identity NewDC 
-OperationMasterRole 0,1,2,3,4 -Force

2022年9月28日 星期三

Event 1096 The processing of Group Policy failed

In case you see event 1096 (The processing of Group Policy failed) in your eventviewer, you’re experiencing problems with your group policies. The following event occurs several times in your SYSTEM LOG:

Log Name:     System
Source:       Microsoft-Windows-GroupPolicy
Event ID:     1096
Level:         Error
User:         SYSTEM
Description:
The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

 

To solve this issue, check the last modified date of the following file:

C:\Windows\System32\GroupPolicy\Machine\   and C:\Windows\System32\GroupPolicy\User\ 
(note: GroupPolicy is a hidden folder, you may need to enable hidden folders to navigate to this path)

 

 

An Attempt was to modify an object to include an attribute that is not legal for its class

Cause:
This problem comes when you are using a mixed-mode of OS in your AD environment such as you have Windows Server 2012 and Windows Server 2019 AD. If you have enabled the AD Recycle bin in mixed-mode of OS then this problem may come during the restore due to the schema version.


Solution:
In such environment where you are using mixed-mode of OS, always use the newer version of OS to perform any task. So in this case, you might be using the Win 2012 AD to restore the object. Use the latest OS AD, your restore should work fine.