How to fix the error “an authentication error has occurred(code 0x80004005)” when connecting through RDP.

Ever since the policy to disable TLS 1.0 was pushed down to the local machines, we started getting the error “an authentication error has occurred(code 0x80004005)”  when accessing few of our Windows 2008 R2 servers. It was interesting because we have a bunch of other servers with no problems accessing. This seems to be a very generic error code as google results were showing multiple problems and multiple solutions for this.

Apparently, in my case, the patch to add RDS support for TLS 1.1 and TLS 1.2 was not installed in 3 of the servers with this problem. So I had to download the patch from this Microsoft website and install and reboot them remotely. Once installed and rebooted, voila!!

Edit: There are multiple reasons for this problem, and there are multiple ways to fix it. I am just sharing what worked for me, and it may not work for all. Saying this because this post is now in the first page of google results and I am getting lot of traffic to this, and I do not want to disappoint you. Thanks

Fix “Failed to open Group Policy Object. You might not have the appropriate rights” error

I was facing this error in one of my servers while trying to open gpedit, with additional message “The volume for a file has been externally altered so that the opened file is no longer valid”.

Here is how  I fixed it.

1) Enable view hidden files from explorer.

2) Navigate to C:\Windows\System32\GroupPolicy\Machine

3)Rename the file Registry.pol to something else.

4) Run gpupdate

By now, I was able to open gpedit normally.

Note that by doing this, whatever polices in the local group policy settings will be gone. There will only be settings from the domain policy. So if you have made any local policy changes, they need to be re-done.

Fix problems in trusting files from a DFS namespace

So we migrated our fileshare to a DFS namespace and we started facing a lot of problems. One of the most annoying one was, no matter how we trust the source, the powershell scripts from the DFS namspaces were not able to run, as they give warning.

Interestingly, problem was that the FQDN of the DFS namespace is considered as an internet location by windows, causing it to not trust the location. This can be fixed by editing the local group policy.

Group policy editor -Computer configuration- Administrative templates – Windows components -Internet Explorer – Internet Control Panel – Security Page – Site to Zone Assignment List.

fqdn

How to export services and their users into csv

I need to export the services and their ‘run as’ users in a number of servers. This is how I did it.

#Ebin Issac 6/3/2018
#This will read a list of servers from a text file, and extract the services which are not run by localsystem, and save into a csv file. Need to be run from a server with elevated permissions

$ComputerList = Get-Content serverlist.txt
ForEach ($Server In $ComputerList) {
    Write-Host "Processing $($Server) ... " -ForegroundColor White -NoNewline
    Get-wmiobject -computername $Server win32_service | where { $_.startname -notmatch "localsystem"}| select-object pscomputername,Displayname,name,startname | Export-Csv "$Server.csv" -NoTypeInformation 
   # write-host $?
    If ($? -eq 'True') {
			Write-Host "OK." -ForegroundColor Green
    }
     Else {
			Write-Host "Failed." -ForegroundColor Red
    }
}

You can find the download link here.

So this will take a list of servers, and extract the services, but excludes those run by localsystem, and export into a csv. You can filter that part based on your requirements. The output will look similar to this.

ServiceUsers

How to export group memberships of Active Directory users into CSV format..

So I started a new job recently, and I am working on a as-is migration. I needed to export the list of AD users and their group memberships into human readable format. So this is how I did it.

$users = Get-ADUser -Filter *
foreach ($user in $users) {

$Groups = (Get-ADPrincipalGroupMembership -Identity $user.SamAccountName | Select-Object -ExpandProperty name) -join ','
get-aduser $user.SamAccountName -properties memberof,samaccountname,givenname,surname | select samaccountname, @{name="Groups";expression={$Groups}} | export-csv -append "ADUsers.csv" -Delimiter "," -NoTypeInformation -Encoding UTF8
}

You can find it in github here.

Basically, it just get all users from AD, and find their memberships and save only their names and memberships.

How to fix puppet certificate errors

When we recently took over some client’s infrastructure, we started to get the following error.

puppet-cert-error

I just had to renew the cert to fix this. To renew, follow the steps below:

1.Delete the old certificate from client.

root@agent1:/etc/puppetlabs/puppet# mv ssl ssl.20171115

2.Delete the old certificate from server.

root@ip-172-31-7-177:/home/ubuntu# puppet cert clean agent1.ap-southeast-1.compute.internal   //make sure to change the agent name

3.Run puppet agent again, it will create a new certificate.

root@agent1:/etc/puppetlabs/puppet# puppet agent -tv
Info: Creating a new SSL key for agent1.ap-southeast-1.compute.internal
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent1.ap-southeast-1.compute.internal
Info: Certificate Request fingerprint (SHA256): 16:E8:E6:51:46:A1:07:0E:FA:E1:E9:F9:54:C4:4E:F7:F9:EF:0E:xx:xx:xx:xx:xx:xx
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
root@agent1:/etc/puppetlabs/puppet#

4.If we get the following message, that means puppet server auto sign is not enabled, so we need to manually sign the cert from server. If it is not there, move to step 7

Exiting; no certificate found and waitforcert is disabled

5.To manually sign, first list the certs to be signed in the master.

root@ip-172-31-7-177:/home/ubuntu# puppet cert --list
"agent1.ap-southeast-1.compute.internal" (SHA256) 16:E8:E6:51:46:A1:07:0E:FA:E1:E9:F9:54:C4:4E:F7:F9:EF:0E:xx:xx:xx:xx:xx:xx
"agent2.ap-southeast-1.compute.internal" (SHA256) B1:3F:AF:A5:70:90:33:60:B8:63:EF:2C:A5:97:72:2C:DD:EF:xx:xx:xx:xx:xx:xx:xx
root@ip-172-31-7-177:/home/ubuntu#

6.Sign the certificate for that agent by :

root@ip-172-31-7-177:/home/ubuntu# puppet cert sign agent1.ap-southeast-1.compute.internal
Signing Certificate Request for:
"agent1.ap-southeast-1.compute.internal" (SHA256) 16:E8:E6:51:46:A1:07:0E:FA:E1:E9:F9:54:C4:4E:F7:F9:EF:xx:xx:xx:xx:xx:xx:xx
Notice: Signed certificate request for agent1.ap-southeast-1.compute.internal
Notice: Removing file Puppet::SSL::CertificateRequest agent1.ap-southeast-1.compute.internal at '/etc/puppetlabs/puppet/ssl/ca/requests/agent1.ap-southeast-1.compute.internal.pem'
root@ip-172-31-7-177:/home/ubuntu#

7.To verify, run puppet agent again in agent.

root@agent1:/etc/puppetlabs/puppet# puppet agent -tv
Info: Retrieving plugin
Info: Caching catalog for agent1.ap-southeast-1.compute.internal
Info: Applying configuration version '1510728583'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.01 seconds
root@agent1:/etc/puppetlabs/puppet#

How to export the last login details of all users in a Windows server using Powershell

So one of our clients want to get a monthly report on the last login details of all users in the Windows servers in our environment. So we came up with this powershell script which is scheduled to run end of every month. This will extract the data, and upload them to an S3 bucket. It makes use of awscli for uploading to s3. We can even include SNS notification, but right now it is not implemented.

Below is the script:

Disclaimer : I do not know if this is the best way to do it just like all my other scripts, but this works [ At least for me ]

$currentMonth = Get-Date -Format MM
$currentYear = Get-Date -UFormat %Y
$hostname = hostname
$filename = $currentYear+""+$currentMonth+""+$hostname+"_login.csv"
$([ADSI]"WinNT://$env:COMPUTERNAME").Children | where {$_.SchemaClassName -eq 'user'} | select @{l='name';e={$_.name}},@{l='LastLogin';e={$_.lastlogin}} | export-csv C:/temp/$filename

(gc C:/temp/$filename) -replace (gc C:/temp/$filename)[0],"" | sc C:/temp/$filename -Force
(gc C:/temp/$filename) -replace (gc C:/temp/$filename)[1],"" | sc C:/temp/$filename -Force
(gc C:/temp/$filename) | ? {$_.trim() -ne "" } | set-content C:/temp/$filename

aws s3 cp C:/temp/$filename s3://YourBucket/$currentYear/$currentMonth/

This will create a csv file in the following format.
windows_last_login