2011-06-28

Track Users logon/logoff activity in Windows Domain environment (Active Directory)

Sorry for the bad formatting, but I'm using wordpress for blogging now and this is just a copy-paste without any additional work. You can view this post here for better looks: http://www.pupils.lt/?p=447

If you ever need to quickly review historical logon/logoff information in your environment, the following might be useful.

So how are we going to track user logon information?

The answer is to implement user logon and logoff scripts via Group Policy.

Steps

1) Share a directory on network where logs will be saved.

Share a folder with full share permissions for Everyone, as well as full NTFS permissions for the users you want to log. It is recommended to make it a hidden share, \\server\share$\. In this scenario I will use two folders in the shared location: one for computers, \\server\share$\computers\, and one for users, \\server\share$\users\.

2) Create a .bat file with necessary commands for logon and logoff events.

a) Create logon.bat with the contents below and save it as \\server\share$\logon.bat

ver >>\\server\share$\computers\%computername%.txt
echo %username% logged on %date% - %time% >>\\server\share$\computers\%computername%.txt
ipconfig /all |findstr Address >>\\server\share$\computers\%computername%.txt
ver >>\\server\share$\users\%username%.txt
echo %computername% logged on %date% - %time% >>\\server\share$\users\%username%.txt
ipconfig /all |findstr Address >>\\server\share$\users\%username%.txt


The first command writes the OS version to computer_name.txt on your share.

The second command writes the username of the logged-on user, with the date and time the script ran, to computer_name.txt on your share.

The third command writes the IP and MAC addresses of the network connections to computer_name.txt on your share.

The next three commands do exactly the same, but write everything to user_name.txt in \\server\share$\users\.

b) Create logoff.bat with the contents below and save it as \\server\share$\logoff.bat

echo %username% logged off %date% - %time% >>\\server\share$\computers\%computername%.txt
echo %computername% logged off %date% - %time% >>\\server\share$\users\%username%.txt


Of course you can modify .bat files to suit your needs.

3) Enable .bat files to run on user logon and logoff via Group Policy.

Now we need to make those .bat files run every time a user logs on and logs off.

Open Group Policy Management, create a GPO and link it to the OU where the targeted users reside. Right-click that GPO and choose Edit. Navigate to User Configuration\Windows Settings\Scripts (Logon/Logoff), double-click Logon, click Add, browse to logon.bat (\\server\share$\logon.bat) and click OK twice. Then open Logoff, click Add, browse to logoff.bat (\\server\share$\logoff.bat) and click OK twice.



All set. To test it, first update group policy on a target computer with the gpupdate /force command. Then log off and log on with a test user that resides in the OU where your GPO applies.

If your test user is A.Test and the computer is TESTXP, you should get 2 files created:

\\server\share$\computers\TESTXP.txt with the following contents:

Microsoft Windows XP [Version 5.1.2600]
A.test logged on 2011.06.28 - 11:45:14,44
Physical Address. . . . . . . . . : 00-0C-0C-60-C2-FA
IP Address. . . . . . . . . . . . : 192.168.1.15
A.test logged off 2011.06.28 - 11:45:50,35


and \\server\share$\users\A.test.txt with the following contents:

Microsoft Windows XP [Version 5.1.2600]
TESTXP logged on 2011.06.28 - 11:45:15,82
Physical Address. . . . . . . . . : 00-0C-0C-60-C2-FA
IP Address. . . . . . . . . . . . : 192.168.1.15
TESTXP logged off 2011.06.28 - 11:45:50,37
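Once the share starts filling up, the following Python script, added here and not part of the original post, parses the user or computer text files that logon.bat and logoff.bat write, pairs each logon with its logoff, and leaves the end empty for logons that never got a logoff. The sample log is constructed in the layout of the A.test.txt output above.

```python
import re
from datetime import datetime

# Lines written by logon.bat / logoff.bat (name is a user or a computer), e.g.
#   "TESTXP logged on 2011.06.28 - 11:45:15,82"  and  "IP Address. . . : 192.168.1.15"
EVENT_RE = re.compile(
    r"^(?P<name>\S+) logged (?P<kind>on|off) "
    r"(?P<ts>\d{4}\.\d{2}\.\d{2} - \d{2}:\d{2}:\d{2},\d{2})$"
)
ADDR_RE = re.compile(r"^(?P<field>Physical Address|IP Address)[ .]*: (?P<value>\S+)$")
TS_FORMAT = "%Y.%m.%d - %H:%M:%S,%f"  # %date% - %time% as in the sample output

def build_sessions(lines):
    """Pair each 'logged on' with the next 'logged off' for the same name.
    end stays None when no logoff was recorded (power loss, script never ran);
    a logoff with no open logon is ignored."""
    sessions, open_by_name = [], {}
    for raw in lines:
        line = raw.strip()
        event = EVENT_RE.match(line)
        if event:
            name, ts = event["name"], datetime.strptime(event["ts"], TS_FORMAT)
            if event["kind"] == "on":
                session = {"name": name, "start": ts, "end": None,
                           "duration_seconds": None, "addresses": {}}
                sessions.append(session)
                open_by_name[name] = session  # a repeated logon leaves the earlier one open
            elif name in open_by_name:
                session = open_by_name.pop(name)
                session["end"] = ts
                session["duration_seconds"] = round((ts - session["start"]).total_seconds(), 2)
            continue
        addr = ADDR_RE.match(line)
        if addr and open_by_name:  # the MAC/IP lines follow the most recent logon
            newest = max(open_by_name.values(), key=lambda s: s["start"])
            newest["addresses"][addr["field"]] = addr["value"]
    return sessions

# Constructed sample in the layout of \\server\share$\users\A.test.txt above,
# plus a later logon from another computer that has no logoff yet.
SAMPLE_USER_LOG = """\
Microsoft Windows XP [Version 5.1.2600]
TESTXP logged on 2011.06.28 - 11:45:15,82
Physical Address. . . . . . . . . : 00-0C-0C-60-C2-FA
IP Address. . . . . . . . . . . . : 192.168.1.15
TESTXP logged off 2011.06.28 - 11:45:50,37
TESTPC2 logged on 2011.06.28 - 13:02:00,10
IP Address. . . . . . . . . . . . : 192.168.1.16
""".splitlines()
```

Since the logged users themselves have write access to these files (step 1), treat the result as an operational aid rather than tamper-proof evidence.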

2011-06-14

Moving to wordpress

For a more comfortable UI I am moving my blog to the wordpress platform here: www.pupils.lt
I will continue to mirror my blog on blogger.com as well.

2011-06-10

Enabling Remote Desktop Connection client Single Sign On (SSO) for Remote Desktop Services

You probably came here for one of the following reasons:

a) having to log in twice when connecting to a terminal server in an RD Connection Broker farm
b) having to enter credentials for every RemoteApp even though you are already logged on with the same credentials

To avoid these (multiple) double logins you need to enable Single Sign-On. That requires changes on both the server and the client.

1. Server

Connect to the Remote Desktop Session Host (RDSH) server
Start Server Manager
Expand Roles -> Remote Desktop Services and select RD Session Host Configuration
In the right pane, under Connections, right-click the RDP-Tcp connection and choose Properties
On the Log on Settings tab make sure "Always prompt for password" is unchecked.
On the General tab choose the security layer Negotiate or SSL (TLS 1.0)
Click OK.

2. Client

2.1 Windows Vista / Windows 7

Start the Group Policy Editor (run gpedit.msc)
Expand Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
Enable the following settings: Allow Delegating Default Credentials and Allow Delegating Default Credentials with NTLM-only Server Authentication
Add the following entry to each setting: TERMSRV/server_name

server_name is the name of the RDSH server; you can use one wildcard there, for example TERMSRV/myserver, TERMSRV/*.domain.com or TERMSRV/*

Run "gpupdate /force" on your client, and you should now be able to connect to your RDSH server without having to supply credentials. If you have saved credentials in your RDC client, delete them; you should then see the message "Your Windows logon credentials will be used to connect.", indicating that SSO is on.

2.2 Windows XP SP3

It is trickier on Windows XP, as it has no GPO setting to enable SSO, so you will need to make some registry changes.
Fortunately there is a Microsoft Fix It tool that can do it for you: http://go.microsoft.com/?linkid=9758284

If you prefer to do it yourself read below:

Enable CredSSP

Under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Edit the REG_MULTI_SZ value named Security Packages and add tspkg to the list.

Under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
Edit the REG_SZ value named SecurityProviders and append ", credssp.dll" to the end (without the quotation marks).

Also you will need to create the following registry entries:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
Name: ConcatenateDefaults_AllowDefault, Type: REG_DWORD, Data: 1
Name: AllowDefaultCredentials, Type: REG_DWORD, Data: 1
Name: AllowDefCredentialsWhenNTLMOnly, Type: REG_DWORD, Data: 1
Name: ConcatenateDefaults_AllowDefNTLMOnly, Type: REG_DWORD, Data: 1

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials
Name: 1, Type: REG_SZ, Data: TERMSRV/*

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly
Name: 1, Type: REG_SZ, Data: TERMSRV/*

Note:
Modify TERMSRV/* to your needs; if you need to specify more servers, just create additional entries named "2", "3" and so on.
You might need to restart the Windows XP machine for the registry changes to take effect.
After all these changes you might still need a hotfix for Windows XP: http://support.microsoft.com/kb/953760

Links:
Paul Adams' blog post - http://blogs.technet.com/b/mrsnrub/archive/2010/12/16/xp-clients-credssp-sso-connection-broker-and-other-animals.aspx
TechNet article - http://technet.microsoft.com/en-us/library/cc742808.aspx
Microsoft KB article - http://support.microsoft.com/kb/951608/

2011-06-06

Can't launch executable files from shares (domain environment)

When trying to launch some .exe files from a network drive (a mapped share from the file server) I got the following error:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

This error occurs even though I have full security permissions on the file and full share permissions, and non-executable files open as expected. This behavior is due to IE security settings; to fix it you need to:

1) Open IE and go to Tools -> Internet Options
2) On the Security tab select Local intranet and click Sites
3) Add "file://server name" (without quotes) to the Local intranet zone, then click Close, OK and OK.

"server name" is the name of your server where the shared files reside.


Double login to Terminal Servers with RD Connection Broker

If your users are frustrated by the double login prompt while connecting to a terminal server (2008 R2 in my case) in an RD Connection Broker farm, you may try a few things.

1) Make sure users are entering their credentials on the RDP client and not when they are already connected to the server.

2) Enable CredSSP on Windows XP SP3

Click Start, click Run, type regedit, and then press ENTER.
In the navigation pane, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the details pane, right-click Security Packages, and then click Modify.
In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.
In the navigation pane, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
In the details pane, right-click SecurityProviders, and then click Modify.
In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.

3) Create an RDP shortcut, open it in Notepad and add the following lines: