
National IT Support for your business (Sydney, Brisbane, Melbourne, Perth)

National Local Call: 1300 88 35 99
Level 13, 155 Castlereagh St, Sydney, NSW 2000


vCloud Director Console Session Browser Plugin issue resolved

 

Browser vendors have updated their browsers to disable NPAPI plugins, which VMware uses in vCloud Director 5.x to open the console session to individual virtual machines. There is a solution to this, so you can open virtual machines directly from the browser without having to have a very old version of Firefox installed.

This solution was tested on the latest Firefox at the time of writing, 53.0.3.


Fixing a corrupt Navigation Pane in Outlook

A corrupt Navigation pane in Outlook can cause several issues with Outlook. Most common is the inability to open Outlook. You may see the following error:

Cannot start Microsoft Office Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The file C:\users\%username%\AppData\Local\Microsoft\Outlook\Outlook.pst cannot be opened.

Note: Username and PST name will vary.

Furthermore, a corrupt navigation pane can cause other issues, such as errors accessing the Favourites folder in Outlook, and Outlook preventing you from sending email, depending on the issue with the navigation pane.


Meraki device changes to Repeater Mode

When adding a second or additional Meraki device onto an existing network, or in the case of an already configured multiple-device wireless network, you may notice that one of the devices operates in or switches into “Repeater Mode”.

If you are used to configuring multiple access points as gateways (preferred method), you may not immediately identify that one of the devices has changed into operating as a Repeater.

If you have not intentionally configured the device in this manner and prepared the site for this kind of setup, you may find the device in repeater mode has trouble with connectivity and drops users off the network, especially when there is a high number of users or a lot of traffic. This will be especially evident if the devices do not have a strong signal between each other, which is often not such a major issue when the access points are both set up as gateways. Pushing all the traffic from one device to another access point over wireless is obviously not an ideal scenario if Ethernet cable access is available.


Active Directory Features in Windows Server 2016

This document will look at some of the new features of Active Directory on Windows Server 2016.

Active Directory levels

Windows Server forest and domain functional levels are updated in 2016. File Replication Service (FRS), which Server 2003 uses to replicate SYSVOL and its folder contents, will not work on Windows Server 2016. Organisations should therefore raise the functional level of a domain to Windows Server 2008 or higher to ensure SYSVOL replication continues to work in future.


Windows Server 2016 Nano Server

Microsoft have pushed the envelope of a minimal-footprint server by introducing Nano Server. Nano Server is a completely headless installation with no local GUI or console, and there is no ability to install a server operating system on top of a Nano Server.

With organisations running more VMs on their hosts in private and public cloud scenarios, Microsoft have recognised that the footprint of their traditional server operating systems was too large for servers which often ran only basic functions.

The result is a stripped-down server, efficiently capable of running a set of applications and services without the overhead of the operating system itself. In addition to removing the user interface, Microsoft has left out features such as 32-bit compatibility as well as MSI support. So you have a server with no local login and 64-bit-only support for applications and tools.


Exchange 2013 – Reseed a corrupt search catalogue

Issue

Microsoft Exchange search services are not functioning, and search results are not being displayed. On further investigation you see the following event being logged on the Exchange Server.

Event ID: 123
Level: Error
Source: ExchangeStoreDB

 

At <timestamp> the Microsoft Exchange Information Store Database <identity> copy on this server experienced a corrupted search catalog. Consult the event log on the server for other "ExchangeStoreDb" and "MSExchange Search Indexer" events for more specific information about the failure. Reseeding the catalog is recommended via the ‘Update-MailboxDatabaseCopy’ task.

The error suggests that there is a corrupt Exchange Search Catalogue.

Checking the “ContentIndexState” and/or running Get-MailboxDatabaseCopyStatus may also highlight issues if it returns a result of anything other than “Healthy”, such as “Failed” or “Unknown”.


Implementing AppLocker Control on RDS

A Remote Desktop Server, by nature, is an all-inclusive approach to providing users a Standard Operating Environment. Applications, printers and other resources are available for all users on the server.  However this causes some concerns, particularly in the application space.  AppLocker provides a method to restrict access to applications from certain users or groups.

In this example, the application being targeted is Adobe Creative Cloud on a Windows 2012 R2 Remote Desktop Server. Creative Cloud is a subscription-based service and, as such, not all users on the target RDS have the required subscription to use the product. However, there are a number of processes that run for every single user logged in to the RDS:

[Screenshot: Creative Cloud processes running for each user]

Obviously on a multi-user server this will quickly lead to CPU and memory bloat for absolutely no reason, considering the majority of users do not use the application anyway.

The solution in this case is to implement AppLocker via Group Policy to block the Creative Cloud application for any user that does not need it. But first, there are a few caveats that need to be addressed.

  • AppLocker is a computer policy and it is best applied to a computer. Consider changing the security filtering of your policy to apply to the target machine (more on this below).
  • DENY policies always overrule ALLOW policies. For example, denying Domain Users and attempting to allow AdobeCC-AllowedUsers will result in all users being denied anyway. As such, populate your security groups with users you intend to deny access to, rather than allow.
  • Do your research into the application(s) you intend to block. Is blocking a single executable enough, or do you need to block whole folders? Do other processes spawn from this executable and how will that impact users?

These points will be illustrated below. Now on to the configuration.

The AppLocker GPO itself is quite simple and with the above caveats in mind the implementation is straightforward.

  • Create yourself a GPO.  As mentioned above, consideration of the intended target computer should be given. In this example, the Security Filtering has been changed from Authenticated Users to AUS-RD02, the name of the Remote Desktop Server.


  • Turn on the Application Identity service via the GPO. Application Identity may not be used depending on how you target applications, but it won’t hurt to have it on. This service is used to discover parameters of the program such as the publisher, version etc. If it’s not running on the target computer, the details of the application can’t be retrieved. This is particularly important if you choose to target Publishers (eg blocking all Adobe products) or Versions (preventing groups from using particular versions of an application). This can be done via Computer Configuration/Policies/Windows Settings/Security Settings/System Services


  • The next step is to configure your rule enforcement. There are two options for the various categories, either to enforce rules or to audit.  Enforcement would strictly apply your rules, restricting user access to the applications, while Audit will monitor and report (used for testing). Configure these options under Computer Configuration/Policies/Windows Settings/Security Settings/Application Control Policies/AppLocker and right click the AppLocker icon and select Properties.


  • Next step, configure some executable rules. You’ll note there are some defaults already applied. These are to ensure that all users can access sections such as Program Files and that Administrators have access to all files. Leave these in place unless you have a specific reason not to. This example will focus on configuring a DENY rule, applying to a specific AD Security Group called APP-AdobeCCDeny and covering the entire Adobe Creative Cloud Program Files folder. You’ll note that there are a few options on how to apply this (Publisher, Path and File Hash). This will only cover File Path.

Select the Executable Rule tab and right click and choose Create New Rule.

Select your action. We want to DENY and then choose the security group to apply this to:

[Screenshot: rule action and security group selection]

Select Path as the primary condition and press Next. At this prompt you’ll need to fill in the path – keep in mind that appropriate variables should be used, as the program you want to block can’t be selected by choosing Browse as it is likely not installed on the domain controller or computer you are working from to generate the policy.


NOTE: %PROGRAMFILES% covers both Program Files and Program Files (x86). In this example, we choose to apply the rule to Program Files (x86)\Adobe\Adobe Creative Cloud\*, which will include all files and subfolders.

Press Next through the exceptions unless required. NOTE that exceptions are for excluding files or folders from the rule rather than users or groups. Next specify a name for the rule and click Create.


The final step is to apply the GPO to the target Organisational Unit, such as the OU containing the Remote Desktop Server.

The settings will only take effect once users log off and back on again, and the result should be that anyone in the DENY user group receives the following error when they try to access the program:

[Screenshot: AppLocker block message]

All other users should still be able to use the program.  You’ll note that for blocked users, any background processes that run from that folder or have dependencies on executables that run from that folder will also fail to run.  In this example, the result is a much cleaner and leaner user profile.
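One way to check the result on the Remote Desktop Server before users report it, as an added example that is not part of the original article: it confirms the Application Identity service, shows the enforcement mode, lists the deny path rules and evaluates the Creative Cloud executables for two accounts. The `CONTOSO\...` account names are hypothetical placeholders and the folder path assumes the Program Files (x86) install location used above.

```powershell
# Added example, not from the article. Run elevated on the RDS host.
# Hypothetical accounts: replace with a member and a non-member of APP-AdobeCCDeny.
$deniedUser  = 'CONTOSO\cc.denied'     # placeholder: member of APP-AdobeCCDeny
$allowedUser = 'CONTOSO\cc.licensed'   # placeholder: not in the deny group
$ccFolder    = Join-Path ${env:ProgramFiles(x86)} 'Adobe\Adobe Creative Cloud'

# 1. The GPO starts the Application Identity service; confirm it is running here.
Get-Service -Name AppIDSvc | Format-Table Name, Status -AutoSize

# 2. Enforcement mode per rule collection (Enabled = enforce, AuditOnly = log only).
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$policy.AppLockerPolicy.RuleCollection | Format-Table Type, EnforcementMode -AutoSize

# 3. Deny path rules in the Exe collection, with the group each one targets.
$policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.FilePathRule } |
    Where-Object { $_.Action -eq 'Deny' } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.UserOrGroupSid)
        [pscustomobject]@{
            Rule  = $_.Name
            Group = $sid.Translate([System.Security.Principal.NTAccount]).Value
            Path  = $_.Conditions.FilePathCondition.Path
        }
    } | Format-Table -AutoSize

# 4. Evaluate every Creative Cloud executable for both accounts.
$exes = Get-ChildItem -Path $ccFolder -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if (-not $exes) { throw "No executables found under $ccFolder" }
foreach ($user in $deniedUser, $allowedUser) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $exes -User $user |
        Group-Object PolicyDecision |
        Select-Object @{ n = 'User'; e = { $user } }, Name, Count |
        Format-Table -AutoSize
}

# 5. Recent AppLocker events: 8003 = would have been blocked (audit), 8004 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap
```

A rule collection left in AuditOnly only logs event 8003 when a deny rule matches, so compare the decisions from step 4 with the enforcement mode shown in step 2.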


Installing HP tools for ESXi Hosts (the easy way) – updated 2016/17

Since the split of HP into a server business (HPE) and a desktop/printer business (HP), some of the syntax for installing and managing HP tools on ESXi has changed.

What you now need to do is below.

First put your host in maintenance mode, then SSH to your ESXi host.

cd /tmp

wget http://vibsdepot.hpe.com/hpe/oct2016/esxi-550-bundles/hpe-HPUtil-esxi5.5-bundle-2.6-12.zip

wget http://vibsdepot.hpe.com/hpe/oct2016/esxi-550-bundles/hpe-esxi5.5uX-bundle-2.6.0-22.zip

wget http://vibsdepot.hpe.com/hpe/oct2016/esxi-550-bundles/ams-esxi5.5-bundle-10.5.0-13.zip

wget http://vibsdepot.hpe.com/hpe/oct2016/esxi-550-bundles/hpe-nmi-esxi5.5-bundle-2.4.16.zip


Deploying Office 365 on Remote Desktop Server

Gone are the days where simply inserting a Microsoft Office DVD and running the setup executable was sufficient for installing Microsoft Office on a Remote Desktop Server. With many organisations switching to the flexible Office 365 model, Microsoft has released the Office Deployment Tool to facilitate installing multi-user, per-user licensed editions of Office.


Windows Server 2012 R2 Asynchronous Credits

We recently came across an issue with several new Windows 2012 R2 boxes in a particular organisation having mysterious file save errors and mapped drive disconnects.

