Thursday, April 28, 2011
Windows 7 temporary profile after profile cleanup
After cleaning up a user profile on a Windows 7 station (deleting the folders “c:\users\MyUserAccount” and the roaming profile on “\\fs01\profiles\MyUserAccount”), I thought I would start with a clean profile.
But Windows kept logging user “MyUserAccount” in with a temporary profile.
It seems that Windows keeps a list of profile locations in the registry. If that location for a certain user can’t be found, the user is logged on with a temporary profile.
This is the key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
What you see there is a list of profile SIDs, so you have to check them all to find your user and delete the whole key accordingly.
I thought it would be handy to write a script that automates this.
It reads the value “ProfileImagePath” under each SID key, and if the folder that value points to (e.g. c:\users\JohnDoe) doesn’t exist on the local system, it wipes that SID’s whole registry key from the ProfileList.
Save as W7ProfileListCleanup.vbs:
    On Error Resume Next

    '### GLOBAL VARIABLES
    Dim WSHShell, oFSO, strComputer, ProfileListRegistryLocation, ArrayWithProfileSIDS, Subkeys, HKEY_LOCAL_MACHINE

    '### CREATE OBJECTS
    Set WSHShell = CreateObject("WScript.Shell")
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    strComputer = "."
    ' WMI registry provider on the local machine
    Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

    '### CONSTANTS
    HKEY_LOCAL_MACHINE = &H80000002
    ProfileListRegistryLocation = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    RegistryKeyContainingPath = "ProfileImagePath"

    '### FUNCTIONS NEEDED
    ' Delete the ProfileList entry when its profile folder no longer exists on disk
    Function CheckAndDelete(LocalProfileDir, ProfileSID, FullPath)
        If Not oFSO.FolderExists(LocalProfileDir) Then
            WScript.Echo "NOT FOUND: " + LocalProfileDir
            DeleteProfileListKeyRecursive FullPath
        Else
            WScript.Echo "OK: " + LocalProfileDir
        End If
    End Function

    ' Remove the SID key and everything below it (hidden window, wait for completion)
    Function DeleteProfileListKeyRecursive(FullPath)
        WSHShell.Run "reg delete ""HKLM\" + FullPath + """ /f", 0, True
        WScript.Echo "- Deleted: " + FullPath
    End Function
    '### END OF FUNCTIONS NEEDED

    '### START THE ACTION
    '### ENUMERATE THE LIST WITH PROFILES
    objRegistry.EnumKey HKEY_LOCAL_MACHINE, ProfileListRegistryLocation, ArrayWithProfileSIDS
    For Each ProfileSID In ArrayWithProfileSIDS
        FullPath = ProfileListRegistryLocation & "\" & ProfileSID
        objRegistry.GetExpandedStringValue HKEY_LOCAL_MACHINE, FullPath, RegistryKeyContainingPath, LocalProfileDir
        '### CHECK FOR DIRS AND DELETE IF NOT FOUND
        CheckAndDelete LocalProfileDir, ProfileSID, FullPath
    Next
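The same cleanup as a PowerShell function with a dry-run mode, added here as an example and not part of the original script. The function name and the backup file location are assumptions; it only considers user SIDs (S-1-5-21-*), skips keys that have no ProfileImagePath, and exports the ProfileList key before deleting anything.

```powershell
# Added example (not the original script). Run from an elevated PowerShell prompt.
# Remove-OrphanedProfileListEntry and $BackupFile are hypothetical names.
function Remove-OrphanedProfileListEntry {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$BackupFile = "$env:TEMP\ProfileList-backup.reg"
    )
    $regKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    $orphans = @(foreach ($key in Get-ChildItem -LiteralPath "Registry::$regKey") {
        $sid = $key.PSChildName
        # Only user accounts; leave the system accounts (S-1-5-18/19/20) alone.
        if ($sid -notlike 'S-1-5-21-*') { continue }

        # GetValue expands environment variables in REG_EXPAND_SZ values.
        $path = $key.GetValue('ProfileImagePath')
        if ([string]::IsNullOrEmpty($path)) {
            Write-Warning "$sid has no ProfileImagePath, skipping"
            continue
        }
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            New-Object PSObject -Property @{
                SID = $sid; ProfileImagePath = $path; Key = $key.PSPath
            }
        }
    })
    if ($orphans.Count -eq 0) { Write-Verbose 'No orphaned entries found.'; return }

    # Keep a restorable copy of the whole ProfileList key before touching it.
    if ($PSCmdlet.ShouldProcess($BackupFile, 'Export ProfileList backup')) {
        reg.exe export $regKey $BackupFile /y | Out-Null
    }
    foreach ($o in $orphans) {
        $target = "$($o.SID) -> $($o.ProfileImagePath)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove ProfileList key')) {
            Remove-Item -LiteralPath $o.Key -Recurse
        }
        $o   # emit the entry so the caller sees what was (or would be) removed
    }
}

# Dry run: lists what would be deleted without changing the registry.
Remove-OrphanedProfileListEntry -WhatIf
```

Drop `-WhatIf` to delete for real; each key then asks for confirmation unless `-Confirm:$false` is passed.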
Wednesday, April 27, 2011
Exchange 2010 SP1 anonymous relay
A common use case for open relays is MFC’s (“copiers”), because people need to scan documents and want to mail them directly to recipients on the internet.
Never apply the following to your normal connector for mailflow, as your mailserver will most certainly be used to send spam!
Create a new receive connector (Server configuration, Hub Transport) and make sure its bindings don’t conflict with other connectors. The name for the connector could be something like “Relay Connector MFC’s”. Make sure you add the right IP addresses or ranges.
To grant the relay access, the following line will do the trick:
Get-ReceiveConnector "Relay Connector MFC's" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
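A check to run afterwards in the Exchange Management Shell, added here as an example and not part of the original post: it lists every receive connector on which anonymous senders may relay to any recipient, together with the remote IP ranges that connector accepts. The output property names and the string form used to recognise the all-addresses range are assumptions.

```powershell
# Added example for the Exchange Management Shell (not from the original post).
# Finds receive connectors that grant anonymous relay and shows who can reach them.
$right = 'Ms-Exch-SMTP-Accept-Any-Recipient'
$anon  = 'NT AUTHORITY\ANONYMOUS LOGON'

Get-ReceiveConnector | ForEach-Object {
    $connector = $_

    # Allow-entries for ANONYMOUS LOGON that carry the relay right
    $grants = $connector | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $right) }

    if ($grants) {
        $ranges = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })

        # Assumption: the all-IPv4 range is rendered as '0.0.0.0-255.255.255.255'.
        # If it is present, any host that can reach the listener can relay.
        $wideOpen = $ranges -contains '0.0.0.0-255.255.255.255'

        New-Object PSObject -Property @{
            Connector      = $connector.Identity
            Bindings       = ($connector.Bindings -join ', ')
            RemoteIPRanges = ($ranges -join ', ')
            RelayFromAnyIP = $wideOpen
        }
    }
} | Format-List Connector, Bindings, RemoteIPRanges, RelayFromAnyIP
```

Only the dedicated MFC connector should appear, with RemoteIPRanges limited to the copiers' addresses and RelayFromAnyIP set to False.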
Friday, April 22, 2011
Change Windows 7 logon background
Whether it’s just for fun or your company wants to brand their Windows 7 logon background, here’s how:
Prepare the system:
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d "0x1" /f
    mkdir c:\windows\system32\oobe\info\backgrounds
Now place at least the following file in c:\windows\system32\oobe\info\backgrounds.
- backgroundDefault.jpg
This will be the “fallback” image, so if none of the following files is found the image above will be stretched to fit your current resolution.
Optionally you can place the following files:
- background768x1280.jpg
- background900x1440.jpg
- background960x1280.jpg
- background1024x1280.jpg
- background1280x1024.jpg
- background1024x768.jpg
- background1280x960.jpg
- background1600x1200.jpg
- background1440x900.jpg
- background1920x1200.jpg
- background1280x768.jpg
- background1360x768.jpg
Remember: file size cannot exceed 256 KB (so I’ve heard, not tested).
Tuesday, April 12, 2011
icacls (win2k8) scripting examples
After cacls, xcacls.vbs, now we have icacls to set file and folder permissions.
Here are some practical examples.
Create a bunch of directories
    md d:\apps
    md d:\profiles
    md d:\users
Share the directories. Note the offline caching; users are allowed to enable offline caching for their homedirs, other directories are disabled for offline caching.
    net share apps=d:\apps /grant:everyone,FULL /CACHE:None
    net share profiles=d:\profiles /grant:everyone,FULL /CACHE:None
    net share users=d:\users /grant:everyone,FULL /CACHE:Manual
Now let’s script the ntfs permissions for the apps share:
- “:(OI)(CI)F” means Full Control on “This Folder, Subfolders and files”
- “:(OI)(CI)M” means Modify on “This Folder, Subfolders and files”
- “/inheritance:r” means remove all inherited ACLs from the parent
    icacls "d:\apps" /grant "domain admins":(OI)(CI)F /inheritance:r
    icacls "d:\apps" /grant "everyone":(OI)(CI)M /inheritance:r
On the profiles share, only the “domain admins” should be allowed to enter all “Folders, Subfolders and files” (hence the (OI)(CI)F); everyone else should be able to read “this folder only”.
So without a combination of (CI) and/or (OI), it means “this folder only”.
    icacls "d:\profiles" /grant "domain admins":(OI)(CI)F /inheritance:r
    icacls "d:\profiles" /grant "everyone":R /inheritance:r
Upon creating a new user, the Domain Admin should manually create a profile folder for the user and add the user with appropriate rights.
The same goes for the users share containing the home directories of all users:
    icacls "d:\users" /grant "domain admins":(OI)(CI)F /inheritance:r
    icacls "d:\users" /grant "everyone":R /inheritance:r
Now use your own imagination :)