Remotely enable Remote Desktop in Windows 7/8/8.1

Step 1: Open ports in the Windows firewall

There is no native way to change the settings of a remote Windows firewall. However, you can use PsExec from SysInternals to disable it or change some rules.

If you download the app and drop it into your c:\ drive, you can run this command and get command line access for that remote box.

c:\psexec \\remote_machine_name cmd

Once you have that command line open, you can run this command to disable the firewall:

netsh advfirewall set currentprofile state off

Alternatively you can run this command to allow only Remote Desktop while still leaving the rest of the firewall as is:

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Step 2: Start the Remote Registry service

Load up the Services MMC (Control Panel > Administrative Tools > Services), right click on “Services (Local)” and choose “Connect to another computer”. Enter the name of your remote machine and connect to it. You should now be able to find the “Remote Registry” service and start it.

Depending on your environment, this may already be running, but I have found it generally isn’t on fresh computers.

Step 3: Change a registry setting to enable Remote Desktop

It’s time to make use of the Remote Registry and actually enable RDP. Load up regedit and go to File > Connect Network Registry. Enter the name of your remote computer and connect to it. Navigate to HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Terminal Server. Change the value of “fDenyTSConnections” to “0”.

Step 4: Start the Remote Desktop service

Go back to the Services MMC you used in Step 2. Find the service “Remote Desktop Services” and start it (or restart if it is already running).

Step 5: Connect

By this point you should be able to connect to a remote desktop session on your remote computer. Remember that only administrative users can connect to an out-of-the-box Remote Desktop setup. If you have got this far and still can’t connect, it is worth checking your firewall rules to ensure nothing is being blocked.
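As an added example (not part of the original article), the following Windows PowerShell function checks the state that Steps 1 to 4 leave behind on the remote machine, so that a failed connection in Step 5 can be traced to the firewall, the registry value or the service rather than guessed at. It assumes Windows PowerShell (Get-Service -ComputerName is not available in PowerShell 7), an account with administrative rights on the target, and that the Remote Registry service from Step 2 is running there; the function name and its parameters are this example's own.

```powershell
# Added example: verify the remote RDP prerequisites this article configures.
# Assumes Windows PowerShell, admin rights on the target and a running Remote
# Registry service there. Function and parameter names are this example's own.
function Test-RemoteRdpReadiness {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389,
        [int]$TimeoutMs = 3000
    )

    $result = [ordered]@{
        Computer           = $ComputerName
        RemoteRegistry     = $null   # service status (Step 2)
        fDenyTSConnections = $null   # registry value (Step 3); 0 means RDP allowed
        TermService        = $null   # "Remote Desktop Services" status (Step 4)
        PortReachable      = $false  # TCP connect to the RDP port (Step 1 firewall rule)
    }

    # Steps 2 and 4: ask the remote Service Control Manager for the service state
    foreach ($svc in 'RemoteRegistry', 'TermService') {
        try {
            $s = Get-Service -ComputerName $ComputerName -Name $svc -ErrorAction Stop
            $result[$svc] = $s.Status.ToString()
        } catch {
            $result[$svc] = "error: $($_.Exception.Message)"
        }
    }

    # Step 3: read the same value regedit's "Connect Network Registry" exposes
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
        $result['fDenyTSConnections'] = $key.GetValue('fDenyTSConnections')
        $key.Close(); $hklm.Close()
    } catch {
        $result['fDenyTSConnections'] = "error: $($_.Exception.Message)"
    }

    # Steps 1 and 5: a plain TCP connect shows whether the firewall passes the port.
    # TcpClient is used instead of Test-NetConnection, which Windows 7 does not have.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)
            $result['PortReachable'] = $true
        }
    } catch { } finally { $client.Close() }

    $result['Ready'] = ($result['fDenyTSConnections'] -eq 0) -and
                       ($result['TermService'] -eq 'Running') -and
                       $result['PortReachable']
    [pscustomobject]$result
}

# Usage: Test-RemoteRdpReadiness -ComputerName remote_machine_name | Format-List
```

If Ready is false, the individual fields say which step to go back to: an error reading fDenyTSConnections points at Step 2, a value of 1 at Step 3, a stopped TermService at Step 4, and an unreachable port with everything else correct at the firewall rule from Step 1.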


Taken from: http://mediarealm.com.au/articles/2013/03/remotely-enable-remote-desktop-in-windows-7/


Mikrotik – Basic universal firewall script

This is a basic script I always use when setting up Mikrotik firewalls from scratch.

/ip firewall address-list add address=10.0.0.0/24 disabled=no list=support

/ip firewall address-list

add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
/ip firewall filter

add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp

Taken from: http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script

NAV 2013/2015/2016: Log in to any database

Run this on a NAV 2013/2015/2016 database to clear all users and restore default permissions:

delete from [dbo].[User]
delete from [dbo].[Access Control]
delete from [dbo].[User Property]
delete from [dbo].[Page Data Personalization]
delete from [dbo].[User Default Style Sheet]
delete from [dbo].[User Metadata]
delete from [dbo].[User Personalization]

HTTP Error 503 Accessing Company Web on SBS 2011 Standard

Taken from: http://blogs.technet.com/b/sbs/archive/2011/08/17/http-error-503-accessing-company-web-on-sbs-2011-standard.aspx

If your SharePoint service account passwords ever become out of sync, you will have issues accessing http://companyweb. The most common error you will see is "HTTP Error 503. The service is unavailable." While this is the most common symptom, there are several others depending on where you look and which account is out of sync; we have included more of them toward the end of this post.

Background Information

In SBS 2011, we use 3 different accounts to run Windows SharePoint Foundation. The accounts we use are spfarm, spsearch, and spwebapp. For security reasons the passwords on these accounts are periodically reset. SharePoint manages the spsearch and spwebapp accounts and the Windows SBS Manager service manages the spfarm account. All of these accounts can be found under MyBusiness > Users > SBS Users.

Display Name                            Logon Account
SharePoint Farm Account                 spfarm
SharePoint Search Service Account       spsearch
Windows SBS Internal Web site Account   spwebapp

The password for spfarm is reset every 7 days that the Windows SBS Manager service is running. The passwords for spsearch and spwebapp are reset on the first day of each month.

In addition to being stored in AD, these passwords are also kept in the SharePoint configuration database and the services database, so they can get out of sync. Passwords may get out of sync or expire for the following reasons:

  • A SharePoint database is restored that contains an out of date password.
  • The Windows SBS Manager service is broken/disabled.
  • The Windows SBS Manager is never allowed to run for more than 7 days (the server is rebooted every <7 days).
  • The accounts passwords expire due to a combination of password expiration policy and date change. I.e. your passwords must be reset every 180 days and you change the date by more than 180 days.
  • You change your password policy to require passwords be changed more often than every 31 days.
  • Failed migration.

Of all these possible causes, the most common is restoring a database that contains an old password.

To check whether your passwords are in sync, run the SharePoint 2010 Management Shell as an administrator and run Repair-SPManagedAccountDeployment. If one or more of the passwords is out of sync it will return an error.

Resolution

If you receive an error that your passwords are out of sync, perform the following steps for each out-of-sync account to resolve the issue.

  1. Reset the AD password for the out-of-sync account(s); the accounts can be found under MyBusiness > Users > SBSUsers (see above for more information on the accounts). Note: be sure to uncheck "User must change password at next logon".
  2. Sync the password for the account(s) from elevated SharePoint 2010 Management Shell (replace accountname with the affected account):
    Set-SPManagedAccount -UseExistingPassword -Identity $env:userdomain\accountname
  3. Run repair to verify that passwords are synced:
    Repair-SPManagedAccountDeployment
  4. IISreset /noforce
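As an added example (not part of the original post), the four resolution steps above for one account as a single function, with the new AD password generated randomly rather than typed, and the "User must change password at next logon" flag cleared as the note in step 1 requires. It assumes an elevated SharePoint 2010 Management Shell on the SBS server with the ActiveDirectory module available, and that Set-SPManagedAccount accepts -ExistingPassword together with -UseExistingPassword, which avoids the interactive password prompt; the function name is this example's own.

```powershell
# Added example: resync one SBS SharePoint service account (steps 1 to 4 above).
# Assumes an elevated SharePoint 2010 Management Shell with the ActiveDirectory
# module, and that Set-SPManagedAccount accepts -ExistingPassword with
# -UseExistingPassword. The function name is this example's own.
function Repair-SbsSharePointAccount {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('spfarm', 'spsearch', 'spwebapp')]   # only the three SBS accounts
        [string]$AccountName
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # Step 1: reset the AD password to a random value that is never displayed
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $AccountName -Reset -NewPassword $secure
    # the post's note: do not leave "User must change password at next logon" set
    Set-ADUser -Identity $AccountName -ChangePasswordAtLogon $false

    # Step 2: give SharePoint the password that is now in AD
    $identity = "$env:USERDOMAIN\$AccountName"
    Set-SPManagedAccount -Identity $identity -ExistingPassword $secure -UseExistingPassword

    # Step 3: verify; the repair cmdlet reports an error if anything is still out of sync
    Repair-SPManagedAccountDeployment -ErrorAction Stop

    # Step 4: recycle IIS so the application pools pick up the corrected identity
    iisreset /noforce | Out-Null
    Write-Output "$identity resynced and verified"
}

# Usage: Repair-SbsSharePointAccount -AccountName spwebapp
```

Because the repair in step 3 is run with -ErrorAction Stop, the function stops before the IIS reset if another account is still out of sync, which is the signal to run it again for that account.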

Symptoms

If your passwords are out of sync you may receive one or more of the following errors:

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5002
Level: Error
Computer: server.domain.local
Description: Application pool ‘SBS Sharepoint AppPool’ is being automatically disabled due to a series of failures in the process(es) serving that application pool.

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5021
Level: Warning
Computer: server.domain.local
Description: The identity of application pool SBS Sharepoint AppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5057
Level: Warning
Computer: server.domain.local
Description: Application pool SBS Sharepoint AppPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
Computer: server.domain.local
Description: An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SERVER$
Account Domain: domain
Logon ID: 0x3e7
Logon Type: 4
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: spwebapp
Account Domain: domain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Following services may fail to start with a logon failure:

  • SharePoint 2010 VSS Writer
  • SharePoint 2010 Timer
  • SharePoint Foundation Search V4
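As an added example (not part of the original post), a Windows PowerShell function that scans the System and Security logs on the SBS server for the symptoms listed above, so the out-of-sync condition can be noticed from monitoring before users report the 503. It assumes Windows PowerShell run as an administrator on the server itself (the Security log is not readable otherwise); the function name is this example's own.

```powershell
# Added example: detect the event-log symptoms of out-of-sync SharePoint
# service account passwords. Assumes an elevated Windows PowerShell on the SBS
# server. The function name is this example's own.
function Find-SbsSharePointLogonFailures {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $accounts = 'spfarm', 'spsearch', 'spwebapp'

    # WAS 5002/5021/5057: application pool identity invalid or pool disabled
    $was = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'
        Id = 5002, 5021, 5057; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SBS Sharepoint AppPool' } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }

    # Security 4625 with sub-status 0xC000006A (bad password) for the three
    # SharePoint accounts; logon type 4 is the batch logon the app pools use
    $audit = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($accounts -contains $d['TargetUserName'] -and $d['SubStatus'] -eq '0xc000006a') {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = 4625
                Detail      = "$($d['TargetUserName']) bad password (logon type $($d['LogonType']))"
            }
        }
    }

    $hits = @(@($was) + @($audit) | Where-Object { $null -ne $_ } | Sort-Object TimeCreated)
    if ($hits.Count -eq 0) { Write-Output "No SharePoint identity failures in the last $Hours h" }
    else { $hits }
}

# Usage: Find-SbsSharePointLogonFailures -Hours 48 | Format-Table -AutoSize
```

A 4625 for spwebapp with sub-status 0xC000006A followed by WAS 5021 and 5057 for the SBS Sharepoint AppPool is the exact sequence shown in the symptoms above; seeing it in the output is the cue to run the Repair-SPManagedAccountDeployment check from the Background section.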

Update

9/9/2011: We have identified another cause of the 503 error and have detailed it here: http://blogs.technet.com/b/sbs/archive/2011/09/01/an-uncommon-reason-why-browsing-companyweb-may-fail-with-http-error-503-on-sbs-2011-standard.aspx.

Force-removing the RDS licensing time-bomb

Force-removing the RDS licensing time-bomb registry entry:

HKLM\system\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

RegEdit alone couldn’t do it. It had to actually be run under highest privileges with the help of Sysinternals: psexec -s -i regedit.exe

After another reboot things seem to be working now.

How to change the Port of ADFS 3.0 (Windows server 2012 R2) to 444

Thanks to: http://inogic.com/blog/2014/07/how-to-change-the-port-of-adfs-3-0-windows-server-2012-r2-to-444/

This also worked for me on Windows Server 2008 R2 with AD FS 2.0 installed.

There are times when we need to configure IFD with both ADFS and CRM installed on the same server.

On Windows Server 2008 we need to install ADFS 2.0, and on Windows Server 2012 Standard ADFS 2.1 comes as a Windows feature that only needs to be installed and configured. In both cases ADFS is installed under the Default Web Site in IIS, so we used to change the ADFS port to 444 directly on the IIS Default Web Site and leave CRM (https) on 443. That way we could browse the CRM IFD URL as https://orgname.domainame.com without appending a port.

This is not the case on Windows Server 2012 R2, because ADFS 3.0 does not depend on IIS. Since the ADFS port could not be changed there, we used to change the CRM (https) port to 444 instead, which meant users had to browse the CRM IFD URL as https://orgname.domainame.com:444.

Sometimes the requirement is that users should not have to append the port to the IFD URL. To achieve this, ADFS itself must be moved to port 444, which can be done with a few commands run from PowerShell.

Below is our experience and what we learned configuring IFD on a Windows Server 2012 R2 machine with both ADFS 3.0 and CRM installed on the same server.

1) First, install ADFS 3.0 on Windows Server 2012 R2.

2) Configure ADFS 3.0. Detailed steps for configuring ADFS 3.0 and IFD are available here.

3) During the ADFS 3.0 configuration you will notice that the wizard only lets you set the Federation Service Name and not the port, which could be changed in earlier ADFS and Windows Server versions.


4) After configuring ADFS 3.0 and IFD you need to run some commands in PowerShell. Before that, check which URLs ADFS has already reserved, so that you know which ones the later commands must handle:

netsh http show urlacl

The above command lists the reserved URLs. Two of them are reserved by ADFS 3.0 on port 443: https://+:443/adfs/ and https://+:443/FederationMetadata/2007-06/

5) Delete these two reservations first with the following commands:

netsh http del urlacl https://+:443/adfs/

netsh http del urlacl https://+:443/FederationMetadata/2007-06/

6) After deleting them, add them back on port 444:

netsh http add urlacl https://+:444/adfs/ user="NT SERVICE\adfssrv" delegate=yes

netsh http add urlacl https://+:444/FederationMetadata/2007-06/ user="NT SERVICE\adfssrv" delegate=yes

7) Finally, run the following command:

Set-ADFSProperties -HttpsPort 444

Note: changing the ADFS port from the default to 444 produces a warning. It means that with ADFS on port 444 you will not be able to register mobile devices with ADFS, and therefore cannot develop a mobile device app for CRM.

8) After performing the above step, restart the "Active Directory Federation Services" service.

9) Your FederationMetadata URL has now moved to port 444 and looks like https://sts1.adventure25.com:444/federationmetadata/2007-06/federationmetadata.xml. If you browse to this URL it does not work, so there seems to be some issue with the ADFS 3.0 configuration.

10) Microsoft says ADFS 3.0 does not depend on IIS, i.e. it is not installed under the IIS Default Web Site, and this is true: you will not find any ADFS-related files under the Default Web Site.

11) But if you go to IIS and add a binding on port 444 to the Default Web Site, it starts working.

12) After completing the above steps, first change the CRM website port back to 443, then configure Web Address Properties, Claims-Based Authentication and IFD from Deployment Manager with the new Federation Metadata URL, and then update the relying party in ADFS. IFD will then work and users just browse to https://orgname.domainame.com
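As an added example (not part of the original article or of AD FS itself), steps 4 to 8 above as one PowerShell function: it records the current URL reservations to a file so the change can be reverted, moves the two ADFS reservations to the new port, updates the AD FS HTTPS port, restarts the service, and then re-reads the reservations to confirm nothing is left on the old port. It assumes an elevated PowerShell on the AD FS 3.0 server; the IIS binding workaround from step 11 is deliberately not included. The function and parameter names are this example's own.

```powershell
# Added example: move the AD FS 3.0 URL reservations and HTTPS port (steps 4-8
# above) with a backup and a verification pass. Assumes an elevated PowerShell
# on the AD FS server. Function and parameter names are this example's own.
function Move-AdfsHttpsPort {
    param(
        [int]$OldPort = 443,
        [int]$NewPort = 444,
        [string]$BackupFile = "$env:TEMP\urlacl-before-$OldPort-to-$NewPort.txt"
    )
    $paths   = '/adfs/', '/FederationMetadata/2007-06/'
    $account = 'NT SERVICE\adfssrv'

    # Step 4: keep a copy of "netsh http show urlacl" so the change can be reverted
    $before = netsh http show urlacl
    $before | Set-Content -Path $BackupFile

    foreach ($p in $paths) {
        $oldUrl = "https://+:$OldPort$p"
        $newUrl = "https://+:$NewPort$p"
        # Step 5: delete only reservations that actually exist, so a re-run is harmless
        if ($before -match [regex]::Escape($oldUrl)) {
            netsh http delete urlacl url=$oldUrl | Out-Null
        }
        # Step 6: reserve the same path on the new port for the AD FS service account
        netsh http add urlacl url=$newUrl user="$account" delegate=yes | Out-Null
    }

    # Step 7: point AD FS at the new port (this is where the device registration warning appears)
    Set-AdfsProperties -HttpsPort $NewPort

    # Step 8: restart the service so it listens on the new reservations
    Restart-Service -Name adfssrv -Force

    # Verify: both paths reserved on the new port and nothing left on the old one
    $after = netsh http show urlacl
    $moved = $true
    foreach ($p in $paths) {
        if (-not ($after -match [regex]::Escape("https://+:$NewPort$p"))) { $moved = $false }
        if ($after -match [regex]::Escape("https://+:$OldPort$p")) { $moved = $false }
    }
    [pscustomobject]@{
        HttpsPort   = (Get-AdfsProperties).HttpsPort
        UrlAclMoved = $moved
        Backup      = $BackupFile
    }
}

# Usage: Move-AdfsHttpsPort -NewPort 444
```

If UrlAclMoved comes back false, compare the backup file with a fresh `netsh http show urlacl` to see which reservation was not changed; the backup also gives the exact URLs to re-add if the port change has to be rolled back.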