Workaround to connect the server with RDP Licenses not available Error

You might sometimes see an error like this when trying to connect to a Remote Desktop Session Host server:

The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license.


Resolving winget not recognized error when running with the System Account

winget exists on your system, but when you try to run it with the system account (or from a scheduled task that uses the system account), you see this error:

winget : The term ‘winget’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.


Most Common WSUS Errors Codes

If you encounter Windows update error codes, you can check the System log in the Event Viewer, typically under the event source “WindowsUpdateClient” (though it doesn’t provide much info as always 😂). Another place to look is the “C:\Windows\Logs\WindowsUpdate.log” file for Server 2012R2 / Windows 8.1 and below. For later Windows versions, you will need to use Event Tracing for Windows (ETW) to generate diagnostic logs.


How to Renew Root Certificate of Microsoft CA with a longer validity period

You might have defined the root certificate validity period of your internal Microsoft CA as 5 years at initial installation. What if you later want to change the validity period to a longer duration, like 10 or 20 years? For this, we need to create a CaPolicy.inf file under the Windows installation directory (typically C:\Windows), put some settings in it, and start the renewal process.


The Internet Explorer Registry Tweaks: How to set Page Margin, Fonts, Paper Sizes and Default Page

Internet Explorer is a long-lived browser that is a bit outdated by now. In this post, I’d like to show some registry tweaks that let you deploy page size and font related settings to computers in bulk. Below are the topics I cover in this blog.

  • Page Margin & Fonts
  • Custom Paper Sizes
  • Default Page Size


Install and Manage DNS Server Running on Nano Server

In this post, we will install the DNS service on Nano Server and manage it via the DNS Manager console from another computer. If you want to create the Nano Server image with the GUI wizard, you can check it out here. In our post, we are going to create the Nano Server image with the Nano Server Generator PowerShell script that comes with the installation ISO.

There will be two scenarios in our testing, and you can use either depending on your environment.

Find who reset my password: The Powershell Script to Audit User Accounts Changes

Getting the account management activity is an essential process for auditing purposes. We can check it in the Windows event log if auditing for account management is enabled. To automate this tiresome job, I wrote this PowerShell script to make life easier.
This script will show you all the changes that an admin made to a user/system account, such as the time when the password was reset and who reset it, who added a user to a specified group, and which attributes of a user account were changed. Before running this script, you’ll have to enable auditing of account management for ‘Success’ in the local security policy, for long enough that the required events are collected. Don’t worry, I have included an option to enable it from within this script.

Batch/Powershell: How to check Pending Computer Restart after Installing Windows Update

Some Windows updates require a system restart after installation because they need to change system files that are currently used by running processes, or make changes in the registry. You’ll be prompted with the yellow shield icon, as in Fig-1.

Fig-1: Pending Restart after windows update install
 


Find all SNMP Settings of Windows Machine in Powershell

SNMP has a long history with Microsoft Windows. Microsoft now says that it has been deprecated (moreover, SNMP v1 or v2 is less secure than the latest SNMP v3, but Windows still doesn’t natively support version 3) and recommends using CIM for managing hardware and software layers. In this article, we will find the SNMP community string by a batch method and a PowerShell method.

Set Windows Service Permission to Non-Administrator Accounts

Service related operations such as start/stop/restart windows services are usually assigned to Administrators. Sometimes, you might need to delegate these tasks to non-admin users. In this article, I will show the 4 methods to set the service’s permission to any user account/service account. I will use SQL service (MSSQLSERVER) in domain environment.

Method-1: Using Powershell Module (from TechNet Script Repository, easiest but modules are not trusted by Microsoft)
Method-2: Using subinacl.exe (from Official Microsoft Download, need to install executable locally on computer, an easy method)
Method-3: Using built-in security configuration template in MMC console (do not need to install executable, easy with GUI but more steps are needed)
Method-4: Using built-in service control manager command line (difficult, prone-to-errors if manually configured)

Method-1: Using Powershell Module
Edit: As of Aug 2021, I found that the PowershellAccessControl module is no longer available on the Microsoft gallery. So, alternatively, you can download it from GitHub. Extract the zip file, rename the folder PowerShellAccessControl-master to PowerShellAccessControl and move it to C:\Program Files\WindowsPowerShell\Modules. Before we start, note that the SQL service restart option is grayed out for ‘myuser’. See Fig-1.

Fig-1: Normal user can’t start/stop the service

 

Open PowerShell and check the current service permission for ‘myuser’. To do this, pipe Get-Service into Get-EffectiveAccess. Type the following command.
Get-Service MSSQLSERVER | Get-EffectiveAccess -Principal contoso\myuser
You can also check the service permission for the domain admin account.
Get-Service MSSQLSERVER | Get-EffectiveAccess -Principal contoso\administrator
See Fig-2.

Fig-2: Check the users permissions on SQL service

 

Now, give the user start/stop permission of MSSQLSERVER. See Fig-3.
Get-Service MSSQLSERVER | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal contoso\myuser

Fig-3: Assign start/stop permission to ‘myuser’ in powershell

You can see that ‘myuser’ now has the start/stop/restart permission on the SQL service. See Fig-4.

Fig-4: SQL service can now be stopped

 
Method-2: Using subinacl.exe
As of Aug 2021, I found that the Server 2003 Resource Kit is no longer available from Microsoft downloads. So, I suggest you use the other three methods instead of this one.
subinacl.exe is a command-line tool that is included in the Server 2003 Resource Kit. You can download it separately from the Microsoft website here.
Install subinacl.msi. See Fig-5.

Fig-5: Install subinacl.exe

 
After install is completed, go to the install directory and use subinacl.exe. For help, type subinacl.exe /?. See Fig-7.

Fig-7: Getting help with subinacl.exe

 
Since we are going to check/assign/revoke permissions on the SQL service, we will use only these commands:
subinacl.exe /service <myservice> /accesscheck=<username>
subinacl.exe /service <myservice> /<grant/revoke>=<username>=<access>
Fig-8 shows how to check the current permission of the SQL service for ‘myuser’ and ‘contoso\administrator’ by using this command.
subinacl.exe /service mssqlserver /accesscheck=contoso\myuser

Fig-8: Check the sql permission for ‘myuser’ and ‘contoso\administrator’

 
Since we’re going to give start/stop permission, use the /grant parameter with the username. See Fig-9.
We also re-check that the permission is correctly assigned.
subinacl.exe /service mssqlserver /grant=contoso\myuser=TO

Fig-9: Assign start/stop permission & re-check the permissions

 
From the table below, we can see that we have used the TO alias in the <access> parameter for starting & stopping the service. A full list of ACE aliases can be found here.
Alias   Description
F       Full Control
R       Generic Read
W       Generic Write
X       Generic eXecute
L       Read controL
Q       Query Service Configuration
S       Query Service Status
E       Enumerate Dependent Services
C       Service Change Configuration
T       Start Service
O       Stop Service
P       Pause/Continue Service
I       Interrogate Service
U       Service User-Defined Control Commands
Now, you can start/stop the SQL service!
If you want to revoke the permission, you can use the subinacl.exe command with the /revoke switch. See Fig-10.
subinacl.exe /service mssqlserver /revoke=contoso\myuser

Fig-10: Revoke service permission

 
Method-3: Using built-in security configuration template in MMC console
You can also use the local security configuration to assign the necessary permissions. These are the steps:
  1. Create a new security template (in which the security settings of the service are defined)
  2. Create a new security database with the newly created security template
  3. Analyze the current configuration against the security database and find the conflicts
  4. Apply the security configuration
1) Create new security template
Create a “Security Template” folder under C:\ where we can save our own security templates.
Open MMC console >> Add/Remove Snap-in >> Choose Security Templates >> Add >> OK
Right-click and choose “New Template Search Path”. See Fig-11.
Select the location of our newly created folder (C:\Security Templates). The path will be listed in the console as shown in Fig-12.

Fig-11: Set the new template search path

 
Then, right-click the new node and choose “New Template”. See Fig-12.

Fig-12: Creating new security template

 
Give the new template name and click OK. See Fig-13.

Fig-13: Give the new template name

You will see a bunch of security options (the same one you see in Local Security Policy Editor). Since we want to modify the security setting of SQL service, right-click SQL Server (MSSQLSERVER) and click Properties. See Fig-14.
Enable the check box to define the policy. Click Edit Security for more options.

Fig-14: Browse for sql service to edit security settings

 
You can see that “System” and “Administrators” already have full permissions. Add ‘myuser’ as new user and select ‘Start, stop and pause’ permission. See Fig-15.

Fig-15: Add new user and set service permissions

 
You need to save this modified security template. Right-click the template node and save. The file will be saved as an .inf file in your template directory. See Fig-16.

Fig-16: Save the template

 
2) Create new security database with newly created security template
From current MMC console >> Add/Remove Snap-in >> Security Configuration and Analysis >> Add >>OK. See Fig-17.

Fig-17: Add Security Configuration & Analysis Snap-in

 
Right-click the “Security Configuration and Analysis” node and click Open Database…
Choose the location where you want to save the security database file (I use the default directory “C:\Users\<myusername>\Documents\Security\Database”). I give the database the name “ModifySQLServicePermission”. See Fig-18.

Fig-18: Set location to save the security database & give the file name

 
Then you will need to import the template. Choose your saved template, which is stored at C:\Security Template\Assign MSSQLSERVER Start_Stop Permission to MyUser. See Fig-19.

Fig-19: Import the security template to use with security database

 
3) Analyze the current configuration with the security database and find the conflicts
Now, we can analyze whether the computer’s current security settings match our newly created security database.
Right-click “Security Configuration and Analysis” and click Analyze Computer Now…. See Fig-20.

Fig-20: Analyze if the current security setting matches with the security database

 
You will see the result tree after the analysis is finished.
Go to the SQL service and check the result. There you will see the red cross icon, which indicates that the template conflicts with your current (unmodified) security settings. See Fig-21.

Fig-21: The red-cross shows us the conflicted security settings

 
4) Apply the security configuration
You can now apply the security settings.
Click Configure Computer Now… as shown in Fig-22. You will see the progress status as in Fig-23.

Fig-22: Apply Security Settings

 

Fig-23: Apply Security settings in progress

Now, you can start/stop the SQL service with our normal user account.

Method-4: Using built-in service control manager command line
In this method, we edit the security descriptor of the Windows service in SDDL (Security Descriptor Definition Language). It is a bit difficult to understand if you’re not already familiar with SDDL descriptions. But there is an easy method to do this, which will be explained here. (I have written another blog post to explain the details of modifying these access control lists with an example.)
Here, you need to use sc.exe to check/get/set the service permissions. Its syntax is:
sc.exe sdshow <myservice>                                    Find the current security settings
sc.exe sdset <myservice> <securitySettingsInSDDLformat>      Set the security settings

So, we will check the current permission of SQL service by the following command.

sc.exe sdshow mssqlserver

Fig-24: Check the initial service security settings

 
Then, you need to generate the new security descriptor using the same approach as in the previous method with the MMC console.
  • Open MMC Console
  • Add “Security Templates” and “Security Configuration and Analysis” Snap-ins (Fig-11)
  • Set the template path, create new template with desired settings and save the template (Fig-12,13,14,15,16)
There is an .inf file in your saved location. Open the file and you will see an entry like the one below. See Fig-25.
"MSSQLSERVER",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-2647241702-1957647361-952520019-1197)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Fig-25: Contents of security template (.inf) file

 
You will see there is an extra entry compared to our initial result, which I highlighted in red: (A;;RPWPDTRC;;;S-1-5-21-2647241702-1957647361-952520019-1197). This is the added user permission to start/stop the SQL service, followed by the user’s SID.
Note: You can also get the user name back from this SID with the following command (optional, just for knowledge).
wmic useraccount where sid="S-1-5-21-2647241702-1957647361-952520019-1197" get name,sid
Now, I can set this new permission with the sc.exe sdset <myservice> <newSDDL> command. See Fig-26.

Fig-26: Set the new permission with sc.exe sdset

 

The command completes successfully. And user now has start/stop permission on SQL service. See Fig-27.

Fig-27: User can now start/stop the service
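
To check what an SDDL string grants before passing it to sc.exe sdset, the sketch below (an added example, not part of the original post) decodes each DACL entry of a service into readable rights and flags allow entries that give anyone other than SYSTEM or Administrators the right to reconfigure or delete the service or rewrite its ACL. The function name ConvertFrom-ServiceSddl and the list of rights to flag are assumptions of this example; the sample string is the one from the .inf file above.

```powershell
# Service-specific meaning of the two-letter SDDL rights codes.
$ServiceRights = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'
    SW = 'EnumerateDependents'; RP = 'Start'; WP = 'Stop'
    DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
    SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'
    GA = 'GenericAll'; GW = 'GenericWrite'; GR = 'GenericRead'; GX = 'GenericExecute'
}
# Assumption of this example: rights that let the holder reconfigure or delete
# the service, or rewrite its ACL, are the ones worth a review.
$RiskyRights = 'DC', 'SD', 'WD', 'WO', 'GA', 'GW'

function ConvertFrom-ServiceSddl {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sddl)
    # Take the DACL only: the ACEs that follow "D:" and its flags, up to "S:" (SACL).
    if ($Sddl -cnotmatch 'D:[A-Z]*(?<aces>(\([^)]*\))+)') { throw 'No DACL found in SDDL string' }
    foreach ($m in [regex]::Matches($Matches['aces'], '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;objectGuid;inheritedObjectGuid;trustee
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { throw "Malformed ACE: $($m.Value)" }
        # Rights are a run of two-letter codes or a hex mask (left undecoded and flagged).
        $codes = if ($f[2] -like '0x*') { @($f[2]) } else {
            @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value }) }
        $names = $codes | ForEach-Object {
            if ($ServiceRights.ContainsKey($_)) { $ServiceRights[$_] } else { $_ } }
        $hits = @($codes | Where-Object { $_ -in $RiskyRights -or $_ -like '0x*' })
        [pscustomobject]@{
            Type    = $f[0]                      # A = allow, D = deny
            Trustee = $f[5]                      # SID or alias (SY, BA, IU, ...)
            Rights  = $names -join ','
            # Allow-ACE that gives a trustee other than SYSTEM/Administrators a risky right.
            Review  = ($f[0] -eq 'A' -and $f[5] -notin 'SY', 'BA' -and $hits.Count -gt 0)
        }
    }
}

# SDDL string from the .inf entry shown above (Fig-25).
$sddl = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-2647241702-1957647361-952520019-1197)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
ConvertFrom-ServiceSddl $sddl | Format-Table -AutoSize
# On a live host: ConvertFrom-ServiceSddl ((sc.exe sdshow MSSQLSERVER) -join '')
```

Because sc.exe sdset replaces the service's whole security descriptor, decoding both the current string and the new one this way shows exactly which entry changes before it is applied.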
