Just a quick heads up on a cool new utility (free even) …

Working as an IT specialist within a large international corporate entity, I faced the challenge of “Administrative/Non administrative” user rights on our corporate Windows machines.  We have likely all faced this question/challenge: we WANT to tighten the machines down to gain the added security and subsequently lower the support need, however the hurdle of preparing for this (as well as maintenance) puts great demand on the planning and deployment of corporate machines/software – especially if you, like us, have many people in the field.

See, if we removed all administrative rights from users, then they would have to call the ServiceDesk whenever they needed administrative rights; this could be to install a printer, software, drivers etc. Now for some very “static” machines this would not be a real big problem, but for a large segment of our users, this would be very annoying and troublesome – especially for users in the field where the ServiceDesk may have problems connecting.

On the other hand, having users not be local administrators is a huge gain when it comes to protection against malware and exploits. According to the podcast “Security Now” on the TWiT network, you can minimize the risk/impact of IE exploits by up to 99+% by being a non-administrative user. In other words, there is a heavy tradeoff here.

Then again, perhaps not anymore – there now seems to be a way to both “have your cake and eat it” at the same time.

One of the very talented external consultants we use on a regular basis, “Thomas Marcussen”, recently told me about a FREE cool utility they developed called “Access director for Windows”.  What this “Access Director” does is actually simple yet still quite clever: after you install the utility, users will have the opportunity to grant themselves temporary administrative rights whenever needed. The user account will normally have no administrative rights; however, by right clicking the utility icon in the status bar, users can grant themselves a limited period (e.g. 2 min) where their user rights are elevated to local admin. Now they will be able to install that printer/driver etc. that they may need to work, and after this period the local admin rights are automatically revoked and the machine is again secured against malware and exploits.

The optimal implementation of a utility like this would probably be to have a group of “trusted machines” (e.g. traveling sales persons, management etc.) where this utility is installed; on these machines users can elevate themselves as needed. Then have another base of “regular” machines (e.g. production/office PCs) where the administrative rights are removed, and the users will still need to contact the ServiceDesk in case administrative rights are required.

Oh yeah, did I remember to mention it is a free utility 😀

 

I talked to Thomas about corporate use of this utility, and he assured me that several corporate initiatives were on the way, such as the ability to customize settings via registry settings, the ability to control who can elevate (via groups), plus a manual.  He said that the reason for the lacking documentation was that the release was slightly rushed due to TechEd.  There is a little info on some registry settings here; http://sl.readmydamnblog.com/RZdo7J

Anyway, enough talk – take a look at the YouTube video and it will all be clear 🙂

Download site is (look for “Download Access Director”);
http://sl.readmydamnblog.com/1oj6KVi

YouTube Video here;
http://sl.readmydamnblog.com/1qXwECv

Thanks to Thomas Marcussen for this nice utility.
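
A way to check that the temporary rights really are revoked, as an added example that is not part of the original post or of Access Director: it pairs Security-log events 4732 (member added to a local group) and 4733 (member removed) for the local Administrators group and flags elevations that outlast the allowed window. It assumes the tool elevates by group membership and that the "Audit Security Group Management" policy is enabled; the function names and the sample records are constructed for illustration.

```powershell
# Added example. Assumption: elevation works by adding the user to BUILTIN\Administrators.
function Read-AdminGroupEvent {
    # Run elevated; needs the "Audit Security Group Management" audit policy.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetSid'] -eq 'S-1-5-32-544') {   # well-known SID of local Administrators
                [pscustomobject]@{ Time = $evt.TimeCreated; Id = $evt.Id; MemberSid = $data['MemberSid'] }
            }
        }
}

function Get-ElevationWindow {
    param(
        [Parameter(Mandatory)] [object[]] $Records,  # objects with Time, Id, MemberSid
        [double] $MaxMinutes = 2,                    # allowed window (the post's example is 2 min)
        [datetime] $Now = (Get-Date)
    )
    $open = @{}                                      # MemberSid -> time the member was added
    $sorted = $Records | Sort-Object Time
    foreach ($e in $sorted) {
        if ($e.Id -eq 4732 -and -not $open.ContainsKey($e.MemberSid)) {
            $open[$e.MemberSid] = $e.Time
        }
        elseif ($e.Id -eq 4733 -and $open.ContainsKey($e.MemberSid)) {
            $mins = ($e.Time - $open[$e.MemberSid]).TotalMinutes
            [pscustomobject]@{ MemberSid = $e.MemberSid; Start = $open[$e.MemberSid]; End = $e.Time
                               Minutes = [math]::Round($mins, 1); Overdue = $mins -gt $MaxMinutes }
            $open.Remove($e.MemberSid)
        }
    }
    foreach ($sid in $open.Keys) {                   # added but never removed: still admin
        $mins = ($Now - $open[$sid]).TotalMinutes
        [pscustomobject]@{ MemberSid = $sid; Start = $open[$sid]; End = $null
                           Minutes = [math]::Round($mins, 1); Overdue = $mins -gt $MaxMinutes }
    }
}

# Constructed sample records (not real log data): one 2-minute elevation, one never revoked.
$t0 = Get-Date '2024-01-10T09:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t0;               Id = 4732; MemberSid = 'S-1-5-21-1-2-3-1001' }
    [pscustomobject]@{ Time = $t0.AddMinutes(2); Id = 4733; MemberSid = 'S-1-5-21-1-2-3-1001' }
    [pscustomobject]@{ Time = $t0.AddMinutes(5); Id = 4732; MemberSid = 'S-1-5-21-1-2-3-1002' }
)
Get-ElevationWindow -Records $sample -Now ($t0.AddHours(1)) | Format-Table
# On a real machine: Get-ElevationWindow -Records (Read-AdminGroupEvent)
```

With the sample data the first account shows a 2-minute window that is not overdue, and the second shows an elevation with no end time that is flagged as overdue.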

With Windows XP/2003 and earlier you could often just look in C:\windows for installed patches; there would be a KBxxxxxxx folder, however life moved on..

Today I had the need to see if a patch was installed and I found this quite useful;
http://serverfault.com/questions/263847/how-can-i-query-my-system-via-command-line-to-see-if-a-kb-patch-is-installed

I ended up using the command;

wmic qfe | find "KB2744129"

You of course exchange the KB number with the one you are looking for..

This worked like a charm for me 🙂  tnx Jscott.
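
An added PowerShell example (not from the original post or the linked answer) that goes beyond the single-machine command above: it reads Win32_QuickFixEngineering, the WMI class behind `wmic qfe`, matches KB IDs exactly rather than by substring, and can query several machines. The function name and the `-ComputerName` list are assumptions for illustration; WMIC itself is deprecated on current Windows releases.

```powershell
# Added example: exact-match KB check on the local machine or a list of remote machines.
function Test-HotFixInstalled {
    param(
        [Parameter(Mandatory)] [string[]] $KB,
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )
    # Normalise and validate the requested IDs so "2744129" and "kb2744129" both work
    $wanted = foreach ($id in $KB) {
        $n = $id.Trim().ToUpper() -replace '^(?!KB)', 'KB'
        if ($n -notmatch '^KB\d+$') { throw "Not a KB identifier: $id" }
        $n
    }
    foreach ($computer in $ComputerName) {
        $query = @{ ClassName = 'Win32_QuickFixEngineering'; ErrorAction = 'Stop' }
        # Only go over the network (WinRM) for machines other than this one
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }
        try {
            $installed = @(Get-CimInstance @query).HotFixID
        } catch {
            Write-Warning "$computer : query failed: $($_.Exception.Message)"
            continue
        }
        foreach ($id in $wanted) {
            # -contains compares whole strings, so KB274412 never matches KB2744129
            [pscustomobject]@{ Computer = $computer; KB = $id; Installed = $installed -contains $id }
        }
    }
}

# Same check as the wmic command above, on the local machine
Test-HotFixInstalled -KB 'KB2744129'
```

Win32_QuickFixEngineering only lists updates installed through Component Based Servicing, so an update delivered as an MSI package can be installed and still show `Installed = False`.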

In the good old days you could install SUS on your “home” server and have your own Windows update repository, however after WSUS version “whatnot” the requirements for WSUS have by far outgrown what I wish to allocate on my home/test rig..  Hell I only have 3 machines and a few servers anyhow….

Nevertheless, when installing new test VMs etc. it would be nice to avoid all the patching since SP1 :-/ well, now you can 🙂

 

Martin over at Ghacks.net has reviewed an excellent utility that will do JUST that 🙂

http://www.ghacks.net/2013/01/03/windows-offline-update-8-0-released/

http://www.ghacks.net/2011/02/25/wsus-windows-offline-update-updated/

 

A further use, as he describes, is that you can download all patches for an OS (currently Win 7 = 1.8GB since SP1) and put them on a stick so you can patch your friends’ and family’s machines with minimal Internet impact.

For now I have installed the thing and tried downloading patches for Windows 7, it seemed to work flawlessly – but I will try to do some install testing and see how this works out.  Looks solid enough though.

Project web site;

http://www.wsusoffline.net/

An odd SCCM bug: some of our DPs (Distribution Points) recently stopped working, the Task Sequence would hang during the “Installing Updates” step and would never finish..  Now the updates (files/packages) were all there and refreshing them did nothing to resolve the issue – in the end one of our external consultants pointed me to a hotfix kb2509007 which quickly resolved the issue (thanks to Thomas Marcussen, Edgmo).

Deployment would just get stuck here and never finish.

Odd and annoying problem which caused a lot of wasted time 🙁 – however the patch once applied and replicated worked like a charm.

http://support.microsoft.com/kb/2509007

Keywords; Sccm 2007, Updates, Stuck, Hung, Installing, Windows, Microsoft

I have just installed Windows 2008R2 on a HP DC7900 machine and had a lot of problems finding all the device drivers, even after installing EVERY fu….. driver from the HP download site it still would not find the last 2-3 devices (PCI something something)..

Well I found this on an HP forum and it helped me; download and install these two packages and rescan for new hardware (you may have to reboot also) and voilà, problem gone…;

Re: dc7900 pci simple controller and pci port problem

01-12-2009 07:07 AM

Hi Scott,

These are most likely the Intel Active Client Manager HECI Device:
http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=1…

And the Intel AMT LMS/SOL device:
http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=1…

Hope this helps,
Another Scott

If you need to get the serial number of a workstation or a server, then this command may be of use to you (note: this will likely not work on home-built systems, but systems like Dell, HP, Lenovo, Acer etc. should work fine);

wmic bios get serialnumber
Type it in a command window like this;


WMIC csproduct get name

will get you the product name/model number of the pc (very useful when applying Driver Packs via SCCM with a WMI scope on it, this is the exact model number SCCM-WMI will also get).

A very strange problem with a very strange resolution.

So we are deploying a bunch of virtual servers and yesterday I found myself in a heap of trouble, I had a server that I needed to be ready but it kept failing the PXE boot.  Normally you would just delete the virtual server and create a new and the problem would likely be solved, however these servers are created by a script which creates a bunch of servers and a bunch of MDT settings and thus re-starting the process would require re-creating a bunch of servers.

The error I got was; PXE-E55: ProxyDHCP service did not reply to request on port 4011.

When I looked in the PXE log on the PXE server however I found;

MAC=02:00:AA:55:1E:02 SMBIOS GUID=4BDBDC9E-FD92-4BBB-BCA3-2D3A0752C049 > Device found in the database. MacCount=1 GuidCount=0 smspxe 01-06-2011 10:21:21 2364 (0x093C)

This appeared like everything was ok, so I tried logging on to the SCCM server and “Cleared last PXE advertisement” but still no luck, and following this I was unable to do so again as from now on SCCM stated that there was no PXE advertisement to clear (even though I tried PXE booting and got the “Device found in the database” in the pxe log).

Anyhow, I moved on to deleting the computer object on the SCCM server and then re-importing it manually (note; we use static MAC addresses on our virtual servers, these are created via the create script to avoid MAC conflicts) with the same MAC.  This made no difference; the PXE log still stated the same, Device found in database, but DHCP kept hanging.  I restarted the SCCM, DHCP and PXE servers but no luck.

So after a bit of googling, which did not really turn up anything, I out of frustration tried to set the MAC address to dynamic and booted the server again. This time everything worked fine as an unknown system – thus the connectivity was obviously fine – I even noticed that the GUID stayed the same.  Anyhow, more puzzled, I set the MAC address back to the static address from before and voilà, the PXE boot started and worked like a charm..

I have no idea why; my guess would be that the GUID somehow was cached in some stalled state and the change of MAC somehow jolted that state.

Anyway, changing the MAC address may be worth a try if you find yourself in a similar situation.

In a recent post (https://readmydamnblog.com/?p=1877) I mentioned Driver Magician Light the free version of Driver Magician, now it would seem I managed to find yet another product that does the same completely for free (and this not as a limited light version)..

Double Driver (odd name, but hey..)

Get it here;
http://www.boozet.org/dd.htm

An older review here (older version);
http://dottech.org/freeware-reviews/7225

Also there is still DriverMax;
http://www.drivermax.com/
However I never really liked this product; it’s complicated to navigate and as I recall it requires some kind of registration (free as I recall, but I don’t like having to register anyhow).

If you have ever worked with MS-SCCM then you may have faced the problem of creating a new distribution point!?  You will need to copy a lot of packages to the new distribution point, but just which packages will you need and how to copy them in an easy way?

Well some clever guy (Cory Becht) actually wrote an excellent app for this;
http://www.myitforum.com/articles/42/view.asp?id=8904

Are you as annoyed as me in regard to the “first run wizard” thingy that IE8 is displaying the first time it runs?? It’s as annoying as the older IE’s that also launched the Email creation wizard… as if it was not enough that they always start off by launching some stupid intro site..

Anyhow, no reason to get TOO upset, as with most things there are ways around this, so take a look here;
http://digitaljive.wordpress.com/2009/07/23/disable-ie8-%E2%80%9Cset-up-windows-internet-explorer-8%E2%80%9D-wizard/
many lovely ways to get rid of this stupidity.

One of the simplest is this;

Registry:
DWORD : “DisableFirstRunCustomize” set to 1 under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main