LAPS missing from GPO

Don’t worry if LAPS is missing from GPO: most likely the policy templates are not being copied to your SYSVOL share, and it can be fixed real quick. Obviously, you must have LAPS installed on the machine where you’re trying to create the group policy object (I installed it on a Domain Controller to keep things simple):

  • Copy C:\Windows\PolicyDefinitions\AdmPwd.admx to \\itdroplets\sysvol\itdroplets.com\Policies\PolicyDefinitions
  • Copy C:\Windows\PolicyDefinitions\en-US\AdmPwd.adml to \\itdroplets\sysvol\itdroplets.com\Policies\PolicyDefinitions\en-US
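The two copies above, as an added PowerShell example (not from the original post) that also creates the language folder if the central store doesn’t have it yet and verifies both files landed. The central store path and the en-US language are taken from the post; change `$language` if your Group Policy editor runs in another language.

```powershell
# Added example: copy the LAPS ADMX/ADML templates into the SYSVOL central store
# and verify they arrived. Paths assume the domain used in the post.
$centralStore = '\\itdroplets\sysvol\itdroplets.com\Policies\PolicyDefinitions'
$language     = 'en-US'   # assumption: the language of your Group Policy editor

$files = @(
    @{ Source = 'C:\Windows\PolicyDefinitions\AdmPwd.admx';           Dest = $centralStore },
    @{ Source = "C:\Windows\PolicyDefinitions\$language\AdmPwd.adml"; Dest = (Join-Path $centralStore $language) }
)

foreach ($f in $files) {
    if (-not (Test-Path $f.Source)) {
        throw "Missing $($f.Source): install LAPS (with its GPO templates) on this machine first."
    }
    if (-not (Test-Path $f.Dest)) {
        # A fresh central store may not have the language subfolder yet
        New-Item -ItemType Directory -Path $f.Dest | Out-Null
    }
    Copy-Item -Path $f.Source -Destination $f.Dest -Force

    # Verify the copy so a silent failure (permissions, replication) is caught here
    $copied = Join-Path $f.Dest (Split-Path $f.Source -Leaf)
    if (Test-Path $copied) { Write-Host "OK  $copied" } else { throw "Copy failed: $copied" }
}
```

Run it from an elevated prompt as an account that can write to SYSVOL (a Domain Admin, typically); after that the LAPS settings show up under Computer Configuration > Administrative Templates in a new or existing GPO.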

gpo-laps


Cannot connect to remote registry

Cannot connect to remote registry on “Computer” is a pretty much self-explanatory error: you get it when a tool you run against a remote machine needs the Remote Registry service, and that service isn’t started.
For instance, I get “Cannot connect to remote registry” a lot when trying to use PsList (from PsTools) to grab the currently running processes on a remote machine. The error I get when the Remote Registry service is not started is the following (in the example below the target machine is called LAP020):

Cannot connect to remote registry on lap020:
The network path was not found.
Failed to take process snapshot on lap020.
Make sure that the Remote Registry service is running on the remote system, that you have firewall ports allow RPC access, and your account has read access to the following key on the remote system:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib

Here’s the screenshot with the error.

pslist-cannot-connect-to-remote-registry

How to start the remote registry remotely

Since I am running a command remotely, it means I need to start the remote registry remotely. In order to do that, run the following command (requires PsExec from PsTools):

This will fail most of the time because RemoteRegistry is generally disabled, and you cannot start a disabled service!

psexec-sc-start-service-failed

So here’s what you’d do to enable it first (I will set it to start automatically):

psexec-sc-config-service-start-auto

If you don’t want to configure it as automatic, you may use one of these other start types instead:

  • boot
  • system
  • auto
  • demand
  • delayed-auto

You may disable it again by running:

Now that it is enabled, I will try to start the Remote Registry service:

psexec-sc-start-service

You may finally run the command you had issues with in the first place; in this example it’ll be PsList on LAP020.

pslist-basic
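The whole sequence above (check the service, change its start type, start it, run PsList, and put it back afterwards) as one added PowerShell example. This is not the post’s own command line; it assumes PsTools is on your PATH, that you are an administrator on the target, and it uses the LAP020 name from the post.

```powershell
# Added example: enable and start Remote Registry on a remote machine with
# PsExec + sc, run PsList, then return the service to its original state.
$target    = 'LAP020'   # assumption: the target name used in the post
$startType = 'demand'   # 'auto' as in the post, or 'demand' (manual) if you only need it occasionally

# 1. See the current start type; a disabled service cannot be started
psexec "\\$target" sc qc RemoteRegistry

# 2. Change the start type. The space after "start=" is required by sc.
psexec "\\$target" sc config RemoteRegistry start= $startType

# 3. Start the service
psexec "\\$target" sc start RemoteRegistry

# 4. Run the command that originally failed
pslist "\\$target"

# 5. Optional: stop and disable it again once you are done, which keeps the
#    remote attack surface of the machine as it was before
psexec "\\$target" sc stop RemoteRegistry
psexec "\\$target" sc config RemoteRegistry start= disabled
```

`demand` (manual) is the better default if you only need the service for occasional troubleshooting: it can still be started on request, but it is not listening every time the machine boots.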


The user does not have RSoP data

This is an error you get back from running GPRESULT /R, and it happens because the user you’re running this command as isn’t logged on to the system.
For instance, you want to check the policies applied to your computer but you’re not logged on with your administrator account. So you open a command prompt as a different user and then run gpresult /r or gpresult /r /scope computer, getting stuck at The user does not have RSoP data.

gpresult-the-user-does-not-have-rsop-data

In order to avoid this warning, you can run the following:

Where itdroplets\myuser is the user account that is logged on to that workstation at the minute.

If you’re running this with PSEXEC (remotely) and you don’t know who’s logged on, run the following (with your admin account):

Where PC01 is the target computer. Note that this command might fail if you run it as above, but it won’t if you run it with psexec like this:
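An added PowerShell example (not from the original post) that puts the two halves together: find who is interactively logged on to PC01 through psexec, then ask GPRESULT for that user’s RSoP with the real `/user` switch. The `query user` lookup and the session parsing are my choice; the PC01 and itdroplets names come from the post.

```powershell
# Added example: find the logged-on user on a remote workstation and run
# gpresult for that user so the "does not have RSoP data" warning does not occur.
# Assumes PsTools on PATH and admin rights on the target.
$target = 'PC01'       # assumption: target name used in the post
$domain = 'itdroplets' # assumption: domain name used in the post

# Run "query user" on the target itself via psexec; psexec's banner goes to stderr
$sessions = psexec "\\$target" query user 2>$null
$sessions | ForEach-Object { Write-Host $_ }

# Take the first Active session; the current console session is prefixed with ">"
$line = $sessions | Where-Object { $_ -match '\bActive\b' } | Select-Object -First 1
if (-not $line) { throw "No active interactive session on $target" }
$user = ($line.TrimStart(' >') -split '\s+')[0]

# User-scope RSoP for the account that is actually logged on
psexec "\\$target" gpresult /r /user "$domain\$user"

# Computer-scope RSoP for the same machine
psexec "\\$target" gpresult /r /scope computer /user "$domain\$user"
```

If `query user` shows several Active sessions (a terminal server, for instance), pick the session you care about rather than the first one.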



Set up an L2TP VPN Server on Windows Server 2012

This article will describe how to set up an L2TP VPN Server on Windows Server 2012 R2 from start to finish, step by step, including firewall configuration and port forwarding. The way I’m going to set it up includes the NAT service as well, which will allow you to not only connect to the L2TP VPN but also to access the internal LAN you’re connecting to. One of the reasons why I tried this was security (I had never done it before). I didn’t want to use Windows 10’s “Incoming connection” as that sets up an insecure VPN server using the PPTP protocol.

If you’ve already set up the VPN bit and are having issues with reaching anything within the LAN you’re connected to (even the VPN server itself), then you might have missed the NAT service.

This article might look lengthy but trust me, the actual configuration is pretty fast; I’m just adding literally every single step.

The step-by-step guide was performed on a clean Windows Server 2012 R2 Virtual Machine running in Hyper-V (Windows 10 Pro is the Hypervisor, sharing its only network card). The steps also apply when you’re performing this on a physical Server.

internet-wirelessrouter-hyper-v-server-vm

The above represents more or less what the network behind the router looks like. In my specific case I have other plain switches between the wireless router and the Hypervisor (which, again, is not a Server but a Windows 10 desktop).

TIP: If the server you’re installing this on is a virtual machine, take a snapshot before and after every major step so that you can revert to it in case of issues without starting from scratch. Make sure you remove them once you’re happy. :)



L2TP VPN not working in Windows

I’m going to skip the first troubleshooting steps because if you’ve been struggling with this for days I guess you’ve tried those already (i.e. the connection works, the server is up...). Now, why is the L2TP VPN not working in Windows? That is generally when the VPN server is behind a NAT device, so the client needs NAT Traversal (NAT-T), and here’s the reason (Microsoft KB 926179) from Microsoft:

By default, Windows Vista and the Windows Server 2008 operating system do not support Internet Protocol security (IPsec) network address translation (NAT) Traversal (NAT-T) security associations to servers that are located behind a NAT device. Therefore, if the virtual private network (VPN) server is behind a NAT device, a Windows Vista-based VPN client computer or a Windows Server 2008-based VPN client computer cannot make a Layer Two Tunneling Protocol (L2TP)/IPsec connection to the VPN server.

This actually applies to every Microsoft OS up to Windows 10’s latest release (I’m writing this on the 22nd of September 2016).

In order to resolve this, you will have to add/modify the following key in the registry and reboot afterwards. If you’re less experienced with the registry, keep reading for the detailed steps below on how to create/modify the Key.

Registry subkey location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
DWORD Value Name: AssumeUDPEncapsulationContextOnSendRule
DWORD Value Data: 2

For Windows XP, the Registry subkey location is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec.

See these notes about the values (from Microsoft):

A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.

I’ve read on a forum that a person had to follow the process below in order to get it working (when I tried I never had to, but I guess it’s better to mention it):

  • Add the Key above, but give it value 1.
  • Reboot.
  • Modify the Key’s value to 2.
  • Reboot

Should you have more issues with Windows 7/Windows Server 2008, try applying this hotfix (requires reboot): https://support.microsoft.com/en-gb/kb/2523881

Step by Step instructions

  • Open RUN by pressing the Windows key + R, type regedit and press Ok. Alternatively, if you’re on Windows Vista and above, click Start, type regedit and press Enter once the Registry Editor’s icon appears.
    • Regedit icon: regedit-start-search
    • From Run:
      run-regedit
  • Navigate all the way to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent (or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec for Windows XP).
  • Right click on PolicyAgent (or in an empty spot on the right pane) and click New > DWORD (32-bit) Value.
    • regedit-new-dword-32bit-value
  • Name it AssumeUDPEncapsulationContextOnSendRule. Note, if you saved it with the default name, you may rename it by right clicking on it > Rename. If it already exists, go to the next step.
  • Right click on the newly created DWORD and select Modify (or double click on it).
  • Under Value data type 2 and click Ok.
    • regedit-modify-value-data
  • Close the Registry Editor and reboot your computer.
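The same registry change, as an added PowerShell example (not from the original post) for those who would rather script it than click through Regedit. It uses the key paths and the value name/data quoted from Microsoft above, shows the current value first, writes the DWORD, and verifies it; the OS-version check that picks the XP path is my assumption.

```powershell
# Added example: set the NAT-T registry value from an elevated PowerShell prompt
# and verify it. Value name, data and key paths are those from the KB text above.
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$valueData = 2   # 2: both client and server may be behind NAT; 1: only the server is behind NAT

# Assumption: anything older than Vista (major version < 6) uses the XP key
$isXP = [Environment]::OSVersion.Version.Major -lt 6
$keyPath = if ($isXP) {
    'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
} else {
    'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
}

if (-not (Test-Path $keyPath)) { throw "Key $keyPath not found on this system." }

# Show what is there now; a missing value behaves like 0 (no NAT-T to servers behind NAT)
$before = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $before) { Write-Host "Current value: <not set> (behaves as 0)" }
else                   { Write-Host "Current value: $before" }

# Create the DWORD, or overwrite it if it already exists (-Force)
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $valueData -Force | Out-Null

# Verify before asking the user to reboot
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne $valueData) { throw "Value not set correctly (got $after)" }
Write-Host "Set $valueName = $after under $keyPath. Reboot for the change to take effect."
```

To follow the forum workaround mentioned earlier (value 1, reboot, then value 2, reboot), run the script once with `$valueData = 1`, reboot, and run it again with `$valueData = 2`.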

Now you should be able to connect to the VPN.
