Removable Storage Access GPO setting not working

There is a badly documented requirement for the Removable Storage Access group policy settings, and it causes a lot of Active Directory administrators to complain in official and unofficial forums.

The requirement is that a service named “Portable Device Enumerator Service” must be running for the setting to be effective. This is a problem when the restriction targets users rather than computers: the Removable Storage Access setting lands in the user’s GPO, but a service start type is a Computer Configuration setting, so in many cases you end up deploying two GPOs: one that disables removable devices for the users, and one that enables the service on the computers they sign in to. Note that the policy fails silently: while the service is stopped, the deny simply has no effect, so it is worth checking the service state whenever you audit that a removable-storage restriction is really enforced.

To enable the Portable Device Enumerator Service, apply to the computers a GPO that sets the service to Automatic in the Computer Configuration\Policies\Windows Settings\Security Settings\System Services section, as shown in the following example:

Portable Device Enumerator Service
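The following diagnostic is an added example, not part of the original post: it reports the state of the service, fixes it locally on a test machine, and dumps what the Removable Storage Access policy actually delivered in each scope. It assumes the service short name WPDBusEnum (display name “Portable Device Enumerator Service”) and the value names written under the RemovableStorageDevices policy key (Deny_All at the root, Deny_Read/Deny_Write/Deny_Execute under per-device-class GUID subkeys, 1 = deny); verify those names on your build.

```powershell
# Added diagnostic, not part of the original post. Run in an elevated PowerShell
# on a client where the Removable Storage Access setting "does not work".
# Assumptions: service short name WPDBusEnum; policy values under the
# RemovableStorageDevices key as described in the lead-in.

$svc = Get-Service -Name WPDBusEnum
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WPDBusEnum'").StartMode
'Portable Device Enumerator Service: Status={0} StartMode={1}' -f $svc.Status, $startMode

if ($svc.Status -ne 'Running') {
    Write-Warning 'WPDBusEnum is stopped: Removable Storage Access settings are silently ignored.'
    # Local fix for a test box. On domain members deliver the same change through
    # the System Services GPO setting, otherwise nothing keeps it in place.
    Set-Service -Name WPDBusEnum -StartupType Automatic
    Start-Service -Name WPDBusEnum
}

# Show what policy actually reached this machine, per scope: HKLM comes from
# Computer Configuration, HKCU from the User Configuration of the signed-in user.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) {
        "$key : not present (no Removable Storage Access policy applied in this scope)"
        continue
    }
    # Root key plus every device-class subkey (GUID-named) beneath it.
    $subKeys = @(Get-ChildItem -Path $key -Recurse | ForEach-Object { $_.PSPath })
    foreach ($k in @($key) + $subKeys) {
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'Deny_*') {
                # Strip the provider prefix from PSPath for readable output.
                '{0}\{1} = {2}' -f ($k -replace '^.*::', ''), $p.Name, $p.Value
            }
        }
    }
}
```

If the HKCU key is present but the device still mounts, the service is the usual culprit; if neither key is present, the GPO never reached this user or computer, and `gpresult /h report.html` will tell you which GPO was filtered out.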

 

Windows Start menu not working due to AppLocker GPO

From what I can see, this is a common issue on Windows 8 and later. The symptom is that clicking the Windows logo in the bottom-left corner, which normally opens the Start menu, does nothing; pressing the Windows key on the keyboard doesn’t work either. Right-clicking the Start button still shows the administrative menu, however.
Many sites, blogs and forum threads suggest tools such as sfc.exe and Add-AppxPackage, and if these fail the final suggestion is to repair or reinstall the OS.
Before such an invasive step, consider whether a GPO is responsible for your issue (a domain GPO cannot be the cause if your PC doesn’t belong to a domain, although a local AppLocker policy still could be).
A GPO that enables AppLocker executable rules may be the cause. First check the AppLocker log in Event Viewer (Applications and Services Logs → Microsoft → Windows → AppLocker → Packaged app-Execution). If you find an event with ID 8026 or 8027, you are close to the solution: these events say that packaged apps (the Start menu is one) are being blocked because Exe rules are enforced while no Packaged app rules have been configured. A change to the AppLocker GPO (or a new GPO) is required. You (or your systems administrator) could exclude the affected PC from that GPO with security filtering, or alternatively create the default rules for the Packaged app section and enforce them.

In Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies, expand AppLocker, right-click Packaged app Rules and select Create Default Rules:


Then right-click AppLocker and select Properties. Under Packaged app rules, tick Configured and ensure that Enforce rules is selected:
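As an added example (not from the original post), the same diagnosis and fix in PowerShell: look for the 8026/8027 events, compare the Exe and Appx collections of the effective policy, and generate the default “All signed packaged apps” rule as XML for import into the GPO. Assumptions: the rule XML below reproduces the default Appx rule with a freshly generated Id, and the LDAP path in the last comment is a placeholder.

```powershell
# Added example, not taken from the original post. Run elevated on the affected PC.

# 1. Tell-tale events: 8026/8027 report packaged apps blocked because Exe rules
#    are enforced while no Packaged app rules are configured.
$hits = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
    Id      = 8026, 8027
} -MaxEvents 10 -ErrorAction SilentlyContinue
$hits | Select-Object TimeCreated, Id, Message | Format-List

# 2. Read the effective (merged) policy as XML and compare the two collections.
[xml]$xml = Get-AppLockerPolicy -Effective -Xml
$collections = @($xml.AppLockerPolicy.RuleCollection) | Where-Object { $_ }
$exe  = $collections | Where-Object { $_.Type -eq 'Exe' }
$appx = $collections | Where-Object { $_.Type -eq 'Appx' }
$appxRules = if ($appx) { @($appx.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count } else { 0 }
'Exe  : {0}' -f $(if ($exe) { $exe.EnforcementMode } else { 'not configured' })
'Appx : {0}, {1} rule(s)' -f $(if ($appx) { $appx.EnforcementMode } else { 'not configured' }), $appxRules

if ($exe -and $exe.EnforcementMode -eq 'Enabled' -and $appxRules -eq 0) {
    Write-Warning 'Exe rules enforced with no Packaged app rules: Start menu and other packaged apps are blocked.'
}

# 3. Build the default Packaged app rule (Everyone = S-1-1-0, any signed package)
#    with a new GUID as rule Id, ready to import into the GPO.
$ruleXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps"
        Description="Allows members of the Everyone group to run packaged apps that are signed."
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$rulePath = Join-Path $env:TEMP 'Appx-DefaultRule.xml'
Set-Content -Path $rulePath -Value $ruleXml -Encoding UTF8

# Merge into the GPO that carries the Exe rules (placeholder DN), or import the
# file through the AppLocker node in GPMC. The rule belongs in the domain GPO
# next to the Exe rules, not only in the local policy of one PC:
# Set-AppLockerPolicy -XmlPolicy $rulePath -Merge -Ldap 'LDAP://dc1.example.com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'
```

The default rule allows any signed package for Everyone, which is what the GUI’s Create Default Rules produces; if your baseline is stricter, replace the wildcard publisher with the publishers you actually trust before enforcing.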

For more details you can refer to these TechNet pages:

Hyper-V crazy replication

This is not supported by Microsoft, of course: it’s crazy! But it can be fun, too.

This post is about running Hyper-V Replica with only one host. I have always liked doing interesting things with minimal resources. But pay attention: if you have never implemented Hyper-V Replica, you may need additional guidance. I’m not giving you a step-by-step guide here, but you will find some useful links with details.

So I’ll show you how to test Hyper-V Replica with a single host, that is, a single physical computer, and possibly with a single VM (you can replicate more VMs at the same cost, however). There are some limitations, of course. Since the second Hyper-V host is itself a virtual machine, it cannot run virtual machines: nested virtualization is not available in Windows Server 2012 R2. It can, however, send and receive replicas, and this also lets you try both failover and test failover.

First of all, you need a 64-bit physical computer with hardware virtualization support, with Windows Server 2012 R2 installed on it (this may also work with Windows Server 2012). Let’s call this server “HVHOST”.

Replication is simpler if we have a domain (Kerberos authentication over HTTP); if you prefer to manage self-signed certificates (certificate authentication over HTTPS), you may choose not to install Active Directory.

The AD DS role may be installed on the physical Hyper-V host (this is not recommended, but you can do it). To add still a bit of insanity, in my lab I installed it on the VM instead, and then joined the physical host to the new domain. To be honest, I also made that host the node of a cluster, but please don’t follow me down this path, it is really too crazy.

So you’ll have to install AD DS and create a domain. I’m not going to explain this. You’ll also have to install the Hyper-V role. That is simple. Keep in mind that if your only domain controller is a VM running on HVHOST, the host boots before its domain is available: sign in with a local account or with cached domain credentials until the DC VM is up.

Once you have the Hyper-V role in place, create a VM running the same operating system as the host. This will be your second host; let’s call it “VMHOST”. Remember to join it to the domain (you may use an “internal” virtual switch to connect VMHOST to HVHOST without placing it on the external network).

Now the first tricky step. You cannot install Hyper-V on the VM in the usual way: Server Manager and Install-WindowsFeature refuse because the VM exposes no virtualization extensions. You must do it with PowerShell, which uses the DISM path that skips the check. So, sign in to VMHOST, open an elevated PowerShell session and type these commands:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
Install-WindowsFeature RSAT-Hyper-V-Tools -IncludeAllSubFeature

Then restart your VM.

As the first replication test, let’s replicate from VMHOST to HVHOST. So we need VMs on VMHOST, right? But VMHOST cannot run them, so it cannot install an operating system in them either. Better: we’ll create them on HVHOST and then import them on VMHOST.

If you follow my advice, you’ll create a new VHD on HVHOST and mount it using Disk Management. Then, in Hyper-V Manager, create one or more VMs, placing them (VM configuration and disks) on the mounted VHD. Install whatever operating system you want on them.

When they are ready, turn them off and unmount the VHD that contains them. Now attach the VHD to the SCSI controller of VMHOST and sign in to VMHOST. If necessary, use Disk Management (inside the VM) to bring the attached disk online, then use Hyper-V Manager to import the VMs found there.

Note: on HVHOST, the VMs you created will now be in a “critical” state, because their files are no longer reachable. You can remove them; since the files are out of reach, removing the VM only drops its registration. Do this after unmounting the VHD, not before, or the removal would delete the configuration files you are about to import.

We are ready for replication. The VMs you imported on VMHOST cannot start, but they can be replicated to HVHOST in the usual way, and you can also try every kind of failover, since the replicas on HVHOST can start.
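The “build on HVHOST, move the VHD, import on VMHOST” procedure above, as an added PowerShell example that is not part of the original post. Paths, VM names, sizes and the switch name “Internal” are assumptions; the guest OS installation step is left as a comment.

```powershell
# Added example, not from the original post. Names, paths and sizes are assumptions.

# ---- On HVHOST (the physical host), elevated ----
$carrier = 'D:\Lab\Carrier.vhdx'   # VHD that will carry the lab VMs to VMHOST
New-VHD -Path $carrier -SizeBytes 60GB -Dynamic | Out-Null

# Mount it, initialize, partition and format it; keep the resulting drive letter.
$vol = Mount-VHD -Path $carrier -PassThru | Get-Disk |
       Initialize-Disk -PartitionStyle GPT -PassThru |
       New-Partition -UseMaximumSize -AssignDriveLetter |
       Format-Volume -FileSystem NTFS -NewFileSystemLabel 'LabVMs' -Confirm:$false
$root = "$($vol.DriveLetter):\VMs"

# Create the guest with configuration and disk on the mounted VHD.
New-VM -Name 'Guest1' -MemoryStartupBytes 1GB -Generation 2 -Path $root `
       -NewVHDPath "$root\Guest1\Guest1.vhdx" -NewVHDSizeBytes 30GB `
       -SwitchName 'Internal' | Out-Null
# ... attach an ISO with Add-VMDvdDrive, Start-VM, install the OS, shut it down ...
Stop-VM -Name 'Guest1' -Force

# Order matters: dismount first, so the "critical" VM left on HVHOST can be
# removed without deleting the configuration files that now live on the carrier.
Dismount-VHD -Path $carrier
Remove-VM -Name 'Guest1' -Force

# Hand the carrier VHD to VMHOST on its SCSI controller (hot-add works on SCSI).
Add-VMHardDiskDrive -VMName 'VMHOST' -ControllerType SCSI -Path $carrier

# ---- On VMHOST (inside the VM), elevated ----
# Bring the new disk online and writable, then locate the volume by label
# (the drive letter inside VMHOST may differ from the one used on HVHOST).
Get-Disk | Where-Object { $_.OperationalStatus -eq 'Offline' } |
    ForEach-Object {
        Set-Disk -Number $_.Number -IsOffline $false
        Set-Disk -Number $_.Number -IsReadOnly $false
    }
$vmRoot = "$((Get-Volume -FileSystemLabel 'LabVMs').DriveLetter):\VMs"

# Register every VM found on the carrier in place (2012 R2 configs are .xml files
# under "Virtual Machines"; 2016 and later use .vmcx).
Get-ChildItem -Path $vmRoot -Recurse -Filter '*.xml' |
    Where-Object { $_.Directory.Name -eq 'Virtual Machines' } |
    ForEach-Object { Import-VM -Path $_.FullName -Register }
```

After the import, Get-VM on VMHOST lists Guest1 in the Off state; Start-VM will fail there, as the post explains, but Enable-VMReplication towards HVHOST works normally.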

Replication also works in the opposite direction. There is only one VM on our physical host, and that is VMHOST itself, so we will replicate VMHOST to VMHOST. This is really crazy!

To avoid crashing your lab environment, however, there is a small trick to apply.

On HVHOST, create a new VHD and attach it to VMHOST (you may use the wizard in Hyper-V Manager). Sign in to VMHOST, open Disk Management, bring the new disk online and format it. Then, in Hyper-V Settings / Replication Configuration on VMHOST, set the new disk as the “default location to store replica files”.

You are almost ready. When you enable replication of VMHOST (on HVHOST), pay attention to the wizard page that lets you choose which disks to replicate. Ensure that only the main disk (the one containing the operating system) is selected: if the replica-store disk were replicated too, every replica write landing on it would be captured and sent again, and the loop would keep growing until your storage fills up.

Hyper-V replica: select disk
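The reverse-direction setup above (HVHOST replicating VMHOST to the replica server running inside VMHOST), as an added PowerShell example that is not part of the original post. It assumes a domain with Kerberos authentication, WinRM reachable on VMHOST, and the names, paths and sizes shown; everything is driven from HVHOST.

```powershell
# Added example, not from the original post. Run elevated on HVHOST.
$vm          = 'VMHOST'
$replicaFqdn = 'VMHOST.lab.local'        # assumption: lab domain name
$store       = 'D:\Lab\ReplicaStore.vhdx' # second disk for VMHOST, replica data only

# 1. Give VMHOST a second disk to hold replica files, so replica data never
#    lands on the disk that is itself being replicated.
New-VHD -Path $store -SizeBytes 100GB -Dynamic | Out-Null
Add-VMHardDiskDrive -VMName $vm -ControllerType SCSI -Path $store

# 2. Inside VMHOST: prepare the new disk, enable the replica server, point its
#    default storage location at the new volume and open the HTTP listener.
Invoke-Command -ComputerName $replicaFqdn -ScriptBlock {
    $raw = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' }
    Set-Disk -Number $raw.Number -IsOffline $false
    Set-Disk -Number $raw.Number -IsReadOnly $false
    $vol = Initialize-Disk -Number $raw.Number -PartitionStyle GPT -PassThru |
           New-Partition -UseMaximumSize -AssignDriveLetter |
           Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Replica' -Confirm:$false
    $dir = "$($vol.DriveLetter):\Replica"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Kerberos `
        -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation $dir
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
}

# 3. Replicate only the OS disk: this is the wizard's "choose disks" page.
#    Excluding the replica store breaks the write-replicate-write loop.
$osDisk = Get-VMHardDiskDrive -VMName $vm | Where-Object { $_.Path -ne $store }
Enable-VMReplication -VMName $vm -ReplicaServerName $replicaFqdn -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -ReplicatedDisks $osDisk
Start-VMInitialReplication -VMName $vm

# 4. Confirm which disks are part of the replica and watch its health.
Get-VMReplication -VMName $vm | Select-Object State, ReplicatedDisks
Measure-VMReplication -VMName $vm
```

Step 4 is the check to keep: if ReplicatedDisks ever lists the store VHD, stop replication before the next cycle, since the initial replication alone would already copy the store into itself.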

And now, have fun!

Everyone denies (ITA)

Read this post in English

You have a problem with your PC. It may be an old Windows XP, perhaps the Home Edition. A couple of symptoms of your problem could be the following:

When you try to open an Office file, the application (Word, Excel, etc.) tells you it may already be open by “another user”.

<filename> is currently in use by “another user”. Open ‘Read-Only’ or click the ‘Notify’ button to open read-only and receive a warning message when the original file becomes available.

If you choose to open the file read-only, you then receive this error:

Error opening the file.
Try the following.
 Check the file permissions for the document or drive.
 Check memory and disk space.
 Open the file with the Text Recovery converter.

Also, when you open Outlook Express, you can download new messages, you can see the sender and the subject, but the message body is empty.

Other applications may have problems, with various kinds of error messages.

What could have happened?

Well, first of all you may suspect that your PC has been infected by some kind of malware. Run a scan with your antivirus right away, then open msconfig (Start, Run, type msconfig) and go to “Startup”. Disable any suspicious program and reboot.

Then open your %userprofile% folder (Start, Run, type %userprofile%) and go down into Start Menu, Programs, Startup. Remove any unwanted files. If you cannot delete them because of an “access denied”, try using a tool such as Unlocker.

These steps, however, do not solve your problem. Your problem is probably related to the permissions on the temporary folder.

Open a command prompt (Start, Run, type cmd). At the prompt, type: cacls %temp%

You may see that the Everyone group has a deny entry. A deny for Everyone overrides every allow entry, including your own, so applications cannot create their temporary files.

cacls

You are lucky: you have found the problem. Now run:
cacls %temp% /e /r everyone

Try opening your files and applications: they may work now.

If the command fails, you can create a new folder in your profile and redirect both %temp% and %tmp% to it. Or, as an extreme solution, you could create a new user and move your personal files to the new profile.

If this article helped you, leave a comment: it might help other people experiencing the same problem.

Everyone denies

Read this article in Italian

You have a problem with your PC. It may be an old Windows XP, possibly Home Edition. A couple of symptoms are the following:

When you try to open an Office file, the application (Word, Excel, etc.) states that it is already open by “another user”.

Error: “<filename> is locked for editing by ‘another user’. Open ‘Read-Only’ or click ‘Notify’ to open read-only and receive notification when the document is no longer in use.”

If you choose to open it in read-only mode, you receive an error such as:

Word experienced an error trying to open the file.
Try these suggestions.
 Check the file permissions for the document or drive
 Make sure there is sufficient free memory and disk space
 Open the file with the Text Recovery converter

Moreover, when you open Outlook Express, you can download new messages, you can see the sender and the subject, but the message body is blank.

Other applications may fail as well, with various kinds of error messages.

What happened?

Well, first of all I suspect you were infected by some kind of malware. Please do a full scan with your antimalware software, then open msconfig (Start, Run, type msconfig) and go to the “startup” section. Disable any suspect program, and reboot.

Also open your %userprofile% folder (Start, Run, type %userprofile%) and go to Start menu, Programs, Startup. Remove any unwanted file. If you receive an “access denied” error, try using a tool such as Unlocker.

These steps don’t resolve your problem, however. It’s likely that your problem is related to your temp folder permissions.

Open a command prompt (Start, Run, type cmd). At the prompt type: cacls %temp%

You may see that the Everyone group has a deny entry. A Deny ACE for Everyone wins over every Allow entry, including your own, so no application can create its temporary files there.

cacls

You are lucky: you found the problem.
Just type:
cacls %temp% /e /r everyone

Now please try opening your applications and files. They should work.

If the above command fails, you may create a new folder in your profile and redirect both %temp% and %tmp% to that folder (System Properties, Environment Variables). Or you may create a new user and move your personal files to the new profile.
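The same check and repair for the temp folder, as an added PowerShell example that is not part of the original post (it serves both the Italian and the English version above). It targets Windows Vista and later, where PowerShell is available; on XP the cacls commands in the post are the tool. Everyone is identified by its well-known SID S-1-1-0 so the check works regardless of the system language; the fallback folder name Temp2 is an assumption.

```powershell
# Added example, not part of the original post. Run as the affected user.

# Can the current user actually create a file in %temp%?
function Test-TempWritable {
    param([string]$Path = $env:TEMP)
    try {
        $probe = New-Item -Path $Path -Name ([guid]::NewGuid().ToString()) -ItemType File -ErrorAction Stop
        Remove-Item -Path $probe.FullName -Force
        return $true
    } catch { return $false }
}

# List Deny ACEs granted to Everyone (S-1-1-0) on the folder, explicit or inherited.
function Get-EveryoneDenyAces {
    param([string]$Path = $env:TEMP)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $acl = Get-Acl -Path $Path
    # Ask for rules as SIDs instead of names: no translation issues on localized systems.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq $everyone }
}

# Equivalent of "cacls %temp% /e /r everyone": strip the explicit Deny entries.
function Remove-EveryoneDenyAces {
    param([string]$Path = $env:TEMP)
    $acl = Get-Acl -Path $Path
    $removed = 0
    foreach ($ace in (Get-EveryoneDenyAces -Path $Path)) {
        if ($ace.IsInherited) {
            # An inherited Deny lives on a parent folder and must be removed there.
            Write-Warning "Inherited Deny for Everyone on $Path comes from a parent folder; fix it there."
            continue
        }
        if ($acl.RemoveAccessRule($ace)) { $removed++ }
    }
    if ($removed -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $removed
}

# Fallback from the post: point TEMP and TMP of this user at a fresh folder.
function Set-UserTempFolder {
    param([string]$NewPath = (Join-Path $env:USERPROFILE 'Temp2'))
    New-Item -ItemType Directory -Path $NewPath -Force | Out-Null
    foreach ($name in 'TEMP', 'TMP') {
        [Environment]::SetEnvironmentVariable($name, $NewPath, 'User')
    }
    return $NewPath
}

if (-not (Test-TempWritable)) {
    "Deny entries for Everyone on $env:TEMP:"
    Get-EveryoneDenyAces | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    $n = Remove-EveryoneDenyAces
    "Removed $n explicit Deny entr(y/ies)."
    if (-not (Test-TempWritable)) {
        "Still not writable; redirecting TEMP/TMP to " + (Set-UserTempFolder) + " (takes effect at next sign-in)."
    }
}
```

Before removing the entries, note who placed them: a Deny for Everyone on a user’s temp folder is not something Windows or Office writes, so the ACL itself is evidence worth keeping (Get-Acl … | Format-List) if you are still investigating the suspected malware.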

If this post was helpful, please leave a comment: this could help other people having the same issue.