Archive for the ‘Windows’ Category

Difference between Computer Configuration settings and User Configuration settings in Active Directory Policy Editor

November 22nd, 2013
  • Computer Configuration settings are applied to computer accounts at startup and at each background refresh interval.
  • User Configuration settings are applied to user accounts at logon and at each background refresh interval.

An Introduction to Active Directory Basics

November 12th, 2013

Before we get started covering Active Directory, we’ll lay the foundation with some basics. These
definitions aren’t completely comprehensive but will give you the foundation you need to
understand the topics in this chapter. Although there are a lot of terms to grasp, no term is that
complex. We’ll define them here with a short introduction and often expand on them later.


  • Workgroup

A workgroup is a group of users connected in a local area network (LAN) but
with each computer having its own user accounts. A user who can log onto one computer will
need a different user account to log onto a different computer, which can become a problem.
A single user who needs to access several computers will have several different user accounts,
often with different passwords.

Workgroups are often used in organizations with fewer than 10 computers. As more computers
are added, a decentralized workgroup becomes harder to manage and administer, requiring it
to be promoted to a domain.

  • Domain

When an organization becomes too big for a workgroup, a domain is created by
running the domain controller promotion wizard (DCPromo) on a server and promoting the
server to a domain controller. A domain controller is a server that hosts a copy of Active
Directory Domain Services.

  • Active Directory Domain Services

Active Directory Domain Services (AD DS) is used to
provide several services to an organization. At its core, it’s a big database of objects (such as
users, computers, and groups) and is used to centrally organize and manage all the objects
within an organization. A single user would have a single user account in Active Directory
and can use this single account to access multiple computers in the organization. This is often
referred to as single sign-on.
Additional services include the ability to easily search AD DS so that objects can easily be
located, as well as secure authentication using Kerberos.
Copies of Active Directory are kept on domain controllers. It’s very common to have at least two
domain controllers for redundancy purposes in case one goes down. Any changes to Active
Directory are passed to each of the domain controllers using a process called replication.

  • Replication

When any object (such as a user account) is added, deleted, or modified within
Active Directory, the change is sent to all other domain controllers (DCs) in the domain. When
a business is located in a single location, the changes are sent to all other DCs within a minute.
Modifications can be done on any DC. The initial change is sent from the DC where the change
was created to other DCs (designated as replication partners) within 15 seconds. If there are
more than four DCs in the organization, they are automatically organized in a logical circle,
and the change is replicated through the replication circle until all the DCs have the change.

  • Objects

Objects within AD are used to represent real-world items. Common objects are
user objects and computer objects that represent people and their computers. The objects can
be managed and administered using AD DS. For example, to represent a user named Sally,
a user account object is created. Sally can then use this account to log onto the domain and
access domain resources such as files, folders, printers, and email. Although we would often
say that we give Sally permission to access the resources, we actually give Sally’s user object
permission to access the resources. Similarly, a computer account object is created to repre-
sent Sally’s computer. All objects have properties that can be configured such as the user’s
first name, last name, display name, logon name, and password for a user object.
The types of objects and their properties are predefined. You won’t find a kitchen-sink object
in AD DS, and you won’t find a favorite color property for users—at least not by default. All
objects that can be added to AD DS and the properties used to define these objects are specified
in the schema.

  • Schema

The schema is the definition of all the object types that Active Directory can
contain, and it includes a list of properties that can be used to describe the objects. You
can think of the schema as a set of blueprints for each of the objects. Just as a blueprint for
a house can be used to create a house, a schema definition for a user object can be used to
create a user object.

Only objects that are defined by the schema can be added to Active Directory, and these objects
can be described only by properties defined and identified by the schema. It’s common for
the schema to be modified a few times in the lifetime of an Active Directory enterprise. For
example, to install Exchange Server 2007 (for mail), the schema must be modified to accept the
different objects and properties required by Exchange. Modifying the schema is often referred
to as extending the schema.

  • Organizational units

Organizational units are used to organize objects within Active
Directory. You can think of an OU simply as a container for the objects. By placing the objects
in different containers, they are easier to manage. For example, you can create a Sales OU and
place all the objects representing users and computers in the sales department in the Sales OU.
OUs have two distinct benefits. You can delegate permissions to an OU, and you can link Group
Policy to an OU. As an example, Maria may be responsible for administration for all users and
computers in the sales department. If these objects were placed in the Sales OU, Maria could
be delegated permission to administer the OU, and it would include all the objects in the OU.
Similarly, you can use Group Policy to apply different settings and configurations to all the user
and computer objects in an OU by applying a single Group Policy object to the OU.

  • Group Policy

Group Policy allows you to configure a setting once and have it apply to
many user and/or computer objects. For example, if you want to ensure all the computers in
the sales department have their firewall enabled, you could place the computers in an OU
and call it Sales, configure a Group Policy object (GPO) that enables the firewall, and link the
policy to the Sales OU. It doesn’t matter if there are five computers in the OU or 5,000; a GPO
will apply the setting to all the computers in the OU.
You can link GPOs to OUs, entire domains, or sites. When linked, a GPO applies to all the
objects within the OU, domain, or site. For example, if you want all users in the entire domain
to have firewalls enabled, instead of linking the GPO to the site, you’d link it to the domain. Two
default GPOs are created when a domain is created: the default domain policy and the default
domain controllers policy.

  • Default domain policy

The default domain policy is a preconfigured GPO that is added
when a domain is created and linked at the domain level. Settings within the default domain
policy apply to all user and computer objects within the domain. This policy starts with some
basic security settings such as requirements for passwords but can be modified as desired.

  • Default domain controllers policy

The default domain controller policy is a preconfigured GPO that is added when a domain is
created and linked at the Domain Controllers
OU level. The Domain Controllers OU is created when a domain is created, and all domain
controllers are automatically placed in this OU when they are promoted to a DC. Since the
default domain controller policy is linked to the Domain Controllers OU, it applies to all
domain controllers.

  • Site

A site is a group of well-connected computers and is sometimes referred to as a group
of well-connected subnets. Small to medium-sized businesses often operate out of a single
location, and all the computers in this location are connected via a single LAN. This is a site.
If a remote office is created and connected via a slower connection, it could be configured as
a site. The remote office is well connected within the remote office but not well connected to
the main office. Sites are explored in much more depth in Chapter 21.

  • Forest

A forest is a group of one or more domains that share a common Active Directory.
A single forest will have only one schema (only one definition of objects that can be created)
and only one global catalog.

  • Global catalog

The global catalog (GC) is a listing of all the objects in the entire forest. It is
easily searchable and is often used by different applications to search AD DS for specific objects.
The global catalog is hosted on domain controllers that are designated as GC servers. Since there
is only one GC for a forest and a forest can include multiple domains, it can become quite large.
To limit its size, objects in the GC have only a subset of properties included. For example, a user
account may have 100 properties to describe it, but only about 10 are included in the GC.

  • Tree

A tree is a group of domains with a common namespace. That simply means the two-
part root domain name is common to other domains in the tree. The first domain in the forest
may be called A child domain could be created named Notice
the common name ( It is possible to create a separate tree within a forest. For
example, another domain could be created named It’s not the same namespace,
but since it is in the same forest, it would share a common schema and global catalog.

Note: this is from the book Mastering Windows Server® 2008 R2.
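The OU and Group Policy arrangement described above (a Sales OU, one GPO linked to it, inheritance from the domain), as an added PowerShell example that is not from the book chapter. It assumes a Windows Server 2008 R2 or later domain controller with the ActiveDirectory and GroupPolicy modules; the domain bigfirm.com, the user Sally, the computer SALES-PC1 and the GPO name are placeholders.

```powershell
# Added example: builds the Sales OU / GPO arrangement from the chapter above.
# Run on a DC (Server 2008 R2 or later) as a domain admin; names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=bigfirm,DC=com'
$SalesOU  = "OU=Sales,$DomainDN"

# 1. An OU is only a container: create it, then place the Sales objects in it
New-ADOrganizationalUnit -Name 'Sales' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
New-ADUser -Name 'Sally' -SamAccountName 'sally' -UserPrincipalName 'sally@bigfirm.com' -Path $SalesOU
Get-ADComputer -Identity 'SALES-PC1' | Move-ADObject -TargetPath $SalesOU   # existing computer account

# 2. Configure the setting once in a GPO. This is a Computer Configuration setting
#    ("Windows Firewall: Protect all network connections", domain profile), so it is
#    applied at computer startup and at each background refresh, not at user logon.
$gpo = New-GPO -Name 'Sales Firewall'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the OU: it now applies to five or 5,000 computers in Sales alike
New-GPLink -Name $gpo.DisplayName -Target $SalesOU -LinkEnabled Yes | Out-Null

# 4. Verify: the OU sees its own link plus the Default Domain Policy inherited from the domain link
(Get-GPInheritance -Target $SalesOU).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Order, Target | Format-Table -AutoSize

# On a computer in the Sales OU, 'gpupdate /force' followed by 'gpresult /r' shows the GPO applied.
```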


use batch script to start up & shutdown Virtualbox VMs

October 28th, 2013

I get up before 8 every weekday and want two VirtualBox VMs named "xp" and "win2008" powered on, so I wrote a script and put it in the "Startup" folder; the two VMs then start automatically with the system:

@echo off
rem Only continue on weekdays: "date /t" prints the day name first in an English locale
date /t | find "Mon" && goto 1
date /t | find "Tue" && goto 1
date /t | find "Wed" && goto 1
date /t | find "Thu" && goto 1
date /t | find "Fri" && goto 1
exit

:1
rem %time:~0,2% is the current hour; start the VMs only if it is 8 or earlier
if %time:~0,2% leq 8 (
c:\VirtualBox\VBoxManage startvm win2008 --type gui
c:\VirtualBox\VBoxManage startvm xp --type gui
) else exit

And I also want to shut down these two VMs in one run:

c:\VirtualBox\VBoxManage controlvm win2008 acpipowerbutton
c:\VirtualBox\VBoxManage controlvm xp acpipowerbutton


You may also consider Group Policy (gpedit.msc -> Computer Configuration -> Windows Settings -> Scripts -> Shutdown) so that when you shut down your PC, all VMs are turned off automatically by the shutdown script. More in
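The same start-up and shut-down logic as an added PowerShell version (not the original post's batch script): it checks each VM's state before acting and waits for the ACPI shutdown to finish, which the batch version does not. It assumes VBoxManage.exe in C:\VirtualBox and VMs named win2008 and xp, as above.

```powershell
# Added example (not the original post's script): same idea in PowerShell, with state
# checks and a wait for the ACPI shutdown. Paths and VM names are assumed from the post.
$VBoxManage = 'C:\VirtualBox\VBoxManage.exe'
$Vms = @('win2008', 'xp')

function Get-VmState {
    param([string]$Name)
    # --machinereadable prints key="value" lines; VMState is "running", "poweroff", "saved", ...
    $line = & $VBoxManage showvminfo $Name --machinereadable 2>$null | Select-String '^VMState='
    if (-not $line) { return $null }          # unknown VM name
    return ($line.Line -split '=', 2)[1].Trim('"')
}

function Start-WeekdayVms {
    # Same rule as the batch version: weekdays only, and only while the hour is 8 or earlier
    $now = Get-Date
    if ($now.DayOfWeek -in @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday)) { return }
    if ($now.Hour -gt 8) { return }
    foreach ($vm in $Vms) {
        if ((Get-VmState $vm) -ne 'running') {   # do not error on an already running VM
            & $VBoxManage startvm $vm --type gui
        }
    }
}

function Stop-Vms {
    param([int]$TimeoutSeconds = 120)
    # Ask every running guest to shut down cleanly (same as pressing the ACPI power button)
    foreach ($vm in $Vms) {
        if ((Get-VmState $vm) -eq 'running') { & $VBoxManage controlvm $vm acpipowerbutton }
    }
    # acpipowerbutton returns immediately, so wait for the guests; hard-stop any that ignore it
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    foreach ($vm in $Vms) {
        while ((Get-VmState $vm) -eq 'running' -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 5 }
        if ((Get-VmState $vm) -eq 'running') { & $VBoxManage controlvm $vm poweroff }
    }
}

# Startup folder: a shortcut to "powershell.exe -File start-vms.ps1" runs this file;
# the Group Policy shutdown script mentioned above can call Stop-Vms instead.
Start-WeekdayVms
```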



windows tips

June 30th, 2013

shutdown -r #reboot
at 22:00 Shutdown -s

ctrl+shift+n #create new folder
shutdown -s -t 0 #shutdown now
netstat -an|findstr :8080
ping /? #windows show help, or ping /h or ping -? or ping help
teamviewer, realvnc, mstsc(RDP), radmin #remote connection
mstsc /v:win20081 #Microsoft Terminal Services Connection
msra #Remote Assistance
ipconfig | clip
baretail #windows tail
Process Explorer #libraries and files accessed by an individual process
ALT+SPACE+N #minimize current window
netsh winsock reset #when ping works but you still cannot get online (resets the Winsock catalog)

\\<hostname>\c$ #show drive C, ensure there's WINS running in the network
slmgr -rearm #extend by thirty days. reboot needed
servermanagercmd.exe -query # report on what roles, role services, and features are installed
#to use powershell to install roles/role services
import-module Servermanager
add-windowsfeature File-Services,FS-Resource-Manager -whatif
add-windowsfeature File-Services,FS-Resource-Manager -concurrent
set-executionpolicy unrestricted #then you can use powershell.exe <script.ps1> to add roles/role services
ctrl+shift+esc #start up Task Manager
C:\Windows\System32>cscript scregedit.wsf /cli #edit registry in windows core. cscript is the Windows Script Host interpreter for the VBScript file scregedit.wsf. or just use regedit to open GUI
cscript scregedit /au 4 #enable automatic updates
cscript scregedit /au /v #view current setting
control timedate.cpl #set timezone(using GUI)
netdom renamecomputer WIN-AG6PVO7DM2A /NewName:Bfsc1 /reboot:5 #rename computer
netdom join bfsc1 / /userd:Administrator /passwordd:P@ssw0rd /reboot:5 #join a domain
sc query dhcpserver #check service status
Net Share Drive_D=D:
net share #all shares
WMIC QFE List Full #installed service packs and patches
echo %prompt% #Command Prompt Personalization Values, prompt=$D$P$G
dir #internal command, help to check all
dir name.* /S #find file recursively
findstr /m /c:"andy test" /i *.* # /m show only filename, /i case insensitive
findstr /m /c:"andy here" *.* #/c: for searching items with space
tasklist /? #help message
TaskList /FI "Status eq Not Responding"
SystemInfo #system info, include patch, NIC
SystemInfo /S Main /U Joe /P #a machine named Main with Joe's account
TaskList /FI "ImageName eq Notepad.EXE"
taskkill /pid 7936
getmac /v
ipconfig /all
net localgroup #the net command manages network information, including accounts, groups, computers, services, and files
netstat -a -b #-b to get which program opens the connection
whoami /all #user info
@Echo Hello #the leading @ stops the command line itself being echoed, so only "Hello" is printed
@Pause Press AnyKey...
network logins don't create user profiles, interactive logins do #regedit, under HKEY_USERS
reg query "hkcu\control panel\desktop" /v ScreenSaverIsSecure #query a registry value
reg query HKLM /f "Organization" /t REG_SZ /s
reg add "HKCU\Software\Microsoft\Notepad" /v fWrap /d 1 /f
reg export "HKCU\Software\Microsoft\Notepad" notepadback.reg #and then type notepadback.reg to see the contents
net user nopower Panda12 /add #normal user nopower with password Panda12
net user administrator * #change password
shutdown -l #log out
gpedit.msc #group policy object, LGPO. Or run mmc and then add the snap-in for Group Policy Object editor(you can select Administrators or Non-Administrators or User Specific LGPO from here)
diskpart.exe #disk management CLI
list disk
select disk 1
convert mbr #or convert gpt
convert dynamic #convert disk from basic to dynamic which has volumes that can across multiple physical disks(simple, spanned, striped, mirrored, raid5)
list partition
select partition 2
active #mark a partition as active which will be bootable
diskmgmt.msc #disk management
format e: /fs:ntfs
convert p: /fs:ntfs
NetSH Interface IP Set Address "Local Area Connection" Static 1
NetSH Interface IP SetDNSServer "Local Area Connection" Static
nbtstat -n #get NetBIOS name of workstation
net view \\ANDY-PC
net use Z: \\bf1\temp #net use Z: /del to remove the mapped drive
servermanager.msc #server management
compmgmt.msc #computer management
ncpa.cpl #view network connections
dnscmd /info #config of dns server
nslookup #set q=ptr; set q=soa; set q=ns; set q=srv;
dcdiag /test:RegisterInDNS / /f:documents\ dcdiagRegisterInDNS.txt #test whether a domain controller can perform DDNS to register the SRV records
download Remote Server Administration Tools (RSAT) to manage servers from Windows 7
[email protected] Te$t225223
dsquery user -upn [email protected] #get DN of user
dsquery user -samid liandy
dsmod user "CN=JoeBloggs,OU=Users,OU=BigFirm,DC=bigfirm,DC=com" -mgr "CN=AlexandraGarcia,OU=Users,OU=BigFirm,DC=bigfirm,DC=com" #set a user's manager
gpedit.msc #group policy editor for local machine GPO.
gpmc.msc #group policy management console for AD. right click one GPO and “edit”, will open GPME for that GPO
gpme.msc #group policy management editor
gpupdate /force #refresh Group Policy
perfmon.msc #performance monitor
secpol.msc #local security policy
ipsecmon #identify systems that are using IPSec and the level of security they are using

MMC - Microsoft Management Console, mmc.exe
MSC - Microsoft saved console, like compmgmt.msc
(most of them are in C:\Windows\System32)
azman.msc               Authorization Manager
certmgr.msc             Certificates (Current User)
comexp.msc              Component Services
compmgmtlauncher.exe    Server Manager
devmgmt.msc             Device Manager
eventvwr.msc            Event Viewer
fsmgmt.msc              Shared Folders
iscsicpl.exe            iSCSI Initiator
lusrmgr.msc             Local Users and Groups
mdsched.exe             Memory Diagnostics Tool
msconfig.exe            System Configuration
napclcfg.msc            NAP Client Configuration
odbcad32.exe            Data Sources (ODBC)
rsop.msc                Resultant Set of Policy
scw.exe                 Security Configuration Wizard
services.msc            Services
storagemgmt.msc         Share and Storage Management
storexpl.msc            Storage Explorer
tapimgmt.msc            Telephony
taskschd.msc            Task Scheduler
tpm.msc                 Trusted Platform Module (TPM) Management
tsadmin.msc             Terminal Services Manager
tsconfig.msc            Terminal Services Configuration
tsmmc.msc               Remote Desktops
wbadmin.msc             Windows Server Backup
wf.msc                  Windows Firewall with Advanced Security
wmimgmt.msc             WMI Control (Console Root\WMI Control)



resolved – resolv.conf windows equivalent

November 12th, 2012

This is an interesting topic. Because the filesystem layout is completely different between Linux and Windows, there is no /etc/resolv.conf on Windows. But there is a way to get the same effect, a DNS suffix search list, without installing any software. Follow the steps below:

1. Go to "Network Connections":

2. Double click the connection you want to set DNS resolution for (usually "Local Area Connection" if you are on a wired connection):

3. Click "Properties", then double click "Internet Protocol Version 4 (TCP/IPv4)":

4. In the window that opens, click "Advanced", then switch to the "DNS" tab:

5. Check "Append these DNS suffixes (in order)" and click "Add". Then enter the suffix you want to add, for example "":


After this, click "Add", then "OK", and close the other open dialogs.

Now test again with ping or a browser: unqualified names are resolved just as they would be with a search list in /etc/resolv.conf on Linux.
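The same configuration from the command line, as an added PowerShell example that is not part of the original post. The "Append these DNS suffixes (in order)" dialog stores the list in the SearchList value under Tcpip\Parameters, so that value (or the DnsClient cmdlets on Windows 8 / Server 2012 and later) is the closest thing Windows has to editing resolv.conf. The suffixes and the host name below are placeholders; run it from an elevated PowerShell.

```powershell
# Added example (not part of the original post): command-line equivalent of the
# "Append these DNS suffixes (in order)" dialog. Needs an elevated PowerShell.
# Suffix names and the host name below are placeholders.
$Suffixes = @('corp.example.com', 'lab.example.com')
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-SuffixSearchList {
    # The dialog stores the list as a comma-separated REG_SZ value named SearchList
    $value = (Get-ItemProperty -Path $TcpipParams -Name SearchList -ErrorAction SilentlyContinue).SearchList
    if ([string]::IsNullOrEmpty($value)) { return @() }
    return $value -split ','
}

function Set-SuffixSearchList {
    param([string[]]$List)
    if (Get-Command Set-DnsClientGlobalSetting -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: the supported cmdlet (DnsClient module)
        Set-DnsClientGlobalSetting -SuffixSearchList $List
    } else {
        # Windows 7 / Server 2008 R2: write the same value the GUI writes
        Set-ItemProperty -Path $TcpipParams -Name SearchList -Value ($List -join ',')
    }
}

Set-SuffixSearchList -List $Suffixes
Write-Host 'Search list now:' ((Get-SuffixSearchList) -join ', ')

# Check: the resolver now tries an unqualified name with each suffix in order,
# like a "search" line in resolv.conf. "fileserver" is a placeholder host.
ipconfig /all | Select-String -Pattern 'DNS Suffix Search List' -Context 0,2
ping -n 1 fileserver
```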
