Meraki's advice for enabling AD authentication for VPN is to create the service account as a Domain Administrator:

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Active_Directory_Integration

This is a big security no-no: if that account is ever compromised, the whole domain is compromised with it.

You can instead make this account a plain Domain User, which already gives it the access needed to:

  • Query the user database via LDAP
  • Query group membership via LDAP

The remaining requirement, "Query the domain controller via WMI", can then be granted with explicit WMI namespace permissions by doing the following on the domain controller.

To set the WMI user access permissions

  1. Select Start > Run.
  2. On the Run dialog, type wmimgmt.msc in the Open field.
  3. Click OK to display the Windows Management Infrastructure (WMI) Control Panel.
  4. In the left pane of the WMI Control Panel, highlight the WMI Control (local) entry, right-click, and select the Properties menu option. This displays the WMI Control (Local) Properties dialog box.
  5. Select the Security tab in the WMI Control (Local) Properties dialog box.
  6. In the namespace tree within the Security tab, expand the Root folder. This action lists the available WMI name spaces.
  7. Click the CIMV2 namespace to highlight it.
  8. Click Security to display the Security for ROOT\CIMV2 dialog box.
  9. Click Add in the Security for ROOT\CIMV2 dialog box to display the Select Users or Groups dialog box.
  10. Add the domain user account that will be used as your proxy data collection user account. This should be a domain account (not a local computer account), but it does not need to be an account with administrative access.
  11. Click OK to close the Select Users or Groups dialog box and return to the Security for ROOT\CIMV2 dialog box. The user account you selected should now be listed in the Name list at the top of the dialog box.
  12. Select the newly added user (if it is not already selected) and enable the following permissions:
    • Enable Account
    • Remote Enable
      Enable the permissions by clicking the Allow box, if it is not already checked for that permission. The Enable Account permission should already be selected, but the Remote Enable permission will need to be selected.
  13. Click OK to close the Security for ROOT\CIMV2 dialog box.
    The permissions should now be properly set for the proxy data collection user account.
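The same change from PowerShell, as an added example that is not part of the original post: it grants only the two rights the dialog above sets (Enable Account and Remote Enable) on ROOT\CIMV2 to a plain domain user, refuses to run if that user is in Domain Admins or BUILTIN\Administrators, and reads the namespace security descriptor back to confirm the result. The domain name CONTOSO and the account svc-meraki are placeholders; it needs the ActiveDirectory module and must run elevated on the domain controller.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the DC.
# Assumed placeholders: NetBIOS domain CONTOSO, service account svc-meraki.
param(
    [string]$Domain    = 'CONTOSO',
    [string]$Account   = 'svc-meraki',
    [string]$Namespace = 'root/cimv2'
)

# WMI namespace access-mask bits. Only the two the dialog calls
# "Enable Account" and "Remote Enable" are granted; everything else stays unset.
$WBEM_ENABLE           = 0x1
$WBEM_REMOTE_ACCESS    = 0x20
$CONTAINER_INHERIT_ACE = 0x2   # let the ACE flow down to child namespaces
$ACCESS_ALLOWED_ACE    = 0

# Resolve the account to a SID so the ACE is tied to the object, not the name.
$ntAccount = New-Object System.Security.Principal.NTAccount("$Domain\$Account")
$sid       = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
$domainSid = $sid -replace '-\d+$', ''

# Guard: this account must be an ordinary user. Direct membership only is checked
# (nested group membership is not expanded here).
$privileged = @('S-1-5-32-544', "$domainSid-512")   # BUILTIN\Administrators, Domain Admins
$groupSids  = (Get-ADUser -Identity $Account -Properties MemberOf).MemberOf |
              ForEach-Object { (Get-ADGroup -Identity $_).SID.Value }
if ($groupSids | Where-Object { $privileged -contains $_ }) {
    throw "$Domain\$Account is a member of a privileged group; use a plain domain user instead."
}

# Read the namespace's current security descriptor.
$wmiArgs = @{ Namespace = $Namespace; Path = '__systemsecurity=@' }
$sd = (Invoke-WmiMethod @wmiArgs -Name GetSecurityDescriptor).Descriptor

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SidString = $sid
$trustee.Domain    = $Domain
$trustee.Name      = $Account

$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE
$ace.Trustee    = $trustee

# Replace any existing ACE for this SID rather than stacking duplicates.
$sd.DACL = @($sd.DACL | Where-Object { $_.Trustee.SidString -ne $sid }) + $ace.psobject.immediateBaseObject

$result = Invoke-WmiMethod @wmiArgs -Name SetSecurityDescriptor -ArgumentList $sd.psobject.immediateBaseObject
if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with return value $($result.ReturnValue)" }

# Verify: read the descriptor back and show the mask now granted to the account.
$check = (Invoke-WmiMethod @wmiArgs -Name GetSecurityDescriptor).Descriptor.DACL |
         Where-Object { $_.Trustee.SidString -eq $sid }
'{0}\{1} on {2}: AccessMask=0x{3:X} (expected 0x21)' -f $Domain, $Account, $Namespace, $check.AccessMask
```

The final line should report 0x21, which is exactly Enable Account plus Remote Enable; any other bits set mean something more than the two permissions was granted.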

Trying to authenticate a user with their AD credentials gave the following error in the Event Log on the Meraki:

The remote connection was denied because of the username and password combination

I also saw these errors:

msg: invalid DH group 19.
msg: invalid DH group 20.
msg: failed to begin ipsec sa negotiation.

You need a TLS certificate on the domain controller / RADIUS server for the communication to work. Run the PowerShell below:

New-SelfSignedCertificate -DnsName domaincontroller.domain.local -CertStoreLocation cert:\LocalMachine\My

This creates a certificate in Certificates (Local Computer) > Personal > Certificates.

You will then need to use the MMC to copy it into the Trusted Root Certification Authorities store.
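The same two steps without the MMC, as an added example that is not part of the original post: it creates the self-signed certificate with a non-exportable key, a bounded lifetime and a Server Authentication EKU only, copies just the public certificate into the local machine's Trusted Root store, and then checks the chain builds. The host name domaincontroller.domain.local is the placeholder from the post.

```powershell
# Added example, not from the original post. Run elevated on the DC / RADIUS server.
# Assumed placeholder host name, as in the post.
$dnsName = 'domaincontroller.domain.local'

# Create the certificate in Personal (My). Restrict it to Server Authentication
# and give it an explicit expiry so it cannot quietly live on for a decade.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')   # EKU: Server Authentication

# Copy only the public part into Trusted Root; the private key stays in My.
$publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,$cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$rootStore.Add($publicOnly)
$rootStore.Close()

# Verify: the chain must now build, and the EKU should be only 1.3.6.1.5.5.7.3.1.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    EKU        = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -join ','
    ChainValid = $cert.Verify()
}
```

Keep the thumbprint from the output; it is what you select in the NPS policy, and it is the value to check when the certificate nears its NotAfter date.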

I also had issues with RADIUS with the error: msg: failed to begin ipsec sa negotiation.

After following these settings : https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

In the end I had to clear out the conditions in the network policies (specifically the Calling Station ID) and re-add them.

Debloat Scripts

https://github.com/Sycnex/Windows10Debloater

https://www.reddit.com/r/Windows10/comments/8jgrgr/guide_how_to_make_windows_10_less_intrusive_and/

GPOs to add

Computer Configuration\Administrative Templates\Windows Components\Search
  • Allow Cortana: Disabled
  • Prevent automatically adding shared folders to the Windows Search index: Disabled
  • Don't search the web or display web results in search: Enabled
  • Allow Cloud Search: Disabled
  • Allow indexing of encrypted files: Disabled
  • Prevent clients from querying the index remotely: Enabled
  • Do not allow locations on removable drives to be added to libraries: Enabled
  • Prevent automatically adding shared folders to the Windows Search index: Enabled
  • Prevent indexing files in offline files cache: Enabled
  • Prevent indexing public folders: Enabled
  • Stop indexing in the event of limited hard drive space: Enabled
  • Do not allow web search: Enabled

Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization
  • Download Mode: LAN

Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds
  • Toggle user control over Insider builds: Disabled
  • Allow Telemetry: 0 – Off
  • Disable pre-release features or settings: Disabled

Computer Configuration\Administrative Templates\Windows Components\App Privacy
  • Let Windows apps communicate with unpaired devices: Disabled

Computer Configuration\Policies\Admin Templates\Windows Components\Application Compatibility
  • Turn off Application Telemetry: Enabled
  • Turn off Inventory Collector: Enabled

Computer Configuration\Policies\Admin Templates\Windows Components\Endpoint Protection\MAPS
  • Join Microsoft MAPS: Disabled

Computer Configuration\Administrative Templates\System\OS Policies
  • Allow publishing of User Activities: Disabled
  • Enables Activity Feed: Disabled

Computer Configuration\Administrative Templates\Windows Components\OneDrive
  • Prevent the usage of OneDrive for file storage: Enabled
  • Prevent the usage of OneDrive for file storage on Windows 8.1: Enabled
  • Prevent OneDrive files from syncing over metered connections: Enabled
  • Save documents to OneDrive by default: Disabled

Computer Configuration\Administrative Templates\Windows Components\Cloud Content
  • Turn off Microsoft consumer experiences: Enabled
  • Do not suggest third-party content in Windows spotlight: Enabled
  • Turn off the Windows Spotlight on Action Center: Enabled
  • Do not use diagnostic data for tailored experiences: Enabled
  • Turn off the Windows Welcome Experience: Enabled

Local Computer Policy\User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications
  • Turn off tile notifications: Enabled
  • Turn off toast notifications on the lock screen: Enabled
  • Turn off notification mirroring: Enabled
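A way to check a machine actually received these settings, as an added example that is not part of the original post: it reads the registry values under HKLM\SOFTWARE\Policies that the corresponding ADMX settings write and reports any that are missing or differ. The setting-to-value mapping covers a subset of the list above and is taken from the ADMX templates as I know them; confirm it against the templates in your Central Store before treating a "Compliant" result as authoritative.

```powershell
# Added example, not from the original post. Run on a Windows 10 client after gpupdate.
$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft'

# GPMC setting name, subkey under $policyBase, value name, expected data.
# Mapping taken from the ADMX templates; verify against your Central Store.
$expected = @(
    @{ Setting = 'Allow Cortana';                                  Key = 'Windows\Windows Search';       Name = 'AllowCortana';                   Value = 0 },
    @{ Setting = "Don't search the web or display web results";   Key = 'Windows\Windows Search';       Name = 'DisableWebSearch';               Value = 1 },
    @{ Setting = 'Allow Cloud Search';                             Key = 'Windows\Windows Search';       Name = 'AllowCloudSearch';               Value = 0 },
    @{ Setting = 'Allow Telemetry (0 - Off)';                      Key = 'Windows\DataCollection';       Name = 'AllowTelemetry';                 Value = 0 },
    @{ Setting = 'Download Mode (LAN)';                            Key = 'Windows\DeliveryOptimization'; Name = 'DODownloadMode';                 Value = 1 },
    @{ Setting = 'Turn off Application Telemetry';                 Key = 'Windows\AppCompat';            Name = 'AITEnable';                      Value = 0 },
    @{ Setting = 'Turn off Inventory Collector';                   Key = 'Windows\AppCompat';            Name = 'DisableInventory';               Value = 1 },
    @{ Setting = 'Join Microsoft MAPS';                            Key = 'Windows Defender\Spynet';      Name = 'SpynetReporting';                Value = 0 },
    @{ Setting = 'Allow publishing of User Activities';            Key = 'Windows\System';               Name = 'PublishUserActivities';          Value = 0 },
    @{ Setting = 'Enables Activity Feed';                          Key = 'Windows\System';               Name = 'EnableActivityFeed';             Value = 0 },
    @{ Setting = 'Prevent the usage of OneDrive for file storage'; Key = 'Windows\OneDrive';             Name = 'DisableFileSyncNGSC';            Value = 1 },
    @{ Setting = 'Turn off Microsoft consumer experiences';        Key = 'Windows\CloudContent';         Name = 'DisableWindowsConsumerFeatures'; Value = 1 }
)

function Test-DebloatPolicy {
    # Returns one object per setting with the value found and a Compliant flag.
    param([hashtable[]]$Expected = $expected)
    foreach ($e in $Expected) {
        $path   = Join-Path $policyBase $e.Key
        $actual = $null
        if (Test-Path $path) {
            # Missing value names return $null rather than throwing.
            $actual = (Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        [pscustomobject]@{
            Setting   = $e.Setting
            Path      = "$path\$($e.Name)"
            Expected  = $e.Value
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $e.Value)
        }
    }
}

# Show only the drift; an empty table means every mapped setting applied.
Test-DebloatPolicy | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A value reported as <not set> usually means the GPO is not linked to the machine's OU or has not refreshed yet, while a wrong value points at a conflicting GPO with higher precedence; gpresult /h will show which one won.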

Set Explorer to open This PC (My Computer) rather than Quick Access

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: LaunchTo
Value type: REG_DWORD
Value data: 1 = This PC, 2 = Quick access


If your Windows 10 machines get their updates from WSUS, you might get error 0x800F081F while installing .NET Framework 3.5 on Windows 10. This is most likely because Windows 10 cannot find the feature files in your Windows Update location (WSUS).

Approve these updates:

Then synchronise the WSUS server and try again.


Trying to import a Citrix StoreFront configuration produces the following error:

Import-STFConfiguration : An error occurred configuring StoreFront diagnostics. Method invocation failed because
[System.Collections.Hashtable+ValueCollection] does not contain a method named ‘Contains’.
At line:1 char:1
+ Import-STFConfiguration -configurationZip “c:\Temp\backup.zip” -HostB …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-STFConfiguration], Exception
+ FullyQualifiedErrorId : System.Management.Automation.CmdletInvocationException,Citrix.StoreFront.ImportConfiguration

You need to wipe your StoreFront configuration using the commands below:


PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> . .\ImportModules.ps1
PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Clear-DSConfiguration

Then retry the import.

I then got the next error:

Import-STFConfiguration : An error occurred configuring StoreFront diagnostics. The running command stopped because
the preference variable “ErrorActionPreference” or common parameter is set to Stop: Cannot remove item C:\Program
Files\Citrix\Receiver StoreFront\Receiver Clients\Mac\CitrixReceiver.dmg: You do not have sufficient access rights to
perform this operation.
At line:1 char:1
+ Import-STFConfiguration -configurationZip “c:\Temp\backup.zip” -HostB …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-STFConfiguration], Exception
+ FullyQualifiedErrorId : System.Management.Automation.ActionPreferenceStopException,Citrix.StoreFront.ImportConfiguration

Deleting

C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Mac

and

C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Windows

fixed this.


When restoring a domain controller into a new or isolated network, for example a DR environment, the domain controller loses contact with the other domain controllers it expects to replicate with. You may find that the DNS Server and/or Active Directory Domain Services services will not start.

To force the server to start without waiting for the others, add the registry value below and reboot the server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name: Repl Perform Initial Synchronizations
Value type:  REG_DWORD
Value data: 0

You should then go into Active Directory Sites and Services and remove the old domain controllers, and also go into the DNS server and remove any references to them in the Name Servers tab of the zones

_msdcs.domain.local

domain.local
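The registry change plus a report of what still needs cleaning up, as an added example that is not part of the original post: it sets the NTDS value above, then (once AD DS is back up) lists domain controller objects other than the restored one and NS records at the apex of domain.local and _msdcs.domain.local that point at hosts other than it. It only reports; removing the stale DC objects and NS records is left to you. domain.local is the placeholder from the post, and the script assumes the restored DC is the machine it runs on and that the ActiveDirectory and DnsServer modules are present.

```powershell
# Added example, not from the original post. Run elevated on the restored DC.
# Assumed placeholder domain name, as in the post.
$domainName = 'domain.local'

# 1. Let AD DS start without waiting for initial replication from partners.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
New-ItemProperty -Path $ntdsKey -Name 'Repl Perform Initial Synchronizations' `
    -PropertyType DWord -Value 0 -Force | Out-Null
# Reboot here; the rest is meant for after AD DS and DNS are running again.

# 2. What AD still believes about the environment versus what is actually live.
$knownDcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$liveDcs  = @("$env:COMPUTERNAME.$domainName")

function Get-StaleDcReference {
    # Returns one object per stale reference found in Sites and Services or DNS.
    param(
        [string[]]$KnownDcs = $knownDcs,
        [string[]]$LiveDcs  = $liveDcs,
        [string]$Domain     = $domainName
    )
    # Sites and Services: every DC object that is not the restored one.
    foreach ($dc in ($KnownDcs | Where-Object { $LiveDcs -notcontains $_ })) {
        [pscustomobject]@{ Source = 'SitesAndServices'; Zone = ''; Record = $dc }
    }
    # DNS: NS records at the apex ('@') of both zones naming hosts that are not live.
    foreach ($zone in @($Domain, "_msdcs.$Domain")) {
        Get-DnsServerResourceRecord -ZoneName $zone -Name '@' -RRType NS -ErrorAction SilentlyContinue |
            ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') } |
            Where-Object { $LiveDcs -notcontains $_ } |
            ForEach-Object { [pscustomobject]@{ Source = 'DNS-NS'; Zone = $zone; Record = $_ } }
    }
}

Get-StaleDcReference | Format-Table -AutoSize
```

Once the isolated copy is healthy, consider setting Repl Perform Initial Synchronizations back to 1 (or removing the value); leaving it at 0 permanently lets a DC advertise itself before it has caught up with its partners.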


Recently a user was trying to use the Edit functionality of a SharePoint Online list in Classic View with over 5000 items. When they tried to change the view in order to make the edit, they got the error shown above: Cannot show the value of the filter.

To fix this:

  1. Create a new view and set the sort of this view to the user's sort.
  2. Filter the view so it returns only a selection of the items (not all 5000+).

Recently I was trying to Sysprep a machine ready for imaging; however, I got the error below.

The app was: cannot remove 46928bounde.EclipseManager_2.1.0.21_neutral__a5h4egax66k6y because user does not have it installed

I removed all the user profiles on this PC, which fixed the issue.

I then had this issue on another computer, specifically with Facebook_Facebook. Clearing the profile did not fix it. I had to run the commands below to reset the AppRepository database on the machine.

Stop-Service -Name "StateRepository" -Force
takeown /F C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd
takeown /F C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd
Rename-Item C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Deployment_corrupted.srd -Force
Rename-Item C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine_corrupted.srd -Force
Start-Service -Name "StateRepository"

outlook-security-popup

You will need to run the steps below as Administrator. If the user doesn't have local admin, you will need to make them one temporarily and remove it afterwards:

  • Right-click on the Outlook shortcut holding the SHIFT key and choose Run as administrator
  • Go to File > Options > Trust Center > Programmatic Access
  • Set the programmatic access to Never warn me about suspicious activity (not recommended)

outlook-programmatic-access

IMPORTANT NOTE: If these options are greyed out, it usually means that you didn't run Outlook with administrative rights.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Outlook\Security
DWORD: ObjectModelGuard
Value: 2

Alternatively, you can achieve the same result by editing the registry as follows:

  • Navigate through   (create the key if it doesn’t exist)
  • Add the following DWORD items:
    •  , with a value of 1.
    •  , with a value of 3.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
  • Navigate through   (create the key if it doesn’t exist)
  • Add the following DWORD items:
    •  , with a value of 1.
    •  , with a value of 3.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.
    •  , with a value of 2.

With an account that has Full Access to the shared mailbox, log in to webmail and choose "Open Another Mailbox".

Enter the shared mailbox and click OK.

Next, click on the Settings icon and choose "Publish Calendar".

Next, change the details below:

Finally, send the external party the HTML or ICS link.
