On a new deployment of Citrix , the Print Spooler would crash and then stop. This means you cannot remove any errored drivers. You will need to reset the Print Spooler manually in the registry

Stage 1

  1. Go into the registry by typing REGEDIT into the run dialog box
  2. Export
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print Key as a backup
  3. Navigate to the following keys:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environment\Windows NT x86  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64
  4. In these keys, there should be two subkeys
    Drivers ( Version 3 and Version 4 )
    Print Processors
  5. Delete Any Physical Printer Drivers you have added ( easier to re-add these then reinstalling Doc Converters )
  6. Try Starting Print Spooler to see if this fixes it

Stage 2

  1. In Explorer, rename everything in this folder
    and c:\windows\system32\spool\drivers\x64
  2. Try Starting Print Spooler to see if this fixes it

Stage 3

  1. Navigate to the following key:
  2. In this key, there should be 7 subkeys
    BJ Language Monitor
    Local Port
    Microsoft Document Imaging Writer Monitor
    Microsoft Shared Fax Monitor
    Standard TCP/IP Port
    USB Monitor
    WSD Port
  3. If there are any extra keys, export them and delete them.
  4. Try Starting Print Spooler to see if this fixes it

There is also an application that can help you with this https://github.com/jdickson289/Print-Reset-Tool/

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently I needed to help a customer move their domain to Office 365 and to do this we needed full access to the Domain. A whois for the domain showed the below:

Registrar WHOIS Server: whois.auda.org.au
Registrar URL: 
Last Modified: 2019-01-06T11:00:10Z 
Registrar Name: Netregistry Pty Ltd 
Registrar Abuse Contact Email: 
Registrar Abuse Contact Phone: 
Reseller Name: 
Status: ok https://afilias.com.au/get-au/whois-status-codes#ok
Registrant Contact ID: SECO1386 
Registrant Contact Name: Corporate Services 
Registrant Contact Email: corporateservices@reckon.com.au
Tech Contact ID: C0573762-AR 
Tech Contact Name: Dominic Main 
Tech Contact Email: dmain@netregistry.com.au

The domain was purchased when setting up the company with the accountant reckon.com.au so it was in their Netregistry account. Netregistry don’t let Resellers access domains , so we had to contact Reckon.com.au via Telelphone and after verifying our identity they send through an EPP code for the domain which we could transfer in to another provider

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

DFSR Event ID 4004

Tried several solutions to resolve event ID 4004 before finding one that worked: https://community.spiceworks.com/topic/569594-dfsr-tombstoned-folder-s. The issue can arise when you remove/delete a server from a replication group or delete the replication group itself and re-create it with the same name or same target and/or destination folders, which is what I did as a result of the datastore corruption

Apart from event logs, you can run this command in PowerShell to check DFSR status. You want to see 4s.

Get-WmiObject -Namespace “root\MicrosoftDFS” -Class DfsrReplicatedFolderInfo | Select-Object ReplicatedFolderName,ReplicationGroupName,state

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Installation Files for the Client

Terminal Client Plug In for BigHand.msi

Terminal Client Plug In for BigHand (64-bit RDP).msi

Installation on the Terminal Server

Terminal Server Add Ons for BigHand Client.msi

On the 2012 R2 Remote Desktop Server you will need to do the following GPO steps:

  1. Click Start > Run and type in gpedit.msc
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client
  3. Select the ‘Turn Off UDP On Client’ option and set this to Enabled.
  4. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
  5. Select the ‘Select RDP transport protocol’ and set this to Enabled.
  6. Then in the drop down select ‘Use only TCP’
  7. Restart the server
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

There is no information for this WQL Query

Turns out you need a VBS script to run to populate this, without the Professional License you will need to get this to run another way

Enter GPO!

Save the Below script to a location that all users have access to e.g. \\domain.local\NETLOGON\Scripts


Create a new GPO and Apply it to the Workstations OU

Create the Below File Copy in the GPO

Source file \\domain.local\NETLOGON\Scripts\AVStatus.vbs

Destination file C:\Windows\AVStatus.vbs

Add Startup Script to the GPO

Create AVStatus.bat with the below and add this to startup

cscript AVStatus.vbs WRITE

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently got a new Konica C658 installed with a Punch and Stapler Unit , however you have to add these manually for the options to show up under Finish options

If you go to properties of the Printer , then choose Configure, you can then add the Finisher and Punch Unit Model per beow

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently I was trying to add a Windows Feature into a Windows.wim file. 

After mounting the Wim I ran the below on a server 2012 machine

Dism /Image:”c:\temp” /Enable-Feature /FeatureName:NetFx3 /all

However I got 

Error 87 : “enable-feature is unknown”

I had to run the Dism /Image:”c:\temp” /Enable-Feature /FeatureName:NetFx3 /all command on a Windows 10 Box

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Meraki’s Advice to enable AD authentication for VPN is to create the Service account as …. Domain Administrator


This is big security no no ( Incase the account gets compromised then the whole domain gets compromised ) 

You can set this account as Domain User which will give the access

  • Query the user database via LDAP
  • Query group membership via LDAP

You can then assign the WMI permissions for : Query the domain controller via WMI 

by doing the below on the domain controller 

To set the WMI user access permissions

  1. Select Start > Run.
  2. On the Run dialog, type wmimgmt.msc in the Open field.
  3. Click OK to display the Windows Management Infrastructure (WMI) Control Panel.
  4. In the left pane of the WMI Control Panel, highlight the WMI Control (local) entry, right-click, and select the Properties menu option. This displays the WMI Control (Local) Properties dialog box.
  5. Select the Security tab in the WMI Control (Local) Properties dialog box.
  6. In the namespace tree within the Security tab, expand the Root folder. This action lists the available WMI name spaces.
  7. Click the CIMV2 namespace to highlight it.
  8. Click Security to display the Security for ROOT\CIMV2 dialog box.
  9. Click Add in the Security for ROOT\CIMV2 dialog box to display the Select Users or Groups dialog box.
  10. Add the domain user account that will be used as your proxy data collection user account. This should be a domain account (not a local computer account), but it does not need to be an account with administrative access.
  11. Click OK to close the Select Users or Groups dialog box and return to the Security for ROOT\CIMV2 dialog box. The user account you selected should now be listed in the Name list at the top of the dialog box.
  12. Select the newly added user (if it is not already selected) and enable the following permissions:
    • Enable Account
    • Remote Enable
      Enable the permissions by clicking the Allow box, if it is not already checked for that permission. The Enable Account permission should already be selected, but the Remote Enable permission will need to be selected.
  13. Click OK to close the Security for ROOT\CIMV2 dialog box.
    The permissions should now be properly set for the proxy data collection user account.
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Trying to authenticate a user with their AD credentials and the error displayed

The remote connection was denied because of the username and password combination

In the Event Log on the Meraki 


Also saw these errors

msg: invalid DH group 19.
 msg: invalid DH group 20.

msg: failed to begin ipsec sa negotiation.

You need a TLS Certificate on the Domain Controller and Radius server for Communication , run the below powershell 

New-SelfSignedCertificate -DnsName domaincontroller.domain.local -CertStoreLocation cert:\LocalMachine\My

This will create a cert for you in Personal / Certificates for the Local Computer

You will need to use the MMC to copy this to the Trusted Root Certification Authorities


I also has issues with Radius with the error : msg: failed to begin ipsec sa negotiation.

After following these settings : https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

In the end I had to Clear out the Conditions in the network polices ( Specifically the Calling Station ID ) and re-add

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)
Debloat Scripts
GPO’s to add


Computer Configuration\Administrative Templates\Windows Components\Search
Allow CortanaDisabled
Prevent automatically adding shared folders to the Windows Search indexDisabled
Don’t search the web or display web results in searchEnabled
Allow Cloud SearchDisabled
Allow indexing of encrypted filesDisabled
Prevent clients from querying the index remotelyEnabled
Do not allow locations on removable drives to be added to librariesEnabled
Prevent automatically adding shared folders to the Windows Search indexEnabled
Prevent indexing files in offline files cacheEnabled
Prevent indexing public foldersEnabled
Stop indexing in the event of limited hard drive spaceEnabled
Do not allow web searchEnabled
Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization
Download ModeLAN
Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds
Toggle user control over Insider buildsDisabled
Allow Telemetry0 – Off
Disable pre-release features or settingsDisabled
Computer Configuration\Administrative Templates\Windows Components\App Privacy
Let Windows apps communicate with unpaired devicesDisabled
Computer Configuration\Policies\Admin Templates\Windows Components\Application Compatibility
Turn off Application Telemetry Enabled
Turn off Inventory Collector Enabled
Computer Configuration\Policies\Admin Templates\Windows Components\Endpoint Protection\MAPS
Join Microsoft MAPS Disabled
Computer Configuration\Administrative Templates\System\OS Policies 
Allow publishing of User ActivitiesDisabled
Enables Activity FeedDisabled
Computer Configuration\Administrative Templates\Windows Components\OneDrive\
Prevent the usage of OneDrive for file storageEnabled
Prevent the usage of OneDrive for file storage on Windows 8.1Enabled
Prevent OneDrive files from syncing over metered connectionsEnabled
Save documents to OneDrive by defaultDisabled
Computer Configuration\Administrative Templates\Windows Components\Cloud Content
Turn off Microsoft consumer experiencesEnabled
Do not suggest third-party content in Windows spotlightEnabled
Turn off the Windows Spotlight on Action CenterEnabled
Do not use diagnostic data for tailored experiencesEnabled
Turn off the Windows Welcome ExperienceEnabled
Local Computer Policy\User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications
Turn off tile notificationsEnabled
Turn off toast notifications on the lock screenEnabled
Turn off notification mirroringEnabled


Set Explorer to My Computer not Quick Access


LaunchTo DWORD

1 = This PC 2 = Quick access

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)