HOWTO: Add a Local User to Windows 10 Using Group Policy (Add it To Local Administrators Group)

Since there are some outdated information about this topic, I’m going to give the steps necessary to create a local user to a Windows 10 machine using AD Group Policy, and then add this user to the local Administrator group.

First, create a new policy using Group Policy Management Editor and follow this screenshot:

Next, click on New and select Local User. In the Action field, select Update. For the other fields, select the options you need.

Click OK button and that’s basically how it’s done.

Next, I’m going to assign this user to the local Administrator group. I will be using the same group policy to achieve this.

Right-click on Restricted Groups and then click on Add Group…

Next, you’re going to type the username we created in the previous step.

I always find this misleading, but just make sure you local username account we created previously

Click OK to go to the next crucial step. You’re going to a work with This group is a member of section and click Add button

Next, type Administrators and click OK

The properties should look like the following screenshot

That’s all there is to it.

PowerShell: Remove Google Chrome (any version)

The following PowerShell script will allow you to remove any installed version of Google Chrome.

Function UninstallChrome() {
    $app = get-wmiobject Win32_Product | Where-Object {$_.Name -eq "Google Chrome"}
    $removeChrome = $app.IdentifyingNumber msiexec /x
    $removeChrome /q
 }
 
# If chrome is running then close the process and uninstall it
 If (Get-Process chrome -ErrorAction SilentlyContinue) {
    # Chrome is running
    # Stop chrome process
    Stop-Process -Name chrome -Force

    # Now uninstall chrome
    UninstallChrome
 } Else {
     # Chrome is not running…
     # Uninstall chrome
     UninstallChrome
 } 

PowerShell: Create a Repetitive Scheduled Task for Shadow Copy

The following article describes how to create a scheduled task that creates Shadow Copies in Windows 10. The scheduled task will run daily and at 8:00AM and every 4 hours for a total of 8 hours.

Here are is the PowerShell code that does it:

# Create a scheduled task
$taskAction = New-ScheduledTaskAction -Execute "wmic.exe" -Argument "shadowcopy call create Volume=C:\"
 
# Set how many times the task runs daily and its frequencey
$taskTrigger = New-ScheduledTaskTrigger -Daily -At 8am
$taskTrigger.Repetition = $(New-ScheduledTaskTrigger -Once -At "08:00" -RepetitionDuration "8:00" -RepetitionInterval "04:00").Repetition
 
# Task owner is SYSTEM account and task runs wether user is logged on or not
$taskPrincipal = New-ScheduledTaskPrincipal -UserID "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
 
# Task settings to wake device, to run hidden and to allow to run on battery
$taskSettings = New-ScheduledTaskSettingsSet -WakeToRun -Hidden -AllowStartIfOnBatteries
 
# Setup scheduled task object
$scheduledTask = New-ScheduledTask -Principal $taskPrincipal -Action $taskAction -Trigger $taskTrigger -Settings $taskSettings
 
# Register scheduled task based on setup information gathered from $scheduledTask variable
Register-ScheduledTask "Daily Shadow Copy" -InputObject $scheduledTask

Next the screenshots of the result when the code is executed.

Task general properties. Note that it runs with the SYSTEM account.

We use WMIC to create a volume shadow copy for C:\

Here’s the trigger/schedule information for the task

SCCM Task Sequence Remove Video Drivers

During my project to upgrade all our Windows 7 Enterprise SP1 (64bit) devices to Windows 10 Enterprise 1809 (64bit), I ran into a compatibility issue during the task sequence. Windows 7 video drivers were detected as incompatible during the in-place upgrade to Windows 10, so I had to find a way to remove the drivers during the SCCM task sequence.

This is the batch file code I used to disable, then remove video drivers from the task sequence.

@ECHO OFF

REM Driver is disabled
devcon disable =display

REM Driver is removed here
devcon remove =display

REM reg add command replaces whatever value is in the SearchOrderConfig with the appropriate value to tell the system NOT to go to windows update for driver updates
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching /t REG_DWORD /v SearchOrderConfig /d 0x0 /f

REM Driver package is removed here
FOR /F “tokens=4 delims= ” %%A IN (‘devcon driverfiles ^=display ^| FINDSTR “Driver installed from”‘) DO devcon.exe dp_delete -f %%A

EXIT 0

The following shows where in the task sequence I add the video driver removal step. Also, note that I have a step to copy devcon.exe utility which is not on Windows 7 by default.

I’ve extensively tested this on my DELL devices and it works perfectly.

SCCM Task Sequence Error Code 0x80004005

While attempting to perform an in-place upgrade from Windows 7 Enterprise to Windows 10 Enterprise I came across Error Code 0x80004005.

Looking at C:\WINDOWS\CCM\Logs\smsts.log gave me the clues on the error message.

There are many posts on how to fix this particular error message; it seems that this error code is pretty generic and it shows up on several instances in many SCCM operations – this document particularly deals with a task sequence for an in-place operating system upgrade.

Since this was an in-place Windows upgrade, I needed to find out more detailed information and I was able to get it from C:\$WINDOWS-BT\Sources\Panther this folder contains a list of .XML files that collect compatibility data that is collected during the upgrade process.

I opened the last XML file and this gave me the actual clue as to what was failing during the upgrade process – video drivers were the culprit!

Now I know what’s going on during the task sequence and I can attempt to fix this issue.

I’ll blog about how to fix this issue in a new post, stay tuned!

Uninstalling Applications in SCCM not Working

I had quite the experience when several of my applications refused to uninstall. I spent several days troubleshooting this issue and going through logs to the point that I ended up opening a case with Microsoft.

It appears that if any of application that you’re trying to uninstall has an installation deployment job set to ‘available’ or ‘required’ – no uninstall task will work. You have to delete all your installation deployment jobs as it appears that installation jobs have a higher precedence.

Here are some notes from Microsoft.

Here are the details.

The uninstall deployment wasn’t get enforced as per the logs. Here is what we see in the logs.

CIAgentJob({FFF396C4-40D1-481D-AC35-196D80F45D90}): EnforceCIs CIAgent 12/14/2018 11:18:42 AM 2972 (0x0B9C)

Initiating Enforce tasks. CIAgent 12/14/2018 11:18:42 AM 2972 (0x0B9C)

Skipping non compliant policy CI ScopeId_935E5529-E59C-4F44-9332-DBAF15F5C166/ProhibitedApplication_d0830875-5b6a-422b-bfee-142777b8361e:3.         CIAgent 12/14/2018 11:18:42 AM 2972 (0x0B9C)

No mandatory Enforce tasks. No actions will be performed. CIAgent 12/14/2018 11:18:42 AM  2972 (0x0B9C)

• I could reproduce the same thing in my lab as well. So it seems like since we have an Install deployment active, the uninstall required deployment didn’t get triggered.
• Performed some testing by removing the active “available” installdeployment from the machine. Now as suspected it triggered the required uninstall deployment and the app got removed.
• Did some code review and internal checks
• I could confirm that the install deployment always wins. I.e. even there is an uninstall deployment (required) the install action always WIN.

 

DELL OptiPlex 7060 & SCCM OS Deployment

Recently we started buying DELL OptiPlex 7060 desktops and I ran into a situation where WinPE wouldn’t work properly as there was no IP address assignment and no C drive showing in the environment.

Fixing the missing NIC hardware was easy enough; however, the environment was still lacking a hard drive. These 7060 models come with SATA SSD drives and an Intel Rapid Storage Technology F6 controller.

Installing Intel drivers or DELL drivers didn’t work.

After many hours of trying different things, here’s the solution I found. In the BIOS, change the storage settings from RAID ON (DELL’s default setting) to AHCI…just that simple.

There are many interesting documents comparing AHCI and Raid On, I suggest you read them, but AHCI is newer technology and we decided to stick with this setting on our desktop devices.

Conflicting VIB: Upgrading to ESXi 6.5

While attemtping to upgrade from ESXi 6.0 to 6.5, I received the following message from Upgrade Manager:

The upgrade contains the following set of conflicting VIBs: VMware_bootbank_ehci-ehci-hcd_1.0-4vmw.600.3.69.5572656 Remove the conflicting VIBs or use Image Builder to create a custom upgrade ISO image that contains the newer versions of the conflicting VIBs, and try to upgrade again.

After researching this message and not finding an answer that could fix it, I called Vmware support and this is what they suggested.

My server hardware: DELL PowerEdge R330

1. Support asked me to download 6.5 upgrade, the zip file though. ESXi 6.5 zip file for DELL PowerEdge R330 can be found here. Click on the Vmware ESXi 6.5 U2 section and then click on the ‘Other formats’ link do download the .zip file.
2. Next, upload this file to the host you’re trying to upgrade.
3. Log on to the host as root and type the following command
   1. esxcli software vib install -d “/vmfs/volumes/Datastore/DirectoryName/PatchName.zip”
4. Reboot your host

 

The actual Vmware KB can be found here.

 

 

 

 

 

Disable Instant Message History for Cisco Jabber

The following steps will allow you to disable IM history for Cisco Jabber. These steps have been confirmed on Jabber 11.x.x.

Modify Jabber Configuration File

1. Jabber configuration file is called: jabber-config-defaults.xml
2. File is located at: C:\Program Files (x86)\Cisco Systems\Cisco Jabber
3. The following settings were added to the end of the file:

<!– My Customization Section –>

<userConfig name=”Disable_IM_History” value=”TRUE”/>

<userConfig name=”EnableSaveChatToFile” value=”FALSE”/>

<userConfig name=”EnableAutosave” value=”FALSE”/>

Disable_IM_History Disables instant message history. When IM window is closed all history is removed

EnableSaveChatToFile If set to FALSE, will not allowed chat to be saved to a file

EnableAutosave Specifies whether users can save instant messages automatically each time they close a conversation

4. Close Jabber and re-open it

Note: Detailed information can be found here

How to Share a Folder in Outlook 2013

I was asked to share an Outlook 2013 folder for a user and I ran into a scenario…most imformation out there targets older versions of Outlook and Exchange. We run Exchange 2016 and Outlook 2013 (latest version), so most of the information out there didn’t work for me, so I decided to document how I was able to achieve sharing folders in Outlook 2013.

For this excersice we’re going to share a folder named: Test Folder

From the mailbox we want to share Outlook folders

1. Right-click on the user’s mailbox name and select Folder Permissions
2. Next, click on Permissions tab and Add the user you’re going to allow to access, or share, the folder(s)
3. View the screenshot for the permissions settings
4. Next, right click on the Inbox folder and click on Properties
5. Click on Permissions tab and you’re going to add the same user you added at the mailbox permissions level (step 3)
6. View the screenshot for the permissions settings
7. Next, you’re going to right click on the folder you want to share and click on Properties
8. Click on Permissions tab and you’re going to add the same user again
9. Permissions here are set based on your requirements
10. View the screenshot for the permissions settings
11. That’s all that needs to be done
12. The next and final step is to go to the Outlook client of the user that needs access to the folder and add the mailbox

 

These steps worked for me, none of the other information out there worked.