GP Pref Drive Maps not working at logon

Had an annoying issue on Windows 8.1 clients where I’d configured several of the GPPref Drive Maps preferences but these were not working when users logged on. They would however work if I ran a gpupdate /target:user after the desktop had appeared.

I looked in the Application event log and found the following:

Log Name:      Application
Source:        Group Policy Drive Maps
Event ID:      4101
Task Category: (2)
Level:         Information
Keywords:      Classic
User:          SYSTEM
Description:
The user 'S:' preference item in the ' ' Group Policy Object was successfully removed.

which was interesting, the GPO name wasn’t being referenced properly, and why was it being removed anyway? The prefs were all set to “replace”. So then I turned on GP Pref logging, and had a look in the user.log file:

2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] Starting class  - S:.
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] Adding child elements to RSOP.
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] Beginning drive mapping.
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] Set user security context.
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] User does not have a split token.
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] Drive doesn't exist (full token).
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] Set system security context.
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] Properties handled.
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] Handle Children.
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] EVENT : The user 'S:' preference item in the ' ' Group Policy Object was successfully removed.
2014-06-02 11:18:15.315 [pid=0xb40,tid=0xe20] Completed class  - S:.

Which didn’t really help.
Then I read this, which mentions the policy setting:

Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

I’d come across that setting before but discounted it because the description text says:

If a user with a roaming profile, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the network to be initialized.

And as I am utilising all three of roaming profiles, home directories and user object logon scripts I had no reason to think that the policy setting would make any difference. But I thought I’d try enabling it anyway, and it seems to have done the job. Drives now do map correctly at logon.


RDSH 2012 R2: Shadow Users without Connection Broker admin rights

It seems as though the only way to use the PowerShell Get-RDUserSession cmdlet against the Connection Broker is if the user running the command is a member of the Administrators group on the Connection Broker server. This might be undesirable…!

This is a workaround that allows you to get a list of active sessions from your Remote Desktop deployment without granting users admin rights on the Connection Broker(s).

Note that you still have to give them administrator rights on the RDSH servers to allow the Remote Desktop Client shadowing process to work (which might also be undesirable!). EDIT: Or perhaps not… Not tried this myself though.

I’m running my Connection Broker in high availability mode, which means I have a shared SQL database, and it is this SQL database that I’m using at the root of my workaround.

We’re going to create a SQL View to pull together the session and host information from the database, then use this to launch a basic GUI to fire off the RDP client in shadowing mode. You need to have created a group, probably in Active Directory, to add the shadowing users to – this is used to grant limited permissions to the Connection Broker SQL database. A potential benefit of this is that you don’t need to have the Windows Remote Server Admin Tools installed on your helpdesk PCs (which you would need in order to use Get-RDUserSession).

Modify and then run the following SQL against your connection broker SQL server (maybe backup your connection broker database first in case you mess up!):

USE [master]
GO
CREATE LOGIN [RCMTECH\Shadow Users 2012] FROM WINDOWS WITH DEFAULT_DATABASE=[CBR2012]
GO
USE [CBR2012]
GO
CREATE USER [RCMTECH\Shadow Users 2012] FOR LOGIN [RCMTECH\Shadow Users 2012]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE VIEW [dbo].[Shadowing]
AS
SELECT Session.UserName, Pool.DisplayName AS PoolName, Target.Name AS ServerName, Session.SessionId
FROM rds.Session AS Session
INNER JOIN rds.Target AS Target ON Target.Id = Session.TargetId
INNER JOIN rds.Pool AS Pool ON Target.PoolId = Pool.Id
WHERE (Session.State = 0)
GO
GRANT SELECT ON [dbo].[Shadowing] TO [RCMTECH\Shadow Users 2012]
GO

and now here’s the PowerShell that the shadowing users run to pull that data and present it via the Out-GridView GUI:

$CBSQLServer = "SQL05.rcmtech.co.uk"
$CBDB = "CBR2012"
# Open connection to Connection Broker DB
$CBDBConnection = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList "Server=$CBSQLServer;Database=$CBDB;Integrated Security=SSPI"
$CBDBConnection.Open()
# Get Shadowing View
$SQLCommand = $CBDBConnection.CreateCommand()
$SQLCommand.CommandText = ("SELECT * FROM Shadowing")
$SQLReader = $SQLCommand.ExecuteReader()
$ShadowingView = New-Object System.Data.DataTable
$ShadowingView.Load($SQLReader)
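$SQLReader.Close()
# Release the database connection now; it is not needed while the grid or mstsc is open
$CBDBConnection.Close()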
$Session = $ShadowingView | Out-GridView -Title "Remote Desktop Shadowing - Active Sessions" -OutputMode Single
if($Session -eq $null){
    # No session selected, user probably clicked Cancel
    return
}
mstsc /v:($Session.ServerName) /shadow:($Session.SessionId) /control | Out-Null

Just pick a session and click OK to launch mstsc with the correct command line switches – /v:<servername> /shadow:<sessionid> /control
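To confirm that the shadowing group's database-level rights stayed as narrow as the SQL above intends, the following added example (not from the original post) lists what the group holds in the Connection Broker database and flags anything beyond CONNECT and SELECT on the view. It assumes it is run by an account that can read database metadata; the helper name Invoke-CBQuery is made up for this example.

```powershell
# Added example, not from the original post. Run it as an account that can read
# database metadata (for example a db_owner), not as a member of the shadowing group.
$CBSQLServer = "SQL05.rcmtech.co.uk"   # names as used in the post above
$CBDB        = "CBR2012"
$Principal   = "RCMTECH\Shadow Users 2012"
# Expected footprint: CONNECT (added by CREATE USER) and SELECT on the view only.
$Expected = "GRANT CONNECT DATABASE", "GRANT SELECT dbo.Shadowing"

$PermSql = @'
SELECT pe.state_desc, pe.permission_name, pe.class_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) AS SchemaName, OBJECT_NAME(pe.major_id) AS ObjectName
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = @Principal
'@
$RoleSql = @'
SELECT r.name AS RoleName
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @Principal
'@

function Invoke-CBQuery {   # hypothetical helper: run one parameterised query, emit its rows
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Sql, [string]$Principal)
    $Command = $Connection.CreateCommand()
    $Command.CommandText = $Sql
    [void]$Command.Parameters.AddWithValue("@Principal", $Principal)
    $Table = New-Object System.Data.DataTable
    $Reader = $Command.ExecuteReader()
    $Table.Load($Reader)
    $Reader.Close()
    $Table.Rows
}

$Connection = New-Object System.Data.SqlClient.SqlConnection "Server=$CBSQLServer;Database=$CBDB;Integrated Security=SSPI"
$Connection.Open()
try {
    $Found = @(Invoke-CBQuery $Connection $PermSql $Principal | ForEach-Object {
        $Target = if ($_.class_desc -eq "OBJECT_OR_COLUMN") { "$($_.SchemaName).$($_.ObjectName)" } else { $_.class_desc }
        "$($_.state_desc) $($_.permission_name) $Target"
    })
    $Found += @(Invoke-CBQuery $Connection $RoleSql $Principal | ForEach-Object { "ROLE $($_.RoleName)" })
} finally {
    $Connection.Close()
}
$Unexpected = @($Found | Where-Object { $Expected -notcontains $_ })
if ($Unexpected) {
    Write-Warning "Unexpected rights for ${Principal}: $($Unexpected -join '; ')"
} else {
    Write-Host "$Principal holds only: $($Found -join '; ')"
}
```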


Hyper-V 2012 R2 VMM status: Host Not Responding

Just noticed that one of my Windows Server 2012 R2 Hyper-V hosts was showing as Host Not Responding in the Status column for all the VMs running on it via System Center Virtual Machine Manager 2012 R2.

I tried right-clicking on the host and doing a refresh, but just got an error back in the VMM tasks list:

Error (2912)
An internal error has occurred trying to contact the HV05.rcmtech.co.uk server: : .
WinRM: URL: [http://hv05.rcmtech.co.uk:5985], Verb: [ENUMERATE], Resource:
[http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_PerfFormattedData_Tcpip_NetworkInterface], Filter: []
Unknown error (0x8004100a)
Recommended Action
Check that WS-Management service is installed and running on server HV05.rcmtech.co.uk.
For more information use the command "winrm helpmsg hresult". If HV05.rcmtech.co.uk is
a host/library/update server or a PXE server role then ensure that VMM agent is installed
and running. Refer to http://support.microsoft.com/kb/2742275 for more details.

So I tried stopping the WinRM service, which also required the SCVMMAgent service to be restarted. However, the WinRM service just sat at Stopping and wouldn’t die. WinRM runs within an svchost process, which is somewhat annoying, as I didn’t want to kill the other services running in that process. You can see what services are running in svchost processes by using:

tasklist /svc

In the end I killed all the wmiprvse services running on the host, which then allowed the WinRM service to stop.

I restarted it again and did another host refresh via VMM. This time I got the following error:

Error (2927)
A Hardware Management error has occurred trying to contact server
HV05.rcmtech.co.uk :n:CannotProcessFilter :HRESULT 0x8033801a:No instance found with given property
values. .
WinRM: URL: [http://hv05.rcmtech.co.uk:5985], Verb: [INVOKE], Method: [GetVersion], Resource:
[http://schemas.microsoft.com/wbem/wsman/1/wmi/root/scvmm/AgentManagement]
Unknown error (0x8033801a)
Recommended Action
Check that WinRM is installed and running on server HV05.rcmtech.co.uk. For more information use the
command "winrm helpmsg hresult" and http://support.microsoft.com/kb/2742275 .

which was because I’d forgotten to restart the SCVMMAgent service. Once I’d started that I tried another host refresh, which completed successfully and the VMs are now showing as healthy again.


Add and remove VMware NFS datastores via PowerCLI

Been experimenting with these recently, and they have to be added to or removed from each host individually, which is tedious via the GUI.

Easy via PowerShell/PowerCLI though.

Add:

$hosts = Get-VMHost -Location "RCM"
foreach($VMHost in $hosts){
    Write-Host $VMHost.Name
    New-Datastore -VMHost $VMHost -Name "VM Archive" -Nfs -NfsHost nfs01.rcmtech.co.uk -Path "/vmarchive"
}

Remove:

$hosts = Get-VMHost -Location "RCM"
foreach($VMHost in $hosts){
    Write-Host $VMHost.Name
    Remove-Datastore -VMHost $VMHost -Datastore "VM Archive" -confirm:$false
}

MsMpSvc terminates on Windows Server 2003 with definition version 1.171.1.0

Have had various servers this morning with the Microsoft System Center Endpoint Protection Client service msmpsvc.exe terminating frequently. The service control manager restarts it but it dies again fairly quickly.

So far all the servers are running Windows Server 2003 32-bit.

The version of SCEP I have running is 4.5.216.0, although I tried uninstalling and reinstalling, which reverted it back to 4.3.220.0 and that has the same problem.

The virus and spyware definitions were updated from version 1.169.2706.0 to 1.171.1.0 overnight. It seems as though it is the definition change which is causing the problems.

Have posted this to TechNet Forums.

The following event is posted into the System event log:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
User:  N/A
Description:
The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 3 time(s).

There is nothing posted to the Application event log unless you have some kind of debugger installed, e.g. on some servers with SQL Server 2005 management tools installed I’m seeing:

Event Type: Error
Event Source: VsJITDebugger
Event Category: None
Event ID: 4096
User:  NT AUTHORITY\SYSTEM
Description:
An unhandled win32 exception occurred in MsMpEng.exe [4400]. Just-In-Time
debugging this exception failed with the following error: Debugger could
not be started because no user is logged on.
Check the documentation index for 'Just-in-time debugging, errors' for more
information.
Data:
0000: 02 00 5c 80               ..\€

Workaround

A possible temporary workaround seems to be to uninstall SCEP and revert to the older Forefront Client Security. Have just installed client version 1.5.1996.0 which has given me engine version 1.1.10501.0 and that has so far not died with definition version 1.171.1.0.

Workaround #2

From the TechNet forum thread linked to above: Set the following registry DWORD value to 1:

HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableBehaviorMonitoring

Note that you’ll have to give Administrators full control to the Real-Time Protection key first, unless you change the value via something that runs as the local System account. You should probably change the permissions back to Read for Administrators afterwards.

Also note that the word Behavior is spelt in American, without the “u”!

Or go into the GUI, Settings tab, Real-time protection and untick the box titled Enable behaviour monitoring.

Update

Seems as though this can also affect Windows XP.

Update #2 (updated!)

New definitions have been released, version 1.171.46.0 and higher, but as yet these have not fixed the problem. I initially thought they had as the service ran for nearly an hour without failing, but fail it did. Apparently (see link in first update above) there will be a new engine released later today to resolve the problem.

Update #3

Definitions 1.171.64.0 or higher are apparently the ones to go for and do fix the problem, though I’ve not been able to confirm this personally yet. I’ll know by tomorrow morning.

Update #4

The 2003 server that I left running overnight with behaviour monitoring enabled was (and still is) fine.


2919355 Windows Update not showing in WSUS

I have been keen to get hold of this update early to check it out before some of our other users get hold of it so have been checking Windows Update directly rather than going via our WSUS server. The update is now available via Windows Update but is not being picked up by my WSUS servers.

Currently this behaviour is by design, due to KB2919355 breaking connectivity with SSL (HTTPS) secured WSUS servers. The 2919355 update has been held back from WSUS whilst a new update to fix this problem can be prepared and released, otherwise you’d potentially get 2919355 and then nothing else from WSUS, ever.

I’m not using SSL for my WSUS servers so this wouldn’t affect me, but at least I now know why the update isn’t showing.

Info from:

Quoting from the latter:

There is a known issue which causes some PCs updated with the Windows 8.1 Update (KB 2919355) to stop scanning against Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2 or WSUS 3.2) servers which are configured to use SSL and have not enabled TLS 1.2.

Microsoft plans to issue an update as soon as possible that will correct the issue and restore the proper behavior for Windows 8.1 Update KB 2919355 scanning against all supported WSUS configurations. Until that time, we are temporarily suspending the distribution of the Windows 8.1 Update KB 2919355 to WSUS servers.

UPDATE 2014/04/15

There is now a KB article KB2959977 about this issue, though no fix yet (and I also fixed the link to the blog post above that I’m quoting from).


PowerShell: Finding user sessions on RDSH servers

If you’ve been working with Citrix Metaframe/Presentation Server/XenApp and/or Microsoft Terminal Server/Terminal Services/Remote Desktop Session Host for a while you’ll probably be familiar with the command line utility quser (or query user). It returns a tabular output showing details of users currently logged on:

 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 a-user                ica-tcp#15          1  Active          7  08/04/2014 07:19
 an-other              ica-tcp#16          2  Active          .  08/04/2014 08:26
 all-rest              ica-tcp#19          3  Active          .  08/04/2014 08:36
 no-play               ica-tcp#20          5  Active          .  08/04/2014 08:37
 b-usy                 ica-tcp#18          4  Active          .  08/04/2014 08:30

You can get the same information from a remote server by appending /server:<servername> onto the end of the command.

If no users are logged on to the server being queried then the command returns (via StdErr):

No User exists for *

This is a very useful command. Very untouched by Microsoft for approaching the last 15 years…

Which is a shame because the output format leaves a little to be desired. For example if there are some disconnected sessions the table format goes a bit awry:

 USERNAME           SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 a-user                                 2  Disc        none   07/04/2014 09:58
 an-other           ica-tcp#69          1  Active          .  08/04/2014 08:15

Looks ok on screen but try and parse that empty SESSIONNAME column from a scripting point of view, nasty.

So you can use this command to retrieve information, but for anything other than a basic test of “is somebody logged on or not” for scripting purposes it’s not ideal.

Oh, and there’s basically no (built in) PowerShell equivalent. You might be able to use Get-RDUserSession, or not, depending on whether your server is part of a Remote Desktop Deployment.

So, I tried using WMI to get a count of user sessions:

$OSVersion = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $NewVMName).Version
if($OSVersion -eq "5.2.3790"){
    # Server 2003
    $ActiveSessions = (Get-WmiObject -Class Win32_PerfRawData_TermService_TerminalServices -ComputerName $NewVMName).ActiveSessions
    $InactiveSessions = ((Get-WmiObject -Class Win32_PerfRawData_TermService_TerminalServices -ComputerName $NewVMName).InactiveSessions - 1) # subtract one for "Console" session
} else {
    $ActiveSessions = (Get-WmiObject -Class Win32_PerfRawData_LocalSessionManager_TerminalServices -ComputerName $NewVMName).ActiveSessions
    $InactiveSessions = ((Get-WmiObject -Class Win32_PerfRawData_LocalSessionManager_TerminalServices -ComputerName $NewVMName).InactiveSessions - 2) # subtract two for "Service" and "Console" sessions
}

Which as you can see, is a little fiddly due to the classes being different between 2003 and newer OSs, and that the console and service sessions are included. It also doesn’t tell you if there is a user logged on to the (local) console, as there is always a console session present. Not ideal if you’re wanting to ensure there are no people logged on to a server prior to rebooting/rebuilding it.

So in the end I’ve gone back to old faithful, quser:

$Server = "SomeServerName"
$ErrorActionPreference = "Continue"
$QUResult = quser /server:$Server 2>&1
$ErrorActionPreference = "Stop"
if($QUResult -notmatch "no user exists for"){
    Write-Host "Sessions found" -ForegroundColor Red
    $QUResult
}

Note that I’m setting $ErrorActionPreference to “Continue” because I tend to set it to “Stop” at the top of my scripts (not shown in the chunk above) and because quser returns the “No User exists for *” text via StdErr, the script will stop with an error if there are no users logged on. That’s also the reason for the 2>&1 on the end of the quser command line – resend the StdErr output to the same place as StdOut, to ensure they both end up in the $QUResult variable irrespective of whether users are logged on or not.
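If you do need more than a yes/no answer, the blank SESSIONNAME column can be handled by taking the column positions from the header row and reading SESSIONNAME and ID together as one field. This is an added example, not part of the original post; the function name ConvertFrom-QUser is made up here, and the sample lines are the quser output shown earlier.

```powershell
# Added example, not from the original post: turn quser text into objects.
function ConvertFrom-QUser {
    param([string[]]$Line)

    $header = $Line | Where-Object { $_ -match '^\s*USERNAME\s+SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { return }   # e.g. "No User exists for *": nothing to emit

    # Column starts come from the header, so they follow whatever widths quser used.
    $sn    = $header.IndexOf('SESSIONNAME')
    $state = $header.IndexOf('STATE')
    $logon = $header.IndexOf('LOGON TIME')

    foreach ($row in $Line) {
        if ($row -eq $header -or [string]::IsNullOrWhiteSpace($row)) { continue }
        $row = $row.PadRight($logon)
        # SESSIONNAME is left-aligned and may be blank; ID is right-aligned next to it.
        # Read both as one field: the last token is the ID, anything before it is the name.
        $mid  = @(-split $row.Substring($sn, $state - $sn))
        # STATE and IDLE TIME get the same treatment: first token and last token.
        $tail = @(-split $row.Substring($state, $logon - $state))
        [pscustomobject]@{
            UserName    = $row.Substring(0, $sn).Trim().TrimStart('>')   # '>' marks your own session
            SessionName = if ($mid.Count -gt 1) { $mid[0] } else { '' }
            Id          = [int]$mid[-1]
            State       = $tail[0]
            IdleTime    = $tail[-1]
            LogonTime   = $row.Substring($logon).Trim()
        }
    }
}

# Sample input: the quser output with a disconnected session shown earlier in this post.
$sample = @(
    ' USERNAME           SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    ' a-user                                 2  Disc        none   07/04/2014 09:58'
    ' an-other           ica-tcp#69          1  Active          .  08/04/2014 08:15'
)
ConvertFrom-QUser -Line $sample | Format-Table -AutoSize

# Live use, with the same StdErr handling as the script above:
# ConvertFrom-QUser -Line (quser /server:$Server 2>&1)
```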
