3 ways to grant “Local Admin” permissions to Domain Users.

August 16th, 2015 by Andrea Matesi 96 Views


There are three ways (that I know of..), to grant “Local Machine” Administrator credentials to a Windows Domain User:

  1. lusr-method (!).
  2. “Restricted Groups” / Secure Restricted Groups (convenient for that funny bunch).
  3. “Secure Local Administrators” (a-la Alan’s way).



to grant “Local Machine” Administrator permissions to a Windows Domain User through lusrmgr.msc:

  1. Remotely login to the User’s Workstation as a “Domain Admin” (or physically sit in front of the User’s Windows PC).
  2. Win+R –> “lusrmgr.msc”.
  3. From the Local Users and Groups Snap-in, Browse to Groups, Double Click on the “Administrators”-Group, locate your Domain User Account & grant him/her membership to the “Administrators”-Group.
  4. Repeat 1..3 for each desired Windows Computer.


Restricted Groups.

lusrmgr.msc may work for your “home” domain or lab.

For that funny bunch of your colleagues, you may wish to use a more convenient way to perform the task of granting them “Local Machine” Administrator permissions.

The Restricted Groups-feature provides you more automation than the “lusrmgr.msc“-method (especially in regards to Step 4).

The Restricted Groups does just that -- it “restricts” local groups membership to the (domain) Groups of your choice.

There are 2 ways to use Restricted Groups.

  • The first way simply adds New Users along the pre-existing Local Administrators Users (within the (Local) “Administrators”-Group).
  • The second way resets (ie. deletes/wipes) ALL the pre-existing Local Administrators Users off the (Local) “Administrators”-Group.


Restricted Groups / Secure Restricted Groups requirements.

  • Active Directory Domain (SBS or Windows Server 2000+ based).
  • Your “Domain User(s)” have to be members of a “Domain Group” (alas not so common on some SBS environments…).
    On my example, I will assume your Domain User Jack Daniels is a member of  the Group “G_HeadOfficeWorkstationAdmins”.
  • Since the Restricted Groups feature is provided by Group Policy, you should also have an OU with some Computers (unless you want to edit the “Default Domain Policy”, which, of course you “can do”!).


Restricted Groups on your workstations -- in 10 easy steps.

Today I will show you Restricted Groups because it is automated, non-destructive and less confusing to implement.

On my next article, I’ll show you how to implement Secure Restricted Groups (which is pretty similar BTW).

  • With Restricted Groups you will automatically add New Users to the (Local) “Administrators”-Group of each Windows PC member of your Domain.

That way, pre-existing Users (ie. already Members of the (Local) Administrators Group), won’t be affected at all (which, depending on how you see it, it may represent an advantage OR a disadvantage).

  1. Browse to Administrative Tools -> Group Policy Management –> Locate your Computers OU (ie. “HeadOffice Workstations”) -> R-Click on your Computers OU & “Create GPO & Link it here” (name it, say, “HeadOffice Workstations Local Admins”).
  2. On the Group Policy Management Editor, Expand:
    Computer Configuration
    + “Policies”
    + “Windows Settings”
    + “Security Settings
    + “Restricted Groups”.
  3. On the Right pane of “Restricted Groups”, Right click and Select “Add Group…”.
  4. To provide Local Admin Permissions to a Pre-existing Group (ie. say “G_HeadOfficeWorkstationAdmins”), Click on the “Browse…”-Button, locate G_HeadOfficeWorkstationAdmins (the group you wish to attach Local Admin Creds to) and Click Ok to confirm.
  5. A new “Group Name Properties”-window will popup.
    On the new properties window skip/ignore the first text box area (ie. the one that says “Members of this group”…).
  6. Focus your attention to the second text box area, where it says “This group is a member of:“(on the lower half).

    From http://support.microsoft.com/kb/279301 :”The “Member Of” list specifies which other groups the restricted group should belong to“.


  7. Click on the “Add”-Button and Type (or copy-paste) “BuiltIn\Administrators” in the Group Membership dialog then Click OK to Confirm.
  8. [Optional] Click again on the “Add…”-Button & type “BuilIn\Remote Desktop Users” & Click OK.
  9. Run an admin cmd & “gpupdate /force”.
  10. REBOOT the Target Computer(s) belonging to the (GPO-linked) OU.

Step No.7 is where you will actually grant Local Admin permissions to the members of the Restricted Group.

Step No. 8 is optional because Local Administrators already have Remote Desktop Access Permissions by default, (but if you must!).

Restricted Groups is “just OK” for small domains of (7 -- 75) SMB Workstations, but it isn’t really that flexible because it relies only on Groups and OUs.


Secure Local Administrators (a-la Alan’s-way).

If you want a preview of “how deep the rabbit hole goes”, then head to Alan’s grouppolicy.biz blog and read (…or should I say “decrypt“?), his sensational article: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/


On my follow-up article, I will show you how to implement Secure Restricted Groups.



Posted in Microsoft, System Administration | No Comments »

4 useful lsof commands explained

July 12th, 2015 by Andrea Matesi 175 Views

This short post introduces you 4 useful lsof commands by examples.

Due to their usefulness, I’d like to “remember to use” those commands more often.


lsof -u “username”.

Example running lsof -u root

lsof-u root

The command above will show you all “root’s user” open files.


lsof -a -p “PID”.

lsof -a -p 1

lsof -a -p 1

-a is a simple AND operator. Used this way is the equivalent of “lsof -p 1“.

-p 1 limits the output to PID 1 (usually that is the kernel…). You get PIDs by running the ps command.

When you specify more than 1 lsof -X -Y command switches (ie. “lsof -p 1 -u johndoe“), by default lsof will perform an OR operation (ie. EITHERPID = 1ORUser = johndoe“).

IF you type, say, “lsof -p 1 -a -u johndoe“, lsof will filter your output by “PID = 1ANDUser = johndoe“.


lsof “/var/log/filename.log”.

lsof /var/log/messages

lsof /var/log/messages

lsof with a file parameter will show you who & what daemon is using the file (ie. the “messages“-log file).

On the above screenshot, /var/log/messages is opened by root thru rsyslogd (which has a PID of 1078).


lsof -i :TCP|UDP-PortRange.

[root@host:~]#-> lsof -i :1-100
sshd     1216 root    3u  IPv4  11823      0t0  TCP *:ssh (LISTEN)
sshd     1216 root    4u  IPv6  11827      0t0  TCP *:ssh (LISTEN)
sendmail 1240 root    4u  IPv4  11922      0t0  TCP localhost:smtp (LISTEN)
sshd     1446 root    3r  IPv4  22798      0t0  TCP> (ESTABLISHED)

lsof -i :1-100

The above command (with a space-char after “-i“), queries your system about “what services are running on the first 100 ports”?

If you want to know only what TCP ports are in use, then type:

lsof -i tcp

That’ll show you all the open TCP ports.

My short examples are only the tip of the iceberg of what lsof can do.

lsof is extremely useful and has an extensive (and sometimes arcane) list of options and switches -- check for yourself at the lsof man page: http://linux.die.net/man/8/lsof

Posted in LINUX, System Administration | No Comments »

2 correct ways to install RDS apps (formerly TS) on your RDS HOST.

June 13th, 2015 by Andrea Matesi 272 Views


2 Options.

  • When you need to provision a new Windows program to by multiple Users (ie. that remotely login to the same TS/RDS Host), you have 2 options.

Setup.EXE VS Setup.MSI

  1. If your app comes packaged with a 3rd party installer (generally “Setup.EXE“), you’ll need to manually place your TS/RDS Host into “Install Mode”.
  2. If your app is offered with a “Setup.MSI“-file, the System will go automatically into Install Mode after you double-click on it & switch back when finished (ie. no need to manually switch to “Install Mode”).

So, if you have an msi, just go ahead and install it -- it’ll automatically be available to your Users (‘though check your RDS Host settings/make sure the app is published).


How to properly deploy “Setup.EXE” Applications.

To correctly deploy an application packaged with a third party installer (ie. Notepad++) & in order to make it available to all your Users, on your Terminal Server or Remote Desktop Services Host(s) :

  • Run cmd as admin then switch to “install mode” with the following command:

change user /install

  • Now install your desired application by, say, running “Setup.exe” (follow the installer prompts as usual).

Once the installer has finished, return to (default) “Execute Mode”.

change user /execute

Install mode allows you to correctly deploy apps to your Users.


Under which mode am I?!

To know under which mode you currently are, run (On an Admin CMD):

change user /query

As per MS recommendation, don’t leave your system in “Install Mode” (see http://support.microsoft.com/kb/186515).



By quoting http://blogs.technet.com/b/perfguru/archive/2008/06/30/how-to-install-application-windows-2008-terminal-server.aspx

“When an application is installed in Install mode, HKEY_CURRENT_USER information is primarily written to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install

This information is then circulated to HKEY_CURRENT_USER for each user when they log on to the Terminal Server.”

Posted in Microsoft, System Administration | No Comments »

Custom Alcatel OmniPCX Voice Prompts.

May 16th, 2015 by Andrea Matesi 300 Views


  • Alcatel OmniPCX requires a .wav format file sampled in PCM 8000 kHz, 8 bits, mono -- full stop.

3, 2, 1…action!

Record your voice message as a wav file.

To record a voice prompt, you may simply…

  1. Run “Windows sound recorder”.
  2. Record a wma (or a wav) file.

Then you’ll need to convert your message to PCM 8000 kHz, 8 bits, mono.

How to convert your voice prompt to PCM 8000 kHz, 8 bits, mono.

To convert your sample you may wish to use ffmpeg.

  1. On Windows, obtain a copy of ffmpeg from the following address (courtesy of zeranoe): http://ffmpeg.zeranoe.com/builds/
  2. Decompress one of the latest ffmpeg builds into a temp folder.
  3. Open the temp folder (ie. where you extracted ffmpeg).
  4. Put a copy of your original Alcatel voice prompt, inside the ffmpeg’s “bin” folder (just for your convenience).
  5. Open a Command Prompt (Right Click then “Run as Administrator”).
  6. CD to your ffmpeg bin folder.
  7. To convert your audio file to an Alcatel OmniPCX acceptable-format, type the following command:

ffmpeg -i MyOriginalVoicePrompt.wma -ac 1 -ar 8000 Converted.wav

This is it, you may now correctly upload your converted wav file into your Alcatel OmniPCX Phone System.

Posted in NEWS | No Comments »

Include non-indexed (network) locations to your Libraries.

April 18th, 2015 by Andrea Matesi 372 Views

Thanks to the following (awesome) blog post: http://blog.ryankempt.com/2012/09/windows-library-add-non-indexed-location.html, today I was able to add/show non-indexed network locations into my Documents Library.

This workaround is especially useful whenever you’re storing, say, your family Pictures on a (Linux-based) NAS that does not support indexing.

For convenience’s sake, I’ll report what’s involved the way “it worked for me“:

  1. Win+E –> C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Libraries\
  2. Right-Click on the Library you wish to customise (ie. Pictures).
  3. Select “Open with…” and open w/your fav txt editor.
  4. Scroll to EOF and locate the last “</searchConnectorDescription>”.
  5. Copy the following code:


  6. Paste the above code BEFORE “</searchConnectorDescriptionList>” AND BELOW/AFTER the last “</searchConnectorDescription>”.
  7. Update “<url>\\your-file-share\location\folder</url>” with your desired Network Location.
  8. Save and close, then browse to, say, your Pictures Library (as you normally would).

[BONUS UPDATE]: On Windows 8/8.1, Libraries have been disabled (by default).

To enable/show Libraries on your folders list, proceed as follows:

Show Libraries

  1. Open File Explorer and move your mouse to the vertical/left navigation list (Favorites, This PC, etc.).
  2. Right Click on a blank spot in that area (ie. on the white empty space between Favorites & This PC).
  3. Select “Show Libraries” to bring Libraries back.

SRC: http://blog.ryankempt.com/2012/09/windows-library-add-non-indexed-location.html

Posted in Tips and Tricks., Windows 8/8.1 | No Comments »

Quick and dirty upgrade to Windows 8.1 from MS Store.

April 9th, 2015 by Andrea Matesi 308 Views


In case you missed how to get the free Windows 8 to Windows 8.1 upgrade, here’s a quick rundown of what’s involved:

1) Install http://www.microsoft.com/en-us/download/details.aspx?id=40098 and restart as requested.


2) Open the Windows Store “As Administrator”.

Update to Windows 8.1 for free

3) Click (or tap) on the huge “Update to Windows 8.1 for free”-tile & Select Download.


The download process will take awhile (depending on your Internet connection speed) and don’t be surprised if your next Restart is slow!

Posted in Windows 8/8.1 | No Comments »

[video] intel Wireless docking.

February 16th, 2015 by Andrea Matesi 352 Views

Posted in NEWS | No Comments »

[Solved] Chrome “Waiting for cache” (WSOD) & How to Open all your Synched Tabs back.

February 14th, 2015 by Andrea Matesi 639 Views

Chrome broke my heart <3 by not loading pages anymore.

So instead of going out with my beloved ones, here I am, fighting with Chrome :)

This error seems to be referred to as “White Screen of Death” (WSOD) because of a white background and a ”Waiting for cache…”-message on the lower left Status bar while no page is being loaded.

While searching for a solution, I tried the “Clear browsing Data…”-Button from:”the beginning of time”.

I cleared the following:


  • Clear browsing history.
  • Clear download history.
  • Delete cookies and other site and plug-in data.
  • Empty the cache.
  • Clear data from hosted apps.

After a couple of days, the dreaded “Waiting for cache…”-blank page started reappearing again(!).

To fix the “Waiting for cache…” issue, I adopted a radical approach -- uninstall Chrome!

Before rushing into uninstalling Chrome, there was an issue I had to take care of first – …153 Open Tabs!

Since I adopted Chrome as tool of trade, I “bought” into the Google Sync Service, which promises to Save you all your Open Tabs:“in the cloud” – sweet!

To allow Chrome Tabs Sync with Google, you’ll have to:

  1. Be signed in to Chrome with your Gmail Account.
  2. Make sure “Open Tabs” is checked (even though your browser is not working…).
    Go to chrome://settings/syncSetup and flag “Open Tabs”.
  3. Verify that your Google Dashboard says you have xXx “Open Tabs”.
    153 is just a Number.

If you can confirm the previous steps, uninstalling Chrome should just be a matter of:

  1. Clearing your browsing data (as explained above, at the beginning of my post).
  2. Uninstalling Chrome from your Control Panel –> Programs (as usual).
  3. Opening your AppData & Searching/Deleting any “Chrome-related”-remnants.
  4. Rebooting your Computer.

Time to Install Chrome…

While installing Chrome back, I also experimented with “Chrome for Business” MSI Installer Package (& related Administered Settings), to deploy it through Group Policy (but that’s another story…).

Install Chrome as usual then Sign in to Chrome with your Google Account.

You will notice all your Web Apps will re-appear back, but not your Tabs…

To reopen all your Open Tabs:

  1. Open a New Empty Tab.
    CTRL (or Command) + T or Click on the “PLUS”-Symbol.
  2. Click on “Other Devices” (Bottom right).
    You never noticed that…eh?
  3. Click on the miniscule Small Arrow near your “ComputerName” and Click on “Open all”.
    ALL your Tabs are belong to US!

I hope “Waiting for cache…” is now a thing of the past also for you!



Posted in Tips and Tricks. | No Comments »

Fast-enable vncserver on CentOS.

January 3rd, 2015 by Andrea Matesi 541 Views

…Assuming it is already installed (if not then “yum install vnc”).

Launch the server by typing the following on a terminal:

vncserver :1

Then edit ~/.vnc/xstartup as follows:

# Uncomment the following two lines for the normal desktop:
exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80×24+10+10 -ls -title “$VNCDESKTOP Desktop” &
gnome-session &

And done!

Posted in LINUX, System Administration | No Comments »

HOW-TO Setup a Windows RESET Image.

December 28th, 2014 by Andrea Matesi 676 Views



As promised, today I will continue blogging on how to Setup a Windows RESET Image to Restore your System to a previously working state.

This post builds on my previous ones (reported here for convenience):

1. Best Windows UEFI/GPT partitioning scheme

2. HOW-TO Setup a Windows REFRESH Image.

Please note – the RESET procedure will WIPE all your User Profile Data (including your Desktop, Documents, Pictures, Music, Videos, Etc.).

Basically you will lose everything and your computer will return to a previous (virgin, empty, nil) state.

To put it in military speech --

  • REFRESH is like tactical bombing (with some collateral damage).
  • RESET is like nuking(!).

The main advantage of RESET is that you won’t have to rely on a lost or missing Windows DVD or USB KEY to Restore your computer to a working state.

Use RESET only as a last resort and try other options first – That is especially true since it is your data I am talking about.


How-to Setup a RESET Image.

That said, I’ll show you how to setup a RESET Image for your computer first.


  • The process starts by taking a copy of the original install.wim Image From your Windows Install Media (ie. DVD, USB KEY) To a folder within your Recovery partition.

In this example I’ll assume that:

  1. Your Recovery Partition is D:\
  2. Your Recovery Folder is D:\Recovery
  3. Your original “install.wim” Image from your Windows Media is usually located into the “sources”-folder.

Once your RESET Image is in place, open an Admin CMD Prompt and type the following commands:

reagentc /setosimage /path D:\Recovery\install.wim /index 1
cacls D:\Recovery /E /R Users
icacls D:\Recovery /inheritance:d

With the “reagentc”-command, you will specify the path to your RESET Image. The “/index 1”-option selects the first Windows Image within your “install.wim“-Image (Windows 8.1 Pro in my example).

You can find the correct image index with “dism /get-wiminfo /wimfile:D:\Recovery\install.wim”.

Also, to prevent damage to your RESET image, use the cacls and icacls commands to remove normal Users’ permissions and to disable inheritance.


Now you see me, now you’re dead!

I highly suggest you to test your RESET image.

Proceed as follows:

  1. Install a new application (say 7-zip).
  2. START –> POWER-Button –> RESTART while keeping the SHIFT-KEY pressed.
  3. Boot to WinRE.
  4. Select “Troubleshoot your Computer”.
  5. Select “RESET” to Reset your PC.

After your computer has been reset, your computer will enter the OOBE process.

You will also notice that 7-Zip is missing from the list of installed Programs and all your User Data is gone!


1-Star Movie Reviews: Dr. Strangelove



BONUS – Hide the Recovery Partition.

If you’ve made it that far, I guess then it’s time to hide your Recovery partition from malicious eyes.

That is to prevent you (or s/else) to accidentally write data (& fill-up) your Recovery Partition.

In this case, a few DISKPART commands will do the trick, so open a CMD as Admin and type:

select disk 0
list volume
select volume 1 <- select your “Recovery”-Volume.
remove <- remove the letter assignment (ie. D-Letter).
list partition
select partition 4 <- select your “Recovery”-Partition
set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac override <- Hide the partition.


Posted in Microsoft, System Administration | No Comments »

« Previous Entries