[Solved] Macbook Pro erratic behaviour with bottom cover IN.

January 9th, 2016 by Andrea Matesi 76 Views

 

I successfully replaced a liquid-spilled Macbook Pro Logic Board, specifically an A1278, which is the Mid-2010 model.

After replacing the Logic Board (and re-connecting all the connectors), I turned the laptop ON and it behaved perfectly.

  • The problems appeared once I screwed the bottom cover to the case!

After I turned the Macbook with the bottom cover ON, I experienced the following problems:

  • The fan was blowing at full speed.
  • The Cursor moved slowly (ie. scattered).
  • While Shutting the System down, it turned back ON automatically!
  • It was bloody slow!

The previous issues disappeared as soon as I removed the back cover, so I thought it should’ve been something related to it.

I searched on Google and after some time I found this magnificent Apple Support post by “averagedude” (or should I say awesomedude): https://discussions.apple.com/message/12340188#12340188

So, armed with some good old black electrician duct tape, I covered all the unprotected MB connectors.

On my specific case, I reckon the problem was related to the power connector: because of the liquid spill, the power connector “sponge” absorbed all the liquid and it reduced in size (and so it didn’t protect the power connector anymore).

By screwing the bottom cover to the case, somehow, the metal from the back cover touched the power connector (this should also explain the erratic shutdown…).

Can I say problem solved?!

Next please!

Posted in dirty hacks | No Comments »

5,000 free Star Citizen credits.

December 20th, 2015 by Andrea Matesi 142 Views

 

 

Become a Star Citizen by using my referral link and get 5,000 free in-game Credits.

  • https://robertsspaceindustries.com/enlist?referral=STAR-26K6-PTP4

 

To get 5,000 free UEC in-game credits, please refer me by joining Star Citizen with the following link:

  • https://robertsspaceindustries.com/enlist?referral=STAR-26K6-PTP4

 

What will you get?

  • 5,000 UEC in-game credits.
  • The Best Damn PC Game/Space Sim ever.
  • Premium “CRYSIS”-engine-based FPS experience.

 

What will Andrea get?

  • In-game perks (ie. no in-game credits) -- see here for full list of perks: https://robertsspaceindustries.com/referral-program

 

Hope you won’t miss this opportunity -- https://robertsspaceindustries.com/enlist?referral=STAR-26K6-PTP4

See you “in the ‘verse“!

Posted in Games | No Comments »

How to setup Per-Computer “Local Admins” on a Domain.

December 19th, 2015 by Andrea Matesi 223 Views

Veggies.

This post is a humble summary of Alan Burchill’s brilliant post published at the following address in 2010:

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Alan is the überhero (& self-declared genius…), so please thank him for his precious time and effort.

Alan’s methods reconnects to one of my previous articles were I talked about granting Local Admins credentials to Domain Users.

Here: http://www.pwrusr.com/?p=1534 AND here: http://www.pwrusr.com/?p=1681

Despite the method I discussed above are still valid as of today, IMHO, Secure Local Administrators a-la Alan-way is still the Best method.

Withoud further ado, I’ll just summarise what he’s explained on his post(s).

I’ll also assume you’ve designed a “proper” (best practice) Active Directory structure, namely by creating some OUs to organise “Groups of Computers” (ie.: “Laptops”-OU, “Servers”-OU, etc.).

 

Red Meat.

The whole point of Alan’s article allows you to granularly grant “Local Administrator”-Permissions to select Users, by mapping one to one relationships.

In other words, inside an Active Directory Domain, one designated User should be also “Local Administrator” of his [designated…] Computer -- this way all y’all pwrusrs out there can enjoy a certain degree of privileged of freedom :).

Not only that, you can also designate more than 1 User as Local Administrator of the same Computer.

 

How to setup Per-Computer “Local Admins” on a Domain.

  • The very first step involves creating some Groups inside any of your designated OUs (say “Laptop01_Administrators”, “Laptop02_Administrators”, etc.).

Inside each of those Groups, you will place the Users capable of Locally Administering their Computer.

The idea here is:

  1. To use as less GPOs as possible.
  2. To avoid the “Restricted Groups” feature offered by Group Policy.
  • Run gpmc.msc, create a new Group Policy Object and link it to your DOMAIN (refer to p.2).
  • “Edit…” your new Group Policy as follows…

image

1. Browse the “Computer” –> “Preferences” –> “Control Panel Settings” –> “Local Users and Groups” tree.

 

image

2. On “Local Users and Groups”, Right Click on the white area and select “New” –> “Local Group”.

By so doing, you will update the “Administrators” Local Group Members (which by default is built in into each computer -- including Domain-Joined ones).

 

image

3. On the “Group Name”-dropdown, Select “Administrators (built-in)”.

 

Now “Add…” the built in Administrator Account to the Local Group:

image

Flag the “Delete all member users” & “Delete all member groups” checkmarks (ie. tick them), then click on the “Add…”-Button, copy/paste “BUILTIN\Administrator” (without quotes) and Press the “OK”-Button twice to confirm your selections and Close the “New Local Group Properties”-dialog.

 

Fish.

Next you will specify who will be the Local Administrator for any of your Computers.

Please refer to Alan’s post for a detailed explanation about the settings I’m about to use:

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/2/

 

Repeat Steps 1..3 and Add a New Local Group as follows:

image

Again, Select “Administrators (built-in)” from the “Group Name” dropdown.

 

This time DO NOT Check the “Delete all member users” & “Delete all member groups” Checkboxes (ie. leave them unchecked).

image

Click on the “Add”-Button and this time specify the Groups to which you wish to grant “Local Administrators” permissions.

 

Now, provided your Computer Groups were named as I suggested earlier (at the beginning of this post), you will Add something similar to the following:

image

“%DomainName%\%ComputerName%_LocalAdmins” (without quotes).

Please note: the previous entry encompasses ALL your Computers Groups (unless you wish to manually specify them, that is).

  • %DomainName% represents your Domain Name.
  • %ComputerName%_LocalAdmins includes all your Computer Groups.

Now you may wish to repeat the previous steps by including the Domain Admins.

While your next step could be to grant your desired Users membership to the “%ComputerName%_LocalAdmins”-Groups (ie. “Laptop01_Administrators”, “Laptop02_Administrators”, etc.).

[BONUS} wash, rinse & repeat for Remote Desktop Users ;-)

[BONUS No.2] Say you wanna be pesky about whom to grant Local Admin Permissions.

In this case, you might choose to designate an additional AD User (“JohnAdmin”), which would have the same rights as the Standard AD User (say “John”), but -- in addition, he’d also get membership to the “PC01_LocalAdmins”-Group.

This way, whenever John is prompted by UAC (say b/c he’s trying to setup 7zip or run stuff “As Administrator”), he may just simply type “JohnAdmin” as User (w/related password), without opening a new Support request!

Kudos to Alan Burchill and feel free to comment below.

Posted in Microsoft, System Administration | No Comments »

3 commands to INSTALL Unsigned Drivers (by disabling driver signing w/bcdedit).

December 16th, 2015 by Andrea Matesi 379 Views

 

RUN “CMD” As Administrator.

First things first -- run a command prompt As Administrator!

[Win 7] Win + R -> cmd -> CTRL + SHIFT + ENTER

[Win 8/8.1/10] Win -> cmd -> CTRL + SHIFT + ENTER.

[GUI]:

01.run-cmd-as-admin

02.run-cmd-as-admin

 

To DISABLE “Driver Signing” (so you CAN install UNSIGNED Drivers):

1) Disable “Integrity Checks“.

2) Enable “Test Mode“.

3) Restart your System.

Copy-Paste code to install unsigned drivers:

bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON
shutdown /r /t 0

# above commands will:

  1. “DISABLE Integrity checks” so unknown drivers could be installed.
  2. Allow “Test” signatures.
  3. Restart your computer.

 

 

To ENABLE “Driver Signing” (so you CAN’T install UNSIGNED Drivers):

1) Enable “Integrity Checks“.

2) Disable “Test Mode“.

3) Restart your System.

Copy-Paste below code:

bcdedit -set loadoptions ENABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING OFF
shutdown /r /t 0

# above commands will:

  1. “Enable Integrity checks” so unknown drivers won’t be installed.
  2. Disable/Disallow “Test” signatures.
  3. Restart your computer.

Posted in Tips and Tricks. | No Comments »

Early look at containers in Windows Server, Hyper-V and Azure – with Mark Russinovich

November 23rd, 2015 by Andrea Matesi 148 Views

 

 

Early look at containers in Windows Server, Hyper-V and Azure – with Mark Russinovich.

Interesting -- have a look!

Posted in NEWS | No Comments »

my favourite “mysqldump” options.

November 15th, 2015 by Andrea Matesi 154 Views

 

MySQL Tools & Co. are very nice and smart toys, ‘though sometimes DB Admins like to overcomplicate things that should be easy and simple.

Over time and experience, I developed a specific taste for the following mysqldump options:

mysqldump -u root -p -- -add-drop-databases -- -add-drop-table -- -databases DB_NAME > filename.sql

Beware of the dreaded “- -“.

This command simply dumps ALL the DB data into a single file, but the best part is the “--databases” option, that enables (even if dumping a single DB), the insertion of the “CREATE DATABASE DB_NAME” statements (very useful indeed!).

A pwrusr’s most common operation: I want to dump a “whole db” (why?) -> I want to import it as a whole into another place, and that’s it!

 

[BONUS] copy database from one server to another:

mysqldump –user=root –password=P@ssw0rd -- -add-drop-databases -- -add-drop-table -- -databases DB_NAME | mysql -h my-remote-host-3 –user=root –password=remote-host-3-mysql-password DB_NAME

Automate backups to a specific user for cron-enabled dumps.

1) Create the bck-usr on mysql.

2) Grant some permissions to the user needed to perform the automated backups.

GRANT SELECT,LOCK TABLES ON mydb.* TO bck-usr@pwrusr.com

flush privileges;

3) Put your script into crontab!

Posted in DBs, DEV | No Comments »

Thinking of SHA512 for your PKI? Think again.

November 9th, 2015 by Andrea Matesi 200 Views

 

 

  • If you are in the process of deploying a new CA, and you are thinking of issuing Certs that use SHA512 Hashes, think again!

(From https://support.microsoft.com/en-us/kb/2973337):”If you currently use SHA512 certificates, and do not have this update installed, you may have problems in one or more of the following scenarios by using TLS 1.2:

  • Internet Protocol security (IPsec) stand-alone
  • IPSec with DirectAccess
  • Microsoft Lync Server 2013
  • Remote Desktop Services (RDP)
  • SSL websites
  • SSL based VPN
  • Web applications”

(From https://support.microsoft.com/en-us/kb/2973337).

The affected products/features list is “quality vs quantity” (re-read it!) and lots of super-important components will break (including Windows Updates under certain conditions!).

Don’t misunderstand me -- Computers’ security is important, ‘though, at times, it is imperative that things “just work”.

 

Lessons learned.

If you seek wider compatibility over stronger security (while provisioning a new CA), then you should consider SHA (or SHA256 given SHA will be decommissioned starting from 2017) and RSA 2048 (or 4094) bits.

If you still seek greater security, then I recommend you to consider SHA256 (or SHA384 if you must), perhaps with Elliptic Curves instead of RSA (‘though that will open another possible “can of shiny new eels”!).

Posted in Microsoft, System Administration | No Comments »

Star Citizen Alpha 2.0 Press Demo -- click on the referral link for a bonus 5000 in-game credits.

November 8th, 2015 by Andrea Matesi 194 Views

 

 

Star Citizen is an extremely good looking Space Sim and FPS.

But don’t take my word for it, watch it yourself:

 

If you like what you see…

  • Join by following my referral link and you will get a bonus 5,000 in-game credits:

https://robertsspaceindustries.com/enlist?referral=STAR-26K6-PTP4

Posted in Games | No Comments »

Windows XP, Vista, 7, 8/8.1 Auto-Login Howto.

October 18th, 2015 by Andrea Matesi 1294 Views

 

Auto-login saves you the hassle of typing your Password after your Windows System has been turned ON (or Restarted).

If you’d like your computer to go automatically to your Desktop (or, uhm…to the new Start Menu), then automatic login is for you.

The good news is -- it works with every Windows version (starting from XP and/or Server 2003+ Editions).

Please note -- by following this howto, you are:

  1. Seriously lowering (ie. compromising) your Windows System Security.
  2. You’re making a potential thief’s life easy!
  3. You’re saving a minimum amount of time.

Before recurring to such extreme measures, ask yourself the economical value a malicious user could gain by just turning ON your unattended computer or by stealing it (yes, a facebook compromise has serious consequences).

That said, the compromising feature could be handy on a home environment, ie. when you want to share your system with other members of your family.

IF you still feel safe to apply this hack to your Windows system, then proceed as follows:

-- Make sure you can edit (ie. add) regkeys to the Registry.

To hack your Registry, you will require Administrative Credentials.

[Obligatory disclaimer] By manually changing your Windows Registry, depending on what you do, your system might not Start anyomore, so:

  • Pay attention to what you’re doing.
  • Stick to the instructions.
  • Always make sure you are able to undo the changes in case (ya know…).

Of course I am not to be held responsible for any damages, but I’d be more than happy to fix it for you ;-)

Let’s get hands-on.

-- To check if you have “Administrator”-Credentials either:
1. Win+R -> control.exe -> “User Accounts” and check if your account is reported as “Standard” or “Administrator”.

2. Ask your System Administrator (which I’m sure he’d be more than eager to delete all your accounts…).

Let’s get dirty.

-- Open Notepad and copy/paste the following text:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“DefaultUserName”=”Administrator”
“DefaultPassword”=”your-cleartext-admin-pwd”
“AutoAdminLogon”=”1”

  • Text Change No.1): Locate the string “Administrator” and replace it with you User Logon Name (leave the quotes in place).
  • Text Change No.2): Locate the string “your-cleartext-admin-password” and replace it with your Computer Password (leave the quotes in place).

-- Save the above text as “autoadminlogin.reg” to you Desktop (make sure no txt extension is automatically attached to the file name).

-- Right Click on your new “autoadminlogin.reg”-file and Select “Run As Administrator”.

You’ll be prompted to type-in your (Administrator) Password.

-- Type the Password and Click on OK to Confirm.

-- When Prompted, Click OK to insert your text data into your Windows Registry.

Happy now?

Reboot your Windows system and check if Automatic Windows Login (ie. w/o having to type your Password) works.

This hack will work on every Local (ie.non-domain-joined) & Networked (ie. AD Domain-joined) Windows copy (be it XP, Vista, 7, 8 or 8.1).

Posted in dirty hacks, Microsoft, System Administration | 1 Comment »

Secure Restricted Groups to grant Local Admin Credentials to Domain Users.

September 20th, 2015 by Andrea Matesi 456 Views

 

As I said on my previous post titled “3 ways to grant “Local Admin” permissions to Domain Users“:

There are 2 ways to use Restricted Groups.

  • The first way simply adds New Users along the pre-existing Local Administrators Users (within the (Local) “Administrators”-Group).
  • The second way resets (ie. deletes/wipes) ALL the pre-existing Local Administrators Users off the (Local) “Administrators”-Group. Hope that makes sense.

For further details regarding the first way (also referred to as Restricted Groups), please refer to the linked article linked on my first paragraph (above).

In this post I will show you how to deploy Secure Restricted Groups (the second way).

 

Secure Restricted Groups.

Secure Restricted Groups happens to be more secure, but it is also disruptive at the same time.

It is more secure because it removes all the pre-existing (Local/Domain) Users from the (Local) “Administrators” Group (in case sneaky software tricks your Local Admin Users).

It is disruptive because it removes all the pre-existing (Local/Domain) Users from the (Local) “Administrators” Group (that’s not an error).

Worst case scenario -- you lose Administrative access to your Windows PC(!).

The second way to use Restricted Groups to grant Local Administrator Permissions could be more confusing to implement (especially if you now know how to implement the first way), because the order of the Users and Groups is reverted.

 

Secure Restricted Groups requirements.

The Secure Restricted Groups requirements are the same as the Restricted Groups:

  • An Active Directory Domain (SBS or Windows Server 2000+ based).
  • A “Domain Group” whom to grant Local Administrator permissions.
    (In this post I will assume your Domain Group is “G_HomeAdmins”).
  • Group Policy.

 

Secure Restricted Groups on your workstations -- automatically.

How to:

  • Wipe clean your workstations’ (Local) “Administrators”-Group first.
  • Then force only the Users of your choice as members of the (Local) “Administrators”-Group.
  • Fully automate the above 2 bullet points.

On your Domain Controller Server or from your RSAT management console,

  1. Browse to Administrative Tools -> Group Policy Management –> Locate your Computers OU (ie. “HeadOffice Workstations”) -> R-Click on your Computers OU & “Create GPO & Link it here” (name it, say, “HeadOffice Workstations Secure Local Admins”).
    image
  2. On the Group Policy Management Editor, Expand:
    Computer Configuration”.
    + “Policies”.
    + “Windows Settings”.
    + “Security Settings”.
    + “Restricted Groups”.
    image
  3. On the Right pane of “Restricted Groups”, Right click and Select “Add Group…”.
  4. To provide Local Admin Permissions ONLY to the Group of your choice, here TYPE (or copy-paste) “Administrators“.
  5. A new “Administrators Properties“-window will popup.
    IGNORE/Skip the second text box area (where it says “This group is a member of:”).

    From http://support.microsoft.com/kb/279301 :”any current member of a restricted group that is not on the “Members [of this group]” list is removed with the exception of administrator in the Administrators group. Any user on the “Members [of this group]” list which is not currently a member of the restricted group is added”.

    On the new properties window, on the first text box area (ie. the one that says “Members of this group”…), Click on the “Add…”-Button:
    2013-10-02 20_07_17-Remote Desktop Manager [Admin@pwrdc01]

  6. On the New Widow, Click on “Browse…”, locate (or copy-paste) “Domain Admins” (ie. the Group you wish to attach Local Admin Creds to) and Click on the Ok-button to confirm.
  7. Run an admin cmd & “gpupdate /force”.
  8. REBOOT the Target Computer(s) belonging to the (GPO-linked) OU.

 

Step No.6 is were you actually grant Local Admin permissions to the Domain Admins.

That’ll delete all the Workstation’s (Local) “Administrators” Members first,
then it’ll ADD “Domain Admins” to the “Administrators” Group.

Next I will show you how Alan’s article has “worked” for me.

Posted in Microsoft, System Administration | No Comments »

« Previous Entries