(Solved) 2502/2503 Error When Installing from a .msi File

Sometimes you will get a 2502/2503 error message when trying to install a program from a .msi file.

Here’s how to fix it.

  1. Log in as an administrator
  2. Navigate to the C:\windows directory in file explorer
  3. Find and right-click the temp folder in this directory
  4. Select properties from the menu and click the security tab
  5. Make a note of the permissions for the following:
    1. All Application Packages
    2. Creator/Owner
    3. Users
    4. Trusted Installers
  6. Click the edit button and change the permissions to full control for all of these
  7. Click apply and OK/close out of the temp folder properties window
  8. You can now install the program without issue
  9. Once the program is installed and working, go back to the temp properties and change the permissions back to what they were before
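
One way to carry out steps 5 and 9 without relying on handwritten notes, as an added example that is not part of the original post: it snapshots the folder's ACL before you widen it and restores it afterwards. The backup path is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example: snapshot the ACL on C:\Windows\Temp before widening it for an
# MSI install, then put it back afterwards. Run from an elevated prompt.
$target = Join-Path $env:SystemRoot 'Temp'
$backup = Join-Path $env:SystemDrive 'acl-backup\windows-temp.acl'   # assumed location

function Save-TempAcl {
    New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null

    # Step 5 of the procedure: record who has what before anything changes.
    (Get-Acl -Path $target).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize |
        Out-Host

    # icacls stores the DACL in SDDL form under the folder's name relative to
    # its parent ("Temp"), which matters for the restore below.
    icacls $target /save $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed for $target" }

    # Return the current security descriptor so the restore can be verified.
    return (Get-Acl -Path $target).Sddl
}

function Restore-TempAcl {
    param([Parameter(Mandatory)][string]$OriginalSddl)

    # /restore is pointed at the PARENT directory, because the backup file
    # refers to the folder by its relative name.
    icacls (Split-Path $target) /restore $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /restore failed for $target" }

    # Step 9 of the procedure: confirm the permissions are back to what they were.
    $current = (Get-Acl -Path $target).Sddl
    if ($current -eq $OriginalSddl) {
        Write-Host "ACL on $target matches the saved state."
    } else {
        Write-Warning "ACL on $target differs from the saved state; review it manually."
        Write-Host "Saved  : $OriginalSddl"
        Write-Host "Current: $current"
    }
}

$before = Save-TempAcl
Read-Host 'ACL saved. Carry out steps 6-8 (grant Full Control, run the installer), then press Enter' | Out-Null
Restore-TempAcl -OriginalSddl $before
```

Keeping the window between the save and the restore short limits how long every local user has Full Control over the system temp folder.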

(Solved!) How to Disable “You should only open attachments from a trustworthy source” in Outlook on Windows Remote Desktop Server

Recently we set up an RDP server for a client who moves around from location to location.  In their Outlook profile, when the user tried to open a PDF, a message would pop up:

Solution:

  1. Login as administrator to your RDP server
  2. Promote the user having the issue to a local computer administrator on the remote desktop server.  (Control Panel, User Accounts, Manage User Accounts, Add, then select the user and domain if applicable and choose administrator)
  3. Log in as the user
  4. Hold Control and Shift then click on the Outlook icon.  Or right-click the Outlook icon and “Run as Administrator”.  Outlook will open in elevated status and should not ask for a username and password as you are logged in as a local administrator.  It will also load the correct Outlook profile.
  5. Open a PDF and you will now be able to uncheck the box.
  6. Log off the user and log back in as the domain admin
  7. Remove the user as an administrator for the local remote desktop (we don’t want them to continue to be an admin)

Notice the “Always ask before opening this type of file” is greyed out.  This setting requires local administrator access and an elevated Outlook to get rid of the checkbox.  On a remote desktop server, this was a real issue as the local user isn’t an administrator.  When you tried to open Outlook as an administrator and use the network admin credentials, Outlook would not load the profile correctly so you couldn’t see any files which would bring up this error.

We perused the Googles for hours and couldn’t come up with a registry entry or anything that worked.  We finally fixed the issue.  What ended up helping was a post from Roady, a Microsoft MVP.  His solution would work on a normal Windows machine but did not work in a remote desktop environment.

The key is, you need a local administrator to elevate Outlook to enable the checkbox.

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook-mso_win10/how-to-disable-the-warning-on-opening-any/b424facc-3855-4467-8225-cb0c9de44c11

As this is a computer-wide change, you can only change that option when you are running Outlook as an Administrator.

  1. Close Outlook.
  2. Hold CTRL+SHIFT while clicking on the Outlook icon.
  3. Accept the security prompt and/or provide administrator credentials.
  4. Open the attachment and untick the “Always ask…” box.
  5. Close Outlook and start it normally.

Robert Sparnaaij [MVP-Outlook]

https://www.howto-outlook.com

https://www.msoutlook.info

How To: Setup Active Directory Roaming Profiles with Folder Redirection Server 2016, Server 2012, Server 2008R2

How to Setup Active Directory Roaming Profiles with Folder Redirection with Administrative access to files and folders and without user access to other people’s profiles.

First, a warning: do not redirect the App Data folder.  In practice, we found that many programs require your App Data Local and App Data Roaming folders to be editable on the local computer and may respond incorrectly to different installations and configurations.  This includes most networked programs, particularly those requiring network connectivity, like SQL-based applications.  Also, MS Outlook can act erratically when it cannot read the folder on your local machine to find the profiles, etc.

Setting up a server with Roaming Profiles can be a great benefit to your organization.  It allows users to log in to any computer and have their user settings and files follow them.  There are drawbacks to the default Roaming Profiles setup.  If you just use the profile settings which Microsoft defaults to in the Active Directory Users and Computers app, you will end up with user profiles in a folder which you as an administrator cannot access.  Also, some backup software will have issues backing them up because of the user permissions assigned.

In this tutorial, we’ll show you how to set up a Roaming Profile and set up proper Folder Redirection where the user cannot see the other users files, but the administrator can administer the files and assign other users like backup operators to be able to access and backup the files as well.  Some steps in this user guide will assume you have a basic knowledge of Windows Server software, File Permissions, and Active Directory.

Step 1 – Create two folders

Create two folders on your storage drive; this may be a separate drive or your C:\ drive.  We will call them “Profiles” and “Users.”  You can name them what you want.  We recommend you do this on a separate storage drive or partition for backup and working purposes.  The reason we have two is that one will hold our User Profile, and the other will hold our home directories, like Documents, Desktop, Downloads, etc.

Step 2 – Permissions of the Profiles Folder.

Right-click on the Profiles folder and click “Share With” and then “Specific People”.  Make sure the Administrator has Read/Write access.  Then click the Security tab.  Change the Group or user names permissions by clicking Edit.  Click Add and type “Users”.  Hit Enter and your box should look like below.

Step 3 – Permissions of the Users Folder

Right-click on the Profiles folder and click “Share With” and then “Specific People”.  Make sure the Administrator has Read/Write access.  Then click the Security tab.  Make sure “Users” is not on this folder, as we do not want other users to be able to look at other people’s files.

Step 4 – Create Folder Redirection Policy in Group Policy

This setup is not scary!

Go back to your Administrator Tools and select Group Policy Management.  Open it to Forest/Domains/*your domain*.  It should look like below.

Now, right-click on your “Default Domain Policy” and select Edit

Navigate to User Configuration / Policies / Windows Settings / Folder Redirection

Here you can see the folders which can be redirected.  Right-click on each one, Select Basic – Redirect everyone’s folder to the same location

Then select the Root Path “\\yourservername\users”.  Make sure this is a UNC path and not a local path such as C:\whatever.

Then select the Settings tab.  Make sure “Grant the user exclusive rights to *whatever*” is UNCHECKED.

Do the same procedure for all of the folders you want re-directed.  Accept prompts.

Step 5 – Create a new user in Active Directory

Open the Windows Administrator Tools Window from the Control Panel

Open Active Directory Users and Computers

Click on Users and right-click.  Select New / User

Name your user whatever.  Here we named our user Test6

Click Next, Select Password, click ok

Step 6 – Profile paths in the User Profile section

Find the new user and right-click on the user then select Properties

Click the Profile tab

In the Profile tab, enter the UNC path to our first “Profile” folder  *in my test it was \\pfd-server\profiles\test6  -the pfd-server is your username and the test6 is the profile folder you want to create for this user.  We keep them the same.

Under “Home Folder”, select “Connect”, then select the U drive *or any drive letter* then type the UNC path to your users folder you created earlier.  *In my test, it is \\pfd-server\user\test6

Press Apply, and OK

Step 7 – Login as the User

When you log in as the user, you should now see a regular login screen but you should also see “Applying Folder Re-Direction Policy” which means it is copying the home folders to the “Users” folder you selected.  It may take a minute or two to copy.

Now you should see in your file explorer under your “This PC” a U drive with the username listed.  If you click on it, you should see all of your home folders there for the user.

Now if you log into the server, you should be able to go to your storage drive and go to users.  You can see below, I am logged in as the administrator but I am able to fully access the files and work with them.

Good luck out there!  Hope this helps you :).

Solved! Login Failed, slow logins, winlogon notification subscriber gpclient error taking 450 seconds to boot

A client was having an issue logging into their computer.  First was a blue screen saying the login failed because the unique identifier is not supported.  After fixing that issue, we faced two errors today with our roaming profile.

Error 1:

First logon fails with “The universal unique identifier (UUID) type is not supported”

Error 2:

Here is the winlogon notification about the gpclient that we received in Event Viewer after taking 10 minutes to log in.

The first part was solved by taking control of the gpsvc service then applying the command from here:

cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v Type /t REG_DWORD /d 0x10 /f

After we ran this command in an elevated command prompt, the error for the UUID went away, but it still took ten minutes to log in.  We did a little more research and found a beautiful script below.  We copied it into a winlogin.bat file and saved it on the C drive.  After we saved it, we opened an elevated command prompt and navigated to the script to run it.  I found just double clicking the script or opening it did not work properly.

@Echo off
rem Marker file: if the repair has already run on this machine, skip it.
If EXIST "c:\Wbem.txt" GOTO END

:BEGIN
Echo.Checking following services...
Echo IPHelper (iphlpsvc)
Echo SMS Agent Host (CcmExec)
Echo Security Centre (wscsvc)
Echo Windows Management Instrumentation (winmgmt)
Echo.

Set Service1="ccmexec"
Set Service2="iphlpsvc"
Set Service3="wscsvc"
Set Service4="winmgmt"

:CHECK
rem For each service: read its STATE from "sc query". If it is not STOPPED,
rem stop it, wait 10 seconds, and start the checks again from the top.
for /F "tokens=3 delims=: " %%H in ('sc query %Service1% ^| findstr "STATE"') do (
  Set Service1State=%%H
  if /I "%%H" NEQ "STOPPED" (
    echo.%Service1% still STOP_PENDING. Press Any key to check again otherwise Ctrl C out of the script
    net stop %Service1%
    timeout 10
    cls
    GOTO Check
  )
)
for /F "tokens=3 delims=: " %%H in ('sc query %Service2% ^| findstr "STATE"') do (
  Set Service2State=%%H
  if /I "%%H" NEQ "STOPPED" (
    echo.%Service2% still STOP_PENDING. Press Any key to check again otherwise Ctrl C out of the script
    net stop %Service2%
    timeout 10
    cls
    GOTO Check
  )
)
for /F "tokens=3 delims=: " %%H in ('sc query %Service3% ^| findstr "STATE"') do (
  Set Service3State=%%H
  if /I "%%H" NEQ "STOPPED" (
    echo.%Service3% still STOP_PENDING. Press Any key to check again otherwise Ctrl C out of the script
    net stop %Service3%
    timeout 10
    cls
    GOTO Check
  )
)
for /F "tokens=3 delims=: " %%H in ('sc query %Service4% ^| findstr "STATE"') do (
  Set Service4State=%%H
  if /I "%%H" NEQ "STOPPED" (
    echo.%Service4% still STOP_PENDING. Press Any key to check again otherwise Ctrl C out of the script
    net stop %Service4%
    timeout 10
    cls
    GOTO Check
  )
)

:STATUS
CLS
Echo.%Service1% is %Service1State%
Echo.%Service2% is %Service2State%
Echo.%Service3% is %Service3State%
Echo.%Service4% is %Service4State%
echo.
echo.All Services Stopped... Please Wait... Repairing WBEM Repository
rem Delete the WMI repository; it is rebuilt when winmgmt next starts.
del C:\Windows\System32\wbem\Repository\*.* /q
rem rd does not accept wildcards, so remove the directory by name.
rd /s /q C:\Windows\System32\wbem\Repository
timeout 5
cls
echo.Fix complete. Your computer will Restart in 60 seconds.
shutdown -r -t 60
rem Write the marker file so the repair is not repeated on the next run.
echo.WBEM Script Control > c:\WBEM.txt
timeout 60

:END

After running this script, the boot time went down to 30 seconds instead of 5-10 minutes.  It seems when this problem happens you have to run this manually.  I’m sure you can set this up in a shutdown sequence.

Here are two resources I used:

https://support.microsoft.com/en-us/help/2976660/first-logon-fails-with-the-universal-unique-identifier-uuid-type-is-no

https://community.spiceworks.com/topic/324801-winlogon-notification-subscriber-gpclient-error-taking-605-seconds-to-boot

Synchronize time with external NTP server on Windows Server 2008, Server 2008R2

Here’s how to synchronize time with an external NTP server on Windows Server 2008 (R2).

Posted on 16 November 2009 by Marek in Microsoft, Windows Server 2008, Windows Server 2008 R2

Time synchronization is an important aspect for all computers on the network. By default, the client computers get their time from a Domain Controller, and the Domain Controller gets its time from the domain’s PDC Operation Master. Therefore the PDC must synchronize its time from an external source. I usually use the servers listed at the NTP Pool Project website. Before you begin, don’t forget to open the default UDP 123 port (in- and outbound) on your (corporate) firewall.

  1. First, locate your PDC Server. Open the command prompt and type: C:\>netdom /query fsmo
  2. Log in to your PDC Server and open the command prompt.
  3. Stop the W32Time service: C:\>net stop w32time
  4. Configure the external time sources (the peer list is space-delimited), type: C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
  5. Make your PDC a reliable time source for the clients. Type: C:\>w32tm /config /reliable:yes
  6. Start the w32time service: C:\>net start w32time
  7. The Windows Time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
  8. Check the Event Viewer for any errors.

How to show and hide a Windows Update or Driver Update from Windows 10

Recently I’ve had an issue with Windows Update where it wouldn’t install a particular update.  It would crash and make Windows boot screen stay in a perpetual startup or “Welcome” screen.  I was able to cancel the update by restarting which rolled the computer back to a time before the update, then it would re-download the update and crash again.  Unlike Microsoft Windows updates of old, there is no place natively to view updates and stop them from installing.  I found the following steps from the Microsoft article on how to prevent a driver update from reinstalling to be helpful.  In particular downloading the wushowhide.diagcab file did the trick for us.  We were able to hide the update and the system hasn’t been in a reboot loop since:

For Windows 10 Version 1607 (Anniversary Update)

  1. Start Device Manager. To do this, press and hold (or right-click) the lower-left corner of the desktop, and then select Device Manager.
  2. Locate and right-click the device that has the problem driver installed, and then select Properties.
  3. Select the Driver tab, and then select Roll Back Driver.

For Windows 10 Version 1511 (November update)

Important: If you don’t have Version 1607 installed, we recommend that you update now. You can use Windows Update to get Version 1607 or go to https://www.microsoft.com/en-us/software-download/windows10, and then select Update Now.

  1. Start Device Manager. To do this, press and hold (or right-click) the lower-left corner of the desktop, and then select Device Manager.
  2. Locate and right-click the device that has the problem driver installed, and then select Properties.
  3. In the Confirm Device Uninstall dialog box, select the Delete the driver software for this device checkbox, if it’s available.

To temporarily prevent the driver from being reinstalled until a new driver fix is available, a troubleshooter is available that provides a user interface to hide and show Windows updates and drivers for Windows 10.

The following troubleshooter is available for download from the Microsoft Download Center (note, file will begin downloading once you click):

Download the “Show or hide updates” troubleshooter package now.

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

When you click the download link, you’re prompted to open or save wushowhide.diagcab.

To run the troubleshooter, open wushowhide.diagcab, select Next, and then follow the instructions in the troubleshooter to hide the problematic driver or update.

Getting files to show up in Network folder

Remove the following registry keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRemoteRecursiveEvents
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRemoteChangeNotify
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"DirectoryCacheLifetime"=dword:00000000

Restart explorer and try again!

The keys didn’t exist for me, but I added them as DWord with a value of 0 (zero) and restarted Explorer and it worked.

http://www.teamas.co.uk/2012/02/windows-2008-r2-shared-files-do-not.html

https://social.technet.microsoft.com/Forums/windows/en-US/947489ae-dc86-45f0-ad5e-463a62e1d59f/files-not-showing-up-in-networked-drive

Group Policy Settings for Personalization

Preventing users from changing their personalization settings

The following Group Policy settings prevent users from making changes:

  • Prevent changing theme
  • Prevent changing visual style for windows and buttons
  • Prevent changing window color and appearance
  • Prevent changing desktop background
  • Prevent changing desktop icons
  • Prevent changing mouse pointers
  • Prevent changing screen saver
  • Prevent changing sounds

Preventing users from changing personalization settings locks them to their current settings. If you want to force specific settings, you can apply a specific theme for new users by using the following Group Policy setting:

  • Load a specific theme

Note: You should carefully consider if this policy setting is appropriate. People with disabilities use several personalization options. For example, high-contrast modes are applied by using the themes and the Window Color and Appearance features in Personalization in Control Panel.

Using the screen saver to lock the system when it is not being used

It is possible to enforce a system lock after a defined interval. This requires the following two policy settings:

  • Password protect the screen saver
  • Screen saver timeout

When you change these policy settings, the system locks after the time you define, no matter what screen saver the user has selected. In Windows 7, even if the user selects the screen saver labeled None, the system locks at the specified interval. If you want to enforce a specific screen saver, you can use the following policy setting:

  • Force specific screen saver
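
These settings are stored as per-user policy values in the registry, so the idle lock can be checked on a machine after the policy has applied. The following is an added example, not part of the original article, that reads them for the logged-on user; the 900-second ceiling is an assumed threshold, not a value from this page.

```powershell
# Added example: report whether the screen-saver lock policy pair described
# above is in effect for the current user. Read-only; no elevation needed.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-ScreenLockPolicy {
    param(
        [string]$Key = $policyKey,
        [int]$MaxSeconds = 900          # assumed ceiling for an acceptable idle time
    )

    # Returns $null when no personalization policy has been applied at all.
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    $secure  = $p.ScreenSaverIsSecure   # "Password protect the screen saver"
    $timeout = $p.ScreenSaveTimeOut     # "Screen saver timeout" (seconds)
    $active  = $p.ScreenSaveActive      # "Enable screen saver"
    $forced  = $p.'SCRNSAVE.EXE'        # "Force specific screen saver"

    $findings = @()
    if ($secure -ne '1') {
        $findings += 'Password protect the screen saver is not enabled by policy.'
    }
    if ([string]::IsNullOrEmpty("$timeout")) {
        $findings += 'Screen saver timeout is not set by policy; the user controls it.'
    } else {
        $seconds = 0
        if (-not [int]::TryParse("$timeout", [ref]$seconds) -or $seconds -le 0) {
            # A timeout of zero means the screen saver never starts, so no lock.
            $findings += "Screen saver timeout is '$timeout'; the lock never triggers."
        } elseif ($seconds -gt $MaxSeconds) {
            $findings += "Screen saver timeout is $seconds s, above the $MaxSeconds s ceiling."
        }
    }

    [pscustomobject]@{
        PasswordProtect  = $secure
        TimeoutSeconds   = $timeout
        ScreenSaveActive = $active
        ForcedScreenSaver = $forced
        LockEnforced     = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Get-ScreenLockPolicy | Format-List
```

Because these are User Configuration settings, run the check in the session of the user whose policy you want to confirm, after gpupdate has completed.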

Group Policy settings introduced in Windows 7

The following Group Policy settings to control personalization are added in Windows 7.

The full path of this node in the Group Policy Management Console is:

User Configuration\Administrative Templates\Control Panel\Personalization

Available policy settings:

  • Prevent changing mouse pointers
    Explanation: This policy setting allows you to prevent users from changing their mouse pointers. If you enable this policy setting, the Change mouse pointers link in Control Panel does not function.
    Requirements: At least Windows 7 or Windows Server 2008 R2

  • Prevent changing sounds
    Explanation: This policy setting allows you to prevent users from changing system sounds. If you enable this policy setting, the Sounds option in Personalization in Control Panel does not function.
    Requirements: At least Windows 7 or Windows Server 2008 R2

  • Load a specific theme
    Explanation: This policy setting allows you to apply a specific theme when the user logs on for the first time. If you enable this policy setting, when the user logs on for the first time, the theme you selected is applied to that computer.
    Note: This policy setting does not prevent the user from customizing their current theme or selecting another theme. To lock a specific theme, see Preventing users from changing their personalization settings.
    Requirements: At least Windows 7 or Windows Server 2008 R2

Changes to legacy Group Policy settings

In Windows 7, many legacy Group Policy settings have been removed or relocated so that domain administrators can find all of the relevant options in one place.

The full path of this node in the Group Policy Management Console is:

User Configuration\Administrative Templates\Control Panel\Personalization

Available policy settings:

  • Prevent changing color scheme
    Explanation: This policy setting is removed in Windows 7. If you enable the Prevent changing window color and appearance policy setting, you can prevent users from changing the colors and system metrics of your windows.
    Requirements: Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP

  • Prevent changing theme
    Explanation: This policy setting allows you to prevent users from selecting a different theme or saving any of their customized themes. If you enable this policy setting, the theme gallery in Personalization in Control Panel does not function.
    Requirements: At least Windows XP Professional or Windows Server 2003 family

  • Password protect the screen saver
    Explanation: This policy setting allows you to lock the system. If you enable this policy setting, the system locks at a user-defined interval. This policy setting is effective even when no screen saver is selected.
    Note: If you want to control the time interval, use the Screen saver timeout Group Policy setting.
    Requirements: At least Windows 2000 Service Pack 1

  • Screen saver timeout
    Explanation: This policy setting allows you to specify the amount of idle time that must elapse before launching the screen saver. If you enable this policy setting with the Enable screen saver policy setting, you ensure that the system lock will work even when no screen saver is selected.
    Note: The system will lock at a user-defined interval. If you want to control the time interval, use the Screen saver timeout policy setting.
    Requirements: At least Windows 2000 Service Pack 1

Update group policy CMD

c:\>gpupdate /force