Automatically drop your Privileged Access Workstation off the network while it’s unattended

“One of my favorite hobbies is hunting sysadmins” – Hacker of Hacking Team’s network

I only periodically log in to my Privileged Access Workstation to carry out administrative tasks. Although I have restrictive policies applied and Windows Firewall locked down, there’s no reason for that machine to be on the network while I’m not actively using it.

In an attempt to address this, I created two simple scheduled tasks:

1. Disable all NICs when workstation is locked

2. Enable all NICs when workstation is unlocked

Note that these depend on the correct audit logging being enabled on the machine in question, otherwise these tasks won’t trigger:

It also depends on how you use your PAW. If you regularly log out rather than shut down, you will need to add additional triggers to the tasks to handle the log off/log on events.

Import these tasks into Task Scheduler and use them at your own peril. You may run into issues if you don’t store any cached logons and simultaneously require a domain controller to be accessible at logon.

Mitel: The TKB has failed to connect to or has lost connection with the IP console application

Had an issue today where our old IP5550 consoles decided that they wouldn’t communicate with the software on our reception PCs. Looking through the logs, this was the only error I could find:

The TKB has failed to connect to or has lost connection with the IP console application

As it happened, I’d just built a Windows 10 PC and installed the 5550 software. I thought that some incompatibility with W10 was the cause of my issues, but then the second console with software on a Windows 7 PC also decided to flake out.

The solution, after all of my troubleshooting, was to pull the power plug on both of the IP consoles and then plug them back in again. So basic that I should have thought of it earlier.


Reset the CSC (Offline Files) database

Over the years I’ve had many issues where a Windows client PC just won’t connect to a share using the FQDN, but can connect using the NetBios name. There have also been plenty of occasions where the opposite is true, too.

I had the issue again today on a freshly-built Windows 10 machine. Folder redirection wouldn’t apply because the user’s desktop folder was inaccessible.

Then I came across this post on the Spiceworks forums that mentioned resetting the CSC database. I tried that, and folder redirection now works perfectly!

If caching is enabled on the share in question, and the CSC database is knackered, you’ll run into this same problem.

If only I’d known about this earlier in my 15-year IT career, it could potentially have saved a lot of headaches.

Add the following reg key/value. then reboot the PC:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Csc\Parameters /v FormatDatabase /t REG_DWORD /d 1 /f

Retrieving voicemail files from a Mitel 3300 controller, and converting them to WAV

Today I had the displeasure of having to figure out how to retrieve and convert voicemail files from some old Mitel 3300 controllers.

Thanks to this forum post which pointed me in the right direction.

  1. Connect via FTP using a proper FTP client like FileZilla, to the 3300’s IP address
  2. Navigate to /vmail/d/vm/grp/<extension>
  3. Grab the relevant file. They’re all G.711 U-Law format RAW audio files
  4. Grab SoX –, and extract it somewhere
  5. Run the following command:
sox.exe --channels 1 --type raw --rate 8000 -e u-law -v 1 -D <inputfile> outputfile.wav

Quickly uninstall an MSI on multiple computers using WMI

Today I was working on reducing our vulnerability attack surface, and needed to remove Adobe Reader from our servers. It appears that it was installed as part of a VM image, but never maintained afterwards.

Long story short, rather than mess around with ConfigMgr baselines or Applications, I decided to go the direct route. To top it off, PowerShell remoting’s currently playing up. I ended up using WMI via the method that I outlined in my previous post.

Given an array of server names in $servers:

$servers | %{Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'MsiExec.exe /x "{AC76BA86-7AD7-1033-7B44-AA1000000001}" /norestart /qn' -ComputerName $_}

Trigger a remote GPUpdate without PSRemoting or PSExec

I recently enabled Windows Firewall on an unused server via GPO, but forgot to include the inbound RDP exception. This, of course, kicked me off my RDP session.

Rather than wait ~90 minutes for my revised GPO to take effect, I found that I could trigger a GPUpdate remotely using WMI (WinRM wasn’t enabled, and I didn’t want to use PSExec)

The following command does the trick:

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "gpupdate.exe" -ComputerName <computername>

View the creation date for AD-integrated DNS records

6 months in to my new job, and I’ve still got a big mess of old static DNS records to clean up from our Active Directory-integrated DNS.

The DNS management console doesn’t show any sort of date information, but I knew that because the data is stored in AD, there should be some sort of created/modified date on each record.

I had a look using ADSIEdit, and sure enough, there were the dates! Here’s a quick one-liner to pull out the records and their created/modified dates:

Get-ChildItem ",CN=MicrosoftDNS,CN=System,DC=contoso,DC=com" | Get-ADObject -Properties Created,Modified | Select-Object Name,Created,Modified | Sort-Object -Property Created

Armed with the creation date of each record, I’m in a better position to determine which ones are no longer needed.