Restricting Application Access Using AppLocker:
https://helpcenter.itopia.com/en/articles/4859965-restricting-application-access-using-applocker
https://adamtheautomator.com/windows-10-applocker/
https://helpcenter.itopia.com/en/articles/4859965-restricting-application-access-using-applocker
https://adamtheautomator.com/windows-10-applocker/
Shut down all VMs and PCs that might use shared on this server data.
On the old server:
Get and save information about all local accounts:
wmic useraccount get name,sid > D:\old-SIDs.txt
Get and save all permissions in selected folder:
icacls "D:\Data" /save D:\Data-icacls.txt /t /c
On the new server:
Configure new accounts
Get and save information about all local accounts:
wmic useraccount get name,sid > D:\new-SIDs.txt
On your PC:
Replace old SIDs with the new SIDs in ICACLS dump files (copy original dump files first)
On the new server:
Attach disk D: from an old server to the new one
Configure System to own D:
Allow admin to access D: (“This folder only” type)
Restore permissions from icacls dump:
icacls R:\ /restore D:\Data-icacls.txt
for %%G in (“C:\Program Files (x86)\Test Folder\*.exe”) do (
netsh advfirewall firewall add rule name=”Blocked With Batchfile %%G” dir=in action=block program=”%%G” enable=yes profile=any
netsh advfirewall firewall add rule name=”Blocked With Batchfile %%G” dir=out action=block program=”%%G” enable=yes profile=any
)
Я сделал так:
Скрипт с таким содержимым:
rd /q /s “%userprofile%\AppData\Local\1C\1Cv8\”
rd /q /s “%userprofile%\AppData\Local\1C\1Cv82\”
rd /q /s “%userprofile%\AppData\Local\1C\1Cv83\”
rd /q /s “%userprofile%\AppData\Roaming\1C\1Cv8\”
rd /q /s “%userprofile%\AppData\Roaming\1C\1Cv82\”
rd /q /s “%userprofile%\AppData\Roaming\1C\1Cv83\”
поставил в GPO нужных групп пользователей на выполнение при Logoff
https://www.4isla.ru/poleznoe/it-analitika/ochistka-kesha-1s-predpriyatie/
Добавляем все нужные базы из-под пользователя в 1С.
В файле c:\ProgramData\1C\1cestart\1cestart.cfg пишем:
CommonInfoBases=\\Путь-до-списка-доступный-всем\список.v8i
Вписываем базы из %userprofile%\AppData\Roaming\1C\1CEStart\ibases.v8i в \\Путь-до-списка-доступный-всем\список.v8i
Очищаем %userprofile%\AppData\Roaming\1C\1CEStart\ibases.v8i
https://www.portal-yug.ru/blog/corp/34.php
https://interface31.ru/tech_it/2014/01/ustanovka-i-nastroyka-ms-sql-server-dlya-1spredpriyatie.html
Инструкция для перезапуска сервисов 1С+SQL:
1. Снять все зависшие сеансы 1С через Администрирование серверов 1С
2. Остановить службу 1С
3. Подождать минутку, при этом должны быть завершены все процессы rphost, ragent
4. Удалить все процессы, запущенные под доменным пользователем USR1CV8 (под которым запускается служба Агент сервера 1С:Предприятия) – если они есть
5. Удалить содержимое папки C:\Program Files\1Cv8\srvinfo\reg_1541\snccnt
Внимание! не перепутай папку! Внутри папки будет несколько файлов snccntx*.dat, их все удалить, несмотря на предупреждения. Это файлы сеансов 1С.
6. Очистить временную папку пользователя, под которым запускается служба Агент сервера 1С:Предприятия
7. Перезапустить службы SQL (запросит перезапуск зависимой службы Агент SQL сервера)
8. Запустить службу Агент сервера 1С:Предприятия
Немного модифицированный батник:
@echo off
set logfile=”C:\Log1C\rest1c.log”
echo >>%logfile%
echo %date% %time% >>%logfile%
net stop “1C:Enterprise 8.3 Server Agent (x86-64)” >>%logfile%
ping -n 60 localhost>Nul
echo %date% %time% >>%logfile%
net stop “SQLSERVERAGENT” >>%logfile%
ping -n 20 localhost>Nul
echo %date% %time% >>%logfile%
net stop “MSSQLSERVER” >>%logfile%
ping -n 300 localhost>Nul
del /f /q “C:\Program Files\1cv8\srvinfo\reg_1541\snccntxb2cd4cc0-6c7c-4c26-9069-1d66fff886b9\*.*” >Nul
echo %date% %time% SRVINFO Cleared >>%logfile%
ping -n 10 localhost>Nul
del /f /s /q “PATH-TO-USERS-PROFILES\USR1CV8\AppData\Local\Temp\*.*” >Nul
echo %date% %time% USR1CV8 Temp Cleared >>%logfile%
ping -n 10 localhost>Nul
echo %date% %time% >>%logfile%
net start “MSSQLSERVER” >>%logfile%
ping -n 120 localhost>Nul
echo %date% %time% >>%logfile%
net start “SQLSERVERAGENT” >>%logfile%
ping -n 20 localhost>Nul
echo %date% %time% >>%logfile%
net start “1C:Enterprise 8.3 Server Agent (x86-64)” >>%logfile%
ping -n 60 localhost>Nul
exit
Спасибо Руслану.
https://www.avtomatizator.ru/articles/arkhivnye-novosti/sbros-parolya-1s-8-2-ili-8-3-sql/
https://geekbullet.com/how-to-add-performance-stats-in-windows-11-taskbar/
https://www.partitionwizard.com/news/internal-hard-drive-ssd-shows-as-removable.html
Sometimes in Windows disks installed inside PC case may be seen as removable despite they are connected to the SATA or PCIe and fixed by the screw.
In my PC it happened because of the SATA controller: it has a hot swap drive function. I need that function because my PC case has an option to add/remove SATA HDD/SSD from the front panel very quickly and easy without unscrewing the case and shutting down the OS.
Add selected disks in the list of fixed drives:
In Device Manager look at which bus number seats the disk(s) you want to add to the fixed drives list.
Add the TreatAsInternalPort key:
reg add “HKLM\SYSTEM\CurrentControlSet\Services\storahci\Parameters\Device” /f /v TreatAsInternalPort /t REG_MULTI_SZ /d X
Than add the disks you need to be fixed to the list inside TreatAsInternalPort key. Each bus number should be placed in its own line.
If you need to add drive on the bus 0 together with the drives on the other buses, use this: reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\storahci\Parameters\Device" /f /v TreatAsInternalPort /t REG_MULTI_SZ /d "0\01\02\03"
https://superuser.com/a/217506
Windows Environment Path Variables
%AllUsersProfile% - Open the All User's Profile C:\ProgramData
%AppData% - Opens AppData folder C:\Users\{username}\AppData\Roaming
%CommonProgramFiles% - C:\Program Files\Common Files
%CommonProgramFiles(x86)% - C:\Program Files (x86)\Common Files
%HomeDrive% - Opens your home drive C:\
%LocalAppData% - Opens local AppData folder C:\Users\{username}\AppData\Local
%ProgramData% - C:\ProgramData
%ProgramFiles% - C:\Program Files or C:\Program Files (x86)
%ProgramFiles(x86)% - C:\Program Files (x86)
%Public% - C:\Users\Public
%SystemDrive% - C:
%SystemRoot% - Opens Windows folder C:\Windows
%Temp% - Opens temporary file Folder C:\Users\{Username}\AppData\Local\Temp
%UserProfile% - Opens your user's profile C:\Users\{username}
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup - Opens Windows 10 Startup location for program shortcuts
Run commands
Calc - Calculator
Cfgwiz32 - ISDN Configuration Wizard
Charmap - Character Map
Chkdisk - Repair damaged files
Cleanmgr - Cleans up hard drives
Clipbrd - Windows Clipboard viewer
Cmd - Opens a new Command Window (cmd.exe)
Control - Displays Control Panel
Dcomcnfg - DCOM user security
Debug - Assembly language programming tool
Defrag - Defragmentation tool
Drwatson - Records programs crash & snapshots
Dxdiag - DirectX Diagnostic Utility
Explorer - Windows Explorer
Fontview - Graphical font viewer
Ftp - ftp.exe program
Hostname - Returns Computer's name
Ipconfig - Displays IP configuration for all network adapters
Jview - Microsoft Command-line Loader for Java classes
MMC - Microsoft Management Console
Msconfig - Configuration to edit startup files
Msinfo32 - Microsoft System Information Utility
Nbtstat - Displays stats and current connections using NetBios over TCP/IP
Netstat - Displays all active network connections
Nslookup - Returns your local DNS server
Odbcad32 - ODBC Data Source Administrator
Ping - Sends data to a specified host/IP
Regedit - registry Editor
Regsvr32 - register/de-register DLL/OCX/ActiveX
Regwiz - Registration wizard
Sfc /scannow - System File Checker
Sndrec32 - Sound Recorder
Sndvol32 - Volume control for soundcard
Sysedit - Edit system startup files (config.sys, autoexec.bat, win.ini, etc.)
Systeminfo - display various system information in text console
Taskmgr - Task manager
Telnet - Telnet program
Taskkill - kill processes using command line interface
Tskill - reduced version of Taskkill from Windows XP Home
Tracert - Traces and displays all paths required to reach an internet host
Winchat - simple chat program for Windows networks
Winipcfg - Displays IP configuration
Microsoft Office suite
winword - Microsoft Word
excel - Microsoft Excel
powerpnt - Microsoft PowerPoint
msaccess - Microsoft Access
outlook - Microsoft Outlook
ois - Microsoft Picture Manager
winproj - Microsoft Project
Management Consoles
certmgr.msc - Certificate Manager
ciadv.msc - Indexing Service
compmgmt.msc - Computer management
devmgmt.msc - Device Manager
dfrg.msc - Defragment
diskmgmt.msc - Disk Management
fsmgmt.msc - Folder Sharing Management
eventvwr.msc - Event Viewer
gpedit.msc - Group Policy (< XP Pro)
iis.msc - Internet Information Services
lusrmgr.msc - Local Users and Groups
mscorcfg.msc - Net configurations
ntmsmgr.msc - Removable Storage
perfmon.msc - Performance Manager
secpol.msc - Local Security Policy
services.msc - System Services
wmimgmt.msc - Windows Management
Control Panel utilities
access.cpl - Accessibility Options
hdwwiz.cpl - Add New Hardware Wizard
appwiz.cpl - Add/Remove Programs
timedate.cpl - Date and Time Properties
desk.cpl - Display Properties
inetcpl.cpl - Internet Properties
joy.cpl - Joystick Properties
main.cpl keyboard - Keyboard Properties
main.cpl - Mouse Properties
ncpa.cpl - Network Connections
ncpl.cpl - Network Properties
telephon.cpl - Phone and Modem options
powercfg.cpl - Power Management
intl.cpl - Regional settings
mmsys.cpl sounds - Sound Properties
mmsys.cpl - Sounds and Audio Device Properties
sysdm.cpl - System Properties
nusrmgr.cpl - User settings
firewall.cpl - Firewall Settings (sp2)
wscui.cpl - Security Center (sp2)
Wupdmgr - Takes you to Microsoft Windows Update
Configure “Use only TCP” in Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
Configure “Turn Off UDP On Client” in Computer Configuration > Administration Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client
Query:
qwinsta /server:IP/servername
Reset:
rwinsta SESSIONID /server:IP/servername
https://winitpro.ru/index.php/2018/07/11/rdp-shadow-k-rabochemu-stolu-polzovatelya-windows-10/
Перед установкой Ad Role: Windows Internal Database, reboot
Необходимо чтобы во время добавления роли была запущена служба Remote Registry.
Необходимо чтобы на обоих контроллерах была включена поддержка IPv6 в настройках сетевых карт.
Если на втором сервере появляется ошибка типа “Невозможно добавить роли потому что сервер должен быть перезагружен”, то надо на оба сервера установить Windows Internal Databese, перезагрузиться, добавить в Logon As Service: NETWORK SERVICE, NT SERVICE\ALL SERVICES и NT SERVICE\MSSQL$MICROSOFT##WID, включить службу Remote Regitry, сделать gpupdate на обоих серверах, перезагрузить оба сервера, проверить, есть ли оба пользователя в gpedit, и потом только добавлять роль DC на второй сервер.
Console commands:
https://community.spiceworks.com/topic/1495956-trransferring-fsmo-roles#entry-5601702
The GUI interface for the FSMO roles is spread all over the place. I always use NTDSUTIL to do this.
Open a command prompt on a Domain Controller
Enter “ntdsutil” and the following commands:
roles
connections
connect to server dc1 - put the target DC server's name here
quit
transfer infrastructure master
transfer naming master
transfer pdc
transfer rid master
transfer schema master
quit
quit
After each transfer you will see a list of the FSMO roles and where they are currently stored. Also, ntdsutil has the ability to seize the FSMO roles to a new domain controller. Instead of “transfer …” you use “seize …” for the roles. Use transfer first and seize only as a last resort.
Если после переезда на новый DC не применяются групповые политики на других компьютерах, необходимо проверить чтобы в DNS сервере нового DC были убраны и изменены все записи, касающиеся старого DC.
Sometimes it can work better in Powershell. It used to for me because using ntdsutil once I got error with transferring Schema Master role:
https://petri.com/seizing_fsmo_roles/
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole PDCEmulator -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole RIDMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole InfrastructureMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole SchemaMaster -Force
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole DomainNamingMaster -Force
Удаление:
https://winitpro.ru/index.php/2022/01/13/udalenie-kontrollera-domena-active-directory/
Authoritative restore for DFSR replication:
https://www.rmtechteam.com/blog/dfs-replication-dfsr-fix/
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-authoritative-recovery-sysvol
It happens when you restore old controller’s backup due, as I suppose, to a outdated DC database.
https://support.hostway.com/hc/en-us/articles/360001126259-How-to-fix-Error-0xc00002e2-after-rebooting-Windows-Domain-Controller
Reboot the server into Directory Services Restore Mode by pressing F8 before the OS begins loading. You will be required to use the local Administrator account password.
In Directory Services Restore Mode, you can check if there is a problem with the database by running the following commands:
ntdsutil.exe
activate instance ntds
files
If there is a problem with the Active Directory database NTDS.DIT, you will see an error like the following:
Could not initialize the Jet engine: Jet Error -501. Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113
To resolve this issue, rename all of the .log files located in C:\Windows\NTDS\ to .log.old, so the logs can be recreated after reboot.
This should fixed the database after the server is rebooted once more. If you continue to get the error, you can access again Directory Services Restore Mode and run the following command:
esentutl /p "c:\windows\ntds\ntds.dit"
Reboot the server and the issue should be solved.
https://winitpro.ru/index.php/2022/01/13/udalenie-kontrollera-domena-active-directory/
An Active Directory Domain Controller Could Not Be Contacted
https://winitpro.ru/index.php/2019/03/18/primenenie-gpo-spravka-admina/
https://portal.msrc.microsoft.com/en-us/security-guidance
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-320/Microsoft-Office.html
Enabling WRSM in Windows Server 2012 R2 to manage resouses used by each user:
https://www.vioreliftode.com/index.php/windows-system-resource-manager-and-windows-server-2012-r2/
Enabling multiconnection in windows 7, 8.1, 10:
https://github.com/stascorp/rdpwrap
https://winitpro.ru/index.php/2015/09/02/neskolko-rdp-sessij-v-windows-10/
1. Войти в windows под локальной учетной записью Администратора или Администратора домена;
2. Выполнить команду klist purge (для зачистки кэша Kerberos);
3. Выполнить команду «netdom resetpwd /s:x.x.x.x /ud:domain\User /pd:*»;
где x.x.x.x это IP-адрес контроллера домена
domain\User это учетная запись администратора домена с указанием имени домена
4. После запроса пароля — необходимо ввести пароль от учетной записи администратора домена;
5. Далее перезагрузить компьютер и войти под учетной записью.
https://www.itworkroom.com/the-trust-relationship-domain-failed/