So what does the Group Policy Preferences Drive Mapping log file contain?

Once you enable the logging via Group Policy, you’ll end up with a log file which contains:

  • Environment variable dump
  • Group Policy settings
  • Drive mapping lists (but not the actual path)

If you are like me, and misspell a file path, you’ll see an error like this:

2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Passed filter [FilterGroup].
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Filters passed.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Set user security context.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Adding child elements to RSOP.
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Properties handled. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Set system security context.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] EVENT : The user 'G:' preference item in the 'Map-Network-Drives {E089D01A-C249-48F5-8049-9C8FC96AA38F}' Group Policy object did not apply because it failed with error code '0x80070035 The network path was not found.'%100790273
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Error suppressed. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Completed class <Drive> - G:.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] {67803C61-824B-4ABA-ABFF-65E8687B0E59}

Three things to note:

  1. Windows Explorer will accept a “\” in a network path, Group Policy Preferences won’t.
    ie.  \\NODDYLAND\HOMEDRIVE\BE01\ vs \\NODDYLAND\HOMEDRIVE\BE01
  2. GPP will wait 3+ seconds before timing out with an error.
    Multiple wrong/missing paths will slow down your user’s logon experience.
  3. The error will also write into the Event Log.

The fun of buying Melbourne International Comedy Festival tickets

I see a lot of comedy during the Melbourne International Comedy Festival (MICF).

*LOTS*

As in 40+ shows this year.  This means dealing with multiple ticketing agents, including 2 variants of Ticketmaster.  Yes I could buy at the door.  Artists like ticket sales.  I like buying a ticket as it means I don’t run the risk of a sold-out show.

In an ideal world, there would be a “one stop shop” for all ticket purchases.  The MICF Ticketmaster combined purchase option goes partly towards this.

Ticketmaster – via MICF website.

ticketmaster-combined
The Good:
It saved me 15% over 10 tickets.

The Bad:
Some shows which are definitely Ticketmaster ticketed shows, don’t show up in the combined transaction list.

The Ugly:
There are issues with the “Combined purchase” option.  MICF are fixing them when they find them.  Dropping shows from your purchase list is the biggest issue so far.

Ticketmaster – other
If the show you want to see is not in the MICF “Combined” list, you have two options:

  1. buy individual tickets at Ticketmaster’s website, at great expense or
  2. go to a Ticketmaster outlet and buy all your tickets there.

I went to an outlet.

Trybooking
Works well, site search can be a bit difficult.  Print your own ticket(s).

Seatadvisor
Seatadvisor countdown
From the start of your booking session, you have ten minutes per show session.  So if you’re into a) going to multiple shows, and b) adrenaline; you’ll love the race between you and the expiring tickets.

ImprovConspiracy
One show, one purchase.  No way to combine purchases.

Windows 10 – “The properties for this item are not available”

The properties for this item are not availableThere’s a bug with Windows 10 which prevents you from seeing the properties for a folder.  To trigger it, you need to do the following:

  1. logon to Windows 10 with user account UserA.
  2. Run As an application, such as Explorer++ or QDir, with a different user account UserB
  3. right mouse-click on a folder, and select Properties.

“The properties for this item are not available” occurs.

The fix
Apply March 2016 Cumulative Update for Windows 10 for x64-based Systems (KB3140745), or later

The workaround
The “Interactive User” value needs to be removed form the the Runas registry key under [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{448aee3b-dc65-4af6-bf5f-dce86d62b6c7}]

You may need to take ownership of the key in order to change it.

AppLocker and applications which install in the users profile directory.

Google Chrome can be installed without administrator privileges - Continue(shout out to: Google Chrome, Mozilla Firefox and Microsoft’s SharePoint Designer)

Gee thanks guys.

We implemented AppLocker to improve our IT security, and you chaps decided to be clever.  The typical call to the Help Desk was
“My Google Chrome doesn’t work anymore.”

Well no, we block applications which are installed into the users profile directory.  Which is what Google Chrome/Firefox/Sharepoint Designer do.

The fix was to install Google Chrome with an Admin account.

AppLocker, ActiveSetup, Group Policy; all the dumb things

4846.applocker.png-200x0Welcome, strangers, to the show
I’m the one who should be lying low
Saw the knives out, turned my back
Heard the train coming, stayed out on the track
In the middle, in the middle, in the middle of a dream
I lost my shirt, I pawned my rings
I’ve done all the dumb things

– Paul Kelly, Dumb Things

Microsoft AppLocker is a wonderful technology which allows your IT Department to prevent malicious programs from being run on your work computer.  Great in theory, and my experience is that it works with some wrinkles.  It broadly works by using Group Policy to configure what is a “Trusted” location.

Applocker and Active Setup
Active Setup allows you to execute commands once per user, early, during login.   For example, you might want to do this to configure iTunes for each user who logs onto the computer.

Each Active Setup command has a file path to the commands that you need to run.  If you don’t trust this file path in Applocker, your Active Setup fails.

If you are using System Center Configuration Manager (SCCM), then it’s likely that you’ll see this failure.

Suggestion:
If you are going to add a “Path” rule to fix this issue, you need to add two.  One for EXEs and another one for MSIs.

Removing AppLocker via Group Policy
So for whatever reason, you have a class of “”special”” computers which AppLocker is not to apply to.  So you remove the AppLocker Group Policy from the “”special”” computer.  And it still seems to have AppLocker blocking programs.

What gives?
Well what seems to be happening is this:

  1. The AppLocker Application Identity service (AppIDSvc) is set to Manual.
  2. The AppLocker registry settings are being left behind.
  3. AppLocker causes applications to be blocked.

The fix?

  1. Start the Application Identity service (AppIDSvc)
  2. Logon to the computer.
  3. Restart the computer.

This causes AppLocker to finish removing the registry settings.

$NOCSC$–No Client Side Caching

NOCSC Twitter

No, I didn’t know that either.

So in other words, if you want to use the Server copy of a file, instead of the copy stored on the PC, you can do that by adding $NOCSC$ to the file path.
ie. \\Server$NOCSC$\<somefolder>\<somefile>
Another way of putting it, it causes the local computer to bypass the local file cache, and to grab the file from the file server.

I only found out about $NOCSC when a customer complained that their Roaming Profile was broken.  Looking at the event log I saw the strange $NOCSC$ entry

Log Name:      Application
Source:        Microsoft-Windows-User Profiles General
Date:          17/01/2016 17:15:09
Event ID:      1509
Task Category: None
Level:         Warning
Keywords:
User:          NODDYDOMAIN\BigEars
Computer:      SecurityPC
Description:
Windows cannot copy file C:\Users\BigEars\AppData\Roaming\Microsoft\Windows\Cookies\BigEars@fred.desk[2].txt to location \\server01$NOCSC$\Profiles$\BigEars.V2\AppData\Roaming\Microsoft\Windows\Cookies\BigEars@fred.desk[2].txt. This error may be caused by network problems or insufficient security rights.

DETAIL – Access is denied.

There is no Microsoft documentation on $NOCSC$ which means that it is unsupported for customer use.  The earliest reference to $NOCSC$ I can find is an event log reference in this Microsoft TechNet blog article from March 2008.   The earliest suggestion to use it, for debugging purposes, is from Microsoft’s Ned Pyle in March 2009.

It would seem that the earliest operating system to support it, is Microsoft Vista.

Victoria – Motorcycle Filtering

is now mostly legal.  Mostly legal, as there are still times & places where you CAN’T filter.

You can’t filter:

  • if you don’t have a FULL licence
  • between traffic and an adjacent curb.Legal-but-stupid_thumb.png
    (see photo)
  • between lines/lanes of traffic traveling in opposite directions
  • in bicycle lanes
    (or stationary in bicycle boxes for that matter)
  • in special purpose lanes
  • a no motorcycle lane filtering sign applies to the length of road09-94sr019149
  • where it is not safe
  • at speeds greater than 30km/h

But don’t accept my opinion on the subject, do go read the following:

Lane splitting / Mobile chicaning is still illegal.

The Chaplain’s Pen

Pilot BL-G21-7M G-2exIt was a chaplain who introduced me to this pen.  She uses it to write chaplainly things, sermons and such.

If you are writing plenty, you might want something which is pleasurable to use.  Plus anything which can improve my “is that scribbling Dale?” handwritting, is a blessing.

So the Pilot BL-G21-7M G-2ex is a large barrelled pen with a rubberised grip.  The ink is an acid free gel which is delivered via a 0.7mm ball.

Back in June, the chaplain mentioned that the pens were no longer available.

I do love a challenge.

So some Googling later, I found PilotOnline.com.au sell these G-2ex pens over the internet.  For good measure I ordered a box of Pilot BLS-G2 Refills.  So a short time later we each had a supply of pens and refills.

Now if I could only stop losing my pens.

Saturday Link Roundup–Group Policy, Kerberos, BranchCache

grouppolicy_thumb.jpgGroup Policy

Kerberos

BranchCache