Citrix/RDP Shortcut Keys... The Cheat Sheet

How to Enable or Disable Hotkeys within an ICA file (including Template.ica)

The procedure below allows for the default ICA Client hotkeys to be mapped within Web Interface. If any keys affect your application, alter them to reflect a key that does not conflict with your application. This process alleviates the need to alter each appsrv.ini file on the individual client workstation.

The Citrix Web Client, 6.x versions (985, 986, and 1050), do not have the code to read from the client installed Appsrv.ini or an .ICA file. Download and use the latest ICA client.

1. Using a text editor such as Notepad, locate the Template.ica file, or if using Web Interface 4.x or later, the default.ica file being used for the Web Interface site.

2. Copy the ICA parameters below into the Template.ica or default.ica file. Place this code after the [WFCLIENT] tag:

Mount ISO files in Linux

Use the following command to mount the ISO files in Linux

mount -o loop <ISO_FILE_NAME.ISO>  <MOUNT_POINT>

For Example:

mount -o loop linux-dvd.iso /mnt/linux-dvd/

Now change to /mnt/linux-dvd and you can see the contents of the ISO image.

Securing Access to Printers over the Internet

If you use Internet Printing Protocol (IPP) to share or access your printers over the Internet, keep in mind, print jobs aren’t secure. However you can enable encryption by setting up IIS with a security certificate, so you can access the printer via the https address using SSL.

First you need to create a self-signed cert using IIS:

1. Open the IIS Manager from the Control Panel.
2. Double-click the Server Certificates icon.
3. Click the Create Self-Signed Certificate link on the right.
4. On the dialog box, enter a name, and click OK.

Next you need to create bindings for HTTPS using IIS:

Cron Task

Configuring a Cron Task

The main configuration file for cron, /etc/crontab, contains the following lines:

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

The first four lines are variables used to configure the environment in which the cron tasks are run. The value of the SHELL variable tells the system which shell environment to use (in this example the bash shell), and the PATH variable defines the path used to execute commands. The output of the cron tasks is emailed to the username defined with the MAILTO variable. If the MAILTO variable is defined as an empty string (MAILTO=""), email will not be sent (sendmail on ESX is not installed by default). The HOME variable can be used to set the home directory to use when executing commands or scripts.

Each line in the /etc/crontab file has the format:

Enable Remote Desktop Through a Script

To use it, copy the code below and paste it into a text file with a .vbs extension. As written it works on the local machine. To run it against another machine, replace the period in this string with that computer's name: strComputer = "."

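' 1 allows Remote Desktop connections, 0 refuses them
Const ENABLE_CONNECTIONS = 1

' "." is the local machine; use a computer name to target another machine
strComputer = "."

' Connect to WMI on the target machine
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}\\" & strComputer & "\root\cimv2")

' Fetch the Terminal Services setting object(s)
Set colItems = objWMIService.ExecQuery _
    ("Select * from Win32_TerminalServiceSetting")

' Apply the setting; errResult holds the WMI return code (0 = success)
For Each objItem in colItems
    errResult = objItem.SetAllowTSConnections(ENABLE_CONNECTIONS)
Next

By the way, if you want to turn off Remote Desktop, just change the 1 in this line of code to a 0 (zero):

Const ENABLE_CONNECTIONS = 1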

Viewing Hidden Mailboxes from ADUC

I didn’t have access to an Exchange server to view them, nor did I have access to an admin box that had it installed. All I had was Active Directory Users and Computers. With that I knew that I could run queries within AD to see this info. The only hard part was finding out what I needed to query for to find hidden mailboxes. After seconds of thinking…okay, so more like hours, but it seemed like days, I figured it out. Below are the steps that will find that data for you.

1. Bring up Active Directory Users & Computers.
2. Right-click your domain name at the top, and choose Find.
3. In the Find combo box at the top, select Custom Search.
4. Click the Advanced tab.
5. Paste in the following LDAP query:

Shortcuts for Administrative Tools



AD Domains and Trusts
Active Directory Management
AD Sites and Services
AD Users and Computers
Authorization manager
Certification Authority Management
Certificate Templates
Cluster Administrator
Computer Management
Component Services
Configure Your Server
Device Manager
DHCP Management
Disk Defragmenter
Disk Manager
Distributed File System
DNS Management
Event Viewer
Indexing Service Management
IP Address Manage
Licensing Manager
Local Certificates Management
Local Group Policy Editor
Local Security Settings Manager
Local Users and Groups Manager
Network Load balancing
Performance Monitor
PKI Viewer
Public Key Management
QoS Control Management
Remote Desktops
Remote Storage Administration
Removable Storage
Removable Storage Operator Requests
Routing and Remote Access Manager
Resultant Set of Policy
Schema management
Services Management
Shared Folders
SID Security Migration
Telephony Management
Terminal Server Configuration
Terminal Server Licensing
Terminal Server Manager
UDDI Services Management
Windows Management Instrumentation
WINS Server manager

Script to Determine Members of a Group

I needed to find a way to list the members of a group. Thankfully I blogged about the first issue in February because that led me to the solution. I'm actually using the same DSGET command but instead of using the user command I'm using the group command.

DSGET GROUP CN=West_Coast_Sales,OU=Sales,OU=GROUPS,DC=adminprep,DC=com -MEMBERS -EXPAND

The output looks like this:

"CN=bmiller,OU=Sales,DC=adminprep,DC=com "
"CN=jsmith,OU=Sales,DC=adminprep,DC=com "
"CN=dregan,OU=Sales,DC=adminprep,DC=com "
"CN=lramero,OU=Sales,DC=adminprep,DC=com "
"CN=cpeters,OU=Sales,DC=adminprep,DC=com "
"CN=jhorton,OU=Sales,DC=adminprep,DC=com "

Hopefully this solution works for you too.

How to Display the Groups a User is a Member of

I've been trying to work more and more with scripts and today I'm sharing a simple but useful one: how to display the groups a user account is a member of. To display a user's groups via the command prompt you need to use the dsget command with the -memberof and -expand switches. The -expand switch will list all of the groups that you belong to that are nested in other groups.

Below is an example of how this would look:

dsget user "CN=Brian W. McCann,OU=Users,OU=Sales,DC=Adminprep,DC=com" -memberof -expand

The output would look similar to this:
"CN=GG Sales,OU=Groups,OU=Sales,DC=Adminprep,DC=com"
"CN=Domain Admins,CN=Users,DC=Adminprep,DC=com"
"CN=Domain Users,CN=Users,DC=Adminprep,DC=com"
"CN=GG Inside Sales,OU=Groups,OU=Sales,DC=Adminprep,DC=com"
"CN=GG Outside Sales,OU=Groups,OU=Sales,DC=Adminprep,DC=com"

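Added example, not part of the original post: a PowerShell sketch that reads dsget -memberof -expand output like the listing above and flags privileged groups, which is worth checking because -expand also reveals membership inherited through nesting. The watch list of group names, the function names and the sample lines are assumptions constructed for this example.

```powershell
# Added example (not from the original post). Parses the quoted DNs that
# "dsget user ... -memberof -expand" prints and flags privileged groups.
# $PrivilegedGroups is an assumed watch list; adjust it for your domain.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

function Get-CommonName {
    param([string]$DistinguishedName)
    # Split on the first comma that is not escaped with a backslash,
    # so a CN such as "Smith\, John" stays in one piece.
    $first = ($DistinguishedName -split '(?<!\\),', 2)[0]
    if ($first -match '^\s*CN=(.+)$') {
        # Remove DN escaping (for example "\," becomes ",").
        return ($Matches[1] -replace '\\(.)', '$1').Trim()
    }
    return $null
}

function Find-PrivilegedMembership {
    param([string[]]$DsgetOutput)
    foreach ($line in $DsgetOutput) {
        # dsget wraps each DN in double quotes; strip them and whitespace.
        $dn = $line.Trim().Trim('"').Trim()
        if (-not $dn) { continue }      # skip blank lines
        $cn = Get-CommonName $dn        # $null for non-DN status lines
        # -contains compares case-insensitively by default.
        if ($cn -and ($PrivilegedGroups -contains $cn)) {
            [pscustomobject]@{ Group = $cn; DistinguishedName = $dn }
        }
    }
}

# Constructed sample input, shaped like the output shown above.
$sample = @(
    '"CN=GG Sales,OU=Groups,OU=Sales,DC=Adminprep,DC=com"',
    '"CN=Domain Admins,CN=Users,DC=Adminprep,DC=com"',
    '"CN=Domain Users,CN=Users,DC=Adminprep,DC=com"'
)
Find-PrivilegedMembership -DsgetOutput $sample | Format-Table -AutoSize

# Live use on a domain-joined machine (the user DN is a placeholder):
# $out = dsget user "<user DN>" -memberof -expand
# Find-PrivilegedMembership -DsgetOutput $out
```

On the sample input only the Domain Admins line is reported, the kind of entry that deserves a second look on a sales account.
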
Installing Active Directory on Server Core with an Answer File

Active Directory still gets installed by using DCPromo on Server Core; however, you will have to use the /unattend: switch. In my case I copied the following sample answer file to the C:\temp directory and then ran the following command to install Active Directory using an answer file:

dcpromo /unattend:c:\temp\answer.txt

Here is a look at the answer file (don't worry, I just made that password up for this demo).

This is the Replica Domain Controller Answer File:

As I've written this blog I noticed on Microsoft's site that they have a KB that can be of further assistance with doing unattended installs or removals of Active Directory. Take a look at KB947034.

DNS Command Reference


DNSCMD option



Do any dnscmd command on a remote system

dnscmd servername command

dnscmd /zoneprint

Create a primary zone

dnscmd /zoneadd zonename /primary

dnscmd /zoneadd /primary

Create a secondary zone

dnscmd /zoneadd zonename /secondary master IP address

dnscmd /zoneadd /secondary

Host a zone on a server based on an existing (perhaps restored) zone file

dnscmd /zoneadd zonename /primary /file filename /load

dnscmd /zoneadd /primary /file /load

Delete a zone from a server

dnscmd /zonedelete zonename [/f]

dnscmd /zonedelete /f

(without the /f, dnscmd asks you if you really want to delete the zone)

Show all of the zones on a DNS server

dnscmd /enumzones

dnscmd /enumzones

Dump (almost) all of the records in a zone

dnscmd /zoneprint zonename

dnscmd /zoneprint

Doesn't show glue records.

Add an A record to a zone

dnscmd /recordadd zonename hostname A ipaddress

dnscmd /recordadd mypc A

Add an NS record to a zone

dnscmd /recordadd zonename @ NS servername

dnscmd /recordadd @

Delegate a new child domain, naming its first DNS server

dnscmd /recordadd zonename childname NS dnsservername

dnscmd /recordadd test NS

This would create the "" DNS child domain under the DNS domain

Add an MX record to a zone

dnscmd /recordadd zonename @ MX priority servername

dnscmd /recordadd @ MX 10

Add a PTR record to a reverse lookup zone

dnscmd /recordadd zonename lowIP PTR FQDN

dnscmd /recordadd 3 PTR

This is the PTR record for a system with IP address

Modify a zone's SOA record

dnscmd /recordadd zonename @ SOA primaryDNSservername responsibleemailipaddress serialnumber refreshinterval retryinterval expireinterval defaultTTL

dnscmd /recordadd @ SOA 41 1800 60 2592000 7200

Ignores the serial number if it's not greater than the current serial number

Delete a resource record

dnscmd /recorddelete zonename recordinfo [/f]

dnscmd /recorddelete @ NS /f

Again, "/f" means "don't annoy me with a confirmation request, just do it."

Create a resource record and incorporate a nonstandard TTL

dnscmd /recordadd zonename leftmostpartofrecord TTL restofrecord

dnscmd /recordadd pc34 3200 A

Reload a zone from its zone file in \windows\system32\dns

dnscmd /zonereload zonename

dnscmd /zonereload

Really only useful on primary DNS servers

Force DNS server to flush DNS data to zone file

dnscmd /zonewriteback zonename

dnscmd /zonewriteback

Tell a primary whom to allow zone transfers to

dnscmd /zoneresetsecondaries zonename /nonsecure|/securens

dnscmd /zoneresetsecondaries /nonsecure

That example says to allow anyone who asks to get a zone transfer

Enable/disable DNS NOTIFY

dnscmd /zoneresetsecondaries zonename /notify|/nonotify

dnscmd /zoneresetsecondaries /nonotify

Example disables DNS notification, which is contrary to the default settings.

Tell a secondary DNS server to request any updates from the primary

dnscmd /zonerefresh zonename

dnscmd /zonerefresh

Enable or disable dynamic DNS on a zone

dnscmd /config zonename /allowupdate 1|0

1 enables, 0 disables, 0 is default

Stop the DNS service

Either net stop dns or sc stop dns

(No dnscmd command for this)

Start the DNS service

Either net start dns or sc start dns

(No dnscmd command for this)

Install the DNS service on a 2008 full install system

servermanagercmd -install dns

Install the DNS service on a 2008 Server Core system

ocsetup DNS-Server-Core-Role

Case matters -- ocsetup dns-server-core-role would fail

Uninstall the DNS service on a 2008 Server full install system

servermanagercmd -remove dns

Uninstall the DNS service on a 2008 Server Core system

ocsetup /uninstall DNS-Server-Core-Role

Server Core Commands

Server Core Common Networking Commands

To configure the IP address we will have to remember (or learn) Netsh.

Configure a Static IP Address on Server Core:
Netsh int ipv4 set address "Local Area Connection" static
Netsh int ipv4 set dnsserver "Local Area Connection" static primary
Netsh int ipv4 set winsserver "Local Area Connection" static primary

Configure a Dynamic (DHCP) IP Address on Server Core:
Netsh int ipv4 set address "Local Area Connection" source=dhcp

Change the name of the network interface on Server Core:
Netsh int set interface name = "Local Area Connection" newname = "Primary Network"

Server Core Common Windows Firewall Commands:

The Windows Firewall is a blessing to some and a curse to others. Either way it is installed by default and you have to understand the commands that are needed to configure the basics and in some cases some advanced commands.

Disable firewall:
netsh firewall set opmode disable

Server Core can be managed by using MMCs from a remote server. However with the firewall being on by default you will have to allow these tools to work remotely. The first thing to note here is how to translate the MMC Snap-in to Windows Firewall Rule Group.

MMC Snap-in - Event Viewer
Windows Firewall Rule Group - Remote Event Log Management

MMC Snap-in - Services
Windows Firewall Rule Group - Remote Services Management

MMC Snap-in - Shared Folders
Windows Firewall Rule Group - File and Printer Sharing

MMC Snap-in - Task Scheduler
Windows Firewall Rule Group - Remote Scheduled Tasks Management

MMC Snap-in - Reliability and Performance
Windows Firewall Rule Group - Performance Logs and Alerts
Windows Firewall Rule Group - File and Printer Sharing

MMC Snap-in - Disk Management
Windows Firewall Rule Group - Remote Volume Management

MMC Snap-in - Windows Firewall with Advanced Security
Windows Firewall Rule Group - Windows Firewall Remote Management

To enable all of these rules, use this command:
Netsh advfirewall firewall set rule group="remote administration" new enable=yes

To enable a specific rule group, follow this format:
Netsh advfirewall firewall set rule group="" new enable=yes

Server Core Common Domain Management Commands

Join a domain:
netdom join ComputerName /domain:DomainName /userd:UserName /passwordd:*
Yes, /passwordd:* needs to have that second d at the end of it.

Remove from domain:
netdom remove

Rename a Domain Member:
netdom renamecomputer %computername% /NewName: /userd: /passwordd:*

Rename Administrator:
wmic UserAccount where Name="Administrator" call Rename Name="new-name"

Add User to a Local Group
net localgroup GroupName /add \

Remove User from a Local Group
net localgroup GroupName /delete \

Confirm Domain and/ New Computer name

Update User Passwords:
Net user [/domain] *

Server Core Common Server Management Commands

Toggle Remote Desktop on and off:
Cscript \windows\system32\scregedit.wsf /ar 0

Enable reduced security for RDP connections:
Cscript \windows\system32\scregedit.wsf /cs 0

Activate Server Core:
Local method - Slmgr.vbs -ato
Remote method - Cscript windows\system32\slmgr.vbs ServerName UserName password:-ato

Rename a Stand-Alone Member:
netdom renamecomputer /NewName:

List of installed patches:
wmic qfe list

Install Updates:
wusa .msu /quiet

Configure for AutoUpdates:
cscript scregedit.wsf /AU /4

Disable AutoUpdates:
cscript scregedit.wsf /AU /1

View AutoUpdate Setting:
cscript scregedit.wsf /AU /v

Configure the Page File:
wmic pagefileset where name="" set InitialSize=,MaximumSize=

Configure a Proxy Server: (Server Core cannot use a proxy that requires a password)
netsh Winhttp set proxy :

All your favorite TCP/IP commands work including the following:

List Running Services:
sc query

Start and/or Stop a Service:
sc start
sc stop

Task Manager: (Ctrl+Shift+Esc)

Manage Disk Volumes:
Diskpart /?

Defrag a Volume:
defrag /?

Change Time and Time Zone:
control timedate.cpl

Change the Desktop Resolution: (requires you to log off and back on)
Regedit - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video

Display the Time in the Command Prompt:
prompt [$t]$s$p$g

Log off:
shutdown /l

Restart Now:
shutdown /r /t 0

To get the Roles and Features installed you are going to need to use the ocsetup.exe command. The OC is short for Optional Components. The most important thing to remember about this command is that IT IS CASE SENSITIVE!!! As a best practice you should always use the /w switch with ocsetup.exe as this will hold the Command Prompt from being active (when you can type again) until the setup is complete. Below you will find a list of the commands that are required to install Roles and Features on Server Core.

start /w ocsetup DNS-Server-Core-Role

start /w ocsetup DHCPServerCore

File Services (Server service is installed by default) but there are other role features

File Replication Service
start /w ocsetup FRS-Infrastructure

Distributed File System
start /w ocsetup DFSN-Server

Distributed File System Replication
start /w ocsetup DFSR-Infrastructure-ServerEdition

Services for Network File System (NFS)
start /w ocsetup ServerForNFS-Base
start /w ocsetup ClientForNFS-Base

Hyper V
start /w ocsetup Microsoft-Hyper-V

Print Server feature
start /w ocsetup Printing-ServerCore-Role

Line Printer Daemon (LPD) service
start /w ocsetup Printing-LPDPrintService

Active Directory Lightweight Directory Services
start /w ocsetup DirectoryServices-ADAM-ServerCore

Active Directory Domain Services
dcpromo /unattend:

Streaming Media Services
Follow directions found in Article ID 934518

start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel
To uninstall IIS use the following command
start /w pkgmgr /uu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel

NOTE: If you need to uninstall a Role that you installed with ocsetup, all you need to do is append /uninstall to the commands above.

Now let's take a look at how we install Features on Server Core:

Microsoft Failover Clustering
start /w ocsetup FailoverCluster-Core

Network Load Balancing
start /w ocsetup NetworkLoadBalancingHeadlessServer

Subsystem for UNIX-based applications
start /w ocsetup SUACore

Multipath IO
start /w ocsetup MultipathIo

Removable Storage
start /w ocsetup Microsoft-Windows-RemovableStorageManagementCore

Bitlocker Drive Encryption
start /w ocsetup BitLocker

start /w ocsetup WindowsServerBackup

Simple Network Management Protocol (SNMP)
start /w ocsetup SNMP-SC

Windows Internet Name Service (WINS)
start /w ocsetup WINS-SC

Telnet client
start /w ocsetup TelnetClient

NOTE: If you need to uninstall a Feature that you installed with ocsetup, all you need to do is append /uninstall to the commands above.

Having the Role or Feature installed doesn't do much without going in and configuring the service. The quick and easy way to manage these Roles and Features is to have either a dedicated Terminal Server have the AdminPak or Remote Server Administrative Tools (RSAT) installed or just install those same tools on XP or Vista.

How to Remove a Failed or Offline DC

I’ve seen this issue come up time and time again. Some administrator decided to remove an old DC from the network but forgot to remove it from Active Directory, or the DC has entered a failed state and cannot be recovered. In a perfect world DCPROMO is all you have to do to remove a DC from the environment. However, if that DC was already shut down or DCPROMO is giving you problems, you will have to remove it the manual way. That method involves using a command called NTDSUTIL. NTDSUTIL is a command line tool that allows you to perform some of the more advanced Active Directory maintenance tasks.

Below are the steps needed to remove a failed or offline Domain Controller from your environment.
TIP: NTDSUTIL does not require the full command to be entered…you only have to enter enough of the command that is unique. For Example, instead of typing metadata cleanup you could just type met cle…or better yet m c

  1. Open the Command Prompt
  2. Type ntdsutil (all the commands will be entered via this command prompt)
  3. Type metadata cleanup
  4. Type connections
  5. Type connect to server and replace with the name of a functional DC in your environment…even if you are logged in locally. This step is not needed post W2K3 SP1.
  6. Type quit
  7. Type select operations target
  8. Type list sites
  9. Type select site <#> where <#> is the site where the failed or offline DC resided
  10. Type list servers in site
  11. Type select server <#> where <#> is the DC that is failed or offline
  12. Type list domains
  13. Type select domain <#> where <#> is the domain where the failed or offline DC resided (at this point you should verify that the site, server and domain are all selected)
  14. Type quit (this should set you back to the metadata cleanup menu)
  15. Type remove selected server ( a warning message will pop up…verify that this is the correct DC…in fact get a peer to verify it for you too)
  16. Click Yes
  17. Open Active Directory Sites and Services
  18. Expand out the site that the failed or offline DC resided in
  19. Verify the DC cannot be expanded out (no connection objects and such)
  20. Right Click the DC and select Delete
  21. Close Active Directory Sites and Services
  22. Open Active Directory Users and Computers
  23. Expand the Domain Controllers OU
  24. Delete the failed or offline DC from the OU (if it even exists)
  25. Close Active Directory Users and Computers
  26. Open DNS Manager
  27. Expand the zones where this DC was also a DNS server and perform the following steps
  28. Right click the zone and select Properties
  29. Click the Name Servers tab
  30. Remove the failed or offline DC from the Name Servers tab
  31. Click OK to also remove the HOST (A) or Pointer (PTR) record if asked
  32. Verify the zone no longer has a DNS record for the failed or offline DC

You can also find more info located on Microsoft site here and here for removing orphaned domains.