Sysadmin Notes

A sysadmin's notes on interesting things from the IT world, how-to guides and reviews. We set up computers, servers, 1C and SIP telephony in Moscow

Error Code 80072EFE

2023-11-21 · Posted in Windows - 7

The error appears in Windows Update on Windows 7 when it searches for new updates to install. Windows Update tries to find them for a while and then reports the error "Code 80072EFE".

Error "Code 80072EFE" in Windows Update when searching for and installing updates.

The root of the error is that the Windows Update Agent module is out of date and has to be updated to work correctly. It can simply be downloaded and installed, for both the 32-bit and the 64-bit versions of Windows.

The Windows Update Agent installers are available on the Microsoft site, and links to them can also be found on our site. They are below.

For Windows 8 and Windows Server 2012 (KB2937636)

For Windows 7 (SP1) and Windows Server 2008 R2 (SP1)

Attention! Please note that this material describes exactly how we fixed a specific problem on a specific laptop. This method will most likely help you too, but keep in mind that you perform all actions on your own laptop at your own risk, relying on your own judgment and skills.

After the new Windows Update Agent was installed, Windows Update worked correctly and found all the updates available for installation.

These were installed right away. On our laptop this did not take long, since we had installed an SSD in our (for the duration of servicing) laptop.

One more important point about fixing this problem: it is not certain, but it seems that for the new update agent to work correctly the computer or laptop must be running not just Windows 7 but Windows 7 updated to Service Pack 1. Some of the comments left hint at this.

The procedure entry point AddDLLDirectory could not be located in the dynamic link library Kernel32.dll

2023-11-21 · Posted in Windows - 7

When trying to install any driver (except the video driver), the error "The procedure entry point AddDLLDirectory could not be located in the dynamic link library Kernel32.dll" appears. The drivers are from the official site.

Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008: To use this function in an application, call GetProcAddress to retrieve the function’s address from Kernel32.dll. KB2533623 must be installed on the target platform.

This update has been superseded by update KB3063858, which is why KB2533623 can no longer be downloaded from the Microsoft site.

KB3063858 will solve your problem:

32-bit: https://www.microsoft.com/en-us/download/details.aspx?id=47409

64-bit: https://www.microsoft.com/en-us/download/details.aspx?id=47442

Fix Certificate Error when Installing .NET Framework

2023-11-21 · Posted in Windows - 7

You may experience an ‘Installation did not Succeed’ error when installing newer versions of the .NET Framework and other runtimes such as Microsoft Visual C++ in Windows 7.

In most cases, such as with .NET Framework 4.8 and 4.7.2, Windows 7 SP1 is the minimum-supported OS. However, you may still experience installation errors even with this service pack installed.

The exact cause of this error is related to the certificate used to digitally sign the software, hence the error message: “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.”

Some tutorials online recommend installing the MicrosoftRootCertificateAuthority2011.cer certificate to fix this error. Based on my experience, this did not solve the error since this particular certificate expired in 2021.

It may have worked before then, but currently it does little to remedy installation. Instead, you may, as I did, get another error if you try installing the runtime after installing the certificate: “The timestamp signature and/or certificate could not be verified or is malformed.”

The real culprit behind this error is not actually the certificate; it is the fact that Windows 7 no longer receives updates. The new runtimes are digitally signed with certificates that use the SHA-2 hash, which Windows 7 doesn’t support, as it only shipped with support for the now-retired SHA-1 certificates.

Fortunately, you can fix the issue by installing the necessary updates manually. Here’s how to go about it.

How to Install SHA-2 Code Signing Support Updates:

As explained in this Microsoft article, you need to enable SHA-2 Code signing support by installing the following updates:

The above updates apply to those running Windows 7 SP1 or Windows Server 2008 R2 SP1. For Windows Server 2008 SP2 you’ll need to install:

The above links will take you to the Microsoft Catalog page for the respective update. You’ll need to download the correct package for your OS and architecture (x86/32-bit or x64/64-bit.)

Each package comes as a standalone MSU file. To install it, you only need to double-click the file and Windows Update will install it. Make sure the Windows Update service is not disabled, otherwise the updates will not install.

Once you’re done installing the updates, restart your computer and try installing the runtime again. They should work this time round.
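To confirm that SHA-2 certificates are what the failing installer depends on, and to re-check after the updates are installed, the following added example (not part of the original article) prints the Authenticode status and the signature algorithm of each certificate in the signer's chain. The installer path is a placeholder.

```powershell
# Added example. Reports the Authenticode status of an installer and the
# signature algorithm of every certificate in its signing chain.
param([string]$InstallerPath = 'C:\Temp\runtime-installer.exe')  # placeholder path

function Get-SignatureReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $chainInfo = @()
    if ($sig.SignerCertificate) {
        # Build the chain with revocation checks off so an offline PC still gets a result.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.SignerCertificate)

        $chainInfo = @(foreach ($e in $chain.ChainElements) {
            New-Object PSObject -Property @{
                Subject   = $e.Certificate.Subject
                # Algorithm the issuer used to sign this certificate (sha1RSA, sha256RSA, ...)
                Algorithm = $e.Certificate.SignatureAlgorithm.FriendlyName
                NotAfter  = $e.Certificate.NotAfter
                Problems  = @($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
            }
        })
    }

    # The timestamp countersignature has its own certificate; report it separately.
    $tsAlg = $null
    if ($sig.TimeStamperCertificate) {
        $tsAlg = $sig.TimeStamperCertificate.SignatureAlgorithm.FriendlyName
    }

    New-Object PSObject -Property @{
        Path               = $Path
        Status             = $sig.Status          # Valid, NotTrusted, NotSigned, ...
        StatusMessage      = $sig.StatusMessage   # human-readable reason for the status
        TimestampAlgorithm = $tsAlg
        Chain              = $chainInfo
    }
}

$report = Get-SignatureReport -Path $InstallerPath
$report | Select-Object Path, Status, StatusMessage, TimestampAlgorithm | Format-List
$report.Chain | Format-Table Subject, Algorithm, NotAfter, Problems -AutoSize
```

A `Status` other than `Valid` together with `sha256RSA` entries in the chain matches the situation the article describes; after the updates and a reboot the same file should report `Valid`.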

Remove Local Admin Rights Using Group Policy

2023-11-14 · Posted in Active Directory

In this guide, I’ll show you how to remove local admin rights using group policy.

I’ll also show you how to add users or groups to the local administrator group.

By using group policy you can gain control over local admin rights and ensure no user is added back to the local administrator group without your approval.

Why Local Administrator Rights is a Huge Security Risk

You do not want your users to log into computers and perform daily work with administrator rights. Exploiting administrator rights is a primary method attackers use to spread and gain control of systems inside an organization.

Scenario 1: A user is logged in to their computer with administrator rights and is fooled into opening an email that contains a malicious attachment. The attachment contains executable code, which is executed on the computer. Because the user is logged in with administrator rights, this malicious code has full rights to the computer: it could install a keylogger or sniffer, run ransomware and encrypt all the files, install remote control software, and so on. Not good.

Scenario 2: Someone, maybe a helpdesk tech, created a local user on multiple computers with the same password and added it to the local administrator group. If an attacker cracked this password, the attacker would then have administrator access to all the machines that this account is created on. The attacker could then move laterally from system to system dropping malicious files, stealing data, and so on.

Both scenarios can be mitigated by getting control of your local admin groups. Now… Let’s move on to the tutorial.

Create a Report of Users with Local Administrator Rights

It’s very important that you first run a report on all computers to see who has local admin rights. Then review this report with staff members to discuss why these users or groups have local admin rights on their computers. The next step would be to get approval to remove these users.

I’ve been through this process with large organizations and people get very angry when you remove their admin rights. Plus things can break. I highly recommend you communicate these changes and get proper approval.

To get a report you can use the Local Administrator Report Tool from the AD Pro Toolkit.

Here are the steps:

1) Download and install the toolkit.
2) Open the toolkit -> Local Admin Report
3) Select Search Options (select the entire domain or an OU/Group)
4) Click Run

When it is done running you can sort and filter on any column. You can export this report to CSV for your records. It’s a good idea to share this report with staff so they have an idea of who has admin rights and who will be removed.

How to Remove Local Admin Rights Using Group Policy

Tip: I recommend you test these changes on a single computer or user before implementing them on all production systems.

First, let’s check a computer and see what accounts are in the local administrator group. This can easily be done by using the following PowerShell command.

You can see in the screenshot there are several local and domain users in the administrator group.

You can also get this report from the AD Pro Toolkit.

This is bad.

You can see PC2 has a local user and three domain groups that are members of the local administrator group.

Using group policy I can not only remove these accounts but I can control what user accounts or groups are members of this group. If someone tried to manually add a user to this group the group policy would override it.

I like to put all computers in an organizational unit, this makes it easy to apply group policies to computer accounts.

Create a New GPO

1) Right-click the organizational unit where you want the GPO applied and select “Create a GPO in this domain, and link it here”

2) Name the GPO and click OK

Now you need to edit the GPO.

3) Right-click the GPO and click Edit

4) Browse to the following GPO settings

Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups

Now right-click in the right side window and select new -> Local Group

New Local Group Properties

  • Action: Update
  • Group name: Administrators (built-in)
  • Delete all member users: This will delete all the users from the local administrator group. I’m going to check this box.
  • Delete all member groups: This will delete all the groups from the local administrator group. I’m going to check this box.


Click add and select the members you want to be added to the local administrator group. You probably want to keep the local administrator account and domain admins group as local admins… but that is totally up to you. I’m going to also add a group that has the helpdesk staff so they have local admin rights on the computers.

Screenshot of my settings

The above settings will delete all users and groups from the local administrator’s group and then add back the users specified in the member’s box. This will clean up all unwanted accounts and add only the accounts you have approved via the GPO.

Note: A user with admin rights could still modify the group membership locally but when the GPO refreshes it will revert back to the GPO settings.

Run gpupdate or Reboot Computer

Now that the GPO is created and linked to an organizational unit let’s test it.

On PC1 I will run the following command to force a group policy update.

Once the command completes I’ll check the group membership again. Below is a screenshot of the before and after. You can see the GPO has removed the members of the local administrator group and configured the members to the GPO settings.

Pretty cool right?

You can see from the screenshot that the unwanted accounts have been removed from the administrator group. The GPO removed three groups and two local user accounts. It then added the domain admins group, the IT_Wrk_Admin group, and the local administrator account.

Any computer you apply this policy to will get these exact settings. If you choose to delete all member user and group accounts it will indeed remove those accounts from the local administrator’s group. I recommend you test this before rolling it out into production.
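To check a machine against the approved membership after the policy has applied, the following added example (not from the original guide) compares the local Administrators group with an allowlist and reports drift. `EXAMPLE` and `PC2` are placeholder domain and computer names, and the sample membership is constructed.

```powershell
# Added example: compare the local Administrators group with the GPO's approved list.
param([switch]$Live)   # -Live queries this computer; the default uses the constructed sample

# Assumptions: EXAMPLE is a placeholder domain name, PC2 a placeholder computer name.
$Computer = if ($Live) { $env:COMPUTERNAME } else { 'PC2' }
$Approved = @("$Computer\Administrator", 'EXAMPLE\Domain Admins', 'EXAMPLE\IT_Wrk_Admin')

# Constructed sample of a machine before the GPO applies (not real data).
$SampleMembers = @('PC2\Administrator', 'PC2\tempadmin', 'EXAMPLE\Domain Admins',
                   'EXAMPLE\Accounting', 'EXAMPLE\Sales')

function Compare-LocalAdminMembership {
    param([string[]]$Members, [string[]]$Approved)
    # -contains / -notcontains are case-insensitive, like Windows account names.
    # Full DOMAIN\name strings are compared so that a local account cannot
    # pass for a domain group of the same name.
    New-Object PSObject -Property @{
        Unexpected = @($Members  | Where-Object { $Approved -notcontains $_ })
        Missing    = @($Approved | Where-Object { $Members  -notcontains $_ })
    }
}

if ($Live) {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the query also works where the group name is localized.
    # Get-LocalGroupMember requires Windows PowerShell 5.1.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name })
} else {
    $members = $SampleMembers
}

$result = Compare-LocalAdminMembership -Members $members -Approved $Approved
'Unexpected: ' + ($result.Unexpected -join '; ')
'Missing:    ' + ($result.Missing -join '; ')

# A non-zero exit code lets a scheduled task or monitoring agent flag the drift.
if ($result.Unexpected.Count -or $result.Missing.Count) { exit 1 }
```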

Exclude Computers from the GPO Policy

If you need to exclude a computer from this policy follow these steps:

Tip: There are many poorly coded programs out there that don’t run without giving users admin rights. If you can avoid these programs, please do so. It’s ridiculous that there are still companies selling software that cannot run without admin rights… again, try to avoid these programs. If you can’t, then look into privilege escalation programs like BeyondTrust and PolicyPak. These programs allow you to configure programs to run without giving the user administrator rights.

1) Create a new Active Directory group. Name it whatever you want.

2) Add the computer account that you want to exclude into this group.

3) In the group policy management console, select the GPO you created and select the delegation tab.

Now click the advanced tab

Click add and select the group you just created.

Now make sure this group has only these permissions:

Read: Allow
Apply group policy: Deny

This will deny any member of this group from applying the GPO. This is a very simple approach to excluding computers from applying this GPO. It also makes it easy to manage, if you want to know who is excluded from a GPO you can just check the members of the AD group.

Now, I’ll verify the computer is excluded by using the gpresult command.

To see all the GPOs applied to a computer and user type this command.

You will need to be an administrator on the computer to get the computer results.

You can see the GPO “GPO Computer – Local Admin Group members” is applied to this computer. I will reboot the computer and run the command again. Once I reboot I should no longer see that GPO being applied to this computer because it’s being denied from applying.

I will run gpresult /r again

You can see the GPO is no longer applied to this computer.

You should first do an audit of user rights and understand why they have local admin rights. You don’t want to enable this policy on all computers without first testing and understanding its impact. Unfortunately, there are programs that still need elevated rights, and applying this policy could break and prevent programs from running.

How to disable sudo and su on Ubuntu?

2023-11-14 · Posted in Ubuntu

You don’t have to disable sudo to get a root shell. Run:

And now every command you type is as the root user.

Also, when you are logged in as root, you don’t have to prepend every command with sudo anymore. I think you are confused here. You sudo before a command when you run it as a user, but once root, you don’t need it.

It is obvious you should be extra careful when you do that. Use a colored prompt (red, enabled by default) to always know when you are in a root shell.

Also, it could be a good idea to set a timeout on your root session by using the TMOUT environment variable

In /root/.bashrc, add the line

for a 5 minutes timeout.