We are currently in the process of upgrading our domain controllers from Windows Server 2016 to Windows Server 2022 and there appears to be some security hardening going on when you upgrade to Windows Server 2022 and are using the built-in Default Domain Controllers Policy.
I patched our ADFS servers ending in even numbers this weekend and noticed in our monitoring system that the ADFS service wouldn’t start on the servers that were patched and restarted:
I spent the next hour clearing the GPO cache and staring at the “Log on as a service” and “Log on as a batch job” settings in our server domain GPO. Our ADFS service account had both rights. I blocked all domain GPOs to said server and restarted the server, then the ADFS service started after SCM (services.msc) granted it some missing privilege when I started the service on demand.
The solution was found via a Google search (quasi AI):
The Active Directory Federation Services (AD FS) service failure is caused by missing User Rights Assignment privileges for the AD FS service account. The most common missing privileges are “Generate security audits” and/or “Log on as a service”.
Nowhere in the event logs does it specifically state it was missing the SeAuditPrivilege privilege.
However, it appears you can get the privileges a service needs by running this Powershell command:
Then you can work backwards and see what GPO controls that privilege here.
I also had AI whip up this Powershell script that will translate the “terse” privilege names to “friendly” GPO names.
Just change the top line of the script to:
$serviceName = “yourservicename”
It appears you can also use sc.exe to get this information (the .exe after sc is important: in PowerShell, sc on its own is an alias for Set-Content, so without it nothing will be displayed):
Something similar happened on our Exchange server along the same lines a few weeks ago. I could not log in to the Exchange SE ECP with my normal DA account from a different NT domain (but could use a DA account within that domain and it worked fine), looking at the event log on the Exchange server:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=4980). The Exchange computer <removed> does not have Audit Security Privilege on the domain controller <removed>. This domain controller will not be used by Exchange Active Directory Provider.
The fix was adding the Exchange Enterprise Servers group to this policy:
Computer Configuration └── Policies └── Windows Settings └── Security Settings └── Local Policies └── User Rights Assignment └── Manage auditing and security log
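As an added example (not the AI-generated script mentioned above, and not code from Microsoft), the following PowerShell does the whole lookup in one place: it reads the privileges a service declares as required (the same data sc.exe qprivs prints), translates them to the User Rights Assignment names you would search for in GPMC, and lists who holds each right in the local effective policy by exporting it with secedit. The same export answers the Exchange question: which principals hold SeSecurityPrivilege (“Manage auditing and security log”) on a DC. Assumptions: adfssrv is a placeholder service name, the name table covers the rights commonly involved rather than every privilege Windows defines, and secedit needs an elevated shell.

```powershell
# Added example (not the post's script): map a service's required privileges to
# User Rights Assignment names and show who holds them in the effective local policy.
# Assumptions: 'adfssrv' is a placeholder service name; run from an elevated shell.
$serviceName = 'adfssrv'

# Terse privilege constant -> name shown under
# Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
$friendly = @{
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeAuditPrivilege'              = 'Generate security audits'
    'SeSecurityPrivilege'           = 'Manage auditing and security log'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
    'SeImpersonatePrivilege'        = 'Impersonate a client after authentication'
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeCreateGlobalPrivilege'       = 'Create global objects'
    'SeIncreaseWorkingSetPrivilege' = 'Increase a process working set'
    'SeBackupPrivilege'             = 'Back up files and directories'
    'SeRestorePrivilege'            = 'Restore files and directories'
    'SeDebugPrivilege'              = 'Debug programs'
    'SeShutdownPrivilege'           = 'Shut down the system'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of files or other objects'
    'SeLoadDriverPrivilege'         = 'Load and unload device drivers'
}

function Get-LocalUserRights {
    # Export the effective local policy (after GPO) and parse its [Privilege Rights]
    # section, resolving the *S-1-... entries to account names where possible.
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $rights[$right] = @(($Matches[2] -split ',') | ForEach-Object {
                $raw = $_.Trim().TrimStart('*')
                try { (New-Object System.Security.Principal.SecurityIdentifier($raw)).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $raw }   # unresolvable SID, or a name secedit wrote without '*'
            })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

$rights = Get-LocalUserRights

# What the service declares it needs: the RequiredPrivileges value the SCM reads
# (the same list sc.exe qprivs <service> prints). Some services declare nothing.
$svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$required = @((Get-ItemProperty -Path $svcKey -Name RequiredPrivileges -ErrorAction SilentlyContinue).RequiredPrivileges |
              Where-Object { $_ })
$account  = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'").StartName

# Logon rights are not privileges and never appear in RequiredPrivileges, but a
# domain or gMSA service account still needs this one or the service will not start.
if ($account -and $account -notmatch '^(LocalSystem|NT AUTHORITY\\)') { $required += 'SeServiceLogonRight' }

foreach ($p in $required) {
    $name = if ($friendly.ContainsKey($p)) { $friendly[$p] } else { '(not in table, look it up)' }
    [pscustomobject]@{
        Privilege = $p
        UserRight = $name
        Account   = $account
        GrantedTo = ($rights[$p] -join '; ')   # compare with the account and the groups it belongs to
    }
}

# The Exchange case: who can "Manage auditing and security log" on this machine?
$rights['SeSecurityPrivilege']
```

GrantedTo lists the principals exactly as the policy names them, so a right granted through a group (for example Exchange Enterprise Servers) shows the group, not the member; check membership separately before concluding the account lacks the right.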
I have a few stories myself regarding Windows OS deployment over my career.
I started disk imaging using Norton Ghost back in the late-90s where I used it on my home computer.
Fast forward to November 2002 where the hospital I worked at was using MS-DOS boot disks with Norton Ghost to deploy Windows 98/98SE, then eventually Windows 2000. We had specific boot disks for specific models with specific NICs. I changed all that using Bart’s network boot disk from nu2.nu. It’s the blog entry from August 5, 2005, over 20 years ago!
Eventually we switched that over to burned CDs and then to bootable USB flash drives, however, at the time, very few computers booted from USB devices.
On to my next employer where again it was Norton Ghost and specific MS-DOS boot disks for specific models. I changed that over to a custom WinPE solution where you would boot up to a MS-DOS menu to wipe the disk with mbrwiz, partition the disk with a batch file script that ran diskpart commands and then GImageX to apply the WIM image. It worked brilliantly for deploying Windows XP and Vista to bare metal.
When Windows 7 came out in 2009, I switched over to using MDT and Johan Arwidmark’s “Total Control” methodology for injecting drivers at boot time and it worked beautifully.
I last touched MDT in 2017 when I left my employer, but I still talked to the staff that worked there and MDT was still very much in use after I left.
Michael Niehaus is coming out with a free/community version of DeployR in 2026 that is supposed to replace the functionality of MDT and I am very excited to see that when it is released!
Recently, our SCCM server ran out of disk space. Ran Treesize Pro on the data drive and saw that the BADMIFS folder was 97GB! I would clear the folder and it would quickly grow in size again. In Microsoft Configuration Manager (SCCM), BADMIFS refers to a folder that stores hardware inventory files (MIF files) that failed to process correctly on the site server. These MIF files (Management Information Format) are generated by SCCM clients during hardware or software inventory scans and uploaded to the server for database insertion. When SCCM’s Inventory Data Loader (dataldr) component cannot successfully parse or import a MIF, it places it into the BADMIFS directory for troubleshooting and cleanup.
By default and design, SCCM will only process MIF files 50MB or less in size. The files that were filling the BADMIFS folder were > 200MB! Our normal SCCM administrator was out, so I had ChatGPT+ whip up a Powershell script to delete the *.MIF files in the BADMIFS folder via the task scheduler every 10 minutes.
I decided to go further and had ChatGPT+ create this script: inspect_mif_file.ps1. This will inspect the WMI classes within the MIF and give us a count of each of the inventory classes.
As you can see below, NT_LOG_EVENT makes up 1.2 million rows of data! The other classes only take up a few hundred or thousand lines.
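As an added example (not the inspect_mif_file.ps1 script linked above), here is how such a counter can be written so that it streams a 200 MB file instead of loading it into memory. It assumes the MIF layout used by hardware inventory, where each instance is a Start Group ... End Group block carrying a Class = "VENDOR|CLASSNAME|VERSION" line; the sample MIF at the bottom is constructed for the demo, not a real client upload.

```powershell
# Added example (not the post's inspect_mif_file.ps1): count inventory instances
# per class in a hardware inventory MIF so the class bloating the file stands out.
# Assumption about the format: each instance is a "Start Group ... End Group" block
# carrying a line  Class = "VENDOR|CLASSNAME|VERSION".
function Get-MifClassCounts {
    param([Parameter(Mandatory)][string]$Path)
    $counts = @{}
    # StreamReader, not Get-Content: a 200 MB MIF should not become an in-memory string array.
    $reader = [System.IO.StreamReader]::new($Path)
    try {
        $inGroup = $false
        while ($null -ne ($line = $reader.ReadLine())) {
            $t = $line.Trim()
            if ($t -ieq 'Start Group') { $inGroup = $true;  continue }
            if ($t -ieq 'End Group')   { $inGroup = $false; continue }
            if ($inGroup -and $t -match '^Class\s*=\s*"([^"]+)"') {
                $cls = $Matches[1]
                if ($counts.ContainsKey($cls)) { $counts[$cls]++ } else { $counts[$cls] = 1 }
            }
        }
    } finally { $reader.Dispose() }
    $counts.GetEnumerator() | Sort-Object -Property Value -Descending |
        ForEach-Object { [pscustomobject]@{ Class = $_.Key; Instances = $_.Value } }
}

# Constructed sample MIF: one ComponentID instance and three NT_LOG_EVENT instances.
$sample = @'
Start Component
Name = "WORKSTATION"
Start Group
Name = "ComponentID"
ID = 1
Class = "DMTF|ComponentID|1.0"
Start Attribute
Name = "Manufacturer"
ID = 1
Type = String(64)
Value = "Example"
End Attribute
End Group
Start Group
Name = "NT_LOG_EVENT"
ID = 2
Class = "MICROSOFT|NT_LOG_EVENT|1.0"
End Group
Start Group
Name = "NT_LOG_EVENT"
ID = 3
Class = "MICROSOFT|NT_LOG_EVENT|1.0"
End Group
Start Group
Name = "NT_LOG_EVENT"
ID = 4
Class = "MICROSOFT|NT_LOG_EVENT|1.0"
End Group
End Component
'@
$tmp = Join-Path $env:TEMP 'sample.mif'
Set-Content -Path $tmp -Value $sample -Encoding ASCII
Get-MifClassCounts -Path $tmp | Format-Table -AutoSize
# For a real file, point -Path at a .MIF under the site server's inboxes\auth\dataldr.box\BADMIFS folder.
```

Because it only keeps one line and a small hashtable in memory, the same function can be run over every file in BADMIFS in a loop without exhausting the site server.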
When the SCCM administrator returned, he indicated he was trying to scrape the event logs for BSOD events.
Unchecking NT Log Event in the Default Client Settings-Hardware Inventory Classes fixed the issue, though not immediately. There will be a backlog of incoming inventory MIFs, so you’ll need to keep the cleanup script running for a few days.
I recently started watching this guy’s streams on the Internet called Live Windows Training. It just so happened that a week before Microsoft posted this KB on the duplicate SID issue, this guy who has owned a computer repair shop for over 30 years figured it out. You can watch him articulate how he figured this out in this Youtube video: https://www.youtube.com/watch?v=jxBmUa_aKdo.
He used SIDCHG to fix the issue. Sure beats sysprepping or re-imaging all of the computers!
Googling “KB5065426 sid” brings up all kinds of posts on the issue.
I was going back and forth with ChatGPT on creating a script that would launch procmon.exe silently via the task scheduler so I could monitor excel.exe when it saved any file ending in .csv, .xls or .xlsx. This went on for several hours, but I was not making any progress, even switching over to using Sysmon to see if I can have it do the logging I needed. Pro tip: if you have Sysmon running on a system, Procmon will be unable to load its driver and therefore will not work. You have to uninstall Sysmon first, then Procmon will work.
Procmon would start, I could see it in the task manager, but it wasn’t creating a PML file and I couldn’t terminate procmon with procmon.exe /terminate. I decided to go over to Gemini and chat back and forth with it and wasn’t making any progress there either. On a whim, I took the script that ChatGPT created and fed it into Grok.com. Grok started churning away, checking the Internet for command line options and what did it find? ChatGPT hallucinated 2 of the command line options!
What was happening is that procmon was displaying an error, but since it was running under the SYSTEM account with /QUIET, there is no GUI to present to the user. Procmon was running in an errant state, but I couldn’t tell that. As soon as I removed the two invalid command line options, everything was right as rain.
The script ChatGPT created is too cool not to share, so here it is: https://github.com/adamleinss/PowerShellMisc/blob/master/procmon_task_scheduler.ps1. Along with this script, I uploaded the PMC file you can import into Procmon. The important bit is to make sure “Drop Filtered Events” is checked under Filter so the PML file doesn’t increase in size unnecessarily.
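As an added example (not the script linked above, and not Sysinternals code), this is the same idea using only switches Procmon accepts, plus the health check that would have exposed the errant state immediately: under /Quiet a bad switch leaves a procmon process that never writes its backing file, and with no desktop to look at, the size of that file is the only signal. Paths, the task name and the .pmc filter file are placeholders; the .pmc must already exist, saved from the Procmon GUI with “Drop Filtered Events” on.

```powershell
# Added example (not the post's script): run Procmon as SYSTEM from a scheduled
# task with documented switches only, then verify it is actually capturing.
# Assumptions: the paths, task name and .pmc filter file below are placeholders.
$procmon  = 'C:\Tools\Procmon64.exe'
$pmc      = 'C:\Tools\excel-saves.pmc'
$pml      = 'C:\Logs\excel-saves.pml'
$taskName = 'Procmon-ExcelSaves'

# Switches used: /AcceptEula /Quiet /Minimized /BackingFile /LoadConfig (start)
# and /Terminate (stop). Check any other switch against Procmon's own help
# before trusting a chatbot's suggestion; an invalid one fails silently under /Quiet.
$pmArgs = "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`" /LoadConfig `"$pmc`""

$action    = New-ScheduledTaskAction -Execute $procmon -Argument $pmArgs
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# Zero disables the default 72-hour execution limit so a multi-day capture is not killed.
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero)
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

function Test-ProcmonCapturing {
    param([Parameter(Mandatory)][string]$BackingFile, [int]$WaitSeconds = 30)
    # A healthy capture creates the PML right away and keeps growing it.
    if (-not (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue)) { return 'not running' }
    if (-not (Test-Path -Path $BackingFile)) { return 'running but no backing file: check the switches' }
    $before = (Get-Item -Path $BackingFile).Length
    Start-Sleep -Seconds $WaitSeconds
    $after  = (Get-Item -Path $BackingFile).Length
    if ($after -gt $before) { 'capturing' } else { 'running but file not growing: filter dropping everything?' }
}

function Stop-ProcmonAsSystem {
    # /Terminate must reach the SYSTEM instance, so send it from the same context
    # via a one-shot task instead of from the admin's own desktop session.
    $stopName = "$taskName-stop"
    $stop = New-ScheduledTaskAction -Execute $procmon -Argument '/Terminate'
    Register-ScheduledTask -TaskName $stopName -Action $stop -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName $stopName
    Start-Sleep -Seconds 10
    Unregister-ScheduledTask -TaskName $stopName -Confirm:$false
}

Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
Test-ProcmonCapturing -BackingFile $pml
# When done: Stop-ProcmonAsSystem; Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

If Test-ProcmonCapturing reports a process with no backing file, that is the errant state described above; fix the command line rather than restarting the task, and remember the Sysmon conflict noted earlier, which produces the same symptom for a different reason.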
Iodd recently released the iodd MINI Pro. The new features over the original iodd MINI are that it can now use a USB-C to USB 3.0 A cable (versus a Micro B to USB 3.0 A cable) and an M.2 2280 SATA3 SSD (vs the 2242 SSD on the iodd MINI). Unfortunately, it does not support an NVMe M.2 SSD, only an M.2 2280/2242 SATA3 with a B+M key connector. You get your pick of 512GB, 1TB or 2TB sizes. You cannot just buy the enclosure itself which is a bit of a bummer.
Upon receiving the iodd MINI Pro, I opened the back up. There is a black sticker on the back that states “Warranty void if removed”. I removed this sticker and there is a very small screw that you need to remove under the sticker. There are tabs on the bottom and the sides: I highly recommend using an electronics toolkit with a prying tool so you don’t break the tabs off. Attempts to reinstall the screw failed, it is very small and I ended up stripping the threads in the head, so I just left it out (the tabs are good enough for securing the back plate).
Iodd rebranded the SSD with their own label. Looking up the part number on the back it appears to be a rebadge of a Verbatim M.2 SATA SSD from 2022. I’m assuming 22 = 2022 and 02 is the month, so it was manufactured in February 2022.
The case of the iodd MINI Pro has a more premium feel over the original iodd MINI. The buttons are bigger, have a better tactile feel and the LCD display has a nice matte finish to it.
One oddity I found with the ST400 and iodd MINI Pro is that they can only display 30 files in one folder and then an error “Too many files” is displayed, however, on the original iodd MINI, it is able to display more than 30 files in one folder.
Benchmarks:
SEQ1M = Big file transfers speed.
RND4K Q32T1 = Small file multitasking performance.
RND4K (IOPS) = How many small file ops per second.
RND4K (µs) = Latency for those operations.
iodd MINI Pro with Verbatim 512GB M.2 2280 SATA III SSD (comes with iodd MINI Pro purchase)
iodd MINI Pro with Transcend 2TB M.2 2280 SATA III SSD with Dram Cache – MTS830S
iodd MINI with Kingspec 1TB 2242 SSD
iodd ST400 with 1 TB Samsung 870 EVO 2.5 SSD
Drive 1 – iodd MINI Pro with Verbatim 512GB M.2 2280 SATA III SSD
Drive 2 – iodd MINI Pro with Transcend 2TB M.2 2280 SATA III SSD
Drive 3 – iodd MINI with Kingspec 1TB 2242 SSD
Drive 4 – iodd ST400 with 1 TB Samsung 870 EVO 2.5 SSD
Unlike the iodd MINI, it does not come with a carrying case, so you will need to buy one yourself. After measuring the device, I went with this case.
My verdict: buy the ST400 enclosure with no drive and then supply your own 2.5 SSD unless you absolutely need the smaller form factor size. 2.5 SSDs are easier to come by and you aren’t forced into buying a bundled SSD.
This blog was started on July 23, 2005 and today marks the 20 year anniversary of this blog. In May of 2022, I decided to archive any posts before the year 2015 as they were quite dated. Making universal images for Windows 2000 and XP? Yeah, I don’t think anyone is interested in that anymore. Just for kicks: if you are feeling a bit nostalgic, you can read the old posts I saved to PDF format here. My entry point into computers started when my parents bought me my first computer in November 1993 which was delivered in December 1993. 31 years ago, wow where did the time go? I started off on Windows 3.1 and MS-DOS 5.0, quickly upgrading to MS-DOS 6.0 a few days later with the 3.5-inch floppy diskettes I was given. It was a 486-SX 33 MHz, 4MB of RAM, 250MB hard drive, 2400 baud modem, 14-inch AOC monitor, and a BJC-200 bubblejet ink printer from Milwaukee PC all for the low price of $1799.
Incidentally, I work less than 2 miles from the store where my first computer was purchased. 25 years after that event, I would be working in the technology department as a Systems Administrator.
Who knows where I will be working 20 years from today, will I still be alive?
Gather ye rosebuds while ye may, Old Time is still a-flying; And this same flower that smiles today Tomorrow will be dying.
It was July 2000 when I got RoadRunner cable Internet from Time Warner Cable. For years, I had waited for high speed Internet in Milwaukee, WI being held hostage on a 56K modem dial-up service. ExecPC was “the” ISP for southeastern Wisconsin and around 1999/2000, they were offering ISDN 128K, but not DSL. I was actually posting about Internet service in Milwaukee around the year 2000 on news groups (USENET). It appears at the time the speeds were around 170KB/sec on RoadRunner. ExecPC ISDN was 16KB/sec. On 56K dial-up, the best speeds you could get were 7KB/sec. Today, I’m getting 46,250KB/sec, a 27,106% increase over what I had back in 2000. Going from 56K dial-up to Roadrunner in 2000 was a 2329% increase.
Knock on wood, I’ve had Roadrunner (now Spectrum) for 25 years and for the most part, it’s been pretty solid. I even remember the first modem I had: the Motorola SB3100. It had a max download of 38Mbps and upload of 10Mbps. However, I wasn’t getting 38Mbps, I was getting around 1.5Mbps. It appears I was paying $29.95 which went to $49.95 in 2001. Using Perplexity AI, it came up with this for the change in Internet speeds from Time Warner/Spectrum over time:
2000: Road Runner launches widely with 1.5 Mbps as the standard speed [1].
2003: Speed tiers increase to 2 Mbps, then 3 Mbps in some regions [2].
Mid-2000s: 5–10 Mbps becomes common as networks are upgraded [1].
2011–2015: Major jumps, with 12–30 Mbps becoming standard, then 50 Mbps, and up to 300 Mbps in some markets [5].
2016–2025: Gigabit service (1000 Mbps) becomes available in many areas as fiber and DOCSIS 3.1 roll out; national average speed surpasses 200 Mbps [4].
Recently, I’ve been paying $68/month for Spectrum cable Internet and was getting roughly 475Mbps. I was on a deal for 1 year and that deal was running out in June 2025. The price was going to go to $93/month! I called and asked for a new deal which they refused to do without bundling either TV or phone service. I did not want to do this. I even told them AT&T fiber was available in my area for $55/month and they did not care. Months earlier, I had gotten a “door hanger” that stated AT&T fiber was coming to my area.
I was reluctant going to AT&T as the device they provide, the BGW320, is a combination router/modem. I have my own router equipment, so this would involve trying to figure out how to disable or bypass their own router and using my own equipment. However, saving $38 extra per month was going to be worth the pain of trying to figure it out.
Off I went to order new Internet service from the AT&T website. The first issue is they do a credit check during the online ordering process and I have my credit frozen at the top 3 credit bureaus. This failed and dumped me into a chat window, so I closed out and unfroze my credit and re-ran through the online ordering process: this time it succeeded. I picked my schedule date and time (very nice AT&T!).
The install date came and I got a text from my installer. It was scheduled between 8AM to 10AM and the installer was here by 8:20AM. It took approximately 3 hours for them to install it. That included installing a new line from the telephone pole to my house, installing a new AT&T service box on the side of the house, drilling a bigger hole in the side of the house and feeding the line into the same jack that Spectrum was using.
They also sent in a “home advisor expert” which was a nice touch, explaining details of the service, billing, promotions and the Smart Home Manager mobile app.
In terms of bypassing the AT&T router portion: I’ll describe what I did so I could use my own router. The AT&T router defaults to 192.168.1.254, so go to this IP address in a web browser when you want to configure the AT&T equipment settings. I had done research beforehand and it was recommended to put the AT&T equipment on its own subnet. My default subnet addressing for my home network is 192.168.1.x, so I decided to change the AT&T router/modem to 192.168.0.254 so as not to conflict with my own network addressing. You can do this by going to 192.168.1.254, then click on Home Network>Subnets & DHCP. You will need to enter the device access code from the bottom of the BGW320.
Change the settings to what I have listed below if you want to use your own router equipment:
Next, go to Firewall>IP Passthrough. I recommend having your router connected so you can pick off its MAC address from the list.
Turn off everything in the firewall and packet filter. Keep in mind that with IP Passthrough the BGW320 is no longer the device protecting your LAN, so make sure your own router’s firewall is the one enforcing inbound policy before you do this.
You’ll also want to turn off the WiFi radios:
If you did everything correctly, when you log into your own router equipment, you should see an Internet (WAN) IP address that is not 192.168.x.x. If you do see a 192.168.x.x address, that means you are “double NATed” and you need to re-trace your steps. I figured this out pretty quick when I couldn’t ping my home network no-ip.com alias from HetrixTools monitoring. I had changed my MAC address in my own router months ago and wrote down the “real” MAC address of the router, not the MAC address the router was masquerading as. I again suggest connecting your router right away to the BGW320 and picking it off the list instead of manually keying in a MAC address.
Of course, after I had this running perfectly for 48 hours, Sunday morning came along where I have my TP-LINK router restart itself at 3AM every week and then it was back to a 192.168.0.68 address for the Internet IP address (double NAT problem). I spent quite a bit of time restarting the AT&T router/modem and my own router and the TP-LINK would not get a WAN address. I disabled the DHCP server on AT&T’s router/modem and it did not like that at all! I couldn’t get to the web interface of the AT&T router/modem anymore, so I ended up doing a hard reset with the little red button on the back.
After the hard reset of the AT&T router/modem and re-configuring everything, the TP-LINK router again got the proper WAN address from the AT&T router/modem. Based on a few postings of other people having the same problem as myself: I changed the DHCP lease to 5 minutes on the AT&T router/modem (instead of one day). The next week, when my personal router restarted, it got the proper Internet IP address. If for some reason this does not work: another suggestion I saw was unplugging/replugging the Ethernet cable going to the AT&T equipment on the TP-LINK side to force it to get a new IP address from the AT&T router/modem.
You can actually log into the Smart Home Manager app and see the IP address of your router to check if it’s really the proper Internet IP address without having to log into router directly.
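As an added example (not from the post), here is the double-NAT check as a function you can drop into a monitor so it fires at 3 AM instead of waiting for you to notice. Private RFC 1918 ranges, the carrier-grade NAT range 100.64.0.0/10 and a link-local 169.254.x.x address (which means no DHCP lease at all) all mean the BGW320 did not hand over the real Internet address; only a public address means IP Passthrough is working. It assumes you obtain the WAN address from your own router; the sample addresses are constructed, with 203.0.113.7 taken from the TEST-NET-3 documentation range.

```powershell
# Added example (not from the post): classify a router's WAN address so a
# double-NAT (or a missing lease) is detected by a script rather than by eye.
# Assumption: the WAN address is read from your own router; samples below are constructed.
function Test-PublicIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { throw "IPv4 only: $Address" }
    $o = $ip.GetAddressBytes()
    $notPublic = @(
        ($o[0] -eq 10),                                        # 10.0.0.0/8      (RFC 1918)
        ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31),   # 172.16.0.0/12   (RFC 1918)
        ($o[0] -eq 192 -and $o[1] -eq 168),                    # 192.168.0.0/16  (RFC 1918, what the post saw)
        ($o[0] -eq 100 -and $o[1] -ge 64 -and $o[1] -le 127),  # 100.64.0.0/10   (carrier-grade NAT)
        ($o[0] -eq 169 -and $o[1] -eq 254),                    # 169.254.0.0/16  (APIPA: no DHCP lease)
        ($o[0] -eq 127)                                        # loopback
    )
    return -not ($notPublic -contains $true)
}

function Get-DoubleNatVerdict {
    param([Parameter(Mandatory)][string]$WanAddress)
    if (Test-PublicIPv4 -Address $WanAddress) { "$WanAddress is public: passthrough OK" }
    else { "$WanAddress is not public: double NAT or no lease, re-check IP Passthrough / restart the WAN side" }
}

# Constructed samples: the address the post saw after the weekly router restart, a
# CGNAT address, a failed lease, and the good case.
foreach ($a in '192.168.0.68', '100.64.1.10', '169.254.20.5', '203.0.113.7') {
    Get-DoubleNatVerdict -WanAddress $a
}
```

Feed Get-DoubleNatVerdict the WAN address from your router’s API or status page (or the address the Smart Home Manager app shows) and alert on anything that is not public.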
Another issue I found was AT&T was blocking port 25 outbound for SMTP. As an example: I use PingPlotter to monitor my home network and I just use the default port of 25 to send e-mails for its alerts. This stopped working after switching to AT&T. The solution was simple: change port 25 to 587 (the mail submission port, which normally requires authentication and STARTTLS) and then the e-mails started working again.
So far, AT&T’s Internet service has been fantastic. I now get 375/375 instead of Spectrum’s 450/20. This will come in handy for work when I have to transfer files between work systems using my own Internet’s upstream bandwidth.
This one drove me a bit crazy I must admit. I had a GPO that would install an MSI file when scoped to a computer account. However, recently, it stopped working. When I ran rsop.msc and looked at the error tab, it kept stating “Software Installation did not complete policy processing because a system restart is required for the settings to be applied. Group Policy will attempt to apply the settings the next time the computer is restarted.”
Restarting the computer several times did nothing. Of course, I did what any normal IT person would do and I immediately consulted various AI chatbots. This led me down many dead ends, the reason being this may be one of the worst errors I’ve ever seen. It had nothing to do with a pending restart. The problem? The GPO couldn’t find its source files.
This wasn’t reflected in the event logs or the RSOP error tab, it’s just a generic error that Microsoft decided to present when the software install piece of a GPO does not work. When I was working in GPMC on another server with an elevated account, the first thing I did was check the source path in the GPO and I could see the MSI file was there.
What I didn’t do right away is check the source path from a normal (non-elevated) user account. Once I did this, a bell rang in my head. Our security team found that the applications folder on our SCCM server was set with weak permissions, so the SCCM administrator restricted those permissions to elevated accounts and thus, my GPO was broken.
ChatGPT o3 came the closest to finding the solution; in its third bullet point, it came up with:
Use psexec ‑i ‑s cmd to open a SYSTEM shell and run dir \\server\share\package\app.msi. to resolve access issues
When a computer-targeted GPO runs as SYSTEM, the computer reaches the UNC path with its own AD account (i.e. computername$). ChatGPT is suggesting we use psexec with the -s option to open a shell as SYSTEM, which accesses the UNC path the same way the GPO does; if the MSI file isn’t visible from that session, the computer account lacks read access on the source, either in the share permissions or in the NTFS ACL.
Rather than monkeying with the permissions of the original folder, I moved the source files to the NETLOGON share of the DCs. The files were relatively small, so I didn’t have to worry about the replication of the source folder between DCs.
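As an added example (not the fix used above, and not Microsoft code), this PowerShell checks the thing that actually broke: whether a principal that contains computer accounts holds read access on the installation source. Authenticated Users includes computer accounts and is the tightest common choice for a read-only install source; Everyone works but is broader than needed. The UNC path and the CONTOSO domain name are placeholders.

```powershell
# Added example (not the post's fix): verify that computer accounts can read a
# GPO software installation source before chasing the "restart required" message.
# Assumptions: the UNC path and 'CONTOSO' are placeholders.
param(
    [string]$Source = '\\sccm01.contoso.local\Applications\app.msi',
    [string]$Domain = 'CONTOSO'
)

# Computer-targeted software installation runs as SYSTEM and reaches the share as
# <computername>$, so one of these principals must hold read access.
$computerReaders = @("$Domain\Domain Computers", 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-ComputerReadAccess {
    param([Parameter(Mandatory)][string]$Path, [string[]]$Readers = $computerReaders)
    $dir  = if (Test-Path -Path $Path -PathType Leaf) { Split-Path -Path $Path -Parent } else { $Path }
    $acl  = Get-Acl -Path $dir
    $need = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $hits = @(foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Readers -notcontains $ace.IdentityReference.Value) { continue }
        # Modify and FullControl include ReadAndExecute. ACEs expressed as generic
        # rights (large negative values) will not satisfy this test; inspect those by hand.
        if (([int]$ace.FileSystemRights -band $need) -eq $need) { $ace }
    })
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
              ForEach-Object { $_.IdentityReference.Value })
    [pscustomobject]@{
        Path         = $dir
        ComputerRead = ($hits.Count -gt 0)
        GrantedVia   = ($hits | ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" }) -join '; '
        DenyEntries  = ($deny -join '; ')   # a Deny on Domain Computers or Authenticated Users overrides any Allow
    }
}

Test-ComputerReadAccess -Path $Source
```

Get-Acl only sees the NTFS ACL; the share permissions (Get-SmbShareAccess on the file server) must also grant read, and the psexec -s dir test from a client exercises share, NTFS and Kerberos together, so keep that as the final confirmation.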
I’ve been looking for a simple and free program to mass restart computers by a simple copy/paste and finally found it: RemoteRebootX! I was actually using a Powershell script where I could copy/paste in a list of computers and the script would hang about 1/3rd of the way into the list. Admin Assistant works well for restarting computers, however, you have to create a group first, then import the computers into the group, then you can restart them from the action menu. I just wanted to copy/paste my list and go.
I just typed my request into Grok AI about the best freeware restart tool and voilà, it did the research and recommended RemoteRebootX. This tool also does other nifty stuff such as get uptime, free space, wake on LAN, remote control over RDP, and it will allow you to create scheduled tasks on the remote computers.