September 18th, 2019 | Tags:

Sources of Free S/MIME Certificates

Free certificates usable for S/MIME are available from:

  • Actalis
  • CAcert (CAcert is NOT one of the trusted authorities built in to Firefox and Thunderbird. The connection is also untrusted)
  • Comodo (They’ve changed their name to Sectigo and no longer offer free S/MIME certificates)
  • GlobalSign (No longer offer free certificates)
  • InstantSSL (free certificate is now a 30 day trial)
  • Secorio (Affiliated Partner of Sectigo (formerly called Comodo) that links to InstantSSL if you want a free certificate)
  • StartCom (StartCom certificates have been revoked by Mozilla) [1]
  • Wosign (WoSign certificates have been revoked by Mozilla)

Currently only Actalis seems to offer a free S/MIME certificate for personal use that is good for one year. Everybody else appears to offer a free certificate for personal use for only 30 days, or require you to buy one. It can also cost money to revoke a free certificate. [2]

Let’s Encrypt does not currently offer S/MIME certificates. See for a thread explaining why you can’t use their SSL/TLS certificates for S/MIME.

September 18th, 2019 | Tags:
If you would like to restrict Remote Desktop access to your Dedicated server to an IP address or range of IP addresses, you can do so by following the instructions below.
Edit Existing Firewall Rule


September 18th, 2019 | Tags:

Block 1: Connect to the WSUS server and set the configuration.
We are first going to set the property “Download update files to this server only when updates are approved”, turn off all update languages, and then set the only update language to English. At the end, this would all be pointless if we didn’t commit our changes with .Save.

Of course there are a lot more things you can do; just let IntelliSense go to work for you.

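$wsus = Get-WSUSServer -Name wsus.domain.local -PortNumber 8530
$wsusConfig = $wsus.GetConfiguration()
# Download update files to this server only when updates are approved
$wsusConfig.DownloadUpdateBinariesAsNeeded = $True
# Turn off all update languages, then enable English only
$wsusConfig.AllUpdateLanguagesEnabled = $false
$wsusConfig.SetEnabledUpdateLanguages("en")
$wsusConfig.Save()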

Block 2: Verifying an Auto-Approval rule is set and enabled.
In this example, we are simply going to check and see if “My Approval Rule” is created, and enabled. Read more…

September 18th, 2019 | Tags:

This script will look for GPOs which have no settings at all and delete them.

Import-Module GroupPolicy
$GPOs = Get-GPO -All
foreach ($GPO in $GPOs) {
    # DSVersion 0 on both sides means neither half of the GPO has any settings
    if (($GPO.Computer.DSVersion -eq 0) -and ($GPO.User.DSVersion -eq 0)) {
        Write-Host "$($GPO.DisplayName) is an empty GPO."
        Remove-GPO -Name $GPO.DisplayName
    }
}

September 18th, 2019 | Tags:

These policies are generally meant for just computer or just user settings. This script will disable the empty half (for example, if a GPO has only computer settings, it will disable user settings). This matters because it speeds up policy processing: clients no longer have to process the empty half of each policy.

Import-Module GroupPolicy
$GPOs = Get-GPO -All
foreach ($GPO in $GPOs) {
    # Computer half is empty and not yet disabled
    if (($GPO.Computer.DSVersion -eq 0) -and ($GPO.GpoStatus -ne "ComputerSettingsDisabled")) {
        Write-Host "$($GPO.DisplayName) has no computer settings and is not disabled. Disabling..."
        $GPO.GpoStatus = "ComputerSettingsDisabled"
    }
    # User half is empty and not yet disabled
    if (($GPO.User.DSVersion -eq 0) -and ($GPO.GpoStatus -ne "UserSettingsDisabled")) {
        Write-Host "$($GPO.DisplayName) has no user settings and is not disabled. Disabling..."
        $GPO.GpoStatus = "UserSettingsDisabled"
    }
}

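
The status decision for the cleanup described above, written as an added example (not code from the original post) that also covers GPOs already set to AllSettingsDisabled and GPOs that are empty on both sides, where comparing against a single status value is not enough. The function name Get-TargetGpoStatus and the sample GPO names are hypothetical; the sample objects are constructed so the block runs without the GroupPolicy module.

```powershell
# Added example: work out the GpoStatus a GPO should end up with, without touching AD.
function Get-TargetGpoStatus {
    param(
        [int]$ComputerVersion,     # value of $GPO.Computer.DSVersion
        [int]$UserVersion,         # value of $GPO.User.DSVersion
        [string]$CurrentStatus     # value of $GPO.GpoStatus
    )
    # A half that an administrator already switched off must stay off.
    $computerOff = $CurrentStatus -in 'ComputerSettingsDisabled', 'AllSettingsDisabled'
    $userOff     = $CurrentStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled'
    # Also switch off any half at version 0, which the page treats as empty.
    if ($ComputerVersion -eq 0) { $computerOff = $true }
    if ($UserVersion -eq 0)     { $userOff = $true }

    if ($computerOff -and $userOff) { return 'AllSettingsDisabled' }
    if ($computerOff)               { return 'ComputerSettingsDisabled' }
    if ($userOff)                   { return 'UserSettingsDisabled' }
    return 'AllSettingsEnabled'
}

# Constructed sample data standing in for the output of Get-GPO -All.
$sample = @(
    [pscustomobject]@{ Name = 'Workstation Baseline'; C = 12; U = 0; Status = 'AllSettingsEnabled' }
    [pscustomobject]@{ Name = 'Retired Logon Script'; C = 0;  U = 5; Status = 'AllSettingsDisabled' }
    [pscustomobject]@{ Name = 'Placeholder';          C = 0;  U = 0; Status = 'AllSettingsEnabled' }
    [pscustomobject]@{ Name = 'Mapped Drives';        C = 0;  U = 3; Status = 'ComputerSettingsDisabled' }
)

# Report-only pass: list the GPOs whose status would change and what it would become.
foreach ($g in $sample) {
    $target = Get-TargetGpoStatus -ComputerVersion $g.C -UserVersion $g.U -CurrentStatus $g.Status
    if ($target -ne $g.Status) {
        Write-Output ("{0}: {1} -> {2}" -f $g.Name, $g.Status, $target)
    }
}
```

Against a live domain, the same function can be fed `$GPO.Computer.DSVersion`, `$GPO.User.DSVersion` and `$GPO.GpoStatus`, and the report reviewed before any status is changed.
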
September 18th, 2019 | Tags: , ,

Unlinked GPOs are just simply policies that aren’t applied to any OU or site. These policies aren’t

Import-Module GroupPolicy
$BackupPath = "C:\GPOBackup"   # assumed backup folder (not given on the page); it must already exist
Get-GPO -All | Sort-Object DisplayName | ForEach-Object {
    # A GPO whose XML report contains no <LinksTo> element is not linked anywhere
    if (Get-GPOReport -Guid $_.Id -ReportType Xml | Select-String -NotMatch "<LinksTo>") {
        Backup-GPO -Name $_.DisplayName -Path $BackupPath
        $_.DisplayName | Out-File "$BackupPath\unlinked.txt" -Append
        # Outputting the results to the screen
        $_.DisplayName
        # Uncomment this when you're ready to delete all the ones the script finds.
        # Remove-GPO -Name $_.DisplayName
    }
}

September 18th, 2019 | Tags:

System Environment


September 17th, 2019 | Tags:

A very simple fix can take care of this issue. In this repro, the following applies:

  • I have a rule by GPO scoped to allow RDP to all systems from any IP. This is administrator defined, and cannot be changed.
  • Only the IP will be able to access with RDP
  • No other ports or connectivity will be affected


September 5th, 2019 | Tags:

Mount the VHD and make a backup of C:/Windows/System32/osk.exe;
net user 用户名 密码 /add
net localgroup administrators 用户名 /add