The Permission Panic: How to Backup and Restore Share & NTFS Permissions | Lazy Admin Blog

It only takes one “Inheritance” checkbox error to bring a department to a standstill. If you are migrating a file server or just performing routine maintenance, having a permission backup is your “Undo” button.

1. Share Permissions (The Registry Method)

“Share” permissions (the ones you see in the Sharing tab) are not stored on the files themselves; they are stored in the Windows Registry.

To Backup: Open a Command Prompt (Admin) and run:

reg export HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares shareperms.reg

To Restore: Simply import the file back on the new or repaired server:

reg import shareperms.reg

Note: You must restart the ‘Server’ service or reboot for the shares to reappear.


2. NTFS Permissions (The icacls Method)

NTFS permissions (the “Security” tab) are much more complex. We use the built-in icacls tool to handle these.

The Backup Command:

icacls d:\data /save ntfsperms.txt /t /c

  • /t: Recurses through all subfolders.
  • /c: Continues even if it hits a single file error (like a long file path).

The “Tricky” Restore Command: When restoring, icacls treats the paths stored in the text file as relative to the directory you pass to /restore. If your backup file says “Data\Folder1” and you restore to D:\Data, it will look for D:\Data\Data\Folder1.

The Correct Syntax:

icacls d:\ /restore ntfsperms.txt

Lazy Admin Warning: Always point the restore command one level above the folder you backed up. If you backed up D:\Data, restore to D:\.


Understanding the “Secret Code” (SDDL)

If you open your ntfsperms.txt file, you’ll see strings like D:AI(A;ID;FA;;;BA). This is Security Descriptor Definition Language (SDDL).

  • BA = Built-in Administrators
  • SY = Local System
  • AU = Authenticated Users

It looks like gibberish, but to the Windows Kernel, it is a perfect map of your security infrastructure.
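As an added example (not part of the original post), the script below previews an icacls save file before you run /restore: it shows where each entry would land for a given restore root, which is exactly the Data\Data trap described under the restore command, and it decodes each entry’s SDDL DACL into account and rights with the .NET RawSecurityDescriptor class. The file name ntfsperms.txt and the D:\ root are the post’s; the function name is an assumption of mine.

```powershell
# Added example, not the post's own code. Preview an "icacls <dir> /save" file before
# restoring it: map each relative path onto the restore root and decode its SDDL.
function Show-IcaclsSaveFile {
    param(
        [string]$SaveFile    = 'ntfsperms.txt',  # produced by: icacls d:\data /save ntfsperms.txt /t /c
        [string]$RestoreRoot = 'D:\'             # what you intend to pass to: icacls <root> /restore
    )
    # icacls writes UTF-16 LE; the file alternates a relative path line with its SDDL line.
    $lines = @(Get-Content -LiteralPath $SaveFile -Encoding Unicode | Where-Object { $_ -ne '' })

    for ($i = 0; $i + 1 -lt $lines.Count; $i += 2) {
        $relPath = $lines[$i]
        $sddl    = $lines[$i + 1]

        # Paths are relative to the restore root: "data\Folder1" lands on D:\data\Folder1 when
        # restoring from D:\, but on D:\data\data\Folder1 when restoring from D:\data.
        $target = Join-Path -Path $RestoreRoot -ChildPath $relPath
        $state  = if (Test-Path -LiteralPath $target) { 'ok' } else { 'MISSING - wrong restore root?' }
        '{0}  ->  {1}  [{2}]' -f $relPath, $target, $state

        # Decode the DACL. In "D:AI(A;ID;FA;;;BA)": D: = DACL, AI = auto-inherited,
        # A = allow ACE, ID = inherited, FA = full access, BA = BUILTIN\Administrators.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid.Value }   # orphaned SID: the account no longer resolves
            $rights = [Enum]::ToObject([System.Security.AccessControl.FileSystemRights], $ace.AccessMask)
            $origin = if ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) { 'inherited' } else { 'explicit' }
            '    {0,-13} {1,-32} {2}  ({3})' -f $ace.AceType, $who, $rights, $origin
        }
    }
}

Show-IcaclsSaveFile -SaveFile 'ntfsperms.txt' -RestoreRoot 'D:\'
```

Any entry reported as MISSING means icacls would fail on it during /restore, usually because the restore root is one level too deep.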

#WindowsServer #SysAdmin #DisasterRecovery #NTFS #FileServer #TechTips #CyberSecurity #ITAdmin #LazyAdmin

RDP Rescue: How to Fix Remote Desktop Issues Without a Reboot | Lazy Admin Blog

If you can reach a server via ping or the VM console but RDP is failing, you can often “kick-start” the service by toggling specific registry keys. This forces the Terminal Services stack to re-read its configuration without dropping the entire OS.

1. The Firewall Check

Before diving into the registry, ensure the Windows Firewall isn’t blocking Port 3389. If you have console access, try disabling it temporarily to rule it out.

  • Quick Command: netsh advfirewall set allprofiles state off

2. The “Deny” Toggle (The Most Common Fix)

Sometimes the registry says RDP is allowed, but the service isn’t honoring it. Toggling the value can reset the listener.

Path: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

  • fDenyTSConnections: Should be 0. (If it is already 0, change it to 1, refresh, then set it back to 0.)
  • fAllowToGetHelp: Should be 0 to ensure Remote Assistance isn’t conflicting.

3. WinStation Listeners (RDP & Citrix)

If the main switch is on but the specific “listener” is disabled, you’ll get a “Connection Refused” error.

For Standard RDP: Path: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

  • fEnableWinStation: Must be 1. Toggle this (1 -> 0 -> 1) to reset the listener.

For Citrix Servers (ICA): Path: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-Tcp

  • fEnableWinStation: Must be 1.

4. Port Verification

Ensure the server is actually listening on the standard port. If someone changed the RDP port for “security,” your connection will fail.

Path: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

  • PortNumber: Should be 3389 (Decimal).

Test it from your workstation: tnc <ServerIP> -Port 3389 (PowerShell; tnc is the alias for Test-NetConnection) or telnet <ServerIP> 3389


5. The Winlogon Block

In rare cases, the entire Winlogon station for terminal services is disabled at the software level.

Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  • WinStationsDisabled: Must be 0. If set to 1, no one can log in via RDP regardless of other settings.

Lazy Admin Tip 💡

If you can’t get to the console, you can change these registry keys remotely from your workstation! Open Regedit, go to File > Connect Network Registry, and enter the target server’s name. You can perform all the toggles mentioned above without ever leaving your desk.
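As an added example (not part of the original post), here is a read-only pass over every setting the five sections above toggle. It reports what deviates from the checklist and changes nothing, and for section 1 it inspects the built-in Remote Desktop firewall rules rather than switching the firewall off. It assumes an elevated PowerShell on a Windows Server 2012 or later host (the NetTCPIP and NetSecurity modules); the function names are mine, and for a remote server you would wrap the calls in Invoke-Command.

```powershell
# Added example, not the post's own code. Read-only check of the RDP settings in
# sections 1-5; it reports deviations from the checklist and modifies nothing.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Registry key, value name and expected value, exactly as the checklist states them.
$checks = @(
    @{ Path = $ts;  Name = 'fDenyTSConnections'; Expected = 0    },
    @{ Path = $ts;  Name = 'fAllowToGetHelp';    Expected = 0    },
    @{ Path = $rdp; Name = 'fEnableWinStation';  Expected = 1    },
    @{ Path = $rdp; Name = 'PortNumber';         Expected = 3389 },
    @{ Path = $wl;  Name = 'WinStationsDisabled'; Expected = '0' }   # REG_SZ, hence a string
)

function Test-RdpRegistry {
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { '<missing>' }
        $status = if ("$actual" -eq "$($c.Expected)") { 'OK ' } else { 'BAD' }
        '{0}  {1,-20} = {2,-10} (expected {3})' -f $status, $c.Name, $actual, $c.Expected
    }
}

function Test-RdpListener {
    # Section 4: is the stack actually bound to the configured port, not merely configured?
    $port  = (Get-ItemProperty -Path $rdp -Name PortNumber).PortNumber
    $bound = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if ($bound) { "OK   TCP $port has a listener" } else { "BAD  nothing is listening on TCP $port" }

    # Section 1: look at the Remote Desktop rules instead of turning the whole firewall off.
    foreach ($r in Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue) {
        $status = if ("$($r.Enabled)" -eq 'True' -and "$($r.Action)" -eq 'Allow') { 'OK ' } else { 'BAD' }
        '{0}  rule "{1}" enabled={2} action={3} profile={4}' -f $status, $r.DisplayName, $r.Enabled, $r.Action, $r.Profile
    }

    # The service that re-reads the keys above when you toggle them.
    'INFO TermService is {0}' -f (Get-Service -Name TermService).Status
}

Test-RdpRegistry
Test-RdpListener
```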

#WindowsServer #RDP #SysAdmin #Troubleshooting #ITOps #TechTips #Networking #RemoteDesktop #LazyAdmin #ServerManagement

Installing ADSI Edit on Windows Server 2003

Whether you are performing a schema extension or manually cleaning up metadata after a failed Domain Controller demotion, ADSI Edit is the tool you need. Because it interacts directly with the Active Directory database, it is powerful—and dangerous.

Warning: ADSI Edit does not have “undo” functionality. Always ensure you have a valid System State backup before making manual attribute changes.

Step 1: Locating the Installation Files

On Windows Server 2003, ADSI Edit is not installed by default. It is part of the Windows Support Tools package.

  • From the CD: Insert your Windows Server 2003 installation media and navigate to: [CD-DRIVE]:\SUPPORT\TOOLS\
  • Run the Installer: Double-click SUPTOOLS.MSI and follow the installation wizard.
  • No CD? You can download the “Windows Server 2003 Service Pack 2 Support Tools” directly from the Microsoft Download Center.

Step 2: Launching the Console

Once the Support Tools are installed, you can launch the editor:

  1. Go to Start > Run.
  2. Type adsiedit.msc and press Enter.

Step 3: Troubleshooting “adsiedit.msc not found”

If you have installed the tools but still receive an error that the file cannot be found, the system likely hasn’t registered the required library (.dll) file properly.

To manually register the DLL:

  1. Go to Start > Run.
  2. Type the following command: regsvr32 adsiedit.dll
  3. You should see a success message stating that the DllRegisterServer succeeded.

What can you do with ADSI Edit?

ADSI Edit allows you to view and edit the three primary partitions of the Active Directory database:

  • Domain Partition: Contains the users, groups, and OUs.
  • Configuration Partition: Contains forest-wide configuration data (like site topology).
  • Schema Partition: Contains the definitions for every object type and attribute in the forest.

#ActiveDirectory #ADSIEdit #WindowsServer #SysAdmin #ITPro #Microsoft #TechSupport #LazyAdmin #ServerManagement #VintageTech #ADTroubleshooting