# The script below assigns NTFS permissions (List, Read, Traverse, Create/Append) on the FSLogix user profile shares so that users can create their own profile folder but cannot access other users' folders
# User groups/users are given in an input file; keep the heading (top row) GROUPS and list the group names under it
# Enter your storage account name and domain name in the script below
# Whoever runs the code below must have full admin privilege on the shares
$permission = ":(X,RD,AD,RC)"   # icacls rights: traverse (X), list/read (RD), create subfolder/append (AD), read permissions (RC)
$Lists = Import-Csv -Path "C:\temp\devgroups.csv" # group accounts; CSV header is GROUPS
$shares = "<Share Name 1>,<Share Name 2>"
$sharelist = $shares.Split(",")
foreach ($share in $sharelist)
{
    $share
    # UNC path must be a quoted string, otherwise PowerShell tries to run it as a command
    $shrpath = "\\<storageAccountName>.file.core.windows.net\$share"
    foreach ($list in $Lists)
    {
        $UserName = $list.GROUPS
        # Call icacls directly; Invoke-Expression is not needed to expand the variables
        icacls $shrpath /grant "<Domain Name>\${UserName}${permission}"
    }
}
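An added audit script (not part of the original page) that reads back the ACL of each share root after the grant script has run and flags any listed group holding rights beyond the intended List/Read/Traverse/Create set, or missing an entry altogether. It assumes the same CSV layout (header GROUPS) and the same placeholder names as the script above.

```powershell
# Added audit (not the page's own script): verify the share-root ACLs match the intent
# of the grant script above. Placeholders and CSV path are the same assumptions as above.
$csvPath = "C:\temp\devgroups.csv"                 # same input file as the grant script
$domain  = "<Domain Name>"                         # placeholder, replace as in the script
$account = "<storageAccountName>"                  # placeholder
$shares  = "<Share Name 1>,<Share Name 2>".Split(",")

# Rights the grant string ":(X,RD,AD,RC)" maps to: Traverse/ExecuteFile (X),
# ListDirectory/ReadData (RD), CreateDirectories/AppendData (AD), ReadPermissions (RC).
$allowed = [int]([System.Security.AccessControl.FileSystemRights]::Traverse -bor
                 [System.Security.AccessControl.FileSystemRights]::ListDirectory -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::ReadPermissions)

$groupIds = (Import-Csv -Path $csvPath).GROUPS | ForEach-Object { "$domain\$_" }

$findings = foreach ($share in $shares) {
    $path = "\\$account.file.core.windows.net\$share"
    $acl  = Get-Acl -Path $path
    # Check every explicit Allow entry that belongs to one of the listed groups
    foreach ($rule in $acl.Access) {
        if ($rule.IsInherited -or $rule.AccessControlType -ne 'Allow') { continue }
        $id = $rule.IdentityReference.Value
        if ($groupIds -notcontains $id) { continue }
        # Any bit outside the allowed set lets the group do more than the script intended
        $extra = [int]$rule.FileSystemRights -band (-bnot $allowed)
        if ($extra -ne 0) {
            [pscustomobject]@{
                Share      = $share
                Group      = $id
                Rights     = $rule.FileSystemRights
                Unexpected = [System.Security.AccessControl.FileSystemRights]$extra
            }
        }
    }
    # Also report listed groups with no entry at all (the grant did not apply)
    foreach ($g in $groupIds) {
        if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $g })) {
            [pscustomobject]@{ Share = $share; Group = $g; Rights = 'none'; Unexpected = 'missing' }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { "All listed groups hold only the intended rights on every share." }
```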
While volume activation is a process that many have utilized over the years, today’s post offers guidance to help you ensure that all your devices have been properly activated regardless of their connection to your organization’s network.
First, a refresher. Volume activation enables a wide range of Windows devices to receive a volume license and be activated automatically and en masse versus tediously entering an activation key on each Windows device manually.
The most common methods of volume activation require that devices be connected to an organization’s network, or connected via virtual private network (VPN), to “check in” from time to time with the organization’s activation service to maintain their licenses. When people work from home, off the corporate or school network, however, their devices’ ability to receive or maintain activation is limited.
Volume activation methods
There are several methods to activate devices via volume licensing. For detailed information, see Plan for volume activation. Here, however, is a summary for easy reference.
Key Management Service
Key Management Service (KMS) activation requires TCP/IP connectivity to, and accessibility from, an organization’s private network so that licenses are not accessible to anyone outside of the organization. By default, KMS hosts and clients use DNS to publish and find the KMS key. Default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
KMS activations are valid for 180 days (the activation validity interval). KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries to reach the host every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.
Multiple Activation Key
A Multiple Activation Key (MAK) is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of activations allowed. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft-hosted activation service counts toward the activation limit.
You can use a MAK for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation, which is useful for moving a computer off the core network to a disconnected environment.
Active Directory-based activation
Active Directory-based activation is similar to KMS activation but uses Active Directory instead of a separate service. Active Directory-based activation is implemented as a role service that relies on Active Directory Domain Services to store activation objects. Active Directory-based activation requires that the forest schema be updated using adprep.exe on a supported server operating system, but after the schema is updated, older domain controllers can still activate clients.
Devices activated via Active Directory maintain their activated state for up to 180 days after the last contact with the domain. Devices periodically attempt to reactivate (every seven days by default) before the end of that period and, again, at the end of the 180 days.
Windows 10 Subscription Activation
Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step up” from Windows 10 Pro to Windows 10 Enterprise automatically if they are subscribed to Windows 10 Enterprise E3 or E5.
With Windows 10, version 1903, the Subscription Activation feature also supports stepping up from Windows 10 Pro Education to the Enterprise-grade edition for educational institutions, Windows 10 Education.
The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, and then to stand up on-premises key management services such as KMS- or MAK-based activation, enter GVLKs, and subsequently reboot client devices.
To step a device up to Windows 10 Education via Subscription Activation the device must meet the following requirements:
Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
Note: If Windows 10 Pro is converted to Windows 10 Pro Education using benefits available in Store for Education, then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
Volume activation while working from home
If you activate devices in your organization using MAK, the activation process is straightforward and the devices are permanently activated. If you are using KMS or Active Directory-based Activation, each device must connect to the organization’s local network at least once every 180 days to “check in” with either the KMS host or the Active Directory domain controller. Otherwise, the user will be warned to activate Windows again.
With many users working or taking classes from home, a connection to the organization’s network may not exist, which would ultimately leave their devices in a deactivated state. There are a few options to avoid this:
Use a VPN. By having the device connect to your organization’s network via a VPN, it will be able to contact a KMS host or Active Directory domain controller and will be able to maintain its activation status. If you manage your devices through a wholly on-premises solution to deploy policies, collect inventory, and deploy updates and other software, there is a good chance you are already using a VPN. Depending on the VPN configuration, some manual configuration of the client device may be required to ensure the KMS service is accessible through the VPN. For more details on these settings, which can be implemented via script, see Slmgr.vbs options for obtaining volume activation information.
Convert the devices from KMS to MAK activation. By converting from KMS to MAK activation, you replace the license that requires reactivation every 180 days with a permanent one, which requires no additional check-in process. There are some cases—in educational organizations, for example—where each device is re-imaged at the end of the school year to get ready for the next class. In this case, the license must be “reclaimed” by contacting your Microsoft licensing rep or a Microsoft Licensing Activation Center.
One way of converting a device from KMS to MAK activation is to use the Windows Configuration Designer app (available from the Microsoft Store) to create a provisioning package, which includes the MAK, and deploy the package through email or a management solution such as Microsoft Intune.
You can also deploy a MAK directly within Intune without creating a provisioning package by creating a simple PowerShell script with the following commands and deploying the script to a user group:
slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
slmgr.vbs /ato
(In the example above, XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is your MAK key.)
It is important to monitor the success of these activations and remove users from the target group once their devices have been activated so that their other devices do not receive a new license.
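An added status check (not part of the original post) that can run on a client, or be deployed as a script, so the activations from the MAK push can be monitored before users are removed from the target group. It reads the standard SoftwareLicensingProduct and SoftwareLicensingService WMI classes; the 30-day warning threshold for KMS clients is an assumption.

```powershell
# Added example, not the post's own code. Reports licence state and activation channel
# and exits non-zero when the device needs follow-up.
function Get-WindowsActivationState {
    # ApplicationID shared by all Windows OS licences in SoftwareLicensingProduct
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey } |
        Select-Object -First 1
    if (-not $product) { throw 'No Windows licence with an installed product key was found' }
    $service = Get-CimInstance -ClassName SoftwareLicensingService

    # LicenseStatus 1 means Licensed; everything else is a grace or notification state
    $statusText = switch ([int]$product.LicenseStatus) {
        0 { 'Unlicensed' }
        1 { 'Licensed' }
        2 { 'Initial grace period' }
        3 { 'Additional grace period' }
        4 { 'Non-genuine grace period' }
        5 { 'Notification' }
        6 { 'Extended grace period' }
        default { 'Unknown' }
    }
    # The licence channel shows in the Description, e.g. "VOLUME_KMSCLIENT channel"
    $channel = if ($product.Description -match 'VOLUME_KMSCLIENT') { 'KMS' }
               elseif ($product.Description -match 'VOLUME_MAK') { 'MAK' }
               else { 'Other' }
    # GracePeriodRemaining is in minutes; for a KMS client it is the remaining activation interval
    $graceDays = [math]::Floor($product.GracePeriodRemaining / 1440)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Edition            = $product.Name
        LicenseStatus      = $statusText
        Channel            = $channel
        PartialProductKey  = $product.PartialProductKey
        GraceDaysRemaining = $graceDays
        KmsHost            = $service.KeyManagementServiceMachine   # empty unless KMS-activated
        # Assumed policy: flag unlicensed devices and KMS clients with under 30 days left
        NeedsAttention     = ([int]$product.LicenseStatus -ne 1) -or ($channel -eq 'KMS' -and $graceDays -lt 30)
    }
}

$state = Get-WindowsActivationState
$state | Format-List
# A non-zero exit code lets a management tool treat the device as needing follow-up
if ($state.NeedsAttention) { exit 1 } else { exit 0 }
```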
Use Subscription Activation. This requires the devices to be joined to your Azure AD domain, enabling activation in the cloud. This is possible if you have one of the following subscriptions:
Windows 10 Enterprise E3/E5
Windows 10 Education A3/A5
Windows 10 Enterprise with Software Assurance
Microsoft 365 E3/E5
Microsoft 365 E3/A5
Microsoft 365 F1/F3
Microsoft 365 Business Premium
If you need assistance and have one of the preceding subscriptions with at least 150 licenses, you may be eligible for assistance through FastTrack. Contact your Microsoft representative or request assistance from FastTrack and a Microsoft FastTrack representative will contact you directly.
Conclusion
Windows volume activation has been around for a long time, but the increased number of users working from home may require your organization to re-evaluate how best to keep your devices activated when they cannot reach your on-premises activation service, if you are using KMS or Active Directory-based Activation. It is important to consider the options available to you to ensure your devices stay activated. As always, there is no “one-size-fits-all” approach, so consider the pros and cons of each option as you plan how to best support your remote workers and students.
NTLM: NTLM is the well-known and loved challenge-response authentication mechanism; using NTLM means that you really have no special configuration issues. As Microsoft likes to say, “It just works.”
It is older than Kerberos and is also used for authentication. It can still be used as a fallback when Kerberos authentication is down.
Kerberos: It’s a complex ticket-based authentication mechanism that authenticates the client to the server and authenticates the server to the client. While Kerberos is more secure, it can be a bit challenging to set up properly. Win 2003 with the latest SP can be configured to use either NTLM or Kerberos. Well, besides being more secure, Kerberos has two key advantages that make it worth consideration.
It provides ticket-based domain authentication, i.e. logging into the domain. It replaced NTLM.
Kerberos is the authentication protocol used in Windows 2000 and above, whereas NTLM was used in Windows NT 4 and below. As for LDAP, it is the protocol used with Active Directory, Novell Directory Service, and newer Unix systems. If you have older workstations you may still need to use NTLM, but if you only have Windows Me clients or below you can disable it using Group Policy. Windows 2000 Professional and above use Kerberos.
LDAP: It is primarily a directory access protocol. They do different things. LDAP has a primitive authentication mechanism called “simple bind” that applications can use to verify credentials if they can’t handle other authentication protocols. It gets tricky because LDAP also includes an extensible authentication framework called SASL that allows alternate authentication protocols to be added. It is the protocol that allows other programs to access the Active Directory framework and is used extensively in VBScript. Think of it as a “hole that lets you peek inside your Active Directory domain”.
Advantages of Kerberos: better security, faster authentication, mutual authentication, Kerberos is an open standard, support for authentication delegation, support for the smart card logon feature.
Performance – Kerberos caches information about the client after authentication. This means that it can perform better than NTLM, particularly in large farm environments.
Delegation – Kerberos can delegate the client credentials from the front-end web server to other back-end servers such as SQL Server.
Work flows
In Active Directory (AD), two authentication protocols can be used:
• NT LAN Manager (NTLM): This is a challenge-response authentication protocol that was used before Kerberos became available. However, an organization may still have computers that use NTLM, so it’s still supported in Windows Server.
• Kerberos: This protocol works on the basis of tickets, and requires the presence of a trusted third party.
The basics of how NTLM works
Here’s a step-by-step description of how NTLM authentication works:
• The user provides their username, password, and domain name at the interactive logon screen of a client.
• The client develops a hash of the user’s password and discards the actual password.
• The client sends the username in plain text to the server it wants to access.
• The server sends a challenge to the client. This challenge is a 16-byte random number.
• The client then sends a response to the server. This response is the challenge encrypted by the hash of the user’s password.
• The server sends the challenge, response, and username to the domain controller (DC).
• The DC retrieves the hash of the user’s password from its database, and then encrypts the challenge using it.
• The DC compares the encrypted challenge it has computed (in the above step) to the response of the client. If these two match, the user is authenticated.
NTLMv2 – A big improvement over NTLMv1
NTLMv2 is a more secure version of NTLM (discussed above). It differs from its predecessor in the following ways:
• It provides a variable length challenge instead of the 16-byte random number challenge used by NTLMv1.
• In NTLMv2, the client adds additional parameters to the server’s challenge such as the client nonce, server nonce, timestamp and username. It then encrypts this with the hash of the user’s password with the HMAC-MD5 algorithm. In contrast, in NTLMv1, the client only adds the client nonce and the server nonce to the server’s challenge. It then encrypts this with the hash of the user’s password with the relatively weak DES algorithm.
NTLMv2 gives a better defense against replay attacks and brute-force attacks. However, Kerberos is an even more secure authentication protocol because of its use of encrypted tickets.
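An added, simplified NTLMv2-style exchange (not from the original text) that shows why binding the client nonce and timestamp into the HMAC-MD5 response resists replay: the verifier recomputes the proof for its own challenge and rejects a response that was produced for an earlier one or carries a stale timestamp. The 16-byte “NT hash” key, user and domain are constructed values; no real password hashing (MD4) is performed, and the NTLMv1/DES path is not modelled.

```powershell
# Added example, not the page's own code. Models only the NTLMv2 response (HMAC-MD5 over
# server challenge + client blob) and its verification; the NT hash is a constructed key.
function New-RandomBytes { param([int]$Count)
    $buf = [byte[]]::new($Count)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return $buf
}
function Get-HmacMd5 { param([byte[]]$Key, [byte[]]$Data)
    $h = [System.Security.Cryptography.HMACMD5]::new($Key)
    try { return $h.ComputeHash($Data) } finally { $h.Dispose() }
}
function Get-Ntlmv2Key {
    # NTLMv2 key = HMAC-MD5(NT hash, UPPER(user) + domain) with both names in UTF-16LE
    param([byte[]]$NtHash, [string]$User, [string]$Domain)
    $id = [System.Text.Encoding]::Unicode.GetBytes($User.ToUpperInvariant() + $Domain)
    return Get-HmacMd5 -Key $NtHash -Data $id
}
function New-ClientResponse {
    # Client side: bind the server challenge to a timestamp and a fresh client nonce
    param([byte[]]$Ntlmv2Key, [byte[]]$ServerChallenge)
    $timestamp   = [BitConverter]::GetBytes([DateTime]::UtcNow.ToFileTimeUtc())  # 8-byte FILETIME
    $clientNonce = New-RandomBytes 8
    $blob        = [byte[]]($timestamp + $clientNonce)
    $proof       = Get-HmacMd5 -Key $Ntlmv2Key -Data ([byte[]]($ServerChallenge + $blob))
    return [pscustomobject]@{ Proof = $proof; Blob = $blob }
}
function Test-ClientResponse {
    # DC side: recompute the proof from the stored key and check the timestamp window
    param([byte[]]$Ntlmv2Key, [byte[]]$ServerChallenge, $Response, [int]$MaxSkewMinutes = 30)
    $expected = Get-HmacMd5 -Key $Ntlmv2Key -Data ([byte[]]($ServerChallenge + $Response.Blob))
    # Demo comparison; production code should compare MACs in constant time
    if ([Convert]::ToBase64String($expected) -ne [Convert]::ToBase64String($Response.Proof)) {
        return 'REJECT: proof does not match this challenge'
    }
    $ts = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Response.Blob, 0))
    if ([math]::Abs(([DateTime]::UtcNow - $ts).TotalMinutes) -gt $MaxSkewMinutes) {
        return 'REJECT: stale timestamp'
    }
    return 'ACCEPT'
}

# Constructed demo values (stand-ins, not real credentials)
$ntHash = [byte[]](1..16)
$key    = Get-Ntlmv2Key -NtHash $ntHash -User 'alice' -Domain 'CORP'

$challenge1 = New-RandomBytes 8            # server challenge for the first session
$resp1      = New-ClientResponse -Ntlmv2Key $key -ServerChallenge $challenge1
"Session 1: " + (Test-ClientResponse -Ntlmv2Key $key -ServerChallenge $challenge1 -Response $resp1)

$challenge2 = New-RandomBytes 8            # a later session issues a fresh challenge
"Replayed response against the new challenge: " + (Test-ClientResponse -Ntlmv2Key $key -ServerChallenge $challenge2 -Response $resp1)
```

The first call prints ACCEPT and the second REJECT, because the recorded proof was computed over a different challenge.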
How Kerberos works
Here is the step-by-step process of how Kerberos works:
• The user attempts to join the network through the client’s interactive logon screen.
• The client constructs a package called an authenticator which has information about the client (username, date, and time). Except for the username, all the other information contained in the authenticator is encrypted with the user’s password.
• The client then sends the encrypted authenticator to the KDC.
• The KDC immediately knows the identity of the client that has sent the authenticator by looking at the username. The KDC will then look into its AD database for the user’s password, which is a shared secret. It then decrypts the authenticator with the password. If the KDC is able to decrypt the authenticator, it means that the identity of the client is verified.
• Once the identity of the client is verified, the KDC creates a ticket granting ticket (TGT), which is encrypted by a key that only the KDC knows.
• The KDC sends the TGT to the client. The client stores the TGT in its Kerberos tray. It can use this ticket whenever it needs to access a resource on a server on the network (within a typical time limit of eight hours).
• When the client needs to access another server, it sends the TGT to the KDC along with a request to access the resource.
• The KDC decrypts the TGT with its key. This step verifies that the client has previously authenticated itself to the KDC.
• The KDC generates a ticket for the client to access the shared resource. This ticket is encrypted by the server’s key. The KDC then sends this ticket to the client.
• The client saves this ticket in its Kerberos tray, and sends a copy of it to the server.
• The server uses its own password to decrypt the ticket.
If the server successfully decrypts the ticket, it knows that the ticket is legitimate. The server will then open the ticket and decide whether the client has the necessary permission to access the resource by looking through the access control list (ACL).
To understand subnetting, you should first understand the decimal and binary structure of an IP address.
Let’s start with the basics. Here’s what an IP address looks like: 192.168.1.20
An IPv4 address is a 32-bit number. To make addresses more straightforward, they are divided into four 8-bit numbers — or octets — separated by a decimal point. These octets range in number from zero to 255.
Why do octets only go up to 255? Because they’re binary.
The biggest IP address possible is 255.255.255.255
In binary, this IP address looks like this: 11111111.11111111.11111111.11111111
Note that there are eight numbers between the decimal points. Each number represents a bit. Hence the term octet or the 8-bit number grouping.
Binary corresponds to this table:
128  64  32  16  8  4  2  1
Let’s use this binary number, for example: 10000001
Every 1 in a binary number “turns on” the number in its position. So, 1 in the first and last positions “turn on” 128 and 1.
128  64  32  16  8  4  2  1
  1   0   0   0  0  0  0  1
Add up all the positions to get the decimal number: 128 + 1 = 129
When all the positions are “turned on,” they add up to 255.
You can see how it works here. These are the most common octets you’ll encounter in subnetting:
       128  64  32  16  8  4  2  1
255      1   1   1   1  1  1  1  1
254      1   1   1   1  1  1  1  0
252      1   1   1   1  1  1  0  0
248      1   1   1   1  1  0  0  0
240      1   1   1   1  0  0  0  0
224      1   1   1   0  0  0  0  0
192      1   1   0   0  0  0  0  0
128      1   0   0   0  0  0  0  0
How to define the network portion of a subnet IP address
During the early stages of the internet, organizations assigned IP addresses like crazy until we nearly ran out. Luckily, the designers of IP addressing came up with a way to end this wasteful practice: Dividing networks using subnetting.
The process of taking an extensive network and splitting into smaller networks is known as subnetting — and it’s freeing up more public IPv4 addresses.
There are two parts to an IP address: The network portion and the host portion.
It’s like the address for a house. The network portion is like the city, state, and zip code. The host portion is like the house and street number.
A subnet mask defines the number of bits, out of 32, used for the “network portion” of the address. Subnet masks can also be written in the more common ‘slash’ representation, known as CIDR notation. In the following table, the 1 bits (shown in red in the original) are the bits used for the network; the 0 bits (shown in black) are available for device IP addresses. Note that the 255.0.0.0 mask can also be represented as ‘/8’ because it reserves 8 of the 32 bits that describe an IPv4 address as the network portion.
Bits used for mask  Default netmask  Subnet binary
/8                  255.0.0.0        11111111.00000000.00000000.00000000
/16                 255.255.0.0      11111111.11111111.00000000.00000000
/24                 255.255.255.0    11111111.11111111.11111111.00000000
For example, you might have a network with devices (known as hosts) with the following IP addresses:
IP address: 172.16.56.40
Mask: 255.255.255.0
Binary mask: 11111111.11111111.11111111.00000000
In this case, we’re using 24 bits (or three octets) for the network. Notice that every host device in the network has the same first three octets. That’s the network portion of the IP address with a /24 mask.
The last octet is the host portion of the IP address. That’s where you’d assign your devices. In this case, you could assign up to 254 hosts. (More on that later.)
Let’s look at the table again. If it were /16, then the first two octets would be the network portion, and the host portion would occupy the last two octets.
/16  255.255.0.0  11111111.11111111.00000000.00000000
If it were an /8 network, then only the first octet would be the network portion.
/8  255.0.0.0  11111111.00000000.00000000.00000000
These are the most common masks because they’re the simplest, but when you need more than one network, you have to subnet. Subnetting enables you to choose the number of bits to use for the Network portion. You can even steal bits from the host portion for the network.
Here’s what the full subnet mask table looks like. In this table, 1s represent the network portion, and 0s represent the host portion.
Slash  Netmask          1st Octet  2nd Octet  3rd Octet  4th Octet
/30    255.255.255.252  11111111   11111111   11111111   11111100
/29    255.255.255.248  11111111   11111111   11111111   11111000
/28    255.255.255.240  11111111   11111111   11111111   11110000
/27    255.255.255.224  11111111   11111111   11111111   11100000
/26    255.255.255.192  11111111   11111111   11111111   11000000
/25    255.255.255.128  11111111   11111111   11111111   10000000
/24    255.255.255.0    11111111   11111111   11111111   00000000
/23    255.255.254.0    11111111   11111111   11111110   00000000
/22    255.255.252.0    11111111   11111111   11111100   00000000
/21    255.255.248.0    11111111   11111111   11111000   00000000
/20    255.255.240.0    11111111   11111111   11110000   00000000
/19    255.255.224.0    11111111   11111111   11100000   00000000
/18    255.255.192.0    11111111   11111111   11000000   00000000
/17    255.255.128.0    11111111   11111111   10000000   00000000
/16    255.255.0.0      11111111   11111111   00000000   00000000
/15    255.254.0.0      11111111   11111110   00000000   00000000
/14    255.252.0.0      11111111   11111100   00000000   00000000
/13    255.248.0.0      11111111   11111000   00000000   00000000
/12    255.240.0.0      11111111   11110000   00000000   00000000
/11    255.224.0.0      11111111   11100000   00000000   00000000
/10    255.192.0.0      11111111   11000000   00000000   00000000
/9     255.128.0.0      11111111   10000000   00000000   00000000
/8     255.0.0.0        11111111   00000000   00000000   00000000
/7     254.0.0.0        11111110   00000000   00000000   00000000
/6     252.0.0.0        11111100   00000000   00000000   00000000
/5     248.0.0.0        11111000   00000000   00000000   00000000
/4     240.0.0.0        11110000   00000000   00000000   00000000
/3     224.0.0.0        11100000   00000000   00000000   00000000
/2     192.0.0.0        11000000   00000000   00000000   00000000
/1     128.0.0.0        10000000   00000000   00000000   00000000
What are IP address classes?
To complicate things further, IP addresses have five classes, but only three are applicable to subnetting — A, B, C.
Here are the IP address ranges by class:
Class A = 1.0.0.0 to 127.0.0.0
Class B = 128.0.0.0 to 191.255.0.0
Class C = 192.0.0.0 to 223.255.255.0
Remember these IP addresses are represented in binary.
Here are the largest subnet IP addresses in these ranges (127 in binary is 01111111):
Class A  127.0.0.0      01111111  00000000  00000000  00000000
Class B  191.255.0.0    10111111  11111111  00000000  00000000
Class C  223.255.255.0  11011111  11111111  11111111  00000000
This is important to know because it affects the number of hosts and subnets available in a network.
Notice that Class A addresses provide the most room for host addresses (the 0 bits, shown in black in the original). That’s because the network portion only occupies the first octet. Most large enterprises use Class A IP addresses for this reason. You can connect more devices to a Class A network than to a Class C network.
Class A  127.0.0.0  01111111  00000000  00000000  00000000
In every class, you can steal bits from the hosts to create more subnets, but you’re also reducing the number of hosts. Notice how stealing just one bit for the network drops the number of hosts significantly.
Class A Subnet Netmasks and Hosts
Network Bits  Subnet Mask      Number of Subnets  Number of Hosts
/8            255.0.0.0        0                  16,777,214
/9            255.128.0.0      0                  8,388,606
/10           255.192.0.0      2                  4,194,302
/11           255.224.0.0      6                  2,097,150
/12           255.240.0.0      14                 1,048,574
/13           255.248.0.0      30                 524,286
/14           255.252.0.0      62                 262,142
/15           255.254.0.0      126                131,070
/16           255.255.0.0      254                65,534
/17           255.255.128.0    510                32,766
/18           255.255.192.0    1,022              16,382
/19           255.255.224.0    2,046              8,190
/20           255.255.240.0    4,094              4,094
/21           255.255.248.0    8,190              2,046
/22           255.255.252.0    16,382             1,022
/23           255.255.254.0    32,766             510
/24           255.255.255.0    65,534             254
/25           255.255.255.128  131,070            126
/26           255.255.255.192  262,142            62
/27           255.255.255.224  524,286            30
/28           255.255.255.240  1,048,574          14
/29           255.255.255.248  2,097,150          6
/30           255.255.255.252  4,194,302          2
Class B IP addresses offer fewer hosts than Class A because their network portion occupies the first two octets.
Class B  191.255.0.0  10111111  11111111  00000000  00000000
Class B Subnet Netmasks and Hosts
Network Bits  Subnet Mask      Number of Subnets  Number of Hosts
/16           255.255.0.0      0                  65,534
/17           255.255.128.0    0                  32,766
/18           255.255.192.0    2                  16,382
/19           255.255.224.0    6                  8,190
/20           255.255.240.0    14                 4,094
/21           255.255.248.0    30                 2,046
/22           255.255.252.0    62                 1,022
/23           255.255.254.0    126                510
/24           255.255.255.0    254                254
/25           255.255.255.128  510                126
/26           255.255.255.192  1,022              62
/27           255.255.255.224  2,046              30
/28           255.255.255.240  4,094              14
/29           255.255.255.248  8,190              6
/30           255.255.255.252  16,382             2
Class C IP addresses offer the fewest hosts because the network portion occupies three octets.
Class C  223.255.255.0  11011111  11111111  11111111  00000000
You might notice that the default IP address your home router uses falls into the Class C category. This is a special subnet reserved for private IP addresses; you can read why in the Network Address Translation article.
Class C Subnet Netmasks and Hosts
Network Bits  Subnet Mask      Number of Subnets  Number of Hosts
/24           255.255.255.0    0                  254
/25           255.255.255.128  0                  126
/26           255.255.255.192  2                  62
/27           255.255.255.224  6                  30
/28           255.255.255.240  14                 14
/29           255.255.255.248  30                 6
/30           255.255.255.252  62                 2
These standards make subnetting a little easier. For example, if you choose a Class ‘C’ address, you know that it uses at least 24 bits (/24) of the 32 available bits for the network portion of the address.
How to subnet in IPv4
Now that we know about classes, binary, and subnets, let’s dive into a subnet.
Here’s the IP address we’ll use: 43.17.255.71/27
Here’s what it looks like in binary (43, 17, 255 and 71 as full eight-bit octets):
00101011.00010001.11111111.01000111
From the IP address we already know two things:
It’s a Class A IP Address
It must have at least eight network bits, but we’re giving it 27 bits
In that case, we know the network portion of the subnet will occupy these bits:
/27  255.255.255.224  11111111  11111111  11111111  11100000
Let’s reverse engineer this last octet to determine the network portion of the address or what the subnet is for this address.
Here’s what we want to do:
Determine the number of allowed subnets using the /27 network mask
Determine what subnet the address lies in
Here’s an example:
1. Determine the number of allowed subnets using the /27 network mask.
Here’s the binary representation of the possibilities for the last octet with a /27 mask (the three network bits are to the left of the bar, the five host bits to the right):
Last octet   Subnet value
000|0 0000   0
001|0 0000   32
010|0 0000   64
011|0 0000   96
100|0 0000   128
101|0 0000   160
110|0 0000   192
111|0 0000   224
This gives us eight possible subnets with the /27 mask.
2. How to determine which subnet your IP address lives in
Now, let’s find the subnet address where this IP address resides.
Remember that the IP address is 43.17.255.71
We are only looking at the last octet because the first three octets are the network portion.
43.17.255.71
We just have to take a look at our table again. 71 falls above the 43.17.255.64 subnet and below the 43.17.255.96 subnet. So it belongs in the 43.17.255.64 subnet.
Subnet  Last Octet  Block size  IP Address
1       0           +32         43.17.255.0
2       32          +32         43.17.255.32
3       64          +32         43.17.255.64
4       96          +32         43.17.255.96
5       128         +32         43.17.255.128
6       160         +32         43.17.255.160
7       192         +32         43.17.255.192
8       224         +32         43.17.255.224
We now have the subnet for 43.17.255.71: 43.17.255.64.
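An added calculator (not from the original article) that carries the article’s own case, 43.17.255.71/27, through the steps above in code: dotted decimal to the 128..1 binary octets, mask from the prefix, network and broadcast address, host count, and the subnet counts in the form the tables above use (2^n - 2 within the class, 2^bits within the last octet). It generalizes to any class A, B or C address and prefix.

```powershell
# Added example, not the article's own code. Run as-is; the worked case is at the bottom.
$ALL32 = [long][uint32]::MaxValue   # 0xFFFFFFFF as a positive 64-bit value

function ConvertTo-IpInt {
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [long]$_ }
    return ($o[0] -shl 24) -bor ($o[1] -shl 16) -bor ($o[2] -shl 8) -bor $o[3]
}
function ConvertFrom-IpInt {
    param([long]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255), (($Value -shr 8) -band 255), ($Value -band 255)
}
function ConvertTo-BinaryOctets {
    # Each octet as its eight 128..1 position bits, e.g. 71 -> 01000111
    param([string]$Address)
    return ($Address.Split('.') | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join '.'
}
function Get-ClassPrefix {
    # Default network bits by first-octet range, as the class table above defines them
    param([long]$Value)
    $first = ($Value -shr 24) -band 255
    if ($first -le 127) { return 8 }
    if ($first -le 191) { return 16 }
    if ($first -le 223) { return 24 }
    throw "$first.x.x.x is not a class A, B or C address"
}
function Get-SubnetInfo {
    param([string]$Cidr)      # e.g. "43.17.255.71/27"
    $addrText, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    $ip     = ConvertTo-IpInt $addrText
    $mask   = ($ALL32 -shl (32 - $prefix)) -band $ALL32   # prefix ones followed by zeros
    $net    = $ip -band $mask                             # host bits cleared
    $bcast  = $net -bor ((-bnot $mask) -band $ALL32)      # host bits all set
    $classPrefix = Get-ClassPrefix $ip
    $borrowed    = $prefix - $classPrefix                 # bits "stolen" from the host portion
    # Bits of the mask that fall in the octet where it ends (3 for /27), giving the block size
    $bitsInOctet = $prefix - 8 * [math]::Floor(($prefix - 1) / 8)
    [pscustomobject]@{
        Address        = $addrText
        Binary         = ConvertTo-BinaryOctets $addrText
        Prefix         = "/$prefix"
        Mask           = ConvertFrom-IpInt $mask
        MaskBinary     = ConvertTo-BinaryOctets (ConvertFrom-IpInt $mask)
        Class          = @{ 8 = 'A'; 16 = 'B'; 24 = 'C' }[$classPrefix]
        Network        = ConvertFrom-IpInt $net
        Broadcast      = ConvertFrom-IpInt $bcast
        FirstHost      = ConvertFrom-IpInt ($net + 1)
        LastHost       = ConvertFrom-IpInt ($bcast - 1)
        Hosts          = [long][math]::Pow(2, 32 - $prefix) - 2           # network and broadcast excluded
        BlockSize      = [int][math]::Pow(2, 8 - $bitsInOctet)            # 32 for /27
        SubnetsInOctet = [int][math]::Pow(2, $bitsInOctet)                # 8 for /27, as in step 1
        SubnetsInClass = [math]::Max(0, [long][math]::Pow(2, $borrowed) - 2)  # the tables' 2^n - 2 convention
    }
}

# The article's worked case: expect Network 43.17.255.64, Broadcast 43.17.255.95, 30 hosts
Get-SubnetInfo '43.17.255.71/27' | Format-List
```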
If you are planning to use Hyper-V as your OS, the following configuration guide is useful for understanding which components on the UCS you need to configure to enable Jumbo Frames: