Thursday, April 17, 2025

🧼 Cleanup: Invalid SID Members in Local Groups (Windows Server Maintenance)

Overview

This PowerShell script scans all local groups for orphaned (invalid) SIDs — entries left behind after a user or service account has been deleted. These show as raw SIDs (e.g., S-1-5-21-...) in group membership.

We use NinjaOne to deploy this as a recurring cleanup task across servers.

🔧 What It Does

  • Enumerates all local groups
  • Identifies broken/unresolvable SID entries
  • Removes only invalid entries
  • Outputs all actions to NinjaOne

🛠 PowerShell Script

# Scans every local group for members whose SID no longer resolves (deleted
# accounts) and removes only those entries. Run elevated.
$badEntries = @()

$localGroups = Get-LocalGroup | Select-Object -ExpandProperty Name

foreach ($groupName in $localGroups) {
    Write-Output "`nProcessing group: $groupName"
    $badSIDs = @()

    # Get-LocalGroupMember stops enumerating when it hits an unresolvable SID and
    # names that SID in its error text, so run it in a child process and capture
    # stdout and stderr together as plain lines we can parse.
    $output = powershell -NoProfile -Command "Get-LocalGroupMember -Group '$groupName'" 2>&1

    foreach ($line in $output) {
        # Only account SIDs (S-1-5-21-...) qualify for removal; well-known SIDs
        # such as S-1-5-32-544 are never matched, as the Safety section promises.
        if ($line -match "SID '(S-1-5-21-[^']+)'") {
            $badSIDs += $matches[1]
        }
    }

    if ($badSIDs.Count -gt 0) {
        # The WinNT ADSI provider accepts a bare SID as the member path, so the
        # entry can be removed without resolving it to an account first.
        $group = [ADSI]"WinNT://./$groupName,group"
        foreach ($sid in $badSIDs | Select-Object -Unique) {
            $path = "WinNT://$sid"
            try {
                $group.Remove($path)
                Write-Output "Removed: $sid from $groupName"
                $badEntries += [PSCustomObject]@{ Group = $groupName; SID = $sid; Status = "Removed" }
            } catch {
                Write-Warning "Failed to remove: $sid from $groupName ($($_.Exception.Message))"
                $badEntries += [PSCustomObject]@{ Group = $groupName; SID = $sid; Status = "Failed" }
            }
        }
    } else {
        Write-Output "No orphaned SIDs found in $groupName"
    }
}

# Summary table; this is what NinjaOne captures as the script output
$badEntries | Format-Table

🧪 Example Output

Processing group: Administrators
Removed: S-1-5-21-...-6274 from Administrators

Processing group: Users
Removed: S-1-5-21-...-6835 from Users
Removed: S-1-5-21-...-13465 from Users

🔒 Safety

  • Only removes entries matching S-1-5-21-*
  • Only removes if the SID causes an error in Get-LocalGroupMember
  • Leaves all valid users/groups untouched
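An audit-only companion to the script above, added here as an example (it is not part of the original post). It collects the same suspect SIDs but, before anyone removes them, asks the OS to translate each SID to an account, so a member that merely failed to enumerate is not mistaken for a deleted one. It assumes an elevated Windows PowerShell 5.1 session with the LocalAccounts module.

```powershell
# Added example: report orphaned SIDs in local groups without removing anything.
function Get-OrphanedSidReport {
    $report = @()
    foreach ($groupName in (Get-LocalGroup).Name) {
        # Same enumeration trick as the cleanup script: Get-LocalGroupMember aborts
        # on an unresolvable member, so parse its error text from a child process.
        $output = powershell -NoProfile -Command "Get-LocalGroupMember -Group '$groupName'" 2>&1
        $suspects = foreach ($line in $output) {
            if ($line -match "SID '(S-1-5-21-[\d-]+)'") { $matches[1] }
        }
        foreach ($sid in ($suspects | Select-Object -Unique)) {
            $verdict = 'Orphaned'
            try {
                # Ask the OS (and, for domain SIDs, the domain) to map the SID to an account
                $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
                $verdict = "Resolves to $acct (keep)"
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # Expected for a genuinely deleted account. Caveat: a domain SID also fails
                # to map when no domain controller is reachable, so check connectivity first.
            } catch {
                # Any other failure (RPC error, timeout) is not proof the account is gone
                $verdict = "Lookup failed (keep): $($_.Exception.Message)"
            }
            $report += [PSCustomObject]@{ Group = $groupName; SID = $sid; Verdict = $verdict }
        }
    }
    return $report
}

Get-OrphanedSidReport | Format-Table -AutoSize
```

Run this first on a server where the domain is reachable; only rows whose verdict is "Orphaned" are candidates for the cleanup script.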


Tuesday, June 27, 2017

Replacement Motherboard causes DC server to not allow login.

Recently I had a server that needed its motherboard replaced. It was a Dell server, for anyone who cares. I won't go into the drama around this issue, but basically Windows Server 2012 was forcing the time on the server. We thought it was the motherboard BIOS doing it, but it was actually the Windows OS.

The main issue was that the server would reboot and the time would be January 1, 1981, or some other strange value.

Needless to say, since this was a Domain Controller and the time from when it was last on and the new time were so far off, it would not let you log in. (Kerberos refuses authentication when the clocks involved differ by more than the allowed skew, which is five minutes by default.)

To fix this, boot into Safe Mode, log in, correct the time, and then reboot the system.

Problem solved.

Server 2012 R2 Evaluation won't register

When building a new server you sometimes run into things that are annoying or weird. One of those can be registration and activation.

Building a new 2012 R2 Standard server, I couldn't register it. It kept saying the activation code was wrong.

Well, there is a VERY easy fix for this.

I found it here.
https://social.technet.microsoft.com/Forums/windows/en-US/4211c642-b15d-49ea-8124-f0628aa0f92e/activate-windows-server-2012-evaluation-standard-version-with-a-product-key-oem?forum=winserver8gen&prof=required

Run this code to change it from evaluation.

DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula


Change <edition ID> to the edition you have the licence for, e.g.

DISM /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

You will need to reboot, so keep that in mind. 

The one thing the source where I found this doesn't tell you is that you still need to activate your server with your key.

So go to the Server Manager > Local Server > Properties > Click Activate next to Product ID > Enter your information.
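A look-before-you-convert wrapper around the DISM step, added here as an example and not part of the original post. It prints the edition the machine is on and the editions DISM offers as conversion targets, and only runs Set-Edition when the requested edition is actually offered. It assumes an elevated prompt; the product key is a placeholder you replace with your own.

```powershell
# Added example: check current and target editions before converting an evaluation install.
function Convert-EvalToLicensed {
    param(
        [string]$TargetEdition = 'ServerStandard',
        [string]$ProductKey    = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, use your own key
    )
    # DISM prints "Current Edition : <name>" and one "Target Edition : <name>" line per option
    $current = (dism /online /Get-CurrentEdition | Select-String 'Current Edition').ToString().Trim()
    $targets = dism /online /Get-TargetEditions | Select-String 'Target Edition' |
               ForEach-Object { ($_.ToString() -split ':\s*')[1].Trim() }

    Write-Output "Running: $current"
    Write-Output "Convertible to: $($targets -join ', ')"

    if ($targets -notcontains $TargetEdition) {
        Write-Warning "$TargetEdition is not a valid target from this edition; nothing changed."
        return $false
    }

    dism /online /Set-Edition:$TargetEdition /ProductKey:$ProductKey /AcceptEula
    Write-Output "Reboot required. Activation is still a separate step afterwards (Server Manager > Local Server > Product ID)."
    return $true
}

Convert-EvalToLicensed
```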

Enjoy.


Thursday, December 8, 2016

Fresh Windows 7 install won't update

If you have installed a fresh Windows 7 recently, you might have run across an issue where it won't finish running Windows Update. It just hangs, runs and churns, and seems never to finish. There is a resolution, and it was ultimately found at https://www.bleepingcomputer.com/forums/t/607544/windows-could-not-search-for-new-updates/


Here is the resolution and a breakdown of that forum thread.

The Resolution

I won't go into why this doesn't work, or how MS screwed up; I will just put the fix here.

  1. Install SP1 if you haven't, and restart.
    https://www.microsoft.com/en-us/download/details.aspx?id=5842
  2. Install the latest Windows Update; use Method 2, where you just download and install the update, and restart.
    https://support.microsoft.com/en-us/kb/3050265
  3. Install Update for Windows 7 for x64-based Systems (KB3102810), and restart.
    https://www.microsoft.com/en-us/download/details.aspx?id=49540
  4. Last, install IE 11, and restart.
    https://support.microsoft.com/en-us/help/18520/download-internet-explorer-11-offline-installer


After all the restarts and installs, try running Windows Update again.

NOTE: it will still take what seems like forever; this is because it is downloading over 200 updates to your machine.
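A readiness check for the four steps above, added here as an example (not part of the original post). It reports which prerequisites are already on the machine so you know which install-and-restart rounds you can skip. It assumes Windows PowerShell 2.0, the version a fresh Windows 7 ships with, and takes the KB numbers from the list above; the IE version is read from the registry because IE 10 and later record their real version under svcVersion.

```powershell
# Added example: which of the four Windows 7 update prerequisites are present?
function Get-Win7UpdateReadiness {
    $os        = Get-WmiObject Win32_OperatingSystem
    $hotfixIds = @(Get-HotFix | ForEach-Object { $_.HotFixID })

    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    # IE 10+ keep the true version in svcVersion; 'Version' stays at 9.x on those builds
    $ieVersion = $ie.svcVersion
    if (-not $ieVersion) { $ieVersion = $ie.Version }
    $ie11 = $false
    if ($ieVersion) { $ie11 = ([version]$ieVersion).Major -ge 11 }

    $steps = @(
        @{ Step = '1. Service Pack 1';             Installed = ($os.ServicePackMajorVersion -ge 1) },
        @{ Step = '2. KB3050265 (Windows Update)'; Installed = ($hotfixIds -contains 'KB3050265') },
        @{ Step = '3. KB3102810';                  Installed = ($hotfixIds -contains 'KB3102810') },
        @{ Step = '4. Internet Explorer 11';       Installed = $ie11 }
    )
    foreach ($s in $steps) {
        # New-Object instead of [PSCustomObject] so this still runs on PowerShell 2.0
        New-Object PSObject -Property @{ Step = $s.Step; Installed = $s.Installed }
    }
}

Get-Win7UpdateReadiness | Select-Object Step, Installed | Format-Table -AutoSize
```

Do the remaining steps in the listed order regardless; the check only tells you which ones are already done.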


Hope this helps. Let me know if this does or doesn't work; I would like to know, and I am sure others will also.

Wednesday, February 24, 2016

Quasi-Failover DHCP 2008 R2

I was given a client recently that was running out of IP addresses on their DHCP server.

After some investigation I discovered that they had 2 DHCP servers on the same AD and on the same network. Let's say the network is 192.168.1.0 with a subnet mask of 255.255.0.0. No, really, it does have that subnet mask. Anyway, the 2 DHCP servers were giving out the same scope of 192.168.1.1 - 192.168.1.254. DHCP1 had an exclusion of 192.168.1.1 - 192.168.1.170 and DHCP2 had an exclusion of 192.168.1.170 - 192.168.1.254. Of course there were other exclusions for servers and printers, but you get the point.

After looking a little deeper I noticed that the DHCP1 server was not giving out any leases. This didn't make sense until I fully thought through what was happening here.

The reason DHCP2 was the only server giving out IP addresses is that it is, for lack of a better term, faster. Once a machine has made contact with a DHCP server, even if that server is out of addresses, it will NOT try a different DHCP server; it will keep trying the same one for an address. This is why DHCP1 was not giving out leases: it is too slow to answer.

So, since DHCP2 is always the fastest, it always replies first, even when it is full. One way of testing and verifying this is to stop the DHCP service on DHCP2 momentarily and request an address from a device, then look at DHCP1 to see whether it handed out the address to that device. Of course we tested this and it worked as I expected.

Doing an "ipconfig /release" and then an "ipconfig /renew" on a computer gives you the request needed for testing. I would not do this on a computer whose address you need in order to turn the DHCP service back on; do it on a temporary PC instead.

So basically in this configuration there is a quasi-failover DHCP system in place. If DHCP2 is offline, DHCP1 picks up and starts handing out addresses. Of course this is not the best way to set up a failover DHCP environment, but it kinda works. Here is the correct way:

I hope this helps someone in their endeavour of trying to figure out why a DHCP might not be giving out leases. 
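A scripted version of the release/renew test from the post, added here as an example (not the client's or the post's own code). Run on the throwaway test PC, it releases and renews the lease and reports which DHCP server answered before and after, so the "which server is really answering" question is settled by the adapter's own record rather than by guessing. It uses the Win32_NetworkAdapterConfiguration WMI class so it also works on 2008 R2-era clients.

```powershell
# Added example: release/renew on this machine and show which DHCP server granted the lease.
function Get-DhcpAnswerer {
    # Only adapters that are up and configured for DHCP
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled }

    foreach ($cfg in $adapters) {
        $serverBefore = $cfg.DHCPServer
        [void]$cfg.ReleaseDHCPLease()          # drops connectivity briefly: run locally, not over a remote session
        Start-Sleep -Seconds 2
        $renew = $cfg.RenewDHCPLease()         # ReturnValue 0 means the renew succeeded

        # The cached WMI object does not refresh itself; re-read the adapter by its Index
        $after = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($cfg.Index)"
        $lease = $null
        if ($after.DHCPLeaseObtained) {
            $lease = [Management.ManagementDateTimeConverter]::ToDateTime($after.DHCPLeaseObtained)
        }

        New-Object PSObject -Property @{
            Adapter       = $cfg.Description
            ServerBefore  = $serverBefore
            ServerAfter   = $after.DHCPServer
            RenewResult   = $renew.ReturnValue
            IPv4          = ($after.IPAddress | Where-Object { $_ -notmatch ':' }) -join ','
            LeaseObtained = $lease
        }
    }
}

Get-DhcpAnswerer |
    Select-Object Adapter, ServerBefore, ServerAfter, RenewResult, IPv4, LeaseObtained |
    Format-Table -AutoSize
```

With DHCP2's service stopped, ServerAfter switching from DHCP2 to DHCP1 is exactly the quasi-failover the post describes; if RenewResult is non-zero, no server answered at all.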

New-MailboxExportRequest not recognized

If you try to use New-MailboxExportRequest and get "'New-MailboxExportRequest' is not recognized as the name of a cmdlet", that's because your user has not been assigned the management role that grants it.

To fix this run the below command in PowerShell from the Exchange server.

New-ManagementRoleAssignment -Role "Mailbox Import Export" -user UserName


UserName is the account you are using to run New-MailboxExportRequest.

Log out, then log back in, and you should be good to go.



Solution found at:
https://social.technet.microsoft.com/Forums/exchange/en-US/d6bbff4b-8be0-4b4f-925d-1c5db5c31cc4/newmailboxexportrequest-is-not-recognized-as-the-name-of-a-cmdlet?forum=exchangesvrgenerallegacy 
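A follow-up audit, added here as an example and not part of the original post. Because "Mailbox Import Export" lets its holders export any mailbox to a PST, it is worth listing everyone who holds it, not only the account you just added, and flagging direct user assignments, which have no role group behind them and are easy to forget. It assumes an Exchange Management Shell session; the cmdlet and parameter names are Exchange's own.

```powershell
# Added example: who can run mailbox exports, and how did they get the right?
function Get-MailboxExportHolders {
    # -GetEffectiveUsers expands role groups into the individual users inside them
    Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
        Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, AssignmentMethod |
        Sort-Object EffectiveUserName -Unique
}

function Test-MailboxExportHolder {
    param([Parameter(Mandatory=$true)][string]$UserName)
    $hits = @(Get-MailboxExportHolders | Where-Object { $_.EffectiveUserName -like "*$UserName*" })
    foreach ($h in $hits) {
        # A RoleAssigneeType of User means the role was granted straight to the account
        # (as New-ManagementRoleAssignment -User does) rather than through a role group
        if ($h.RoleAssigneeType -eq 'User') { $via = 'direct assignment' }
        else { $via = "role group $($h.RoleAssigneeName)" }
        Write-Output "$($h.EffectiveUserName) can export mailboxes via $via"
    }
    return ($hits.Count -gt 0)
}

Get-MailboxExportHolders | Format-Table -AutoSize
Test-MailboxExportHolder -UserName 'UserName'   # the account from the command above
```

Review the full list periodically; a direct assignment created for a one-off export is the kind of right that tends to outlive its purpose.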

Monday, February 8, 2016

Trojan-Downloader.Win32.VB.eql (Translated)

Translated from
https://securelist.social-kaspersky.com/ru/descriptions/Trojan-Downloader.Win32.VB.eql


Technical details

This Trojan downloads other software onto the computer without the user's knowledge. The program is a Windows application (PE EXE file). Its size is 1509125 bytes.

Installation

Once launched, the Trojan copies its body to the Windows system directory under the name "WINSP00L.EXE":
%System%\WINSP00L.EXE
To start automatically each time the system starts, the Trojan adds a link to its executable file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WINSP00L" = "%System%\WINSP00L.EXE"

Load

Once launched, the Trojan extracts the following files from its body into the directory "E_4" in the current user's temporary directory:
%Temp%\E_4\krnln.fnr - 1110016 bytes
%Temp%\E_4\shell.fne - 61440 bytes
%Temp%\E_4\eAPI.fne - 335872 bytes
%Temp%\E_4\internet.fne - 196608 bytes
%Temp%\E_4\spec.fne - 86016 bytes
%Temp%\E_4\RegEx.fne - 167936 bytes
%Temp%\E_4\dp1.fne - 126976 bytes
%Temp%\E_4\com.run - 278528 bytes
It then copies them to the Windows system directory under the same names:
%System%\krnln.fnr
%System%\shell.fne
%System%\eAPI.fne
%System%\internet.fne
%System%\spec.fne
%System%\RegEx.fne
%System%\dp1.fne
%System%\com.run
In addition, it removes the following files from the Windows system directory:
%System%\ul.dll - 2404 bytes
%System%\og.dll - 692 bytes
%System%\og.edt - 512 bytes
After completing these steps, the Trojan accesses the following address:
http://www.*****base.cn/install.htm?pn=M080410
At the time of writing, this link was not working. The file at this link is saved to the Temporary Internet Files directory and launched; its filename is random. The Trojan also connects to the following addresses:
http://www.microsoft.com
http://hi.baidu.com/siletoyou
http://www.baihe.googlepages.com/ul.htm
http://www.bloguser.googlepages.com/au.htm
After that, it extracts a file from its body with a name composed of the current date and time, for example 20090929153554.exe, and places it in the Windows system directory:
%System%\20090929153554.exe
This file has a size of 9216 bytes.
The extracted file is executed and then deleted.
In addition, the Trojan spreads via removable media under the name "Recycled.exe". An "autorun.inf" file is also created in the root directory of the removable media to run the Trojan file automatically.


Removal Instructions

If your PC was not protected by an antivirus and got infected with this malware, proceed as follows to remove it:
  1. Use Task Manager to terminate the Trojan process:
    WINSP00L.EXE
  2. Delete the original Trojan file (its location on the infected computer depends on how the program originally got onto the machine).
  3. Delete the copy of the Trojan:
    %System%\WINSP00L.EXE
  4. Remove the files and directories created by the Trojan:
    %Temp%\E_4\krnln.fnr
    %Temp%\E_4\shell.fne
    %Temp%\E_4\eAPI.fne
    %Temp%\E_4\internet.fne
    %Temp%\E_4\spec.fne
    %Temp%\E_4\RegEx.fne
    %Temp%\E_4\dp1.fne
    %Temp%\E_4\com.run
    %Temp%\E_4
    %System%\krnln.fnr
    %System%\shell.fne
    %System%\eAPI.fne
    %System%\internet.fne
    %System%\spec.fne
    %System%\RegEx.fne
    %System%\dp1.fne
    %System%\com.run
    %System%\ul.dll
    %System%\og.dll
    %System%\og.edt
    Remove the registry value:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "WINSP00L" = "%System%\WINSP00L.EXE"
  5. Check removable media for the files:
    Recycled.exe
    autorun.inf
    If found, remove them.
  6. Clear the Temporary Internet Files directory, which contains infected files.
  7. Update your antivirus databases and perform a full scan of your computer with Kaspersky Anti-Virus.
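A read-only check for the artifacts listed in this description, added here as an example (it is not part of the translated text or Kaspersky's tooling). It looks for the Run-key persistence, the dropped components in %System% and %Temp%\E_4, the Recycled.exe/autorun.inf pair on removable drives, and a running WINSP00L process, and reports what it finds without deleting anything. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: report the Trojan-Downloader.Win32.VB.eql artifacts described above.
function Find-Winsp00lArtifacts {
    $system = [Environment]::SystemDirectory      # %System%
    $temp   = [IO.Path]::GetTempPath()            # %Temp% of the current user
    $found  = @()

    # 1. Run-key persistence
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'WINSP00L' -ErrorAction SilentlyContinue
    if ($run) {
        $found += [PSCustomObject]@{ Kind = 'RunKey'; Path = "$runKey\WINSP00L = $($run.WINSP00L)" }
    }

    # 2. Dropped components, in the system directory and the E_4 staging directory
    $names = 'WINSP00L.EXE','krnln.fnr','shell.fne','eAPI.fne','internet.fne',
             'spec.fne','RegEx.fne','dp1.fne','com.run','ul.dll','og.dll','og.edt'
    foreach ($dir in @($system, (Join-Path $temp 'E_4'))) {
        foreach ($n in $names) {
            $p = Join-Path $dir $n
            if (Test-Path -LiteralPath $p) {
                $found += [PSCustomObject]@{ Kind = 'File'; Path = $p }
            }
        }
    }

    # 3. Removable media (DriveType 2): Recycled.exe beside an autorun.inf in the root
    foreach ($disk in (Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2')) {
        foreach ($n in 'Recycled.exe','autorun.inf') {
            $p = Join-Path ($disk.DeviceID + '\') $n
            if (Test-Path -LiteralPath $p) {
                $found += [PSCustomObject]@{ Kind = 'Removable'; Path = $p }
            }
        }
    }

    # 4. The running copy (step 1 of the removal instructions)
    foreach ($proc in (Get-Process -Name 'WINSP00L' -ErrorAction SilentlyContinue)) {
        $found += [PSCustomObject]@{ Kind = 'Process'; Path = "PID $($proc.Id): $($proc.Path)" }
    }
    return $found
}

Find-Winsp00lArtifacts | Format-Table -AutoSize
```

An empty result only means these particular names were not found; a hit on the Run key or the process is the strongest signal, since the file names alone are not unique to this sample.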