John Yassa's Blog


Category Archives: Windows Server 2008

How to Back Up and Restore NTFS and Share Permissions

Backup and Restore of Share Permissions

To back up share permissions, export the Shares registry key.

  1. Open Regedit to the following location: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
  2. Right-click the Shares registry key and select Export. Give it a file name such as shareperms.reg.

When you want to restore the permissions, double-click shareperms.reg to import it back into the registry.

Use the Reg tool to back up the registry key from the command line:

reg export HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares shareperms.reg

If you need to restore it at some point, just run:

reg import shareperms.reg

Backup and Restore of NTFS Permissions

Use this command to back up NTFS permissions:

icacls d:\data /save ntfsperms.txt /t /c

The /T switch allows it to get subfolder permissions too. The /C switch allows it to continue even if errors are encountered (although errors will still be displayed).

Use this command to restore them:

icacls d:\ /restore ntfsperms.txt

Note that in the command to save the permissions, I specified the target folder D:\Data, but when I restored them, I specified just D:\ as the target. Icacls is a little funky like that, and here’s why.

If you open the text file with the exported permissions (ntfsperms.txt in the above example), you'll see that Icacls stores relative paths. Underneath each relative path is the permission set for that folder in Security Descriptor Definition Language (SDDL) format.


Had I specified D:\Data in the command to restore the permissions, it would have failed looking for a D:\Data\Data folder:

D:\>icacls d:\data /restore perms.txt
d:\data\data: The system cannot find the file specified.
Successfully processed 0 files; Failed processing 1 files

You might think specifying D:\ as the target in the restore command may somehow mess up the permissions on other folders at that level, but as you can see from the ntfsperms.txt output file, it only has information about the Data folder and sub folders, so that is all it will change.
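As an added example (not from the original post), the function below reads an icacls /save file and shows, for a proposed restore root, which entries would actually resolve on disk. The function name and the sample tree under $env:TEMP are constructed for the demo; the SDDL strings are illustrative, not captured from a real export.

```powershell
# Added example: list the relative paths in an icacls /save file and check
# where each would land under a given restore root before running /restore.
function Test-IcaclsRestoreRoot {
    param(
        [Parameter(Mandatory)] [string] $SaveFile,    # file written by icacls /save
        [Parameter(Mandatory)] [string] $RestoreRoot  # folder you intend to pass to /restore
    )
    # icacls writes the save file as UTF-16 (Unicode). Entries alternate:
    # one path line, then one SDDL line. Paths are relative to the restore root.
    $lines = Get-Content -Path $SaveFile -Encoding Unicode | Where-Object { $_ -ne '' }
    for ($i = 0; $i + 1 -lt $lines.Count; $i += 2) {
        $relative = $lines[$i]
        $sddl     = $lines[$i + 1]
        $target   = Join-Path -Path $RestoreRoot -ChildPath $relative
        [pscustomobject]@{
            RelativePath  = $relative
            RestoreTarget = $target
            Exists        = Test-Path -LiteralPath $target   # False means /restore will fail here
            AceCount      = ([regex]::Matches($sddl, '\(')).Count  # number of ACEs in the SDDL
        }
    }
}

# Constructed sample: a root holding Data\Reports and a save file shaped like
# the output of "icacls <root>\Data /save ... /t" (illustrative SDDL).
$root = Join-Path $env:TEMP 'icacls-demo'
New-Item -ItemType Directory -Path (Join-Path $root 'Data\Reports') -Force | Out-Null
$save = Join-Path $env:TEMP 'ntfsperms.txt'
@(
    'Data',         'D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)'
    'Data\Reports', 'D:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)'
) | Set-Content -Path $save -Encoding Unicode

# Restoring at the root resolves every entry; restoring at <root>\Data does not,
# because icacls would look for <root>\Data\Data, as described above.
Test-IcaclsRestoreRoot -SaveFile $save -RestoreRoot $root                    | Format-Table
Test-IcaclsRestoreRoot -SaveFile $save -RestoreRoot (Join-Path $root 'Data') | Format-Table
```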

How to display and configure admin for the file resource manager

Configures the e-mail notification options used by File Server Resource Manager and the Dirquota, Filescrn, and Storrept commands. If used without parameters, the dirquota admin options command displays the values of the options that are currently configured.

    • To display currently configured administrative options, type:

      dirquota admin options

    • To configure the default From address and administrative recipients for e-mail notifications and storage reports, type:

      dirquota admin options /From:<from-address> /AdminEmails:<address1>;<address2>

    • To specify that e-mail notifications that are raised for repeatedly exceeding a quota or detecting an unauthorized file is to be sent only once every two hours, type:

      dirquota admin options /runlimitinterval:m,120


Add or Update a User Picture to the Active directory

This is a quick article to show how easy it is to update an Active Directory user account with a photo of the user.

The Active Directory thumbnailPhoto attribute is used by several applications to display a picture for the user account. Microsoft Outlook is one such application: it uses this attribute to display the picture of the people you send e-mail to and receive e-mail from (within an Active Directory domain).


Now, for the fun bit! Let’s assume we have user John, and we have saved John’s photo to C:\photos\John.jpg

In two lines of code, we can update John’s photo.

Get the photo with the Get-Content PowerShell cmdlet, using the encoding type Byte, and store it as a byte array in the $photo variable. Then update Active Directory with the Set-ADUser cmdlet, passing the byte array ($photo) to the thumbnailPhoto attribute.

$photo = [byte[]](Get-Content "C:\photos\John.jpg" -Encoding Byte)
Set-ADUser John -Replace @{thumbnailPhoto=$photo}

To shorten this to one line of code, we could write it as:

Set-ADUser John -Replace @{thumbnailPhoto=([byte[]](Get-Content "C:\photos\John.jpg" -Encoding byte))}
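The same update wrapped in a function with the checks an administrator would want before and after the write, as an added example that is not part of the original post. The function name is hypothetical; it assumes Windows PowerShell 5.1 with the ActiveDirectory module, and the 100 KB ceiling is an assumption to adjust for your environment.

```powershell
# Added example: set thumbnailPhoto with input checks, then read the attribute
# back from AD to confirm what was actually stored.
function Set-UserThumbnailPhoto {
    param(
        [Parameter(Mandatory)] [string] $Identity,  # sAMAccountName, e.g. John
        [Parameter(Mandatory)] [string] $Path,      # JPEG file on disk
        [int] $MaxBytes = 100KB                     # assumed ceiling; tune for your environment
    )
    # -ReadCount 0 returns the whole file as one byte array instead of streaming bytes.
    $bytes = [byte[]](Get-Content -Path $Path -Encoding Byte -ReadCount 0)

    # A JPEG file starts with the SOI marker FF D8 FF; refuse anything else so a
    # stray or renamed file never ends up in the directory.
    if ($bytes.Length -lt 3 -or $bytes[0] -ne 0xFF -or $bytes[1] -ne 0xD8 -or $bytes[2] -ne 0xFF) {
        throw "$Path does not look like a JPEG file."
    }
    if ($bytes.Length -gt $MaxBytes) {
        throw "$Path is $($bytes.Length) bytes, above the $MaxBytes byte limit."
    }

    Set-ADUser -Identity $Identity -Replace @{ thumbnailPhoto = $bytes }

    # Read the attribute back and compare hashes rather than trusting the write.
    $stored = (Get-ADUser -Identity $Identity -Properties thumbnailPhoto).thumbnailPhoto
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $wantHash = [Convert]::ToBase64String($sha.ComputeHash($bytes))
    $haveHash = if ($stored) { [Convert]::ToBase64String($sha.ComputeHash([byte[]]$stored)) } else { '' }

    [pscustomobject]@{
        Identity = $Identity
        Bytes    = $bytes.Length
        Verified = ($wantHash -eq $haveHash)
    }
}

# Usage: same user and file as in the post above.
Set-UserThumbnailPhoto -Identity John -Path 'C:\photos\John.jpg'
```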

Now the Photo of John will appear in Outlook and Lync as below:

1- Outlook


2- Lync


Change the UPN Suffix (User Principal Name) for Users on a Domain Controller

Below is a PS1 script to modify the UPN suffix for the users inside an OU.

# Replace with the old suffix
$oldSuffix = 'Existing UPN Domain name'

# Replace with the new suffix
$newSuffix = 'New UPN Domain name'

# Replace with the OU you want to change suffixes for
$ou = "LDAP Path of the OU that contain the users"

# Replace with the name of your AD server
$server = "Domain Controller name"

# Rewrite the UPN of every user under the OU, replacing the old suffix with the new one
Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    $_ | Set-ADUser -Server $server -UserPrincipalName $newUpn
}

Some DNS name queries are unsuccessful after you deploy a Windows Server 2008 R2-based DNS server

After you deploy a Windows Server 2003 or Windows Server 2008 R2-based DNS server, DNS queries to some domains may not be resolved successfully.

This issue occurs because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2003 DNS.
EDNS0 permits the use of larger User Datagram Protocol (UDP) packet sizes. However, some firewall programs may not permit UDP packets that are larger than 512 bytes. As a result, these DNS packets may be blocked by the firewall.

To work around this issue, turn off the EDNS0 feature on Windows Server 2003 and Windows Server 2008 R2 DNS servers. To do this, follow these steps.

For Windows Server 2008 R2

  • DNSCMD is installed by default on Windows Server 2008 R2 DNS servers. At a command prompt, type the following command, and then press ENTER:

    dnscmd /config /enableednsprobes 0

    Note: type a 0 (zero) and not the letter "O" after "enableednsprobes" in this command.
