Disable Windows Server 2016+ Group Policy Logon Script Delay

Something that bit me in the butt back at the release of Server 2016, and I can laugh now, is the Group Policy Logon Script Delay “feature”. I lost a few hours trying to figure out why the GPO user logon scripts I had created weren’t seemingly running even though RSOP told me they were. Turns out, Server 2016 and newer implement a delay on user Group Policy scripts for performance reasons (quicker logon/user experience).

To Disable

Computer Configuration\Administrative Templates\System\Group Policy: Configure Logon Script Delay: Enabled

Set the value (integer) in minutes: 0 means no delay and the maximum is 1,000 (why? lol)

Reference: https://support.microsoft.com/en-us/help/2895815/logon-scripts-do-not-run-for-five-minutes-after-a-user-logs-on-to-a-wi

Enable Disk Performance Counters (Server 2012R2 and newer)

Disk performance counters are disabled by default in Server 2012 R2 and onward because collecting the disk metrics has a performance cost.  Only enable them when troubleshooting disk performance, and do not leave them enabled.

Enabling Disk Performance Counters

  1. Ensure Task Manager is closed.
  2. Launch the Command Prompt using the “Run as Administrator” option.
  3. Enter the following at the Command Prompt:

    diskperf -Y

  4.  Hit Enter.
  5. Close the Command Prompt.
  6. Re-open the Task Manager.

After running the diskperf command, Disk performance statistics should now be visible on the Performance tab.

Enable or Disable smb1protocol using PowerShell

Windows Server 2012 R2 & 2016: PowerShell methods

SMB v1
Detect: Get-WindowsFeature FS-SMB1
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

SMB v2/v3
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

Windows 8.1 and Windows 10: PowerShell methods

SMB v1 Protocol
Detect: Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Disable: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Enable: Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

SMB v2/v3 Protocol
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

Windows 8 and Windows Server 2012

SMB v1 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB1Protocol
Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB1Protocol $true

SMB v2/v3 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

Source: https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
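The detection commands above differ by Windows version, so an audit across mixed hosts has to pick the one that exists locally. The following is an added example, not part of the original post or of the Microsoft article: it tries each listed detection method and returns one object per host. The function name Get-SmbProtocolState and the output property names are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Get-SmbProtocolState is a hypothetical helper name.
function Get-SmbProtocolState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Feature  = 'n/a'   # SMB1 feature state (Server 2012 R2+ / Windows 8.1+)
        Smb1Server   = 'n/a'   # SMB server setting EnableSMB1Protocol
        Smb2Server   = 'n/a'   # SMB server setting EnableSMB2Protocol (covers v2 and v3)
    }

    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # Server SKUs: FS-SMB1 exists on 2012 R2 / 2016; absent on Server 2012.
        $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($feature) { $result.Smb1Feature = $feature.InstallState.ToString() }
    }
    elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Client SKUs (Windows 8.1 / 10): optional-feature query.
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature) { $result.Smb1Feature = $feature.State.ToString() }
    }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Available on every version listed above.
        $cfg = Get-SmbServerConfiguration
        $result.Smb1Server = $cfg.EnableSMB1Protocol
        $result.Smb2Server = $cfg.EnableSMB2Protocol
    }

    [pscustomobject]$result
}

$state = Get-SmbProtocolState
$state | Format-List

# Flag the host if either detection method still reports SMBv1 as present.
if ($state.Smb1Feature -in 'Installed', 'Enabled' -or $state.Smb1Server -eq $true) {
    Write-Warning "SMBv1 is still available on $($state.ComputerName)."
}
```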

WordPress on IIS

These are my notes for getting WordPress on IIS 10 (1809) on Windows Server 2019 Core working.  I ran into a problem with MySQL 8.0 so I reverted back to MySQL 5.6 until I can spend a little more time troubleshooting and document my experience.

[This is a running draft currently]

  1. Install and Configure: IIS 10 (1809)
    1. IIS Role
      1. Features > CGI, Dynamic Compression
    2. Configure IIS FastCGI parameters – can be done with Administration pack, but I’m running Core and did from commandline.
      1. %windir%\system32\inetsrv\appcmd set config -section:system.webServer/fastCgi /[fullPath='c:\{php_folder}\php-cgi.exe'].instanceMaxRequests:10000
      2. %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/fastCgi /+"[fullPath='C:\{php_folder}\php-cgi.exe'].environmentVariables.[name='PHP_FCGI_MAX_REQUESTS',value='10000']"
    3. GZIP (static/dynamic compression)
  2. Install and Configure: PHP 7.3
    1. Non-thread safe PHP 7.3 x64 installed to C:\PHP
    2. Needs VC15 redistributable (x64)
    3. Configure date.timezone, upload_tmp_dir, etc.
      1. Set permissions for tmp file location using icacls
        1. icacls tmppath /grant "IIS_IUSRS":(OI)(CI)F
  3. Install and Configure: MySQL Community Server 5.6.42
    1. Needs VC13 redistributable
    2. Configure bind-address in C:\ProgramData\MySQL\my.cnf
  4. Install and Configure WordPress
    1. Folder permissions required (IIS_IUSRS) using icacls
      1. icacls websiteroot /grant "IIS_IUSRS":(OI)(CI)F
    2. Download latest ZIP
      1. Tip: PowerShell Expand-Archive latest.zip works great – seemed slow, but it worked.
    3. IIS Rewrites (2.1 is required – I used x64 download)
      1. Permissions
        1. Note: example.com is the name of a website I created in IIS, so permissions use the App Pool Identity.
        2. icacls "C:\inetpub\example.com" /grant:r "IIS APPPOOL\example.com:(OI)(CI)(RX,W)" /T
        3. Some notes I need to revise:
          1. iis permissions setup
            icacls PATH /remove "UserOrGroup" /t (removes recursively)
            I use:
            icacls httproot /inheritance:d
            icacls httproot /remove "BUILTIN\Users" /t
            icacls httproot /grant "IIS APPPOOL\domain.com" (this will propagate via inheritance to httproot\*)
            icacls httproot /grant "IIS APPPOOL\domain.com:(OI)(CI)F" /t
            PS C:\inetpub\domain.com> icacls httproot
            httproot IIS APPPOOL\domain.com:(F)
            NT SERVICE\TrustedInstaller:(F)
            NT SERVICE\TrustedInstaller:(OI)(CI)(IO)(F)
            CREATOR OWNER:(OI)(CI)(IO)(F)
            create site
            authentication > anonymous authentication > edit > change to Application Pool Identity > OK
            right click on site > manage > advanced > ensure application pool is selected for correct application pool (domain.com)
            application pools > right click domain.com pool > ensure Process Model section > Identity is set to ApplicationPoolIdentity
  5. LetsEncrypt SSL
  6. benchmark
  7. Php 5.7 on old iis 7.5 (2008R2) vs new server (2019 core) with php 7.3


Error: This operation was blocked by role based access control settings or other network issue

I’m attempting to upload a file via Windows Admin Center and encountered the following error: Error: This operation was blocked by role based access control settings or other network issue.

Cursory search points to an issue with role-based access, so within Windows Admin Center dashboard, I hit the settings (bottom left) and choose Role Based Access Control.

In here, I attempt to apply Role Based Access Control (RBAC) and get the following error.

Couldn’t apply role-based access control to the computer. Error: The network path was not found.

Another cursory search leads me to think, via Windows Admin Center known issues, that it could be the Windows Defender Application Control (WDAC).  So for kludge purposes, I just decide to remove Windows Defender itself;  I’ll be utilizing a different security suite anyway whenever this makes it to production.

To remove Windows Defender completely from Server 2019 using PowerShell, I use the following command: Uninstall-WindowsFeature -Name Windows-Defender

Note:  This will require a reboot of your server.

After my server came back up, I again tried to apply Role Based Access Control and it failed with the same error.  Now I will dig in a little deeper and update this post soon with new information and hopefully a solution I’ve found.


The firewall was the culprit — disabling it, Set-NetFirewallProfile -Profile domain,public,private -Enabled false, resolved the upload error.  I have not attempted to apply RBAC yet.

Tip:  Ensure PSRemoting is enabled on the target server and that the firewall rules are added.  From an elevated PowerShell prompt:

    Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any

I also needed to allow port 445 as those two didn’t solve my issue:

    New-NetFirewallRule -DisplayName "WAC File Upload" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress <remote-address> -Profile Public,Domain,Private
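A narrower alternative to switching the firewall off or opening these ports to any address, as an added example that is not from the original post: it keeps all profiles enabled, limits the WinRM rule and a TCP 445 rule to one remote address, and then lists which inbound allow rules still expose either port. The gateway address (a documentation-range placeholder), the rule display name and both function names are assumptions.

```powershell
# Added example, not from the original post. Assumed values are marked.
$GatewayIp = '192.0.2.10'   # ASSUMPTION: address of the Windows Admin Center gateway

function Set-WacScopedFirewall {
    param([Parameter(Mandatory)][string]$RemoteAddress)

    # Keep the firewall enabled on every profile instead of disabling it.
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

    # WinRM (PSRemoting): restrict the built-in rule named in the post to the gateway.
    Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress $RemoteAddress

    # File upload over SMB: one inbound rule, TCP 445, gateway only.
    $name = 'WAC File Upload (scoped)'   # hypothetical display name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort 445 -RemoteAddress $RemoteAddress `
            -Profile Public,Domain,Private | Out-Null
    }
}

function Get-WacFirewallExposure {
    # Enabled inbound allow rules that cover TCP 445 (SMB) or 5985 (WinRM over HTTP).
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port  = $_ | Get-NetFirewallPortFilter
            $addr  = $_ | Get-NetFirewallAddressFilter
            $ports = @($port.LocalPort)
            if ($port.Protocol -eq 'TCP' -and ($ports -contains '445' -or $ports -contains '5985')) {
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    LocalPort     = $ports -join ','
                    RemoteAddress = @($addr.RemoteAddress) -join ','
                    Profile       = $_.Profile
                    OpenToAny     = (@($addr.RemoteAddress) -contains 'Any')
                }
            }
        }
}

Set-WacScopedFirewall -RemoteAddress $GatewayIp
Get-WacFirewallExposure | Format-Table -AutoSize
```

Run it from the server console or from the gateway itself; a remote session from any other address is cut off once the WinRM rule is scoped.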

The next error I get, and I’m not sure why yet, is the following AFTER uploading a file.  The file does upload and the file content is good, but I get the following notification error.

Failed to upload to C:\PHP\TEST. Error: QueryCache: Unable to refresh data; call createObservable() and fetch() first.

Cursory search shows not much info out there.  A couple of GitHub repos with the JSON file this string belongs in and some stuff for Excel / SQL linking.

When in doubt, procmon reboot.

Well, that didn’t work.  But uploads work, and I guess that’s good enough for Government work.

Ah wait.  I had a look at that error message again and it seemed “webbrowserish” (like jQuery or something) so I restarted my browser and I no longer get that error.


Windows Server 2019 Licensing Notes

Windows Server 2019 per-core licensing model requires a minimum of 8 cores per physical socket, with 16 total cores minimum licensed for a server.

Windows Server 2019 user CALs are required for every user accessing the server, directly or indirectly.