Where in the blue hell is sysprep?

Are you trying to sysprep a Windows Server 2012 R2 box but can’t find sysprep.exe? Have you dropped to an administrative command prompt, typed sysprep /… like you have done for years and years only to be spanked with a

sysprep is not recognized as an internal or external command, operable program or batch file.

Did you fear that Microsoft pulled the utility that you have used for generations? Me too, on all counts. I both Binged, and then broke down and Googled and could not find anyone who pointed out what is obvious in retrospect. The sysprep utility is now in its own subdirectory, and therefore no longer in your path.

From your admin cmd prompt, cd into C:\Windows\system32\Sysprep and you will find what you’re looking for.

Oh look, there it is! c:\windows\system32\sysprep

howto://upgrade Active Directory to 2012R2

Alternate title, DCPROMO is dead! Long live some little yellow triangle! 

It being past time for me to upgrade Active Directory at home to DCs running 2012R2, I wanted to put together this little walkthrough for others looking for a procedure doc to cover schema and perms, or maybe even where the hell dcpromo went! If you’d like a 20K foot overview of what you need to do in order to add a 2012R2 DC to your domain, here’s what you need to know.

howto://fix the hardware on the destination computer is not compatible

I’m in the middle of upgrading my Hyper-V servers at home from 2012 to 2012R2. To keep things up and running, I live migrated (shared NOTHING) the VMs from the first server to be rebuilt to the second. That worked just fine. I flattened the first server, installed 2012R2, added the Hyper-V role, and tried to move a VM back to it, only to be spanked with

howto://register the schema dll in 2012r2

As a follow up to upgrading AD to 2012R2, I wanted to transfer all the roles off the legacy DC. When I went to register the schema management.dll using regsvr32 in a run dialog box, like this…

regsvr32.exe schmmgmt.dll

I got spanked with this.


The module “schmmgmt.dll” was loaded but the call to DllRegisterServer failed with error code 0x80040201.

User Account Control (UAC) doesn’t let us do this directly from a run dialog. To do this and get it to work, you need to run this from an administrative command prompt.

Running the same command this way


gets this


and more to the point, lets you run the Active Directory Schema Management console.

howto://USE a REGEX to match everything up to the @


I use PSPAD as my default text editor. It’s been my favourite such application for years because it can do so much. Recently I was handed a CSV that contained email addresses for 25,000 users. I needed to pull out just the SMTP suffixes for some manipulation. PSPAD can do global search and replace with a REGEX and it seemed like just what I needed. The only challenge was to figure out what pattern matches everything in an email address up to and including the @ sign. Here’s the pattern I used.


That says to start at the beginning of the line, match any number of alphanumeric characters up to, and including the @. Easy.

2018-01-29 edit-since I am copying from Archive.org and am too lazy to try to recreate all the great comments, I am adding this one from my former boss, Jim Palic of ONLC, which is an even easier way to do this.

Another easy way to do that would be to use the negation operator inside the square brackets. e.g. ^([^@]+)@ Meaning match everything that is not an @.

howto://map caps lock to windows-key

I have a little no-name Bluetooth keyboard that I like to use when travelling. It has a joystick mouse with scroll, all the important keys for editing and cursor navigation, function keys, a/v keys…the only thing it’s really missing is a Windows key. CTRL+ESC is not a substitute for the Windows key, since it doesn’t work with any WIN+ shortcuts. I really wanted a Windows key. I did some digging around on the interwebz and figured out how to map the caps lock key to the Windows key.

In other words, I made this


into this!


If you want to do the same thing for some older keyboard you want to use, here’s what you need to do.

1. Launch regedit.exe.

2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout.

3. Export that key and save it as undokeyboard.reg in case you want to go back, screw something up, etc.

4. Create a text file and copy the following into it.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,5c,e0,3a,00,00,00,00,00

5. Save as WINning.reg.

6. Double click it to import the settings into your Registry.

7. Reboot.

8. (Optional) Use a silver Sharpie marker to draw in the Windows logo.

Once you reboot, the CAPS LOCK key on any and every keyboard you use will be your WIN key. Of course, that may cut down on shouting, extra emphasis, license key entries, etc…but your SHIFT key is probably a little lonely anyway. Keep that undo file just in case you find yourself really needing a CAPS LOCK key. See what I did there?
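The Scancode Map value in step 4 is a small binary table, and decoding it shows exactly which keys a machine has remapped. The following is an added example, not part of the original post; the function name ConvertFrom-ScancodeMap and the short key-name table are assumptions made for illustration.

```powershell
# Added example: decode a "Scancode Map" registry value into readable remappings.
function ConvertFrom-ScancodeMap {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # Layout: 4-byte version, 4-byte flags, 4-byte entry count (which includes
    # the null terminator), one 4-byte entry per mapping, then 4 zero bytes.
    if (($Bytes.Length -lt 16) -or (($Bytes.Length % 4) -ne 0)) {
        throw "Scancode Map is $($Bytes.Length) bytes; expected a multiple of 4, at least 16."
    }
    $count = [int][BitConverter]::ToUInt32($Bytes, 8)
    if ($Bytes.Length -ne (12 + 4 * $count)) {
        throw "Entry count $count does not match a value of $($Bytes.Length) bytes."
    }

    # A few well-known scancodes for readable output; this is not a full table.
    $names = @{ 0x0000 = 'none (key disabled)'; 0x003A = 'Caps Lock'
                0x001D = 'Left Ctrl'; 0xE05B = 'Left Windows'; 0xE05C = 'Right Windows' }
    $describe = {
        param($code)
        if ($names.ContainsKey([int]$code)) { $names[[int]$code] } else { 'unlisted' }
    }

    # The last entry is the terminator, so only count - 1 entries are mappings.
    for ($i = 0; $i -lt ($count - 1); $i++) {
        $offset  = 12 + 4 * $i
        $sends   = [BitConverter]::ToUInt16($Bytes, $offset)      # low word: code delivered
        $pressed = [BitConverter]::ToUInt16($Bytes, $offset + 2)  # high word: physical key
        [pscustomobject]@{
            PhysicalKey = '0x{0:X4} ({1})' -f $pressed, (& $describe $pressed)
            Sends       = '0x{0:X4} ({1})' -f $sends, (& $describe $sends)
        }
    }
}

# The value from the .reg file in step 4, typed out as bytes.
$fromPage = [byte[]](0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
                     0x5c,0xe0,0x3a,0x00, 0x00,0x00,0x00,0x00)
ConvertFrom-ScancodeMap $fromPage | Format-Table -AutoSize

# On a live system, read the value instead (it is absent when nothing is remapped).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
$live = (Get-ItemProperty -Path $key -Name 'Scancode Map' -ErrorAction SilentlyContinue).'Scancode Map'
if ($live) { ConvertFrom-ScancodeMap $live | Format-Table -AutoSize }
```

For the value on this page the decoder reports a single mapping: physical key 0x003A (Caps Lock) sends 0xE05C, which is the right-hand Windows key.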


howto://disable hibernation in Windows 8

2018-01-29 edit-this works just the same and as well in Windows 10!

Getting ready for my Windows 8.1 upgrade, I wanted to get some things cleaned up, and that included moving some VMs from my laptop to one of my Hyper-V servers. The Exchange server alone is about 100GB so I wanted to fire it up to delete some of the test accounts/mailboxes to trim it down to size before moving it. Unfortunately, it looks like my tendency to save everything had just about run me out of space. The VMs would not start!


Checking on things, I found myself with only a few hundred MB of free space. I started deleting ISOs and other large files that I have multiple copies of, but was only able to free up a few GB of space. My disk was still code red!


Looking for more things I could get rid of, I realized that I had a 13GB hibernation file sitting on the C: drive. Since I hate hibernation, I figured losing this would free up enough space to do what I needed to.



To disable hibernation in Windows 8, do this.

  1. Open an administrative command prompt.
  2. Enter the following command:
    powercfg /hibernate off [enter]
  3. Check to see you have more space freed up!


Yes, I am still code red. I’m a hoarder (of data, anyway.) I don’t have any specific reason why I don’t hibernate…I just don’t. I may have had a bad experience in the past that I have suppressed, or maybe I just want the disk space back. Whatever the reason, I don’t mind telling my computer to go the <bleep> to sleep. When I do, I always hear myself doing it in Samuel L. Jackson’s voice.

howto://get upns for a list of sams


I often find the need to have a list of UPNs when the only thing the customer provides me is a list of sAMAccountNames. Far too often users’ SAM and UPN don’t match, so it’s not as simple as tacking the UPN suffix onto the SAM and calling it a day. If you have a list of SAMs and you need to get UPNs, here are two ways to do it. This assumes you have admin rights in AD, and a workstation on which you also have admin rights.

Single domain

The first way works well if you have a single domain, or just need to search a single domain.

1. Install the RSAT tools if they are not already in place. You will need the AD specific pieces.

2. Create a text file with one sAMAccountName per line. Name it users.txt.

3. Launch PowerShell and cd to the folder containing users.txt

4. Import the AD Module using this command
import-module activedirectory

5. Run this command
get-content users.txt | get-aduser | ft samaccountname, userprincipalname >userslist.txt

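6. If you need to search a different domain, add -server sub.example.com to the get-aduser command to specify the domain. (When the account names are piped in as identities, get-aduser does not accept a search base, and -searchscope only takes Base, OneLevel or Subtree.)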

Entire Forest

If you want to quickly and easily search the entire forest, it’s a little more complicated.

You can do it the “low and slow” way using this. Substitute the servername for a GC in your environment, and your forest root where appropriate. This will take a LOOONGGG time to complete, but gets you there in a one liner.

$list = get-content users.txt
$list | % {write-verbose $_ -verbose; get-aduser -ldapfilter "(samaccountname=$_)" -server gc-server1:3268 -searchbase "dc=sub,dc=example,dc=com"} | select samaccountname, userprincipalname | export-csv .\upns.csv

Or if you are in a hurry and want to also use Excel, you can do this.

1. Run this command to just get EVERYBODY’s data.
get-aduser -ldapfilter "(samaccountname=*)" -server siladdc01:3268 -searchbase "dc=dir,dc=labor, dc=gov" | export-csv c:\scratch\allusers.csv

2. Import the data into Excel. Delete every column except the sAMAccountName and UPN, and delete all the header rows.

3. Create a new worksheet in Excel.

4. Import your source list into that.

5. Create the following formula in the next column of your second worksheet.


That will compare the sAMAccountNames in your source file to the full dump, and where it finds an exact match in column A, it will put in the UPN from column B.
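The same join can be done in PowerShell without Excel, which also surfaces two cases a single-value lookup hides: names that are missing from the dump, and names that exist in more than one domain of the forest (a sAMAccountName is unique only within its domain). This is an added example, not part of the original post; the inline sample data is constructed and the Status column is an assumption made for illustration.

```powershell
# Added example: join a list of sAMAccountNames against a forest-wide dump.
# Constructed sample data standing in for allusers.csv and users.txt.
$allUsers = @'
"SamAccountName","UserPrincipalName"
"jdoe","john.doe@example.com"
"asmith","alice.smith@example.com"
"jdoe","jane.doe@sub.example.com"
'@ | ConvertFrom-Csv
$wanted = 'jdoe', 'ASmith', 'nobody'

# Index the dump by sAMAccountName. A @{} hashtable compares string keys
# case-insensitively, which matches how AD treats the attribute.
$index = @{}
foreach ($u in $allUsers) {
    if (-not $index.ContainsKey($u.SamAccountName)) {
        $index[$u.SamAccountName] = [System.Collections.Generic.List[string]]::new()
    }
    $index[$u.SamAccountName].Add($u.UserPrincipalName)
}

$result = foreach ($sam in $wanted) {
    $upns   = $index[$sam]   # $null when the name is not in the dump
    $status = if ($null -eq $upns) { 'NotFound' } elseif ($upns.Count -gt 1) { 'Ambiguous' } else { 'OK' }
    [pscustomobject]@{
        SamAccountName    = $sam
        UserPrincipalName = if ($null -eq $upns) { '' } else { $upns -join ';' }
        Status            = $status
    }
}
$result | Format-Table -AutoSize

# With real files, replace the sample data with:
#   $allUsers = Import-Csv c:\scratch\allusers.csv
#   $wanted   = Get-Content users.txt
```

Rows marked Ambiguous need a domain to disambiguate them before the UPN is used for anything that changes an account.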

howto://dump a list of users with email address and upn

I needed to dump a list of all users in a forest so that I could compare their UPN to their email address. I came up with this PS command that will connect to a GC, enumerate all users in the forest, and output a CSV that lists their displayname, emailAddress, and UPN. It will skip users with a blank email address or display name, and accounts that are disabled.

The scriptlet assumes whoever runs it has administrative rights, and has the RSAT tools for AD installed on the machine they are using so the AD module exists. It doesn’t require anything else.

import-module activedirectory

get-aduser -filter {(EmailAddress -like "*") -and (DisplayName -like "*") -and (Enabled -eq "True")} -searchscope subtree -searchbase 'dc=yourdomain,dc=tld' -properties DisplayName, EmailAddress, UserPrincipalName, proxyAddresses -server yourgc.yourdomain.tld:3268 | select-object displayname, emailaddress, userprincipalname | export-csv c:\scratch\users.csv

Make sure you change the variables in italics to match your environment. Hope this helps someone out.

kerberos response codes

code message meaning
0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos
0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos
0x8 KDC_ERR_PRINCIPAL_NOT_UNIQUE: Multiple principal entries in
0xA KDC_ERR_CANNOT_POSTDATE: Ticket not eligible for postdating
0xC KDC_ERR_POLICY: KDC policy rejects request
0xD KDC_ERR_BADOPTION: KDC cannot accommodate requested option
0xE KDC_ERR_ETYPE_NOTSUPP: KDC has no support for encryption type
0xF KDC_ERR_SUMTYPE_NOSUPP: KDC has no support for checksum type
0x12 KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
0x17 KDC_ERR_KEY_EXPIRED: Password has expired change password to reset
0x19 KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication
0x1B KDC_ERR_MUST_USE_USER2USER: principal valid for user2user only
0x1C KDC_ERR_PATH_NOT_ACCEPTED: KDC Policy rejects transited
0x1D KDC_ERR_SVC_UNAVAILABLE: A service is not available
0x1F KRB_AP_ERR_BAD_INTEGRITY: Integrity check on decrypted field failed
0x20 KRB_AP_ERR_TKT_EXPIRED: Ticket expired
0x21 KRB_AP_ERR_TKT_NYV: Ticket not yet valid
0x22 KRB_AP_ERR_REPEAT: Request is a replay
0x23 KRB_AP_ERR_NOT_US: The ticket isn’t for us
0x24 KRB_AP_ERR_BADMATCH: Ticket and authenticator don’t match
0x25 KRB_AP_ERR_SKEW: Clock skew too great
0x29 KRB_AP_ERR_MODIFIED: Message stream modified
0x34 KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP, retry with TCP
0x3C KRB_ERR_GENERIC: Generic error