Posts Tagged ‘active directory’

Change Windows 10 default lock screen image via win registry LockScreenImage key change

Tuesday, September 21st, 2021

fix-lock-screen-missing-change-option-on-windows-10-windows-registry-icon

If you do work for a corporation on a Windows machine that is part of Windows Active Directory domain or a Microsoft 365 environment and your Domain admimistrator after some of the scheduled updates. Has enforced a Windows lock screen image change.
You  might be surprised to have some annoying corporation logo picture shown as a default Lock Screen image on your computer on next reoboot. Perhaps for some people it doesn't matter but for as a person who seriously like customizations, and a valuer of
freedom having an enforced picture logo each time I press CTRL + L (To lock my computer) is really annoying.

The logical question hence was how to reverse my desired image as  a default lock screen to enkoy. Some would enjoy some relaxing picture of a Woods, Cave or whatever Natural place landscape. I personally prefer simplicity so I simply use a simple purely black
background.

To do it you'll have anyways to have some kind of superuser access to the computer. At the company I'm epmloyeed, it is possible to temporary request Administrator access this is done via a software installed on the machine. So once I request it I become
Administratof of machine for 20 minutes. In that time I do used a 'Run as Administartor' command prompt cmd.exe and inside Windows registry do the following Registry change.

The first logical thing to do is to try to manually set the picture via:
 

Settings ->  Lock Screen

But unfortunately as you can see in below screenshot, there was no way to change the LockScreen background image.

Windows-settings-lockscreen-screenshot

In Windows Registry Editor

I had to go to registry path


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\.]

And from there in create a new "String Value" key
 

"LockScreenImage"


so full registry key path should be equal to:


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization\LockScreenImage]"

The value to set is:

C:\Users\a768839\Desktop\var-stuff\background\Desired-background-picture.jpg

windows-registry-change-lock-screen-background-picture-from-registry-screenshot

If you want to set a black background picture for LockScreen like me you can download my black background picture from here.

That's all press CTRL + L  key combination and the black screen background lock screen picture will appear !

Hopefully the Domain admin, would not soon enforce some policty to update the registry keys or return your old registry database from backup if something crashs out with something strange to break just set configuration.

To test whether the setting will stay permanent after the next scheduled Windows PC update of policies enforced by the Active Directory (AD) sysadmin, run manually from CMD.EXE

C:\> gpupdate /force


The command will download latest policies from Windows Domain, try to lock the screen once again with Control + L, if the background picture is still there most likely the Picture change would stay for a long.
If you get again the corporation preset domain background instead,  you're out of luck and will have to follow the same steps every, now and then after a domani policy update.

Enjoy your new smooth LockScreen Image 🙂

 

Testing your local network for open Windows shares from Linux router

Friday, June 28th, 2013

Windows sharing testing local network for open shared directories Samba Software logo

Whether you administrate local Windows network behind a DMZ router, It is useful to routinely scan from Linux router which Windows hosts on the network has enabled sharing? The reason is some Windows user might share something by mistake which is not supposed to be shared without even he realizes this.
 

 In case, where new Linux router is configured and Windows hosts behind it can't locate each other on network make sure you have in your firewall before any filtering (REJECT / DROP) firewall rules:

iptables -A INPUT -s 192.168.5.1/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT  -s 192.168.5.1/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT  -s 192.168.5.1/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT  -s 192.168.5.1/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

iptables -A INPUT -s 0.0.0.0/24 -m state --state NEW -p tcp --dport 445 -j REJECT
iptables -A INPUT -s 0.0.0.0/24 -m state --state NEW -p tcp --dport 138 -j REJECT
iptables -A INPUT -s 0.0.0.0/24 -m state --state NEW -p tcp --dport 139 -j REJECT
iptables -A INPUT -s 0.0.0.0/24 -m state --state NEW -p tcp --dport 137 -j REJECT

(Qquickest way to place rules to exec on next boot is via /etc/rc.local)

Once set, to check all is fine with fwall rules:

router:~# iptables -L INPUT -n

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     tcp  —  192.168.5.0/24       0.0.0.0/0           state NEW tcp dpt:137
ACCEPT     tcp  —  192.168.5.0/24       0.0.0.0/0           state NEW tcp dpt:138
ACCEPT     tcp  —  192.168.5.0/24       0.0.0.0/0           state NEW tcp dpt:139
ACCEPT     tcp  —  192.168.5.0/24       0.0.0.0/0           state NEW tcp dpt:445 
REJECT tcp — 0.0.0.0/24 0.0.0.0/0 state NEW tcp dpt:445 reject-with icmp-port-unreachable
REJECT tcp — 0.0.0.0/24 0.0.0.0/0 state NEW tcp dpt:138 reject-with icmp-port-unreachable
REJECT tcp — 0.0.0.0/24 0.0.0.0/0 state NEW tcp dpt:139 reject-with icmp-port-unreachable
REJECT tcp — 0.0.0.0/24 0.0.0.0/0 state NEW tcp dpt:137 reject-with icmp-port-unreachable

On CentOS / Fedora / Redhat router place below rules in /etc/sysconfig/iptablesdefault firewall configuration file for RPM based distros:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/24 -m state --state NEW -p tcp --dport 137 -j REJECT
-A RH-Firewall-1-INPUT -s 0.0.0.0/24 -m state --state NEW -p tcp --dport 138 -j REJECT
-A RH-Firewall-1-INPUT -s 0.0.0.0/24 -m state --state NEW -p tcp --dport 139 -j REJECT
-A RH-Firewall-1-INPUT -s 0.0.0.0/24 -m state --state NEW -p tcp --dport 445 -j REJECT

After that check lets say 192.168.5.0/24 whether Windows Samba shares ports are reachable:

 To check hosts with Sharing easiest way is to scan your network C class range with nmap for all ports through which Windows Samba shares communicate – i.e. check for open state TCP / UDP port numbers 139,137,139,445 list of samba used default ports is in  /etc/services

router:~# grep netbios /etc/services

netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp

Note that Port 445 microsoft-ds is not in /etc/services because it is not common used (only used whether Windows hosts are using Active Directory)

 
router:~# nmap 192.168.5.1-255 -p 139,137,139,445

Interesting ports on 192.168.5.23:

PORT    STATE    SERVICE
137/tcp filtered netbios-ns
139/tcp open     netbios-ssn
445/tcp open     microsoft-ds
MAC Address: 00:AA:4D:2F:4D:A2 (Giga-byte Technology Co.)


Interesting ports on 192.168.5.31:

PORT    STATE    SERVICE
137/tcp filtered netbios-ns
139/tcp open     netbios-ssn
445/tcp open     microsoft-ds
MAC Address: 3C:B9:2B:76:A6:08 (Unknown)
….
…..