Pacific Computer Wizards - Repository ....

An information repository of … thoughts, data, sharing, and ideas, posted.
– Use the information in these posts at your own risk.
The ideas, thoughts, and expressions posted here are for my own use.
-President & Chief Wizard

Google takes on Active Directory

posted Jan 17, 2020, 6:19 AM by Andrew Chadick   [ updated Feb 18, 2020, 7:06 AM ]

Manage Windows 10 devices through the G Suite Admin console

Posted: 16 Jan 2020 01:45 PM PST

What’s changing 

We’re enabling enhanced desktop security for Windows with a new beta. This will allow you to manage and secure Windows 10 devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices today. It will also enable SSO so users can more easily access G Suite and other SSO-enabled applications on Windows 10 devices.

With these new controls G Suite admins can:

  • Enable their organization to use existing G Suite account credentials to log in to Windows 10 devices, and easily access apps and services with SSO 
  • Protect user accounts with anti-phishing, anti-hijacking, and suspicious login detection technologies 
  • Ensure that all Windows 10 devices used to access G Suite are updated, secure, and within compliance 
  • Perform admin actions, such as wiping a device and pushing device configuration updates, to Windows 10 devices from the cloud without specific network requirements

Sign up for the Beta on this:

Manually Download Latest Win 10

posted Dec 12, 2019, 12:42 PM by Andrew Chadick

Windows Update (via PowerShell command line)

posted Dec 3, 2019, 6:53 AM by Andrew Chadick   [ updated Dec 3, 2019, 6:59 AM ]

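# Run in an elevated PowerShell session; installs the module from the PowerShell Gallery
Install-Module PSWindowsUpdate
# Allow the module's scripts to load (RemoteSigned is a narrower policy that also permits this)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
Import-Module PSWindowsUpdate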

usoclient.exe /StartScan, /StartDownload, /StartInstall
StartDownload          (Download updates)
StartInstall           (Install updates)
RefreshSettings        (Refresh settings if any changes were made)
StartInteractiveScan   (Open a dialog and start scanning for updates)
RestartDevice          (Restart computer to finish installing updates)
ScanInstallWait        (Scan, download, and install updates)
ResumeUpdate           (Resume installing updates on next boot)

Thanksgiving - Turkey

posted Nov 12, 2019, 11:02 AM by Andrew Chadick   [ updated Nov 30, 2019, 6:19 PM ]

Read through, don't follow like a traditional recipe -

Prep - 24 hours before - Start the Brine process. 

I generally go for a 20-ish pound bird or larger... 26 is my target size - make sure it's completely prepped, neck removed, organs removed (save these for gravy). Make sure feathers are completely removed. 
You need to make this an all day project, you are going to be at the stove on and off for roughly 7 hours. Give yourself time, and when the bird comes out of the oven, let it rest for half an hour at least before carving it.

Day of, remove from Brine, rinse bird thoroughly inside and out.  

Peel a bag of baking potatoes, and halve them at an angle. Place in a butter-greased turkey pan, lining the bottom of the pan. Then drizzle olive oil lightly over the tops of the raw peeled potatoes.

Make your stuffing - I do mine completely by sight and texture.   Bread crumbs, chicken broth, celery, carrots, onion, mushrooms, sausage, and green apple.
The Stuffing is made of dried bread crumbs, about 8 ounces of chicken broth (added to lightly moisten the bread crumbs -not to soak them wet). In a pan, place the sliced mushrooms, peeled and diced onion and saute with diced celery and shredded carrots until onion is translucent, add the cooked and crumbled seasoned and savory game sausage, and then the peeled and diced green apple.  Combine in a large bowl.  
When stuffing the bird, pack the stuffing in tightly at first and then looser as you approach the opening, you want the top to look loose and fluffy.  If there is leftover stuffing, put in a glass Pyrex dish to cook separately, or another day.
Note about sausage, make sure it's a flavor you like before using it in stuffing.  The complex flavor of the sausage will color the stuffing.  This stuffing is a meal unto itself.

Take the turkey and completely heavy dust coat the bird with bread flour while it's still damp from its rinse.  
(Flour should be adhered thoroughly on all surfaces.)

Stuff the bird, both cavities.  You can use toothpicks to hold the neck flap in place while rotating the bird if needed.
Place bird on top of the roasting pan lined with potatoes. (potatoes are there to lift the bird off the bottom, and give roasted goodness to serve with the bird).
Salt and Pepper the top outside of the bird, making sure to get the breast, legs, and wings with dry seasoning ingredients. 

Pre-heat the oven to 425 degrees. Place bird in the oven, uncovered for 35 minutes at 425.

At 35 minutes lower the temperature to 325 and cover with a loose sheet of foil.
At every hour mark from here on in, baste.  Cook until internal temperature of bird reaches at least 165 degrees but no more than 170.
Should look something like this when ready.

For the turkey gravy, I put the neck and internal organs into a saucepan with 4 cups of water. I put the burner on roughly medium-ish, and just let it simmer along for the course of the day while the bird is cooking. I add water as needed to keep it at that 4 cup level, trying to keep it about the same because of evaporation. Prior to pulling the bird out of the oven (you can get a feel for that as you check the temperature), turn the burner up to high and bring the water to a boil. Scoop out the organs and turkey neck, and if you don't want to consume them, just toss them away. Add 1/2 cup of butter. Add a little flour and cornstarch (about equal parts, 2 tablespoons of each) to the boiling water and whisk until thick, turn to medium and keep stirring slowly for about 15 minutes, then turn to lowest setting and keep warm until ready to serve. Note: do not use the drippings from the turkey pan, they will be too salty.

Cranberry sauce - 
1/2 cup fresh squeezed orange juice
1/2 cup water
1 cup sugar
12 ounces of fresh cranberries
Zest of the orange, somewhere in the line of 2 teaspoons worth
and a pinch of kosher salt

Bring the orange juice, water, cranberries, and sugar to a boil in a saucepan, stir until the sugar is fully absorbed and the cranberries are mush.  Turn the temperature to low and add the rest of the ingredients, zest of the orange and a pinch of salt.  Let cook for about 20 minutes more, then turn off burner and let it cool.  

Waldorf Salad -
6 Tbsp mayonnaise 
1 Tbsp lemon juice
1/3 cup of flaked Parmesan cheese
1/2 teaspoon salt
1 tablespoon honey
fresh ground black pepper 1/2 teaspoon
2 honey crisp apples, peeled, cored and chopped
1 cup red seedless grapes, sliced in half 
1/4 cup of raisins
1 cup celery, thinly sliced
1 cup chopped, lightly toasted walnuts
Romaine hearts Lettuce - chopped
Combine in a large bowl and toss together.

BBQ Sauce that Bites back!

posted Nov 12, 2019, 9:19 AM by Andrew Chadick   [ updated Nov 12, 2019, 9:31 AM ]

¼ cup ketchup
¼ hoisin sauce
2 Tablespoons lemon juice
2 Tablespoons sugar
2 cloves garlic, minced
1 Tablespoon Sriracha, Tabasco, or Louisiana hot sauce (At least this amount,... to taste.)
1 teaspoon habanero chile hot sauce
¼ teaspoon ground cinnamon
¼ teaspoon ground allspice.

-Credit to Alyssa B. for this brilliant creation.

Newest Build - Version 1903 - breaking the Start Menu

posted Oct 25, 2019, 6:31 AM by Andrew Chadick   [ updated Jan 7, 2020, 6:29 AM ]

Once again, Microsoft released an update that broke the start menu.  It's the same deal as my 2016 posts on this topic. At least the fix is pretty straightforward, and not difficult to do.  It's just time consuming and a pain if you have lots of workstations that all applied this update.

Log in with your admin profile, delete the C:\Users folder for the profile, and also delete the corresponding registry entry under profiles. Then log back in as the user having the Start menu issue. The profile rebuilds/reloads, and the Start menu works once again. Then you just need to recreate the app shortcuts. Details below.

On Active Directory, log in as the domain admin, go to C:\Users and delete the account folder. Then open regedit and delete the corresponding registry key for the profile. Go here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Look on the right side window pane of regedit, and find the profile name by clicking through the list; it is most likely the bottom one. Right click, delete.

Then reboot. Log in as that user, and the profile will reload/rebuild. The Start menu will work once again. However, the apps themselves may need to have their links recreated. Pause here, and wait and see. If you have your apps back, there is no need to continue. If you find that you don't have your office suite or other apps restored, continue on.

Open PowerShell, run as admin, then copy paste this: (then press enter)
Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Once running, this PowerShell command will rebuild the Start menu list of apps. Once it completes, restart the computer one last time, and log back in. Everything will be back up and working.

Or, you could skip all of this and simply roll back to a previous version ... but where's the fun in that?


DHS Binding Operational Directive 18-01 (BOD 18-01)

posted Jun 7, 2019, 2:50 PM by Andrew Chadick   [ updated Jun 12, 2019, 11:53 AM ]

If you are seeing a lot of attempts coming in where phishing emails look exactly like internal emails and are getting through your spam filters, there are some things you can do to mitigate your risks. 

I have seen such emails come through recently which I could barely tell weren't from our own domain, with no evidence of spoofing except minor character changes in source, which has prompted me to increase the mail server's SPF, DKIM, and DMARC record settings to make it as close to impossible to impersonate a user on the server as is possible without someone literally hacking one of our accounts.
If you are interested, this tool will check your email settings for you and tell you what you need to do: to increase security. Run the DKIM test tool, and send an email to the randomized address it gives you. After you click send, just wait until the server receives the email and it will diagnose your settings and tell you what's what with them. It will even run a spam check. 

After you have done that, you can check all your changes with this site: to verify compliance with the current standards. It's basically a dashboard view of your settings.
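
The following added example (not part of the original post, and not one of the tools it mentions) reads SPF and DMARC TXT records and lists where they stop short of rejecting spoofed mail for your own domain. The records and the example.com / example.net names are constructed; the DMARC record is the TXT value published at _dmarc.<your domain>.

```python
import re


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism ('+', '-', '~', '?'),
    or None when the record has no 'all' mechanism."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare "all" means "+all"
    return None


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def review(domain_txt, dmarc_txt):
    """domain_txt: TXT strings at the domain; dmarc_txt: TXT strings at _dmarc.
    Returns a list of gaps; an empty list means both records are strict."""
    gaps = []

    spf = [r for r in domain_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        gaps.append(f"spf: need exactly one v=spf1 record, found {len(spf)}")
    else:
        q = spf_all_qualifier(spf[0])
        if q is None:
            gaps.append("spf: no 'all' mechanism, unlisted senders are not rejected")
        elif q != "-":
            gaps.append(f"spf: '{q}all' does not hard-fail unlisted senders")

    dmarc = [r for r in dmarc_txt if parse_dmarc(r).get("v") == "DMARC1"]
    if len(dmarc) != 1:
        gaps.append(f"dmarc: need exactly one v=DMARC1 record, found {len(dmarc)}")
        return gaps
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "quarantine":
        gaps.append("dmarc: p=quarantine sends failures to spam instead of rejecting")
    elif policy != "reject":
        gaps.append(f"dmarc: p={policy or '(missing)'} only monitors, spoofed mail is still delivered")
    pct = tags.get("pct", "100")       # pct defaults to 100 when absent
    if pct.isdigit() and int(pct) < 100:
        gaps.append(f"dmarc: pct={pct} applies the policy to only part of the mail")
    sp = tags.get("sp", policy).lower()  # sp defaults to the value of p
    if policy == "reject" and sp != "reject":
        gaps.append(f"dmarc: sp={sp} leaves subdomains weaker than the main domain")
    return gaps


# Constructed sample records (not taken from a real domain).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_SPF = "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print("before:", review([WEAK_SPF], [WEAK_DMARC]))
    print("after: ", review([STRICT_SPF], [STRICT_DMARC]))
```
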

If you need assistance creating a DMARC record, this tool works great:

Salesforce DKIM Security on Emails - CNAME

posted Jun 5, 2019, 1:19 PM by Andrew Chadick   [ updated Jun 5, 2019, 3:37 PM ]

If you find that your Salesforce emails are going to spam when they were working fine before- it's because of tightening security measures on the backend.  In order to rectify the situation, you will need to create a new DKIM Key in Salesforce.  Go to the Setup area in Salesforce, and search for DKIM.  It will pop up straight away.

One of the things that is very confusing when creating the key is that what you are given is NOT a DKIM key; instead, you are given a pair of CNAMEs.

It took quite a bit of time to figure out what was needed as there is really no explanation given, but the bottom line is you need to go into your domain registrar, create 2 CNAME Txt Records, and insert the data you are given. What Salesforce does is create secure records on their backend, which they don't share with you; you are simply setting up a CNAME which points to that location, and their servers will handle the rest.

Example of what you are given when creating the keys:
Alternate CNAME Record IN CNAME

The way this looks in your registrar might be different, but for me, it looks like this:

Alias                     TTL     Refers to Host Name     Other Host
______________________    ____    ____________________    __________
specialkey1._domainkey    3600
specialkey2._domainkey    3600

The important thing here is to make sure that you have your "Alias" without your domain name added to it, as Salesforce does on the detail view of the supposed DKIM record results that they give you. You have to copy paste the right parts over to your TXT record fields in the registrar. 

Once you have saved the CNAMEs to your registrar, it takes about 30 minutes for the changes to take place. Once you have waited the 30 minutes, go back to the location where you created the DKIM key in Salesforce, and click the button that says "Activate".  

Once activated, the check box next to your key will be ticked, and your emails will now be fixed and flowing back to your inbox instead of spam.  You can test this by running the Test Deliverability (Emails from Salesforce or Email Relay Only) option in the control panel, type your email in, and a series of 16 emails will go out, and they should come to your inbox instead of spam.  If they don't immediately go to the inbox, just wait another 30 minutes.  It will work.

Note to Salesforce: (These links aren't helpful), you need to spell out what is happening.

SSH Server CBC Mode Ciphers - SSH Weak Algorithms

posted Jun 3, 2019, 8:32 AM by Andrew Chadick   [ updated Jun 3, 2019, 10:03 AM ]

You may have had a security scan of your web server that reported weak algorithms in your SSH configuration, specifically "Cipher Block Chaining" (CBC) mode ciphers - see Wikipedia for details.

  1. SSH Server CBC Mode Ciphers Enabled
  2. SSH Weak MAC Algorithms Enabled

The default /etc/ssh/sshd_config file may contain lines similar to the ones below:

# default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
# aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
# aes256-cbc,arcfour
# default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

To disable CBC mode ciphers and weak MAC algorithms, open the file:

nano /etc/ssh/sshd_config

and add the following lines:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,hmac-ripemd160

Restart after you have made these changes.
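
To confirm the edit before the next scan, the added example below (not code from the original post) reads the text of an sshd_config and reports what the two findings above are about: CBC-mode ciphers, and MACs that are MD5-based or truncated to 96 bits. The matching rules and the sample configurations are assumptions constructed for the example; it also reports a keyword that is left unset, a relative (+/-/^) list, and an empty entry in a list.

```python
import re

# Matching rules assumed for this example, taken from the two findings above.
WEAK_CIPHER = re.compile(r"-cbc", re.IGNORECASE)   # any CBC-mode cipher
WEAK_MAC = re.compile(r"md5|-96", re.IGNORECASE)   # MD5-based or 96-bit truncated MACs


def effective_value(config_text, keyword):
    """Return the raw value sshd would use for keyword, or None if it is unset.

    Lines starting with '#' are comments, keywords are case-insensitive,
    and the first occurrence of a keyword wins.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


def audit(config_text):
    """Return (keyword, status, detail) tuples; an empty list means no finding."""
    findings = []
    for keyword, weak in (("Ciphers", WEAK_CIPHER), ("MACs", WEAK_MAC)):
        value = effective_value(config_text, keyword)
        if value is None:
            # Nothing overrides the compiled-in default list.
            findings.append((keyword, "unset", "built-in defaults apply"))
            continue
        if value[0] in "+-^":
            # Relative syntax edits the default list, so the file alone
            # does not say what ends up enabled.
            findings.append((keyword, "relative", value))
            continue
        for name in value.split(","):
            name = name.strip()
            if not name:
                findings.append((keyword, "malformed", "empty entry in list"))
            elif weak.search(name):
                findings.append((keyword, "weak", name))
    return findings


# Constructed sample inputs (not taken from a real host).
COMMENTED_ONLY = """\
# default is aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
"""
STILL_WEAK = """\
Ciphers aes128-ctr,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,,hmac-sha1-96
macs hmac-sha1
"""
# The Ciphers and MACs values recommended above.
HARDENED = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,hmac-ripemd160
"""

if __name__ == "__main__":
    for label, text in (("commented only", COMMENTED_ONLY),
                        ("still weak", STILL_WEAK),
                        ("hardened", HARDENED)):
        print(label, audit(text) or "no CBC ciphers or weak MACs")
```

On a live host, `sshd -T` prints the effective configuration, which is the authoritative view when a keyword is unset or uses a relative list.
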

Talking about Securing your PC and Cyber Security

posted May 15, 2019, 2:22 PM by Andrew Chadick

Talking about computer and cyber security, so you can be safe on and offline-

You go to your favorite electronics store, buy a PC, and take it home. You boot the new machine up, it asks you your name, a user-name, you create a password, and then the Operating System puts you on a desktop and you are off and running right?

No, you should stop right here. This is a bad setup. You do not want to run your computer as an administrator. Your first step is to go in to the control panel and create a new user account, make it an administrator, set it up with a long and complex password, then login to that new administrator profile. While in that login, change your first login which is the one with your name to a "user" profile type. Remove administrator level permissions.

Why? You simply do not need administrator rights on your computer in order to use it day to day. When you have a machine setup with the primary login having an administrator level privilege, that is where the problems will start. You want to make sure that your daily use profile is something that doesn't have the ability to modify the basic operation of the computer. You reserve that functionality for the admin account. This is true for home and business users.

Reasoning: If an application is executed, and you have 'user' configured as the security profile, the application just runs and you use the tool as intended. If however you try to install an application with 'user' as the security profile, you will be prompted to enter an administrator password. The install won't happen without it. This behavior is what you should want to happen, as this is the best way to have your system configured.

The best practice is a user profile for daily use and a separate administrator profile that you only use to install intended applications.

Don't use the administrator profile for any daily activities; it's just there to install or uninstall applications. You want your day to day profile to be one that doesn't have the privilege of installing a program. I can't emphasize this point enough.

The biggest reason? What if you accidentally go to a server on-line that tries to run a virus or malware against your machine? If you are running as admin, it can just install, without you doing anything further than accidentally running it... if however you are running as a user account and it tries to install, a prompt will happen, and at this point you will KNOW that something is trying to install, and you can click Cancel. You want this behavior from your computer. You want the machine to question every install. You do not want a program to just install without you being aware.

Again, this is true whether you have a network of employees or a single computer with just one person using it: a home machine, work machine, laptop, etc. The separate user and administrator setup is the ideal and the best practice. This form of configuration is known as "Least Privilege".

If you don't give an application the permission to install, and you have made sure that everything within your power is up to date (software, drivers, firmware), and there are no known holes in your security, you have the best chance of keeping your machine secure.

Least privilege is your friend.

Passwords? That's not really a question; they are still needed. Not only needed, but they need to be both good and memorable, while at the same time being something that cannot be guessed or surmised by looking at breach data, and your past passwords - it's a balance.


You must have a complex (letters, numbers, symbols) and lengthy set of words that make up your 'password', and it should be at least 16 characters, but ideally somewhere near 30.

-- You know, telling people this part has never been the highlight of any IT admin's day.

No user wants to hear about having a complex and very long password to remember, let alone typing it in every day, multiple times a day.

It's frankly a pain: you type it, you miss a key or mistype it, it comes back wrong, and you have to redo it all over again. And to compound matters, you have to have a DIFFERENT long complex password for every computer, every profile, every website. But it's necessary, not optional. You just have to do it. There is a technique that is known as a pass-phrase: using several words to make up a single password. It's a very good technique, but I will take that idea a step further; think of creating an email address, but using random words, combined with numbers, using caps and lowercase to create the address.

Something like "General 4 Good @ Internet [dot] com." This password/phrase is pretty easy to remember, it's 25 characters, and it is complex. If you made passwords like this, a simple brute force script would take a very long time to complete.

Passwords protect your devices on the front end. And while using techniques like a pass-phrase are really good, you should take password security a step further with your devices, with your websites, with everything you do if it's an option... Enable "2 factor" or Multi Factor protection. You will still enter a user-name and password, but you will also enter a third piece of data, generally a piece of data that comes from your phone.

This kind of password protection is ideal under the current best practices.

The next thing for you to keep in mind, is making sure your devices are updated.

Patch all of them. Every time you see a notification that there is a patch, plan to apply it that night before you go to bed; tell the machine to update.

It doesn't have to take up your day, just get it done when you aren't using it actively.

This is true for your phones as well. Make sure to update them and patch the installed applications too. Remember that any tool you use that is classified as a computer has the ability to be hacked. You want to create a situation for yourself where you have the least opportunity to be attacked by someone that wants to do you harm. Remember that the people out there who hack others generally aren't doing it because they know you or care about you; they just want your data. Don't make it easy for them to get it.

This brings me to looking closely at what is installed on your machine, and what is receiving updates, or as the case may be, not receiving them. Take a look at what is installed on your machine. Do you need all the applications that are installed? Especially pay attention to Java and Flash Player. Do you need those? My suggestion is to remove them both and see if you can live without them. Both of them are historically the most exploited applications you can have installed on your machine. If you use the Chrome web browser, you don't need either of them; Chrome will give you a simulation of both services without having them installed. As for the rest of the applications, do you see any bloat-ware? Do you need them there? If not, remove them. Anything on your computer that isn't of use to you has a potential for being a future exploit, either because it has a security hole in it now, or it will have a discovered one in the future, especially if it's an application that doesn't receive any/many updates. Remove what you don't use or need. It's just a good rule of thumb.

Zero Days and hacking: Your computer is a machine that has a few functions, and those include doing a few local tasks, but, most likely, its biggest role is to connect you to the Internet. Aside from anything else it does for you locally, like saving photos or doing a few Word docs or spreadsheets, most people tend to spend the bulk of their time on-line. Because it connects to the Internet, your devices are vulnerable when connected. You can minimize your vulnerability by updating your operating system, updating and patching your applications, and reducing the number of unused or unneeded applications on it. So what else can you do? You can protect it with tools that scan your drives, ports, and applications. Block unwanted connections through a software configured firewall. That protection can also come from rudimentary protection programs like Anti-Virus and Anti-Malware. However, I would add something to that list of tools, something that goes a step beyond and scans not only your applications, what is downloaded, and that which runs actively in memory, but also looks at your Internet traffic, does advanced heuristics on it, and watches where domains are pointed. Something that blocks domains that have a negative history, are known for being parked, or have an un-trusted status. You want something that looks at the current configuration of your machine and watches for changes, and can revert back if there is a problem or unexpected change.

Look to such additional protection systems that scan your DNS, look at packet filtration, and do active monitoring of network traffic. Although all of these functions do slow the operation of your machine down a little, the added protections are worth it on a machine you care about keeping from being hacked. Make sure that whatever tools you implement have decent reporting, and a way to notify you of what they do, and what they are doing or have logged.

Next up - Zero Days. So, to define: a Zero Day is simply an exploit or program that has been written and has not been used in such a way as to have been documented. It means that if it's used against your machine, your machine will likely succumb to whatever it is written to do. As mentioned elsewhere, ‘least privilege’ and other protections can help mitigate this, but you will still need to be watchful, and be aware of what traffic is going in and out of your machine; review those reports, look at your log files. If you don't know how to do so, look it up; Google, Bing, DuckDuckGo and others are your friend. And, what if you go somewhere and you think you have gone too far, that your machine has possibly been exposed, and is running a virus… what do you do? RESTORE from BACKUP. Just do it. Don’t take chances. Don’t just reboot and hope it will go away.

What else can you do to protect your machine? What about protecting it while it's turned off? Did you know that your machine can be compromised while it's off? Actually yes it can; someone with a little bit of expertise, time, and your computer can do what's called an ‘image of the drive’. In essence, they take an external hard drive, plug it in to your computer, and boot off of either a thumb drive or a CD/DVD into an Operating System designed to copy your hard drive in digital form from you. The process quite literally copies every piece of data from your current drive to the portable drive they brought with them. This system can be as compact as 2 thumb drives, or SIM card sized memory chips, depending on the type of storage being used. Taking an image means the hacker can take their time in getting in, and work on it at their leisure.

When your machine is turned off, and you get back to turn it back on, you will have no way of knowing if your computer has been touched, as there will be no log files changed. Your OS will not have run. Your drive and its data will simply be copied.

So, what can you do in this ‘imaged drive’ scenario? You prepare for it in advance. You encrypt your hard drive. Disk encryption is something that has been around for actually quite a while. I would say going back to the early 1990s on the desktop but getting traction before 2010. There have been many programs written to encrypt drives, or create special containers that take up a portion of your hard drive space, and create an encrypted file. Using both of these methods together is the ideal way of protecting yourself and any data you hold as being very important, as reversing two sets of encryption is a daunting task to any thief. This is true for your smart-phone as well. If disk encryption is available, use it, and create a strong password that protects it.

Lastly, the final thing you can do to protect your privacy and yourself on-line is to be as anonymous as you can possibly be while connected to the Internet.

You can do this in a number of ways, and it does take a little time, has varying levels of anonymity, it can take diligence to make sure it’s still protecting you, and includes just simply being careful and observant. One of the best and most easily used ways is to engage with a Virtual Private Network (VPN) service.

If you go this route, I recommend that you use a paid one; that way you have an expectation of getting what you pay for out of the service, and you get certain guarantees. You can use search engines like DuckDuckGo so your searches aren't tracked. You can make sure that you don't sign in to any websites while you surf the Internet. Remember to clear your cache, cookies, and temp files every time, or set your browser to automatically clear them for you.

VPN tunnels, to a point, protect your Internet connection’s packets from being sniffed, which is a technique that many hackers utilize to monitor network traffic and obtain your user-names and passwords when being transmitted on-line. Some hackers can even do man-in-the-middle attacks, which are a way of intercepting your Internet traffic and running it through their computer so that they can get your data. This works even on SSL traffic to different websites providing that you go directly to the site once connected. The VPN tunnel creates an encrypted pathway from your connection to outside of the network you are in, and effectively places your computer into a network on the other side of the world, limiting your exposure to certain forms of hacking. It’s definitely a means to protect your machine on-line when you are traveling, or in a network that you don’t trust.

For those that are always in untrustworthy networks: you can even go a step further, and boot off of a thumb drive or DVD to an alternate OS, which automatically uses a VPN and destroys itself when you turn off your computer. This form of privacy protection is the ultimate way of protecting yourself on-line. Why would you go this far when a VPN tunnel to a service provider offers pretty good protection? Because a temporary Operating System offers you the protection of nothing being stored on your hard drive. Nothing can be physically taken from you. You don’t have to worry about imaging, or even browser exploits that steal stored passwords. Every time you boot, you have a fresh operating system. It’s an option for those that want it.

As with all information and advice, you should take it in, research the topics given, and make your own informed decisions. Don't just take our word for it.
