Windows Server 2016 RDP–You must change your password before logging on the first time

As I start to roll out Windows Server 2016 to replace Windows Server 2008 R2 RDP Servers, I’ve been encountering issues that just didn’t exist with Server 2008 R2.  Today’s issue is that by default, if a new user account is created, or if the user’s password expires, or if an admin simply checks the Active Directory “User must change password at next login” property, when the user attempts to connect via RDP instead of getting a password change prompt they instead see this error:


Title: Remote Desktop Connection

You must change your password before logging on the first time.  Please update your password or contact your system administrator or technical support.

This has the unusual effect of preventing the user from changing their password themselves, leaving the administrator with one of two undesirable options:

  • Turn off the “User must change password at next login” property.
  • Change the password to some other password yourself, and also make sure that property is not set.

In either case, the implication is that some person other than that user now knows what that user’s password.

How to solve the issue – Change the RDP Security Layer

To solve the issue, you have to edit the Session Collection, Security, Configure Security settings and then change the Security Layer setting from Auto-Negotiate to RDP Security Layer.


Once that change has been applied, remote RDP users return to being able to set a new password.

As an added bonus, this RDP Security Layer is actually more secure, and is also PCI Compliant (at least as of this writing anyway).

Facebook Copy-Paste Threads

Why are so many people falling for copy/paste bait threads lately? Copy/paste Facebook threads are the modern day equivalent of chain letters. The people who start them are doing so to see how many people that they can trick into doing it.

It is a form of social engineering, a psychological test to see what works and what doesn’t – what words and phrases can we use to evoke sufficient emotion in the reader to make them do what they were told to do? (i.e. copy/paste).

It is not hard to imagine this being done on purpose so that the data of who follows the instructions can be data-mined and correlated with which technique worked. You could be telling a data-miner which techniques will work ON YOU.

If you haven’t figured it out yet, the copy/paste threads all follow similar patterns. There are many different patterns, but the worst in my opinion are these two:

Pattern #1 – Prey on fear:

These are the messages that start with a warning or something scary that sounds true. The people who share these are concerned about their friends and probably want to protect them. These are the "add this legal notice to your profile to stop your pictures from being used in ads" ones, the "someone is spoofing profiles" ones, the "make sure you change these privacy settings or else" ones. They all say something scary and they all share in common that you must "copy/paste" the message and "Not just share it".

If you’re being told to copy/paste it then it should immediately seem suspicious to you. Take some time, research the issue, find an article in a reputable news media outlet, search the Internet to see if that phrase or keyword shows up as a known fraud or as something that has been disproven. Really want to project your friends? Stop spreading fear.

Pattern #2 – Prey on insecurities:

These are the messages that try to make you "test" who your friends are. The "did you read this whole post" ones, the "I’m trying to figure out who only likes my photos and doesn’t read my text so read this and copy/paste it to prove your friendship" ones, etc.

All you figure out when you do this are which of your friends are gullible, and depending on the content of the message, which of them you can manipulate using guilt.

This is not data that you should be sharing about yourself. This is not data that you should be asking your friends and family to share about themselves.

If you really are feeling insecure and want to know who your real friends are? Ask them to private message you or to share a story about a great moment they shared with you or of a great memory that they have of you. Better yet, reach out to them and share one of your memories.


So how do you know if something is worth copying or not? The answer is simple: if the thread ends with the phrase "copy/paste" just DON’T DO IT. If if the thread ends with instructions that "you must follow exactly" then it should be considered highly suspicious. Just like chain mail, these threads will only stop when a critical mass of people STOP DOING IT.

Stop and think about WHY the original message is asking you to copy/paste instead of sharing or adding your own original thoughts. The message is likely crafted to make it seem to your friends and family reading the message as though the thoughts expressed were yours. But by definition since you just copy/pasted it they are NOT your own original thoughts! There is a word for passing someone else’s thoughts off as if they were your own: Plagiarism.

If you agree with what someone is saying, like it, or share the thought and add your own original thought. Do the research, credit the original author, but if a friend asks you to copy/paste something, be a real friend: Just Don’t.

Moving databases to a new server

This weekend I was retiring an old server, replacing it with a new server.  The old server had 3 different SQL instances with hundreds of mounted databases.  To move them all to the new server (and get them re-mounted again) I figured there had to be some SQL Scripts already written for the task and after a brief search I found an excellent article with exactly the scripts that I needed here: 

The important parts from that article were the script generator to detach the databases:

-- Build the sp_detach_db command (ONLINE, non-system databases only):
SELECT DISTINCT 'exec sp_detach_db ''' + DB_NAME(dbid) + ''';'
FROM master.dbo.sysaltfiles
WHERE SUBSTRING(filename,1,1) IN ('E','F')
AND DB_NAME(dbid) NOT IN ('master','tempdb','msdb','model')

And the script generator to subsequently mount the databases (again, 100% of the credit for this script goes to Michelle Gutzait):

— Build the sp_attach_db:

DECLARE     @cmd        VARCHAR(MAX),
            @dbname     VARCHAR(200),
            @prevdbname VARCHAR(200)

SELECT @cmd = ”, @dbname = ‘;’, @prevdbname = ”

    (Seq        INT IDENTITY(1,1) PRIMARY KEY,
     dbname     SYSNAME NULL,
     fileid     INT NULL,
     filename   VARCHAR(1000) NULL,
     TxtAttach  VARCHAR(MAX) NULL

SELECT DISTINCT DB_NAME(dbid) AS dbname, fileid, filename, CONVERT(VARCHAR(MAX),”) AS TxtAttach
FROM master.dbo.sysaltfiles
WHERE dbid IN (SELECT dbid FROM master.dbo.sysaltfiles
            WHERE SUBSTRING(filename,1,1) IN (‘E’,’F’))
            AND DATABASEPROPERTYEX( DB_NAME(dbid) , ‘Status’ ) = ‘ONLINE’
            AND DB_NAME(dbid) NOT IN (‘master’,’tempdb’,’msdb’,’model’)
ORDER BY dbname, fileid, filename

UPDATE #Attach
SET @cmd = TxtAttach = 
            CASE WHEN dbname <> @prevdbname
            THEN CONVERT(VARCHAR(200),’exec sp_attach_db @dbname = N”’ + dbname + ””)
            ELSE @cmd
            END +’,@filename’ + CONVERT(VARCHAR(10),fileid) + ‘=N”’ + filename +””,
    @prevdbname = CASE WHEN dbname <> @prevdbname THEN dbname ELSE @prevdbname END,
    @dbname = dbname

SELECT TxtAttach
(SELECT dbname, MAX(TxtAttach) AS TxtAttach FROM #Attach
GROUP BY dbname) AS x


I noticed however, that many of the files I had attached had massive sql .ldf (log) files.  Since none of my databases needed to run with full logging, I could go ahead and shrink the log files without any issue.  Shrinking the log files had the effect of reducing the data to move from server A to B by nearly 1TB.  Here’s the script, courtesy of:

      ‘USE [‘ + + N’]’ + CHAR(13) + CHAR(10)
    + CHAR(13) + CHAR(10) + CHAR(13) + CHAR(10)
         sys.master_files mf
    JOIN sys.databases d
        ON mf.database_id = d.database_id
WHERE d.database_id > 4;

This generates the shrink commands using the syntax:

USE [MountedDatabaseName]

The thing that’s a bit strange to me at least about the SHRKINFILE command is that it uses the internal database name instead of the mounted name.  So having a script generator like this one to create the script is invaluable!

The last thing that most of these articles do not mention is that if other users have detached databases in the folder structure that you’re trying to move, then their user accounts (or the SQL Service account if they were using SQL Auth) will then have exclusive security permissions to the detached .mdf/.ndf/.ldf files.

That means you will hit file system permission issues, so the way that you solve that is using an admin account, run the following commands from a command prompt:

First, change to the root folder where your databases are mounted on the old server, then:

1. Use the TakeOwn command to take ownershp of all of the files from the current folder (dot) and sub-folders /R:

TakeOwn /F . /R

2. Use the cacls command to grant permission to the physical files:

cacls * /G Everyone:F /T

Note: in my case  just granted “everyone” full permission to the SQL Database files, because when I move these files to the destination server the destination server’s folder permissions are going to impose new restrictions.

MSComCTL.ocx broken in Microsoft Security Update KB3039794 or KB2920727 or KB2881029 January 12, 2016

This week’s Microsoft Security update includes a breaking change to MSComCtl.ocx located on most computers in C:\Windows\SysWow6432\mscomctl.ocx.  The update has a different title / KB # depending on the version of Microsoft Office you have installed.  The ones that I have encountered so far include:

Security Update for Microsoft Office 2010 (KB2881029) 32-Bit Edition: Link:

Security Update for Microsoft Office 2013 (KB3039794) 32-Bit Edition: Link: 

Security Update for Microsoft Office 2016 (KB2920727) 32-Bit Edition: Link:

In all cases, the update replaces mscomctl.ocx with a new version 6.01.9846.

Microsoft had previously “broken” this control before, however last time it happened, the issue was with the registry.  A simple work around of registering an old version and re-registering the current version typically worked to fix the issue.

This time, that work around does not appear to work.

Users of Blue Link Elite that are affected will see an “Object doesn’t support this property or method” error message when they launch the software: “The OpenForm action was canceled” followed by:


As of this writing, the temporary work around is to un-install this update.  Blue  Link is working on a permanent fix that will allow the application to work with the new version of the control in place.  Until then, the approach to remove the update is different depending on the version of the operating system that you have installed.

How to Remove and Block the KB on different Windows Versions

Windows 10 / Office 2016 32-bit example

To remove the already installed update type “View installed updates” into your search bar and open the View installed updates applet:


Select the Security Update for Microsoft Office _____ (KB_______) that matches your version of Office and the KB# that updates mscomctl.ocx, then click the Uninstall button at the top of the screen.

Note: Depending on your windows update settings, it may almost immediately attempt to RE-INSTALL the update, so it is important that when this step is complete that you do not unnecessarily delay before performing the next step of blocking the update.

To Block the update on Windows 10 you now have to download a special tool since Microsoft removed the built-into-the-os version of the feature.

If running Windows 10, you’ll have to download the wushowhide.diagcab file from here: 


Click Next, To Block the update if already un-installed, choose the hide option and then you’ll be presented with a list of updates that have NOT YET BEEN APPLIED to your machine.  If the KB is in this list, you may selected it and then click through the wizard.  This will prevent it from being auto-reapplied:




The procedure on Windows 8.1, and Windows 7 is different.  This blog will be updated on a regular basis as new information is made available.

Note: If you can figure out a way to restore functionality without removing the update please post a comment below.


UPDATE: 2016-02-09: Orphaned Registry Keys are the issue

What we have been able to determine is that as Microsoft patches the mscomctl.ocx file new GUIDs get created.  The old GUIDs then become pointers to the new GUIDs, but on some cases, those old GUIDs are still pointing to other GUIDs which now no longer exist.  To fix that problem, those old invalid pointer GUIDs need to be deleted, but Microsoft’s installer for the KB does NOT detect and delete the bogus pointers successfully resulting in the controls not working.

One of our developers has created a utility that will crawl through the mscomctl related registry keys, deleting most.  When that utility is done running he has instructed us to then copy/paste some additional registry deletion commands to an admin command prompt.

Since I don’t expect readers of this blog to simply trust running a .net executable I’ve asked the developer to give me the files and the source code so that we can post it here. 

UPDATE: 2016-04-20: I wasn’t able to get the source code, but I am making a version available for download here.

It should go without saying that you should of course BACKUP your registry before you run any kind of registry script as a best practice.  I cannot assume any responsibility for your actions running deletion scripts against the Windows registry.  That said, our techs are now able to follow these steps and have this issue fixed 99% of the time using the latest security fix version of mscomctl.ocx:

Step 1: unregister the current file: From an Administrator command prompt:

  • change to the folder containing the mscomctl.ocx file (C:\WIndows\System32\ if 32-bit or C:\Windows\SysWow64 on a 64-bit machine).
  • regsvr32 /u mscomctl.ocx

Step 2: Run the BLRegClean_Net.exe utility (Source code coming soon).

Step 3: BACKUP YOUR REGISTRY (if this is the first time you’re trying this for example)

From an administrator command prompt run the following additional deletion statements.

reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{95F0B3BE-E8AC-4995-9DCA-419849E06410}" /f

Step 4: Re-Register the mscomctl.ocx file

  • change to the folder containing the mscomctl.ocx file (C:\WIndows\System32\ if 32-bit or C:\Windows\SysWow64 on a 64-bit machine).
  • regsvr32 /u mscomctl.ocx

In most cases these steps alone are sufficient to solve the problem.

In the cases where this has not worked, the technique of register an older version of mscomctl.ocx and then re-register the current version has worked after performing the steps above.


Skype for Business 2016 from Office 2016 media endless authentication loop

For those of you who have upgraded to Microsoft Office 2016 and are using Microsoft Skype for Business 2016 with Microsoft Office 365, you may have noticed a seemingly endless authentication loop where after having successfully signed in with your Office 365 credentials, you keep getting prompted to indicate if this is a work or Microsoft Account.

This basically  makes Skype for Business 2016 (Lync’s new name) unusable so we opened a case with Microsoft to try to get a fix.

The result of the case was as follows:

1. Exit out of Skype for Business, and delete following files:


2. Make sure you empty Lync folders under:        



3. Create these two DWORD32 entries







4. You may have to reboot the computer.

Start Skype. You will be prompted once to enter User/Pass to access corporate address book.



The other issue that we’ve noticed with Skype for Business 2016 is that after a few minutes of use the backspace key stops working in message replies and you’re stuck having to highlight words that you want to delete and use the DEL key instead.  We haven’t got a fix for that one yet, so my personal recommendation is to just avoid Skype for Business 2016 completely and revert to Skype for Business 2015 which is part of the Microsoft Office 2013 media.

To do this, in Programs and Features, select Microsoft Office 2016 and choose change.

Remove the checkbox beside Skype for Business 2016.

When that’s done, go back into Programs and Features and this time select Microsoft Office 2013 (assuming that it is still listed) and choose Change.

Check the checkbox beside Skype for Business 2015.


When done, you’re back up and running on the stable release of Lync (Skype for Business 2015) and aren’t stuck in endless authentication loops and you can actually use the backspace key.

I’ll update the article later when we get a solution to the backspace key.  For the moment we’re going to block the upgrade of Skype for Business from our volume media setup files.

Deleting User Profiles to which you do not have permission

Every once in a while I encounter user profiles for employees who have long since left the company that need to be deleted.

In the example below, I have a user account: "dmacdonald" that I want to delete.  The profile consumes 2 GB of storage, their user data folder another 6GB.

Step 1: Delete the user Profile from User Profiles tool:

The fastest way to get to the System Utility for user profiles:


Is to just key “User Profile” into the start menu and choose the  “Configure advanced user profile properties” link.


You can then select a profile, and then click the “Delete” button.


Normally this is all that’s required to delete the files and folders.

But this time, although it DID delete the profile from the User Profile utility and did delete the \Users\dmacdonald folder it did not actually delete the UserData files.  Those files if you attempt to access them still show Permission Denied, but using a tool like SpaceSniffer.exe I could see that the folder was still consuming nearly 6GB of storage so I didn’t just want to leave it around.


You could click through the continue boxes, and manually try to seize ownership of EACH sub-folder one at a time, and then after doing so grant yourself permission to the folder, but you don’t have time for that.  So instead, use these commands:

To fix this run these commands from an administrator command prompt:

takeown /F dmacdonald /R /D "Y"

Followed by:

icacls dmacdonald /grant Everyone:F /T

After that you can access the files and/or delete them.

Cisco AnyConnect Failed to initialize connection subsystem after applying MS15-011

After applying recent security fixes for Windows 8.1 ( my Cisco ANYConnect client failed to load.  Error:

Cisco AnyConnect: Failed to Initialize connection subsystem.

I’m not sure what it is about the most recent security updates that made it stop working, but I found that by setting it into Windows 7 Compatibility mode the issue was resolved.

The registry hack for doing this was:


Add a string value with the string name set as the full path to this file:

C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe

Then set the string value to:

$ Win7RTM



After making the registry change, right-click the AnyConnect icon, and choose Quit:


Then re-launch the AnyConnect client. and all seems to work.