Tuesday, February 28, 2023

How to Properly Remove a Domain Account Profile from a Windows 10 / 11 Domain Joined Computer

Removing a domain user account's profile from a Windows 10 or 11 domain joined workstation takes a few steps to make sure the job is done properly and completely. This is useful when you are re-deploying the computer to a new user and want to remove everything the previous user left behind: not just documents and downloads, but also browser-saved passwords, cached credentials and the other secrets that live in the profile's AppData folder and that the next user of the machine should never be able to reach. Note that this only removes the account's footprint on this computer; the account itself lives in Active Directory and is disabled or deleted there. This article outlines the steps required to remove a domain user profile from a domain joined workstation.


Step 1: Log in as a Local Administrator

Before you can remove a domain user's profile, you must sign in as a local administrator on the workstation rather than as the user being removed (a profile that is currently loaded cannot be deleted). On the sign-in screen choose "Other user" and enter the local account as .\username (the ".\" prefix tells Windows to authenticate against the local machine instead of the domain), followed by the password of a local administrator account.

Step 2: Remove the User Account from the Local Administrators Group

Once you have logged in as a local administrator, check whether the domain user account was ever added to the local Administrators group and, if so, remove it. This step is easy to forget, and a stale membership means the account would regain full control of the machine the moment it signs in again. There are two ways to do this:

Open the Control Panel and select "User Accounts".

Select "Manage User Accounts".

Select the domain user account you want to remove and click "Remove".

Click "Yes" to confirm the removal.

Or

Launch Computer Management by clicking Start, typing compmgmt.msc and pressing Enter.

From the left window pane, expand Local Users and Groups, select Groups, and on the right double-click the Administrators group. Select the domain user account in the Members list, click Remove, then click OK.

Step 3: Delete the User Profile

After you have removed the domain user account from the local administrators group, you must delete the user profile associated with the account. Use the System Properties dialog for this rather than deleting the folder under C:\Users by hand: the dialog removes both the profile folder and the matching registry entry, whereas deleting only the folder leaves a dangling registry entry behind and the user gets a temporary profile on their next sign-in. This can be done by following these steps:

Open the Control Panel, select "System" and click "Advanced system settings". (On recent builds this first lands in the Settings app; the quicker route is to press the Windows key + R, type sysdm.cpl and press Enter, which opens the same System Properties dialog directly.)

Under the "User Profiles" section, click on "Settings".

Select the domain user account you want to remove and click "Delete". Profiles are listed as DOMAIN\username; if the account can no longer be resolved (for example because it has already been deleted from the domain) it shows as "Account Unknown" instead.

Click "Yes" to confirm the deletion.

Step 4: Confirm the Registry Entries Were Removed

Removing the profile through the dialog above SHOULD also remove the registry key Windows keeps for that profile, but it's prudent to confirm the key was actually removed. A leftover key with no matching folder produces a temporary profile at the next sign-in, and a leftover key with its folder still intact means the profile was never really removed at all. Before deleting anything in the Registry Editor, export the ProfileList key (File > Export) so you can restore it if you remove the wrong entry. To check, follow these steps:

Press the Windows key + R to open the Run dialog box.

Type "regedit" (without the quotes) and press Enter to open the Registry Editor.

Navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

In the left pane of the Registry Editor, expand ProfileList. Each subkey is named after the account's security identifier (SID), a long string beginning S-1-5-21-, not after the user name. Click each subkey and look at its ProfileImagePath value in the right pane; the one that ends in the user's profile folder (for example C:\Users\username) is the key for the account you are removing. The subkeys for S-1-5-18, S-1-5-19 and S-1-5-20 belong to the built-in system accounts and must be left alone.

Right-click on the key and select "Delete."

Confirm that you want to delete the key.

Repeat the last three steps for any other ProfileList subkey that refers to the same account, including one with the same SID and a .bak suffix, which Windows creates when a profile failed to load.

Step 5: Reboot Your Computer

After deleting the user profile and confirming the registry entries are gone, reboot the computer. This ensures that the changes are fully applied and that no process still holds a handle to the old profile. To reboot, click on the Start menu, click on the power icon, and select "Restart."
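The whole procedure as a script, for when you are cleaning up more than one machine. This is an added example written for this article, not a tool from the article's author: it assumes an elevated PowerShell prompt on Windows 10/11, a local administrator signed in, the target user signed out, and uses CONTOSO\jsmith as a placeholder for the real domain account.

```powershell
# Added example, not from the original article: remove a domain user's cached profile from a
# domain-joined Windows 10/11 machine. Run in an elevated PowerShell prompt while signed in
# as a local administrator, with the target user signed out. CONTOSO\jsmith is a placeholder.
$Account = 'CONTOSO\jsmith'

# Everything below is keyed by SID, not by name: the ProfileList subkey is named after the
# SID, and Win32_UserProfile has one instance per SID. Resolving the name needs the domain
# (or a cached name-to-SID mapping) to be reachable.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
Write-Host "Resolved $Account to $sid"

# Step 2: revoke any local Administrators membership. Matching on SID also catches a member
# that is only shown as a bare S-1-5-21... string because the domain cannot be reached.
$isLocalAdmin = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -eq $sid }
if ($isLocalAdmin) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $sid
    Write-Host "Removed $Account from the local Administrators group"
}

# Step 3: delete the profile the supported way. Removing the Win32_UserProfile instance does
# what System Properties > User Profiles > Delete does: it removes the profile folder AND the
# matching ProfileList key together. Deleting only the folder leaves a dangling key, and the
# user gets a temporary profile at next sign-in.
$userProfile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID = '$sid'"
if (-not $userProfile) {
    Write-Host "No local profile for $Account on this machine"
}
elseif ($userProfile.Loaded) {
    throw "Profile $($userProfile.LocalPath) is still loaded; sign the user out and run this again."
}
else {
    $path = $userProfile.LocalPath
    $userProfile | Remove-CimInstance
    Write-Host "Deleted profile $path"
}

# Step 4: verify the registry really is clean. Check for the '<SID>.bak' key Windows leaves
# behind after a failed profile load as well as for the key itself.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($key in "$profileList\$sid", "$profileList\$sid.bak") {
    if (Test-Path -Path $key) {
        Write-Warning "Stale key $key is still present; removing it"
        Remove-Item -Path $key -Recurse
    }
}
if ($userProfile -and (Test-Path -Path $userProfile.LocalPath)) {
    Write-Warning "Folder $($userProfile.LocalPath) still exists; remove it by hand, then reboot"
}
```

Run it once per account, then reboot as in Step 5. The `Loaded` check is what makes this safe to run against a machine someone may still be signed in to: a loaded profile is refused rather than half-deleted.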


In conclusion, removing a domain profile from a Windows 10 or 11 workstation means deleting the user profile folder and its corresponding registry entry, and revoking any local administrator rights the account held on the machine. Export the ProfileList key before editing the registry by hand, and reboot once the clean-up is done. By following these steps, you can safely remove a domain profile from a domain joined workstation.


You can view a more in depth version of this article at RTGLabs.IT!


Friday, February 24, 2023

SPF Record - What is it and how to configure

If you’re running an email server or sending emails on behalf of your domain, it’s important to set up a Sender Policy Framework (SPF) record.

SPF (Sender Policy Framework) is an email authentication protocol that lets a domain owner publish, in DNS, which IP addresses are authorized to send mail on behalf of that domain. Receivers that check SPF can reject or flag forged mail, so an SPF-protected domain is harder to impersonate and its legitimate mail is less likely to be blocked by spam filters.

An SPF record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It helps prevent spam and spoofing by giving receiving servers a way to check that a message came from a server the domain owner has authorized. One detail matters when you troubleshoot: the receiving server checks SPF against the domain in the SMTP envelope sender (the MAIL FROM address, which ends up in the Return-Path header), not against the From address the recipient sees in their mail client. If the connecting IP address is not authorized by that domain's SPF record, the email may be rejected or marked as spam. Tying the visible From address to the SPF (and DKIM) result is the job of DMARC, mentioned at the end of this article.

In this article, we’ll walk you through the steps of creating an SPF record, including what to include in the record and how to test it. We’ll also provide examples of common SPF records to help you get started.

Creating an SPF record is a simple process, but it does require access to your domain's DNS settings. Here are the steps to create an SPF record:


Choose an SPF mechanism

You’ll need to choose one or more mechanisms to include in your SPF record. Mechanisms specify which email servers are authorized to send email for your domain. There are several mechanisms to choose from:

ip4: specifies an IPv4 address or range of addresses that are authorized to send email

ip6: specifies an IPv6 address or range of addresses that are authorized to send email

a: authorizes the IP addresses found in the domain's A (and AAAA) records, either the domain the SPF record belongs to or a host name you specify

mx: specifies the domain’s MX record, which lists the mail servers that accept email for the domain. This mechanism authorizes any mail server listed in the MX record

include: evaluates another domain's SPF record as part of this one. This is how you authorize a third-party service (your mail host, a marketing platform, a ticketing system) to send as your domain, or consolidate the policy for several of your own domains in one place. Be aware that include, a, mx and the rarely used ptr and exists mechanisms each cost the receiver a DNS lookup, and RFC 7208 caps a record at 10 such lookups in total, counting the lookups inside every included record. Exceed the limit and the whole record fails with a permanent error, which most receivers treat as if you had published no SPF at all


Determine your SPF policy

Determine which IP addresses are authorized to send emails on behalf of your domain. This may include your own mail server, your email marketing service provider, or any third-party services that you use to send emails.

+all: allows any server to send email for your domain (not recommended)

-all: hard fail - tells receivers to reject mail from any server that is not authorized in your SPF record

~all: soft fail - tells receivers to accept mail from unlisted servers but treat it with suspicion, typically by increasing its spam score. This is the usual choice while you are still discovering which services send as your domain; once the record is complete, move to -all. A fourth option, ?all (neutral), makes no assertion at all and offers no protection.


Create a TXT record 

Now that you’ve chosen your mechanisms and determined your SPF policy, you can write your SPF record. An SPF record is a TXT record in your domain’s DNS settings. Here is an example of what an SPF record might look like:

v=spf1 include:_spf.google.com ~all

or

v=spf1 include:_spf.nyc.gov include:spf.protection.outlook.com mx -all

If you are using Microsoft 365 for mail hosting, your basic SPF record would look like this:

v=spf1 include:spf.protection.outlook.com -all


Create a TXT record in your domain's DNS settings with the following information:

v=spf1 ip4:[IP address/range] include:[domain.com] ~all

The "v=spf1" identifies this as an SPF record. Replace "[IP address/range]" with the address or CIDR range of each server that sends mail for your domain, giving each its own ip4: (or ip6:) mechanism. If you use a third-party service to send emails, authorize it with the "include" mechanism using the SPF domain the provider documents, like so: "include:[domain.com]". The "~all" means mail from any other address should soft fail: receivers accept it but treat it as suspicious. If you want unlisted senders rejected outright, use "-all" instead.

Save the changes to your DNS settings, and wait for the changes to propagate. This can take up to 24 hours, but usually happens much faster. Two things to check while you are there: a domain must have exactly one SPF record (a second TXT record starting with v=spf1 makes both invalid), and the combined record must stay under the 10-lookup limit described above. You can run your domain through a tool like MXToolbox to see that your SPF record is visible to the world and to have these checks done for you.
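Most SPF problems are caught by reading the record carefully before you publish it. The checker below is an added example written for this article, not a tool from the article's author or from any provider: it runs offline, parses a record string the way a receiver would, flags the common mistakes (missing version tag, +all, no all term, too many lookup mechanisms) and tests whether a given sending address is covered by an ip4: or ip6: mechanism. The include:, a: and mx: mechanisms need live DNS, so they are counted toward the lookup limit but not resolved. The records and addresses it runs against are constructed for the example (203.0.113.0/24 is a reserved documentation range).

```powershell
# Added example, not from the original article: an offline SPF record checker. It parses a
# record, flags the mistakes that bite in practice (missing version tag, +all, no all term,
# more than 10 DNS-lookup mechanisms) and tests whether a sending IP is covered by an ip4:
# or ip6: mechanism. include:, a: and mx: need live DNS, so they are counted but not
# resolved. All records and addresses below are constructed for this example.

function Test-IpInCidr {
    param([string] $Ip, [string] $Cidr)
    # Prefix comparison over the raw address bytes works for both IPv4 and IPv6.
    $network, $prefix = $Cidr -split '/', 2
    $addr = [System.Net.IPAddress]::Parse($Ip)
    $net  = [System.Net.IPAddress]::Parse($network)
    if ($addr.AddressFamily -ne $net.AddressFamily) { return $false }
    $a = $addr.GetAddressBytes()
    $n = $net.GetAddressBytes()
    $bits = if ($prefix) { [int]$prefix } else { $a.Length * 8 }   # no /N means a single host
    for ($i = 0; $i -lt $bits; $i++) {
        $mask = 0x80 -shr ($i % 8)
        if (($a[$i -shr 3] -band $mask) -ne ($n[$i -shr 3] -band $mask)) { return $false }
    }
    return $true
}

function Test-SpfRecord {
    param(
        [Parameter(Mandatory)] [string] $Record,
        [string] $SenderIp
    )
    $issues = New-Object System.Collections.Generic.List[string]
    $terms  = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { $issues.Add("record must start with 'v=spf1'") }

    $lookupTerms  = 0        # RFC 7208 section 4.6.4: more than 10 of these is a permerror
    $allQualifier = $null
    $ipListed     = $false

    foreach ($term in ($terms | Select-Object -Skip 1)) {
        $qualifier = '+'     # implied when no qualifier is written
        if ($term -match '^[+\-~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }

        switch -Regex ($term) {
            '^all$'                                { $allQualifier = $qualifier }
            '^(include|a|mx|ptr|exists)([:/].*)?$' { $lookupTerms++ }
            '^redirect=.+'                         { $lookupTerms++ }
            '^exp=.+'                              { }
            '^ip[46]:(.+)$' {
                if ($SenderIp -and (Test-IpInCidr -Ip $SenderIp -Cidr $Matches[1])) { $ipListed = $true }
            }
            default                                { $issues.Add("unknown term '$term'") }
        }
    }

    if (-not $allQualifier)        { $issues.Add("no 'all' term: unlisted senders get a neutral result") }
    elseif ($allQualifier -eq '+') { $issues.Add("'+all' authorizes every host on the internet") }
    if ($lookupTerms -gt 10)       { $issues.Add("$lookupTerms DNS-lookup terms; the limit is 10 (permerror)") }

    [pscustomobject]@{
        Record       = $Record
        LookupTerms  = $lookupTerms
        AllQualifier = $allQualifier
        SenderIp     = $SenderIp
        IpListed     = $ipListed
        Issues       = $issues.ToArray()
    }
}

# The Microsoft 365 shape from the article with an on-premises relay range added, then two
# records that should never reach production: one with +all, one with eleven includes.
$records = @(
    'v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all'
    'v=spf1 ip4:203.0.113.0/24 +all'
    'v=spf1 ' + ((1..11 | ForEach-Object { "include:relay$($_).example" }) -join ' ') + ' ~all'
)
foreach ($r in $records) {
    Test-SpfRecord -Record $r -SenderIp '203.0.113.25' |
        Format-List Record, IpListed, LookupTerms, AllQualifier, Issues
}
```

For the first record the checker reports the relay address as listed, one lookup term and no issues; the second is flagged for +all; the third is flagged for 11 lookup terms even though every individual mechanism is valid, which is exactly the failure that online validators exist to catch.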

Once your SPF record is created and propagated, it will help to prevent email spoofing and increase the deliverability of your legitimate emails. However, SPF is just one of many factors that email providers use to decide whether an email is spam, and on its own it says nothing about the From address a recipient actually sees. To close that gap and further improve deliverability, you should also implement DKIM (DomainKeys Identified Mail), which signs outgoing messages, and DMARC (Domain-based Message Authentication, Reporting and Conformance), which ties the SPF and DKIM results to the visible From domain, tells receivers what to do when they fail, and sends you reports on who is sending as your domain.


Check out more on SPF at RTGLabs.IT!


Using Bitlocker to Encrypt Your Windows 10 Computer - How to Secure Your Hard Drive

Full disk encryption is the process of encrypting all the data on a storage device, such as a hard drive or solid-state drive, so that it can only be accessed by authorized users who have the encryption key. There are several reasons why you might want to use full disk encryption: 

 1. Protecting sensitive data: Full disk encryption ensures that if someone gains physical access to your device, they won't be able to access your data without the encryption key. This is particularly important if you store sensitive information, such as financial data, medical records, or confidential business information. 

 2. Limiting what a lost or stolen device gives away: full disk encryption protects data at rest. If a laptop is lost or stolen, or the drive is pulled and mounted in another machine, its contents are unreadable without the key. It does not protect data while the system is running and unlocked, so it is no substitute for patching, strong sign-in and anti-malware controls against an attacker who gets in remotely. 

 3. Meeting regulatory requirements: Some industries, such as healthcare and finance, have regulations that require encryption of sensitive data to protect patient or customer privacy. 

 4. Protecting your privacy: Full disk encryption can also be used to protect your personal privacy, especially if you're concerned about government surveillance or other forms of monitoring.

Overall, full disk encryption is an effective way to keep your data confidential while it sits on the device. It does nothing for data in transit; protecting that is the job of TLS and similar protocols.

BitLocker is the encryption tool built into Windows that encrypts the entire drive. Even if someone gets hold of the drive, they cannot read the data without the encryption key, and on modern hardware that key is sealed to the machine's TPM so it is only released when the system boots in an unmodified state. Here's how to use BitLocker to encrypt your drive:

First, check whether your edition of Windows supports BitLocker. BitLocker is available on the Pro, Enterprise and Education editions of Windows 10 and Windows 11, but not on Home (Home offers the simpler "Device encryption" on supported hardware instead).

Open File Explorer and right-click on the drive you want to encrypt.

Select "Turn on BitLocker" from the dropdown menu.


BitLocker will guide you through the process of setting up encryption. Choose how you want to unlock your drive, such as with the TPM alone, the TPM plus a PIN, or a password. Be sure to save the Recovery Key when prompted. Save it somewhere other than the drive you are encrypting (a thumb drive, another computer, cloud storage) or print it out, because you will not be able to access your data if you lose your password or the hardware changes. On a domain joined machine, group policy can escrow recovery keys to Active Directory automatically, which is the right answer for managed computers. 

Wait for BitLocker to finish encrypting your drive. This process may take some time depending on the size of your drive and the speed of your computer.

Once your drive is encrypted, what you see at start-up depends on the protector you chose: with the TPM alone the operating system drive unlocks transparently when the machine boots normally, with TPM plus PIN or a password you must enter it before Windows starts, and a data drive can be unlocked with a password or a smart card each time you use it. The recovery key is only asked for when none of these work.

It's important to note that if you forget your password and don't have a recovery key, you won't be able to access your data, so make sure you keep your recovery key in a safe place.
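For machines you manage rather than your own laptop, the same setup is done from an elevated PowerShell prompt. The script below is an added example written for this article, not a script from the article's author. It assumes a Pro, Enterprise or Education edition with a ready TPM, that C: is the operating system drive, and a domain joined machine whose group policy permits storing BitLocker recovery passwords in Active Directory (Entra ID joined machines use BackupToAAD-BitLockerKeyProtector instead).

```powershell
# Added example, not from the original article: enable BitLocker on the OS drive from an
# elevated PowerShell prompt with a TPM protector, add a recovery password, escrow it to
# Active Directory and verify the result. Assumes Windows 10/11 Pro/Enterprise/Education,
# a ready TPM, C: as the OS drive and a domain joined machine with AD key backup allowed.
$Drive = 'C:'

# Preflight: the edition must ship BitLocker and the TPM must be ready, or the TPM protector
# option does not exist.
if (-not (Get-Command Enable-BitLocker -ErrorAction SilentlyContinue)) {
    throw 'BitLocker cmdlets not found; this Windows edition does not include BitLocker.'
}
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; initialize it in tpm.msc or use a password protector instead.'
}

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "$Drive is already $($vol.VolumeStatus) (protection: $($vol.ProtectionStatus))"
}
else {
    # Add the recovery password FIRST so there is always a way back in, then turn encryption
    # on with the TPM protector. XTS-AES 256 is the current recommendation for fixed drives;
    # -UsedSpaceOnly is fine for a freshly imaged machine but should be dropped on a drive
    # that has held data before, since free space may still contain old file contents.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest
}

# Escrow every recovery password. An unsaved recovery key turns a lost PIN, a firmware
# update or a motherboard swap into unrecoverable data, the failure the article warns about.
$vol = Get-BitLockerVolume -MountPoint $Drive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $kp.KeyProtectorId
    Write-Host "Recovery password $($kp.KeyProtectorId) backed up to Active Directory"
}

# Verify: protection on, encryption progressing, one TPM and one RecoveryPassword protector.
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
    @{ Name = 'Protectors'; Expression = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Encryption continues in the background after the script returns; `Get-BitLockerVolume` shows the percentage climbing, and ProtectionStatus should read On once the recovery password has been added and the TPM protector is in place.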

Friday, February 17, 2023

How to Browse a Mapped Drive / UNC Path from Windows Command Line


If you need to access files or folders on a network share, you may need to browse UNC paths from the Windows Command Line. UNC stands for Universal Naming Convention, and it is a way to specify the location of a shared network resource. UNC paths are written in the form \\servername\sharedfolder\subfolder.

In this article, we will explore how to browse UNC paths from the Windows Command Line.

Step 1. Open a Command Prompt

The first step is to open the Command Prompt. You can do this by pressing the Windows key + R on your keyboard to open the Run dialog box, and then type cmd and hit Enter. Alternatively, you can search for "Command Prompt" in the Start menu and click on it.


Step 2. Map the Network Drive

Mapping a drive letter is not strictly required to read a share: most commands accept a UNC path directly, as long as the account you are signed in with is accepted by the server. The cd command, however, does not accept UNC paths, and mapping also lets you supply a different set of credentials, so it remains the usual approach.

Map a network drive: 

If your current Windows credentials are not accepted by the server, you will be prompted to enter a username and password for the network share. Once the connection succeeds, the share is mapped to the next available drive letter on your computer.

Alternatively, you can set the drive letter manually with the following command: 

Step 3. Browse the UNC path:

Replace X: with the drive letter that you mapped the network drive to. This will then show you the contents of the shared folder on the network. 

Optionally, disconnect the network drive:

Browsing UNC paths from the Windows Command Line is a useful skill for accessing files and folders on a network share. By following the steps outlined in this article, you can map a network drive, browse the UNC path, and disconnect the network drive when you're finished.
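The same steps as a script you can keep for repeated use. This is an added example written for this article, not something from the article's author: it runs in PowerShell, but net.exe is the same program cmd.exe runs, so the net use lines paste into a Command Prompt unchanged. \\fileserver01\projects and CONTOSO\jsmith are placeholders for the real share and account.

```powershell
# Added example, not from the original article: the map / browse / disconnect steps as a
# script. net.exe is the same program cmd.exe runs, so the net use lines paste into a
# Command Prompt unchanged. \\fileserver01\projects and CONTOSO\jsmith are placeholders.
$Share   = '\\fileserver01\projects'
$Account = 'CONTOSO\jsmith'
$Letter  = 'X:'

# Mapping is optional for reading: dir in cmd.exe and Get-ChildItem here both accept a UNC
# path directly, as long as your current Windows sign-in is accepted by the server. Only cd
# refuses UNC paths, which is why the drive letter exists at all.
Get-ChildItem -Path $Share -ErrorAction SilentlyContinue | Select-Object Name, Length, LastWriteTime

# Map a specific letter with explicit credentials. The password is deliberately NOT on the
# command line: net use prompts for it, so it stays out of the console history and any
# transcript. Use '*' instead of a letter to take the next free one, and /persistent:no so
# the mapping does not come back at the next sign-in.
net use $Letter $Share /user:$Account /persistent:no
if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

# Browse through the letter, then list every current mapping (a stale one may be holding
# the letter you wanted).
Get-ChildItem -Path "$Letter\"
net use

# Disconnect when finished. A mapping left behind keeps an SMB session, authenticated with
# your credentials, open to that server for as long as you stay signed in.
net use $Letter /delete
```

If you only need to change directory into a share from a Command Prompt, cmd.exe's built-in pushd accepts a UNC path and maps a temporary drive letter for you; popd removes it again.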

Wednesday, February 15, 2023

How to Identify a Phishing Attempt

What is Phishing?
A phishing attack is an attempt by attackers to trick an individual into divulging sensitive information such as passwords, credit card numbers, and other personal information. 

Phishing attacks can come in many different forms. Some common tactics used by attackers include sending emails, SMS messages, and social media messages, which look like they come from legitimate sources such as banks, credit card companies, and other businesses. Phishing messages often contain links that lead to fake websites designed to look like the real ones. These fake sites can then collect the user's login credentials or other sensitive information.

Phishing attacks can be broadly categorized into two types: targeted phishing attacks and generic phishing attacks.

A targeted phishing attack, also known as spear phishing, is a type of attack where the attacker tailors the attack to a specific individual or organization. The attacker may use personal information about the target that they have gathered through research or social engineering to craft a convincing message that appears to be from a trusted source. For example, the attacker may send an email that appears to be from the target's boss or colleague, requesting that they provide login credentials or other sensitive information.

In contrast, a generic phishing attack, also known as a mass phishing attack, is a more widespread, automated attack where the attacker sends out a large number of identical or similar messages to a broad audience, such as all users of a particular email service or all customers of a specific bank. The messages may appear to be from a legitimate source, such as a bank or social media platform, and will typically ask the recipient to click on a link or download an attachment that contains malware or prompts the user to enter sensitive information.

Here are some tips on how to spot a phishing attempt:

1. Check the sender's email address: Check the email address of the sender to ensure that it matches the company's domain name. For example, if you receive an email from your bank, the sender's email address should end with the bank's domain name. If the email address doesn't look legitimate, it's probably a phishing attempt.

If the attack is targeted, you may find the display name of the sender is that of a co-worker or executive within your company, or of a company you are associated with, while the actual email address is one that is unfamiliar. This is why you should look at the originating email address regardless of the display name. You may also find such emails contain your company's signature block and reference other employees by name. This information is easily found on the corporate website or on sites like LinkedIn and takes minimal intelligence gathering to collect and use. 

Even if the message originates from a trusted source, if it contains any kind of unusual request or is written in a style you know differs from the person who is supposedly sending it, it is quite possible their account has been compromised and is being used to send out further phishing attempts. If such an email is received, pick up the phone and call the sender to verify the message, using a number you already have rather than one printed in the email. If you are unable to reach them by phone, contact your IT team for further guidance. They would much rather review a suspicious email than have to react to a compromised account that could in turn cost the company a substantial amount of money (and potentially your job). 

Both targeted and generic phishing attacks can be very effective if the attacker is able to craft a convincing message and the victim falls for the trick. However, targeted phishing attacks are generally considered to be more sophisticated and more difficult to detect and defend against, as the attacker has taken the time to research the target and create a personalized message.

2. Check the spelling and grammar: Phishing emails often contain spelling and grammatical errors. Legitimate companies are unlikely to make such mistakes in official communications.

3. Be wary of urgent or threatening messages: Phishing emails often contain urgent or threatening messages that demand immediate action. This is an attempt to make the user panic and provide sensitive information without thinking twice.

4. Be cautious of unexpected requests: Legitimate companies won't ask you for sensitive information such as passwords or credit card numbers via email or social media. If you receive such requests, even if from a trusted source,  it very well could be a phishing attempt sent from a compromised email account. 

5. Keep your software up to date: Software updates often contain security patches that can protect you from phishing attacks. Keep your operating system, web browser, and other software up to date to reduce the risk of a successful phishing attempt.

6. Check the URL: Phishing emails often contain links that lead to fake websites. Frequently the message asks you to follow a link in the body or in an attachment to view or download an invoice or other important documentation, and that link leads to a fake but legitimate-looking copy of a cloud storage sign-in page such as Microsoft OneDrive, SharePoint or Dropbox. You are then asked to enter your email address and password before you can access the document. This is very often how unsuspecting victims have their credentials stolen. Before clicking on any link, hover your mouse over it to see the real URL, and read the domain name rather than the rest of the address: a brand name appearing somewhere in the path means nothing if the site itself is not the brand's own domain. If the URL looks suspicious, don't click on it.
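Tips 1, 3 and 6 can be checked mechanically once you have the raw message (most mail clients offer a "show original" or "view source" option). The script below is an added example written for this article, not a tool from the article's author: it reads the headers and body of a message, compares the visible From address with the Return-Path, Reply-To and authentication results, looks for urgency language in the subject, and automates the hover check by comparing what each link says with where it actually points. The message it inspects is constructed for the example using the reserved example.com and example.net domains, and the recipient's own domain is assumed to be example.com.

```powershell
# Added example, not from the original article: automate tips 1, 3 and 6 against a raw
# message. The message is constructed for this example (example.com / example.net are
# reserved documentation domains) and the recipient's own domain is assumed to be example.com.
$OurDomain = 'example.com'

$rawMessage = @'
Return-Path: <bounce-8841@mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: <ceo.office.urgent@example.net>
Subject: URGENT: invoice approval needed today
Content-Type: text/html

<p>Please review the attached invoice immediately:</p>
<a href="https://example.net/login/onedrive">https://onedrive.live.com/invoice-8841</a>
'@

function Get-AddressDomain {
    param([string] $HeaderValue)
    # Domain part of the first address in a header such as '"Name" <user@host>'.
    if ($HeaderValue -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
    return $null
}

function Get-PhishingIndicators {
    param([string] $RawMessage, [string] $OurDomain)

    # RFC 5322: the header block ends at the first empty line. Folded (multi-line) headers
    # are not unfolded here; the constructed sample has none.
    $headerText, $body = $RawMessage -split '(?:\r?\n){2}', 2
    $headers = @{}
    foreach ($line in ($headerText -split '\r?\n')) {
        if ($line -match '^([\w-]+):\s*(.*)$') { $headers[$Matches[1].ToLower()] = $Matches[2] }
    }

    $findings   = New-Object System.Collections.Generic.List[string]
    $fromDomain = Get-AddressDomain $headers['from']

    # Tip 1: the name shown versus the address, and the address versus where the mail came from.
    if ($headers['from'] -match '^"?([^"<]+?)"?\s*<' -and $fromDomain -ne $OurDomain) {
        $findings.Add("Display name '$($Matches[1].Trim())' but address domain is '$fromDomain', not '$OurDomain'")
    }
    $returnPathDomain = Get-AddressDomain $headers['return-path']
    if ($returnPathDomain -and $returnPathDomain -ne $fromDomain) {
        $findings.Add("Return-Path domain '$returnPathDomain' differs from From domain '$fromDomain'")
    }
    $replyToDomain = Get-AddressDomain $headers['reply-to']
    if ($replyToDomain -and $replyToDomain -ne $fromDomain) {
        $findings.Add("Reply-To goes to '$replyToDomain', not to the From domain '$fromDomain'")
    }
    if ($headers.ContainsKey('authentication-results')) {
        foreach ($m in [regex]::Matches($headers['authentication-results'], '\b(spf|dkim|dmarc)=(\w+)')) {
            if ($m.Groups[2].Value -in 'fail', 'softfail', 'permerror', 'temperror') {
                $findings.Add("$($m.Groups[1].Value) result is '$($m.Groups[2].Value)' for mail claiming to be from '$fromDomain'")
            }
        }
    }

    # Tip 3: pressure to act now.
    if ($headers['subject'] -match 'urgent|immediately|today|suspended|verify your account') {
        $findings.Add("Subject uses urgency language: '$($headers['subject'])'")
    }

    # Tip 6: what the link says versus where it goes, i.e. the hover check automated.
    foreach ($m in [regex]::Matches($body, '<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', 'IgnoreCase')) {
        $href = $m.Groups[1].Value
        $text = $m.Groups[2].Value.Trim()
        $hrefHost = if ($href -match '^[a-z]+://') { ([System.Uri]$href).Host } else { $href }
        if ($text -match '^https?://' -and ([System.Uri]$text).Host -ne $hrefHost) {
            $findings.Add("Link text shows '$(([System.Uri]$text).Host)' but points to '$hrefHost'")
        }
    }

    [pscustomobject]@{
        From       = $headers['from']
        Findings   = $findings.ToArray()
        Suspicious = $findings.Count -gt 0
    }
}

$result = Get-PhishingIndicators -RawMessage $rawMessage -OurDomain $OurDomain
$result.Findings | ForEach-Object { "[!] $_" }
```

Against the sample message this reports five findings: a Return-Path and a Reply-To on a different domain from the From address, a DMARC failure for a message claiming to be from the company's own domain, urgency language in the subject, and a link whose text names onedrive.live.com while its target is example.net. Any one of these deserves a phone call before anyone clicks.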


In conclusion, spotting a phishing attempt is critical to protecting your personal information and preventing identity theft. By following the tips above, you can reduce the risk of falling victim to a phishing attack. Remember to always be cautious when receiving unexpected emails or social media messages, and always double-check the sender's email address, URL, and message content before taking any action.



Tuesday, February 7, 2023

How to Respond If Your Google Email Has Been Compromised

Email is a critical aspect of our digital lives and losing control of it can be a nightmare. If you suspect that your Google email has been compromised, it's important to take quick action to prevent further damage. In this article, we'll walk you through the steps you need to take to regain control of your email and secure it from future attacks.


1. Change Your Password

The first thing you need to do is change your password immediately. This will help to prevent the attacker from accessing your email further. Choose a strong and unique password that you haven't used before. You can change your password by going to the Google account security page and selecting "Change password."


2. Enable Multi-Factor Authentication

Multi-factor (two-factor) authentication adds an extra layer of protection to your Google account. Besides your password, it requires a second factor before you can sign in: a prompt or code on your phone, a code generated by an authenticator app, or a hardware security key. This makes it much more difficult for someone to get into your account even if they have your password. Turn it on after changing your password, and check that every phone, app or key listed as a second factor is actually yours, since an attacker who has been in the account may have enrolled their own.

    Configure 2FA

    1. Open your Google Account.

    2. In the navigation panel, select Security.

    3. Under “Signing in to Google,” select 2-Step Verification > Get started.

    4. Follow the on-screen steps.


3. Check Your Email Settings and Filters

Check your email settings and filters to see if any unauthorized changes have been made. This includes forwarding addresses, filters, send-as settings, delegated access and the vacation responder, all found under the Gmail settings gear. Also review the recovery phone number and recovery email on the Google account security page: attackers commonly change these so that they can reset the password and get back in after you have changed it.


4. Review Your Email Activity

Check your account activity for suspicious sign-ins or other unauthorized access. On the Google account security page, review the list of devices signed in to your account and sign out any you do not recognize, and look at the third-party apps and sites that have been granted access to the account, removing anything unfamiliar. If you see suspicious activity, take immediate action to secure your account. 

In most cases, email accounts are compromised in automated attacks, and the attacker will use the account to send further phishing messages with the goal of compromising yet more mailboxes. During the attack they configure mailbox rules (filters, in Gmail) that move any inbound messages containing specific keywords that could alert the victim to the compromise, such as replies asking whether you really sent that message, into rarely visited folders or straight to the trash. It is therefore prudent to review your filters for any rule moving email to unusual locations or deleting it outright.


5. Report the Incident

If you suspect that your email has been compromised, it's important to report the incident to Google. Google has a reporting form that you can use to report a compromised account. You can also report a compromise to the authorities if you feel that your personal or financial information has been put at risk.


In conclusion, if your Google email has been compromised, it's important to take quick action to prevent further damage. Change your password, enable two-factor authentication, check your email settings and filters, review your email activity, and report the incident. By following these steps, you can regain control of your email and secure it from future attacks.