The following details the Computer Settings that the script will perform in order to Optimise Windows Server 2016 in XenApp/RDS based environment as per citrix optimisation Guide in 2008 R2/Various blogs and my own experience in running citrix environments.
I have extensively reviewed all settings/Changes and believe that they all apply to Windows Server 2016 (from server 2016 performance tuning, validated services/tasks) but please feedback any mistakes…
Computer Setting:
Windows Services (Disable)
| Service Name | Service Description |
| AJRouter | AJRouter Service |
| ALG | Application Layer Gateway Service |
| AppMgmt | Application Management Service (do not disable if deploying software via Group Policy) |
| bthserv | Bluetooth Support Service |
| Browser | Computer Browser |
| DcpSvc | DataCollectionPublishingService |
| DeviceAssociationService | Device Association Service |
| DPS | Diagnostic Policy Service |
| WdiServiceHost | Diagnostic Service Host |
| WdiSystemHost | Diagnostic System Host |
| TrkWks | Distributed Link Tracking Client |
| MapsBroker | Downloaded Maps Manager |
| EFS | Encrypting File System (EFS) |
| Eaphost | Extensible Authentication Protocol Service |
| FDResPub | Function Discovery Resource Publication |
| lfsvc | Geolocation Service |
| vmickvpexchange | Hyper-V Data Exchange Service |
| vmicguestinterface | Hyper-V Guest Service Interface |
| vmicshutdown | Hyper-V Guest Shutdown Service |
| vmicheartbeat | Hyper-V Heartbeat Service |
| vmicvmsession | Hyper-V PowerShell Direct Service |
| vmicrdv | Hyper-V Remote Desktop Virtualization Service |
| vmictimesync | Hyper-V Time Synchronization Service |
| vmicvss | Hyper-V Volume Shadow Copy Requestor |
| UI0Detect | Interactive Services Detection |
| SharedAccess | Internet Connection Sharing |
| NcaSvc | Network Connectivity Assistant |
| CscService | Offline Files |
| defragsvc | Optimize Drives |
| SstpSvc | Secure Socket Tunneling Protocol Service |
| SensrSvc | Sensor Monitoring Service |
| ShellHWDetection | Shell Hardware Detection |
| SNMPTRAP | SNMP Trap Service |
| SSDPSRV | SSDP Discovery |
| SysMain | Superfetch |
| TapiSrv | Telephony |
| Themes | Themes |
| upnphost | UPnP Device Host |
| VSS | Volume Shadow Copy |
| dmwappushservice | WAP Push Message Routing Service |
| WinDefend | Windows Defender Service |
| WerSvc | Windows Error Reporting Service |
| icssvc | Windows Mobile Hotspot Service |
| wuauserv | Windows Update |
| dot3svc | Wired AutoConfig |
| XblAuthManager | Xbox Live Auth Manager |
| XblGameSave | Xbox Live Game Save |
NOTE: Below Technet blog covers the Services installed by default and Microsoft’s view on If OK to disable.
Scheduled Tasks (Disable)
| Task Name | Task Path |
| AD RMS Rights Policy Template Management (Automated) | \Microsoft\Windows\Active Directory Rights Management Services Client |
| AD RMS Rights Policy Template Management (Manual) | \Microsoft\Windows\Active Directory Rights Management Services Client |
| EDP Policy Manager | \Microsoft\Windows\AppID |
| PolicyConverter | \Microsoft\Windows\AppID |
| SmartScreenSpecific | \Microsoft\Windows\AppID |
| VerifiedPublisherCertStoreCheck | \Microsoft\Windows\AppID |
| Microsoft Compatibility Appraiser | \Microsoft\Windows\Application Experience |
| ProgramDataUpdater | \Microsoft\Windows\Application Experience |
| StartupAppTask | \Microsoft\Windows\Application Experience |
| appuriverifierdaily | \Microsoft\Windows\ApplicationData |
| appuriverifierinstall | \Microsoft\Windows\ApplicationData |
| CleanupTemporaryState | \Microsoft\Windows\ApplicationData |
| DsSvcCleanup | \Microsoft\Windows\ApplicationData |
| Proxy | \Microsoft\Windows\Autochk |
| UninstallDeviceTask | \Microsoft\Windows\Bluetooth |
| ProactiveScan | \Microsoft\Windows\CHKDSK |
| Consolidator | \Microsoft\Windows\Customer Experience Improvement Program |
| KernelCeipTask | \Microsoft\Windows\Customer Experience Improvement Program |
| UsbCeip | \Microsoft\Windows\Customer Experience Improvement Program |
| Scheduled | \Microsoft\Windows\Diagnosis |
| Microsoft-Windows-DiskDiagnosticDataCollector | \Microsoft\Windows\DiskDiagnostic |
| Microsoft-Windows-DiskDiagnosticResolver | \Microsoft\Windows\DiskDiagnostic |
| Notifications | \Microsoft\Windows\Location |
| WindowsActionDialog | \Microsoft\Windows\Location |
| WinSAT | \Microsoft\Windows\Maintenance |
| MapsToastTask | \Microsoft\Windows\Maps |
| MapsUpdateTask | \Microsoft\Windows\Maps |
| MNO Metadata Parser | \Microsoft\Windows\Mobile Broadband Accounts |
| Background Synchronization | \Microsoft\Windows\Offline Files |
| Logon Synchronization | \Microsoft\Windows\Offline Files |
| AnalyzeSystem | \Microsoft\Windows\Power Efficiency Diagnostics |
| MobilityManager | \Microsoft\Windows\RAS |
| VerifyWinRE | \Microsoft\Windows\RecoveryEnvironment |
| RegIdleBackup | \Microsoft\Windows\Registry |
| IndexerAutomaticMaintenance | \Microsoft\Windows\Shell |
| SpeechModelDownloadTask | \Microsoft\Windows\Speech |
| ResolutionHost | \Microsoft\Windows\WDI |
| Windows Defender Cache Maintenance | \Microsoft\Windows\Windows Defender |
| Windows Defender Cleanup | \Microsoft\Windows\Windows Defender |
| Windows Defender Scheduled Scan | \Microsoft\Windows\Windows Defender |
| Windows Defender Verification | \Microsoft\Windows\Windows Defender |
| QueueReporting | \Microsoft\Windows\Windows Error Reporting |
| Automatic App Update | \Microsoft\Windows\WindowsUpdate |
| Scheduled Start | \Microsoft\Windows\WindowsUpdate |
| sih | \Microsoft\Windows\WindowsUpdate |
| sihboot | \Microsoft\Windows\WindowsUpdate |
| XblGameSaveTask | \Microsoft\XblGameSave |
| XblGameSaveTaskLogon | \Microsoft\XblGameSave |
| CleanupOldPerfLogs | \Microsoft\Windows\Server Manager |
| ServerManager | \Microsoft\Windows\Server Manager |
| Registry Idle Backup | \Microsoft\Windows\Windows Filtering Platform |
Remove Windows Features not required
Remove-WindowsFeature Windows-Defender, Windows-Defender-GUIWindows Features
NOTE : Only remove Windows Defender if being replaced by another Software Vendor
Registry Tweaks (OS/ICA/SMB)
| Optimisation | Setting |
| Hide VMware Tools Systray Icon
(if VMware is the hypervisor) |
HKLM\SOFTWARE\VMware, Inc.\VMware Tools “ShowTray”=dword: 00000000 |
| Disable NTFS Last Access Timestamps | HKLM\SYSTEM\CurrentControlSet\Control\FileSystem] “NtfsDisableLastAccessUpdate”=dword:00000001 |
| Disable Memory Dump Creation Do not send Administrative alert during system crash |
HKLM\SYSTEM\CurrentControlSet\Control\CrashControl] “CrashDumpEnabled”=dword:00000000 “SendAlert”=dword:00000000 |
| Increase Disk I/O Timeout to 200 Seconds |
HKLM\SYSTEM\CurrentControlSet\Services\Disk] “TimeOutValue”=dword:000000C8 |
| Disable TCP Offloading | HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters “DisableTaskOffload”=dword:00000001 |
| Hide Action Centre | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer HideSCAHealth=dword:00000001 |
| Set Service Startup time from 30 to 45 Secs | HKLM\SYSTEM\CurrentControlSet\Control “ServicesPipeTimeout”=dword:0xafc8 |
| Disable Internet Explorer First Run Wizard | HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main “DisableFirstRunCustomize”=dword:00000001 |
| Disable default system Screensaver | HKEY_USERS\.DEFAULT\ControlPanel\Desktop “ScreenSaveActive”=dword: 00000000 |
| Hide Hard Error Messages | [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows] “ErrorMode”=dword:00000002 |
| Disable Paging of Kernel | HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management] “DisablePagingExecutive”=dword:00000001 |
| Write only Errors in Spooler Warning Events |
HKLM\System\CurrentControlSet\Control\Print\Providers “EventLog”=dword:00000001 |
| Disabled CIFS Change Notificaiton | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoRemoteRecursiveEvents”=dword:0 |
| Additional Worker Thread – To Increaase I/O Performance | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive “AdditionalCriticalWorkerThreads”=dword:64 |
| Active Setup | |
| Windows Media Player 12 | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} SubPath – Delete Key |
| Microsoft Windows Media Player | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} SubPath – Delete Key |
| Microsoft Windows Media Player | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} SubPath – Delete Key |
| Themes | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} SubPath – Delete Key |
| Windows Mail | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} SubPath – Delete Key |
| Windows Desktop Update | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} SubPath – Delete Key |
| Web Platform Customization | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} SubPath – Delete Key |
| DotNetFramework | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} SubPath – Delete Key |
| IE for Admin | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} SubPath – Delete Key |
| IE for Users | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} SubPath – Delete Key |
| Windows Media Player 12 | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} SubPath – Delete Key |
| Microsoft Windows Media Player | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} SubPath – Delete Key |
| Microsoft Windows Media Player | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} SubPath – Delete Key |
| Themes | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} SubPath – Delete Key |
| Windows Mail | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} SubPath – Delete Key |
| Windows Desktop Update | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} SubPath – Delete Key |
| Web Platform Customization | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} SubPath – Delete Key |
| DotNetFramework | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} SubPath – Delete Key |
| IE for Admin | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} SubPath – Delete Key |
| IE for Users | HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} SubPath – Delete Key |
| File Explorer Lockdown | |
| Remove Quick Access from File Menu | HKCR\CLSID\{679f85cb-0220-4080-b29b-5540cc05aab6}\ShellFolder “Attributes”=dword:2690646016 |
| Applied when Optimising using PVS Target Software but also apply to Persistant Image | |
| Clear Page File at Shutdown | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management] “ClearPageFileAtShutdown”=dword:00000000 |
| Disable Defrag | HKLM\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction “Enable”=”N” |
| Disable Hibernation | HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\Power “Heuristics”=hex:05,00,00,00,00,01,00,00,00,00,00,00,00,0 0,00,00,3f,42,0f,00 |
| Disable Large Send OffLoad | HKLM\SYSTEM\CurrentControlSet\Services\BNNS\Parameters “EnableOffload”=dword:00000000 |
| Disable Machine Password Changes | HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters “DisablePasswordChange”=dword:00000001 |
| ICA | |
| TimeOut for ICA Sessions | HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-TCP “MaxDisconnectionTime”=dword:10800000 |
| SMB Tuning | |
| Directory Cache, increased to improve performance/Network when Directory when accessing Large Directories | HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters “DirectoryCacheEntriesMax”=dword:4096 |
| File Information Cache, increased to improve performance/Network when Directory when accessing Large Directories | HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters “FileNotFoundCacheEntriesMax”=dword:32768 |
| Limits number of outstanding request for a session | HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters “MaxCmds”:dword:2048 |
| Metadata info Cache, increased to improve performance/Network when Directory when accessing Large Directories | HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters “FileInfoCacheEntriesMax”=dword:32768 |
| Disable Large MTU | HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters “DisableLargeMtu”=dword:0 |
| Disable Bandwidth Throttling | HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters “DisableBandwidthThrottling” |
| Number of outstanding requests on a session | HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters”MaxMpxCt”=dword:2048 |
| Use Opportunistic Locking | HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters “UseOpportunisticLocking”=dword:0 |
| Enable Opportunistic Locking | HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters “EnableOplocks”=dword:0 |
| Number of receive buffers, or work items, the Server service is permitted to allocate at one time. | HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters “MaxWorkItems”:dword:16384 |
| Maximum number of raw work items (undivided receive buffers) that the Server service can allocate each time it runs. | HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters “MaxRawWorkItems”:dword:512 |
| Specifies how many threads is allowed to run at once, each thread allows one outstanding operation | HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters “MaxThreads”=dword:255 |
| Disable NTFS 8dot3 Name Creation | HKLM\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters “NTFSDisable8dot3NameCreation”=dword:1 |
| TCP/IP Tuning | |
| Disable Receive-Side Scaling State | netsh int tcp set global rss=disabled |
| Disable TcpAutotuning | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings “TcpAutotuning”:dword:0 |
| Disable TcpAutotuning | HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings “TcpAutotuning”:dword:0 |
| Disable TcpAutotuning | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp “TcpAutotuning”:dword:0 |
Power Option Changes:
| Optimisation | Command |
| Switch Off Hibernate | Powercfg -h off |
| Set PowerPlan to High Performance | Try { $HighPerf = powercfg -l | %{if($_.contains(“High performance”)) {$_.split()[3]}} $CurrPlan = $(powercfg -getactivescheme).split()[3] if ($CurrPlan -ne $HighPerf) {powercfg -setactive $HighPerf} } Catch { Write-Warning -Message “Unable to set power plan to high performance” } |
All the above can be found on the the script i have created can be found here WILKYIT-W2016-Optimise-Tweaks_v1.4(zip file)
Please extract all files to “C:\temp\OptimisationScript” : NOTE: This is required otherwise some element of the script will fail.
Also to get around the restrictions on WordPress rename the following:-
- RemoveQuickAccessandNetwork.txt to RemoveQuickAccessandNetwork.bat
- SetACL.txt to SetACL.exe
User Settings:
This should be applied by using Group Policy/Ivanti/WEM and set to Run-Once
| Optimisation | Registry Setting |
| Settings “Visual Effects to Custom” | [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects] “VisualFXSetting”=dword:00000003 |
| Disable “Show translucent selection rectangle” | [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ListviewAlphaSelect”=dword:00000000 |
| Disable “Show shadows under windows” | [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ListviewShadow”=dword:00000000 |
| Disable “Animate windows when minimizing and maximizing” | [HKEY_CURRENT_USER \ControlPanel\Desktop\WindowMetrics] “MinAnimate”=”0” |
| Disable “Animations in the taskbar” | [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “TaskbarAnimations”=dword:00000000 |
| Disable “Enable Peek” | [HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM] “EnableAeroPeek”=dword:00000000 |
| Disable “Save Taskbar Thumbnail Previews” | [HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM] “AlwaysHibernateThumbnails”=dword:00000000 |
| Disable “Smooth edges of screen fonts” | [HKEY_CURRENT_USER \Control Panel\Desktop] “FontSmoothing”=”0” |
| Disable the rest of the visual effects | [HKEY_CURRENT_USER \Control Panel\Desktop\] “UserPreferencesMask”=RegBin: “90,12,03,80,10,00,00,00” |
| Disable cursor blink rate | [HKEY_CURRENT_USER \Control Panel\Desktop] “CursorBlinkRate”=”-1″ |
| Reduce menu show delay | [HKEY_CURRENT_USER\ControlPanel\Desktop] MenuShowDelay”, “0” |
| Remove Non-Admins from Viewing Windows Administrative Tools | icacls “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools” /INHERITANCE:d icacls “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools” /REMOVE “EVERYONE” icacls “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools” /REMOVE “BUILTIN\USERS” |
| Remove Command Line from Start Menu\Programs\Windows System | %AppData%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk |
| Remove Admin Tools from Start Menu\Programs\Windows System | %AppData%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows Administrative Tools.lnk |
| Remove Windows Powershell from Start Menu\Programs\Windows PowerShell | %AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell |
| Remove Windows Powershell from Start Menu\Programs\Windows PowerShell | %AppData%\Microsoft\Windows\Start Menu\Programs\Windows Accessories\Windows Server Backup.lnk |
Change History:-
- 1.0 -Initial Optimisation Script
- 1.1 -Add Remove Quick Access to Compiuter Settings/User Setting
- 1.2 -Added Configuration Variables/Improvement on how script run visually.
- 1.3 – Updated typo and additional spaces
- 1.4 – Removed DSMSvc has this is required for adding printers
is this the Windows 2016 or Win 10
Appears that there is an issue using chrome to download the script, please use IE until i investigate
Even with Edge or IE I cannot download it. I get a response error.
i will have a look at it now, can you drop me your e-mail address and i’ll let you know to retest?
Further review, it is because there is a .EXE for the Set-ACL element of the script. I have tried to password protect but same issue occurs. Send me a mail on david@wilkyit.com and i’ll try and send via that.
try that again now. I have renamed the .bat & .exe to .txt to get around the wordpress restriction. When extracing files ensure that
RemoveQuickAccessandNetwork.txt is renamed RemoveQuickAccessandNetwork.bat
and
Set-ACL.txt is rename to Set-ACL.exe
Apologies for the issue, hope this resolves getting you access to the script now. Let me know
Now its working, thank you very much 🙂
Great, any feedback is welcome or improvements.
Reblogged this on Computer Services.
I’ve been running the script on a Server 2016 XenApp server and since then I cannot add network printers anymore trough control panel or the “new” settings app. The add printer or add device wizard in the control panel won’t open anymore and even my mapped network printers don’t show up anymore in the control panel or settings app, although they are listed under HKCU\printers\connections. What could be causing this??
Hi
Can you send a screenshot to me on david@wilkyit.com please. I have checked and don’t see any issues adding/discovering printers on the the lab server i have running 2016.
Cheers
David
Hi David,
when it comes to adding/discovering printers by the wizard in Windows Server 2016/2019 the issue is still there even if you use version 1.4. The wizard is in need of the “Device Association Service” that got disabled. As soon as you switch it back to manual the wizard will start as usual.
KR, Holger.
Hi,
Nice script!
Will this work on Server 2012 R2? I can test it but wondering if you already know. If so, is there a similar for that operating system?
Br,
Björn Bergström
Hi,
This would only be for server 2016. I would recommend 2012 optimisation script by George Spiers.
Cheers
David Wilkinson
Thank you! will check his script out.
With regards to “Remove Non-Admins from Viewing Windows Administrative Tools”
I found it caused an error when trying to add Applications in studio from Start Menu.
Fix was to add Network Server as per https://support.citrix.com/article/CTX214524
I used the following command.
icacls “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools” /GRANT “NT AUTHORITY\NetworkService”:(OI)(CI)(F)