Channel: Group Policy forum

User cant view "Administrative Templates"

Hi,

I have a small virtual network running Windows Server 2012 and a host running Windows 8.

I add a Group Policy and set Computer Configuration – “Show first sign-in animation” – Disabled.

I then view the policy with gpresult as admin, and I can see the result of the applied configuration.

Then I log on as a user and do the same, and I cannot see Administrative Templates listed in the report.

Any ideas?

Thanks

what is GPT and GPC

What are GPT and GPC? I mean, what is the difference between them, and for what purposes are GPT and GPC used?

what is difference between windows 2008 R2 GPO and GPP

What is the difference between Windows 2008 R2 GPO and GPP? When will GPP be used, and what are its advantages? Will GPP be a replacement for or an alternative to GPO?

what is item level targeting and can i know few examples

What is item level targeting, and can I see a few examples? I mean scenarios where item level targeting is used, and whether it has any connection with GPP.

Creating Group Policy to give access for installing software.


Hi, 

I have an AD on Windows Server 2012 and I have 20 users. When a user tries to install some software, it asks for admin credentials because they are not a member of Administrators. I don't want to give them admin access, but I need to give them software installation access.

PLEASE HELP ME SET THIS UP

Thanks,

Dev

please answer specific to this question

GPO loopback processing links user configuration settings to specific computers, so I have created a policy and enabled loopback processing with a few settings like screensaver, etc. My question: will loopback processing work only for this specific policy? I mean I have linked it to the computer OU only (with merge or replace settings). Will the loopback processing policy apply only to that specific policy and the settings in that policy? Please answer specifically to this question.

Windows 2008 (Not R2) Domain controller has stopped replicating to the other 2 Domain controllers


We had something (unknown) happen last week that stopped successful SYSVOL replication.

I've been going through loads of articles looking for clues after running dcdiag on all 3 servers.

This is from the master domain controller:

https://support.microsoft.com/en-us/kb/840674/
Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine ch-dc1-2k8, is a DC.
   * Connecting to directory service on server ch-dc1-2k8.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Cardiff\CH-DC1-2K8
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... CH-DC1-2K8 passed test Connectivity

Doing primary tests
   
   Testing server: Cardiff\CH-DC1-2K8
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=companyname,DC=local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=companyname,DC=local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=companyname,DC=local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         Site
         CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
         was skipped because it never had an ISTG running in it.
         Site
         CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
         was skipped because it never had an ISTG running in it.
         Site
         CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
         was skipped because it never had an ISTG running in it.
         ......................... CH-DC1-2K8 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC CH-DC1-2K8.
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=companyname,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=companyname,DC=local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=companyname,DC=local
            (Domain,Version 2)
         ......................... CH-DC1-2K8 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\CH-DC1-2K8\netlogon)
         [CH-DC1-2K8] An net use or LsaPolicy operation failed with error 67, Win32 Error 67.
         ......................... CH-DC1-2K8 failed test NetLogons
      Starting test: Advertising
         The DC CH-DC1-2K8 is advertising itself as a DC and having a DS.
         The DC CH-DC1-2K8 is advertising as an LDAP server
         The DC CH-DC1-2K8 is advertising as having a writeable directory
         The DC CH-DC1-2K8 is advertising as a Key Distribution Center
         Warning: CH-DC1-2K8 is not advertising as a time server.
         The DS CH-DC1-2K8 is advertising as a GC.
         ......................... CH-DC1-2K8 failed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
         ......................... CH-DC1-2K8 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 12100 to 1073741823
         * ch-dc1-2k8.companyname.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 10600 to 11099
         * rIDPreviousAllocationPool is 10600 to 11099
         * rIDNextRID: 10613
         ......................... CH-DC1-2K8 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC CH-DC1-2K8 on DC CH-DC1-2K8.
         * SPN found :LDAP/ch-dc1-2k8.companyname.local/companyname.local
         * SPN found :LDAP/ch-dc1-2k8.companyname.local
         * SPN found :LDAP/CH-DC1-2K8
         * SPN found :LDAP/ch-dc1-2k8.companyname.local/companyname
         * SPN found :LDAP/bfe39346-13d8-455a-a97a-2a33f9e779f5._msdcs.companyname.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/bfe39346-13d8-455a-a97a-2a33f9e779f5/companyname.local
         * SPN found :HOST/ch-dc1-2k8.companyname.local/companyname.local
         * SPN found :HOST/ch-dc1-2k8.companyname.local
         * SPN found :HOST/CH-DC1-2K8
         * SPN found :HOST/ch-dc1-2k8.companyname.local/companyname
         * SPN found :GC/ch-dc1-2k8.companyname.local/companyname.local
         ......................... CH-DC1-2K8 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... CH-DC1-2K8 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         CH-DC1-2K8 is in domain DC=companyname,DC=local
         Checking for CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local in domain DC=companyname,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local in domain CN=Configuration,DC=companyname,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... CH-DC1-2K8 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... CH-DC1-2K8 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 04/21/2015   21:42:20
            Event String: The File Replication Service is having trouble
            enabling replication from NA-DC1-2K8 to CH-DC1-2K8 for
            c:\windows\sysvol\domain using the DNS name
            na-dc1-2k8.companyname.local. FRS will keep retrying.
            Following are some of the reasons you would see this warning.
            [1] FRS can not correctly resolve the DNS name
                na-dc1-2k8.companyname.local from this computer.
            [2] FRS is not running on na-dc1-2k8.companyname.local.
            [3] The topology information in the Active Directory Domain
                Services for this replica has not yet replicated to all the
                Domain Controllers.
            This event log message will appear once per connection, After the
            problem is fixed you will see another event log message indicating
            that the connection has been established.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 04/22/2015   01:54:49
            Event String: The File Replication Service is having trouble
            enabling replication from CH-DC2-2K8 to CH-DC1-2K8 for
            c:\windows\sysvol\domain using the DNS name
            ch-dc2-2k8.companyname.local. FRS will keep retrying.
            Following are some of the reasons you would see this warning.
            [1] FRS can not correctly resolve the DNS name
                ch-dc2-2k8.companyname.local from this computer.
            [2] FRS is not running on ch-dc2-2k8.companyname.local.
            [3] The topology information in the Active Directory Domain
                Services for this replica has not yet replicated to all the
                Domain Controllers.
            This event log message will appear once per connection, After the
            problem is fixed you will see another event log message indicating
            that the connection has been established.
         ......................... CH-DC1-2K8 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... CH-DC1-2K8 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/22/2015   07:16:20
            Event String: The Kerberos client received a KRB_AP_ERR_MODIFIED
            error from the server Administrator. The target name used was
            companyname\CH-DC2-2K8$. This indicates that the target server
            failed to decrypt the ticket provided by the client. This can occur
            when the target server principal name (SPN) is registered on an
            account other than the account the target service is using. Please
            ensure that the target SPN is registered on, and only registered
            on, the account used by the server. This error can also happen when
            the target service is using a different password for the target
            service account than what the Kerberos Key Distribution Center
            (KDC) has for the target service account. Please ensure that the
            service on the server and the KDC are both updated to use the
            current password. If the server name is not fully qualified, and
            the target domain (companyname.LOCAL) is different from the client
            domain (companyname.LOCAL), check if there are identically named
            server accounts in these two domains, or use the fully-qualified
            name to identify the server.
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/22/2015   07:16:20
            Event String: The Kerberos client received a KRB_AP_ERR_MODIFIED
            error from the server administrator. The target name used was
            companyname\NA-DC1-2K8$. This indicates that the target server
            failed to decrypt the ticket provided by the client. This can occur
            when the target server principal name (SPN) is registered on an
            account other than the account the target service is using. Please
            ensure that the target SPN is registered on, and only registered
            on, the account used by the server. This error can also happen when
            the target service is using a different password for the target
            service account than what the Kerberos Key Distribution Center
            (KDC) has for the target service account. Please ensure that the
            service on the server and the KDC are both updated to use the
            current password. If the server name is not fully qualified, and
            the target domain (companyname.LOCAL) is different from the client
            domain (companyname.LOCAL), check if there are identically named
            server accounts in these two domains, or use the fully-qualified
            name to identify the server.
         ......................... CH-DC1-2K8 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local and
         backlink on
         CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=CH-DC1-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
         and backlink on
         CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local are
         correct.
         The system object reference (serverReferenceBL)
         CN=CH-DC1-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
         and backlink on
         CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
         are correct.
         ......................... CH-DC1-2K8 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : companyname
      Starting test: CrossRefValidation
         ......................... companyname passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... companyname passed test CheckSDRefDom
   
   Running enterprise tests on : companyname.local
      Starting test: Intersite
         Skipping site Cardiff, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site Edinburgh, this site is outside the scope provided by
         the command line arguments provided.
         Skipping site London, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site Belfast, this site is outside the scope provided by the
         command line arguments provided.
         ......................... companyname.local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\ch-dc1-2k8.companyname.local
         Locator Flags: 0xe00011bd
         PDC Name: \\ch-dc1-2k8.companyname.local
         Locator Flags: 0xe00011bd
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         KDC Name: \\ch-dc1-2k8.companyname.local
         Locator Flags: 0xe00011bd
         ......................... companyname.local failed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
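A triage helper for a dump like the one above, added here as an example and not part of the original post or of dcdiag itself: it collects each test's pass/fail status and the Warning/Error events dcdiag listed under it, so the failing tests (NetLogons, frsevent, systemlog, FsmoCheck) and their Event Viewer IDs can be read at a glance. The embedded sample is a constructed excerpt modelled on the output above; the parser also reads a saved dcdiag log given on the command line.

```python
"""Triage helper for dcdiag output: failed tests and the events logged under them."""
import re
from dataclasses import dataclass, field

START_RE = re.compile(r"^\s*Starting test: (\S+)")
RESULT_RE = re.compile(r"^\s*\.+ (\S+) (passed|failed) test (\S+)")
EVENT_RE = re.compile(r"^\s*An? (Warning|Error) Event occured\.\s+EventID: (0x[0-9A-Fa-f]+)")
TIME_RE = re.compile(r"^\s*Time Generated: (\S+)\s+(\S+)")


@dataclass
class DcdiagEvent:
    test: str        # dcdiag test the event was reported under (frsevent, systemlog, ...)
    level: str       # "Warning" or "Error"
    event_id: int    # full id exactly as dcdiag prints it
    time: str

    @property
    def viewer_id(self) -> int:
        # Event Viewer shows only the low 16 bits: 0x800034C4 -> 13508 (NtFrs),
        # 0x40000004 -> 4 (Kerberos KRB_AP_ERR_MODIFIED).
        return self.event_id & 0xFFFF


@dataclass
class DcdiagReport:
    results: dict = field(default_factory=dict)   # (target, test) -> "passed" | "failed"
    events: list = field(default_factory=list)

    def failed_tests(self) -> list:
        return sorted(test for (_target, test), r in self.results.items() if r == "failed")

    def events_for(self, test: str) -> list:
        return [e for e in self.events if e.test == test]


def parse_dcdiag(text: str) -> DcdiagReport:
    """Walk the dump line by line; an EventID line is paired with the next Time Generated."""
    report = DcdiagReport()
    current_test = None
    pending = None          # (level, event_id) waiting for its timestamp
    for line in text.splitlines():
        if m := START_RE.match(line):
            current_test = m.group(1)
        elif m := EVENT_RE.match(line):
            pending = (m.group(1), int(m.group(2), 16))
        elif (m := TIME_RE.match(line)) and pending:
            report.events.append(DcdiagEvent(current_test, *pending, f"{m.group(1)} {m.group(2)}"))
            pending = None
        elif m := RESULT_RE.match(line):
            report.results[(m.group(1), m.group(3))] = m.group(2)
    return report


# Constructed excerpt in the shape of the dcdiag output quoted in the post.
SAMPLE = r"""
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\CH-DC1-2K8\netlogon)
         ......................... CH-DC1-2K8 failed test NetLogons
      Starting test: frsevent
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 04/21/2015   21:42:20
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 04/22/2015   01:54:49
         ......................... CH-DC1-2K8 failed test frsevent
      Starting test: kccevent
         ......................... CH-DC1-2K8 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 04/22/2015   07:16:20
         ......................... CH-DC1-2K8 failed test systemlog
      Starting test: FsmoCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         ......................... companyname.local failed test FsmoCheck
"""

if __name__ == "__main__":
    import sys
    # Pass a saved "dcdiag > log.txt" as the first argument, otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    rep = parse_dcdiag(text)
    for test in rep.failed_tests():
        evs = ", ".join(f"{e.level} {e.viewer_id} @ {e.time}" for e in rep.events_for(test))
        print(f"FAILED {test}: {evs or 'no events captured'}")
```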


Security filter against AD groups. When you add a computer, does it need to reboot to fall into scope.


This should be an easy one. I have a 2008 R2 domain. When I add a computer to an AD security group, so it will get targeted by a GPO that has that same group in its security filter, does the computer need to reboot to start processing any part of that policy? It has always seemed that computers need a reboot to pick up their group memberships, but I wanted to double-check.


Dave



Change the Windows theme with a Windows batch file


I had no idea where to put this...

I have been tasked with writing a Windows batch file to alter the theme to Windows Classic for all users on a domain.

It will be preferred if I use a registry change key to achieve this.

I have identified the root of the registry key: HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\THEMES and then alternate between the folders DefaultVisualStyleOff and DefaultVisualStyleOn.

And that's as far as I've got. I can use command prompt to look up my IP or browse a directory, but I have never used it for something as complex as.... anything to do with the registry.

I don't even know how to start!

What's more, I get bonus points if I can also get the batch file to switch Windows visual effects to 'Adjust for best performance', and double bonus points if I can make the visual effects a custom setting with nothing but 'Smooth edges of screen fonts' ticked.

Can anyone help?!


User Preferences not applying until 2nd logon


We are experiencing a weird issue with new users logging onto our Windows 7 clients.

Some computers have had a number of settings applied to the default user profile and also some settings applied via User Group Policy Preferences.

When a new user logs in, the new .V2 profile is created and applies many of our Default User settings; however, none of our Preferences have applied. A logoff and log back on is required to get the preferences to apply. This is frustrating because we would like to apply the setting "Apply once and do not reapply", and if this is selected the system believes the Preferences have applied (which they don't) and will not try again.

Has this been seen before?

Are there any policies that could be applied to force down User Group Policy settings at first logon?

Thanks


Lee Bowman MCITP MCTS

ActiveX UAC and Proxy Settings via GPO


Hi there,

Wondering if anyone can help.

I am experiencing the following issue when trying to load an ActiveX control without UAC prompts for standard users.

I have:

Configured the ActiveX Installer Service and configured allowed sites and settings via GPO.

Configured IE Security settings for the Trusted Zone to Allow ActiveX content to run via GPO.

Configured IE to use per user proxy settings via GPO.

Allowed the domain in our proxy and bypassed authentication for that domain.

Everything seems to be in place, but I receive a UAC prompt for the Internet Explorer Add-on Installer UNLESS I either turn off the IE proxy settings or add the domain to the IE proxy exclusions list.

Unfortunately neither of these is an option in our environment.

Anything I've missed?

Thanks!

auto logoff users


Guys,

Is it possible to create a policy that is able to log users off from the network when they lock their computer?

How to disable the Open File Location from the right click menu in windows task manager in Server 2008 R2?


Basically I am attempting to lock down a Remote Desktop Session Host. I want my users to be able to kill processes via the Task Manager, but I don't want them to access the C drive. I can prevent access to the C drive via Group Policy. I would prefer that the option to open file location not be available from the Task Manager.

I have been looking for a registry key all day and found many references about how to add this feature to Windows XP workstations. Reversing this process on the Windows 2008 R2 server has not helped me accomplish my goal. I hope this is possible.

How can I grant Read Only access to server drives via Group Policy?


We have a group in AD called "Developers". We want to give that group access to all of our "QA" servers, but not to remote in, and only with read-only access.

So a developer should be able to go to \\qaserver\c$ and see what's in that and all subfolders, but not be able to modify anything or remote into the machine itself.

I don't know if there's a built in group that can do this or if I'll have to create something from scratch.

Thanks for any advice.

Server 2012 R2 - Unable to disable IE11 ESC for regular users


I'm attempting to troubleshoot an issue with an Amazon Web Services hosted Server 2012 R2 environment.

It is used as a terminal server by multiple users.
This server is also running Active Directory.
An application that the users run via RemoteApp is being affected by IE Enhanced Security in IE11.

The application runs fine for Administrator accounts with ESC disabled.
With ESC enabled part of it is blocked and fails to display.

Attempts have been made to disable ESC, and according to the GUI and registry keys it should be disabled.
However, logging in as a regular user account, IE11 still reports ESC as being ENABLED.

I have searched through many potential fixes via Google and have yet to discover why this is occurring.
90% of the articles just point to the settings in Local Server and advise to turn off the settings for Administrators and Users.

This is what I see on the server:

GUI settings in Local Server: Enhanced Security Configuration: Off
In the pop up window - 
Administrators: Off
Users: Off

When launching IE11:

IE11 for Domain Admin users: Caution: Internet Explorer Enhanced Security Configuration is not enabled
IE11 for Domain Users: Internet Explorer Enhanced Security Configuration is enabled

I have checked the following registry entries, which both show a value of 0 as expected from what is set in the GUI options. I also found a support thread for Server 2012 (not R2) where it was suggested to delete the user key for IsInstalled completely, which seemed to make no difference in my case.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled

I've also tried manually setting the security zone values via gpedit for both computer or user section, again no difference.

It's as if something is overriding the local policy for domain users.

I believe if the embedded site address is added as a trusted site it may also accomplish the same goal here, however as NONE of the policy changes I have attempted have had any impact in my testing I have no idea how to set this for the domain users group either.

Can anyone offer any suggestions on how to proceed with solving this issue?

EDIT: I was able to test adding the location as a trusted site and still no dice; it appears ESC is still blocking something that is necessary and needs to be disabled.

Cheers,
Mark.





Windows 8.1 Group Policies For Internet Connection Sharing?


Are there any more detailed policies available other than simply allowing or blocking Internet Connection Sharing?

I need to find out if there are policies that allow management of Internet Connection Sharing. For instance, we would like to allow ICS, but control it so that it cannot be set up by the user in an unsafe manner.

We would like to either set the PSK password in advance or at least disallow weak ICS WPA passwords.  It would also be a good idea if we could set up ICS so that only domain joined computers from our domain could join the ICS session from another computer on our domain or else disallow direct access and file sharing between the ICS host and the guests joining the ICS network.

Can these types of things be managed via group policy?

Removing User Admin Rights


I am currently assisting in managing a domain of 3-4,000 users. All of our users have administrative privileges on their machines. We are looking into several different ways of removing these administrative rights, for obvious security reasons.

I have read about privilege management software like Avecto, but it would be great if we could utilize something like Restricted Groups in Active Directory or SCCM 2012 R2 to achieve this somehow.

I read about Restricted Groups here:

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html

I am wondering if we can achieve this by deploying these Restricted Groups GPOs. I understand that these GPOs are linked to computer accounts, though, and I am under the impression that I can restrict adding accounts to the admin group and explicitly allow other accounts.

Our AD functional level is 2008 R2 and 99% of our workstations are running Win7 32-bit. Has anyone had any experience removing user administrative rights without purchasing third-party software?

Automatic PushDown of ScreenSaver / WallPaper


Hi Windows Server Expert,

We are using Windows Server 2008 R2 in our company. We would like to have a Group Policy to push down the wallpaper or screensaver for each user that logs in to our domain's computers. That means when a user logs in to any of the computers, the wallpaper or screensaver will be pushed down automatically to their profile. Please advise.

Thanks.


Local Administrator Password on all workstations across domain


Hi all,

I have 500 workstations in my domain. I want to apply a Group Policy to achieve the following, only for workstations (servers excluded):

1. No one from the domain can change the local administrator account password except Domain Administrators, Desktop Support Technicians.

-tfernandes

Scheduled updating of a GPO via PS. Is it possible?

Hello everyone! Is there any way to schedule an update of a GPO? I've deployed a software installation policy, so I need some mechanism which will check a location for new versions and add them to the policy.