Category Archives: Tips’N’Tricks

Delegate permissions for creating GPO objects in other domain

imageThe task is obviously necessary to complete on your way to implementing Role-Based Administration concept. And, to be honest, being in euphoria after quick acquaintance with AGPM I thought that it was no deal at all: give an account or a group a membership in some special groups including “Group Policy Creator Owners” and voila – you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. And moreover, you are unable to change the fact: everything is dimmed.

image

At least I don’t know a way to change the group’s scope (but I noted to myself to find out everything about it). So we won’t get this easy way. Will we retreat? No way. If we can’t add our object to the group, we can create other group and grant permission to the group directly. What permissions does have “Group Policy Creator Owners” group? As far as I know to create any GPO we need permissions in two places: Policies container in AD and Policies folder in sysvol. So let us delegate the permissions for the brand-new group “Role GP Creator Owners”:

1) in AD on Domain/System/Policies container:

image

image

image

image

I guess, “Create All Child Objects” is a bit overkill, and we can do better (just a guess), but the “Group Policy Creator Owners” group has these permissions, so we won’t do it worse.

2) now on a Policies folder:

image

image

That’ll do the job for us. At least at did for me, but still, I recommend to check it with support if you have it. I’ll definitely do that and fix the article if it needs it.

Advertisements

Too many smart-cards inserted. Good thing: no need to throw them away

image002_thumb[2]Some time ago I used to issue certificates on Aladdin (now SafeNet) eToken  smart-cards through a CA web-nterface. Occasionally it was hard to accomplish, because when I tried to do that I received the following error:

“Too many smart-cards inserted. please insert only one smart-card”

Wow! But I need two:

  • one – eToken with a certificate for enrollment
  • the second – for a new certificate

May be CA thinks that I have too much of them generally and I need throw away them? No, fortunately (they cost much when in bulk, you know) it is not the case. Moreover, there is just a simple solution to the problem: set the registry entry NoDefaultKeyContainer in HKLMSOFTWAREAladdineTokenMIDDLEWARECAPIIEXPLORE.EXE (or create one, if you don’t have it) to the DWORD value 00000000:

That always solved the problem for me.

Important Serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

%SystemRoot%System32 secrets: BITSAdmin

CLIAnother deprecated friend of mine. But I still like it, really. First of all because I haven’t still found enough time to get acquainted with all that *-BITSTransfer PowerShell comandlets. Second… Well, there is nothing for the “second”, naturally =) But still – it is a great command and I’d like to make a tribute to it with this article, because it is AWESOME! It is soooo powerful! Even though I used it usually just to be sure I would download the file regardless of network loss or whatever, it can do much more. Download or upload, retry these tasks, get some part of the file, set myriads of parameters, including authentication, use peer caching… Wow! =)

But again, usually I used it to download large files. Let’s take a look at one example.

Lets start with creating a download job:

BITSAdmin /CREATE /DOWNLOAD DownloadJob1

image

You can see that the job has been created and it has been assigned some GUID you can use later (but we’ll use it’s name in this example). Also as you can see we are being constantly notified about the command deprecation =( Let’s take a look at the job:

BITSadmin /LIST /VERBOSE

image

(Yeah, a LOT of information). Obviously, the job is currently empty (FILES: 0 / 0), so let’s add some files to it:

BITSadmin /ADDFILE DownloadJob1 <URL> <PathToSavedFile>

image

Added successfully and created a temp file already:

image

Let’s add one more:

image

and look at the second temporary file:

image

They are both of 0 bytes size yet. Now, once we have two files for our job to download, we can get more info from the job:

image

Here we can see both our files (JOB FILES) and… Can we just wait till the files get downloaded? No, because the job is not started at the moment (STATE: SUSPENDED). We need to start it and this is easy:

BITSADMIN /RESUME DownloadJob1

image

Now the job is in TRANSFERRING state, we can see how many bytes (BYTES) or files (FILES) has been transferred and so on. On this point something goes wrong and we get our network disconnected: image. Is it a problem for our downloads? Yes:

image

their state is TRANSIENT_ERROR. Should we worry about it? No, because as soon as network restores we’ll get our job QUEUD and then resumed automatically:

image

Looking at this big picture from time to time reentering /LIST command is boring, so we’ll monitor it in other way:

BITSadmin /MONITOR /REFRESH 1

image

which will refresh the state for our jobs occasionally (each 1 second in the example):

image

As soon as we get our files transferred:

image

we can just go to our download location and… Oh… Wait… What’s that?

image

The files do have appropriate size but their names… They are still temporary =( But don’t worry, just one more little step:

BITSadmin /COMPLETE downloadJob1

image

Oops. Seems like BITSadmin treats job names as case-sensitive. We should remember this, so let’s rewrite it in the correct way:

BITSadmin /COMPLETE DownloadJob1

image

Here we are! The files are here and no more job to do! I’m loving it © =)

image

Forgive me for that useless lesson: just couldn’t resist it Winking smile

If you are as amazed, as I am, here is some reading.

Do you miss your search results? Kill’em.

exchangeI’ve had one more case recently: an employee reported that his outlook wouldn’t search any item for the last three weeks or so. Rebuilding indices didn’t help and moreover he was not using cached outlook mode. Well, while my search seemed to be ok, I needed to reproduce the problem somehow, so I went nuts and removed cached mode too. Bingo! My search results were restricted by the period from the same three-weeks-ago and to the beginning of time. No results from yesterday or last week. Considering the fact that mailboxes, both the employee’s and mine were in the same storage group I decided that it was the server index who was responsible for that tragedy (do you know where is each your mail at the moment, by the way?).

How can we check if something is wrong with the index on a server? The answer was easy to find: Test-ExchangeSearch for Exchange 2010 or for 2007. Running the command for my account returned the following:

ResultFound : False
SearchTime : –1

Obviously something went wrong with index. How can we restore it? Again, easy: here is the KB which was found at no time. So I just got to my server and run the script ResetSearchIndex.ps1 for the problematic DB from Exchange folder. Of course, deleting index and recreating it gives a server hard time in terms of processor usage and IO, so I did it in non-working hours. And just in case you, like I, need to know if the index is being rebuilt or has it been rebuilt, you will need to look at a counter for the DB which you are reindexing. The counter is MSExchange Search Indices – Full Mode Crawl Status. You can track it for a particular DB or for _Total. If it is 1 then you have Full Crawl being performed. If it is 0, then crawls have stopped. And after they stopped, you can check again if you have solved your problems with search:

[PS] C:Windowssystem32>Test-ExchangeSearch domainnameusername

                            ResultFound                              SearchTime
                                     ———–                                     ———-
                                            True                                               5

I definitely did =)

The case of jammed permissions

imageOnce I got a request ticket from one of our administrators whom are delegated some permissions in their parts of AD to. The person told me that he didn’t have permissions for some accounts. Well, no problem: I investigated the issue, found that the inheritance on that record was broken and I fixed it – one checkbox and “OK” button – big deal! The next day I received another request… for the same person. The inheritance was broken again! Ok, I’m not a newbie, I even know something about adminCount, adminSDHolder and SDProp. So I went and checked if the account was a member of any of protected groups: no, it wasn’t though it had been before. So I tried several more tricks, like moving the account to another OU and back. No luck. And and that point I received another request, from other administrator with the same problem but an other account. And this other person had been domain admin before too.

Well, at this point I was almost sure, that it is because SDProp overwrites the permissions. Quick check of adminCount attribute showed that I was right: it was set to 1. After I had set it to 0 and restored inheritance to the object everything became normal. And a bit of investigation showed that when an account leaves a protected group, adminCount attribute doesn’t switch to 0. After that a bit more of investigation showed me that it is by design. In more detail read here and here. Next time, I won’t be so lazy and will trust my inner admin Winking smile

Manage your Windows 2008 R2 DNS Server from XP

Being an MS MVP involves answering questions. I don’t receive many of them, but this happens sometimes. The latest one was quite interesting. After reading my article about delegating administration of DNS one of my readers discovers that he cannot implement my solution in his environment. You see, he has got Windows XP workstation for administrators but windows Server 2008 R2 DNS servers. This configuration leads to either “access denied”, this:

image

or other errors error while trying to connect from XP DNS console to W2K8R2 DNS server.

I hadn’t ever encounter such a problem, seems like I pass it and others similar due to my habit to use new MS Windows versions from early beta stage. So, at first I thought that it can be some misconfiguration at me reader’s network, but a simple experiment showed me that I had been wrong: my freshly installed XP box wouldn’t connect to any R2 DNS servers in my network, while connecting to any 2003 was not a problem at all. To cut long story short, I have finally found a KB article at support.microsoft.com which describes the problem. Here you got it: Windows Server 2008 R2 DNS Servers can only be managed by computers running Windows Server 2008 or later.

The cause of the problem is in the fact that 2008 R2 uses more secure means of RPC communication by default. The solutions, proposed by the article are simple enough: you can either

1) manage your DNS Server locally (from console or through terminal services)

2) or reduce security level by entering the command dnscmd /config /RpcAuthLevel 0 on each server which you want to manage from Windows XP workstation.

The first method is self-explanatory: don’t get what you want at the expense of your security. The second method is less straightforward in terms of consequences. Obviously enough it makes your DNS servers less secure. What you can do to reduce impact? That’s easy:

  • use this only for one server: let AD or other means to replicate changes
  • isolate this server as much as you can. Let only your administrators’ workstations to access it via RPC (and other necessary hosts, of course, if any)

And the last option, which I like the best: upgrade your workstations to Windows 7. Get the most out of your environment =)

%SystemRoot%System32 Secrets: Auditpol

CLIThis command is very useful in case you need to fine-tune audit. For example you cannot set “Audit directory service changes” without setting “Audit directory service replication” using only GUI, because “There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories”. therefore, you need auditpol badly in case you need to set those subcategories. You also need it in order to script changes to or audit of SACL. You need it also to backup or restore those policies quickly (say you need to turn some auditing settings on for some time and turn them off later). You also can fully reset auditing policy.

Wow! While writing the text I become filled with awe. I definitely should have used it more =)

Syntax is quite excessive, so I just show you a very simple example:

image

Have fun! =)