Auto enrollment issue - in AD user object certificate is missing

Similar Messages

• Expired AD User Object certificate

  We have an expired certificate under Active Directory User Object > Certificates.
  Can someone please tell me to renew or re-create this certificate?

  Hi,
  We cannot renew expired certificate, you can request a new certificate instead.
  If you are using enterprise CA, you can refer to this article below to request a new certificate:
  Request a Certificate
  http://technet.microsoft.com/en-us/library/cc730689.aspx
  For stand-alone CA:
  How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
  http://technet.microsoft.com/en-us/library/bb735417.aspx
  How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA
  http://technet.microsoft.com/en-us/library/hh467905.aspx
  Best Regards,
  Amy

• Domain Controller Auto-Enrollment Issue

  I recently noticed one of our domain controllers is not auto enrolling its Domain Controller certificate with our AD CS server. 
  We have 2 DC's and one auto-enrolls just fine and the other one doesn't. The one that auto-enrolls fine is a Server 2008 R2 domain controller and the one that doesn't is a Server 2012 R2 domain controller (the schema has been updated to accommodate this
  domain controller). The CA is on the Server 2008 R2 DC (I noticed this issue as I am planning on migrating off the CA from the DC to its own dedicated DC). 
  I see three errors in the event log:
  Event ID 6: Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
  Event ID 13: Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from DC
  FQDN\CA Name (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
  Event ID 82: Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {61B8511A-9BFE-46A8-90D5-FB1709DADB2D} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
  Failed to enroll for template: DomainController
  In a packet capture, I am seeing this error: Expert Info (Note/Response): Fault: nca_s_fault_access_denied
  I did notice the "Certificate Service DCOM Access" group had no members, so I added the Authenticated Users group into it (I have a newly stood up development domain and notice Authenticated Users was in this group by default). Still not having
  any success. I tried stopping the CA service and starting it up after this group change and had no success either. I haven't rebooted any of the servers yet...didn't think I needed too. 
  I tried the "certutil -config - -ping" command and it found the proper CA and once I selected it, I was able to connect to the CA just fine and says its alive. 
  Not to sure where to look at from here as I am out of ideas. 

  Ok I got this working, but not sure what finally kicked it in.
  I followed this article first: http://support.microsoft.com/kb/947237 After performing what that article mentions, I still had the same errors.  It only mentions Vista, so didn't think it applied. Not entirely sure what the certutil
  -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG does. I think it added permissions to my DCOM COM Security for Access and Launch/Activation permissions? 
  Initially testing this, it failed with the same errors. After a few minutes, I tried again to see if the packet capture was showing the same authentication error, and it finally succeeded. 

• Anyconnect SCEP Auto-enrollment Issue

  Hello Everyone,
  I have been trying to configure cisco`s any connect client with SCEP Auto-enrollment with no success. I followed all the steps necessary to complete the configuration but still no success. What happens to me is, enrollment happens fine, certificate is downloaded according to what it should be but when I try to use it to authenticate and connect to my VPN it seems the certificate is not valid and not forwarded to the ASA, every time I reconnect the Anyconnect enrolls me to a new certificate, which means that if I repeat the process a 1000 times I`ll most likely have 1000 new certificates. Being trying for a while now and nothing seems to work with it. Can anyone tell me anything that could help me?
  I am using windows 2k12 with NDES module installed, the certificate template being used is a custom IPSEC Offline request template, the asa sends the enrollment request according to what it should be and the enrollment happens fine, the problem is that I cannot match the certificate for some reason.
  Anyone that can help me?

  Scep-proxy was not integrated into the ASA until 8.4
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_certs.html#wp1318578
  If you want to do legacy scep, this should work.  Your Anyconnect version is ok, but we always suggest the latest in the 3.0/3.1 line for the most up-to-date bug fixes.

• Linux NSS DB Issue with Personal User/Client Certificate Friendly Names.

  I have an issue with the NSSDB lib and my browsers in which client certificates I use for an application (Nessus Vulnerability Scanner) show up in the list with the same friendly name/nickname, making it very difficult to distinguish which certificate goes with which server.
  Each certificate is generated on a different server with a different hostname but the same username. Upon importing the certificate into my browser, or even the pk12util command, the first certificate will appear correctly. However, importing additional certificates will just reuse the nickname from the first certificate instead of the nickname I chose. I have tested many different scenarios, and it doesn't seem the problem is related at all to the content of the nickname, so I have no idea how to force it to work correctly. I've searched around and found some indications of "nickname conflicts" and things, but nothing that helps me resolve the issue. I'm not sure if it's a bug or if it's some weird condition I've encountered.

  Maybe try to ask on the mozilla.dev.tech.crypto news group.
  *https://developer.mozilla.org/en-US/docs/NSS
  *news://news.mozilla.org/mozilla.dev.tech.crypto
  *http://groups.google.com/group/mozilla.dev.tech.crypto

• Problems with auto-enroll with the certificate expiration

  Hello,
  we have routers that work with certificates. We have problems with the auto-enroll when the certificates go to expire.
  ?Can somebody help?
  I can send mor debug o configurations.
  We attach a debug.
  Very thanks

  Hello,
  I attach the debug.
  Very thanks

• Re-enrollment issue

  We are upgrading the clients to Windows 8.1 with SCCM 2012 and are experience a strange issue with users and computers certificates,
  the clients both consist of laptops, desktops and hybrids (Lenovo Tablet) and the only client that experiences this problems is the laptop.
  There active directory is running windows server 2003 as does the certificate authority with a two tier.
  When the client first deploys and goes through the task sequence they both get the certificates installed, user certificate and computer
  certificate.  However during and redeployment of the client were, I suspect, when an certificated already have been issued it can't reenroll once more, except when enforcing it with certutil –pulse in which the certificates gets installed.
  As the auto enrollment have worked fine with Windows XP clients, but also works with the desktops and hybrid I have no idée to fix this.
  I have looked through the certificate authority and controlled all the settings, but I don’t suspect the CA is the issue here since it can reenroll, just on other clients when they are redeployed.
  In the CA I can read this error in the event viewer; but the error doesn’t get any more specific.
  "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not
  have permission to request this type of certificate"
  Why this does only happened to laptops and not the desktops/hybrids? There is no difference between them either in AD or in CA, not
  in the task sequence either if someone interested in that, just different standard applications and drivers.
  Why does the command certutil -pulse work on the contrary to GPO?
   Is this issue even a problem that related to the certificate authority?

  I'm actually seeing the same issue here for my Windows 8.1 workstations. Until Windows 8 the autoenrollment policies have not been a problem. The client certificates are needed for the automatic client enrollment in System Center Configuration Manager. Until
  now I've checked if the group policies were applied well. Results of the get-certificateautoenrollmentpolicy are:
  PS C:\Users\administrator> Get-CertificateAutoEnrollmentPolicy -context machine -scope applied
  PolicyState                : Enabled
  EnableMyStoreManagement    : True
  EnableTemplateCheck        : True
  ExpirationPercentage       : 10
  StoreName                  : {MY}
  EnableBalloonNotifications : False
  So it looks like the policy is being applied.
  When rebooting or manually updating the policies with gpupdate no certificate is enrolled. When I use the certutil -pulse command however i receive a certificate without any problems. I've been testing with your suggestion to change the permissions
  on the template (giving authenticated users enroll permissions as well) but this doesn't change anything. 
  We're using a Server 2008 R2 CA
  Did you get any further with this?

• Creating a security group for S/Mime cert auto-enrolment

  We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
  I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
  I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
  add-module activedirectoryGet-ADGroup -filter {name -eq "SMime Users"} | ForEach-Object {dsget group -members $_.distinguishedname | dsmod group $_.distinguishedname -rmmbr}Get-ADUser -filter {emailaddress -like "*"} | ForEach-Object {Add-ADGroupMember "SMime Users" -Members $_.SamAccountName}
  Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?

  On Thu, 6 Feb 2014 19:20:37 +0000, Alen Williams wrote:
  We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
  I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
  I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
  add-module activedirectoryGet-ADGroup -filter {name -eq "SMime Users"} | ForEach-Object {dsget group -members $_.distinguishedname | dsmod group $_.distinguishedname -rmmbr}Get-ADUser -filter {emailaddress -like "*"} | ForEach-Object {Add-ADGroupMember "SMime Users" -Members $_.SamAccountName}
  Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?
  Although this group is going to be used for certificate enrollment this
  really isn't the right forum for your question. You should repost to either
  an Active Directory forum or to one dedicated to scripting or Powershell.
  Paul Adare - FIM CM MVP
  urbi et IP -- axelm in <mode=pope>

• SQL Connection Failed for SCCM 2012 R2 (Unable to load user-specified certificate)

  We've recently completed an upgrade from SCCM 2012 SP1 to 2012 R2 and have been running in the new environment for about a week. As of this morning, The consoles failed to connect to the CAS' and one of the Primary Site's database. The issue was resolved
  easily enough by addressing a certificate issue in SQL, but I'm left wondering if there's a correlation between the SP1-to-R2 upgrade that would cause the cert to fail. Anyone have experience with this?
  2014-01-21 22:10:11.81 Server      The server could not load the certificate it needs to initiate an SSL connection. It returned the following error: 0x8009030d. Check certificates to make sure they are valid.
  2014-01-21 22:10:11.81 Server      Error: 26014, Severity: 16, State: 1.
  2014-01-21 22:10:11.81 Server      Unable to load user-specified certificate [Cert Hash(sha1) "haaaaassssshhhh"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See
  "Configuring Certificate for Use by SSL" in Books Online.
  2014-01-21 22:10:11.81 Server      Error: 17182, Severity: 16, State: 1.
  2014-01-21 22:10:11.81 Server      TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
  2014-01-21 22:10:11.81 Server      Error: 17182, Severity: 16, State: 1.
  2014-01-21 22:10:11.81 Server      TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
  2014-01-21 22:10:11.81 Server      Error: 17826, Severity: 18, State: 3.
  2014-01-21 22:10:11.81 Server      Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
  2014-01-21 22:10:11.81 Server      Error: 17120, Severity: 16, State: 1.
  2014-01-21 22:10:11.81 Server      SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

  We got the same certificate related error events after a fresh install of SCCM 2012 R2 on a new server. It happened during the first reboot after SCCM was installed. In the Certificates mmc, I right-clicked on the certificate used by SQL and chose Manage
  Private Keys. Giving the service account that runs the MSSQLSERVER service read rights to the private key allowed SQL to start. However, after a day or so we rebooted the server again, and SQL wouldn't start. Something had removed the service account's read
  permission. Since the SCCM configuration wasn't that far along, we uninstalled SCCM. After giving the service account read rights again, and rebooting several times over a few days, and SQL started every time. We then installed SCCM 2012 R2 again, and checked
  the certificate's permissions before rebooting. The service account still had read permissions when the install completed, but as soon as the server was rebooted, it lost the permissions again.
  The Certificates mmc was then used to request a second computer certificate and then SQL was configured to use that new certificate via SQL Server Configuration Manager. After several days and a number of reboots the SQL services have started normally every
  time so the second certificate seems to have fixed the issue. I have kept the original certificate for fear that removing it will cause whatever part of SCCM 2012 R2 that modifies the original certificate to start removing permissions from the new certificate
  as well.

• System Copy -- database PRR conains user object belongs to system user dbo

  Hi all,
  I am having an issue while performing the system copy for the sql server.
  Actions taken so far.
  1.Detached the database.
  2.Installed central instance in the target system .
  3.Attached the database using attach as option.
  4.Then used STM coll for the conversion.
  5.Bought sap in Up condition.
  Before detaching the database made export for java addin abap in source system
  Then I am trying to import the java add in abap using sapinst(system copy option)..In the half of the way i am getting the below message as ..
  DATABASE QAS containus user object belongs to system user dbo.
  I have performed the 551915 , 151603 but the still the same message is dispalying.
  In log files.  inserting
  TRACE [iaxxejsexp.cpp:208]
  EJS_Installer::writeTraceToLogBook()
  - Database XIA contains user objects belonging to system user dbo
  TRACE [iaxxbjsmod.cpp:301]
  CJSlibModule::showMessageBox_impl()
  <html> <head></head> <body> <b>Problems were found after checking configuration of database server b><br>- Database XIA contains user objects belonging to system user dbo<br><br>SOLUTION: Fix these problems to continue the installation. </body> </html>
  TRACE [iaxxgenimp.cpp:845]
  showDialog()
  waiting for an answer from gui
  TRACE [iaxxdlghnd.cpp:180]
  CDialogHandler::doHandleDoc()
  ACTION_OK received
  ERROR 2009-01-09 12:52:31 [iaxxinscbk.cpp:289]
  abortInstallation
  MDB-05919 Errors were found when checking connection to or configuration of database server (listed above in the log file).
  TRACE [iaxxejsbas.hpp:270]
  EJS_Base::dispatchFunctionCall()
  JS Callback has thrown std::ESAPinstException: ESAPinstException: error text undefined
  TRACE [syxxcfsmgt.cpp:430]
  CSyFileSystemMgtImpl::getFile(iastring,bool)
  lib=iamodmssql module=CIaNtMssDmo
  WARNING: THE FUNCTIONALITY YOU ARE USING IS DEPRECATED: getFile(const iastring & sFullName, bool bCaseSensitive) const. Use getFile(const PSyFSPath &) const instead.
  TRACE [syxxcfsmgt.cpp:195]
  CSyFileSystemMgtImpl::getNode(iastring,bool)
  lib=iamodmssql module=CIaNtMssDmo
  WARNING: THE FUNCTIONALITY YOU ARE USING IS DEPRECATED: getNode(const iastring & sFullName, bool bCaseSensitive) const. Use getNode(const PSyFSPath &) const instead.
  TRACE [syxxcfsmgt.cpp:921]
  CSyFileSystemMgtImpl::isExisting(iastring,bool)
  lib=iamodmssql module=CIaNtMssDmo
  WARNING: THE FUNCTIONALITY YOU ARE USING IS DEPRECATED: CSyFileSystemMgtImpl::isExisting(const iastring & , bool , ISyNode::eNodeType ) const. Use CSyFileSystemMgtImpl::isExisting(const CSyPath & , ISyNode::eNodeType ) const instead.
  WARNING 2009-01-09 12:52:31 [iaxxccntrl.cpp:477]
  CController::stepExecuted()
  The step dSetActionUnattended with step key J2EE_EngineEnterprise_Addin_OneHost|ind|ind|ind|WebAS|630|0|J2EE_EngineEnterpriseDialogs|ind|ind|ind|WebAS|630|0|J2EE_Engine|ind|ind|ind|J2EE_Engine|630|0|MssJ2eeDBSetup|ind|ind|ind|ind|ind|0|MssDatabaseInfo|ind|ind|ind|ind|ind|0|dSetActionUnattended was executed with status ERROR.
  TRACE [iaxxcsihlp.hpp:301]
  main()
  An error occurred during the installation of component SAP NetWeaver '04 SR1> SAP System Installation> Java Add-In for ABAP> MS SQL Server> Central / Distributed System> Java System Finalization. Press the log view button to get extended error information or press OK to terminate the installation. Log files are written to SAP NetWeaver '04 SR1> SAP System Installation> Java Add-In for ABAP> MS SQL Server> Central / Distributed System> Java System Finalization.
  TRACE [iaxxgenimp.cpp:845]
  showDialog()
  waiting for an answer from gui
  TRACE [iaxxdlghnd.cpp:180]
  CDialogHandler::doHandleDoc()
  ACTION_OK received
  WARNING 2009-01-09 12:52:33 [iaxxcsihlp.hpp:250]
  main()
  An error occurred during the installation.
  Regadrs
  Vijay

  Hi,
  what do you get executing this statement:
  use <SID>
  go
  select * from sys.objects where schema_id =
  (select schema_id from sys.schemas where name = 'dbo')
  go
  Sven

• Mac Enrollment Issue on SCCM 2012 SP1

  Hi Guys,
  I am working on Mac enrollment(10.7) and facing issue during enrollment. Below is the error message when we try to run the enrollment command on Mac :
  “Server connection failed. HTTP Response code is 500 and reason is Internal Server Error"
  Below are Log info:
  Enrollsrv.log : No error message is highlighted.
  Enrollweb.log:
  No error message is highlighted.
  Enrollservice.log:
  [7, PID:7304][10/28/2013 16:40:03] :ConfigManager: ChainStatus error: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
  ;OfflineRevocation,The revocation function was unable to check revocation because the revocation server was offline.
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
     at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
  [7, PID:7304][10/28/2013 16:40:03] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed
  [13, PID:7304][10/28/2013 17:11:01] :EnrollmentService application stop ...
  [3, PID:956][10/28/2013 17:45:37] :EnrollmentService application start ...
  [3, PID:956][10/28/2013 18:06:38] :EnrollmentService application stop ...
  [3, PID:4700][10/28/2013 18:45:39] :EnrollmentService application start ...
  [7, PID:4700][10/28/2013 19:06:40] :EnrollmentService application stop ...
  [3, PID:5872][10/28/2013 19:45:42] :EnrollmentService application start ...
  [13, PID:5872][10/28/2013 20:06:42] :EnrollmentService application stop ...
  Can someone shed info on resolution of the above issue?
  Also, is there any means by which we can troubleshoot the Mac enrollment issue step by step? Also what entries needs to be checked in all logs for successful enrollment?

  the following links may give you some hints:
  http://social.technet.microsoft.com/Forums/en-US/48bc7fcc-3d84-4042-abac-67f30d701121/mac-enrollment-issue?forum=configmanagerdeployment
  http://www.windows-noob.com/forums/index.php?/topic/7391-mac-enrollment-issue/

• Regarding accessing SQL query issued by any user in Oracle 10g

  Hi all,
  i want to know the queries issued by various users accessing a database...
  But the in view DBA_AUDIT_TRAIL,I was getting empty value...(in SQLTEXT column) ...how can i get this value...
  Thanx
  in advance..

  Straight from the documentation :
  The SQL_BIND and SQL_TEXT columns are only populated if the AUDIT_TRAIL initialization parameter is set to db,extended.In addition, you have to make sure you issued the AUDIT command on the objects you would like to AUDIT access on.
  [Configuring and Administering Auditing|http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cfgaudit.htm]

• User object not getting created in IdM8.1.1(Oracle Waveset)

  Hi,
  I am trying to create user object in IdM8.1.1 using com.waveset.provision.workflowServices
  but giving the following error - java.lang.NullPointerException at com.waveset.provision.WorkflowServices.convertView.
  Code Snippet causing the error:
  <Action id='0' process='Provision'>
  <Argument name='accountId' value='$(accountId)'/>
  <Argument name='user' value='$(user)'/>
  <Argument name='op' value='$(op)'/>
  <Argument name='options' value='$(options)'/>
  <Return from='userCreated' to='userCreated'/>
  </Action>
  But the same code is working fine in IdM7.0 & IdM8.1.
  Please help me in solving this issue.

  If you are not using user form and instead launching a custom workflow then probably the view is null because you do not get or checkout the view.
  Regards
  Vivek Kumar

• Should I spend the $280.00 to have Canon fix my 70D auto-focusing issue?

  Should I spend the $280.00 to have Canon fix my 70D auto-focusing issue? Or just return back to my very much trusted Rebels?
  Solved!
  Go to Solution.

  MelekalsCanon wrote:
  Very much appreciate your taking time to send a response. As a new user I wasn't sure if anyone would bother. Allow me to add a little more to my first post. I fit in that niche between amateur and a person with clients. For over 10 years I have covered events for a non-profit agency capturing the look and feel of 20+ events per year and was given permission to purchase a few cameras over the year. My decision from the beginning was to use the Canon Rebel. Images were spot on and only once did I have an issue with one of them (after shooting outside events in 105 degree temps for 3 days).
  So, when I retired a year ago it was for me a pretty simple choice to get a Canon for myself - especially since at that time the 70D was on the cover of magazines and was very highly touted. I also did a lot of desktop publishing and photo editing which helped me realize I wanted the best sensor, sharpness, resolution and lens I could afford - the 70D. My post was actually a result of reading many online responses including your very informative replies about the 70D focusing issues. My biggest concern is that I will spend several hundred dollars and maybe, just maybe get back a camera which captures better focused images, but still not as sharp as the lower end Rebels I was using. I had hoped to purchase my first "L" lens and really get excited - not repair the most expensive camera I've bought to date.
  Thanks again and before it gets noted by someone...yes, I should have pushed this issue sooner and then at least the warranty would have covered the cost. An expensivve lesson learned. But I will have to add that at least one authorized Canon repair dealer told me they have had several folks feel like I did - that it was the photographer/me as a new user having the issue and not the camera. I now know it's my camera.
  Let me clarify that I don't own a 70D, so anything I say about it is from watching what others have said, mainly in this forum. But it is disconcerting to see so much complaint about a camera that's supposed to have an innovative focusing system. One is strongly tempted to suspect that they went overboard in trying to make the camera serve both still  photographers and videographers.
  That said, I'm not a great fan of the Rebel line, because they lack autofocus microadjustment and I have at least one otherwise excellent Canon lens that would be useless without it. (The 70D does have AFMA, a point in its favor.)
  As far as spending the $280 for the repair, I understand why it's a hard call. If I were in your shoes and were convinced that Canon understands the issue and would fix it correctly and permanently, I guess I'd go for it. If you don't think they do, but fell that you need something a cut above the Rebels, this may be a good time to buy a leftover or refurbished 7D. Even though I now have a 5D3, I still use my 7D's a fair amount and have been very happy with them. And the 7D2 has gotten such a favorable reception that's it's almost bound to make more 7D's available at a decent price.
  Bob
  Boston, Massachusetts USA

• Java.lang.OutOfMemoryError when trying to refresh all User objects

  Hello - I am running IdM version 7.1. Currently, I am attempting to refresh all user objects in the IdM database as directed in this article:
  http://docs.sun.com/source/820-2961/A_edit_configObjects.html
  In order to interface with the Database, I am using NetBeans on a Windows 2003 SP2 server with 3.5G of memory. Through NetBeans, I select the "Run lh command" option, provide the Configurator password when prompted, and then enter the command: "refreshType User". This is supposed to go through and "touch" each user record.
  The command runs for about 5 minutes and then bombs out with an error message:
  Exception in thread "Object Change Dispatcher" java.lang.OutOfMemoryError: Java heap space
  I'm assuming that the JRE on the Windows server I'm running NetBeans on is running out of memory. My questions are 1) Is my assumption correct and 2) If so, is there a way to allocate more memory to the Java process which is running the lh command? This Windows server is running JRE 1.5
  Thanks in advance!

  I ran into same issue, ran the deferred task scanner instead.. Took a long time to run, but didn't hang.. :)