DCOM Permissions Scripting

Similar Messages

• Permissions Script

  Hi, apologies if the answer to this is already out in the wild, but my Googling has drawn a blank.
  We have single sign on with Active Directory holding all the user accounts. We have the network home folders stored on a Raid attached to one of our 10.8 servers.
  Now the problem we have is, when we add a new user and fill in the path to the home folder Active Directory will create the folder, set the POSIX permissions so that the user that created the account has ownership and domain users & others have no access. The ACL is then inherited from the parent folder. I'm pretty sure this is a problem with SMBX as we didn't have this issue when the Servers where running 10.6. This hasn't been much of an issue as we've not had many users to create and then ones we have, I've just set the permission in the server app manually. In the next few weeks though we'll be creating the accounts for our new students, has anyone else seen this issue? I've logged it as a bug with Apple but I don't think it'll be fixed in time, so...
  Does anyone have a script kicking around that will:
  Remove the inherited permissons
  Check AD for a username against a folder of the same name
  Set the permissions of that username to Read and Write
  Add in Domain Admin's with full control
  My bash scripting isn't great, but I'll poke around Google some more until some kind soul takes pity on me
  Thanks!

  Hello Alexis,
  Make modifications to your scripts like this....
  [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
  $User = [Microsoft.VisualBasic.Interaction]::InputBox("Username,Name,GUID,Alias etc","Enter the name of
  the Mailbox you want to Search permissions for")
          [system.Windows.Forms.MessageBox]::show("$user","Completed!")
  $ConvertedUser = (get-mailbox $user).userprincipalname.split("@")[1].split(".")[0] + "\" + (get-mailbox
  $user).userprincipalname.split("@")[0]
  $output = Get-Mailbox -resultsize Unlimited -RecipientTypeDetails sharedmailbox  |Get-MailboxPermission
  | 
  Where-Object {($_.AccessRights -eq "FullAccess") -and ($_.User -like $ConvertedUser) -and ($_.IsInherited
  -eq $false) -and ($_.User -notlike 'NT Authority\Self')} 
  $Output | FT Identity
  $Output | Export-CSV c:\user.csv -notypeinformation
  Write-Host "Press any Key To continue..."
  $Temp = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
  This will ask user to press any key before it disappears and saves result to c:\user.csv file....

• List permissions script pop up dissappears

  Hello,
  I've created a script for the help desk that works. Thing is when the help desk double clicks the powershell shortcut the scripts executes and gives them the info and the window closes.
  I would like the window the stay open so that they are able to read what is in there and also pipe the results into a csv file for them on the root of their C drive.
  Here is the script:
  [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
  $User = [Microsoft.VisualBasic.Interaction]::InputBox("Username,Name,GUID,Alias etc","Enter the name of the Mailbox you want to Search permissions for")
          [system.Windows.Forms.MessageBox]::show("$user","Completed!")
  $ConvertedUser = (get-mailbox $user).userprincipalname.split("@")[1].split(".")[0] + "\" + (get-mailbox $user).userprincipalname.split("@")[0]
  Get-Mailbox -resultsize Unlimited -RecipientTypeDetails sharedmailbox  |Get-MailboxPermission |
  Where-Object {($_.AccessRights -eq "FullAccess") -and ($_.User -like $ConvertedUser) -and ($_.IsInherited -eq $false) -and ($_.User -notlike 'NT Authority\Self')} |
  Format-Table Identity
  Thanks
  Alexis

  Hello Alexis,
  Make modifications to your scripts like this....
  [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
  $User = [Microsoft.VisualBasic.Interaction]::InputBox("Username,Name,GUID,Alias etc","Enter the name of
  the Mailbox you want to Search permissions for")
          [system.Windows.Forms.MessageBox]::show("$user","Completed!")
  $ConvertedUser = (get-mailbox $user).userprincipalname.split("@")[1].split(".")[0] + "\" + (get-mailbox
  $user).userprincipalname.split("@")[0]
  $output = Get-Mailbox -resultsize Unlimited -RecipientTypeDetails sharedmailbox  |Get-MailboxPermission
  | 
  Where-Object {($_.AccessRights -eq "FullAccess") -and ($_.User -like $ConvertedUser) -and ($_.IsInherited
  -eq $false) -and ($_.User -notlike 'NT Authority\Self')} 
  $Output | FT Identity
  $Output | Export-CSV c:\user.csv -notypeinformation
  Write-Host "Press any Key To continue..."
  $Temp = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
  This will ask user to press any key before it disappears and saves result to c:\user.csv file....

• DCOM permission configuration on 2012 R2 core

  Hi.
  Our DC's are Windows 2012 R2 CORE servers. We need to change DCOM permissions on servers. (grant to one AD group access and launch permissions)
  Launching dcomcnfg.exe on GUI server and connecting to DC (CORE) doesnt work. It needs "COM+ Network Access" feature, part of Application Server Role> requires GUI.
  How can it be accomplished?

  Hi Andres,
  On server core you can use the dcomperm.exe which included the SDK to programmatically set the values,
  You can download Windows SDK version for Windows 8.1
  http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
  The similar scenario article:
  How to install the DPM agent on a Windows Server 2008 R2 Core computer
  http://blogs.technet.com/b/dpm/archive/2012/05/22/how-to-install-the-dpm-agent-on-a-windows-server-2008-r2-core-computer.aspx
  The similar thread:
  Managing WMI and DCOM locally on Core?
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/d8732706-3753-41aa-979f-e096132b71a6/managing-wmi-and-dcom-locally-on-core?forum=winservercore
  The related third party article:
  How to script DCOM permissions and WMI security for non-admins ?
  http://itworldjd.wordpress.com/2011/10/05/how-to-script-dcom-permissions-and-wmi-security-for-non-admins/
  I’m glad to be of help to you!
  *** This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these
  sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use
  of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet. ***
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Error accessing reporting services - DCOM

  Hello, after a (somewhat) smooth installation of SCCM 2007 SP1 on Win2k8 server i'm noticing a problem accessing reporting site , i've seen this issue in a lot of tek tips sites pointing to DCOM permissions, however the fixes recommended don't seem to be working for me.
  Accessing the reporting website http://servername/smsreporting_sitecode/ displays the error message (after turning error display on):
  Navigator
  Server object error 'ASP 0178 : 80070005'
  Server.CreateObject Access Error
  /smsreporting_lbt/ReportsNav.asp , line 1046
  The call to Server.CreateObject failed while checking permissions. Access is denied to this object.
  and logs the following on System Event Viewer:
  The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
  {2D527A8C-A4B6-4E74-A63F-E867360D401C}
   to the user domain\user SID (S-1-5-21-950096678-2834088623-955418618-38307) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  The CLSID {2D527A8C-A4B6-4E74-A63F-E867360D401C} according to the registry refers to SMSRPH , i've tried adding local launch and local activation permissions, to the smsreporting users, dcom users and even everyone. But i still get the same error.
  If it's any use, this is the line from Reportsnav.asp:
  Set myReporting = Server.CreateObject("SMSRPHost.SMSReporting")
  ConnectionStatus = myReporting.Connect(Session("SMSSiteCode"), Session("SQLMachine"), _
      Session("SQLDatabase"), Session("DBConnectionTimeout"), Session("DBCommandTimeout"))
  Could anyone try to give some tips?
  Thanks in advance,
  BQ

  Hi,
  I was having the exact same problem but solved it by adding 'Authenticated Users' to the local 'SMS Reporting Users' group on the SCCM Server.
  Eddie.

• Client stops working and getting DCOM error in event viewer

  Hi
  I am getting these errors after upgrading the client from 2007 to 2012.. the client works for a certain amount of time then stops functioning as expected. Logs not moving and get error when manually cycling policy etc from client.
  The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
  {F80A8D57-D338-43FF-A5E6-5D093EA80775}
   to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services
  administrative tool.
  I have checked the DCOM permissions for launch and activate for system account and they are set to allow...
  its not happening on all clients which is strange

  Hi Jason,
  The service is running and the ccmexec.log does not stop but its rolled over since the issue occurred. About 30% of the logs continue logging and the rest stop with no action.I done a WMIDiag and I could see issues with missing namespaces and DCOM errors.
  I am unistalling the client and reinstalling which fixes the issue for a short period of time, then I will do a WMIDiag once its working then monitor. Once it breaks I will do another WMIDiag and fetch the logs in to see if there are any indicators to why
  this is happening.
  Is there anything else you would do at this point?
  From one client.. WMIDIAG
  An example of missing instance and all were missing in this class!
  root/ccm/Policy/machine, 'Select * From CCM_Service_HostedClass WHERE Description = "CPApplet Client Action" AND CLSID = "{F80A8D57-D338-43FF-A5E6-5D093EA80775}"' did not return any instance while AT LEAST 1 instance is expected.
  From another client and on both
  76815 12:03:57 (0) ** => This is an issue because there are still some WMI classes referencing this list of providers
  76816 12:03:57 (0) **    while the DCOM registration is wrong or missing. This can be due to:
  76817 12:03:57 (0) **    - a de-installation of the software.
  76818 12:03:57 (0) **    - a deletion of some registry key data.
  76819 12:03:57 (0) **    - a registry corruption.
  76820 12:03:57 (0) ** => You can correct the DCOM configuration by:
  76821 12:03:57 (0) **    - Executing the 'REGSVR32.EXE <Provider.DLL>' command.

• File permissions between user accounts on one computer

  Hi!!!
  I have an iMac PowerPC G5 computer which I set with 2 accounts, one for me (the administrator) and another for some workers.
  I´m having problems regarding writing and using files. I have some documents which both accounts need to use, read and save. The original files are not in the administrator account, but on the normal one. What I do when I want to read and write on a file located on the normal account is access to it going into the other user account and open it from the document folder. BUT i have to be givening permissions all the time because it lose them when I switch between both accounts
  Sorry for my english, i´ll try to explain better:
  1-I open a file which is in the normal account from my administrator account
  2- It wont let me save anything so i have to give writing permissions
  3-I switch to the normal account and wont allow me to write again, so I have to give permission again
  4- Everytime I switch accounts i will have to give permission
  How can i solve this?
  Thanks!!
  G.

  Sean Dale1 wrote:
  Very interesting thank you.
  I wondered if it might be possible to modify files copied into such a shared folder with the aid of an AppleScript or Automator action saved as an application
  nothing you can do with applescript or automator can come anywhere close to be as simple or as effective as the ACL method. folder actions only watch the top level of the folder they are attached to and plus they are extremely unreliable. what could be simpler than the method outlined above? you run two terminal commands and you are set. no scripts to run, no cron or launch daemons to make to run some periodic change of permissions scripts. file system does everything itself.
  or would opening a file and then doing a simple 'Save As' to the folder do the trick?
  only if you don't mind creating multiple copies of the same file any time you need to change it.
  the only real problem with the ACL method is that inherited ACLs are not applied to items moved into the shared folder, only to copied or new files. this is not normally an issue except with some applications like photoshop which like to utilize temp files. when photoshop saves chages to a file it does the following. it saves the changed file to a temp file in a temporary directory, deletes the current file and then moves the temp file to where the original file was. because moving is involved this washes out the ACLs. very bad of photoshop. if you are unlucky enough to be using an app like this then there is a different method that can be used that does not have the deficiency of ACLs with respect to moved files but it requires some more prep. although once the prep is complete it works quite well. see my os x hint here
  http://www.macosxhints.com/article.php?story=20100202195536952
  on how to do that. However, in most situations the ACL method is perfectly suitable and is much easier to set up so I recommend you go with that.

• Hyperion Enterprise web error

  Hi ,
  Thanks a lot on helping me in resolving one issue, "Hyperion Enterprise Error: Module not Found He.hecontainer". But when I click on application setup I am getting the following error message.
  Server Error in '/HEWeb' Application.
  Source File: C:\Program Files (x86)\Hyperion Solutions\Hyperion Enterprise\HEWeb\StartupAdminMain.aspx Line: 795
  Object variable or With block variable not set.
  Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
  Exception Details: System.NullReferenceException: Object variable or With block variable not set.
  Source Error:
  Line 793:
  Line 794: ' Get the application list
  Line 795: vtStatusCode = Application("EntAppObject").EnumApps(vtAppListXML, vtStatusDesc)
  Line 796:if vtStatusCode 0 or vtAppListXML = "" then
  Line 797: ' To display the localized string for Errorloading application list problem
  Source File: C:\Program Files (x86)\Hyperion Solutions\Hyperion Enterprise\HEWeb\StartupAdminMain.aspx Line: 795
  Stack Trace:
  [NullReferenceException: Object variable or With block variable not set.]
  Microsoft.VisualBasic.CompilerServices.Container..ctor(Object Instance) +765074
  Microsoft.VisualBasic.CompilerServices.NewLateBinding.LateGet(Object Instance, Type Type, String MemberName, Object[] Arguments, String[] ArgumentNames, Type[] TypeArguments, Boolean[] CopyBack) +538
  ASP.startupadminmain_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in C:\Program Files (x86)\Hyperion Solutions\Hyperion Enterprise\HEWeb\StartupAdminMain.aspx:795
  System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +115
  System.Web.UI.Page.Render(HtmlTextWriter writer) +38
  System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint
  Thanks,
  Rakesh

  Hi Rakesh - looks like you opened a new thread. (not sure which one is active so I've posted to both. I'll look for a reply on both. Cheers. -David),
  Hyperion Enterprise Reporting 6.5 is NOT supported on MS Windows 2008 server.
  Hyperion Enterprise Reporting 6.5.1 is supported.
  Could you please verify your version of Hyperion Enterprise Reporting (again)?
  Please also verify the other components of your build against your version at the following link:
  http://www.oracle.com/technetwork/middleware/bi-foundation/hyperion-supported-platforms-085957.html
  (See Hyperion Enterprise 6.5.1 (XLS) or Hyperion Enterprise 6.5 (XLS) depending on your version)
  Also can you confirm you performed the following steps during your installation of Hyperion Enterprise Reporting?:
  Applies to:
  Hyperion Enterprise Reporting - Version: 6.3.1.0.00 to 6.5.1.0.00 - Release: 6.3 to 6.5
  Information in this document applies to any platform.
  Purpose:
  Configuring Hyperion Enterprise Reporting Web.
  Questions and Answers
  How to Configure Hyperion Enterprise Reporting Web?
  1. Create LOCAL username and password with Administrator rights. This is your impersonation account.
  You may use the local administrator as your impersonation account, but it MUST be local, not a domain admin.
  2. Users IWAM..., IUSER... SYSTEM, INTERACTIVE, Administrator and Everyone are automatically created users/groups.
  In Local Security Settings -> Local Policies -> User Rights Assignment.
  Add the add IUSR, IWAM, SYSTEM, INTERACTIVE, Administrator, Impersonation account and Everyone to:
  a) Act as part of the Operating System.
  b) Log on locally (or Allow log on locally).
  c) Log on as a service.
  d) Log on as a batch job.
  3. In IIS services <server>
  Web Sites -> Default Web Site -> Right click on HSpider -> properties
  Virtual Directory tab.
  Select only Log visits and Index this resource.
  Application name: HER.
  Execute Permissions: Scripts and Executables .
  Application Protection: High.
  Directory Security tab.
  Deselect all except Basic Authentication .
  (Windows 2003) Web Service Extension .
  Select All Unknown ISAPI Extensions.
  Click the Allow button.
  Repeat with all other items starting with HER and Active Server Pages.
  4. In Component Services -> Computer ->
  a) Right click on My Computer -> Properties.
  b) Default security tab (COM security tab).
  c) Access Permissions Edit Default button.
  d) Add IUSR, IWAM, SYSTEM, INTERACTIVE, Administrator, and Impersonation account.
  e) Launch and Activate permissions Edit Default button.
  f) Add IUSR, IWAM, SYSTEM, INTERACTIVE, Administrator, and Impersonation account.
  5. My Computer -> Com+
  a) IIS... HSpider properties -> Identity tab.
  b) Browse to impersonation account and add password.
  6. My Computer ->DCOM Config (or Start-> Run -> DCOMCNFG).
  a) Right click HypPkgrH_Pooler -> Properties -> Identity tab.
  b) Browse to impersonation account and add password.
  c) Repeat with Spider_Pooler.
  7. Internet services must be reset (Start -> Run -> iisreset).
  8. In the Hyperion Enterprise Reporting folder of the Start menu, select Web Server administration
  Program.
  Options button.
  Network tab.
  Select Allow Hyperion Enterprise Reporting Web Server to access other network devices.
  Add the impersonation account and password.
  If desired, select the Preload tab and add your application.
  System is Enterprise6 as found in the repeng.ini.
  If using Distributed Retrieve or Schedules
  9. In the Hyperion Enterprise Reporting folder of the Start menu, select Distributed Server Manager
  a) Network tab
  b) Select Allow client to access other network devices
  c) Add the impersonation user and password
  If you have any questions about these steps please don't hesitate to drop me a note and I'll do my best to explain what is required.
  G'Luck,
  -David

• Retrieving the COM class factory for component with CLSID {0002DF01-0000-0000-C000-000000000046} error: 80070005

  Hey guys,
  I've used xp_cmdpowershell from SQL Server 2008 R2 to execute a powershell scripts.
  One of this scripts creates a internetexplorer.application object.
  When I execute this script on powershell(version 2.0), it runs.
  But when trie to execute for xp_cmdpowershell it fails.
  error output:
  Retrieving the COM class factory for component with CLSID {0002DF01-0000-0000-C000-000000000046} error: 80070005
  script example:
  $ie = New-object -com 'internetexplorer.application'
  $ie.navigate("http://www.google.com")
  $ie.visible = 1
  sleep -s 10
  $ie.quit()
  xp_cmdpowershell example:
  EXEC master..xp_cmdshell 'powershell C:\DataLocalTopRonda\scr.ps1';
  Anyone have any ideas? Any help will be appreciated.

  8007005 is typically 'Access Denied'. Did you verify DCOM permissions to this class object? Are you using the same credentials in the PowerShell console as what is being done in SQL?
  Boe Prox
  Blog |
  Twitter
  PoshWSUS |
  PoshPAIG | PoshChat |
  PoshEventUI
  PowerShell Deep Dives Book

• InstallUpdates - System.UnauthorizedAccessException - 0x80070005

  Hello,
  I'm running into the following problem which I'm certain isn't an issue with the SDK but checking to see if anyone else ran into this problem and found a solution.
  I have a PS script to find all the updates made available to an endpoint via CM2012 and initiate the installation using the SDK.  The following two lines in the script is what I'm using and they work...most of the time.
  $MissingUpdates = @(Get-WmiObject -ComputerName $ServerName -Credential $credential -Class CCM_SoftwareUpdate -Filter ComplianceState=0 -Namespace root\CCM\ClientSDK | foreach {[WMI]$_.__PATH})
  Invoke-WmiMethod -ComputerName $ServerName -Credential $credential -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdates) -Namespace root\ccm\ClientSDK
  The times where it's not working I receive a "System.UnauthorizedAccessException" error message.  Problem is after reviewing two different endpoints, one where it works and one where it doesn't work, I'm at a loss as to what could be blocking the script
  to invoking the method 'InstallUpdates'. 
  I'm using a domain admin account to run the script and have verified that the account is showing up in the Administrators group on the problematic endpoint.  I've also manually added the account to the Administrators group (just to be safe), within
  the WMI Control (and afterwards restarted the WMI service), DCOM permissions to local/remote launch, to the WMI DCOM Application, changed the PS execution policy and used wbemtest.exe to see the error...
  Number: 0x80070005
  Facility: Win32
  Description: Access is denied.
  The error 0x80070005 lead me to check the DCOM permissions per WMI Troubleshooting article out on MSDN.
  Inspite of all these checks, still can't invoke the method successfully.  Both endpoints are running Windows Server 2008 R2. 
  Any insight would be appreciated.  Thanks!

  Again thanks AGS_MN.  Just to be sure I also ran your code. 
  $Namespace = "root\ccm\Policy\Machine\ActualConfig"
  $Class = "CCM_ClientAgentConfig"
  $Current_ClientAgentConfig = Get-WmiObject -Namespace $Namespace -Class $Class -ComputerName '<myservername>' -ErrorAction Stop
  $Current_ClientAgentConfig.InstallRestriction
  Set-WmiInstance -InputObject $Current_ClientAgentConfig -ErrorAction Stop
  $MissingUpdates = @(Get-WmiObject -ComputerName '<myservername>' -Credential $credential -Class CCM_SoftwareUpdate -Filter ComplianceState=0 -Namespace
  root\CCM\ClientSDK | foreach {[WMI]$_.__PATH})
  Invoke-WmiMethod -ComputerName '<myservername>' -Credential $credential -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdates)
  -Namespace root\ccm\ClientSDK
  Only difference is the code (because of the -Credential) prompts me for username and password, but still errors the same as mine.

• Unable to close Safari windows

  I am unable to close any windows in Safari.
  I am able to expand and minimize them.
  I had been unable to open Safari which I resolved by removing the Safari preferences file and have tried repeating this as well as resetting Safari and running general maintenance proceedures such as permissions, scripts, etc. with no success.
  Is it possible to reinstall just Safari ( mine is version 2.03) or can this only be done through a system update?
  Thanks for your help!
  733 MHz Power PC G4   Mac OS X (10.4)  

  After attempting various fixes and several unsuccessful attempts at using the 10.4.7 combo updater I was finally able to update to 10.4.7 from my Tech Tool eDrive.
  Somewhere along this process, I think after the System update, my window problem was resolved.
  Thanks.
  733 MHz Power PC G4   Mac OS X (10.4)  

• Trying to configure a Win 2003 Server to use TLS server authentication . . .

  I am trying to
  configure a Win 2003 Server to use TLS server authentication following Method 2 in KB 895443 - see below:-
  Method 2: By using the Certificate Request Wizard
  The following steps describe how to obtain a certificate from a Windows Server 2003 Certification Authority. You can also request a certificate from a Windows 2000
  Certification Authority. Additionally, you must have Read permissions and Enroll permissions on the certificate template file to successfully request a certificate. Use this method if one or more of the following conditions are true:
  You want to request a certificate from an Enterprise Certification Authority.
  You want to request a certificate that is based on a template where the subject name is generated by Windows.
  You want to obtain a certificate that does not require administrator approval before the certificate is issued.
  To obtain a certificate, follow these steps:
  Click Start, click Run, type mmc, and then click OK.
  On the File menu, click Add/Remove Snap-in.
  Click Add, click Certificates, and then click Add.
  Click Computer account, and then click Next.
  If you want to add a certificate to the local computer, click Local computer. If you want to add a certificate to a remote computer, click Another
  computer, and then type the name of that remote computer in the Another computer box.
  Click Finish.
  In the Add Standalone Snap-in dialog box, click Close, and then click OK in the Add/Remove
  Snap-in dialog box.
  Under Console Root, click Certificates (Local Computer).
  Note If you configured the Certificates MMC snap-in to manage a remote computer, click Certificates (servername)instead of Certificates (Local Computer).
  On the View menu, click Options.
  In the View Options dialog box, click Certificate purpose, and then click OK.
  In the right pane, right-click Server Authentication, point to All Tasks, and then click Request New Certificate.
  In the Certificate Request Wizard that starts, click Next.
  In the Certificate types list, click Server Authentication, click to select the Advanced check box,
  and then click Next.
  In the Cryptographic Service Providers list, click Microsoft RSA SChannel Cryptographic Provider.
  I get as far as step 11 and I get the error message:-
  The wizard cannot be started because of one or more of the following conditions:
  - There are no trusted certification authorities (CAs) available.
  - You do not have the permissions to request certificates from the available CAs.
  - The available CAs issue certificates for which you do not have permissions.
  This is covered in KB 927066 – see below:-
  To resolve the problem, follow these steps:
  Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority. This group is in the CN=Users container.
  To do this, follow these steps:
  Click Start, click Run,
  type Dsa.msc, and then click OK.
  In the left pane, click the Users container.
  Verify that the CERTSVC_DCOM_ACCESS group is in the right
  pane. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.
  Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
  Domain Users
  Domain Computers
  If these member groups do not exist in the CERTSVC_DCOM_ACCESS group, go to step 4. 
  Note If users or computers in other domains need to enroll against the certification authority, you must also add those users and computers to the CERTSVC_DCOM_ACCESS group. If the current problem occurs on a domain
  controller, you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group. By default, domain controllers are not members of the Domain Computers global group. Therefore, domain controllers
  do not have sufficient DCOM permissions.
  Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification
  authority.
  Click Start, point to Program,
  point to Administrative Tools, and then click Component Services.
  Expand the Component Services node.
  Expand the Computers node.
  Right-click the My Computer node, and
  then click Properties.
  Click the COM Security tab.
  Under Access Permission, click Edit
  Limits.
  Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow
  Remote Access permissions, and then click Cancel.
  Under Launch and Activation Permissions, click Edit
  Limits.
  Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow
  Remote Activationpermissions, and then click Cancel.
  Click Cancel, and then close the Component
  Services console.
  Settings may be incorrect if any one of the following conditions is true:
  The CERTSVC_DCOM_ACCESS group does not exist.
  The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
  The CERTSVC_DCOM_ACCESS group does not have the correct permissions.
  If any one setting is incorrect, run the following commands at a command prompt. Press ENTER after each command.
  certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
  net stop certsvc
  net start certsvc
  Repeat steps 1 through 3 to verify that all the settings are correct.
  Note If the changes affect the group membership of the certification authority server, you must restart the server for the changes to take effect.
  The only part of the above instructions which I have not been able to complete is:-
  “you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group”.
  When I click on the CERTSVC_DCOM_ACCESS user then click the Members tab & go to add Enterprise Domain Controllers the option is not there.

  Hi Nick,
  Have you successfully set up an enterprise CA?
  If yes, is the enterprise CA’s certificate located under the Trusted Root Certification Authorities store?
  Best Regards,
  Amy

• Error authenticating proxy while running agent job

  I am trying to schedule a SSIS2014 package via SQL Server Agent job. Both SSIS and SSMS are running on my local machine in the same domain. I am running SSMS with the same user
  Domain\Admin which is the creator of the SSIS package. SSMS 32-Bit and SSIS 32-Bit are running on Windows 7 64-Bit machine. I can run the package within SSIS without problems.
  When I use a proxy account to run the job step, the following message occurs:
  Unable to start execution of step 1 (reason: Error authenticating proxy `Domain\Admin`, system error: Logon failure: unknown user name or bad password.). The step failed.
  The proxy account uses the credentials identity Domain\Admin. Since the password fields for credential properties in SSMS cannot be left blank, I typed any password although my corresponding windows account has no password. So as mentioned above
  it's the same user account that created the SSIS package since Domain\Admin is stated in the CreatorName property of the SSIS package.
  With this proxy, I tried to run SSIS jobs using the package ProtectionLevel's
  EncryptSensitiveWithUserKey and EncryptSensitiveWithPassword. Running the package manually within SSDT without problems, but from SSMS agent job the same error message appears. I tried the package sources "File System" and, after
  importing the package to MSDB, "SQL Server" and "SSIS Package Store". But exactly the same error message appears with each method.
  Task manager shows that SSMS is running in administrator mode. Using Windows Component Services I added DCOM permissions for
  Domain\Admin to start and activate "Microsoft SQL Server Integration Services 12.0" from local. But the same error message appears. So in my opinion it's a problem with SSMS user account permissions (???) but unfortunately I don't know
  what exactly to do here. I tried the following:
  In the system database MSDB (full path: Databases / System Databases / MSDB / Security / Logins) I assigned all available role memberships (Including db_ssisoperator, db_ssisltduser, db_ssisadmin) to
  Domain\Admin.
  In server security (full path: Security / Logins) I assigned all available server roles. In the tab User Mapping, I assigned the MSDB database.
  Still the same error message appears when I try to run the job. Does anybody have some ideas what I can try?

  If you use the Agent then set the package protection to "Rely on server".
  Then Domain/Admin is probably not an actual proxy but the account the Agent is running under, in this or even any case follow http://www.mssqltips.com/sqlservertip/2163/running-a-ssis-package-from-sql-server-agent-using-a-proxy-account/ to create the
  proper proxy for the packages.
  Arthur My Blog

• Snow Leopard and hard disk problems?

  This may just be a coincidence but I and several colleagues have had problems with Macs over the past week.
  a) My Macbook Pro lost the date/time and wi-fi settings. Next reboot wi-fi was still lost. Now seems OK again.
  b) At times my 24" iMac is running slowly when nothing seems to be hogging resources (eg just copying a 3Gb file to an external hard disk). Time Machine also seems to be taking much longer to backup.
  c) Hard disk failed on a Macbook Pro of a colleague
  d) iMac 27" seems to be having severe hard disk problems for another colleague - Applecare will be visiting after trying numerous fixes over the phone.
  On my machines I have run the Cocktail suite (permissions, scripts and caches) Disk Utility Repair and Techtools Deluxe (no reported problems) but the iMac problems seem to creep back.
  It is like a disk caching process (or Spotlight?) is not cleaning up properly and is clagging up the system. Or maybe a hard disk is close to failure but the problem is not severe enough to show up in diagnostics? In any case I am diligent about backing up at the moment!

  Or maybe a hard disk is close to failure but the problem is not severe enough to show up in diagnostics?
  Common symptoms of a dying hard drive
  Hard drive is making a clicking, whirring, grinding, ping pong ball noise or any other type of unusal noises.
  Hard drive is not spinning.
  Computer is not recognizing the hard drive.
  Sluggish loading of applications.
  System freezes and hangs.
  An interesting site - Hard Drive Sounds by drive manufacturer.
  How much hard drive space do you have left?
  Disk Inventory X
  OmniDiskSweeper
  WhatSize
  SpaceControl
  Disconnect all peripherals from your computer. Boot from your install disc & run _*Repair Disk*_ from the utility menu. To use the Install Mac OS X disc, insert the disc, and restart your computer while holding down the C key as it starts up.
  Select your language.
  Once on the desktop, select Utility in the menu bar.
  Select *Disk Utility.*
  Select the disk or volume in the list of disks and volumes, and then click *First Aid.*
  Click _*Repair Disk.*_
  Restart your computer when done.
  Repair permissions after you reach the desktop-http://docs.info.apple.com/article.html?artnum=25751

• CS4 problems copying and pasting masked items

  The problem: Copying and pasting a placed image combined with other Illustrator art with multiple gausian blurs that have been masked/grouped. Placed image type does not matter. PDF, JPG, TIFF, etc placed in Illustrator CS4 (or 3). Some images are complex and others are not.
  What happens: After copying and pasting, the masked (grouped) image breaks apart into separate components that are no longer masked/grouped. Happens with different files with different images on different computers. WIth or without text in document. Sometimes image pastes correctly but most times it does not.
  Hardware/OS: 3 separate iMacs (20" and two 23") all with intel chips but different processing speeds. All running latest and most updated version of Leopard. All with 4 MB Ram and more than a 100 GB of free hard drive space.
  Software: Illustrator CS4 (latest update) and CS3 on one of the 23" iMacs.
  Solutions tried so far: Ran Onyx, repaired permissions, scripts, cleaned caches, zapped PRAM and on one iMac, ran Disk Warrior. Tried in Safe boot mode and tired with a new user account. Created new files with new images and tried old files. Tried opening files from the server and from the desktop. Threw out illustrator prefs and emptied trash.
  Thought it may have to do with font conflicts but some files don't have fonts. Turned off font management programs (Suitcase on one iMac, Font Explorer Pro on others, all updated to latest version) and restarted so only system fonts loaded. No luck. Turned on fonts used in various documents, still no luck.
  Thought it may have to do with memory issues after copying masked items. Sometimes the copied image would paste correctly and then the next time I pasted it, it would not. Before pasting a second time I would copy a small item (to clear the memory) and then paste it and then recopy the masked item and paste that. Still no luck.
  Checked activity monitor but nothing looks to be a memory hog or out of place. Happens on all three iMacs and while the OS and Illustrator are common to all three, Fonts and font management tools are not. No weird plug-ins or third party extensions installed. Plus it happened in safe boot mode so all extraneous fonts and such should have been deactivated.
  Curiously, if I drag copy the masked item using the option key, the masked item copies fine. I know this can be used as a work-around but I would like to resolve this as sometimes the designers need/want to use command-c/command-v.
  Not sure what else to try. Any thoughts would be greatly appreciated. Thanks you.

  This might work, this might not. I have copy paste problems
  on a regular basis and all that works for me is closing Captivate
  down and then re open and continue. At worst, a reboot tends to
  solve this glitch in my experience.
  Good Luck