Distribute active directory allow administration by

Hi!
We're in the process of setting up profile distribution through Mac OS Server (we're all Mavericks), and would like to distribute the settings to allow administration by Active Directory domain admins (normally set in the Active Directory settings using the Directory Utility), rather than having to do this manually on each enrolled machine.
Is this possible - and if so, how?
Cheers,
Erwin Wessels

Once profile manager is set up and ready to go on your server go to
https://server.name.com/profilemanager
Login and set up a Device Group with the settings that you want for the AD.
Once complete then each machine needs to be enrolled.
You have to add 2 profiles:
1. Trust Profile
2. Remote Management
This is done through the My Devices web interface
https://server.name.com/mydevices
Once you have these profiles installed and the machines connected to the network you will not have to be at the machine to change settings again as it can all be controlled from the Profile Manager web interface.

Similar Messages

  • Windows 2008 Active Directory network administration

    We have a Windows 2008 Active Directory environment, and we want to allow our helpdesk team to do some of our AD administration without giving full-blown domain admin permissions.
    What is the best way to do this?

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support

  • Windows Active directory server administration

    Can a member of the Domain Admins group install software on client computers in Active Directory?

    Hello,
    By default, the Domain Admins security group is added to the local Administrators security group on EACH machine in the domain. So check the Administrators security group on the local machine.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber

  • Two account with same UPN in Active Directory

    Is it possible to have two accounts with same UPN in AD? 
    I'm using Windows Server 2012 R2

    To expand on what Mr X said: Active Directory allows you to assign just about anything to the userPrincipalName attribute, as long as the value is unique. The value of this attribute is generally referred to as the UPN. But you could assign values with no "@" symbol, for example, or more than one "@" symbol. Also, Active Directory does not require that any value be assigned; it is an optional attribute.
    If no value is assigned to the userPrincipalName attribute, then the user can use a "default" UPN, which is <sAMAccountName>@<DNS domain name>, where <sAMAccountName> is the "pre-Windows 2000 logon" name of the user (the value of the sAMAccountName attribute), and <DNS domain name> is the DNS name of the domain.
    If a user has a value assigned to userPrincipalName that does not match this "default" form, then they can log on with either UPN, as long as no one else has either value assigned to their userPrincipalName attribute. You will note that Active Directory enforces uniqueness in the domain on sAMAccountName values.
    If in domain "domain.com" a user has a sAMAccountName of "jsmith" but userPrincipalName "[email protected]", then another user can have a userPrincipalName of "[email protected]" (as long as no one else has that value assigned to userPrincipalName). They can each log on with their assigned values for userPrincipalName. But the first user can no longer also log on with their "default" value, based on their sAMAccountName, because it is now used by someone else. And if you attempt to assign a value to userPrincipalName that is also assigned to another user, you get an error.
    Bottom line: only one person can log on with any given UPN.
    Richard Mueller - MVP Directory Services
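    As an added illustration (not part of Richard's answer and not Active Directory code), the following Python model applies the rules just described; the domain name and user names in it are constructed sample data.

```python
# Added model of the logon-name rules described above (not Active Directory code):
# sAMAccountName is unique per domain, userPrincipalName is optional but unique
# when set, and the "default" UPN <sAMAccountName>@<DNS domain name> works only
# while nobody holds that value as an explicit userPrincipalName.
# The domain name and users used with this model are constructed sample data.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    sam_account_name: str                      # "pre-Windows 2000 logon" name
    user_principal_name: Optional[str] = None  # optional; any value, even without "@"


class Domain:
    def __init__(self, dns_name: str):
        self.dns_name = dns_name
        # AD enforces uniqueness of sAMAccountName within the domain, so it keys
        # the store. Matching is case-insensitive, as it is for these attributes.
        self._by_sam: Dict[str, User] = {}

    def default_upn(self, user: User) -> str:
        """The implicit logon name every user has: sAMAccountName@DNS domain."""
        return f"{user.sam_account_name}@{self.dns_name}"

    def add_user(self, sam: str, upn: Optional[str] = None) -> User:
        if sam.lower() in self._by_sam:
            raise ValueError(f"sAMAccountName {sam!r} is already in use")
        user = User(sam)
        self._by_sam[sam.lower()] = user
        if upn is not None:
            self.set_upn(user, upn)
        return user

    def _holder_of(self, upn: str) -> Optional[User]:
        """User whose explicit userPrincipalName equals upn, if any."""
        for u in self._by_sam.values():
            if u.user_principal_name and u.user_principal_name.lower() == upn.lower():
                return u
        return None

    def set_upn(self, user: User, upn: str) -> None:
        # Any value is accepted, but it must be unique among explicit
        # userPrincipalName values. Colliding with someone else's *default*
        # UPN is allowed and silently takes that default logon name away.
        holder = self._holder_of(upn)
        if holder is not None and holder is not user:
            raise ValueError(f"userPrincipalName {upn!r} is already assigned to "
                             f"{holder.sam_account_name}")
        user.user_principal_name = upn

    def logon(self, name: str) -> Optional[User]:
        """Resolve a logon name: explicit userPrincipalName first, then default form."""
        holder = self._holder_of(name)
        if holder is not None:
            return holder
        sam, sep, domain = name.rpartition("@")
        if sep and domain.lower() == self.dns_name.lower():
            return self._by_sam.get(sam.lower())
        return None


if __name__ == "__main__":
    d = Domain("domain.com")                       # constructed domain
    first = d.add_user("jsmith", "john.smith@domain.com")
    print(d.logon("jsmith@domain.com") is first)   # default UPN still usable: True
    d.add_user("jsmith2", "jsmith@domain.com")     # takes the first user's default
    print(d.logon("jsmith@domain.com") is first)   # now resolves to the other user: False
```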

  • How can I restrict Lion to only allow certain network users to login when bound to an Active Directory?

    Hi,
    I'm trying to find a way to configure which network users can login to a lab of iMacs running 10.7.4. They're being deployed using DeployStudio, and the Macs are bound to an MS Active Directory by a script that runs as part of the workflow. I'd like to have another script run after the AD binding to permit only users in certain AD groups to be able login to them.
    I'm halfway there, in that using dseditgroup I can easily add AD groups or individual users to the relevant group (dseditgroup -o edit -a <domain\\group name> -t group com.apple.loginwindow.netaccounts). After running this I can see the desired groups added to the list in Sys Prefs -> Users & Groups -> Login Options -> Options. However, membership of this group is deemed irrelevant by the fact that the radio button above this list for 'Allow these users to log in at login window' is still set to 'All network users' and not 'Only these network users'.
    Does anyone know of a way to enable the 'Only these network users' option via the Terminal/a shell script?
    Thanks,
    Chris


  • Active Directory Domain Services crash after Administrator renames object in Active Directory Users and Computers

    Hello.
    We have two domain controllers: node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When an administrator connects to node2 and tries to rename some object in AD (for example, a user), AD Domain Services crashes and reboots the server after 60 seconds.
    In Events I can see these messages:
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          04.03.2014 12:37:58
    Event ID:      1173
    Task Category: Internal Processing
    Level:         Warning
    Keywords:      Classic
    User:          domain\admin
    Computer:      NODE2.domain.example
    Description:
    Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
    Exception:
    c0000005
    Parameter:
    0
    Additional Data
    Error value:
    7ffc7c38e45d
    Internal ID:
    0
    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          04.03.2014 12:37:58
    Event ID:      1015
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NODE2.domain.example
    Description:
    A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.
    Log Name:      Application
    Source:        Application Error
    Date:          04.03.2014 12:37:58
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NODE2.domain.example
    Description:
    Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
    Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
    Exception code: 0xc0000005
    Fault offset: 0x000000000019e45d
    Faulting process id: 0x23c
    Faulting application start time: 0x01cf3773fe973e1b
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\ntdsai.dll
    Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
    Faulting package full name:
    Faulting package-relative application ID:
    On node2 we installed all available updates and hotfixes.

    Hi Azamat Hackimov,
    Regarding the error messages, it seems that the ntdsai.dll file caused the issue. Based on the current situation, please use the sfc /scannow command to scan protected system files and check whether it finds errors and repairs them. Meanwhile, you can also navigate to the location of this DLL file and confirm its details.
    In addition, Windows Server 2012 R2 has rebooted unexpectedly. Please check whether you get a dump file and then analyze it. It may help us to find the root cause. Please refer to the following KB:
    How to read the small memory dump file that is created by Windows if a crash occurs.
    http://support.microsoft.com/kb/315263/en-us
    By the way, it is not effective for us to debug the crash dump file here in the forum. If this issue is an emergency for you, please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
    To obtain the phone numbers for a specific technology request, please refer to the web site listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
    Hope this helps.
    Best regards,
    Justin Gu

  • Cannot connect to Domain\administrator from my RDC after assigning an active directory domain to my server

    Hi, I'm using Windows Server 2012 R2 and I was just wondering how to make Remote Desktop allow connection through domain\administrator before actually creating the domain. In other words, I wanted to create an Active Directory domain user and connect to the server over RDP. The problem is that I can only connect through RDP, considering that I'm using Windows Azure, so the physical server isn't actually sitting on my desk. Anyway, when I create an AD DS the system automatically reboots and I'm not able to connect to it anymore, so all I need to do right now is somehow enable the Remote Desktop Services to connect through "Domain\Administrator" before I actually create the AD DS and assign it to my server, so that when the system reboots and I open RDP I can connect to the server.
    Thanks in advance.

    Hi,
    Thank you for posting in Windows Server Forum.
    As per your comment, it seems that you are managing the server with an .RDP file. I can suggest you run "Remote Desktop Connection Manager" for maintaining the server. With that you can specify the credential for domain\administrator, and after you set up the AD DS you can open the connection through domain\administrator and not as a local user.
    Hope it helps!
    Thanks,
    Dharmesh

  • Disabling computer account in Active Directory will still allows the workstation to login

    I have a special scenario. A Windows 7 workstation was in lock mode (waiting for CTRL+ALT+DEL). As an administrator, I disabled the computer account and the user account, and even reset the password for that user and the workstation. My requirement is that the user cannot log in to the workstation again.
    However, the user was able to log in to the workstation.
    What AD registry parameter could lock down the computer completely? Or is there any parameter in GPO that could lock down the computer?
    Thanks in advance.
    Pingala
    SP

    Hello Karen,
    I am testing with the DOMAIN account, not a local account. With your instructions,
    Control Panel\All Control Panel Items\User Accounts\Manage your credentials
    Select the corresponding credential and click Remove.
    I am able to see local accounts but not the DOMAIN account locally cached.
    BTW, I am not seeing "Manage your credentials"; instead, I am seeing "Manage Your Accounts" in User Accounts.
    Secondly, I am looking for a setup with AD GPO so that, for most of the Enterprise Windows 7 workstations, I would like to apply the policy across the board: "Once a workstation is disabled by the administrator, the domain user for that workstation cannot log in again, especially when the workstation is in lock mode."
    The article you cited did not give any technical details that could help me to clean both local and domain credential caching.
    Please help me with the steps for how I can disable the caching of local and domain credentials on the workstation, to check this manually first.
    Eventually, I would like to disable a "computer" in Active Directory such that it locks down the targeted workstation from further use. Or let me know what steps are needed to lock down a workstation immediately when a user is fired, before further damage occurs to the enterprise resources.
    Thanks,
    Pingala
    SP

  • Active Directory User which can Create a User but not Allowed to Enable Disabled Users

    Hi guys, we have a requirement to create a user group in Active Directory which will grant its members permission to create users but not allow them to enable disabled users.
    We have tried delegating control and assigning permissions by going to Security Tab > Advanced.
    It seems that when a group is granted permission to create users, it is also allowed to enable disabled users.
    Kindly advise if it is possible to create a user group with permission to create users but not be allowed to enable disabled users.

    Hi,
    According to my experience, you can assign permission to create/delete user objects. If you want to disable/enable a user, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.
    In general, if you just give a user group the permission to create user objects, it cannot disable or enable user accounts. Please make sure that the permission you assigned is correct and that the user group is not a member of the Account Operators, Domain Admins, or Enterprise Admins group in Active Directory.
    Best regards,
    Susie

  • Using Active Directory to control WLS administration console access

    Hello,
    We have bound our WLS 12c instance to our Active Directory service for authentication, and this appears to be working. Next I would like to create an AD group - let's call it "WebLogic-Admin" - whose members (in AD) will have access to the WLS admin console just as if they were a member of the local Administrators group. When I load my WebLogic-Admin group and click on the Membership tab, I have no option to add it to any Parent Groups.
    So how can I use my AD group to delegate administrator privilege?
    Thanks,
    Bill

    cd ('/SecurityConfiguration/' + domain_name + '/Realms/myrealm/RoleMappers/XACMLRoleMapper')
    cmo.setRoleExpression(None,"Admin","{Grp(Administrators)|Grp(WebLogic-Admin)}")
    or
    Home >Summary of Security Realms >myrealm >Realm Roles >Edit Global Role >Realm Roles >Edit Global Role and add your AD group to admin global role.

  • CCE Web Administration - Active Directory issue when managing agent attributes

    I am experiencing an issue when managing agents (supervisors specifically) in CCE Web Admin.  When attempting to add / remove / modify an Attribute for a supervisor agent we are getting an error that the supervisor must have a valid active directory account.  (Screenshot attached)  The agents that this is affecting are correctly configured in ICM as a supervisor and ICM was able to successfully move their AD account into the 'Config' AD Security Group.  From looking at the logs on the AWS it appears that the Web Admin tool is attempting to lookup their account in AD via UPN by appending their username to the domain name.  
    Log Snippet:  
    exception=com.cisco.ccbu.api.jaxb.error.ApiException: supervisorUserInfo.userName: Could not find user. Check if a domain account exists for [email protected]
    This isn't going to work for some users in our account because we have multiple suffixes in our domain.  (Our domain is a single forest and I'm not aware of a requirement to have a single suffix.)
    I'm curious why it wouldn't use samaccountname which is what I believe ICM Configuration Manager is using.  Has anyone else experienced this issue?

    Lo and behold, my AD sync started working.
    Though I have added the site to my local intranet sites, I'm not very confident whether this was the actual solution. I've performed several actions configuring my farm before I started troubleshooting this issue again, so it might be another action that
    solved this.
    Alemaitre: can you try the following please:
    See if the SharePoint Web Service site is started in IIS.  If not, start it, see if that works.
    Instead of adding the site to your Trusted Sites, try Local Intranet Sites (click Advanced to add sites besides using auto-discovery)
    Turn the Security Level for the zone all the way down.
    Turn off Compression for your site in IIS, do an iisreset, see if that works.
    I've also had to remove a host header from my MySite portal (running on port 8080 here), unlikely for this to be the cause but it's just one of the things I did this morning :-)
    Should I think of anything else, I'll let you know.
    Bonne chance.

  • Cannot login with Active Directory Account

    Hello,
    I am testing SnowLeopard (10.6.1) for deployment in my labs for the Spring 2010 semester. We use local home directories. This is a brand new fresh install of SL, on a freshly formatted Hard Drive.
    When bound to Active Directory I can get any AD account that I've tested (5 different accounts) to authenticate except one, which happens to be my own personal AD account.
    The secure.log shows these entries when I attempt to login:
    Oct 9 14:18:29 mac-0017f20fc40 SecurityAgent[209]: User info context values set for ctarbox
    Oct 9 14:18:29 mac-0017f20fc40 authorizationhost[208]: Failed to authenticate user <ctarbox> (tDirStatus: -14090).
    Considering that I could log in with other accounts, and after resetting my AD password then still not being able to authenticate, I came to the conclusion that I had a corrupt OU in Active Directory.
    I contacted one of our AD admins and had him delete both of my AD accounts: ctarbox and ctarbox1 then recreate both accounts. I still cannot login to AD with my ctarbox account.
    I can still login to my current lab machines anywhere on campus running 10.5.8 with ctarbox.
    I am baffled by this. I have been authenticating to Active Directory since 10.1 and have never seen anything like this.
    Any idea, anyone?
    Cheryl Tarbox
    Macintosh Support Specialist
    Binghamton University

    I have found the solution to my problem. I have accounts in two different domains in our AD tree. I'll call these domains Domain A and Domain B.
    Domain A is the primary domain for authentication to our public computing labs.
    Domain B is a secondary domain for authentication to shared resources for faculty/staff.
    Both accounts have the same user ID, but different passwords. In my Directory Utility > Advanced > Administrative window I have the option "Allow authentication from any domain in the forest" checked.
    With this option checked, Directory Utility in 10.6.1 will allow me to authenticate to Domain B, but not Domain A.
    With this option checked in Directory Utility in 10.5.8, just the opposite takes place: I can authenticate to Domain A, but not Domain B.
    It seems that somewhere in the upgrade to 10.6.1 the search policy for Active Directory has changed. My workaround is to uncheck this option and specifically choose Domain A in the search policy.

  • EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

    This is for information to help others
    KEYWORDS:
      - Sharing EFS encrypted files over a personal LAN / WLAN / wifi AP network
      - Access denied on create new file / new folder on encrypted EFS network file share remote mapped folder
      - transfer encryption keys / certificates
      - set trusted delegation for user + computer for EFS encrypted files via Kerberos
      - Windows Active Directory vs network file share
      - Setting up a WebDAV server on Windows 7 Pro / Ultimate
    It has been a long painful road to discover this information.
    I hope sharing it helps you.
    Using EFS on Windows 7 pro / ultimate is easy and works great. See
    here and
    here
    So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
    HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network won't work (unless you follow the steps below).
    Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers, which happen to have a few folders encrypted using Windows EFS. I had this issue trying to use GoodSync.
    Typically an "Access Denied" error message is thrown when a \\clientpc tries to create a new folder / new file in an encrypted folder on a remote file share \\fileserver.
    Why such a EFS drama when a network is involved?
    Assume a home peer-to-peer network with 2pc:  \\fileserver  and  \\clientpc
    When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation, it is because the process on \\fileserver that is answering the network requests is a process working for a user on another machine (\\clientpc), and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using Kerberos so the process can impersonate a \\fileserver user and then use their certificate (on behalf of the clientpc's data request).
    This behaviour is confusing, as a \\clientpc can open or edit an existing EFS encrypted file or folder, it just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned, and a process doesn't have a profile or certificates assigned.
    Solutions
    There are two main approaches to solve this:
         1) SOLVE by setting up an Active Directory (EFS files accessed through file shares)
              EFS operations occur on the computer storing the files.
              EFS files are decrypted then transmitted in plaintext to the client's computer.
              This makes use of Kerberos to impersonate a local user (and use their certificate for encrypt + decrypt).
         2) SOLVE by setting up WebDAV (EFS files accessed through web folders)
              EFS operations occur on the client's local computer.
              EFS files remain encrypted during transmission to the client's local computer, where they are decrypted.
              This avoids Active Directory domains, roaming or remote user profiles and having to be trusted for delegation.
              BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or do not contain details on how to set up WebDAV for EFS file provision.
              READ BELOW as this does.
    Create new encrypted file / folder on a network file share - via Active Directory
    It is easily possible to sort this out on a domain based (corporate) Active Directory network. It is well documented. See here. However, the problem is that on a normal Windows 7 install (ie home peer-to-peer) setting up the server as part of an Active Directory domain is complicated, time consuming and bulky, adds burden to the operation of the \\fileserver computer, adds network complexity, and is generally a pain for a home user. Don't. Use WebDAV.
    Although this info is NOT for setting up EFS on an Active Directory domain [server], for those interested here is the gist:
    Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer's Properties sheet and select Trusted for delegation. To allow a user account to be delegated, open the user's Properties sheet. On the Account tab, under Account Options, clear the "The account is sensitive and cannot be delegated" check box. Do not select "The account is trusted for delegation". This property is not used with EFS.
    NB: decrypted data is transmitted over the network in plaintext, so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP), which will encrypt transmitted data.
    Create new encrypted file / folder on a network file share - via WebDAV
    For home users it is possible to make it all work.
    Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
    Setting up a wifi AP (for those less technical):
       a) START ... CMD
       b) type (no quotes): "netsh  wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
       c) type (no quotes): "netsh  wlan start hostednetwork"
    Set up a WebDAV server on Windows 7 Pro / Ultimate
    -----ON THE FILESERVER------
       1  click START and type "Turn Windows Features On or Off" and open the link
           a) scroll down to "Internet Information Services" and expand it.
           b) put a tick in: "Web Management Tools" \ "IIS Management Console"
           c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
           d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
           e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
           f) click ok
           g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
    KB892211 here ONLY for XP + Server 2003 (made in 2005)
    KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
      2 Click START and type "Internet Information Services (IIS) Manager"
      3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Enable WebDAV"
      4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
           a) on the "Anonymous Authentication" and click "Disable"
           b) on the "Windows Authentication" and click "Enable"
          NB: Some Win 7 clients will not connect to a WebDAV server using Basic Authentication.
            It can be fixed by changing the registry key:
               [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
               BasicAuthLevel=2
           c) on the "Windows Authentication" click "Advanced Settings"
               set Extended Protection to "Required"
           NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
      5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Add Allow Rule"
           b) set this to "all users". This will control who can view the "Default Site" through a web browser
           NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used to log in with on the clientpc.
           NB: Any user account specified here has to exist on the server. It has a bug in that usernames specified here are not validated on input.
      6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
           a) on the right side, under Actions, click "Enable"
    HOTFIX - double escaping
      7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
           a) on the right side, under Actions, click "Edit Feature Settings"
           b) tick the box "Allow double escaping"
         *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&".
         These folders will appear blank with no subdirectories, or these files will not be readable, unless this is ticked.
         This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or building URLs via string-concat without proper encoding). But any bug would need to be in IIS basic file serving and this has been rigorously tested by Microsoft, so very unlikely. It's safe to "Allow double escaping".
      8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
           a) set the Alias to something sensible eg "D_Drive", set the physical path
           b) it is essential you click "connect as" and set this to a local user (on fileserver),
           if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
                 NB: the user account selected here must have the required EFS certificates installed.
                            See here and here
            NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
          This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
           The work around is on the \\fileserver create an NTFS symbolic link
              e.g. to share the entire contents of "D:\",
                    on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                    in cmd in this folder create an NTFS symbolic link to "D:\"
                    so in cmd type "cd c:\inetpub\wwwroot"
                    then in cmd type "mklink /D D_Drive D:\"
            NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
             NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart clientpc
      9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
           a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
           b) if some exist review existing allow or deny.
               Take care to not only review the "allow access to" settings
               but also review "permissions" (read/write/source)
           NB: this can be set here for all added virtual directories, or can be set under each virtual directory
      10 Open your firewall software and/or your router. Make an exception for port 80 and 443
           a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
                 choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
              NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems + fixes" below, specifically "Can't find server due to network location"
           b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
    HOTFIX - MAJOR ISSUE - fix KB959439
      11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
          a) On Windows 7 you need only change one tiny registry value:
               - click START, type "regedit", open link
               - browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
               - on the EDIT menu click NEW, then click DWORD Value
               - type "DisableEFSOnWebDav" to name it (no speech marks)
               - on the EDIT menu, click MODIFY, type 1, then click OK
               - You MUST now restart this computer for the registry change to take effect.
          b) On Windows Server 2008 / Vista / XP you'll FIRST need to download Windows6.0-KB959439 here. Then do the above step.
             NB: Microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
      12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
                It should show the default "IIS7" image.
                If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"           
            c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                    e.g. http://localhost/D_drive
                If nothing is listed, check "Directory Browsing" is enabled
      13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
                  eg if your server's computer name is "fileserver" go to "http://fileserver:80"
                  It should show the default "IIS7" image. If not, check firewall and port blocking.
                  Any issue, i.e. if (12) works but (13) doesn't, will indicate a possible firewall issue or router port blocking issue.
           c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
                   eg if alias is "C_drive" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
                   A directory listing of files should appear.
    --- ON EACH CLIENT ----
    HOTFIX - improve upload + download speeds
      14 Click START and type "Internet Options" and open the link
            a) click the "Connections" tab at the top
            b) click the "LAN Settings" button at the bottom right
            c) untick "Automatically detect settings"
    HOTFIX - remove 50mb file limit
      15 On Windows 7 you need only change one tiny registry value:
          a) click START, type "regedit", open link
          b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
          c) click on "FileSizeLimitInBytes"
          d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
    HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
     16 On each clientpc click START, type "Internet Options" and open it
             a) click on "Security" (top) and then "Custom level" (bottom)
             b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
             SUCH an easy fix. SUCH an annoying problem on a clientpc
       NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is considered a "web folder" by windows explorer.
    TEST SETUP
      17 On the client use the normal "map network drive"
                e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
                e.g. CMD: net use * "http://fileserver:80/C_drive"
             If it doesn't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the fileserver the elected impersonation user that the client is logging in with (clientpc "manage network passwords") has NTFS permissions.
      18 Test that EFS is now working over the network
           a) On a clientpc, map network drive to http://fileserver/
           b) navigate to a folder you know on the \\fileserver is encrypted with EFS
           c) create a new folder, create a new file.
               IF it throws an error, check carefully you mapped to the WebDAV and not file share
                  i.e. mapped to "http://fileserver" not "\\fileserver"
               Check that on clientpc the required EFS certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
           d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobbledygook
           e) on clientpc copy an encrypted EFS file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobbledygook (ie the clientpc decrypted it then copied it).
            If this fails, it is likely that in IIS on the fileserver one of the shared virtual directories is set to "pass through authentication" when it should be set to "connect as"
            If this is not readable check step (11) and that you restarted the \\fileserver computer.
      19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
          a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
                If a prompt for user+pass then check hotfix (16)
      20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
          a) see the last comment at the very bottom of this page:
    Points to consider:
       - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't either.
      - CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
    MORE INFO: HOTFIX: RAW DATA TRANSFERS
    More info on step (11) above.
    Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
    it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
    Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
    Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
    Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
    file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
    There is a fix:
          It is implemented above, see (11) above
          Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
    Other problems + fixes
      PROBLEM: Can't find server due to network location.
         This one took me a long time to track down to "network location".
         Win 7 uses network locations "Home" / "Work" / "Public".
         If no gateway is specified in the IP address, the network is set to "unidentified" and so receives "Public" settings.
         This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
         FIX = either set IP address manually and specify a gateway
         FIX = or force "unidentified" network locations to assume "home" or "work" settings - read here or here
         FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows login to gain file access.
      PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
           By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
          Read here (I've posted a batch script to automatically make the required reg files)
    I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.
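A client-side checker for the registry, service and URL tests in steps 11 to 15 of the post above, written here as an added example (it is not the original poster's code). It assumes the registry paths and value names the post quotes, and uses the post's "fileserver" and "C_drive" names as placeholders for your own server and alias.

```powershell
# Added example, not part of the original post: audits (and with -Apply sets)
# the two client-side registry values from steps 11 and 15, then checks the
# WebClient service and the test URLs from steps 12/13. Run in an elevated
# PowerShell on the client PC; a reboot is still needed after changing
# DisableEFSOnWebDav. "fileserver" / "C_drive" are the post's example names.
$WebDavSettings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters'
       Name = 'DisableEFSOnWebDav';   ExpectedHex = '00000001' }  # step 11 (KB959439)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\WebClient\Parameters'
       Name = 'FileSizeLimitInBytes'; ExpectedHex = 'FFFFFFFF' }  # step 15 (50 MB limit)
)

function Test-WebDavClientSettings {
    param([switch]$Apply)
    foreach ($s in $WebDavSettings) {
        $current = $null
        if (Test-Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Name `
                        -ErrorAction SilentlyContinue).($s.Name)
        }
        # REG_DWORD is read back as a signed Int32, so 0xFFFFFFFF appears as -1;
        # formatting it as X8 recovers the raw bit pattern for the comparison.
        $currentHex = if ($null -ne $current) { '{0:X8}' -f [int32]$current } else { '(missing)' }
        $compliant = ($currentHex -eq $s.ExpectedHex)
        if (-not $compliant -and $Apply) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            # Parse as a signed hex Int32 (FFFFFFFF -> -1) so all 32 bits are stored.
            $value = [int32]::Parse($s.ExpectedHex, 'HexNumber')
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $value -Type DWord
            $currentHex = $s.ExpectedHex; $compliant = $true
        }
        New-Object PSObject -Property @{
            Name = $s.Name; Current = $currentHex
            Expected = $s.ExpectedHex; Compliant = $compliant
        }
    }
}

function Test-WebDavClientService {
    # Steps 12a/13a: mapping an http:// path needs the WebClient service running.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'WebClient service not present' }
    return "WebClient is $($svc.Status)"
}

function Test-WebDavUrl {
    param([string]$Url)
    try {
        $wc = New-Object System.Net.WebClient
        $wc.UseDefaultCredentials = $true      # same idea as the step 16 auto-logon
        [void]$wc.DownloadString($Url)
        return "OK: $Url answered"
    } catch {
        # Step 12b vs 13b: failure on localhost points at IIS (authorization rules,
        # directory browsing); failure only by hostname points at firewall/router.
        return "FAILED: $Url - $($_.Exception.Message)"
    }
}

Test-WebDavClientSettings | Format-Table Name, Current, Expected, Compliant -AutoSize
Test-WebDavClientService
Test-WebDavUrl 'http://localhost/'
Test-WebDavUrl 'http://fileserver:80/C_drive'
```

Run it first without -Apply to see which values differ from the post's recommended settings, then with `Test-WebDavClientSettings -Apply` to set them.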

    What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?

  • Error while trying to provision OIM user to Active Directory using SSL

    Hi All,
    I am able to see the users through LDAP browser using SSL but am getting the following error while trying to provision OIM users to AD using SSL.
    I am using Microsoft Active Directory connector type 9.11.
    Response: Connection Error encountered
    Response Description: Error encountered while connecting to target system
    I did some testing using "Diagnostic Dashboard" and the following are the results.
    Test Name: Target System SSL Trust Verification: Passed
    Test Name: Test Basic Connectivity: Failed
    Exceptions:
    ITResource information values are not correct. Enter the correct values.
    java.lang.reflect.InvocationTargetException
    javax.naming.CommunicationException: simple bind failed:
    unable to find valid certification path to requested target.
    Test Name: Test Provisioning: Failed
    Note: Without SSL all the above tests got Passed.
    Can anybody help me out with this issue.
    Thanks in advance.
    Pradeep Kumar.

    I am able to connect to AD using 636 port number from LDAP browser and as the following test got Passed I think that my certificate should be correct.
    Test Name: Target System SSL Trust Verification.
    Input Parameters
    Target System: idm.orademo.com
    Port: 636
    Certificate Store Location: /usr/java/jdk1.6.0_14/jre/lib/security/cacerts
    Result : Passed
    ITResource Values:
    ADAM LockoutThreshold Value     
    ADGroup LookUp Definition     Lookup.ADReconciliation.GroupLookup
    Admin FQDN     cn=Administrator,cn=Users,dc=orademo,dc=com
    Admin Password     *******
    Allow Password Provisioning     yes
    AtMap ADGroup     AtMap.ADGroup
    AtMap ADUser     AtMap.AD
    Invert Display Name     no
    Port Number     636
    Remote Manager Prov Lookup     AtMap.AD.RemoteScriptlookUp
    Remote Manager Prov Script Path     
    Root Context     dc=orademo,dc=com
    Server Address     idm.orademo.com
    Target Locale: TimeZone     GMT
    UPN Domain     orademo.com
    Use SSL     yes
    isADAM     no
    isLookupDN     no
    isUserDeleteLeafNode     no
    Thanks & Regards,
    Pradeep Kumar.

  • Active Directory user passwords on mobile account with File Vault

    Hi all,
    I enabled file vault when I moved to my MacBook Pro. I joined the computer to the domain (after enabling file vault), and logged in with my domain account, creating a managed, mobile account so that I could use the computer when not connected to the domain.
    Active Directory has forced a change in my password for the domain account but I cannot get the password on the Mac to change the password and sync with the domain.
    My account (the one with the changed network password) on the Mac is a standard user account. When I open system preferences, go to Security & Preferences, General, click on the lock to unlock and allow change and then click Change Password..., I receive the following error message after going through the steps to change the password:
    The password for the account "user" was not changed. There was a problem with your password. It's possible your system administrator doesn't allow you to change your password. Contact your system administrator for help.
    For Old Password, I used the old network password, the one that I use to log into the Mac. For New Password, I used my new, current password.
    The same result happens when I attempt to change the password from the Users & Groups section of the System Preferences.
    I have logged out and logged in with the user account that is identified as the admin and get a similar (same ?) error when attempting to change the password.
    Any suggestions? How do I get the passwords to be one so that I can forget the old password?

    Thanks for your insights.
    The Tech Tool report happened after AppleJack, and never showed up before that. Restarting again just now, it showed up again.
    I had not emptied the trash, but did now, and the 'get info' on my hard drive still shows that I have used nearly all of my 160 GB.
    Re Disk Warrior: I do have it and just ran it. I emptied trash again and checked to see available disk space: I have 2.47 GB, so the problem still exists.
    Here is the disk warrior report for the first part of its tests:
    DiskWarrior has successfully built a new optimized directory for the disk named "Hildegarde." The new directory is
    ready to replace the original directory.
    There is not enough contiguous free space for a fail-safe replacement of the directory. It is highly recommended that
    you create 204 MB of contiguous free space before replacing the original directory.
    All file and folder data was easily located.
    Comparison of the original and replacement directories indicates that there will be changes to the number, the
    contents and/or the attributes of the files and folders. It is recommended that you preview the replacement
    directory and examine the items listed below. All files and folders were compared and a total of 14,627,488
    comparison tests were performed.
    • Errors, if any, in the directory structure such as tree depth, header node, map nodes, node size, node counts, node
    links, indexes and more have been repaired.
    • 1 folder had a directory entry with an incorrect custom icon flag that was repaired.
    Disk Information:
    Files: 552,652
    Folders: 131,014
    Free Space: 2.47 GB
    Format: Mac OS Extended
    Block Size: 4 K
    Disk Sectors: 321,410,736
    Media: HDT722516DLAT80
    Time: 11/28/08 6:54:19 PM
    DiskWarrior Version: 4.1
