Enable the UAC settings for Domain Controller / Member servers and for end user systems
Hi
We are working on hardening the security of all Domain Controllers / Member Servers and end user systems. As part of it we would like to know the best practice for UAC settings for each of these servers. There are 8 settings related to UAC, and as of now we have configured just "User Account Control: Behavior of the elevation prompt for standard users" as disabled for the servers OU. We are also not sure about the other settings and how they affect normal operations like installing Windows updates / applications through SCCM or manually on servers or end user systems, and other things.
We are looking for experts' opinions on this. Thanks in advance
LMS
Hi LMS,
Would you please let us know the current situation? Just check whether Martin's suggestion was helpful for you.
If there are any updates, please feel free to let us know.
One additional note: please refer to the User Account Control grouping in the following article. It provides links about the different UAC settings. Please click those links and read the related articles. These articles provide security considerations that may help you configure those settings.
Security Options
http://technet.microsoft.com/en-us/library/jj852268.aspx
Hope this helps.
Best regards,
Justin Gu
Similar Messages
-
Windows 2012 Verification of prerequisites for Domain Controller promotion failed
Windows 2012 Verification of prerequisites for Domain Controller promotion failed and gave the below error (in Computer Management the Local Users and Groups option is not there, as suggested by a solution!)
"Verification of prerequisites for Domain Controller promotion failed. The local Administrator account becomes the domain Administrator account when you create a new domain. The new domain cannot be created because the local Administrator account password does not meet requirements.
Currently, the local Administrator password is blank, which might lead to security issues. We recommend that you press Ctrl+Alt+Delete, use the net user command-line tool, or use Local Users and Groups to set a strong password for the local Administrator account before you create the new domain."
OK, the reason you see this error is because when you set up and configured your Windows R2 environment you may have logged into the OS with an account other than Administrator. So, if you created your log in account named Bob, this is throwing off the Server.
So, hit Ctrl-Alt-Delete, and look who you are logged in as, and then change the account you are logging in as and use the local Administrator account. What you may find is that the default Admin account password has not been set.
Check that out and see if that is what you are experiencing.
Best wishes -
My question is regarding SharePoint 2013 Farm topology. If I want to go with Streamlined topology and have (2 distributed cache and Rm servers + 2 front-end servers + 2 batch-processing servers + cluster SQL server), then how will the distributed servers connect to the front-end servers? Can I use the Windows 2012 NLB feature? If I use NLB, do I need to install NLB on all distributed servers and front-end servers and split out services? What would the configuration be for my scenario?
Thanks in advance!
For the Distributed Cache servers, you simply make them farm members (like any other SharePoint servers) and turn on the Distributed Cache service (while making sure it is disabled on all other farm members). Then, validate that no other services (except for the Foundation Web service, due to ease of solution management) are enabled on the DC servers and that no end user requests or crawl requests are being routed to the DC servers. You do not need/use NLB for DC.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
when opening the iCloud settings I do not see an option for the iCloud T&Cs (OS 10.8 & iOS6)
which Apple says should appear automatically once the update is completed...
I am perplexed where you read that. It isn't true. The iPad is synced to the data available to all devices using the iCloud account if you have authorized it in the settings; PhotoStream, Contacts, Mail, Calendars, etc. That is how the iCloud works. -
I cannot configure a Gmail account on my iPad 3. I enabled the IMAP settings in the Gmail configuration.
Using the mail configuration manager, one of the choices is GMAIL. Using this way I did not.
I used another way, using the MICROSOFT EXCHANGE option with m.google.com as the server. It works, but it is rudimentary.
Help me please.
Good article about setting this up:
http://hints.macworld.com/article.php?story=2008041016554622
Hope that helps! -
Time sync monitor for all windows member servers
How can we monitor time sync issues on all the member servers and domain controllers? Can we monitor this through SCOM 2007 R2? Especially, we need an alert when all the member servers are not in time sync.
B John
There is no monitor for exactly your ask.
The AD management pack includes a Time Service Health monitor for DCs that makes sure the time service is running:
http://social.technet.microsoft.com/Forums/en-US/0c921fa7-45ed-4bee-8f53-c92c750f6cbf/scom-module-for-monitoring-time-sync-issues?forum=operationsmanagergeneral
Here is my "domain time tip:"
Select your preferred time server from this list
http://tycho.usno.navy.mil/NTP/. For example 'tick.usno.navy.mil'.
Then run these commands on your PDC emulator of the domain:
W32tm /config /syncfromflags:manual /manualpeerlist:"<DNS-name-of-time-server>"
W32tm /config /reliable:yes
W32tm /config /update
W32tm /resync
Net stop w32time
Net start w32time
If you execute these commands, AD defaults will cause all your member servers to discover the domain time standard and update to it.
Good luck,
John Joyner MVP-SC-CDM -
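One way to check each server's offset against the domain time source after applying the commands above, as an added example that is not part of the original thread or of SCOM. The host names, the 60-second threshold and the sample output are constructed, and the parser assumes the `/dataonly` line format `HH:MM:SS, +00.0012345s`.

```powershell
# Added example: classify servers by clock offset from the PDC emulator.
# Input is the output of the following command, run ON each server:
#   w32tm /stripchart /computer:<pdc-emulator> /samples:1 /dataonly
# Assumption: data lines look like "00:54:06, +00.0012345s" and failures
# look like "00:54:06, error: 0x800705B4". All names below are constructed.

function Get-StripchartOffset {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null  # no sample line: time source unreachable or not answering
}

function Get-TimeSyncStatus {
    param(
        [string]$ComputerName,
        [string[]]$StripchartOutput,
        # Constructed alert threshold, well below the 5-minute Kerberos
        # default clock-skew tolerance so drift is caught before logons fail.
        [double]$MaxOffsetSeconds = 60
    )
    $offset = Get-StripchartOffset -Lines $StripchartOutput
    if ($null -eq $offset) {
        $status = 'NoData'
    } elseif ([math]::Abs($offset) -gt $MaxOffsetSeconds) {
        $status = 'Drift'
    } else {
        $status = 'OK'
    }
    [pscustomobject]@{
        Computer      = $ComputerName
        OffsetSeconds = $offset
        Status        = $status
    }
}

# Constructed sample output for three hypothetical member servers.
$header = @(
    'Tracking dc01.example.test [192.0.2.10:123].',
    'Collecting 1 samples.',
    'The current time is 1/14/2014 12:54:06 AM.'
)
$samples = [ordered]@{
    'member01' = $header + '00:54:06, +00.0012345s'      # in sync
    'member02' = $header + '00:54:07, -95.4410021s'      # drifted
    'member03' = $header + '00:54:08, error: 0x800705B4' # no answer
}

$samples.GetEnumerator() | ForEach-Object {
    Get-TimeSyncStatus -ComputerName $_.Key -StripchartOutput $_.Value
} | Format-Table -AutoSize

# Live use (replaces the constructed samples), assuming PowerShell remoting:
#   $out = Invoke-Command -ComputerName $name -ScriptBlock {
#       w32tm /stripchart /computer:dc01.example.test /samples:1 /dataonly }
```

Rows with status `Drift` or `NoData` are the ones to alert on; `NoData` usually means the server could not reach the time source at all.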
Question?
I have accidentally deleted a large number of developed images in Lightroom before I did a backup. I reimported the original raw files back into Lightroom hoping the develop settings would be re-established, but no luck. I notice the system may have done an auto-backup, as I have an lrcat-journal file. Can I use this to restore my develop settings? I also have JPGs generated from all the deleted images.
Hello,
if you have a backup of your catalog you can do the following:
1. Backup your catalog first
2. Restore your backup catalog to some location
3. Open your current catalog and select "files->import from another catalog".
4. Select your backup catalog and your lost images. LR asks you if you want to overwrite the current settings or save them as a virtual copy.
As an alternative, you can open your backup catalog, select the "lost" images and save the development settings as XMP sidecar files (using Ctrl-S). Then open your current catalog, select the images and use "Metadata->Read Metadata from files".
-
I create an ID. On the review option, when I enter my Visa card and security code, it always gives the error message "Invalid Security code". But I use this code to withdraw money from ATMs and for shopping as well. Please tell me the solution.
The code they are asking for is the last three digits of the number on the back of the card (you don't use this when using an ATM or presenting the card in shops).
-
The customized settings on my toolbar periodically disappear, and I have to re-set them. How can I avoid this nuisance?
If you mean you're about to perform a restore from a backup to a new device, it depends on the app. Some will retain their passwords, some will not. That's my experience.
-
how do I enable the feature that allows you to left-click and drag cursor left to be same as back button?
Do you mean something like clippings?
*Clippings: https://addons.mozilla.org/firefox/addon/clippings/ -
When downloading application updates, which are over a GB, my MacBook Air keeps logging me out and I have to start the download over. I have the power settings set to never turn off, and the display set to never go to screen saver. Any suggestions?
I have had the exact same problem/situation for a few days.
I have not installed a program lately.
Any progress, Voratima?
Software Mac OS X Lion 10.7.5 (11G63) -
Help with setting up active directory domain controller/DNS - need this for Clustering
Disclaimer: I am new to Active Directory, so please don't rule out the obvious things I may have overlooked.
I need to set up Active Directory Domain controller on at least one server so I can run clustering. I set up the domain controller and ran Cluster validation and that failed - unable to reach writable domain controller.
When I look at my server manager AD DS complain about DNS:
NASE-2012-234 4015 Error Microsoft-Windows-DNS-Server-Service DNS Server 1/14/2014 12:54:06 AM
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
When I click on DNS this is the error:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
Output of DCDiag -v is below.
PS C:\Users\Administrator> dcdiag -v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine NASE-2012-234, is a Directory Server.
Home Server = NASE-2012-234
* Connecting to directory service on server NASE-2012-234.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=
ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=nas
e,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntD
SDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=NASE-2012-234,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=lab,DC=nase,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\NASE-2012-234
Starting test: Connectivity
* Active Directory LDAP Services Check
The host c0c507c4-fb9b-49a6-9a01-ef79d7960c94._msdcs.lab.nasecom could not be resolved to an IP address.
Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... NASE-2012-234 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\NASE-2012-234
Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : lab
Starting test: CheckSDRefDom
......................... lab passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... lab passed test CrossRefValidation
Running enterprise tests on : lab.nasecom
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
PDC Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
Time Server Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
Preferred Time Server Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
KDC Name: \\NASE-2012-234.lab.nasecom
Locator Flags: 0xe000f3fd
......................... lab.nase.com passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
provided.
......................... lab.nasecom passed test Intersite
PS C:\Users\Administrator>
http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS is the forum for Directory Services questions. You might want to post your question there.
.:|:.:|:. tim -
Which Server Version for Domain Controller do I Need
Hello
We are currently running two domain controllers with Server 2003 on them. We have a standard TCP/IP star topology networking including web servers, files servers, sql, iis etc.
We are upgrading 5 of our servers to 2012r2 and are using them as "host" servers for upgraded IIS (2012r2) and WebGrabber (2008r2) servers and these servers will be set up as virtual machines (the IIS and web grabbers) on the hosts.
My question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V? Should we upgrade our Domain Controllers and if so to what version? 2008r2 or 2012r2?
Thanks!
Theresa Greene
My question is will using Windows Server 2003 domain controllers cause issues in the advanced settings in 2012r2 and Hyper-V? Should we upgrade our Domain Controllers and if so to what version? 2008r2 or 2012r2?
At least Windows Server 2012
I highly recommend to upgrade the Domain Controllers to at least Windows Server 2012.
Besides the new functionality described by others in this thread, Windows Server 2012-based Domain Controllers (and beyond) offer virtualization safeguards, building on the VM-GenerationID offered by your new virtualization platform. This functionality helps to protect your Domain Controllers from USN rollbacks and Lingering Objects. It also unlocks the Domain Controller Cloning functionality, that may help you deploy your five Domain Controllers faster and more streamlined.
More information:
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe, Part 1
Cases where VM-GenerationID doesn’t help make Active Directory virtualization-safe, Part 2
Getting to Windows Server 2012
In terms of getting your Active Directory to Windows Server 2012, there's good news and slightly bad news. The bad news is you can't in-place upgrade your Domain Controllers to Windows Server 2012. The good news: this makes the transition scenario more appealing.
Instead of upgrading your Domain Controllers on their physical hardware and then converting them to virtual machines, you can build new virtual Windows Server 2012 Domain Controllers while your Windows Server 2003 Domain Controllers remain running.
Then, when you're ready to get rid of your Windows Server 2003 Domain Controllers, you simply demote them and remove them from your network. I've written a detailed step-by-step on this:
Transitioning your Windows Server 2003 Domain Controllers to Windows Server 2012
-
Certificate for Domain Controller Will not import
Hi,
I am having an issue importing a Certificate .crt file on a Windows Server 2008 R2 Domain Controller. The Certificate is needed for migrating our 2003 Domain Controllers to 2008r2. When I try to use the command line to import the certificate using the following:
I receive the following output:
Cannot find object or property. 0x80092004 (-2146885628)
I also tried this command
certreq.exe -accept hostname.crt -machine and received the same error.
When I try to import the Certificate using the GUI it works but there is no "private key" found.
The Certificate was issued from Digicert.
Does anyone know how to resolve this so my certificate imports correctly with a private key intact?
Thanks,
Kevin C.
Here are the steps as explained by Digicert:
How to Import and Export your SSL Certificate
https://www.digicert.com/import-export-ssl-certificate.htm
Note that I've used Digicert and haven't had a problem with the private key. If the private key's missing, there will be missing functionality. And also note, that Digicert's tech support is free and they are actually pretty good and can help almost immediately
as soon as you call them. They've helped me a number of times.
Give them a call 24/7: 1.801.701.9600
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Is there a way to enable the "protect tones" box while working in Lab Color mode for dodging and burning?
Don't think so. Those algorithms are built around the RGB color model as far as I know and there is no way to achieve the same result in other color modes. It may not be programmatically and mathematically impossible, but it's probably too complicated for a quick solution due to constant color space conversion math getting involved.
Mylenium