Find active service accounts

I inherited an Exchange 2010 environment that was upgraded from Exchange 2003.  I believe there is at least one Exchange service account that is not needed, is a domain admin, and I'd like to remove.  What is the best way to determine this without just disabling it and seeing what happens?

Exchange hasn't used service accounts since Exchange 5.5.  I'd check to see which accounts are both members of the domain admins group, have Exchange Full Admins rights, and are service accounts.  And I'd disable it.
However, I get the feeling that you have applications that use service accounts?  I'd still do the above, but then I'd turn on Exchange's auditing (both mailbox and administrative) and check to see what actions that account was being used for. 
(Admin auditing is set with Set-AdminAuditLogConfig, and mailbox auditing is set with Set-Mailbox -AuditEnabled:$True ...)
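
One way to collect the evidence this answer describes before disabling anything, as an added example that is not part of the original thread. The account name `svc-exch` and the mailbox `shared-mailbox` are hypothetical placeholders, and the script assumes an Exchange Management Shell session (2010 SP1 or later) on a host that also has the ActiveDirectory module.

```powershell
# Added example, not from the thread.
Import-Module ActiveDirectory

$Account = 'svc-exch'         # hypothetical sAMAccountName of the suspect account
$Mailbox = 'shared-mailbox'   # hypothetical mailbox the account may be touching
$Since   = (Get-Date).AddDays(-30)

# 1. Confirm the privilege: Domain Admins membership, including nested groups.
$isDomainAdmin = [bool](Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $Account })

# 2. Authentication evidence from the directory. LastLogonDate is derived from
#    lastLogonTimestamp, which replicates lazily and can lag by up to two weeks,
#    so a recent date proves use but an old date alone does not prove disuse.
Get-ADUser -Identity $Account -Properties LastLogonDate, PasswordLastSet, ServicePrincipalNames |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
        @{ n = 'DomainAdmin'; e = { $isDomainAdmin } },
        @{ n = 'SPNs';        e = { $_.ServicePrincipalNames -join '; ' } }

# 3. Turn on the two Exchange audit sources named in the answer.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Set-Mailbox -Identity $Mailbox -AuditEnabled $true

# 4. After an observation window, see which cmdlets the account actually ran...
Search-AdminAuditLog -UserIds $Account -StartDate $Since -EndDate (Get-Date) |
    Group-Object CmdletName |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# ...and which non-owner mailbox operations were logged on the audited mailbox.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin, Delegate -ShowDetails `
        -StartDate $Since -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation, OperationResult
```

Steps 3 and 4 are separated by however long the environment's slowest recurring job takes to run; an empty result after that window is the evidence that the account is unused by Exchange.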

Similar Messages

  • How to upgrade firmware on Curve 8520 from v4.6 - v5 (don't have active Blackberry service account)

    Hello
    I have a Blackberry Curve 8520 running v4.6 firmware. I see 5.0 Bundle 1168 (v5.0.0.681 firmware is available, platform 5.2.0.67), but I can't install it because I don't have an active service account. I get that error when I try upgrade it using USB cable and the Blackberry desktop software.
    Any ideas how to upgrade or create and register one of these active service accounts?
    I need to upgrade so that I can use USB MTP (which is not present in the current v4.6 firmware)
    Many thanks
    rich

    Hi and Welcome to the Community!
    From your post, I cannot quite tell the specific process you are attempting...so I will give you everything...
    The simplest way is to, on a PC (you cannot do this on MAC):
    1) Make sure you have a current and complete backup of your BB...you can find complete instructions via the link in my auto-sig below.
    2) Uninstall, from your PC, any BB OS packages
    3) Make sure you have the BB Desktop Software already installed
    http://us.blackberry.com/software/desktop.html
    4) Download and install, to your PC, the BB OS package you desire:
    http://us.blackberry.com/support/downloads/download_sites.jsp
    It is sorted first by carrier -- so if all you want are the OS levels your carrier supports, your search will be quick. However, some carriers are much slower than others to release updates. To truly seek out the most up-to-date OS package for your BB, you must dig through and find all carriers that support your specific model BB, and then compare the OS levels that they support.
    5) Delete, on your PC, all copies of VENDOR.XML...there will be at least one, and perhaps 2, and they will be located in or similarly to (it changes based on your Windows version) these folders:
    C:\Program Files (x86)\Common Files\Research In Motion\AppLoader
    C:\Users\(your Windows UserName)\AppData\Roaming\Research In Motion\BlackBerry\Loader XML
    6) Disconnect your PC from the internet and turn off all radios on your BB (consider also removing the SIM...not likely necessary, but just in case)
    7a) For changing your installed BB OS level (upgrade or downgrade), you can launch the Desktop Software and connect your BB...the software should offer you the OS package you installed to your PC.
    7b) Or, for reloading your currently installed BB OS level as well as for changing it, bypass the Desktop Software and use LOADER.EXE directly, by proceeding to step 2 in this process:
    http://supportforums.blackberry.com/t5/BlackBerry-Device-Software/How-To-Reload-Your-Operating-Syste...
    Note that while written for "reload" and the Storm, it can be used to upgrade, downgrade, or reload any BB device model -- it all depends on the OS package you download and install to your PC.
    If, during the processes of 7a or 7b, your BB presents a "507" error, simply unplug the USB cord from the BB and re-insert it...don't do anything else...this should allow the install to continue.
    Good luck and let us know!
    Occam's Razor nearly always applies when troubleshooting technology issues!

  • Use service accounts at AlwaysOn Availability Groups

    Valued readers,
    We have an AlwaysOn Availability Group consisting of 2 SQL servers. Both servers have their own service account for the SQL services. I read in all sorts of documents on the internet that it is recommended that the SQL service account on all servers within the same availability group are using the same service account. This would have to do with registering the SPN of the virtual server for Kerberos. What impact does it have if I don’t change the service account?

    Hello Sean,
    No I do not think so. Do you mean this :
    “Find your service account and hit the Security tab
    Select “SELF” in the “Groups or user names” listbox
    Find “Write public information” in the “Permissions for SELF” listbox and check “Allow”
    After, you’ll need to restart SQL Server for the SPN to register. Use setspn -l domain\account to verify that the account has properly registered.”
    Should you also register the virtual server name? And what about if you use different service accounts?
    With best regards, Albert

  • SCVMM 2008 R2 - "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS)."

    I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
    "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
    Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
    ID: 2607"
    What I've seen online is that this is usually because the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
    1) My SCVMM service account is a local admin on the SCVMM server
    2) My SCVMM service account is a dbowner on the SCVMM database in SQL
    3) My SQL service account is a dbowner on the SCVMM database in SQL
    4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
    5) Neither service account is locked out
    Has anyone run in to this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
    Andrew Topp

    That answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG as suggested by 331951, and that made absolutely no difference.
    1) My SCVMM service account is a local admin on the SCVMM server
    2) My SCVMM service account is a dbowner on the SCVMM database in SQL
    3) My SQL service account is a dbowner on the SCVMM database in SQL
    4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
    The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution?

  • Query to Find what SQL Server services running, what status and with what service account

    I need to check what SQL Server services are running (engine, agent, IS, AS, RS, browser and Full text) and what is the present status and what service accounts are being used by them on several servers in a single shot.
    Could anyone help me in finding a good script for the same?

    I have been looking for the same thing, the issue I am running into is finding the Actual Service Name.  I know this question is old, and I personally do not understand the reply.
    So far I have the following:
    -- Holds the logon account read from the service's registry key
    DECLARE @ServiceAccount NVARCHAR(128);
    SET @ServiceAccount = N'No Return Value';
    -- MsDtsServer100 (SSIS)
    EXEC master.dbo.xp_regread
        N'HKEY_LOCAL_MACHINE',
        N'SYSTEM\CurrentControlSet\services\MsDtsServer100',
        N'ObjectName',
        @ServiceAccount OUTPUT;
    -- ObjectName is the account the service runs as
    SELECT @ServiceAccount AS ServiceAccount;
    I am still looking for the correct service naming for Analysis Services, Distributed Replay Client, Distributed Replay Controller

  • Creating Active Directory Accounts for vSphere 5.1 Services

    To set up the management pieces of vSphere, I need to have an account or accounts created in Active Directory.  I need to determine how many to create and what permissions they need.
    In Single Sign on Server, I need to choose an account that vCenter server will use when it connects to SSO.  I can use the default admin@system-domain.  Or I can add an account that is configured in Active Directory.  Or, I can also use an active directory group instead of an individual user.  What is the best way to do this and if I use an AD account, what permissions does it need at the domain level and at the local level on the Single Sign on Server?  (I'm using multisite mode, so I can't use local accounts)
    In SQL Server, I need to choose an account to use for the SQL server service.  Should this account be an active directory account or a local user account?  If so, what permissions should be assigned to the account in Active Directory and what permissions should be assigned to it on the local machine?  What AD group, if any should it be a part of?  What local permissions does it need?
    In vCenter Server, I need to choose an account to run the "vCenter Server Service" in.  Is it best to use the default "system" account or to use an account from Active Directory, or a local account?
    I'm trying to get a big picture of an AD account/group strategy to use that covers the main management pieces of vSphere - vCenter Server, Single Sign on, Inventory Service, Web Client Services.
    For example, create one group called "vSphere Services", then create separate accounts for each management piece, and assign them specific permissions on specific systems.  Or create separate groups for each management piece and assign permissions to the groups.  Is it better to consolidate some of these user names or split them out?  Any experiences / suggestions welcome.  Thanks.

    Hello,
    For general services I use a service specific account within AD. This was before SSO and I use the same after SSO. SSO is used by only two services that I know about at the moment (Inventory Service and perhaps vCloud). However, there are many other service accounts that should be created. You want one account per service and I use AD for this, this way I can create a service account group and give it the appropriate roles and privileges. For example I have service accounts for:
    VMware View
    XenDesktop
    vCops
    HPSIM
    Solarwinds
    VMTurbo
    NetApp
    etc.
    One service, one service account, each with either a general role or custom role depending on access requirements to vCenter.
    For SSO, I too am waiting on general information, but I set mine up fairly basically to cover only those resources that make use of SSO. Since the vast majority of items do not use SSO, the rule still applies.  Once SSO is supported by more than one or two tools, you still need to maintain that separation.
    So I say yes, tie SSO to AD and do everything in one place, unfortunately, that is not very clear, or at least was not to me and these SSO issues are either being fixed, documented, or both.
    Best regards,
    Edward L. Haletky aka Texiwill

  • How to find out what service account is assigned to sharepoint services?

    In Sharepoint 2007, I would like to find out whether a particular service account is used or not in any of the sharepoint services. I went through the stsadm operations commands but was not able to find one - the only command is to list sharepoint services but the list does not include the service account. Any help?

    There isn't specifically a single place to determine whether a service account is used. You can check the following places:
    1. Services console (services.msc) on the server. Sort by Log On As and check if the account is used by any services.
    2. In IIS Manager (inetmgr) expand the server, expand Application Pools. For each application pool right click and select properties. On the Identity tab note the service account.
    3. In Central Administration go to Operations -> Service Accounts. One at a time, go through the Windows service (these should map to the same account you saw in the services console) and Web application pool (these should map to what you saw in IIS Manager)
    4. For search service accounts, in Central Administration go to Operations -> Services on Server. On each server running the search service click on the Office SharePoint Server Search link (MOSS only) to show the Office search service account, and Windows SharePoint Services Search (WSS and MOSS) link to show the WSS search service account and default content access account (crawl account). You can also view these accounts using stsadm -o osearch -action list and stsadm -o spsearch -action list
    Jason Warren
    @jaspnwarren
    jasonwarren.ca
    habaneroconsulting.com/Insights

  • Program to find all active services in SICF

    Hi all,
    Anyone can help me out in finding all the active services in SICF. Is there any program or transaction available for that?
    Thanks
    Senthil

    i guess this table has it
    icfservice
    Regards
    Raja

  • Finding Non Standard Service Accounts from all AD Computers / Servers

    Hi Guys,
    I am trying to get the list of all Service Accounts, which are non-standard from an AD domain network using PowerShell. The code is provided below. But it is not working (Through individual cmdlet through console, working fine.) Tried without filtering the non-standard accounts, but that also gives no output in HTML format. The HTML output is of no use.
    $Report = "c:\TEMP\Audit_Report.html"
    $Computers = Get-ADComputer -Filter 'Enabled -eq $True' | Select Name
    # Set the html formatting for the report
    $HTML = @"
    <title>Non-Standard Service Accounts</title>
    <style>
    BODY{background-color :#FFFFFF}
    TABLE{Border-width:thin;border-style: solid;border-color:Black;border-collapse: collapse;}
    TH{border-width: 1px;padding: 2px;border-style: solid;border-color: black;background-color: ThreeDShadow}
    TD{border-width: 1px;padding: 2px;border-style: solid;border-color: black;background-color: Transparent}
    </style>
    "@
    # Processes each computer in the list
    ForEach ($Computer in $Computers)
    {
        # Query each computer for its services
        Get-WmiObject -ComputerName $Computer -class Win32_Service -ErrorAction SilentlyContinue |
        # Filters out the standard service accounts
        #Where-Object -FilterScript {$_.StartName -ne "LocalSystem"} |
        #Where-Object -FilterScript {$_.StartName -ne "NT AUTHORITY\NetworkService"} |
        #Where-Object -FilterScript {$_.StartName -ne "NT AUTHORITY\LocalService"} |
        # Selects content to display in the report
        Select-Object -Property StartName,Name,DisplayName |
        # Converts the output to html format and writes it to a file
        ConvertTo-Html -Property StartName,Name,DisplayName -head $HTML -body "<H2>Non-Standard Service Accounts on '$Computer'</H2>" | Out-File $Report -Append
    }
    #Launches the report for viewing
    Invoke-Item $Report
    The HTML Output contains only :
    Non-Standard Service Accounts on '@{Name=CAP1AD-PDC}'
    Non-Standard Service Accounts on '@{Name=CAP-CLIENTXP}'
    Non-Standard Service Accounts on '@{Name=CAPCLIENTWIN8}'
    Non-Standard Service Accounts on '@{Name=CAP1AD-DB}'
    Non-Standard Service Accounts on '@{Name=BSMLAPI}'
    Requesting your valuable support.
    Thanks in advance
    Bedanta
    Thanks & Regards Bedanta S Mishra

    This is what I get when I run MY code: (I lost the format on paste but you can see the line for the title with computername.
    Non-Standard Service Accounts on 'omega'
    StartName                    Name                         DisplayName
    LocalSystem                  AdobeActiveFileMonitor10.0   Adobe Active File Monitor V10
    LocalSystem                  AdobeARMservice              Adobe Acrobat Update Service
    LocalSystem                  AdobeFlashPlayerUpdateSvc    Adobe Flash Player Update Service
    localSystem                  AeLookupSvc                  Application Experience
    NT AUTHORITY\LocalService    ALG                          Application Layer Gateway Service
    LocalSystem                  AMD External Events Utility  AMD External Events Utility
    NT Authority\LocalService    AppIDSvc                     Application Identity
    LocalSystem                  Appinfo                      Application Information
    LocalSystem                  AppMgmt                      Application Management
    NT AUTHORITY\NetworkService  aspnet_state                 ASP.NET State Service
    ¯\_(ツ)_/¯
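
A working form of the inventory this thread is attempting, as an added example that is not either poster's code. In the posted script `Select Name` leaves `$Computer` as an object, which is why the headings read `'@{Name=CAP1AD-PDC}'`: the WMI query is pointed at that literal string and its error is suppressed by `-ErrorAction SilentlyContinue`. The version below assumes the ActiveDirectory module and WMI access to each computer; the Computer, State and StartMode columns and the list of unreachable hosts are additions.

```powershell
# Added example (not the poster's code).
Import-Module ActiveDirectory

$Report = 'C:\TEMP\Audit_Report.html'   # report path used in the post

# Built-in service identities to leave out. -notcontains compares
# case-insensitively, so 'localSystem' and 'NT Authority\LocalService'
# (both appear in the output quoted above) are matched as well.
$Standard = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

# -ExpandProperty returns plain strings instead of objects with a Name property.
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty Name

$Failed = @()
$Rows = foreach ($Computer in $Computers) {
    try {
        Get-WmiObject -ComputerName $Computer -Class Win32_Service -ErrorAction Stop |
            Where-Object { $_.StartName -and ($Standard -notcontains $_.StartName) } |
            Select-Object @{ n = 'Computer'; e = { $Computer } },
                          StartName, Name, DisplayName, State, StartMode
    }
    catch {
        # Keep unreachable hosts visible: a host that was never queried is
        # not evidence that an account is unused there.
        $Failed += "$Computer : $($_.Exception.Message)"
    }
}

$Head = @"
<title>Non-Standard Service Accounts</title>
<style>
TABLE{border-collapse: collapse}
TH,TD{border: 1px solid black; padding: 2px}
</style>
"@

# Escape error text before embedding it in the HTML report.
$Post = if ($Failed) {
    '<h3>Computers not queried</h3><pre>' +
        [System.Security.SecurityElement]::Escape($Failed -join "`n") + '</pre>'
} else { '' }

# One table for the whole domain, sorted so that every place an account is
# used sits together.
$Rows | Sort-Object StartName, Computer |
    ConvertTo-Html -Property Computer, StartName, Name, DisplayName, State, StartMode `
        -Head $Head -PreContent '<h2>Non-Standard Service Accounts</h2>' -PostContent $Post |
    Out-File $Report

Invoke-Item $Report
```

Services only cover one place an account can be in use; scheduled tasks, IIS application pools and application configuration files have to be checked separately.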

  • Weblogic Server cannot find Service accounts  in my MSAD via LDAP

    Hello,
    I've configured an LDAP security provider in my WebLogic server but it's only finding some of my users, not my "service account" users.
    The users are found in the following locations in the tree:
    OU=Users,OU=Accounts,DC=dev,DC=mtb,DC=com
    OU=Service,OU=Accounts,DC=dev,DC=mtb,DC=com
    So I configured the LDAP provider with the following settings:
    User Base DN: OU=Accounts,DC=dev,DC=mtb,DC=com
    All Users Filter: (blank)
    User from Name Filter: (&(cn=%u)(objectclass=user))
    User Search Scope: subtree
    User Name Attribute: cn
    User Object Class: user
    But it cannot find users in the "Service" node, only users in the "Users" node. Both users have CN=, and "user" as part of their objectClass string. Any idea what I might be missing?
    Thank you,
    -Ben

    Hi
    1. I hope you already created a datasource on Weblogic Side using weblogic admin console and create New Data Source. Create a data source preferably with this JNDI Name "jdbc/mydbDSDS". It can be anything, but standard is jdbc/whatevernameyouwant. Once data source is created, you give db details like host, port, sid, username/password. Then deploy to appropriate server(s) like using Targets screen. Once all done. Under your domain/config/jdbc, you should see a .xml file with some unique name that has all the datasource details. The jndi name tag should be like this: <jndi-name>jdbc/mydbDSDS</jndi-name>
    2. Now, edit your persistence.xml file to refer above jndi name. By default, I know, it adds that weird name with jdbc/jdbc etc etc. But you can edit it always. Take a backup of your persistence.xml file and edit it to look like this.
      <persistence-unit name="mydbDS">
        <provider>org.eclipse.persistence.jpa.PersistenceProvider</provider>
        <jta-data-source>jdbc/mydbDSDS</jta-data-source>
        <properties>
          <property name="eclipselink.target-server" value="WebLogic_10"/>
          <property name="eclipselink.cache.shared.default" value="false"/>
        </properties>
      </persistence-unit>
    </persistence>
    Save it. Redeploy and see how that goes. The above file is simplified version. What it means is, just refer already deployed data source whose jndi name is "jdbc/mydbDSDS". If you really have some extra properties, you can retain them. Otherwise they are not required.
    Thanks
    Ravi Jegga

  • To view "Daily ID Administrators Activity" & "Dormant Accounts"

    Dear Hyperion Users,
    I am looking out for the below ones on Hyperion 9.3.1.
    1. Daily ID Administrators Activity [User maintenance, to track any changes on user's access, etc]
    2. Dormant Accounts - Account which are not used or which are idle for certain time [Lets say user who hasn't logged on for 3 months] and remove/clean up the accounts.
    I have opened SR with Oracle on the above 2 points and they conveyed that Hyperion 9.3.1 doesn't provide any of the above information.
    3. User Access Profile Listing : I could log on to Shared Services and create User access listing report via "Administration" -> "View Report".
    We have Hyperion Planning, HFM, Essbase and BI+ applications and I need your help in finding possibility of creating customised query or find way to get these "Daily ID Administrators Activity" & "Dormant Accounts" information for my Hyperion Applications.
    Thanks in advance.

    Finding dormant accounts in Essbase specifically (so it depends what you mean by 'Hyperion', but you are posting in the Essbase forum :) ) comes up frequently. I believe the information in this thread - Info of Last login details of Users - is still accurate, and I'm sure it would be correct regarding 9.3.1.
    EDIT: Must have read that too quickly, as I see you've listed your apps - but what I wrote above stands re Essbase!
    Edited by: TimG on Oct 24, 2011 11:52 AM

  • Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts

    Hi Folks,
    I am an experienced .NET apps developer who has been tasked with writing a bunch of technical controls for all the SQL Server instances on a domain.
    So for the last month I have been diving in the deep end learning Powershell, dba and infrastructure tasks. This is still a work in progress, so be kind to me.. ;o)
    So the task I am stuck on is described in the section on 'Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts' http://technet.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
    I have not been able to find cmdlets that gives me this information. I have found some exes which come frustratingly close like NTRights.exe. This lets me specify a computer name which is great, but only seems to let you set or deny permissions, not just list them!
    Any help with this would be very much appreciated as I am firmly stuck. As per comments above also bear in mind that up until around 1.5 months ago I had never used powershell / knew very much at all about SQL server admin etc. Feeling much more comfortable with them now, but much less so with Active Directory/ windows permission structures etc so please can I ask anyone kind enough to reply to try and keep the acronyms down as much as humanly possible.. ;o)
    Cheers 
    Kieron

    Hi Kieron,
    Take a look at this module, it makes permissions much easier to work with than what's currently available:
    https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83
    Don't retire TechNet! -
    (Don't give up yet - 13,085+ strong and growing)

  • Group managed service accounts for SQL Server

    Hey guys,
    Unfortunately I missed that (g/s)MSAs aren't supported yet for SQL Servers but I've been using them without any worries for ages.
    As I dug a bit deeper I could find differing information in the related TechNet entries. So it seems Microsoft's information about (s)MSAs and gMSAs isn't consistent.
    I'm not a SQL Server guy and use SQL only for System Center testing stuff so I would like to get some real world experience from SQL Server guys.
    Should I continue using gMSAs or are there any worries I should know?
    some sources I found so far:
    Not supported:
    "Hi Adam,
    Thank you for your feedback. Windows Server 2012 Group Managed Service Account is not currently supported as SQL 2012 released earlier than Windows Server 2012. We will consider to support gMSA in future SQL Server release.
    Regards,
    Min He, Program Manager, SQL Server"
    11.2012 -
    https://connect.microsoft.com/SQLServer/feedback/details/767211/gmsa-for-sql-server-failover-Clusters
    gMSA are not yet available, are not yet supported for SQL Server.  gMSA exist and are available and supported in Windows Server 2012 and higher.  SQL does not support them, but from an OS perspective, they exist and are supported.
    http://blogs.msdn.com/b/sqlosteam/archive/2014/02/19/msa-accounts-used-with-sql.aspx
    Within the FAQ Task Scheduler isn't supported as well ...
    http://technet.microsoft.com/en-us/library/ff641729%28WS.10%29.aspx
    ... but also PFEs using them for Tasks... this is confusing... 0o
    http://blogs.msdn.com/b/arvindsh/archive/2014/02/03/managed-service-accounts-msa-and-sql-2012-practical-tips.aspx
    supported?:
    Configure Windows Service Accounts and Permissions
    ... New Account Types Available with Windows 7 and Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/ms143504(v=sql.110).aspx#Default_Accts
    The MSA must be created in the Active Directory by the domain administrator before SQL Server setup can use it for SQL Server services.
    Other sources don't mention s/gMSAs...
    I couldn't find clear information about using gMSA for SQL Server 2014, only the same page, which also looks like the page for 2008 R2 and SQL 2012.
    Configure Windows Service Accounts and Permissions
                SQL Server 2014        
    http://msdn.microsoft.com/en-us/library/ms143504.aspx
    annoying topic so far... ;) 

    Hi Enrico
    aside from what Dan says about the risk for support, on which I agree, the following thread may clear it up a bit:
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/acb2048c-ffce-4d44-b882-6aafc7eb689d/managed-service-accounts-to-run-sql-server-service?forum=sqlsecurity
    Andreas Wolter (Blog |
    Twitter)
    MCM - Microsoft Certified Master SQL Server 2008
    MCSM - Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.andreas-wolter.com |
    www.SarpedonQualityLab.com

  • Make WDS Service account approve pending devices in WINDOWS DEPLOYMENT SERVICES

    Hi Technet and all other people reading this.
    I am at the moment trying to get a Service account (WDSService) to approve pending devices in Windows Deployment Services on a WDS server.
    I have created a domain called LALALA.dk on a server (DNS is included in the domain), and installed Windows Deployment Services on another server. The Deployment service is set up to prestage devices, and therefore devices need to be approved before they can be deployed.
    My problem is that at the moment we are using Domain Admin accounts to do the approving and I wish to change that to a service account, made specially for this job, which of course should have minimum rights. Because I have a very hard time understanding why I NEED to grant domain admin rights or local admin rights to a person just so that he can approve pending devices. There has to be a way to use a service account to do the job.
    I have done some research and found out that local admins, domain admins and enterprise admins are the only ones that have the permission to approve pending devices, and that's a problem for me when I want a service account to do it for me (not automatically), but a service account that can name and approve devices manually.
    Here is what I have already tried.
    1. Making WDSService run the Windows Deployment Services (service), but this didn't work because it lacks the permissions needed.
    2. I have given the read+write permissions on the remoteinstall folder, even tried with full control.
    3. Delegate control on the OU in Active Directory, to create computer objects, with full write permissions. I also tried with full control. I added both WDSServer$ and the service account (WDSService) on the OU. Still nothing.
    4. I then downloaded the subinacl tool, and granted the WDSService account permission to start and stop the service, even tried with full control on the Windows Deployment Service (WDSServer as server_name). I get error 1297, something with privilege missing from the service account to perform the actions. So still nothing. Which is really weird when I ran a command I can't remember now, where I could see that the service account had full permission granted to the service, and still wasn't able to start the service.
    5. I then tried to create a script using WDSUTIL, but was not able to grant the service account permissions to perform the action of approving pending devices. And I don't want to use a script every time I need to approve a device.
    6. Since the local system account is running the Windows Deployment Service, my thought was to join the WDSService account to the built-in NT AUTHORITY/local system or NT AUTHORITY/local service; this seems impossible from what I experienced, unless you are a super PowerShell geek I guess you can, so this option didn't get me anywhere as well.
    6. I then created a GPO granting the WDSService account the "log on as a service" policy on the Windows Deployment Service server; still nothing works as intended. I still get error 1297.
    7. I tried copying the registry keys (WDSSERVER) from the HKEY_LOCAL_MACHINE hive on the WDS Server, and imported it into my Domain's registry, but couldn't find the service I wanted to grant permissions to in the group policy settings (computer configuration/policies/windows settings/security settings/System Services). I then created a registry entry with group policy (computer configuration/policies/windows settings/security settings/registry) to point to (local machine/system/controlset001/services/WDSServer) and granting WDSService account full control and deployed the policy to the Deployment server. Nothing happened and I still can't approve pending devices with my service account.
    From my understanding service accounts were created to maintain small certain tasks or actions with limited permissions, so if compromised they could only do very little damage, and so that this account can be set up to perform the tasks without any administration of the account. So my question is, is it even possible to achieve what I want = granting a service account the permission to perform the action of approving pending devices on a Windows Deployment Server, and if so how?
    I am so confused over this and I am really reaching the limits of my understanding of this.
    Help is very much appreciated.
    Henrik Larsen

    Hi ZeR1X,
    The Require Administrator approval is for unknown computers.
    The similar thread:
    WDS - Request administrator approval not working
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b9088be7-7afe-4e2b-b5fb-4554a92c4a2a/wds-request-administrator-approval-not-working
    More information:
    Windows Deployment Service fails to start with error information of 0x5
    http://support.microsoft.com/kb/2009647
    WDS 3.01 Troubleshooting Guide
    http://technet.microsoft.com/en-us/library/cc754828(v=ws.10).aspx
    I’m glad to be of help to you!

  • What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

    We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
    We do utilize the same structure for user IDs.
    I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
    We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
    Thanks
    Mike

    Hey Mike,
    The process is pretty straightforward.  CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account.  The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.  
    I recommend the following if you'd like to move to AD.
    Run a DRS backup of CUCM.  This is not necessary for the integration but is good practice in my opinion.  I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
    Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
    Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts.  That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc.  If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username. 
    Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
    In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
    Also in CUCM, navigate to the administration page and do the following:
    Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
    Go to System > LDAP > LDAP Directory
    Click Add New
    Give it a name (whatever you want).
    Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
    Enter the password for the account.
    Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
    Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
    Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
    Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
    Click Save and Click the "Perform Full Sync Now" button.
    I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD.  To add this do the following:
    Go to System > LDAP > LDAP Authentication.
    Click Add New
    Check the box to use LDAP Authentication
    Add the same Distinguished name, passwords and user search base that you used for your integration account earlier under the synchronization section.  Also add the same primary and secondary LDAP servers and ports you used earlier.  
    Click Save
    You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.
    I hope this helps!
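
A pre-integration check for the username-matching and extension-field steps in the reply above, as an added example that is not part of the original post: it compares a CUCM user export with an AD export and lists exact matches, case-only mismatches, users with no AD account, and AD accounts whose extension attribute is empty. The CSV column names (`USER ID`, `sAMAccountName`, `ipPhone`, `telephoneNumber`) and all sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample data; the column names are assumptions about how the
# CUCM BAT user export and the AD export were produced.
CUCM_EXPORT = """USER ID,LAST NAME
jsmith,Smith
MJones,Jones
frontdesk,Desk
"""
AD_EXPORT = """sAMAccountName,ipPhone,telephoneNumber
jsmith,4001,+1 555 0100
mjones,,+1 555 0101
akhan,4003,
"""


def read_column(text, column):
    """Return the non-empty, stripped values of one CSV column."""
    rows = csv.DictReader(io.StringIO(text))
    return [r[column].strip() for r in rows if r[column].strip()]


def preflight(cucm_csv, ad_csv, extension_attr="ipPhone"):
    """Classify CUCM local user IDs against AD account names before the sync."""
    cucm_ids = read_column(cucm_csv, "USER ID")
    ad_rows = list(csv.DictReader(io.StringIO(ad_csv)))
    ad_ids = {r["sAMAccountName"].strip() for r in ad_rows}
    ad_by_lower = {a.lower(): a for a in ad_ids}

    report = {"exact": [], "case_only": [], "local_only": [], "no_extension": []}
    for uid in cucm_ids:
        if uid in ad_ids:
            report["exact"].append(uid)       # identical to the AD account name
        elif uid.lower() in ad_by_lower:
            # differs only by case: review, since the names must match exactly
            report["case_only"].append((uid, ad_by_lower[uid.lower()]))
        else:
            report["local_only"].append(uid)  # no AD account with this name
    # AD accounts whose chosen extension attribute is still empty
    report["no_extension"] = sorted(
        r["sAMAccountName"].strip() for r in ad_rows if not r[extension_attr].strip()
    )
    return report


if __name__ == "__main__":
    for key, values in preflight(CUCM_EXPORT, AD_EXPORT).items():
        print(f"{key}: {values}")
```

Pass `extension_attr="telephoneNumber"` if that is the AD field chosen for extensions.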
