Keyboard Layout User Account Domain Wide Issue

Similar Messages

• User Account Control FireFox issue in Windows 7 - ULTIMATE SOLUTION!!!

  == Issue
  ==
  I have another kind of problem with Firefox
  == Description
  ==
  Trying to figure out why some people where able to use "Run as Administrator" fix and for others like me it did nothing. The answer is what type of Win7 you have. If you have Win7 Ultimate or Enterprise you can go into the Local Securities Policy Editor and prevent the UAC dialog box opening for an administrator.
  However, if like me you have Home Premium or Home editions there is NO editor in the OS and this setting has to be modified through the registry.
  This page has the full explanation and zip file of the registry hack: http://www.howtogeek.com/howto/windows-vista/disable-user-account-controluac-for-administrators-only/
  So I downloaded the file, unzipped it and merged it with the registry - then set my Compatibility properties for the FireFox shortcut to "Run as Administrator" and it runs GREAT!!
  == Troubleshooting information
  ==
  This page has the full explanation and zip file of the registry hack: http://www.howtogeek.com/howto/windows-vista/disable-user-account-controluac-for-administrators-only/
  Downloaded the file - http://www.howtogeek.com/geekers/DisableUACforAdministrators.zip, unzip it and merge it with the registry - then set your Compatibility properties for the FireFox shortcut to "Run as Administrator" and it runs GREAT!!
  == Firefox version
  ==
  3.6.6
  == Operating system
  ==
  Windows 7 Home Premium
  == User Agent
  ==
  Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
  == Plugins installed

  Check that you do not run Firefox as Administrator.
  Right-click the Firefox desktop shortcut and choose "Properties".
  Make sure that all items are deselected in the "Compatibility" tab of the Properties window.
  * Privilege Level: "Run this program as Administrator" should not be selected
  * "Run this program in compatibility mode for:" should not be selected
  Also check the Properties of the firefox.exe program in the Firefox program folder (C:\Program Files\Mozilla Firefox\).

• Whitespace in User Account Name causes issues with various functions

  I've run into a few issues with users who have whitespace in their account names (for example, a user account name that was: "Joe Smith"). Generally, I think this is a result of windows interpreting the last name as a parameter when it tries to
  run a certain function. One place where this occurs and is easily replicated is in the "Troubleshoot Program Compatibility Wizard" which gives an error about permissions, another place this occurs is in the dx9 web installer which gives an error
  message concerning advpack.dll
  In both of these cases I've been able to 'fix' the issue by relocating the TEMP and TMP environment variables to a folder like C:\TEMP, however I still have some issues with other installers and programs such as the 3rd party Cordova build program and the
  android sdk which both get stumped by spaces in the user account name. From my understanding there is no way to change a user account name (not just the name which displays but the name which Windows reads) without deleting the account and copying often several
  gigabytes of files and settings over to a completely new account. Is this correct? Is there a way to remove the whitespace from an account name without these hackish workarounds? Is there anyway to report this as a bug to Microsoft in the hopes that they either
  remove support for usernames with whitespaces or come up with some way to make their internal features like the Compatibility Wizard operate correctly in these (fairly common) install environments? It's an incredibly pesky bug to identify....

  1. Spaces are allowed but not recommended. I would avoid using space(s) in account names.
  2. I do not understand what you have prevented from changing user name.
  3. For problems with 3rd pty programs ask support/forum of respective software vendors.
  4. If you feel like addressing Microsoft, use
  http://support.microsoft.com/contactus/?ln=en-us
  Regards
  Milos

• Sharing files between user accounts without permissions issues

  I have two user accounts on my iMac and need to make files available to both accounts, back and forth, without having to worry about permissions issues. Files need to be read and edited from both accounts.  I posted previously about this and was told to place the files in Users/Shared.  I've done this but it hasn't accomplished what I need.
  I created a document in one account and saved it to Users/Shared, but when I opened the document from the other account and tried to edit it, I was told that I didn't have permission to edit and that I needed to duplicate the file.  How can I avoid having to set permissions for files that I need to edit from both user accounts?

  Or not.
  I butt up against this lunacy frquently.
  I have just created a file saved to my external NAS - no problem - tried to save my edits - now don't have permission to do so.  Again - checked - custom access - again.  Ridiculous.
  Why can Apple not sort out this fundamental problem - if I create a file and put it on my network where I WANT IT - the OS should not then prevent me from accessing it.
  I spend hours, regularly, trying to sort this out.  Apple OS is a joke.
  And to be kept being told - do this, do that, use terminal, reset passwords is ridiculous.
  Sorry for the rant.
  But this is the limit.
  Mike

• User account disk space issues

  My Mac has recently started stating that there is no hard drive space.  Upon checking free space, it shows over 90GB available.  However, when I enter the (only) account's user folder, it states that the total space is only about 30GB which is all full.  Why is this and how do I fix it?

  Are you by any chance using FileVault? 

• Keyboard layout toggle problem, downgrading libxi issue

  Hello,
    As I've read so far, this issue is probably due to a new version of libxi=1.2.0. When trying to downgrade to 1.1.4, pacman yells that gtk2 depends on libxi>=1.2.0. Since I don't want to break my system, I'd wish to ask about the cleanest way to solve my problem?
  Best regards,
  kuni_zdenek

  upgrade to xorg from testing or wait until it will be moved

• 3G having issues with my User Account

  My iPhone 3G will not connect to my user account in iTunes. It gives a bogus error that is apparently (per Apple) a "time out error for PC's"
  Upon creating a new user account on my Mac the iPhone connects just fine to the new accounts iTunes. Is there any way I can find out what is corrupt in my user account creating this issue? I do not want to have to delete my account. I have done an archive and reinstall, reinstalled iTunes 7.7, restored the phone, it isn't the cord, and it connects in other computers/accounts just fine.
  Please help!
  Thanks in advance

  See this... http://support.apple.com/kb/HT2109

• Why domain users account allowed to logon to servers directly?

  I'm using Windows Server 2008 R2 with ADDS.
  By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP. They should get the message:
  "You cannot log on because the logon method you are using is not allowed on this computer"
  I had checked the GPO, under the Computer Configuration -> Windows Setting -> Local Security Policy -> Local Policy -> User Rights Assignment -> Allow Log on Locally, here only contains:
  Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
  And, nothing set on the Deny Logon Locally.
  But, tested that, those accounts with just Domain User Group are able to logon to Server!?
  How or where should I check, to not allow normal user account to logon to server directly?
  Thank you.

  Hi,
  >>By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP.
  By default, standard domain user accounts can log onto workstations and member servers, and they can’t log onto domain controllers unless we allow them to do so via group
  policy.
  By default, standard domain user accounts can’t remote desktop onto other computers unless they have been added to Remote Desktop User groups of the computers.
  Regarding allowing log on locally, the following article can be referred to for more information.
  Allow log on locally
  http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx
  Regarding remote desktop user groups, the following article can be referred to for more information.
  Configure the Remote Desktop Users Group
  http://technet.microsoft.com/en-in/library/cc743161.aspx
  >>How or where should I check, to not allow normal user account to logon to server directly?
  We can utilize group policy setting
  Deny logon locally to prevent users from locally logging onto the targeted computers.
  Regarding this setting, the following article can be referred to for more information.
  Deny logon locally
  http://technet.microsoft.com/en-us/library/cc957048.aspx
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• SSAS issue with Domain user account

  Hi
  I have SSAS 2008 R2 set up running on Windows Server 2012 Standard.
  The server is registered as a part of domain.
  I have had an issue of domain user accounts accessing to a cube and it's starting to get worse. There has been no problem with a local user account (I set up a few for testing purpose). 
  I ran the role report from BIDS Helper and it finds all the domain user accounts invalid. 
  It looks like SSAS is not talking well with the domain server (Windows 2003 server standard) to verify user credentials. But the thing is that everyone is ok with the domain server except for SSAS. IT does not have a clue what's going on here and everything
  is just pointing at me right now.
  I'd like to know if there is anyway to monitor that communication between SSAS and domain server for user credential verification and any guideline on how to resolve it. Most of time, it just works again..  like 10 minitues later.. it resolves by itself.
  But this time, not!!!
  All I know is that 1. Registering the server as a part of domain 2. use domain user account to set the security. 
  MY IT department has set up network monitoring tool and says that they are 100% percent working (No connection loss. It's monitoring Active directory as well). The application installed is 'ManageEngine Applications Manager' 
  I don't know what to do here. 
  P.S Will it be related something like 'Error
  while Add user to SSAS Server - The trust relationship between the primary domain and the trusted domain failed' but it's all the domain accounts including mine are not working.
  Cheers!!!

  First check your DNS servers setting on the server you have SSAS installed. You should only use the IP addresses of the DNS servers (e.g. Domain Controllers) of your domain. Active Directory relies on proper DNS server settings. Adding public DNS servers,
  even if they are on the bottom of the list, will mess up name resolving Active Directory names. This should have been done when IT had provisioned the server. Same goes for own workstation if you run your development/management software not on the server.
  Second make sure SSAS is running under a service account that has access to Active Directory. This can be either a domain account, the local system account, or the network service account. Running SSAS under a local account or the local service account will
  not work because local accounts do not have access to Active Directory. Running SSAS under either a Managed Service Account or a Virtual Account will not work because those features require the domain at least the Windows Server 2008 R2 functional
  level.
  Third make sure the account you use to log on to SSAS is a domain account and has appropriate permissions in SQL Server and SSAS. Local accounts and SQL Server account do not have access to Active Directory

• I mistakenly moved my apple keyboard layout bundle to the trash can and now I am unable to log onto my computer.  I can't type anything so I can't access my account to get back onto my computer.

  I mistakenly moved my apple keyboard layout bundle to the trash can and now I am unable to log onto my computer.  I can't type anything so I can't access my account to get back onto my computer.

  restart and hold Command+r to enter in recovery mode and ill allow you to repair your OS X installation. If you cannot repair it, then just create a new user, as usually issues with keyboards are rooted in the user's account.
  Good luck

• Two different keyboard layout issues

  I have two computers, each with a separate issue that's been driving me nuts:
  1. My G5 PowerMac (running 10.4) is set to use the Dvorak layout. That's it. It's the only one selected in the input menu list. Not even the standard US layout is selected. However, what kills me is that if I have to start up the computer holding down keys (like booting to a CD, resetting the Pram or PMU, etc.), or when I logout as one user and have to enter a password to log in again (yes, I know fast user switching bypasses this, but I still have to do it this way on occasion), the computer defaults to the US Qwerty keyboard layout. Is there a way to shut that off completely? It's driving me nuts because my keyboard doesn't show me the Qwerty layout and I have to rack my brain trying to remember where the letters are.
  2. On my G4 PowerMac (running 10.4) I have to toggle between Dvorak and Qwerty (my wife uses one, I use the other, and I don't want to set us up on different accounts). The problem is, the system toggles it back and forth all the time without warning--going to form fields, switching between apps, etc. There was a time (back with Panther for one of the updates), when a layout would stick the whole time until I switched it to the other, but it hasn't done it for a while. Is this a bug, or is there a workaround?
  Thanks.

  Here is a solution to problem 1, i had this problem a couple of months ago and eventually managed to figure it out.
  1. Go to: System preferences->accounts->login options
  2. Turn on: Show input menu in login window
  u can now use whatever language for login
  if u want it as default
  1. log out
  2. change language
  3. sign in
  4. Turn off the thing u just turned on
  it is now the default
  it seems to be another setting entirly
  As for the second issue i am currently having that issue and as yet have not found a solution.
  let me know if u figure something out for it

• "Unable to check revocation" error while checking CDP from non-domain user account

  Hi!
  I use 3-tier PKI infrastructure:
  Stand-alone offline Root CA: RootCA;
  Stand-alone offline Intermediate subordinate CA: SubCA;
  Enterprise CA: EntSubCA.
  In certificate we have three CDP point for CRL check:
  ldap:///, http:// and file://
  I have Windows 2008 R2 server joined to domain.
  I use command certutil –verify –urlfetch <filename.cer> >check.txt for revocation checking of certificate.
  When I use domain user account for revocation checking, all OK.
  I have access to any CDP and all fine.
  But when i use local server user account, I haven't access to ldap:/// and process failed although all other links is OK.
  My question is "why check fail with non-domain user accout while other CDP point succesfully verifed"?
  Here is the logfile from local user:
  Issuer:
  CN=EntSubCA
  DC=DED
  DC=ROOT
  Subject:
  CN=servername.domain_name
  Cert Serial Number: 5a896145000300006ee2
  dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
  dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
  dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_BASE
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=EntSubCA, DC=DED, DC=ROOT
  NotBefore: 05.02.2015 20:03
  NotAfter: 05.02.2016 20:03
  Subject: CN=servername.domain_name
  Serial: 5a896145000300006ee2
  SubjectAltName: DNS Name=servername.domain_name
  Template: Machine
  70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crt
  Verified "Certificate (0)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crt
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (018d)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [1.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [1.0.2] http://webserver/crl/EntSubCA.crl
  Verified "Base CRL (018d)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [2.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [2.0.2] http://webserver/crl/EntSubCA.crl
  ---------------- Base CRL CDP ----------------
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  OK "Base CRL (018d)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [1.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [1.0.2] http://webserver/crl/EntSubCA.crl
  OK "Base CRL (018d)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [2.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [2.0.2] http://webserver/crl/EntSubCA.crl
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 018d:
  Issuer: CN=EntSubCA, DC=DED, DC=ROOT
  33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SubCA
  NotBefore: 13.11.2014 19:12
  NotAfter: 13.11.2017 19:22
  Subject: CN=EntSubCA, DC=DED, DC=ROOT
  Serial: 6109015b000100000008
  Template: SubCA
  9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
  Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
  file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
  Verified "Certificate (0)" Time: 0
  [1.0] file://\\ca\crl\SubCA.crt
  Verified "Certificate (0)" Time: 4
  [2.0] http://webserver/crl/SubCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (32)" Time: 0
  [0.0] file://\\ca\crl\SubCA.crl
  Verified "Base CRL (32)" Time: 4
  [1.0] http://webserver/crl/SubCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 32:
  Issuer: CN=SubCA
  8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
  CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 28.05.2008 12:09
  NotAfter: 28.05.2058 12:19
  Subject: CN=SubCA
  Serial: 616bd19f000100000004
  Template: SubCA
  06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crt
  Verified "Certificate (0)" Time: 4
  [1.0] http://webserver/crl/RootCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (1c)" Time: 4
  [0.0] http://webserver/crl/RootCA.crl
  Verified "Base CRL (1c)" Time: 0
  [1.0] file://\\ca\crl\RootCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 1c:
  Issuer: CN=RootCA
  dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
  CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 27.05.2008 16:10
  NotAfter: 27.05.2110 16:20
  Subject: CN=RootCA
  Serial: 258de6fbd3bbab92460530e9e9f10536
  5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crt
  Verified "Certificate (0)" Time: 4
  [1.0] http://webserver/crl/RootCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (1c)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crl
  Verified "Base CRL (1c)" Time: 4
  [1.0] http://webserver/crl/RootCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 1c:
  Issuer: CN=RootCA
  dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
  Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
  Exclude leaf cert:
  5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
  Full chain:
  ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
  Verified Issuance Policies: None
  Verified Application Policies:
  1.3.6.1.5.5.7.3.2 Client Authentication
  1.3.6.1.5.5.7.3.1 Server Authentication
  ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
  CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
  CertUtil: -verify command completed successfully.

  What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must access to the URLs. In your output, it is quite clear that the local account does not have necessary permissions
  (you also use FILE URLs for publication, which again is not recommended).
  The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
  For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
  an internally and externally accessible, highly available Web cluster.
  the other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA. It is recommended to do this by running
  certutil -dspublish -f RootCA.crt.
  This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
  Brian

• Local user account is trying to autenticating against domain controller

  Hi all.  I am seeing a weird user logon issue on one of my laptop and on another user's PC.  Both of the laptop and the PC is a member of our domain.  However, on this particular laptop and PC, we are not login with a domain user account,
  rather we've created a local user account, grant it the local admin access, and login with this local user account.  Now, on my domain controller, I am seeing a bunch of account login failure message, which happens few times per minute and filling up
  the domain controller security log.  For the laptop, this is a clean build, with fresh Windows 7 installation, alone with MS Office 2010 and few third party application (eg: Adobe Reader, 7-ZIP, etc).  I've checked all group policy to ensure there
  are no service or connection that requires domain credential access that have applied to this laptop (or the PC).  I am not sure why this local user is trying to authenticating to our domain controller.  This user account doesn't exist in our domain. 
  The only thing I can think of is Microsoft Outlook 2010 might doing back ground authentication against the domain controller by using the current login user account, I just can't confirm this.  Did anyone encountered this issue in their environment? 
  Thank you.
  Below is a copy of the event.
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          13/06/2014 8:56:27 AM
  Event ID:      4625
  Task Category: Logon
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      domaincontroller.mydomain.local
  Description:
  An account failed to log on.
  Subject:
      Security ID:        NULL SID
      Account Name:        -
      Account Domain:        -
      Logon ID:        0x0
  Logon Type:            3
  Account For Which Logon Failed:
      Security ID:        NULL SID
      Account Name:        dummy
      Account Domain:        l-sparet400sc
  Failure Information:
      Failure Reason:        Unknown user name or bad password.
      Status:            0xc000006d
      Sub Status:        0xc0000064
  Process Information:
      Caller Process ID:    0x0
      Caller Process Name:    -
  Network Information:
      Workstation Name:    L-SPARET400SC
      Source Network Address:    192.168.2.181
      Source Port:        60720
  Detailed Authentication Information:
      Logon Process:        NtLmSsp
      Authentication Package:    NTLM
      Transited Services:    -
      Package Name (NTLM only):    -
      Key Length:        0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4625</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12544</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
      <EventRecordID>299829083</EventRecordID>
      <Correlation />
      <Execution ProcessID="488" ThreadID="640" />
      <Channel>Security</Channel>
      <Computer>domaincontroller.mydomain.local</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-0-0</Data>
      <Data Name="SubjectUserName">-</Data>
      <Data Name="SubjectDomainName">-</Data>
      <Data Name="SubjectLogonId">0x0</Data>
      <Data Name="TargetUserSid">S-1-0-0</Data>
      <Data Name="TargetUserName">dummy</Data>
      <Data Name="TargetDomainName">l-sparet400sc</Data>
      <Data Name="Status">0xc000006d</Data>
      <Data Name="FailureReason">%%2313</Data>
      <Data Name="SubStatus">0xc0000064</Data>
      <Data Name="LogonType">3</Data>
      <Data Name="LogonProcessName">NtLmSsp </Data>
      <Data Name="AuthenticationPackageName">NTLM</Data>
      <Data Name="WorkstationName">L-SPARET400SC</Data>
      <Data Name="TransmittedServices">-</Data>
      <Data Name="LmPackageName">-</Data>
      <Data Name="KeyLength">0</Data>
      <Data Name="ProcessId">0x0</Data>
      <Data Name="ProcessName">-</Data>
      <Data Name="IpAddress">192.168.2.181</Data>
      <Data Name="IpPort">60720</Data>
    </EventData>
  </Event>

  its the service which is using the account info and authenticating against the DC to obtain service ticket and fails
  Interesting log section is NULL SID which doesn't corresponds to any account name.
  Security ID:        NULL SID
      Account Name:        -
      Account Domain:        -
      Logon ID:        0x0
  and the below section explains , the request is made over network, which is most of the times by the service
  Detailed Authentication Information:
      Logon Process:        NtLmSsp
      Authentication Package:    NTLM
      Transited Services:    -
      Package Name (NTLM only):    -
      Key Length:        0
  The below is assumed to be performed on a client which does not run mission critical production applications which has zero impact when you perform the below actions,
  can you disable
  a) Server service
  b) Workstation service
  c) Disable RPC dependent service and services which depend on RPC and test
  Question:
  What is the level of DC hardening you have in your environment ?

• File associations are lost when user account is migrated from one domain to another domain (SID changes)

  Hello,
  Currently we are in the middle of a migration project. We are migrating users from child domains to the root domain of one organization.
  The user accounts are migrated with powershell using Move-ADObject cmdlet. This works as expected. The SIDHistory attribute is updated correctly.
  Recently we received complaints from some *migrated* users - they lost their default/custom file associations. This happens only on Windows 8/Windows 8.1.
  What happens:
  the user is migrated and logs on
  her profile loads and everything's preserved (as expected)
  the user clicks on a .jpeg file (previously associated with program XYZ)
  OS asks the user to choose a program to open the file with
  the user chooses a default program XYZ and the file opens
  when the user clicks on a .jpeg file again - OS asks to choose a program again
  i.e. the settings are not preserved.
  Our investigation shows that it is connected with the UserChoice registry key and the HASH value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.SomeExt
  According to this blog 
  the HASH is calculated based on user's SID. But after the migration the user has new SID and the HASH becomes invalid and we hit this:
  "However In Win 8, the registry changes are verified by a hash (unique per user and app)  that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry."
  Currently deleting the UserChoice key for all associations solves the problem. But the user has to make all her customizations again which is undesirable.
  Is there any supported way to fix this? Why the OS doesn't update the HASH after the first logon when the SID has changed as it updates the SID for the ProfileList key? 
  This could become big issue in large migrations.

  Hello Petar K. Georgiev,
  Please check the following article to change the registry key to change back to the default file type associations.
  http://www.sevenforums.com/tutorials/19449-default-file-type-associations-restore.html
  Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  Best regards,
  Fangzhou CHEN
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• User Accounts in Domain Admins group do not have full administrative rights to the server

  Our server was fine until recently one day we lost admin access for admin user accounts. If we log in to the server with the Domain Admin account, this account has full admin access to the server and can install and launch all programs and even all server
  admin tools. If we log into the server with a user account which is in the Domain Admins group, that account cannot install software or launch Services.MSC. Even IE will not load any page and crash with a "Not Responding" Error.
  The server has no viruses we even ran SFC /SCANNOW and it did repair from corrupted files but that didn't fix the issue.
  Any ideas?

  Hi Rick,
  May be UAC is blocking installtion. Have it disabled and see if it helps.  Ensure you have domain admin groups added into local administrators group.
  Alos Check these links please.
  https://social.technet.microsoft.com/Forums/en-US/b5300f28-6a2a-4760-8b80-97a2da0f87c1/2012-domain-admin-user-cannot-install-programs-on-a-domain-windows-7-pc?forum=winserverDS
  https://social.technet.microsoft.com/Forums/en-US/0ca040de-52ac-4259-bf78-c22436fd04d4/domain-users-with-domain-admins-right-cannot-install-programs-or-open-server-manager?forum=winserverDS
  Thanks,
  Umesh.S.K