Other Domain Accounts Synchronization Issue

Similar Messages

• SQL server 2012 does not see local disks other than C being started under domain account (which is local admin on the server)

  Hi all. We have a SQL Server 2012 installed to a fresh Windows Server 2012 Server. There is a service account domain\rusystem01 created to run SQL services. It is added as a Local administrator on this server.
  The issue is that SQL Server does not see any local drives (other than C drive) on the server if we run it from this domain service account (for example, we cannot move any databases to any other drives or setup backup).
  It works fine (and other drives ARE available) if SQL Services are started from Network service account or Local service account (which is not recommended by Microsoft). But does not work from domain account.
  Any ideas how to fix this?
  MCP

  >Any ideas how to fix this?
  Apply NTFS ACLs for the folders (and perhaps volumes*) for SQL Server.  Use the Per-Service SID, rather than the Service Account for the ACLs so they survive changing the service account. 
  The per-service SID is "NT Service\MSSQLSERVER" for a default instance and "NT Service\MSSQL$InstanceName" for a named instance.
  *Volume ACLs are set in Disk Management.
  David
  David http://blogs.msdn.com/b/dbrowne/
  David, would you please clarify what do you propose? I open D: volume on the Disk management and grant NT Service\MSSQL$DEV account with Full control permissions. Restarted SQL - no effect. Still only C: is visible for SQL.
  MCP

• Local Account Migrated to Domain Account Issue

  I used the Windows Server 2012 Connector tool to migrate a local profile to a domain account on a WS2012E Server.  The problem is, when the user logs in to the laptop, we will call Laptop1 using his domain account we will call DomainUser1, Laptop1 is
  still using the folder for his old local account (we will call LocalUser1).  Laptop1 was the machine used to migrate the local account to domain account.  When DomainUser1 logs in to another terminal, we will call Desktop1, it takes a long time to
  login.  After this initial long login time, he can then log in to other terminals that are NOT the Laptop1 machine with normal login speed.  As soon as he goes to login to Laptop1, it takes forever again.
  My theory is that Laptop1 is using a different SID for his domain/local account, which is causing the slow login speed, as windows has to update permissions for all his files.  This is a very confusing scenario to explain, so I hope you all are following
  me.
  To recap:
  DomainUser1 logs in to Laptop1 - the local profile uses folder C:\Users\LocalUser1
  If DomainUser1 logs in to any other terminal - the local profile for that computer uses folder C:\Users\DomainUser1
  My theory is that this difference is causing slow login times.  No other users on the domain are having login issues other than those users that had their profiles from their personal computers migrated to the domain accounts.  All other domain
  users that had their files migrated using the tool are having similar slow login times, when access their personal computers and then switching to other terminals.
  How do I go about changing the local profile on Laptop1, when logged in as DomainUser1 to use folder C:\Users\DomainUser1 rather than C:\Users\LocalUser1?

  Hi,
  Thanks for your posting.
  Only the Laptop 1 have this issue?
  Check this thread:
  http://social.technet.microsoft.com/Forums/windows/en-US/5a27b553-0c33-4de6-8219-6356645e6b7e/windows-7-change-local-profile-to-domain-profile-instantly?forum=w7itprogeneral
  For the Windows Server 2012 Essentials, i think you may ask in:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserveressentials
  Regards.
  Vivian Wang

• Can't move iWeb domaine to my other user account

  When I copy my iWeb domaine to my other user account on my iMac by dropping it into idrop it only seems to work for awhile, then by the end of the day it's gone. Very strange.

  Not familiar with iDropd and how it works.  Just copy the domain.sites file to the new Mac and place it wherever you want.  The default location is in the User/Library/Application Support/iWeb folder.
  In Lion and Mountain Lion the Home/Library folder is now invisible. To make it permanently visible enter the following in the Terminal application window: chflags nohidden ~/Library and press the Return key - 10.7: Un-hide the User Library folder.
  To open your domain file in Lion or Mountain Lion or to switch between multiple domain files Cyclosaurus has provided us with the following script that you can make into an Applescript application with Script Editor. Open Script Editor, copy and paste the script below into Script Editor's window and save as an application.
  do shell script "/usr/bin/defaults write com.apple.iWeb iWebDefaultsDocumentPath -boolean no"delay 1
  tell application "iWeb" to activate
  You can download an already compiled version with this link: iWeb Switch Domain.
  Just launch the application, find and select the domain file in your Home/Library/Application Support/iWeb folder that you want to open and it will open with iWeb. It modifies the iWeb preference file each time it's launched so one can switch between domain files.
  WARNING: iWeb Switch Domain will overwrite an existing Domain.sites2 file if you select to create a new domain in the same folder.  So rename your domain files once they've been created to something other than the default name.
  OT

• Error while Assigning database level role (db_datareader) to SQL login (Domain Account)

  Team,
  I got an error while creating a User for Domain Account. Below is the screen shot of the error (error : 15401)
  Database instance is on SQL 2000 SP3. ( I know it is out of support, But the customer is relutanct to upgrade)
  On Google search, i found below article which is best matching for this error
  http://support.microsoft.com/kb/324321
  I have follows each step of troubleshooting. But still the issue persists.
  Step 1. The login does not exist == The login is very much exist in the domain as i am able to add the same domain id to other database instances
  Step 2. Duplicate security identifiers == i have used this query to find duplicate SID
  /*  SELECT name FROM syslogins WHERE sid = SUSER_SID ('YourDomain\YourLogin') */
  But there was only one row returned with create date of today's.
  Error while Assigning database level role (db_datareader) to SQL login (Domain Account) 
  Step 3. Authentication failure == Domain is available. User is able to login on other servers via RDP connection.
  Step 4. Case sensitivity == Database collation is set to Case insensitivity. (CI)
  Other two 5. Local Accounts & 6. Name resolution == is not applicable to me.
  I tried other ways also.
  A. Creating login and providing permission in one go only = User account is not created
  B. Instead of GUI, use query to create login and provide required permission = Same error.
  Does anybody has faced any such situation
  Chetan

  See the below output
  srvid
  sid
  xstatus
  xdate1
  xdate2
  name
  password
  dbid
  language
  isrpcinmap
  ishqoutmap
  selfoutmap
  NULL
  0x010500000000000515000000A1F66E1BFC1DC75D26E72530A2B80400
  14
  20:25.9
  57:33.4
  UKBAA\LHRAPPMuttavarapuS
  NULL
  1
  us_english
  0
  0
  0
  Chetan

• Lack of Connectivty to Domain Controller - Domain Controller Access Issues Requires Repeated Reauthentication

  Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information. 
  I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is. 
  The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates
  setup.)
  For 6+ months everyone had access to the shared files and databases on each workstation without issue. 
  In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already. 
  Last week one of the computers intermittently cannot gain access to the shared folders– entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently
  no logon servers available to service the logon request”.  While access is rejected I’m still able to ping the DC both via its name and IPV4 address. 
  (Pinging via its name results in an IPv6 address in the response.) 
  Other network connectivity appears intact (able to browse the web, perform network discovery.)
  Things that ‘seem’ to allow access on this computer until the next failure:
  Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
  Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
  After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username. 
  Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
  Most Problematic Computer:
  Event ID 8016:  System failed to register host A or AAAA resource records. (With an unknown Ipv6 and the server’s ipv4 address in the DNS server list.) 
  Event ID 131:  NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’ 
  ‘No such host is known.”
  Event ID 5719:  NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
  And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054:
   The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
  Event 1030:  The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation
  at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
  On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
  Ipconfig/all from the server:
     Connection-specific DNS Suffix 
     Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
     Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Pref
  erred)
     Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
   10.1.10.1
     DHCPv6 IAID . . . . . . . . . . . : 234638804
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
     DNS Servers . . . . . . . . . . . : ::1
  127.0.0.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ipconfig/all from the problematic computer:
  Wireless LAN adapter Wi-Fi:
     Connection-specific DNS Suffix 
  . : wp.comcast.net
     Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
     Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Prefe
  rred)
     Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Pref
  erred)
     Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
     Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
     Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
  10.1.10.1
     DHCP Server . . . . . . . . . . . : 10.1.10.1
     DHCPv6 IAID . . . . . . . . . . . : 54535618
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
     DNS Servers . . . . . . . . . . . : 2001:558:feed::1
  2001:558:feed::2
                  10.1.10.42
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next.  Could a failing piece of hardware be the culprit? 
  Thanks,
   -JT

  Hi,
  According to the error you have posted.
  A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
  Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
  Netlogon 5719 and the Disappearing Domain [Controller]
  http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
  Did you refer to this KB article?
  Event ID 5719 is logged when you start a Domain Member
  http://support.microsoft.com/kb/938449
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Yoga 2 Pro - Veriface doesnt work with Domain Account

  I have a Yoga 2 Pro and I can get Veirface to work fine with a local account but it will not work with a Domain Account. I can get it to where it prompts me for the Domain Account Password (as it should the 1st time) but when you enetr the proper password, it tells you ints invalid etc. I have tried changing the Domain Password but it acts like it just cant locate the account etc. Does anyone know if this is a known issue or if there is a resolution to this?
  I am using Veriface 5.0.13.5261 on a Windows 8.1 Pro Operating System

  Hi there, i had the same problem.
  I have two accounts
  1. valentia\mubi (which is domain account)
  2. Mubi (which is local laptop account)
  When i use register my account with veriface, it work fine with Mubi
  When i use to register my account with valentia\mubi it say wrong password..
  I even deleted local i.e. Mubi account but still no luck!
  This is great feature, but pretty much useless if not working with domain. I have to use domain account, 

• SBS 2011 Domain Accounts Can't Login To Windows 8 PC

  One of our Windows 8.1 machines is no longer allowing domain accounts (except admin) to login to the PC.  This PC was a fresh setup and was joined to the domain in January.  When I log into the PC with the network admin and go to logs I get the
  following message related to group polocies not being able to be applied (now it won't let me connect at all).  I'll upload log files as soon as I can connect again.
  We are running an SBS 2011 server that handles all ad, dns, exchange 2010, remote web access, etc.
  Any ideas on what may be going wrong or how I should troubleshoot the issue?
  Thanks!

  Hi,
  Any update?
  Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
  Best Regards,
  Andy Qi
  TechNet
  Subscriber Support
  If you are TechNet
  Subscription user and have any feedback on our support quality, please send your feedbackhere.
  Andy Qi
  TechNet Community Support

• Yoga 2 Pro - Win 8.1 x64 Pro - VeriFace doesn't work for Domain accounts

  First - Lenovo's own tech support team seems completely unprepared for this product.  There are no install packages online for anything but core drivers and the support teams really don't know much about the custom Lenovo software like VeriFace.  Not bashing, just a disappointing reality.  I'm hearing Lenovo does this all the time and that in a few months, stuff will appear.  Great.
  REAL issue: VeriFace won't work for Domain accounts.  Pure and simple.  I'm a geek, so I know the right account name shows up at the lock screen.  When I type in the password, it says Incorrect.  If I use a local account, bingo, works perfectly.  I Googled some notes back in 2008/2009 where some people found a work-around by creating a local account with the same login name (obviously without the "domain\" part) to trick VeriFace.  I tried it and it didn't work.
  Can anyone else confirm this?
  p.s. I tried uninstalling / reinstalling and you DON'T want to do that.  See my first point.  You can't re-install b/c the software ONLY exists in the hidden reset partition in OneKey Recovery.  You have to completely reset your PC in order to get it back.

  Confirmed. I even tried this trick, but this did not work for me
  http://forums.lenovo.com/t5/IdeaPad-Y-U-V-Z-and-P-series/VeriFace-with-XP-Domain-Accounts-Upside-dow...

• OneDrive Sync Settings with Domain Account Roaming Profile

  This question seems to have been asked in various manners online including here at TechNet but it has never actually been answered that I can find.
  Home domain using Windows Server 2012 R2 Essentials, client is Windows 8.1 Pro 64-bit with Update 1. Logged in as a domain user account with a Roaming Profile and Folder Redirection connected to a Microsoft Account.
  Under PC Settings > OneDrive > Sync Settings, everything is greyed out and disabled. I wasn't too bothered about it previously however with Windows Phone 8.1 out now it means that I cannot use Tab Sync with Internet Explorer 11 on the phone.
  I have a GPO which excludes the following folders from the Roaming Profile to both allow Folder Redirection to function and also to allow the OneDrive app to function: "Downloads;Pictures;My Pictures;Music;My Music;Videos;My Videos;Dropbox;SkyDrive;OneDrive"
  I am using the Primary Computer attribute with a second GPO which limits profile redirection to the users primary computer.
  When logging on to my Primary Computer with the Roaming Profile activated, all of the Sync Settings are disabled but on another machine which is non-primary and therefore my roaming profile does not sync, I can connect my Microsoft Account to the local
  profile generated on this machine and all of the Sync Settings are available, clearly linked to the Roaming element of the profile.
  Is the non-functionality of Sync Settings on domain accounts with Roaming Profiles by design or by virtue of the fact that things are trying to steer away from Roaming Profiles now? I love the Sync features but in that they don't sync everything (3rd party
  Application Settings for example) there is a need for both features to exist in parallel.
  There is a new section in Group Policy to limit the use of the Sync Settings features for Enterprises which wish to prevent users from using these features so I don't understand the reason for it to not function at all for anyone.
  Richard Green | MCSA 2012, MCSE 2003, MCTS Desktop Virtualization, VCP5-DV http://richardjgreen.net

  Hi,
  Was your issue resolved?
  If yes, we will archive this thread temporarily.
  If no, please reply and tell us the current situation.
  If you have any other question, feel free to contact us. We will try our best to help you.
  Karen Hu
  TechNet Community Support

• SQL Server Service Account - Domain Account - WMI Provider Error - 0x80092004

  Hi,
  if I try to use an domain account for SQL service start using SQL configuration Manager I receive the error
  WMI Provider Error - 0x80092004
  in Popup Window and in Eventlog 5 Error Events from Source MSSQLSERVER:
  26014:
  Unable to load user-specified certificate [Cert Hash(sha1) "BA78B5DBF93CCD7EFA1860C99B0D6141D480199A"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for
  Use by SSL" in Books Online.
  17182:
  TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property. "
  17182:
  TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
  17826:
  Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
  17120:
  SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
  After I put the account in local administrator group the service starts up.
  I want to use the lowest privileges. Do I really need the SQL server service account in local administrator group? How to fix the error?
  thanks

  Hi baschuel,
  It is recommended to run SQL Server service by using the lowest possible user rights and it is supported to use a domain account instead of an account from local Administrators group to configure SQL Server service. According to your error messages, the
  issue could be due to that the incorrect certificate is used, or the domain account has no access to the Crypto folder(C:\ProgramData\Microsoft\Crypto). To troubleshoot the issue, you could follow the two solutions below.
  1.Import the correct certificate following the steps in the article:
  http://windows.microsoft.com/en-hk/windows/import-export-certificates-private-keys#1TC=windows-7
  2.Grant the domain account full access to the Crypto folder.
  Regards,
  Michelle Li
  If you have any feedback on our support, please click
  here.

• Moving preferences from local to domain account

  I've been given the task of adding a handful of Macs to an AD domain. So far I've added 2 with no issues.
  My problem is this: all of the Macs have been in use for months or more and have local accounts on them. I'm looking for a way to bring my users application, browser, and OS preferences from the local accounts of my users into their new domain accounts using the least administrative effort. I'm assuming that this will be as simple as copying parts of the users library over, but am unsure if this is the best way to go about it or what specific folders need to be copied.
  I was also asked (and I think the answer to this is no) whether or not a local account can simply be changed into a domain account.
  Models are MacBook Pros, iMacs, and I believe 1 Macbook Air. All are Intel. If there is any more info that I can provide let me know.
  Any help or advice would be greatly appreciated.

  You can delete the AD profile, rename the local profile as the AD profile, then change the owner of the profile to the AD account. From the command line it'd go something like this:
  sudo rm -R /Users/<AD_username>/
  sudo mv /Users/<local_username>/ /Users/<AD_username>
  sudo chown -R <AD_username> /Users/<AD_username>
  Make sure, of course, there is nothing in the original AD profile you wish to keep before removing it.
  leslie

• Domain accounts in Windows 8.1

  I have a tablet with Windows 8.1 pre-installed.  I have joined the domain where I work and added a domain user account.  I assigned Administrator
  privileges to the account (with the control panel on the local machine), but I can't access some files.  The file properties say that the local administrator group has full control, but my domain account is refused access.  How do I assign administrator
  privileges on the local machine for a domain user?  Or, how do I include a domain account in the local administrator group?

  Hi,
  Did you mean to add the domain account under Computer management as below?
  If so, the domain account should have the permission to access the files of which Admin has full control.
  Would you please let me know what files your domain account fail to access? Please help to list some.
  Also, I suggest you use the Process Monitor to capture the system event when you repro this issue.
  Process Monitor v3.05
  http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
  You can also try to use this article to troubleshoot this issue.
  Solving Access Denied Errors Using Process Monitor
  http://improve.dk/solving-access-denied-errors-using-process-monitor/
  If there is any difficulties, please upload the saved pml file from this tool here for our research.
  Kate Li
  TechNet Community Support

• Active directory account lockout issue

  I have 1 main AD server which is on windows 2003 R2 and all users are authenticated from this server and second ADC i.e backup ADC which is on windows 2003 R2, we have 3rd ADC on windows 2008 R2 which is created for Exchange 2010 on windows
  2008R2,
  Users are getting Account lock out issue randomly.
  Can any one help on this.
   

  Hi,
  You can start with the below threads to see if you have prepared to determine lockouts sources.
  http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx
  http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx
  Use Lokoutstatus from Altools (http://www.microsoft.com/en-us/download/details.aspx?id=18465) then check the source DC where lockouts are being reported. Use the event viewer on
  that DC and look for "failure audits" for that particular user acocunt or during that time frame reported on lockoutstatus. Use the event description to find the source workstations/server where the lockout is coming from and verify that server for
  any (disconnect RDP sessions, credentials manager, services running with domain accounts,applications,etc).
  Hope this helps.
  Regards,
  Calin

• Connect Microsoft Account to Multiple Domain Accounts

  We are currently trialing windows 8.1 tablets in a school environment and would like for the students to have access to the 'Windows Store'
  All students log in with a domain account. (Their own domain account)
  All of these tablets are being imaged Via SCCM 2012 Task Sequence.
  What I would like to see happen either during the SCCM TS or via GPO or some other method would be to have the same Microsoft account connected to anyone logging into these devices this way the student would never require the account credentials
  and they would never be prompted to log into the store as well as be able to openly download and install free apps... I'll tackle the paid app issue separately...
  I would enable the GPO:
  computer configuration\windows settings\security settings\local policies\security options\'accounts: block Microsoft account'
  so that they couldn't link any additional personal Microsoft accounts.
  thoughts?

  More update...
  created the following script (autoit) to create the appropriate reg key entries to connect a Microsoft account to the current logged on user.
  #include <Security.au3>
  Local $aArrayOfData = _Security__LookupAccountName(@UserName)
  $SID = $aArrayOfData[0]
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\", "AccountsCount", "REG_DWORD", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\", "AssociatedCount", "REG_DWORD", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\", "CID", "REG_SZ", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\", "Keywords", "REG_SZ", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\" & $SID, "AccountType", "REG_SZ", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\" & $SID, "ChildFlags", "REG_SZ", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\" & $SID, "DefaultCredSaved", "REG_SZ", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\" & $SID, "DisplayName", "REG_SZ", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\" & $SID, "FirstName", "REG_SZ", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\" & $SID, "Flags", "REG_SZ", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\" & $SID, "Keywords", "REG_SZ", "<Enter Applicable Value>")
  RegWrite("HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\<Microsoft Live Account Name>\" & $SID, "LastName", "REG_SZ", "<Enter Applicable Value>")
  I am applying this script on logon to the users so they all end up using the same account to access the store.
  last challenge is to set it so they don't have to enter a password. where is the password stored?????