Required Policy for IIS6 Policy Agent

Hello,
I have configured the Policy Agent for MS IIS6 and created a Policy
to enable some users to access the website.
Unfortunately, until now all users get a "403 - Forbidden"-Message.
Users disallowed by policy get the response immediately, users
who should have access must wait about 2 Minutes before they
get the error.
When I try to log in using an account without permission, this is logged
in the "amAgent"-Logfile:
<--------------->8-------------->8------------------->
2004-08-31 15:10:37.578 128 2912:1567ad8 RemoteLog: User e09mahj0 was denied access to http://erlm630a.ts.siemens.de:81/index.htm.
2004-08-31 15:10:37.593 Error 2912:1567ad8 PolicyAgent: do_redirect(): Error while calling am_web_get_redirect_url(): status = success
2004-08-31 15:10:37.593 Error 2912:1567ad8 PolicyAgent: do_redirect() WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden
<--------------->8-------------->8------------------->
and when using an account that should have access:
<--------------->8-------------->8------------------->
2004-08-31 15:24:20.218 Error 2912:153c360 PolicyEngine: am_policy_evaluate: InternalException in Service::update_policy with error message:Policy query failed. and code:16
2004-08-31 15:24:20.218 128 2912:153c360 RemoteLog: User amAdmin was denied access to http://erlm630a.ts.siemens.de:81/index.htm.
2004-08-31 15:24:20.234 Error 2912:153c360 PolicyAgent: do_redirect(): Error while calling am_web_get_redirect_url(): status = success
2004-08-31 15:24:20.234 Error 2912:153c360 PolicyAgent: do_redirect() WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden
<--------------->8-------------->8------------------->
I have no idea what "PolicyEngine ... code 16" means.
Can anyone help?
Regards,
Juergen Maihoefner
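
The two log excerpts above differ in one respect: the second denial is preceded by a PolicyEngine error on the same process:thread id. The following triage script separates those two cases. It is an added example, not part of the original post or of the agent; the sample log lines are constructed in the amAgent format shown above, and the host, users and ids in them are placeholders.

```python
import re
from datetime import datetime, timedelta

# amAgent line: "<date> <time.ms> <level> <pid>:<thread> <Module>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>\S+)\s+(?P<pid>\d+):(?P<tid>[0-9a-fA-F]+)\s+"
    r"(?P<module>\w+):\s*(?P<msg>.*)$"
)
DENY_RE = re.compile(
    r"^User (?P<user>\S+) was denied access to (?P<url>\S+?)\.?$"
)
CODE_RE = re.compile(r"code:(\d+)")


def classify_denials(lines, window=timedelta(seconds=2)):
    """Label each RemoteLog denial by what preceded it on the same thread.

    'policy_decision'          - no PolicyEngine error just before the denial
    'policy_evaluation_failed' - a PolicyEngine error was logged on the same
                                 pid:thread within `window` before the denial
    """
    engine_errors = {}  # (pid, tid) -> (timestamp, message)
    results = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        key = (m["pid"], m["tid"])
        if m["module"] == "PolicyEngine" and m["level"] == "Error":
            engine_errors[key] = (ts, m["msg"])
        elif m["module"] == "RemoteLog":
            d = DENY_RE.match(m["msg"])
            if not d:
                continue
            prior = engine_errors.pop(key, None)
            record = {"time": ts, "user": d["user"], "url": d["url"],
                      "cause": "policy_decision", "engine_code": None}
            if prior and timedelta(0) <= ts - prior[0] <= window:
                code = CODE_RE.search(prior[1])
                record["cause"] = "policy_evaluation_failed"
                record["engine_code"] = code.group(1) if code else None
            results.append(record)
    return results


# Constructed sample input (placeholder host, users and thread ids).
SAMPLE_LOG = """\
2024-01-10 09:00:01.100 128 4100:1a2b3c0 RemoteLog: User alice was denied access to http://app.example.test:81/index.htm.
2024-01-10 09:00:01.115 Error 4100:1a2b3c0 PolicyAgent: do_redirect() WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden
2024-01-10 09:05:20.218 Error 4100:1d4e5f0 PolicyEngine: am_policy_evaluate: InternalException in Service::update_policy with error message:Policy query failed. and code:16
2024-01-10 09:05:20.218 128 4100:1d4e5f0 RemoteLog: User bob was denied access to http://app.example.test:81/index.htm.
"""

if __name__ == "__main__":
    for r in classify_denials(SAMPLE_LOG.splitlines()):
        print(r["time"], r["user"], r["url"], r["cause"], r["engine_code"])
```
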

I found that page yesterday, but the errors I'm receiving are well out of the range of errors listed on that page.
2008-10-13 16:06:53.578   Error 3232:1c30580 PolicyAgent: do_redirect:  Error while calling am_web_get_url_to_redirect(): status = invalid argument
2008-10-13 16:06:53.578   Error 3232:1c30580 PolicyAgent: do_redirect: WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden Content-Length: 13 Content-Type: text/plain  403 Forbidden
Also, there's no firewall between the agent and the server. In my setup, authorized users don't get this message, it's only users who aren't authorized to access sharepoint (the server with the agent) who see the 403 page that's just a plaintext '403 Forbidden' message.
Probably the strangest thing about this issue is that when I look at the IIS log, it indicates a 401.5 error (which is correct, as the user should just be denied, not forbidden).
2008-10-13 20:06:44 W3SVC87257621 10.28.204.100 GET /default.aspx - 7000 - 10.28.204.100 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 302 0 0
2008-10-13 20:06:53 W3SVC87257621 10.28.204.100 GET /default.aspx - 7000 dan.west 10.28.204.100 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 401 5 0
At the very least, it would be nice to know how the 401 is getting translated into the 403 error, and what would be involved in customizing the error page for this event so that it isn't simply a plaintext message.
Edit:
If you're noticing the timestamp difference of 4 hours, it seems there is a known bug with the w3c extended log file format (http://support.microsoft.com/kb/271196).
Edited by: westd on Oct 14, 2008 5:28 AM

Similar Messages

  • No log for am policy agent for iis6

    Hello!
    I'm trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
    I am running the OpenSSO version of Access Manager.
    I have installed the agent and done the initial configuration.
    When I try to browse the resource I get a login prompt (IIS Basic Auth) and cannot log in, followed by "Not Authorized 401.3"
    I should get redirected to the AM Login page, shouldn't I?
    I tried to look for answers in the log file but the /debug/<id> directory is empty.
    Anyone know what to do?
    The amAgent.properties file:
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature of not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    # <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    # 0 Disable logging from specified module*
    # 1 Log error messages
    # 2 Log warning and error messages
    # 3 Log info, warning, and error messages
    # 4 Log debug, info, warning, and error messages
    # 5 Like level 4, but with even more debugging messages
    # 128 log url access to log file on AM server.
    # 256 log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level = 5
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for exmample apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app serverpath if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port = true
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be drop.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for IIS6 agent only.
    # The two first properties allow to set a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when unintalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

    If the agent does not start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url; if that's not specified you will get a 403.
    For the agent itself, check that the naming.url is correct, that the agent username and password are correct, and see that the user has privileges to write to the agent log files. Apart from these, post the Windows event logs.
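
A small lint for an AMAgent.properties file like the one posted above, with each check taken from that file's own comments (documented log module names, trust of server certificates, SSO-only mode, the path-info wildcard caveat) plus two added assumptions: that plain-HTTP Access Manager URLs are worth flagging, and that `SERVER_PROTO`-style words in the not-enforced list are template tokens that were never substituted. This is an added example, not Sun's or the poster's code, and the sample input is constructed with placeholder host names.

```python
import re

# Module names listed in the file's comment for com.sun.am.log.level.
DOCUMENTED_MODULES = {
    "AuthService", "NamingService", "PolicyService", "SessionService",
    "PolicyEngine", "ServiceEngine", "Notification", "PolicyAgent",
    "RemoteLog", "all",
}
P = "com.sun.am."
A = P + "policy.agents.config."


def parse_properties(text):
    """Parse 'key = value' lines; '#' lines are comments and a trailing
    backslash wraps a long line (the only escape the file says it supports)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped.startswith("#")):
            continue
        line = pending + stripped
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return a list of (property, reason) findings."""
    findings = []

    def is_true(key):
        return props.get(key, "").lower() == "true"

    # Format is <ModuleName>[:<Level>][,...]; a bare number names no module.
    for entry in props.get(P + "log.level", "").split(","):
        entry = entry.strip()
        if entry and entry.split(":", 1)[0] not in DOCUMENTED_MODULES:
            findings.append((P + "log.level",
                             f"'{entry}' does not name a documented module"))
    if is_true(P + "trust_server_certs"):
        findings.append((P + "trust_server_certs",
                         "agent trusts every server certificate"))
    for key in (P + "naming.url", P + "policy.am.login.url"):
        if props.get(key, "").lower().startswith("http://"):
            findings.append((key, "Access Manager URL uses plain HTTP"))
    if is_true(A + "do_sso_only"):
        findings.append((A + "do_sso_only",
                         "authentication only, policies are not enforced"))
    not_enforced = props.get(A + "notenforced_list", "")
    # Assumption: these words are unreplaced template tokens.
    if re.search(r"SERVER_(PROTO|HOST|PORT)", not_enforced):
        findings.append((A + "notenforced_list",
                         "contains template tokens, not real URLs"))
    if is_true(A + "ignore_path_info"):
        # The file warns that nothing may follow '*' when this is true.
        risky = [u for u in not_enforced.split()
                 if "*" in u and u.index("*") != len(u) - 1]
        if risky:
            findings.append((A + "ignore_path_info",
                             "text follows a wildcard in: " + " ".join(risky)))
    return findings


# Constructed sample, not the poster's file.
SAMPLE = """\
# sample agent configuration
com.sun.am.naming.url = http://am.example.test:8080/opensso/namingservice
com.sun.am.policy.am.login.url = https://am.example.test:8443/opensso/UI/Login
com.sun.am.log.level = 5
com.sun.am.trust_server_certs = true
com.sun.am.policy.agents.config.do_sso_only = false
com.sun.am.policy.agents.config.notenforced_list = http://app.example.test/public/* \\
    http://app.example.test/*.gif
com.sun.am.policy.agents.config.ignore_path_info = true
"""

if __name__ == "__main__":
    for key, reason in audit(parse_properties(SAMPLE)):
        print(f"{key}: {reason}")
```
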

  • Skipping request for user policy assignments due to agent configuration for authority

    Hello all,
    Symptoms:
    The Configuration Manager only shows the following actions:
    Application Deployment Evaluation Cycle
    Machine Policy Retrieval & Evaluation Cycle
    Software Updates Deployment Evaluation Cycle
    User Policy Retrieval & Evaluation Cycle
    In Software Center there are no applications visible. Also the default 'IT Organization' is shown instead of the 'real' name.
    The Configuration Manager:
    shows in the tab 'General' the correct Management point. Connection type is 'currently intranet' (ok)
    shows in the tab 'Site' the correct site code.
    shows in the tab 'Components' all components as either 'installed' or 'enabled'. Only CCM Notification Agent shows 'Disabled'.
    In SCCM 2012 under 'Client Settings' -> 'Default Settings' -> 'Client Policy' the setting 'Enable User policy on clients' has been enabled.
    Done so far (without success):
    Re-installed the MP
    Run a query on the SCCM Database to check if there are any corrupt records. There are not.
    Installed version 5.00.7958.1000
    CCM Framework: 5.00.7958.1203
    The computer is installed with a task sequence. There is a reboot after 'Setup Windows and ConfigMgr (CM2012 R2 CU1)'.
    Installation command of the SCCM Client (during OSD deployment):
    SMSCACHEFLAGS=PERCENTDISKSPACE SMSCACHESIZE=10 SMSSLP=demo-sccm.demoforest.local SMSMP=demo-sccm.demoforest.local PATCH="%_SMSTSMDataPath%\OSD\TDS00020\KB2938441\configmgr2012ac-r2-kb2938441-i386.msp"
    Content log files on the client:
    PolicyAgent.log:
    Processing PreShutdown event PolicyAgent_RequestAssignments 8/4/2014 11:56:52 PM 2204 (0x089C)
    Processing PostStartup event PolicyAgent_RequestAssignments 8/4/2014 11:57:37 PM 2436 (0x0984)
    Policy Download Endpoint's message queue is empty; proceeding with maintenance work PolicyAgent_Cleanup 8/4/2014 11:57:37 PM 2436 (0x0984)
    Registered for MP notifications. PolicyAgent_PostStartup 8/4/2014 11:57:37 PM 2436 (0x0984)
    Not rerequesting policy on site code change in provisioning mode. PolicyAgent_ReRequestPolicy 8/5/2014 12:01:55 AM 3212 (0x0C8C)
    Processing PostStartup event PolicyAgent_RequestAssignments 8/5/2014 12:02:48 AM 2352 (0x0930)
    Policy Download Endpoint's message queue is empty; proceeding with maintenance work PolicyAgent_Cleanup 8/5/2014 12:02:48 AM 2352 (0x0930)
    Registered for MP notifications. PolicyAgent_PostStartup 8/5/2014 12:02:48 AM 2352 (0x0930)
    Processing PostStartup event PolicyAgent_RequestAssignments 8/5/2014 12:11:36 AM 2720 (0x0AA0)
    Policy Download Endpoint's message queue is empty; proceeding with maintenance work PolicyAgent_Cleanup 8/5/2014 12:11:36 AM 2720 (0x0AA0)
    Registered for MP notifications. PolicyAgent_PostStartup 8/5/2014 12:11:36 AM 2720 (0x0AA0)
    Processing PostStartup event PolicyAgent_RequestAssignments 8/5/2014 1:25:02 AM 3164 (0x0C5C)
    Policy Download Endpoint's message queue is empty; proceeding with maintenance work PolicyAgent_Cleanup 8/5/2014 1:25:02 AM 3164 (0x0C5C)
    Registered for MP notifications. PolicyAgent_PostStartup 8/5/2014 1:25:02 AM 3164 (0x0C5C)
    Processing PostStartup event PolicyAgent_RequestAssignments 8/5/2014 1:26:05 AM 2652 (0x0A5C)
    Policy Download Endpoint's message queue is empty; proceeding with maintenance work PolicyAgent_Cleanup 8/5/2014 1:26:05 AM 2652 (0x0A5C)
    Registered for MP notifications. PolicyAgent_PostStartup 8/5/2014 1:26:05 AM 2652 (0x0A5C)
    Triggered update of user S-1-5-21-1840543543-1948091412-3654635223-1109 settings PolicyAgent_RequestAssignments 8/5/2014 9:00:57 AM 3232 (0x0CA0)
    Requesting User policy assignments for 'S-1-5-21-1840543543-1948091412-3654635223-1109' PolicyAgent_RequestAssignments 8/5/2014 9:02:34 AM 2484 (0x09B4)
    Requesting User policy from authority 'SMS:TDS' PolicyAgent_RequestAssignments 8/5/2014 9:02:34 AM 2484 (0x09B4)
    Skipping request for user policy assignments due to agent configuration for authority 'SMS:TDS'. PolicyAgent_RequestAssignments 8/5/2014 9:02:34 AM 2484 (0x09B4)
    ClientIDManagerStartup.log:
    [----- STARTUP -----] ClientIDManagerStartup 8/5/2014 1:24:34 AM 372 (0x0174)
    Read SMBIOS (encoded): 31003800300035002D0030003700310038002D0035003700330038002D0035003500350033002D0034003800350030002D0038003000390030002D0032003800 ClientIDManagerStartup 8/5/2014 1:24:52 AM 2932 (0x0B74)
    Evaluated SMBIOS (encoded): 31003800300035002D0030003700310038002D0035003700330038002D0035003500350033002D0034003800350030002D0038003000390030002D0032003800 ClientIDManagerStartup 8/5/2014 1:24:52 AM 2932 (0x0B74)
    No SMBIOS Changed ClientIDManagerStartup 8/5/2014 1:24:52 AM 2932 (0x0B74)
    SMBIOS unchanged ClientIDManagerStartup 8/5/2014 1:24:52 AM 2932 (0x0B74)
    SID unchanged ClientIDManagerStartup 8/5/2014 1:24:52 AM 2932 (0x0B74)
    HWID unchanged ClientIDManagerStartup 8/5/2014 1:24:53 AM 2932 (0x0B74)
    GetSystemEnclosureChassisInfo: IsFixed=TRUE, IsLaptop=FALSE ClientIDManagerStartup 8/5/2014 1:24:53 AM 2932 (0x0B74)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 8/5/2014 1:24:53 AM 2932 (0x0B74)
    Computed HardwareID=2:0760033F87CBB92FC5D6343C630C99002655F937
     Win32_SystemEnclosure.SerialNumber=1805-0718-5738-5553-4850-8090-28
     Win32_SystemEnclosure.SMBIOSAssetTag=2522-6626-0190-0004-7023-0906-91
     Win32_BaseBoard.SerialNumber=1805-0718-5738-5553-4850-8090-28
     Win32_BIOS.SerialNumber=1805-0718-5738-5553-4850-8090-28
     Win32_NetworkAdapterConfiguration.MACAddress=00:15:5D:00:2A:0C ClientIDManagerStartup 8/5/2014 1:24:53 AM 2932 (0x0B74)
    Persisted hardware IDs in CCM_ClientIdentificationInformation=@:
     HardwareID1=2:0760033F87CBB92FC5D6343C630C99002655F937
     HardwareID2=98130500010000EE ClientIDManagerStartup 8/5/2014 1:24:53 AM 2932 (0x0B74)
    Failed to open to WMI namespace '\\.\root\ccmvdi' (8007045b) ClientIDManagerStartup 8/5/2014 1:25:02 AM 372 (0x0174)
    [----- SHUTDOWN -----] ClientIDManagerStartup 8/5/2014 1:25:02 AM 372 (0x0174)
    [----- STARTUP -----] ClientIDManagerStartup 8/5/2014 1:25:42 AM 2012 (0x07DC)
    Read SMBIOS (encoded): 31003800300035002D0030003700310038002D0035003700330038002D0035003500350033002D0034003800350030002D0038003000390030002D0032003800 ClientIDManagerStartup 8/5/2014 1:25:51 AM 2504 (0x09C8)
    Evaluated SMBIOS (encoded): 31003800300035002D0030003700310038002D0035003700330038002D0035003500350033002D0034003800350030002D0038003000390030002D0032003800 ClientIDManagerStartup 8/5/2014 1:25:51 AM 2504 (0x09C8)
    No SMBIOS Changed ClientIDManagerStartup 8/5/2014 1:25:51 AM 2504 (0x09C8)
    SMBIOS unchanged ClientIDManagerStartup 8/5/2014 1:25:51 AM 2504 (0x09C8)
    SID unchanged ClientIDManagerStartup 8/5/2014 1:25:51 AM 2504 (0x09C8)
    HWID unchanged ClientIDManagerStartup 8/5/2014 1:25:53 AM 2504 (0x09C8)
    GetSystemEnclosureChassisInfo: IsFixed=TRUE, IsLaptop=FALSE ClientIDManagerStartup 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Computed HardwareID=2:0760033F87CBB92FC5D6343C630C99002655F937
     Win32_SystemEnclosure.SerialNumber=1805-0718-5738-5553-4850-8090-28
     Win32_SystemEnclosure.SMBIOSAssetTag=2522-6626-0190-0004-7023-0906-91
     Win32_BaseBoard.SerialNumber=1805-0718-5738-5553-4850-8090-28
     Win32_BIOS.SerialNumber=1805-0718-5738-5553-4850-8090-28
     Win32_NetworkAdapterConfiguration.MACAddress=00:15:5D:00:2A:0C ClientIDManagerStartup 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Persisted hardware IDs in CCM_ClientIdentificationInformation=@:
     HardwareID1=2:0760033F87CBB92FC5D6343C630C99002655F937
     HardwareID2=98C70600010000EE ClientIDManagerStartup 8/5/2014 1:25:53 AM 2504 (0x09C8)
    ClientAuth.log:
    Error signing client message (0x80004005). ClientAuth 4/22/2014 9:25:01 PM 1612 (0x064C)
    Error signing client message (0x80004005). ClientAuth 4/22/2014 9:25:01 PM 1612 (0x064C)
    Error signing client message (0x80004005). ClientAuth 4/22/2014 9:25:02 PM 1612 (0x064C)
    Error signing client message (0x80004005). ClientAuth 4/22/2014 9:25:02 PM 1612 (0x064C)
    ClientLocation.log:
    Current AD forest name is demoforest.local, domain name is demoforest.local ClientLocation 8/5/2014 1:24:34 AM 372 (0x0174)
    Domain joined client is in Intranet ClientLocation 8/5/2014 1:24:34 AM 372 (0x0174)
    Current AD forest name is demoforest.local, domain name is demoforest.local ClientLocation 8/5/2014 1:24:53 AM 2932 (0x0B74)
    Domain joined client is in Intranet ClientLocation 8/5/2014 1:24:53 AM 2932 (0x0B74)
    Rotating assigned management point, new management point [1] is: DEMO-SCCM.demoforest.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities> ClientLocation 8/5/2014 1:24:53 AM 2932 (0x0B74)
    Assigned MP changed from <DEMO-SCCM.demoforest.local> to <DEMO-SCCM.demoforest.local>. ClientLocation 8/5/2014 1:24:53 AM 2932 (0x0B74)
    Rotating assigned management point, new management point [1] is: DEMO-SCCM.demoforest.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities> ClientLocation 8/5/2014 1:24:54 AM 2932 (0x0B74)
    Assigned MP changed from <DEMO-SCCM.demoforest.local> to <DEMO-SCCM.demoforest.local>. ClientLocation 8/5/2014 1:24:54 AM 2932 (0x0B74)
    Current AD forest name is demoforest.local, domain name is demoforest.local ClientLocation 8/5/2014 1:25:42 AM 2012 (0x07DC)
    Domain joined client is in Intranet ClientLocation 8/5/2014 1:25:42 AM 2012 (0x07DC)
    Current AD forest name is demoforest.local, domain name is demoforest.local ClientLocation 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Domain joined client is in Intranet ClientLocation 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Rotating assigned management point, new management point [1] is: DEMO-SCCM.demoforest.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities> ClientLocation 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Assigned MP changed from <DEMO-SCCM.demoforest.local> to <DEMO-SCCM.demoforest.local>. ClientLocation 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Rotating assigned management point, new management point [1] is: DEMO-SCCM.demoforest.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities> ClientLocation 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Assigned MP changed from <DEMO-SCCM.demoforest.local> to <DEMO-SCCM.demoforest.local>. ClientLocation 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Getting Assigned Site ClientLocation 8/5/2014 9:02:38 AM 2264 (0x08D8)
    Assigned Site is TDS ClientLocation 8/5/2014 9:02:38 AM 2264 (0x08D8)
    Getting Assigned Site ClientLocation 8/5/2014 1:19:20 PM 2604 (0x0A2C)
    Assigned Site is TDS ClientLocation 8/5/2014 1:19:20 PM 2604 (0x0A2C)
    execmgr.log (with errors):
    Requesting MTC to delete task with id: {C5DCEE82-C903-4CBD-98CC-534646B3EFD7} execmgr 4/22/2014 7:14:28 PM 1872 (0x0750)
    This execution request does not own the corresponding task in MTC, returning without deleting it from MTC. execmgr 4/22/2014 7:14:28 PM 1872 (0x0750)
    Service startup. execmgr 4/22/2014 7:16:09 PM 2332 (0x091C)
    Service startup. execmgr 4/22/2014 9:17:36 PM 2216 (0x08A8)
    Service startup. execmgr 4/22/2014 9:23:02 PM 2348 (0x092C)
    Service startup. execmgr 4/22/2014 9:24:53 PM 1000 (0x03E8)
    Software Distribution site settings (CCM_SoftwareDistributionClientConfig) policy does not yet exist on the client.
    If the client is not yet registered, this is expected behavior. execmgr 8/4/2014 11:56:52 PM 3224 (0x0C98)
    Software Distribution site settings (CCM_SoftwareDistributionClientConfig) policy does not yet exist on the client.
    If the client is not yet registered, this is expected behavior. execmgr 8/4/2014 11:56:52 PM 1292 (0x050C)
    Service startup. execmgr 8/4/2014 11:57:32 PM 3696 (0x0E70)
    Software Distribution site settings (CCM_SoftwareDistributionClientConfig) policy does not yet exist on the client.
    If the client is not yet registered, this is expected behavior. execmgr 8/4/2014 11:57:33 PM 3696 (0x0E70)
    Software distribution agent was enabled execmgr 8/5/2014 12:01:55 AM 3448 (0x0D78)
    Service startup. execmgr 8/5/2014 12:02:44 AM 2272 (0x08E0)
    ExecMgr::GetTaskState - GetTaskState Failed with error code 0x87d00317 execmgr 8/5/2014 12:03:02 AM 1652 (0x0674)
    Policy arrived for child program Install execmgr 8/5/2014 12:03:02 AM 1648 (0x0670)
    Creating mandatory request for advert TDS20014, program Install, package TDS00014 execmgr 8/5/2014 12:03:02 AM 1652 (0x0674)
    An existing MTC token was supplied, this execution request is not owner of MTC object. execmgr 8/5/2014 12:03:02 AM 1652 (0x0674)
    CertificateMaintenance.log:
    HTTP is selected for Client. The current state is 0. CertificateMaintenance 4/22/2014 6:49:04 PM 604 (0x025C)
    Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     DateTime = "20140422164904.539000+000";
     HRESULT = "0x00000001";
     ProcessID = 3320;
     ThreadID = 604;
     CertificateMaintenance 4/22/2014 6:49:04 PM 604 (0x025C)
    Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     ClientID = "GUID:7ff40832-4c01-456f-9705-096da67985b3";
     DateTime = "20140422164946.336000+000";
     HRESULT = "0x00000001";
     ProcessID = 3320;
     ThreadID = 3216;
     CertificateMaintenance 4/22/2014 6:49:46 PM 3216 (0x0C90)
    HTTP is selected for Client. The current state is 0. CertificateMaintenance 8/4/2014 11:56:39 PM 2212 (0x08A4)
    Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     DateTime = "20140804215639.612000+000";
     HRESULT = "0x00000001";
     ProcessID = 2144;
     ThreadID = 2212;
     CertificateMaintenance 8/4/2014 11:56:39 PM 2212 (0x08A4)
    Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     ClientID = "GUID:b8d72095-2590-4724-9db9-b721efc05007";
     DateTime = "20140804215651.440000+000";
     HRESULT = "0x00000001";
     ProcessID = 2144;
     ThreadID = 3348;
     CertificateMaintenance 8/4/2014 11:56:51 PM 3348 (0x0D14)
    Client is set to use HTTPS when available. The current state is 480. CertificateMaintenance 8/4/2014 11:56:56 PM 1096 (0x0448)
    Client is set to use HTTPS when available. The current state is 480. CertificateMaintenance 8/5/2014 12:02:33 AM 1656 (0x0678)
    Client is set to use HTTPS when available. The current state is 480. CertificateMaintenance 8/5/2014 12:11:17 AM 384 (0x0180)
    Client is set to use HTTPS when available. The current state is 480. CertificateMaintenance 8/5/2014 1:24:34 AM 372 (0x0174)
    Client is set to use HTTPS when available. The current state is 480. CertificateMaintenance 8/5/2014 1:25:42 AM 2012 (0x07DC)
    smscliui.log:
    Perform Action: Request & Evaluate User Policy - {3A88A2F3-0C39-45fa-8959-81F21BF500CE}. Message sent, id={FC736B58-2635-45B8-8002-E7C8D6CCEB8D} smscliui 8/5/2014 9:02:34 AM 2484 (0x09B4)
    Current Assigned Site: TDS smscliui 8/5/2014 9:02:38 AM 868 (0x0364)
    Currently assigned FQDN:  smscliui 8/5/2014 9:02:41 AM 868 (0x0364)
    Failed to set DNSSuffix value to the registry. smscliui 8/5/2014 9:02:58 AM 868 (0x0364)
    SMS Site code has not been changed. smscliui 8/5/2014 9:02:58 AM 868 (0x0364)
    Current Assigned Site: TDS smscliui 8/5/2014 1:19:20 PM 2160 (0x0870)
    CcmMessaging.log:
    Queue 'StateMessageManager' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'StateMessageManager'. Enabled=true Concurrency=1 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'CTMDTSReply'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'CTMDTSReply' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'CTMDTSReply'. Enabled=true Concurrency=5 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'execmgr'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'execmgr' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'execmgr'. Enabled=true Concurrency=1 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'PolicyAgent_RequestAssignments'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'PolicyAgent_RequestAssignments' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'PolicyAgent_RequestAssignments'. Enabled=true Concurrency=5 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'ClientRegistration'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'ClientRegistration' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'ClientRegistration'. Enabled=true Concurrency=5 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'EndpointProtectionAgent'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'EndpointProtectionAgent' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'EndpointProtectionAgent'. Enabled=true Concurrency=20 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'LS_ScheduledCleanup'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'LS_ScheduledCleanup' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'LS_ScheduledCleanup'. Enabled=true Concurrency=5 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'PolicyAgent_Cleanup'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'PolicyAgent_Cleanup' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'PolicyAgent_Cleanup'. Enabled=true Concurrency=5 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'DCMAgent'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'DCMAgent' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'DCMAgent'. Enabled=true Concurrency=5 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'CertEnrollAgent'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'CertEnrollAgent' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'CertEnrollAgent'. Enabled=true Concurrency=1 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'ExternalEventAgent'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'ExternalEventAgent' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'ExternalEventAgent'. Enabled=true Concurrency=20 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'UpdateStore'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'UpdateStore' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'UpdateStore'. Enabled=true Concurrency=1 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'PolicyAgent_ReplyAssignments'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'PolicyAgent_ReplyAssignments' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'PolicyAgent_ReplyAssignments'. Enabled=true Concurrency=5 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'SMSSHA'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'SMSSHA' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'SMSSHA'. Enabled=true Concurrency=1 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'lmp_[http]mp_locationmanager'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'lmp_[http]mp_locationmanager' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'lmp_[http]mp_locationmanager'. Enabled=true Concurrency=1 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'mp_statusreceiver'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'mp_statusreceiver' initialized with 0 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'mp_statusreceiver'. Enabled=true Concurrency=1 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initializing queue 'mp_[http]mp_locationmanager'... CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Queue 'mp_[http]mp_locationmanager' initialized with 1 messages. CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Initialized queue processor 'mp_[http]mp_locationmanager'. Enabled=true Concurrency=1 CcmMessaging 8/5/2014 1:25:50 AM 2192 (0x0890)
    Raising event:
    instance of CCM_CcmHttp_Status
     ClientID = "GUID:b8d72095-2590-4724-9db9-b721efc05007";
     DateTime = "20140804232553.423000+000";
     HostName = "DEMO-SCCM.demoforest.local";
     HRESULT = "0x00000000";
     ProcessID = 1996;
     StatusCode = 0;
     ThreadID = 2504;
     CcmMessaging 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Raising event:
    instance of CCM_CcmHttp_Status
     ClientID = "GUID:b8d72095-2590-4724-9db9-b721efc05007";
     DateTime = "20140804232553.485000+000";
     HostName = "DEMO-SCCM.demoforest.local";
     HRESULT = "0x00000000";
     ProcessID = 1996;
     StatusCode = 0;
     ThreadID = 2504;
     CcmMessaging 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Raising event:
    instance of CCM_CcmHttp_Status
     ClientID = "GUID:b8d72095-2590-4724-9db9-b721efc05007";
     DateTime = "20140804232553.563000+000";
     HostName = "DEMO-SCCM.demoforest.local";
     HRESULT = "0x00000000";
     ProcessID = 1996;
     StatusCode = 0;
     ThreadID = 2504;
     CcmMessaging 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Raising event:
    instance of CCM_CcmHttp_Status
     ClientID = "GUID:b8d72095-2590-4724-9db9-b721efc05007";
     DateTime = "20140804232553.657000+000";
     HostName = "DEMO-SCCM.demoforest.local";
     HRESULT = "0x00000000";
     ProcessID = 1996;
     StatusCode = 0;
     ThreadID = 2504;
     CcmMessaging 8/5/2014 1:25:53 AM 2504 (0x09C8)
    Raising event:
    instance of CCM_CcmHttp_Status
     ClientID = "GUID:b8d72095-2590-4724-9db9-b721efc05007";
     DateTime = "20140804232606.048000+000";
     HostName = "DEMO-SCCM.demoforest.local";
     HRESULT = "0x00000000";
     ProcessID = 1996;
     StatusCode = 0;
     ThreadID = 2508;
     CcmMessaging 8/5/2014 1:26:06 AM 2508 (0x09CC)
    Raising event:
    instance of CCM_CcmHttp_Status
     ClientID = "GUID:b8d72095-2590-4724-9db9-b721efc05007";
     DateTime = "20140804232606.110000+000";
     HostName = "DEMO-SCCM.demoforest.local";
     HRESULT = "0x00000000";
     ProcessID = 1996;
     StatusCode = 0;
     ThreadID = 2188;
     CcmMessaging 8/5/2014 1:26:06 AM 2188 (0x088C)
    Raising event:
    instance of CCM_CcmHttp_Status
     ClientID = "GUID:b8d72095-2590-4724-9db9-b721efc05007";
     DateTime = "20140804232606.188000+000";
     HostName = "DEMO-SCCM.demoforest.local";
     HRESULT = "0x00000000";
     ProcessID = 1996;
     StatusCode = 0;
     ThreadID = 2504;
     CcmMessaging 8/5/2014 1:26:06 AM 2504 (0x09C8)
    CcmNotificationAgent.log:
    Bgb client agent is starting... BgbAgent 8/5/2014 1:26:05 AM 2504 (0x09C8)
    Bgb client agent is disabled BgbAgent 8/5/2014 1:26:05 AM 2504 (0x09C8)
    TCP Listener is disabled. BgbAgent 8/5/2014 1:26:05 AM 2504 (0x09C8)
    BgbController main thread is started with settings: {bgb enable = 0}, {tcp enabled = 0}, {tcp port = 0} and {http enabled = 0}. BgbAgent 8/5/2014 1:26:05 AM 2504 (0x09C8)
    Wait 3600 seconds for event notification. BgbAgent 8/5/2014 1:26:05 AM 3076 (0x0C04)
    Wait 3600 seconds for event notification. BgbAgent 8/5/2014 2:26:05 AM 3076 (0x0C04)
    Any help is appreciated and with kind regards,
    Willem-Jan
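
A triage sketch for the flattened client log lines pasted in the post above, added here as an example and not part of the original post: it parses the `message component date time thread (0xhex)` layout, flags lines that carry a failure HRESULT or an attention phrase, and splits each HRESULT into facility and code. The function names, the phrase list and the small name tables are assumptions made for this example; the sample lines are copied from the logs in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Layout of the flattened log lines in the post:
#   <message> <component> <M/D/YYYY> <h:mm:ss AM|PM> <thread id> (0x<thread id in hex>)
LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<component>\S+)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<tid>\d+) \(0x(?P<tidhex>[0-9A-Fa-f]+)\)\s*$"
)
# Eight hex digits starting with 8 (the form every failure code in the post takes),
# with or without "0x", not embedded in a longer hex run or a GUID.
HRESULT_RE = re.compile(r"(?<![0-9A-Fa-f{-])(?:0x)?(8[0-9A-Fa-f]{7})(?![0-9A-Fa-f-])")

# Assumption: phrases picked from the messages in the post, not an official list.
ATTENTION = ("skipping request", "provisioning mode", "failed", "error signing")

# Well-known names only; anything else is reported as unnamed.
HRESULT_NAMES = {0x80004005: "E_FAIL", 0x80041002: "WBEM_E_NOT_FOUND"}
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 87: "ERROR_INVALID_PARAMETER",
               1115: "ERROR_SHUTDOWN_IN_PROGRESS"}


def decode_hresult(text):
    """Split an HRESULT into facility (bits 16-26) and code (bits 0-15)."""
    value = int(text, 16)
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    # Facility 7 wraps a Win32 error number in the low 16 bits.
    name = WIN32_NAMES.get(code) if facility == 7 else HRESULT_NAMES.get(value)
    return {"hex": f"0x{value:08X}", "facility": facility, "code": code, "name": name}


def parse_line(line):
    """Return the fields of one log line, or None for continuation/unparsable text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "message": m["msg"],
        "component": m["component"],
        "when": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p"),
        "thread": int(m["tid"]),
        # A mismatch between the decimal and hex thread id means the line was damaged.
        "thread_ok": int(m["tid"]) == int(m["tidhex"], 16),
    }


def triage(lines):
    """Return (findings, unparsed_count) for an iterable of log lines."""
    findings, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        lowered = rec["message"].lower()
        rec["reasons"] = [p for p in ATTENTION if p in lowered]
        rec["hresults"] = [decode_hresult(h) for h in HRESULT_RE.findall(rec["message"])]
        if rec["reasons"] or rec["hresults"] or not rec["thread_ok"]:
            findings.append(rec)
    return findings, unparsed


def summarize(findings):
    """Count failure codes per component so repeated errors stand out."""
    return Counter((f["component"], h["hex"]) for f in findings for h in f["hresults"])


# Lines copied from the logs in the post; "Raising event:" stands in for multi-line records.
SAMPLE = r"""
Registered for MP notifications. PolicyAgent_PostStartup 8/5/2014 1:26:05 AM 2652 (0x0A5C)
Not rerequesting policy on site code change in provisioning mode. PolicyAgent_ReRequestPolicy 8/5/2014 12:01:55 AM 3212 (0x0C8C)
Skipping request for user policy assignments due to agent configuration for authority 'SMS:TDS'. PolicyAgent_RequestAssignments 8/5/2014 9:02:34 AM 2484 (0x09B4)
Failed to open to WMI namespace '\\.\root\ccmvdi' (8007045b) ClientIDManagerStartup 8/5/2014 1:25:02 AM 372 (0x0174)
Error signing client message (0x80004005). ClientAuth 4/22/2014 9:25:01 PM 1612 (0x064C)
Error signing client message (0x80004005). ClientAuth 4/22/2014 9:25:02 PM 1612 (0x064C)
ExecMgr::GetTaskState - GetTaskState Failed with error code 0x87d00317 execmgr 8/5/2014 12:03:02 AM 1652 (0x0674)
Raising event:
""".strip().splitlines()

if __name__ == "__main__":
    found, skipped = triage(SAMPLE)
    for f in found:
        codes = ", ".join(
            f"{h['hex']} facility={h['facility']} code={h['code']} {h['name'] or 'unnamed'}"
            for h in f["hresults"]
        )
        print(f"{f['when']:%Y-%m-%d %H:%M:%S} {f['component']:<32} {f['reasons']} {codes}")
    print("unparsed lines:", skipped)
    print("repeats:", dict(summarize(found)))
```

Codes outside the two name tables, such as the execmgr one, are reported with facility and code only, so they can be looked up rather than guessed.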

    Hello all,
    I modified the TS, but the problem is still there.
    smsts.log:
    ==============================[ OSDSetupHook.exe ]============================== OSDSetupHook 8/5/2014 4:51:30 PM 856 (0x0358)
    Executing task sequence OSDSetupHook 8/5/2014 4:51:30 PM 856 (0x0358)
    Loading the Task Sequencing Environment from "C:\_SMSTaskSequence\TSEnv.dat". OSDSetupHook 8/5/2014 4:51:30 PM 856 (0x0358)
    Environment scope successfully created: Global\{51A016B6-F0DE-4752-B97C-54E6F386A912} OSDSetupHook 8/5/2014 4:51:30 PM 856 (0x0358)
    Environment scope successfully created: Global\{BA3A3900-CA6D-4ac1-8C28-5073AFC22B03} OSDSetupHook 8/5/2014 4:51:30 PM 856 (0x0358)
    Debug shell is enabled OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Successfully enabled debug command shell support. OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Configuring local administrator account OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Re-assign all drive letters... OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Could not open drive Q:\ (80070005) OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Ignoring inaccessible volume 'Q:' with error 0x80070005 OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    No partition needs to be udpated. OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Installing SMS client OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Client already installed. OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Moving logs to SMS client directory OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Successfully moved logs to SMS client log directory: C:\Windows\CCM\Logs\SMSTSLog OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Executing task sequence manager bootstrap OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    Executing command line: "C:\Windows\CCM\TSMBootstrap.exe" /env:Gina /configpath:C:\_SMSTaskSequence /bootcount:5 OSDSetupHook 8/5/2014 4:51:39 PM 856 (0x0358)
    ==============================[ TSMBootStrap.exe ]============================== TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Command line: "C:\Windows\CCM\TSMBootstrap.exe" /env:Gina /configpath:C:\_SMSTaskSequence /bootcount:5 TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Current OS version is 6.1.7601.1 TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Logging successfully initialized. TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Resuming Task Sequence in Full OS TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    We are going in GINA and potentially need to set the authenticator TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    setting the authenticator TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Executing command line: "C:\Windows\CCM\TsProgressUI.exe" /Register:WinPE TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    ==========[ TsProgressUI started in process 2196 ]========== TsProgressUI 8/5/2014 4:51:39 PM 2200 (0x0898)
    Command line: "C:\Windows\CCM\TsProgressUI.exe" /Register:WinPE TsProgressUI 8/5/2014 4:51:39 PM 2200 (0x0898)
    Registering COM classes TsProgressUI 8/5/2014 4:51:39 PM 2200 (0x0898)
    sbModulePath = C:\Windows\CCM\TsProgressUI.exe TsProgressUI 8/5/2014 4:51:39 PM 2200 (0x0898)
    Unregistering class objects TsProgressUI 8/5/2014 4:51:39 PM 2200 (0x0898)
    Shutdown complete. TsProgressUI 8/5/2014 4:51:39 PM 2200 (0x0898)
    Process completed with exit code 0 TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Successfully registered TS Progress UI. TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Found network adapter "Intel 21140-Based PCI Fast Ethernet Adapter (Emulated)" with IP Address 5.5.5.101. TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Starting Task Sequence Manager. TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    executing TS Manager not in full media TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    executing TS Manager in c:\windows\ccm TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Executing command line: "TsManager.exe" TSMBootstrap 8/5/2014 4:51:39 PM 2152 (0x0868)
    Successfully intialized Logging for TS Manager. TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Commandline: "TsManager.exe" TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    /service parameter found at index: -1 TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    /standalone parameter found at index: -1 TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    /noclient parameter found at index: -1 TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Successfully registered Task Sequencing COM Interface. TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Executing as a standalone exe TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Initializing TS Environment TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Opening Task Sequencing Environment TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Deleting volume ID file C:\_SMSTSVolumeID.7159644d-f741-45d5-ab29-0ad8aa4771ca ... TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    pwszPath && *pwszPath, HRESULT=80070057 (e:\qfe\nts\sms\framework\tscore\resolvesource.cpp,228) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    pwszPath && *pwszPath, HRESULT=80070057 (e:\qfe\nts\sms\framework\tscore\resolvesource.cpp,228) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    pwszPath && *pwszPath, HRESULT=80070057 (e:\qfe\nts\sms\framework\tscore\resolvesource.cpp,228) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    pwszPath && *pwszPath, HRESULT=80070057 (e:\qfe\nts\sms\framework\tscore\resolvesource.cpp,228) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    NOT executing in WinPE TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Compiling Config policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Compiling config policies... TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Compiling SysHealthConfig policy... TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Retrieving value from TSEnv for '_SMSTSSysHealthClientConfig' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    ::DecompressBuffer(65536) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Decompression (zlib) succeeded: original size 684, uncompressed size 4652. TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Instance path = 'CCM_SystemHealthClientConfig.SiteSettingsKey="1"' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Compiling SoftUpdConfig policy... TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Retrieving value from TSEnv for '_SMSTSSWUpdateClientConfig' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    ::DecompressBuffer(65536) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Decompression (zlib) succeeded: original size 1922, uncompressed size 19242. TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Instance path = 'CCM_SoftwareUpdatesClientConfig.SiteSettingsKey="1"' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Compiling SoftDistClientConfig policy... TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Retrieving value from TSEnv for '_SMSTSSoftDistClientConfig' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    ::DecompressBuffer(65536) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Decompression (zlib) succeeded: original size 1327, uncompressed size 13740. TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Instance path = 'CCM_SoftwareDistributionClientConfig.SiteSettingsKey="1"' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Compiling NAAConfig policy... TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Retrieving value from TSEnv for '_SMSTSNAAConfigPolicy' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    ::DecompressBuffer(65536) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Decompression (zlib) succeeded: original size 1022, uncompressed size 6494. TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Instance path = 'CCM_NetworkAccessAccount.SiteSettingsKey="1"' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Instance path = 'CCM_NetworkAccessAccount.SiteSettingsKey="1"' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Compiling RebootSettingsConfig policy... TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Retrieving value from TSEnv for '_SMSTSRebootSettingsConfigPolicy' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    ::DecompressBuffer(65536) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Decompression (zlib) succeeded: original size 433, uncompressed size 1556. TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Instance path = 'CCM_RebootSettings.SiteSettingsKey="1"' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Compiling AppManClientConfig policy... TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Retrieving value from TSEnv for '_SMSTSAppManClientConfigPolicy' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    ::DecompressBuffer(65536) TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Decompression (zlib) succeeded: original size 982, uncompressed size 6358. TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Instance path = 'CCM_ApplicationManagementClientConfig.SiteSettingsKey="1"' TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Start to compile TS policy TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Failed to find property 'AutoApplyDeployment' in 'CCM_ApplicationManagementClientConfig' class defintion. Error 0x80041002. Default value will be used for this property TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Policy complied successfully in WMI 'root\ccm\policy\defaultmachine\requestedconfig' namespace TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    End TS policy compilation TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Get Install Directory for SMS Client TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    Updating settings in \\.\root\ccm\policy\machine\actualconfig TSManager 8/5/2014 4:51:40 PM 2244 (0x08C4)
    RequestedConfig policy instance(s) : 435 TSManager 8/5/2014 4:51:49 PM 2244 (0x08C4)
    Locked \\.\ROOT\ccm\policy\machine\RequestedConfig for source SMS:Client:Default:{BFDADC41-FDCD-4B9C-B446-8A818D01BEA3} successfully TSManager 8/5/2014 4:51:49 PM 2244 (0x08C4)
    Namespace: \\.\ROOT\ccm\policy\machine\RequestedConfig, Query: SELECT PolicyID FROM CCM_Policy_Policy5 WHERE (PolicySource = "SMS:Client:Default:{BFDADC41-FDCD-4B9C-B446-8A818D01BEA3}") AND (PolicyState
    = "Active") AND (PolicyType = "Machine") TSManager 8/5/2014 4:51:49 PM 2244 (0x08C4)
    There is no ccm_policy_policy instance, skipping addition to realinst map TSManager 8/5/2014 4:51:49 PM 2244 (0x08C4)
    Unlocked \\.\ROOT\ccm\policy\machine\RequestedConfig for source SMS:Client:Default:{BFDADC41-FDCD-4B9C-B446-8A818D01BEA3} successfully TSManager 8/5/2014 4:51:49 PM 2244 (0x08C4)
    RequestedConfig policy instance(s) : 0 TSManager 8/5/2014 4:51:50 PM 2244 (0x08C4)
    Locked \\.\ROOT\ccm\policy\machine\RequestedConfig for source SMS:TDS successfully TSManager 8/5/2014 4:51:50 PM 2244 (0x08C4)
    Namespace: \\.\ROOT\ccm\policy\machine\RequestedConfig, Query: SELECT PolicyID FROM CCM_Policy_Policy5 WHERE (PolicySource = "SMS:TDS") AND (PolicyState = "Active") AND (PolicyType = "Machine") TSManager 8/5/2014
    4:51:50 PM 2244 (0x08C4)
    There is no ccm_policy_policy instance, skipping addition to realinst map TSManager 8/5/2014 4:51:50 PM 2244 (0x08C4)
    Unlocked \\.\ROOT\ccm\policy\machine\RequestedConfig for source SMS:TDS successfully TSManager 8/5/2014 4:51:50 PM 2244 (0x08C4)
    RequestedConfig policy instance(s) : 0 TSManager 8/5/2014 4:51:51 PM 2244 (0x08C4)
    Locked \\.\ROOT\ccm\policy\machine\RequestedConfig for source CcmPortal successfully TSManager 8/5/2014 4:51:51 PM 2244 (0x08C4)
    Namespace: \\.\ROOT\ccm\policy\machine\RequestedConfig, Query: SELECT PolicyID FROM CCM_Policy_Policy5 WHERE (PolicySource = "CcmPortal") AND (PolicyState = "Active") AND (PolicyType = "Machine") TSManager 8/5/2014
    4:51:51 PM 2244 (0x08C4)
    There is no ccm_policy_policy instance, skipping addition to realinst map TSManager 8/5/2014 4:51:51 PM 2244 (0x08C4)
    Unlocked \\.\ROOT\ccm\policy\machine\RequestedConfig for source CcmPortal successfully TSManager 8/5/2014 4:51:51 PM 2244 (0x08C4)
    RequestedConfig policy instance(s) : 0 TSManager 8/5/2014 4:51:53 PM 2244 (0x08C4)
    Locked \\.\ROOT\ccm\policy\machine\RequestedConfig for source Local successfully TSManager 8/5/2014 4:51:53 PM 2244 (0x08C4)
    RequestedConfig policy instance(s) : 9 TSManager 8/5/2014 4:51:53 PM 2244 (0x08C4)
    Unlocked \\.\ROOT\ccm\policy\machine\RequestedConfig for source Local successfully TSManager 8/5/2014 4:51:53 PM 2244 (0x08C4)
    RequestedConfig policy instance(s) : 11943 TSManager 8/5/2014 4:51:57 PM 2244 (0x08C4)
    Locked \\.\ROOT\ccm\policy\machine\RequestedConfig for source CcmTaskSequence successfully TSManager 8/5/2014 4:51:57 PM 2244 (0x08C4)
    Namespace: \\.\ROOT\ccm\policy\machine\RequestedConfig, Query: SELECT PolicyID FROM CCM_Policy_Policy5 WHERE (PolicySource = "CcmTaskSequence") AND (PolicyState = "Active") AND (PolicyType = "Machine") TSManager 8/5/2014
    4:51:57 PM 2244 (0x08C4)
    There is no ccm_policy_policy instance, skipping addition to realinst map TSManager 8/5/2014 4:51:57 PM 2244 (0x08C4)
    Unlocked \\.\ROOT\ccm\policy\machine\RequestedConfig for source CcmTaskSequence successfully TSManager 8/5/2014 4:51:57 PM 2244 (0x08C4)
    Total RequestedConfig policy instance(s) : 12387 TSManager 8/5/2014 4:52:00 PM 2244 (0x08C4)
    New/Changed ActualConfig policy instance(s) : 0 TSManager 8/5/2014 4:52:04 PM 2244 (0x08C4)
    Policy evaluation initiated TSManager 8/5/2014 4:52:04 PM 2244 (0x08C4)
    Waiting for policy to be compiled in 'root\ccm\policy\machine' namespace  TSManager 8/5/2014 4:52:04 PM 2244 (0x08C4)
    Query = 'CCM_SystemHealthClientConfig.SiteSettingsKey="1"'  TSManager 8/5/2014 4:52:04 PM 2244 (0x08C4)
    Verified policy for instance path 'CCM_SystemHealthClientConfig.SiteSettingsKey="1"' compiled in 'root\ccm\policy\machine' namespace TSManager 8/5/2014 4:52:04 PM 2244 (0x08C4)
    Query = 'CCM_SoftwareUpdatesClientConfig.SiteSettingsKey="1"'  TSManager 8/5/2014 4:52:04 PM 2244 (0x08C4)
    Verified policy for instance path 'CCM_SoftwareUpdatesClientConfig.SiteSettingsKey="1"' compiled in 'root\ccm\policy\machine' namespace TSManager 8/5/2014 4:52:04 PM 2244 (0x08C4)
    Query = 'CCM_SoftwareDistributionClientConfig.SiteSettingsKey="1"'  TSManager 8/5/2014 4:52:04 PM 2244 (0x08C4)
    Verified policy for instance path 'CCM_SoftwareDistributionClientConfig.SiteSettingsKey="1"' compiled in 'root\ccm\policy\machine'
    The PowerShell command as described by NPerson gives the output:
    C:\Windows\system32>powershell Invoke-WmiMethod -Namespace root\CCM -Class SMS_C
    lient -Name SetClientProvisioningMode -ArgumentList $false
    __GENUS          : 1
    __CLASS          : __PARAMETERS
    __SUPERCLASS     :
    __DYNASTY        : __PARAMETERS
    __RELPATH        : __PARAMETERS
    __PROPERTY_COUNT : 1
    __DERIVATION     : {}
    __SERVER         : DEMO-CAPTURE
    __NAMESPACE      : ROOT\ccm
    __PATH           :
    \\DEMO-CAPTURE\ROOT\ccm:__PARAMETERS
    ReturnValue      :
    PSComputerName   : DEMO-CAPTURE
    It is about the PSComputerName: that is the name of the machine on which the capture was made. So I suppose the problem is already in the image. Is my statement correct or is it not relevant?
    With kind regards,
    Willem-Jan

  • Microsoft Intune was unable to set the desired mobile device policy for one or more users due to the following error: A2CE0100

    Hi!
    We have fatal or critical error message on Microsoft Intune Portal but all agents are working just fine. Before opening support ticket we would like to hear comments from the experts on this forum. We would also like to fix this error before starting to manage mobile devices with Intune.
    Error message on Intune Portal:
    "Microsoft Intune was unable to set the desired mobile device policy for one or more users due to the following error: A2CE0100"
    Repeated: 19 times.
    Class: (System) Policy
    Random Fatal error message on C:\Program Files\Microsoft\OnlineManagement\Logs\PolicyAgent.log found from one Windows 8.1 client:
    2015-02-21 08:49:20:704 2852 1ab0 FATAL: DocumentProvider::IndicateToConsumer/pp->ProcessPolicies(NULL, NULL, NULL, NULL) failed with error 0x800704d5.
    That said, we are not facing any specific problem but we would like to find the cause of this repeating error message on Intune Portal. We would appreciate any thoughts about this case.
    Br.
    Jukka

    Hi Jukka,
    Mobile policy doesn't apply to clients using the Full Client download.  Please open a support case so the team can assist in further troubleshooting.
    Thanks,
    Jon L. - MSFT - This posting is provided "AS IS" with no warranties and confers no rights.

  • Different Password Policy for Different User Groups in ACS 4.2

    Hi All,
    Can someone provide a solution for the below requirement?
    We do have ACS 4.2 appliance managing firewalls of different clients. The users are common i.e, helpdesk administrators. One of the client came up with setting different password policy for managing their devices i.e, the client wants to have min 15 characters as password length. We do have currently 8 characters as min password length. Can we change the password policy to min 15 characters only for managing the firewalls of this client whereas for all other client firewalls we feel better to have 8 characters as min password length?
    It seems that these password policies are global & affects all the users.
    This is something like, having two sets of password (for each user) policy depending on the client which he is going to manage.
    To my knowledge, I think that this is not possible. But I thought to cross-check with experts!
    -Jags.

    Hi jags,
    You're correct. Password policy on ACS will affect all internal users. We can't create different password policies for different clients/connections/set_of_users.
    Password validation options apply only to user passwords that are stored in the ACS internal database. They do not apply to passwords in user records in external user databases; nor do they apply to enable or admin passwords for Cisco IOS network devices.
    HTH
    Regards,
    JK

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some experts advise on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings which I am concerned:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how outlook profile will be retained / automatically moved if the users move from one computer to other?
    FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how outlook profile will be retained / automatically moved if the users move from one computer to other?
    This depends on where our outlook data files are stored. If these data files are stored under drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • How to change an OD policy for existing accounts

    OS X server 10.4
    I set up Open Directory with one of the policies being specification to reset password upon first login.
    I then imported a batch of accounts from a unix /etc/passwd file with the standard settings header.
    I changed my mind about the reset password policy and made the change in Server Admin.
    I also am changing password type from crypt to open directory in the Work Group Manager (WGM) for each user. Upon each change, a new password is prompted for and set.
    I now find that accounts created via the import process and had password type changed in WGM, along with a new password setting, cannot get authorization services, for example ssh login or mail, unless the user logs in at an OS X login screen where they are prompted for a new password as required by the policy when their account was created but after the policy is changed in Server Admin.
    1. Are OD Server Admin policy changes only applied to accounts made after a policy change save?
    2. How do I change the OD policy for a single account, or perhaps a collection of accounts?
    -Thanks

    Policies can be set for all users at a site in Server Admin, or they can be set for users in Workgroup Manager. In WGM, the options are in the Advanced tab. Policies set on a specific user generally override those set in Server Admin. When policies are set, they become active for all existing and new users. The option, "password must be reset on first user login" is the exception. It dictates how accounts are created. Once an account is flagged for a password change, it must be unset in WGM. Go to the Advanced tab for the user and click the Options button.

  • Update Policy for multiple networks with specific DNS servers

    I have a mid size network with 5 locations all with different IP addresses. All sites host their own DNS servers and connect directly through an ISP dedicated VLAN.
    Main Site
    10.1.1.1
    255.0.0.0
    Remote Site 1
    192.168.100.1
    255.255.255.0
    Remote Site 2
    192.168.101.1
    255.255.255.0
    Remote Site 3
    192.168.102.1
    255.255.255.0
    Remote Site 4
    192.168.103.1
    255.255.255.0
    All sites can be managed through the main site, but have their own DNS servers on location.
    My purpose is to point all computers and devices to a new DNS server from their previous static assignment. (XP and later versions)
    My question is can I use GP or DHCP* to push DNS server information to each device making them site specific without having to travel to those locations?
    Requirements:
    All devices on 10.1.1.1 will be changing from 10.1.1.2 to 10.1.1.4 (decom of old 2k3 server)
    DNS servers at each 192 location will need to point secondary server to 10.1.1.4
    Devices at main will need to use 10.1.1.4 as primary and 10.1.1.3 as secondary.
    Devices at each site will need to keep their respective DNS server.
    *If I use DHCP to change the information on a per scope level, can I use GP to force computers with locally set static assignments to update to DHCP static assignments
    Bonus: If anyone can give me an estimate on how much network traffic/bandwidth this would create that would be great because I would consider staggering the assignments as I am a 24 hour business.

    Hi,
    You may configure a Scheduled Task Item in Group Policy.
    To create a new Scheduled Task preference item, please follow the steps below,
    Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
    In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder.
    Right-click the Scheduled Tasks node, point to New, and select Scheduled Task.
    In the New Scheduled Task Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)
    On the Task tab, enter task settings for Group Policy to configure or remove. (For more information, see "Task settings" in this topic.)
    If creating, updating, or replacing a task:
    Click the Schedule tab, and configure one or more schedules for the task. (For more information, see "Schedule settings" in this topic.)
    Click the Settings tab, and enter any additional task settings for Group Policy to configure. (For more information, see "Other scheduled task settings" in this topic.)
    Click the Common tab, configure any options, and then type your comments in the Description box. (For more information, see Configure Common Options.)
    Click OK. The new preference item appears in the details pane.
    In the task, you may use netsh to set the DNS address.
    netsh interface ip set dns name="Local Area Connection" static yourdnssetting
    Here is an article about netsh command,
    http://technet.microsoft.com/en-us/library/cc738592(v=WS.10).aspx#BKMK_5
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Configuring socket policy for flex apps(with blocked port 843)?

    We have built several flex-based ecommerce apps for a fortune 500 customer of ours, that for various reasons, we need to use sockets to a different domain and requires a socket policy file, but we're having trouble configuring our flex apps for deployment in their environment where they are blocking virtually everything except port 80. The current documentation in regards to socket policy files and crossdomain files in a non-standard configuration not using port 843 is not providing any useful help to us.
    Here is the scenario:
    Flex apps are served from domain www.a.com in  to users browsers via http. The apps then make socket connections to domain www.b.com:80 where there are php scripts serving json data to the flex apps via port 80 using http (we use sockets because we need to set and read back http headers). The problem is the flex apps cannot make socket connections to the www.b.com domain without errors like below (unless we set up a socket policy server on port 843 of www.b.com, in which case everything works):
    Warning: Timeout on xmlsocket://www.b.com:80 (at 3 seconds) while waiting for socket policy file.  This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation.
    Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
    Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com.us/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
    Since we cannot use port 843 for the socket policy file server, we set up the socket policy server on a different ip in the same domain: spf.b.com:80 (using the sample perl code Adobe provides), and per the docs (cited below), use Security.loadPolicyFile("xmlsocket://spf.b.com:80") before we invoke "socket.connect", to supposedly tell the flash player to check there for the socket policy file. The problem, as you can see from the error log, is that the loadPolicyFile("xmlsocket://spf.b.com:80") is ignored.
    No matter what we do or how we set things up, we cannot get the flash player to recognize the loadPolicyFile(), it always wants to go to the port we're making the socket connection on. It is unclear how to properly configure the flex app, socket policy file and crossdomain file for the above scenario. The docs allude to being able to serve the socket policy file from a different port 80 in the same domain as the socket connection we're trying to make, but we're having no luck with that.
    ->Can anyone shed some light on how to make this work or what are we missing/doing wrong? Also, if we can get this to work, are we stuck with a 3 second delay because this (very large) customer is blocking port 843?
    As an aside, the documentation for all this is a bit scattered, unclear and contradictory:
    One document says:(http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_07.html)
    "This warning usually means one of two things: first, that you need to set up a socket policy file server on port 843, which is the first location that Flash Player checks by default; or second, that you need to provide more explicit guidance to Flash Player from ActionScript by calling loadPolicyFile to indicate the location of a socket policy file. When you call loadPolicyFile rather than allowing Flash Player to check locations by default, Flash Player will wait as long as necessary for a response from a socket policy file server, rather than timing out after 3 seconds."
    Another document says(http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html):
    "If an ActionScript Security.loadPolicyFile() command exists within the SWF file, then the Flash Player runtime checks that location. Flash Player checks the destination of the loadPolicyFile() only after it has checked the master policy file on port 843 for permission to acknowledge other policy files. If the developer has not specified a loadPolicyFile() command, then Flash Player checks the destination port of the connection."

    I found the reason why the Flex application was ignoring the socket policy (crossdomain.XML). I have a policy server that listens to port 843 and submits the policy to the Flex client. My policy was getting ignored by the Flex application and I was getting the sandbox security error you were getting. The solution to this problem is to write a null byte right after the policy server sends the policy. I'm using Apache Mina, which is written in Java, and the null byte is written as follows:
    public void sessionCreated(IoSession session)
            throws Exception
    {
        session.write(_policy);   // policy string
        session.write("\u0000");  // null byte that terminates the policy
        // session.close(true);   // No need to close the session because it is closed by the Flex client after it receives the null byte.
    }
    Now my Flex application can read and accept the policy from port 843 and I'm not getting more security violations.
    Thanks for your reply,
    Alberto
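
The exchange described in this thread, as an added example that is not code from either poster: Flash Player sends `<policy-file-request/>` followed by a NUL byte and only accepts a reply that is itself NUL-terminated. The sketch uses plain `java.net` sockets instead of Apache Mina; the class name, the sample policy (scoped to www.a.com and port 80 from the question rather than wildcards) and the loopback self-check in `main` are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class SocketPolicyResponder {
    static final String REQUEST = "<policy-file-request/>";

    // Constructed sample policy: only content served from www.a.com may
    // open sockets, and only to port 80. No wildcard domain or port range.
    static final String POLICY =
        "<?xml version=\"1.0\"?>"
      + "<cross-domain-policy>"
      + "<allow-access-from domain=\"www.a.com\" to-ports=\"80\"/>"
      + "</cross-domain-policy>";

    /** Reads up to (not including) the first NUL byte; stops at EOF or at limit bytes. */
    static String readUntilNul(InputStream in, int limit) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        int b;
        while (buf.size() < limit && (b = in.read()) > 0) {
            buf.write(b);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    /** Answers one connection: policy plus NUL for a policy request, silence otherwise. */
    static void handle(Socket client) throws IOException {
        try (Socket s = client) {
            s.setSoTimeout(3000);                  // do not hang on a silent peer
            String request = readUntilNul(s.getInputStream(), 64);
            if (!REQUEST.equals(request)) {
                return;                            // not a policy request: just close
            }
            OutputStream out = s.getOutputStream();
            out.write(POLICY.getBytes(StandardCharsets.UTF_8));
            out.write(0);                          // the terminator the player waits for
            out.flush();                           // reply is complete before the socket closes
        }
    }

    public static void main(String[] args) throws Exception {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        // Port 0 picks a free port for this self-check; a deployment would bind
        // the port the player is told to query.
        try (ServerSocket server = new ServerSocket(0, 1, loopback)) {
            Thread responder = new Thread(() -> {
                try {
                    handle(server.accept());
                } catch (IOException e) {
                    e.printStackTrace();
                }
            });
            responder.start();

            // Constructed client standing in for Flash Player.
            try (Socket c = new Socket(loopback, server.getLocalPort())) {
                OutputStream out = c.getOutputStream();
                out.write(REQUEST.getBytes(StandardCharsets.UTF_8));
                out.write(0);
                out.flush();
                InputStream in = c.getInputStream();
                String reply = readUntilNul(in, 4096);
                System.out.println("policy received intact: " + POLICY.equals(reply));
                System.out.println("server closed after reply: " + (in.read() == -1));
            }
            responder.join();
        }
    }
}
```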

  • How to trace policy for native FTP

    Hi guys,
    I am trying to troubleshoot policy for native FTP (proxy port 8021 where FTP proxy is listening). The main reason is probably a wrong policy: we have usersA that are able to log into ftp via FTP proxy, but another usersB (another subnet) are not able to do the same (receiving "530 Login denied").
    Questions:
    - is there any way how can I troubleshoot/trace policy for native FTP?
    - where/what access rules are applied to request placed to FTP proxy from users? I can see that there is option to disable "Native FTP" within access policies ("Protocols and User Agents" column) but all those checkboxes within all access policies rules are unchecked.
    thanks for any help
    michal

    Hi Michal,
    Yes, you can troubleshoot the FTP connection issues that you are having. Follow these steps below:
    To grep the access logs for an entry, SSH into the WSA and run the following command from the CLI:
    1. Grep
    2. Enter the number of the log you wish to grep.
    []> 1
    3. Enter the regular expression to grep.
    []> IP of the PC that the issue is being reproduced on.
    4. Do you want this search to be case insensitive? [Y]>
    5. Do you want to search for non-matching lines? [N]>
    6. Do you want to tail the logs? [N]> Yes
    7. Do you want to paginate the output? [N]>
    If you have any questions or concerns please feel free to email or call me.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator

  • Sample of weblogic.policy for WLS6.0

    Dear all,
    I had installed WLS6.0 on Solaris 2.6 and tried to turn on
    java security manager with this option
    -Djava.security.policy==/usr/home/bea/wlserver6.0/lib/weblogic.policy -Djava.security.manager
    This makes me unable to boot WLS. Here are the contents of my weblogic.policy
    grant {
        // Permission "enableSubstitution" needed to run the WebLogic console
        permission java.io.SerializablePermission "enableSubstitution";
        // Permission "modifyThreadGroup" required to run the WebLogic Server
        permission java.lang.RuntimePermission "modifyThreadGroup";
        permission java.lang.RuntimePermission "setContextClassLoader";
        // Permission "setIO" needed to start a server from the WebLogic console
        permission java.lang.RuntimePermission "setIO";
        // Permission "getClassLoader" needed for many EJB clients
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "stopThread";
        permission java.net.SocketPermission "localhost:1024-", "listen";
        permission java.util.PropertyPermission "*", "read,write";
        permission java.io.FilePermission "${/}usr${/}home${/}bea${/}wlserver6.0${/}-", "read,write,delete,execute";
    };
    And here is the error that occurs
    java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/bea/wlserver6.0 read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
    at java.security.AccessController.checkPermission(AccessController.java:399)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
    at java.io.File.exists(File.java:535)
    at weblogic.utils.classloaders.ClasspathClassFinder.<init>(ClasspathClassFinder.java:61)
    at weblogic.Home.getFileSource(Home.java:64)
    at weblogic.Home.<init>(Home.java:29)
    at weblogic.Home.getInstance(Home.java:82)
    at weblogic.Home.getPath(Home.java:90)
    at weblogic.security.internal.ServerAuthenticate.main(ServerAuthenticate.java:76)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:167)
    at weblogic.Server.main(Server.java:35)
    Could anyone tell me what goes wrong? If you have a working version of weblogic.policy,
    please share with me.
    Regards,
    Khemchart

    Here's a snippet from upcoming release notes about the Java
    security manager and the example weblogic.policy file.
    Using the Java Security Manager with WebLogic Server
    When you run WebLogic Server under Java 2 (JDK 1.2 or 1.3), WebLogic
    Server can use the Java Security Manager in Java 2 to provide
    additional access control for WebLogic Server resources. The Java
    Virtual Machine (JVM) has security mechanisms built into it which can
    be managed via a security policy file. The Java Security Manager can
    enforce a set of permissions granted to CodeSource or SignedBy
    classes. The permissions allow certain classes running in that
    instance of the JVM to do or not do certain runtime operations. In
    many cases, where the threat model does not include malicious code
    being run on the JVM, the Java Security Manager is unnecessary. In
    cases such as when an Application Service Provider uses WebLogic
    Server and unknown classes are being run, the Java Security Manager is
    necessary. To use the Java Security Manager with WebLogic Server,
    specify the -Djava.security.manager property when starting WebLogic
    Server.
    Note: In past releases of WebLogic Server, the Java Security Manager
    was enabled by using the -Dweblogic.security.manager property when
    starting WebLogic Server. Please note the change in the property for
    WebLogic Server version 6.0 and greater.
    The Java Security Manager uses a security policy file that defines
    permissions. The full pathname of security policy is specified in the
    -Djava.security.policy property when starting WebLogic Server. If you
    enable the Java Security Manager but do not specify a security policy
    file, the Java Security Manager uses the default security policies
    defined in the java.security and java.policy files in the
    $JAVA_HOME/lib/security directory.
    WebLogic Server includes an example security policy file named
    weblogic.policy. This file contains a set of default permissions.
    You need to make the following edits to the file in order to use the
    file with your WebLogic Server deployment.
    1. Edit the following lines in the weblogic.policy file, replacing the
    specified location with the location of your WebLogic Server
    installation:
    grant codebase "file://BEA/-"{
    permission java.io.FilePermission "D:${/}BEA${/}=", ...
    Note: This change assumes your installation directory structure is the
    same as the one described in the BEA Home Directory topic in the BEA
    WebLogic Server Installation Guide.
    2. If you want to run the Administration Console, add the following
    grant block and permissions to the weblogic.policy file:
    grant {
         permission java.io.FilePermission "D:${/}BEA${/}wlserver600${/}weblogic${/}management${/}console${/}-", "read";
         permission java.io.FilePermission "D:${/}BEA${/}wlserver600${/}config${/}mydomain${/}applications${/}.wl_temp_do_not_delete${/}weblogic${/}management${/}console${/}-", "read";
         permission java.util.PropertyPermission "user.*", "read";
    };
    3. If you have extra directories in your CLASSPATH or if you are
    deploying applications in extra directories, you need to add specific
    permissions for those directories to your weblogic.policy file.
    BEA also recommends taking the following precautions:
    - Make a backup copy of the weblogic.policy file and put the backup
    copy in a secure location.
    - Set the permissions on the weblogic.policy file such that the
    administrator of the WebLogic Server deployment has write and read
    privileges and no other users.
    To use the Java Security Manager and the weblogic.policy file with
    your WebLogic Server deployment, use the following properties when
    starting WebLogic Server:
    $java... -Djava.security.manager \
    -Djava.security.policy==D:/BEA/wlserver600/lib/weblogic.policy
    For more information about the Java Security Manager, see the Javadoc
    shipped with Java 2.
    The RecordingSecurityManager utility can be used to detect permission
    problems that occur when starting and running WebLogic Server. The
    utility outputs permissions that can be added to your security policy
    file to resolve the permission problems that the utility finds. The
    RecordingSecurityManager is available at the BEA Developer's Center.
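
An added example, not part of either post or of the BEA release notes, that reproduces the permission check behind the AccessControlException in the question: a FilePermission path ending in "/-" covers everything below a directory recursively, but not the directory itself. The class name and the files below the install root are constructed for illustration; the install root is the one from the question, and a Unix-style path separator is assumed.

```java
import java.io.FilePermission;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class FilePermissionScope {
    // Install root from the question; paths below it are constructed samples.
    static final String HOME = "/usr/home/bea/wlserver6.0";
    static final String FULL = "read,write,delete,execute";

    /** Returns the targets for which the granted set does NOT imply "read". */
    static List<String> deniedReads(Permissions granted, List<String> targets) {
        List<String> denied = new ArrayList<>();
        for (String target : targets) {
            if (!granted.implies(new FilePermission(target, "read"))) {
                denied.add(target);
            }
        }
        return denied;
    }

    public static void main(String[] args) {
        // What the server touches: the root itself (File.exists in the stack
        // trace), a subdirectory, and a file two levels down.
        List<String> targets = Arrays.asList(
            HOME, HOME + "/lib", HOME + "/lib/weblogic.jar");

        Map<String, Permissions> candidates = new LinkedHashMap<>();

        // As posted: recursive grant below HOME only.
        Permissions asPosted = new Permissions();
        asPosted.add(new FilePermission(HOME + "/-", FULL));
        candidates.put("HOME/- (as posted)", asPosted);

        // "/*" is narrower still: direct children only, no recursion.
        Permissions childrenOnly = new Permissions();
        childrenOnly.add(new FilePermission(HOME + "/*", FULL));
        candidates.put("HOME/*", childrenOnly);

        // Corrected: add read on the directory itself and keep the recursive
        // grant unchanged, so nothing beyond the missing check is widened.
        Permissions corrected = new Permissions();
        corrected.add(new FilePermission(HOME, "read"));
        corrected.add(new FilePermission(HOME + "/-", FULL));
        candidates.put("HOME (read) + HOME/-", corrected);

        for (Map.Entry<String, Permissions> e : candidates.entrySet()) {
            System.out.println(e.getKey() + " -> denied reads: "
                + deniedReads(e.getValue(), targets));
        }
    }
}
```

In policy-file syntax the corrected set corresponds to one extra line beside the posted one: `permission java.io.FilePermission "${/}usr${/}home${/}bea${/}wlserver6.0", "read";`.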

  • VNIC Placement Policy for VMWare

    I'm setting up a new UCS system to run ESXi 5.0 and would like to set up the service profile so that the vNICs get placed in a particular order. I've looked at the vNIC/vHBA placement policy and I think that between this and the service profile this is where I want to configure the required placement. What I'm not sure of is how to configure the placement policy for optimal efficiency.
    I have a VIC 1280 card in each B230 M2 blade. I have 12 vNICs (6 on Fabric A and 6 on Fabric B) that I'm creating for the various networks (Prod, DMZ, Management, vMotion, etc...) on each server. When I look at my current vNIC placement on one of the ESXi hosts where I let the system place the vNICs it looks like they are all on vCon1.
    Shouldn't my vNICs be split across the vCons? If so how should I split them? Any best practices or suggestions on how I should configure my placement?
    Thanks.

    This question has been answered pretty heavily here on CSC and on other blogs - so I won't go into great detail.
    In short:
    vCons refer to Adapters. One adapter (1280) = 1 vCon.
    PCI ordering is managed within the vCon by vNIC/vHBA placement Policy.
    Regards,
    Robert

  • Archivelog deletion policy  for GG

    Hi All,
    We have GG on one of the databases.
    The archivelog is getting deleted before it is applied to GG. The archivelog needs to be restored manually for GG to work properly.
    This is very frequent. Now every time the archivelog needs to be restored manually.
    As far as I know, there is an archivelog deletion policy for standby, which will not delete the archivelog until it is applied to standby.
    Is there any policy for GG so that an archivelog which is required by GG is not deleted by RMAN until it is applied to GG?
    Kindly suggest.
    Thanks,

    Hi,
    To ensure that RMAN retains all archive logs required by Oracle Golden Gate, when you add or register an Extract group in GGSCI with ADD EXTRACT (TRANLOG option) or REGISTER EXTRACT.
    You can configure Extract to retain enough logs through RMAN for a normal recovery by using the TRANLOGOPTIONS parameter with the LOGRETENTION option set to SR.
    You can read more about this feature in detail in the OGG Installation Guide on Oracle database, pages 58 & 59.
    Regards,
    RB

  • Password policy for 2003

    Experts,
    We have Windows Server 2003 domain functional level and the password policy is defined in the Default Domain Policy. Now our password policy does not have Max pswd age and min pswd age settings defined. So we want to test these settings.
    I created a new GPO and just defined those two policies and linked it to a test OU. Moved the required computer to that OU. I read computer should be in that OU and not the user. It is not getting applied. I have two questions:
    1. Even though those two settings are not defined in the default password policy, can we create a separate policy for that? Or do all password policy settings have to be defined in 1 GPO?
    2. Should the OU where we want to test this password policy contain the computer, the user, or both?
    Appreciate any help!!!!

    Hello,
    Password and account lockout settings MUST be configured on domain level. On an OU they do not have any effect for domain users logging on to domain machines. 3rd party tools may still exist that provide that option.
    For additional settings you need Windows Server 2008 or higher; then you can use Fine grained password policy settings for security groups and user accounts.
    http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Good exception handling policy for Java web application

    I'm looking for a good exception handling policy for Java web application. First I found this Java exception handling best practices - How To Do In Java which says that you should never catch the Throwable class nor use e.printStackTrace();
    Then I found this Oracle page The Message-Driven Bean Class - The Java EE 6 Tutorial, which does just that. So now I'm confused. Is there a good page online for an exception handling policy for Java EE Web applications? I have a hard time finding one. I've read that you should not catch the Exception class. I've been catching it previously to make sure that some unknown exception doesn't slip through early in the loop and stops all other customers from executing later on in the loop. We have a loop which runs once a minute implemented using the Quartz framework. Is it OK if you just change the implementation to catch the RuntimeException class instead of the Exception class? We're using Java 7 and the Jetty Servlet Container.

    I'm looking for a good exception handling policy for Java web application.
    If you have not done so I suggest you start by reviewing the several trails in The Java Tutorials.
    Those trails cover both HOW to use exceptions and WHEN to use them.
    This trail discusses the 'controversy' you mention regarding 'Unchecked Exceptions':
    http://docs.oracle.com/javase/tutorial/essential/exceptions/runtime.html
    Unchecked Exceptions — The Controversy
    Because the Java programming language does not require methods to catch or to specify unchecked exceptions (RuntimeException, Error, and their subclasses), programmers may be tempted to write code that throws only unchecked exceptions or to make all their exception subclasses inherit from RuntimeException. Both of these shortcuts allow programmers to write code without bothering with compiler errors and without bothering to specify or to catch any exceptions. Although this may seem convenient to the programmer, it sidesteps the intent of the catch or specify requirement and can cause problems for others using your classes.
    Why did the designers decide to force a method to specify all uncaught checked exceptions that can be thrown within its scope? Any Exception that can be thrown by a method is part of the method's public programming interface. Those who call a method must know about the exceptions that a method can throw so that they can decide what to do about them. These exceptions are as much a part of that method's programming interface as its parameters and return value.
    The next question might be: "If it's so good to document a method's API, including the exceptions it can throw, why not specify runtime exceptions too?" Runtime exceptions represent problems that are the result of a programming problem, and as such, the API client code cannot reasonably be expected to recover from them or to handle them in any way. Such problems include arithmetic exceptions, such as dividing by zero; pointer exceptions, such as trying to access an object through a null reference; and indexing exceptions, such as attempting to access an array element through an index that is too large or too small.
    Generally don't catch an exception unless you plan to HANDLE the exception. Logging, by itself, is NOT handling.
    First I found this Java exception handling best practices - How To Do In Java which says that you should never catch the Throwable class nor use e.printStackTrace();
    That article, like many, has some good advice and some poor or even bad advice. You get what you pay for!
    I've read that you should not catch the Exception class.
    Ok - but all that does is indicate that a problem of some sort happened somewhere. Not very useful info. Java goes to a lot of trouble to provide specific exceptions for specific problems.
    I've been catching it previously to make sure that some unknown exception doesn't slip through early in the loop and stops all other customers from executing later on in the loop.
    If the exception is 'unknown' then maybe it NEEDS to 'stop all other customers from executing later on in the loop'.
    That is EXACTLY why you don't want to do that. You need to identify which exceptions should NOT stop processing and which ones should.
    Some 'unknown' exceptions can NOT be recovered and indicate a serious problem, perhaps with the JVM itself. You can NOT just blindly keep executing and ignore them without risking data corruption and/or the integrity of the entire system Java is running on.
    Is it OK if you just change the implementation to catch the RuntimeException class instead of the Exception class? We're using Java 7 and the Jetty Servlet Container.
    No - not if you want a well-behaved system.
    Don't catch exceptions unless you HANDLE/resolve them. There are times when it makes sense to log the exception (which does NOT handle it) and then raise it again so that it gets handled properly later. Yes - I know that is contrary to the advice given in that article but, IMHO, that article is wrong about that point.
    If you have ever had to maintain/fix/support someone else's Java code you should already understand how difficult it can be to find WHERE a problem occurs and WHAT the exact problem is when exceptions are not handled properly.
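
    The distinction drawn in the answer above, as an added example that is not code from either poster or from the Oracle tutorial: a per-customer loop that continues only after a failure it knows how to handle, and logs and rethrows everything else. `CustomerBatch`, `CustomerDataException` and `process` are hypothetical names, and the customer ids are constructed sample input.

    ```java
    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.List;
    import java.util.logging.Level;
    import java.util.logging.Logger;

    public class CustomerBatch {
        private static final Logger LOG = Logger.getLogger(CustomerBatch.class.getName());

        /** Hypothetical checked exception: a failure limited to one customer. */
        static class CustomerDataException extends Exception {
            CustomerDataException(String msg) { super(msg); }
        }

        /** Hypothetical per-customer work; ids are constructed sample input. */
        static void process(String id) throws CustomerDataException {
            if (id.startsWith("bad-")) {
                throw new CustomerDataException("invalid record for " + id);
            }
            if (id.isEmpty()) {
                throw new IllegalStateException("empty customer id: programming error");
            }
        }

        /** Runs one pass and returns the ids that failed in a recoverable way. */
        static List<String> runOnce(List<String> customers) {
            List<String> failed = new ArrayList<String>();
            for (String id : customers) {
                try {
                    process(id);
                } catch (CustomerDataException e) {
                    // Handled: the failure is known to affect only this customer,
                    // so record it for retry/reporting and go on to the next one.
                    LOG.log(Level.WARNING, "skipping customer " + id, e);
                    failed.add(id);
                } catch (RuntimeException e) {
                    // Not handled here: log with context, then rethrow so the
                    // scheduler sees the run fail instead of a silent skip.
                    LOG.log(Level.SEVERE, "aborting run at customer " + id, e);
                    throw e;
                }
                // Error (e.g. OutOfMemoryError) is deliberately not caught at all.
            }
            return failed;
        }

        public static void main(String[] args) {
            System.out.println(runOnce(Arrays.asList("c1", "bad-c2", "c3")));
        }
    }
    ```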
