SCCM MP Account from accessing across untrusted domain

Similar Messages

• Can't access hotmail account from browser. cerficiate untrusted

  Can't access hotmail account from browsing, I tried to log into my hotmail account by visiting www.live.com and log into my account (add e-mail address and password) when sign in i get a message saying:There was a problem establishing asecure connection.( I get two tabs Details and Stop) I click on Detials I get another message saying: server Certificate Error. untrusted certificate,unable to determine the certificate origin, This has been disallowed by your administrator.. When i press on option Stop i get e message saying: refussing connection.This server has beed previously supporting HTTP Strict Transport Security. Due to SSL certificate warning/errors, a connection will not be made. Please could anybody help me.. I contact Vodafone they said it's microsoft issue then the latter said it's blackberry problem. i have tried everything nothing seems to work.. I don't want to register my hotmail account on my BB, but i want to access it through browsing as i do on my PC.. I will be really gratful.. thank you
  Solved!
  Go to Solution.

  Ggggrrrr, i really hope that's wrong, i would also be moving away from BB sharpish if that's the case. Hoping someone cleverer than me can come up with a solution, the BB manual certainly doesn't help. Like the first poster I have tried getting vodafone to help and also hotmail, both without success.

• Problem migrating account from one active directory domain to another. Using NetBIOS

  Hello,
  I'm migrating a Lion machine from one domain to another. When I try to join it to abc.example.com it joines it to 123.example.com in the list of domains. 123.example.com is the NetBIOS name of abc.example.com. This configuration does not work.
  What is even more strange, is if I go into the Open Directory Utility > Active Directory to set the create mobile account settings, once I apply the settings (or even if I don't apply the settings) when I get back to the list of domains, it show BOTH abc.example.com and 123.example.com as domains I am joined to. If I remove 123.example.com it removes abc.example.com.
  I've only seen this problem one other time and this was with a snow leopard machine that was not bound to AD. I upgraded it to Lion and tried to bind it, and had the exact same thing occur.
  I'm certain there is a "stuck" setting somewhere that is causing this. I have had successful snow leopard > lion upgrades work, and many lion machines joined to AD so this does work normally. Just not sure whats wrong or really where to look.
  The OS is fully patched and updated to the current version.
  Any thoughts?

  Case 1:
  Here you can written pre-update event handler which will check whether minor and major org code changed or not.
  If changed then first starts de-provisioning and then start provisioning.
  If not changed then do nothing.
  This approach will not transfer accounts from one domain to another but it will create fresh accounts and remove accounts from old domain.
  Case2:
  If you want to transfer accounts from one domain to another in that on pre-update you have to change OU of user on process which automatically move to another domain.
  but not sure about exchange it is possible to move to another domain.
  hopping that all domains under same forest otherwise same Connector Sever will not work.

• To Restrict SQL account from accessing Sql server via SSMS

  Hi All,
  We are planning to tighten the security of our SQL Server.
  In the initial phase, we want to restrict all the SQL accounts(except sa) from accessing SQL Server via SSMS
  Since the SQL passwords are used in the connection strings(plain text) of our .NET Applications, developers are able to see it and they are accessing SQL server through SSMS with the credentials in the connection string.
  The requirement is, SQL accounts should only be accessing the databases through .NET applications and not through any other applications like SSMS, SQLCMD...etc
  1) We tried "Logon Trigger", but later we came to know that there is security breach in it.
  2) Application Roles - Password is plain text, again back to square one.
  We are looking for an alternate. Please share some ideas.
  Thanks & Regards,
  K.P.Senthil Kumar

  The basic presumption here is that there is on way you can tie a connection to an application as such. There is app_name(), but since this is passed from the application, the application can call itself whatever you want.
  As long as it is only a matter of keeping business users out, you can solve the issue with some three-tiered solution. Either by having a true middle layer, or just having a web server, or the application running on Terminal Server or Citrix.
  But you want to keep the developers out who work with the code. That makes it difficult to lock them out of the middle layer.
  Then again, you say "our SQL Server" is that singular? Don't you have more than one SQL Server? One for developement, one for test and one for production? If you only want to keep the devs out from development, you have different usernames
  and password for different environments, and they are read from config files. The config files for production should be well-protected.
  By the way, only permitting sa from logging in from SSMS is bad idea. Rather, you should disable sa, and everyone should log in with their individual Windows account. And those who should perform system-administration tasks should be member of sysadmin.
  Erland Sommarskog, SQL Server MVP, [email protected]

• How to prevent guest account from accessing my admin account files/documents?

  I have an iMac 21" running OS 10.6.8.    I have a guest account set up in addition to my own administrators account.  When I log on as a guest, I am able to access all of the file documents on my computer, including the ones created on my administator's account.  These are files I do not want a guest to be able to access.  My question is how to change the settings so these do not show up when logged in to the guest account.  I have tried changing Finder Preferences in the guest account - this can be easily changed back by the guest user, and the settings also revert back after I log out.  In the admin account I checked System Preferences settings - the only thing on is printer and bluetooth sharing.  Any suggestions would be appreciated.

  Here's a way to reset the Home folder permissions and ACLs posed by Linc Davis that may do the job. 
  Linc Davis
  Re: Reset Home Folder Permissions and ACLs not working?
  This helped meRe: Reset Home Folder Permissions and ACLs not working?
  Apr 30, 2014 10:06 PM (in response to plcmms)
  Triple-click anywhere in the following line on this page to select it:
  { sudo chflags -R nouchg,nouappnd ~ $TMPDIR..; sudo chown -R $UID:staff ~ $_; sudo chmod -R u+rwX ~ $_; chmod -R -N ~ $_; } 2>&-
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  Launch the built-in Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
  Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting.
  You'll be prompted for your login password. Nothing will be displayed when you type it. You may get a one-time warning to be careful. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
  The command may take a few minutes to run, or perhaps longer if you have literally millions of files in your home folder. Wait for a new line ending in a dollar sign ($) to appear, then quit Terminal.
  Here's another way to do the same thing but this time when booted into the Recovery volume:
  You may need to rebuild permissions on your user account. To do this,boot to your Recovery partition (holding down the Command and R keys while booting) and open Terminal from the Utilities menu. In Terminal, type:  ‘resetpassword’ (without the ’s), hit return, and select the admin user. You are not going to reset your password. Click on the icon for your Macs hard drive at the top. From the drop down below it select the user account which is having issues. At the bottom of the window, you'll see an area labeled Restore Home Directory Permissions and ACLs. Click the reset button there. The process takes a few minutes. When complete, restart.

• SID only shows up when adding a domain user account from an external trusted domain

  This is sort of an interesting situation which may wind up being more of a network port not being open.
  There are two Windows 2008 R2 domains, AlphaCo and BravoCo, that have an external one-way trust setup between them where AlphaCo trusts BravoCo. The member servers on the AlphaCo domain have BravoCo users added to it's local groups. The problem is on one
  of the member servers (SRV-05) on the AlphaCo domain. When any user from the BravoCo domain is added to the local Administrators group it will show up when doing a search with the "friendly name" but when you click on "Apply" and/or "OK"
  it changes to the SID. This only happens on the SRV-05 server. The other member servers on the AlphaCo domain (SRV-01, 02, 03, 04, 06) are not having this issue.
  Any idea what may be causing this user identity crisis and what could be done to resolve it?

  There are no other differences between SRV-05 and the other members servers on the AlphaCo
  domain (SRV-01, 02, 03, 04, 06). I did download and run the PortQryUI tool to check the status of port 135 on SRV-05
  and the other servers which came back with the same results. I also checked the
  AlphaCo domain
  security settings (Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options) Network access: Allow anonymous SID/Name translation which was disabled. But I do not believe this is the cause since
  it would impact the other servers (SRV-01, 02, 03, 04, 06) in the domain.

• Is it recommended practice to add SCCM service accounts to the Domain Admins group?

  I am working with an external consultant that is recommending that all of the SCCM service accounts be added to the Domain Admins group.  I am not the SCCM engineer, I am the AD guy, this is the reason I am questioning this methodology.  I have
  read several articles that seem to provide the appropriate configuration options for all of the SCCM accounts so I see no need to allow these accounts to have Domain Admin level access to the environment.  I don't see a reason for ANY of the service accounts
  to have Domain Admin, let alone all of them.  I have referenced several TechNet articles but there does not seem to be definitive guidance around this.  Could anyone assist with settling this?  Thanks in advance.

  No, there's absolutely no reason for the service accounts to be domain admins.
  All of the required service accounts used in a SCCM environment can be given the proper permissions given their purpose.
  Example: Join Domain Account can be given the permissions to join computer objects in the very specific OU in AD, and nothing else.
  Network Access Account only need read access to your distribution points.
  Client Push Account needs local administrative permissions on your clients.
  What i'm trying to say is. None of any of the service accounts needs to be domain admin. Hope that helps.
  Martin Bengtsson | www.imab.dk

• IPhone stopping Outlook from accessing the servers

  A newly purchased iPhone 4 (VZW) is blocking the PC outlook account from accessing the mail servers.  All of server info is correctly entered inot the phone and for some reason the phone applications are stopping the PC from accessing the accounts.  The only way currently to get all of the messages onto the PC is to either make the accounts inactive or to turn off the phone completely.  I beleive that it is a specific phone issue because their are others that are also using iPhones to access their mail accounts without problems.  The other odd thing is that it is not just one POP account but two different POP accounts that are having issues.  Yet the hotmail POP account is fine? 
  Any thought or insights are great appreciated. 

  What do you mean by "blocking PC Outlook from accessing the serves"?  What error message do you get from Outlook?  There's no way the iPhone, or any other cell phone, can "block" anything on your PC. 
  If these are POP accounts and you downloaded mail on the phone BEFORE accessing on your computer, the emails were already deleted from the server and there's nothing left to download on your computer.  That's the problem when using POP accounts with multiple clients.
  You can try to avoid this by:
  Settings > Mail.... > (your account) > Advanced > Delete from server > Never
  However this doesn't always work with POP servers, and emails get deleted anyway.  Also, if it does work, you may end up re-downloading  messages to your phone that you deleted on the phone.  The optimal solution for multiple clients is to use IMAP or Exchange accounts.
  Message was edited by: modular747

• SCCM 2012 R2 - Distribution Point untrusted domain - Not acknowledging Network Access Account (FYI)

  Hello!
  Scenario
  Built a single primary site server in one domain with multiple distribution points. All site servers are member of this one site.
  The distribution points in the primary site servers' domain function as expected. The distribution point deployed to an untrusted domain does not. The primary site server can see all objects in the domain, publishes successfully, and CCM client on the
  DP in the untrusted domain knows its part of the site, knows its AD site (according to locationservices.log). The DP role is installed properly, logs are populating, queries are being made for application lists and updates. nfortuantely authentication
  errors indicate that this software can'tbe downloaded.
  In essence the DP in the untrusted domain can't pull down content from the primary site server. The role uses BITS to download content from IIS on the primary site server, but the requests each throw a 401 error. Unauthorised. This should be an easy fix.
  Create a Network Access Account in the primary site server's domain, assign it to the site (Software Distribution setting), wait for the DP to pick up the setting and watch it retrieve its content. The DP in the untrusted domain is configured as a Pull DP,
  implying it has to use a Network Access Account to download content. It knows the content is available and makes every effort to download it.
  Problem
  The DP in the untrusted domain doesn't know a Network Access Account (NAA) has been defined for the site.
  The account does exist, created in the primary site server's domain and assigned to the site. Its not a password issue. IIS has not been set for Anonymous access as this isn't needed - the NAA should provide the credentials it requires to pull down content.
  A manual check using the URL of the package confirms the package is accessible from the DP when using the NAA's credentials. I've allowed enough time (i think) for the DP to acknowledge the NAA. For fun the DP role was removed, and the CCM agent removed. Both
  were reinstalled. A fresh install didn't detect the NAA.
  Solution
  After some soul searching and a little frustration, it came down to this: A Pull DP always uses the Network Access Account. If the DP can't find a Network Access account it will fail to pull down content. This is undisputed. Found an article that states
  the Pull DP always uses the CCM client configuration to do its dirty work. At that point the CCM client was checked. It had the classic problem of only displaying two Actions - Machine Policy Retrieval & Evaluation Cycle, User policy Retrieval & Evaluation
  Cycle. Most components were installed but not enabled. This is fairly common. Looked at the console, found the device, added the Approval column. Turns out it wasn't auto-approved. Reason being that the client is in an untrusted domain and clients in untrusted
  domains aren't approved automatically (by default).
  In this case something as simple as an Approving the client fixed these issues. 
  The DataTransferService.log highlights the issue:
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="1" thread="3136" file="dtsjob.cpp:3501">
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' URL='http://PRIMARYSERVER.A.B.COM:80/SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68'
  ProtType=1]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3504">
  <![LOG[Authentication required by the proxy, DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="3" thread="3136" file="dtsjob.cpp:3513">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} in state 'Cancelled'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.h:166">
  <![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job
  {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="2" thread="3136" file="dtsjob.cpp:3652">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.cpp:3205">
  <![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1"
  thread="3136" file="netaccessaccount.cpp:288">
  <![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context=""
  type="1" thread="3136" file="netaccessaccount.cpp:858">
  <![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account
  (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
  The IIS server logs u_ex150219.log captures the request:
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 2 5 1509 2
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 4
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 3
  2 x Domains: DomainA and DomainX
  - Single domain forests
  - No trusts between domains/forests
  DomainA\PRIMARYSERVER
  - Primary Site Server, MP, DP, IIS, all roles
  DomainX\DP1
  - Distribution Point, IIS, etc
  - CCM client installed

  Based on the above, you are using a PullDP. If so, have you installed the client agent on this system? The client agent is required on PullDPs in untrusted domains so that they can acquire the NAA.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication" on SQL Server 2008 R2 Enterprise Edition 64-bit SP2 clustered instance

  Hi there,
  I have a Windows 2008 R2 Enterprise x64 SP2 cluster which has 2 SQL Server 2008 R2 Enterprise Edition x64 SP2
  instances.
  A domain account "Domain\Login" is administrator on both physcial nodes and "sysadmin" on both SQL Server instances.
  Currently both instances are running on same node.
  While logging on to SQL Server instance 2 thru "Domain\Login" using "IP2,port2", I get error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication". This happened in the past
  as well but issue resolved post insatllation of SQL Server 2008R2 SP2. This has re-occurred now. But it connects using 'SQLVirtual2\Instance2' without issue.
  Same login with same rights is able to access Instance 1 on both 'SQLVirtual1\Instance1' and "IP1,port1" without any issue.
  Please help resolve the issue.
  Thanks,
  AY

  Hello,
  I Confirm that I encountred the same problem when the first domain controller was dow !!
  During a restarting of the first domain controller, i tried to failover my SQL Server instance to a second node, after that I will be able to authenticate SQL Server Login but Windows Login returns Error 18452 !
  When the firts DC restart finishied restarting every thing was Ok !
  The Question here : Why the cluster instance does'nt used the second DC ???
  Best Regards     
  J.K

• Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

  Hello,
  I have gone through couple of posts regarding this issue but couldn't get the right solution. Could you please help what exactly we are missing here.
  Details:
  1) we have two SQL instances on one standalone machine (Default Instance (2008 SP3) + Named Instance (SQL 2012 SP1))
  2) Both instances are configured to accept SQL+ Windows authentication.
  3) when we give access to our users they are getting following exception if they connect with 'windows authentication'. (For both instances)
  Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
  Note: (Being a sys + windows admin I'm able to connect both the instances from same client machine without
  any issues)
  4) Also, we observed following error in windows application event log,
   SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
  The logon attempt failed   [CLIENT: 192.168.xxx.xyx]
  5) If we create SQL login it is working fine without any issues.
  Could someone guide/help  me identifying and fixing this issue.
  Thank you

  Hello,
  Are those Windows Logins associated to domain Windows accounts? Windows Logins work for domain accounts and local Windows account created on the server where the SQL Server instance is installed (and used to login locally to the server).
  Could you try to delete one of the Windows logins that fail to login , and try to recreate them?
  The following resources may help:
  http://blogs.msdn.com/b/dataaccesstechnologies/archive/2012/12/19/error-message-quot-login-failed-the-login-is-from-an-untrusted-domain-and-cannot-be-used-with-windows-authentication-quot.aspx
  http://support.microsoft.com/kb/555332
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• ACS forwarding from untrusted domain 0x80090325 SEC_E_UNTRUSTED_ROOT

  I have SCOM 2012 R2 Update Rollup 4 installed with 2 management servers running WS12R2 in a single management group in my main AD domain. One of the management servers is also an ACS collector. I have an untrusted AD domain, with a SCOM gateway server in
  it, and I used the gateway to install a SCOM agent on a domain controller in that domain. Now I am trying to configure an ACS forwarder on that untrusted domain controller to talk to the ACS collector back on the management server.
  However, when I restart the
  Microsoft Monitoring Agent Audit Forwarding service on that domain controller, I get this error in its
  Event Viewer > Apps and Services > Operations Manager:
  1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
  <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: <IP>:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machinef(s)
  listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer
  on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows
  directory.
  I followed these two articles in order to set up the ACS forwarder on the DC in the untrusted domain: "How to configure security events collection by using Audit Collection Services from computers in untrusted environment?" {1/3/12}https://gefufna.wordpress.com/2012/01/03/how-to-configure-security-events-collection-by-using-audit-collection-services-from-computers-in-untrusted-environment/ "Forwarder
  is unable to connect to collector Event id 4369 in forwarder event view" {5/5/14}
  http://jimmy-scom.blogspot.com/2014/05/forwarder-is-unable-to-connect-to.html
  EXTRA INFO Here are the detailed steps that I took (sorry for all this, but there are an awful number of steps!):
  1) I confirmed that the agent for the DC shows as Healthy in OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (right) pane.
  2) On the ACS collector, I stopped
  Operations Manager Audit Collection Service, then from Admin cmd prompt I did this:
  c:> cd \windows\system32\security\adtserver
  c:> adtserver –c
  } 1 certificates found for server authentication usage.
  Enter the number of the certificate you want AdtServer to use for authenticating to AdtAgent or 0 to quit without saving: 1
  Certificate 1 selected. Attempting to save thumbprint to registry ...
  success.
  Then I started
  Operations Manager Audit Collection Service.
  3) On the DC in the untrusted domain, from Admin cmd prompt I did this:
  c:> cd c:\windows\system32
  c:> adtagent -c
  } No  Issued To                   Issued By                   Expires   
  Thumbprint
   1: <untrustedDCfqdn> <untrustedDomainCA>             2015-11-30 02:44:58    <thumbprint>
  2 certificates found for client authentication usage.
  Enter the number of the certificate you want AdtAgent to use for authenticating to AdtServer or 0 to quit without saving: > 1
  } Certificate 1 selected. Attempting to save thumbprint to registry… success.
  4) On the DC in the untrusted domain, I opened mmc > Certificates > Local Computer > Personal > Certificates > I exported the certificate from step 3 to a DER encoded binary X.509 (.CER) file.
  5) I also looked at the Certification Path for the certificate, and figured out which certificate is its Root CA certificate. I copied that certificate to a DER encoded binary X.509 (.CER) file.
  6) I copied the first .CER file to a computer in my main domain, which is at 2012 R2 level. From AD Users and Computers, I created a "dummy" computer object using the NetBios name of the DC back on the untrusted domain. I right clicked the computer
  object > Named Mappings > I added the .CER file, and left "Use Subject for alternate identity" checked. I unchecked "Use Issuer for alternate security identity".
  7) I copied the Root CA certificate .CER file over to the SCOM management server that doubles as my ACS collector, and from there I did mmc > Certificates > Local Computer > Trusted Root Certificates > Certificates > I imported the Root
  CA certificate.
  8) I also went to my CA server on my main domain, I ran pkiview.msc > right clicked “Enterprise PKI” > Manage AD Containers > NTAuthCertificates tab > and I imported the Root CA certificate there as well.
  9) I ran telnet from the DC on the untrusted domain, and confirmed that port 51909 is open from there to the ACS collector on the main domain.
  10) I enabled audit collection fot the DC on the untrusted domain. I did this from OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (second column in middle pane) > I selected the Healthy <untrustedDCfqdn>
  > I clicked Enable Audit Collection.
  Then under "Task Parameters" > i clicked [Override] > for New Value I specified <ACScollectorFQDN>. For task credentials I specified Other account, and specified a domain admin account in the untrusted domain. The result was "The
  task completed successfully. Enable Audit Collection, status:Success".
  11) On the ACS collector, I restarted Operations Manager Audit Collection Service. On the DC in the untrusted domain I restarted Microsoft Monitoring Agent Audit Forwarding service.
  12) Result was this error on the DC in the untrusted domain, in its
  Event Viewer > Apps and Services > Operations Manager
  1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
  <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: 10.1.1.91:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machinef(s)
  listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer
  on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows
  directory.
  13) On the DC in the untrusted domain I created DWORD reg value
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters\TraceFlags and set it to 524420 decimal. The resulting c:\windows\temp\AdtAgent.log file only confirmed that I'm getting 0x80090325 errors.
  After all this, why am I getting 0x80090325, which translates to SEC_E_UNTRUSTED_ROOT ??? Did I do something wrong in steps 5, 7 and 8? Thanks for reading all the way through :)
  Marko

  Thanks Yan Li, you gave me an idea. I got the ACS forwarder in the untrusted domain to work (!), by analyzing the setup on the SCOM gateway that I set up in the untrusted domain. I issued the ACS forwarder a certificate from the domain that SCOM is in, INSTEAD
  of configuring the ACS forwarder to use the certificate that it already had from its own domain.
  So the new procedure is: do steps 1 and 2, then instead of step 3 I did this…
  2B) I issued a certificate from the AD domain containing SCOM to the domain controller in the untrusted domain that is my ACS forwarder. I did this from the AD Certificate Services web site, and asked it to use certificate template that I created for the
  SCOM gateway server in the untrusted domain.
  2C) The new certificate appeared in the Personal store of the domain controller. I exported it, then ran the MomCertImport utility so that I would not get an error in the next step (per
  http://www.systemcentercentral.com/scom-deployment-across-multiple-networks/)
  3) On the domain controller in the untrusted domain, I re-ran "adtserver -c", and selected the new certificate.
  3B) I then ran “MomCertImport /Remove”, since I already have a SCOM gateway in the untrusted domain.
  Then I proceeded with steps 4, skipped 5, did 6, skip 7-8, did 9-11, result was this on the DC in the untrusted domain, in its Event Viewer > Apps and Services > Operations Manager
  2/3/2015 12:20:01 PM Source AdtAgent Event ID 4368 Forwarder successfully connected to the following collector:
  <ACScollectorFQDN>:51909, status: 0x0 (success), source: registry
  addresses tried: <IPaddress>:51909
  ACS forwarding works now! I will confirm by repeating the procedure for another domain controller in the untrusted forest.
  Marko

• How can I access my iTunes account from my iPhone.

  1- I can't access my iTunes account from my iPhone.
  Do I have to sync them or can I download the songs I bought without connecting with my macbook?
  Last time i connected the two, all my music got deleted. Must have done something wrong, but have no idea how to prevent that from happening again.
  2- My "preferences" panel in iTunes, only shows apps and books, not music- Why?
  3- I can't save any music on iClod.

  hello. 
  i followed your link on how to delete content from all things Apple, and nothing removes books, movies, music... it just gives said device(s) the iCloud/download icon on top of the book, movie...  not sure what the 'hide' purchase actually does - after X'ing/hide, everything STILL appears across all devices using that account.  could you clarify this any further?
  if i am understanding iTunes correctly, then EVERYTHING we download (free or purchased) will be FOREVER accessible with zero way for us to control what is filling up this mysterious vault called the cloud?  (creepy- apple is keeping EVERYTHING, what happens when the cloud gets full?)
  since we have iCloud.com and it shows our "stuff" that we iCloud sync from our devices such as notes, contacts, calendar... then why doesn't apple provide an iCloud.com tab that shows ALL of our purchases so we as CONSUMERS control/delete what is in our account? 
  we download ALOT of apps to try and then delete them off our devices.  that works fine, but movies and books are always there.  maybe a glitch?

• How to restrict users working on Windows 7 clients from accessing Windows Explorer and other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2

  Dear All,
  We are having an infrastructure setup of around 500 client computers managed through group policy.
  Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
  Since this account requires extremely strict environment, we need to figure the solution for restricting the users from access anything locally.
  It would be great if you can assist me with the following query.
  How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
  Can we disable Network Tab on the left hand pane ?
  explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.

  >   * explorer.exe is blocked already, but users are able to enter the
  >     Windows Explorer by clicking on the name which is visible on the
  >     Start Menu.
  You cannot block explorer.exe when you do not replace the shell - the
  desktop you see effectively IS explorer.exe...
  Your requirement sounds like you need a custom shell:
  http://gpsearch.azurewebsites.net/#2812
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Prevent Active Directory Parent Domain Admins from accessing Child Domain

  We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
  Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
  Thanks in advance for input and advice!
  Best regards.

  Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. we have parentdomain.com
  parent.parentdomain.com
  child1.parentdomain.com
  child2.parentdomain.com
  child3.parentdomain.com
  We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
  1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
  2.) Promote a Child.parentdomain.com user to Enterprise Admin?
  Thanks sorry for the confusion.
  Ah ok.
  Yes, you can. the answer is the same basically. The group membership is what counts. So in the child domain, remove the enterprise admins group from the child domain admins groups. OR make sure the domain admins of the forest root are not members of the
  enterprise admins group. that way they are still only admins in the parent domain.
  It is really only depending on group members ship and including those groups in the child domain. by default the enterprise group is included for example, but nothing stops you from removing those groups.
  based on the group membership you can also deny them the ability to log on.
  the only thing you cannot prevent is the forest administrator account from doing something.
  One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in.