Security Settings on Domain Node in Users and Computers
When I open Active Directory Users and Computers (dsa.msc) and right click on the domain node (top node of the tree) and select Properties, there is a security tab with the usual dialog for setting permissions.
I assume the Domain Administrator account, Domain Admins, and Enterprise Admins should have full control. But what other groups or users should have what permissions? Are the permissions I set here applicable only to the folders and OUs in the tree? Why would anyone but Domain/Enterprise Admins need permissions to these objects?
Are there any KB articles or best practices that offer guidance regarding how to set permissions here?
Hi,
Thanks for your posting.
Please check the following articles,
Security Groups
http://technet.microsoft.com/en-us/library/cc960640.aspx
Managing Domain Users and Groups
http://technet.microsoft.com/en-us/library/cc759353(v=ws.10).aspx
http://ss64.com/nt/syntax-groups.html
Regards.
Vivian Wang
Similar Messages
-
Enable the UAC settings for Domain Controller / Member servers and for end user systems
Hi
We are working on hardening the security for all Domain Controllers / Member Servers and end user systems. As part of it we would like to know the best practice for UAC settings for each of these servers. There are 8 settings related to UAC, and as of now we have configured just "User Account Control: Behavior of the elevation prompt for standard users" as disabled for the servers OU. We are also not sure about the other settings and how they affect normal operations such as installing Windows updates / applications through SCCM or manually on servers or end user systems, and other things.
We are looking for experts' opinions on this. Thanks in advance
LMS
Hi LMS,
Would you please let us know the current situation? Just check if Martin’s suggestion was helpful for you.
If there are any updates, please feel free to let us know.
In addition, please refer to the User Account Control grouping in the following article. It provides links about the different UAC settings. Please click those links and read the related articles. These articles provide security considerations that may help you configure those settings.
Security Options
http://technet.microsoft.com/en-us/library/jj852268.aspx
Hope this helps.
Best regards,
Justin Gu -
How to create "folders" in Active Directory Users and Computers?
Hello Community
In Windows Server 2008R2, when you go to Active Directory Users and Computers you will see icons of folders such as:
- Builtin has a folder icon
- Computers has a folder icon
- ForeignSecurityPrincipals has a folder icon
- Domain Controller has a folder icon
- Managed Service Accounts has a folder icon
- Users has a folder icon
All of the above folders are visually identical.
If you right click and select “File” – “New” on any of the selections, the icon will not look like the folder icon; they have their own icons which look different from the "Folder" icon.
I would like to create a “Folder” that looks visually exactly like the ones mentioned above. How can I create those types of folders in Active Directory Users and Computers?
Note: I would like to put users in the folders.
Thank you
Shabeaut
Hi,
you should use OUs (an OU is the type of object (folder) that is available for you to easily create).
The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
Refer: Delegating Administration by Using OU Objects
http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx
and the sub-articles:
Administration of Default Containers and OUs
http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
Delegating Administration of Account and Resource OUs
http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Active directory users and computers wont start on a dc, "the server is not operational"
In our environment, we have 3 DCs:
two which run Server 2008 (they work perfectly)
and one never off branch DC that runs Server 2008 R2.
We have been having some problems where we feel the replication isn't up to speed (stuff could take up to 24 hours to replicate), and now when I tried opening Active Directory Users and Computers I am met with this error window:
We have a third party DNS solution.
How do I troubleshoot this issue?
dc01 (which replicates perfectly with dc02, and vice versa)
dcdiag /test:dns
C:\Users\adminuser>dcdiag /test:dns
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Hostingpartner\ourdc01
Starting test: Connectivity
......................... ourDC01 passed test Connectivity
Doing primary tests
Testing server: Hostingpartner\ourdc01
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : int
Running enterprise tests on : int.domain.com
Starting test: DNS
Test results for domain controllers:
DC: ourdc01.int.domain.com
Domain: int.domain.com
TEST: Delegations (Del)
Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
Summary of test results for DNS servers used by the above domain controllers:
DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
2 test failures on this DNS server
Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: int.domain.com
ourdc01 PASS PASS PASS FAIL n/a PASS n/a
......................... int.domain.com failed test DNS
dcdiag on dc01(which can replicate with dc02)
C:\Users\adminuser>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: hostingpartner\ourdc01
Starting test: Connectivity
......................... OURDC01 passed test Connectivity
Doing primary tests
Testing server: hostingpartner\ourdc01
Starting test: Replications
[Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
Win32 Error 8453.
......................... OURDC01 failed test Replications
Starting test: NCSecDesc
......................... OURDC01 passed test NCSecDesc
Starting test: NetLogons
[OURDC01] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... OURDC01 failed test NetLogons
Starting test: Advertising
......................... OURDC01 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... OURDC01 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... OURDC01 passed test RidManager
Starting test: MachineAccount
......................... OURDC01 passed test MachineAccount
Starting test: Services
......................... OURDC01 passed test Services
Starting test: ObjectsReplicated
......................... OURDC01 passed test ObjectsReplicated
Starting test: frssysvol
......................... OURDC01 passed test frssysvol
Starting test: frsevent
......................... OURDC01 passed test frsevent
Starting test: kccevent
......................... OURDC01 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:04:29
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:04:50
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:10:56
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:11:17
(Event String could not be retrieved)
......................... OURDC01 failed test systemlog
Starting test: VerifyReferences
......................... OURDC01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : int
Starting test: CrossRefValidation
......................... int passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... int passed test CheckSDRefDom
Running enterprise tests on : int.domain.com
Starting test: Intersite
......................... int.domain.com passed test Intersite
Starting test: FsmoCheck
......................... int.domain.com passed test FsmoCheck
The problematic dc03:
Dcdiag gives the same output as dcdiag /test:dns
C:\Users\adminuser>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = OURDC03
Ldap search capabality attribute search failed on server NTSDC03, return
value = 81
We have an infoblox dns server on ip address xxx.y.y.251.
first error in event logs on dc03:
error 1863
This is the replication status for the following directory partition on this directory server.
Directory partition:
CN=Configuration,DC=int,DC=domain,DC=com
This directory server has not received replication information from a number of directory servers within the configured latency interval.
Latency Interval (Hours):
24
Number of directory servers in all sites:
2
Number of directory servers in this site:
2
The latency interval can be modified with the following registry key.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
I have also got several warnings: 2088, 2093, 2087.
And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones -
Hide all except one object in Active Directory Users and Computers.
Hello,
I have a question. I need to allow one group of "administrators" to create users in one OU and add computers to the domain, nothing else. I allowed them to log on to the DC using the GPO "Allow log on locally", because I don't want to give them administrator rights, I allowed them to do these operations on one OU through the delegation wizard, and now I need to make all OUs, groups etc. invisible to them except this OU. What is the best way to achieve this? Thank you...
d.
I would disable the ability to allow them to login. I suggest to create a Computers OU that you can delegate to the "admins" to add computers, and don't use the default Computers container.
I assume the admins are using Windows 7 or newer. You can customize an RSAT installation to just provide the ADAC.
Description of Remote Server Administration Tools for Windows 7:
http://support.microsoft.com/default.aspx/kb/958830
Remote Server Administration Tools for Windows 7:
http://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx
Remote Server Administration Tools for Windows 7
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
Customizing - Installing Remote Server Administration Tools (RSAT) for Windows 7
http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm
Or if you want to chop it down and control it further, create a custom ADUC with just that OU you've delegated. I've done this in the past and worked fine for my customer:
Delegate an Organizational Unit (OU) in Active Directory Users and Computers (ADUC), then create a custom MMC or customized RSAT
http://blogs.msmvps.com/acefekay/2014/09/04/delegate-an-organizational-unit-ou-in-active-directory-users-and-computers-aduc-then-create-a-custom-mmc-or-customized-rsat/
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
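One way to review what the delegation discussed in this thread actually granted on the OU, as an added example that is not code from the thread or from Microsoft: it classifies each Allow ACE held by the delegated group and reports whether the ACE was inherited from a parent such as the domain node. The group name `INT\OU-Operators`, the function name `Get-DelegationFinding`, the OU path in the comment and the sample ACEs are constructed, and the policy it checks (broad rights are acceptable only when limited to descendant user or computer objects) is an assumption.

```powershell
# Added example: review what a delegated group can do on an OU.
# 'INT\OU-Operators' and the sample ACEs below are constructed for illustration.

# schemaIDGUID of the object classes the delegation is meant to cover.
$AllowedClasses = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
}
$AllClasses  = '00000000-0000-0000-0000-000000000000'   # ACE is not limited to one class
# Rights that let the holder take over objects or rewrite their permissions.
$BroadRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

function Get-DelegationFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Ace,
        [Parameter(Mandatory)] [string] $Delegate
    )
    process {
        # Only Allow ACEs held by the delegated group are of interest.
        if ("$($Ace.IdentityReference)" -ne $Delegate) { return }
        if ("$($Ace.AccessControlType)" -ne 'Allow')   { return }

        $rights  = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
        $objType = "$($Ace.ObjectType)".ToLower()
        $inhType = "$($Ace.InheritedObjectType)".ToLower()
        $reasons = @()

        # For CreateChild/DeleteChild, ObjectType names the child class concerned.
        if (($rights -contains 'CreateChild' -or $rights -contains 'DeleteChild') -and
            -not $AllowedClasses.ContainsKey($objType)) {
            $reasons += 'create/delete of child objects other than user or computer'
        }

        # Assumed policy: broad rights are acceptable only when InheritedObjectType
        # limits the ACE to descendant user or computer objects.
        $broad = @($rights | Where-Object { $BroadRights -contains $_ })
        if ($broad.Count -gt 0 -and -not $AllowedClasses.ContainsKey($inhType)) {
            $reasons += "$($broad -join '/') not limited to user or computer objects"
        }

        [pscustomobject]@{
            Identity  = "$($Ace.IdentityReference)"
            Rights    = $rights -join ', '
            Inherited = [bool]$Ace.IsInherited   # True: set on a parent, e.g. the domain node
            Finding   = if ($reasons.Count) { $reasons -join '; ' } else { 'expected' }
        }
    }
}

# Constructed sample ACEs shaped like the objects in (Get-Acl).Access.
$user     = 'bf967aba-0de6-11d0-a285-00aa003049e2'
$computer = 'bf967a86-0de6-11d0-a285-00aa003049e2'
$sampleAcl = @(
    [pscustomobject]@{ IdentityReference = 'INT\OU-Operators'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'CreateChild, DeleteChild'
                       ObjectType = $user; InheritedObjectType = $AllClasses; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'INT\OU-Operators'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'CreateChild'
                       ObjectType = $computer; InheritedObjectType = $AllClasses; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'INT\OU-Operators'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll'
                       ObjectType = $AllClasses; InheritedObjectType = $user; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'INT\OU-Operators'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll'
                       ObjectType = $AllClasses; InheritedObjectType = $AllClasses; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'INT\Domain Admins'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll'
                       ObjectType = $AllClasses; InheritedObjectType = $AllClasses; IsInherited = $true }
)

$sampleAcl | Get-DelegationFinding -Delegate 'INT\OU-Operators' | Format-Table -AutoSize -Wrap

# Against a live domain (the ActiveDirectory module provides the AD: drive):
#   Import-Module ActiveDirectory
#   (Get-Acl -Path 'AD:\OU=Delegated,DC=example,DC=com').Access |
#       Get-DelegationFinding -Delegate 'INT\OU-Operators'
```

With the sample data, the first three ACEs are reported as expected and the fourth, an inherited GenericAll that is not limited to a class, is flagged.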
Our home folders are stored on a non-Windows NAS device, and with Windows XP and 2003 we've always got the above error when creating or modifying users' home folders, even when the shares were already created and being used.
However this was never really a big issue, as the error that popped up was really for information and finished with a "we've modified the user properties anyway, please create the share manually" type message.
Unfortunately now we are moving to Windows 7 and 2008R2, this last part of the message is missing and it won't accept the correct value.
This issue may be in the way that the NAS device shares the folder, as only the username that matches the folder name can access the share. This behaviour can't be modified.
Is there a way to get Windows 7/2008R2 AD Users and Computers to behave the same way that Windows XP/2003 does, i.e. don't try and create the share, just set the value in the user properties?
The AD is still at 2003 level and we can still use Windows XP/2003 clients to make the changes, but this is a bit of a limitation.
The KB article is almost what we have apart from the italic underlined part
Consider the following scenario:
You use a domain administrator account to log on to a computer that is running Windows 7 or Windows Server 2008 R2.
You use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to connect to a domain controller.
You open the Properties dialog box of a user account.
The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
You set the Remote Desktop Services Home Folder attribute to the shared folder path.
Note This attribute is located on the Remote Desktop Services Profile tab.
You click Apply or OK.
In this scenario, you receive the following error message:
The home folder could not be created because: The network name cannot be found.
Note If you click Apply or OK again, no error message is returned. However, the setting is not saved.
I think the important bit is
The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
We manually create the shares on our NAS and then just want to enter the path in the profile tab. I suppose the question is: how do we stop it trying to create the shares? -
Can not open Active Directory Users and Computers
Problem Reported:
Out of the blue this has started happening:
When I go to "Active Directory Users and Computers" I get this message.
"MMC cannot open the file C:\WINDOWS\system32\dsa.msc.
This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file."
Additional information:
This is a server that has been in use for 2+ years with active directory users that can and do login everyday.
As far as I know the system has no backup.
dsa.msc IS located in the system32 folder
I am using the administrator account.
OS:
Microsoft Windows Server 2003 R2
Standard x64 Edition
Service Pack 2
Please help with detail. Thank you.
Have you tried to uninstall the ADUC administrative tool and re-install it again? If not, please give it a try.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
-
Windows 2008 Server - Cannot run Active Directory Users and Computers
Hi,
I am running Windows 2008 Server with latest windows updates installed. Directory Services Role also.
I attempt to open Active Directory Users and Computers tool and I get a;
Microsoft Visual C++ Runtime Library error;
"The Application has requested the runtime to terminate it in a unusual way. Please contact the application's support team for more information"
I click ok, then get the following debug info;
Problem signature:
Problem Event Name: APPCRASH
Application Name: mmc.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47919524
Fault Module Name: msvcrt.dll
Fault Module Version: 7.0.6001.18000
Fault Module Timestamp: 4791ad6b
Exception Code: 40000015
Exception Offset: 0000000000029b06
OS Version: 6.0.6001.2.1.0.272.7
Locale ID: 3081
Additional Information 1: 43aa
Additional Information 2: cf3a46656318492c1997480001b6b0e0
Additional Information 3: 3837
Additional Information 4: 92f72e0d0589ff77cef51e0a413aeff6
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
If someone could please assist, it would be very much appreciated.
Regards
B
Hi,
To solidly troubleshoot this kind of issue, we need to debug dump file. A suggestion would be to contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
However, I am also glad to share my research.
Some third party applications may lead to this error. Please check if you install other third party applications on Windows server 2008?
Also, please follow the article below to perform necessary steps to see how it's going?
FIX: You receive an "invalid page fault in module MSVCRT.DLL" error message after you install the run-time libraries from Visual C++ 6.0
http://support.microsoft.com/kb/190536/en-us
Hope this helps.
Best wishes
Morgan Che -
RSAT - Active Directory Users and Computers
After installing build 9879, I cannot open Active Directory Users and Computers. I get error message: MMC could not create the snap in. I do not see KB2693643 under installed updates anymore. I've tried to reinstall KB2693643 but I get error code 0x8024001d. Any help would be appreciated.
Hi readabook,
To resolve windows update error 0x8024001d, please rename Software Distribution folder:
1. Click on Start, choose run type in CMD and click OK.
2. Type NET STOP WUAUSERV and press Enter. (leave this window open for later use)
3. Open My Computer
4. Find the folder c:\Windows\SoftwareDistribution
5. Right mouse click on SoftwareDistribution and choose rename call the folder "SDold"
6. Return to the black Window that opened in step 1 type NET START WUAUSERV and click enter
Alex Zhao
TechNet Community Support -
Working with multiple users and computers, but shared data
Sorry if this is posted in a poor place, I'm not sure where the best place is. This is sort of a general questions.
For a long time, my wife and I have had either one computer, or two machines but one has definitely been just a terminal. We've basically set up all of our data to be one one primary machine, and if we want to view/edit that data we have to use that machine.
We just got a new MacBook Pro and I would like to be able to use two machines as equals. Sadly, this idea of multiple computers, with two users and some shared data is really giving me difficulty. I was wondering if anyone has any suggestions on how to best manage things like:
Synchronizing portions of our contact list (We share about 50% of the combined library -- we don't have to share all though).
How to manage iPhoto so that we can each have access to the photos. As an added difficulty (or maybe this is easier?) my Wife just wants to have access to the pictures for viewing and sharing on Facebook/Picassa/etc. I am the only one who wants to edit, correct and cull our library. That said, I always edit when I first put the data on the machine, and almost never again; so it would be fine to have one (or both accounts) set up as view only for the iPhoto data.
How to manage iTunes so that we can each have access to the music. As a super awesome bonus, it would be great if we could have three libraries: His, Hers and Shared. Maybe as much as 30% of our music library is similar, the rest just gets in the way.
What is the best solution people have found for calendars? (I'm thinking two separate calendars, and we each subscribe to each others iCal feed)
Mail.app and bookmark synching is not really a problem for us.
Two extra points:
* One machine is portable, and the other isn't. Ideally, when the laptop is out of the house, both machines should still have reasonable access to the shared data. That is: Just dumping things in the shared folder won't work because when the laptop is out of the house we will be disconnected from the source data.
* We just got a second iPhone. This means that both of us will be taking photos/video separately and trying to synch back to the master data store.
* Basically, I'm trying to minimize data duplication as much as possible, and just synchronize the systems to each other.
Thanks a ton in advance. If anyone has any suggestions at all, I would love to hear them. Including "This is in the wrong forum, go ask here instead..."
So you have a desktop Mac and a laptop Mac, right? Two user accounts (and a third admin account) on each computer, right?
I profess that I haven't tried this, but here is how I would approach your problem:
Sharing Music and Photos between multiple user accounts on the same computer:
See if http://forums.macrumors.com/showthread.php?t=194992 and http://forums.macrumors.com/showthread.php?t=510993 provide any useful information to assist you in this endeavor.
Sharing across multiple computers:
Turn on file sharing on the Desktop (System Preferences > Sharing). Now you can mount the Desktop as an external drive on the laptop's Desktop. Copy the music and photo folders across. Will take awhile to do the first time. Then, for future use, get a copy of the donationware CarbonCopyCloner or equivalent. You can use CCC to selectively sync specific folders from one computer to the other. There may be a hassle with digital copyright issues on music and movies, though.
Calendars:
As you have suggested yourself, publishing yours and subscribing to hers is probably the best way to do it, on the same computer. Across computers, syncing with CCC or equivalent would probably be the way to go. -
LogonServer name for user and computers
Hello,
I would like to capture the DC logon server name for which user and computer got authenticated with and report it to SCCM. Could you please help me with the location where this information is stored? Thanks very much in advance.
Rajiv
I usually just type in a command prompt:
set L
or
%logonserver%, and it will give it to me.
My thoughts are to run your script with administrator elevation, since I don't think running it below that will pull that type of data out.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Hello.
We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When an administrator connects to node2 and tries to rename some object in AD (for example, a user), AD Domain Services crashes and reboots the server after 60 seconds.
In Events I can see these messages:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 04.03.2014 12:37:58
Event ID: 1173
Task Category: Internal Processing
Level: Warning
Keywords: Classic
User: domain\admin
Computer: NODE2.domain.example
Description:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
c0000005
Parameter:
0
Additional Data
Error value:
7ffc7c38e45d
Internal ID:
0
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 04.03.2014 12:37:58
Event ID: 1015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: NODE2.domain.example
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Log Name: Application
Source: Application Error
Date: 04.03.2014 12:37:58
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: NODE2.domain.example
Description:
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x23c
Faulting application start time: 0x01cf3773fe973e1b
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
Faulting package full name:
Faulting package-relative application ID:
On node2 we installed all available updates and hotfixes.
Hi Azamat Hackimov,
Regarding the error messages, it seems that the ntdsai.dll file caused the issue. Based on the current situation, please use the sfc /scannow command to scan protected system files and check whether it finds and repairs errors. Meanwhile, you can also navigate to the location of this DLL file and confirm its details.
In addition, Windows Server 2012 R2 has rebooted unexpectedly. Please check if you have a dump file and then analyze it. It may help us to find the root cause. Please refer to the following KB.
How to read the small memory dump file that is created by Windows if a crash occurs.
http://support.microsoft.com/kb/315263/en-us
By the way, it is not effective for us to debug the crash dump file here in the forum. If this issue is an emergency for you, please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request, please refer to the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope this helps.
Best regards,
Justin Gu -
Security Settings won't reset "Launching applications and unsafe files"
Hi,
I'm using Windows 8.1 update 1 with IE.
I found a very strange problem,
If I changed the setting of:
Security tab-> Internet -> Custom level -> Miscellaneous -> Launching applications and unsafe file,
for example, I changed the setting from default "Prompt" to
"Enable",
Then I tried to reset all setting to "Medium-high(default)" at "Reset custom settings",
The setting I changed above never goes back to its default setting, it keeps the status "Enable".
All other settings I changed would be reset normally but only this one refuse to be reset.
B.T.W, I noticed this because somehow my IE refused to allow me download any exe file, even though I tried to reset the security setting. The only way which could let me reset this is to click the reset button in "Advanced" tab.
I don't know if this is intended or a bug or something wrong with my PC, but this is dangerous I think, because it made me believe that I have reset my security setting but actually not.
I tried to scan my PC with windows defender and MalwareBytes and found no threat. Windows update is also in an up-to-date state. I also tried to launch IE as admin then reset the security setting and with no luck.
I'm worried that my PC has picked up some kind of virus which caused this problem, so any information will be appreciated.
Thanks in advance!
Hi,
Reset button indeed can't change it as default. I also could reproduce this issue.
Thanks for your feedback and I have already submitted to our development team.
If you want to go back to "Prompt" status now, you need to uncheck "Enable" and check "Prompt" checkbox manually.
Karen Hu
TechNet Community Support -
Windows 10: new security features make PCs safer for users and businesses
Windows 10 doesn't only deliver various visual and functional updates.
The latest and most advanced OS from Microsoft has an abundance of new security features under the hood which ensure safer computing for consumers and businesses.
there is a new windows service installed with this beta version of the console launcher
why the hell do you need to add a new service all the time. First you added CTAudSVC.exe with the latest drivers... and now there is some sort of ct engine licensing service..... We need fixes not memory hogging services. -
Since OES 11 SP2 computer members of groups are not shown in AD Users and Computers mmc snapin
I have several groups of computers in my DSfW Domain, They are mainly
used to apply different GPOs to different groups.
If you look via iManager or C1 at the properties of the groups you see
the computers, which are members of the groups on the membership and
security self equivalency pages.
If you use the MS AD snapin the memberlist of the group shows not any
computer - but the computer(user) template shows, that the computer is
member of the groups in question. It seems as if the GPOs are applied
correctly using the group membership.
But the question remains, why are the computer members not shown in the
group template. They did show up there before OES 11SP2, so it seems
some attribute got lost or is not correctly interpreted on the AD side.
W. Prindl
This might be the side-effect of some bug fix we did in oes11sp2, and will require deeper debugging. Please raise the SR with appropriate priority so that we give greater attention.