Security Settings on Domain Node in Users and Computers

When I open Active Directory Users and Computers (dsa.msc) and right click on the domain node (top node of the tree) and select Properties, there is a security tab with the usual dialog for setting permissions.
I assume the Domain Administrator account, Domain Admins, and Enterprise Admins should have full control. But what other groups or users should have what permissions? Are the permissions I set here applicable only to the folders and OUs in the tree? Why would anyone but Domain/Enterprise Admins need permissions to these objects?
Are there any KB articles or best practices that offer guidance regarding how to set permissions here?

Hi,
Thanks for your posting.
Please check the following articles,
Security Groups
http://technet.microsoft.com/en-us/library/cc960640.aspx
Managing Domain Users and Groups
http://technet.microsoft.com/en-us/library/cc759353(v=ws.10).aspx
http://ss64.com/nt/syntax-groups.html
Regards.
Vivian Wang
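
An added example, not part of the original thread and not Microsoft's own code: one way to review the permissions the question asks about is to list the access control entries on the domain root and flag every trustee holding a high-impact right. The `Get-HighImpactAce` function, the allow-list and the `EXAMPLE\...` sample entries are constructed for illustration; the commented lines show how the same function would be fed from a live domain with the ActiveDirectory module.

```powershell
# Added example: flag high-impact ACEs on the domain root object for review.

# Extended-right GUIDs for directory replication (fixed schema values).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
# Rights that let a trustee take over or rewrite the object and, through
# inheritance, much of what sits below it.
$HighImpact = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'
$AllObjects = '00000000-0000-0000-0000-000000000000'

function Get-HighImpactAce {
    # Hypothetical helper: takes ACE objects shaped like
    # System.DirectoryServices.ActiveDirectoryAccessRule and returns one row
    # per Allow ACE that grants a high-impact right.
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        [string[]] $ExpectedTrustee = @()   # reviewer's own allow-list
    )
    foreach ($a in $Ace) {
        if ("$($a.AccessControlType)" -ne 'Allow') { continue }

        # The flags enum renders as "ReadProperty, WriteDacl"; split it.
        $rights  = "$($a.ActiveDirectoryRights)" -split ',\s*'
        $reasons = @($rights | Where-Object { $HighImpact -contains $_ })

        # ExtendedRight is scoped by ObjectType: a specific GUID names one
        # right, the all-zero GUID means every extended right.
        if ($rights -contains 'ExtendedRight') {
            $guid = "$($a.ObjectType)".ToLower()
            if ($ReplicationRights.ContainsKey($guid)) {
                $reasons += $ReplicationRights[$guid]
            } elseif ($guid -eq $AllObjects) {
                $reasons += 'All extended rights'
            }
        }
        if ($reasons.Count -eq 0) { continue }

        $trustee = "$($a.IdentityReference)"
        [pscustomobject]@{
            Trustee   = $trustee
            Reasons   = $reasons -join ', '
            Inherited = [bool]$a.IsInherited
            Expected  = $ExpectedTrustee -contains $trustee
        }
    }
}

# Constructed sample ACEs so the script runs without a domain.
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Admins'
        ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow'
        ObjectType = $AllObjects; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'
        ActiveDirectoryRights = 'GenericRead'; AccessControlType = 'Allow'
        ObjectType = $AllObjects; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\helpdesk-tier1'
        ActiveDirectoryRights = 'ReadProperty, WriteDacl'; AccessControlType = 'Allow'
        ObjectType = $AllObjects; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\svc-sync'
        ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Allow'
        ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'; IsInherited = $false }
)

# Against a live domain (requires the ActiveDirectory module):
#   Import-Module ActiveDirectory
#   $root = (Get-ADDomain).DistinguishedName
#   $sampleAces = (Get-Acl -Path "AD:\$root").Access

# Allow-list taken from the question's own assumption; adjust per environment.
$expected = 'EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins'

Get-HighImpactAce -Ace $sampleAces -ExpectedTrustee $expected |
    Sort-Object Expected, Trustee |
    Format-Table -AutoSize
```

Rows with `Expected` set to `False` are the entries to justify or remove; read-only entries such as the Authenticated Users sample are not listed.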

Similar Messages

  • Enable the UAC settings for Domain Controller / Member servers and for end user systems

    Hi
    We are working on hardening the security for all Domain Controllers / Member Servers and end user systems. As part of it we would like to know the best practice for UAC settings for each of these servers. There are 8 settings related to UAC and as of now we configured just "User Account Control: Behavior of the elevation prompt for standard users" as disabled for the servers OU. Also, we are not sure about the other settings and how they affect normal operations like installing Windows updates / applications through SCCM or manually on servers or end user systems, and other things.
    We are looking for experts' opinions on this. Thanks in advance
    LMS

    Hi LMS,
    Would you please let us know the current situation? Just check if Martin’s suggestion was helpful for you.
    If any updates, please feel free to let us know.
    In addition, please refer to the User Account Control grouping in the following article. It provides some links about the different UAC settings. Please click those links and read the related articles. These articles provide security considerations that may help you to configure those settings.
    Security Options
    http://technet.microsoft.com/en-us/library/jj852268.aspx
    Hope this helps.
    Best regards,
    Justin Gu

  • How to create "folders" in Active Directory Users and Computers?

    Hello Community
    In Windows Server 2008R2, when you go to Active Directory Users and Computers you will see icons of folders such as:
        - Builtin has a folder icon
        - Computers has a folder icon
        - ForeignSecurityPrincipals has a folder icon
        - Domain Controller has a folder icon
        - Managed Service Accounts has a folder icon
        - Users has a folder icon
    All of the above folders are visually identical.
    If you right click and select "File" – "New" on any of the selections, the icon will not look like the folder icon; they have their own icons, which look different from the "Folder" icon.
    I would like to create a "Folder" that looks visually exactly like the ones mentioned above. How can I create those types of folders in Active Directory Users and Computers?
    Note: I would like to put users in the folders.
    Thank you
    Shabeaut

    Hi,
    You should use OUs (an OU is the type of object (folder) that is available for you to easily create).
    The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
    Refer: Delegating Administration by Using OU Objects
    http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx   
    and the sub-articles:
    Administration of Default Containers and OUs
    http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
    Delegating Administration of Account and Resource OUs
    http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
    Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • Active directory users and computers wont start on a dc, "the server is not operational"

    In our environment, we have 3 dc's 
    two which run server 2008 (they work perfectly)
    and one never off branch dc that runs server 2008 r2.
    We have been having some problems where we feel the replication isn't up to speed (stuff could take up to 24 hours to replicate), and now when I tried opening Active Directory Users and Computers I am met with this error window:
    We have a third party DNS solution.
    How do I troubleshoot this issue?

    dc01 (which replicates perfectly with dc02, and vice versa)
    dcdiag /test:dns
    C:\Users\adminuser>dcdiag /test:dns
    Domain Controller Diagnosis
    Performing initial setup:
    Done gathering initial info.
    Doing initial required tests
    Testing server: Hostingpartner\ourdc01
    Starting test: Connectivity
    ......................... ourDC01 passed test Connectivity
    Doing primary tests
    Testing server: Hostingpartner\ourdc01
    DNS Tests are running and not hung. Please wait a few minutes...
    Running partition tests on : ForestDnsZones
    Running partition tests on : DomainDnsZones
    Running partition tests on : Schema
    Running partition tests on : Configuration
    Running partition tests on : int
    Running enterprise tests on : int.domain.com
    Starting test: DNS
    Test results for domain controllers:
    DC: ourdc01.int.domain.com
    Domain: int.domain.com
    TEST: Delegations (Del)
    Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
    Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
    Summary of test results for DNS servers used by the above domain controllers:
    DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
    2 test failures on this DNS server
    Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
    Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
    Summary of DNS test results:
    Auth Basc Forw Del Dyn RReg Ext
    Domain: int.domain.com
    ourdc01 PASS PASS PASS FAIL n/a PASS n/a
    ......................... int.domain.com failed test DNS
    dcdiag on dc01(which can replicate with dc02)
    C:\Users\adminuser>dcdiag
    Domain Controller Diagnosis
    Performing initial setup:
    Done gathering initial info.
    Doing initial required tests
    Testing server: hostingpartner\ourdc01
    Starting test: Connectivity
    ......................... OURDC01 passed test Connectivity
    Doing primary tests
    Testing server: hostingpartner\ourdc01
    Starting test: Replications
    [Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
    Win32 Error 8453.
    ......................... OURDC01 failed test Replications
    Starting test: NCSecDesc
    ......................... OURDC01 passed test NCSecDesc
    Starting test: NetLogons
    [OURDC01] User credentials does not have permission to perform this operation.
    The account used for this test must have network logon privileges
    for this machine's domain.
    ......................... OURDC01 failed test NetLogons
    Starting test: Advertising
    ......................... OURDC01 passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... OURDC01 passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... OURDC01 passed test RidManager
    Starting test: MachineAccount
    ......................... OURDC01 passed test MachineAccount
    Starting test: Services
    ......................... OURDC01 passed test Services
    Starting test: ObjectsReplicated
    ......................... OURDC01 passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... OURDC01 passed test frssysvol
    Starting test: frsevent
    ......................... OURDC01 passed test frsevent
    Starting test: kccevent
    ......................... OURDC01 passed test kccevent
    Starting test: systemlog
    An Error Event occured. EventID: 0xC0002719
    Time Generated: 04/04/2013 15:04:29
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0xC0002719
    Time Generated: 04/04/2013 15:04:50
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0xC0002719
    Time Generated: 04/04/2013 15:10:56
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0xC0002719
    Time Generated: 04/04/2013 15:11:17
    (Event String could not be retrieved)
    ......................... OURDC01 failed test systemlog
    Starting test: VerifyReferences
    ......................... OURDC01 passed test VerifyReferences
    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Running partition tests on : int
    Starting test: CrossRefValidation
    ......................... int passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... int passed test CheckSDRefDom
    Running enterprise tests on : int.domain.com
    Starting test: Intersite
    ......................... int.domain.com passed test Intersite
    Starting test: FsmoCheck
    ......................... int.domain.com passed test FsmoCheck
    The problematic dc03:
    Dcdiag gives the same output as dcdiag /test:dns
    C:\Users\adminuser>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = OURDC03
    Ldap search capabality attribute search failed on server NTSDC03, return
    value = 81
    We have an infoblox dns server on ip address xxx.y.y.251.
    first error in event logs on dc03:
    error 1863
    This is the replication status for the following directory partition on this directory server.
    Directory partition:
    CN=Configuration,DC=int,DC=domain,DC=com
    This directory server has not received replication information from a number of directory servers within the configured latency interval.
    Latency Interval (Hours):
    24
    Number of directory servers in all sites:
    2
    Number of directory servers in this site:
    2
    The latency interval can be modified with the following registry key.
    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
    To identify the directory servers by name, use the dcdiag.exe tool.
    You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
    I have also got several warnings 2088, 2093, 2087.
    And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones

  • Hide all except one object in Active Directory Users and Computers.

    Hello,
    I have a question.. I need to allow to one group of "administrators" creating users in one OU and adding computers to the domain, nothing else. I allowed them to log on DC using the GPO "Allow log on locally", because I don't want to give
    them administrator rights, I allowed them to do these operations on one OU through delegation wizard and now I need to make all OUs, groups etc. invisible to them except this OU. What is the best way how to achieve this? Thank you...
    d.

    I would disable the ability to allow them to login. I suggest to create a Computers OU that you can delegate to the "admins" to add computers, and don't use the default Computers container.
    I assume the admins are using Windows 7 or newer. You can customize an RSAT installation to just provide the ADAC.
    Description of Remote Server Administration Tools for Windows 7:
    http://support.microsoft.com/default.aspx/kb/958830
    Remote Server Administration Tools for Windows 7:
    http://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx
    Remote Server Administration Tools for Windows 7
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
    Customizing - Installing Remote Server Administration Tools (RSAT) for Windows 7
    http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm
    Or if you want to chop it down and control it further, create a custom ADUC with just that OU you've delegated. I've done this in the past and worked fine for my customer:
    Delegate an Organizational Unit (OU) in Active Directory Users and Computers (ADUC), then create a custom MMC or customized RSAT
    http://blogs.msmvps.com/acefekay/2014/09/04/delegate-an-organizational-unit-ou-in-active-directory-users-and-computers-aduc-then-create-a-custom-mmc-or-customized-rsat/
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • "The home folder could not be created because the network name cannot be found" error in AD users and computers

    Our home folders are stored on a non-Windows NAS device and with Windows XP and 2003 we've always got the above error when creating or modifying users' home folders, even when the shares were already created and being used.
    However, this was never really a big issue as the error that popped up was really for information and finished with a "we've modified the user properties anyway, please create the share manually" type message.
    Unfortunately, now we are moving to Windows 7 and 2008R2, this last part of the message is missing and it won't accept the correct value.
    This issue may be in the way that the NAS device shares the folder, as only the username that matches the folder name can access the share. This behaviour can't be modified.
    Is there a way to get Windows 7/2008R2 AD Users and Computers to behave the same way that Windows XP/2003 does, i.e. don't try and create the share, just set the value in the user properties?
    The AD is still at 2003 level and we can still use Windows XP/2003 clients to make the changes but this is a bit of a limitation.

    The KB article is almost what we have apart from the italic underlined part
    Consider the following scenario:
    You use a domain administrator account to log on to a computer that is running Windows 7 or Windows Server 2008 R2.
    You use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to connect to a domain controller.
    You open the Properties dialog box of a user account.
    The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
    You set the Remote Desktop Services Home Folder attribute to the shared folder path.
    Note This attribute is located on the Remote Desktop Services Profile tab.
    You click Apply or OK.
    In this scenario, you receive the following error message:
    The home folder could not be created because: The network name cannot be found.
    Note If you click Apply or OK again, no error message is returned. However, the setting is not saved.
    I think the important bit is
    The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
    We manually create the shares on our NAS and then just want to enter the path in the profile tab. I suppose the question is how do we stop it trying to create the shares?

  • Can not open Active Directory Users and Computers

    Problem Reported:
    Out of the blue this has started happening:
    When I go to "Active Directory Users and Computers" I get this message.
    "MMC cannot open the file C:\WINDOWS\system32\dsa.msc.
    This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.
    Additional information:
    This is a server that has been in use for 2+ years with active directory users that can and do login everyday.
    As far as I know the system has no backup.
    dsa.msc IS located in the system32 folder
    I am using the administrator account.
    OS:
    Microsoft Windows Server 2003 R2
    Standard x64 Edition
    Service Pack 2
    Please help with detail. Thank you.

    Have you tried to uninstall ADUC administrative tool and re-install it again? If no, please give a try. 
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Windows 2008 Server - Cannot run Active Directory Users and Computers

    Hi,
    I am running Windows 2008 Server with latest windows updates installed. Directory Services Role also.
    I attempt to open Active Directory Users and Computers tool and I get a;
    Microsoft Visual C++ Runtime Library error;
    "The Application has requested the runtime to terminate it in a unusual way. Please contact the application's support team for more information"
    I click ok, then get the following debug info;
    Problem signature:
    Problem Event Name: APPCRASH
    Application Name: mmc.exe
    Application Version: 6.0.6001.18000
    Application Timestamp: 47919524
    Fault Module Name: msvcrt.dll
    Fault Module Version: 7.0.6001.18000
    Fault Module Timestamp: 4791ad6b
    Exception Code: 40000015
    Exception Offset: 0000000000029b06
    OS Version: 6.0.6001.2.1.0.272.7
    Locale ID: 3081
    Additional Information 1: 43aa
    Additional Information 2: cf3a46656318492c1997480001b6b0e0
    Additional Information 3: 3837
    Additional Information 4: 92f72e0d0589ff77cef51e0a413aeff6
    Read our privacy statement:
    http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
    If someone could please assist, it would be very much appreciated.
    Regards
    B

     
    Hi,
    To solidly troubleshoot this kind of issue, we need to debug the dump file. A suggestion would be to contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
    To obtain the phone numbers for specific technology request please take a look at the web site listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
    However, I am also glad to share my research.
    Some third party applications may lead to this error. Please check whether you have installed other third party applications on Windows Server 2008.
    Also, please follow the article below to perform the necessary steps and see how it goes.
    FIX: You receive an "invalid page fault in module MSVCRT.DLL" error message after you install the run-time libraries from Visual C++ 6.0
    http://support.microsoft.com/kb/190536/en-us
    Hope this helps.
    Best wishes
    Morgan Che

  • RSAT - Active Directory Users and Computers

    After installing build 9879, I cannot open Active Directory Users and Computers. I get error message: MMC could not create the snap in. I do not see KB2693643 under installed updates anymore. I've tried to reinstall KB2693643 but I get error code 0x8024001d. Any help would be appreciated.

    Hi readabook,
    To resolve Windows Update error 0x8024001d, please rename the SoftwareDistribution folder:
    1. Click on Start, choose Run, type in CMD and click OK.
    2. Type NET STOP WUAUSERV and press Enter. (Leave this window open for later use.)
    3. Open My Computer.
    4. Find the folder c:\Windows\SoftwareDistribution
    5. Right mouse click on SoftwareDistribution and choose Rename; call the folder "SDold".
    6. Return to the black window that opened in step 1, type NET START WUAUSERV and press Enter.
    Alex Zhao
    TechNet Community Support

  • Working with multiple users and computers, but shared data

    Sorry if this is posted in a poor place, I'm not sure where the best place is. This is sort of a general question.
    For a long time, my wife and I have had either one computer, or two machines but one has definitely been just a terminal. We've basically set up all of our data to be on one primary machine, and if we want to view/edit that data we have to use that machine.
    We just got a new MacBook Pro and I would like to be able to use two machines as equals. Sadly, this idea of multiple computers, with two users and some shared data is really giving me difficulty. I was wondering if anyone has any suggestions on how to best manage things like:
    Synchronizing portions of our contact list (We share about 50% of the combined library -- we don't have to share all though).
    How to manage iPhoto so that we can each have access to the photos. As an added difficulty (or maybe this is easier?) my wife just wants to have access to the pictures for viewing and sharing on Facebook/Picasa/etc. I am the only one who wants to edit, correct and cull our library. That said, I always edit when I first put the data on the machine, and almost never again; so it would be fine to have one (or both accounts) set up as view only for the iPhoto data.
    How to manage iTunes so that we can each have access to the music. As a super awesome bonus, it would be great if we could have three libraries: His, Hers and Shared. Maybe as much as 30% of our music library is similar, the rest just gets in the way.
    What is the best solution people have found for calendars? (I'm thinking two separate calendars, and we each subscribe to each others iCal feed)
    Mail.app and bookmark synching is not really a problem for us.
    Two extra points:
    * One machine is portable, and the other isn't. Ideally, when the laptop is out of the house, both machines should still have reasonable access to the shared data. That is: Just dumping things in the shared folder won't work because when the laptop is out of the house we will be disconnected from the source data.
    * We just got a second iPhone. This means that both of us will be taking photos/video separately and trying to synch back to the master data store.
    * Basically, I'm trying to minimize data duplication as much as possible, and just synchronize the systems to each other.
    Thanks a ton in advance. If anyone has any suggestions at all, I would love to hear them. Including "This is in the wrong forum, go ask here instead..."

    So you have a desktop Mac and a laptop Mac, right? Two user accounts (and a third admin account) on each computer, right?
    I profess that I haven't tried this, but here is how I would approach your problem:
    Sharing Music and Photos between multiple user accounts on the same computer: 
    See if http://forums.macrumors.com/showthread.php?t=194992 and http://forums.macrumors.com/showthread.php?t=510993 provide any useful information to assist you in this endeavor.
    Sharing across multiple computers:
    Turn on file sharing on the Desktop (System Preferences > Sharing). Now you can mount the Desktop as an external drive on the laptop's Desktop. Copy the music and photo folders across. Will take awhile to do the first time. Then, for future use, get a copy of the donationware CarbonCopyCloner or equivalent. You can use CCC to selectively sync specific folders from one computer to the other. There may be a hassle with digital copyright issues on music and movies, though.
    Calendars:
    As you have suggested yourself, publishing yours and subscribing to hers is probably the best way to do it, on the same computer. Across computers, syncing with CCC or equivalent would probably be the way to go.

  • LogonServer name for user and computers

    Hello,
    I would like to capture the DC logon server name with which the user and computer got authenticated and report it to SCCM. Could you please help me with the location where this information is stored? Thanks very much in advance.
    Rajiv

    I usually just type in a command prompt:
    set L
    or
    %logonserver%, and it will give it to me.
    My thoughts are to run your script with administrator elevation, since I don't think running it below that will pull that type of data out.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Active Directory Domain Services crash after Administrator renames object in Active Directory Users and Computers

    Hello.
    We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When an administrator connects to node2 and tries to rename some object in AD (for example, a user), AD Domain Services crashes and reboots the server after 60 seconds.
    In Events I can see these messages:
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          04.03.2014 12:37:58
    Event ID:      1173
    Task Category: Internal Processing
    Level:         Warning
    Keywords:      Classic
    User:          domain\admin
    Computer:      NODE2.domain.example
    Description:
    Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
    Exception:
    c0000005
    Parameter:
    0
    Additional Data
    Error value:
    7ffc7c38e45d
    Internal ID:
    0
    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          04.03.2014 12:37:58
    Event ID:      1015
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NODE2.domain.example
    Description:
    A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.
    Log Name:      Application
    Source:        Application Error
    Date:          04.03.2014 12:37:58
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NODE2.domain.example
    Description:
    Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
    Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
    Exception code: 0xc0000005
    Fault offset: 0x000000000019e45d
    Faulting process id: 0x23c
    Faulting application start time: 0x01cf3773fe973e1b
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\ntdsai.dll
    Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
    Faulting package full name:
    Faulting package-relative application ID:
    In node2 we installed all available updates and hotfixes.

    Hi Azamat Hackimov,
    Regarding the error messages, it seems that the ntdsai.dll file caused the issue. Based on the current situation, please use the sfc /scannow command to scan protected system files and check whether it finds and repairs any errors. Meanwhile, you can also navigate to the location of this DLL file and confirm its details.
    In addition, Windows Server 2012 R2 has rebooted unexpectedly. Please check whether you have a dump file and then analyze it. It may help us to find the root cause. Please refer to the following KB.
    How to read the small dump memory dump file that is created by Windows if a crash occurs.
    http://support.microsoft.com/kb/315263/en-us
    By the way, it is not effective for us to debug the crash dump file here in the forum. If this issue is an emergency for you, please contact Microsoft Customer Service
    and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
    To obtain the phone numbers for specific technology request, please refer to the web site listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
    Hope this helps.
    Best regards,
    Justin Gu

  • Security Settings won't reset "Launching applications and unsafe files"

    Hi,
    I'm using Windows 8.1 update 1 with IE.
    I found a very strange problem,
    If I change the setting of:
    Security tab -> Internet -> Custom level -> Miscellaneous -> Launching applications and unsafe files,
    for example, from the default "Prompt" to "Enable",
    and then try to reset all settings to "Medium-high (default)" at "Reset custom settings",
    the setting I changed above never goes back to its default; it keeps the status "Enable".
    All other settings I changed are reset normally; only this one refuses to be reset.
    B.T.W., I noticed this because somehow my IE refused to allow me to download any exe file, even though I tried to reset the security settings. The only way to reset this is to click the reset button in the "Advanced" tab.
    I don't know if this is intended, a bug, or something wrong with my PC, but I think this is dangerous, because it made me believe that I had reset my security settings when I actually had not.
    I tried scanning my PC with Windows Defender and MalwareBytes and found no threat. Windows Update is also up to date. I also tried launching IE as admin and then resetting the security settings, with no luck.
    I'm worried that my PC has some kind of virus which caused this problem, so any information will be appreciated.
    Thanks in advance!

    Hi,
    The Reset button indeed can't change it back to the default. I could also reproduce this issue.
    Thanks for your feedback; I have already submitted it to our development team.
    If you want to go back to "Prompt" status now, you need to uncheck "Enable" and check "Prompt" checkbox manually.
    Karen Hu
    TechNet Community Support
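
Because the dialog can report a reset that this one setting did not receive, the stored value can be read directly instead. This is an added example, not part of the original thread; it assumes the standard Internet Explorer zone registry layout, where zone 3 is Internet and URL action 1806 is "Launching applications and unsafe files" (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example: read the stored value of "Launching applications and unsafe files"
# for the Internet zone instead of trusting what the Reset dialog reports.
# Assumption: standard IE zone layout (zone 3 = Internet, URL action 1806).
$action   = '1806'
$zone     = '3'
$meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$expected = 1   # "Prompt", the default named in the post

# Per-user and per-machine locations, plus their Group Policy counterparts.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$results = foreach ($root in $roots) {
    $path = Join-Path $root $zone
    $item = Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }          # value not set in this location
    $value = [int]$item.$action
    $label = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { 'Unknown' }
    [pscustomobject]@{
        Path           = $path
        Value          = $value
        Setting        = $label
        MatchesDefault = ($value -eq $expected)
    }
}

if (-not $results) {
    Write-Output 'No explicit value stored for action 1806 in the Internet zone.'
} else {
    $results | Format-Table -AutoSize
    $drift = @($results | Where-Object { -not $_.MatchesDefault })
    if ($drift.Count -gt 0) {
        Write-Warning "$($drift.Count) location(s) differ from 'Prompt'; the reset did not take effect there."
    }
}
```

A value under one of the Policies keys means the setting is enforced by Group Policy, which a reset in the dialog does not change.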

  • Windows 10: new security features make PCs safer for users and businesses

    Windows 10 doesn't only deliver various visual and functional updates.
    The latest and most advanced OS from Microsoft has an abundance of new security features under the hood which ensure safer computing for consumers and businesses. 

    there is a new windows service installed with this beta version of the console launcher
    why the hell do you need to add a new service all the time. First you added CTAudSVC.exe with the latest drivers... and now there is some sort of ct engine licensing service..... We need fixes not memory hogging services.

  • Since OES 11 SP2 computer members of groups are not shown in AD Users and Computers mmc snapin

    I have several groups of computers in my DSfW Domain. They are mainly
    used to apply different GPOs to different groups.
    If you look via iManager or C1 at the properties of the groups you see
    the computers, which are members of the groups on the membership and
    security self equivalency pages.
    If you use the MS AD snapin the memberlist of the group does not show any
    computer - but the computer(user) template shows, that the computer is
    member of the groups in question. It seems as if the GPOs are applied
    correctly using the group membership.
    But the question remains, why are the computer members not shown in the
    group template. They did show up there before OES 11SP2, so it seems
    some attribute got lost or is not correctly interpreted on the AD side.
    W. Prindl

    Originally Posted by W_Prindl
    I have several groups of computers in my DSfW Domain. They are mainly
    used to apply different GPOs to different groups.
    If you look via iManager or C1 at the properties of the groups you see
    the computers, which are members of the groups on the membership and
    security self equivalency pages.
    If you use the MS AD snapin the memberlist of the group does not show any
    computer - but the computer(user) template shows, that the computer is
    member of the groups in question. It seems as if the GPOs are applied
    correctly using the group membership.
    But the question remains, why are the computer members not shown in the
    group template. They did show up there before OES 11SP2, so it seems
    some attribute got lost or is not correctly interpreted on the AD side.
    W. Prindl
    This might be the side-effect of some bug fix we did in oes11sp2, and will require deeper debugging. Please raise the SR with appropriate priority so that we give greater attention.
