SID only shows up when adding a domain user account from an external trusted domain

This is sort of an interesting situation which may wind up being more of a network port not being open.
There are two Windows 2008 R2 domains, AlphaCo and BravoCo, that have an external one-way trust set up between them where AlphaCo trusts BravoCo. The member servers on the AlphaCo domain have BravoCo users added to their local groups. The problem is on one of the member servers (SRV-05) on the AlphaCo domain. When any user from the BravoCo domain is added to the local Administrators group it will show up when doing a search with the "friendly name", but when you click on "Apply" and/or "OK" it changes to the SID. This only happens on the SRV-05 server. The other member servers on the AlphaCo domain (SRV-01, 02, 03, 04, 06) are not having this issue.
Any idea what may be causing this user identity crisis and what could be done to resolve it?

There are no other differences between SRV-05 and the other member servers on the AlphaCo domain (SRV-01, 02, 03, 04, 06). I did download and run the PortQryUI tool to check the status of port 135 on SRV-05 and the other servers, which came back with the same results. I also checked the AlphaCo domain security settings (Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options) Network access: Allow anonymous SID/Name translation, which was disabled. But I do not believe this is the cause since it would impact the other servers (SRV-01, 02, 03, 04, 06) in the domain.
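An added diagnostic for the situation above (this is not part of the original post). It enumerates the local Administrators group through ADSI so that the raw SID of every member is available even when the GUI can no longer resolve it, asks the local LSA to translate each SID back to DOMAIN\name (the same lookup the Local Users and Groups snap-in performs when it repaints the list after Apply/OK), and then reports which domain controller this host's secure channel is bound to and whether it can locate a DC for the trusted domain. The domain names AlphaCo/BravoCo and the group name come from the post; the parameter names and output format are mine. One caveat worth knowing while comparing servers: a member server does not resolve a trusted-domain SID itself, it hands the lookup to a DC of its own domain, which forwards it across the trust. So a server bound to a different DC than its peers can fail where they succeed, which is why the secure-channel query is included.

```powershell
# Added example: SID-resolution check for trusted-domain members of a local group.
# Assumptions: run on the AlphaCo member server (SRV-05, then a healthy peer such as
# SRV-01 for comparison); BravoCo is the trusted domain; nltest.exe is present.
# Parameter names are my own, not from the thread.
param(
    [string]$GroupName     = 'Administrators',
    [string]$OwnDomain     = 'AlphaCo',
    [string]$TrustedDomain = 'BravoCo'
)

# 1. Enumerate the group via the WinNT provider so each member's raw SID is available
#    regardless of whether Windows can currently map it to a name.
$group   = [ADSI]"WinNT://./$GroupName,group"
$members = @($group.psbase.Invoke('Members'))

$report = foreach ($m in $members) {
    $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $adsPath  = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    # 2. Translate the SID to DOMAIN\name through LSA, exactly what the Local Users and
    #    Groups snap-in does when it repaints the member list after Apply/OK. When this
    #    throws, the GUI shows the bare SID.
    try {
        $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $status = 'resolved'
    } catch {
        $name   = ''
        $status = 'UNRESOLVED: ' + $_.Exception.Message
    }
    [pscustomobject]@{
        ADsPath = $adsPath      # unresolved members show up here as WinNT://S-1-5-21-...
        SID     = $sid.Value
        Name    = $name
        Status  = $status
    }
}
$report | Format-Table -AutoSize -Wrap

# 3. Which DC is this server's secure channel bound to, and can it find a DC for the
#    trusted domain at all? Run the same three commands on a working server and diff.
nltest /sc_query:$OwnDomain
nltest /dsgetdc:$TrustedDomain
nltest /trusted_domains
```

If only BravoCo SIDs come back UNRESOLVED on SRV-05 while the same SIDs resolve on SRV-01, the difference between the two `nltest /sc_query` results (the DC each server is bound to) is the first thing to chase; `nltest /sc_reset:AlphaCo` will rebind the channel if the DC SRV-05 is using cannot reach BravoCo.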

Similar Messages

  • Adding an existing user account from one computer to another?

    Hey all,
    I fried my MacBook. It's wrecked.
    While I save for another I plan on borrowing my sister's computer (she's going overseas for 3 months).
    Now I'm sure the HD of my MacBook is fine, and my mum has one too. So I want to take the HD out of hers (apparently this won't void the warranty) and put my HD into it, booting it from mine, so that it is essentially my computer.
    Then I want to transfer my account details to my sister's iMac - but I don't want to wipe her account off. I just want to add an account to her iMac, that account being the one that was on my MacBook (via my mum's MacBook).
    How can I do this? Can I do it? Does it matter that my MacBook (and therefore my account) was running OS 10.5, while her iMac is on OS 10.4?
    I'd love to hear back from anyone that can help. I haven't had much luck so far... my MacBook was only a few months old, and I was literally a week from insuring it when I bumped a glass of orange juice.... you can imagine the rest : (
    Thanks all : )

    Leopard itself, unlike Tiger, is a "universal boot" OS - it does not come in separate Intel and PPC versions. So if you can get your MacBook HD image cloned onto an APM-formatted external Firewire drive, it MIGHT still boot and run in the G5 iMac.
    You said you got an external drive - did you mean a Firewire enclosure which now holds the MB HD?
    If so, you could now obtain another external Firewire drive, not just an enclosure. They are quite cheap at OWC (much cheaper than another computer) and can be put to good use later for backup whatever happens.
    Then the idea would be to connect the new empty drive to the G5 iMac, and use Disk Utility there to partition it as APM if it is not already that way. Then also connect the FW enclosure containing your MB HD. From the G5, use a program like Carbon Copy Cloner to clone the old GUID-partitioned MB volume (source) to the new APM-partitioned external drive volume (target).
    Next try to boot from the new external drive, and cross your fingers!
    Again this might not work, but an external FW drive is always a good investment for future backup.
    You mentioned an eMac - if you want to try it instead of the G5, be sure it meets the requirements for Leopard.
    jd

  • My iPhone 4s is stuck on a black screen that shows a USB cable connecting to iTunes. The phone will not turn on and the iTunes logo as I described only shows up when I plug the phone into the charger or my computer. I have tried the reset in restore mode

    My iPhone 4s is stuck on a black screen that shows a USB cable connecting to iTunes. The phone will not turn on and the iTunes logo as I described only shows up when I plug the phone into the charger or my computer. I have tried the reset in restore mode as well as the DFU? mode and it still will not work. I have the latest version of iTunes on my Mac. My error code was 2002. I also tried it on my laptop (windows 8.1) and none of the above worked. My error code on my laptop was 02. The phone is through Verizon and it has absolutely no damage. It was working fine up until this and I have been trying to fix it for 2 days. Please help! I am unsure of what version the phone was currently running on before this because I have another iphone that's my primary phone and have not used this one in about a month. I do not believe it was updated to IOS 7.

    Your iPhone is in recovery mode at the moment, so to possibly get it back up and running you would need to do a restore as you have been trying. Follow the steps in the article below for the specific error messages you have been receiving. If after following all steps the issue remains, book an appointment at a local Apple Retail Store to have the iPhone evaluated.
    Resolve specific iTunes update and restore errors

  • My iPhone 5 is not showing up in iPhoto over WiFi. Is this normal? Or will it only show up when I connect with USB ?

    My iPhone 5 is not showing up in iPhoto over WiFi.
    Is this normal?
    Or will it only show up when I connect with USB ?

    It will show up, when connected directly by USB as a camera.

  • My podcasts do not show the pictures only the sound when I import them to iTunes from Garage Band.  How do I get the pictures to show up in iTunes?

    My podcasts do not show the pictures only the sound when I import them to iTunes from Garage Band.  How do I get the pictures to show up in iTunes?

    Well, all I can tell you is that if your file is an m4a with chapter markers, those markers having suitably sized images attached, and you drag it into the Music area of iTunes (so that it appears as a song) in List view, when you play it and then command-click on the small image in the header (next to the progress bar) you should see your embedded images.
    If this isn't happening the best place to ask would be in the GarageBand forum: my own experience of GB is rather out of date and in any case I've never used it for podcasting.

  • Custom splash screen only shows up when command line is used...

    Hi,
    Everything in my Java web start application works perfectly but, the custom splash screen only shows up when command line is used ("C:\Program Files (x86)\Java\jre7\bin>javaws -verbose http://www.xxx.eu/AcSentVivresCrus/AcSentJnlp/AcSent.jnlp"), if I use the shortcut on the desktop or in the start menu, the Java 7 splash screen shows up (tested under Windows Vista and Seven). Does someone have any clues?
    Thanks...
    My jnlp file :
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="6.0+" href="AcSent.jnlp">
      <information>
        <title>AcSent : Commande de repas</title>
        <description>AcSent - Commande de repas</description>
        <vendor>AcSent</vendor>
        <homepage href="http://www.xxx.eu" />
        <icon href="acSentIconBiseau.png" />
        <icon href="splashAcSentRC.png" kind="splash" />
        <shortcut online="true">
          <desktop />
          <menu submenu="AcSent" />
        </shortcut>
      </information>
      <security>
        <all-permissions />
      </security>
      <resources>
        <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se" max-heap-size="128m" />
        <jar href="AcSentJnlpProgressIndicator.jar" download="progress" />
        <jar href="AcSentJnlp.jar" main="true" version="1.0" />
        <property name="jnlp.packEnabled" value="true" />
        <property name="jnlp.versionEnabled" value="true" />
      </resources>
      <application-desc name="AcSent" main-class="eu.acsent.jnlp.AcSentApplication"
           progress-class="eu.acsent.jnlp.progressindicator.CustomProgress"> 
      </application-desc>
    </jnlp>

    Hi again,
    I did some research:
    - The link in the generated shortcuts ("C:\Windows\SysWOW64\javaws.exe -localfile -J-Djnlp.application.href=http://www.xxx.eu/AcSentVivresCrus/AcSentJnlp/AcSent.jnlp "C:\Users\Arnaud\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\69c1e9ee-1f252d1a") is not the same as the one I use in the command line ("C:\Program Files (x86)\Java\jre7\bin>javaws -verbose http://www.xxx.eu/AcSentVivresCrus/AcSentJnlp/AcSent.jnlp"). Is there a way in the JNLP file to tell how to generate shortcuts (not the icon, etc., but command line options)?
    - This sample (https://blogs.oracle.com/thejavatutorials/entry/changing_the_java_web_start) displays the splash screen when I click on the generated shortcuts (I use Windows 7). I have copied the ButtonDemo jar file and the JNLP file to my IIS web server (Windows 2008 Server); this time the splash screen does not show up when I click the generated shortcuts but always shows up when I use the command line. Can someone tell me if it is a problem with IIS?
    Thanks again...

  • When adding a yahoo email account I keep getting "Server Unavailable" notification.  This started after I updated my software.  I deleted my accounts and tried to re-add them but continue to get this notification??

    When adding a yahoo email account I keep getting "Server Unavailable" notification.  This started after I updated my software.  I deleted my accounts and tried to re-add them but continue to get this notification??

    hello, this is a scam tactic that is trying to trick you into installing malware, so don't download or execute this kind of stuff! as you've rightly mentioned, you're already using the latest version of firefox installed and you can always initiate a check for ''updates in firefox > help > about firefox''.
    you might also want to run a full scan of your system with the security software already in place and different tools like the [http://www.malwarebytes.org/products/malwarebytes_free free version of malwarebytes], [http://www.bleepingcomputer.com/download/adwcleaner/ adwcleaner] & [http://www.kaspersky.com/security-scan kaspersky security scan] in order to make sure that there isn't already some sort of malware active on your system that triggers these false alerts.
    [[Troubleshoot Firefox issues caused by malware]]

  • Hi. NOT CALL ME FOR I AM DEAF BETTER U WRITE ONLY EMAIL. When I run the app ALLMYMUSIC FROM WONDERSHARE after installing I get this window up. When I log in with my Apple ID I just get: The Apple ID you entered couldn't be found or your password was incor

    Hi. NOT CALL ME FOR I AM DEAF BETTER U WRITE ONLY EMAIL.
    When I run the app ALLMYMUSIC FROM WONDERSHARE after installing I get this window up.
    When I log in with my Apple ID I just get:
    The Apple ID you entered couldn't be found or your password was incorrect. Please try again.
    I have however made sure that this is the correct Apple ID and password that I am putting in. In the Mac App Store it works.
    Do you have any solution?
    I am running Mavericks 10.9.2.

    To post a screenshot click on the "Camera" button at the top of the reply box and upload it there.
    MtD

  • Why does my internet password show up when I reply to an email from my cell?

    Why does my internet password show up when I reply to an email from my cell?

    this question is extremely broad. can you describe what you mean? where does the password show up? in the signature line? as the subject? in the body? and what internet password? your home provider? your cell provider? what's the password for? your email account? or is your phone password protected? details.

  • SSAS issue with Domain user account

    Hi
    I have SSAS 2008 R2 set up running on Windows Server 2012 Standard.
    The server is registered as a part of the domain.
    I have had an issue with domain user accounts accessing a cube and it's starting to get worse. There has been no problem with a local user account (I set up a few for testing purposes).
    I ran the role report from BIDS Helper and it finds all the domain user accounts invalid.
    It looks like SSAS is not talking well with the domain server (Windows 2003 Server Standard) to verify user credentials. But the thing is that everyone is OK with the domain server except for SSAS. IT does not have a clue what's going on here and everything is just pointing at me right now.
    I'd like to know if there is any way to monitor that communication between SSAS and the domain server for user credential verification, and any guideline on how to resolve it. Most of the time, it just works again... like 10 minutes later... it resolves by itself.
    But this time, not!!!
    All I know is that 1. Registering the server as a part of the domain 2. Use a domain user account to set the security.
    My IT department has set up a network monitoring tool and says that they are 100 percent working (no connection loss; it's monitoring Active Directory as well). The application installed is 'ManageEngine Applications Manager'.
    I don't know what to do here.
    P.S. Could it be related to something like 'Error while Add user to SSAS Server - The trust relationship between the primary domain and the trusted domain failed'? But all the domain accounts, including mine, are not working.
    Cheers!!!

    First check your DNS server settings on the server you have SSAS installed on. You should only use the IP addresses of the DNS servers (e.g. Domain Controllers) of your domain. Active Directory relies on proper DNS server settings. Adding public DNS servers, even if they are at the bottom of the list, will mess up resolving Active Directory names. This should have been done when IT provisioned the server. The same goes for your own workstation if you run your development/management software not on the server.
    Second, make sure SSAS is running under a service account that has access to Active Directory. This can be either a domain account, the local system account, or the network service account. Running SSAS under a local account or the local service account will not work because local accounts do not have access to Active Directory. Running SSAS under either a Managed Service Account or a Virtual Account will not work because those features require at least the Windows Server 2008 R2 domain functional level.
    Third, make sure the account you use to log on to SSAS is a domain account and has appropriate permissions in SQL Server and SSAS. Local accounts and SQL Server accounts do not have access to Active Directory.
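An added check for the first two points in the answer above, to run on the SSAS host (this is my example, not something from the thread or from Microsoft). It compares the DNS servers configured on every IP-enabled adapter with the addresses the domain's own A records resolve to (domain controllers register those), reports the account the SSAS service runs under and whether that account has a network identity Active Directory will accept, and ends with a secure-channel query. The service-name pattern (MSSQLServerOLAPService for a default instance, MSOLAP$<instance> otherwise) is the standard SSAS naming; everything else, including the verdict wording, is an assumption of this example.

```powershell
# Added example: SSAS host checks (DNS client, service account, secure channel).
# Assumptions: host is domain-joined; nltest.exe is present; SSAS service names
# follow the default MSSQLServerOLAPService / MSOLAP$<instance> convention.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain

# 1. DNS: the adapters should point only at DCs of our domain. The domain name's
#    A records are registered by the DCs, so they give us the list to compare with.
$configured = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Select-Object -Unique
try {
    $dcIps = [System.Net.Dns]::GetHostAddresses($domain) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
} catch {
    $dcIps = @()
    "WARNING: cannot resolve $domain at all: $($_.Exception.Message)"
}
$notDc = @($configured | Where-Object { $dcIps -notcontains $_ })
"DNS servers configured : $($configured -join ', ')"
"DCs for $domain        : $($dcIps -join ', ')"
if ($notDc.Count) { "WARNING: DNS servers that are not DCs of $domain : $($notDc -join ', ')" }

# 2. Service account: LocalSystem and NetworkService authenticate as the computer
#    account; a domain account is fine; LocalService and local accounts cannot
#    authenticate to AD, which matches the answer's advice.
$services = Get-WmiObject Win32_Service -Filter 'Name = "MSSQLServerOLAPService" OR Name LIKE "MSOLAP$%"'
if (-not $services) { "No SSAS service found under the default names; adjust the filter." }
foreach ($svc in $services) {
    $acct = $svc.StartName
    $verdict = switch -Regex ($acct) {
        '^LocalSystem$'                    { 'OK (computer account)'; break }
        '^NT AUTHORITY\\Network ?Service$' { 'OK (computer account)'; break }
        '^NT AUTHORITY\\Local ?Service$'   { 'CHECK: LocalService has no network identity'; break }
        "^(\.|$env:COMPUTERNAME)\\"        { 'CHECK: local account, unknown to AD'; break }
        '^[^\\]+\\[^\\]+$'                 { 'OK (domain account)'; break }
        default                            { 'CHECK: unrecognised account format' }
    }
    '{0,-28} runs as {1,-32} {2}' -f $svc.Name, $acct, $verdict
}

# 3. Secure channel to a DC of our own domain; if this is broken every credential
#    check SSAS makes through the host will fail until the channel is reset.
nltest /sc_query:$domain
```

A non-DC address in the first section, or a CHECK verdict in the second, is enough to explain intermittent "invalid account" results: the BIDS Helper role report and SSAS role resolution both depend on the host translating domain names to SIDs, and that lookup only works through a DC the host can find and authenticate to.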

  • Domain user network share browsing slow, but domain admin is fast

    I've seen quite a few threads about slow network share browsing in Windows 7, and I've tried every fix to no avail. I did notice something that has not been mentioned in any threads that I've seen though, and that's that the behavior is different when using a user account with administrative privileges.
    Environment: SBS2011, domain, 14 Windows 7 PCs that all exhibit the same behavior
    As an account in the Domain Users group, browse to a network share with approx. 400 items to display, and it takes 4-5 seconds for Explorer to show them. The same delay exists when creating new folders in this folder. Displaying this folder in any way reproduces this delay, whether navigating up or down the file system, or by going straight to the share's UNC path.
    Folders with fewer items have less of a delay; the effect seems proportional.
    As an account in the Domain Admins group, navigation is lickety-split. Tested with two different administrative accounts. Tested on multiple PCs. Also took a user account that exhibited the issue, added them as a member of Domain Admins, and this resolved the issue for that user account.
    Any ideas?

    Did you ever find a solution to this issue?
    We are running into a similar issue. We have a few specific Domain Users who are reporting difficulty navigating or searching network shares. Searching a small folder of files is taking 30+ seconds. All of our Domain Admins can search the same folder instantly. If we add this Domain User into Domain Admins his searching is instant; when we demote him back down to Domain User it's slow again. The Domain User is having the same issue no matter what computer he uses. We Domain Admins can log into the same computer and it comes up with search results instantly; log out and log back in as the Domain User and suddenly it's slow again.
    Any help would be appreciated.

  • "Unable to check revocation" error while checking CDP from non-domain user account

    Hi!
    I use a 3-tier PKI infrastructure:
    Stand-alone offline Root CA: RootCA;
    Stand-alone offline Intermediate subordinate CA: SubCA;
    Enterprise CA: EntSubCA.
    In the certificate we have three CDP points for CRL checking:
    ldap:///, http:// and file://
    I have a Windows 2008 R2 server joined to the domain.
    I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
    When I use a domain user account for revocation checking, all is OK.
    I have access to every CDP and all is fine.
    But when I use a local server user account, I don't have access to ldap:/// and the process fails although all the other links are OK.
    My question is "why does the check fail with a non-domain user account while the other CDP points are successfully verified?"
    Here is the logfile from the local user:
    Issuer:
    CN=EntSubCA
    DC=DED
    DC=ROOT
    Subject:
    CN=servername.domain_name
    Cert Serial Number: 5a896145000300006ee2
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    NotBefore: 05.02.2015 20:03
    NotAfter: 05.02.2016 20:03
    Subject: CN=servername.domain_name
    Serial: 5a896145000300006ee2
    SubjectAltName: DNS Name=servername.domain_name
    Template: Machine
    70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crt
    ---------------- Certificate CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
    Verified "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    Verified "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Base CRL CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    OK "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    OK "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 018d:
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=SubCA
    NotBefore: 13.11.2014 19:12
    NotAfter: 13.11.2017 19:22
    Subject: CN=EntSubCA, DC=DED, DC=ROOT
    Serial: 6109015b000100000008
    Template: SubCA
    9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
    file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\SubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/SubCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (32)" Time: 0
    [0.0] file://\\ca\crl\SubCA.crl
    Verified "Base CRL (32)" Time: 4
    [1.0] http://webserver/crl/SubCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 32:
    Issuer: CN=SubCA
    8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
    CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 28.05.2008 12:09
    NotAfter: 28.05.2058 12:19
    Subject: CN=SubCA
    Serial: 616bd19f000100000004
    Template: SubCA
    06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 4
    [0.0] http://webserver/crl/RootCA.crl
    Verified "Base CRL (1c)" Time: 0
    [1.0] file://\\ca\crl\RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 27.05.2008 16:10
    NotAfter: 27.05.2110 16:20
    Subject: CN=RootCA
    Serial: 258de6fbd3bbab92460530e9e9f10536
    5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crl
    Verified "Base CRL (1c)" Time: 4
    [1.0] http://webserver/crl/RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
    Exclude leaf cert:
    5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
    Full chain:
    ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.

    What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions (you also use FILE URLs for publication, which again is not recommended).
    The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
    For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster - and one for the OCSP service - also an internally and externally accessible, highly available Web cluster.
    The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
    certutil -dspublish -f RootCA.crt
    This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
    Brian
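An added example, not part of the thread, that makes the pattern in the log above checkable before a certificate is deployed: it reads the CDP and AIA extensions of a certificate file and classifies every URL by scheme. In the output above the ldap:/// fetches fail with 0x8007052e (logon failure) because an LDAP fetch from the configuration partition needs a domain identity, and the file://\\sub_ca AIA fetch fails with 0x80070035 because it needs an SMB path the caller can reach, while the http:// URLs succeed anonymously. The script uses only the .NET X509 classes and parses the text rendering of the two extensions; the parameter name, the verdict wording and the <filename.cer> default are my own assumptions.

```powershell
# Added example: list CDP/AIA URLs in a certificate and flag schemes that need an
# authenticated identity. Assumption: $CertPath points at a DER or Base64 .cer file.
param([Parameter(Mandatory = $true)][string]$CertPath)

$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$urlRegex = [regex]'(?i)\b(ldap|https?|file)://\S+'

$findings = foreach ($ext in $cert.Extensions) {
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $kind = switch ($ext.Oid.Value) {
        '2.5.29.31'         { 'CDP' }
        '1.3.6.1.5.5.7.1.1' { 'AIA' }
        default             { $null }
    }
    if (-not $kind) { continue }

    # Format($true) renders the extension as multi-line text; URLs are the only
    # tokens carrying a scheme, so a regex over that text is sufficient here.
    foreach ($m in $urlRegex.Matches($ext.Format($true))) {
        $url    = $m.Value.TrimEnd(',', ')')
        $scheme = $url.Split(':')[0].ToLower()
        $verdict = switch ($scheme) {
            'http'  { 'OK: anonymous HTTP, reachable by any caller' }
            'https' { 'AVOID: checking the HTTPS server cert would itself need a revocation check' }
            'ldap'  { 'FAILS for non-domain callers: LDAP to the DC needs Kerberos/NTLM (0x8007052e above)' }
            'file'  { 'FAILS off-network or without SMB access to the share (0x80070035 above)' }
        }
        [pscustomobject]@{ Extension = $kind; Scheme = $scheme; Url = $url; Verdict = $verdict }
    }
}
if (-not $findings) { "No CDP/AIA extension found in $CertPath" }
$findings | Format-Table -AutoSize -Wrap
```

Point it at the leaf certificate the thread verified and at each CA certificate in the chain. Any ldap:// or file:// entry is one that will fail for callers without a domain identity (local accounts, services running as LocalService, machines outside the forest) even when the CRL itself is perfectly valid, which is the gap the answer's HTTP-only recommendation closes.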

  • Software always installs to Domain Admin account on connected PC-cant install to Domain User account

    I have completed the following steps:
    Set up Windows Server 2012 R2 Essentials successfully
    Successfully connected a Windows 8.1 Pro PC to the network by running the Essentials Connector software
    The PC has the following users: Original local account created when I installed Windows 8, Domain Admin account created when I ran the Essentials Connector, Domain User created after the PC was connected to the network.
    Everything seems to be working fine. I have installed MS Office 365 Pro, Skype, and various other applications while logged in as the Domain User. Every one of these installs triggered a UAC prompt, which was expected, and after entering the Domain Admin credentials the install proceeded successfully. After install, the software was available to the Domain User, shortcuts appeared in the Start Menu or Desktop, and appropriate directories were created in the Documents folder.
    All except for 3 applications - upon being prompted for permission to install, I enter the Domain Admin credentials, installation proceeds, but the software is installed to the Domain Admin account, not the Domain User account. Shortcuts appear on the Domain Admin desktop, not the Domain User account, etc. I've tried:
    Downloading a new copy of the software to the Domain User desktop & running it from there
    Right-click file, Install as Admin
    Click file, Install as a different user
    Right-clicking file, Properties>Compatibility & changing compatibility settings
    Right-clicking file, Properties>Compatibility>Run as Administrator
    None of these options have changed the result; the software is still installed to the Domain Admin account as opposed to the Domain User account. Any idea why these 3 pieces of software won't install correctly but everything else has? Any suggestions as to how to install the software to the profile that don't involve making the Domain User an Administrator? Thanks for any help!

    Hi voltron5,
    Many programs provide the options "install for everyone" or "just for current user" when you install them.
    Please check if there are such options during the installation process.
    If those three programs are all third-party applications, I suggest you contact the corresponding support and confirm this.
    If those three programs are Microsoft applications, would you please let me know specific information about those three applications, such as their names and so on. Meanwhile, when the installation completes, please check whether the software path was added to the administrator's environment variables or the system environment variables.
    Hope this helps.
    Best regards,
    Justin Gu

  • By default, which right has a user on a "external trusted" domain ?

    Hi,
    I would like to know what the rights are for users in DomA when a bidirectional external trust is in place with DomB.
    By default, the user in DomA is a member of "DomB\Domain Users" (otherwise, how could the user in DomA list the users in DomB, for example?)
    Are there any specific things to know if DomB is at the Windows 2000 compatibility domain/forest level?
    I know this resource
    https://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx and this
    https://technet.microsoft.com/en-us/library/cc757352(v=ws.10).aspx but didn't find my answer.
    Thank you! :)

    I've created many trusts in my day and they can get confusing... quickly...
    #1 Who is the "trusting Domain" (who is saying "yeah I, domA, will let DomB in the door")
    #2 Who is the "trusted domain" (who is "walking through the door (DomB)")
    *** I know you said "bidirectional" but it helps you visualize the "security trust" for what is actually required. ***
    #3 Is that "Domain User" part of a Group? Is the Group Domain or Universal? Only certain types of groups can work across a trust.
    #4 Are you doing a domain level trust or a forest level trust? External trusts are "domain to domain". However the domains can exist in separate, non-related forests.
    If you do a two-way domain External trust -- Domain Users from DomA can access all the resources on DomB, if explicitly provided they have access to those resources. What I mean by that is if Domain User doesn't have domain admin privileges in DomA, it won't get domain admin privileges to DomB and vice versa.
    This is where the trick is though. In a two-way domain External Trust -- All domain / enterprise admins in DomA will have domain /enterprise admin access in DomB and vice versa. They can grant themselves privileges to any servers and resources.
    This is why one way trusts are popular...because you only want to let one domain into the other domain. "big brother" type of trust.
    Kind of makes sense?
    Entrepreneur, Strategic Technical Advisor, and Sr. Consulting Engineer - Strategic Services and Solutions Check out my book - Powershell 3.0 - WMI: http://amzn.to/1BnjOmo | Mastering PowerShell Coming in April 2015!

  • Why domain users account allowed to logon to servers directly?

    I'm using Windows Server 2008 R2 with ADDS.
    By default, normal user accounts (Domain Users) should not be allowed to log on to a server directly, I mean at the physical server or via RDP. They should get the message:
    "You cannot log on because the logon method you are using is not allowed on this computer"
    I had checked the GPO, under the Computer Configuration -> Windows Setting -> Local Security Policy -> Local Policy -> User Rights Assignment -> Allow Log on Locally, here only contains:
    Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
    And, nothing set on the Deny Logon Locally.
    But I tested it, and those accounts that are only in the Domain Users group are able to log on to the server!?
    How or where should I check, to not allow normal user accounts to log on to a server directly?
    Thank you.

    Hi,
    >>By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP.
    By default, standard domain user accounts can log onto workstations and member servers, and they can’t log onto domain controllers unless we allow them to do so via group policy.
    By default, standard domain user accounts can’t remote desktop onto other computers unless they have been added to Remote Desktop User groups of the computers.
    Regarding allowing log on locally, the following article can be referred to for more information.
    Allow log on locally
    http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx
    Regarding remote desktop user groups, the following article can be referred to for more information.
    Configure the Remote Desktop Users Group
    http://technet.microsoft.com/en-in/library/cc743161.aspx
    >>How or where should I check, to not allow normal user account to logon to server directly?
    We can utilize group policy setting
    Deny logon locally to prevent users from locally logging onto the targeted computers.
    Regarding this setting, the following article can be referred to for more information.
    Deny logon locally
    http://technet.microsoft.com/en-us/library/cc957048.aspx
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen
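    To check the answer above on a given member server, here is an added example (not from the thread or from Microsoft) that exports the effective user-rights policy with secedit and resolves each SID back to an account name, so you can see exactly who holds "Allow log on locally", "Deny log on locally" and the two Remote Desktop rights. It assumes an elevated PowerShell session on the server being checked; the temp file name is my own choice.

```powershell
# Added example, not part of the original thread.
# Audit who holds the local and RDP logon rights on this member server.
# Assumes an elevated PowerShell session on the server being checked.

$rights = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

# Export only the user-rights area of the effective local policy (.inf format)
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'   # constructed file name
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Unresolvable SID: deleted account, or an account from a trusted
        # domain this server cannot currently reach (compare the thread topic)
        "$Sid (unresolved)"
    }
}

foreach ($line in Get-Content -Path $inf) {
    # Exported lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    if ($line -match '^(?<name>Se\w+)\s*=\s*(?<sids>.+)$' -and $rights.ContainsKey($Matches.name)) {
        $name = $Matches.name
        $sids = $Matches.sids
        $accounts = $sids -split ',' | ForEach-Object {
            $entry = $_.Trim()
            # SIDs are written as *S-1-...; plain account names appear as-is
            if ($entry.StartsWith('*')) { Resolve-Sid $entry.TrimStart('*') } else { $entry }
        }
        "{0} ({1}):" -f $rights[$name], $name
        $accounts | ForEach-Object { "    $_" }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

    A right that does not appear in the output is assigned to nobody, which is what "nothing set on Deny log on locally" looks like. On a domain-joined server, BUILTIN\Users under "Allow log on locally" is the usual explanation for Domain Users being able to log on, because Domain Users is a member of the local Users group.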
