Using LocalGPO, applying SCM Member Server Baseline Policy for 2008R2

Hi,
I am working with LocalGPO and need to apply SCM policies meant for member servers to workgroup machines. I know it is not an ideal situation, but the client wants to create templates for the machines and wants them to be hardened even before they join the domain.
I tried exporting the baseline for 2008R2 and then implemented the same on a workgroup 2008R2 machine. But the changes do not seem to be applying.
Any suggestions on how to do it in a better way?

Hi,
>>I tried exporting the baseline for 2008R2 and then implemented the same on a workgroup 2008R2 machine. But the changes do not seem to be applying.
How did we specifically use the LocalGPO command line to do this? Did we run the LocalGPO command line as an administrator?
Regarding how to use the LocalGPO tool to import security baseline settings, the following articles can be referred to for more information.
Microsoft Security Compliance Manager: Security Settings Simplified
http://technet.microsoft.com/en-us/magazine/hh489604.aspx
Q: How can I apply a security baseline that I defined through Microsoft Security Compliance Manager to a non-domain-joined Windows machine?
http://windowsitpro.com/security/q-how-can-i-apply-security-baseline-i-defined-through-microsoft-security-compliance-manager
Please Note: Since the above website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best regards
Frank Shen

Similar Messages

  • Memory used to host Oracle VM server, what's left for the guests?

    I've built my first test Oracle VM server on a small celeron powered machine with 1.5GB RAM. I created a PV OEL5 guest and initially gave it 512MB RAM. Now if I increase this to 1024MB and try to start the system I get the error...
    failed:<OVSException: no server selected to run vm('/OVS/running_pool/50_OELr5r3') memory=1024> StackTrace: File "/opt/ovs-agent-2.2/OVSSiteVM.py", line 77, in start_vm raise e
    A little research implies this error is because not enough memory is available to run the OS. So how much of the 1.5GB of RAM is actually available for guests? I would be surprised to learn that 512MB is used JUST for the host environment. Doing a cat /proc/meminfo gives me the following:
    [root@ovm ~]# cat /proc/meminfo
    MemTotal:       545968 kB
    MemFree:        335464 kB
    Buffers:         75120 kB
    Cached:          58392 kB
    SwapCached:          0 kB
    Active:         143920 kB
    Inactive:        22356 kB
    So 533MB available to the host OS... This leaves just under a gig for the guests, but I can't find where the max is detailed. I can't find anything in the docs which details how much resources the base Oracle VM server uses and if it's possible to tune this.

    Simon Thorpe wrote:
    So 533MB available to the host OS... This leaves just under a gig for the guests, but I can't find where the max is detailed. I can't find anything in the docs which details how much resources the base Oracle VM server uses and if it's possible to tune this.
    Check /boot/grub/menu.lst -- the memory for Dom0 is set on the kernel boot line. You can lower this, but don't go too low. I usually recommend about 10% of total memory be dedicated to Dom0 up to a max of 3.5GB, so on a 1.5GB box, you could probably drop to 150MB or so. Keep in mind that Dom0 is a 32-bit kernel, so you don't want to go over 3.5GB without good reason.

  • Using iws4.1 and Directory Server 5.0 for authentication, is there a way to force a log off?

    Hi,
    You can set this in "iPlanet Directory Server", to force the user to log off after a particular time. For more info, check the iPlanet Directory Server guide.
    Regards,
    Dakshin.

  • Need help Using Time Capsule As Media Server

    New Time Capsule owner here, wondering if someone could help me set it up so I can put all my digital media (iTunes, DVD rips) onto the TC and use it as a media server.
    Thanks for your help fellas

    You will need to run a media server on a PC/Mac and use the TC as a NAS that stores your media files.

  • URGENT! Using Sun's J2EE RI Server with MS SQL Server 2000

    I'm using the J2EE Server that comes with the J2EE 1.3.1 package from Sun. I'm trying to load a datasource using the free MS SQL Server 2000 Driver for JDBC, but I'm always getting this error (I've run out of ideas so maybe someone in this forum can help):
    java.rmi.ServerException: RemoteException occurred in server thread; nested exception is: java.rmi.RemoteException: nested exception is: javax.ejb.EJBException: Unable to connect to database. No suitable driver; nested exception is: javax.ejb.EJBException: Unable to connect to database. No suitable driver ...
    I'm using MS SQL Server 2000 Driver for JDBC, my classpath setting is:
    CLASSPATH=D:\j2sdk1.4.0_01\jre\lib\ext\mysql-connector-j-2.0.14;D:\MS-JDBC-Driver\lib\msbase.jar;D:\MS-JDBC-Driver\lib\mssqlserver.jar;D:\MS-JDBC-Driver\lib\msutil.jar;E:\Installers\Java Related\jdbc dirvers\JSQLConnect3_27\JSQLConnect.jar
    I have the same J2EE_CLASSPATH setting in my userconfig.bat file.
    I've loaded this driver class in deploytool:
    com.microsoft.jdbc.sqlserver.SQLServerDriver
    and my connection url is:
    jdbc:microsoft:sqlserver://localhost:1433;databasename=test
    What's weird is that I've also tested these settings with a simple Java Application and they worked fine, but when I try to use the same for the j2ee server from sun, I always get the annoying "no suitable driver" error.
    If anyone has ever come up with a solution that works, please help. You may post your reply here or better yet, email me at [email protected]
    Thanks a lot in advance!

    Hi,
    The error "no suitable driver" occurs when something goes wrong with the connection URL, so make sure that you are using the correct URL format (check if any of the info is case sensitive etc.) or at least try other URL alternatives (for the MS JDBC driver).
    Try these changes only through Deployment Tool -> Tools -> Server Configuration -> Datasources -> Standard (instead of editing resource.properties directly).
    Last but not least, make sure that there is NO "rem" keyword before "set J2EE_CLASSPATH" in the userconfig.bat file :)
    HTH,
    - asharafkk

  • Not Understanding Audit Policy with SCM 8.1 Baseline

    We want to configure Audit Policy on all standalone Windows 8.1 computers to log Success and Failure for Logon attempts.
    The Beta Baseline for Windows 8.1 contains a setting for this, but it is read only and you cannot change it. Why?
    When that baseline is put into effect on the computer with the LocalGPO tool from the command line, logon attempts are logged. However, what is bizarre is that both SecPol.msc and GPEdit.msc fail to see this setting for Audit Policy. Why?
    Equally bizarre, if you modify the settings for Audit Policy in SecPol.msc and GPEdit.msc, they show as modified, but as soon as you quit and restart those tools, the settings are lost and the items show up as not configured again.
    So, I'm not understanding the behavior at any level here, which looks quite different than other settings in the Baseline. For other settings, we are able to edit them in the Baseline, and further the local SecPol and GPEdit tools are able to change them.
    Will

    Turns out this question is actually fairly complicated to answer. The historical "audit policy" contains fewer options than what Windows Vista or later can express. So, for example, instead of just auditing Logon and Logoff with a single setting, later versions of Windows are able to audit Logon and Logoff through separate settings.
    The SCM baseline for 8.1 and GPEdit both have access to a setting that affects whether Windows uses the historical audit behavior or the newer finer-category "subcategory" settings. Under Local Policies | Security Options there is a setting "Audit: Force audit policy subcategory settings". When this is enabled, your attempts to use the historical audit settings will not change behavior on the computer, and when you quit GPEdit and restart, your changes to the historical settings will simply have disappeared.
    Will
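An added check that is not from either thread and not part of LocalGPO or SCM: after importing a baseline on a workgroup machine, as in the LocalGPO question at the top of the page, compare the baseline's security template with what secedit reports as the effective local policy. The sample also carries SCENoApplyLegacyAuditPolicy, the registry value behind the "Audit: Force audit policy subcategory settings" setting explained just above. It assumes the SCM export is a standard GPO backup (the template is the GptTmpl.inf under Machine\microsoft\windows nt\SecEdit) and that the live policy was exported with secedit /export /cfg; all sample values are constructed.

```python
"""Verify that an SCM baseline imported with LocalGPO is really in effect.
Added example, not from the thread, LocalGPO or SCM. Baseline side: GptTmpl.inf
from the GPO backup; live side: output of  secedit /export /cfg local.inf
Both are SecEdit INF files, so one parser serves both."""

SKIP_SECTIONS = {"Unicode", "Version"}  # file metadata, not settings


def parse_inf(text):
    """Map (section, lowercased key) -> (key, raw value) for a SecEdit INF."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and "=" in line:
            key, _, value = line.partition("=")
            settings[(section, key.strip().lower())] = (key.strip(), value.strip())
    return settings


def normalise(section, value):
    """SID lists compare order-free; registry values as (type, data)."""
    if section == "Privilege Rights":
        return frozenset(s.strip() for s in value.split(",") if s.strip())
    if section == "Registry Values":
        reg_type, _, data = value.partition(",")
        return reg_type.strip(), data.strip().strip('"')
    return value.strip('"')


def verify_baseline(baseline_text, local_text):
    """Return {'ok': n, 'missing': [name], 'different': [(name, want, got)]}."""
    baseline, local = parse_inf(baseline_text), parse_inf(local_text)
    report = {"ok": 0, "missing": [], "different": []}
    for (section, lkey), (key, expected) in baseline.items():
        if section in SKIP_SECTIONS:
            continue
        name, want = f"[{section}] {key}", normalise(section, expected)
        if (section, lkey) not in local:
            # secedit omits rights held by nobody, so an empty baseline right
            # that is absent locally is in effect, not missing.
            if section == "Privilege Rights" and not want:
                report["ok"] += 1
            else:
                report["missing"].append(name)
        elif want == normalise(section, local[(section, lkey)][1]):
            report["ok"] += 1
        else:
            report["different"].append((name, expected, local[(section, lkey)][1]))
    return report


# Constructed samples. SCENoApplyLegacyAuditPolicy=1 is the registry side of
# "Audit: Force audit policy subcategory settings"; with it on, [Event Audit]
# entries such as AuditLogonEvents are ignored by the OS even when they match.
BASELINE_INF = r"""
[System Access]
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeTcbPrivilege =
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""
LOCAL_INF = r"""
[System Access]
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\scenoapplylegacyauditpolicy=4,1
"""

if __name__ == "__main__":
    print(verify_baseline(BASELINE_INF, LOCAL_INF))
```

On real files, read both GptTmpl.inf and the secedit export with encoding="utf-16" (both are normally written that way) and pass the text to verify_baseline.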

  • BitLocker implementation on Windows 8.1 machines using Windows Server 2008 R2 group policy.

    Is it possible to enable BitLocker only for Windows 8.1 machines through Windows 2008 R2 server group policy?
    Thanx and Regards,
    Shanif

    Hi Shanif,
    Yes, we can do this.
    Regarding how to enable Bitlocker via group policy, the following article can be referred to as reference.
    Cannot Save Recovery Information for Bitlocker in Windows 7
    http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx
    After configuring the settings, we can use security filtering or WMI filtering to apply the policy to specific computers.
    Regarding this point, the following blog can be referred to for more information.
    Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences
    http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx
    Best regards,
    Frank Shen

  • How to apply a special right to a PDF file using the LiveCycle Rights Management Server?

    How to apply a special right to a PDF file using the LiveCycle Rights Management Server?
    I want to edit bar code field data using Adobe Reader. The bar code field was designed and the data was changed using Acrobat XI Professional (trial version). But I can't do so in Adobe Reader.

    I think that product has nothing to do with it. You would use LiveCycle Reader Extensions.

  • Workgroup users policy applying through AD server

    Hi All.
    Can anyone guide me on how to create a policy for workgroup users from the AD server?
    Thanks in advance

    Hi,
    Based on my knowledge, your goal may not be achieved.
    In a workgroup:
    a. All computers are peers; no computer has control over another computer.
    b. Each computer has a set of user accounts
    As a workaround, you may add the PCs in the workgroup to the domain. Please also add the users to the domain.
    In this way, you can use the server to manage these PCs.
    Hope it helps.
    Regards,
    Blair Deng
    TechNet Community Support

  • Setting up ACS 3.3 on a member server / use external windows user db

    Hi,
    I've a question referring to setting up an ACS (version 3.3(1) build 17) on a member server to use the Windows external user DB.
    In step 2 of the installation guide you have to create a computer account named CISCO.
    Is it possible to use another name instead? If yes, how can I manage this?
    Does ACS support a more detailed logfile than the "Failed Attempts" report?
    Any replies appreciated.
    Thanks in advance.
    Regards.

    Dr. Livingstone wrote:
    For Address, I enter 192.168.1.102/ipp/2 and I get 'invalid or incomplete address' for any text entered after 102.
    Like I said, it's been a while...but have you tried 192.168.1.102/ipp/port2 (not just /2) ?

  • Installing Ciscoworks LMS 4.0 on Windows domain member server.

    Hello.
    I'm looking for some suggestions about installing CiscoWorks LMS 4.0, and upgrade, on a domain member server running Windows 2008 R2 SE 64 bit.
    Thanks.
    Andrea

    Here are the basic install best practices:
    1) Install as a local administrator (this means create a local account and add it
    the "Administrators" group).
    2) My Computer -> Properties -> Advanced -> Environment Variables
    Set the USER TMP and TEMP to a shorter path like
    C:\Windows\temp
    3) Make sure you have FIXED pagefile size like 8182
    My Computer -> Properties -> Advanced -> Performance Options -> Advanced
    4) May need to reboot, certainly log out and back in to make sure step 2 applies.
    5) Stop all anti-virus and firewall during the installation. Disable them in services and reboot if necessary.
    * NOTES: Anti-virus can be re-enabled after installation, but you should EXCLUDE the NMSROOT directory as long as LMS is installed on the server. DEP should remain off (that is, set to only protect critical Windows system files) as long as LMS is installed on the server.
    * If Internet Information Services (IIS) is detected on your system and if you have continued the installation with IIS services, you cannot use the port number 443 for HTTPS. Instead, you must use the port numbers ranging from 1026 to 65535 for HTTPS to avoid this conflict.
    When performing the installation, make sure these two steps are followed:
    * Install from original, locally attached media
    * NEVER abort the installation after the installer says not to
    It may not always be possible to install from original, locally attached media (especially on VMs). But you should avoid installing over the network, as hiccups can cause bad installations. If you are installing on a virtual machine, convert the DVD to an ISO image, then mount that within the VM.
    Here is the document detailing all ports needed to be allowed (excluded from policy) for LMS 4.0
    LMS 4.0 Port Usage
    General Notes:
    If you want to upgrade the operating system from Windows 2003 or Windows 2008 to Windows 2008 R2, you must first complete upgrading the operating system, and then install the LMS 4.0.x Windows 2008 R2 patch.
    * You can install the LMS 4.0.x Windows 2008 R2 patch only on LMS 4.0.x and not on a lower version of LMS.
    * You cannot install Integration Utility and HP OpenView 7.x or 8.x on Windows 2008 or Windows 2008 R2 servers.
    Check out:
    System and Browser Requirements for Server and Client
    LMS Patches-Windows

  • Auto reboot / Manual reboot : easy way to apply group policy for each group without multiple AD links? Help appreciated

    Good morning,
    I have two policies for WSUS, one that auto-reboots the client and one that allows for manual reboots. I'm sure this is very obvious, but I'm wanting to make sure I do this correctly.
    What's the easiest way to apply the policy for manual/auto reboots without having to go through my entire Active Directory tree and link it to each OU containing mixed computers?
    I hope this makes sense, but I know I can set security groups and then set it for the scope, but if I go that route is there a way to apply it to all Domain Computers, EXCEPT those who are a member of security group "MPS - WSUS Manual" for example?
    Any input here is greatly appreciated
    Thank you

    If all the machines that you want to have the manual option are in a few select OUs then you could apply the auto reboot GPO to the root of the domain, and then link the manual GPO just to those GPOs containing the relevant machines. As explained here
    http://technet.microsoft.com/en-gb/library/cc785665(v=ws.10).aspx
    a policy applied to an OU overrides a policy applied to the domain as a whole.
    While I'm not sure, from your description I'm guessing that's not the case, and they're actually mixed in throughout the domain? In which case, the other option might be to make use of group policy order of precedence. As described here
    http://blogs.msdn.com/b/muaddib/archive/2012/08/22/determine-gpo-precedence-with-gpmc-gpresult.aspx
    you'll see that the order that the GPOs are listed makes a difference to the order that they are applied, and the last to be applied takes precedence over those that come before. Therefore, using that, if you applied the reboot policy to everyone, and then applied the manual one with a security filter so it only applied to your "MPS - WSUS Manual" group such that it had a higher precedence, all machines would receive the first GPO, but those machines in that group would have that overridden by the second policy.

  • Hi, I am using HP11 and iPlanet web server. When trying to upload files over HTTP using FORM ENCTYPE="multipart/form-data" that are bigger than a few kilobytes I get a 408 error (client timeout).

    Hi, I am using HP11 and iPlanet web server. When trying to upload files over HTTP using FORM ENCTYPE="multipart/form-data" that are bigger than a few kilobytes I get a 408 error (client timeout). It is as if the server has decided that the client has timed out during the file upload. The default setting is 30 seconds for AcceptTimeout in the magnus.conf file. This should be ample to get the file across; even increasing this to 2 minutes just produces the same error after 2 minutes. Any help appreciated. Apologies if this is not the correct forum for this, I couldn't see one for iPlanet and Web. Many thanks, Kieran.

    Hi,
    You didn't mention which version of iWS. Follow these steps.
    (1) Go to Web Server Administration Server, select the server you want to manage.
    (2) Select Preferences >> Performance Tuning.
    (3) Set HTTP Persistent Connection Timeout to your choice (e.g. 180 sec for three minutes).
    (4) Apply changes and restart the server.
    *Setting the timeout to a lower value, however, may prevent the transfer of large files as timeout does not refer to the time that the connection has been idle. For example, if you are using a 2400 baud modem, and the request timeout is set to 180 seconds, then the maximum file size that can be transferred before the connection is closed is 432000 bits (2400 multiplied by 180).
    Regards
    T.Raghulan
    [email protected]

  • Windows 2008 member server, repeating event 4625 in the security log

    Hello,
    I'm having an issue with a member server on our 2008 domain; the security log is filling up with event 4625. Here are the details:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/23/2014 2:04:42 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      my.member.server
    Description:
    An account failed to log on.
    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0
    Logon Type:   3
    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  
     Account Domain:  
    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xc000006d
     Sub Status:  0xc000006a
    Process Information:
     Caller Process ID: 0x0
     Caller Process Name: -
    Network Information:
     Workstation Name: -
     Source Network Address: 10.0.0.115
     Source Port:  51366
    Detailed Authentication Information:
     Logon Process:  Kerberos
     Authentication Package: Kerberos
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-04-23T18:04:42.197Z" />
        <EventRecordID>99893119</EventRecordID>
        <Correlation />
        <Execution ProcessID="744" ThreadID="844" />
        <Channel>Security</Channel>
        <Computer>KLINEWEB.kline.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">
        </Data>
        <Data Name="TargetDomainName">
        </Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">Kerberos</Data>
        <Data Name="AuthenticationPackageName">Kerberos</Data>
        <Data Name="WorkstationName">-</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">10.0.0.115</Data>
        <Data Name="IpPort">51366</Data>
      </EventData>
    </Event>
    The IP addresses that appear in Source Network Address all belong to VPN clients. And it looks like it's only happening with 4-5 IPs, all of which are VPN clients. These clients shouldn't be connecting to anything on this server, which is why it's puzzling.
    Our DC is Windows 2008 and the VPN server is another member server on the domain. I suspect the issue is at the client PCs, since there are many other VPN clients connected that don't generate the event ID.
    Can anyone tell what the issue might be?
    Thanks.

    Hi Rayminette,
    There are multiple login sources that could possibly be generating the errors:
    FTP logins - check your FTP log to see if login failures are showing up at the same time.
    Logins via Basic Authentication over http or https (a simple, but possibly dangerous, way to password-protect a web site).
    ASP scripts.
    This logon type 8 indicates a network logon like logon type 3 but where the password was sent over the network in clear text. Windows Server doesn't allow connection to shared files or printers with clear text authentication. The only situations I'm aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS's basic authentication mode. In both cases the logon process in the event's description will list advapi. Basic authentication is only dangerous if it isn't wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.
    Reference from:
    What is the source of thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext)?
    I hope this helps.
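An added triage script, not from the thread: it keys on what the posted event actually shows (logon type 3, Kerberos, blank target account, status 0xc000006d with sub-status 0xc000006a) and groups matching 4625 events by source address, so the handful of VPN clients responsible can be singled out for investigation. The XML layout is the one in the post; the sample events, the hostname and the addresses other than 10.0.0.115 are constructed, and obtaining the XML via wevtutil is an assumption about the reader's setup.

```python
"""Triage repeating 4625 events like the one posted above.
Added example, not from the thread. Input: one <Event> or several wrapped in
any root element, in the schema shown in the post (for instance the output of
  wevtutil qe Security /q:"*[System[(EventID=4625)]]" /f:xml
wrapped in <Events>...</Events>)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_fields(event):
    """Flatten one <Event> element into a dict of the fields we need."""
    system = event.find("e:System", NS)
    fields = {
        "EventID": system.findtext("e:EventID", default="", namespaces=NS),
        "Time": system.find("e:TimeCreated", NS).get("SystemTime", ""),
    }
    for data in event.findall("e:EventData/e:Data", NS):
        # TargetUserName is exported as whitespace when blank, hence strip()
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def is_blank_kerberos_failure(f):
    """The posted pattern: network logon (type 3) via Kerberos, no account name,
    STATUS_LOGON_FAILURE (0xc000006d) with sub-status 0xc000006a."""
    return (f.get("EventID") == "4625"
            and f.get("LogonType") == "3"
            and f.get("AuthenticationPackageName") == "Kerberos"
            and f.get("TargetUserName", "") == ""
            and f.get("Status", "").lower() == "0xc000006d"
            and f.get("SubStatus", "").lower() == "0xc000006a")


def summarise(xml_text, threshold=3):
    """Group matching failures by source address; return sources with at least
    `threshold` hits as {ip: {"count", "ports", "first", "last"}}."""
    root = ET.fromstring(xml_text)
    events = [root] if root.tag.endswith("}Event") else root.findall("e:Event", NS)
    by_ip = defaultdict(lambda: {"count": 0, "ports": [], "first": "", "last": ""})
    for ev in events:
        f = event_fields(ev)
        if not is_blank_kerberos_failure(f):
            continue
        rec = by_ip[f.get("IpAddress", "-")]
        rec["count"] += 1
        rec["ports"].append(f.get("IpPort", "-"))
        rec["first"] = min(rec["first"] or f["Time"], f["Time"])  # ISO-8601 Z sorts as text
        rec["last"] = max(rec["last"], f["Time"])
    return {ip: rec for ip, rec in by_ip.items() if rec["count"] >= threshold}


def make_event(time, ip, port, user="", logon_type="3", package="Kerberos",
               status="0xc000006d", substatus="0xc000006a"):
    """Constructed 4625 <Event> in the posted layout (hostname is made up)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>member.example.local</Computer>'
            f'</System><EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="Status">{status}</Data><Data Name="SubStatus">{substatus}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="AuthenticationPackageName">{package}</Data>'
            f'<Data Name="IpAddress">{ip}</Data><Data Name="IpPort">{port}</Data>'
            f'</EventData></Event>')


# Constructed sample: three hits from the posted address, one from another
# client, plus two failures that do NOT match the pattern and must be ignored.
SAMPLE_XML = "<Events>" + "".join([
    make_event("2014-04-23T18:04:42.197Z", "10.0.0.115", "51366"),
    make_event("2014-04-23T18:04:52.001Z", "10.0.0.115", "51370"),
    make_event("2014-04-23T18:05:02.310Z", "10.0.0.115", "51381"),
    make_event("2014-04-23T18:05:10.000Z", "10.0.0.120", "50011"),
    make_event("2014-04-23T18:05:11.000Z", "10.0.0.130", "50020", user="jdoe"),
    make_event("2014-04-23T18:05:12.000Z", "10.0.0.115", "51390", package="NTLM"),
]) + "</Events>"

if __name__ == "__main__":
    for ip, rec in summarise(SAMPLE_XML).items():
        print(f"{ip}: {rec['count']} blank Kerberos failures, {rec['first']} .. {rec['last']}")
```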

  • SQL 2008 R2 small business server OS edition check fails on SBS 2011 premium install on SBS member server.

    I am having trouble installing SQL 2008 Small Business Edition on top of MS 2008 Std from the SBS Premium suite. I receive the SQL Server 2008 R2 setup log error stating "Operating system supported for edition" Failed. The specific error is "EditionRequirementCheck Failed": This SQL Server edition is not supported on this operating system.
    The SQL 2008 server is a valid SBS domain member server and sees the SBS domain just fine. I have tried re-installing the OS, not selecting any options except the SQL engine, verbose logging as per "How to diagnose 'Operating system supported for edition' pre-requisite errors while installing SQL 2008 Standard Edition for Small Business" with no success (no log.txt generated), enabled browsing, and other items with no luck.
    I got the software from MVLS under the specific SBS 2011 Premium section. It doesn't seem right, or it sees something to keep it from installing. The SBS AD box is clean with all FSMO and root functions assigned to it. There are no trust relationships or child domains. I have licenses for 75 users. Of course there is no tool, log or utility to find what the actual issue is that the SQL installation is seeing. SOS! Help!!!

    I meet all prerequisites that can be verified.
    I am installing it on the SBS Premium Server 2008 R2 OS from MVLS with the ISO file ending in 29732.
    I am on a valid SBS 2011 domain.
    The new SQL box is joined to the domain as a member server.
    The SBS server contains all FSMO roles and is the root of the AD.
    There are no trust relationships or child domains.
    There is NO way that I can find to determine the number of user and device licenses that it "senses" on the domain. I don't know which ones to count. I am licensed for 75 users and have fewer than that using the network. There is no licensing monitor or method I can find to actually verify what the SQL install sees.
    I am doing all this logged in as the domain admin.
    The troubleshooting steps at the bottom of the post referenced do not work or I am doing them wrong. I cannot find an output file when I enable verbose logging for the SQL install. I believe if I figure out how, it may point the way to the block. Thanks
