Why are domain user accounts allowed to log on to servers directly?

I'm using Windows Server 2008 R2 with ADDS.
By default, normal user accounts (Domain Users) should not be allowed to log on to a server directly, I mean at the physical server or via RDP. They should get the message:
"You cannot log on because the logon method you are using is not allowed on this computer"
I had checked the GPO, under Computer Configuration -> Windows Settings -> Local Security Policy -> Local Policies -> User Rights Assignment -> Allow log on locally; it only contains:
Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
And nothing is set on Deny log on locally.
But when I tested it, accounts that are only in the Domain Users group are able to log on to the server!?
How or where should I check to not allow normal user accounts to log on to the server directly?
Thank you.

Hi,
>>By default, normal user accounts (Domain Users) should not be allowed to log on to a server directly, I mean at the physical server or via RDP.
By default, standard domain user accounts can log on to workstations and member servers, and they can't log on to domain controllers unless we allow them to do so via group policy.
By default, standard domain user accounts can't remote desktop to other computers unless they have been added to the Remote Desktop Users group of those computers.
Regarding allowing log on locally, the following article can be referred to for more information.
Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx
Regarding remote desktop user groups, the following article can be referred to for more information.
Configure the Remote Desktop Users Group
http://technet.microsoft.com/en-in/library/cc743161.aspx
>>How or where should I check, to not allow normal user account to logon to server directly?
We can utilize the group policy setting Deny log on locally to prevent users from locally logging on to the targeted computers.
Regarding this setting, the following article can be referred to for more information.
Deny logon locally
http://technet.microsoft.com/en-us/library/cc957048.aspx
Best regards,
Frank Shen
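The list the question quotes (Administrators, Account Operators, Backup Operators, Server Operators, Print Operators) is the default Allow log on locally assignment in the Default Domain Controllers Policy, so it describes domain controllers only. A member server's own default local policy grants Allow log on locally to Administrators, Backup Operators and Users, and every domain-joined machine places Domain Users in its local Users group, which is why plain domain users can log on at the console. The check a practitioner wants is therefore the effective policy on the server itself, not the GPO as written in GPMC. The script below is an added example, not from the thread or from the linked articles; it exports the effective user rights with secedit and lists the local Remote Desktop Users group, and assumes it is run elevated on the server being checked.

```powershell
# Added example, not from the thread. Reports the EFFECTIVE logon rights on the
# server you run it on (local policy merged with every applied GPO, which is what
# the logon screen enforces) and the members of the local Remote Desktop Users group.
# Written for Windows Server 2008 R2 (PowerShell 2.0); no extra modules needed.

$logonRights = @(
    @{ Name = 'SeInteractiveLogonRight';           Label = 'Allow log on locally' },
    @{ Name = 'SeDenyInteractiveLogonRight';       Label = 'Deny log on locally' },
    @{ Name = 'SeRemoteInteractiveLogonRight';     Label = 'Allow log on through Remote Desktop Services' },
    @{ Name = 'SeDenyRemoteInteractiveLogonRight'; Label = 'Deny log on through Remote Desktop Services' }
)

function Resolve-SeceditPrincipal {
    # secedit writes principals as SIDs with a leading asterisk, e.g. *S-1-5-32-545
    param([string]$Entry)
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    $sidText = $matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sidText }   # unresolvable SID (deleted account, untrusted domain)
}

function Get-EffectiveLogonRights {
    $inf = Join-Path $env:TEMP 'logon-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $assigned = @{}
    foreach ($line in Get-Content $inf) {
        # lines in the [Privilege Rights] section look like  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        if ($line -cmatch '^(Se\w+)\s*=\s*(.*)$') {
            $name = $matches[1]; $list = $matches[2]
            $assigned[$name] = @($list -split ',' | ForEach-Object { Resolve-SeceditPrincipal $_.Trim() })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    foreach ($r in $logonRights) {
        $who = if ($assigned.ContainsKey($r.Name)) { $assigned[$r.Name] -join '; ' } else { '(nobody)' }
        New-Object PSObject -Property @{ Right = $r.Label; Principals = $who }
    }
}

function Get-RemoteDesktopUsers {
    # ADSI WinNT provider; Get-LocalGroupMember only exists on Server 2016 and later
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null) -replace '^WinNT://', ''
    }
}

Get-EffectiveLogonRights | Select-Object Right, Principals | Format-Table -AutoSize
'Remote Desktop Users: ' + ((Get-RemoteDesktopUsers) -join '; ')
```

Deny entries win over Allow, so a Deny log on locally that names Domain Users (or a purpose-built group) blocks console logon even where Allow still lists Users. The RDP path is governed separately by Allow log on through Remote Desktop Services (Administrators and Remote Desktop Users by default) and its Deny counterpart, so both pairs need checking, together with the group membership the last line prints.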

Similar Messages

  • Does my Domain user account get cached so I can Logon of the network?

    Does my Domain user account get cached so I can Logon of the network?
    Thanks your help.
    Lou

In Windows or in OS X? In Windows, if it's a Windows network, the domain profile is usually auto-cached. In OS X this has to be enabled in Directory Utility as part of your Active Directory settings; otherwise it won't allow logon off the network.

  • "Unable to check revocation" error while checking CDP from non-domain user account

    Hi!
I use a 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In the certificate we have three CDP points for the CRL check:
ldap:///, http:// and file://
I have a Windows 2008 R2 server joined to the domain.
I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
When I use a domain user account for revocation checking, all is OK.
I have access to every CDP and all is fine.
But when I use a local server user account, I don't have access to ldap:/// and the process fails although all the other links are OK.
My question is: "why does the check fail with a non-domain user account while the other CDP points are successfully verified?"
    Here is the logfile from local user:
    Issuer:
    CN=EntSubCA
    DC=DED
    DC=ROOT
    Subject:
    CN=servername.domain_name
    Cert Serial Number: 5a896145000300006ee2
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    NotBefore: 05.02.2015 20:03
    NotAfter: 05.02.2016 20:03
    Subject: CN=servername.domain_name
    Serial: 5a896145000300006ee2
    SubjectAltName: DNS Name=servername.domain_name
    Template: Machine
    70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crt
    ---------------- Certificate CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
    Verified "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    Verified "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Base CRL CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    OK "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    OK "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 018d:
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=SubCA
    NotBefore: 13.11.2014 19:12
    NotAfter: 13.11.2017 19:22
    Subject: CN=EntSubCA, DC=DED, DC=ROOT
    Serial: 6109015b000100000008
    Template: SubCA
    9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
    file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\SubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/SubCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (32)" Time: 0
    [0.0] file://\\ca\crl\SubCA.crl
    Verified "Base CRL (32)" Time: 4
    [1.0] http://webserver/crl/SubCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 32:
    Issuer: CN=SubCA
    8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
    CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 28.05.2008 12:09
    NotAfter: 28.05.2058 12:19
    Subject: CN=SubCA
    Serial: 616bd19f000100000004
    Template: SubCA
    06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 4
    [0.0] http://webserver/crl/RootCA.crl
    Verified "Base CRL (1c)" Time: 0
    [1.0] file://\\ca\crl\RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 27.05.2008 16:10
    NotAfter: 27.05.2110 16:20
    Subject: CN=RootCA
    Serial: 258de6fbd3bbab92460530e9e9f10536
    5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crl
    Verified "Base CRL (1c)" Time: 4
    [1.0] http://webserver/crl/RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
    Exclude leaf cert:
    5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
    Full chain:
    ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.

What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions (you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate - again on an internally and externally accessible, highly available Web cluster - and one for the OCSP service - also on an internally and externally accessible, highly available Web cluster.
The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
certutil -dspublish -f RootCA.crt
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
    Brian
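To see at a glance which fetches fail and why, the script below (an added example, not from the thread) parses the trace that certutil -verify -urlfetch prints and groups each AIA/CDP URL by scheme and outcome. The regular expressions follow the line shapes visible in the log above and may need adjusting for other certutil builds; the sample lines are a constructed subset of that log so the script runs offline, and the function name is mine.

```powershell
# Added example, not from the thread. Summarises the output of
#     certutil -verify -urlfetch <file.cer>
# per URL scheme and outcome, so a failure confined to ldap:/// (or file://)
# is obvious without reading the whole trace.
function Get-CertUtilFetchSummary {
    param([string[]]$Lines)
    $status = $null; $detail = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # outcome line, e.g.   Failed "CDP" Time: 0   or   Verified "Base CRL (018d)" Time: 4
        if ($line -match '^(Failed|Verified|OK|Old Base CRL|Expired)\s+"([^"]*)"') {
            $status = $matches[1]; $detail = $matches[2]; continue
        }
        # certutil prints the Win32 error between a Failed line and its URL
        if ($line -match '^Error retrieving URL:\s*(.*)$') { $detail = $matches[1]; continue }
        # the URL itself, optionally prefixed with an index such as [1.0.2]
        if ($status -and $line -match '^(?:\[[\d.]+\]\s+)?((ldap|https?|file):.+)$') {
            New-Object PSObject -Property @{
                Status = $status; Scheme = $matches[2]; Url = $matches[1]; Detail = $detail
            }
            $status = $null; $detail = $null
        }
    }
}

# Constructed sample: a few lines lifted from the trace posted above.
$sample = @'
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
'@ -split "`r?`n"

$results = Get-CertUtilFetchSummary -Lines $sample
$results | Group-Object Scheme, Status | Select-Object Name, Count | Format-Table -AutoSize
$results | Where-Object { $_.Status -eq 'Failed' } | Select-Object Scheme, Detail | Format-List

# Live use on the server, as the account being investigated:
#   Get-CertUtilFetchSummary -Lines (certutil -verify -urlfetch .\server.cer)
```

A Failed ldap entry carrying WIN32 error 1326 next to Verified http entries for the same CRL is the pattern Brian describes: the CRL itself is reachable, but the LDAP fetch needs domain credentials that a local account cannot present.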

  • How do I configure a user account to have 'logon as a service' permissions?

How do I configure a user account to have 'log on as a service' permissions?
This is for a CRM application and I need to enable the permission via GPO.
    Microsoft TechNet Forum Bandara

    Hi,
It seems that you know that the group policy "Log on as a service" can achieve your goal, so I would like to confirm what you want to ask.
If you do not know the path of the group policy "Log on as a service" in the domain, you may expand Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service in GPMC.
    Regards,

  • Software always installs to Domain Admin account on connected PC-cant install to Domain User account

    I have completed the following steps:
    Set up Windows Server 2012 R2 Essentials successfully
    Successfully connected a Windows 8.1 Pro PC to the network by running the Essentials Connector software
    The PC has the following users: Original local account created when I installed Windows 8, Domain Admin account created when I ran the Essentials Connector account, Domain User created after PC was connected to the network.
Everything seems to be working fine. I have installed MS Office 365 Pro, Skype, and various other applications while logged in as the Domain User. Every one of these installs triggered a UAC prompt, which was expected, and after entering the Domain Admin credentials the install proceeded successfully. After install, the software was available to the Domain User, shortcuts appeared in the Start Menu or on the Desktop, and appropriate directories were created in the Documents folder.
All except for 3 applications - upon being prompted for permission to install, I enter the Domain Admin credentials, installation proceeds, but the software is installed to the Domain Admin account, not the Domain User account. Shortcuts appear on the Domain Admin desktop, not the Domain User account, etc. I've tried:
Downloading a new copy of the software to the Domain User desktop & running it from there
Right-click file, Install as Admin
Click file, Install as a different user
Right-clicking file, Properties>Compatibility & changing compatibility settings
Right-clicking file, Properties>Compatibility>Run as Administrator
None of these options have changed the result; the software is still installed to the Domain Admin account as opposed to the Domain User account. Any idea why these 3 programs won't install correctly but everything else has? Any suggestions as to how to install the software to the profile that don't involve making the Domain User an Administrator? Thanks for any help!

    Hi voltron5,
Many programs provide options such as "install for everyone" or "just for the current user" when you install them.
Please check if there are such options during the installation process.
If those three programs are all third-party applications, I suggest you contact the corresponding support and confirm this.
If those three programs are Microsoft applications, would you please let me know specific information about those three applications, such as their names and so on. Meanwhile, when the installation completes, please check whether the software path was added to the administrator's environment variables or to the system environment variables.
    Hope this helps.
    Best regards,
    Justin Gu

  • Query to retrieve windows domain user account

I am totally new to Oracle. Right now, I have a requirement which needs the Windows domain user account and local user accounts to be found and linked to. I've been searching on Google, but to no avail. Frankly, I have no idea even what I am supposed to do and I am not sure whether what I wrote here is even framed correctly. Please help me out. Thanks a lot.

    Hi,
I think you've made your first Oracle mistake: thinking that Oracle works just the same as MS SQL Server :-)
First, before trying to do anything, you must read the TFM: Database Concepts (click), in order to begin to understand how Oracle works.
I'm going to try to explain fast and simple.
Oracle user accounts are different accounts from OS accounts. That is the first important point to get. A domain user "toto" will not automatically get an Oracle "toto" account.
There are 3 types of user authentication:
. Password: typical authentication, no link between the OS account and the Oracle account
. External: the user is authenticated by the O.S. This means that the DBA has to create a special account that'll be "linked" to the O.S. account (whether it's a local or a domain account)
. Global: the user is authenticated by the enterprise directory service.
You can see these 3 approaches in the SQL statement CREATE USER doc (click). So, there is some way to link the Oracle user account to the O.S. user account, but it's not straightforward!
>>I need to verify if my oracle database user account is a windows domain user or not, if he/she is one, then if he/she is a local user account or a global user account
When I read this, the closest thing I can think of is the 3 types of authentication. And the info can be found in DBA_USERS (columns USERNAME, EXTERNAL_NAME and PASSWORD - obfuscated of course).
With this info, maybe you can see why your requirement is a bit strange? Anyway, read the references I linked and come back here with more questions / comments :-)
    HTH,
    Yoann.

  • Using Assigned Access on a Domain user account

    We would like to use Assigned Access in Windows 8.1 Enterprise, but it appears to only allow locking down a local user account. Is there any way to lock down a Domain user account with Assigned Access?

No, it is designed for local user accounts. Regarding domain users, I think group policy is a better choice.

  • Domain user account limit exceeded

My company is running Windows Server 2012 R2 Essentials. I receive the error:
Domain user accounts limit exceeded
Alert details: Windows Server 2012 R2 Essentials supports a maximum of 25 domain users. If you want to upgrade your server to Windows Server 2012 R2 Standard, please follow the steps in resolution.
I am aware that the Domain User limit is set to 25. However, we have created, and have, fewer than 25 active domain user accounts. The rest are 'system' users that are either disabled, or active but not real user accounts, and they became active within the system themselves; in other words, we have fewer than 25 real people who have had an account created to use the domain.
Can someone please tell me what they count? 25 user accounts? Or 25 real, active users?
If it is 25 accounts in total, then it is slightly unfair as most of the accounts are therefore already taken before we add a single domain user.
If it is 25 real, active users, why do I receive the error message in the logs?

    Hi William Kirkman,
>>The rest are 'system' users that are either disabled, or active but not real user accounts, and they became active within the system themselves.
I'm a little confused by this sentence. Would you please provide some details of the system users so I can understand it clearly? Did you mean some Administrator accounts, or any others?
Regarding how the 25 user accounts are counted: "Any user that appears in the dashboard counts against your total of 25." Robert answered this in the following thread. Please refer to:
Admin Account Setup as Part of Wizard Count Against 25 Users?
    Hope this helps.
    Best regards,
    Justin Gu

  • SSAS issue with Domain user account

    Hi
I have SSAS 2008 R2 set up and running on Windows Server 2012 Standard.
The server is registered as part of a domain.
I have had an issue with domain user accounts accessing a cube and it's starting to get worse. There has been no problem with local user accounts (I set up a few for testing purposes).
I ran the role report from BIDS Helper and it finds all the domain user accounts invalid.
It looks like SSAS is not talking well with the domain server (Windows Server 2003 Standard) to verify user credentials. But the thing is that everyone is OK with the domain server except for SSAS. IT does not have a clue what's going on here and everything is just pointing at me right now.
I'd like to know if there is any way to monitor the communication between SSAS and the domain server for user credential verification, and any guideline on how to resolve it. Most of the time, it just works again, like 10 minutes later; it resolves by itself.
But this time, not!!!
All I know is that: 1. I registered the server as part of the domain; 2. I use domain user accounts to set up the security.
My IT department has set up a network monitoring tool and says that it is 100 percent working (no connection loss; it's monitoring Active Directory as well). The application installed is 'ManageEngine Applications Manager'.
I don't know what to do here.
P.S. Could it be related to something like 'Error while adding a user to SSAS Server - The trust relationship between the primary domain and the trusted domain failed'? But in my case all the domain accounts, including mine, are not working.
Cheers!!!
    Cheers!!!

First, check the DNS server settings on the server where you have SSAS installed. You should only use the IP addresses of the DNS servers (e.g. the Domain Controllers) of your domain. Active Directory relies on proper DNS server settings. Adding public DNS servers, even if they are at the bottom of the list, will mess up resolving Active Directory names. This should have been done when IT provisioned the server. The same goes for your own workstation if you run your development/management software somewhere other than on the server.
Second, make sure SSAS is running under a service account that has access to Active Directory. This can be either a domain account, the Local System account, or the Network Service account. Running SSAS under a local account or the Local Service account will not work because local accounts do not have access to Active Directory. Running SSAS under either a Managed Service Account or a Virtual Account will not work because those features require the domain to be at least at the Windows Server 2008 R2 functional level.
Third, make sure the account you use to log on to SSAS is a domain account and has appropriate permissions in SQL Server and SSAS. Local accounts and SQL Server accounts do not have access to Active Directory.
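The first two checks in the reply above can be scripted on the SSAS host. The block below is an added example, not from the thread: it lists the DNS servers each enabled adapter uses, flagging any outside the RFC 1918 private ranges as a rough hint that a public resolver has crept in, and reports the account the SSAS service runs under, classifying it the way the reply does. The service name MSSQLServerOLAPService is the default instance; a named instance uses MSOLAP$InstanceName, so pass -ServiceName for that.

```powershell
# Added example, not from the thread. Checks DNS server assignments and the
# SSAS service account on the host it runs on. Assumes the default-instance
# service name (MSSQLServerOLAPService); override with -ServiceName.

function Test-PrivateIPv4 {
    # RFC 1918 ranges; a DNS server outside them is unlikely to be a DC of your domain.
    # Heuristic only: IPv6 or oddly formatted entries are reported as non-private.
    param([string]$Ip)
    $o = $Ip -split '\.'
    if ($o.Count -ne 4) { return $false }
    ($o[0] -eq '10') -or
    ($o[0] -eq '192' -and $o[1] -eq '168') -or
    ($o[0] -eq '172' -and [int]$o[1] -ge 16 -and [int]$o[1] -le 31)
}

function Get-AdapterDnsServers {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $servers = @($_.DNSServerSearchOrder)
        $suspect = @($servers | Where-Object { -not (Test-PrivateIPv4 $_) })
        New-Object PSObject -Property @{
            Adapter    = $_.Description
            DnsServers = ($servers -join ', ')
            NonPrivate = ($suspect -join ', ')
        }
    }
}

function Get-SsasServiceAccount {
    param([string]$ServiceName = 'MSSQLServerOLAPService')
    $svc = Get-WmiObject Win32_Service -Filter "Name = '$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
    $acct  = $svc.StartName
    $local = [regex]::Escape($env:COMPUTERNAME)
    # LocalSystem and NetworkService authenticate to AD as the computer account;
    # LocalService and local user accounts (.\name or COMPUTERNAME\name) cannot.
    $reachesAd = switch -Regex ($acct) {
        '^(LocalSystem|NT AUTHORITY\\NetworkService)$' { $true;  break }
        '^NT AUTHORITY\\LocalService$'                  { $false; break }
        "^(\.|$local)\\"                                { $false; break }
        default                                         { $true }          # DOMAIN\account
    }
    New-Object PSObject -Property @{ Service = $ServiceName; RunsAs = $acct; CanQueryAD = $reachesAd }
}

Get-AdapterDnsServers | Select-Object Adapter, DnsServers, NonPrivate | Format-Table -AutoSize
Get-SsasServiceAccount | Select-Object Service, RunsAs, CanQueryAD | Format-List
```

A non-empty NonPrivate column or CanQueryAD = False points at the two causes the reply lists; if both come back clean, the intermittent failures are more likely on the domain side (DC reachability, secure channel) and the next step is the SSAS host's System event log around the time of a failure.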

  • SharePoint farm - SQL Server - MSSQLSERVER service is running as "Local System" - Can I change it to Domain User account?

    Hi there,
    In my SharePoint 2010 farm - on the SQL Server:
    The MSSQLSERVER service is running under Local System.
    1. Can I change it to run as a normal Domain User account?
    2. Does it need any extra privileges?
    3. Is it a safe thing to do?
    Brief description will be very useful.
    Thanks so much.

You need to create a service account with the "password never expires" option + "user cannot change password".
Then you need to go through the recommendations below from Microsoft:
Security Considerations for a SQL Server Installation
Planning for Services, Accounts, and Connections
Hope you got a starting point.

  • Should I use Managed Service Accounts or individual, Domain User accounts?

    I'm setting up a new SP 2013, and I'm trying to be very granular as it relates to "Least Privilege".
    I'm trying to figure out which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint services.
At face value, I *think* any service could be successfully run using an MSA, and yet any installation of either SQL Server 2012 and/or SharePoint 2013 should be done using a Domain User account created for that specific purpose (i.e., SP_FARM, SP_ADMIN, SQL_ADMIN, etc.). In fact, I *think* the installation would HAVE to be done with an actual Domain User account, because (unless I'm wrong), MSAs do not have a shell and therefore CAN'T log on...which is by design?
Here's a Microsoft TechNet article that lists many of the accounts I'm referring to:
https://social.technet.microsoft.com/wiki/contents/articles/14500.sharepoint-2013-service-accounts.aspx
Note that it says MOST of the accounts are Domain accounts, but I don't *think* all of these need to BE Domain accounts - I think MOST of them could be created as MSAs and assigned to run the specific service without any problems whatsoever?
So again, my question is: which accounts could be created as Managed Service Accounts (MSAs) and which ones truly need to be created as Domain User accounts in order to run a specific SQL and/or SharePoint service or to even perform a successful installation of the software?
Ed
    Ed

No, script 1 does not create Active Directory Managed Service Accounts (see here:
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx). These are not applicable to SharePoint and are not mentioned in any of those scripts; look at the PowerShell cmdlets, they are very different.
Script 1 creates Active Directory users. These are, as far as AD cares, just standard user objects. There is nothing at all special about them in AD.
At some point you would install SharePoint using those accounts; during that process they get registered in SharePoint as SharePoint Managed Accounts.
Script 2 updates the settings on those managed accounts in bulk.

  • Acrobat x pro crashes (error 6) under domain user account

    Acrobat X Pro (installed under CS6 Suite) crashes when run under a domain users account (receives error 6, uninstall/reinstall product). I've done this many times with the same result. My feeling is that the problem is related to permissions/rights issues as the product works fine when logged into the local administrator account. Any thoughts/comments would be appreciated.


  • Java SE Ver 7 Uxx locking out domain user account failing Kerberos PreAuth

Java SE 7, all updates, is failing Kerberos pre-auth and locking domain user accounts because of truncated UDP packets.
When a user opens a page that uses JavaScript their domain account gets a bad password; subsequent openings within the lockout threshold window (5 in 30 minutes for us) result in a domain account lockout.
I have done extensive troubleshooting of this issue, have root-caused it and have been able to prevent it with a less desirable solution. Oracle's fixes for the bug below (basically the same issue) do not work for me, or I'm implementing them incorrectly.
This affects XP/Win7 (32-bit browsers with IE 8 and 9).
Java SE 7 U21 and lesser updates are failing Kerberos pre-auth (KRB5KDC_ERR_PREAUTH_FAILED) due to the use of UDP instead of TCP. Starting with the SRV request, UDP exceeds the MTU and gets truncated en route to the KDC. This results in the eventual response from the KDC being "bad credential" and eventual account lockout if the user repeats the call for Java.
We have been able to force TCP by blocking UDP 88 on a test station's Windows firewall. This prevents the bad password, but injects a delay while Kerberos times out UDP and fails over to TCP.
Java bug 8009875 lists the "udp_preference_limit=1" value that forces Java to use TCP, but I can't get this working with a KRB5.config or KRB5.ini file in the c:\windows directory. Even utilizing the KRB5_CONFIG environment variable does not work.
Our expected result is to force Java 7 to use TCP for Kerberos transactions and not UDP. This will be a stop-gap until the release of Version 8 next year, which bug 8009875 says corrects the default UDP call to TCP.

I had this same issue. My fix was to create a custom JAAS config file that specifies not to use the local TGT cache.
If you would like, I could provide you with this setup. 1.7 uses GSS/SPNEGO as the first method of auth; this will essentially disable this method of single sign-on.
HTTP Authentication
GSS/SPNEGO -> Digest -> NTLM -> Basic
It looks like you got a fix, so this post could be worthless.

  • R12 using domain user account

    Hi All,
Our architecture is R12.1.3 Apps and an 11.2.0.3 database. We are trying to clone from PROD to TEST.
    Copyright (c) 1991, 2011, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ppclone15db.ppgpl.co.tt)
    (PORT=1524)))
    The command completed successfully
    ECHO is off.
    Listener DB15 has already been started.
    ECHO is off.
    addlnctl.cmd exiting with status 0
    [SC] OpenService FAILED 1060:
    The specified service does not exist as an installed service.
    oracleserviceTest is created with the path executable /orant/bin oracle.exe instead of ORACLE_HOME/bin oracle.exe.
    We are doing Rapid Clone using a domain user account (with local administrator privilege).
    As per Metalink note ID 406982.1: "Note: On Microsoft Windows, Rapid Clone is not currently certified for use from Domain User Accounts".
    Kindly provide us suitable solutions to overcome the Rapid Clone issue on the Windows machine.
    Regards,
    Dinesh

    Hi,
    As a workaround, always keep a copy of your configuration files (XML files, .ora files, etc.) from the TEST environment before removing all the files for cloning.
    The original files can be copied over from the backup copies and reused after running AutoConfig.
    You can take a backup of your existing Oracle services running on Windows for the TEST environment before removing them for the clone.
    To view the Oracle services running and their location on the Windows OS, you can view the services by:
    going to Run --> services.msc to get to the services page.
    Regards
    Neeraj Sharma
    Edited by: NeSharma on Jul 9, 2012 2:13 AM

  • Domain Users are allowed by default to join domain

    Hi everyone!
    Recently I installed Windows Server 2012 Standard,
    configured Active Directory Domain Services,
    created a simple user "test1",
    then I went to a Windows 7 client and joined the domain with this "test1" user.
    And I was shocked at how it is possible that a simple domain user, which is not part of any domain admin or admin group, can join or rejoin the domain successfully.
    Help me get out of this: how can I restrict a simple domain user from joining the domain, and why is it this way by default?

    > then i go to windows 7 client and join domain with this "test1" user.
    By default, EVERY user can join up to 10 clients to the domain.
    > and i shocked how is it possible that a simple domain user which is not
    Why shocked? What's the issue when users join computers to the domain?
    > Help me to get out of this how can i restrict simple domain user to join
    > domain and why it was by default ?
    Create a GPO, link it to the domain, move it up to above "Default Domain Policy" and configure Computer - Policies - Windows Settings - Security Settings - Local Settings - User Rights Assignment: Add Workstations to the domain.
    Martin
    Care to read a GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
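    Martin's "up to 10 clients" figure comes from the domain's ms-DS-MachineAccountQuota attribute, which by default lets any authenticated user create 10 computer accounts; the "Add workstations to domain" user right he points at is the other half of the control. The script below is an added example, not part of Martin's answer: it reads the quota, lists which computer objects were joined under that quota rather than by an explicitly delegated account (AD records the creator in ms-DS-CreatorSID only in that case), and shows the hardening step as a commented line. It assumes the ActiveDirectory PowerShell module (RSAT or a domain controller) and read access to the domain object.

```powershell
# Added example (not from the thread): audit who can join computers and who already has.
# Assumes the ActiveDirectory module and read rights on the domain naming context.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Default is 10: every authenticated user may create up to 10 computer accounts.
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# Computer objects created by ordinary users carry the creator's SID in
# ms-DS-CreatorSID; objects created by accounts holding the right directly do not.
Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID' |
    Where-Object { $_.'ms-DS-CreatorSID' } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'ms-DS-CreatorSID', 0)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account may have been deleted since
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who }
    } | Format-Table -AutoSize

# Hardening, run deliberately rather than as part of the audit:
# set the quota to 0 so only accounts granted "Add workstations to domain"
# (via the GPO Martin describes) or delegated rights on the Computers container can join.
# Set-ADDomain -Identity $domain.DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
```

    Setting the quota to 0 closes the default path without touching the user right; combining it with the GPO keeps the right on a dedicated join account or group, so a compromised ordinary user account can no longer add machines of its own to the domain.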
