Windows Security Group

Morning \ Afternoon all -
We have a Security Group for our support staff, called 'TechSupport'. If a member of the TechSupport group creates a directory on the file server (running Windows 2012), and you then check Properties \ Security, it adds the actual tech's username to security as themselves. Whereas, since they are part of TechSupport, it shouldn't add them.
I'm a Domain Admin, and it doesn't add my actual account.
I'm trying to figure out how to prevent the tech's personal account from being added to the security section. Any ideas? Can you help?
Thanks
Ivan

Are these folders all under one or more parent folders? If so, configure the ACLs on those higher folders so that when the TechSupport group creates a folder underneath it will inherit the permissions you want it to have.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.
I'll try to explain the best I can. I have a drive (storage array) and it has permissions for all the groups (domain admins, Tech Support Group). Within that drive, I have two directories (Profiles & Docs), thus when a Tech creates a folder within, say, Profiles it SHOULD inherit the permissions from Profiles. Thus it should have Tech Support Group, Domain Admins, etc.
But, when a Tech Support Group person creates a folder within Profiles, it refuses to inherit the same permissions. It merely adds the actual tech's account as list\read only. Hence they can't change the owner, etc. And it doesn't add the group of Tech Support to the security. Weird really.
I appreciate the effort and ideas Mark...
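
An added example, not part of the original thread: one way to check the inheritance behaviour discussed above is to report, for the parent folder and each subfolder, whether inheritance is blocked and whether the group's entry is inherited, and optionally to add an inheritable entry for the group on the parent. The path `D:\Profiles`, the domain name `CONTOSO` and the `Modify` right are assumptions.

```powershell
# Added example, not from the thread.
# Assumed values: D:\Profiles, CONTOSO\TechSupport, the Modify right.
param(
    [string]$Parent = 'D:\Profiles',          # assumed parent folder
    [string]$Group  = 'CONTOSO\TechSupport',  # group from the thread; domain is a placeholder
    [switch]$Fix                              # without -Fix the script only reports
)

$CI = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit

# One row per access entry, with the two facts that decide what a new subfolder gets.
function Get-AclReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path              = $Path
            Identity          = $ace.IdentityReference.Value
            Rights            = $ace.FileSystemRights
            IsInherited       = $ace.IsInherited
            FlowsToSubfolders = $ace.InheritanceFlags.HasFlag($CI)
        }
    }
}

# 1. Parent: the group needs an entry that applies to subfolders, otherwise a
#    new folder has nothing to inherit for it ("This folder only" entries do not flow).
$parentReport = @(Get-AclReport -Path $Parent)
$parentReport | Format-Table Identity, Rights, IsInherited, FlowsToSubfolders -AutoSize
$groupFlows = @($parentReport | Where-Object { $_.Identity -eq $Group -and $_.FlowsToSubfolders })
if ($groupFlows.Count -eq 0) {
    Write-Warning "$Group has no entry on $Parent that applies to subfolders."
}

# 2. Children: flag folders where inheritance is switched off, or where the
#    group's entry did not arrive by inheritance.
$suspect = @(Get-ChildItem -LiteralPath $Parent -Directory | ForEach-Object {
    $acl     = Get-Acl -LiteralPath $_.FullName
    $report  = @(Get-AclReport -Path $_.FullName)
    $fromPar = @($report | Where-Object { $_.IsInherited -and $_.Identity -eq $Group })
    $own     = @($report | Where-Object { -not $_.IsInherited })
    if ($acl.AreAccessRulesProtected -or $fromPar.Count -eq 0) {
        [pscustomobject]@{
            Path               = $_.FullName
            Owner              = $acl.Owner
            InheritanceBlocked = $acl.AreAccessRulesProtected
            ExplicitEntries    = ($own.Identity -join '; ')
        }
    }
})
$suspect | Format-Table -AutoSize -Wrap

# 3. Optional repair. Explicit entries already on a subfolder are left in place;
#    review the ExplicitEntries column and remove those by hand if unwanted.
if ($Fix) {
    if ($groupFlows.Count -eq 0) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl = Get-Acl -LiteralPath $Parent
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Parent -AclObject $acl
    }
    foreach ($s in $suspect | Where-Object InheritanceBlocked) {
        $acl = Get-Acl -LiteralPath $s.Path
        $acl.SetAccessRuleProtection($false, $false)   # turn inheritance back on
        Set-Acl -LiteralPath $s.Path -AclObject $acl
    }
}
```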

Similar Messages

  • Is there a way for an end user to see who has membership in a security group

    Windows Server 2008 R2
    Active Directory Domain
    Windows 7 workstations
    I am looking for a way that my end users can look at a folder security tab and then discover who has membership in the security groups listed.
    Is that possible? Any drawbacks or concerns?

    Hi Tod,
    Based on my research, other than viewing group membership in ADUC, we can use this PowerShell cmdlet
    Get-ADGroupMember GroupName and Net Group GroupName to view members in a group:
    However, these commands can only be used on Domain Controllers or when connecting to DCs remotely. That’s because accounts and account membership are stored on Domain Controllers, therefore we can only view group membership on DCs.
    More information for you:
    Viewing the Direct Members of a Group
    http://technet.microsoft.com/en-us/library/dd391915(v=WS.10).aspx
    Net group
    http://technet.microsoft.com/en-us/library/cc754051.aspx
    Best Regards,
    Amy

  • Can I deploy 2 computer GPO for 2 different Security Groups to the same machine?

    Hi
    This is my scenario:
    I have 2 different security groups (in a domain) and I would like to deploy 2 different Computer GPOs depending on the user's SG membership.
    This is a terminal server (2k12) and I would like to have the computer GPO policy/admin template/windows components/remote desktop session host/profile different for each security group.
    thanks
    Marco

    > I have 2 different security groups (in a domain) and I would like to
    > deploy 2 different Computer GPOs depending on the user's SG membership.
    Not really, but for some settings there is a workaround... ->
    http://evilgpo.blogspot.de/2012/03/how-to-save-my-screen.html
    > This is a terminal server (2k12) and I would like to have the computer
    > GPO policy/admin template/windows components/remote desktop session
    > host/profile different for each security group.
    For THIS setting, it definitely does NOT work. The profile path must be
    known BEFORE the user is logged on and this means BEFORE any user
    specific settings can be processed.
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Need to suppress Windows Security dialog when connecting to CRM WCF service from application

    I am currently developing a Windows desktop application that uses the CRM WCF service as a data source. The CRM environment uses AD authentication. The problem I have is that our domain enforces a password expiration policy, so every three months each user's
    CRM password changes, and the one stored for the user (in encrypted form) in the application becomes invalid.
    When that happens, after logging into the application, the user is presented with a Windows Security dialog asking them to enter their network user credentials. If they do so the first time, they're asked up to a dozen more times, to authenticate a bunch
    of OrgServiceProxy objects in a pool. This is confusing, frustrating, and dangerous from a security mindset (don't want the user getting too comfortable entering network credentials into every dialog that asks). I want to suppress this popup, and instead have
    the CRM authentication immediately throw the SecurityNegotiationException I'm expecting if the credentials passed are wrong. The app will catch that and direct the user to the User Maintenance screen where they can update their credentials.
    I know it's possible to put the site in a zone with custom security settings suppressing this prompt, but Group Policy to do that is kind of heavy-handed and could have unintended consequences. I would prefer a programmatic "quick fix" for now,
    until we can re-architect the application's security layer to do all authentication against AD.
    Thanks.

    Hi friend,
    This forum is to discuss problems of C# development. Your question is not related to the topic of this forum.
    You'll need to post it in the dedicated ASP.Net Forum
    http://forums.asp.net for more efficient responses, where you
    can contact ASP.NET experts. Thanks for understanding.
    Have  a nice day!
    Kristin

  • How to make clone of active directory security group

    Hi
    I have one security group in AD, and I want to make a copy or clone of that group, with the same members, under a different name in AD.
    Anybody help me out...

    Hi Vino1985,
    Just do it with ds-tools.
    dsquery group -samid %SamidOfYourReferenceGroup% | dsget group -members |  dsmod group %distinguishedNameOfYourNewGroup% -addmbr -c
    This should work as
    "dsquery group -samid " will return the distinguished name of your reference group and pipe it to dsget group
    "dsget group -members" will return all distinguished-names of the members and pipe it to dsmod group
    "dsmod group -addmbr" will add all DNs to the membership attribute of the new group; the switch "-c" will continue on errors.
    best regards
    Switch
    MCITP Enterprise Administrator
    MCSA Windows Server 2012
    MCTS Windows 7 Configuration
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
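
    An added example, not part of the original reply: the same clone done with the ActiveDirectory PowerShell module instead of the ds-tools, followed by a check that every member DN arrived in the new group. The function name `Copy-ADGroupMembership` is hypothetical; like the one-liner above it copies direct members only, and permissions granted to the original group do not carry over, because the new group has its own SID.

    ```powershell
    # Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
    Import-Module ActiveDirectory

    function Copy-ADGroupMembership {
        [CmdletBinding(SupportsShouldProcess)]
        param(
            [Parameter(Mandatory)][string]$SourceGroup,   # sAMAccountName of the reference group
            [Parameter(Mandatory)][string]$NewGroupName   # name for the clone
        )

        # Read the member DNs straight from the attribute, as "dsget group -members" does.
        $src = Get-ADGroup -Identity $SourceGroup -Properties member
        $members = @($src.member)

        # Refuse to merge into a group that already exists: that would silently
        # widen the membership of something that may already hold permissions.
        $exists = $true
        try   { Get-ADGroup -Identity $NewGroupName | Out-Null }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { $exists = $false }
        if ($exists) { throw "Group '$NewGroupName' already exists; choose another name." }

        # Create the clone next to the source: strip the first RDN to get the parent container.
        $parent = $src.DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''

        if (-not $PSCmdlet.ShouldProcess($NewGroupName, "Create group with $($members.Count) members")) {
            return
        }

        $new = New-ADGroup -Name $NewGroupName -SamAccountName $NewGroupName `
                           -GroupScope $src.GroupScope -GroupCategory $src.GroupCategory `
                           -Path $parent -PassThru
        if ($members.Count -gt 0) {
            Add-ADGroupMember -Identity $new -Members $members
        }

        # Verify: every source DN must be present in the clone.
        $copied  = @((Get-ADGroup -Identity $new -Properties member).member)
        $missing = @($members | Where-Object { $_ -notin $copied })

        [pscustomobject]@{
            Source        = $src.DistinguishedName
            Clone         = $new.DistinguishedName
            SourceMembers = $members.Count
            CloneMembers  = $copied.Count
            Missing       = $missing
        }
    }

    # Dry run first, then for real (group names are placeholders):
    # Copy-ADGroupMembership -SourceGroup 'ReferenceGroup' -NewGroupName 'ReferenceGroup-Copy' -WhatIf
    # Copy-ADGroupMembership -SourceGroup 'ReferenceGroup' -NewGroupName 'ReferenceGroup-Copy'
    ```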

  • File Server Migration - For ORG A Forest to ORG B Forest ( Need to create and Map Security Group automatically on new Migrated Folders - Please Help

    I have two forests with a trust that works fine.
    I have a file server in ORG-A (forest) with 2003 R2 Standard.
    I have a file server in ORG-B (forest) with Windows Server 2012 (new server for migration).
    I have 1000+ folders, each with a different permission set, on ORG-A. We are using security groups to provide permissions on the shared folders on ORG-A.
    I need to migrate all the folders from ORG-A to ORG-B.
    I am looking for an automated method of creating security groups in AD during the migration. Once the migration is done, I can add the required users to the security groups manually.
    Example:
    Folder 1 on ORG-A has a security group called SEC-FOLDER1-ORGA.
    I need an automated method of copying the files to ORG-B and creating new security groups in the ORG-B forest with the same permissions on parent and child folders. I shall add the users manually to the group.
    Output looks like:
    Folder 1 on ORG-B has a permission called SEC-FOLDER1-ORGB (new security group).
    Also I need a summarized report of the security group mapping, for example which security group on ORG-A is mapped to which security group on ORG-B.

    Hi,
    I think you can try ADMT to migrate your user groups to the target domain/forest first. Once the user groups are migrated, you can use Robocopy to copy files with permissions - those permissions will continue to be recognized in the new domain, as you have migrated the groups already.
    Migrate Universal Groups
    http://technet.microsoft.com/en-us/library/cc974367(v=ws.10).aspx

  • Klist Purge is not working when trying to update a computer security group

    I cannot get Klist purge to work on any of our computers. After running the command "klist -lh 0 -li 0x3e7 purge"  I have tried internally and externally using VPN.  The computer does not see new security group settings.
    Windows 7 Clients.

    Try klist -li 0x3e7 purge and then "gpupdate /force" to update the security group membership.

  • Exchange 2010 Unable to Assign Full Access Permissions using a Security Group

    I've been running into this issue lately.  I cannot seem to use groups to allow full access to mailboxes.  When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...".  After waiting a day and even restarting
    the Information Store service, the permissions do not take effect.  When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
    When I grant a user full permission, it works and updates the attribute.  However, on occasion when I revoke the full access permission for a user it doesn't always remove that user from the msExchDelegateListLink attribute.  So the mailbox
    will still appear in Outlook, but the user isn't able to see new emails.
    Any ideas on what may be going wrong?
    Environment:
    Exchange Server 2010 SP1 Standard
    Windows Server 2008 R2 Standard
    Outlook 2010 SP1 (tried without SP1 as well)
    I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups.  Is this not possible?

    I never got a proper fix.
    I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the group's members.
    Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
    1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
    2. New members of groups are added to FULL Access Permissions
    3. Members removed from the groups are removed from FULL access permissions
    4. Automapping works :)
    5. Maintains a log of access added / removed / time taken etc.
    Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environment first, don't complain to me if it wipes out a load of access for you or something like that!
    It takes about 5 minutes to run in my environment. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
    # Mailbox Permissions Setter for Exchange #
    # v1.1 #
    # This script will loop through all mailboxes in Exchange and find any where #
    # the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
    # and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
    # This script will add any members of these ACLs directly to the Full Access Permissions #
    # of the mailbox and also remove them if they no longer need the access. #
    # Script created by Jon Read, Technical Administration
    # Recent Changes
    # 15/11/2012
    # 1.1 Added exclusions for ACLs that we don't want automapping to happen for
    # 12/11/2012
    # 1.0 Initial script
    #Do not change these values
    Add-PSSnapin *Ex*
    $starttime = Get-Date
    $logfile = "C:\accesslog.txt"
    $logfile2 = "C:\accesslog2.txt"
    $totaladditionstomailboxes = 0
    $totalremovalsfrommailboxes = 0
    $totalmailboxesprocessed = 0
    $totalmailboxesskipped = 0
    # Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
    # we don't want FULL access mapping to happen. Separate array values with commas
    $ExcludedACLArray = @("DOMAIN\ACL_ExcludedExample")
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "#----------------------------------------------------------------#" >> $logfile
    Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
    Write-Output "# v1.1 #" >> $logfile
    Write-Output "#----------------------------------------------------------------#" >> $logfile
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "Start time $starttime " >> $logfile
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    # Set preferred DCs and GCs
    $preferredDC = "preferredDC.domain"
    $preferredGC = "preferredGC.domain"
    Write-Output " PreferredDC = $preferredDC " >> $logfile
    Write-Output " PreferredGC = $preferredGC " >> $logfile
    Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
    # The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
    # Check for all mailboxes where the type is SHARED. These are the only ones we would
    # want to apply group mailbox permissions to.
    foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"}) {
        $totalmailboxesprocessed = $totalmailboxesprocessed + 1
        Write-Output " " >> $logfile
        Write-Output " " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        $mailbox=$mailbox.ExchangeGuid.ToString()
        # For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
        # We then need it to be turned into a string to use later.
        #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
        $changes = 0
        foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" }) {
            $skipACL = 0
            #Get the distribution group and put the name in a useable format
            $distributiongroup=$distributiongroup.user.tostring()
            Write-Output "Found ACL $distributiongroup" >> $logfile
            # Check if this distribution group needs to be excluded and if it shouldn't be processed
            # then move onto the next ACL. This will stop FULL access being granted if the mailbox is
            # used for a non-standard purpose. See the start of this script
            # for where these are excluded (ExcludedACLArray)
            foreach ($ACL in $ExcludedACLArray ) {
                if ($distributiongroup -eq $ACL) {
                    $skipACL = 1
                    Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
                    $totalmailboxesskipped = $totalmailboxesskipped + 1
                }
            }
            if ($skipACL -eq 0) {
                # Get each user in this group and for each of them, add try to add them to full access permissions.
                foreach ($user in Get-DistributionGroupMember -identity $distributiongroup) {
                    # Get the user to try, convert to DOMAIN\USER to use shortly
                    $user="DOMAIN\" + $user.alias.ToString()
                    # Check to see if the user we have chosen from the ACL group already exists in the full access
                    # permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
                    # Set $userexists to 0 as the default
                    $userexists = 0
                    foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission) {
                        # See if the user exists in the mailbox access list.
                        # Change $fullaccessuser to a useable string (matching $user)
                        $fullaccessuser=$fullaccessuser.user.tostring()
                        if ($fullaccessuser -eq $user) {
                            $userexists=1
                            # Break out of foreach if the user exists so we don't unnecessarily loop
                            break
                        }
                    }
                    # Now we know if the user needs to be added or not, so run code (if needed) to add
                    # the user to full access permissions
                    if ($userexists -eq 0) {
                        Add-MailboxPermission $mailbox -user $user -accessrights "FullAccess"
                        Write-Output "Added $user " >> $logfile
                        $changes = 1
                        $totaladditionstomailboxes = $totaladditionstomailboxes + 1
                    }
                    #Now repeat for other users in the ACL
                }
            }
        }
        #if changes were 0, then log that no changes were made
        if ($changes -eq 0) {
            Write-Output "No changes were made." >> $logfile
        }
    }
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "---------------------------------------------------------------------------------" >> $logfile
    Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
    Write-Output "---------------------------------------------------------------------------------" >> $logfile
    Write-Output " " >> $logfile
    # The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
    ## Check for all mailboxes where the type is SHARED. These are the only ones we would
    ## want to apply group mailbox permissions to.
    foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"}) {
        Write-Output " " >> $logfile
        Write-Output " " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        $mailbox=$mailbox.ExchangeGuid.ToString()
        #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
        $changes = 0
        # For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
        # check if they exist in the ACL
        foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" }) {
            # Get the security identifier (SSID) of the FULLACCESS user to store for later.
            $fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
            $fullaccessuser=$fullaccessuser.User.ToString()
            #If user needs to be excluded then skip this bit
            #Users added or removed will only start with 07 (07$, 07T, so only run if the user starts with this.
            #This stops it trying to remove NT AUTHORITY\SELF and other System entries
            if ($fullaccessuser -like "DOMAIN\07*") {
                # Set $userexists to be 0. if we find the user needs to remain, then change it to 1.
                $userexists=0
                # Check if this user exists in the ACL, if not, remove.
                foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" }) {
                    $distributiongroup=$distributiongroup.user.tostring()
                    #Write-Output "Found associated distribution group $distributiongroup" >> $logfile
                    # Get each user in this group and for each of them, See if it matches the user in the mailbox.
                    foreach ($user in Get-DistributionGroupMember -identity $distributiongroup) {
                        # Get the user to try, convert to DOMAIN\USER to use shortly
                        $userguid = $user.Guid.ToString()
                        $user="DOMAIN\" + $user.alias.ToString()
                        if ($fullaccessuser -eq $user) {
                            $userexists=1
                            #we have found the user exists so no need to continue
                            break
                        }
                    }
                }
                # If userexists = 0, then they are NOT in the ACL, and should be removed from
                # the full access permissions. Run the code to remove them from full access.
                #CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
                if ($userexists -eq 0) {
                    Remove-MailboxPermission -Identity $mailbox -user $fullaccessuserSSID -accessrights "FullAccess" -Confirm:$false
                    Write-Output "Removed $fullaccessuser " >> $logfile
                    $changes = 1
                    $totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
                }
            }
        }
        # if changes = 0, no changes were made to this mailbox, so log this fact.
        if ($changes -eq 0) {
            Write-Output "No changes were made." >> $logfile
        }
    }
    #Put the time in a displayable format
    $endtime = Get-Date
    $runtime = $endtime - $starttime
    $runtime = $runtime.ToString()
    $runtime1 = $runtime.split(".")
    $totaltime = $runtime1[0]
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
    Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
    Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
    Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
    Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
    Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
    Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
    Write-Output "| Start time : $starttime " >> $logfile
    Write-Output "| End time : $endtime " >> $logfile
    Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
    Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
    Write-Output " " >> $logfile

  • Looking for "Window Manager\Window Manager Group" SID

    Hi. I am trying to find the SID for "Windows Manager\Window Manager Group". If anyone has that, I'd appreciate it. I am trying to build my "base build" Security Template for Server 2012, and I need to assign the default User Rights to that group, as it is
    out-of-the-box. Problem is that the GUI does not accept that group name as valid, but I can see that the group is assigned user rights in the Local Security Policy. I typically just use a file ACL to do this (add the ACE and then run
    icacls to get the SID), but that group name is not valid within that tool either. My guess is that this new "Windows Manager\Window Manager Group" group is a well-known SID. Thanks.

    Ironically the SID is not listed on Microsoft's web page for well-known SIDs. I also noticed that when I dump the local users using PowerShell, every group and user is listed that I would expect to see, but this one is not in that list. It seems like it should be pretty easy for Microsoft to say what this does and when it can be safely removed...
    I figure one of two possibilities. Either this only matters when a specific feature is installed / active, or it is some remnant from development for a feature or implementation that didn't make it into the release to manufacturing. Whatever the case, it would be nice if we could get clarification.

  • People Picker can resolve users and security group from another domain but no validation for groups

    Dear all,
    Here is the scenario of our issue:
    We are migrating from Domain A to Domain B and in Domain A we currently have a SharePoint 2013 on which we want to set permissions for users and groups that have already migrated to Domain B.
    A bi-directional trust exists between the two domains and all applications relying on the trust and resolving IDs from one domain to another are working fine (Windows RDS for instance).
    The "bug" that we have is when using the PeoplePicker, it can resolve without any issue a user account in Domain A or B, and a security group (type global, I haven't tried local or universal yet) from domain A or B. But for the security groups
    only (it works well for users), when I click on "Save" to validate the add of the group to the site permissions, I have the following error:
    I have seen a lot of similar issues on the web but no answer so far that work :( 
    Example: https://social.technet.microsoft.com/forums/sharepoint/en-US/74e8d14b-a0f4-4e21-8cfa-b1a937247160/cant-provision-security-to-old-domain-users
    If you have any question that could help you to understand it, do not hesitate. 
    Thanks a lot in advance for your help ! :)

    Can you give the snippet from the ULS log where you're seeing this error?
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • AD security group memberships not coming over to SP2013.

    This seems to have coincided with applying a number of updates to our SharePoint server via Windows Update over the weekend.  Since then, changes in AD security groups are not being reflected by the appropriate access in SharePoint.  If somebody
    has been a member of an AD group prior to this weekend, their access is fine.  But changes made today aren't seeming to propagate.  Any suggestions?
    Thanks!

    Because SharePoint 2013 is based on claims it is normal for users added to AD groups to not gain the permissions for up to 24 hours because the claims tokens are cached.
    http://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • Validating against a Windows NT Group in SQL Server

    I am trying to access a SQL Server using a trusted Windows NT group that has been established. I have set up the group in the database's security and assigned it to the appropriate prepared statements but I'm not sure how to access it using Java for authentication of the connection. I can access individual logons with passwords, but it escapes me how to access the group so I don't have to use individual passwords to access the prepared procedures.
    I am using JSPs for the front end if that makes a difference in the authentication.

    Yes, I am using JDBC-ODBC.
    I have gotten further in this problem. Here is where I am now.
    I have managed to get the JSP to access the Java application to validate against the SQL Server group, but it is using the login name and password of who signed in to start up Tomcat instead of the person who is accessing the application through the JSP. Therefore, if a person authorized to SQL Server started Tomcat, then everyone can get in; otherwise no one can get in.
    I am shooting for not requiring the user to sign in to yet another application as they should be able to be authenticated through the trusted NT Domain group.
    Is there something I should put in the JSP to pick up their user id to pass it along to the Java application? Should I be going down a different line of logic?

  • Check Windows security

    _Microsoft Baseline Security Advisor_ : http://technet.microsoft.com/en-us/security/cc184923.aspx
    Used by many leading third party security vendors and security auditors, MBSA on average scans over 3 million computers each week. Join the thousands of users that depend on MBSA for analyzing their security state.
    _Sample as run from Mac Pro Vista U._
    Notable items:
    1) Run turned off my Ctl-Alt-Del logon requirement as set in
    Run->control userpasswords2
    2) Requires Server Service to be active
    3) Needs Computer Name entry at *error point: Workgroup\*error
    *Security assessment: Potential Risk*
    Computer name:
    IP address:
    Security report name: WORKGROUP -
    Scan date: 2009-01-08 08:48
    Scanned with MBSA version: 2.1.2104.0
    Catalog synchronization date:
    Security update catalog: Microsoft Update
    Security Updates Scan Results
    Issue: SQL Server Security Updates
    Score: Check passed
    Result: No security updates are missing.
    Current Update Compliance
    | MS06-061 | Installed | MSXML 6.0 RTM Security Update (925673) | Critical |
    Issue: Silverlight Security Updates
    Score: Check passed
    Result: No security updates are missing.
    Current Update Compliance
    | 957938 | Installed | Update for Microsoft Silverlight (KB957938) | |
    | 957938 | Installed | Update for Microsoft Silverlight (KB957938) | |
    Issue: Windows Security Updates
    Score: Check passed
    Result: No security updates are missing.
    Current Update Compliance
    | MS08-071 | Installed | Security Update for Windows Vista Service Pack 2 (KB956802) | Critical |
    | MS08-075 | Installed | Security Update for Windows Vista Service Pack 2 (KB958624) | Critical |
    | MS08-073 | Installed | Security Update for Internet Explorer 7 in Windows Vista Service Pack 2 (KB958215) | Critical |
    Operating System Scan Results
    Administrative Vulnerabilities
    Issue: Local Account Password Test
    Score: Check passed
    Result: Some user accounts (2 of 3) have blank or simple passwords, or could not be analyzed.
    Detail:
    | User | Weak Password | Locked Out | Disabled |
    | Administrator | Weak | - | Disabled |
    | Guest | Weak | - | Disabled |
    | xx | - | - | - |
    Issue: File System
    Score: Check passed
    Result: All hard drives (1) are using the NTFS file system.
    Detail:
    | Drive Letter | File System |
    | C: | NTFS |
    Issue: Password Expiration
    Score: Check failed (non-critical)
    Result: All user accounts (3) have non-expiring passwords.
    Detail:
    | User |
    | Administrator |
    | Guest |
    | xx |
    Issue: Guest Account
    Score: Check passed
    Result: The Guest account is disabled on this computer.
    Issue: Autologon
    Score: Check passed
    Result: Autologon is not configured on this computer.
    Issue: Restrict Anonymous
    Score: Check passed
    Result: Computer is properly restricting anonymous access.
    Issue: Administrators
    Score: Check passed
    Result: No more than 2 Administrators were found on this computer.
    Detail:
    | User |
    | Administrator |
    | xx |
    Issue: Windows Firewall
    Score: Check passed
    Result: Windows Firewall is managed through Group Policy on this computer. Windows Firewall is enabled on all network connections.
    Detail:
    | Connection Name | Firewall | Exceptions |
    | All Connections | On | - |
    | Local Area Connection 2 | On | - |
    | aGetOff | On | - |
    Issue: Automatic Updates
    Score: Check passed
    Result: Updates are automatically downloaded and installed on this computer.
    Issue: Incomplete Updates
    Score: Best practice
    Result: No incomplete software update installations were found.
    Additional System Information
    Issue: Windows Version
    Score: Best practice
    Result: Computer is running Microsoft Windows Vista.
    Issue: Auditing
    Score: Best practice
    Result: Logon Success and Logon Failure auditing are both enabled.
    Issue: Shares
    Score: Best practice
    Result: 2 share(s) are present on your computer.
    Detail:
    | Share | Directory | Share ACL | Directory ACL |
    | ADMIN$ | C:\Windows | Admin Share | NT SERVICE\TrustedInstaller - F, NT AUTHORITY\SYSTEM - RWXD, BUILTIN\Administrators - RWXD, BUILTIN\Users - RX |
    | C$ | C:\ | Admin Share | NT AUTHORITY\SYSTEM - F, BUILTIN\Administrators - F, BUILTIN\Users - RX |
    Issue: Services
    Score: Best practice
    Result: No potentially unnecessary services were found.
    Internet Information Services (IIS) Scan Results
    IIS is not running on this computer.
    SQL Server Scan Results
    SQL Server and/or MSDE is not installed on this computer.
    Desktop Application Scan Results
    Administrative Vulnerabilities
    Issue: IE Zones
    Score: Check passed
    Result: Internet Explorer zones have secure settings for all users.
    Issue: Macro Security
    Score: Check not performed
    Result: No supported Microsoft Office products are installed.

    Hi,
    Did you use the same account as the App creator (the account which deployed the app)? You can use the app creator to check whether it works.
    Could the other accounts access the apps? You can use the other accounts to check whether it works.
    To quickly and accurately find the issue, you can check the event log and ULS log to see if anything unexpected occurred.
    For SharePoint 2013, by default, ULS log is at
    C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • GPO not applying to all users in the same security groups

    If Elaine logs in on Angie's PC does it work?

    Using Windows Server 2008 R1. I have a single domain with two DCs (both Server 2008 R1). Both DCs seem to be communicating without issues, as changes on one DC are replicating normally to the other for all services. I have a group policy set up to set drive mapping for my users. However when I run the GP modeling wizard only a few of the users receive the proper mappings. In this specific instance I have two users, Elaine and Angie.
    1. Both are members of the Domain Users security group and another security group I created called Staff
    2. Neither user is a member of any other security groups.
    3. My group policy Security Filtering setting is set to apply the policy ONLY to the Staff security group
    4. When running the GP Results Wizard, Elaine's computer successfully processes the policy, but Angie's does not, and returns "Access Denied...
    This topic first appeared in the Spiceworks Community

  • Windows manager\Window Manager Group

    Hello - Does anyone know what the purpose of windows manager\Window Manager Group is? I can't find it in the local Windows groups nor local accounts.
    I'm trying to add windows manager\Window Manager Group to security policy but the account can't be looked up
    Thank you,
    Adnan
    ad

    I guess my real question is where are you coming up with the windows manager account? There is no account with such a name by default in Windows, so I am guessing it is something that you have added to your environment or something being talked about in some third party software install. As such, it would be pretty hard for us to explain its purpose.
    .:|:.:|:. tim
