Archive for the ‘Active Directory’ Category

Cannot access adapter options or control panel

There seems to be an issue with recent server versions where, after promoting a server to be a Domain Controller, you lose access to several key functions. The main one occurs when trying to access “Change adapter options”, which results in a pop-up: “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item”. In addition, in some cases when you try clicking on management tools such as Gpedit.msc and Control Panel, nothing happens. You can try to access these using “Run as administrator”, which doesn’t always work, or create a desktop icon for the app and tick the “Run as administrator” check box under its advanced options, but I see these as tedious workarounds.

The issue seems to be related to UAC (User Account Control), which can be “tweaked” with Group Policy. Since this occurred after promoting to a DC, one should use the Group Policy Management console rather than the Local Group Policy editor.

Run the GP Management console and edit the Default Domain Policy or the policy linked to a Computer OU of your choice. Locate the following policy and enable it:

Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | User Account Control: Admin approval mode for the built-in administrator account

Once changed, from an elevated Command prompt run:

gpupdate /force

If not prompted to do so, you will need to log out and back in.

You should now be able to access your various admin tools that were blocked before.
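
To confirm the setting actually reached the machine after gpupdate, the following added example (not part of the original post) reads the registry values behind the policy. It assumes the standard value name FilterAdministratorToken, which backs this policy setting but is not named on this page; Get-UacPolicyState is a hypothetical helper name.

```powershell
# Added example: verify that "Admin approval mode for the built-in
# administrator account" is in effect on this computer.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyState {
    param([string]$Path = $UacKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # The policy only affects the built-in Administrator account,
    # whose SID always ends in the relative ID 500.
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value

    [pscustomobject]@{
        # 1 = policy enabled; 0 or missing = not enabled
        FilterAdministratorToken = $p.FilterAdministratorToken
        # 1 = UAC itself is switched on
        EnableLUA                = $p.EnableLUA
        IsBuiltInAdministrator   = ($sid -match '-500$')
        PolicyEnabled            = ($p.FilterAdministratorToken -eq 1)
    }
}

Get-UacPolicyState | Format-List

# Lists the GPOs applied to the computer, to confirm the edited GPO is among them.
gpresult /r /scope computer
```

If PolicyEnabled is still False after gpupdate /force, check that the GPO you edited is linked to the OU that holds the server.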


Intro to PowerShell

For those not knowing where to start with learning PowerShell, Netwrix is offering a free 47-page document, “Windows PowerShell Tutorial for Beginners”, which includes numerous simple, common tasks. One of the best intros I have seen.

https://try.netwrix.com/powershell-tutorial

100’s of Windows Commands

This is a must-have PDF reference file:

An amazing, current, searchable compilation of hundreds of Windows commands with explanations, syntax, and examples of their use. And it’s free!

https://www.microsoft.com/en-us/download/details.aspx?id=56846


An Authentication error has occurred

It seems recently many users are receiving an error logging into Remote Desktop Servers (Terminal Servers) from off-site. The error reads:

An authentication error has occurred.
The function request is not supported.
Remote computer <ServerName>
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

This is a result of a March 13th update. The previous error message was shorter, but an Apr 17 update expanded the error message to read as above.

The link explains how to resolve this using Group Policy, but the simple fix, as of May 8th, is to apply the KB4103725 monthly rollup update. This will require a reboot on most servers, but should resolve the problem once complete.
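
A quick way to see where a given machine stands, as an added example that is not part of the original post: it checks for the rollup named above and reads the CredSSP “Encryption Oracle Remediation” policy value. The registry path and the AllowEncryptionOracle value name come from Microsoft's documentation for that policy, not from this page; Get-CredSspPatchState is a hypothetical helper name.

```powershell
# Added example: report CredSSP patch and policy state on this computer.
function Get-CredSspPatchState {
    param([string]$KbId = 'KB4103725')   # rollup named in the post

    # A later rollup that supersedes this one will not show up under this
    # KB number, so "not listed" does not by itself mean "unpatched".
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $value = (Get-ItemProperty -Path $path -Name AllowEncryptionOracle `
                  -ErrorAction SilentlyContinue).AllowEncryptionOracle

    $names = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    if ($null -eq $value) {
        $meaning = 'Not configured (default of the installed update applies)'
    } else {
        $meaning = $names[[int]$value]
    }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        KbListed              = [bool]$hotfix
        AllowEncryptionOracle = $value
        Meaning               = $meaning
        # A machine left on "Vulnerable" as a workaround should be patched
        # and the policy value reverted.
        NeedsFollowUp         = ($value -eq 2)
    }
}

Get-CredSspPatchState | Format-List
```

Run it on both the Remote Desktop server and an affected client, since both ends need the update.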

 

Disable WSUS on Managed Computers

For the past 8 or more years most of us have managed PC updates using WSUS (Windows Server Update Service) and Group Policy. However, the structure of the modern office has changed to a large percentage of mobile employees who never ‘touch down’ at headquarters. If these devices do not connect to the domain, they do not have updates applied.

A client who has not returned to the office in 18 months, and likely will not for the life of their laptop, recently asked how they could update their machine manually. Currently they were not able to do so, as Windows Update showed “settings are managed by your system administrator”, in other words, by WSUS.

It is quite simple to disable WSUS management in the registry; however, remember that if the device is reconnected to the domain, the WSUS policies will be reapplied. Therefore you may want to move the device to an OU not linked to the WSUS policy, or remove the device from the policy under security filtering.

Disclaimer: Be aware that making incorrect registry changes can have disastrous effects on the health of the device. Be sure to back up the registry before editing. To do so, see the following Microsoft article: “How to back up and restore the registry in Windows” http://support.microsoft.com/kb/322756

  • Open the registry editor, by entering Regedit in the Start / Run box, and browse to:  HKLM\Software\Policies\Microsoft\Windows\
  • Locate the WindowsUpdate  Key and delete it
  • Reboot the PC (may take 2 reboots)
  • Now you can manually update and configure Windows updates to automatically check for and install updates directly from the Microsoft Update site
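
The same steps as a script, as an added example that is not part of the original post: it records which WSUS server the policy pointed at, exports the key to a .reg backup, and only then deletes it. The value names WUServer and UseWUServer are the standard WSUS policy values and are not named on this page; the function name and backup file location are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: back up and remove the WSUS policy key described above.
$KeyNative = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'  # for reg.exe
$KeyPs     = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' # for PowerShell

function Remove-WsusPolicyKey {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed backup location; change as needed.
        [string]$BackupFile = "$env:USERPROFILE\WindowsUpdate-policy-backup.reg"
    )

    if (-not (Test-Path $KeyPs)) {
        Write-Host 'No WindowsUpdate policy key found; nothing to remove.'
        return $false
    }

    # Record what the policy was enforcing before it is removed.
    $wu = Get-ItemProperty -Path $KeyPs
    $au = Get-ItemProperty -Path "$KeyPs\AU" -ErrorAction SilentlyContinue
    Write-Host "WUServer    : $($wu.WUServer)"
    Write-Host "UseWUServer : $($au.UseWUServer)"

    # Export the key first so it can be restored by importing the .reg file.
    & reg.exe export $KeyNative $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; key was not deleted.' }
    Write-Host "Backup written to $BackupFile"

    if ($PSCmdlet.ShouldProcess($KeyNative, 'Delete registry key')) {
        Remove-Item -Path $KeyPs -Recurse -Force
        Write-Host 'Key deleted. Reboot the PC (may take 2 reboots).'
        return $true
    }
    return $false
}

# Dry run: shows the current settings and writes the backup, deletes nothing.
Remove-WsusPolicyKey -WhatIf
```

Drop -WhatIf to perform the deletion. A device that later processes the domain's WSUS policy again will have the key recreated, as noted above.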


You may want to consider using a newer service such as Windows Intune to manage your computers, especially mobile devices.  http://www.microsoft.com/en-us/server-cloud/products/windows-intune/

Locate default Computer or User OU

In troubleshooting an issue with the SBS user creation wizard, I wanted to know what was set as the default Organizational Unit in which users would be placed.   Though the following works with any server version which is domain functional level Server 2003 or newer, SBS defaults to placing users in the MyBusiness\Users\SBSUsers OU and I wanted to verify this was set appropriately.  There are 100 articles explaining how to change the default users OU using the command “Redirusr”, or “Redircmp” for computers, but it was difficult to find a link explaining how to locate the current defaults.  There are a few links explaining where the information is stored, which is in the “wellKnownObjects” attribute of the properties of the domain, in Active Directory Users and Computers.


However, when you click on “View” to inspect the settings for that attribute, you get a popup warning, “There is no editor to handle this attribute”, and the same happens when using ADSI Edit.

Thanks to a tip by Alex Verboon, using Microsoft’s (Sysinternals) Active Directory Explorer will allow you to see the settings of this attribute. Download AD Explorer and run the app; on a single-domain server you can leave all fields blank and click OK.

Click on your domain, then in the right-hand window right-click on “wellKnownObjects” and choose Properties.

In the resulting window you can review the current settings for the default OUs for Computers and Users.
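
The same information can be read without a GUI. This added example (not part of the original post) parses the wellKnownObjects values, which have the form B:32:<GUID>:<distinguished name>, and picks out the Users and Computers entries by their fixed well-known GUIDs. It assumes the ActiveDirectory PowerShell module for the live query; ConvertFrom-WellKnownObject is a hypothetical helper name, and the sample values are constructed.

```powershell
# Added example: show the default Users and Computers containers.
# Well-known GUIDs defined by Active Directory for these two containers.
$WellKnownGuids = @{
    'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Default location for new users'
    'AA312825768811D1ADED00C04FD8D5CD' = 'Default location for new computers'
}

function ConvertFrom-WellKnownObject {
    param([string[]]$Value)
    foreach ($v in $Value) {
        # Each entry looks like  B:32:<32 hex digits>:<DN>
        if ($v -match '^B:32:([0-9A-Fa-f]{32}):(.+)$') {
            $guid = $Matches[1].ToUpper()
            $dn   = $Matches[2]
            if ($WellKnownGuids.ContainsKey($guid)) {
                [pscustomobject]@{
                    Purpose           = $WellKnownGuids[$guid]
                    DistinguishedName = $dn
                }
            }
        }
    }
}

# Constructed sample values (not taken from a real domain).
$sample = @(
    'B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local'
    'B:32:AA312825768811D1ADED00C04FD8D5CD:OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=example,DC=local'
    'B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=example,DC=local'
)

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Live query against the current domain.
    $domainDn = (Get-ADDomain).DistinguishedName
    $values   = (Get-ADObject -Identity $domainDn -Properties wellKnownObjects).wellKnownObjects
    ConvertFrom-WellKnownObject -Value $values
} else {
    # No AD module available: demonstrate the parsing on the sample.
    ConvertFrom-WellKnownObject -Value $sample
}
```

With the module installed, Get-ADDomain also exposes the two results directly as its UsersContainer and ComputersContainer properties.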