Channel: Security forum

Windows Defender vs Essentials

Is Defender able to be turned on when running Essentials? I can't get it to turn on, not sure why. Any suggestions?

Disable UAC for a specific user account on a domain controller

I have a task scheduled to run a program on a DC under a domain user account.

Is there a way to disable the UAC for this domain account on this DC? The program requires admin privileges to run and the task will just time out if no one is there to accept.

Windows Server 2008R2 Security Patch List


Hi,

Are there any security patch lists for Windows Server 2008 R2? My company deploys Group Policy to use WSUS without server patch delivery, and blocks the Microsoft Update site in the proxy.

The server guys said to download the patches manually. Is there anything like this?

Thanks


Event log filtering for remote connections


Hi! I was looking through the event log filtered on Event ID 4624, which is OK for finding logon events on a server.

But I'd like to know if there are any further possibilities to search within the results of this filter to find real users (not service accounts etc.) that have connected remotely to a server...

With only the 4624 filter on, I have 11,000 events, and a lot of them are service accounts.

I found out I could search for Logon Type: 10 to find users who connected to Remote Desktop or Terminal Services.

What about users that connected to shared folders?

How would that search be, if it's possible?


Freddy
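As an added example (not code from the original post, and not an official answer), the following PowerShell pushes the Logon Type filter into an XPath query so the Security log is filtered server-side, reads the named EventData fields, and drops computer accounts and the built-in identities that make up most of the 11,000 events. It assumes PowerShell 3.0 or later and rights to read the Security log on the server; the function name and the default lookback of 7 days are my choices.

```powershell
# Added example, not code from the original post. Lists 4624 logons of the chosen
# logon types from a server's Security log, drops computer accounts and the
# well-known built-in identities, and returns one object per logon.
# Assumes PowerShell 3.0+ and rights to read the Security log.
function Get-RemoteUserLogon {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7,
        # 10 = RemoteInteractive (RDP / Terminal Services), 3 = Network (file shares,
        # but also WMI, RPC and anything else that authenticates over SMB/RPC).
        [int[]]$LogonType = @(3, 10)
    )

    # Build an XPath filter so the event log service does the filtering, instead of
    # pulling every 4624 event across the wire and filtering client-side.
    $typeClause = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $($Days * 86400000)]] " +
             "and EventData[$typeClause]]"

    $builtIn = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'ANONYMOUS LOGON')

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named fields live in EventData; read them from the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

            # Computer accounts end in '$'. Service accounts cannot be told apart by
            # logon type alone; filter those by your naming convention or OU instead.
            if ($data.TargetUserName -match '\$$' -or $builtIn -contains $data.TargetUserName) { return }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType   = [int]$data.LogonType
                SourceIP    = $data.IpAddress
                Workstation = $data.WorkstationName
            }
        }
}

# Usage: who connected over RDP or to a share in the last 7 days, most frequent first.
Get-RemoteUserLogon | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name

# Share-style (type 3) logons only, with where they came from.
Get-RemoteUserLogon -LogonType 3 | Select-Object Time, User, SourceIP, Workstation
```

Two caveats a reviewer of the output should keep in mind: a type 3 logon tells you the account authenticated over the network and from which address, but not which share it opened (that needs the File Share object-access audit category, which logs event 5140 per share access), and the "real user" distinction is a naming or OU question rather than a logon type one, so service accounts that log on interactively will still appear here.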

Why are we getting false positives for event id 644 (User Account Locked Out)


So I'll give an example of the content of the event in event viewer that I'm sure many are familiar with...

----------------------------------------------------------------

Type: Success A  Event ID: 644

User: NT AUTHORITY\SYSTEM

Computer: (PDC)

Description

User Account Locked Out:

Target Account Name: (Username)

Target Account ID: (Domain\Username)

Caller Machine Name: (Hostname)

Caller Username: (Hostname$)

Caller Domain: (Domain NetBios)

Caller Logon ID: (0x0,0x3E7)

---------------------------------------------------------------------

So, that's great. That's the event for user account lockouts within Event Viewer. What is interesting is not only that we get numerous occurrences of these a day, but that none of the accounts in question are ACTUALLY locked out. I hate to sound redundant, but I want to be clear: none of the accounts that we receive this error for are actually locked out. Event Viewer says that an account is locked out, but it is NOT.

A few details I would like to add. The username in question varies, but for one day it might be several instances of the same username; later it will be a different one. Also, it is frequently the "Guest" account that is throwing the error. The Caller Machine Name is quite often the PDC or our Exchange server. On occasion, the caller machine name will be some random workstation, but it is most often the PDC or Exchange server. These events are sprinkled throughout each day at various times.

I am posting this question because all my googling and forum surfing have found many dialogues regarding the possible causes of frequent account lockouts, but I haven't found anything mentioning false positives and what might cause them or how such a thing could even occur. Please feel free to probe me for any more information. There is the one question... what could even cause a false positive in any environment... and then the question of what is causing it in my environment...

Track RDP user session activity in windows 2003


The users are connected to a Windows 2003 server remotely through RDP. At times the users remain connected but inactive, with their Remote Desktop session minimized on their desktop machine.

How can we track the user, such as since when the user has been logged in? I know one way is through the Event Viewer date and time. Do we have any other tool to determine logon time?

Is there any tool to determine session activity, such as for how long the user has been active or how long the user has been idle?

How reliable is Terminal Services Manager for monitoring both the logon time and the idle time?


dhomya

windows 2003 event log

In the event that a user deletes the system security logs, does the system generate a "log cleared" entry in all situations?

If the user tries to delete that "log cleared" entry, what happens?

How long is the "log cleared" entry preserved in the system?

Can a user delete his own logoff log?


dhomya

Secondary UPN suffix not showing up for Domain Admins


Having a strange issue that I can't find anything about. I recently added a second UPN suffix to our domain. Everything is working swimmingly in regard to end-user functionality. However, if a Domain Admin opens ADUC, clicks on a user, and goes to the Account tab, they get the following error:

There is no such object on the server.

Then when they click OK, the Account tab opens and the drop-down menu for the UPN is blank. If I click on it, it only shows the domain suffix (not the added one).

Now, if I am a member of the Enterprise Admins group, I can see both suffixes and no errors. Why would the Domain Admins group not have "read" access to the second UPN suffix? Their documentation on creating these is pretty straightforward and says either Domain Admins or Enterprise Admins have rights to create them, so I am confused as to why this is happening.

Edit: If I run Domains and Trusts as the Domain Admin, right-click and choose Properties, I get the following error:

The configuration information describing this enterprise is not available.
Directory object not found.


Smart Card Enrollment

I have been trying to get Smart Card (PIV) set up in my lab now for a few days. I got the CA stood up and I got the smart card user and enrollment templates set up. I enrolled my admin user with the Enrollment user. I can enroll a smart card user on behalf of someone, but it never prompts me to insert the smart card. I tried to use a command line to manually import the cert into the smart card, but it tells me "The Smart Card is read-only." I am not sure what I am doing wrong. I am using a Gemalto Protiva card, which it is my understanding is compatible with a Windows smart card deployment. I followed Microsoft's smart card deployment guide, which was written for Windows Server 2000, so I feel like I am missing something.

unauthorized login?


Recently had a few of these show up in my event log. Using Windows 7 Pro and on a domain. Have a suspicion someone logged in to my computer. I also found the Group Policy on my Server 2003 changed: "Act as part of the operating system" has my admin account listed as a user. So I don't know if this change in Group Policy allowed the following on my computer.

I have also tried removing my admin account from the Group Policy, but it is greyed out and I don't know how to remove it.

Can anyone tell me if my suspicions are correct, and also how I can remove my user account from "Act as part of the operating system"?

I have gotten mixed answers.

An account was successfully logged on.

Subject:

               Security ID:                        NULL SID

               Account Name:                 -

               Account Domain:                             -

               Logon ID:                           0x0

Logon Type:                                      3

New Logon:

               Security ID:                        ANONYMOUS LOGON

               Account Name:                 ANONYMOUS LOGON

               Account Domain:                             NT AUTHORITY

              Logon ID:                           0x1c395954

               Logon GUID:                      {00000000-0000-0000-0000-000000000000}

 

Process Information:

               Process ID:                         0x0

               Process Name:                  -

Network Information:

               Workstation Name:         User-1

               Source Network Address:              10.0.0.29

               Source Port:                       53025

Detailed Authentication Information:

               Logon Process:                 NtLmSsp

               Authentication Package: NTLM

               Transited Services:           -

               Package Name (NTLM only):        NTLM V1

               Key Length:                        128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

Obtaining the Subject Alternate Names (if any) from a Cert


Hello All

Can someone please help me with the following question.

I have a certificate flat file, so I used the following .NET type in PowerShell to get it into an object:

$IssuedCertInfo = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromCertFile("C:\cert.cer")

Now I can get certain pieces of information about the cert, like Issuer, e.g.

$IssuedCertInfo.Issuer

etc...

However, I do not see a property or a method to obtain the Subject Alternate Names (if any).

So I came up with the following piece of code utilizing certutil and a bit of RegEx, which works OK:

$subject_alternate_name = $((certutil -dump -v C:\Cert.cer | Select-String "Altname.*`"(.*)`"" -allmatches).Matches.groups.captures | % {$_.value} | where {$_ -match '"'} | out-string)


However, I would rather not shell out to an exe like certutil if possible.

Is there a .NET type I can use to get the info I want?

Thanks All

Ernie
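As an added example (my code, not the poster's and not an official answer), the SAN is just one of the X509Extension objects on the certificate, identified by OID 2.5.29.17, and AsnEncodedData.Format() renders it without certutil. The function name, the sample path and the expected hostname below are placeholders I chose; it assumes Windows PowerShell 3.0 or later on Windows, where the extension formatting comes from CryptoAPI.

```powershell
# Added example, not the poster's code. Reads the Subject Alternative Name extension
# (OID 2.5.29.17) with the .NET X509 types only, no certutil. Assumes Windows
# PowerShell 3.0+ and a DER or Base64 .cer file at the given path.
function Get-CertificateSan {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (Resolve-Path $Path).Path

    # Find the extension by OID rather than by FriendlyName: the friendly name is
    # localised and may be empty, the OID is not.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        # No SAN at all. Modern TLS clients ignore the Subject CN, so a server cert
        # without a SAN is worth flagging rather than silently treating as fine.
        return @()
    }

    # AsnEncodedData.Format($true) renders one entry per line, for example:
    #   DNS Name=www.example.com
    #   IP Address=192.0.2.10
    # The labels come from CryptoAPI and depend on the OS language, so split on the
    # first '=' and keep whatever label is present instead of hard-coding "DNS Name".
    $san.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '=' } |
        ForEach-Object {
            $label, $value = $_ -split '=', 2
            [pscustomobject]@{ Type = $label.Trim(); Value = $value.Trim() }
        }
}

# Usage: list the names, then check that the host you expect is actually covered.
$names = Get-CertificateSan -Path 'C:\cert.cer'
$names | Format-Table -AutoSize

$expected = 'mail.example.com'   # constructed value for this example
if ($names.Value -notcontains $expected) {
    Write-Warning "SAN does not include $expected; clients will not accept this cert for that name"
}
```

The same X509Certificate2 object the poster already has works here, so the two-line certutil pipeline can be replaced without leaving .NET. On PowerShell 7 running on a recent .NET (7 or later), the extension of that OID is typed X509SubjectAlternativeNameExtension and exposes EnumerateDnsNames() and EnumerateIPAddresses(), which avoids the string parsing entirely; Windows PowerShell 5.1 does not have that type, hence the Format() approach above.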

Getting loads of Audit Failures in the event viewer


Hi. I'm getting loads of messages like this in the Event Viewer. They are happening every few seconds, and although the Account Name changes, they are all pretty much the same.

What I don't get is that the Workstation Name (DEDICAT-93I3U5A) is the server itself.

Is someone attempting to hack the server?

This is Windows Server 2008 R2, by the way.

An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		DEDICAT-93I3U5A$
	Account Domain:		WORKGROUP
	Logon ID:		0x3e7

Logon Type:			8

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		guest1@seymourhorwell.com
	Account Domain:

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc0000064

Process Information:
	Caller Process ID:	0x630
	Caller Process Name:	C:\Windows\System32\svchost.exe

Network Information:
	Workstation Name:	DEDICAT-93I3U5A
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Advapi
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Would appreciate any help at all.

Big thanks.



Microsoft Root certificate Authority


I am hoping someone can help me. I recently migrated a Windows 2003 root CA to Windows 2012. I also have two sub CAs configured (one running Windows 2003 and one running Windows 2012). The issue I currently have is with the root CA certificate.

The new root CA has a different computer name, and I did renew the sub CA certificates, which have the updated and correct CRL distribution points.

The problem is with the root CA certificate itself. I renewed the certificate with the same key pair, but for some reason the CRL distribution points are still showing the old computer name. Not sure how to get this corrected without requesting a new certificate with a new key pair.

I did renew the certificate, but the CRL list on the certificate itself is still pointing to the old one.

Also, is there a way to revert back to the old certificate?

2012R2 Certificate Authority - Does it matter with Edition


Under Windows 2003, the functionality of a Certificate Authority (e.g. editing certificate templates) was decided by the server edition (either Standard or Enterprise).

As 2012 R2 doesn't have an Enterprise edition, does the Standard edition have full functionality, or do you require Datacenter?

Thanks


reg


Why all the reg errors? I can't do much after updating to 10074. Help.

Certificate for MAC computers


Hello, we are currently using a Windows 2012 Enterprise CA to deploy computer certificates to all our domain workstations (Windows laptops) for authenticating them to the wireless network. How can we deploy or roll out computer certificates to Macs? What template can I use to publish? By default, if I look in a computer template, there is a tab where it shows OS versions for compatibility purposes; there it only has Windows versions. Also, do Macs first need to be joined to our domain in order to get this certificate? Please advise.

Audit group and users


Hi Folks!

I wonder if there is a way (PowerShell?) to get the date a user was added to a security group and the name of the account that was used to add the user to the group.

\Emilio
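As an added example (my code, not the poster's and not an official answer), there are two sources for this and they answer different halves of the question. The Security log on the domain controllers records events 4728, 4732 and 4756 when a member is added to a security-enabled global, local or universal group, including the account that did it, but only if Security Group Management (legacy: Account Management) auditing is enabled and the log has not rolled over. The group's replication metadata records when each member link last changed even with auditing off, but never who changed it. The function names are mine; the code assumes the ActiveDirectory module (Get-ADReplicationAttributeMetadata needs the 2012-era module) and rights to read the Security log on each DC, and the group name in the usage lines is a placeholder.

```powershell
# Added example, not the poster's code. Two ways to answer "when was this user added
# to the group, and by whom". Assumes the ActiveDirectory module and rights to read
# the Security log on the domain controllers.

# 1) Security log: 4728 (global), 4732 (local) and 4756 (universal) record a member
#    being added to a security-enabled group, including who did it. Each DC logs only
#    the changes made on that DC, so query all of them; you can only see as far back
#    as the audit policy and the log retention allow.
function Get-GroupMemberAdded {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [string]$GroupName,           # optional: sAMAccountName of one group
        [int]$Days = 30
    )
    $xpath = "*[System[(EventID=4728 or EventID=4732 or EventID=4756) and " +
             "TimeCreated[timediff(@SystemTime) <= $($Days * 86400000)]]]"

    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
            ForEach-Object {
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
                # TargetUserName is the group; MemberName is the DN of the account added.
                if ($GroupName -and $data.TargetUserName -ne $GroupName) { return }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Group   = $data.TargetUserName
                    Member  = $data.MemberName
                    AddedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    DC      = $dc
                }
            }
    }
}

# 2) Replication metadata: works even when auditing was off, but only gives the time
#    the 'member' link last changed for each entry, never the account that changed it.
function Get-GroupMemberChangeTime {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Server = (Get-ADDomainController).HostName
    )
    $group = Get-ADGroup -Identity $GroupName
    Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        Select-Object @{ n = 'Member';      e = { $_.AttributeValue } },
                      @{ n = 'LastChange';  e = { $_.LastOriginatingChangeTime } },
                      @{ n = 'Version';     e = { $_.Version } }   # bumps on each add/remove
}

# Usage (group name is a placeholder).
Get-GroupMemberAdded -GroupName 'Domain Admins' -Days 90 | Sort-Object Time
Get-GroupMemberChangeTime -GroupName 'Domain Admins' | Sort-Object LastChange -Descending
```

Because the metadata only shows the last change per link, a member that was removed and re-added shows the re-add time; and because the audit events are the only record of the actor, the practical mitigation for this question is to turn Security Group Management auditing on now and forward those events off the DCs, so the answer exists the next time it is asked.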

Self issued Kerberos tickets


Hi,

Can a domain controller (in a multi-domain-controller environment) using Kerberos issue tickets for itself? So if the DC needs access to another service in the domain, could it issue the necessary ticket to itself?


Client based certificate authentication


Hi,

I have a TMG 2010 and Exchange 2007.

I need to enable client-based certificate authentication for Outlook Anywhere clients who connect remotely to Exchange through the TMG server, so that only AD machines with a valid client certificate can use Outlook Anywhere remotely.

I have a couple of questions, and any advice would be appreciated.

1- Do I need an enterprise or standalone CA?

2- Do I need to use "SSL client certificate" authentication on TMG, or is ticking "require client certificate" on the rule enough?

3- Do we need a user certificate to be used as the client-side certificate on the client machine, or can a computer certificate do it too?

4- Is there any specific configuration required on Outlook?

Thanks a lot

ras
