Channel: Security forum

Reset Local Admin Password from Domain Admin Account


Hello,

I am trying to reset the Local Administrator password on a Windows 2008 R2 server from the Domain administrator account. I've tried to use PSPasswd, NET USER, but to no avail. It keeps resetting the Domain Administrator password instead of the local. I have also tried resetting it remotely from my machine, but with the same results.

Any help would be greatly appreciated!
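One thing worth checking before trying another tool: a domain controller has no local SAM, so on a DC "Administrator" is the domain account and every local-reset tool will land on it. The script below, an added example that is not part of the original post, first refuses to run against a DC (Win32_ComputerSystem.DomainRole 4 or 5), then resets the RID-500 account on a member server through the ADSI WinNT provider, finding it by RID so a renamed account is still matched. It assumes the caller is a domain account that is a local administrator on the target and that WMI (DCOM) is reachable; the password is read from a prompt rather than passed on the command line, where it would end up in history and logs.

```powershell
# Added example (not from the original post). Save as Reset-LocalAdmin.ps1 and run
# as a domain account that is a local administrator on the target member server.
param(
    [Parameter(Mandatory)][string]$ComputerName
)

# Domain controllers have no local SAM: 'Administrator' there IS the domain
# account, so a "local" reset against a DC changes the domain admin password.
$cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
if ($cs.DomainRole -ge 4) {
    throw "$ComputerName is a domain controller (DomainRole=$($cs.DomainRole)); it has no local Administrator account."
}

# Locate the built-in administrator by its well-known RID (500) rather than by
# name, so a renamed account is still found.
$computer   = [ADSI]"WinNT://$ComputerName"
$localAdmin = $computer.Children |
    Where-Object { $_.SchemaClassName -eq 'user' } |
    Where-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.objectSid.Value, 0)
        $sid.Value -like '*-500'
    }
if (-not $localAdmin) { throw "No RID-500 account found on $ComputerName." }

# Read the new password from a prompt; keep the plaintext copy as short-lived as possible.
$secure = Read-Host -Prompt "New password for $($localAdmin.Name) on $ComputerName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $localAdmin.SetPassword($plain)   # IADsUser.SetPassword: the local SAM account only
    $localAdmin.SetInfo()
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

# Verify against the target: PasswordAge is reported in seconds and should be near 0.
$localAdmin.RefreshCache()
"$($localAdmin.Name) on ${ComputerName}: password age is now $($localAdmin.PasswordAge.Value) s"
```

Run it as `.\Reset-LocalAdmin.ps1 -ComputerName SERVER01`. If the DomainRole check fires, the machine is a DC and the request was never about a local account in the first place.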


How to not allow an administrator to change the passwords of other users


Dear all,

I use Windows 2012 Standard. How do I set up one administrator so that they are not allowed to change the passwords of other users, including users and administrators?

The server is not joined to a domain.

thanks


john

Deleting Built-in Administrator account

Now, I've done some heavy modifications on a little blackbox-ish laptop, and I would like to make it as secure as possible. Since I allow a command prompt to open on the login screen, whoami reports it running as the NT SYSTEM user; I understand that much. What I want to know is: if I delete the built-in Administrator account, will that cause underlying processes to fail, or will it cause other problems? What's your take on this?

New Attribute Security For All Users


Hello everyone,

I want to add a new attribute for users. I created an attribute in the AD schema and attached it to users. However, what I want is that every user can see their own attribute value but not other users' attribute values. For example, I created an attribute named "Identity number" and entered values for all users. Now user "A" can see their own identity value, but can also see the identity value of user "B". I want to disable that. How or where can I manage/control this attribute's security?

Thanks in advance.
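The standard AD mechanism for "readable only by explicitly authorised principals" is the confidential bit (0x80) in the attribute's searchFlags: once set, plain Read Property permission no longer exposes the value, and only principals holding the Control Access right on that attribute (plus administrators) can read it. The script below is an added example, not from the original post; it assumes the ActiveDirectory module, Schema Admins membership, and uses the placeholder lDAPDisplayName identityNumber because the post only gives the display name "Identity number". It also refuses to touch base-schema attributes, which cannot be made confidential.

```powershell
# Added example (not from the original post). Requires Schema Admins and the
# ActiveDirectory module. 'identityNumber' is a placeholder lDAPDisplayName.
Import-Module ActiveDirectory

$attrName        = 'identityNumber'
$confidentialBit = 0x80   # searchFlags bit 7: value is confidential
$baseSchemaFlag  = 0x10   # systemFlags FLAG_SCHEMA_BASE_OBJECT: cannot be made confidential

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
    -Properties searchFlags, systemFlags
if (-not $attr) { throw "Attribute $attrName not found in the schema." }
if ($attr.systemFlags -band $baseSchemaFlag) {
    throw "$attrName is a base-schema attribute; the confidential bit cannot be set on it."
}

if (($attr.searchFlags -band $confidentialBit) -eq 0) {
    # Schema writes go to the schema master; keep every other searchFlags bit as it is.
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = ($attr.searchFlags -bor $confidentialBit) }
}

# Verify the bit is now set (returns 128 when confidential).
$after = Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Properties searchFlags
"searchFlags for ${attrName}: $($after.searchFlags) (confidential bit: $($after.searchFlags -band $confidentialBit))"
```

After the schema change replicates, nobody except administrators can read the value until you grant the Control Access right on that attribute: to a group that must see everyone's value, and to SELF on the user objects so each user can still read their own (Control Access rights can be granted to SELF, the same way Change Password is). dsacls can do that with its CA right scoped to the attribute, for example `dsacls "<OU DN>" /I:S /G "SELF:CA;identityNumber;user"`; verify afterwards by reading the attribute as user A against both A's and B's objects.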

Specific rights (e.g. Log on as a service) and BUILTIN groups


If a domain account has been granted specific rights on a server such as "Log on as a service" and/or "Adjust memory quotas for a process", does that account also need to be a member of any of the "BUILTIN" groups?  For example, our organization has a requirement to remove "Domain Users" and "NT AUTHORITY\Authenticated Users" from the "BUILTIN\Users" group on all servers, leaving just "NT AUTHORITY\INTERACTIVE".  While building out a new SQL Server, I found that even though the domain account that the SQL Server service is configured to run as has been granted

  • Log on as a service (SeServiceLogonRight)
  • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

as required by Microsoft, the SQL Server service fails to start unless it has been added to either the "BUILTIN\Administrators" (a security no-no) or the "BUILTIN\Users" group. Otherwise the error message received when trying to start the service is "Event ID 7000 - The SQL Server (MSSQLSERVER) service failed to start due to the following error: Access is denied".

Disable TLS 1.0 and TLS 1.1 on Windows 2012 R2 File Server.


Hello Friends,

During the security audit we have been advised to disable the following on the Windows 2012 R2 server that is our file server:

TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
TLS/SSL Server Supports 3DES Cipher Suite
TLS/SSL Server is enabling the BEAST attack
TLS/SSL Server Supports The Use of Static Key Ciphers
TLS Server Supports TLS version 1.1
TLS Server Supports TLS version 1.0

Is it safe to disable TLS 1.0 and 1.1 on the file server?

Regards,

SGH.


MCP, MCTS
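Two facts decide the risk here. SMB file sharing does not use Schannel at all (SMB 3 signing and encryption are negotiated inside SMB), so the shares themselves are unaffected. What the Schannel settings govern is every service that terminates TLS on the box: RDP with the TLS security layer, WinRM or IIS over HTTPS, LDAPS if present, and any application that uses Schannel; clients that can only speak TLS 1.0 (old operating systems or unpatched .NET applications) will fail to connect to those services after the change. The script below, an added example that is not part of the original post, reports the current Schannel protocol and cipher state and, with -Apply, writes the documented registry values that disable TLS 1.0/1.1, RC4 and 3DES for both roles while keeping TLS 1.2 enabled. Run it elevated, review the report first, and reboot after applying; the key and value names are the standard Schannel ones, nothing else is assumed.

```powershell
# Added example (not from the original post). Run elevated on the 2012 R2 file server.
# Without -Apply the script only reports; with -Apply it writes the values (reboot afterwards).
param([switch]$Apply)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Enabled=0 plus DisabledByDefault=1 turns a protocol version off for that role.
$protocolTargets = [ordered]@{ 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true }

# The ciphers the audit flagged (RC4 variants and 3DES); Enabled=0 disables each.
$cipherTargets = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168'

function Get-DwordOrDefault($Path, $Name, $Default) {
    $v = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { $Default } else { $v.$Name }
}

foreach ($proto in $protocolTargets.Keys) {
    foreach ($role in 'Server', 'Client') {
        $key = "$base\Protocols\$proto\$role"
        "{0,-8} {1,-6} Enabled={2,-9} DisabledByDefault={3}" -f $proto, $role,
            (Get-DwordOrDefault $key 'Enabled' '(default)'),
            (Get-DwordOrDefault $key 'DisabledByDefault' '(default)')
        if ($Apply) {
            $on = $protocolTargets[$proto]
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Force `
                -Value $(if ($on) { 1 } else { 0 }) | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Force `
                -Value $(if ($on) { 0 } else { 1 }) | Out-Null
        }
    }
}

foreach ($cipher in $cipherTargets) {
    # Cipher key names contain '/', which the registry provider treats as a path
    # separator, so these keys are handled through the .NET registry API instead.
    $sub = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher"
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub, $true)
    if (-not $k -and $Apply) { $k = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($sub) }
    $current = if ($k) { $k.GetValue('Enabled', '(default)') } else { '(default)' }
    "{0,-16} Enabled={1}" -f $cipher, $current
    if ($Apply) { $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
    if ($k) { $k.Close() }
}
```

Before applying on the file server, list what actually listens with TLS there (RDP, WinRM HTTPS, IIS) and test each from the oldest client that must keep working; the audit scanner's findings were produced against those listeners, not against SMB.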

CA Running on DC which needs demotion


Hello All... We have a Domain Controller that is also hosting a Root CA server based on Windows Server 2008.  The DC does not have any FSMO roles.  This is the only DC that is based on Windows Server 2008; all other DCs are based on Windows Server 2012.

Question:  We want to raise the Functional Level to 2012, but we are unable to do so because of the presence of the Windows Server 2008-based DC.  We have tried uninstalling the DC role from the server, but it does not allow this, as it is running the Root CA as well.  What can be the possible solution to this?

SQL Server and account lockout threshold


Hello.

I use MSSQL 2012, and when I define an "account lockout threshold", then after some minutes I get the error below when logging in to the web site:

After that I must reset the "sa" account manually to fix it. I guess there are a lot of attacks on my DB and... I use Windows Firewall, but how can I protect my server?

Thank you.


Credential Manager in Windows 2003


Hi

On my dev machine (Win 2003), I usually enter different credentials depending on the project and page I am testing, so I would like to store these dev credentials somewhere in the system rather than entering them each time. I didn't find anything equivalent to Credential Manager / Windows Vault in Windows 2003. It would really help me if anyone could provide the best solution for storing these passwords.


Thanks in Advance.


Enrolling for computer certificates On Behalf of...

Greetings to the Wizards,

I hope someone can help me with my problem or point me in the right direction:

we have a security system (authenticator) enforcing 802.1X restriction on wireless access. The authenticator uses our domain controllers / Active Directory as authentication servers. For credentials a digital certificate is used and the authenticator compares the certificate shown by the supplicant (e.g. a notebook) with the certificate stored in AD for the entity in a field (SAN, ...whatever... - configurable) of the supplicant's certificate.

While duplicating and using the Workstation Authentication template and setting it up for auto enrollment succeeded for Windows based domain members, I stumbled over finding the right process for Linux based computers.

These Linux computers need to have a computer account in AD if we want to handle them the same way (same policies on the authenticator) as the Windows machines. OK, this can be achieved by using PowerShell's New-ADComputer.

But now those Linux clients need a certificate and need this stored in their own computer account object. Two requirements for this:

a) the Linux computer can't create the certificate request (and hence the private key) itself - just take it as it is, because it's a special thing for our deployed Linux System; of course one can import private key and certificate on the Linux computer for use in 802.1X authentication

b) the process should be streamlined to prevent as much work as possible on the CA admins / agents shoulders ;-))

First I thought of this as a perfect scenario for an Enrollment Agent, because we already have Enrollment agents in place for assigning code signature software certificates to IT staff, for we have an AD (Linux computer) account, the requestors data (Linux computer name) could be taken from AD and storing the certificate with the AD object is just a template setting. But then the headaches began:

I can't access a duplicated Workstation Authentication template from a user account with an Enrollment Agent (User) certificate. But I can't enroll for an Enrollment Agent (Computer) certificate as a user either. I could do it as a computer (e.g. the CA server itself), but I won't get "Enroll on behalf of..." if I open mmc with certificate snap-in for Local Computer on the CA.

Yes, it could be done with a CSR, where the Enrollment agent has to manually fill in the computer name, etc. But it seems so right to think of it as an Enrollment agent process - alas, how to set it up?

Kind regards
Carsten

Group Managed Service Account UNC file share


Does anybody know if you can have a GMSA for a file share? I am having trouble setting it up.  Getting access denied to the share.

Are there any articles you may point me to for the correct steps?

Windows 2012 platform

Thank you


p

certutil returns the wrong CDP urls


How do I update the CDP URLs, and should I have an AIA URL?

Cert server is now on 2008 R2 named dc2.  I can't find how to change the URLs listed here

ldap:///CN=XYZ%20Associates(1),CN=XYZ01-AD,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainX,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

and

http://XYZ01-ad.domainX.com/CertEnroll/XYZ%20Associates(1).crl

XYZ01-ad needs to be changed to dc2

Error

C:\Windows\System32\CertSrv\CertEnroll>certutil -urlfetch -verify c:/temp/cert.cer
Issuer:
    CN=XYZ Associates
    DC=domainX
    DC=com
Subject:
    CN=XYZ Associates
    DC=domainX
    DC=com
Cert Serial Number: 1628ec47db7063ac40d437aa642ff2c9

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=XYZ Associates, DC=domainX, DC=com
  NotBefore: 1/23/2015 9:26 AM
  NotAfter: 1/23/2020 9:34 AM
  Subject: CN=XYZ Associates, DC=domainX, DC=com
  Serial: 1628ec47db7063ac40d437aa642ff2c9
  Template: CA
  73 60 f8 cc 0a 00 6c 4b 69 03 aa 91 64 c4 81 cc dc 9a 05 00
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The system cannot find the file specified. 0x80070002 (WIN32: 2)
    ldap:///CN=XYZ%20Associates(1),CN=XYZ01-AD,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainX,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Failed "CDP" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://XYZ01-ad.domainX.com/CertEnroll/XYZ%20Associates(1).crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  73 60 f8 cc 0a 00 6c 4b 69 03 aa 91 64 c4 81 cc dc 9a 05 00
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

C:\Windows\System32\CertSrv\CertEnroll>
thanks for the help


Enrollment Agent - certificate enrollment "on behalf of" using two identical smart cards


I am using two identical smart cards and two identical smart card readers: one for the enrollment agent and one for the user on whose behalf the enrollment agent performs the enrollment.

The certificate for the user is generated on the enrollment agent smart card not on the user smart card.

How can the enrollment be done to obtain the desired outcome?

Revoked certificates and enrol a new one


Hi all,

I have strange behaviour in my infrastructure. I have two computer certificate templates. One is used for wifi and VPN connections and is auto-enrolled; the second has similar properties but is used only for some VPN tests and was manually enrolled. I revoked the test certs and the VPN connection was refused, so far so good. But I have seen that after a few days my test computers no longer have the revoked cert; instead they have a new one. In the template I don't allow computers and users to auto-enrol. Also, in request handling I have signature and encryption, so "delete revoked or expired" can't be used. My issue is that after a few days revoked computers can open a VPN again without problems. In the CA I have enabled the option to publish in AD and not duplicate.

Any suggestions?

Now in gp I have rules like:

  • computers auto enrol cert but without Renew expired certificates, update pending certificates, and remove revoked certificates enabled
  • Users auto enrol cert but with Renew expired certificates, update pending certificates, and remove revoked certificates enabled
I can see in CA the revoked certs and also the new cert for same PC :(.
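The question to settle first is which template issued the replacement certificate: the CA database records the requester and template for every request, and each issued certificate carries its template in an extension. The snippet below is an added example, not part of the original post; the requester name DOMAIN\TESTPC1$ is a placeholder for one of the test computers. The certutil query runs on the CA, the function runs on the test computer, and the event query reads the client's certificate lifecycle log (present on Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the original post). DOMAIN\TESTPC1$ is a placeholder.
$requester = 'DOMAIN\TESTPC1$'

# On the CA: every request from that computer with its outcome and template.
# Request.Disposition 20 = issued, 21 = revoked.
certutil -view -restrict "RequesterName=$requester" `
    -out "RequestID,Request.Disposition,CertificateTemplate,NotBefore,SerialNumber"

# On the test computer: which template each machine certificate came from.
# v1 templates carry the name in OID 1.3.6.1.4.1.311.20.2; v2 and later carry
# the template OID and version in 1.3.6.1.4.1.311.21.7.
function Get-MachineCertTemplates {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $tpl = $_.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore
            Subject    = $_.Subject
            Template   = ($tpl -join '; ')
        }
    }
}
Get-MachineCertTemplates | Sort-Object NotBefore | Format-Table -AutoSize

# Client-side enrollment history: who requested the new certificate and when.
Get-WinEvent -LogName 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational' `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If the replacement shows the auto-enrolled wifi/VPN template rather than the test template, the revocation worked as intended and the machine simply qualified for the other template; if it shows the test template, the CA query tells you which account requested it, and that template's Enroll and Autoenroll permissions are where to look.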

How to do RUNAS and RUN AS ADMINISTRATOR at the same time?


What do I need?

Logged on as User1, to open a CMD (or File Explorer, if possible) as another user, User2, but User2 has to be started with all privileges.

I've tried to create a shortcut to runas /user:User1 CMD.EXE and run the shortcut as administrator.

But even doing that, the token still uses the non-admin privileges, as you can see below:

whoami /groups

Group Name                                                    Type             SID         Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Backup Operators                                      Alias            S-1-5-32-551 Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group

One idea is to log in as User2 and use the "run as administrator" option, but in this particular case I need to be logged on as User1 and open a CMD as User2 with full privileges.
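The whoami output above is the signature of a UAC filtered token: BUILTIN\Administrators is present but marked "Group used for deny only", so the process is a member for access-denied decisions and not for grants. runas always produces that filtered token for an admin user; "Run as administrator" on the shortcut elevated the runas.exe process itself, which then created a new, unelevated logon for the other user. The function below is an added example, not from the original post, that reports the token state of whatever window it runs in so you can tell the two apart. It uses whoami's CSV output and the WindowsPrincipal check from .NET; nothing outside the standard Windows tools is assumed.

```powershell
# Added example (not from the original post). Run inside the window opened with runas.
function Get-TokenState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    # Same table as 'whoami /groups', but machine-readable.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User             = $id.Name
        InAdministrators = [bool]$admins
        # "Group used for deny only" on S-1-5-32-544 = UAC filtered (unelevated) admin token
        FilteredToken    = [bool]($admins -and $admins.Attributes -match 'deny only')
        EffectivelyAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        IntegrityLevel   = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'
    }
}
Get-TokenState
```

FilteredToken = True with EffectivelyAdmin = False is exactly the state in the post. Elevation has to be requested by the process that holds the filtered token, not by the launcher, so the usual way to get an elevated User2 shell from a User1 logon is to let the User2 process ask UAC itself: `runas /user:User2 "powershell.exe -NoProfile -Command Start-Process cmd.exe -Verb RunAs"` starts an unelevated PowerShell as User2, whose Start-Process -Verb RunAs triggers the UAC prompt for User2's full token; the cmd window that opens then reports EffectivelyAdmin = True.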


PKI - Certificate Revocation List Distribution Point for Internal Certification Authority.


Hello Friends,

We are planning to implement HTTP CRL for our CA, steps are below..

https://blogs.technet.microsoft.com/nexthop/2012/12/17/updated-creating-a-certificate-revocation-list-distribution-point-for-your-internal-certification-authority/

My Question is..

1. Can we have two CRL Distribution Points in a certificate (ldap:// and url://http: both)? For example, the current CRL Distribution Point in issued certificates points to "ldap:///CN=INT-CA,CN=CAServer1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Testing,DC=in."

Can we have both in the same certificate, and how will it work?

Regards,

SGH.


MCP, MCTS
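Both questions above, the certutil output still showing the old XYZ01-AD server in the CDP, and whether an ldap:// and an http:// distribution point can coexist, are answered by the same CA registry value: CA\CRLPublicationURLs is a list of flagged URLs, every entry flagged "add to CDP extension" is written into newly issued certificates in the order listed, and clients walk that list in order until one fetch succeeds (the poster's own -urlfetch output is that walk). The block below is an added example, not from either post; it assumes it runs elevated on the CA host, uses the hostname dc2.domainX.com from the first post, and relies only on certutil's documented %-tokens and flag bits.

```powershell
# Added example (not from the original posts). Run elevated on the CA server (dc2).
# certutil URL tokens: %1 server DNS name, %2 server short name, %3 CA name,
# %4 certificate index, %6 configuration container, %7 sanitized CA name,
# %8 CRL name suffix (the "(1)" in the poster's URL), %9 delta-CRL marker,
# %10 CDP object class. Flag bits: 1 publish CRL here, 2 add to CDP extension
# of issued certs, 4 add to freshest-CRL (delta) extension, 8 add to the CRL's
# own CDP, 64 publish delta CRL here. 79 = 1+2+4+8+64, 6 = 2+4.

# 1. Record the current values so they can be restored if needed.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 2. CDP: local CertEnroll folder (publish only), AD (ldap, published and in the
#    extension) and http on the new host (in the extension; IIS serves CertEnroll).
#    certutil takes the literal two characters \n as the list separator.
$crlUrls = '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl' +
           '\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10' +
           '\n6:http://dc2.domainX.com/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CRLPublicationURLs $crlUrls

# 3. AIA: where clients fetch the CA certificate itself (the post had no AIA URL).
#    1 = publish the CA cert here, 2 = add to the AIA extension of issued certs.
$aiaUrls = '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt' +
           '\n2:http://dc2.domainX.com/CertEnroll/%1_%3%4.crt'
certutil -setreg CA\CACertPublicationURLs $aiaUrls

# 4. Restart the CA so it reads the new values, then publish a fresh CRL to the
#    new locations.
Restart-Service certsvc
Start-Sleep -Seconds 5
certutil -crl

# 5. Verify: registry shows dc2, and a certificate issued AFTER the change
#    resolves every CDP/AIA URL. <new-cert.cer> is a placeholder path.
certutil -getreg CA\CRLPublicationURLs
# certutil -verify -urlfetch C:\temp\new-cert.cer
```

Two caveats the poster's output already hints at. First, the URLs are baked into each certificate at issuance, so existing certificates (and the CA's own self-signed certificate, which is the element failing above) keep the XYZ01-AD locations; the verify still completes because revocation is not checked on the root (CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT), but end-entity certificates issued before the change will keep failing until they are renewed or a CRL is made reachable at the old locations (a DNS alias for XYZ01-ad.domainX.com pointing at dc2 covers the http URL; for the ldap URL, certutil's -dspublish accepts the DS CDP container name as a second argument, so the CRL can be published into the old CN=XYZ01-AD container as well). Second, keep the http entry reachable over plain HTTP: CRL fetches must not depend on TLS, which would need its own revocation check.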

Stand Alone CA: How do I modify default Certificate Services web pages (\CertSrv) to use 2048 bit key pairs?


Greetings, can someone take a look at the .asp pages which ship with Certificate Services and tell me what to modify to generate and use 2048-bit keys? Currently a "default" of 1024 is being used, and I have searched wincrypt.h and other locations and cannot find how to change this default behavior. Thank you.

Environment:

Stand Alone CA: Windows 2003 (Production), Windows 2008 RC2 (Test Environment)
Clients: Use both Xenroll (pre-longhorn clients) and X509 Enrollment WebClassFactory (CertEnrollCtrl.exe)
Code: Certrqbi.asp, certfnsh.asp and xenrprxy.inc


Patrick Henry Tronnier

CA Server - SHA2 and SHA1


We are rebuilding our CA server on the network. I understand that from January SHA1 will no longer be supported, so we should rebuild with SHA2. We have old devices that don't support SHA2. Is it possible to have both root certs?

How to publish a new Root certificate


Hello.

I have a problem publishing a new root certificate.

I use this command with "domain admin" rights:

certutil -dspublish -f <certfilename> RootCA

The command finished successfully, but Enterprise PKI still shows the old Root certificate.

But if I check the AD containers NTAuth, AIA and Certification Authorities, I see the new root certificate.

What command do I need to use, and which rights, to publish the new root certificate to the CA certificate in Enterprise PKI?

Thanks.



PKI - RDP - getting rid of self signed RDP certificate


I am using a Microsoft PKI to deploy server certificates. I realised that Windows automatically creates a self-signed certificate in the local Remote Desktop certificate store.

I wanted to use the default RDP certificate when connecting to the machine via RDP. After following this manual (http://www.darkoperator.com/blog/2015/3/26/rdp-tls-certificate-deployment-using-gpo) the connection was established using the server certificate.

My problem is that even after deleting the self-signed certificate from the store, every time I reconnect to the server the self-signed certificate is recreated. Is there a way to get rid of this certificate?
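The Remote Desktop service regenerates its self-signed certificate whenever the "Remote Desktop" store is empty; that is by design and cannot be disabled. What matters is which certificate the RDP-Tcp listener is configured to present, held in the SSLCertificateSHA1Hash property of Win32_TSGeneralSetting: once that points at the CA-issued certificate in the machine's My store, the self-signed copy is never offered. The functions below are an added example, not from the original post; they read and, if needed, set that property through the WMI class the GPO-based deployment also drives, and assume an elevated session on the RDP server and a CA-issued certificate with the Server Authentication EKU whose private key is readable by NETWORK SERVICE (the account TermService runs as).

```powershell
# Added example (not from the original post). Run elevated on the RDP server.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"

function Get-RdpCertificateState {
    $configured = $ts.SSLCertificateSHA1Hash
    $inMy       = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $configured }
    $selfSigned = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop'
    [pscustomobject]@{
        SecurityLayer     = $ts.SecurityLayer      # 0 = RDP, 1 = Negotiate, 2 = TLS
        ConfiguredThumb   = $configured
        ConfiguredIssuer  = if ($inMy) { $inMy.Issuer } else { '(not in My store)' }
        SelfSignedPresent = [bool]$selfSigned     # True is normal; it is regenerated on demand
        # True only if the listener is still pointed at the self-signed certificate
        SelfSignedInUse   = [bool]($selfSigned | Where-Object { $_.Thumbprint -eq $configured })
    }
}

function Set-RdpCertificate([string]$Thumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this machine.' }
    $serverAuth = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' } }
    if (-not $serverAuth) { throw 'Certificate lacks the Server Authentication EKU.' }
    # Same property the GPO template setting populates; takes effect for new connections.
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
}

Get-RdpCertificateState
```

With SelfSignedInUse = False and ConfiguredIssuer showing your CA, the regenerated self-signed certificate is inert and can be left in place; it only becomes a finding if the listener setting reverts to it (for example when the CA certificate expires and nothing renews it), which is what this check is meant to catch.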



