Microsoft Supportability e-Newsletter : Active Directory

EFS File Recovery

gbs — Thu, 26 Apr 2007 12:27:00 GMT

Windows XP and Windows Server 2003 provide many enhancements in the area of data protection— especially Encrypting File System (EFS). This article provides some common issues and file recovery practices to prevent encrypted files being inaccessible. We...(read more)

Access Denied, or Other Access Failure to SMB Shares from Vista Clients

gbs — Thu, 26 Apr 2007 11:29:00 GMT

Some of the fun we have in product support is that, once a new product is released nowadays, we get to navigate the uncharted waters of new security settings interoperating with our customers’ real world environments. With Windows XP and Server 2003 we...(read more)

Installing Office 2007 Using Group Policy Software Installation

gbs — Thu, 26 Apr 2007 11:25:00 GMT

The Office team published a great “how to” on installing Office 2007 using Group Policy. The Office 2007 Resource Kit includes this documentation. You can view it online at the Microsoft TechNet site. Here’s a direct link http://technet2.microsoft.com/Office/en-us/library/efd0ee45-9605-42d3-9798-3b698fff3e081033.mspx?mfr=tru...(read more)

Temporary profile issue

gbs — Tue, 27 Mar 2007 09:14:00 GMT

A temporary user profile is issued each time an error condition prevents the user's profile from loading. Temporary profiles are deleted at the end of each session, and changes made by the user to their desktop settings and files are lost when the user...(read more)

Typical Symptoms when secure channel is broken

gbs — Thu, 18 Jan 2007 06:22:00 GMT

The secure channel is used to validate the member servers or workstations membership in the domain, based upon its hashed password. This discrete communication channel helps provide a more secure communication path between the domain controller and the...(read more)

Ghost trust object caused the network share inaccessible

gbs — Tue, 16 Jan 2007 09:11:00 GMT

A while back we got involved in a weird issue where a network user encountered network share access problems. The symptom or the error message might be different in some scenarios: 1. Domain controller’s share folders cannot be accessed by the NETBIOS...(read more)

Using ADRestore tool to restore deleted objects

gbs — Thu, 14 Dec 2006 11:23:00 GMT

Have ever encountered the following scenarios? User accounts, groups, computers, OUs or other objects in domain accidentally deleted. No system state backup available for authoritative restoration. No other DC's available. When an object is deleted from...(read more)

The comprehensive technical articles and best practice of Windows Time

gbs — Thu, 16 Nov 2006 07:48:00 GMT

Microsoft has put together a comprehensive and technical article Windows Time and the W32TM service explaining how the Windows Time service works and how the time on desktop machines is synchronized with the server. There are some best practices that...(read more)

Regarding AdminSdHolder

gbs — Thu, 16 Nov 2006 07:40:00 GMT

Windows 2000 and 2003 both contain protected groups , called AdminSdHolder . AdminSdHolder is used to control the permissions of user accounts that are members of the built-in Administrators or Domain Administrators groups. Protected Groups are groups...(read more)

What’s new in GP in Windows Vista

gbs — Thu, 16 Nov 2006 06:54:00 GMT

Group Policy in Windows Vista and Windows Server "Longhorn" provides an infrastructure for centralized configuration management of the operating system and applications that run on the operating system. Expanding on the foundation established in Windows...(read more)

Desktop lockdown in a domain or non-domain environment

gbs — Tue, 19 Sep 2006 10:18:00 GMT

Locking down desktops is becoming more and more prevalent in today’s corporate environment. Malware, viruses and malicious users are putting the pressure on IT staff to remove users as local admin’s and lockdown systems. In order for this to be successful, administrators need a delivery mechanism to install software and hot fixes to users machines. Here is some of our experiences in locking down desktops as a very import step in securing your infrastructure. Specifically, we focused on locking down desktop via Group Policy and how to leverage that in an Active Directory environment. ...(read more)

DFS namespace permissions

gbs — Tue, 19 Sep 2006 10:15:00 GMT

This is a common topic in the DFS_FRS field. Customers often describe how some users are unexpectedly denied access to targets in the namespace while other users can access the targets without problems. Customers also ask whether there are DFS permissions somewhere that must be adjusted. The answer is that DFS clients will respect the combination of NTFS and share permissions set on the particular target the client is trying to access. ...(read more)

Hot issue Errors related to Kerberos authentication

gbs — Tue, 19 Sep 2006 09:52:00 GMT

Kerberos is the default protocol for network authentication in Windows Server 2003. The Kerberos authentication protocol provides a mechanism for mutual authentication between a client and a server, or between one server and another, before a network connection is opened between them. It is more flexible and efficient than NTLM, and more secure. However, if Kerberos authentication fails between computers in a domain, we may encounter problems in DC replication, sharing resources, logon or other operations. ...(read more)

Forcefully demote a Windows Server 2003 domain controller

gbs — Wed, 06 Sep 2006 12:45:00 GMT

Under some circumstances, a domain controller cannot be gracefully demoted due to the required dependency or operation failing. These include network connectivity, name resolution, authentication, Active Directory service replication, or the location of a critical object in Active Directory. As a last resort, we can perform a forced removal of a domain controller from Active Directory to avoid having to reinstall the operating system on a domain controller that has failed and cannot be recovered. When a domain controller can no longer function in a domain (that is, it is offline), you cannot remove Active Directory in the normal way, which requires connectivity to the domain. Forced removal is not intended to replace the normal Active Directory removal procedure in any way. It is virtually equivalent to permanently disconnecting the domain controller. ...(read more)

Hot Security issues after installing Windows 2003 SP1

gbs — Wed, 06 Sep 2006 11:37:00 GMT

Windows 2003 Service Pack 1 makes some significant changes to security including start up account for services, DCOM security and etc. Services such as RPC and DCOM are integral to Windows Server 2003, but they are also an alluring target for hackers. By requiring greater authentication for RPC and DCOM calls, Service Pack 1 establishes a minimum threshold of security for all applications that use these services, even if they possess little or no security themselves. Since SP1 has stronger defaults and privilege reduction on services, it may result in some issues after installing SP1. ...(read more)