February, 2009

  • A pair of useful AD books released

    Ned here again. William Stanek has released a couple of new books through Microsoft Press that any AD administrator will find indispensable:

    Active Directory Administrator's Pocket Consultant

    Group Policy Administrator's Pocket Consultant

    In William's own words, the "book is organized by job-related tasks rather than by features. Speed and ease of reference is an essential part of this hands-on guide. The book has an expanded table of contents and an extensive index for finding answers to problems quickly. Many other quick reference features have been added as well. These features include step-by-step instructions, lists, tables with fast facts, and extensive cross-references."

    These are excellent task-oriented handbooks that are especially useful at 3AM when the brain gets fuzzy and the chips are down. You can read more details on what the books include at William's website. They each list at thirty bucks, but a quick look at Amazon shows they are currently a steal at $19.79 plus free shipping. Hustle on over there before they come to their senses. :)

    - Ned "Just flew back from Redmond and boy are my arms tired" Pyle

  • New Directory Services KB Articles 2/14-2/21

    New KB articles related to Directory Services for the week of 2/14-2/21.

    957039 - A Windows Server 2003-based computer becomes unresponsive when a high volume of traffic runs through a network adapter that has a large bandwidth

    956438 - A Windows Server 2003-based or Windows Server 2008-based terminal server stops accepting new connections, and existing connections stop responding

    966319 - During user logon or logoff, you receive stop error code 0x00000050, and the system restarts automatically on a computer that is running Windows Server 2008 or Windows Vista SP1

    954407 - Error message when you create a RODC IFM or RODC Sysvol IFM on a Windows Server 2008-based domain controller

    967170 - Windows Vista and Windows Server 2008 do not correctly audit all the privilege use events

    968005 - A Terminal Server smartcard logon using RDP 6.0 may fail with error code 0x507

  • New Directory Services KB Articles 2/7-2/14

    New KB articles related to Directory Services for the week of 2/7-2/14.

    967856 - Best practice for viewing Windows XP and Windows Server 2003 event logs by using Windows Vista

    967500 - The Set path for TS Roaming Profiles and TS User Home Directory Group Policy settings do not work with user environment variables

    967510 - Error message when you try to synchronize Active Directory user objects to ADAM: "Internal Error Occured:MultiByteWideChar"

    967887 - Terminal Licensing Server may not issue Per Device CALs and event id 1004 is generated

    956263 - Description of the UDP Port Reservation Utility for Windows Server 2003

    960077 - Applications or services that call the LSA Kerberos functions by using 32-bit processes encounter an exception and crash in Windows Server 2003 64-bit or Windows XP 64-bit systems

    967890 - Item level targeting in Group Policy Preferences settings require a hexadecimal value with leading zeros

    961320 - A feature is available for Windows Server 2008 that lets you synchronize the DSRM Administrator password with a domain user account

    959923 - AD FS cannot connect to an ADAM store over an SSL connection on a Windows Server 2003 R2-based server

    954405 - Why you cannot view the msDS-RevealedUsers attribute value on a read-only domain controller that is running Windows Server 2008

    960419 - The logon process stops responding when you try to log on to a Windows XP-based computer by using a cached credential

    958702 - When you copy large files between two Windows Vista or Windows Server 2008-based computers in a high bandwidth WAN network environment, the copy speed may be very slow

  • How to Hide User Information When Computer is Locked

    Hi, this is Amit from the Directory Services team and I am going to discuss a Group Policy setting which is now available in XP SP3 & 2003 SP2.

    Whenever we log on to a Windows workstation, we always see the previously logged-on user; we might want to remove that for security reasons. We already have a KB article for this: 324740.

    Ever wonder if we can hide the Domain\Username details when the computer is locked? After all, users can still look at the actual user name, domain name, etc. being used.

    If you want to hide these details, then you can configure this using a GPO setting:

    Interactive Logon: Display User Information when the session is locked.

    This setting is available at the following location:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

    This setting has three options when you enable it:

    • User display name, domain and user names (Value = 0x1)
    • User display name only (Value = 0x2)
    • Do not display user information (Value = 0x3)

    By choosing the third option, you are not displaying DOMAIN\Username details when the machine is locked.

    Once the policy is applied, it creates a registry value “DontDisplayLockedUserId” set to 3 at the following location:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    When you try to log back in to the locked machine, it will not show the name of the user who is logged on, so you have to provide your user name again along with the password.

    Note: This Group Policy setting is only available via the Group Policy editor on XP SP3 & 2003 SP2; however, it can also be applied directly by editing the registry on XP SP2, Windows Vista & Windows Server 2008 computers.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
    REG_DWORD: DontDisplayLockedUserId

    We are aware of the issue that this setting is currently not available on Windows Vista & Windows Server 2008.
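
    The registry edit described above, as an added PowerShell example that is not part of the original post: it reads DontDisplayLockedUserId, reports which of the three options is in effect, and can set it to 3. The function names Get-LockedUserIdPolicy and Set-LockedUserIdHidden are hypothetical; the key path, value name and option meanings are the ones given in the post.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Registry location and value name are taken from the post.
$PolicyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'DontDisplayLockedUserId'

# Meaning of each value, as listed in the post.
$Meaning = @{
    1 = 'User display name, domain and user names'
    2 = 'User display name only'
    3 = 'Do not display user information'
}

function Get-LockedUserIdPolicy {
    # Returns the current value, its meaning, and whether the
    # DOMAIN\Username details are hidden on the locked screen.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Value = $null
            Meaning  = 'Not configured'; Hidden = $false
        }
    }
    $value = [int]$item.$ValueName
    $text  = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'Unrecognized value' }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Value = $value
        Meaning  = $text; Hidden = ($value -eq 3)
    }
}

function Set-LockedUserIdHidden {
    # Writes REG_DWORD DontDisplayLockedUserId = 3 (option three in the post).
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName `
        -PropertyType DWord -Value 3 -Force | Out-Null
    Get-LockedUserIdPolicy   # re-read so the caller sees the resulting state
}

# Audit only; call Set-LockedUserIdHidden to apply the change.
Get-LockedUserIdPolicy
```

    Writing under HKLM requires an elevated session; the audit function only reads.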

    You can also refer to KB837022, which talks about a hotfix for MSGINA.DLL:

    You cannot change the display behavior of the user display name and of the user ID when a Windows XP-based computer resumes from the locked state.

    If you want to learn more about Group Policy and play around with other settings, check out the following links:

    Group Policy Resources on TechNet

    Download Group Policy Settings Reference for Windows Vista

    Download Group Policy Settings Reference for Windows Server 2008 and Windows Vista SP1

    www.gpoguy.com - This site has helpful videos, articles, and tools to help you work with Group Policy. Check that site out regardless, beta or not. It’s got a lot of good information for every level of GP knowledge.

    - Amit Khanna

  • New Directory Services KB Articles 1/25-1/31

    New KB articles related to Directory Services for the week of 1/25-1/31.

    Number - Title

    958612 - Citrix ICA clients are not disconnected from a Windows Server 2008 terminal server as expected when the grace period has expired and a terminal license server is not configured

    959488 - The logon process may take a long time when you try to log on to a Windows Vista-based or Windows Server 2008-based computer

  • New Directory Services KB Articles 2/1-2/7

    New KB articles related to Directory Services for the week of 2/1-2/7.

    Number - Title

    967336 - A newly promoted Windows 2008 domain controller may fail to advertise after completion of DCpromo

    967539 - Cannot configure ACL to the drive root using icacls.exe

    961515 - The subject name of a computer certificate that is issued by a Windows Server 2003-based server is set to the user principal name (UPN) of the computer account after you apply hotfix 943089

    935834 - How to enable LDAP signing in Windows Server 2008

    967332 - You cannot add V2 or V3 templates after an inplace upgrade was performed using Windows Server 2008 enterprise CA

    959606 - You find that the Drive Maps node is still available even though you disable it by using Group Policy

    967482 - Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers

    967623 - You receive a Key Distribution Center "Event ID: 29" event message on a Windows Server 2008-based domain controller

    967542 - Adding Server Features or Roles in Server 2008 may take a very long time

    960151 - Error message when you try to access a network drive that is mapped to a DFS shared folder on a client computer that is running Windows Vista or Windows Server 2008: "Error: Location is not available"

    961477 - On a Windows Vista-based computer or on a Windows Server 2008-based computer, when you use Windows Explorer to view offline files in Remote Storage, the files are recalled

    967531 - Error message when installing Windows Server 2008 Remote Server Administration Tools on Windows Vista SP1: "The update does not apply to your system"

    967475 - How to disable the TCP autotuning diagnostic tool