Blog - Title

May, 2009

  • New Directory Services KB Articles 5/10-5/23

    New KB articles related to Directory Services for the week of 5/10-5/23.

    971243

    Gpresult.exe terminates unexpectedly displaying security options when using the "/v" flag on Windows Sever 2003 x64

    970013

    The "Active Directory Users and Computers" MMC window crashes when you try to find any object in Windows Server 2008 and Windows Vista systems

    969308

    You have to enter user credentials again even if you select the "Remember my password" option when you connect to the TS Gateway server from a Windows Vista SP1-based or Windows Server 2008-based Remote Desktop Connection 6.1 client

    971198

    Logoff from Windows Vista computer takes 5-10 minutes if there is no LDAP connectivity to forest root domain

    971152

    The Credentials Manager service does not save credentials when you try to map a drive by using a "net use" command together with the "/savecred" option

    970485

    Duplicate computer names are generated if you use a Windows Setup program to generate random names for a large number of computers

    961715

    Active Directory Certificate Services crashes during its startup process when the Certificate Lifecycle Manager Exit Module setting is enabled on Windows Server 2008-based systems

    957414

    Event Viewer crashes when you open a large event log file and sort log entries by one column on a Windows Vista-based or Windows Server 2008-based computer

    971256

    Error message when attempting to start the Windows Event Log Service: "Access denied"

    971079

    You cannot add a DFS replication member to a replication group on a Windows Server 2008 R2 Beta-based or Windows Server 2008 RC-based system if the added DFSR member comes from another domain

  • MS Security Intelligence Report Volume 6 Released

    Ned here again. If you are at all interested in security, here is a must-read:

    Microsoft Security Intelligence Report volume 6 (July - December 2008)

    This covers trends and perspectives on:

    • Software vulnerabilities (both in Microsoft software and in third-party software)
    • Software exploits
    • Security and privacy breaches
    • Malicious and potentially unwanted software
    • E-mail, spam, and phishing

    It's not for the skimmer - it's 184 pages of very detailed analysis, and some of them are eye-opening. Such as the finding that industry-wide, roughly 90% of all vulnerabilities in this period were found to be in applications and browsers, not operating systems. What's your company's application patching strategy? What about your application vendors' strategy?

    For a quick sum up read, check out the smaller 'Key Findings' download, or stop by the MS Malware Protection portal.

    - Ned "Anti-Social Engineering" Pyle

  • ADMT 3.1 and Windows Server 2008 R2

    Hello All,

    UPDATE June 19 2010 - stop reading and go here:

    http://blogs.technet.com/b/askds/archive/2010/06/19/admt-3-2-released.aspx

    =====

    There’s a known issue with installing Active Directory Migration Tool (ADMT) v3.1 onto a Windows Server 2008 R2 computers that I want to bring to everyone’s attention. At this time it has been acknowledged that version 3.1 (which does require Windows Server 2008) returns the following error when attempting to install it onto R2:

    "ADMT must be installed on Windows Server 2008"

    This issue also occurs with Windows 2008 machines that previously had ADMT installed, and then upgraded to Windows 2008 R2. ADMT will no longer function correctly and returns the same error as detailed above. Microsoft is aware of the issue and diligently working on a resolution. Please stay tuned for further details and updates.

    I’d also like to take this opportunity to ask that you send me any future feature suggestions and requests for the tool, as I’ve been asked to present results of the “voice of the customer”. The ADMT development group would like to hear from our customers on how we could make the product better. Please feel free to post comments or email your recommendations and suggestions in what you’d like to see in a later release of ADMT.

    Happy migrating!

    -Jason Fournerat

  • Temporary User Profiles and the Citrix ICA Client

    Howdy folks, Scott Goad again to talk about an issue that I thought you might find useful.

    I recently worked with a customer who opened a case for an intermittent profile issue. Windows XP workstations would not load the local profile, resulting in the user receiving a temporary profile. The issue seemed to happen when a user logged off and then needed to log back into the workstation, resulting in the temporary profile.

    We started the usual troubleshooting steps for working on this type of profile load problems. We enabled USERENV debug logging (more on that here). The customer readily enabled the logging and proceeded to reproduce the issue. They were able to gather a problematic log along with a saved copy of MSINFO32, which grabs the processes running and their associated Process ID. This is useful to identify what process is running, which is recorded in the USERENV log. The USERENV log did show a problem:

    USERENV(350.354) 10:32:02:454 Local Existing Profile Image is reachable
    USERENV(350.354) 10:32:02:454 Local profile name is <C:\Documents and Settings\**********>
    USERENV(350.354) 10:32:02:454 RestoreUserProfile:  No central profile.  Attempting to load local profile.
    USERENV(350.354) 10:32:02:485 MyRegLoadKey:  Failed to load subkey <S-1-5-21-*********-1284227242-725345543-121116>, error =32
    USERENV(350.354) 10:32:02:485 MyRegLoadKey: Returning 00000020
    USERENV(350.354) 10:32:02:501 RestoreUserProfile:  MyRegLoadKey returned FALSE.
    USERENV(350.354) 10:32:02:501 ReportError: Impersonating user.
    USERENV(350.354) 10:32:02:501 ReportError: Logging Error <Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.

    DETAIL - The process cannot access the file because it is being used by another process.
    >

    USERENV(350.354) 10:32:02:501 ErrorDialogEx: Calling DialogBoxParam
    USERENV(350.354) 10:32:02:501 ErrorDlgProc:: DialogBoxParam

    At this point we knew the problem was an issue with WINLOGON trying to load the profile, but couldn’t because another process was holding a file hostage within the profile. The USERENV log will tell us what process is being called, but here 350 (hexadecimal for 848) is WINLOGON:

    image

    This was good to know, but not helpful as to why the profile could not be loaded. The next step in the troubleshooting process was to get a Process Monitor trace of the issue. This provided a bit of a challenge, since this happens at logon. We used Process Monitor and enabled boot logging, which started a trace in the background. The customer had to restart the workstation for the logging to start, and try to reproduce the problem.

    When the problem was reproduced, USERENV logged the following 1508 event in the Application Log:

    image

    Now we knew what to look for in the Process Monitor trace, so we cracked the PML file open and set a few filters. After filtering the trace, we saw where the problem resides. We started with including the path of UsrClass.dat and also to exclude RESULT is SUCCESS. This showed the problem, which is a SHARING VIOLATION. Here is a screenshot of the trace, with the surrounding events displayed (removing the RESULT is SUCCESS filter):

    The culprit process in this trace appears to be SSONSVR.exe. The details can be seen here:

     

    image

    image

    At this point we engaged Citrix and looked into the issue. This has been documented as a known problem with the 10.200 release of the Citrix ICA client, and is fixed in a future release. Citrix has documented the issue in their knowledge center, and a link is detailed below.

    The issue presents itself in Windows XP (all current service packs) where prefetch loads SSONSVR.exe into memory to enhance boot time performance. This is causing a race condition with WINLOGON and SSONSVR trying to both access the profile, resulting in the SHARING VIOLATION.

    The customer was in the process of rolling out the 10.200 version of Citrix ICA Client, so they decided to go with disabling prefetch for the SSONSVR.exe process, as outlined in KB 969100, by deleting the SSONSVR*.pf from %SYSTEMROOT%\prefetch directory at logoff.

    Resources:

    969100 When you log on to a Windows XP-based computer that is running version 10.200 of the Citrix ICA client, Windows XP may create a user profile instead of loading your cached profile

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;969100

    Citrix Knowledge Center – User Client Computer Profile is not Loaded Properly when Single Sign-on is Enabled - http://support.citrix.com/article/CTX118226

    221833 How to enable user environment debug logging in retail builds of Windows

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

    Understanding How to Read USERENV logs – AskDS Blog by Mark Ramey

    http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx

    http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx

    Process Monitor v2.04

    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

     

    Until next time,

    Scott “Scooter” Goad

  • Understanding Password Policies

    Hey everybody, its Randy again to discuss Password Policies. I recently had a case that required excruciating detail of how Password Complexity is calculated and I will now take that opportunity to discuss some interesting facts. I need to begin this discussion by directing you to the Account Lockout Best Practices Whitepaper. This paper explains all the meanings of the various password policy settings that can be defined in the domain group policy.

    Most of these settings are pretty self explanatory. If you open your default domain policy and editAccount Lockout Policy, you will see that we have several settings listed.

    Enforce Password History: When changing your password, will you be required to use a different password than previous passwords and how many previous passwords are remembered. One additional note to Password History is that it is not case sensitive. See example below:

    - For uniqueness comparison, a new password must be at least one character different than the passwords in history, with the exception that upper and lower letters do NOT count.

    That is, if “Password1” is in password history then the following will be unique since there is at least 1 character different.

    Password2 (due to 2).

    Passw0rd1 (due to numeral “0” instead of o).

    Password[ (due to symbol “[” instead of 1).

    But following will NOT be unique since upper and lower letters are the same.

    PASSWORD1

    pAsSWoRd1

    password1

    Minimum Password Length, Maximum Password Age, and Minimum Password Age are all self-explanatory and are well explained in the Account Lockout Best Practices Whitepaper.

    Password Complexity: When changing a password, you will be required to use a password that meets the domain password complexity requirements. In Windows NT, this was controlled by an add-on password filter named passfilt.dll. A password filter is a procedure that is called during the password change request. LSA (Local Security Authority) will take the incoming password change request and load the password filter and then perform whatever task the filter has defined. You can make a password filter do just about anything, but typically it is used for password synchronization between separate platforms or a series of validations to confirm that a password change meets the company requirements. It is possible to create your own password filters as well, if you’re handy with C++. In Windows 2000 and later password complexity policies are now coded directly into the operating system as part of LSA, but the complexity requirements remain the same. You can find articles on MSDN with simplified explanations of these grammar checks, hopefully the information below will provide more detail:

    From this Microsoft TechNet article, I found the following discrepancies in our documentation:

    If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:

    From this Technet article:
    1. Not contain significant portions of the user's account name or full name.

    Actually:
    We look at the entire Account Name and the Full Name. We ensure that the Password does not contain the entire name of either. We also parse through the Account Name and Full Name for delimiters: commas, periods, dashes/hyphens, underscores, spaces, pound-signs and tabs. If any are found, the Account Name or Full Name are split and all sections are verified not to be included in the password. We do not check for any character or any three characters in succession.

    From this Technet article:
    2. Be at least six characters in length.

    Actually:
    Password complexity does NOT check password length.

    From this Technet article:
    3. Contain characters from three of the following four categories:

    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)

    Actually:
    It is three of 5 categories. The four categories listed above and a catch-all category of any Unicode character that does not fall under the above four categories. This fifth category can be regionally specific.

    Complexity requirements are enforced when passwords are changed or created.

     The last setting, Store Passwords using reversible encryption, should never be used with a specific need. It is just available for compatibility with legacy apps using CHAP authentication. If you have an application or remote access policy requiring this setting then update it or replace it. You are essentially storing your passwords in plaintext.

    I just touched on a couple of points here, but the Account Lockout Best Practices Whitepaper is filled with a lot of really good information. I can’t leave without dropping some Windows 2008 science on you. So here is a tidbit of information on Fine-Grained Password Policies:

    One big concern from customers of Windows Server 2003 was that you could only set Password Policy at one location in the domain and the only way to separate these policies in your organization was to create separate domains. This has changed with Windows 2008 and Fine-Grained Password Policy. With Fine-Grained Password Policy, you can create different Password Settings Objects (PSO) and assign these PSOs to security groups in your organization. A PSO is simply a Password Policy stored in Active Directory to hold all the defined settings of that Password Policy. You can then associate the PSO to the security groups that you want to adhere to these settings. Here is a good step-by-step to setting this up in your 2008 domain.

    [Editors note: We are working to get that TechNet article with the incorrect info (and any others like it) hunted down and fixed.]

    - Randy Turner

  • New Directory Services KB Articles 5/3-5/9

    New KB articles related to Directory Services for the week of 5/3-5/9.

    969710

    How to enable the half-open TCP connections limit in Windows Vista with Service Pack 2 and in Windows Server 2008 with Service Pack 2

    971133

    Verbose logging may have adverse effects on system performance

    969902

    Many services do not start when you enter a computer name that exceeds 15 bytes during the initial setup of Windows Vista or of Windows Server 2008

    970914

    How to Manually Restore Files Backed Up Using Windows Backup

    971070

    The Debug Diagnostics 1.1 Whitepaper is now available

    967358

    You receive error messages when you try to create a domain GPO or edit an existing domain GPO in a Windows Server 2008 Active Directory domain environment

     

  • Now we're multilingual

    Translate this page

    Ned here. The invite finally came through, and AskDS now supports a built-in MS Translation widget. It's linked on the left column (scroll down a bit). Simply select your native language and the blog will magically turn from English to Spanish, German, French, Italian, Russian, Polish, Chinese, Dutch, Japanese, Korean, Portuguese, or Arabic. Probably with occasionally hilarious mistranslations, but overall hopefully quite accurate and helpful. 

    Cool!

    - Ned Pyle

  • Five common questions about AdminSdHolder and SDProp

    Ned here again. After a few years of supporting Active Directory, nearly everyone runs into an issue with AdminSdHolder. This object and its AD worker code is used by Domain Controllers to protect high-privilege accounts from inadvertent modification – i.e. if an administrator account was moved into an OU that was being maintained by an delegated OU admin, it makes sure the high-privilege permissions are not stripped away. You can probably think of a few reasons why allowing a member of Enterprise Admins to be monkeyed with is a Bad Thing™.

    Anyhoo, the way this works is there’s a special object located at:

    cn=adminsdholder,cn=system,dc=contoso,dc=com

    Any security descriptors for those groups listed on that object are re-stamped on the user object members every 60 minutes. So you may have run into this where you had made some custom ACL changes on your Administrator user that was a member of some OU, then found an hour later that your changes had disappeared. All by design, all well-and-good. There is also the related SDProp code, which computes and fixes up group memberships for Administrative groups. Both tasks operate only on the PDC Emulator.

    So here are the questions Microsoft gets asked most commonly about this system, and where we haven’t always done the best job documenting answers – until now. :-)

    Question: How does the AdminSdHolder operation determine whether or not to ACL an account?

    Answer: It is based on transitively expanding the list of (possibly nested) protected groups. The attribute AdminCount was originally used only as an optimization to improve performance, since it was assumed that regardless of group membership, AdminCount being 1 should trigger protection. However from repro's on Windows Server 2003 and source code review, it appears this is no longer enough to actually trigger the AdminSdHolder operation all on its own.

    When a Security Principal is a member of a protected group its Security Descriptor is stamped with the SD of the AdminSDHolder Object for that domain. Also the Security Principal's adminCount attribute is set to value 1. If the SD of the security principal in question already matches the SD of the AdminSDHolder Object, the object is left untouched. Consequently its adminCount value could potentially remain 0. So using AdminCount is a pure mark of whether or not a user is protected is not always a good idea – the group membership is the key.

    Question: What is AdminCount, and why is it not being decremented to ‘0’ or ‘<not set>’ when I remove a user from a Protected Group?

    Answer: AdminCount is an attribute on the user account that is set to 1 on any users being protected by AdminSdHolder. When protected, the user gets this attribute set and the security inheritance bit is removed from their account.

    The reason AdminCount isn’t set back to 0 when the user is removed from a protected group is that you told us not to! A survey of customers early on in Windows 2000's design found that they favored deleting a user account after its high-privilege rights were revoked, as the account could have created explicit backdoors before having its rights stripped. Therefore the DC does not remove the AdminCount attribute entry, as it is assumed that the account is going to be disabled or deleted.

    If for some reason you didn’t want to get rid of that account after ‘de-admining’ it, you must manually set back to allowing inheritance and set AdminCount to 0, usually through ADSIEDIT.MSC..

    Question: Is it possible to make AdminSDHolder code run more or less frequently? What about SDProp?

    Answer: Yes, with a big caveat.

    To change the frequency of AdminSdHolder in SDPRop, set the following through regedit:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
    "AdminSDProtectFrequency"= <something>

    The value is a DWORD and you can set a range from 60 to 7200 decimal (it's in seconds). By setting it to 60 you would override the default 60 minute wait time and it would fire every minute. By setting to 7200 it would run every 2 hours.

    Note that lowering the default is NOT recommended except for lab testing due to the potential LSASS performance ramifications in a large environment. I.e. doing this could cause your DC’s processor to spike to very high sustained levels and drastically hurt you.

    You can cause SDProp to run once ‘right now’ by using the steps in KB 251343 to execute FixUpInheritance.

    Question: Is there a way to warn administrators that a user being manipulated is covered under AdminSDHolder and SDProp? How do we stop Admins from doing ‘bad’ stuff like this?

    Answer: Nope, you just gotta know.

    As to how you stop Administrators from doing theoretically ‘bad’ stuff – with great power comes great responsibility; AdminSDHolder can only protect you so far from yourself. This is similar to customers who ask us ‘how do I keep administrators from reading all the files on the network?’ The answer is: you cannot. Trust your administrators, bond your administrators, or get different administrators.

    Question: Where are all the best articles on AdminSdHolder and related… stuff?

    Answer:

    • Description and Update of the Active Directory AdminSDHolder Object - KB 232199.
    • Delegated permissions are not available and inheritance is automatically disabled - KB 817433.
    • How To Delegate the Unlock Account Right (which is often why you run into this) – KB 294952.
    • AdminSdHolder Open Specification Document - 3.1.1.6.1 AdminSDHolder.
    • Michael B. Smith has an excellent and very readable article on his blog here.

    And that’s that.

    - Ned ‘Turboprop’ Pyle