Browse by Tags

Tagged Content List
  • Blog Post: Getting a CMD prompt as SYSTEM in Windows Vista and Windows Server 2008

    Ned here again. In the course of using Windows, it is occasionally useful to be someone besides… you. Maybe you need to be an Administrator temporarily in order to fix a problem. Or maybe you need to be a different user as only they seem to have a problem. Or maybe, just maybe, you want to be...
  • Blog Post: Friday Mail Sack: Newfie from the Grave Edition

    Heya, Ned here again. Since this another of those catch up mail sacks, there’s plenty of interesting stuff to discuss. Today we talk NSPI, DFSR, USMT, NT 4.0 (!!!), Win2008/R2 AD upgrades, Black Hat 2010, and Irish people who live on icebergs. Faith and Begorrah! NSPI max sessions per...
  • Blog Post: Auditing Password and Account Lockout Policy on Windows Server 2008 and R2

    Ned here again. Let’s talk about auditing your domain for changes made to Password and Account Lockout policies. Frankly, it’s a real pain in the neck to figure out Password and Account Lockout auditing and there are legacy architectural decisions behind how this all works, so I’ll...
  • Blog Post: Friday Mail Sack: Saturday Edition

    Ned here. As you may have noticed, it is not Friday. You may also have noticed that this post is awesome and packed with many weeks of delayed content goodness. This notice may extend to the fact that I have no life. You notice a lot, don’t you smarty? I cannot imagine someone looking...
  • Blog Post: Friday Mail Sack: Guest Reply Edition

    Hi folks, Ned here again. This week we talk: CA migration from 1 to 2 tier ADAM/ADLDS P2V ABC 123 Managing AGPM security filters Multiple IIS App pools and Kerberos AGPM multi-domain comparison ADUC domain password weirdness DFSR deletion conflict handling Stale account deletion...
  • Blog Post: Special Groups Auditing via Group Policy Preferences

    Ned here again. Today I’m going to talk about a new feature of Windows Server 2008 and Windows Vista called Special Groups auditing . While we’re in here, I’ll run through how we can use the new Group Policy Preferences (GPP) client-side extensions to make deploying this fast and easy...
  • Blog Post: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

    Hi Rob here again. I hope that you found the first blog on troubleshooting Kerberos Authentication problems caused by name resolution informative and learned something about how to review network captures as well as how the SMB protocol works at a high level when reviewing a network trace. This time...
  • Blog Post: Addendum: Making the DelegConfig website work on IIS 7

    Hi All Rob here again. I thought I would take the time today and expand upon the Kerberos Delegation website blog to show how you can use the web site on IIS 7. Actually, Ned beat me up pretty badly for not showing how to set the site up on IIS 7 [ I sure did. Rob’s revenge was to make a blog post...
  • Blog Post: Friday Mail Sack: Walking Tall Edition

    Hello folks, Ned here again. After a week in Las Colinas Texas, the blog migration, and Jonathan’s attempted coup, we are still standing. Since I’m sure your whole day has been designed around this post I won’t keep you waiting. RODC WAN down behavior DFSR and the PDCE RPC...
  • Blog Post: Monthly Mail Sack: Yes, I Finally Admit It Edition

    Heya folks, Ned here again. Rather than continue the lie that this series comes out every Friday like it once did, I am taking the corporate approach and rebranding the mail sack. Maybe we’ll have the occasional Collector’s Edition versions. This week month, I answer your questions on: The semi-myth...
  • Blog Post: Conficker causes LSASS to consume CPU Time on Domain Controllers

    Hi Gautam here, I wanted to blog about a high-impact problem we have been seeing recently. The problem has to do with LSASS consuming a lot of CPU time on your Domain Controllers (DC's). The cause of this high CPU turns out to be Conficker infected computers throwing bad passwords against the DC's...
  • Blog Post: Windows Logon Options in Vista/2008: Part Two of Two

    Mike here. Blog time again… Previously, I wrote about two of the policy settings under the computer configuration. Today, I’ll finish writing about the Windows Logon Options policy category by covering the remaining policy setting under the computer configuration and all of the policy settings...
  • Blog Post: Friday Mail Sack: Now with 100% more words

    Hi folks, Ned here again. It’s been nearly a month since the last Mail Sack post so I’ve built up a good head of steam. Today we discuss FRS, FSMO, Authentication, Authorization, USMT, DFSR, VPN, Interactive Logon, LDAP, DFSN, MS Certified Masters, Kerberos, and other stuff. Plus a small...
  • Blog Post: Friday Mail Sack: LeBron is not Jordan Edition

    Hi folks, Ned here again. Today we discuss trusts rules around domain names, attribute uniqueness, the fattest domains we’ve ever seen, USMT data-only migrations, kicking FRS while it’s down, and a few amusing side topics. Scottie, don’t be that way. Go Mavs. Creating trusts...
  • Blog Post: RSA SecurID Do Over

    Ned here. If you are using RSA SecurID, you’re probably aware they were compromised several months ago . You may also have heard that since then, hackers have been using that stolen info to attack or compromise various organizations. What you may not know is RSA is now issuing replacement tokens...
  • Blog Post: New Slow Logon, Slow Boot Troubleshooting Content

    Hi all, Ned here again. We get emailed here all the time about issues involving delays in user logons. Often enough that, a few years back, Bob wrote a multi-part article on the subject. Taking it to the next level, some of my esteemed colleagues have created a multi-part TechNet Wiki series on understanding...
  • Blog Post: Fun with the Kerberos Delegation Web Site

    Hi, Rob here. First I want to thank you guys for reading and participating in our blogging efforts. I had one of you e-mail us and ask about the web site I used in the Kerberos Authentication Troubleshooting blogs and if they could get a copy of it. The web site was created by our IIS support counterparts...
  • Blog Post: “The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”

    Warren here. In Windows Server 2003 we introduced the lastLogontimeStamp attribute. Administrators can use the lastLogontimeStamp attribute to determine if a user or computer account has recently logged onto the domain. Using this information administrators can then review the accounts identified and...
  • Blog Post: NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7

    Ned here again. Windows 7 and Windows Server 2008 R2 introduce a long sought feature known as NTLM blocking. This prevents NTLM from being used for authentication. IT works in both a send or receive mode, and allows you to create exceptions. There’s currently very little documentation on this...
  • Blog Post: SQL Bulk Insert - Access is Denied

    Hey all, Mark from DS again. I have found that numerous cases have been opened where Microsoft customers are upgrading from SQL 2000 to SQL 2005. After the upgrade they were attempting to run a bulk insert statement either in the Enterprise Manager or the Management Studio application and getting an...
  • Blog Post: Windows Logon Options in Vista/2008: Part One of Two

    Mike here again. This is the first of a two part series that originally published on the Group Policy Team blog - updated for Windows Server 2008. I wanted to bring to your attention some new policy settings for Windows Server 2008 and Windows Vista. The Windows Logon Options policy settings are located...
  • Blog Post: Understanding “Read Only Domain Controller” authentication

    Hello there. Bob Drake here to discuss how Windows Server 2008 “Read Only Domain Controllers” (RODC’s) authenticate users differently from the way Windows Server 2003 and Windows Server 2008 standard domain controllers do. The “ Read Only Domain Controller ” is new to Windows...
  • Blog Post: Troubleshooting Kerberos Authentication problems – Name resolution issues

    Hi Rob here. I thought I would show you how we in Microsoft Commercial Technical Support typically troubleshoot Kerberos authentication issues. This discussion should do much to get you more comfortable viewing network traces for Kerberos authentication problems. There are other ways to troubleshoot...
  • Blog Post: Friday Mail Sack: Anchors Aweigh Edition

    Hiya folks, Ned here again. I finally have an editor that allows anchors on all the questions, so I am adding a quasi “table of contents” for these posts that allow easier navigation and linking. I’ll retrofit all the old mail sack articles too… eventually. This week we discuss...
  • Blog Post: Friday Mail Sack: Charlotte Edition

    Hiya folks, Ned back with a palette-cleansing Mail Sack after this monstrosity . This week we talk about: To customize AD schema or not DC and root hints USMT and the case of the missing apps DFSR and %SYSTEMROOT% More fun with DC Same As Parent domain zone records Speeding up DFSN...