Browse by Tags

Tagged Content List
  • Blog Post: Getting a CMD prompt as SYSTEM in Windows Vista and Windows Server 2008

    Ned here again. In the course of using Windows, it is occasionally useful to be someone besides… you. Maybe you need to be an Administrator temporarily in order to fix a problem. Or maybe you need to be a different user as only they seem to have a problem. Or maybe, just maybe, you want to be...
  • Blog Post: Friday Mail Sack: Newfie from the Grave Edition

    Heya, Ned here again. Since this another of those catch up mail sacks, there’s plenty of interesting stuff to discuss. Today we talk NSPI, DFSR, USMT, NT 4.0 (!!!), Win2008/R2 AD upgrades, Black Hat 2010, and Irish people who live on icebergs. Faith and Begorrah! NSPI max sessions per...
  • Blog Post: The Security Log Haystack – Event Forwarding and You

    Hi. This is your guest writer Mark Renoden . I’m a Senior Premier Field Engineer based in Sydney, Australia and I’m going to talk to you about the use of Event Forwarding to collect security events. This is particularly useful when: You have specific events you’re looking for...
  • Blog Post: Special Groups Auditing via Group Policy Preferences

    Ned here again. Today I’m going to talk about a new feature of Windows Server 2008 and Windows Vista called Special Groups auditing . While we’re in here, I’ll run through how we can use the new Group Policy Preferences (GPP) client-side extensions to make deploying this fast and easy...
  • Blog Post: Addendum: Making the DelegConfig website work on IIS 7

    Hi All Rob here again. I thought I would take the time today and expand upon the Kerberos Delegation website blog to show how you can use the web site on IIS 7. Actually, Ned beat me up pretty badly for not showing how to set the site up on IIS 7 [ I sure did. Rob’s revenge was to make a blog post...
  • Blog Post: Friday Mail Sack – I live again edition

    Hello all, Ned here again. After a brief absence, the rocket sled that I use to carry my disembodied head around has brought me back to AskDS headquarters. The coup is over and I have emerged triumphant again. You won’t be hearing from Jonathan until the truth serum wears off. So let’s...
  • Blog Post: Monthly Mail Sack: Yes, I Finally Admit It Edition

    Heya folks, Ned here again. Rather than continue the lie that this series comes out every Friday like it once did, I am taking the corporate approach and rebranding the mail sack. Maybe we’ll have the occasional Collector’s Edition versions. This week month, I answer your questions on: The semi-myth...
  • Blog Post: Security Policy Settings and User Account Control

    Hi, Mike here. This post was originally published in the Group Policy Team blog in September 2006—anticipating the launch of Windows Vista. Here it is again—refreshed—for the upcoming launch of Windows Server 2008. User Account Control in Windows Server 2008 and Windows Vista requires...
  • Blog Post: Friday Mail Sack: Now with 100% more words

    Hi folks, Ned here again. It’s been nearly a month since the last Mail Sack post so I’ve built up a good head of steam. Today we discuss FRS, FSMO, Authentication, Authorization, USMT, DFSR, VPN, Interactive Logon, LDAP, DFSN, MS Certified Masters, Kerberos, and other stuff. Plus a small...
  • Blog Post: The Security Descriptor Definition Language of Love (Part 2)

    Hi. Jim here from DS here with a follow up to my SDDL blog part I. At the end of my last post I promised to dissect further the SDDL output returned by running the CACLS with the /S switch on tools share as follows: Here is the output exported to a .txt file: "D:AI(D;OICI;FA;;;BG)(A;;FA;;;BA...
  • Blog Post: New Slow Logon, Slow Boot Troubleshooting Content

    Hi all, Ned here again. We get emailed here all the time about issues involving delays in user logons. Often enough that, a few years back, Bob wrote a multi-part article on the subject. Taking it to the next level, some of my esteemed colleagues have created a multi-part TechNet Wiki series on understanding...
  • Blog Post: AzMan MMC with a sample application

    Hey everyone, Mark from Directory Services again. Just the other day I ran across something that may be useful to the public. Here in Directory Services we support the Authorization Manager snap-in, aka AzMan.msc . This tool can configure role-based access control on applications using an AzMan store...
  • Blog Post: Default Security Templates in Windows 2008

    Hi, David here again. You might be familiar with Security Templates that we use in Windows 2000 and 2003. The template is sort of the master set of security settings that we apply to a server when you either set it up or configure it using the Security Configuration and Analysis tool. Here in DS we often...
  • Blog Post: Five common questions about AdminSdHolder and SDProp

    Ned here again. After a few years of supporting Active Directory, nearly everyone runs into an issue with AdminSdHolder . This object and its AD worker code is used by Domain Controllers to protect high-privilege accounts from inadvertent modification – i.e. if an administrator account was moved...
  • Blog Post: Friday Mail Sack: Gargamel Edition

    Hi folks, Ned here again. This week we talk about 10 reasons not to use list object access dsheuristics, USMT trivia nuggets, poor man’s DFSDIAG, how to get network captures without installing a network capture tool, and some other random goo. Oh yeah, and friggin’ Smurfs. The downsides...
  • Blog Post: NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7

    Ned here again. Windows 7 and Windows Server 2008 R2 introduce a long sought feature known as NTLM blocking. This prevents NTLM from being used for authentication. IT works in both a send or receive mode, and allows you to create exceptions. There’s currently very little documentation on this...
  • Blog Post: Understanding Kerberos Double Hop

    Hi, Steve here. Kerberos Double Hop is a term used to describe our method of maintaining the client's Kerberos authentication credentials over two or more connections. In this fashion we can retain the user’s credentials and act on behalf of the user in further connections to other servers. ...
  • Blog Post: SQL Bulk Insert - Access is Denied

    Hey all, Mark from DS again. I have found that numerous cases have been opened where Microsoft customers are upgrading from SQL 2000 to SQL 2005. After the upgrade they were attempting to run a bulk insert statement either in the Enterprise Manager or the Management Studio application and getting an...
  • Blog Post: Saturday Mail Sack: Because it turns out, Friday night was alright for fighting edition

    Hello all, Ned here again with our first mail sack in a couple months. I have enough content built up here that I actually created multiple posts, which means I can personally guarantee there will be another one next week. Unless there isn't! Today we answer your questions around: Detecting...
  • Blog Post: What occurs when the Security Group Policy CSE encounters a null DACL

    Mike here. The Group Policy security client side extension can distribute security descriptors on files and registry keys. This extension is difficult to troubleshoot because it is considerably durable when it comes to failures. In most situations, it completes processing, but not without leaving behind...
  • Blog Post: What's in a Token

    Hi, Randy here. This is my first blog post to help explain authentication and authorization. This post will be helpful in understanding "Access is Denied" messages and how to troubleshoot when these happen. I'd like to start with an explanation of the security token. When you log on to a system, you...
  • Blog Post: What’s in a Token (Part 2): Impersonation

    It’s Randy again. In my last blog post , we discussed that the token is the identification for a process . The token object contains a list of security identifiers, rights and privileges that the Windows Security Subsystem uses to grant access to secured resources and tasks. Each process running...
  • Blog Post: How to Back Up and Restore NTFS and Share Permissions

    Note that this content has also been added to the TechNet Wiki to allow for community editing. http://social.technet.microsoft.com/wiki/contents/articles/how-to-back-up-and-restore-ntfs-and-share-permissions.aspx From time to time we are asked how to backup and restore NTFS file system permissions...
  • Blog Post: Friday Mail Sack: Anchors Aweigh Edition

    Hiya folks, Ned here again. I finally have an editor that allows anchors on all the questions, so I am adding a quasi “table of contents” for these posts that allow easier navigation and linking. I’ll retrofit all the old mail sack articles too… eventually. This week we discuss...
  • Blog Post: Friday Mail Sack: Get Off My Lawn Edition

    Hi folks, Ned here again. I know this is supposed to be the Friday Mail Sack but things got a little hectic and... ah heck, it doesn't need explaining, you're in IT. This week - with help from the ever-crotchety Jonathan Stephens - we talk about: Multiple WMI Filters LDAP MaxPoolThreads Many...