• How to export a DHCP scope's address lease list?

    a) In the DHCP console, locate the DHCP scope that the computer with the static IP address may belong to.
    b) Right-click "Address Leases" and click Export List.
    c) Type a name for the exported list, select the CSV format, and click Save.
    d) Open the exported file with MS Excel and filter the list down to the active leases.
    e) The result is the complete list of IP addresses currently held by DHCP leases.
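    The filtering in steps d) and e) can also be done without Excel. The following script is an added example and is not part of the original note: it reads the CSV produced by Export List, keeps only the active leases, and checks whether a given static address collides with one of them. The column names and the "Inactive" / "Reservation (active)" wording in the Lease Expiration column are assumptions about the console's export layout, and the lease rows are constructed sample data.

```python
"""Check a static IP address against the lease list exported from the DHCP console.

Added example. The CSV below imitates the "Export List" output of the Address
Leases view; the column names and the "Inactive" / "Reservation (active)" status
wording are assumptions about that layout, and every row is constructed data.
"""
import csv
import io
import ipaddress

# Constructed sample of an exported Address Leases list (not real data).
EXPORTED_LEASES = """Client IP Address,Name,Lease Expiration,Type,Unique ID,Description
192.168.10.20,ws01.example.local,3/9/2009 10:15:00 AM,DHCP,000c29aa0001,
192.168.10.21,ws02.example.local,Inactive,DHCP,000c29aa0002,
192.168.10.22,printer01.example.local,Reservation (active),DHCP,000c29aa0003,
192.168.10.23,ws03.example.local,3/9/2009 11:40:00 AM,DHCP,000c29aa0004,
"""


def load_leases(csv_text):
    """Parse the exported CSV into a list of {column: value} dicts."""
    # Tolerate a UTF-8 BOM and stray spaces around cells, which exported lists often carry.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    return [{k.strip(): (v or "").strip() for k, v in row.items()} for row in reader]


def is_active(lease):
    """An active lease shows an expiry timestamp or "Reservation (active)";
    "Inactive" and "Reservation (inactive)" rows are expired or unused addresses."""
    status = lease["Lease Expiration"].lower()
    return "inactive" not in status


def active_addresses(leases):
    """The set of IP addresses currently handed out by this scope (step e)."""
    return {ipaddress.ip_address(l["Client IP Address"]) for l in leases if is_active(l)}


def check_static(csv_text, static_ip):
    """Return (in_conflict, lease_holder_name) for a statically assigned address.

    A conflict means the static address is also held by an active DHCP lease,
    which is the situation the export procedure above is meant to uncover.
    """
    target = ipaddress.ip_address(static_ip)
    for lease in load_leases(csv_text):
        if ipaddress.ip_address(lease["Client IP Address"]) == target and is_active(lease):
            return True, lease["Name"]
    return False, None


if __name__ == "__main__":
    leases = load_leases(EXPORTED_LEASES)
    print("active leases:", sorted(str(ip) for ip in active_addresses(leases)))
    for candidate in ("192.168.10.20", "192.168.10.21"):
        conflict, holder = check_static(EXPORTED_LEASES, candidate)
        print(candidate, "-> conflict with", holder if conflict else "none")
```

    Replace EXPORTED_LEASES with the contents of the file saved in step c); the script treats any row whose Lease Expiration column does not contain "inactive" as an active lease.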

    Reference:
    =========
    How to use the Netsh utility to export and import DHCP scopes
    http://support.microsoft.com/kb/281626/en-us

  • Security - Event 528 (Interactive Logons)

    Problem description:
    Security Event 528 with Logon Type = 2 (Interactive) can be used to look up a user's interactive logons,
    but some programs (such as DameWare remote control) also generate Event 528 with Logon Type = 2 interactive logon events.
    How should the two be distinguished?

    Explanation and method:
    BACKGROUND
    ======================
    Event 528 is logged whenever an account logs on to the local computer, except for in the event of network logons (see event 540).
    Event 528 is logged whether the account used for logon is a local SAM account or a domain account.

    Example:

    Successful Logon:
    User Name:administrator
    Domain:ELM
    Logon ID:(0x0,0x558DD)
    Logon Type:2
    Logon Process:User32
    Authentication Package:Negotiate
    Workstation Name:W2MS
    Windows XP and Windows Server 2003 add:
    Logon GUID:{d39697e4-34a9-b3e0-f30a-d2ba517eb4a2}
    Windows Server 2003 adds these fields:
    Caller User Name:-
    Caller Domain:-
    Caller Logon ID:-
    Caller Process ID: -
    Transited Services: -
    Source Network Address:10.42.42.170
    Source Port:3165

    This message also includes a logon type code. The logon type code indicates the manner in which the user logged on.

    The following table explains the logon type code:
    ================================
    Logon type, Logon title, Description
    ================================
    2, Interactive, A user logged on to this computer at the console.
    3, Network, A user or computer logged on to this computer from the network.
    4, Batch, Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
    5, Service, A service was started by the Service Control Manager.
    7, Unlock, This workstation was unlocked.
    8, NetworkCleartext, A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication.
    9, NewCredentials, A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
    10, RemoteInteractive, A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
    11, CachedInteractive, A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

    SUGGESTION
    ======================
    When "Source Network Address" is "-" (no IP address), there is a high probability that the event was generated by a program.
    Another method is to look at the Logon Process field.

    There is no definite way to distinguish whether an Event 528 of logon type 2 was triggered by a real user or by a program.
    However, from our experience, programs most often use the "Advapi" logon process, whereas RDP and console users use the "User32" logon process.

    Logon Process: (User32 or Advapi)

    For interactive (console) logons to a server, the User32 logon process is used, and it is reflected in the security log in Event ID 528 as you have seen.
    Remote connections can use either the User32 or the Advapi logon process; which one is used depends on the particular API that a given connection application calls.
    (i.e., authentication calls through winlogon.exe use user32.dll; calls to the LogonUser API use Advapi.)

    Microsoft RDP connections use User32 but record the connection over the network with '10' as the logon type.
    Other third-party remote tools such as DameWare happen to call Advapi, the advanced Win32 API that handles many security functions.
    Different remote connection solutions could use either, depending on their design.

    Both advapi.dll and user32.dll are capable of servicing a logon request from across the network.
    (Note: .dll is short for Dynamic Link Library, a library of executable functions or data that can be used by a Windows application.
    Typically, a DLL provides one or more particular functions, and a program accesses those functions by creating either a static or a dynamic link to the DLL.
    Some DLLs are used only by a specific application, while others, such as advapi.dll, are used by a wide variety of applications.
    The name refers to the fact that DLLs contain a library of functions that can be accessed [linked] on demand.)

    Which of the two is called depends on which API (application programming interface) the specific application is programmed to call in order to perform a user logon.
    If the remote connection application (e.g., DameWare, Citrix, RDP) is programmed to call the Winlogon API, then the logon process used will be user32.dll. If, however, the application has been written to call LogonUser, then advapi.dll is used. Whether advapi or user32 appears comes down to the choice made by the person developing the remote access application.
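    The two heuristics above (Logon Process = Advapi, Source Network Address = "-") can be applied mechanically to exported event descriptions. The script below is an added example, not part of the original note: it parses Event 528 descriptions in the classic "Name:Value" layout shown under BACKGROUND, keeps only Logon Type 2 events, and reports which heuristic fired for each. The event texts are constructed samples (user names, addresses and IDs are made up), and the verdict is only as definitive as the note says, i.e. a triage hint rather than proof.

```python
"""Triage classic Security Event 528 (Logon Type 2) records.

Added example. The event descriptions are constructed inline in the classic
(Windows 2000/XP/2003) "Name:Value" description layout and are not real log
data. The heuristics are the two from the note above: the "Logon Process"
value and an empty ("-") "Source Network Address".
"""
import re
from dataclasses import dataclass, field

FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_event(description: str) -> dict:
    """Turn a classic event description into a {field: value} dict.

    Every "Name:Value" line is captured; the "Successful Logon:" banner becomes
    a key with an empty value and is simply ignored by the classifier.
    """
    fields = {}
    for line in description.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


@dataclass
class Verdict:
    user: str
    domain: str
    logon_process: str
    source_address: str
    reasons: list = field(default_factory=list)

    @property
    def likely_program(self) -> bool:
        # Either heuristic firing marks the logon as probably not a person at the console.
        return bool(self.reasons)


def classify(fields: dict) -> Verdict:
    """Apply the two heuristics from the note to one parsed Event 528."""
    proc = fields.get("Logon Process", "")
    src = fields.get("Source Network Address", "-") or "-"
    reasons = []
    if proc.lower() == "advapi":
        reasons.append("Logon Process is Advapi (LogonUser API; typical of remote tools)")
    if src == "-":
        reasons.append("Source Network Address is '-' (no client IP recorded)")
    return Verdict(fields.get("User Name", ""), fields.get("Domain", ""), proc, src, reasons)


def triage(descriptions: list) -> list:
    """Parse each description and classify only Logon Type 2 events.

    Other logon types (for example 10 for RDP) are outside the question and skipped.
    """
    verdicts = []
    for text in descriptions:
        fields = parse_event(text)
        if fields.get("Logon Type") != "2":
            continue
        verdicts.append(classify(fields))
    return verdicts


def _event(user, logon_type, process, source):
    # Constructed sample in the classic Security log layout (not real data).
    return (
        "Successful Logon:\n"
        f"User Name:{user}\n"
        "Domain:ELM\n"
        "Logon ID:(0x0,0x558DD)\n"
        f"Logon Type:{logon_type}\n"
        f"Logon Process:{process}\n"
        "Authentication Package:Negotiate\n"
        "Workstation Name:W2MS\n"
        "Caller User Name:-\n"
        "Caller Process ID: -\n"
        "Transited Services: -\n"
        f"Source Network Address:{source}\n"
        "Source Port:3165"
    )


SAMPLE_EVENTS = [
    _event("administrator", "2", "User32", "10.42.42.170"),   # console-style User32 logon
    _event("svc_backup", "2", "Advapi", "10.42.42.170"),      # remote tool calling LogonUser
    _event("svc_backup", "2", "Advapi", "-"),                 # both heuristics fire
    _event("administrator", "10", "User32", "10.42.42.171"),  # RDP (type 10), out of scope
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        label = "likely program" if v.likely_program else "likely interactive user"
        print(f"{v.domain}\\{v.user}: {label}; " + ("; ".join(v.reasons) or "no flags"))
```

    To run it against a real Security log, feed triage() the Message text of each Event 528 record (for example the descriptions exported from Event Viewer); the classifier only needs the "Logon Type", "Logon Process" and "Source Network Address" lines to be present.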

    Related reference documents:
    http://support.microsoft.com/KB/326985
    http://support.microsoft.com/KB/174073
    http://blogs.msdn.com/ericfitz/archive/2004/12/09/279282.aspx
    http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=528&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.2
    http://www.windowsecurity.com/articles/Logon-Types.html

  • SCOM - ADMP "Client Monitoring" feature not working

    Problem description:
    [ADMP "Client Monitoring" feature not working]
    You configured and enabled the "Client Monitoring" feature using the steps below,
    but once configured, these AD clients do not monitor the DC; even when the DC is offline, no alert is raised.
    With the DC forced offline (or detached from the network), the AD clients do not generate a connectivity alert (to notify that the DC cannot be reached).

    After you import the Active Directory Client Management pack, client monitoring is done on computers that are added to the AD Client Monitoring Discovery.

    To add a computer to the AD Client Monitoring Discovery
    1. Open the Operations console, and then click Authoring.
    2. Expand Management Pack Objects, and then click Object Discoveries.
    3. Locate the AD Client Monitoring Discovery rule. If you do not see the rule, check that your scope is set to include the Active Directory Client Perspective by clicking the Change Scope link at the top of the Actions pane.
    4. Right-click the rule and select to override the object discovery for the computer you want to monitor from or for all objects in a group.
    Note
    To avoid manually overriding the rule for each client computer, create a group that contains all of the client computers. Then override the AD Client Monitoring Discovery rule for this group.
    5. In the Override Properties window, select Override.
    6. Change Override Setting to True. In the Select destination management pack pull-down menu, select a management pack.
    Note
    Store all Active Directory Management Pack overrides for a specific management server or management group in a custom management pack that is used only for overrides. If you have not yet created a management pack for your overrides, you can click New to create one now.
    7. Click OK to enable the Client management pack.

    Explanation and method:
    SYMPTOM
    ========================
    You will see the following event in the AD client's Operations Manager event log:

    Event Type: Warning
    Event Source: Health Service Modules
    Event Category: None
    Event ID: 21413
    Computer: <MACHINE NAME>
    Description:
    The Event Policy for the process started at 9:19:52 PM has detected errors in the
    output. The 'ExitCode' policy expression:
    [^0]+
    matched the following output:
    -1

    Command executed: "C:\WINDOWS\system32\cscript.exe" /nologo
    "AD_Client_Update_DCs.vbs" <machinename.domainname.com> <NetBIOS domain name> true
    3 {61C1C088-CAFE-8F7A-21AF-09122869F4A1}

    CAUSE
    ========================
    The event description shows that only 5 parameters are passed to the script (AD_Client_Update_DCs.vbs),
    but the script is hard-coded to fail if it receives fewer than 6 parameters.

    WORKAROUND
    ========================
    This is a known issue with ADMP (last version checked to have this problem includes 6.0.6278.10 & 6.0.6452.0)

    Configure the following overrides on "AD Client Update DCs" rule:
    1. Domain Controllers: enter a DC's FQDN that is located in your local site
    2. Site Discovery Mode: enter "3" (local site mode)

    After you configure the overrides above, you should see "MonitoredDCs.txt" generated under the C:\Windows\temp folder on the AD client computers.
    This file lists the discovered DCs, which are the DCs that will be monitored; the file is not created before the overrides are applied.

  • IE8 compatibility issue 1 - After installing IE8, WebATM no longer works?

    Consider the following situation:

    In IE8, you use a chip financial card reader with an online WebATM service. Everything works at first, but at the point where a second window may pop up (for verification, or for entering the PIN on a second-generation financial card reader), IE8 may stop responding entirely or simply do nothing further.

    Cause:

    For stability reasons, IE8 by default opens additional processes to handle each new window or new tab. If the online bank's ActiveX control is configured to require exclusive access to the chip card connection, the process of the other tab cannot access the chip card reader, which causes this problem.

    Suggested workaround:

    If you cannot wait for the online bank to update its mode of operation (that is, for the bank to modify its WebATM program to be compatible with IE8), a user can temporarily work around the problem as follows:

    1. Open the Registry Editor:
      Run the following command: regedit.
      The Registry Editor opens.
    2. Locate the following key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    3. Add the following value:
      Type: DWORD
      Name: TabProcGrowth
      Value: 0
    4. Close all open IE windows and restart IE.

    Note that TabProcGrowth = 0 also turns off IE8's per-tab process isolation for that user profile, so remove the value again once the bank's WebATM program supports IE8.

  • Unable to start ACS collector service - ERROR 0x80092004

    Problem Description:
    ================
    When the customer tries to start the ACS Collector service, the following error is received:

    Could not start Operations Manager Collection Service on Local Computer.

    ERROR 0x80092004: Cannot find object or property.

    Event ID 4661 error
    ===================
    AdtServer encountered the following problem during startup:
    Task: Load Certificate
    Failure: Certificate for SSL based authentication could not be loaded
    Error: 0x80092004
    Error Message:
    Cannot find object or property.

    Solution
    =======

    Please run %systemroot%\system32\Security\AdtServer\adtserver.exe -c and select the correct certificate to use.