How to Limit the Size of the ACS Database by filtering the Security Events

After adding the following ACS filter, the new incoming events cannot be reflected in ACS reports.

adtadmin /setquery /query:"SELECT * FROM AdtsEvent WHERE (HeaderUser='SYSTEM' OR HeaderUser='LOCAL SERVICE' OR HeaderUser='NETWORK SERVICE') AND (EventID=671 OR EventID=675 OR EventID=681 OR EventID=529 OR EventID=531 OR EventID=532 OR EventID=535 OR EventID=536 OR EventID=539 OR EventID=517 OR EventID=624 OR EventID=627 OR EventID=628 OR EventID=630 OR (EventID>=631 AND EventID<=639) OR (EventID>=641 AND EventID<=668) OR EventID=684 OR EventID=685)"

Problem Description
==================
ACS(Audit Collection Services) Database can quickly fill up due to unwanted security events,
Resolution

Solution
======
The Solution is to avoid unwanted events by uing AdtAdmin along with WQL Query as listed below
An ACS collector can use Windows Management Instrumentation (WMI) Query Language (WQL) queries as filters to limit the events that are stored in the ACS database.
The /SetQuery parameter implements the filter before events are saved to the ACS database.
For more information about WQL and WQL queries,see Retrieving Managed Resources Using WMI Query Language at http://go.microsoft.com/fwlink/?LinkId=74151 and Querying with WQL at
http://go.microsoft.com/fwlink/?LinkId=74152.
AdtAdmin.exe /SetQuery [/Collector:CollectorName] /Query:QuerySyntax

Example
This example uses the /SetQuery parameter to define a WQL query that filters out specified events. When applied, this query filters out events generated by System, Local Service, and Network Service services, and it also filters events that have specified event ID numbers.
adtadmin /setquery /collector:"Collector Name" /query:"SELECT * FROM AdtsEvent WHERE NOT ((HeaderUser='SYSTEM' OR HeaderUser='LOCAL SERVICE' OR HeaderUser='NETWORK SERVICE') OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680) OR (EventId>=541 AND EventId<=547))"

PROBLEM
=========
Customer says that alerts in the Active Alerts view in OpsMgr console (Monitoring Section) are not updated as expected. It takes a lot of time for those alerts to be Closed. Or the alerts may change to Closed State but may not dissapear from the console.

Action Plan
=========
To identify computers with future time stamps, run the following query

SELECT * FROM dbo.AlertView WHERE TimeRaised > getutcdate() OR StateLastModified > getutcdate()

- We ran the following t-sql commands to update the OperationsManager Database

UPDATE dbo.AlertView SET TimeRaised = getutcdate() WHERE TimeRaised > getutcdate()

UPDATE dbo.State SET LastModified = getutcdate() WHERE LastModified > getutcdate()

Solution
=========
Apply hotfix 957135

一、前言:
Windows Server 2008提供了新的 [Fine-Grained Password Policies]來處理這類的需求。要使用這個功能必須網域的功能等級先提昇為Windows Server 2008等級，接著透過AD網域中新的[Password Settings Container]的位置來進行設定，這個位置可使用[AD Users and Computers]管理工具，使用[Advanced Features]來開啟System位置就可看到，不過您必須要使用[Adsiedit.msc]或[Ldifde]工具來設定!

二、做法:
1. 請先建立一個全域安全性群組，例如：GSGroup1.
2. 將您想要排除的Account加為GSGroup1的成員.
3. 建立PSO

4. To create a PSO using ADSI Edit

1. Click Start, click Run, type adsiedit.msc, and then click OK.
2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.
4. Double-click the domain.
5. Double-click DC=<domain_name>.
6. Double-click CN=System.
7. Click CN=Password Settings Container.

All the PSO objects that have been created in the selected domain appear.

1. Right-click CN=Password Settings Container, click New, and then click Object.
2. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.
3. In Value, type the name of the new PSO, and then click Next.
4. Continue with the wizard, and enter appropriate values for all mustHave attributes.

Attribute sample:

Attribute name	Description	Acceptable value range	Example value
msDS-PasswordSettingsPrecedence	Password Settings Precedence	Greater than 0	10
msDS-PasswordReversibleEncryptionEnabled	Password reversible encryption status for user accounts	FALSE / TRUE (Recommended: FALSE)	FALSE
msDS-PasswordHistoryLength	Password History Length for user accounts	0 through 1024	24
msDS-PasswordComplexityEnabled	Password complexity status for user accounts	FALSE / TRUE (Recommended: TRUE)	TRUE
msDS-MinimumPasswordLength	Minimum Password Length for user accounts	0 through 255	8
msDS-MinimumPasswordAge	Minimum Password Age for user accounts	· (None) · 00:00:00:00 through msDS-MaximumPasswordAge value	1:00:00:00 (1 day)
msDS-MaximumPasswordAge	Maximum Password Age for user accounts	· (Never) · msDS-MinimumPasswordAge value through (Never) · msDS-MaximumPasswordAge cannot be set to zero	42:00:00:00 (42 days)
msDS-LockoutThreshold	Lockout threshold for lockout of user accounts	0 through 65535	10
msDS-LockoutObservationWindow	Observation Window for lockout of user accounts	· (None) · 00:00:00:01 through msDS-LockoutDuration value	0:00:30:00 (30 minutes)
msDS-LockoutDuration	Lockout duration for locked out user accounts	· (None) · (Never) · msDS-LockoutObservationWindow value through (Never)	0:00:30:00 (30 minutes)
msDS-PSOAppliesTo	Links to objects that this password settings object applies to (forward link)	0 or more DNs of users or global security groups	“CN=u1,CN=Users,DC=DC1,DC=contoso

12. On the last screen of the wizard, click More Attributes.

13. On the Select which property to view menu, click Optional or Both.

14. In the Select a property to view drop-down list, select msDS-PSOAppliesTo.

15. In Edit Attribute, add the distinguished names of users or global security groups that the PSO is to be applied to, and then click Add.

16. Repeat step 15 to apply the PSO to more users or global security groups.

17. Click Finish.

5. To apply PSOs to users or global security groups using the Windows interface

1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, click Password Settings Container.

Where?

• Active Directory Users and Computers\domain node\System\Password Settings Container.
1. In the details pane, right-click the PSO, and then click Properties.
2. Click the Attribute Editor tab.
3. Select the msDS-PsoAppliesTo attribute, and then click Edit.
4. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.
   請選擇您在先前已定義好的群組(GSGroup1)。

三、注意事項:
透過PSO物件的屬性設定來套用，極可能會有衝突的情形產生（多個PSO設定到單一物件），因此PSO有一個重要屬性[msDS-PasswordSettingsPrecedence]!
這屬性是一個1以上的整數值，越低的數字代表有較高的排序（優先權），例如有兩個PSO分別的屬性值為10與20，10的優先權比較高因此會真的套用到物件上；此外，如果屬性值一樣的話，那就以PSO的GUID比較小的會套用!
另外如果有分別的PSO設定到使用者帳戶與使用者所隸屬群組的話，則套用到使用者帳戶的才是結果PSO!

參考資訊連結：
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc770842.aspx

SYMPTOM
===================
Server - Windows server 2003 SP2 Standard.
Role of the server - File server and Citrix server.
- Unable to access admin shares on the file server.
- SMS remote desktop from Vista to XP prompts for credentials if it has the patch installed
- Issue started after 968389 patch installation.
- Interesting point to note - this problem is only evident on some servers whilst some are not being affected at all.

This issue is there when you access the admin shares or c$ on the server itself:
Error messages
\\localhost\c$ - No network provider accepted the given network path
\\servername\c$ - No network provider accepted the given network path.
\\ip\c$ - No network provider accepted the given network path.
\\FQDN\c$ - No network provider accepted the given network path

RESOLUTION/WORKAROUND
===================
Uninstall and reinstall the patch will guarantee solve the problem

問題描述︰
您無法遠端連線 (RDP) 到您的 Windows Server 2003 伺服器
經過進一步的分析您發現:
1. 伺服器沒有在聽 TCP port 3389 (netstat -ano)
2. Terminal Services 服務有啟動
3. MSINFO32 顯示 TDTCP & RDPWD system driver 狀態 (Status) 呈現停止 (Stop)
4. TDTCP.sys 有在 system32 目錄下，版本及檔案大小也是正確的
5. 裝置管理員中已經找不到 TDTCP 裝置 (顯示隱藏裝置然後設定依連線顯示裝置 view "Devices by Connection")



說明與方法︰
Analysis
===========
- Reinstall the RDP-TCP connection and the problem persisted still
- Reinstall the TDTCP device with Devcon script,TDTCP device was added back, and RDP worked successfully.
    Run the following commands:
    devcon install %windir%\inf\machine.inf root\RDP_MOU
    devcon install %windir%\inf\machine.inf root\RDP_KBD
    devcon install %windir%\inf\machine.inf RDP.serviceinstall
    devcon install %windir%\inf\machine.inf root\legacy_RDPWD
    devcon install %windir%\inf\machine.inf rdpdr.serviceinstall
    devcon install %windir%\inf\machine.inf rdpdr.serviceinstall
    devcon install %windir%\inf\machine.inf legacy_TDPIPE
    devcon install %windir%\inf\machine.inf legacy_TDPTCP
    devcon install %windir%\inf\machine.inf legacy_termservice
    Note: Ignore any error messages you may encounter, provide us the output result (including the error messages if there is any)
- You may get the following devices with exclamation mark after running the devcon script, they can be safely deleted