Thursday, October 2, 2008

Password policy in 2003 / 2000 AD infrastructure.

Password policy
******************

When a password policy is deployed:
->It applies to all users in the domain regardless of OU, group or site.
->Excluding some users by placing them in an OU and enabling "Block Inheritance" on that OU does not work for password policies.
->If the "Password never expires" option is checked for a user (user account properties > Account tab), the password policy check is never run against that account, so those users' passwords never expire.
->When a password policy is deployed in the domain, a check runs each time a user logs on to the domain and reads the user's "pwdLastSet" attribute in AD.
The value of this attribute is the date when the user last changed the password.
->For example, a password policy with "Maximum password age" = 90 days is deployed today.
->The user logs on to the domain the next day.
->The logon queries the user's "pwdLastSet" attribute.
->If the value of the attribute is a date at least 90 days before the current date, the user is prompted to change the password.
->The user updates the password and the value of "pwdLastSet" changes to the current date.
->If "Password never expires" is checked, this check is never run on that user until an administrator unchecks it.
->By default "Password never expires" is checked automatically for the Administrator and other important accounts.
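As an added illustration of the logon-time check described above (this is example code written for this page, not code from the original post and not Windows' own implementation), the small Python model below converts the pwdLastSet FILETIME value to a date, honours the "Password never expires" bit in userAccountControl, and reports which accounts from a constructed sample set would be prompted under a 90-day maximum age. The account records, names and the evaluation date are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# "Password never expires" bit in userAccountControl (ADS_UF_DONT_EXPIRE_PASSWD)
UF_DONT_EXPIRE_PASSWD = 0x10000
# Plain user account bit (ADS_UF_NORMAL_ACCOUNT), used only for the sample records
UF_NORMAL_ACCOUNT = 0x200
# pwdLastSet is stored as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a pwdLastSet FILETIME value to a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer maths to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def password_status(pwd_last_set: int, user_account_control: int,
                    max_age_days: int, now: datetime) -> dict:
    """Evaluate one account the way the post describes the check at logon.

    Returns {'state': ..., 'expires': datetime or None, 'must_change': bool}.
    """
    # Accounts flagged "Password never expires" are skipped entirely.
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return {"state": "never-expires", "expires": None, "must_change": False}
    # pwdLastSet == 0 means "user must change password at next logon".
    if pwd_last_set == 0:
        return {"state": "must-change-at-next-logon", "expires": None, "must_change": True}
    # A maximum password age of 0 in the policy means passwords do not expire.
    if max_age_days == 0:
        return {"state": "policy-no-max-age", "expires": None, "must_change": False}
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    if now >= expires:
        return {"state": "expired", "expires": expires, "must_change": True}
    return {"state": "current", "expires": expires, "must_change": False}


def accounts_to_prompt(accounts: list, max_age_days: int, now: datetime) -> list:
    """Return the sAMAccountNames that would be prompted to change their password."""
    return [a["sam"] for a in accounts
            if password_status(a["pwdLastSet"], a["userAccountControl"],
                               max_age_days, now)["must_change"]]


# Constructed sample data (not real directory contents): the policy from the post
# sets "Maximum password age" = 90 days and we evaluate it on 2008-10-03.
NOW = datetime(2008, 10, 3, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    # normal user whose password is 91 days old -> prompted
    {"sam": "alice", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=91)),
     "userAccountControl": UF_NORMAL_ACCOUNT},
    # normal user whose password is 10 days old -> not yet
    {"sam": "bob", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
     "userAccountControl": UF_NORMAL_ACCOUNT},
    # "Password never expires" checked, password very old -> never prompted
    {"sam": "svc_backup", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400)),
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    # freshly created account with pwdLastSet = 0 -> must change at next logon
    {"sam": "newhire", "pwdLastSet": 0, "userAccountControl": UF_NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sam"], password_status(acct["pwdLastSet"],
                                           acct["userAccountControl"], 90, NOW))
    print("prompted:", accounts_to_prompt(SAMPLE_ACCOUNTS, 90, NOW))
```

The svc_backup record is the case worth auditing: an account carrying the "Password never expires" bit is invisible to the maximum-age check no matter how old its password is, so a periodic listing of accounts with that bit set is the practical complement to deploying the policy.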


Thanks & Regards

Tuesday, September 23, 2008

Event ID:1202 Security policies were propagated with warning. 0x4b8

We have 50-60 client machines, all XP SP2.
All the client machines, including 2 member servers, log the event ID 1202 SceCli warning along with event ID 1085 and event ID 1030.
*************************************************
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 9/22/2008
Time: 12:39:44 PM
User: NT AUTHORITY\SYSTEM
Computer:
Description:
The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/22/2008
Time: 12:39:44 PM
User: N/A
Computer:
Description:
Security policies were propagated with warning. 0x4b8 : An extended error has occurred.
For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 9/22/2008
Time: 11:40:31 AM
User: Administrator
Computer:
Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
******************************************
Troubleshooting Steps
*********************

On the XP client machine, we enabled winlogon logging for the Security client-side extension.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
On the Edit menu, click Add Value, and then add the following registry value:
Value name: ExtensionDebugLevel
Data type: DWORD
Value data: 2

We ran gpupdate /force.
Check winlogon.log in C:\windows\security\logs.
In winlogon.log we found the following:

----Configure Registry Keys...
Configure machine\software.
Configure machine\software\3Com.
Configure machine\software\Acro Software Inc.
Configure machine\software\Adobe.
Configure machine\software\Ahead.
Configure machine\software\Apple Computer, Inc..
Configure machine\software\ATI Technologies.
Configure machine\software\ATI Technologies Inc..
Configure machine\software\Autodesk.
Configure machine\software\Avance.
Warning 1336: The access control list (ACL) structure is invalid.
Error setting security on machine\software\Avance.

Configuration of Registry Keys was completed with one or more errors.


1. Hence applying security (permissions) to a registry key is failing on the key HKLM\MACHINE\SOFTWARE\Avance.
2. We took an MPS report, analyzed Appliedsectempl.txt, and found that these registry settings come from the Default Domain Policy.
3. We went to the domain controller and found that Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Registry has a lot of manually configured registry keys in the policy.
They were assigned certain security permissions.
4. However, on the client machines, the permissions cannot be applied on certain registry keys.
5. Now we need to find out why it fails on certain registry keys.

1. We went to the XP client's registry.
2. By default all keys should have the following security permissions:

System – Full control
Creator owner – special permissions
Computer\users – read
Computer\administrators – full control

3. But the key that was failing in winlogon.log did not have these permissions.
4. The only security permission on the key machine\software\Avance was "EVERYONE" with Read access.
5. We added SYSTEM and gave it FULL CONTROL.
6. As soon as we hit Apply, all the other default permissions were populated automatically!

We did gpupdate /force on the XP machine and analyzed winlogon.log.
Now it passes for machine\software\Avance.
However, it fails for a different registry key:


----Configure Registry Keys...
Configure machine\software.
Configure machine\software\3Com.
Configure machine\software\Acro Software Inc.
Configure machine\software\Adobe.
Configure machine\software\Ahead.
Configure machine\software\Apple Computer, Inc..
Configure machine\software\ATI Technologies.
Configure machine\software\ATI Technologies Inc..
Configure machine\software\Autodesk.
Configure machine\software\Avance. ------------------------------------ it passed here now
Configure machine\software\C07ft5Y.
Configure machine\software\Clients.
Configure machine\software\ColumbiaSoft.
Configure machine\software\Compaq.
Configure machine\software\Corel.
Configure machine\software\Crystal Decisions.
Configure machine\software\ej-technologies.
Configure machine\software\EPSON.
Configure machine\software\FLEXlm License Manager.
Configure machine\software\Forte.
Configure machine\software\Gemplus.
Configure machine\software\GNU.
Configure machine\software\Google.
Configure machine\software\Hewlett-Packard.
Configure machine\software\HP.
Configure machine\software\IGC.
Configure machine\software\InstallShield.
Configure machine\software\Intel.
Configure machine\software\Intel Corporation.
Configure machine\software\Intuit.
Configure machine\software\JavaSoft.
Configure machine\software\Lake.
Configure machine\software\Licenses.
Warning 1336: The access control list (ACL) structure is invalid.
Error setting security on machine\software\Licenses. ---------------------------------------- however this time it failed for this key.

Configuration of Registry Keys was completed with one or more errors


1. We added SYSTEM with Full Control on the registry key machine\software\Licenses.
2. And did a gpupdate /force.
3. In winlogon.log it now fails for some other key.

This may keep failing for many keys, one after another, as we fix the permissions on each key.
It gave SceCli 1704 after fixing 6 such registry key permissions.

But when we check on a different machine, winlogon.log may complain about a completely different registry key.
It's a pain to check all the winlogon logs from different machines and then correct the registry on each one.
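One way to take the pain out of reading winlogon.log from many machines is to parse the "Warning NNNN" / "Error setting security on" pairs and aggregate the failing keys per machine. The Python below is an added example written for this page, not a tool from the original post; the three log excerpts are constructed in the format shown above (the machine names PC01 to PC03 and the "completed successfully" line for the clean machine are assumptions).

```python
import re
from collections import defaultdict

# In winlogon.log a "Warning NNNN: text." line precedes "Error setting security on <key>."
WARNING_RE = re.compile(r"^Warning (\d+): (.*?)\.?$")
ERROR_RE = re.compile(r"^Error setting security on (.+?)\.$")


def failing_keys(log_text: str) -> list:
    """Return [(key, warning_code, warning_text)] for each key whose ACL could not be set."""
    results = []
    last_warning = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = WARNING_RE.match(line)
        if m:
            # Remember the warning so it can be attached to the error that follows it.
            last_warning = (int(m.group(1)), m.group(2))
            continue
        m = ERROR_RE.match(line)
        if m:
            code, text = last_warning if last_warning else (None, "")
            results.append((m.group(1), code, text))
            last_warning = None
    return results


def completed_cleanly(log_text: str) -> bool:
    """True unless the log ends the registry section with the error summary from the post."""
    return "completed with one or more errors" not in log_text


def aggregate(logs_by_machine: dict) -> dict:
    """Map each failing registry key to the sorted list of machines that reported it."""
    out = defaultdict(set)
    for machine, text in logs_by_machine.items():
        for key, _code, _text in failing_keys(text):
            out[key].add(machine)
    return {key: sorted(machines) for key, machines in sorted(out.items())}


# Constructed sample logs (not real captures), one per machine.
SAMPLE_LOGS = {
    "PC01": r"""
----Configure Registry Keys...
Configure machine\software.
Configure machine\software\Adobe.
Configure machine\software\Avance.
Warning 1336: The access control list (ACL) structure is invalid.
Error setting security on machine\software\Avance.

Configuration of Registry Keys was completed with one or more errors.
""",
    "PC02": r"""
----Configure Registry Keys...
Configure machine\software.
Configure machine\software\Apple Computer, Inc..
Configure machine\software\Avance.
Warning 1336: The access control list (ACL) structure is invalid.
Error setting security on machine\software\Avance.
Configure machine\software\Licenses.
Warning 1336: The access control list (ACL) structure is invalid.
Error setting security on machine\software\Licenses.

Configuration of Registry Keys was completed with one or more errors.
""",
    "PC03": r"""
----Configure Registry Keys...
Configure machine\software.
Configure machine\software\Avance.

Configuration of Registry Keys was completed successfully.
""",
}

if __name__ == "__main__":
    for key, machines in aggregate(SAMPLE_LOGS).items():
        print(f"{key}: {', '.join(machines)}")
    for name, text in SAMPLE_LOGS.items():
        print(name, "clean" if completed_cleanly(text) else "errors")
```

Having the exact per-key, per-machine list is also what lets you decide between fixing the handful of broken keys individually and the blanket "replace permissions on all child objects" route: the blanket reset rewrites the ACL on every subkey under HKLM\Software, including any key that was deliberately locked down, so knowing which keys actually fail keeps the fix as narrow as the problem.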

We have a good workaround
**********************************
1. Go to the registry editor on a client machine.
2. Locate HKLM\Software > right click > Permissions.
3. Check whether we have the following default permissions:

System – Full control
Creator owner – special permissions
Computer\users – read
Computer\administrators – full control

4. If yes, go to HKLM\Software > right click > Permissions > Advanced and check the box which reads

"Replace all permissions on child objects"

It may fail to set the permission on some subkeys.
Just click OK; those errors can be ignored.

Then do a gpupdate /force.

YOU GET A SCECLI 1704 !!!!


Thanks
Jerry

Friday, September 19, 2008

Cannot join a Machine to a Single-Labeled Domain

We get an error while trying to join a machine to a single-labeled domain.
Error: "The domain controller for the domain cannot be contacted. Ensure that the domain name is typed correctly."
Microsoft does not recommend single-labeled domains (single-label DNS zones). Client computers and domain controllers may require additional configuration (registry changes) to resolve DNS queries in single-label DNS zones.
Reference KB: 300684
Resolution: Copy the script below to a text file, save it with the extension .vbs and run the script on the client machine, or make the registry changes (mentioned in the script) manually on the client machine.
*************************************************
' Create a WScript.Shell object so the script can write registry values
dim oShell
set oShell = Wscript.CreateObject("Wscript.Shell")
' Let Netlogon locate a domain whose DNS name is a single label
oShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\AllowSingleLabelDnsDomain", 1, "REG_DWORD"
' Let the DNS client resolve and register names in single-label (top-level) zones
oShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\UpdateTopLeveldomainZones", 1, "REG_DWORD"
Set oShell = Nothing
**************************************************
Try joining the machine now.
Thanks & Regards
Jerry

Shortcut Commands for AD Snap-Ins.

RUN/CMD shortcuts for AD management
ADFS.msc AD Federation Services
CERTMGR.msc Certificate Management –Current User
CERTSRV.msc Certification Authority
CERTTMPL.msc Certificate Templates
COMPMGMT.msc Computer Management
COMEXP.msc Component Services C:\windows\system32\com
DCOMCNFG.exe Component Services
DSA.msc ADUC (AD Users and Computers)
DFSGUI.msc DFS Management
DFSMGMT.msc DFS Management R2
DNSMGMT.msc DNS Management
DOMAIN.msc Domains and Trusts
DSSITE.msc Sites and Services
EVENTVWR.msc Event Viewer
GPEDIT.msc Local Policy
GPMC.msc Group Policy Management Console
PKIVIEW.msc PKI management
RSOP.msc Resultant set of Policy
SECPOL.msc Local Security Policy
SERVICES.msc Services
SCHMMGMT.msc Schema Management
TASKMGR.exe Task Manager
TSCC.msc TS Configuration
TSADMIN.exe TS Administrator
LICMGR.exe TS Licensing

The following are contained within the WINDOWS 2003 ADMINISTRATION TOOLS PACK
*Installed from the Windows Server 2003 CD

ADMGMT.msc AD Management –Domains, Sites, DNS and ADUC
PKMGMT.msc PKI Management – Authorities, Templates
IPADDRMGMT.msc WINS,DNS and DHCP in one console

2008 SERVER

SERVERMANAGER.msc Server Manager
NAPCLCFG.msc Network Access Protection Client Configuration
STOREXPL.msc Storage Manager
TSCONFIG.msc TS Configuration
WBADMIN.msc Windows Server Backup
WF.msc Windows Firewall + Advanced Security

RUN shortcuts for Windows OS management

NCPA.CPL Network Properties
APPWIZ.CPL Add remove programs
DEVMGMT.msc Device Manager
FSMGMT.msc File Share Management
SYSDM.CPL System Properties
FIREWALL.CPL Firewall applet
DESK.CPL Display Properties
CONTROL.exe Control Panel
MMSYS.CPL Sound Properties
ACCESS.CPL Accessibility Options
TIMEDATE.CPL Date/Time Properties
FINDFAST.CPL FindFast
FONTS.CPL Fonts Folder
INETCPL.CPL Internet Properties
JOY.CPL Joystick Properties
MAIN.CPL Keyboard Properties
MLCFG32.CPL Microsoft Exchange
WGPOCPL.CPL Microsoft Mail Post Office
MAIN.CPL Mouse Properties
MMSYS.CPL Multimedia Properties
PASSWORD.CPL Password Properties
MAIN.CPL PC Card
PRINTERS.CPL Printers Folder
INTL.CPL Regional Settings
STICPL.CPL Scanners and Cameras


Thanks & Regards
Jerry