
Tuesday, October 30, 2012

on the go: how to stop a scheduled backup task

In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

how to stop a scheduled backup task

 

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Thursday, October 25, 2012

Create Users, Home Folders, And set Permissions all in one script


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.


Create Users, Home Folders, And set Permissions all in one script

Back to our scripts again: the following script not only creates users but also creates their home folders and grants each user permissions over their own home folder. The home folder is also mapped automatically to drive Z:. The following video shows how to use the script.

Note:
In the following video I granted "Everyone" Full Control over the "HomeDir$" share. This may be a security hole, so you can replace "Everyone" with the "Authenticated Users" group and give them only the "Change" and "Read" permissions, not Full Control.
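The following is an added example, not the blog's downloadable script, showing one way to do what the script and the Note above describe: create the users, create their home folders, map them to Z:, and apply the tighter permissions (Authenticated Users with Change on the share, and a per-user NTFS ACL underneath). It assumes the ActiveDirectory PowerShell module (Server 2008 R2 or later), that it runs on the file server hosting the HomeDir$ share, and that the OU, local path and user list are constructed for the example.

```powershell
# Added example, not the blog's downloadable script: create users, their home
# folders and least-privilege permissions in one pass.
# Assumptions: the ActiveDirectory module (Server 2008 R2 or later), the script
# runs on the file server that hosts the HomeDir$ share, and the OU, paths and
# user list below are constructed for the example.
Import-Module ActiveDirectory

$Domain    = 'ibnsina.local'                                  # domain seen in the blog's dsadd output
$TargetOU  = 'OU=Users,OU=Accounting,DC=ibnsina,DC=local'     # assumed OU
$HomeRoot  = 'D:\HomeDir'                                     # assumed local path behind HomeDir$
$HomeShare = '\\' + $env:COMPUTERNAME + '\HomeDir$'
$TempPass  = ConvertTo-SecureString 'Temp-Pass-2012!' -AsPlainText -Force   # constructed; changed at first logon

# Constructed sample input; in practice read it with Import-Csv.
$Users = @(
    @{ Sam = 'a.hassan'; Given = 'Ahmed'; Surname = 'Hassan' },
    @{ Sam = 'm.salem';  Given = 'Mona';  Surname = 'Salem'  }
)

# Share permissions, set once: Authenticated Users get CHANGE instead of
# Everyone / FULL. The per-user NTFS ACL below is the real boundary; the share
# ACL only caps what any NTFS permission can grant over the network.
if (-not (Test-Path $HomeRoot)) { New-Item -ItemType Directory -Path $HomeRoot | Out-Null }
net share 'HomeDir$' 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    & net share ('HomeDir$=' + $HomeRoot) '/GRANT:Authenticated Users,CHANGE' | Out-Null
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

foreach ($u in $Users) {
    $homePath = Join-Path $HomeRoot $u.Sam
    $homeUnc  = $HomeShare + '\' + $u.Sam

    New-ADUser -Name ($u.Given + ' ' + $u.Surname) -SamAccountName $u.Sam `
        -GivenName $u.Given -Surname $u.Surname `
        -UserPrincipalName ($u.Sam + '@' + $Domain) -Path $TargetOU `
        -AccountPassword $TempPass -ChangePasswordAtLogon $true -Enabled $true `
        -HomeDirectory $homeUnc -HomeDrive 'Z:'

    New-Item -ItemType Directory -Path $homePath | Out-Null

    # Build an explicit ACL: stop inheritance and drop inherited ACEs, then grant
    # the user Modify (not Full Control, so the owner cannot re-ACL the folder or
    # hand it to others) and keep SYSTEM and Administrators at Full Control for
    # backup and support. The SID is used so the ACE is correct even before the
    # new account's name has replicated to this server.
    $sid = (Get-ADUser -Identity $u.Sam).SID
    $acl = Get-Acl -Path $homePath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = $sid;                     Rights = 'Modify' }
    )) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.Id, $ace.Rights, $inherit, $noProp, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $homePath -AclObject $acl
}
```

Run it from an elevated prompt on the file server; the share is created only if HomeDir$ does not already exist, and each user ends up with exactly three ACEs on their folder, so a later audit with Get-Acl shows at a glance whether anyone has widened the permissions.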
 
first download the script from the following link:


 
I hope that has been informative to you.

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Monday, October 22, 2012

How To Configure Fine-Grained Password Policies


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

How To Configure Fine-Grained Password Policies

Prior to Windows Server 2008, an Active Directory administrator was only able to configure a single Password Policy and Account Lockout Policy for any Active Directory domain. If you were faced with a subset of users whose password policy requirements were different, you were left with the choice of configuring a separate domain or forcing all users within the domain to conform to a single password policy. Beginning in Windows Server 2008, you can configure Fine-Grained Password Policies, which allow you to define multiple password policies within a single domain. 
To enable Fine-Grained Password Policies, Windows Server 2008 introduces a new object type called msds-PasswordSettings, also called a Password Settings Object (PSO). Each PSO has the following mandatory attributes:
• cn. The common name for the PSO, such as "ServiceAccountNoLockout".
• msDS-PasswordSettingsPrecedence. When multiple PSOs apply, this attribute is used as a tie-breaker to determine which PSO should apply: a PSO with a precedence of 1 is applied over a PSO with a precedence of 5, a PSO with a precedence of 10 over a PSO with a precedence of 100, and so on.
• msDS-PasswordReversibleEncryptionEnabled. Indicates whether the PSO allows passwords to be stored in Active Directory using reversible encryption. This setting should only be enabled if a particular application requires it, because it presents a significant security risk. Use "true" or "false".
• msDS-PasswordHistoryLength. The number of previous passwords Active Directory retains before allowing a user to reuse one. Setting this attribute to "2", for example, prevents a user from reusing the previous two passwords configured for their account. This setting corresponds to the Enforce Password History setting in Group Policy.
• msDS-PasswordComplexityEnabled. Indicates whether the PSO requires a complex password, that is, a password that uses a mixture of uppercase and lowercase letters, numbers, and symbols. The default password policy in Windows Server 2008 requires complex passwords.
• msDS-MinimumPasswordLength. The minimum length of a password defined by this PSO.
• msDS-MinimumPasswordAge. A negative number that indicates, in milliseconds, how old a password must be before it can be changed. The default value is -864000000000, which equates to one day. It is entered in the form Days:Hours:Minutes:Seconds.
• msDS-MaximumPasswordLength. As the name indicates, the maximum length of a password defined by this PSO.
• msDS-MaximumPasswordAge. A negative number that indicates, in milliseconds, when a password will expire. The default value is -36288000000000, or 42 days. It is entered in the form Days:Hours:Minutes:Seconds.
• msDS-LockoutThreshold. The number of bad logon attempts permitted before an account is locked out.
• msDS-LockoutObservationWindow. A negative number that indicates the number of milliseconds that must pass before the counter for failed logon attempts is reset. It is entered in the form Days:Hours:Minutes:Seconds; for example, make it 2 minutes, which is the default for the AD policy.
• msDS-LockoutDuration. A negative number of milliseconds that indicates how long an account remains locked out. A value of "0" indicates that the account stays locked out until an administrator manually unlocks it. It is entered in the form Days:Hours:Minutes:Seconds; for example, make it 2 minutes, which is the default for the AD policy.

Note:

The "msDS-LockoutObservationWindow" cannot be longer than the "msDS-LockoutDuration". Also, the "msDS-MaximumPasswordAge" cannot be set to 00:00:00:00.


You can create one or more PSOs within a domain and then configure each PSO to apply to one or more user or group accounts within the domain; these objects are not created using the Group Policy Management Editor, but by manually creating the object using ADSIEdit or LDIFDE. When a user logs on to the domain, Windows Server 2008 uses the following steps to determine the user's effective password requirements:
1. Are one or more PSOs assigned to the individual user account? If so, use the PSO that has the winning precedence. If not, continue to step 2.
2. Are one or more PSOs assigned to a group that has the user account as a member, either directly or through nested group membership? If so, use the PSO that has the winning precedence. If not, continue to step 3.
3. If no PSO is assigned to the user or to any group that has the user as a member, apply the domain-wide password policy and account lockout requirements defined by Group Policy.
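The post creates PSOs with ADSIEdit or LDIFDE. As an added example that is not part of the original post, the following script does the same with the ActiveDirectory module cmdlets (Server 2008 R2 or later): it pre-checks the constraint from the Note above (the same one behind the "Error code: 0x20e7" post further down this page), creates a PSO using the post's example name "ServiceAccountNoLockout", applies it to a group, and asks the domain controller which policy wins for a given user, which is steps 1 to 3 above resolved for you. The group name Svc-Accounts and the user svc-backup are assumed.

```powershell
# Added example, not from the post: create a PSO with the ActiveDirectory module
# (Server 2008 R2 or later) instead of ADSIEdit/LDIFDE, apply it to a group, and
# ask the domain controller which policy wins for a user. The PSO name comes from
# the post; the group name (Svc-Accounts) and user (svc-backup) are assumed.
Import-Module ActiveDirectory

$lockoutDuration   = New-TimeSpan -Minutes 2
$observationWindow = New-TimeSpan -Minutes 2

# Pre-check the constraint from the Note above: the observation window may not be
# longer than the lockout duration; the DC otherwise rejects the object with 0x20e7.
if ($observationWindow -gt $lockoutDuration) {
    throw "msDS-LockoutObservationWindow ($observationWindow) exceeds msDS-LockoutDuration ($lockoutDuration)"
}

$pso = @{
    Name                            = 'ServiceAccountNoLockout'
    Precedence                      = 10        # lower number wins when several PSOs apply
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false    # keep off unless an application demands it
    MinPasswordLength               = 14
    PasswordHistoryCount            = 24
    MinPasswordAge                  = New-TimeSpan -Days 1
    MaxPasswordAge                  = New-TimeSpan -Days 42   # must not be 00:00:00:00 (see Note above)
    LockoutThreshold                = 0         # 0 = never lock out, the intent of this PSO's name
    LockoutDuration                 = $lockoutDuration
    LockoutObservationWindow        = $observationWindow
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# Apply the PSO to a group (step 2 of the resolution order) rather than to
# individual users, so membership changes are audited in one place.
Add-ADFineGrainedPasswordPolicySubject -Identity 'ServiceAccountNoLockout' -Subjects 'Svc-Accounts'

# Let the DC run steps 1-3 for a user: the winning PSO, or nothing when the
# domain-wide Group Policy settings apply.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'
if ($effective) { "Effective PSO for svc-backup: $($effective.Name) (precedence $($effective.Precedence))" }
else            { 'No PSO applies to svc-backup; the domain-wide password policy is in effect' }

# Audit view: every PSO, its precedence and the users/groups it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength,
        @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

Get-ADUserResultantPasswordPolicy is the quickest way to confirm that a PSO really applies to an account after a group change, since a lower-precedence PSO assigned directly to the user would silently win over one assigned to a group.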

Configuration Example:




Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Sunday, October 21, 2012

Error code: 0x20e7


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

Error code: 0x20e7

I was trying to create an object to apply a fine-grained password policy, which allows us to make a different password policy for some users, but I got the following error:


I had set msDS-LockoutObservationWindow to 00:00:30:00 and msDS-LockoutDuration to 00:00:02:00.
• msDS-LockoutObservationWindow. This attribute is a negative number that indicates the number of milliseconds that must pass before the counter for failed logon attempts is reset. It should be entered in the form Days:Hours:Minutes:Seconds.

• msDS-LockoutDuration. This attribute is a negative number expressed in milliseconds that indicates how long an account will remain locked out. A value of "0" indicates that the account will stay locked out until it is manually unlocked by an administrator.

The problem was that the "msDS-LockoutObservationWindow" must not be longer than the "msDS-LockoutDuration".

So to get out of this, I set the two values to 00:00:02:00, and it worked, thanks to Allah.

I hope that has been informative to you.

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Saturday, October 20, 2012

This may be caused by allowing dsadd to auto-generate the downlevel computer name


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

I was trying to add some computers to the Computers sub-OU in the Accounting department OU. I used the script posted in a previous post:


but I faced the following error:

C:\Users\Administrator\Desktop>dsadd computer "cn=PC-ACCOUNTING-08,ou=Computers,
ou=Accounting,dc=ibnsina, dc=local"
dsadd failed:cn=PC-ACCOUNTING-08,ou=Computers,ou=Accounting,dc=ibnsina,dc=local:
The specified account already exists.:This may be caused by allowing dsadd to au
to-generate the downlevel computer name. Try specifying the -samid switch with a value.

As the error message states, we need to add the -samid parameter to the command, so I updated my script to add the -samid parameter. The samid can be the same as the computer name (cn); you can consider it the login name of the computer to the domain.
You can download the new script from this link:
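As an added example (not the blog's downloadable script), here is a bulk-add loop in the same spirit that always passes -samid explicitly, as the error message recommends. The OU and the computer names are constructed from the dsadd output quoted above. One caveat worth checking up front: downlevel (NetBIOS) computer names are limited to 15 characters, so an auto-generated downlevel name for a longer CN is truncated, which is one way two different CNs can end up colliding on "The specified account already exists"; the script warns about such names before calling dsadd.

```powershell
# Added example, not the blog's downloadable script: bulk-create computer
# accounts with dsadd, passing -samid explicitly so dsadd does not auto-generate
# the downlevel (pre-Windows 2000) name. OU and names are constructed from the
# dsadd output quoted in the post.
$TargetOU = 'ou=Computers,ou=Accounting,dc=ibnsina,dc=local'

# Constructed list; in practice read it with: Get-Content .\computers.txt
$Computers = @('PC-ACCOUNTING-08', 'PC-ACCOUNTING-09', 'PC-ACCOUNTING-10')

$failed = @()
foreach ($name in $Computers) {
    # NetBIOS (downlevel) names are at most 15 characters. An auto-generated
    # downlevel name for a longer CN is truncated, so several CNs can map to
    # the same account; flag these so the operator knows why -samid matters.
    if ($name.Length -gt 15) {
        Write-Warning "$name is longer than 15 characters; its downlevel name would be truncated if auto-generated"
    }

    $dn = "cn=$name,$TargetOU"
    # -samid is set to the CN, as the post describes; -desc is dsadd's description switch.
    & dsadd computer $dn -samid $name -desc 'Accounting workstation (bulk import)'
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsadd failed for $dn (exit code $LASTEXITCODE)"
        $failed += $name
    }
}

if ($failed.Count -gt 0) { "Not created: $($failed -join ', ')" } else { 'All computer accounts created.' }
```

Because each dsadd call is checked through $LASTEXITCODE, a collision on one name no longer stops the rest of the list, and the summary at the end tells you exactly which accounts still need attention.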
I hope that has been informative to you.

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Friday, October 19, 2012

"You must be granted the Allow log on through the Terminal Services Right"


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

"You must be granted the Allow log on through the Terminal Services Right"


You're seeing this error message because the user you're trying to log in as does not have the correct permissions to use Remote Desktop. To fix this, we'll grant these permissions to your user account. Note: Please be careful when following these steps; make sure you follow them as listed here.
  1. First we'll make sure your user account is a member of the Remote Desktop Users group:
    1. Right click Computer or My Computer and then click Properties.
    2. Click the Remote Settings link or the Remote tab if you are on XP.
    3. Click the Select Users or Select Remote Users button.
    4. If your user name is not listed in there, click Add and enter your user name.
    5. Click Ok and Ok again to dismiss both dialogs.
  2. Once you are done, try reconnecting. If you can connect, stop here - we're done. If you still see the error message continue to step 3.
  3. We're almost done. Next, we'll grant the Remote Desktop Users group the right to log on:
    1. Click Start then click Run. Enter secpol.msc and click Ok.
    2. The Local Security Policy window should open up.
    3. Expand the Local Policies node and click User Rights Assignment.
    4. On the right hand side, double click Allow log on through Terminal Services or Allow log on through Remote Desktop Services.
    5. Click Add User or Group and enter Remote Desktop Users.
    6. Click Ok and Ok again to dismiss both dialog boxes.
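Before clicking through the dialogs, it helps to know which of the two conditions above is actually missing. The following is an added example, not part of the original post: run from an elevated PowerShell prompt, it uses only built-in tools (net.exe and secedit.exe) to report whether the account is in the local Remote Desktop Users group and which accounts currently hold the "Allow log on through Terminal Services / Remote Desktop Services" right (SeRemoteInteractiveLogonRight). The account name defaults to the current user and is an assumption.

```powershell
# Added example, not from the post: check both conditions the GUI steps above fix.
# Requires an elevated prompt (secedit needs it). $User is assumed to be the
# account receiving the error; it defaults to the current user.
$User = "$env:USERDOMAIN\$env:USERNAME"

# 1. Direct membership of the local Remote Desktop Users group (SID S-1-5-32-555).
#    net localgroup lists members as DOMAIN\user for domain accounts and as plain
#    names for local accounts, so both spellings are checked. Membership through
#    a nested domain group is not visible here; that is a known limitation.
$members = (net localgroup 'Remote Desktop Users') |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
    ForEach-Object { $_.Trim() }
$inGroup = ($members -contains $User) -or ($members -contains $User.Split('\')[-1])
"Member of Remote Desktop Users ($User): $inGroup"

# 2. Who holds SeRemoteInteractiveLogonRight. secedit exports the policy as an INI
#    file whose [Privilege Rights] section lists SIDs prefixed with '*'.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$sids = @()
if ($line) {
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

# Translate SIDs to names; keep the raw SID when it cannot be resolved.
$holders = foreach ($s in $sids) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($s)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $s }
}
"Accounts granted the right: $($holders -join ', ')"

if (-not $inGroup) {
    Write-Warning 'Account is not in Remote Desktop Users; follow step 1 above.'
}
if ($holders -notcontains 'BUILTIN\Remote Desktop Users') {
    Write-Warning 'Remote Desktop Users does not hold the logon right; follow step 3 above.'
}
```

The second check is the one people usually miss: a hardening baseline applied by Group Policy can remove Remote Desktop Users from the right, and then adding the account to the group (step 1) changes nothing until the right is restored.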
 Watch the Video Tutorial




I hope that has been informative to you.
Do not forget me and the Muslims in your righteous supplications.
May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Thursday, October 18, 2012

Add Mass Computers in Active Directory Using Script


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

Add Mass Computers in Active Directory Using Script

 

Download the patch file used in this video:

In the name of Allah

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Wednesday, October 17, 2012

Add A Bulk Of Users In Active Directory Using Script


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

 Add A Bulk Of Users In Active Directory Using Script
Download the script used in this video:

I hope that has been informative to you.

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Tuesday, October 16, 2012

How to Delete protected Items in Active Directory

In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

How to Delete protected Items in Active Directory

 

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Saturday, October 13, 2012

The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

The following error popped up when I was trying to set up a new child domain in a third site:

The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner


First, this is my topology:

So, as the error message states, CA-DC-01, which is the replication partner for GZ-DC-01, was not fully replicated with AL-DC-01, because I had turned off AL-DC-01 to save some memory.
After I powered AL-DC-01 on again, the process of promoting GZ-DC-01 into the directory was successful, thanks to Allah.


Hope that has been informative to you.

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Thursday, October 11, 2012

Do you want to reinstall that domain?


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

Do you want to reinstall that domain?


I was creating a child domain, but the installation wizard popped up with the following error message:

"Directory configuration information indicates that the domain child.mydomain.com already exists. Do you want to reinstall that domain? If you click Yes, all information about the prior Active Directory Domain Services domain installation will be deleted."

After some searching on the internet for this problem I found some solutions, but they did not work.
Finally I came across a thread in a forum which stated that:

"This problem occurs when you are using cloned virtual machines that have the same SID".

I made a new virtual machine with a clean installation from the beginning.

Finally thanks to Allah it worked.

Hope that has been informative to you.

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Solved: I Can Ping The DNS Server But I Can Not Resolve Names!


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

Solved: I Can Ping The DNS Server But I Can Not Resolve Names!

Consider the previous topology. I was creating a child domain in Alex and had set the DNS server in the network properties to 192.168.1.1, which is the IP address of Cairo_DC. I could ping that IP address, but I could not resolve names, and consequently I could not promote Alex_DC into Active Directory.
After playing around with this issue for some time, I remembered that the ip helper-address command on a Cisco router can also be used to forward traffic to a DNS server that is not located on the same subnet. As you know, this command is commonly used for the DHCP relay agent feature.
To sum up, I entered the following command under interface f1/0:

ip helper-address 192.168.1.1

And finally, thanks to Allah, it worked.

Hope that has been informative to you.

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Monday, October 8, 2012

Change Windows Hostname Using CLI


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

Change Windows Hostname Using CLI

1- Open the CMD and enter the following:
 
wmic computersystem where name="Old_Name" call rename name="New_name"

2- Reboot:

shutdown /r

3- Verify:

hostname 

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

How To Enable Remote Desktop Connection To Windows 2008 Core Installation


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

 How To Enable Remote Desktop Connection To Windows 2008 Core Installation

1- Enable the Remote Desktop for Administration mode to accept connections:

cscript C:\Windows\System32\Scregedit.wsf /ar 0

in order to view your current settings you can type:

cscript C:\Windows\System32\Scregedit.wsf /ar /v
 
If you see "1" in the script output, that means that RDP connections are denied.
If you see a "0", they will be allowed.
for example:
 
2- If you are running the Terminal Services client on a previous version of Windows, you must turn off the higher security level that is set by default in Windows Server 2008. To do this, type the following command at the command prompt:
cscript C:\Windows\System32\Scregedit.wsf /cs 0 

3- Allow the RDP to pass through the firewall:
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
 
 Also this is a short video showing the whole process:
  
 
Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.

Tuesday, October 2, 2012

Installing Loopback Interface in Server 2008 R2


In the name of Allah, and praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family, his companions and his brethren.

Installing Loopback Interface in Server 2008 R2


 

Do not forget me and the Muslims in your righteous supplications.

May Allah bless the Prophet, his family, his companions and his brethren, and grant them peace.