Channel: Windows Server General Forum forum
Viewing all 24879 articles

Delete Microsoft Access with GPO


Hi everyone ...

I want to delete Microsoft Access with GPO ...

Is that possible? I have researched everywhere on the internet but I didn't find any script that can do it...

Thanks a lot.


Licensing query


Hi ,

Customer has below set of questions. Please provide supporting links also

  1. Visual Studio can be used under the Enterprise agreement?
  2. Visual Studio Licenses are geo specific or not?
  3. How to allocate Visual Studio Licenses under the Enterprise agreement

Thanks and Regards

Ishan


Thanks & Regards Ishan Dhawan

Migrate from FRS to DFSR SYSVOL RODC stuck at ('Preparing') - Read-only DC


Hi all,

This seems to be a common problem! :-)

I have a domain with 10 conventional and 1 RODC and have to migrate the customer from FRS to DFS-R. After a lot of cleaning-up of DNS and replication, I was confident enough to start dfsrmig. Over a period of days (!) all DCs disappeared from dfsrmig /GetMigrationState EXCEPT the RODC.

I have checked replication (fine), run dfsrmig /CreateGlobalObjects on the PDC Emulator, repadmin /syncall, sacrificed a chicken and muttered incantations at full moon, but the status remains: <RODC> ('Preparing') - Read-only DC. Migration has not yet reached a consistent state...

Can anyone help please?

Richard


RS

Do you want to be acknowledged as Microsoft Windows Server Guru? Submit your work to Oct 2019 competition!


What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in a dedicated blog post that will be published in the Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at the Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in October 2019 and must be in English. However, the original blog or forum content can be from before October 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: Above top banner came from Rajeesh Menoth.

Thanks & Regards,
Kamlesh | Blog | Twitter | Posting is provided "AS IS" with no warranties, and confers no rights.

Server 2016 Services not starting


I have deployed a Windows 2016 server as a Hyper-V host.  However the server manager is always showing Red for Local Server and All Servers under Services.  The services are Sync Host_3d6a513 and Downloaded Maps Manager. 

I can start the Sync Host service but the Downloaded Maps Manager starts then stops.  Does not seem to be causing issues but I would like to see a Green status in my Server Manager.  Can I just set these to manual?  Do I even need them?

Task Scheduler Email Notification


Hi All, 

I have created a task scheduler to run a bat job. 

My company is using O365 and the Encryption Method is TLS. 

I understand from my infra team that I am unable to get Task Scheduler to send email, as our email encryption method is TLS.

I would like to check whether there is any way to resolve this.

I am creating a task to attach to an error so that when the task scheduler hits the error it will send me an email notification.

Please help. 

Thanks! 

Windows 2008 R2 - You have been logged on with Temp Profile


Hi Guys,

One of our servers, which was running Win2008 R2, crashed due to power & UPS failure.

I reinstalled the OS and restored the System State backup. Since then, whenever I log in to the server I get this message. Please check the screenshot and suggest.


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

Help Dell Laptop turned into a Server


I am posting this here as my Laptop has been turned into a Windows server without my consent. I do have Group Policy setup but I have no control over the contents.

 

I need help with a serious hacker issue. Someone, somehow has complete control over my system. I have a Dell Vostro V13 laptop running Windows 7 Home Premium 64bit. Memory is 4 GB DDR301333MHz SDRAM, 1DIMM with Intel Core Processor ULV i30380UM (3M Cache, 1.33GHz, 800MHz FSB). It has a 500GB SATA Hard Drive. This issue has been going on for some time now (possibly up to 1 year) but it has gotten much worse as time has gone on and the hacker(s) have gained more control over my system. This actually started on a previous laptop I had.

The hackers have turned my machine into a server and are using it to either play games or to resell bootlegged software and or maybe to gain personal information on me. Not entirely certain of their motives but it has caused me many, many problems. At one point I found a reference to allowing up to 100 client connections into my new Dell server. Here are some of the odd things I see.

My OS Build Version shows 6.1.7600 Build 7600. When I run the Dell diagnostics utility it shows something in the 4,000 range. This is the same build version I showed on my previous Laptop but it had the Home Starter Windows Package loaded.

My boot device is \device\Harddiskvolume1. I don't know if this is strange or not. My hard disk is 0.

I have been placed into a domain and do not have complete administrative control over my system. I have admin rights but the domain server admin has more rights than I do and this person is the hacker.

Installed Physical Memory is 4GB
Total Physical Memory is 3.8GB. I believe the hacker has used some of my memory allocation to reside their malicious software.
Available Physical Memory is 3.35. This is after a safe boot load.
Total Virtual Memory is 7.6 GB. I have tried to uninstall the virtual memory but it keeps coming back.
Available Virtual Memory 7.14.
Page File Space 3.8GB. I have tried to delete the page file but I can't. I also have what is called a hiberfil.sys file on my system and this is currently 4GB in size and I can not delete it.
Page File c:\pagefile.sys

I am now fairly convinced my problem is somewhere in the memory. I think a Ramdrive or Ramdisk loads at boot. I have a 500GB hard drive but I can only see 465GB. The remaining disk space is reserved for a X: drive that I can only see and navigate to when I get into a System Restore mode and get into the command prompt. Once I get into the z: drive I can see all sorts of files that I do not believe belong there. I have attempted to remove the files but they all recover at my next boot. I have even seen them recreate themselves before my very eyes after I deleted them. I can't delete every file. Many are protected and I do not have the sufficient admin rights to delete them nor can I gain those rights. I have tried to reformat the z: drive but I have been unsuccessful. I get a write protected error. I have however been able to format the c: drive but this did not resolve the problem. I have now reloaded the OS over 20 times in the past month and it is now becoming clear that this will never solve my problem. When I run the set command from the c: drive many of the settings are different than when I run that command from the z: drive. As an example the Computer Name is different. It is as if I have two computers and two OSes running at the same time. One for the Domain Administrator (i.e., hacker) with complete control and one for me which allows the hacker to see everything I do and to prevent me from gaining access to my own machine.

I believe the hacker has a system image and has a CDROM capable reboot. I do not have the technical knowledge to understand how this all works but I do know this person is accessing my system at blinding speeds. He or she is somehow contacted every time I gain network access as the moment I get online they are in my system. I have tried to prevent this via the firewall but last night the hacker just deleted my firewall. They also took over my USB dongle I was using for Internet access. They changed the PIN on one of my SIM Chips which prevented me from accessing the service. I had another SIM Chip with a PIN already programmed into it and they just modified the USB software to disallow the use of a PIN. I watched as this person had internet access via my system and I was denied access somehow. One thing that I am perplexed about is how this hacker is gaining access to my Laptop. They seem to be able to access it even when I am not connected to the internet. I have found hidden files that are called hiddenpbx. I do not know if this is a back door or not. I delete the files but they always come back.

When I look at my memory resources I see IRQ 81 to IRQ 190 reserved for a device called Microsoft ACPI Compliant System. This seems odd to me. This is a lot of upper memory reserved for something.

All my Dell devices that came reinstalled have been replaced with some generic devices of unknown origin or these so called Microsoft Compliant Devices. Every time I reinstall the devices they last a day and then are replaced.

Every time I reload the OS I run across strange log files that reference this x: drive. It appears as if the OS is actually being reloaded with some bogus or bootlegged OS vs being loaded from the OS CD Dell sent to me.

There is all sorts of information I can provide, but I am not certain what would be most beneficial. I need to leave this up to the experts. So if someone could raise their hand and give me some help I would appreciate it. I know someone out there in cyberspace can fix this problem without too much sweat, but I do know this issue has gone on for some time now and this hacker now has complete control over my system. I understand it may take some time to undo what this person or these people have spent many hours creating, but I need my system back. I would be willing to offer some sort of compensation to the person who can get my system back into my hands. I do not have much money but I will certainly offer what is deemed fair in this situation. I am at the point where I just want to throw this Laptop into the trash can.

I can't spend a lot of time speculating as to what may be the problem. I need to know what the problem is and to have it fixed. I currently am not using that machine to access the internet or to send this Post. I have to use an Internet Cafe so my access to the internet is much more restricted.

Thanks in advance for any help someone may be able to provide.


Need a clean way to distinctly identify between RDP and TS sessions


We are using Win32 APIs ProcessIdToSessionId and GetSystemMetrics (SM_REMOTESESSION) to identify whether the session is remote or local.

But we currently don’t have a clean way to identify in remote sessions whether they are created from TS clients or for RDP connection to a local station.

Could you provide some technique prompt?

Thanks a lot!

Ray

Disable SMB V1


Hi All,

I found a problem with a DFS share that I can't access from Windows 10 1809. I realized that a domain controller has SMB V1 support, and to solve the problem I need to enable SMB V1 support on the Windows 10 client, which is risky, and I just did it to verify that this is the issue.

Now I have decided to remove the SMB V1.0 feature from the Windows Server 2012 R2 domain controller, but I am wondering what the next step is. Should I recreate the DFS share again, or once I remove the SMB V1 feature will it automatically start using SMB V2.0 or 3?

Details of error


Hi,

Where to locate more details of error below?


Many Thanks & Best Regards, Hua Min

Audit Failure 4625 with no details for troubleshooting


For the past few months I've been experiencing a lot of Event ID 4625 on my Exchange 2013 CU23. They're occurring at a rate of roughly 3-5 per minute every couple of minutes. It's driving me nuts and filling my security log which means my logs fill up and truncate leaving me with less than 24-hours based on current configurations.

I'm posting here because I have exhausted Google, Microsoft forums, Spiceworks, etc. I feel confident saying I've read just about every other issue but I can't find one that matches my description with a functioning resolution.

I found this person who has the same issue, but when I tried the recommended fixes it didn't resolve it for me: social.technet.microsoft.com/Forums/en-US/d3e6959c-6e81-4c66-a905-594ef7aa93a3/constant-null-sid-schannel-authentication-errors-on-ex2013-cu14-servers-event-4625?forum=exchangesvradmin

I've created or checked the following:

  • KB3002657 is NOT installed on any of my DCs
  • Rebooted (of course)
  • Created the following registry keys: DisbaleStrictNameChecking & BackConnectionHostNames
  • Modified local GPO for LAN Manager Authentication Level = Send NTLMv2 response only. Refuse LM & NTLM (have not rebooted since making this change 30 minutes ago)
  • Evaluated events before and following the Event 4625 but found no evidence to steer me in any direction
  • Disabled AV 
  • Verified scheduled tasks are running properly (they're using the domain admin account)
  • No Windows services are running as a user account

I'm here because I'm at a loss and don't know where else to turn.

Output from Event Details:

An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:

Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xC000006D
    Sub Status: 0x80090325

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: -
    Source Network Address: -
    Source Port: -

Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Microsoft Unified Security Protocol Provider
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

System
  Provider
    [Name] Microsoft-Windows-Security-Auditing
    [Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 4625
  Version 0
  Level 0
  Task 12544
  Opcode 0
  Keywords 0x8010000000000000
  TimeCreated
    [SystemTime] 2019-09-19T13:27:21.225365000Z
  EventRecordID 670033201
  Correlation
  Execution
    [ProcessID] 660
    [ThreadID] 5208
  Channel Security
  Computer <hostname>.<domain>
  Security
EventData
  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetUserName
  TargetDomainName
  Status 0xc000006d
  FailureReason %%2304
  SubStatus 0x80090325
  LogonType 3
  LogonProcessName Schannel
  AuthenticationPackageName Microsoft Unified Security Protocol Provider
  WorkstationName -
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress -
  IpPort -


Can't install IE11 on Windows Server 2008 R2


I have a VMware VM with 2008 R2 SP1. Internet Explorer 8 is installed and when trying to install IE11, the installer complains that there is a pre-requisite that needs to be installed. When examining C:\Windows\IE11_main.log, the error is:

Error installing prerequisite file (C:\Windows\TEMP\IE1715D.tmp\KB2834140_amd64.MSU): 0x800f081e (2148468766)

The patch in question, KB2834140, pertains to a situation where a mix of graphics cards may exist in the server, which is not the case here (a VM with just the standard VMware SVGA adapter).

When trying to manually install the KB2834140, it just gives the error "The update is not applicable to your computer", which seems fair since it just has one virtualized display adapter. Still, IE11 requires it.

What I have tried:

* Re-installing SP1 (failed with Event log entry "Service Pack installation failed with error code 0x80070bc9.")

* Running the Microsoft System Update Readiness Tool and then examined the CheckSUR.log file (no errors detected)

* Reset the Windows Update Components (https://support.microsoft.com/en-us/kb/971058)

Right now I am not sure whether the issue lies just in the KB2834140 refusing to install, or if the whole Windows Update / servicing system is broken. Any hints greatly appreciated.

/Patrik



Exchange Server

Can we have multiple domains in Exchange Server? If yes, then what is the maximum number of domains that can be added?

Thanks & Regards Ishan Dhawan

Users Machines Not Pointing to Local Domain Controller and point to DC hosted in Azure


Hello All,

I have a site where I have 150 users. When a user logs in, the machine is not pointing to the local domain controller and is instead pointing to some other domain controller in Azure.

Please let me know what needs to be checked.

Checks performed:

1. DNS record exists

2. Preferred DNS pointed to Local DC on all users' machines.

3. Sites and services have the correct Domain Controller in AD Sites & Services.

4. No Time Sync issues noticed.

Previously it was pointing to the Local DC; now it's pointing to the Azure DC.

Kindly let me know what needs to be checked.


Paramesh KA


CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability


Hi, Guys.

Are critical security updates for CVE-2019-1367 considered out-of-band updates that should be deployed to all applicable systems as an emergency, or should they be applied as part of the normal patching cycle?

Thank you.

'Security Only update KB4499175 or Cumulative Update KB4499164' registry application issues


Good Day,

I've been trying to patch our remaining 2008R2 servers with 'Security Only update KB4499175 or Cumulative Update KB4499164' but apparently you need to have these two registry keys in place to enable the functionality in the patch.  I've added them thru GPO and verified they've been applied but our security scans (ACAS) keep showing the patch not applied.  Has anybody seen this?  Thanks...

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f



Does ADBA need to be on multiple domain controllers?


I'm looking at implementing ADBA (Active Directory based Activation) for a new domain.

I install the volume activation service on the 2016 domain controller and that sets us up for ADBA. But my question is, if we want ADBA to be redundant and highly available, do we need to install the volume activation role on multiple domain controllers? Or does adding the role to 1 domain controller suffice, so that after the activation object is created, all the domain controllers replicate that object without needing the volume activation role installed on each domain controller you want participating in activation?

MS-re-release 3-oct-2019 windows update - KILLED our 2008R2 PDC ( will not boot!) AGAIN!!!


OK, applied the three "re-release" patches requested, and ONCE AGAIN the DC will not BOOT. Had to roll back to the image backup ( NOW THREE MONTHS RUNNING WITHOUT SECURITY PATCHES)

see also https://social.technet.microsoft.com/Forums/windowsserver/en-US/c3feaf46-f5e5-4e78-a1b8-888eada3d6d6/patch-tuesday-08132019-windows-update-killed-our-2008r2-pdc-will-not-boot?forum=winservergen

(AUGUST PATCH TUESDAY FAIL)

and also 

https://social.technet.microsoft.com/Forums/windowsserver/en-US/20134a24-f858-408f-9951-6248e32d52d0/patch-tuesday-09102019-windows-update-killed-our-2008r2-pdc-will-not-boot?forum=winservergen

(SEPTEMBER PATCH TUESDAY FAIL)

This is getting REALLY OLD - people.

I have tried to open a case but getting nowhere with the normal channels ( as suggested in earlier posts) 

PATCH TUESDAY OCTOBER is JUST AROUND THE CORNER, and I am really tired of burning an hour EVERY MONTH with the terrible software...

Patch tuesday 09-10-2019 windows update - KILLED our 2008R2 PDC ( will not boot!)


UNBELIEVABLE!!!

This happened LAST MONTH.. ( see  https://social.technet.microsoft.com/Forums/windowsserver/en-US/c3feaf46-f5e5-4e78-a1b8-888eada3d6d6/patch-tuesday-08132019-windows-update-killed-our-2008r2-pdc-will-not-boot?forum=winservergen )

eventually the "fix" was published:  "don't install this month's critical security patches - wait for NEXT MONTH".

OK, it's now next month, and I got five "important" patches for our 2008R2 domain controller.

All five applied "successfully". Then... "TA-DAH!!!" the machine WILL NOT REBOOT.. It tries to reboot, but cannot find its HARD DISK.

Restored from backup ( now TWO MONTHS BEHIND on the patches...) 

WHAT GIVES, GOOD PEOPLE OF MICROSOFT UPDATE?? 
