Hi,

We have this scenario (Windows Server 2008 R2 Enterprise):

1) Certain staff are in a local group "BCA Power Admin".  This local group is in the local Administrators group, as these staff need full admin access on the server.

2) The Administrators group also contains a mix of other local and domain userids.  These are generally IT staff and service accounts for maintenance, backups, etc.

3) Under drive T:\, we have a folder that needs to be locked down, with only those users given explicit access having access.  Everything in this folder and below contains sensitive, need-to-know data.

4) For certain sub-folders, we also want to prevent Write access even from the "BCA Power Admin" group (who are of course Administrators).  These folders should only be updated by a service account which runs our nightly ETL process.  This is done to prevent those staff from accidentally corrupting data during development.  Only production jobs should update these folders.

5) I'm also happy if these sub-folders were locked down from all administrators.  However, I don't want the "Click Continue to permanently get access to this folder" to explicitly add their userid the the NTFS permissions for that folder. (This last bit is optional).

I've setup some sample folders.  Here are the ACL's:

PS T:\> Get-Item T:\, T:\prod, T:\prod\Folder1, T:\prod\Folder2 | Get-Acl | Format-List Path, AccessToString


Path           : Microsoft.PowerShell.Core\FileSystem::T:\
AccessToString : Everyone Allow  ReadAndExecute, Synchronize
                 CREATOR OWNER Allow  FullControl
                 NT AUTHORITY\SYSTEM Allow  FullControl
                 BUILTIN\Administrators Allow  FullControl
                 BUILTIN\Users Allow  ReadAndExecute, Synchronize

Path           : Microsoft.PowerShell.Core\FileSystem::T:\prod
AccessToString : MYSERVER\BCA Power Admin Allow  FullControl

Path           : Microsoft.PowerShell.Core\FileSystem::T:\prod\Folder1
AccessToString : MYSERVER\BCA Power Admin Allow  FullControl

Path           : Microsoft.PowerShell.Core\FileSystem::T:\prod\Folder2
AccessToString : MYSERVER\BCA Power Admin Allow  FullControl

So, the default ACL's for T:\ (which I don't want to change) includes Everyone - Read and BUILTIN\Users - Read.

For T:\prod, I've removed all inherited permissions, then explicitly added "BCA Power Admin" - Full Control.

Folders T:\prod\Folder1 & Folder2 inherit from T:\prod.  

Questions:

1A) If I login (RDP) with an administrator account, that's not in "BCA Power Admin", I get the "Click Continue to permanently get access to this folder" dialog.  How do I prevent that?  I believe I need to change the UAC settings?  What are the repercussions if I do so?

1B) Ok, one way I've prevented the "Click Continue ..." dialog is to add Administrators to the NTFS permissions.  Even Read access prevents the dialog.  Again, #5 is optional; perhaps best practice is to add Administrators with Full Control, so IT and backups won't have problems with these folders?

2) But, how do I prevent "BCA Power Admin" having Full Control?  Do I need to add an explicit Deny for "BCA Power Admin" for those folders where only the service account should have Write access?

3) Finally, since I've removed BUILTIN\Users, Everyone, etc. from the T:\prod folder, I assume this folder and all sub-folders would be locked down (no access at all) for any users not an Administrator.  Is this correct?

Regards,

Scott

I am trying install the update for 2064460 on a 2008 R2 64-bit system.   I always get the message "The update does not apply to your system".  When I review the list of installed updates it is not in the list.  Is there are problem with this update or is not really for 2008 R2 64-bit?

I have 2 virtual Server 2008 R2 servers that are prompting for credentials twice on login and its happening on both RDP and ICA connections.  The RDP connection is a direct connection to the server, and obviously the ica sessions are handled by a connection broker.  

This happens on all clients connecting to the server (XP, 7, 8) all running at least ver 6.1 RDP or newer.  I have checked to make sure that the connection settings on the server is not "Always prompt for users password".  

I have read through other posts that are similar, however most of those have to do with a RDCB which we are not using for RDP.  I believe by fixing the RDP problem the ICA problem will go away as well.  

Hello staff
 
I know you have several articles talking about this problem, this put me a little strange:
 
I have a domain, and does not have branches, the servers are Windows 2008R2, and I have two domain controllers, primary and secondary that replicate each other.
 
I have AD-integrated zones.
 
When I run the command dcdiag / test: dns, the result appears without a problem, however in the event viewer the following message appears:
 
DCOM can not communicate with the computer 200.175.5.139 using any of the configured protocols
 
DCOM can not communicate with the computer 8.8.8.8 using any of the configured protocols
 
DCOM can not communicate with the computer 8.8.4.4 using any of the configured protocols

THESE ARE CONFIGURED IPS forwarders, IF I DO A TEST IN ABA MONITORING, AND APPEARS NORMAL
 
HAVE ALSO CREATED A REVERSE ZONE.
 
LAST PERSONAL NOT KNOW EXACTLY WHY THIS PROBLEM
 
IF SOMEONE CAN HELP.

Hello,

I have configured new GPO which redirects users Documents folder to new network share. This GPO is linked to OU2. There is existing Documents redirection GPO linked to OU1. Our workstations are W7 SP1, DCs are W2008R2.

During testing, I noticed W7 workstation not redirecting Documents to new network share and still pointing to old one. Application Log keeps displaying following error. Why? My test user can access the path. Thank you guys!!

\\SERVER02\Shares\Users\levytesti\Documents".

\\SERVER02\Shares\Users\levytesti\Documents" is offline".

Hi, Suspecting we have some issues with VSS like eating up most of the space on C Drive , so can you please let me know how can I fixed that. i know while restarting the VSS service this can be fixed but i am looking for in which we should not restart the any service or any thing , just a permanent fix.

This is happening on few of the servers, so while check the below URL I found that there is something to do with Reduce, or Change the Maximum Allocated Shadow Copy (System Restore) Space Size and when I checked on my servers I got the below but I do not know what exact space should I mentioned and what to set.

http://www.mydigitallife.info/how-to-change-and-limit-system-restore-storage-space-usage-size-in-vista-with-vssadmin/

As I mentioned that this is happening on other servers as well so do we have any script or some way through which I can fix for all there server of if manual intervention is required then what would be the best way to accomplish this .

C:\Users\Administrator>vssadmin List ShadowStorage

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

(C) Copyright 2001-2005 Microsoft Corp.

Shadow Copy Storage association

   For volume: (\\?\Volume{542c5846-2eca-11e2-9877-806e6f6e6963}\)\\?\Volume{542

c5846-2eca-11e2-9877-806e6f6e6963}\

   Shadow Copy Storage volume: (C:)\\?\Volume{542c5847-2eca-11e2-9877-806e6f6e69

63}\

   Used Shadow Copy Storage space: 4.031 MB (0%)

   Allocated Shadow Copy Storage space: 2.035 GB (2%)

   Maximum Shadow Copy Storage space: UNBOUNDED (100%)

Shadow Copy Storage association

   For volume: (C:)\\?\Volume{542c5847-2eca-11e2-9877-806e6f6e6963}\

   Shadow Copy Storage volume: (C:)\\?\Volume{542c5847-2eca-11e2-9877-806e6f6e69

63}\

   Used Shadow Copy Storage space: 3.514 GB (4%)

   Allocated Shadow Copy Storage space: 5.666 GB (7%)

   Maximum Shadow Copy Storage space: UNBOUNDED (100%)

Ray Pietrzak

Hello to all,

I would know if there is a risk exposure to give Rights (R/W) on the HK Classes Root Hive ?

In order to allow a user group  to launch/install XenAPP published applications, this is the only solution I can provide to my customer.

In advance thanks you.

Kévin KISOKA - MCITP Entreprise Messaging Administrator, MCTS Hyper-V Server Virtualization

Hello,

I've got a problem with a scheduled task. The task starts a cmd-script which calls rasdial to dial into a VPN. The task works like a charm whenever I start it manually. But if it starts by a trigger, it fails with 0x80070364. I couldn't find any information about that error code.

The triggers are system start and event with id 20226 (vpn connection closed - I use this to re-dial into the VPN).

Thank you very much for any help and information!

I was going to install DPM2012 on a Storage Server 2012 box. DPM kept saying could not install Dot Net 3.5 so I figured the installed 4.5 version was stopping it. After I uninstalled the 4.5 version I now have no way to get to the control panel or server manager to add it back. Any advice would be helpful.

Thanks

RSG

I have seen several posting related the same but never did see a solution so I thought I would try again.

I have windows 2008 r2 server installed and it has been running fine for roughly a year.  I did some windows updates one night then all of a sudden the Software protection service starts every 5 minutes and logs the following:

I have a setup with AD servers in one network and the clients behind a NAT firewall. Is this a supported configuration? I have read kb978772 and am looking to clarify the information.

In one paragraph it says

"The Microsoft statement regarding Active Directory over NAT is: Active Directory over NAT has not been tested by Microsoft. We do not recommend Active Directory over NAT. Support for issues related to Active Directory over NAT will be very limited and will reach the bounds of commercially reasonable efforts very quickly."

In a later paragraph the KB states

"The only configuration with NAT that was tested by Microsoft is running client on the private side of a NAT and have all servers located on the public side of the NAT. The NAT would also function as a DNS server."

I need to know if Microsoft supports the servers on a public side of the NAT and the clients on the private side of the NAT.

Hola,

Buenas Tardes,

Escribo este problema ya que me a traido muchos dolores de cabeza y es que me pasa lo siguiente:

Tengo un Servidor Windows 2008 Server 64 que es mi Domain Controller,

En Group Policy Management tengo una politica Default que es la que posee el fondo de pantalla oficial (Wallpaper)

Pero he creado una Unidad Organizacional a la cual le he creado y vinculado una nueva GPO con el nuevo Fondo (Especifico para su Dpto.)

El problema es que sigue heredado el fondo del Default siendo que tengo habilitada la opcion de BLOQUEA HERENCIA (Adjunto imagen)

He realizado GPUPDATE /FORCE pero siempre hereda, no funciona bloquear la herencia.....

Por favor les solicito de su ayuda,

Muchas Gracias!!!!!!!!!!!

-------------------------------------------------------

Hello,

Good afternoon,

I writethis problemas itbroughtme alot of headachesandI getthe following:

I havea Windows Server2008Server 64which is myDomainController,

InGroup Policy ManagementDefaultI havea policythatis the one withtheofficial wallpaper

But Icreated anOrganizationalUnitto whichI havecreatedand linkeda newGPOwiththe new Wallpaper(SpecificforDepartment)

The problem is thatisinheritedfrom theDefaultbackgroundbeingthatI haveenabledthe option toBLOCKINHERITANCE(Attachedimage)

I madeGPUPDATE/ FORCEbut alwaysinherited,block inheritancedoes not work.....

PleaseI askforyour help,

Thank You!!!!

Hey guys, first post with a new profile.

I've got a strange problem with a couple of servers that I've configured from scratch, I can't see why this has happened, and after ages searching the web, I can't find a solution. The server in question is a Server Enterprise 2008 R2, with IIS, DFSR, FSRM and related features installed. Here's the issue:

I've got 2 volumes, C for the OS, Boot, Pagefile, Crash dump and all things OS and D which is for storing web site data.

The problem is that when I try and install a new application on the server, the default location for any files that need to be stored / created is the root of the D drive. I've got FSRM configured not to allow executables on D, so any and every install fails. This also applies to windows updates.

How has this happened and how can it be rectified?

I've searched the registry and can't find any reference to D:\ other than unrelated things such as web root locations etc.

Any help on this would be much appreciated. Thanks

Dave

Hi There,
I have a windows 2003 server that is having some non paged pool memory issues.
The server is patched with all the latest Microsoft updates and I've run the latest IBM express update iso over the server to make sure all the drivers are up to date.

When the non paged pool hits less than 20MB free HTTP.sys starts rejecting HTTP connections to the server, which means users who connect to email via their mobile phones / active sync can no longer retrieve their emails.

I've read through all of the following articles and I've tracked down memory leaks before, but this one has me stumped.

Articles:
http://blogs.msdn.com/b/ntdebugging/archive/2012/07/31/troubleshooting-pool-leaks-part-1-perfmon.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2012/08/30/troubleshooting-pool-leaks-part-2-poolmon.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2012/08/31/troubleshooting-pool-leaks-part-3-debugging.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2012/09/28/troubleshooting-pool-leaks-part-4-debugging-multiple-users-for-a-tag.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2012/09/28/troubleshooting-pool-leaks-part-5-poolhittag.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2012/10/31/troubleshooting-pool-leaks-part-6-driver-verifier.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2012/11/30/troubleshooting-pool-leaks-part-7-windows-performance-toolkit.aspx

Poolmon.exe -b screen capture:

I have completed a full Live KD dump so I have a 4GB dump file that I can analyse.

Live Kernel Debugger Results from the server:

0: kd> !vm 1

*** Virtual Memory Usage ***
        Physical Memory:     1048341 (   4193364 Kb)
        Page File: \??\C:\pagefile.sys
          Current:   2095104 Kb  Free Space:   1379776 Kb
          Minimum:   2095104 Kb  Maximum:      4190208 Kb
        Page File: \??\E:\pagefile.sys
          Current:   4193364 Kb  Free Space:   3468912 Kb
          Minimum:   4193364 Kb  Maximum:     12580092 Kb
        Available Pages:       81311 (    325244 Kb)
        ResAvail Pages:       944919 (   3779676 Kb)
        Locked IO Pages:        7819 (     31276 Kb)
        Free System PTEs:     164100 (    656400 Kb)
        Free NP PTEs:           2005 (      8020 Kb)
        Free Special NP:           0 (         0 Kb)
        Modified Pages:           80 (       320 Kb)
        Modified PF Pages:        78 (       312 Kb)
        NonPagedPool Usage:    62765 (    251060 Kb)
        NonPagedPool Max:      65251 (    261004 Kb)
        ********** Excessive NonPaged Pool Usage *****
        PagedPool 0 Usage:     27488 (    109952 Kb)
        PagedPool 1 Usage:      3998 (     15992 Kb)
        PagedPool 2 Usage:      4004 (     16016 Kb)
        PagedPool 3 Usage:      3965 (     15860 Kb)
        PagedPool 4 Usage:      4006 (     16024 Kb)
        PagedPool Usage:       43461 (    173844 Kb)
        PagedPool Maximum:     90624 (    362496 Kb)

        ********** 4759 pool allocations have failed **********

        Shared Commit:         18376 (     73504 Kb)
        Special Pool:              0 (         0 Kb)
        Shared Process:        15755 (     63020 Kb)
        PagedPool Commit:      43408 (    173632 Kb)
        Driver Commit:         11384 (     45536 Kb)
        Committed pages:     1250504 (   5002016 Kb)
        Commit limit:        2577113 (  10308452 Kb)

0: kd> !poolused /t5 2
   Sorting by  NonPaged Pool Consumed

  Pool Used:
            NonPaged            Paged
 Tag    Allocs     Used               Allocs     Used
 Devi     435808 136278208         0        0    Device objects
 MmCm     1145   19269552         0        0    Calls made to MmAllocateContiguousMemory , Binary: nt!mm
 SNDc     21539   14981544         0        0    UNKNOWN pooltag 'SNDc', please update pooltag.txt
 Irp      13134        6385280         0        0    Io, IRP packets

If I go searching for the Tag "Devi" you get a massive list of drivers that contain the string.
Devi - Device Objects
How do I figure out what is the cause of my memory leak?

Kind Regards,
Philip Lakic

Guys,

Please HELP!!!!!!

I have spent the whole day doing all sort of stuff to get this server to get updates from WSUS or directly from Microsoft with no luck. Here is the log from the server. 

Hi,

I understand that the Windows Server Backup is a way of backing up Domain Controllers using the systemstatebackup,which prevents getting into USN rollback issue. However if a Windows Server (2008 R2) has been backed up (all fixed and non fixed drives) using some Software (this uses VSS snapshots to create backups) is there a way of restoring this Domain Controller position from the backups without getting into a USN rollback state? A non authorative restore would be fine.

Thanks in advance and please tell me if you require some more information.

Thanks