Thursday, May 31, 2012

Updating security group membership on a computer without rebooting by Klist

Normally, when the security group membership of a computer changes, the computer has to be restarted before the change takes effect. However, in a domain environment we can update the security group membership of a computer without rebooting by using "Klist".

What is "Klist"?

"Klist" is a tool that lists and purges service tickets and the ticket-granting ticket (TGT). By running "Klist" against the computer logon session, we can delete all the tickets of that session.

Remark: "Klist.exe" ships with Windows Server 2008, Windows Server 2008 R2 and Windows 7. To run "Klist.exe" on Windows Vista, Windows XP, Windows Server 2003 or Windows 2000, you have to install the Windows Server Resource Kit Tools.

Why does deleting the TGT update the security group membership even though the computer is not restarted?

Generally speaking, the existing TGT carries the security group membership as it was when the ticket was issued. If I delete the existing TGT on the computer, the computer obtains a new TGT, and the new TGT carries the latest security group membership.

When will the computer update the TGT?

By default, restarting the computer updates the TGT because the Key Distribution Center (KDC) issues a TGT when the computer logs on.

Goals
Update the security group membership without restarting the servers.

Test method
I will create a security group named "CA Servers" on the domain controller, create a new GPO whose "Security Filtering" is set to the "CA Servers" group, and add the servers to that group. I will then run "Klist" and "gpupdate" on the servers to test the result.

Lab environment
  • 1 domain controller running Windows Server 2008
  • 2 member servers running Windows Server 2008

Prerequisites
Two servers named CA01 and CA02 are in the "Servers" OU of the "pro.corp.contoso.com" domain; make sure both servers are powered on.
The domain controller is named DC02.

Lab
1. On DC02, log in as Domain Administrator.
2. Launch "Active Directory Users and Computers".
3. Create a group named "CA Servers" in "Servers" OU.


4. Launch "Group Policy Management Console".
5. Navigate to "Servers" OU.
6. Right-click "Servers" OU, select "Create a GPO in this domain, and Link it here".
7. Under "Name", type "CA Servers GPO", click "OK".
8. Next to "Security Filtering", remove "Authenticated Users".
9. Click "Add" to add "CA Servers" group.


10. Right-click "CA Servers GPO", select "Edit".
11. Expand "Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections".
12. On the right-pane, double-click "Allow users to connect remotely using Terminal Services".
13. Select "Disabled".


14. Click "OK".
15. Close "Group Policy Management Editor".
16. Close "Group Policy Management Console".
17. Back to "Active Directory Users and Computers".
18. Add "CA01" and "CA02" as the member of "CA Servers" group.


19. Click "OK".
20. Close "Active Directory Users and Computers".

Test result
1. On CA01, log in as Domain Administrator.
2. Launch "Command Prompt" with "Administrative privilege".
3. Perform "klist -li 0x3e7 tgt".


The "0x3e7" is the logon identifier (LUID) of the computer account's logon session. You can use "logonsessions.exe" from Sysinternals to find the logon session.


4. Perform "gpupdate /force" to update the group policy.
5. Perform "rsop.msc" to verify the group policy.


The "CA Servers GPO" does not apply to CA01 because the security group membership on CA01 has not been updated yet.

6. Close "Resultant Set of Policy".
7. Back to "Command Prompt", perform "klist -li 0x3e7 purge".


All tickets of the computer logon session have been deleted.

8. Perform "gpupdate /force" to update the group policy.
9. Perform "rsop.msc" to verify the group policy.


As a result, the GPO has been applied to CA01. This means CA01 received a new TGT which includes the latest security group membership.

10. Close "Resultant Set of Policy".
11. Perform "klist -li 0x3e7 tgt" to verify the TGT.


The TGT of CA01 was updated.

12. Go to CA02, log in as Domain Administrator.
13. Launch "Command Prompt" with "Administrative privilege".
14. Perform "gpupdate /force" to update the group policy.
15. Perform "rsop.msc" to verify the group policy.


16. Close "Resultant Set of Policy".
17. Restart CA02.
18. Perform "rsop.msc" to verify the group policy.


The GPO has been applied to CA02 because CA02 received a new TGT which includes the latest security group membership; in this case the restart obtained it.
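The steps of the test result above (check the computer's TGT, purge the computer logon session's tickets, refresh policy, verify) as one PowerShell script that also checks whether the new group is now listed for the computer. This is an added example, not code from the original post. It assumes an elevated PowerShell on the member server, that klist.exe, gpupdate.exe and gpresult.exe are on the path, and that the group name matches the "CA Servers" group created in the lab.

```powershell
# Added example, not part of the original post.
# Refresh the computer account's Kerberos tickets without a reboot and confirm
# that a group the computer was just added to is now visible to Group Policy.
# Assumptions: run elevated on the member server (CA01 in the post);
# 0x3e7 is the LUID of the computer (SYSTEM) logon session, as in the post.
param(
    [string]$GroupName = 'CA Servers'   # the group created in the lab
)

function Get-ComputerTgt {
    # Raw klist output for the computer logon session's TGT.
    & klist.exe -li 0x3e7 tgt 2>&1 | Out-String
}

function Test-ComputerGroupMembership {
    param([string]$Name)
    # "gpresult /r /scope computer" lists the security groups the computer
    # belonged to when its ticket was issued (section "The computer is a part
    # of the following security groups").
    $report = & gpresult.exe /r /scope computer 2>&1 | Out-String
    return ($report -match [regex]::Escape($Name))
}

Write-Host "TGT before purge:`n$(Get-ComputerTgt)"

if (Test-ComputerGroupMembership -Name $GroupName) {
    Write-Host "'$GroupName' is already listed for this computer; nothing to do."
    return
}

# Purge only the computer logon session's tickets; user sessions are untouched.
& klist.exe -li 0x3e7 purge | Out-Null

# The next policy refresh makes the computer authenticate again, so it obtains
# a fresh TGT from the KDC that carries the current group membership.
& gpupdate.exe /target:computer /force | Out-Null

Write-Host "TGT after refresh:`n$(Get-ComputerTgt)"

if (Test-ComputerGroupMembership -Name $GroupName) {
    Write-Host "'$GroupName' is now listed for this computer."
} else {
    Write-Warning "'$GroupName' is still not listed; check that the membership change has replicated to the DC the computer authenticates against."
}
```

The script only purges the computer logon session (LUID 0x3e7); a user's own group membership changes are not covered by this procedure, which is also what the post tests.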

Reference:
Updating a server's security group membership without rebooting

For more information:
Klist

LogonSessions

Kerberos Explained

Understanding Microsoft Kerberos PAC Validation

This posting is provided “AS IS” with no warranties, and confers no rights!

Saturday, May 26, 2012

An article for Active Directory Auditing on Windows Server 2008 R2

I would like to share a good article, "Who Moved the AD Cheese?", written by Michael Hildebrand [MSFT]. It explains how to enable detailed auditing for Active Directory in a Windows Server 2008 R2 domain environment. If you have time, please take a look.


Thursday, May 24, 2012

How to check unexpectedly shut down on Windows (Event ID 6008)

When the Windows system shuts down unexpectedly, Windows writes an event with ID 6008 to the System log. The event provides the date and time of the last unexpected shutdown.


To check the boot time of the system, run "systeminfo" at a "Command Prompt".
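The same two checks scripted, as an added example that is not part of the original post: list the Event ID 6008 entries from the System log and relate each one to the current boot time (the value "systeminfo" shows as "System Boot Time"). It assumes PowerShell 3.0 or later for Get-CimInstance; on older systems substitute Get-WmiObject Win32_OperatingSystem.

```powershell
# Added example, not part of the original post.
# Find unexpected-shutdown events (ID 6008) and flag the one, if any, that
# belongs to the current boot.

function Get-LastBootTime {
    # Same value that "systeminfo" reports as "System Boot Time".
    (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
}

function Get-UnexpectedShutdown {
    param([int]$MaxEvents = 10)
    # Event 6008 is logged at the boot that follows an unclean shutdown, so
    # TimeCreated is that boot; the message text carries the shutdown time.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6008 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Logged  = $_.TimeCreated
                Message = ($_.Message -split "`r?`n")[0].Trim()
            }
        }
}

$boot = Get-LastBootTime
Write-Host ("Current boot: {0:u}" -f $boot)

$events = Get-UnexpectedShutdown
if (-not $events) {
    Write-Host 'No Event ID 6008 found in the System log.'
    return
}

# An entry logged within a few minutes of the current boot means this boot
# itself followed an unexpected shutdown, not just one in the past.
$events | ForEach-Object {
    [pscustomobject]@{
        Logged      = $_.Logged
        CurrentBoot = ([math]::Abs(($_.Logged - $boot).TotalMinutes) -lt 5)
        Message     = $_.Message
    }
} | Format-Table -AutoSize
```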


I hope this information can help you to troubleshoot unexpected shutdown.


Wednesday, May 23, 2012

Remote Group Policy Update on Windows Server 2012

In Windows Server 2012, administrators can remotely refresh group policy settings on a group of remote computers from the Group Policy Management Console (GPMC). To refresh group policy remotely with GPMC, the computers need to be in an OU.

Goals
I will remotely refresh the group policy for a workstation and a user in "Contoso.com" and test the result.

Prerequisites
  • The server named "DC01" has the Active Directory Domain Services server role installed.
  • The server named "App01" runs "Windows Server 2012" and is in the "Servers" OU. The GPO named "Servers GPO" is linked to the "Servers" OU.



Steps
1. On a domain controller, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Expand "Forest: contoso.com > Domains > contoso.com > Servers".
4. Right-click "Servers GPO", select "Edit".
5. Expand "Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security - LDAP://<Name> > Inbound Rules".
6. Right-click "Inbound Rules", select "New Rule".


7. Select "Predefined", select "Remote Scheduled Tasks Management".


8. Click "Next" twice.
9. Select "Allow the connection".


10. Click "Finish".
11. Right-click "Inbound Rules", select "New Rule".
12. Select "Predefined", select "Windows Management Instrumentation (WMI)".


13. Click "Next" twice.
14. Select "Allow the connection", click "Finish".


15. Right-click "Windows Management Instrumentation (ASync-In)", select "Properties".
16. Select "Advanced" tab.
17. Clear "Private" and "Public" check boxes.


18. Click "OK".
19. Repeat steps 15-18 for the other rules.


If you don't configure the above firewall rules for the computers, remote "Group Policy Update" cannot succeed.

20. Close "Group Policy Management Editor".

Test result
1. On App01, log in as Domain Administrator.
2. Launch "Task Scheduler".
3. Expand "Task Scheduler Library > Microsoft > Windows > GroupPolicy".


4. Back to DC01, still in "Group Policy Management Console".
5. Right-click "Servers" OU, select "Group Policy Update".


6. On "Force Group Policy update" window, click "Yes".



It updates all the computers in the "Servers" OU.

7. Back to the "Task Scheduler" of "App01", right-click "GroupPolicy", select "Refresh".




The Group Policy scheduled tasks have been created by GPMC. They force a policy update for the computer and the currently logged-on user within 10 minutes. After the policy has been updated, the scheduled tasks are deleted automatically.


While the group policy is updating, a Command Prompt window is shown in the current user session.


Remark: "Remote Group Policy Update" supports Windows Vista, 7, 8, Windows Server 2008, 2008 R2 and Windows Server 2012.

If you would like to remotely update group policy on a single computer, you can use a PowerShell cmdlet instead.

Prerequisites
The server on which "Group Policy Management" is installed is joined to the domain.

1. On a domain controller, log in as Domain Administrator.
2. Launch "PowerShell" with "Run as Administrator".
3. Perform "Import-Module GroupPolicy".
4. Perform "Invoke-Gpupdate -Computer App01".


The Group Policy scheduled tasks have been created on App01. They force a policy update for the computer and the currently logged-on user within 10 minutes. After the policy has been updated, the scheduled tasks are deleted automatically.
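The GPMC and cmdlet procedures above, as an added PowerShell example that is not code from the original post: it enables the two predefined inbound rule groups the post configures (restricted to the Domain profile, matching clearing "Private" and "Public"), triggers the refresh for every computer in an OU, and lists the scheduled tasks GPMC creates so you can confirm the refresh was queued. It assumes Windows Server 2012 with the GroupPolicy, ActiveDirectory and NetSecurity modules available, an elevated session, and the OU distinguished name of the post's "Servers" OU in contoso.com.

```powershell
# Added example, not part of the original post.
# Assumptions: elevated PowerShell on Windows Server 2012; GroupPolicy and
# ActiveDirectory modules installed (RSAT); the OU DN matches the lab.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ouDn = 'OU=Servers,DC=contoso,DC=com'   # the post's "Servers" OU

function Enable-RemoteGpUpdateFirewall {
    # Local equivalent of steps 6-19, to run on a target computer rather than
    # through the GPO: allow the two predefined rule groups, Domain profile only.
    foreach ($group in 'Remote Scheduled Tasks Management',
                       'Windows Management Instrumentation (WMI)') {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
            Set-NetFirewallRule -Enabled True -Profile Domain -Action Allow
    }
}

function Invoke-OuGpUpdate {
    param(
        [string]$SearchBase,
        [int]$RandomDelayInMinutes = 10   # same spread GPMC uses
    )
    # Queue a forced computer-and-user refresh on every computer in the OU and
    # report which ones could not be reached (typically the firewall rules).
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        try {
            Invoke-GPUpdate -Computer $_.DNSHostName -Force `
                -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop
            [pscustomobject]@{ Computer = $_.Name; Scheduled = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Computer = $_.Name; Scheduled = $false; Error = $_.Exception.Message }
        }
    }
}

function Get-PendingGpUpdateTask {
    # Run on the target (e.g. App01) to see the tasks GPMC created under
    # Task Scheduler Library > Microsoft > Windows > GroupPolicy.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\GroupPolicy\' |
        Select-Object TaskName, State
}

Invoke-OuGpUpdate -SearchBase $ouDn | Format-Table -AutoSize
```

Run Enable-RemoteGpUpdateFirewall on a member computer only when you are not deploying the rules through the GPO as the post does; the two functions otherwise stand alone.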

Reference:
Group Policy Overview

How to configure and use "Group Policy Update" in Windows 8


Friday, May 18, 2012

Event ID 1085, Group Policy

Symptom
1. There is a warning event in "System" Event log.

Windows failed to apply the Deployed Printer Connections settings. Deployed Printer Connections settings might have its own log file. Please click on the "More information" link.

2. When you run "gpupdate", you get the same error:


3. After running "GPRESULT /H", you will find the following error message under "Component Status" in the HTML report.

Deployed Printer Connections failed due to the error listed below.

The RPC server is unavailable.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between <Date and Time>.


Cause
The "Print Spooler" service has been stopped.


Resolution
Make sure the "Print Spooler" service is running ("Service Status" shows "Started").
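The cause and resolution above as a check-and-fix script, added here as an example that is not part of the original post: it verifies the Print Spooler state, starts the service if it is stopped, reruns a computer policy refresh and reports whether any new 1085 warnings for Deployed Printer Connections were logged afterwards. It assumes an elevated session on the affected computer.

```powershell
# Added example, not part of the original post.
# Assumption: run elevated on the computer that logs Event ID 1085.

function Repair-PrintSpoolerForGp {
    # Deployed Printer Connections needs the spooler's RPC endpoint, so the
    # fix in the post is simply to get the service running again.
    $svc = Get-Service -Name Spooler
    if ($svc.Status -ne 'Running') {
        Set-Service -Name Spooler -StartupType Automatic
        Start-Service -Name Spooler
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    (Get-Service -Name Spooler).Status
}

function Get-DeployedPrinterGpWarning {
    param([datetime]$Since)
    # Event 1085 is logged by Group Policy in the System log for any failing
    # extension; keep only the Deployed Printer Connections ones.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1085; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Deployed Printer Connections' } |
        Select-Object TimeCreated, Message
}

$start = Get-Date
Write-Host "Print Spooler: $(Repair-PrintSpoolerForGp)"

& gpupdate.exe /target:computer /force | Out-Null

$warnings = Get-DeployedPrinterGpWarning -Since $start
if ($warnings) {
    Write-Warning 'Deployed Printer Connections still failing after the spooler check:'
    $warnings | Format-List
} else {
    Write-Host "No new Deployed Printer Connections warnings since $start."
}
```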

Thursday, May 17, 2012

Using "Stored User Names and Passwords"

"Stored User Names and Passwords" allows users to see which network logon credentials are stored on the computer. These include, but are not limited to, credentials used by Outlook, Internet Explorer and mapped network drives. "Stored User Names and Passwords" can also add, remove, edit, back up and restore the credentials.

Remark: Back up and Restore are supported on Windows Vista or later.

To launch "Stored User Names and Passwords", perform "rundll32.exe keymgr.dll,KRShowKeyMgr" in "Run".



1. To back up the credential, click "Back up".
2. Click "Browse", provide a file name for the backup file.


3. Click "Next".
4. Press "Ctrl + Alt + Delete".


5. Provide the password to protect the backup file.


6. Click "Next".
7. Click "Finish".

Then I try to restore the credential from the backup file.

8. Remove the credential.


9. Click "Restore".
10. Click "Browse", select the backup file.


11. Click "Next".
12. Press "Ctrl + Alt + Delete".
13. Enter the password of the backup file.


14. Click "Next".
15. Click "Finish".


As a result, the credential has been restored.
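A scripted way to see the same list the dialog shows, added here as an example that is not part of the original post: it parses "cmdkey /list" into objects so you can record which credentials are stored before a backup and confirm they are present again after a restore. The sample output in the block is constructed for the example, and the parser assumes the "Target:/Type:/User:" line layout cmdkey prints; verify it against your own build.

```powershell
# Added example, not part of the original post.
# Parse "cmdkey /list" output into objects for a before/after comparison.

function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entries = @()
    $cur = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        switch -Regex ($t) {
            '^Target:\s*(.+)$' {
                if ($cur) { $entries += $cur }
                $cur = [ordered]@{ Target = $Matches[1]; Type = ''; User = ''; Persistence = 'Unspecified' }
            }
            '^Type:\s*(.+)$'              { if ($cur) { $cur.Type = $Matches[1] } }
            '^User:\s*(.+)$'              { if ($cur) { $cur.User = $Matches[1] } }
            '^Local machine persistence$' { if ($cur) { $cur.Persistence = 'LocalMachine' } }
            '^Saved for this logon only$' { if ($cur) { $cur.Persistence = 'Session' } }
        }
    }
    if ($cur) { $entries += $cur }
    $entries | ForEach-Object { [pscustomobject]$_ }
}

function Get-StoredCredential {
    # Live query on the current user's store.
    ConvertFrom-CmdkeyList -Lines (& cmdkey.exe /list)
}

# Constructed sample, shaped like cmdkey /list output (not real credentials).
$sample = @'
Currently stored credentials:

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CONTOSO\alice
    Local machine persistence

    Target: LegacyGeneric:target=app01
    Type: Generic
    User: alice@contoso.com
'@ -split "`r?`n"

ConvertFrom-CmdkeyList -Lines $sample | Format-Table -AutoSize

# Typical use around the backup/restore in the post:
#   Get-StoredCredential | Export-Csv .\stored-before.csv -NoTypeInformation
#   ... back up, remove, restore ...
#   Compare-Object (Import-Csv .\stored-before.csv) (Get-StoredCredential) -Property Target, User
```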


Tuesday, May 15, 2012

Enable logging and tracing for Group Policy Preference

It's not easy to troubleshoot "Group Policy Preference" with "Event Viewer", "Rsop" and "Gpresult". To make troubleshooting easier, we can enable logging and tracing for "Group Policy Preference". By default, this setting is not enabled. Now, I would like to enable it.

Goals
Tracing the "Services Policy Processing" of "Group Policy Preference" on a workstation.

Prerequisites
The "Services" setting of "Group Policy Preference" under "Computer Configuration" has been applied to the workstation.


1. On a domain controller, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Navigate to the OU which contains the workstation, create a new GPO named "GPP tracing".


4. Right-click "GPP tracing", select "Edit".
5. Expand "Computer Configuration > Policies > Administrative Templates > System > Group Policy > Logging and tracing".


6. Double-click "Services Policy Processing".
7. Select "Enabled".
8. Next to "Tracing", select "On".

Remark: The default path of the log files is "%COMMONAPPDATA%\GroupPolicy\Preference\Trace\". For Windows XP and Windows Server 2003, "%COMMONAPPDATA%" expands to "%SYSTEMDRIVE%\Documents and settings\All Users\Application Data". The equivalent path for Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7 is "%SYSTEMDRIVE%\ProgramData" (this folder is hidden by default, but you can type the path manually in Windows Explorer).

Reference:
Enable Group Policy Preferences Debug Logging using the RSAT


9. Click "OK".

Now I can trace the Services processing of "Group Policy Preference" only. To trace another type of policy processing, you need to enable its setting in the GPO as well.

10. Close "Group Policy Management Editor".
11. Go to a workstation which is joined to the domain, log in as Domain Administrator.

Remark: The workstation I'm using runs Windows 7.

12. Perform "gpupdate".
13. Launch "Windows Explorer", navigate to "C:\ProgramData\GroupPolicy\Preference\Trace".


The computer log file has been generated.

14. Double-click "Computer.txt".


As a result, I can trace the result in the log file.
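A check to run on the workstation after step 12, added here as an example that is not part of the original post: it reports which preference extensions have logging and tracing policy applied and shows the newest lines of the trace file from the path in the remark above. It assumes the "Logging and tracing" policies write values named LogLevel, TraceLevel and TraceFilePathMachine under HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\<CSE GUID> (names taken from the Group Policy Preferences ADMX; confirm on your build), that extension names can be read from the Winlogon GPExtensions key, and PowerShell 3.0 or later for Get-Content -Tail.

```powershell
# Added example, not part of the original post.
# Assumptions: policy registry value names as in the GPP ADMX (LogLevel,
# TraceLevel, TraceFilePathMachine); run elevated on the workstation.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$cseRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$tracePath  = Join-Path $env:ProgramData 'GroupPolicy\Preference\Trace'   # %COMMONAPPDATA% on Vista+

function Get-GppTracingState {
    # One row per client-side extension GUID that has a logging/tracing policy.
    if (-not (Test-Path $policyRoot)) { return }
    Get-ChildItem -Path $policyRoot | ForEach-Object {
        $guid  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        # The extension's display name is the default value of its GPExtensions key.
        $cse = (Get-ItemProperty -Path (Join-Path $cseRoot $guid) -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Extension  = $cse
            Guid       = $guid
            LogLevel   = $props.LogLevel
            TraceLevel = $props.TraceLevel          # 2 = tracing on (per the ADMX, assumed)
            TraceFile  = $props.TraceFilePathMachine
        }
    }
}

function Get-GppTraceTail {
    param([string]$File = 'Computer.txt', [int]$Lines = 20)
    $f = Join-Path $tracePath $File
    if (Test-Path $f) {
        Get-Content -Path $f -Tail $Lines
    } else {
        Write-Warning "$f not found: run gpupdate first and check that the extension's tracing is enabled."
    }
}

Get-GppTracingState | Format-Table -AutoSize
Get-GppTraceTail
```

Only extensions enabled in the GPO appear in the table, which matches the post's remark that each policy processing type has to be enabled separately.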

Reference:
Tips for Troubleshooting Group Policy Preferences