In Windows (say Windows 10), I'd like to put in an address, and then the relevant line from the routing table is shown (if any). So, pretend you are pinging an address and the computer processes the routing table and figures out which route to use. It would also be nice for the program to show which of the various network adapters/interfaces it would use. That way, if I suspect there is a routing issue, I can quickly figure out if there is a route and if so, is that the route I would expect. With modern configurations having like 80 lines in the routing table and multiple physical adapters as well as VPN adapters and such, there can be a lot to look through to figure out what's happening.
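As an added example (not part of the original post), the lookup described above can be done from PowerShell with Find-NetRoute from the NetTCPIP module (Windows 8/Server 2012 and later), which performs the stack's own route selection for a destination and reports both the route and the interface it would use; the destination addresses are constructed samples.

```powershell
# Added example, not from the original post: ask the Windows stack which route and
# interface it would select for a destination, using Find-NetRoute (NetTCPIP module).
# The destination addresses at the bottom are constructed samples.
function Get-RouteDecision {
    param([Parameter(Mandatory)][string]$Destination)

    try {
        # Find-NetRoute applies the same selection the stack uses (longest prefix match,
        # then lowest route + interface metric) and returns two objects: the source
        # NetIPAddress it would bind and the NetRoute it would follow.
        $result = Find-NetRoute -RemoteIPAddress $Destination -ErrorAction Stop
    } catch {
        Write-Warning "No usable route to $Destination : $($_.Exception.Message)"
        return
    }
    $route  = $result | Where-Object { $_.PSObject.Properties['DestinationPrefix'] } | Select-Object -First 1
    $source = $result | Where-Object { $_.PSObject.Properties['PrefixOrigin'] }     | Select-Object -First 1

    # Loopback and some virtual interfaces have no NetAdapter object, so tolerate a miss.
    $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Destination       = $Destination
        DestinationPrefix = $route.DestinationPrefix   # 0.0.0.0/0 means the default route won
        NextHop           = $route.NextHop             # 0.0.0.0 means the destination is on-link
        RouteMetric       = $route.RouteMetric
        InterfaceMetric   = $route.InterfaceMetric
        SourceAddress     = $source.IPAddress
        InterfaceIndex    = $route.InterfaceIndex
        InterfaceAlias    = $route.InterfaceAlias
        Adapter           = $adapter.InterfaceDescription
        AdapterStatus     = $adapter.Status
    }
}

# Usage: compare a few destinations (constructed sample addresses) side by side.
'10.0.0.5', '8.8.8.8' | ForEach-Object { Get-RouteDecision $_ } | Format-List
```

When a VPN or second adapter is suspected of hijacking traffic, the DestinationPrefix and InterfaceAlias columns show directly whether a more specific prefix or a lower interface metric is what won the selection.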
Roman's questions
When I click the PowerShell icon, it comes up with a blue background and a certain look. If I run PowerShell from a batch file, it comes up with a black background that looks like cmd.exe. Is there a way to run PowerShell from a batch file such that it looks normal rather than like cmd? I got really close by using start at the beginning. So the batch file is: start powershell -noexit -command "cd 'C:\Myscripts\start path'" But that creates a PowerShell window that is larger with larger font. It just looks stretched out. I just want to double-click on an icon and get a totally normal looking PowerShell window that ran the specified command when launched.
How can I add "NT SERVICE\ALL SERVICES" back to the "Log on as a service" permission? By default it is the only thing in "Log on as a service". It can be removed, but not added back with the local group policy editor. I have an image created by someone else with different stuff in that permission and not having NT SERVICE\ALL SERVICES appears to be creating trouble for an application installer. This is Windows Server 2019.
I am trying to run a scheduled task with a user account that only has "domain users" group membership. I can also run the PowerShell ISE as this alternate user to simulate this. I am getting the same error. If I run any Active Directory PowerShell command like get-aduser or Get-ADDomainController, I get the error: "Either the target name is incorrect or the server has rejected the client credentials." If I specify the argument -server aDomainController.MyDomain.com, then it works. Specifying -server MyDomain.com also does not work. The machine I'm running the command from, my account, and the alternate account are all in the same domain.
Can anyone explain to me what is happening here? Or, how can I make this work? I don't want to specify a domain controller because I want to keep the script generic and also not assume the availability of a particular domain controller. Usually, the Windows authentication process takes care of domain controller selection for us. I don't want to have to build domain controller discovery into my script just so that I can run it with a read-only account instead of a domain admin.
- There is no firewall involved.
- I'm running Windows Server 2019 on my machine, 2012 R2 on the domain controllers.
Edit: this also happens with a domain admin. So, apparently anything other than my logged on account. So, a scheduled task isn't possible if it queries Active Directory? Now, I'm thinking some policy setting is breaking this.
The VMware Remote Console is not resizing the virtual machine to fit the window, even though I have that setting set. Does anyone have any suggestions to make this work?
- VMware Remote Console version 12
- vCenter 6.5
- VM version 10
- VMware Tools is of course installed: v.10.0.9
- launched from Chrome
- guest OS that is having a problem: Windows Server 2019
I'm trying to install a subordinate CA with Microsoft ADCS and when I do, it creates a .req file. Then I use that at the root CA to issue a certificate. The resulting certificate is always for 5 years. I want it to be 10. I have tried setting ValidityPeriod=Years and ValidityPeriodUnits=10 in the CAPolicy.inf file on the subordinate CA. And I have tried various other things, but nothing seems to make any difference. The installation command I'm using is:
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "IssuingCA" -KeyLength 2048 -HashAlgorithm SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"
I uninstalled and tried to reinstall with -ValidityPeriod years -ValidityPeriodUnits 10 in the command, but got an error: Install-AdcsCertificationAuthority : Property cannot be modified in current state of object. Current CA Type does not allow this property to be modified. Two or more parameter values specified for a resource's properties are in conflict. 0x80071709 (WIN32: 5897 ERROR_CLUSTER_PARAMETER_MISMATCH)
Does anyone else know how to do this?
I have followed the Microsoft test lab instructions for setting up a two-tier CA hierarchy. I have the Certificate Enrollment Policy Web Service (CEP) installed on the same machine as the issuing Certificate Authority (CA). And the Certificate Enrollment Web Service (CES) installed on a separate machine. All three of those in the same domain: a.local.
I have serverB1 in another domain b.local which has received a server certificate. The instructions told me to simulate a certificate renewal by running the following two commands.
1. certutil -f -policyserver * -policycache delete
Output:
Cache Directory: C:\ProgramData\Microsoft\Windows\X509Enrollment
Name: SSL-TLS Server Certificates (Default)
Id: {B85DA5F6-850F-4C44-A80C-F60747D4DD77}
Url: https://IssuingCA.a.local/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP
Cache file exists: 48b23e1bb48a2bf09ce15b2526ef67eb32fe1251
1662 (5730) Bytes
Url: https://IssuingCA.a.local/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP
LastUpdate 2/18/2022 4:36 PM
Deleting cache entry!
Orphaned Cache file:
Cache file exists: 83b7376cb9815a475c54a66bd64eb8bfd31d6005
1662 (5730) Bytes
Url: https://IssuingCA.a.local/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
LastUpdate 2/18/2022 1:38 PM
Deleting cache entry!
CertUtil: -PolicyCache command completed successfully.
2. certreq -machine -q -enroll -cert <thumbprint> renew
(with the correct thumbprint substituted, of course). Output:
https://ces1.a.local/IssuingCA_CES_Certificate/service.svc/CES
The certificate request could not be submitted to the certification authority.
Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
Certificate Request Processor: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
The Application Pool on CES is delegated to a user a\ces. The CEP was just using the default application pool identity. I tried also changing that to a\ces (and creating the corresponding SPN), but that didn't make any difference. I'm changing that back. Any ideas what is going wrong here? I'm very new to all of this. Just following instructions.
source: SQL Server 10.50.x
destination: SQL Server 11.x (Not SQL Express. It was installed with en_sql_server_2012_standard_edition_with_service_pack_4_x64_dvd_100075944.iso)
I'm afraid I don't know much about modern MS SQL Server. I am trying to migrate from one machine to another and it looks like I need to import the maintenance plan. I found instructions that said to use SQL Server Management Studio to connect to Integration Services and export. I was able to do that from the source server, but on the intended destination server, the connect dialog box has "server type" grayed out. I installed the latest version of SSMS (18) and I was able to get the Integration Services option, but it gave an error "Class Not Registered".
Does anyone know how I can make this happen so that I can import those maintenance plans?
Edit: I just tried to manually create a maintenance plan and got this; so, maybe I need to start over and figure out how to install SQL Server. Something seems very wrong.
When I remote into a server, I get a message and have to click OK before the desktop will load. If I don't click OK after a few minutes, the remote desktop session goes away and I have to go through the connection process again. Is there a way to increase the timeout on that to more like an hour? The message is from the Group Policy setting "Interactive logon: Message text for users attempting to log on". The OS is any version of Windows connecting to Windows Server (2008R2/2012R2/2016). I am using mRemoteNG as the remote desktop client, but I think it is the same regardless of client. So, I'm guessing the timeout is on the server side.
I have a Windows Server 2008 R2 server we'll call server1. It is in domain A. Another machine, server2, is in domain B. If I try to do an nslookup on server1 with just the host name server2, as you'd expect, the lookup fails because the lookup appends the wrong DNS suffix. Server2 is also not in the hosts file. NetBIOS is also disabled; so, I assume that no NetBIOS name resolution is happening. I even checked ipconfig /displaydns to make sure that it wasn't cached in there, but it shows as "Name does not exist."
But, I can ping server2 and it works. It resolves the name to an IP. So, any idea how this name is being resolved to an IP?
Could someone explain WSUS version compatibility? Specifically, if I have Windows Server 2016 and Windows 10, what is the oldest version of WSUS that can update these? I don't need to upgrade the OS, just install patches/hotfixes.
I have WinRM enabled on a remote server and from a member of that server's domain, I am able to run PowerShell commands using PSSession. However, from a client in another domain, I get "Connecting to remote server ... failed with the following error message : The connection to the specified remote host was refused. + CategoryInfo : OpenError: (server FQDN:String) [], PSRemotingTransportException"
I did put the remote server into my client's TrustedHosts list. Here's an example command:
icm -comp ServerFQDN {dir} -cred domainShortName\MyUserID
Can anyone tell me what I need to do to make this work?
I want to uncheck "register this connection's addresses in DNS" on my domain controller (for reasons) to prevent it from doing that. Will that prevent Active Directory entries from being created? Also, eventually we might need to disable dynamic DNS. Would that prevent those entries from being automatically created? I know how to export an entire zone with dnscmd and import a zone. But, what about just creating the Active Directory DNS entries with either the above mentioned check box unchecked and/or DDNS being disabled? Is there a command that will recreate the AD entries if necessary for some reason?
Microsoft puts out different versions of rollups/patches monthly via WSUS. One really bizarre one is "Preview of quality rollup for .Net framework". Preview? WTF does that mean? It appears to be an installable patch bundle like the others, but its name has preview. How could I preview an installation by installing it? So, there is also "security only update for .Net framework" and I think there's a "security and quality rollup for .Net framework". So, there's "security and quality rollup", "security only update", and "preview of quality rollup". Microsoft couldn't make this any more confusing. And even though some appear to be a subset of others, I can select to install all of them. What happens if I do? I clicked the "more information" thing and it says nothing to describe what this means. I Googled and found nothing. Can anyone explain (particularly "preview" WTF!?) or point me to a good article? Thanks!!!
I have a user object from Active Directory that has properties like distinguished name. I can easily get the domain portion from that, like dc=somedomain,dc=com. If it were the local domain, I could use PowerShell: (get-addomain -Identity "dc=mydomain,dc=com").netbiosname to get the short name. But for this external trusted domain, that doesn't work because it just searches within the local domain. Does anyone know of another way to use PowerShell to get the short name for the domain of an arbitrary AD user/group?
A Nessus plugin 44676 audit scan revealed this issue: "SMB Insecurely Configured Service"
Description
At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.
An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.
Solution
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.
See Also
http://support.microsoft.com/kb/914392
http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
Output
The following service has insecure permissions for Everyone:
Task Scheduler (Schedule) : DC, WD, WO
I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before.
Does anyone know how to make this work or another remediation for this finding?
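As an added example (not part of the original post), the following PowerShell function parses a service security descriptor in the SDDL form that sc sdshow prints and reports any DACL entry that grants the Everyone group the rights Nessus plugin 44676 flags (DC, WD, WO), so the finding can be re-checked after every sdset or reboot without reading the string by hand; the sample SDDL is constructed, not copied from a real machine.

```powershell
# Added example, not from the original post: check a service SDDL (as printed by
# "sc sdshow <service>") for DACL entries granting Everyone (WD / S-1-1-0) the rights
# Nessus 44676 flags: DC = change config, WD = write DAC, WO = write owner.
# $SampleSddl is a constructed sample; its SACL entry must NOT be reported as a grant.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)' +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

function Test-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)

    # Rights that let a principal reconfigure the service or rewrite its ACL/owner;
    # generic all/write (GA/GW) cover the same bits, so they count too.
    $flagged  = 'DC', 'WD', 'WO', 'GA', 'GW'
    $everyone = 'WD', 'S-1-1-0'

    # Keep only the DACL ("D:" up to the optional SACL "S:("); audit ACEs use the
    # same syntax and would otherwise look like grants.
    $dacl = ($Sddl -split 'S:\(')[0]
    $i = $dacl.IndexOf('D:')
    if ($i -lt 0) { Write-Warning 'No DACL in descriptor'; return }
    $dacl = $dacl.Substring($i)

    $acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<trustee>[^)]*)\)'
    foreach ($m in [regex]::Matches($dacl, $acePattern)) {
        if ($m.Groups['type'].Value -ne 'A') { continue }   # only access-allowed ACEs grant
        $trustee = $m.Groups['trustee'].Value
        if ($everyone -notcontains $trustee) { continue }

        $rightsText = $m.Groups['rights'].Value
        if ($rightsText -like '0x*') {
            # Numeric mask form: SERVICE_CHANGE_CONFIG 0x2, WRITE_DAC 0x40000,
            # WRITE_OWNER 0x80000, GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000
            $mask = [convert]::ToInt64($rightsText.Substring(2), 16)
            $bits = @{ DC = 0x2; WD = 0x40000; WO = 0x80000; GA = 0x10000000; GW = 0x40000000 }
            $rights = $bits.Keys | Where-Object { $mask -band $bits[$_] }
        } else {
            # Text form is a run of two-letter right codes, e.g. CCDCLCSW...
            $rights = [regex]::Matches($rightsText, '..') | ForEach-Object { $_.Value }
        }

        $hit = @($rights | Where-Object { $flagged -contains $_ })
        [pscustomobject]@{
            Trustee       = $trustee
            GrantedRights = ($rights -join ' ')
            Insecure      = ($hit.Count -gt 0)
            FlaggedRights = ($hit -join ' ')
        }
    }
}

# Constructed sample; on a live host use: Test-ServiceSddl ((sc.exe sdshow Schedule) -join '')
Test-ServiceSddl $SampleSddl | Format-Table -AutoSize
```

Running the check again after the reboot that reverted the descriptor shows exactly which Everyone ACE came back, which is the evidence to compare against whatever policy or product manages that service's permissions.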
I have an external trust with my Active Directory domain. I want to validate the trust from a command so that I can do it remotely and don't have to open Remote Desktop and navigate to the AD Domains and Trusts console. I have read that netdom trust TrustingDomainName /d:TrustedDomainName /verify should work, but it does not. Whether locally or via psexec, I get "The command failed to complete successfully." with an error code of 5.
Anyone know a command that does work?