the-wabbit's questions

I want to run a Set-ACL on an AD DS object¹ with "Domain Admins" set as the owner in my constructed ACL object. The code looks basically like this²:

Function SetDSAcl {
       Param (
        [Microsoft.ActiveDirectory.Management.ADObject]$targetObject   # target object
    )

    $targetACL = Get-Acl "AD:\$($targetObject.DistinguishedName)"
    # [some voodoo to get the values for my new ACE]
    # Create a new AccessRule using the object constructor
    # $newAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule([...])

    # Add the generated ACE to target's ACL
    $targetAcl.AddAccessRule($newAce)

    # Persist the changed ACL to the object
    Set-ACL -AclObject $targetAcl "AD:\$($targetObject.DistinguishedName)"
}

But the Set-ACL call returns this error when the code is executed on a Server 2008 R2 DC (Powershell v5):

Set-ACL : This security ID may not be assigned as the owner of this object

or a more generic "Access denied" exception when using the same security principal to run it from a Server 2012 R2 management station (Powershell v4):

Set-ACL : Access is denied

I am not even changing the owner in this particular case, but apparently Set-ACL simply is rewriting the entire security descriptor.

"Modify permissions" and "Modify owner" have explicitly been set on the destination object and I am perfectly able to change the owner of this very object using the gpmc.msc GUI to anything I want on both the DC and the management station, so it is not an obvious permission issue. On the other hand, I also see that the code is working as soon as it is run by a user who is member of the Domain Admins group.

The account I am using is deliberately lacking the "Domain Admins" membership itself (it is a member of the "BUILTIN\Server Admins" group instead), yet needs to freely be able to set the owner of the object. I see that the MSDN article covering this error message is suggesting to "learn which users and groups you have the right to assign as owner", which is not helpful in my case.

So what am I doing wrong?

¹ a GPO in my case, but the type of object does not matter as much, I also have seen it happening for OUs, for instance.

² The Set-Acl -AclObject $targetAcl -Path "AD:\$($targetObject.DistinguishedName)" call looks like a hack and it indeed is. I cannot just pass -InputObject $targetObject to Set-ACL as InputObject expects an object type implementing the SetSecurityDescriptor method, which [Microsoft.ActiveDirectory.Management.ADObject] is not doing for some mysterious reason.

I have File Service cluster where one of the file server resources is hosting ~50,000 user home directories. The home directories do have a quota template assigned through the FSRM.

When trying to add a new share using the Failover Cluster Manager's "Add File Share" wizard, it starts by retrieving all quotas on all shared folders over all defined file server cluster resources. Which is taking ~10 minutes in this environment.

How could I either

• speed up the process of quota enumeration
• limit the quota enumeration process to just a single file server cluster resource
• disable the quota enumeration completely for the New Share Wizard

?

I need to retrieve the list of backups on a system's backup volume via script. The information I am after can be found in the WSB GUI after clicking "View details" of the "Destination usage" part in the "Scheduled Backup" section:

I know about the Get-WBBackupSet cmdlet, but this is only the list of backups WB knows it has done in the past, not necessarily what is present on the backup destination, which seems to be re-read dynamically each time I click "Refresh information":

How is Windows Server Backup gathering the destination information?

Rationale: I would like to set up monitoring for the backup runs performed by WB to make sure a sufficiently deep backup history is present. The list of backup sets returned by Get-WBBackupSet seems not always consistent with what's on disk, so I rather would not rely on this information for the monitoring check.

When installing the Volume Activation role on Windows Server 2012 R2 and activating it with a Server 2012 Std/Datacenter KMS host key, would I still need to install the older product versions' keys (Server 2008 - Server 2012) to get the Vista+ and Server 2008+ instances activated?

The same question goes for Office 2013 - will an Office Pro Plus 2013 key activate Office Pro Plus 2010 as well?

Our "old" Server 2008R2-based KMS server which is due to be phased out is listing a plethora of keys as the output of slmgr.vbs /dlv /all, most of them with License Status: Unlicensed, but I simply do not know if this means they are never ever used again.

I am doing a lot of work in higher education where it is a rather common requirement to reconfigure a number of Windows domain members (e.g. PCs in a classroom) for the duration of a specific course or event and have this configuration undone afterwards.

As most of the configuration changes we are requested to do can be done through Group Policy Objects and those changes automatically get reversed when the GPO is unlinked or deactivated at the OU level, this is a very comfortable route to take.

The only downside is that repeated manual linking and un-linking of GPOs on OUs needs a lot of reminders and IT staff on duty before the courses start and after they end - something the operations team cannot guarantee at all times.

Is there a way to specify a time frame for the validity of a specific GPO?

Is it safe to delete the old cumulative update directories from the %ProgramFiles%\Microsoft SQL Server\110\Setup Bootstrap\Update Cache folders?

At least this MSDN blog post tells to leave anything in place in this directory. Is there any reference or supportability statement anywhere telling that I could or must not do that?

Rationale: Due to the infamous "incremental service model" for SQL Server, the SP1 for SQL Server 2012 has so far seen 9 cumulative update releases. The Update Cache directory is growing with each CU install and in environments where each CU since SP1 has been installed, it is at 9 GB already. We have the prospect of adding another 3 GB for the next 3 CU releases before the next SP is out "later this year". Since the updates are "cumulative" I am trying to determine if it would be safe to delete all but the latest cumulative update directory from the Update Cache.

For a single server I probably would not bother, but the storage team members (who have not managed to implement storage-based deduplication yet) are crying frequently because of the growing storage requirements for SQL server instances and my office's carpet is soaking wet already.

I am trying to figure out how to allow a group of users to offer unsolicited remote assistance using msra /offerra to their fellow domain members.

I have created a policy enabling "Offer Remote Assistance" and filling the DOMAIN\RAHelpers user group into the "Helpers" list. I can see the DOMAIN\RAHelpers group turning up as a member in the local "Offer Remote Assistance Helpers" group of the targeted domain computers after the policy is applied. Yet, I am unable to set up a remote assistance connection with one of these users unless they are also a member of the local Administrators group of the to-be-assisted machine. The error message is rather unspecific ("Your offer to help could not be sent"), but I suspect a DCOM permission issue since RA seems to use DCOM and local administrators can connect for help just fine.

What minimal permission set would I need to allow for unsolicited remote assistance? I obviously do not want to promote all helpers to local administrators.

I have created a service account using the Add-ADComputerServiceAccount cmdlet and bound it to a computer account using Install-ADServiceAccount. When looking into the ACL of the created service account object, I noticed that the "Everyone" group has the "Change Password" permission assigned for this object, while "SELF" mysteriously has not:

This looks like a security problem and a denial-of-service attack vector. Why is this so? Does it have to stay this way?

I need a way to track and limit web sessions to a web app. A "session" is loosely defined as the single user browsing the pages of the said web app. I think it can be translated to:

• a session is defined as a tuple <clientIP,vHost> alternatively as <clientIP,serverIP,serverPort> or <cookie,vHost>, depending on the layer and the data available
• a session starts after the user has sent authentication data to a defined login URI
• a session ends after the user has hit the defined logout URI
• a session ends if a specified timeout has expired after the client has requested the last object

After the specified session limit has been reached, the next user should be directed to a custom error page. I also need a way to track the current number of sessions for monitoring purposes and the ability to whitelist the monitoring server (which is issuing queries to the webapp periodically) and exempt it from the limit.

What I can work with:

• RadWare AppDirector where the web application has an own farm defined and is running in reverse proxy mode
• Apache 2.2
• SLES 11 SP2

I would prefer not involving an additional proxy server, although would consider it if no other options remain.

The rationale behind all of this is that the aforementioned web app is easily overloaded and starts denying requests erratically, pissing off working users who (usually) lose form entry data in the process. By specifying a limit where an overload condition is less likely, we hope to create a well-defined failure condition where users would be told to return later if the load is likely to spike.

Edit: the web app is a 3-tier implementation with the first tier (presentation layer, implemented as CGI code in an Apache vHost) being rather simplistic and apparently limited to basic error handling and request load balancing among the application servers. It does not impose any significant load on the web servers it runs on - this is why we are running it in mere failover mode (no load balancing) in the AppDirector farm, which is supposed to somewhat simplify things.

Everything beyond this point is basically a black box to us - at the data tier we have an MSSQL database, but it is near impossible to get any meaningful information about the table structure from the vendor. The application servers are closed-source, the vendor has used a rather comprehensive framework for the implementation, but seems unable to answer even less complex operation-related questions.

I am profoundly annoyed by UAC and switch it off for my admin user wherever I can. Yet, there are situations where I can't - especially if those are machines not under my continuous administration.

In this case, I am always challenged with the task of traversing directories using my administrative user via the Windows Explorer where regular users do not have "read" permissions. The possible two approaches to this problem so far:

1. change the ACLs to the directory in question to include my user (Windows conveniently offers the Continue button in the "You don't currently have permissions to access this folder" dialog. This obviously sucks since more often than not I do not want to change ACLs but just look into the folder's contents

2. use an elevated cmd.exe prompt along with a bunch of command line utilities - this usually takes a lot of time when browsing through large and / or complex directory structures

What I would love to see would be a way to run Windows Explorer in elevated mode. I have yet to find out how to do so. But other suggestions solving this problem in an unobtrusive way without changing the entire system's configuration (and preferably without the need for downloading / installing anything) are very welcome, too.

I have seen this post with a suggestion for altering HKCR - interesting, but it changes the behavior for all users, which I am not allowed to do in most situations. Also, some folks have suggested using UNC paths to access the folders - unfortunately this does not work when accessing the same machine (i.e. \\localhost\c$\path) as the "Administrators" group membership is still stripped from the token and a re-authentication (and thus the creation of a new token) would not happen when accessing localhost.

I do have a domain where the default ACLs have been altered on all user and computer objects and the List Object Mode (Access Based Enumeration for directory objects) has been enabled. Most notably, the Everyone:Read permission has been removed from the list for most directory objects so users are unable to read "foreign" objects to comply with a privacy protection policy.

In this constellation, an application's client (based on the UniPaas Framework if this matters) is trying to read a specific user's group memberships and fails for an unknown reason. From the software manufacturer we got a simple test case where a net user %USERNAME% /domain is failing with an Error 5 - Access is denied in this infrastructure. The network protocols net use is using and the way how it is failing corresponds to what we are seeing when taking network traces of the application.

I am now somewhat as a loss as I do not know anything about the internals of the net user call (especially what API it is using to read the attributes and which permission the user has to have to get them). How do I start debugging this?

Edit: one thing I came up with was running Wireshark to record the network traffic induced by a net user %username% /domain call. Everything looks good up to the point where a SAMR OpenDomain call is issued for the BUILTIN domain (S-1-5-32) which returns STATUS_ACCESS_DENIED, after which all connections are torn down. See packets 33 and 34 in this pcap trace. This seems to be the reason for the Access denied response from net user, although I have no idea what is going wrong here.

On a Windows Server 2012 Remote Desktop Session Host with the Desktop Experience feature enabled and the desktop wallpaper disabled, users wish to configure own color schemes and define an own desktop background color. However, I seem unable to find an easy way to change the desktop color via the GUI.

I would expect the settings to reside under Appearance settings -> Colors -> Advanced Appearance Settings but those are unavailable in Windows 8 and Server 2012. Is there a replacement GUI dialog for this or do I have the ability to allow users to create their own design schemes containing the appropriate desktop background color?

Folks,

I am trying to craft a custom XML / Xpath filter to the Windows Event Log viewer to exclude the countless "SYSTEM" Logons from the security log's view. I have managed to get this far with the help of the Technet blog on XML filtering:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]] 
      and
      *[EventData[Data[@Name='TargetUserSid'] and  (Data!='S-1-5-18')]]
</Select>
  </Query>
</QueryList>

But against all expectations I still have events like this one (among others, of course) in the view:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2013-07-18T15:12:55.797049800Z" />
    <EventRecordID>199135861</EventRecordID>
    <Correlation />
    <Execution ProcessID="496" ThreadID="3028" />
    <Channel>Security</Channel>
    <Computer>SBS.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">SBS$</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="TargetLogonId">0x684af79a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">
    </Data>
    <Data Name="LogonGuid">{9D5E970C-928D-E3FD-8D96-09044670F33E}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">fe80::cc18:cb50:1710:c2a7</Data>
    <Data Name="IpPort">6413</Data>
  </EventData>
</Event>

I have trouble understanding why an event with the TargetUserSid attribute of S-1-5-18 has been included in the view while it should not be. It works in the other direction too - if I define the filter to be *[EventData[Data[@Name='TargetUserSid'] and (Data='S-1-5-18')]], I see events with a different TargetUserSid "slipping through".

Chosing a different (long) SID from a domain object seems to work as expected and gives me a view with the events having TargetUserSid set accordingly only.

I also tried filtering on other attributes like TargetUserName, but only to encounter similar problems.

Any hints on how to fix my query or working examples of similar cases greatly appreciated.

How do I find out which VM is responsible for the majority of the I/O I see with Hyper-V?

The situation: I do have Hyper-V hosts with a number of VMs (around 30 per host) where I occasionally see prolonged periods of high disk utilization. I would like to know which VM is causing this.

I tried using Process Explorer, but it reported all Hyper-V related I/O to be handled by the "System" process, so no help there:

It already would help to have a breakdown by files accessed. The full GUI install of Windows Server has the Resource Monitor which is providing this information. However, Resmon seems to be unavailable in Core and Hyper-V installations.

Since Remote Control (aka Session Shadowing) is gone for good in Server 2012 Remote Desktop Session hosts, I am looking for a replacement to support users in a cross-domain environment.

Since Remote Assistance is supposed to work for Remote Desktop Sessions as well, I tried leveraging that for support purposes by enabling unsolicited remote assistance for all Remote Desktop Session Hosts via Group Policy.

All seems to be working well except that the "expert" seems to be unable to actually excercise any mouse or keyboard control when the remote assistance session has been initiated from a Remote Desktop session itself. Mouse clicks and keyboard strokes from the "expert" session (Server 2012) seem to simply be ignored even after the assisted user has acknowledged the request for control.

I would like to see this working through RD sessions for the support staff due to a number of reasons:

• not every support agent would have the appropriate client system version to support users on a specific terminal server (e.g. an agent might have a Windows Vista or Windows 7 station and thus be unable to offer assistance to users on Server 2012 RDSHs)
• a support agent would not necessarily have a station which is a member of the specific destination domain (mainly due to the reason that more than a single domain's users are supported)

what am I missing?

I got used to tsconfig.msc and tsadmin.msc (aka Terminal Services Configuration / Terminal Services Administration MMC snapins) from the previous Windows versions and thus profoundly hate the new-style RDMS user interface which is intended as the replacement according to the documentation (Hyper-V as a requirement? Why would I ever need Hyper-V on a terminal server?!).

With Server 2012, they seem to be gone for good. Any way to get them back locally? Although remote connections from Server 2008 R2 machines seems to work using both consoles, I would prefer to have them run locally on the Server 2012 Remote Desktop role holders as well.

Now that Windows Server 2012 comes with de-duplication features for NTFS volumes I am having a hard time finding technical details about it. I can deduce from the TechNet documentation that the de-duplication action itself is an asynchronous process - not unlike how the SIS Groveler used to work - but there is virtually no detail about the implementation (algorithms used, resources needed, even the info on performance considerations is nothing but a bunch rule-of-thumb-style recommendations).

Insights and pointers are greatly appreciated, a comparison to Solaris' ZFS de-duplication efficiency for a set of scenarios would be wonderful.

How would I do a QoS setup where a certain low-priority data stream would get up to X Mbps of bandwidth, but only if the current total bandwidth (of all streams/classes) on this interface does not exceed X? At the same time, other data streams / classes must not be limited to X.

The use case is an ISP billing the traffic by calculating the bandwidth average over 5 minute intervals and billing the maximum. I would like to keep the maximum usage to a minimum (i.e. quench the bulk transfer during interface busy times) but get the data through during idle/low traffic times.

Looking at the frequently used classful schedulers CBQ, HTB and HSFC I cannot see a straightforward way to accomplish this.

On a Small Business Server 2011 installation a whole number of w3wp.exe processes appear to be using a disproportional lot of memory. The SBS out-of-the-box installations comes with a total of 7 sites and 20 ASP.NET application pools (Sharepoint, Exchange, WSUS and SBS-specific stuff like Remote Web Workplace).

The resulting dozen of w3wp.exe processes tends to consume more than 4 GB of the server's memory over time with the peak application pool being the one belonging to WSUS with around 800 MB in the working set. Manually recycling the application pools through the IIS MMC helps temporarily reduce the memory usage (the w3wp.exe processes shrink back to 10 MB, some of them regrowing quickly), but obviously is not something an admin wants to do all day. I was unable to find any recommendations on automatic recycling of the SBS-preinstalled application pools, so I am somewhat reluctant to "just do it" on production systems.

My research on the net on how to limit this only threw up a number of posts stating that w3wp memory consumption would not hurt but benefit performance as memory would be "freed when needed by other applications". The trouble is that it does not work out:

• for one, an SBS is a multi-role server, one of the roles (the major one) being CIFS network storage which immensely benefits from filesystem caching which again relies on memory being "free" as in "not used by other processes in any way" - ASP.NET application pools which are hardly ever seeing users and eating memory are counterproductive
• another thing is that I still have to see substantial decrease of the w3wp instances memory consumption upon memory shortage - what I see is a minor decrease by significantly less than 100 mb and excessive swapping instead - again hurting performance

I hardly ever administer IIS or ASP.NET apps, so any ideas on how to effectively trim the memory requirements for the application pools are welcome.

I've set up a Solaris Express 11 machine with some reasonably fast HDDs behind a RAID controller, set the device up as a zpool with compression enabled and added a mirrored log and 2 caching devices to it. The datasets are exposed as FC targets for use with ESX and I've populated it with some data to play around with. The L2ARC partially filled up (and for some reason not filling anymore), but I hardly see any use of it. zpool iostat -v shows that not much has been read from the cache in the past:

tank           222G  1.96T    189     84   994K  1.95M
  c7t0d0s0     222G  1.96T    189     82   994K  1.91M
  mirror      49.5M  5.51G      0      2      0  33.2K
    c8t2d0p1      -      -      0      2      0  33.3K
    c8t3d0p1      -      -      0      2      0  33.3K
cache             -      -      -      -      -      -
  c11d0p2     23.5G  60.4G      2      1  33.7K   113K
  c10d0p2     23.4G  60.4G      2      1  34.2K   113K

and the L2ARC-enabled arcstat.pl script shows 100% misses for L2ARC for the current workload:

./arcstat.pl -f read,hits,miss,hit%,l2read,l2hits,l2miss,l2hit%,arcsz,l2size 5
read  hits  miss  hit%  l2read  l2hits  l2miss  l2hit%  arcsz  l2size
[...]
 243   107   136    44     136       0     136       0   886M     39G
 282   144   137    51     137       0     137       0   886M     39G
 454   239   214    52     214       0     214       0   889M     39G
[...]

I first suspected it might be an impact of the recordsize being too large so that L2ARC recognizes everything as a streaming load, but the zpool contains nothing but zfs volumes (I've created them as "sparse" using zfs create -V 500G -s <datasetname>) which do not even have a recordset parameter to change.

I also have found many notions about L2ARC needing 200 Bytes of RAM per record for its metadata, but was so far unable to find out what L2ARC would consider a "record" with a volume dataset - a single sector of 512 Bytes? May it be suffering from RAM shortage for metadata and just so far be filled up with junk that is never read again?

Edit: Adding 8 GB of RAM on top of the 2 GB alredy installed worked out nicely - the additional RAM is happily used even in a 32-bit installation and the L2ARC now has grown and is getting hit:

    time  read  hit%  l2hit%  arcsz  l2size
21:43:38   340    97      13   6.4G     95G
21:43:48   185    97      18   6.4G     95G
21:43:58   655    91       2   6.4G     95G
21:44:08   432    98      16   6.4G     95G
21:44:18   778    92       9   6.4G     95G
21:44:28   910    99      19   6.4G     95G
21:44:38  4.6K    99      18   6.4G     95G

Thanks to ewwhite.