Archive for Windows Server 2008

I recently blogged about time and how critical it is in a domain environment.  Just this morning I read a post from the Directory Services Team that shows how to configure WMI filtering through Group Policy to ensure that the PDC Emulator always has the right time configuration.  You need to read through this post and really consider implementing a similar policy in your environment.

The only portion that is missing from that post is the location of the W32Time settings in Group Policy.  The policy you will be configuring is located under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client


After you enable it you will want to change the default setting from NT5DS (which means find and sync with the PDCe) to NTP.  This is because we are configuring this for our PDCe which should be pointing to a reliable time source (internal or external).  You will also configure the location to that reliable source in the NTPServer dialog box.

I haven’t seen a great tip like this in some time.  This is one of those great little finds and I hope you enjoy it.

Quite a few people have asked recently about services in Server Core.  They want to know what’s running and what’s not.  Below you will find a listing intended to help those who need to know the status of services on Server Core.  It is sorted by service name.

Another useful item to note on Server Core (or the command prompt on a full server) is that you can still use the SC command.  In particular you should run sc query; this useful little command will tell you which services are running.  If you want to view the ones that are not running, run sc query state= inactive (note the space after the equals sign, which sc requires).  There is a bunch of stuff you can do with the SC command and you should really check out the help. 

A great tip for using commands is to append | more to the end of the command.  This displays the output one page at a time.

| Service Name | Display Name | Startup Mode | Account |
| --- | --- | --- | --- |
| AeLookupSvc | Application Experience | Auto | LocalSystem |
| AppMgmt | Application Management | Manual | LocalSystem |
| BFE | Base Filtering Engine | Auto | LocalService |
| BITS | Background Intelligent Transfer Service | Auto | LocalSystem |
| Browser | Computer Browser | Manual | LocalSystem |
| CertPropSvc | Certificate Propagation | Manual | LocalSystem |
| COMSysApp | COM+ System Application | Manual | LocalSystem |
| CryptSvc | Cryptographic Services | Auto | NetworkService |
| DcomLaunch | DCOM Server Process Launcher | Auto | LocalSystem |
| Dhcp | DHCP Client | Auto | LocalService |
| Dnscache | DNS Client | Auto | NetworkService |
| DPS | Diagnostic Policy Service | Auto | LocalService |
| Eventlog | Windows Event Log | Auto | LocalService |
| EventSystem | COM+ Event System | Auto | LocalService |
| FCRegSvc | Microsoft Fibre Channel Platform Registration Service | Manual | LocalService |
| gpsvc | Group Policy Client | Auto | LocalSystem |
| hidserv | Human Interface Device Access | Manual | LocalSystem |
| hkmsvc | Health Key and Certificate Management | Manual | LocalSystem |
| IKEEXT | IKE and AuthIP IPsec Keying Modules | Auto | LocalSystem |
| iphlpsvc | IP Helper | Auto | LocalSystem |
| KeyIso | CNG Key Isolation | Manual | LocalSystem |
| KtmRm | KtmRm for Distributed Transaction Coordinator | Auto | NetworkService |
| LanmanServer | Server | Auto | LocalSystem |
| LanmanWorkstation | Workstation | Auto | LocalService |
| lltdsvc | Link-Layer Topology Discovery Mapper | Manual | LocalService |
| lmhosts | TCP/IP NetBIOS Helper | Auto | LocalService |
| MpsSvc | Windows Firewall | Auto | LocalService |
| MSDTC | Distributed Transaction Coordinator | Auto | NetworkService |
| MSiSCSI | Microsoft iSCSI Initiator Service | Manual | LocalSystem |
| msiserver | Windows Installer | Manual | LocalSystem |
| napagent | Network Access Protection Agent | Manual | NetworkService |
| Netlogon | Netlogon | Manual | LocalSystem |
| netprofm | Network List Service | Auto | LocalService |
| NlaSvc | Network Location Awareness | Auto | NetworkService |
| nsi | Network Store Interface Service | Auto | LocalService |
| pla | Performance Logs & Alerts | Manual | LocalService |
| PlugPlay | Plug and Play | Auto | LocalSystem |
| PolicyAgent | IPsec Policy Agent | Auto | NetworkService |
| ProfSvc | User Profile Service | Auto | LocalSystem |
| ProtectedStorage | Protected Storage | Manual | LocalSystem |
| RemoteRegistry | Remote Registry | Auto | LocalService |
| RpcSs | Remote Procedure Call (RPC) | Auto | NetworkService |
| RSoPProv | Resultant Set of Policy Provider | Manual | LocalSystem |
| sacsvr | Special Administration Console Helper | Manual | LocalSystem |
| SamSs | Security Accounts Manager | Auto | LocalSystem |
| SCardSvr | Smart Card | Manual | LocalService |
| Schedule | Task Scheduler | Auto | LocalSystem |
| SCPolicySvc | Smart Card Removal Policy | Manual | LocalSystem |
| seclogon | Secondary Logon | Auto | LocalSystem |
| SENS | System Event Notification Service | Auto | LocalSystem |
| SessionEnv | Terminal Services Configuration | Manual | LocalSystem |
| slsvc | Software Licensing | Auto | NetworkService |
| SNMPTRAP | SNMP Trap | Manual | LocalService |
| swprv | Microsoft Software Shadow Copy Provider | Manual | LocalSystem |
| TBS | TPM Base Services | Manual | LocalService |
| TermService | Terminal Services | Auto | NetworkService |
| TrustedInstaller | Windows Modules Installer | Auto | LocalSystem |
| UmRdpService | Terminal Services UserMode Port Redirector | Manual | LocalSystem |
| vds | Virtual Disk | Manual | LocalSystem |
| VSS | Volume Shadow Copy | Manual | LocalSystem |
| W32Time | Windows Time | Auto | LocalService |
| WcsPlugInService | Windows Color System | Manual | LocalService |
| WdiServiceHost | Diagnostic Service Host | Manual | LocalService |
| WdiSystemHost | Diagnostic System Host | Manual | LocalSystem |
| Wecsvc | Windows Event Collector | Manual | NetworkService |
| WinHttpAutoProxySvc | WinHTTP Web Proxy Auto-Discovery Service | Auto | LocalService |
| Winmgmt | Windows Management Instrumentation | Auto | LocalSystem |
| WinRM | Windows Remote Management (WS-Management) | Auto | NetworkService |
| wmiApSrv | WMI Performance Adapter | Manual | LocalSystem |
| wuauserv | Windows Update | Auto | LocalSystem |
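
As an added example (not code from the original post), here is a Python script that parses saved `sc query state= all` output and compares it with the listing above, flagging services that are not in the baseline at all and Auto services that are not running.  The sample output and the ExampleSvc service are constructed, and only a subset of the table is embedded as the baseline.

```python
import re

# Constructed sample of `sc query state= all` output (not captured from a real
# host), in the layout sc.exe prints. ExampleSvc is a made-up service name.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: MpsSvc
DISPLAY_NAME: Windows Firewall
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: ExampleSvc
DISPLAY_NAME: Example Agent
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Expected startup mode per service, copied from the listing above. Only a
# subset is shown here; fill in the full table before running this on a server.
BASELINE = {
    "Eventlog": "Auto",
    "MpsSvc": "Auto",
    "Netlogon": "Manual",
    "RemoteRegistry": "Auto",
    "RpcSs": "Auto",
    "SamSs": "Auto",
    "TermService": "Auto",
    "W32Time": "Auto",
    "Winmgmt": "Auto",
    "wuauserv": "Auto",
}

NAME_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)")
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)")


def parse_sc_query(text):
    """Return {service_name: state} from `sc query` output.

    `sc query` alone lists only active services; use `sc query state= all`
    so that stopped services are included in the comparison.
    """
    services = {}
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            services[current] = m.group(1)
            current = None
    return services


def audit_services(services, baseline=BASELINE):
    """Compare parsed service states with the baseline.

    Returns a sorted list of (finding, service, state) tuples:
      unknown           - a service that is not in the baseline at all
      auto-not-running  - an Auto service that is not RUNNING
    """
    findings = []
    for name, state in services.items():
        if name not in baseline:
            findings.append(("unknown", name, state))
        elif baseline[name] == "Auto" and state != "RUNNING":
            findings.append(("auto-not-running", name, state))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_services(parse_sc_query(SAMPLE_SC_QUERY)):
        print("%-18s %-16s %s" % finding)
```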
Filed Under (Hyper-V, Windows Server 2008) by on 28-10-2008

I was playing around with Microsoft’s Hyper-V today and ran into some problems managing the service remotely.  I set my server up and wanted to connect via RSAT from my Vista box but was not able to connect to my server because of permissions.  No biggie there, actually I didn’t expect I would just be able to connect to the server and manage Hyper-V.  I did think that after installing Hyper-V that there would be some groups created to help manage Hyper-V…needless to say I was wrong.

Thankfully I found a great series of posts on delegating access to VM and Hyper-V and thought it would be great to share them here with you.

Delegation Model in Hyper-V – Part 1
Delegation Model in Hyper-V – Part 2
Delegation Model in Hyper-V – Part 3
Delegation Model in Hyper-V – Part 4
Delegation Model in Hyper-V – Part 5
Delegation Model in Hyper-V – Part 6

Basically Hyper-V uses Authorization Manager to delegate what you can do within it.  If you haven’t used AzMan don’t be scared, the posts walk you through several scenarios. 

And for those of you that are interested in the HW aspect of my project…This is simply a development server that I’m using to test some things.  It is an HP DL360 G5 with a single quad-core Xeon (only 2 GHz) with 16 GB of RAM.  All my VMs will be hosted locally (not sure on the number yet).  I’m trying to set up an environment that people can use to practice Server 2008.  I don’t think the CPU is going to be that much of a limiter since there won’t be a ton of people on at the same time doing processor-intensive operations. 

My daughter Alyssa and I play a game…well she might not consider it a game but she is constantly asking me “What time is it without looking?”.  I’ve actually gotten pretty good at it and can usually get within a few minutes.  Not sure why she likes to play, perhaps time is something they recently talked about at school, but she seems obsessed with it.  I keep telling her that at 6 she really shouldn’t worry too much about time.

Although time may not be important for my daughter, it is immensely important for Active Directory.  Most AD admins know that domain controllers and clients need to be within 5 minutes of each other to work correctly.  If your time were out by 5 or more minutes the client would not be able to authenticate.  What most AD admins might not know is that time doesn’t just affect AD, it can also affect certain time-sensitive applications.   I don’t know of any out-of-the-box ones from Microsoft, but organizations have plenty of custom-built apps that may depend on synchronized time.  I’ve seen custom applications that need to be accurate to within less than a second.

Let’s take a look at how time synchronization works in an Active Directory forest.  The magic all starts in the root domain (I always wanted to use that in my blog).  The PDC Emulator (PDCe) is solely responsible for time synchronization and uses the Network Time Protocol (NTP) on port UDP 123.  You will want to sync the PDCe with a reliable source, either internal (perhaps a router) or external.  The problem with going external is that there is less security because of the lack of authentication and verifiable authenticity. 

Clients and servers in your forest root domain will sync their time with any DC in the forest root.  This is all configured in the registry at the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.  Domain members have the Type value set to NT5DS, which configures them to use the domain hierarchy for time.  Some people change this to NTP, which means the machine will go to a specific time source instead of the PDCe, but I prefer to keep the default here because it works!  If you’re crazy enough you could configure it so that it relies on the CMOS clock…I just don’t have enough faith in the batteries for that.

If you have child domains or other tree roots in your forest realize that the forest root PDCe is STILL the authority for forest wide time synchronization.  The PDCe for the child domains will sync their time with the forest root PDCe or any DC in the root (but those root DCs get their time from the PDCe).  The clients and servers in the child domain will always go to a DC in their domain, so they should never go up to the forest root domain.  Clients poll the time every 45 minutes by default.  After three successful synchronizations it will increase that polling time to 8 hours.  Below is a great illustration of how time works in a multi domain forest.


To configure your forest root PDCe with a valid time source you should use the w32tm command:
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
You can, and I recommend you do, add multiple peers by separating them with a space (enclose the whole list in quotes so it is passed as one argument).  Please don’t forget to run this command on the DC that you have designated to take over the PDCe role during downtime (for example, patching).

To test how closely your time is synced you can use the w32tm command again, except this time we get a really cool command prompt chart…hey, it’s the simple things in life that get me.
w32tm /stripchart /computer:target /samples:n
Replace target with the name of the forest root PDCe.  I prefer to get 10 samples but you can go for whatever amount you like.  This will tell you the difference between the clocks.   More info on w32tm can be found here.

The Microsoft Directory Services team has a great blog that talks about high accuracy in w32tm and why they don’t support it.  This is a must read for all AD admins.  Don’t forget to set up an RSS feed to the Windows Time Service blog as well.

I would recommend baselining the time difference in your environment so that if an issue does occur you will know what the normal state of your time differential is.  You may also want to include some monitoring that can alert you to time drift using the baseline numbers you’ve collected.  I would also recommend talking to your developers to ensure they understand how time works in the environment.
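
An added example, not the post’s own code, of the baselining and drift alerting just described: a Python script that parses saved `w32tm /stripchart` output, counts failed samples, and rates the clock offset against a baseline you collected earlier and against the 5-minute Kerberos tolerance.  The sample output, the host name pdce.corp.example and the baseline value are constructed.

```python
import re

# Constructed sample in the layout of `w32tm /stripchart /computer:target
# /samples:n` output (not captured from a real DC): d: is the round-trip delay
# and o: is the offset of this machine's clock from the target clock.
SAMPLE_STRIPCHART = """\
Tracking pdce.corp.example [192.0.2.10:123].
Collecting 5 samples.
The current time is 10/28/2008 09:15:02 AM.
09:15:02, d:+00.0012345s o:+00.1250000s  [                           *                           ]
09:15:04, d:+00.0011000s o:+00.1310000s  [                           *                           ]
09:15:06, error: 0x800705B4
09:15:08, d:+00.0013000s o:+00.1290000s  [                           *                           ]
09:15:10, d:+00.0012000s o:+00.1270000s  [                           *                           ]
"""

# Kerberos tolerance mentioned above: clocks more than 5 minutes apart break authentication.
KERBEROS_MAX_SKEW_SECONDS = 300.0

OFFSET_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\s+d:[+-]\d+\.\d+s\s+o:([+-]\d+\.\d+)s")
ERROR_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\s+error:")


def parse_stripchart(text):
    """Return (offsets_in_seconds, error_count) from stripchart output.

    Samples that failed (for example the target did not answer) carry an
    "error:" marker instead of d:/o: values and are counted separately.
    """
    offsets, errors = [], 0
    for line in text.splitlines():
        m = OFFSET_RE.match(line)
        if m:
            offsets.append(float(m.group(1)))
        elif ERROR_RE.match(line):
            errors += 1
    return offsets, errors


def assess_drift(offsets, errors, baseline_seconds, max_skew=KERBEROS_MAX_SKEW_SECONDS):
    """Classify measured offsets against a baseline (in seconds) collected
    earlier in the same environment.

    Returns a dict with the statistics and a status:
      "critical" - at least one sample reaches the Kerberos tolerance
      "drift"    - the worst sample exceeds the baseline
      "no-data"  - every sample failed
      "ok"       - otherwise
    """
    if not offsets:
        return {"samples": 0, "errors": errors, "status": "no-data"}
    worst = max(abs(o) for o in offsets)
    mean = sum(offsets) / len(offsets)
    if worst >= max_skew:
        status = "critical"
    elif worst > baseline_seconds:
        status = "drift"
    else:
        status = "ok"
    return {
        "samples": len(offsets),
        "errors": errors,
        "max_abs_offset": worst,
        "mean_offset": mean,
        "status": status,
    }


if __name__ == "__main__":
    offsets, errors = parse_stripchart(SAMPLE_STRIPCHART)
    print(assess_drift(offsets, errors, baseline_seconds=0.050))
```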

Hopefully this sheds some light on how time works in an Active Directory forest and also how you can control and tweak it.  Oh and if you’re bored try playing the time game…it’s a great exercise for your mind and internal clock! :-)

Repost from…I will be moving several of the articles over to this blog.

Before all this starts, credit must go where credit is due.  I did not come up with all of the info within this article.  A lot of people have felt my pain and have contributed in their own ways.  One place you should know about is the Official Server Core Blog, as it is where I learned my all-time favorite command, which embeds the time into the Command Prompt (read on to see that one!).  Since I’ve been collecting my own list internally and blogging on it for about a year now, I see a lot of the same commands there.  The Windows Server 2008 Administrator’s Companion has a nice chapter on Server Core but by far the best resource is the scripts that accompany the book.  They allow you to very easily configure common settings.  One last area you should look into is of course Guy Teverovsky’s Server Core Configurator…if you haven’t seen it check it out now!

Server Core is a version of Windows Server 2008 that has a minimal Graphical User Interface (GUI).  I say minimal when most say command-line only because there are GUI tools available such as Notepad and Task Manager.  One thing that definitely doesn’t run on Server Core is the Explorer process.  If you’re unaware of what that process does, just end the explorer.exe process in Task Manager on your client and see what happens…don’t freak out, all you need to do is go back to Task Manager, select File -> New Task (Run…) and type explorer.exe.

The purpose of this article is not to give you every last detail of Server Core but to provide you with what you need to know to get it up and running in your environment.

Server Core has a limited amount of roles that can be installed on it, which include:

  • Active Directory Domain Services (AD DS) and AD Lightweight Directory Services (AD LDS)
  • DNS Server
  • Internet Information Services (IIS) (No ASP.NET support)
  • DHCP Server
  • File Services
  • Print Services
  • Streaming Media Services
  • Hyper-V

Now that doesn’t mean that Server Core can’t do other things.  In fact it can, but Microsoft calls those other items Features and not Roles.

  • Microsoft Failover Cluster (not available in Standard Edition)
  • Network Load Balancing
  • Subsystem for UNIX-based applications
  • Backup
  • Multipath IO
  • Removable Storage Management
  • BitLocker Drive Encryption
  • Simple Network Management Protocol (SNMP)
  • WINS
  • Telnet

Later on in the article I will explain how to install these services.  But first it’s time to go over what I believe to be the most commonly requested commands for administering a Server Core environment.

Server Core Common Networking and Firewall Commands

Here is the start of your Networking and Firewall related commands for Server Core:

Server Core Common Networking Commands

To configure the IP address we will have to remember (or learn) Netsh.

Configure a Static IP Address on Server Core:
Netsh int ipv4 set address "Local Area Connection" static
Netsh int ipv4 set dnsserver "Local Area Connection" static primary
Netsh int ipv4 set winsserver "Local Area Connection" static primary

Configure a Dynamic (DHCP) IP Address on Server Core:
Netsh int ipv4 set address "Local Area Connection" source=dhcp

Change the name of the network interface on Server Core:
Netsh int set interface name="Local Area Connection" newname="Primary Network"

Server Core Common Windows Firewall Commands:

The Windows Firewall is a blessing to some and a curse to others. Either way it is installed by default and you have to understand the commands that are needed to configure the basics and in some cases some advanced commands.

Disable firewall:
netsh firewall set opmode disable

Server Core can be managed by using MMCs from a remote server. However with the firewall being on by default you will have to allow these tools to work remotely.  The first thing to note here is how to translate the MMC Snap-in to Windows Firewall Rule Group.

MMC Snap-in – Event Viewer
Windows Firewall Rule Group – Remote Event Log Management

MMC Snap-in – Services
Windows Firewall Rule Group – Remote Services Management

MMC Snap-in – Shared Folders
Windows Firewall Rule Group – File and Printer Sharing

MMC Snap-in – Task Scheduler
Windows Firewall Rule Group – Remote Scheduled Tasks Management

MMC Snap-in – Reliability and Performance
Windows Firewall Rule Group – Performance Logs and Alerts
Windows Firewall Rule Group – File and Printer Sharing

MMC Snap-in – Disk Management
Windows Firewall Rule Group – Remote Volume Management

MMC Snap-in – Windows Firewall with Advanced Security
Windows Firewall Rule Group – Windows Firewall Remote Management

To enable all of these rules use this command:
Netsh advfirewall firewall set rule group="remote administration" new enable=yes

To enable a specific rule group follow this format:
Netsh advfirewall firewall set rule group="" new enable=yes

Server Core Common Domain Management Commands

Join a domain:
netdom join ComputerName /domain:DomainName /userd:UserName /passwordd:*
Yes, /passwordd:* needs to have that second d at the end of it.

Remove from domain:
netdom remove

Rename a Domain Member:
netdom renamecomputer %computername% /NewName: /userd: /passwordd:*

Rename Administrator:
wmic UserAccount where Name="Administrator" call Rename Name="new-name"

Add User to a Local Group
net localgroup GroupName /add

Remove User from a Local Group
net localgroup GroupName /delete

Confirm Domain and/or New Computer name:

Update User Passwords:
Net user [/domain] *

Server Core Common Server Management Commands

Toggle Remote Desktop on and off:
Cscript \windows\system32\scregedit.wsf /ar 0

Enable reduced security for RDP connections:
Cscript \windows\system32\scregedit.wsf /cs 0

Activate Server Core:
Local method – Slmgr.vbs -ato
Remote method – Cscript \windows\system32\slmgr.vbs ServerName UserName Password -ato

Rename a Stand-Alone Member:
netdom renamecomputer /NewName:

List of installed patches:
wmic qfe list

Install Updates:
wusa .msu /quiet

Configure for AutoUpdates:
cscript scregedit.wsf /AU /4

Disable AutoUpdates:
cscript scregedit.wsf /AU /1

View AutoUpdate Setting:
cscript scregedit.wsf /AU /v

Configure the Page File:
wmic pagefileset where name="" set InitialSize=,MaximumSize=

Configure a Proxy Server: (Server Core cannot use a proxy that requires authentication)
netsh Winhttp set proxy :

All your favorite TCP/IP commands work including the following:

List Running Services:
sc query

Start and/or Stop a Service:
sc start
sc stop

Task Manager: (Ctrl+Shift+Esc)

Manage Disk Volumes:
Diskpart /?

Defrag a Volume:
defrag /?

Change Time and Time Zone:
control timedate.cpl

Change the Desktop Resolution: (requires you to log off and back on)
Regedit – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video

Display the Time in the Command Prompt:
prompt [$t]$s$p$g

Log off:
shutdown /l

Restart Now:
shutdown /r /t 0




To get the Roles and Features installed you are going to need to use the ocsetup.exe command.  OC is short for Optional Components.  The most important thing to remember about this command is that IT IS CASE SENSITIVE!!! As a best practice you should always launch ocsetup.exe with start /w, as the /w switch keeps the Command Prompt from returning control to you (when you can type again) until the setup is complete.  Below you will find a list of the commands that are required to install Roles and Features on Server Core.

DNS Server
start /w ocsetup DNS-Server-Core-Role

DHCP Server
start /w ocsetup DHCPServerCore

File Services (the Server service is installed by default, but there are other role services):

File Replication Service
start /w ocsetup FRS-Infrastructure

Distributed File System
start /w ocsetup DFSN-Server

Distributed File System Replication
start /w ocsetup DFSR-Infrastructure-ServerEdition

Services for Network File System (NFS)
start /w ocsetup ServerForNFS-Base
start /w ocsetup ClientForNFS-Base

Hyper-V
start /w ocsetup Microsoft-Hyper-V

Print Server feature
start /w ocsetup Printing-ServerCore-Role

Line Printer Daemon (LPD) service
start /w ocsetup Printing-LPDPrintService

Active Directory Lightweight Directory Services
start /w ocsetup DirectoryServices-ADAM-ServerCore

Active Directory Domain Services
dcpromo /unattend:

Streaming Media Services
Follow directions found in Article ID 934518

Internet Information Services (IIS)
start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel
To uninstall IIS use the following command:
start /w pkgmgr /uu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel

NOTE: If you need to uninstall a Role that you installed with ocsetup, all you need to do is append /uninstall to the commands above.

Now let’s take a look at how we install Features on Server Core:

Microsoft Failover Clustering
start /w ocsetup FailoverCluster-Core

Network Load Balancing
start /w ocsetup NetworkLoadBalancingHeadlessServer

Subsystem for UNIX-based applications
start /w ocsetup SUACore

Multipath IO
start /w ocsetup MultipathIo

Removable Storage
start /w ocsetup Microsoft-Windows-RemovableStorageManagementCore

BitLocker Drive Encryption
start /w ocsetup BitLocker

Backup
start /w ocsetup WindowsServerBackup

Simple Network Management Protocol (SNMP)
start /w ocsetup SNMP-SC

Windows Internet Name Service (WINS)
start /w ocsetup WINS-SC

Telnet client
start /w ocsetup TelnetClient

NOTE: If you need to uninstall a Feature that you installed with ocsetup, all you need to do is append /uninstall to the commands above.

Having the Role or Feature installed doesn’t do much without going in and configuring the service.  The quick and easy way to manage these Roles and Features is to have either a dedicated Terminal Server with the AdminPak or Remote Server Administration Tools (RSAT) installed, or just install those same tools on XP or Vista. 

Take a look here for more info on how to manage DNS with DNSCMD and then head over here for installing Active Directory via an answer file on Server Core.

I know this isn’t a complete listing of the commands but I really believe this should help you get started in the right direction.  One of the best resources out there is the Windows Server 2008 Step-by-Step Guides.  For this case you will want to download the Server_Core_Installation_Option_of_Windows_Server_2008_Step-By-Step_Guide.doc guide.

Please don’t just read this post…participate by answering the questions I ask using the comments.  Don’t worry, you don’t have to register.  :-)

One of the things that I’ve been waiting awhile for, was a Windows operating system that is smart enough to not have to reboot as much as previous versions.  I thought that wait would end with Windows Server 2008 but unless someone can prove me wrong I think there is actually potential for more reboots.

The first and obvious one that we still have to deal with is patching.  Didn’t Microsoft mention that reboots after patching would be much fewer?  I can’t seem to find anything from the early hype days but the excellent ASKPERF blog does go into some detail as to why there should be fewer reboots.  The problem is that system DLLs such as NTDLL.DLL and Kernel32.DLL still require a reboot when they are updated.  Have you seen fewer reboots because of patching?

My next big complaint about Server 2008 reboots has to do with Features and Roles.  I first experienced this after installing the limp Windows Server Backup.  I know many people don’t like the old built in tool but if you manage an AD environment it was perfect for doing AD backups while not allowing domain Backup Operators the ability to restore your AD to their desktop. I know other ways to do this in Server 2008 but that is not my point of this post.

I installed the Windows Server Backup and quickly decided to uninstall it.  What do you know…I have to reboot my server to uninstall backup software.  I couldn’t believe that.  During some testing I had to uninstall AD and DNS on a DC.  I go and run DCPROMO on the DC and of course afterwards I have to reboot.  So I do.  Next I go to uninstall DNS from Server Manager (also removed the AD Binaries) and sure enough not 5 mins after rebooting for DCPROMO I had to reboot again.  This was not an issue with Server 2003.

COME ON MICROSOFT!!!  The last time I had to reboot this frequently was with Windows NT.  Heck I was surprised after a right-click it didn’t ask me to reboot…Okay, so maybe it isn’t that bad but it definitely seems to be more now than it was in Server 2003, especially with Services.  Have you experienced reboots doing tasks that didn’t require them in Server 2003?  Are you happy with that?

The problem with this is when I want to install an additional Feature or Role it won’t let me because it is pending an uninstall.  I’d love to hear what others think of this.

Conditional Forwarders was a new feature within the Microsoft DNS server for Windows Server 2003.  It was a great addition that allowed you to specify a specific DNS server for clients trying to resolve hosts in a specific domain.  This way you could tell the DNS server to always go to a specific DNS server for specific domain names.

One of the things that you will find different in Windows Server 2008’s DNS is how it displays Conditional Forwarders.  Previously you needed to view the Forwarders tab in the DNS server’s properties. Here is a shot of the old way.


The new way is in plain sight…but it still seems like people miss it.

Now here is a look at what type of options you have for it:

You just place the DNS domain name in the top section and the IP address of the DNS server that is authoritative for that domain below.  Notice you also can store this Conditional Forwarder in Active Directory if you want.  It is NOT the default.  Behind that drop down is the amount of time the DNS server will wait before it times out…which is 5 seconds by default.

Hopefully that helps you figure out how DNS Conditional Forwarders are set up in Windows Server 2008.

If you haven’t noticed yet, Windows Server 2008 has several more User Rights Assignments in the Local Policy settings.  If you’re looking for a definition of one or all, take a look below.  These are the same settings that are found in Group Policy located at this path – Computer Configuration\Windows Settings\Local Policies\User Rights Assignment.


Access Credential Manager as a trusted caller

This policy setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users’ saved credentials might be compromised if this user right is assigned to other entities.

By default, no accounts are assigned this right. However, to enforce the default setting, the Access Credential Manager as a trusted caller setting is restricted to No One for the SSLF environment discussed in the security guide.

Act as part of the operating system

This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. For this reason, the Act as part of the operating system setting is restricted to No one for both of the environments that are discussed in this guide.

Add workstations to domain

This policy setting only takes effect when applied to domain controllers.

Adjust memory quotas for a process

This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, this setting could be used to launch a denial of service (DoS) attack.

For this reason, the Adjust memory quotas for a process setting is restricted to Administrators, Local Service, and Network Service groups for the SSLF environment. The setting is configured to Not Defined for the EC environment.

Allow log on locally

This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the computer keyboard require this user right.

Microsoft recommends that you enable this setting through Group Policy and restrict this right to members of the Administrators group. Assign this user right to the other Operator-level administrative security groups, such as Backup Operators or Server Operators, if your organization requires that they have this capability.

Allow log on through Terminal Services

This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. Microsoft recommends that you restrict this user right to the Administrators group to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature. Dedicated Terminal Servers will require additional configuration.

Back up files and directories

This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply.

Bypass traverse checking

This policy setting allows users who do not have the special "Traverse Folder" access permission to "pass through" folders when they browse an object path in the NTFS file system or in the registry. This user right does not allow users to list the contents of a folder, but only allows them to traverse directories.

Change the system time

This policy setting determines which users and groups can change the time and date of the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer’s time setting is changed, logged events reflect the new time, which may not be the actual time that the events occurred.

Change the time zone

This setting determines which users can change the time zone of the computer. This setting capability poses no great risk for the computer. However, modifications to this setting affect all users and applications on the computer, which could cause confusion in shared terminal server environments.

Create a pagefile

This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.

Create a token object

This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. In environments in which security is a high priority, this user right should not be assigned to any users. Any processes that require this capability should use the Local System account, which is assigned this user right by default.

Create global objects

This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right.

Users who can create global objects could affect processes that run under other users’ sessions. This capability could lead to a variety of problems, such as application failure or data corruption.

Create permanent shared objects

This policy setting allows users to create directory objects in the object manager. This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right.

Create symbolic links

This policy setting determines which users can create symbolic links. In Windows Server 2008, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk file) to another file system object, which can be a file, folder, shortcut or another symbolic link. The difference between a shortcut and a symbolic link is that a shortcut only works from within the Windows shell. To other programs and applications, shortcuts are just another file, whereas with symbolic links, the concept of a shortcut is implemented as a feature of the NTFS file system.

Symbolic links can potentially expose security vulnerabilities in applications that are not designed to use them. For this reason, the privilege for creating symbolic links should only be assigned to trusted users. By default, only members of the Administrators group can create symbolic links.

Debug programs

This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user right. However, developers who are debugging new system components need it.

Deny access to this computer from the network

This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

Deny log on as a batch job

This policy setting prohibits users from logging on to a computer through a batch-queue facility, which is a feature in Windows Server 2008 that you can use to schedule jobs to run automatically one or more times in the future.

Deny log on as a service

This policy setting determines which accounts are prevented from logging on as a service (that is, from registering a process as a service). Accounts that can log on as a service could be used to configure and launch new unauthorized services, such as a keylogger or other malware.

Deny log on locally

This policy setting prohibits users from logging on locally to the computer console. If unauthorized users can log on locally to a computer, they can download malicious code or elevate their privileges on the computer. In addition, if attackers have physical access to the console, there are other risks to consider. This user right should not be assigned to those users who need physical access to the computer console.

Deny log on through Terminal Services

This policy setting prohibits users from logging on to computers in your environment through Remote Desktop connections. If you assign this user right to the Everyone group, you also prevent members of the default Administrators group from using Terminal Services to log on to computers in your environment.

Enable computer and user accounts to be trusted for delegation

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory®. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

Force shutdown from a remote system

This policy setting allows users to shut down Windows-based computers from remote locations on the network. An unauthorized shutdown of a server is a type of denial of service (DoS) condition that makes the computer unavailable to service user requests. Microsoft recommends assigning this user right only to highly trusted administrators.

Generate security audits

This policy setting determines which users or processes can generate audit records in the Security log. An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity. Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.

Impersonate a client after authentication

This policy setting allows programs to impersonate a user so that the program can act on behalf of the user. Requiring authentication first helps prevent elevation of privilege attacks.

Services that the Service Control Manager starts have the built-in group "Service" added by default to their access tokens. COM servers that the COM infrastructure starts and configures to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started.

In addition, a user can impersonate an access token if any of the following conditions exist:

  • The access token that is being impersonated is for the same user that is making the request.
  • The user, in this logon session, logged on to the network with explicit credentials to create the access token.
  • The requested level is less than Impersonate, such as Anonymous or Identify.

An attacker with the Impersonate a client after authentication user right could create a service that impersonates any logged on user in order to elevate the attacker's level of access to that of the logged on user or to the level of the client computer's system account.
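The paragraphs above make two practical points: the right lives in the process token, and any service started under a custom account picks it up through the Service group. The following PowerShell is an added example (not part of the original post) that shows both on the server being reviewed: it parses whoami.exe /priv for the current token and lists services whose logon account is not one of the three built-in service identities. The list of built-in account names is an assumption for Windows Server 2008; the whoami output format is the standard column layout of that tool.

```powershell
# Added example (not from the original post). Run in PowerShell on the server under review.
# whoami.exe ships with Windows; its /priv switch lists the privileges in the current token.

function Get-TokenPrivileges {
    # Parse 'whoami /priv' into a hashtable: privilege constant -> Enabled/Disabled.
    # Logon rights (e.g. SeServiceLogonRight) are not token privileges and never appear here.
    $priv = @{}
    foreach ($line in (whoami.exe /priv)) {
        if ($line -match '^(Se\w+)\s+.*\s+(Enabled|Disabled)\s*$') {
            $priv[$matches[1]] = $matches[2]
        }
    }
    return $priv
}

# Built-in service identities (assumption: default Windows Server 2008 account names).
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-CustomAccountServices {
    # Services configured to log on with any other account. Because the SCM adds the
    # Service group SID to their tokens, these tokens carry SeImpersonatePrivilege too.
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
        Select-Object Name, StartName, State
}

$token = Get-TokenPrivileges
if ($token.ContainsKey('SeImpersonatePrivilege')) {
    "Current token holds SeImpersonatePrivilege ({0})" -f $token['SeImpersonatePrivilege']
} else {
    "Current token does not hold SeImpersonatePrivilege"
}

"Services running under a custom account (their tokens also carry the right):"
Get-CustomAccountServices | Format-Table -AutoSize
```

Anything in the second list is a service whose compromise yields the impersonation right, so those accounts deserve the same scrutiny as an explicit assignment in Group Policy.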

Increase a process working set

This policy setting determines which user accounts can increase or decrease the size of a process working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

This right is granted to all users by default. However, increasing the working set size for a process decreases the amount of physical memory available to the rest of the system. It would be possible for malicious code to increase the process working set to a level that could severely degrade system performance and potentially cause a denial of service. Certain environments can help mitigate this risk by limiting which users can increase the process working set.

Increase scheduling priority

This policy setting allows users to change the amount of processor time that a process uses. An attacker could use this capability to increase the priority of a process to real-time and create a denial of service (DoS) condition for a computer.

Load and unload device drivers

This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required to add local printers or printer drivers in Windows Server 2008.

Lock pages in memory

This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned and abused, significant degradation of system performance can occur.

Log on as a batch job

This policy setting allows accounts to log on using the Task Scheduler service. Because the Task Scheduler is often used for administrative purposes, you may need this right in the EC (Enterprise Client) environment. However, Microsoft recommends restricting its use in the SSLF (Specialized Security - Limited Functionality) environment to prevent misuse of system resources or to prevent attackers from using the right to launch malicious code after gaining user level access to a computer.

Log on as a service

This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on all computers in an SSLF environment, but because many applications may require this right, you should carefully evaluate and test this setting before configuring it in an EC environment. On servers running Windows Server 2008, no users or groups have this right by default.

Manage auditing and security log

This policy setting determines which users can change the auditing options for files and directories and clear the Security log. Because this capability represents a relatively small threat, this setting enforces the default value of the Administrators group for both the EC and SSLF environments.

Modify an object label

This policy setting determines which users can change the integrity level of objects, such as files, registry keys or processes owned by other users. Note that a user can change the integrity level of an object that is owned by that user to a lower level without holding this privilege.

Modify firmware environment values

This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure that would result in a DoS condition.

Because this capability represents a relatively small threat, this setting enforces the default value of the Administrators group for both the EC and SSLF environments.

Perform volume maintenance tasks

This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a DoS condition.

Profile single process

This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that they could use to mount an attack on the system.

Profile system performance

This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. This setting enforces the default of the Administrators group for both the EC and SSLF environments.

Remove computer from docking station

This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. This setting is not usually relevant in server scenarios.

Replace a process level token

This policy setting allows one process or service to start another service or process with a different security access token, which an intruder can use to modify the security access token of that sub-process to escalate privileges. This setting enforces the default values of Local Service and Network Service for both the EC and SSLF environments.

Restore files and directories

This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Server 2008. This right also determines which users can set valid security principals as object owners; it is similar to the Back up files and directories user right.

Shut down the system

This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a DoS condition.

Synchronize directory service data

This policy setting determines which users have the authority to synchronize all directory service data.

Take ownership of files or other objects

This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects and gives ownership to the specified user. This setting enforces the default value of the Administrators group for both the EC and SSLF environments.
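Reading the list is one thing; knowing who actually holds these rights on a given server is another. The PowerShell below is an added example (not part of the original post or the Security Guide) that exports the local User Rights Assignment with secedit.exe, which is present on Windows Server 2008, and flags every holder of the higher-risk rights described above that is not in an expected-holder list. The privilege constants are the ones secedit writes in its [Privilege Rights] section; the display names are the setting names used above; the expected-holder SIDs are an assumption for a default member server and should be replaced with your own EC or SSLF baseline. It needs an elevated prompt and PowerShell 2.0 or later (for try/catch).

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# secedit constant -> Group Policy display name, for the higher-risk rights discussed above.
$displayNames = @{
    'SeCreateTokenPrivilege'        = 'Create a token object'
    'SeCreateGlobalPrivilege'       = 'Create global objects'
    'SeCreateSymbolicLinkPrivilege' = 'Create symbolic links'
    'SeDebugPrivilege'              = 'Debug programs'
    'SeEnableDelegationPrivilege'   = 'Enable computer and user accounts to be trusted for delegation'
    'SeImpersonatePrivilege'        = 'Impersonate a client after authentication'
    'SeLoadDriverPrivilege'         = 'Load and unload device drivers'
    'SeSecurityPrivilege'           = 'Manage auditing and security log'
    'SeRelabelPrivilege'            = 'Modify an object label'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeRestorePrivilege'            = 'Restore files and directories'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of files or other objects'
}

# Expected holders (assumption: default member server). Anything not listed here is
# treated as Administrators-only. S-1-5-32-544 = Administrators, S-1-5-32-551 = Backup
# Operators, S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE, S-1-5-6 = SERVICE.
$adminsOnly = 'S-1-5-32-544'
$expected = @{
    'SeImpersonatePrivilege'        = @('S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')
    'SeCreateGlobalPrivilege'       = @('S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')
    'SeAssignPrimaryTokenPrivilege' = @('S-1-5-19', 'S-1-5-20')
    'SeRestorePrivilege'            = @('S-1-5-32-544', 'S-1-5-32-551')
}

function Resolve-Holder([string]$entry) {
    # secedit writes SIDs with a leading '*'; unresolvable entries appear as plain names.
    if ($entry -notlike '*S-1-*') { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
    try { return $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { return $entry }
}

$inSection = $false
foreach ($line in (Get-Content $inf)) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $matches[1]
    if (-not $displayNames.ContainsKey($right)) { continue }
    $holders = $matches[2].Split(',') | ForEach-Object { $_.Trim() }
    $allowed = $expected[$right]
    if (-not $allowed) { $allowed = @($adminsOnly) }
    foreach ($h in $holders) {
        if ($allowed -contains $h.TrimStart('*')) { continue }
        "{0} ({1}) is held by {2} - review" -f $displayNames[$right], $right, (Resolve-Holder $h)
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Rights that the guide says no one should hold by default (Create a token object, Modify an object label) fall into the Administrators-only bucket here; tighten the expected list to an empty array for those if your baseline says nobody at all.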

That has to be the longest title I’ve ever had in any blog.  In my opinion this has the ability to be the best post I’ve ever created too.  The reason being that I’m always looking for ways to make my life easier…and then share them with you.  EVERY single person I’ve spoken to about Windows Server 2008 has been frustrated with the amount of clicks and initial confusion on how to get to the Network Card properties.  Hopefully this will help.

The plan is to create a custom shortcut and copy it to the desktop for easy access (isn’t it always about easy access?).

1. From wherever you want the shortcut created, right-click and select New –> Shortcut (I recommend the Desktop)


2. Put the following path into the location box: C:\Windows\System32\ncpa.cpl

3. Click Next and type whatever you would like the name of the Shortcut Icon to appear as.

4. Time to change the way the Icon looks – Right Click on the newly created Shortcut and select Properties

5. Click the Change Icon… button and pick whichever Icon you prefer.

6. We finally have an icon available to view the Network Interfaces on our Windows Server 2008 and Vista machines



Unlike Windows 2000 and 2003, where you had to right-click and select Properties, here you will have to double-click the icon…which I think is just a bit easier.
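The same shortcut can be dropped on a server without the six clicks, which is handy when you build many boxes. The PowerShell below is an added example (not from the original post) that creates it through the WScript.Shell COM object and reads it back to confirm the target; the shortcut name and the shell32.dll icon are arbitrary choices, and ncpa.cpl is the control panel applet the steps above point at.

```powershell
# Added example (not from the original post). Creates the Network Connections shortcut
# on the current user's desktop; works on Windows Server 2008 and Vista.
$desktop = [Environment]::GetFolderPath('Desktop')
$lnkPath = Join-Path $desktop 'Network Connections.lnk'   # name is an arbitrary choice
$target  = Join-Path $env:SystemRoot 'System32\ncpa.cpl'

# Refuse to create a shortcut to something that is not there (e.g. a typo in the path).
if (-not (Test-Path $target)) { throw "ncpa.cpl not found at $target" }

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath   = $target
$lnk.IconLocation = (Join-Path $env:SystemRoot 'System32\shell32.dll') + ',0'  # any icon index
$lnk.Description  = 'Network Connections (ncpa.cpl)'
$lnk.Save()

# Read the .lnk back and verify it points at the System32 copy of ncpa.cpl, nothing else.
$check = $shell.CreateShortcut($lnkPath)
if ($check.TargetPath -ne $target) { throw "Shortcut target mismatch: $($check.TargetPath)" }
"Created $lnkPath -> $($check.TargetPath)"
```

Double-clicking the resulting icon opens Network Connections exactly as the manually created one does.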

Just saw this on the “Ask the Directory Service Team” blog that they are going to have a webcast on Directory Service on the 21st of August.  Here is the overview of what will be discussed:

This session will look at core infrastructure services, focusing on the decisions commonly faced by enterprises when deploying Active Directory. We’ll look at how the improvements in Microsoft Windows Server 2008 can help rationalize the Active Directory infrastructure while still supporting complex and dispersed environments. We will cover the design process for an Active Directory Domain Services (AD DS) upgrade and consolidation project, considering the key decisions which must be made and how these will benefit an enterprise environment. New features such as read-only domain controllers (RODCs) and fine-grained password policies will be covered as well as more general design principles and considerations for remote workers. Finally we will cover how it is possible to take advantage of new virtualization technologies in supporting Active Directory.

Looks like some good stuff.