Press a button–get the result

Do you know at which moment exactly your GPO really applies? When you switch the radio button to “Enabled”? Or when you close a GPO console? I’ve been wondering about it for some time (but of course I was too lazy to test it myself 😉 ), but some time ago, while at a training, I asked the trainer and we conducted an experiment on the spot, because he didn’t know it either. During the experiment we got proof that the settings you change are implemented as soon as you press the “OK” or “Apply” button with this particular setting. …

Delegate permissions for creating GPO objects in other domain

The task is obviously necessary to complete on your way to implementing the Role-Based Administration concept. And, to be honest, being in euphoria after a quick acquaintance with AGPM, I thought that it was no deal at all: give an account or a group a membership in some special groups including “Group Policy Creator Owners” and voila – you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. And moreover, you are unable to change the fact: everything is dimmed. At least I don’t know a way …

Too many smart-cards inserted. Good thing: no need to throw them away

Some time ago I used to issue certificates on Aladdin (now SafeNet) eToken smart-cards through a CA web interface. Occasionally it was hard to accomplish, because when I tried to do that I received the following error: "Too many smart-cards inserted. please insert only one smart-card" Wow! But I need two: one – an eToken with a certificate for enrollment, the second – for a new certificate. Maybe the CA thinks that I have too many of them in general and I need to throw them away? No, fortunately (they cost a lot when in bulk, you know) it is not the case. Moreover, there …

%SystemRoot%\System32 secrets: BITSAdmin

Another deprecated friend of mine. But I still like it, really. First of all because I still haven’t found enough time to get acquainted with all those *-BITSTransfer PowerShell cmdlets. Second… Well, there is nothing for the “second”, naturally =) But still – it is a great command and I’d like to pay tribute to it with this article, because it is AWESOME! It is soooo powerful! Even though I usually used it just to be sure I would download the file regardless of network loss or whatever, it can do much more. Download or upload, retry these tasks, …

Do you miss your search results? Kill’em.

I’ve had one more case recently: an employee reported that his Outlook wouldn’t search any item for the last three weeks or so. Rebuilding indices didn’t help and moreover he was not using cached Outlook mode. Well, while my search seemed to be ok, I needed to reproduce the problem somehow, so I went nuts and removed cached mode too. Bingo! My search results were restricted to the period from the same three weeks ago back to the beginning of time. No results from yesterday or last week. Considering the fact that mailboxes, both the employee’s and mine, were in the same …

The case of jammed permissions

Once I got a request ticket from one of our administrators, to whom some permissions in their parts of AD are delegated. The person told me that he didn’t have permissions for some accounts. Well, no problem: I investigated the issue, found that the inheritance on that record was broken and I fixed it – one checkbox and “OK” button – big deal! The next day I received another request… for the same person. The inheritance was broken again! Ok, I’m not a newbie, I even know something about adminCount, adminSDHolder and SDProp. So I went and checked if the …

Manage your Windows 2008 R2 DNS Server from XP

Being an MS MVP involves answering questions. I don’t receive many of them, but this happens sometimes. The latest one was quite interesting. After reading my article about delegating administration of DNS, one of my readers discovered that he cannot implement my solution in his environment. You see, he has got Windows XP workstations for administrators but Windows Server 2008 R2 DNS servers. This configuration leads to either “access denied” or other errors while trying to connect from the XP DNS console to a W2K8R2 DNS server. I hadn’t ever encountered such a problem, seems like I pass it and …

%SystemRoot%\System32 Secrets: Auditpol

This command is very useful in case you need to fine-tune auditing. For example, you cannot set “Audit directory service changes” without setting “Audit directory service replication” using only the GUI, because “There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories”. Therefore, you need auditpol badly in case you need to set those subcategories. You also need it in order to script changes to or audit of SACL. You need it also to back up or restore those policies quickly (say you need to turn some auditing settings on for some time and …

%SystemRoot%\System32 Secrets: Schtasks

After my previous post about the AT command I received some feedback from people who obviously enough hadn’t read my post in its entirety =) The feedback stated that “AT is deprecated and is to be replaced with schtasks”. You bet I knew that! =) Nevertheless, schtasks is really more powerful and since my article touched more than one heart I decided to write the next message not about auditpol, which is next in my alphabetical list of interesting apps in the System32 folder, but about schtasks. Let’s begin. Schtasks: compared to AT it is a huge advancement. Really, here are its …

Creating self-signed certificate for code-signing

Just in case you cannot google it or you don’t like solutions longer than two strings of command line… Sometimes you need to assure yourself that scripts or code you are about to run are the same as you’ve created them. One of the ways to achieve it is to put a flash drive with them into a safe. Another – get them signed. The second option seems to be a more convenient means, but it requires a code-signing certificate. Buying one is quite an expense: I have failed to find any cheaper than $99 per two years. Well, it …