Quickie: I really don’t like Antiviruses especially ESET

February 22nd, 2013 No comments

Here is one reason why I don’t like ESET Antivirus:

Fuck the ESET

I don’t think it needs any comments 😀

Here is official website I saw it at.

TrendMicro Worry-Free Business Security debug logs

February 22nd, 2013 2 comments

Problem

Today I was at one customer which recently installed TrendMicro Worry-Free Business Security solution. It’s firewall and anti-* product. Today I noticed there is no free space on C:\ disk. Trend Micro ate 19 GB! The biggest portion of space was located at C:\Program Files\Trend Micro\Security Server\PCCSRV\Log. There were files called ofcdebug-*.log which were about 150 MB of size and there was lots of them. And there new comming and comming 🙂

Solution

Those file are debugging log files. There is really weird way to disable them. In management website you need to click on little small letter “M” in the logo:

TrendMicro Worry-Free

New window appears where you can enable/disable debug logs:

TrendMicro Debuging Log

This is really weird way to set logging by looking for some small letter “M” 🙂

More about it on official site.

Prezentácia BranchCache

February 19th, 2013 No comments

ShowIT-BrachCache_Zilinec

Ak by ste mali nejaké otázky, sem s nimi.

 

Categories: Windows Tags: , ,

Maximum Validity For Certificates

February 19th, 2013 No comments

You can configure expiration period for Certification Template. By default there are default maximum validation periods set to:

  • One year for Stand-alone Certification Authority
  • Two years for Enterprise Certification Authority

This means you have Certification Template set its validity for example for 10 years, but you can enroll certificates with validity 1 or 2 years (Stand-alone / Enterprise Certification Authority).

This can be changed via registry keys described in KB254632.

Thank you for my colleague Róbert Švec.

Quickie: Remove Domain Controller role from Exchange 2007 server

January 29th, 2013 No comments

Last night I removed Domain Controller Role from Exchange 2007 server and we had problem in the morning with Exchange Outlook Web Access (OWA). We couldn’t log in at all. Symptomps:

  • Form based authentification was enabled, but Basic was proposed to clients instead
  • When users logged in they received 440 Login Timeout error

After couple minutes of googling I found this article which solved problem.

IMHO when computer was demoted from domain controller role it created local SAM database and didn’t use domain created accounts IUSR_ComputerName and IWAM_ComputerName.

 

Disable Exclusive Rights for roaming profiles

January 25th, 2013 No comments

When administrators implement Roaming Profiles they define folder where roaming profile should be stored on fileserver. By default file permissions for the newly generated profile are full control for the user, full control to SYSTEM and no file access for the administrators group. You can not access this profiles with administrator account and clean it up. First you had to take ownership and then you can change ACL, but this is not what you want, because owner should be user.

You can fix this in two steps:

New roaming profile folders

You can change default behaviour on new profile folder creation. It can be changed by applying GPO to domain controllers with following setting Enabled:

Change new roaming profile security

Change ACLs for existing profile folders

This will be in couple steps:

  • Download SubInACL.exe
  • Download PsExec
  • Log into fileserver where profiles are stored
  • Run cmd.exe under SYSTEM account by running command

psexec -sid cmd.exe

  •  In new cmd.exe window go into directory where roaming profiles are stored. For example: cd G:\Profiles\
  • Add BUILTIN\Administrators into ACLs of roaming profiles by running following command:

subinacl /subdirectories=directoriesonly G:\Profiles\*.* /GRANT=Administrators=F

Enjoy accessible roaming profile  folders 🙂

 

Quickie: GPO Preferences variables

January 21st, 2013 1 comment

When you want to use system variables in GPO Preferences you can do so. For example: if you want to create folder on user’s desktop called as computer name, you can use variable in New Folder Properties:

 

GPO Preferences for New Folder

If you don’t know what variables you are able to use in Preferences input fields you can press F3 and it will display you a list of variables you can use:

 

List of variables in GPO Preferences

 

I just found info at Microsoft.

Categories: GPO, Microsoft, Quickie Tags: , , ,

DFS Problem in multi domain environment

January 21st, 2013 No comments

Couple months ago we have created Active Directory domain for one of our customer. His AD was subdomain of existing AD domain hosted in Germany. Let’s call them following:

  • DOMAIN.LOCAL <– Main AD in Germany
  • SK.DOMAIN.LOCAL <– New created domain in Slovakia

To make administrators life easier in future, we have created DFS Shares in domain SK.DOMAIN.LOCAL. One of those DFS shares is called “Common”. So people in Slovakia were accessing DFS share \\\\SK.DOMAIN.LOCAL\\Common and share data. Under this DFS Namespace following share was hidden \\\\FSSERVER\\Common.

Everything worked just fine.

Problem

Problem appeared when users from Germany (from domain DOMAIN.LOCAL) wanted to access this share. There were following symptomps:

There were no firewalls between two domains. All ports were accessible.

Solution

After couple tries (and using dfsutil) I figured out that client machine from DOMAIN.LOCAL get as DFS Refferal NetBIOS server name FSSERVER and it cannot translate FSSERVER to IP (FSSERVER is from SK.DOMAIN.LOCAL). Client machine from DOMAIN.LOCAL although can translate FQDN of FSSERVER.SK.DOMAIN.LOCAL. I tried to put FSSERVER IP record into client machine’s hosts file and everything started to work perfectly. So we have more solutions to solve issue:

  • Synchronize NetBIOS names between two domain (weird)
  • Add DNS Search suffixes to clients in domain (not nice solution and can slowdown DNS queries)
  • Force DFS to propagate FQDN as refferals (winner)

I decided to force DFS to propagate FQDN as refferals. It’s made by change in registry keys for DFS service. More about it is at http://support.microsoft.com/kb/244380/en-us. One more important thing is that you need to remove and re-add refferal servers from DFS Namespaces. I used DFS console because I didn’t use DFS Replication. If you do use DFS Replication it’s recommended to do it using cmd line (dfscmd.exe).

That’s all folks,

Quickie: Service Accounts description

January 14th, 2013 No comments

More often I see people (IT admins) not understand differences between Local Service Accounts so I decided to write more about it:

SYSTEM

This account has full access to local computer. It can access network resources with rights (account) of the computer. This account has full access to domain it self when used on Domain Controller.

LOCAL SERVICE

This account has same right as local Users group. It goes to network as annonymous user (null session).

NETWORK SERVICE

It’s almost same as LOCAL SERVICE. Only difference is that it uses computer account to access network resources.

Quickie: Exchange Empty Submission queue

January 14th, 2013 No comments

Today I was solving problem with open relay Exchange server. I came to server and it was full of SPAM e-mail messages. I needed to clean all this mess from Submission queue. I used following command:

Get-Message -Filter {FromAddress -eq “<>”} -Server MAILSERVER | Remove-Message

That’s all folks 🙂