Active Directory groupType Attribute
-2147483640 universal security group
-2147483646 global security group
-2147483644 domain local security group
-2147483643 builtin security group
2 global distribution group
4 local distribution group
8 universal distribution group
These values are used as the group type coding by all ManageRED ADUM software, OEM and ManageRED ADSearch software.
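The totals above are sums of bit flags, which is why security groups appear as large negative numbers. The following PowerShell decoder is an added example, not ManageRED code; the function name `ConvertFrom-GroupType` is hypothetical and it assumes PowerShell 3.0 or later.

```powershell
# Added example: decode groupType by its bit flags instead of memorising the totals.
# Bit 31 marks a security-enabled group, bits 1-3 carry the scope, and bit 0 marks a
# system-created (builtin) group. A value without bit 31 is a distribution group.
function ConvertFrom-GroupType {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [int]$GroupType
    )
    process {
        # Exactly one scope bit is expected; anything else is reported as Unknown.
        $scope = switch ($GroupType -band 0xE) {
            2       { 'Global' }
            4       { 'DomainLocal' }
            8       { 'Universal' }
            default { 'Unknown' }
        }
        # [int]::MinValue is the sign bit (0x80000000) of the signed 32-bit value.
        $category = if ($GroupType -band [int]::MinValue) { 'Security' } else { 'Distribution' }

        [pscustomobject]@{
            GroupType = $GroupType
            Hex       = '0x{0:X8}' -f $GroupType
            Category  = $category
            Scope     = $scope
            Builtin   = [bool]($GroupType -band 0x1)
        }
    }
}

# The seven values listed on this page.
$values = @(-2147483640, -2147483646, -2147483644, -2147483643, 2, 4, 8)
$values | ConvertFrom-GroupType | Format-Table -AutoSize
```

Filtering on `Category -eq 'Security'` separates the groups that can appear in access control lists from mail-only distribution groups.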
Tuesday, January 17, 2012
Wednesday, July 6, 2011
ManageRED PasswordCopy Requirements
In order to copy passwords the minimum requirements must be met:
Windows 64bit (Windows 2008R2) ***
When Windows 2008R2 or any Windows 64bit server is involved in the password copy process the LSA must be manually edited before starting the process.

On the 64bit computer(s), DC or member server, navigate to:
HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Control\Lsa\
List: SecurityPackages
The SecurityPackages key must contain only: kerberos, msv1_0, schannel, wdigest, tspkg
Edit this key to match the list above exactly by removing any extra entries, then reboot the server for the change to take effect.
Virus scan software must be disabled during a password migration. False Trojan detections may occur and required files may be quarantined.
PDC - PDC Emulator (Windows 200x FSMO Server) requirements:
Drive letters must be shared, for example C$, D$, etc.
The Windows directory must have the Administrative Share ADMIN$
Remote registry services must be running
The DCs must be reachable by Name (NETBIOS name Resolution must be working across subnets)
The DCs must be remotely manageable (Windows Firewall issues)
Service Account and the operator must have domain Administrative rights
Service Account must have the Log on Locally and Run as a Service rights.
The Target Domain Password Policy must be less restrictive than the Source Domain Password Policy
2 way trusts must be in place and functional
Password Copy in Workgroups
Drive letters must be shared, for example C$, D$, etc.
The Windows directory must have the Administrative Share ADMIN$
Remote registry services must be running
The servers must be reachable by Name (NETBIOS name Resolution must be working across subnets)
The servers must be remotely manageable (Windows Firewall issues)
Service Account and the operator must be ADMINISTRATOR
Service Account must have the Log on Locally and Run as a Service rights.
The Target Password Policy must be less restrictive than the Source Password Policy
Password Copy Console Computer
Service Account and the operator must have domain Administrative rights
Service Account must have the Log on Locally and Run as a Service rights.
Windows Firewall must be turned off or set in the remote manage state
All DCs must be reachable by name
Administrative Rights Domain Recommendations
Install the PasswordCopy Software on a computer in the Target Domain
Create or select an account from the Target Domain
Add or verify the account is a member of the Target Domain Admins group
Add or verify the Target Domain Admins group is a member of the Source domain Administrators local group
Add or verify the account can log on locally and run as a service on the source, target DCs and the local computer.
Use the account as the service account
Log on to the console computer with the account.
Windows Vista, Windows 2008 and Windows 7
PasswordCopy supports Windows Vista, Windows 2008 and Windows 7. However, in order to run administrative tools on these platforms, Windows Firewall and Windows User Account Control must be turned OFF.
Remote Registry services must be running and NetBIOS over IP resolution must be enabled.
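A read-only pre-flight check for two of the requirements above, the LSA package list and the administrative shares, as an added example that is not ManageRED code. It assumes PowerShell 3.0 or later run elevated on the server being checked; the function name `Compare-SecurityPackages` is hypothetical, and the registry stores the list as a multi-string value named `Security Packages`.

```powershell
# Added example. Nothing here writes to the registry or changes a share.
$Expected = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg'   # list from this page

function Compare-SecurityPackages {
    param([string[]]$Actual, [string[]]$Expected)
    # Package names are compared case-insensitively; empty strings are ignored.
    $have = @($Actual | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLowerInvariant() })
    $want = @($Expected | ForEach-Object { $_.ToLowerInvariant() })
    [pscustomobject]@{
        Extra   = @($have | Where-Object { $want -notcontains $_ })
        Missing = @($want | Where-Object { $have -notcontains $_ })
    }
}

# Read the multi-string value from the LSA key named in the requirements.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$actual = (Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages'
$result = Compare-SecurityPackages -Actual $actual -Expected $Expected

if ($result.Extra.Count -or $result.Missing.Count) {
    'Security Packages differs from the required list'
    "  extra:   $($result.Extra -join ', ')"
    "  missing: $($result.Missing -join ', ')"
} else {
    'Security Packages matches the required list'
}

# Administrative shares named in the requirements (ADMIN$ and drive shares such as C$).
$shares = Get-CimInstance -ClassName Win32_Share | Select-Object -ExpandProperty Name
foreach ($name in 'ADMIN$', 'C$') {
    $state = if ($shares -contains $name) { 'present' } else { 'MISSING' }
    '{0,-7} {1}' -f $name, $state
}
```

Saving the output before editing the list gives a record of which packages were removed for the migration.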
Tuesday, April 12, 2011
ManageRED Software to Release Password Copy with 64bit Support

With the development of a 64 bit password copy solution, ManageRED Software will be the first software provider to release a complete password copy software solution set to migrate customers to Microsoft Windows 64 bit server platforms on April 15, 2011.
Many businesses are considering moving to Microsoft 64 bit platforms such as Microsoft Server 2008 and Microsoft Server 2008R2 from their current 32 bit platform. ManageRED will integrate the new 64bit solution set into PasswordCopy designed to migrate or synchronize Windows servers and domains.
ManageRED's PasswordCopy will make it possible to migrate local server account and domain account passwords for organizations wishing to transition off Microsoft 32 bit platforms in one operation. Support for selective account password copy and synchronization allows for co-existence of multiple platforms. Businesses will be able to migrate local server accounts or domain accounts with passwords incrementally into Windows 64 bit servers as they transition away from Windows 32 bit.
"As customers begin to adopt Windows 64 bit Servers, we want them to know that ManageRED Software offers the best of breed password copy solution with technical expertise to help them move successfully, cost-effectively, with reduced downtime to their new 64 bit platforms," said Akos Sandor, chief technology officer, ManageRED Software.
Availability
ManageRED Software will release the new 64 bit password copy solution as a significant upgrade to their existing software line. PasswordCopy will be available directly from the ManageRED website starting April 15, 2011 for an introductory price of $249.00 USD for an unlimited enterprise license.
About ManageRED
ManageRED Software is a leading provider of Microsoft Windows management software worldwide, enabling customers to centralize and reduce repetitive administration, migration and ongoing day-to-day Windows management while benefiting from reduced risk and improved operational efficiencies.
Sunday, April 3, 2011
WADMigrator-ServerMigrator Permission Issues
Windows 7 Operating Systems - Desktop/Laptops:
Issue:
Unable to install the scheduling service client on any Windows 7 workstation within the environment. Console indicates that “the installation path cannot be determined”
Diagnosis:
Remote Registry is set to Manual and is not started
UAC is enabled on the workstations
Resolution:
Set the Remote Registry service to Automatic
Disable UAC on the Windows 7 desktops/laptops/tablets/workstations.
Both items can be modified via Active Directory Group Policy. The latter policy requires a reboot.
Windows 2008 Servers
Issue:
Unable to install the scheduling service client on any Windows 2008 Servers within the environment. Console indicates that “the installation path cannot be determined”
Diagnosis:
UAC is not completely disabled. The following registry key has the following value set:
HKLM\Software\Microsoft\Windows\Currentversion\Policies\System\ConsentPromptBehaviorUser. This key has a value set to 1. This is not the default setting.
An explanation of this setting is as follows:
User Account Control: Behavior of the elevation prompt for standard users
The User Account Control: Behavior of the elevation prompt for standard users policy setting controls the behavior of the elevation prompt for standard users.
The options are:
Automatically deny elevation requests. When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. *****Has a value of 0 in the registry*****
Prompt for credentials on the secure desktop. (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. *****Has a value of 3 in the registry*****
Prompt for credentials. When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. *****Current Setting****** and has the value of 1
These are the available settings:
0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials on the secure desktop
Please refer to the following link: http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx#BKMK_StandardUserPromptBehavior
Resolution:
On all Windows 2008 Servers, the ConsentPromptBehaviorUser key must have a value of 3 (which is the default Windows 2008 setting). A reboot is not necessary for this change to take effect.
The above changes are mandatory and were part of the Checklist provided to the customer as part of the pre-migration checklist.
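A read-only check for the two conditions diagnosed above, the Remote Registry service state and the ConsentPromptBehaviorUser value, as an added example that is not vendor code. It assumes PowerShell 3.0 or later run elevated on the machine being checked; the function name `Get-SchedulerInstallPrereq` is hypothetical.

```powershell
# Added example. Reports state only; it does not change services or the registry.
function Get-SchedulerInstallPrereq {
    $findings = @()

    # Remote Registry: the Windows 7 diagnosis was "Manual and not started".
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    $findings += [pscustomobject]@{
        Check  = 'RemoteRegistry service'
        Actual = "StartMode=$($svc.StartMode); State=$($svc.State)"
        Ok     = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
    }

    # ConsentPromptBehaviorUser: the Windows 2008 resolution requires the value 3.
    # The value can be absent from the key, so a missing property is reported
    # as 'not set' instead of raising an error.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop  = Get-ItemProperty -Path $key -Name ConsentPromptBehaviorUser -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.ConsentPromptBehaviorUser } else { $null }
    $findings += [pscustomobject]@{
        Check  = 'ConsentPromptBehaviorUser'
        Actual = if ($null -eq $value) { 'not set' } else { "$value" }
        Ok     = ($value -eq 3)
    }

    $findings
}

Get-SchedulerInstallPrereq | Format-Table -AutoSize
```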
Special Thanks
Special thanks go to Bruno Zaffino from Compucom for his diligence and relentless effort to troubleshoot the challenges faced by the domain migration at the Government of Ontario Migration Project.
Monday, March 28, 2011
How to Find Sam Watson with N-able Free Security Software
Find any account, user or group, on one or more Windows servers. Find folder access, find share access, find group membership with N-able ACLReporter your free security report software.
Now you have no excuse not to prove that your server security settings are accurate when auditors or CIOs demand documentation. No excuses, because now you can download N-able ACLReporter for FREE!
Learn how to get your FREE COPY OF ACLREPORTER today