Active Directory and Group Policy FAQ<p class=MsoNormal style="margin-bottom:0pt;line-height:normal"><span>Hi All,<br/><br/>This thread is a summary of the Frequently Asked Questions on the Windows Server forums; we consolidate them and post them here for your reference. If you have any further questions, please kindly start <strong>a new thread</strong> so that other community members and we can easily attend to your question and reply. Thanks for your cooperation.<br/></span></p> <p class=MsoNormal style="margin-bottom:0pt;line-height:normal"><span><strong>How-to Questions</strong><br/> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q1:_How_can"><span style="color:#0000ff">Q1: How can I deploy the number, currency, date and time format via group policy?</span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q2:_How_can"><span style="color:#0000ff">Q2: How can I deploy the Windows Server 2008 Internet Explorer Enhanced Security option via group policy?</span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q3:_How_can"><span style="color:#0000ff">Q3: How can I control whether the Language Bar is visible via group policy?</span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q4:_How_can"><span style="color:#0000ff">Q4: How can I move an AD LDS instance from one computer to another?</span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q5:_How_can"><span style="color:#0000ff">Q5: How can I export a list of enabled user accounts from Active Directory?</span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q6:_How_can"><span><span style="color:#0000ff">Q6: How can I control local user group membership via group policy?</span></span></a></span></p> 
<p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q7:_How_could"><span><span style="color:#0000ff">Q7: How can I use a WMI filter to apply group policy to specific operating systems and Server Core computers?</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q8:_How_can"><span><span style="color:#0000ff">Q8: How can I configure different password policies for different types of domain users?</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q9:_How_can"><span><span style="color:#0000ff">Q9: How can I configure users to apply some specific user configuration group policies only when they log on to some computers, such as a terminal server?</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q10:_How_can"><span><span style="color:#0000ff">Q10: How can I migrate to or reconstruct a Windows Server 2008 domain?</span></span></a></span></p> <p class=MsoNormal style="margin-bottom:0pt;line-height:normal"><span><strong> Problems<br/></strong></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q1:_Windows_Server"><span style="color:#0000ff"><span><br/>Q1: <span>Windows Server 2008 fails to authenticate a user account from a trusted domain with the error saying that &quot;The security database on the server does not have a computer account for this workstation trust relationship.&quot;</span></span></span></a><a name=KSIAnchor16></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q4:_Internet_Explorer"><span><span style="color:#0000ff">Q2: Internet Explorer Maintenance Group Policies do not apply during subsequent logon procedures.</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a 
href="#_Q3:_DHCP_Server"><span><span style="color:#0000ff">Q3: DHCP Server Service does not start on a Windows Server 2008 Read-Only Domain Controller.</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q4:_The_&quot;Enterprise"><span><span style="color:#0000ff">Q4: The &quot;Enterprise root CA&quot; option is not available when you try to install the Certificate Services component in Windows Server 2003.</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q5:_Group_Policy"><span><span style="color:#0000ff">Q5: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q6:_Event_1091"><span><span style="color:#0000ff">Q6: Event 1091 is recorded every 5 minutes on a Windows Server 2008 or Vista SP1 computer.</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q7:_DCPROMO_fails"><span><span style="color:#0000ff">Q7: DCPROMO fails with the following error: &quot;To install a domain controller into this Active Directory forest, you must first prepare the forest using &quot;adprep /forestprep&quot;</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q8:_The_Active"><span><span style="color:#0000ff">Q8: The Active Directory Certificate Services service does not start on a Windows Server 2008-based certification authority server if the key storage provider does not support SHA1 hash signing.</span></span></a></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q9:_You_receive"><span><span style="color:#0000ff">Q9: You receive the Event 1030 and 1058 errors from 
userenv saying that “Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com”</span></span></a></span><span>.</span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span><a href="#_Q10:_A_Windows"><span><span style="color:#0000ff">Q10: A Windows Vista-based or Windows Server 2008-based computer needs at least the Read permission for Group Policy Objects in Active Directory Domain Services if the computer is configured for loopback processing</span></span></a></span><span>.</span></p> <p class=MsoNormal style="margin:0in 0in 0pt 24pt;line-height:normal"><span> </span></p> <p class=MsoNormal style="margin-bottom:0pt;line-height:normal"><span>NOTE: Microsoft does not offer formal support for the communities you'll find here. Instead, our role is to provide a platform for people who want to take advantage of the global community of Microsoft customers and product experts. Microsoft may monitor content to ensure the accuracy of the information you'll find, but any information provided by Microsoft staff is offered &quot;AS IS&quot; with no warranties, and no rights are conferred. You assume all risk for your use.</span></p> <br/><br/> <hr class=sig> Laura Zhang - MSFT | © 2009 Microsoft Corporation. All rights reserved. | posted Tue, 31 Mar 2009 06:00:52 Z (updated 2009-04-02T07:10:31Z); thread updated Mon, 21 Sep 2009 02:50:02 Z | http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#26455b36-26bd-4a44-b594-5a9f67bcd8df | http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#c4bfc4da-1c45-4794-b414-a00dba8e8037 | http://social.technet.microsoft.com/Profile/en-US/?user=Laura%20Zhang%20-%20MSFT
<h2 style="margin:10pt 0in 0pt"><a name="_Q1:_How_can"></a><span style="font-size:medium"><span style="color:#4f81bd"><span style="font-family:Cambria"><span style="font-size:medium;color:#4f81bd;font-family:Cambria">How To - </span>Q1: How can I deploy the number, currency, date and time format via group policy?</span></span></span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"><br/><strong>A:</strong> You can use the following methods to deploy the number, currency, date and time format via group policy:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong>Method 1</strong><strong><span>: Use Group Policy Preference</span></strong></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>========</span><span>========================</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>If there is a Windows Server 2008 or Windows Vista SP1 with RSAT machine in the </span><span>Windows 
Server 2003/2008 </span><span>domain, you can deploy the Regional Options </span><span>group policy </span><span>preference policy to manage the date and time format for a set of users. </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small"><span style="font-family:Calibri"><span>[</span>User Configuration\Preferences\Control Panel Settings\Regional Options<span>]</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small;font-family:Calibri">For more information, please refer to the following TechNet articles:</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Regional Options Extension</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://technet.microsoft.com/en-us/library/cc754496.aspx"><span style="font-size:small;color:#0000ff;font-family:Calibri">http://technet.microsoft.com/en-us/library/cc754496.aspx</span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Enable and Disable Settings in a Preference Item</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 
0pt;line-height:normal"><a href="http://technet.microsoft.com/en-us/library/cc754299.aspx"><span style="font-size:small;color:#0000ff;font-family:Calibri">http://technet.microsoft.com/en-us/library/cc754299.aspx</span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Overview of Preferences</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://technet.microsoft.com/en-us/library/cc732027.aspx"><span style="font-size:small;color:#0000ff;font-family:Calibri">http://technet.microsoft.com/en-us/library/cc732027.aspx</span></a><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small;font-family:Calibri">You do not need to upgrade to Windows Server 2008 to use Group Policy Preference policies. You can configure a Group Policy preference item in a Windows Server 2003 environment from either <span>a </span>Windows Server 2008 <span>server </span>or a Windows Vista with Service Pack 1 client with the RSAT update installed. If you do not have a Windows Server 2008 server, you can download and </span><a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&amp;displaylang=en"><span style="font-size:small;color:#0000ff;font-family:Calibri">install Remote Server Administration Tools on Windows Vista with SP1</span></a><span style="font-size:small;font-family:Calibri"> on a Vista client to manage and configure them. 
</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small;font-family:Calibri">The CSEs for the new Group Policy preference functionality are required in Windows XP Service Pack 2 (SP2), Windows Server 2003 Service Pack 1 (SP1), and Windows Vista to process the new preference items. To download and install CSEs, please refer to the following link:</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><span style="font-size:small;font-family:Calibri">Information about new Group Policy preferences in Windows Server 2008</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:206.25pt"><a href="http://support.microsoft.com/kb/943729"><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/943729</span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong>Method 2</strong><strong><span>: Use Logon Script </span></strong></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>=========</span><span>==============</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>The </span><span>regional setting </span><span>related registry entries are located in:</span></span></span></p> <p 
class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"><span> </span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>HKEY_CURRENT_USER\Control Panel\International</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>If there is no Windows Server 2008 </span><span>server </span><span>or Windows Vista SP1 with RSAT machine, you can deploy a logon script or create a custom .adm file to configure the registry entry.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">You may perform the following steps to deploy these settings via logon script:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">1.<span>         </span>Log on as an administrator and configure the regional settings as desired. 
</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>2.<span>         </span>Export the [HKEY_CURRENT_USER\Control Panel\International] registry key to </span><span>a </span><span>registry file and put this registry file in a share folder.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">3.<span>         </span>Create a new Windows Batch File with the following command:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">regedit /s &lt;Path of the registry file&gt;</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">For example, if the path to the registry file is \\server\share\RegionalSetting.reg, you can include the command below in the batch file:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">regedit /s \\server\share\RegionalSetting.reg</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span 
style="font-family:Calibri">4.<span>         </span>Create a GPO to deploy a logon script that runs the newly created batch file for users.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small;font-family:Calibri"> </span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">If you do not want to deploy these settings via logon script, you may also create a custom administrative template and then deploy these settings via it. To create a custom administrative template, please refer to the following Microsoft Knowledge Base article:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">How to create custom administrative templates in Windows 2000 (applies to Windows Server 2003)</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/323639"><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/323639</span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <hr class=sig> Laura Zhang - MSFT | Tue, 31 Mar 2009 06:22:15 Z (updated 2009-03-31T06:46:58Z) | http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#b0d865c9-0b30-4e4d-acd0-a40ac1d2a308 | http://social.technet.microsoft.com/Profile/en-US/?user=Laura%20Zhang%20-%20MSFT
<h2 style="margin:10pt 0in 0pt"><a name="_Q2:_How_can"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria"><span style="font-size:medium;color:#4f81bd;font-family:Cambria">How To - </span>Q2: How can I deploy the Windows Server 2008 Internet Explorer Enhanced Security option via group policy?</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small;font-family:Calibri"> </span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong>A:</strong><span> The administrative template file inetesc.adm can also be used to deploy the Internet Explorer Enhanced Security Configuration settings on Windows Server 2008.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">To do so, you can download the .adm file from the following link and import it into the GPO.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&amp;DisplayLang=en"><span style="font-size:small;color:#0000ff;font-family:Calibri">http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&amp;DisplayLang=en</span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Here are the detailed steps:</span></span></span></p> <p 
class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <ul> <li> <div class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span style="font-size:small"><span style="font-family:Calibri"><span>1. Create a new GPO or use an existing GPO to configure the Internet Explorer Enhanced Security setting.</span></span></span></div> </li> <li> <div class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">2. Right-click a GPO and select <strong>Edit</strong>. </span></span></span></div> </li> <li> <div class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">3. Expand <strong>Computer Configuration</strong>\<strong>Policies</strong>, right-click <strong>Administrative Templates</strong>, and then select <strong>Add/Remove Templates</strong>. </span></span></span></div> </li> <li> <div class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">4. Click the button <strong>Add</strong>, and then double-click the adm file to import it. </span></span></span></div> </li> <li> <div class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">5. After that, you should see the item <strong>Classic Administrative Templates (ADM)</strong> under <strong>Administrative Templates</strong>. </span></span></span></div> </li> <li> <div class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">6. 
Expand the item, and then you can configure the <strong>Internet Explorer Enhanced Security Configuration</strong> policies as you did in a Windows 2003 domain.</span></span></span></div> </li> </ul> <br/><br/> <hr class=sig> Laura Zhang - MSFT, Tue, 31 Mar 2009 06:28:14 Z<h2 style="margin:10pt 0in 0pt"><a name="_Q3:_How_can"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria"><span style="font-size:medium;color:#4f81bd;font-family:Cambria">How To - </span>Q3: How can I control whether the Language Bar is visible via group policy?</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span><br/><strong>A:</strong> Currently, there is no group policy available to control whether the Language Bar is visible. 
However, the language bar settings are </span><span>stored in</span><span> the following registry key:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">The ShowStatus value becomes 0 when we select the option &quot;<strong>Floating on desktop</strong>&quot;</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>The ShowStatus value becomes &quot;3&quot; when set to &quot;</span><strong><span>H</span>idden</strong><span>&quot; which is the default. </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>The ShowStatus value becomes &quot;4&quot; when set to &quot;</span><strong><span>D</span>ocked on the taskbar</strong><span>&quot;</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">As a result, you can control the language bar by using a logon script to set the ShowStatus value. 
Here is a sample script to enable the language bar:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"><br/></span></span></span></p> <div style="color:black;background-color:white"> <pre><p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="background:#d9d9d9"><span style="font-size:small"><span style="font-family:Calibri">' Docks the Language Bar on the taskbar by writing ShowStatus = 4 (see the values above)</span></span></span></p><p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="background:#d9d9d9"><span style="font-size:small"><span style="font-family:Calibri">Dim WshShell</span></span></span></p><p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="background:#d9d9d9"><span style="font-size:small;font-family:Calibri"> </span></span></p><p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="background:#d9d9d9"><span style="font-size:small"><span style="font-family:Calibri">Set WshShell = WScript.CreateObject(&quot;WScript.Shell&quot;)</span></span></span></p><p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="background:#d9d9d9"><span style="font-size:small"><span style="font-family:Calibri"> </span></span></span></p><p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="background:#d9d9d9"><span style="font-size:small"><span style="font-family:Calibri">WshShell.RegWrite &quot;HKCU\Software\Microsoft\CTF\LangBar\ShowStatus&quot;, 4, &quot;REG_DWORD&quot;</span></span></span></p></pre> </div> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><br/>Note.</strong><span> You need to log off and then log on again for the change to take effect, even though you modify it by using a logon script.</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span>If you do not want to deploy these settings via a logon script, you may also create a custom administrative template and then deploy these settings via it. 
To create a custom administrative template, please refer to the following Microsoft Knowledge Base article:</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span>How to create custom administrative templates in Windows 2000 (applies to Windows Server 2003)</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/323639"><span><span style="color:#0000ff">http://support.microsoft.com/kb/323639</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"> </p> <span style="background:#d9d9d9"> <hr class=sig> Laura Zhang - MSFT</span>, Tue, 31 Mar 2009 06:32:29 Z<h2 style="margin:10pt 0in 0pt"><a name="_Q4:_How_can"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria"><span style="font-size:medium;color:#4f81bd;font-family:Cambria">How To - </span>Q4: How can I move an AD LDS instance from one computer to another?</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong><br/>A: </strong><span>You can move an AD LDS instance from one server to another with a backup taken with dsdbutil.exe. 
To do so, you can perform the following steps:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">On source computer</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">----------------------------</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Follow the steps described in the following TechNet link to create an AD LDS instance backup:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Step 1: Back Up AD LDS Instance Data</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://technet.microsoft.com/en-us/library/cc730864.aspx"><span style="font-size:small;color:#0000ff;font-family:Calibri">http://technet.microsoft.com/en-us/library/cc730864.aspx</span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">On target computer</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">----------------------------</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 
0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Please perform the following steps:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <ol style="margin-top:0in" type=1> <li class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">Create a new AD LDS instance using the same settings that were specified during the installation of the AD LDS instance that you want to recover or move. In this case, do not create an application directory partition during setup. You can restore your original application directory partition from your backup. Therefore, on the <strong>Application Directory Partition</strong> page in the <strong>Active Directory Lightweight Directory Services Setup Wizard</strong>, click <strong>No, do not create an application directory partition</strong>.<strong></strong></span></span></span> </li> <li class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">Restore the instance with the backup taken with <strong>dsdbutil.exe</strong>. 
For the detailed steps, refer to:</span></span></span> </li> </ol> <p class=MsoNormal style="margin:0in 0in 0pt 0.5in;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 0.5in;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Step 2: Restore AD LDS Instance Data</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt 0.5in;line-height:normal"><a href="http://technet.microsoft.com/en-us/library/cc725903.aspx"><span style="font-size:small;color:#0000ff;font-family:Calibri">http://technet.microsoft.com/en-us/library/cc725903.aspx</span></a></p> <br/><br/> <hr class=sig> Laura Zhang - MSFT, Tue, 31 Mar 2009 06:37:27 Z<h2 style="margin:10pt 0in 0pt"><a name="_Q5:_How_can"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria"><span style="font-size:medium;color:#4f81bd;font-family:Cambria">How To - </span>Q5: How can I export a list of user accounts that are enabled from Active Directory?</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span><br/><strong>A: </strong>When you configure the “Account options” settings for a user in Active Directory, numerical values are assigned to the <strong>UserAccountControl</strong> attribute. 
When a user account is disabled, the following property flag is set:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <table class=MsoNormalTable border=0 cellspacing=1 cellpadding=0> <tbody> <tr> <td style="padding-right:3.75pt;padding-left:3.75pt;border-left-color:#f0f0f0;background:#cecfce;border-bottom-color:#f0f0f0;padding-bottom:3.75pt;border-top-color:#f0f0f0;padding-top:3.75pt;border-right-color:#f0f0f0"> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;text-align:center" align=center><strong><span style="font-size:8.5pt;color:black;font-family:'Verdana','sans-serif'">Property flag<em></em></span></strong></p> </td> <td style="padding-right:3.75pt;padding-left:3.75pt;border-left-color:#f0f0f0;background:#cecfce;border-bottom-color:#f0f0f0;padding-bottom:3.75pt;border-top-color:#f0f0f0;padding-top:3.75pt;border-right-color:#f0f0f0"> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;text-align:center" align=center><strong><span style="font-size:8.5pt;color:black;font-family:'Verdana','sans-serif'">Value in hexadecimal<em></em></span></strong></p> </td> <td style="padding-right:3.75pt;padding-left:3.75pt;border-left-color:#f0f0f0;background:#cecfce;border-bottom-color:#f0f0f0;padding-bottom:3.75pt;border-top-color:#f0f0f0;padding-top:3.75pt;border-right-color:#f0f0f0"> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;text-align:center" align=center><strong><span style="font-size:8.5pt;color:black;font-family:'Verdana','sans-serif'">Value in decimal<em></em></span></strong></p> </td> </tr> <tr> <td style="padding-right:3.75pt;padding-left:3.75pt;border-left-color:#f0f0f0;background:#f7f7ff;border-bottom-color:#f0f0f0;padding-bottom:3.75pt;border-top-color:#f0f0f0;padding-top:3.75pt;border-right-color:#f0f0f0" valign=top> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span 
style="font-size:8.5pt;color:black;font-family:'Verdana','sans-serif'">ACCOUNTDISABLE<em></em></span></p> </td> <td style="padding-right:3.75pt;padding-left:3.75pt;border-left-color:#f0f0f0;background:#f7f7ff;border-bottom-color:#f0f0f0;padding-bottom:3.75pt;border-top-color:#f0f0f0;padding-top:3.75pt;border-right-color:#f0f0f0" valign=top> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:8.5pt;color:black;font-family:'Verdana','sans-serif'">0x0002<em></em></span></p> </td> <td style="padding-right:3.75pt;padding-left:3.75pt;border-left-color:#f0f0f0;background:#f7f7ff;border-bottom-color:#f0f0f0;padding-bottom:3.75pt;border-top-color:#f0f0f0;padding-top:3.75pt;border-right-color:#f0f0f0" valign=top> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:8.5pt;color:black;font-family:'Verdana','sans-serif'">2<em></em></span></p> </td> </tr> </tbody> </table> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><br/><span style="font-size:small;font-family:Calibri">To export all enabled accounts, we could specify the filter as the following:<br/><br/></span><span style="font-size:small"><span style="font-family:Calibri"><strong>(&amp;(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))<br/></strong><br/>For example we could export all enabled user accounts via the following command, <br/><br/></span></span><span style="font-size:small"><span style="font-family:Calibri"><strong>csvde -d &quot;dc=&lt;Domain&gt;,dc=&lt;com&gt;&quot; -r &quot;(&amp;(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))&quot; -f enabled.csv<br/></strong><br/>Likewise, we could export all disabled user accounts via the following command.</span></span></span></p> <p class=MsoNormal 
style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small;font-family:Calibri">csvde -d &quot;dc=&lt;Domain&gt;,dc=&lt;com&gt;&quot; -r &quot;(&amp;(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))&quot; -f disabled.csv<br/></span></span></strong><span><br/><span style="font-size:small"><span style="font-family:Calibri">NOTE: There is no &quot;!&quot; before &quot;userAccountControl&quot;.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small;font-family:Calibri"> </span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri">For more information about UserAccountControl flags and how to manipulate them, please refer to the following article:<br/><br/>How to use the UserAccountControl flags to manipulate user account properties <br/></span></span><a href="http://support.microsoft.com/?id=305144"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/?id=305144</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small;font-family:Calibri"> </span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">How to query Active Directory by using a bitwise filter</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/269181"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/269181</span></span></a></p> <hr class=sig> Laura Zhang - MSFT, Tue, 31 Mar 2009 06:40:00 Z
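As an added example that is not part of the original post, the following Python works through the filter used by the two csvde commands above: it builds the same filter strings, evaluates the 1.2.840.113556.1.4.803 matching rule the way the directory does (every bit of the mask must be set), and decodes the UserAccountControl flag names documented in KB 305144 over a constructed csvde-style export, so that enabled accounts carrying weak settings such as PASSWD_NOTREQD can be picked out of the same export. The CSV rows, account names and DNs are made up for the example.

```python
"""Work through the userAccountControl bitwise filter used by the csvde commands above.

Added example, not part of the original post. The CSV below is constructed test
data, not a real export; flag values are those documented in KB 305144.
"""
import csv
import io

# LDAP matching-rule OIDs for bitwise filters (KB 269181).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Subset of the userAccountControl property flags from KB 305144.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002

# Flags worth a second look when they are set on an account that is enabled.
WEAK_FLAGS = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH"}


def bit_and_match(value: int, mask: int) -> bool:
    """Semantics of the ...803 rule: every bit of mask is set in value."""
    return (value & mask) == mask


def bit_or_match(value: int, mask: int) -> bool:
    """Semantics of the ...804 rule: at least one bit of mask is set in value."""
    return (value & mask) != 0


def build_filter(enabled: bool) -> str:
    """Return the csvde -r filter from the answer, for enabled or disabled users."""
    negate = "!" if enabled else ""
    bit_test = f"({negate}userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})"
    return f"(&(objectCategory=person)(objectClass=user){bit_test})"


def decode_uac(value: int) -> list:
    """Names of the known flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def review_export(csv_text: str) -> list:
    """Parse a csvde-style export and classify every account in it."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        uac = int(rec["userAccountControl"])
        flags = decode_uac(uac)
        enabled = not bit_and_match(uac, ACCOUNTDISABLE)  # same test as the filter
        rows.append({
            "sAMAccountName": rec["sAMAccountName"],
            "enabled": enabled,
            "flags": flags,
            "weak": enabled and bool(WEAK_FLAGS & set(flags)),
        })
    return rows


def enabled_accounts(csv_text: str) -> list:
    """Accounts the enabled.csv filter would have returned."""
    return [r["sAMAccountName"] for r in review_export(csv_text) if r["enabled"]]


def weak_enabled_accounts(csv_text: str) -> list:
    """Enabled accounts carrying one of the WEAK_FLAGS."""
    return [r["sAMAccountName"] for r in review_export(csv_text) if r["weak"]]


# Constructed sample export in csvde's layout (DN first, then the attributes).
SAMPLE_EXPORT = """DN,sAMAccountName,userAccountControl
"CN=Alice,OU=Staff,DC=example,DC=com",alice,512
"CN=Bob,OU=Staff,DC=example,DC=com",bob,514
"CN=svc-backup,OU=Service,DC=example,DC=com",svc-backup,66048
"CN=legacy,OU=Staff,DC=example,DC=com",legacy,544
"""

if __name__ == "__main__":
    print(build_filter(enabled=True))
    for row in review_export(SAMPLE_EXPORT):
        print(row)
```

Point review_export at a real enabled.csv produced by the command above to get the same classification over live data.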
<h2 style="margin:10pt 0in 0pt"><a name="_Q6:_How_can"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria"><span style="font-size:medium;color:#4f81bd;font-family:Cambria">How To - </span>Q6: How can I control local user group membership via group policy?</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong><span><br/>A: </span></strong><span>You can use Restricted Groups policy to control group membership on domain clients. Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups: </span></span></span></p> <ul style="margin-top:0in" type=disc> <li class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">Members </span></span></span></li> <li class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">Member Of</span></span></span> </li> </ul> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">The &quot;Members&quot; list defines who should and should not belong to the restricted group. 
The &quot;Member Of&quot; list specifies which other groups the restricted group should belong to.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">For example, if you would like to add a global group to be a member of Administrators group on all workstations, you can configure the Restricted Group group policy. For the detailed steps, please refer to the following Microsoft Knowledge Base article:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">How to Configure a Global Group to Be a Member of the Administrators Group on all Workstations</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/320065"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/320065</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">For more information about Restricted Group group<span>  </span>policy, please refer to the following articles:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span 
style="font-family:Calibri">Description of Group Policy Restricted Groups</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/279301"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/279301</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Updates to Restricted Groups (&quot;Member of&quot;) behavior of user-defined local groups</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/810076"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/810076</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">When you use the Restricted Groups &quot;Member of&quot; functionality, Windows Server 2003 Group Policy objects may not be processed in the order that you expect</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/925443"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/925443</span></span></a></p> <hr class=sig> Laura Zhang - MSFT, Tue, 31 Mar 2009 06:41:05 Z
<h2 style="margin:10pt 0in 0pt"><a name="_Q7:_How_could"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria"><span style="font-size:medium;color:#4f81bd;font-family:Cambria">How To - </span>Q7: How can I use a WMI filter to apply group policy to specific versions of operating systems and to Server Core computers?</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong><span><br/>A:</span></strong><span> If you would like to control group policy application by the operating system version of a computer, you may consider using a WMI filter in this scenario. Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer. 
For more information about WMI Filter, please refer to the following links:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">HOWTO: Leverage Group Policies with WMI Filters</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/555253"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/555253</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">WMI filtering</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://technet.microsoft.com/en-us/library/cc779036.aspx"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://technet.microsoft.com/en-us/library/cc779036.aspx</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">To differentiate operating systems of computers, you may build WMI Filters by using the Version and OperatingSystemSKU properties of Win32_OperatingSystem WMI Class. 
The following are some examples:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small"><span style="font-family:Calibri">SELECT Version FROM Win32_OperatingSystem WHERE Version &lt; &quot;6&quot;</span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Version &lt; &quot;6&quot; &lt;&lt;-- OS is anything less than Vista/Windows Server 2008, which are version 6.X.X</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small"><span style="font-family:Calibri">SELECT Version FROM Win32_OperatingSystem WHERE Version = &quot;5.1.2600&quot;</span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Version = &quot;5.1.2600&quot; &lt;&lt;-- OS is specifically Windows XP SP2</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small"><span style="font-family:Calibri">SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE &quot;6.0.%&quot;</span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Version LIKE &quot;6.0.%&quot; &lt;&lt;-- OS is either Vista or Windows Server 2008 
only</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><strong><span><span style="font-family:Calibri">SELECT * FROM Win32_OperatingSystem WHERE Version LIKE &quot;6.0.%&quot; AND ProductType &lt;&gt; &quot;1&quot;</span></span></strong></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Version LIKE &quot;6.0.%&quot; AND ProductType &lt;&gt; &quot;1&quot; &lt;&lt;-- OS is specifically Windows Server 2008 server/DC only</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small"><span style="font-family:Calibri">SELECT OperatingSystemSKU FROM Win32_OperatingSystem WHERE OperatingSystemSKU = 12 </span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small"><span style="font-family:Calibri">OR OperatingSystemSKU = 39 OR OperatingSystemSKU = 14 OR OperatingSystemSKU = 41 OR </span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small"><span style="font-family:Calibri">OperatingSystemSKU = 13 OR OperatingSystemSKU = 40 OR OperatingSystemSKU = 29</span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"><br/>&lt;&lt;-- OS is a Server Core computer. 
These values map back to HEX values, which map back to:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">PRODUCT_DATACENTER_SERVER_CORE</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">PRODUCT_DATACENTER_SERVER_CORE_V</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">PRODUCT_ENTERPRISE_SERVER_CORE</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">PRODUCT_ENTERPRISE_SERVER_CORE_V</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">PRODUCT_STANDARD_SERVER_CORE </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">PRODUCT_STANDARD_SERVER_CORE_V</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">PRODUCT_WEB_SERVER_CORE</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">More Information</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span 
style="font-family:Calibri">-------------------------</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://msdn.microsoft.com/en-us/library/ms724358.aspx"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://msdn.microsoft.com/en-us/library/ms724358.aspx</span></span></a></p> <hr class=sig> Laura Zhang - MSFT, Tue, 31 Mar 2009 06:42:00 Z, <a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#c5bf5f47-2c51-4252-8a82-c1760b1da4aa">http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#c5bf5f47-2c51-4252-8a82-c1760b1da4aa</a><h2 style="margin:10pt 0in 0pt"><a name="_Q8:_How_can"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria"><span style="font-size:medium;color:#4f81bd;font-family:Cambria">How To - </span>Q8: How can I configure different password policies for different types of domain users?</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span><br/><strong>A: </strong>In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain.</span> <span>These policies were specified in the Default Domain Policy for the domain. The Windows Server 2008 operating system provides organizations with a way to define different password and account lockout policies for different sets of users in a domain; this feature is called Fine-Grained Password Policy.</span> <span>For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. 
In other cases, you might want to apply a special password policy to accounts whose passwords are synchronized with other data sources.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">For more information on Fine-Grained Password Policy, please refer to the following Microsoft TechNet link:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">AD DS: Fine-Grained Password Policies</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://technet.microsoft.com/en-us/library/cc770394.aspx"><span><span style="font-size:small;font-family:Calibri">http://technet.microsoft.com/en-us/library/cc770394.aspx</span></span></a></p> <hr class=sig> Laura Zhang - MSFT, Tue, 31 Mar 2009 06:42:53 Z, <a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#bce31deb-d997-433a-bd59-48ed5d9baf42">http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#bce31deb-d997-433a-bd59-48ed5d9baf42</a><h2 style="margin:10pt 0in 0pt"><a name="_Q9:_How_can"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria">How To - Q9: How can I apply specific user configuration group policies to users only when they log on to certain computers, such as a terminal server?</span></h2> <p 
class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"><br/><strong>A: </strong>Generally speaking, Group Policy applies to users or computers in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">To set user configuration per computer, follow these steps: </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <ol style="margin-top:0in" type=1> <li class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">In the Group Policy Microsoft Management Console (MMC), click <strong>Computer Configuration</strong>. 
</span></span></span></li> <li class=MsoNormal style="margin:0in 0in 0pt;line-height:normal;tab-stops:list .5in"><span><span style="font-size:small"><span style="font-family:Calibri">Locate <strong>Administrative Templates</strong>, click <strong>System</strong>, click <strong>Group Policy</strong>, and then enable the <strong>Loopback Policy</strong> option.</span></span></span> </li> </ol> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used, for example, computers in public areas, in laboratories, and in classrooms, etc.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">For more information about the Loopback policy, please refer to the following Microsoft Knowledge Base article:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">231287 Loopback Processing of Group Policy</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/?id=231287"><span><span 
style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/?id=231287</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">The Loopback group policy setting is especially useful in a terminal server environment. Administrators usually want to lock down a terminal session so that all users get a restricted environment when they log on to a terminal session; however, this restriction should not affect other logon sessions when users log on to other domain computers.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">To lock down a terminal session, you can refer to the following Microsoft Knowledge Base articles and links:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">278295 How to lock down a Windows Server 2003 or Windows 2000 Terminal Server</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/?id=278295"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/?id=278295</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 
0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Locking Down Windows Server 2003 Terminal Server Sessions</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&amp;DisplayLang=en"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&amp;DisplayLang=en</span></span></a></p> <hr class=sig> Laura Zhang - MSFT, Tue, 31 Mar 2009 06:44:00 Z, <a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#94628317-c40a-4b34-96b4-8131a4ab0946">http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#94628317-c40a-4b34-96b4-8131a4ab0946</a><h2 style="margin:10pt 0in 0pt"><a name="_Q10:_How_can"></a><span style="font-size:medium"><span style="color:#4f81bd"><span style="font-family:Cambria">How To - Q10: How can I migrate to or reconstruct a Windows Server 2008 domain?</span></span></span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri"><br/><strong>A:</strong> Sometimes you might choose to restructure your existing environment and migrate to a completely new Windows Server 2008 domain for the following reasons:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:SimSun" lang=ZH-CN>•</span><span><span 
style="font-family:Calibri"><span>          </span>To optimize the arrangement of elements within the logical Active Directory structure</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:SimSun" lang=ZH-CN>•</span><span><span style="font-family:Calibri"><span>          </span>To assist in completing a business merger, acquisition, or divestiture</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span>Restructuring involves the migration of resources between Active Directory domains in either the same forest or in different forests. You can use the Active Directory Migration Tool version 3.1 (ADMT v3.1) to perform object migrations and security translation as necessary so that users can maintain access to network resources during the migration process.</span><span> To download the ADMT v3.1 tool, please refer to the following link:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">Active Directory Migration Tool version 3.1</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://www.microsoft.com/downloads/details.aspx?familyid=AE279D01-7DCA-413C-A9D2-B42DFB746059&amp;displaylang=en#Instructions"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://www.microsoft.com/downloads/details.aspx?familyid=AE279D01-7DCA-413C-A9D2-B42DFB746059&amp;displaylang=en#Instructions</span></span></a></p> <p class=MsoNormal 
style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">As domain migration is a rather complex task, please read the following white paper before you perform the migration:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://www.microsoft.com/downloads/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&amp;displaylang=en"><span><span style="font-size:small;color:#0000ff;font-family:Calibri">http://www.microsoft.com/downloads/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&amp;displaylang=en</span></span></a></p> <hr class=sig> Laura Zhang - MSFT, Tue, 31 Mar 2009 06:45:22 Z, <a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#febf6f37-f7c4-4e75-a580-8d44fc9396c2">http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#febf6f37-f7c4-4e75-a580-8d44fc9396c2</a><h2 style="margin:10pt 0in 0pt"><a name="_Q1:_Windows_Server"><span style="font-size:medium"><span style="color:#4f81bd"><span style="font-family:Cambria">Question - Q1: Windows Server 2008 fails to authenticate a user account from a trusted domain with the error &quot;The security database on the 
server does not have a computer account for this workstation trust relationship.&quot;</span></span></span></a></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri"><br/>Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">In a multi-domain environment, you may find that a Windows Server 2008 or Windows Vista Service Pack 1 based computer fails to authenticate user accounts from a trusted domain. </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">If you try to use a user account from the trusted domain to log on to this computer, the following error may occur:</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">&quot;The security database on the server does not have a computer account for this workstation trust relationship.&quot;</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 
0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">This behavior may occur if the trust relationship between the two domains is of the &quot;<strong>downlevel</strong>&quot; type. If the trust type is considered <strong>downlevel</strong> and the logon attempt fails with the Kerberos error &quot;0xc000018b - STATUS_NO_TRUST_SAM_ACCOUNT&quot;, Windows Server 2008 or Windows Vista SP1 will not fall back to NTLM authentication.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">NOTE: To check the trust status, run the NLTEST.exe tool with the following command:</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">    nltest /domain_trusts</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">The output looks like the following:</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">    0: &lt;Domain 1&gt; (NT 4) (Direct Inbound)<br/>    1: &lt;Domain 2&gt; (NT 5) (Direct Inbound)<br/>    2: &lt;Domain 3&gt; (NT 5) (Direct Inbound)</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">If the type is &quot;NT 4&quot;, the trust is a downlevel trust.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> 
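<p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">The trust check above can be scripted so that downlevel trusts are flagged instead of read off by eye. The following PowerShell is an added example written for this FAQ entry; it is not code from the original post or from Microsoft. It parses the lines that <strong>nltest /domain_trusts</strong> prints, in the format shown above, and returns every trust whose type is &quot;NT 4&quot;. The function names ConvertFrom-NltestTrusts and Find-DownlevelTrusts and the domain names in the sample output are constructed for the example; on the affected Windows Server 2008 or Vista SP1 computer, pass the live command output instead, both before and after the trust is recreated.</span></span></span></p>

```powershell
# Added example for this FAQ entry (not from the original post): flag
# downlevel ("NT 4") trusts in the output of "nltest /domain_trusts".
# A Windows Server 2008 / Vista SP1 computer will not fall back to NTLM
# when Kerberos fails with STATUS_NO_TRUST_SAM_ACCOUNT against such a trust.
# Written for PowerShell 2.0 (the version available on Windows Server 2008).

function ConvertFrom-NltestTrusts {
    # Turns the text lines of "nltest /domain_trusts" into objects.
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        # Matches lines like "    1: CONTOSO contoso.example (NT 5) (Direct Inbound)".
        # Header/footer lines such as "List of domain trusts:" do not match and are skipped.
        if ($line -match '^\s*(?<Index>\d+):\s+(?<Name>.+?)\s+\((?<Type>NT \d)\)\s*(?<Flags>.*)$') {
            New-Object PSObject -Property @{
                Index     = [int]$Matches['Index']
                Domain    = $Matches['Name']
                Type      = $Matches['Type']
                Flags     = $Matches['Flags'].Trim()
                Downlevel = ($Matches['Type'] -eq 'NT 4')
            }
        }
    }
}

function Find-DownlevelTrusts {
    # Returns the trusts that are still downlevel. An empty result means every
    # trust reports "NT 5", which is the state to verify after recreating the trust.
    param([string[]] $Lines)
    $all  = @(ConvertFrom-NltestTrusts -Lines $Lines)
    $down = @($all | Where-Object { $_.Downlevel })
    if ($down.Count -gt 0) {
        Write-Warning ("{0} of {1} trust(s) are downlevel (NT 4); logons from these domains fail with STATUS_NO_TRUST_SAM_ACCOUNT and will not fall back to NTLM until the trust is recreated." -f $down.Count, $all.Count)
    } else {
        Write-Host ("All {0} trust(s) report NT 5; no downlevel trusts found." -f $all.Count)
    }
    return $down
}

# Constructed sample output in the format shown above (placeholder domain names).
$sampleOutput = @(
    'List of domain trusts:',
    '    0: FABRIKAM fabrikam.example (NT 4) (Direct Inbound)',
    '    1: CONTOSO contoso.example (NT 5) (Forest Tree Root) (Primary Domain) (Native)',
    '    2: TAILSPIN tailspin.example (NT 5) (Direct Outbound)',
    'The command completed successfully'
)
Find-DownlevelTrusts -Lines $sampleOutput | Format-Table Index, Domain, Type, Flags -AutoSize

# On the affected computer, run it against the live output instead:
# Find-DownlevelTrusts -Lines (nltest /domain_trusts) | Format-Table Index, Domain, Type, Flags -AutoSize
```

<p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">With the sample input the script warns about trust 0 (FABRIKAM, NT 4) and lists only that row; once a recreated trust shows &quot;NT 5&quot;, the same command reports no downlevel trusts, which matches the verification step in the Resolution section.</span></span></span></p>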
<p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">To resolve this issue, recreate the trust between the Active Directory domains to eliminate the downlevel trust type.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">After recreating the trust, run &quot;nltest /domain_trusts&quot; again to verify that the trust type is now &quot;NT 5&quot;.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style=""><span style="font-size:small"><span style="font-family:Calibri">More Information</span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong>===============</strong></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">When the trust is downlevel and Kerberos fails with the &quot;STATUS_NO_TRUST_SAM_ACCOUNT&quot; error, Windows Server 2008 and Vista SP1 behave differently from Windows Server 2003 and Vista RTM: Windows Server 2008 and Vista SP1 will not fall back to NTLM.  
</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">This was a design change made to address security concerns regarding a downgrade attack.<br/></span></span></span></p><hr class="sig">Laura Zhang - MSFT, Tue, 31 Mar 2009 06:50:36 Z, <a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#64332ffb-b1b9-4ab6-8b49-22ac714189d3">http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#64332ffb-b1b9-4ab6-8b49-22ac714189d3</a><h2 style="margin:10pt 0in 0pt"><a name="_Q4:_Internet_Explorer"><span style="font-size:medium;color:#4f81bd;font-family:Cambria">Question - Q2: Internet Explorer Maintenance Group Policies do not apply during subsequent logon procedures.</span></a></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri"><br/>Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">You configure Internet Explorer on Windows client computers by using the Active Directory Internet Explorer Maintenance Group Policies to customize the Internet Explorer home page.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span 
style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">The policy is applied only the first time that the user logs on. For example, the user's home page is changed to the home page that is specified in the Group Policy Object (GPO). If the user later changes their home page to a different one, the GPO never sets it back to the page specified in the GPO during a subsequent logon.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">This behavior applies to all Internet Explorer Maintenance policies.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">There are two possible causes:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoListParagraphCxSpFirst style="margin:0in 0in 0pt 0.5in;text-indent:-0.25in;line-height:normal;tab-stops:list .5in"><span><span><span style="font-size:small;font-family:Calibri">1.</span><span style="font:7pt 'Times New Roman'">      </span></span></span><span><span style="font-size:small"><span style="font-family:Calibri">During subsequent logons, Gpt.ini is queried and its version is checked. The client believes that the GPO has already been applied, so the IEAK\Install.ins file is not requested during the second logon. Because the Install.ins file is not requested, the Home_Page value is not processed and the home page is not reset to the one specified in the GPO.</span></span></span></p> <p class=MsoListParagraphCxSpLast style="margin:0in 0in 0pt 0.5in;text-indent:-0.25in;line-height:normal;tab-stops:list .5in"><span><span><span style="font-size:small;font-family:Calibri">2.</span><span style="font:7pt 'Times New Roman'">      </span></span></span><span style="font-size:small"><span style="font-family:Calibri"><span>The Internet Explorer Maintenance policy is configured in Preference Mode.</span> <span>The Internet Explorer Maintenance preference mode is designed to provide initial settings for a user without enforcing them. For example, the user may be given the corporate intranet portal page as the home page; if no other restrictions apply, the user may then modify these settings. When an Internet Explorer Maintenance policy is in preference mode, the policy is only applied to a client computer again when the policy itself has changed. 
At that time, the new preferences will be introduced on the client computer.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">1. Enable the &quot;<strong>Internet Explorer Maintenance Policy Processing</strong>&quot; policy under [Computer Configuration\Administrative Templates\System\Group Policy] and check the option &quot;<strong>Process even if the Group Policy objects have not changed</strong>&quot;. This option updates and reapplies the policies even if the policies have not changed. 
To do so, please perform the following steps:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoListParagraphCxSpFirst style="margin:0in 0in 0pt 0.25in;text-indent:-0.25in;line-height:normal"><span><span><span style="font-size:small;font-family:Calibri">a.</span><span style="font:7pt 'Times New Roman'">      </span></span></span><span><span style="font-size:small"><span style="font-family:Calibri">Open the corresponding group policy in the <strong>Group Policy Editor</strong>.</span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;text-indent:-0.25in;line-height:normal"><span><span><span style="font-size:small;font-family:Calibri">b.</span><span style="font:7pt 'Times New Roman'">      </span></span></span><span><span style="font-size:small"><span style="font-family:Calibri">Locate the [<strong>Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing</strong>] group policy and double-click it to open the <strong>Properties</strong> dialog.</span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;text-indent:-0.25in;line-height:normal"><span><span><span style="font-size:small;font-family:Calibri">c.</span><span style="font:7pt 'Times New Roman'">       </span></span></span><span><span style="font-size:small"><span style="font-family:Calibri">Select the &quot;<strong>Enabled</strong>&quot; option and check the &quot;<strong>Process even if the Group Policy objects have not changed</strong>&quot; option.</span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;text-indent:-0.25in;line-height:normal"><span><span><span style="font-size:small;font-family:Calibri">d.</span><span style="font:7pt 'Times New Roman'">      </span></span></span><span><span style="font-size:small"><span 
style="font-family:Calibri">Click <strong>OK</strong>.</span></span></span></p> <p class=MsoListParagraphCxSpLast style="margin:0in 0in 0pt 0.25in;text-indent:-0.25in;line-height:normal"><span><span><span style="font-size:small;font-family:Calibri">e.</span><span style="font:7pt 'Times New Roman'">      </span></span></span><span><span style="font-size:small"><span style="font-family:Calibri">Refresh group policy to test this problem again.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span><span style="font-size:small;font-family:Calibri"> </span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">2. Ensure that the policy is not configured in <strong>Preference Mode</strong>.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoListParagraphCxSpFirst style="margin:0in 0in 0pt 0.25in;text-indent:-0.25in;line-height:normal"><span><span><span style="font-size:small;font-family:Calibri">a.</span><span style="font:7pt 'Times New Roman'">      </span></span></span><span><span style="font-size:small"><span style="font-family:Calibri">Open and edit the GPO where you configured these IE Maintenance settings.</span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;text-indent:-0.25in;line-height:normal"><span><span><span style="font-size:small;font-family:Calibri">b.</span><span style="font:7pt 'Times New Roman'">      </span></span></span><span><span style="font-size:small"><span style="font-family:Calibri"><span> </span>Expand to the branch [<strong>User Configuration\Windows Settings\Internet Explorer Maintenance</strong>]. 
</span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;text-indent:-0.25in;line-height:normal"><span><span><span style="font-size:small;font-family:Calibri">c.</span><span style="font:7pt 'Times New Roman'">       </span></span></span><span><span style="font-size:small"><span style="font-family:Calibri">Right-click the &quot;<strong>Internet Explorer Maintenance</strong>&quot; item and verify whether the &quot;<strong>Preference Mode</strong>&quot; option is checked. </span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;text-indent:-0.25in;line-height:normal"><span><span><span style="font-size:small;font-family:Calibri">d.</span><span style="font:7pt 'Times New Roman'">      </span></span></span><span><span style="font-size:small"><span style="font-family:Calibri">If it is checked, you need to reset the settings and disable &quot;<strong>Preference Mode</strong>&quot;. To do this: </span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;line-height:normal"><span><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">- Note down all the settings you have configured. 
We need to re-configure them later.</span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">- Right-click the &quot;<strong>Internet Explorer Maintenance</strong>&quot; in the left pane, and click &quot;<strong>Reset Browser Settings</strong>&quot;.</span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">- Right-click the &quot;<strong>Internet Explorer Maintenance</strong>&quot; in the left pane, and make sure to uncheck &quot;<strong>Preference Mode</strong>&quot;.</span></span></span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 0.25in;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">- Re-configure your settings.</span></span></span></p> <p class=MsoListParagraphCxSpLast style="margin:0in 0in 0pt 0.25in;line-height:normal"><span><span style="font-size:small"><span style="font-family:Calibri">- Refresh group policy and wait until this change has been replicated to all other DCs, and then check this issue again.</span></span></span></p> <hr class=sig> <a href="http://social.technet.microsoft.com/Profile/en-US/?user=Laura%20Zhang%20-%20MSFT">Laura Zhang - MSFT</a>, Tue, 31 Mar 2009 06:51:53 Z (updated 2009-03-31T07:05:44Z, <a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#aca843fa-0e66-4df0-a175-65218eff63c4">permalink</a>)<h2 style="margin:10pt 0in 0pt"><a name="_Q3:_DHCP_Server"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria">Question - Q3: DHCP Server Service does not start on Windows Server 2008 Read-Only Domain Controller.</span></h2> <p class=MsoNormal style="margin:0in 0in 
0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri"><br/>Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">On a Windows Server 2008 based Read-Only Domain Controller (RODC), the DHCP Server service does not start. When you try to start the service, the following error message will occur:</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">An error occurred while trying to start the DHCP Server service on &lt;computername.domainname.com&gt;. 
For more information about the error, see Event Viewer.</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">The request is not supported.</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">In the system event log, the following events may be logged:</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">Product: Windows Operating System<br/>ID: 1035<br/>Source: Microsoft-Windows-DHCP-Server<br/>Version: 6.0<br/>Symbolic Name: EVENT_SERVER_READ_ONLY_GROUP_ERROR<br/>Message: The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Product: Windows Operating System<br/>ID: 1036<br/>Source: Microsoft-Windows-DHCP-Server<br/>Version: 6.0<br/>Symbolic Name: EVENT_SERVER_ADMIN_GROUP_ERROR<br/>Message: The DHCP server was unable to create or lookup the DHCP Administrators <br/>local group on this computer. 
The error code is in the data.</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">This behavior is as expected. The DHCP service is trying to create and read the “DHCP Users” and “DHCP Administrators” groups in Active Directory. However, this cannot be done on Read-Only Domain Controllers. The objects can only be replicated into an RODC from a writable DC.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">To work around this behavior, use either of the methods below:</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong style="">Method </strong><strong 
style=""><span style="">1</span></strong></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">-------------</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span style=""> </span>Create the groups manually on a writable domain controller and allow them to replicate to the RODC.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong style="">Method </strong><strong style=""><span style="">2</span></strong></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">--------------</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">1. Install DHCP on a writable domain controller to allow the groups to be created automatically, then allow them to replicate to the RODC.<br/>2. 
Uninstall the DHCP server service from the writable DC and the groups will remain.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style=""><span style="font-size:small"><span style="font-family:Calibri">More Information</span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong>================</strong></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Applications That Are Known to Work with RODCs</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://technet.microsoft.com/en-us/library/cc732790.aspx"><span style=""><span style="font-size:small;color:#0000ff;font-family:Calibri">http://technet.microsoft.com/en-us/library/cc732790.aspx</span></span></a></p><hr class="sig"><a href="http://social.technet.microsoft.com/Profile/en-US/?user=Laura%20Zhang%20-%20MSFT">Laura Zhang - MSFT</a>, Tue, 31 Mar 2009 06:53:54 Z (<a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#cd4f08d5-1d46-4f23-afc4-dd178cb0437e">permalink</a>)<h2 style="margin:10pt 0in 0pt"><a name="_Q4:_The_&quot;Enterprise"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria">Question - Q4: The &quot;Enterprise root CA&quot; option is not available when you try to install the Certificate Services component in Windows Server 2003. 
</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri"><br/>Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">In Microsoft Windows Server 2003, the Enterprise root CA option is not available. This issue occurs when you try to install the Certificate Services component and set up a certification authority.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">This issue can occur if the <strong>Public Key Services</strong> container does not exist in Active Directory. 
For example, this issue can occur if the <strong style="">ADSIEdit</strong> tool (Adsiedit.msc) was used to delete the <strong>Public Key Services</strong> container.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">To resolve this issue, please refer to the following Microsoft Knowledge Base article:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">In Windows Server 2003, the &quot;Enterprise root CA&quot; option is not available when you try to install the Certificate Services component</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/938613/en-us"><span style=""><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/938613/en-us</span></span></a></p> <br/> <hr class=sig> <a href="http://social.technet.microsoft.com/Profile/en-US/?user=Laura%20Zhang%20-%20MSFT">Laura Zhang - MSFT</a>, Tue, 31 Mar 2009 06:54:16 Z (updated 2009-03-31T06:55:14Z, <a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#7639a2dd-3b58-4f12-af32-96247fe403b7">permalink</a>)
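<p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">The PowerShell script below is an added example and is not code from the FAQ posts above or from Microsoft. It checks, from one management host, the two Active Directory conditions behind Q3 and Q4: whether the "DHCP Users" and "DHCP Administrators" groups exist on a writable domain controller and have replicated to the RODC (creating them on the writable DC, which is Method 1 of Q3, only when run with the -CreateMissingGroups switch), and whether the Public Key Services container is present in the Configuration partition (the missing container that causes Q4). It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it may create groups; the server names dc01.contoso.com and rodc01.contoso.com, the -CreateMissingGroups switch and the choice of the Users container as the group location are this example's own assumptions, not values from the posts.</span></p>

```powershell
# Added example for Q3 and Q4 above (not code from the FAQ posts or from Microsoft).
# Q3: the DHCP Server service cannot create "DHCP Users" / "DHCP Administrators"
#     on an RODC, so the groups must exist on a writable DC and replicate inbound.
# Q4: the "Enterprise root CA" option needs the Public Key Services container in
#     the Configuration partition.
# Assumptions: the ActiveDirectory module (RSAT) is installed; the server names,
# the -CreateMissingGroups switch and the Users container used as -Path are
# placeholders chosen for this example.
#Requires -Modules ActiveDirectory
param(
    [string]$WritableDC = 'dc01.contoso.com',    # placeholder: a writable DC
    [string]$Rodc       = 'rodc01.contoso.com',  # placeholder: the RODC that cannot start DHCP
    [switch]$CreateMissingGroups                 # apply Method 1 of Q3 instead of only reporting
)

Import-Module ActiveDirectory

# Naming contexts are read from the writable DC so the DNs below match this forest.
$rootDse        = Get-ADRootDSE -Server $WritableDC
$usersContainer = "CN=Users,$($rootDse.defaultNamingContext)"

# --- Q3: DHCP groups -------------------------------------------------------
foreach ($groupName in 'DHCP Users', 'DHCP Administrators') {
    $onWritable = Get-ADGroup -Server $WritableDC -Filter "Name -eq '$groupName'"

    if (-not $onWritable) {
        if ($CreateMissingGroups) {
            # Method 1: create the group on a writable DC and let it replicate.
            # Domain-local security group, the kind DHCP creates on a DC (assumption).
            New-ADGroup -Server $WritableDC -Name $groupName -Path $usersContainer `
                        -GroupScope DomainLocal -GroupCategory Security
            Write-Output "CREATED '$groupName' on $WritableDC; wait for inbound replication to $Rodc."
        } else {
            Write-Output "MISSING '$groupName' on $WritableDC (re-run with -CreateMissingGroups)."
        }
        continue
    }

    # Ask the RODC itself (not via a referral) so that replication state is what is reported.
    $onRodc = Get-ADGroup -Server $Rodc -Filter "Name -eq '$groupName'"
    if ($onRodc) {
        Write-Output "OK      '$groupName' exists on $WritableDC and on $Rodc."
    } else {
        Write-Output "PENDING '$groupName' exists on $WritableDC but has not replicated to $Rodc yet."
    }
}

# --- Q4: Public Key Services container -------------------------------------
$pksDn = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
try {
    $null = Get-ADObject -Server $WritableDC -Identity $pksDn -ErrorAction Stop
    Write-Output "OK      $pksDn exists."
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    # This is the state described in Q4; KB 938613 (linked above) covers restoring it.
    Write-Output "MISSING $pksDn"
}
```

<p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Run it without -CreateMissingGroups first: in that mode it only reads. A group that is present on the writable DC but not yet on the RODC is reported as PENDING rather than OK, which is the case the FAQ's "allow them to replicate to the RODC" step refers to. The Q4 check only reports; it does not recreate the container.</span></p>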
<h2 style="margin:10pt 0in 0pt"><a name="_Q5:_Group_Policy"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria">Question - Q5: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled.</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri"><br/>Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Consider the following scenario: </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">• The following policies are enabled on a domain controller that is running Windows Server 2003 in a domain: </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span style="">[</span>Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 
Options\Microsoft network server: Digitally sign communications (always)<span style="">]</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span style="">[</span>Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)<span style="">]</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:SimSun">•</span><span style="font-family:Calibri"> The following policies are enabled on a member computer that is running Windows Vista Service Pack 1 or Windows Server 2008 in the same domain: </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span style="">[</span>Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)<span style="">]</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span style="">[</span>Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (If server agrees)<span style="">]</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 
0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">In this scenario, Group Policy settings are not applied on the member computer. Additionally, the following event is logged in the System log on the member computer: </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Date: Date </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Event ID: 1058 </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Level: Error </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Keywords: </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">User: UserSID </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Computer: ComputerName </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Description: </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">The processing of Group Policy failed. Windows attempted to read the file \\ path \gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">a) Name Resolution/Network Connectivity to the current domain controller. 
</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">c) The Distributed File System (DFS) client has been disabled. </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">Note<span style="">:</span> This problem occurs only on member computers that are running Windows Server 2008 or Windows Vista Service Pack 1 (SP1). It does not occur on member computers that are running Windows Server 2003, Windows XP, or the release version of Windows Vista.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">When a Server Message Block (SMB) version 1 client establishes a non-guest session or a non-anonymous session with a server, the client enables security signatures for the server. Later sessions then inherit the security signature sequence that is already established. 
</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">To improve security, Windows Server 2008 and Windows Vista SP1 prevent server authenticated connections from being maliciously downgraded to a guest session or to an anonymous session. However, this improved security does not address the scenario that is described in the &quot;Symptoms&quot; section.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">To resolve this issue, please download and install the hot fix described in the following Microsoft Knowledge Base article:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/950876"><span style=""><span 
style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/950876</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">To work around this problem, use one of the following methods. </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style=""><span style="font-size:small"><span style="font-family:Calibri">Method 1 </span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Disable the following policy on the member computers that are running Windows Server 2008 or Windows Vista SP1: </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always) </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style=""><span 
style="font-size:small"><span style="font-family:Calibri">Method 2 </span></span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">On the member computers that are running Windows Server 2008 or Windows Vista SP1, follow these steps: </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">1.<span style="">  </span>Click <strong>Start</strong>, type <strong>regedit</strong> in the Start Search box, and then press ENTER.<span style="">  </span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">2.<span style="">  </span>Locate the <strong>RequireSecuritySignature</strong> registry entry under the following registry subkey: </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters<span style="">  </span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">3.<span style="">  </span>Right-click <strong>RequireSecuritySignature</strong>, and then click <strong>Modify</strong>.<span style="">  </span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">4.<span style="">  </span>In the Value data box, type <strong>0</strong>, and then click <strong>OK</strong>.<span style="">  
</span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">5.<span style="">  </span>Exit Registry Editor.<span style="">  </span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><strong><span style="">Method 3</span></strong><span style=""> </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">On the member computers that are running Windows Server 2008 or Windows Vista Service Pack 1, <span style=""> </span>follow these steps: </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">1.<span style="">  </span>Click <strong>Start</strong>, type <strong>regedit</strong> in the Start Search box, and then press ENTER.<span style="">  </span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">2.<span style="">  </span>Locate the <strong>AllowGuestAuthWhenSigningRequired</strong> registry entry under the following registry subkey: </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters<span style="">  
</span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">3.<span style="">  </span>Right-click <strong>AllowGuestAuthWhenSigningRequired</strong>, and then click <strong>Modify</strong>.<span style="">  </span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">4.<span style="">  </span>In the Value data box, type <strong>1</strong>, and then click <strong>OK</strong>.<span style="">  </span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">5.<span style="">  </span>Exit Registry Editor.<span style="">  <br/></span></span></span></span></p><hr class="sig"><a href="http://social.technet.microsoft.com/Profile/en-US/?user=Laura%20Zhang%20-%20MSFT">Laura Zhang - MSFT</a>, Tue, 31 Mar 2009 06:56:39 Z (<a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#c27a4967-81bb-4b1e-9c9b-8c18ba62a34a">permalink</a>)<h2 style="margin:10pt 0in 0pt"><a name="_Q6:_Event_1091"></a><span style="font-size:medium"><span style="color:#4f81bd"><span style="font-family:Cambria">Question - Q6: Event 1091 is recorded every 5 minutes on a Windows Server 2008 or Vista SP1 computer.</span></span></span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri"><br/>Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span 
style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">Event 1091 is recorded every 5 minutes on domain member computers that are running Windows Vista Service Pack 1 or Windows Server 2008.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Eventlog: System</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Source: Microsoft-Windows-GroupPolicy</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Eventid: 1091</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension &lt;Group Policy Registry&gt;. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">1. Some MOF files that are needed to generate the RSoP result are missing.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">2. You configure a file security policy to set file permissions on a folder. In addition, the path that you specified for the folder contains some environment variables. For example, you specify the following path for the folder: </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">%ALLUSERSPROFILE%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">The Group Policy engine translates the environment variables incorrectly.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">1. Verify you have the following files:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">%SYSTEMROOT%\system32\wbem\polprocl.mof</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">%SYSTEMROOT%\system32\wbem\en-US\polprocl.mfl </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">NOTE: &quot;en-US&quot; should be replaced with the actual language that is installed.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">2. 
If those files are missing you can copy them from a working full Windows Server 2008 installation and then run the following command to recompile the .mof file in an administrative elevated Command window:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">mofcomp %SYSTEMROOT%\system32\wbem\polprocl.mof</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">gpupdate /force</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">3. 
If you configure file security policy and use environment variables in the file path, please download and install the hot fix described in the following Microsoft Knowledge Base article:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">The RSoP snap-in does not display some file security policies, and Event ID 1091 is logged on domain member computers that are running Windows Vista Service Pack 1 or Windows Server 2008</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/955248"><span style=""><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/955248</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> <br/></span></span></p><hr class="sig">Laura Zhang - MSFT, Tue, 31 Mar 2009 06:57:39 Z (<a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#2428bd71-e361-4154-821f-b3a942b5df56">post</a>)<h2 style="margin:10pt 0in 0pt"><a name="_Q7:_DCPROMO_fails"></a><span style="font-size:medium"><span style="color:#4f81bd"><span style="font-family:Cambria">Question - Q7: DCPROMO fails with the following error: &quot;To install a domain controller into this Active Directory forest, you must first prepare the forest using &quot;adprep /forestprep&quot;<span 
style="">.</span></span></span></span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri"><br/>Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">You would like to install a Windows Server 2008 domain controller in a Windows Server 2003 domain. You have run the &quot;adprep /forestprep&quot; and &quot;adprep /domainprep&quot; commands by using the &quot;sources/adprep&quot; files from the Windows Server 2008 server. However, when you run dcpromo on the 2008 server, you still receive the following error message:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">To install a domain controller into this Active Directory forest, you must first prepare the forest using &quot;adprep /forestprep&quot;</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span 
style="font-size:small;font-family:Calibri">This issue can occur if you are using pre-RTM media to do the ADPrep commands.</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">To verify it, open adsiedit.msc on the domain controller that holds the infrastructure operations master role, expand to cn=ActiveDirectoryUpdate,cn=DomainUpdates,cn=system,DC=domain, right-click cn=ActiveDirectoryUpdate, and then check the value of the attribute revision.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri"><span style=""> </span></span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">If you are using pre-RTM media, the revision is 2.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">If you are using RTM media, the revision is 3.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri"><span style="">If it is pre-RTM 
media, please find an RTM version of Windows Server 2008 media to </span><span style="">run the &quot;adprep /forestprep&quot; and &quot;adprep /domainprep&quot; commands again.</span></span></span></p> <p> </p><hr class="sig">Laura Zhang - MSFT, Tue, 31 Mar 2009 06:58:12 Z (<a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#e1a5b94f-1597-47b5-9c2c-5924556c03d5">post</a>)<h2 style="margin:10pt 0in 0pt"><a name="_Q8:_The_Active"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria">Question - Q8: The Active Directory Certificate Services service does not start on a Windows Server 2008-based certification authority server if the key storage provider does not support SHA1 hash signing.</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri"><br/>Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">Consider the following scenario: </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">• You are running a Windows Server 2008-based computer that has a third-party key storage provider (KSP) installed.<span style="">  </span></span></span></p> <p 
class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:SimSun">•</span><span style="font-family:Calibri"> The third-party KSP does not allow for SHA1 hash signing. The KSP may be configured to disallow SHA1 hash signing or may not support it.<span style="">  </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:SimSun">•</span><span style="font-family:Calibri"> You install the Active Directory Certificate Services role on the computer. When you do this, you configure Certificate Services to use the KSP for the certification authority (CA) private key.<span style="">  </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">In this scenario, the Active Directory Certificate Services service does not start. 
Additionally, the following event is logged in the System log: </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Event Type: Error </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Event Source: CertSvc </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Event Category: None </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Event ID: 100 </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Date: Date </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Time: Time </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">User: N/A </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Computer: ComputerName </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">Description: &quot;Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. 
CAName ErrorDescription &quot;</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">When the Active Directory Certificate Services service starts, it tests the private key by signing a random SHA1 hash. If the KSP that is used for the private key does not allow for SHA1 hash signing, the Active Directory Certificate Services service does not start.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">To resolve this issue, please download and install the hot fix described in the following Microsoft Knowledge Base article:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">The Active Directory Certificate Services service does not start on a Windows Server 2008-based 
certification authority server if the key storage provider does not support SHA1 hash signing</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/952722"><span style=""><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/952722</span></span></a></p><hr class="sig">Laura Zhang - MSFT, Tue, 31 Mar 2009 07:00:22 Z (<a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#b87ff421-9c78-45bd-b2d2-052cef08d1e1">post</a>)<h2 style="margin:10pt 0in 0pt"><a name="_Q9:_You_receive"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria">Question - Q9: You receive the Event 1030 and 1058 errors from Userenv saying that “Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com”.</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri"><br/>Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">You experience one or more of the following symptoms on a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP or Microsoft Windows 2000: </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span 
style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoListParagraphCxSpFirst style="margin:0in 0in 0pt 21pt;text-indent:-21pt;line-height:normal"><span style="font-family:Calibri"><span style=""><span style="font-size:small">•</span><span style="font:7pt &quot;Times New Roman&quot;">  </span></span></span><span style="font-size:small;font-family:Calibri">Group Policy settings are not applied to the computers.</span></p> <p class=MsoListParagraphCxSpMiddle style="margin:0in 0in 0pt 21pt;text-indent:-21pt;line-height:normal"><span style="font-family:Calibri"><span style=""><span style="font-size:small">•</span><span style="font:7pt &quot;Times New Roman&quot;">  </span></span></span><span style="font-size:small;font-family:Calibri">Group Policy replication is not completed between the domain controllers on the network. </span></p> <p class=MsoListParagraphCxSpLast style="margin:0in 0in 0pt 21pt;text-indent:-21pt;line-height:normal"><span style="font-family:Calibri"><span style=""><span style="font-size:small">•</span><span style="font:7pt &quot;Times New Roman&quot;">  </span></span></span><span style="font-size:small"><span style="font-family:Calibri">You cannot open Group Policy snap-ins. 
For example, you cannot open the Domain Controller Security Policy snap-in, or the Domain Security Policy snap-in.</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">If you view the Application log in Event Viewer on Windows XP or Windows Server 2003, you see events that are similar to the following events:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri">Event Type: Error <br/>Event Source: Userenv <br/>Event Category: None <br/>Event ID: 1058 <br/>Date: Date<br/>Time: Time<br/>User: User_Name<br/>Computer: Computer_Name<br/>Description: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com. The file must be present at the location &lt;\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini&gt;. (Error_Message). Group Policy processing aborted. 
For more information, see Help and Support Center at </span></span><a href="http://support.microsoft.com/"><span style=""><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com</span></span></a><span style=""><span style="font-size:small"><span style="font-family:Calibri">.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Event Type: Error </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Event Source: Userenv </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Event Category: None </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Event ID: 1030 </span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Date: Date</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Time: Time</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">User: User_Name</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Computer: Computer_Name</span></span></span></p> <p 
class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. For more information, see Help and Support Center at http://support.microsoft.com.</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small"><span style="font-family:Calibri">These issues occur if the computers that are on your network cannot connect to certain Group Policy objects. Specifically, these objects are in the Sysvol folders on your network's domain controllers. 
</span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Because there are many possible causes for this event error, we suggest that you refer to the following Microsoft Knowledge Base article to troubleshoot the configuration of your network to narrow down the cause and then correct the configuration:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Userenv errors occur and events are logged after you apply Group Policy to computers that are running Windows Server 2003, Windows XP, or Windows 2000</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a href="http://support.microsoft.com/kb/887303"><span style=""><span style="font-size:small;color:#0000ff;font-family:Calibri">http://support.microsoft.com/kb/887303</span></span></a></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">The main steps include the 
following:</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Step one: Examine the DNS settings and network properties on the servers and client computers</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Step two: Examine the Server Message Block signing settings on the client computers and member servers</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Step three: Make sure that the TCP/IP NetBIOS Helper service is started on all computers</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Step four: Make sure that Distributed File System (DFS) is enabled on all computers</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Step five: Examine the contents and the permissions of the Sysvol folder</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Step six: Make sure that the Bypass traverse checking right is granted to the required groups</span></span></span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Step seven: Make sure that the domain controllers are not in a journal wrap state</span></span></span></p> <p 
class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style=""><span style="font-size:small"><span style="font-family:Calibri">Step eight: Run the Dfsutil /PurgeMupCache command<br/></span></span></span></p><hr class="sig">Laura Zhang - MSFT, Tue, 31 Mar 2009 07:01:16 Z (<a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#f90d0aa3-9372-4dc0-9ce5-cefe6296a540">post</a>)<h2 style="margin:10pt 0in 0pt"><a name="_Q10:_A_Windows"></a><span style="font-size:medium;color:#4f81bd;font-family:Cambria">Question - Q10: A Windows Vista-based or Windows Server 2008-based computer needs at least the Read permission for Group Policy Objects in Active Directory Domain Services if the computer is configured for loopback processing.</span></h2> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style=""><span style="font-size:small;font-family:Calibri"> </span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">Symptom</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">=========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">If a Windows Vista-based or Windows Server 2008-based computer is configured for loopback processing, the computer does not receive any settings from GPOs in AD DS.</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span 
style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a name=KSIAnchor3></a><strong><span style="font-size:small"><span style="font-family:Calibri">Possible Cause</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">============</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">This behavior in Windows Vista and Windows Server 2008 is changed from the behavior in Windows XP and in Windows Server 2003. Windows Vista and Windows Server 2008 try to retrieve the attributes of GPOs for users from the computer. In Windows Vista or in Windows Server 2008, the loopback policy does not apply if the computer does not have at least the Read permission on the GPOs.</span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri"> </span></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><a name=KSIAnchor4></a><strong><span style="font-size:small"><span style="font-family:Calibri">Resolution</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><strong><span style="font-size:small"><span style="font-family:Calibri">========</span></span></strong></p> <p class=MsoNormal style="margin:0in 0in 10pt"><span style="font-size:small;font-family:Calibri">To read the attributes of the GPOs, the computer needs at least the Read permission for the GPOs. Please ensure that the computer object has the Read permission on the group policy object.</span></p> <p class=MsoNormal style="margin:0in 0in 10pt"><span style="font-size:small;font-family:Calibri">1. 
Open the Group Policy Management console and expand the forest and domain tree in the left panel.</span></p> <p class=MsoNormal style="margin:0in 0in 10pt"><span style="font-size:small;font-family:Calibri">2. Select the loopback group policy. The settings will be displayed on the right side of the panel.</span></p> <p class=MsoNormal style="margin:0in 0in 10pt"><span style="font-size:small;font-family:Calibri">3. In the “Scope” tab, check the “Security Filtering” configuration to ensure that the computer object has at least “Read” permission. By default, the “Authenticated Users” group has this permission. If you have not customized the security settings for the group policy, it should be fine, as a domain computer belongs to the “Authenticated Users” group. <br/></span></p><hr class="sig">Laura Zhang - MSFT, Tue, 31 Mar 2009 07:02:03 Z
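<p class=MsoNormal style="margin:0in 0in 0pt;line-height:normal"><span style="font-size:small;font-family:Calibri">Added example (not from the FAQ posts above or from Microsoft): a PowerShell check that covers both the Q9 answer (can the client reach gpt.ini in SYSVOL, and does its version match AD DS) and the Q10 answer (does the computer account hold at least Read on the GPO) for one GPO. It assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined machine; the GPO and computer names, and the assumption that Get-GPPermission resolves a computer by its account name, are mine.</span></p>

```powershell
# Added example, not part of the original FAQ posts. For one GPO it verifies:
#  - Q10: the computer account has at least Read on the GPO in AD DS (loopback prerequisite)
#  - Q9:  gpt.ini is reachable under \\<domain>\sysvol\... and its Version matches AD DS
#         (an unreachable file is the condition behind Userenv 1058/1030; a mismatch means
#          the SYSVOL replication the Q9 symptoms mention has not completed)
# Assumes the GroupPolicy and ActiveDirectory RSAT modules, PowerShell 3.0+ (for -shl/-shr),
# and a domain-joined session. GPO and computer names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        # Computer account whose Read permission is verified; defaults to this machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $dnsRoot = (Get-ADDomain).DNSRoot
    $gpo     = Get-GPO -Name $GpoName -Domain $dnsRoot -ErrorAction Stop

    # --- Q10: AD DS side. Each of these permission levels includes Read on the GPO. ---
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $readers = @(Get-GPPermission -Guid $gpo.Id -Domain $dnsRoot -All |
        Where-Object { $readLevels -contains "$($_.Permission)" })

    # Authenticated Users (S-1-5-11) has Read by default and every domain computer is a member;
    # the SID is checked first so a localized display name does not matter.
    $authUsersHasRead = [bool]($readers | Where-Object {
        "$($_.Trustee.Sid)" -eq 'S-1-5-11' -or $_.Trustee.Name -eq 'Authenticated Users' })

    # Explicit entry for the computer account, in case security filtering was customised.
    # Assumption: Get-GPPermission resolves the computer from its account name.
    $computerEntry = Get-GPPermission -Guid $gpo.Id -Domain $dnsRoot `
        -TargetName $ComputerName -TargetType Computer -ErrorAction SilentlyContinue
    $computerHasRead = ($authUsersHasRead -or
        ($null -ne $computerEntry -and $readLevels -contains "$($computerEntry.Permission)"))

    # --- Q9: SYSVOL side. Same path layout the Userenv 1058 description quotes. ---
    $gptIni    = '\\{0}\sysvol\{0}\Policies\{{{1}}}\gpt.ini' -f $dnsRoot, $gpo.Id
    $reachable = Test-Path -LiteralPath $gptIni
    $sysvolVersion = $null
    if ($reachable) {
        # gpt.ini carries one packed number: low 16 bits computer version, high 16 bits user.
        foreach ($line in Get-Content -LiteralPath $gptIni) {
            if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { $sysvolVersion = [long]$Matches[1]; break }
        }
    }
    # The AD DS versionNumber uses the same packing, so rebuild it from Get-GPO's two halves.
    $adVersion = ([long]$gpo.User.DSVersion -shl 16) -bor [long]$gpo.Computer.DSVersion

    [pscustomobject]@{
        GpoName         = $gpo.DisplayName
        GpoId           = $gpo.Id
        ReadTrustees    = @($readers | ForEach-Object { $_.Trustee.Name })
        ComputerHasRead = $computerHasRead   # Q10: loopback settings apply only if this is true
        GptIniPath      = $gptIni
        GptIniReachable = $reachable         # Q9: false is the condition behind event 1058
        SysvolVersion   = $sysvolVersion
        AdVersion       = $adVersion
        VersionsInSync  = ($null -ne $sysvolVersion -and $sysvolVersion -eq $adVersion)
    }
}

# Placeholder GPO name. 'Default Domain Policy' is the built-in GPO whose GUID
# ({31B2F340-016D-11D2-945F-00C04FB984F9}) the Q9 event text quotes.
$result = Test-GpoAccess -GpoName 'Default Domain Policy'
$result | Format-List
if (-not $result.ComputerHasRead) {
    Write-Warning "Computer lacks Read on '$($result.GpoName)': loopback settings will not apply (Q10)."
}
if (-not $result.GptIniReachable) {
    Write-Warning "Cannot reach $($result.GptIniPath): expect Userenv 1058/1030 (Q9)."
}
elseif (-not $result.VersionsInSync) {
    Write-Warning "AD DS and SYSVOL versions differ for '$($result.GpoName)': replication incomplete (Q9)."
}
```

Run it as the account whose access is in question (or under a computer context via a scheduled task) so that the SYSVOL and permission checks reflect that principal rather than the administrator's own rights.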