Wednesday, April 27, 2016

Start menu won't open in Windows 10 Home

Recently my kids were complaining that they needed Microsoft Office for their school work, and LibreOffice wasn't compatible enough with what they wanted to do.  So we had to get a new machine to have something that would run Windows.  Within the first week, one of the kids managed to do something to screw up his user profile to the point that it took several minutes to log on.  Once on, the start menu wouldn't open, half of the task bar tray icons weren't working, and none of them would give any menus when right clicking.

The event logs were full of ESENT events:

Event 465: ESENT

svchost (2972) TILEREPOSITORYS-1-5-21-1971466138-3024181641-1488003878-1003: Corruption was detected during soft recovery in logfile C:\Users\thekid\AppData\Local\TileDataLayer\Database\EDB.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 279 (0x00000117). This logfile has been damaged and is unusable.

Event 477: ESENT

svchost (2972) TILEREPOSITORYS-1-5-21-1971466138-3024181641-1488003878-1003: The log range read from the file "C:\Users\thekid\AppData\Local\TileDataLayer\Database\EDB.log" at offset 1142784 (0x0000000000117000) for 4096 (0x00001000) bytes failed verification due to a range checksum mismatch.  The expected checksum was 9075318455674107058 (0x7df2020d660074b2) and the actual checksum was 9075318455674107058 (0x7df2020d660074b2). The read operation will fail with error -501 (0xfffffe0b).  If this condition persists then please restore the logfile from a previous backup.

Event 454: ESENT

svchost (2972) TILEREPOSITORYS-1-5-21-1971466138-3024181641-1488003878-1003: Database recovery/restore failed with unexpected error -501.

When I went into the Settings -> Accounts -> Family & other users area to try to delete the account, the only options were change account type and block.  To actually delete it, I had to use the "Manage family settings online" option.  Under the more menu pull down, there is an option to remove from family.  This shifts the account from "Your Family" down to "Other Users", where you will have an option to remove them from the machine once you click on the name.  It takes a bit of time to wipe out their profile, but once it's done, their user account folder is empty.

As some Microsoft people will write, user profile corruption really doesn't exist, but in reality it happens a lot.  Windows 10 seems to be pretty sensitive to it and fails catastrophically.  I wish schools would just use free office apps so we can stick to Linux.

There are several write-ups that could help resolve this type of problem if you go searching for the specific event IDs above.  If you just search for the start button not working, the tips you may come across seem pretty useless.  Deleting a user account has its own issues (loss of data, or requirement to back up before doing so).  For some other methods of dealing with this issue check out this post.

Thursday, April 14, 2016

Active Directory related reference material

1) Domain controller client DNS entry best practices
2) Tracing and monitoring LDAP, Kerberos and NTLM traffic on a domain controller
3) SChannel error codes
4) Deleting smartcard certificates

Tuesday, April 12, 2016

Active Directory ACLs explained

In a previous post on decoding AD ACLs, I provided some code which took BSonPosh's get-adacl output and decoded the SIDs and GUIDs to provide more readable output.  An example of that output is below; however, you may find some of the other fields a bit confusing.  So I created a few different types of test permissions on an OU to show how they are reflected in the PowerShell output of these two commands.

Permission set in GUI: "Apply to: All Descendant objects, create/delete Conference Site objects"

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : Descendents
ObjectType            : msExchConferenceContainer
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : TEST.LOCAL\Nathan
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

Permission set in GUI:  "Apply to: This object and all descendant objects, create/delete Contact objects"

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : All
ObjectType            : contact
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : TEST.LOCAL\Nathan
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

Permission set in GUI:  "Apply to: This object only, create/delete Computer Objects"

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : None
ObjectType            : computer
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : TEST.LOCAL\Nathan
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

Permission set in GUI:   "Apply to: Descendent Computer objects, Modify Owner"

ActiveDirectoryRights : WriteOwner
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : computer
ObjectFlags           : InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BHI-MASTER\adminlinlnat
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

InheritedObjectType:  Notice this will be all zeros when the permission is for creating a child object in a container.  When the permission is being set on a specific type of child object, it will be set to that object type, and the ObjectType value will be all zeros.  When setting a permission on a specific property of a specific type of child object, you will get both fields filled in, with ObjectType being the specified property and InheritedObjectType being the AD object's type.

PropagationFlags: InheritOnly exists when applying to something other than the current OU.  (

InheritanceFlags: ContainerInherit when applying to anything below the current level, ObjectInherit when applying to child objects (

InheritanceType: All (everything from this level down), Descendents (children and descendants, not the current object), None (current level only)   (
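
The field combinations described above can be turned back into the GUI's "Apply to" wording with a small decoder. This is an added example, not code from the original post or from BSonPosh's module: the function name Get-AceScopeDescription is hypothetical, the sample rows copy the four decoded outputs shown above, and the NoPropagateInherit (direct children) cases go beyond what the post covers.

```powershell
# Added example: Get-AceScopeDescription is a hypothetical helper, not part of any module.
function Get-AceScopeDescription {
    param([Parameter(Mandatory, ValueFromPipeline)] $Ace)
    process {
        $zero        = '00000000-0000-0000-0000-000000000000'
        $inherit     = [string]$Ace.InheritanceFlags
        $propagate   = [string]$Ace.PropagationFlags
        $inheritOnly = $propagate -match 'InheritOnly'
        $oneLevel    = $propagate -match 'NoPropagateInherit'

        # InheritanceFlags + PropagationFlags decide which objects the ACE applies to.
        $scope = if ($inherit -eq 'None')         { 'this object only' }
            elseif ($inheritOnly -and $oneLevel)  { 'direct child objects only' }
            elseif ($inheritOnly)                 { 'all descendant objects' }
            elseif ($oneLevel)                    { 'this object and direct child objects' }
            else                                  { 'this object and all descendant objects' }

        # A non-zero InheritedObjectType limits the ACE to one class of descendant.
        $inheritedType = [string]$Ace.InheritedObjectType
        if ($inherit -ne 'None' -and $inheritedType -and $inheritedType -ne $zero) {
            $scope += " of class '$inheritedType'"
        }

        # A non-zero ObjectType limits the right itself: the child class for
        # CreateChild/DeleteChild, otherwise a property or extended right.
        $rights     = [string]$Ace.ActiveDirectoryRights
        $objectType = [string]$Ace.ObjectType
        if ($objectType -and $objectType -ne $zero) {
            $kind = if ($rights -match 'Child') { 'child objects' } else { 'property or right' }
            $rights += " ($objectType $kind)"
        }

        '{0}: {1} {2}; applies to {3}' -f $Ace.IdentityReference, $Ace.AccessControlType, $rights, $scope
    }
}

# Sample rows copy the four decoded outputs shown in the post (no AD connection needed).
$sample = @'
ActiveDirectoryRights|ObjectType|InheritedObjectType|AccessControlType|IdentityReference|InheritanceFlags|PropagationFlags
CreateChild, DeleteChild|msExchConferenceContainer|00000000-0000-0000-0000-000000000000|Allow|TEST.LOCAL\Nathan|ContainerInherit|InheritOnly
CreateChild, DeleteChild|contact|00000000-0000-0000-0000-000000000000|Allow|TEST.LOCAL\Nathan|ContainerInherit|None
CreateChild, DeleteChild|computer|00000000-0000-0000-0000-000000000000|Allow|TEST.LOCAL\Nathan|None|None
WriteOwner|00000000-0000-0000-0000-000000000000|computer|Allow|BHI-MASTER\adminlinlnat|ContainerInherit|InheritOnly
'@ | ConvertFrom-Csv -Delimiter '|'

$sample | Get-AceScopeDescription
```

When reviewing delegation on an OU, the lines that end in "descendant objects" are the ones whose effect reaches beyond the object the ACE is stored on.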