Showing posts with label GPO. Show all posts

Thursday, October 30, 2014

Finding OUs that block GPO inheritance

Import-Module ActiveDirectory
# gPOptions=1 is the "Block Inheritance" flag on an OU object
Get-ADObject -LDAPFilter "(&(objectclass=OrganizationalUnit)(gPOptions=1))"
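As an added example (not from the original post), the same gPOptions=1 query extended with the GroupPolicy module so that, for each blocking OU, you also see which GPOs still reach it through enforced links from parent containers. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the function name is mine.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# and GroupPolicy modules (Get-ADOrganizationalUnit, Get-GPInheritance).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-BlockedInheritanceOU {
    # gPOptions=1 is the "Block Inheritance" flag, the same filter as the
    # one-liner above; the cmdlet already restricts the result to OU objects.
    Get-ADOrganizationalUnit -LDAPFilter '(gPOptions=1)' -Properties gPOptions, gPLink |
        ForEach-Object {
            $ou  = $_
            $inh = Get-GPInheritance -Target $ou.DistinguishedName

            # Enforced links on parent containers still apply despite the block,
            # so these are the policies the OU cannot opt out of.
            $pierce = $inh.InheritedGpoLinks |
                Where-Object { $_.Enforced -and $_.Target -ne $ou.DistinguishedName } |
                Select-Object -ExpandProperty DisplayName

            [pscustomobject]@{
                OU                 = $ou.DistinguishedName
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                DirectLinks        = ($inh.GpoLinks | Select-Object -ExpandProperty DisplayName) -join '; '
                EnforcedFromAbove  = ($pierce -join '; ')
            }
        }
}

Get-BlockedInheritanceOU | Format-Table -AutoSize
```

An OU with InheritanceBlocked set and an empty EnforcedFromAbove column is one where only its direct links apply, which is usually what you want to review when auditing where domain-level security settings stop taking effect.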

Thursday, May 29, 2014

Windows Time Service event 46 - access denied

I recently worked on a case where a domain controller came online with its clock several hours out of sync (a virtualized DC). In this case, when looking at the System log during the service start-up events, there was a critical error for the Windows Time service:


<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
    <EventID>46</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-21T07:25:24.140175500Z" />
    <EventRecordID>260042</EventRecordID>
    <Correlation />
    <Execution ProcessID="452" ThreadID="3648" />
    <Channel>System</Channel>
    <Computer>MyDC1.contoso.com</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData Name="TMP_EVENT_ERROR_SHUTDOWN">
    <Data Name="ErrorMessage">0x80070005: Access is denied.</Data>
  </EventData>
</Event>

Googling around turned up details that this error can occur when the Netlogon service is not started. Going back to the log showed a Service Control Manager event 7022: the Netlogon service hung during startup. After a few weeks back and forth with Microsoft, with Netlogon tracing and memory dumps, it just came down to the fact that there were a lot of subnets being processed. The servers affected by the slow Netlogon startup were all low-spec virtualized domain controllers, so they weren't going to perform at their best anyway. During service startup, all subnets must be read into memory, which can take a while. There are also no registry tweaks or configuration changes to get around this, other than cleaning up subnets.

The one thing we had thought of before the whole case was: if the time service needs Netlogon running in order to function, why isn't it configured with a service dependency? Even though the OS doesn't do this by default, some registry hacking will let you add Netlogon to the DependOnService value under the w32time service key to ensure Netlogon is started before the time service tries to start. This can be pushed through GPO as well. For a .REG file you can use this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time]
"DependOnService"=hex(7):6e,00,65,00,74,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,\
  00,00
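As an added example (not from the original post), the same change done from PowerShell instead of a .REG file, alongside a quick search of the System log for the event 46 / event 7022 pair described above. Unlike the .REG file, which replaces the whole value, this appends netlogon to whatever DependOnService already contains. The function names are mine; the registry path and value name are the ones from the .REG file.

```powershell
# Added example, not from the original post. Hunts for the Time-Service 46 /
# Service Control Manager 7022 pair described above, and adds netlogon to
# W32Time's DependOnService (REG_MULTI_SZ, the same value the .reg file sets)
# without overwriting dependencies that are already present.

function Find-TimeServiceStartupFailure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $filter = @{
        LogName      = 'System'
        StartTime    = (Get-Date).AddDays(-$Days)
        ProviderName = 'Microsoft-Windows-Time-Service', 'Service Control Manager'
        Id           = 46, 7022          # 46 = time service shutdown error, 7022 = service hung on start
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Add-W32TimeNetlogonDependency {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $existing = (Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    $current  = @($existing | Where-Object { $_ })            # empty array if the value does not exist yet
    if ($current -contains 'netlogon') { return $current }    # -contains is case-insensitive
    $updated = $current + 'netlogon'
    Set-ItemProperty -Path $key -Name DependOnService -Value $updated -Type MultiString
    return (Get-ItemProperty -Path $key -Name DependOnService).DependOnService
}

Find-TimeServiceStartupFailure -Days 90 | Format-Table -AutoSize

# Needs an elevated prompt; the dependency is honoured on the next service start / reboot.
# Add-W32TimeNetlogonDependency
```

If several DCs need it, the same value is better pushed through Group Policy (a Registry preference item with the Update action keeps it from being lost when someone rebuilds the service key), which matches the GPO route the post mentions.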

Wednesday, September 4, 2013

IE compatibility modes

Hello,

Let me start by saying, I'm no expert in web applications and browsers; however, I have run into HTML compatibility issues on and off for many years. Those who were developing sites back when the internet was just starting to be adopted in the home may remember having to write JavaScript to detect the browser version to see which little nuances were going to work in Netscape and which in Internet Explorer. Browser technology is now even more all over the place, with additional players in the browser field and a wide range of versions of each. With IE specifically, you may see anything from IE7 to the latest, if not even older. Later versions of IE (I believe starting with IE8) have various options in them for compatibility. Certain websites may fail to work correctly in one version of IE while they work fine in another. Newer versions of the browser have the F12 debugging tools, which make it easy to test sites. Whenever you have IE open, you can hit the F12 key and you will get a popup window with various tools for website debugging. Along the menu bar, the last two items on the right side are Browser Mode and Document Mode. In each, you can see a list of versions you want to display with.

IE F12 debugger tools



Typically your pages will load with whatever mode settings you chose the last time you set them. However, there are some places that can override these.

#1 Group policy.
In both User and Computer settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Compatibility View, you will see a list of settings.


In this list we can see various options. Some allow you to provide a list of domain names, so if you put contoso.com in there, anything in the whole contoso.com namespace (e.g. www.contoso.com, myapp.contoso.com) will be affected. Looking through the details will help you decide what may be needed. The last two options allow lists of sites to be defined. These settings affect the Document Mode option in the compatibility functions. Changing it to IE7 will break HTML5 and other newer technologies that mode does not support.

#2 Controlled by the site via META tags
The X-UA-Compatible meta tag is something you can define in your application. In this article, you can view the allowed values. From my basic testing with this, using the Emulate values seems to force the browser to use that mode, while the others seem to be guidelines which may be ignored if higher version level functionality is implemented in the site. In my case, I threw a canvas tag into a basic website with <!DOCTYPE html>. When playing with the numbers, it displayed in IE9 mode, and with Emulate at lower versions my canvas disappeared. One interesting thing to note here is that the X-UA-Compatible tag seems to override whatever group policy you have in place. That way, if you have contoso.com set for one level but one outlying site, mynewapp.contoso.com, needs HTML5 support, you can override it from the application itself.

Example of the tag:
<meta http-equiv="X-UA-Compatible" content="IE=8">

NOTE: This tag needs to be the first tag in the HEAD block
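As an added example (not from the original post), a small PowerShell check that pulls the X-UA-Compatible tag out of a page's HEAD block, reports whether it uses an Emulate value (the kind the post found to force the mode), and flags the case the NOTE above describes, where the tag is present but is not the first tag in HEAD. The function name and the two sample pages are mine.

```powershell
# Added example, not from the original post: inspect <head> for the
# X-UA-Compatible meta tag and check that it is the first tag in HEAD.
function Get-XUACompatible {
    param([Parameter(Mandatory)][string]$Html)

    $result = [ordered]@{ Present = $false; Content = $null; Emulate = $false; FirstInHead = $false }

    $head = [regex]::Match($Html, '<head[^>]*>(.*?)</head>', 'IgnoreCase, Singleline')
    if (-not $head.Success) { return [pscustomobject]$result }
    $inner = $head.Groups[1].Value

    # Match the meta tag regardless of attribute order or quoting style
    $meta = [regex]::Match($inner, '<meta\b[^>]*\bhttp-equiv\s*=\s*["'']?X-UA-Compatible["'']?[^>]*>', 'IgnoreCase')
    if (-not $meta.Success) { return [pscustomobject]$result }
    $result.Present = $true

    $content = [regex]::Match($meta.Value, '\bcontent\s*=\s*["'']([^"'']*)["'']', 'IgnoreCase')
    if ($content.Success) {
        $result.Content = $content.Groups[1].Value
        # "IE=EmulateIE8" style values force the mode; plain "IE=8" is only a hint
        $result.Emulate = $result.Content -match '^IE=Emulate'
    }

    # First tag in HEAD? Only whitespace and HTML comments may precede it.
    $lead = $inner.Substring(0, $meta.Index)
    $lead = [regex]::Replace($lead, '<!--.*?-->', '', 'Singleline')
    $result.FirstInHead = ($lead.Trim().Length -eq 0)

    [pscustomobject]$result
}

# Constructed sample pages (not from the original post)
$good = @'
<!DOCTYPE html>
<html><head>
  <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
  <title>Legacy app</title>
</head><body><canvas></canvas></body></html>
'@

$bad = @'
<!DOCTYPE html>
<html><head>
  <title>New app</title>
  <meta content="IE=9" http-equiv="X-UA-Compatible">
</head><body></body></html>
'@

Get-XUACompatible $good | Format-List
Get-XUACompatible $bad  | Format-List
```

For a live site, feed it `(Invoke-WebRequest -Uri $url -UseBasicParsing).Content`; a page that reports Present but not FirstInHead is the one to fix before assuming group policy is to blame for the wrong document mode.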

In any case, whenever working with website problems, it's always good to check different version levels to see if a site supports all the variations of browsers that may be in the environment, and make adjustments accordingly using whatever method is best. Also play around with the F12 tools, as they can be quite useful. Similar tools exist in Chrome, and as extensions in Firefox.


Tuesday, August 10, 2010

Managing odd services in group policy

If you feel that using group policy to manage system services for security purposes is a good idea, and you want to block certain services that typically won't be in the list of services in the edit console, there are several ways to get around this. One suggestion (the hard way, and a bad one) is to have the service installed on a machine and edit the GPO from that machine. That will work, but it is time consuming, and may open up security problems just to set up the GPO.

The easier way is to create a GPO and pick any service from the list. Use this service to set whatever permissions, start type, and other options you want. From here you can either back up the GPO, or directly edit the files in SYSVOL. In the policy you will see 3 folders:

Adm
Machine
User

The services are under Machine, so open this. Drill down through Microsoft -> Windows NT -> SecEdit and open GptTmpl.inf in Notepad. From here you can see a section called [Service General Settings]. One example line here, for a VNC service:

"WinVNC4",4,"D:AR(D;;DCRPWPDTSDRC;;;BA)(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Here we have the service name (this is not the display name you see in the Services MMC; it is the service name you use with "net start", or how you find it in the registry, and you can get it with psservice or sc.exe). Since we already set up all the other settings that we want, we can keep all the ACL information in place and just change the name of the service in the first set of quotation marks. Edit what you want, add more services if you need, and save.

If you backed up the GPO before editing it, you can just import this information into a new GPO object. If you are directly editing SYSVOL files, you may need to update the version details in the same file (and possibly in other files and the GPO AD object), so it is best to go with the backup/restore method and create a new group policy object. This gives versioning flexibility and an easier backout path in case of problems.
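As an added example (not from the original post), a PowerShell function that does the edit described above on the text of GptTmpl.inf: it finds the [Service General Settings] section, takes the line you configured through the GPO editor as a template, and clones it for additional service names, keeping the start type and the SDDL exactly as they are and skipping names that already have an entry. The function name is mine, and the sample file contents are constructed around the WinVNC4 line quoted above.

```powershell
# Added example, not from the original post: clone a configured
# [Service General Settings] line for additional short service names.
function Add-GptServiceEntries {
    param(
        [Parameter(Mandatory)][string[]]$IniLines,        # GptTmpl.inf contents, one line per element
        [Parameter(Mandatory)][string]$TemplateService,   # service already set up through the GPO editor
        [Parameter(Mandatory)][string[]]$NewServices      # short service names (sc.exe / "net start"), not display names
    )
    $start = -1
    for ($i = 0; $i -lt $IniLines.Count; $i++) {
        if ($IniLines[$i].Trim() -eq '[Service General Settings]') { $start = $i; break }
    }
    if ($start -lt 0) { throw 'No [Service General Settings] section; configure one service in the GPO editor first.' }

    # The section runs until the next [Header] or the end of the file
    $end = $IniLines.Count
    for ($i = $start + 1; $i -lt $IniLines.Count; $i++) {
        if ($IniLines[$i] -match '^\s*\[.+\]\s*$') { $end = $i; break }
    }

    # Entry format: "ServiceName",StartType,"SDDL"  (start type 2=Automatic, 3=Manual, 4=Disabled)
    $entries = @{}
    for ($i = $start + 1; $i -lt $end; $i++) {
        if ($IniLines[$i] -match '^"([^"]+)",(\d+),"(.*)"\s*$') {
            $entries[$Matches[1]] = @{ StartType = $Matches[2]; Sddl = $Matches[3] }
        }
    }
    $tmpl = $entries[$TemplateService]
    if (-not $tmpl) { throw "Service '$TemplateService' is not in the section." }

    # Clone the template line for each new name that is not already present
    $added = @(foreach ($svc in $NewServices) {
        if (-not $entries.ContainsKey($svc)) { '"{0}",{1},"{2}"' -f $svc, $tmpl.StartType, $tmpl.Sddl }
    })

    $head = $IniLines[0..($end - 1)]
    $tail = if ($end -lt $IniLines.Count) { $IniLines[$end..($IniLines.Count - 1)] } else { @() }
    return @($head) + $added + @($tail)
}

# Constructed GptTmpl.inf fragment (not from the original post), using the WinVNC4 line from above
$sample = @(
    '[Unicode]',
    'Unicode=yes',
    '[Version]',
    'signature="$CHICAGO$"',
    'Revision=1',
    '[Service General Settings]',
    '"WinVNC4",4,"D:AR(D;;DCRPWPDTSDRC;;;BA)(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"'
)

# WinVNC4 is repeated on purpose to show that existing entries are left alone;
# ExampleVncSvc is a made-up service name.
Add-GptServiceEntries -IniLines $sample -TemplateService WinVNC4 -NewServices 'ExampleVncSvc', 'WinVNC4', 'RemoteRegistry'
```

To apply it to a backed-up GPO, read the file with `Get-Content`, pass the lines through the function, and write them back with `Set-Content -Encoding Unicode` so the file keeps its UTF-16 encoding, then import the backup into a new GPO as the post recommends rather than editing the live SYSVOL copy.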