EzDevInfo.com

windows-domain interview questions


How to list windows privileges for any user

I am trying to write a script to list the privileges (e.g. SeShutdownPrivilege, etc.) of all user accounts. I'd prefer it if my script could be run as a standard user, but I can run it as an admin account if I had to. Here are the approaches I have tried so far:

  • using tokensz (from https://blogs.technet.microsoft.com/askds/2007/11/02/whats-in-a-token/): works (tokensz /compute_tokensize /dump_groups) for the currently logged in user. But when logged in even as a domain administrator, when trying for another user (tokensz /compute_tokensize /dump_groups /user:[another.user]), I get the error SEC_E_LOGON_DENIED

  • whoami /all works but only for the currently logged in user

  • ntrights.exe doesn't appear to be able to list privileges, only add and remove.

  • secedit /export /areas USER_RIGHTS /cfg out.txt: lists all privileges and the SIDs that have that privilege, but that list appears incomplete; the output from tokensz shows a user John.Smith with SeShutdownPrivilege, but the output from secedit for SeShutdownPrivilege lists groups that John.Smith is not a member of.

I can use portable executables (e.g. tokensz.exe, ntrights.exe) and built-in utilities, but will not be able to install applications or extensions.


Source: (StackOverflow)

How to setup firewall ports via logon script

I work as IT support for a public service. We use a domain controller and logon scripts. These scripts are pretty helpful, since they can automatically install printers and add network folders as local drives.

We use VNC to access users' computers so we can give them support. In some cases their Windows Firewall is active, and the VNC inbound/outbound ports are configured and work pretty fine. In many other cases, we have to ask people to disable their firewall. That's the practice people do here, and they usually don't ask people to enable the firewall again. Since this is a hazard, I'd like to know if there are any commands we can run in these logon scripts so the ports are automatically configured on all machines and we don't have to ask people to run on the network without a firewall.

Best.


Source: (StackOverflow)

How can I get the Trust Relationship to the domain to stop failing?

I just installed Windows 10. I was part of a domain. When I try to log in I get,

"The trust relationship between this workstation and the primary domain failed."

Since I do not remember my local accounts, am I left with resetting the local administrator password with a third-party tool such as the Offline Windows Password & Registry Editor and rejoining the domain, or using netdom on the client?

Is there another way to make the trust relationship come back?

edit: I have tried to reset the machine account in Active Directory Users and Computers. Same error. (yes, I rebooted).


Source: (StackOverflow)

Win 8 App Store not working for Domain User

I repaved my laptop over the Thanksgiving weekend with Windows 8.1, installed from a DVD.

Full disclosure - I did do something not exactly approved - I interrupted the installation process and added a junction at the C:\Users directory to point it to U:\Users (U: is my second drive). I used robocopy to copy the installed DefaultUser and Public directories over to U:\Users.

I have created 3 different accounts: a local user ($dave) set up as an administrator account, a login through my Windows Account, and a Domain login (HQ\dave). The local administrator account and the Windows account both seem to work correctly.

The domain user is unable to access any AppStore apps, including the app store itself, and it is unable to Change PC Settings: Clicking that choice under settings causes it to bring up a royal blue screen with nothing on it except the mouse pointer. There are only 5 tiles shown - Desktop, IE, File Explorer, App Store, and Sky Drive. App Store and Sky Drive don't work. (I wanted to connect the Domain user to the Windows account, but since that is done through the Change PC Settings menu, and I can't get to that, then I can't do that.)

The other symptom (possibly related, possibly not) is that, even though the machine is joined to the domain and I'm logged in as a Domain User with access rights to other shares on the network, any attempt to access a network file on one of the other machines asks for my network credentials. (This is blocking me from getting Outlook working because the mail file is on another machine, and it doesn't ask for credentials, it just fails.) I can open the network shares in the Explorer, but if I actually try to access a file, then it asks for credentials. I don't understand that one.

I have googled a lot of articles on these subjects looking for a solution, and have not found anything applicable. I would be most appreciative of help from anybody that has seen and solved this problem.

Thanks.


Source: (StackOverflow)

My account gets locked out of the Windows domain

I work in a BYOD environment and my laptop still has Windows 7.

Every so often I get locked out of the domain at our company and have to phone the IS helpdesk and ask them to unlock my account. Apparently they just reset my account on the domain controller.

A colleague pointed out every time I get locked out there's a virtualapp/didlogical generic credential that appeared out of nowhere in Windows' credential manager.

Some Googling tells me that virtualapp/didlogical generic credential comes from Windows Live Essentials, but I can't find any more information on it. I don't use any of the applications in that package, other than Movie Maker on rare occasions.

It seems to me that some application in Windows Live Essentials is trying to access some service, maybe through the proxy, using the wrong password and causes my account to be locked.

So my questions:

  • Is it the virtualapp/didlogical generic credential that causes me to get locked out?
  • If so, what can I do about it?
    • Is it an application in Windows Live Essentials?
    • Can I disable or reconfigure the application?
  • If not, how can I troubleshoot the problem?

Source: (StackOverflow)

Can I VPN connect to my work using Windows 8?

Windows 8 comes in a few versions ... with two of them being

  • Windows 8
  • Windows 8 Pro

Checking the comparison chart on wiki, the pro feature has this (where the non-pro doesn't):

Can join a Windows domain? Windows 8: no. Windows 8 Pro: yes.

Group Policy? Windows 8: no. Windows 8 Pro: yes.

Currently, when I VPN from my Windows 7 machine to work I need to provide my domain/username and password.

Does this mean I can't do this with Windows 8 and I need to purchase the Windows 8 Pro edition?


Source: (StackOverflow)

"The master browser has received a server announcement from the computer" error in Windows domain

I have a domain environment with Server 2008 and Windows 7. For a few days I have been receiving the following errors from many clients:

The master browser has received a server announcement from the computer "NAME" 
that believes that it is the master browser for the domain on transport  
NetBT_Tcpip_{94647C35-65DD-409E-8566-742867B08735}. 
The master browser is stopping or an election is being forced.

Source: (StackOverflow)

How can I have a secure domain login without a complex password?

I have recently gone on a security binge, using a password manager to ensure I have different complex passwords on every service I use. However, there's one hole in this system: the domain login. I cannot start the password manager without first logging into the operating system. Because my domain password is committed to memory, it is significantly less complex than any other password I have.

I do not want to rely on a fingerprint scanner due to dermatitis.

What options can Windows 7 and 8 support to securely log in to a domain account?


Source: (StackOverflow)

What should be taken into consideration when deploying Windows 8 in a domain environment?

Edit: Reformulating the question:

We have ordered new laptops but before they arrive, our development team is trying to decide whether to install Windows 8 or stick with Windows 7. We have already tested on isolated machines, but we have not yet been allowed to add the machines to the domain.

Before we approach the networking group to discuss adding Windows 8 machines to the domain, we need more information on what changes / issues to expect in moving from Windows 7.

Are there any aspects we should consider that are specific to Windows 8 clients?

Thus far, I've gotten the following feedback:

  • New set of Group Policy templates
  • Changes to proxy server settings

Additional items along these lines would be helpful.

We're not looking for items related to Windows GUI changes, but instead primarily items related to having the machine live and be used on the domain.

Edit

To reiterate, we have tested on isolated machines and do not currently have the ability to test ON THE DOMAIN.


Source: (StackOverflow)

Period character used for local computer name

I'm wondering about the period character . used as a shortcut for the local computer name. You can use it when logging into Windows 7, for example, to specify that the user account you're entering belongs to the local computer rather than to a domain:

.\MyLocalUserAccount

And you can use it within a Windows Management Instrumentation (WMI) query to indicate that the target is the local computer rather than a remote computer. You can also use it when working with named pipes for similar purposes.

However, you cannot use it as the UNC network name for the computer, like this:

\\.\MyShare

Does this character have an official name (e.g. "LocalHostToken") and when and where can it be used for this purpose?


Source: (StackOverflow)

What is going on when I can't access an SMB server share (not accessible error) until I run cmdkey to delete the credential?

I have a network connection share issue. The first connection works, and seems to stay connected for at least a few hours. However, after each time my Windows 7 PC reboots, it can no longer form a network connection to the shared folder, nor browse to it, until I not only unmap and remap the mapped drive, but also use cmdkey to delete the stored credentials like this:

cmdkey /delete:Domain:target=HOSTNAME

My work PC is on a domain, and I am not the IT administrator, but I'm curious if there is anything I can do to investigate this issue. Any settings in registry or group policy that I could examine to see why the first connection works, but each subsequent attempt (once a stored credential exists) to browse or use the connection, fails with a connection error saying it is "not accessible", like this:

I do not even get any error until at least several minutes go by. The first thing I see is a window frozen and empty, and then I get this error:

This has happened when connecting to a share on a DROBO device, and on a share which is not on the domain, but which was a Microsoft Home Server. I wonder if there's something broken in Windows 7 Professional with regards to connecting to non-domain shares when an Active Directory domain controller exists, and a particular workstation is joined to a domain?

The problem only occurs if I click "remember credentials". It is not fixed by any amount of working with net use. Using cmdkey to delete all stored credentials for the host is the only way to get back in, and it affects all non-domain shared folders.

Update: I'm hoping there are some registry locations I could check that could be misconfigured in some way that might explain why SMB/CIFS stored credentials for non-domain systems seem to be auto-invalidated in this weird way. Knowing how whacko Microsoft Windows domain and security handling is sometimes, this could be some kind of stupid "feature".


Source: (StackOverflow)

Change A Password

I have a non-domain machine that I use with our company's domain resources over VPN regularly. I switched to Windows 8 (fresh install), and the "Change a password" option went away from the Ctrl-Alt-Del window.

Can't seem to google anything about this subject, or find a way to access that password change dialog.

I tried running the .reg file from http://www.sevenforums.com/tutorials/63014-ctrl-alt-del-screen-add-remove-change-password.html with no luck. I also tried to Disable "Remove Change Password" via gpedit.msc.

I could do it from my domain laptop, but I like to do it on this machine because it updates all my saved copies of those credentials.

My local account is tied to my hotmail account if that matters.

Updates: Administrator account. I apologize for stating this was an upgrade, it was a fresh install to a different drive. 64-bit Pro install.

Bounty's almost up. If someone can just confirm that the Change A Password... should or should not be present on a non-domain, Live tied, Win8 install, I'll be satisfied that I can or cannot expect to fix it.


Source: (StackOverflow)

What are reasons for local Windows named-pipes to fail?

I've been working hard on this one all day and I'm stuck. This morning our Asian colleagues called me because a SolidWorks add-in for our product data management system could not communicate with the local main application. The problem affects end user computers in a Windows domain. We used the READPIPE and MAKEPIPE utils from SQL server toolbox to figure out that the underlying problem was the Windows pipe feature.

  • The MAKEPIPE util creates a pipe and is waiting for a client. The READPIPE util returns: "Failed to Open Pipe. Status 53." According to http://support.microsoft.com/kb/110905 it means that the network name was not found. On my local computer the pipe sends a "hello" from READPIPE to MAKEPIPE without problems.
  • The server process which enables named-pipes is running.
  • The settings under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters look okay. No pipes firewall setting.
  • The problem affects some users but not all. We did not make changes to the domain groups except for some network share groups.
  • I logged on as administrator and still the pipes won't work.

Any help is appreciated! Thank you.


Source: (StackOverflow)

Windows 10 Offer Icon (GWX) - How to get it on AD/Domain joined PCs?

I know there's no need to rush getting Windows 10 as I should receive it for free in the future, at least according to what I've read.

However, information about the upgrade offer popping up in the taskbar tray icon area are showing up and I didn't get those yet.

I think I found the reason. My 3 PCs are members of a small private Active Directory, all are Windows 8 Pro, upgraded to Windows 8.1 and have genuine keys applied to them. Opening the config in "C:\Windows\System32\GWX" shows that the following value is set:

 <EnableDomainJoined>false</EnableDomainJoined>

The file is write protected and can only be edited as an Administrator. Doing so and setting that value to true I am still not getting the icon. I tried running the GWX executable before and after running the pre-defined scheduled tasks "Microsoft/Windows/Setup/gwx*".

There's another value, where the current phase is defined. I've set the following to "AnticipationUX" since for that phase "TrayIcon" is defined as true.

<Phase>None</Phase>

This didn't change anything either.

Does anyone know how to activate the upgrade offer on PCs that are members of a domain? I don't want to take the PCs out of it just for this.


Source: (StackOverflow)

How can I connect a Windows 8 PC to a Samba domain

I am using Samba 3, and want to join my Windows 8 PC to the Samba domain.

Windows 8 cannot join out of the box, so I added the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
        DWORD DomainCompatibilityMode 1
        DWORD DNSNameResolutionRequired 0 

And now it talks to the Samba server ok, however I get the following error: Samba Windows 8 error

And I notice that the machine name created on the samba server does not match its name:

win-8jq3fg1n74e$:x:30003:30003:Machine:/var/lib/nobody:/bin/false

It is like it is using an internal name.

The following is the error in the smb.log

[2012/10/21 14:26:16.099520,  0] passdb/pdb_interface.c:348(pdb_default_create_user) _samr_create_user: Running the command `/usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false win-8jq3fg1n74e$' gave 9        
[2012/10/21 14:26:28.143224,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2012/10/21 14:26:28.143420,  0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not  connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

Source: (StackOverflow)