Windows Tips & Tricks UPDATE, November 22, 2004, —brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add [email protected] to your list of allowed senders and contacts.
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.
Symantec - Taking Remote Management to the next level!
Choosing a smart fax server in today's changing business world
Sponsor: Symantec - Taking Remote Management to the next level!
Symantec's pcAnywhere(TM) 11.5 is the world's leading remote control solution. Now you can use it to manage Linux(R) as well as Windows(R) systems, either from a Windows-based system running pcAnywhere 11.5, or another system running a Java(TM)-enabled Web browser. Enhanced video performance and built-in AES 256-bit encryption help make communications fast and secure. On the go? Access a pcAnywhere host from your Microsoft(R) Pocket PC over any TCP/IP connection, wired or wireless. pcAnywhere also features powerful, efficient file-transfer capabilities that let you transfer files across different platforms. Resolve helpdesk issues quickly, manage remote computers securely, and work across multiple platforms easily with versatile pcAnywhere 11.5.
- Q. How can I view the state of Active Directory (AD) permissions delegations?
- Q. How can I revoke delegated Active Directory (AD) permissions?
- Q. Why do I receive a KERNEL_DATA_INPAGE_ERROR code when I start my computer?
- Q. How can I obtain a list of the available Group Policy options in Windows XP Service Pack 2 (SP2)?
- Q. Why do scheduled tasks that are contained in a disk image of a machine on which I ran Sysprep no longer work correctly?
by John Savill, FAQ Editor, [email protected]
This week, I tell you how to view the state of Active Directory (AD) permissions delegations and revoke delegated AD permissions, and I explain the possible cause of a KERNEL_DATA_INPAGE_ERROR code. I also explain how you can obtain a list of the available Group Policy options in Windows XP Service Pack 2 (SP2) and why scheduled tasks contained in a disk image of a machine on which Sysprep was run no longer work correctly.
Sponsor: Choosing a smart fax server in today's changing business world
Organizations that have been automating fax for years may be missing out on substantial benefits with the more complete automation available in "smart" fax server solutions. Written for business and information technology professionals, this informative white paper helps organizations address fax-related cost and complexity issues as business IT continues to evolve. You'll discover the pitfalls of conventional fax machines and fax servers, ROI potential of fax automation technology, integration with email/messaging platforms such as Microsoft Exchange, integration with enterprise applications such as SAP, and more. Download this free white paper now!
Q. How can I view the state of Active Directory (AD) permissions delegations?
A. Windows Server 2003 and Windows 2000 Server provide helpful wizards for delegating permissions to users in AD. However, no wizard lets you view existing delegations. To do so, you must manually view the security settings that have been applied on containers and objects.
Microsoft recently released a tool that makes it easier to view existing permissions delegations. You can download the tool--called Dsrevoke--at http://www.microsoft.com/downloads/details.aspx?familyid=77744807-c403-4bda-b0e4-c2093b8d6383&displaylang=en. Dsrevoke reports on the permissions for a domain and/or organizational units (OUs) and lets you remove permissions. For example, the following sample Dsrevoke command checks for permissions on the HelpDesk group in the demo domain and specifies the Testing OU in the demo.test domain:
dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk
The command displays these onscreen messages:
ACE #1 Object: OU=testing,DC=demo,DC=test Security Principal: DEMO\HelpDesk Permissions: READ PROPERTY WRITE PROPERTY ACE Type: ALLOW ACE does not apply to this object ACE inherited by all child objects of class User ACE #2 Object: OU=testing,DC=demo,DC=test Security Principal: DEMO\HelpDesk Permissions: EXTENDED ACCESS ACE Type: ALLOW ACE does not apply to this object ACE inherited by all child objects of class User # of ACEs for demo\helpdesk = 2
You can see in the output that the HelpDesk group has several access control entries (ACEs) for the Testing OU; however, the output information doesn't provide the exact permissions for the HelpDesk group. To determine this information, you must first enable the Advanced view in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Then, at the container's Properties page, select the Security tab and click the Advanced button. To view a group's permissions, select the Permissions tab, then select the group and click Edit, as the figure at http://www.windowsitpro.com/content/content/44767/viewadvancedpermissions.gif shows. In this example, the HelpDesk group has permissions to reset passwords and to force a password change. Dsrevoke is most effective when delegation has been defined by using roles--that is, users are placed in a group, and the group is given permissions at a domain or OU level, instead of via individual objects.
Q. How can I revoke delegated Active Directory (AD) permissions?
A. You can revoke permissions on all containers under a passed root--for example, a domain or an organization unit (OU)--by using the Dsrevoke tool, which I describe in FAQ "How can I view the state of Active Directory (AD) permissions delegations?" To revoke permissions, you use the command syntax that I provided in that FAQ but replace the /report switch with the /remove switch, like this:
dsrevoke /remove /root:ou=testing,dc=demo,dc=test demo\helpdesk
After you run Dsrevoke, the access control entries (ACEs) that match your criteria are displayed on screen, like this:
ACE #1 Object: OU=testing,DC=demo,DC=test Security Principal: DEMO\HelpDesk Permissions: READ PROPERTY WRITE PROPERTY ACE Type: ALLOW ACE does not apply to this object ACE inherited by all child objects of class User ACE #2 Object: OU=testing,DC=demo,DC=test Security Principal: DEMO\HelpDesk Permissions: EXTENDED ACCESS ACE Type: ALLOW ACE does not apply to this object ACE inherited by all child objects of class User # of ACEs for demo\helpdesk = 2 Do you want to remove the above listed ACEs (y/n): y All ACEs successfully removed
To remove the ACEs, you must enter "y" (yes) at the prompt. You can then confirm the removal by running Dsrevoke to output a report:
dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk
The command outputs this message:
No ACEs for demo\helpdesk
Q. Why do I receive a KERNEL_DATA_INPAGE_ERROR code when I start my computer?
A. The KERNEL_DATA_INPAGE_ERROR code indicates that the paging-file access process failed to find a page of kernel data. This problem has several possible causes. To determine the cause, look at the line that's under the main error message, which provides diagnostic information. The second parameter in this line is the I/O status code, which gives detailed information about the actual cause of the problem. The table at http://www.windowsitpro.com/content/content/44767/kernel_data.htm lists common KERNEL_DATA_INPAGE_ERROR error codes and their meanings. For example, on my computer I received the 0xC000009C error code--STATUS_DEVICE_DATA_ERROR--which indicates bad blocks (sectors) on the hard disk. To resolve the error, I booted to the Recovery Console (RC) and ran the command
chkdsk c: /r
The Chkdsk command found the bad blocks and fixed them; the machine then rebooted correctly.
Q. How can I obtain a list of the available Group Policy options in Windows XP Service Pack 2 (SP2)?
A. You can download a list of Group Policy settings in Administrative Template (.adm) files and security settings that Microsoft has updated for XP SP2 at http://go.microsoft.com/fwlink/?linkid=15165.
Q. Why do scheduled tasks that are contained in a disk image of a machine on which I ran Sysprep no longer work correctly?
A. Scheduled tasks that are configured to run with a particular set of credentials have an encrypted password. When you run the Sysprep utility on a system, the information that the computer needs to decrypt the password no longer exists. As a result, the following error is written to the %systemroot%\schedlgu.txt file:
0x8004130f: No account information could be found in the Task Scheduler security database for the task indicated.
To solve this problem, you must reenter the credentials for each task that's experiencing the error by performing these steps:
- Start the Tasks interface (Start, Run, %systemroot%\tasks).
- Right-click the task and select Properties from the context menu.
- At the Task tabbed page, reenter the credentials in the "Run as" box.
- Click the "Set password" button, enter the correct password twice in the displayed boxes, and click OK.
- Click Apply, then click OK.
You might also receive this error when you uninstall Windows 2000 Service Pack 4 (SP4). Because the password-encryption method changed in SP4, the scheduled tasks can no longer decrypt the password after you remove SP4.
(from Windows IT Pro and its partners)
The Email Security Center provides valuable tools and expertise to help secure your messaging services against attacks and unsolicited email. Our experts share the latest trends, guidance, and resources for understanding and blocking spam, viruses, and attacks while saving bandwidth, conserving server capacity, and minimizing administration costs. Sign up today!
You are if you have an Internet connection faster than 384Kbps. In this free live Web seminar, Alan Sugano will examine two attacks (an SMTP Auth Attack and a SQL Attack) that let spammers get into the network and relay spam. Find out how to keep the hackers out of your network and what to do if your mail server is blacklisted as an open relay. Register now!
Did you know Windows IT Pro has 12 free eNewsletters to help you find up-to-date fast information on the topics you care about? Sign up now for any of our eNewsletters and be entered for a chance to win a TiVo and a lifetime subscription to TiVo service.
The deadline is looming for compliance with the final set of Sarbanes-Oxley requirements. Are you ready, or are you still struggling with Section 404 issues? In this free on-demand Web seminar, let the experts of Ernst & Young LLP and NetIQ provide you with the tips and techniques required to maintain proper internal control frameworks. Register today!
(A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )
More and more companies are taking the first steps toward leaving passwords behind and implementing tokens for at least a portion of their users and systems. In this free live Web seminar, find out the advantages of implementing tokens and learn how you can you make a solid business case to management that justifies the costs. And, you'll receive checklists of key evaluation, testing points, and critical success factors for rollout time. Register now!
Here's how to reach us with your comments and questions:
- About the newsletter — [email protected]
- About technical questions — http://www.windowsitpro.com/forums
- About product news — [email protected]
- About your subscription — [email protected]
- About sponsoring UPDATE — [email protected]
This weekly email newsletter is brought to you by Windows IT Pro, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.