
Thursday, December 02, 2010

Interactive logon information

I got into some discussions about these 4 attributes and how they work. Here it is:

msDS-FailedInteractiveLogonCount: The total number of failed Ctrl+Alt+Del (C-A-D) logon attempts at a domain-joined Windows Vista or Windows Server 2008 (or later) member since the Last Interactive Logon Information feature was turned on.

msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: The total number of failed C-A-D logon attempts at a domain-joined Windows Vista or Windows Server 2008 (or later) member up until the last successful C-A-D logon.

msDS-LastFailedInteractiveLogonTime: The time of the last C-A-D logon attempt at which an incorrect password was presented at a domain-joined Windows Vista or Windows Server 2008 (or later) member.

msDS-LastSuccessfulInteractiveLogonTime: The time of the last successful C-A-D logon at a domain-joined Windows Vista or Windows Server 2008 (or later) member.

If the username/password is correct, the DC writes the timestamp to msDS-LastSuccessfulInteractiveLogonTime and sets msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon to the current value of msDS-FailedInteractiveLogonCount. If the username/password is wrong, it writes the timestamp to msDS-LastFailedInteractiveLogonTime and raises msDS-FailedInteractiveLogonCount by one (1); for example, if msDS-FailedInteractiveLogonCount already holds 2 it becomes 3. The difference between the two counters is the number of failed attempts since the last good logon, which is the number the logon screen shows the user.

When it is configured, two things happen:
1) The domain controller writes the information to AD and replicates it. [Screenshot 1]
2) On the machine the user logs on to (Windows Vista or Windows Server 2008 or later) a query is sent to a DC and the information is displayed at the logon screen. [Screenshot 2]

[Screenshot 1] The information waiting to be replicated to other DCs:

(0) modify CN=Jimmy Andersson,OU=Users,OU=ADS,OU=Services,OU=_Operations,DC=qadvice,DC=prv
1> objectGUID: 1e8979ba-94f8-47fe-83cc-99e9c28fa016
1> instanceType: 0x4 = ( WRITE )
1> msDS-LastSuccessfulInteractiveLogonTime: 2010-11-14 19:43:54 W. Europe Standard Time

[Screenshot 2] The information displayed to the user after a successful logon

What you need to think about:

Each time a user logs on it creates replication traffic, as you can see in screenshot 1. This information is then replicated to all domain controllers in the domain; in large environments this will most likely be an issue, so this feature should be used with caution!

If an RODC authenticates the user, this happens:
• msDS-LastSuccessfulInteractiveLogonTime is only written to the RODC and is not forwarded to the RWDC
• msDS-LastFailedInteractiveLogonTime is written to the RODC and forwarded to the RWDC, then replicated back from the RWDC to the RODC
• msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon is only written to the RODC and is not forwarded to the RWDC
• msDS-FailedInteractiveLogonCount is written to the RODC and forwarded to the RWDC, then replicated back from the RWDC to the RODC

Note! If you configure this for an OU with clients but do not configure it on the domain controllers, the users will be faced with this error and will not be able to log on:

Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator for assistance.

If a domain controller can't be located, the user will not be able to log on either.

If you still see a need to use this feature, this is how you configure it:
Create a GPO and link it to both the Domain Controllers OU and to the OU that holds the clients on which you want users to see this logon information. If you want more flexibility, create two GPOs: one for the Domain Controllers OU and one for the clients, which you can then filter with groups etc.

Note! Even if you select only a few clients to show this information on, you still affect all DCs. Even though users only see the information on a selected number of clients, it is written to a DC for all interactive logons and then replicated to all DCs. This is because you enable it on the DC(s), and thus all users get affected.

My recommendation:
Only use it when you really need it. Displaying the information to normal end users is useless since they won't understand it; most users will just click OK without reading it anyway...
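The following PowerShell is an added example, not part of the original post. It reads the four attributes for one user, decodes the two FILETIME values, works out the "failures since last good logon" number the logon screen derives from the two counters, and checks whether the DC it asked actually has the policy applied (the situation behind the "Windows could not retrieve this information" error above). The user name, the DC used, and the registry value DisplayLastLogonInfo are assumptions for this example.

```powershell
# Added example (not from the original post). Assumed: the ActiveDirectory module,
# a user 'jandersson', and that the GPO setting lands in the DisplayLastLogonInfo value.
Import-Module ActiveDirectory

function Get-LastInteractiveLogonInfo {
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Ask a specific DC: an RODC keeps msDS-LastSuccessfulInteractiveLogonTime
        # locally, so a writable DC may show a stale value for RODC-authenticated users.
        [string]$Server = [string](Get-ADDomainController -Discover).HostName
    )

    $props = 'msDS-LastSuccessfulInteractiveLogonTime',
             'msDS-LastFailedInteractiveLogonTime',
             'msDS-FailedInteractiveLogonCount',
             'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

    $u = Get-ADUser -Identity $Identity -Server $Server -Properties $props

    # Both time attributes are 64-bit FILETIME values (null when never written).
    $toDate = { param($ft) if ($ft) { [DateTime]::FromFileTime([long]$ft) } else { $null } }

    $failed     = [int]$u.'msDS-FailedInteractiveLogonCount'
    $failedAtOk = [int]$u.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

    [pscustomobject]@{
        SamAccountName         = $u.SamAccountName
        QueriedDC              = $Server
        LastSuccessfulLogon    = & $toDate $u.'msDS-LastSuccessfulInteractiveLogonTime'
        LastFailedLogon        = & $toDate $u.'msDS-LastFailedInteractiveLogonTime'
        FailedTotal            = $failed
        FailedAtLastSuccess    = $failedAtOk
        # This is the number the logon screen presents to the user.
        FailedSinceLastSuccess = $failed - $failedAtOk
    }
}

function Test-LastLogonPolicyApplied {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Assumption: "Display information about previous logons during user logon"
    # is stored as this DWORD under Policies\System on the DC and on the client.
    $keyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey($keyPath)
        return ($null -ne $key -and $key.GetValue('DisplayLastLogonInfo') -eq 1)
    } finally { $hklm.Close() }
}

$info = Get-LastInteractiveLogonInfo -Identity 'jandersson'
$info | Format-List
# If this is $false on the DC, clients with the policy will fail to log on.
"Policy applied on $($info.QueriedDC): $(Test-LastLogonPolicyApplied -ComputerName $info.QueriedDC)"
```

Run Test-LastLogonPolicyApplied against every DC before linking the client-side GPO; a single DC without the setting is enough to produce the logon failure described above whenever a client happens to pick it.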

Wednesday, November 17, 2010

Dcpromo and DNS installation message

Have you ever seen this?
"A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “FQDN”. Otherwise, no action is required."
This happens when:
- Dcpromo.exe has been configured to install the DNS Server role, no delegation for the new subdomain already exists in the immediate parent DNS zone, and the new DC is unable to create that delegation on a DNS server that is authoritative for the parent zone.
Do you need to care about it?
Not if you don't have users in other domains (Internet included) that need to resolve DNS names in the local domain.
Why does it happen?
- Dcpromo tries to create the delegation to ensure name resolution from other domains.
- You can also see this in a forest root domain that is immediately subordinate to a top-level domain.
- Dcpromo can auto-create this delegation only on Microsoft DNS servers; it fails for non-Microsoft DNS servers.
- The same applies if the (root) domain is subordinate to an existing intranet namespace that is hosted on non-Microsoft DNS servers such as BIND.
- I have also heard that this can happen if the AD domain name is registered on the Internet, but the ISP has not created the necessary delegation yet.
How to avoid it?
- On your non-Microsoft DNS servers, pre-create the delegation in the parent zone.
- If you have Microsoft DNS servers in the parent domain, make sure the account running dcpromo has the permissions needed to create the delegation in the parent zone.
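As an added example (not from the original post), this is what "pre-create the delegation" looks like on a Microsoft DNS server of that era, followed by the check you would run before starting dcpromo. The server, zone, child domain, host name and address are all assumed values.

```powershell
# Added example (not from the original post). Assumed names: parent zone
# corp.example.com on dns1.corp.example.com, child domain child.corp.example.com,
# first child DC dc1 at 10.0.0.5.
$ParentServer = 'dns1.corp.example.com'
$ParentZone   = 'corp.example.com'
$ChildLabel   = 'child'
$ChildDcHost  = 'dc1'
$ChildDcIp    = '10.0.0.5'

# dnscmd is the Windows DNS management tool of the Server 2008 era. These two
# records (an NS record for the child plus a glue A record for the child's name
# server) are exactly what dcpromo tries to create in the parent zone itself.
dnscmd $ParentServer /RecordAdd $ParentZone $ChildLabel NS "$ChildDcHost.$ChildLabel.$ParentZone."
dnscmd $ParentServer /RecordAdd $ParentZone "$ChildDcHost.$ChildLabel" A $ChildDcIp

# For comparison, the equivalent lines in a BIND zone file for the parent zone:
#   child       IN NS   dc1.child.corp.example.com.
#   dc1.child   IN A    10.0.0.5

# Verify from the parent: it must answer an NS query for the child name, and the
# glue name must resolve to the DC's address. nslookup is used so the check also
# works against non-Microsoft servers.
function Test-ChildDelegation {
    param(
        [string]$Server, [string]$ChildFqdn, [string]$GlueFqdn, [string]$ExpectedIp
    )
    $nsOut   = nslookup -type=NS $ChildFqdn $Server 2>$null
    $glueOut = nslookup $GlueFqdn $Server 2>$null
    [pscustomobject]@{
        ChildFqdn       = $ChildFqdn
        NsRecordPresent = [bool]($nsOut   -match "nameserver = $([regex]::Escape($GlueFqdn))")
        GlueResolves    = [bool]($glueOut -match [regex]::Escape($ExpectedIp))
    }
}

Test-ChildDelegation -Server $ParentServer -ChildFqdn "$ChildLabel.$ParentZone" `
    -GlueFqdn "$ChildDcHost.$ChildLabel.$ParentZone" -ExpectedIp $ChildDcIp
```

Both properties should be $true before dcpromo runs; if NsRecordPresent is $true but GlueResolves is $false, outside clients can learn the delegation but cannot reach the name server, which is the same broken state the warning is about. On Windows Server 2012 and later the Add-DnsServerZoneDelegation cmdlet can replace the two dnscmd calls.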

Saturday, October 02, 2010

MVP Award

I received this in my mail yesterday:

"Dear Jimmy Andersson,

Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year.
The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership.""

This is the 12th year in a row I have been honored with this award. I am proud.

Tuesday, September 28, 2010

Active Directory Web Services (ADWS)

This is a service that came with Windows Server 2008 R2 and provides a web service interface to the AD DS, AD LDS and Active Directory Database Mounting Tool instances that run on the same server as ADWS.

ADWS is installed automatically when you add the AD DS or AD LDS role to your server.

What happens if I stop it?
The Active Directory PowerShell module and the Active Directory Administrative Center will not be able to access any directory instances on the server. I personally think that in the future even more applications will stop working as well.

Any considerations?
Yes, ADWS requires TCP port 9389 to be open on the servers that run ADWS.

Can I configure how the traffic is handled?
Yes, in the %windir%\ADWS directory there is a file called Microsoft.ActiveDirectory.WebServices.exe.config that you can edit. These are the default values:

Parameter name: MaxConcurrentCalls
Default value: 32
Description: Specifies the maximum number of simultaneous service requests that the ADWS service is configured to process at a given time. Set a higher value for this parameter if the ADWS service on your Windows Server 2008 R2 server must be able to process more than 32 service requests at any given time.

Parameter name: MaxConcurrentSessions
Default value: 500
Description: Specifies the maximum number of client sessions that the ADWS service can accept at any given time. Set this parameter to a higher value if the ADWS service on your Windows Server 2008 R2 server must be able to accept more than 500 concurrent client sessions at any given time.

Parameter name: MaxReceivedMessageSize
Default value: 1 MB
Description: Specifies the maximum message request size, in megabytes (MB), that a client computer can send to the directory service instances that the ADWS service supports. This setting can affect the memory consumption of the ADWS service. For example, if MaxConcurrentCalls is set to 32 and MaxReceivedMessageSize is set to 1 MB, the ADWS service is configured to process a maximum of 32 MB in client message requests at any given time.

Parameter name: MaxStringContentLength
Default value: 32 KB
Description: Specifies the maximum string size, in kilobytes (KB) of a Lightweight Directory Access Protocol (LDAP) attribute that the ADWS service is configured to process in a message request that a client computer sends to a directory service instance that the ADWS service supports. Increasing this value can increase the maximum possible memory consumption of the ADWS service.

Parameter name: MaxPoolConnections
Default value: 10
Description: Specifies the maximum number of LDAP connections for each directory service instance that is used by the ADWS service that is running on a given Windows Server 2008 R2 server.

For example, if MaxPoolConnections on a particular Windows Server 2008 R2 server is set to 10 and there are 3 directory service instances running on this server, ADWS uses a maximum of 10 LDAP connections to each of these directory service instances to process requests that are sent to the ADWS service. Along with MaxConcurrentCalls, this can affect the maximum number of simultaneous requests that the ADWS service can process. Set this parameter to a higher value if you notice that client service requests are timing out while they wait for an LDAP connection to be available to process their request.

Note: To improve performance, the ADWS service on a Windows Server 2008 R2 server maintains a separate LDAP connection pool for every directory service instance that is running on this server. For example if your Windows Server 2008 R2 server is a domain controller (and is, therefore, running the AD DS server role) and also a global catalog server and if it is running two AD LDS instances and one Active Directory Database Mounting Tool instance (a total of five directory service instances), the ADWS service on this Windows Server 2008 R2 server maintains five separate LDAP connection pools. Because a global catalog does not share the same LDAP port as AD DS, it is considered a separate directory instance.

Parameter name: MaxPercentageReservedConnections
Default value: 50%
Description: Specifies the percentage of LDAP connections that are reserved for performing query operations for each directory service instance that the ADWS service supports on a given Windows Server 2008 R2 server. Set this parameter to a higher percentage if the ADWS service on this Windows Server 2008 R2 server is used mostly for running queries.

Parameter name: MaxConnectionsPerUser
Default value: 5
Description: Specifies the maximum number of LDAP connections (to a single directory service instance) that the ADWS service permits to be used at one time for operations that are associated with a single set of client credentials (one user). Set this parameter to a higher value if you are experiencing more than five concurrent client requests by one user to a single directory service instance running on your Windows Server 2008 R2 server. The value of MaxConnectionsPerUser cannot be greater than the value of MaxPoolConnections. If the value of MaxConnectionsPerUser is equal to the value of MaxPoolConnections, it will allow a single set of client credentials (for a single client computer) to consume all available LDAP connections for a given directory service instance.

Parameter name: MaxEnumContextExpiration
Default value: 30 minutes
Description: Specifies the maximum allowed time period during which the ADWS service processes and retrieves the results of a query request from a client computer.

Caution: Changing the default value of this parameter is strongly discouraged. Most of the search results are returned within 30 minutes.

Parameter name: MaxPullTimeout
Default value: 2 minutes
Description: Specifies the maximum allowed time-out value that a client computer can set when it retrieves one page of search results. Set this parameter to a higher value if slow wide area network (WAN) traffic results in a time-out value for returning one page of search results that is longer than two minutes

Note: The ADWS service processes search requests from client computers in the following manner:
- A client submits a search request.
- The ADWS service establishes a search context and returns a search context ID to the client computer.
- Using this search context ID, the client computer issues a page request to extract the search results specifying how many LDAP objects can be returned per page.

MaxPullTimeout controls the maximum amount of time a client can ask the ADWS service to spend retrieving a page of results, while MaxEnumContextExpiration is the maximum time that the search context can be kept open.

Parameter name: MaxEnumCtxsPerSession
Default value: 5
Description: Specifies the maximum number of search requests (search contexts) that can be submitted over a single client session to the ADWS service.

Parameter name: MaxEnumCtxsTotal
Default value: 100
Description: Specifies the maximum number of search requests (search contexts) that can be submitted over all active client sessions to the ADWS service.

Parameter name: MaxGroupOrMemberEntries
Default value: 5000
Description: Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to return more than 5000 results in your environment.

Note: This setting can affect the memory consumption of the ADWS service.
This configuration parameter is applicable only to the three Active Directory module cmdlets mentioned above.
If your operation returns an exceptionally large results set, you might run into a non-configurable 5-minute timeout.

Parameter name: OperationTimeout
Default value: 2 minutes
Description: Specifies the timeout limit for any ADWS service-based query request. Set this parameter to a higher value if you expect your query to return an exceptionally large results set that might take longer than 2 minutes to retrieve.

My recommendations:
- Let ADWS run on all domain controllers.
- Don't edit the config file unless you really need to.
- Do remember that this config file is not replicated. You need to edit it on all domain controllers.
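Because the config file is per server, the practical problem is drift: one DC tuned during an incident and never reverted. The following is an added example, not from the original post, that inventories ADWS on every DC in the domain (service state, TCP 9389 reachability, and any tuning key that differs from the defaults listed above). It assumes Windows PowerShell with the ActiveDirectory module, that admin$ on each DC maps to %windir%, and that the tuning keys live under appSettings in the config file; adjust the XML path if your build stores them elsewhere.

```powershell
# Added example (not from the original post). Assumed: ActiveDirectory module,
# admin$ share reachable on each DC, tuning keys stored as <appSettings><add .../>.
Import-Module ActiveDirectory

# Documented defaults (numeric parameters only), as listed above.
$Defaults = @{
    MaxConcurrentCalls               = 32
    MaxConcurrentSessions            = 500
    MaxPoolConnections               = 10
    MaxPercentageReservedConnections = 50
    MaxConnectionsPerUser            = 5
    MaxEnumCtxsPerSession            = 5
    MaxEnumCtxsTotal                 = 100
    MaxGroupOrMemberEntries          = 5000
}

function Test-AdwsPort {
    # Plain TCP connect with a timeout; a firewall blocking 9389 shows up as $false.
    param([string]$ComputerName, [int]$Port = 9389, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-AdwsStatus {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        $svc  = Get-Service -ComputerName $name -Name ADWS -ErrorAction SilentlyContinue

        # %windir%\ADWS on the remote DC, reached through the admin$ share.
        $cfgPath = "\\$name\admin`$\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config"
        $drift = @()
        if (Test-Path $cfgPath) {
            [xml]$cfg = Get-Content $cfgPath
            foreach ($add in $cfg.configuration.appSettings.add) {
                if ($Defaults.ContainsKey($add.key) -and [int]$add.value -ne $Defaults[$add.key]) {
                    $drift += "$($add.key)=$($add.value) (default $($Defaults[$add.key]))"
                }
            }
        } else {
            $drift += 'config not readable'
        }

        [pscustomobject]@{
            DomainController = $name
            ServiceStatus    = if ($svc) { $svc.Status } else { 'NotFound' }
            Port9389Open     = Test-AdwsPort -ComputerName $name
            ConfigDrift      = if ($drift) { $drift -join ', ' } else { 'none' }
        }
    }
}

Get-AdwsStatus | Format-Table -AutoSize
```

Anything other than Running / $true / none is worth a ticket: a stopped service or closed port breaks the PowerShell module and ADAC against that DC, and a raised MaxConnectionsPerUser or MaxGroupOrMemberEntries on one DC lets a single client consume more of that DC's LDAP pool and memory than on its peers.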

Down-level servers (Windows Server 2003 SP2, R2, 2008, 2008 SP2):
The Active Directory Management Gateway Service provides the same functionality as ADWS on 2008 R2. It is available as a download on the Microsoft web site.

Are there any differences between ADWS and the AD Management Gateway Service?
Yes, there is one difference that you will see: the AD Management Gateway Service does not support instances of the AD Database Mounting Tool running on Windows Server 2008.

Authentication Mechanism Assurance

Many people ask me about this feature and how it works. Let me first give an example scenario:

Let's say you have a user named Mark, this user is a member of the department Section5. Section5 deals with classified development. In the classical Windows way, you would create a group, let's name it "S5-Classified" (stupid name but it is just an example) and add the users within the department Section5 to it.

Let's say you have a file server with a share with top secret material, and you want only the members of the group S5-Classified to have access to it. You obviously grant the S5-Classified group the needed access, right?

This is all good, except that you now want them to be able to access the files only when they log on with a certificate-based logon, i.e. they should not be able to access it without the smart card.

So this is what it is all about: granting access based on the logon method. With a certificate-based logon you get a certain level of access; without the smart card you get less.

What happens behind the GUI:
First, it is not enabled by default in Windows Server 2008 R2 and it requires the Windows Server 2008 R2 domain functional level (DFL). When you enable it, authentication mechanism assurance adds a universal group (which you as an admin designate) to the user's access token when the user logs on with a certificate-based method.

So if access is granted based on the designated universal group, the user Mark only has access when using a certificate-based logon. With another logon method the universal group is not present in the access token, and thus there is no access.
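What "designate a universal group" means in the directory is a link from the issuance policy object (under CN=OID,CN=Public Key Services in the configuration partition) to the group, stored in the policy object's msDS-OIDToGroupLink attribute. The script below is an added example, not from the original post, that creates that link with the checks the feature needs: DFL at least Windows Server 2008 R2, a universal group, and a group with no static members (the membership is meant to be injected into the token at logon, not held in the directory). The issuance policy OID and the group name S5-Classified from the scenario are assumed values.

```powershell
# Added example (not from the original post). Assumed: ActiveDirectory module,
# an issuance policy with OID 1.3.6.1.4.1.311.21.8.1.2.3 already defined in the
# forest, and an empty universal group 'S5-Classified'.
Import-Module ActiveDirectory

function Set-IssuancePolicyGroupLink {
    param(
        [Parameter(Mandatory)][string]$IssuancePolicyOid,
        [Parameter(Mandatory)][string]$GroupName
    )

    # 1. Domain functional level must be Windows Server 2008 R2 or higher.
    $domain = Get-ADDomain
    $minLevel = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
    if ([int]$domain.DomainMode -lt [int]$minLevel) {
        throw "Domain functional level is $($domain.DomainMode); $minLevel is required."
    }

    # 2. The group must be universal and should carry no static members.
    $group = Get-ADGroup -Identity $GroupName -Properties member
    if ($group.GroupScope -ne 'Universal') {
        throw "$GroupName is a $($group.GroupScope) group; a universal group is required."
    }
    if ($group.member.Count -gt 0) {
        throw "$GroupName already has members; use an empty group so membership comes only from the logon."
    }

    # 3. Locate the issuance policy object by its OID in the configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $oidObj = Get-ADObject -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$configNC" `
        -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$IssuancePolicyOid))" `
        -Properties displayName, 'msDS-OIDToGroupLink'
    if (-not $oidObj) { throw "No issuance policy with OID $IssuancePolicyOid was found." }
    if ($oidObj.'msDS-OIDToGroupLink') {
        throw "Policy '$($oidObj.displayName)' is already linked to $($oidObj.'msDS-OIDToGroupLink')."
    }

    # 4. Write the link. From now on a certificate that carries this issuance
    #    policy puts the group's SID into the user's token at logon.
    Set-ADObject -Identity $oidObj -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
    Get-ADObject -Identity $oidObj -Properties displayName, 'msDS-OIDToGroupLink'
}

Set-IssuancePolicyGroupLink -IssuancePolicyOid '1.3.6.1.4.1.311.21.8.1.2.3' -GroupName 'S5-Classified'
```

To verify, have Mark run whoami /groups after a smart-card logon and again after a password logon: S5-Classified should be listed only in the first case. Because the group is resolved at logon, a user who switches from smart card to password on an existing session keeps nothing; the token is built once per logon.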

Thursday, August 12, 2010

Powershell script to put migrated users into a group

My friend Tony Murray has written a very good script that helps you keep track of migrated users that I wanted to share:

Note: I couldn't get the tabs in so it looks a little funny :(

-Script Begins-


# Name: SIDHistoryBasedGroupMembership.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 11/07/2010
# Comment: PowerShell 2.0 script to
# populate group membership based on sIDHistory values

#Import the Active Directory Powershell Module
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

#Create a new Event log source for the script (only needs to be run once)
New-EventLog -LogName Application -Source "Legacy Users Group Management" `
    -ErrorAction SilentlyContinue

$SearchBase = "OU=User Objects,DC=fabrikam,DC=local"
$OUArr = Get-ADUser -LDAPFilter "(samaccounttype=805306368)" `
    -SearchBase $SearchBase -SearchScope SubTree

# Now we need the domain security identifier of the old (source) domain,
# or at least a portion of it
$DomSID = "S-1-5-21-1584567894-2535104369-4141123456"

$Group = "Legacy Users"
$MbrArr = Get-ADGroupMember -Identity $Group

# Loop through the users found beneath the OU tree
# and check to see if the user is already
# a member of the group. If so, do nothing.
# If not, then add the user as a member.
foreach ($User in $OUArr) {
    $object = [ADSI]"LDAP://$($User.DistinguishedName)"
    # GetEx always returns an array of values (sIDHistory is multi-valued),
    # but throws if the attribute is not set at all - treat that as "no history".
    try   { $objectsidh = @($object.GetEx("sIDHistory")) }
    catch { $objectsidh = @() } # write-host "sIDHistory is blank"

    foreach ($sid in $objectsidh) {
        # Each value is the binary form of a SID; 0 is the offset into the byte array
        $sidh = New-Object System.Security.Principal.SecurityIdentifier $sid, 0
        if ($sidh.Value -like "$DomSID-*") {
            if ($MbrArr.DistinguishedName -contains $User.DistinguishedName) {
                # The user is already a member - do nothing
            } else {
                # We need to add the user as a member
                Write-EventLog -LogName Application `
                    -Source "Legacy Users Group Management" `
                    -EventId 3001 -EntryType Information -Message "$User added to $Group"
                Add-ADGroupMember -Identity $Group -Members $User
            }
        }
        # No match with sIDHistory - do nothing
    }
}
-Script Ends-

Friday, July 23, 2010

TechEd sessions

If you couldn't attend, you will find the sessions here:

Sunday, July 18, 2010


And people say I look funny when I'm tired and sleep with the laptop on my knees.....

New member in the Andersson family

Yep, there is a new member in our family. A very charming Border Collie that is 8 weeks and 4 days old. She will most certainly make me leave the computer once in a while :)

Monday, April 12, 2010

Windows Summit 2010

Attend Windows Summit 2010: May 25–27

This is a special opportunity to learn—straight from the Windows team—how you can best use Windows 7 and Internet Explorer to enable great solutions for your customers. This three day event takes place at the Microsoft Conference Center on Microsoft's campus in Redmond, WA and is designed for people who engineer and test Windows 7 PCs, devices, and software. Take advantage of this uniquely intimate event on the Microsoft campus to network with Microsoft technical experts and leaders at breakout sessions, chalk talks, and an Ask the Experts evening and social event.

More info here.

Monday, March 15, 2010


I will speak on TechDays this year together with my colleague Fredrik Pålerud (scroll down and you'll see him). If you want to know what it is, see this. TechDays is a Microsoft Sweden event and is held once per year. This year it is fully booked already so I'm looking forward to it!

Crayon also has a booth, where we will spend as much time as possible; please come and join us! And despite what the Crayon website says, we do have some seriously good consultants (they just haven't updated it with the consultant department yet...).

Friday, February 19, 2010

Install DFS Management Console - when you can't use the mouse

ServerManagerCmd -install RSAT-DFS-Mgmt-Con

Installing DFS replication - when you can't use the mouse

If you want to install DFS Replication on Web edition or Server Core, you need to do it from a command prompt. On Server Core (no Server Manager) use OCSetup; where Server Manager is available use ServerManagerCmd:

OCSetup DFSR-Infrastructure-ServerEdition

ServerManagerCmd -install FS-DFS-Replication

Tuesday, February 09, 2010

Protect "old" OUs from accidental deletion

In Windows Server 2008 and newer there is a check box you can set to protect an OU from accidental deletion. This is good, but if you don't use ADUC from Windows Server 2008 (or R2) it will not be set by default. Also, if you upgraded or migrated to Windows Server 2008 (or R2), it won't be set automagically on "old" objects. So here are two ways of doing it.

for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT


Get-ADOrganizationalUnit -Filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
Thank you Ulf for posting these two one-liners!
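Both one-liners touch every OU on every run. The version below is an added example, not from the original post: it first lists the OUs that are still unprotected, supports -WhatIf so you can preview before changing anything, and returns the list it changed so the run can be logged. It assumes the ActiveDirectory module and defaults to the whole domain.

```powershell
# Added example (not from the original post). Assumed: ActiveDirectory module;
# scope defaults to the whole domain, pass -SearchBase to narrow it.
Import-Module ActiveDirectory

function Protect-UnprotectedOUs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Only the OUs that are not already protected; this makes repeated runs cheap
    # and gives you an audit list of what was missing.
    $unprotected = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($ou in $unprotected) {
        # -WhatIf / -Confirm on the function call are honoured here.
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Protect from accidental deletion')) {
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
        }
    }

    # Return what was (or, with -WhatIf, would be) changed.
    $unprotected | Select-Object Name, DistinguishedName
}

# Preview first, then apply.
Protect-UnprotectedOUs -WhatIf
Protect-UnprotectedOUs
```

The check box and the cmdlet set the same thing the dsacls line above sets: a Deny ACE for Everyone on Delete and Delete Subtree, so either method can be verified with dsacls on the OU afterwards. Note that the flag only guards against deletion; it does nothing against an administrator who first clears it, so treat its removal as a change worth alerting on.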

Friday, January 22, 2010

Defining a new attribute - version 2

My colleague, Fredrik Pålerud, just saw what I blogged and he has another recommendation. Use Active Roles and you don't have to touch the actual Schema. Wanna learn more... Click here.

Defining a new attribute

I just stumbled over a pretty good article. It describes how to define a new attribute when you extend the Schema. Take a look at it if you haven't memorized it yet....

Outlook signature based on user info from AD

My colleague from Crayon Norway, Jan Egil Ring, has written a cool PowerShell script that creates an Outlook signature based on information from AD. Take a look at it, it is posted here.

Friday, January 15, 2010

Enable Recycle Bin - with Powershell

This is the Powershell way to enable Recycle Bin in a domain called DEMO.PRV:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=demo,DC=prv' -Scope ForestOrConfigurationSet -Target 'demo.prv'

Enable Recycle Bin - but not with Powershell

A question from yesterday: "Must I use Powershell to enable Recycle Bin in AD?"
The answer is: No.

You can also use LDP to do it. What you need to know is the GUID of the Recycle Bin and where to add it.

To find the GUID you need to browse to:
CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domainName,DC=xxx

And look at the msDS-OptionalFeatureGUID value (which is 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a).

Then you need to modify the CN=Partitions,CN=Configuration, DC=domainName,DC=xxx container:
1. Right-click it and select: "Modify"
2. Delete everything in the "DN:" box, it MUST be empty!
3. In the "Edit Entry Attribute:" box type: enableOptionalFeature
4. In the "Values" box type: CN=Partitions,CN=Configuration, DC=domainName,DC=xxx:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
5. In "Operation" you select "Add" click "Enter" and last you click "Run"

You have now enabled the Recycle Bin feature in AD!

Note - this is a Windows Server 2008 R2 feature, so it requires the Windows Server 2008 R2 forest functional level and won't work on legacy OS. Once enabled, the Recycle Bin cannot be disabled again. You must also replace domainName and xxx with whatever your environment is called.
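Whether you use the PowerShell one-liner or the LDP procedure above, the step people skip is checking the forest level and whether the feature is already on before issuing a change that cannot be reverted. The following is an added example, not from the original post, that does those checks against the domain naming master and also reads msDS-EnabledFeature on the Partitions container, the attribute the LDP procedure writes. The forest name demo.prv is taken from the post; everything else assumes only the ActiveDirectory module.

```powershell
# Added example (not from the original post). Assumed: ActiveDirectory module and
# the forest demo.prv used in the post.
Import-Module ActiveDirectory

function Test-RecycleBinReady {
    param([string]$Forest = 'demo.prv')

    $f  = Get-ADForest -Identity $Forest
    # The feature is forest-wide, so ask the domain naming master for the answer.
    $dc = $f.DomainNamingMaster

    # Windows2008R2Forest is the minimum forest functional level for the feature.
    $minLevel = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $levelOk  = [int]$f.ForestMode -ge [int]$minLevel

    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dc

    # After enabling, the feature's DN appears in msDS-EnabledFeature on the
    # Partitions container (what the LDP steps modify).
    $configNC   = (Get-ADRootDSE -Server $dc).configurationNamingContext
    $partitions = Get-ADObject -Identity "CN=Partitions,$configNC" `
        -Properties 'msDS-EnabledFeature' -Server $dc

    [pscustomobject]@{
        Forest             = $f.Name
        NamingMaster       = $dc
        ForestMode         = $f.ForestMode
        ForestLevelOk      = $levelOk
        FeatureGuid        = $feature.FeatureGUID
        AlreadyEnabled     = ($feature.EnabledScopes.Count -gt 0)
        EnabledFeatureAttr = (@($partitions.'msDS-EnabledFeature') -join '; ')
    }
}

$state = Test-RecycleBinReady
$state | Format-List

if ($state.ForestLevelOk -and -not $state.AlreadyEnabled) {
    # Keep the confirmation prompt: there is no way back after this.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $state.Forest -Server $state.NamingMaster -Confirm:$true
}
```

FeatureGuid should print the same value you look up manually in LDP (766ddcd8-acd0-445e-f3b9-a7f9b6744f2a), and after enabling, both AlreadyEnabled and EnabledFeatureAttr confirm it from two different places.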

Tuesday, January 05, 2010

Windows 7 God Mode

My good friend Wolfgang Schedlbauer sent me a mail today. The subject was "GodMode in Windows 7". So that got my attention and I needed to try it. It is cool! If you want to know what it is and try it (below text copy/pasted from his mail):

What is God Mode? This is a secret Windows 7 feature (if you can call it that!!), which provides you with an extended control panel to control your machine.

Here are the Steps to invoke the God Mode:

Create a new folder (right-click and click on “New Folder”). Right-click on the folder and click on rename, copy and paste this: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

This folder will now be a shortcut to the Windows 7 God Mode. The GodMode allows you to quickly access many Windows 7 functions via a GUI.