Thursday, April 28, 2011

Enable FIM 2010 and PCNS logging


Diagnostics and maintenance

Whenever a password change operation completes, the history is saved in the FIM Synchronisation Service database in SQL Server. Because a large number of password change operations can increase the size of the database, it is recommended that you save and clear the password change history on a regular basis to limit performance issues on the server running SQL Server. For information about clearing the password change history, see the FIM Developer Reference.

Both FIM and the PCNS use the Application log to record activity and failure events. For learning about password synchronisation, it is recommended that you set the logging level to high and monitor the Application log closely during the initial configuration and rollout of password synchronisation.

For FIM, there are four logging levels that are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationServices\Logging

  • 0 = Minimal Logging
  • 1 = Normal logging (default)
  • 2 = High logging
  • 3 = Verbose logging

For PCNS, there are four logging levels that are controlled by adding the EventLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters

  • 0 = Minimal Logging
  • 1 = Normal logging (default)
  • 2 = High logging
  • 3 = Verbose logging

The new logging level does not always take effect without a reboot.
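As an added example (not part of the original post), the following PowerShell script sets both registry values described above to the same logging level and reads them back. The registry paths and value names are the ones quoted in the post; run it elevated on the FIM Synchronization Service server (for the FIM value) and on each domain controller running PCNS (for the PCNS value). The script only writes keys that already exist, so it is safe to run on a host that has only one of the two components installed.

```powershell
# Added example, not from the original post or from FIM/PCNS documentation:
# set the FIM and PCNS password-sync logging levels and read them back.
# Registry paths and value names are those quoted in the post.
param(
    [ValidateRange(0, 3)]
    [int]$Level = 2   # 0 = Minimal, 1 = Normal (default), 2 = High, 3 = Verbose
)

$targets = @(
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\FIMSynchronizationServices\Logging'
       Name = 'FeaturePwdSyncLogLevel' },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\PCNSSVC\Parameters'
       Name = 'EventLogLevel' }
)

foreach ($t in $targets) {
    # A missing key means this component is not installed on this host; do not create it.
    if (-not (Test-Path $t.Path)) {
        Write-Warning "Registry key not present on this host, skipping: $($t.Path)"
        continue
    }
    # -Force creates the REG_DWORD value or overwrites an existing one.
    New-ItemProperty -Path $t.Path -Name $t.Name -PropertyType DWord -Value $Level -Force | Out-Null
    # Read the value back so the console shows what is actually stored.
    $current = (Get-ItemProperty -Path $t.Path -Name $t.Name).$($t.Name)
    Write-Output ("{0}\{1} = {2}" -f $t.Path, $t.Name, $current)
}
```

Run it with `-Level 3` while troubleshooting and with `-Level 1` to return to the default once password synchronisation is working; verbose logging adds noticeable volume to the Application log on busy domain controllers. As the post notes, the service may need a restart or the host a reboot before the new level is honoured.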


Hat-tip: http://certsrv.ru/fim2010.en/html/9537ebeb-80bb-4389-9538-1b65302b70eb.htm

pcnscfg deleteTarget /N:name & Error deleting the target


pcnscfg list shows a target which is wrong but cannot be changed or deleted.

Error message from pcnscfg: Error deleting the target. The target was not found.

Because this stale target is still listed, PCNS keeps trying to send password changes to that server; it cannot find it and logs a 6025 error in Event Viewer.

  • Open ADSIEDIT.MSC.
  • Open the domain and select New Query.
  • Name the query; the query string is ObjectClass=MS-MIIS-PCNS-Target.
  • Find the target, right-click it and delete it.
  • Restart PCNS and try again.
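As an added example (not part of the original post), the PowerShell script below runs the same LDAP query ADSI Edit would run, lists every MS-MIIS-PCNS-Target object in the domain, and optionally deletes the one you name. The objectClass comes from the post; the attributes read (cn, distinguishedName, whenCreated) are standard AD attributes assumed to be present on the object. It uses System.DirectorySearcher, so it needs no AD module, and without -Remove it only lists.

```powershell
# Added example, not from the original post: enumerate (and optionally delete)
# MS-MIIS-PCNS-Target objects, i.e. the servers PCNS is configured to send
# password changes to. Review the list before removing anything; a wrong
# target means password changes go to a host that should not receive them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TargetName,   # optional: only show/remove the target whose cn matches
    [switch]$Remove        # actually delete; add -WhatIf to rehearse
)

# Search the whole default naming context for PCNS target objects.
$root = [ADSI]'LDAP://RootDSE'
$searchBase = [ADSI]"LDAP://$($root.defaultNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchBase)
$searcher.Filter = '(objectClass=MS-MIIS-PCNS-Target)'
$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'distinguishedName', 'whenCreated'))

foreach ($r in $searcher.FindAll()) {
    $cn = [string]$r.Properties['cn'][0]
    if ($TargetName -and $cn -ne $TargetName) { continue }

    [pscustomobject]@{
        Name    = $cn
        DN      = [string]$r.Properties['distinguishedname'][0]
        Created = $r.Properties['whencreated'][0]
    } | Format-List

    # ShouldProcess honours -WhatIf / -Confirm so nothing is deleted by accident.
    if ($Remove -and $PSCmdlet.ShouldProcess($cn, 'Delete PCNS target object')) {
        $entry = $r.GetDirectoryEntry()
        $entry.DeleteTree()   # removes the object (and any children) from the directory
    }
}
```

Run it once with no parameters to see which targets exist and when they were created, then `-TargetName <name> -Remove -WhatIf` to confirm the match, and finally without `-WhatIf`. Restart PCNS afterwards, as the post says, so the service rereads its target list.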

Hat-tip: http://social.technet.microsoft.com/Forums/en/identitylifecyclemanager/thread/80e13fb6-a09d-4bfa-b70f-e664ec4c0074

Error: The zone cannot be created. A conditional forwarding zone already exists for that name.


I tried to create a secondary DNS zone, but I received the following error: The zone cannot be created. A conditional forwarding zone already exists for that name.

  • Connect to the domain controller.
  • Go to Start > Run > Dnsmgmt.msc
  • Right-click the server name > Properties > Forwarders, and remove the forwarder entry for the domain for which you are trying to create the secondary DNS zone.
  • Re-create the zone from the start.
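As an added example (not part of the original post), this PowerShell script checks a DNS server for an existing zone of the same name before attempting to add the secondary zone, so the conflict is reported up front instead of as the error above. It queries the MicrosoftDNS WMI provider and then calls dnscmd; the ZoneType code meanings are assumed from that provider's documentation, and the zone name and master IP are placeholders you supply.

```powershell
# Added example, not from the original post: detect a conflicting zone (for
# instance a conditional forwarder) before creating a secondary DNS zone.
param(
    [Parameter(Mandatory = $true)][string]$ZoneName,   # e.g. the domain you want to host
    [Parameter(Mandatory = $true)][string]$MasterIp,   # primary server to transfer from
    [string]$DnsServer = $env:COMPUTERNAME
)

# MicrosoftDNS_Zone.ZoneType codes (assumed): 0 AD-integrated, 1 primary,
# 2 secondary, 3 stub, 4 conditional forwarder.
$zoneTypeNames = @{ 0 = 'AD-integrated'; 1 = 'Primary'; 2 = 'Secondary'; 3 = 'Stub'; 4 = 'Forwarder' }

$existing = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
    -Class MicrosoftDNS_Zone -Filter ("Name='{0}'" -f $ZoneName)

if ($existing) {
    $code = [int]$existing.ZoneType
    $kind = if ($zoneTypeNames.ContainsKey($code)) { $zoneTypeNames[$code] } else { "type $code" }
    Write-Warning ("Zone '{0}' already exists on {1} as: {2}" -f $ZoneName, $DnsServer, $kind)
    if ($code -eq 4) {
        Write-Warning 'Remove the conditional forwarder (DNS Manager > server > Properties > Forwarders) and re-run.'
    }
    return
}

# No conflict: create the secondary zone that transfers from the given master.
& dnscmd $DnsServer /ZoneAdd $ZoneName /Secondary $MasterIp
```

The script deliberately does not delete the conflicting forwarder itself; removing it changes how the server resolves that domain for every client, so the post's manual step in DNS Manager is the right place for that decision.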

Thanks to: http://vvirtual.wordpress.com/2010/09/28/error-the-zone-cannot-be-created-a-conditional-forwarding-zone-already-exists-for-that-name/

Tuesday, April 19, 2011

User account control settings (kb305144)


The following table lists possible flags that you can assign. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).


Property flag                     Value in hexadecimal   Value in decimal
SCRIPT                            0x0001                 1
ACCOUNTDISABLE                    0x0002                 2
HOMEDIR_REQUIRED                  0x0008                 8
LOCKOUT                           0x0010                 16
PASSWD_NOTREQD                    0x0020                 32
PASSWD_CANT_CHANGE *              0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED        0x0080                 128
TEMP_DUPLICATE_ACCOUNT            0x0100                 256
NORMAL_ACCOUNT                    0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT         0x0800                 2048
WORKSTATION_TRUST_ACCOUNT         0x1000                 4096
SERVER_TRUST_ACCOUNT              0x2000                 8192
DONT_EXPIRE_PASSWORD              0x10000                65536
MNS_LOGON_ACCOUNT                 0x20000                131072
SMARTCARD_REQUIRED                0x40000                262144
TRUSTED_FOR_DELEGATION            0x80000                524288
NOT_DELEGATED                     0x100000               1048576
USE_DES_KEY_ONLY                  0x200000               2097152
DONT_REQ_PREAUTH                  0x400000               4194304
PASSWORD_EXPIRED                  0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION    0x1000000              16777216

* You cannot modify

Note: In a Windows Server 2003-based domain, LOCKOUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed.

Property flag descriptions

  • SCRIPT - The logon script will be run.
  • ACCOUNTDISABLE - The user account is disabled.
  • HOMEDIR_REQUIRED - The home folder is required.
  • PASSWD_NOTREQD - No password is required.
  • PASSWD_CANT_CHANGE - The user cannot change the password.
  • ENCRYPTED_TEXT_PWD_ALLOWED - The user can send an encrypted password.
  • TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
  • NORMAL_ACCOUNT - This is a default account type that represents a typical user.
  • INTERDOMAIN_TRUST_ACCOUNT - This is a trust account for a system domain that trusts other domains.
  • WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Windows NT 4.0 or Windows 2000 and is a member of this domain.
  • SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
  • DONT_EXPIRE_PASSWORD - The password on this account should never expire.
  • MNS_LOGON_ACCOUNT - This is an MNS logon account.
  • SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
  • TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
  • NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • USE_DES_KEY_ONLY - (W2K/W2K3) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • DONT_REQ_PREAUTH - (W2K/W2K3) This account does not require Kerberos pre-authentication for logging on.
  • PASSWORD_EXPIRED - (W2K/W2K3) The user's password has expired.
  • TRUSTED_TO_AUTH_FOR_DELEGATION - (W2K/W2K3) The account is enabled for delegation. This is a security-sensitive setting. Accounts with this option enabled should be tightly controlled. This setting allows a service that runs under the account to assume a client's identity and authenticate as that user to other remote servers on the network.


UserAccountControl values

These are the default UserAccountControl values for certain objects:
  • Typical user: 0x200 (512)
  • Domain controller: 0x82000 (532480)
  • Workstation/server: 0x1000 (4096)
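As an added example (not from kb305144 or the original post), the PowerShell below turns a userAccountControl number into the flag names from the table above and composes a value from flag names, the way the post builds 0x0202 for a disabled user. The flag table is transcribed from the post; the short "review" list is this example's own selection of flags that weaken authentication or widen delegation and is meant as a prompt for a security review, not a verdict.

```powershell
# Added example, not from kb305144 or the original post: decode and compose
# userAccountControl values using the flag table above.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# This example's own list of flags worth a second look when set on an account.
$ReviewFlags = @(
    'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'USE_DES_KEY_ONLY',
    'DONT_REQ_PREAUTH', 'TRUSTED_FOR_DELEGATION', 'TRUSTED_TO_AUTH_FOR_DELEGATION'
)

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory = $true)][int]$Value)
    # Collect every flag whose bit is set in the value.
    $set = foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    }
    # Bits outside the table (reserved or newer flags) are reported, not silently dropped.
    $known = 0
    foreach ($v in $UacFlags.Values) { $known = $known -bor $v }
    $unknown = $Value -band (-bnot $known)
    [pscustomobject]@{
        Value       = $Value
        Hex         = ('0x{0:X}' -f $Value)
        Flags       = @($set)
        NeedsReview = @($set | Where-Object { $ReviewFlags -contains $_ })
        UnknownBits = ('0x{0:X}' -f $unknown)
    }
}

function ConvertTo-UserAccountControl {
    param([Parameter(Mandatory = $true)][string[]]$Flag)
    # OR the named flags together; an unknown name is an error rather than a silent zero.
    $value = 0
    foreach ($f in $Flag) {
        if (-not $UacFlags.Contains($f)) { throw "Unknown flag: $f" }
        $value = $value -bor $UacFlags[$f]
    }
    $value
}

# The three defaults quoted in the post, decoded into flag names.
512, 532480, 4096 | ForEach-Object { ConvertFrom-UserAccountControl $_ } | Format-List

# A disabled normal user composed from its parts; the post gives this as 0x0202 = 514.
ConvertTo-UserAccountControl NORMAL_ACCOUNT, ACCOUNTDISABLE
```

Decoding the domain-controller default shows why the review list is only a prompt: 0x82000 is SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION, which is expected on a domain controller but is exactly the bit you want to question on an ordinary user or service account. To find accounts carrying a given flag directly in AD, the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) can be used in the filter, for example (userAccountControl:1.2.840.113556.1.4.803:=4194304) for DONT_REQ_PREAUTH, with the decimal value taken from the table.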

Wednesday, April 06, 2011

An Important Message from Dell Australia


Dell's global email service provider, Epsilon, recently informed us that their email system was exposed to unauthorised entry. As a result, your email address, and your first name and last name may have been accessed by an unauthorised party. Epsilon took immediate action to close the vulnerability and notify US law enforcement officials.

Whilst no credit card, banking or other personally identifiable information was involved, we felt it was important to let you know that your email address may have been accessed. While we hope that you will not be affected, we recommend that you be alert to suspicious emails requesting your personal information.

To help protect your personal information online we recommend that you do not provide any sensitive information through email, or open emails from senders you do not know. Dell will never ask for your financial information through email.

Dell takes its commitment to protecting customer data very seriously and has notified the Australian Privacy Commissioner and ACMA (Australian Communications and Media Authority). Dell continues to work closely with regulatory bodies and manage customer concerns.

We sincerely regret that this incident has taken place and we will continue to work with Epsilon to ensure that all appropriate measures are taken to protect your personal information.
Please contact us at anz_cust_serv@dell.com should you have any questions.
Sincerely

Deborah Harrigan
Dell Consumer and Small Business Executive Director
Dell Australia Pty Limited
