drewhill.net

Error: “You don’t currently have permission to access this folder.  Click Continue to get access to this folder.”

If you click continue the currently logged in user id will be granted security permissions to the folder.  This is not a good idea and the folder permissions will get messy quick if very many domain admin accounts are accessing the folders on the server.  So, what is really going on?

Here’s how to recreate the issue:

1. Create a new account in Active Directory and add it to the Domain Admins security group.
2. Create a Windows Server 2008 server and join it to the domain.
3. By default the Domain Admins security group is added to the local Administrators group when the server is added to the domain.
4. User Account Control (UAC) must be left enabled.
5. Login to the server with the account created in step 1 (Not the default built-in Administrator account for the domain).
6. Create a new folder on the hard drive.
7. Edit the security permissions by removing inheritable permissions from the parent object and adding the local Administrators group and SYSTEM giving them Full Control permission.
8. When trying to access the folder an error will display that says you do not have permission to access this folder.
9. Click Cancel.  If the Continue button is clicked the currently logged in user id will be granted security permissions to the folder, which will gain access to the folder, but will cause folder permissions to get messy.
10. There is NOT an option to elevate privilege to gain access to the folder with the rights that were granted in step 7 which should be sufficient (i.e. full control).

This issue is the result of User Account Control (UAC).  UAC is the feature in Windows Vista and Windows Server 2008 that is designed to apply the principle of least privilege.

If UAC is turned OFF this issue goes away.   Also, if you login with the built-in Administrator account for the domain the issue also goes away.

After digging into UAC a little further, I found that by default UAC applies to all interactive users with the exception of the built-in administrator account.  This is because the group policy Admin Approval mode is on for the built-in administrator account is disabled by default which means the built-in administrator account will logon in XP compatible mode and run all application by default with full administrator privilege with out a filtered access token.  This would seem to explain why the built-in administrator is not affected by the issue created by having UAC turned ON.

Note: If the group policy Admin Approval mode is on for the built-in administrator account is enabled this issue also effects the built-in administrator account in the same way.

All other admin accounts are subject to UAC and the filtered access token.  The group policy Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for Consent by default.  There is not a policy to disable Admin Approval mode for non-built-in administrator accounts.

Check out the Security Policy Settings and User Account Control blog post for more details.

At this point it looks like there are two choices to get around this issue:

1) Leave UAC turn ON and use the built-in Administrator account for the domain and let everyone share the same account which is a bad security practice or

2) Turn UAC OFF and use any user account that is a member of the domain administrators group.  This might not be a bad idea since UAC is really a client feature anyway.

I would consider this issue a bug.  Hopefully, Microsoft will come out with a fix that will allow UAC to be left enabled.

There is a known problem in Hyper-V RC1 in which after you upgrade a perfectly working RC0 server the Hypervisor will not start.

You will see the following error in the event log:

Source: Hyper-V Hypervisor

Event ID: 48

“Hyper-V launch failed; Processor 0×4 does not provide the features necessary to run Hyper-V (leaf 0×80000008, register 0×0: features needed 0×24, features supported 0×26).”

Hyper-V RC1 apparently has issues with my processors which are Intel Quad Core Xeon 2.33Ghz E5345.  This server did have an additional processor added after it was purchased.  Both processors are E5345, but Dell OpenManage Server Administrator is reporting one processor as Model 15 Stepping 7 and the other one as Model 15 Stepping 11.

John Howard, Microsoft Senior Program Manager on the Hyper-V Team reported on his blog the following:

“Yes, we are aware of a bug in RC1 which affects the Hypervisor from launching correctly on a small number machines. The class of machine is where there is more than one physical socket containing processors, and the processors are reporting mismatching capabilities. However, that fix will not be available until a future release.”

There is a temporary solution that will allow Hypervisor to start after a reboot.   

1. Open MSCONFIG
2. Select the Boot tab and click Advanced Options.
3. Select the Number of Processors check box and set the number of processors to 4.
4. Click OK twice.
5. Click Restart.

The bad news is that I’m losing the benefit of one of my processors, but at least Hyper-V is functional.  I’ll have to remember to set the processors back after Hyper-V RTM has come out.

CableCARD™ and Digital Cable FAQ

Digital Cable Tuner Setup for Windows Media Center in Windows Vista - A Set-by-Step Guide for Professional Technicians (pdf)

Dell XPS Desktop Forum

I got my XPS 420, took an image of HDD (32 bit OEM OS) and installed Vista Ultimate x64, downloaded and installed all the drivers from support.dell.com and then also updated newer drivers for the video and network cards and updated the firmware on the ATI Digital Cable Tuner.   Everything that I’ve tested so far seems to be working OK, except for DVD playback in Media Center and Media Player.  Playback is choppy with video getting hung and buzzing audio. CyberLink’s PowerDVD plays just fine.

It seems that the DVD playback only gets choppy if I try to move around in Media Center while the DVD is playing.  But, if I maximize and/or unmaximize the window it resets the DVD playback and re-syncs the audio/video.  Playback is smooth then.

DVD playback on Media Player is a different story which really doesn’t work at all.

I had previously purchased the CinePlayer DVD Decoder for Windows Vista.  So, I tried that and it didn’t help DVD playback in Media Player.

System Specs:

• Intel® Core™ 2 Quad Processor Q9300 (6MB Cache,2.50GHz,1333FSB)
• 4GB Dual Channel DDR2 SDRAM at 800MHz - 4 DIMMs
• Radeon ATI HD 2600 XT 256MB
• Blu-ray Disc Combo (DVD+/-RW + BD-ROM)
• Integrated Sound Blaster®Audigy™ HD Software Edition
• Single ATITV Wonder™Digital Cable Tuner with Remote

Has anyone seen any issues with DVD playback with the Radeon ATI HD 2600 XT 256MB video card?
 
I’ve not tested a Blu-ray disk playback or digital cable yet.

**Updated 5/29/08 1:15pm -  I just tested Blu-ray disk playback and it worked like a charm in PowerDVD.

During DCPROMO in Windows Server 2008, If you select the option to install DNS, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution.

If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not need to create the DNS delegation. This is a known issue by Microsoft.  Just click Yes and disregard the message.

Read: Known Issues for Installing and Removing AD DS

“Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Domain,DC=suffix”
“Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Subdomain,DC=Domain,DC=suffix”
“Adprep could not contact a replica for partition DC=ForestDnsZones,DC=Domain,DC=suffix”

Read: Error message when you run the “Adprep /rodcprep” command in Windows Server 2008: “Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com”

Note: I could not get the VB script that Microsoft provided in the above KB article to work.  I received the following error, “fixfsmo.vbs(1, 1) Microsoft VBscript compilation error: Expected statement”. 

Here’s the way I ended up fixing the problem:

• Open ADSIEdit
• Connect to DC=DomainDnsZones,DC=domain,DC=suffix
• Expand it and select CN=Infrastructure
• Right click, click on Properties and look at the fsmoRoleOwner attribute.  In my case it was referencing a deleted domain controller:

CN=NTDS SettingsADEL:0db95bd9-0a15-46d8-9665-951689a3c7f9,CN=PFCSRDC1ADEL:5bcf835e-adb2-4eba-9a3e-bccc9611fc78,CN=Servers,CN=PFCS,CN=Sites,CN=Configuration,DC=pfcs,DC=farm

• This means that AD has a bad value for the infrastructure master because the infrastructure master for the referenced partition or partitions has been forcefully demoted or is offline.
• You will need to copy the correct path to the infrastructure master into the fsmoRoleOwner value. To do this, first determine what server your infrastructure master is supposed to be using AD Users and Computers.
• Once you have the <servername>, go back into ADSIEdit.
• Connect to the Configuration partition.
• Expand CN=Sites, CN=<site where Infrastructure Master server is located>, CN=<server name> and go to properties of CN=NTDS Settings.
• Edit the distinguishedName attribute, select the value and copy it into the clipboard.
• Now go back to the Infrastructure object underneath DomainDNSZones, and copy
  the value you got into the fsmoRoleOwner attribute.
• This will have to be done for each partition with a bad value.
• After AD has been cleaned up rerun the “Adprep /rodcprep” command.

I finally decided to buy a Dell XPS 420 desktop computer this weekend.  Dell is running a great deal for Mother’s Day; $350 off XPS 420 systems.  I’m not a mother, but who cares right?  I can get the configuration that I want cheaper than I can get with my Employee Purchase Program discount mainly because I don’t have to take the 3 year warranty on the Mother’s Day deal.

This system is configured with the ATI TV Wonder Digital Cable Tuner.  I really want to start recording digital/HD TV content including Premium stations with Windows Vista Media Center.  With my current system I’m only able to record the analog stations and the quality leaves a lot to be desired on a 46″ LCD HD TV.

I went down to Charter Cable yesterday to talk to them about Cable Cards.  They were not very helpful.  Both the woman at the front counter and the technician that I eventually talked to really couldn’t answer my questions.  The reason is that they haven’t hooked up that many cable cards in PCs before.  They did say that I would be able to get the digital/HD and premium stations.  But, I could have a problem with voltage feedback into the cable lines.  After further questioning this could be an issue with any TV tuner card hooked up with a coax to the cable company.

Here’s my configuration:

• Intel® Core™ 2 Quad Processor Q9300 (6MB Cache,2.50GHz,1333FSB)
• Genuine Windows Vista® Home Premium with Digital Cable Support
• 4GB Dual Channel DDR2 SDRAM at 800MHz - 4 DIMMs
• Dell USB Enhanced Multimedia Keyboard
• 22 inch E228WFP Widescreen Digital Flat Panel
• Radeon ATI HD 2600 XT 256MB
• 750GB - 7200RPM, SATA 3.0Gb/s, 16MB Cache
• Dell Media Card Reader included in Dell Bluetooth Package
• Dell Optical USB Mouse
• Blu-ray Disc Combo (DVD+/-RW + BD-ROM)
• Integrated Sound Blaster®Audigy™ HD Software Edition
• Dell 19 in 1 Media Reader with Bluetooth
• 1Yr In-Home Service, Parts + Labor,24×7 Phone Support
• Single ATITV Wonder™Digital Cable Tuner with Remote
• McAfee SecurityCenter with anti-virus, anti-spyware, firewall, 24-months
• Adobe® Acrobat® Reader 8.1
• Included 3 GB DataSafe Online Backup for 1Yr
• No speakers (Speakers are required to hear audio from your system)
• No Productivity software pre-installed
• No Modem Requested

I’ve recently been tweaking my data replication schemes.  We’ve got multiple servers spread out all over and seems like we replicate date all over the place.   My most recent brilliant idea was to replicate our offline virtual machine images and software installation ISO files to all of our Hyper-V servers.  In working through some staging quota issues because the files that I wanted to replicate was greater than the default 4GB default staging quota, I found a cool tool that will show a list of the backlogged files waiting to replicate.  The tool is called dfsrdiag and is run from a command prompt.  In Windows Server 2008 with UAC the command prompt window will need to have its credentials elevated to Administrator.

Sample command:
dfsrdiag Backlog /ReceivingMember:vs1 /SendingMember:vs3 /RGName:”Software Library” /RFName:”Software Library”

Sample Output:
Member <vs1> Backlog File Count: 9
Backlog File Names (first 9 files)
     1. File name: win2008×64Ent-disk1.rar.part01.exe
     2. File name: win2008×64Ent-disk1.rar.part03.rar
     3. File name: win2008×64Std.rar.part01.exe
     4. File name: win2008×64Std.rar.part02.rar
     5. File name: win2008×64Std.rar.part03.rar
     6. File name: win2008×86std.rar.part01.exe
     7. File name: win2008×86std.rar.part02.rar
     8. File name: SW_DVD5_Windows_Svr_DC_Ent_Std_2008_English_32bit_MLF_X14-26710.ISO
     9. File name: SW_DVD5_Windows_Svr_DC_Ent_Std_2008_English_x64_MLF_X14-26714.ISO

Operation Succeeded

Command “Backlog” Help:
Usage: DFSRDIAG Backlog [/ReceivingMember:name] </SendingMember:name>
   </RGName:name> </RFName:name>

</RGName>
  The display name for the replication group
  Example: /RGName:Applications
</RFName>
  The display name for the replicated folder
  Example: /RFName:”Applications Distribution”
</SendingMember> or </SMem>
  The DNS or NetBIOS name of the member that is sending the replication
  data
  Example: /SendingMember:Branch01.sales.contoso.com,
  /SendingMember:sales\Branch01, /SendingMember:Branch01
[/ReceivingMember] or [/RMem]
  The DNS or NetBIOS name of the member receiving the replication data.
  Uses local computer if not specified
  Example: /ReceivingMember:Branch01.sales.contoso.com,
  /ReceivingMember:sales\Branch01, /ReceivingMember:Branch01
[/Help] or [/?]
  Display help message for the command
  Example: /?
[/Verbose] or [/V]
  Enable verbose logging
  Example: /v

I guess most have heard the news of the 5.2 magnitude earthquake that shook the Central U.S. early Friday morning at 4:36AM.  The epicenter of the earthquake was about 150 miles from me in Southern IL.  The quake was strong enough to wake me up out of a deep sleep.  I thought someone was shaking the bed and it wasn’t me.  My first thought having been still part asleep was this house needed a firmware upgrade and a reboot to fix it.  You have to know that yesterday I spent the biggest part of the day upgrading server firmware.  OK, so I was crazy just a little bit.  But, after I started to come around, I heard stuff rattling in the house.  Then, I thought this is the BIG ONE!  I should lay here and just listen.   The shaking stopped.  Everything was quiet outside except for a few sirens.  I guess it was alarms going off.  I made it unharmed.

To confirm that what I just encountered was an earthquake, I quickly turned on the news and ran all the stations.  Not a word at 4:40AM in the morning.  I would have to wait until my local news came on at 5:00AM to be reassured that my experience was in deed an earthquake.  The local news is a whole other story for another day.  But, when they talked to some guy via phone as a witness to the event in Southeast Missouri and he was describing the shaking.  I decided it was time to go back to sleep.

This was only the second quake that I remember feeling.  The first was the 4.6 New Hamburg quake on September 26, 1990 during the time of Iben Browning’s prediction. I was a Junior at Southeast Missouri State University in Cape Girardeau in Academic Hall when it hit and scared us to death.  This is when we all were making earthquake kits and taping up our windows waiting for the BIG ONE.  Well, I hope the BIG ONE will wait at least another century before it hits.

Read: Earthquake rattles Illinois
Read: Ode to Iben Browning: Ten Years After

BGInfo, a really cool tool that allows you to create a custom bitmap images to use as your desktop wallpaper that can include things like your host name, IP address and other aspects of the PC’s configuration.  

Download: BgInfo v4.12

The image can be set to auto update by creating a shortcut and placing it in the Startup folder.  The shortcut target should be set to:

<path>:\bginfo.exe config.bgi /timer:0

The path is the location where bginfo.exe is saved and config.bgi is the saved configuration file to be used.

Sample:

To add a custom field follow these steps:

1. Click on the Custom button underneath the list of Fields.
2. Click User Defined Fields dialog box click, New.
3. In the Define New Field dialog box, type the name of the field (i.e. MyDNSServer).
4. Click WMI Query radio button.
5. In the path text box enter the WMI query (i.e. SELECT DNSServerSearchOrder FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE)
6. Continue the process for each custom defined field.
7. Click OK to close the User Defined Fields dialog box.
8. Add the custom fields to the background image.

I’ve come up with some custom fields that can be added to BGInfo.  Follow the steps above to add each of these fields.