There was an error opening the windows firewall with Advanced Security snap-in. Error Code: 0x6D9

On February 29, 2012October 7, 2012 By myousufaliIn Microsoft Exchange ServerLeave a comment

Troubleshooting Windows Firewall Service (MPSSVC).

Resolution:

In Windows Vista and later, the firewall service is “Windows Firewall” (MPSSVC); it combines both Firewall and IPsec functionality.

The first thing to check is that the Base Filtering engine (BFE) is running. There are a number of services dependent on the BFE service (including the Windows Firewall) that may also fail to start:

IPsec Policy Agent (PolicyAgent)
Windows Firewall
IKE and AuthIP IPsec Keying Modules
Internet Connection Sharing (ICS)
Routing and Remote Access

In my experience most of the issues starting these services are related to permissions.

Typical errors seen in relation to starting this service are:

Event ID: 7024 – The Windows Firewall service terminated with service-specific error 5 (0x5)
Windows could not start the Base Filtering Engine service on Local Computer. Error 5: Access is denied.
Windows could not start the IPsec Policy Agent service on Local Computer. Error 1068: The dependency service or group failed to start.
Windows could not start the Network Location Awareness on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -1073741288.
The Windows Firewall service terminated with service-specific error 87 (0x57)
Error 0x80004015: The class is configured to run as a security id different from the caller.
The Windows Firewall service terminated with service-specific error 6801 (0x1A91).
“net start mpssvc” in cmd.exe returns the system error 1297.

What to look for (specific details will be shared in a future blog post):

Verify Log On permissions
Verify registry permissions
Verify privilege permissions
Verify Service Dependencies
Reset the default security permissions
Verify that the TxR folder exists : %systemroot%\system32\config\TxR
Verify the following registry keys by comparing them to a default Windows installation:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShareAccess

Windows OneCare

Lastly, I am including information about one issue that may be seen with the Windows OneCare Firewall Service. The following messages may be seen:

The Windows OneCare Firewall Service Could not Start

Urgent – Turn on Firewall

You will see this error in the Windows OneCare interface, with a red status action item asking you to enable the firewall. The action listed does not enable the firewall, however.

This issue is also very specific because the firewall settings in Windows OneCare are grayed out and cannot be modified.

To resolve this issue:

Use the steps below to ensure that the PATH environment variable contains the following path:

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM

Click Start / Control Panel and open the System Icon.
In System, click the Advanced tab and then Environment Variables.
Ensure that in the lower box “System variables” that PATH exists. If Path does not exist click NEW and type in PATH as the variable name and enter the above path in the variable value.
If PATH already exists, highlight it and click Edit.
Under variable name, click at the end of the line to append the above mentioned path to the end of the current path. NOTE: BE SURE TO SEPERATE THE OLD PATH AND THE NEW PATH WITH A SEMI-COLON ( ; ).
Click OK to close the windows and restart the computer.

If this does not resolve the issue, try the following step:

Click Start / Run and type Regsvr32 %SystemRoot%\System32\wbem\wmidcprv.dll and click OK.
Restart the computer and test the firewall again.

If this does not resolve the issue, or if the problem does not match the description, please follow the steps in KB article 910659.

Article taken from technet blogs.

http://blogs.technet.com/b/networking/archive/2011/06/08/the-windows-firewall-service-fails-to-start-introduction.aspx

How to Convert a Physical Server to a Virtual Machine

On February 29, 2012March 14, 2012 By myousufaliIn Hyper-V1 Comment

Disk2vhd is a utility that creates VHDs. The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).

Download Link: Disk2vhd

After creating the VHD, you can use that VHD in Hyper-V virtual machine.

Troubleshooting Boot problems.

Windows 2008 R2 (Vista, Windows 7, Windows 2008)

We’re going to fix the entire boot path, despite what part of it is broken. Go find an ISO or DVD of any of the operating systems just listed in the title. Prepare to boot your VM from this media. We’re going to use the recovery console. We’ll assume you are using Windows 7 media.

Attach the Windows 7 installation disc to the virtual machine disc drive, and then start the computer.
Press a key when you are prompted.
Select a language, a time, a currency, a keyboard or an input method, and then click Next.
Click Repair your computer.
Click the operating system that you want to repair, and then click Next.
In the System Recovery Options dialog box, click Command Prompt.
1. If an operating system is not found simply continue anyway
Type the following command in this order to set your system straight:
1. bootrec /fixmbr (Fixes MBR)
2. bootrec /fixboot (Fixes Boot Sector)
3. bootrec /scanos (Scans for Windows installations to add)
4. Reboot! (Type Exit)
If you still do not boot into Windows, or do not have a boot menu, or something is still wrong, follow steps 1 – 6 again. For step 7 type this instead
1. bootrec /rebuildbcd (Rebuilds entire BCD… not a really big deal)
2. Reboot! (type Exit)

You are now either booting into Windows, or you are not… Any blue screens I cannot help you with at this time. Search the internet for a solution, and in the meantime I intend to write an article on this as well. Comments welcome as always.

Further Information:

How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows
http://support.microsoft.com/kb/927392

Windows 2003 R2 (Windows XP, Windows 2003)

Again, we’re off to fix the boot path. Things are a bit different in Windows 2003. Same basic goal as with Windows 2008. Go find an ISO or DVD of any of the operating systems just listed in the title. Prepare to boot your VM from this media. We’re going to use the recovery console. We’ll assume you are using Windows 2003 media.

Attach the Windows 2003 installation disc to the virtual machine disc drive, and then start the computer.
When you receive the message that prompts you to press any key to start from the CD, press a key to start the computer from the Windows Server 2003 CD.
When the Welcome to Setup screen appears, press the R key to start the Recovery Console.
Select the Windows installation that you must access from the Recovery Console.
Follow the instructions that appear on the screen, type the Administrator password, and then press ENTER.
Type the following command in this order to set your system straight:

Further Information

How To Use the Recovery Console on a Windows Server 2003-Based Computer That Does Not Start
http://support.microsoft.com/kb/326215

Description of the Windows XP Recovery Console for advanced users
http://support.microsoft.com/kb/314058

(Article taken from TN blog: http://blogs.technet.com/b/jonjor/)

How to set allow domain users to join the workstation to the domain.

On February 29, 2012July 9, 2012 By myousufaliIn Active DirectoryLeave a comment

How to set allow domain users to join the workstation to the domain.

1. Create a security group

2. Make users who will be having rights to join machine to domain members of this group.

3. Using Domain Group policy add group created in Step 1 to following settings..

Computer configuration > Windows settings > Security Settings > Local Policies > User Rights Assignment > Deny Logon locally

Computer configuration > Windows settings > Security Settings > Local Policies > User Rights Assignment > Deny logon through remote desktop services

How to Change the Local Administrator Password on Domain Member Computers.

On February 29, 2012April 5, 2012 By myousufaliIn Powershell | Scripting, Tips & TricksLeave a comment

We will discuss here two methods to change local administrator password.

First method using Power Shell / Script.

Script:

Set WshNetwork = WScript.CreateObject(“WScript.Network”) strComputer = “.”

Set objUser = GetObject(“WinNT://” & strComputer & “/Administrator,user”)

objUser.SetPassword “NEW.PASSWORD” ‘ Enter new password between brackets

objUser.SetInfo

Download the complete powershell script from here.

Second Method using GPP.

There is a Group Policy Preference (GPP) that can do it for you.

Changing the local Administrator password on domain members.

Start the Group Policy snap-in, expand Computer Configuration, expand Preferences, click Control Panel, and then right-click Local Users and Groups. From the menu select New – Local User. Select Update as the action, type Administrator into the User name text box, then type the new password into the Password text box, confirming the password in Confirm Password text box. Press OK.

More information:

Download details: Group Policy Preferences Overview

Making Domain User as a Local Administrator for all PCs

On February 26, 2012February 29, 2012 By myousufaliIn Active Directory, Tips & TricksLeave a comment

Task: How to remote desktop all the PCs in the domain without using domain administrator account.

Resolution:

You can create GPO and link the GPO to domain or OU containing all the computers.

Step 1 : Creating a Security Group

First you need to create a security group called Local Admin

Log onto a Domain Controller, open Active Directory Users and Computers (dsa.msc)

Create a security Group name it Local Admin

Add the Help Desk members. I will add two users say Tom and Bob.

Step 2: Create Group Policy.

Next you need to create a group policy called “Local Admin GPO”

Open Group Policy Management Console ( gpmc.msc )

Right click on Group Policy Objects and Select New.

Type the name “Local Admin GPO“

You need to configure and link this GPO to OU or Domain.

Step 3: Configure the policy to add the “Local Admin” group as Administrators

Here you will add the Local Admin group to the Local Admin GPO policy and put them in the groups you wish them to use.

Right click “Local Admin GPO” Policy then select Edit.

Expand Computer configuration\Policies\Windows Settings\Security Settings\Restricted Groups

In the Left pane on Restricted Groups, Right Click and select “Add Group“

In the Add Group, select browse and type Local Admin and then click “Check Names“

Click OK

Click Add under “This group is a member of:”
Add the “Administrators” Group.
Add “Remote Desktop Users”
Click OK twice

NOTE# When adding groups, you can add whatever you want, the GPO will match the group on the system, if you type “Admins” it will match a local group called Admins if it exists and put “Local Admin” in that group.

Step 4: Linking GPO

In Group policy management console, right click on the domain and select Link an Existing GPO

Select the Local Admin GPO

Step 5: Testing GPOs

Log on to a PC which is join to the domain and then run gpupdate /force and check the local administrators group. You should see Local Admin in that group now.

Tom and Bob help desk admins can now access all PCs remotely as a local administrator.

Edit Permissions with SubInAcl

On February 17, 2012March 21, 2012 By myousufaliIn Tips & TricksLeave a comment

SubInACL is a Microsoft utility which can be downloaded as part of Windows Resource Kits.

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and
services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

SubInACL’s help screen:

SubInAcl version 5.2.3790.1180

Each command line switch has its own help screen, which can be summoned using the command SUBINACL /help /switch

For example, SUBINACL /help /grant will call the following help screen:

SubInAcl version
5.2.3790.1180

Some examples of granting access permissions:

Allow the group “MYDOMAIN\Marketing” Read access to the folder
“D:\Departments\Marketing” and all of its subfolders, but not on the files:

SUBINACL /verbose=1 /subdirectories “D:\Departments\Marketing” /grant=Users=R

Grant Read access to “Everyone” on a share:

SUBINACL /verbose=1 /share \\server\share /grant=Everyone=R

Allow the group “MYDOMAIN\Marketing” to Print and Manage documents on the printer “Color Laser”:

SUBINACL /verbose=1 /printer “Color Laser” /grant=MYDOMAIN\Marketing=MP

Allow “Authenticated Users” to start and stop the “Printer Spooler” service (use its short name: “Spooler”):

SUBINACL /verbose=1 /service Spooler /grant=”Authenticated Users”=LQSTOP

Grant “Authenticated Users” write access to “HKEY_LOCAL_MACHINE\SOFTWARE\MyProgram”, but not to subkeys:

SUBINACL /verbose=1 /keyreg “HKEY_LOCAL_MACHINE\SOFTWARE\MyProgram” /grant=”Authenticated Users”=QEDS

To check permissions, remove the /grant switch: if no “action” is specified, the default /display is used.

Other References:

Dive Deep with SubInACL

Edit Permissions with Subinacl

Example Secnarios

Hardware Malfunction BSOD

On February 14, 2012February 29, 2012 By myousufaliIn Tips & TricksLeave a comment

*** Hardware Malfunction

Call your hardware vendor for support

*** The system has halted ***

Before you call log with your hardware vendor, take a look what this error means.

Cause:

After deploying Symantec Endpoint Protection 12.1 package, hardware malfunction messages can be generated by software.

Resolution:

Restart the server in safe mode by pressing F8 function while booting.

Try to stop Symantec services. You can not change the service startup state using services.msc , we need to disable the Symantec services using registry editor.

First we take backup of the registry using Export option from Registry Editor regedit.exe

Now from the register editor disable the Service startup state for the SepMasterService.

Disable another Symantec service SmcService.