Brazilian laptop and the ?/° key does not function.

It always happens on a Sunday.

Whilst working on a rollout on the outskirts of Rio, I discovered that the ?/° key was not working on the laptops I was deploying.


The machine did not have an OEM installation of Windows 7, but a customised image with the Brazilian MUI installed.

To resolve it I had to add this registry value and reboot. The .reg text below can be saved to a file and imported with regedit; the value is read by the keyboard driver at start-up, which is why the reboot is needed. Note the quotes around the value name must be plain ASCII double quotes or the import fails.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,73,00,1d,e0,00,00,00,00

Decoded, the value holds a single mapping, the DWORD 73,00,1d,e0 (little-endian): its high word E0 1D is the physical Right Ctrl key and its low word 00 73 is the scan code it will now send, which is the ABNT2 "/ ?" key. After the reboot Right Ctrl therefore produces that key and is no longer available as a modifier; Left Ctrl is unaffected. The 02,00,00,00 before it is the entry count (one mapping plus the terminating zero DWORD), and because the value lives under HKLM it applies to every user of the machine.

This issue occurs with ABNT and ABNT2 keyboards.
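As an added example (not from the original post), the PowerShell below decodes a Scancode Map value so that a blob like the one above can be checked before it is imported on a fleet of machines. It follows the documented layout of the value (8 header bytes, a DWORD entry count, one DWORD per mapping, a zero terminator); the bytes fed to it are the ones from the .reg text above, and the function name is my own.

```powershell
# Added example, not from the original post: decode a Scancode Map value.
# Layout: 8 header bytes, DWORD count (mappings + 1 for the terminator),
# one DWORD per mapping (high word = key pressed, low word = scan code
# delivered instead, 0 = key disabled), then a zero DWORD.
function ConvertFrom-ScancodeMap {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 16 -or ($Bytes.Length % 4) -ne 0) {
        throw "Scancode Map must be at least 16 bytes and a multiple of 4"
    }
    $count = [BitConverter]::ToUInt32($Bytes, 8)
    if ($Bytes.Length -ne 12 + 4 * $count) {
        throw "Entry count $count does not match a length of $($Bytes.Length) bytes"
    }

    for ($i = 0; $i -lt $count - 1; $i++) {
        $dword = [BitConverter]::ToUInt32($Bytes, 12 + 4 * $i)   # little-endian
        $from  = ($dword -shr 16) -band 0xFFFF    # physical key (E0-prefixed keys are 0xE0xx)
        $to    = $dword -band 0xFFFF              # scan code Windows will see instead
        $produces = '0x{0:X4}' -f $to
        if ($to -eq 0) { $produces = 'disabled' }
        [pscustomobject]@{
            PhysicalKey = '0x{0:X4}' -f $from
            Produces    = $produces
        }
    }
}

# The value from the .reg text above, converted from its hex text to bytes.
$hex = '00,00,00,00,00,00,00,00,02,00,00,00,73,00,1d,e0,00,00,00,00'
$map = [byte[]]($hex -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) })
ConvertFrom-ScancodeMap -Bytes $map
# One row: PhysicalKey 0xE01D (Right Ctrl) Produces 0x0073 (the ABNT2 "/ ?" key).

# To inspect the live value on a machine instead (elevated prompt):
# $live = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout').'Scancode Map'
# ConvertFrom-ScancodeMap -Bytes $live
```

Running the decoder against the live key is also a cheap way to audit an image: any mapping you did not put there is worth explaining, since the same mechanism can silently disable or remap keys for every user of the machine.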

Active Directory: A user cannot be in more than 1015 groups.

In any Microsoft Active Directory forest a user's access token can hold a maximum of 1024 security identifiers (SIDs); after allowing for up to 9 well-known SIDs that Windows adds at logon, the practical limit on group memberships is 1015.
See KB http://support.microsoft.com/kb/328889

Nested (transitive) group memberships and any SIDs carried in sIDHistory all count towards that total, so a user with far fewer than 1015 direct memberships can still hit the limit.

If a user exceeds the hard limit of 1015 group memberships they will probably be unable to log on.

  • What do you do to rectify the issue?
  • How do you find out what changed and caused a tipping point?

A quick visual method to see a user's nested group memberships expanded is to run the command:

dsget user "CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com" -memberof -expand

If this command returns a short list of groups then membership of too many groups is probably not the issue, but if it returns a scrolling list of group memberships then we need to use NTDSUTIL. NTDSUTIL has a command within it that you may not even know is there unless you have this specific issue.
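As an added example (not from the original post), the PowerShell below gives a number rather than a scrolling list: it counts the SIDs a domain controller would place in the user's token by reading the constructed tokenGroups attribute, which already includes nested groups and memberships derived from sIDHistory. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the account name is the post's example used as a placeholder, and the 900 warning threshold is an arbitrary choice.

```powershell
# Added example, not from the original post: measure how close a user is to the
# 1015 limit. tokenGroups is a constructed attribute holding the transitive
# security-group SIDs the DC would put in the token (nesting and sIDHistory
# included), so it is a better gauge than counting memberOf entries by eye.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
function Get-TokenGroupCount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$HardLimit = 1015,
        [int]$WarnAt    = 900        # early-warning threshold; an arbitrary choice
    )

    $user  = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))          # ask the DC to compute it now

    # Each value is a binary SID; convert to SDDL text so it can be read and de-duplicated.
    $sids = foreach ($raw in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
    $sids = @($sids | Sort-Object -Unique)

    $status = 'OK'
    if ($sids.Count -ge $WarnAt)    { $status = 'WARNING - approaching limit' }
    if ($sids.Count -ge $HardLimit) { $status = 'OVER LIMIT - logon will fail' }

    [pscustomobject]@{
        User            = $SamAccountName
        TokenGroupSids  = $sids.Count
        SidHistoryCount = [int]$user.sIDHistory.Count   # 0 when the attribute is empty
        HeadroomToLimit = $HardLimit - $sids.Count
        Status          = $status
        Sids            = $sids
    }
}

# Usage (placeholder account from the post):
$result = Get-TokenGroupCount -SamAccountName 'mark.parris'
$result | Select-Object User, TokenGroupSids, SidHistoryCount, HeadroomToLimit, Status
```

One caveat: a domain controller only expands the domain local groups of its own domain into tokenGroups, so a user who accesses resources in another domain picks up that domain's domain local groups at access time. That is exactly why the NTDSUTIL report described next asks for a separate "resource dc"; use it when the count above looks fine but logons still fail against a particular domain.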

The command is group membership evaluation.

At an elevated command prompt, type:

ntdsutil

group membership evaluation

set account dc nameOfDC

set global catalog nameOfDC

set resource dc nameOfDC

run clickclicknext.com mark.parris

The three set commands tell the tool which domain controllers to query: a DC in the domain that holds the user account, a global catalog (for universal group membership) and a DC in the domain whose resources the user is accessing (for that domain's domain local groups). In a single-domain forest they can all be the same DC, as above. clickclicknext.com is the FQDN of your domain and mark.parris is the username.

The output of this command is a .tsv file written to the current directory of the prompt (run it from C:\Temp and it will be in C:\Temp); the file can be renamed to .csv, or opened directly in Excel as tab-separated text.
The report produces a lot of interesting information in a tabular format.

The report will have these column headings.

SID in token
SID type
SID History Count
Distinguished Name
SamAccountName
Active Directory Domain Controller Queried
Group Owner
Group Owner SID
WhenCreated (UTC)
WhenChanged (UTC)
Member WhenChanged (UTC)
GroupType WhenChanged (UTC)
One Level MemberOf Count
Total MemberOf Count
Group Type
Depth From User
Closest Parent OU

Several of these columns are timestamps. Sort the report on them (WhenChanged for the group object itself, Member WhenChanged for its membership, GroupType WhenChanged for a scope or type change) and the most recently modified groups rise to the top; those are the likely tipping point. Each recent change then needs to be understood and either reversed or, more usefully, used as the prompt to identify and remove legacy group memberships the user no longer needs.
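As an added example (not from the original post), this PowerShell loads the .tsv that group membership evaluation writes and ranks every group by the newest of its three change timestamps, recording which timestamp it was. The column names are the ones listed above; the sample rows, the timestamp format and the temporary file name are constructed for the example, so adjust the date parsing if your report formats dates differently. The function name is my own.

```powershell
# Added example, not from the original post: rank the groups in a
# "group membership evaluation" report by their most recent change so the
# group that tipped the user over the limit floats to the top.
function Get-RecentGroupChanges {
    param(
        [Parameter(Mandatory)][string]$Path,    # the .tsv ntdsutil produced
        [int]$Top = 10
    )

    # The three timestamp columns from the report's headings.
    $stampColumns = 'WhenChanged (UTC)', 'Member WhenChanged (UTC)', 'GroupType WhenChanged (UTC)'

    $rows = Import-Csv -Path $Path -Delimiter "`t"
    $ranked = foreach ($row in $rows) {
        # Find the newest non-empty timestamp on the row and remember which column it was.
        $newest = $null; $reason = $null
        foreach ($col in $stampColumns) {
            $text = $row.$col
            if ([string]::IsNullOrWhiteSpace($text)) { continue }
            # Assumption: ISO-style "yyyy-MM-dd HH:mm:ss"; change if your report differs.
            $stamp = [datetime]::Parse($text, [cultureinfo]::InvariantCulture)
            if ($null -eq $newest -or $stamp -gt $newest) { $newest = $stamp; $reason = $col }
        }
        if ($null -eq $newest) { continue }     # well-known SIDs carry no group data

        [pscustomobject]@{
            Group      = $row.SamAccountName
            Depth      = [int]$row.'Depth From User'
            LastChange = $newest
            ChangedBy  = $reason
            Sid        = $row.'SID in token'
        }
    }
    $ranked | Sort-Object LastChange -Descending | Select-Object -First $Top
}

# Constructed sample in the report's column layout (a subset of columns, tab separated).
$sample = @"
SID in token`tSamAccountName`tWhenChanged (UTC)`tMember WhenChanged (UTC)`tGroupType WhenChanged (UTC)`tDepth From User
S-1-5-21-1-2-3-1105`tFinance Users`t2013-02-11 09:00:00`t2013-02-11 09:00:00`t2013-02-11 09:00:00`t1
S-1-5-21-1-2-3-1190`tAll Staff`t2012-06-01 08:00:00`t2014-07-30 16:40:05`t2012-06-01 08:00:00`t2
S-1-5-21-1-2-3-1201`tLegacy App Readers`t2011-03-15 12:30:00`t2011-03-15 12:30:00`t2011-03-15 12:30:00`t3
S-1-5-11`t`t`t`t`t0
"@

$tmp = Join-Path $env:TEMP 'group-eval-sample.tsv'
Set-Content -Path $tmp -Value $sample -Encoding UTF8
Get-RecentGroupChanges -Path $tmp -Top 3 | Format-Table -AutoSize
# "All Staff" is listed first: its membership changed on 2014-07-30, the newest stamp in the file.
```

The ChangedBy column matters as much as the date: a recent Member WhenChanged on a deeply nested group (high Depth From User) usually means somebody added one group to another and every member of the outer group inherited the extra SIDs, which is the classic way a whole department trips over the limit at once.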

 

As I review and update my old consulting notes I have decided to publish them.
These are by no means definitive and are intended as an 'aide memoire'.

Comments welcome.

Associated Post: MaxTokenSize – Change of recommendation from Microsoft

 

 

 

Recommended Reading: Start with Why – Simon Sinek.


This is a book that I have read a few times and I have found it invaluable in how I approach issues in life, in the office and specifically around IT.

This book has changed my opening question from "What are you trying to do?" to "Why are you doing this?".

Understanding the "Why"

Attempting to understand the "Why" has helped me immensely when implementing a solution or service; if the work does not meet the "Why", it has made me think that perhaps I should not be doing it.

 

Active Directory: Disaster Recovery (Recap)

In preparation for upgrading the Active Directory forest (to Windows Server 2012 R2), it may be prudent to re-evaluate the Active Directory disaster recovery plans.

Active Directory, if configured correctly, will just sit there and work, servicing every request presented to it; because of this robustness its importance is often overlooked and its criticality not understood.

Management buy in.

The most critical component of the disaster recovery plan is the education of management and key stakeholders in the criticality of Active Directory to the business. No Active Directory can mean no authentication, no authorisation, no name resolution and no printing; effectively the IT function may cease to operate until Active Directory is restored or made available.

Plan and approach.

Define which Active Directory recovery scenarios are being catered for: total loss of the Active Directory, or the loss of objects within it?

Agree with the business and calculate realistic Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) for Active Directory.

RPO – the point in time you must be able to recover to (equivalently, the amount of change you can afford to lose).

RTO – the time allowed to get the environment back to the RPO state.

Choose your method of backup

When it actually comes to backing up Active Directory, technical insight is needed to understand the scenarios being protected against. Ensure that each scenario is catered for so that Active Directory can be recovered.

Domain/Forest Recovery.

In the worst case this means restoring a single domain controller (one per domain in a multi-domain forest) from backup, cleaning the remaining domain controllers out of the directory metadata and then rebuilding them as domain controllers of the restored domain.

This can be a logistical nightmare to perform and orchestrate.

Object Recovery

This usually means restoring a domain controller from backup (a non-authoritative restore) and then, with ntdsutil, marking the object(s) to be recovered as authoritative before the domain controller rejoins replication, so that the restored copies win over the deletions held by the other domain controllers.

Active Directory Recycle Bin.

The Active Directory Recycle Bin provides a degree of insurance, but it only enables the recovery of deleted objects; it does not, for example, recover a user or group whose attributes or membership were modified. It requires the forest functional level to be Windows Server 2008 R2 or higher, which in turn requires every domain controller in the forest to be running at least Windows Server 2008 R2, and once enabled it cannot be disabled.
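As an added example (not from the original post), the PowerShell below checks those prerequisites, lists any domain controller that would block them and reports whether the Recycle Bin is already enabled; it enables the feature only when -Enable is passed, because the change is one-way. It assumes the RSAT ActiveDirectory module and, for enabling, Enterprise Admins rights. The regular expression used to recognise a 2008 R2 or newer operating-system string and the function name are my own assumptions.

```powershell
# Added example, not from the original post: check Recycle Bin prerequisites
# and state, optionally enabling it. Assumes the RSAT ActiveDirectory module.
function Test-ADRecycleBin {
    param([switch]$Enable)

    $forest = Get-ADForest
    # ForestMode is the ADForestMode enumeration; Windows2008R2Forest has the value 4.
    $levelOk = [int]$forest.ForestMode -ge 4

    # Any DC below 2008 R2 would stop the forest level being raised in the first place.
    # Assumption: OS names look like "Windows Server 2012 R2 Standard".
    $oldDcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Where-Object { $_.OperatingSystem -notmatch 'Server (2008 R2|201[269]|202[25])' } |
            Select-Object HostName, Domain, OperatingSystem
    }

    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $enabled = ($null -ne $feature) -and (@($feature.EnabledScopes).Count -gt 0)

    if ($Enable -and $levelOk -and -not $enabled) {
        # Irreversible: there is no Disable-ADOptionalFeature for the Recycle Bin.
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
        $enabled = $true
    }

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        LevelSufficient   = $levelOk
        DCsBelow2008R2    = @($oldDcs)
        RecycleBinEnabled = $enabled
    }
}

# Usage: report only.
Test-ADRecycleBin | Format-List
# Usage: enable once the report shows LevelSufficient = True and no old DCs.
# Test-ADRecycleBin -Enable
```

Even with the Recycle Bin enabled, keep the system state backups described below: the Recycle Bin only retains deleted objects for the deleted object lifetime, and it does nothing for the modified-object and whole-domain scenarios above.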

Backup

All of the well-known backup products support backing up Active Directory. The key point is that it is not just the operating system that needs to be backed up but the system state, which on a domain controller includes the Active Directory database (ntds.dit) and its log files, SYSVOL, the registry and the boot files. Windows Server Backup can do this natively with wbadmin start systemstatebackup.

Quest Recovery Manager for Active Directory – Forest Edition.

The only tool I have found on the market that provides Active Directory disaster recovery from a single pane of glass; it enables recovery of anything from a single attribute to a full forest.

Test your processes

Whatever process or method you use to back up your Active Directory, make sure you have rehearsed the recovery: be confident not only that you can recover within the agreed RTO, but that you are physically able to do so, with readable backup media, known Directory Services Restore Mode passwords and hardware to restore onto.

As I review and update my old consulting notes I have decided to publish them. These are by no means definitive and are intended as an 'aide memoire' to enable discussion.
Please feel free to comment.

Microsoft announces MUTE for Enterprises.

What’s in a name?

Microsoft have announced a new conference, "MUTE for Enterprises", a wordplay on their current working title of "Microsoft's Unified Technology Event for Enterprises".

MUTE is scheduled to take place in the week of 4th May 2015 in Chicago and will be every single Microsoft conference rolled into one. Initially I thought fantastic, but now that I have had time to analyse the concept I am not sure whether it is a good idea or not. I used to like the technical focus of the dedicated events and the generalisation of TechEd. Let's hope it is not another Vista or Windows 8, but only time will tell.

Further details can be found at:

http://channel9.msdn.com/Blogs/TechEd/SavetheDateMay4

As a side note:

May the 4th is Star Wars Day, will we get Stephen Elop as Darth Vader and Brad Anderson as Han Solo on stage?

Top 6 (Independent) Microsoft Active Directory Integration Experts to Follow

Blatant self-promotion, but I wanted to share a blog post from OneLogin that gives their list of top Active Directory experts (including me) and our top tips on “What you should never do when working with Active Directory“.



Does anyone else have any other “No No’s” they would like to share?

Performance Tuning Guidelines for Windows Server 2012 R2

Unlike previous versions of this vital information, this is not currently available as a Word download, but only as web-based information.

These can now be downloaded in PDF format from here.
