I’m using remote desktop on Windows Server 2008 r2 and I’m trying to find a way to prevent users from kicking off admin users. I understand that according to MS a regular user should not be able to kick off an admin user however if a user attempts to log in while the admin user is on (and all other sessions are in use) the admin user has 30 seconds to click the box telling Windows that they are still using this session or they will be kicked.

The behavior that I am trying to create is for the admin to not be able to be kicked under any circumstances. Is this possible?

Edit: Allow me to clarify. I don’t need more than 2 users to be able to log on. I just need for no normal user to be able to kick the admin user regardless of the number of users. If the admin user is on and someone else tries to log in I would like for them to be denied access. Is this possible?

Without purchasing and installing Remote Desktop Services CALs, you are only entitled to use Remote Desktop for administrative purposes. This is per the Windows Server license terms. If you have two non-administrative users that need to log in to run applications, you still need to purchase RDS CALs. The default two connections are only for administrative purposes. It’s not two freebie RDS entitlements per server.

When you properly license your environment, your issue will go away since the proper amount of limited connections will be allowed in addition to two administrative sessions per server.

Check more discussion of this question.

ISSUE:

I have a Windows 2008 R2 VM that runs a 3rd party ERP system. They have a utility that will run scheduled jobs to backup the Oracle database and their app data nightly with a 7 day rotation.

The problem is that it must run as a desktop app interactively within a session. It can’t run as a service. While I’m not thrilled about leaving an account logged in, I’ve learned to allow it. The primary issue here is that if the server gets rebooted it can be days before I realize that the account is no longer logged into the server with the app open.

QUESTION:

Can (and if so, how) I create a task that runs at startup that logs a user onto the VM (creating a session) and launches an app on that session’s desktop?

OR

If this is too difficult or not possible, anyone got ideas on how to check and see if this app is running in that account’s session and if not send an alert? I’m cool with even a custom event log error since I can pick that up through remote monitoring.

I’m assuming that the program needs to display its UI and that you can’t just run it non-interactively. (I love these “gems” of software…)

Here’s what I’d do, personally:

• Configure the server computer with an AutoAdminLogon as the user you want to run the application as. This will cause the server’s console to logon as this user automatically on boot.

• Add a script to the autologon user’s personal “Startup” group that starts the task asynchronously, monitors the process list for the task being present (I’d use WMIC PROCESS LIST, personally), alert if the task goes missing from the process list and, if so-desired, restart the process. I’d also lock the workstation, too.

The script in the Startup group could be as simple as (calling the program you’ve got to run eqalert.exe):

@echo off
:restart
start "" "C:\Program Files\EQFU\EQWin32\eqalert.exe"
:check_loop
rem Delay 30 seconds between checks
ping -n 30 127.0.0.1 >NUL 2>NUL
wmic process list | find /i "eqalert.exe" >NUL 2>NUL
if not errorlevel 1 goto check_loop
echo eqalert.exe not running - restarting
eventcreate /T ERROR /ID 1 /L APPLICATION /D "eqalert.exe not running - restarting"
goto restart

This script assumes that there will only be one instance of the task running and is only check for the task’s presence in the process list. If the process hangs and otherwise dies this script wouldn’t catch that. (Monitoring if the program is “responding” to Windows– i.e. if its message pump is still– erm– pumping– is a more involved prospect.)

Check more discussion of this question.

For a proof of concept I am building a server which will host 2 users.

Both users are local admin, and both users are domain users.

User1 will encrypt the files with EFS so he can get transparent access.

Is it possible to for User2 to get access to those files?

If so, are there other ways to prevent access to those files?

Thanks!

No.

• EFS encryption doesn’t occur at the application level but rather at the file-system level; therefore, the encryption and decryption process is transparent to the user and to the application. If a folder is marked for encryption, every file created in or moved to the folder will be encrypted. Applications don’t have to understand EFS or manage EFS-encrypted files any differently than unencrypted files. If a user attempts to open a file and possesses the key to do so, the file opens without additional effort on the user’s part. If the user doesn’t possess the key, they receive an “Access denied” error message.

• File encryption uses a symmetric key, which is then itself encrypted with the public key of a public key encryption pair. The related private key must be available in order for the file to be decrypted. This key pair is bound to a user identity and made available to the user who has possession of the user ID and password. If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a recovery agent exists, then the file may be recoverable. If key archival has been implemented, then the key may be recovered, and the file decrypted. If not, the file may be lost. EFS is an excellent file encryption system—there is no “back door.”

Sort of.

• EFS keys are protected by the user’s password. Any user who can obtain the user ID and password can log on as that user and decrypt that user’s files. Therefore, a strong password policy as well as strong user education must be a component of each organization’s security practices to ensure the protection of EFS-encrypted files.

• EFS-encrypted files don’t remain encrypted during transport if saved to or opened from a folder on a remote server. The file is decrypted, traverses the network in plaintext, and, if saved to a folder on the local drive that’s marked for encryption, is encrypted locally. EFS-encrypted files can remain encrypted while traversing the network if they’re being saved to a Web folder using WebDAV. This method of remote storage isn’t available for Windows 2000.

Yes.

Check more discussion of this question.

My work is going to roll out a new application (HR, Payroll, etc.) called springbrook to our remote employees. The application runs on one of our physical servers (Win 2008 R2) and to use it locally, I had to map a network drive to the server on the local employee’s computer. I created a desktop shortcut to the app so the user doesn’t have to go inside the mapped drive and run it that way. They just click on the desktop shortcut.

Springbrook uses the LDAP protocol (in our case Active Directory) to authenticate the user trying to login against the login id’s already inside of Springbrook, so when the session is established it requires that the user logs in and is authenticated to the domain which in turn makes the connection to the LDAP connector which verifies user info and allows them access.

Our hardware firewall is a Sonicwall TZ210 device. I have the VPN setup in that device. At the remote site on the user’s workstation who will be using Springbrook I have correctly setup the sonicwall VPN client. At the remote worksation I can establish a connection to our network, map the network drive and bring up the Springbrook login page. When I put in the credentials, a Springbrook error message pops up telling me I put in an incorrect password. That’s not the case because I know the credentials are correct.

I contacted Springbrook about this and the tech told me that somehow the authentication isn’t happening in the VPN tunnel.

Okay. I knew that, haha

He then said that they use Citrix for their remote employees. I’m sure Citrix has a very nice WebApp tool, but if I can do this through a VPN tunnel and save us money that would be great.

Any suggestions my fellow techies?

Server: Win 2008 r2
Firewall\VPN: Sonicwall tz210
Active Directory Domain

I’ve enabled LDAP in our firewall and got the same results. That didn’t work. Other than that, I haven’t tried anything. The remote workstation runs the same “stuff” as the local workstations that are running springbrook just fine.

Use Windows RRAS as the VPN server. The users will then authenticate to the domain via the VPN instead of authenticating to the SonicWall via the VPN. When they launch the app it should use the AD credentials of the VPN user, which is their AD account.

Check more discussion of this question.

We’re experiencing some weird stuff with our roaming user profiles. We use folder redirection for Documents/Pictures/Music/Destkop/Downloads, yet these folders are being created in the roaming user profile (they shouldn’t).

Looking at the dates for these folders it’s quite obvious that we’re hitting some kind of bug with NTFS. How else is this possible (pic)?

The folder was copied on 18.01.2013 (1/18/13) from one that was last modified 14.07.2009 (7/14/09).

Check more discussion of this question.

Is there a way to find out when user was added to distribution group and by who? Probably thru AD or Exchange Management Console? Or such information is not stored anywhere?

If you have Directory Service Change auditing enabled, there would be a 5136 event in the security event log on the domain controller where the change was made.

You can also identify when the member attribute was last changed. If the dl does not change often, this may help if the last change was when that account was added to the dl.

repadmin /showobjmeta <dcname> "<dn of distribution list>"  

results:

29 entries.
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
 409215      1b022a66-0f20-440d-b6f6-9a9b3b83b83c  36538059 2006-01-24 16:04:24    1 objectClass  
 409215      90864325-7d94-48ef-b941-9a1595ce749c 103330135 2008-06-02 09:22:57   22 member  

Audit Directory Service Changes
http://technet.microsoft.com/en-us/library/dd772641%28v=ws.10%29.aspx

Check more discussion of this question.

I have several shares on a server running 08r2 that I have users dumping files to.

I would like to limit each user to be able to use only a specific amount of the space (quota)

Any help on how to configure this is appreciated. Thanks.

You would use the File Server Resource Manager and make per-user quotas.

You can use templates to enforce queries per-user or per-folder. In your case, you’ll want user likely.

Check more discussion of this question.

I would like to have one rule that allows Internet Explorer to connect to my proxy-server, but block all other applications to connect to the proxy-server.

Is that possible?

I’ve tried one rule that opens “Internet-Explorer” -> “Proxy” and a second rule that blocks any “any application” -> “Proxy” but that is not working because deny-rules are higher prioritized than allow-rules.

Is there any way to do this?

Not out of the box. Simple like that. You can filter in the proxy based on browser identification string – and hope noone fakes that.

Check more discussion of this question.

Wondering if someone could help me, i want to query active directory.

My aim is to produce a list of users and a total number of users, now our AD is full of meeting rooms, auto users, test users etc.

So i thought if add a word into these auto users descriptions i could write a script that excluded all users that have a “description = auto”.

Only problem is im not the best programmer, any chance anyone could help me achieve this.

The reason for this i want to ensure we have the correct amount of CALs as CALs are not required for autp users only real people who access the system

Cheers for the help in advanced.

While you could certainly do this using a command line tool, you could also do this just as easily using ADUC by creating a Saved Query.

Edit

I missed the part where you wanted to set the description for all non human user accounts in order to filter your query for real users. That being said, you could still set the description en masse and perform a query for users not having that description in ADUC in about 90 seconds.

Check more discussion of this question.

I have a very powerful PC that is capable of running several environments.

This computer is running Windows Server 2008 R2 with Hyper-V feature

I want to allow a user to physically use the computer while Hyper-V is running,
to do so I created another user account.

Is there any option to disable, restart or shutdown and still let the user have admin privileges?

Are there any other possibilities that I can do with the situation? Or other options?

Mathias suggest the correct action but with incorrect parameters.

Open secpol.msc and navigate to Security Settings – Local Policies – User Rights Assignment:

Find the ‘Shut down the system’ policy which determines who can shut down the server.

There are two entries in there on a 2008R2 Server: Administators and ‘Backup Operators’.

Because you want to keep the user in the administators group, you need to remove that group but add another group or users who should still be able to shut down the server.

The problem with the user still being an administator is that he can just open secpol.msc and just add himself back to the ‘Shut down the system’ policy.

So you would need to prevent him from using the Local Group Policies, which may be possible but may also break other things he should be able to do as an administrator.

Check more discussion of this question.