Sunday, September 28, 2014

Change Windows Server 2012 Product Key

 Windows did not allow me to change the key from any of the GUI's

Use the PowerShell....

1.

Clear The Current Key

Open Powershell with admin rights then enter:
slmgr -upk (this removes the current Product Key)
2.

Add The New (or Correct Key)

Now that the key is cleared you can either stay in Powershell and enter the new key with the following:
slmgr -ipk XXXX-XXXX-XXXX-XXXX (with the X's of course being the Key )
or
Go the the activation GUI and you will now be able to enter a Key

Error 0x8007232b or 0x8007007B occurs when you try to activate Windows

Change the product key to an MAK. To do this, follow these steps:
  1. Click Start
    the Start button
    , click All Programs, click Accessories, and then right-click Command Prompt.
  2. Click Run as administrator.

    User Access Control permission
    If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.
  3. At the command prompt, type the following command, and then press Enter:
    slmgr -ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
    Note In this command, the placeholder xxxxx-xxxxx-xxxxx-xxxxx-xxxxx represents your MAK product key.

Microsoft Outlook PST File Access Denied

When I open the Outlook archive File (.pst), it displays error message like “Unable to open PST file error details access to the path is denied” on system.

Cause:
File attribute is read-only

Solution:

Right click the .pst file >> Properties >> Uncheck the Read Only.




Thursday, September 18, 2014

12c Client: How to Resolve Error [INS-30131] on Win7 x64 Install?

I got error message when I install Oracle client 12c x64.

  • Downloaded the 12g client for x64 from Oracle's web site.
  • Extracted the zip file.
  • Right-clicked on "Setup.exe" and selected "Run as Administrator."
  • Passed the OUI monitor check and it prepped the install from a temp directory.
  • Installer opens
  • I select a custom installation type (I'm really only looking for the odp.net managed DLLs) and click next.
  • I skip software updates and click Next.
  • I see the following error message: "[INS-30131] Initial setup required for the execution of installer validations failed." Cause: "Failed to access the temporary location".
Solution:
I stop the service OracleRemExecServiceV2 and re-install the client it works.

Wednesday, September 3, 2014

Global Object Access Auditing

Beginning in Windows Vista, a new granular auditing system was added by this guy. It meant you could now specify in more (or less!) detail what types of data you wanted to audit. This allowed fancy moves like auditing what AD attributes were changed and even what their new values became.
image
Garbage in, garbage out
Starting in Windows 7 a new control mechanism called Advanced Audit Policy Configuration was added that let you actuallyset this stuff easily and not juggle some scripts and auditpol.exe.
image
Way better than this
Tucked away here in the new policy is a little known section called Global Object Access Auditing (GOAA – an acronym I just invented).

STOP!!!

At this point you want to start clicking and touching. It’s only human. Unless you are using a test computer, resist that urge.
If you start enabling anything in Advanced Audit policy, it will take effect immediately; even if you do not click Apply. Any pre-existing legacy audit policy will be overwritten and this new policy will start being used. If you enable a few things and then disable them, you will turn policy settings off – meaning that you are now auditing nothing. Undoing this is a pain in the neck, so don’t start touching audit policies until you are done testing and ready to roll out to production.
I’ll be writing more about effective auditing settings and dealing with all this in a follow up post very soon.
Effective audit settings are explained here
When you look at the policy, you will see that it has a curious configuration dialog. In your test computer, note the File and Registry nodes, and that they only contain a “configure” option:
image
Click that button and you will see the usual security dialog where you assign file or registry auditing:
image
Global auditing lets you create System Access Control Lists (SACL) for the entire computer, based on file and registry. This means that instead of manually altering and maintaining SACLs on 10TB of shared files, you can instead define them implicitly and not actually modify the files at all. You can then troubleshoot an unexplained file deletion, see who keeps changing permissions on a folder, or satisfy an auditor.
This is extremely cool.
LSASS.EXE is the process that handles Windows security auditing. In the usual on-file auditing system it sees when files and registry keys are being opened, notes the SACL attached to that file, and sends the auditing data into the security event log. When the file is opened using GOAA, LSASS also adds to the SACL in memory, then reads it like it had been assigned on the resource directly. Sort of psyches itself out.
So even though I have no auditing configured on these files:
image
Deleting a file gives me my audit trail:
image
To be clear here: you must also turn on “Object Access \ Audit File System” or “Object Access \ Audit Registry” in order to have the actual auditing end up in your event log, just like always – GOAA does not enable all auditing, it just adds the magic SACL.

Other Notes

GOAA and the actual on-file audit entries of NTFS can coexist without issues. So if each has different settings, the combined SACL will be used for auditing. There’s no way they could conflict; worst case, they would be redundant. You only get a discrete audit event per action as well – there’s not a “GOAA event” and a regular event.
You can also use AUDITPOL.EXE /RESOURCESACL to view and set these settings outside of group policy; this is an important distinction as the usual auditpol.exe /get /category:* will not show these effective settings. Note that when specifying the /type value that the arguments are - rather disappointingly - case sensitive. So /type:file will not work but/type:File will.
image
The only reason you’d ever set through this utility would be in an unmanaged environment with no security policy being applied by the domain. And since you can’t manage the computer, odds are you can’t get to the audit logs remotely to see what’s happening, so this is one of those “not very likely” scenarios.
As far as what actions you should audit – that’s up to you. The Book of Fitzgerald states that enabling Failure auditing is usually a bad idea. Auditing “List Folder / Read Data” and their ilk of file access entries are probably not very useful. I recommend you invest in an audit collection product if this is going to be enabled all the time as your logs are only useful if they are retained.
And yes, this works great with DFSR. Since you are not actually changing a file when you use GOAA, you are not going to trigger unnecessary replication with the act of setting up auditing in the first place. For example, here I add a SACL to a replicated file the old fashioned way. Note in the DFSR debug log how this triggers a USN update and the file changes get replicated to all partners via RDC:
20110308 20:08:04.339 2788 USNC  2453 UsnConsumer::UpdateIdRecord ID record updated from USN_RECORD:
+      USN_RECORD:
+      RecordLength:        104
+      MajorVersion:        2
+      MinorVersion:        0
+      FileRefNumber:       0xF00000000E19C
+      ParentFileRefNumber: 0x70000000038A3
+      USN:                 0x85c658
+      TimeStamp:           20110308 20:08:04.339 Eastern Standard Time
+      Reason:              Close Security Change
+      SourceInfo:          0x0
+      SecurityId:          0x0
+      FileAttributes:      0x20
+      FileNameLength:      44
+      FileNameOffset:      60
+      FileName:            I am some user goo.rtf

Auditing File Access on File Servers

Enable Audit Policy

1. Create a Group Policy Object and name it something to the effect of File Server Audit Policy
2. Edit the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ and define the following Audit Policy settings
The settings below are from the WS2008R2SP1 Member Server Security Compliance baseline of the Security Compliance Manager (SCM) - http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx with the exception of Object Access: File System which I enabled for Success
AUDIT POLICY
VALUE
Account Logon: Credential Validation
Success and Failure
Account Logon: Kerberos Authentication Service
No Auditing
Account Logon: Kerberos Service Ticket Operations
No Auditing
Account Logon: Other Account Logon Events
No Auditing
Account Management: Application Group Management
No Auditing
Account Management: Computer Account Management
Success
Account Management: Distribution Group Management
No Auditing
Account Management: Other Account Management Events
Success and Failure
Account Management: Security Group Management
Success and Failure
Account Management: User Account Management
Success and Failure
Detailed Tracking: DPAPI Activity
No Auditing
Detailed Tracking: Process Creation
Success
Detailed Tracking: Process Termination
No Auditing
Detailed Tracking: RPC Events
No Auditing
DS Access: Detailed Directory Service Replication
No Auditing
DS Access: Directory Service Access
No Auditing
DS Access: Directory Service Changes
No Auditing
DS Access: Directory Service Replication
No Auditing
Logon-Logoff: Account Lockout
No Auditing
Logon-Logoff: IPsec Extended Mode
No Auditing
Logon-Logoff: IPsec Main Mode
No Auditing
Logon-Logoff: IPsec Quick Mode
No Auditing
Logon-Logoff: Logoff
Success
Logon-Logoff: Logon
Success and Failure
Logon-Logoff: Network Policy Server
No Auditing
Logon-Logoff: Other Logon/Logoff Events
No Auditing
Logon-Logoff: Special Logon
Success
Object Access: Application Generated
No Auditing
Object Access: Certification Services
No Auditing
Object Access: Detailed File Share
No Auditing
Object Access: File Share
No Auditing
Object Access: File System
Success
Object Access: Filtering Platform Connection
No Auditing
Object Access: Filtering Platform Packet Drop
No Auditing
Object Access: Handle Manipulation
No Auditing
Object Access: Kernel Object
No Auditing
Object Access: Other Object Access Events
No Auditing
Object Access: Registry
No Auditing
Object Access: SAM
No Auditing
Policy Change: Audit Policy Change
Success and Failure
Policy Change: Authentication Policy Change
Success
Policy Change: Authorization Policy Change
No Auditing
Policy Change: Filtering Platform Policy Change
No Auditing
Policy Change: MPSSVC Rule-Level Policy Change
No Auditing
Policy Change: Other Policy Change Events
No Auditing
Privilege Use: Non Sensitive Privilege Use
No Auditing
Privilege Use: Other Privilege Use Events
No Auditing
Privilege Use: Sensitive Privilege Use
Success and Failure
System: IPsec Driver
Success and Failure
System: Other System Events
No Auditing
System: Security State Change
Success and Failure
System: Security System Extension
Success and Failure
System: System Integrity
Success and Failure
3. Also remember to set the following settings as well under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options -
a. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to Enabled
b. Audit: Shut down system immediately if unable to log security audits to Disabled

Event Log Size

You may need to increase the size of the Security event log to accommodate the new events generated configure the following group policy settings. This can be done with the policy setting Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security - Maximum Log Size (KB). For maximum supported sizes see http://support.microsoft.com/kb/957662
Note: if you wish to archive old events, set Retain old events to Enabled and Backup log automatically when full to Enabled. By doing so, the event log file is automatically closed and renamed when it is full and a new file is then started. If you do not wish to retain old events, set Retain old events to Disabled.

Set up Audit System Access Control List (SACL)

The critical part is setting up the right amount of auditing for the right security principal and for the right resources. The image below shows the folder structure for which I will be setting up the audit entries:
clip_image002
I created an entry for UserHomeFolder that applies to the folder, subfolders and files, for the Builtin Administrators group for all accesses.
clip_image003
The rationale behind this is that since the users have exclusive rights to their home folders, besides them, only members of the local administrators group would have the ability to read or modify the contents of the folders.

Sample events

Here’s a selection of some of the types of events you can expect to see with auditing enabled:

Security Event Cleared

Log Name:      Security
Source:        Microsoft-Windows-Eventlog
Date:          8/14/2013 7:59:09 AM
Event ID:      1102
Task Category: Log clear
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
The audit log was cleared.
Subject:
        Security ID:   RESKIT\BWayne
        Account Name:  BWayne
        Domain Name:   RESKIT
        Logon ID:      0x871de

Ownership of File Taken

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/14/2013 1:39:46 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
An attempt was made to access an object.
Subject:
        Security ID:           RESKIT\pparker
        Account Name:          pparker
        Account Domain:               RESKIT
        Logon ID:              0x1119f6
Object:
        Object Server: Security
        Object Type:   File
        Object Name:   C:\Shares\UserHomeFolder\BWayne\BusinessProposal.txt
        Handle ID:     0x290
Process Information:
        Process ID:    0x7cc
        Process Name:  C:\Windows\System32\dllhost.exe
Access Request Information:
        Accesses:      WRITE_OWNER
        Access Mask:   0x80000

Security ACL on File Modified

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/14/2013 1:41:39 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
An attempt was made to access an object.
Subject:
        Security ID:           RESKIT\pparker
        Account Name:          pparker
        Account Domain:               RESKIT
        Logon ID:              0x1119f6
Object:
        Object Server: Security
        Object Type:   File
        Object Name:   C:\Shares\UserHomeFolder\BWayne\BusinessProposal.txt
        Handle ID:     0x360
Process Information:
        Process ID:    0x730
        Process Name:  C:\Windows\System32\dllhost.exe
Access Request Information:
        Accesses:      WRITE_DAC
        Access Mask:   0x40000

Generic File Read

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/14/2013 1:51:48 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
An attempt was made to access an object.
Subject:
        Security ID:           RESKIT\pparker
        Account Name:          pparker
        Account Domain:               RESKIT
        Logon ID:              0x17235b
Object:
        Object Server: Security
        Object Type:   File
        Object Name:   C:\Shares\UserHomeFolder\BWayne\BusinessProposal.txt
        Handle ID:     0x1b4
Process Information:
        Process ID:    0x2f8
        Process Name:  C:\Windows\System32\dllhost.exe
Access Request Information:
        Accesses:      READ_CONTROL
        Access Mask:   0x20000

Run scripts to report on 4663 events

The PowerShell script below queries the Security event log on one or more servers for events with id 4663. This event documents actual operations performed against files and other objects for which auditing is enabled in the Security tab. The script also lists the name of the object and the bitwise equivalent of the permissions were actually exercised.
Save the code below to a file with the .ps1 extension. On the first line, replace machine names with the names of your fileservers. And on the last line, replace the output file and folder name.
$server = "RootMS01","RootDC01" $out = New-Object System.Text.StringBuilder $out.AppendLine("ServerName,EventID,TimeCreated,UserName,File_or_Folder,AccessMask") $ns = @{e = "http://schemas.microsoft.com/win/2004/08/events/event"} foreach ($svr in $server)     {    $evts = Get-WinEvent -computer $svr -FilterHashtable @{logname="security";id="4663"} -oldest
    foreach($evt in $evts)         {         $xml = [xml]$evt.ToXml()
        $SubjectUserName = Select-Xml -Xml $xml -Namespace $ns -XPath "//e:Data[@Name='SubjectUserName']/text()" | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value
        $ObjectName = Select-Xml -Xml $xml -Namespace $ns -XPath "//e:Data[@Name='ObjectName']/text()" | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value
        $AccessMask = Select-Xml -Xml $xml -Namespace $ns -XPath "//e:Data[@Name='AccessMask']/text()" | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value
        $out.AppendLine("$($svr),$($evt.id),$($evt.TimeCreated),$SubjectUserName,$ObjectName,$AccessMask")
        Write-Host $svr         Write-Host $evt.id,$evt.TimeCreated,$SubjectUserName,$ObjectName,$AccessMask
        }     } $out.ToString() | out-file -filepath C:\Temp\4663Events.csv
Here’s some typical output:
ServerName
EventID
TimeCreated
UserName
File_or_Folder
AccessMask
RootMS01
4663
08/14/2013 08:01:09
BWayne
C:\Shares\UserHomeFolder\LSkywalker\Projects.txt
0x20000
RootMS01
4663
08/14/2013 08:01:16
BWayne
C:\Shares\UserHomeFolder\LSkywalker\Projects.txt
0x80
RootMS01
4663
08/14/2013 08:01:16
BWayne
C:\Shares\UserHomeFolder\LSkywalker\Projects.txt
0x20000
RootMS01
4663
08/14/2013 08:01:19
BWayne
C:\Shares\UserHomeFolder\LSkywalker\Projects.txt
0x80
RootMS01
4663
08/14/2013 08:01:19
BWayne
C:\Shares\UserHomeFolder\LSkywalker\Projects.txt
0x20000
RootMS01
4663
08/16/2013 11:39:37
Administrator
C:\Shares\UserHomeFolder\BWayne
0x20000
RootMS01
4663
08/16/2013 11:39:55
Administrator
C:\Shares\UserHomeFolder\BWayne\New Text Document.txt
0x20000
RootMS01
4663
08/16/2013 11:40:05
Administrator
C:\Shares\UserHomeFolder\BWayne\New Text Document.txt
0x10000
RootMS01
4663
08/20/2013 10:58:34
Administrator
C:\Shares\UserHomeFolder\BWayne
0x20000
RootMS01
4663
08/20/2013 10:59:08
Administrator
C:\Shares\UserHomeFolder\LSkywalker
0x20000
RootMS01
4663
08/20/2013 10:59:23
Administrator
C:\Shares\UserHomeFolder\BWayne
0x20000
RootMS01
4663
08/20/2013 10:59:23
Administrator
C:\Shares\UserHomeFolder\BWayne
0x80
RootMS01
4663
08/20/2013 10:59:23
Administrator
C:\Shares\UserHomeFolder\BWayne
0x20000
RootMS01
4663
08/20/2013 10:59:23
Administrator
C:\Shares\UserHomeFolder\BWayne
0x1
RootMS01
4663
08/20/2013 10:59:23
Administrator
C:\Shares\UserHomeFolder\BWayne
0x40000
RootMS01
4663
08/20/2013 11:00:12
Administrator
C:\Shares\UserHomeFolder\LSkywalker\Projects.txt
0x20000
RootMS01
4663
08/20/2013 11:01:15
PParker
C:\Shares\UserHomeFolder\LSkywalker\Projects.txt
0x20000
RootMS01
4663
08/20/2013 11:01:15
PParker
C:\Shares\UserHomeFolder\LSkywalker\Projects.txt
0x1
RootMS01
4663
08/20/2013 11:02:19
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x80000
RootMS01
4663
08/20/2013 11:02:22
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x20000
RootMS01
4663
08/20/2013 11:02:24
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x20000
RootMS01
4663
08/20/2013 11:02:36
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x20000
RootMS01
4663
08/20/2013 11:02:37
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x20000
RootMS01
4663
08/20/2013 11:02:39
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x20000
RootMS01
4663
08/20/2013 11:02:53
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x20000
RootMS01
4663
08/20/2013 11:02:53
PParker
C:\Shares\UserHomeFolder\BWayne
0x20000
RootMS01
4663
08/20/2013 11:02:53
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x40000
RootMS01
4663
08/20/2013 11:02:53
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x20000
RootMS01
4663
08/20/2013 11:02:56
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x20000
RootMS01
4663
08/20/2013 11:02:56
PParker
C:\Shares\UserHomeFolder\BWayne\HRStuff.txt
0x1
RootMS01
4663
08/20/2013 11:36:07
Administrator
C:\Shares\UserHomeFolder\LSkywalker\Projects.txt
0x20000
RootMS01
4663
08/20/2013 11:38:43
Administrator
C:\Shares\UserHomeFolder\LSkywalker
0x20000
RootDC01
    Administrator
C:\Shares\UserHomeFolder\LSkywalker
0x20000

You can use the table below (taken from http://msdn.microsoft.com/en-us/library/windows/desktop/aa822867(v=vs.85).aspx ) to interpret the AccessMask values to the file and directory access rights.
AccessMask Value
Constant
Description
0 (0x0)
FILE_READ_DATA
Grants the right to read data from the file.
0 (0x0)
FILE_LIST_DIRECTORY
Grants the right to read data from the file. For a directory, this value grants the right to list the contents of the directory.
1 (0x1)
FILE_WRITE_DATA
Grants the right to write data to the file.
1 (0x1)
FILE_ADD_FILE
Grants the right to write data to the file. For a directory, this value grants the right to create a file in the directory.
4 (0x4)
FILE_APPEND_DATA
Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory.
4 (0x4)
FILE_ADD_SUBDIRECTORY
Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory.
8 (0x8)
FILE_READ_EA
Grants the right to read extended attributes.
16 (0x10)
FILE_WRITE_EA
Grants the right to write extended attributes.
32 (0x20)
FILE_EXECUTE
Grants the right to execute a file.
32 (0x20)
FILE_TRAVERSE
Grants the right to execute a file. For a directory, the directory can be traversed.
64 (0x40)
FILE_DELETE_CHILD
Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only.
128 (0x80)
FILE_READ_ATTRIBUTES
Grants the right to read file attributes.
256 (0x100)
FILE_WRITE_ATTRIBUTES
Grants the right to change file attributes.
65536 (0x10000)
DELETE
Grants the right to delete the object.
131072 (0x20000)
READ_CONTROL
Grants the right to read the information in the security descriptor for the object.
262144 (0x40000)
WRITE_DAC
Grants the right to modify the DACL in the object security descriptor for the object.
524288 (0x80000)
WRITE_OWNER
Grants the right to change the owner in the security descriptor for the object.
1048576 (0x100000)
SYNCHRONIZE
Grants the right to use the object for synchronization.
Remember to also report on the following events:
  1. 4670 (Authorization Policy Change)
  2. 4907 (Audit Policy Change), and
  3. 1102 (Log clear)

Setting up Custom Views in Event Viewer

You can create a filter that includes events from multiple event logs that satisfy specified criteria. You can then name and save that filter as a custom view. To apply the filter associated with a saved custom view, you navigate to the custom view in the console tree and click its name. See http://technet.microsoft.com/en-us/library/cc709635.aspx for steps on how to create a Custom View.
As an example, the following filter looks for file access events by a user with sAMAccountName pparker:

 
   
 

clip_image004
clip_image005

Final Thoughts

1. If you need to set up audit SACLs on a large number of files, Global Object Access Auditing lets you create System Access Control Lists (SACL) for the entire computer, based on file and registry. See http://blogs.technet.com/b/askds/archive/2011/03/10/global-object-access-auditing-is-magic.aspx for more information
2. Enabling Object Access: File Share audit policy will generate very helpful 5145 events like the one below:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/14/2013 2:08:25 AM
Event ID:      5145
Task Category: Detailed File Share
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
A network share object was checked to see whether client can be granted desired access.
Subject:
        Security ID:           RESKIT\Administrator
        Account Name:          Administrator
        Account Domain:               RESKIT
        Logon ID:              0x49199
Network Information:   
        Object Type:           File
        Source Address:               10.10.10.11
        Source Port:           61361
Share Information:
        Share Name:            \\*\Shares
        Share Path:            \??\C:\Shares
        Relative Target Name:  UserHomeFolder\LSkywalker\Projects.txt
Access Request Information:
        Access Mask:           0x120089
        Accesses:              READ_CONTROL
                              SYNCHRONIZE
                              ReadData (or ListDirectory)
                              ReadEA
                              ReadAttributes
Access Check Results:
        READ_CONTROL:  Granted by Ownership
                              SYNCHRONIZE:   Granted by        D:(A;;FA;;;WD)
                              ReadData (or ListDirectory):  Granted by        D:(A;;FA;;;WD)
                              ReadEA: Granted by     D:(A;;FA;;;WD)
However, since there are no SACLs for shares, once this setting is enabled, access to all shares on the system will be audited and a large volume of these events will be generated.

3. A backup job running under the context of a local administrator on the file server will also generate a large volume of 4663 events. The command AuditPol /Set /User:Reskit\BackupAcct /Subcategory:”File System” /Success:Enable /Exclude can be used for a user-level exclusion. However this setting is not honored for users who are members of the Administrators local group.

Tuesday, September 2, 2014

DFS Namespaces and DFS Replication Overview

Applies To: Windows Server 2012, Windows Server 2012 R2


This topic discusses the DFS Namespaces (DFSN or DFS-N) and DFS Replication (DFSR or DFS-R) role services, which together comprise Distributed File System (DFS) in Windows Server 2012 R2 and Windows Server 2012. This topic discusses how to install DFS, what’s new, and where to find evaluation and deployment information.
Did you mean…

Role service descriptions

DFS Namespaces and DFS Replication are role services in the File and Storage Services role.
  • DFS Namespaces   Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. However, the underlying structure of the namespace can consist of numerous file shares that are located on different servers and in multiple sites.
  • DFS Replication   Enables you to efficiently replicate folders (including those referred to by a DFS namespace path) across multiple servers and sites. DFS Replication uses a compression algorithm known as remote differential compression (RDC). RDC detects changes to the data in a file, and it enables DFS Replication to replicate only the changed file blocks instead of the entire file.