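Getting User Permissions with PowerShell

1 Preface

In day-to-day work, we may need to find out which files on a file server a given user has permissions on, and what those permissions are. The requirement looks simple, but in practice it is not that easy.

icacls can export an aclfile, but the contents of this aclfile are unfriendly and hard to search. If a very large number of files is involved, it is basically of no practical value. Sysinternals has the AccessChk tool, which can retrieve a user's permissions, but the current version does not support Chinese.

PowerShell can meet this requirement.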


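Windows Server Backup Error 2155348301

Update, November 27, 2016: The file server's antivirus software was Kaspersky Security 10 for Windows; the problem was only finally resolved after switching to Kaspersky Security 10 for Windows Server. Treat the content below as reference only.

1 Symptoms

The file server runs Windows Server 2008 R2 Enterprise. The E:\SharedFiles directory is backed up to local disk G with Windows Server Backup, once a day.

When this backup schedule actually runs, the backup succeeds for only 2 days; from the 3rd day on, it fails. After the backup data is deleted, the backup succeeds for another 2 days, and from the 3rd day on it fails again.

Under "Event Viewer -> Windows Logs -> Application" there is an error message like this:

[Screenshot: windows-server-backup-error-2155348301_01]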


How to create or move a global catalog in Windows Server 2003, Windows 2000, or Small Business Server 2000

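Our company's domain controllers run Windows 2000. During virtualization we ran into a USN rollback problem, which was resolved by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/313994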

SUMMARY

This article explains how to create a new global catalog server. This may be necessary if you need additional global catalog servers (e.g. to support an Exchange 2000 roll out) or if you want to move the global catalog server role to a different domain controller.

There may be occasions when it is necessary to create a new global catalog to replace an existing one, or to add a new global catalog. Microsoft recommends the following method:

  1. Create a new global catalog on a second domain controller.
  2. Wait for the account and the schema information to replicate to the new global catalog. For single domains, this is relatively straightforward. For multiple domain networks, full replication will take additional time, depending on the complexity of the network. The new global catalog will be created by normal Active Directory (AD) replication and depending on the structure of your AD forest, this replication could take considerable time.
  3. Remove the global catalog from the original domain controller (optional).

By default, Windows 2000 will only place a Global catalog on the first Domain Controller in each AD forest.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

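Our company's domain controllers run Windows 2000. During virtualization we ran into a USN rollback problem, which was resolved by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/255504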

SUMMARY

This article describes how to use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.

MORE INFORMATION

Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.

The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:

  • Schema master - The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
  • Domain naming master - The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
  • RID master - The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.

How to remove data in Active Directory after an unsuccessful domain controller demotion

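Our company's domain controllers run Windows 2000. During virtualization we ran into a USN rollback problem, which was resolved by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/216498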

SUMMARY

This article describes how to remove data in Active Directory after an unsuccessful domain controller demotion.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services.


Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server

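Our company's domain controllers run Windows 2000. During virtualization we ran into a USN rollback problem, which was resolved by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/332199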

SYMPTOMS

Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controllers may not gracefully demote by using the Active Directory Installation Wizard (Dcpromo.exe).

CAUSE

This behavior may occur if a required dependency or operation fails. These include network connectivity, name resolution, authentication, Active Directory directory service replication, or the location of a critical object in Active Directory.

RESOLUTION

To resolve this behavior, determine what is preventing the graceful demotion of the Windows 2000 or the Windows Server 2003 domain controller, and then try to demote the domain controller by using the Active Directory Installation Wizard again.


How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2

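Our company's domain controllers run Windows 2000. During virtualization we ran into a USN rollback problem, which was resolved by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/875495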

SUMMARY

This article describes a condition that occurs when a domain controller that is running Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 starts from an Active Directory database that has been incorrectly restored or copied into place. This condition is known as an update sequence number rollback, or USN rollback.

When a USN rollback occurs, modifications to objects and attributes that occur on one domain controller do not replicate to other domain controllers in the forest. Because replication partners believe that they have an up-to-date copy of the Active Directory database, monitoring and troubleshooting tools such as Repadmin.exe do not report any replication errors.

After hotfix 875495 or Windows Server 2003 Service Pack 1 is installed, a Microsoft Windows Server 2003 domain controller logs Directory Services event 2095 when it encounters a USN rollback. The text of the event message directs administrators to this article to learn about recovery options.


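Domain User Account Lockout Problem

1 Preface

When a user enters the wrong password the configured number of times, account lockout is triggered and the user cannot attempt to log on again for a certain period. This is a security policy: it lengthens the time between password retries and makes brute-forcing passwords harder.

Our company runs ancient Windows 2000 domain controllers. A while ago, user accounts began to be locked out for no apparent reason; the lockout times were not fixed, and neither were the accounts affected. Solving this took quite some effort. Below is a brief description of the solution.

2 Enable Account Auditing

Once account auditing is enabled, the Security log in Event Viewer on the domain controller keeps a record of every account's logon successes and failures; this is the basis for troubleshooting.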


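Sharing a Wireless Network on Win 8.1

1 Preface

You have a laptop with Internet access, but no wireless AP or wireless router. In that situation, how do you let a phone get online through the laptop? That is the problem this article solves.

Software: Windows 8.1 operating system

Hardware: a laptop with a wireless network adapter

In theory, this article also applies to Windows 7, Windows 8, and to Windows Server 2008 R2 and Windows Server 2012 with the "Wireless LAN Service" installed.

2 Implementation

The implementation relies on two Windows features: Internet Connection Sharing and the hosted network.

2.1 Enable the Hosted Network

  1. Check whether the wireless adapter supports the hosted network. Use the command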


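Batch Script for Backups

1 Environment

Operating system: Windows Server 2003 SP2, Simplified Chinese edition

2 Backup

2.1 Batch Script

Rename the existing file by appending the current date. After renaming, sampledb becomes sampledb_2014-09-18.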

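@echo off
:: Back up the sampledb database
:: Append the backup date to the database backup file name

rem Source file to back up
set SrcFile1=E:\backup\sampledb
rem Target file name (the part before the date)
set DstFile1=sampledb

rem %date:~0,10% takes the first 10 characters of %date%; the result depends on the system's regional date format
rename "%SrcFile1%" "%DstFile1%_%date:~0,10%"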

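2.2 Explanation

@
Suppresses display of the command on the line that follows it during execution. In this example, it keeps echo off itself from being shown on screen when the batch file runs.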
