Tag: active directory

User getting App Layering error at logon- “This system was not shutdown properly”

Citrix Leave a comment
This issue can be caused if the machine was not properly reverted when it was rebooted. It can also be caused if the image was put in a persistent mode such as editing a master image or putting a PVS image in private mode and then logging on as any domain user. If you logon as any domain user while the image is persistent and then deploy that image, the user layer service will think the disk has not been properly reverted.

In the case of Horizon View, the pool must bet floating, not dedicated. The machines must be non-persistent.

Related:

  • No Related Posts

Unable to use the O365 Proplus in Citrix session

Citrix Leave a comment
1) Make sure that the Office is installed as per the Microsoft best practice with SharedComputerLicense

2) to verify that we have installed the correct version you should open the registry and find the following key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunConfiguration.: SharedConputerLicensing: value 1

3) Download the O365 ADMX files from the following location

https://www.microsoft.com/en-us/download/details.aspx?id=49030

4) Copy the ADML and ADMX files to the respective folders under Policy definition of the Domain controller

5) Open gpmc.msc and navigate to the following policies.

Computer ConfigurationPoliciesAdministrative TemplatesMicrosoft Office 2016 (Machine)Licensing Settings.

6) Enable “Use shared computer activation” policy

7) Reboot the VDA machines

Related:

  • No Related Posts

Active directory import, then moving object causes double objects

Symantec Community Leave a comment
I need a solution

Hi,

We want to start using the Active Directory import function to make sure all domain joined servers will have Symantec installed but are running into a problem.

The AD import function is working ok, we get a new group in the console containing all computer objects from the coresponding OU. But since we have multiple roles of servers in that OU that need different and sometimes overlapping exception policies we want to move the computer objects out of the created client group and into a client group that has the specific exception policy in place. But when we do that the it seems like a copy of the moved object is created in the correct client group but the from AD imported object stays in the client group corresponding to the OU.

For example. In AD we have an OU named Servers 2012 R2, in that OU we have multiple SQL servers and those SQL servers have different configurations so they need different exception policies in Symantec. So we move one of the SQL servers from the Servers 2012 R2 client group to the client group named SQL Servers 1 (for example). When we do that a computer object in the SQL Servers 1 is created, the object shows it is online and everything is working ok. But when we look at the Servers 2012 R2 client group the originally imported object is still there and the info says that it is offline.

This situation is causing confusion and is undesired.

Is this normal behaviour for Symantec?
Is there a way to import objects from AD and move those around to different client groups after initial import and not have double entries in the console?

Or are we doing things wrong and is it possible to have multiple exception policies placed on one client group in Symantec that handles specific computers in that client group but not all others and vice versa?

Kind regards,
Michiel

0

Related:

  • No Related Posts

Upgrade Error 14.2.1031.0100 – After Schema upgrade

Symantec Community Leave a comment
I need a solution

I have this error when upgrading to the latest SEPM version (14.2.1031.010).

– I have a GPO with these settings:  “logon as a service permission” to these 3 accounts  (NT SERVICEsemsrv ,NT SERVICEsemwebsrv, NT SERVICEsemapisrv) and this one in “Replace a process level token”  (NT SERVICEsemwebsrv).

I have this log error:

I would appreciate any help.

0

Related:

  • No Related Posts

Error 0x80070005 displayed when opening a PureMessage remote console

Sophos Leave a comment

Issue

When you try to open a remote PureMessage console, an error is displayed:

Error retrieving data from the server. Ensure server / database is started and try again

System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

First seen in

PureMessage for Microsoft Exchange 3.1.4

PureMessage for Microsoft Exchange 4.0.4

Cause

The user who is trying to log on is not a member of the group ‘Sophos PureMessage Administrators’, which is a group created in Active Directory by PureMessage.

What To Do

To add the user to this group, go to the Windows ‘Active Directory Users and Computers’ window and open the Users folder. Follow the instructions in Windows documentation/Help for details of how to add the user to this group.

Related:

  • No Related Posts

Managing Group Policies for Citrix Cloud From Local Group Policy Management Console

Citrix Leave a comment

1.Download Group Policy Templates 7.15.zip folder provided in this article.

2. Extract the necessary files from the zip folder after download.

To create new policy and associate the same to proper filter, following should be performed:

1. Start the Active Directory Group Policy Management console;

2. Create new policy;

3. Edit the policy, and select appropriate Citrix Computer or User policy, or Profile Manager Computer or User policy;

4. Close the Group Policy Management Editor window;

5. Under the New policy window, associate the policy to appropriate Active Directory OU or Group.

Important Note

To install the Citrix Group Policy snap-in:

Locate and run the appropriate Citrix Group Policy MSI file on the machine where you intend to manage Group Policy (domain controller or other server)

To install User Profile Management admin templates

  • In the Group Policy Object Editor, right-click Administrative Templates under Computer Configuration and then select Add/Remove Templates.
  • Click Add, browse to the ADM Template file, and click Open.
  • Click Close to apply the policy settings in the ADM Template file to the GPO

Related:

  • No Related Posts

InsightIQ 4.1: Configuring Active Directory authentication

Dell Community Leave a comment

Article Number: 494592 Article Version: 4 Article Type: How To



Isilon,Isilon InsightIQ

InsightIQ configuration:

  1. Log in to InsightIQ web administration interface.
  2. Click SETTINGS tab.
  3. Click Users on the SETTINGS ribbon.
  4. Click Configure LDAP.
  5. Check Enable LDAP. Enabling LDAP allows you to edit the remaining fields on this page.
  6. Type Active Directory (AD) server (Domeain Controler) URI into the LDAP server field. Server URI should begin with ldap:// or ldaps://. Port is optional
  7. Type the Base Search Entry. Distinguished Name (DN) of the entry to start searches at. If your AD domain is domain.com, your DN would be dc=domain,dc=com.
  8. Type AD server credentials in the Bind entry and Bind password fields. The Bind Entry should have the format of “user@domain”. For example: ldap_service@emc.com
  9. Click link: Show optional setings.
  10. Type user into Object Class for users field. Attribute that defines a user on this server.
  11. Type group into Object Class for groups field. Attribute that defines a group on this server.
  12. Click Submit.

Active Directory server configuration:

**NOTE** InsightIQ 4.1.2 supports logging in via sAMAccountName.

If you are running InsightIQ4.1.2, you do not need to configure gidNumber or uid attributes in your Active Directory server.


On the Active Directory server confirm following attributes for groups and users.

1. Groups have to have a valid, configured gidNumber attribute.

2. Users have to have their uid set and it should be the same as their sAMAccountName attribute

Tools, resources used while reproducing the issue/configuration in a lab environment:

  • IIQ 4.1 vm
  • Windows 2012 AD
  • Wireshark to verify IIQ LDAP requests and responses from AD
  • Softerra LDAP Browser to verify LDAP / AD servers Distinguished Names and users and groups attributes

To verify groups and users attributes in the Active Directory:

  1. Log in to Domain Controller.
  2. Go to Active Directory Users and Computers.
  3. Click Viewtab.
  4. Click/check Advanced Features.
  5. Navigate to Users and open Properties window of related group or user.
  6. Navigate to and click on the Attribute Editor.

Related:

  • No Related Posts

How to manage Citrix GPOs outside of the DDC using MS’ gpmc?

Citrix Leave a comment
Install the Group Policy Management feature on the machine:

1. On a Windows Server machine, use the “Add Roles and Features” wizard from Server Manager to add the “Group Policy Management” feature.

2. On a Windows Desktop machine, install the Remote Server Administration Tools for the specific OS, once the installation is complete you will find the Group Policy Management console in the Start Menu.

Take into account the installation has to be performed with a domain admin account.

AddFeatures

When opening the Group Policy Management Editor on a Windows 10 machine you might get the following warning:

warning

According to the following Microsoft article, this is an informational event and can be safely ignored:

https://support.microsoft.com/en-us/help/3077013/microsoft-policies-sensors-windowslocationprovider-is-already-defined

Install the Citrix Group Policy management package (CitrixGroupPolicyManagement_x64.msi).

This msi can be found in the XD/XA installation media under x64Citrix Policy.

gpmmsi

At this point you should be able to create and configure Citrix policies using the MS gpmc:

gpmcedit

However, you will notice that if you try to use GPO filters that are specific to Citrix policies like the Delivery Group filter or the Tag filter you might get an error like:

error

In order to be able to use these filters from the gpmc you need to install Citrix Studio on the machine:

studio

The following article explains the details in case you want to manually install Studio (for scripted installations):

https://support.citrix.com/article/CTX127527

Once Studio is correctly installed, you will now be able to use the mentioned filters:

working

Related:

Dell EMC Unity: Common CAVA Errors (User Correctable)

Dell Community Leave a comment

Article Number: 524675 Article Version: 3 Article Type: Break Fix



Dell EMC Unity Family,Dell EMC Unity 300,Dell EMC Unity 300F,Dell EMC Unity 350F,Dell EMC Unity 400,Dell EMC Unity 400F,Dell EMC Unity 450F,Dell EMC Unity 500,Dell EMC Unity 500F,Dell EMC Unity 550F,Dell EMC Unity 600,Dell EMC Unity 600F

Common Errors, Causes and Actions

Error: AUTH_ERROR 5

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 5 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause:The account being used for checking does not have the virus checking privilege assigned to it.

Actions: Ensure that the CAVA service in services.msc is set to logon as a user and not a local system account.

_____________________________________________________________________________________________________________________________________________________________

Error: ERROR_AUTH 64

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx ERROR_AUTH 64 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: Kerberos error caused by out of sync ‘Time’ between the Data Mover and Anti-Virus Server

Action: Implement NTP or sync ‘Time’ manually.

_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 86

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 86 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: Password inconsistency between the CAVA service and user password in AD. / e.g. : Password expired and was changed, but was not updated on the CAVA service.

Action: Right-click the EMC CAVA service inservices.msc> Properties > Log On tab > update the user password to reflect that in AD.

_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 1265

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 1265 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: The user account that CAVA uses has expired in AD – won’t be able to login to the server at all using the credentials.

Action: Unlock the account and set it to never expire and try again.

_____________________________________________________________________________________________________________________________________________________________

Error: ERROR_AUTH 1326

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx ERROR_AUTH 1326 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: Password for the account running CAVA has expired.

Action: Reset the password and set it to never expire. Make any changes to CAVA service as required.

_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 1331

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 1331 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: The user account for CAVA has been disabled in AD or is only allowed to logon during certain hours.

Action: Re-enable account and remove any logon restrictions in AD.

_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 1909

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 1909 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Web Feb 29 13:20:23 2012 (GMT-00:00)

Cause: User account locked due to too many invalid login attempts.

Action: Unlock account/reset password. Make any changes to CAVA service as required.

_____________________________________________________________________________________________________________________________________________________________

Error: AV_NOT_FOUND

1533198284: VC: 5: xx.xxx.xxx.xx AV_NOT_FOUND at Thu Aug 2 08:24:39 2018 (GMT-00:00)

1533198284: VC: 5: HTTP, CAVA version: 8.5.1.0

1533198284: VC: 5: AV Engine: Unknown third party antivirus software

1533198284: VC: 5: Server Name: xx.xxx.xxx.xx

Cause:

AV_NOT_FOUND indicates that the viruschecking service on the VDM cannot communicate with the CAVA client on the AV server.

You must assign local administrative rights to the AV user on each AV server in order to successfully start CAVA and the viruschecking service on the Data Mover.

The “OpenProcess” failing usually indicates that the “emc cava” service is running in a user context that has not been given “local admin” rights on the system or that some rights are missing on that group. The “local admin” account on CAVA systems doesn’t have the “SeDebug” right (debug programs) that is needed by CAVA facility to track state of AV engines.

Action:

Please follow:

  1. Recommended Troubleshoot for AV_NOT_FOUND at the Resolution Section, in this article.
  2. Document “Using the Common Event Enabler on Windows Platforms“:
  • Restricted Group GPO – page 13
  • Assign rights – page 23

Background Explanation

  • The Active Directory (AD) Domain Controller (DC) doesn’t allow anonymous access with the CIFS server machine account as it should be performing with NTLM and machine accounts.
  • Other DC’s in the environment may allow for anonymous access to the CAVA user with the CIFS server machine account.
  • The authentication method between the Virtual Data Mover (VDM) and DC is NTLM (Microsoft) however Kerberos could also be used.
  • The DC in the environment should allow anonymous access as part of establishing a secure channel between the VDM and the DC.
  • Other option is to configure the AV servers to use Kerberos authentication instead of NTLM.

Background Events

  • The AV servers are not being authenticated by the AD DC.
  • The VDM server logs an error whenever the authentication to the DC fails for the Viruschecker Domain user.
  • With NTLM Authentication the VDM must forward the user’s credentials on to a Domain Controller (pass-through authentication) using DCERPC NetrLogonSamLogon asking it to authenticate the user.
  • The DM is using the computer account of the CIFS Server for DCERPC NetrLogonSamLogon function
  • The DC will treat access using the computer account as equivalent to anonymous access.
  • This can be seen in the network trace when the DM is sending the pass-through authentication to on the DC’s.

Recommended Troubleshoot for ERROR_AUTH:

  • Confirm the domain CAVA user has sufficient rights, which means, it’s correctly added to the local CAVA group on the Data Mover and assigned the EMC Virus-Checking privilege.
  • For details on the correct configuration, visit our Support Page at https://www.dell.com/support and look for “Using the Common Event Enabler on Windows Platforms”.
  • For more information, investigate MicroSoft Developer Network at https://msdn.microsoft.com for a complete list of Microsoft error codes.
  • In that list, look for the numerical code that follows the “ERROR_AUTH” message and check its definition.

_____________________________________________________________________________________________________________________________________________________________

Recommended Troubleshoot for AV_NOT_FOUND:

  • Confirm viruschecker.conf settings.
  • Confirm The CAVA service is running with the AV user account.
  • Confirm the installed Anti-Virus (TrendMicro, McAfee, others) service is running with the local system account.
  • Confirm the AV user is member of the local admin group on each AV server.
  • Confirm that the Anti-virus and CEE have been un-installed and re-installed (using the correct order, CEE first, then Anti-virus).
  • Rebooted the CAVA server multiple times.
  • Confirm that the CAVA servers have one network interface only.

if your unable to resolve this AV_NOT_FOUND, next step is to Please contact Dell EMC Technical Support or your Authorized Service Representative, and quote this Knowledgebase article ID.

Related:

  • No Related Posts