Daniel Ramawidjaja Blog

July 25, 2009

Delegation Control to Modify Only Certain User Attributes (Part 2)

Filed under: Active Directory,Windows Server — Daniel Ramawidjaja @ 9:33 am

In this post I explain how to delegate, to certain users, the right to modify attributes that the Delegation of Control Wizard cannot delegate on their own. Not every attribute can be delegated individually with the wizard without also granting other attributes you do not want to delegate.
For example, Office location (the physicalDeliveryOfficeName attribute, the Office field on the General tab). You can delegate it with the wizard by selecting Read/Write Personal Information, but that is a property set: it grants the whole group of attributes it contains, not just Office. If the delegation needs to be more specific than that, use ADSIEDIT.MSC to edit the OU's security descriptor directly.

If ADSIEDIT.MSC is not available yet (test by running ADSIEDIT.MSC from Run), install it first.
On Windows Server 2003 it is part of the Support Tools on the installation CD, in the \Support\Tools folder; install it by double-clicking suptools.msi.
On Windows Server 2008 it is installed on a domain controller automatically when you install Active Directory Domain Services.

Create a connection to the Domain partition (Default naming context), then open the Properties of the OU, Security tab, Advanced.
Add a permission entry for the group, applied onto Descendant User objects, that allows Read and Write of the single attribute, just like the following picture:

Custom Delegation (Part 2)

This tip has been tested and works, as in the following picture.

Custom Delegation (Part 2)

The Office location attribute was changed to Semarang.

Custom Delegation (Part 2)
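The same permission entry can be written from PowerShell instead of clicking through ADSI Edit, which also makes the delegation reviewable and repeatable. The script below is an added example, not code from the post; it assumes the Active Directory module and its AD: drive (Windows Server 2008 R2 or RSAT), an OU named Finance in Microship.com and a group named Human Resources, none of which the post names for this part. It looks up the schemaIDGUID of the attribute and of the user class, then adds one object-specific ACE that allows Read and Write of that single property on descendant user objects only, and lists the resulting ACE so you can check its scope:

```powershell
Import-Module ActiveDirectory

# Assumptions for this example (not given in the post): the OU, the group receiving the
# right, and the LDAP name of the "Office" field on the user's General tab.
$ouDn  = 'OU=Finance,DC=Microship,DC=com'
$group = 'MICROSHIP\Human Resources'
$attr  = 'physicalDeliveryOfficeName'

# An object-specific ACE needs two schemaIDGUIDs: the attribute being granted (ObjectType)
# and the class of object the ACE applies to (InheritedObjectType), here 'user'.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    New-Object System.Guid -ArgumentList @(,[byte[]]$obj.schemaIDGUID)
}
$attrGuid = Get-SchemaGuid $attr
$userGuid = Get-SchemaGuid 'user'

$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Allow Read + Write of exactly this one property, applied to descendant user objects only
# (the ACE is inherit-only on the OU itself, so it grants nothing on the OU or on groups).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list the ACEs on the OU that name this group and are scoped to this attribute.
# ObjectType must equal $attrGuid; an ACE with an empty ObjectType would cover all properties.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType,
                 InheritanceType -AutoSize
```

The older dsacls tool does the same in one line, with the same scoping (RP/WP on one property, user objects, sub-objects only): dsacls "OU=Finance,DC=Microship,DC=com" /I:S /G "MICROSHIP\Human Resources:RPWP;physicalDeliveryOfficeName;user". Whichever way the ACE is written, log on as a member of the group afterwards and confirm that Office is the only field that has become editable, as the post's test does.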


Delegation Control to Modify Only Certain User Attributes (Part 1)

Filed under: Active Directory,Windows Server — Daniel Ramawidjaja @ 9:14 am

Based on a student's request, I am posting an article about custom delegation tasks in Active Directory. This delegation allows users with a specific function, for example Human Resources, to edit only certain properties of the users in certain OUs.

User attributes that can be changed after the custom delegation:
Job Title, Department, Company, Manager, and Direct Reports.
Note that Direct Reports (directReports) is a back-link attribute: it is computed from the Manager attribute of the other users and is never written directly, so the Write permission on it has no effect on its own. It changes when Manager is set on a report, as the test at the end of this post shows.

Testing is done by the user Jet Lee (JetL), a member of the Human Resources group.


Attributes that Will Be Allowed to Be Changed in This Custom Delegation Example

Custom Delegation


Delegation Control Steps
Right-click the Finance OU, for example, and then click Delegate Control. This launches the Delegation of Control Wizard.

Custom Delegation

Select the users or groups for the delegation.

Custom Delegation

Select Create a custom task to delegate

Custom Delegation

Select Only the following objects in the folder, then select User objects.

Custom Delegation

On the Permissions page, select Property-specific. Then select the Read and Write permissions for the following attributes:
– Department
– Job Title
– Company
– Direct Reports
– Manager
Click Next, and then click Finish.

Custom Delegation


Test the Delegation
For testing I use the user Jet Lee (JetL), who is a member of the Human Resources group.

Custom Delegation

Now JetL can modify the user properties in the Organization tab, as in the following picture:

Custom Delegation

Here is the result of setting the Manager property, as seen in the Direct Reports list in the user properties of the manager (NaomiW):

Custom Delegation
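Testing the delegation from PowerShell, as the delegated user, makes the result repeatable and also checks the negative case that the screenshots cannot show: an attribute outside the delegation must be refused. The script below is an added example, not from the post. JetL and NaomiW are the post's accounts; the domain Microship.com, the DC name and the user 'Test User' in the Finance OU are assumptions. It writes each of the delegated attributes, then tries two that were not delegated, and finally reads the manager's Direct Reports back-link:

```powershell
Import-Module ActiveDirectory

# Assumptions (not in the post): domain Microship.com, DC name, and a user named
# 'Test User' that sits in the delegated Finance OU. JetL and NaomiW are from the post.
$server    = 'dc1.Microship.com'
$cred      = Get-Credential 'MICROSHIP\JetL'       # the delegated HR user; prompts for the password
$targetDn  = 'CN=Test User,OU=Finance,DC=Microship,DC=com'
$managerDn = (Get-ADUser -Identity NaomiW -Server $server).DistinguishedName

function Test-DelegatedWrite([string]$Identity, [hashtable]$Values) {
    # One attribute per call: an LDAP modify is all-or-nothing, so mixing an allowed and a
    # denied attribute in a single Set-ADUser would make the whole write fail.
    try {
        Set-ADUser -Identity $Identity -Replace $Values -Credential $cred -Server $server -ErrorAction Stop
        'ALLOWED  {0}' -f ($Values.Keys -join ',')
    } catch {
        'DENIED   {0}  ({1})' -f ($Values.Keys -join ','), $_.Exception.Message
    }
}

# Positive tests: the four writable attributes from the delegation (Direct Reports is a
# back-link computed from 'manager', so there is nothing to write to it directly).
Test-DelegatedWrite $targetDn @{ title      = 'Accountant' }
Test-DelegatedWrite $targetDn @{ department = 'Finance' }
Test-DelegatedWrite $targetDn @{ company    = 'Microship' }
Test-DelegatedWrite $targetDn @{ manager    = $managerDn }

# Negative tests: anything outside the delegation must come back with
# "Insufficient access rights to perform the operation".
Test-DelegatedWrite $targetDn @{ description   = 'changed by HR' }
Test-DelegatedWrite $targetDn @{ streetAddress = 'somewhere' }

# Back-link check (the post's last screenshot): the manager's Direct Reports now lists the user.
(Get-ADUser -Identity NaomiW -Server $server -Properties directReports).directReports
```

If a negative test is reported as ALLOWED, the group holds a wider right from somewhere else (a property-set ACE, a "Write all properties" entry, or membership in a privileged group), and the delegation is not as narrow as the wizard page suggested.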

June 27, 2009

Group Policy Management Console (GPMC) Installation on Windows Server 2003 R2 x64

Filed under: Group Policy,Windows Server 2003 R2 — Daniel Ramawidjaja @ 4:41 am

You can download the GPMC here:

Unfortunately, GPMC needs the .NET Framework 1.1, while Windows Server 2003 R2 x64 includes only the .NET Framework 2.0.

GPMC Installation Needs .NET Framework 1.1

You can install the .NET Framework 1.1, but you may then find errors in other web applications on the server. See my previous post, Error on Certificate Services Web Enrollment After Installing .NET Framework 1.1 on Windows Server 2003 R2 x64.

After installing the .NET Framework 1.1, and some troubleshooting where necessary, you can install GPMC successfully.

GPMC Installation completed


Here is a test of GPMC after the installation:

GPMC Testing

GPMC Testing

GPMC Testing


To avoid the incompatibility problems of the .NET Framework 1.1, I recommend installing GPMC on a client computer instead, such as Windows XP or Windows Vista. I wrote this post only to show that GPMC can actually be installed on Windows Server 2003 R2 x64, which includes only the .NET Framework 2.0.

Error on Certificate Services Web Enrollment After Installing .NET Framework 1.1 on Windows Server 2003 R2 x64

I do not recommend doing this, that is, installing the .NET Framework 1.1 on Windows Server 2003 R2 x64, which includes only the .NET Framework 2.0. Here I found problems with Certificate Services Web Enrollment; you may find other problems in your own web applications.
This tip only shows how to solve the problem with Certificate Services Web Enrollment after the installation of the .NET Framework 1.1.

I installed the .NET Framework 1.1 on Windows Server 2003 R2 x64, which offers only the .NET Framework 2.0 in Add/Remove Windows Components.

Install .NET Framework 1.1 on Windows Server 2003 R2

The installation completed successfully, but the problem came when I ran Certificate Services Web Enrollment.

Error after install NET FX 1.1 on Windows Server 2003 R2 x64

Even accessing the Default Web Site (http://server-name) returned errors.



To Resolve the Problem:
Open a Command Prompt. Go to Windows\Microsoft.NET\Framework64\v2.x.xxx (replace x.xxx with the version of the .NET Framework 2.0 installed on the server). Use the Framework64 directory, not Framework: the 32-bit aspnet_regiis registers 32-bit script maps, which the 64-bit IIS worker process cannot load. Type:

> aspnet_regiis -i

How to resolve the problem

The result of the previous step:

Result after run: "aspnet_regiis.exe -i"


I also got another problem when running Certificate Services Web Enrollment. You may find another error message, like "Unexpected Error getting the templates list".

Here is the other error:

Another Error comes


How to Resolve the Second Error:
I had to unregister and re-register some DLLs:

  • regsvr32 /u scrdenrl.dll
  • regsvr32 scrdenrl.dll
  • regsvr32 /u xenroll.dll
  • regsvr32 xenroll.dll

Step to Resolve the Second Error

Then I could continue the certificate enrollment process until it completed.

The Result


I solved the problem after googling the related error message and finding this answer.
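The usual cause of the first error is that the .NET Framework 1.1 is a 32-bit framework: its setup registers 32-bit ASP.NET script maps and ISAPI filter with IIS, which the 64-bit IIS 6 worker process cannot load, so every site on the server fails until the 64-bit ASP.NET 2.0 registration is put back. The script below is an added example, not from the post. It performs both fixes above with the version directory resolved at run time, lists the ASP.NET mappings before and after so you can see what changed, checks exit codes, and then requests /certsrv to confirm the page loads again. It assumes Windows Server 2003 R2 x64 with IIS 6, Certificate Services web enrollment at the default /certsrv path, PowerShell 2.0 or later, and an elevated administrator session:

```powershell
# Added example, not from the post. Assumes Windows Server 2003 R2 x64 with IIS 6 and
# Certificate Services web enrollment at /certsrv, PowerShell 2.0 or later, and an elevated
# administrator session. The .NET 2.0 build directory is resolved at run time.

$fx64 = Get-ChildItem "$env:windir\Microsoft.NET\Framework64" |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'v2.0*' } |
        Select-Object -First 1
if (-not $fx64) { throw '64-bit .NET Framework 2.0 directory not found under Framework64' }
$regiis = Join-Path $fx64.FullName 'aspnet_regiis.exe'

# Before the fix: installed ASP.NET versions and the version each IIS path is mapped to.
# After the 1.1 setup, expect paths mapped to 1.1 (32-bit), which the 64-bit w3wp cannot load.
'--- installed ASP.NET versions ---'; & $regiis -lv
'--- script maps before ---';         & $regiis -lk

# Step 1 (first error): re-register the 64-bit ASP.NET 2.0 script maps and filter with IIS.
& $regiis -i
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -i failed with exit code $LASTEXITCODE" }
'--- script maps after ---';          & $regiis -lk

# Step 2 (second error, "Unexpected Error getting the templates list"): re-register the
# enrollment COM servers. /s keeps regsvr32 from popping up a dialog for each call.
foreach ($dll in 'scrdenrl.dll', 'xenroll.dll') {
    & regsvr32 /s /u $dll
    & regsvr32 /s $dll
    if ($LASTEXITCODE -ne 0) { Write-Warning "regsvr32 $dll returned exit code $LASTEXITCODE" }
}

# Check: request the enrollment page with the current Windows credentials (certsrv uses
# integrated authentication). HTTP 200 means the site and the enrollment pages load again.
$req = [System.Net.WebRequest]::Create('http://localhost/certsrv/')
$req.UseDefaultCredentials = $true
try {
    $resp = $req.GetResponse()
    'certsrv: HTTP {0} {1}' -f [int]$resp.StatusCode, $resp.StatusDescription
    $resp.Close()
} catch [System.Net.WebException] {
    "certsrv: request failed: $($_.Exception.Message)"
}
```

Compare the two -lk listings: after the fix, the paths should show the 2.0 version from the Framework64 directory. If the check still fails, look at the application pool's identity and the IIS log before touching anything else; re-running the registration will not help at that point.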

June 22, 2009

Restore Deleted Objects from Active Directory Database Using Tombstone Reanimation (AdRestore.exe and ADRestore.NET)

By using AdRestore.exe or ADRestore.NET, you can apply the tombstone reanimation method to restore deleted objects from the Active Directory database easily. It basically does the same as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE).

I wrote the previous post to give a deeper understanding of the tombstone reanimation concept.

Mark Russinovich (formerly Sysinternals, now Microsoft) has created a command-line freeware application called ADRestore. The tool enumerates all of the currently tombstoned objects in a domain and allows you to restore them selectively, providing a convenient command-line interface to the Active Directory reanimation functionality.

You can download this tool from here:



Restoring objects with ADRestore.net
Guy Teverovsky has written a GUI version that lets you easily restore deleted AD objects.
I found this tool helps a lot when you need to restore more than one deleted object, for example an OU that contains several objects.

You can download the ADRestore.NET here:

Here are the demo steps:
I deleted an OU named Accounting that contained some objects, including users and groups.
Delete an OU

Enumerating Tombstones

First restore the OU. The order matters: a tombstone can only be reanimated into a parent that exists, so the container has to come back before its contents.

Then restore the other objects one by one,

until the last object.

Then view the result
ADRestore.NET - The Result

You can see from the steps above that using ADRestore.NET is a lot easier when restoring more than one object.

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

This tip has been tested and works on Windows Server 2003, Windows Server 2008, and later.
On Windows Server 2008 R2 it is recommended to use the Active Directory Recycle Bin feature instead. It is a more efficient method and does a complete restore of the deleted objects.

What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting its isDeleted attribute to TRUE, strips most of the attributes from the object, renames it, and moves it to a special container in the object's naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.

Obviously, objects do not remain in the CN=Deleted Objects container forever. The default tombstone lifetime is 60 days for forests initially built with Windows 2000 or Windows Server 2003, and 180 days for forests initially built with Windows Server 2003 SP1 or later. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<forest root domain> object.

Every 12 hours, each domain controller starts a garbage collection process. (This can be changed by setting a new value for the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<forest root domain> object.) This garbage collection scans all of the tombstones on the DC and physically deletes any that are older than the tombstone lifetime.

The Deleted Objects container is hidden and cannot be viewed with Active Directory Users and Computers or ADSIEDIT.MSC. But you can view it with LDP.EXE, which can send the Return Deleted Objects control with its requests.

For example, in this documentation I delete an account with the distinguishedName CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com.
That account is stored in the Deleted Objects container in the form:
CN=Jenny Gates\0ADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,CN=Deleted Objects,DC=Microship,DC=com
(the original name followed by a line feed, DEL: and the object's GUID), with the attribute isDeleted set to TRUE.

To restore the user account, you use LDP.EXE to modify the attributes of the deleted object.
Here are the snapshots:


The previous condition
Jenny Gates (username: JennyG) has the following attributes:

Tombstone Reanimation - Before Deletion

Tombstone Reanimation - Before Deletion

Jenny has permissions on the C:\Data\Marketing folder.

Tombstone Reanimation - Before Deletion

Delete the user account Jenny

Tombstone Reanimation - Deletion

As the Result of Deletion
Jenny's previous account now shows up in the folder's permissions only as her old SID, an orphaned SID without a name. If you create a new user, that creates a new object with a new SID, and the folder permissions do not apply to it. That is why you have to use the tombstone reanimation method to restore the old object: the tombstone keeps the original SID.

Tombstone Reanimation - Impact of Deletion


To prepare for restoring the deleted object, install the Windows Server 2003 Support Tools. On the Windows Server 2003 installation CD they are located at \SUPPORT\TOOLS\SUPTOOLS.MSI.
You do not need this step on Windows Server 2008, where LDP.EXE is included.

Tombstone Reanimation - Support Tools


Process to Restore the Deleted Object
Run LDP.exe.
In the LDP window, click the Connection menu, click Connect, and type the server name and port.
Click the Connection menu, click Bind, and type an account that holds the Reanimate Tombstones right (Domain Admins by default) and its password.

Click the Options menu, click Controls.
Under Load Predefined, select Return deleted objects, click Check In, and then click OK.
This control makes LDP show the Deleted Objects container, which is hidden by default.

Tombstone Reanimation

Click the View menu, click Tree, and type or select the distinguished name of the domain.
On the left, select DC=Microship,DC=com.
Then expand the Deleted Objects container and find Jenny Gates.

Right click on the Jenny account, then click Modify.

Tombstone Reanimation

In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
In the Attribute box, type distinguishedName; in the Values box, type CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com (the parent OU must still exist). Under Operation, click Replace, and then click Enter.
Select the Extended check box, so that the Return deleted objects control is sent with the modify, and then click Run. Both changes have to be in the same modify operation; the server rejects them one at a time.

Tombstone Reanimation

The result of restoring a deleted object with the tombstone reanimation procedure is not perfect. You get a disabled account whose attributes have mostly been stripped; only the few that a tombstone keeps, such as the SID, the sAMAccountName and the security descriptor, survive. You have to set a password and enable the account.

Tombstone Reanimation - The Result

But as you can see in the following picture, the permissions for Jenny have been restored, because the reanimated object has its original SID.
Now Jenny can access the shared folder.

Tombstone Reanimation - The Result

The next pictures show that, although the object is restored, many attributes are gone, including the user's group memberships.

Tombstone Reanimation - The Result

Tombstone Reanimation - The Result

If you want a full restore including all attributes of the user, consider an authoritative restore instead, which requires a backup. You cannot restore the Active Directory database from backup without restarting the domain controller in Directory Services Restore Mode.
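The LDP steps above are two LDAP operations: a search with the Show Deleted Objects control (OID 1.2.840.113556.1.4.417) and one modify, carrying the same control, that removes isDeleted and replaces distinguishedName in a single request. The script below is an added example, not code from this post or from ADRestore; it performs exactly that exchange through System.DirectoryServices.Protocols, and checks first that the target parent exists, which enforces the order the ADRestore.NET post above follows (the OU before its contents). Jenny's account and domain are from the post; the DC name is an assumption, and the session must run as an account that holds the Reanimate Tombstones right:

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Assumptions (not in the post): the DC name; the session runs as an account that holds the
# Reanimate Tombstones right (Domain Admins by default). The domain and JennyG are from the post.
$server   = 'dc1.Microship.com'
$domainDn = 'DC=Microship,DC=com'

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()                                                      # LDP: Connection > Bind
# LDAP control 1.2.840.113556.1.4.417, what LDP loads as "Return deleted objects"
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

function Find-Tombstone([string]$SamAccountName) {
    # Tombstones keep sAMAccountName, objectSid, nTSecurityDescriptor and lastKnownParent,
    # which is why the account can be found by name and why its folder ACLs still apply.
    $filter = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$domainDn", $filter,
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        [string[]]@('cn', 'lastKnownParent'))
    [void]$req.Controls.Add($showDeleted)
    $res = $conn.SendRequest($req)
    if ($res.Entries.Count -ne 1) { throw "expected one tombstone for $SamAccountName, found $($res.Entries.Count)" }
    $res.Entries[0]
}

function Test-ObjectExists([string]$Dn) {
    # Base-scope read of the DN; a missing (or still deleted) object raises noSuchObject.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $Dn, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('1.1'))
    try { [void]$conn.SendRequest($req); $true }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] { $false }
}

function Restore-Tombstone([string]$SamAccountName) {
    $ts     = Find-Tombstone $SamAccountName
    $parent = $ts.Attributes['lastKnownParent'].GetValues([string])[0]
    $cn     = $ts.Attributes['cn'].GetValues([string])[0] -replace '\nDEL:.*$', ''   # drop "\0ADEL:<guid>"
    $newDn  = "CN=$cn,$parent"
    # Reanimation fails if the target parent is itself still deleted: restore the OU first.
    if (-not (Test-ObjectExists $parent)) { throw "parent $parent is missing; reanimate it first" }

    # One modify with both changes; the control is attached, which is what LDP's Extended box does.
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $ts.DistinguishedName
    $undelete = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $undelete.Name      = 'isDeleted'
    $undelete.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $move = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $move.Name      = 'distinguishedName'
    $move.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$move.Add($newDn)
    [void]$mod.Modifications.Add($undelete)
    [void]$mod.Modifications.Add($move)
    [void]$mod.Controls.Add($showDeleted)
    $resp = $conn.SendRequest($mod)
    '{0}: {1}' -f $resp.ResultCode, $newDn
}

Restore-Tombstone 'JennyG'
```

The account comes back exactly as the post describes: disabled, without a password and without group memberships. On Windows Server 2003 the follow-up is dsmod user "CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com" -pwd <NewPassword> -mustchpwd yes -disabled no, then re-adding the groups by hand. To reanimate an OU with the same function, change the objectClass in the filter and search by cn instead of sAMAccountName.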

June 17, 2009

Error in Windows Server 2008 SP2 Installation

Filed under: Windows Server 2008 — Daniel Ramawidjaja @ 4:56 pm

If you experience errors when installing Windows Server 2008 SP2, such as the one below,

Error in Installing Windows Server 2008 SP2

you need to download and install the System Update Readiness Tool.
Here is the download link:


The result after installing the System Update Readiness Tool:

Windows Server 2008 SP2 installed successfully

Windows Server 2008 SP2 has been installed successfully

Windows Server 2008 SP2

Filed under: Windows Server 2008 — Daniel Ramawidjaja @ 4:28 pm

Just a copy-paste from:

Windows Server 2008 SP2

Windows Server 2008 Service Pack (SP) 2 is the latest service pack for Windows Server 2008. SP2 supports new types of hardware and emerging standards that will grow in importance in the coming months and years. Building on the solid foundation and proven security benefits of SP1, SP2 includes the latest set of system updates, ensuring your system is as secure and reliable as possible. SP2 simplifies administration by enabling IT administrators to deploy and support a single service pack for clients and servers.


What’s New in SP2?

  • SP2 adds support for 64-bit central processing unit (CPU) from VIA Technologies
  • SP2 introduces an improved power management policy that is up to 10% more efficient than the original in some configurations (both on the server and the desktop), and includes the ability to manage these settings via Group Policy
  • SP2 adds support for UTC timestamps to the exFAT file system, enabling correct file synchronization across time zones
  • SP2 adds the ability to natively record data on to Blu-Ray media
  • SP2 increases the authentication options for WebDAV redirector, enabling Microsoft Office users greater flexibility when authenticating custom applications using the WebDAV redirector
  • SP2 provides the Hyper-V virtualization environment as a fully integrated feature of Windows Server 2008, enabling customers to run one instance of the OS in the virtual operating environment (VOSE) with Windows Server 2008 Standard license, four instances of the OS in the VOSE with Windows Server 2008 Enterprise license and an unlimited number of OS instances in the VOSE with Windows Server 2008 Datacenter license.
  • SP2 improves backwards compatibility for Terminal server license keys
  • Additional Power Improvements over Windows Server 2008 RTM


You can download the Windows Server 2008 SP2 here:

New Backup Features on Windows Server 2008 R2

Filed under: Windows Server 2008 R2 — Daniel Ramawidjaja @ 2:23 am

If you have used Windows Server Backup in the first release of Windows Server 2008, you may have noticed that it lacked some features usually available in other backup software.

Windows Server 2008 R2 now comes with more of the features you may need, such as:

  • Back up the system state.
  • Back up selected folders and files.
  • Backup schedules that support network drives (shared folders).


The Windows Server Backup interface still looks similar to the previous version in Windows Server 2008, but it offers more backup options in the wizard, both for Backup Once and for Backup Schedule.
Here are snapshots to give an idea of what is different in the backup feature of Windows Server 2008 R2.


Backup Once

Backup Once, Select Items to Backup

You can back up only certain folders, or the system state only.
Backup Folders or System State only

You may also exclude certain files, folders, or files with certain extensions.

Backup can exclude files, folders, or files with certain extensions.


Backup Schedule

Backup Schedule, select items

Backup Schedule, select items

Backup Schedule, backup to shared folder

Backup Schedule, backup to shared folder
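The three wizard pages above map onto the Windows.ServerBackup PowerShell snap-in that ships with Windows Server 2008 R2, which is the better choice when the same policy has to be applied to several servers. The script below is an added example, not from the post; it builds one scheduled policy that backs up the system state and a selected folder with exclusions to a shared folder, the three new features listed above. The share, the paths and the backup account are assumptions:

```powershell
# Added example. Assumes Windows Server 2008 R2 with the Windows Server Backup feature and
# its command-line tools installed, run from an elevated PowerShell. The share, the folder
# paths and the backup account are assumptions for this example, not from the post.
Add-PSSnapin Windows.ServerBackup -ErrorAction Stop

$policy = New-WBPolicy

# 1. System state. On a domain controller this includes the AD database (ntds.dit), so the
#    destination share must be locked down as tightly as the DC itself.
Add-WBSystemState -Policy $policy

# 2. Selected folders only, with exclusions by sub-folder and by file extension.
$data    = New-WBFileSpec -FileSpec 'C:\Data'
$scratch = New-WBFileSpec -FileSpec 'C:\Data\Scratch' -Exclude
$tmp     = New-WBFileSpec -FileSpec 'C:\Data\*.tmp'    -Exclude
Add-WBFileSpec -Policy $policy -FileSpec $data
Add-WBFileSpec -Policy $policy -FileSpec $scratch
Add-WBFileSpec -Policy $policy -FileSpec $tmp

# 3. Destination: a shared folder written with a dedicated backup account. -NonInheritAcl
#    makes the backup folder accessible only to that account instead of inheriting the share's ACL.
$cred   = Get-Credential 'MINISOFT\svc-backup'
$target = New-WBBackupTarget -NetworkPath '\\backup01\ServerBackups\DC1' -Credential $cred -NonInheritAcl
Add-WBBackupTarget -Policy $policy -Target $target

# 4. Run once a day at 21:00 local time (only the time of day is used).
Set-WBSchedule -Policy $policy -Schedule ([datetime]'21:00')

# Review the policy, then commit it as the server's scheduled backup.
$policy
Set-WBPolicy -Policy $policy -Force

# The same selection as a one-off run ("Backup Once"):
# Start-WBBackup -Policy $policy
```

Two things the wizard does not make obvious: a network share target keeps only the most recent backup, since each scheduled run overwrites the previous one, so rotate to another location if you need history; and the credential stored for the share is effectively a copy of the domain controller's secrets, so treat that account and share as Tier 0.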

For more information, go here:
Windows Server Backup Overview
Applies To: Windows Server 2008 R2


June 15, 2009

Restore Deleted Objects with Active Directory Recycle Bin

Filed under: Active Directory,Windows Server 2008 R2 — Daniel Ramawidjaja @ 10:51 am
Tags: ,

Active Directory Recycle Bin is a new feature of Windows Server 2008 R2, so this tip applies only to Windows Server 2008 R2.

Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

You can restore deleted Active Directory objects by using PowerShell commands. Here are the snapshots:

Import the Active Directory module

> Import-Module ActiveDirectory

Get information about the Recycle Bin feature

> Get-ADOptionalFeature -Filter { name -like "Recycle*" }

Enable the Recycle Bin feature (this requires the Windows Server 2008 R2 forest functional level, and it cannot be disabled again once enabled)

> Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target MiniSoft.com

Active Directory Recycle Bin

For example, here I deleted the Finance OU.

Example: Delete Finance OU

List the deleted objects (the filter only excludes the Deleted Objects container itself)

> Get-ADObject -SearchScope subtree -SearchBase "cn=Deleted Objects,dc=minisoft,dc=com" -IncludeDeletedObjects -Filter { name -notlike "Deleted*" }

List the Deleted Active Directory Objects

Restore the deleted objects (note that this pipeline restores every deleted object in the domain, not only the ones that were in the Finance OU)

> Get-ADObject -SearchScope subtree -SearchBase "cn=Deleted Objects,dc=minisoft,dc=com" -IncludeDeletedObjects -Filter { name -notlike "Deleted*" } | Restore-ADObject

Restore Objects

Verify that the Active Directory objects have been restored

Verify the Restored Objects
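In a domain where more than one thing has ever been deleted, piping the whole Deleted Objects container into Restore-ADObject brings back everything, and the order in which Get-ADObject returns the objects is not guaranteed to put the OU before its contents, which Restore-ADObject needs. The function below is an added example, not from the post: it restores one deleted OU and only what was inside it, parents first. The domain minisoft.com and the Finance OU are from the post; that the OU lived directly under the domain root is an assumption:

```powershell
Import-Module ActiveDirectory

# Added example. Restores one deleted OU and everything that was in it, parents first, instead
# of every deleted object in the domain. Domain minisoft.com and the Finance OU are from the
# post; the OU's former parent (the domain root) is an assumption.
function Restore-DeletedSubtree {
    param(
        [Parameter(Mandatory = $true)][string]$OuName,
        [Parameter(Mandatory = $true)][string]$LastKnownParent,
        [switch]$WhatIf
    )
    $bin = (Get-ADDomain).DeletedObjectsContainer
    # Every deleted object lives directly in CN=Deleted Objects, so OneLevel is enough.
    $deleted = @(Get-ADObject -SearchBase $bin -SearchScope OneLevel -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true } -Properties lastKnownParent, 'msDS-LastKnownRDN')

    $root = @($deleted | Where-Object {
        $_.ObjectClass -eq 'organizationalUnit' -and
        $_.'msDS-LastKnownRDN' -eq $OuName -and
        $_.lastKnownParent -eq $LastKnownParent })
    if ($root.Count -ne 1) { throw "found $($root.Count) deleted OUs named '$OuName' under $LastKnownParent" }

    # While the OU is deleted, its former children report the OU's *deleted* DN (the one with
    # \0ADEL:<guid>) as lastKnownParent. Walking the tree breadth-first from the OU therefore
    # yields a parent-before-child order, which Restore-ADObject requires.
    $ordered = New-Object System.Collections.ArrayList
    $queue   = New-Object System.Collections.Queue
    $queue.Enqueue($root[0])
    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        [void]$ordered.Add($node)
        foreach ($child in ($deleted | Where-Object { $_.lastKnownParent -eq $node.DistinguishedName })) {
            $queue.Enqueue($child)
        }
    }

    foreach ($obj in $ordered) {
        # Restore-ADObject puts the object back under its lastKnownParent, which by now is live.
        Restore-ADObject -Identity $obj.ObjectGUID -WhatIf:$WhatIf
        '{0,-20} {1}' -f $obj.ObjectClass, $obj.'msDS-LastKnownRDN'
    }
}

# Dry run first, then the real restore of the Finance OU that was deleted above.
Restore-DeletedSubtree -OuName 'Finance' -LastKnownParent 'DC=minisoft,DC=com' -WhatIf
Restore-DeletedSubtree -OuName 'Finance' -LastKnownParent 'DC=minisoft,DC=com'

# Verify: the live OU is back (its contents were restored into it in the same run).
Get-ADOrganizationalUnit -Identity 'OU=Finance,DC=minisoft,DC=com'
```

The -WhatIf pass prints the restore order without changing anything, which is the place to notice an unexpected extra object before it is brought back to life. The same walk works for a nested OU tree, because each level's children point at that level's deleted DN.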
