Search the Community

Esteemed readers After updating multiple times a server with W2k8R2, the Security Update for .NET KB2894854 becomes available over and over again in WU (control panel). Why is this happening? Apparantly .NET version installed is 4.5.52022. Thanks for your time. Faithfully, Ivan

Good Morning Guys / Niall - I need help with an important issue, please. Our domain currently has numerous AD Groups for both devices and users. Our SCCM environment (2012 R2 SP1 CU3) has discovery set to add all of them and the default user collection "All User Groups" has 6,396 members from which I may search and locate individual groups. However - when adding a query to add a user group to a User Collection (or group with systems to a Device collection); none of the members are added to the collection. Below is the statement used which I typed in to directly specify the group: select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = "company\\ABQ-Techs" If I choose to build the query via wizard, choose User Resource, User Group Name, then click Value (which should list all User Groups), only about 10 are listed - perhaps less than a percent of the ones we have. The same applies to Device Collections as when I try to create a query to include devices in a collection and click Value after setting "Security Group Name" or "System Group Name", I get just a handful of items to pick from. I found that this post describes the exact same issue, but there's no resolution listed despite many seemingly having the issue. All discovery properties are basically at defaults and logs don't seem to show any errors. I just ran a full discovery then edited a copy of the log to include only events during the process plus change sensitive info which is attached. Any suggestions? Thanks!

I am new to active directory and I am having issues with folder rights. This is my situation - Folder Structure Folder A Subfolder B Subfolder C Share folder "A" with GrpAdmin Read only Change Security for Folder "B" with user Teacher - who is a member of GrpAdmin - to have full Control User Teacher still cannot create files in folder B. Do i need to share folder B with user Teacher?

We have a pretty basic SCCM 2012 setup for now with a single primary site with AD intergration. Things are working great but we are at the point where we would like to begin implementing security for the rest of the IT staff. I'm hoping that someone can help me with an issue that I'm having or suggest a better way of doing things. I'm new to the SCCM world and am learning as I go so if you need to ask any additional questions, please ask away. Basically, we are implementing device collections based on software needs. So if a computer requires MS Project, we have a collection to which that application has been deployed to. We then add the computer resource to that collection. The issue that I'm having is from a security perspective. Essentually, we would like to be able to have our helpdesk staff add or remove resources from these collections based on their software needs. The only way that I've been able to achive this is to give them "modify" permissions on collections via a security role. The problem with this is that they are able to modify the collection properties. I don't want them to be able to do this.... What am I doing wrong or missing? Thank you for your time.

I've been getting my info from this site for some time now. Great stuff and a big thank you for that! But I've come across a problem which I can't seem to find a solution for. I want to deploy software through AD security groups in which I put our computer objects. SCCM doesn't seem to cope with that though. You can create a user collection and link it to a security group, but then only users which are linked to the group get the software. That works just fine. I tried putting computer objects in there, but they won't get it. Only users will. Since I want the installation to be computer based instead of user based, that doesn't work for me. I then tried to create a device collection (which seems more logical to me than a user collection) and I thought I chose the perfect membership rule by using "System Resource/Security Group Name". But to my surprise no security groups are found. When I enter a wildcard in the value box, I only get to see client names. No security groups whatsoever. Security groups seem to be only linked to user collections. Why can't I see them? If the option is there, I should get to see them, right? This part really confuses me. Of course I can create device collections within SCCM as a solution, but I want to be able to manage software deployment through AD so we can drag a computer to a security group in order for the client to get the software. Is this the way it is designed, or am I overlooking something here? Or is there a way to get around this? I really hope there is, but I can't seem to find much about it on the Net. I don't understand why this doesn't seem possible. It just seems so logical. Any help/thoughts would be greatly appreciated.

Good morning, I am struggling with an issue of changing the password on my network account. I first noticed when connecting to my network share after the 'Applying image' phase, it said invalid password. So I thought I would change the service account, located in "Administration Tab -->Security --> Accounts", which is the account I use as my service account. I reset the password and tested it via the 'Verify' button. That worked, I tried deploying again, and still invalid password. It would not change. After a day or 2 of pulling my hair out, I decided to use a different service account. So, I went thru all my distro points and and everything else, to change the service account. Now I'm getting "Failed with Credential conflict" Below is a snippit of the logs I retrieved. <![LOG[==============================[ OSDCaptureCD.exe ]==============================]LOG]!><time="08:03:13.069+300" date="06-29-2012" component="OSDCaptureCD" context="" type="1" thread="776" file="osdcapturecd.cpp:114"> <![LOG[Command line: "OsdCaptureCD.exe"]LOG]!><time="08:03:13.069+300" date="06-29-2012" component="OSDCaptureCD" context="" type="0" thread="776" file="osdcapturecd.cpp:115"> <![LOG[Loading vista instructions.]LOG]!><time="08:03:13.131+300" date="06-29-2012" component="OSDCaptureCD" context="" type="0" thread="776" file="welcomepage.cpp:63"> <![LOG[Activating Welcome Page.]LOG]!><time="08:03:13.131+300" date="06-29-2012" component="OSDCaptureCD" context="" type="0" thread="776" file="welcomepage.cpp:92"> <![LOG[Verifying that this machine meets the capture requirements.]LOG]!><time="08:03:16.423+300" date="06-29-2012" component="OSDCaptureCD" context="" type="1" thread="776" file="welcomepage.cpp:141"> <![LOG[Local machine is not a domain controller.]LOG]!><time="08:03:16.423+300" date="06-29-2012" component="OSDCaptureCD" context="" type="1" thread="776" file="deployutil.cpp:569"> <![LOG[system partition is NTFS]LOG]!><time="08:03:16.423+300" date="06-29-2012" component="OSDCaptureCD" context="" type="1" thread="776" file="deployutil.cpp:494"> <![LOG[Verified deploy tools are present.]LOG]!><time="08:03:16.423+300" date="06-29-2012" component="OSDCaptureCD" context="" type="1" thread="776" file="deployutil.cpp:415"> <![LOG[Local machine is not part of a domain]LOG]!><time="08:03:16.423+300" date="06-29-2012" component="OSDCaptureCD" context="" type="1" thread="776" file="deployutil.cpp:534"> <![LOG[Activating Destination Page.]LOG]!><time="08:03:16.438+300" date="06-29-2012" component="OSDCaptureCD" context="" type="0" thread="776" file="destinationpage.cpp:97"> <![LOG[Verifying credentials can be used to write image file.]LOG]!><time="08:04:08.886+300" date="06-29-2012" component="OSDCaptureCD" context="" type="1" thread="776" file="wizardcontrol.cpp:428"> <![LOG[Deleting any existing network connections to "\\Server\File Repository\SCCM\*".]LOG]!><time="08:04:08.886+300" date="06-29-2012" component="OSDCaptureCD" context="" type="0" thread="776" file="wizardcontrol.cpp:432"> <![LOG[Verifying connection to: \\Server\File Repository\SCCM]LOG]!><time="08:04:08.901+300" date="06-29-2012" component="OSDCaptureCD" context="" type="0" thread="776" file="wizardcontrol.cpp:440"> <![LOG[Connection to "\\Server\File Repository\SCCM" failed with credential conflict. Using existing connection.]LOG]!><time="08:04:26.420+300" date="06-29-2012" component="OSDCaptureCD" context="" type="2" thread="776" file="tsconnection.cpp:328"> <![LOG[Activating Welcome Page.]LOG]!><time="08:04:26.451+300" date="06-29-2012" component="OSDCaptureCD" context="" type="0" thread="776" file="infopage.cpp:68"> <![LOG[Activating Finish Page.]LOG]!><time="08:04:54.329+300" date="06-29-2012" component="OSDCaptureCD" context="" type="0" thread="776" file="finishpage.cpp:59"> <![LOG[saving capture information in the environment.]LOG]!><time="08:04:55.296+300" date="06-29-2012" component="OSDCaptureCD" context="" type="1" thread="776" file="wizardcontrol.cpp:499"> smsts.log

For those not familiar with the Security Compliance Manager, SCM is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage your computers, traditional data center, and private cloud using Group Policy and Microsoft System Center Configuration Manager. In addition to Windows 7 SP1, Windows Vista SP2, Windows XP SP3, Office 2010 SP1, and Internet Explorer 8, SCM 2.5 now offer additional baselines for Exchange Server 2007 and Exchange Server 2010. Updated configuration baselines now include Windows 7 SP1, Windows Vista SP2, , Windows XP SP3, Microsoft Office 2010 SP1, and Internet Explorer 8. SCM 2 provides ready-to-deploy policies and DCM configuration packs that are tested and fully supported. Our product baselines are based on Microsoft security guide recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and reduce security threats. Key Features Include: Integration with the System Center 2012 IT GRC Process Pack for Service Manager—Beta: Product configurations are integrated into the IT GRC Process Management Packs to provide oversight and reporting of your compliance activities. Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project. Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature. Updated security guides: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important. Compare against industry best practices: Analyze your configurations against prebuilt baselines for the latest versions of Windows client and server operating systems, Microsoft Office applications, and Internet Explorer. Source: http://blogs.technet...a-download.aspx Download and more information: http://technet.micro...s/cc835245.aspx

TechNet Webcast: Information about Microsoft Security Bulletins for January (Level 200) Event ID: 1032499498 Language(s): English. Product(s): computer security and information security. Audience(s): IT Decision Maker and IT Generalist. Join us for a brief overview of the technical details of this month's Microsoft security bulletins. We intend to address your concerns in this webcast. Therefore, Microsoft security experts devote most of this webcast to answering the questions that you ask. Presented By: Pete Voss, Senior Response Communications Manager, Trustworthy Computing Dustin Childs, Senior Security Program Manager, Microsoft Security Response Center, Microsoft Corporation https://msevents.microsoft.com/cui/EventDetail.aspx?EventID=1032499498&culture=en-US

Hi everybody! We have a SCCM 2007 R2 environment with nearly 20 secondary sites under 1 central site. Now it comes to security permissions delegations to the local admin at the local sites that they can do their Windows 7 Rollout. I created a security structure in SCCM with a flat hierarchie of groups in the AD. For the moment it works fine. A few days ago we had the situation that seems to clear all PXE flags to the "All Systems" collections. Many machiens that will get an OS over a Task Sequence were still in the OS Deployment collection (mandentory advertised), that means that these machine would have get a new OS after the next PXE request (default value!). In the end nothing happens, because we noticed that very fast. I just stopped our local WDS Service and deleted the direct membership of the machines in the OSD collections. Pig had I'm very scared about that, because the next time that happens we may be not so fast. The first question that I have: How can I figure out who deleted the PXE flag? I searched in several log files, queried the Status Messages, but nothing. Anybody knows where I can find that? The second interesting is: How can I prevent that a delegated user (also like everybody!) can clear the PXE flags on a completly collection?? (What also might be possible to use a script that the direct membership of the computers will be deleted after a successful OSD. I guess I saw somewhere a script like this...) Thanks in advance! Christian