Archive for the ‘Active Directory’ Category

View MSS group policy settings in a Domain controller GPMC

October 5, 2013 5 comments

View MSS group policy settings in a Domain controller GPO

By default, MSS settings are not visible in Group Policy (GPO). MSS settings are used to harden DCs. They would normally appear under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

MSS settings can be viewed using the LocalGPO Tool (LGT). The LocalGPO tool is available in the SCM (Microsoft Security Compliance Manager) package.

Follow the steps below to make the ‘MSS’ settings available in your domain controller GPO or any other GPO.

Step 1: Download the Microsoft Security Compliance Manager and install it on member of or any Windows 7 workstation

Download Link: < >

Step 2: Navigate to the SCM installation directory (c:\Program Files\Microsoft Security Compliance Manager\LGPO) and copy LocalGPO.msi to the domain controller.

Step 3: Run LocalGPO.msi.

Step 4: After LocalGPO is installed, locate its installation folder, such as C:\Program Files (x86)\LocalGPO.

Step 5: Configure the Security Configuration Editor to display the MSS settings on your DC.

a. Open a command prompt as an administrator.

b. Change to the LocalGPO folder with the command CD C:\Program Files (x86)\LocalGPO
and then run the command below:

Cscript LocalGPO.wsf /ConfigSCE

Check for success or failure by referring to the following screenshot.

The MSS settings are now visible under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.


Active Directory Certificate Services setup failed with the following error: The parameter is incorrect. 0x80070057 (WIN32: 87)

August 11, 2013 3 comments

Installing the CA Web Enrollment role fails with the following error when migrating or restoring a CA:

Cannot install Certification Authority Web Enrollment
Active Directory Certificate Services setup failed with the following error: The parameter is incorrect. 0x80070057 (WIN32: 87)



Modify that registry setting with the following certutil command from Windows PowerShell or a command prompt run as Administrator:

Step 1: Open a Command Prompt window as administrator.
Step 2: Type the command certutil -setreg config\setupstatus 0x6001 and press Enter.
Step 3: Restart the certificate service: net stop certsvc && net start certsvc

“Access Denied” Error Message During Active Directory Demotion

July 23, 2013 1 comment

Decommissioning a Windows 2008 DC failed with the following error.

Error – Active Directory Domain Services could not configure the computer account …$ on the remote Active Directory Domain Controller . (5)

NtdsDemote returned 5

DsRolepDemoteDs returned 5

[ERROR] Failed to demote the directory service (5)


In my scenario, the above error was due to the affected domain controller object having “Protect object from accidental deletion” enabled. Demotion of the DC worked once the protect-from-deletion option was unchecked.

Change Outlook Calendar work Week and the work time through Group Policy

July 19, 2013 14 comments

In most countries, the work days are Monday to Friday and the weekend includes Saturday and Sunday. But in Saudi Arabia and other Middle East countries, the official work days are Sunday to Thursday. By default in Microsoft Office Outlook, the work week is set from Monday through Friday with a work day extending from 8 A.M. to 5 P.M.

So how can the default Outlook work week and work time settings be changed automatically for all users?

By using customized Group Policy ADM templates, the work week can be set, for example, from “Sunday until Thursday”.

How to view and export Active Directory Delegated Permissions?

June 11, 2013 3 comments

How to view and export AD delegated permissions assigned to an OU?

Let’s check which permissions have been delegated to an OU.

View delegated permissions assigned to an OU

1. Open ADUC, click the View menu and check Advanced Features.

2. Locate the specific OU, right-click it and choose Properties.

3. Click the Security tab, then click Advanced. All the permissions, including the delegated permissions, are listed.

Export all permissions assigned on a specific OU to a text file

We can also use the dsacls tool to export the full security ACL of a specific OU to a text file.

Open a command prompt on the DC and run dsacls "<distinguished name of the OU>" > c:\acl.txt

Syntax example:

dsacls "ou=Marketing,dc=seneej,dc=com" > c:\acl.txt

The dsacls tool is used to view and edit the security ACLs of AD objects.
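For a review of what has been delegated, a structured export is easier to filter than the dsacls text dump. The following is an added example, not part of the original post: it uses Get-Acl on the AD: drive (ActiveDirectory module) instead of dsacls, keeps only the explicit (non-inherited) ACEs on the OU, and flags those that grant control-level rights. The function name, the choice of rights treated as high risk and the CSV path are assumptions.

```powershell
# Added example, not from the original post.
# Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Export-OuDelegation {
    param(
        [Parameter(Mandatory = $true)][string]$OuDn,
        [Parameter(Mandatory = $true)][string]$CsvPath
    )

    # Rights that give a trustee effective control over objects in the OU
    # (this selection is an assumption; adjust it to your own review policy).
    $highRisk = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner' |
        ForEach-Object { [System.DirectoryServices.ActiveDirectoryRights]$_ }

    $acl = Get-Acl -Path "AD:\$OuDn"

    $acl.Access |
        Where-Object { -not $_.IsInherited } |   # explicit ACEs only
        ForEach-Object {
            $ace  = $_
            $bits = [int]$ace.ActiveDirectoryRights
            # A right matches only if every one of its bits is present in the ACE.
            $hits = $highRisk | Where-Object { ($bits -band [int]$_) -eq [int]$_ }
            [pscustomobject]@{
                Trustee             = $ace.IdentityReference.Value
                Type                = $ace.AccessControlType
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = $ace.ObjectType           # GUID of attribute/class/extended right
                InheritedObjectType = $ace.InheritedObjectType  # GUID of the child class it applies to
                AppliesTo           = $ace.InheritanceType
                HighRisk            = ($ace.AccessControlType -eq 'Allow') -and [bool]$hits
            }
        } |
        Sort-Object HighRisk, Trustee -Descending |   # high-risk rows first
        Export-Csv -Path $CsvPath -NoTypeInformation
}

# OU taken from the post's dsacls example; the CSV path is an assumption.
Export-OuDelegation -OuDn 'ou=Marketing,dc=seneej,dc=com' -CsvPath 'C:\ou-acl.csv'
```

Rows with HighRisk set to True for trustees other than the built-in administrative groups are the delegations to review first.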
