Delegate lock/unlock privilege to users or group

In this article, we will go through the steps needed to delegate account unlocks using “Active Directory Users and Computers” console. If you want to delegate account unlocks to a particular user or a group in Active Directory, you will first have to make the right visible in this console.

All the rights attribute that can be made visible in Active Directory Users and Computers are stored in the “%windir%\System32\dssec.dat” file. The rights’ attributes are grouped under headings surrounded by square brackets (for example, [user], [computer] etc.). The value filter for each attribute is:

  • 0 – Read and Write is visible
  • 1 – Write is visible
  • 2 – Read is visible
  • 7 – Attribute is hidden

To modify the filter, open dssec.dat file in Notepad. Under the [user] heading, find the lockoutTime attribute. Change the value of the filter to 0 (lockoutTime=0), by default the value is 7. Save the changes and close the file.

For delegating the unlock account right

1. Open “Active Directory Users and Computers”
2. Right-click the Organizational Unit or domain in “Active Directory Users and Computers”. From the context menu, select “Delegate Control”
3. “Delegation of Control” wizard opens up. Click Next on the Welcome dialog box to proceed
4. Click “Add” to select the user/group to which the right will be assigned. Type the name of user or group you want to add and click “Check Names” button to verify itClick “OK”.

This takes you back to the wizard. Click “Next” to go to the next page.

5. In this step, you will have to choose the tasks. Select the 2nd radio button, Create a custom task to delegate, and click Next
6. Select the 2nd option, which is Only the following objects in the folder. Select User objects in the list, and click Next
7. Select the Property-specific checkbox and ensure that only this checkbox is selectedIn the Permissions list, check both the Read lockoutTime and Write lockoutTime boxes, and click Next.

8. On the Completing the Delegation of Control Wizard dialog box, click Finish to close the wizard

Unlocking a user’s account

To unlock a user’s account, first login to the system. Open Active Directory Users and Computers. Right-click on the User whose account you need unlocked and select Properties from the context menu. In the Properties window, click on the Account tab. Select the Unlock Account checkbox. Here you will find written that this account has been locked in this ADDC. Click Apply and OK to unlock the account.


In this article, we have gone through the steps by which you can delegate the Account Read lockoutTime and Write lockoutTime right to a user or a group for a given domain or OU. As account policies are domain-specific, this account lockout policy will be implemented in the entire domain. However, this delegation will not affect rights or policies in other domains, even in the domains of the same forest or if this domain is a forest’s root.

You can also take help of LepideAuditor to unlock the user account and to know what all user accounts would be locked out. Lepide Active Directory Self Service lets you delegate the rights to unlock the user account to other users easily and also allows the users to unlock their account themselves at the logon screen itself.


Create a SAN certificate signing request for IIS web server

How to create a SAN certificate signing request for IIS web server?

  • Open Certificate MMC snap in for your computer
    • Click on Start – Run – MMC – File – Add/Remove Snap In – Select Certificates – Click Add – Select My Computer
  • Click on Personal – All Tasks – Advanced Operations – Create Custom request

  • Click next in Certificate Enrollment Wizard’s welcome window
  • Select “Proceed without enrollment policy” under Custom Request & click next
  • In Custom Request window Select (No template) Legacy key & PKCS #10 as request format
  • And Click Next

  • In Certificate Information Page click the Details icon then Properties. It will open up Certificate Properties window, where we can define different attributes.

  • Under Private Key, select key size. Over here I just left it as default. You may like to select 4096 for production servers.
  • Under Key Type select “Exchange

  • Under Extension tab select Extended Key Usage; add Server Authentication from the available options.

  • Under Subject Tab we will be defining our multiple DNS names for the certificate
  • From Drop down Subnet Name section select Common Name & type the value. Preferably the primary domain name & then click Add.
  • Under Alternative Name select DNS type all alternate DNS Names & add them.

  • Under General Tab type a friendly name.
  • Better to keep add a * in front of the friendly name now. It will help you to bind the certificate from IIS graphical user interface to all websites using same IP & port 443. If you don’t do this now, no worries, you can do it later or you can use Commadline tool to bind this cert. I have discussed the same in certificate installation/import post.
  • Click okay & In certificate information window click next

  • Give a file path to save this certificate request 7 select Base 64 as file format

  • It will generate “.req” file, you can open this file using notepad.
  • You use this file to generate your SAN certificate from external public certificate authority or from your internal certificate authority server.

How to Repair Server 2012 DFS Replication after Dirty Shutdown and Journal Wrap

How to Repair Server 2012 DFS Replication after Dirty Shutdown and Journal Wrap


When a server 2012 stops replicating with another member, changes are entered into a journal database. If the replication process does not begin in a timely manner, the journal database runs out of space and begins to overwrite itself. In DFS parlance this is known as a journal wrap. Once the journal is wrapped, it’s rendered ineffective.

In this blog, I will demonstrate how to begin a new replication process. This of course, is a last resort, since data will have to be replicated across all member servers. However, if you find yourself in a situation that merits such action, the steps are outlined below.

In this scenario, we make the following design assumptions:

  • We have two servers replicating across WAN connection, a source server and a target server.
  • Both have Windows Server 2012 operating systems.
  • The two servers stopped replicating long enough to cause a journal wrap.

After a dirty shutdown (loss of power), the DFS Replication will not commence automatically. It’s needs to be started manually instead. You will know that you are in a dirty shutdown state because you will see the following error in the DFS replication log of the server that is hosting the DFS:

Event 2213 The DFS Replication service stopped replication on volume… This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled.


When you encounter a dirty shutdown error, it’s best to resume the replication process and wait to see if the replication begins again. If the journal is not in a wrapped state, the replication should begin to work. Please note that you should have a backup of all data located in both the source and target server before beginning the recovery processes that is outlined below.

How to Resume from a DFSR Dirty Shutdown State

To resolve the dirty shutdown state, scroll down to the bottom of the Event 2213 error message. Copy the entire WMIC command in step 2, including the GUID to the clipboard. To do this, highlight the entire text and press CRTL+C.


Next, run Windows PowerShell as an administrator. In PowerShell type the command CMD and press enter (this is due to the fact that WMIC will not run from PowerShell natively, it requires the command prompt)

Next, right click on the PowerShell screen and paste the clipboard contents. Once the WMIC command has been pasted, press enter to execute the command.

Once the command is executed successfully, it should return a value of 0.


Monitor your replication folders until you feel that they are all replicating once again. There may be a replication backlog so be patient, replication may take longer than usual. If after waiting sufficient time, some or all of the replication folders are failing to replicate, the folder’s corresponding journal database may be in a wrapped state.

Recovering DFS-R Replication from a Wrapped Journal State

The database that keeps track of DFS-R changes is located in the corresponding replicated folder in a hidden file. We will need to delete this folder from both the source and target servers. This is an easy recovery method however, it should be noted that if user’s have made changes in both the target server’s data, it will be lost and replaced by the data that is located on the source server. For this reason, you should keep a copy of the replication data from all replicating members.

To begin, open the DFS management console and locate the replication group that is not working. Right click on it and select delete. Don’t worry, the contents will not be deleted.


After you have deleted replication group, open the folder on the authorative (source) server (the authorative server is the one that contains the most update versions of all replicated files), . Select View-> Options-> View Tab and Show hidden files to display the Dfsrprivate subfolder folder. This is the folder that contains the journal database.


In order to delete this folder, we must first stop the DFS-Replication service. Open the services management console (services.msc) and stop the DFS Replication service.


Once it’s stopped, delete the DfsrPrivate sub folder. DO NOT delete the data files, we need those to seed the replication process.

Now, for each replicating member (non-authorative server), stop the DFS-Replication service, locate the replicating target folder and rename it to .old. This way you have a copy of the data in case some files were updated on multiple servers during the time that the servers were not replicating and you need to go back to find it.

Create a new folder and share it, this will be the new target folder. Do this for each replicating member server.


When finished, re-start the DFS-Replication service on all of the servers.

Go back to the DFS Manager, right click on the DFS Namespace and select new folder. Name the folder and click on the add button to find the target location. Point the target to the corresponding folder on the authorative server. Expand the folder and make sure that you do not see the DfsrPrivae subfolder. if you properly deleted it as outlined prior, it should not be shown.


Click OK to add the target folder. next, right click on the newly created folder under the DFS namespace and select add folder target. Navigate to the replicating member server and look for the target folder. This folder should be empty.


After you click OK, you should be prompted by the replication group creation dialog box. Proceed to create a replication group with your desired settings.


When finished, open the target locations side by side using a UNC path and monitor the progress.


After a few minutes, you should see a new DfsrPrivate folder appear on the authorative server’s target folder, indicating the creation of a new journal database. Shortly after that, your files will begin to replicate to their target locations.


Extra dat – how to auto/schedule push to clients



I’ve installed the Extra dat for the Petya ransomware that is on the internet at the moment.  I normally have to highlight all the PC in ePo > Update > choose the dat file and push.

How do I get this to automatically get pushed when the agent checks in?  the normal sdat does get automatically push when the a new sdat come into the ePolicy server though.

  • Hello,


    This sounds like what I need.  I found these instructions, but set the run immediately with a randomise of 15mins as we have 500 PCs.  Does t look good?


    First, under Menu –> Policy –> Client Task Catalog, Hit the ‘New Task’ button at the bottom of the page. Select ‘Product Update’ and hit ‘OK’. Name your new task (I chose Deploy Extra.DAT). See the attached picture for settings. Then save.

    Next, Go to ‘System Tree’, and choose ‘Assigned Client Tasks’ at the top of the page. Click ‘Actions’ at the bottom of the page, and choose ‘New Client Task Assignment’. Choose ‘McAfee Agent’ in the first column, ‘Product Update’ in the second, and you new task (Deploy Extra.DAT) in the third, then click ‘Next’. Set Schedule Type to ‘Run Immediately’, and if you have many systems, you’ll want to check ‘Enable Randomization’ and set the interval over which you want ePo to spread out the deployment (Keeps you from flooding your network). Click ‘Save’.

  • t is good to set randomization. I had over 1700 systems and set mine to 10 minutes. I did perform a wakeup call to groups of 200 systems at a time. Didn’t notice any real slow down on my ePO server when deploying the extra.dat. Managed to get it out to 1700 system within about 45 minutes. What you are doing looks good.

  • How can I tell it has been installed on the client machines without visit them?  For example I can see my laptop has the extradat, but via the ePo server I can see where this might show?

  • What I did was to create a query that lists the extra.dat and called it find Ransomware extradat. Below are some screen captures.


    when run, it will list if the system got the ransomware extra dat as shown below;


Delegating the permission to generate Group Policy Results of Computer Configuration for domain users

Delegating the permission to generate Group Policy Results of Computer Configuration for domain users

By default, domain users cannot generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration due to insufficient permissions. Only users with local administrator rights on the target computer can remotely access Group Policy Results data.
Figure 1: Gpresult of a domain user
Figure 2: The warning of “Resultant Set of Policy
Figure 3: “Resultant Set of Policy” is being processed
Figure 4: The result of “Resultant Set of Policy
To allow domain users generating the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration, we can delegate the permission for domain users by using GPMC. The permission can be assigned in a domain or organization unit level.
Remark: To delegate the permission, make sure the forest functional level of the domain environment is Windows Server 2003 or later.
Allow the domain user,Terry, reading the “Group Policy Results” of Computer Configuration in “Win7 Workstations” OU.
Lab environment
  • 1 domain controller named DC02 which is installed Windows Server 2008
  • 1 workstation named W701 which is installed Windows 7 is under Win7 Workstation OU
  • 1 server named FS01 which is installed Windows Server 2008 R2 is under Computer container
  • 1 domain user account named Terry
1. On DC02, log in as Domain Administrator.
2. Launch “Group Policy Management Console“.
3. Expand “Forest > Domains > Domain Name > Win7 Workstations“.
4. Select “Delegation” tab.
5. Next to “Permission“, select “Read Group Policy Results data“.
6. Click “Add“.
7. In “Select User, Computer, or Group” window, enter “Terry“.
8. On “Add Group or User” window, next to “Permissions“, select “This container and all child containers“.
Remark: The child OU of “Win7 workstations” will inherit the permission because “This container and all child containers” is selected.
9. Click “OK“.
10. Click “Advanced“.
11. Next to “Security“, select “Terry“.
The “Generate resultant set of policy” permission is granted Terry.
12. Click “Cancel“.
Now, Terry can generates the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration on workstations which  is under “Win7 Workstations” OU.
Test result
1. On W701, log in as Terry.
2. Launch “Command Prompt“.
3. Perform “gpresult /r“.
The “Group Policy Results” of Computer Configuration can be generated by Terry.
4. Perform “rsop.msc“.
When the “Resultant Set of Policy” is being processed, there is no warning message. Terry can generate “Resultant Set of Policy” of Computer Configuration.
5. Log out W701.
6. On FS01, log in as Terry.

7. Launch “Command Prompt“.
8. Perform “gpresult /r“.

9. Perform “rsop.msc“.
Because the “Generate resultant set of policy” permission isn’t granted on domain level, Terry cannot generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration.
For more information:
Delegation and policy-related permissions