Windows 10: Unable to authenticate as administrator, multiple devices, multiple clients, domain and non...

Hi All,


First time posting here, but though as there is absolutely no information from Microsoft and seems like no other forums have picked up on this I will tell you a story about my frustration. Summery is below if you don't want to read it all.


We started getting strange error late last year, about August/September. What was happening was when logged in as a user no admin rights and helping them install the software using domain admin credentials the installation just pops up with an error the error is always different, but usually related to unable to access a folder or file.


Checking the event logs we found that there was a particular dll that was causing this error credprovhost.dll. As it was only one client at the time, we thought it was a faulty installation so we rebuilt the device and all was good.


A week or two later, the same issue propped up on device belonging to another client then two more clients, even for new clients that we had taken on board and had never touched their devices.


And for every client, it was always the credprovhost.dll that was causing the issue.


We found the only solution so far is to either run SFC scan and DISM to try and fix the problem, but so far we have had 50/50 success rate with this. The other method, which is not ideal is to get a working dll from another machine on the same domain as the affected device, go into recovery, open a command prompt and overwrite the dll.


Since then we have had many devices with the same issue as it and we are all pulling out our hair to resolve this as it makes our work harder and clients are frustrated due to this. We have not found another dll that is causing the issue, and surprise surprise it's from the same group of dll the last one was in cp.dll.



Summary:



Issue: Unable to authenticate whilst on user profile domain and non-domain

Error: Cannot access a file or folder during installation or if opening a windows feature e.g. device manager, will ask for credentials, pause a moment and then the device manager would disappear without error. Error is in Event Viewer

Event Log: shows that the errors are with two dll files eithercredprovhost.dll or cp.dll

What works: replacing the dll file with a working dll file from a computer on the same domain.

What works sometimes: running SFC scan and DISM


Hopefully, the information I've provided is clear, my main thing is that I would like to know if others have also faced this or a similar issue as I really would like Microsoft to engage us on this.

:)

 

Cloning without Sysprep and deploy it on multiple no-joined-domain PCs

I would like to know if I can install windows 10 on a device (let's say reference device) with a master key (Volume key) and then install the software, create the users, configure the local group policies and finally CLONE it without Sysprep (I believe Sysprep removes some local user group policies and registry settings related to users profiles) and deploy it on multiple non-joined-domain devices with similar hardware specs?

• The main reason that I don't want to do sysprep is that the devices (Standalone disconnected Kiosks) have 3 or 4 local user accounts with different user account groups and security settings and probably different shells.

 

Raising the windows domain and forest issues?


hi,

I run a domain that was all 2003 r2 servers. I recently upgraded all my domain controllers to windows 2012 r2.
That went off without any problems.. Our trust relationships had no issues also.

My first step was to raise the Domain and Forest levels past 2003 to 2008. This went off without a hitch.
These are the features for raising the levels to 2008:

• Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
• Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
• Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
• Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

Forest Level Windows Server 2008

• Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.

My next step is to raise the domain and forest to 2008 r2, then 2012, and finally 2012 r2. I have been trying to find out exactly what I could expect from raising the Domain and Forest for each step.

The step involving 2008 r2 seems relatively a non issue. But getting the couple of new features seem very nice

Domain Level Windows Server 2008 R2

• All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features

Forest Level Windows Server 2008 R2

• All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:

• Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. <== New Feature very cool
• All domains subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

Here is my big concerns for the next raising of domain and forest to 2012.

Forest Level Windows Server 2012:

• All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
• All domains subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Domain Level Windows Server 2012 R2: <=====Need to investigate more and why this post

• DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

• Authenticate with NTLM authentication <==============(what issues may arise)
• Use DES or RC4 cipher suites in Kerberos pre-authentication
• Be delegated with unconstrained or constrained delegation
• Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Will this affect my exchange anywhere users with remote access authenticating either clear of NTLM???
and what would/may not to work properly day 1 when I raise the domain and forest to 2012. I cant really find anyone that can answer a straight question.

Has anyone gone through this? what problems did you have, if any , if a lot???

Any thoughts and suggestions will be much appreciated??

thanks


- - - Updated - - -

One more point... I am not sure if I posted this to the correct forum.. So if I was wrong and it should be in a different one..
PLEASE LET ME KNOW

 

Unable to configure WinRM on domain user

Hi everyone,

I'm unable to configure WinRM on a domain computer. I have a simple domain with

1) Windows server 2012

2) A client running Windows 7

If I try to run WinRM on the local Administrator, everything works fine, but if I switch to a domain user, than problems occured.

For example, if i run winrm quickconfig in powershell as the domain Administrator, then I get:

WinRM already is set up to receive requests on this machine.

WSManFault

Message = WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use

HTTPS transport.

Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following command: winrm help config.

Error number: -2144108387 0x8033809D

An unknown security error occurred.

When i run it as local admin, everything goes well.

So, what am I missing?