Search This Blog

May 29, 2015

After migrating to EXO users cannot change the DL they should be as owners/manager

Scenario: Many users after migrating to EXO will call to Service Desk asking why they lost the permissions to change the Distribution List.

They will investigate and confirm the permissions are right and nothing was change, right? No, wrong. This/These users were migrated to EXO and they cannot access the DL on-premises.

To solve this situation follow the simple instructions:


Open the CMD and type the following
"C:\Windows\System32\rundll32.exe dsquery,OpenQueryWindow"

Apr 27, 2015

After migrating users to O365 the Lync Client 2013 (on-premises) stopped displaying the meeting icon

In a hybrid scenario where you can have different version of Office installed on your machine you may notice a new issue with Lync Client.

In this particular scenario, and I believe only at the company that I'm working we have that. See below:

Win7 and Office 2010 + Lync Client 2013 (we have a Lync 2013!)

In that scenario after moving the Exchange mailbox (on-premises) to a new Exchange Online environment all users cannot see the meeting icon in their Lync Client.

That happens because the EWS cannot contact the properly both environment.


• As a workaround changed the default URL to use HTTPS instead:
• With this key set the calendar icon appears and EWS status shows OK in Lync configuration information

That key already exist in Office2013! :)

Apr 13, 2014

Error 1207 ID - The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements

Here a way to find out and fix the pain in the ass ID 1207 when you don't have the default access denied message. That it's to help who has the following error below: Hope it helps.

ID 1207 being logged on the DAG member servers (Host Owner) each 15 minutes.Even if you tried move the "Cluster Group" to another servers the ID still being generated on the server that now it's hosting the "Cluster Group"

Log Name:      System
Source:        Microsoft-Windows-FailoverClustering
Date:          4/12/2014 2:33:32 PM
Event ID:      1207
Task Category: Network Name Resource
Level:         Error
User:          SYSTEM
Description: Cluster network name resource 'Cluster Name' cannot be brought online. The computer object associated with the resource could not be updated in domain '' for the following reason:
Unable to update password for computer account.
The text for the associated error code is: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
The cluster identity 'DAG01$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.

<Troubleshooting Actions >
The first though was review all the permissions and compare the DAGs account with the EUR since the EUR Servers was not generating any ID 1207 on the DAG members servers.
Second step was review the cluster.log and check the communication between the server impacted and domain controler (PDC).

000021a8.00003948::2014/04/12-14:26:09.160 INFO  [RES] Network Name <Cluster Name>: Trying to find computer account DAG02 object GUID(913b4ecd1bd89047a6186b15a9f69e21) on any available domain controller.
000021a8.00003948::2014/04/12-14:26:09.300 INFO  [RES] Network Name <Cluster Name>: Found computer account DAG01 on domain controller \\
000021a8.00003948::2014/04/12-14:26:09.300 INFO  [RES] Network Name <Cluster Name>: Trying to obtain the VSToken for Core Cluster Name resource
000021a8.00003948::2014/04/12-14:26:09.316 INFO  [RES] Network Name <Cluster Name>: GetCoreNetnameObject_VSToken returning status 0
000021a8.00003948::2014/04/12-14:26:09.316 INFO  [RES] Network Name <Cluster Name>: Obtained the security token for cluster name account.
00001a5c.00004e2c::2014/04/12-14:26:12.373 INFO  [GUM] Node 5: Processing RequestLock 7:211485
00001a5c.00004e2c::2014/04/12-14:26:12.373 INFO  [GUM] Node 5: Processing GrantLock to 7 (sent by 5 gumid: 11988005)
00001a5c.00001d1c::2014/04/12-14:26:12.623 INFO  [GUM] Node 5: Processing RequestLock 3:223687
00001a5c.00004e2c::2014/04/12-14:26:12.623 INFO  [GUM] Node 5: Processing GrantLock to 3 (sent by 7 gumid: 11988006)
000021a8.00003948::2014/04/12-14:26:14.760 ERR   [RES] Network Name <Cluster Name>: Unable to update password for computer account DAG02 on DC \\, status 2245.
00001a5c.00002eb4::2014/04/12-14:26:14.776 INFO  [GUM] Node 5: Processing RequestLock 5:221212
00001a5c.00001d1c::2014/04/12-14:26:14.776 INFO  [GUM] Node 5: Processing GrantLock to 5 (sent by 3 gumid: 11988007)
000021a8.00003948::2014/04/12-14:26:14.776 WARN  [RES] Network Name <Cluster Name>: Automatic Password rotation failed with status 2245.Will retry in  2245 seconds
000021a8.00003948::2014/04/12-14:26:14.776 INFO  [RES] Network Name <Cluster Name>: TimerQueueTimer rescheduled to fire after 900 secs

After reviewing the PDC server and capture network traces between the PDC x EX01, we could see the communications were working fine.
Reviewed the code error 2245 and that means the object could not reset the password account.

Found the "Computer Account" in the 'userAccountControl' attribute was set with the incorrect value (0x220 - for User Account).

Using as example another DAG01, the first pic show the wrong configuration

This second picture show us how is the correct value. Checked and the ID 1207 has been generated only for DAG02 servers.

One part of the symptom was when we try find the DAG0X account using the ADUC snap-in the return value is empty. After resetting the value we can find the computer account in the ADUC snap-in.

UserAccountControl must be changed from 0x220  to 0x1000 value.
Now you can see the account as Workstation/Server Computer Account under ADUC snap-in.

Aug 29, 2012

Outbox remains items or duplicate itens in Outbox folder

Hello Everyone,

It's one more issue that we need some help from Microsoft to identify and try make the easy as possible to end users. You will see during the description below


  • Some end users cannot send emails because their Outbox Folders (when view with cache mode disabled) has more than their Default limit size and their messages looks like duplicated. Messages were already sent but still being archived under Outbox folder.
  • This symptom has been increased the number of the user impacts since they were migrated to Exchange 2010 Mailbox.



General recommendations to narrow down the causes as follows:

  1. Verify the users have only one Outlook client open for their mailbox.  If they have multiple workstations with Outlook open, instruct them to only have one open at a time.

  1. Verify if the affected users are on Outlook 2007 or Outlook 2010
  2. For users on Outlook 2007, educate users in Cached mode to avoid: known causes and help them to change their behaviors to prevent them from triggering the failure:
    1. Avoid Rules on items as they are sent
    2. Avoid moving items you have sent without waiting a significant amount of time (5 minutes or more)
    3. Do not have your Outlook/Exchange profile configured to deliver mail to a PST
    4. Do not select the option “In folders other than Inbox, save replies with original message”

  1. Even if users are updated to Office 2010, they still need to avoid having their mail delivered to PST or they can see similar symptoms
  2. Go ahead and deploy the SendOne reg key for Outlook 2007 users.  This is the KB948984 you already have noted below and will help mitigate many of the known issues in that version.



Used the article and apply the registry 'SendOne' = 0 and restart the Outlook. After applying the SendOne reg key to your Outlook 2007 users, continue periodically reviewing the Mailbox Folder Statistics for the Outbox folder counts to verify the counts are no longer growing. 

Outlook 2007 attempted to optimize the submission process with Exchange and it left some openings for certain client/user behaviors to interrupt that optimization.  The “SendOne” reg key reverts to Outlook 2003 and prior cached behavior and removes the submission optimization.
PS: After deploying the registry entry for end users you should instructed the end users to cleanup their Outbox. Probably it will not be an easy way.

Aug 20, 2012

Use Mailbox Search to Delete Messages

Hello ALL,


Sometimes in the Exchange organization you have to find and delete some emails that someone sent by mistake, delete inappropriate or potentially harmful e-mail messages sent to multiple mailboxes across their organization and you have to do this ASAP to avoid this email be read for people supposed to NOT read.

Below a short example about how to find and delete email was sent by mistake.


Scenario: Delete for all users under OU (let’s call "São Paulo") the email with the subject "MARCELOCHANGTESTE" .


PS:  Can't use Multi-Mailbox Search in the Exchange Control Panel for this purpose, but, in Windows PowerShell, can do it, using theSearch-Mailbox cmdlet with the DeleteContent switch parameter.


Important: When use the Search-Mailbox cmdlet with the DeleteContent parameter, messages are permanently deleted from the user's mailbox and can't be recovered.




First you need have the correct permission to execute the cmdlet 'search-mailbox'. To do this you have to add the permissions below:

Assign the required RBAC roles

Mailbox Search   This role allows search for messages across multiple mailboxes in your organization.Administrators aren't assigned this role by default. To search multiple mailboxes, add yourself as a member of the Discovery Management role group.

Mailbox Import Export   This role allows delete messages from a user's mailbox. This role isn't assigned to administrators by default. To delete messages from users' mailboxes, add the Mailbox Import Export role to the Organization Management role group.




In that case added the Roles under the Organization Management role group.

Without the Roles above it's not possible run the cmdlet.


Commands and Results:

The following command searches all mailbox under the OU "SaoPaulo" for messages with a specific value in the Subject line “in that case MARCELOCHANGTESTE”and then sends a message with the results to the target mailbox.

Get-Mailbox -OrganizationalUnit "mpc.lab/Organizations/Users and Groups/SaoPaulo" |Search-Mailbox -SearchQuery 'Subject:"MARCELOCHANGTESTE"' -TargetMailbox "MCHANG" -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full


RunspaceId       : 0d671b70-775b-4a66-84e9-ae3d8bddc407

Identity         : mpc.lab/Organizations/Users and Groups/SaoPaulo/JOAODASILVA

TargetMailbox    : mpc.lab/Organizations/Users and Groups/SaoPaulo/MCHANG

TargetPSTFile    :

Success          : True

TargetFolder     : \SearchAndDeleteLog\UserName UHT-6/16/2012 6:21:18 PM

ResultItemsCount : 14

ResultItemsSize  : 119.8 KB (122,687 bytes)

The following command searches for messages with the subject line  and then permanently deletes them.

Get-Mailbox -OrganizationalUnit "mpc.lab/Organizations/Users and Groups/SaoPaulo" |Search-Mailbox -SearchQuery 'Subject:"MARCELOCHANGTESTE"' -DeleteContent

RunspaceId       : 0d671b70-775b-4a66-84e9-ae3d8bddc407

Identity         : mpc.lab/Organizations/Users and Groups/SaoPaulo/JOAODASILVA

TargetMailbox    :

TargetPSTFile    :

Success          : True

TargetFolder     :

ResultItemsCount : 8

ResultItemsSize  : 113.9 KB (116,677 bytes)


Additional Information



Use Mailbox Search to Delete Messages

Pasted from <>

Search For and Delete Messages from Users' Mailboxes

Pasted from <>

Mar 19, 2012

Logging event id 1069 and 1558 every 15 minutes


    I'm posting a new issue that I saw in few days and was solved with a solution that it's not so simple. Actually the solution is simple but the way to do that in same cases could create a second problem :)

    Let's check the scenario and actions takens.


    Getting Events 1069 and 1558 logged every 15 minutes on the server USPHXE0251 which has the Cluster Group.
    In this scenario we had Exchange 2010 DAG impacting but these "errors" can appears on SQL or any Cluster activity.

    Typed "cluster res" command
    Listing status for all available resources:

    Resource             Group                Node            Status
    -------------------- -------------------- --------------- ------
    Cluster IP Address   Cluster Group        E0251      Online
    Cluster Name         Cluster Group        E0251      Online
    File Share Witness (\\\ Cluster Group      E0251      Online

    Log Name:      System
    Source:        Microsoft-Windows-FailoverClustering
    Event ID:      1069
    Task Category: Resource Control Manager
    Level:         Error
    User:          SYSTEM
    Description: Cluster resource 'File Share Witness (\\\' in clustered service or application 'Cluster Group' failed.

    Log Name:      System
    Source:        Microsoft-Windows-FailoverClustering
    Event ID:      1558
    Task Category: Quorum Manager
    Level:         Warning
    User:          SYSTEM
    Description: The cluster service detected a problem with the witness resource. The witness resource will be failed over to another node within the cluster in an attempt to reestablish access to cluster configuration data.

  1. In this case my Failover Cluster is running with Exchange 2010 SP1 and we've configure the Quorum with FSM option. The File server is Hub Server.

  2. Actions Takens

    • Looking to HUB server (Witness Disk Servers) we see the following drivers are with the same driver level for SMB:
      • contains the MRXSMB10.sys = 6.1.7601.21767 and MRXSMB20.sys = 6.1.7601.17605

    • Generated the Cluster.log using the command "cluster log  /gen"

    00002bcc.00001eb8::2012/02/28-21:47:49.278 ERR   [QUORUM] Node 4: Failing quorum resource due to witness failure
    00002bcc.00002c90::2012/02/28-21:47:49.278 INFO  [GUM] Node 4: Processing RequestLock 4:368
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] HandleMonitorReply: FAILURENOTIFICATION for 'File Share Witness (\\\', gen(578) result 0.
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] TransitionToState(File Share Witness (\\\ Online-->ProcessingFailure.
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] rcm::RcmGroup::UpdateStateIfChanged: (Cluster Group, Online --> Failed)
    00002bcc.00001eb8::2012/02/28-21:47:49.278 ERR   [RCM] rcm::RcmResource::HandleFailure: (File Share Witness (\\\
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [QUORUM] Node 4: PostRelease for 0dd9ec96-71d1-4949-806d-7d5403ff3f6d
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] resource File Share Witness (\\\ failure count: 2, restartAction: 2.
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] Greater than restartPeriod time has elapsed since first failure, resetting failureTime and failureCount.
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] Will restart resource in 500 milliseconds.
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] TransitionToState(File Share Witness (\\\ ProcessingFailure-->[WaitingToTerminate to DelayRestartingResource].
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] rcm::RcmGroup::UpdateStateIfChanged: (Cluster Group, Failed --> Pending)
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] TransitionToState(File Share Witness (\\\ [WaitingToTerminate to DelayRestartingResource]-->[Terminating to DelayRestartingResource].
    00002284.000042a4::2012/02/28-21:47:49.278 INFO  [RES] File Share Witness <File Share Witness (\\\>: Terminating resource ...
    00002284.000042a4::2012/02/28-21:47:49.278 INFO  [RES] File Share Witness <File Share Witness (\\\>: Resource is offline.
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] HandleMonitorReply: TERMINATERESOURCE for 'File Share Witness (\\\', gen(579) result 0.
    00002bcc.00001eb8::2012/02/28-21:47:49.278 INFO  [RCM] TransitionToState(File Share Witness (\\\ [Terminating to DelayRestartingResource]-->DelayRestartingResource.
    00002bcc.00001d1c::2012/02/28-21:47:49.278 INFO  [GUM] Node 4: Processing GrantLock to 4 (sent by 6 gumid: 140952)
    00002bcc.00002c90::2012/02/28-21:47:49.278 INFO  [QUORUM] Node 4: Witness Failed Gum Handler [QUORUM] Node 4
    00002bcc.00002c90::2012/02/28-21:47:49.278 INFO  [QUORUM] Node 4: witness attach failed. next restart will happen at 2012/02/28-22:02:49.278
    00002bcc.0000238c::2012/02/28-21:47:49.278 INFO  [QUORUM] Node 4: quorum is not owned by anyone
    00002bcc.00004178::2012/02/28-21:47:49.792 INFO  [RCM] Delay-restarting File Share Witness (\\\ and any waiting dependents.
    00002bcc.00004178::2012/02/28-21:47:49.792 INFO  [RCM] TransitionToState(File Share Witness (\\\ DelayRestartingResource-->OnlineCallIssued.
    00002284.00002360::2012/02/28-21:47:49.792 INFO  [RES] File Share Witness <File Share Witness (\\\>: Beginning arbitration ...
    00002284.00002360::2012/02/28-21:47:49.792 INFO  [RES] File Share Witness <File Share Witness (\\\>: Opening file \\\\0dd9ec96-71d1-4949-806d-7d5403ff3f6d\Witness.log.
    00002284.00002360::2012/02/28-21:47:49.808 INFO  [RES] File Share Witness <File Share Witness (\\\>: Attempting to lock file \\\\0dd9ec96-71d1-4949-806d-7d5403ff3f6d\Witness.log, try 1 of 30.
    00002284.00002360::2012/02/28-21:47:49.808 INFO  [RES] File Share Witness <File Share Witness (\\\>: Succeeded in locking file \\\\0dd9ec96-71d1-4949-806d-7d5403ff3f6d\Witness.log
    00002bcc.00004178::2012/02/28-21:47:49.824 INFO  [QUORUM] Node 4: PostArbitrate => 0 for 0dd9ec96-71d1-4949-806d-7d5403ff3f6d
    00002bcc.00004178::2012/02/28-21:47:49.824 INFO  [QUORUM] Node 4 CompareAndSetWitnessTag: ignoring any existing data on witness resource.
    00002bcc.00004178::2012/02/28-21:47:49.824 INFO  [QUORUM] Node 4 CompareAndSetWitnessTag: writing witness tag 164:164:509200
    00002284.00002360::2012/02/28-21:47:49.824 INFO  [RES] File Share Witness <File Share Witness (\\\>: Writing file share witness epoch data.
    00002284.00002360::2012/02/28-21:47:49.824 INFO  [RES] File Share Witness <File Share Witness (\\\>: Wrote 88 bytes to the witness file share.
    00002bcc.00004178::2012/02/28-21:47:49.824 INFO  [QUORUM] Node 4 CompareAndSetWitnessTag: releasing witness share lock
    00002284.00002360::2012/02/28-21:47:49.824 INFO  [RES] File Share Witness <File Share Witness (\\\>: Releasing locked witness share.
    00002284.00002360::2012/02/28-21:47:49.824 INFO  [RES] File Share Witness <File Share Witness (\\\>: Bringing resource online ...
    00002284.00002360::2012/02/28-21:47:49.824 INFO  [RES] File Share Witness <File Share Witness (\\\>: Resource is online.
    00002bcc.00000c60::2012/02/28-21:47:49.824 INFO  [RCM] HandleMonitorReply: ONLINERESOURCE for 'File Share Witness (\\\', gen(579) result 0.
    00002bcc.00000c60::2012/02/28-21:47:49.824 INFO  [RCM] TransitionToState(File Share Witness (\\\ OnlineCallIssued-->Online.
    00002bcc.00000c60::2012/02/28-21:47:49.824 INFO  [RCM] rcm::RcmGroup::UpdateStateIfChanged: (Cluster Group, Pending --> Online)
    00002bcc.00000c60::2012/02/28-21:47:49.824 INFO  [QUORUM] Node 4: PostOnline for 0dd9ec96-71d1-4949-806d-7d5403ff3f6d
    00002bcc.0000238c::2012/02/28-21:47:49.824 INFO  [QUORUM] Node 4: quorum is arbitrated by node 4
    00002bcc.0000238c::2012/02/28-21:47:49.824 INFO  [QUORUM] Node 4: releasing witness lock (if held) because witness is not needed for quorum in new view.
    00002284.000029f4::2012/02/28-21:47:49.886 INFO  [RES] File Share Witness <File Share Witness (\\\>: Ignoring request to release witness share because it is not currently locked.

    • Restarted the all Servers involved for tests (Cluster nodes and File Server).
    • After rebooting new "Host Current Server" is generating the event ID 1069 and 1558
    • Checked the Links below:

    • Basically in that articles Microsoft request to update some drivers like SMB, Clussvc.exe and TCPIP.
    • Changed the Cluster parameters
    cluster /prop SameSubnetDelay=2000 (The default value is 1000 milliseconds, we could set it to 2000 milliseconds.)
    cluster /prop CrossSubnetDelay=2000

    • Installed Updates

    KB2550886 - A transient communication failure causes a Windows Server 2008 R2 failover cluster to stop working
    Clussvc.exe 6.1.7601.21772

    KB2661010 - IP packets are not routed through a Windows Server 2008 R2–based LAN router in a VLAN environment
    Fwpkclnt.sys 6.1.7601.17514
    Tcpip.sys 6.1.7601.17754

    Fwpkclnt.sys 6.1.7601.21889
    Tcpip.sys 6.1.7601.21889

    KB2616514 - Cluster service sends unnecessary registry key change notifications among cluster nodes in Windows Server 2008 or in Windows Server 2008 R2
    Clussvc.exe 6.1.7601.17730
    Clussvc.exe 6.1.7601.21867

    KB2612966 - Paged pool memory leak when you access some shared files in Windows 7 or in Windows Server 2008 R2
    Mrxsmb10.sys 6.1.7601.21819
    Mrxsmb20.sys 6.1.7601.21819


    • Installed the following updates and rebooted all DAGs and Hub (FSW Server).
    • Changed the Quorum model to Node and Majority and then go back to FSW.
    • AV exclusion contains the correct drive "X:\Witnesses"
    • Generated Cluster.log again. Getting the same issues on Cluster.log. Nothing changed so far.

    00001738.00002760::2012/03/12-22:23:21.225 ERR   [QUORUM] Node 3: Failing quorum resource due to witness failure
    00001738.00001b38::2012/03/12-22:23:21.225 INFO  [RCM] HandleMonitorReply: FAILURENOTIFICATION for 'File Share Witness (\\\', gen(7) result 0.
    00001738.00001b38::2012/03/12-22:23:21.225 ERR   [RCM] rcm::RcmResource::HandleFailure: (File Share Witness (\\\
    00002168.00002808::2012/03/12-22:23:21.771 INFO  [RES] File Share Witness <File Share Witness (\\\>: Ignoring request to release witness share because it is not currently locked.

    • Running a Validate this Cluster and everything is up, running and OK.
    • Checked Network Provider status inside regedit.
    • Our HUB Server is running under VM  technology and contains the following info:   on the fileshare witness server following value exist. "vmhgfs,RDPNP,LanmanWorkstation"  - but it doesn't impact anything. The values are correct.
    • File Share witness is on  a Virtual Machine. Checked on Microsoft technet that recommend configuration sould be use a File Server running on physical box .
    • Changed the FSW server to a physical server. (It doesn't worked).

    • Shutdown all nodes leaving just one online.
    • The last one need to be restarted to perform the FORM process.
    • After completing the reboot process turned on all others nodes.

Update: 2014/10/30 : Based on anomynous feedback the article listed below it seems to fix the problem.
I'm not able to make this test but it's important to keep the troubleshooting mindset to figure out the root cause.

    Forming a Cluster
    The first server that comes online in a cluster, either after installation or after the entire cluster has been shut down for some reason, forms the cluster. To succeed at forming a cluster, a server must:
    • Be running the Cluster service.
    • Be unable to locate any other nodes in the cluster (in other words, no other nodes can be running).
    • Acquire exclusive ownership of the quorum resource.

    • According to Microsoft this logs although being generated every 15 minutes doesn’t means Cluster impact, but so far the only way to fix is using the form procedure. The Quorum (Witness Disk) is the first resource brought online when cluster service attempts to form a cluster.

Feb 14, 2012

Activation Issue - The following Failure occurred while trying to use the product by: Code: 0x80070005 Description: Access is denied

Hello ALL,

Today I was reading some old emails with the solutions done and I would like to share another issue it happens all the time. Hope it helps.


Sometimes you may have Access Denied message when you're trying activate your Windows edition.
The message error is:

Invalid Product key
The following Failure occurred while trying to use the product by: Code: 0x80070005 Description: Access is denied.

  • Probably if you have facing an issue like this one if you try run the command (even using Administrator account) "slmgr.vbs /dlv" on the server the activation error will show you the following message:

  • For this case the best way is use one generic key to try install it and check if the Windows recognize it. After activating with that generic key we will be able to install the correct one to activate the Window properly.

        C:\Windows\System32>cscript slmgr.vbs /ipk 489J6-VHDMP-X63PK-3K798-CPX3Y
             Microsoft (R) Windows Script Host Version 5.8
             Copyright (C) Microsoft Corporation. All rights reserved.

              Error: 0x80070005 Access denied: the requested action requires elevated privileges

Actions Taken

  • When attempting to activate any type of licensing (MAK or KMS client) received the following error message to permissions issues.
  • Validated using RSOP.MSC the path "Computer Configuration/Policies/Windows Settings/Security Settings/System Services" and service "Plug and Play" has been set as "Not Defined".
  • Checked the permission within the Regedit to the following key "HKEY_USERS\S-1-5-20" and the local account 'Network Service' has Full Control permission.


  • Added to Full Control permission to the 'Everyone' account in the following folders
    • "C:\users\default\AppData\Roaming\Microsoft"
    • "C:\Windows\serviceprofiles\networkservice\appdata\roaming\microsoft"

  • Restarted the service "Software Protection" and and made Activation of Windows Server with a generic key as below:

C:\Windows\System32>cscript slmgr.vbs /ipk 489J6-VHDMP-X63PK-3K798-CPX3Y
                                     Microsoft (R) Windows Script Host Version 5.8
                                     Copyright (C) Microsoft Corporation. All rights reserved.

Installed product key 489J6-VHDMP-X63PK-3K798-CPX3Y successfully.

  • Started the "Activate Now" Wizard. Typed the correct license successfully.
  • Double check the license thru command "cscript slgmr.vbs /dlv"

C:\Windows\System32>cscript slmgr.vbs /dlv
                                    Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Software licensing service version: 6.1.7600.16385
Name: Windows Server(R), ServerEnterprise edition
Description: Windows Operating System - Windows Server(R), VOLUME_MAK_B channel
Partial Product Key: G7X78
License Status: Licensed
Remaining Windows rearm count: 3


  • This issue was related to insufficient permissions on the folders mentioned above.

User unable to connect to OCS because token size was too large

Hello ALL,

A small issue that occurred and I'd like to share. Simple but sometimes you need to read.


A user was unable to connect to OCS with Office Communicator.


 Error message was: Cannot sign in to Communicator. You may have entered your sign-in address, user name incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator.

System Event log entry was:

The kerberos SSPI package generated an output token of size 12175 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 6492.

The output SSPI token being too large is probably the result of the user blablabla@mpc.local being a member of a large number of groups.

It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.

Reduce the number of groups to which the user belongs.

Explanation: The user is not able to authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size. Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original released version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Microsoft Windows Server 2003 and and still remains in Windows 7 and Windows 2008 R2, the MaxTokenSize value is 12,000 bytes.

If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. As a result, users cannot authenticate, and they may receive an "out of memory" error message.

This is why the default value is not a hard limit, the maximum recommended configuration is 65535 bytes or 64k. It is recommended that you do not set the MaxTokenSize greater than 65535 bytes or 64k. If you set the MaxTokenSize greater than 65535 bytes applications using Kerberos authentication could potentially fail.

If you want the another solution for this same case is change the MaxTokenSize.

Articles Related

New resolution for problems with Kerberos authentication when users belong to many groups

MaxTokenSize and Kerberos Token Bloat

Feb 13, 2012

An SMB share is displayed incorrectly as an NFS share

Hello ALL,
I was reading some old emails and I'd like to share one more case that I worked. It was an interesting case where we have 2 scenario and 2 separates solution. Unfortunately one hasn’t solution found.
Let's go!

We have a Windows Server running 'Client for NFS' (Windows 2K8R2 SP1) and a File Server running UNIX OS (NFS). When some user log onto Windows Server the end user needs to map the Unix File Shared using one letter. When that end user select the option for map an UNIX NFS server with the "Reconnect at logon" the message below is displayed if tries use the mapped drive letter after logoff/logon is done.
"Z:\ is not accessible. The filename, directory name, or volume label syntax is incorrect".

Actions and Solution PART I

  • First action is use the article KB2025723 to review the Security Option.
    • Client for NFS on Windows 2008 R2 does not work properly

  • The resolution is to select only sys option and reboot the system.


  • After that you should deploy the KB2485529 to fix the error message "Z:\ is not accessible. The filename, directory name, or volume label syntax is incorrect" and for best practices update the Windows Server with the KB2580164.
  • Now we have fix the error message and the drive Z:\ can be accessible.

  • Now the interesting part ... After logoff and logon the mapped drivers (Z:) is working however just if we click again in Explorer Window on the drive letter Z:\
  • Now we see after logon the driver letter is being displayed with Red Cross. "X"

  • Event Viewer

Event 16397, NfsClnt

General Details

Windows(R) Lightweight DirectoryAccess Protocol (LDAP) failed a request to connect to Active Directory Domain Services(R) for Windows user< BLABLA\XYZ.ABC>.

Without the corresponding UNIX identity of the Windows user, the user cannot access Network File System (NFS) shared resources.

Verify that the Windows user is in Active Directory Domain Services and has access permissions.

Windows NFS client is known not to handle multiple path NFS shares. The issue is by design and comes when the client is mounting an NFS share which is more than 26 characters in length.
Users would be able to access the NFS shares after mounting it to a drive letter but a red X (disconnected) sign would be there on the mounted volume. The NFS mounted drives will be in connected state even if UI shows disconnect.
The recommendation would be to have a single path nfs share like “\\servername\sharename” or a multipath NFS share having less than 25 characters.

  • In that case the number of characters was 20.
  • No more actions to do. This is by design.

Solution PART II

NFS share are session specific and are not persistent mount. Even if we check the persistent mapping option while doing a Map network driver or put the parameter persistent=yes with the mount command.
Unlike CIFS shares where the drive mapping is persistent, NFS is not. So once the user logs off and logs back in, he will see the disconnected sign on the drive. The same observation would be there, if he runs the mount command from the cmd.
This is a known behavior.
Hope it helps!

Feb 10, 2012

Risks and Best Practices related to the introduction of the first Win2K8 DC in a Win2K3 Forest

Hello ALL,

Sometimes you think ... "Hey it's too easy to install a Windows Server and upgrade it or too easy is add a new domain controller", but sometimes you really need to take care of small things you cannot imagine it will impact you.

Let's starting think about this scenario:

The first DC running Windows Server 2008 R2 was added in the forest which has the side-effect of stamping the isrecycled attribute on live objects AND deleted objects that reside in the deleted objects container, including objects that are @ the cusp of TSL expiration and about to be garbage collected. This update triggers an outbound replication event to replica DCs hosting common partitions.

NTDS Replication Event 1988 is logged on strict mode destination DCs that received a request to inbound replicate an update to an object from the source DC cited in the event that the destination DC has already seen, deleted and garbage collected.

This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database.  This replication attempt has been blocked.

" The best solution to this problem is to identify and remove all lingering objects in the forest."


The problem occurs when introduction of the First Windows Server 2008 R2 DC outbound replicates updates objects deleted (@ the cusp of) TSL # of days in the past to strict mode destination DCs that have independently garbage collected the deleted objects

An up-to 12 hour "race condition" exists that can block AD replication when source DCs that have not yet garbage collected objects deleted at the cusp of TSL expiration outbound replicate IsRecycled stamps to strict mode destination domain controllers that have seen, deleted and garbage collected those same objects.

There is a known issue when you add your first Windows 2008 R2 domain controller in an Active Directory forest. It is caused by the Active Directory Recycle Bin feature, which requires updating all Active Directory objects to fill the new attribute named isRecycled even if this feature is not enabled.

When this DC is added, it will update the objects to set the isRecycled attribute. This attribute change has to be replicated to other DCs. As the objects deleted about Tombstone_Lifetime days earlier may have already been garbage collected on the target DCs, this update will concern a non-existing object. This scenario is the lingering object one, and its effect is to block replication (if strict replication is configured) until this lingering object is removed.

In this case, this situation will disappear after a maximum of 12 hours, the interval between to execution of the garbage collection.


Wait up to 12 hours for all domain controllers logging the NTDS Replication 1988 event to garbage collect lingering object


Accelerate the execution of garbage collection on DCs that have yet to garbage collect objects deleted TSL # of days in the past on the source DCs referenced in the 1988 events using the ROOTDSE "DoGarbageCollection control.

  1. In Ldp.exe, when you click Browse on the Modify menu, leave the Distinguished name box empty.
  2. In the Edit Entry Attribute box, type "DoGarbageCollection" (without the quotation marks),
  3. In the Values box, type "1" (without the quotation marks).
  4. Set the Operation value set to Add and click the Enter button, and then click Run.


Increase the garbage collection interval prior to the introduction prior to the introduction of the 1st Win2K8 R2 DC.

The garbage collection interval can be configured by entering a value in the garbageCollPeriod attribute at:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=forest,DC=root
                           Default - 12 hours
                           Minimum - 1 hour
                           Maximum - Not documented.

Articles Related


Enable Strict Replication Consistency

Troubleshooting Active Directory operations that fail with error 8606 Insufficient attributes were given to create an object

Event ID 1988 Logged in Directory Service Log after Schema Update

Problems with introducing a new Windows Server 2008 DC into a Windows 2003 forest