FIX: ipconfig /registerdns results in RPC server unavailable error


A new Windows 2003 R2 server was not automatically registering itself in DNS despite having “Register this connection’s addresses in DNS” selected.

Performing an ipconfig /registerdns resulted in a “RPC server unavailable” error message.
 
The solution was to temporarily enable the DHCP Client service, which we disable as a part of our server build process.  Once the server was registered in DNS we disabled the DHCP Client service again.

Find Windows system uptime from the command line


Here’s a quick and easy way of checking how long a Windows server or workstation has been up, via the command line.  It pipes the results of Net Statistics Workstation into find.  Run the following from a command prompt:

net statistics workstation | find /i "statistics since"

The results will look like

Statistics since 8/12/2009 11:08 PM

Which shows the machine has been up since 11:08pm on August 12, 2009.

Fix: The IP address you have entered for this network adapter is already assigned to another adapter that is hidden from the Network Connections folder because it is not physically in the computer


I brought up a snapshot of a Windows Server 2003 R2 guest today and could not login to the domain.  After further review I found the server had lost its static TCP/IP settings – both NICs were set to DHCP (they had previously been statically set).  When I attempted to add the TCP/IP addresses back to the NICs, I received the following error message:

 
“The IP address you have entered for this network adapter is already assigned to another adapter “Fast Ethernet Adapter #2”. “Fast Ethernet Adapter #2” is hidden from the Network Connections folder because it is not physically in the computer. If the same address is assigned to both adapters and they both become active, only one of them will use this address. This may result in incorrect system configuration. Do you want to enter a different IP address for this adapter in the list of IP addresses in the Advanced dialog box?”
 
Solutions – KB825826 outlines several potential fixes.  I ended up using Method #6 to remove the hidden network adapter.  To uninstall the ghosted network adapter from the registry, complete these steps:
  1. Click Start, click Run, type cmd.exe, and then press ENTER.
  2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
  3. Type Start DEVMGMT.MSC, and then press ENTER.
  4. Click View, and then click Show Hidden Devices.
  5. Expand the Network adapters tree.
  6. Right-click the dimmed network adapter, and then click Uninstall.
Next I configured the static IP on the NIC, and regained network connectivity.  A reboot was required in my case, only because services dependent on domain availability did not automatically start up.

Howto: Delegate the enable/disable accounts permission in Active Directory


To delegate the ability to enable and disable user accounts in Active Directory:

  1. Launch Active Directory Users and Computers with administrative credentials
  2. Right click on the OU where you want to delegate the ability to enable and disable user accounts
  3. Select the Active Directory security group that you want to delegate the ability to and press Next
  4. Select Create Custom Task to Delegate and press Next
  5. Under Delegate Control Of select the Only the following objects in the folder radio button
  6. Select the User objects check box and press Next
  7. Under Show these permissions uncheck General and select Property-specific
  8. Select the Read userAccountControl and Write userAccountControl check boxes and press Next and Finish
 
You’ve now delegated the ability to enable and disable AD user accounts to a security group.
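
The result of this delegation can be reviewed from PowerShell. The following added example (not part of the original post) lists the allow ACEs on an OU that let a principal write userAccountControl on user objects; that write permission covers every flag stored in the attribute, not only the disabled bit, so it is worth knowing who holds it. It assumes the ActiveDirectory module (RSAT) is installed; the function name and the OU distinguished name are placeholders.

```powershell
# Added example: who can write userAccountControl on user objects under an OU?
Import-Module ActiveDirectory

function Get-UacWriteDelegation {
    param([Parameter(Mandatory = $true)][string]$OrganizationalUnitDN)

    # Schema GUIDs an ACE can be scoped to.
    $uacAttr    = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'  # userAccountControl attribute
    $uacPropSet = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # User-Account-Restrictions property set (contains userAccountControl)
    $userClass  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
    $any        = [guid]::Empty                                  # ACE is not limited by GUID
    $write      = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    (Get-Acl -Path "AD:\$OrganizationalUnitDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        # WriteProperty is also set inside GenericWrite and GenericAll.
        (([int]$_.ActiveDirectoryRights -band $write) -ne 0) -and
        # The ACE must flow down to child objects, not apply to the OU alone.
        ($_.InheritanceType -ne 'None') -and
        # Property scope: this attribute, its property set, or all properties.
        (($uacAttr, $uacPropSet, $any) -contains $_.ObjectType) -and
        # Object scope: user objects, or every child object class.
        (($userClass, $any) -contains $_.InheritedObjectType)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ Name = 'PropertyScope'; Expression = {
            if     ($_.ObjectType -eq $uacAttr)    { 'userAccountControl only' }
            elseif ($_.ObjectType -eq $uacPropSet) { 'User-Account-Restrictions property set' }
            else                                   { 'all properties' }
        } }
}

# Placeholder OU; replace with the OU where control was delegated.
Get-UacWriteDelegation -OrganizationalUnitDN 'OU=Staff,DC=example,DC=com' |
    Sort-Object PropertyScope, IdentityReference |
    Format-Table -AutoSize
```

Rows with IsInherited set to True come from an ACL higher in the tree rather than from a delegation made on this OU.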
 

Access is denied when attempting to view or restore Volume Shadow Copy contents


I set up our help desk users to be able to restore documents using Microsoft’s Volume Shadow Copy client on remote servers yesterday.  Everything worked just fine for me as an administrator, and for users who owned the files, but it didn’t work for the help desk folks.  I found out they didn’t have NTFS rights to the files and folders, so I assumed all I had to do was assign them change permissions, and they’d be able to do the restore.

I made the permission change, but when the help desk folks tried to view the contents of the shadow copy snapshots they received “Access Denied” errors.  I had them confirm they could UNC to the location where the snapshots were located, and they could create and delete files there.

After much Googling didn’t provide many troubleshooting ideas, I decided to manually create a snapshot of the same volume.  I had them test again, and they were able to view the snapshot’s contents and restore files.  The underlying cause was that the help desk group didn’t have permissions to the original snapshot, so they couldn’t see the files to restore them.  Hope this helps someone else out.

Fix: Userenv event 1521 and Userenv 1511 errors in Windows Server 2003 Application log


The following events were listed in the Windows 2003 event log when one of our second level help desk staff connected to the server console via RDP:

Event 1521 Source Userenv 

Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.   

DETAIL – The network name cannot be found.
 
Event 1511 Source Userenv
 
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
 
The solution, as outlined in KB941339, is to delete the SID entries for the source user account from the following registry subkey:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
 
To determine the user’s SID, save the script found at
as a .vbs file.  
 
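' Query WMI on the local computer ("." means this machine).
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Look up the account by name and domain, then print its SID.
Set objAccount = objWMIService.Get _
    ("Win32_UserAccount.Name='kenmyer',Domain='fabrikam'")
Wscript.Echo objAccount.SID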
 
In Win32_UserAccount.Name='kenmyer',Domain='fabrikam', change kenmyer and fabrikam to the user account in question and your domain name.

I saved the script as getsid.vbs.  Open a command prompt, and execute the script using cscript:

cscript.exe getsid.vbs

The script will display the SID associated with the user account specified.  Delete the entry for this SID from:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

to correct the Userenv errors.
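
The same lookup and cleanup can be done in PowerShell with a backup taken before anything is deleted. This is an added example, not the KB article's or the original post's script; the function names are hypothetical, and fabrikam and kenmyer are the sample values used above.

```powershell
# Added example: resolve an account to its SID, then export and remove the
# matching ProfileList subkey. Run from an elevated prompt on the affected server.
function Get-AccountSid {
    param([Parameter(Mandatory = $true)][string]$Domain,
          [Parameter(Mandatory = $true)][string]$Name)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    # Translate() throws IdentityNotMappedException if the account cannot be resolved.
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Remove-ProfileListEntry {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Sid,
          [string]$BackupDir = $env:TEMP)

    $regKey = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid"
    $psKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid"
    if (-not (Test-Path -LiteralPath $psKey)) {
        Write-Warning "No ProfileList entry found for $Sid"
        return
    }

    # Show which profile directory the entry points at before touching it.
    $profilePath = (Get-ItemProperty -LiteralPath $psKey).ProfileImagePath
    Write-Verbose "ProfileImagePath for ${Sid}: $profilePath"

    if ($PSCmdlet.ShouldProcess($psKey, 'Export to .reg file and delete')) {
        # Timestamped name so an earlier backup is never overwritten.
        $stamp  = Get-Date -Format 'yyyyMMddHHmmss'
        $backup = Join-Path $BackupDir "ProfileList-$Sid-$stamp.reg"
        & reg.exe export $regKey $backup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; nothing was deleted." }
        Remove-Item -LiteralPath $psKey -Recurse
        "Deleted $psKey (backup saved to $backup)"
    }
}

$sid = Get-AccountSid -Domain 'fabrikam' -Name 'kenmyer'
# -WhatIf reports what would be removed; drop it to perform the change.
Remove-ProfileListEntry -Sid $sid -Verbose -WhatIf
```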

Howto: Do not display the name of the user who has locked a Windows computer or server


Normally when a Windows workstation or server is locked, you’ll see something similar to the following Windows Security message:  

This computer is in use and has been locked.
 
Only DOMAIN\USER (user name) or an administrator can unlock this computer.
 
To not show the name of the user who has locked a computer, the following can be defined in a workstation-level GPO:
 
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked.
 
There are three choices if you enable this policy:
 
  • User display name, domain and user names (default setting)
  • User display name only
  • Do not display user information
 
Besides being able to apply this to Active Directory GPOs, this setting appears in the local security policy on my Windows XP SP3 VM.  The setting is not available on my XP SP2 laptop, but I see from KB837022 that there is a hotfix that corrects this problem in XP SP2.


Alternatively, the following DWORD can be created in the registry of XP SP2, Windows Vista, and Windows Server 2008 machines to accomplish the same thing:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DontDisplayLockedUserId
 
User display name, domain and user names = 1
User display name only = 2
Do not display user information = 3
 
You need to restart the machine for the change to take effect.
 
You may also be interested in the related Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name setting. This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.

If this policy is enabled, the name of the last user to successfully log on is not displayed in the Log On to Windows dialog box.  If this policy is disabled, the name of the last user to log on is displayed.