Solving Event Log Subscription Error "0x138C"

Today I saw some collector-initiated event log subscriptions that displayed a weird error, something like

Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to ...
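
As an added example (not code from the original post), this is the check the error text asks for: pull every channel name out of a subscription query and confirm that each one exists and is enabled on the source. The query is constructed for the example and includes a misspelled channel to show the failing case; the source name is a placeholder. Get-WinEvent runs as the user you are logged in as, so a success here proves the channel exists but not that the collector's machine account can read it.

```powershell
# Added example, not from the original post. Source name and query are placeholders.
$Source = 'SRV01'
$Query  = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
    <Select Path="Microsoft-Windows-PowerShel/Operational">*</Select>   <!-- constructed typo -->
  </Query>
</QueryList>
'@

function Get-QueryChannel {
    # Every channel a query touches appears in a Path attribute (on Query, Select or Suppress).
    param([Parameter(Mandatory)][string]$QueryXml)
    [xml]$q = $QueryXml
    $q.SelectNodes('//@Path') | ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Test-SourceChannel {
    # Ask the source for each channel's configuration. A missing channel or an access-denied
    # error lands in the Error column; a channel that exists but is disabled never yields events.
    param([Parameter(Mandatory)][string[]]$Channel,
          [Parameter(Mandatory)][string]$ComputerName)
    foreach ($c in $Channel) {
        try {
            $log = Get-WinEvent -ListLog $c -ComputerName $ComputerName -ErrorAction Stop
            [pscustomobject]@{ Channel = $c; Exists = $true;  Enabled = $log.IsEnabled; Error = $null }
        } catch {
            [pscustomobject]@{ Channel = $c; Exists = $false; Enabled = $false; Error = $_.Exception.Message }
        }
    }
}

# To check an existing subscription instead of a literal query, read it back from the collector:
#   [xml]$sub = (wecutil gs <SubscriptionId> /f:xml) -join "`n"
#   $Query = $sub.GetElementsByTagName('Query')[0].InnerText
Test-SourceChannel -Channel (Get-QueryChannel $Query) -ComputerName $Source | Format-Table -AutoSize
```

Run it from the collector against one source at a time; a row with Exists=false or Enabled=false is the channel the subscription chokes on.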

Group Policy Security Filtering and Loopback

I recently discovered that when applying a GP object using loopback and user security filtering (allowing only specific users to apply the GP), the computer still needs read access to the GP.

Otherwise, the GP will show up as not applied due to it being "inaccessible":

My guess is that ...

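
An added example (not from the original post) of the check and the fix: list who can read the GPO, then give the computers that process the loopback policy Read without Apply, so the user-side security filtering stays intact. The same requirement applies to every GPO with user settings since MS16-072, which made user policy get retrieved in the computer's security context. It needs the GroupPolicy module from RSAT; the GPO and group names are placeholders.

```powershell
# Added example, not from the original post. GPO and group names are placeholders.
Import-Module GroupPolicy

function Get-GpoReadAccess {
    # Every trustee on the GPO and its level. GpoApply implies read; GpoRead is read only.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.SidType } },
                      Permission, Denied
}

function Grant-GpoComputerRead {
    # Read only: the computer must be able to fetch the GPO to evaluate the user-side
    # filtering under loopback, but must not Apply the user settings itself.
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$ComputerGroup)
    $already = Get-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group -ErrorAction SilentlyContinue
    if ($already -and $already.Permission -ne 'None') {
        "$ComputerGroup already has $($already.Permission) on $GpoName"
        return
    }
    Set-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group -PermissionLevel GpoRead
}

# Usage: audit, then fix the loopback GPO for the terminal server computers
Get-GpoReadAccess -GpoName 'TS Loopback - Helpdesk Users' | Format-Table -AutoSize
Grant-GpoComputerRead -GpoName 'TS Loopback - Helpdesk Users' -ComputerGroup 'Terminal Servers'
```

If the audit shows only the filtered user group with GpoApply and no computer principal at all, that is exactly the "inaccessible" case: Authenticated Users was removed to do the user filtering, and nothing was put back for the machines.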

Mass Setting Permissions on Remote Shares

I was recently asked by one of my teammates to add several NTFS permissions to the root folders of a bunch of shares. Seems easy, but I had two problems:

  1. The shares were stored on a NetApp Filer, so I couldn't use any WMI trickery (or the new SMB ...
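
An added example (not from the original post) of the approach that sidesteps WMI entirely: open each share root over SMB with Get-Acl, append the ACEs, and write the DACL back with Set-Acl. This works against a NetApp CIFS share because the ACL round-trips through the SMB session rather than any Windows-specific management interface; the account running it needs Change Permissions (WRITE_DAC) on each root. Filer, share and group names are placeholders and the share list is constructed.

```powershell
# Added example, not from the original post. Filer, shares and trustees are placeholders.
$Filer  = 'filer01'
$Shares = 'projects', 'finance', 'hr'      # constructed list of share names on the filer

# Inherit to subfolders (ContainerInherit) and files (ObjectInherit), so the new ACEs
# behave like ones added through the Explorer security tab on the root folder.
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\Backup-Operators', 'ReadAndExecute', $Inherit, 'None', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\Share-Admins',     'Modify',         $Inherit, 'None', 'Allow')
)

function Add-ShareRootAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Server,
          [Parameter(Mandatory)][string[]]$ShareName,
          [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule[]]$Rule)

    foreach ($share in $ShareName) {
        $path = "\\$Server\$share"
        try {
            $acl    = Get-Acl -LiteralPath $path -ErrorAction Stop
            $before = $acl.Access.Count
            foreach ($r in $Rule) { $acl.AddAccessRule($r) }    # merges; existing ACEs are kept
            if ($PSCmdlet.ShouldProcess($path, "Add $($acl.Access.Count - $before) ACE(s)")) {
                Set-Acl -LiteralPath $path -AclObject $acl -ErrorAction Stop
            }
            [pscustomobject]@{ Path = $path; Result = 'ok' }
        } catch {
            # Typical failures: the share does not exist, or no WRITE_DAC on the root
            [pscustomobject]@{ Path = $path; Result = $_.Exception.Message }
        }
    }
}

# Dry run first, then apply
Add-ShareRootAce -Server $Filer -ShareName $Shares -Rule $Rules -WhatIf
Add-ShareRootAce -Server $Filer -ShareName $Shares -Rule $Rules | Format-Table -AutoSize
```

Only the DACL section is modified, so Set-Acl does not attempt to rewrite the owner, which is the usual reason a remote Set-Acl fails with an "unauthorized operation" error.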

Brute Force Guessing for User Passwords

Our security team complained to me that they found a lot of users with trivial passwords simply by trying to log in as them.
They asked me to write them a script to speed up the process, so I wrote them my brute force guessing script.
It's not very ...

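
An added example, not the author's script: a lockout-aware version of the same idea. Each guess is a real logon through PrincipalContext.ValidateCredentials, so the DCs record it like any other failed logon, and the number of guesses per account is capped below the domain lockout threshold after subtracting the account's current bad-password count. It needs the ActiveDirectory module; the domain name and the guess list are placeholders.

```powershell
# Added example, not the author's script. Domain, OU and guess list are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$Domain  = 'contoso.local'
$Guesses = 'Password1', 'Welcome1', 'Summer2012', '123456'   # constructed; use what your help desk hands out

function Test-TrivialPassword {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$SamAccountName,
          [Parameter(Mandatory)][string[]]$Password,
          [Parameter(Mandatory)][string]$DomainName)

    $policy = Get-ADDefaultDomainPasswordPolicy
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $DomainName)

    foreach ($sam in $SamAccountName) {
        # badPwdCount is per-DC and not replicated; it is read from the DC the module talks to.
        # The margin of 2 leaves room for the user's own typo while the audit runs.
        $u = Get-ADUser -Identity $sam -Properties badPwdCount, LockedOut, Enabled
        if (-not $u.Enabled -or $u.LockedOut) { continue }
        $budget = if ($policy.LockoutThreshold -eq 0) { $Password.Count }
                  else { $policy.LockoutThreshold - 2 - $u.badPwdCount }
        if ($budget -lt 1) {
            Write-Warning "$sam : no safe attempts left (badPwdCount=$($u.badPwdCount))"
            continue
        }

        $found = $null
        foreach ($pw in $Password | Select-Object -First $budget) {
            # A bind as the user: a correct password resets badPwdCount, a wrong one increments it.
            if ($ctx.ValidateCredentials($sam, $pw)) { $found = $pw; break }
        }
        [pscustomobject]@{ SamAccountName = $sam; Weak = [bool]$found; Password = $found }
    }
    $ctx.Dispose()
}

# Usage: every enabled user in an OU, report only the hits
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Staff,DC=contoso,DC=local' |
         Select-Object -ExpandProperty SamAccountName
Test-TrivialPassword -SamAccountName $users -Password $Guesses -DomainName $Domain | Where-Object Weak
```

Keep the guess list short and specific to your organisation; the lockout budget, not the list length, decides how much of it gets tried per account.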

Windows Event Collection

I've recently implemented an enterprise-wide solution of event collection in our organization, using Windows' built-in mechanism called the Windows Event Collector.
This mechanism lets you collect events from computers running Windows NT5+ (XP/Server 2003 and later) on a collector running Windows NT6+ (Vista/Server 2008 and later). The only ...

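
An added example (not the author's configuration) of the pieces a collector-initiated setup needs: the subscription definition, the one-time preparation of the collector and the sources, and the status check. It assumes the collector's computer account will read the logs (CredentialsType Default), which is why that account goes into the source's local Event Log Readers group; hostnames and the subscription name are placeholders.

```powershell
# Added example, not the author's configuration. Hostnames and subscription name are placeholders.
$Sources = 'SRV01.contoso.local', 'SRV02.contoso.local'

# --- one-time, on the collector: enable and configure the Windows Event Collector service ---
#   wecutil qc /q
# --- one-time, on each source: WinRM listener plus read access for the collector's machine account ---
#   winrm quickconfig -q
#   net localgroup "Event Log Readers" CONTOSO\COLLECTOR01$ /add

# Collector-initiated: the collector holds the source list and pulls over WinRM.
$eventSources = ($Sources | ForEach-Object { "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Logons-CI</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon success/failure from member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$eventSources
  </EventSources>
</Subscription>
"@

$file = Join-Path $env:TEMP 'Logons-CI.xml'
Set-Content -Path $file -Value $subscription -Encoding UTF8
wecutil cs $file          # create; fails if a subscription with that Id already exists
wecutil gr Logons-CI      # runtime status: one line per source (Active, Disabled, or the last error)
```

ConfigurationMode Normal is the conservative default (batches of events, 15-minute maximum latency); switch to MinLatency for security events you want within seconds, at the cost of more WinRM traffic.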

Remotely Viewing Machine Certificates With Minimal Permissions

We've started remotely monitoring our certificate stores on critical servers, and wanted the monitoring software to be able to remotely connect to our servers' personal certificate stores.
I quickly found a script to enumerate all certificates in a specific store on a remote computer:

function Get-Cert( $computer=$env:computername ...
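
An added example, not the script the post found: it opens the remote machine's store read-only through the X509Store class, which for a `\\computer\store` name goes through the Remote Registry service. That is what keeps the permission footprint small: the monitoring account needs only Remote Registry access and read on HKLM\SOFTWARE\Microsoft\SystemCertificates on the target, not local logon or admin rights. Server names and the warning window are placeholders.

```powershell
# Added example, not the post's script. Server names and the warning window are placeholders.
function Get-RemoteCertificate {
    # Enumerates a machine store on each server read-only; private keys are not reachable this way.
    param([Parameter(Mandatory)][string[]]$ComputerName,
          [string]$StoreName = 'My',
          [int]$WarnDays = 30)

    foreach ($c in $ComputerName) {
        # "\\server\My" with LocalMachine maps to HKLM\SOFTWARE\Microsoft\SystemCertificates\My on the remote host
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$c\$StoreName", 'LocalMachine')
        try {
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly')
            foreach ($cert in $store.Certificates) {
                $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
                [pscustomobject]@{
                    Computer   = $c
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    DaysLeft   = $days
                    Expiring   = $days -lt $WarnDays
                    SelfSigned = $cert.Subject -eq $cert.Issuer
                }
            }
        } catch {
            # Typical causes: Remote Registry service stopped, no read on the SystemCertificates key, firewall
            Write-Warning "$c : $($_.Exception.Message)"
        } finally {
            $store.Close()
        }
    }
}

# Usage: only what needs attention
Get-RemoteCertificate -ComputerName 'web01', 'web02' |
    Where-Object Expiring |
    Format-Table Computer, Subject, NotAfter, DaysLeft, SelfSigned -AutoSize
```

OpenExistingOnly makes a misspelled or missing store an error instead of silently returning an empty list, which is the failure mode you want a monitor to notice.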

Active Directory's Object Specific ACEs and PowerShell

I recently looked into handing out AD permissions through PowerShell scripts, and found that setting object-specific ACEs is not trivial to script.
Active Directory ACEs (access control entries) differ from regular ACEs (NTFS, for example) because they can be used to grant permissions only on ...

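
An added example (not from the original post) of one such ACE: granting a help-desk group the Reset Password extended right on user objects under an OU, and nothing else. The two GUIDs that make the ACE object-specific are looked up from the directory rather than hard-coded: the rightsGuid of the extended right from the Extended-Rights container, and the schemaIDGUID of the user class from the schema. It needs the ActiveDirectory module (for the AD: drive); the OU and group names are placeholders.

```powershell
# Added example, not from the original post. OU and group names are placeholders.
Import-Module ActiveDirectory

function Get-ExtendedRightGuid {
    # ObjectType for an extended right is its rightsGuid, e.g. displayName "Reset Password"
    param([Parameter(Mandatory)][string]$DisplayName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $r) { throw "Extended right '$DisplayName' not found" }
    [guid]$r.rightsGuid
}

function Get-SchemaClassGuid {
    # InheritedObjectType limits the ACE to one object class, identified by schemaIDGUID (a byte array)
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $o = Get-ADObject -SearchBase $schema -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" -Properties schemaIDGUID
    if (-not $o) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]$o.schemaIDGUID
}

function Grant-ResetPasswordRight {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$OuDn,
          [Parameter(Mandatory)][string]$GroupName)

    $sid = (Get-ADGroup -Identity $GroupName).SID
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-ExtendedRightGuid 'Reset Password'),                              # ObjectType: which right
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaClassGuid 'user')                                           # InheritedObjectType: on which class
    )

    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    if ($PSCmdlet.ShouldProcess($OuDn, "Grant Reset Password on user objects to $GroupName")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage, then read back only the ACEs that carry an ObjectType (the object-specific ones)
Grant-ResetPasswordRight -OuDn 'OU=Staff,DC=contoso,DC=local' -GroupName 'Helpdesk-PasswordReset'
(Get-Acl -Path 'AD:\OU=Staff,DC=contoso,DC=local').Access |
    Where-Object { $_.ObjectType -ne [guid]::Empty } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Leaving either GUID empty widens the grant: an empty ObjectType means every extended right, and an empty InheritedObjectType means every object class under the OU, including computers and groups.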

Enabling Remote Desktop Remotely

According to this Technet article, to enable Remote Desktop remotely through the registry you need to set the value

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server:fDenyTSConnections=0

and then reboot the server.
Rebooting is actually unnecessary - you can just restart the TermService service.
If you'd like to script ...

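
An added example (not from the original post) that makes the registry change and restarts the service from the admin workstation without needing WinRM on the target, then tests whether port 3389 answers. The check is there because the registry value alone does not open the Windows Firewall: if the port stays closed after the restart, the built-in "Remote Desktop" rule group still has to be enabled on the target. Restarting TermService drops any RDP session already on that host. The computer name is a placeholder; Get-Service -ComputerName exists in Windows PowerShell 5.1 but not in PowerShell 7.

```powershell
# Added example, not from the original post. Computer name is a placeholder.
function Enable-RemoteDesktop {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ComputerName)

    # 1. Flip fDenyTSConnections through the Remote Registry service (needs admin on the target)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server', $true)
    try {
        $current = $key.GetValue('fDenyTSConnections')
        if ($current -ne 0 -and $PSCmdlet.ShouldProcess($ComputerName, 'Set fDenyTSConnections=0')) {
            $key.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $after = $key.GetValue('fDenyTSConnections')
    } finally {
        $key.Close(); $base.Close()
    }

    # 2. Restart TermService instead of rebooting; the ServiceController is bound to the remote host
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Restart TermService')) {
        Get-Service -Name TermService -ComputerName $ComputerName | Restart-Service -Force
    }

    # 3. Verify: does 3389 answer? If not, the "Remote Desktop" firewall rule group is the usual culprit
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $listening = $tcp.ConnectAsync($ComputerName, 3389).Wait(3000) -and $tcp.Connected
    } catch {
        $listening = $false
    } finally {
        $tcp.Close()
    }

    $note = if ($listening) { 'ok' } else { 'enable the "Remote Desktop" firewall rule group on the target' }
    [pscustomobject]@{
        ComputerName       = $ComputerName
        fDenyTSConnections = $after
        Port3389Open       = $listening
        Note               = $note
    }
}

Enable-RemoteDesktop -ComputerName 'SRV01'
```

Run it with -WhatIf first to see both actions without touching the host; the port test still runs and tells you whether RDP was already reachable.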


Vanishing permissions on AD objects

I recently managed to solve a problem that bugged me for about a year - permissions on a specific group in AD would vanish, and the change wouldn't show up in the security log of any DC (as an audit success).

The Story

We've made groups for our helpdesk teams, and ...
