How to set Group Policy "Turn Off Automatic Root Certificates Update" via Registry/PowerShell? - powershell

I need to disable the following group policy in Windows 7 programmatically, for example by modifying a registry key using PowerShell:
"Turn Off Automatic Root Certificates Update"
Does anybody know which registry key needs to be set or unset in order to make this work?

I had a similar issue when I was creating an application that communicated with a server over HTTPS using two-way SSL.
This was causing a delay of a full minute when the initial request was made.
It ran in WinPE, where hand-clicking through the Local Group Policy Editor was not an option.
There also is no way I am aware of to register a root authority in this environment, and it is running in an incredibly restricted environment, so it cannot access Windows Update (not that it would find our corporate CA there anyway).
The registry value you are looking for is
HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot
DWORD DisableRootAutoUpdate = 1
Source: http://www.group-policy.com/ref/policy/452/Turn_off_Automatic_Root_Certificates_Update
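The registry value named in the answer above, wrapped in a script that reads the current state, writes the DWORD and reads it back. This is an added example, not code from the original answer; the function names, the `-Disable` parameter and the console messages are my own. Run it in an elevated PowerShell session. Note that "Enabled" in the Group Policy editor corresponds to the value 1 here (updates are turned off), and that a machine with this value set will no longer receive new trusted roots or the removal of distrusted ones through the automatic mechanism, so the change should be deliberate and reversible.

```powershell
# Added example (not from the original answer): read, set and undo the
# "Turn off Automatic Root Certificates Update" policy via its registry value.
# Requires an elevated session. Function names and messages are my choices.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$ValueName = 'DisableRootAutoUpdate'

function Get-RootAutoUpdateState {
    # Returns 'Disabled' when the policy value is 1, otherwise 'Enabled'
    # (the default when the value is missing or 0).
    $v = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($v -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Set-RootAutoUpdate {
    param([Parameter(Mandatory)][bool]$Disable)
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null   # create the policy key if absent
    }
    if ($Disable) {
        # Equivalent to "Enabled" in gpedit: DWORD DisableRootAutoUpdate = 1
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
    } else {
        # Removing the value returns the machine to the "Not configured" state.
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    }
    Get-RootAutoUpdateState
}

"Before: $(Get-RootAutoUpdateState)"
Set-RootAutoUpdate -Disable $true | ForEach-Object { "After:  $_" }
```

Because this writes to the Policies hive, a domain Group Policy that configures the same setting will overwrite the value at the next policy refresh, which is the behaviour described further down in this thread; `gpresult /scope computer /v` shows whether such a domain setting is being applied.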

To turn off Automatic Root Certificates Update via Local Group Policy Editor:
Click Start, and then click Run.
Type gpedit.msc, and then click OK.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Under Computer Configuration, double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
Close the Local Group Policy Editor.

Domain policies override local settings. That's how they're supposed to work (they'd be rather useless otherwise). If you want the policy disabled, disable or remove the policy in Group Policy Management or remove the computer from the domain.

Related

how can i edit something in gpedit.msc with cmd/batchscript

My main problem is I am facing the problem ->
when I am trying to execute my exe file (which I wrote and compiled in C using GCC). I have found the solution, and the solution is to change some of the settings under gpedit.msc
run -> gpedit.msc -> computer configuration -> windows settings -> security settings ->
local policies -> security options
There are multiple files. I just want to edit files whose name starts with "User Account Control: "
Either I want to enable or disable them. How can I do that programmatically using a cmd/batch script?
Till now I have found secedit, but that does not edit the values. Link -> scroll down a little bit and you will find secedit. I also used Resource Monitor to observe registry changes when I disable something, according to this link -> Use Process Monitor to Find Registry Changes. But nothing shows up. Somewhere on the internet I also found that security policies are not always associated with registry values, but I forgot to save the link. I also found this Stack Overflow article: Modify Local Security Policy using Powershell. But I can't understand anything, as I know nothing about PowerShell programming and secedit or "how to edit database". Please provide some juicy resources to learn about editing security policies.
For your information, I am building my program.exe on my local computer (house PC) and transferring the generated exe to an "Amazon EC2 instance". If you say compile the program in "Amazon EC2" RDP, I will say that I don't need to do that, because my program.exe is running fine in "Amazon EC2" if I disable or enable some of the "User Account Control: " settings.
Here is everything I wanted to know -> Registry Key Values Associated with local policies, and thanks to -> Grzegorz Ochlik.
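One way to see which registry values the "User Account Control: ..." entries of Security Options map to, without guessing, is to let `secedit` export the local security policy to an .inf file and read its `[Registry Values]` section. The script below is an added example and is not code from the question or the linked article; the temporary file path, the function name and the list of value names to filter on are my choices (the names are the real UAC policy values under `HKLM\...\Policies\System`). Run it elevated.

```powershell
# Added example (not from the original thread): export the local security policy
# with secedit and list the User Account Control values it contains. Run elevated.
# $Inf, Get-UacPolicyValues and the filter list below are my additions.
$Inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $Inf | Out-Null

function Get-UacPolicyValues {
    param([Parameter(Mandatory)][string]$Path)
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        # Section headers look like [Registry Values]; only that section is parsed.
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Registry Values'); continue }
        if (-not $inSection) { continue }
        # Entries look like: MACHINE\...\Policies\System\EnableLUA=4,1
        # where the number before the comma is the registry type (4 = REG_DWORD).
        if ($line -match '^(?<key>MACHINE\\.*\\Policies\\System\\(?<name>[^=\\]+))=(?<type>\d+),(?<data>.*)$') {
            $typeName = switch ($Matches['type']) {
                '1' { 'REG_SZ' } '4' { 'REG_DWORD' } '7' { 'REG_MULTI_SZ' } default { $_ }
            }
            [pscustomobject]@{
                Name = $Matches['name']
                Type = $typeName
                Data = $Matches['data']
                Key  = $Matches['key']
            }
        }
    }
}

# These value names are the registry form of the "User Account Control: ..."
# entries shown under Security Options in gpedit/secpol.
$UacValueNames = @(
    'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser',
    'PromptOnSecureDesktop', 'EnableInstallerDetection', 'EnableSecureUIAPaths',
    'EnableVirtualization', 'FilterAdministratorToken', 'ValidateAdminCodeSignatures'
)

Get-UacPolicyValues -Path $Inf |
    Where-Object { $_.Name -in $UacValueNames } |
    Format-Table Name, Type, Data -AutoSize
```

Editing a value in the exported .inf and applying it with `secedit /configure /db secedit.sdb /cfg <file>.inf /areas SECURITYPOLICY` is the scriptable counterpart of toggling the entry in the editor, and the export makes a convenient before/after record of what a script changed.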

Supply Let's Encrypt certificate chain to the client on IIS

To the people that close vote this post: it doesn't help if you don't comment why. We're all trying to learn here.
I want to have wildcard certificates for 2 domains of mine using Let's Encrypt. Here's what I did:
In Chrome it all works. In Firefox I get the error below:
So I tested here: https://www.ssllabs.com/ssltest/analyze.html?d=gamegorilla.net
I also checked this other post.
There's talk on making sure that "the server supplies a certificate chain to the client, only the domain certificate". I found validating the certificate chain here.
I then took these steps found here:
Open the Certificates Microsoft Management Console (MMC) snap-in.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and then click OK.
In the Certificates snap-in dialog box, click Computer account, and then click Next.
In the Select computer dialog box, click Finish.
I already see "Let's Encrypt Authority X3" in the Intermediate Certification Authorities. So that should already be handling things correctly, I'd presume.
How can I ensure the Let's Encrypt certificate chain is supplied to the client so it works in Firefox too?
UPDATE 1
Based on #rfkortekaas' suggestion I used "all binding identifiers" instead of supplying the search pattern. When Win-acme asked Please pick the main host, which will be presented as the subject of the certificate, I selected gamegorilla.net. After this gamegorilla.net now works in Firefox, however, on www.karo-elektrogroothandel.nl I now get an insecure certificate.
UPDATE 2
Alright, that seems to fix it. I do see that bindings for smtp/mail (e.g. smtp.gamegorilla.net) are now also added to IIS automatically:
Should I leave those or delete those mail+smtp records here?
Also, the certificate is now [Manual]; does that mean I need to renew manually (which would be weird, since nowhere during the certificate creation steps did I see an option for auto-renewal)?
The issue is that you only generate the certificate for www.gamegorilla.net and not gamegorilla.net. If you select all binding identifiers instead of supplying the search pattern, I think it should work.
To also get certificates for other names that are not hosted by IIS you cannot use the import from IIS function. You need to supply them all, starting with the common name.
After starting wacs, select M for a new request and select option 2 for manual input. After that, enter the comma-separated list with the common name first: gamegorilla.net,www.gamegorilla.net,smtp.gamegorilla.net,karo-elektrogroothandel.nl,www.karo-elektrogroothandel.nl,smtp.karo-elektrogroothandel.nl (without any spaces). Or, when you want to generate a wildcard certificate, you can use: gamegorilla.net,*.gamegorilla.net,karo-elektrogroothandel.nl,*.karo-elektrogroothandel.nl.
Please be aware that for generating wildcard certificates you need to be able to use the DNS-01 challenge. The HTTP-01 challenge doesn't support wildcard certificates.
For the certificate renewal you should run wacs --renew from time to time (for example via a scheduled task).

Remote Desktop Service behavior issue, RemoteApp kept freezing

My issue is that while launching the RemoteApp it keeps spinning and says "Configuring remote session". Not all the time, though. It was launching a while ago, and I signed off. Now that I have launched the RemoteApp again, it is just spinning.
And when I try to cancel, it won't cancel the RemoteApp; I have to kill it through Task Manager.
After killing it, I launched it again and it just worked as expected.
I need to get this fixed. Please suggest a resolution for me.
RDS is on Windows Server 2012 R2.
Client launching from Windows 10
Could you please let us know the following details?
Is this a recurring issue or a one-time occurrence?
Please try to telnet to the remote machine and check whether it's reachable or not when this problem occurs, and share the feedback with us.
Also try the solutions below; maybe they will fix this RDP freezing issue.
Try to see whether reducing graphics helps.
This seems to have helped in a few cases. This verifies whether you have the correct graphics driver.
Here’s how:
Right click the Windows desktop and choose Personalize.
Click "Display Settings".
Click "Advanced Settings”.
Click on "Troubleshoot" tab.
Click on "Change Settings".
On the resulting Display Adapter Troubleshooter dialog box, drag the slider one notch to the left.
If changing the video hardware acceleration solves the problem, it's a signal that your computer's video driver isn't quite perfect.
In such cases, download the driver from the link below.
http://support.dell.com/support/downloads/driverslist.aspx?c=us&cs=19&l=en&s=dhs&os=WW1&osl=en&catid=&impid=&SystemID=STUDIOXPS8100
Connect and see if there’s any improvement.
Security software could also be one of the reasons.
Temporarily disable them and verify the result.
Try disabling Receive Window Auto-Tuning.
Here is what you need to do:
Go to Start and type cmd.
Right-click on cmd and select “Run as administrator”.
Type: netsh interface tcp set global autotuninglevel=disabled and press Enter.
If you want to re-enable it:
Type: netsh interface tcp set global autotuninglevel=normal and press Enter.
If this doesn't help, please post your concerns at the TechNet forums for further support.
http://social.technet.microsoft.com/Forums/en/w7itpronetworking/threads
Note: Make sure to re-enable all your security software at this point.
If the above steps are unsuccessful, use the steps below and try the same.
Log on to the Remote Desktop Services Session Host computer as an administrator.
Start--Run gpedit.msc
In the left pane, under Computer Configuration, navigate to following:
Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment
In the right pane, double-click on Set compression algorithm for RDP data
Select Enabled, and choose Balances memory and network bandwidth
Click OK to save the change

Unable to change local security settings

In Windows XP, I'm going to add a new user with a simple password. It prompts that the password does not meet the password policy requirements. I've not set a policy!
Then I found that I should use gpedit.msc to change this policy. But it's disabled and I'm unable to change the default policy. I don't know how to change this policy.
Can you use Start -> Run -> secpol.msc, and then navigate to Account Policies and then Password Policy and change it there?
If not, then maybe you can do this by editing the registry directly using this:
Set strong password policy in Windows XP
Oh, I found it! The computer was joined to a domain. So I couldn't create a user with a simple password, even in the local Windows. I left the domain and the fields got changeable!
Microsoft is always weird.

Missing Local DTC in MSDTC

First I couldn't start the MSDTC service. I tried the following link and solved that problem. link : http://social.technet.microsoft.com/Forums/en-ZA/winserverhyperv/thread/d3de5460-fb42-4af0-ac75-27c22741c7e9 . Now I'm having a problem with a missing Local DTC in MSDTC (I checked with Component Services). I'm using Windows 7 (64-bit).
I tried the following steps too. But still no luck.
1) Stop the Distributed Transaction Coordinator service in the Services Control Panel
2) At a command prompt run "msdtc -uninstall" without quotes. This removes the MSDTC service from the Services Control Panel and the associated service hive along with the CIDs and CID.Locals from the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSDTC
HKEY_CLASSES_ROOT\CID
HKEY_CLASSES_ROOT\CID.Local
3) Skip this step if you want to preserve existing configuration, such as network transactions and other MSDTC security settings. Otherwise manually delete the following registry keys if they exist:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSDTC
HKEY_CLASSES_ROOT\CID
HKEY_CLASSES_ROOT\CID.Local
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC
4) At a command prompt run "msdtc -install" without quotes. This reinstalls the MSDTC service and the 4 registry hives above.
5) At a command prompt run "msdtc -resetlog" without quotes
Any tips on how I can resolve this?
Now I'm bored with solving my own issues. I posted it on my blog. http://littlerasika.wordpress.com/2012/06/28/problem-with-starting-msdtc-and-missing-local-dtc-in-windows-7/
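The five reinstall steps listed in the question, as one script that exports every registry key it is about to delete before touching it, so the removal in step 3 can be undone. This is an added example, not code from the post or from Microsoft; the `-KeepConfig` switch, the backup directory and the messages are my additions. Run it from an elevated PowerShell prompt, saved as a .ps1 file.

```powershell
# Added example (not from the original post): automate the MSDTC reinstall steps
# with a registry backup before any key is deleted. Run elevated as a .ps1 script.
# -KeepConfig (mine) skips step 3, as the post suggests when settings must survive.
param([switch]$KeepConfig)

$BackupDir = Join-Path $env:TEMP ('msdtc-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The keys named in steps 2 and 3, in reg.exe form and PowerShell-provider form.
$Keys = @(
    @{ Reg = 'HKLM\System\CurrentControlSet\Services\MSDTC'; PS = 'HKLM:\System\CurrentControlSet\Services\MSDTC' },
    @{ Reg = 'HKCR\CID';                                     PS = 'Registry::HKEY_CLASSES_ROOT\CID' },
    @{ Reg = 'HKCR\CID.Local';                               PS = 'Registry::HKEY_CLASSES_ROOT\CID.Local' },
    @{ Reg = 'HKLM\SOFTWARE\Microsoft\MSDTC';                PS = 'HKLM:\SOFTWARE\Microsoft\MSDTC' }
)

# Step 1: stop the Distributed Transaction Coordinator service if it is running.
Stop-Service -Name MSDTC -ErrorAction SilentlyContinue

# Back up every key that currently exists, so step 3 is reversible (reg import).
foreach ($k in $Keys) {
    if (Test-Path -Path $k.PS) {
        $file = Join-Path $BackupDir (($k.Reg -replace '[\\:]', '_') + '.reg')
        reg.exe export $k.Reg $file /y | Out-Null
        "Backed up $($k.Reg) -> $file"
    }
}

# Step 2: remove the service and its registry hive.
msdtc.exe -uninstall

# Step 3 (optional): delete leftover keys unless existing configuration must be kept.
if (-not $KeepConfig) {
    foreach ($k in $Keys) {
        if (Test-Path -Path $k.PS) {
            Remove-Item -Path $k.PS -Recurse -Force
            "Removed $($k.Reg)"
        }
    }
}

# Steps 4 and 5: reinstall, reset the transaction log, then bring the service up.
msdtc.exe -install
msdtc.exe -resetlog
Start-Service -Name MSDTC
Get-Service -Name MSDTC | Select-Object Name, Status
```

If the service comes back but Local DTC is still missing from Component Services, the backup directory holds the pre-reinstall state of each key, and `reg import <file>.reg` restores it.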
There is a section under the
Control Panel -> Administrative Tools -> Component Services -> Computers -> My Computer -> Distributed Transactions -> Local DTC
If you go to Properties, you should be able to check the "Network DTC Access" box and fill in the DTC Logon.
I had to mess around with it quite a few times (since my permissions were too tight). I would also suggest restarting after applying the new settings, and do not forget to disable the firewall, just for the duration of testing, to make sure it is not getting blocked there.
There you go :)