[ActiveDir] OT: Know a good SMS list?
Hi, sorry for the OT, but I got an issue and need some SMS help. If you know an SMS list which is as good as this one is for AD, please let me know. I know there are some people on this list who are good with SMS, so I'll post an idea of my issue below. The answer may be simple, as I'm really a beginner in SMS - or may be impossible for all I know :-(

We have a single SMS server serving clients on 4 sites, some of which are over slow links (yes, I know, not ideal) which they want to start deploying software from (it gets worse, doesn't it).

The task I was given was that we use a preexisting replicated DFS structure to keep a copy of the install software, and expect AD site boundaries to ensure that clients pick up the files from the central location. I can't see any way in SMS to set up a remote distribution point (ie anywhere but the SMS box). Seems no matter what I try, the clients (all advanced) go back to the DP for the install files and not to the DFS (note, they use DFS strangely here, they use it as a single domain root replicating data between sites rather than using it to redirect users to shares on other servers).

Is there any way to get a single SMS box to cause advanced clients to install an app from a fileshare local to them?

Thanks in advance

Mike Guest
IT Solutions
HML Padiham
DDI: +44 (0)1282 682550
Internal Extension: (61) 2550

*** This email is intended only for the addressee named above. As this email may contain confidential or privileged information, if you are not the named addressee or receive this message in error, please notify us immediately, delete it and do not make use of or copy it. This message is protected by copyright. HML accepts no responsibility for viruses found in this message or any file attachment. Homeloan Management Limited Registered in England No. 2214839 1 Providence Place, Skipton, North Yorkshire BD23 2HL
RE: [ActiveDir] OT: Possessed PCs
Your father is probably mild. http://amasci.com/weird/unusual/zap.html - these guys (if you believe them) have real problems.

Mike Guest
IT Solutions
HML Padiham
DDI: +44 (0)1282 682550
Internal Extension: (61) 2550

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 01 December 2006 23:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

Happens with my father and watches as well. The man cannot wear a watch without it dying within weeks. But that's another story.

If you can isolate the symptoms to time of day or even the remote chance it's a bad ballast (fluorescent lighting used to cause occasional problems with old CRTs), etc. At least you can start to whittle things down a bit. But in this case it sounds like RF overlap. Perhaps there is one mouse that is emitting too strong a signal. I was a bit thrown this morning though when I thought I read that this was happening with corded devices as well.

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275

The contents contain privileged and/or confidential information intended for the named recipient of this email. ETSI (Employee Technology Solutions, Inc.) does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email in error, please reply to us immediately and delete the document. Viruses, Malware, Phishing and other known and unknown electronic threats: It is the recipient/client's duties to perform virus scans and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect. Any loss/damage incurred by using this material is not the sender's responsibility. Liability will be limited to resupplying the material.
RE: [ActiveDir] quota issues
Just a couple of thoughts.

Have you tried searching the disk for other files marked with him as owner – perhaps from a legacy share which no longer exists?

Alternatively, is it possible that one of the files he's copying has streams? I understand the space used by a stream does not get added to the disk space that Windows reports, but perhaps it affects the quota?

Mike Guest
IT Solutions
HML Padiham
DDI: +44 (0)1282 682550
Internal Extension: (61) 2550

From: Antonio Aranda [mailto:[EMAIL PROTECTED]
Sent: 25 October 2006 15:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

There seem to be mostly small files; 5 to 7 K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Tuesday, October 24, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] quota issues

I guess he is probably trying to write or copy a file which is quite big, maybe more than 200Mb in size. Please tell him to write a smaller file on the file system where he is already using 300MB.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, October 24, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] quota issues

I'm having weird quota issues. I have a partition that has the default quota set to 500 MB. There are a good hundred users that write to that partition but only one is having this issue; he keeps running out of quota even though he has only written about 300 MB to his subdirectory. He can only write to that subdirectory, so why is he running out of space?

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413
RE: [ActiveDir] OT: Issue with remote assistance offers
Thanks for this. I checked the settings.

DCOM is unrestricted (for administrators).
Users are allowed to access the computer from the network.
I'm in the remote assistance users list, both as an admin and as my own id.
We're not using a local (XP or 3rd party) software firewall.

The only thing I did find is that an Ethereal trace shows the client failing to make a connection on port 4213 - but I can find no docs on this port in TechNet so I find this somewhat confusing - why that port? (Also a LOT of TCP checksum errors - but I suspect this is Ethereal rather than a real network issue.)

I think I'm gonna just stick with the SMS RC tool for now.

Thanks all.

Mike Guest
IT Solutions
HML Padiham
DDI: +44 (0)1282 682550
Internal Extension: (61) 2550

-----Original Message-----
From: Lucas, Bryan [mailto:[EMAIL PROTECTED]
Sent: 24 October 2006 16:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Issue with remote assistance offers

I snagged this from my notes on when we deployed XP/GPOs and RA. It was a beating to get this to work; maybe something in this will spark a thought on your part.

Edit the new custom GPO to have the following settings:

1. CompConfig, Windows Settings, Local Policies, Security Options:
   a. DCOM: Machine Access Restrictions
   b. DCOM: Machine Launch Restrictions
   Grant TCURAP-XYZ full control on all these rights when you define this setting.

2. CompConfig, Windows Settings, Local Policies, User Rights Assignments:
   a. Access this computer from the network (add the TCURAP-XYZ group)

3. CompConfig, Administrative Templates, System, Remote Assistance:
   a. Offer Remote Assistance - Add the TCURAP-XYZ group (be sure to include the TCU\)

4. Make sure the department has a TCU WinXP Firewall GPO with the following entries:

   SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\PCHEALTH\HelpCtr\Binaries\Helpctr.exe:*:enabled:Helpctr.exe
   %systemroot%\PCHEALTH\HelpCtr\Binaries\Helpctr.exe:*:enabled:Helpctr.exe

   SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\PCHEALTH\HelpCtr\Binaries\helpsvc.exe:*:enabled:helpsvc.exe
   %systemroot%\PCHEALTH\HelpCtr\Binaries\helpsvc.exe:*:enabled:helpsvc.exe

   SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe
   %systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe

Bryan Lucas
Server Administrator
Texas Christian University
RE: [ActiveDir] OT: Issue with remote assistance offers
Yes. I can get remote assistance running if the client makes the request (using a file). It's only admins offering assistance that I can't get working.

Thanks

Mike Guest
IT Solutions
HML Padiham
DDI: +44 (0)1282 682550
Internal Extension: (61) 2550

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:[EMAIL PROTECTED]
Sent: 24 October 2006 15:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Issue with remote assistance offers

In System, Remote in the control panel, under Remote assistance, in advanced, the box to allow it to be controlled remotely is checked, right?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] OT: Issue with remote assistance offers
Yes. I'm also an admin on the remote machine. The closest I can find is Q555179, which suggests that I need "File & print" allowing through the (in the article's case, Windows) firewall. If this is the case, we'll likely not implement it anyway. We don't really want to allow this level of access.

Mike Guest
IT Solutions
HML Padiham
DDI: +44 (0)1282 682550
Internal Extension: (61) 2550

From: David Aragon [mailto:[EMAIL PROTECTED]
Sent: 24 October 2006 15:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Issue with remote assistance offers

Are you a member of the "Offer Remote Assistance Helpers" group on the system you're trying to offer RA to (this can be done via GPO setting)?

David Aragon
RE: [ActiveDir] OT: Issue with remote assistance offers
PS: forgot to mention. XP box is a domain member, Windows Firewall disabled.

Mike Guest
IT Solutions
HML Padiham
DDI: +44 (0)1282 682550
Internal Extension: (61) 2550
[ActiveDir] OT: Issue with remote assistance offers
Anyone seen this before?

I have an XP box sitting behind an internal firewall (long story) that I want to be able to offer unsolicited remote assistance to. I can already RDP to the box, but the session on that box I want to offer assistance to is already an RDP session, so that solution's out.

I have opened TCP 135 and 3389. I can create an offer on the remote system (as a file), move it to my machine and successfully initiate an RA session.

However, when I try to initiate an RA session without an invite, the Help and Support Center window freezes for about 30 seconds then tells me "The remote machine does not exist or is unavailable" – I've tried both by name and by IP.

I've double-checked with a port scanner and 135 is definitely open (as is 3389, but I couldn't do the invited RA or RDP without that).

Anybody?

Thanks
RE: [ActiveDir] Disk Space Hogs
Try "treesize pro". Last time I checked there was a trial license: http://www.jam-software.com/treesize/

-----Original Message-----
From: Steve Comeau [mailto:[EMAIL PROTECTED]
Sent: 06 October 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disk Space Hogs

Is there a tool or utility out there that I can find out who/what/when has been eating up disk space on the server? I would like to see who is hogging up space with a parameter of "by date".

Thank you.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

*** This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA, 83 Rockafeller Road, Piscataway, NJ www.scarletknights.com ***
RE: [ActiveDir] OT: Protecting against Spyware/Adware
One help might be to run in admin mode (since you have to) but launch IE and Outlook from shortcuts which run as unprivileged accounts - that might cut down on SOME vectors.

HTH

(PS - the following info from Mark Russinovich uses this approach - I can't get it to open on Blogger (it's from his old pre-Microsoft blog), so I've cut & pasted it from the RSS feed FYI - all rights to Mark.)

Malware has grown to epidemic proportions in the last few years. Despite applying layered security principles, including running antivirus, antispyware, and a firewall, even a careful user can fall victim to malware. Malware-infected downloads, drive-by exploits of Internet Explorer (IE) vulnerabilities, and a careless click on an Outlook attachment sent by a friend can render a system unusable and lead to several hours with the Windows setup CD and application installers.

As this eWeek study shows, one of the most effective ways to keep a system free from malware and to avoid reinstalls even if malware happens to sneak by, is to run as a limited user (a member of the Windows Users group). The vast majority of Windows users run as members of the Administrators group simply because so many operations, such as installing software and printers, changing power settings, and changing the time zone require administrator rights. Further, many applications fail when run in a limited-user account because they're poorly written and expect to have write access to directories such as \Program Files and \Windows or registry keys under HKLM\Software.

An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.

Process Explorer's Run as Limited User menu item in the File menu opens a dialog that looks like and acts like the standard Windows Run dialog, but that runs the target process without administrative privileges. PsExec with the -l switch accomplishes the same thing from the command line.

An advantage to using PsExec to launch limited-user processes is that you can create PsExec desktop shortcuts for ones you commonly launch. To make a shortcut for Outlook, for example, right-click on the desktop, choose New->Shortcut, enter the path to PsExec in the location field and click Next. Enter Outlook as the name of the shortcut and press Finish. Then right click on the shortcut to open its properties, add "-l -d" and the path to Outlook (e.g. C:\Program Files\Microsoft Office\Office11\Outlook.exe) to the text in the Target field. Finally, select Change Icon, navigate to the Outlook executable and choose the first icon. Activating the shortcut will result in a Command Prompt window briefly appearing as PsExec launches the target with limited rights.

Both Process Explorer and PsExec use the CreateRestrictedToken API to create a security context, called a token, that's a stripped-down version of its own, removing administrative privileges and group membership. After generating a token that looks like one that Windows assigns to standard users, Process Explorer calls CreateProcessAsUser to launch the target process with the new token.

You can use Process Explorer itself to compare the token of a process running with full administrative rights and one that's limited by viewing the Security tab in the Process Properties dialog. The properties on the left are for an instance of IE running in an account with administrative group membership and the one on the right for IE launched using Run as Limited User. The privilege lists immediately stand out as different because the limited-user token has so few privileges. Process Explorer queries the privileges assigned to the Users group and strips out all other privileges, including powerful ones like SeDebugPrivilege, SeLoadDriverPrivilege and SeRestorePrivilege.

The difference between the group lists is more subtle: both tokens contain the Builtin\Administrators group, but the group has a Deny flag in the limited-user version. Fully understanding the effect of that flag requires a quick background on the Windows security model.

Windows stores an object's permissions in a Discretionary Access Control List (DACL) that consists of zero or more Access Control Entries (ACEs). Each ACE specifies the user or group to which it applies, a type of Allow or Deny and the accesses (e.g. read, delete) it allows or denies. When a process tries to open an object, Windows normally considers each ACE in the object's DACL that matches the user or any of the groups in the process' token. However, when the Deny flag is present on a group, that group is only used during a security access check to deny ac
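The rule the quoted post is explaining (a restricted token keeps the Administrators group but flagged deny-only, so that group still matches Deny ACEs but no longer matches Allow ACEs, and every privilege the Users group lacks is stripped) is easiest to see in a small model. The following Python is an added example written for this page; it is not Windows code and not part of Process Explorer or PsExec, and the group names, privilege sets and DACLs in it are constructed samples. `restrict_token` stands in for what CreateRestrictedToken does here, and `access_check` walks a DACL the way the post describes.

```python
"""
Toy model of the token / DACL behaviour described in the quoted post.
Constructed for illustration only: not Windows code, not Process Explorer
or PsExec. Names, privilege sets and DACLs below are made-up samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One Access Control Entry: Allow or Deny some rights to a user/group."""
    kind: str            # "allow" or "deny"
    sid: str             # user or group name (stands in for a real SID)
    access: frozenset    # rights this ACE covers, e.g. {"read", "write"}


@dataclass(frozen=True)
class Token:
    """Security context of a process."""
    user: str
    groups: frozenset      # ordinary group memberships
    deny_only: frozenset   # groups carrying the Deny flag (use-for-deny-only)
    privileges: frozenset  # e.g. {"SeDebugPrivilege", ...}


# Privileges a plain member of Users normally holds (approximate sample set).
USERS_PRIVILEGES = frozenset({"SeChangeNotifyPrivilege", "SeShutdownPrivilege",
                              "SeUndockPrivilege"})


def restrict_token(token: Token, disable_groups: frozenset) -> Token:
    """Model of the restriction the post describes: the listed groups are not
    removed but flagged deny-only, and every privilege the Users group does
    not have is stripped."""
    disabled = token.groups & disable_groups
    return Token(user=token.user,
                 groups=token.groups - disabled,
                 deny_only=token.deny_only | disabled,
                 privileges=token.privileges & USERS_PRIVILEGES)


def access_check(token: Token, dacl: list, requested: frozenset) -> bool:
    """Walk the DACL in order. Deny ACEs match ordinary *and* deny-only groups;
    Allow ACEs match only the user and ordinary groups. Access is granted once
    every requested right has been allowed, and refused as soon as a Deny ACE
    covers a right that is still outstanding. An empty DACL grants nothing."""
    remaining = set(requested)
    for ace in dacl:
        matches_user_or_group = ace.sid == token.user or ace.sid in token.groups
        if ace.kind == "deny":
            if (matches_user_or_group or ace.sid in token.deny_only) \
                    and (ace.access & remaining):
                return False
        elif ace.kind == "allow" and matches_user_or_group:
            remaining -= ace.access
            if not remaining:
                return True
    return False  # not every requested right was allowed by some ACE


# Constructed sample tokens: an administrator's full token, the same token
# after "Run as Limited User", and a never-admin user for comparison.
ADMIN_TOKEN = Token(
    user="CORP\\mike",
    groups=frozenset({"BUILTIN\\Administrators", "BUILTIN\\Users"}),
    deny_only=frozenset(),
    privileges=USERS_PRIVILEGES | {"SeDebugPrivilege", "SeLoadDriverPrivilege",
                                   "SeRestorePrivilege"},
)
LIMITED_TOKEN = restrict_token(ADMIN_TOKEN, frozenset({"BUILTIN\\Administrators"}))
PLAIN_USER_TOKEN = Token(user="CORP\\guest-user",
                         groups=frozenset({"BUILTIN\\Users"}),
                         deny_only=frozenset(), privileges=USERS_PRIVILEGES)

# Constructed DACLs (explicit Deny ACEs first, as a canonical DACL orders them).
PROGRAM_FILES_DACL = [
    Ace("allow", "BUILTIN\\Administrators", frozenset({"read", "write", "delete"})),
    Ace("allow", "BUILTIN\\Users", frozenset({"read"})),
]
QUARANTINE_DACL = [
    Ace("deny", "BUILTIN\\Administrators", frozenset({"delete"})),
    Ace("allow", "BUILTIN\\Users", frozenset({"read", "delete"})),
]

if __name__ == "__main__":
    for name, tok in (("admin", ADMIN_TOKEN), ("limited", LIMITED_TOKEN),
                      ("plain user", PLAIN_USER_TOKEN)):
        print(f"{name:11s} write to Program Files: "
              f"{access_check(tok, PROGRAM_FILES_DACL, frozenset({'write'}))}")
        print(f"{name:11s} delete from quarantine: "
              f"{access_check(tok, QUARANTINE_DACL, frozenset({'delete'}))}")
    print("limited-token privileges:", sorted(LIMITED_TOKEN.privileges))
```

Two results are worth noticing: the restricted token cannot write under the first DACL because its Administrators membership no longer satisfies the Allow ACE, yet it is still refused delete under the second DACL, where the plain Users token succeeds, because the deny-only group still matches the Deny ACE. That is why the post stresses that the Deny flag is not the same as simply leaving the group out of the token.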