Apple ip

i in process of implementing wap owa , activesync.  everything configured pass-through authentication due exchange 2007/2013 coexistence/  my security wants consume logs splunk.  where find these logs?  i checked adfs event logs , wap event logs, neither show authentication attempts or source ips. brian smith hi brian, yes, should work.   since using pass-through pre-authentication, wap not authenticate users before allowed connect published web applications, authentication can required backend server. more information you: step 5: plan publish applications using pass-through preauthentication http://technet.microsoft.com/en-us/library/dn383655.aspx planning publish applications using web application proxy http://technet.microsoft.com/en-us/library/dn383650.aspx best regards, amy please remember mark replies answers if , un-mark them if provide no help. if have feedback technet subscriber support, contact tnmff@microsoft.com .

i have windows 2003 server setup terminal server. has 2 network ports. one on lan , other on internet. the access lan works no problem unable accessed internet. terminal server listening on both network ports when user tries access internet window come saying "this computer can't connect remote computer. try connecting again. if problem continues, contact owner of remote computer or network administrator." when @ windows firewall logs says requests being dropped when disable firewall still unable connect. many in advance. tom agutter hi tom,   can verify have network connectivity machine internet?  can ping , net use machine internet?   i'd suggest posting message ts newsgroup, forum longhorn server questions, folks on newsgroup might better equiped answer question: http://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.windows.terminal_services   thanks, drew

not sure post it, i'm putting here. i have several internal , external site require ssl. i don't want ahve continue purcahase ucc certs these internal , external domains, want find out having own ssl authorization system. i need able authorize ssl certs intranet sites, , sites accessible internet. need make sure certs don't error out, , authorized. i called godaddy , network solutions trying find answer, can't seem other ucc. thought or ideas on can do? if use own pki infrastructure, works within intranet.  however, if plan on exposing website externally, default external computers not trust certificates browsers prompt warning indicating certificate not trusted. that why external facing applications, go trusted 3rd party certificate.   visit: anitkb.com , knowledge base. Windows Server  > 

we have public dmz server , internal server. name of servers same , have configured public dmz server's name public (created dns record name of public dmz server , the ip address of it) , it is working perfectly. internal network i tried create another record pointing internal server but everytime still going public dmz sever. our internal users should resolve name of internal server. external users should resolve the public dmz server same name. please help! regards khalid   mcitp: enterprise administrator |mcitp: server administrator mcitp: enterprise support | mcts: exchange 2007, 2010, ocs2007 | uc specilized i created new forward zone other server's name , worked 2 dns records! mcitp: enterprise administrator |mcitp: server administrator mcitp: enterprise support | mcts: exchange 2007, 2010, ocs2007 | uc specilized Windows Server  >

hello, i'm trying figure out how ps script have in order move files word archive in there naming of specific path, network path?   any ideas?  thx hi, try this: $sourcelocation = "p:\test" $destlocation = "\\g1\test2" get - childitem $sourcelocation * archive * | move - item - destination $destlocation Windows Server  >  Windows PowerShell

hi, so have single domain in company 3 dns servers. when preferred , secondary dns services down or when rebooted, doesn't seem third server services users requests. although ms books claim using multiple dns servers fault-tolerance mechanism, it's not. issued ipconfig /flushdns , still same problem. when manually put third server address preferred, fine. what benefit of having multiple dns servers then? hi  you need add third dns server on dhcp scopes; open dhcp console-right click scope options->select configure options->006 dns servers add third dns server. Windows Server  >  Network Infrastructure Servers

i have sbs 2008 in home office folder redirection working perfectly.  have 2 remote offices connected via sonicwall gateway gateway tunnels.  servers in both remote locations server 2003 standard.  3 servers on same domain, sbs2008 pdc , both 2003 servers secondaries. i have issues few users work out of main sbs2008 office travel both remote locations.  when login can take hours login complete.  random happen often.  have setup gpo's redirect sbs2008 redirected folders, , under documents , settings server 2003.  of time works owner 1 of users seems never able login correctly or doesn't receive desktop , documents. i need know if there known issues , how resolve.  please help. thank you. i have setup gpo's redirect sbs2008 redirected folders, , under documents , settings server 2003.  i'm little unclear sentence. mean have group policy redirect folders both sbs2008 , server 2003, users should have local copy when try logged on either main office o

hello, we having stability problem event forwarding process. after set events being forwarded time, stops. restarting windows remote management service helps, not possible, , service has killed in process explorer. on source computer event generated, when service stops responding: event type: error event source: eventforwarder-operational event category: none event id: 102 date: 12.5.2010 time: 10:11:36 user: n/a computer: server description: subscription application log can not created. error code 8. while on collector computer the subscription runtime status shows errors: [server.domain] - error - last retry time: 12.5.2010 10:11:36. code (0x8): <f:providerfault provider="event collector plugin windows remote management " path="%systemroot%\system32\wevtfwd.dll" xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"> <t:providererror xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/win

hello all, i have strange problem network drives mapping , using in powershell. if map network drive first time set-location , able browse thought drive. if dissconect drive , re-create drive again, not able set-location , browse drive anymore... $pdrive = " \\sharename\projects$\p1757_xxx " (new-object -com wscript.network).mapnetworkdrive("p:",$pdrive) set-location p: working :-) set-location c: (new-object -com wscript.network).removenetworkdrive("p:") $pdrive = " \\sharename\projects$\p1757_xxx " (new-object -com wscript.network).mapnetworkdrive("p:",$pdrive) set-location p: not working :-( set-location : cannot find drive. drive name 'p' not exist. at line:1 char:13 + set-location <<<<  p:     + categoryinfo          : objectnotfound: (p:string) [set-location], drivenotfoundexception     + fullyqualifiederrorid : drivenotfound,microsoft.powershell.commands.setlocationcommand s

quiero cambiar la zona horaria en forma automatica todas las estaciones de trabajo, por que no me ha resultado con la instalacion del parche. tengo un script que lo hace y lo puesto en una gpo que cuando el usuario se logea al servidor, intenta cambiar la hora, pero aparece un mensaje en las estaciones de trabajo que dice "no tiene permiso para cambiar la hora del sistema". he leido tanto que ya estoy algo confundido, porque en algun momento pense que las estaciones podira tomar la hora del server traves del comamdo net time \\server /set /y, pero siempre tengo el mismo problema, "no tiene permiso para cambiar la hora del sistema". tambien puesto en la politica configuracion del equipo / configuracion de seguridad / asignacion de derechos de usuarios / cambiar la hora del sistema, los usuarios autentificados, del dominio, el usuario especifico, etc., y nada!!. estoy que tiro la esponga, alguien se le ocurre que puede estar sucediendo! por su tiempo, grac

dear colleagues , i looking software collect user print job information (eventid 10) , give out sorting username . i have found several softwares extract whole information there need excel works extract specific information such username , number of printed pages . does knows software working in manner ? thanks in advance hello,   see if following solutions meet requirements. note: information provided as is . print inspector – printer usage tracking software http://www.softperfect.com/products/pinspector/ print job monitor http://www.imonitorsoft.com/product-print-job-monitor.htm printer manager, printer control, printer tracking , printer counter software http://printeradmin.com/   thanks zhang Windows Server  >  Management

hi all, having problem wap server. i've configured adfs, , installed relevant ssl certificate fs. mywebsite.co.uk when attempting run wap configuration wizard, enter relevant server details , select ssl certificate, when runs, receive message saying "an error occurred when attempting establish trust relationship federation service. error: service unavailable". be? all servers 2012 r2. kind regards, tom hi, thanks post. regarding error, may refer following article , similar threads: error while configuring wap–the underlying connection closed https://blogs.technet.microsoft.com/keithab/2015/04/13/error-while-configuring-wapthe-underlying-connection-was-closed/ similar threads reference: web application proxy configuration error https://social.technet.microsoft.com/forums/windowsserver/en-us/e04fe6fe-3415-45c2-a1ec-0c76be8ae3a5/web-application-proxy-configuration-error?forum=winserver8gen cannot complete web application proxy wizard adf

hello technet, i'm trying execute command windows 7 machine ad ds tools installed, doesnt work. says parameter incorrect no matter do.  dsmove cn=%computername%,cn=computers,dc=f1,dc=lcl -d f1.lcl -newparent ou=windows 7,ou=workstations,ou=computers,ou=01-north-f1,dc=f1,dc=lcl best regards jesper vindum, denmark can verify dns correct, command should work, examples here  http://technet.microsoft.com/en-us/library/cc731094(v=ws.10).aspx y ou don't need -d switch i tested in lab , command works fine thanks mike http://adisfun.blogspot.com follow @mekline Windows Server  >  Directory Services

is possible use virtual machine create virtual server? is, sandbox mess around see changes make can server before doing on production server , avoid causing damage? chris, hyper-v role can installed on physical machine not virtual machine. machine commonly referred hyper-v host opposed hyper-v guests - being virtual machines. you can install hyper-v role on physical machine running server 2012 r2 remotely (same applies server 2012, 2008 r2). don't have sitting @ server console. can via number of ways rdp or powershell remoting. sam boutros, senior consultant, software logic, kop, pa http://superwidgets.wordpress.com (please take moment vote helpful and/or mark answer, applicable) Windows Server  >  Windows Server 2012 General

we're troubleshooting performance issues new hv 3.0 deployment.  customer having performance issues , we're trying determine whether issue storage or other configuration.  part of testing have been using iometer generate workload on storage , @ same time using hyperv30.xml template pal collect information host.   after parsing collection found reported following... condition \tcpv4\connection failures min avg max hourly trend std deviation 10% of outliers removed 20% of outliers removed 30% of outliers removed more 10 tcp connection failures per hour nexustest2 293,520 293,640 293,758 761 70 293,627 293,616 293,604 can provide insight indicates?  see "vmq not enabled or network cards not support vmq" in log well. thanks, -beau hi, thanks question. regarding vmq, please refer following , check if vmq enabled. enabling virtual machine queue physical network adapter http://technet.micro

hello, i'd restrict dynamic dns allow domain controllers , possibly member servers dynamically register.  appears done configuring dacl on ad integrated zones.  have specific information on how accomplish this?  documentation have been able find states adjust permissions not go detail far groups remove/add. thanks, dasani using gpo, disable dns client service on machines other ones want register. registration service. you can disable updates completely, , manually create required records. dcs, can use system32\config\netlogon.dns file created on each dc register zone srv records if choose disable updates completely, make sure dcs register srv , other necessary records, can simply turn on updates short period while run ipconfig /all restart netlogon service on dcs, disabled updates. t you can use acl, have extremely careful doing way. have link doc read? if so, please post it.   ace fekay mvp, mct, mcitp ea, mcts windows 2008 & exchange 2007 & exchange

greetings, i administering windows server 2008 r2 @ small school , paying small fortune web content filtering third party firm somewhere in cloud. seeking lot of different ways keep cost down maintaining network additions on own , wondering if knows if ws2008 has built in web content filtering software? have windows firewall advanced security bu don't think can manage web content queries through particular tool. have been looking @ microsoft forefront threat management gateway trying no incurred cost, hence hoping knew way... thanks much hi, thanks posting in windows server forum. you need application-layer firewall can understand traffic flowing through them , allow or deny traffic based on content. however, built-in windows firewall not have feature. , business-oriented firewalls include capability. such tmg have mentioned. cut down cost purpose, can tell windows server 2008 cannot provide function os itself. need choose firewall accept cost. understanding highl

i setup gpo deploy software package. worked fine. received updated .msi , wanted redeploy package. did tasks->redeploy. seemed work fine on machines had package installed. problem machines original package not deployed. i'm getting errors in gp results update cannot run unless installed. thought redeploy install package if wasn't installed. can't rid of on uninstalled machines. unlinked gpo , uninstalled installed machines keeps running , erring on uninstalled machines. questions: 1. normal behavior redeploy? should deploy if not installed , redeploy if installed 2. how gpo off of uninstalled machines? thanks   hello, i agree abhijit. the link new thread: http://social.technet.microsoft.com/forums/en-us/winservergp/thread/478292fb-6f64-47e9-9074-1a22d8412284/#478292fb-6f64-47e9-9074-1a22d8412284 please note applications deployment, better use microsoft configmgr 2007 solution. solution provide use more options in deployment , reporting o

per thread started few days ago, have moved our environment virtual adapter based using vmq , pair of teamed 10gbps ethernet adapters per physical host. (see: https://social.technet.microsoft.com/forums/en-us/4a164894-dcf6-484e-bd32-15179c67f3cd/separation-of-traffic-with-2-x-10gbps-nics?forum=winserverhyperv) i planning roll out vlans @ physical layer , assign each vadapter 1 based on traffic type - however, each adapter has it's own unique subnet (10.0.1.0/24, 10.0.2.0/24, etc.) i'm wondering if there benefit had adding pvlans environment? aside few stragglers, our entire server environment hyper-v/vm based. utilize both iscsi , smb 3.0, again, traffic isolated own ip subnet , i've constrained smb specific pair of vadapters , iscsi vadapter pair. i'd rather not add complexity of physical layer vlans unless there compelling reason so. if don't need added security provided subnets, no, not need add them.  vlan usage has become common people forget networks

hi friends, i m runnign vbscript on windows 2000 server - could tell me method / property check status of service ? thanks. use win32_service wmi class: http://msdn.microsoft.com/en-us/library/aa394418(vs.85).aspx for example: strservice = "servicename" strcomputer = "." set objwmiservice = getobject("winmgmts:\\" & strcomputer & "\root\cimv2") set colitems = objwmiservice.execquery("select * win32_service name='" & strservice & "'",,48) for each objitem in colitems  blstarted = objitem.started  sstatus = objitem.status next wscript.echo "service started: " & blstarted wscript.echo "service status: " & sstatus www.operatingquadrant.com Windows Server  >  Directory Services

hello im trying rdp windows 8 machine using ipv6 windows 2012r2 machine no success getting error: "remote desktop cant find computer "ipv6 address". might mean "ipv6 address" not belong specified network. verify computer name , domain trying connect to" triubleshooting: 1. im able ping client machine target machine using ipv6 address 2. im able telnet from client machine target machine using ipv6 address check port 3389 3. im able rdp target machine using other windows 8 machine client 4. windows firewall set off @ both client , target machines it seems there issue windws 2012 r2 client. any idea? fixed! i installed available windows updates. this solved issue! Windows Server  >  Remote Desktop Services (Terminal Services)

hello, i having strange issue troubles me. have 2 domain controllers (dc1 & dc2). hyper-v hosts (no comments please). use replication between 2 servers vms running on both servers. from time time, replication pauses seems 1 server not able find other server. at same time, active directory gets out of sync. i have noticed happening on dc2. noticed because if change password on of vms, in gets updated on dc1 not on dc2. to work around issue, restart dc2 , works fine. i cannot find why happening. any ideas? thanks! hi, >>  i use replication between 2 servers vms running on both servers. may know means used ad replication or hyper-v replication between vms? >> from time time, replication pauses seems 1 server not able find other server. have tried diagnose related network issues, event logs? best regards, andy please remember mark replies answers if help. if have feedback technet subscriber support, contact tnmff@microsoft.com .

remote desktop manager not showing udp connections on 2012 r2 gateways. udp 3391 enabled , open externally through nat.  i have 2 gateways load balanced using microsoft nlb. udp enabled on both gateways , vip nat'd in firewall 443 , udp 3391 open. have seen randomly udp show in manager, one. expect see http connection along 2 udp connections. is there reason why not seeing udp connections come in, or seeing them randomly? have working on other gateways not load balanced , single gateway instances. doesn't seem related policy or anything. i'm thinking reinstalling ms nlb. hi, firstly, please ensure udp transport enabled within properties of rd gateway server. in addition, may use network monitor further analyze whether udp connections established. best regards, amy please remember mark replies answers if , un-mark them if provide no help. if have feedback technet subscriber support, contact tnmff@microsoft.com.

hello, i've installed "routing , ras" role on 2008 r2 server provide incoming vpn connectivity. working fine. however, when use server manager check best practices on role, following warning: "rras: @ least 1 network interface should enabled rras-server. problem: interfaces on server disabled. solution: activate @ least 1 interface on server." when follow link microsoft's advice pages suggested go network center/adapter settings , enable interface. there 3 interfaces listed there, server's main network connection , 2 outbound vpn connections. 3 enabled. there no "rras interface" there - should be? "route print" on command line list "ras (dial in) interface". what warning trying tell me? regards, angusmac   hi,   i think both practices ok in case since there no explicitly error results ghost nic. if want to clean lingering settings disabled nic, may:     1.     clean registry key removed nic

symptom   your terminal server license server or remote desktop license server issues temporary client access licenses (cals). in system log see event id 17 logged when terminal services licensing/remote desktop licensing service restarted, or when computer restarted. event continues logged after attempt reactivate license server.   event type: warning event source: termservlicensing event category: none event id: 17 date: 3/17/2010 time: 3:14:13 am user: n/a computer: ls01 description: 1 or more terminal server licensing certificates on server ls01 corrupt. terminal server licensing issue temporary licenses until server reactivated. see terminal server licensing topic more information.   after start receiving event id 17, interaction microsoft clearinghouse except reactivation result in error below , license server deactivated. deactivation occur on license servers connected internet have connection method set automatic.    windows server 2008 r2

running windows 10   64 bit   having problems fonts outlook 2016  fonts jagged or broken. issue not limited outlook please help! hi, what font mean in outlook? mean editing font or displaying font? better if share screenshot j agged or broken font. if cannot upload images in forum currently, can share them via onedrive or sending them gbsd tn office information collection ibsofc@microsoft.com . (please include thread url easy follow-up) if it's editing font, font set default font? if try switch font, issue continue? are using high resolution monitor? have tried running repair of office installation see result? convenience: https://support.office.com/en-gb/article/repair-an-office-application-7821d4b6-7c1d-4205-aa0e-a6b40c5bb88b regards, steve fan please remember mark replies answers if helped. if have feedback technet subscriber support, contact tnmff@microsoft.com . Microsoft Off

hi i have domain , forest functional level 2003. can use rds 2016 on these levels? because seem rds have problem claim user cal licence , config rd gatawey. i don't found prereq on functional level, on other side dc running windows server 2003 depreciated... thanks  lot. martin rumpel hi martin, the 2016 per user license tracking/reporting not function if schema hasn't been updated newer version.  @ minimum see errors/warnings on server 2016 rd licensing server.  perhaps if updated schema 2008 r2 or newer work 2003 dcs. what specific issues seeing licensing , configuring rd gateway? please provide ad schema version, operating system version of dcs, , precise errors/warnings/symptoms seeing. thanks. -tp Windows Server  >  Remote Desktop Services (Terminal S

hi guys, in dev environment i've installed following on server2003r2sp2x86: server a: ca + ca web server b: ca web pointing @ server a only problem is, server b can't issue certs or dish out root ca (public) cert. the errors are: issue client auth cert: your request failed. error occurred while server processing request. contact administrator further assistance. request mode: newreq - new request disposition: (never set) disposition message: (none) result: access denied. 0x80070005 (win32: 5) com error info: ccertrequest::submit access denied. 0x80070005 (win32: 5) laststatus: operation completed successfully. 0x0 (win32: 0) suggested cause: certification authority service has not been started. attempt download root ca cert: an unexpected error has occurred: certification authority service has not been started. any ideas? soon'ish craig   can provide more details: what spns did configure? what url did use conn

hi all i remove subtree in xml file. found how remove subtree, not root of subtree here want remove second <disk> ... </disk> data. removeall() removes <disk></disk> tags. how remove theses ? thanks lot ! ml $xml = [xml] @" <?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend">     <settings pass="specialize">         <component name="microsoft-windows-international-core" processorarchitecture="amd64" publickeytoken="31bf3856ad364e35" language="neutral" versionscope="nonsxs" xmlns:wcm="http://schemas.microsoft.com/wmiconfig/2002/state" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance">                 <diskconfiguration>                 <disk wcm:action="add">                     <createpartitions>                     </

hi i getting alert resource account shared mailbox , in disable mode. when open acl editor on resource account, , got advance , single permission,  uncheck , recheck 1 of rights recalculate the  size of ace's correctly allowing sd propagator work.  but error message : ################### --------------------------- windows security --------------------------- unable save permission changes on serviceaccountest.a constraint violation occurred. --------------------------- ok    --------------------------- #################### alert: active directory cannot create new security descriptor source: dc2k8 path: dc2k8.contoso.com last modified by: connector framework alert write action last modified time: 5/10/2015 1:50:07 alert description: security descriptor propagation task not calculate new security descriptor following object. object: cn=serviceaccountest,ou=resource accounts,dc=contoso,dc=com operation tried again later. user a

hi guys i'm attempting to establish trust between 2 forest globomantics.com , verdepetra.com (come trainsignal video training) when put trust name in trust wizard "the local security authority unable connect active directory domain controller tk-dc1-2k8.verdepetra.com. endpoint format invalid" error i'm running 3 virtual machines, 2 dcs globomantics.com , 1 dc verdepetra.com all 3 ip addresses in same range (192.168.5.2 - 4) forest , domain functional levels windows server 2008 r2 also i've created stub zone verdepetra.com in globomantics.com , sounds ok   ok figured out :d i uninstall virtual machine tools , worked fine! Windows Server  >  Windows Server General Forum

hello  i'm migrating file server (windows 2008r2) windows 2012 r2. in 2008r2, data in volume ntfs raid 5. making first tests, use partition on 2012r2 fsms 64k. after test migragação data in 20 gb in size, result strange conform below: windows 2008 r2 size of files = 20.2 gb disk size = 20.5 windows 2012 r2 size of files = 20.2 gb disk size = 46.7 gb partition in windows 2012 r2, 64 kb in size, standard of fsms, not believe "problem" because held double disk space, strange. files of word, excel, pdf , images. me this? thank you mcp - mcts - mcts ad hi, “fsms 64k” means refs format 64k allocation unit? value of “disk size”? best regards, mandy please remember mark replies answers if , unmark them if provide no help. if have feedback technet subscriber support, contact tnmff@microsoft.com. Windows Server

can body informative link on upgrade of windows 7 windows 8 silently? have 100 machines upgraded windows 7 windows 8. views , ideas in concern appreciated. thanks. here "silently" means remotely/automatically/no user action needed, right? if there sccm in organization, can utilize osd feature of sccm. operating system deployment in configuration manager‎   mdt choice. microsoft deployment toolkit Windows Server  >  Setup Deployment

hi experts, can me to solve issue "14 0xe error_outofmemory" on windows 2003 server reboot if possible. configuration of server follows: os: 2003 server 32 bit sp2 ram: 8 gb thanks manoj kr. singh http://manojkrsingh.blogspot.com issue has been solved now. trend officescan causing memory leak. after disabling service, issue resolved. thanks manoj kr. singh Windows Server  >  Windows Server General Forum

system information: windows 2008, sp2 trying run script utilizing robocopy copies files 1 path - script follows: robocopy g:\ftp_data\ g:\archive_share\archive\ /v /s /e /copyall /minage:14 /r:1 /w:30 /log+:c:\scripts\robo-archivelog.txt the script works when run domain administrator, however, account has been granted local administrative rights, receive following error: error : not have manage auditing user right. *****  you need copy auditing information (/copy:u or /copyall). i should mention granted account "manage auditing , security log" through local security policy console. thanks please run whoami /priv , post output. if not see sesecurityprivelege enabled user account, let's 2 things in response.  1. machine has pick new policy if set locally.  can done gpupdate /force or reboot.  2. once machine has applied new policy, user token has recreated updated privelege.  can done several ways easiest log off , on. hth /rich

there shortcut in windows 2008 in start menu called maintenance goes , support. have been trying remove maintenance shortcut using group policy life of me cant find policy this? hi,   you may try use startup script delete maintenance folder start menu folder. here detailed location of start menu: c:\users\%username%\appdata\roaming\microsoft\windows\start menu\programs.   if encounter difficulties when customizing scripts, may submit new question in official scripting guys forum! best resource scripting related issues.   the official scripting guys forum! http://social.technet.microsoft.com/forums/en/itcg/threads   regards, please remember click “mark answer” on post helps you, , click “unmark answer” if marked post not answer question. can beneficial other community members reading thread. Windows Server  > 

hi,   i have question regarding template permissions in single forest multiple domains (common root country specific child domains). i need implement pki solution (preferably standalaone root ca & enterprise subordinate issuing ca) use in only one of country domains without impacting rest of forest , other country domains. i have lab-ed environment , have discovered permissions on security templates in cn=certificate templates,cn=public key services,cn=services,cd=configuration,dc= root_domain, dc= lan either authenticated users or root_domain.lan\global groups .  users , machines in country.root_domain.lan \ global groups .  (these permissions appear on most pki specific containers) the enterprise ca was installed user logged in root_domain with local administrator, (root) domain admin & enterprise admin permissions. is usual behaviour permissions of certificate templates container? how set required permissions domain members enroll templates? can ensure members of country d