[26834] in resnet
Re: Windows 7/2008 not connecting to network...
daemon@ATHENA.MIT.EDU (Rob Whalen)
Wed Oct 12 16:13:02 2011
Message-ID: <022e01cc891a$e7f91ec0$b7eb5c40$@stmarys-ca.edu>
Date: Wed, 12 Oct 2011 13:09:53 -0700
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Rob Whalen <rwhalen@STMARYS-CA.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <04c201cc8918$1cdd0910$56971b30$@edu>
Adeel,
This does not sound like it was due to an update. In fact, all facts point to
a worm or virus. Windows update would not turn off the firewall, but a virus
can. Removing RDP access delays techs from troubleshooting the issue and
perhaps indicates a takeover, so others with that account would be able to
access the box. Modern worms can also use the domain info to direct attacks
or even the user's email. This is where I would start hunting.
Rob
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Adeel
Siddiqui
Sent: Wednesday, October 12, 2011 12:50 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Windows 7/2008 not connecting to network...
We have a strange issue going on our campus that's causing our Windows 7
computers and Windows 2008 servers to completely lose network connectivity.
This is only happening to computers that are connected to the domain.
The issue seems to have started a few weeks ago after the last round of
Windows Updates were installed on those computers. As a result, the Windows
Firewall services and its dependency services all got turned off on those
computers and can't be re-enabled either. Also, RDP access to those
computers won't work either. I suspected a group policy of some sort might
be the cause but we use little to no group policy administration on our
campus at all. Upon further investigation, we found that there seems to be
some cause to this due to some registry permissions that seemed to have
changed after the aforementioned Windows Updates were installed. I have a
feeling that the problem lies with how the computers are authenticating to
the domain, but can't confirm that prognosis.
I've tried everything to fix this issue from changing group policy settings,
to removing/re-adding the computers to the domain. Nothing seems to have
worked permanently or at least completely. We have managed to do some on the
spot MacGyvering to fix the issue (i.e. manually applying administrative
permissions to certain keys in the registry on those computers as suggested
by a few online articles) but they are temporary band-aids at best.
Has anyone else run into this? Any permanent fixes/solutions that you can
suggest?
regards,
Adeel Siddiqui
Network Administrator <http://www.usao.edu/staff/adeel-siddiqui>
Information, Research and Network Services
University of Science and Arts of Oklahoma <http://www.usao.edu/>
Chickasha, OK 73018
(405) 574-1319
asiddiqui@usao.edu
___________________________________________________ You are subscribed to
the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to
http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
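
A read-only triage script for the symptoms discussed in this thread (firewall services stopped, RDP unavailable, registry permissions changed), added here as an example and not written by either poster. The service names `MpsSvc`, `BFE` and `TermService` and the registry paths are assumptions; the thread does not name the services or keys involved.

```powershell
# Added example, not from the thread. Read-only: changes nothing on the host.
# Assumed names: MpsSvc (Windows Firewall), BFE (Base Filtering Engine, which
# MpsSvc depends on), TermService (Remote Desktop Services).
$names = 'MpsSvc', 'BFE', 'TermService'

$report = foreach ($name in $names) {
    $svc   = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $state = 'missing'; $start = 'n/a'; $owner = 'key missing'; $access = ''

    # Service state and start mode as registered with the service manager.
    if ($svc) { $state = $svc.State; $start = $svc.StartMode }

    # Owner and access entries on the service's registry key, for comparison
    # against a known-good machine.
    if (Test-Path $key) {
        try {
            $acl    = Get-Acl -Path $key -ErrorAction Stop
            $owner  = $acl.Owner
            $access = ($acl.Access | ForEach-Object {
                '{0}={1} ({2})' -f $_.IdentityReference, $_.RegistryRights, $_.AccessControlType
            }) -join '; '
        } catch {
            $owner = "unreadable: $($_.Exception.Message)"
        }
    }

    New-Object PSObject -Property @{
        Host = $env:COMPUTERNAME; Service = $name; State = $state
        StartMode = $start; KeyOwner = $owner; KeyAccess = $access
    }
}

# RDP policy switch: 1 means incoming Remote Desktop connections are refused.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$rdpDenied = if ($ts) { $ts.fDenyTSConnections } else { 'value unreadable' }

$report | Select-Object Host, Service, State, StartMode, KeyOwner, KeyAccess | Format-List
"fDenyTSConnections = $rdpDenied"
```

Run it from an elevated prompt on one affected and one healthy domain member and compare the output; differences in key owner or access entries show which permissions changed.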