Active Directory

How to build your own Self service portal 2

A collegae asked me if it was possible for end users to change their passwords themself.

Ofcourse there are several commerical tools (like manageengine) which allows users to change their passwords but they are not cheap and licensed by the number of end users. (In my case > 2000 users)

First I used the IISADMPWD method from Server 2003 IIS but I found a better method. I used RD Web Access to provide the end users a way to self service their password.

First install the RD Web Access component :

  • Add Roles and Features
  • Choose Remote Desktop Services installation
  • Standard Deployment
  • Choose Session-based desktop deployment



Now configure IIS :

  • IIS Manager
  • Right click RDWeb
  • Configure application Settings and enable PasswordChangeEnabled true

Now you can go to the following address :



Make sure you protect this webpage using a SSL certificate.

Unable to manually install Windows Updates (WSUS)

Sometimes you don’t want to wait/rely to your WSUS environment for specific updates.

But when you try to install updates manually you might notice the following message :

windows updates before

It’s easy to go around this, you copy/paste the following code into a reg file :

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] “NoDriveTypeAutoRun”=dword:00000095 “NoWindowsUpdate”=dword:00000000 “NoAutoUpdate”=dword:00000001

When you apply the above regfile and go to windows updates you notice that updates are possible again :

windows updates after

Exchange 2010/2013 : Unable to find schema master

Some time ago I ran into an error while installing Exchange. It seems this problem also occurs when upgrading/installing an Exchange Server service pack. This is how to fix this problem :

First go to the (root) domain controller and register the schema extension :

regsvr32 schmmgmt.dll

Now load the plugin by starting mmc and adding the extension

Now right-click the Active Directory Schema en select Change Active Directory Domain Controller. (Choose the domain controller you wish to transfer the schema role to)


Hit ok when you receive the read-only warning.

Now select Change Schema Master and hit Change.


Solved : The publiser could not be verified problem

Some time ago I ran into a problem while opening a application on a Windows DFS share :


All the standard solutions, like internet explorer intranet zones etc. didn’t work.

After some troubleshooting I found out the following group policy setting fixed my issue :



User configuration/administrative templates/windows components/attachment manager

Add the extensions (*.exe, *.mdb etc) of the file’s you wish to open.

The problem should be solved right now.

Windows 2008 profile problem (fixed)

A customer had a problem that a virusscanner didn’t like a executable on the desktop and therefore somehow refused access to the user’s profile. The user decided to remove his profile (all the files in c:\users\<user>) and tried to logon. The user noticed that each time a temporary profile was created.

The solution was as follows :

Open regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList


When you click on a SID you see which user this is.


As you notice, there are 2 identifiers. One with the extension .bak and one without. Remove the one without the .bak and remove the .bak extension from the other.

Now my customer was able to login with a clean profile.

Howto : quickly check domain health

Before I upgrade a domain I usually check for problems and issues. I use the following steps to give me an idea of the status :

dcdiag /v

(Check DC en services)

netdiag /v

Check networking components

netsh dhcp show server

Show DHCP status

repadmin /showreps

Show all replication between sites

repadmin /replsum /errorsonly

Show replication issues

When you perform the steps mentioned and you didn’t ran into several errors than you have probably nothing to worry about. 🙂