Thursday, July 31, 2008

Citrix Users Report Login Issue on Unix Workstation

A few days ago, one of our remote Citrix workstation users reported a login issue. Here was the error message displayed on the client interface.

"Your account is configured to prevent you from using this computer."

To fix the issue, I confidently used the "tried and true" procedure described below. At the same time, I was “showing” someone else how to address the issue. I was quite surprised when the procedure didn't work. The registry key values were not displaying in the right pane. The only thing showing up was the tree structure, no data. After awhile, I realized the regedt32 editor was not set to “View->Tree and Data”; it was only set for “View->Tree” structure. After making the trivial adjustment, we ran through the procedure without incident.

Here is the procedure - Source: MS Help and Support

Part 1: Disable the Security Policy
Disable the following Group Policy setting on either the default domain or the domain controller organizational unit:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shut down your system immediately if unable to log security audits
You can find this policy on the default domain policy, default domain controller policy, and local security policy.

Note: After you disable the security policy, you must also remove the security policy registry key.

Back to the top
Part 2: Edit the CrashOnAuditFail Registry Key
1. Click Start, and then click Run.
2. In the Open box, type regedt32.exe, and then click OK.
3. Click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
4. In the right pane, double-click CrashOnAuditFail.
5. In the Value data box, type 0 (zero), and then click OK.
6. Click Start, and then click Run.
7. In the Open box, type secedit /refreshpolicy machine_policy /enforce, and then click OK to apply the new security setting.
8. Restart your server.

Friday, July 25, 2008

System Administrator Appreciation Day

Today is System Administrator Appreciation Day. As SysAdminDay puts it, it is a thankless job for 364 days. You do not receive a lot of attention when things are going well. But when things do go wrong, you do, in deed, receive a lot attention - the type that spikes your stress level. You routinely get those dreaded calls between 12 am and 4 am or on your days off: "I need YOU to come in ASAP!" A lot of people will say that SysAdmins can just work from home. I wish. You can be rest assured that is not always the case or even possible (depending on the type of work).

By the way, you are reading this post because some underappreciated system administrator at Blogger is taking care of the "behind the scenes" activities - Thank you Mr/Ms. SysAd @Blogger.

But when it is all said and done for me, being a SysAdmin is one of the best darn occupations in the world. Frankly speaking, I really can not think of a more interesting profession.

By the way, today, we lost an inspirational leader in the field of computing: Dr. Randy Pausch, "Last Lecture Professor," 1960-2008

Monday, July 21, 2008

Inadvertent Use of Duplicate Group ID

We were trying to limit the number of regular users who could use xterm or cmdtool for security reasons. A user-defined group was created and admins/non-regulars were assigned to it. Unfortunately, the admins/non-regulars were mysteriously denied xterm/cmdtool execution, which definitely was not the desired effect. Permission denied. That feedback was a bit perplexing because the admins/non-regulars were supposeably assigned to the newly created group per niscat. After a little troubleshooting, it was discovered the newly created group ID matched an existing group’s GID in a different name service database. The GID issue was corrected and xterm worked like a champ.

Tuesday, July 15, 2008

UNIX Admin Corner and the IT Island

I thought James Dickens of UNIX Admin Corner wrote a short but interesting post a few days ago. His post was titled "Why is IT such an Island." It was something to ponder regarding the rapidly growing IT community. Personally, I share a similar opinion with Mr. Dickens and felt it was a fair portrayal of the IT community.

Here is an excerpt of his post: "Seems like everywhere I go, people in IT act like they are on an island, they don't attend user groups, Geek/Techy relationships I have with others seem to be rare, they don't visit or much less hang out on irc (.i.e. freenode) most don't follow blogs...Read more plus comments"

I know sites like UNIX Forums are great places to get your tech-related questions answered or simply share your knowledge, but where are the social sites geared to the hard-core UNIX/Technical community. I think it would be beneficial if we had a mybloglog or blogcatalog type site that primarily focused on connecting techies.

Presumably some would say large social behemoths such as facebook (general) or linkedin (general professional-oriented) already fill that niche by having user-defined techie groups. That might be true but I think most techies join those groups as a side note. I do.