Your security profile does not include permission to refresh or refreshing data: c3_core_error_en_504


I developed Web Intelligence reports but faced a security issue when retrieving data based on the logged-in user. With the Administrator user I was able to see all records, but when I tested the report with a different user I got different types of error messages. I searched a lot on the internet but was unable to find a proper answer. After trying permutations and combinations of permissions, my reports now work fine with other users too. Here is how to assign permissions to avoid the following errors:

  1. your security profile does not include permission to refresh

  2. c3_core_error_en_504


    Log in to the Central Management Console (CMC). As per my understanding, we have to assign permissions as marked in the snapshots below.

    1. Assign permission to folders.
      In my case I created a “custom reports” folder and put all custom reports under it.

      If the user has only View permission or No Access on the folder, as shown below, they will receive the error message “your security profile does not include permission to refresh”.

      Make sure Everyone has “View on Demand” permission on the custom report folder.

      With the above permission the reports work fine.

    2. Assign permission to Universe

      Select “Universes”

      Select Manage -> Top-Level Security -> All Universes

      Make sure Everyone has “View on Demand” access to universes.

    3. Assign permission to Connections.

      Select Connections

      Select Manage -> Top-Level Security -> All Connections

      Make sure Everyone has “View on Demand” access to Connections.

    4. Assign permission to Applications.

      Select the “Web Intelligence” application -> Manage -> User Security

      Make sure Everyone has “View” access to Web Intelligence.

Deploying Group Policy Security Update MS16-072 \ KB3163622


This post was written to provide guidance and answer questions administrators need in order to deploy the newly released security update, MS16-072, which addresses a vulnerability. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine on domain-joined Windows computers.

The table below summarizes the KB article number for the relevant Operating System:




Article # | Title | Context / Synopsis
MSKB 3163622 | MS16-072: Security Updates for Group Policy: June 14, 2016 | Main article for MS16-072
MSKB 3159398 | MS16-072: Description of the security update for Group Policy: June 14, 2016 | MS16-072 for Windows Vista / Windows Server 2008, Windows 7 / Windows Server 2008 R2, Windows Server 2012, Windows 8.1 / Windows Server 2012 R2
MSKB 3163017 | Cumulative update for Windows 10: June 14, 2016 | MS16-072 for Windows 10 RTM
MSKB 3163018 | Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016 | MS16-072 for Windows 10 1511 + Windows Server 2016 TP4
MSKB 3163016 | Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016 | MS16-072 for Windows Server 2016 TP5
TN: MS16-072 | Microsoft Security Bulletin MS16-072 – Important |

Overview of changes in MS16-072

What does this security update change?

The most important aspect of this security update is to understand the behavior changes affecting the way User Group Policy is applied on a Windows computer. MS16-072 changes the security context with which user group policies are retrieved. Traditionally, when a user group policy is retrieved, it is processed using the user’s security context.

After MS16-072 is installed, user group policies are retrieved by using the computer’s security context. This by-design behavior change protects domain joined computers from a security vulnerability.

When a user group policy is retrieved using the computer’s security context, the computer account will now need “read” access to retrieve the group policy objects (GPOs) needed to apply to the user.

Traditionally, all group policies were read if the “user” had read access, either directly or by being part of a domain group, e.g. Authenticated Users.

What do we need to check before deploying this security update?

As discussed above, by default “Authenticated Users” have “Read” and “Apply Group Policy” on all Group Policy Objects in an Active Directory Domain.

Below is a screenshot from the Default Domain Policy:

If permissions on the Group Policy Objects in your Active Directory domain have not been modified and are using the defaults, and as long as Kerberos authentication is working fine in your Active Directory forest (i.e. there are no Kerberos errors visible in the System event log on client computers while accessing domain resources), there is nothing else you need to verify before you deploy the security update.

In some deployments, administrators may have removed the “Authenticated Users” group from some or all Group Policy Objects (Security filtering, etc.)

In such cases, you will need to make sure of the following before you deploy the security update:

  1. Check whether the “Authenticated Users” group read permissions were removed intentionally by the admins. If not, then you should probably add them back. For example, if you do not use any security filtering to target specific group policies to a set of users, you could add “Authenticated Users” back with the default permissions as shown in the example screenshot above.
  2. If the “Authenticated Users” permissions were removed intentionally (security filtering, etc), then as a result of the by-design change in this security update (i.e. to now use the computer’s security context to retrieve user policies), you will need to add the computer account retrieving the group policy object (GPO) to “Read” Group Policy (and not “Apply group policy“).

    Example Screenshot:

In the above example screenshot, let’s say an Administrator wants “User-Policy” (Name of the Group Policy Object) to only apply to the user with name “MSFT Ajay” and not to any other user, then the above is how the Group Policy would have been filtered for other users. “Authenticated Users” has been removed intentionally in the above example scenario.

Notice that no other user or group has “Read” or “Apply Group Policy” permissions other than the default Domain Admins and Enterprise Admins. These groups do not have “Apply Group Policy” by default, so the GPO would not apply to the users of these groups and applies only to user “MSFT Ajay”.

What will happen if there are Group Policy Objects (GPOs) in an Active Directory domain that are using security filtering as discussed in the example scenario above?

Symptoms when you have security filtering Group Policy Objects (GPOs) like the above example and you install the security update MS16-072:

  • Printers or mapped drives assigned through Group Policy Preferences disappear.
  • Shortcuts to applications on users’ desktop are missing
  • Security filtering group policy does not process anymore
  • You may see the following change in gpresult: Filtering: Not Applied (Unknown Reason)
  • If you are using Folder Redirection and the Folder Redirection group policy removal option is set to “Redirect the folder back to the user profile location when policy is removed,” the redirected folders are moved back to the client machine after installing this security update

What is the Resolution?

Simply adding the “Authenticated Users” group with the “Read” permissions on the Group Policy Objects (GPOs) should be sufficient. Domain Computers are part of the “Authenticated Users” group. “Authenticated Users” have these permissions on any new Group Policy Objects (GPOs) by default. Again, the guidance is to add just “Read” permissions and not “Apply Group Policy” for “Authenticated Users”

What if adding Authenticated Users with Read permissions is not an option?

If adding “Authenticated Users” with just “Read” permissions is not an option in your environment, then you will need to add the “Domain Computers” group with “Read” Permissions. If you want to limit it beyond the Domain Computers group: Administrators can also create a new domain group and add the computer accounts to the group so you can limit the “Read Access” on a Group Policy Object (GPO). However, computers will not pick up membership of the new group until a reboot. Also keep in mind that with this security update installed, this additional step is only required if the default “Authenticated Users” Group has been removed from the policy where user settings are applied.

Example Screenshots:

Now in the above scenario, after you install the security update, as the user group policy needs to be retrieved using the system’s security context, (domain joined system being part of the “Domain Computers” security group by default), the client computer will be able to retrieve the user policies required to be applied to the user and the same will be processed successfully.

How to identify GPOs with issues:

In case you have already installed the security update and need to identify the Group Policy Objects (GPOs) that are affected, the easy way is to run gpupdate /force on a Windows client computer, then run gpresult /h new-report.html, open new-report.html and review it for errors like: “Reason Denied: Inaccessible, Empty or Disabled”.

What if there are lot of GPOs?

A script is available which can detect all Group Policy Objects (GPOs) in your domain that may have the “Authenticated Users” group missing “Read” permissions.
You can get the script from here:


  • The script can run only on Windows 7 and above Operating Systems which have the RSAT or GPMC installed or Domain Controllers running Windows Server 2008 R2 and above
  • The script works in a single domain scenario.
  • The script will detect all GPOs in your domain (Not Forest) which are missing “Authenticated Users” permissions & give the option to add “Authenticated Users” with “Read” Permissions (Not Apply Group Policy). If you have multiple domains in your Active Directory Forest, you will need to run this for each domain.
    • Domain Computers are part of the Authenticated Users group
  • The script can only add permissions to the Group Policy Objects (GPOs) in the same domain as the context of the current user running the script. In a multi domain forest, you must run it in the context of the Domain Admin of the other domain in your forest.
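As an added example (not the script the post links to, which is not reproduced here), the following PowerShell uses the GroupPolicy module that ships with RSAT/GPMC to list the GPOs in the current domain on which neither “Authenticated Users” nor “Domain Computers” holds at least Read, and, when run with -Fix, grants “Authenticated Users” GpoRead only (not GpoApply), which is the resolution described above. It only checks the current domain, and it supports -WhatIf so you can preview the change first.

```powershell
# Added example: report GPOs in the current domain where neither "Authenticated Users"
# nor "Domain Computers" can read the GPO (the post-MS16-072 requirement), and
# optionally grant "Authenticated Users" Read only. Requires the GroupPolicy module
# (RSAT/GPMC) and rights to read (and, with -Fix, modify) GPO security.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Fix the script only reports; with -Fix it adds GpoRead (never GpoApply).
    [switch]$Fix
)

Import-Module GroupPolicy -ErrorAction Stop

# Any of these permission levels includes the ability to read the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
# Either trustee satisfies the computer account, since Domain Computers is a
# member of Authenticated Users.
$readers = 'Authenticated Users', 'Domain Computers'

function Test-GpoComputerRead {
    param([Microsoft.GroupPolicy.Gpo]$Gpo)
    # -All returns every access entry on the GPO, including inherited ones.
    $acl = Get-GPPermission -Guid $Gpo.Id -All -ErrorAction Stop
    foreach ($ace in $acl) {
        if ($ace.Denied) { continue }
        if ($readers -contains $ace.Trustee.Name -and
            $readLevels -contains [string]$ace.Permission) {
            return $true
        }
    }
    return $false
}

$affected = foreach ($gpo in Get-GPO -All) {
    if (-not (Test-GpoComputerRead -Gpo $gpo)) { $gpo }
}

if (-not $affected) {
    Write-Host 'All GPOs grant Read to Authenticated Users or Domain Computers.'
    return
}

Write-Host 'GPOs missing Read for Authenticated Users / Domain Computers:'
$affected | Select-Object DisplayName, Id, GpoStatus | Format-Table -AutoSize

if ($Fix) {
    foreach ($gpo in $affected) {
        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant 'Authenticated Users' GpoRead")) {
            # GpoRead only: a security-filtered GPO keeps applying just to its intended users.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
    }
}
```

Save it as a .ps1 and run it once without -Fix to review the list, then with -Fix -WhatIf, then with -Fix; in a multi-domain forest run it once per domain, as the post notes for its own script.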

Sample Screenshots when you run the script:

In the first sample screenshot below, running the script detects all Group Policy Objects (GPOs) in your domain which has the “Authenticated Users” missing the Read Permission.

If you hit “Y”, you will see the below message:

What if there are AGPM managed Group Policy Objects (GPOs)?

Follow the steps below to add “Authenticated Users” with Read Permissions:

To change the permissions for all managed GPO’s and add Authenticated Users Read permission follow these steps:

Re-import all Group Policy Objects (GPOs) from production into the AGPM database. This will ensure the latest copy of production GPO’s.

Add either “Authenticated Users” or “Domain Computers” the READ permission using the Production Delegation Tab by selecting the security principal, granting the “READ” role then clicking “OK”

Grant the selected security principal the “Read” role.

Delegation tab depicting Authenticated Users having the READ permissions.

Select and Deploy GPOs again:
Note: To modify permissions on multiple AGPM-managed GPOs, use Shift+click or Ctrl+click to select multiple GPOs at a time, then deploy them in a single operation.
Ctrl+A does not select all policies.

The targeted GPOs now have the new permissions when viewed in AD:

Below are some Frequently asked Questions we have seen:

Frequently Asked Questions (FAQs):

Q1) Do I need to install the fix on only client OS? OR do I also need to install it on the Server OS?

A1) It is recommended you patch Windows and Windows Server computers which are running Windows Vista, Windows Server 2008 and newer Operating Systems (OS), regardless of SKU or role, in your entire domain environment. These updates only change behavior from a client (as in “client-server distributed system architecture”) standpoint, but all computers in a domain are “clients” to SYSVOL and Group Policy, even the Domain Controllers (DCs) themselves.

Q2) Do I need to enable any registry settings to enable the security update?

A2) No, this security update will be enabled when you install the MS16-072 security update; however, you need to check the permissions on your Group Policy Objects (GPOs) as explained above.

Q3) What will change in regard to how group policy processing works after the security update is installed?

A3) Prior to the installation of MS16-072, the connection to the Windows domain controller (DC) to retrieve user policy is made under the user’s security context. With this security update installed, Windows group policy clients will instead use the local system’s security context, therefore forcing Kerberos authentication.

Q4) We already have the security update MS15-011 & MS15-014 installed which hardens the UNC paths for SYSVOL & NETLOGON & have the following registry keys being pushed using group policy:

  • RequirePrivacy=1
  • RequireMutualAuthentication=1
  • RequireIntegrity=1

Should the UNC Hardening security update with the above registry settings not take care of this vulnerability when processing group policy from the SYSVOL?

A4) No. UNC Hardening alone will not protect against this vulnerability. In order to protect against this vulnerability, one of the following scenarios must apply: UNC Hardened access is enabled for SYSVOL/NETLOGON as suggested, and the client computer is configured to require Kerberos FAST Armoring

– OR –

UNC Hardened Access is enabled for SYSVOL/NETLOGON, and this particular security update (MS16-072 \ KB3163622) is installed.

Q5) If we have security filtering on Computer objects, what change may be needed after we install the security update?

A5) Nothing will change in regard to how Computer Group Policy retrieval and processing works.

Q6) We are using security filtering for user objects and after installing the update, group policy processing is not working anymore

A6) As noted above, the security update changes the way user group policy settings are retrieved. The reason group policy processing fails after the update is installed is that you may have removed the default “Authenticated Users” group from the Group Policy Object (GPO). The computer account now needs “Read” permissions on the Group Policy Object (GPO). You can add the “Domain Computers” group with “Read” permissions on the Group Policy Object (GPO) so the computer is able to retrieve the list of GPOs to download for the user.

Example Screenshot as below:

Q7) Will installing this security update impact cross forest user group policy processing?

A7) No, this security update will not impact cross forest user group policy processing. When a user from one forest logs onto a computer in another forest and the group policy setting “Allow Cross-Forest User Policy and Roaming User Profiles” is enabled, the user group policy during the cross forest logon will be retrieved using the user’s security context.

Q8) Is there a need to specifically add “Domain Computers” to make user group policy processing work or adding “Authenticated Users” with just read permissions should suffice?

A8) Yes, just adding “Authenticated Users” with Read permissions should suffice. If you already have “Authenticated Users” added with at least Read permissions on a GPO, there is no further action required. “Domain Computers” are by default part of the “Authenticated Users” group and user group policy processing will continue to work. You only need to add “Domain Computers” to the GPO with Read permissions if you do not want to give “Authenticated Users” “Read”.

Bulk Import Contacts to Office 365 Global Address List


You may have noticed that the Office 365 portal doesn’t offer you a way to easily import a list of contacts into your company’s Global Address List (GAL). In order to bulk import contacts, you would need to use PowerShell. Here are instructions on how to use PowerShell.

Gathering Contacts

1. Download this External Contacts CSV and open it up in a program like Excel.

2. Delete the sample data.

3. Collect your contact data and fill out the columns. You must provide an email address for each contact. If any of your contacts do not have an email address, do not add them to this list because they cannot be imported. It’s recommended that you fill out these columns for each contact.

  • ExternalEmailAddress
  • Name
  • FirstName
  • LastName

4. The other columns are optional. If any column is left blank, it will not be imported into the GAL.

Set up PowerShell 3.0

If you haven’t used PowerShell before, we will first need to configure your computer to use PowerShell with Office 365. If you have Windows 8, Windows 8.1, or Windows server 2012, you can start on step 3.

1. Install Microsoft .NET Framework 4.0 or Microsoft .NET Framework 4.5. You don’t need to install both.

2. Install Windows Management Framework 3.0.

3. Click on the Start icon on your desktop and search for “PowerShell”.

4. Right click on “Windows PowerShell” and select “Run as administrator”.

5. In the PowerShell window, type this command

Set-ExecutionPolicy RemoteSigned

6. When asked if you want to change the execution policy, type “Y” and then press the “Enter” key.

For more detailed information, click here.

Import Contacts with PowerShell

1. Click on the Start icon on your desktop and search for “PowerShell” and click on it to open PowerShell.

2. Type in this command and enter in your Office 365 Global Admin credentials.

$Cred = Get-Credential

3. Type in this line to create your remote session to Office 365.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Cred -Authentication Basic -AllowRedirection

4. Type in this line to start the session.

Import-PSSession $Session

5. If you do not get any errors running the above lines, you are finally connected to Office 365 with PowerShell. We can now start importing the contacts.

6. Rename the CSV file to something simpler like “ExternalContacts.csv” and place the file in C:\.

7. Type in this command to create the contacts with basic information.

Import-Csv C:\ExternalContacts.csv|%{New-MailContact -Name $_.Name -DisplayName $_.Name -ExternalEmailAddress $_.ExternalEmailAddress -FirstName $_.FirstName -LastName $_.LastName}

8. Now that the contacts have been created, we will run these two commands to fill in the rest of the information.

$Contacts = Import-CSV C:\ExternalContacts.csv

$contacts | ForEach {Set-Contact $_.Name -StreetAddress $_.StreetAddress -City $_.City -StateorProvince $_.StateorProvince -PostalCode $_.PostalCode -Phone $_.Phone -MobilePhone $_.MobilePhone -Pager $_.Pager -HomePhone $_.HomePhone -Company $_.Company -Title $_.Title -OtherTelephone $_.OtherTelephone -Department $_.Department -Fax $_.Fax -Initials $_.Initials -Notes $_.Notes -Office $_.Office -Manager $_.Manager}
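As an added variant of steps 7 and 8 (example code, not from the original post), this script imports the same C:\ExternalContacts.csv in one pass: it skips rows without an ExternalEmailAddress, reuses a contact that already exists so the script can be re-run safely, and passes only the optional columns that are actually filled in, so blank cells are never written into the GAL. It assumes the Exchange Online session from steps 2 to 4 is already imported, and that a contact can be looked up by its external address (an assumption of this example).

```powershell
# Added example: one-pass import of the contacts CSV from the post, skipping rows
# with no email address and setting only the optional fields that are filled in.
# Assumes Import-PSSession has already loaded the Exchange Online cmdlets.
$csvPath = 'C:\ExternalContacts.csv'

# Optional columns from the CSV that map 1:1 onto Set-Contact parameters.
$optional = 'StreetAddress', 'City', 'StateorProvince', 'PostalCode', 'Phone',
            'MobilePhone', 'Pager', 'HomePhone', 'Company', 'Title', 'OtherTelephone',
            'Department', 'Fax', 'Initials', 'Notes', 'Office', 'Manager'

function Get-FilledProperties {
    # Returns a hashtable containing only the listed columns that are non-blank on
    # this CSV row, ready to be splatted onto Set-Contact.
    param($Row, [string[]]$Columns)
    $props = @{}
    foreach ($c in $Columns) {
        $v = $Row.$c
        if (-not [string]::IsNullOrWhiteSpace($v)) { $props[$c] = $v.Trim() }
    }
    return $props
}

foreach ($row in Import-Csv -Path $csvPath) {
    if ([string]::IsNullOrWhiteSpace($row.ExternalEmailAddress)) {
        # The post's rule: a contact without an email address cannot be imported.
        Write-Warning "Skipping '$($row.Name)': no ExternalEmailAddress."
        continue
    }

    # Re-run safety: look the contact up by external address before creating it
    # (assumption: the address uniquely identifies the mail contact).
    $existing = Get-MailContact -Identity $row.ExternalEmailAddress -ErrorAction SilentlyContinue
    if (-not $existing) {
        $new = @{
            Name                 = $row.Name
            DisplayName          = $row.Name
            ExternalEmailAddress = $row.ExternalEmailAddress
            FirstName            = $row.FirstName
            LastName             = $row.LastName
        }
        New-MailContact @new | Out-Null
        Write-Host "Created contact '$($row.Name)'."
    }

    # Step 8 equivalent, but only for the columns that have a value.
    $extra = Get-FilledProperties -Row $row -Columns $optional
    if ($extra.Count -gt 0) {
        Set-Contact -Identity $row.Name @extra
    }
}
```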

How to Plan Your Entire Day


You understand how dreadfully monotonous it is, if you’ve previously been a part of a market which can be afflicted by a serious dialog. Regrettably, you can not move out of the lounge, or is it possible to sleep and neither is it possible to employ your cellular phone for amusement. By choosing up a unplanned theme that may retain your attendees employed till the last expression eliminate many of these troubles. Such matters that were funny are experienced every individual and by each. Since many of the problem is straight out of your creativity, these improvised functions don’t get much work. Continue reading

Meru – Upgrading the controllers running an Nplus1 (N+1) setup



CLI Steps:

STEP 1: Stop Nplus1 on the Slave controller

“configure terminal”

“nplus1 stop”

STEP 2: Stop Nplus1 on the Master controllers

“configure terminal”

“nplus1 stop”

STEP 3: Verify in the release notes of the proposed upgrade version if it is supported to directly upgrade to that version, from the current firmware version on the controller.

STEP 4: Start tftp server on host machine with access to the controller CLI

STEP 5: type “copy tftp://x.x.x.x/filename .” where x.x.x.x is the IP address of the tftp server and filename is the name of the new firmware code file to be transferred. Make sure there is a period (.) at the end of the command, as shown above.

STEP 6: After successful transfer of the new code onto the controller, type “show flash” to verify that the new code is available on the controller.

STEP 7: type “configure terminal”

STEP 8: type “auto-ap-upgrade disable”

STEP 9: type “exit”

STEP 10: type “upgrade system xxxx” where xxxx is the name of the new firmware code to which the controller has to be upgraded.

STEP 11: The controller will upgrade the APs first, and then upgrade itself, after which the controller will reboot and come online with the new firmware code.

STEP 12: type “configure terminal”

STEP 13: type “auto-ap-upgrade enable”

STEP 14: type “exit”

STEP 15: type “show controller” to view the controller firmware version.

STEP 16: Start Nplus1 on the Master controllers

“configure terminal”

“nplus1 start master”

STEP 17: Start Nplus1 on the Slave controller

“configure terminal”

“nplus1 start slave”

TEST RESULTS: Nplus1 must always be stopped on the slave controller first, and then the master controllers.

LIMITATIONS IF ANY: If there are a large number of APs on the network, it may take several minutes for the controller to upgrade these APs before upgrading itself and rebooting.


Since the upgrade Windows Server 2012 to Windows Server 2012 R2 a couple of days ago, I started receiving the following:

Server Manager:  Under Manageability – Online- Data retrieval failures occurred

I was able to drill down a bit more by clicking notifications at the top right of server manager and under task details this is the detailed message received:

(Computer Name):  Configuration refresh message:  The system cannot access one or more event logs because of insufficient rights, file corruption, or other reasons.  For more information, see the Operation channel in the ServerManager-ManagementProvider error log on the target server.

When I go to the Applications and Services Logs, Microsoft, Windows, ServerManager-ManagementProvider, Operational in the Event Log, These are some of the alerts I am receiving:

Failed to query the results of bpa xpath: Microsoft/Windows/CertificateServices:$reports$\$latestreport$\Discovery.xml:$creationtime$. error: The system cannot find the file specified., last error: The system cannot find the path specified..

Failed to query the results of bpa xpath: Microsoft/Windows/CertificateServices:$reports$\*\Result.xml:/ResultDatabase/Result. error: A device attached to the system is not functioning., last error: The system cannot find the path specified..

Failed to query the results of bpa xpath: Microsoft/Windows/CertificateServices:$reports$\*\Result.xml:/ResultDatabase/Result. error: A device attached to the system is not functioning., last error: The system cannot find the path specified..

Failed to query the results of bpa xpath: Microsoft/Windows/MSMQ:$reports$\*\Result.xml:/ResultDatabase/Result. error: A device attached to the system is not functioning., last error: The system cannot find the path specified..

Failed to query the results of bpa xpath: Microsoft/Windows/MSMQ:$reports$\*\Result.xml:/ResultDatabase/Result. error: A device attached to the system is not functioning., last error: The system cannot find the path specified..

Failed to query the results of bpa xpath: Microsoft/Windows/WebServer:$reports$\*\Result.xml:/ResultDatabase/Result. error: A device attached to the system is not functioning., last error: The system cannot find the path specified..

Failed to query the results of bpa xpath: Microsoft/Windows/FileServices:$reports$\$latestreport$\Discovery.xml:$creationtime$. error: The system cannot find the file specified., last error: The system cannot find the path specified..

I am signed on as the administrator of the domain.  This only happened after the upgrade to 2012 RTM R2.  This message is in regards to the local server, not remote servers in the domain as I have read in other posts.


Generic failure querying the localized name for channel: Microsoft-Windows-DxpTaskRingtone/Analytic [hResult = Function failed during execution., hLastResult = The system cannot find the file specified.].

Looking at the log in Applications and Services Logs, Microsoft, Windows, DxpTaskRingtone/Analytic, it can’t open the log file. Note: this was listed exactly as typed even though it should have been Applications and Services Logs, Microsoft, Windows, DxpTaskRingtone, Analytic. I looked for the log file and sure enough it was not there. I looked at the registry entry:


I compared this to other entries and didn’t see any corruption. Looking at the Isolation and Type of other entries this should not even show up in the event log. I edited the name of the key and sure enough it disappeared from the event log. I changed the name back and it was still gone. I refreshed my Server Manager and still saw red. Just for shits and giggles I backed up the key and deleted it. With the key gone the server manager refreshes without error and all of my manageability icons are green.




Many times we come across a situation where our SM59 RFC connection SAPOSS, or other connections related to SAPNet, is not working, most of the time due to a wrong password, which we can easily correct with the correct logon data, which is as follows (SAP Note 182308):
Language    EN
Client      001
User        OSS_RFC
Password    CPIC


But this is not what I wanted to discuss here. Here we will check the firewall connection and how to create these RFC connections automatically.

Before we proceed, it is very important to maintain the correct hostname (use the FQDN) and its correct IP, which must be reachable from outside your customer network.

So double-checking it is the best idea.

Scenario 1

In the OSS1 screen above, we have the SAProuter 1 and SAProuter 2 entries filled in. Filling in the SAProuter 1 and SAProuter 2 entries is not mandatory for your OSS connection in SM59 to work, BUT the connection from your server’s firewall to the SAPNet firewall must be allowed.


Let’s move to this scenario, where both the SAProuter 1 and SAProuter 2 entries are filled with your customer hosts on which saprouter is configured.

For discussion’s sake, let’s assume the server name is “C”, where you are executing the OSS1 tcode, and the two other servers are host A and host B as mentioned in the figure.


The flow will be C -> A -> B -> SAPNet

1. Login to server C and check the port

telnet <A IP/hostname> 3299

You should get a response like the one below.


2. Again, log in to host A and check the port

telnet <B IP/hostname> 3299


Now we will check in the reverse direction, for the incoming flow

B -> A -> C


1. Log in to host B and check the port for A

telnet <A IP/hostname> 3299


2. Log in to host A and check the port for C. Here you have to check for your application instance number; if it is, let’s say, 40, then

telnet <C IP/hostname> 3240


If any of the above telnet checks is not working, get in touch with your client network/firewall team and request them to open the port.


In this scenario, we noticed that SAProuter 2 is the router responsible for the first entry point from outside your client network, which means the firewall at host B should be open for SAPNet to enter. At the same time, if it was not done earlier, you have to get in touch with the SAPNet network team and request them, with the help of an OSS message, to allow entry for your host A.


Scenario 2

When we fill in SAProuter 1 only, and not SAProuter 2:

This means that in the client network host A will be the entry/exit point and your application servers will communicate with SAPNet like this:

C -> A -> SAPNet

You have to check your firewall accordingly.


Note 35010 – Service connections: Composite note (overview)


If all these firewall checks work fine, then delete all RFC connections related to SAPNet and recreate them as follows (SAP Note 812386):

1. Transaction OSS1 ->Parameters -> Technical settings -> Change mode -> Save. The SAPOSS destination can only be updated by saving.

2. Create the RFC destinations again:


  • Use the following path to create SAPNET_RTCC: SE38 -> RTCCTOOL -> list -> Refresh from SAPNet
  • Use the following path to create SAPNET_RFC: SDCC -> Maintenance -> Refresh -> Session overview
  • SDCC_OSS is created initially when you activate SDCCN. If you then want to create a new copy of SAPOSS, use the following path: SDCCN -> Goto -> Settings -> Task specific -> RFC destinations -> Change mode -> ‘Create destination to SAPNet R/3 Frontend’


Check out this wiki for more insight about saprouter at SAPNet.


Hope this will be of help to some of us.

Central user administration configuration in a landscape


Here is the procedure for Central User Administration (CUA) configuration in a landscape:
1) Create logical systems for all clients in the landscape using BD54 or SALE, whichever is comfortable.
2) Attach the logical systems to the clients using the same transaction.
3) Create RFC connections to the relevant systems with the same name as the logical system name.
If your logical system name is SIDCLNT100 for DEV, then create the RFC connection to DEV with the same name, SIDCLNT100.
4) Let us suppose your central system is DEVCLNT100 and the child system is QUACLNT200.
5) Create user CUA_DEV_100 in the devclnt100 system.
6) Create user CUA_QUA_200 in the quaclnt200 system.
Create RFCs to the child systems from the central system and from the child systems to the central system.
7) Now log on to the central system and execute tcode SCUA to configure CUA.
Enter the name of the distribution model: CUA
Press Create.
Enter all child system RFCs.
Save your entries; the result screen will now appear.
If you expand the nodes for the individual systems, you normally see the following messages for each system: “ALE distribution model was saved”, “Central User Administration activated” and “Text comparison was started”. If problem messages are displayed here, follow the procedure in SAP Note 333441.
8) Setting the parameters for field distribution: enter tcode SCUM in the central system and the following screen will appear. Now maintain your field distribution and save it.
You can use transaction SUCOMP to administer company address data.
You can use transaction SCUG in the central system to perform the synchronization activities between the central system and the child systems by selecting your child system on the initial screen of transaction SCUG and then choosing Synchronize Company Addresses in the Central System.
After you have synchronized the company addresses, you can transfer the users from the newly connected child systems to central administration. This is done, as with the synchronization of the company addresses, using transaction SCUG in the central system. To do this, on the initial screen of transaction SCUG, select your child system and choose the Copy Users to the Central System button.
You can use the report RSCCUSND from the central system of Central User Administration (CUA) to synchronize the master data of selected users with a child system of the CUA. The report sends the master data (including role and profile assignments) to a child system of the CUA.

If master data exists in the child system for the user sent, it is overwritten.
1. Start report RSCCUSND (for example, using transaction SA38).
2. In the Receiving System field, specify the child system to which you want to send the user data.
3. You can use the fields User and User Group to restrict the number of users.
4. Specify the data that you want to distribute under Distribution Options.
5. Choose Execute.

Configure SQL Server Database Mirroring Using SSMS


My test environment consists of two separate VMs running in VM Workstation with Windows 2008 R2 Datacenter Edition and SQL Server 2008 R2 Enterprise, named appropriately Principal and Mirror. The SQL Server and SQL Server Agent service accounts are running as domain users (DOMAIN\User). Windows Firewall is OFF for the sake of this example; in a real deployment leave it on and allow only the mirroring endpoint port (5022 below) between the two partners.

I created a database on the Principal SQL Server instance and named it TestMirror. The recovery model is set to FULL RECOVERY.

1st step: Issue a full backup of the database.

BACKUP DATABASE TestMirror TO DISK = 'C:\Program Files\Microsoft SQL


2nd step: Issue a transaction log backup of the database.

BACKUP LOG TestMirror TO DISK = 'C:\Program Files\Microsoft SQL


Below are the two files in the file system:

3rd step: Assuming you have the backup folder shared on the Principal server and you can access it from the Mirror server, restore the full backup on the Mirror server with the NORECOVERY option (the database must stay in a restoring state so it can receive the log stream):

RESTORE DATABASE TestMirror FROM DISK = N'\\Principal\Backup\Backup.bak'
WITH FILE = 1,
     MOVE N'TestMirror_log' TO N'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\TestMirror_1.ldf',
     NORECOVERY;


4th step: Restore the log backup, also with the NORECOVERY option.

RESTORE LOG TestMirror FROM DISK = N'\\Principal\Backup\Backup.trn'
WITH NORECOVERY;



Now it’s time to dig down and configure Database Mirroring. From the Principal server, right click the database and choose “Tasks” | “Mirror” or choose “Properties” | “Mirroring”.

Click the “Configure Security” button and click “Next >” if the Configure Database Mirroring Security Wizard intro screen appears. The next screen should be the Include Witness Server screen:

This is where you would configure a witness server for your mirroring, but since we're just configuring a basic mirror we will skip this part. However, if you are configuring mirroring in an Enterprise environment it is recommended you configure a witness server, because without one you will not get the high-safety mode with automatic failover.

Select “No”, then click “Next >” to continue the process.

The next screen will give you options to configure the Principal Server Instance:

Here we will be creating our endpoint, which is a SQL Server object that allows SQL Server to communicate over the network. We will name it Mirroring with a listener port of 5022. Leave the "Encrypt data sent through this endpoint" option checked: the mirroring traffic carries your transaction log across the network.

Click the “Next >” button to continue.

The next screen will give you options to configure the Mirror Server Instance:

To connect to the Mirror server instance we will need to click the “Connect…” button then select the mirror server and provide the correct credentials:

Once connected, we also notice our endpoint name is Mirroring and we are listening on port 5022.

Click “Next >” and you’ll see the Service Accounts screen.

When using Windows Authentication, if the server instances use different accounts, specify the service accounts for SQL Server. These service accounts must all be domain accounts (in the same or trusted domains).

If all the server instances use the same domain account or use certificate-based authentication, leave the fields blank.

Since my service accounts are using the same domain account, I’ll leave this blank.

Click “Finish” and you’ll see a Complete the Wizard screen that summarizes what we just configured. Click “Finish” one more time.

If you see the big green check mark that means Database Mirroring has been configured correctly. However, just because it is configured correctly doesn’t mean that database mirroring is going to start…

Next screen that pops up should be the Start/Do Not Start Mirroring screen:

We’re going to click Do Not Start Mirroring just so we can look at the Operating Modes we can use:

Since we didn’t specify a witness server we will not get the High Safety with automatic failover option, but we still get the High Performance and High Safety without automatic failover options.

For this example, we'll stick with synchronous high safety without automatic failover, so a transaction commits on the principal only after its log records have been hardened on the mirror and both servers stay synchronized.

Next, click “Start Mirroring” as shown below.

If everything turned out right, Database Mirroring has been started successfully and we are fully synchronized.
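The same session the wizard builds can be scripted, which is how you would do it repeatably and which also exposes three endpoint settings the wizard does not let you choose. The following is an added example and not code from the original post: it runs from one admin workstation with the SqlServer module's Invoke-Sqlcmd. The instance names, FQDNs, port, database name and service-account login are assumptions taken from the walkthrough; change them for your environment.

```powershell
# Added example, not from the original post: script the mirroring session the
# SSMS wizard builds. Assumed values below match the walkthrough; adjust them.
#Requires -Modules SqlServer

$Principal     = 'Principal'
$Mirror        = 'Mirror'
$PrincipalFqdn = 'principal.corp.example'   # assumption: SET PARTNER wants an FQDN
$MirrorFqdn    = 'mirror.corp.example'
$Database      = 'TestMirror'
$Port          = 5022
$ServiceLogin  = 'DOMAIN\User'              # SQL Server service account of the other partner

# Endpoint on each partner. Settings the wizard does not let you pick:
#   AUTHENTICATION = WINDOWS KERBEROS    no NTLM fallback between the partners
#   ENCRYPTION = REQUIRED ALGORITHM AES  the 2008 R2-era wizard default was RC4
#   CONNECT is granted only to the partner's service login, never to public
$EndpointSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_mirroring_endpoints)
    CREATE ENDPOINT [Mirroring]
        STATE = STARTED
        AS TCP (LISTENER_PORT = $Port, LISTENER_IP = ALL)
        FOR DATABASE_MIRRORING (
            AUTHENTICATION = WINDOWS KERBEROS,
            ENCRYPTION = REQUIRED ALGORITHM AES,
            ROLE = PARTNER);
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceLogin')
    CREATE LOGIN [$ServiceLogin] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::[Mirroring] TO [$ServiceLogin];
"@
foreach ($instance in $Principal, $Mirror) {
    Invoke-Sqlcmd -ServerInstance $instance -Query $EndpointSql -ErrorAction Stop
}

# Order matters: point the mirror at the principal first. Doing the principal
# first fails with error 1418 (server network address cannot be reached).
$MirrorSql = @"
ALTER DATABASE [$Database] SET PARTNER = N'TCP://${PrincipalFqdn}:${Port}';
"@
$PrincipalSql = @"
ALTER DATABASE [$Database] SET PARTNER = N'TCP://${MirrorFqdn}:${Port}';
ALTER DATABASE [$Database] SET PARTNER SAFETY FULL;  -- high safety; no auto failover without a witness
"@
Invoke-Sqlcmd -ServerInstance $Mirror    -Query $MirrorSql    -ErrorAction Stop
Invoke-Sqlcmd -ServerInstance $Principal -Query $PrincipalSql -ErrorAction Stop

# Check both sides: endpoint STARTED, roles PRINCIPAL and MIRROR, state SYNCHRONIZED.
$CheckSql = @"
SELECT @@SERVERNAME AS server, e.state_desc AS endpoint_state,
       m.mirroring_role_desc, m.mirroring_state_desc, m.mirroring_safety_level_desc
FROM sys.database_mirroring AS m
CROSS JOIN sys.database_mirroring_endpoints AS e
WHERE m.database_id = DB_ID(N'$Database');
"@
foreach ($instance in $Principal, $Mirror) {
    Invoke-Sqlcmd -ServerInstance $instance -Query $CheckSql | Format-Table -AutoSize
}
```

Run it after the full and log restores above have left TestMirror in the restoring state on the Mirror server. If the two partners ran under different service accounts, the GRANT CONNECT on each side would name the other side's account; granting CONNECT to public, which some older guides suggest, lets any login that can reach port 5022 open a mirroring session.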


If Database mirroring did not start successfully or you received an error here are a few scripts to troubleshoot the situation:

Both servers should be listening on the same port. To verify this, run the following command:

SELECT type_desc, port

FROM sys.tcp_endpoints;

We are listening on port 5022. This should be the same on the Principal and Mirror servers:

Database mirroring should be started on both servers. To verify this, run the following command:

SELECT state_desc

FROM sys.database_mirroring_endpoints;

The state_desc column on both the Principal and Mirror server should be STARTED:

To start an endpoint (or change its port or role), run the following; it is the STATE = STARTED clause that actually starts it:

ALTER ENDPOINT <Endpoint Name>
STATE = STARTED
AS TCP (LISTENER_PORT = <port number>)
FOR DATABASE_MIRRORING (ROLE = ALL);

The roles should be the same on both the Principal and Mirror server (PARTNER on both, or ALL on both). To verify this, run:

SELECT role_desc
FROM sys.database_mirroring_endpoints;


To verify that the login from the other server has CONNECT permission on the endpoint, run the following (the class_desc filter keeps permissions on server principals, whose major_id values can collide with endpoint ids, out of the result):

SELECT EP.name,
       SP.state_desc AS State,
       CONVERT(nvarchar(38), suser_name(SP.grantor_principal_id)) AS Grantor,
       SP.permission_name AS Permission,
       CONVERT(nvarchar(46), suser_name(SP.grantee_principal_id)) AS Grantee
FROM sys.server_permissions SP, sys.endpoints EP
WHERE SP.major_id = EP.endpoint_id
  AND SP.class_desc = 'ENDPOINT'
ORDER BY Permission, Grantor, Grantee;


You can see here from the State and Permission columns that the other partner's service account has been granted CONNECT on the mirroring endpoint. If the grantee column shows only public, or the login is missing entirely, that is the usual cause of a session that is configured but never leaves the DISCONNECTED state.

Group Managed Service Accounts alias gMSA


This article will show the process I used to get my managed service account registered for use by services such as SQL Server and Task Scheduler.

Managed service accounts have been around for a while, but they were limited and only worked in the local security context of a single Windows server, which meant you couldn't use the same account across a cluster of servers.

They were usually limited to Task Scheduler or simple applications.

Please read the following for a quick view on how the old technology worked for Managed service accounts:

Windows Server 2012 introduced Group Managed Service Accounts, which can be shared between servers. This is great news and shows potential for other applications like SQL Server 2012.

I used the following TechNet article to setup my first Group Managed Service Account which I’m going to use for SQL 2012: (Please look for my next blog post on how I installed SQL 2012 with my group managed service account.)

OK, let's start.


Please read the requirements from the article above. I'm only going to highlight the high-level requirements.

Group Managed Service Accounts are enabled and provisioned with Windows PowerShell, which must be a 64-bit instance. I had a Windows Server 2012 domain controller in my test environment, so using PowerShell on that server was sufficient. You also need the Active Directory module for Windows PowerShell (part of the RSAT AD tools) installed on the machine you are using.

Before you start

Before you start creating the group managed service account you need to know the following:

  • Does the application service support gMSAs?
  • Does the service require inbound or outbound authentication?
  • The computer account names of the member hosts that will run the service using the gMSA
  • The NetBIOS name for the service
  • The DNS host name for the service
  • The Service Principal Names (SPNs) for the service
  • The password change interval (default is 30 days)

Step 1: Provisioning of group Managed Service Accounts

You can create a gMSA only if the forest schema has been updated to Windows Server 2012, the KDS root key for Active Directory has been created, and there is at least one Windows Server 2012 DC in the domain in which the gMSA will be created.

Important: the KDS root key is the tricky part. You can force its creation, but once it is created you need to wait for AD replication to complete, which can take up to 10 hours. Create it and leave it for the next day.



  1. Check whether a KDS root key exists: "Get-KdsRootKey"
  2. If none exists, create one: "Add-KdsRootKey -EffectiveImmediately"
  3. Wait 10 hours or more (create it and leave it for a day) so the key replicates to every domain controller.
  4. Test the KDS root key: "Test-KdsRootKey -KeyId <GUID from above>"
  5. Create a security group in AD that the computer accounts will be members of; only members of this group can retrieve the managed password. Important: remember to reboot the computers once you have made them members of the group.

  6. Add the computer accounts as members of the new group.

    1. Reboot the server(s).
  7. Create the gMSA “New-ADServiceAccount SQL2012Managed -DNSHostName -PrincipalsAllowedToRetrieveManagedPassword Allowed-SQL2012ManagedServiceAccount-Access -ServicePrincipalNames MSSQLSvc/SQL2012:1433,MSSQLSvc/”

  8. Success: now you can start using the managed service account for other installations.
  9. Open “Active Directory Administrative Center” to confirm Managed Service account creation


Step 2: Add the new service account to the required machines


Once you have created the Managed Service Account you need to assign it to all the required machines.

  1. Open Windows PowerShell on the server; in my example I'll open it on the SQL2012 server that I'm going to use.
  2. Run the following command: "Install-ADServiceAccount SQL2012Managed"

  3. To confirm the account, try changing a service to run under the newly created account.

  4. Please see my next blog post on how to install SQL 2012 using managed service Accounts.
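The two steps above as one script, added here as an example and not taken from the original post. It runs from a 64-bit PowerShell with the Active Directory module on a domain member, and the last function is meant to be run on each member host. The account name, group name, host name, DNS name and SPNs are assumptions in the spirit of the walkthrough; replace them with your own.

```powershell
# Added example (not from the original post): provision a gMSA end to end.
# All names below are assumptions; adjust them for your environment.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$AccountName = 'SQL2012Managed'
$HostGroup   = 'Allowed-SQL2012ManagedServiceAccount-Access'
$MemberHosts = @('SQL2012')                      # computer accounts allowed to fetch the password
$DnsHostName = 'sql2012.corp.example'            # assumption: the service's DNS name
$Spns        = @('MSSQLSvc/sql2012.corp.example:1433', 'MSSQLSvc/sql2012.corp.example')

# 1. KDS root key: created once per forest. After creation every DC must have
#    replicated it (up to 10 hours) before the key can be used safely.
$rootKey = Get-KdsRootKey
if (-not $rootKey) {
    # A lab-only shortcut is Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)).
    # Never do that in production: DCs that have not replicated yet would hand out
    # different passwords for the same gMSA.
    $keyId = Add-KdsRootKey -EffectiveImmediately
    Write-Warning "KDS root key $keyId created. Wait 10 hours, then run this script again."
    return
}
foreach ($k in @(Get-KdsRootKey)) {
    if (-not (Test-KdsRootKey -KeyId $k.KeyId)) { throw "KDS root key $($k.KeyId) is not usable yet" }
}

# 2. Group the member hosts belong to. Only its members can retrieve the managed
#    password, so keep it to exactly the hosts that run the service (least privilege).
$group = Get-ADGroup -Filter "Name -eq '$HostGroup'"
if (-not $group) {
    $group = New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security -PassThru
}
foreach ($h in $MemberHosts) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer $h)
}
# Each host needs a fresh computer Kerberos ticket to see the new group membership:
# reboot it, or run "klist -li 0x3e7 purge" on the host as an administrator.

# 3. Create the gMSA. Restrict password retrieval to the group (never to Domain
#    Computers) and allow only AES Kerberos encryption types.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $group `
        -ServicePrincipalNames $Spns `
        -ManagedPasswordIntervalInDays 30 `
        -KerberosEncryptionType AES128,AES256
}

# 4. Run this part on each member host (local PowerShell, as administrator).
#    Test-ADServiceAccount returning $false usually means the host's ticket
#    predates its group membership: reboot and test again.
function Install-GmsaOnThisHost {
    param([Parameter(Mandatory)][string]$Name)
    Install-ADServiceAccount -Identity $Name
    Test-ADServiceAccount -Identity $Name
}
```

Test-ADServiceAccount is the check worth keeping: it exercises the same password retrieval the service will do at start-up, so a $true from it on every member host means the group membership, the KDS key and the permissions are all in place before you point SQL Server or a scheduled task at the account.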