"Logon Failure: Account Currently Disabled" and "System Error 1331" Error Messages

When you try to connect to a server in another domain you get the error messages “Logon Failure: Account Currently Disabled” and “System Error 1331” Error Messages.

This happens if one of the computers have been moved from one domain to anothet. The computer account is the disabled in teh computerd old domain and this is what creates the error.

The solution is to remove the old computer account (marked with a red X) from the old domain.

The KB article (263936) is here.

Problem with APC Powerchute on Windows Servers

I just troubleshooted a server which on reboot stopped on “Applying Computer Settings” and refesed to start. The I stumbled om this and apparently there is a bug in APC Powerchute 6.x regarding an expired Certificate for the java software.

In rebooted the server in Safe Mode and disabled the services and tadaa It started!

Edit 2005-08-16:

There is now a KB article



Hur ofta behöver man inte en mailadress för att registrera i en tävling eller för att ladda ner ett program… men man vill inte att företaget skall “dela med sig” av adressen så att din mailbox fylls av spam. Här är lite länkar till lite tjänster som erbjuder slaskmailboxar:

Slaskpost.se – Mailen ligger kvar i 24h
www.mailinator.com – Mailen ligger kvar i 24h
www.jetable.org/en/index – Adressen pekas till din egen mailadress men raderas efter 1 – 8 dagar.

Configuring Radius Authentication for VPN on Cisco Pix

Cisco Secure PIX Firewall 6.x and Cisco VPN Client 3.5 for Windows with Microsoft Windows 2000 and 2003 IAS RADIUS Authentication

Configuring the PIX Firewall

PIX Firewall
pixfirewall(config)# write terminalBuilding configuration...: Saved:PIX Version 6.1(1)nameif ethernet0 outside security0nameif ethernet1 inside security100enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedhostname pixfirewallfixup protocol ftp 21fixup protocol http 80fixup protocol h323 1720fixup protocol rsh 514fixup protocol rtsp 554fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol skinny 2000names!--- Issue the access-list command to avoid !--- Network Address Translation (NAT) on the IPSec packets.access-list 101 permit ip pager lines 24interface ethernet0 autointerface ethernet1 automtu outside 1500mtu inside 1500ip address outside address inside audit info action alarmip audit attack action alarmip local pool ippool history enablearp timeout 14400global (outside) 1!--- Binding access list 101 to the NAT statement to avoid !--- NAT on the IPSec packets.nat (inside) 0 access-list 101Nat (inside) 1 0 0route outside 1route inside xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absolute!--- Enable access to the TACACS+ and RADIUS protocols.aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius !--- Associate the partnerauth protocol to RADIUS.aaa-server partnerauth protocol radius aaa-server partnerauth (inside) host cisco123timeout 5no snmp-server locationno snmp-server contactsnmp-server community publicno snmp-server enable trapsfloodguard enable!--- Tell PIX to implicitly permit IPSec traffic.sysopt connection permit-ipsecno sysopt route dnat!--- Configure a transform set that defines how the traffic will be protected.crypto ipsec transform-set myset esp-des esp-md5-hmac!--- Create a dynamic crypto map and specify which !--- transform sets are allowed for this dynamic crypto map entry.crypto dynamic-map dynmap 10 set transform-set myset!--- Add the dynamic crypto map set into a static crypto map set.crypto map mymap 10 ipsec-isakmp dynamic dynmap!--- Enable the PIX to launch the Xauth application on the VPN Client.crypto map mymap client authentication partnerauth!--- Apply the crypto map to the outside interface.crypto map mymap interface outside!--- IKE Policy Configuration.isakmp enable outsideisakmp identity addressisakmp policy 10 authentication pre-shareisakmp policy 10 encryption desisakmp policy 10 hash md5isakmp policy 10 group 2isakmp policy 10 lifetime 86400!--- IPSec group configuration for VPN Client.vpngroup vpn3000 address-pool ippoolvpngroup vpn3000 dns-server vpn3000 wins-server vpn3000 default-domain cisco.comvpngroup vpn3000 idle-time 1800vpngroup vpn3000 password ********telnet timeout 5ssh timeout 5terminal width 80Cryptochecksum:3f9e31533911b8a6bb5c0f06900c2dbc: end [OK]pixfirewall(config)#

Configuring the Microsoft Windows 2000 Server with IAS

Follow these steps to configure Microsoft Windows 2000 server with IAS. This is a very basic setup to use a Windows 2000 IAS server for RADIUS authentication of VPN users. If you require a more complex design, please contact Microsoft for assistance.

Note: These steps assume that IAS has already been installed on the local machine. If not, please add this through Control Panel > Add/Remove Programs.

  1. Launch the Microsoft Management Console by going to Start > Run and typing mmc and then clicking OK.
  2. To add the IAS service to this console, go to Console > Add Remove Snap-In….
  3. Click Add. This will launch a new window with all of the available standalone snap-ins. Click Internet Authentication Service (IAS) and click Add.
  4. Make sure Local Computer is selected and click Finish. Then click Close.
  5. Notice that IAS is now added. Click OK to see that it has been added to the Console Root.


  6. Expand the Internet Authentication Service and right-click on Clients. Click New Client and input a name. The choice of name really does not matter; it will be what you see in this view. Make sure to select RADIUS and click Next.
  7. Fill in the Client address with the PIX interface address that the IAS server is connected to. Make sure to select RADIUS Standard and add the shared secret to match the command you entered on the PIX:
    aaa-server partnerauth (inside) host cisco123 timeout 5

    Note: In this example, “cisco123” is the shared secret.


  8. Click Finish to return to the Console Root.
  9. Click Remote Access Policies in the left pane and double-click the policy labeled Allow access if dial-in permission is enabled.
  10. Click Edit Profile and go to the Authentication tab. Under Authentication Methods, make sure only Unencrypted Authentication (PAP, SPAP) is checked.

    Note: The VPN Client can only use this method for authentication.


  11. Click Apply and then OK twice.
  12. To modify the users to allow connection, go to Console > Add/Remove Snap-in. Click Add and then select the Local Users and Groups snap-in. Click Add. Make sure to select Local Computer and click Finish. Click OK.
  13. Expand Local User and Groups and click the Users folder in the left pane. In the right pane, double-click the user you want to allow access.
  14. Click the Dial-in tab and select Allow Access under Remote Access Permission (Dial-in or VPN).


  15. Click Apply and OK to complete the action. You can close the Console Management screen and save the session, if desired.
  16. The users that you modified should now be able to access the PIX with the VPN Client 3.5. Please keep in mind that the IAS server only authenticates the user information. The PIX still does the group authentication.

Configuring the Microsoft Windows 2003 Server with IAS

Follow these steps to configure Microsoft Windows 2003 server with IAS.

Note: These steps assume that IAS has already been installed on the local machine. If not, please add this through Control Panel > Add/Remove Programs.

  1. Go to Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client. When you have typed the client information, click OK.

    The example below shows a client named “Pix” with IP address Client-Vendor is set to RADIUS Standard, and the shared secret is “cisco123.”


  2. Go to Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
  3. Ensure that the option for Grant Remote Access Permissions is selected.
  4. Click Edit Profile and check the following settings.
    • On the Authentication tab, check Unencrypted authentication (PAP, SPAP).
    • On the Encryption tab, ensure that the option for No Encryption is selected.

    Click OK when you are finished.


  5. Add a user into the local computer account by going to Administrative Tools > Computer Management > System Tools > Local Users and Groups.. Right-click on Users and select New Users.
  6. Add user with Cisco password “cisco123” and check the following profile information.
    • On the General tab, ensure that the option for Password Never Expired is selected instead of the option for User Must Change Password.
    • On the Dial-in tab, select the option for Allow access (or leave default setting of Control access through Remote Access Policy).

    Click OK when you are finished.



This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool ( registered customers only) , which allows you to view an analysis of show command output.

  • show crypto isakmp sa – View all current IKE security associations (SAs) at a peer.
  • show crypto ipsec sa – View the settings used by current security associations.


This section provides information you can use to troubleshoot your configuration. For additional information, refer to Troubleshooting the PIX to Pass Data Traffic on an Established IPSec Tunnel.

Troubleshooting Commands

Certain commands are supported by the Output Interpreter Tool ( registered customers only) , which allows you to view an analysis of show command output.

Note: Before issuing debug commands, please see Important Information on Debug Commands and IP Security Troubleshooting – Understanding and Using debug Commands.

  • debug crypto ipsec – View the IPSec negotiations of phase 2.
  • debug crypto isakmp – View the ISAKMP negotiations of phase 1.
  • debug crypto engine – View the traffic that is encrypted.


Variables in Batch Files


Windows NT 4/Windows 2000 Syntax


Note:     The parts of this text that are displayed in magenta are valid for Windows 2000 only


Displays, sets, or removes cmd.exe environment variables.

SET [variable=[string]]

    variable   Specifies the environment-variable name.
string Specifies a series of characters to assign to the variable.

Type SET without parameters to display the current environment variables.

If Command Extensions are enabled SET changes as follows:

SET command invoked with just a variable name, no equal sign or value will display the value of all variables whose prefix matches the name given to the SET command. For example:


would display all variables that begin with the letter ‘P’

SET command will set the ERRORLEVEL to 1 if the variable name is not found in the current environment.

SET command will not allow an equal sign (=) to be part of the name of a variable.
However, SET command will allow an equal sign in the value of an environment variable in any position other than the first character.

One new switch has been added to the SET command in Windows NT 4, and another one in Windows 2000:

 SET /A expression SET /P variable=[promptString]

The /A switch specifies that the string to the right of the equal sign is a numerical expression that is evaluated. The expression evaluator is pretty simple and supports the following operations, in decreasing order of precedence:

       () - grouping
* / % - arithmetic operators
+ - - arithmetic operators
<< >> - logical shift
& - bitwise and
^ - bitwise exclusive or
¦ - bitwise or
= *= /= %= += -=
&= ^= ¦= <<= >>=
- assignment
, - expression separator

If you use any of the logical or modulus operators, you will need to enclose the expression string in quotes. Any non-numeric strings in the expression are treated as environment variable names whose values are converted to numbers before using them. If an environment variable name is specified but is not defined in the current environment, then a value of zero is used. This allows you to do arithmetic with environment variable values without having to type all those % signs to get their values. If SET /A is executed from the command line outside of a command script, then it displays the final value of the expression. The assignment operator requires an environment variable name to the left of the assignment operator. Numeric values are decimal numbers, unless prefixed by 0x for hexidecimal numbers, 0b for binary numbers and 0 for octals numbers. So 0x12 is the same as 0b10010 is the same as 022. Please note that the octal notation can be confusing: 08 and 09 are not valid numbers because 8 and 9 are not valid octal digits.

The /P switch allows you to set the value of a variable to a line of input entered by the user. Displays the specified promptString before reading the line of input. The promptString can be empty.

Environment variable substitution has been enhanced as follows:


would expand the PATH environment variable, substituting each occurrence of "str1" in the expanded result with "str2". "str2" can be the empty string to effectively delete all occurrences of "str1" from the expanded output. "str1" can begin with an asterisk, in which case it will match everything from the begining of the expanded output to the first occurrence of the remaining portion of str1.

May also specify substrings for an expansion.


would expand the PATH environment variable, and then use only the 5 characters that begin at the 11th (offset 10) character of the expanded result.
If the length is not specified, then it defaults to the remainder of the variable value.
If either number (offset or length) is negative, then the number used is the length of the environment variable value added to the offset or length specified.


would extract the last 10 characters of the PATH variable.


would extract all but the last 2 characters of the PATH variable.

Finally, support for delayed environment variable expansion has been added. This support is always disabled by default, but may be enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?

Delayed environment variable expansion is useful for getting around the limitations of the current expansion which happens when a line of text is read, not when it is executed.
The following example demonstrates the problem with immediate variable expansion:

set VAR=beforeif "%VAR%" == "before" (set VAR=after;if "%VAR%" == "after" @echo If you see this, it worked)

would never display the message, since the %VAR% in BOTH IF statements is substituted when the first IF statement is read, since it logically includes the body of the IF, which is a compound statement.
So the IF inside the compound statement is really comparing "before" with "after" which will never be equal.
Similarly, the following example will not work as expected:

set LIST=for %i in (*) do set LIST=%LIST% %iecho %LIST%

in that it will NOT build up a list of files in the current directory, but instead will just set the LIST variable to the last file found.
Again, this is because the %LIST% is expanded just once when the FOR statement is read, and at that time the LIST variable is empty.
So the actual FOR loop we are executing is:

for %i in (*) do set LIST= %i

which just keeps setting LIST to the last file found.

Delayed environment variable expansion allows you to use a different character (the exclamation mark) to expand environment variables at execution time.
If delayed variable expansion is enabled, the above examples could be written as follows to work as intended:

set VAR=beforeif "%VAR%" == "before" (set VAR=afterif "!VAR!" == "after" @echo If you see this, it worked)set LIST=for %i in (*) do set LIST=!LIST! %iecho %LIST%

If Command Extensions are enabled, then there are several dynamic environment variables that can be expanded but which don't show up in the list of variables displayed by SET.
These variable values are computed dynamically each time the value of the variable is expanded.
If the user explicitly defines a variable with
one of these names, then that definition will override the dynamic one described below:

     %CD%   -   expands to the current directory string.
  %DATE%   -   expands to current date using same format as DATE command.
  %TIME%   -   expands to current time using same format as TIME command.
  %RANDOM%   -   expands to a random decimal number between 0 and 32767.
  %ERRORLEVEL%   -   expands to the current ERRORLEVEL value.
  %CMDEXTVERSION%   -   expands to the current Command Processor Extensions version number.
  %CMDCMDLINE%   -   expands to the original command line that invoked the Command Processor.



Warning note:    A note on NT 4's SET /A switch from Walter Zackery in a message on alt.msdos.batch.nt:
  "The SET /A command has a long list of problems. I wouldn't use it for much more than simple arithmetic, although even then it truncates all answers to integers."


On the other hand, limited though it may seem, the SET command's math function can even be used for a complex task like calculating the date of Easter Day for any year.