Wednesday, 20 June 2018

Windows Server: Black Screen with "Windows logon process failed to spawn user application."

After demoting a DC we were not able to get to the desktop; a black screen showed up and that was it.

Trying to get Task Manager up and running produced the following in the server's Event Logs:

Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          6/20/2018 11:19:06 AM
Event ID:      4006
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SERVER.DOMAIN.COM
Description:
The Windows logon process has failed to spawn a user application. Application name: launchtm.exe. Command line parameters: launchtm.exe /3 .

In the end the solution ended up being to add the local administrator account to the local Users group after hitting CTRL+ALT+DEL/END to click Log Off/Sign Out.

Once we signed back in we got to the server's desktop and were able to continue with its removal from the domain.

EDIT: Note that the change was done from a DC via Active Directory Users and Computers.

Philip Elder
Microsoft High Availability MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book
Our Web Site
Our Cloud Service

Thursday, 7 June 2018

Exchange 2013+: Set Up a Receive Connector for MFP/Copier/Device Relay

The following are the two steps required to enable an internal anonymous relay in Exchange 2013/2016/20*.

Step 1: Create the Receive Connector

New-ReceiveConnector -Name MFP-APP-AnonRelay -Usage Custom -Bindings 0.0.0.0:25 -RemoteIPRanges 192.168.25.1-192.168.25.10,192.168.25.225-192.168.25.254 -Comment "Allows anonymous relay" -TransportRole FrontEndTransport -AuthMechanism None -PermissionGroups AnonymousUsers

Variables:

  • -Name: Change this if needed but must match for both steps
  • -RemoteIPRanges: Only put trusted device IP addresses in this section

Once the receive connector is set up it can be managed via EAC.

Step 2: Allow Anonymous Rights

Get-ReceiveConnector "MFP-APP-AnonRelay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Variable:

  • The Receive Connector name must match the one set in Step 1

Conclusion

Once the above steps are set up there is no need to set a username and password on any device that has an allowed IP.

For obvious reasons one should never put an Internet IP address in this rule! That being said, one always restricts all inbound SMTP 25/587 traffic to a third-party sanitation provider's subnets, right? (We use ExchangeDefender for our own and our clients' needs.)

Also, this setup is for on-premises Exchange.
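
The rule about which addresses belong in -RemoteIPRanges can be checked before Step 1 is run. The following is an added example, not part of the original post: the function names and the 64-address review threshold are assumptions made here, and only IPv4 entries in single-address, start-end or CIDR form are handled.

```powershell
# Added example (not from the original post): vet RemoteIPRanges entries.
# RFC 1918 private blocks; anything outside them is treated as Internet space.
$Rfc1918 = @(@('10.0.0.0', '10.255.255.255'),
             @('172.16.0.0', '172.31.255.255'),
             @('192.168.0.0', '192.168.255.255'))

function ConvertTo-IPNumber([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip.Trim()).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only: $Ip" }
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

# Accepts "a.b.c.d", "a.b.c.d-e.f.g.h" and "a.b.c.d/nn"; returns low and high bounds.
function Get-RelayRangeBounds([string]$Range) {
    if ($Range -match '^([\d.]+)\s*-\s*([\d.]+)$') {
        return (ConvertTo-IPNumber $Matches[1]), (ConvertTo-IPNumber $Matches[2])
    }
    if ($Range -match '^([\d.]+)/(\d{1,2})$') {
        if ([int]$Matches[2] -gt 32) { throw "Bad prefix length: $Range" }
        $size = [long][math]::Pow(2, 32 - [int]$Matches[2])
        $ip = ConvertTo-IPNumber $Matches[1]
        $lo = $ip - ($ip % $size)
        return $lo, ($lo + $size - 1)
    }
    $one = ConvertTo-IPNumber $Range
    return $one, $one
}

# MaxHosts is a hypothetical threshold: a device list should be short.
function Test-RelayRange([string[]]$Ranges, [long]$MaxHosts = 64) {
    foreach ($r in $Ranges) {
        $lo, $hi = Get-RelayRangeBounds $r
        $inside = $false
        foreach ($p in $Rfc1918) {
            $pLo = ConvertTo-IPNumber $p[0]; $pHi = ConvertTo-IPNumber $p[1]
            if ($lo -le $hi -and $lo -ge $pLo -and $hi -le $pHi) { $inside = $true }
        }
        $count = $hi - $lo + 1
        $verdict = 'OK'
        if ($count -gt $MaxHosts) { $verdict = 'REVIEW: wider than a device list' }
        if (-not $inside) { $verdict = 'REJECT: not wholly inside RFC 1918 space' }
        [pscustomobject]@{ Range = $r; Addresses = $count; Verdict = $verdict }
    }
}

# First two entries are the ranges from Step 1; the rest are constructed test inputs.
$sample = '192.168.25.1-192.168.25.10', '192.168.25.225-192.168.25.254',
          '192.168.0.0/16', '203.0.113.0/24', '0.0.0.0-255.255.255.255'
Test-RelayRange $sample | Format-Table -AutoSize
```

On an Exchange server the same function can be fed from (Get-ReceiveConnector "MFP-APP-AnonRelay").RemoteIPRanges, assuming each entry is first converted to a string in one of the three formats handled above.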
