User and group access limited time control
Hi,
We have a system that requires often vendors to have local administrator access on the servers in the network.
The scenario is as follow. Vendor A has local admin access to 10 servers, now and then vendor A needs help from vendor B, and they need local admin access also. So we have created a group in AD that is called "Admin Access Vendor B" and this group is added to the local administrator group on all 10 servers. Usually this group is empty, but when vendor A needs help from vendor B, we populate the group "Admin Access Vendor B" with users from vendor B, so now they have admin access to all 10 servers until we remove them from the group.
We are not sure if this is the best way to go, since we then often have a lot of empty groups added to the local administrators groups on many servers, but as long as there are no users in these groups I guess it's ok? I guess if someone should be able to add themselves to the group, well then they have admin access on the domain...
Another thing that could be a solution is to have some kind of time limit on the accounts added to the local administrator group. Say that you add "Admin Access Vendor B" to the local administrators group on all 10 servers, but this group will automatically be removed from the local administrators group after 2 days... Is there any solution like this? Or other suggestions...
Thanks for answers.
/Regards Andreas
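The time limit asked for above exists natively in Active Directory as time-bound (expiring) group membership. The following is an added example and not code from the thread: it assumes a forest at Windows Server 2016 functional level, that the Privileged Access Management optional feature has been enabled (the one-time, irreversible command is shown), and that the group name is the one from the post; the user name and forest name are placeholders.

```powershell
# Added example (not from the thread): time-bound membership in the vendor
# group so it empties itself after the agreed window.
# Requires Windows Server 2016 forest functional level. Enabling the optional
# feature is forest-wide and cannot be undone. 'domain.local' is a placeholder.
Enable-ADOptionalFeature 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'domain.local'

# Add the helping vendor's account with a 2-day TTL. AD removes the member
# automatically when the TTL expires, so nobody has to remember to clean up,
# and the Kerberos tickets issued to that user are capped at the remaining TTL.
# 'vendorB.user' is a placeholder account name.
Add-ADGroupMember -Identity 'Admin Access Vendor B' `
    -Members 'vendorB.user' `
    -MemberTimeToLive (New-TimeSpan -Days 2)

# Review who still has access and for how long while the window is open.
# Members with a TTL are shown as "<TTL=seconds>,CN=..." in the member attribute.
Get-ADGroup 'Admin Access Vendor B' -Property member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

With this in place the empty "Admin Access Vendor B" group can stay in the servers' local Administrators groups; the control that matters is that membership expires on its own, and the output of the last command is what to keep an eye on during the access window.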
Enable Kerberos AES encryption on an existing one-way trust
I'm trying to get Kerberos to work between an internal and a DMZ forest with a one-way trust between them and have narrowed the issue down to the encryption type between the client and DC.
After some research the issue appears to be the option "The other domain supports Kerberos AES encryption" under the forest trust settings on the incoming side.
This option is currently disabled and the checkbox is greyed out so I can't select it. After plenty of searching I haven't found another way to enable this option on an existing trust. Is removing and re-creating the trust the only way to correct this?
The internal forest & domain are both Server 2008R2 functionality level, and the DMZ forest & domain are both Server 2016 functionality level.
FRS to DFSR migration stuck for RODC
Hi team,
I'm trying to perform an FRS to DFSR migration using the guide at https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/#quick. Upon running the below command, I can see that all DCs are in the 'Prepared' state except for the RODC server in the head office.
C:\Windows\system32>Dfsrmig /getmigrationstate
The following domain controllers have not reached Global state ('Prepared'):
Domain Controller (Local Migration State) - DC Type
===================================================
RODC-SVR0 ('Start') - Read-Only DC
Migration has not yet reached a consistent state on all domain controllers.
State information might be stale due to Active Directory Domain Services latency.
It's been 3 hours now and still the same. Any idea on what to do?
Cheers,
Jude.
Help with delegation - Usergroup should be able to delete computers but do not create them
Hi everyone,
I'm searching for the setting to allow users to delete computers but not create any. All tutorials are about creating AND deleting, so I think I'm missing a right here.
Currently I've delegated the group:
OU=Clients_W10,OU=DOM_Computers,DC=domain,DC=local | Domain\ACL_IT-ClientMgmt | Allow | False | Child Objects Only | ReadProperty, GenericExecute | Info |
OU=Clients_W10,OU=DOM_Computers,DC=domain,DC=local | Domain\ACL_IT-ClientMgmt | Allow | False | This object and all child objects | Delete computer | Warning |
What else do I need to accomplish this task? At the moment it states:
And no, it is not protected.
Regards Stephan
Email Synch between AD and Azure AD using Azure AD Connect
In AD I have put the user's email in the following fields:
- In the E-mail field under Properties/General
- in the 'mail' field under Attribute Editor
- in the 'otherMailbox' field under Attribute Editor
- in the 'proxyAddresses' field under Attribute Editor
I have set up Azure AD Connect to sync ALL possible fields.
And yet still in Azure AD, the 'Email' & 'Alternate email' fields under Authentication contact info are still BLANK!!
Anyone know what AD fields sync to fill the Azure AD 'Email' and 'Alternate email' fields?
Can't Log In After Creating a New Domain
Hey all,
I created a new domain which did override the root domain of my server. I now cannot log in using the previous credentials as the GPOs were lost. I have tried using the DSRM password too and it won't work. Please help.
Windows 2012 R2 Forest and Domain Functional level
I have a question regarding raising the FFL and DFL.
We have all Windows 2012 R2 DCs and the FSMO roles are in two domains. The current functional level is Windows 2018 R2.
I know that we raise the DFL at the PDCE. Where do we perform the FFL raise?
Is it at the Schema master or the PDCE?
Newer Version of LockoutStatus.exe than 1.0.0.60?
Not sure if this is the appropriate category/forum, but I'm posting here as this is where I've found a few related issues/queries.
Is there a version of LockoutStatus.exe newer than 1.0.0.60? Several posts from ~5 years ago that described issues similar to what I'm experiencing (being unable to set a password using the tool when required minimum length is greater than 1) mention an internal version (.62?) that was in development at the time but had no timetable for release.
In the last 5 years, has there been any change? Or has everyone switched to a different tool or created their own?
Can two certificates with the same name create an issue?
Hi
We have 4 certificates which need to be installed through GPO on the paths below. But these 4 certificates have also already been installed via an SCCM package on almost all systems.
Now the client is saying that GPO is applied on all systems in the domain, so push these certificates through GPO as well.
Intermediate Certification Authorities
Trusted Root Certification Authorities
Trusted Root Certification Authorities
Trusted Root Certification Authorities
My only concern is, if I push the certificates from GPO, will they be installed through GPO as a double entry, or will they override the existing certificates on the same path?
And if there were two certificates with the same name, could that create any problem?
Please suggest.
User locked out -- no indication in event viewer
Hi,
A user is locked out per the lockoutstatus.msi tool.
There are no entries in the event viewer security log for event ID 4740 on either of my two domain controllers. Also no 4771, 4776, or 529 event IDs. My security log goes back years; it is not the case that the data is archived/overwritten.
I have "Audit Account Management" enabled for success and failure domain-wide via GPO.
How do I determine the source of the lockout?
Thank you,
Chris
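Two facts help when tracing a lockout like the one above: event 4740 is written on the PDC emulator only, whichever DC saw the bad passwords, and if an advanced audit policy is in force it overrides the legacy "Audit Account Management" setting, so the relevant subcategory ("User Account Management") must be enabled on the PDC emulator itself. The following is an added example, not code from the thread; the account name is a placeholder and it assumes the ActiveDirectory module and remote event log access to the PDC emulator.

```powershell
# Added example (not from the thread): find the 4740 lockout event where it is
# actually written (the PDC emulator) and read the caller computer from it.
# 'jdoe' is a placeholder account name.
$user = 'jdoe'
$pdc  = (Get-ADDomain).PDCEmulator

# 4740 is logged on the PDC emulator regardless of which DC processed the
# failed logons, so the other DCs may legitimately show nothing.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $user } |
    Select-Object TimeCreated,
        # Property 0 is the locked account; in 4740 property 1 carries the
        # "Caller Computer Name", i.e. the machine the bad passwords came from.
        @{ n = 'Account';        e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }

# Check the effective audit setting on the PDC emulator. The advanced policy
# subcategory wins over the legacy "Audit Account Management" category, so an
# empty 4740 history usually means this shows "No Auditing".
Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol /get /subcategory:"User Account Management"
}
```

Once the caller computer is known, the 4771/4776 events for the same account on the DC that serves that computer's site show the individual failed attempts; if the caller computer is a DC or the PDC emulator itself, the source is typically a service or mapped connection passing cached old credentials rather than an interactive user.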
DCPromo as RODC fails - Server 2016
I've been working on a DCPromo issue for about 6 months that I can't seem to get around. Some of my specific details are a little fuzzy at this point since it's been so long, but I tried the process 3 times in the last 24 hours & I still get a failure.
The 2016 servers were RWDCs & I demoted them & then tried to DCPromo as RODC. I continuously get these results:
The operation failed because:
While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC.
"The replication operation failed because the target object referred by a link value is recycled."
I have tried deleting any related AD recycle bin records short of just deleting everything, which I'm not doing. I'm searching by date, by server name & by "KRBTGT_" & deleting anything I find but the issue persists:
Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server domaincontroller.domain.com | Where-Object {$_.DistinguishedName -like "*krbtgt_*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged
Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server pdc-necorp.nesl.com | Where-Object {$_.DistinguishedName -like "*xxxxxx*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged
Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server dhcp-necorp.nesl.com | Where-Object {$_.WhenChanged -gt "7/17/2018 4:00:00 PM"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged
I've also waited over 30 days between attempts (after deleting the recycle bin items), no good!
The only way around it is to promote as an RWDC again.
Any suggestions would be appreciated.
-Dave
Repadmin report 8453 error - Access is denied
Background
The environment has just been built using Windows Server 2016: a single forest with root domain ad.corp.com and child domain org.corp.com. Each domain has two domain controllers.
ad.corp.com: RDC01, RDC02
org.corp.com: SDC01, SDC02 (not built yet)
The forest and domain functional levels are all set to Windows 2008 R2.
Issues:
On SDC01, which has just been promoted, logged in as domain admin, I ran the following command
Repadmin /syncall /d
The result returned the following error
SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
Replication access was denied.
From: CN=NTDS Settings,CN=RDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=corp,DC=com
To : CN=NTDS Settings,CN=RDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=corp,DC=com
Checking done so far
1. It seems that, except for that error, Active Directory is still working fine. Object creation and deletion are replicated to all DCs.
2. Run DCDiag on each DC and all DCs are clear. No error detected.
3. The same Repadmin command is executed on the other 2 DCs and neither returns an error.
4. Execute Repadmin /replsummary and Repadmin /showrepl on EACH DC, no error is reported.
5. Installed Microsoft Active Directory Replication Status Tool on EACH DC, no error is detected.
6. On the same DC, SDC01, if I log in using an account which is a member of "Enterprise Admins", then no error is returned when executing the command Repadmin /syncall /d
It is clear to me that the root cause is that the sub-domain administrator doesn't have some permission set properly. I have even tried to uninstall the org.ad.corp.com domain and re-promote it again using all default values (except the functional level is set to Windows 2008 R2), but still the same issue.
Any suggestions?
Object types missing from selection in Select Groups
We run our DC on a VM and it is exclusively used for DC and certificate purposes.
This morning there was an application error with mmc.exe, so I rebooted the VM.
All was fine except that now when I go to add a user or computer to a group in AD, I cannot select "Computers" or "Users" when I click the Object Types button; they are just missing. The only two available under the select object types are "Groups" and "Built-in security principals".
I do not know why those object types are no longer selectable, but it is important that I get them back.
This is on MS server 2012 R2, up to date.
RSAT not showing under Windows features
Hello
I have a colleague who is experiencing problems with getting the Remote Server Administration Tools into his Windows features. We have followed the installation process for RSAT on Windows 10, and everything goes smoothly. However, after the required restart, Active Directory does not show up when searching for it. When trying to enable RSAT in Windows features, there is no "Remote Server Administration Tools". When searching for a solution, it was suggested to delete the English language package and reinstall it. This did not solve the issue. Active Directory is essential for some work tasks, so we really need to solve it.
Kind regards
Hakan
Is NTLM officially supported in an organization with all DCs running Windows 2016 and forest/domain level running either Windows Server 2012 or 2016?
Hello MS Directory Services team,
I would like to gather some sort of official MS information [KB/post] and/or a response to this thread on whether NTLM authentication is not supported and has been deprecated in Windows 2016.
My client, who runs a Microsoft shop [Exchange/Windows servers, Windows 10/7 PCs, Office 2013/2016], is also running some legacy applications that still rely on NTLM for authentication instead of Kerberos. So, what would be the right approach given the MS support matrix?
My client is going to migrate their farm of Windows 2008 DCs to 2016, and this is something that needs to be addressed before this implementation, otherwise legacy applications that rely on NTLM will fail.
Can you please confirm that if we upgrade our DCs to Server 2016 and change the Forest and Domain Functional Levels, our 3rd party applications/web sites/Microsoft applications that rely on NTLM rather than Kerberos will still function?
Please see below a copy-paste from the old partner site with a similar question. It would be highly appreciated if you can provide as much information as you can, with KB/URLs that fully support your answer.
Hi
We are migrating Active Directory from its current 2003 OS and 2003 domain/forest functional level to Windows 2012 R2 OS and 2012 R2 domain and forest functional level, and have some concerns about both Microsoft and 3rd party applications. Regrettably, Microsoft has provided some conflicting documentation about authentication, specifically NTLM, so please can you clarify:
Primarily we have been using this resource as our plan of action.
This document tells us that for the NTLM aspects:
- Database: database configurations using NTLM will need to change authentication methodologies.
- IIS or Apache: websites using NTLM will need to change authentication methodologies.
- Authentication in some applications may be using NTLM for authentication. NTLM is no longer supported in 2012 R2 for authentication; Kerberos is used. If applications are still using NTLM they will need to be updated or upgraded to meet this requirement.
However, if we refer to this documentation:
https://docs.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
it only tells us that Kerberos is the preferred authentication protocol for domains and doesn't say that we cannot fall back onto NTLM if that is in use. It also says that it is still supported and that there have been no changes or deprecation of NTLM in Server 2012 R2:
- NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers. Kerberos version 5 authentication is the preferred authentication method for Active Directory environments, but a non-Microsoft or Microsoft application might still use NTLM.
- There are no changes in functionality for NTLM for Windows Server 2012.
- There is no removed or deprecated functionality for NTLM for Windows Server 2012.
Can you please confirm that if we upgrade our DCs to Server 2012 R2 and change the Forest and Domain Functional Levels, our 3rd party applications/web sites/Microsoft applications that rely on NTLM rather than Kerberos will still function?
In addition, are you able to steer me to documentation that summarizes other functional changes/deprecations that may affect applications, e.g. ciphers or authentication algorithms that may have been removed?
From your description, I know you have some questions about authentication on Windows Server 2003 AD and Windows Server 2012 R2 AD. If there's any misunderstanding, please let us know.
For your convenience, I have listed my answers to your questions below:
Q1: Can you please confirm that if we upgrade our DCs to Server 2012 R2 and change the Forest and Domain Functional Levels, our 3rd party applications/web sites/Microsoft applications that rely on NTLM rather than Kerberos will still function?
A1: Based on my research, Protected Users authenticating to a Windows Server 2012 R2 domain can no longer authenticate with NTLM authentication. Please make sure whether our application will use Protected Users. If yes, it will be affected. If not, I think it will be OK. We can see more details in the following link:
Forest and Domain Functional Levels
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
In addition, to double-confirm whether the third party application will be affected, we suggest building a test environment and doing the test first.
Q2: Are you able to steer me to documentation that summarizes other functional changes/deprecations that may affect applications, e.g. ciphers or authentication algorithms that may have been removed?
A2: Based on my research, I find that changing the Domain or Forest Functional Level should have no impact on an application that depends on Active Directory. For any third party applications, we should contact the vendor to find out if they tested the product at the proposed level, and if so, with what result.
For the changes in Windows Server 2012 R2, I have found the following article, which we can read as reference:
Changes in the Security Guidance for Windows 8.1, Server 2012 R2 and IE11 since the beta
Hope the above information can help. If there's any question or concern, feel free to contact us.
Make a new attribute visible on the Organization tab in ADUC
Hello,
How do I make the new attribute I added, named "hrmanager", visible on the Organization tab in ADUC? We already have Manager showing in the Organization tab.
I would like HRManager to show right below Manager.
PS C:\> get-ADUser User -Properties hrmanager
DistinguishedName : CN=User,OU=DeptName,OU=Office,DC=Companyname,DC=com
Enabled : True
GivenName : FirstName
hrmanager : CN=HRManagerName,OU=DeptName,OU=Office,DC=Companyname,DC=com
Name : User
ObjectClass : user
ObjectGUID : 68358fce-2806-4ebb-afc2-79ff8479729e
SamAccountName : User
SID : S-1-5-21-XXXXX
Surname : LastName
UserPrincipalName : User@CompanyName.com
Thanks for any help,
Denise
Denise Child
Guest's account in the SAM database failed due to a resource error
Hello All,
I got this error on our server (DC) in the event log and it has happened a few times (on Windows Server 2012 R2 Standard).
Guest's account in the SAM database failed due to a resource error, such as a typing error on the hard drive, not be locked. The error code can be found in the error data. Accounts are blocked after multiple incorrect password entries. Therefore, reset the password for this account.
Event ID: 12294, Source: Directory-Services-SAM
Could anyone please tell me what this error is?
Regards