Hi,
I want to Implement LAPS on my school. we have created two OU for two different location on my DC server. one is VG1 Dulhera and second is VG-2 sitapur.But i want to apply LAPS only on those computers OU who are inside in VG-1 Dulhera OU. My question is how to give machine rights only on those computers who are inside VG-1 Dulhera OU.
Hello all,
My organization is looking to edit the current default complexity schema. Currently we require users when changing their password that they need to adhere to the following criteria: upper case, lower case, number, special character.
In AD password complexity it only requires 3 of the 4, we would like to change this to match all 4 criteria. How can we edit AD password complexity?
Also what challenges do we face and what possible problems could occur?
Matt Burgos
Hi
I have the need to manage users in one domain, that need to authenticate on a domain B application/software.
Domain A users (I don't manage this domain)
Domain B the application where I need to grant access to users or group in Domain B
I think the best way would be to do a trust between the domains, or can I use AD LDS in some way?
thanks
I'm at a cross roads here and I could use some help.
Our Active Directory system is setup very flat and most gpo's are at the root of the domain. We use filtering to keep them from applying to specific user and computer groups. when necessary, we will implement a different GPO in a Sub UO. We are in a school district, so we want to filter staff and students in different ways. In this case, we have a wireless GPO that requires User Authentication in the root of the Domain.
My Network guy explains this is because aruba and radius will not see the AD authentication in time and will dump the user into the wrong(student) VLan if it doesn't have the AD credential, so we must use User Auth and not Machine Auth. Then if we have say a room full of student machines, we create a OU, place the wireless laptops in there, create a Machine Auth GPO and add it to the folder. if its a student computer, we dont care if it gets dumped into the student vLan.
The problem with this setup is that in order to user auth into a brand new imaged machine, you have to plug into the wall to do an initial log in and cache the credentials, other wise you will never get the wireless to work. This is problematic and inconvenient, and seems like we should not have to do this.
The desired behavior would be to have the root GPO machine auth and dump the authenticated staff members into the correct vLan.
I'm not an expert at AD, or wireless GPO authoring.
I'm not sure if trying User and Computer Auth would solve this problem, or perhaps setting the "Always wait for the network at computer startup and login" to enable.
Any advice appreciated
Hi,
We have a server 2008 R2 Domain with 2 DC's.
we have now problem that some of the users are not able to change thier password from RDweb change password pagehttps://remote.mydomain.com/RDWeb/Pages/nl-NL/password.aspx or when they login to an RDP session to one of our server 2012 R2 RDS servers. I cannot try to change the problematic users password from inside the domain coz these users are external.
users get the error that the username is not exist or the password is not correct!! but this is not the case!!
The strange thing is that I cannot find the event 4723 or 4724 for these users on any of the 2 DC's. I can see these event for other users
Any suggestions?
Thanks
Shahin
Hola a todos, buen día
cordial saludo!
de ante mano, muchas gracias por su tiempo y conocimientos compartidos!
Mi pregunta es la siguiente:
Requiero aplicar una política, que me permita bloquear un Usuario de Dominio, que se autentica en un WebService, y que haya realizado mas de 5 intentos fallidos.
Quedo atento
Muchas gracias por su amable colaboración y por sus conocimientos compartidos!
Henry Osorio O.
Recently we had penetration testing done by security auditor.
In that auditing he extracted all usernames and did brute force attack for checking easily guessable passwords in environment.
My query is how he extracted all usernames without any access...
Any suggestions please...
Hi,
I need your help regarding this.
We have a policy to lock account by some conditions also i have configured conditions to unlock it after certain period of time but the unlocked condition is not working.
The conditions are maintain on default domain policy.
Hi,
I have Windows 2008 R2 domain. I am trying to display the computer's IP address in Active Directory, but I couldn't figure it out. I wonder if it is possible to do it.
Need help!
Thanks in advance!
Grace
Hi All,
In a forest, can we have a domain controller without Global Catalog and Infrastructure Master roles.
If yes, could you please help me in detailed.
Thanks,
Sivakumar Thayumanavan
Not sure if this is the appropriate category/forum, but I'm posting here as this is where I've found a few related issues/queries.
Is there a version of LockoutStatus.exe newer than 1.0.0.60? Several posts from ~5 years ago that described issues similar to what I'm experiencing (being unable to set a password using the tool when required minimum length is greater than 1) mention an internal version (.62?) that was in development at the time but had no timetable for release.
In the last 5 years, has there been any change? Or has everyone switched to a different tool or created their own?
ADMT is not being used anymore? How to migrate users to a new domain?
We have a WIn2008R2/WIn2012R2 AD Forest and we´re facing a new chalenge, to rename the domain and reboot more than 1.600 machines, TWICE?
Or create a new/pristine enviroment and re-create all objects and users?
Or use a tool like ADMT?
Besides Sharepoint and a bunch of tools, we also have MS Office365 with 100% of the mail service in the clous, synching using Azure AD Connect to sync information from AD to Office365
ADMT is not an option anymore?
It´s not compatible with Office365?
Office365 supports users with multiple SIDs?
Have server 2012 which I migrated from sbs 2008. Ran all the migration tools and dcpromo. Everything was working fine but now I can't see the AD users and computers. Not sure what happened. Any help would be awesome.
Hi,
Hopefully a quick question. I am upgrading our 2012R2 DCs to 2016, these will new VMs builds, joined to the existing domain and then decommission the older 2012R2 servers. The question is there is an external trust with another AD forest, is there anything special that I need to do to ensure that this trust is maintained. I assume that so long as the DNS on both domains are updated with the new DC (DNS) servers then the trust should be maintained and no downtime experienced?
Thanks in advance
Rob
Hi,
Intermittently ( 5 out of 10 times) I am seeing an issue.
1. I am logged onto my windows PC (10.10.10.10) with username "test1"
2. From this machine I RDP to another server (192.168.1.10) with a username 'test2'.
However after this I see a logon event in AD stating user 'test2' logged in PC 10.10.10.10 , which is my local PC.Rather AD should be showing user 'test2' logged on to 192.168.1.10.
Please help to identify where the issue could be, is it my PC settings or some issue on AD ?
Hello all,
My organization is looking to edit the current default complexity schema. Currently we require users when changing their password that they need to adhere to the following criteria: upper case, lower case, number, special character.
In AD password complexity it only requires 3 of the 4, we would like to change this to match all 4 criteria. How can we edit AD password complexity?
Also what challenges do we face and what possible problems could occur?
Matt Burgos
Hi,
I need to issue multiple values against a claim - EXACTLY like a list of groups would be. I have tried this with 2 rules, both issuing against the same claim and it works: i.e in the array/list jwt format.
"myClaim" : ["value1", "value2", "etc"],
what I need is the rule syntax to do this in one rule (as I need to issue a lot of values for the ONE claim), i.e myClaim= ' [ "Value1", "Value", "etc" ]' (this does not work - obviously, I get "unexpected input")
Any ideas????
>>> This is issuing a claim with a list of values in one rule, NOT multiple claims in one rule <<<
Regards
Eadmund
Hi,
what is the default settings for computer object complete removal from AD, after the computer was disjoint from domain?
I see few servers that were disjoint a week ago with the sign of disabled account.
I guess it should eventually disappear?
Thx.
--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis