Channel: Directory Services forum

Cleaned up old GPO's, but they're still in SYSVOL


Hi all, 

I'm tidying up one of my test domains and have deleted ALL GPOs (via GPMC) with the exception of the Default Domain Policy and the Domain Controllers Policy. 

There is only 1 DC in the domain; however, when I look under \SYSVOL\domain\Policies, the GPO folders are still present, all 1,970 of them.

I've attached a screenshot from the DC showing the 2 remaining GPOs, and the 1,970 GPO folders. I've checked the content and it looks like just the folder structure remains, there are no actual files.

Shouldn't they have been deleted along with the GPOs? Is it safe to delete them manually?






W7: Locked user account - "Road warrior" - how to get them back "online"


Hi everyone,

I locked a user yesterday because of problematic traffic and kicked him out of the VPN.

Today I inspected his notebook after re-enabling the user and everything was fine. So I thought...

After lunch he called and said he cannot log in because his account is disabled. In AD his account was enabled in the morning.

So we are stuck at the login screen. He has no possibility to go to an office. We have a dummy user that can log in and start a VPN session. So I thought: runas user, and then the client would save the unlocked state of this user.

Well, it did not. How do I re-enable a remote worker after he got disabled?

My next approach is "Switch user"; I hope this will work. But what is best practice here?


Regards, Stephan

Create A bulk users without login permission on domain

Please help me: we want to create approx. 250 users without login permission on our domain. We are using Windows Server 2016 Active Directory.

Mapping Network Drive via GP for Security Groups - Win Server 2016


Hello,

I would like some help with mapping network drives for multiple users via group policy that are all in pre-organised security groups. 

I have seen a few posts/videos, documents on how to map via group policy but how do we apply it to specific security groups?

For example we have two security groups with:

HR - 10 users

MARKETING - 20+ users

I want it to apply only to those groups, with the specific users inside those groups.

Thank you - I have looked at several posts and other resources before posting.

Default Domain Policy processing failed.


Hi all,

I'm currently having an issue with the processing of the Default Domain Policy. I have 2 DCs in my environment and the replication is healthy, verified using repadmin. But when I check group policy, one of the AD servers shows the error message below. In addition, the event viewer only shows this policy, so I suspect the others are working fine. Hope I can get some help from you guys. Thanks




Numerous Machines losing Domain Trust periodically


Domain Controllers Windows 2012 R2
Schema Version 69
ForestMode Windows 2008R2
DomainMode Windows 2008R2

I have numerous Windows 7 SP1 machines that have broken trust relationships.

I have reset the trust using netdom and manually through the Computer Management GUI.

Some appear to be addressed, others have the same issue within a few days.

I can set the following in a GPO, but I would like to know why this is occurring.

 Domain member: Disable machine account password changes Enabled
 Domain member: Maximum machine account password age 0 days

I have analyzed the event logs on the affected machines, but nothing stands out.

Any suggestions or tools that I may use to determine root cause?

Thanks in advance.


Some DNS requests timed out on the client, but worked on DC


I have a weird problem. When I do an nslookup on this particular domain name, it shows timed out on my Windows 10 client and I can't access this website, but if I log onto the DC/name server, DC02, it works just fine.

All other websites work just fine.

Any suggestion as why this is happening and how to resolve this?

On the client: 

C:\Users\JSMITH>nslookup p2energysolutions-my.sharepoint.com
Server:  dc02.company.com
Address:  172.16.9.212

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to  dc02.company.com timed-out

On DC02:

C:\Users\JSMITH_da>nslookup p2energysolutions-my.sharepoint.com
Server:  UnKnown
Address:  ::1

Non-authoritative answer:
Name:    spo-0004.spo-msedge.net
Address:  13.107.136.9
Aliases:  p2energysolutions-my.sharepoint.com
          p2energysolutions.sharepoint.com
          prodnet10511-10480edgea0000.sharepointonline.com.akadns.net
          prodnet10511-10480a0000.sharepointonline.com.akadns.net.spo-0004.spo-msedge.net




Syslog daemon and Auditing daemon

What is a SYSLOG daemon? What is an auditing daemon?





What does error code 8007203c mean?

While performing modification actions in Active Directory, error 8007203c occurs.

How to turn on windows features on windows client machines using gpo


Hello,

I would like to know how to turn on Windows features like Telnet and IIS using GPO on Windows client machines.

Thanks,


(apparently) random AD accounts keep being locked due to wrong logins


Hello there,

We have had an issue since the beginning of August where Active Directory accounts are being locked - not always the same accounts. It really seems to happen randomly. So far these accounts have no special attribute or group or whatever in common; I mean nothing that separates them from the accounts not being locked.

Google provided me a script which gives me the time, username, hostname and IP of the machine where the lock happened (it gathers the DCs' event log and searches for EventID 4771 (Kerberos pre-authentication failed)). But it does not get me any further. I find nothing helpful in the event log of the machines where the lock happens.

I activated a GPO so that the attribute msDS-FailedInteractiveLogonCount is counted, and I monitor it with Netwrix. On "special days", e.g. yesterday, several accounts went up by one; on other days nothing happens.

I researched the process which is responsible: svchost.exe -k netsvcs -p. But does it help me find the program which leads to this behaviour? It could be several things according to Google, e.g. Task Scheduler. We don't push scheduled tasks to the machines with a possibly outdated password, and on the machines I researched no suspicious task could be found.

I have started Performance Monitor according to this link (we did not have any domain migration, but I gave this link a try to monitor Kerberos activities):

https://blogs.technet.microsoft.com/askpfeplat/2013/12/15/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers/

In this report even two locks actually happened. But it is a really large file. Although it seemed to work, I did not find anything helpful again. No question: maybe I have been searching wrong - that's why I am writing... surprise.

I hope I could summarize everything I did. Maybe some help to get a new trace which leads us to the mole?

Everything in general I find on Google is more like some service using an old password to log in... but on the machines of so many users? And even if, and we push it out via GPO, why not all users then? So I am lost...

We have a Windows 2012 R2 domain and DCs. Clients are Win10 Enterprise 1803.

If you need more information, please ask. I tried to make it as short as possible with all the "helpful" information I have.

Thanks for your help.

GPO for disabling client administrator accounts on my Domain.

Hi, I am attempting to disable the built-in local administrator accounts for all of my client PCs on the domain using group policy preferences. My domain runs Server 2012 and the computers I am trying to disable the local admin account on are Win 7 and 10 Pro.

I have created the GPO through 'Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options', then selected the option 'Accounts: Administrator account status' and set it to Disabled (assuming Disabled means to disable all admin accounts on the client computers within the domain).

I have linked the GPO to an OU with the PCs of my choice and enabled the link. In the scope I have added the machine group called Brandall that I am targeting. Under delegation I applied the policy to 'Domain Admins' and the machine group 'Brandall'. Authenticated Users is not added. I then raised the precedence of the GPO to '1' on the OU.

I then went to the client computer, ran a gpupdate /force and rebooted. Once rebooted I ran 'gpresult /r' and it shows that the GPO has not been applied. However, when I run 'gpresult /r /scope computer' it shows that the policy has been applied. Sadly, when I check to see if the local administrator account on the client machine is disabled, it is not. I have tried multiple methods and nothing seems to work. What am I doing wrong?

Support analyst

Test-ComputerSecureChannel is false and minutes later is true

I have no clue how to troubleshoot the secure channel, but it appears I am having secure channel issues. When I run Test-ComputerSecureChannel the result returns false, and minutes later the result is true. This is happening on multiple devices all over my domain. What can cause a client to be false and then true? How do I track this down?

LAPS - Extended Rights


We are looking to implement LAPS in our environment. However, during testing we noticed this when using PowerShell to check for extended right holders on an OU: Find-AdmPwdExtendedRights -identity:"OU=Test,DC=Test,DC=COM" | format-table extendedRightHolders

The extended right holders displayed include users/groups which are not present on the same OU via ADSIEDIT. For example, if I:

1. Launch ADSIEDIT

2. Right click on TEST OU

3. Go to properties

4. Go to security 

5. Go to Advanced

I don't see the users/groups which PowerShell listed. We want to make sure only Domain Admins has access to view the LAPS password. Any idea what I'm missing? Could it be that the users/groups are present in child objects under the TEST OU?

Renaming a domain controller did not create new computer account in AD but kept old one


I have been having issues, from the Netlogon service not starting to the Time service not starting, which through a few hours of research finally led me to an issue.

Bear with me as I describe what I did and then what happened.

I have 2 DCs which have been running fine for some time:

  • NEXUS (Server 2008)
  • NEXUS-NEW (SERVER 2012)

I wanted to upgrade NEXUS (Server 2008) to Server 2012 and eventually give it the same computer name and IP address.

Here are the steps I took:

  1. I created a new 2012 DC and called it NEXUS-UPGRADE
  2. Made sure all FSMO roles were held by NEXUS-NEW, which they already were
  3. Promoted NEXUS-UPGRADE to a DC and confirmed it was working... everything checked out.
  4. Went to NEXUS (Server 2008), ran dcpromo and demoted it to a regular server... everything checked out.
  5. Renamed NEXUS (Server 2008) to NEXUS-OG
  6. Changed the IP address of NEXUS-OG to a different one
  7. Shut down NEXUS-OG
  8. Went to NEXUS-UPGRADE, renamed it to NEXUS and changed the IP address to the original IP
  9. Rebooted the server

At this point everything seemed fine.

The next day I started having time sync issues with computers on the network as well as DNS issues. I went to DNS and saw that there were some forward and reverse entries with the new server's original name NEXUS-UPGRADE, so I changed them all to NEXUS.

Still having issues

Ran dcdiag /v and saw that it was having replication issues and was still looking for the name NEXUS-UPGRADE.

Went to regedit, searched for NEXUS-UPGRADE entries and fixed them all to NEXUS.

Still having issues

Finally I went to Active Directory and saw that the domain controller accounts listed were NEXUS-NEW and NEXUS-UPGRADE.

NEXUS is missing!!

So basically what happened was that when I changed the computer name of the new server I created back to NEXUS, that change did not happen in AD. It still has its original name.

My idea is to change the new server from NEXUS to something else and then go back and change it to NEXUS again. I tried using netdom and Computer Properties, but they error out.

The problem is, when I try to change it I get an error that the original computer account does not exist, which it doesn't, and I cannot change the name.

How can I get AD to create a computer account for my new AD (NEXUS)?

I hope this makes sense


How to find out when your domain password will expire


Hi all,

Today I applied a PSO on a test OU and wanted to know when the user's password will expire.

Is there any command to get this information?

I ran net user %USERNAME% /domain but did not receive any output.

-Atul


TheAtulA


Unable to join Windows 10 clients in domain


Hi 

I have been unable to join Windows 10 client PCs to the domain for a few days, but I can still add Windows 7 PCs. While joining the domain it says "Network path not found". I have tried so many resolutions, but still nothing works.

Please help me with this

Thanks

Backed Up Server 2012r2 Domain Controller VM - Keeps loading on Please Wait after network setup (IP address/Subnet Mask/DNS)


Hi IT Experts,

I need help. Here's the background:

Every half year I boot up a backup image of a Server 2012 R2 Domain Controller (with DNS, DHCP, Print Server, File Server, Folder Redirection) to test whether it is working perfectly. If you need to know, I am using ShadowProtect to back up incrementally every day, and when I restore the image the RPO is the night before. As usual, I boot up the virtual server with the network disabled. No problem logging in.

After enabling the network, configuring the IP address, subnet mask, gateway and DNS (127.0.0.1), and rebooting the server, it keeps loading on "Please Wait". I have waited for 1 hour, but it remains the same. So I turned it off and disabled the network. When I turned it on again, I was able to log in again.

Can anyone guide me on what I can do to resolve this?

Thanks in advance.

Subnets to Use for Remote Sites


Hello,

We have to deploy a new Active Directory in a remote site. In the remote site, we have a VLAN for users, Wi-Fi and servers.
Should I declare all these subnets (VLANs) in my Active Directory sites? If not, what normally should be declared in my case?

Regards 

We are facing cache credentials issue in one of system (Window Server 2012 r2) not domain joined

Dear All,

Please help me resolve the scenario below.

A Windows Server 2012 system has been trying and failing logon attempts with domain credentials using cached credentials. We have checked the server and it shows no connections in file shares nor in Credential Manager. As per our understanding, cached credentials can be set to zero via the registry or secpol.msc. Can you confirm whether this affects other processes, as this system is critical and a system restart is not an option?


Need assistance; feedback on this will be highly appreciated.