Channel: Directory Services forum

Active Directory User Reports

I would like to generate reports for AD users on criteria like newly created, deleted, modified users, enable, disable and inactive users. I want to generate these reports for past 30 days only. Is there any script or reporting tool available for this purpose?

Active Directory Groups Reporting


I am looking for a report on nested groups from non-local domains (cross-domain, cross-forest, any groups that are nested in a particular domain).

Any thoughts?

Thanks a billion.

Child Domain Error : Event ID 2974


Hi,

We have recently installed a domain, and the FQDN of the child domain is "PDC.PDC.ABC.com". We tried to install the ADC for the child domain. We found that our ADC is not able to contact PDC.PDC.ABC.com and the SYSVOL folder is empty.

So I have a doubt that the name of the child domain, "PDC", might be the issue, so please guide me.

We found the below error:

Event ID 2974:

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=TERMSRV/PDC
CN=PDC,OU=XXX Computers,DC=ABC,DC=com  Winerror: 8647

iTunes disc burning

I have iTunes on my Dell laptop with a CD drive. It used to work OK but then it stopped, so I purchased a remote CD drive to connect via the USB port. I can now play or import from this remote drive, but I still have the problem of not being able to burn to a CD; I get error codes 0CxAA0301 or 0xC0AA0007. Sometimes it will burn one song then stop; other times it seems to burn all the playlist but an error comes up at the end stating a problem occurred. When I try the CD on a CD player there is nothing there. I am using Windows 10 and the latest iTunes update.

dcdiag failed to delete test record


I've (mostly) successfully brought a new 2008R2 AD/DNS server into my existing 2003 domain. I'll be retiring the 2003 servers, then bringing a 2nd 2008R2 DC online. So I'm going through every possible log/test I can on the new 08r2 server to make sure I'm as healthy as possible before progressing. One thing I haven't been able to figure out is a failure when I run "dcdiag /test:dns" - It reports that it failed to delete a test record called 'dcdiag-test-record' in zone domain.local, but when I look at DNS (on all 3 dns servers), I can't find the record it supposedly failed to delete.

Is this something I need to actually worry about?

 

Directory Server Diagnosis

Performing initial setup:
  Trying to find home server...
  Home Server = ADD
  * Identified AD Forest.
  Done gathering initial info.

Doing initial required tests

  Testing server: Default-First-Site-Name\ADD
   Starting test: Connectivity
     ......................... ADD passed test Connectivity

Doing primary tests

  Testing server: Default-First-Site-Name\ADD
   Starting test: DNS
     DNS Tests are running and not hung. Please wait a few minutes...
     ......................... ADD passed test DNS

  Running partition tests on : ForestDnsZones
  Running partition tests on : DomainDnsZones
  Running partition tests on : Schema
  Running partition tests on : Configuration
  Running partition tests on : DOMAIN

  Running enterprise tests on : DOMAIN.local
   Starting test: DNS
     Test results for domain controllers:

      DC: ADD.DOMAIN.local
      Domain: DOMAIN.local

        TEST: Dynamic update (Dyn)
         Warning: Failed to delete the test record dcdiag-test-record in zone DOMAIN.local

        ADD             PASS PASS PASS PASS WARN PASS n/a
     ......................... NAPA.ncty passed test DNS

Monitor user activities


Hi,

We have Windows server 2008 and 2012 DCs.

Please let me know how to log and monitor all the activities of admin users on the DCs and also in Exchange. We do not plan for any third-party solutions; please let me know any method built into Windows.

Would like to force replication immediately to all domain controllers in the domain by command

I would like to force replication immediately to all domain controllers in the domain by command.

Does repadmin /syncall meet this?

Export the root certificate from the LDAP directory


The WebLogic server is running on Linux 7. I have created a new OVD provider in the WebLogic server and SSL is configured for LDAP; for this I generated a keystore file and I need to export the root certificate from LDAP (Microsoft AD). Can someone please assist with how to export this? Which path has to contain the root certificate?


How to turn on Windows features on Windows client machines using GPO

Hello,

I would like to know how to turn on Windows features like Telnet and IIS using GPO on Windows client machines.

Thanks,


Thanks

Get-ADPrincipalGroupMembership - Global Catalog Issues???


So I'm trying to understand if we have an issue here or not…

 

We have a PowerShell script that uses the Get-ADPrincipalGroupMembership cmdlet. 

 

One of our domain controllers was offline temporarily and the script suddenly started to fail with an error stating, "The server is not operational." When the domain controller came back online the script suddenly worked again.

 

From what I can tell, the Get-ADPrincipalGroupMembership cmdlet requires a global catalog to perform the group search, so I presume the domain controller in question was somehow the global catalog server of choice for the server running the script. However, I'm confused as to why the server would not simply try to locate another global catalog server in the site (of which there are two).

 

If I run Get-ADForest, I can see all the global catalog servers listed correctly. The DC in question has held FSMO roles in the past, but does not any longer.

 

So the question is, does the above behavior indicate some kind of issue? I wouldn't expect the loss of a single domain controller in a site with multiple domain controllers to cause this issue.



Remove 2008 Domain Controller from the domain


Hi,

We are replacing a Server 2008 R2 domain controller with a Windows Server 2012 R2 domain controller at a remote site.  We installed a server running Windows Server 2012 R2 and the Active Directory.  In order to test that the new server was functioning correctly, we shut down the 2008 R2 server.  Unfortunately, we have not been able to get back to the remote site for over a week, and now we would like to boot up the 2008 R2 server and remove the Active Directory.  Is it alright to boot up the 2008 server, since it has been off the network for so long?  Additionally, no new users have been created, and no security changes have been made in the last week.  Please let me know if we can bring the 2008 server back online without any issues, so that we may remove the AD from it.

Thanks in advance.

Ed Khan

Subnets to Use for Remote Sites


Hello,

We have to deploy a new Active Directory in a remote site. In the remote site, we have a VLAN for users, Wi-Fi and servers.
Should I declare all these subnets (VLANs) in my Active Directory sites? If not, what normally should be declared in my case?

Regards

log to computers.


Hi all,

My environment consists of 2 domain controllers (dc1 and dc2)

and Exchange 2010 that consists of 4 servers:

2 HUB/CAS servers (srvhc01, srvhc02)

2 mailbox servers (MBx01, MBX02). All of these servers reside in the same site.

One of the admins in Active Directory decided to set the "log on to computers" for each user to contain the user's computer only. But that means users can't access the Outlook Web Access mail, so besides adding the users' computers to "log on to computers", he added (srvhc01, srvhc02).

But I noticed that the Outlook client keeps prompting for user name and password for a shorter period of time,

so I added DC1 and DC2 to "log on to computers" in each user. The solution is still under test.

So the question: what servers shall I add in the "log on to computers" so that I do not disturb logging in to Exchange services?

Is my conclusion right: "the reason Outlook keeps prompting for user name and password is because the user logs on to Active Directory through the hub/cas server"?

Please help me because my manager insists on applying this.

When attempting to install the Active Directory Management Gateway service, the installation fails with the error "the update does not apply to your system".


To whom it may concern,

I'm trying to get the Active Directory Web Services installed on my Windows Server 2008 box. The update is Windows6.0-KB968934-x64, and I keep getting the error message stated in the title. After researching, it seems that a next rollup is needed, but I can't find it. It seems that maybe I need to ask the Microsoft people directly. Any help would be greatly appreciated. I know updating to a newer version of Windows will probably solve this problem, but I'm not ready to do so yet.

Regards,

Some DNS requests timed out on the client, but worked on DC


I have a weird problem. When I do an nslookup on this particular domain name, it shows timed out on my Windows 10 client and I can't access this website, but if I log onto the DC/name server, DC02, it works just fine.

All other websites work just fine.

Any suggestion as to why this is happening and how to resolve this?

On the client:

C:\Users\JSMITH>nslookup p2energysolutions-my.sharepoint.com
Server:  dc02.company.com
Address:  172.16.9.212

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to  dc02.company.com timed-out

On the DC02

C:\Users\JSMITH_da>nslookup p2energysolutions-my.sharepoint.com
Server:  UnKnown
Address:  ::1

Non-authoritative answer:
Name:    spo-0004.spo-msedge.net
Address:  13.107.136.9
Aliases:  p2energysolutions-my.sharepoint.com
          p2energysolutions.sharepoint.com
          prodnet10511-10480edgea0000.sharepointonline.com.akadns.net
          prodnet10511-10480a0000.sharepointonline.com.akadns.net.spo-0004.spo-msedge.net





During past x amount of hours 37 connections to this domain controller?


Hey friends,

I am trying to troubleshoot the cause of one of my domain controllers (vmware virtual server servers) shutting down last night, and while looking through the System log in the Event Viewer I spotted something, and I am trying to determine how concerned I should be about it. The first sentence concerns me the most because I am not sure if it's an issue or not. At that location we do have users from other offices go there and log in, so they should be hitting that domain controller anyway.

Also, in Computer Management, under Shared Folders I looked at the "Sessions" folder and can see a mix of authenticated computers that are local to that site and also some from other sites. I am thinking those are visitors to the office?

Below is from the System log in the Event Viewer.

During the past 4.21 hours there have been 60 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.


Phil Balderos

GPO for disabling client administrator accounts on my Domain.

Hi, I am attempting to disable the built-in local administrator accounts for all of my client PCs on the domain using group policy preferences. My domain runs Server 2012 and the computers I am trying to disable the local admin account on are Win 7 and 10 Pro. I have created the GPO through 'Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options' and then selected the option for 'Accounts Administrator Account status' and set it to Disabled. (Assuming disabled means to disable all admin accounts on the client computers within the domain.) I have linked the GPO to an OU with the PCs of my choice and enabled the link. In the scope I have added the machine group called Brandall that I am targeting. Under delegation I applied the policy to 'Domain Admins' and the machine group 'Brandall'. Authenticated Users is not added. I then raised the precedence of the GPO to '1' on the OU. I then went to the client computer, ran gpupdate /force and rebooted. Once rebooted, I ran 'gpresult /r' and it shows that the GPO has not been applied. However, when I run 'gpresult /r /scope computer' it shows that the policy has been applied. Sadly, when I check to see if the local administrator account on the client machine is disabled, it is not. I have tried multiple methods and nothing seems to work. What am I doing wrong?

Support analyst

FGPP vs Default password policy


I am in the process of setting up FGPP, but am seeing conflicting results. Here is my scenario:

- There is no default domain policy. The previous IT team have disabled all settings in the default domain policy, yet all domain clients receive the default 42 domain policy regardless. When I look at password settings in RSOP, there is 'not configured' for all password entries.

- I have created my FGPP in Adsiedit, applied it to my IT security group and added a user (myself).

- After creating, when I run against my account, dsgetuser "CN=etcetcetc" -effectivepso I get the response saying the policy is applied to the user.
- When I run get-aduserresultantpasswordpolicy -identity username I get the applies to policy, and I see my account max password age is as I have set in the policy (90 days).

However, when I then run net user /domain username, I see my password is still set to expire within the default 42 days.

The AD attribute msDS-ResultantPSO shows my IT password policy as well.

Yet still, net user /domain username and the lockoutstatus.exe tool show my password will expire in 42 days. I have also tried resetting my password since implementing the policy and the new expiry time shows up as 41 days 23 hours straight away. Can someone advise why the two are clashing, and how I can fix this?


GPO Policies?

Hi All,

I am a little confused as to what policies are actually kicking in on my newly built machine on our domain.

We have a number of GPO Computer Policies that say they have been applied. Two of these policies are Default Domain policies. One is at the top level of the tree structure, is Not Enforced but Link Enabled. Security Filtering is applied to Authenticated Users.

Two is at the OU level of the tree structure, is Not Enforced but Link Enabled. Security Filtering is applied to Authenticated Users.

When I carry out a gpresult /r I see both of these as being Applied Group Policy Objects. Does that mean that they are both being applied? They don't have identical policies as there are some differences. I am getting confused as to which one is actually used.

Any help or explanation would be greatly appreciated.

Regards.

Cleaned up old GPO's, but they're still in SYSVOL


Hi all, 

I'm tidying up one of my test domains and have deleted ALL GPOs (via GPMC) with the exception of the Default Domain Policy and the Domain Controllers Policy. 

There is only 1 DC in the domain; however, when I look under \SYSVOL\domain\Policies, the GPO folders are still present, all 1,970 of them.

I've attached a screenshot from the DC showing the 2 remaining GPOs, and the 1,970 GPO folders. I've checked the content and it looks like just the folder structure remains, there are no actual files.

Shouldn't they have been deleted along with the GPOs? Is it safe to delete them manually?




