Channel: Directory Services forum

Get AD accounts created between specific dates


Hi Team,

Could anyone help me pull out AD users created between specific dates? I have heard that it is possible to do with Quest AD PowerShell. Can anyone help me with this? Please help.

I am trying to pull the information with the command below, but I need only the accounts created between specific dates.


get-adobject -Filter {ObjectClass -eq "user" -and ObjectClass -ne "computer"} -IncludeDeletedObjects -Properties * | Select-Object displayName,samaccountname,Created,mail,extensionattribute5,IsDeleted,LastKnownParent

Regards

Sriman
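As an added example (not the poster's command and not from the original thread), here is the same query restricted to a creation-date window using the built-in ActiveDirectory module rather than the Quest cmdlets. The date values are constructed samples and the output path is a placeholder; the filter compares the real LDAP attribute whenCreated, which the AD cmdlets surface as "Created".

```powershell
# Added example: list user objects created in a date window.
# Assumptions: RSAT ActiveDirectory module is available; $Start/$End are sample values.
Import-Module ActiveDirectory

$Start = Get-Date '2019-01-01'
$End   = (Get-Date '2019-01-31').AddDays(1)   # exclusive upper bound, so the whole last day counts

# -Filter accepts DateTime variables directly and converts them for LDAP.
# objectClass=user also matches computers (computer derives from user), hence the -ne clause.
$filter = {
    objectClass -eq 'user' -and objectClass -ne 'computer' -and
    whenCreated -ge $Start -and whenCreated -lt $End
}

# -IncludeDeletedObjects keeps tombstoned/recycled accounts in the result; note that a
# plain tombstone retains only a subset of attributes (sAMAccountName and lastKnownParent
# survive, displayName and mail usually do not), so some columns may be empty for them.
Get-ADObject -Filter $filter -IncludeDeletedObjects `
    -Properties displayName, sAMAccountName, whenCreated, mail, extensionAttribute5, isDeleted, lastKnownParent |
    Select-Object displayName, sAMAccountName,
                  @{ Name = 'Created'; Expression = { $_.whenCreated } },
                  mail, extensionAttribute5, isDeleted, lastKnownParent |
    Sort-Object Created |
    Export-Csv -Path "$env:USERPROFILE\Desktop\users-created-$($Start.ToString('yyyyMMdd')).csv" -NoTypeInformation
```

Because the date comparison is done in the filter, only matching objects cross the wire from the domain controller, which matters when the domain is large or when -Properties * would otherwise pull every attribute of every user.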


Proper Domain Delegation in non-standard environment

Hello all!

We are an IT shop that is working on deploying proper administrative AD delegation on our domain. We are working through the information provided by Microsoft and trying to fit it to a specific scenario, and it is not working.

It is my understanding that in a normal scenario you have DCs and member servers. You then have server admins that can have rights to the member servers but not the DCs. This limits exposure of the DCs, and then, according to MS, you only ever log into the DCs in a disaster or build-out situation. The idea being that you never use the domain admin (DA), enterprise admin (EA), or built-in domain Administrators group (BA). You use RSAT to manage users or other servers from a management server/PC, but never log into the DC unless you absolutely have to.

We have deployed this least-privileged concept to our domain and it is working well for the most part.

The problem we are running into is with a larger customer. They have a primary location that has a couple of DCs and some member servers. They also have about 50 locations that each have a single server that is a DC/file server/print server. The issue is: if we have a stripped-down admin account that does not have AD delegation, or only has a few OUs, how do we allow them to log into the DC to manage files and printers without giving too much access? Because there are no local groups on a DC, they are not local admins. Making them local admins would basically make them Active Directory administrators, and we do not want that. How can we accomplish this?

Our ultimate goal is this...

Tier 1 admins - These are users that have rights to the workstations. We have implemented this and it is working fine.

Tier 2 admins - These are users that have access to all member servers and some basic administration on the servers. We can accomplish most of this via RSAT and delegation, but these users are the ones that will occasionally need access to site servers for file shares and print management and should not have full-blown access to AD.

Tier 3 admins - These are very similar to Tier 2 but also have access to the passwords for the DA/EA/BA accounts so they can log into a DC if needed in a disaster scenario or in the instance we are adding a new DC.

It is the Tier 2 admins that are giving me a headache in this scenario because they need site server access but I need to limit the access to AD. Maybe we need to give them the domain access but deny access to the OUs they shouldn't be changing. I am not a fan of that idea though...

Thoughts?

w32tm show different DC than PDC


Hi,


I have all the FSMO roles on DC-B, and that DC is configured to sync with a NTP server outside.

All the clients in the domain are configured to sync with the PDC, so I can see they have NT5DS...

I believed that everyone should sync with DC-B, but some clients show that they sync with DC-A when I run the command "w32tm /query /status". So the question is: is the PDC configuration wrong? Is it not advertising correctly?

I have tried to run the command "w32tm /config /syncfromflags:domhier /update", but it is still the same DC-A.

Is there a problem, or is this normal behavior?


/Regards Andreas

LAPS - Extended Rights


We are looking to implement LAPS in our environment. However, during testing we noticed the following when using PowerShell to check for extended right holders on an OU: Find-AdmPwdExtendedRights -identity:"OU=Test,DC=Test,DC=COM" | format-table extendedRightHolders

The extended right holders displayed include users/groups which are not present on the same OU in ADSIEDIT. For example, if I:

1. Launch ADSIEDIT

2. Right click on TEST OU

3. Go to properties

4. Go to security 

5. Go to Advanced

I don't see the users/groups listed which PowerShell listed. We want to make sure only Domain Admins have access to view the LAPS password. Any idea what I'm missing? Could it be that the users/groups are present on child objects under the TEST OU?

Impact of raising forest functional level


Apologies for dumb question. We raised our domain functional level from Server 2003 to Server 2008 R2 a few months ago, but completely overlooked the forest functional level, which is still at 2003. We only have the one domain though, so is there any issue with raising the forest level that I should be aware of? 

Background... Being overly paranoid here. Prior to introducing our first Server 2016 DC, we had to raise our domain functional level, as it was still on Server 2003 and we were still using FRS for Sysvol replication. We had long since decommissioned our last Server 2003-based DCs. No replication errors showed up at the time. But when I raised the domain functional level from 2003 to 2008 R2, that caused all user passwords in our domain to expire. That was not a good day. As it turns out, there was a fine-grained password policy in place that for some reason took precedence over our default domain policy when I raised the domain functional level. I've since removed the FGP, as it should never have been there, and things seem OK so far. But as I say, now I'm a bit paranoid, as I had been reading up on raising the domain functional level and couldn't find anything that would suggest that would happen. We used to have Exchange years ago but switched to Gmail. We do have some basic Azure AD connectivity.

Thanks,

Syd

Export user list with computer to be able to logon


I'm using AD on Windows Server 2008.

How can I export a user list (CSV) with the computers each user is able to log on to?

Example: there are 2 users, user001 and user002.

There are 2 PCs, PCX and PCY.

user001 can log on to both PCX and PCY.

user002 can log on to PCX only.

The list (CSV) we want to generate is:

user001,PCX
user001,PCY
user002,PCX

thank you. 
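The following is an added example, not code from the original post. It assumes that "can log on to" refers to the account's "Log On To..." restriction, which AD stores in the userWorkstations attribute as a comma-separated list of computer names, and it assumes the ActiveDirectory PowerShell module (shipped with Server 2008 R2 RSAT and later). Accounts with no restriction may log on to any computer, so the script optionally expands them against every enabled computer account; the output file path is a placeholder.

```powershell
# Added example: emit "user,computer" lines from the userWorkstations ("Log On To") restriction.
# Assumptions: ActiveDirectory module present; $OutFile is a placeholder path.
Import-Module ActiveDirectory

$ExpandUnrestricted = $true    # $false: skip accounts that have no Log On To restriction
$OutFile = "$env:USERPROFILE\Desktop\user-computer.csv"

# Enabled computer accounts, used only for unrestricted users.
$allComputers = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name

$rows = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties userWorkstations) {
    if ([string]::IsNullOrWhiteSpace($u.userWorkstations)) {
        if (-not $ExpandUnrestricted) { continue }
        $allowed = $allComputers
    }
    else {
        # The attribute is a single string such as "PCX,PCY"; trim and drop empty entries.
        $allowed = $u.userWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    foreach ($pc in $allowed) {
        [pscustomobject]@{ user = $u.SamAccountName; computer = $pc }
    }
}

# Write the exact two-column form shown in the post (no header, no quoting).
$rows | Sort-Object user, computer |
    ForEach-Object { '{0},{1}' -f $_.user, $_.computer } |
    Set-Content -Path $OutFile -Encoding ASCII
```

Note that this reports only the per-account workstation restriction; rights granted or denied through Group Policy (for example "Allow log on locally" or "Deny log on through Remote Desktop Services") are evaluated on each computer and are not visible from the user object, so a user listed here can still be refused by a computer's local policy.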

Password Expired


Dear Team,

We have a Windows Server 2003 R2 SP2 DC. All the users' passwords were set to never expire. Yesterday I applied the Default Domain Policy with complex passwords enabled, minimum password length: 8 characters, 3 passwords remembered, maximum password age: 60 days, minimum password age: 59 days.

I have removed "password never expires" on a few users, but they are still not able to change their password, nor are they prompted with a password expired message.

Kindly advise.

 

Alternate UPN login with domain trust


Greetings all.

We are currently in the process of an AD migration. Let's say that:

1. DomainA is our current source domain

2. DomainB is our target domain

We currently have a two way, external, non-transitive trust between both domains. We also have DNS forwarders setup in DomainA, pointing to DNS servers in DomainB land. We have done some basic testing with ADMT, and are currently able to migrate accounts with SID history from DomainA into DomainB successfully. 

Now DomainB users have a default UPN of user@domainB.something.net, but an alternate UPN of user@domainB.com can also be assigned.

What we would like to do is migrate our users from DomainA into DomainB with SID history (we have this working so far), and then give them a UPN of user@domainB.com (we tested this after migrating with ADMT, and we can set the UPN to that).

Now what we need is for our users to sit down at a machine still bound to DomainA and have the ability to log in with an account that has been ADMT migrated, using the UPN user@DomainB.com.

We have tested, and can log in on a machine bound to DomainA, as an ADMT migrated user, using only user@DomainB.something.net.

So it's allowing us to log in with what our trusted domain is, user@DomainB.something.net, but it's not recognizing user@DomainB.com????

We bound a VM to DomainB.something.net, and can then log on OK with that ADMT migrated account as user@DomainB.com.

So the alternate UPN of user@DomainB.com is only working on machines that are also bound to DomainB.something.net.

It's obviously something to do with the trust and how the UPNs are working, but I haven't figured it out yet.

Any help would be minty.

Cheers.

 


Script to check if there are users logged on in a server(s)

Hello,
I was wondering if any of you could help me with the following.
I need a better script to check if there are users logged in on a server (or servers).
Right now what I am doing is get the server name and enter it in the command below. This will tell me if users are on it.

qwinsta.exe /server:SERVER

The problem is this is time-consuming. I would prefer the script to grab a TXT file with the list of servers, and show me something like:

SERVER1 .... 0
SERVER2 .... 3
SERVER3 .... 10
SERVER4 .... 0

I have been looking for a script, but I haven't found one yet.
Thank you for your time
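As an added example (not from the original post), the script below reads host names from a text file and prints the "SERVER .... N" summary by parsing the fixed-width table that qwinsta.exe emits. It assumes servers.txt contains one host name per line (placeholder path), that the caller has permission to enumerate sessions on the targets, and it reports servers that cannot be queried instead of silently counting them as zero.

```powershell
# Added example: count user sessions per server from qwinsta output.
# Assumptions: $ServerList is a placeholder path; qwinsta.exe is on PATH.
$ServerList = "$env:USERPROFILE\Desktop\servers.txt"

function Get-SessionCount {
    param([Parameter(Mandatory)][string]$Server)

    # Capture stdout and stderr; @() keeps a single line from collapsing into a string.
    $lines = @(& qwinsta.exe "/server:$Server" 2>&1)
    if ($LASTEXITCODE -ne 0 -or $lines.Count -eq 0) { return $null }   # unreachable / access denied

    # The header line tells us where the USERNAME column starts.
    $header  = [string]$lines[0]
    $userCol = $header.IndexOf('USERNAME')
    if ($userCol -lt 0) { return $null }

    $count = 0
    foreach ($raw in $lines | Select-Object -Skip 1) {
        $line = [string]$raw
        if ($line.Length -le $userCol) { continue }
        # First whitespace-delimited token at or after the USERNAME column; an empty token means
        # a session with no user (the 'services' session, the rdp-tcp listener, an idle console).
        $user = ($line.Substring($userCol) -split '\s+')[0]
        if ($user) { $count++ }
    }
    return $count
}

Get-Content -Path $ServerList | Where-Object { $_.Trim() } | ForEach-Object {
    $name = $_.Trim()
    $n = Get-SessionCount -Server $name
    if ($null -eq $n) { '{0} .... unreachable' -f $name } else { '{0} .... {1}' -f $name, $n }
}
```

Disconnected sessions still have a user name and are counted, which is usually what you want before rebooting or patching a server; filter on the STATE column if only active sessions matter.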

lsass.exe terminated unexpectedly with status code 1


Can anyone help me fix this issue? One of our domain controllers, running Windows Server 2012 R2, keeps rebooting frequently, about 2 times in 10 days, with the error below:

System process lsass.exe terminated unexpectedly with status code 1

Also, do we have any detailed article that explains the error code xxx status?


D.K Konar. NMS


User rights to download

The users in my domain only have User rights. However, some of our users need rights to be able to download files from the Internet and open them. They cannot do that with User rights; they get prompted for an admin login every time. What group can I add them to that will still restrict them from doing anything malicious but yet allow them to download and execute files??

Support analyst

Disable "Add" and "Remove" in Group's Member of


Hi all,

Please be informed that we would like to limit our help desk's permissions for managing group membership in AD.

May I know if it is possible to disable the "Add" and "Remove" buttons in the group's "Member Of" tab but keep the permission in the Members tab?

Thx

We are facing cache credentials issue in one of system (Window Server 2012 r2) not domain joined

Dear All,

Please help me resolve the scenario below.

A Windows Server 2012 system tries, and fails, logon attempts with domain credentials using cached credentials. We have checked the server and it shows no connections in file shares nor in Credential Manager. As per our understanding, cached credentials can be set to zero via the registry or secpol.msc. Can you confirm that this does not affect other processes, as this system is critical and a system restart is not an option?

 

I need assistance, and feedback on this will be highly appreciated.

Debugging Directory Services and Lsass.exe


Hi Guys,

I have some weird issues happening with my DCs, and it is only happening on W2k12 R2 and 2016 DCs.

We have some third-party agents that run on the DCs and are related to logon events.

Somehow, when the server comes up, this agent causes LSASS.exe and Directory Services to shut down.

Due to this you cannot log in to the server at all, and basically the DC becomes non-functional...

How can I debug this scenario, and where can we find exactly what is causing this issue?

Can someone give me direction please?

Thanks,


Gokhan Cil

How to backup Active Directory when D:\Windows\NTDS folders are not on C: volume (no longer part of System State)?


Our architect specified servers for new AD forest and domain. ADDS is to be installed to D:\Windows\NTDS (not the default C:\Windows\NTDS). These are VMs and a cloud provider will be backing up the VMs by snapshot. I suspect the backups of the VMs will be trustworthy (but "suspect" is not good enough in my estimation), so I always like to have my own Microsoft-specified and Microsoft-supported backup in my back pocket for when the complete disaster arrives - so I'm still covered, even if the cloud provider fails.

In the past I've used the usual Windows Server Backup and ran a scripted backup that performs a System State Backup of C: (which would have contained C:\Windows\NTDS, the registry, and all of Active Directory's components on the DC). But now I also have to back up D:\Windows\NTDS, and System State Backup will not be backing up D:.

What is the recommendation?

Here is the essential working section from the scripted backup:

WBADMIN Delete SystemStateBackup -KeepVersions:1 -Quiet >> %MyLogFile% 
WBADMIN Start Backup -BackupTarget:E: -SystemState -Quiet >> %MyLogFile% 

Notice that my script cleans up the destination backup volume E: to minimize the size of the backup and to ensure there is free space prior to starting the backup. WBADMIN does not have an equivalent "Delete" option for non-SystemStateBackup backups. The E: volume is then picked up as a file system backup and archived, so I always have multiple generations of backup history.

So what does Microsoft's Active Directory team recommend for a good solid backup of the DC?

P.S. I had already asked this question in the Windows Server > Backup – Windows and Windows Server forum, but that moderator recommended I ask here.


George Perkins


Changing the NAME attribute on the root domain properties


This is an example of one of the domains in our forest. What are the consequences of changing the Name attribute on a domain itself, if any? Are there any services or anything that is tied to the Name attribute?

I want to be able to change this attribute so that I can pull a name that is easy for the techs to understand.

regional.mydomain.com

Thank you!

Paul

W2008R2: replication error 8418


Hi, I have two servers. Running repadmin /syncall /e /d

I obtain the following message:

CALLBACK MESSAGE: The following replication is in progress:
    From: CN=NTDS Settings,CN=DC01UKIP,CN=Servers,CN=UK-ipswich,CN=Sites,CN=Configuration,DC=group,DC=local
    To  : CN=NTDS Settings,CN=DCHW02,CN=Servers,CN=Napoli,CN=Sites,CN=Configuration,DC=group,DC=local
CALLBACK MESSAGE: Error issuing replication: 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.
    From: CN=NTDS Settings,CN=DC01UKIP,CN=Servers,CN=UK-ipswich,CN=Sites,CN=Configuration,DC=group,DC=local
    To  : CN=NTDS Settings,CN=DCHW02,CN=Servers,CN=Napoli,CN=Sites,CN=Configuration,DC=group,DC=local
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.
    From: CN=NTDS Settings,CN=DC01UKIP,CN=Servers,CN=UK-ipswich,CN=Sites,CN=Configuration,DC=group,DC=local
    To  : CN=NTDS Settings,CN=DCHW02,CN=Servers,CN=Napoli,CN=Sites,CN=Configuration,DC=group,DC=local

In "ADSS", I read different info between the servers; in particular, server DC01UKIP has an old site still visible.

Any suggestion?

Thank You in advance

Export the root certificate from the LDAP directory


The WebLogic server is running on Linux 7. I have created a new OVD provider in the WebLogic server, and SSL is configured for LDAP; for this I generated a keystore file, and I need to export the root certificate from LDAP (Microsoft AD). Can someone please assist with how to export this?? Which path has to contain the root certificate?

DN attribute disappeared from users details

$
0
0

The users from our directory were, without a reason, segregated into several OUs, so we restructured the directory and went from over a dozen OUs to 2: one for users, one for service/testing/other accounts.

After doing this I went to reconfigure a couple of endpoints that bind to LDAP using full DNs, which are hardcoded on them. That's when I realized all DN attributes were gone from the directory. Not only those of the moved elements (the user accounts) but also the ones for computer accounts, as I found out when I went to the OU where they are automatically placed.

It won't appear in the AD Users & Computers MMC modules nor using ADSI... ...and now forget everything I just stated, because while writing this I gave another pass to all the options so as to avoid wasting anybody's time, and in doing so I connected to the directory using Apache Directory Studio and I can see distinguishedName is still in the users' attributes. It just won't appear in Active Directory Users and Computers, ADSI Edit, nor Active Directory Administrative Center.

It's as if it had been deprecated in some way: it's there, but as far as Windows is concerned it isn't. I am remoting into a Domain Controller to check; you can't get any higher than that, authority-wise. There are only two, replication-error-free DCs, BTW. One holds all the FSMO roles and is referenced everywhere, unlike the other, which is there mainly for disaster recovery; it's a tiny directory. Very basic needs.

I asked other admins, but they don't recall making changes on the domain other than moving the users, which wouldn't affect computer accounts. I'm also told a SharePoint farm was installed but soon scrapped in favor of a lighter solution; the VMs have already been deleted. Any idea what could be causing this behavior?


I bet you think this post is about you. Don't you…don't you. ♪

Erroneous Results from Get-ADUser

The AD query below gives me thousands of results, including four named: 7-Jan, 7-Mar, 1-Apr, 8-May.

Get-ADUser -Filter * -SearchBase "OU=Departments,DC=dom,DC=for" | Select-Object samaccountname | export-csv -Path c:\users\me\desktop\wtf.csv -NoTypeInformation

However, when I use PowerShell to ask AD to show me users with the samaccountname of any from the above list, I get nothing:

Get-ADUser -Filter * -SearchBase "OU=Departments,DC=dom,DC=for" | Select-Object samaccountname | Where-Object {$_.samaccountname -eq "7-Jan"}

Does anyone have any idea or explanation for this?
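As an added example (not the poster's code), the script below separates what the directory actually holds from what the exported file shows when it is opened in a viewer. It uses the search base from the post, takes the four names as a constructed sample list, and also checks one common hypothesis, labelled as such: a spreadsheet program opening a CSV will reinterpret values such as 7-1 or 1-4 as dates and display them as 7-Jan or 1-Apr, while Import-Csv leaves the strings untouched.

```powershell
# Added example: verify suspect sAMAccountNames against AD and against the raw CSV.
# Assumptions: search base and CSV path from the post; $Suspects is a constructed sample.
Import-Module ActiveDirectory

$SearchBase = 'OU=Departments,DC=dom,DC=for'
$CsvPath    = 'c:\users\me\desktop\wtf.csv'
$Suspects   = '7-Jan', '7-Mar', '1-Apr', '8-May'

# 1. Ask the directory directly with a server-side, exact-match LDAP filter.
#    (The sample names contain no LDAP metacharacters; escape '*', '(', ')' and '\' otherwise.)
foreach ($name in $Suspects) {
    $hit = Get-ADUser -LDAPFilter "(sAMAccountName=$name)" -SearchBase $SearchBase
    '{0,-8} present in AD : {1}' -f $name, [bool]$hit
}

# 2. Read the exported file back with PowerShell, which performs no date conversion,
#    and see whether the names exist in the file as written.
$fromCsv = Import-Csv -Path $CsvPath | Select-Object -ExpandProperty samaccountname
foreach ($name in $Suspects) {
    '{0,-8} present in CSV: {1}' -f $name, ($fromCsv -contains $name)
}

# 3. Hypothesis check: list values that consist only of digits and one dash (e.g. 7-1),
#    the shape a date-aware viewer would silently render as a month/day.
$dateLike = $fromCsv | Where-Object { $_ -match '^\d{1,2}-\d{1,2}$' } | Sort-Object
'Values a spreadsheet could display as dates: {0}' -f ($dateLike -join ', ')
```

If step 1 and step 2 both return False but step 3 lists entries such as 7-1, the discrepancy is in the viewer rather than in Active Directory; checking the CSV with Import-Csv (or a plain text editor) before acting on "strange" account names avoids chasing objects that do not exist.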