Channel: Directory Services forum

User rights report

Can anyone tell me how I can obtain a system-generated list of privileged user rights (e.g., users with full system access or access to security administration functionality) or a system-generated report of all privileged users in the system? Privileged users will be those users who have access above and beyond what a typical end user would have. As an example, they may be able to change password configurations or administer user access.

Support analyst


User rights to download

The users in my domain only have User rights. However, some of our users need rights to be able to download files from the Internet and open them. They cannot do that with User rights; they get prompted for an Admin login every time. What group can I add them to that will still restrict them from doing anything malicious but yet allow them to download and execute files?

Support analyst

User rights report

Can anyone tell me how to obtain a system-generated list of privileged user rights in Active Directory (e.g., users with full system access or access to security administration functionality), or how to provide a system-generated report of all privileged users in the system? Privileged users would be those users who have access above and beyond what a typical end user would have.

Support analyst

Stop new objects in some OU from inheriting from Account Operators

Hi

How can I stop newly created objects from inheriting from Account Operators?

thanks


KCC could not add this Replica Link due to error

In the process of migrating DCs to new hardware. I have 2 Windows 2008 R2 DCs on older servers, 1 Windows 2012 R2 VM DC on Hyper-V, and 1 Windows 2012 R2 DC on a new server. All was working well for several weeks. Four days ago, after a network outage on the new DC, I started getting replication errors. I noticed DNS on the new server was not populating and the server was in the wrong time zone (we don't use DST). I corrected the time zone, reset that machine's password using netdom resetpwd and rebooted. DNS is now working but replication is not. Ran DCDiag and everything passes except for:

From GoodDC02 to BadDC3
            Naming Context: DC=ourdomain,DC=com
            The replication generated an error (8453):
            Replication access was denied.
            The failure occurred at 2018-11-13 09:46:03.
            The last success occurred at 2018-11-09 09:59:37.
            98 failures have occurred since the last success.
            The machine account for the destination BadDC3.
            is not configured properly.
            Check the userAccountControl field.
            Kerberos Error.
            The machine account is not present, or does not match on the.
            destination, source or KDC servers.
            Verify domain partition of KDC is in sync with rest of enterprise.
            The tool repadmin/syncall can be used for this purpose.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source GoodDC02
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.

I can ping between all DCs using IP address, name, or GUID. When I run repadmin /showreps, all the other DCs are replicating, but BadDC3 shows "KCC could not add this Replica Link due to error" and "error 8453 Access was denied". I followed the ADSI Edit articles and BadDC3 has delegation, DNS is set the same as on the other DCs, and UserAccountControl shows 0X82000 (Server_Trust_Anchor|Trusted_For_Delegation) on all servers. In AD Sites and Services I see 2 connectors between each domain controller: GoodDC01 connected to GoodDC03 and BadDC3, GoodDC02 connected to GoodDC03 and BadDC3, GoodDC03 connected to GoodDC01 and GoodDC02, except for BadDC3, which is connected to GoodDC01, GoodDC02, and GoodDC03. After two days I do not know what to look for.

Thoughts?


eburch@lasertel.com

Adding Columns That Are Attributes

Hello All,

I was wondering if there is a way to add a column for an attribute that already exists, such as assetnumber. This is a hidden attribute, but I enabled it and now want to see it as a column in Users and Computers. Or is the only way to do this to make a new attribute every time?

Find all Custom Attributes from Schema

So, I'm using the Get-ADObject cmdlet in PowerShell to retrieve all attributes from the Schema. It's working fine, but our end goal is to narrow down that list to only attributes that have either been added by a product that isn't from Microsoft or attributes that were added manually. We can do this manually, but it would take some time and effort that we would like to avoid. We could also make some assumptions, but those may exclude some custom attributes from the list. (Name -notlike "ms-*" and WhenCreated -gt 01/01/2000)

Is there a script or tool that can accomplish this? I'm coming up empty on my search engine research.

Also, what's up with a lot of the attributes having a creation date of 10/21/1630? I haven't been able to find anything on that date related to MS/Windows.
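One way to get a more reliable first cut than the name/date heuristic is to key on the attribute's OID: Microsoft registers its own attributes under the 1.2.840.113556 arc, and the base X.500 and RFC "pilot" attributes live under well-known standard arcs, so anything outside those arcs was registered by a third party or created by hand. The script below is an added example, not the poster's code; it assumes the ActiveDirectory module, read access to the schema partition, and that the set of "known" arcs listed in it is complete enough for your forest (anything it flags still deserves a manual look). It also runs the poster's own name/date filter and diffs the two results so you can see what each approach misses.

```powershell
# Added example: list schema attributes whose OID is not under a known vendor/standard arc.
# Assumes the ActiveDirectory module and rights to read the schema naming context.
Import-Module ActiveDirectory

$SchemaNC = (Get-ADRootDSE).schemaNamingContext

# Every attributeSchema object in the forest schema, with the properties needed for the report
$AllAttributes = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(objectClass=attributeSchema)" `
    -Properties lDAPDisplayName, attributeID, whenCreated, isDefunct

# OID arcs that ship in a default forest (assumption: treat these as "not custom")
$KnownArcs = @(
    "1.2.840.113556.",          # Microsoft
    "2.5.",                     # X.500 standard attribute types (cn, sn, ou, ...)
    "0.9.2342.19200300.100.",   # RFC 1274 pilot attributes (uid, mail, ...)
    "2.16.840.1.113730."        # Netscape (inetOrgPerson-related attributes)
)

function Test-KnownArc {
    param([string]$Oid)
    foreach ($Arc in $KnownArcs) {
        if ($Oid.StartsWith($Arc)) { return $true }
    }
    return $false
}

# Candidates for "custom": OID outside every known arc
$ByOid = $AllAttributes | Where-Object { -not (Test-KnownArc $_.attributeID) }

# The poster's heuristic, for comparison
$ByNameAndDate = $AllAttributes | Where-Object {
    $_.Name -notlike "ms-*" -and $_.whenCreated -gt (Get-Date "2000-01-01")
}

# Report: one row per attribute, showing which heuristic caught it
$ByOid | Sort-Object whenCreated |
    Select-Object lDAPDisplayName, attributeID, whenCreated, isDefunct |
    Export-Csv CustomSchemaAttributes.csv -NoTypeInformation

# Anything in one list but not the other is worth a second look:
# "<=" rows were flagged by OID only, "=>" rows by name/date only
Compare-Object -ReferenceObject $ByOid -DifferenceObject $ByNameAndDate -Property lDAPDisplayName
```

The OID check is deliberately conservative: it never hides an attribute just because someone gave it an ms- prefix or because the schema was extended long ago, and the Compare-Object output shows exactly where the two heuristics disagree.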

Remove Orphaned Server 2003 Domain Controller

I'm in the process of replacing our legacy domain controllers with Windows Server 2016 Standard running on VMware 6.7 hosts. The existing DCs are running Windows Server 2003 R2 with SP2 and Windows Server 2008 with SP2 on physical Dell servers that will be retired. Forest Functional and Domain Functional levels are both Server 2003. Prior to promoting the VM running Windows Server 2016 Standard to a DC and GC, I need to remove an old orphaned domain controller that failed about a year back but whose metadata was never removed. I have read several articles that provide the steps to remove an old DC that is dead/offline by running metadata cleanup, removing the DC from Active Directory Sites and Services along with any remaining DNS records.

My question is regarding a Microsoft script that I located that will perform the metadata cleanup automatically, and it appears to work in my current setup based on what I've read. The link is attached below. To further complicate my setup, my AD consists of two (2) AD sites that are connected via secure VPN but are using separate subnets. All online DCs are also GCs and run DNS in AD-integrated mode. AD health is fine other than the offline DC that I need to purge.

Does the fact that I have two (2) sites matter as long as they can see each other and replication is currently working for the online DCs?

https://gallery.technet.microsoft.com/ScriptCenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3/

Thanks for any input.

Ken


LAPS - Permission chaos - Desktop Admins vs Server Admins

In my organization, all desktop admins have been given permission from the root of the domain to the entire OU tree on computer objects.

We implemented LAPS for workstations and it is fine. They can read the passwords of all workstations. We are global, with 100s of locations worldwide.

Now the challenge is, we want to implement LAPS on servers. This will expose the passwords of servers to desktop admins.

Our servers are in a "Servers" OU under each location OU.

We can block the permission of desktop admins at this OU. However, it is manual work every time. If someone creates a new Servers OU and places servers in it, and forgets to block Desktop Admins, server passwords are exposed.

To avoid this, we can also write a periodic script, which will scan servers in AD and their OUs, then deny permission to desktop admins on those OUs.

Still not a comfortable solution for our IT.

What is the standard way to set up permissions for LAPS on servers / workstations?
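Before writing a script that changes ACLs, it helps to have one that only reports: a periodic audit that finds every OU currently holding a server and lists which principals can read the LAPS password there, so a newly created Servers OU that still grants the workstation admins shows up rather than silently leaking. The script below is an added example, not the poster's code. It assumes the ActiveDirectory module and the LAPS AdmPwd.PS module (Find-AdmPwdExtendedRights reports the holders of the extended right that covers ms-Mcs-AdmPwd), that server computer objects can be identified by their operatingSystem attribute, and that the desktop admin group is named as shown; change that name for your domain.

```powershell
# Added example: audit, per OU that holds a server, who can read LAPS passwords.
# Assumes ActiveDirectory and AdmPwd.PS modules; the group name below is an assumption.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$DesktopAdmins = "CORP\Desktop Admins"   # assumed name of the workstation admin group

# Collect the distinct parent containers of server-class computer objects.
# Splitting the DN on the first comma is adequate for ordinary computer names
# (it would break on an escaped comma in the CN, which is rare for computers).
$ServerOUs = Get-ADComputer -LDAPFilter "(operatingSystem=*Server*)" -Properties operatingSystem |
    ForEach-Object { ($_.DistinguishedName -split ",", 2)[1] } |
    Sort-Object -Unique

function Get-LapsExposureReport {
    param([string[]]$OUs, [string]$Principal)
    foreach ($OU in $OUs) {
        # One row per OU in the subtree; ExtendedRightHolders lists who can read the password
        $Rights = Find-AdmPwdExtendedRights -Identity $OU
        foreach ($Entry in $Rights) {
            [PSCustomObject]@{
                OU       = $Entry.ObjectDN
                Exposed  = ($Entry.ExtendedRightHolders -contains $Principal)
                Holders  = ($Entry.ExtendedRightHolders -join "; ")
            }
        }
    }
}

$Report = Get-LapsExposureReport -OUs $ServerOUs -Principal $DesktopAdmins

# Anything with Exposed = True is a Servers OU where the workstation admins still inherit read rights
$Report | Where-Object Exposed | Sort-Object OU | Format-Table -AutoSize
$Report | Export-Csv LapsServerExposure.csv -NoTypeInformation
```

Running this on a schedule turns the "someone forgot to block Desktop Admins" case into a report line rather than an exposed password, and the same output is the evidence you would want before deciding whether to move servers into a dedicated OU tree where the workstation delegation is never granted in the first place.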

Help! Missing ntfrs registry keys on both DCs

Hello, I have two 2008 R2 domain controllers in my network and a working Exchange 2010 server.

Recently I realised I have some issues with Netlogon replication, and in the process of trying to solve it I decided to do a SYSVOL restoration. So I stopped the service, opened regedit and was going to change the needed registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup, but there are no such keys on my servers; the only thing I have there is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\sysvol

I checked the secondary domain controller and there are no such keys there either. As I understand it, this is a major issue and I have no idea how to solve it. Can someone please help me?



netlogon error in server 2012

Our Server 2012 is throwing continuous Netlogon errors and our internet speed has become very slow. Can you please help me resolve this issue?

DFS - Wrong Targets

I have some App-V Shared Content Stores, all of which are referenced by a DFS Namespace.

Consider this: I have 2 servers. Server A on 10.100.1.1 and Server B on 20.200.2.1.

I also have 2 App-V SCSs, SCS A on 10.100.1.2 and SCS B on 20.200.2.2.

Both Server A and SCS A hang off the same switch and are in the same chassis.

Both Server B and SCS B also hang off the same switch and are in the same chassis.

Server B is getting its content from SCS A, rather than my preferred option of SCS B.

How can I make sure that the DFS Namespace and clients get to the most preferred SCS?

Change UPN for a group of Users

<#
1. Import data from a CSV file
2. Process each object in the CSV file:
   a. Foreach object
   b. Validate the existence of the user in AD:
      -> If found, proceed to step 3
      -> If not found, update the array variable used for exporting the script execution outcome and/or update the log file
3. Trigger or attempt to change the UPN using the value in the reference variable corresponding to the user, which is available in the CSV file.
   a. If successful, update the output array with the outcome being successful and/or write to a log
   b. If not successful (on error), get the error exception indicating the reason for failure and update the array with the exception
4. Export data to a CSV file to review the execution and outcome of Set-ADUser triggered for the UPN change
#>

Import-Module ActiveDirectory

# The input CSV must have a SamAccountName column; replace the path and the UPN suffix before running
$FileData = Import-Csv "CSV File Path"
$UPNSuffix = "UPNSuffix"
$OutputData = @()

$UserCount = ($FileData | Measure-Object).Count
$StartCount = 0
Foreach ($User in $FileData)
{
    $StartCount += 1
    $CurrentUser = $User.SamAccountName
    $CurrentUPN = ""
    $NewUPN = ""
    Write-Host "Processing User [$CurrentUser - $StartCount] - Out of [$UserCount]" -ForegroundColor Cyan

    # -ErrorAction SilentlyContinue so a user missing from AD yields $null instead of stopping the loop
    $UserInfo = Get-ADUser -Identity $CurrentUser -Properties SamAccountName, UserPrincipalName -ErrorAction SilentlyContinue |
        Select-Object SamAccountName, UserPrincipalName

    $OutObj = "" | Select-Object User, CurrentUPN, NewUPN, ChangeStatus
    $OutObj.User = $CurrentUser
    if ($UserInfo)
    {
        $CurrentUPN = $UserInfo.UserPrincipalName
        $NewUPN = "$CurrentUser@$UPNSuffix"
        try
        {
            # -WhatIf only previews the change; remove it to apply the new UPN for real
            Set-ADUser -Identity $CurrentUser -UserPrincipalName $NewUPN -WhatIf -ErrorAction Stop
            $OutObj.ChangeStatus = "UPN Change Successful"
        }
        catch
        {
            # Step 3b: record the exception so the failure reason appears in the report
            $OutObj.ChangeStatus = "UPN Change Failed: $($_.Exception.Message)"
        }
    }
    Else
    {
        $CurrentUPN = "$CurrentUser - Not IN AD"
        $NewUPN = "$CurrentUser - Not IN AD"
        $OutObj.ChangeStatus = "User Not In AD"
    }
    $OutObj.CurrentUPN = $CurrentUPN
    $OutObj.NewUPN = $NewUPN
    $OutputData += $OutObj
    $OutObj
}
$OutputData | Export-Csv UPNChangeStatus.csv -NoTypeInformation

AD LDS able to accept wholeSubtree queries to RootDSE?

Hello All,

I have multiple Outlook clients which are already configured to do contact lookups against a special Unix box via LDAP.
The LDAP query configured on these clients does not specify any base DN, and queries the RootDSE directly for contacts, which this special box is somehow able to respond to.

But when I do this query against an AD LDS instance, it gives me a Result <32>, problem 2001 error.

Is there a way to configure AD LDS to accept wholeSubtree queries without specifying the base DN?

Thanks!

Password reset for remote workers - without AlwaysON VPN or another self connecting VPN - no contact to ad server

Hi everyone,

sorry for the long topic. But these are the first suggestions I get which I cannot deploy easily.

How do you deal with remote workers "all over the world" that might have lost their password?

Even if you reset it in your AD, they won't be able to log in because they have no connection to your AD servers.

We have Azure AD P1 with Azure AD Connect sync, if that would help. We will hybrid join any client we have.

Does this help? How do you cope with this?

Regards, Stephan


User Migration with ADMT

Hello,

We are migrating users, groups and computer objects from one forest to another forest domain, and the user name is different in each domain. Below is the scenario:

Source Domain User: 10025@abc.com (User Name: 10025)

Target Domain User: KES052@xyz.com (User Name: KES052)

We have created users in the target domain with a new user ID (common ID). When I migrate the SID for those users, it is replaced along with the user name (10025 is replacing KES052). How could I migrate only the SID without replacing anything from the source domain?

In the ADMT console I am using an include file and merging the user, and I have excluded all the attributes, but the username is still changing; SAM and UPN are all as-is in the target.

I would appreciate any inputs to get rid of this.

Regards,

Vinay

Migrating Active Directory Services from 2012 R2 to 2016 server for our Organization Domain

Scenario:

Platform: Windows 2012 R2 single forest, single domain with 20 domain controllers, and trusts are in place with a couple of different organizations' domains and forests. The root DC and the other DCs are Windows 2012 R2 only for our domain. All DCs run AD-integrated DNS.

Requirement: plan to provision 4 Windows 2016 DCs and decommission all other existing 2012 R2 DCs. What are the steps to follow to complete this entire activity?

Our plan: add all 4 servers with OS 2016 one by one within the current domain and promote them as DCs individually. Transfer the FSMO roles to the identified newly promoted 2016 DC. Check DC replication after validating site replication. Then keep this hybrid mode for 4-5 days and check for any issues, then decommission the 2012 R2 DCs one by one. The old root DC will be decommissioned last.

As this is a very critical activity, we need some expert suggestions, and thus any suggestions would be highly appreciated.

Regards,

SoumenG



NTFS Permissions Fiasco and How To Resolve

I am currently working a contract with a company running their file shares on DFS on 2008 R2. They would like to update to 2016 and migrate all data to a different SAN provider. Normally this would not be an issue, but I have (as always seems to be the case) run into a bit of a rub.

For each of the shared drives, the company policy has been to create a RO and RW security group in A.D., and control NTFS permissions through these groups. There are literally hundreds upon hundreds of each group, covering folders and subfolders and third-grandchildren folders.

On top of this horrible structure, a LARGE number of folders were deemed "too private" for anyone but a select few, and thus have inheritance broken on them. Still more on top of this were deemed "way too private" and even the administrators were removed. So even as an Enterprise Admin there are many directories I get an access denied on.

While the removal of admin access is bad enough, with the broken inheritance it means that in a particular directory with 15 subfolders I may only see 6. So I end up "not knowing what I don't know" as I can't see the folders I have no access to.

So I am just looking for suggestions on a best practice way to go about resolving this, at least to the point where I know what I don't have access to, so I can then put it back on the directory owner to move their own data to the new dfs root. The only thing I can think of is to do an initial trial copy of data, and just record what directories it fails on, but I am concerned the ones I cannot even see won't throw an error. With ~80TB of data to go through, it is looking like it is going to be a nightmare.

Windows security log - flooded with Error Code: 0xC0000371

Hi Everyone,

my Cisco IronPort e-mail gateway is connected to Windows AD servers. Every time a new e-mail comes in, Cisco IronPort tries to establish a connection to one of our AD servers and checks whether the recipient e-mail address exists in AD. If not, the e-mail is rejected. More or less this is how my system is integrated with AD. A few days ago the Windows team told me that my system is trying to open too many connections to AD, and as a result the Windows Security log is flooded (>6 million) with this kind of error:

#################

LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=GLS0020.torp.mir TaskCategory=Credential Validation OpCode=Info RecordNumber=1363466953 Keywords=Audit Failure Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: TEC-LDAP-I-IRON1 Source Workstation: GLS0020 Error Code: 0xC0000371

#################

As I see in the AD client logs (IronPort LDAP logs), IronPort tries to establish 1 connection to the AD server, but AD rejects it. After several tries the connection is established. Sometimes the connection is established after 2-10 tries and sometimes after more than 1000.

########### Ironport ldap log

Mon Nov 26 15:36:16 2018 Debug: LDAP: (accept) Query (mail=sdfsdf@testdomain.de) to server InternLDAP (10.201.134.182,10.201.134.183:636)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (20) Connection Error: [Errno 54] Connection reset by peer
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) this server marked DOWN
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (20) Connection interrupted (writer)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (21) connecting to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (19) Connection Error: [Errno 54] Connection reset by peer
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) this server marked DOWN
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (19) Connection interrupted (writer)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (20) connecting to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (20) connected to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://ForestDnsZones.corp.dir/DC=ForestDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://ForestDnsZones.corp.dir/DC=ForestDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://DomainDnsZones.corp.dir/DC=DomainDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://DomainDnsZones.corp.dir/DC=DomainDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://corp.dir/CN=Configuration,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://corp.dir/CN=Configuration,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: (accept) Query (mail=sdfsdf@testdomain.de) lookup success, (10.201.134.183:636) returned 0 results
Mon Nov 26 15:36:16 2018 Info: LDAP: Bounce query InternLDAP.ldapaccept MID 136648 RID 0 address sdfsdf@testdomain.de
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (21) connected to server

########### Ironport ldap log

Is it normal that the AD server rejects so many connections?

I have asked the Windows team to enable debug mode for the AD server, just to check what the reason is that AD rejects 90% of connections. They told me that is not possible; is that true? Is it really not possible to check on Windows servers why the system rejects connections?

What exactly does that error mean:

Error Code: 0xC0000371

Every time AD rejects the connection this error appears; what does it mean?

Thanks in advance for any support.

Cheers

Konrad

Delegation through VPN doesn't work

Hello,

in the corporate network everything works.

If I log in to a computer outside the corporate network and then connect to the corporate network via VPN (Cisco AnyConnect Secure Mobility Client),

then all services with Windows authorization work, except for one (WEB API).

The WEB API service runs under a service account, on which "trust this user for delegation to any service (Kerberos only)" is set.

If, when the VPN is connected, I open a browser on behalf of another user and connect to the web API, then everything works.

The problem is for users who log in via locally cached credentials: delegation does not work. How do I solve it?
