Channel: Directory Services forum
User authentication in DC

Hi Everyone,

We see a lot of events having the client hostname or IP address the same as the domain controller. I am sure there are no credentials saved on the domain controller for that specific user. Also, the user has no access to log in to the domain controller. I would like to know in what scenarios we may face these events.


Active Directory services error

Dear Team,

This is Sateesh here. Whenever we try to make changes to Group Policy on Windows Server 2008 R2, we get the error popup below on screen.

Error popup: Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continue.

The process cannot access the file because it is being used by another process (Exception from HRESULT: 0x80070020).

Note: even after clicking Continue, the policy is not getting applied. Please help me to resolve this.




Guidance for creating "Penalty Box" OU

Hey DS Gurus!

I have a requirement from our Security department to create a Penalty Box OU that will be used to quarantine machines that may have been compromised by a virus or malware.  The objective would then be to restrict network access for devices in that OU to only be able to communicate with select apps.  The second objective is that the background/wallpaper of the machine should change to a .GIF or some sort of banner to instruct the owner to contact the helpdesk.  

I have never done this before so looking for guidance on how to best accomplish the above.  I've been doing some Googling but so far haven't found much help on this topic.

Any guidance is appreciated.

-Christian

Last logon time stamp not showing

Windows 2008 R2 domain controller

How can I resolve this problem? Last time LastLogonDate is showing. I need to check who last logged on over 90 days ago.

Search-ADAccount -UsersOnly -SearchBase "ou=Users,ou=bo,dc=dat,dc=com" -AccountIna  -TimeSpan 90




disable user interactive logon to a domain

I have a user who will be away for a while. I don't want to disable his account but want to disable his account's login to the domain. How do I do it? I created a group, added his account to the group and created a GPO for "deny local logon" for the group. But in my tests, his account can still log in. Any ideas?

Thanks in advance.

David

Correct role for different people on AD environment

Hi all gurus,

I'm new to AD, and my company just bought an AD server and started to use AD.

Now I need to define roles for the users below and really need some expert suggestions.

CEO – What role should be assigned to the CEO? What can the CEO do and what can't the CEO do? When does IT need the CEO's help in this AD environment?

Director – What role should be assigned to this group of people? What can they do and what can't they do? Basically they just don't want IT to control them and their laptops, and also don't allow anyone to remote into their laptops.

Head of Department – What role should be assigned to this group of people? Basically our plan is to let the HODs assign the folder access rights for their staff.

IT Admin – What role should be assigned to this group of people? Our thought is that only IT admins can access all files and folders, just as backup for the HODs, and also help to assign access for Directors.

IT Users – What role should be assigned to this group of people? Our thought is that IT users are only allowed to access the folders belonging to IT.

I need to submit these rights/assignments to the board tomorrow for approval, so I really need your help.

Thanks


wlho

Where is global catalog stored?

Hi everyone, I can't seem to find an article which states where the AD global catalog contents are stored inside a DC. Are they held in some files, in memory only, or inside the domain/application partition of the AD database?

Sorry, it's more to kill my curiosity than an issue to resolve.

Regards.

We have approx. 30 Windows XP SP3 systems and we are using a Windows 2016 domain controller

Hello Team,

We are using a Windows 2016 domain controller and there are 30 Windows XP systems. Our domain users log in on the XP systems, and these systems lock out the domain users who log in


User migration from one domain to another.

I am trying to migrate OUs from one domain to another in the same forest. The OUs contain users and groups. I have checked the trust relationships between both domains and they are active. I am using the CSVDE command to export domain users to a CSV file.

I have used this command to export: csvde -d {LDAP Path} -f c:\filename.csv

While importing it to another domain using the command: csvde -i -f c:\filename.csv

I encounter the issue: 

Connecting to "(null)"

Logging in as current user using SSPI

Importing directory from file "C:\Users\xxxx\xxxx\ecportedusers.csv"

Loading entries...

Add error on line 4: Unwilling To Perform

The server side error is "Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)."

2 entries modified successfully.

An error has occurred in the program

No log files were written.  In order to generate a log file, please

specify the log file path via the -j option.

Some security policies are displayed as "Not Defined" in the RSoP snap-in on a Windows Server 2016 based domain controller

I was trying to close a host review (security scan) finding with the auditor with regards to "password policies" and "account lockout policies" displayed as "Not Defined" in RSoP and GPResult.

 

My affected server is running Windows Server 2016, as a secondary domain controller. The primary domain controller's RSoP shows that the Default Domain Policy was applied for "password policies" and "account lockout policies".


Found this article on MS Support, would like to check if it applies to Windows Server 2016.

https://support.microsoft.com/en-ca/help/927908/some-security-policies-are-displayed-as-not-defined-...

 

I need advice from the forum, or MS Support could help by updating the article's "Applies to" list to include Windows Server 2016.

 

Thanks in advance. 


jon

Cross realm Kerberos and SPN

Hello, I set up 2 domains with a bi-directional trust relationship: domain1.com and domain2.com.

When I try to authenticate using user@domain1.com accessing resource.domain2.com (I'm using WinRM to test)

Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM Win32_ComputerSystem" -ComputerName resource.domain2.com -Authentication Kerberos -Credential user@domain1.com

I'm getting the following error. When I try to do that using user@domain2.com, everything is OK.


Get-WSManInstance : An unknown security error occurred.
At line:1 char:1
+ Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WSManInstance], COMException
    + FullyQualifiedErrorId : Exception,Microsoft.WSMan.Management.GetWSManInstanceCommand

Get-WSManInstance : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858909"
Machine="kitchen-unit"><f:Message>WinRM cannot process the request. The following error with errorcode 0x80090322
occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.</f:Message></f:WSManFault>
At line:1 char:1
+ Get-WSManInstance  wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (wmi/root/cimv2/*:Uri) [Get-WSManInstance], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.GetWSManInstanceCommand

I think that something is wrong with the SPNs, but I have not found how SPNs should be configured for cross-realm authentication.

Should I create SPNs on the computer account within domain1.com?


How to check LDAP version on domain controller

Hi,

I am in a situation where I need to check which version of LDAP, 2 or 3, is used in my domain.

Can anyone suggest how to check it?

Thanks

Notes field in AD

With read/write access granted to "Notes" field in the Telephone tab of Active Directory, the data entered into the field is not visible after entry for those granted with only read/write. Those granted Create/Delete User objects however, can see this.   Is there a way to grant permissions without having to give Create/Delete User objects?  On Windows Server 2008 R2 if that helps any.

The Client machine automatically restart weekly

Hi, I have a client that automatically restarts every week. I checked the problem by going to the Event Viewer and I saw a KRB AP ERP error. Why is this problem occurring? Thanks for your help.

AD Powershell scripts

I am looking for PowerShell scripts to:

1) get member computers from AD security groups; for instance, I have an AD security group and need to get its member computers

2) get member users from AD security groups; for instance, I have an AD security group and need to get its member users

3) export which AD security groups a computer is part of; I have a computer and need to know which AD groups it belongs to

4) export which AD security groups a user is part of; I have a user and need to know which AD groups they belong to


remote computer add & remove program and installed programs

Kindly answer the queries below:

1) how to get Add and Remove Programs from a computer

2) how to get Add and Remove Programs from a list of computers

3) how to get a specific application from Add & Remove Programs

4) how to get a specific application from Add & Remove Programs from a list of computers

5) how to get Add and Remove Programs (installed programs) from a computer

6) how to get Add and Remove Programs (installed programs) from a list of computers

7) how to send the output CSV file by email to an email ID DL

Bitlocker

I need to install BitLocker keys on 500 Windows machines using a script.

We have Windows machines both with and without a TPM chip.

Could you please send me the script and explain how to deploy it from Windows Server?

As I am new to Windows Server, AD, SCCM and PowerShell scripting, it would be a great help if I could get a step-by-step procedure.

powershell active directory module for windows server 2008

Dear Team,

Please help us to install the PowerShell Active Directory module for Windows Server 2008.


Regards, Pradhap P

Site B Users Logging On Site A Domain Controllers

Hi All,

I have an issue where Site B users are authenticating against Site A domain controllers. I checked this by running the following commands on Site B users:

echo %logonserver%
DC_SITE_A

nltest /DsGetSite
Site_B

I already checked that the IP subnet is properly assigned to Site B.
How can I troubleshoot?

Regards
Usman Ghani


Usman Ghani - MCITP Exchange 2010



Verification of prerequisites for Active Directory preparation failed. The specified user is not a member of the following groups: Enterprise Admins group. !!!! but it is

I am trying to upgrade to DC 2012.

I get this error:

Verification of prerequisites for Active Directory preparation failed. The specified user is not a member of the following groups: Enterprise Admins group.

But I am using the Administrator user, which is a member of Enterprise Admins.

Help please

[2018/11/17:15:05:07.325]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20181117150507-test\ADPrep.log'
[2018/11/17:15:05:07.325]
Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.
[2018/11/17:15:05:07.330]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.332]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.332]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD2018-1,CN=Servers,CN=Shalgham,CN=Sites,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.333]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.333]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.333]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.334]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.335]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.335]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD2018-1,CN=Servers,CN=Shalgham,CN=Sites,CN=Configuration,DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.335]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.346]
Adprep discovered the schema FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.350]
Adprep connected to the schema FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.350]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.351]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.351]
Adprep successfully retrieved information from the Active Dcomectory Domain Services.
[2018/11/17:15:05:07.351]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.352]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.352]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.353]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2018/11/17:15:05:07.353]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.354]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.357]
Adprep discovered the Infrastructure FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.360]
Adprep connected to the Infrastructure FSMO: AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.360]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.361]
LDAP API ldap_search_s() finished, return code is 0x0
[2018/11/17:15:05:07.361]
Adprep successfully retrieved information from the Active Dcomectory Domain Services.
[2018/11/17:15:05:07.361]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=Shalgham,DC=lo,DC=com.
[2018/11/17:15:05:07.361]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.361]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.362]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2018/11/17:15:05:07.362]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2018/11/17:15:05:07.362]
LDAP API ldap_search_s finished, return code is 0x0
[2018/11/17:15:05:07.384]
Adprep successfully logged on to the local machine using the specified credentials for network connections.
[2018/11/17:15:05:07.384]
Adprep successfully made the network connection to the Active Dcomectory Domain Controller AD2018-1.Shalgham.lo.com.
[2018/11/17:15:05:07.406]
Adprep successfully stopped using the specified credentials for network connections.
[2018/11/17:15:05:07.406]
Adprep successfully closed the network connection to the Active Dcomectory Domain Controller AD2018-1.Shalgham.lo.com.
