Hi
We have many service accounts which are part of local Administrators group, through GPO we are planning to restrict the membership of Administrators group and to provide these service accounts "Log on as a service" permission through GPO. What we understood is, by providing service accounts these permission, then there is no need to add these accounts to local administrators group.
Your suggestions please
Thanks in advance
LMS
Hi
We have configured one account to "Use Kerberos DES encryption type" with AD, which is using by SAP for single sign on. The account was created and configured before introducing Windows 2008 R2 DCs. Our current Domain & Forest functional level is Windows 2008 and all DCs are running on Windows 2012 R2. We are planning to upgrade to Windows 2016 DCs and same with functional levels. DES support is not enabled on DCs (not enabled & selected the GPO setting :- Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options - Network security: Configure encryption types allowed for Kerberos option & there are no Reg entries :- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\). Also as per KB "https://support.microsoft.com/en-au/help/977321/kdc-event-id-16-or-27-is-logged-if-des-for-kerberos-is-disabled" we didn't find event IDs 27 or 16 with DCs.
For testing purpose we are planning to remove the DES setting from the account and will check the SSO with SAP. In case of any issue we will re-select the option. We are looking for any suggestion on disabling DES with this account
Thanks in advance
LMS
I have been struggling to get the AD LDS instance schema upgrade to match with the Active Directory Domain. LDS instance is synchronizing data from active directory. Domain was upgraded to Windows Server 2008 and therefore Active Directory domain schema version is 44. LDS Schema version is 30.
I have used ADAMschemaanalyzer tool to import the difference LDIF file in LDS instance and upon manual check I see all the attributes are modified but still LDS schema version is set to 30.
Can someone explain how can I get this version incremented?
As a note, upperrange for title attribute for Windows Server 2003 is 64 and for Windows Server 2008 it is 128. After importing the LDIF file there is no change in rangeupper value for this attribute. I am stuck please help!
Hello,
I want to know what is the difference when I deleting an object with recycle bin enabled and when recycle bin is disable
I read that don't changes to tombstone but is-deleted attribute of that enables
What is the difference between them
Thanks for your help
Hey, It's amazing how many "Attacks on Kerberos" articles exist out there and almost none really explains the small details.
My guess is that usually they assume it's basic knowledge and sometimes, they just don't know enough.
Anyway, here are the questions:
Thank you all.
If there is another forum similar to TechNet please let me know.
Right now were doing patching of out 2016 DCs as a manual monthly process.
We have options of SCCM or Tanium with the Security wonks pushing Tanium very hard.
I'm not fond of the Tanium client getting installed as 'Local System' on the DCs as it means Tanium Admins can "do what they will" on the Domain Controllers.
Has anyone worked with Tanium installed on Domain Controllers, and if so what was your experience? Are there other minimum permissions necessary alternatives?
Also, any experience with ADFS servers and/or MIM servers?
Thank You
-Kyle
Support analyst
It was my understanding a user could not access any computers in a domain, unless that user was added to the domain controller.
In my test, I added a user to a vm server 2012, and can rdp onto that server, without being a user on the domain.
Normal??
I have a server 2012 environment with a DC. The domain includes 3 server 2012 vm machines for rdp/terminal services.
I added a user to a domain. I expected the newly added user would be able to log onto the rdp/terminal services vm's.
Since the other rdp/terminal services vm servers are part of the domain, I thought the new
user would be able to log onto those servers. But they cannot.
How can this be accomplished?
Dear All,
Does anyone know how to record user actions (audit trails) and review them when required in the Microsoft Active Directory User and computers, version 6.2.9200.16384 (Windows server 2012)?
We have a central management console which works with Active directory. We enumerate users/computers/groups etc and use it inside our console for applying the policy. Is it a good idea to consider "Lost And Found Folder" as a valid group just like others containers?
-- Vikram
We are experiencing a very strange issue with the AD.
A user war created in the AD unser domain.de. The user shows properly in the in the AD snap in. and is located under domain/users.
However, when we want to assign user rights on the server (selecting the directory, properties etc) and selecting the domain in the search dialog box for the user - this user does not appear. This user only appears when we adjust the path to the root directory. But even then - when we then select this user and click ok - it does not appear in the user list.
In the user search dialog box the path is also correct domain.de/users (as all the other users).
The user is active and can sign in.
Would appreciate if anyone has an idea what could be wrong.
Thank you.
Uli
I am trying to do a cross forest migration and i get a error message unable to update sid history ID.below is the error log i get.
Trust is establish successfully. Able to ping the servers across the domains. Replication of the servers is fine.
ERR2:7111 Failed to add sid history for user to user. RC=31.
Thanks in advance.
Shabeeb Khan