Channel: Directory Services forum

Lock Down OU for Disabled Objects


Good day,

I have an OU that I need to contain only disabled objects. The problem is that my team mates, once they re-enable accounts, do not move them to their relative containers (they just leave them there in the disabled objects OU). I would like to lock everyone out of enabling an object in the disabled objects container and only be able to move an object in or out to another container. Once the object is in another container it can then be enabled.

Looking forward to an exciting exercise.

Many Thanks

Anele L.P. Takane
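One way to enforce this with an ACL rather than with process, as an added example that is not part of the original post (the OU distinguished name and the operators' group name are assumptions): enabling an account is a write to the userAccountControl attribute, so a Deny ACE on the OU that is inherited by descendant user objects and denies that group WriteProperty on userAccountControl blocks Enable-ADAccount in place. Moving the object out of the OU needs Delete on the object and Create Child on the target OU, not a userAccountControl write, so moves still work, and because the Deny is inherited from the OU it does not follow the object once it is moved.

```powershell
# Added example, not from the original post. Assumptions: the OU DN and the
# name of the group whose members may move objects but must not enable them.
Import-Module ActiveDirectory

$ouDn      = 'OU=Disabled Objects,DC=domain,DC=local'   # assumption
$groupName = 'Helpdesk Operators'                        # assumption

# schemaIDGUIDs from the AD schema: the userAccountControl attribute and the user class
$uacAttribute = [Guid]'bf967a68-0de6-11d0-a285-00aa003049e2'
$userClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# Deny WriteProperty on userAccountControl, inherited by descendant user objects only
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $uacAttribute,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify the ACE landed where intended
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $uacAttribute } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType -AutoSize

# Functional check, run as a member of the group: this must now fail with
# "Insufficient access rights", while Move-ADObject to another OU still succeeds.
#   Enable-ADAccount -Identity someuser
#   Move-ADObject -Identity 'CN=someuser,OU=Disabled Objects,DC=domain,DC=local' -TargetPath 'OU=Staff,DC=domain,DC=local'

# Compliance sweep: anything that is enabled and still sitting in the OU
Get-ADUser -SearchBase $ouDn -SearchScope OneLevel -Filter 'Enabled -eq $true' |
    Select-Object Name, DistinguishedName
```

Keep privileged groups (Domain Admins, Account Operators) out of the denied group: a Deny ACE is evaluated before every inherited Allow, so it bites anyone who is a member, and the only thing that overrides it is an explicit Allow set directly on the individual user object.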


Powershell script to move users from one security group to another, setting the new one as primary, based on where their account is in AD.


So I'm having trouble finding suggestions that exactly match my needs, and my attempts to do it myself all fail nicely...

Windows 2008 SP2 as DC. I have the security group "Domain Users", the security group "Deleted Users", the OU "Users" and the OU "Inactive Users". What I want to do is craft a PowerShell script on my local machine to find each user in "Inactive Users", add them to the SG "Deleted Users", change their primary group to "Deleted Users" and remove their membership in "Domain Users". I don't want to touch any users in "Users"; instead just leave them unchanged.

When I try to use something like:

Get-ADGroup -filter * | Where-Object {$_.name -like "Inactive Users"} | select name

I get an error like this:

get-adgroup : Cannot find an object with identity: 'Inactive Users' under: 'DC=domain,DC=local'.At line:1 char:1+ get-adgroup 'Inactive Users'+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~    + CategoryInfo          : ObjectNotFound: (Inactive Users:ADGroup) [Get-ADGroup], ADIdentityNotFoundException    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M   icrosoft.ActiveDirectory.Management.Commands.GetADGroup
Get-ADOrganizationalUnit -Filter 'name -eq "Inactive Users"' | select Name,DistinguishedName

However, this returns the correct OU.

How can I handle this?
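An added example, not from the original post, of the script described above. It addresses "Inactive Users" as an OU (via -SearchBase) rather than as a group, which is why Get-ADGroup cannot find it, and it assumes the OU distinguished name and that "Deleted Users" is a global security group in the same domain (a primary group must be global). Two AD details shape the order of operations: an account must already be a member of a group before that group can become its primary group, and membership of Domain Users is normally implicit through primaryGroupID rather than listed in the group's member attribute, so after the primary group changes there is usually nothing left to remove.

```powershell
# Added example, not from the original post. Assumption: the OU DN below.
# Needs the ActiveDirectory RSAT module and PowerShell 3 or later on the admin machine.
Import-Module ActiveDirectory

$inactiveOu = 'OU=Inactive Users,DC=domain,DC=local'   # assumption
$newGroup   = Get-ADGroup -Identity 'Deleted Users'
$oldGroup   = Get-ADGroup -Identity 'Domain Users'

# primaryGroupID stores the RID, the last component of the group's SID
$newRid = [int]$newGroup.SID.Value.Split('-')[-1]

Get-ADUser -SearchBase $inactiveOu -SearchScope Subtree -Filter * -Properties primaryGroupID, memberOf |
ForEach-Object {
    $user = $_
    if ($user.primaryGroupID -eq $newRid) {
        return   # already migrated on a previous run; nothing to do
    }

    # 1. Membership first: AD rejects a primaryGroupID the user is not a member of
    if ($user.memberOf -notcontains $newGroup.DistinguishedName) {
        Add-ADGroupMember -Identity $newGroup -Members $user
    }

    # 2. Switch the primary group
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $newRid }

    # 3. Domain Users only has an explicit member entry if someone added it by hand;
    #    removing a non-member throws, so check before removing
    if ($user.memberOf -contains $oldGroup.DistinguishedName) {
        Remove-ADGroupMember -Identity $oldGroup -Members $user -Confirm:$false
    }

    [PSCustomObject]@{ User = $user.SamAccountName; PrimaryGroupID = $newRid }
}

# Audit afterwards: nothing in the OU should still use the default primary group (RID 513)
Get-ADUser -SearchBase $inactiveOu -Filter 'primaryGroupID -eq 513' | Select-Object SamAccountName
```

Users in the "Users" OU are never touched because the search base is the "Inactive Users" OU; the script is idempotent, so it can be scheduled and re-run safely.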


DFS Replication from AD DS to RODC


Dear everyone,

How does DFS Replication replicate SYSVOL from a writable domain controller to a read-only domain controller?

Thanks advance !

Best Regards,

Peang Suy 
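An added example, not from the original post, for looking at what DFSR is actually doing for SYSVOL on a given DC through the DFSR WMI provider (root\MicrosoftDFS). It assumes the DC name and that SYSVOL has already been migrated from FRS to DFSR (dfsrmig /getglobalstate reports "Eliminated"); on an RODC the SYSVOL replicated folder is read-only and the DC has only inbound connections, so local changes are never replicated out.

```powershell
# Added example, not from the original post. Assumption: $dc is reachable over WMI/DCOM.
$dc = 'RODC01'
$ns = 'root\MicrosoftDFS'

# DfsrReplicatedFolderInfo.State values
$stateName = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'; 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }

# Run "dfsrmig /getglobalstate" first: SYSVOL only appears here once it is on DFSR.
$info = Get-WmiObject -ComputerName $dc -Namespace $ns -Class DfsrReplicatedFolderInfo |
        Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' }
if (-not $info) { throw "$dc has no DFSR-replicated SYSVOL folder (still on FRS, or DFSR is stopped)" }

$cfg = Get-WmiObject -ComputerName $dc -Namespace $ns -Class DfsrReplicatedFolderConfig |
       Where-Object { $_.ReplicatedFolderGuid -eq $info.ReplicatedFolderGuid }

[PSCustomObject]@{
    DC       = $dc
    Folder   = $info.ReplicatedFolderName
    State    = $stateName[[int]$info.State]   # expect 'Normal' on a healthy DC
    ReadOnly = $cfg.ReadOnly                  # True for an RODC's SYSVOL membership (2008 R2 and later)
    RootPath = $cfg.RootPath
}

# Replication partners of this DC. An RODC should list only inbound connections
# (it receives SYSVOL from writable DCs and never sends).
Get-WmiObject -ComputerName $dc -Namespace $ns -Class DfsrConnectionInfo |
    Select-Object PartnerName, Inbound, State, LastSyncTime |
    Format-Table -AutoSize
```

If State shows "Initial Sync" for a long time or "In Error", check event ID 4012 (disconnected longer than MaxOfflineTimeInDays) and 2213 (database dirty shutdown) in the DFS Replication event log on that DC before anything else.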


Login Error via LDAP in linux machine with trusted domain


Hi Team

I am trying to host an LDAP server (ADAM). I have two domains, domain A and domain B, and both are trusted with selective authentication. In a Windows-based application I am able to log in via LDAP using a domain A user and a domain B user. But if I try to log in to a Linux-based application (Gerrit, Jira) I am able to log in with a domain A user but I am not able to log in with a domain B user; it shows "Invalid User or password". In the event viewer I get the error "An error occurred during logon", error code 413.

Could anyone help me with this issue?


Arun Thomas Server Admin
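With selective authentication, a user from the trusted domain can only authenticate to a computer in the trusting domain if they hold the "Allowed to Authenticate" extended right on that computer's object in AD; the right is checked on the computer whose LSA performs the authentication, which for an ADAM instance bound to with Windows credentials is the host running ADAM. The post does not establish that this is the cause, but it is the first thing to check. Below is an added example, not from the original post, that inspects and grants the right; the host name and the trusted-domain group are assumptions.

```powershell
# Added example, not from the original post. Assumptions: the resource host and the group name.
Import-Module ActiveDirectory

$resourceHost = 'LDAPHOST'             # assumption: computer in domain A that runs ADAM / the app
$trustedGroup = 'DOMAINB\App Users'    # assumption: group in domain B whose members must log in
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # Allowed-To-Authenticate right

# Confirm selective authentication is really on for the trust
Get-ADTrust -Filter * | Select-Object Name, Direction, SelectiveAuthentication, SIDFilteringQuarantined

$computer = Get-ADComputer -Identity $resourceHost
$path     = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $path

# Who already holds the right on this computer object (inherited entries count too)
$acl.Access | Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType, IsInherited | Format-Table -AutoSize

# Grant it to the trusted-domain group if it is not there yet
$has = $acl.Access | Where-Object {
    $_.ObjectType -eq $allowedToAuthenticate -and
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $trustedGroup
}
if (-not $has) {
    $sid  = (New-Object System.Security.Principal.NTAccount($trustedGroup)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    "Granted Allowed to Authenticate on $resourceHost to $trustedGroup"
}
```

Grant the right to a group rather than to individual users, and only on the specific computers the trusted users need; handing it out on an OU with inheritance undoes the point of selective authentication.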

User migration from one domain to another.


I am trying to migrate OUs from one domain to another in the same forest. The OUs contain users and groups. I have checked the trust relationships between both domains and they are active. I am using the CSVDE command to export domain users to a CSV file.

I have used this command to export: csvde -d {LDAP Path} -f c:\filename.csv

While importing it to another domain using the command: csvde -i -f c:\filename.csv

I encounter the issue: 

Connecting to "(null)"

Logging in as current user using SSPI

Importing directory from file "C:\Users\xxxx\xxxx\ecportedusers.csv"

Loading entries...

Add error on line 4: Unwilling To Perform

The server side error is "Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)."

2 entries modified successfully.

An error has occurred in the program

No log files were written.  In order to generate a log file, please

specify the log file path via the -j option.
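The "attribute is owned by the Security Accounts Manager" error means the import is trying to write an attribute the target DC generates itself (objectSid, sAMAccountType and friends), which an unfiltered csvde export always contains; the -j log the tool mentions names the exact attribute. Below is an added example, not from the original post, that strips those columns and re-homes the DNs before import; the file names and DN suffixes are assumptions. Note that csvde cannot set passwords, so imported users arrive without one, and the objects get new SIDs, so group memberships and NTFS ACLs that reference the old SIDs are not carried across; ADMT is the supported tool when SID history matters.

```powershell
# Added example, not from the original post. Assumptions: the file names and both DN suffixes.
$exported  = 'C:\filename.csv'          # output of: csvde -d <LDAP path> -f C:\filename.csv
$cleaned   = 'C:\filename-clean.csv'
$srcSuffix = 'DC=source,DC=local'
$dstSuffix = 'DC=target,DC=local'

# Attributes the target DC refuses (SAM-owned / system-only) or computes on its own
$systemOwned = @(
    'objectSid', 'objectGUID', 'sAMAccountType', 'primaryGroupID', 'uSNCreated', 'uSNChanged',
    'whenCreated', 'whenChanged', 'pwdLastSet', 'lastLogon', 'lastLogonTimestamp', 'lastLogoff',
    'logonCount', 'badPwdCount', 'badPasswordTime', 'dSCorePropagationData', 'objectCategory',
    'instanceType', 'memberOf', 'distinguishedName', 'name', 'isCriticalSystemObject'
)

$rows = Import-Csv -Path $exported
if (-not $rows) { throw "No rows in $exported" }

# Column list minus the system-owned ones (the 'DN' column must stay, csvde keys on it)
$keep = $rows[0].PSObject.Properties.Name | Where-Object { $systemOwned -notcontains $_ }
$dropped = $rows[0].PSObject.Properties.Name | Where-Object { $systemOwned -contains $_ }
"Dropping: $($dropped -join ', ')"

$rows | ForEach-Object {
    # Re-home the DN and any DN-valued attribute under the target domain
    $_.DN = $_.DN -replace [regex]::Escape($srcSuffix), $dstSuffix
    if ($_.PSObject.Properties['manager'] -and $_.manager) {
        $_.manager = $_.manager -replace [regex]::Escape($srcSuffix), $dstSuffix
    }
    $_
} | Select-Object -Property $keep |
    Export-Csv -Path $cleaned -NoTypeInformation -Encoding Unicode

# Import with a log so any remaining rejected attribute is named:
#   csvde -i -u -f C:\filename-clean.csv -j C:\
```

Run the import against a test OU first; if the -j log still reports "Unwilling To Perform", the attribute it names belongs in the $systemOwned list.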

Correct role for different people on AD environment


Hi all gurus,

I'm new to AD, and my company just bought AD server 2016 and started to use AD.

Now I need to define some roles for the users below and really need some expert suggestions.

CEO – What role should be assigned to the CEO? What can the CEO do and what can't the CEO do? When does IT need the CEO's help in this AD environment?

Director – What role should be assigned to this group of people? What can they do and what can't they do? Basically they just don't want IT to control them and their laptops, and also don't allow anyone to remote into their laptops.

Head of Department – What role should be assigned to this group of people? Basically our plan is to let the HOD assign the folder access rights for their staff.

IT Admin – What role should be assigned to this group of people? Our thought is that only IT admins can access all files and folders, just as backup for the HOD, and also help to assign access for Directors (can IT also be set to have no rights to touch the CEO's and Directors' files and folders?)

IT Users – What role should be assigned to this group of people? Our thought is that IT users are only allowed to access the folders belonging to IT.

I need to submit these rights/assignments to the board tomorrow for approval. So I really need your help.

Thanks


Service Accounts required permissions


Hi

We have many service accounts which are members of the local Administrators group. Through GPO we are planning to restrict the membership of the Administrators group and to grant these service accounts the "Log on as a service" right through GPO. What we understood is that by granting the service accounts this right, there is no need to add these accounts to the local Administrators group.

Your suggestions please

Thanks in advance


LMS

Restrict administrators through GPO


Hi

We have a few computers managed by the application team. There are two common accounts which are members of the local Administrators group on all these servers, but there are also individual accounts for each of the servers which should be members of the local Administrators group. In this scenario how can we achieve / restrict local Administrators group membership through GPO?

Thanks in advance


LMS
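Both of the two preceding posts come down to the same question: what is the intended local Administrators membership on a server, what is it really, and which service accounts actually need what. "Log on as a service" (SeServiceLogonRight) only lets an account be started by the Service Control Manager; whether the service then needs local admin depends on the files, registry keys and ports it touches, and most do not. Below is an added audit script, not from either post, meant to be run on each server before the GPO change; the domain name and account names are assumptions.

```powershell
# Added example, not from the original posts. Assumptions: the domain and account names.
# Reports drift between the intended Administrators membership and reality, and which
# service accounts currently hold "Log on as a service".
$computer = $env:COMPUTERNAME
$domain   = 'DOMAIN'
$common   = @("$domain\svc-app-common1", "$domain\svc-app-common2")                   # the two shared accounts
$perHost  = @{ 'APP01' = "$domain\app01-admin"; 'APP02' = "$domain\app02-admin" }     # one account per server
$expected = @("$computer\Administrator", "$domain\Domain Admins") + $common + @($perHost[$computer])

# Actual local Administrators, normalised to DOMAIN\name or HOST\name (works back to Server 2008)
$group  = [ADSI]"WinNT://$computer/Administrators,group"
$actual = @($group.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})
$unexpected = $actual   | Where-Object { $expected -notcontains $_ }
$missing    = $expected | Where-Object { $_ -and $actual -notcontains $_ }

# Effective holders of SeServiceLogonRight (a GPO setting replaces the local list entirely)
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue
$serviceLogonHolders = @()
if ($line) {
    $serviceLogonHolders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {   # entries are *SID or a plain account name
            try { (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $v }
        } else { $v }
    })
}

# Services running under something other than the built-in identities
$services = Get-WmiObject Win32_Service | Where-Object {
    $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
} | ForEach-Object {
    $acct = $_.StartName -replace '^\.\\', "$computer\"   # ".\user" is a local account
    [PSCustomObject]@{
        Service         = $_.Name
        Account         = $acct
        IsLocalAdmin    = $actual -contains $acct
        HasServiceLogon = $serviceLogonHolders -contains $acct
    }
}

[PSCustomObject]@{
    Computer            = $computer
    UnexpectedAdmins    = $unexpected -join '; '
    MissingAdmins       = $missing -join '; '
    ServiceLogonHolders = $serviceLogonHolders -join '; '
}
$services | Format-Table -AutoSize
```

Two GPO facts drive the design on the policy side. Restricted Groups in "Members of this group" mode and the "Log on as a service" user-right setting both replace the local list on every refresh, so a single domain-wide GPO cannot express "two common accounts plus one account per server", and a "Log on as a service" GPO that omits an account that was granted the right locally (SQL, IIS application pools, NT SERVICE\ virtual accounts) stops that service from starting. The per-server requirement is normally met with Group Policy Preferences "Local Users and Groups" using item-level targeting on the computer name, or with one GPO per server, rather than with Restricted Groups.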


2008 R2 domain group policy not works on 2016 server

2 x 2008 R2 servers as domain controllers. I found that the group policies are not applied on my newly added 2016 servers. Is this by design?

how to change password with Domain controller not available anymore : configuration information could not be read from the domain controller, either because the machine is unavailable, or because access is denied


I have a machine with Windows 7 x64 Pro which was connected to a domain controller that is dead and not available anymore.

I want to continue to use this computer standalone and keep all the software and configurations already installed; however, I need to change my password and I am not able to do it, getting this message: configuration information could not be read from the domain controller, either because the machine is unavailable, or because access is denied.

How can I solve this (change the password or copy all the user settings to local) without the domain controller server?

thank you

vitor



AD-integrated DNS + Name Server List


Hi Everyone

I have a query regarding the Name Server (NS) records. Suppose I have AD-integrated DNS and I configure a stub zone (or secondary zone) where I specify NS records for the DNS servers to be contacted for any unresolved queries (queries for which the AD-integrated DNS is not authoritative).

When the client queries for a name that matches the domain of the stub zone, will the AD-integrated DNS contact one NS server and, if that one is not available, contact the second? Can someone please explain the behaviour in detail?

Thanks

Taranjeet Singh



GMSA and permissions


Greetings,

I have a scheduled script that creates user accounts and as part of that process it creates their home folders.

This script was run using an account that had administrative access to the server that holds the home folders, and because the Administrators group has full access, it was able to create the home folder.

I decided to change the scheduled script to run under a gMSA. I put the gMSA in the same groups as the previous account and therefore it should have administrative access to the home folder server.

However, when the script runs, it fails with Access Denied when creating the home folder.

Is this a limitation of gMSAs or is there something else that needs doing for this to work?

Thanks

David Z
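gMSAs are not limited in what they can be granted; the usual reasons a task under one gets Access Denied are that the host was never allowed to retrieve the password (Test-ADServiceAccount returns False), that the task was registered with the wrong logon type, or that the token the task runs with is not the one you expect (group changes only show up at the next task start, and without "Run with highest privileges" the Administrators SID is filtered out of the token on the machine the task runs on). The added example below, not from the original post, checks the first point, registers the task the way a gMSA requires, and drops a probe script that records the real token and attempts the folder creation; the gMSA name, domain, share and script paths are assumptions.

```powershell
# Added example, not from the original post. Assumptions: gMSA name, domain, share and paths.
Import-Module ActiveDirectory

$gmsa       = 'svc-provision$'            # assumption: gMSA sAMAccountName (trailing $)
$domain     = 'DOMAIN'                    # assumption
$homeRoot   = '\\FILESRV\Homes$'          # assumption: share holding the home folders
$scriptPath = 'C:\Scripts\Probe-HomeAccess.ps1'
$logPath    = 'C:\Scripts\Probe-HomeAccess.log'

# 1. Can this host use the gMSA at all? False means the host is not in
#    PrincipalsAllowedToRetrieveManagedPassword, or Install-ADServiceAccount was never run here.
Test-ADServiceAccount -Identity $gmsa
Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf |
    Select-Object SamAccountName, PrincipalsAllowedToRetrieveManagedPassword, MemberOf

# 2. Probe script: log the identity and groups the task really runs with, then try the write.
@"
`$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"`$(Get-Date -Format s) running as `$(`$id.Name)" | Out-File '$logPath' -Append
`$id.Groups | ForEach-Object {
    try { `$_.Translate([System.Security.Principal.NTAccount]).Value } catch { `$_.Value }
} | Out-File '$logPath' -Append
try {
    `$probe = New-Item -Path '$homeRoot' -Name ('probe-' + [guid]::NewGuid()) -ItemType Directory -ErrorAction Stop
    "create OK: `$(`$probe.FullName)" | Out-File '$logPath' -Append
    Remove-Item -Path `$probe.FullName
} catch {
    "create FAILED: `$(`$_.Exception.Message)" | Out-File '$logPath' -Append
}
"@ | Set-Content -Path $scriptPath

# 3. Register the task under the gMSA: LogonType Password with no stored password is what
#    a gMSA needs; RunLevel Highest keeps the Administrators SID in the token.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId "$domain\$gmsa" -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'Probe-HomeAccess' -Action $action -Principal $principal -Force | Out-Null

Start-ScheduledTask -TaskName 'Probe-HomeAccess'
Start-Sleep -Seconds 10
Get-Content -Path $logPath
```

Compare the group list in the log with what the share and NTFS ACLs on $homeRoot actually grant; if the group you added the gMSA to is missing from the token, the host is still using a token built before the membership change or is talking to a DC that has not yet received it.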

Terminated user last logon showing 2025

We have a user who was terminated a while back who is showing a last logon date in 2025. I know Last Logon can drift up to 14 days normally, but I've never seen it go 7 years out. Any ideas what the reason for this is?
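lastLogon is not replicated: each DC keeps its own value and only updates it when it authenticates the user, whereas lastLogonTimestamp replicates but is allowed to lag by up to 14 days. The attribute is system-owned, so a future date was written by a DC using its own clock at the time, which makes the useful question "which DC stamped it, and what does that DC's Security log say around that moment". The added example below, not from the original post, reads the value from every DC and then pulls the logon events on the suspect DC around the stamped time; the account name is an assumption.

```powershell
# Added example, not from the original post. Assumption: the account's sAMAccountName.
Import-Module ActiveDirectory
$sam = 'jdoe'

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $u = Get-ADUser -Identity $sam -Server $dc -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        [PSCustomObject]@{
            DC                 = $dc
            lastLogon          = if ($u.lastLogon -gt 0) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }
            RawLastLogon       = $u.lastLogon
            lastLogonTimestamp = if ($u.lastLogonTimestamp -gt 0) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
            Error              = $null
        }
    } catch {
        [PSCustomObject]@{ DC = $dc; lastLogon = $null; RawLastLogon = $null; lastLogonTimestamp = $null; Error = $_.Exception.Message }
    }
}
$results | Sort-Object lastLogon -Descending | Format-Table -AutoSize

# The DC(s) whose own copy is in the future are the ones that wrote it. Pull the logon
# events on that DC around the stamped time: 4624/4768/4776 tell you whether a logon really
# happened, and w32tm on that DC tells you whether its clock was trustworthy then.
$suspect = $results | Where-Object { $_.lastLogon -gt (Get-Date) }
foreach ($s in $suspect) {
    "{0} stamped {1} (raw {2})" -f $s.DC, $s.lastLogon, $s.RawLastLogon
    Get-WinEvent -ComputerName $s.DC -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4768, 4776
        StartTime = $s.lastLogon.AddHours(-1)
        EndTime   = $s.lastLogon.AddHours(1)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($sam) } |
        Select-Object TimeCreated, Id, MachineName
}
```

If the events show a genuine authentication by a disabled or terminated account, that is the incident to chase; if there are none and the DC's clock was off at the time, the value is a clock artifact and lastLogonTimestamp across the other DCs gives the real last activity.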

Connection Logger tool used for Logging DNS Traffic.


Hi All,

I have an environment where we have 10 Windows Server 2008 domain controllers. We are upgrading the DCs to Windows Server 2016 using the side-by-side approach. Before doing this we are capturing the DNS traffic from the old servers using the Connection Logger tool. After capturing the traffic these servers will be decommissioned. Currently the ports we are monitoring using the tool are:

TCPPorts=53,88,139,389,3269

UDPPorts=53,88,389

We expect that after decommissioning the server we should not be getting any traffic on the LDAP ports (389 & 3269), as the DNS service is not on the server to establish a connection on these ports, but we are still seeing entries in the Connection Logger logs for ports 389 & 3269.

The questions that I have are:

1. Is my understanding of the decommissioning process mentioned above right?

2. Does the Connection Logger tool only log established DNS connections (when the server is a domain controller) or will it also log unestablished connections (after decommissioning the server)?

Thanks,

Pranay.

windows Server 2016


Hi,

We are using Windows Server 2016, and the client machines are Windows and Mac.

Windows machines are successfully able to join the domain. If we try to join Mac machines to the domain we get error messages 10001 and 5202, authentication error. I am putting in the correct credentials.

Please suggest.

Thanks,

Udaiyar


Can`t see users property from ForeignSecurityPrincipals OU


Hi,

In the organization there are two domains with a two-way trust, qwe.com and zxc.com. I added two new domain controllers to zxc.com and have a problem.

When I add a user from qwe.com to a group in zxc.com, and after that try to show the members:

On the new domain controller I can see this

 

and on the old domain controllers it is OK.

From the new domain controller I can search users from the qwe.com directory. In the ForeignSecurityPrincipals OU (on the new domain controller) I can see objects as SIDs and cannot see their attributes. On the old controller, I can see the objects and their properties.

BPA error is:

Title:
Domain controller DC02.zxc.com must have "Access this Computer from the Network" granted to the appropriate security principals
Severity
Error
Problem:
Domain Controller DC02.zxc.com does not have user right "Access this computer from the network" granted to 'Builtin Administrators', 'Enterprise Domain Controllers' or 'Authenticated Users', or has the user right "Deny access to this computer from the network" assigned to either of those groups or 'Everyone'.

Impact:
Replication operations initiated by other domain controllers in the domain or by administrators may fail. Users and computers may also experience failure to apply Group Policy objects.

Resolution
Verify that the domain controllers in the domain zxc.com have this user right granted to the appropriate security principals. Using Group Policy Management and Group Policy Results, verify that the winning Group Policy for the "Access this computer from the network" user right grants that right to the 'Builtin Administrators', 'Enterprise Domain Controllers', and 'Authenticated Users' groups. Verify that the policy setting "Deny access to this computer from the network" does not have 'Everyone', 'Authenticated Users', 'Builtin Administrators' or 'Enterprise Domain Controllers' groups defined in it.


http://go.microsoft.com/fwlink/?LinkId=168844


I check policy, and all permission are default.

Title:
Domain controller DC02.zxc.com must have "Enable computer and user accounts to be trusted for delegation" granted to the Builtin Administrators security group

Problem:
Domain controller DC02.zxc.com must have the "Enable computer and user accounts to be trusted for delegation" user right granted to the Builtin Administrators security group if domain controller DC02.zxc.com is used as a replication partner during a domain controller promotion.

Impact:
Installation of additional domain controllers (promoting replica domain controllers) in domain zxc.com may fail if they select domain controller DC02.zxc.com as a replication partner during the installation.

Resolution
Verify that the current domain controllers in domainzxc.com  have the "Enable computer and users accounts to be trusted for delegation" user right granted to the Builtin Administrators group

http://go.microsoft.com/fwlink/?LinkId=168842

Title:
SID filtering is not enabled for external trust qwe.com

Problem:
SID filtering is not enabled for external trust qwe.com established with domain zxc.com

Impact:
If authentication occurs across an external trust boundary (where the user and the computer hosting the resource are in different domains), a vulnerability exists because domain zxc.com (the trusting domain) does not verify that the trusted domain qwe.com is actually authoritative for all the SIDs in the authorization data (that is, the access token). It is possible for an attacker or rogue administrator to insert SIDs into the authorization data presented to this trusting domain  zxc.com.

Resolution
Enable SID filtering for external trust qwe.com by using the netdom trust /quarantine:yes command. Enabling SID filtering may prevent users from accessing resources in your environment. Before enabling SID filtering for the trust, you should review the detailed resolution procedures for this BPA rule.

http://go.microsoft.com/fwlink/?LinkId=168864
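The symptom in this post (raw SIDs instead of names for members from the other domain) means the new DC cannot translate those SIDs through the trust, and the BPA output adds an unrelated but more serious finding: SID filtering is off on the external trust, so qwe.com could present authorization data containing zxc.com SIDs (for example via SID history) and zxc.com would honour them. The added example below, not from the original post, does two things: lists every trust with its SID-filtering and selective-authentication state, and walks the ForeignSecurityPrincipals container resolving each SID so you can see which ones fail to translate from the DC you run it on. The netdom commands are shown as comments because enabling quarantine can cut off users who rely on SID history.

```powershell
# Added example, not from the original post. Run on (or against) the DC that shows raw SIDs.
Import-Module ActiveDirectory

# 1. Trust inventory: SIDFilteringQuarantined is the "quarantine" the BPA rule refers to
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# Same state from netdom, and the switch that enables SID filtering on the external trust:
#   netdom trust zxc.com /domain:qwe.com /quarantine          (show current state)
#   netdom trust zxc.com /domain:qwe.com /quarantine:yes      (enable; review SID-history dependencies first)

# 2. Resolve every foreign security principal from this DC's point of view
$fspContainer = "CN=ForeignSecurityPrincipals,$((Get-ADDomain).DistinguishedName)"
$fsps = Get-ADObject -SearchBase $fspContainer -SearchScope OneLevel `
            -Filter 'objectClass -eq "foreignSecurityPrincipal"' -Properties objectSid, memberOf |
ForEach-Object {
    $sid = $_.objectSid
    $resolved = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    [PSCustomObject]@{
        SID        = $sid.Value
        Resolved   = if ($resolved) { $resolved } else { '<unresolved>' }
        IsWellKnown = $sid.Value -notmatch '^S-1-5-21-'     # S-1-5-11 etc. are built-in, not trust-related
        MemberOf   = ($_.memberOf -join '; ')
    }
}
$fsps | Format-Table -AutoSize

# Unresolved domain SIDs (S-1-5-21-...) are the ones the trust lookup failed for from here
$fsps | Where-Object { -not $_.IsWellKnown -and $_.Resolved -eq '<unresolved>' }
```

Run the same script against an old DC (Get-ADObject -Server) to confirm the SIDs resolve there; a difference between the two points at name resolution, firewall rules, or the "Access this computer from the network" right on the new DC that the BPA also flagged, rather than at the trust itself.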


DFSR Staging File - There are folders numbered 00-99 Please explain.


When I visit the Staging folder there are folders numbered 00-99 and I saw a lot of files. What is the usage of those folders and those files? Please explain.

3200-{7F3D6A72-7639-4C9A-AEBC-144FDD7BD66E}-v3200-{7F3D6A72-7639-4C9A-AEBC-144FDD7BD66E}-v3200-Downloaded.frx


Workstation Local Admin Query


Hi,

I have been using the function below to grab the local Administrators group of a workstation. I want to import and export a CSV of hundreds of workstations, but I also need to include workstations where it errored because they were not on. Any help on how to proceed with this?

function Get-LocalAdministrators {
    param ([string]$ComputerName = $env:COMPUTERNAME)

    $ComputerName = $ComputerName.ToUpper()
    try {
        # -ErrorAction Stop turns an unreachable or powered-off host into a catchable error
        $admins = Get-WmiObject -ComputerName $ComputerName -ErrorAction Stop `
            -Query "select * from win32_groupuser where GroupComponent=""Win32_Group.Domain='$ComputerName',Name='administrators'""" |
            ForEach-Object { $_.PartComponent }
    } catch {
        # Emit one row for the failed machine so it still appears in the CSV
        return [PSCustomObject]@{
            MachineName = $ComputerName; FullName = ''; DomainName = ''; UserName = ''
            Error       = $_.Exception.Message
        }
    }

    foreach ($admin in $admins) {
        # PartComponent looks like \\HOST\root\cimv2:Win32_UserAccount.Domain="DOM",Name="user"
        $admin = $admin.Replace("\\$ComputerName\root\cimv2:Win32_UserAccount.Domain=", "") # trims the results for a user
        $admin = $admin.Replace("\\$ComputerName\root\cimv2:Win32_Group.Domain=", "")       # trims the results for a group
        $admin = $admin.Replace('",Name="', "\")   # leaves DOMAIN\name
        $admin = $admin.Replace('"', "")           # strips the last "

        [PSCustomObject]@{
            MachineName = $ComputerName
            FullName    = $admin
            DomainName  = $admin.Split("\")[0]
            UserName    = $admin.Split("\")[1]
            Error       = ''
        }
    }
}

Import-Csv "path" | ForEach-Object { Get-LocalAdministrators -ComputerName $_.computername } | Export-Csv "path" -NoTypeInformation

Event log 4625, Status =0xc000006D, 0xc0000064 , what is this log and why getting generate.


Hi Everybody,

I want to monitor account auditing on my domain controller: who logged in to a domain machine and when, how many users tried to log in to the domain, and how many failed login attempts happened.

For this, I did some R&D over the internet and enabled the account audit, logoff and logon policies from GPO. But there are lots of alerts being generated with different account names. I have pasted one event log below. I searched over the internet; they said that the 0x0000064 error is related to the user account not existing.

Now the question is, when the user account does not exist, then why are these alerts being generated, or who is trying to log in? I don't understand. You guys have lots of experience and I believe you must know about it. Could you please let me know about it?

Thanks for you help.

Account name =NRTQQ   , Status =0xc000006D, 0xc0000064, login type =3

 administrator = , 6d, 6a 


An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		BUSTER
	Account Domain:		

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC0000064

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	-
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
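The event above is an NTLM network logon (type 3) for an account that does not exist (sub-status 0xC0000064), with no source address and no workstation name, which is what a 4625 looks like when the DC validated the attempt on behalf of another computer through Netlogon pass-through rather than receiving it directly. In that case the DC also writes event 4776 ("The computer attempted to validate the credentials for an account"), whose Source Workstation field names the machine that sent the request, so correlating the two answers the "who is trying" question. The added example below, not from the original post, summarises both event types for the last day; the time window is an assumption.

```powershell
# Added example, not from the original post. Assumption: a 24-hour window; run on the DC.
$since = (Get-Date).AddDays(-1)

# Flatten an event's EventData into a name -> value hashtable
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    $data
}

# NT status sub-codes that appear in 4625 SubStatus and 4776 Status
$statusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired'
    '0xc0000072' = 'account disabled'
    '0xc0000193' = 'account expired'
    '0xc0000234' = 'account locked out'
}

$failed4625 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
ForEach-Object {
    $d = ConvertFrom-EventData $_
    [PSCustomObject]@{
        Time        = $_.TimeCreated
        Account     = $d['TargetUserName']
        LogonType   = $d['LogonType']
        Reason      = $statusText["$($d['SubStatus'])".ToLower()]
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        Package     = $d['AuthenticationPackageName']
    }
}

"=== 4625: which accounts fail most on this DC, and why ==="
$failed4625 | Group-Object Account, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4776: NTLM validations the DC performed for other computers. Status 0x0 is success;
# Workstation is filled in even when the matching 4625 shows '-' for its source.
"=== 4776: which computers are sending the failed NTLM validations ==="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
ForEach-Object {
    $d = ConvertFrom-EventData $_
    if ($d['Status'] -ne '0x0') {
        [PSCustomObject]@{
            Time        = $_.TimeCreated
            Account     = $d['TargetUserName']
            Workstation = $d['Workstation']
            Reason      = $statusText["$($d['Status'])".ToLower()]
        }
    }
} | Group-Object Workstation, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A steady stream of non-existent user names from one workstation is usually a stale credential in a service, a mapped drive or a scheduled task on that machine; the same names arriving from many different sources, or from an address that is not one of your member servers, is the pattern to treat as a password-spraying or enumeration attempt.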

block a website on server 2012


Please explain to me the detailed procedure for blocking a website on Server 2012 R2.

I have found many procedures but none are effective.
