Channel: Directory Services forum
Viewing all 31638 articles

User cannot Change password using Powershell


Hi,

I need help in setting "user cannot change password" for a set of domain accounts in my organisation. I have sorted out "Password never expires" for those accounts, for which I am using the below PS cmd:

import-csv C:\POWERSHELL\GroupAddition.csv | ForEach {Get-QADUser "DOMAIN\$($_.samAccountName)" -connection $ARSConnection | Set-QADUser -PasswordNeverExpires:$True -connection $ARSConnection}

This works fine for password never expire.

But when I use the same command with the attribute name for cannot change the password, it is failing with parameters not correct.

import-csv C:\POWERSHELL\GroupAddition.csv | ForEach {Get-QADUser "DOMAIN\$($_.samAccountName)" -connection $ARSConnection | Set-QADUser -CannotChangePassword:$True -connection $ARSConnection}

I did various searches on the net but failed to get a complete answer. In many places they say to use the same attribute I used above, but it is not working in my case.

Abhi
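As an added example (not the poster's code, and not the Quest/ARS cmdlets used above), the same bulk change can be done with the Microsoft ActiveDirectory module, whose Set-ADUser exposes both flags as parameters. It assumes the CSV path from the post, a samAccountName column, and that RSAT's ActiveDirectory module is installed; the $Server parameter and the read-back step are my additions so the output reflects what one DC actually stored.

```powershell
# Added example: bulk-set "Password never expires" and "User cannot change password"
# with Set-ADUser (ActiveDirectory module) rather than Set-QADUser.
# Assumptions: C:\POWERSHELL\GroupAddition.csv has a samAccountName column and the
# ActiveDirectory module is available. Run with -WhatIf first to preview changes.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath = 'C:\POWERSHELL\GroupAddition.csv',
    # Pin one DC so the write and the read-back below hit the same replica
    [string]$Server  = (Get-ADDomain).PDCEmulator
)

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = $row.samAccountName.Trim()
    try {
        $user = Get-ADUser -Server $Server -Identity $sam -ErrorAction Stop
    } catch {
        Write-Warning "Account '$sam' not found on $Server; skipping"
        continue
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Set PasswordNeverExpires and CannotChangePassword')) {
        # PasswordNeverExpires sets the DONT_EXPIRE_PASSWORD bit in userAccountControl;
        # CannotChangePassword is stored as Deny "Change Password" entries in the
        # object's ACL, which is why it is not a plain attribute you can set by name.
        Set-ADUser -Server $Server -Identity $user -PasswordNeverExpires $true -CannotChangePassword $true
    }

    # Read the flags back so the report shows the stored state, not the request
    $after = Get-ADUser -Server $Server -Identity $user -Properties PasswordNeverExpires, CannotChangePassword
    [pscustomobject]@{
        SamAccountName       = $after.SamAccountName
        PasswordNeverExpires = $after.PasswordNeverExpires
        CannotChangePassword = $after.CannotChangePassword
    }
}

$results | Format-Table -AutoSize
```

Because "cannot change password" is an ACL change rather than a userAccountControl bit, verifying it afterwards (as the read-back does) is worth keeping in any bulk script: a permissions problem on the object can leave the first flag set and the second silently unchanged.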


New Replica Of AD LDS Fails When Functional Level Is Too High


I have a simple AD LDS instance setup on a Windows 2016 server:

c:\windows\ADAM\adaminstall /answer:E:\ADLDS\instance3\adaminstall.cfg

with the following content in E:\ADLDS\instance3\adaminstall.cfg:

[ADAMInstall]
ApplicationPartitionsToReplicate=*
InstallType=Unique
InstanceName=instance2
LocalLDAPPortToListenOn=3891
LocalSSLPortToListenOn=6361
AddPermissionsToServiceAccount=Yes
NewApplicationPartitionToCreate=dc=com
DataFilesPath=E:\ADLDS\instance2\data
LogFilesPath=E:\ADLDS\instance2\log
Administrator=myAdminGroup

I can add a replica instance using the following install file:

[ADAMInstall]
ConfigurationSetLevel=5
ApplicationPartitionsToReplicate=*
InstallType=Replica
InstanceName=instance3
LocalLDAPPortToListenOn=3892
LocalSSLPortToListenOn=6362
DataFilesPath=E:\ADLDS\instance3\data
LogFilesPath=E:\ADLDS\instance3\log
SourceServer=localhost
SourceLDAPPort=3891
Administrator=MyAdminGroup


But if I change the functional level of the first instance to WIN2012R2 (msDS-Behavior-Version=6) before I create the replica instance, the creation of the replica fails:

Active Directory Lightweight Directory Services could not create the NTDS Settings object for this Active Directory Lightweight Directory Services instance CN=NTDS Settings,CN=<Server name>$instance3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={6BA71401-BACF-47A0-A59B-9F8CC9A6E9C2} on the remote AD LDS instance localhost:3891. Ensure the provided network credentials have sufficient permissions.
Error code: 0x80072177
The version of the operating system installed on this server is incompatible with the functional level of the domain or forest.

This problem is already described in https://jorgequestforknowledge.wordpress.com/category/active-directory-lightweight-directory-services-adlds/functional-level/, but there the author says this issue no longer exists in Windows 2016; apparently it does.

Is there any way one can add a replica to an AD LDS instance where the functional level is WIN2012R2?

AD password expiry exceptions


Morning everyone,

I'm a newbie to AD and I've been tasked with looking into a way we can put exceptions into our password expiration policy. Currently, our password expiry policy is set to 90 days, but we'd like to add an exception so that passwords do not expire on certain days (i.e. Saturdays, Sundays, December 25th etc.).

Would anyone know if this is possible, and if so, where I'd need to start, please?

Appreciate the help,

DHCP shows incorrect and disabled Network Adapter setting


DHCP is still working as I tested it with ipconfig /release and ipconfig /renew.

The weird thing is that DHCP shows the disabled, unconfigured network adapter's IP address at the top instead of the correct adapter with the IP address 192.168.18.11.
However, when I right-click this 169.254.25.243 address and left-click Add/Remove Bindings, it shows the correct Ethernet adapter and the correct IP address.

This is true on both DHCP Servers which are in a failover.

How do I correct this?

Reset Server node error when launching WSUS


Hi Everyone. Can anyone tell me why I keep getting the following error message when launching WSUS? When I click 'Reset Server Node' nothing happens. It seems the only way to remedy the problem is to reboot the server, which is counterproductive. Once the server comes back up it works fine until after a period of time. I have researched this but haven't found a solution. Any thoughts would be appreciated.

 

Support analyst

Active Directory - Group Policy to Audit Network Shared Drive


I have a network shared drive (hosted on my file server) that I would like to audit. On my DC I have set up a group policy called "My auditing policy".

Then in “Group Policy Management Editor”, under “Computer Configuration” - “Policies” - “Windows Settings” - "Security Settings" - “Local Policies” - "Audit Policy", I defined a policy to audit "Success" and "Failure". Then on my DC I ran "gpupdate /force", which gave me a warning that some policy would involve redirected drives and that I needed to log off for the policy to take effect, which I did.

I then proceeded to my file server where this network shared drive is located. This drive has subdirectories...

    my shared drive

  • directory 1
  • directory 2
  • directory 3
  • ..............
  • ...............

I right-clicked directory 2, then "Properties" - "Security" - "Advanced", and enabled auditing of this folder (where the Principal was "Everyone").

I went as a regular user (usernameA) on a different computer (all machines are domain members) and opened a file within directory 2, and when I went to my file server machine and looked in Event Viewer under Security I could not find any logs for "usernameA". So I have 2 questions...

  1. How does the policy know which directory needs to be audited?
  2. Why am I not seeing any logs in Event Viewer on my file server?

 


AD Lockouts for 1 User

Hello, I am currently troubleshooting an issue with one user at our company. Specifically, they are getting locked out whenever they type in their password once when they sign in for the day at their desk, as well as when they lock the screen to go away from their desk for lunch and then log back in when they return. I am stumped on what could be causing this, as I have checked Task Scheduler, Services and Credential Manager, removed OWA for Devices entries so they don't have email on their phone, and turned on Diagnostic Startup to limit what services are started when the PC boots. Any suggestions on where I should check next?

one KMS client suddenly cannot activate - Non authentic message, that is not true


Hi,

2 KMS servers are in place in a large environment.

Functioning flawlessly.

Today I got a request for one W7 machine that has been on the network for at least a couple of years.

The problem is that it cannot activate from KMS, with a false visual message that it is not authentic.

After some basic diagnostics I have to ask the forum. There are similar topics on the web, but I have my MGADiag output.

Before asking... I checked that the machine properly sees the KMS servers populated by DNS.

The Telnet connection is fine.

So, please see the MGADiag output... I have never seen this thing, so I would like to have a solution in case there are more machines with the same symptom.

I can try to enter a MAK address tomorrow; for now I'm not sure whether it will help in case of KMS client corruption or else...

 Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 50
Cached Online Validation Code: 0xc004c4a2
Windows Product Key: *****-*****-J8D7P-XQJJ2-GPDD4
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85570
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {234352AF-9C25-4791-9609-9DC91D989E5A}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_ldr.181111-0600
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: 
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{234352AF-9C25-4791-9609-9DC91D989E5A}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-GPDD4</PKey><PID>00371-868-0000007-85570</PID><PIDType>1</PIDType><SID>S-1-5-21-2746169226-2174554052-403190442</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq Elite 8300 SFF</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>K01 v02.05</Version><SMBIOSVersion major="2" minor="7"/><Date>20120507000000.000000+000</Date></BIOS><HWID>F0693307018400FE</HWID><UserLCID>0C0C</UserLCID><SystemLCID>040C</SystemLCID><TimeZone>Est(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Version du service de licences logicielles : 6.1.7601.17514

Nom : Windows(R) 7, Professional edition
Description : Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
ID d’activation : b92e9980-b9d5-4821-9c94-140f632f6312
ID d’application : 55c92734-d682-4d71-983e-d6ec3f16059f
PID étendu : 00371-00170-868-000000-03-3084-7601.0000-0082019
Identificateur d’installation : 002206180062226935007631966903565173031974676454729006
Clé de produit partielle : GPDD4
Statut de la licence : notification
Raison de la notification : 0xC004F200 (non authentique).
Nombre de réinitialisations de Windows restant : 2
Heure approuvée : 2019-01-08 18:20:13
Utilisez slmgr.vbs /ato pour activer et mettre à jour les informations sur le client KMS afin de mettre à jour les valeurs.

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0xC004C4A2
HealthStatus: 0x0000000000000000
Event Time Stamp: 1:8:2019 12:55
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: LgAAAAEAAgABAAIAAAABAAAAAQABAAEA6GEmRvaZEsL4uVpbeIQUrY7/lBiWYw==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name   OEMID Value   OEMTableID Value
  APIC              HPQOEM        SLIC-BPC
  FACP              HPQOEM        SLIC-BPC
  HPET              HPQOEM        SLIC-BPC
  MCFG              HPQOEM        SLIC-BPC
  SSDT              SataRe        SataTabl
  SSDT              SataRe        SataTabl
  SLIC              HPQOEM        SLIC-BPC
  SSDT              SataRe        SataTabl
  SSDT              SataRe        SataTabl
  TCPA              APTIO4        NAPAASF
  ASF!              INTEL         HCG
  BGRT              HPQOEM        SLIC-BPC


--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis


Windows Server File Auditing Condition


Hello

I am trying to audit all file accesses for a specific folder structure (right-click on folder --> Properties --> Security --> Advanced --> Auditing), but I want to exclude one single user (service account "acct.deletefiles", which deletes old files based on a schedule).

My understanding is that I have to add a condition to the audit rule as below:

https://imgur.com/a/GNQ5DJl

User     Group      Not member of each        Value        1 item(s) selected

"1 item(s) selected" is a Domain Local Active Directory security group of which the account ".acct.deletefiles" is a member.

Nevertheless, all file accesses for this user are logged. What am I doing wrong?

Thanks in advance
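As an added example (not the posters' code), the script below covers the two questions above that share a mechanism: the earlier "Active Directory - Group Policy to Audit Network Shared Drive" post (why a folder produces no entries) and this one (why an account still appears). The GPO only switches the audit subcategory on; the SACL on the folder decides which objects are audited, and the resulting 4663 events name the account. The folder path, the service account name and the lookback window are placeholders; it assumes it is run elevated on the file server.

```powershell
# Added example: (1) confirm the "File System" subcategory is on and put a SACL entry
# on the folder, since the GPO alone does not select any folder; (2) summarise the
# 4663 object-access events under that path per account, which shows whether a given
# account is still being audited. $FolderPath and $ExcludeAccount are placeholders.
#Requires -RunAsAdministrator
param(
    [string]$FolderPath     = 'D:\Shares\directory 2',
    [string]$ExcludeAccount = 'DOMAIN\acct.deletefiles',
    [int]$LookbackHours     = 24
)

# (1) The policy side: 4663 only fires when this subcategory audits Success/Failure.
auditpol /get /subcategory:"File System"

# The object side: an audit rule for Everyone, success and failure, inherited to
# subfolders and files. Get-Acl -Audit is needed to read and write the SACL.
$acl  = Get-Acl -Path $FolderPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# (2) Who has been audited under that path: 4663 carries the caller in
# SubjectDomainName/SubjectUserName and the file in ObjectName.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.ObjectName -like "$FolderPath*") {
        [pscustomobject]@{
            Account    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            ObjectName = $data.ObjectName
            AccessMask = $data.AccessMask
            Time       = $e.TimeCreated
        }
    }
}

$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# A conditional audit entry tests group membership against the caller's access token,
# so a group added after the service last logged on is not seen until it logs on again.
if ($rows | Where-Object Account -eq $ExcludeAccount) {
    Write-Warning "$ExcludeAccount still appears in 4663 events under $FolderPath"
}
```

Running part (2) before and after changing the SACL or the condition gives a concrete before/after count per account, which is easier to reason about than scrolling the Security log by hand.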


DFSR 4010 and 2010


I am running Windows Server 2012 R2 and have been testing DFSR for several months.  I have noticed in the event viewer every night that replication is stopped because of a backup operation (1102) and subsequently restarts (1104) and contacts the DC (1206).  The issue is it also logs events 4010 and 2010 saying the DFS Replication service detected that the replicated folder has been removed from configuration.  And that the DFS Replication service has detected that all replicated folders on volume F: have been disabled or deleted. 

The strange thing is that according to DFS management, my replication group is green and happy.  Also files are replicating fine as they always have.

I have reviewed other posts, but I'm still foggy as to how this can be resolved.

Any help is greatly appreciated.

DFSR 4004 Error:9226


Hi,

I have two replication groups on this virtual Windows 2012 R2 server both replicating to the same target virtual Windows 2012 R2 server.  The replication groups are both working and files are replicating as designed.

Each night at around 11pm this file server (and others) is backed up via EMC Avamar. At this time, as I believe is expected, the replication service stops (1102) due to the backup and subsequent snapshot. The replication service subsequently restarts (1206) and then, 1 second later, each RG logs event ID 4004 with Error: 9226.

 

The DFS Replication service stopped replication on the replicated folder at local path F:\DFS_Shares\Data. 

Additional Information: 
Error: 9226 (Multiple volumes share the same volume serial number which prevents DFSR from finding the right volume) 
Additional context of the error:   
Replicated Folder Name: RFData 
Replicated Folder ID: 0FCA83F3-C440-4157-B9C9-97B9E5C3DA4F 
Replication Group Name: RGData 
Replication Group ID: EDF8035C-3B84-41A8-8C83-EA18F9E489F4 
Member ID: 32CFD858-CF89-404B-B041-F473431923AC

 

The DFS Replication service stopped replication on the replicated folder at local path F:\DFS_Shares\Notes. 

Additional Information: 
Error: 9226 (Multiple volumes share the same volume serial number which prevents DFSR from finding the right volume) 
Additional context of the error:   
Replicated Folder Name: RFNotes 
Replicated Folder ID: F593A73D-FAD0-475A-93F1-2CA289A9982C 
Replication Group Name: RGNotes 
Replication Group ID: 881DAB4A-FA1E-4719-BB5D-FDC9ECBC2534 
Member ID: D70C4240-5476-4A93-A2A8-07E92DA98232

This is closely followed by each RG logging event ID 4002 which leads me to believe things are well at that point.  The target or secondary server does not log the 4004 events.

When I check the volume serials, I do not find any duplicates.

Tier Model and exceptions: Exchange installation, Azure ADSync


We are planning to build a new domain following the Tier model. But there are a lot of exceptions, where Microsoft is not enabling delegation. Any suggestions, how it is supposed to function in the scenarios below?

1. Exchange 2016 and 2019 require Enterprise Admins rights for a first server installation. That means, Tier0 hash will be stored on a Tier1 server, which is Exchange. Which is not good at all, but maybe there are some good ways to minimize this risk? What is it then? Should we install Exchange while logged on to a special account and then disable account and remove from EA group after installation?

2. Azure AD Sync. For installation and for enabling certain features, it requires Enterprise Admins. Not possible to delegate. How is it compatible with a Tier model?

So I believe that while we cannot enforce Tier model, there is zero benefit in implementing something stricter, like Bastion/ESAE.


MCSE, MCITP

Migrating AD to a new forest and migrating client computers and users without effect


Dear Forum, 

I have 2 domains, abc.com and efg.com. We will have a new domain and forest, hij.com, and migrate all users from abc.com and efg.com to hij.com. We want to do the migration without affecting the computers and users. Can anyone advise about the migration process for this project?


Sokneang SAM

Decommission of WINS server


Hi,

In my AD infrastructure, my client PCs are still using a WINS address.

Do we need WINS for the Active Directory infrastructure?

If both WINS and DNS are assigned in TCP/IP, which name resolution process will the client PC use for contacting the domain controller?

Will there be any outage if WINS is removed from the network? Please assist.

AD infrastructure details:

AD:2012

Client PC: Xp3 and above


Owner on security tab - advanced security in properties of "domain root" in ADUC

I would like to know the default owner of the domain root (acme.local) in ADUC under Properties --> Security --> Advanced, and what the consequences of changing this are. Would there be any reason to change this? Normally, when the domain is created/installed, the account is a domain admin account and the Administrators group is the owner. I just need some more information that I have not been able to find on the net. Thank you in advance.

What's the byte limit (length) of the Organizational Unit?


Hi, this is on Windows Server 2018 R2 Enterprise edition.

I got this error when I added an organizational unit.

org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException: 00002082: AtrErr: DSID-03050C79, #1:
        0: 00002082: DSID-03050C79, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att b (ou):len 160

I'm guessing that the length of the organizational unit name causes the error.

So here's my question: where can I find the maximum length of strings I can use?

Thank you. 

Access is denied error when creating a GPO


Hi,

I got the "Access is denied" error when I attempt to create a GPO. Can anyone help me? Thanks


Kerberos Encryption Types


Dear

I need to know, in Kerberos exchange messages from the client to the KDC and vice versa, what type of encryption is used in these messages,

and where the encryption method DES is used in Kerberos.

One more question: I need to know the encryption type for

AS-Req, AS-Rep, TGS-Res, TGS-Rep and AP-Req

Thanks a lot

Help Needed: Authentication Policies and Authentication Policy Silos Will Not Work


I'm trying to restrict logon access to our org's domain controllers using an Authentication Policy and/or Authentication Policies with an Authentication Policy Silo. I'm working with a single privileged account, a bastion host, a management server and the forest domain controllers. The only account not in the target Active Directory forest is the bastion host.

I've tried the instructions in each of the following articles, with no results:

Authentication Policies and Authentication Silos – Restricting Domain Controller Access

Using Authentication Policies to Restrict Privileged User Account Logons

How To Configure Protected Accounts - Authentication Policies

I've tried the suggestions in this thread and the few others I've managed to find: https://social.technet.microsoft.com/Forums/windowsserver/en-US/751659d0-aae0-486e-ab6d-820e5384a855/authentication-policies-and-silos-not-working-properly?forum=winserverDS

I've even tried removing the non-domain-joined bastion from the equation by replacing it with a domain-joined workstation with direct access to the management server.

Regardless of what I do, I continue to see events in the AuthenticationPolicyFailures-DomainController logs on the domain controllers like the following:

Additionally, after poring over the existing documentation, I've searched for more detailed information on the different parts of the authentication policy and how authentication policies work and have turned up nothing.

Has anyone set up an Authentication Policy and/or Authentication Policy Silo that actually works?  Is there any detailed information out there on the different parts/attributes of an authentication policy?

Deploy GPO allow Applocker Adobe XD CC 2018.



We have some issues with AppLocker and Adobe XD CC. When we block opening the Windows Store via GPO it works (the Windows Store can't open), but when we install Adobe XD CC it also cannot open; it alerts "This app has been blocked by your system administrator." "Contact your system administrator for more info."

What should we do about these issues?
We are using Windows Server 2012 R2 and Windows 10 Enterprise 1803.




--Samdy
