Channel: Directory Services forum
Viewing all 31638 articles

Disable AD User after period of inactivity?

Hi everyone, how can you implement a GPO setting that disables an AD user after a period of inactivity or a period during which they have not logged on? Thanks!
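There is no Group Policy setting that disables an account after a period of inactivity; what administrators do instead is run a scheduled PowerShell task with the ActiveDirectory module. The script below is an added example written for this digest, not code from the original post or from Microsoft; the OU, the report path and the 90-day threshold are assumptions, and it skips accounts created after the cutoff because a brand-new account that has never logged on is not stale.

```powershell
Import-Module ActiveDirectory

function Disable-InactiveADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$DaysInactive = 90,                                    # assumed threshold
        [string]$SearchBase = 'OU=Staff,DC=example,DC=com',         # assumed OU
        [string]$ReportPath = "$env:ProgramData\InactiveUsers.csv"  # assumed report location
    )
    $cutoff = (Get-Date).AddDays(-$DaysInactive)

    # Search-ADAccount evaluates lastLogonTimestamp, which replicates but is only refreshed
    # every 9-14 days, so thresholds much below 30 days produce false positives.
    $candidates = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($DaysInactive)) `
                                   -UsersOnly -SearchBase $SearchBase |
                  Where-Object { $_.Enabled }

    $report = foreach ($acct in $candidates) {
        $user = Get-ADUser -Identity $acct.DistinguishedName -Properties whenCreated, lastLogonTimestamp, description
        # A freshly created account has no logon yet: that is "new", not "stale".
        if ($user.whenCreated -gt $cutoff) { continue }
        $lastLogon = if ($user.lastLogonTimestamp) { [DateTime]::FromFileTime($user.lastLogonTimestamp) } else { 'never' }

        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable (last logon: $lastLogon)")) {
            Disable-ADAccount -Identity $user
            # Leave an audit trail on the object itself so the next admin knows why it is disabled.
            Set-ADUser -Identity $user -Description ("Disabled for inactivity {0:yyyy-MM-dd}; was: {1}" -f (Get-Date), $user.description)
        }
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            LastLogon         = $lastLogon
            Created           = $user.whenCreated
            DistinguishedName = $user.DistinguishedName
        }
    }
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    $report
}

# Dry run first, then schedule the real run (e.g. daily) under an account that only has
# write access to userAccountControl on the target OU.
# Disable-InactiveADUser -DaysInactive 90 -WhatIf
# Disable-InactiveADUser -DaysInactive 90
```

Keep service accounts and shared mailboxes in a separate OU (or exclude them by group) before scheduling this; an account that authenticates only with Kerberos service tickets may never update lastLogonTimestamp and would otherwise be disabled.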

Event ID 4740 User Account Management Account Locked Out but Audit Success


Hi, can anyone advise me on this?

One of my users keeps getting their account locked out; however, it stays locked even after I unlock it.

I checked Event Viewer; it shows that the account was locked out, but the audit result is Success.

Logon ID: 0x3E7

Why is the audit result Success when the account is locked out? Anyone?


Nursyafika
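Two points of background, and then an added example that is not part of the original post. Event 4740 is logged as an Audit Success because the audit records that the lockout itself was carried out successfully, not that anyone logged on; and Logon ID 0x3E7 is the well-known LocalSystem logon session of the domain controller, because the DC applies the lockout on its own behalf. An account that re-locks as soon as it is unlocked is still being hit with a stale credential from somewhere (a cached password, mapped drive, scheduled task or mobile device), and the event's "Caller Computer Name" field says where from. The function below queries the PDC emulator, which records every lockout in the domain, and extracts that field; the account and computer names are whatever is in your log.

```powershell
Import-Module ActiveDirectory

function Get-ADLockoutSource {
    param(
        [string]$User,      # optional sAMAccountName filter
        [int]$Hours = 24
    )
    # Every lockout is forwarded to the PDC emulator, so one query covers the whole domain.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # In the 4740 schema the locked account is TargetUserName and the machine that
            # submitted the bad credential ("Caller Computer Name") is carried in TargetDomainName.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']
                RecordedOn     = $pdc
            }
        } |
        Where-Object { -not $User -or $_.Account -eq $User }
}

# A single machine that keeps reappearing as CallerComputer is the one still replaying the
# old password; fix it there rather than unlocking the account again.
# Get-ADLockoutSource -User 'jsmith' -Hours 48 | Group-Object CallerComputer | Sort-Object Count -Descending
```

Reading the Security log on the PDC remotely needs membership in Event Log Readers (or equivalent) on that DC and the Remote Event Log Management firewall rule enabled there.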

DC information


Hi Experts

I am logged in to one of the jump servers and I want to pull how many domain controllers there are in my domain. Please help me with the PowerShell syntax.
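As an added example (not from the post), the following lists the domain controllers with the details that matter when you later troubleshoot replication or demotions (site, OS, global catalog, FSMO roles) and then cross-checks the directory's list against the SRV records in DNS; a host present in only one of the two lists is either a DC whose records are missing or a record left behind by a demoted DC. It assumes the RSAT ActiveDirectory module and the DnsClient module that ships with Windows 8/2012 and later.

```powershell
Import-Module ActiveDirectory

function Get-DCInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # defaults to the current domain
    Get-ADDomainController -Filter * -Server $Domain |
        Select-Object HostName, Site, IPv4Address, OperatingSystem, IsGlobalCatalog, IsReadOnly,
                      @{ Name = 'FsmoRoles'; Expression = { $_.OperationMasterRoles -join ',' } }
}

# Compare what the directory says with what DNS advertises under _ldap._tcp.dc._msdcs.
function Compare-DCWithDns {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $fromAd  = Get-DCInventory -Domain $Domain | ForEach-Object { $_.HostName.ToLower() } | Sort-Object -Unique
    $fromDns = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
               Where-Object { $_.NameTarget } |                 # drop the additional A records
               ForEach-Object { $_.NameTarget.ToLower() } | Sort-Object -Unique
    Compare-Object -ReferenceObject $fromAd -DifferenceObject $fromDns   # no output = consistent
}

$inv = @(Get-DCInventory)
"{0} domain controllers found" -f $inv.Count
$inv | Format-Table -AutoSize
Compare-DCWithDns
```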

Change the maximum password age to just a group


Hello,

I have created a group in Active Directory (password group). I'm trying to set a 182-day maximum password age for this one group. I put only the office staff into this group and am now looking to apply this policy. This is a Windows Server 2016.

Can this be done?
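A per-group maximum password age is done with a fine-grained password policy (a Password Settings Object), not with a GPO: the Default Domain Policy stays in force for everyone else and the PSO overrides it for the users and global security groups it is applied to. The script below is an added example, not from the original post; the group and policy names are assumptions, and the values other than MaxPasswordAge are set explicitly because a PSO does not inherit anything from the domain policy.

```powershell
Import-Module ActiveDirectory

$groupName  = 'Password Group'          # assumed name of the existing group
$policyName = 'PSO-OfficeStaff-182d'    # assumed name for the new policy

# A PSO can only be applied to user objects and to global security groups.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a global security group to receive a fine-grained password policy"
}

# Lower Precedence wins when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days 182) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -Description 'Office staff: 182-day maximum password age'

Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Verify on a member: the resultant policy must be the PSO. The cmdlet returns nothing
# when no PSO applies and the Default Domain Policy is in effect.
$member = Get-ADGroupMember -Identity $groupName | Where-Object objectClass -eq 'user' | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength
```

Because a PSO applies to the user's direct or nested membership in a global group, users who are only members through a domain local or universal group will not pick it up; the Get-ADUserResultantPasswordPolicy check catches that.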

How to properly remove empty OUs


We have many OUs in ADUC. The thing is, I can run the script below and find the empty OUs without a problem, but how would I incorporate any delegation, last-used, or GPO associations?

Import-Module ActiveDirectory
 
# Get a list of all the OUs in the domain
 
# Below the list is sorted by CanonicalName in descending order intentionally. This was
# done so that child OUs are checked first to determine if they are empty. This information
# is then used when checking the parent OU so that empty child OUs are not counted when
# determining if a parent OU should be considered empty.
 
$ouList = Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
    Sort-Object -Property CanonicalName -Descending
 
# Put together a list of all empty OUs in the domain
 
$report = @()
foreach ($ou in $ouList) {
 
    # The Where-Object line below is the logic that excludes any empty OUs underneath the
    # current OU for purposes of determining if this OU should be considered empty.
 
    # The Select-Object line is included here primarily to increase how quickly we process
    # through the OUs as we don't really care how many objects are underneath the OU only
    # that there are object (or not) underneath.
 
    $objectList = Get-ADObject -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel |
        Where-Object {$report.DistinguishedName -notcontains $_.DistinguishedName} |
        Select-Object -First 1
 
    # If we didn't find any objects underneath the OU, add it to the report
    
    if (-not $objectList) {
        $report += $ou
    }
}
 
# Export the report
 
$report | Sort-Object -Property CanonicalName | 
    Select-Object CanonicalName, Name, DistinguishedName |
    Export-Csv "$env:USERPROFILE\Desktop\EmptyOUs.csv" -NoTypeInformation
 
# Open the report
 
Invoke-Item -Path "$env:USERPROFILE\Desktop\EmptyOUs.csv"
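The three things the question asks about are all attributes of the OU object itself: GPO links live in gPLink, delegation shows up as explicit (non-inherited) entries in the OU's ACL, and whenChanged records the last modification of the OU object (not of objects beneath it; AD keeps no "last used" timestamp for a container). The function below is an added example, not part of the original script, that enriches the EmptyOUs.csv the script above writes. The list of trustees it treats as "default, not delegated" is a heuristic for this example, not a complete statement of the schema defaults, and it needs the GroupPolicy module from RSAT.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-OUCleanupInfo {
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        $ou = Get-ADOrganizationalUnit -Identity $DistinguishedName `
                  -Properties gPLink, whenChanged, CanonicalName, ProtectedFromAccidentalDeletion

        # gPLink holds "[LDAP://cn={guid},cn=policies,...;flags]" entries; resolve each GUID to a name.
        $linkedGpos = foreach ($m in [regex]::Matches([string]$ou.gPLink, '\{[0-9A-Fa-f-]{36}\}')) {
            $guid = $m.Value.Trim('{', '}')
            try { (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName } catch { "unresolved:$guid" }
        }

        # Delegation: explicit ACEs for anyone other than the trustees every OU carries by default
        # (heuristic list for this example).
        $defaultTrustees = 'NT AUTHORITY\\SYSTEM|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS|NT AUTHORITY\\SELF|^Everyone$|^BUILTIN\\|\\Domain Admins$|\\Enterprise Admins$|\\Key Admins$|\\Enterprise Key Admins$'
        $delegated = (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -notmatch $defaultTrustees } |
            ForEach-Object { '{0}:{1}:{2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.ActiveDirectoryRights }

        [pscustomobject]@{
            CanonicalName     = $ou.CanonicalName
            LinkedGPOs        = ($linkedGpos -join '; ')
            DelegatedACEs     = ($delegated -join '; ')
            LastChanged       = $ou.whenChanged     # the OU object itself, not its former contents
            Protected         = $ou.ProtectedFromAccidentalDeletion
            DistinguishedName = $ou.DistinguishedName
        }
    }
}

# Enrich the report produced by the script above.
$info = Import-Csv "$env:USERPROFILE\Desktop\EmptyOUs.csv" | Get-OUCleanupInfo
$info | Export-Csv "$env:USERPROFILE\Desktop\EmptyOUs-enriched.csv" -NoTypeInformation

# Remove only OUs with nothing attached; keep -WhatIf until the enriched report has been reviewed.
$info | Where-Object { -not $_.LinkedGPOs -and -not $_.DelegatedACEs } | ForEach-Object {
    Set-ADOrganizationalUnit -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $_.DistinguishedName -Confirm:$false -WhatIf
}
```

An OU with a linked GPO or a delegated ACE is not necessarily worth keeping, but deleting it silently drops that link or delegation, so those rows deserve a human decision rather than the automatic path.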

DCDiag: DC failed test VerifyEnterpriseReferences


I am working on a network that used to have several DCs.  Some of those were demoted gracefully and some failed and were demoted forcefully.  The only remaining DC runs Windows Server 2008 R2.  When I execute DCDiag against that DC, the only error I see is: 

      Starting test: VerifyEnterpriseReferences
         The following problems were found while verifying various important DN references.  Note, that  these problems can be reported because of latency in replication.  So follow up to resolve the
         following problems, only if the same problem is reported on all DCs for a given domain or if  the problem persists after replication has had reasonable time to replicate changes.
            [1] Problem: Missing Expected Value
             Base Object: CN=TPAUTIL-SRVR,OU=Domain Controllers,DC=restmgt,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            LDAP Error 0x5e (94) - No result present in message.

         ......................... TPAUTIL-SRVR failed test VerifyEnterpriseReferences

I have reviewed Q312862 thoroughly, but the document is meant to cover several different problems.   I cannot determine which section of the document is applicable to this particular condition.

I have also looked through ADSIEdit and I don't see which value is missing or what entry it is under, etc.  Can anyone please provide a little more detailed guidance?  Sorry if I am being dense and thanks in advance for your help!

Ken Morley

I cannot join new machines to the AD "Network Path not found"


After having demoted and removed one of two domain controllers I cannot add any new servers to the AD. Both the DC and the server I am trying to add are running Server 2016. I have enabled NetBIOS over TCP/IP. The new machine has only the DC as DNS, I have started the Netlogon service, and the DC passes all the dcdiag tests. The new machine can ping the DC and vice versa. I am completely stumped.

Existing Fileservers and DFS


Hello,

When installing DFS on existing file servers with real folders/data, how can I add the already existing folders? Do I need to add a folder from server A and it will auto-sync to server B with the same user/group rights and content?

regards,


Who enabled or changed DNS scavenging configuration


Hi,

We have had DNS scavenging enabled for some time now and it has been working fine. Last week, someone changed the scavenging Refresh and No-refresh interval on a zone to 9 hours each and it ended up deleting some crucial records from DNS. Though auditing shows the records got deleted by scavenging, is there a way to check who messed with the scavenging settings?
We have DS Access auditing enabled but there's no log related to this.

AD Replication issue - not creating replication partner with WS2016 DCs

  1. We have WS2008R2/2012R2 DCs and are in the process of upgrading to WS2016 DCs (13 WS2016 DCs upgraded so far).
  2. Our older DCs have inter-site replication partners with the other AD sites; we have 11 AD sites.
  3. Now, the issue is that our new WS2016 DCs can't create replication partnerships with the DCs in other AD sites.

We are using the Infoblox DNS service. We checked and no replication issues were found.

Any suggestions, as in the coming days we are going to demote the older DCs?


    Rajneesh Kumar MCSE - Server Infra, MCITP - SA, CNA

    Error when copying user - The name reference is invalid.


I have Windows Server 2016 and was using Exchange 2013; about a year ago we migrated to Office 365.

Since then I have copied several users. I'm not sure why I am encountering this issue now (probably due to Windows updates), as from what I read it seems to be related to Exchange.

According to the following site https://www.vspbreda.nl/nl/ms-office/office-365/name-reference-invalid/ it has to do with the Default Global Address List, and when I try to remove it on a test user I am getting an error.

Any ideas? Also, will it affect anything in my setup, or is it safe to remove? TIA

    What are the 'side effects' of changing a user's network login name in AD 2008 R2 (i.e. Windows 7 desktop profiles, etc.) ?


    We have a number of users whose original AD login names were set up as 'first name' only (i.e. Tom).  We have since standardized on all user names being 'first initial, last name' (i.e. TSmith).  

    If I were to change the user login accounts to 'first initial, last name', what potential side effects would this have on .  Or is the logon name tied to the UID such that AD would simply automatically show any resources/folders that had DOMAIN\firstname applied to them, now as DOMAIN\firstinitiallastname?

    Also, how does a domain profile on Windows 7 get affected?  If the user then logs onto Windows 7 with their new login name, would Windows 7 prepare a whole new desktop for that username, or is Windows 7 smart enough to associate the modified logon name, with the desktop profile of that same UID's previous logon name, so that their desktop doesn't change?

    admt error updating already migrated user passwords


    hi

We are preparing an ADMT migration at the moment (Server 2012 R2). All user accounts are pre-migrated and mail-enabled; the initial password sync 6 months ago went fine...

Now we want to do the final password sync before we start the migration, but we get errors on all users that changed their password since the initial sync...

2019-02-25 11:57:55 ERR2:7084 Failed to set strong password for CN=xxxxx.  The specified network password is not correct.

Password policies are the same in the source and target forest. This only occurs on accounts that already had a password migrated during the initial sync 6 months ago; for new users the password is migrated without any error.

    regards 

    harald

    Forum FAQ: How is user password of user objects stored in Active Directory? Can I view it? Can I modify it?


Question

Some customers would like to know how the user password is stored in Active Directory and how to view and modify it.

Answer

The users' password hash is stored in the Active Directory on a user object in the unicodePwd attribute. Instead of storing your user account password in clear-text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

This unicodePwd attribute can be written under restricted conditions, but it cannot be read due to security reasons. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption.

More Information

How To Change a Windows 2000 User's Password Through LDAP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;269190

How to set a user's password with Ldifde
http://support.microsoft.com/default.aspx?scid=kb;EN-US;263991

Should you worry about password cracking?
http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx

How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
http://support.microsoft.com/kb/299656

Applies to

Windows Server 2003/R2, Windows Server 2008/R2
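The write-only behaviour of unicodePwd and the SSL requirement described in the FAQ can be seen directly with a few lines of PowerShell against the System.DirectoryServices.Protocols API. The block below is an added example, not part of the FAQ: it performs an administrative reset by writing unicodePwd over LDAPS (port 636; the value must be the new password in double quotes, UTF-16LE encoded), shows that a read of the attribute returns nothing even for an administrator, and checks the NoLMHash setting from the last linked article. The server name and DN are placeholders.

```powershell
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Set-ADPasswordViaLdaps {
    param(
        [Parameter(Mandatory)][string]$Server,           # e.g. dc01.example.com; must present a trusted cert
        [Parameter(Mandatory)][string]$UserDn,           # e.g. CN=Test User,OU=Staff,DC=example,DC=com
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true      # DC rejects unicodePwd writes on an unencrypted bind
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # current Kerberos identity
    $conn.Bind()

    # Encoding rule for unicodePwd: the password wrapped in double quotes, as UTF-16LE bytes.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $bytes = [Text.Encoding]::Unicode.GetBytes('"' + $plain + '"')
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # Replace = administrative reset (needs "Reset Password" on the object). A user changing
    # their own password would instead send a Delete of the old value plus an Add of the new one.
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($bytes)
    $req  = New-Object System.DirectoryServices.Protocols.ModifyRequest($UserDn, $mod)
    $resp = $conn.SendRequest($req)
    [Array]::Clear($bytes, 0, $bytes.Length)
    $conn.Dispose()
    return $resp.ResultCode        # Success when the reset went through
}

# The attribute is never returned on a read, whatever rights the caller has.
function Test-UnicodePwdUnreadable {
    param([Parameter(Mandatory)][string]$UserDn)
    $u = Get-ADUser -Identity $UserDn -Properties unicodePwd
    return -not $u.unicodePwd
}

# NoLMHash = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa stops new LM hashes being stored
# (the "Do not store LAN Manager hash value on next password change" policy). It only takes
# effect on the next password change, so existing LM hashes survive until users change passwords.
function Test-LMHashDisabled {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return ($lsa.NoLMHash -eq 1)
}

# Usage (placeholders):
# $pw = Read-Host -AsSecureString 'New password'
# Set-ADPasswordViaLdaps -Server 'dc01.example.com' -UserDn 'CN=Test User,OU=Staff,DC=example,DC=com' -NewPassword $pw
# Test-UnicodePwdUnreadable -UserDn 'CN=Test User,OU=Staff,DC=example,DC=com'   # True
# Test-LMHashDisabled
```

For day-to-day work Set-ADAccountPassword -Reset does the same thing through the Active Directory Web Services channel; the raw LDAP form is shown here because it makes the FAQ's two rules (write-only, encrypted transport required) visible.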

    One profile, multiple simultaneous logins, broken search


    I have this issue cropping up at multiple unique locations.

At each location I have a single Server 2016 Standard (STD) acting as the AD DS with DHCP and DNS; the client workstations are Windows 10 Pro (64). Each workstation is installed from a common AOMEI Backupper image, has Windows updates run on it, and is given a unique workstation name. Each business wants every user to log into each station with the same user name. When we join the workstations to the domain, the Administrator user works fine, but when the user logs in as the common, non-administrator user, the Settings UI no longer works, Search fails, many MMC functions fail, and we cannot access the internet with any browser (Edge, IE or Chrome). This occurs on a freshly built domain and on ones where we move the roles from a previous domain. In the cases of a previous domain the client was using the common user login just fine. Those previous domains were built on Svr08R2 STD, Srvr12 STD or 12R2 STD with Windows 7 or 8.1 workstations.

If we try to create new, unique users in AD and then log in at a station that has been corrupted with the new login, the corruption carries over to the new user as if the local default user profile is corrupted. We are not running a Windows 7-type "copy profile" on Windows 10. We know what damage that causes. That being said, this looks very similar to that.

    I admit I have made many modifications to the workstation local and Domain group policy, too many to list here, but we only have this issue with users that want to use one log in name for everyone. Our other clients, with the same build parameters, using unique logins for each station do not have this issue. Also, this has only cropped up since we moved to Server 2016 and Windows 10 pro.

My question is, how do we create a situation with Server 2016 Standard w/ AD DS and Windows 10 Pro (64) workstations where each user logs into each workstation with the same user name? Is it possible w/o blowing up the local default profile? What articles would help me develop such a scenario? I have tried researching this, but none of the articles I have found seem to deal with this specific design. It is not a design I would choose for any client, but this is what multiple clients want since it is what they used in the past.


GPO to delete a local profile

    Would anyone happen to know if there is a GPO that I could setup in AD on Server 2012 that I can use to delete one specific local profile off of about 200 machines?

    Support analyst

    Error on get-ADPrincipalGroupMembership for groupnames with \

We have a Windows 2003 domain with 3 Windows 2003 DCs. On one of them we installed the Active Directory Management Gateway Service.

When I use Get-ADPrincipalGroupMembership on users who are members of a group with a slash ("/") in its group name I receive the following error:


    Get-ADPrincipalGroupMembership : The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.At line:1 char:31+ Get-ADPrincipalGroupMembership <<<< ecomor + CategoryInfo : NotSpecified: (ecomor:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException + FullyQualifiedErrorId : The server was unable to process the request due to an internal error. For more informa tion about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the cl ient, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership

    Is someone else having the same problem?

    Help with Windows 2008 SP2 Certificate Servers Upgrade/Migrate


    I have inherited these systems

There is a root CA which is ONLINE and a Sub CA. It is using SHA1. This month we were hit with the Google Chrome 72 update whereby users are getting the privacy error

"NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM"

    You attempted to reach fqdn of our adfs server, but the server presented a certificate signed using a weak signature algorithm (such as SHA-1). This means that the security credentials the server presented could have been forged, and the server may not be the server you expected (you may be communicating with an attacker).

    proceed to fqdn of our adfs server (unsafe)

    We are close to the end of life for windows 2008 server and the upgrade is in the pipeline.

Is it easy to upgrade the algorithm to SHA256? What would be the knock-on effects in the network? We have Exchange, SQL, ADFS and many web servers. Would these stop working? Also, on the ADFS side, to get rid of the above error do we need to update the certs? In which case we will have to supply the new cert to the third parties.

Rather than making the changes twice (once to fix the above error and then to migrate off 2008), is it better to migrate the CAs to a Server 2012 R2, 2016 or 2019?

And for the migration, what server should I use? The forest root is on 2008 R2, some DCs are on 2012 R2 and some on 2008 R2, at the 2008 functional level. We will be migrating all the ADs to 2012 R2.

Should I take the CAROOT offline after the upgrade?

How long should I keep the cert validity for? At the moment CASUB gets a 2-year cert from CAROOT and users get certs for a maximum of 2 years from CASUB.

Any help is highly appreciated; my experience around CAs is minimal.

    Thanks in advance.

    ADUC MMC Crash


    Have an odd situation. I have a Win10 build 1809 MMC version 3.0 and a Windows Server 2012 R2 build 9600 MMC version 3.0.

    My issue is that when in ADUC on the Win10 pc and the ADUC mmc open (it opens fine) I try to open the properties of a specific user the ADUC mmc crashes and closes.

However, when doing the same actions on the Windows Server 2012 R2 (which is also an AD DS server), opening the properties of that user is fine and I can do anything I need to do.

    This only happens on that particular user, all other AD objects are not having this issue. Made a copy of this particular user and gave it a new name and the account properties open just fine no issues with the copied account.

    I have other AD admins that are seeing the same issue when trying to open this user and all other AD objects are fine. Other AD admins are running Win10 and Win7 with RSAT tools installed.

Has anyone seen this situation before? I'm thinking this is account related, not ADUC related per se, since all other accounts can be managed as they should be.

    Any and all help is greatly appreciated.

    Len


    Leonard Hoffman


    [urgent] error FSMO role in my AD


Hello, and sorry for my English.

I am trying to demote a domain controller but I get one error and can't. So I checked and I found this error:

If I do "netdom query FSMO", I get:
schema master             SSGVFIC.toto.com
domain naming master      SSGVFIC.toto.com
primary domain controller SSGVDC.toto.com
RID master                SSGVDC.toto.com
infrastructure master     SSGVDC.toto.com
---> OK, good, it is what I want

But if I look in ADSIEdit, in CN=Infrastructure,DC=ForestDnsZones,DC=toto,DC=com, I have this server (another domain controller):
CN=NTDS Settings,CN=SOCVFIC,CN=Servers,CN=titi,CN=Sites,CN=Configuration,DC=toto,DC=com

and in DC=DomainDNSZones,DC=toto,DC=com, I have this server (the domain controller I want to demote):
CN=NTDS Settings,CN=SSGDC,CN=Servers,CN=titi,CN=Sites,CN=Configuration,DC=toto,DC=com

So, what do I have to do?
Change these settings in ADSIEdit to the SSGVDC server, which is the infrastructure master, for both settings?

    Thanks
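What the post sees in ADSIEdit is the fSMORoleOwner attribute of the CN=Infrastructure object in each application partition; netdom query fsmo only reports the domain partition's owner, so the DomainDnsZones and ForestDnsZones partitions can point at a different DC, or at one that no longer exists, without any warning until a demotion or adprep trips over it. The script below is an added example (not from the post) that enumerates every partition's owner, flags owners that reference a deleted or missing NTDS Settings object, and previews the repointing as a plain attribute write. It assumes a single-domain forest, where the domain's infrastructure master is the natural owner for all three partitions.

```powershell
Import-Module ActiveDirectory

function Get-InfrastructureMasterByPartition {
    $domain   = Get-ADDomain
    # NTDS Settings DN of the DC that netdom reports as infrastructure master.
    $expected = (Get-ADDomainController -Identity $domain.InfrastructureMaster).NTDSSettingsObjectDN

    # The domain partition plus every application partition (DomainDnsZones, ForestDnsZones, ...)
    # has its own CN=Infrastructure object carrying fSMORoleOwner.
    $partitions = @($domain.DistinguishedName) + @((Get-ADForest).ApplicationPartitions)
    foreach ($p in $partitions) {
        $infra = Get-ADObject -Identity "CN=Infrastructure,$p" -Properties fSMORoleOwner
        $owner = [string]$infra.fSMORoleOwner

        # "0ADEL:" in the DN means the owner is a tombstoned NTDS Settings object, i.e. a DC that
        # was removed; a DN that no longer resolves means the tombstone has since been purged.
        $ownerExists = $false
        if ($owner -and $owner -notmatch '0ADEL:') {
            try { $null = Get-ADObject -Identity $owner -ErrorAction Stop; $ownerExists = $true } catch { }
        }
        [pscustomobject]@{
            Partition   = $p
            Owner       = $owner
            OwnerExists = $ownerExists
            MatchesFsmo = ($owner -eq $expected)
        }
    }
}

$state = Get-InfrastructureMasterByPartition
$state | Format-Table -AutoSize

# Repointing is a single attribute write on each partition; keep -WhatIf until the table above
# has been reviewed, and make sure $expected is a DC that actually hosts that partition.
$expected = (Get-ADDomainController -Identity (Get-ADDomain).InfrastructureMaster).NTDSSettingsObjectDN
$state | Where-Object { -not $_.MatchesFsmo } | ForEach-Object {
    Set-ADObject -Identity "CN=Infrastructure,$($_.Partition)" -Replace @{ fSMORoleOwner = $expected } -WhatIf
}
```

Running this before each demotion, rather than after it fails, is the cheap way to avoid leaving a DC's NTDS Settings object referenced from a partition nobody looks at.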





