HI
we have an scenario that every user just login to only one PC
user1 computer 1
user2 computer2
1-when set log on to for user they can login but unable to login to mail server(OWA) and we should add our exchange server for user
2-when set managed by for computer that never work .
how can i doing this ?
Thank you in advance
Hi,
I have a strange issue where I’m seeing support staff running out of attempts to add machines to the domain.
They receive the error "Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased”.
The users who are seeing this issue are being granted domain join rights via a GPO applied to the ‘Default Domain Controllers’ policy.
In this policy, under Windows Settings > Security Settings > Local Policies/User > Rights Assignment we have added a group named ‘Domain Join’ to the policy ‘Add workstations to domain’.
We then add our support staff into the group ‘Domain Join’.
When I look at effective access for the default ‘Computers’ container in AD for the affected user accounts, It does show that they have ‘Create All Child Objects’ and ‘Create Computer Objects’.
Is there anything obvious that I am missing here, or does it seem that this has been setup correctly?
Many thanks
Hello All,
I have been trying to implement a powershell script that used at a different company to the domain at my current job.
The script is pretty simple. It is to search for users that are supposed to belong to a group and add them if they are missing.
I am using a filter to ensure that this only works on user accounts that are not disabled however this is where I ran into the problem in this domain. 90% of the user account do not come back with the "Enabled" property. When I investigated I also found that these account do not have any value for the userAccountControl attribute (missing in ADSI edit).
I was under the impression that this userAccountControl attribute cannot be missing or null.
If that is not the case how can I find disabled accounts that are missing the userAccountControl attribute.
Any help with this would be great! Thanks in advance.
Hello,
i would like to create a testlab with bulk settings. I dont want to create every single group,user,ou,shared file with its userrights manually, nor i would like to invent the names myselve.
Are there any default scripts or files somewhere available for download that create automatically folders with names and the right groups, useraccouns,...?
many thanks for any help.
Hello I will like to get these information from a Windows Server 2012. The accounts arelocal server accounts
(AccountID/AccountName/AccountDesc/PwdLastSetTime/PasswordLastSetDate/PwdExpirationAge/DaysUntilExpiration/TypeofAccount/AccountAccessLevel) in either a (.csv/.txt/excel format).
Thank you all for your help.
I am trying to configure Windows Domain Controllers to send all events to a Linux syslog server (syslog-ng). Configured the Subscription Manager group policy to point to the URL of the syslog server to port 5985. But it is not working... have tried entering the Root and Intermediate thumbprint in the value of the subscription manger connection string.
Getting this error in the Event Viewer "Eventlog-ForwardingPlugin"
The forwarder is having a problem communicating with subscription manager at address http://xxxxxxxx-xxx.xxxxxxxxxxxxns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="XXXXXXXX.xxxxxxxx.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.
Somehow, I don't think it is a certificate issue at this point.
User Forest: users.com (1000 enabled users)
Resource Forrest: resources.com (200 enabled users, 800 linked mailboxes)
I need to sync (and merge) to Azure AD for Office 365.
AADConnect Import Rules Precedence should be:
1. Can I simply set:
P5: User Common (resources.com)
P6: User Common (users.com)
I've been trying to figure out the differences between testa01 (success) and testa02 (failure) and it looks testa02 doesn't have Kerberos setup properly.
In testa01 when I visit jenkins.factset.com(or is.factset.com) as svc-hudson I am authenticated properly. However, in testa02 I get prompted for credentials.
I can also see Kerberos errors in the event viewer after enabling Kerbros vent logging in testa02.
kindly let us know to resolve the issue.
We are receiving Event 3 Security-kerberos continuously in logs.
I have an application that uses windows authentication. We created several child domains for each department and one root domain.
For example:
company.com
/ \
dep1.company.com dep2.company.com
Each department has an own subnet and domain controller. The users did not actually join the domain. The computers are already in another domain from an independent organisazion and they only need to login to the application with the logins provided by us
from the corresponding child domain.
This looks something like this:
Sorry, can't add an image.
(https://social.technet.microsoft.com/Forums/getfile/1427308)
The remote user (user@contoso.com) has the credentials stored in the access credential manager in order to make SSO possible.
What I suspect is that the sql server can't find the user@dep1.comany.com account in the child domain. At least SQL shows en error in the event viewer:
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. [CLIENT: <named pipe>]
I double checked that every account is existing, the account has not been locked and neither needs the password to be changed.
There are transitive trusts between the toor domain and all child domains and one between the app.company.com and dep1.company.com
I tried adding a foreign security principal
Added an alias in the SQL Native Client 11.0 Configuration
Added an ODBC Bridge client side
Altered the "Access this computer from the network" in the secpol.msc
Both server and application server have permission to delegate (AD -> Computer objects -> Delegation)
I found a lot online but nothing has worked for me. I am a lost sysadmin and have reached google page 2.
Any help is much appreciated.
Hi
We are in the process of hardening DC security. All our DCs are Windows 2016 (1607) and clients are Windows 2012, 2012 R2 and Windows 10 (1607 & 1803). We found event IDs 2887 & enabled detailed event log (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" with a DWORD value of “2.”), not yet started analyzing the logs.
If we apply this policy at DC level, then do we need to configure at client OU as well? Also what about other appliances in network?
What is the normal suggestion / recommendation to enable this setting?
Thanks in advance
LMS
Hello,
We have enrolled a certificate to a group of computers. Now we want to expire the same certificate on a computer to test an application functionality. How can I expire the certificate?
Thank you
Hello Experts,
We are a windows domain environment with DNS service running on all 3 of our domain controllers DC1, DC2, and DC3. Our domain name is the same as our website name. Our DC's with the DNS service have A-records that point <domain>.edu to DC1's IP address, D2's IP address, and D3's ip address, so when we UNC path over to \\<domain>.edu\SYSVOL, we can always see the NETLOGON and SYSVOL folders, and pull down group policy objects from 1 of the 3 domain controllers.I am working on a network of samba4 domain controllers. I would like to add new Windows Server 2008R2 domain controllers thand then demote the linux samba4 domain controllers.
Initially I successfully added 3-4 domain controllers without problems. Suddenly when I was adding the last one I started to have the following problem. This happens even if I create a new VM and try to dcpromo on the new machine, so I cannot dcpromo on new machines. I also deleted the old machines where dcpromo worked and demoted them.
I can go through dcpromo until the directory replication. It always replicates all the objects but the last one and every time I repeat this operation the number of objects to replicate grows. So at this point dcpromo stalls and stop responding.
I already tried to clean entries and dirty data on the other domain controllers.
This is the log
04/19/2019 11:45:28 [INFO] Operazione sul controller di dominio completata.
04/19/2019 11:45:28 [INFO] DsRolepSetOperationDone returned 0
04/19/2019 11:45:57 [INFO] Promotion request for replica domain controller
04/19/2019 11:45:57 [INFO] DnsDomainName samdom.xxx.it
04/19/2019 11:45:57 [INFO] ReplicaPartner xxx.samdom.xxx.it
04/19/2019 11:45:57 [INFO] SiteName Default-First-Site-Name
04/19/2019 11:45:57 [INFO] DsDatabasePath C:\Windows\NTDS, DsLogPath C:\Windows\NTDS
04/19/2019 11:45:57 [INFO] SystemVolumeRootPath C:\Windows\SYSVOL
04/19/2019 11:45:57 [INFO] Account samdom.xxx.it\administrator
04/19/2019 11:45:57 [INFO] Options 1179840
04/19/2019 11:45:57 [INFO] Validate supplied paths
04/19/2019 11:45:57 [INFO] Validating path C:\Windows\NTDS.
04/19/2019 11:45:57 [INFO] Path is a directory
04/19/2019 11:45:57 [INFO] Path is on a fixed disk drive.
04/19/2019 11:45:57 [INFO] Validating path C:\Windows\NTDS.
04/19/2019 11:45:57 [INFO] Path is a directory
04/19/2019 11:45:57 [INFO] Path is on a fixed disk drive.
04/19/2019 11:45:57 [INFO] Validating path C:\Windows\SYSVOL.
04/19/2019 11:45:57 [INFO] Path is on a fixed disk drive.
04/19/2019 11:45:57 [INFO] Path is on an NTFS volume
04/19/2019 11:45:57 [INFO] Start the worker task
04/19/2019 11:45:57 [INFO] Request for promotion returning 0
04/19/2019 11:45:57 [INFO] Forcing time sync
04/19/2019 11:45:57 [INFO] Forzatura della sincronizzazione dell'ora con xxx.samdom.xxx.it
04/19/2019 11:45:58 [INFO] Ricerca di un controller di dominio per il dominio samdom.xxx.it contenente l'account DCXXX03$
04/19/2019 11:45:59 [INFO] Individuato controller di dominio xxx.samdom.xxx.it per il dominio samdom.xxx.it.
04/19/2019 11:45:59 [INFO] Directing kerberos authentication to xxx.samdom.xxx.it returns 0
04/19/2019 11:45:59 [INFO] DsRolepFlushKerberosTicketCache() successfully flushed the Kerberos ticket cache
04/19/2019 11:45:59 [INFO] Per il server xxx.samdom.xxx.it verrà utilizzato il sito Default-First-Site-Name.
04/19/2019 11:45:59 [INFO] Arresto del servizio NETLOGON
04/19/2019 11:45:59 [INFO] Arresto del servizio NETLOGON
04/19/2019 11:46:00 [INFO] Configuring service NETLOGON to 1 returned 0
04/19/2019 11:46:00 [INFO] Stopped NETLOGON
04/19/2019 11:46:00 [INFO] Deleting current sysvol path C:\Windows\SYSVOL
04/19/2019 11:46:01 [INFO] Created system volume path
04/19/2019 11:46:01 [INFO] Copia del file di database iniziale del servizio directory C:\Windows\system32\ntds.dit su C:\Windows\NTDS\ntds.dit
04/19/2019 11:46:01 [INFO] Installazione del servizio directory in corso...
04/19/2019 11:46:01 [INFO] Calling NtdsInstall for samdom.xxx.it
04/19/2019 11:46:01 [INFO] Avvio dell'installazione di Servizi di dominio Active Directory
04/19/2019 11:46:01 [INFO] Convalida delle opzioni fornite dall'utente.
04/19/2019 11:46:01 [INFO] Determinazione in corso di un sito in cui effettuare l'installazione
04/19/2019 11:46:01 [INFO] Analisi di una foresta esistente in corso...
04/19/2019 11:46:01 [INFO] Avvio di un ciclo di repliche tra xxx.samdom.xxx.it e il master operazioni RID (bbb.samdom.xxx.it) in corso. In questo modo, la nuova replica sarà in grado di creare utenti, gruppi e oggetti computer...
04/19/2019 11:46:01 [INFO] Configurazione del computer locale per l'hosting di Servizi di dominio Active Directory
04/19/2019 11:46:03 [INFO] EVENTLOG (Warning): NTDS General / Configurazione interna : 1463
Alcuni indici probabilmente danneggiati sono stati rilevati ed eliminati durante l'inizializzazione.
Gli indici eliminati verranno ricostruiti.
04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS Database / Elaborazione interna : 2013
È in corso la ricostruzione del numero di indici seguente come parte del processo di inizializzazione.
Indici:
6
04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS Database / Elaborazione interna : 2014
Ricostruzione del numero di indici seguente completata.
Indici:
6
04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS General / Schema DS : 1464
Durante la ricerca di un indice è stata rilevata la necessità di un nuovo indice per l'attributo seguente.
Attributo:
msFVE-VolumeGuid
Nome nuovo indice:
INDEX_LP_000907CE_0410
Verrà creato automaticamente un nuovo indice.
Dati aggiuntivi
Valore errore:
-1404 JET_errIndexNotFound, No such index
04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS General / Schema DS : 1137
Creazione di un indice per l'attributo seguente completata.
Identificatore attributo:
591822
Nome attributo:
msFVE-VolumeGuid
04/19/2019 11:46:04 [INFO] EVENTLOG (Informational): NTDS General / Schema DS : 1464
Durante la ricerca di un indice è stata rilevata la necessità di un nuovo indice per l'attributo seguente.
Attributo:
msFVE-RecoveryGuid
Nome nuovo indice:
INDEX_LP_000907AD_0410
Verrà creato automaticamente un nuovo indice.
Dati aggiuntivi
Valore errore:
-1404 JET_errIndexNotFound, No such index
04/19/2019 11:46:05 [INFO] EVENTLOG (Informational): NTDS General / Schema DS : 1137
Creazione di un indice per l'attributo seguente completata.
Identificatore attributo:
591789
Nome attributo:
msFVE-RecoveryGuid
04/19/2019 11:46:05 [INFO] EVENTLOG (Informational): NTDS General / Configurazione interna : 2120
Questo server di Servizi di dominio Active Directory non supporta il Cestino. È possibile annullare l'eliminazione di oggetti, tuttavia è possibile che alcuni attributi di un oggetto di cui è stata annullata l'eliminazione vadano persi. È inoltre possibile
che vadano persi anche gli attributi di altri oggetti che fanno riferimento all'oggetto di cui si annulla l'eliminazione.
04/19/2019 11:46:05 [INFO] È in corso la creazione dell'oggetto Impostazioni NTDS per questo controller di dominio Active Directory nel controller di dominio Active Directory remoto xxx.samdom.xxx.it
04/19/2019 11:46:05 [INFO] Replica della partizione di directory dello schema in corso
04/19/2019 11:46:06 [INFO] Replica di CN=Schema,CN=Configuration,DC=samdom,DC=xxx,DC=it: ricevuti circa 1000 oggetti su 1550.
04/19/2019 11:46:07 [INFO] Replica di CN=Schema,CN=Configuration,DC=samdom,DC=xxx,DC=it: ricevuti circa 1550 oggetti su 1550.
04/19/2019 11:46:07 [INFO] Il contenitore degli schemi è stato replicato.
04/19/2019 11:46:07 [INFO] Aggiornamento della cache dello schema completato.
04/19/2019 11:46:07 [INFO] Replica della partizione di directory di configurazione in corso
04/19/2019 11:46:08 [INFO] EVENTLOG (Error): NTDS Replication / Client DS RPC : 1962
Internal event: The local directory service received an exception from a remote procedure call (RPC) connection. Extended error information is not available.
directory service:
xxx.samdom.xxx.it
Additional Data
Error value:
La chiamata di procedura remota non è riuscita. (1726)
04/19/2019 11:46:18 [INFO] Replica di CN=Configuration,DC=samdom,DC=xxx,DC=it: ricevuti circa 1000 oggetti su 1793.
04/19/2019 11:46:18 [INFO] EVENTLOG (Informational): NTDS General / Elaborazione interna : 2041
Le voci duplicate del registro degli eventi sono state soppresse.
Per informazioni dettagliate, vedere il registro degli eventi precedente. Per duplicato si intende una voce
per cui il codice dell'evento e tutti i parametri di inserzione siano identici. Il periodo di tempo per
l'esecuzione dei duplicati va dal momento dell'evento precedente a quello dell'evento specificato.
Codice dell'evento:
c00007aa
Numero delle voci duplicate:
1
04/19/2019 11:46:18 [INFO] EVENTLOG (Informational): NTDS General / Replica : 1695
Questo servizio directory supporta la replica del valore collegato. Ciascun valore di un attributo multivalore viene replicato individualmente per ridurre la larghezza di banda della rete e garantire un livello di risoluzione dei conflitti più dettagliato.
04/19/2019 11:46:19 [INFO] Replica di CN=Configuration,DC=samdom,DC=xxx,DC=it: ricevuti circa 1792 oggetti su 1793.
04/19/2019 11:46:20 [INFO] EVENTLOG (Error): NTDS Replication / Client DS RPC : 1962
Internal event: The local directory service received an exception from a remote procedure call (RPC) connection. Extended error information is not available.
directory service:
xxx.samdom.xxx.it
Additional Data
Error value:
La chiamata di procedura remota non è riuscita. (1726)
04/19/2019 11:46:29 [INFO] Replica di CN=Configuration,DC=samdom,DC=xxx,DC=it: ricevuti circa 1792 oggetti su 1793.
04/19/2019 11:46:39 [INFO] Replica di CN=Configuration,DC=samdom,DC=xxx,DC=it: ricevuti circa 1792 oggetti su 1793.
04/19/2019 11:46:48 [INFO] Replica di CN=Configuration,DC=samdom,DC=xxx,DC=it: ricevuti circa 1792 oggetti su 1793.
04/19/2019 11:46:58 [INFO] Replica di CN=Configuration,DC=samdom,DC=xxx,DC=it: ricevuti circa 1792 oggetti su 1793.
Can anybody help me to solve this problem?
Hi all,
trying to get event IDs 4729 and 4728 to log so then we can monitor changes to security groups in AD but after configuration we're still not seeing them. I have double checked group policy settings and permission based settings as shown on the following article: https://www.itsupportguides.com/server-side-tips/active-directory-logging-changes-to-groups/
Can anyone suggest another policy that could be disabling the function?
Thanks.
Support analyst
HI
we have an scenario that every user just login to only one PC
user1 computer 1
user2 computer2
1-when set log on to for user they can login but unable to login to mail server(OWA) and we should add our exchange server for user
2-when set managed by for computer that never work .
how can i doing this ?
Thank you in advance
HI all
we have below scenario
after add computer for user in log on to
2-user login to ICT009 but unable to login all web application like OWA
by adding server to user log on to problem fix but w have lot of web application and its impossible to add all web application for user log on to.
Thank you in advance
Hi,
I have two DC( Primary and Additional) with Windows Server 2016 that both of them are running on Hyper-V. I've backed up from primary dc and I've restored that to another location and then I've turned off primary dc. Unfortunately, Primary DC's backup didn't work and additional dc cannot work when primary dc is not turn on. Therefore, client's outlook asked for credentials when it was authenticating the users. Any help would be appreciated.
Thanks