Channel: Directory Services forum

Domain Admins Denied Access To View Volume Even When Granted Full Control NTFS


On a Server 2008 member server, we have a volume that hosts some shares. Users who are granted access to the shares can reach them from their UNC paths and mapped drives.

Domain Admins are in the local Administrators group, and Domain Admins, local Administrators and SYSTEM are all granted Full Control NTFS permissions on the volume and its files. However, when logged in as any domain admin account, we get "access denied" when clicking on the volume's drive icon and cannot browse it. We cannot even see the bar that shows how much of the drive space is used.

Even after clicking through the access denied prompts and re-applying the permissions, it does not help. We still cannot view any files or folders from the root level.

When logged in as the local Administrator account we can see all the files and can see that Domain Admins are granted Full Control.

Even running AccessEnum.exe shows Domain Admins having Full Control at the root level.

What can cause this issue?
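An added example, not part of the post: the three things to check from the session that gets "access denied". It dumps the root DACL with any Deny entries first (a Deny ACE beats an Allow ACE), prints the owner, and shows which groups in the current token are marked "Group used for deny only". With UAC enabled, a non-elevated Explorer session carries BUILTIN\Administrators, Domain Admins and the other admin groups in that state, so an Allow ACE granted to them does not apply until the process is elevated, while the same groups still match Deny ACEs. The volume letter D: is an assumption.

```powershell
# Added example (not from the post): why does an account with Full Control on paper get "access denied"?
# Assumption: the affected volume is D:\ ; run it in the same (non-elevated) session that shows the problem.
param([string]$Path = 'D:\')

# 1. The root DACL, explicit Deny entries first: a Deny ACE always wins over an Allow ACE.
$acl = Get-Acl -Path $Path
$acl.Access |
    Sort-Object -Property @{ Expression = { $_.AccessControlType }; Descending = $true }, IdentityReference |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited, InheritanceFlags -AutoSize

# 2. The owner; an unexpected owner also explains why "re-apply permissions" from this account fails.
"Owner of {0}: {1}" -f $Path, $acl.Owner

# 3. How the current token sees its groups. With UAC on, a non-elevated Explorer session carries
#    BUILTIN\Administrators, Domain Admins and the other admin groups as "Group used for deny only":
#    such a group still matches Deny ACEs but no longer matches Allow ACEs until the session is elevated.
$groups   = whoami /groups /fo csv | ConvertFrom-Csv
$denyOnly = $groups | Where-Object { $_.Attributes -match 'deny only' }
if ($denyOnly) {
    "Groups in this token that cannot satisfy an Allow ACE (elevate to use them):"
    $denyOnly | Select-Object 'Group Name', SID | Format-Table -AutoSize
} else {
    "No deny-only groups: the token is elevated or UAC filtering is off, so look at the DACL and owner above."
}
```

If the deny-only list contains Domain Admins, compare the same folder from an elevated PowerShell; if elevation fixes it, the NTFS permissions were never the problem.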



10K Users deleted under a OU, which consists of 200K users - Need to find how it got triggered from AD servers event viewer


Hi All,

We have 4 domain controllers and we use CyberArk PAM to protect privileged user logins.

Someone from the AD management team logged in to one of the AD servers (DC01), opened a Java LDAP browser and did a regular cleanup of already-deleted users.

The Java LDAP browser is pre-configured with an admin account that has full rights to an OU (OU=CHN, OU=Archive). Under this OU there are around 200K users.

We had an incident today in which around 10K users were deleted within 10 minutes from OU=CHN; during that time one of my team members was doing the cleanup. But he says that he deleted only the already-deleted users from the OU=Archive container.

There is no session recording or any further logs to verify it.

Is it possible to tell from the AD Event Viewer whether any OU deletion was executed by that user?

If he had deleted OU=CHN, it would have first deleted the child user objects and finally deleted OU=CHN itself. This is my assumption and suspicion.

To prove that, would this OU delete event be recorded in Event Viewer?

In Event Viewer, I can see logon, logoff, and 10K delete events from the service account that is pre-configured in the LDAP browser.

But I want to see exactly whether he deleted OU=CHN or not.

Kindly help.

Thanks

DK
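An added example, not part of the post, for the question of whether the OU itself was deleted. Event 5141 ("A directory service object was deleted", from the Audit Directory Service Changes subcategory) records the object's DN, its class and a "Tree Delete" flag, which is what distinguishes "OU=CHN removed" (one organizationalUnit deletion, or one subtree delete) from "10K user objects removed one by one"; event 4726 ("A user account was deleted") only carries the sAMAccountName. The Security log is not replicated, so the DC the LDAP browser was pointed at (DC01 in the post) is the one to query. Independently of auditing, a deleted OU leaves a tombstone under CN=Deleted Objects with lastKnownParent pointing at its former parent. The domain name contoso.com and the full OU DN are assumptions.

```powershell
# Added example (not from the post): was OU=CHN itself deleted, or only objects inside it?
# The Security log is local to each DC, so query the DC the LDAP browser was pointed at (DC01 in the post).
# Assumptions: the domain is contoso.com, the archive OU is OU=CHN,OU=Archive,DC=contoso,DC=com.
param(
    [string]  $DomainController = 'DC01',
    [string]  $TargetOU         = 'OU=CHN,OU=Archive,DC=contoso,DC=com',
    [datetime]$Start            = (Get-Date).AddHours(-24)
)
Import-Module ActiveDirectory

# Quickest check first: if the OU still exists and whenCreated predates the incident, it was never deleted.
Get-ADObject -Server $DomainController -Identity $TargetOU -Properties whenCreated, whenChanged -ErrorAction SilentlyContinue |
    Select-Object DistinguishedName, whenCreated, whenChanged

function Get-EventField {
    # Pull one named <Data> element out of the event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 5141 = "A directory service object was deleted"  (Audit Directory Service Changes; carries DN, class, Tree Delete)
# 4726 = "A user account was deleted"               (Audit User Account Management; carries sAMAccountName only)
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 5141, 4726; StartTime = $Start
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    if ($e.Id -eq 5141) {
        [pscustomobject]@{
            Time = $e.TimeCreated; Id = $e.Id
            Subject     = Get-EventField $e 'SubjectUserName'
            Object      = Get-EventField $e 'ObjectDN'
            ObjectClass = Get-EventField $e 'ObjectClass'
            TreeDelete  = Get-EventField $e 'TreeDelete'
        }
    } else {
        [pscustomobject]@{
            Time = $e.TimeCreated; Id = $e.Id
            Subject     = Get-EventField $e 'SubjectUserName'
            Object      = Get-EventField $e 'TargetUserName'
            ObjectClass = 'user'
            TreeDelete  = ''
        }
    }
}

# Smoking gun: a deleted organizationalUnit, or any delete flagged as a subtree delete
# (one LDAP delete with the tree-delete control removes an OU and everything under it in one operation).
$ouDeletes = $rows | Where-Object { $_.ObjectClass -eq 'organizationalUnit' -or $_.TreeDelete -eq 'Yes' }
if ($ouDeletes) { "OU or subtree deletions:"; $ouDeletes | Format-Table -AutoSize }
else            { "No OU or subtree deletion logged on $DomainController since $Start" }

# Tempo of ordinary user deletions, per account and per minute (10K in 10 minutes shows as ~1000/min).
$rows | Where-Object { $_.ObjectClass -eq 'user' } |
    Group-Object -Property Subject, { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# Independent evidence that does not depend on auditing: a deleted OU keeps a tombstone under
# CN=Deleted Objects, with lastKnownParent pointing at where it used to live.
$parentDn = ($TargetOU -split ',', 2)[1]
Get-ADObject -Server $DomainController -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq 'organizationalUnit' } `
    -Properties lastKnownParent, whenChanged |
    Where-Object { $_.lastKnownParent -eq $parentDn -or $_.Name -like 'CHN*' } |
    Select-Object Name, lastKnownParent, whenChanged
```

If only 4726 events are present and no 5141 at all, Directory Service Changes auditing is not enabled on that DC; in that case only the tombstone check at the end can answer the OU question.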

Extend Our Schema with a Customized Schema Attribute

I hope I placed this in the correct forum. We need to create a BadgeNum attribute in our Active Directory schema; the defaults won't do. We have never done this before but would guess that the use of adsiedit.msc would be required. Does anyone have proven steps on how to go about this?

Francisco Mercado Jr.
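An added example, not part of the post, of the same extension done with the ActiveDirectory module instead of adsiedit.msc. It creates a single-valued, indexed Unicode-string attribute, reloads the schema cache, and adds the attribute to the user class as an optional (mayContain) attribute. It must run as a member of Schema Admins against the schema master; schema additions replicate forest-wide and cannot be deleted afterwards, only made defunct, so test in a lab first. The attribute name badgeNum, its CN "Badge-Num" and the OID generator (Microsoft's documented GUID-under-1.2.840.113556.1.8000.2554 method for organisations without their own OID arc) are assumptions.

```powershell
# Added example (not from the post): create a single-valued, indexed Unicode string attribute "badgeNum"
# and make it an optional attribute of the user class. Requires Schema Admins membership and a
# reachable schema master; schema additions are forest-wide and cannot be deleted, only made defunct.
# Assumptions: the attribute name badgeNum, its CN "Badge-Num", and the OID generator below.
Import-Module ActiveDirectory

function New-SchemaOid {
    # Microsoft's documented method for sites without a registered OID arc: a random GUID encoded
    # under the arc 1.2.840.113556.1.8000.2554 that Microsoft reserves for this purpose.
    # If your organisation owns a Private Enterprise Number, use that arc instead.
    $g = [guid]::NewGuid().ToString('N')          # 32 hex digits, no dashes
    $parts = foreach ($i in 0, 4, 8, 12, 16, 20, 26) {
        $len = if ($i -ge 20) { 6 } else { 4 }
        [uint64]::Parse($g.Substring($i, $len), [System.Globalization.NumberStyles]::AllowHexSpecifier)
    }
    '1.2.840.113556.1.8000.2554.' + ($parts -join '.')
}

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$attrName     = 'badgeNum'
$oid          = New-SchemaOid

# 1. Create the attributeSchema object. attributeSyntax 2.5.5.12 + oMSyntax 64 = Unicode String.
#    searchFlags 1 = build an index so (badgeNum=12345) searches are cheap; add 128 ("confidential")
#    if the value must be readable only by accounts that hold the extra control access right.
New-ADObject -Server $schemaMaster -Type attributeSchema -Name 'Badge-Num' -Path $schemaNC -OtherAttributes @{
    lDAPDisplayName               = $attrName
    adminDisplayName              = 'Badge-Num'
    adminDescription              = 'Employee badge number'
    attributeID                   = $oid
    attributeSyntax               = '2.5.5.12'
    oMSyntax                      = 64
    isSingleValued                = $true
    searchFlags                   = 1
    isMemberOfPartialAttributeSet = $false   # $true if Global Catalog searches must see it
    showInAdvancedViewOnly        = $true
}

# 2. Reload the schema cache on the schema master so the new attribute can be referenced by name.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 3. Make it an optional attribute of the user class (mayContain), then reload the cache again.
Set-ADObject -Server $schemaMaster -Identity "CN=User,$schemaNC" -Add @{ mayContain = $attrName }
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 4. Verify, then use it like any other attribute (the user jdoe is a placeholder).
Get-ADObject -Server $schemaMaster -Identity "CN=Badge-Num,$schemaNC" -Properties attributeID, lDAPDisplayName, searchFlags
# Set-ADUser -Identity jdoe -Replace @{ badgeNum = '12345' }
# Get-ADUser -LDAPFilter "(badgeNum=12345)"
```

Decide up front who may read and write the new attribute: by default any authenticated user can read it, and anyone with write access to the user object can set it, so if badge numbers are sensitive, set the confidential flag and delegate the read right explicitly.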

adprep.exe /DomainPrep /GPPrep


When I try to execute adprep in my AD I get this error; please, some help:

C:\adprep>adprep.exe  /DomainPrep /GPPrep
Running domainprep ...


Adprep was unable to modify the security descriptor on object CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxxx,DC=xx.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20190530093213 directory for more information.

Adprep encountered an LDAP error.
Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=File Replication Service,CN=System,DC=xxxx,DC=xx'
.



Adprep was unable to update domain information.
[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
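An added example, not part of the post. The LDAP error is NO_OBJECT with CN=File Replication Service,CN=System as the best match, i.e. the FRS container that adprep wants to touch does not exist in this domain. This script checks whether the FRS and DFSR SYSVOL objects are present, reports the SYSVOL migration state from dfsrmig (state 3, "Eliminated", is the DFSR-only state in which the FRS objects have been removed), confirms the infrastructure master answers LDAP, and pulls the relevant lines from the newest ADPrep.log. Run it on a DC in the domain being prepared.

```powershell
# Added example (not from the post): the error names the FRS container for SYSVOL. This script checks
# whether that container still exists, what replication engine SYSVOL is on, and whether the
# infrastructure master that /domainprep needs is reachable. Run on a DC in the domain being prepared.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Do the FRS and DFSR SYSVOL objects exist? After dfsrmig reaches "Eliminated" the
#    CN=File Replication Service subtree is gone, which is exactly the NO_OBJECT "best match" in the output.
foreach ($dn in "CN=File Replication Service,CN=System,$domainDN",
                "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN",
                "CN=DFSR-GlobalSettings,CN=System,$domainDN") {
    $obj   = Get-ADObject -LDAPFilter '(objectClass=*)' -SearchBase $dn -SearchScope Base -ErrorAction SilentlyContinue
    $state = if ($obj) { 'present' } else { 'MISSING' }
    '{0,-8} {1}' -f $state, $dn
}

# 2. SYSVOL migration state: 0 = Start (FRS), 1 = Prepared, 2 = Redirected, 3 = Eliminated (DFSR only).
dfsrmig /getglobalstate

# 3. The FSMO holder adprep /domainprep talks to, and whether it answers LDAP.
$im = $domain.InfrastructureMaster
"Infrastructure master: $im"
Test-NetConnection -ComputerName $im -Port 389 | Select-Object ComputerName, TcpTestSucceeded

# 4. Newest adprep log, which names the exact object and ACE that could not be merged.
Get-ChildItem "$env:SystemRoot\debug\adprep\logs" -Recurse -Filter ADPrep.log |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content | Select-String -Pattern 'Adprep was unable|NO_OBJECT|Error code' -Context 0, 2
```

The combination "FRS objects MISSING, DFSR-GlobalSettings present, dfsrmig state 3" tells you the FRS container is absent by design rather than by corruption, which is the starting point for deciding how to let the /gpprep step complete.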

Attribute for Security Group


Hi,
I know the difference between a security group and a distribution group, but I am hoping to learn what AD attribute(s) separate a security group from a distribution group. I mean, what AD attribute(s) are exclusive to security groups?

Regards,
Pushkal Mishra
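An added example, not part of the post, showing the attribute in question in code. There is exactly one: groupType. Bit 0x80000000 (ADS_GROUP_TYPE_SECURITY_ENABLED) set means security group, clear means distribution group; the low bits give the scope (2 global, 4 domain local, 8 universal) and bit 1 marks system-created groups. Get-ADGroup's GroupCategory and GroupScope are computed from those bits. The decoder below is mine; the six constructed sample values are the ones you will actually find in a domain.

```powershell
# Added example (not from the post): the one attribute that distinguishes the two kinds of group is
# groupType. Bit 0x80000000 (ADS_GROUP_TYPE_SECURITY_ENABLED) set = security group; clear = distribution.
# The other bits give the scope: 2 = global, 4 = domain local, 8 = universal. Get-ADGroup's
# GroupCategory/GroupScope properties are computed from exactly these bits.
Import-Module ActiveDirectory

function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)
    # groupType is a signed 32-bit value, so a security group is stored as a negative number,
    # e.g. -2147483646 = 0x80000002 = security + global.
    $bits = [uint32]($GroupType -band 0xFFFFFFFF)
    [pscustomobject]@{
        Raw      = $GroupType
        Hex      = '0x{0:X8}' -f $bits
        Category = if ($bits -band 0x80000000) { 'Security' } else { 'Distribution' }
        Scope    = switch ($bits -band 0xE) { 2 { 'Global' } 4 { 'DomainLocal' } 8 { 'Universal' } default { "Unknown($_)" } }
        System   = [bool]($bits -band 0x1)   # 1 = system-created (e.g. BUILTIN groups)
    }
}

# The six values you will actually see in a domain (constructed sample input):
-2147483646, -2147483644, -2147483640, 2, 4, 8 | ForEach-Object { ConvertFrom-GroupType $_ } | Format-Table -AutoSize

# Querying for the bit directly in LDAP, with the bitwise-AND matching rule 1.2.840.113556.1.4.803:
Get-ADGroup -LDAPFilter '(groupType:1.2.840.113556.1.4.803:=2147483648)' -Properties groupType |
    Select-Object -First 5 Name, groupType, GroupCategory, GroupScope
# Distribution groups are the complement: (!(groupType:1.2.840.113556.1.4.803:=2147483648))
```

Note that both kinds of group have an objectSid; what the security bit changes is whether that SID is put into users' access tokens and therefore whether ACEs granted to the group take effect. Flipping the bit on an existing distribution group turns it into a security principal with whatever ACEs already name it.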

ADFS3 as service provider using google as Identity Provider


Our organisation uses ADFS 3 and we have configured several relying party trusts for single sign-on to third-party service providers in the cloud.

Now we have a requirement to grant SSO to on-prem SharePoint 2013 for users in a different organisation using Google-managed accounts, such that Google acts as the IdP and ADFS consumes the token issued by Google and grants access to SharePoint.

Any leads or web links relating to the above will be much appreciated.

thanks

Sa 


NSW DECC
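An added example, not part of the post, of the ADFS side of that setup with the ADFS PowerShell module. In ADFS terms Google becomes a claims provider trust (the inbound direction), SharePoint stays a relying party trust (the outbound direction), and home realm discovery for the SharePoint trust is pinned to both Active Directory and Google. On the Google side, ADFS is registered as a custom SAML app whose ACS URL is https://<your ADFS host>/adfs/ls/ and whose entity ID is the ADFS federation service identifier; the Admin console then offers the IdP metadata XML for download. Assumptions: that file is C:\temp\GoogleIDPMetadata.xml, the SharePoint relying party trust is named "SharePoint 2013", and Google sends the user's e-mail address as the NameID.

```powershell
# Added example (not from the post): register Google as a claims provider trust on ADFS 3, pass its
# e-mail claim through, and pin SharePoint's relying party to that provider. Assumptions: Google's
# IdP metadata was downloaded from the Google Admin console as C:\temp\GoogleIDPMetadata.xml, the
# SharePoint relying party trust is named "SharePoint 2013", and Google sends the user's e-mail as NameID.
Import-Module ADFS

$email  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameId = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

# 1. Claims provider trust from Google's SAML metadata (entity ID, SSO URL and signing cert come from the file).
Add-AdfsClaimsProviderTrust -Name 'Google' -MetadataFile 'C:\temp\GoogleIDPMetadata.xml'

# 2. Acceptance rules: nothing leaves a claims provider trust unless a rule passes it. Turn the NameID
#    into an e-mail claim and pass e-mail through if Google also sends it as an attribute.
$acceptance = @"
@RuleName = "NameID from Google becomes e-mail"
c:[Type == "$nameId"]
 => issue(Type = "$email", Value = c.Value);

@RuleName = "Pass through e-mail"
c:[Type == "$email"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName 'Google' -AcceptanceTransformRules $acceptance

# 3. Home realm discovery: offer this relying party's users both Active Directory and Google.
Set-AdfsRelyingPartyTrust -TargetName 'SharePoint 2013' -ClaimsProviderName @('Active Directory', 'Google')

# 4. Issuance to SharePoint: its trusted identity token issuer must receive the claim it was configured
#    with as the identifier claim, typically e-mail. This REPLACES the existing issuance rule set, so
#    merge with your current rules for the AD-sourced users first.
$issuance = @"
@RuleName = "Send e-mail to SharePoint"
c:[Type == "$email"]
 => issue(claim = c);
"@
Set-AdfsRelyingPartyTrust -TargetName 'SharePoint 2013' -IssuanceTransformRules $issuance
```

Whatever claim SharePoint's trusted identity token issuer uses as the identity, every user now authenticating through Google must carry it, and nobody else should be able to mint it: keep the acceptance rules on the Google trust to the minimum and never pass through a "role" or group-style claim from an external IdP unfiltered.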

PowerShell Script to Generate One month report for Popularity and Search Reports in SharePoint 2016 site


Hi All,

By default, "Popularity and Search Reports" can fetch reports for a maximum of 15 days, but our client expects the report to be generated for the last month.

I heard that there is a PowerShell script for generating the one-month analytics report. Could you please help me with the exact PowerShell script?

Thanks,

Raj

ADCS Domain Controller Template Provider Category Greyed Out


Hello,

I recently got permission to upgrade our CA and move from SHA1 to SHA2 certificates for all devices in our org. All workstation and user certs are now SHA512 with 4096-bit keys.

Server 2016 Standard VM on ESXi 5.5.

My issue now is with the remaining templates for servers. I made a copy of the Domain Controller template and it will not allow me to select "Provider Category" under the Cryptography tab. I need to change this from Legacy CSP to KSP, as I did on both the user and workstation templates.

Any idea why this would be greyed out? This new CA has a new private key and the original CA is going to be taken offline as per best practices.

Thanks in advance.
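An added example, not part of the post. The "Provider Category" choice (CSP vs KSP) is a template schema version 3 feature, i.e. the template's Compatibility tab must name Windows Vista / Server 2008 or later as the certificate recipient; a copy made while the recipient setting is older stays at version 2 and keeps the legacy CSP list with the category control disabled. The built-in Domain Controller template is a version 1 template. This script lists every template in the Configuration partition with its schema version, so you can see which copies can take a KSP and which cannot. The column decoding msPKI-RA-Application-Policies follows the format observed on version 3 templates and is informational only.

```powershell
# Added example (not from the post): list certificate templates with the value that decides whether the
# Cryptography tab lets you pick a provider category. "Provider Category" (CSP vs KSP) exists on schema
# version 3+ templates only, i.e. the Compatibility tab must be set to at least Windows Vista /
# Server 2008 for the certificate recipient; a copy made with an older recipient setting stays v2.
Import-Module ActiveDirectory
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"

Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Template-Schema-Version, pKIDefaultCSPs, msPKI-RA-Application-Policies, msPKI-Minimal-Key-Size |
    Select-Object Name,
        @{ n = 'SchemaVersion';  e = { $_.'msPKI-Template-Schema-Version' } },
        @{ n = 'ProviderChoice'; e = {
            if ($_.'msPKI-Template-Schema-Version' -ge 3) { 'CSP or KSP selectable' } else { 'legacy CSP only (v1/v2)' } } },
        @{ n = 'MinKeySize';     e = { $_.'msPKI-Minimal-Key-Size' } },
        @{ n = 'DefaultCSPs';    e = { ($_.pKIDefaultCSPs -join '; ') } },
        @{ n = 'Algorithm';      e = {
            # v3+ templates record the key algorithm here, observed as
            # "msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`..." ; the third backtick-separated field is the name.
            ($_.'msPKI-RA-Application-Policies' -split '`' | Select-Object -Index 2) } } |
    Sort-Object SchemaVersion, Name | Format-Table -AutoSize
```

For the copied Domain Controller template, the fix is on the Compatibility tab of the copy, not on the Cryptography tab: raise the certificate recipient to Windows Vista / Server 2008 or later, and the Provider Category control becomes active. The DCs enrolling from it must then be able to use a KSP, which every supported Windows Server release can.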



Which inbound ports that a client desktop has to open in order to join AD domain


For security reasons, in our environment we block all inbound ports on our desktops. However, it seems I can't join the AD domain. However, if I add the following firewall rule:

  • Source: domain controller   
  • Destination: desktop client 
  • ports: all   
  • Allow: yes

I can join the domain successfully.

So I wonder whether any inbound client port is used. However, I googled but couldn't find any "official" answer. (I could find the inbound ports required for a domain controller, but that's not what I want.) Could anyone give me some advice?
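An added example, not part of the post, that measures the answer instead of guessing it: turn on Windows Firewall logging of both allowed and dropped connections, perform the join, then summarise the inbound ("RECEIVE") entries whose source is the DC by action, protocol and destination port. A DROP row with the DC as source is an inbound port the join needed and your policy blocked; an ALLOW row tells you which existing rule let it in. The parser reads the column order from the log's own "#Fields:" header. The DC address 10.0.0.10 and the default log path are assumptions.

```powershell
# Added example (not from the post): measure, rather than guess, which inbound connections the DC opens
# to a client during a join. Step 1 turns on Windows Firewall logging of allow and drop decisions,
# step 2 (after the join attempt) summarises inbound ("RECEIVE") entries from the DC by port.
# Assumptions: the DC's address is 10.0.0.10 and the default log path is in use.
param(
    [string]$DcIp    = '10.0.0.10',
    [string]$LogFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
)

function Enable-FirewallLogging {
    # Elevated. Logs every allowed and every blocked connection attempt on all three profiles.
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogAllowed True -LogBlocked True `
        -LogFileName $LogFile -LogMaxSizeKilobytes 32767
}

function Get-InboundFromDc {
    # The log's own "#Fields:" header gives the column order, so the parser does not hard-code it.
    $lines  = Get-Content -Path $LogFile
    $header = ($lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $fields = $header -split '\s+'
    $lines | Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields |
        Where-Object { $_.path -eq 'RECEIVE' -and $_.'src-ip' -eq $DcIp } |
        Group-Object -Property action, protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Action Proto DstPort'; e = { $_.Name } }
}

# Usage: Enable-FirewallLogging ; run the join (e.g. Add-Computer -DomainName corp.example -Restart) ;
#        then, after the reboot, run this script again and read the table below.
Get-InboundFromDc | Format-Table -AutoSize
```

Keep the DC-scoped "allow all inbound" rule in place only while you collect the data, then replace it with rules for just the ports the table shows, still restricted to the DC addresses as source.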


Installation of new 2016 servers to replace the 2008.

Hi,

We have a domain that already has a 2016 server in the forest, and there are still two 2008 servers left.

I want to remove these 2008 servers and install new 2016 servers.

I will do the promotion myself and transfer the roles to the new ones.

Are there any other tasks that need to be performed? How do I update GPOs? Etc.

Thank you.
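An added example, not part of the post: the checks I run before demoting an old DC. GPOs themselves need nothing; they live in AD and SYSVOL and replicate to the new DC (GPMC simply opens the PDC emulator by default, so after the PDC role moves it opens the new one). What does need attention is FSMO role placement, replication health, the SYSVOL replication engine (a domain that has been upgraded over the years may still be on FRS, and the DFSR migration must happen while old and new DCs coexist), stale DNS references, and any clients still authenticating against the old DC. The DC names DC2008 and DC2016 are assumptions.

```powershell
# Added example (not from the post): the checks I run before demoting an old DC. Assumptions: the old
# 2008 DC is DC2008, the new 2016 DC is DC2016; the domain name is read from AD.
param([string]$OldDc = 'DC2008', [string]$NewDc = 'DC2016')
Import-Module ActiveDirectory

# 1. FSMO roles: transfer (never seize while the old DC is alive) anything still on the old DC.
$forest = Get-ADForest; $domain = Get-ADDomain
$roles  = [ordered]@{
    SchemaMaster = $forest.SchemaMaster;  DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator  = $domain.PDCEmulator;   RIDMaster = $domain.RIDMaster; InfrastructureMaster = $domain.InfrastructureMaster
}
$roles
$toMove = $roles.GetEnumerator() | Where-Object { $_.Value -like "$OldDc*" } | ForEach-Object { $_.Key }
if ($toMove) { Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $toMove -Confirm:$false }

# 2. Replication must be clean before, and again after, the demotion.
repadmin /replsummary
repadmin /showrepl $NewDc

# 3. SYSVOL engine: migrate FRS to DFSR (dfsrmig) while both old and new DCs are present.
#    0 = Start (FRS), 1 = Prepared, 2 = Redirected, 3 = Eliminated (DFSR only).
dfsrmig /getglobalstate

# 4. DNS: anything still pointing at the old DC (NS records, this host's own resolver list; also check DHCP option 6).
$zone = $domain.DNSRoot
Get-DnsServerResourceRecord -ComputerName $NewDc -ZoneName $zone -RRType NS |
    Where-Object { $_.RecordData.NameServer -like "$OldDc*" } | Select-Object HostName, RecordData
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses | Select-Object InterfaceAlias, ServerAddresses

# 5. Who still authenticates against the old DC? Logon events on it over the last 7 days, by source IP.
Get-WinEvent -ComputerName $OldDc -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } -MaxEvents 5000 |
    ForEach-Object { (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text' } |
    Where-Object { $_ -and $_ -ne '-' } | Group-Object | Sort-Object Count -Descending | Select-Object -First 20 Count, Name

# 6. After the 2008 DCs are gone: raise the functional levels (irreversible) to unlock 2016-era features.
# Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain
# Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest
```

Step 5 is the one that prevents surprises: anything hard-coded to the old DC's name or address (LDAP-bound appliances, service accounts with a fixed DC in a connection string) shows up there, and those need fixing before the demotion rather than after.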

Enable Remote Desktop access for Domain user


On a newly set-up Windows Server 2019 Essentials domain, a user needs to RDP into their workstation.

I have added the user to the Builtin Remote Desktop Users group, but they are still unable to RDP into either the server or their workstation.

If I add them to the Builtin Administrators group they can RDP into the server, but not their workstation.

Any suggestions please?
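An added example, not part of the post, of where an RDP attempt to a member workstation is actually decided. The domain's Builtin\Remote Desktop Users group only governs RDP to domain controllers; on a workstation what counts is the machine's own local Remote Desktop Users group, the "Allow/Deny log on through Remote Desktop Services" user rights as resolved by local and group policy, the NLA setting, and the firewall rule group. The script, run elevated on the workstation, prints all of them; the user name CONTOSO\jdoe is an assumption.

```powershell
# Added example (not from the post): where a domain user's RDP attempt to a member workstation is
# decided. The domain's Builtin\Remote Desktop Users group only governs RDP to domain controllers;
# on a workstation it is the local Remote Desktop Users group plus the "Allow/Deny log on through
# Remote Desktop Services" user rights, NLA, and the firewall rule group. Run elevated on the
# workstation. Assumption: the user is CONTOSO\jdoe.
param([string]$User = 'CONTOSO\jdoe')

# 1. Is RDP enabled, and is Network Level Authentication required? (UserAuthentication=1 needs a client
#    that can do CredSSP and a user who can authenticate before the session is created.)
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
'fDenyTSConnections={0}  UserAuthentication(NLA)={1}' -f $ts.fDenyTSConnections, $rdp.UserAuthentication

# 2. Local group membership on this machine (domain accounts show PrincipalSource = ActiveDirectory).
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, ObjectClass, PrincipalSource

# 3. The user rights as they are resolved on this machine, including any Deny that a GPO added.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^Se(Deny)?RemoteInteractiveLogonRight' | ForEach-Object { $_.Line }
Remove-Item $inf
# SIDs to expect: *S-1-5-32-544 = Administrators, *S-1-5-32-555 = Remote Desktop Users

# 4. Inbound firewall rules for RDP, by profile.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled, Profile, Direction, Action

# 5. The usual fix: membership in the workstation's own group. A GPO "Restricted Groups" or Group Policy
#    Preferences "Local Users and Groups" entry does the same thing for every workstation at once.
# Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User
```

Prefer the local Remote Desktop Users group over local Administrators for this: it grants the remote logon right and nothing else, which is all the user needs.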

Active Directory Migration Tool ERROR


Please help.

I'm receiving this error while migrating a user to another AD:

ERR2:7422 Failed to move source object 'CN=al'. hr=0x8007207d An attempt was made to modify an object to include an attribute that is not legal for its class.
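An added example, not part of the post. The error text means the object being copied carries an attribute that the target forest's user class does not allow, which typically happens when the source forest has schema extensions (Exchange, custom attributes) that the target lacks. This script lists the populated attributes on the source object and reports which of them either do not exist in the target schema at all or are not legal for the target's user class (walking the class, its superclasses and its auxiliary classes). Those names are candidates for ADMT's attribute exclusion list. The DC names and the full source DN are assumptions; the DN in the post is truncated, so a placeholder is used. Constructed attributes such as canonicalName may appear as false positives in the second list.

```powershell
# Added example (not from the post): ADMT's "attribute that is not legal for its class" means the object
# being copied carries an attribute the target forest's user class does not allow. This compares the
# source object's populated attributes with the target schema. Assumptions: source DC src-dc01, target DC
# tgt-dc01, and the source object DN below (the post's DN is truncated, so a placeholder is used).
param(
    [string]$SourceDc = 'src-dc01.source.example',
    [string]$TargetDc = 'tgt-dc01.target.example',
    [string]$SourceDn = 'CN=al,OU=Users,DC=source,DC=example'
)
Import-Module ActiveDirectory

function Get-AllowedAttributes {
    # Attributes a class may carry: must/may (incl. system*) of the class, its superclasses and its
    # auxiliary classes, walked until the chain reaches "top".
    param([string]$Server, [string]$Class)
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    $seen = @{}; $allowed = @{}
    $queue = New-Object System.Collections.Queue; $queue.Enqueue($Class)
    while ($queue.Count) {
        $c = $queue.Dequeue()
        if ($seen[$c]) { continue }
        $seen[$c] = $true
        $cls = Get-ADObject -Server $Server -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$c))" `
            -Properties mayContain, mustContain, systemMayContain, systemMustContain, subClassOf, auxiliaryClass, systemAuxiliaryClass
        foreach ($p in 'mayContain', 'mustContain', 'systemMayContain', 'systemMustContain') {
            foreach ($a in $cls.$p) { $allowed[$a] = $true }
        }
        foreach ($n in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($n) { $queue.Enqueue($n) }
        }
    }
    $allowed.Keys
}

$src       = Get-ADObject -Server $SourceDc -Identity $SourceDn -Properties *
$tgtSchema = (Get-ADRootDSE -Server $TargetDc).schemaNamingContext
$tgtAttrs  = @{}
Get-ADObject -Server $TargetDc -SearchBase $tgtSchema -LDAPFilter '(objectClass=attributeSchema)' -Properties lDAPDisplayName |
    ForEach-Object { $tgtAttrs[$_.lDAPDisplayName] = $true }
$allowed   = @{}
Get-AllowedAttributes -Server $TargetDc -Class 'user' | ForEach-Object { $allowed[$_] = $true }

# Property names the cmdlet synthesises that are not LDAP attributes.
$synthetic = 'ProtectedFromAccidentalDeletion', 'sDRightsEffective'

foreach ($name in ($src.PropertyNames | Where-Object { $_ -notin $synthetic })) {
    if (-not $tgtAttrs[$name])    { "NOT IN TARGET SCHEMA : $name   (schema extension missing in the target forest)" }
    elseif (-not $allowed[$name]) { "NOT LEGAL FOR user   : $name   (candidate for ADMT's attribute exclusion list; verify if constructed)" }
}
```

Excluding an attribute is the right fix only when the target genuinely does not need it; if it is, for example, an Exchange attribute the target mailbox will depend on, extend the target schema first and migrate again.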

Changing Local account passwords in bulk across multiple machines in Domain


We have a local admin account on all of our workstations that we use with our remote software to log in. The problem is that this same account on all of the workstations has had the same password for years, and some of the users now have it and could possibly log in locally. How can I change the password for this local user account so that it resets on all of the machines in bulk, rather than going to each machine individually and resetting it? If it cannot be done through a GPO, what would the PowerShell command be to reset the password for the same local account in bulk on over 200 machines?


Support analyst
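An added example, not part of the post. Two points before the code: do not do this with the Group Policy Preferences "Local Users and Groups" item, because the key that encrypts its cpassword value is public and Microsoft removed the password field in MS14-025; and do not set the same new password everywhere, because one shared local admin password is exactly the lateral-movement key the post is worried about. The script below sets a different random password on every workstation in an OU over WinRM, keeps the results DPAPI-protected for the admin who ran it, and reports failures. The sustainable version of this is Microsoft LAPS, which does the per-machine rotation and escrows the password on the computer object in AD. The account name localadmin, the OU, and WinRM being enabled on the clients are assumptions.

```powershell
# Added example (not from the post): set a different random password for the same local account on every
# workstation in an OU, store the results DPAPI-protected, and report failures. Do NOT do this with
# Group Policy Preferences "Local Users and Groups": its cpassword key is public and Microsoft removed
# the feature in MS14-025. The sustainable version of this script is Microsoft LAPS.
# Assumptions: account name localadmin, OU OU=Workstations,DC=contoso,DC=com, WinRM enabled on clients.
param(
    [string]$Account    = 'localadmin',
    [string]$SearchBase = 'OU=Workstations,DC=contoso,DC=com',
    [string]$Vault      = "$env:USERPROFILE\localadmin-passwords.xml"
)
Import-Module ActiveDirectory

function New-RandomPassword {
    # CSPRNG bytes mapped onto an alphabet with rejection sampling (no modulo bias).
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb       = New-Object System.Text.StringBuilder
    $b        = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { [void]$sb.Append($alphabet[$b[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

$computers = (Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase).DNSHostName
$results = foreach ($c in $computers) {
    $pw = New-RandomPassword
    try {
        Invoke-Command -ComputerName $c -ErrorAction Stop -ArgumentList $Account, $pw -ScriptBlock {
            param($a, $p)
            # WinNT provider works on Windows 7 too, where Set-LocalUser does not exist.
            $u = [ADSI]"WinNT://./$a,user"
            $u.SetPassword($p)
            $u.SetInfo()
        }
        [pscustomobject]@{ Computer = $c; Status = 'OK'; Password = (ConvertTo-SecureString $pw -AsPlainText -Force) }
    } catch {
        [pscustomobject]@{ Computer = $c; Status = $_.Exception.Message; Password = $null }
    }
}

# Export-Clixml serialises SecureString with DPAPI: readable only by this user on this machine.
$results | Export-Clixml -Path $Vault
$results | Group-Object Status | Select-Object Count, Name
$results | Where-Object Status -ne 'OK' | Format-Table Computer, Status -AutoSize
# Retrieve one later (the host name is a placeholder):
# $s = (Import-Clixml $Vault | Where-Object Computer -eq 'ws01.contoso.com').Password
# [Runtime.InteropServices.Marshal]::PtrToStringUni([Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($s))
```

Machines that were offline show up in the failure list with the old password still in place; re-run the script against that list until it is empty, and treat the old shared password as compromised until then.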

grand permission by powershell

By accident I right-clicked on a domain name and, under Security, changed all the Read permissions for Authenticated Users to Deny. Now I have the attached issue. Can someone help me grant the users' permissions back via PowerShell?

baban jamal ali

Cannot delegate permission to move user object from OU to its subOU


Hello,

Like I said in the title, I am trying to delegate permission for moving user objects to sub-OUs.

I have spent a lot of time doing research and tests on this topic, and almost all of the answers say that I need to do the following:

Source OU:

- This object only - Delete User Objects

- Descendant User objects - Write Distinguished Name, Write Name, Write name

Destination OU:

- This object only - Create User objects

All permissions are delegated to the test group.

But the thing is that it doesn't work. While trying to move the test user I get an "Access denied" error.

Is there anything more I can do to make it work? I would like to keep it as simple and minimal as possible.
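An added example, not part of the post: the same delegation expressed with dsacls, followed by the check that most often explains a surviving "Access denied". "Protect object from accidental deletion" places an explicit Deny for Delete and Delete Subtree, granted to Everyone, directly on the user object, and a move is a delete from the old parent, so that Deny overrides the delegated rights no matter how they are granted. The last step performs the test move as a member of the delegated group rather than as yourself, so that it is the delegation and not your own rights being exercised. The OU DNs, group name and test user are assumptions.

```powershell
# Added example (not from the post): the same delegation expressed with dsacls, plus the check that most
# often explains a surviving "Access denied": "Protect object from accidental deletion" puts an explicit
# Deny of Delete/Delete Subtree for Everyone on the user, and a move is a delete from the old parent.
# Assumptions: source OU OU=Staff,DC=contoso,DC=com, destination OU=Leavers,OU=Staff,DC=contoso,DC=com,
# delegated group CONTOSO\OU-Movers, test user jdoe.
param(
    [string]$SourceOU = 'OU=Staff,DC=contoso,DC=com',
    [string]$DestOU   = 'OU=Leavers,OU=Staff,DC=contoso,DC=com',
    [string]$Group    = 'CONTOSO\OU-Movers',
    [string]$TestUser = 'jdoe'
)
Import-Module ActiveDirectory

# Source: delete child objects of class user, on this object only (no /I flag = this object only).
dsacls $SourceOU /G "${Group}:DC;user"
# Source: write the RDN attributes on descendant users (/I:S = sub-objects only).
dsacls $SourceOU /I:S /G "${Group}:WP;name;user" "${Group}:WP;cn;user" "${Group}:WP;distinguishedName;user"
# Destination: create child objects of class user.
dsacls $DestOU /G "${Group}:CC;user"

# The check: a protected user carries an explicit Deny that overrides the delegation above.
$u = Get-ADUser -Identity $TestUser -Properties ProtectedFromAccidentalDeletion, nTSecurityDescriptor
"ProtectedFromAccidentalDeletion: $($u.ProtectedFromAccidentalDeletion)"
$u.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
# Clear the flag before the move (it can be set again afterwards):
# Set-ADUser -Identity $TestUser -ProtectedFromAccidentalDeletion $false

# Test as a member of the delegated group, so the delegation and not your own rights is what moves it.
$cred = Get-Credential -Message 'Account that is a member of the delegated group'
Move-ADObject -Identity $u.DistinguishedName -TargetPath $DestOU -Credential $cred
```

Because the destination is a sub-OU of the source, note that the sub-object rule (/I:S) on the source OU also reaches users already inside the destination; that is harmless for the write-RDN rights here, but it is why the Delete and Create rights are deliberately granted on "this object only".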


give full control to authenticated users on a domain name

# Read the folder's current ACL, add an Allow ACE, write it back explicitly to the same path.
$acl = Get-Acl -Path 'd:\test5'
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule('Authenticated Users', 'FullControl', 'Allow')
$acl.AddAccessRule($ace)
Set-Acl -Path 'd:\test5' -AclObject $acl
This one is for a folder; how can I change my script for an entire domain OU?

baban jamal ali
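An added example, not part of the post, that serves both this post and the earlier "grant permission by PowerShell" post from the same author. It deliberately does not grant the Full Control that the title asks for: Full Control for Authenticated Users on the domain head would let every user rewrite any object under it, Domain Admins included. What a fresh domain grants Authenticated Users on the domain object is Read (GenericRead), and that is what this restores after removing the accidental Deny entries. The AD: PSDrive from the ActiveDirectory module lets Get-Acl and Set-Acl work on directory objects the same way the posted script works on a folder. By default it targets the domain root; pass an OU's DN to repair an OU instead.

```powershell
# Added example (not from the post, and deliberately NOT the Full Control the title asks for): putting
# Full Control for Authenticated Users on the domain head would hand every user the ability to rewrite
# any object under it, including Domain Admins. What a fresh domain grants Authenticated Users on the
# domain object is Read (GenericRead), and that is what this restores after removing the accidental Denys.
# Assumption: the target is the domain root; pass an OU DN in -TargetDn to repair an OU instead.
param([string]$TargetDn = (Get-ADDomain).DistinguishedName)
Import-Module ActiveDirectory            # provides the AD: drive used by Get-Acl/Set-Acl below

$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # NT AUTHORITY\Authenticated Users
$path = "AD:\$TargetDn"
$acl  = Get-Acl -Path $path

# 1. Remove every explicit (non-inherited) Deny ACE for Authenticated Users on this object.
$denies = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers
})
foreach ($d in $denies) { [void]$acl.RemoveAccessRule($d) }
"Removed $($denies.Count) Deny ACE(s) for Authenticated Users on $TargetDn"

# 2. Restore the default Allow: GenericRead on this object only, as in the schema default for domainDNS.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $authUsers,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Verify, and compare with what the schema says a new domain object gets by default (SDDL).
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like '*Authenticated Users*' } |
    Select-Object AccessControlType, ActiveDirectoryRights, IsInherited, InheritanceType
$schemaNC = (Get-ADRootDSE).schemaNamingContext
(Get-ADObject -Identity "CN=Domain-DNS,$schemaNC" -Properties defaultSecurityDescriptor).defaultSecurityDescriptor

# Equivalent with the built-in tool:  dsacls "$TargetDn" /R "Authenticated Users"   (strip all its ACEs)
#                                     dsacls "$TargetDn" /G "Authenticated Users:GR"
```

If the Deny entries were applied with inheritance to descendant objects, removing them at the object where they were set removes the inherited copies as well; the verification in step 3 run against a child OU confirms that nothing inherited is left.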

How to properly apply GPOs for lock screen and screensaver timeouts


Good day all,

I am having trouble applying GPOs for lock screens and screensavers.
Here are the details:

We upgraded the domain from 2003 to 2008.
There are 2 domain controllers: one is 2008 R2 and the other was upgraded to 2012 R2 Standard (we want to upgrade the domain to 2012 soon).
I need to apply GPO(s) to start a screensaver after 1 minute and lock the machines at 7 minutes.
I had the screensaver GPO working per user account on Windows 7 machines, but it would not work for Windows 10 machines.
Additionally, I could not get the lock screen to work after 7 minutes on either Windows 7 or Windows 10 machines.
We have imported the Windows 10 templates into Group Policy Management.
Now the lock screen GPO works for Windows 10 but not Windows 7.
Also, the screensaver setting does not work for either one.
I know this is a cluster of multiple possible issues, but any help with this will be greatly appreciated.
Thanks!
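An added example, not part of the post, that writes the two separate mechanisms behind "screensaver at 1 minute, lock at 7 minutes" into one GPO with the GroupPolicy module and shows how to verify what arrived on a client. The per-user screensaver policy values (under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop) exist on Windows 7 and Windows 10 alike. The machine-level "Interactive logon: Machine inactivity limit" security option (InactivityTimeoutSecs) exists only on Windows 8 / Server 2012 and later, which is consistent with a lock timer that works on Windows 10 and not on Windows 7; Windows 7 has no separate inactivity lock and only locks when a password-protected screensaver starts. The GPO name is an assumption.

```powershell
# Added example (not from the post): the two separate mechanisms behind "screensaver at 1 minute,
# lock at 7 minutes", written to one GPO with the GroupPolicy module. The per-user screensaver policy
# exists on both Windows 7 and 10. The machine-level "Interactive logon: Machine inactivity limit"
# (InactivityTimeoutSecs) only exists on Windows 8 / Server 2012 and later; Windows 7 has no separate
# lock timer, it locks when a password-protected screensaver kicks in. Assumption: GPO "Workstation Lock Policy".
Import-Module GroupPolicy
$gpo = 'Workstation Lock Policy'
if (-not (Get-GPO -Name $gpo -ErrorAction SilentlyContinue)) { New-GPO -Name $gpo | Out-Null }

# User side: screensaver after 60 s. ScreenSaverIsSecure=0 keeps the 1-minute screensaver from locking
# on its own on Windows 10, where InactivityTimeoutSecs below provides the 7-minute lock.
$user = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpo -Key $user -ValueName 'ScreenSaveActive'    -Type String -Value '1'            | Out-Null
Set-GPRegistryValue -Name $gpo -Key $user -ValueName 'ScreenSaveTimeOut'   -Type String -Value '60'           | Out-Null
Set-GPRegistryValue -Name $gpo -Key $user -ValueName 'SCRNSAVE.EXE'        -Type String -Value 'scrnsave.scr' | Out-Null
Set-GPRegistryValue -Name $gpo -Key $user -ValueName 'ScreenSaverIsSecure' -Type String -Value '0'            | Out-Null

# Machine side: lock after 420 s of inactivity (Windows 8+/Server 2012+ only; ignored by Windows 7).
$machine = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpo -Key $machine -ValueName 'InactivityTimeoutSecs' -Type DWord -Value 420 | Out-Null

# Windows 7 cannot do "screensaver at 1 minute, lock at 7" with these settings: there the lock can only
# ride on the screensaver. For those machines a separate GPO (WMI-filtered on OS version) with
# ScreenSaverIsSecure=1 and ScreenSaveTimeOut=420 gives a lock at 7 minutes.

# On a client, after gpupdate /force, confirm what arrived (gpresult /h report.html shows the same):
Get-ItemProperty "Registry::$user"    -ErrorAction SilentlyContinue |
    Select-Object ScreenSaveActive, ScreenSaveTimeOut, ScreenSaverIsSecure, 'SCRNSAVE.EXE'
Get-ItemProperty "Registry::$machine" -ErrorAction SilentlyContinue | Select-Object InactivityTimeoutSecs
```

Link the GPO where both the users and the computers it targets are located: the screensaver values are user-side settings and only apply through the user's OU (or through loopback processing), while InactivityTimeoutSecs is a computer-side setting and only applies through the computer's OU.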

Does O365 give rights such as a Server CAL, Exchange CAL, etc.?

Does O365 give rights such as a Server CAL, Exchange CAL, etc. to connect to on-premises services?

Windows Server - the Net Logon service will not start


Good afternoon,

I have a Windows Server 2012 R2 on which the Net Logon service stopped; with that, my AD and all the applications that run against AD stopped. When I try to start the service it gives me error 1075.

Has anyone solved this problem?
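An added example, not part of the post. Error 1075 is ERROR_SERVICE_DEPENDENCY_DELETED, "The dependency service does not exist or has been marked for deletion": it says nothing about Netlogon itself, only that one of the services named in its DependOnService value is gone. On a default Windows Server 2012 R2 domain controller that value is LanmanWorkstation (the Workstation service). The script, run elevated on the affected DC, walks the dependency list and reports which entry has no service key, then shows the fix.

```powershell
# Added example (not from the post): error 1075 is ERROR_SERVICE_DEPENDENCY_DELETED, "the dependency
# service does not exist or has been marked for deletion". One of the services named in Netlogon's
# DependOnService value is missing. On a default Windows Server 2012 R2 DC that value is LanmanWorkstation.
# Run elevated on the affected DC.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$deps   = @((Get-ItemProperty -Path "$svcKey\Netlogon").DependOnService)
"Netlogon depends on: $($deps -join ', ')"

foreach ($d in $deps) {
    if (Test-Path "$svcKey\$d") {
        $s = Get-Service -Name $d
        # Start: 2 = Automatic, 3 = Manual, 4 = Disabled
        '{0,-20} {1,-10} Start={2}' -f $d, $s.Status, (Get-ItemProperty "$svcKey\$d").Start
    } else {
        '{0,-20} MISSING: no service key, this is what error 1075 refers to' -f $d
    }
}

# One level down: each dependency has its own chain (LanmanWorkstation needs the SMB redirector drivers).
Get-Service -Name $deps -ErrorAction SilentlyContinue |
    Select-Object Name, Status, @{ n = 'RequiredServices'; e = { ($_.RequiredServices.Name -join ', ') } }

# Fix: restore the default dependency (depend= replaces the whole list; separate entries with "/"),
# then start the chain. Do not "fix" it by emptying the list; Netlogon genuinely needs the Workstation service.
# sc.exe config Netlogon depend= LanmanWorkstation
# Start-Service LanmanWorkstation
# Start-Service Netlogon
```

A dependency that disappears from a domain controller is usually the work of a hardening script or an uninstalled product that removed a service; find out which, because whatever removed LanmanWorkstation may have removed more.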

DNS - very confused.


Hi All,

We are in the process of migrating machines from one domain to another. There is a two-way trust relationship between both domains. Last week was the beginning of the pilot migration, and we successfully migrated 12 users across with very little issue using the Quest tool.

Yesterday we created a GPO to append DNS suffixes for both domains due to erratic DNS issues. We set the primary to the target domain and the secondary to the legacy domain. When the migrated users in the target domain logged in this morning they could not get onto the local IE page. The error was "Page not found".

The hosting server is on the legacy domain and users had no problem before the GPO was applied. I am confused by this and don't know where to turn or how to troubleshoot.

So I guess my questions are:

What exactly do the DNS suffixes do? I am guessing it tells the local client to look at the target DNS server first, and then, if it can't find what it wants, to go to the legacy DNS server?

Any information on how I could troubleshoot this issue would be gratefully received.

Regards.
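An added example, not part of the post, for the troubleshooting question. The DNS suffix search list is a client-side rule for completing single-label names: for "intranet" the resolver tries intranet.<first suffix>, then intranet.<second suffix>, and so on, and stops at the first name that resolves. It does not choose which DNS server is asked; every candidate goes to the same server list configured on the adapter. So a new search list changes which host a short name lands on, which is the first thing to check when an intranet page stops working right after such a GPO. The script prints what the client is configured with, then resolves each candidate FQDN itself, bypassing the client cache. The host name and suffixes are assumptions.

```powershell
# Added example (not from the post): the DNS suffix search list is a client-side rule for completing
# single-label names; it does not pick which DNS server is asked. Every candidate FQDN goes to the same
# server list on the adapter, in order, until one answers. This shows what the client will try for an
# unqualified name and what each attempt returns. Assumptions: the intranet host is "intranet", the
# suffixes are target.example (new) and legacy.example (old).
param(
    [string]  $ShortName = 'intranet',
    [string[]]$Suffixes  = @('target.example', 'legacy.example')
)

# 1. What the client is actually configured with (a GPO-set search list lands in the DNSClient policy key).
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList, UseSuffixSearchList, DevolutionLevel
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue |
    Select-Object SearchList, UseDomainNameDevolution
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses | Select-Object InterfaceAlias, ServerAddresses

# 2. Query each candidate the way the resolver would, but without the client cache, so you can see
#    which suffix wins and which ones return NXDOMAIN. The first name that resolves is what the browser
#    goes to; "page not found" then means that host (or its web server's host header) is not the one expected.
foreach ($s in $Suffixes) {
    $fqdn = "$ShortName.$s"
    try {
        $r = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop
        '{0,-35} -> {1}' -f $fqdn, (($r | Where-Object Type -eq 'A').IPAddress -join ', ')
    } catch {
        '{0,-35} -> {1}' -f $fqdn, $_.Exception.Message
    }
}

# 3. The resolver's own view of the short name, including the suffix it appended:
Resolve-DnsName -Name $ShortName -Type A -ErrorAction SilentlyContinue | Select-Object Name, Type, IPAddress
```

If intranet.target.example resolves (to a wildcard record, a same-named host, or a stale entry) the client will never try intranet.legacy.example; either remove the conflicting record, put the legacy suffix first, or, better, have the migrated users reach the page by its full name.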

 
