Channel: Directory Services forum

Removing group membership from many users


Hi

I would like to know if there is a way of removing membership from many users at once, that is from a CSV file or from a comma separated list perhaps.

I am open to using any built-in tools within directory services or using a 3rd party piece of software.

I will also say that I am aware of ways to remove users from a group en masse, but that is not what I would like to do. The reason for this requirement is to manage leavers.

For Example. User1, User2 and User3 are a member of Group1, Group2 and Group3.
Manually removing groups from "Member Of" for User1 is very easy and doesn't take much time at all. But doing that 50 times over is quite time consuming.
Thus the requirement to feed in a CSV of Users1 through to 100 for example and get it to remove all memberships for those accounts.

Obviously the reason why I don't want to remove all users from a group is because there will of course be some users still in the business(!) and therefore I don't want to affect their permissions.

I hope I've explained the issue clearly, it isn't complicated as far as I can see but I don't seem to be able to find a tool to do it.

Thanks in advance.


remove dfs from RODC windows server 2008 R2


Hi

How can I remove DFS from an RODC server?

Without touching Active Directory settings.

Any comment will be appreciated.


Arvind

Logon failure the target account name is incorrect when trying to open shared network folder.

We have another business location that is connected to us via VPN, when anyone at that location tries to open a server directly \\servername\folder it gives them this message "Logon failure the target account name is incorrect" . If they try to open the same folder with an IP address \\10.2.1.1\folder it opens. If we ping the servername from the same computer it resolves. They can access email and log into their virtual machines. There is no domain firewall setup on the computer or server. The IP address and DNS on the computers are right. I've taken the computer off the domain and put it back on and reset the vpn tunnel that connects us. I've also done a flushdns multiple times. Our third location isn't having any problems. PLEASE HELP...

need your help!


Hi all,

On one Windows 2008 R2 domain controller, I get this event 13562 in the File Replication Service log.

----------------------------------------------

Log Name:      File Replication Service
Source:        NtFrs
Date:          4/17/2013 11:06:44 AM
Event ID:      13562
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      DC1.mycompany.local
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC1.myconpaly.local for FRS replica set configuration information.
 
 The nTDSConnection object cn=4092b303-706e-4c86-bd1f-6eff3cb7dcf8,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local is conflicting with cn=4943015c-7af9-4f6d-b455-d80088902857,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local. Using cn=4092b303-706e-4c86-bd1f-6eff3cb7dcf8,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local

The nTDSConnection object cn=4092b303-706e-4c86-bd1f-6eff3cb7dcf8,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local is conflicting with cn=529f509c-7140-4f7c-b627-5539e7241d91,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local. Using cn=4092b303-706e-4c86-bd1f-6eff3cb7dcf8,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local

 

The nTDSConnection object cn=5bd513ce-2397-4f5b-83f0-81f7564937d4,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local is conflicting with cn=4092b303-706e-4c86-bd1f-6eff3cb7dcf8,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local. Using cn=5bd513ce-2397-4f5b-83f0-81f7564937d4,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local

 

The nTDSConnection object cn=5bd513ce-2397-4f5b-83f0-81f7564937d4,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local is conflicting with cn=73ca1e82-f89f-4ff3-a614-4df085eadfdd,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local. Using cn=5bd513ce-2397-4f5b-83f0-81f7564937d4,cn=ntds settings,cn=DC1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=mycompany,dc=local

-----------------------------

Can anyone help me how to fix this error?

Thank you.
Sysvol folder is not replicating to some of our DCs in our domain


Hello,

We recently introduced two new Windows 2012 DCs into our domain and since then we have noticed that Sysvol replication doesn't occur between some of our DCs.

Doug

Remove old DHCP Server from Authorized Servers


Hi All,

I have in the DHCP MMC an old (several) DHCP servers in the list of authorized servers.  I want to remove them from the list.  Drilling down into ADSIedit I see a list of authorized servers along with the CN=DhcpRoot entry.  In that list I deleted one of the old computers, but it still appears in DHCP MMC.

Every post I am finding says to edit the CN=DhcpRoot and remove them from there.  What are my other options?


Philip P. Mennenoh

Need help with Active Directory Permissions delegation to Helpdesk


DC on Server 2008R2 (Very Poorly Structured in terms of Administrative Access)

I am newly Appointed Administrator (Never had experience with RBAC)

There is a Helpdesk team, I want them to have following permissions on DC :

Create/Modify Users, Create OU's/Sub-OU's, Reset Passwords, Create & Modify SG's & DG's


1) Firstly, with TESTADMIN User I am not able to Access DC at all (TESTADMIN is very well added in "Remote Desktop Users" group in AD). It says "Connection was denied because The User Account is not Authorized for Remote Login"

2) "Remote Desktop Users" is very well added in "Allow Logon through Remote Desktop Services" in Local Security Policy of DC

3) Then I tried logging in to the Domain Controller using this TESTADMIN and I was able to (only after adding TESTADMIN to "Allow Logon through Remote Desktop Services" in the Local Security Policy of the Domain Controller). But I am not able to open ADUC, though I delegated control of one OU to this user.

WAO . . . I am really typing Too much :O :O :O

Conclusion, Shall we ;) ???

I want Helpdesk to have LIMITED Access to DC & also to Exchange (PLEASE HELP :D)

Thanks in Advance ! ! ! 


Mohammed Bin Ahmed - Data Center Engineer

4015 error on 2012 DC in branch office - NOT an RODC


I have 2012 DC in a branch office connected via Site to Site VPN connection. I have it pointing to the DNS server at our home location and to itself as the secondary DNS server with 127.0.0.1. Everything seems to be working fine. 

Every 1 or 2 hours the event log will fill up with 4015 errors - The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

I have run dcdiag and everything shows as OK. I've also tried ipconfig /flushdns, ipconfig /registerdns, net stop netlogon, net start netlogon.

Any ideas why this is happening? Thanks.


Find Who Disabled user Id


Hi

I have a scenario here: my AD accounts got disabled and I need to find who disabled the account. We are running 2008 R2 AD and "Account Management" auditing is not enabled.

Possibility change "pwdLastSet" to Today?


Hello,

I want to change some user-account object settings (pwdLastSet) to today. This is because I want to implement a password policy.

When I try to change the attribute to -1 the date will not change!

What do I do to fix this?

Maurice

Verification of prerequisites for Active Directory preparation failed


We currently have Windows Server 2003 SBS, SP2, Domain Controller. Would like to add Windows Server 2012, Standard, 64-bit as a backup domain controller.

"Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain sxxxx.local.
Exception: The RPC server is unavailable.
Adprep could not retrieve data from the server name.xxxxx.local through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130417103902-test directory for possible cause of failure."

What the log says is really:

"Adprep encountered a Win32 error. Error code: 0x6ba Error messa The RPC server is unavailable."

Can anyone who has had a similar experience shed some light on how to troubleshoot this? I have reviewed other links that have similar problems but they don't help.

Many Thanks!

Proxy Authentication and lockout status


Is it possible to have the account lockout status not sync between AD DS and AD LDS when using proxy authentication? 

We have a scenario where an application will use LDS as an authentication store. Some users will be contained in the LDS database and others will be stored in AD and use proxy authentication. We don't want the user to be locked out of the application because they've entered their password wrong numerous times, even though they may be locked out of AD DS due to our domain password lockout policy.

Thanks,

Mr Dizzle


Which other ports do I need to open on the firewall so the server in the DMZ can use domain logon?


Hi everyone,

How are you all? I hope you can help on this... Little frustrated....

Currently, I have a web server in the DMZ with a 172.x.x.x IP scheme. And our domain (AD) is in the LAN (with IP scheme 10.x.x.x). For some reason, someone needs to access domain servers in the LAN from the server in the DMZ.

Based on the DMZ-to-LAN access rule, we need to manually configure and open the ports to allow the access from the DMZ to the LAN.

Before doing anything, the web server in the DMZ had not joined the domain yet. So I did the research and did the following:

On the Firewall, I opened up the following ports so that the web servers can talk to our DCs in the LAN:

UDP port 88 - for kerberos

TCP and UDP port 135 for dc to dc operations

TCP 139 and UDP 138 for replication service between DCs

UDP 389 to handle normal queries from the client to the DCs

TCP and UDP 445 for replication service

TCP and UDP 464 for kerberos password change

TCP 3268 and 3269 for Global Catalog from the client to the DCs.

TCP and UDP port 53 for dns

On the web server, of course, I add the DC DNS server IPs there so it knows which dns it can talk to.

######################

Afterwards, I joined the domain, and great! From the server I can ping any LAN server name without any problem, including the DCs. The tracert shows as expected too.

However, when I tried to log on, it says it cannot find any logon server.

What else am I missing?  By the way, the web server has the Windows firewall disabled.

I hope you can help me on this....

Thank you very much in advance.

Takusan



DFS links in AD?


Are DFS links and link targets stored in the directory? If they are, I haven't found them... all I can find is a list of roots and root targets under Dfs-Configuration in the System container in the default domain NC. I ran a Wireshark trace while enumerating DFS links from DFSutil and could only see a NETDFS query targeted at the root servers, with the links and link targets being provided back as RPC responses from a root server. No LDAP at all.

Is there a way to programmatically enumerate DFS links and link targets? I'm working on a Powershell script which leverages dfsutil, but is there another way (perhaps using a .NET library)?

Use of Active Directory for an IaaS Offering in a Private Cloud

We are a service provider who plan to provide IaaS service to our customers. Our IaaS offering has both Public and Private Cloud offerings. For a Private Cloud Offering, we are spinning up a separate AD Forest for every customer. Now the customer base is increasing heavily and management of these separate AD Forests has started to become a huge task in itself.

Is there a way to provide isolation to every private cloud customer without adding more AD management effort? Are there tools/solutions from Microsoft or its partners who can provide such a solution? Otherwise the only way I can think of is using a single forest with multiple trees or a multiple-child-domain model, where the forest root will have service provider admin accounts which will be given Domain Admins rights in all child domains underneath. That way we do address the issue of having multiple admin IDs, passwords, etc. However, Microsoft says the AD forest is the administrative boundary and now we are confused whether we can provide enough isolation by providing each customer with a child domain/tree.

I am stuck now, what options do we have to move forward? Federation?? Kindly assist.
Thanks

Modify user attr in AD


In my Windows server there are around 1500 users. I would like to update the user accounts in Active Directory as they are not correct.

What I would like to update is the e-mail field. For example, the current email format in AD is tom.chan at email.com, and I want to change the format to "user name" + email.com.

For example:

A user account's current email field in AD is tom.chan at email.com; I would like to replace it with the user's user name (e.g. user1), therefore the email will be changed to user1 at email.com.

example 1) tom.chan at  email.com ==> user1 at email.com ;
example 2) amy.yuen at email.com ==> user2 at email.com ;
example 3) jacky.hung at email.com ==> user3 at email.com etc

Could anyone help with some advice? Thank you in advance.

Home Directories : new domain controller, keep same DC name or easy way to redirect?


I work for a school district, and we are upgrading our domain controllers at each site.  Each domain controller houses our users' home directories as well.  For example, in Active Directory, user.a has his/her home directory set as \\fserver0\users$\user.a\, as does the rest of the users at each site.

We are replacing these servers, but I'm looking for the easiest way to do this without losing links to the users' home folders.  My thoughts on ways to do this:

1) Demote existing fserver0, take it off the domain, remove all DNS/etc. entries, rename the new server to fserver0 and promote it as a DC, and move the share registry entry from the old server to the new one so \\fserver0\users$ is still valid. Problem resolved.

2) (Insert your recommendations here for an easier way of doing this.)

Is there a way to fire up a new server named \\fserver1, physically move the data drive to this server as well as the share registry entry, and then mass-update all shares that were once tied to \\fserver0\users$ to \\fserver1\users$?

I'm open to any suggestion, as I'm probably making this quite a bit more complicated than it actually is.  I'm wanting to get a good process for doing this, as I'm doing it for 4 sites.

Thank you very much

Upgrading Exchange 2003 Domain to Windows Server 2008R2 DS


Hi ,

My environment is currently as per below.

1 Windows Server 2003 Domain Controller with Exchange 2003 Server installed. - FSMO Roles reside on this server
1 Windows Server 2003 Domain Controller - Secondary DC

We are planning to upgrade to Windows Server 2008R2 DS as Windows Server 2012 does not support Exchange 2003 Domain. Main reason for upgrade is the GPMC support for WIN7 & WIN8 clients.

The question I have is: would Exchange 2003 break if I move the FSMO roles from the DC installed together with Exchange 2003 to the new Windows Server 2008 R2 DC?

Please advise. Thank you.


Shaun Lee

Event ID 10154

I receive the event ID 10154 "the WinRM service failed to create the following SPNs: wsman" on several servers in my domain. The event shows up on domain controllers and member servers.  I have seen several solutions for this warning; however, my question is whether I should try to resolve this.  The event only happens after the server has been rebooted.  The domain controllers are running Server 2008 SP2, and all the other member servers are running Server 2008 SP2, except for one which is running Server 2008 R2 SP1.  The domain functional level is 2003.

User Admin rights error


Hi,

After creating a few more users, using an existing administrator as a template.

Now, back using the original template user, I seem to have lost certain (inconsistent, as far as I can tell) rights. However, it is still a domain admin/administrator.

I can view all GPOS on one DC but only have on the other DC. 

Any ideas, or does this sound familiar?

Thanks
Tom
