Channel: Directory Services forum

Configure detailed Auditing in AD 2016


Hi,

Please help me understand the use case for the logs below. If we enable these logs, will my domain controller face any performance issues?

Will enabling these consume more space on the C drive?

Configure Auditing for Account Management: Computer Account Management
Configure Auditing for Account Management: Other Account Management
Configure Auditing for Account Management: Security Group Management
Configure Auditing for Detailed Tracking: Audit PNP Activity
Configure Auditing for Detailed Tracking: Audit Process Creation
Configure Auditing for DS Access: Audit Directory Service Access
Configure Auditing for DS Access: Audit Directory Service Changes
Configure Auditing for Logon-Logoff: Audit Account Lockout
Configure Auditing for Logon-Logoff: Audit Group Membership
Configure Auditing for Logon-Logoff: Audit Special Logon
Configure Auditing for Object Access: Audit Detailed File Share
Configure Auditing for Object Access: Audit File Share
Configure Auditing for Object Access: Removable Storage
Configure Auditing for Policy Change: Authentication Policy Change
Configure Auditing for Policy Change: Other Policy Change Events
Configure Auditing for Privilege Use: Audit Sensitive Privilege Use
Configure Auditing for System: Audit System Integrity
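The practical way to answer the space and performance question is to measure the Security log on a pilot DC after enabling the subcategories. The following PowerShell is an added example, not code from the original post; it assumes the ActiveDirectory role is not needed, only read access to the Security log (run elevated).

```powershell
# Added example (not from the original post): measure how much of the Security
# log each event ID produces over a time window, so the disk and I/O cost of the
# extra audit subcategories can be judged on a pilot DC after enabling them.
# Reading a large Security log takes a while; narrow -Hours on busy DCs.
function Get-SecurityLogVolume {
    param(
        [int]    $Hours = 24,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
        LogName   = 'Security'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $total = ($events | Measure-Object).Count
    # The rendered XML is an upper-bound approximation of the on-disk record
    # size; EVTX stores a compact binary form of the same payload.
    $events | Group-Object Id | ForEach-Object {
        $bytes = ($_.Group | ForEach-Object { $_.ToXml().Length } | Measure-Object -Sum).Sum
        [pscustomobject]@{
            EventId      = [int]$_.Name
            Count        = $_.Count
            PercentTotal = [math]::Round(100 * $_.Count / $total, 1)
            PerHour      = [math]::Round($_.Count / $Hours, 1)
            ApproxMB     = [math]::Round($bytes / 1MB, 2)
            Provider     = $_.Group[0].ProviderName
        }
    } | Sort-Object Count -Descending
}

# Configured ceiling and retention mode of the Security log. A Circular log
# overwrites the oldest records once the ceiling is reached, which is what
# silently discards audit history when the volume grows.
function Get-SecurityLogCapacity {
    param([string] $ComputerName = $env:COMPUTERNAME)
    $log = Get-WinEvent -ListLog Security -ComputerName $ComputerName
    [pscustomobject]@{
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        CurrentSizeMB = [math]::Round($log.FileSize / 1MB)
        RecordCount   = $log.RecordCount
        RetentionMode = $log.LogMode            # Circular, AutoBackup or Retain
        IsFull        = $log.IsLogFull
    }
}

Get-SecurityLogCapacity | Format-List
Get-SecurityLogVolume -Hours 24 | Select-Object -First 15 | Format-Table -AutoSize
```

Compare ApproxMB per hour against MaximumSizeMB to see how many hours of audit history the current log size actually retains before raising the ceiling or forwarding events off the DC.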


Password Expiration not applying but rest of policy does


I have two domain controllers, both running Windows Server 2019, and within AD I have built two granular password settings, one for End Users and one for Admins. Within these settings I have set the password expiration time to 90 days; however, whilst the rest of the settings are applying (confirmed by adjusting the password length settings), the password expiration setting is not applying and defaults to 42 days.

I've gone over all group policy objects and ensured there are no password expiration settings enabled in all of them.

Can anyone assist or point me in the right direction as to what I am missing, please?

Thanks 

Rob
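A check worth running in this situation is to ask AD which fine-grained password policy (PSO) actually wins for a given account and compare it with the Default Domain Policy. The following PowerShell is an added example, not the poster's code; it assumes the ActiveDirectory RSAT module and uses 'jdoe' as a placeholder account name.

```powershell
# Added example (not from the original post): show which PSO a user actually
# receives and what the domain default is. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)] [string] $Identity)

    $user    = Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordNeverExpires
    $default = Get-ADDefaultDomainPasswordPolicy
    # Returns the winning PSO, or nothing when no PSO applies to the user (via a
    # direct link or group membership). In that case the Default Domain Policy
    # applies, whose out-of-the-box MaxPasswordAge is 42 days.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $Identity
    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { $default.MaxPasswordAge }

    $expires = if ($user.PasswordNeverExpires -or $maxAge.TotalDays -le 0) { 'never' }
               elseif (-not $user.PasswordLastSet) { 'must change at next logon' }
               else { $user.PasswordLastSet + $maxAge }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        SourcePolicy         = if ($pso) { "PSO: $($pso.Name) (precedence $($pso.Precedence))" }
                               else { 'Default Domain Policy' }
        MaxPasswordAgeDays   = $maxAge.TotalDays
        PasswordLastSet      = $user.PasswordLastSet
        ExpiresOn            = $expires
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

# Every PSO with its precedence and targets. When a user is in scope of several
# PSOs the lowest precedence value wins, and a PSO linked to the user directly
# beats any group-linked PSO.
function Get-PsoOverview {
    Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo | ForEach-Object {
        [pscustomobject]@{
            Name               = $_.Name
            Precedence         = $_.Precedence
            MaxPasswordAgeDays = $_.MaxPasswordAge.TotalDays
            MinPasswordLength  = $_.MinPasswordLength
            AppliesTo          = ($_.AppliesTo | ForEach-Object { (Get-ADObject $_).Name }) -join ', '
        }
    } | Sort-Object Precedence
}

Get-PsoOverview | Format-Table -AutoSize
Get-EffectivePasswordPolicy -Identity 'jdoe'   # placeholder: use a real account
```

If SourcePolicy shows the expected PSO but MaxPasswordAgeDays is still 42, the PSO itself carries the wrong age; if it shows Default Domain Policy, the user is not in the PSO's AppliesTo scope.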

AAD joined computer user authentication


Hello,

We sync our on-premises directory to AD and have enabled ADFS, and the password hash is not synced to AAD.

In this case we found something interesting: we joined a Windows 10 machine to AAD, and the user is able to log in to this AAD-joined computer with their domain credentials.

And if they change the password in on-premises AD, they can use the new password to log in to the computer.

But as far as I know, AAD does not have the password hash synced, and during the Windows 10 login no ADFS login page shows up.

How does AAD know the password? How does the authentication work?

thanks

DC - refuses administrator log on


History: I migrated a 2003 domain to 2012 R2 (2 DCs), now native. All was OK until my first reboot of the 2nd DC. It lost its ability to communicate with the domain. I've demoted/removed it and am now on 1 DC until I can do some more testing. DNS is now clean and dcdiag gives a clean bill. This has been running without issues for several weeks.

This AM I get a call that users cannot log in to the terminal server. I reboot it, but the problem persists. I then try to log on to the DC. I get a login error: the DC doesn't recognize administrator or the regular domain admin account I typically use. I'm forced to do a power-button shutdown and restart. After the restart I can log in and everything appears to be good.

A review of the event logs shows that at 4:30 PM yesterday the scheduled backup (Windows Backup) completed successfully. Then shortly after 5 PM the system logged event 5823 (NETLOGON: "The system successfully changed its password on the domain controller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.").

Then nothing until about 2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened? Did the automatic change of the system password break AD because I only have 1 DC?

This server is the owner of the following FSMO role, but does not consider it valid


Hi,

What is this error I am getting on the server? I did demote the server; all FSMO roles are currently mapped to this server only, but I am still getting this error.

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: DC=ad,DC=Contoso,DC=com

User Action:

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

     

Thanks & Regards, D.Nithyananthan.

ADMT migration

Hello everyone, I would like to ask about the ADMT migration tool and how it changes user and computer SIDs in the domain.

Issue with workstations domain membership


I posted a similar question a few weeks ago but eventually closed that question. I had the issue come up again, so I decided to post another question. I hope I can determine what is going on this time.

I have a problem that occurs randomly on my Windows workstations (Windows 10 is all we have). Every so often a workstation will seem to lose its connection to the domain. I know that sounds odd, because it is. I first notice it when a user complains about their network drives going missing. When I look at the machine I also notice that, in Computer Management under Local Users and Groups, the domain accounts show up as unrecognizable.

This is a Windows domain with 3 Windows 2008 R2 DCs and one Windows 2016 DC.

Symptoms:
1- network drives don't show up in File Explorer
2- in Computer Management, Local Users and Groups, Groups, any group with a domain account shows the account as unrecognizable. It looks like this: S-1-5-21-1392988177-2029604534-620655208-512

The computer's user is able to log in and access resources. For the most part everything works OK.

It is like the workstation has partially lost its connection to the domain.

Resolution: to resolve the problem I have been unjoining the computer from the domain and then joining it back again. This corrects the problem for the time being. However, it is happening randomly on my workstations and has happened more than once on a few of them. I need to determine what is causing this. Thanks for any help.

One more thing. It has happened to my system at least twice. My system is a laptop, and I take it offsite to other company offices. It seems to have happened to me after I return to the main office and boot up here. Not sure whether this matters.



Server 2019 - Bitlocker AD Backup works, but not for the DC itself


On a Server 2019 based AD with the BitLocker role installed on the DC, the recovery keys of all clients are successfully backed up to AD and are visible on the "BitLocker Recovery" tab in ADUC as well as in ADSIedit.

However, if I encrypt the DC itself, despite it showing "the recovery key was backed up to AD successfully", the key is not backed up; it's not in ADSIedit either, nor can it be retrieved using scripts.

This seems to be a dangerous bug, please try to reproduce this, Microsoft.

Steps to reproduce:

- install AD on Server 2019
- install the BitLocker role plus management tools
- on the DC itself, BitLocker-encrypt a test partition x:

manage-bde -on x: -used -pw -rp

- copy the recovery key protector ID that you see
- afterwards, use this command to back up the key to AD:

manage-bde -protectors -adbackup x: -id {84E151C1...yourID...7A62067A512}

Now verify whether you can find the key backed up to AD. It won't be there.
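The verification step above can be scripted against AD rather than clicked through in ADSIedit. The following PowerShell is an added example, not the poster's code or Microsoft's; it assumes the ActiveDirectory RSAT module and uses 'DC01' as a placeholder computer name. It deliberately reads only the protector and volume GUIDs, never the recovery password itself.

```powershell
# Added example (not from the original post): list the BitLocker recovery
# information objects stored under a computer account, so a "backed up
# successfully" message can be verified from the directory side.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryBackup {
    param([Parameter(Mandatory)] [string] $ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery keys are child objects of class msFVE-RecoveryInformation directly
    # under the computer object; the CN is the backup timestamp plus the GUID.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $computer.Name
                # Matches the "ID:" shown by manage-bde -protectors -get <drive>
                ProtectorId = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
                VolumeId    = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
                BackedUp    = $_.whenCreated
            }
        }
}

$backup = Get-BitLockerRecoveryBackup -ComputerName 'DC01'   # placeholder name
if (-not $backup) {
    Write-Warning 'No msFVE-RecoveryInformation objects found under the computer account.'
}
$backup | Format-Table -AutoSize
```

Compare ProtectorId with the numerical password protector ID that manage-bde reports for the volume; a match proves the backup landed, an empty result reproduces the problem described above.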



VPN user account locked; when we connect to the VPN we find this log in eventvwr, Event ID: 4692

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          25/01/2019 15:31:36
Event ID:      4692
Task Category: DPAPI Activity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      UNIQ-HO-LPT073.UNIQ.IN
Description:
Backup of data protection master key was attempted.

Subject:
    Security ID:        UNIQ\karabasappa.a
    Account Name:        karabasappa.a
    Account Domain:       UNIQ
    Logon ID:        0xC921AA

Key Information:
    Key Identifier:    6b6850a8-c244-4fea-80ae-972f85bac232
    Recovery Server:    
    Recovery Key ID:    

Status Information:
    Status Code:    0x5
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4692</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13314</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2019-01-25T10:01:36.024828700Z" />
    <EventRecordID>49661013</EventRecordID>
    <Correlation ActivityID="{2B6448F1-B185-0002-6F49-642B85B1D401}" />
    <Execution ProcessID="780" ThreadID="7236" />
    <Channel>Security</Channel>
    <Computer>UNIQ-HO-LPT073.UNIQ.IN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-337403582-449534165-17232905-4119</Data>
    <Data Name="SubjectUserName">karabasappa.a</Data>
    <Data Name="SubjectDomainName">UNIQ</Data>
    <Data Name="SubjectLogonId">0xc921aa</Data>
    <Data Name="MasterKeyId">6b6850a8-c244-4fea-80ae-972f85bac232</Data>
    <Data Name="RecoveryServer">
    </Data>
    <Data Name="RecoveryKeyId">
    </Data>
    <Data Name="FailureReason">0x5</Data>
  </EventData>
</Event>

Empty AD Groups


Hello,

Is there any risk in deleting empty AD security groups in your domain? We found several dozen groups with no members. The particular concern is how to be sure that deleting an empty group won't create any other problem: the group is empty, but how can we be sure it is not in use anywhere outside Active Directory, for example hard-coded into an application or program?


Regards, Aatif Kungle

Command Line to add permission on User object


Hello,

I would like to have a command line for giving Full permission on a user object; below is the screenshot where I would like to give one user permission over another user object.

I have a question about adding a security group to all computers on the domain...


The process by which we create new computers on our domain is:

Go to our policy-free OU, create a new PC name and then, on the same initial screen, click Change... and add a group under User or Group. This, for us, allows anyone in that group to manage that PC within AD.

Rather than manually adding a PC and adding the group, I am currently using MDT to join to our domain, but I want to auto-create the PC names as well, on the fly. I can do this, but I don't know how to add a GPO to automatically apply that specific group to the security properties of the PC.

For every single PC on our domain, if you look at the properties and choose Security, there is the group (because we've been manually adding it). I'd like, from the very top down, for that group to be part of the standard Security Group on every PC we have. I don't work in AD, so I don't know how to apply this, but I'm hoping for a reply that will work.

Certutil script


Hi folks,

Running Server 2016 R2 VMs hosting a three-tier CA; I need help putting together the certutil commands to:

 - Query the CA database

 - Locate all user cert objects associated with provided email address (A list of emails indicating owners of certificates to be revoked is provided daily.)

 - Revoke all certificates associated with a listed email address

 - Publish a base CRL for corresponding CA

 - Copy Base CRL to all CDP locations

Please let me know if more info is needed.

Thanks!

Forest Trust with multiple sites


Hi everyone,
Please give me some advice.

The situation

I have two forests separated by a firewall.
I need to set up a one-way trust from FOREST-A to FOREST-B.
FOREST-A is the resource forest where the web server resides - intranet-portal.contoso.com.
FOREST-B is the users forest.
Users from FOREST-B should be able to authenticate with the web server intranet-portal.contoso.com using Kerberos (SSO).

The question about the trust

Should all DCs from FOREST-A be able to communicate with all DCs from FOREST-B (see picture VARIANT-1, green arrows Ports(Trust))?
Or can I restrict communication to between DCs from SITE-A-1 and DCs from SITE-B-1 (see picture VARIANT-2, green arrows Ports(Trust))?


retrieving and writing to a container object with powershell


Hello,

I ran into an issue when I got the request to copy a description attribute from one container object to another container object.

The problem here is that the description string is very long and doesn't even get displayed correctly in Active Directory Users and Computers. The only place where the attribute gets displayed correctly is in adsiedit.msc.

When using

get-adobject -Identity "CN=PDP,CN=TestApplication,CN=Program Data,DC=contoso,DC=dir" -Properties Description -Server contoso.dir 

I only get one line of the multivalued Description attribute. However, when using dsquery it is possible to retrieve the whole string.


My issue now is that I see no possibility to write this string to a container object. I suppose it must be possible with dsmod, but there is no category "container" for dsmod, and PowerShell is giving me the following error when I try to place this string into the description.

Does someone maybe know a solution to my problem?


ADLDS Recycle bin feature


Hi Everyone,

We have an AD LDS instance running on Windows Server 2008 R2, and the forest functional level of the instance is Windows Server 2003 R2. We have an application that relies on this instance, and it has already extended the schema with the application's attributes. Initially ADsync was running; it is now stopped and accounts are created manually. Now we are planning to include the Recycle Bin feature on this instance. My query is: can we raise the forest functional level without upgrading the schema? I have read the article about enabling the Recycle Bin, which requires importing the .ldf files below, and I suspect this may conflict with the application attributes.

MS-ADAM-Upgrade-1 and MS-ADAM-Upgrade-2 

Thanks in advance

LDAP Authentication Issue


Hello

We have a third-party solution integrated with our Active Directory (Windows Server 2008) via LDAP. For certain users authentication is failing with the following message:

"User found in active directory, but the credentials of the user failed validation against Active Directory"

Kindly help me with the solution for this.

Thank You

Check empty attribute Active Directory


Hello,

I met a problem in my script which, at first view, is simple, but I don't understand the result. I need to check some attributes for all enabled users, and if those attributes are empty, my script has to return them to me.

Here it is :

Import-Module ActiveDirectory

Get-ADUser -Filter {info -notlike "*" -and Enabled -eq $true} -Properties info, name | Select name | foreach {
    Write-Host "$($_.name) n'a aucune valeur dans le champ info "
}

Get-ADUser -LDAPFilter "(&(!manager=*)(userAccountControl=512))" -Properties * | Select name | foreach {
    Write-Host "$($_.name) n'a aucune valeur dans le champ manager "
}

Get-ADUser -LDAPFilter "(&(!matriculeRH=*)(userAccountControl=512))" -Properties * | Select name | foreach {
    Write-Host "$($_.name) n'a aucune valeur dans le champ matriculeRH "
}

For the first one, the info attribute, it works just fine, but for the others it returns me only one user while there are a lot more with an empty attribute.

Thank you very much ! 
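The difference between the three queries above is the enabled-account test: `(userAccountControl=512)` is an exact match on the whole flag word, so any account carrying an extra flag (for example DONT_EXPIRE_PASSWORD, giving 66048) falls out of the result. The following PowerShell is an added example, not the poster's script; it tests only the ACCOUNTDISABLE bit with the LDAP bitwise-AND matching rule and assumes the ActiveDirectory RSAT module and the custom attribute name matriculeRH from the post.

```powershell
# Added example (not from the original post): report enabled users whose listed
# attributes are empty, using a bitwise test for "enabled" instead of an exact
# userAccountControl value.
Import-Module ActiveDirectory

function Get-EnabledUsersWithEmptyAttribute {
    param(
        [Parameter(Mandatory)] [string[]] $Attribute,
        [string] $SearchBase,      # optional OU to scope the query
        [string] $Server           # optional DC or domain to query
    )
    # Bit 0x2 (ACCOUNTDISABLE) marks a disabled account. The matching rule
    # 1.2.840.113556.1.4.803 is a bitwise AND, so this clause is true for every
    # enabled account regardless of the other flags set in userAccountControl.
    $enabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

    foreach ($attr in $Attribute) {
        # (!(attr=*)) matches objects where the attribute has no value at all.
        $filter = "(&(objectCategory=person)(objectClass=user)$enabled(!($attr=*)))"
        $params = @{ LDAPFilter = $filter }      # no -Properties *: only defaults are needed
        if ($SearchBase) { $params.SearchBase = $SearchBase }
        if ($Server)     { $params.Server = $Server }

        Get-ADUser @params | ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                SamAccountName = $_.SamAccountName
                EmptyAttribute = $attr
            }
        }
    }
}

# One row per (user, empty attribute) pair; pipe to Export-Csv for a report.
Get-EnabledUsersWithEmptyAttribute -Attribute 'info', 'manager', 'matriculeRH' |
    Sort-Object EmptyAttribute, Name | Format-Table -AutoSize
```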

Would activating the Recycle Bin really lead to more replication traffic?


Hello,

in https://www.beyondtrust.com/blog/entry/windows-server-2008-r2-recycle-bin the author states (among other things):

1) Deleted objects are no longer stripped of the majority of their attributes, so the AD database (DIT) size will increase.
2) These larger deleted objects are also replicated to every DC, so there will be an increase in replication traffic.

Point 1 is clear: Yeah, ntds.dit size will increase. 
But point 2?

I thought that when I delete an object on one domain controller, then the other DCs of the same domain just get the info "This object has been deleted" and delete the object in their database, but they do not get the whole AD object through replication.
Therefore I think the replication traffic would not increase.

Am I right?

Thanks

Walter

Disabled Users Script


Does anyone know a PowerShell script that can go through AD and find all disabled user accounts and also output details like City and OU to a .csv? I have searched all over and cannot find a script like this. Any help is greatly appreciated.

Thanks.


Chad Guiney
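The following PowerShell is an added example, not code from the original post: it exports every disabled user with City, parent OU and a few hygiene fields to CSV. It assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original post): report disabled user accounts with
# their City and parent OU, plus the dates that tell you how stale they are.
Import-Module ActiveDirectory

function Get-DisabledUserReport {
    param(
        [string] $SearchBase,   # optional: restrict to an OU
        [string] $Server        # optional: DC or domain to query
    )
    $params = @{
        Filter     = 'Enabled -eq $false'
        Properties = 'City', 'Description', 'LastLogonDate', 'whenChanged'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    if ($Server)     { $params.Server = $Server }

    Get-ADUser @params | ForEach-Object {
        # The parent OU is the DN with its first RDN removed. Split on the first
        # comma that is not escaped, so a CN containing "\," stays intact.
        $ou = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Name           = $_.Name
            City           = $_.City
            OU             = $ou
            LastLogonDate  = $_.LastLogonDate   # replicated only every 9-14 days
            LastChanged    = $_.whenChanged
            Description    = $_.Description
        }
    }
}

Get-DisabledUserReport | Sort-Object OU, Name |
    Export-Csv -Path .\DisabledUsers.csv -NoTypeInformation -Encoding UTF8
```

Sorting by OU shows at a glance whether disabled accounts are being parked in a dedicated OU or left in place among active users.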
