Channel: Directory Services forum

Renew subordinate CA certificate


Hello,

I want to renew the CA certificate of my sub CA. When I right-click the issuing CA and choose "Renew CA Certificate", I choose not to change the private key. After this, the CA services restart, but I'm not able to select whether I want to request online or offline.

Any ideas?


Error "the account must added to the allowed list for this RODC" while pre-populating user data to RODC


Hi All,

I am using Server 2012 R2 for both the primary DC and the RODC. I am getting the error below ("the account must added to the allowed list for this RODC") while pre-populating a user created on the primary DC to the RODC. I have already added these new users to the "Allowed RODC Password Replication Group" and ran gpupdate /force on both DCs, but I am still not able to log in with the new users on the RODC server.

Also, I would like to know whether my understanding is correct. Once the newly created users' passwords on the primary DC are pre-populated, I will be able to log in as those users via the RODC while the primary DC is not working. Is this correct behaviour?

I am facing this issue for some time now.



How to manually remove a duplicate TRUST_ACCOUNT from active directory?


Hi,

I have a user account in my AD which is a TRUST_ACCOUNT and is also a duplicate; I mean it has a DN of the form:

CN={DomainName}$\0ACNF:{GUID},CN=Users,DC=XXXXXX,DC=com

How can I remove this object?

I tried to generate a fake trust and remove the trust (described here: https://www.privalnetworx.de/active-directory-interdomain-trust-account-phantom), but that could not delete the object.

I get this error:

ldap_delete_s(ld, "CN={DomainName},CN=Users,DC=XXXXXX,DC=com");
Error: Delete: Insufficient Rights. <50>
Server error: 00000005: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Error 0x5 Access is denied.

Microsoft DNS TTL Setting


Dear Team,

I have a Microsoft DNS server installed on Windows 2008 R2 SP1, in the DMZ, for all my company's systems.

The default TTL for all forward zones is 24 hours (1 day). How can I change the default TTL to 2 hours?

Question 2: I have tried to reduce the TTL for individual forward zones to 2 hours through the SOA tab (both "Minimum (default) TTL" and "TTL for this record"), but it gets reset to the default overnight.

Kindly suggest.

Thanks in advance.

Custom Attributes in AD


I have created a custom attribute in AD. It is visible in the user properties, but when running PowerShell to create a new user, the custom attribute is not usable.

The create-user script is attached; the custom attribute name is libraryCardNumber. The error I get is:
New-ADUser : A parameter cannot be found that matches parameter name 'libraryCardNumber'.

Searching other forums, I have found that maybe a custom attribute cannot be used as it isn't a default AD attribute.

Any help would be appreciated.

param (
    [Parameter(ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$FirstName = 'attribute',

    [Parameter(ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$LastName = 'edit15',

    [Parameter(ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$libraryCardNumber = '123456',

    [Parameter(ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$Email = 'fbcl@coolin.co.uk',

    [Parameter(ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$MobilePhone = '',

    [Parameter()]
    [ValidateNotNullOrEmpty()]
    [string]$Department = 'Public Users',

    [Parameter(ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$PostalCode = 'n10 1aq',

    [Parameter(ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$DateofBirth = 'Adult',

    [Parameter(ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$Location = 'OU=fbcl-users',

    [Parameter()]
    [ValidateNotNullOrEmpty()]
    [string]$DefaultGroup = 'PublicUsers',

    [Parameter(ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$Password = 'Pa$$w0rd',

    [Parameter()]
    [ValidateScript({ Test-Path -Path $_ })]
    [string]$BaseHomeFolderPath = ''
)

Import-Module ActiveDirectory

## Find the distinguished name of the domain the current computer is a part of.
$DomainDn = (Get-ADDomain).DistinguishedName

## Define the 'standard' username (first name, a dot, last name).
$Username = "$FirstName.$LastName"

#region Check if an existing user already has the username taken
Write-Verbose -Message "Checking if [$Username] is available"
if (Get-ADUser -Filter "Name -eq '$Username'") {
    Write-Warning -Message "The username [$Username] is not available. Checking alternate..."
    ## If so, fall back to first initial + last name.
    $Username = "$($FirstName.SubString(0, 1))$LastName"
    if (Get-ADUser -Filter "Name -eq '$Username'") {
        throw "No acceptable username schema could be created"
    }
    Write-Verbose -Message "The alternate username [$Username] is available."
}
else {
    Write-Verbose -Message "The username [$Username] is available"
}
#endregion

#region Ensure the OU the user's going into exists
$ouDN = "$Location,$DomainDn"
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
    throw "The user OU [$ouDN] does not exist. Can't add a user there"
}
#endregion

#region Ensure the group the user's going into exists
if (-not (Get-ADGroup -Filter "Name -eq '$DefaultGroup'")) {
    throw "The group [$DefaultGroup] does not exist. Can't add the user into this group."
}
#endregion

#region Ensure the home folder to create doesn't already exist
$homeFolderPath = "$BaseHomeFolderPath$Username"
if (Test-Path -Path $homeFolderPath) {
    throw "The home folder path [$homeFolderPath] already exists."
}
#endregion

#region Create the new user
$NewUserParams = @{
    'UserPrincipalName'     = $Username
    'Name'                  = $Username
    'GivenName'             = $FirstName
    'Surname'               = $LastName
    'libraryCardNumber'     = $libraryCardNumber   # custom schema attribute; this key produces the error quoted above
    'EmailAddress'          = $Email
    'MobilePhone'           = $MobilePhone
    'Department'            = $DefaultGroup
    'Description'           = $DateofBirth
    'SamAccountName'        = $Username
    'AccountPassword'       = (ConvertTo-SecureString $Password -AsPlainText -Force)
    'Enabled'               = $true
    'postalCode'            = $PostalCode
    'Path'                  = $ouDN
    'ChangePasswordAtLogon' = $false
}
Write-Verbose -Message "Creating the new user account [$Username] in OU [$ouDN]"
New-ADUser @NewUserParams
#endregion

#region Add user to groups
Write-Verbose -Message "Adding the user account [$Username] to the group [$DefaultGroup]"
Add-ADGroupMember -Members $Username -Identity $DefaultGroup
#endregion

#region Add user to roaming profile list
Set-ADUser -Identity $Username -ProfilePath '\\FBCL2019-DC01\profiles\%username%'
#endregion

#region Set protect from accidental deletion on the new user object
## Set-ADObject needs a DN or GUID, not a plain name, so resolve the user first.
Get-ADUser -Identity $Username | Set-ADObject -ProtectedFromAccidentalDeletion $true
#endregion

if ($Host.Name -eq 'ConsoleHost') {
    Write-Host "-------------------------------------------------------------------------"
    Write-Host "The new user was added successfully."
    Write-Host "Please press any key to continue..."
    $null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyUp')
}

#region Create the home folder (disabled)
#Write-Verbose -Message "Creating the home folder [$homeFolderPath]..."
#$null = mkdir $homeFolderPath
#endregion

Colin Thomson
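One way to write a schema-extension attribute that New-ADUser has no named parameter for, added here as an example (not code from the post above): the function first confirms the attribute's lDAPDisplayName exists in the forest schema, then passes it through -OtherAttributes, which takes any attribute keyed by lDAPDisplayName. The OU and attribute name are assumptions taken from the post's defaults; the domain's DNS name is used as the UPN suffix.

```powershell
# Added example: create a user whose custom schema attribute is set through
# -OtherAttributes, because New-ADUser only exposes named parameters for
# well-known attributes. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-ADSchemaAttribute {
    # Returns $true when an attributeSchema object with this lDAPDisplayName exists.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    return [bool]$attr
}

function New-LibraryUser {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$LibraryCardNumber,
        [Parameter(Mandatory)][securestring]$AccountPassword,
        # Assumed OU (from the post's default) under the current domain.
        [string]$OuPath = "OU=fbcl-users,$((Get-ADDomain).DistinguishedName)",
        # Assumed lDAPDisplayName of the custom attribute.
        [string]$CustomAttribute = 'libraryCardNumber'
    )
    if (-not (Test-ADSchemaAttribute -LdapDisplayName $CustomAttribute)) {
        throw "Attribute '$CustomAttribute' is not defined in the schema; check its lDAPDisplayName."
    }
    $sam = "$FirstName.$LastName"
    $upnSuffix = (Get-ADDomain).DNSRoot
    $params = @{
        Name              = $sam
        SamAccountName    = $sam
        UserPrincipalName = "$sam@$upnSuffix"
        GivenName         = $FirstName
        Surname           = $LastName
        Path              = $OuPath
        AccountPassword   = $AccountPassword
        Enabled           = $true
        # Custom attributes go here, keyed by lDAPDisplayName.
        OtherAttributes   = @{ $CustomAttribute = $LibraryCardNumber }
    }
    New-ADUser @params -PassThru
}

# Create the user, then read the attribute back: it is not in the default
# property set, so it must be requested explicitly with -Properties.
$user = New-LibraryUser -FirstName 'attribute' -LastName 'edit15' -LibraryCardNumber '123456' `
    -AccountPassword (Read-Host -AsSecureString 'Initial password')
Get-ADUser -Identity $user.SamAccountName -Properties libraryCardNumber |
    Select-Object SamAccountName, libraryCardNumber
```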



Change Domain Controller IP address and Host name with Old demoted Domain controller.


Hello Team,

I would like to know whether it is advisable to use the old demoted DC's IP address and host name for the newly promoted domain controller.

And if it is, what is the best practice for doing it, with a guide?

Both the demoted and the new DC have the same OS, Server 2012.

Please advise on this.

Thanks & Regards,

Sapan Shah


ADMT migration

Hello everyone, I would like to ask about the ADMT migration tool: what changes for user and computer SIDs in the domain?

Run an app with admin's right


Hi. I have an app on my client's system that needs admin rights to start. I know that I can use RunAs, but I'm looking for another way in Windows 10. I've also tried Task Scheduler and creating a shortcut, but they didn't work.

Thanks a lot. :)


This server is the owner of the following FSMO role, but does not consider it valid


Hi,

What is this error I am getting on the server? I did demote the server; all FSMO roles are currently mapped to this server only, so why am I still getting this error?

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: DC=ad,DC=Contoso,DC=com

User Action:

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

Thanks & Regards, D.Nithyananthan.

Configure detailed Auditing in AD 2016


Hi,

Please help me understand the use case for the logs below. If we enable these logs, will my domain controller face any performance issues?

Will enabling these consume more space on the C: drive?

Configure Auditing for Account Management: Computer Account Management
Configure Auditing for Account Management: Other Account Management
Configure Auditing for Account Management: Security Group Management
Configure Auditing for Detailed Tracking: Audit PNP Activity
Configure Auditing for Detailed Tracking: Audit Process Creation
Configure Auditing for DS Access: Audit Directory Service Access
Configure Auditing for DS Access: Audit Directory Service Changes
Configure Auditing for Logon-Logoff: Audit Account Lockout
Configure Auditing for Logon-Logoff: Audit Group Membership
Configure Auditing for Logon-Logoff: Audit Special Logon
Configure Auditing for Object Access: Audit Detailed File Share
Configure Auditing for Object Access: Audit File Share
Configure Auditing for Object Access: Removable Storage
Configure Auditing for Policy Change: Authentication Policy Change
Configure Auditing for Policy Change: Other Policy Change Events
Configure Auditing for Privilege Use: Audit Sensitive Privilege Use
Configure Auditing for System: Audit System Integrity
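A defender-side check to size the Security log before enabling more subcategories, added here as an example (not from the post): it reports the log's configured maximum and current fill, the busiest event IDs over the last 24 hours, and the current state of each subcategory listed above via auditpol. Of the listed subcategories, Directory Service Access (event 4662) and Detailed File Share (event 5145) are usually the highest-volume on a domain controller, and disk use stays bounded by the log's maximum size unless archiving (AutoBackup) is enabled.

```powershell
# Added example: measure what the Security log is already absorbing before
# turning on more subcategories. Run on the DC as an administrator.
function Get-SecurityLogCapacity {
    # Configured maximum, current file size, record count and retention mode.
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        FileSizeMB    = [math]::Round($log.FileSize / 1MB, 1)
        RecordCount   = $log.RecordCount
        LogMode       = $log.LogMode      # Circular = overwrite, AutoBackup = archive to disk
        OldestRecord  = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated
    }
}

function Get-SecurityEventRate {
    # Events per hour by event ID over the last N hours, largest producers first.
    param([int]$Hours = 24, [int]$Top = 15)
    $start = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $start } -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property @{ n = 'EventId'; e = { $_.Name } },
            Count,
            @{ n = 'PerHour'; e = { [math]::Round($_.Count / $Hours, 1) } }
}

# Effective audit policy for the subcategories named in the post
# (auditpol subcategory names, not the GPO setting names).
$subcategories = 'Computer Account Management', 'Other Account Management Events',
    'Security Group Management', 'Plug and Play Events', 'Process Creation',
    'Directory Service Access', 'Directory Service Changes', 'Account Lockout',
    'Group Membership', 'Special Logon', 'Detailed File Share', 'File Share',
    'Removable Storage', 'Authentication Policy Change', 'Other Policy Change Events',
    'Sensitive Privilege Use', 'System Integrity'
foreach ($s in $subcategories) { auditpol /get /subcategory:"$s" }

Get-SecurityLogCapacity
Get-SecurityEventRate -Hours 24
```

Re-run Get-SecurityEventRate a day after enabling a subcategory to see which event IDs it added and at what rate.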

Command Line to add permission on User object


Hello,

I would like to have a command line for giving full permission on a user object. Below is the screenshot where I would like to give one user permission over another user object.

retrieving and writing to a container object with powershell


Hello,

I ran into an issue when I got the request to copy a description attribute from one container object to another container object.

The problem is that the description string is very long and doesn't even get displayed correctly in Active Directory Users and Computers. The only place where the attribute is displayed correctly is adsiedit.msc.

When using

get-adobject -Identity "CN=PDP,CN=TestApplication,CN=Program Data,DC=contoso,DC=dir" -Properties Description -Server contoso.dir 

I only get one line of the multi-valued Description attribute. However, when using dsquery, it is possible to retrieve the whole string.


My issue now is that I see no way to write this string to a container object. I supposed it must be possible with dsmod, but there is no "container" category for dsmod. And PowerShell gives me the following error when I try to put this string into the description:

Does someone maybe know a solution to my problem?
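One way to copy every value of a multi-valued description between two container objects with the ActiveDirectory module, added here as an example (not the poster's code). The description attribute is multi-valued in the schema, so Get-ADObject returns all of its values as a collection and Set-ADObject -Replace with an array writes them all back. The server name is taken from the post; the two DNs are placeholders.

```powershell
# Added example: copy all values of the multi-valued 'description' attribute
# from one container object to another and verify the result.
Import-Module ActiveDirectory

function Copy-ADContainerDescription {
    param(
        [Parameter(Mandatory)][string]$SourceDN,
        [Parameter(Mandatory)][string]$TargetDN,
        [string]$Server = 'contoso.dir'   # taken from the post
    )
    $src = Get-ADObject -Identity $SourceDN -Properties description -Server $Server
    # .description is an ADPropertyValueCollection; @() forces an array even for one value.
    $values = @($src.description)
    if ($values.Count -eq 0) { throw "No description values on $SourceDN" }

    # -Replace takes a hashtable; an array value becomes a multi-valued write.
    Set-ADObject -Identity $TargetDN -Replace @{ description = $values } -Server $Server

    # Read the target back and compare the two value sets.
    $dst  = Get-ADObject -Identity $TargetDN -Properties description -Server $Server
    $diff = Compare-Object -ReferenceObject $values -DifferenceObject @($dst.description)
    [pscustomobject]@{
        ValuesCopied = $values.Count
        LongestValue = ($values | Measure-Object -Property Length -Maximum).Maximum
        Identical    = ($null -eq $diff)
    }
}

# Placeholder DNs; replace with the real source and target containers.
Copy-ADContainerDescription `
    -SourceDN 'CN=PDP,CN=TestApplication,CN=Program Data,DC=contoso,DC=dir' `
    -TargetDN 'CN=PDP,CN=OtherApplication,CN=Program Data,DC=contoso,DC=dir'

# To see every value in the console instead of a truncated line:
# (Get-ADObject -Identity $TargetDN -Properties description).description | ForEach-Object { $_ }
```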

getting below error while restoring AD user from ldap.exe


I don't know why I am getting this error; I am unable to restore the user.

user is lab06

cn=users

dc=lab dc=com

Can someone help with this? Please help.

GPO - Minimum password length = 15 not applying


Hello,

I'm having trouble applying a minimum password length of 15 characters to my Windows 2016 domain servers.

The domain controllers are on 2012 R2.

Details:

Default Domain GPO: sets the password length to 14 characters (for 2008 and 2012 domain servers) -> working fine.

GPO for 2k16 servers: I tried to set the setting in two different ways:

-> manually updating the GPTTMPL.inf file to set 15 characters for the 2016 GPO

-> launching GPMC.MSC on a Windows 2016 server and modifying the value in the GPO to 15 characters.

Both ways, when I ran gpupdate /force on my 2016 servers, it can't apply the 15-character setting:

The problem seems to be that GPO_2k16 can't replace the Default Domain Policy's minimum password length with 15 characters.

Error in the event log: 0x57: The parameter is incorrect. Troubleshooting 1202 events.

How do I deal with such a case?

I need the 2008 and 2012 servers to have a minimum password length of 14 characters, and the 2016 servers 15 characters.

Some more logs (winlogon.log) :


----Configure Security Policy...
        Start processing undo values for 7 settings.
        There is already an undo value for group policy setting <MinimumPasswordLength>.
        There is already an undo value for group policy setting <PasswordHistorySize>.
        There is already an undo value for group policy setting <MaximumPasswordAge>.
        There is already an undo value for group policy setting <MinimumPasswordAge>.
        There is already an undo value for group policy setting <PasswordComplexity>.
        There is already an undo value for group policy setting <RequireLogonToChangePassword>.
        There is already an undo value for group policy setting <ClearTextPassword>.
Error 87: The parameter is incorrect.
     Error configuring password information.
        Start processing undo values for 3 settings.
        There is already an undo value for group policy setting <LockoutBadCount>.
        There is already an undo value for group policy setting <ResetLockoutCount>.
        There is already an undo value for group policy setting <LockoutDuration>.
        There is already an undo value for group policy setting <ForceLogoffWhenHourExpire>.
    Configure account force logoff information.

Access to Active Directory without being logged on a domain ?

Hello,

I'm an industrial vision software engineer, and a customer asked us to add a feature to some of our software, running on Win7 and Win10 computers.

This feature requires that the software be able to request the Active Directory groups of a given user (identified by their login), even if the request is sent from a computer that is off the domain.

I'm basically an industrial software engineer, so familiar with sensors, data and processing, but not so comfortable with network management and related Windows tools.

I have tried some samples and command lines (like "net localgroup", etc.), but AFAIK they only work on a computer logged onto a domain.

Is there a workaround or other solution to achieve this?


Thanks for any suggestion.

Claude
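One way to look up a user's AD groups from a computer that is not domain-joined, added here as an example (not the poster's code): bind to a domain controller over LDAPS with an explicit, read-only account, find the user's DN, then ask for every group containing that DN transitively using AD's LDAP_MATCHING_RULE_IN_CHAIN matching rule, so nested groups come back in a single query. The DC name, domain DN and account are assumptions; the client must trust the DC's TLS certificate and be able to reach port 636.

```powershell
# Added example: resolve a user's AD groups (nested included) from an
# off-domain Windows host using System.DirectoryServices and explicit credentials.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value (backslash first).
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ADUserGroupsOffDomain {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][pscredential]$Credential,   # read-only account, DOMAIN\user form
        # Assumed DC and domain; LDAPS on 636 keeps the bind and the query off the wire in clear.
        [string]$LdapPath = 'LDAP://dc01.contoso.example:636/DC=contoso,DC=example'
    )
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList `
        $LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password, $auth

    # Step 1: find the user's distinguished name.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $user = $searcher.FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found" }
    $userDn = [string]$user.Properties['distinguishedname'][0]   # result keys are lower-case

    # Step 2: one query for every group the user belongs to, transitively.
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN.
    $searcher.Filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn)))"
    $searcher.PropertiesToLoad.Clear()
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))
    $searcher.PageSize = 500   # paged results, in case the user is in more than 1000 groups
    foreach ($g in $searcher.FindAll()) {
        [pscustomobject]@{
            Group = [string]$g.Properties['samaccountname'][0]
            DN    = [string]$g.Properties['distinguishedname'][0]
        }
    }
}

# Usage: prompt for the read-only account, then list the groups of a given login.
$cred = Get-Credential -Message 'Read-only AD account (DOMAIN\user)'
Get-ADUserGroupsOffDomain -SamAccountName 'jdoe' -Credential $cred | Sort-Object Group
```

The account used for the bind only needs the default read access every authenticated user has; do not reuse an administrative account for it.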



Deploying LAPS in broken Forest


Hi there, we have implemented LAPS successfully in a single-domain TEST environment, but have had issues when deploying to a forest.

I believe this is due to replication not working between the sub-domain and the root. Replication between DCs within the domain is fine.

So, back to LAPS: I can see the entries for ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime within the root and wondered if these could be exported and imported using ldifde.

Initial attempts to import give the following errors:

An error has occurred in the program
dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,Add error on entry starting on line 1: Unwilling To Perform

The server side error is: 0x20e7 The modification was not permitted for security reasons.
The extended server error is:
000020E7: SvcErr: DSID-03152D2E, problem 5003 (WILL_NOT_PERFORM), data 0

The exported LDIF file (domain names removed):

dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=<root>,DC=<com>
changetype: add
objectClass: top
objectClass: attributeSchema
cn: ms-Mcs-AdmPwd
distinguishedName: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=<root>,DC=<com>
instanceType: 4
whenCreated: 20190821125635.0Z
whenChanged: 20190821125635.0Z
uSNCreated: 61915468
attributeID: 
 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
attributeSyntax: 2.5.5.5
isSingleValued: TRUE
uSNChanged: 61915468
showInAdvancedViewOnly: FALSE
adminDisplayName: ms-Mcs-AdmPwd
oMSyntax: 19
searchFlags: 904
lDAPDisplayName: ms-Mcs-AdmPwd
name: ms-Mcs-AdmPwd
objectGUID:: AaDqLmaexECT9ZzLgHJgkQ==
schemaIDGUID:: RXApA6jLI0OCu6BG7YcuzA==
systemOnly: FALSE
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=<root>,DC=<com>m
dSCorePropagationData: 16010101000000.0Z
msDS-IntId: -1745476022

So, obviously, repair replication (not going to be easy), but if anyone could shed some light on importing the objects, it would be appreciated.

Thanks


Certutil script


Hi folks,

Running Server 2016 R2 VMs hosting a three-tier CA and need help putting together the certutil commands to:

 - Query the CA database

 - Locate all user certificate objects associated with a provided email address (a list of emails indicating owners of certificates to be revoked is provided daily)

 - Revoke all certificates associated with a listed email address

 - Publish a base CRL for the corresponding CA

 - Copy the base CRL to all CDP locations

Please let me know if more info is needed.

Thanks!

Can AdminCount be set to 1 on any accounts in Active Directory

Can AdminCount be set to 1 on any accounts to protect them, even if they are not members of any privileged groups?

Guru

LDAP Authentication Issue


Hello

We have a third-party solution integrated with our Active Directory (Windows Server 2008) via LDAP. For certain users, authentication is failing with the following message:

"User found in active directory, but the credentials of the user failed validation against Active Directory"

Kindly help me with the solution for this.

Thank You

Need help renew domain controller authentication certificate.

Need help renew domain controller authentication certificate. 