Channel: Directory Services forum

EFS - HowTo Recover a file with DRA (Data Recovery Agent)


Hello. Please, I need your help to learn how to decrypt files using DRA certificate. I did these steps:

- I created a Data Recovery Agent Certificate using cipher.exe /r:<filename> in my domain controller logged in as "administrator".
- I added in the default domain policy the Data Recovery Agent using the new certificate.
- I ran gpupdate /force in my client.
- I encrypted a text file (just the file not the folder).
- In the file advanced details, after the encryption, I can see the correct thumbprint of the DRA in the "Recovery certificates for this file" (the thumbprint that I see matches the thumbprint of the certificate I generated in the first step).

From here, what am I supposed to do to recover the file using the DRA certificate?

I tried to:
- Log in to a client as user
- ran MMC.exe as mydomain\administrator (runas.exe) and I imported the DRA .pfx in the user (administrator) personal store
- ran cmd.exe as mydomain\administrator and ran cipher.exe /d <filename> to try to decrypt the file: ERR "Access denied"
- tried also to log in interactively to the client using mydomain\administrator and repeat the above steps, but the same thing happens.

What's wrong in my procedure please?

Thank you very much.


Francesco B.



User profile domain


Hi,

Wanted to know how to get the logon user's domain. So suppose there is a multidomain structure with a two-way trust. If a user is logging into another domain, how do we get the details of the user and which domain he/she belongs to?

Thanks,

Biswajeet

GPO to assign security group to have Admin privilege - Server 2016


Hi IT Experts,

My objective is to delegate full local admin privilege to the IT support team, but at the same time they should be denied access to all the servers, either directly or remotely.

To accomplish this task, I created one security group and deployed the policy. While testing, I found that the members of this security group have admin privilege on all the PCs, but at the same time they also have remote access to all the servers, but not to the domain.

My question is how to completely restrict remote access to any servers for the same security group.

TIA



Do you want to be acknowledged as the next Windows Server Directory Services Guru? Submit your work to November 2019 competition!


What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in November 2019 and must be in English. However, the original blog or forum content can be from before November 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: Above top banner came from Kamlesh Kumar.

Thanks,
Kamlesh Kumar

If my reply is helpful please mark as Answer or vote as Helpful.




Thanks,
Sabah Shariq

[If a post helps to resolve your issue, please click the "Mark as Answer" of that post or click Answered "Vote as helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]


Average user login able to access two different domains


Hello,

I have two stores and I've been asked to move a user to another store but keep her login, Exchange account, phone ext., etc. I'll try to describe this the best way I can. Bear with me.

Store 1 is parent domain and Company A, it has the global catalog and everything routes through this domain. 

Store 2 is the child domain if you will, Company B, it is within Store 1's umbrella. 

The user is at Store 2 currently and is an average user. She makes/takes phone calls and uses web-based applications. For all intents and purposes she would be a Company B user operating at Company A. Without making her some level of admin, how is this done without replication issues? I guess I won't worry about the phone stuff until I have my head wrapped around her login access.

I could add her as a new user at Store 1 without an exchange account and then get into the mailflow settings and link her exchange account from Store 2. Copy her Company B files and transfer them to her Company A's folders.

Thoughts? Am I on the right track? Not sure why they decided to make this move on a Friday *angry face*

Server2016 

Is Microsoft Windows Server 2012 R2 compatible with Windows 10 clients?


Hello

Is Microsoft Windows Server 2012 R2 compatible with Windows 10 clients?

My problem is especially about Software Policies: I can't make a .exe file run without asking for the administrator password.

On a few remaining very old XP's it's working but on the new Win 10's is not.

My Software policy is: "Software will not run, regardless of the access rights of the user." and then I allow specific apps to run from "Additional rules"

Thank you.

Hard disk error

Hi all,

I'm promoting a Server 2012 R2 Domain Controller. During the prerequisites check, it returns the error "Verification of prerequisites for Domain Controller promotion failed. The folder U:\windows\ntds does not refer to a valid hard disk. Select a folder on a hard disk drive".

If I set the path to the C: drive it works just fine. My U: drive is in NTFS format, attached from a LUN. Is there any requirement in terms of HD type/format?

Using Group policy to deploy the Hardening policies to all client


Hi all,

We have CIS benchmark Windows OS hardening documents. Now we are manually applying all the hardening policies to all client machines one by one; this way it is taking too long to achieve our goal. Manual hardening takes around 5 to 6 hours, and we have around 4000 machines.

Now we want to deploy all the hardening policies to all the domain clients by using a GPO or any scripts to achieve our goal quickly. Is there any possible way to solve this? Kindly advise me on this issue. Awaiting your positive responses.

Thanks,

Lee


Sysvol folder is not replicated after server migration


Consider my scenario: I have 3 servers (physical machines, Dell PowerEdge 730).

1. Server A is Windows Server 2012 R2 Standard - PDC

2. Server B is Windows Server 2012 R2 Standard - BDC

3. Server C is a newly deployed Server 2016 Standard server; no roles are installed

Server A holds all FSMO roles. The 3 are connected to the same LAN segment; no firewall is located in between.

We migrated server A to C and followed the guide below:

http://www.rebeladmin.com/2016/10/step-step-guide-migrate-active-directory-fsmo-roles-windows-server-2012-r2-windows-server-2016/

After the migration, all users, groups and FSMO roles were migrated successfully, but the SYSVOL folder and NETLOGON are not replicated. Why? Does anything need to be changed?

Listing all groups in AD containing a given string


I want to find all AD groups containing the word "prgm". I tried right-clicking the domain name, "Find..." , tested various combinations such as "prgm", "*prgm*" but incorrect results were returned.

Can this task be done using the AD User and Computer interface tools? (If not, how then?)

TIA,

edm2

Unable to start CA-Services after migration (Current log file missing 0xc8000210 (ESE: -528 JET_errMissingLogFile))


Hello everybody!

I'm currently trying to migrate our Root Certification Authority (CA) from Windows Server 2008 (x86) to Windows Server 2016 (x64). I followed the migration guide under https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/ for the main steps.
Both old and new CA-Server will be standalone CA-Servers in our domain and will have different hostnames (the CA-Name will stay the same of course).

The migration process works without any error messages. The CA-Service starts without any problems before restoring the CA-Backup.
But as soon as I restore the CA-Backup and try to start the CA-Services again, I receive the following error message:

"Current log file missing 0xc8000210 (ESE: -528 JET_errMissingLogFile)"

The service won't start anymore. The eventlog shows similar error messages.

I made a procmon-trace to analyse which files the certsrv.exe is looking for and found out that it's looking for "edb,chk", "edb.jcp" and "edbtmp.log" in the CA-data-folder. Those files are not there (and I don't know why, as I only restored the previously created CA-backup).

Any hints? :)

Thank you!!

Slow Domain Computer Logon - 2 to 5 Minute Hang On Welcome Screen


We've got a mix of people who are and are not experiencing this issue currently.

I've turned on verbose messages to figure out what process is causing it to hang, but when I turned it on, it simply showed Welcome for 4 minutes and then when it loaded the profile/GPO/etc. everything went through about as fast as you would normally expect. I'm not sure what could be causing the hang at "Welcome" but I wanted to ask what things I could try to potentially log what exactly is happening at that point in time or potentially known issues. All computers experiencing the issue are on Windows 10 and there is a bit of a mix of OS versions, but mostly this is seen happening on OS 17134.

So far we've tried removing profile paths and resetting the IP stack/DNS. I tried to get the log in Event Viewer -> Applications and Services Logs, Microsoft, Windows, Diagnostics-Performance to show something, but it hasn't recorded any events. I'm not positive on how to set it up differently than the default, however. I read that it dealt with regedit and this path -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\ but I have no idea what each of these would actually do unfortunately.

I also have the performance tools from the SDK installed, but I'm not sure how to interpret the information it has given.

Any help with this is greatly appreciated.

Should raise the functional level to Windows 2016 or Windows 2019


Hi,

We have completed the upgrade of all our domain controllers in one of our forests to Windows 2019.

The current functional level is Windows 2008 R2. Should we raise it to 2016 or 2019?

Migrate 2008 R2 (Hybrid Exchange 365 / 2010 corpname.com) Domain1 (asdf.com) to 2019 (Exchange 365 corpname.com) Domain2 (corpname.com)


I need to upgrade our Domain and our current domain name is not our corporate domain name due to legacy situation at time of creation and long before I was here. The plan is to create a new 2019 domain, create a full trust and migrate to it using the corporate domain name.

I have read up on making the migration using ADMT, but I want to make sure there isn't anything that could pose a problem I'm not aware of since our current domain is in a hybrid state using the corporate domain as our email domain. So while our current AD domain name is asdf.com our email domain name is corpname.com and is a hybrid Exchange 2010 / Office 365 configuration.

For one thing, currently we cannot use our UPN to log into our domain since it is different than our public/email domain name. When I migrate to the new Domain I am hoping I can seamlessly begin having them log in with their UPN.

 

I am hoping I can do the following:

Create new corp domain

Create Full Trust

Migrate Users to new Domain

Migrate User Computer accounts to new Domain

Migrate Servers to new Domain

Configure LDAP Authenticating devices to new Domain.

Break Full Trust

Disable Hybrid Exchange environment.

Decommission old Domain



- LZ

Active Directory Site Without Domain Controllers


We have a remote site with only 6 computers, connected via site-to-site VPN.  We decided we won't put a DC in this location--users will have to authenticate over the VPN.  Even though we don't have DC's at this site, we still want group policies to apply just to this one location.

Question: is it reasonable/responsible to create an Active Directory site for this remote office, that will have no DCs, yet still apply group policies to this office at the site level using the site node in group policy management console?  Any reason why that wouldn't work?


Recommended NTFS permissions for Home folders - Windows 2016


Hi,

What are the recommended NTFS permissions from user home drives when you want to automate their creation from the Profile tab of each user account in AD?  I dug around and tried some of the older recommendations but I am getting odd results.

Here is what I have done and the results:
Windows Server 2016
Created folder = Home
Shared folder as Home and share permissions Everyone = Full Control

NTFS Permissions on Home

SYSTEM
Full Control
This folder, subfolders and files

Company_Home_Admins
Full Control
This folder, subfolders and files

CREATOR OWNER
Special
All permissions EXCEPT Change permissions, Take ownership
Subfolders and files only

Authenticated Users
Special
Traverse folder/execute file, List folder/read data, Read attributes, Create folders/append data
This folder only

Then on my AD user account, I go to the Profile tab, and set the Home folder path to:
\\file_server\Home\%username%
Click OK
As expected it changes the path to:
\\file_server\Home\JeffP
Look at the file server in the Home folder I see a JeffP folder created...but the permissions are not what I expect.

NTFS Permissions on Home\JeffP

SYSTEM
Full Control
This folder, subfolders and files
Inherited from D:\Home
This is as expected

Company_Home_Admins
Full Control
This folder, subfolders and files
Inherited from D:\Home
This is as expected

CREATOR OWNER
Special which is all permissions EXCEPT Change permissions, Take ownership
Subfolders and files only
Inherited from D:\Home
This is as expected

JeffP
Full Control
This folder, subfolders and files
Inherited from None
Why is the user getting Full?  We don't want them to be able to Take Ownership or Change Permissions.

File_Server\Administrators
Full Control
This folder, subfolders and files
Inherited from None
How is this getting on here?  We don't want the Windows server admins to have any permissions.  They are not NTFS educated.

File_Server\Administrators
Special which is all permissions EXCEPT Change permissions, Take ownership
This folder only
Inherited from D:\Home
How is this getting on here?  And inherited?  The local administrators group is nowhere applied to the Home folder.

Is this happening because the folder is getting created via the AD account and therefore it considers the user to be an administrator?  The local Administrators group getting applied twice and in one instance saying it is inherited when it is absolutely not inherited is just baffling me.

If you made it this far thanks in advance!

Multiple Site Connection problem


I have to install a multiple-site domain, but the link between the sites is not established yet.

Now I have one DC configured on the first site and I need to configure the rest of the sites, each site with a DC. Those new DCs will work offline, with some operations like adding new users or computers and some Linux servers on them.

I need to find a way to make each DC work as master on its site with no need to connect to the main DC until I finish my site connection and the network is fully converged, and also whether I can publish FSMO on all DCs.

Thanks

Is an in-place upgrade of a domain controller from 2016 to 2019 recommended by Microsoft?


Is an in-place upgrade of a domain controller from 2016 to 2019 recommended by Microsoft?

Convert a RODC to R/W domain controller


Hi

How can we convert a RODC to a R/W domain controller?

I have 3 RODCs and I want to convert them to R/W without any impact.

Do you have any idea please?

Upgrade in place prepare domain and forest


Hi

If we choose to perform an in-place upgrade from Windows 2016 to Windows 2019, do we need to prepare the forest and domain?
