Channel: Directory Services forum

Recommended NTFS permissions for Home folders - Windows 2016


Hi,

What are the recommended NTFS permissions for user home drives when you want to automate their creation from the Profile tab of each user account in AD? I dug around and tried some of the older recommendations but I am getting odd results.

Here is what I have done and the results:
Windows Server 2016
Created folder = Home
Shared folder as Home and share permissions Everyone = Full Control

NTFS Permissions on Home

SYSTEM
Full Control
This folder, subfolders and files

Company_Home_Admins
Full Control
This folder, subfolders and files

CREATOR OWNER
Special
All permissions EXCEPT Change permissions, Take ownership
Subfolders and files only

Authenticated Users
Special
Traverse folder/execute file, List folder/read data, Read attributes, Create folders/append data
This folder only

Then on my AD user account, I go to the Profile tab and set the Home folder path to:
\\file_server\Home\%username%
Click OK
As expected it changes the path to:
\\file_server\Home\JeffP
Look at the file server in the Home folder I see a JeffP folder created...but the permissions are not what I expect.

NTFS Permissions on Home\JeffP

SYSTEM
Full Control
This folder, subfolders and files
Inherited from D:\Home
This is as expected

Company_Home_Admins
Full Control
This folder, subfolders and files
Inherited from D:\Home
This is as expected

CREATOR OWNER
Special which is all permissions EXCEPT Change permissions, Take ownership
Subfolders and files only
Inherited from D:\Home
This is as expected

JeffP
Full Control
This folder, subfolders and files
Inherited from None
Why is the user getting Full?  We don't want them to be able to Take Ownership or Change Permissions.

File_Server\Administrators
Full Control
This folder, subfolders and files
Inherited from None
How is this getting on here? We don't want the Windows server admins to have any permissions. They are not NTFS educated.

File_Server\Administrators
Special which is all permissions EXCEPT Change permissions, Take ownership
This folder only
Inherited from D:\Home
How is this getting on here? And inherited? The local Administrators group is nowhere applied to the Home folder.

Is this happening because the folder is getting created via the AD account and therefore it considers the user to be an administrator?  The local Administrators group getting applied twice and in one instance saying it is inherited when it is absolutely not inherited is just baffling me.

If you made it this far thanks in advance!
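An added example (not from the original post) that provisions the home folder from PowerShell instead of letting the ADUC Profile tab create it, so the new folder carries exactly one explicit ACE for the user and otherwise only what it inherits from D:\Home. It assumes it is run on the file server from an elevated session by a member of Company_Home_Admins (a local Administrators member or another holder of SeRestorePrivilege, which is what assigning ownership to someone else requires), with the RSAT ActiveDirectory module installed, and uses the D:\Home and \\file_server\Home paths from the question.

```powershell
#Requires -Modules ActiveDirectory
# Added example: provision a home folder with the intended ACL instead of letting the
# ADUC Profile tab create it. Paths are taken from the question; the drive letter is assumed.
function New-HomeFolder {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$HomeRoot = 'D:\Home',              # local path to the shared root on the file server
        [string]$HomeUnc  = '\\file_server\Home'    # share path that gets stored in AD
    )
    $domain = (Get-ADDomain).NetBIOSName
    $user   = [System.Security.Principal.NTAccount]"$domain\$SamAccountName"
    $folder = Join-Path $HomeRoot $SamAccountName

    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }

    $acl = Get-Acl -LiteralPath $folder

    # "All permissions EXCEPT Change permissions, Take ownership" = FullControl with those two bits cleared.
    $rights = [System.Security.AccessControl.FileSystemRights](
        [int][System.Security.AccessControl.FileSystemRights]::FullControl -bxor
        ([int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
         [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership))

    # Drop any explicit (non-inherited) ACE that ADUC or an earlier run left behind, then add
    # the single ACE we want. Inherited entries from D:\Home (SYSTEM, Company_Home_Admins,
    # CREATOR OWNER) are not touched.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleSpecific($ace) | Out-Null
    }
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $user, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'))

    # Make the user the owner. On a default server, a folder created by a member of the local
    # Administrators group is owned by the Administrators group, and the inheritable CREATOR OWNER
    # entry on D:\Home is then materialised on the new folder as an Administrators ACE flagged as
    # inherited. Owning the folder also makes CREATOR OWNER resolve to the user for what they create.
    $acl.SetOwner($user)
    Set-Acl -LiteralPath $folder -AclObject $acl

    # Point the account at the share path directly rather than through the Profile tab.
    Set-ADUser -Identity $SamAccountName -HomeDrive 'H:' -HomeDirectory "$HomeUnc\$SamAccountName"

    # Report what is left: any explicit ACE that is not the user's own is a finding.
    (Get-Acl -LiteralPath $folder).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference -ne $user } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

New-HomeFolder -SamAccountName 'JeffP'
```

The function returns nothing when the ACL is as intended; anything it prints is an explicit entry that did not come from D:\Home and should be explained before the folder is handed over.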


ADFS SSO

I'm currently using ADFS to provide SSO to SharePoint Online sites for users within the organisation. There is now a plan to have one of those sites integrate with an internally hosted (on-prem) web service that is also to be published externally through ADFS. Is there a way to get the ADFS to work so that once logged into the SharePoint Online site, the user is also authenticated for the web service?

AD LDS Backup failing


We have a web server that uses AD LDS for managing tabs, roles, security, etc. running on Windows Server 2016.

I am currently having an issue backing up AD LDS using the DSDBUTIL.  It has been running for years but has recently started having problems and fails to write the backup either to a network share or a local folder (I have tried both during troubleshooting).  Also I cannot correlate when it started failing to any server or application changes.   

When attempting to run a bat file that contains the DSDBUTIL command, the ADAM (INSTANCE-NAME) Writer reverts to the FAILED State as shown below.

Writer name: 'ADAM (INSTANCE-NAME) Writer'

   Writer Id: {dd846aaa-a1b6-42a8-aaf8-03dcb6114bfd}
   Writer Instance Id: {8bbe9162-20e3-44ec-9ee3-2a30f439a64e}
   State: [11] Failed
   Last error: Non-retryable error


The writer also reports the following error when trying to do the backup:

A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.

Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer.

If anyone can point me in the right direction it would be appreciated.  We also have a replicated instance of the same web server and the backup using DSDBUTIL works fine from there.  I have also tried using Windows Backup but it also fails, causing the ADAM (INSTANCE-NAME) Writer to fail again.  I have to restart the ADAM (INSTANCE-NAME) service to place the writer back in the READY state.

Thanks 
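An added example, not part of the original post, for the troubleshooting loop described above: it parses the `vssadmin list writers` table, checks the state of the instance's writer, collects the instance's own event log entries and restarts the ADAM service if the writer is not Stable, and only then runs the dsdbutil IFM backup. `INSTANCE-NAME`, the backup destination and the event log name pattern `ADAM (instance)` are assumptions to adjust for the real instance.

```powershell
# Added example: check the AD LDS VSS writer before running dsdbutil, and capture the
# application-side evidence when it has failed. Instance name and paths are placeholders.
function Get-VssWriterState {
    # Turns the text output of 'vssadmin list writers' into objects (Name, State, LastError).
    $writers = @()
    $current = $null
    foreach ($line in (vssadmin list writers)) {
        if ($line -match "^Writer name: '(.+)'") {
            if ($current) { $writers += $current }
            $current = [pscustomobject]@{ Name = $Matches[1]; State = ''; LastError = '' }
        }
        elseif ($current -and $line -match '^\s*State: \[(\d+)\]\s+(.+)$') { $current.State = $Matches[2].Trim() }
        elseif ($current -and $line -match '^\s*Last error: (.+)$')       { $current.LastError = $Matches[1].Trim() }
    }
    if ($current) { $writers += $current }
    $writers
}

function Backup-AdLdsInstance {
    param(
        [Parameter(Mandatory)][string]$InstanceName,
        [Parameter(Mandatory)][string]$Destination   # must not already exist; dsdbutil creates it
    )
    $writer = Get-VssWriterState | Where-Object Name -eq "ADAM ($InstanceName) Writer"
    if (-not $writer) { throw "No VSS writer registered for instance '$InstanceName'" }

    if ($writer.State -ne 'Stable') {
        # A writer in [11] Failed stays failed until its hosting service restarts. Grab the
        # instance's own log (assumed name 'ADAM (instance)') from the last day first.
        Write-Warning "Writer is '$($writer.State)' ($($writer.LastError)); collecting events and restarting."
        Get-WinEvent -LogName "ADAM ($InstanceName)" -MaxEvents 20 -ErrorAction SilentlyContinue |
            Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-1) -and $_.Level -le 3 } |
            Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
        Restart-Service -Name "ADAM_$InstanceName"
        Start-Sleep -Seconds 10
    }

    # dsdbutil takes its sub-commands as arguments; 'ifm' / 'create full' writes an IFM set.
    dsdbutil "activate instance $InstanceName" ifm "create full $Destination" quit quit
    if ($LASTEXITCODE -ne 0) { throw "dsdbutil exited with $LASTEXITCODE" }
}

Backup-AdLdsInstance -InstanceName 'INSTANCE-NAME' -Destination 'D:\Backups\ADLDS'
```

Run it on the web server and on the replica where the backup still works; comparing the two event captures (rather than the VSS requester error, which is generic) is what distinguishes a database-level problem on one instance from a VSS infrastructure problem on the host.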





Network ports required to open for one way trust to work to a resource domain


We will be deploying a new resource domain and need to setup a one way Active Directory trust.

I think I will have to set up DNS resolution, which I plan to do by implementing conditional forwarding in our user domain. So that will require the DNS port to be opened. Should that be port 53 both TCP and UDP?

I also will need to open ports for the trust to work. The MS article lists the ports below:

Client Port(s)              Server Port        Service
49152-65535/UDP             123/UDP            W32Time
49152-65535/TCP             135/TCP            RPC Endpoint Mapper
49152-65535/TCP             464/TCP/UDP        Kerberos password change
49152-65535/TCP             49152-65535/TCP    RPC for LSA, SAM, Netlogon (*)
49152-65535/TCP/UDP         389/TCP/UDP        LDAP
49152-65535/TCP             636/TCP            LDAP SSL
49152-65535/TCP             3268/TCP           LDAP GC
49152-65535/TCP             3269/TCP           LDAP GC SSL
53, 49152-65535/TCP/UDP     53/TCP/UDP         DNS
49152-65535/TCP             49152-65535/TCP    FRS RPC (*)
49152-65535/TCP/UDP         88/TCP/UDP         Kerberos
49152-65535/TCP/UDP         445/TCP            SMB (**)
49152-65535/TCP             49152-65535/TCP    DFSR RPC (*)

I think I don't need the port 123 as all clients will be syncing time with user domain servers.

Do I need all other ports to be opened as users won't be logging onto the resource domain?

From my understanding, when the user tries to access a resource (let's say a network file share) the resource domain server will try to authenticate the user against its domain controller (DC), and the resource domain DC will then send a referral to the server and ask it to check against the user domain DC. So basically the resource server acts as the client for the user domain DC. Would these RPC dynamic ports therefore need to be opened from the resource domain subnet to the user domain DCs?

From user domain DCs -> resource domain DCs, will I only need to open the following ports:

53 TCP/UDP DNS
135 TCP Portmapper
88 TCP/UDP Kerberos
389 TCP/UDP LDAP
445 TCP SMB
636 TCP LDAP (SSL)
Net Logon fixed port TCP (for the object picker to work)

What are other things to consider?
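An added example, not from the original post, covering two things a practitioner does before writing the firewall rules for a trust: pin the NTDS and Netlogon RPC endpoints to fixed ports (the documented `TCP/IP Port` and `DCTcpipPort` registry values) so the 49152-65535 rows in the table collapse to two known ports, and then probe the TCP ports from the other domain. The host name, the two chosen port numbers and the domain names are assumptions.

```powershell
# Added example: pin the DC RPC endpoints, then test the resulting fixed port list.
# Ports 38901/38902 and the host/domain names are assumptions.

# 1) On each DC (both domains): fix the NTDS and Netlogon RPC ports, then reboot the DC.
#    After this, the "49152-65535/TCP" server-side rows for LSA/SAM/Netlogon become these two ports.
function Set-DcFixedRpcPorts {
    param([int]$NtdsPort = 38901, [int]$NetlogonPort = 38902)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord
}

# 2) From a member (or DC) of the other domain: test every TCP port the trust needs.
#    UDP (53, 88, 123, 389) cannot be probed with Test-NetConnection; check those with
#    nslookup against the remote DC and a klist/Kerberos logon test instead.
function Test-TrustPorts {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [int[]]$TcpPorts = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269, 38901, 38902)
    )
    foreach ($dc in $DomainController) {
        foreach ($port in $TcpPorts) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Port = $port; Open = $r.TcpTestSucceeded }
        }
    }
}

# Anything that comes back with Open = False is a firewall rule still missing.
Test-TrustPorts -DomainController 'dc01.userdomain.example' |
    Where-Object { -not $_.Open } | Format-Table -AutoSize

# 3) After the rules are in place, verify the trust from the resource (trusting) domain:
#    netdom trust resource.example /d:userdomain.example /verify
```

Run the probe from both sides: the resource DCs need to reach the user-domain DCs for pass-through authentication and referrals, and the user-domain DCs need the same set towards the resource DCs for the trust to be created and verified, which is why the table does not distinguish direction.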


"Locked for editing..." by a generic username, not the named user


Hi,

Following on from my thread here: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_domains-mso_o365b/locked-for-editing-by-a-generic-username-not-the/b71cf68d-1bbf-47e5-a3c2-e6d449c965b2?messageId=674853fc-ae11-4b2a-adeb-dc2d1ac2a2e1

It was suggested that I post in here as it could be an AD issue.

Essentially we have a scenario where users are unable to see who has locked a file that is in use on a network share. The file is locked for editing by 'Staff/Research Student' rather than the specific username of the person.

The department used to have Windows 7 and Office 2010, which was never an issue: when the file was open, it would identify by username who it was locked to.

They have since been updated to Windows 10 and Office365 and now they're presented with the above, more generic option.

I am wondering if anyone has seen this prior and whether anyone may have any advice.

Thanks.

Certificate authority general usage


Hi,

I am new to CA systems and I am wondering: if we install a CA, will this impact how Active Directory works or communicates?

I have set up a test domain, and I noticed that the CA test server has issued a lot of certificates for the one and only AD server I have... What I am worried about is whether some communications will stop working.


/Regards Andreas

Does the Active Directory attribute msDS-AuthenticatedAtDC (forward link) have a time to live value

Do you know if the linked value msDS-AuthenticatedAtDC (on the user) times out after a period of time (e.g. a TTL)?

What I mean by this: say a user called Fred authenticates via RODC01 (for example, he logs onto a PC at the site hosting RODC01); the attribute on his user object (which is the forward link) will show he authenticated at RODC01.

Now let's say he goes back to his main office and does not return to the site containing RODC01, and two years pass. If I look at Fred's user account, will RODC01 still show up under msDS-AuthenticatedAtDC?

I know that when Fred changes his password at a read-write DC, his password cached on RODC01 will be removed. However, what about msDS-AuthenticatedAtDC? Is that updated at any point so RODC01 no longer shows up?

Thanks, please email me
cxmelga

"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR


Hi to all,

I need some advice about situation which I have.

We have two domain controllers, primary and secondary.

On the primary domain controller we have JRNL_WRAP_ERROR; GPOs and other settings added since the JRNL_WRAP_ERROR happened are applied on the primary but not replicated to the secondary. So we have new GPOs on the primary controller and on the secondary we do not have all the GPOs. I know about the D2 and D4 restore but I am not sure which to apply and in what order.

Everything else is replicating fine but FRS is not working.

Can I have some advice?

Thanks in advance!
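An added example (not from the original post) of the D2/D4 procedure from KB 290762 done with the `BurFlags` registry value. The direction is the part to get right: the DC whose SYSVOL content you want to keep gets D4 (authoritative) and every other DC gets D2 (non-authoritative, rebuilt from a partner). The ordering comment at the end assumes the primary is the one holding the complete GPO set, as the post describes.

```powershell
# Added example: FRS non-authoritative (D2) / authoritative (D4) SYSVOL restore via BurFlags.
# Run on the DC being reset, elevated. The key name contains a literal '/', which the
# PowerShell registry provider treats as a path separator, hence the .NET registry call.
function Set-FrsBurFlags {
    param([Parameter(Mandatory)][ValidateSet('D2', 'D4')][string]$Mode)

    $value = if ($Mode -eq 'D4') { 0xD4 } else { 0xD2 }

    Stop-Service -Name NtFrs -Force
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup', $true)
    $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Start-Service -Name NtFrs

    # FRS resets BurFlags to 0 once it has acted on it. 13516 = SYSVOL shared and the DC is
    # advertising again; 13565 = non-authoritative restore in progress; 13568 = journal wrap.
    $deadline = (Get-Date).AddMinutes(15)
    do {
        Start-Sleep -Seconds 30
        $ev = Get-WinEvent -FilterHashtable @{
                LogName = 'File Replication Service'; Id = 13516, 13565, 13568
                StartTime = (Get-Date).AddMinutes(-20) } -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated -Descending | Select-Object -First 1
    } until ($ev -or (Get-Date) -gt $deadline)

    if (-not $ev) { Write-Warning 'No FRS restore event seen within 15 minutes; check the FRS log.' }
    $ev | Select-Object TimeCreated, Id, Message
}

# Order for the situation in the post (assumption: the primary holds the SYSVOL you want to keep):
#   1. On the secondary:  Stop-Service NtFrs          (so it cannot push stale content back)
#   2. On the primary:    Set-FrsBurFlags -Mode D4     (authoritative; wait for event 13516)
#   3. On the secondary:  Set-FrsBurFlags -Mode D2     (rebuilds its SYSVOL from the primary)
#   4. On both:           ntfrsutl sets               (confirm the replica set is back in sync)
```

The D2 side is the safe one to repeat; a D4 on the wrong DC replaces every other DC's SYSVOL with that DC's copy, so compare the GPO folders under SYSVOL\domain\Policies on both servers before choosing which one is authoritative.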


Why can't one user change the password if the user has Full Control over the Group?


Hello all,

Let's take an example to explain a scenario. 

I have one user named 'demop' which has full control over the group named 'weak_permission', which contains a user named 'victim'. Now, I tried to change the password of 'victim' but I got an error saying 'Access Denied'.

As the user has full control over the group, it should also have full control over the users in the group, so why am I facing the error? I also checked the adminCount attribute; it was not there anywhere, so what am I missing here?

Thanks & Regards
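An added example, not part of the original post, that lists the ACEs on a user object which actually permit a password reset. Permissions on a group object apply to that group object only and do not propagate to its members, so the check has to be done on the target user's own ACL. The account names come from the post; the GUID is the documented control-access-right GUID for "Reset Password"; the OU and domain in the dsacls line at the end are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: who can reset a given user's password, read from the user's own ACL.
function Get-PasswordResetGrants {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    $acl.Access | Where-Object {
        $r = [int]$_.ActiveDirectoryRights
        $_.AccessControlType -eq 'Allow' -and (
            # the specific extended right (ObjectType = Reset Password, or empty = all extended rights) ...
            (($r -band $extendedRight) -ne 0 -and
             ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)) -or
            # ... or Full Control, which includes every extended right
            (($r -band $genericAll) -eq $genericAll)
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ n = 'Scope'; e = { if ($_.ObjectType -eq $resetPasswordGuid) { 'Reset Password only' } else { 'All rights' } } }
}

# 'demop' will not appear here unless the right was granted on 'victim' itself or inheritably
# on its OU; Full Control over the group 'weak_permission' is not on this object's ACL at all.
Get-PasswordResetGrants -SamAccountName 'victim' | Format-Table -AutoSize

# To delegate it deliberately, grant the control access right on the user (or on the OU with /I:S):
#   dsacls "CN=victim,OU=Lab,DC=example,DC=local" /G "EXAMPLE\demop:CA;Reset Password"
```

The same function is useful in the other direction: if it lists an identity you did not expect (a helpdesk group, a service account, Authenticated Users), that is an object-level delegation worth removing, because a password reset is equivalent to owning the account.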




Why is adminCount not set to 1 when in the privileged group Domain Admins?


Hi,

For example, I have a user named 'demop' which previously was not in any privileged group, so that object did not contain any adminCount attribute, which I confirmed. So I moved it to the Domain Admins group; now, when I check whether the attribute is present or not, it is not there. According to the documentation the attribute should be set if an object is in any privileged group. What am I missing here?
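An added example, not from the original post. adminCount is not written by the group membership change itself; the AdminSDHolder propagation task (SDProp) stamps it, and sets the object to stop inheriting permissions, when it next runs on the PDC emulator (every 60 minutes by default). The block below triggers a run through the documented `runProtectAdminGroups` rootDSE operation and then reads the account back from the PDC emulator, so replication latency does not hide the result. 'demop' is the account from the post.

```powershell
#Requires -Modules ActiveDirectory
# Added example: force SDProp on the PDC emulator and re-read the protected-account state.
function Invoke-SdPropNow {
    $pdc = (Get-ADDomain).PDCEmulator
    # rootDSE operational attribute; writing 1 runs the propagator. It only has an effect on the PDCe.
    $rootDse = [adsi]"LDAP://$pdc/RootDSE"
    $rootDse.Put('runProtectAdminGroups', '1')
    $rootDse.SetInfo()
    $pdc
}

function Get-ProtectedState {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$Server)
    $u = Get-ADUser -Identity $SamAccountName -Server $Server -Properties adminCount, nTSecurityDescriptor, memberOf
    [pscustomobject]@{
        Account             = $u.SamAccountName
        AdminCount          = $u.adminCount                                  # $null until SDProp has run
        InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected  # SDProp sets this too
        # direct membership only; nested membership is what SDProp actually evaluates
        ProtectedGroups     = @($u.memberOf | Where-Object {
            $_ -match '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators|Account Operators|Server Operators|Print Operators|Backup Operators),' })
    }
}

$pdc = Invoke-SdPropNow
Start-Sleep -Seconds 30          # the task is asynchronous; give it a moment
Get-ProtectedState -SamAccountName 'demop' -Server $pdc | Format-List
```

Note the asymmetry when cleaning up afterwards: SDProp sets adminCount=1 and disables inheritance, but removing the account from the group does not reverse either, so accounts that were once privileged keep a protected ACL until someone clears adminCount and re-enables inheritance by hand.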

DC Promo 2016 server created duplicate SRV records in DNS

Access Active Directory by using 389?


Hi everyone,

How are you? Hope you can help...

My colleague is writing a program (in ColdFusion) so that his program can retrieve and display some directory info (such as phone numbers). As you may guess, his program fails to do so.

In his programming script, I verified the port number is 389. Also, the object (OU=, OU=... etc.) is correct, as well as his service account.

So what else is missing? Besides, what is Active Directory Lightweight Directory Services and would it be needed in this case? If so, can it be installed on a member server without affecting our current Active Directory?

Hope you can help. Thank you.

Takami Chiro

Should we raise the functional level to Windows 2016 or Windows 2019?


Hi,

We have completed the upgrade of all our domain controllers in one of our forests to Windows 2019.

The current functional level is Windows 2008 R2. Should we raise it to 2016 or 2019?

After upgrading AD, new users don't appear in SharePoint and others


Hi,

A few weeks ago I upgraded the AD servers from WS 2008 to WS 2016.

We use SharePoint Foundation at my company, and newly created users do not appear when I want to share a folder with them. Old users do appear, so I suppose the issue is related to the AD upgrade.

I also use Dynamics NAV and there are some errors related to this. It looks like the servers are trying to find the old AD server instead of the new ones.

I did a DNS flush on each one, and if I do an nslookup it resolves to the current AD server.

The server names are different but the IP addresses are the same as the old ones.

Thanks in advance for any help provided.

regards

Recreate failed DC from scratch with same name and IP


Hi,

We have 3 DCs (Windows 2012 R2), but number 2 crashed because of disk failure. We don't have backup as we have 3 DCs on separate physical hosts and even separate locations.

However, we have several applications pointing to the failed DC either by name or IP.

Is there a procedure to recreate a DC using the same name and IP as the failed one without screwing up the AD?

Can we just remove the old DC from AD Objects and proceed with creation or is there a risk of remaining objects that would result in issues ?

Thanks


GPO to assign security group to have Admin privilege - Server 2016


Hi IT Experts,

My objective is to delegate full local admin privilege to the IT support team, but at the same time they should be denied access to all the servers, either directly or remotely.

To accomplish this I created one security group and deployed the policy. While testing I found that the members of this security group have admin privilege on all the PCs, but at the same time they also have remote access to all the servers (though not to the domain).

My question is: how do I completely restrict remote access to any servers for the same security group?

TIA
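An added example, not part of the original post, that tests on a single server the three "Deny" user rights which keep a group off servers interactively, over RDP and over the network, while leaving its local admin membership on workstations untouched. A Deny right always wins over an Allow, including the one implied by Administrators membership. In production the same three lines belong in a GPO linked only to the servers OU (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment), not in a local secedit run. The group and domain names are assumptions.

```powershell
# Added example: apply the three deny-logon rights for one group on this server via secedit.
# Caveat: secedit replaces each listed right wholesale, so include any existing assignees.
function Set-DenyServerLogon {
    param([Parameter(Mandatory)][string]$GroupName)   # e.g. 'EXAMPLE\IT-Support-LocalAdmins'

    $sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # secedit template: SIDs in [Privilege Rights] are prefixed with '*'.
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
SeDenyNetworkLogonRight = *$sid
"@
    $infPath = Join-Path $env:TEMP 'deny-support.inf'
    $dbPath  = Join-Path $env:TEMP 'deny-support.sdb'
    Set-Content -Path $infPath -Value $inf -Encoding Unicode

    secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) {
        throw "secedit failed ($LASTEXITCODE); see $env:windir\security\logs\scesrv.log"
    }

    # Show what is now in effect: export the user rights and print only the deny lines.
    $out = Join-Path $env:TEMP 'rights-export.inf'
    secedit /export /cfg $out /areas USER_RIGHTS /quiet
    Get-Content $out | Select-String 'SeDeny'
}

Set-DenyServerLogon -GroupName 'EXAMPLE\IT-Support-LocalAdmins'
```

SeDenyNetworkLogonRight is the one that matters for "remotely" beyond RDP: it blocks SMB, WMI, remote registry, PsExec-style service installs and PowerShell Remoting, all of which an account with local admin rights on workstations could otherwise use to reach a server without ever logging on to its desktop.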



DNS does not work. Access denied


Hello,

We have 2 DCs. server2 (not an FSMO owner) has been turned off for about a month.

server1 (FSMO owner) worked fine, but after a reboot it doesn't. The event log shows DNS events 4000 and 4007.

The DNS snap-in throws Access denied. Both servers have the same problem. The OS on both is Win2008R2.

The DNS servers on the server1 NIC are configured with its own IP as primary DNS and 127.0.0.1 as secondary.

How can I fix primary DC dns service?

Tried this https://support.microsoft.com/en-us/help/2751452/dns-zones-do-not-load-event-4000-4007

but no luck.

Windows 2012R2/Windows 2016 domain support for Windows 2000 server


Hi everyone, I have a question. My domain servers are 2008 R2, the forest and domain functional level is 2008 R2, and I want to upgrade to 2012 R2/2016. For the old Windows Server 2000 machines in my domain, can they still log in normally with domain accounts? Can Windows Server 2000 still join the domain?

Thank you Very much!!

Make a field as read-only for users


Hello, I need to make the field Office (physicalDeliveryOfficeName) read-only for my users.

So nobody can edit their own Office field.

How can I do it? 

Many thanks to everyone!


Piero
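An added example, not from the original post, that makes physicalDeliveryOfficeName read-only for the users themselves by adding a Deny WriteProperty ACE for SELF on each user object. Users can edit their own Office today because the user class's default security descriptor gives SELF write access to the "Personal Information" property set as an explicit ACE on every user. Since explicit Allow entries are evaluated ahead of inherited Deny entries, an inheritable Deny placed on the OU would not override that default; the Deny has to be explicit on the user objects themselves, and re-run (or added to the user class's defaultSecurityDescriptor) for accounts created later. The OU DN is an assumption.

```powershell
#Requires -Modules ActiveDirectory
# Added example: explicit Deny WriteProperty for SELF on one attribute, per user object.
function Deny-SelfWriteAttribute {
    param(
        [Parameter(Mandatory)][string]$SearchBase,            # OU containing the users
        [string]$AttributeLdapName = 'physicalDeliveryOfficeName'
    )
    # Resolve the attribute's schemaIDGUID from the schema instead of hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attrGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$AttributeLdapName)" `
                    -Properties schemaIDGUID).schemaIDGUID

    $self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # NT AUTHORITY\SELF
    $ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    foreach ($u in Get-ADUser -SearchBase $SearchBase -Filter *) {
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.AddAccessRule($ace)          # explicit Deny: ranks ahead of the explicit SELF Allow
        Set-Acl -Path $path -AclObject $acl
        $u.SamAccountName                 # emit what was changed
    }
}

Deny-SelfWriteAttribute -SearchBase 'OU=Staff,DC=example,DC=local'

# Verify as one of the affected users (the write is now refused with "Access is denied"):
#   Set-ADUser -Identity $env:USERNAME -Office 'Room 101'
```

Administrators and anyone else with a delegated write on the attribute are unaffected, because the Deny names only SELF. If the requirement is "nobody but HR", remove the SELF Allow on Personal Information instead and grant the HR group WriteProperty on the attribute, rather than stacking denies.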

AD domain upgrade order

My AD is a single-forest, multi-domain architecture with one root domain and two sub-domains. When I upgrade, should I upgrade the sub-domains or the root domain first?