Channel: Directory Services forum

Logon script doesn't run using GPO

My DC is a Windows 2016 Server and the workstation is Windows 10. I am not able to get my logon script to work with GPO. The vbscript (for logon input) works fine when I manually click the button to "activate" the script. However, when I create a new GPO, it doesn't appear. The script is located on the DC on one of the local drives and in the SYSVOL folder. Because I want the script to only work when an administrator is logging in, I decided to place the file:

Option 1: User Configuration > Policies > Windows Settings > Scripts > Logon. Then I clicked Browse in the "Add a Script" box and clicked on the vbscript under "Scripts", and I left the parameter option blank. I've also created a batch file which points to the vbscript and does the same thing.

Option 2: I tried to create a scheduled task: User Configuration > Policies > Control Panel Settings > Scheduled Tasks. I chose New > Scheduled Task. Then in the Pop Properties, I named the task. Under RUN, I browsed to either file, .vbs or .bat, and unchecked "enabled (scheduled task runs at a specified time)" and left all other fields blank. Under the "schedule" tab, I clicked on the drop-down box and selected "At Logon". Then I clicked "Apply" and "Okay".

I currently have my admin account and authenticated user listed as the accounts to apply the GPO to, and it's being applied to an OU with one test machine.

So after I tried both options, separately, I right-clicked on the GPO to run "Group Policy Update". It says success. I run gupdate /force, log off and then log back in to see if it works. After 5 minutes it still hasn't popped up, so I reboot, but I get the same results. NOTHING.

I thought initially it was related to permissions, but it's not, because I was able to create a GPO to create a folder if it didn't exist. This worked fine when I tested it with my account and machine. I don't think it's a firewall issue, because I was able to create the folder using the same machine and accounts and it worked fine. I also ran a script to test port 3389 to validate.

I've run out of ideas and am not sure what it could be. Any assistance would be appreciated.

Unable to access folder in netlogon on Domain Controller


Here is my situation. 

In the NETLOGON share I created this folder structure:

Netlogon
  File & Folder distribution
    To Computers
    To Users

The folder called "To Computers" is giving me a headache. This is why.

The inheritance on the folder called "To Computers" has been disabled, the "authenticated users" group has been removed and the "read & execute" permissions have been granted to the "domain computers" group.

My user account is a member of the domain administrators group and the built-in\administrators group.

When I access this folder on one of our Domain Controllers (for what it's worth: the one holding the FSMO roles) I get an access denied error. I'm able to access the same folder without any issues on my desktop or the other DC with the same credentials.

Is there anyone out there who has encountered the same issue?

DC 2019 - ERROR_NO_LOGON_SERVERS


Hi,

I have a problem with a new Server 2019 Domain Controller. I have added it to an existing 2008R2 domain consisting of 2x Server 2008R2 and 1x Server 2016.

I noticed that the computers in the same (test-)site do not authenticate to this controller, but use one of the other (prod-) sites. When I try to run "nltest /query" the error "1311 0x51f ERROR_NO_LOGON_SERVERS" appears. For the other Production Domain Controllers, this command is successful.

Even then I execute "nltest /sc_query:<DOMAIN>" it says "0 0x0 NERR_Success". But only after I do a "nltest /sc_reset:<DOMAIN>" the "nltest /query" command is successful until the next restart.

The DNS points to the other domain controllers. All tests in "dcdiag" show that they were successful.

Thanks

The computer is part of domain, but the system is still showing workgroup


Hi Team

Recently I found that our computer with Windows 10 OS (joined domain), but as you can see, the workgroup option is still there. I checked with another company; they said it shows domain information there. Odd!

Anybody understand what is the reason?

Thanks,

Steven

Linux AD integration & case sensitivity


Hi,

We have Linux integrated in our AD so all users can log in to their Linux machines with their AD accounts.

Now we have a program that runs on the Windows PC, and that program accesses a Linux machine to start a job/service, but it doesn't work with the AD accounts because of case sensitivity of the names. Is there a way to make it case insensitive, or to always get and send the correctly cased username to Linux?

How to make Secondary domain controller to Primary domain controller?


Dear Team,

I have a Primary domain controller on 2003, and the Secondary domain controller is 2008 R2.

I need your help to make the 2008 R2 secondary AD the primary and remove the 2003.

Please help me to proceed further.


SUNIL PATEL SYSTEM ADMINISTRATOR

DisplaySpecifiers for Ru-ru locale is missing in ADSI



Hi!

I need to make some changes in DisplaySpecifiers, but I need to make them both in 409 and 419 threads to make them visible in the Russian version of ADUC.

So what should I do if there is only CN=409 (USA) and CN=C04 (Chinese_HongKong) in ADSI DisplaySpecifiers?

I also need the CN=419 (Russian) locale thread, but this one is missing.

There is an already existing infrastructure with 2008R2 domain/forest level with 2008R2/2012R2 Domain Controllers.

All of the Domain Controllers are Russian edition, so they already have the Russian language pack installed and it exists in

HKLM\SYSTEM\CurrentControlSet\Control\ContentIndex\Language

Russian is also set as the default system language; all MMCs display correctly in it.

How can I import or install that locale to my ADSI?

Or is the only way to have it to manually create the CN419 container with all its attributes and properties?

HOW do you assign these permissions to an account using group policy?


Hi,

An active directory account needs the permissions below applying via group policy but they are NOT in the list of permissions under user rights assignment - so HOW do you assign these permissions below via Group Policy?

These are not under user rights assignment:

  • Permission to start SQL Writer
  • Permission to read the Event Log service
  • Permission to read the Remote Procedure Call service



Hide child domains


I'm building a setup with a root forest with child domains. Every child domain will be a separate customer domain. Is it possible that when a user searches for, for example, printers, they only see their own child domain? Now when I click on search for printers in Active Directory I see the whole root domain and all the child domains. I want to hide this so people don't see the names of the other child domains.


Domain groups and domain computers are hidden


Hi,

In my 2016 r2 Active Directory, domain groups and domain computers are hidden. We can find them if we search, but they are not showing in the folder.

Disabled GPO link for Folder redirection.


Hi team,

I'm a bit new and just starting to learn directory services and GPOs. 

I'm trying to implement Folder redirection with setting "Redirect the folder back to the local userprofile location when policy is removed". So far it is working as expected but I'm just a bit curious if there is client machine failure/shutdown?

For example: I removed the FR GPO and it is supposed to redirect the folder to the local profile, right? Let's say my user has 100GB worth of documents on the file server and during the redirection the computer shuts down at 50%. What will happen to the remaining 50% worth of files? Will it resume once the computer is up again, or will the 50% stay on the file server?

I apologize in advance if this topic is already existing. Thanks and have a great day!

Log on GPO


We are in the process of migrating 15000 computers from one domain to another using the Quest migration tool. Every day we are planning X number of users in remote sites. Based on our email, the user logs off the computer for migration. Our challenge is that post migration, many times users are waiting for our confirmation and do not log on to the computer. We are willing to display a logon screen prior to the user pressing Ctrl+Alt+Delete, so that we can show the users that the system has migrated to the new domain and they can log on to the system.

Can it be possible using GPO?

Thanks and Regards,

Hariharan

Delegating Fine Grained Password Policies


Hello, my company is implementing Fine Grained Password Policies. Articles mention that the rights to modify these can be delegated, but I cannot seem to find an article showing how. Could someone point me in the right direction?

Thanks

NTP time syntax with multiple external sources for command W32tm /config /manualpeerlist


Hi everyone,

Good morning! Just a quick one but hope it is not a long one :)

I asked some questions on W32TM before... I would like to change the time source on my DC with the PDC role from "local" to my core switch, followed by some other sources (in use by the core switch) as backup. I would like to ask if the following syntax is correct. I separated the IPs by white space. Also, I put 0.IP1, 1.IP2, 2.IP3...etc. in the IP list with the double quotes. Am I right?

Also, do I need to add anything like 0x1 or 0x8 at the end of each IP, as I saw on the net? I do not know what they mean :)

####################

W32tm /config /manualpeerlist:”0.10.0.0.1 1.129.6.15.29 2.204.34.198.40 3.69.25.96.13” /syncfromflags:manual /reliable:yes /update

####################

Finally, may I ask... once I change the time source on the PDC... how long does it take to let the DC and PC sync with the same time (how long to wait for the propagation)? Is there anything I need to pay attention to :)

Thank you very much !

Takami Chiro


Implementing password expiration policy soon - "krbtgt" account question


Hello all.

Our org. will soon enforce a password expiration after 90 days using Group Policy applied at the root domain level.

Using PowerShell I generated a report showing Name, PasswordLastSet, PasswordNeverExpires, Enabledobjects. The idea being to review the list and manually set accounts (service, VPN, etc.) that shouldn't expire accordingly within AD.

Most concerning in the report is the KRBTGT account, whose password was last set two years ago, is currently in a disabled state, and "false" in the PasswordNeverExpires column. Should I be concerned with this service account? I understand it serves an important role, so I don't want an expired password policy to throw it off.

Thank you.


mmc certificate request - "url" alternative name


What's this SAN type for? What's the syntax? Where is it documented?

LDIFDE - export users and their memberOf attribute


Hi All

I am new to LDIFDE. I can now export/import users from my AD DS server to a standalone AD LDS server. I have so far only exported/imported DN, objectclass, CN, givenname.

However, I am now stuck. I added memberOf to my -l switch but the export file did not show anything. If I open ADSIEDIT and go to my user and change the filter to "backlinks" (after googling!) I can see the memberOf attribute and the DN of the groups. Does the fact that memberOf is a backlink have anything to do with why the memberOf attribute is not exporting?

I then intend to import it, but will worry about how when I come to that.

Much appreciated.

P

How to query the user name of the last logon with one computer?


Hi everyone,

How to extend the properties of ADUC
Allows me to directly query the user name of the last logon with one computer.

Thank you in advance.

Best regards,

Yuxiang



PSRemoting 0x80090322 error


Good afternoon,
I use PowerShell remoting a lot in my current project, but there is one server that does not allow me to connect:

Windows Server 2012 R2
PSVersion 4.0
Source and target are both member servers in the same domain.
Error: Connecting to remote server XXXXXXX failed with the following error message: winRM cannot process the request. The following error with errorcode 0x80090322 occurred while using kerberos authentication: An unknown security error occurred.
Possible causes are:
- The user name or password specified are invalid.
- Kerberos is used when no authentication method and no user name are specified.
etc...

I tried many things:
- When using the -credentials switch it's still not working.
- When using the IP, it is still not working.
- I compared SPNs with a working server with setspn -l server name and the entries on both servers are the same.
- There are no events displayed on the target machine if I try to connect.
- I tried to disable the firewall.
- Using another source server makes no difference.

The problem is that I am not sure where to continue troubleshooting, because I don't know where to get more information out of the system about this problem.

Any ideas?

AD Users in Root and computers in Child domain


Hi,

I need some advice on whether having users and computers in a root domain is any less beneficial to having the users in the root domain and the computers in a child domain.

It may seem a weird question but due to how we are working we are "partitioning" off users in the Root domain.

Are there any potential security issues if we put the computer accounts in the same domain as the users?

Kind regards
