Hello,
I have a group which contains users for ex: user1. Now that group is a member of another group named 'group2' and this group2 having Reset Password permission on user2.
Now I tried to change the password of user2 from user1 it says access is denied?
What am I missing?
Thanks and regards
Hi all,
everyday, to check Health DCs, i use command "repadmin /replsummary", everything is okay with no fail. One day, i have updated windows and restart, after i run command "repadmin /replsummary" again then have some errors:
Source DSA largest delta fails/total %% errorplease check for me
Thanks!
Hello,
Due to some business use cases we have to disable last-logon TIME from the lastlogontimestampattribute on AD 2008 R2.
Could someone please advise what are possibilities disabling this on domain level.
Whenever we are trying to create `computer` object in Microsoft Active Directory as below:
var ldap = require('ldapjs');
var client = ldap.createClient({
url: 'ldap://<<host>>:389'
});
client.bind('<<Admin DN>>', '<<password>>', function(err) {
if(err){
console.log('error',err);
}else{
console.log('bind is success');
}
});
var newDN = "CN=testcomputeruser,OU=testou,DC=test,DC=com";
var newUser = {
cn: 'newtestComputer334',
objectClass: 'computer',
description: 'This is test implementation hence this is test description.',
//UndefinedAttributeTypeError: 'msDS-RevealedList':'S:12:RevealedList:CN=RevealedList,OU=testou,DC=test,DC=com',
//UndefinedAttributeTypeError 'msDS-isGC':'FALSE',
//UndefinedAttributeTypeError 'msDS-isRODC':'FALSE',
//UndefinedAttributeTypeError 'msDS-SiteName':'TestmsDSSiteName',
//UndefinedAttributeTypeError 'msDS-IsUserCachableAtRodc':'568974',
}
client.add(newDN, newUser,function(err, resp) {
console.log('newDN : ', newDN);
console.log('newUser : ' ,newUser);
if(err){
console.log('error',err);
}else{
console.log('new user is success');
}
})I am working on project migrating/consolidating AD forests. Now just like any other environment, this customer also has lot of applications.
I need to understand what all info do we need to get the AD dependent applications and furthermore, do we really need that info assuming that there will be SID History in place, as user will still be able to access there applications in the source domain.
Can anyone please help with some details around application piece while AD migration
Thanks
Guys,
Is it possible add a RHEL (Red Hat) server to an MS Active Directory (AD)?
Thanks.
Hi All,
We seem to have a little issue on our Domain. Basically, when users attempt to login to the domain they should in theory login to their local DC, this is not happening. For example a user in the HQ site office would authenticate and logon to a DC in another location which could be hundreds or even thousands of miles away.
Everything in Sites & Services have been checked and are correct. Does anyone know how to trouble shoot this problem we have. I have looked in the event - security logs but I don't see anything that will lead me to a solution.
Are there any logs I can check in order to try and troubleshoot this problem.
Hello Happy New Year to all!
My question has been asked before but the solutions do not apply to my problem, or at least they do not solve it.
I have a former domain controller that degraded it generated more headaches than solutions, I get the blue screen with error c00002e2 and error status 0xc000007a, I can only access through DRSM mode, in the summary of installed roles are server dns and active
directory domain controller, both with red x, which makes me presume that it was not a clean dcpromo, the NTDS folder and its content is missing, does not exist in the Windows directory, but in the Windows registry appear all the parameters of NTDS.
It is not feasible to format the disk and install everything from scratch, the previous IT manager had the great idea of installing sql server and plc drivers for robots on the same server, not to mention data collection services for wireless remote desktop users, among other things.
The dism tool does not recognize it because it is Windows Server 2008.
Uninstalling the roles in both cases gives me an error.
What else can I try to lift the Server?
I'll be waiting for your answers.
Thank you in advance for your attention.
Valter
Hi,
We have some AD security groups that are used for restricted access and for this reason, we don't want these groups being copied across to a new user account when we clone an existing user.
I appreciate that you probably can't prevent selected groups copying across, so we would be happy to prevent all group membership being copied when we create a new user by copying an existing user account.
According to this article it should be possible - https://4sysops.com/archives/prevent-copying-of-an-active-directory-attribute-when-duplicating-a-user-account/
So I am a Schema Admin and Enterprise Admin and I have followed all the instructions when logged on to the Schema Master. However, when I try to edit the memberOf attribute, the "Attribute is copied when duplicating a user" section is greyed out
Is there a way around this or is this greyed out because changing it would break the schema?
Many thanks
I am migrating my office to ADDS. I set up two domain controllers, I wanted to change the server name on one of them. I believe all replication was done and I would be able to demote it, change the name, and bring it back but I obviously missed a step or two. When I ran DCPROMO to bring it back it failed. The error message is:
"ADDS could not create the NTDS Settings object for the ADDC"
"While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync."
The working DC gives a warning: "The attempt to establish a replication link for the following writable directory partition failed. Error value: 8524 The DSA operation is unable to proceed because of a DNS lookup failure."
The servers can ping each other by IP and by FQDN. Windows finds the working DC in the DCPROMO wizard. Nslookup gives the name and IP of the server that is up and running. I have domain, schema, and enterprise admin rights. Ipconfig /registerdns doesn't give any error messages. They see each other just fine but fail on replication it seems. Both servers are recent installs of Server Standard 2008 r2 with all updates. The roles that worked before are ADDS, DNS, File Services, and Print Services. The Print Services seems to be working. Both servers worked fine before the demotion. I changed the name back to the original to see if that helped.
Any ideas on how to fix this? Could I remove all the roles that don't work then add them back?
I'm trying to set up a disaster recovery backup and I'm testing a recovery scenario in isolation. Here's what I did thus far:
- I've made a bare-metal and system-state backups with Windows Server Backup of one of our DC VMs
- I've placed the backup onto a VHDX drive
- I've created a new HyperV VM; it's connected to a private network (isolated) and attached the VHDX with the backups. Using a Windows Server 2016 ISO I restored the bare-metal backup
- I've reconfigured the network adapter to have the same IP as the original DC VM
- I've entered DC recovery mode and restored the system-state backup as AUTHORITATIVE
- I've seized all domain and forest roles
Now, post boot the server has no SYSVOL and NETLOGON shares. The network is not identified as a domain, but is "unidentified public". DNS is working fine and NSLOOKUP calls seem to be correct. I cannot access the AD Users and Computers MMC because I get a "Naming information cannot be located because the specified domain either does not exist or could not be contacted" error.
Here are the DCDIAG results: https://pastebin.com/dRqZPrGU (it's too long to paste here as there's an error related to Azure AD sync that's spammed all over the log, unfortunately).
Any idea what's going on here? Am I doing something wrong or is there something wrong with the backup? Or is there something wrong with the original DC VM server and it's not a viable source for a DC backup?
I have a hosted exchange server in which i allow certain users to add external contacts (via ECP).
The external contacts hereafter appear in the AD under the OU External Contacts.
What I now want to allow is to edit the email address inside the AD User Properties.
However, when I log in as the users and I go to Active Directory Users and Computers, go into the attribute editor for an external contact, the value is greyed out when i'm logged in as the user.
I already delegated control and gave all permissions for the OU External Contacts.
However, this still doesn't let me to edit (any) of the attributes in the AD Attribute Editor.
When I right click the OU External Contacts and check under Security, the user also has FULL CONTROL permissions on the OU.
What am I doing wrong?
How can I allow a non-domain admin to edit these attributes?
Hello Folks,
I've started working at a company a little over a month ago and one of my projects is cleaning up Active Directory. I resolved a bunch of replication errors and have managed to get everything syncing. I'm moving with caution but making great strides. I need to reconfigure the AD Sites & Services>Sites>Inter-Site Transports>IP>Site Links.
It looks like they tried to setup a hub and spoke using Site-A – Site-D – Site-G with the other sites hanging off their respective location's site head. Last weekend Site-D relocated to a different office and the server had hardware issues which caused it to be down for a few days. This caused Site-E & Site-F to not receive replication. The DEFAULTIPSITELINK was deleted long before I got here and there is a lot of manual creations in the NTDS Settings in the sites.
There are MPLS connections to Site-A from everywhere. Speed/connectivity is not an issue at any site. All sites connect directly to Site-A. Other sites connect to each other but not all sites are connected to all sites.
Site-A is HQ for the company and most but not all accounts are generated here. But it is critical that all DCs replicate to and from HQ for various O365 & related reasons.
The goal is to recreate the IP Site Links and have <automatically generated> connections in the NTDS Settings. So I know I will need to delete any manually created connections and force KCC to create the<automatically generated> NTDS connections after the Site Links are recreated.
How do I go about reconfiguring the Inter-Site Transports>IP>Site Links? Do I create one Site Link and add all sites to it and enable BASL? Could it be that simple because it's only one domain?
1 forest and 1 domain
10 DCs Site-A Windows 2016 Std. All else Windows 2019 Std.
9 physical locations
Bridge All Site Links is disabled
Americas
Site-A = DC01(FSMO) & DC02
Site-B = DC03
Site-C = DC04
Europe
Site-D = DC05
Site-E = DC06
Site-F = DC07
Asia
Site-G = DC08
Site-H = DC09
Site-I = DC10
Any help is appreciated. Thanks in advance!
Hi,
my domain accounts were connecting to the domain running the logon script.
However it has stopped working without having changed anything. In case I want
to browse with the windows explorer until the bat file using the ip address then
it fails (for instance, \\192.168.0.101\sysvol where the ip address is the dc),
But if I use the hostname of the dc it works fine(\\sdv1\sysvol).
Can anybody help me?
Thanks.
Regards.
Hi All
i have a monitoring solution which threw an alert that LDAP query has failed on the my DC02. There is no much information in the alert. i am not sure what needs to be checked. experts guide me on this.
After installation ADCS Subordinate Enterprise CA I get:
C:\Users\admin>certutil
Entry 0: (Local)
Name: `Corp-SUB-CA'
Organizational Unit: `'
Organization: `'
Locality: `'
State: `'
Country/region: `'
Config: `CA-SUB.corp.ca\Corp-SUB-CA'
Exchange Certificate: `'
Signature Certificate: `CA-SUB.corp.ca_Corp-SUB-CA.crt'
Description: `'
Server: `CA-SUB.corp.ca'
Authority: `Corp-SUB-CA'
Sanitized Name: `Corp-SUB-CA'
Short Name: `Corp-SUB-CA'
Sanitized Short Name: `Corp-SUB-CA'
Flags: `13'
Web Enrollment Servers: `'
There are several blank fields (bold ones) that I don´t know where, during powershell or Graphicall installation I must set up. Where are those fields configured? Can I change that values once the Subordinate CA is installed?
Thanks.
Mohamed MCDST | MCSA | MCSE | Azure solutions Architect.
How can I include the "IncludeExceptionDetailInFaults" to get the verbose error message from PowerShell?
PS C:\Users\test_user\Desktop> $User = Get-ADUser -Identity $test_user -Properties mail,department $User.mail = "glen@fabrikam.com" $User.department = "Accounting" Set-ADUser -Instance $User Set-ADUser : The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. At line:4 char:1 + Set-ADUser -Instance $User+ ~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (:) [Set-ADUser], ADException+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.SetADUser
Hi all,
I have a task to create AD organization structure on a way that we see who is the boss over who etc.. Can anyone help?