Channel: Directory Services forum

Groups with No Owners and Inactive Owners, Groups with No Members


I was auditing the AD for one of my customers. As a result of the audit I found out the things below:

1) There were many groups with No Owners

2) There were groups where the owners left the org a long time back

3) There were over 4000+ NTFS groups

4) Many Groups do not have "Managed by" field populated

So is there any way, or any best process/practice that can be adopted, to mitigate this so that these are not repeated in the future?

Also, is group nesting a good idea, and if yes, how many levels of nesting max should be done?

Any other best practice related to proper AD Group Administration would be appreciated.


Pallab Chakraborty
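As an added example (not code from the post or its author), the audit below reports the three conditions raised in the question: groups with no managedBy value, groups whose manager object is gone or is a disabled user account, and groups with no members. It assumes the ActiveDirectory PowerShell module and a hypothetical search base `OU=Groups,DC=example,DC=com`.

```powershell
# Added example: audit AD groups for missing or inactive owners and empty membership.
# Assumes the ActiveDirectory module; the search base below is a placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Groups,DC=example,DC=com'   # assumption: adjust to your domain

$groups = Get-ADGroup -Filter * -SearchBase $searchBase -Properties managedBy, member, whenChanged

$report = foreach ($g in $groups) {
    $ownerState = 'NoOwner'                     # managedBy attribute is empty
    if ($g.managedBy) {
        # managedBy holds a DN; resolve it and check the account state
        $owner = Get-ADObject -Identity $g.managedBy -Properties userAccountControl -ErrorAction SilentlyContinue
        if (-not $owner) {
            $ownerState = 'OwnerMissing'        # DN points at a deleted object
        } elseif ($owner.ObjectClass -eq 'user' -and ($owner.userAccountControl -band 2)) {
            $ownerState = 'OwnerDisabled'       # ACCOUNTDISABLE bit set: owner has left
        } else {
            $ownerState = 'OK'
        }
    }
    [pscustomobject]@{
        Group       = $g.Name
        OwnerState  = $ownerState
        MemberCount = @($g.member).Count
        LastChanged = $g.whenChanged
    }
}

# Only the groups that need a decision (new owner, or candidate for removal)
$report |
    Where-Object { $_.OwnerState -ne 'OK' -or $_.MemberCount -eq 0 } |
    Sort-Object OwnerState, Group |
    Export-Csv -Path .\group-ownership-audit.csv -NoTypeInformation
```

Running this on a schedule and treating `NoOwner`, `OwnerMissing` and `OwnerDisabled` as tickets for the group's business owner is what keeps the problem from recurring; the report alone does not enforce anything.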


Does mail contacts require Exchange?


We will be decommissioning our Exchange server this year but there is a need to record email addresses for certain users and have them be members of groups without giving them an actual AD domain account.  This is a hack to fix some potential issues we will be having once we decommission our Exchange server as part of an integration effort with another company.

Is Exchange required to create mail contacts in AD?  Thank you for any guidance!

Best,

Jen
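As an added example (not from the post), the script below creates a contact object with the ActiveDirectory module alone; the `contact` object class is part of the base AD schema and does not depend on Exchange. The OU, group name and address are constructed. Note that `Add-ADGroupMember` only accepts security principals, so a contact has to be added by writing the group's `member` attribute directly.

```powershell
# Added example: create a mail contact without Exchange and put it in a group.
# OU, group and address values are constructed placeholders.
Import-Module ActiveDirectory

$contactOu = 'OU=Contacts,DC=example,DC=com'   # assumption
$groupName = 'Partner-Distribution'             # assumption
$address   = 'jane.partner@partner.example'     # constructed

New-ADObject -Type contact -Name 'Jane Partner' -Path $contactOu -OtherAttributes @{
    mail        = $address
    givenName   = 'Jane'
    sn          = 'Partner'
    displayName = 'Jane Partner'
}

$contact = Get-ADObject -Filter "objectClass -eq 'contact' -and mail -eq '$address'" -SearchBase $contactOu

# Contacts are not principals, so Add-ADGroupMember rejects them; edit 'member' instead.
Set-ADGroup -Identity $groupName -Add @{ member = $contact.DistinguishedName }

# Verify: the contact shows up with objectClass 'contact'
Get-ADGroupMember -Identity $groupName | Select-Object Name, objectClass
```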

syntax error


Hi All, I am executing the script below in PowerShell ISE and I am getting the error shown. Experts, please guide me on this.

$Input = "((Office -like '*Singapore*') and ((departmentNumber -eq 1234) or (departmentNumber -eq 1235) or  (departmentNumber -eq 1236)))"
Get-ADUser -Filter $Input -properties DisplayName,Userprincipalname,title,departmentNumber| Select DisplayName,Userprincipalname,title,departmentNumber |export-csv C:\output.csv -Notypeinformation

Get-ADUser : Error parsing query: '((Office -like '*Singapore*') and ((departmentNumber -eq 1234) or (departmentNumber -eq 1235) or (departmentNumber -eq 1236)))' Error Message: 'syntax error' at position: '32'.
At line:2 char:1
+ Get-ADUser -Filter $Input -properties DisplayName,Userprincipalname,title ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
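As an added example (not the poster's script), the corrected version below changes two things: the AD filter language uses `-and` and `-or` (the parser stops at position 32, which is exactly the bare `and`), and `$Input` is a PowerShell automatic variable, so the filter is stored in a differently named variable. It also builds the department clause from a list and flattens the multi-valued `departmentNumber` attribute so the CSV holds values rather than a collection type name.

```powershell
# Added example: working form of the filter from the post.
# The department numbers and office name are the ones in the question.
Import-Module ActiveDirectory

$departments = 1234, 1235, 1236
$office      = 'Singapore'

# "(departmentNumber -eq '1234') -or (departmentNumber -eq '1235') -or ..."
$deptClause = ($departments | ForEach-Object { "(departmentNumber -eq '$_')" }) -join ' -or '

# AD filter syntax: logical operators are -and / -or, not and / or
$filter = "(Office -like '*$office*') -and ($deptClause)"

Get-ADUser -Filter $filter -Properties DisplayName, UserPrincipalName, Title, departmentNumber |
    Select-Object DisplayName, UserPrincipalName, Title,
        @{ Name = 'departmentNumber'; Expression = { $_.departmentNumber -join ';' } } |
    Export-Csv -Path C:\output.csv -NoTypeInformation
```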

Looking for Account Lockout script


Hi Guys,

My infra has 100+ DCs and logs are purged very frequently (within 10-20 min), so finding the account lockout source is quite a difficult task.

Do we have any PowerShell script to find the account lockout source?

Thanks in advance.!

/Gopi
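As an added example (not from the post), the function below looks for the lockout on the PDC emulator only: every DC forwards lockouts to the PDCe, so its Security log carries event 4740 for the whole domain and the other 100+ DCs do not need to be queried. It assumes the ActiveDirectory module, remote event log access to the PDCe, and that the PDCe's Security log still covers the window searched; the account name is constructed.

```powershell
# Added example: find the caller computer behind an account lockout from the PDC emulator's log.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    $pdc = (Get-ADDomain).PDCEmulator

    # 4740 = "A user account was locked out"; it is always written on the PDCe
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                Time           = $e.TimeCreated
                LockedAccount  = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']   # in 4740 this field is the source computer name
                ReportedBy     = $pdc
            }
        }
    }
}

Get-LockoutSource -SamAccountName 'jdoe'   # constructed sample account
```

Because the logs roll over within minutes, the practical fix is to forward 4740 (and 4625/4771 for the failed attempts) from the PDCe to a collector with Windows Event Forwarding or a SIEM, so the function has something to search after the fact.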

The sign-in method you're trying to use isn't allowed. For more info contact your Network Administrator


Good Morning,


After removing a group which was mistakenly added to Administrators, users in that group cannot log in to the domain and are getting the above error.

The workaround is to have them disconnect from the network (Wi-Fi), log in to the machine, then connect to the network.

Please can you assist with a permanent solution as we cannot have these users as Administrators.

Cross Forest CA - Access Denied when attempting to Enrol Certs


Scenario

We have a forest root, let's call it ForestA.local.

We then have a sub domain in this forest. Let's call it Domain.ForestA.local. All user / computer accounts etc. are in this domain. This is the main domain used by the company.

We have another forest, let's call it ForestB.local.

Both forests are running Server 2008 R2.

We have set up a 2-tier Enterprise CA in domain.forestA.local. This works well for users and computers in that domain. We also want to use this CA for certificates in the ForestB.local domain, so we set up a 2-way forest trust between ForestA.local and ForestB.local.

I then performed the steps as described in https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff955845(v=ws.10) starting at step 5.

Namely:

Enabled LDAP referrals

Added CA computer accounts to Cert Publishers group in ForestB.local

Published the root CA certificate to ForestB.local

Published the enterprise CA certificate to ForestB.local

changed permissions on templates to allow enrollment for users and computers in ForestB

Used PKISync.ps1 to copy the templates from ForestA to ForestB

Now when on a machine in the ForestB.local domain, I use the Certificates snap-in to request a new test web certificate. The certificate templates display correctly. However, once I hit submit I get the following error:

Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {D322F504-F793-432D-84D8-128274ECC1C3} (Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)). Failed to enroll for template: xxxxxxxxxxxxx

I have tried giving every permission, including adding domain users and computers to the local Certificate Service DCOM Access group on the Enterprise CA server; however the same issue still exists.

I have also spent hours googling this problem; however there doesn't seem to be a lot out there for this particular problem.

Anyone have any ideas?

verification of outbound replication failed. unable to locate replication source domain controller


Currently our environment has 3 DCs:

1st (PDC) is Windows Server 2012 Standard (not R2),

2nd DC is Windows Server 2012 Standard (not R2) and

3rd DC is Windows Server 2008 R2 Standard.

We are planning to upgrade to a Windows Server 2016 DC, and as the first step I was trying to promote it to a domain controller, but was not successful.

When I tried to run the prerequisite check in dcpromo, promoting it as a domain controller from the PDC, the error said it was not able to find the PDC:

>>> verification of outbound replication failed unable to locate replication source domain controller <<<

But when I tried the prerequisite check with my 3rd DC (Windows Server 2008) the prerequisite check passed,
but I was not able to promote it from there because the 3rd (2008) server was not the PDC.

Active Directory Authentication Ports


I have been upgrading our Domain Controller to Windows 2016.  I have been informed from our security department that the RPC authentication ports are configured on our various firewalls.  They would like me to limit these ports on the domain controllers, and I want to make sure that I am looking at the correct Registry Keys before making these changes.

I believe that the keys that I need to create (or edit) are:

HKLM\System\CurrentControlSet\Services\NTDS\Parameters (adding a DWORD called TCP/IP Port)

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters (adding a DWORD called DCTcpipPort)

Are these the correct keys? If so, do I need an entry for each port, or can I use a Multi_SZ and list all the ports?
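As an added example (not from the post), the script below pins the two RPC endpoints named in the question. Both values are documented as a single REG_DWORD holding one port each (`TCP/IP Port` under NTDS for AD replication, `DCTcpipPort` under Netlogon), not a MULTI_SZ list. The port numbers are constructed placeholders; run it elevated on the DC itself, and the setting takes effect after the services or the DC restart.

```powershell
# Added example: set static RPC ports for AD DS replication and Netlogon on a DC.
# Port values are constructed; choose unused ports in your environment's allowed range.
$ntdsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ntdsPort     = 49152   # constructed placeholder
$netlogonPort = 49153   # constructed placeholder

# One DWORD per service; -Force overwrites an existing value
New-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port' -PropertyType DWord -Value $ntdsPort     -Force | Out-Null
New-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -PropertyType DWord -Value $netlogonPort -Force | Out-Null

# Verify what is actually stored before the firewall team narrows the rules
[pscustomobject]@{
    NtdsRpcPort     = (Get-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port').'TCP/IP Port'
    NetlogonRpcPort = (Get-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort').DCTcpipPort
}
```

The RPC endpoint mapper on TCP 135 is still needed so clients can discover the pinned port, and the fixed ports do not cover the Kerberos, LDAP, SMB and DNS traffic a DC also serves; those keep their standard ports.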


DSRM Password change

Hi,

I have 2 DCs, let's say dc1 and dc2.

I have set a different Directory Services Restore Mode password for each of my 2 DCs. For security reasons I don't want to set the same DSRM password for my DCs.

I created 2 domain user accounts named according to the DC name, like dsrmdc1 and dsrmdc2.

Whenever I change the password for the above 2 DSRM domain accounts, I want the same password to be synchronized automatically to the "administrator" account.

I did some research on my query but was not able to achieve the goal.

Lots of articles floating around the internet say to configure a GPO to sync the password from the domain account to the administrator account; that is suitable when we have a single DSRM account scenario.

However I am using an independent account on each DC.

Let's say the dsrm1 account password should sync with the dc1 administrator account.

Let's say the dsrm2 account password should sync with the dc2 administrator account.

How do I create a scheduled task according to my requirement?

Do I need to create an independent task in Task Scheduler on each DC? Please assist.
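As an added example (not from the post), one script can be deployed unchanged to every DC: it derives the sync account from the local computer name following the poster's naming scheme (dsrmdc1 on dc1, dsrmdc2 on dc2) and registers a scheduled task that runs the documented `ntdsutil "set dsrm password" "sync from domain account <user>"` command. The task name, schedule and the assumption that the DC's hostname matches the suffix of the account name are mine.

```powershell
# Added example: per-DC scheduled task that syncs the DSRM password from a DC-specific domain account.
# Run elevated on each DC. Account naming convention and schedule are assumptions.

$dcName      = $env:COMPUTERNAME.ToLower()   # e.g. dc1
$syncAccount = "dsrm$dcName"                  # e.g. dsrmdc1 (poster's naming scheme)

# ntdsutil copies the domain account's current password into the local DSRM administrator
$ntdsutilArgs = "`"set dsrm password`" `"sync from domain account $syncAccount`" q q"

$action    = New-ScheduledTaskAction -Execute 'ntdsutil.exe' -Argument $ntdsutilArgs
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName "Sync DSRM password from $syncAccount" `
    -Action $action -Trigger $trigger -Principal $principal -Force

# Confirm the task exists and which account this DC will sync from
Get-ScheduledTask -TaskName "Sync DSRM password from $syncAccount" |
    Select-Object TaskName, State, @{ Name = 'SyncAccount'; Expression = { $syncAccount } }
```

The sync is a one-time copy, so the task has to run again after each password change of the domain account; a daily run keeps the window short without needing a trigger tied to the change itself. Keep the dsrmdcN accounts out of privileged groups, since the only thing they are for is holding the password to be copied.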




DC - refuses administrator log on


History:  I migrated a 2003 domain to 2012 R2 (2 DCs), now native.  All was ok until my 1st reboot of the 2nd DC.  It lost its ability to communicate w/the domain.  I've demoted/removed it and am now on 1 DC until I can do some more testing.  DNS is now clean and dcdiag give a clean bill.  This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error, the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

A review of the event logs shows that at 4:30PM yesterday the scheduled backup (Win Backup) completed successfully. Then shortly after 5PM the system logged event 5823 (NETLOGON: The system successfully changed its password on the domain controller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.).

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

Domain controller login error "There is a time difference between client and server"


Hi,

We have a child domain B.A.local where A.local is the root domain. When I try to log on to a domain controller of the B.A.local domain with an A.local user ID and password (which is an enterprise admin), I get the error message "There is a time and/or date difference between the client and server". Not sure how to fix this as I am unable to log on. Also, when I try to log on to another domain controller in the B.A.local domain, it says incorrect username or password.

In ADUC of root domain, when I click "change domain", select the child domain, it says, it could not find the domain because, the username or password is incorrect.

Please help troubleshooting this issue. 

Thanks,

Umesh.S.K

Domain Accounts on Secure Host Baseline (SHB)


All,

I am using the Secure Host Baseline Server 2016 and have a question regarding the default user accounts within AD. The "Local" admin on the DC is "DoD_Admin". I have implemented LAPS on all endpoints for automatic password changes for the local accounts. However, LAPS will not work for the Domain Admin account. How do other orgs handle password changes for this account? Is it manual? How often is it changed? Is there another way to safely manage this Domain Admin account?

Brent E. 

Strange LDAP behavior


Preparing for the LDAP/s transition, I noticed some strange behavior that I can't explain. I used the ldp.exe tool to test these connections. I have successfully configured LDAP/s on port 636 as well as continuing to allow the standard non-SSL connections over 389. Here's the weirdness: one of our domains allows the tree to be browsed without performing a bind after connecting. It only works if the connection is made over 636 (SSL), not if made over 389.

So to sum up, if I connect over 389 without ssl, then attempt to browse the tree, I get the expected:

"Error comment: In order to perform this operation a successful bind must be completed on the connection"

If I connect over 636 with SSL, I am able to add the tree and browse all nodes.  

This is only happening in one of our domains, and it doesn't make any sense. There are no anonymous permissions delegated, but I can't see why that would even matter, since it only lets me browse when I'm connected via 636. Keep in mind I am not attempting a bind in either scenario. Thoughts?



Running application from Network share fails


Several users are experiencing problems running applications on network shares in the past few weeks.

One of the users is getting an error pop up: "The application was unable to start correctly (0xc0000006)". The others just see nothing happen at all when clicking on the application shortcut.

In all cases, two errors appear in the Application event log:

Event ID 1005

Windows cannot access the file  for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program WinReport because of this error.

Program: WinReport

Additional Data
Error value: C00000C4
Disk type: 0

or

Windows cannot access the file  for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Sage 100 because of this error.

Program: Sage 100

With the same additional data.

Event ID 1000 shows the faulting application:

Faulting application path: \\er-mas\apps\Sage\Sage 100 Advanced 2017\MAS90\Home\Pvxwin32.exe
Faulting module path: \\er-mas\apps\Sage\Sage 100 Advanced 2017\MAS90\Home\Pvxwin32.exe

Faulting application path: \\newera\common\winreport\WinReport.exe
Faulting module path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll

This is affecting applications on several application servers: er-mas is Server 2008 R2, and newera, er-files and hf-dc are 2012 R2.

This is affecting one user directly on their Windows 10 PC, and several users running these applications from Remote Desktop servers that are running Server 2016.

Also the mapped drives show the following message if you manually go to the UNC path and try to run the application: "This file is in a location outside your local network", even though it's a mapped drive on a server internal to our LAN.

removing forestdnszone/domaindnszone


Hello, I've encountered an environment where they've moved to Infoblox appliances for DNS. What is the best practice for removing the ForestDnsZones/DomainDnsZones partitions from AD and the replication scope? Should this be done? How best to approach it?

tia!!!


Reducing AD tombstoneLifetime


Hi, if I reduce the AD tombstoneLifetime value, do the tombstone objects immediately get cleaned up, or do they still wait the default 180 days to be removed? Also, what is the process that cleans up the tombstone objects after the lifetime has expired?

Thanks


Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill

HomeDrive field is not consistent between "Users and Computers" and Administrative Center


Users that were created in the past have Home Directories, but in some cases they do not map the drives at Login.

In Users and Computers console, the Drive letter is selected, but in Administrative Center the field is blank.

In PowerShell
$users=get-aduser -filter {HomeDrive -eq '*' }   -SearchBase $ou -Properties HomeDrive, HomeDirectory

produces a lowercase 'z' for HomeDirectory for users who have nothing listed in Administrative Center (while Users and Computers shows 'Z:' selected). Changing the drive letter in Users and Computers produces a correction everywhere, including when it is changed back to "Z:".

What could explain this inconsistency?
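As an added example (not the poster's code), the functions below report every user whose `homeDrive` value is not in the canonical `X:` form (lowercase letter, missing colon, stray whitespace) and normalize it with `Set-ADUser`, which is the same write the poster observed fixing the display in both consoles. The search base is an assumption; the repair honours `-WhatIf` so it can be previewed first.

```powershell
# Added example: find and normalize non-canonical homeDrive values.
# Search base is a placeholder; run with -WhatIf before applying.
Import-Module ActiveDirectory

function Get-NonCanonicalHomeDrive {
    param([string]$SearchBase = 'OU=Users,DC=example,DC=com')   # assumption
    Get-ADUser -Filter 'HomeDrive -like "*"' -SearchBase $SearchBase -Properties HomeDrive, HomeDirectory |
        Where-Object { $_.HomeDrive -cnotmatch '^[A-Z]:$' } |     # case-sensitive: 'z' and 'z:' are caught
        Select-Object SamAccountName, HomeDrive, HomeDirectory
}

function Repair-HomeDrive {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$User)
    process {
        # Normalize to a single uppercase letter followed by a colon
        $fixed = $User.HomeDrive.Trim().TrimEnd(':').ToUpper() + ':'
        if ($fixed -match '^[A-Z]:$' -and
            $PSCmdlet.ShouldProcess($User.SamAccountName, "set HomeDrive '$($User.HomeDrive)' -> '$fixed'")) {
            Set-ADUser -Identity $User.SamAccountName -HomeDrive $fixed
        }
    }
}

# Preview first; drop -WhatIf to apply
Get-NonCanonicalHomeDrive | Repair-HomeDrive -WhatIf
```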

How to block administrator

I'm not impressed with this computer, which won't let us do anything.

What is the best practice about User Lifecycle Management in AD


I am auditing one of my customer's AD and I find that when a user leaves the organisation, their user ID is put into a disabled state and moved into a particular OU.

The disabled users, or users who have left the organisation, stay in that OU forever, and there is no lifecycle measurement or garbage collection happening periodically to remove very old users.

I would like to know, in real-life scenarios and as a best practice, whether it is good practice to keep users in a disabled state in a particular OU, or whether users should first be disabled for a certain amount of time and then marked for deletion from the OU after a certain period.

If option 2 is the right one, how can this be achieved, or what is the best way to achieve it?

Thanks


Pallab Chakraborty
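As an added example (not from the post), the script below implements the two-stage lifecycle the question calls "option 2": a leaver is disabled, moved to the leavers OU and stamped with the disable date; a second function then reports accounts whose stamp is older than the retention period so they can be removed. The OU, the retention period, and the use of the `info` attribute for the stamp are assumptions (the `info` attribute is in the base schema; `extensionAttribute1` would need the Exchange schema).

```powershell
# Added example: disable-then-delete lifecycle for leavers.
# OU, attribute choice and retention are assumptions.
Import-Module ActiveDirectory

$leaversOu     = 'OU=Disabled Users,DC=example,DC=com'   # assumption
$retentionDays = 90                                      # assumption

function Disable-Leaver {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser $SamAccountName
    Disable-ADAccount -Identity $u
    # Stamp the date so retention is measured from the disable, not from later edits
    Set-ADUser -Identity $u -Replace @{ info = "disabled=$((Get-Date).ToString('yyyy-MM-dd'))" }
    Move-ADObject -Identity $u -TargetPath $leaversOu
}

function Get-ExpiredLeavers {
    $cutoff = (Get-Date).AddDays(-$retentionDays)
    Get-ADUser -Filter { Enabled -eq $false } -SearchBase $leaversOu -Properties info, whenChanged |
        ForEach-Object {
            # Prefer the explicit stamp; fall back to whenChanged for accounts disabled before stamping existed
            $since = if ($_.info -match 'disabled=(\d{4}-\d{2}-\d{2})') { [datetime]$Matches[1] } else { $_.whenChanged }
            if ($since -lt $cutoff) {
                [pscustomobject]@{ SamAccountName = $_.SamAccountName; DisabledSince = $since }
            }
        }
}

# Stage 2 as a report; deletion stays a separate, confirmed step
Get-ExpiredLeavers | Export-Csv -Path .\expired-leavers.csv -NoTypeInformation
# Get-ExpiredLeavers | ForEach-Object { Remove-ADUser -Identity $_.SamAccountName -Confirm }
```

The disabled stage matters for more than tidiness: a disabled account still holds group memberships and SIDs that show up in ACLs, so the report is also the point to strip group membership, and the AD Recycle Bin (if enabled) gives the final deletion its own recovery window.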

How to import and export Active Directory users and computers?


Hi All,

How do I import and export Active Directory users and computers?

Kindly provide the best solution.
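As an added example (not from the post), the functions below export the commonly needed user and computer attributes to CSV and re-create users from such a CSV in a target OU. Password hashes cannot be exported this way, so each imported user gets a random one-time password and must change it at first logon; computer objects are exported for inventory only, since a computer account's secret is only re-established by rejoining the machine. The output directory and target OU are assumptions.

```powershell
# Added example: CSV export of users and computers, and CSV import of users.
# Paths and OU are placeholders; passwords are never part of the export.
Import-Module ActiveDirectory

function Export-AdUsersAndComputers {
    param([string]$OutDir = '.\ad-export')   # assumption
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    Get-ADUser -Filter * -Properties GivenName, Surname, DisplayName, EmailAddress, Department, Title |
        Select-Object SamAccountName, GivenName, Surname, DisplayName, EmailAddress, Department, Title, Enabled, DistinguishedName |
        Export-Csv -Path (Join-Path $OutDir 'users.csv') -NoTypeInformation

    Get-ADComputer -Filter * -Properties OperatingSystem, Description |
        Select-Object Name, DNSHostName, OperatingSystem, Description, Enabled, DistinguishedName |
        Export-Csv -Path (Join-Path $OutDir 'computers.csv') -NoTypeInformation
}

function Import-AdUsers {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$TargetOu   # e.g. 'OU=Imported,DC=example,DC=com' (assumption)
    )
    Import-Csv -Path $CsvPath | ForEach-Object {
        # Skip accounts that already exist so the import can be re-run safely
        if (Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'") { return }

        # Random one-time password from the OS CSPRNG; the user must change it at first logon
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $tmpPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

        New-ADUser -SamAccountName $_.SamAccountName -Name $_.DisplayName `
            -GivenName $_.GivenName -Surname $_.Surname -DisplayName $_.DisplayName `
            -EmailAddress $_.EmailAddress -Department $_.Department -Title $_.Title `
            -Path $TargetOu -AccountPassword $tmpPwd `
            -Enabled ([bool]::Parse($_.Enabled)) -ChangePasswordAtLogon $true
    }
}

Export-AdUsersAndComputers
# Import-AdUsers -CsvPath .\ad-export\users.csv -TargetOu 'OU=Imported,DC=example,DC=com'
```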
