Password settings container in AD deleted
"Enable computer and user accounts to be trusted for delegation" right is disabled for the Administrator account despite the delegation option in the "AD Computer Properties" being "Trust this computer for delegation to any service (Kerberos only)"
Hi all,
The "Enable computer and user accounts to be trusted for delegation" right is disabled for the Administrator account, as shown below,
despite the delegation option having been changed to "Trust this computer for delegation to any service (Kerberos only)", as shown below.
I am doing this to change the name of the domain controller, which requires the above-mentioned right, or else I get an "access denied" error.
Please tell me how to enable the above-mentioned right for the current user, who is Administrator?
Thanks in advance
Joe
How can I display the Active Directory attribute msDS-GroupMSAMembership value on a UI? Its syntax is the NT Security Descriptor type.
I have set the value of -PrincipalsAllowedToRetrieveManagedPassword, which indirectly updates the attribute 'msDS-GroupMSAMembership' in Active Directory, and its syntax is "NT Security Descriptor".
Now I want to retrieve the valid value through Java code which I had set during its creation (maybe the distinguished name or any other name).
Any help would be most welcome!
Can I create an LDAP query against AD that requires SamAccountName to be at least 6 characters?
Hello
Can someone please help me with a question? I want to use an LDAP filter (I do not want to use a PowerShell cmdlet).
If I have two users whose SamAccountNames are Fred and Anthony,
I know I can use an LDAP filter like SamAccountName=*, but is there a filter to say SamAccountName must be at least 6 characters?
For example, with a RegEx query I could do
".{6}"
The above meaning it must be at least 6 characters long (any character). Is something similar possible with LDAP queries?
Thanks all in advance
CXMelga
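An added example, not part of the original post or any answer to it: a standard LDAP search filter (RFC 4515) has equality, substring, presence and ordering matches but no length operator, so the length constraint cannot be expressed server-side against AD. The practical pattern is to keep the cheap part of the filter on the server (presence plus an objectCategory narrowing) and apply the length check on the client. The function name, the minimum length and the search base are assumptions for this illustration.

```powershell
# Added example (not from the thread): server-side LDAP presence filter,
# client-side length check. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UserWithMinNameLength {
    param(
        [int]$MinLength = 6,                         # assumed threshold
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Everything LDAP *can* evaluate goes into the filter: object class and
    # presence of sAMAccountName. Ask only for the attributes we need.
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))'

    Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase `
               -Properties sAMAccountName -ResultPageSize 500 |
        # The length test is not expressible in LDAP, so it runs here.
        Where-Object { $_.SamAccountName.Length -ge $MinLength } |
        Select-Object SamAccountName, DistinguishedName
}

# Fred (4 chars) is dropped, Anthony (7 chars) is kept.
Get-UserWithMinNameLength -MinLength 6
```

Because the server returns every user and the client discards the short names, scope the -SearchBase as tightly as possible in a large directory; the `objectCategory=person` term is indexed and keeps the server-side work small.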
GMSA login failure after reboot
We have a gMSA set up for SQL Server for an Availability Group, but since a week ago we have encountered an issue. Every time we reboot the server, the gMSA account is not able to log on to the server with the correct credentials. The only solution is going to Services -> Log On tab, deleting the password field and hitting Apply (the default process for setting a gMSA login). The weird thing is this happens only on one of the nodes of the AG. The other node (where it works) is in the same domain and OU.
Test-ADServiceAccount returns True on the faulty server, PrincipalsAllowedToRetrieveManagedPassword contains both of the nodes, I tried both DOMAIN\user and user@DomainFQDN, the gMSA has the Log on as a service right, and the gMSA group contains both of the servers.
Does anyone have a suggestion on what could make the gMSA unable to get its credentials when the VM starts up? Let me know if you need any additional info.
Thanks!
Prevent the laptop from connecting to non domain resources when off network
We have a single forest/single domain environment. We identified an issue that a domain-joined laptop can connect to a home printer. We are looking for a way to prevent the laptop from connecting to non-domain resources when it is off network. What are our options?
Active Directory Domain Services error message
Hi,
I am facing a problem with my DC (Windows Server 2019). I get an error message when I launch Active Directory Users and Computers:
Error message:
Naming information cannot be located because the library is not registered.
Two DCs, DC2 doesn't work after turning off DC01
Hello Guys,
I need some help. This is my situation: I had DC00 running Windows Server 2008 R2, but we decided to move to Windows 2012 Standard. I used a virtual machine (Win2012) to set up a simulation, moved all the FSMO roles to the virtual machine, and it was working fine. I wiped the 2008 server and set up my new 2012 Standard, transferred all the roles from the VM, but when I shut down the VM the whole AD DS was gone!
Any advice on this?
Convert a Global group to Local
Hi,
I'm unable to convert a global group to a local group?
Should I create a new group?
"WhenChanged" Attribute timestamp updates without having made changes.
We have a Windows 2012 R2 based forest root domain with four DCs.
We are noticing that the "WhenChanged" attribute for many users, even for those who are disabled, keeps updating to some latest date and time on all domain controllers, although the users and admins are sure that no object changes in AD have been carried out.
Why could this be happening?
Issue adding relying party - An error occurred during an attempt to read the federation metadata
Hi,
I followed this guide to set up an ADFS 2.0 lab environment. The only difference is that I did not set up the ADFS server and the WIF application on the same box but rather on two different ones.
My server configuration is as follows:
- Server 1 - win 2008 R2 - Domain Controller, DNS
- Server 2 - win 2008 R2 - CA, ADFS
- PC 3 - win 7 - Development environment
I successfully created my ADFS configuration STS and could add that as an STS reference in the .NET application in Visual Studio 2008 on my dev environment. I then needed to configure the WIF application to be a valid trusted relying party and followed these steps:
- Created an SSL certificate request
- Submitted an SSL request and issued it via the CA
- Installed it on the Development environment
- Ran the ADFS 2.0 'Add Relying Party Trust Wizard'
- Got stuck with trying to find the Federation metadata address of the dev environment
No matter what URL I put in (https://win7dev.mydomain.com/ClaimsAwareWebAppWithManagedSTS is what it is on my dev environment IIS), I just cannot seem to get this going.
I can run my app now from the ADFS box by connecting to https://win7dev.mydomain.com/ClaimsAwareWebAppWithManagedSTS, but that URL just would not work when adding it as a trusted relying party :(
Could a certificate mismatch error be the problem?
Thanks
Mike
Network Path Cannot Be Found for Windows Server 2016
I have been through all the online help forums, videos, and other online research and I cannot seem to find a solution to my problem. I was trying to access folders located on the file share service on the DC and am unable to access them, as I get the error code 0x80070035, which is "Network path cannot be found".
Also, my silly doubt is: could this happen due to a malware infection?
Please reply to my question. Thanks in advance.
I want the local user's (previous) profile to be available in the Active Directory user
Dear Team,
I joined one user to Active Directory, but I want to take the previous profile's tools (for example: mail, software, other shortcut tools in the previous profile) over to the Active Directory user. How can I move the previous user profile to the AD user?
Event ID 1005 - ADWS on domain controller 2016.
Hi,
I am getting Event ID 1005 - ADWS on domain controller 2016.
Detail :
Active Directory Web Services could not change its advertising state. The Netlogon service might not be running. Restart Netlogon and then restart Active Directory Web Services. Desired state: True
Please help me solve this problem.
Thanks and best regards.
Newest LastLogon date is very different than LastLogonDate
I'm working on collecting user logon data for audit and governance purposes. We want to disable accounts after a certain amount of inactivity. Previously we had been using LastLogonDate but I know that date is fuzzy and also can change even when a user doesn't log in (such as when the account has permissions to a file share and those permissions are enumerated by someone else.) Due to that, I decided that I would hit each Domain Controller and grab the LastLogon attribute which I understood would be accurate. An example of which is below.
$LastLogon = (Get-ADuser User1 -Server DomainController1 -Properties lastlogon | select @{Name="lastLogon";Expression={[datetime]::FromFileTime($_.'lastLogon')}}).lastlogon
The problem that I've found is that even though I've hit all the DCs, the newest LastLogon date I have for an account is 7/27/19, but if I check the LastLogonDate (get-aduser User1 -properties LastLogonDate) then I get a date of 2/20/20.
I know this is an active account, so I want to understand why the LastLogon attribute is incorrect. Since the account in question is a service account used for a network monitoring tool, I'm positing that only certain types of logons change the LastLogon, but I don't know for certain and am hoping someone can explain how that date change is triggered.
Thanks in advance!
WB
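An added example, not part of the original post: the post's one-liner reads lastLogon from a single DC, and because lastLogon is never replicated, an inactivity decision has to take the newest value across every DC and then compare it with the replicated lastLogonTimestamp (which LastLogonDate is derived from, and which by default is only refreshed when the stored value is more than 9 to 14 days old). The function below collects both for one account so the two dates can be compared side by side; the function name and the sample account are assumptions.

```powershell
# Added example (not from the thread): gather lastLogon from every DC and
# compare the newest value with the replicated lastLogonTimestamp.
Import-Module ActiveDirectory

function Get-EffectiveLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $perDc = foreach ($dc in $dcs) {
        try {
            # lastLogon is stored locally on the DC that processed the logon
            # and is not replicated, so each DC must be asked individually.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon
            [pscustomobject]@{
                DC        = $dc
                LastLogon = if ($u.lastLogon) { [datetime]::FromFileTime($u.lastLogon) } else { $null }
            }
        } catch {
            # An unreachable DC must be visible in the output, not silently skipped:
            # a missing value could otherwise make an active account look stale.
            [pscustomobject]@{ DC = $dc; LastLogon = $null; Error = $_.Exception.Message }
        }
    }

    # lastLogonTimestamp is replicated, so any DC will do.
    $ts = (Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp).lastLogonTimestamp
    $newest = ($perDc | Where-Object LastLogon | Measure-Object -Property LastLogon -Maximum).Maximum

    [pscustomobject]@{
        SamAccountName      = $SamAccountName
        NewestLastLogon     = $newest
        LastLogonTimestamp  = if ($ts) { [datetime]::FromFileTime($ts) } else { $null }
        DcResults           = $perDc
        Unreachable         = @($perDc | Where-Object Error).Count
    }
}

# Assumed account name for illustration.
Get-EffectiveLastLogon -SamAccountName 'User1' | Format-List
```

If NewestLastLogon is older than LastLogonTimestamp after every DC has answered, the logon that refreshed the timestamp was recorded on a DC that is no longer in the list (for example one that has since been demoted or rebuilt), which is why the per-DC results and the unreachable count are returned rather than only the maximum.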
Multiple CAs - Autoenrollment on network level
Hi,
We have multiple CAs in various sites. If a client or user requests a certificate, which CA will be addressed first? Which aspects does it depend on, and how can it be controlled which CA is used for autoenrollment?
We have some cases where the client/user of site A receives a certificate from a CA on site B, and not from site A, for example.
Single Forest and Single Domain vs. Multiple Forests with Multiple Trees and Domains
Dear Experts,
We are working with a customer having 6 entities with 6 separate domains.
Recently the customer is planning to use Azure Active Directory, move to the cloud, and start using Office 365 workloads.
We have suggested AD consolidation of the multiple ADs and then moving to Azure Active Directory.
However, the client is insisting on maintaining multiple ADs and then using a single AD Connect server to sync to Azure AD.
Though this is supported, we would like to hear about the disadvantages/limitations of this setup.
E.g.: how will Password Writeback work?
What about policies that the customer wants to implement via Azure AD: which domain would they apply to?
What if Intune / EMS is required to control Windows 10 machines?
Kindly advise.
Regards - Hasan Reza
New AD Domain Setup server 2019
Hi all,
It is a long time ago that I created a new domain.
I used to create a domain with .local,
but I understand that's a bad idea.
I have to set up a new Server 2019 in a new domain.
If my top level is, for example, company.com,
should I use that as the domain name?
Or is it better to use corp.company.com or something else like ...?
DCDiag & Repadmin Deep Dive!!
Hi Team,
Could you please share any link or provide information about the DCDiag and Repadmin tools' functionality, and how each test works and fetches its details?
Finding the source of repeated AD account lockouts
Hello,
On a Windows Server 2008 R2 domain, I have turned on auditing to try and determine the source that keeps locking out an admin account every 30 minutes or so. Looking at the security event log on our domain controllers, I see Event IDs 4740 and 4776 that correspond to each account lockout instance. The problem is that the Caller Computer Name is blank for Event ID 4740 and the Source Workstation is also blank for Event ID 4776.
I am using Microsoft's Account Lockout Status, as well as a few other account lockout troubleshooting tools, to try to identify a device name or IP address. The closest I've found is a machine named "RDESKTOP", which just tells me it is being caused by some remote desktop device.
Does anyone have any suggestions on how to determine the name or IP address of RDESKTOP so that I can track it down and ultimately figure out where an old password is being repeatedly used, causing a user's AD account to be locked out every 30 minutes or so?
Thank you in advance for any advice or suggestions on how to track down the real source of the constant account lockouts.
-Marc
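An added example, not part of the original post: when the Caller Computer Name in 4740 and the Source Workstation in 4776 are blank or unhelpful, the Kerberos pre-authentication failure event 4771 on the DC that rejected the password still carries the client's IP address, and lockouts are always reported to the PDC emulator, so the PDC is the one place where every 4740 for the domain can be read. The function below reads 4740 from the PDC, then scans every DC for 4771 (status 0x18, bad password) and 4776 (status 0xC000006A, bad password) for the same account and lists the source IPs and workstation names it finds. The function name, the sample account and the look-back window are assumptions for this illustration; it must run with rights to read the Security log on each DC.

```powershell
# Added example (not from the thread): correlate 4740 on the PDC emulator
# with 4771/4776 bad-password events on every DC to find the source address.
Import-Module ActiveDirectory

function Find-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$HoursBack = 4                           # assumed look-back window
    )
    $since = (Get-Date).AddHours(-$HoursBack)
    $pdc   = (Get-ADDomain).PDCEmulator
    $dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # Turn the EventData block of an event into a hashtable keyed by field name.
    function ConvertFrom-EventData($event) {
        $data = @{}
        foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $data
    }

    # 1. Lockouts: every 4740 in the domain is written on the PDC emulator.
    $lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
                    LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $d = ConvertFrom-EventData $_
            if ($d.TargetUserName -eq $SamAccountName) {
                [pscustomobject]@{ Time = $_.TimeCreated; Event = 4740; DC = $pdc
                                   Caller = $d.TargetDomainName; Source = $null } } }

    # 2. Bad-password attempts: 4771 (Kerberos, has IpAddress) and 4776 (NTLM,
    #    has Workstation) are logged only on the DC that rejected the attempt.
    $attempts = foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $d = ConvertFrom-EventData $_
            $badPw = ($_.Id -eq 4771 -and $d.Status -eq '0x18') -or
                     ($_.Id -eq 4776 -and $d.Status -eq '0xc000006a')
            if ($badPw -and $d.TargetUserName -eq $SamAccountName) {
                [pscustomobject]@{ Time = $_.TimeCreated; Event = $_.Id; DC = $dc
                                   Caller = $d.Workstation
                                   Source = ($d.IpAddress -replace '^::ffff:', '') } } }
    }

    @($lockouts) + @($attempts) | Sort-Object Time
}

# Assumed account name for illustration.
Find-LockoutSource -SamAccountName 'adminuser' | Format-Table -AutoSize
```

The 4771 IpAddress column is the address the Kerberos client actually connected from, which is what identifies a device whose reported hostname is not resolvable; if the address belongs to a NAT gateway, VPN concentrator or RD Gateway, the next hop is that device's own connection log for the same timestamps.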