Channel: Directory Services forum

Local account locking out domain account with the same name


We have a 2012R2 Standard Application server that has a local account configured that is used for the day to day operations of the locally installed application. We have a domain account with the same name but with a different password that is used for a service that performs file copies and print jobs to network locations.

We are seeing that the domain account is getting locked out even when the domain account is not in use or the service is not running. From the event logs on the DC (2016) we can see that the domain account is getting locked out from the 2012R2 application server but it would appear that the local account is querying and locking out the domain account?

I have seen other articles in which this is referenced. Can you advise whether this is expected behavior and why the local account would be attempting to authenticate against the domain?


Sidhistory vs Recursive group membership vs access token

Hello,

I migrated users and groups from the source to the target domain using sidHistory of both users and groups. So when a user logs in to the target domain and the access token is built,

Please confirm if it contains:

SID of the target domain user account
SIDs of the target domain groups of which the user is a direct member
sidHistory of the target domain user account (SID of the source domain user account)
sidHistory of the target domain groups (SIDs of the source domain groups) of which the user is a direct member

Now my questions are

1- Does the access token also contain SIDs for all recursive target domain groups of which the user is an indirect member?
2- Does the access token also contain sidHistory for all recursive target domain groups (SIDs of source domain groups) of which the user is an indirect member?

What I mean by recursive group membership is, for example: User (source/target) is a member of Group1, Group1 is a member of Group2, Group2 is a member of Group3, and so on.

Kindly reply specific to all points mentioned above.

G-ONE

ADMT Migration errors


Using ADMT to migrate AD contents from one domain to a new one.

We're able to migrate users and groups without any problems, but are running into a persistent error trying to migrate workstations and servers.

It looks like ADMT can't copy the configuration file down to the machines.

ADMT is using our Domain Administrator account. We tried disabling Windows Firewall on the target machines, but no luck.

[Agent Dispatch Section]

2020-05-05 14:25:25 Read 23 accounts from the database that were previously migrated from the domain 'domain.local' to the domain 'domain.com'

2020-05-05 14:25:25 Created account input file for remote agents: Accounts000010.txt

2020-05-05 14:25:25 WRN1:7817 Cannot store account file 'c:\Windows\ADMT\Logs\Agents\Accounts000010.txt' in database. A retry of this operation can only be performed on the  machine that the operation was originally performer on.

2020-05-05 14:25:25 Installing agent on 1 Servers

2020-05-05 14:14:43 The Active Directory Migration Tool Agent will be installed on FS01.domain.local

2020-05-05 14:14:45 Error in OpenFileInfo(): FindFirstFile(  C:\Windows\ADMT\Logs\Agents\Accounts000010.txt) rc=2 The system cannot find the file specified.

Configure LDAPS TLS


Hello,

I ran into a strange scenario where an AD server requests a client certificate whenever one initiates a TLS session to reach the LDAP server.

We use hardware tokens which are PIN protected. People using a specific application get prompted for the PIN code by their Windows workstation each time a TLS session to the LDAP server is initiated. This looks like normal behaviour - the server requests an optional certificate, and the client uses a valid PKCS#11 driver to pull a potential certificate from a token. However, the users are prompted for the PIN code every other minute and it's starting to become a problem.

Is there a way to configure the LDAP server, or maybe the Schannel library responsible for this, to NOT request a client certificate?

The DCs are Windows 2012r2 servers.

Using GMSA Account for LDAP Bind/Search in Java Application


This question is related to: Group Managed Service Accounts

Use Case:

We have customers who have configured a gMSA account for running services and connecting to SQL Server. We also have a Java-based authentication facade that connects to Active Directory to search for and authenticate users.

The customer is requesting that we use the gMSA account to do the LDAP bind when connecting to and searching for users in Active Directory, instead of the currently provisioned service account and password.

Question/Assistance/Help:

Can a gMSA account be used in a Java application? i.e. can we use a gMSA account to do an LDAP bind and search from Java?

I tried a C# utility which requests the gMSA password; however, our Java bind does not work with the gMSA account and the retrieved gMSA password.

We used steps similar to those pointed out in dsinternals.com - retrieving-cleartext-gmsa-passwords-from-active-directory to get the gMSA password.

A test C# program can retrieve the gMSA password and can bind to LDAP and search users using the gMSA account and gMSA password - all running on the same machine, which is permissioned to retrieve the gMSA password as per gMSA requirements.

However, using the same gMSA account and retrieved gMSA password does not work with Java - neither simple bind nor bind via Kerberos GSSAPI.

Again, this is running on the same machine which is permissioned to retrieve the gMSA password.

We get the following error:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]

This indicates the credential is invalid.

Any pointers much appreciated - Thank you.


Domain Users accidentally added to the Administrators group in Active Directory and get re-added because of AdminSDHolder

Because we wanted to apply a password policy to our domain we disabled block inheritance on the domain controllers OU.

But we did not know there was a GPO active at domain level that would add the local administrator and the domain users to the built-in Administrators group. Really bad design... but even worse, we did not notice.
This GPO is no problem for the workstations, but for the domain controllers it is!
This meant all the domain users suddenly were members of the Administrators security group. Something you really don't want.
When we noticed, we deleted the membership.

But because of AdminSDHolder, the membership gets re-added after some time.
How can we prevent the re-adding of the membership to the Administrators group?

Kind regards,

Richard

2012 Active Directory Restore Plan Best Practice


I have one surviving VM DC in the environment that holds no FSMO roles. It's virtual.

My primary DC contains all FSMO roles (all servers are 2012) and it's dying.

1. My plan is to transfer the FSMO roles to the virtual DC.

2. Demote the old server.

3. Skip the process of restoring the other VM DCs from backup and just create new DCs and have them talk to the new virtual DC holding the FSMO roles.

4. Clear metadata of the decommissioned DC using ntdsutil.

5. Remove references to the removed server from DNS.

6. Delete the old server from Sites and Services.

Repeat steps 4-7 for all the other VM DCs that were replaced by newly spun up DCs.

This should avoid painful lessons and keep me in the clear with no surprises in 90 days, correct?

Or is there a painful piece of information I'm overlooking?


Forest recovery


Hello team

We are upgrading the DFL to 2012 R2 from 2003,

and if we then have to roll back, the only option is forest recovery.

Can anyone advise which method is the best way:

1) system state restore

2) bare-metal backup restore

We have 4 DCs in the parent domain and 21 DCs in the child domain.

Which will be quicker?

and we have Manufacturing Unit and hence cannot without confirmation

any other suggestion is also welcome

Please advise

regards

Aamir Masthan


NA


How to find out which users are going to be disabled and how to send out a request for approval to extend to manager?


I'm new to this, so bear with me please...

We have contractors that have access to, well, everything until their contract ends. What I need to do is a bullet list of things, and if I can find a way to do it, it would be greatly appreciated.

  1. Search for users that are going to lose access within two weeks.
  2. Send a request to the reporting manager asking if the user's contract is to be extended.
  3. Send the manager's response to an email address which will be checked by us.

Is this possible using the Active Directory Admin Center? 


Limit users who query AD ldap


Hi,

How do I prevent ordinary users from querying LDAP? We have an application for which we had one account used by the application to connect to AD LDAP. What we have noticed is that ordinary users can run queries against LDAP. Can we apply delegation so that ordinary users cannot query? If so, what would the permissions be? If we apply these permissions, will it prevent them from logging in to the domain controller or using some other services?

Thanks,

Janus

Account Lockout Policy


Current settings :-

Account Lockout Duration - 0 minutes
Account Lockout Threshold - 5 invalid login attempts
Reset account lockout counter after - 60 minutes

I understand with above settings the user will never get unlocked automatically but admins will have to unlock the account.

I'm just confused by the below statement from the "Reset account lockout counter after" setting:

"If Account lockout threshold is set to a number greater than zero, this reset time must be less than or equal to the value of Account lockout duration"

As you see, the reset time (60 minutes) in my settings is not less than or equal to the value of the account lockout duration (0 minutes). Is that wrong, or what will the impact be?

Thanks



Add a new attribute to the user object.


Hi everyone!

  How can I add a user attribute to the AD dictionary? I would like to add a new field to the user object. Is there any how-to material? Could someone share it, please?

Thanks.


Doria

IT

no active directory yet fsmo roles are shutting down server 2012 r2

Azure AD Domain Services with Multiple Azure AD Domains


Hello Experts,

I'm evaluating the use of Azure AD Domain Services in Azure.

So the scenario is this... I have an AD forest with multiple subdomains; these subdomains are currently being synced with Azure AD using AD Connect.

Now I want to spin up a new Azure AD Domain Services instance in Azure that will connect to Azure AD. My question is can an instance of Azure AD Domain Services sync with multiple replicated domains in Azure AD?

Regards,

Shola Lawani

migrate from 2008


hi guys,

Is it feasible to install Active Directory 2016 in an organization running Active Directory 2003 and 2008?

I am planning to migrate to 2016.

many thanks


Delegate permission to a user in a specific organizational unit in Active Directory 2012


Hello Dears,

We have to delegate permission to a specific IT support account in a specific organizational unit, which belongs to all of the IT support team, to enable and disable their accounts. I did all the steps for delegation of control on the IT support OU, but it is not working, because all the IT members are members of another security account to have permission to join computers to the domain.

Any solution is kindly appreciated.

Delegate 'info' attribute for security groups


Hi,

I need to delegate the 'info' attribute for security groups in our Active Directory environment. Since this attribute is not available in the delegation wizard, I checked the dssec.dat file, but it's not even there. Any ideas how modification of this attribute can be delegated to a user or a security group?

Thanks in advance!

How to find, using a PowerShell command or script, AD users disabled in the last 3 months on Windows Server 2008/2012?

How to find, using a PowerShell command or script, AD users disabled in the last 3 months on Windows Server 2008/2012?

Allow members of a group to manage each other


We have an issue that I am hoping to figure out with some assistance. We currently operate a domain that uses the standard practice of least privilege. We have delegated tasks to security groups and all tasks are working as expected, with the exception of one.

Users in a security group that has delegated privilege are unable to perform management actions for users that reside in the same security group.

Example:

Admin A locks out an account and is a member of security group A. Admin B, who is also a member of security group A, attempts to unlock the account and receives access denied. Additionally, neither admin can modify any attributes of any other account that belongs to security group A.

I know this is a delegation restriction, but I also know that it can be changed. I just haven't found the search term that gets me what I am looking for; all my searches return how to allow a group to manage other objects, not how to delegate to a group to manage itself.

Thanks for the help

How to tell how many computer accounts a specific user has joined to the Domain?


How to tell how many computer accounts a specific user has joined to the Domain?

Our domain has a "25" limit in the quota related to how many PCs can be joined to the domain (as seen by ADSI).

I don't know why it is "25" instead of "10", the default, but it's not important right now.

The important question is:

How to tell, looking at a specific user, how many times he used that privilege?

We're deploying MS Intune and some test users are being denied when adding their PCs to Azure AD, so maybe we're using IT users who already used up their quota in the on-premise AD domain; we're not really sure if this even makes sense.

Anyway, the thing here is to know about the "quota" of a particular user, and whether it was reached.

