Channel: Directory Services forum

question admins in builtin administrator group getting kicked out randomly in active directory

Good morning guys, recently I've been having issues where some of our users who were members of the built-in Administrators group in Active Directory keep getting randomly kicked out of the group. What I've been doing is heading into the admin server and re-adding the administrators to the group and then pressing Apply after I add them (do I also have to run a gpupdate?), and then after a while I go back to check and they are removed from the member list of the Administrators group again. I have checked in the audit logs and it seems to be kicking them off, but no one in my department is going in there and removing users. Another thing that has happened is our domain users are no longer administrators on their own devices, so they can't access Task Manager, for example, without having to input administrative credentials. How can I fix this issue? Also, when I try to make a user a domain administrator on that device I get access denied. We recently had to reboot our servers and had an AD sync; not sure if either of those could cause a problem. Thanks in advance for your help.

upgrade additional 2008 ad server


Hi

In our environment we have a 2012 R2 DC server with all the roles in it.

We also have a 2008 R2 server that functions as a secondary DC; we would like to upgrade it to Server 2012 R2.

Is there anything I should do except upgrading the OS?

Laps Active Directory Schema


When trying to update the schema for LAPS, I am using the following code:

Import-Module AdmPwd.PS

Update-AdmPwdADSchema

I am in a Server 2019 lab environment; functional levels are both at 2016 (there is no 2019).

But I get the following error when using the Update-AdmPwdADSchema command:


Update-AdmPwdADSchema : An operation error occurred.
At line:1 char:1
+ Update-AdmPwdADSchema
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema

Anyone who knows what I am doing wrong?

regards,

Johan

Temp file cab_xxxx


Dear all

We are running a domain controller on Server 2008 R2 and I am running out of space on the C: drive. Does anyone know what program can create files in the Windows\Temp folder that begin with cab_xxxx (four digits typically)? These files are building up; one of every four is 41 MB in size; the rest are usually 0 bytes. Any ideas?

Thanks

MS


Difference: Delegwiz.inf vs Dssec.dat


Role-based delegation vs Object-type delegation


Hi,

What is the difference between role-based delegation and object-type delegation? Can somebody give me some examples of both types? How do you delegate something like DC cloning? Normally you add a member to the Cloneable Domain Controllers group.

I need to understand this topic. Thank you!

connect Windows10 to Active Directory

I have Windows Server 2016 on a cloud server, and want to use it as AD DS.

After installing AD DS / DNS on the server, I joined the server domain, but there is a problem connecting with the corporate PC (Windows 10 Pro).

The nslookup and host commands could get the IP for the domain.
However, I couldn't connect to the Windows server.

Is it a problem that I am trying to connect to another network range using a public IP?
If so, is there any way to connect it?

====== error message. (it is not exact, translated) ======

The following domain controllers were verified in the query:

{server name}.{test domain}              <---- just 'test.com' also didn't work.


But, the connection to the domain controller failed.

Common causes of this error are:

- Host (A) or [AAAA] record mapping the name of the domain controller to an IP address does not exist or has an invalid address.

- Domain controllers registered in DNS are not connected to the network or are not running.

Bitlocker recovery password


I am using a C++ program to search an Active Directory using IDirectorySearch (ref: https://docs.microsoft.com/en-us/windows/win32/adsi/searching-with-idirectorysearch).

For computer objects this function is able to fetch all attributes except the 'msFVE-RecoveryPassword' attribute, and instead returns '0x80005010' (E_ADS_COLUMN_NOT_SET) on calling the GetColumn function. All other attributes, including other BitLocker attributes like 'msFVE-RecoveryGuid', are fetched properly.

The password is visible in the ADUC properties page of the computer object and also through the BitLocker Recovery Password Viewer. Since 'msFVE-RecoveryPassword' is not available in the Security tab -> permission list, I am not able to find out if the user credentials used in the program have read permission on the attribute. But since 'msFVE-RecoveryInformation' has a common delegation, it might not be a permission issue.

Any suggestion or troubleshooting step would be really helpful.

Thanks in advance.


AD Users and Computers Hang


Hello,

When I try to unlock a user account or reset a password, the user properties window hangs and takes about 3 minutes to apply the change.

This is a child domain, containing 3 sites.

Every site has 2 DCs.

The issue is only at one of the sites, at both DCs.

KRBTGT password reset

Hi,

I have read a few articles in the Active Directory forum regarding KRBTGT account password reset.

Microsoft says that only when recovering the domain from disaster recovery or a compromise situation is it recommended to reset the KRBTGT account password.

Can someone say whether resetting the KRBTGT password is really required on a regular basis?


Unable to find cause of account lockouts


We are having accounts get locked out. From the logs on the DC, in the security log we see event ID 4776 for these users, but the source workstation is blank. On the DC we have the netlogon log and I can see an entry saying it's coming from our Wi-Fi RADIUS server; on the RADIUS server there is an entry in its netlogon log, however it doesn't tell me where the attempt is coming from, and the RADIUS logs themselves don't have any entries related to the users getting locked out. Is there any way I can tell what's causing this?



DC

02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\USER from  (via RADIUSSVR) Entered
02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\USER from  (via RADIUSSVR) Returns 0xC000006A

Radius server

02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\USER from  Entered
02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\USER from  Returns 0xC000006A

Jason
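One way to work through netlogon.log lines in the format quoted above, as an added example that is not part of the post: a small Python parser that counts failed logons per account and origin and, where the source workstation is blank, reports the "(via HOST)" forwarder whose own netlogon.log is the next place to look. The sample lines are constructed to match the post's format; the 07:55/07:56 entries and the WKS01 workstation are assumptions.

```python
import re
from collections import Counter

# Matches the netlogon.log SamLogon lines quoted in the post. The optional
# "DOMAIN:" prefix and "Transitive" marker appear on DC-side lines; the
# "(via HOST)" suffix names the server that forwarded the logon request.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] \[(?P<tid>\d+)\] "
    r"(?:(?P<domain>[^:\s]+): )?SamLogon: (?P<transitive>Transitive )?Network logon of "
    r"(?P<account>\S+) from\s*(?P<workstation>(?!\(via|Entered|Returns)\S+)?\s*"
    r"(?:\(via (?P<via>[^)]+)\))?\s*(?:Entered|Returns (?P<status>0x[0-9A-Fa-f]+))$"
)

# Constructed sample logs in the post's format. The 07:55/07:56 entries and
# the WKS01 workstation are assumptions added to show a populated source field.
SAMPLE_DC_LOG = """\
02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\\USER from  (via RADIUSSVR) Entered
02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\\USER from  (via RADIUSSVR) Returns 0xC000006A
02/05 07:55:03 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\\USER from  (via RADIUSSVR) Returns 0xC000006A
"""
SAMPLE_RADIUS_LOG = """\
02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\\USER from  Entered
02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\\USER from  Returns 0xC000006A
02/05 07:56:10 [LOGON] [2044] SamLogon: Network logon of XXXXX\\USER from WKS01 Returns 0xC000006A
"""

def parse_line(line):
    """Return the named fields of one SamLogon line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_logon_sources(lines):
    """Count failed logons per (account, origin, status). Origin is the
    workstation when netlogon recorded one; when it is blank, the 'via' hop
    is reported, since that host's own netlogon.log is the next place to look."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] in (None, "0x0"):
            continue  # "Entered" lines and successful logons carry no failure
        origin = rec["workstation"] or ("via " + rec["via"] if rec["via"] else "unknown")
        counts[(rec["account"], origin, rec["status"])] += 1
    return counts

def next_hops(lines):
    """Forwarding hosts whose netlogon.log should be read next."""
    return sorted({o[4:] for (_, o, _) in failed_logon_sources(lines) if o.startswith("via ")})

if __name__ == "__main__":
    for name, log in (("DC", SAMPLE_DC_LOG), ("RADIUS server", SAMPLE_RADIUS_LOG)):
        for (acct, origin, status), n in failed_logon_sources(log.splitlines()).items():
            print(f"{name}: {acct} {status} x{n} from {origin}")
        print(f"{name}: next logs to check -> {next_hops(log.splitlines()) or 'none'}")
```

On the DC sample the only origin is "via RADIUSSVR", which is why the DC's 4776 events show a blank workstation; the RADIUS server's own log is where a named source (or its absence, pointing at the RADIUS client) can be seen.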

Best Practice with regards to removing Obsolete windows 7 machine from AD

Hello Everyone,

We recently migrated from Windows 7 to Windows 10, and during that process we manually removed the drives from the actual devices without first removing them from the domain, and now we are left with a bunch of obsolete PCs in our Active Directory.

Therefore, I was wondering if anyone has the Microsoft-recommended process to cleanly remove all these obsolete machines from our AD without leaving anything behind.

Any help will be greatly appreciated and thank you for your time.

Domain Password History


Hi Admins, this might be a simple question but I cannot find the answer when searching.

I am working with PCI DSS certification and one item asks for users to be forced to change their password every 90 days. This has been set already. My question is, where do I see the password history for a particular user? I understand that this will not be displayed as plain text, but as hashes. Where can I find this information please? Thank you.


Unable to Map Network Drive using %username% variable


We are running a Windows Server 2012 R2 AD environment and would like to dynamically map user-specific network drives at logon time for domain desktop sessions. We created a network share on a 2012 R2 server with full share and security permissions for the Everyone group just to see if it would work; however, whenever we use the following command in a domain-authenticated user session

net use H: \\servername\home\%username%  OR net use H: \\servername\home\%LogonUser%

we receive the following error:

System error 55 has occurred. The specific network resource or device is no longer available.

In troubleshooting we tried ECHO %username% at a command prompt and received the correct username. We were able to use the same UNC path above in the built-in "Connect" feature under the Profile tab in AD to get the drive to map correctly. The share is not hidden.

Any help would be greatly appreciated.

lingering objects issue in AD


Hi Team,

I am facing a lingering objects issue but I am unable to delete the lingering objects at the path below. Please help.

Path:

CN=Deleted Objects,CN=Configuration,DC=test,DC=local 

Source domain controller: 
14090997-c0b3-4732-9332-e572beb0c820._msdcs.test.local 
Object: 
CN=DC03\0ADEL:a818857b-a342-44cf-ac87-578c59284be7,CN=Deleted Objects,CN=Configuration,DC=test,DC=local 
Object GUID: 
a818857b-a342-44cf-ac87-578c59284be7

This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database. This replication attempt has been blocked.




SAM denied remote call on a 2019 DC


After promoting to a 2019 DC I see warnings with event ID 16969:

6 remote calls to the SAM database have been denied in the past 900 seconds throttling window.

Is this something I should be worried about? Should I add "Domain Users" and "Domain Computers"?

There is a new registry setting on the 2019 DC: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteS = O:BAG:BAD:(A;;RC;;;BA) that is not controlled by GPO.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls



Errors


Error 1

A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

Error 2

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

NTLM is a weaker authentication mechanism. Please check:

      Which applications are using NTLM authentication?
      Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
      If NTLM must be supported, is Extended Protection configured?

Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

Error 3

The WinRM service failed to create the following SPNs: WSMAN/WIN-5QDUAHBF4SG.projectok.com; WSMAN/WIN-5QDUAHBF4SG. 

 Additional Data 
 The error received was 8344: %%8344.

 User Action 
 The SPNs can be created by an administrator using setspn.exe utility.

Error 4

The EDS Job manager failed to start the following jobs: 
Job: 'PFAssistantLog' creation failed.
Job: 'OwaClientLog' creation failed.
Job: 'OwaClientLocation' creation failed.
Job: 'OAuthCafeLog' creation failed.
Job: 'OABDownloadLog' creation failed.
Job: 'MRSAvailabilityLog' creation failed.

Error 5

An exception occurred during ADFilteringSettingWatcher.Start. Message='System.ApplicationException: Could not setup AD Change Handler
   at Microsoft.Forefront.ActiveDirectoryConnector.ADFilteringSettingsWatcher.Start()'

Error 6

Process ForefrontActiveDirectoryConnector.exe (PID=4584). WCF request (Get Servers for projectok.com) to the Microsoft Exchange Active Directory Topology service on server (TopologyClientTcpEndpoint (localhost)) failed. Make sure that the service is running. In addition, make sure that the network ports that are used by Microsoft Exchange Active Directory Topology service are not blocked by a firewall. The WCF call was retried 3 time(s). Error Details 
 System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:890/Microsoft.Exchange.Directory.TopologyService. The connection attempt lasted for a time span of 00:00:02.0056424. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:890.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:890

AND MANY MORE.....

Main error

Exchange server services are not starting after reboot. I want them to start automatically.

My user account is locked out automatically in a couple of minutes again and again after I unlock it.

Account locked out automatically. After I unlock it, the account will get locked again in a couple of minutes. I checked the logs in the Windows Event Viewer. It shows many logs like the following. It looks like the user account always gets locked on the domain controller, not on the member servers or workstations. We have checked account lockout tools and the bad password count automatically.

AD Claims - Use transformation rules within domain


I'm having a hard time finding documentation for AD DS (not AD FS!) claims and how to use them for different scenarios. 

I can create a claim based on an attribute, that's not a problem. It also looks like claim transformation rules can be created and used for forest trusts. 

Can claim transformation rules be used within the issuing domain itself? 

Consider the following example, where I want to transform the canonicalName claim and pass it on, slightly modified, as the OU claim. 

New-ADClaimTransformPolicy -Name "canonicalName to OU" -Rule 'C1:[Type == "ad://ext/canonicalName:88d803ab2a08e1ab", Value =~ "contoso.com/Tier 1/Servers/*", ValueType=="string"] => Issue(Type = "ad://ext/ou:88d80239468c8835", Value = "contoso.com/Tier 1/Servers/", ValueType=C1.ValueType);'


https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3aa672b6-a46b-4707-adff-01a02e97d956

An msDS-ClaimsTransformationPolicyType object MUST be associated with a TDO for a given claims-traversal direction in order to apply the claims transformation rules in the msDS-ClaimsTransformationPolicyType object to sets of claims that traverse the TDO in the specified direction.

This indicates that I can't use the above cmdlet to transform the claim within the domain. So that begs the question: is this even possible to accomplish?


Unsigned LDAP


Hi All

I would like to ask a question about Unsigned LDAP, how one can explain it as simply as possible, you know.

If you can't explain it simply, you don't understand it well enough.

So my assumption was that, like with certificates, when a DC replies to an LDAP query it signs the LDAP with its private key; then the client could check the CRL, having the RootCA chain, see that the reply is valid and authentic, and decrypt it with the DC public key (SSL handshake).

I have a lot of Linux boxes; they trigger Unsigned events (I know it could be a false positive, but still). My assumption was that if I install the RootCA cert on them I would resolve the issue, but it seems that Kerberos itself is signed (with what? the krbtgt password?). Also, what exactly does Unsigned LDAP mean? That the client sending the query could not be checked for authenticity?? I could read the MS documentation but no clear explanation is given imho.

So one thing that I am sure of is that I don't know how it is working =) Thanks for any feedback.




