Channel: Directory Services forum
Viewing all 31638 articles

Delegating Control for Managing Membership of a Group

Hello,

I am looking for a solution to delegate permission only for the addition and removal of users from a security group.

Regards

Bhavesh Khare
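The delegation asked for above, as an added example (not code from the original post): a single ACE granting WriteProperty on the group's 'member' attribute and nothing else, applied with the ActiveDirectory module's AD: drive. The group names 'App-Admins' (target) and 'Helpdesk-GroupMgrs' (delegate) are assumptions; the GUID is the real schemaIDGUID of the 'member' attribute.

```powershell
# Added example: delegate only membership changes on one security group.
# Assumed names: target group 'App-Admins', delegate group 'Helpdesk-GroupMgrs'.
Import-Module ActiveDirectory

$targetGroup   = Get-ADGroup -Identity 'App-Admins'
$delegateGroup = Get-ADGroup -Identity 'Helpdesk-GroupMgrs'

# schemaIDGUID of the 'member' attribute. Scoping the ACE to this object type is
# what limits the grant to membership changes instead of every writable attribute.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$path = "AD:\$($targetGroup.DistinguishedName)"
$acl  = Get-Acl -Path $path

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$delegateGroup.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify: the delegate should show exactly one WriteProperty ACE whose ObjectType
# is the 'member' GUID. Anything broader (GenericWrite, WriteDacl) is over-delegation.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$($delegateGroup.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# Caveat: groups protected by AdminSDHolder (adminCount = 1, e.g. Domain Admins,
# Account Operators) get their ACL overwritten by SDProp about once an hour, so the
# ACE above silently disappears. Check before delegating.
if ((Get-ADGroup $targetGroup -Properties adminCount).adminCount -eq 1) {
    Write-Warning "$($targetGroup.Name) is AdminSDHolder-protected; this delegation will not stick."
}
```

The equivalent one-liner with the built-in tool is `dsacls "<group DN>" /G "CORP\Helpdesk-GroupMgrs:WP;member"`; either way, re-run the verification step after SDProp's next pass if the group is protected.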


Domain controllers 2K19 and 2K8r2.

Hi everyone!

  Is it possible to raise new 2K19 DCs alongside the old 2K8R2 DCs? In other words, add them to the existing domain and then remove the old ones later?

Thanks.


Doria

ADFS 3.0 Getting pop-up box instead of login page from external

Hello,

Maybe someone can provide me some hint with the following issue. I will start from the beginning.

I have implemented Windows 2016/ADFS 3.0 in our company. It worked perfectly until a few days ago, when the token-signing/decrypting certificates expired.

I renewed both certificates and I also updated the new token signing certificates for the Office 365 trust.

After that, when signing in to Office, instead of the company authentication page users get an authentication popup.

All user agents strings have been added to WIA.

The global authentication policy has:

- for extranet: forms-based authentication
- for intranet: forms-based authentication and Windows authentication

ExtendedProtectionTokenCheck is none
Fallback to WIA is true.

A colleague of mine updated the user agents right after I renewed the certificates, but before I updated the Office 365 one.

That was (hopefully) the only thing he did, but I have already re-added the user agents from scratch.

I would be happy if you could give me a hint where to look further, as having a popup displayed is awkward.

Thanks in advance!

Best,

Victor


Add SidHistory to a user

Hi , 

    I'm working on deleting sIDHistory. At this moment all the resources are without sIDHistory; only the users have sIDHistory.

    I will delete the sIDHistory field, but if some user has an issue, is it possible to paste back his sIDHistory without doing a restore from an AD backup?

  Is it possible to edit the field with PowerShell and paste in the older sIDHistory?

Example: Us1

SID                                  : S-1-5-21-4174452598-3359285060-3602202020-331244
SIDHistory                           : {S-1-5-21-3151815273-3026384734-512502699-5215}

I will delete the sIDHistory:

Us1

SID                                  : S-1-5-21-4174452598-3359285060-3602202020-331244
SIDHistory                           : {}

(not real sids used )

Is it possible to set sIDHistory in the future with PowerShell if I need to solve an issue for Us1?

Thanks everybody :)
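A point worth knowing before clearing anything: sIDHistory cannot be written back with an ordinary LDAP modify (Set-ADUser, ADSI Edit, ldifde all get an "unwilling to perform"); the DSA only accepts additions through the DsAddSidHistory RPC that migration tools such as ADMT use, which needs the source domain and its trust still in place. Removal, by contrast, is an ordinary write. So the realistic safety net is to export the old SIDs first, check that no resource ACL still depends on them, and only then clear. The script below is an added example, not the poster's code; the CSV path, the OU scope and the share path '\\fs01\data' are assumptions.

```powershell
# Added example: export sIDHistory to a CSV, check resource ACLs for the old
# SIDs, then clear the attribute. Assumed: backup path, OU scope, share path.
Import-Module ActiveDirectory

$backup = 'C:\Temp\sidhistory.csv'
$scope  = 'OU=Migrated,DC=corp,DC=example,DC=com'

# 1. Record every user's current sIDHistory. This file is the recovery record:
#    the values can be re-ACLed onto resources, not re-added to the user object.
$users = Get-ADUser -SearchBase $scope -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
$users |
    ForEach-Object {
        foreach ($old in $_.sIDHistory) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                CurrentSID     = $_.SID.Value
                HistorySID     = $old.Value
            }
        }
    } | Export-Csv -Path $backup -NoTypeInformation

# 2. Any ACE that still grants one of the OLD SIDs stops working the moment
#    sIDHistory is gone (the token no longer carries that SID). Scan before clearing.
$oldSids = (Import-Csv -Path $backup).HistorySID
Get-ChildItem -LiteralPath '\\fs01\data' -Recurse -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($ace in (Get-Acl -LiteralPath $_.FullName).Access) {
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($oldSids -contains $sid) { "$($_.FullName): ACE still references old SID $sid" }
        }
    }

# 3. Clear the attribute, one user at a time so a failure is visible per account.
foreach ($u in $users) {
    try   { Set-ADUser -Identity $u -Clear sIDHistory }
    catch { Write-Warning "Could not clear sIDHistory on $($u.SamAccountName): $_" }
}
```

Run step 2 against every file server and application that was re-permissioned during the migration; an unresolved SID in an ACE shows up in Get-Acl as a raw S-1-5-21-... string, and those are exactly the entries that sIDHistory has been papering over.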


Windows cannot move object error...

Hi everyone!

  Can someone help me with this error when I try to move a user object to another OU?


Doria

Error - UNWILLING_TO_PERFORM - while change user password in AD ldap using python code

I am creating a simple Python function to change a user's password. I have tested my AD setup: I am able to search for the user and get the correct response, but when I try to run l.modify_s I get the error below. The AD user has the required permissions. Not sure why I am getting this error.

"errorType": "**UNWILLING_TO_PERFORM**","errorMessage": "{'info': u'0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\\n', 'msgid': 3, 'msgtype': 103, 'result': 53, 'desc': u'Server is unwilling to perform', 'ctrls': []}" }

Please find my code below
import ldap
import os


def lambda_handler(event, context):
    cert = os.path.join('/Users/marsh79/Downloads', 'Serverssl.cer')
    print("My cert is", cert)

    # AD refuses writes to unicodePwd over a cleartext session and answers
    # with 0000001F / WILL_NOT_PERFORM, which is the error shown above. The
    # original connected with ldap:// and never started TLS, so the TLS
    # options below were configured but unused. LDAPS on 636 (already
    # verified with ldp.exe) fixes that; l.start_tls_s() on port 389 would too.
    l = ldap.initialize('ldaps://WIN-E3EJL23P92K.corp.asurjit79.com:636')
    # Set LDAP protocol version used
    l.protocol_version = ldap.VERSION3
    # Force certificate validation against the DC's certificate/CA file
    l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
    # Force libldap to create a new SSL context (must be the last TLS option!)
    l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

    try:
        l.simple_bind_s("admin@corp.example.com", "secret_pass")
        base = "OU=Enterprise,OU=Users,OU=corp,DC=corp,DC=example,DC=com"
        criteria = "(objectClass=user)"
        attributes = ['distinguishedName']
        result = l.search_s(base, ldap.SCOPE_SUBTREE, criteria, attributes)
        results = [entry for dn, entry in result if isinstance(entry, dict)]

        new_password = 'secretpass_new'
        # unicodePwd must be the password wrapped in double quotes, UTF-16-LE encoded
        password_value = ('"%s"' % new_password).encode('utf-16-le')
        # MOD_REPLACE is an administrative reset; a user changing their own
        # password would send MOD_DELETE(old) + MOD_ADD(new) instead.
        add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]

        # python-ldap 3 returns attribute values as bytes; modify_s wants a str DN
        target_dn = results[0]['distinguishedName'][0].decode('utf-8')
        print("My result distinguishedName1:", target_dn)

        l.modify_s(target_dn, add_pass)

        print(results)
    finally:
        l.unbind_s()

I have checked multiple things:

  1. Password complexity is fine.
  2. Enabled secure LDAP on my AD server and tested it using ldp.exe; I can connect using port 636.
  3. I am able to run this code if I only need to search for the user; I get the search results.
  4. But when I try to modify the password, it breaks without any clear explanation of why it is not willing to perform this operation... which is very annoying :X

Importing AD accounts from a child domain using a CSV file

Hello everyone,

Can anyone help me by providing a PowerShell script to import AD accounts from a child domain, using a CSV file, into another child domain, please?

Thank you.
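An export/import pair for the request above, as an added example (not from the original post). It deliberately carries no password hashes or sIDHistory across: each recreated account gets a fresh random password from the CSPRNG and is forced to change it at first logon. Domain names, the source and target OUs and the CSV path are assumptions.

```powershell
# Added example: export users from one child domain to CSV, recreate them in another.
# Assumed: child1/child2.corp.example.com, the OUs below, C:\Temp\child1-users.csv.
Import-Module ActiveDirectory

$csv       = 'C:\Temp\child1-users.csv'
$sourceDc  = 'child1.corp.example.com'
$targetDc  = 'child2.corp.example.com'
$sourceOu  = 'OU=Staff,DC=child1,DC=corp,DC=example,DC=com'
$targetOu  = 'OU=Imported,DC=child2,DC=corp,DC=example,DC=com'
$targetUpn = 'child2.corp.example.com'

# Export only the attributes that will be recreated (no secrets, no group SIDs).
Get-ADUser -Server $sourceDc -SearchBase $sourceOu -Filter 'Enabled -eq $true' `
    -Properties GivenName, Surname, DisplayName, mail, Department, Title |
    Select-Object SamAccountName, GivenName, Surname, DisplayName, mail, Department, Title |
    Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

function New-RandomPassword {
    # 20 bytes from the OS CSPRNG, base64 plus a symbol so it meets complexity.
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes) + '!')
}

# Import: skip names that already exist in the target, never reuse the source password.
foreach ($row in Import-Csv -Path $csv) {
    # -Identity lookup instead of a string-built -Filter, so CSV content cannot
    # alter the query.
    if (Get-ADUser -Server $targetDc -Identity $row.SamAccountName -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($row.SamAccountName): already exists in $targetDc"
        continue
    }
    $name     = if ($row.DisplayName) { $row.DisplayName } else { $row.SamAccountName }
    $password = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force

    New-ADUser -Server $targetDc -Path $targetOu `
        -Name $name -SamAccountName $row.SamAccountName `
        -UserPrincipalName "$($row.SamAccountName)@$targetUpn" `
        -GivenName $row.GivenName -Surname $row.Surname -DisplayName $row.DisplayName `
        -EmailAddress $row.mail -Department $row.Department -Title $row.Title `
        -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true
}
```

Group memberships are intentionally not in the CSV: group SIDs from child1 mean nothing in child2, so membership has to be re-granted against child2's own groups, which is also the moment to drop any access the user no longer needs.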

Best Practice/Backup Solution before Delete Domain

Hi All,

I am planning to delete one of the child domains in my environment. This domain currently has only inactive accounts. May I know what kind of backup should be taken before deleting this child domain? If we need to recover any configuration/account/information from this domain later, will restoring the backup work?

Thanks in advance.


No replication failure but differences on policies subfolder.

Hi everyone!

  We have 2 DCs on the same site in a local domain that do not have any data replication failures, but when I count the number of files and folders in 'C:\Windows\SYSVOL\domain\Policies', there are differences in the totals.

C:\Windows\SYSVOL\domain>repadmin /replsum
Replication Summary Start Time: 2020-07-20 09:42:43

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 SRVWI003                  48m:54s    0 /   5    0
 SRVWI026                  57m:12s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 SRVWI003                  57m:12s    0 /   5    0
 SRVWI026                  48m:54s    0 /   5    0
C:\Program Files\SysinternalsSuite>hostname
srvwi003

C:\Program Files\SysinternalsSuite>du.exe -nobanner c:\Windows\SYSVOL\domain\Policies
Files:        367
Directories:  1097
Size:         1,510,708 bytes
Size on disk: 7,389,312 bytes
C:\Program Files\SysinternalsSuite>hostname
srvwi026

C:\Program Files\SysinternalsSuite>du.exe -nobanner c:\Windows\SYSVOL\domain\Policies
Files:        296
Directories:  888
Size:         1.483.386 bytes
Size on disk: 6.123.648 bytes

  It's like looking for a needle in the sand. Are there any practical ideas or tools for finding out where the difference is?

Thanks.


Doria
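repadmin only reports the directory partitions; SYSVOL is replicated separately (DFSR or FRS), so a clean /replsum says nothing about the Policies folder. The script below is an added example, not the poster's commands: it hashes every file under Policies on both DCs over the admin share, lists the paths that exist on one side only or differ in content, and maps the affected GUID folders to GPO names. The DC names come from the post; reachability of C$ and the GroupPolicy module are assumed.

```powershell
# Added example: find exactly which files/folders differ between two DCs' SYSVOL.
# Assumed: C$ admin share reachable on both DCs, GroupPolicy module installed.
Import-Module GroupPolicy

$dcs  = 'SRVWI003', 'SRVWI026'
$root = 'Windows\SYSVOL\domain\Policies'

# Inventory: relative path -> SHA-256 of the file, or '<dir>' for a directory,
# so empty leftover folders (which the du.exe counts include) are compared too.
$inventory = @{}
foreach ($dc in $dcs) {
    $base = "\\$dc\C$\$root"
    $inventory[$dc] = @{}
    Get-ChildItem -LiteralPath $base -Recurse -Force | ForEach-Object {
        $rel   = $_.FullName.Substring($base.Length).TrimStart('\')
        $value = if ($_.PSIsContainer) { '<dir>' }
                 else { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }
        $inventory[$dc][$rel] = $value
    }
}

# Anything present on only one DC, or on both with different content.
$allPaths = ($inventory.Values | ForEach-Object { $_.Keys }) | Sort-Object -Unique
$diff = foreach ($p in $allPaths) {
    $h0 = $inventory[$dcs[0]][$p]
    $h1 = $inventory[$dcs[1]][$p]
    if ($h0 -ne $h1) {
        [pscustomobject]@{
            Path         = $p
            GpoGuid      = ($p -split '\\')[0]
            "$($dcs[0])" = $h0
            "$($dcs[1])" = $h1
        }
    }
}
$diff | Format-Table -AutoSize

# Which GPOs are affected? A GUID with no matching GPO is an orphaned folder.
$diff | Select-Object -ExpandProperty GpoGuid -Unique | ForEach-Object {
    try   { "$_ = $((Get-GPO -Guid $_).DisplayName)" }
    catch { "$_ = (no such GPO: orphaned folder)" }
}
```

Treat a file that exists on one DC only, or whose hash differs, as an integrity question and not just a replication one: compare it against the GPO's last modification in the Group Policy event log before deciding which copy is authoritative, and check DFSR's ConflictAndDeleted folder on both DCs for the losing versions.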



Preventing automation task failure because of account lockout.

Hello,

In my environment, there is a service account used to perform AD-related operations (adding/removing users from groups) via automation called by ServiceNow. What I have observed over the last couple of days is that the automation task is failing because that service account gets locked out.

I need to know whether I can do something to prevent the account from being locked out so that the AD-related operations are completed via automation.

Any suggestion or approach?


G-ONE
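A lockout on a service account means something is presenting a wrong password for it, usually a second integration server, a scheduled task or a stored credential that was not updated after a rotation; exempting the account from lockout would hide that signal and leave a group-management account open to online guessing. The added example below (not from the original post) finds the source: 4740 events on the PDC emulator name the machine the bad passwords came from, and badPwdCount, which is not replicated, shows which DC is currently seeing them. The account name 'svc-snow-ad' is an assumption.

```powershell
# Added example: locate the source of a service-account lockout.
# Assumed service account name 'svc-snow-ad'.
Import-Module ActiveDirectory
$account = 'svc-snow-ad'

# 4740 is logged on the PDC emulator for every lockout in the domain.
# Properties[0] = TargetUserName, Properties[1] = caller computer name.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $account }

$lockouts | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Source = $_.Properties[1].Value
    }
} | Format-Table -AutoSize

# badPwdCount lives on each DC separately; the DC with a non-zero count is the
# one the failing client talks to, and its 4776 / 4625 events name the client.
Get-ADDomainController -Filter * | ForEach-Object {
    $u = Get-ADUser -Identity $account -Server $_.HostName `
            -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
    [pscustomobject]@{
        DC          = $_.HostName
        BadPwdCount = $u.badPwdCount
        LastBad     = $u.LastBadPasswordAttempt
        LockedOut   = $u.LockedOut
    }
} | Format-Table -AutoSize
```

Once the offending host is known, the fix is to update or remove the stale credential there. If an automation account genuinely cannot tolerate lockout, the safer mitigation is a group-managed service account (no stored password to go stale) combined with the least delegation that the group-membership task needs, rather than a fine-grained policy with lockout disabled.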

How to find which *Active* users are not logged in AD for 120 days?

I want to export a list, preferably using LDAP and not PowerShell (but it can be both), of all users who haven't logged in in the past 120 days and are still active (not the disabled ones).

I need only their display name, email and description.

Is there any script for finding AD users inactive for more than 45 days and sending an email to the respective user's manager?

Hello All,

I am looking for a script to find AD users inactive for more than 45 days and send an email to the respective user's manager.


Thanks
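One script for both requests above (the 120-day export wanting an LDAP filter, and the 45-day manager notification), as an added example that is not from either post. The threshold, output path, SMTP relay and sender address are assumptions. The LDAP filter is reusable on its own with ldp.exe or ldifde; the PowerShell around it only adds the export and the mail.

```powershell
# Added example: list enabled users with no logon for N days (LDAP filter),
# export them, and mail each manager once. Assumed: $days, CSV path, SMTP relay.
Import-Module ActiveDirectory
$days = 120     # 45 for the second request
$smtp = 'smtp.corp.example.com'

# lastLogonTimestamp is replicated but only rewritten when more than ~14 days
# stale, so the cutoff is accurate to about two weeks. Disabled accounts are
# excluded via the ADS_UF_ACCOUNTDISABLE bit (2) with the bitwise-AND rule OID.
$cutoff = (Get-Date).AddDays(-$days).ToFileTimeUtc()
$ldap = "(&(objectCategory=person)(objectClass=user)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"

$stale = Get-ADUser -LDAPFilter $ldap `
            -Properties DisplayName, mail, Description, LastLogonDate, Manager, whenCreated |
    # accounts with no lastLogonTimestamp at all are only "inactive" if they are old enough
    Where-Object { $_.whenCreated -lt (Get-Date).AddDays(-$days) }

$stale | Select-Object DisplayName, mail, Description, LastLogonDate |
    Export-Csv -Path "C:\Temp\inactive-$days-days.csv" -NoTypeInformation

# One mail per manager listing all of their stale direct reports.
$stale | Where-Object Manager | Group-Object Manager | ForEach-Object {
    $mgr = Get-ADUser -Identity $_.Name -Properties mail
    if (-not $mgr.mail) { return }
    $lines = $_.Group | ForEach-Object {
        "  $($_.DisplayName) ($($_.SamAccountName)) last logon: $($_.LastLogonDate)"
    }
    $body = "The following accounts have not logged on for $days days:`n`n" + ($lines -join "`n")
    Send-MailMessage -SmtpServer $smtp -From 'ad-hygiene@corp.example.com' `
        -To $mgr.mail -Subject 'Inactive accounts reporting to you' -Body $body
}
```

Before disabling anything on the strength of this list, check the accounts against service-account and mailbox-only inventories: a never-interactive account can have a stale lastLogonTimestamp and still be in daily use through an application.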

SysVol Permissions for one or more GPO's are not in sync

Conditional Forwarder

Hi,

Do we still need conditional forwarders between two domains that have a forest-level trust over an internet connection with an IPsec VPN tunnel? If not, how do we configure DNS properly so that both domains can resolve each other's DNS names?

Thanks.

lost dns master key server

hi,

I deleted an older DC, which was the FSMO server. I did the seize operations, but for some reason the DNS key master role did not change. Now I can't get it back. Can I take it back from a backup? Or can I somehow make the new DC the DNS key master server?


Local Security Policy cannot be contacted

Hi,

We have two Windows 2012 DCs. After the primary DC went down, users were unable to log in to an RDP server and were getting the error message "Local security policy cannot be contacted". Does this mean the second DC is not working correctly? Both DCs have the same roles installed.

Thanks.

How to get bitlocker key using computername using powershell command

I need a PowerShell command for getting the BitLocker recovery key from AD using the computer name or the 8-digit recovery ID.
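Both lookups asked for above, as an added example (not from the original post). Recovery passwords are stored as msFVE-RecoveryInformation child objects under the computer account; their CN is "<timestamp>{<recovery GUID>}", so the 8 characters shown on the recovery screen can be matched against the name without decoding the binary msFVE-RecoveryGuid attribute. The computer name 'WS-0123' and the ID prefix '1A2B3C4D' are placeholders.

```powershell
# Added example: retrieve BitLocker recovery passwords from AD by computer name
# or by the first 8 hex characters of the recovery ID. Sample inputs are placeholders.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [string]$ComputerName,
        [string]$RecoveryIdPrefix   # first block of the ID shown on the recovery screen
    )
    if ($ComputerName) {
        $computer = Get-ADComputer -Identity $ComputerName
        $objs = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
            -Properties msFVE-RecoveryPassword, whenCreated
    } elseif ($RecoveryIdPrefix) {
        $objs = Get-ADObject `
            -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$RecoveryIdPrefix*))" `
            -Properties msFVE-RecoveryPassword, whenCreated
    } else {
        throw 'Specify -ComputerName or -RecoveryIdPrefix'
    }
    foreach ($o in $objs) {
        # Parent RDN of the recovery object is the computer's CN.
        $parentDn = ($o.DistinguishedName -split ',', 2)[1]
        [pscustomobject]@{
            Computer         = ($parentDn -replace '^CN=', '') -replace ',.*$', ''
            RecoveryId       = ($o.Name -replace '^.*\{', '') -replace '\}$', ''
            Created          = $o.whenCreated    # newest entry is the current volume key
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

Get-BitLockerRecoveryFromAD -ComputerName 'WS-0123' | Sort-Object Created -Descending
Get-BitLockerRecoveryFromAD -RecoveryIdPrefix '1A2B3C4D'
```

Whoever can read msFVE-RecoveryPassword can decrypt the disk, so delegate read on that attribute only to the helpdesk group that needs it, confirm the rest of the domain is not inheriting it, and enable directory-service object access auditing on those objects so every retrieval is logged.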

A constraint violation occurred - when uploading picture in Active Directory

Event id 4776

Hi,

I have configured the setting "Send NTLMv2 response only. Refuse LM & NTLM" in the Default Domain Controllers Policy.

One of my domain users generated thousands of event ID 4776 entries with error code C000006A.

He used a workgroup PC and configured his domain account in a script.

The script failed to execute on the workgroup PC.

The domain controller did not lock out the account even after 1000 failed login attempts.

I don't have any fine-grained password policy configured.

May I know the reason the lockout did not occur?



AD monthly checks

Hi,

Please provide a monthly validation checklist for Active Directory.
