Channel: Directory Services forum

Can't pull Max Password Age with vbscrip


Ok, here's the setup.  My company has been building a new 2012 domain environment.  So far, all the servers in the domain are 2012.

With the new domain, I have begun testing Fine-Grained Password Policies because it was one of the functions we could not do on our old domain.  And so far, everything on the domain side appears to be working just fine.

So now comes the problem.  Because our users will be using Remote-apps to connect to their servers, they aren't going to be notified that their passwords will be expiring soon.  Thus enters the VBscript.

Using Microsoft's instructions, http://msdn.microsoft.com/en-us/library/ms974598.aspx, I have been trying to get a script going that will pop up a message telling the user that they need to change their password, but I've hit a brick wall with this part of the script.

' ADSystemInfo supplies the DNS name of the domain the script is running in
Set objADSystemInfo = CreateObject("ADSystemInfo")
Set objDomain = GetObject("LDAP://" & objADSystemInfo.DomainDNSName)
' maxPwdAge is an IADsLargeInteger (64-bit, 100-nanosecond units, stored as a negative value)
Set objMaxPwdAge = objDomain.Get("maxPwdAge")

    If objMaxPwdAge.LowPart = 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
        WScript.Quit
    End If

For some reason, it will not pull the max password age.  Now I'm using Fine-Grained passwords for the test account, but I have also tried setting the max password age in the default domain policy, and I still get the message that the "age is set to 0 and the password will not expire" even though I know the policy is functioning on the account.

I was thinking I might need to try and get the information from this attribute http://msdn.microsoft.com/en-us/library/cc220303.aspx, but I am unsure of how to call this information.

If I can just get the script to pull the max password age, I believe I can get the rest of the script working.
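The VBScript above reads the domain-level maxPwdAge, which a Fine-Grained Password Policy does not change; the effective value for a user comes from the msDS-ResultantPSO and msDS-UserPasswordExpiryTimeComputed attributes. The following PowerShell is an added example, not the poster's script or Microsoft's sample; it assumes the RSAT ActiveDirectory module is installed and uses the placeholder account name jdoe.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available; 'jdoe' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

# The domain's maxPwdAge is stored as a negative Int64 in 100 ns units;
# this cmdlet exposes it as a TimeSpan. Zero means "never expires" at the
# domain level, but a PSO can still override it per user or group.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Domain MaxPasswordAge: {0}" -f $domainPolicy.MaxPasswordAge)

# msDS-ResultantPSO names the Fine-Grained Password Policy that wins for this
# user (empty when the default domain policy applies), and
# msDS-UserPasswordExpiryTimeComputed is the effective expiry as a FILETIME.
# Both are constructed attributes, so they must be requested explicitly.
$user = Get-ADUser -Identity 'jdoe' -Properties 'msDS-ResultantPSO', `
    'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires'

$pso = $user.'msDS-ResultantPSO'
if ($pso) {
    $fgpp = Get-ADFineGrainedPasswordPolicy -Identity $pso
    Write-Host ("Effective policy: {0} (MaxPasswordAge {1})" -f $fgpp.Name, $fgpp.MaxPasswordAge)
} else {
    Write-Host "Effective policy: Default Domain Policy"
}

# Int64.MaxValue is returned when the password never expires; 0 means the
# user must change the password at next logon.
$raw = $user.'msDS-UserPasswordExpiryTimeComputed'
if ($user.PasswordNeverExpires -or -not $raw -or $raw -eq [Int64]::MaxValue) {
    Write-Host "Password does not expire."
} elseif ($raw -eq 0) {
    Write-Host "Password must be changed at next logon."
} else {
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [Math]::Floor(($expires - (Get-Date)).TotalDays)
    if ($daysLeft -le 14) {
        Write-Host ("Password expires in {0} day(s) on {1}; warn the user now." -f $daysLeft, $expires)
    } else {
        Write-Host ("Password expires on {0} ({1} days left)." -f $expires, $daysLeft)
    }
}
```

Run it as the logged-on user (or pass that user's name) at RemoteApp launch to produce the warning the post is after, regardless of whether a PSO or the default domain policy applies.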



KRB_AP_ERR_MODIFIED on DC and partner DC only after machine account password change


Hi there,

I am currently experiencing a strange problem, for which I could use some help:

There are two DCs (Windows Server 2012, forest root, DNS) which work perfectly most of the time. But sometimes, when one of the DCs decides to change its machine account password, a KRB_AP_ERR_MODIFIED error occurs in the System log of both DCs (partner and itself).

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the serverProblematicDC$. The target name used was ldap/PROBLEMATICDC.example.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (EXAMPLE.COM) is different from the client domain (EXAMPLE.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

A restart fixes it (I know, restarts are no solution, but I am not operating the DCs ;) I lowered the machine account password change time span and (obviously) it worked perfectly. Once, the problem was massive, so I reset the machine account password by hand (and they worked beautifully for several months). Now the problem is back, and I am totally clueless. Everything seems ok (DCDiag, DNS, DNS config, SPNs, etc.). We have one month, and then the problem may or may not occur again :(

Maybe someone can point me in the right direction :)

Thanks,

MMF

I have problem in DNS on Server 2008 R2


Hello

I have a problem with DNS on Windows Server 2008 R2.

I looked at the DNS event log; it has a lot of the same log entries with event IDs 5001, 5004, 5002, etc.

The description of this event is:

The DNS server encountered a bad packet from 61.111.8.236.  Packet processing leads beyond packet length. The event data contains the DNS packet. 

and the same again, but with a different IP.

I don't know exactly what it is.

Thanks for helping me.

windows Active directory server administration

Can a member of the Domain Admins group install software on client computers in Active Directory?

DFS link stop responding


Hi Guys

  I'm new to DFS, and our company uses DFS to let users access file shares. We have 2 namespace servers for one DFS root for fault tolerance. However, sometimes we find that one DFS server stops working and users can't connect to the file share; after a short period, the user switches to the other DFS namespace server and can access the file server again. So from which point can I start debugging this problem?

WAP 2012 R2 EVENT ERROR


Hi,

I have a failed WAP 2012 R2 server with the event ID below, any ideas?

Log Name:      AD FS/Admin
Source:        AD FS
Date:          9/1/2014 9:25:44 AM
Event ID:      383
Task Category: None
Level:         Error
Keywords:      AD FS
User:          SYSTEM
Computer:      USBELWAP01
Description:
The Web request failed because the web.config file is malformed.

User Action:
Fix the malformed data in the web.config file.

Exception details:
Root element is missing. (C:\windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config)
Root element is missing.

Hide all except one object in Active Directory Users and Computers.


Hello,
I have a question. I need to allow one group of "administrators" to create users in one OU and to add computers to the domain, nothing else. I allowed them to log on to the DC using the GPO setting "Allow log on locally", because I don't want to give them administrator rights; I allowed them to do these operations on one OU through the delegation wizard, and now I need to make all other OUs, groups etc. invisible to them, except this OU. What is the best way to achieve this? Thank you...

d.

Assigned .msi package does not install app

This should be trivial but it does not work. I have created a GPO with software installation under Computer Configuration and linked it to an OU containing a test Windows 7 computer. Having assigned a new .msi package that resides on a shared folder to the computer, I did gpupdate /force on the test computer, restarted it, and nothing happened. There were no application logs related to MsiInstaller and of course the application was not installed on the test computer. How do I troubleshoot this? gpresult /r on the client computer reports that the GPO with software installation was applied, but strangely the application is not installed.

Using Server 2012 R2 ADFS for different Federating?

We're preparing to set up an ADFS server to support our Office 365 deployment. We also have the need, for another project, to configure ADFS for connection to an outside Active Directory. Can we (should we?) do this on the same box, or should we isolate them from each other?

Orange County District Attorney

AD DS Migration: SBS 2003 legacies to modern structure


Hi!

I know that many questions were already asked and answered regarding this topic, but no answer is really satisfactory or understandable to me.

Initial situation:

  • Originally Windows 2003 SBS based forest root domain, 10 years old
  • DNS: contoso.local
  • NetBIOS: CONTOSO
  • MX-entries: mail.contoso.com and autodiscover.contoso.com which are forwarded by ISA to the internal Exchange Server
  • Forest & Domain functional level: 2003
  • 2012 R2 domain controllers already added
  • Exchange 2003 migrated to Exchange 2010 SP 3
  • User logon with UPN firstname.lastname@contoso.com

Desired situation:

  • Forest root domain: corp.contoso.com
  • Old domain "mounted" as subdomain location.corp.contoso.com
  • User logon with UPN firstname.lastname@contoso.com
  • Upgrade to Exchange 2013

Question:

Is there a migration path other than creating a completely new forest, root domain and location subdomain, recreating all users, all ACLs and moving Exchange Mailboxes using ExMerge?

For example by

  1. simply adding the existing forest root domain as a subdomain to a new forest or by
  2. creating the new forest, root domain and location subdomain with a trust-relationship to the old forest and simply moving object-by-object resp. mailbox-by-mailbox to the new location subdomain or by
  3. using the Active Directory Migration Tool?

Thank you so much!!!

Lucas.

cannot find computers object in domain controller


Hello everyone,

Why were all computers in Active Directory automatically moved into the additional domain controller?

The Computers container in Active Directory is empty.

Is this a problem, or is it normal?

Thanks

User Account Bad Password Attempt - Workstation Lost Trust Relationship


I can't find a definitive answer to this so I'm hoping the forum can assist.

Scenario: a workstation cannot authenticate to the domain (i.e. its password is out of sync), and a user tries to log on to the domain using the workstation and receives the message "trust relationship between this workstation and primary domain failed".

My question is: does it still count as a bad password attempt in the domain for the user account?

Thank you.

Child Domain not able to login with enterprise account


Hello All,

We have a forest root domain, e.g. School.com, and a child domain HQ01.school.com. I usually log in to the child domain (HQ01.school.com) with the enterprise administrator account (SCHOOL\Administrator).

But due to some issue I am not able to log in to the child domain (HQ01.school.com) with the enterprise administrator account (SCHOOL\Administrator); also, child domain user accounts are not authenticating. In the logs I see "domain (HQ01.school.com) not found".

Please help to solve the issue.

Regards,

Errors after RODC deployment


Hi guys

After deploying an RODC in a different site, I get the following warnings in this server's Event Viewer:
Event ID: 4013 Source: DNS-Server-Service
Event ID: 2886 Source: ActiveDirectory_DomainService Task Category: LDAP Interface
Event ID: 1400 Source: ADWS (Active Directory Web Services) Task Category: ADWS Certificate Events

The sync works fine:

Syncing all NC's held on BOC-RODC.
Syncing partition: DC=DomainDnsZones,DC=Research,DC=local
SyncAll terminated with no errors.
Syncing partition: DC=ForestDnsZones,DC=Research,DC=local
SyncAll terminated with no errors.
Syncing partition: CN=Schema,CN=Configuration,DC=Research,DC=local
SyncAll terminated with no errors.
Syncing partition: CN=Configuration,DC=Research,DC=local
SyncAll terminated with no errors.
Syncing partition: DC=JSSResearch,DC=local
SyncAll terminated with no errors.

Note: when I promoted the RODC, I also selected DNS Server. I opened DNS on the RODC, and it's read-only; I guess this is right. The synchronization works fine: if I change something in DNS on the DC, it's reflected on the RODC after a while. I do not see the reason for Event ID 4103.

Also, what can I do about the errors above? Is this normal on an RODC? I did not have any of these errors when I created another DC in the same site.

User Rights to access Domain Controller


Hi all,

     I am currently trying to strengthen the Domain Controller policy settings. I would like to inquire about the users that should be granted the "Access this computer from the network" user right. Who should be a member of this user right? Is adding the administrator accounts sufficient to protect the DC? I found that Authenticated Users is added as well.

Could anyone help me by providing a guide for setting secure Domain Controller policy settings?


Hiam


Disable or put Password on all local administrator Accounts in Domain Computers


We have about 2000 Domain Computers in different Sites under one Domain.

There are many computers with no local admin password or an easy password.

My questions are:

- What are the ways to set a strong password on the local Admin account on all domain computers?

- Is there any third-party tool to do this?

- Or Group Policy?

Thanks

raising the domain/forest functional level


I need clarification on raising the forest and domain functional level from Windows Server 2003 to Windows Server 2008. The setup is as follows: we have a forest abc.com. The abc.com domain has all of its domain controllers on Windows Server 2008 and Windows Server 2008 R2. We are running Exchange 2010, SharePoint 2010 and Lync 2010 in our setup at the current 2003 functional level. We are planning to raise the forest and domain functional level for the abc.com domain.

Now my queries are:

1. After raising the functional level from Windows 2003 to Windows Server 2008, will there be any impact on the above-mentioned applications?

2. Will there be any impact on the authentication process for the applications running on the abc.com domain?


Jags

Memberof not shown after migrating contacts with movetree


Hello all!

I need some help trying to resolve an issue I'm experiencing after a contact migration between a subdomain and its parent domain using movetree.

The command I ran is:

movetree /start /s dc1.sub.test.com /d dc1.test.com /sdn "OU=testmovecontacts, ,DC=sub,DC=test,DC=com" /ddn "OU=DestinyContacts,DC=test,DC=com" /verbose

Apparently the operation ran correctly (ReturnCode: 0x0 The operation completed correctly. MOVETREE FINISHED SUCCESSFULLY.); but when I try to see the groups (universal distribution groups) a contact is a member of, the memberOf tab is empty.

The user gets the emails sent to the distribution lists, and I can see with ADSI Edit that the contacts have the attribute "memberOf" set with the correct CNs.

The domain is in Windows 2003 native mode. Does anyone have a clue what's going on?

Thanks.


Replications errors


Topology

3 sites

Location 1: 1 DC

Location 2: 2 DC

Location 3: 3 DC

The Location 1 DC is having replication issues.

The replication status tool shows the following errors:

1. The target principal name is incorrect

2. The remote system is not available

The issues started after the machine DC1 was off the network for 3 hours. Can anyone help me with this?




Amal RS

Find Computer name during PXE


Apologies if it's already been answered, but I couldn't find an answer to this simple question. During re-imaging of an existing PC, after pressing F8, what command should I enter at the x:\windows\temp command prompt to get the existing name of the machine?

And

how do I find which collection a device belongs to, by device name, using the SCCM console? I already have Console Extensions installed, but under System Tools I don't see any option for device collections.

Kindly advise.
