Channel: Directory Services forum

Storing BitLocker recovery keys in user object instead of computer object


We use non-persistent virtual desktops, and when a user logs out their computer object can sometimes be deleted, and there is no guarantee that the user would receive the same desktop each time.

We have enabled the BitLocker GPO to allow USB disk encryption and to create a recovery key and store a copy in AD. Let's say a user forgets their password and loses their file-based or printed recovery key. Now we have to find the recovery key by trying each key from each AD computer object.

Can we modify the AD schema to store the recovery keys in the user object? Is there some other solution?
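Added example, not code from the post above: the lookup that avoids trying every computer object is to search the whole domain for the msFVE-RecoveryInformation object whose name carries the Recovery Key ID that the BitLocker recovery screen displays. It assumes the RSAT ActiveDirectory module and an account that has been granted read access to msFVE-RecoveryPassword; the key ID prefix used is a constructed placeholder.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and an account that has been granted read access
# to msFVE-RecoveryPassword (by default only Domain Admins can read it).
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        # Leading characters of the Recovery Key ID shown on the BitLocker
        # recovery screen ('1A2B3C4D' below is a constructed placeholder).
        [Parameter(Mandatory)][string]$KeyIdPrefix,
        # Also search deleted objects: once a non-persistent desktop's computer
        # object is gone, its recovery objects are deleted with it and can only
        # be found this way (and only while they are still recoverable).
        [switch]$IncludeDeleted
    )
    # Recovery objects are children of the computer object and are named
    # "<timestamp>{<recovery GUID>}", so the key ID can be matched on Name
    # across the whole domain without knowing which desktop the user had.
    $params = @{
        Filter     = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$KeyIdPrefix*'"
        Properties = 'msFVE-RecoveryPassword', 'whenCreated', 'lastKnownParent'
    }
    if ($IncludeDeleted) { $params.IncludeDeletedObjects = $true }

    Get-ADObject @params | ForEach-Object {
        # For a live object the parent DN is the computer; a deleted object
        # keeps its former parent in lastKnownParent.
        $computer = if ($_.lastKnownParent) { $_.lastKnownParent } else { $_.DistinguishedName -replace '^CN=[^,]+,', '' }
        [pscustomobject]@{
            Computer         = $computer
            RecoveryObject   = $_.Name
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}

# Usage: Find-BitLockerRecoveryPassword -KeyIdPrefix '1A2B3C4D'
```

With the AD Recycle Bin enabled, -IncludeDeleted still finds the recovery object after the desktop's computer object has been deleted; without it, the attribute is stripped from the tombstone and the key is gone with the computer object.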


Upgrade ADFS 2.0 Standalone to 3.0


I currently have a production environment using ADFS 2.0 and ADFS 2.0 Proxy for CRM 2011 on Windows 2008 R2 servers. I am looking to install ADFS 3.0 on Server 2012 and use it for a new installation of CRM 2015, all on new servers.

What is the proper way to do this?

I understand you cannot migrate from a standalone 2.0 installation to a 3.0 installation. So I am wondering how to properly migrate this.

1. Do I just uninstall ADFS 2.0 and ADFS Proxy on their respective servers, and decommission these servers?

2. Is there clean up in Active Directory after I uninstall 2.0?

3. Do I need to export the certificates from 2.0 to import into 3.0?

4. Do I use the same federation names?

Once again what are the proper steps to accomplish this migration?

Thanks,

Paul Collins

ADFS 3.0 - Implications of editing the onload.js file


Hello.

I have seen a couple of posts around the internet about changing the sign-in input validation for ADFS 3.0 to allow users to authenticate without needing to supply the domain associated with their account. This works well. However, the Microsoft documentation says that making changes to the onload.js file to change validation is not supported. While it does work, what are the implications of making such changes?

Thank you.

Can't use NETDOM to reset password for DC that has "Target Principal Name is incorrect" error


I have a small network with two DCs. My secondary DC fails to replicate via Sites and Services, and returns a "Target Principal Name is incorrect" error.

I am running Windows Server 2008 R2 on both DCs.

I am sure that the computer account is out of sync. I attempt to follow the below instructions to correct:

https://support.microsoft.com/en-us/kb/288167

HOWEVER, when I run netdom resetpwd it always fails saying access denied, no matter what user account and password I use (only domain accounts, since the problem server is a DC and has no local account). I have tried to run the command in an elevated command prompt and via PowerShell; nothing changes the result.

Googling this issue seems to only find people who also failed using Netdom and had to unjoin and rejoin the domain to fix this issue (however, they were dealing with client machines and not a DC...).

Any help with this would be greatly appreciated.

At this point, I'm thinking of simply running dcpromo, removing the server as a DC, and then re-promoting it, but I have read that this should not be done and that resetting the computer account is the preferred way.

-Windex
Systems Administrator


Exchange 2007 - cannot receive from particular users


Hello,

We have a situation where a relatively new user (current month) has no trouble sending/receiving email amongst other users internal to our Exchange organization. However, the same user cannot receive email from (3) specific internal users.

Can anyone point me to a possible cause?


JTW

Windows Server 2008, Event ID 521


Hi All, I'm always encountering this error on my Windows Server 2008.

I already tried these resolutions:

 - Reinstall windows server backup

 - Patch the latest update on the server

 - Restart the server

 - Remove USB boosters (there is no USB booster)

 - Restart volume shadow copy service

My purpose for this Windows Server Backup is to use it for DPM backup. I succeeded in installing the agent, but the health status of this server is always in error.

Hope you can help.

Thanks,

MaxSTC

Logon script


Hi all,

we want to remove an expired certificate from client PCs. We created a PowerShell script and added it to the logon script of a Group Policy on the DC. The PowerShell script works well when run on local clients; however, when applied from the DC GPO, and the client PC is restarted so that the logon script should take effect, certificates are not removed. Please advise why the logon script is not effective.

cannot access the network due to time difference between your server and client, even though there is no time difference


Hi all,

I am new to this forum.

I am getting the following error on client machine.

cannot access the network due to time difference between your server and client

But I don't have a time difference between the client and the DC.

We even ran the following command, but still no use.

NET TIME /DOMAIN:name /SET

We did the following to login.

1. Removed the LAN cable connected to the DC machine.

2. Restarted the client machine.

3. Connected the cable back.

4. Then we were able to access the network.

DC is Windows Server 2008 R2.

Client is Windows 2007

Please help.


Cannot delete trust between domains


Hi all,

I have recently removed two-way forest trusts between two domains. I connected to Domain1 and pressed Remove in Domains and Trusts -> Domain1 -> Properties -> Trusts. I chose to delete from local and remote domain. Everything is ok with Domain1, but the problem is with Domain2.

In AD Domains and Trusts of Domain2 I still see Domain1. When I'm trying to remove it I'm getting a message: "A Trusted-Domain object cannot be found for the trust domain Domain1. The trust have been removed by another user."

I have checked ADSI and found no records in CN=System container for Domain1.

How can I completely remove the trusts from Domain2?

Account Expiry


Hello

I know I can set an account to expire on a given day, but is it possible to set an account to expire at a given time?

Example: set account to expire 29/09/2015 @ 17:00

Regards

Ewan.

Add attributes


hi

I have added 4 attributes in Active Directory. I will upload data into AD through CSV format, and I am using the tool Wise Soft Bulk AD User Manager, but the attributes are not updated. Please help; the manager attribute is not set through this tool.

SSO issue in Selective AD Trust Environment


Hi,

We have a selective two-way trust between test.ik.net and test1.kb.net. In that, for a web application, SSO is not working in the trusted domain, and it's working fine in the trusting environment.

DNS Configuration(Source Domain):(test.ik.net )

Not an AD integrated DNS

DNS Namespace: test.ik.net

Application Hosted with Different Namespace : https://web01.testcorp.net

Conditional forwarder is configured in test.ik.net to testcorp.net

Trusted Domain DNS Configuration:(test1.kb.net )

AD integrated DNS

Conditional forwarder has been configured to test.ik.net DNS and 53 port is opened

There is no port opened from Trusted domain to testcorp.net

Proper SPNs have been configured, and users are able to access the application without SSO.

The application hosted in the test.ik.net namespace is working fine from both ends, but the namespace with testcorp.net has the SSO issue. Please suggest how to resolve this issue.

Thanks in Advance

Bala

Force Logoff at specified time - Even if computer is Locked


We need to setup a task to force logoff of all workstations, even if the user has locked their workstation.

I tried to use the logoff.exe and the shutdown.exe action in a GPO policy (not the default Domain policy).  First we send a message (for those that are actually working) and then 15 minutes later we use the "exe" command.  Unfortunately, this doesn't work for "Locked" workstations.

How do you force Locked workstation logoff???

Migration from Redhat Directory server to Active Directory


Hi Gurus,

I am in the process of migrating all the data from Redhat Directory Server to Active Directory.

The procedure followed was to export the data from Redhat Directory Server using JXplorer and try to import the same into Active Directory.

A lot of attribute mismatches were seen, and the encrypted passwords from Redhat Directory Server are also not working.

Please help with the exact procedure of doing this.

Thanks

Active Directory: Delegate permission to move users to child OUs. (same parent OU)


I've followed this article here to delegate moving users to a group. I set the permissions of 'Source OU' and 'Destination OU' at the same high level OU (for example 'OfficeA'), so the group could move users around between the departments OUs inside the 'OfficeA' OU.

When I move a user, if the user is inside an OU that is the LAST OU in the tree (no other child OU inside it), it works fine.

If the user is inside an OU which has other child OUs (not the last one in the tree), I get the 'Access Denied' error when moving.

The permissions are inheriting correctly from the top to the child OUs. I can't figure out what's going wrong; can anyone enlighten me?

Active Directory Security Group membership based on specific attribute


Trying to figure out if there's a way to create an AD security group and populate its members with user objects that have a specific attribute.


Example:


ABC Security Group


User XYZ has attribute countryCode = 0


User CDE has attribute countryCode = 1


User FGH has attribute countryCode = 1


I want to populate ABC Security Group with all the users who have attribute countryCode = 1, automatically


The idea  is that I've got thousands of users with countryCode = 1 and I really don't want to have to add them, or remove them, manually.  I would like if their countryCode ever changes from 0 to 1 or 1 to 0, it will automatically add or remove them from ABC Security Group.


Thanks,

Daniel


Thanks, Daniel
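Added example, not code from the post above: a reconciliation function that makes a group's membership equal to the set of users carrying a given attribute value, adding and removing as the attribute changes, meant to be run from a scheduled task. It assumes the RSAT ActiveDirectory module and rights to modify the group; the group and attribute names are the ones from the example above.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and rights to modify the group's member attribute.
Import-Module ActiveDirectory

function Sync-GroupMembershipByAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'ABC Security Group'
        [Parameter(Mandatory)][string]$Attribute,   # e.g. 'countryCode'
        [Parameter(Mandatory)][string]$Value        # e.g. '1'
    )
    # Users that should be members: exactly those with the attribute value.
    $desired = @(Get-ADUser -Filter "$Attribute -eq '$Value'" |
                 Select-Object -ExpandProperty DistinguishedName)
    # Read the member attribute directly; Get-ADGroupMember refuses groups
    # above the 5000-member default limit, which "thousands of users" may hit.
    $current = @((Get-ADGroup -Identity $GroupName -Properties member).member)

    # Safety stop: a mistyped attribute or value would otherwise empty the group.
    if ($desired.Count -eq 0) {
        throw "No users matched $Attribute = '$Value'; refusing to empty '$GroupName'."
    }

    # Anything in the group that does not match (including nested groups or
    # computers) is removed, so use this only on groups owned by the rule.
    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Dry run first, then schedule the real call:
# Sync-GroupMembershipByAttribute -GroupName 'ABC Security Group' -Attribute countryCode -Value 1 -WhatIf
```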

Reporting on changed attributes

I have a script that runs right now that shows me accounts that were modified in the past 24 hours. It does the job but reports on any kind of change (obviously). I want to narrow this down to just report on a particular attribute changed, in my case the email attribute. Is there an easy way to do this or would I have to run two reports and compare?
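Added example, not the poster's own script: instead of a second report and a diff, each recently modified user is checked against the replication metadata for the one attribute of interest, which records when that attribute itself last changed. It assumes the RSAT ActiveDirectory module on Windows 8 / Server 2012 or later, where Get-ADReplicationAttributeMetadata is available.

```powershell
# Added example, not the poster's own script. Assumes the RSAT ActiveDirectory
# module on Windows 8 / Server 2012 or later, where
# Get-ADReplicationAttributeMetadata is available.
Import-Module ActiveDirectory

function Get-UsersWithRecentAttributeChange {
    param(
        [string]$Attribute = 'mail',   # attribute to report on
        [int]$Hours = 24,
        # Use one DC for both steps: whenChanged is not replicated and differs
        # per DC, whereas the originating change time in the metadata is the
        # same on every replica.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Coarse pass, equivalent to the existing 24-hour report.
    Get-ADUser -Filter { whenChanged -ge $since } -Server $Server | ForEach-Object {
        # Replication metadata records, per attribute, when it last changed,
        # its version counter and the DC that originated the write.
        $metaParams = @{
            Object     = $_.DistinguishedName
            Server     = $Server
            Properties = $Attribute
        }
        $meta = Get-ADReplicationAttributeMetadata @metaParams
        # No record means the attribute was never set; an old record means the
        # recent modification touched some other attribute.
        if ($meta -and $meta.LastOriginatingChangeTime -ge $since) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Attribute      = $Attribute
                CurrentValue   = $meta.AttributeValue
                ChangedAt      = $meta.LastOriginatingChangeTime
                OriginatingDC  = $meta.LastOriginatingChangeDirectoryServerIdentity
                Version        = $meta.Version
            }
        }
    }
}

# Usage: Get-UsersWithRecentAttributeChange -Attribute mail -Hours 24
```

The metadata keeps only the current value and the time of the last change, not the previous value; to capture old and new values, enable Directory Service Changes auditing on the DCs and collect event 5136.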

PointF in .NET Framework is not present for Device Applications


Hi,

I am working on an embedded medical device that takes inputs from various sensors and uses the data to display various graphs using .NET Framework 2.0. The OS used is WinCE 6.0; the .dlls are developed in C# as a Device Application.

I find that the PointF API present in the System.Drawing namespace is not present for .dlls that are created as a Device Application. However, PointF is present for projects created as Windows Applications.

I need to use the floating point PointF in this.CreateGraphics().DrawLines API for precision in drawing the graphs. 

Can you please let me know why PointF is not present for Device Applications and if there is any other alternative around this.

Thanks,

Chethana


Unable to edit in attribute editor with ADCS and ADSIEDIT


I am trying to open the attribute editor for AD or DL objects in Azure AD, and then it shows:

Error: There is no attribute registered to handle this attribute type

Please guide

ForeignSecurityPrincipals Cleanup


Hello,
a customer is asking us to clean up the ForeignSecurityPrincipals container in a Windows 2008 Domain.

The situation is they had a trust relationship with a Windows 2000 Domain, and using the ADMT they migrated users and computers accounts to the Windows 2008 Domain. Then the trust relationship was removed and the Windows 2000 Domain was decommissioned.

The question is whether it is possible to clean up the ForeignSecurityPrincipals container.
I know that while the trust relationship is established certain objects may be in use, but is it possible that some of the objects in this container are still being used after the trust relationship has been removed?

Thanks
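Added example, not code from the post above: a report that classifies each ForeignSecurityPrincipal as resolvable, still referenced through a migrated account's sIDHistory (the case that matters after an ADMT migration, because those SIDs still enter the user's token at logon), or orphaned. It assumes the RSAT ActiveDirectory module and searches the current domain only; it reports and deletes nothing.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module. It only reports: nothing is deleted.
Import-Module ActiveDirectory

function Get-ForeignSecurityPrincipalStatus {
    $container = "CN=ForeignSecurityPrincipals,$((Get-ADDomain).DistinguishedName)"
    $fspParams = @{
        SearchBase  = $container
        SearchScope = 'OneLevel'
        Filter      = "objectClass -eq 'foreignSecurityPrincipal'"
        Properties  = 'objectSid', 'memberOf', 'whenCreated'
    }
    Get-ADObject @fspParams | ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.objectSid

        # Well-known SIDs (Authenticated Users, Interactive, ...) and SIDs from
        # still-trusted domains translate; SIDs of the decommissioned domain no
        # longer have anyone to answer for them and throw.
        $account = $null
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        # An ADMT-migrated account keeps its old SID in sIDHistory, and that SID
        # is still placed in the user's token at logon, so group memberships
        # held by such an FSP still take effect. Searches this domain only.
        $historyOwner = Get-ADObject -LDAPFilter "(sIDHistory=$($sid.Value))" |
                        Select-Object -ExpandProperty DistinguishedName

        [pscustomobject]@{
            Sid               = $sid.Value
            ResolvesTo        = $account
            SidHistoryOwner   = $historyOwner
            Orphaned          = (-not $account) -and (-not $historyOwner)
            MemberOf          = @($_.memberOf)
            Created           = $_.whenCreated
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Usage: Get-ForeignSecurityPrincipalStatus | Where-Object Orphaned | Format-Table Sid, MemberOf
```

An orphaned FSP grants nothing (no principal can present that SID any more), but it lingers as an unresolved entry in every group listed under MemberOf, which is where a cleanup would start.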
