Hello All,
I am trying to audit user log in access to the domain.
My aim to to see records of logon and logoff and also export the report.
Can one achieve this even without the use of third party tools.
Please share third party tools with better intelligence reporting.
Thanks
o.k
Hi,
I have an issue in one of the Domain Controller, Where Hard disk is failed.
Can anyone let me know how to recover domain controller in Hard disk failure ?
Hi i have a weird problem with one of our domain admins, i created his account my copying one of the other Domain Admins,
and if he logs onto the domain controller, and used AD users and computers, if he tries to create a new users, it refuses to set a password, and also if he tries to reset a password on any accounts he gets access denied.
I cannot figure out what is going wrong with this account, i have also tried creating a new account from fresh, and the same happened.
thanks
Mark
Hi guys,
I am having trouble with logon script.
How can I detect the IP address of target workstation ?
if the workstation located within a range, (192.168.101.1 to 192.168.101.254), then able to execute the rest of the logon script.
Thanks in advance.
BTW, i am not familiar in vbs
Hi Admins, this might be a simple question but I cannot find the answer when searching.
I am working with PCIDSS Certification and one item asks for users to be forced in changing the password every 90 days. This has been set already. My question is, where do I see the password history for a particular user? I understand that this will not be displayed as plain text, but hashes. We can I find this information please? Thank you.
Hi,
An application sends the following GET request to ADFS:
GET /adfs/ls/ wfresh=0&wauth=http%3a%2f%2fschemas.microsoft.com%2fws%2f2008%2f06%2fidentity%2fauthenticationmethod%2fpassword&username=USER%40mycomp.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIAeNiNdQz0jPRYjbUM7RSsUxKNEw0TTbXTTM0T9Q1SUm11E00TDPUNTM0t0i2SDE1NDIyLhLiEuDm-GcsdkB_jvPqanPb85ul3VjsdKlhblWWWmlqRZladb5SeWlmRYGekZWOXnJ-1gZLzAwexHiBifEWE7-_I1DOCETkF2VWpT7CEnFxJqTITM5PSZ3FnBMZYpif4FUnlwZWhUYHFoZlAnEuRVlUUY5pT55KQVJuUFlKca-pUm5YQZeIV7ukUaWJUnhlqVeeZ6Wvi6O5WDs7loCpp0NwHyfcF8QXQKXh-iap6VY6pqYWybpJiUlWehaWiSbmVlaGKQZmBfYGa8wMK4ixN3iAEA0&popupui=1 443 - 21.127.30.56 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+9_0_2+like+Mac+OS+X)+AppleWebKit/601.1.46+(KHTML,+like+Gecko)+Mobile/13A452 https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=678a547-f33a-1de3-a5f2-7544c3d756743&resource=0000000a-0000-0000-c000-000000000000&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.
How can I create a claim rule with the parameter "Client_id" (bold)? What do I have to do in order that I can use e.g. "http://schemas.microsoft.com/2012/01/requestcontext/claims/client_id" in my claim rules? I don't understand how a mapping of URL parameters of the request URL and Claims is done ... ? Can somebody help here?
Thanks,
Emil
Hi Experts,
I'm in the prcess of creating AD Forest recovery process for our infrastructure. Currently all our FSMO roles are placed in one DC and all DC's are GC. We have one root and 4 child domains and all DC's are WIN2k8R2.
At the time of DC recovery, we need to select one DC from root domain. So it it advisable to restore the DC which has all thr FSMO roles or do i need to select any other DC from forest domain?
After reading the MS forest recovery doc, i have created below steps. Did i miss any points on below steps or any correction.
Regards, Nidhin.CK
Hello,
I have set DFS between the my servers, frequently gettting error...
Event ID 5014
I'm running "DCDIAG /Q /E " between my two domain controllers, and one of them is getting errors. I'm running as admin of course!
The first DC is sitting on subnet1, and is called ACMEDC1.
The second DC is sitting on subnet2, and is called ACMEDC2.
When I run on ACMEDC2, there are no errors.
When I run on ACMEDC1, there are some errors:
Fatal Error:DsGetDcName (ACMEDC2) call failed, error 1722I can do a lookup of ACMEDC2 with nbtstat - it will resolve to an IP address and then it appears in the cache (so "nbtstat -a ACMEDC2" and "nbtstat -c" work.
However, from ACMEDC1, I have also noticed that I cannot connect to any SMB shares on SOME servers when using the netbios name. There doesn't seem to be any rhyme or reason - server version, subnet.
For example, from ACMEDC1:
I can connect to \\ACMESRV1\fileshare
(or any share)
If I try to connect to ACMEDC2:
\\ACMEDC2.ACME.LOCAL\FILESHARE
works
\\(IP ADDRESS)\FILESHARE
works
But:
\\ACMEDC2\FILESHARE
fails with the error "Windows can't find '\\ACMEDC2\FILESHARE'. Check the spelling and try again."
I can connect to SMB successfully with PowerShell too. nbtstat -RR (or -R) do not resolve the issue either.
So I think that whatever is causing the issue with the SMB connection to the flatname is causing the same issues in DCDIAG. I am not seeing any problems with any other AD services - replication works perfectly, and ACMEDC2 is having no such issues in SMB or DCDIAG.
Greetings,
I'm struggling to solve my issue with redirected folders (Desktop, Documents) and travelling laptops. The situation is following:
I thought redirected folders are automatically synchronised and accessible offline. I don't know why is the laptop trying to reach the DFS share when it is outside of the corp. net.
I discussed this situation with much more experienced friend of mine and he said that I used the concept of the folder redirection incorrectly. What I should do instead is to map the network drive (e.g. W:\) pointing to \\domain\redirectionfolder\%username% to each user and redirect their desktop and documents to W:\. Problem is, I could not find the correct setting in GPO that would say to change the location of "Desktop" folder to W:\.
May I hear your opinion which approach is better in order to solve this issue with laptops outside of the corporate network? I'm really clueless at the time.
Thank you in advance,
Best regards,
Standa
Hi,
One server have windows server 2012 and second is windows server 2008 and both are primary server.
I have configured zone transferred to other DNS server but records are not being updated and i am not getting any failure message.
Any help or idea will be highly appreciated.
Hi,
I've created a new network within my site, within my switching environment. I am not able to navigate to any UNC path locations on any of my Servers, or workstations. If I try Windows Explorer times out.
Take note I am authenticating on a workstation that was previously a host within the network that my AD Controllers were from which I was able to successfully communicate to all AD services. Inter-network communication is occurring. I am able to
ping all of the hosts from the network were my AD infrastructure resides. I don't have anything preventing network communication, like firewalls or ACL's on my switches. What I have observed is that it takes a good 3-4 minutes to authenticate
on the workstation since it's now a member of this new network.
The workstation is using a static IP address. I specified the DNS Servers from the original network where my AD Servers reside. I saw a new A record from the DNS Server assigned to the new IP address of the workstation from the new network. I
am successfully able to resolve FQDN's to IP addresses.
I have created a new subnet within AD Sites & Services, and assigned it to appropriate site. Is there anything administratively that needs to be undertaken to allow access to my AD forest?
Be aware my AD controllers are using the Windows Server 2008 R2 SP1 platform.
Thanks in advance.
Hello,
I have a question about RID pool and user account creation.
Our system has two server farms each of which has two DCs (i.e. 4 DCs in total).
Two farms are a primary and a backup, and the RID master DC resides in the primary.
The entire system is under a single domain.
When the primary farm fails and the backup farm takes over,
we do not want to seize the RID master role at the backup farm,
because the primary might recover later depending on the cause of the failover.
I read a Technet article which says that I can change the block size by changing a registry value.
http://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx
I would like to know whether it would be possible to avert the RID block depletion on backup farm's DCs by setting a larger value to the 'RID Block Size' key (e.g. 5000) in advance.
In other words, is there anything that could potentially deplete
DCs' RIDs other than the account/computer/group creation operations we will perform
when our system enters the service (we will be creating no more than
several hundred user accounts, a couple hundred computers, and about a dozen groups).
We might create new user accounts while we are on the backup farm,
but the number of added users will not exceed 1000.
We will not create new computers and groups while on the backup farm, except perhaps a few.
Also, we will be incorporating AD CS, Exchange, and Skype for Business
to our single domain system.
(I posted the question to the HA forum, I've been suggested that this is a better place for my question, so here I am. Sorry for the double post.)
Regards,
Wanko
hi,
after going through https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx several times, i cant find a solution for my challenge:
- block access to o365 for all non company enrolled devices
- users use windows phones (enrolled with intune/sccm) and surface pro (domain joined), access for them should work while travelling
so limit all access based on ip address will not work because:
- mobile phones cannot be enrolled to intune (they use an ip from the mobile provider)
- surface users use direct access, but access to non-company domains (like microsoftonline.com) will go directly, so again different IPs will be used
when accessing adfs from a client, this is what adfs logs:
Following request context headers present:
X-MS-Client-Application: -
X-MS-Client-User-Agent: -
client-request-id: 00000000-0000-0000-de2f-008000000035
X-MS-Endpoint-Absolute-Path: /adfs/ls/
X-MS-Forwarded-Client-IP: 188.20.20.20
X-MS-Proxy: vmprpr1
so nothing except the ip, which is of no real use.
Any ideas how to implement this request?
I have already posted this question to the o365 forum, but they had no idea about adfs configuration and suggested to post here.
regards
Manfred
Hi,
How to make Backup of AD FS (3.0) that have WID database in use?
Is Windows System State Backup sufficient?
Found article from of 2.0
http://social.technet.microsoft.com/wiki/contents/articles/2199.ad-fs-2-0-how-to-back-up-the-federation-service.aspx
Do I need some special backup for SSL (Private key), Token Signing and Token Decryption certificates?
AD FS with SQL answer found
https://social.technet.microsoft.com/Forums/windows/en-US/507a1002-939f-4120-a69c-0e227ca21081/how-to-backup-and-restore-windows-2012r2-adfs?forum=winserverDS
Do I need to take concern some Virus scanning exlusions with WID?
Can't find any recommendations of that
https://support.microsoft.com/en-gb/kb/822158
Thanks for help
Hello,
i have excel file with 100 names , my boss ask me the email address my question is
"how i can export user name and email address form active directory to CSV File basted on date "i mean the time when i create the users"
FZ2H
HI all
Our company abc is getting merged with xyz and hence all the AD needs to be migrated from abc.com to xyz.com
Please let us know how to proceed on this?
We need to setup a task to force logoff of all workstations, even if the user has locked their workstation.
I tried to use the logoff.exe and the shutdown.exe action in a GPO policy (not the default Domain policy). First we send a message (for those that are actually working) and then 15 minutes later we use the "exe" command. Unfortunately, this doesn't work for "Locked" workstations.
How do you force Locked workstation logoff???