Channel: Directory Services forum

Granting permissions to all users except one in a group over an OU


Hi,

I have three users - test1, test2, test3

They are in a Group "TestGroup".

I have a "Test OU" to which I would like to grant permissions to "TestGroup" users except one user, i.e., say "test3".

Is it possible to delegate such permissions in active directory?

Anand Kumar D

This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.
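One way to do what the post asks, as an added example that is not part of the original post: delegate the rights to the group with an Allow ACE on the OU, then add an explicit Deny ACE for the one member to exclude. In AD's canonical ACE order an explicit Deny is evaluated before an explicit Allow at the same object, so test3 loses what the group grants. The OU DN, the domain name and the specific rights delegated (ReadProperty/WriteProperty) are assumptions; the example needs the Active Directory PowerShell module (RSAT on 2008 R2 or later).

```powershell
# Added example, not from the original post. Assumes the AD module is available
# and that the OU, group and user below exist in the domain.
Import-Module ActiveDirectory

$ouDN   = 'OU=Test OU,DC=contoso,DC=com'     # assumed DN of "Test OU"
$group  = Get-ADGroup -Identity 'TestGroup'
$except = Get-ADUser  -Identity 'test3'

# Rights to delegate on the OU and everything under it (assumed for illustration).
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$acl = Get-Acl -Path "AD:\$ouDN"

# Allow ACE for the whole group ...
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow, $inherit)))

# ... and an explicit Deny ACE for the single member to exclude. Deny precedes
# Allow in canonical order, so test3 is refused even though TestGroup is allowed.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $except.SID, $rights,
    [System.Security.AccessControl.AccessControlType]::Deny, $inherit)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify what was written: both ACEs should show up, Deny listed first.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -match 'TestGroup|test3' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType
```

Two caveats before relying on this. First, a Deny ACE inherited from the OU does not beat an explicit Allow set directly on a child object, because explicit ACEs are ordered before inherited ones; check children that have their own ACEs. Second, Deny entries are easy to forget and hard to audit later; if the exclusion is permanent, the cleaner design is a second group that simply does not contain test3 and gets the Allow ACE on its own.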


ADMT 3.2


Hello All,

My first question on this forum,

Environment: 1 forest with root domain toto.org and three child domains apac.toto.org, emea.toto.org and nsca.toto.org, DCs on Windows 2008 R2 SP2 up to date, forest and domain functional level 2003, FW on DC domain networks OFF

ADMT server: Windows 2008 R2 SP2, member of domain emea.toto.org, ADMT 3.2, FW domain network OFF, IPv6 disabled by registry

I can migrate users between APAC and NCSA, but when I want to migrate users between APAC/EMEA or NCSA/EMEA I get this message:

2013-01-08 10:15:03 ERR2:7422 Failed to move source object 'CN=TestUserAdmtUS'. hr=0x800706f7  The stub received bad data.
2013-01-08 10:15:03 Operation completed.

Any idea ?

ADFS 2.0 "time window" configuration question


We have problems with ADFS SSO to a cloud service; it seems like their clock/time is sometimes "earlier" than ours and we get an error:

Assertion condition was not fulfilled 2013-01-08T15:19:15.393+01:00 must not be before 2013-01-08T14:19:15.814Z, issueInstant in assertion = 2013-01-08T14:19:15.814Z

Sometimes it works and sometimes not...

Is there a way to configure ADFS to be more "forgiving" or, if not, to set the ADFS servers' clocks at -x seconds/minutes?

Not sure if the above questions would be a good solution... any suggestions would be very welcome!
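The error quoted above is the relying party's NotBefore check: the assertion says it must not be used before 14:19:15.814Z, and the relying party evaluated it at 15:19:15.393+01:00, which is 14:19:15.393Z, so its clock was about 0.4 s behind the ADFS server. With the default skew of zero, any lag at all fails. The added example below, which is not part of the original post, shows the two things to do on an AD FS 2.0 server: measure the clock offset against a time source, and raise the NotBeforeSkew on that one relying party trust so the token's NotBefore is backdated, instead of shifting the server clock (which would also break Kerberos, whose tolerance is five minutes). The relying party display name and the NTP reference host are assumptions.

```powershell
# Added example, not from the original post. AD FS 2.0 cmdlets live in the
# Microsoft.Adfs.PowerShell snap-in; the relying party name is assumed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = 'Cloud Service'   # assumed display name of the relying party trust

# 1. How far is this server from its time source? Run on every ADFS/proxy server.
w32tm /query /status
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly   # assumed reference; use your own NTP source

# 2. Current tolerance on the trust. NotBeforeSkew is in minutes; 0 means the
#    assertion's NotBefore equals its IssueInstant, so any relying party whose
#    clock is even slightly behind rejects it.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, NotBeforeSkew, TokenLifetime

# 3. Backdate NotBefore by 5 minutes for tokens issued to this RP only.
#    Other trusts and the server clock are untouched.
Set-ADFSRelyingPartyTrust -TargetName $rpName -NotBeforeSkew 5

# Confirm.
(Get-ADFSRelyingPartyTrust -Name $rpName).NotBeforeSkew
```

Keep the skew as small as the measured offset justifies: every minute of NotBeforeSkew is a minute during which a captured assertion is accepted earlier than it otherwise would be, so five minutes (matching the Kerberos tolerance) is a sensible ceiling, not a starting point.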

DCPromo and Adprep


My 2003 backup domain controller died; I removed it from AD after a lot of trouble using the ADsutil. I am trying to add another DC using DCPromo but keep getting the message "run Adprep /Forestprep first".

When I try running this on the domain controller using adprep32 /forestprep it says I do not have permission. I am a member of Domain Admins, Enterprise Admins and Schema Admins, but it will not run. Does anyone have any ideas? I am currently running with only one DC.

Here is the message from the command prompt:

C:\support\adprep>adprep32 /forestprep
Adprep was unable to check the current user's group membership.
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Verify the current logged on user is a member of Domain Admins group, Enterprise
 Admins group and Schema Admins group if /forestprep is specified, or is a membe
r of Domain Admins group if /domainprep is specified.

Adprep encountered a Win32 error.
Error code: 0x5 Error message: Access is denied..

Advice on AD design


Hi there,

I've been asked to look into our current AD design. We currently have 200 users across 4 physical sites. There is one domain.

As the business is project based, the sites are increased and decreased in line with what contracts we are working on. We are also looking to acquire some other companies and potentially also sell off some business units.

Our current sites are linked by 100 Mb lines.

In short, we are looking for a flexible design. Would it be worth creating different domains in the forest for the branch office sites and any newly acquired sites?

I appreciate any advice on this.

Thanks,

Al



Creating a custom class/object and using it in active directory


Hi,

I would like to create a new object in my active directory. I can create it via 

mmc->Schema Console->Classes(Right Click)->New Class

and add attributes to it by Right click (Created class) -> Properties.

But how do I create an object of that class in Active Directory via ADUC?

Should I write a vb script and add it via ADSI Edit->Configurations->displaySpecifiers-> ?

Anand

This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

One Way Trust and GPO Processing


With a one-way trust, Domain A trusting Domain B:

Users will reside in Domain B, resources will reside in Domain A, mainly VDI resources.

Will the GPOs from Domain B process if the users log in with Domain B accounts to the Domain A resources?

Setting up home folders on Windows Server 2008 R2 for folder redirection.


Right, I'm not very familiar with GP, but I have been tasked with researching it and finding a way to create home folders when creating new accounts.

I am using Windows Server 2008 R2 and have a mixture of Windows 7 and Windows XP users.

Thanks for any help and guidance on this issue.
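Home folders are a property of the user account (HomeDirectory and HomeDrive), not a Group Policy setting; folder redirection, which the title mentions, is the separate GPO-driven mechanism that moves profile folders such as Documents to a share. The added example below, which is not part of the original post, shows the account-creation step in PowerShell on a 2008 R2 DC: create the user with the home drive attributes populated, create the folder on the file server, and grant only that user (plus whatever the share root already passes down by inheritance) rights to it. The share path, domain name and user are assumptions.

```powershell
# Added example, not from the original post. Assumes a hidden share \\FS01\Home$
# already exists with Administrators/SYSTEM rights on its root, and that the AD
# module (RSAT) is installed on the machine running this.
Import-Module ActiveDirectory

$sam       = 'jdoe'                 # assumed new account
$domain    = 'CONTOSO'              # assumed NetBIOS domain name
$homeShare = '\\FS01\Home$'         # assumed share; hidden so users cannot browse each other's folders
$homePath  = Join-Path $homeShare $sam

# 1. Create the account with the home drive attributes set. Both Windows 7 and
#    Windows XP map HomeDrive to HomeDirectory at logon from the user object.
New-ADUser -Name 'John Doe' -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true `
    -HomeDrive 'H:' -HomeDirectory $homePath

# 2. Create the folder and add a single Modify ACE for the user, inherited by
#    files and subfolders. Nothing is granted to Everyone or Domain Users.
$null = New-Item -Path $homePath -ItemType Directory

$acl  = Get-Acl -Path $homePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$sam",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $homePath -AclObject $acl

# 3. Verify both halves: the attributes on the account and the ACL on the folder.
Get-ADUser -Identity $sam -Properties HomeDirectory, HomeDrive |
    Select-Object SamAccountName, HomeDrive, HomeDirectory
(Get-Acl -Path $homePath).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType
```

If the file server resolves "$domain\$sam" against a DC that has not yet replicated the new account, the FileSystemAccessRule constructor fails with an identity translation error; run the ACL step against a DC that has the object, or wait for replication. Granting Modify rather than Full Control keeps the user from changing the folder's own ACL.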


Windows 7 and AD LDS


Hello

I have installed the AD LDS for windows 7 and I was following this tutorial: AD LDS Getting Started Step-by-Step Guide

But when I try to connect to the instance with the ADSI Editor I get the following error:

Operation failed: Error code: 0x20d6

No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest.

I tested it on a windows server 2008 R2 and it works but on windows 7 it doesn't.

There is only one instance and no forest, so the error is misleading, I tried upper and lower case, to add and remove parameters but nothing.

I can connect to the service with the configuration, rootds and schema but when I try to set a name I get always the same exception.

I have googled it but I didn't find anything useful, somebody has any idea?

Thanks

ADMT migration AD exchange attributes


Hi, I would appreciate some clarification on AD Exchange attributes please. I am about to embark upon an AD and Exchange migration.

I have a test environment with test accounts and test mailboxes. I am using ADMT to migrate users with SID history allowing access to resources in the old domain.

I am reading that in order to attach the migrated Exchange mailbox to the already migrated AD account I must not migrate the Exchange attributes in ADMT when the user goes across.

I just do not have a definitive, up-to-date (Exchange 2010) list of these attributes to exclude in ADMT.

I do not want to migrate the attributes and then use ADModify to clean things up.

Can someone please help me and give me a definitive list, rather than point me to a website that lists all the attributes and their function/purpose? (If it's not too cheeky to ask?)

Much appreciated.

Regards
Nathan

Link for branch down - AD


Hello all,

I have AD running on Windows 2000 (upgrading soon ;-). I have several branches, and in each branch I have a DC. The PDC is in the main office.

Sometimes we encounter issues over the network whereby the link between the main office and one of our branches is down. This affects operations, business, etc. because users are not able to log in on their PCs using their domain credentials.

I want that, when the link is down (between the main office and the branch), users are still able to authenticate and log in using their domain credentials.

When the issue occurs, I have tested the following in one branch:

- From a PC (either XP or Win 7) in the branch, PING the PDC in the main office = TIMEOUT; it's expected as the link is down.

- From a PC in the branch, PING the DC in the branch office = reply OK from ping.

- I have checked the DNS entries on the PCs, and they are OK: the primary is the DC in the branch and the alternate is the DNS server in the main office.

How do I resolve this, that is, allow the users to log in/authenticate via the DC in the branch office when the link between the branch and the main office is down?

Will enabling cached logon resolve this issue, that is, enabling cached logon for the PCs in the branches?

Great to get help ASAP...

Whether the backup domain controller contains MD5 checksum data to source the Sysvol tree


Hi,

I'm documenting a procedure to do a system state backup of our 2003 domain. During that process I've run into a question as to how to name the backup .bkf file. The following Microsoft article documents this at
http://technet.microsoft.com/en-us/library/cc785766(v=ws.10).aspx

For naming the .bkf file, one of the considerations is to know

Whether the backup domain controller contains MD5 checksum data to source the Sysvol tree.

Does anyone know how or where I would go about checking this setting in Active Directory? Is it visible on a domain controller?

Thanks,

Kevin C.

NameErr while connecting ADAM service using ADSI Edit


Hi,

I have ADAM installed on a server to extend the BladeLogic schema for software deployment. I also have local admin access on the server. While connecting to the ADAM partition using ADSI Edit, I get the following error.

Operation failed.Error Code: 0x208d
Directory object not found

0000208D: NameErr:DSID-0310020A, problem 2001
(NO_OBJECT), data 0, best match of:
 'DC=bbca,DC=test'

Can someone help me understand why I get such an error while accessing the ADAM partition?

---Subramani

adminsdholder and account lockout (password attempts)


Server 2008 R2

Will the AdminSDHolder function unlock a privileged account that has been locked out due to maximum password attempts?

Getting error message while using adprep /forestprep


Hi,

I kept the existing Windows 2000 native mode and did not register schmmgmt.dll. I have transferred roles from the Windows 2003 domain controller to the Windows 2008 R2 ADC. The 2003 domain controller (backup) is still running.

I tried to create a 2008 R2 ADC but I am getting an error message while running adprep /forestprep, i.e., "If all existing Windows 2000 Active Directory domain controllers meet this requirement, press C to continue."

I tried to raise the forest level and am getting other error messages, i.e.:

1. Windows 2003 server: "You cannot raise the domain functional level because this domain includes Active Directory domain controllers that are not running the appropriate version of Windows."

2. "You cannot raise the forest functional level. Either this forest includes Active Directory domain controllers that are not running the appropriate version of Windows, or one or more domains are still at Windows 2000 mixed functional level."

Please give me steps to resolve this problem.

---->> Madhu. Y


Which Computer Object attribute can tell me when the object was placed in an OU?


Hello,

Is there an attribute of the Computer object in AD which can tell us when the object was 'placed' in an OU? whenCreated and createTimeStamp indicate the date the object was created, so this would help when an object is first placed in an OU, but if the object is moved to a different OU and back to the original OU, these attributes would not help. Any suggestions?


Thanks for your help! SdeDot

Active Directory ADAM (LDS) Question


Can you still use/sync a Windows 2003 R2 ADAM instance with a Windows 2008 R2 Forest/Domain functional level Active Directory environment? Is ADAMsync still the correct method for doing this?

DNS/Group Policy Issue


My organization is having an issue with GPO application which is possibly caused by DNS. Most directory activity seems to be working fine, but Group Policy is failing to apply on some machines and I have also seen a few other oddities (the ADFS 2.0 web page is not accessible). The issue was first noticed on our terminal servers whenever a policy refresh was attempted. I have run DCDiag on each machine and repadmin /showrepl and have found no problems. All SRV records are in place. Below is an example of one of the events recorded on a terminal server:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1030</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-01-09T19:41:39.810408800Z" />
    <EventRecordID>239617</EventRecordID>
    <Correlation ActivityID="{349861E9-85B2-4F06-8858-4D2262070E3B}" />
    <Execution ProcessID="960" ThreadID="22580" />
    <Channel>System</Channel>
    <Computer>TerminalServer1.domain.local</Computer>
    <Security UserID="S-1-5-21-1606980848-362288127-725345543-19297" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">2130</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">31</Data>
    <Data Name="ErrorCode">110</Data>
    <Data Name="ErrorDescription">The system cannot open the device or file specified.</Data>
    <Data Name="DCName">\\DC.Domain.local</Data>
  </EventData>
</Event>

Any ideas as to why this can occur and why only on certain computers?

Delegation Permission issue in AD


Hi

I have delegated user account management to the helpdesk group on one OU in AD 2008 R2.

But I can see that in that OU some users are not getting the inherited delegation permissions.

I found on the user account that the "Include inheritable permissions from this object's parent" check box is not showing.

How can I force this on every user object in the OU?
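The two AdminSDHolder questions on this page (the lockout one above and this inheritance one) share a mechanism worth seeing in code. Every hour the SDProp task on the PDC emulator copies the security descriptor of CN=AdminSDHolder,CN=System onto every member (direct or nested) of the protected groups, sets adminCount=1 on them and turns inheritance off, which is why the inheritance check box disappears for some users in an OU and why a help desk delegation silently does not apply to them. It rewrites only the security descriptor and adminCount; it does not touch lockoutTime or any other account state, so it has no effect on a locked-out account. The added example below, which is not part of the original post, lists the users in a delegated OU whose DACLs are protected, and shows how to restore inheritance for an account that has since left the protected groups. The OU DN is an assumption; it needs the AD module on 2008 R2 or later.

```powershell
# Added example, not from the original post. The OU DN below is assumed.
Import-Module ActiveDirectory

$ou = 'OU=Helpdesk Managed,DC=contoso,DC=com'   # assumed: the OU delegated to the help desk

# Report every user in the OU with the two facts that decide whether the
# delegation reaches them: adminCount (1 = stamped by SDProp) and whether the
# object's DACL blocks inheritance (AreAccessRulesProtected).
function Get-InheritanceState {
    param([string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                AdminCount         = $_.adminCount
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
}

# Users the help desk delegation will NOT apply to:
Get-InheritanceState -SearchBase $ou |
    Where-Object { $_.InheritanceBlocked } |
    Format-Table -AutoSize

# Re-enable inheritance and clear adminCount for an account that is no longer in
# any protected group. On a current member of Domain Admins, Account Operators,
# etc. this is pointless: SDProp puts the protected descriptor back within an hour.
function Restore-Inheritance {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $path = "AD:\" + $user.DistinguishedName
    $acl  = Get-Acl -Path $path
    # $false = stop blocking inheritance; $true = keep the existing explicit ACEs
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Set-ADUser -Identity $SamAccountName -Clear adminCount
}
```

Run the report first and compare the adminCount=1 accounts against the protected group memberships. Ordinary users that show up there usually left an admin group at some point and simply never had adminCount cleared; those are the ones Restore-Inheritance is for. Accounts that are still privileged should stay protected, and the help desk should not be able to manage them anyway.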

Password policy is active but .......


Hi

In our company domain, we have implemented a password policy for a particular group. In the password policy, the "password should not expire" setting is set, and we found the same policy is effective for the users in that group. But when we check through the command prompt by executing net user /dom abc, where in this instance abc is the user name, it is listed in the command prompt that the password expires on some date.

When we check the user account abc on the DC, the "password never expires" check box in the properties of the particular user account is not greyed out.

We are sure that this group has the particular password policy implemented and found it working too. But why does the command prompt list that the password expires?

Please help me in getting the facts.

Regards

S.Swaminathan


Thanks & Regards S.Swaminathan Live & let others live!!!
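Three different things are being compared in the post above, and they are independent: the per-account "Password never expires" flag (a bit in userAccountControl, never greyed out by a policy), the fine-grained password policy (a PSO) that applies to the group, and what net user /domain prints, which is computed from the domain default policy and does not reflect a PSO. The value the DC actually enforces is the constructed attribute msDS-UserPasswordExpiryTimeComputed. The added example below, which is not part of the original post, pulls all of these for one user so the answer is read from the directory rather than inferred from net user. The user name abc is taken from the post; the domain is assumed. It needs the AD module on a 2008 R2 or later machine.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module;
# 'abc' is the user from the post, everything else is read from the domain.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param([string]$Identity)

    $u = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, PasswordLastSet,
            'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'

    # The PSO that wins for this user; nothing is returned when the domain default applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    # What the DC enforces. Int64.MaxValue (0x7FFFFFFFFFFFFFFF) means "never expires",
    # and cannot be converted with FromFileTime, so handle it before converting.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($null -eq $raw -or $raw -eq [Int64]::MaxValue) { 'never' }
               else { [DateTime]::FromFileTime($raw) }

    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge }

    [pscustomobject]@{
        User                     = $u.SamAccountName
        PasswordNeverExpiresFlag = $u.PasswordNeverExpires        # per-account UAC bit, not set by any policy
        ResultantPSO             = if ($pso) { $pso.Name } else { '(domain default)' }
        MaxPasswordAge           = $maxAge                        # 00:00:00 in a PSO means never expires
        PasswordLastSet          = $u.PasswordLastSet
        EnforcedExpiry           = $expires
    }
}

Get-PasswordExpiryReport -Identity 'abc' | Format-List
```

If ResultantPSO names the group's policy and EnforcedExpiry is "never" while net user still prints a date, the directory is doing what was configured and the command-line tool is the one to stop trusting; if EnforcedExpiry shows a date, the PSO is not actually winning for that user (check msDS-PSOAppliesTo and the precedence of any other PSOs).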
