Channel: Directory Services forum

is it possible to set AD logon hours with half hour like 6.30am to 5.30pm?


"The trust relationship between this workstation and the primary domain failed"

I am an admin in the domain. I forgot the local admin authentication details of my machine. While logging in through the domain I am getting the error:

"The trust relationship between this workstation and the primary domain failed"

Kindly help me with how to overcome this problem. Many applications are configured on this machine. How can I log in through the domain without affecting the apps? Your support will be appreciated.

AD LDS: SSL Connection to ADLDS instance stopped working after applying KB3042058

Hi All,

The SSL connection to our AD LDS instance stopped working after applying KB3042058. Every time I try to make a connection, I receive the error "Operation failed. Error code: 0x8007203a The server is not operational."

At the same time, the following error is created in the system event log of the server:

Source: Schannel
Event ID: 36888
The following fatal alert was generated: 80. The internal error state is 1250.

How can I fix this issue?

Need to create one attribute "grade" in Active Directory in Win 2008 R2

Dear team,

We want to create one attribute in Active Directory.

Attribute name: grade

Please suggest and provide steps on how to do that.

Please help.

Current User Session Details - Against Domain Controllers

Hello,

Can you please assist in getting the details of the current user logon sessions, with source IP address and host name, against specific domain controllers.

I hope I can use the net session command, but I cannot get all the details with it.


D.K Konar. NMS

How can I delegate client management to a specific group?

I have a remote office that should be managed by a specific user (named "Alex") who CANNOT be a member of Domain Admins. This office has a Windows 2012 R2 RODC (named "srv1"), some computers and users.

I've created an organizational unit (named "ou remote") and put the specific users and PCs inside it.

Then I've created a domain local group (called "office admins") and added user Alex.

Srv1 has the "managed by" field set to "office admins", so user "Alex" can log on to the local server and administer it.

I've also set "delegate control" on the organizational unit so the user can reset user passwords, change groups and other things.

The last thing to do is to allow Alex to act as administrator on the PCs he has to manage.

I've tried these things without results:

1) on the "ou remote" I've set "managed by" to group "office admins", but with no effect on the computers

2) set "managed by" to "office admins" on the single client (PC), and still no effect (if I log on to the PC as Alex I do not get admin rights)

3) use of a Restricted Groups GPO to add "office admins" to the local Administrators of each computer, but as this policy deletes all the other users present as administrators, I cannot use it

How can I do it?

Thank you.

Alessadro


alex

Certificate Authority Guidance: New PKI vs Migration

We have an old CA. It's on a domain controller. The domain controllers are all being upgraded to 2012, so the CA must go to a new (non-DC) machine. I am trying to determine which method will easily get me onto a new CA without breaking every existing cert. We publish certs internally for WCF and web services and encrypted email. Also Lync, I believe.

I am seeing two general methods.  This one is to create a new PKI entirely and ease off the old one.  Not what I prefer. Complicated.

http://blogs.technet.com/b/askds/archive/2010/08/23/moving-your-organization-from-a-single-microsoft-ca-to-a-microsoft-recommended-pki.aspx

This method is to simply migrate the existing - which I prefer.  I have 'successfully' tested this in a lab, but I am not sure how our existing certs would fare or how to test. I did test a little with an SSL cert I created and it remained valid through the process, but not sure if this is conclusive.

https://technet.microsoft.com/en-us/library/9aa53be9-0497-49fa-9ff6-09b72cb69444(v=ws.10)

I will be honest. I know I can improve our PKI infrastructure (1 tier), but that's not my objective. My objective is new domain controllers. The Certificate Authority piece is making my head hurt, and I'm just trying to get through it in such a way that my co-workers don't have to re-issue every single cert. We just don't have the resources for a full-on PKI re-do.


A script or a way to assign a GPO to multiple OUs ?

Hi,

I would like to assign/link a specific Group Policy to a specific list of OUs.

As there are many OUs, is there a way to do it without having to configure each OU to apply this GPO?

I am not very good with scripting solutions, so I will really appreciate your help if that is the only solution.

Many thanks


Add Missing Computers To The Essentials Dashboard

How does one add a Computer or 'device' (that is already in AD) so that it is visible from the Essentials Dashboard?

Impersonate as Group Managed Service Account (GMSA) in windows 2012

Dear Microsoft Team,

Have a good day!

Since Windows 2012, a gMSA is created/managed by Windows 2012 with the ActiveDirectory PowerShell module. A service can be started by logging on with the gMSA, and it doesn't need the password to be changed manually. That's great.

However, we have encountered a problem and need your help. Here are our steps:

(1) We created a gMSA on the Domain Controller, and this gMSA can be used on Machine A and Machine B;

(2) There is a SQL Server 2014 on Machine A, and we added this gMSA as a SQL Server login;

(3) We wrote a program (it is NOT a Windows Service) and this program runs on Machine B. It connects to SQL Server via Windows Authentication. We want to use this gMSA account to connect to SQL Server, so we try to impersonate the gMSA user in the program.

+++++++++++++++++++++++++++++++++++++++++++++

#include <windows.h>
#include <iostream>
using std::cout;
using std::endl;

// Try to obtain a logon token for the gMSA (account name ends with '$')
// and impersonate it on the calling thread.
BOOL IMPERSONATE_USER()
{
    HANDLE tokenHandle = NULL;
    // The gMSA has no password we can supply here, so an empty one is passed.
    BOOL bRet = LogonUser(TEXT("IcekingTest$"), TEXT("testcom"), TEXT(""), //s_URLUserName, s_URLDomain, s_URLPassword,
        LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, &tokenHandle);
    //BOOL returnValue = LogonUser(TEXT("IcekingTest"), TEXT("testcom"), TEXT(""), //s_URLUserName, s_URLDomain, s_URLPassword,
    //    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &tokenHandle);
    if (!bRet)
    {
        // Win32 error code explains why the logon was rejected.
        cout << "error logon: " << GetLastError() << endl;
        return false;
    }
    if (!ImpersonateLoggedOnUser(tokenHandle))
    {
        cout << "Impersonate failed!" << endl;
        CloseHandle(tokenHandle);
        return false;
    }
    // The thread keeps impersonating after the token handle is closed.
    CloseHandle(tokenHandle);
    return true;
}

+++++++++++++++++++++++++++++++++++++++++++++


It fails, and the output is as follows:

+++++++++++++++++++++++++++++++++++++++++++++

error logon: 1326

+++++++++++++++++++++++++++++++++++++++++++++


Error 1326 means:

+++++++++++++++++++++++++++++++++++++++++++++

ERROR_LOGON_FAILURE

1326 (0x52E)

The user name or password is incorrect.

+++++++++++++++++++++++++++++++++++++++++++++


Our question is: if our program is NOT a Windows service, how does the program impersonate the gMSA account? Or, how can we use the gMSA account in a program which is not a Windows service?


Best regards,

Iceking

Windows 10 cannot join domain or access shares - The specified network name is no longer available (System error 64)

Hi All,

I have a peculiar problem that I cannot seem to understand. I suspect there must be something wrong with our domain configuration, as no Windows 10 machine (upgraded or clean install) is able to join (or re-join) the domain, or access any file shares on any servers. The error message is always the same:

System error 64 has occurred.
The specified network name is no longer available

Checks that I've completed:

  • Windows 7 on the same machine/network OK
  • Windows 10 upgrade is not okay, Windows 10 clean install also unable to join the domain
  • ip, DNS config, DNS suffix OK
  • nslookup domain.local OK
  • nslookup domain controllers OK
  • ping domain OK
  • ping domain controllers OK
  • net use \\DC\Netlogon returns the same error
  • gpupdate returns the same error (see below)
  • No suspicious errors in the event log
  • Raised domain functionality level to Windows Server 2008 R2 
  • IPv6 enabled everywhere
  • DFS is enabled on the DCs
  • UNC hardening turned on/off (RequireMutualAuthentication=0, RequireIntegrity=0), didn't help

We have Windows SBS 2011 and Windows 2008 R2 domain controllers. The servers are hosted with only IPv4 VPN communication enabled, with site-to-site tunneling between the offices. However, nothing changed in the network infrastructure since we tried upgrading the Windows 7 computers.

The full GPUPDATE error message:

Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{UID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

I found this thread to be quite useful and seemingly people are having the same problem, however it didn't resolve my issue:
https://community.spiceworks.com/topic/1119601-windows-10-group-policy-issue

Some people even hinted that it is a Win10 bug that wasn't yet solved in the Threshold 2 update.

Is there anyone out there who could help me? :)

AD all containers empty

I look after a small domain with two DCs. The Operations Master's Active Directory Users and Computers snap-in shows nothing in any of its containers.

Fortunately the secondary DC is working and is authenticating users to the domain.

As a very part-time administrator, what can I check/do about this situation?

Thanks, Lost


User access and two forests

I have two separate forests with transitive trusts between them. I have a user in Forest A, in a child domain, that I want to make a member of Forest B's Distributed COM Users, Event Log Readers, and Server Operators groups. The forests are 2008 R2. Is this possible? I've tried to add the user to the groups and it drops in with the symbol for a Foreign Security Principal. What am I missing? I've also tried to create a universal group and add it to the other groups. Each time, I get access denied from the application that is trying to authenticate with the Forest A user in the child domain.

Any help would be greatly appreciated. 

Any issues mixing 2003 and 2012 DCs?

Greetings,

We are finally going to begin our migration but unfortunately I cannot do it quickly.

So after we install our first 2012 DC (latest version and all patches) into our existing W2K3 DC domain, are there any issues, or will it all just work? I'm guessing the latter; I did read a post about authentication issues, but apparently there's a hotfix for that now.

Thanks

David Z

I am blocked

How do my accounts get blocked? I am blocked out of my bank. Help.

AD login details

Hi,

We are using Windows Server 2008; it has around 200 users in AD. Now we need one report of when users are logging in to their systems in the morning and when they are logging off from AD.

I searched on Google and found some VBScript, but I would like to know of some open source program which can provide us a good, user-friendly report in an Excel file. Also, I would like to implement the same logging-in and logging-out times inside the Lync messenger too.

You can suggest any third party tool as well as any open source too.

Thanks

NS Lookup Default Server: Unknown

I am sure this is a topic that has probably had its horse beaten by hundreds, if not thousands of people, and I have read all the topics and done what most have asked. Here is the problem.

When I navigate to the Reverse Lookup section and edit the Name Server record which holds the IP coming up in NSLOOKUP, the message reads "The server with this IP address is not authoritative for the required zone."

The results of my NSLOOKUP are those of the parent server that holds the forest. The server that the NSLOOKUP is being performed on is a child domain of that server. So 192.168.1.30 always comes up as unknown.

I have also added a simple PTR record, which still won't produce the name in the lookup.

Any suggestions? You guys have been wonderful with your help so far.

Domain user can't access his profile on file server

We have a medium-sized domain with about 400 users, and sometimes a particular phenomenon happens to some users. Whenever the user tries to log in with his account on any computer in our domain, he can't seem to be able to access his own profile from the file server (which is where user profiles are redirected); he is instead logged in with a temp profile. Occasionally this happens to some users and I have no idea why. The user himself doesn't have any special group policy set up on him that others (who don't seem to have this problem) don't have. We're running Windows Server 2008 R2 servers. The weird thing is that I can access the profile (when it's created) on the file server whilst logged on as the affected user through the path "\\fileserver\profiles\user01profile\", and I can fully control the files owned by that user in that location. When I log in as the user I get a Windows message saying that it was unable to access the user profile and thus created a temp profile instead.

Could there be some particular reason why some users get corrupted like that, and perhaps some sort of fix or diagnostic that I could check out?


Smart Card Authentication Failing For Just One Domain Controller

Guys,

We're a bit stumped on this one. Recently we replaced one of our DCs (demoted, new hardware, same name/IP, promoted again), and now whenever clients (Win7) hit that DC for smart card authentication they fail with a generic message on the client and a corresponding DC log entry (example below).

We've checked certificates and that doesn't seem to be the issue; the DC is getting them correctly from the CA and they go to the proper stores. And this only happens on this one DC, so we've shut it down for now to alleviate the problem.

Not sure what else it could be, any help would be appreciated!

Thanks!!

SourceName=Microsoft Windows security auditing.
EventCode=4771
EventType=0
Type=Information
ComputerName=xxx.xxx.xxx
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=52904702
Keywords=Audit Failure
Message=Kerberos pre-authentication failed.

Account Information:
Security ID: {DOMAIN}\{USERNAME}
Account Name: {USERNAME}

Service Information:
Service Name: krbtgt/{DOMAIN}

Network Information:
Client Address:::ffff:xxx.xxx.xxx.xxx
Client Port: 53904

Additional Information:
Ticket Options:0x40810010
Failure Code: 0x4b
Pre-Authentication Type:15

Certificate Information:
Certificate Issuer Name:{INTERMEDIATE CERT NAME}
Certificate Serial Number: xxxxxxx
Certificate Thumbprint:xxxxxxx

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


SChannel: How can I add custom cryptographic functions?


I want to add an additional cryptographic function to be utilized by SChannel; let's call it TLS_DHE_RSA_WITH_AES_128_CBC_SHA.

How would I do that?


Still people out there alive using the keyboard?

Working with SQL Server/Office/Windows and their poor keyboard support they seem extinct...
