Channel: Directory Services forum
Viewing all 31638 articles

KB3081320 - effect on domain clients' Schannel negotiation


Hi.

KB3081320 - https://support.microsoft.com/en-us/kb/3081320

In the known issues for this update it is advised that:

This update makes changes that are required for the Extended Master Secret Transport Layer Security (TLS) extension. These changes will break any existing Cryptographic Next Generation (CNG) SSL providers. We recommend that you work with your vendor to update your CNG SSL providers. In the meantime, to work around this issue, you can edit the registry to disable the Extended Master Secret extension.

I was wondering will this update affect secure channel negotiation between AD client computers and the domain, assuming we do not issue client certificates to domain computers, but do use secure LDAP communication.

Thanks in advance.
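One check that a domain member can run before and after the update, added here as an example and not part of the original post: the Netlogon secure channel that joined computers use to authenticate to the domain does not go through Schannel/TLS at all, so the Extended Master Secret change only reaches TLS consumers such as secure LDAP. The script below (my own; the DC name is a placeholder) performs a TLS handshake against port 636 with certificate validation left on and reports what this client's Schannel actually negotiated, which is what would change if a CNG SSL provider broke.

```powershell
# Added example, not from the thread. Connects to a DC over LDAPS and reports the
# negotiated TLS parameters; run it from a domain member before and after KB3081320.
param(
    [string]$DomainController = 'dc01.example.local',   # assumption: replace with a real DC
    [int]$Port = 636
)

$client = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $client.Connect($DomainController, $Port)
    # leaveInnerStreamOpen = $false; the default validation callback is kept, so a
    # certificate the client does not trust is reported as a failure, not hidden.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($DomainController)

    [pscustomobject]@{
        Server                = "${DomainController}:$Port"
        Protocol              = $ssl.SslProtocol
        Cipher                = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        Hash                  = $ssl.HashAlgorithm
        KeyExchange           = "$($ssl.KeyExchangeAlgorithm) $($ssl.KeyExchangeStrength)-bit"
        CertificateSubject    = $ssl.RemoteCertificate.Subject
        CertificateExpires    = $ssl.RemoteCertificate.GetExpirationDateString()
        # $false is expected when no client certificate is issued to domain computers
        MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated
    }
}
catch [System.Security.Authentication.AuthenticationException] {
    Write-Error "TLS handshake with ${DomainController}:$Port failed: $($_.Exception.Message)"
}
catch [System.Net.Sockets.SocketException] {
    Write-Error "Cannot reach ${DomainController}:$Port : $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}
```

Save it as a .ps1 and run it with -DomainController for each DC that answers LDAPS. A handshake that succeeded before the update and fails with an AuthenticationException afterwards, on a client running a third-party CNG SSL provider, is the known-issue case the KB describes.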


Event log Subscription Query


Hi,

I have 12+ domain controllers in my prod environment and I need to enable event log subscription on all my DCs to forward the security event log to a central location. The purpose of this is that I need to capture all security logs, so that it will be easy for me to check if anyone is performing unwanted activities on the DCs like additions, deletions, etc.

OS : Windows server 2008 R2 SP1

Can anyone suggest whether this is the right way?

Also, please let me know all the prerequisites required to configure this.
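The pieces a source-initiated Windows Event Forwarding setup needs, shown as an added example rather than anything from the thread: a collector running the Windows Event Collector service with a subscription that only accepts Domain Controllers as sources, and on each DC a WinRM listener, the Subscription Manager policy pointing at the collector, and read access on the Security log for Network Service, which does the forwarding. The collector name, subscription name and the event ID list are my assumptions; the ID list is the set that answers "who created, deleted or changed what".

```powershell
# Added example, not part of the thread: source-initiated WEF for DC security events.
# Collector name, subscription name and event IDs are assumptions.
$Collector        = 'wec01.example.local'
$SubscriptionName = 'DC-Security-AccountChanges'

# 4720/4726 user created/deleted, 4738 user changed, 4724 password reset by another user,
# 4740 lockout, 4728/4729 4732/4733 4756/4757 member added/removed (global/local/universal),
# 4670 permissions on an object changed.
$EventIds = 4720,4726,4738,4724,4740,4728,4729,4732,4733,4756,4757,4670

function Initialize-Collector {
    # Run on the collector (2008 R2 or later).
    $select = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wec">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log events from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[($select)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
    # The SDDL above admits only members of Domain Controllers (well-known alias DC) as sources.
    winrm quickconfig -quiet
    wecutil qc /q:true                      # enable and start the Windows Event Collector service
    $path = Join-Path $env:TEMP "$SubscriptionName.xml"
    [System.IO.File]::WriteAllText($path, $xml)
    wecutil cs $path                        # create-subscription
    wecutil gr $SubscriptionName            # runtime status: which DCs have checked in
}

function Initialize-Source {
    # Run on each DC; in practice push the same settings with a GPO linked to the
    # Domain Controllers OU rather than by hand.
    winrm quickconfig -quiet
    # Same value the GPO "Configure target Subscription Manager" writes
    # (Computer Configuration > Administrative Templates > Windows Components > Event Forwarding).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '1' -Value "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
    # Forwarding runs as Network Service (S-1-5-20), which cannot read the Security log by default.
    # Append a read-only ACE (0x1) to the channel SDDL; assumes the default SDDL with no S: section.
    $sddl = ((wevtutil gl Security) | Select-String '^channelAccess:').Line -replace '^channelAccess:\s*', ''
    if ($sddl -notmatch 'S-1-5-20') {
        $arg = "/ca:${sddl}(A;;0x1;;;S-1-5-20)"
        wevtutil sl Security $arg
    }
    gpupdate /force | Out-Null              # makes the forwarder re-read the Subscription Manager setting
}
```

Verify from the collector with wecutil gr followed by the subscription name: each DC should appear as Active, and Get-WinEvent -LogName ForwardedEvents should start showing the selected IDs. The audit policy itself is a separate prerequisite; if "Audit account management" and "Audit directory service changes" are not enabled on the DCs, there is nothing to forward.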




Updating Java security exceptions without removing custom sites


On our network, we have an internal site that runs several Java applets. These applets require elevated permissions, and also require the primary site to be added to the Java site exceptions list. It's been a bit of a nightmare internally since if a user moves to another computer on the domain, the setting would not be there, and would have to be entered manually. To alleviate this, we added the file "exception.sites" to our domain, and have it added to the "%userprofile%\appdata\locallow\sun\java\deployment\security" folder, and the file is pushed out via Group Policy to every domain-connected computer. Now, when a user signs in, the setting will be present and does not need to be manually entered.

However, this also presents a problem. The setting in the group policy is currently set to "Replace". This means that when a user adds a custom site as an exception, the site is removed the next time their main workstation refreshes the group policy. Is there a way to enforce this file so our internal site remains as an exception, but not wipe out any custom sites added per user?

Example: Our internal site is "Site.domain.com." The user adds "Site2.domain2.com." If the user logs back in, or restarts their computer, the Java settings will only show "Site.domain.com." as an exception. We want to avoid this.
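A Group Policy Preferences file item, whether set to Replace or Update, writes the whole file, so it cannot keep per-user additions. The alternative is to deploy a user logon script that merges the mandated entry into whatever exception.sites already contains. The script below is an added example, not from the thread; the site URL is a placeholder taken from the post, and the exact-string comparison assumes the required URL is written the same way Java writes it (scheme, host and port).

```powershell
# Added example, not part of the thread: merge required entries into the user's
# exception.sites instead of replacing the file. Site URLs are placeholders.
function Merge-JavaExceptionSites {
    param(
        [string[]]$RequiredSites = @('https://site.domain.com'),
        [string]$Path = (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\security\exception.sites')
    )
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }

    # Java keeps one URL per line. Keep the user's lines in their original order and
    # drop blanks/duplicates; compare case-insensitively so "Site.domain.com" is not re-added.
    $merged = New-Object System.Collections.Generic.List[string]
    if (Test-Path $Path) {
        foreach ($line in Get-Content -Path $Path) {
            $t = $line.Trim()
            if ($t -ne '' -and -not ($merged | Where-Object { $_ -ieq $t })) { $merged.Add($t) }
        }
    }
    $changed = $false
    foreach ($site in $RequiredSites) {
        if (-not ($merged | Where-Object { $_ -ieq $site })) { $merged.Add($site); $changed = $true }
    }
    if ($changed -or -not (Test-Path $Path)) {
        # plain UTF-8 without BOM, matching what Java writes itself
        [System.IO.File]::WriteAllLines($Path, $merged.ToArray(), (New-Object System.Text.UTF8Encoding $false))
    }
    return $merged
}

Merge-JavaExceptionSites | ForEach-Object { "exception.sites: $_" }
```

Deploy it as a user logon script (Computer Configuration or User Configuration > Policies > Windows Settings > Scripts) and remove the GPP file item, which would otherwise keep overwriting the merged result on the next refresh.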


Reporting/Querying Active Directory - Accounts with User Must Change Password


Our personnel vendor decided that all employees need a login account (even those who work in the field and do not regularly use a computer). Therefore, they used our identity management solution and created some 2000 accounts in our AD infrastructure. And now, they want us to identify all these accounts by querying Active Directory for any user who has the "User Must Change Password at Next Login" selected.  I looked through the AD query wizard and do not see that field as an option. 

Can anyone tell me a good way to do this?

Thanks,

John M. - City of Denver

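The checkbox is not a separate attribute, which is why the query wizard does not list it: "User must change password at next logon" is stored as pwdLastSet = 0. The following is an added example, not something from the thread; the search base, the creation-date cut-off and the CSV path are assumptions. It also separates out the accounts that have never logged on, which still carry the initial password the vendor set.

```powershell
Import-Module ActiveDirectory
# Added example, not from the thread: list users whose "must change password at next logon"
# flag is set (pwdLastSet = 0). Search base, cut-off date and output path are assumptions.
function Get-MustChangePasswordUser {
    param(
        [string]$SearchBase = 'DC=example,DC=local',
        [datetime]$CreatedSince = (Get-Date).AddDays(-30),   # the vendor's bulk load was recent
        [switch]$IncludeDisabled
    )
    $filter = '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))'
    if (-not $IncludeDisabled) {
        # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; userAccountControl bit 0x2 = ACCOUNTDISABLE
        $filter = '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    }
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties whenCreated, lastLogonTimestamp, description |
        Where-Object { $_.whenCreated -ge $CreatedSince } |
        Select-Object SamAccountName, Name, Enabled, whenCreated, description,
            @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp -gt 0) { [datetime]::FromFileTime($_.lastLogonTimestamp) } } } |
        Sort-Object whenCreated
}

$users = Get-MustChangePasswordUser
$users | Export-Csv -NoTypeInformation -Path .\must-change-password.csv
"{0} accounts flagged, {1} of them never logged on" -f $users.Count, @($users | Where-Object { -not $_.LastLogon }).Count

# Never-used accounts with a vendor-known initial password are safer disabled until an owner
# is confirmed. Dry run; drop -WhatIf to apply.
$users | Where-Object { -not $_.LastLogon } | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

lastLogonTimestamp is replicated but only updated when the previous value is more than about 14 days old, so treat LastLogon as "has logged on at some point", not as a precise last-use time.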

Using Microsoft LAPS and Deep Freeze


Hi,

I have a question about using Microsoft LAPS in an environment where Deep Freeze is in use on 250+ Windows 7 clients. Is it possible to allow LAPS to only update the password during the thawed window defined in Deep Freeze?

Mike

Windows Server 2016 TP4 cannot install from a USB disk


hi

I've downloaded Windows Server 2016 TP4 and made USB install media from the ISO, but when I install it on my PC, while the install window is starting, it reports an error:

"Could not find install.wim..." and so on.

I can install it in a Hyper-V VM by mounting the ISO, and I can install TP3 from the USB disk. Does anyone have the same problem, or know the reason or a workaround? Thank you.

Script to change home directory


I need to substitute a server address with a DFS one in each user's home directory. Unfortunately only a portion of the string is constant. Bellow is an attempt in Powershell that works but is clumsy. Is there a better way?

# read the current value, e.g. \\oldserver\home\bguest
$hdir = (Get-ADUser bguest -Properties *).HomeDirectory
# regex: "\\" then everything up to the last "\"; the replacement keeps its backslashes
# doubled because .NET only treats "$" specially in replacement strings, not "\"
$hdir = $hdir -replace "\\\\.*\\", "\\\\ad.company.com\\lfl\\"
# collapse the doubled backslashes by going via "-" and back
$hdir = $hdir -replace "\\", "-"
$hdir = $hdir -replace "--", "-"
$hdir = $hdir -replace "-", "`\"
Set-ADUser bguest -HomeDirectory $hdir

Any pointers are greatly appreciated
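The detour through dashes exists only because the replacement string was written with doubled backslashes: in a .NET regex replacement the backslash is not an escape character, so a single-quoted literal path works directly. Below is an added example, not from the thread, of the same rewrite as one regex, applied to every user under an OU as a dry run; the DFS root and OU are placeholders taken from the post.

```powershell
Import-Module ActiveDirectory
# Added example, not part of the thread: rewrite the server part of HomeDirectory to a DFS
# root with a single -replace. DFS root and search base are assumptions.
function Convert-HomeDirectory {
    param([string]$Path, [string]$NewRoot = '\\ad.company.com\lfl')
    # Match "\\<anything up to the last backslash>" and keep the leaf (the user's folder).
    # Capture group 1 is the leaf; the replacement string needs no escaping of "\".
    if ($Path -match '^\\\\.*\\([^\\]+)$') { return "$NewRoot\$($Matches[1])" }
    return $Path   # blank, local or otherwise unexpected values are left untouched
}

function Update-HomeDirectories {
    param([string]$SearchBase = 'OU=Staff,DC=ad,DC=company,DC=com', [switch]$Apply)
    Get-ADUser -SearchBase $SearchBase -Filter 'HomeDirectory -like "*"' -Properties HomeDirectory |
        ForEach-Object {
            $old = $_.HomeDirectory
            $new = Convert-HomeDirectory -Path $old
            if ($new -ne $old) {
                "{0}: {1} -> {2}" -f $_.SamAccountName, $old, $new
                if ($Apply) { Set-ADUser -Identity $_ -HomeDirectory $new }
                else        { Set-ADUser -Identity $_ -HomeDirectory $new -WhatIf }
            }
        }
}

# sanity checks on the transform alone, no directory access needed
Convert-HomeDirectory -Path '\\oldserver\home\bguest'          # \\ad.company.com\lfl\bguest
Convert-HomeDirectory -Path '\\ad.company.com\lfl\bguest'       # unchanged
Convert-HomeDirectory -Path 'D:\local\bguest'                   # unchanged

Update-HomeDirectories            # dry run; add -Apply once the output looks right
```

The attribute change does not move any files: the DFS folder target must already point at the data, or the users will log on to an empty home directory.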


PCs still accessible remotely even after being disabled


Hi All,

I recently disabled a couple of unused PCs in AD. I have noticed that I'm still able to access them remotely even after disabling them. Kindly advise. Thanks in advance.



SceCLI 1202 - Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.


Hi,

Server 2012 R2 Domain Controller:

I get this error :

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.    Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.    Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.    Start -> Run -> RSoP.msc
b.    Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.    For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.    Remove unresolved accounts from Group Policy

a.    Start -> Run -> MMC.EXE
b.    From the File menu select "Add/Remove Snap-in..."
c.    From the "Add/Remove Snap-in" dialog box select "Add..."
d.    In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.    In the "Select Group Policy Object" dialog box click the "Browse" button.
f.    On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.    For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

---------------------------------------------------------------

Error 1332: No mapping between account names and security IDs was done.
     Cannot find IIS_WPG.

I can see that the account IIS_WPG is the problem.

RSOP.MSC:

Local Security Policy:

So I can't remove this account, since it doesn't even show up. How do I proceed?
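RSoP only lists settings that currently apply to the machine; a reference sitting in a GPO that is no longer linked, or in the DC's local security template, still gets processed by SceCli but never appears there. The script below, an added example and not from the thread, searches every GptTmpl.inf under SYSVOL plus the local template for the name from winlogon.log and maps each hit back to a GPO display name. The account name is the one from the post; the domain is taken from the environment and the rest is assumption.

```powershell
# Added example, not part of the thread: find every security template that still names an
# account that no longer resolves to a SID. IIS_WPG comes from the winlogon.log excerpt.
Import-Module GroupPolicy -ErrorAction SilentlyContinue

function Find-UnresolvedPolicyAccount {
    param([string]$Name = 'IIS_WPG', [string]$Domain = $env:USERDNSDOMAIN)

    # Same lookup SceCli performs; IdentityNotMappedException is the 0x534 / 1332 case.
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Name)).Translate([System.Security.Principal.SecurityIdentifier])
        Write-Warning "$Name resolves to $sid; the unresolved name in winlogon.log may be a different one"
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Verbose "$Name does not map to a SID (expected)"
    }

    # Security Settings of every domain GPO live in GptTmpl.inf under SYSVOL ...
    $files = @(Get-ChildItem "\\$Domain\SYSVOL\$Domain\Policies" -Recurse -Filter GptTmpl.inf -ErrorAction SilentlyContinue)
    # ... plus the machine's local policy, which is applied last and is not shown by RSoP's Source GPO column.
    $local = "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (Test-Path $local) { $files += Get-Item $local }

    foreach ($f in $files) {
        $lines = Get-Content -Path $f.FullName        # UTF-16 with BOM; Get-Content honours the BOM
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -notmatch [regex]::Escape($Name)) { continue }
            $gpo = '(local policy)'
            if ($f.FullName -match '\{([0-9A-Fa-f-]{36})\}') {
                try   { $gpo = (Get-GPO -Guid $Matches[1] -ErrorAction Stop).DisplayName }
                catch { $gpo = "{$($Matches[1])} (GPO object not found)" }
            }
            [pscustomobject]@{ GPO = $gpo; File = $f.FullName; Line = $i + 1; Text = $lines[$i].Trim() }
        }
    }
}

Find-UnresolvedPolicyAccount -Name 'IIS_WPG' | Format-Table -AutoSize

# The names SceCli could not resolve on this machine, for comparison:
Select-String -Path "$env:SystemRoot\Security\Logs\winlogon.log" -Pattern 'Cannot find' | Select-Object -ExpandProperty Line
```

A hit in the [Privilege Rights] section is a User Rights Assignment entry; one in [Group Membership] is a Restricted Groups entry. Remove the name from that GPO in the Group Policy Management Editor (or from the local policy with secpol.msc), run gpupdate /force, and confirm the next SceCli event is 1704 rather than 1202.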

W2K3


Hi.

A few years ago, I installed 2 Windows 2003 Standard DCs, 1 Exchange 2007 server and other servers at our customer.
In AD DS, I configured 2 domains: something.local and something.it.
Now I would like to add another domain, anythingelse.com (required by Microsoft Support to migrate to Office 365), which is already configured on Exchange 2007 as an accepted domain (there are 20 mailboxes).
If I add the new domain via dcpromo, could there be problems with the mailboxes xxx@anythingelse.com?

Thank you very much

UserSharedFolder Attribute


Hi

Can someone please provide detailed description of "UserSharedFolder" attribute of user object in Active Directory.

The following definition is available on MSDN "The attribute specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \\server\share\directory".

However, there's no example provided to make it clear what the purpose or use of this attribute is.

Can we populate this attribute to map a drive for our users? 

Thanks

Taranjeet Singh


zamn

Multiple problems with Active Directory - 2008 r2 - At the end of my rope


Hi all,

I'm completely lost with errors on a  Server 2008 r2 AD.

Here's my symptoms:

  • Computers are losing the trust relationship and cannot rejoin. Error: "The following error occurred attempting to join the domain "domain.local": Cannot complete this function"
  • Hundreds of errors every minute in the System log, Event 12292: "The SAM database was unable to lockout the account of Guest due to a resource error, such as a hard disk write failure (the specific error code is in the error data). Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above."
  • Unable to make any changes in AD. I can't disable accounts, edit groups, add users, delete users, etc. Any attempt to make a change to an AD item results in: "Windows cannot ... because: An internal error occurred."
  • AD is not replicating to the other DC. Attempts to replicate give the error "The target principal name is incorrect".

This seems to have started over the weekend or late Friday. I was told that one PC that lost trust relationship started on Sunday.

The only change I've made recently is resetting WSUS because it had stopped working. That was early last week, and after its initial sync it was running alright, except for using tons of memory.

No idea where to go with this. I'm a novice at Win server.
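Event 12292 says the SAM/AD database could not write, and the WSUS reset is a plausible way to fill the volume that holds ntds.dit and its logs; "target principal name is incorrect" between DCs is a Kerberos/secure-channel failure, which clock skew or a broken DC computer account password both produce. The script below is an added first-pass triage, not from the thread, that checks those things before anything is changed. It reads the database paths from the registry and calls the standard tools; the only assumption is that it runs as a domain admin on the affected DC.

```powershell
# Added example, not part of the thread: collect the evidence for the symptoms in the post
# (disk space under the AD database, 12292 rate, time sync, replication, secure channel).
function Test-DcHealth {
    # Paths of ntds.dit, its transaction logs and the working directory
    $ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $paths = @($ntds.'DSA Database file', $ntds.'Database log files path', $ntds.'DSA Working Directory') |
             Where-Object { $_ } | Select-Object -Unique
    foreach ($p in $paths) {
        $driveName = ([System.IO.Path]::GetPathRoot($p)).TrimEnd('\', ':')
        $drive = Get-PSDrive -Name $driveName
        "{0,-50} free {1,8:N0} MB" -f $p, ($drive.Free / 1MB)
        if ($drive.Free -lt 500MB) { Write-Warning "Volume $driveName is nearly full; 12292 'resource error' fits this" }
    }

    # How hot is the 12292 storm right now?
    $since = (Get-Date).AddHours(-1)
    $n = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12292; StartTime = $since } -ErrorAction SilentlyContinue).Count
    "SAM event 12292 in the last hour: $n"

    # Kerberos tolerates 5 minutes of skew; check every DC's offset
    w32tm /monitor

    # Replication and DC diagnostics (read-only)
    repadmin /replsummary
    repadmin /showrepl
    dcdiag /test:Advertising /test:KccEvent /test:Replications /test:MachineAccount /test:Services /q

    # This DC's own secure channel to the domain
    nltest /sc_query:$env:USERDNSDOMAIN
}

Test-DcHealth | Tee-Object -FilePath "$env:TEMP\dc-triage.txt"
```

Read the output in that order: if the NTDS volume is full, free space first (the WSUS content and database are the obvious candidates) and most of the other symptoms stop on their own; if replication still fails afterwards, the repadmin and dcdiag sections identify which DC pair and which naming context to look at next.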

Need to keep domain controllers' IP addresses after upgrade from 2008 R2 to 2012


Good evening,

We have many servers and devices, including Linux servers, that have the IP addresses of the domain controllers at different sites embedded in each device. Is there a step-by-step guide on how to upgrade the 2008 R2 servers to 2012 servers and keep the same IP addresses on the newly created Windows 2012 servers? We are upgrading to 2012, not 2012 R2, because we still have Exchange 2010. I would like to know if this is possible and, if so, what the procedure is.

Thanks and have a great evening.

Deny users from a certain AD container from being members of the local Administrators group


Hello.

In our company, users' domain accounts are not members of the local Administrators group on the computers they use. Some of them have a separate local account that is a member of the local Administrators group. Is there a way to prevent them from adding their domain account to local admins? Is it possible to deny members of an AD container from being in the local Administrators group, or somehow deny local admins from managing local Administrators membership?

Thanks!
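Group Policy cannot stop a local administrator from editing the local Administrators group, but Restricted Groups ("Members of this group" on BUILTIN\Administrators) re-applies the intended membership on every policy refresh, which is the enforcement that removes anything a user added. The detection side is an added example, not from the thread: it enumerates the local Administrators group on each computer in an OU and reports domain user accounts found there. The OU, domain and the list of groups that are expected to be members are assumptions.

```powershell
Import-Module ActiveDirectory
# Added example, not part of the thread: report domain user accounts that have been added to
# the local Administrators group on domain computers. OU and domain name are assumptions.
function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name for domain principals, WinNT://COMPUTER/name for local ones
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Computer = $ComputerName
            Source   = $parts[0]
            Member   = $parts[1]
            Class    = $class                              # User or Group
            IsLocal  = ($parts[0] -ieq $ComputerName)
        }
    }
}

function Find-DomainUsersInLocalAdmins {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=example,DC=local',
        [string]$Domain = $env:USERDOMAIN
    )
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase | ForEach-Object {
        $computer = $_.Name
        try   { Get-LocalAdminMember -ComputerName $computer }
        catch { Write-Warning "${computer}: $($_.Exception.Message)" }
    } |
    # domain accounts only, and individual users rather than the groups policy is expected to place there
    Where-Object { -not $_.IsLocal -and $_.Source -ieq $Domain -and $_.Class -eq 'User' }
}

$hits = Find-DomainUsersInLocalAdmins
$hits | Export-Csv -NoTypeInformation -Path .\domain-users-in-local-admins.csv
"{0} domain user(s) found in local Administrators" -f @($hits).Count
```

Membership is read with the WinNT provider, so the computer must be on and reachable on the usual SMB/RPC ports; unreachable machines are reported as warnings rather than silently skipped. Security event 4732 (member added to a security-enabled local group) on the workstations gives the same information in real time if it is collected.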

Using a public DNS name internally that is owned by someone else


My company, call it CompanyA, is using an internal active directory namespace (and DNS) of CompanyA.net.  This domain is used to access internal resources for a subset of the user population.

However, CompanyA does not own the public domain CompanyA.net.  It is owned and registered by a third party who controls the DNS server.  CompanyA's desktop and laptop machines are configured with a dns suffix search order which includes CompanyA.net. So, considering that laptops walk out of the building and connect externally, it strikes me as a ... questionable practice.

I am suggesting that CompanyA should purchase CompanyA.net from the owner of that domain in order to prevent DNS hijacking, connectivity issues, and the sort, but I am having trouble articulating why this is a good idea.

Could anyone please help me out with reasons or language or maybe some blogs or references which would explain why it is a good idea to own the public DNS name spaces which are used internally?


Need some assistance deciphering event ID 4933


So here is the event:

I am not sure why this is registering as an Audit Failure.  Can anyone shed some light on this?  Replication is running in this domain without issue as far as I have been able to tell

05/11/12 03:39:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4933
EventType=0
Type=Information
ComputerName=xxxxxx.xxxxxx.xxxxx
TaskCategory=Directory Service Replication
OpCode=Info
RecordNumber=41163985
Keywords=Audit Failure
Message=Synchronization of a replica of an Active Directory naming context has ended.
Destination DRA: CN=NTDS Settings,CN=xxxxxxx,CN=Servers,CN=xxxxxxxxxx,CN=Sites,CN=Configuration,DC=xxxxxx,DC=xxxxxx
Source DRA: CN=NTDS Settings,CN=xxxxxxx,CN=Servers,CN=xxxxxxxxxxx,CN=Sites,CN=Configuration,DC=xxxxxx,DC=xxxxxx
Naming Context: DC=xxxxxxx,DC=xxxxx,DC=xxxxx
Options: 85
Session ID: 27421
End USN: 18881686
Status Code: 1722
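The part of a 4933 event worth reading is the Status Code: it is a Win32 error code, and 1722 is RPC_S_SERVER_UNAVAILABLE ("The RPC server is unavailable"), i.e. that one replication attempt could not reach the source DRA. Below is an added example, not from the thread, that pulls recent 4933 events from a DC, decodes the status code with the same table Windows uses, and keeps only the failed attempts so a one-off can be told apart from a pattern. The computer name and time window are parameters; the event data field names are the ones visible in the post.

```powershell
# Added example, not part of the thread: list failed 4933 (replication ended) events with the
# status code decoded, grouped by replication partner. Computer name and window are assumptions.
function Get-ReplicationEndFailure {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $ms = $Hours * 3600000
    $xpath = "*[System[EventID=4933 and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData carries the fields shown in the post as named <Data> nodes
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            $code = [int]$d['StatusCode']
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceDRA     = $d['SourceDRA']
                NamingContext = $d['NamingContext']
                StatusCode    = $code
                # Win32Exception looks the code up in the system message table
                Status        = (New-Object System.ComponentModel.Win32Exception($code)).Message
            }
        } |
        Where-Object { $_.StatusCode -ne 0 }
}

# decode the code from the post without touching any event log
(New-Object System.ComponentModel.Win32Exception(1722)).Message     # The RPC server is unavailable.

Get-ReplicationEndFailure -Hours 24 |
    Group-Object SourceDRA, StatusCode |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

A few 1722s spread across partners and hours are the normal background of a WAN; the same source DRA failing every interval while repadmin /showrepl still reports success for that partner usually means the failing attempts come from a different transport or site link than the one that works.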

What are the drawbacks of having computers in a domain and users/resources in a child domain?


Hi,

we have an Active Directory domain organized like this:
1. DomA with approx. 1500 users, 1000 computers and 120 servers
2. DomB, which is a child domain of DomA, with 500 users, 100 computers and 20 servers.

DomB is a very old domain and in a few months we will migrate every resource (users, computers & servers) from DomB to DomA.

But for now, we want to migrate ONLY the computers from DomB to DomA (when I say migrate, I mean manually changing the domain membership of each computer, as we also have many specific tasks to do on each one).


So my question is:
What are the drawbacks of being in such a situation (with users from DomB logging on from a computer that is a member of DomA and accessing resources on DomA and DomB)?


I don't really think it's a good situation, but I don't have enough arguments to convince my boss ;-)
Many thanks for your help


How to migrate windows 2008 DC to new windows 2012 R2 server


Hello,

I want to upgrade an old Windows 2008 DC to Windows 2012 R2 on another server. I'd like to back up all the DC information (AD, DHCP and DNS) from the old server and put it on the new one, so that the new server becomes the DC. How should I do this?

Regards,

Cypress

Allowing users to manage their Active Directory profile picture?


How can SharePoint be used by employees to upload photos to Active Directory so that they appear in Outlook, Lync, etc.? From my research, only an admin can upload the photo to AD and there is no way for users to update this. Currently, uploading a picture to SharePoint 2010 doesn't update it anywhere else other than SharePoint itself. If SharePoint can't be used for this, is there any other software that can be used?
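The photo Outlook and Lync display comes from the user's thumbnailPhoto attribute, a binary attribute that any tool or script with write access can populate; the "admin only" restriction is just the default ACL. The following is an added example, not from the thread: a function that writes a photo to thumbnailPhoto after checking its pixel size and byte size, plus the dsacls line that lets users write the attribute on their own object so the same function works when run by the user. The size limits, OU and sample account are assumptions.

```powershell
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Drawing
# Added example, not part of the thread: set thumbnailPhoto with size checks. The 96x96 and
# 100 KB limits are assumptions about what the consumers accept; tighten them to local policy.
function Set-UserPhoto {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxPixels = 96,
        [int]$MaxBytes  = 100KB
    )
    if (-not (Test-Path $Path)) { throw "$Path not found" }
    # Check the image really is an image and is not larger than the clients will render
    $img = [System.Drawing.Image]::FromFile($Path)
    try {
        if ($img.Width -gt $MaxPixels -or $img.Height -gt $MaxPixels) {
            throw "$Path is $($img.Width)x$($img.Height); resize to ${MaxPixels}x${MaxPixels} first"
        }
    } finally { $img.Dispose() }

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -gt $MaxBytes) { throw "$Path is $($bytes.Length) bytes; limit is $MaxBytes" }

    Set-ADUser -Identity $SamAccountName -Replace @{ thumbnailPhoto = $bytes }
    return $bytes.Length
}

function Remove-UserPhoto {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -Clear thumbnailPhoto
}

# Self-service: let each user write only thumbnailPhoto on their own user object.
# WP = write property; SELF is evaluated against the object being accessed. OU is an assumption.
#   dsacls "OU=Users,DC=example,DC=local" /I:S /G "NT AUTHORITY\SELF:WP;thumbnailPhoto;user"

Set-UserPhoto -SamAccountName 'jdoe' -Path 'C:\photos\jdoe.jpg'   # assumption: sample account and file
```

After the ACL change a user can run Set-UserPhoto against their own account, or a small web form running under the user's identity can call the same Set-ADUser line. Outlook picks the photo up from the offline address book on its next OAB update, so the change is not visible to other users immediately.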

Windows 10 cannot join domain or access shares - The specified network name is no longer available (System error 64)


Hi All,

I've got a peculiar problem that I cannot seem to understand. I suspect there must be something wrong with our domain configuration, as no Windows 10 machine (upgraded or clean install) is able to join (or re-join) the domain, or access any file shares on any servers. The error message is always the same:

System error 64 has occurred.
The specified network name is no longer available

Checks that I've completed:

  • Windows 7 on the same machine/network OK
  • Windows 10 upgrade is not okay, Windows 10 clean install also unable to join the domain
  • ip, DNS config, DNS suffix OK
  • nslookup domain.local OK
  • nslookup domain controllers OK
  • ping domain OK
  • ping domain controllers OK
  • net use \\DC\Netlogon returns the same error
  • gpupdate returns the same error (see below)
  • No suspicious errors in the event log
  • Raised domain functionality level to Windows Server 2008 R2 
  • IPv6 enabled everywhere
  • DFS is enabled on the DCs
  • UNC hardening turned on/off (RequireMutualAuthentication=0, RequireIntegrity=0), didn't help

We have Windows SBS 2011 and Windows 2008 R2 domain controllers. The servers are hosted with only IPv4 VPN communication enabled, with site-to-site tunneling between the offices. However, nothing has changed in the network infrastructure since we tried upgrading the Windows 7 computers.

The full GPUPDATE error message:

Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{UID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

I found this thread to be quite useful and seemingly people are having the same problem, however it didn't resolve my issue:
https://community.spiceworks.com/topic/1119601-windows-10-group-policy-issue

Some people even hinted that it is a Win10 bug that wasn't yet solved in the Threshold 2 update.

Is there anyone out there who could help me? :)


