Channel: Directory Services forum
Viewing all 31638 articles

Can I delete Everyone's special permissions on specific folders without affecting the OS?...


Due to an audit, we are asked to remove Everyone from share permissions or the security tab of the following folders:

  • C:\Windows\system32\CertSrv\CertEnroll (Everyone has the share permission to read but is not listed with any permission on the security tab of the folder itself).
  • C:\Windows\SYSVOL\sysvol\asociacioncibao.com.do\SCRIPTS (Everyone has the share permission to read but is not listed with any permission on the security tab of the folder itself).
  • C:\Windows\SYSVOL\sysvol (Everyone has the share permission to read but is not listed with any permission on the security tab of the folder itself).
  • C:\Windows\Installer (Everyone is just able to read and list permissions on the security tab of this folder).
  • C:\Windows\system32\spool\drivers (Everyone is just able to read and list permission content on the security tab of this folder).

Can someone explain to me whether the situations above are considered a security risk and whether best practice is to avoid them? Is it safe to delete the permissions mentioned above without causing instability in the OS?

Thanks in advance for your answer! 
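Before changing any of these, it helps to see both layers together, because access over the network is the intersection of the share ACL and the NTFS ACL: an "Everyone: Read" entry on the share with no NTFS entry for Everyone grants nothing by itself. The script below is an added example, not part of the post. It lists every share ACE (not only Everyone's, so you can see what remains once Everyone is removed) and the NTFS ACEs held by Everyone for the five paths in the question. It assumes it runs on the DC itself, on Server 2012 or later (Get-SmbShare), with the ActiveDirectory module available; the domain name in the NETLOGON path is taken from the domain the DC belongs to.

```powershell
# Added example: report share ACEs and Everyone NTFS ACEs for the audited paths.
Import-Module ActiveDirectory   # only used to build the NETLOGON path from the domain name

$domain = (Get-ADDomain).DNSRoot
$paths = @(
    'C:\Windows\system32\CertSrv\CertEnroll',
    "C:\Windows\SYSVOL\sysvol\$domain\SCRIPTS",
    'C:\Windows\SYSVOL\sysvol',
    'C:\Windows\Installer',
    'C:\Windows\system32\spool\drivers'
)

# Resolve the well-known SID S-1-1-0 so the match also works on a non-English OS.
$everyone = (New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')).Translate(
    [System.Security.Principal.NTAccount]).Value

$shares = Get-SmbShare | Where-Object { $_.Path }

function Get-EveryoneExposure {
    foreach ($p in $paths) {
        # Shares whose local path is exactly this folder (SYSVOL, NETLOGON, CertEnroll, print$ ...).
        $matching = $shares | Where-Object { $_.Path.TrimEnd('\') -ieq $p.TrimEnd('\') }

        # All share ACEs, so you can judge what is left after removing the Everyone entry.
        $shareAces = foreach ($s in $matching) {
            Get-SmbShareAccess -Name $s.Name | ForEach-Object {
                '{0}: {1} {2} {3}' -f $s.Name, $_.AccountName, $_.AccessControlType, $_.AccessRight
            }
        }

        # NTFS ACEs for Everyone only, with whether they are inherited from a parent folder.
        $ntfsAces = (Get-Acl -LiteralPath $p).Access |
            Where-Object { $_.IdentityReference.Value -ieq $everyone } |
            ForEach-Object { '{0} {1} (inherited: {2})' -f $_.AccessControlType, $_.FileSystemRights, $_.IsInherited }

        [pscustomobject]@{
            Path             = $p
            ShareACEs        = if ($shareAces) { $shareAces -join '; ' } else { '(not shared)' }
            EveryoneNtfsACEs = if ($ntfsAces)  { $ntfsAces  -join '; ' } else { '(none)' }
        }
    }
}

Get-EveryoneExposure | Format-List
```

Two checks worth doing with that output in hand. For SYSVOL, NETLOGON and CertEnroll, confirm that Authenticated Users (or Domain Computers) still has read on the share before removing Everyone: Group Policy processing reads SYSVOL and NETLOGON as the computer account, and certificate enrollment clients read CertEnroll. For the NTFS entries on C:\Windows\Installer and spool\drivers, compare against a freshly built server of the same version rather than against memory of the defaults; inherited entries there usually come from the parent, and editing them changes more than the one folder.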


Error PXE53: No boot filename received ?

Error PXE53: No boot filename received when booting the system from the network for installation through WDS.

RODC krbtgt deleted


Hello,

User management in my company deleted the krbtgt accounts for the RODCs.

We don't have the Recycle Bin implemented and I would like to avoid an authoritative restore.

I restored the krbtgt accounts using tombstone reanimation (the adrestore utility), but that does not work either, probably because the password is not kept when an object is deleted.

Is there a way to recreate the RODC krbtgt account?

Thank you for your advice.
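Each RODC has its own krbtgt_NNNNN account; the RODC's computer object points at it through the msDS-KrbTgtLink attribute, and the account carries the back-link msDS-KrbTgtLinkBl. The password of that account is the key the RODC uses for the tickets it issues, which is why a reanimated object (new password, same name) does not put the RODC back to work. The account is created when the RODC is promoted, so re-promoting the RODC is the way a new one comes into existence. The script below is an added example, not from the post: it reports, for every RODC, whether its linked krbtgt account still exists, and lists tombstones of deleted krbtgt_* accounts so you can see when each one went. It assumes the ActiveDirectory module and a writable DC to query.

```powershell
# Added example: state of each RODC's krbtgt link plus tombstones of deleted RODC krbtgt accounts.
Import-Module ActiveDirectory

function Get-RodcKrbtgtState {
    param([string]$Server = (Get-ADDomain).PDCEmulator)   # ask a writable DC
    foreach ($rodc in Get-ADDomainController -Server $Server -Filter { IsReadOnly -eq $true }) {
        $comp   = Get-ADComputer -Server $Server -Identity $rodc.ComputerObjectDN -Properties 'msDS-KrbTgtLink'
        $linkDn = $comp.'msDS-KrbTgtLink'
        $state  = 'MISSING (link empty)'
        $acct   = $null
        if ($linkDn) {
            try {
                $acct  = Get-ADObject -Server $Server -Identity $linkDn -Properties whenCreated, pwdLastSet
                $state = 'present'
            } catch {
                $state = 'MISSING (link points at an object that cannot be read)'
            }
        }
        [pscustomobject]@{
            RODC       = $rodc.HostName
            KrbtgtLink = if ($linkDn) { $linkDn } else { '(empty)' }
            State      = $state
            Created    = if ($acct) { $acct.whenCreated } else { $null }
            PwdLastSet = if ($acct) { [DateTime]::FromFileTime($acct.pwdLastSet) } else { $null }
        }
    }
}

function Get-DeletedRodcKrbtgt {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    # sAMAccountName survives on tombstones; whenChanged on a tombstone is the deletion time.
    Get-ADObject -Server $Server -IncludeDeletedObjects `
        -LDAPFilter '(&(isDeleted=TRUE)(sAMAccountName=krbtgt_*))' `
        -Properties sAMAccountName, whenChanged, lastKnownParent |
        Select-Object sAMAccountName, whenChanged, lastKnownParent
}

Get-RodcKrbtgtState | Format-Table -AutoSize
Get-DeletedRodcKrbtgt | Format-Table -AutoSize
```

If an RODC shows an empty link but no tombstone for its name, the tombstone lifetime has already passed and nothing is left to reanimate; either way the RODC needs a fresh krbtgt account, which only a demotion and re-promotion produces.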

delegation to change phone numbers


Hi, we have delegated to our telecom group the ability to change users' phone numbers in AD. They are able to change the phone number but not the mobile number.

Any suggestions?

thx,

jason

How to allow clients from one domain in the forest find available domain controllers from another domain?


Hello!

We have two domains in the forest - domain1 and domain2.

Domain2 has several sites and domain controllers in those sites. Some controllers of Domain2 are not available to clients from Domain1 because they are behind a firewall. In Domain2 there is a site, CentralHUB, with controllers that are available to all.

When clients in Domain1 try to authenticate to Domain2 they randomly connect to different controllers of Domain2. Sometimes these attempts fail with an error because they connect to unavailable controllers.

The subnet of the clients in Domain1 is linked to Site1 in Domain1, therefore I cannot link this subnet to another site of another domain (CentralHUB).

How can I make clients from Domain1 connect only to the available controllers of Domain2 in site CentralHUB?

Thank you for any help!
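One thing to keep in mind: sites and subnets live in the Configuration partition and are shared by every domain in the forest, so Site1 is not "a Domain1 site". What decides which Domain2 DC a Site1 client gets is which Domain2 DCs register site-specific SRV records for Site1. Since Domain2 has no DC in that site, automatic site coverage picks the Domain2 DCs in the site with the lowest site-link cost to Site1, and a firewall is invisible to that calculation. The block below is an added example, not from the post. Step 1 shows which Domain2 DCs currently cover Site1, step 2 shows what the locator hands a Site1 client, and step 3 pins coverage to the CentralHUB DCs via the Netlogon SiteCoverage and AutoSiteCoverage parameters (the same settings are exposed as Group Policy under Computer Configuration > Administrative Templates > System > Net Logon > DC Locator DNS Records, as "Sites covered by the domain controller locator DNS SRV records" and "Automated site coverage by the DC Locator DNS SRV Records"). The DNS name domain2.example, the site names, and the DC host names are placeholders.

```powershell
# Added example: see who covers Site1 for Domain2, then pin coverage to the hub DCs.
$domain2    = 'domain2.example'        # placeholder for Domain2's DNS name
$clientSite = 'Site1'                  # placeholder for the Domain1 clients' site
$hubDCs     = 'hub-dc1.domain2.example', 'hub-dc2.domain2.example'   # placeholders
$firewalled = 'branch-dc1.domain2.example'                           # placeholder

# 1. Domain2 DCs that currently advertise themselves for Site1.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$clientSite._sites.dc._msdcs.$domain2" |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# 2. What the DC locator returns for a client in that site.
nltest /dsgetdc:$domain2 /site:$clientSite

# 3. Explicit coverage: hub DCs add Site1 to SiteCoverage, firewalled DCs stop volunteering.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

Invoke-Command -ComputerName $hubDCs -ArgumentList $netlogon, $clientSite -ScriptBlock {
    param($key, $site)
    $current = @((Get-ItemProperty -Path $key -Name SiteCoverage -ErrorAction SilentlyContinue).SiteCoverage |
        Where-Object { $_ })
    if ($current -notcontains $site) {
        Set-ItemProperty -Path $key -Name SiteCoverage -Value ($current + $site) -Type MultiString
    }
    Restart-Service Netlogon   # re-registers the DC's DNS records with the new coverage
}

Invoke-Command -ComputerName $firewalled -ArgumentList $netlogon -ScriptBlock {
    param($key)
    Set-ItemProperty -Path $key -Name AutoSiteCoverage -Value 0 -Type DWord
    Restart-Service Netlogon
}
```

Re-run step 1 after the DNS records have refreshed; only the hub DCs should remain under the Site1 SRV name. If the firewalled DCs keep appearing, their records are still within their scavenging window or a GPO is overriding the registry values.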

Server 2012 R2 CALS

I have a single copy of 2012 R2 which includes 5 user CALs.

If I purchase another copy does my CAL limit increase to 10?

SYSVOL folder is empty

Hello, I have a problem with the SYSVOL folder on a 2012 DC. I had a Windows Server 2003 DC and I installed a new Windows Server 2012 DC and transferred the FSMO roles and everything to the new 2012 DC. The 2003 DC suddenly died, maybe before replicating the SYSVOL folder.

Now I have an empty SYSVOL folder and every time I open Group Policy Management I get the message: "The system can't find the file specified".

When I run dcdiag /q, I get the following:

Unable to connect to the NETLOGON share! (\\DC\netlogon)
         [DC] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DC failed test NetLogons
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   12:15:29
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   12:20:30
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   12:25:30
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   12:30:31
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   12:35:32
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   12:40:32
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   12:45:33
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   12:50:33
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   12:55:34
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   13:00:35
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 05/31/2016   13:05:23
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
         An error event occurred.  EventID: 0xC0001B63
            Time Generated: 05/31/2016   13:05:53
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ScDeviceEnum service.
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 05/31/2016   13:05:53
            Event String:
            The Smart Card Device Enumeration Service service failed to start due to the following error:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   13:05:53
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/31/2016   13:10:54
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\orkilang.local\sysvol\orkilang.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         ......................... DC failed test SystemLog

Can anyone help me as I'm out of ideas on how to fix it.
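The gpt.ini that Group Policy cannot read belongs to the Default Domain Policy (that GUID is fixed), and the NetLogons failure says the NETLOGON share does not exist, which Netlogon only creates once SYSVOL reports ready. Before deciding between restoring from a backup and rebuilding, it is worth separating "SYSVOL content never arrived" from "content is there but the share was never published". The block below is an added example, not from the post; it gathers the handful of facts that decide that, assuming it runs on the 2012 DC with the ActiveDirectory module loaded.

```powershell
# Added example: one-shot state of SYSVOL on this DC.
Import-Module ActiveDirectory

function Get-SysvolState {
    $netlogon   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params     = Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue
    $sysvolPath = $params.SysVol                       # local path Netlogon shares as SYSVOL
    $domain     = (Get-ADDomain).DNSRoot
    $policies   = Join-Path $sysvolPath "$domain\Policies"
    $defaultDomainPolicy = Join-Path $policies '{31B2F340-016D-11D2-945F-00C04FB984F9}'

    [pscustomobject]@{
        SysvolPath          = $sysvolPath
        SysvolReady         = $params.SysvolReady      # 1 = Netlogon has been told SYSVOL is usable
        SysvolShare         = [bool](Get-SmbShare -Name SYSVOL   -ErrorAction SilentlyContinue)
        NetlogonShare       = [bool](Get-SmbShare -Name NETLOGON -ErrorAction SilentlyContinue)
        PolicyFolderCount   = @(Get-ChildItem -Path $policies -Directory -ErrorAction SilentlyContinue).Count
        DefaultDomainPolicy = Test-Path -LiteralPath $defaultDomainPolicy
        GpoObjectsInAD      = @(Get-GPO -All).Count      # what AD thinks exists, to compare with the folders
        DfsrMigrationState  = (dfsrmig /getglobalstate 2>&1 | Out-String).Trim()
        FrsService          = (Get-Service NtFrs -ErrorAction SilentlyContinue).Status
        DfsrService         = (Get-Service DFSR  -ErrorAction SilentlyContinue).Status
    }
}

Get-SysvolState | Format-List
```

If PolicyFolderCount is zero while GpoObjectsInAD is not, the GPO objects exist in AD but their files never replicated from the 2003 DC, and with that DC gone the only sources are a backup of its SYSVOL or a rebuild. dcgpofix recreates only the Default Domain Policy and Default Domain Controllers Policy; any other GPO has to be recreated by hand or restored from a GPMC backup. For an FRS-replicated SYSVOL, making a DC authoritative is the BurFlags D4 procedure on the NtFrs service; for DFSR it is the msDFSR-Options setting on the DC's SYSVOL subscription object. The DfsrMigrationState line tells you which engine this domain is using.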

Delegation of Control for a group to update just phone numbers of user objects.

We have a need to have a security group just have the ability to update phone numbers of users. Is this possible using the Delegate Control wizard, and if so, which attribute am I looking for?
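The same question comes up twice on this page (the telecom group above that can change the phone number but not the mobile, and this one), so one added example serves both; it is not code from either post. The point both run into is that "phone numbers" are several independent attributes on the user class: telephoneNumber, mobile, homePhone, ipPhone, pager and facsimileTelephoneNumber each have their own schemaIDGUID, and an object-specific ACE grants write on exactly one of them unless you grant a whole property set. The function below grants a group WriteProperty on each listed attribute, inherited to user objects under an OU and nothing else, and the second function shows what the OU's ACL now holds for that group. The OU DN and group name in the usage lines are placeholders; it assumes the ActiveDirectory module (for the AD: drive).

```powershell
# Added example: per-attribute WriteProperty delegation for phone fields, limited to user objects.
Import-Module ActiveDirectory

function Grant-PhoneAttributeWrite {
    param(
        [Parameter(Mandatory)][string]$TargetOU,
        [Parameter(Mandatory)][string]$GroupName,
        [string[]]$Attributes = @('telephoneNumber', 'mobile', 'homePhone', 'ipPhone', 'pager', 'facsimileTelephoneNumber')
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $sid      = (Get-ADGroup -Identity $GroupName).SID

    # Object-specific ACEs are keyed on schemaIDGUID, not on the lDAPDisplayName.
    function Get-SchemaGuid([string]$ldapDisplayName, [string]$objectClass) {
        $o = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
            -LDAPFilter "(&(objectClass=$objectClass)(lDAPDisplayName=$ldapDisplayName))"
        if (-not $o) { throw "$ldapDisplayName not found in the schema" }
        [guid]$o.schemaIDGUID
    }
    $userClassGuid = Get-SchemaGuid 'user' 'classSchema'

    $acl = Get-Acl -Path "AD:\$TargetOU"
    foreach ($attr in $Attributes) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaGuid $attr 'attributeSchema'),                            # which attribute
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClassGuid)                                                       # only on user objects
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
}

function Get-PhoneAttributeGrants([string]$TargetOU, [string]$GroupName) {
    (Get-Acl -Path "AD:\$TargetOU").Access |
        Where-Object {
            $_.IdentityReference -like "*\$GroupName" -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Placeholders: replace with the real OU and group.
Grant-PhoneAttributeWrite -TargetOU 'OU=Staff,DC=example,DC=com' -GroupName 'Telecom'
Get-PhoneAttributeGrants  -TargetOU 'OU=Staff,DC=example,DC=com' -GroupName 'Telecom'
```

ObjectType in the verification output is the attribute GUID; an all-zero GUID there would mean the group has write on every property, which is the over-grant the wizard's broader options produce. For the telecom case, adding 'mobile' to the list (or only 'mobile', if telephoneNumber already works) is the whole fix.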

Upgrade/Migrate AD 2003R2 to 2012R2 with active trust


Hi,

I'm sure this was and will be pretty straight forward but I need some clarification for myself:

Planning to upgrade an existing AD based on Server 2003 R2 (3 DCs) with the domain and forest at the 2003 functional level. The plan would be:

Demote, unjoin and uninstall the first DC. Install and promote a new DC with the same name and IP address as the old one. Then do the same for the second one. The third one will be completely decommissioned and not renewed. Any recommendations?

I'm a bit lost on the active transitive trust part. The remote domain (with which the trust is established) is also at the 2003 level (domain and forest). I have checked the compatibility of a trust between 2003 and 2012 R2, but do I need to consider anything else related to the trust? I shouldn't lose any group memberships, connections etc., right? By the way, an update of the remote forest/domain will not be done until next year.

Thank you!

All the best

Tim


Thanks, regards, tim

Active Directory schannel error


Hi,

I have a Cisco ASA firewall which is attempting to authenticate users for remote VPN access. If I bind to my Active Directory 2012 R2 server over LDAP the authentication works fine. If I attempt to bind over LDAPS (TCP 636 or TCP 3269), I keep getting the following error in my event viewer:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

I have found multiple articles trying to explain what this error means and from what I can gather it looks like there's a handshake failure occurring (fatal error code 40).

I would like to know the following:

  1. If this is a handshake failure, how do I enable verbose logging so that I can see what cipher-suite and protocol the Cisco ASA is attempting to use?
  2. If it is possible to enable verbose logging, where would I find this log file/event so that I can do some further research.
  3. Where can I find a list of all the Windows SChannel error state codes and their descriptions/meanings?
  4. Have there been any KB's released in the last 2 years which potentially limit the cipher-suites and/or protocols available for a client to use when attempting to connect to AD?

Thanks for your assistance!

Nolan
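Alert 40 (handshake_failure) in TLS means the two sides found no acceptable set of parameters, most often no protocol version or cipher suite in common, or a client that only offers SSLv3. Whether that is the case here shows up on the server side once Schannel logging is raised above its default of errors only. The block below is an added example, not from the post: it turns on full Schannel event logging on the DC (the EventLogging value is a bitmask, 1 = errors, 2 = warnings, 4 = informational; 7 logs everything, and the change takes effect after a restart), then dumps the protocol switches and the cipher-suite list the server offers, so the ASA's ClientHello can be compared against it. It assumes Server 2012 R2 or later (Get-TlsCipherSuite) and an elevated prompt on the DC.

```powershell
# Added example: Schannel verbose logging plus a dump of what this DC will negotiate.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. Log everything Schannel does. Events appear in the System log under source "Schannel";
#    36887/36888 are the alert received/sent events, 36874 is "no cipher suite in common".
Set-ItemProperty -Path $schannel -Name EventLogging -Value 7 -Type DWord

# 2. Protocol switches. An absent value means the OS default for that version applies.
function Get-SchannelProtocolState {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $schannel "Protocols\$p\Server"
        $v   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            Enabled           = if ($null -ne $v.Enabled)           { $v.Enabled }           else { '(OS default)' }
            DisabledByDefault = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { '(OS default)' }
        }
    }
}

# 3. Cipher suites in the order the server will prefer them.
function Get-SchannelCipherSuites {
    Get-TlsCipherSuite | Select-Object Name, Protocols, Cipher, Hash, Exchange
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-SchannelCipherSuites  | Format-Table -AutoSize

# 4. After a restart and a failed ASA bind: pull the Schannel events from the last hour.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = (Get-Date).AddHours(-1) } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Read step 2 together with step 3: a suite in the list is only offered for the protocol versions that are enabled, and a client restricted to TLS 1.0 with SHA-1 suites will get alert 40 from a DC where those are switched off, even though both ends are "working fine" elsewhere.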

Denying logon to users - Automated and error-free ways


I have several AD accounts with "generic" names (instead of "mark", "david" or "anna", using "librarian", "consultant", "engineer" and so on).

The accounts MUST exist but with NO logon rights: no local logon, no VPN, just an existing user, a "placeholder".

The procedure has to be as error-free as possible.

Approach #1:

All "generic" users belong to a global group and, using a GPO, the global group will have the "deny logon locally" right. This approach has the disadvantage of being subject to errors if, for any reason, the "generic" user has been (accidentally) removed from the group.

Are there other approaches?

Using the "logon hours" AD attribute, effectively denying all logon hours? (It's hard to automate in scripts, I think.)

Using the "log on to" AD attribute: as far as I know it is only effective if the client machine is using NetBIOS logon, so maybe it will not be the best option.

Any other idea?

The goal here is to configure Google sync with AD, and I'm researching whether the "contact" AD object could be used.
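The logon-hours approach is easier to automate than it looks: logonHours is a 21-byte attribute, one bit per hour of the week in UTC, and an all-zero mask is checked by the DC itself for every authentication of that account, so there is no group membership to drift and nothing client-side to depend on. The block below is an added example, not from the post. It applies the deny-all mask to every account matching a filter and, separately, reports drift (accounts in scope whose mask is missing or has any hour allowed) so the second function can run on a schedule. The filter uses an employeeType value of "placeholder" as the marker for these accounts; that is an assumption, and any attribute or OU that identifies them works the same. Disabling the account is the simpler way to get "exists but cannot log on", if whatever consumes the accounts (the Google sync here) tolerates disabled objects.

```powershell
# Added example: deny every logon hour on placeholder accounts, and detect drift.
Import-Module ActiveDirectory

# 21 bytes x 8 bits = 168 hours; a zero bit means logon is denied in that hour.
$neverHours = New-Object byte[] 21

function Test-LogonDenied([byte[]]$Mask) {
    # Missing attribute means "always allowed"; any non-zero byte means some hour is open.
    if (-not $Mask) { return $false }
    return (@($Mask | Where-Object { $_ -ne 0 }).Count -eq 0)
}

function Set-NoLogonHours {
    param([string]$Filter = 'employeeType -eq "placeholder"')   # assumed marker for placeholder accounts
    foreach ($u in Get-ADUser -Filter $Filter -Properties logonHours) {
        $alreadyDenied = Test-LogonDenied $u.logonHours
        if (-not $alreadyDenied) {
            Set-ADUser -Identity $u -Replace @{ logonHours = $neverHours }
        }
        [pscustomobject]@{ User = $u.SamAccountName; Changed = -not $alreadyDenied }
    }
}

function Get-LogonHoursDrift {
    param([string]$Filter = 'employeeType -eq "placeholder"')
    Get-ADUser -Filter $Filter -Properties logonHours |
        Where-Object { -not (Test-LogonDenied $_.logonHours) } |
        Select-Object SamAccountName, DistinguishedName
}

Set-NoLogonHours      | Format-Table -AutoSize
Get-LogonHoursDrift   | Format-Table -AutoSize   # empty output means every placeholder is locked down
```

One caveat a practitioner would want: logon hours are enforced at authentication time, so a ticket or session already issued is not cut off by the change until it is renewed; for accounts that are only placeholders that never matters, but check the drift report once after the first run rather than assuming it.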

2010 renaming custom forms

In custom form manager it allows me to rename the form under 'properties'. However, the next time I update the form (publish) the name of the custom form reverts back to the old name.  Is there a way to prevent the old name from coming back?  Is there another place it needs to be deleted?

Windows 10 Lock Screen GPO in a Windows 2008 R2 Domain


I've created a "Windows 10 Lock Screen" GPO using the Windows 10 Templates on my local Windows 10 PC.  I then attached the GPO to the Computer OU in my domain.  However, we don't have any Windows 2012 AD servers in the domain and the domain level is currently a Windows 2008 R2 Domain.  When I do a GPUPDATE /Force on my other Windows 10 PC, I'm not prompted to log off and when I run the command:

gpresult /Scope Computer /v

on my other PC, it shows that the "Windows 10 Lock Screen" GPO is applied:

*******************************************************************************

 GPO: Set - Windows 10 Lock Screen
                Folder Id: Software\Policies\Microsoft\Windows\Personalization\LockScreenImage
                Value:       67, 0, 58, 0, 92, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 92, 0, 87, 0, 101, 0, 98, 0, 92, 0, 83, 0, 99, 0, 114, 0, 101, 0, 101, 0, 110, 0, 92, 0, 77, 0, 66, 0, 67, 0, 87, 0, 97, 0, 114, 0, 110, 0, 105, 0, 110, 0, 103, 0, 46, 0, 106, 0, 112, 0, 103, 0, 0, 0
                State:       Enabled

*******************************************************************************

, yet when I open my local Group Policy Editor, the settings for the "Force a specific default lock screen image" and "Prevent changing lock screen image" are shown as not configured.

This is the Domain GPO Policy as shown on my Windows 10 PC.

***************************************************************

Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local computer.
Control Panel/Personalization
PolicySettingComment
Force a specific default lock screen imageEnabled
Path to lock screen image:C:\Windows\Web\Screen\Warning.jpg
Turn off fun facts, tips, tricks, and more on lock screenEnabled
PolicySettingComment
Prevent changing lock screen imageEnabled

***************************************************************
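Two things about that output are easy to misread. gpedit.msc on the client shows the Local Computer Policy only; domain GPOs never appear there, so "Not Configured" in that console is expected even when the setting is applied. And the "Value:" line gpresult /v prints is the REG_SZ data as raw UTF-16LE bytes (two per character, terminated by 0,0), so it can be decoded to see exactly which path was written. The block below is an added example, not from the post. The first function decodes a gpresult byte list (the bytes fed to it are the ones from the output above); the second reads the Personalization policy key that Windows actually honours on the client and checks that the image file it points at exists there. It assumes it runs on the Windows 10 PC in question.

```powershell
# Added example: decode gpresult's byte dump and verify the applied lock-screen policy on a client.
function ConvertFrom-GpresultBytes {
    param([Parameter(Mandatory)][int[]]$Bytes)
    # gpresult /v shows REG_SZ data as UTF-16LE bytes; strip the terminating NUL.
    $text = [System.Text.Encoding]::Unicode.GetString([byte[]]$Bytes)
    return $text.TrimEnd([char]0)
}

function Get-AppliedLockScreenPolicy {
    # ADMX-backed values for "Force a specific default lock screen image" and
    # "Prevent changing lock screen image" land under the Policies hive on the client.
    $key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
    $applied = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $image   = $applied.LockScreenImage
    [pscustomobject]@{
        PolicyKeyPresent     = [bool]$applied
        LockScreenImage      = $image
        ImageFileExists      = if ($image) { Test-Path -LiteralPath $image } else { $false }
        NoChangingLockScreen = $applied.NoChangingLockScreen
        OSEdition            = (Get-CimInstance Win32_OperatingSystem).Caption
    }
}

# Bytes copied from the gpresult output in the post above.
$fromGpresult = 67,0,58,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,87,0,101,0,98,0,92,0,83,0,99,0,114,0,101,0,101,0,110,0,92,0,77,0,66,0,67,0,87,0,97,0,114,0,110,0,105,0,110,0,103,0,46,0,106,0,112,0,103,0,0,0
ConvertFrom-GpresultBytes -Bytes $fromGpresult

Get-AppliedLockScreenPolicy | Format-List
```

Compare the decoded path with the one in the GPO report and with ImageFileExists: a policy that points at a file the client does not have applies cleanly and still shows the default lock screen. OSEdition is there because, on current Windows 10 builds, the forced lock screen image setting is documented as honoured on Enterprise and Education editions, so a Pro client will report the value present yet ignore it.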

Powershell script for creating new custom Active Directory Attributes


Hi all

I have Active Directory 2012 and I want to be able to create a PowerShell script that can create a totally new custom attribute in Active Directory. The script must then be able to enable this new attribute for all OUs in the domain and for all groups in AD.

Does anyone know how to do this with only PowerShell commands?

I can find many guides for the GUI, but not for PowerShell only.

I hope someone can help with this. Thanks...
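Attributes are not enabled per OU or per group: once an attribute is added to the mayContain list of the organizationalUnit and group classes, every instance of those classes can carry it. So the whole job is three schema operations: create the attributeSchema object on the schema master, reload the schema cache, and add the attribute to each class. The block below is an added example, not from the post, and does exactly that with the AD module plus one ADSI call. It needs Schema Admins membership. The attribute name, OID and description are placeholders: the OID must come from an arc you own (the 1.2.840.113556.1.8000.2554.* prefix is what Microsoft's oidgen script hands out for private schema extensions), and schema additions are permanent (an attribute can be made defunct, never deleted), which is why the script refuses to proceed if the name is already taken.

```powershell
# Added example: create a custom attribute and attach it to the OU and group classes.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$attrName     = 'contosoCostCenter'   # placeholder lDAPDisplayName, also used as the object's CN

function New-CustomSchemaAttribute {
    param([string]$Name, [string]$Oid, [string]$Description, [string[]]$Classes)

    if (Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Name)") {
        throw "$Name already exists in the schema; schema changes cannot be undone, so stopping here"
    }

    $definition = @{
        lDAPDisplayName  = $Name
        attributeID      = $Oid          # must be an OID from your own arc
        attributeSyntax  = '2.5.5.12'    # Unicode string
        oMSyntax         = 64            # the OM syntax that pairs with 2.5.5.12
        isSingleValued   = $true
        searchFlags      = 1             # index it so LDAP filters on the attribute are cheap
        adminDescription = $Description
    }
    New-ADObject -Server $schemaMaster -Path $schemaNC -Name $Name -Type attributeSchema -OtherAttributes $definition

    # Reload the schema cache so mayContain can reference the new attribute immediately.
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()

    foreach ($className in $Classes) {
        $class = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$className))"
        Set-ADObject -Server $schemaMaster -Identity $class -Add @{ mayContain = $Name }
    }
}

New-CustomSchemaAttribute -Name $attrName `
    -Oid '1.2.840.113556.1.8000.2554.99999.1' `
    -Description 'Cost center code (placeholder description)' `
    -Classes 'organizationalUnit', 'group'

# Proof it is usable on a group and an OU once the change has replicated (placeholder identities).
# Set-ADGroup  -Identity 'Finance'                    -Replace @{ contosoCostCenter = 'CC-100' }
# Set-ADObject -Identity 'OU=Finance,DC=example,DC=com' -Replace @{ contosoCostCenter = 'CC-100' }
```

Two follow-ups a practitioner would check: the attribute replicates to global catalog servers only if isMemberOfPartialAttributeSet is also set on it, and the Set-AD* calls at the end fail with "unknown attribute" on any DC that has not yet received the schema change, which is normal for the first replication cycle.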

Demoting domain controller with active application installed


Hi,

Unfortunately I have to deal with three domain controllers (Server 2003 R2, FL and DL at 2003) which were used for everything. After about 25 migration tasks, DC #1 and #2 are "free". The third one is "hosting" the most important application of the whole company... pretty cool, I know. 12 years old, compatible with nothing. As you can guess, it will need a few months (hopefully) to migrate this application. I don't want to wait that long to go further with the domain migration and update tasks I have in the pipeline. So my plan would be to demote DC #3 with the application running on it and let it run as a member server as long as it is needed. That way I can update the domain to 2012 R2 and move on.

I don't want any approval from any of you (I know it's already bad enough). I would like to hear your experience with demoting a domain controller which is hosting another application. Did it work? Any recommendations? Anything?

The application is a "file-based" database, with ODBC connections to Oracle and SQL databases (hosted on other systems).

I appreciate any help! Thank you guys!


Thanks, regards, tim


how many ADFS instances are needed?


We already have an ADFS instance setup for our Office 365 implementation and have just purchased another company. As a temporary step before a merge of their accounts into our AD we want to setup ADFS.

I need to know if there would be any conflict between creating a new ADFS cluster for the temporary B2B setup and our current ADFS O365 implementation. The merger politics are still being worked out, so all I am sure of is that I need access between our 2 companies on 7/1; will ADFS work for me? Is it my best choice?

Thanks for the help.

Leednc

Account locked out


Hello all,

We are getting a few issues in our environment where user accounts are getting locked out due to bad passwords.

When we trace the location, it shows the ADFS server, to which I am sure no user has access.

When we check the logs on the ADFS server there is nothing related to event ID 4740.

Please suggest how to proceed on this.

Aamir


NA
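Event 4740 is written where the lockout is decided, which is the PDC emulator (every DC forwards bad-password counts there), not on the computer named in the event. The "Caller Computer Name" field pointing at the ADFS server means the ADFS server submitted the failing credentials: it validates passwords on behalf of remote clients (a mobile device or mail client with a stale password, a browser session, a WAP proxy in front of it), so nobody has to be logged on to it. What to look for on the ADFS server is therefore the authentication it performed, not a 4740. The block below is an added example, not from the post: it pulls the 4740s for an account from the PDCe, then on each caller named in them collects the 4625/4776 failures from the Security log and, for AD FS on 2012 R2, event 411 (token validation failed) from the AD FS/Admin log, which carries the user name and the client that hit the farm. The account name in the usage line is a placeholder; it assumes the ActiveDirectory module and remote event-log access to the DCs and the ADFS server.

```powershell
# Added example: walk a lockout from the PDCe back to the failed authentications on the caller.
Import-Module ActiveDirectory

function Get-LockoutTrail {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $pdc   = (Get-ADDomain).PDCEmulator

    $lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
        Where-Object { $_.Properties[0].Value -ieq $SamAccountName }   # TargetUserName

    foreach ($e in $lockouts) {
        $caller  = $e.Properties[1].Value      # 4740 stores "Caller Computer Name" in this slot
        $pattern = [regex]::Escape($SamAccountName)

        $security = Get-WinEvent -ComputerName $caller -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4776; StartTime = $since } |
            Where-Object { $_.Message -match $pattern }

        $adfs = Get-WinEvent -ComputerName $caller -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 411; StartTime = $since } |
            Where-Object { $_.Message -match $pattern }

        $first = @($security) + @($adfs) | Sort-Object TimeCreated | Select-Object -First 1
        [pscustomobject]@{
            LockedAt          = $e.TimeCreated
            Caller            = $caller
            SecurityFailures  = @($security).Count
            AdfsTokenFailures = @($adfs).Count
            FirstFailureAt    = if ($first) { $first.TimeCreated } else { $null }
            FirstFailureText  = if ($first) { ($first.Message -split "`n")[0] } else { '(nothing found on caller)' }
        }
    }
}

Get-LockoutTrail -SamAccountName 'jdoe' -Hours 24 | Format-List   # placeholder account
```

If the 411 events are the ones that line up with the lockout times, their message body names the client IP or the relying party, which is the device or application holding the old password; if only 4776 shows up, the caller is doing NTLM validation for something in front of it and the same search has to be repeated one hop further out.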

Script list Windows Desktops and Internet Explorer

Hello, I need a PowerShell script which generates a report of all domain computers, giving the version of Windows and Internet Explorer installed.

Can someone help me ?

Thank you !


Ivanildo Teixeira Galvão
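Not part of the post, but the kind of script being asked for: it takes the OS version AD already records for every computer object, then, for the machines that answer WinRM, reads the real OS caption and the Internet Explorer version from the registry and writes everything to a CSV. The IE detail that trips up most inventories is that from IE 10 on, the "Version" value stays at 9.x and the actual version is in "svcVersion", so the script prefers the latter. It assumes the ActiveDirectory module, WinRM enabled on the clients, and an account with read access to their registry; unreachable hosts still appear in the report with the AD-recorded OS.

```powershell
# Added example: domain-wide Windows and Internet Explorer version inventory to CSV.
Import-Module ActiveDirectory

function Get-DomainIeInventory {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$OutFile    = '.\ie-inventory.csv'
    )
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Where-Object { $_.DNSHostName }

    # Runs on each client; Get-WmiObject works on Windows 7 era hosts as well as current ones.
    $remote = {
        $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
        $os = Get-WmiObject Win32_OperatingSystem
        [pscustomobject]@{
            OSCaption = $os.Caption
            OSVersion = $os.Version
            IEVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }   # svcVersion is real for IE 10+
        }
    }

    $live = Invoke-Command -ComputerName $computers.DNSHostName -ScriptBlock $remote `
        -ThrottleLimit 32 -ErrorAction SilentlyContinue
    $byHost = @{}
    foreach ($r in $live) { $byHost[$r.PSComputerName.ToLower()] = $r }

    $report = foreach ($c in $computers) {
        $r = $byHost[$c.DNSHostName.ToLower()]
        [pscustomobject]@{
            Name              = $c.Name
            ADOperatingSystem = $c.OperatingSystem
            ADOSVersion       = $c.OperatingSystemVersion
            LastLogonDate     = $c.LastLogonDate
            Reachable         = [bool]$r
            OSCaption         = if ($r) { $r.OSCaption } else { $null }
            OSVersion         = if ($r) { $r.OSVersion } else { $null }
            IEVersion         = if ($r) { $r.IEVersion } else { $null }
        }
    }
    $report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    return $report
}

Get-DomainIeInventory | Sort-Object Reachable, IEVersion | Format-Table -AutoSize
```

LastLogonDate is included so stale computer objects (the ones that never become Reachable) can be told apart from machines that were simply off when the script ran.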

ntdsutil authoritative restore when distinguishedName has quotes (windows server 2008 R2)


Hi,

I want to restore one AD object from backup using ntdsutil (I accidentally deleted it).

My issue is that my distinguishedName for that object has quotes in the name (CN=ABC,OU=Test "Special" Objects,DC=test,DC=local)

I tried:

ntdsutil "Activate Instance NTDS" "authoritative restore" "restore object \"CN=ABC,OU=Test "Special" Objects,DC=test,DC=local\""

or

ntdsutil "Activate Instance NTDS" "authoritative restore" "restore object \"CN=ABC,OU=Test \"Special\" Objects,DC=test,DC=local\""

or

ntdsutil "Activate Instance NTDS" "authoritative restore" "restore object \"CN=ABC,OU=Test \`"Special\`" Objects,DC=test,DC=local\""

Nothing helped... the path is not recognized by ntdsutil.

Any idea how to restore my object, which was stored inside an OU named with quotes?

Thanks,



LDAPS can't connect, except it can.

Server 2012 R2 AD and certificate authority.

I have an internal certificate authority, and each of my domain controllers has a certificate from the 'Domain Controller' template.

I have HP iLO, and it's configured to authenticate against the domain using TCP 636. This works fine, and has worked fine for years. If I remove the certificate from one of the domain controllers, let's call it DC.domain.com, iLO authentication ceases to work against that domain controller, which I think means iLO has actually been using LDAPS successfully, and not secretly falling back to LDAP 389 this whole time.

But even with the certificate installed on dc.domain.com, I can't connect to it using the LDP tool on port 686 with the SSL box checked. I also can't telnet to dc.domain.com on port 686 (I can on 389). I also have a couple of other non-Windows systems that are failing to connect using LDAPS.

I have searched the web today for LDAPS steps, and I've even created a new "LDAPS" certificate template from a clone of the Kerberos Authentication template, requested a new certificate from that template, and imported that certificate into the NTDS service account store on dc.domain.com. The behavior remains the same: iLO can connect and authenticate with LDAPS, but nothing else can.

What am I missing? Is the LDP tool supposed to be able to connect with SSL?

ld = ldap_sslinit("dc.domain.com", 686, 1);

Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);

Error 81 = ldap_connect(hLdap, NULL);

Server error: <empty>

Error <0x51>: Fail to connect to dc.domain.com.
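The first thing to check from that output is the port: LDAPS listens on 636 for the domain and 3269 for the global catalog, and nothing listens on 686, so ldap_sslinit to 686 fails at the TCP connect (error 81, server down) before any TLS happens, which also explains the telnet result. The iLO configuration uses 636 and works. For the non-Windows systems that fail on the right port, the useful test is a raw TLS handshake from a client outside the LDAP tooling, to see what the DC presents. The block below is an added example, not from the post: it opens a TCP connection to each LDAPS port, completes the handshake with SslStream, and reports the negotiated protocol and cipher, the certificate's subject, issuer, expiry and subject alternative names, and whether the chain validates from this client's trust store. dc.domain.com is kept as the host name from the post; the function accepts any server.

```powershell
# Added example: TLS handshake against a DC's LDAPS ports, reporting what the DC presents.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int[]]$Ports = @(636, 3269)
    )
    # Accept the certificate during the handshake; validity is reported separately below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $true
    }
    foreach ($port in $Ports) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($Server, $port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($Server)   # SNI / host name the client expects to match
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }
            [pscustomobject]@{
                Server     = $Server
                Port       = $port
                TcpOpen    = $true
                Handshake  = $true
                Protocol   = $ssl.SslProtocol
                Cipher     = '{0}/{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                SAN        = $san
                ChainValid = $cert.Verify()      # against this client's trusted roots
                Error      = $null
            }
            $ssl.Dispose()
        } catch {
            [pscustomobject]@{
                Server = $Server; Port = $port; TcpOpen = $tcp.Connected; Handshake = $false
                Protocol = $null; Cipher = $null; Subject = $null; Issuer = $null; NotAfter = $null
                SAN = $null; ChainValid = $false; Error = $_.Exception.Message
            }
        } finally {
            $tcp.Dispose()
        }
    }
}

Test-LdapsEndpoint -Server 'dc.domain.com' | Format-List
Test-LdapsEndpoint -Server 'dc.domain.com' -Ports 686 | Format-List   # reproduces the port mistake: TcpOpen false
```

For a non-Windows client to accept the result, three things in that output have to line up: the host name the client connects with must appear in SAN (or the subject CN), ChainValid must be true on that client's own trust store (the internal CA's root has to be installed there, which Windows clients get for free through AD), and the protocol and cipher must be ones the client still supports. An iLO that pins nothing and trusts everything will pass where a stricter OpenLDAP client fails, which matches the behaviour described.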

