Channel: Directory Services forum
Viewing all 31638 articles

Last logon users


Hello all,

I have around 100 computers, and I need to find out the last logon time stamp and the last logon user.

I have a script to find out the last logon time stamp. Can anyone tell me how to find out the last logon user for those computers?

Thanks

Aamir


NA


Can a Domain Controller be assigned to multiple AD Sites

In order to resolve a DFS issue at one of our branch offices I had to create a new AD Site and assign their specific subnet to it. There is no Domain Controller at this location. It seems like every AD Site should have a Domain Controller assigned to it, for performance reasons. Is it possible to "share" Domain Controllers among AD Sites? For instance, this new Site would have DC1 assigned to it, while DC1 would still be assigned to the original AD Site. I have not been able to locate anything definitive.

HDL

How to enable read-only access to AD integrated DNS for a group of users when they use the DNS Administrative Tool?


Hi, hope you can help.

What is the easiest way to allow a group of users to view AD integrated DNS with the DNS Administrative Tool?

When trying to connect to a DC with the DNS Administrative Tool, the following message is displayed:

Access was denied. Would you like to add it anyway?

So, I'm guessing that means I don't have access.

AD Integrated DNS is being hosted on our Server 2012 R2 DCs and I'd like to give select IT users read-only access to the information in DNS, ideally using the DNS Administrative Tool. It would be great if they could have the same view of DNS that a Domain Admin would have, but a read-only view (so they cannot make any changes).

Functional levels are 2012 R2.

Any feedback is greatly appreciated. Thanks, Joe.

Secure vs Unsecured DNS Updates

We have domain joined computers that VPN into our network but they don't register in DNS. If I allow non-secure updates, they register fine. (They register fine when in the office.) How does Windows DNS determine if an update is secure or un-secure?

GP screen lock timeout time changes

We have all users on a domain with a GP policy to lock the screen after 15 min of inactivity. So far there are 3 users whose first screen lock of the day will be at 15 min. After that it goes to 2-3 min, until the PC is rebooted. Then the first lock will be at 15 min again, and so on. We have refreshed policies many times. Wiped and rebuilt one user and it still happens. Verified the policy on the local machine with the gpresult command. These PCs are added to the domain before they are given to the users, and we also have a GP so that all users have only user rights, not admin. So there is no previous screen saver setting set before deployment. I have found others posting online experiencing a similar issue, but no fixes or causes posted.

server failed test DRSREVent


Server failed test DRSREVent. It gives an error when I run the DCDiag command. I don't have any other DC in the network?

Change Computer Name on Domain Without Removing From Domain

I know that when changing a computer name that is on a domain you first should remove it from the domain and add it to a workgroup. Why is that and what are the consequences of not first removing it from the domain?

Particular AD user account getting locked out


Hi,

One particular AD user account is getting locked out. We have checked the security log and found locked out event ID 4740 for that user, but the Caller Computer Name is blank/empty (see the screenshot below for your reference).

All domain controllers are running 2012 R2.

We already tried Microsoft ALtool.exe but were unable to trace the machine which is sending the bad credentials that are causing the account lockout.

The caller computer name is blank only for this one particular user account, whereas other users who are getting locked out show a caller computer name.

Kindly let me know how to trace the machine which is causing this particular user account to get locked out.

 


Is it possible to renew a cert on CA server?


Hi,

We used the same method as in https://blogs.technet.microsoft.com/rmilne/2014/06/17/how-to-request-certificate-without-using-iis-or-exchange/ to request server authentication certs for our domain controllers. Now we need to renew these certs, as they are going to expire in one month. Just wondering, is it possible to renew these certs from the CA server instead of using certreq to generate the request file again manually on each domain controller?

Thank you for your sharing and help!

Demoting domain controller with active application installed


Hi,

Unfortunately I have to deal with three domain controllers (Server 2003 R2, FL and DL on 2003) which were used for everything. After about 25 migration tasks DC#1 and #2 are "free". The third one is "hosting" the most important application for the whole company... pretty cool, I know. 12 years old, compatible with nothing. As you can guess, it will need a few months (hopefully) to migrate this application... I don't want to wait that long to go further with the domain migration and update tasks I have in the pipeline. So my plan would be to demote the #3 DC with the application running on it and let it run as a member server as long as it's needed. That way I can update the domain to 2012 R2 and go on.

I don't want any approval from any of you (I know it's already bad enough). I would like to hear your experience with demoting a domain controller which is hosting another application. Did it work? Any recommendations? Anything?

Application is a "file based" database, with odbc connections to oracle and sql databases (hosted on other systems).

I appreciate any help! Thank you guys!


Thanks, regards, tim

External Login using ADFS 2.0


I have an MVC application and I want external users to use a sub site to log in to a page. In the ADFS server I want to enter the sub site URL, then in the default web site create a sub site folder and copy the same parent code but with a different web config file with claims settings. I can't seem to get it working. Any idea or help will be appreciated.


Ebenezer

User logon name (pre-Windows 2000) (sAMAccountName)


Hey,

We have a requirement to change this attribute for all users.  I've tried it with my account and it does work OK, but anything that uses Integrated Authentication is passing the old value (which for us was domainname\firstname.lastname).

So our intranet is passing domainname\firstname.lastname to our SQL server still instead of the new format, which is domainname\initials.

What am I missing?

Thanks

AD upgrade from Windows 2008 R2 to 2012 R2

I am going to upgrade my AD from 2008 R2 to 2012 R2, can anyone provide step by step instructions and your recommendations to perform an upgrade without any issues? Also, need to get best practices, and key factors to be considered during an AD upgrade.

Does MS / AD have a solution for enforcing strong passwords?


Our organization wants to be able to enforce strong passwords beyond what is currently available using domain-level password policy. For example, we would like to filter out dictionary words, and prevent users from simply incrementing a number in their password each time it expires. For example, we don't want people to be able to have passwords like:

"Secure25", "Secure26", "Secure27"

etc.  Is there anything above and beyond domain password policies that can accomplish this?  Or is there anything coming in Windows 2016 or MIM that could help?  We know MFA and Passport can greatly improve security, but we still want to address the issue of weak passwords.  TIA for any suggestions!

user accounts ending with $ on Active Directory



Hi,

As part of an AD cleanup sweep, I noticed a few AD user accounts ending with $. I have turned on Advanced View but I still can't view them in the GUI, though I can get the details using the Get-User cmdlet. The user accounts are in the default Users container. I suspect that these accounts were created automatically, as they have very few attributes set. These accounts also have the PasswordNotRequired flag set to True. An Internet search also did not yield the needed info for me, just that there was a TechNet article which says some of these accounts are created automatically as part of domain trust interoperability? Does anyone know anything about this?


Export from one AD and Import to another AD server


Hello, we had a major issue and mistake where someone accidentally deleted an OU that contained about 50 security groups and members.  Unfortunately this controls the security of one of our major software products here.  I was able to bring up a backup VM of AD and I can see the OU and the contents that I need.  However, I cannot figure out how to export that OU and all of its groups and members and then import it back into the production AD.  Can someone please help me or is this even possible?

The structure is this:

matc.net\EX\TMSEPRD  The TMSEPRD is the OU that got deleted with all of the security groups in it.

ADFS 3 authentication looping prompt


We have installed and configured ADFS 3 with CRM 2013 as follows:

  1. ADFS server where ADFS 3 is installed on Windows Server 2012 R2.
  2. CRM 2013 server configured for IFD installed on Windows Server 2012 R2.
  3. We have an ASP.NET application that uses single sign-on (as in the example found in CRM SDK 2011).

Case 1:

Login to ASP.NET web application, loads login form once, then open CRM without login. (Works fine)

Case 2: (problem)

Login to CRM, loads login form once, then open ASP.NET web application displays login form (repeatedly prompt for authentication).

We have attached the following two screen shots for Case 2.

Case 2 - Step 1


Case 2 - Step 2 (trying to login to custom page prompts repeatedly for authentication)


We have been stuck on this issue for more than 3 weeks now; we would really appreciate your help.



Islam Eldemery

Delegate enable computer account

Is it possible to delegate enable a computer object in AD? I looked in the delegation wizard and advanced security permissions but didn't see anything that matches.

Does Microsoft plan to support the SCIM protocol for integrating with cloud application providers?


Does Microsoft support or plan to support the Standard for Cross-Domain Identity Management (SCIM) [1] in any of its directory/federation products?  I found this blog post [2] where Kim Cameron spoke favorably of SCIM about 2 years ago and stated "Microsoft will try to help move this [SCIM] forward:  Tony Nadalin will be attending the next SCIM meeting in Vancouver on our behalf."

I am curious if there are any further details/commitments from Microsoft for support of SCIM.

I ask for a couple of reasons:  (1) my company is a Microsoft customer using Microsoft directory products internally and (2) my company offers cloud-based solutions that allow our clients to integrate with us via SCIM.  Some of these clients use Microsoft directory/federation products and are starting to inquire about interoperability between those products and our cloud services.

Thanks in advance for any information you can share on this topic.

-Drew

[1] http://www.simplecloud.info/

[2] http://www.identityblog.com/?p=1222

Cannot remove missing NIS server


I had a 2008r2 DC go down. Among other things, the server was an NIS master server. I've managed to successfully transfer all of the dead server's duties to another DC (also 2008r2). The new DC is now the NIS master. However, the old DC is still showing up as a Windows Subordinate NIS server, and I cannot delete it from the NIS servers list in the IMU mmc snap in. The dead server is actually listed as available for promotion (!).

Any advice on how to clean up the NIS servers list?

 
