Channel: Directory Services forum

Cannot remove user from AD, access is denied


I'm trying to remove a user from our AD using Adsiedit but I get this error:

Operation failed. Error code: 0x5 Access is denied.
00000005: SecErr:DSID-031A1256, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

I removed all permissions, made myself owner and gave myself full permissions, but I still get the same error.

Somehow the user is messed up because it isn't visible in Users and Computers. When I check the account properties I also noticed that the sAMAccountType is 805306370 (TRUST_ACCOUNT).



File shares on Windows Server 2003 and SID compression


Hello,

I recall that this article https://support.microsoft.com/fi-fi/kb/2774190 once stated that Windows Server 2003 systems and some NAS devices do not understand Resource SID compression, and that this could cause users to get access denied errors if they attempt to access file shares on 2003 boxes with a TGS granted by a 2012 R2 Domain Controller. Is this true? The article was revised in September and that statement no longer exists for 2003 servers, only for NAS devices.

I'm aware that SID compression can be disabled on the Domain Controller if required.

Machine Account Password Change Confusion


Can someone explain, and provide a link to documentation, for point number 2 in the section titled “Best Practices” in this document:

https://technet.microsoft.com/en-us/library/jj852252%28v=ws.11%29.aspx

In the Scripting Guy’s Forum there is a thread where someone claims they must unjoin, then rejoin their computers every 30 days.

https://social.technet.microsoft.com/Forums/en-US/1621deae-c13f-4f5b-841d-0a9729c61590/windows-powershell-script?forum=ITCG

I stated confidently that this was not necessary, but a regular in the forum posted a link to the above library article. He also has stated that after the normal 30 days for a computer password to expire, if the computer remains off the domain for a total of 60 days, then he believes the computer must be rejoined. Did something change that I missed (easy to believe)? Is there documentation for this? I thought it was only necessary to rejoin the domain if the client was restored to a previous state with an old password, or something else broke the secure channel.


Richard Mueller - MVP Enterprise Mobility (Identity and Access)

Kerberos authentication logging


Hello,

I am an analyst with a university, and am relatively new to the field, so I apologize in advance for any incompetency.

When I started this job a few months ago, the school had just put in a SIEM, with little knowledge of the software. This led to a lot of inaccuracies in event logging and its AI engine. One set of alarms, Internal Brute Force Auth/Failed Brute Force Auth/Internal Distributed Auth, fires almost daily, usually multiple times a day. These fire when the SIEM detects more than 10 authentication failures from a user account within 15 minutes followed by a successful authentication (with the exception of the Failed Brute Force Auth).

I've determined that this can sometimes be the result of a user changing their password, and a service on their machine not being able to authenticate correctly with a server (this can usually be determined by the reason code provided by Kerberos). However, more often than not, they'll fire when a user simply types in a bad username once. For instance, recently an admin tried to log into a local admin account on a machine, and made a mistake the first time he attempted to log in. He only made this mistake once, however there were a total of 19 logs within 2 minutes, all authentication failures from that admin account against one of our domain controllers.

This didn't lead to his account being locked, and it's not necessarily having any big impact on our operations, but I'd like to be able to mitigate the amount of alarms we receive on a daily basis. My question is what could be causing so many logs to be generated from only one misentry? Does the computer itself make more than one request when trying to receive the TGT from Kerberos, leading to multiple logs?

Thank you in advance, please let me know if you need any clarification.
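One way to keep the 10-in-15-minutes rule from the post while ignoring the repeats a single mistyped logon produces: collapse consecutive 4771 events from the same account and workstation into bursts, then count bursts rather than events. This is an added example, not the poster's SIEM rule; the events, the 30-second burst gap and the omission of the "followed by a success" condition are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: security-log style tuples
# (timestamp, event id, account, source workstation, Kerberos failure code).
# 4771 is the Kerberos pre-authentication failure event; 0x18 is its
# "pre-authentication information was invalid" (bad password) code.
def _burst(account, host, start, count, step_seconds, code="0x18"):
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_seconds)).isoformat(),
             4771, account, host, code) for i in range(count)]

SAMPLE_EVENTS = (
    # one mistyped interactive logon that the DC records 19 times in ~2 min
    _burst("admin.local", "ws01", "2017-01-05T09:00:00", 19, 6)
    # separate attempts a minute apart over 12 minutes
    + _burst("svc.backup", "srv02", "2017-01-05T10:00:00", 12, 60)
)

BURST_GAP = timedelta(seconds=30)   # assumption: repeats closer than this are one attempt
THRESHOLD = 10                      # the SIEM rule from the post: >10 failures ...
WINDOW = timedelta(minutes=15)      # ... within 15 minutes

def _parsed(events):
    rows = [(datetime.fromisoformat(ts), eid, acct, host, code)
            for ts, eid, acct, host, code in events if eid == 4771]
    return sorted(rows)

def raw_failure_count(events):
    """What a naive rule sees: raw 4771 events per account."""
    counts = defaultdict(int)
    for _, _, acct, _, _ in _parsed(events):
        counts[acct] += 1
    return dict(counts)

def collapse_bursts(events, gap=BURST_GAP):
    """Merge consecutive failures from the same account+host that are no more
    than `gap` apart into one burst (one human attempt, however many events)."""
    per_key = defaultdict(list)
    for ts, _, acct, host, code in _parsed(events):
        per_key[(acct, host)].append((ts, code))
    bursts = []
    for (acct, host), rows in per_key.items():
        cur = None
        for ts, code in rows:
            if cur is not None and ts - cur["last"] <= gap:
                cur["last"], cur["n"] = ts, cur["n"] + 1
                cur["codes"].add(code)
            else:
                if cur is not None:
                    bursts.append(cur)
                cur = {"acct": acct, "host": host, "first": ts, "last": ts,
                       "n": 1, "codes": {code}}
        bursts.append(cur)
    return bursts

def accounts_to_alarm(events, threshold=THRESHOLD, window=WINDOW):
    """Apply the 10-in-15-minutes rule to burst start times instead of raw events."""
    starts = defaultdict(list)
    for b in collapse_bursts(events):
        starts[b["acct"]].append(b["first"])
    alarmed = set()
    for acct, times in starts.items():
        times.sort()
        j = 0                       # sliding window over sorted burst starts
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= threshold:
                alarmed.add(acct)
                break
    return alarmed

if __name__ == "__main__":
    print("raw counts:", raw_failure_count(SAMPLE_EVENTS))
    for b in collapse_bursts(SAMPLE_EVENTS):
        print(f"{b['acct']}@{b['host']}: {b['n']} events "
              f"{b['first'].time()}-{b['last'].time()} codes={sorted(b['codes'])}")
    print("alarm:", accounts_to_alarm(SAMPLE_EVENTS))
```

On the sample the raw rule would alarm on admin.local (19 events), while the burst rule alarms only on svc.backup, whose failures are spread a minute apart.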

How to edge browser disable group policies?

No Logon Servers available


Hello,

I am using Windows 2012 R2 Standard DCs with Windows 10 client machines in a local domain.

We just recently moved to a new office, and this is the first time (since the move) I am trying to join a new client machine to my local domain and also add a new domain user profile locally to a client machine. I am getting these errors:

There are currently no logon servers available to service the logon request.

or...

this PC is having problems communicating with this domain.

  • same errors occur from different client machines
  • clients & servers are on the same local network
  • Ping & access to network shares are successful
  • NETLOGON, DFS Replication & SYSVOL are all up and running
  • Restarted DC's
  • DC is recognized by the client as a DNS server

Any helpful resolutions would be appreciated.

Thanks

Get-MessageTrackingLog Recipient Query


Hi

I am trying to run a Get-MessageTrackingLog report. I can get when the user sent, but I need to see the delivery email address. I am only getting the MessageID with this script. I am unsure where to insert Recipient and any qualifiers to get the recipient's email address.

Get-MessageTrackingLog -MessageId "76264960-86b5-41b1-a8f2-6f8d5ac95151@SERVER.xx.xx" -Start "2017/01/05 09:00:00" -End "05/01/17 11:00:00" -Sender "user@domain.com" | ConvertTo-Html > C:\report6.html

Exchange server 2010 on premise


Inconsistent share access on a file server with a Domain Controller that exceeded tombstone (forcibly demoted)


Hello everybody,

I have an issue with the shares on my file server; access to the shares is not consistent.

An nslookup of the server by name (not FQDN) works.

When I access it by name only, \\servername\, it fails with access denied.

When I access it by FQDN it succeeds, but rarely it fails with access denied.

When I access it by IP it succeeds, but sometimes it fails with access denied.

The user I'm using is a domain admin, and in the security tab of the shares local administrators have full control and my user also has full control.

I don't know what's going on, please help.

This file server was also a domain controller that exceeded the tombstone lifetime.

This problem occurred when I forcibly demoted the DC.


Software publish and assign in Group Policy


Can a Domain Administrator view changes in any software which is assigned to a user through Group Policy software publish or assign?

Authorizing DHCP failed error 20079


Hi

New Windows Server 2016 Standard VM (Hyper-V). After adding DHCP, authorizing it gives the error below.

How can I fix this?

Thanks

Regards

Obsolete

Active Directory Integration Fails with Trend Micro Interscan Web Security Virtual Appliance (IWSVA)


Hi all,

I come to you with the following query:

When I try to synchronize the Trend Micro IWSVA product against my Active Directory from the web console that the product provides, I get the following error:


"The LDAP connection is not established Because unknown error"

After checking the IWSVA logs and checking for proper connectivity between IWSVA and Active Directory (name resolution, open ports, time synchronization, etc.), I came to the conclusion that the problem should come from Active Directory.

When performing a packet capture, I found the following errors, of which the second interested me most:

1) - LDAPMessage BindResponse (3) strongAuthRequired (00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1)

2) - LDAPMessage BindResponse (2) invalidCredentials (80090302: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 1, v1db1)

(I should clarify that we tested with 3 different service accounts, all with Administrator rights, and have always received the same error.)

Could you tell me what the error codes "Data 1" and "Data 0" mean?

I cannot find information about these types of errors, unlike other errors for which information is published.

I appreciate any help you can give me.

Thank you.

Best regards.


How to reset Active Directory Domain Controller Administrator account Password?

Microsoft experts, please kindly help me. I have forgotten my domain controller administrator account password, but I have the DSRM password, so how can I reset the domain controller administrator account password?

Can you reinstall 2008R2 Domain Controller to domain if AD schema has been upgraded to 2012 R2?


Hello,

We have a single-domain forest. The AD schema version is Windows Server 2008 R2. The Domain Functional Level and Forest Functional Level are also 2008 R2.

I'm just wondering whether it is a supported option to re-promote a 2008 R2 Domain Controller into the domain if the AD schema has already been extended to Windows Server 2012 R2, while the DFL/FFL levels are still at Windows Server 2008 R2.

I'm thinking about different rollback options in case some application emerges after the 2012 R2 AD schema upgrade which refuses to work with a 2012 R2 Domain Controller. I know that the AD schema version cannot be reversed without a Forest Recovery, but re-promoting 2008 R2 Domain Controllers could give the software developers more time to fix the application.

msDS-UserPasswordExpiryTimeComputed returning "01.01.1601 01:00:00" for most users


Good Day!

I've just noticed that this command:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | CLIP

returns lines like that for most of my users:

Displayname          ExpiryDate
-----------          ----------
FirstName Givenname  01.01.1601 01:00:00

By "most" I mean almost all of them. The only exceptions are users with Domain Admin rights and two (imo) random users.

Logon and such works as always.

I can't imagine what could have caused this. I've been playing around with our password-expiration-reminder script but i wouldn't know how it could be the reason.

The attribute "pwdLastSet" is fine for all users.

Resetting the password via ADUC creates a "right" msDS-UserPasswordExpiryTimeComputed value.

Do you have any idea what causes this?

Thanks!



Server 2003 upgrade to 2012 R2 SYSVOL and NETLOGON not shared!


I was tasked with replacing our 2003 R2 DCs with 2012 R2 DCs. The 2012 R2 servers must use the same name and IP address as the 2003 Servers.

I successfully demoted and removed one of the 2003 DCs and made sure all metadata was cleaned up. This server does not hold any FSMO roles. To clean up the metadata I checked AD UC, AD SS and DNS. After confirming metadata was clean, I then configured and promoted the 2012 R2 Server with the computer name and IP of the decommissioned 2003 DC.

The issue is that on the 2012 DC the Sysvol and Netlogon folders are not shared but are present on the DC. I left it overnight thinking it just needed time to replicate...

Here is the Dcdiag on the 2003 DC:

Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         A warning event occurred.  EventID: 0x800034C4
            Time Generated: 01/04/2017   21:12:32
            Event String:
            The File Replication Service is having trouble
            enabling replication from 2012 DC to 2003 DC
            for c:\windows\sysvol\domain using the DNS name
            2012 DC.local. FRS will keep retrying.
             Following are some of the reasons you would see
            this warning.

             [1] FRS can not correctly resolve the DNS name
            2012 DC.local from this computer.
             [2] FRS is not running on 2012 DC.local.
             [3] The topology information in the Active
            Directory Domain Services for this replica has
            not yet replicated to all the Domain Controllers.

             This event log message will appear once per
            connection, After the problem is fixed you will
            see another event log message indicating that the
            connection has been established.
         A warning event occurred.  EventID: 0x800034C5
            Time Generated: 01/05/2017   08:28:39
            Event String:
            The File Replication Service has enabled
            replication from 2012 DC to 2003 DC for
            c:\windows\sysvol\domain after repeated retries.
         ......................... 2003 DC passed test FrsEvent

Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
            Invalid service type: RpcSs on 2003 DC, current value
            WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... 2003 DC failed test Services

--------------------------------------------------------------------------------------------------------------------------------

Dcdiag on 2012 DC

  Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         A warning event occurred.  EventID: 0x800034FD
            Time Generated: 01/04/2017   15:48:24
            Event String:
            File Replication Service is initializing the system volume with data from another domain controller. Computer 2012 DC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
            To check for the SYSVOL share, at the command prompt, type:
            net share
            When File Replication Service completes the initialization process, the SYSVOL share will appear.
            The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
         A warning event occurred.  EventID: 0x800034FD
            Time Generated: 01/04/2017   17:55:36
            Event String:
            File Replication Service is initializing the system volume with data from another domain controller. Computer 2012 DC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
            To check for the SYSVOL share, at the command prompt, type:
            net share
            When File Replication Service completes the initialization process, the SYSVOL share will appear.
            The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
         A warning event occurred.  EventID: 0x800034C4
            Time Generated: 01/04/2017   20:13:38
            Event String:
            The File Replication Service is having trouble enabling replication from 2003 DC to 2012 DC for c:\windows\sysvol\domain using the DNS name 2003 DC.local. FRS will keep retrying.
             Following are some of the reasons you would see this warning.
             [1] FRS can not correctly resolve the DNS name 2003 DC.local from this computer.
             [2] FRS is not running on 2003 DC.local.
             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         A warning event occurred.  EventID: 0x800034FD
            Time Generated: 01/04/2017   20:35:29
            Event String:
            File Replication Service is initializing the system volume with data from another domain controller. Computer 2012 DC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
            To check for the SYSVOL share, at the command prompt, type:
            net share
            When File Replication Service completes the initialization process, the SYSVOL share will appear.
            The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
         A warning event occurred.  EventID: 0x800034FD
            Time Generated: 01/04/2017   21:23:02
            Event String:
            File Replication Service is initializing the system volume with data from another domain controller. Computer 2012 DC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
            To check for the SYSVOL share, at the command prompt, type:
            net share
            When File Replication Service completes the initialization process, the SYSVOL share will appear.
            The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
         ......................... 2012 R2 passed test FrsEvent

This is my first big project any help would be appreciated!

Printing Security Groups and their descriptions


Hi

I need to print a list of all security groups and their descriptions. We run Windows Server 2013.

Any help would be greatly appreciated.

Thanks

Terry

Windows NPS Policy not working


Do you folks have a tool to extract the log files for the NPS server that are located under C:\Windows\system32\LogFiles into a more readable format, or a way to export them into the Event Viewer? The OS is Windows Server 2008 R2.

I am trying to troubleshoot an issue with our wireless clients and I cannot understand exactly why they are failing, as the policy I have set up looks to be correct.

"bb-dc44","IAS",01/05/2017,13:59:51,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443749",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:51,11,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443749",30,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:51,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443750",,,,"Microsoft: Smart Card or other certificate",,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:51,3,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",23,"311 1 10.2.2.112 12/05/2016 01:15:53 443750",,,,"Microsoft: Smart Card or other certificate",,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:53,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443751",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:53,11,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443751",30,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:53,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443752",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:53,11,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443752",30,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:54,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443753",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:54,11,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443753",30,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:54,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443754",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:54,11,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443754",30,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:54,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443755",,,,"Microsoft: Smart Card or other certificate",,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:54,3,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",23,"311 1 10.2.2.112 12/05/2016 01:15:53 443755",,,,"Microsoft: Smart Card or other certificate",,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:56,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443756",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:56,11,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443756",30,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:56,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443757",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:56,11,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443757",30,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:56,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443758",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:56,11,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443758",30,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:56,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443759",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:56,11,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443759",30,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:57,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443760",,,,"Microsoft: Smart Card or other certificate",,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:57,3,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",23,"311 1 10.2.2.112 12/05/2016 01:15:53 443760",,,,"Microsoft: Smart Card or other certificate",,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,

cannot authenticate to Radius


Can someone advise what error below might mean as I cannot get our iphones to connect to the wifi. This is the error I get. The iphone has the correct certificate and it is not expired.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: bb\bobmarcin

Account Name:   bb\bobmarcin

Account Domain:   bb

Fully Qualified Account Name: bb.local/finance/bobmarcin

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 00-23-5a-71-09-f0:bb-wifi

Calling Station Identifier: 08-74-92-a2-5e-5a

NAS:

NAS IPv4 Address: 10.2.1.11

NAS IPv6 Address: -

NAS Identifier: SUM-WLC2

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 1

RADIUS Client:

Client Friendly Name: bb-wireless

Client IP Address: 10.2.1.11

Authentication Details:

Connection Request Policy Name: wireless

Network Policy Name:  bb wireless

Authentication Provider: Windows

Authentication Server: bb-dc1.bb.local

Authentication Type: EAP

EAP Type: Microsoft: Smart Card or other certificate

Account Session Identifier: 35383676513738352F30383A37343A30323A62323A35363A35662F231233555034

Logging Results: Accounting information was written to the local log file.

Reason Code: 23

Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
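Both posts above come down to reading NPS output: the first has raw IAS-format lines under C:\Windows\system32\LogFiles, the second the same Reason Code 23 as an event. The parser below is an added example, not a Microsoft tool or anything from the posters; it names the first 31 IAS-format columns in the order Microsoft's documentation of that format gives them, and the three sample lines are copied from the "Windows NPS Policy not working" post. The reason-code table covers only the two codes that appear on this page.

```python
import csv
import io

# Column order of the IAS log format per Microsoft's documentation; only
# the first 31 columns are named here, anything after them is kept raw.
FIELDS = [
    "computer", "service", "date", "time", "packet_type", "user", "fq_user",
    "called_station", "calling_station", "callback", "framed_ip",
    "nas_id", "nas_ip", "nas_port", "client_vendor", "client_ip",
    "client_friendly", "event_ts", "port_limit", "nas_port_type",
    "connect_info", "framed_proto", "service_type", "auth_type",
    "policy", "reason_code", "class", "session_timeout", "idle_timeout",
    "termination_action", "eap_type",
]
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request",
                "11": "Access-Challenge"}
AUTH_TYPES = {"5": "EAP"}              # the only value seen on this page
# Reason codes that appear on this page; NPS documents many more.
REASON_CODES = {"0": "success",
                "23": "error during NPS use of EAP (check EAP logs)"}

# Three lines copied from the post: a request with reason 0, then the
# request/reject pair for session counter 443750.
SAMPLE_LOG = r"""
"bb-dc44","IAS",01/05/2017,13:59:51,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443749",,,,,,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:51,1,"bb\bubmorgin","bb\bubmorgin","00-23-1a-97-e1-f8:bb-wifi","08-74-02-b2-56-5f",,,"hh-ww2","10.2.2.111",1,0,"10.2.2.111","hh-ww2",,,19,,,2,5,"wifi",0,"311 1 10.2.2.112 12/05/2016 01:15:53 443750",,,,"Microsoft: Smart Card or other certificate",,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,13,6,,,,"106",,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"bb-dc44","IAS",01/05/2017,13:59:51,3,,"bb\bubmorgin",,,,,,,,0,"10.2.2.111","hh-ww2",,,,,,,5,"wifi",23,"311 1 10.2.2.112 12/05/2016 01:15:53 443750",,,,"Microsoft: Smart Card or other certificate",,,,,"586e8997/08:74:02:b2:56:5f/123581",,,,,,,,,,,,,,,,,,,,,,,,,"bub-wifi-conneciton 2",1,,,,
"""

def parse_ias(text):
    """Turn IAS-format lines into dicts keyed by the names in FIELDS."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:                       # blank line
            continue
        rec = dict(zip(FIELDS, row))
        for name in FIELDS[len(row):]:    # short rows: fill missing columns
            rec[name] = ""
        rec["extra"] = row[len(FIELDS):]  # unnamed trailing columns, raw
        records.append(rec)
    return records

def describe(rec):
    """One readable line per record, with the numeric codes decoded."""
    ptype = PACKET_TYPES.get(rec["packet_type"], "type " + rec["packet_type"])
    auth = AUTH_TYPES.get(rec["auth_type"], rec["auth_type"] or "-")
    reason = REASON_CODES.get(rec["reason_code"], "reason " + rec["reason_code"])
    return (f"{rec['date']} {rec['time']} {ptype:<16} "
            f"user={rec['user'] or rec['fq_user']} nas={rec['nas_ip']} "
            f"auth={auth} eap={rec['eap_type'] or '-'} "
            f"policy={rec['policy']} reason={reason}")

def pair_rejects(records):
    """Match each Access-Reject to the Access-Request carrying the same Class
    value (NPS puts a per-session counter in it), so the reject can be read
    together with the station IDs and EAP type of the request it answers."""
    requests, pairs = {}, []
    for rec in records:
        if rec["packet_type"] == "1":
            requests[rec["class"]] = rec
        elif rec["packet_type"] == "3":
            pairs.append((requests.get(rec["class"]), rec))
    return pairs

if __name__ == "__main__":
    recs = parse_ias(SAMPLE_LOG)
    for rec in recs:
        print(describe(rec))
    for req, rej in pair_rejects(recs):
        print("reject for", req["calling_station"], "->", describe(rej))
```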

Changing UserAccountControl Attribute To Require Password Change


I was looking for stale computer accounts within our domain using the PasswordLastSet date when I discovered hundreds of computer objects with the useraccountcontrol value of 4128 (WORKSTATION_TRUST_ACCOUNT and PASSWD_NOTREQD)  instead of the usual 4096 (WORKSTATION_TRUST_ACCOUNT) value.

Most of these computers were part of a migration from another domain but many were created recently.

I would like to require all computers maintain a secure password with the domain so I could discover stale computer objects. I created a script which could make that change but I am unsure of any negative consequences that might result.

Have you had experience changing this useraccountcontrol value? What would you advise?

Thanks!
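The 4128 versus 4096 distinction in this post, and the "01.01.1601 01:00:00" output in the msDS-UserPasswordExpiryTimeComputed post above, are both a matter of decoding raw attribute values offline. The block below is an added example, not from either poster: it decodes userAccountControl bits, treats the two FILETIME sentinel values (0 and the "never" maximum) as non-dates rather than 1601, and audits a constructed list of computer accounts; the 90-day staleness cut-off is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits (ADS_USER_FLAG values).
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION", 0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY", 0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED", 0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
PASSWD_NOTREQD = 0x0020

# FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC. AD stores pwdLastSet and
# msDS-UserPasswordExpiryTimeComputed this way, so a raw 0 renders as
# 01.01.1601 (01:00:00 in a UTC+1 locale), exactly the output in the post.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF      # "never expires" sentinel

def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def clear_passwd_notreqd(value):
    """The value the account would have with PASSWD_NOTREQD removed."""
    return value & ~PASSWD_NOTREQD

def filetime_to_datetime(ft):
    """None for the two sentinels (0 and never) instead of a bogus 1601 date."""
    if ft in (0, FILETIME_NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH           # integer arithmetic: floats lose ticks
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10

NOW = datetime(2017, 1, 5, 12, 0, tzinfo=timezone.utc)   # constructed "today"
# Constructed accounts: (name, userAccountControl, pwdLastSet as FILETIME).
SAMPLE_COMPUTERS = [
    ("WS-OLD01", 4128, datetime_to_filetime(datetime(2016, 6, 1, tzinfo=timezone.utc))),
    ("WS-NEW02", 4128, datetime_to_filetime(datetime(2016, 12, 20, tzinfo=timezone.utc))),
    ("WS-OK03", 4096, datetime_to_filetime(datetime(2016, 12, 28, tzinfo=timezone.utc))),
    ("WS-NEVER04", 4096, 0),
]

def audit(computers, now=NOW, max_age_days=90):
    """Flag PASSWD_NOTREQD and stale machine passwords. Machines rotate their
    password every 30 days by default; the 90-day cut-off (three missed
    rotations) is this example's assumption, not a Microsoft value."""
    findings = []
    for name, uac, pwd_last_set in computers:
        last = filetime_to_datetime(pwd_last_set)
        findings.append({
            "name": name,
            "flags": decode_uac(uac),
            "passwd_notreqd": bool(uac & PASSWD_NOTREQD),
            "last_set": last,
            "stale": last is None or now - last > timedelta(days=max_age_days),
            "proposed_uac": clear_passwd_notreqd(uac),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_COMPUTERS):
        print(f"{f['name']:<11} uac={' | '.join(f['flags'])} "
              f"pwdLastSet={f['last_set']} stale={f['stale']} "
              f"proposed={f['proposed_uac']}")
```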

