Is there a way to find when (the date) a user made his last logon?
Hi everyone! I can inactive users who does not logon in domain for sometime ago, like 30 days or more, using dsquery.exe, but is there a way to find when (the date) the user made his last...
Approach to prevent accounts from being added to AD Security groups
Dear Experts, I am trying to find a way in which I would need to prevent the user accounts (standard) from getting added to restricted AD Security Groups, which are in certain OUs. We have accounts (that...
RSAT not showing under Windows features
Hello, I have a colleague who is experiencing problems with getting the Remote Server Administration Tools in his windows features. We have followed the installation process for RSAT windows 10, and...
Creating a secondary domain controller (AD DS server) in Azure and turning...
Hi All, We have an on prem Domain Controller. For redundancy we are planning to configure a VM with Azure with an AD DS role on it. Our on-prem and Azure network is connected via express route....
AD ACL Tooling
Hello, Interest in tooling being used to investigate ACLs in AD and in particular those that are considered risky, such as reset password, WriteOwner and AllExtendedRights. I'm aware of ACL Scanner,...
Domain Controller Scheduled Task
Hello, What is security best practice for running scheduled tasks against a DC? Should I run on the DC and should I use a gMSA? Would it be more secure to create a JEA endpoint and schedule a task on...
Newly promoted Windows Server 2012 R2 Domain Controller still flagging to...
I have recently promoted a virtual Windows Server 2012 R2 member server to become a Domain Controller. It's an additional DC in an existing domain... (have done this many times before) pretty simple...
AD Account Lockout and LastBadPwd
Hello All, Alright, I’ve done everything I can think of and am hoping someone has a thought for me. We have a user whose AD account gets locked daily after recent password change (which is sometimes...
gpresult /R vs Get-ADPrincipalGroupMembership
I'm trying to understand the output differences between the following commands: PowerShell: Get-ADPrincipalGroupMembership user | format-table -property name Windows 10 command prompt: gpresult /R gpresult...
AD Information
Hi, I am running with a project to migrate machines from one domain to another using Quest as the preferred tool. The Quest engineer has requested information regarding machines and logons to those...
No event ID 4768 on my domain controllers... WHY?
I have 6000+ users... 8000 + endpoints... 12 domain controllers... Doing some work where I need to find event ID 4768 to look at some user / machine log in information... Cannot find this event on...
Event ID 1699 : 8453 replication access was denied
Hi, We have enabled Microsoft Azure password Write-back feature by user account (XYZ) who has only global admin rights. Password write-back feature is working fine as users are able to change their...
A question about AD password storage and encryption
Is the NTDS.DIT encrypted as a whole (regardless of any internal encryption) using the BootKey stored in the System hive of the registry, and the BootKey is different for every computer, or is it...
How to create an internal SSL certificate
Hi, Guys. Do you know how to create an internal SSL certificate? Thank you
Forest and domain functional levels only show "Windows Server" available...
I recently migrated our DC's from Server 2008R2 to Server 2016. We now have four Server 2016 DC's and no others. When I went to raise the domain and forest functional levels from Server 2008R2 I saw...
Slow performance to Web Enrollment page
I have setup a certificate web enrollment site for my AD CS. I have two servers that have setup web enrollment for certificate. But for some reason on only the newly created server when I click on the...
Active Directory Schema extended with Exchange but no values are in Attribute...
I have a 2012 Domain Function level and just extended the Schema with Exchange 2016 using Admin Command Prompt of Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms. This completed...
Raise Domain Functional Level
We just upgraded to Windows Server 2016 for our Domain Controllers. Our old DC was on Server 2008. Right now, my domain functional level is set to Server 2008 R2. I have the option to raise it to...
Cannot delete orphaned DFS Namespace
I attempted to delete a Windows 2000 Server Mode DFS Namespace from the DFS management but it did not complete correctly. It provided an access error. I verified my account is a member of Enterprise...
Is this possible?
I have a DNS only domain, domain.com. It is just a DNS domain with several A records and a few SRV records for lync, Exchange. Can I do dnscmd /zoneexport domain.com c:\temp\domain.com.dns to export...