Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

I have created some shared mailboxes and didn't choose where the AD accounts were saved.
They have been saved in our owner company's OU.
Our domain is a sub-domain of our owner's global domain.

When I try to move the account to the right OU in our domain I get access denied.
And I have tried with a global administrator account but got the same error.
Does anyone have a good idea how I can solve this problem?
They have started using the shared mailboxes so I can't just recreate them.

The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
I am looking for Active Directory alternatives for a developer environment. The solution needs to do nothing more than contain an OU structure and some users that can be authenticated. Preferably it should be possible to install this alternative on Windows 10. As of right now, I know of AD LDS (which I never got authenticating) and then perhaps - but they are not free and I am guessing that the standard LDAP:// path strings will not be transferable to that solution, thus needing to recode the authentication solution. The option that seems to be left is to install a Windows Server 20XX with the AD DS role set up, which I would preferably like to avoid.
Hi all, I would like to have a user account in one domain and use it with another domain. If possible I would like to only have one account for each user but have access to both domains.

What would be the best way to configure this?

Many thanks
Hello experts,
We are about to turn on Azure AD Connect directory sync and just wanted to ask, from a security perspective, what steps or review did your security folks need to do as far as identifying which attributes (as noted in the MS link below) are considered sensitive or PII data?

Please let me know.

The issue is that there is a domain name called "" and for its name resolution we have pointed to our local ISP (India) using a conditional forwarder in our DNS, and also in the forwarders tab/list we have pointed to our head office DNS server IP, which is in the US.

As per the configuration, if we nslookup the mentioned address "" we should get a response from our local ISP (India), which is in the conditional forwarder; however that is not the case, and instead we are getting a response from the US IP, which is in the forwarders list.

So clients are getting delayed responses.

As per DNS default behaviour, any query that comes to DNS will first check the conditional forwarder and only then check the forwarders list in DNS. I do not know why our DNS server is not working properly.

Please help us to fix this issue. Please help and do the needful. I do not know how to overcome this issue. Please help.
Any good advice is appreciated.
I am wanting to create a CSV of all accounts created in a particular OU which have not had a home drive defined. Account created date would also be useful in this report.

Could you please recommend a command to run from AD PowerShell and then export to CSV?

Hello Everyone and as always thank you in advance for your time and insights.
We are about to integrate two new 2016 domain controllers to eventually replace our current two 2008R2 domain controllers, with the intention of also leveraging them to raise our current Forest and Domain Functional Level from 2008R2 to 2016. We have around 30 MEMBER servers running a mix of 2003 (3 of them on physical servers that are being decommissioned) and the rest are all 2008R2, 2012, 2012R2, of which about 1/2 are virtual machines hosted on a 3-host ESX VMware 6.0 infrastructure.
I had not come across or read about any issues for only member servers (physical or virtual) when it comes to raising the FFL or DFL to 2016, but then I saw this article (see below) and now I am a bit confused and need to make sure that I am interpreting it correctly. I am assuming they are referring to Domain Controllers running the 2016 O/S and 2016 AD (FFL/DFL) being incompatible with VMware hosts of all versions at this point, and not merely member servers with 2008R2 or 2012R2 (running on VMware 6.0) having an issue functioning with a 2016 AD FFL/DFL because the member servers are virtual and are hosted through a VMware ESX 6.0 environment. Or am I reading that wrong?
Manage Service Account

I have a question regarding GPOs.

Is it possible to force a GPO in a sub OU even if the parent OU's GPO has other settings set? So, I want to overwrite a parent GPO's setting within a sub OU.

Thank you in advance!

I am not sure if this is doable in Windows Server 2008 Enterprise x86, but I will post this question. Can I customize a profile for an Active Directory user based on her/his name? So, when the user logs on to the domain, her/his picture will show up on the start screen for Windows 7 and the login screen.

I have all user pictures in the shared folder on the server.

One user can't log in to a Linux box using the domain password. Other users have no problem.

I have a Zentyal server where all my users are defined (17 users).
This server is used to validate the user passwords from our Zimbra server, our intranet application (custom developed PHP application doing authentication using LDAP calls), and we have 2 Linux application servers which also validate the passwords using Samba against our Zentyal server.

This works perfectly for 16 users.
For the 17th user (let's call him Norbert), everything works perfectly (Zimbra login, intranet login, login on 1 of our application servers) EXCEPT logging in on our second application server.

Note: this is not the last user created on Zentyal; he has been working for this company for over 8 years, and several other colleagues created after him have no problem connecting to this server.

On server2:
If I do an "id -u anyusername" for any of the 16 other users, I get an id back.
If I do an "id -u norbert" I get: "id: norbert: no such user"
If I do the same on server1: no problem, not with norbert, not with anyone.

The Samba config files for application server 1 and 2 are identical.
And, again, everything works FINE for ALL OTHER users.

If I try (from another machine) ssh -l norbert server2
I get the prompt norbert@server2 password:
Upon entering THE CORRECT password, I get "permission denied, please try again"

If I do ssh -l norbert server1 and enter the same password, I have no problem.…
Hello Experts, I have a strange issue. I am working on a migration of company A to company B for AD. Company A is currently part of their on-prem AD, which is company.local, and they also leverage O365 for e-mail, SharePoint, OneDrive... for which they have separate accounts which only reside in Azure AD. Once I join the user machine from company A to the company B domain, and the user logs into the machine using their new company B domain user account, the user is no longer able to access their OneDrive files via the Office client. They cannot activate the Office client, and cannot register their device with Azure AD. The attached error is received.

When the user is part of the Company B domain, we are not creating new user profiles for them; we are simply using regedit to point the new UserProfile to the older UserProfile so they do not lose any data. I have done some testing, and the issue seems to be related to the user's profile on the machine. If I log in as the user on a different machine which is part of the new domain (using the user's new Company B AD user account), then I am able to activate the Office client... hence I believe this issue is related to the user profile. I have removed the device from Azure AD, cleared creds, re-installed the Office client, cleared all activation keys cached on the machine, and un-licensed and re-licensed the user in O365, but nothing seems to have done the trick. Creating a brand new profile for each user we migrate is not feasible, too much work.

I need to add the email address to this script. How can I make it return the email in the Select-Object when it sends it to the CSV file?

Import-Module ActiveDirectory
$domain = ""
$DaysInactive = 120
# Cut-off date: anything that last logged on before this is considered inactive
$time = (Get-Date).AddDays(-($DaysInactive))

# Enabled accounts whose last logon is older than the cut-off
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |
Select-Object samaccountname,Name,@{Name="LAST Logon Time"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | Export-Csv c:\OLD_User.csv -NoTypeInformation
Dear experts, how can we collect users' activities on web browsers? Assume that this is a domain environment and we prefer a free solution, script or GPO settings. Many thanks!
I need to create an automated process that does the following.

The scenario is based on a user being terminated or leaving the organization.

1) User account gets disabled in AD as part of the employee termination process
2) User account is part of a specific security group, for example SAP-Users
3) We need an e-mail notification that a user's account was disabled that belongs to the group "SAP-Users"
Note: This process should only apply if the user account belongs to "SAP-Users"
I need to create a script to get the SamAccountName from a CSV file of users' names on several domains.
Currently my script looks like this:
$PathFile = "C:\CSV\UsersINSPQ.csv"
# One row per user; the "User" column holds the display name to look up
Import-Csv -Path $PathFile | ForEach {
    $User = $_.User
    Get-ADUser -Filter {Name -eq $User} -Properties Name -Server "" | Select Name, SamAccountName
}

It works well, but I need to do it on 7 domains like domain A, B, C, ... and G. So how do I make a loop to have a single result for all domains with this script? And yes, all domains trust each other.
I have a question regarding DFS

Current situation:
Our primary DC hosts the DFS. When the primary DC goes offline, the DFS namespace is not accessible.

If the primary DC goes offline, the DFS namespace should still be accessible. I do not want to replicate the files to another server. My only goal is that the namespace keeps working.

Do any of you guys know how to achieve that?

Thank you in advance!

I have a problem with our roaming profiles' NTFS permissions. We back up our users' profiles daily, but when I create a new AD account and the user logs on, the user's profile directories (Profiles.V2, V5, V6) that get created do not inherit the folder permissions, which should contain the backup service account's read permissions for this folder. The permissions on the parent folder are correctly set. How can I enable inheritance without the need to do this manually for each user profile directory?

Thank you in advance.
I'm deploying WSUS via GPO.
- WSUS is working well, including downloading the corresponding packages.
- GPO for Automatic Update on the Domain controller is set as follows:
  1) Configure automatic updating: 4 - Auto download and schedule the install
  2) Schedule install day: 0 - Every day, Schedule time: 10:00
  RESULT: ALL clients were affected/managed by the GPO, but the update check TIME is incorrect. They always show the last checked update at 7:50 AM every day. (See attached file)
What am I missing?
Can anyone help me? Thanks.

DC and WSUS: Windows Server 2012 Std
Clients: Windows 10, 7 and Server 2012 Std.
We have a Windows Active Directory Domain with about 70 users. We currently use Office 365 for e-mail with no on-premises server and about 70 users. I would like to sync my Active Directory up to Office 365 so we can use Duo Multi-Factor Authentication. My concern is what happens, since everyone has an account on both and many have different passwords. My understanding is that once we sync up we will have a single sign-on for both. If I activate the sync, will people's e-mail stop working and look for their network password?
I have a Hyper-V lab environment set up. I originally had it set up with an internal switch but wanted to change it to an external switch so I can get out to the internet.
I can get out to the internet if I set the machines to automatically get an IP address, but I need to be able to communicate between the machines in the lab.

At my workplace they have it set up so all the machines use the DC for DNS resolution, and they set forwarders on the DNS server to get out to the internet. This doesn't seem to work in my lab environment. Is there a way to get the machines to see each other and get out to the internet as well?
Windows SBS 2011 single-server domain. DC boots up but directory services do not start. Netlogon service fails with 0xc000064. ADUS, ADSS and tools will not start, stating invalid interface. Users cannot access network shares, printers, etc. Netdom query fsmo errors with invalid interface. DCDiag shows it cannot connect to the DC. Have already tried last known good configuration. Your thoughts would be very much appreciated.
I had to configure the ADFS server for Chrome.

I ran these commands:

Import-Module adfs (by opening Windows PowerShell and not Azure Windows PowerShell)

2) Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0", "MSIPC","Windows Rights Management Client","MS_WorkFoldersClient","=~Windows\s*NT.*Edge","Mozilla/5.0","Edge/12")

3) reboot

Everything worked fine.

But there is one Workday mailbox which, before running the command, the IT Workday people used Chrome for and then typed; it used to ask for the email address of the shared mailbox and then the password, and the user was getting directed to that shared mailbox. This mailbox is not allowed to be configured in their respective Outlook.

But now when they type the same Workday mailbox email address and put in the email address, it is doing 2 things:

1) not asking for the password
2) instead of getting into that Workday mailbox, users are getting the apps page on the 365 portal, and when they open Outlook, their own mailbox is opening up instead of that shared mailbox

Hope I put the question correctly, so the question is that the shared mailbox is not opening or showing up.

From my personal computer, when I type and put in the Workday mailbox email address it gives me a prompt for username and password.

But when I am in my network the above issue is happening.
We have a police department client that is required to audit successful and failed logon attempts, and logoffs, on a weekly basis. The auditing must be performed by an employee of the PD, which means that we need to generate Event Viewer reports in a way that can be easily reviewed by a layperson. Ideally a digest would be emailed on a daily basis. We've set up the server to send emails any time there's a failed logon, but emails every time there's a successful logon or logoff would result in an inordinate amount of email traffic.

The server is running Windows Server '08 R2. We're either looking for assistance in setting up digest report emails, or for direction to a piece of software that'll handle it for us.
