Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

One DHCP server has run out of IP addresses to assign. Just want to verify this is the correct procedure to expand it.

Deactivate the current scope.
Create a new scope with a wider range and use the same exclusions.

Seizing the Operation Master Roles in Windows Server 2016 in case of FSMO holder failure.

I can't see all the machines on the network on a new DC we set up. I can map to them and ping them, just can't see them all in File Explorer/network. I have a network that we just took over; the previous admin used a for the DNS / server name that the company doesn't even own. So to get around the issues we set up static routes for the internal servers. This seems to work fine on the current production server that we will be migrating to a new production server. It can now see all the machines on the network and they show up in File Explorer/network. I have checked all the obvious things: sharing is enabled, all the proper services are running, etc. The DNS records between the new and old server match.

So what we have is as follows.

Current server 2008 R2: Had to add an A record to point the to the internal IP; now it seems to be working, it can see all machines on the network when you open File Explorer.

Old Exchange server 2008 R2 that used to be the production server: Moved mail to a hosted solution; now it only has data on it that we will be moving.

New server 2016: It will be the new production server to replace these older servers. We added it to the domain and made it a DC. I didn't want to go any further because I can only see a handful of machines on the network. Oddly enough, the machines I can see on the old Exchange server are the same machines I can see on the new server. I'm sure I am missing something simple here?

Just strange I can see all…

Fired staff: their work laptop is at home and offline. I'm looking for a mechanism to log off the user and delete their local account permissions as soon as their laptop comes online.

I have access to Labtech device management tools, and a Server 2008 R2 Active Directory synced with Office 365.

We have recently updated our maximum password age to 90 days in our default domain policy.

After that, we realized that in the local administrator account properties of each domain server the "User must change password at next logon" check box is checked.

I have no idea why this is the case.

Someone who knows, please advise how to fix it.

Hi, we are setting up a brand new Win2016 Standard server mainly as a file server with RDS. Should I set up Active Directory as "" or "company.local"? There is no Exchange server but we would like to have an SSL certificate for the Remote Desktop Gateway. Something that came to mind for Remote Desktop Services access is to set up a sub domain called "" for our remote desktop users. Thanks.

We have created new domain admin accounts.
We added all the admin permissions under these accounts.
Added the new domain accounts to the local machine, but we can't use the backup software; we can access the local C drive and we can move files from the C drive to another machine with this account.
Attached are screenshots of the settings we have put under the new account and the error message we are getting.

Thank you.

Dear experts,

I have a domain controller running on Windows 2012 R2 with an Active Directory Integrated zone. I also have another domain controller running on Windows 2008 R2. Unfortunately the Windows 2008 R2 machine malfunctioned, though at least I can still survive on the DC on Windows 2012 R2. My concern right now is how to remove/demote the Windows 2008 R2 properly without the capability of accessing that machine. Can I remove/demote Windows 2008 R2 directly from Windows 2012 R2? Thanks

Account lockouts every second. The audit logs of my domain controller are filled with audit failures for 6 accounts, where 5 accounts are non-existent and 1, mine, exists, disabling my access across the domain. This is unfamiliar territory for me and I need assistance with finding and stopping the cause of these access failures.

Hi, I have to do system architecture diagrams for an environment.

It's very documentation heavy; I have to cover VMware, Active Directory, 2008 R2 forest mode and on-premise Exchange 2010.

Are there any guidelines people would recommend? I realise it's a general query.

For instance, are there free tools that provide mapping which I can use with Visio?

I have seen the free stencils Veeam provide and they look good.

I am looking to do a high level overview, then go a bit deeper, and also include support documentation, which will be a lot more straightforward.

Any pointers appreciated.

Can MacBooks/Apple Macs be joined to a Windows AD domain and used by end users in the same way as a domain-joined Windows 10 laptop?

Or would there typically be an additional application installed on the MacBook to allow connectivity to the domain, e.g. file servers and applications, with the devices not directly added to a company's AD? I'm a tad confused how these devices would be managed, as I don't suspect you can deploy group policies to Macs, for example to lock down USB ports etc., as you can with Windows devices.

Dear Experts, I have one AD (Server 2012 R2) and one Exchange 2016 mail server. When I configured the password complexity in AD and applied it with "gpupdate /force", the policy could not be applied to Exchange mail users. They can still change the password to simple phrases. For example: no need for special characters or numbers, ...

Can you please explain and suggest?

Many thanks!

Hi All

Does anyone have a PowerShell script to share that would do the following?

1) gets the path from a text file (example below, with 100s of paths)
2) checks if a set of domain credentials can access each share.
3) outputs a CSV with each path and whether the account was able to access the share or not.

I need to create an Active Directory account to be used by the ASA. Our VPN users are using Cisco AnyConnect.

Does anyone know what permissions I need to delegate to this account in the AD domain, please?

I am using MS Access as the front end (Microsoft Office 365 ProPlus) and currently have a SQL 2008 server. I am migrating to a newer SQL 2014 server and am experiencing issues with code written using SQLDMO while testing in the new environment. I have an SSIS job that is called using the now deprecated SQLDMO that is obviously failing in the new environment. I am having limited success finding how to use SQLSMO in a similar fashion. Can someone please give some general (or specific!) direction so that the application can call these jobs in the new SQL Server 2014?

Here is the code snippet we use:

Private Sub Command45_Click()

   Dim objSQL As Object
   Dim objJob As Object
   Dim job As Object

   ' Late-bound SQL-DMO server object (SQLDMO is deprecated and absent on SQL 2014)
   Set objSQL = CreateObject("SQLDMO.SQLServer")
   ' Leave as trusted connection
   objSQL.LoginSecure = True
   ' Change to match the name of your SQL server
   objSQL.Connect "Server2K14"
   Set objJob = objSQL.JobServer
   ' Walk the SQL Agent jobs and report the matching one
   For Each job In objJob.Jobs
      If InStr(1, job.Name, "SSIS Bills") > 0 Then
         MsgBox job.Name
         MsgBox "Job Started"
      End If
   Next job

   ' Release the connection when done
   objSQL.DisConnect

End Sub

Thank you, and please let me know if I have failed to provide necessary information.

Hello experts,

I need to list accounts which match the following filter:

Enabled = True and
the employeeType attribute contains any value starting with A* (A1, A2, A3...), B* (B1, B2, B3...), C* (C1, C2, C3...), D* (D1, D2, D3, ...)

EmployeeType - A*, B*, C*, D*

$UserList = Get-ADUser -Filter "Enabled -eq 'True' -and (employeeType -like 'A*' -or employeeType -like 'B*' -or employeeType -like 'C*' -or employeeType -like 'D*')" -Properties employeeType

Please assist.

Thank you.
We have a weird problem: we've been asked by a client to add 1 single drive mapping to their login script
Net use Z: \\server\postscan
When they log in it's not there. I've put a 'pause' in the login script, and straight after the Z: mapping I can see 'Command Completed Successfully', so it's like the script is running fine and the syntax is correct.
If I type net use from a command prompt there is no Z: drive.
If I browse to \\server\netgon and double-click the logon.bat file the Z: drive appears.
If I copy the logon.bat file to the local startup it does the same thing: no Z: drive.
Any ideas?

Hello Experts,

I'm having an issue when I try to request a certificate via my certificate authority's web interface. When I try to submit a certificate request from the web interface, I get the following message:

No certificate templates could be found.  You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.

My environment is as follows:
- I have a root domain ( that really does not have anything in it.
- I have a child domain ( – This is where all of my AD objects reside.
- I have an offline root CA that is not part of any domain.
- I have a subordinate CA that is a member of

In troubleshooting the issue, I have done the following:
1. I have made sure that the dNSHostName attribute on the subordinate CA and the sServerConfig value in the file match exactly.

2. On the certificate server, I created a new application pool and changed the application pool identity from ApplicationPoolIdentity to NetworkService. I did a reboot after this change.

3. I made sure that the domain admins group of has the same rights in AD Sites and Services – Services – Public Key …

Is there any way to query AD attributes to identify a list of devices which are laptops? I think there used to be an attribute around internal battery which may help. Any advice welcome.

I got this question:

This user doesn't have access to view OU=ESB Users.
It was there before
to view and look up.
The LDAP host is ca209.phn.

How should I find this in Active Directory?

What is the least privilege for an account to perform LDAP queries in my Windows 2008 AD DC? Currently the ID has local admin rights. I would like to assign only the very least privileges required to the account to do LDAP queries, if possible.

Hello Experts,

I had a basic requirement of having an AD to authenticate users and block a few websites (WhatsApp, Facebook and YouTube). The sites had to be available only for the HR and Management teams and were to be blocked for everyone else.
This was outsourced to a third-party vendor to get this up and running in about 5 days.

However, the vendor informed me that the requested setup was complete in about 5 hours.
What he has done is the following:
** Ubuntu server installed, serving as a DC and AD authentication server.
** pfSense firewall installed, but this is currently down due to the OS being blown away after a power failure.
** A certificate that was generated to ensure the internet only works when the certificate is installed.

Now the issue is with the websites blocked. All users are currently being blocked from using these sites. Facebook, WhatsApp and other social media like Twitter are a requirement for HR and Management operations.

The setup is incomplete and the vendor is absconding after payment.
Since I am knowledgeable about Linux OS and familiar with the CLI, I need to make sure the required setup is up and running.

Kindly point me to the right KBs or update me on the steps that I need to take to ensure this is completed.

Hi guys,

Tonight we were installing some Windows updates on a server running Windows Server 2012 R2 with Exchange 2016. During the installation the server became unresponsive, so after a while we decided to hard reset it. When it came back online everything seemed fine at first. The update manager even noted that all updates had been installed correctly. But none of the Exchange services would start. The event logs were packed with all types of errors that were pointing towards network connectivity issues.
We tried all the standard solutions for testing and fixing network issues, like checking the DNS server, "net view" and "net use" from the broken server to other servers; everything seemed to be functioning correctly. It wasn't until we ran "nltest /dsgetsite" that we got the error:
Getting DC name failed: Status = 1919 0x77f ERROR_NO_SITENAME
We checked the registry and noticed the "DynamicSiteName" key was missing.
For the sake of testing we manually created the key and watched as the Exchange services started up. But halfway through they stopped starting up. It turned out the DynamicSiteName key had removed itself from the registry again. Once again we recreated the key and this time Exchange was able to start up completely and function correctly again.
The problem was that the registry key was gone again. Every time we create it, it deletes itself within seconds.

We're not sure what to do about this. Exchange currently remains to …

Hello Experts,
I am having an issue with Outlook password authentication.
Randomly users will get prompted to enter their password; once they do, the password is not accepted. Exchange on-premise 2010, tied to AD 2008.
Checked AD; the user account is not locked. The user is able to log into OWA without any issues.
This mainly happens when the user is off the network working from home.
As a test, one of the users who was not having any issues: I connected their laptop to my hot spot and restarted Outlook. Outlook right away prompted for a password; I entered the password and Outlook asked for it again as if it were wrong. I deleted the password entry out of the password manager; same issue. If I reconnect the user back to the company WiFi or LAN, then Outlook is OK.
The same issue happened with another user on the LAN network, but it seemed that his AD account got locked out. Might have been due to the password expiring and then a mobile device locking the account.

Any suggestions where to start looking?

I have more than 50 desktops running Windows 7 Pro. All the desktops have an account in Server 2012 AD.
I am trying to accomplish 2 things:

1 - How do I get a report running from the server (or from a 3rd party program) showing me a list of drivers installed on every single desktop? I found out that some of the computers don't have the printer drivers installed on them, and I can't go sit at every one of them to see which ones are missing the drivers.

2 - Can I use GPO to activate Windows 7 (the OS)? If not, is there another way of deploying the activation at once from a single machine?
