Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


We have Windows 2012 Domain Controllers and Windows 10 workstations on our network. We have gone with O365 and we are going to use SharePoint Online, and our Active Directory gets synced with Azure AD.
We have 100 staff and I would like to create a security group called "All Staff group" and would like to give permissions to this group to access the resources.
Firstly, do I need to create a Universal Security group or a Global Security group?
Secondly, after creating this group, do I need to add all the 100 staff to this group?
Thirdly, do I need to add any values in the attributes?

Any tutorials and help much appreciated.

Some of the printers I've been sharing to my users using GPO are not visible in the 'printer section' of the Control Panel. But I can see them using 'get-printer' in Powershell. And they're visible in the printer dialogue of programs like Word or Excel.

But since they're not visible in the Control Panel I had to use Powershell to make one of them the default printer.

Anyone know why this is happening?
Our company website is working fine and is accessible externally however all internal clients cannot access the site through our Smoothwall filter.

Our website is on the same domain as our internal domain and we have a www record in DNS pointing to the external web server’s IP address.

None of our clients can navigate to or ping the website. I logged into the Smoothwall and under the IP Tools section ran a ping to the company website and got 100% packet loss, yet pings to all other and obviously blocked sites get through fine, so it's not filtering.

Also, if I run the ping tests from the 4 internal Ethernet port interfaces we have set up in Smoothwall I get a 100% failure, yet if I use the external Ethernet port it gets a working ping.

It seems to be a DNS issue and the Smoothwall doesn’t seem to know how to either get to our website or deal with the response back from our internal DNS server, or possibly isn’t getting a response back.

The strange issue that has really stumped me is both my IP address and one other in our internal range can access the site fine internally. My IP and the second one that works are both added as Exceptions in the Smoothwall but so are my colleagues and they are all getting site unavailable.

This has been working fine. Any ideas/pointers?
TGT was requested

Based on the ultimatesecurity website I have noticed the following regarding the "TGT was requested" issue (aka event 4768):
"At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 4768 (authentication ticket granted)".

However, when monitoring the systems, I remarked that some accounts (not so many) keep on requesting TGTs during the whole day.
Based on my observations, no one is actually logging on to the related systems (especially during midnight or the early hours of the morning, 03:00 or 04:00 am for instance).
So why do I see a lot of TGT requests coming from these accounts? Can this be considered an IOC, or could certain software be requesting a certain access?
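An added example (not part of the original question, and not code from the site): one way to triage this is to group 4768 events by account and flag the accounts whose TGT requests fall outside business hours, so each one can be checked against the scheduled tasks, services and monitoring agents known to run under it. The event objects below are constructed sample data; the function name, the business-hours window and the threshold are assumptions, and a live pull from the Security log is sketched in the comments at the end.

```powershell
# Added example: report accounts whose Kerberos TGT requests (event ID 4768) cluster
# outside business hours. $Events holds objects with TimeCreated, Account and Client.
function Get-OffHoursTgtRequests {
    param (
        [Parameter(Mandatory = $true)][object[]]$Events,
        [int]$StartHour   = 7,    # business window start, inclusive (assumed)
        [int]$EndHour     = 19,   # business window end, exclusive (assumed)
        [int]$MinOffHours = 2     # only report accounts with at least this many off-hours requests
    )

    $Events | Group-Object -Property Account | ForEach-Object {
        $all = $_.Group
        $off = @($all | Where-Object { $_.TimeCreated.Hour -lt $StartHour -or $_.TimeCreated.Hour -ge $EndHour })
        if ($off.Count -ge $MinOffHours) {
            [PSCustomObject]@{
                Account       = $_.Name
                TotalRequests = $all.Count
                OffHours      = $off.Count
                OffHoursRatio = [math]::Round($off.Count / $all.Count, 2)
                # distinct source addresses: one host every hour looks like a service or task,
                # many hosts for one account is a different question
                Clients       = (($off | ForEach-Object Client | Sort-Object -Unique) -join ';')
                FirstOffHours = ($off | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
            }
        }
    }
}

# Constructed sample data: an interactive user with daytime requests, a service account that
# asks for a TGT every hour overnight from one host, and a user with a single early request
# (below the threshold, so it does not clutter the report).
$sample = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2019-03-04T08:05:00'; Account = 'alice';      Client = '10.0.0.21' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2019-03-04T13:40:00'; Account = 'alice';      Client = '10.0.0.21' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2019-03-04T17:55:00'; Account = 'alice';      Client = '10.0.0.21' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2019-03-04T01:00:00'; Account = 'svc-backup'; Client = '10.0.0.5'  }
    [PSCustomObject]@{ TimeCreated = [datetime]'2019-03-04T02:00:00'; Account = 'svc-backup'; Client = '10.0.0.5'  }
    [PSCustomObject]@{ TimeCreated = [datetime]'2019-03-04T03:00:00'; Account = 'svc-backup'; Client = '10.0.0.5'  }
    [PSCustomObject]@{ TimeCreated = [datetime]'2019-03-04T04:00:00'; Account = 'svc-backup'; Client = '10.0.0.5'  }
    [PSCustomObject]@{ TimeCreated = [datetime]'2019-03-04T06:30:00'; Account = 'bob';        Client = '10.0.0.33' }
)

Get-OffHoursTgtRequests -Events $sample | Format-Table -AutoSize

# Live pull, run on a DC with the "Audit Kerberos Authentication Service" subcategory enabled.
# EventData fields are read by name from the event XML, so nothing depends on field order.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object {
#         $data = ([xml]$_.ToXml()).Event.EventData.Data
#         [PSCustomObject]@{
#             TimeCreated = $_.TimeCreated
#             Account     = ($data | Where-Object Name -eq 'TargetUserName').'#text'
#             Client      = ($data | Where-Object Name -eq 'IpAddress').'#text'
#         }
#     }
# Get-OffHoursTgtRequests -Events $live | Export-Csv offhours-tgt.csv -NoTypeInformation
```

A steady hourly pattern from a single client is what a scheduled task or service under that account looks like; the report is the starting point for confirming that against the task scheduler and service configuration on the client host rather than a verdict on its own.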
Is there a way to remove "Groups" from the ribbon bar in Outlook 2016 through Group policy or other means?

Here is an image, which I can manually remove:
I have a Windows Server 2016 Standard server with a domain with local machines. I would like to integrate this server with existing Office365 users and Azure servers for email and single sign-on. Is it better to use the Essentials Office365 integration, the Azure Active Directory integration, or AADConnect?
I had this question after viewing LDAP access/integration to external company for web single sign-on.

So, I need to integrate Active Directory with the Meraki Sign-On Splash Page and delegate the management of this access to a third person who is not part of the IT support team.
When using JavaScript to write a Microsoft Active Directory Distinguished Name (DN), how should the spaces in an OU name be written?
Example: var from = "CN=TestSvrName,OU=Server Admin Groups,OU=AdminGroups,OU=Admin,DC=COMPANY,DC=COM";
Notice the spaces between Server Admin and Groups.
My code is returning error: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0
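An added example (not from the original question or the site) that shows the escaping rules for a DN: spaces inside a value such as "Server Admin Groups" are written as-is, and only a leading or trailing space, a leading '#', and the characters , + " \ < > ; need a backslash (RFC 4514). A NO_OBJECT error means the path does not exist as written, so the second function walks the DN from the leaf towards the root to find the first container that is missing. The function names are assumptions; the DN is the one from the question.

```powershell
# Added example: escape one RDN value the way the directory expects it.
function ConvertTo-EscapedRdnValue {
    param ([Parameter(Mandatory = $true)][string]$Value)

    # Backslash first, so the backslashes added below are not escaped a second time.
    $escaped = $Value.Replace('\', '\\')
    foreach ($ch in ',', '+', '"', '<', '>', ';') {
        $escaped = $escaped.Replace($ch, '\' + $ch)
    }
    # Only a leading '#' or space and a trailing space are special; inner spaces stay as they are.
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

# Build a DN from raw (unescaped) Type/Value pairs, leaf first.
function New-DistinguishedName {
    param ([Parameter(Mandatory = $true)][hashtable[]]$Rdns)
    $parts = foreach ($rdn in $Rdns) {
        '{0}={1}' -f $rdn.Type, (ConvertTo-EscapedRdnValue -Value $rdn.Value)
    }
    return $parts -join ','
}

# Walk the DN upwards and return the highest level that does not exist ($null if all exist).
function Find-FirstMissingContainer {
    param ([Parameter(Mandatory = $true)][string]$Dn)
    $rdns = $Dn -split '(?<!\\),'            # split on unescaped commas only
    $missing = $null
    for ($i = 0; $i -lt $rdns.Count; $i++) {
        $candidate = $rdns[$i..($rdns.Count - 1)] -join ','
        $exists = $false
        try { $exists = [adsi]::Exists('LDAP://' + $candidate) } catch { $exists = $false }
        if ($exists) { break }               # this level exists, so everything above it does too
        $missing = $candidate
    }
    return $missing
}

# The DN from the question, assembled from raw values: the spaces come through untouched.
$dn = New-DistinguishedName -Rdns @(
    @{ Type = 'CN'; Value = 'TestSvrName' }
    @{ Type = 'OU'; Value = 'Server Admin Groups' }
    @{ Type = 'OU'; Value = 'AdminGroups' }
    @{ Type = 'OU'; Value = 'Admin' }
    @{ Type = 'DC'; Value = 'COMPANY' }
    @{ Type = 'DC'; Value = 'COM' }
)
$dn
# On a domain-joined machine, report the first container that is missing:
# Find-FirstMissingContainer -Dn $dn
```

The same escaping rules apply whatever language builds the string; the JavaScript in the question only needs the backslashes doubled inside its string literal.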
I am trying to use PowerShell to get all Active Directory users that have a certain attribute "title:staff" and are NOT a member of a specific group "all-staff".

Things tend to time out as there are plenty of users in the same OU, so limiting by searchbase doesn't really help, and Get-ADPrincipalGroupMembership does not work - having to expand members property into a file to get all members.

The problem is how do I get all non-members that also have that particular attribute? What would the filter look like, and would it have to be done with some sort of a "foreach" operation, so it is split into individual commands that won't time out, even if they take longer as a whole?

Maybe if I get a list "A" of all people with the attribute, and then check against list B that has all existing all-staff members, and if in A and NOT in B output "name" to a specific file?

Or something completely different?
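An added example (not from the original question or the site) of the "list A minus list B" approach: the group's member DNs are read once into an in-memory set, and the user search is filtered against that set while it streams in pages, so no per-user group lookup and no single huge result set is needed. The function name is an assumption; the group name and attribute value are the ones from the question, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: users with title=staff that are not direct members of all-staff.
Import-Module ActiveDirectory

function Get-StaffNotInGroup {
    param (
        [string]$Title      = 'staff',       # fixed value; not taken from user input
        [string]$GroupName  = 'all-staff',
        [string]$SearchBase = $null          # optional OU DN to narrow the search
    )

    # List B: every direct member DN of the group, in a case-insensitive set.
    $group   = Get-ADGroup -Identity $GroupName -Properties member
    $members = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $group.member) { [void]$members.Add($dn) }

    # List A: users with the attribute, evaluated server-side and returned in pages of 500
    # so a large OU is streamed rather than collected as one timed-out result.
    $params = @{
        LDAPFilter     = "(&(objectCategory=person)(objectClass=user)(title=$Title))"
        Properties     = 'title'
        ResultPageSize = 500
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    # A minus B
    Get-ADUser @params | Where-Object { -not $members.Contains($_.DistinguishedName) }
}

# Usage: write the names to a file
# Get-StaffNotInGroup | Select-Object Name, SamAccountName |
#     Export-Csv -Path .\staff-not-in-all-staff.csv -NoTypeInformation
```

Because the membership test is an in-memory lookup, the cost is one group read plus one paged user search regardless of how many users the OU holds. Only direct members are considered; if nested groups count as membership for your purposes, expand the group with Get-ADGroupMember -Recursive before filling the set.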
I've accidentally deleted my domain user account and I want to recover it. I read there's a way to do it using LDP, which I will try. My question is: I first recreated my account using the same username, so do I need to delete this new account before bringing back the old account? Or will it rename it and "move it out of the way", so to speak? Has anyone used LDP to restore a domain account before? Any pitfalls?

Hi, I am in the process of adding new Windows Server 2016 domain controllers into my existing AD environment, which currently hosts Windows Server 2008 R2 domain controllers exclusively.

FFL = Windows Server 2008 R2
DFL = Windows Server 2008 R2

Features Enabled = AD Recycle Bin

AD Schema = 87 (Windows Server 2016)

Already migrated from FRS to DFSR.

Which brings me to my question.

When I migrated my current Windows Server 2008 R2 domain controller environment from FRS to DFSR, I noticed that the SYSVOL folder was replaced by a new folder called SYSVOL_DFSR.

So, when I introduce these new Windows Server 2016 domain controllers into my existing domain environment will I need to make sure they create a SYSVOL_DFSR folder under the "Active Directory Domain Services Configuration Wizard / Paths" during the installation of the AD DS server roles or will the default SYSVOL work just fine on them even though the existing Windows Server 2008 R2 domain controllers won't have that folder for replication?

Just wondering.

Thanks in advance.
Hi, I am in the process of adding new domain controllers (Windows Server 2016) into my AD environment, which currently hosts Windows Server 2008 R2 domain controllers.

FFL = Windows Server 2008 R2
DFL = Windows Server 2008 R2

Features Enabled = AD Recycle Bin

AD Schema = 87 (Windows Server 2016)

Already migrated from FRS to DFSR.

My question is probably a simple one, but I still need to ask it anyways.

When installing the AD DS server role on the new Windows Server 2016, should I use the same DSRM (Directory Service Restore Mode) password as I have for my current Windows Server 2008 R2 domain controllers?

Or can I use a different DSRM password for these new Windows Server 2016 domain controllers, which will eventually replace my current Windows Server 2008 R2 domain controllers?

Just want to leave no stones unturned as I proceed. The last time I had to introduce new DCs in my environment was back in 2011. So, I am a little rusty and have been refreshing up on the process, as well as checking for any changes since then.

Just wondering.

Thanks in advance.
AeroHive WiFi Radius Question.

Authentication issues when running Radius on the AP.

I know this is a specific product related question but I'll give it try nonetheless...

I configured an AeroHive 250 AP as a RADIUS server, I'm using Windows Active Directory in the back end for user authentication. When I create user accounts in AD and assign the password, connecting to the WiFi network works fine. If I set "User must change password at next logon" on the AD account, users are not able to connect to the WiFi. This is not an AD issue because if I run Windows RADIUS (NPS) users have the ability to change the password when connecting to the WiFi.

Is there a setting that needs to be enabled on the AP RADIUS function that will allow users to change the password when authenticating over the WiFi network?

I want to limit certain users from being able to "copy" files/folders from the Server to their local C drive / USB drive / CD drive / DVD drive, etc.

Note: the same domain users should be able to create/modify/delete those same files/folders on the Server.

I am running Windows 2016 Server Standard along with Active Directory, etc.
I have a script to create an AD user and add it to its respective security groups. This script works 80% of the time without issues, but sometimes I have the problem that it cannot add the user to its group because it cannot find the recently created user. If I add a delay it fixes the problem. I want to fix it without adding the delay. Any suggestions?

function New-OPAdDomainStudent {
    <#
    .SYNOPSIS
       Short description
    .DESCRIPTION
       Long description
    .EXAMPLE
       Example of how to use this cmdlet
    .EXAMPLE
       Another example of how to use this cmdlet
    #>
    param (
        # $SamAccountName is used below but its declaration was cut from the post; assumed to be a parameter
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName,
        $HomeFolderPath = "\\\students$",
        $HomeDrive = "H:",
        $OU = "DOMAIN Students"
    )

        $EmailSuffix = ""
        $Email = $SamAccountName + $EmailSuffix
        $HomeFolder = Join-Path -Path $HomeFolderPath -ChildPath $SamAccountName
        $OuDn = (Get-ADOrganizationalUnit -Filter {Name -eq $OU}).DistinguishedName
        if ($OuDn -eq $null) {
            log -message "Unable to find OU $OU, exiting" -level Error
            return    # leave the function, as the message says; without this the script carried on
        }
        $Password = "Welcome"
        $EncryptedPassword = ConvertTo-SecureString $Password -AsPlainText -Force
        log -message "Creating account $SamAccountName" …
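An added example (not from the original question or the site) of the usual fix for this symptom: the user is created on one domain controller while the group update is sent to another that has not received the new object yet, so adding a delay waits for replication. Pinning every call to the same writable DC with -Server, and passing the object returned by New-ADUser -PassThru instead of searching for it again, removes the race without a sleep. The function name, OU DN and group names are assumptions.

```powershell
# Added example: create the account and its group memberships against one explicit DC.
Import-Module ActiveDirectory

function New-StudentWithGroups {
    param (
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$OuDn,          # e.g. 'OU=DOMAIN Students,DC=example,DC=com' (assumed)
        [Parameter(Mandatory = $true)][string[]]$Groups,
        [Parameter(Mandatory = $true)][SecureString]$Password
    )

    # Discover one writable DC up front and use it for every call in this function.
    $dc = Get-ADDomainController -Discover -Writable |
          Select-Object -ExpandProperty HostName | Select-Object -First 1

    # -PassThru returns the created object (DN, SID, GUID), so the group update can reference
    # it directly; the DC that just wrote it does not need to search for it.
    $user = New-ADUser -Server $dc -Name $SamAccountName -SamAccountName $SamAccountName `
        -Path $OuDn -AccountPassword $Password -Enabled $true -PassThru

    foreach ($group in $Groups) {
        # Same -Server: the membership is written where the object already exists.
        Add-ADGroupMember -Server $dc -Identity $group -Members $user
    }

    # Read back from the same DC to confirm the memberships before returning.
    return Get-ADUser -Server $dc -Identity $user.DistinguishedName -Properties memberOf
}

# Usage (placeholder values):
# $pw = Read-Host -AsSecureString 'Initial password'
# New-StudentWithGroups -SamAccountName 'jdoe' -OuDn 'OU=DOMAIN Students,DC=example,DC=com' `
#     -Groups 'Students', 'Library Users' -Password $pw | Select-Object Name, memberOf
```

The change replicates to the other DCs afterwards as usual; what matters is that the create and the membership write both land on the DC that already has the object.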
What is the best way to get a list of Active Directory users via ADSI? The typical PowerShell cmdlet is Get-ADUser -Filter *, which returns the attributes DistinguishedName, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName by default. What is the equivalent command in ADSI?
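An added example (not from the original question or the site): a DirectorySearcher query that asks for exactly the attributes Get-ADUser returns by default and converts the two that ADSI hands back as byte arrays (objectGUID and objectSid) into the usual Guid and SID forms. The function name is an assumption; the searcher runs against the current domain unless a search root is given.

```powershell
# Added example: ADSI equivalent of Get-ADUser -Filter *, with the same default attributes.
function Get-AdsiUser {
    param (
        [string]$Filter     = '(&(objectCategory=person)(objectClass=user))',
        [string]$SearchRoot = $null,    # e.g. 'LDAP://OU=Staff,DC=example,DC=com' (assumed); default is the domain
        [int]$PageSize      = 1000      # paging: without it only the first 1000 results come back
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [adsi]$SearchRoot }
    $searcher.Filter   = $Filter
    $searcher.PageSize = $PageSize
    # Only request what is needed; the fewer attributes, the cheaper the search.
    [void]$searcher.PropertiesToLoad.AddRange(@(
        'distinguishedName', 'givenName', 'name', 'objectClass', 'objectGUID',
        'sAMAccountName', 'objectSid', 'sn', 'userPrincipalName'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # first value of a multi-valued property, or $null when the attribute is absent
        $first = { param($name) if ($p[$name].Count -gt 0) { $p[$name][0] } else { $null } }

        [PSCustomObject]@{
            DistinguishedName = & $first 'distinguishedName'
            GivenName         = & $first 'givenName'
            Name              = & $first 'name'
            ObjectClass       = ($p['objectClass'] | Select-Object -Last 1)    # most specific class, 'user'
            ObjectGUID        = [guid](& $first 'objectGUID')                  # byte[] -> Guid
            SID               = New-Object System.Security.Principal.SecurityIdentifier((& $first 'objectSid'), 0)
            SamAccountName    = & $first 'sAMAccountName'
            Surname           = & $first 'sn'
            UserPrincipalName = & $first 'userPrincipalName'
        }
    }
}

# Usage:
# Get-AdsiUser | Select-Object SamAccountName, SID, ObjectGUID, UserPrincipalName
# Get-AdsiUser -SearchRoot 'LDAP://OU=Staff,DC=example,DC=com' -Filter '(&(objectClass=user)(title=staff))'
```

This needs nothing but .NET, so it also runs on machines without the RSAT ActiveDirectory module; the LDAP filter syntax is the same one Get-ADUser -LDAPFilter accepts.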
I found this one, but it is not returning anything; I'm just getting the >> context in my CLI. If I save this to a file I can run it as ./file.ps1 and it works. So, to finalize, I just need it to run in PowerShell without creating a file, and do it on a remote machine.
$ACCOUNTDISABLE       = 0x000002
$DONT_EXPIRE_PASSWD   = 0x010000   # added: the PasswordNeverExpires line below needs this flag (UF_DONT_EXPIRE_PASSWD)
$PASSWORD_EXPIRED     = 0x800000   # note: AD does not store this flag in userAccountControl; msDS-User-Account-Control-Computed carries it

$searcher = [adsisearcher]"(&(objectClass=user)(objectCategory=person))"
$searcher.PageSize = 1000          # added: page the results, otherwise only the first 1000 users come back
$searcher.FindAll() | % {
  $user = [adsi]$_.Properties.adspath[0]
  New-Object -Type PSCustomObject -Property @{
    SamAccountName       = $user.sAMAccountName[0]
    Name                 = $user.name[0]
    Mail                 = $user.mail[0]
    PasswordLastSet      = [DateTime]::FromFileTime($_.Properties.pwdlastset[0])
    Enabled              = -not [bool]($user.userAccountControl[0] -band $ACCOUNTDISABLE)
    PasswordNeverExpires = [bool]($user.userAccountControl[0] -band $DONT_EXPIRE_PASSWD)
    PasswordExpired      = [bool]($user.userAccountControl[0] -band $PASSWORD_EXPIRED)
  }
}

Would anyone happen to have a powershell script to check a bunch of computers AD member of groups from a populated txt file and output to a csv?

Thanks in Advance

I'm trying to import the DISA STIG GPOs from the DOD website.  I've done this before but can't get it working now.

I create new GPO object, right click and select import, but it keeps wanting me to restore from backup (I am selecting to import, not to restore from backup, I'm certain), but the next button is greyed out and I can't import.

I have 2 domains.  One regular domain and one air-gapped domain.  I can import the GPOs on my regular domain, but on the air-gapped domain it wants to force me to restore from backup, and the STIG GPOs don't appear to have backups (or I can't find the right directory).

BTW, I am logged in as a domain admin, and as mentioned I have been able to do it with previous versions of the STIG GPOs.

Any ideas?
I started to build a spreadsheet but decided there must be a better way:

I have a domain with workstation fileshares.
For each:

I've followed common practice in setting local groups (because there are non-joined accesses to be allowed).
One might call this the "permissions" level.

And, I've established domain groups.
One might call this the Role level.

And, I've made the domain groups members of the local groups.
Nice and tidy....  It's easy to remember the structure because it's consistent; i.e. used consistently.

But it's not so easy to analyze because there are groups within groups.  
Who has permission?
Are there any duplicate or conflicting permissions?

What's a good way to *see* all this?
It should be easy.
For a small organization, it should fit on one page.

Part of the challenge is that some of the information is only on the workstation and some is only on the AD Server.  
Maybe a PowerShell script?
I've not found any commercial or other tools that seem to address this.
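An added example (not from the original question or the site) of the PowerShell route: it reads every local group on the workstation, expands each domain group it finds through its nested memberships, and returns one flat row per (local group, principal, path) so duplicates and conflicting grants become visible in a single table. It runs on the workstation (or through Invoke-Command) with the ActiveDirectory module available; the function names are assumptions.

```powershell
# Added example: flatten "local group -> domain group -> user" into one table.
Import-Module ActiveDirectory

# Domain users that are effectively members of $GroupName, with the nesting path that
# grants it. $Ancestors carries the groups already on this branch to stop nesting loops.
function Expand-DomainGroup {
    param (
        [Parameter(Mandatory = $true)][string]$GroupName,
        [string[]]$Ancestors = @()
    )
    if ($Ancestors -contains $GroupName) { return }     # loop: this group contains itself further up
    $branch = $Ancestors + $GroupName
    foreach ($m in Get-ADGroupMember -Identity $GroupName) {
        if ($m.objectClass -eq 'group') {
            Expand-DomainGroup -GroupName $m.SamAccountName -Ancestors $branch
        } else {
            [PSCustomObject]@{ Principal = $m.SamAccountName; Via = ($branch -join ' > ') }
        }
    }
}

# One row per effective member of each local group on this machine.
function Get-EffectiveLocalGroupMembers {
    param ([string]$ComputerName = $env:COMPUTERNAME)

    foreach ($localGroup in Get-LocalGroup) {
        $members = @()
        try { $members = Get-LocalGroupMember -Group $localGroup.Name } catch {
            Write-Warning "Cannot enumerate $($localGroup.Name): $($_.Exception.Message)"
        }
        foreach ($member in $members) {
            $short = $member.Name.Split('\')[-1]   # DOMAIN\name -> name
            if ($member.PrincipalSource -eq 'ActiveDirectory' -and $member.ObjectClass -eq 'Group') {
                foreach ($u in Expand-DomainGroup -GroupName $short) {
                    [PSCustomObject]@{ Computer = $ComputerName; LocalGroup = $localGroup.Name; Principal = $u.Principal; Via = $u.Via }
                }
            } else {
                # local accounts and directly added domain users
                [PSCustomObject]@{ Computer = $ComputerName; LocalGroup = $localGroup.Name; Principal = $member.Name; Via = 'direct' }
            }
        }
    }
}

$effective = Get-EffectiveLocalGroupMembers

# The one-page view: local group, who ends up in it, and through which nesting path.
$effective | Sort-Object LocalGroup, Principal | Format-Table -AutoSize

# Duplicates: the same principal landing in the same local group through two different paths.
$effective | Group-Object LocalGroup, Principal | Where-Object Count -gt 1 |
    Select-Object @{ n = 'Duplicate'; e = { $_.Name } }, Count
```

Running it on each workstation and concatenating the output gives the cross-machine picture the spreadsheet was going to hold; the Via column is what makes "why does this person have access" answerable without clicking through nested groups.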

I have a Windows 2019 file server (not AD joined) in a DMZ with SMB (IP port 445) opened for file share access from an internal Active Directory based network. I'm looking for a method to authenticate to the file share and to manage access to the share for users.
I need to tick the "Manager can update membership list" check box in Active Directory for groups under an OU.
Please note: all I need is for the check box to be selected under an OU, for all groups located under it. I already have the username attached to the managedBy attribute.
I have a script created previously, but it is not working. This script runs and throws no errors, but the check box is still not selected.

Import-Module ActiveDirectory
$searchBase = 'OU=Groups,DC=domain,DC=com'   # fixed: 'OU=Groups=domain,DC=com' in the post is not a valid DN
# schemaIDGUID of the 'member' attribute: the check box is WriteProperty on this attribute for the manager
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
Get-ADGroup -LDAPFilter "(&(objectcategory=group)(managedBy=*))" -Property managedBy -SearchBase $searchBase | ForEach-Object {
      $manager = Get-ADUser -Identity $_.managedBy
      Write-Host "Processing $($_.Name) (managed by '$($manager.SamAccountName)')"
      $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
      # the argument list was cut off in the post; reconstructed as the ACE the check box creates
      $newAce = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
            $manager.SID, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, [System.Security.AccessControl.AccessControlType]::Allow, $memberGuid
      $acl.AddAccessRule($newAce)    # missing in the post: without this Set-Acl writes the ACL back unchanged, hence "no errors, no check box"
      Set-Acl -Path "AD:\$($_.DistinguishedName)" -AclObject $acl
}

I'd like to be able to run a script against one OU at a time to find all the accounts that are:

Password Expired
Account is NOT disabled

I don't want to include accounts with Password Never Expires.
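An added example (not from the original question or the site): both userAccountControl conditions are pushed into the LDAP filter with the bitwise-AND matching rule, and expiry is taken from msDS-UserPasswordExpiryTimeComputed, which the DC calculates from the password age and whichever password policy (default or fine-grained) applies to the account, rather than from a flag. The function name and the OU are assumptions; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: enabled accounts in one OU whose password has expired, skipping
# accounts flagged "password never expires".
Import-Module ActiveDirectory

function Get-ExpiredPasswordAccounts {
    param ([Parameter(Mandatory = $true)][string]$OuDn)   # e.g. 'OU=Finance,DC=example,DC=com' (assumed)

    $UF_ACCOUNTDISABLE     = 0x0002
    $UF_DONT_EXPIRE_PASSWD = 0x10000
    $bitAnd = '1.2.840.113556.1.4.803'      # LDAP_MATCHING_RULE_BIT_AND

    # Server-side: user objects that are NOT disabled and do NOT have "never expires" set.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:$bitAnd:=$UF_ACCOUNTDISABLE))" +
              "(!(userAccountControl:$bitAnd:=$UF_DONT_EXPIRE_PASSWD)))"

    $now = (Get-Date).ToFileTimeUtc()
    Get-ADUser -SearchBase $OuDn -SearchScope Subtree -LDAPFilter $filter `
        -Properties pwdLastSet, msDS-UserPasswordExpiryTimeComputed |
        Where-Object {
            # pwdLastSet = 0 means "must change at next logon": expired by definition.
            # Int64.MaxValue in the computed attribute means "never", which the filter already excluded.
            $expiry = $_.'msDS-UserPasswordExpiryTimeComputed'
            ($_.pwdLastSet -eq 0) -or ($expiry -and $expiry -ne [long]::MaxValue -and $expiry -lt $now)
        } |
        Select-Object SamAccountName, Enabled,
            @{ n = 'PasswordLastSet'; e = { if ($_.pwdLastSet) { [datetime]::FromFileTimeUtc($_.pwdLastSet) } } },
            @{ n = 'PasswordExpired'; e = {
                if ($_.pwdLastSet -eq 0) { 'must change at next logon' }
                else { [datetime]::FromFileTimeUtc($_.'msDS-UserPasswordExpiryTimeComputed') } } }
}

# Usage, one OU at a time:
# Get-ExpiredPasswordAccounts -OuDn 'OU=Finance,DC=example,DC=com' |
#     Export-Csv -Path .\expired-finance.csv -NoTypeInformation
```

Reading the computed attribute instead of a flag matters because the "password expired" bit is not stored in userAccountControl; a script that tests 0x800000 on that attribute reports nothing expired even when accounts are.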
I have created an Azure dynamic device group with a rule
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

In ‘Windows enrolment / windows autopilot devices’
There are 2 devices listed which did indeed autopilot when built.

The group has a status of ‘up to date’ But a last update status of ‘unknown’

We only have a small tenant, the group was created hours ago by an admin. We have a license which supports Intune.

Why doesn’t the group have any members?
I'm wondering what the "rule" would be for this:

On a domain-joined workstation, I run NET GROUP /DOMAIN
and I get a list of Groups for the nearest Domain Controller.
And, if I run the same command line NET GROUP /DOMAIN on the DC, I get the same list as I get on the workstation.

Then, on the nearest Domain Controller, I look at a list of Group names in AD Users and Computers \ Users.
and I see a somewhat different list.
For example,
Allowed RODC Password Replication Group
is in the list on the DC but not reported by the NET GROUP /DOMAIN command.


I have Server 2012 R2 with Windows 10 Pro users. I am trying to prevent computer users from accessing the internet using GPO. I followed the same steps as shown in the following link, but it does not work at all... any ideas?

Thank you.
