Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


We are using a new network IOC tool.
It is identifying a lot of network traffic activity as possible malicious file share enumeration.
It appears to be normal activity but I don't know how to identify the root cause.

The help documents in the tool state (top line is the recommendation, the --- is a comment from me):

The host is accessing a large number of file shares as an end user attempts to find a particular file or directory
       --- For each alert, the host is a user with elevated access rights, for example a network admin or helpdesk tech.
Ask the user of the host whether she has any knowledge of accessing the listed file shares
       --- They don't remember accessing any of the files listed.
Check the file server logs to see what files were accessed on the shares
       --- I don't have access to do this, but I don't see anything odd in the SIEM.
If the file share access continues and remains unexplained, determine which process on the internal host is accessing the file shares; in Windows systems, this can be done using a combination of netstat and tasklist commands
       --- No access rights to do this

The PCAPs all show SMB2 errors - is this coincidental or could it be related?

The dashboard shows the alert as file share enumeration with the following information:

Host - an end user who is a helpdesk tech with elevated access rights
Source - A VLAN server
Targets - 14 devices that are a combo of desktops and servers
Enumerated …

Several years ago, I transferred all of my users and computers from one Windows 2003 domain to a new Windows 2003 domain. Ever since the transfer I have had issues joining any ESX server to my domain. I do not believe it is an ESX issue, but an issue with my Active Directory. My PDC is now running Windows 2012 and the issue persists. I have exhausted every avenue I can think of to find why I cannot join the domain. I installed 2012 as a virtual machine and created a test domain. I was able to join the ESX server on the first try without issue. I have compared my Default Domain Policy, Default Domain Controller Policy, Local Security Policy and AD permissions to the fresh install and they are the same.
Guys, I have a problem I need to solve urgently.

I have users who log in to an application in domain A (client's domain) using a UserID of domain B (my domain).
The client application located on desktops of domain A fails to log on the user with error code 80090311 (there are currently no logon servers available to service the logon request).

In fact, I do not see any failure audit on the DC of my domain B, but I do see a failure audit on the application server of my domain B (code 0xc000005e, no logon servers).

Additionally, after turning netlogon debug on DC of my domain B, I see these entries
NlSetStatusClientSession: Set connection status to c000005e
NlSessionSetup: Session setup Failed
I_NetLogonGetAuthData failed: (null) DOMAIN_A (Flags 0x1): 0xc000005e

What could be the cause?

Who actually needs to speak to Domain A (trusted domain)? Is it just the DC of my Domain B, or also the application server (member server of my Domain B)?

Hi guys

We have an Exchange 2010 environment. I want to set a temporary password for someone so that they can set one for themselves. So I have done so and set the check box to 'user must change password at next logon' in AD. They will be external so the only way they can access our emails will be via OWA.

But when I go to OWA and put the temporary password in and their username, it does not prompt them to enter a new one?! This has been happening for anybody I create recently. I wonder if Exchange just needs a reboot?

Any ideas why?
Thanks for helping
Hello Team,

Can someone please provide me with a nice PowerShell cmdlet to pull out information from AD?
Please see below the information needed:

All users. Include username, name, description, create date, last login date, last password change date, account disabled, and user password configuration.
The script below is working fine. When the script executes with | Export-Csv added, I get the error "empty pipe element is not allowed".

Thanks in advance

Import-Module ActiveDirectory
$users = Get-Content "C:\input.txt"

# A foreach *statement* cannot be followed by a pipe (that is the "empty pipe element is not allowed" error).
# Wrapping it in a script block (& { ... }) turns its output into a pipeline that Export-Csv can consume.
& {
    foreach ($SamAccountName in $users) {
        Get-ADPrincipalGroupMembership -Identity $SamAccountName |
            Select-Object -Property name, distinguishedname, @{n='samaccountname'; e={$SamAccountName}}
    }
} | Export-Csv -NoTypeInformation c:\1.csv


I have about 8-10 computers out in the manufacturing area. Most are not assigned to a specific user. So they are sort of kiosks that any employee can walk up to and use. There are a few different things users could do with the computer, and the conflict between these tasks has me confused on how to best set them up.

First off, we have a domain with Microsoft active directory. Every computer and user is on the domain.

One main use of the computer is the ERP system. In the factory, it uses a walk-up kiosk interface. The user enters their employee number and logs on/off a job, accesses data, or whatever. When they are done, the next person keys in their ID and does what they need. The ERP software automatically logs in based on the windows account logged in, and each account name must be different. So the idea was you'd log into Windows using "Kiosk 1", "Kiosk 2", etc. Each of those accounts would be set up as a service account on the domain.

However, some users also need access to network folders. They will be running tests, diagnostics, and such and will need to save data on network locations. Or they will need to access data on the network to do their job. My network folders are locked down with security groups and permissions. So I have concerns about making a walk-up kiosk have access to folders on the network.

So I'm trying to find a way to satisfy both needs on the same computer. Making users "switch users" between the kiosk account and their own was my first …
Hello -

I am looking for a way to change a bulk of computer names within a Windows Server 2012 multi-domain AD structure. We have many computer names that need to be updated to our new naming convention. I appreciate all your help!

After downloading some tool from the Internet (e.g. PuTTY) I noticed that I am not able to run it.
I must right-click and disable "block" for the specific .exe file in order to use it.
This happens on all servers in this AD domain, so I guess there is some policy.
How can I verify this?
Thank you very much
I know a little bit about ADFS, but I need to know more about the ADFS structure and how it works.

any questions and answers on the topic will help.

I'm looking to run a PowerShell command (probably against AD) that will export a list of all AD accounts and what Workstations they have logged into

Exporting the following SAMAccountName,UserPrincipalName,LastLoginComputer...
We use Active Directory on a domain and I prefer to use Mozilla Firefox as a web browser. I am trying to add pop-up exceptions for certain websites. How can I do this without having to log in to each user's account and set it in their Firefox profile?

Thank you
Hi Experts,

We run an Active Directory 2008 R2 domain and forest, with some 2012 R2 in it.
All DNS servers are also AD controllers.
When we add a DNS record, should that replicate instantly, or do we need to wait for the replication schedule?
Is there a way to sync DNS records instantly?


I have one question regarding Windows Server licencing and I do not understand that part.
I am using Windows Server 2016.

I have a licence that says Windows Server 2016 / 10 cores per server. What does that mean in practical terms?

Next, I have CALs for Win2016 server = 25 CALs - does that mean I can add 25 machines/users to Active Directory and they can access the server, or can I use the same licence key for 25 devices, including client and server machines?

Thank you
Hi, urgent query, looking to get this done.

Found below script at http://www.morgantechspace.com/2014/04/Create-Bulk-AD-Users-from-CSV-using-Powershell-Script.html

Have a test csv attached, I want to add exchange mailboxes and also 3 more security groups "Test members" "Test 2017" and "Test Wifi" what is the best way to do this?

Would it be just Add-ADGroupMember "Domain Admins" "Test members" "Test 2017" "Test Wifi" $_."samAccountName";

Import-Module ActiveDirectory
Import-Csv "C:\Scripts\NewUsers.csv" | ForEach-Object {
    $userPrincipal = $_."samAccountName" + "@TestDomain.Local"
    New-ADUser -Name $_.Name `
        -Path $_."ParentOU" `
        -SamAccountName $_."samAccountName" `
        -UserPrincipalName $userPrincipal `
        -AccountPassword (ConvertTo-SecureString "MyPassword123" -AsPlainText -Force) `
        -ChangePasswordAtLogon $true `
        -Enabled $true `
        -EmailAddress $_."EmailAddress"
    # As posted, this adds every imported user to Domain Admins; point it at the group the users actually need.
    Add-ADGroupMember "Domain Admins" $_."samAccountName"
}   # the closing brace of the ForEach-Object block was missing in the posted script

>Should contain only lower-case characters and numbers and the only special characters allowed are "_" and ".". So: ("[a-z0-9_.]")
> If there is no "." in the username, the script should ask for confirmation before creation of the user. The message should be:
"The username does not contain a dot, are you sure you want to continue?"
>Maximum amount of characters = 31
> Minimum amount of characters = 3
And how to create a user in a specific CN [Built-in OU] with manual entry?

I have 600 user accounts (within OU14, OU15, OU16, OU17) that I have extracted into a Notepad file. I need to delete all these user accounts from our Active Directory as they are not required any more. Is there any script or batch file or command that I can use to delete all these user accounts?
If so, please post me the syntax to safely delete them from the AD.

My AD structure is like this:

Thanks and any help would be great.
I had this question after viewing Disabling auto logons in Internet Explorer 11.

My users like to save their ID/Passwords when accessing my Active Directory secured intranet website. Based on a manager request, I need to know if there's a way my website (or an IIS setting) can force the user to always authenticate.
Any help here would be appreciated...
Hello, in my company we are planning on starting to decommission our local forest. It is a one-domain forest with 8 domain controllers. We are currently in the process of migrating, building local servers in our parent company's domain.
Can anyone recommend any good books that walk you through the steps, mention important points to consider,
and help with planning domain/forest decommissioning, etc.? Thanks in advance.

Hello, we have a cluster of ESXi hosts that are members of our local domain, and all VMs on those ESXi hosts are also members of our local domain. I would like to make one of these VMs a member of the parent domain. Is this possible? I have heard from other people that it is not possible because the ESXi host the VM resides on is a member of the local domain, so the only other option would be to create a new VM in the parent domain and replicate the data over? Please assist, thanks in advance. We have a 2-way trust between the 2 domains.
I need to change the domain name in all users' logon names,
so instead of john@companyA.com change to john@companyB.com,
in the user's properties Account tab.

How can it be done please?
Hi All,

Can anyone here please let me know what I need to do in order to successfully cut over the anti-spam solution from the on-premise Linux VMs to the cloud solution with no data loss or user email flow interruptions?

At the moment on my Exchange 2013, the Send Connector Smarthosts list the local IP addresses of the 2x Linux VMs.

Do I just change it to the Public IP address of the Cloud Anti-Spam provider ?

Note: My Public DNS server is running on my On-premise Windows Server 2008 R2 VMs.

I need to create a script to spin up a Domain Controller (RODC and writable) in the event of an emergency. In case the DC tanks, admins should be able to easily spin up a replacement using a script. This would eliminate human errors and increase recovery speed.
Can someone point me in the right direction on how it's being done and share experiences?
Thanks in advance!
Modern Authentication is NOT enabled.

Is this possible?
When I block all from the outside I do not see Teams identifying itself here:

I only see:

Caller identity: 
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) 


I have set up DFS over four servers and I am getting strange errors when I run the health report. One server has this error:
This member is waiting for initial replication for replicated folder Users and is not currently participating in replication. This delay can occur because the member is waiting for the DFS Replication service to retrieve replication settings from Active Directory Domain Services. After the member detects that it is part of replication group, the member will begin initial replication.
There are 10 shares on each machine, but only one of the shares on that particular machine is showing that issue.  However, looking at the actual server it is replicating fine, as the files have been updated within the last 3 hours.  I originally set up DFS about a month ago, so that error should not exist.
