Hi,

Some of the printers I've been sharing to my users using GPO are not visible in the 'printer section' of the Control Panel. But I can see them using 'get-printer' in Powershell. And they're visible in the printer dialogue of programs like Word or Excel.

But since they're not visible in the Control Panel I had to use Powershell to make one of them the default printer.

Anyone know why this is happening?

TGT was requested

Dears
Based on utlimatesecurity website I have noticed the following regarding the TGT was requested issue (aka event 4768):
"At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 4768 (authentication ticket granted)".  

However when monitoring the systems ,I remarked that some accounts (not so much) keep on requesting TGT during the whole day
Based on my observations,no one is actually logging on the related systems (especially during midnight or early hours in the morning 03:00 or 04:00 am for instance)
So why I see a lot of TGT requests coming from these accounts?can this be considered as IOC or certain softwares may be requesting a certain access?

I have a Windows Server 2016 Standard Server with a domain with local machines. I would like to integrate this server with existing Office365 users and Azure servers for email and single sign on. Is it better to use the Essentials Office365 integration or the Azure active Directory integration or the AADConnect?

When using JavaScript to write and Microsoft Active Directory Distinguished Name (DN), how should the spaces in an OU name be written?
Example: var from = "CN=TestSvrName,OU=Server Admin Groups,OU=AdminGroups,OU=Admin,DC=COMPANY,DC=COM";
Notice the spaces between Server Admin and Groups.
My code is returning error: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0

I've accidentally deleted my domain user account and I want to recover it.  I read there's a way to do it using LDP, which I will try.  My question I have it I first recreated my account using the same username, so do I need to delete this new account, before bringing back the old account?  Or will it rename it and "move it out of the way", so to speak?  Has anyone used LDP to restore a domain account before?  any pitfalls?

Thanks,
Damian

Hi, I am in the process of adding new Windows Server 2016 domain controllers into my existing AD environment, which currently hosts Windows Server 2008 R2 domain controllers exclusively.

FFL = Windows Server 2008 R2
DFL = Windows Server 2008 R2

Features Enabled = AD Recycle Bin

AD Schema = 87 (Windows Server 2016)


Already migrated from FRS to DFSR.


Which brings me to my question.

When I migrated my current Windows Server 2008 R2 domain controller environment from FRS to DFSR, I noticed that the SYSVOL folder was replaced by a new folder called SYSVOL_DFSR.


So, when I introduce these new Windows Server 2016 domain controllers into my existing domain environment will I need to make sure they create a SYSVOL_DFSR folder under the "Active Directory Domain Services Configuration Wizard / Paths" during the installation of the AD DS server roles or will the default SYSVOL work just fine on them even though the existing Windows Server 2008 R2 domain controllers won't have that folder for replication?



Just wondering.


Thanks in advance.

AeroHive WiFi Radius Question.

Authentication issues when running Radius on the AP.

I know this is a specific product related question but I'll give it try nonetheless...

 I configured an AeroHive 250 AP as a radius server, I"m using Windows Active directory in the back end for user authentication. When i create users account in AD and assign the password connecting to the WiFi network works fine. If I set "users must change the password at the net log" in the AD account users are not able to connect to the WiFi. This is not an AD issue because if I run windows radius (NPS) users have the ability to change the password when connecting to the WiFi.

Is there a setting that needs to be enabled on the AP Radius function that will allow users to change the password when authenticating over the WiFi network???
 

thanks..

Hello:
I have a script to create an AD user and add to its respective security groups, this script works 80% of the time without issues, but sometimes I have the problem that It can not add the user to his group because it can not find the recent create user.  If I add a delay it fixes the problem.  I want to fix it without adding the delay, any suggestions

function New-OPAdDomainStudent
{
<#
.Synopsis
   Short description
.DESCRIPTION
   Long description
.EXAMPLE
   Example of how to use this cmdlet
.EXAMPLE
   Another example of how to use this cmdlet
#>
    [CmdletBinding()]
    [Alias()]
    [OutputType([int])]
    Param
    (
        $SamAccountName,
        $Surname,
        $FirstName,
        $MiddleName,
        $HomeFolderPath = "\\myd-fileserver.mydomain.com\students$",
        $HomeDrive = "H:",
        $ID,
        $OU = "DOMAIN Students"
    )
    Process
    {

        $EmailSuffix = "@students.mydomain.com"
        $Email = $SamAccountName + $EmailSuffix
        $HomeFolder = Join-Path -Path $HomeFolderPath -ChildPath $SamAccountName
        $OuDn = (Get-ADOrganizationalUnit -Filter {Name -eq $OU}).DistinguishedName
        if ($OuDn -eq $null) {
            log -message "Unable to find OU $OU, exiting" -level Error
            Stop-MPScript
        }
        $Password = "Welcome"
        $EncryptedPassword = ConvertTo-SecureString $Password -AsPlainText -Force
        log -message "Creating account $SamAccountName" …

Would anyone happen to have a powershell script to check a bunch of computers AD member of groups from a populated txt file and output to a csv?

Thanks in Advance

John

I started to build a spreadsheet but decided there must be a better way:

I have a domain with workstation fileshares.
For each:

I've followed common practice in setting local groups (because there are non-joined accesses to be allowed).
One might call this the "permissions" level.

And, I've established domain groups.
One might call this the Role level.

And, I've made the domain groups members of the local groups.
Nice and tidy....  It's easy to remember the structure because it's consistent; i.e. used consistently.

But it's not so easy to analyze because there are groups within groups.  
Who has permission?
Are there any duplicate or conflicting permissions?
etc.

What's a good way to *see* all this?
It should be easy.
For a small organization, it should fit on one page.

Part of the challenge is that some of the information is only on the workstation and some is only on the AD Server.  
Maybe a PowerShell script?
I've not found any commercial or other tools that seem to address this.

I have a Windows 2019 file server (not AD joined) in a DMZ with SMB (IP port 445) opened for file share access from an internal Active Directory based network. I'm looking for a method to authenticate to the file share and to manage access to the share for users.

Powershell.


I'd like to be able to run a script against one OU at a time to find all the accounts that are:

Password Expired
Account is NOT disabled

I dont want to include accounts with the Password Never Expires

I'm wondering what the "rule" would be for this:

On a domain-joined workstation, I run:
NET GROUP /DOMAIN
and I get a list of Groups for the nearest Domain Controller.
And, if I run the same command line NET GROUP /DOMAIN on the DC, I get the same list as I get on the workstation.

Then, on the nearest Domain Controller, I look at a list of Group names in AD Users and Computers \ Users.
and I see a somewhat different list.
For example,
Allowed RODC Password Replication Group
is in the list on the DC but not reported by the NET GROUP /DOMAIN command.

Why?