Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


I'm having trouble setting group membership for NIS in AD via PowerShell.

I have a script that creates groups, sets their NIS domain and GID, then adds a list of users to the Windows side of the group membership, then recurses through those to check that the users have a NIS domain and UID set (if not, it sets them), and then I want to add the users to the Unix side of group membership.

I've found the property I need to set, "msSFU30PosixMember"; this is the field that populates when I add users via the GUI, but when I populate that field manually (with an array of Distinguished Names), I see nothing in the users list. The weird thing is that it recognises there is "something" there, because the Remove button is clickable in the GUI even with nothing highlighted, whereas usually it's greyed out.

Anyone done this before and know what I'm missing? 95% of my script is working, but this last bit is now rather winding me up, especially as the other fields (NIS Domain, GID, UID etc.) are all working as expected.

Hi all.

I have a 2003 AD forest; all domains are 2008 R2. The forest has 2 domains -
I have SQL servers in domain My account has access to SQL servers.

Here's my question. If I migrate my user account to domain 'one', would I by default still have access to my SQL server?

Thank you for looking
Hi there,

I'm trying to set up a hybrid configuration with Exchange 2010 and Office 365 and I'm unable to complete the Office 365 Hybrid Configuration Wizard. I seem to have an error completing the wizard and I'm getting error HCW8001. Looking through the Microsoft documentation, it's saying that you need to enable DirSync.

I've then connected to the Azure AD shell and typed in Set-MsolDirSyncEnabled -EnableDirSync $true. From the Office 365 Azure AD dashboard, it's saying that AD sync is enabled.

What else can I do to get this part to work?

Dear All,

My lovely colleague has deleted my computer account from a test OU. I haven't rebooted my machine yet. However, I'd like some tips on how to resolve this rather than reimaging my machine.

Thank you all kindly

What's the difference between: VMware Horizon and VMware Horizon Mirage ?

My goal is to be able to deploy personalized virtual desktops (a VDI solution) so that the users in my company can use it like a Terminal Server, but deployed from one Golden Image for standardization.

Previously, in the Citrix world, it was XenDesktop, but in VMware I'm not sure.
VMware ThinApp is the tool/software which can be used to deliver virtualized applications running on the Terminal Server, like XenApp.

Hi All,

Can anyone here please share some tips or steps in Group Policy on how to create the Outlook email signature for each person in different OUs?

For Example: --> Email Signature Template ACC1. --> Email Signature Template IT1. --> Email Signature Template MRK1.

How to do that based on each OU ?

Note: the users are using various different OS and Office products, like:
Operating System: Windows 7 and Windows 10
MS Office: 2010, 2013 and 2016 (some will use 64 bit, but majority is 32 bit)

Any help and guidance will be greatly appreciated,


We had a lot of issues with AD and finally got it back running. But now we have this error popping up all the time.

The processing of Group Policy failed. Windows attempted to read the file \\kaufmann.local\sysvol\kaufmann.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

The path does not exist but the path


How can I fix this so it uses the new path?

To add some information:

  • Windows 2016 Server
  • Virtual Machine
  • The only Active Directory Server at the moment.
Hello Experts,

What is the service impact of enabling modern authentication on a non-federated domain/tenant?

Please elaborate your answer.

Consider a hybrid deployment: AD on prem / Azure Exchange/Office 365, Azure AD Connect to sync to the tenant.
Hello Experts,

My client runs a hybrid organization with following specs:


Several Windows 2012 R2 DCs
Single-forest/single domain
ADFS internal
WAP servers

All mailboxes in the cloud, distributed among two different tenants

Azure AD Connect server, one for each tenant. Both tenants use the same source AD as authoritative to sync to the tenant. Some information is synced to Tenant 1, and other information is synced to Tenant 2.

One domain is called

For business reasons, they created another UPN suffix that calls for another domain [technically it is not a Windows domain], and the name is


Multiple Windows 2012 R2 DCs
ADFS internal servers [primary server resides in the cloud, secondary internal ADFS servers are on PREM]
Express route between on prem and Azure

The organization uses a domain called to sync users/contacts/OUs to Tenant 1, by using AzureADconnectorserver1. This tenant and domain follow the Federated identity model as per the link below.

There are also some OUs/users that are also synced to the second tenant for the domain

Modern Authentication is enabled for the federated domain named The second domain or UPN, which also uses the same authoritative AD on prem, is not federated for some reason.

Having said that, here are the questions:

For a single forest/domain in a …
I have a new boss who doesn't understand what my department does.

I was hoping someone on EE has been in the same situation where they've had to put together an outline of exactly what IT does.

If anyone is willing to share what they have that would be appreciated.

If you have a chart of the IT department that would be GREAT.

Or if anyone has a link to a good site that describes IT, that would also be appreciated.

Need to export users from Google G Suite and import into AD DC 2016. PowerShell script or other tool?

Anyone done that?
Hello all, we have many servers on the domain. I can log in to all of them fine, but whenever I or any other admin tries to log in to server08, we are logged in with a temp profile with the below message.

Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder. 

Any ideas?
I have a hybrid Exchange environment set up (2010 SP3) at; SSO through ADFS/AADSync is working and a few users have been migrated into O365 Exchange.

I have a new domain at is configured/AADSync set up for these users, no Exchange. This is the domain folks will land on.

For AADSync in these two domains, each user is defined by UPN and "appears once in each forest". There is a two-way forest trust set up among the domains.

These two domains sync to the same O365 tenant.

Through a merger I have a 3rd domain:, no AADSync, no hybrid environment.

I need all mail to converge into hosted Exchange in a single tenant.

The plan is to set up hybrid for, so the mailboxes will show up in O365, using AADSync and ADFS, then migrate on-premises mailboxes to hosted, while the UPN for all users is

Users are logging into at present and using old domain credentials to connect to email at both companies.

Question is how do I get the users already synced to O365 to have permissions to the mailboxes in the two other domains? Primary SMTP for each user will remain either or, respectively

Not sure what my next step should be to make this all fit together.
Hello Experts,

I was assigned a new task by one of my clients, who is looking to replace an old VB script that maps network drives based on some criteria.

I need to know which option would be best, whether writing a new PowerShell script or working with Group Policy Preferences in AD.

The current logon script:

Maps several network drives to multiple folders for different departments.

If a machine is part of an OU, then the script will map several network drives.

If a user is a member of a specific group in AD, and based on some AD attribute, then the logon script will map specific network drives.

As you can see, there are different conditions to map network drives for users based on their department, the computer assigned to them and some AD attributes.

Based on your experience, which option is feasible? A PowerShell logon script, Group Policy Preferences, or something else?

I am trying to understand the Microsoft product that fits this if there is one.

OK, so I am familiar with on-premises Active Directory and Group Policy, where we can do things like folder redirection and have people save data to servers etc., plus have various departments share a network location via an AD group.

OK, in a cloud world how can we do this without an on-premises Active Directory, if possible?

What features / product set am I looking at?


Hello - I'm trying to set a screen lock time of 60 minutes for users who log in to our RDS server running Server 2016. I've tried various Group Policy and local settings but can't seem to find the correct one, or some other policy is applying the current 10 minute policy, but I haven't been able to locate that either. Can you assist?
What is the difference between seizing and transferring an FSMO role?

Why can't I seize the Schema Master role?
Hi All,

We are doing a project in which we are upgrading all Windows 2008 domain controllers to Windows Server 2016 (VMs).
The one which will be done first has the NPS role and is a certificate server as well (it doesn't hold any FSMO roles).
Any guidelines which can assist in the upgrades and in demoting the old server?

Looking for a PowerShell script to check the following:

- check all accounts locked in the last 60 minutes (not lockout state, but the actual lockout event)

Items needed: name, UPN, lockout source, domain controller, last bad password, bad password attempts.

Hi All,

My Exchange Server 2013 DAG spreads across 5 mailbox server VMs in three different data center locations.
So each mailbox server holds a mix of 2 active/3 passive or 3 active/2 passive mailbox DBs.

After the nightly successful backup, I can see that some of the mailbox databases are mounted on the server that is activation preference 2.
So the database keeps being mounted on one server after another (changing daily after the successful backup).

Is this the normal behavior of a DAG?
Would there be any impact if I let it automatically fail over to one server nightly, or keep it running on the passive node forever?

Note here are the settings applied for all the Mailbox Database:

AutoDagExcludeFromMonitoring                        : False
AutoDatabaseMountDial                               : GoodAvailability
DataMoveReplicationConstraint                       : SecondCopy
ReplicationType                                     : Remote

And this is the Cluster Properties from one of the DAG member which should be replicated for all nodes:

cluster /prop SameSubnetThreshold=20:DWORD
cluster /prop SameSubnetDelay=2000:DWORD
cluster /prop CrossSubnetThreshold=20:DWORD 
cluster /prop CrossSubnetDelay=4000:DWORD
cluster /prop RouteHistoryLength=40:DWORD

Spun up a DC too fast. Wondering now how to change a DNS domain name from domain.local to and also a NetBIOS name.
Worth the stretch, or easier just to wipe and reinstall?
DC: Win2016 Server Standard.
Trying to deploy an AD and cannot use the NetBIOS name that I want. It says the same already exists.
How can that be if we do not have any domain?
Can it be conflicting with a machine name someone named as such?
Environment: single forest, single domain, 3 DCs all holding a copy of the GC.
DCs are: 2012, 2008 R2

Have a Windows 7Pro workstation that I want to do some GPO testing on.
I am a domain admin
If I run 'gpupdate /force' on the WS, I get:

If I browse to the policy folder that is referenced by the error,  I notice that the :
"......Policies\{9F698386-2D66-47E5-88A1-D5EBCD7E0112}\User"  folder is EMPTY.
And there are USER policies configured...

I've tried a sync of the 2 2008 servers against the 2012 server, with no effect.
Note: we used to manage GPOs on one of the 2008 servers; now we do so on the 2012.
Is there something not working right because we added the 2012 DC into the domain?

Many thanks for any help/guidance..
First time asking a question.
Basically I'm having an issue at my school district. I have many VLANs that are internal, "same building". My DFS servers are on VLAN 5 "IP", and I set up the teachers to use VLAN 10 "IP". They do connect to the DFS server, but it is very slow. If I try \\DFS\DFS it takes upwards of 10 minutes to prompt me for a username or password. But if I go to \\IPAddress it will instantly pop up.
From VLAN 10 I can ping, remote desktop and everything in between to VLAN 5. DFS is the only thing struggling.
Hello People,

When a user goes to the lock screen in Windows 10 they should see an option that says 'reset password'.

This does not show on any of the Windows 10 domain PCs. Why would this be?

Whenever a user says they want to reset their password I do it through Active Directory for them. I know that users can go into User Accounts and start doing things in there, but almost all users do not have access to this location, and it is far more difficult for a general user than going to a button which says 'reset password'.

Where has it gone? I have only just noticed this issue, but it could have been present for a long time.

