Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Hi, I got a new W10 laptop and configured sign-in with the 365 email account. Now I want to make that account a NON-admin on the PC, but I don't see any option to do so; it doesn't show up under Computer Management or Control Panel when I log in as another local admin account to change it. Please help.

Earlier, when I used to open Outlook 2016, I used to get the Outlook login prompt in which, under the default username, the user's email address used to populate.

But when I disabled Skype auto-launch,

now when users log in to the Outlook prompt, it gives the user's UPN instead of the email address.

Does it mean Outlook is not pulling the address book from Skype?
We have Outlook 2016 and Skype installed.

We don't want Skype to auto-launch.

Can we stop it through Group Policy?
Or is it the default behavior that Skype would auto-launch anyway along with Outlook?
How to pull OU data from a list of emails in AD. I have a .csv file with just the email addresses and need to add a column for location. What would be the easiest way to do this in PowerShell?
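One way to do the lookup described in the question above, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, an input CSV with a header row named "Email", the two file paths below, and that "location" means the user's parent OU plus the Office attribute; all of those are assumptions. The distinguishedName is split by hand rather than on every comma, because a CN such as "Smith\, John" contains an escaped comma that would otherwise produce a wrong OU.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module, a CSV with an "Email" header and the two paths below.
Import-Module ActiveDirectory

$inputCsv  = 'C:\temp\emails.csv'          # assumed input: one column, "Email"
$outputCsv = 'C:\temp\emails-with-ou.csv'  # assumed output path

# Split a distinguishedName into its RDNs while honouring backslash-escaped
# commas ("CN=Smith\, John,OU=Sales,DC=contoso,DC=com" has three RDNs, not four).
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts   = [System.Collections.Generic.List[string]]::new()
    $current = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $DistinguishedName.Length; $i++) {
        $c = $DistinguishedName[$i]
        if ($c -eq '\' -and $i + 1 -lt $DistinguishedName.Length) {
            # keep the escape and the escaped character together
            [void]$current.Append($c).Append($DistinguishedName[++$i])
            continue
        }
        if ($c -eq ',') { $parts.Add($current.ToString()); [void]$current.Clear(); continue }
        [void]$current.Append($c)
    }
    $parts.Add($current.ToString())
    return $parts.ToArray()
}

# The container an object sits in is its DN minus the leading RDN.
function Get-ParentContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    return ((Split-DistinguishedName $DistinguishedName) | Select-Object -Skip 1) -join ','
}

# Escape the characters that have meaning in an LDAP filter (RFC 4515) so an
# odd value in the CSV cannot turn into a broader query than intended.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

Import-Csv -LiteralPath $inputCsv | ForEach-Object {
    $email = $_.Email.Trim()
    # AD string matching is case-insensitive, so the address needs no normalising.
    $user = Get-ADUser -LDAPFilter "(mail=$(ConvertTo-LdapFilterValue $email))" `
                       -Properties mail, physicalDeliveryOfficeName | Select-Object -First 1
    $sam = ''; $ou = 'NOT FOUND'; $office = ''
    if ($user) {
        $sam    = $user.SamAccountName
        $ou     = Get-ParentContainer $user.DistinguishedName
        $office = $user.physicalDeliveryOfficeName
    }
    [pscustomobject]@{ Email = $email; SamAccountName = $sam; OU = $ou; Office = $office }
} | Export-Csv -LiteralPath $outputCsv -NoTypeInformation
```

Rows whose address matches no account are kept with OU set to NOT FOUND rather than dropped, so the output CSV has the same row count as the input and can be diffed against it.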
I'm receiving an Event ID 4515 on my Server 2008 R2 DNS server. It's saying that the zone was previously loaded from the directory partition MicrosoftDNS, but another copy has been found in the partition
I found the following article to resolve it:
But I'll be honest, the idea of deleting directory partitions scares the crap out of me. I just wanted to defer to you guys and make sure this is correct.
Hi experts,

I'm using SQL Server 2019.

I need to create a SQL Server stored procedure that queries Active Directory.

Query 1

Windows PowerShell query - Get Active Directory users whose password will expire in 15 days.

At this link I saw this query for a PowerShell script that queries Active Directory and gets the Active Directory users whose password will expire in 15 days.

List of users with passwords expiring within a certain date range

I replaced the domain with my domain info and then I ran this PowerShell script.

Get-ADUser -Filter * -SearchBase "OU=Users,DC=Contoso,DC=com" -Properties PasswordNeverExpires, msDS-UserPasswordExpiryTimeComputed |
    Where-Object { $_.Enabled -eq $true -and $_.PasswordNeverExpires -eq $false } |
    Select-Object Name, @{Name = 'ExpiryDate'; Expression = { [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed') }} |
    Where-Object { $_.ExpiryDate -gt (Get-Date) -and $_.ExpiryDate -lt (Get-Date).AddDays(15) }

I get this, which is a list of users whose password will expire in 15 days or less.
So this PowerShell query returns the result I need. But I need to query Active Directory from a SQL stored procedure.


Query 2

So to learn how to query Active Directory from a SQL Server query, I looked at this reference, which has the information on how to do it.

Querying Active Directory Data from SQL Server

Step 1:      Create Linked Server
Step 2:      In the SQL query use LDAP information

After I created a linked server with the script in the link above, I then ran this query. But in the query that I ran, I replaced contoso with my domain info.

SQL Server Query
We use folder- and server-specific AD security groups to manage access to our shared folders, and need to replace some of the groups as we are migrating them to a new server.

The folder-specific groups are ServerA-dir-folder-rw, serverA-dir-folder-ro
The server-specific groups are ServerA-dir-rw, ServerA-dir-ro

We need to rename the folder groups to ServerB-dir-folder-rw, serverB-dir-folder-ro - which attributes should we rename - cn, name, sAMAccountName, etc.?

We need to replace the server-specific groups with ServerB-dir-rw, ServerB-dir-ro - we cannot rename those, as they are still in use on Server A. How do I replace these?
The issue is we have a lot of blocked inheritance down the folder structure, so we can't just replace them at the top level.

Thank you!
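An added example for the two operations in the question above, not part of the original post: renaming the folder-specific groups (cn/name via Rename-ADObject, sAMAccountName and displayName via Set-ADGroup; the SID is unchanged, so existing ACLs keep working) and, for the server-specific groups that must stay in use, creating new groups and adding them next to the old ones on every folder. Walking every folder individually is what makes this work across blocked inheritance: a folder with inheritance blocked carries its own explicit ACEs and is visited like any other. The share root D:\Shares\dir, the domain NetBIOS name CONTOSO and the assumption that group names contain no escaped commas are all assumptions.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module, the domain CONTOSO and the share root D:\Shares\dir on ServerB.
Import-Module ActiveDirectory

# Rename-ADObject changes cn/name only; sAMAccountName and displayName are
# separate attributes and need Set-ADGroup. The group's SID does not change.
function Rename-AdGroupFully {
    param([Parameter(Mandatory)][string]$OldName, [Parameter(Mandatory)][string]$NewName)
    $group = Get-ADGroup -Identity $OldName
    Rename-ADObject -Identity $group.DistinguishedName -NewName $NewName
    Set-ADGroup -Identity $group.ObjectGUID -SamAccountName $NewName -DisplayName $NewName
}

# On every folder under $Root, copy each explicit (non-inherited) ACE held by
# $OldPrincipal to $NewPrincipal with identical rights and flags. Returns the
# number of folders changed. -RemoveOld drops the old ACE in the same pass.
function Copy-FolderAce {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$OldPrincipal,   # e.g. CONTOSO\ServerA-dir-rw
        [Parameter(Mandatory)][string]$NewPrincipal,   # e.g. CONTOSO\ServerB-dir-rw
        [switch]$RemoveOld
    )
    $changed = 0
    $folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
    foreach ($folder in $folders) {
        $acl  = Get-Acl -LiteralPath $folder.FullName
        $hits = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $OldPrincipal })
        if ($hits.Count -eq 0) { continue }
        foreach ($ace in $hits) {
            $newAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $NewPrincipal, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($newAce)
            if ($RemoveOld) { [void]$acl.RemoveAccessRule($ace) }
        }
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
        $changed++
    }
    return $changed
}

# Folder-specific groups are not used elsewhere, so they can simply be renamed.
Rename-AdGroupFully -OldName 'ServerA-dir-folder-rw' -NewName 'ServerB-dir-folder-rw'
Rename-AdGroupFully -OldName 'serverA-dir-folder-ro' -NewName 'serverB-dir-folder-ro'

# Server-specific groups stay in use on ServerA: create new ones alongside,
# copy the membership, and add the new group beside the old ACE on every folder.
foreach ($suffix in 'rw', 'ro') {
    $old = Get-ADGroup -Identity "ServerA-dir-$suffix"
    # parent container = DN minus the leading RDN (assumes no escaped commas in the name)
    $container = $old.DistinguishedName -replace '^CN=[^,]+,', ''
    $new = New-ADGroup -Name "ServerB-dir-$suffix" -SamAccountName "ServerB-dir-$suffix" `
               -GroupScope $old.GroupScope -GroupCategory Security -Path $container -PassThru
    $members = @(Get-ADGroupMember -Identity $old)
    if ($members.Count -gt 0) { Add-ADGroupMember -Identity $new -Members $members }
    $n = Copy-FolderAce -Root 'D:\Shares\dir' -OldPrincipal "CONTOSO\ServerA-dir-$suffix" -NewPrincipal "CONTOSO\ServerB-dir-$suffix"
    "ServerB-dir-$suffix added on $n folder(s)"
}
```

The old ACEs are deliberately left in place; run Copy-FolderAce again with -RemoveOld once access through the ServerB groups has been verified, so a mistake in the new groups never locks users out of the data mid-migration.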
When users log into their Windows workstation, how does the workstation talk to the domain controller?

Is it through the LDAP protocol?

Also, when users open Outlook, how does it communicate with the DC?
Can I do an in-place upgrade of Windows Server 2008 R2 to 2012 R2?

I believe I need to use an ISO image of Windows Server 2012.

How can I migrate contents (files and folders) when I bring up a standalone Windows Server 2012 R2 and want to migrate contents from Windows Server 2008 to 2012,

or from 2012 R2 to 2016 R2?
We're trying to implement a GPO that will block USB storage devices.
It appears that there are at least two approaches at the broad design level:
1) Apply the GPO to users.
2) Apply the GPO to computers.
We tried applying a new GPO to users like this:
  • Set up a User's Security Group
  • Set up a GPO with Scope including the User's Security Group
  • and with Authorized Users having READ and NOT Apply GPO
  • Then, the GP settings for removable storage are added as well
  • Then the GPO is linked to the User's OU
  • Then blocked Users are added to the User's Security Group
It didn't work for us.  

The other approach would seem to be:
  • Set up an OU of Computers
  • Create a simple GPO with the same settings for removable storage
  • Link the GPO to an appropriate Computer OU or set of them
  • Move pertinent computers into the appropriate Computer OUs

I haven't done the latter yet but I have more confidence in it.

Any suggestions?
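The computer-side design from the question above, as an added example that is not part of the original post. Computer Configuration policy is applied by the computer account at boot and refresh, so the scope that matters is the computer OU (or a group of computers) rather than the logged-on user. The GroupPolicy RSAT module, the domain contoso.com, the OU "OU=Workstations,DC=contoso,DC=com" and the client name WS01 are assumptions. The registry location written is the one behind "All Removable Storage classes: Deny all access" under Computer Configuration > Administrative Templates > System > Removable Storage Access.

```powershell
# Added example, not part of the original post. Assumes the GroupPolicy RSAT
# module and the OU / domain names below.
Import-Module GroupPolicy

$gpoName  = 'Block Removable Storage (Computers)'
$targetOU = 'OU=Workstations,DC=contoso,DC=com'

# Policy key behind "All Removable Storage classes: Deny all access".
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Create the GPO if it does not exist yet (Get-GPO throws when the name is unknown).
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName -Comment 'Deny all removable storage classes' }

# Write the computer-side setting into the GPO.
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Link to the computer OU. Leave the default "Authenticated Users: Read + Apply"
# in place; computer accounts are members of Authenticated Users, and a
# computer-side setting does nothing unless the *computer* is in scope.
try   { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction Stop | Out-Null }
catch { "Link to $targetOU already exists or could not be created: $_" }

# Verify on a client what it actually received after gpupdate /force: the value
# must show up in the machine policy hive of that computer.
function Test-RemovableStorageDenied {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                              -Name Deny_All -ErrorAction SilentlyContinue
        return [bool]($v -and $v.Deny_All -eq 1)
    }
}

Test-RemovableStorageDenied -ComputerName 'WS01'
```

If the check returns False on a machine that sits in the OU, run gpresult /scope computer /r on it: the GPO must appear under "Applied Group Policy Objects" for the computer, not the user.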

We have the following scenario
  • A plain vanilla 2012R2 based RDS deployment in which we want to use a RD Gateway (wasn't the case so far)
  • The local domain named domain.local - public domain
  • A valid wildcard cert for *
  • Gateway machine is named rdshost.domain.local and session host rdshost.domain.local

We have performed the various setup and everything works fine, except that we have a certificate mismatch because the user connecting is redirected by the gateway to rdshost.domain.local (the name of the machine in the local domain) whereas the cert is for domain.local. And obviously we will never have a CA cert for domain.local

What is the best practice in such circumstances (I guess it is a pretty classic use case) ?
Hello all, and thanks for your time and expertise. Folks, I created a group of users to manage student accounts. I delegated control on the OU and applied the Modify group membership permission. However, when I try to use one of the accounts I get the following error message: Object group "group name" cannot be added to group "group name" because Insufficient access rights to perform this operation.
I would greatly appreciate your help in figuring out what I'm doing wrong.
Trying to put together a script that I can run as a daily scheduled task to automate moving disabled objects in our OU to the Disabled OU. I put this together but it's not working. Can you please help rewrite the script so that it makes sense.

Import-Module ActiveDirectory

$TargetOU = 'OU=Disabled Users,DC=contoso,DC=com'   # destination OU (placeholder, adjust)
$SearchOU = 'OU=Users,DC=contoso,DC=com'            # where to look (placeholder, adjust)

# Filter on Enabled server-side instead of pulling every user, pipe the ADUser
# objects straight into Move-ADObject (Select-Object SamAccountName produced plain
# objects that Get-ADUser could not bind to -Identity), and skip accounts that are
# already in the destination so the scheduled task is safe to re-run.
Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchOU |
    Where-Object { $_.DistinguishedName -notlike "*,$TargetOU" } |
    Move-ADObject -TargetPath $TargetOU

Cloud Services Terminology

I have read about Cloud Services Terminology :

it does not cover the case where everything is on-premises, except for Azure Active Directory and Office 365,
and the local Active Directory is connected to Azure AD.

How do we call this type of service? Is it SaaS?

Thank you
Hi Experts,

We have problems with AD Sync to O365.
In the past all items were synced.

The AD SYNC was reinstalled and the anchor was changed to the recommended Microsoft value.
But old items in the Cloud cannot be deleted.

Do you know a way to clean up the synced objects ?
Hi Experts,

After a user migration and profile migration, the user has some issues logging in.

The Group Policy Client Service Failed the Logon

Do you have a fix for it?
On the profile folder I have checked the permissions; they are OK and the user also has full access rights.

Any ideas ?
We have a user that the "Send As" for self permission keeps being cleared. I am unable to add the permission in Exchange 2010 Management Console. I can only do it on the actual user properties in ADUC.

How do I find who/what/why the "send as" permission keeps being cleared?

Running repadmin I can see exactly WHEN it occurs (nTSecurityDescriptor shows a new USN with the date and time), but I have no idea of why.
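An added example serving both the delegation question above (Modify group membership delegated on an OU, yet adding a group fails) and this Send As question; it is not part of either post. Both are answered by reading the ACEs on the object with the ObjectType GUID translated: delegated group-membership changes need a WriteProperty ACE on the member attribute that is inherited to the class of object being edited (here a group, not just user objects), and an ACE that is removed again every hour from an account with adminCount=1 is being overwritten by SDProp from the AdminSDHolder template, so the account's ACL should be compared with that template. The RSAT ActiveDirectory module (which also provides the AD: drive), the domain contoso.com, the group CONTOSO\StudentAdmins and the user jdoe are assumptions; the GUIDs are the well-known schema and extended-right GUIDs.

```powershell
# Added example, not part of either post. Assumes the RSAT ActiveDirectory
# module (provides the AD: PSDrive) and the names in the calls at the bottom.
Import-Module ActiveDirectory

# Well-known GUIDs that appear in ObjectType / InheritedObjectType of AD ACEs.
$guidNames = @{
    '00000000-0000-0000-0000-000000000000' = 'ALL'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send-As (extended right)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
}
function Resolve-AceGuid { param([guid]$Guid) $k = $Guid.ToString(); if ($guidNames.ContainsKey($k)) { $guidNames[$k] } else { $k } }

# List the ACEs on an AD object, optionally only those of one principal.
function Get-AdObjectAce {
    param([Parameter(Mandatory)][string]$DistinguishedName, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($Identity -and $ace.IdentityReference.Value -ne $Identity) { continue }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            Object      = Resolve-AceGuid $ace.ObjectType
            AppliesTo   = Resolve-AceGuid $ace.InheritedObjectType
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited
        }
    }
}

# Question 1: the delegated group must hold WriteProperty on "member", and the
# ACE must apply to group objects (AppliesTo = ALL or "group (class)") with an
# InheritanceType other than None, otherwise it covers only the OU itself.
$ou = 'OU=Students,DC=contoso,DC=com'
Get-AdObjectAce -DistinguishedName $ou -Identity 'CONTOSO\StudentAdmins' |
    Where-Object { $_.Object -like 'member*' -and $_.Rights -match 'WriteProperty' } |
    Format-Table Rights, Object, AppliesTo, Inheritance -AutoSize

# Question 2: if adminCount is 1, SDProp rewrites the user's ACL from
# CN=AdminSDHolder every hour; the Send-As ACE must then exist on the template
# to survive. Compare the count on the user with the count on AdminSDHolder.
$user     = Get-ADUser -Identity 'jdoe' -Properties adminCount
$domainDn = (Get-ADDomain).DistinguishedName
[pscustomobject]@{
    User           = $user.SamAccountName
    AdminCount     = $user.adminCount
    SendAsOnUser   = @(Get-AdObjectAce $user.DistinguishedName | Where-Object Object -like 'Send-As*').Count
    SendAsOnHolder = @(Get-AdObjectAce "CN=AdminSDHolder,CN=System,$domainDn" | Where-Object Object -like 'Send-As*').Count
} | Format-List
```

A Send-As count of 1 on the user and 0 on AdminSDHolder, together with adminCount=1, is the signature of the hourly reset; the repadmin USN change the post mentions will line up with the SDProp run on the PDC emulator. Whether the user really needs to be in a protected group is the question to answer before editing AdminSDHolder itself.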
We have an AD environment that a previous tech set up with PKI. The enterprise CA cert is going to expire soon, and when trying to renew it we get an error that looks something like this:

The certificate template renewal period is longer than the certificate validity period. The template should be reconfigured or the CA certificate renewed. 


All attempts to locate the root CA, which was taken offline, have been unsuccessful so we have a couple of main questions:

1) what happens when the cert expires and we haven't addressed this?
2) what steps can be taken to deal with this in the event we can't find the root CA?

Thanks in advance!
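The check behind the error message quoted above, as an added example that is not part of the original post: each template's validity period and renewal (overlap) period compared with the remaining lifetime of the CA certificate. An issuing CA truncates issued certificates to its own expiry, so once the CA certificate has less life left than a template's periods, that template can no longer be honoured as configured. Template periods are read from the configuration partition (pKIExpirationPeriod, pKIOverlapPeriod), which works even while the offline root is missing. It assumes the RSAT ActiveDirectory module, that it runs on the issuing CA where the CA certificate is in the LocalMachine\My store, and a CA subject name of "Contoso Issuing CA"; those are assumptions.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module and that it runs on the issuing CA (CA certificate in LocalMachine\My).
Import-Module ActiveDirectory

# pKIExpirationPeriod (validity) and pKIOverlapPeriod (renewal) are stored as
# 8-byte little-endian negative intervals in 100 ns units, like a FILETIME delta.
function ConvertFrom-PkiPeriod {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -ne 8) { return [TimeSpan]::Zero }
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    return [TimeSpan]::FromTicks(-$ticks)
}

function Get-CertTemplatePeriods {
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties displayName, pKIExpirationPeriod, pKIOverlapPeriod |
        ForEach-Object {
            [pscustomobject]@{
                Template = $_.displayName
                Validity = ConvertFrom-PkiPeriod $_.pKIExpirationPeriod
                Renewal  = ConvertFrom-PkiPeriod $_.pKIOverlapPeriod
            }
        }
}

# Templates whose validity or renewal period exceeds what the CA certificate
# has left. ValidityFits = $false means issued certificates are already being
# shortened; RenewalFits = $false is the condition the error message describes.
function Get-TemplatesOutlivingCa {
    param([Parameter(Mandatory)][string]$CaSubjectName)
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Subject -like "CN=$CaSubjectName*" } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "CA certificate '$CaSubjectName' not found in LocalMachine\My" }
    $remaining = $caCert.NotAfter - (Get-Date)
    Get-CertTemplatePeriods | ForEach-Object {
        [pscustomobject]@{
            Template        = $_.Template
            ValidityDays    = [int]$_.Validity.TotalDays
            RenewalDays     = [int]$_.Renewal.TotalDays
            CaDaysRemaining = [int]$remaining.TotalDays
            ValidityFits    = $_.Validity -le $remaining
            RenewalFits     = $_.Renewal  -le $remaining
        }
    } | Where-Object { -not $_.ValidityFits -or -not $_.RenewalFits }
}

Get-TemplatesOutlivingCa -CaSubjectName 'Contoso Issuing CA' | Format-Table -AutoSize
```

The same comparison applies one level up: the issuing CA's own certificate cannot be renewed for longer than the root CA certificate has left, which is why locating the offline root (or accepting that the hierarchy has to be rebuilt) comes before any template changes.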
I am working on a Powershell script that will go through the memberships of AD groups that begin with a certain name and then output the group name along with only unique Titles and Departments of members.

So for example if there are two people in a group with the same title and department, I'm aiming to get it to output like this, where it has group name, and then the Title column and Department column with unique ones.

Now I could do this to Excel if that works and just remove duplicates to make it easier.
But the issue I'm having is that the Title and Department values always output as an array.

Results style I'd like to yield:

Group name: "Emergency - All"

Title               |    Department
IT Admin       |   IT
Technician    | Facilities

Group name: "Emergency - Facilities"

Title               |    Department
Technician    | Facilities

And so on and so forth for each group....

How results are currently yielding:

Title                                                Department
-----                                                  ----------
{IT Admin , Technician...} {Facilities...

Obviously that creates a problem for both readability and exporting.
It's an array with commas and I don't know how to overcome it.

The script I currently have is:  
$report = @()
$Distros = Get-ADGroup -filter * | ? {$_.Name -like "Emergency - *"}
    foreach ($Distro in $Distros){

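One way to get the per-group output described in the question above, as an added example that is not part of the original post. The Title and Department columns came back as arrays because the values were collected once per group; emitting one object per member and then deduplicating with Sort-Object -Unique gives one row per distinct Title/Department pair, which exports cleanly. Membership is expanded recursively so nested groups are covered, and missing attributes are shown as "(none)" rather than dropped. The RSAT ActiveDirectory module and the output path are assumptions; the "Emergency - " prefix comes from the post.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module; the group-name prefix is from the post, the output path is assumed.
Import-Module ActiveDirectory

# One row per distinct Title/Department pair among the user members of a group.
function Get-GroupTitleDepartment {
    param([Parameter(Mandatory)]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Title, Department |
        ForEach-Object {
            $title = $_.Title;      if (-not $title) { $title = '(none)' }
            $dept  = $_.Department; if (-not $dept)  { $dept  = '(none)' }
            [pscustomobject]@{ Group = $Group.Name; Title = $title; Department = $dept }
        } |
        Sort-Object Title, Department -Unique
}

# Let the server do the name filter instead of pulling every group.
$groups = Get-ADGroup -Filter 'Name -like "Emergency - *"' | Sort-Object Name

$report = foreach ($g in $groups) {
    $rows = @(Get-GroupTitleDepartment -Group $g)
    # Screen output in the requested layout...
    ""
    "Group name: `"$($g.Name)`""
    if ($rows.Count -eq 0) { "  (no user members)" } else { $rows | Format-Table Title, Department -AutoSize | Out-String }
    # ...and the flat rows for export.
    $rows
}

$report | Where-Object { $_ -is [pscustomobject] } |
    Export-Csv -LiteralPath 'C:\temp\emergency-groups.csv' -NoTypeInformation
$report | Where-Object { $_ -is [string] }
```

Get-ADGroupMember -Recursive refuses groups above the server-side member limit (5000 by default); for very large groups, read the member attribute with Get-ADGroup -Properties member and expand it in batches instead.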


Moving DCs from 2008 to 2016. So I currently have 3 DCs: two are running Server 2008 and one is on 2016. I have built another 2016 server that I added the Active Directory role to, which installed, but when I go into the Active Directory configuration wizard the pre-reqs failed, stating domain controllers have not replicated. I did some research and found the Active Directory Replication Status Tool on MS's website. I ran that tool and found that one server out of the 3 current DCs isn't replicating either way. The server in question is being replaced, so my question is: can I just demote the server that is having replication issues and not worry about fixing the issue, because it's being replaced anyway?
Good afternoon,

We've recently had a customer's DC and file server crash, and while we've redirected all users' Folder Redirection folders to the new file server, it looks like users' Offline Folders are still trying to sync back to the dead server. This brings up 2 questions.

1. I assume I just need to find the Offline Files GPO and point it to the new server. I haven't parsed through all of them yet; it just wasn't in the Folder Redirection GPO.

2. I had a Win10 user's hard drive fill up this morning, and not knowing they had Offline Files (see above lack of GPO understanding) I disabled Offline Files and rebooted. I did not delete anything out of the CSC folder or do anything to the security, but of course now we can't see cached data after gpupdate. If I re-enable Offline Files and reboot the end user computer, the CSC folder will still be there and accessible, correct? I'll have to fix the partnership on the server via GPO, but I'm a bit gun-shy to reboot after I disabled it.

Thanks for any tips Experts.
I want to limit access to  an O365 room resource, so it is bookable only by members of a specific group. Is that possible?
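The booking restriction asked about above, as an added example that is not part of the original post. Room mailboxes are controlled through their calendar processing settings: turning off "everyone is in policy" and naming a group as the in-policy bookers limits direct booking to its members. It assumes an Exchange Online PowerShell session via the ExchangeOnlineManagement module, a room mailbox Boardroom@contoso.com and a mail-enabled group BoardroomBookers@contoso.com; those names are assumptions.

```powershell
# Added example, not part of the original post. Assumes the ExchangeOnlineManagement
# module and the room / group addresses below.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$room  = 'Boardroom@contoso.com'          # assumed room mailbox
$group = 'BoardroomBookers@contoso.com'   # assumed mail-enabled security group or DL

# AutoAccept: the resource assistant processes requests automatically.
# AllBookInPolicy $false + BookInPolicy <group>: only members of the group are
# "in policy" and get an automatic acceptance.
# AllRequestOutOfPolicy $false: everyone else is declined outright rather than
# having the request parked for a delegate to approve.
Set-CalendarProcessing -Identity $room `
    -AutomateProcessing AutoAccept `
    -AllBookInPolicy $false `
    -BookInPolicy $group `
    -AllRequestOutOfPolicy $false

# Read the settings back to confirm the change.
Get-CalendarProcessing -Identity $room |
    Select-Object AutomateProcessing, AllBookInPolicy, BookInPolicy, AllRequestOutOfPolicy
```

If a small set of people should be able to approve exceptions, keep AllRequestOutOfPolicy $false but add them with -ResourceDelegates, so out-of-policy requests from non-members go to them instead of being declined.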
Okay, this bug has kept me busy for quite some time. Grateful for all the help.

For starters, everything works. roughly-ish.

I have an AD with 4 servers, all of them are 2012R2. I think the servers have been upgraded sometime before I started working here and that may be the problem.

When I edit a GPO, I often get the error message: Namespace Microsoft.Policies.Sensors.WindowsLocationProvider is already defined as the target namespace for another file in the store. And a link to our SYSVOL share. After that, I can't edit or see settings on the GPO.

Things I've tested:

1. Executed the dcdiag command on the domain controller:
Starting test: DFSREvent
   There are warning or error events within the last 24 hours after the
   SYSVOL has been shared.  Failing SYSVOL replication problems may cause
   Group Policy problems.

2. Checked event logs and found this error message ... even though there are messages that the sync is actually working. I don't understand this. We have not run out of disk space.
The DFS Replication service encountered an error communicating with partner server02 for replication group Domain System Volume.
Partner DNS address:
Optional data if available:
Partner WINS Address: server02
Partner IP Address:
The service will retry the connection periodically.
Additional Information:
Error: 14 (Not enough storage is available to complete this operation.)
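A check for the "already defined as the target namespace for another file in the store" error quoted above, as an added example that is not part of the original post. Every ADMX file declares the namespace it owns in its policyNamespaces/target element, and the editor rejects a Central Store in which two files claim the same one; parsing the XML finds exactly which two files collide. Because the store lives in SYSVOL, the second function also lists the ADMX inventory as served by each domain controller, so a DC whose SYSVOL copy differs (the DFSR warnings in the post) stands out. The domain contoso.com is an assumption; no special rights are needed to read the store.

```powershell
# Added example, not part of the original post. Assumes the domain contoso.com.
$domainDns    = 'contoso.com'
$centralStore = "\\$domainDns\SYSVOL\$domainDns\Policies\PolicyDefinitions"

# The namespace an ADMX file owns: <policyDefinitions><policyNamespaces><target namespace="..."/>
function Get-AdmxTargetNamespace {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    [xml]$doc = Get-Content -LiteralPath $File.FullName -Raw
    return [string]$doc.policyDefinitions.policyNamespaces.target.namespace
}

# Group every ADMX in the store by its target namespace and report collisions.
function Find-DuplicateAdmxNamespaces {
    param([Parameter(Mandatory)][string]$Store)
    Get-ChildItem -LiteralPath $Store -Filter *.admx |
        ForEach-Object { [pscustomobject]@{ File = $_.Name; Namespace = Get-AdmxTargetNamespace $_ } } |
        Group-Object Namespace |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Namespace = $_.Name; Files = ($_.Group.File -join ', ') } }
}

# SYSVOL is replicated: confirm each DC serves the same ADMX inventory.
function Compare-CentralStoreAcrossDCs {
    param([Parameter(Mandatory)][string]$DomainDns)
    Import-Module ActiveDirectory
    Get-ADDomainController -Filter * | ForEach-Object {
        $path  = "\\$($_.HostName)\SYSVOL\$DomainDns\Policies\PolicyDefinitions"
        $files = @(Get-ChildItem -LiteralPath $path -Filter *.admx -ErrorAction SilentlyContinue)
        $newest = $files | Sort-Object LastWriteTime | Select-Object -Last 1
        [pscustomobject]@{
            DC        = $_.HostName
            AdmxCount = $files.Count
            Newest    = if ($newest) { $newest.Name } else { '(unreadable)' }
            NewestAt  = if ($newest) { $newest.LastWriteTime } else { $null }
        }
    }
}

Find-DuplicateAdmxNamespaces -Store $centralStore | Format-Table -AutoSize
Compare-CentralStoreAcrossDCs -DomainDns $domainDns | Format-Table -AutoSize
```

The collision report names both files; keep the one that belongs to the newest ADMX set you deployed and move the other (with its language .adml files) out of the store, then let SYSVOL replication carry the change to every DC before testing the editor again.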
Hello Experts!

     I need an LDAP query that pulls the following from Active Directory:

From the General Tab:
1.) displayName
2.) physicalDeliveryOfficeName  
a.  Within the Office field, I'd like to search for multiple keywords.  e.g. "CONTRACTOR" OR "Keyword2" OR "Keyword3".  I'm not sure if case-sensitivity matters or not.

From the Address Tab
1.) Street
2.) City
3.) State/province
4.) Zip/Postal Code          
From the Object Tab
1.)  Created

From the Organization Tab
1.) Job Title
2.) Department
3.) Company
4.) Manager Name

Here is part of the query:
(&(objectclass=user)(!(objectClass=computer))(samAccountName=$samAccountName$))" attrs="sAMAccountName, personalTitle, displayName, givenName, sn, mail, telephoneNumber, mobile, manager, department, whenCreated, userAccountControl, description, physicalDeliveryOfficeName

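The query from the post above carried through, as an added example that is not part of the original post. It builds an LDAP filter with an OR clause over physicalDeliveryOfficeName for several keywords, restricts to user accounts (objectCategory=person excludes computers, which are also objectClass=user), pulls the attributes behind each of the listed tabs, and resolves the manager DN to a display name. AD string matching for this attribute is case-insensitive, so "CONTRACTOR" also matches "Contractor". Keyword values are escaped per RFC 4515 so a keyword containing ( ) * or \ cannot change the meaning of the filter. The RSAT ActiveDirectory module and the output file are assumptions; "Keyword2"/"Keyword3" are placeholders taken from the post.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Escape LDAP filter metacharacters (RFC 4515) in a value.
function ConvertTo-LdapEscaped {
    param([Parameter(Mandatory)][string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Attribute names behind the ADUC tabs:
#   General:      displayName, physicalDeliveryOfficeName
#   Address:      streetAddress, l (city), st (state/province), postalCode
#   Object:       whenCreated
#   Organization: title, department, company, manager (a DN)
function Get-UsersByOfficeKeyword {
    param([Parameter(Mandatory)][string[]]$Keywords)
    $clauses = ($Keywords | ForEach-Object { "(physicalDeliveryOfficeName=*$(ConvertTo-LdapEscaped $_)*)" }) -join ''
    $filter  = "(&(objectCategory=person)(objectClass=user)(|$clauses))"
    $props   = 'displayName', 'physicalDeliveryOfficeName', 'streetAddress', 'l', 'st', 'postalCode',
               'whenCreated', 'title', 'department', 'company', 'manager'
    Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
        $managerName = ''
        if ($_.manager) {
            # manager holds the manager's DN; one extra lookup turns it into a name.
            $managerName = (Get-ADUser -Identity $_.manager -Properties displayName).displayName
        }
        [pscustomobject]@{
            DisplayName = $_.displayName
            Office      = $_.physicalDeliveryOfficeName
            Street      = $_.streetAddress
            City        = $_.l
            State       = $_.st
            PostalCode  = $_.postalCode
            Created     = $_.whenCreated
            JobTitle    = $_.title
            Department  = $_.department
            Company     = $_.company
            Manager     = $managerName
        }
    }
}

Get-UsersByOfficeKeyword -Keywords 'CONTRACTOR', 'Keyword2', 'Keyword3' |
    Export-Csv -LiteralPath 'C:\temp\office-users.csv' -NoTypeInformation
```

The generated filter is plain LDAP, so it can be pasted into any other tool that takes an LDAP query; print $filter from inside the function if that is what is needed rather than the PowerShell output.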

I have a batch script setpwd.bat  that contains only 2 lines:

echo off
net user /domain  my_ADid  Myp@ssw0rd

However, when I ran it, I got an error, and this is despite the fact that I'm changing my
own password, which I have the privilege to change, i.e. when I press Ctrl-Alt-Del
and select "Change Password", I can change the password.

What was amiss?  I'm on Win 10 which is
connected to our


C:\tool>echo off
The request will be processed at a domain controller for domain
System error 5 has occurred.  <==
Access is denied.    <==

I'm using a new complex password (that was never used before) that meets
the GPO requirement.  The command below works though:

net user /domain myADid
(to list out my AD ID's attributes)

I should not need a domain admin to do this, right?
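An added example, not part of the original post, of doing this from PowerShell. Two different operations exist for passwords in AD: a change supplies the old password and needs only the right every user has on their own account (this is what Ctrl-Alt-Del uses), whereas net user with a password on the command line asks for an administrative set, a reset that needs the Reset Password right on the account, which is why it ends in "System error 5". Set-ADAccountPassword with -OldPassword and no -Reset switch performs the change. It assumes the RSAT ActiveDirectory module on the Windows 10 client; the account name is the one from the post.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module on the client; the account name is taken from the post.
Import-Module ActiveDirectory

# Change (not reset) the caller's own domain password and return the new
# PasswordLastSet so the caller can see that the change really took.
function Set-OwnDomainPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$OldPassword,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    # No -Reset: with both old and new supplied this is a password *change*,
    # which the account's own self-rights permit and which enforces the same
    # history/complexity policy as the Ctrl-Alt-Del dialog.
    Set-ADAccountPassword -Identity $SamAccountName -OldPassword $OldPassword -NewPassword $NewPassword
    return (Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet).PasswordLastSet
}

# Prompt for both values instead of embedding the new password in a .bat file,
# which leaves it readable on disk for anyone who can open the file.
$old = Read-Host -AsSecureString 'Current password'
$new = Read-Host -AsSecureString 'New password'
Set-OwnDomainPassword -SamAccountName 'my_ADid' -OldPassword $old -NewPassword $new
```

If the same change is attempted without -OldPassword (or with -Reset), the cmdlet fails with an access-denied error for a normal user for exactly the reason the batch file did: that path is the administrative set, not the self-service change.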
