Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Hi

Our staff have subscribed to a test website where the students will be doing the test. When they log in to the website, they get a popup which says: "A website wants to open web content using this program on your computer."

Below the window it says: "This program will open outside of Protected Mode. Internet Explorer's Protected Mode helps protect your computer. If you do not trust this website, do not open the program."
Name: .... Plugin Name
Publisher: Company name

At the bottom it gives the option of Allow and Don't allow.

I would like to allow this popup so that it doesn't pop up when the user logs in. Please let me know if there is a way to sort this.

Thanks

I have given a user NTFS Read/Write permissions on a folder named Folder1.
However, when the user tries to create a new folder or file under Folder1, he gets the message "You need permissions to perform this action". Regardless of the message, the folder or file still gets created.

The odd thing is that when the user tries to delete the folder or file he just created, he gets the same message again, "You need permissions to perform this action", and he cannot delete the folder or file he just created.

The objective is to give the user proper permissions to be able to create folders and files under Folder1, and to be able to delete folders and files he created, but prevent him from deleting files and folders that other users have created. It is OK if he can read and make changes to the files that other users have created, since they share files.

Any help on this will be very much appreciated.
I'll try to make this as brief as I can!

The domain in question has one physical 2008 R2 fileserver/DC (call it DC1), which seems fine, and one virtualised domain controller (DC2).
There was an old virtual DC. We found replication had stopped long ago with journal wrap errors. It was past the tombstone date. We manually demoted it and cleaned up DNS and AD.

A clean virtual 2008 R2 DC (DC2) was installed. It joined the domain, and AD is fine on it. DNS appears fine. The sysvol folders have been created, but not populated or shared.

I think we need to fix the current NTFRS connection first before migrating to DFS.

dcdiag shows no errors on DC1 (apart from failed replication from DC2), and dcdiag on DC2 shows failure to advertise but is otherwise OK.
repadmin /showreps shows all successes.

I have gone through DNS repeatedly and can't see a problem (maybe I've missed it).
I have tried both non-authoritative and then authoritative BurFlags restores of FRS - no change.

DC1 (good server) has event ID 13508.
DC2 (no sysvol shared) has event ID 13565.

But I must be missing something!
In the NTFRS logs:

On DC2 (the one without sysvol shares), ntfrs.log includes numerous lines like this:
<FrsIssueJournalAsyncRead:      3256:  9340: S4: 11:27:13> ReadUsnJournalData  - NTStatus 00000103, USN = 00000000 2b630e60  WStatus: ERROR_IO_PENDING

it also has:
<FrsDsConvertName:              1384:  4689: S4: 11:27:13> :DS: Convert Name DC1$ From 00000008 To 00000002
Hi All,

My newly running Exchange 2013 SP1 mailbox server is now running fine after migrating from a multi-role Exchange 2013 SP1 CAS/MBX server running on Windows 2008 R2.

So what are the steps to decommission this old Windows Server 2008 R2 without impacting the email flow for all users during business hours?

Do I need to prepare anything to do after hours?
Hello,

I want to run an LDAP query on the AD server to retrieve and export a list of users who are part of a security group.

I know that when I go to Find in AD, I can change the find criteria to Custom Search. In here I can enter an LDAP query, and I know this can also be done via PowerShell/CMD.

But how can I run an LDAP query without using commands? Is it even possible? All Google searches just show using commands.
Hi
As above (we think). Since migrating from Windows 7 to Windows 10, machines are not automatically connecting to either of the two wifi APs we have in GPO.
Current settings attached.
Ideas?
Thanks
wifi.pdf
Hello,

We are trying to configure a linked server to connect to another SQL Server using Windows integrated authentication ("Be made using the login's current security context"). The issue is that sometimes the linked server works and sometimes not, which is very strange.

SQL ServerA has a linked server to SQL ServerB. Server A is SQL 2012, Server B is SQL 2008 R2. The SQL services on Server A run as domain\userA and on B as domain\userB. We defined SPNs for A and B as follows:

The output of setspn -l userA is as follows:
MSSQLSvc/ServerA
MSSQLSvc/ServerA.domain.com
MSSQLSvc/ServerA:1433
MSSQLSvc/ServerA.domain.com:1433

The output of setspn -l userB is as follows:

MSSQLSvc/ServerB
MSSQLSvc/ServerB.domain.com
MSSQLSvc/ServerB:1433
MSSQLSvc/ServerB.domain.com:1433

We also defined the following in Active Directory for UserA:
"Trust this user for delegation to specified services only", and defined the services there.
For debugging we temporarily used the setting
"Trust this user for delegation to any service (Kerberos only)", but it didn't help.

What else do we need to do? And why does it sometimes work and sometimes not?

The error message on the linked server is "Login failed for user 'NT Authority\Anonymous Logon'. (Microsoft SQL Server, Error: 18456)".

It falls back to NTLM authentication, but why?


thanks,
Immanuel
Since the default policy tag will delete anything older than 2 years ...

I would like to know if any items (not in the recoverable items folder) exist that are older than 2 years old.

Other than Get-MailboxFolderStatistics (as this command is extremely slow), what is available?
Our new server is having security issues. I got a message that it couldn't be refreshed because the Event Viewer service wasn't started. I tried to start it manually and got the attached error. I tried to change the log-on permissions, but they are grayed out.

How do I fix this?

event permissions
security permissions
I am unable to find a method in PowerShell to do this.  

Does anybody know how to report on the searches (not the holds - that I can do) within an eDiscovery case, within the new Security & Compliance Center?

Thank you.

I'm logged on to a new 2012 R2 server that my assistant built (his first). I was trying to run a PowerShell script and it failed with "access denied" to files I was trying to delete in the system32 folder.
When I checked the security permissions, there was no domain administrator in there.
I looked in Users and the only user was Administrator for the computer, not the domain.

I've never seen this before. What is wrong and how do I fix it?
So I've inherited a somewhat small environment where I manage Active Directory, but the former DBA apparently had all these scripts doing tons of things against AD and everything else in the environment.
The problem is that one of the things that's happening is we have students and alumni on this small campus. Well, the script, which I believe is the one below, is moving people to the Alumni OU even though they are a student.
I can ascertain that some of this is partially SQL query, but I was hoping someone with a bit of experience could help translate what is going on here and what criteria/reason is moving someone from one OU to another OU or vice versa.

From the script, I see that one important variable appears to be:
$StudentsThatShouldMove = Fill-Dataset $IntegrationConnString $Sql_StudentsThatShouldMove

Does that mean I have to look to the SQL side to see what's going on?
#. \\scorch01.VelCollegenet.edu\C$\Users\Public\Documents\Scripts\_CreateAcctsAndDistGroupsV4.ps1
# .\_CreateAcctsAndDistGroupsV4.ps1
#########0#########0#########0#########0#########0#########0#########0#########0
#
# # Description: Move students and alumni accounts to the correct OUs
#
# History:
#	???????? EWM Initial Creation
#   20111213 EWM Sql Server Agent Job 
#				 [Active Directory NEW students daily].[Shell Game (move stuff around where it goes)]
#				 Occurs daily at 9:00:00 PM with no end date
#
#########0#########0#########0#########0#########0#########0#########0#########0

We use Trend Micro in our environment. Someone had created a login script that runs a batch file that installs the TM client. I need to exclude certain computers from this script. The script was added to the Default Domain Policy. We run 2008 R2.
If you configure the Azure AD Sync tool in one user profile, it does not seem like you can start it or view or change the settings from another user profile. In a case where we have multiple admins that may need to manage that, what's the best way to do it? Can this be managed from multiple profiles, or must multiple admins access that one user profile where it was originally installed and configured?

Thanks
Is there a way for me to track which user makes a change to a record in an Access database? For example, if a field is changed from one selection to another, how would I record the user and the timestamp when the change is made? We don't sign into the database so there's no prior authentication before using it (access comes via active directory permissions). We are on Office365 subscriptions so the apps are integrated with our accounts but I don't see anywhere I can capture that info.
I'm trying to install an msi through GPO. It fails on my test box with error code 1274 in the event log. DC is 2008r2, test box is Windows 7. Any ideas?
This is what I came up with in PowerShell, but it doesn't list the actual users, or exclude people with just 'Domain Users':

Get-ADUser -Filter {Enabled -eq $false} -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Get-ADGroup -Properties name | Select-Object DistinguishedName,name,GroupCategory

Trying to secure my RDP connection, so we are using TLS. I have created a template and a group policy to deploy it.

When I log on to the server I get the following error:

The terminal server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.

Domain Computers on the template has Read and Enroll rights. It did have only Enroll, but I added Read as well. Not sure if I have to push this change through?
Hi all, I am attempting to gauge the performance impact that LDAP traffic is having on a DC. I am looking at this TechNet article:
https://msdn.microsoft.com/en-us/library/ms808539.aspx#efficientadapps_topic01aa
Halfway down the page this header appears: Determining Query Timing with the Statistics Control

I have opened ldp.exe on the DC and set the STATS control as advised. I then performed a couple of LDAP queries, all good so far. My question: the article says this:

Using the STATS control, the server returns the following information:
Thread Count: <thread count>
Core Time: <core time>
Call Time: <call time>
Subsearch ops: <sub search operations>
Entries Returned: <entries returned>
Entries Visited: <entries visited>
Used Filter: <filter (octet string)>
Used Indexes: <indexes used (octet string)>

But where? I can't find any event or log that shows the result. Does anyone know? I have ramped up Field Engineer logging and LDAP diagnostics, but I still can't see any trace of the output this article says should appear.
Many thanks

Hi all,

We have recently upgraded our internal CA to SHA256. We have a number of internal web servers that have SHA1 certificates that are still valid. We are looking to upgrade each of the certificates through a controlled process. My question is: if we renew the certificates on the servers with the new SHA256 and there are any issues, are we able to recreate a new cert using a SHA1 cert?
I see in the logs the following error for a lot of different workstations joined to the domain:

The session setup from the computer xxxxxxx$ failed to authenticate. The name(s) of the account(s) referenced in the security database is xxxxxx$.  The following error occurred:
Access is denied.

NETLOGON event ID 5722

Server 2008

Please help
I had this question after viewing (Open)LDAP V2.44  search proxy to AD (W2012R2).

I am following this article (https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD) in order to set up an OpenLDAP proxy.  But when I run an ldapsearch command on the Windows AD, I get the bind error below:

root@VMUSDevLDA01:/etc/ldap# ldapsearch -x -h 10.41.22.100  "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v2580



Here is my nslcd.conf file, what is wrong with it?

# Mappings for Active Directory
pagesize 1000
referrals off

# Passwd
filter passwd (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    passwd homeDirectory     UnixHomeDirectory
map    passwd gecos             displayName
map    passwd gidNumber         primaryGroupID

# Shadow
filter shadow (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    shadow shadowLastChange  pwdLastSet

# Groups
##filter group (&(objectClass=posixGroup)(gidNumber=*))
##map    group uniqueMember       member

# Local account for nslcd
uid nslcd
##gid ldap
gid
Has anyone run Symantec Exec on a file server during production hours? My backups seem to run into the next day; is this normal? I'm backing up about 1 TB.
Over the past month we have built two Tier 2 PKI environments for our domains. One of them appears to be working correctly and the certificates from the templates are being pushed (Workstation Authentication, RDP Auth) as normal. However, on our second domain this is not the case. I have set up both PKI environments for the domains exactly the same (minus the domain names), as I read through the same article for both installs. I did notice that some of my servers in the partially functioning PKI have gotten the Workstation Authentication cert; however, I can only get the RDP Auth template to work if I am on a server and I put in a certificate request. The Active Directory call comes up and when I request the RDP Auth certificate it pulls from my new PKI environment. I'm doing a controlled decommission of the old CA (no templates present and slowly revoking certificates), but as I am not seeing the new environment push out new certificates correctly, I am stalled.

On the new PKI templates I made sure that Domain Computers has Read, Enroll and Autoenroll. I also made sure that Cert Publishers on the domain has the computer that is my Subordinate CA as a member. I also verified that in our Default Domain Policy the settings for autoenrollment under the security policy are configured per the Microsoft articles I have found. I did a tab-by-tab comparison of the working PKI to the "non-working PKI" for RDP Auth and the settings are the same.

I am not sure what else to look at now and am…
One of our customer's DCs has died; the motherboard went on it and they have replaced it with a brand new server.

I have the pleasure of rebuilding this machine. I have the HDD from the old DC and am in the process of building the new server, Windows 2016 (they previously used 2003, I think), and rather than set up a new domain and new AD structure, I was wondering if I could somehow pull the old data from the HDD and import it into the new AD?

We have Windows Server image backups of the old machine. Does anyone know if it's possible to import the old data (users mainly) so that I don't have to set up an entirely new domain and new users and then manually get all of their machines moved over to the newly built domain?
