Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Share tech news, updates, or what's on your mind.

Sign up to Post


Hi I need a formula to convert a Cell that containes an Active directory Distinguished name like this that in a Cell


To This


In a new Cell

They can get quite long as well like so

CN=exchbackup,OU=SERVICE ACCOUNTS,OU=IT SYSTEMS ADMIN,DC=internal,DC=domain-name,DC=com

would be

SERVICE ACCOUNTS-IT SYSTEMS ADMIN,-internal-domain-name-com

Sorry My Excel skills re not brilliant, assume I'm clueless please :)

Starting with Angular 5
LVL 13
Starting with Angular 5

Learn the essential features and functions of the popular JavaScript framework for building mobile, desktop and web applications.

Hi Experts,

we use AADConnect and we use now the objectGUID as sourceAnchor.
But we have a muti Forest and Domain network.
We also have to create a new domain and move users. When we move the user now, then ADSYNC is not working for this user.

I have seen this article about to change the sourceAnchor to ms-DS-ConsistencyGuid.

Can you show me how to change this ?
What happens to my users when I changed this ?
Do I need to reboot or do something else ?
Team ,

I have a scenario , where i have an enterprise client having three main offices ( of 500 users each ), hence three DC's present . This client has around 400 branches , where each branch there are 40 - 50 users each .

Related with MS AD and Authentication as AAA , is it advisable to have Servers(AD) in each branch and DC or only on DC with some branches

We are loosing Internet access when our Small Business Server 2011 Standard is down or rebooting for updates.  I have a backup domain controller, yet internet access still goes down. Whats the best option to configure my backup domain controller to maintain the connection?
Hi experts,

I am wondering if there is any other software can replace Microsoft Server 2012, 2008, 2016, etc.... if I just wish to active directory service? I just need to have all users setup with the correct permission, policy etc....?

All the clients are running on Windows 10. I am wondering since I am just using one of the service what will be a better alternative? Choice can be a 3rd party software, any linux softwares, etc....
What are the user profiles being created on my ADConnect server?  I assume they relate to password writeback and password reset -- but can't seem to find article to confirm that?

I have a strange problem on Outlook 2016.

I updated all my users on the active directory (windows server 2016 Datacenter).
I updated the attributes : Mobile and HomePhone.

Here the powershell I used

Import-Module activedirectory
get-aduser -properties * -filter * | ?{$_.enabled -eq $true} |select samaccountname -ExpandProperty samaccountname | export-csv -Append C:\users\MyName\desktop\list1.csv
get-aduser -server srv-uk-dc3.ukie.contoso.local -properties * -filter * |  ?{$_.enabled -eq $true} | select samaccountname -ExpandProperty samaccountname | export-csv -Append C:\users\MyName\desktop\list1.csv
Import-Csv "C:\users\MyName\desktop\list1.csv" | foreach {
$name = $_.samaccountname
try {$user = get-aduser -server srv-uk-dc3.ukie.contoso.local -identity $name -properties *}
catch { write-host "User not in UK!! : $_."}
try {$user = get-aduser -identity $name -properties * }
catch { write-host "User not in FR!! : $_."}
 if ($ -ne $null){
 $number = $
 $sw = $number.StartsWith("+")
                            if ($sw -eq $true){
                                               $count = $number | Measure-Object -Character | select characters -ExpandProperty characters
                                               if ($count -eq "12") {
                                                                     write-host "FR OK : $name"
                                                                     $number = $number.insert(4," 

Open in new window

It seems that I can't search for any mail items with chinese chars in Subject. It doesn't return any finding. However, it works perfect on English subject. Any idea ?

My Window 10 has already added the Simiplified Chinese language.


search-mailbox -identity tonyip -searchquery "Subject:'帐户安全代码'" -EstimateResultOnly
Question, below was a script that I had assistance on a couple weeks back.

This script runs nightly to update extension attributes.

My concern was that if an employee ended up needing less attributes updated, this script won't update the empty attributes they won't need.

Any idea how to add that in here?

$inFile = 'C:\temp\empid.csv'
$outFile = 'C:\temp\empid_log.csv'
Import-Csv -Path $inFile | ForEach-Object {
	Write-Host "Processing $($_.EmployeeID)"
	$out = $_ | Select-Object -Property EmployeeID, SamAccountName, Result
	$hash = @{}
	If ($_.stuff)	{$hash['ExtensionAttribute1'] = $_.stuff}
	If ($_.things)	{$hash['ExtensionAttribute2'] = $_.things}
	If ($_.list)	{$hash['ExtensionAttribute3'] = $_.list}
	If ($_.nice)	{$hash['ExtensionAttribute4'] = $_.nice}
	#Set-ADUser $_.sAMAccountName -Replace $hash
	Try {
		If ($adUser = Get-ADUser -Filter "EmployeeID -eq $($_.EmployeeID)" -ErrorAction Stop) {
			If ($adUser.Count -gt 1) {
				$out.Result = "ERROR: Duplicate EmployeeID: $(($adUser | Select-Object -ExpandProperty SamAccountName) -join ', ')"
			} Else {
				$out.SamAccountName = $adUser.SamAccountName
				If ($hash.Count -gt 0) {
					$adUser | Set-ADUser -Replace $hash -ErrorAction Stop
					$out.Result = "Successfully set $($hash.Keys -join ', ')."
				} Else {
					$out.Result = "No attribute defined."
		} Else {
			$out.Result = "ERROR: EmployeeID not found!"
	} Catch { 
		$out.Result = "ERROR: $($_.Exception.Message)"
} | 

Open in new window

Over a year ago we enlisted the services of an outside exchange server tech who created an admin acount for them selves. I need to delete this account from exchange server as well as Active Directory but it is protected from "Accidental Deletion". I cannot find where to remove this option. i moved the user to a different OU which did not help.
Please advise how I can force the deletion of this users from the AD / exchange server.
thank you

Error message preventing deletion of Admin user
Introduction to R
LVL 13
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

I'm trying to enable AD Recycle Bin Feature on our DC, DC is running Server 2016 Datacenter Edition.  I've tried doing this through the GUI, Server Management >> Active Directory Administrative Center >> Select local domain.  The option to Enable Recycle Bin is grayed out.  I then attempted to enable it using PowerShell with the following
Enable-ADOptionalFeature 'Recycle Bin Feature' - Scope ForestorConfigurationSet - Target

Return error
Enable-ADOptionalFeature : The specified method is not supported
At line:2 char:1
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigu . . .
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        +CategoryInfo                    : NotSpecified:  (Recycle Bin Feature:ADOptionalFeature) [Enable-ADOptionalFeature],  ADException
        + FullyQualifiedErrorID     : ActiveDirectoryServer:8526,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature
We have a new Win 2016 DC that is not replicating to our existing DC.

How do I troubleshoot?

I am in the process of changing user UPNs to their primary SMTP attribute but have encountered a UPN Suffix routing issue on one of the forests. Details are:

Forest A:
DNS - ResourceA.Internal
Name Suffix Routing:
AccountB.Internal - *accountB.internal
AccountB.Internal - *
AccountC.Internal - *accountC.internal
AccountC.Internal - *

Forest B
DNS - AccountB.Internal
Alt UPN Suffix -

Forest C
DNS - AccountC.local
Alt UPN Suffix -

Trust Relation Ships
ResourceA.Internal <==> AccountB.Internal (Two-way - Forest - Transitive)
ResourceA.Internal ==> AccountC.Internal (One-way - Forest - Transitive)

ResourceA.Internal contains Mailboxes with disabled accounts and Servers
AccountB.Internal and AccountC.Internal contain user accounts linked to Mailboxes in ResourceA.Internal

AccountB.Internal behaviour:
I am able to access Mailboxes (via OWA) and RDP to servers with Domain\User and UPN.

Accountc.Internal behaviour:
I am able to access Mailboxes (via OWA) and RDP to servers with Domain\User only not UPN.

I have checked firewall ports and the following are open:
135/TCP      RPC Endpoint Mapper
464/TCP/UDP      Kerberos password change
49152-65535/TCP      RPC for LSA, SAM, Netlogon (*)
389/TCP/UDP      LDAP
636/TCP      LDAP SSL
3268/TCP      LDAP GC
3269/TCP      LDAP GC SSL
53/TCP/UDP      DNS
49152 -65535/TCP      FRS RPC (*)
88/TCP/UDP      Kerberos
445/TCP      SMB (**)
49152-65535/TCP      …
We want to change our remote office access so that PCs logon to the domain instead of users using remote desktop.

We have our servers colocated in location A with an ip address range 192.168.0.nn one of which is an active directory domain controller. All sites from there are linked with VPN

London Office, has IP address range 192.168.53.nn with a secondary DC. Pcs in london can log onto the domain in Location  A  and also resolve computer names instead of using IP addresses

kent office has IP address range 192.168.50.nn with NO secondary DC, linked via VPN but when trying to join the pcs to the domain in Location A I get the no AD/DC can be found, yet I can ping it successfully using its ip address.

This to me is a DNS issue??? or am I totally wrong? Can anyone resolve this? The attached PDF shows the sites & services
I am enabling loopback policy and I have been trying to understand the following.

I have two GPO's:

1.) GPO A - it has some computer settings enabled and loopback is enabled. The GPO needs loopback.
2.) GPO B - it has some user settings enabled and loopback is enabled. The GPO needs loopback.

Both GPO's are applied to the same OU with computer objects, so my question is...since both GPO's need loopback, do we need to get loopback enabled on both GPO's? or just by enabling loopback on one of them then loopback will be enabled for both.

As background:
This is about a testbed for DCs getting ready for a 2-site/s-subnet real-world network.
Here is a diagram of the testbed:TestbedI'm not at the stage where SERVER2 is being integrated but I'm not sure about expectations, terminology, etc.

One of the objectives is that if one site disappears, the other site has to continue operations.  
This first objective implies that the DCs operate independently or independently/synchronized.

Another objective would be that if one DC goes down, the entire system continues to operate - including the site with the downed DC - relying on the remaining DC.

As shown, the sites are integrated in the sense that there is communication between them, file sharing between them, etc.
I believe that using something like DFS would simplify the file serving split between sites and force files to be "local" - in case of failure or disappearance.

So, here is my question:
As I introduce SERVER2 into this network as shown in the diagram, being that it's the 2nd DC to be promoted, what is it called?  what is its role?  can all the objectives be met?  How to prepare it properly for this?  I have it almost done but that raises these questions.  I'm not looking for "step-by-step", rather the right words so I can more readily proceed.
I need a way to run this once a week.  "C:\Program Files (x86)\Microsoft Office\Office16\MSACCESS.EXE" "\\databases\Access2015$\Paw Trax\sp_be2.mdb" /compact

I tried using Task Scheduler but it won't run.

I also tried making a batch file, but I am not sure of exactly what should go in the file.

How can I accomplish this?
Need some help with deciphering this vbscript... this script first runs a dsquery to grab all users and DN's into a file.

Basically line 12, I'm looking to grab the DN where it builds a strNullset variable to determine if @Domain or - is there a way to do this in powershell without dumping out all of the users in a file, then append later in the script?

Also looking for what line 24 actually does with the "2", and also what line 29 does... ?

Set objArgs = WScript.Arguments

If objArgs.Count < 1 Then
	Wscript.Quit -1
End If
strUserDN = objArgs(0)

Set objUser = GetObject("LDAP://" & strUserDN)
If UCase(objUser.AccountDisabled) = "FALSE" Then 
	strNullSet = objUser.sAMAccountName & "" 
	If InStr(UCase(strUserDN),"Domain2") Then   
		strNullSet = objUser.sAMAccountName & ""
		End If
	If objUser.mail = "" Then                             
		If objUser.userPrincipalName = strNullSet Then 
			objUser.put "userPrincipalName", strNullSet    
			WScript.Echo objUser.sAMAccountName & "," & strNullSet & "," & objUser.userPrincipalName & "," & "Null"
		End If
		If objUser.userPrincipalName = objUser.mail Then  
			strO365Alias = "smtp:" & objUser.sAMAccountName & ""
			If objUser.mailNickname = objUser.sAMAccountName & "2" Then
				strO365Alias = "smtp:" & objUser.sAMAccountName & "2@mail"
			End If
			objUser.PutEx ADS_PROPERTY_APPEND, "proxyAddresses", 

Open in new window

Hello Experts,

I need some help with a query preferably a wmi query that would detect only the 32 bit office. I need to deploy a reg key in a GPO.

JavaScript Best Practices
LVL 13
JavaScript Best Practices

Save hours in development time and avoid common mistakes by learning the best practices to use for JavaScript.

We are currently deploying a hub and spoke WAN topology in our environment.  Everything is going good except the trying to figure out the AD portion.  I have the Hub (Site 1) and two Spokes (Site A and Site B).  What is the best way to allow a user in Site A to access a resource (Server, File Share, etc.) in Site B.

I have a trust from Site 1 to Site A and from Site 1 to Site B.  I know if I create a domain local group in Site 1 I can add users from Site A into it.  Although I cannot access that group from Site B to share the resource seeing how it is a domain local group in Site 1.  

What is the best way to set this up.  I know through the VPN tunnels I am able to allow the Site A domain controllers talk to the Site B domain controllers.  I f I had to I could create a trust between Site A and Site B but I wanted to know if there was another way without creating a web of trusts everywhere throughout the organization.
i have samba domain controller on ubuntu server.
all server and client is member of domain.
issue is some windows 10 client need to write fqdn of a server to ping or connect to it.
f.x. ping topc.example.local  is ok nut when they ping topc (servername) is no responding for server name
This client ins member of domain and all client has nothing in host file.
how to resolve that?
I need to force a reboot of all our domain joined workstations to apply an update to our Trend AV. Asking everyone to do it via email has not done the trick. What is the best way to do that unattended?
I have 4 domain controllers, 1 - 2008 R2, and 3 - 2012 R2, the 2008 R2 domain controller is the original DC. I added the other 3 in order to then demote and send to pasture the 2008 DC. My problem is, when I go to dcpromo the 2008 DC, it's saying that there are no other AD DCs in the domain, and if I remove this one, the domain would no longer exist (paraphrasing). All DCs are replicating to each other. All are global catalog except the 2008 DC. Another funny thing is, when I do Get-ADDomainController | ft Name,isGlobalcatalog on any server, they ALL ONLY show the 2008 DC. If I make the 2008 DC to NOT be a GC server, and i run the command on any of the other DCs, they still bring the 2008 DC up, just saying 'False' as a GC. If I query the site, all DCs will show up as GCs 'TRUE' except the 2008 as False.

Any help would be much appreciated. I really want to decommission the 2008 R2 DC.
Can I revert back to old ssl certificate
If new ssl certificate does not work on my ADFS server
Hello Everyone,
Thanks in advance for your time and insights as they are very much appreciated :-)
I am working on going through the hundreds of settings for domain based (2016 DC x 2, FFL/DFL 2012R2 - central store for GPO) GPO settings and I have a silly question with the intent on saving some time in terms of which settings we explore and which ones we ignore.
If a GPO setting (Users or Computers) states that it is "Supported on: Server 2008, Windows 7, Windows Vista" does that mean that I shouldn't waste time on it because since Windows 10 is not identified explicitly so it will not work versus "Supported on: At least Windows Server 2008 R2 or Windows 7" which means that even though Windows 10 is not directly defined it should/might work because the criteria states that the o/s just needs to be Vista or newer and since Windows 10 is newer it might work. Am I understanding this correctly? LOL! Thanks a bunch :-)

Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.