Active Directory

77K

Solutions

39K

Contributors

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


While rebooting a Windows Server 2003 server, it shows "Active Directory rebuilding indices, please wait" at startup. It took a little while for this process to complete, and once we logged on not all the services were started, so another reboot was required to start all services normally.
0

Expert Comment

by:Praveen Patten
Super Jinesh
1
Last week, our Skyport webinar on “How to secure your Active Directory” provided 218 attendees with a step-by-step guide for identifying Active Directory security threats and how to protect against them.

According to Howard Friedman, presenter and vice president of business innovation at Ascent Solutions, 90% of organizations use Active Directory for their identities and credentials. That means this system—often at the center of everything for an enterprise—is at a high targeted risk for theft and security breaches.

In fact, Russell Rice, head of product at Skyport Systems, said threats are many and growing. There are sites that exist for the sole purpose of providing free means to breach Active Directory firewalls and swipe credentials to infiltrate weak points of entry. 

This vulnerability has led teams like Friedman's and Rice's to explore existing weaknesses in this widely used system and find ways to safeguard against potential threats.

They discussed why these gaps exist, citing issues such as cost, bogged-down processes that teams and individuals put off, and too many administrative access points. While the job can sometimes be "unsexy", as Friedman put it, securing Active Directory doesn't just protect user credentials, but credentials for computers, data, and even third-party firms. They're all connected, and a problem in …
5
This article runs through the process of deploying a single EXE application selectively to a group of users.
8
LVL 14

Expert Comment

by:Jamie Garroch
As a developer of PowerPoint templates and add-ins, this article is a great find, as clients often do not know how to deploy these types of deliverables centrally. Thanks for taking the time to write it. Is there a way to test this in local mode, i.e. when you don't have access to a corporate infrastructure? I see that Win10 has a "Local Group Policy Editor":
Local Group Policy Editor
0
LVL 46

Author Comment

by:Shaun Vermaak
Hi Jamie. Thank you for the comment.

Unfortunately not. In fact, you cannot see preferences even in RSOP.msc, only in GPRESULT.

May I recommend you build a testing DC with a trial account?

Something that you might like is that these preferences are XML and you can variablize it.
1
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of the display.
7
LVL 3

Expert Comment

by:alohadin
This has been bookmarked!
Great stuff Shaun.
Thanks a lot.
1
LVL 9

Expert Comment

by:Senior IT System Engineer
thanks for sharing such a great article Shaun :-) !
0
Lab Topology
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
1

Expert Comment

by:PriteshW
Good article, set it up in my lab and it works well.
0
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
0
LVL 22

Expert Comment

by:Walter Curtis
Great information. Thanks! Recommended reading for all SharePoint people. This should be submitted as an article.

Have a good one...
1
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
0
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
0
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, code portability, maintainability and platform agnosti
0
Synchronize a new Active Directory domain with an existing Office 365 tenant
1
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
0
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
1
Resolve DNS query failed errors for Exchange
2
Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogged down in the details.
6
LVL 67

Expert Comment

by:Jim Horn
Nice article on a large Active Directory and SQL Server permissions issue that DBAs work with a lot. Nicely illustrated as well. Voting Yes.
0
LVL 8

Expert Comment

by:Yashwant Vishwakarma
Nice article Joseph :)
got some idea about active directory concepts.
Voted YES.
1
Active Directory replication delay is the cause of many problems. Here is a super easy script to force Active Directory replication to all sites by using an elevated PowerShell command prompt, and a tool to verify your changes.
3
LVL 9

Expert Comment

by:Senior IT System Engineer
Hi Michael,

Do I need to run the PowerShell that you mention above on the PDC emulator role holder, or does it have to be from the DC where I have made the changes?
0
LVL 5

Author Comment

by:Michael Christly
I run this in PowerShell (as admin) from my desktop. It would be fine to run on any DC. However, I have remote admin tools installed on my machine. If your domain is large this type of forced replication could cause significant network traffic until replication is complete. My domain has 4 DCs at two physical sites and it takes about 20 to 40 seconds to complete.
1
Domain split
Previously I had a customer who was preparing to be split into two separate businesses. The disruption to the IT infrastructure was going to be huge, and the timeline to complete the work was tight - very tight. With the help of EE I managed to find a way to do this quickly and cleanly.
6
LVL 25

Expert Comment

by:Luciano Patrão
Good article!
0
LVL 67

Expert Comment

by:Jim Horn
Nice case study you've written here, and well illustrated.  Voting Yes.
0
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of our experiences, plus our spending a lot of time with Jeremy Moskowitz's GP books.
0
Several part series to implement Internet Explorer 11 Enterprise Mode
1
Not many admins are aware that GPOs can be activated and deactivated time-based. Time to change that :)
6
Ever wondered why Windows 8 and 10 don't seem to accept your GPO-based software deployment while Windows 7 does? Read on.
13
LVL 15

Expert Comment

by:LockDown32
Thanks McKnife. I caught the part about the fast boot. It was interesting and clear. What wasn't clear was the fix.
0

Expert Comment

by:IT Guy
Excellent article
0
Hi all.
 
The other day I had to change the passwords for a bunch of users on the fly. Because they were so many, I decided to do it in an automated way and I would like to share it with you all.
 
If you are not doing it directly in a Domain Controller (DC) you need to install and import the Active Directory (AD) module and you also need the required privileges to change passwords.
 
This script will check the users in a specified Organizational Unit (OU) without specifying any user, so be careful if you decide to use it.
 
Warning: If you decide to use this script test it first in a lab environment. Do it at your own risk.
 
This script will check the users in a specified Organizational Unit (OU) and then generate a random alphanumeric password 8 characters long.
Of course we can do more stuff but I don't want to complicate and I just want to show you how it can be done. This is just one way of doing it.
 
#This is the file that will be generated with the users account ID and the password generated.
[String]$path= ".\NewPass.txt"

#This will check if the file exists and delete it so a new one can be created from scratch.
#Test-Path avoids the error Remove-Item would throw if the file doesn't exist.
if (Test-Path $path){Remove-Item $path}


<# Required Assembly to Generate Passwords #>
Add-Type -Assembly System.Web
#In my case I created a OU for test purposes here it is.
#You need to change it to meet your requirements.

2
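The post above generates a password per user in an OU and writes the result to a file. The following is an added example, not the article's own script, that does the same job with the pieces a practitioner usually wants added: a cryptographic random source instead of Get-Random, a guaranteed mix of character classes (the article's later comments note that a purely random pick can come out letters-only), a -WhatIf preview before anything is reset, and a CSV with one row per user. It assumes the ActiveDirectory RSAT module is installed, that the caller holds password-reset rights on the OU, and that the OU distinguished name shown is a placeholder to replace.

```powershell
# Added example (not the article's script). Assumptions: ActiveDirectory module present,
# caller has reset rights on the OU, and the OU DN passed in is a placeholder.
#Requires -Modules ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 12)
    $lower  = 'abcdefghijkmnopqrstuvwxyz'    # ambiguous 'l' omitted
    $upper  = 'ABCDEFGHJKLMNPQRSTUVWXYZ'    # ambiguous 'I' and 'O' omitted
    $digit  = '23456789'
    $symbol = '!@#$%^&*-_=+'
    $all    = $lower + $upper + $digit + $symbol

    # Get-Random is not meant for secrets; use the CSPRNG from .NET instead.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {
        param([string]$set)
        $buf = New-Object byte[] 1
        # Rejection sampling: discard bytes that would make the modulo biased.
        do { $rng.GetBytes($buf) } while ($buf[0] -ge 256 - (256 % $set.Length))
        $set[$buf[0] % $set.Length]
    }
    # One character from each class guarantees the mix, then fill from the full set.
    $chars = @((& $pick $lower), (& $pick $upper), (& $pick $digit), (& $pick $symbol))
    while ($chars.Count -lt $Length) { $chars += (& $pick $all) }
    # Fisher-Yates shuffle so the class-guaranteed characters do not always lead.
    # (Bias from the modulo here is negligible for such small ranges.)
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $buf = New-Object byte[] 4
        $rng.GetBytes($buf)
        $j = [BitConverter]::ToUInt32($buf, 0) % ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

function Reset-OuUserPasswords {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,     # OU distinguished name (placeholder in usage below)
        [string]$OutFile = '.\NewPass.csv',
        [int]$Length = 12
    )
    $users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter 'Enabled -eq $true'
    $results = foreach ($u in $users) {
        $plain  = New-RandomPassword -Length $Length
        $secure = ConvertTo-SecureString $plain -AsPlainText -Force
        # ShouldProcess honours -WhatIf / -Confirm, so a dry run touches nothing.
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Reset password')) {
            Set-ADAccountPassword -Identity $u -NewPassword $secure -Reset
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true   # temporary value must be replaced at first logon
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; TemporaryPassword = $plain }
        }
    }
    # Objects export as one row per user; a bare string would only export its Length property.
    if ($results) { $results | Export-Csv -Path $OutFile -NoTypeInformation }
    $results
}

# Preview first, then run for real (the OU DN is a placeholder):
Reset-OuUserPasswords -SearchBase 'OU=PasswordResetTest,DC=example,DC=com' -WhatIf
# Reset-OuUserPasswords -SearchBase 'OU=PasswordResetTest,DC=example,DC=com'
```

Because the CSV holds the temporary passwords in clear text, the function forces a change at next logon; the file itself should be handed over through a protected channel and removed once the users have logged on.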
LVL 12

Author Comment

by:David Paris Vicente
Hi all,

Thank you all for your comments.
@robert, for you to be able to do that with the code above you will need to use a regexp, but I believe you can achieve it in an easier way; check the example below.

In my code I have:
$NewPassword=[Web.Security.Membership]::GeneratePassword(8,3)

If you change it to:
$NewPassword = -join ((97..122) | Get-Random -Count 10 | % {[char]$_})

This will generate a random string with lower-case letters only.

If you also want capital letters you need to use the ASCII table to check the value of each char; let's see an example.

$NewPassword = -join ((65..90) + (97..122) | Get-Random -Count 10 | % {[char]$_})

The output will be a random string.

Now if you want to add numbers, you can do it by adding the ASCII values related to numbers. Let's check it.

$finalpass=''
# 0..9 are kept as literal digits; 65..90 and 97..122 are the ASCII codes for A-Z and a-z
$NewPassword =  ((0..9) + (65..90) + (97..122) | Get-Random -Count 10 | % {[int32]$_})
Foreach($pass in $NewPassword){
 if ($pass -le 9){
    $finalpass+= $pass
 }else {
 $finalpass+= [char]$pass
 }
}
Write-Host $finalpass

I believe this can do the trick. I didn't have much time to test it, but I can see that some random passwords could have only letters.

Then you can export it to a CSV file by piping the variable $finalpass
# Wrap the string in an object: piping a bare string to Export-CSV only exports its Length property
[pscustomobject]@{Password=$finalpass}|Export-CSV c:\NewPass.csv -Append -NoTypeInformation

With this little code you already have the tools to start tweaking and accomplish your goal.

I hope it helps.

Cheers.

D.
1

Expert Comment

by:rob ert
Alright, I managed to make it generate lowercase letters + letters using your code and it works perfectly, thanks a lot.
I have another question, I hope I'm not being annoying... the exported CSV shows like Capture.PNG... how can I make it like this Capture2.PNG... if you notice, the users are not consecutive; they should be ige1 ige2 ige3 ige4 ige5 etc. instead of userID: and password: in every row... plus is there a way to select specific users from that OU?
Your help is much appreciated...
0
We receive many questions about how to disable the Exchange ActiveSync feature by default, so that once an email account is created, the ActiveSync feature is disabled by default for that account. Since this is configurable neither by Exchange server settings nor by any script, I will share with you the best practice to work around this issue.

We will do the below configuration:
 
  1. Configure on the Exchange server a policy named DisableMobileAccess to allow a maximum of zero mobile devices to connect through ActiveSync or through OWA for devices per user, and apply it on the organization level. Thus, when we create a user with a mailbox, even if the ActiveSync is enabled for it by default, the user will not be able to connect via ActiveSync since the allowed number of devices for him is zero by default! (He will not be able to connect through OWA for Devices feature either.)
     
  2. Configure on the Exchange server a policy named EnableMobileAccess to allow a maximum of a specified number of mobile devices to connect through ActiveSync per user, and apply it at the user level, so for each user we want to grant ActiveSync access, we will add his account to that policy. In my example, the specified number will be 50, which is the default number in the default policy settings on Exchange Server 2013.

To Create the DisableMobileAccess policy, log on to your Exchange Server 2013, open the Exchange …
1
LVL 7

Author Comment

by:Marwan Osman
Great, thank you
0
Unless you've been hiding under a rock you know that Microsoft will be releasing a new version of Windows this summer (2015). As administrators of Active Directory and managers of group policy we use WMI filtering to set and apply group policy objects to different versions of Windows, clients / servers, desktops and laptops. For instance, we want the policy to be applied only to laptops and not desktops, or to client operating systems and not server operating systems.

The example below might be familiar, as it is a common way to apply a GPO to all versions of Windows after 7. It would also automatically work for Windows 8 and Windows 8.1, but it will fail for Windows 10.
select * from Win32_OperatingSystem where Version >= "6.1"
Unfortunately, WMI does the comparison as a string and not a number. This means that Version "10" is actually lower than "6.0" as 1 is lower than 6. So now we have to change our previously working WMI filter to:
select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"
Note: The same is also true for Windows Server 2016 as it has the same OS version number. This is why I've created this new article.

WMI Filtering is another tool to put in your Active Directory toolbox.

Order of execution of Group Policy Objects
  1. Policies in the hierarchy are located (L-S-D-OU).
  2. WMI filters are checked.
  3. Security settings are checked.
Only then, after everything has passed, does the policy …
5
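The string-versus-number point above is easy to test without touching Group Policy. The following added example (not the article's own code) reproduces the WQL comparison in PowerShell, whose string -ge behaves the same way, runs the original and corrected filters over a few constructed Win32_OperatingSystem Version strings, and then evaluates the real WQL text on the local machine with Get-CimInstance, which is the quickest way to confirm which computers a filter will actually match.

```powershell
# Added example, not from the article. The Version strings in $samples are constructed.

# WQL compares Version lexically; PowerShell's string -ge does too, so this mirrors the original filter.
function Test-OriginalFilter  { param([string]$Version) $Version -ge '6.1' }

# The article's corrected filter. WQL's '%' wildcard is '*' in PowerShell's -like.
function Test-CorrectedFilter { param([string]$Version) ($Version -like '10.*') -or ($Version -ge '6.1') }

# What a script can do that WQL cannot: compare as a real version number.
function Test-NumericFilter   { param([string]$Version) [version]$Version -ge [version]'6.1' }

$samples = [ordered]@{
    'Windows 7 / 2008 R2'      = '6.1.7601'
    'Windows 8.1 / 2012 R2'    = '6.3.9600'
    'Windows 10 / Server 2016' = '10.0.14393'
    'Windows XP (must fail)'   = '5.1.2600'
}
foreach ($name in $samples.Keys) {
    $v = $samples[$name]
    [pscustomobject]@{
        OS        = $name
        Version   = $v
        Original  = Test-OriginalFilter  $v   # False for 10.x because '1' sorts before '6'
        Corrected = Test-CorrectedFilter $v   # True for 10.x via the LIKE clause
        Numeric   = Test-NumericFilter   $v
    }
}

# Evaluate the filter text itself on this computer, as Group Policy would.
# An empty result means the filter would exclude this machine.
$wql = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '10.%' OR Version >= '6.1'"
Get-CimInstance -Query $wql | Select-Object Caption, Version
```

Running the table shows the original filter returning True for 6.1 and 6.3 but False for 10.0, while the corrected and numeric forms return True for all three and False for the XP sample.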
The Need
In an Active Directory environment, the PDC emulator provides time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication. By default, if the time difference between systems is off by more than five minutes, network login and authentication fail. I am not sure if anyone has run into this problem or not. There seem to be various reasons for time sync problems, but I found this an odd problem\solution. Recently, as part of the move off of Windows Server 2003 domain controllers, I had to move the FSMO roles from our 2003 DCs to 2008. The 2003 server was set to sync its time, and therefore the domain, against a Cisco switch. I made a screen capture of the current settings as shown below:

NTP1.jpg
As per a number of Microsoft Knowledge Base articles, I manually configured the new time servers via the command line with the following commands:

W32tm /config /manualpeerlist: /syncfromflags:manual /reliable:yes /update
Net stop w32time
Net start w32time

However, two days later, I received a call about authentication problems. It seems the time on all of the systems was off by 20 minutes, even the time on the new PDC Emulator. When running the command:

w32tm /query /status

the server indicated it was performing its synchronization from the local CMOS clock.

ntp2.jpg
Since this server was running in a virtual environment, my first thought was to verify it was not syncing against the host, which it was not. Next, I checked the configuration via the command line, which also indicated it was receiving the information from the local CMOS clock.

ntp3.jpg
ntp4.jpg
6
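The condition described above (a PDC emulator quietly serving time from its own CMOS clock) is worth checking routinely rather than after logons start failing. The following is an added example, not the article's commands: a read-only PowerShell check that reads the W32Time registry configuration, asks w32tm for the current source, flags the local-clock case, reports whether the Hyper-V guest time-sync provider is enabled (the host-sync cause raised in the comments), and measures the offset against each configured peer. It assumes it is run elevated on the DC; no peer names are hard-coded, they come from the NtpServer value.

```powershell
# Added example, not from the article. Run elevated on the domain controller being checked.

function Get-W32TimeStatus {
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $vmicKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
    $params = Get-ItemProperty $paramsKey
    $vmic   = Get-ItemProperty $vmicKey -ErrorAction SilentlyContinue   # only present on Hyper-V guests
    $source = (w32tm /query /source) -join ''

    $issues = @()
    if ($source -match 'Local CMOS Clock|Free-running') {
        $issues += 'Serving time from the local clock, not from an NTP peer'
    }
    # A PDC emulator with a manual peer list needs Type=NTP; other DCs normally show NT5DS.
    if ($params.Type -ne 'NTP') {
        $issues += "Type is '$($params.Type)'; a manual peer list needs Type=NTP"
    }
    if ($vmic -and $vmic.Enabled -eq 1) {
        $issues += 'Hyper-V guest time sync (VMICTimeProvider) is enabled and can override the NTP peers'
    }
    $hvSync = if ($vmic) { $vmic.Enabled -eq 1 } else { 'n/a' }

    [pscustomobject]@{
        Type           = $params.Type
        NtpServer      = $params.NtpServer   # e.g. 'ntp.example.com,0x8'; 0x8 is the client-mode flag from the comments
        Source         = $source
        HyperVTimeSync = $hvSync
        Issues         = $issues
    }
}

# Measure the offset to each configured peer without changing anything.
function Test-W32TimePeers {
    $ntp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').NtpServer
    if (-not $ntp) { return }
    foreach ($entry in ($ntp -split '\s+')) {
        $peer = ($entry -split ',')[0]   # strip the ',0x8'-style flags
        # /dataonly prints "time, offset" rows; the last row is the freshest sample
        $rows = w32tm /stripchart /computer:$peer /samples:3 /dataonly 2>&1
        [pscustomobject]@{ Peer = $peer; LastSample = $rows[-1] }
    }
}

Get-W32TimeStatus
Test-W32TimePeers
```

An Issues list that is empty, a Source naming one of the peers, and stripchart offsets well under a second are the expected healthy result; a Source of "Local CMOS Clock" on the PDC emulator is the exact state the article ran into two days after the change.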

Expert Comment

by:Narges Doosthosseini
Thanks for your article.
I've added the 0x8 on the registry configuration. After restarting Windows time in services, the time source changes to "Local CMOS CLOCK" again!
0
LVL 32

Author Comment

by:Rodney Barnhardt
Is this by chance a virtual machine? If so, it may be configured to sync with the host. The setting depends on the type of hypervisor, but that can cause problems on a PDC emulator running NTP if it is set that way.
0
Recently, I got a chance to renew certificates on Active Directory Federation Services (ADFS) servers. I read a lot of articles, but doing it in production is totally different. Hence, I am sharing all the steps I performed to successfully renew/replace the Service Communications, Token-Signing, and Token-Decrypting certificates.

I had four ADFS servers: Two ADFS Proxy in the DMZ and Two ADFS Main Server in a farm with a SQL back-end database.

Step 1. Request New Certificate.
  • Generate a new certificate request with same primary key from Primary ADFS Server in your farm. You can use IIS or Certificate snap-in to generate the new certificate request.

    Note:  You also need root and intermediate certificate.
Step 2. Import New Certificate in Certificate Store.
  • Import New Certificate into Certificate Store on ADFS Primary server with Private Key.
  • Launch MMC>File>Add/Remove Snap-in>Certificates>Add>Computer Account>Local Computer>Finish.
  • Browse to Personal Store and import the certificate.
  • Right Click on new certificate > All Tasks > Manage Private Keys > Add ADFS Service Account > Give Read Permission.
  • Browse to Intermediate Certificate Store and import intermediate certificate.
  • Browse to Trusted Root and import root certificate.
  • Now Export Certificate with Private Key and import on other ADFS Server.
    Note: Make sure to add Service account permission on all ADFS servers. Not required for ADFS Proxy.
Step 3. Apply new Certificate in ADFS snap-in.
  • Login to Primary ADFS Server.
4
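Before the certificate is assigned in the ADFS snap-in (step 3), it pays to confirm that steps 1 and 2 actually left the server in the expected state. The following added example, not part of the article, checks a candidate certificate in the LocalMachine\My store for a private key, builds its chain against the intermediate and root certificates imported in step 2, reports remaining validity, and lists what ADFS is currently using for comparison. It assumes it runs on the primary ADFS server with the ADFS PowerShell module (Windows Server 2012 R2 and later); the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not from the article. Run on the primary ADFS server.

function Test-AdfsCandidateCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$MinDaysRemaining = 30
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # Build the chain from the machine stores, which is where the intermediate and root
    # were imported in step 2; a failure here means that step is incomplete.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # local structural check only
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    $daysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DaysRemaining = $daysLeft
        HasPrivateKey = $cert.HasPrivateKey   # false means the PFX was imported without its key
        ChainBuilds   = $chainOk
        ChainStatus   = $chainStatus
        Ready         = $cert.HasPrivateKey -and $chainOk -and ($daysLeft -gt $MinDaysRemaining)
    }
}

# What ADFS currently holds, for comparison with the candidate.
function Get-AdfsCertificateSummary {
    Get-AdfsCertificate | Select-Object CertificateType, IsPrimary,
        @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
        @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } }
}

Test-AdfsCandidateCertificate -Thumbprint 'REPLACE_WITH_NEW_CERT_THUMBPRINT'   # placeholder
Get-AdfsCertificateSummary
```

The Read permission granted to the ADFS service account in step 2 is not visible from this check; if Ready is true but the service still fails to start with the new certificate, that private-key ACL is the next thing to verify on each farm server.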

Expert Comment

by:Dimitar Atanasov
Very useful indeed, thank you very much for your efforts to create this detailed guide.
Appreciated!
0
LVL 46

Author Comment

by:Amit
Thanks for appreciating my efforts.
0
