Active Directory
Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Dear experts, how can we collect users' activities in web browsers? Assume that this is a domain environment and we prefer a free solution, script or GPO settings. Many thanks!

I need to create an automated process that does the following.

The scenario is based on a user being terminated or leaving the organization.

1) The user account gets disabled in AD as part of the employee termination process.
2) The user account is part of a specific security group, for example SAP-Users.
3) We need an e-mail notification that a user's account was disabled that belongs to the group "SAP-Users".
Note: This process should only apply if the user account belongs to "SAP-Users".

I have a problem with our roaming profiles' NTFS permissions. We back up our users' profiles daily, but when I create a new AD account and the user logs on, the user's profile directories that get created (Profiles.V2, V5, V6) do not inherit the folder permissions, which should contain the backup service account's read permissions for this folder. The permissions on the parent folder are correctly set. How can I enable inheritance without the need to do this manually for each user profile directory?

Thank you in advance.
We have a Windows Active Directory domain with about 70 users.  We currently use Office 365 for e-mail with no on-premise server and about 70 users.  I would like to sync my Active Directory up to Office 365 so we can use Duo Multi-Factor Authentication.  My concern is what happens, since everyone has an account on both and many have different passwords.  My understanding is that once we sync up we will have a single sign-on for both.  If I activate the sync, will people's e-mail stop working and look for their network password?
I have a Hyper-V lab environment set up. I originally had it set up with an internal switch but wanted to change it to an external switch so I can get out to the internet.
I can get out to the internet if I set the machines to automatically get an IP address, but I need to be able to communicate between the machines in the lab.

At my workplace they have it set up so all the machines use the DC for DNS resolution, and they set forwarders on the DNS server to get out to the internet. This doesn't seem to work in my lab environment. Is there a way to get the machines to see each other and get out to the internet as well?
Windows SBS 2011 single-server domain.  The DC boots up but directory services do not start.  The Netlogon service fails with 0xc000064.  ADUS, ADSS and tools will not start, stating "invalid interface".  Users cannot access network shares, printers, etc.  Netdom query fsmo errors with "invalid interface".  DCDiag shows it cannot connect to the DC.  Have already tried Last Known Good Configuration.  Your thoughts would be very appreciated.
I had to configure the ADFS server for Chrome.

I ran these commands:

1) Import-Module adfs (by opening Windows PowerShell and not Azure Windows PowerShell)

2) Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0","MSIPC","Windows Rights Management Client","MS_WorkFoldersClient","=~Windows\s*NT.*Edge","Mozilla/5.0","Edge/12")

3) Reboot

Everything worked fine,

but there is one Workday mailbox. Before running the command, the IT Workday people used Chrome and typed in the address; it used to ask for the email address of the shared mailbox and then the password, and the user was directed to that shared mailbox. This mailbox is not allowed to be configured in their respective Outlook.

But now, when they type the same Workday mailbox email address and put in the email address, it is doing two things:

1) not asking for the password
2) instead of getting into that Workday mailbox, the user is getting the apps page on the 365 portal, and when they open Outlook, their own mailbox opens up instead of that shared mailbox.

Hope I put the question correctly; so the question is that the shared mailbox is not opening or showing up.

From my personal computer, when I type and put in the Workday mailbox email address, it gives me a prompt for username and password,

but when I am in my network the above issue is happening.
We have a police department client that is required to audit for successful and failed logon attempts, and logoffs, on a weekly basis.  The auditing must be performed by an employee of the PD, which means that we need to generate Event Viewer reports in a way that can be easily reviewed by a layperson.  Ideally a digest would be emailed on a daily basis.  We've set up the server to send emails any time there's a failed logon, but emails every time there's a successful logon or logoff would result in an inordinate amount of email traffic.  

The server is running Windows Server '08 R2.  We're either looking for assistance in setting up digest report emails, or for direction to a piece of software that'll handle it for us.
The NETLOGON and SYSVOL folders are empty. How do we recreate them? Please help us to fix this.
The issue is that while doing the DR scenario, the client is not able to log in using the secondary domain controller if the primary domain controller fails.

What is the reason? Please suggest and help us to fix it.

On the client PC we have manually configured the DNS: the primary is the 1st domain controller and the secondary is domain controller 2.

Please help us to understand what process the client uses to log in if the primary domain controller fails.

Please do the needful. Thank you.

Note: All FSMO roles are on the 1st domain controller only (primary domain controller).

Does anyone know if there will be any additional Group Policy features relating to USB/Removable Device restrictions in Windows Server 2019? I have heard there was, but can't seem to find anything specific.
GPO fails to apply User Policies; Computer Policies are applied successfully. Below is the output:

Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings. {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings might have its own log file. Please click on
the "More information" link. User Policy update has completed successfully.

Not sure how to correct this.
We have a multi-site AD. Each site has internal DNS. How do I make sure that DNS gets updated immediately when we make a change instead of waiting for AD to replicate it?
I'm upgrading my on-prem SBS 2008 server to 2016 Standard. I was performing a one-way sync to Azure. What is the best way to go about pulling down the data in Azure to my new 2016 server?
For my new Exchange 2013 server install: how do I determine our current Active Directory Autodiscover endpoint, and if it is wrong, how do I change it? We just migrated from an Exchange 2010 server.
Can someone comment briefly on what best practice is for demoting a healthy domain controller?
I am planning to replace our 2008 R2 DCs with 2016 DCs and will be reusing the existing names and IPs.
Obviously this is not something we do very often and I just want to make sure I get it right the first time.
So, generally speaking, would we demote the DC to a member server, then uninstall ADDS, WINS, DNS, etc., and then remove it from the domain into a workgroup? Or would we uninstall ADDS, WINS, DNS, then demote the DC to a member server and then into a workgroup?

We have at least two DCs that host and replicate ADDS, WINS, DNS, GC, GPO, etc., and our replication is good. Neither of the DC servers does anything else other than act as a DC.
We are not running a Certificate Authority on the DC.
Neither DC acts as a bridgehead server, as we only have one site and both DCs are in the same subnet/VLAN.
Both DCs are patched to within 1 month of current MS updates and are on the same patch level.
Need to verify that replication between all existing DCs works flawlessly.
Do general server checks (review logs, run dcdiag and netdiag) to isolate and mitigate any existing issues.
Make sure the remaining DC can handle the domain functions (user logon etc.) on its own.
Move all FSMO roles hosted on the DC that is being demoted to another DC.
Make sure it is not the only Global Catalogue, DNS/WINS or only DC in the domain, i.e. that another functioning DC …
I am upgrading our AD from 2008 R2 to 2016.  I am running the adprep commands manually (I know the server promotion will also do it, but in this case I need to run them manually).  After I have completed the adprep /forestprep, do I need to run the /domainprep command as well in the forest root?

The LDAP connection is failing with the error below. I have successfully tested the credentials, and I can telnet on 389 and 636, although I am testing over 389 when I get this error:

Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 52e, v2580
Error 0x8009030C The logon attempt failed

Anybody experienced this issue before?
I am attempting to set up a new multi-forest LDAP instance but am getting stuck with the install of the XML file, followed by a sync. I may be confusing the matter and need some instruction on which steps are correct if I am attempting to pull in and sync all remote domain users to the multiforest partition, and how to resolve the associated errors.

Steps taken and code used:

XML code:

<description>Import domain USers</description>

ADAMSync /install command (no creds):

ADAMSync /install localhost:52512 c:\windows\ADAM\MS-AdamSyncConfdomain.xml /log c:\windows\adam\logs\install.log

Establishing connection to target server localhost:52512.
Updating configuration file on c:\windows\ADAM\MS-AdamSyncConfdomain.xml.
Reading Configuration File from c:\windows\ADAM\MS-AdamSyncConfdomain.xml
Saving Configuration File on dc=multiforest,dc=local
Saved configuration file.

ADAMSync /install (with creds):

ADAMSync /install localhost:52512 c:\windows\ADAM\MS-AdamSyncConfNLS.xml /creds administrator password /log c:\windows\adam\logs\install.log

Establishing …

We are using Exchange 2016 CU10 on-premises but could not set up the email signatures (only images) in OWA.

When we compose an email, the signature image shows up, but when the recipient gets that email (in MS Outlook 2013, 2016 and OWA), it shows the red X icon instead of the proper image.

Can you please suggest? Many thanks!
Hi Guys,

We have an issue where certain users are constantly locked out of Active Directory.
The lock-out event/request seems to be originating from the user's workstation, via their connection with the Exchange server.

Event Viewer shows LogonType = 3
LogonProcessName = NtlmSSP
WorkstationName = xxxx
IpPort 50674

I've installed Wireshark on the Exchange server to monitor the network traffic upon lockout, and it reports Exchange network traffic from the client the moment the account is locked out.

Any ideas will be appreciated.
I have a customer that has an external domain name which is 23 characters long that they want to use for a new Office 365 tenant, so as an example the domain looks like this . I need to build them a new internal Active Directory domain and was going to use but was wondering if an Active Directory domain name with 23 characters, not including the .int or .com, is too long?
Hello all, I'm looking to disable access to USB drives in our environment, and would like to only allow certain people and specific brands of USB drive.

Is this possible using Active Directory, or is there any software that would make it easy to do?

Server 2012 folder redirection is not working. Workstations are both Windows 7 and 10 Pro. On the workstation, when I run gpupdate /force I get this error: "The group policy client side extension folder redirection was unable to apply one or more settings because the change must be processed."

I have tried this on a completely different network yesterday and got the same exact thing.
Complete error:
Hi all,

Working at a school.

I have a request for primary school students to have access to email but only be able to send internally and receive internally, so block external email altogether.

Here's what I have done:

Created a Universal distribution group in AD and added the relevant groups to it, i.e. primary school students.

In Office 365 created a new rule:

- The recipient is located outside the organisation and the sender is a member of (the distribution group I created in AD).

Do the following: delete the message without notifying anyone.

After the above, I have been testing by sending email to a test student via my Gmail account, and the test student can send emails and receive externally.

So it seems like this is not working. Any ideas?

One thing I noticed was that in the members of that distribution list, I am unable to locate the AD security groups. Could this be the reason? My security groups seem not to be automatically synced. I had to go into the attributes of the distribution list to make it sync to Office 365; not sure if it's the same for this.


Vendor Experts: Kevin Stanush (SystemTools Software)