Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Hi All,

I wanted to know how to audit Active Directory's setup to determine where a security group has been configured. Preferably using a Windows tool or a Microsoft product. This is on Server 2003/2008 R2.

Thanks in advance
I have a new Server 2016 machine on the same domain as an old SBS 2008 machine. I have joined the 2016 box to the domain and promoted it to a DC. It has replicated AD, DNS and Group Policy but it won't create the SYSVOL or NETLOGON shares on the new machine. I have tried all the fixes on Google I could find that seemed relevant but it won't replicate FRS. As it seems to have replicated everything else, I was wondering if I could simply manually copy over the SYSVOL and NETLOGON shares to the new machine? I know it's probably not recommended, but the old machine will be demoted, so in theory I would have thought that at that point it wouldn't matter that it couldn't replicate?
Anyway, if anyone has any idea if this approach is workable please let me know.
Thanks in advance.
Andrew
Please, I want to update the address book on all Outlook PCs. For that, where is the GPO or GPP setting to update it automatically?

Manually:
In Outlook 2010 and Outlook 2013
tab Send/Receive -> Send/Receive Groups -> Define Send/Receive Groups -> Download Address Book

Do you have an idea how to run this in the background?

Thx
In my organization 6 sysadmin persons are working. I have 2 DCs in my organization, 2012 R2 servers. All sysadmin persons are in Domain Admins. Now I want only one user to have super user rights. Now I want to remove rights from the remaining users; how do I give them limited rights so they can add to the domain and create and delete users? How to set this up?
We use GPO and a certificate server to control access to our corporate wireless, which works well for domain-joined computers. Is there a way to install the GPO and certificate on a device not joined to the domain?
Dear Experts,

We want to give one of the members of a distribution group SendAs permission.
We have a one-way sync from our on-prem AD server to Office 365.

When we try to change the user permission in the Admin Portal of Exchange Online, we get this message:

The action 'Set-DistributionGroup', 'GrantSendOnBehalfTo', can't be performed on the object 'Comms' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

We also tried this from on-prem AD, but the only method we found makes us apply the permission to the entire OU.

Please advise.
What are the steps required to configure a group policy to disable the CTRL-ALT-DEL requirements when logging on?

I need to configure this policy for some clients within my test environment.

How can this be done?
I'd like to import and export AD OUs and User objects as well from one domain controller to another. I've been Googling the LDIFDE utility but haven't found good or step-by-step instructions. I'm sure we have great technical minds here and I decided to seek help.
Both servers are Win2016 environments and have everything in common except the domain name, and with the short amount of time left there's no need to start over.
No user objects needed, just the OUs and their GPOs if at all possible.
We are planning to install Windows 2012 R2 and DHCP. IPv6 is enabled in Windows.

Is there any issue with leaving it on or disabling it?
Hi

I've established a transitive forest trust between Active Directory domains (let's call them DomainA and DomainB). I'm able to successfully access DomainB objects from member servers and workstations in DomainA (i.e. give DomainB groups file permissions, etc.). However, I'm unable to do the opposite in DomainB. For example, if I attempt to give a DomainA group file permissions on a member server in DomainB, I receive the following error:

"The Active Directory Domain Controllers required to find the selected objects in the following domain are not available"

The problem only seems to affect DomainB workstations and member servers. On a domain controller, I'm able to add a DomainA user to a DomainB group.

I've confirmed that DNS resolution is working between the domains, and verified the trust. There is no physical firewall between the DCs, and all Windows firewalls have been disabled.

DomainA is running all 2016 DCs, while DomainB is running 2008 R2.

I'm drawing a blank on what's going on.
Is there a way to migrate all the folders and files that are used for folder redirection from the old server to the new server?

I have used ForensiT to migrate all the profiles, but for some reason it's pointing to the old server folder redirection and no files and folders got migrated from the old server after running ForensiT.

Thanks.
Source:        NfsClnt
Date:          7/11/2018 9:57:49 PM
Event ID:      16397
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      MDFS.mddist.local
Description:
  Windows(R) Lightweight Directory Access Protocol (LDAP) failed a request to connect to Active Directory Domain Services(R) for Windows user <MDDIST\Administrator>.

  Without the corresponding UNIX identity of the Windows user, the user cannot access Network File System (NFS) shared resources.

  Verify that the Windows user is in Active Directory Domain Services and has access permissions.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NfsClnt" />
    <EventID Qualifiers="32768">16397</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-07-12T02:57:49.000Z" />
    <EventRecordID>77</EventRecordID>
    <Channel>Application</Channel>
    <Computer>MDFS.mddist.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>MDDIST\Administrator</Data>
  </EventData>
</Event>
Hello Experts,
After moving users' mailboxes from the old mailbox database to the new mailbox database, I dismounted the mailbox database, and while deleting the mailbox database from the active server I am getting the below error message.

Can I move the HealthMailboxes from the old mailbox database to the new mailbox database?

[Or]

Delete the HealthMailboxes associated with the old mailbox database users from the Monitoring ADUC container?

This is the message I received on the Mailbox Server.
 -----------------------------------------------
 WARNING: Failed to remove monitoring mailbox object of database "MBX_Server_EDC_1_Remove". Exception: Active Directory
 operation failed on EX-DC01.Domain.com. This error is not retriable. Additional information: Access is
 denied.
 Active directory response: 00000005: SecErr: DSID-03152501, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

 ----------------------------------------------
Your help will be appreciated.

Thanks-Sami
We have a Non Enforced Policy Applying to Users in a Blocked Inheritance OU, how can this happen?
I created a GPO folder redirection policy and users started to sync from their old redirection location to the new server. I have one user that didn't read the email stating to let this run and they hard shut down the PC... when they booted back up and logged in it will not continue where it left off and I can't figure out how to resume or start over with this specific user.
DNS scavenge with multiple DHCP lease times

We have the following configuration. Also attached is our DHCP configuration at the top level. We have the default Server 2012 R2 options, "Dynamically update DNS records only if requested by the DHCP clients" with "Discard A and PTR records when lease is deleted" ticked. We have credentials set for DNS dynamic update & our DHCP servers are added into the DnsUpdateProxy group. Scopes & counts are as follows:

9 DHCP scopes with 1 day lease
12 DHCP scopes with 2 day lease
11 DHCP scopes with 8 hour lease
105 DHCP scopes with 8 day lease

I have done a lot of reading about the refresh + no-refresh ideally being the same as the DHCP lease time, but the assumption is that DHCP lease times are the same for all scopes. In our scenario they are not, & so I'm not really sure of the impact of different scavenging options.

The majority are 8-day leases, so reading many blogs it mentions this should ideally match the total refresh. So values of 4 & 4 for no-refresh & refresh, but then what is the impact of this on our scopes with 1-day, 2-day & 8-hour leases? I suppose the risk is they end up with duplicates until the zone is scavenged?

This is where I am thinking we should maybe configure DHCP to "Always dynamically update DNS records", but I don't know if this is actually required. My thinking is that if an address is assigned to another computer DHCP can update DNS & we shouldn't have duplicates, then configure 4 + 4 days for scavenging. Or is this not …
I am following the below links to enable ISTG for intersite and intrasite and have a doubt about this.
Hope someone will help me.
https://terrytlslau.tls1.cc/2011/07/disabling-knowledge-consistency-checker.html?m=1
https://blogs.technet.microsoft.com/markmoro/2011/08/05/you-are-not-smarter-than-the-kcc/

I checked our site's options and noticed the option is "none".
Step 10 in link 1 above lists the numbers to disable both intersite and intrasite.
The same number is used in link 2.
What is the number I have to enter to enable both intrasite and intersite?
My second question is, do I have to delete the existing manual NTDS object before enabling ISTG?
I have a Hyper-V machine that I cannot log in to. It says the trust relationship between this workstation and the primary domain failed. I do not know the local admin password or if it's even enabled. What can I do?
How do I restrict users from installing applications on Windows 10 Pro without admin permission? Currently all users can download/install applications on their domain machines.

Regards
SMBv2 status in Windows 7 - For obvious reasons I have a requirement to shut down SMBv1 on all workstations in an organisation (AD 2008) and make them all use SMBv2. I have the information from this link:

https://support.microsoft.com/en-gb/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and 

However, it appears to me that the Windows 7 workstations have SMBv2 disabled by default. Firstly, does anyone know if that is the norm for Win 7?

Secondly, does anyone know of a way to enable SMBv2 in Windows 7 using a GPO?

(I know the MS article I referenced above shows how to enable it using sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi & sc.exe config mrxsmb20 start= auto, but how might I do this within Group Policy?)

Thanks
I had this question after viewing "Node(s) server01.domain.com server02.domain.com cannot reach a writable domain controller. Please check connectivity of these nodes to the domain controllers."

I am validating a Windows failover cluster. I am getting the below errors. Can someone help me out with this?

Connectivity to a writable domain controller from node VMClient01.domain.com could not be determined because of this error: Could not get domain controller name from machine VMClient01

Connectivity to a writable domain controller from node VMClient02.domain.com  could not be determined because of this error: Could not get domain controller name from machine VMClient02

Node(s) VMClient01.domain.com  VMClient02.domain.com cannot reach a writable domain controller. Please check connectivity of these nodes to the domain controllers.
How do I connect LDAP to a Samba domain controller on Ubuntu?
I have a Samba 4.X domain controller.
ps -ef | grep samba
also shows me smb using port 389.
From DNS I can see LDAP is running on port 389.
But ldapsearch -x ldapi:/// is OK but does not show my search.
I have one Windows user (Win10) that joined the domain, so normally they will have no permission to make any changes on the local computer. I want to give permission to that domain user to be able only to install any software on their computer, but keep every other strict permission as original. How to do that?
I have a list of computer names that I'd like to get the IP addresses for. The addresses are static and it's a list of about 100 computers. I need a PowerShell script that can go out and match the host names to their IPs and list them out in an Excel sheet.
Hello, I need to disable batch file execution in an RDP (Windows 2012 R2) session for a regular user. Administrators should be able to run batch scripts. If the GPO "Prevent access to the command prompt" is enabled and "Disable the command prompt script processing also?" is set to "Yes", then batch files cannot be executed, but the login script cannot run as well.

Also, GPO has a note:
"Note: Do not prevent the computer from running batch files
if the computer uses logon, logoff, startup, or shutdown
batch file scripts, or for users that use Remote Desktop Services."

If this option is set to "No" then the login script can be executed, but a command prompt can be opened by executing a batch file with the following content:
@echo off
:loop
set /p cmd="%cd%> " 
%cmd%
goto loop  

Thank you.