Active Directory

73K Solutions | 110 Articles & Videos | 38K Contributors

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Since the default policy tag will delete anything older than 2 years ...

I would like to know if any items (not in the Recoverable Items folder) exist that are older than 2 years.

Other than Get-MailboxFolderStatistics (as this command is extremely slow), what is available?
0

Our new server is having security issues.  I got a message that it couldn't be refreshed because event viewer service wasn't started.  I tried to start it manually and got the attached error.  I tried to change the log on permissions, but they are grayed out.

How do I fix this?

event permissions
security permissions
0
So I've inherited a somewhat small environment where I manage Active Directory, but the former DBA apparently had all these scripts doing tons of things against AD and everything else in the environment.
The problem is that one of the things happening is this: we have students and alumni on this small campus, and the script, which I believe is the one below, is moving people to the Alumni OU even though they are students.
I can tell that some of this is partly a SQL query, but I was hoping someone with a bit of experience could help translate what is going on here and what criteria/reason is moving someone from one OU to another OU or vice versa.

From the script, I see that one important variable appears to be:
$StudentsThatShouldMove = Fill-Dataset $IntegrationConnString $Sql_StudentsThatShouldMove
   
Does that mean I have to look at the SQL side to see what's going on?
#. \\scorch01.VelCollegenet.edu\C$\Users\Public\Documents\Scripts\_CreateAcctsAndDistGroupsV4.ps1
# .\_CreateAcctsAndDistGroupsV4.ps1
#########0#########0#########0#########0#########0#########0#########0#########0
#
# # Description: Move students and alumni accounts to the correct OUs
#
# History:
#	???????? EWM Initial Creation
#   20111213 EWM Sql Server Agent Job 
#				 [Active Directory NEW students daily].[Shell Game (move stuff around where it goes)]
#				 Occurs daily at 9:00:00 PM with no end date
#
#########0#########0#########0#########0#########0#########0#########0#########0


0
We use Trend Micro in our environment. Someone had created a login script that runs a batch file that installs the TM client. I need to exclude certain computers from this script. The script was added to the Default Domain Policy. We run 2008 R2.
1
If you configure the Azure AD Sync tool in one user profile, it does not seem like you can start it or view or change the settings from another user profile. In a case where we have multiple admins that may need to manage it, what's the best way to do it? Can this be managed from multiple profiles, or must multiple admins access the one user profile it was originally installed and configured under?

Thanks
0
Is there a way for me to track which user makes a change to a record in an Access database? For example, if a field is changed from one selection to another, how would I record the user and the timestamp when the change is made? We don't sign into the database, so there's no prior authentication before using it (access comes via Active Directory permissions). We are on Office 365 subscriptions, so the apps are integrated with our accounts, but I don't see anywhere I can capture that info.
0
I'm trying to install an msi through GPO. It fails on my test box with error code 1274 in the event log. DC is 2008r2, test box is Windows 7. Any ideas?
1
This is what I came up with in PowerShell, but it doesn't list the actual users or exclude people with just 'Domain Users'.

# Note: the parameter dash must be a plain hyphen ("-Properties"), not an en-dash, or PowerShell rejects it.
# Domain Users is normally the primary group and is NOT listed in MemberOf, so users with no other
# memberships have an empty MemberOf and can be filtered out; the user name is carried along per group.
Get-ADUser -Filter {Enabled -eq $false} -Properties MemberOf |
  Where-Object { $_.MemberOf.Count -gt 0 } |
  ForEach-Object { $u = $_; $u.MemberOf | Get-ADGroup | Select-Object @{n='User';e={$u.SamAccountName}}, Name, GroupCategory, DistinguishedName }


1
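A fuller report of the same thing, added here as an example and not part of the original post: disabled accounts that still hold group memberships, with nested membership resolved and protected (adminCount=1) groups flagged, since a disabled account left in Domain Admins or Account Operators is exactly the kind of thing an attacker re-enables. It assumes the ActiveDirectory RSAT module and runs against the current domain; no other names are assumed.

```powershell
# Added example (not from the original post): disabled users that are still members of
# groups other than their primary group, including nested membership, with protected groups flagged.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$s) {
    # RFC 4515 escaping so a DN containing parentheses, '*' or '\' cannot break the filter.
    $s.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-DisabledUserGroupReport {
    # Domain Users is the primary group and does not appear in MemberOf, so an empty MemberOf
    # means "no memberships beyond the primary group" and the account is skipped.
    $users = Get-ADUser -Filter {Enabled -eq $false} -Properties MemberOf |
        Where-Object { $_.MemberOf.Count -gt 0 }

    foreach ($u in $users) {
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership on the DC,
        # so a user who is in "Helpdesk" which is in "Account Operators" is reported for both.
        $dn     = ConvertTo-LdapFilterValue $u.DistinguishedName
        $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties adminCount

        foreach ($g in $groups) {
            [pscustomobject]@{
                User      = $u.SamAccountName
                Group     = $g.Name
                Category  = $g.GroupCategory
                Protected = ($g.adminCount -eq 1)   # AdminSDHolder-protected group (Domain Admins, etc.)
                GroupDN   = $g.DistinguishedName
            }
        }
    }
}

# Protected groups first, so the entries worth cleaning up today are at the top.
Get-DisabledUserGroupReport | Sort-Object Protected, User -Descending | Format-Table -AutoSize
```

The nested query is the part the one-liner cannot do: `MemberOf` only lists direct memberships, while the matching-rule filter asks the DC to expand the chain. On a large domain wrap the `Get-ADUser` call with `-ResultSetSize $null` or scope it with `-SearchBase` to keep the run time reasonable.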
Trying to secure my RDP connection, so we are using TLS. I have created a template and a Group Policy to deploy it.

When I log on to the server I get the following error:

The terminal server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.

Domain Computers on the template has Read and Enroll rights. It only had Enroll, but I added Read as well. Not sure if I have to push this change through?
0
Hi all, I am attempting to gauge the performance impact that LDAP traffic is having on a DC. I am looking at this TechNet article:
https://msdn.microsoft.com/en-us/library/ms808539.aspx#efficientadapps_topic01aa
Halfway down the page this header appears: Determining Query Timing with the Statistics Control

I have opened ldp.exe on the DC and set the STATS control as advised. I then perform a couple of the LDAP queries; all good so far. My question: the article says this:

Using the STATS control, the server returns the following information:
Thread Count: <thread count>
Core Time: <core time>
Call Time: <call time>
Subsearch ops: <sub search operations>
Entries Returned: <entries returned>
Entries Visited: <entries visited>
Used Filter: <filter (octet string)>
Used Indexes: <indexes used (octet string)>

But where? I can't find any event or log that shows the result. Does anyone know? I have ramped up Field Engineering logging and LDAP diagnostics, but still I can't see any trace of the evidence that this article says should appear.
Many thanks
0

Hi all,

We have recently upgraded our internal CA to SHA256. We have a number of internal web servers that have SHA1 certificates that are still valid. We are looking to upgrade each of the certificates through a controlled process. My question is: if we renew the certificates on the servers with the new SHA256 CA and there are any issues, are we able to recreate a new cert using a SHA1 cert?
0
I see in the logs the following error for a lot of different workstations joined to the domain:

The session setup from the computer xxxxxxx$ failed to authenticate. The name(s) of the account(s) referenced in the security database is xxxxxx$.  The following error occurred:
Access is denied.

NETLOGON event ID 5722

Server 2008

Please help
0
I had this question after viewing (Open)LDAP V2.44  search proxy to AD (W2012R2).

I am following this article (https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD) in order to set up an OpenLDAP proxy. But when I run an ldapsearch command against the Windows AD, I get the bind error below:

root@VMUSDevLDA01:/etc/ldap# ldapsearch -x -h 10.41.22.100  "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v2580



Here is my nslcd.conf file; what is wrong with it?

# Mappings for Active Directory
pagesize 1000
referrals off

# Passwd
filter passwd (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    passwd homeDirectory     UnixHomeDirectory
map    passwd gecos             displayName
map    passwd gidNumber         primaryGroupID

# Shadow
filter shadow (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    shadow shadowLastChange  pwdLastSet

# Groups
##filter group (&(objectClass=posixGroup)(gidNumber=*))
##map    group uniqueMember       member

# Local account for nslcd
uid nslcd
##gid ldap
gid
0
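For comparison, an added nslcd.conf fragment (example configuration, not from the original post or the Samba wiki) showing the part that makes the difference against a domain controller: AD refuses searches on an unauthenticated connection by default, which is what the `000004DC ... a successful bind must be completed` result above says, so the backend has to bind with a real account and, because that means sending a password, it should do so over LDAPS with certificate checking on. The host, base DN, service account, CA file and the `nslcd` gid are assumptions; the passwd/group maps are kept as in the post.

```conf
# Added example nslcd.conf for a direct AD backend (host, base, account and paths are assumptions).
uid nslcd
gid nslcd

# LDAPS to the DC, so the bind password below never crosses the wire in clear text.
uri ldaps://dc01.example.corp/
base dc=example,dc=corp

# AD rejects anonymous searches by default: bind as a dedicated, least-privilege account.
# An ordinary domain user can read the posixAccount attributes; do not use an admin here.
binddn CN=svc-nslcd,OU=Service Accounts,DC=example,DC=corp
bindpw REPLACE-WITH-PASSWORD
# nslcd.conf now holds a credential: keep it root-owned, mode 0600.

# Fail closed if the DC presents a certificate not issued by the internal CA.
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/corp-root-ca.pem

pagesize 1000
referrals off

# Mappings for Active Directory (as in the original post)
filter passwd (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    passwd homeDirectory     unixHomeDirectory
map    passwd gecos             displayName
map    passwd gidNumber         primaryGroupID

filter shadow (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
map    shadow shadowLastChange  pwdLastSet

filter group (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember      member
```

The same applies to the manual test: `ldapsearch -x -H ldaps://dc01.example.corp -D 'svc-nslcd@example.corp' -W -b 'dc=example,dc=corp' '(objectClass=*)'` binds as that account (`-W` prompts for the password) and returns entries where the anonymous `-x -h 10.41.22.100` form returned the operations error.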
Over the past month we have built two 2-tier PKI environments for our domains. One of them appears to be working correctly and the certificates from the templates are being pushed (Workstation Authentication, RDP Auth) as normal. However, on our second domain this is not the case. I have set up both PKI environments for the domains exactly the same (minus the domain names), as I read through the same article for both installs. I did notice that some of my servers in the partially functioning PKI have gotten the Workstation Authentication cert; however, I can only get the RDP Auth template to work if I am on a server and I put in a certificate request. The Active Directory call comes up and when I request the RDP Auth certificate it pulls from my new PKI environment. I'm doing a controlled decommission of the old CA (no templates present and slowly revoking certificates), but as I am not seeing the new environment push out new certificates correctly I am stalled.

On the new PKI templates I made sure that Domain Computers has Read, Enroll and Autoenroll. I also made sure that Cert Publishers on the domain has the computer that is my subordinate CA as a member. I also verified that in our Default Domain Policy the settings for autoenrollment under the security policy are configured per Microsoft articles I have found. I did a tab-by-tab comparison of the working PKI to the "non-working PKI" for RDP Auth and the settings are the same.

I am not sure what else to look at now and am…
0
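Both this post and the RDP/TLS template post above come down to the same question: which principals actually hold Read, Enroll and Autoenroll on a template. Those permissions are not stored on the CA but as an ACL on the template object in the Configuration partition, where Enroll and Autoenroll are extended rights with fixed GUIDs. The script below is an added example (not code from either post or from Microsoft) that reads that ACL and summarises it per principal; it assumes the ActiveDirectory RSAT module, read access to the Configuration naming context, and a template whose cn is 'RDPAuth' (pass the template's cn, which can differ from its display name).

```powershell
# Added example (not from the original posts): list Read / Enroll / Autoenroll per principal
# for a certificate template, straight from its ACL in the Configuration partition.
Import-Module ActiveDirectory

# Extended-right GUIDs for certificate enrollment; schema-defined, identical in every forest.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-00de-b2d3-10ed06a33b7b'   # Certificate-AutoEnrollment

function Get-TemplateEnrollRights {
    param([Parameter(Mandatory)][string]$TemplateCn)

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl = Get-Acl -Path "AD:\$dn"

    $ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $gr = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $rp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $er = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $summary = @{}
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # deny ACEs are not summarised here
        $id = $ace.IdentityReference.Value
        if (-not $summary.ContainsKey($id)) {
            $summary[$id] = [pscustomobject]@{ Identity = $id; Read = $false; Enroll = $false; AutoEnroll = $false }
        }
        $rights      = $ace.ActiveDirectoryRights
        $fullControl = (($rights -band $ga) -eq $ga)
        $canRead     = $fullControl -or (($rights -band $gr) -eq $gr) -or (($rights -band $rp) -eq $rp)
        # An extended-right ACE names the right in ObjectType; the empty GUID means "all extended rights".
        $extended    = (($rights -band $er) -eq $er)
        $allExtended = ($ace.ObjectType -eq [guid]::Empty)

        if ($canRead) { $summary[$id].Read = $true }
        if ($fullControl -or ($extended -and ($allExtended -or $ace.ObjectType -eq $EnrollGuid))) {
            $summary[$id].Enroll = $true
        }
        if ($fullControl -or ($extended -and ($allExtended -or $ace.ObjectType -eq $AutoEnrollGuid))) {
            $summary[$id].AutoEnroll = $true
        }
    }
    $summary.Values | Sort-Object Identity
}

Get-TemplateEnrollRights -TemplateCn 'RDPAuth' | Format-Table -AutoSize
```

For the GPO-driven cases in both posts the computer account, normally through Domain Computers, needs Read and Enroll; autoenrollment additionally needs Autoenroll on the template, the "Certificate Services Client - Auto-Enrollment" policy enabled, and the template published on the issuing CA (its Certificate Templates folder), which the script does not check. Because the ACL lives in the Configuration partition, a permission change is only effective once it has replicated to the DC a given client is using; `certutil -pulse` on the client forces an autoenrollment pass, and `certutil -v -template <cn>` dumps the template as that client sees it, ACL included, which is the quickest way to tell a replication lag from a genuine permission gap.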
One of our customers' DCs has died: the motherboard went on it, and they have replaced it with a brand-new server.

I have the pleasure of rebuilding this machine. I have the HDD from the old DC and am in the process of building the new server on Windows 2016 (they previously used 2003, I think), and rather than set up a new domain and new AD structure, I was wondering if I could somehow pull the old data from the HDD and import it into the new AD.

We have Windows Server image backups of the old machine. Does anyone know if it's possible to import the old data (users mainly) so that I don't have to set up an entirely new domain and new users and then manually get all of their machines moved over to the newly built domain?
0
We have an AD account, and it should be given the minimum permissions required to do just the tasks below. Nothing else.
1. The user should be able to log on remotely to the server (a domain-joined computer).
2. The user should be able to start/stop services using a command prompt (cmd.exe "Run as administrator").

Can we assign the user to any of the groups in the attached screenshot, or do we need to create something else?

Appreciate your help.
groups.jpg
0
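The minimum for the second task is not a local Administrators membership: the Service Control Manager keeps a security descriptor on every service, and start/stop can be granted on a single service to a single group. The script below is an added example (not from the original post) that appends such an ACE with .NET's security-descriptor classes rather than hand-editing SDDL strings; the group 'CONTOSO\SvcOperators' and the service 'Spooler' are assumptions, and it has to run elevated on the target server because rewriting the descriptor is itself a privileged operation. The first task is covered separately by adding the account to the server's local Remote Desktop Users group, which holds the "Allow log on through Remote Desktop Services" right by default.

```powershell
# Added example (not from the original post): grant one domain group start/stop/query rights on
# one service without local admin. Run elevated on the server; group and service names are assumptions.
$ServiceName = 'Spooler'
$GroupName   = 'CONTOSO\SvcOperators'

# Service-specific access rights (winsvc.h) plus READ_CONTROL.
# Deliberately excludes SERVICE_CHANGE_CONFIG (0x2): changing the binary path would be a
# privilege escalation route, so "start/stop" must never include it.
$SERVICE_QUERY_CONFIG = 0x0001
$SERVICE_QUERY_STATUS = 0x0004
$SERVICE_START        = 0x0010
$SERVICE_STOP         = 0x0020
$SERVICE_INTERROGATE  = 0x0080
$READ_CONTROL         = 0x20000
$StartStopMask = $SERVICE_QUERY_CONFIG -bor $SERVICE_QUERY_STATUS -bor $SERVICE_START -bor `
                 $SERVICE_STOP -bor $SERVICE_INTERROGATE -bor $READ_CONTROL

function Add-ServiceStartStopAce {
    param(
        [Parameter(Mandatory)][string]$Service,
        [Parameter(Mandatory)][string]$Principal,
        [int]$AccessMask = $StartStopMask
    )
    # Current descriptor as 'sc sdshow' prints it (one SDDL line starting with "D:").
    $sddl = (& sc.exe sdshow $Service | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1)
    if (-not $sddl) { throw "Could not read the security descriptor of service '$Service'" }
    $sddl = $sddl.Trim()

    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    $ace = New-Object System.Security.AccessControl.CommonAce -ArgumentList @(
               [System.Security.AccessControl.AceFlags]::None,
               [System.Security.AccessControl.AceQualifier]::AccessAllowed,
               $AccessMask, $sid, $false, $null)

    # Append to the DACL: every existing ACE (SYSTEM, Administrators, ...) is kept untouched.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

    & sc.exe sdset $Service $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
    return $newSddl
}

Add-ServiceStartStopAce -Service $ServiceName -Principal $GroupName
# Verify from the operator's (non-elevated) session:  sc query Spooler ; sc stop Spooler ; sc start Spooler
```

The returned SDDL will show the new ACE as `(A;;CCLCRPWPLORC;;;S-1-5-21-...)`: CC/LC are query config/status, RP/WP are start/stop, LO is interrogate, RC is read control. Keep a copy of the original `sc sdshow` output before running it so the change can be reverted with `sc sdset`.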
Hi, I know there are lot of feeds with my problem. I tried to search as much as I can, still no progress.

I have a problem with AD replication between 4 servers. I'm working at a school, and in the main school building there are two physical servers with virtual machines on them (PDC01, PDC02). These are the main AD directories. There are two other buildings with physical servers: the first (PDC04) and the farthest from the school (PDC03). I only have a problem with PDC03, where there are about 5 kinds of errors. I'm new to this topic, so please don't laugh if I get something wrong. I'm posting some files which I found useful for you. The next thing is that I'm not a native English speaker; I hope I can understand everything. Thank you. Michal
dns-error.txt
V-st-i-ek.PNG
0
Hi All,

I'm in the process of migrating mailboxes from one Exchange Server 2013 SP1 to another 2013 SP1 (no DAG) using the batch migration PowerShell cmdlets.

I can see the batch migration status from the Exchange Control Panel website. However, I need to mount and dismount the mailbox database on the new server due to removing the quota implementation. What's the impact of pausing or STOPPING the batch migration, which caused the migration process to become SUSPENDED?

Can I still resume it again after mounting the mailbox database on the destination server?
What's the impact to the users when the migration process is STOPPED or in the SUSPENDED state?

I'm not going to delete the migration batch (by clicking the bin icon), since I need to get off the old server and onto the new server.

Any help and comments would be greatly appreciated.

Thanks.
0
Hi All,

What's the impact of taking a backup of an Exchange Server (no DAG) with Veeam (VSS-aware, or Application-Aware Processing enabled) when the server is currently running with circular logging and a mailbox database is being migrated from one server to another?
More info about the application aware: https://helpcenter.veeam.com/docs/backup/vsphere/backup_job_vss_application_vm.html?ver=95 

The reason I ask this question is that the migration of the 2 TB+ mailbox database is quite slow, about 5 GB per hour, which is about 17 days with no backup running on the email server.

Any help and comments would be greatly appreciated.
0

Hi All,

Can anyone please assist me in correcting the PowerShell script below to properly display the total size of each Exchange mailbox database in GB?

# TotalItemSize / TotalDeletedItemSize are ByteQuantifiedSize values, not numbers, so Measure-Object
# cannot sum them (hence the 0): convert each to bytes first. -ResultSize Unlimited avoids the
# default 1000-object cap on Get-Mailbox, which would under-count large databases.
Get-MailboxServer | Get-MailboxDatabase | Select-Object Server, Name,
    @{n='MailboxesCount'; e={ @(Get-Mailbox -Database $_.Identity -ResultSize Unlimited).Count }},
    @{n='Size (GB)'; e={
        $bytes = Get-MailboxStatistics -Database $_.Identity |
            ForEach-Object { $_.TotalItemSize.Value.ToBytes() + $_.TotalDeletedItemSize.Value.ToBytes() } |
            Measure-Object -Sum
        '{0:N2}' -f ($bytes.Sum / 1GB)
    }} | Format-Table -AutoSize -Wrap



Because when I run the script it only shows the count, but the size is just all 0 bytes.
Would it be possible to show the GB free on the disk where the .EDB file is located?

Thank you,
0
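For the second question, the database's own size and whitespace come from `Get-MailboxDatabase -Status` rather than from summing mailbox statistics, and the free space on the volume holding the .edb file can be read over WMI from the owning server. The function below is an added example (not from the original post); it assumes an Exchange Management Shell session and WMI access to each mailbox server, and no other names.

```powershell
# Added example (not from the original post): database size, whitespace and free space on the
# volume that holds the .edb file, one row per mailbox database.
function Get-MailboxDatabaseCapacity {
    Get-MailboxDatabase -Status | ForEach-Object {
        $edbPath = $_.EdbFilePath.PathName              # e.g. E:\Databases\DB01\DB01.edb
        $drive   = Split-Path -Path $edbPath -Qualifier # e.g. E:
        # Win32_LogicalDisk.DeviceID is the drive letter with colon, which is what -Qualifier returns.
        $disk    = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $_.ServerName `
                                 -Filter "DeviceID='$drive'"
        [pscustomobject]@{
            Server            = $_.ServerName
            Database          = $_.Name
            Mounted           = $_.Mounted
            'DB Size (GB)'    = '{0:N2}' -f ($_.DatabaseSize.ToBytes() / 1GB)
            'Whitespace (GB)' = '{0:N2}' -f ($_.AvailableNewMailboxSpace.ToBytes() / 1GB)
            EdbPath           = $edbPath
            'Disk Free (GB)'  = '{0:N2}' -f ($disk.FreeSpace / 1GB)
            'Disk Free %'     = '{0:N0}' -f (100 * $disk.FreeSpace / $disk.Size)
        }
    }
}

Get-MailboxDatabaseCapacity | Sort-Object 'Disk Free %' | Format-Table -AutoSize
```

One caveat: if a database sits on a volume mount point (a path such as `C:\Mounts\DB01\...`), `-Qualifier` returns the parent drive and the free-space figure is for the wrong volume; in that layout query `Win32_Volume` by its `Name` (the mount path) instead of `Win32_LogicalDisk`.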
I'm trying to add .NET Framework 3.5. It asks me for an alternate location for the source. I put the DVD in the drive and selected the drive letter, but it still fails.

Do I need to put the path in to a specific location on the DVD or could I run setup and add features?
0
Is there a way to create two new user accounts in AD and have them in the same OU? I can't do this today, as it states the user already exists in the OU. Even though their sAMAccountName and UPN are different, the display names are the same, and I think that's what's not allowing us to do this...


DisplayName : Sam Adams
OU : Chicago Office
SAMAccount : Sam.Adams
UserPrincipalName : Sam.Adams@contoso.com
PrimarySMTPAddress :  Sam.Adams@contoso.com

DisplayName : Sam Adams
OU : Chicago Office
SAMAccount : Sam.Adams2
UserPrincipalName : Sam.Adams2@contoso.com
PrimarySMTPAddress :  Sam.Adams2@contoso.com
0
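An added example (not from the original post) showing the two accounts above being created side by side. The uniqueness constraint inside a container is on the object's RDN, the cn, which the ADUC wizard fills in from "Full name"; displayName is an ordinary attribute and may repeat freely. With `New-ADUser`, `-Name` sets the cn, so deriving it from the already-unique sAMAccountName keeps both objects distinct. The OU path and UPN suffix are assumptions, and the accounts are created disabled because no password is set.

```powershell
# Added example (not from the original post): same DisplayName, same OU, distinct cn.
Import-Module ActiveDirectory

function New-UserWithUniqueCn {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$OuDn,
        [string]$UpnSuffix = 'contoso.com'       # assumption
    )
    # -Name becomes the cn (RDN). The RDN must be unique within the OU; DisplayName need not be.
    # Using the sAMAccountName for the cn guarantees uniqueness without touching the display name.
    New-ADUser -Name $SamAccountName `
               -SamAccountName $SamAccountName `
               -DisplayName $DisplayName `
               -UserPrincipalName "$SamAccountName@$UpnSuffix" `
               -Path $OuDn `
               -Enabled $false `
               -PassThru
}

$ou = 'OU=Chicago Office,DC=contoso,DC=com'     # assumption

New-UserWithUniqueCn -SamAccountName 'Sam.Adams'  -DisplayName 'Sam Adams' -OuDn $ou
New-UserWithUniqueCn -SamAccountName 'Sam.Adams2' -DisplayName 'Sam Adams' -OuDn $ou

# Both objects now exist in the same OU with the same display name but different RDNs:
Get-ADUser -Filter {DisplayName -eq 'Sam Adams'} -SearchBase $ou | Select-Object Name, SamAccountName, DistinguishedName
```

The same holds when the second account is created in ADUC: change "Full name" (the cn) to something unique and leave Display name as it is, rather than the other way round.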
I know this is okay but I wanted to see if anyone could explain to me why our conditional forwarders do not resolve the "Server FQDN". I attached a screen shot. The conditional forwarders are on a domain that is setup on a trust relationship.

Everything else resolves and validates.
DNS-forwarders.bmp
0
Hi

How do I resolve this issue: unable to start up for an Active Directory user in Windows 2012?
0
Hi all,

we have the below error from SCCM 2012:

distribution manager failed to connect to the distribution point mswnet sccm 2012

We are now using discovery by network only, and machines are being discovered, but the number discovered increases very slowly, i.e. every day approximately 3-5 machines are discovered.

Any idea why this error shows?

And how can we speed up the discovery method?

Thanks all
0
