Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


We have several users using a single RDS server who should be seeing eight printers deployed by Group Policy.
--The GPO has them listed under both User and Computer configuration / Policies / Windows Settings / Printer Connections. gpresult /r states that the policy is being applied.
--RDS users at that location have several settings set for them, including lack of the ability to use the Run command or get to any server using "\\servername\share" (Disabled in registry). Mapped drives do display.
--One printer is visible, however, and it is one of the ones in the list, but displays with the MAC address and other info for the HP printer, instead of \\servername\printer name.
--When we add the printer under Control Panel (as administrator) the driver is downloaded and printer added successfully, but does not display in Control Panel.
--GPO does have Authenticated Users under both Scope / Security Filtering and Delegation Tab with Read Access.
--I have attempted to move the GPO up to the top of the Linked Group Policy Objects order in both the Terminal Server container and the main container for the domain to no avail.

Trying to ascertain just what could be blocking users from seeing those printers that another policy is deploying. Like I said, I can add them but they don't appear after hitting Finish.

I have a 2010 Exchange system that I need to do a few things with. One of the things I would like to do is also migrate from my old domain name to the new one, but this seems to be a task I am not 100% sure I can do, and a consultant wants to charge a large sum of money to do this.

  1. Migrate to a new Domain. How hard is this, and is moving to O365 in a new tenant an option?
  2. Relocate DBs to a new VMDK. The DBs are currently on LUNs that are connected to the VM via iSCSI. The reason I am asking this is because vCenter does not see these drives, so to back this machine up I need to do it old school as if it was a physical server. I would like to move the DBs to another drive that is a VMDK. I have 7 DBs, all around 500 GB each.
  3. Or should I do a mailbox move to new DBs located on the VMDKs?
I am looking for a JavaScript to plug into vRealize Orchestrator that will search Active Directory sub-OUs and pass the returned LdapEntry DN to the ActiveDirectory.rename() method. I was thinking the searchForEntry method might work, but I am not sure how to write that.

So far, this is my script, and it is confined to a computer object in the first line. It is designed to move a computer object from one OU to another.
// hostname is a workflow input: the name of the computer object to move
var from = "CN=" + hostname + ",OU=Servers,OU=Centrify,DC=COMPANY,DC=COM";  // current DN of the object
System.log(from);
var to = "CN=" + hostname;  // new RDN (the name is kept; only the parent changes)
System.log(to);
var newParent = "OU=Computers,OU=ToBeDeleted,DC=COMPANY,DC=COM";  // destination OU
System.log(newParent);
ActiveDirectory.rename(from, to, newParent);  // move the object under newParent


Our users' AD accounts are occasionally being locked out, with the events showing the Caller Computer Name as WORKSTATION. We do not have any computer called WORKSTATION on the domain. I read somewhere this might be related to iPhones, but I can find nothing now on this reference.

Any experience with this and assistance as to what the cause is?


I need a GPO to have a Screensaver lock our workstations after 15 mins.  Can I follow the instructions from this link?

This mapped drive preference used to assign a drive label.
Preference with drive label
H drive mapping using the label
The drive mapping is assigned to this registry entry

We now want to stop using drive labels. The following attempts were made to remove the drive label.

1.   The drive label text was removed from preference.  
2.   Changed the drive label name which does update the registry entry.
3.   Deleted the drive label text again, which again did not remove it from the registry.
4.   Deleted the map drive within the preference, which again did not remove it from the registry.

I am looking for suggestions on how to remove the drive label from the registry.
What is the minimum AD functional level to deploy RDS 2019? Do I need at least one 2019 Domain Controller in our domain?

What manages the 2019 RDS CALs? I have licenses for the 2019 OS; do I need to purchase 2019 CALs?

What is the method to enable and configure Windows Hello Face (attached) or fingerprint via GPO in Windows 10 (1903)?

Best regards,

I enabled Microsoft MFA for a few users. Is there any way to avoid having to use App Passwords or is there a way for them to create their own? The automatic ones from Microsoft are difficult to remember and are already deterring users from wanting to test MFA. I am a domain admin with MFA enforced (not just enabled) and have never been prompted for my app password on any Office program or online offering (e.g., SharePoint online) and neither has my colleague. I use text but my colleague uses the MS Authenticator app.  

One user was prompted on his iPhone's native email app for his password and didn't know to use the app password so was entering his domain password which obviously would not authenticate him. Another was prompted when opening Outlook but I have no other information except that he told me he got an error when entering his password (again, domain password). Again, I have never been prompted for a password where I had to use an app password so not sure why they are. They are not domain admins, for reference.  

We have not configured any conditional access rules.

Thanks for any help understanding this and configuring it, if possible, to simply require the verification code to authenticate.
Hi - A spammed user in our system is frequently being trapped by external email systems and flagged as junk.
Here is the rub - the user has a display name with a special character (an umlaut, double dot).

The display name has this character in one letter. I'd like to understand where the display name is analyzed by an email system, if at all, and using what mechanism. Her email address does not contain the special character, so her display name is different from her email address. How does an email system work to check this? Is the only option to remove it from her display name? It's an O365 Exchange Online user.


Can I add a Universal Security Group as a member of a Global Security Group?

I have a Universal Security Group that I want to make a member of a Global Security Group. However, when I go to the properties of the Global Security Group / Members and then try to search and add the Universal Security Group, it does not show up.

I thought probably it cannot be done

Any idea?

Thank you
I need to configure a group policy object for a specific user connecting to an RDS server via a thin client.  It's a shared account and we don't want the screen saver to kick in so they have to type the shared account password. Just log in and keep it up.

I don't want any of the other users to be affected by this GPO, so I'm looking in the User configuration and can't locate the screen saver disable option or something similar. Where can I set this?  

A user account is locking frequently, but the caller computer name is not showing.
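The two lockout posts above (caller computer name WORKSTATION, and caller computer name blank) both come down to reading the 4740 events the PDC emulator records. The following is an added example, not code from either poster; it assumes the RSAT ActiveDirectory module, read access to the Security log on the PDC emulator, and a sample account name of jdoe.

```powershell
# Added example: list recent 4740 lockouts from the PDC emulator (which logs
# every lockout in the domain) and group them by the caller computer name.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a placeholder account.
param(
    [string]$User  = 'jdoe',   # assumed sample account; replace with the locked account
    [int]   $Hours = 24
)

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # 4740 EventData fields: TargetUserName, TargetDomainName, TargetSid,
    # SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId.
    # Despite its name, TargetDomainName is the "Caller Computer Name" shown
    # in Event Viewer, so it is the value to key on.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $d.TargetUserName
        CallerComputer = $d.TargetDomainName
        ReportedBy     = $e.MachineName
    }
}

# Lockouts for the one account, newest first
$rows | Where-Object { $_.Account -eq $User } | Sort-Object Time -Descending | Format-Table -AutoSize

# Lockouts per caller name across the domain. A name that is not a domain
# member (WORKSTATION, or an empty string) means the bad password arrived via
# an intermediary such as a mail/web front end or a RADIUS client; the DC in
# ReportedBy will have the matching 4771 or 4776 event with the client address.
$rows | Group-Object CallerComputer | Select-Object Name, Count | Sort-Object Count -Descending
```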
Hello experts,

We have multiple child domains as per the site locations. So it is necessary to enable network reachability and create a site link between each of the sites.
Any thoughts ?

I currently use password hash and just starting to look at moving to ADFS,
I will setup 2 ADFS servers + 2 WAP servers.

My current domain is, some users UPN in but we have 6 brands within the group, the users in these brands login with the UPNs ,,

My question is, will I need a different SSL cert for each of the domains on the ADFS servers, or just the domain?


Gpresult shows domain type 2000 even though the domain and forest show 2012 R2 for both forest and domain.
Any idea?

hey guys, we had a muck up.
The backup server accidentally turned on a VM that's a domain controller (hostname ADFS, which is win2008r2), so we had 2 of the same VM running at the same time, so it caused a duplicate existence - Active Directory and replication didn't like that (also the GC got messed up).
note: main DC is called NEWDC (win2016)
here's what DCDIAG and dcdiag-failure.txt

here is repadmin - repadmin-fail.txt

1) I ran repadmin /showrepl and it showed replication failure, so I thought resetting the burflags for replication would help. I followed this article for a non-authoritative restore.
   a) after this, at least the repadmin /showrepl command showed all Replication - Successful, but later when I reset the server it all failed again. Replication will go back and forth between failed and success. Currently at 9:30pm it shows 'successful' but it will fail again. repadmin-success.png dcdiag-flipssuccessfulshortly.txt
2) when running DCdiag it gave a list of errors including SYSVOL not being online, LocatorCheck, all failing.
3) when i try to open Active Directory and Users on any DC it gives AD-not-opening.png

What's the best way we can get replication to start from the other NEWDC and fix ADFS??
Hi Expert

We have a new Win10 PC that cannot join the server 2012 domain. Previously, other PCs could be fixed by adding "AllowSingleLabelDnsDomain" in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

But this time it cannot. Below is the error message:

I have hard coded the DNS for the two domain controllers and can ping them. What I guess is that the domain was set up many years ago (2003 version), and at that time ".com" was added to the end (i.e. it is called abc domain, not domain). We upgraded to the 2012 domain last year.

After the upgrade, sometimes we find the PC cannot find the domain.

Regards, Ivan

@@@@@@ Error Message @@@@

An Active Directory Domain Controller (AD DC) for the domain "XXXX" could not be contacted.

Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

The domain name "XXXX" might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "XXXX":

The query was for the SRV record for …
I will be setting up an AD FS farm in order to link to SharePoint Online (part of Office 365).

We have a single-forest AD environment with three (3) child domains under the root forest domain.
The root forest domain isn't used except for a few management accounts.
All three child domains have users that will need to access our single SharePoint Online instance.

I believe my best course of action will be to setup the AD FS farm under the root forest domain since it has trusts to all its child domains.
I'll be installing an AD FS server as well as a WebProxy server and then federating to the Azure AD that SharePoint Online requires.

What would be the best way to ensure all users within the three child domains can log into SharePoint Online?
I believe I'll have to modify some of the claims from the default in order to achieve this.

Any direction/best practices/general help would be appreciated.


How would I create a GPO so that all my users in a domain login under temporary profiles while retaining their username for auditing purposes? We have a school where computers remain in the classroom but students cycle in and out. We'd like to have it where the student's profile isn't saved on the local Windows machine, but domain admin profiles are saved to ensure students profiles don't just build up. Is this possible?
We recently configured a forest trust between two domains and we have been able to cross authenticate.  However, it only works if the user puts in\username.  It isn't enough to just put in domain\username.

The scenario looks like this.

User at is logging into a server at  To use the username and password for their account they need to log into the server as\username.

Is that typical or is there anything we can do to make the login domain not require the .com?

Is there something else we can do in DNS to allow this to work?
How can I disable / grey out or remove the Archive button in Outlook 2016 via group policy? We do not want users to use this feature.
I have setup Intune for a few surfaces, there are various policies and App installs, assigned to devices and their Azure AD groups.

Logging in as User1, it goes through the expected device preparation - setting up device for work - Device preparation - Installing Apps etc. It takes about 10 minutes, which is fine as it's installing Office 365 on the device.

But logging in as User2, it goes through the same process but never gets beyond:
Apps (identifying)

Intune shows the App (Office 365) have a status of "install pending".

1. What is it doing? Any ideas why it's hanging?
2. Isn't Office now installed, so the User2 config of it must be almost nothing?
I have this error on all DCs in my company:

Error DNS-Server-Service Event ID 4015

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F2312, #1:
      0: 0000051B: DSID-030F2312, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.

Could you help me, please?

Regards, David.
This is using MS Windows 2012 R2 AD. There is only one DC with all 5 FSMO roles and the DNS and DHCP roles. Recently, we found that domain logins were getting slow. Users have to wait some time before they are shown as logged in. Another issue is that they seem unable to access the file servers; it looks like a permissions issue.

The temporary workaround is that in the morning we have to reboot the DC, and all of the above issues are gone (for the time being). What could be the issue? How do I troubleshoot it?
I did check through DNS, Sites and Services, Domains and Trusts, and Users & Computers; all looks to be working fine.

Thanks in advance.
