

Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Hi all, I have a problem and need your help. There is a security group in our domain, and domain users who are added to this security group cannot update their group policy. When the users try to update the group policy on their computer via "gpupdate /force", it shows "Computer Policy update has completed successfully. User Policy could not be updated successfully. The following errors were encountered:"; the detailed error is shown in the attachment. Once I remove the domain users from this security group, the user can update their user policy successfully. It looks like this issue is caused by this security group, but what is the root cause? Do you have any advice on how I can fix this problem?

Thank you all so much.
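The attachment with the detailed error is not reproduced on the page, so the following is an added diagnostic example (not code from the original post) written for the most common cause of this exact symptom: a Deny entry for the group on the Read/Apply permission of some GPO, or a Deny ACE placed directly on the GPO's SYSVOL folder, which stops the user-policy pass with an access-denied read of gpt.ini. It assumes the RSAT GroupPolicy and ActiveDirectory modules and read access to every GPO and to SYSVOL; the group name is a placeholder.

```powershell
# Added example, not from the original post. Assumes RSAT GroupPolicy and
# ActiveDirectory modules; 'CONTOSO\RestrictedUsers' stands in for the
# security group named in the question.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$groupName = 'CONTOSO\RestrictedUsers'            # hypothetical group from the question
$groupSam  = ($groupName -split '\\')[-1]
$domain    = (Get-ADDomain).DNSRoot

# 1. Deny entries in the GPO security descriptors (GPMC > Delegation > Advanced).
#    A Deny on Read or Apply for this group on any GPO in the user's scope is
#    enough for gpupdate to report "User Policy could not be updated successfully".
$gpoDenies = foreach ($gpo in Get-GPO -All -Domain $domain) {
    Get-GPPermission -Guid $gpo.Id -All -Domain $domain |
        Where-Object { $_.Denied -and $_.Trustee.Name -eq $groupSam } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
                Source     = 'GPO ACL'
            }
        }
}

# 2. Deny ACEs set directly on the SYSVOL policy folders. GPMC does not show
#    these, but they make the gpt.ini read fail for every member of the group.
$policiesRoot = "\\$domain\SYSVOL\$domain\Policies"
$sysvolDenies = foreach ($dir in Get-ChildItem -Path $policiesRoot -Directory) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $groupName) {
            [pscustomobject]@{
                GPO        = $dir.Name
                Trustee    = $ace.IdentityReference.Value
                Permission = $ace.FileSystemRights
                Source     = 'SYSVOL ACL'
            }
        }
    }
}

@($gpoDenies; $sysvolDenies) | Where-Object { $_ } | Format-Table -AutoSize
```

Run it as an account that is not a member of the group. Any row it prints is a GPO the group members cannot read; `gpresult /r /scope:user` on an affected client should list the same GPO under the denied or filtered-out GPOs. Because Deny wins over Allow, a Deny on a group that also holds "Authenticated Users" Apply rights still blocks the whole user pass, not just that one GPO.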

I want to implement an Azure Information Protection (AIP) policy on on-premises Windows servers, for example a SQL Server where very important files are sitting.

We have Active Directory and user accounts are synced through AAD Sync to Office 365; our user mailboxes are in Office 365.

We have an ADFS server in place and have SSO configured.

We don't have an on-premises Exchange server.

Are there any steps to do in Azure AD, or any good article which can help me implement the policy?
We are facing an issue where, all of a sudden, we cannot log in to any of the servers in Domain B (child domain) with Domain A accounts. It gives "Logon Attempt Failed", but when you RDP to the IP address of the server you can log in just fine.
I have checked just about everything and it seems there is a Kerberos pre-authentication issue.
Does anyone have any idea as to what might have caused this and how to pinpoint the issue?
I would like to know if it's possible to retrieve a hashed password from ADAM with Python?

I've seen that DSInternals could allow that, but wouldn't work with ADAM.  Plus we don't need the password in clear text, just the hashed version.

(Using Windows Server 2012 R2, ADAM, Python 3.7)

I have a Windows 2003 DC (the only DC in the forest). Users have lost access to this DC (file server) and the result of dcdiag.exe is in the two attached files. I ran a utility to compress and regenerate ntds.dit and then copied it to the C:\windows\NTDS folder after adding the word OLD to the names of res1.log, res2.log, edb.log and ntds.log. This did not help and I had to rename them back.

An Error Event occured.  EventID: 0xC0003500
            Time Generated: 11/14/2018   19:02:41
            (Event String could not be retrieved)
         ......................... PCSDC1 failed test frsevent
I'm trying to troubleshoot account lockouts using Microsoft ALTools. I've downloaded it, extracted it, copied "acctinfo.dll" to the SYSWOW64 folder on the DC and registered it, but I don't see the "Additional Account Info" tab in the user's properties. Is there something I'm missing? Is there a better tool to use?
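Whatever the reason the acctinfo.dll tab does not appear, the information it would show (and the one thing it would not: where the bad passwords come from) can be pulled directly from the domain. The following is an added example, not from the original post: every lockout in a domain is recorded on the PDC emulator as Security event 4740, and the TargetDomainName field of that event carries the name of the computer that sent the failing credentials. It assumes the RSAT ActiveDirectory module and rights to read the Security log on the PDC emulator; the account name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and read access to the Security log on the PDC emulator.
Import-Module ActiveDirectory

$user = 'jdoe'                                  # hypothetical sAMAccountName
$pdc  = (Get-ADDomain).PDCEmulator

# What is locked right now (the same answer the acctinfo.dll tab would give)
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, LastLogonDate, LockedOut

# 4740 = "A user account was locked out". It is always logged on the PDC emulator
# because every DC forwards bad-password counts there. In this event,
# TargetDomainName is the *caller computer name*, not a domain.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-2)
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq $user) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
            ReportedBy     = $e.MachineName
        }
    }
}

$lockouts | Sort-Object Time -Descending | Format-Table -AutoSize

# Once the source is known and cleaned up, release the account
# Unlock-ADAccount -Identity $user
```

The CallerComputer column is the machine to inspect next: a stale mapped drive, scheduled task, service or saved RDP credential there is the usual cause. If CallerComputer is blank or is a server such as an Exchange CAS or a terminal server, the bad passwords arrived over a protocol that does not carry the workstation name and you have to look at that server's own 4625 events to go one hop further back.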
I have a client with an SBS 2011 server and about a dozen workstations. (I know SBS is old, but it works and he's fine with it for now.) He just bought two new computers with Win10 Pro on them. They joined the domain fine, but I found that Remote Desktop is not working. The SBS domain group policy to allow RDP is enabled and firewall rules are set to allow. All current and recently added Win7 computers pick up the group policy rules just fine and RDP works on them.

When I go into Win10 Settings -> System -> Remote Settings, the switch to turn on RDP is off and greyed out. The weird thing is that when I open the old Control Panel (I like that way better than the Win10 Settings app) and check the Remote Desktop settings, it says it is on and configured by the group policy. Soooooo....

Any ideas would be greatly appreciated. Thanks!

We have Windows 7 and Windows 10 PCs in our network. Recently, when students search for a particular image on Google search, it returns material that is unsuitable for a school environment.

We use Google Chrome and Internet Explorer. Is there any Group Policy to turn SafeSearch on in the students' GPO?
I noticed something very interesting; please see the attached picture PC-1. On the Windows 7 PCs, when an image is searched for in Google Chrome or Internet Explorer, "SafeSearch on" is not on.

But at the same time, if I go to a Windows 10 PC (attached PC-2 image) and open Google Chrome or Microsoft Edge, it says "SafeSearch" is on and it doesn't bring up any inappropriate images.

Our filtering system is BLOXX and is hosted outside our network, and I'm not sure where the "SafeSearch on" setting is picked up from. Please help with where the problem could be; any help to resolve this will be much appreciated.

Thanks in advance.
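For the Chrome half of the question there is a documented browser policy, ForceGoogleSafeSearch, that Chrome reads from the Policies registry hive and that can be delivered with an ordinary registry setting in a GPO. The following is an added example, not from the original post; it assumes the RSAT GroupPolicy module and a user-side GPO linked to the students' OU (the GPO name is a placeholder). It covers Chrome only: Internet Explorer has no equivalent policy, and for it the vendor-supported method is resolving www.google.com to forcesafesearch.google.com on the internal DNS, which has to be done carefully because a whole google.com zone on an internal DNS server hides every other google.com host.

```powershell
# Added example, not from the original post. Assumes the RSAT GroupPolicy module;
# 'Students' is a placeholder for the GPO applied to student accounts.
Import-Module GroupPolicy

$gpoName = 'Students'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Chrome reads user policies from HKCU\SOFTWARE\Policies\Google\Chrome, so the
# value can ride in a user-side GPO; use HKLM\... instead for a computer-side GPO.
$key = 'HKCU\SOFTWARE\Policies\Google\Chrome'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ForceGoogleSafeSearch' `
    -Type DWord -Value 1 | Out-Null

# Read it back from the GPO to confirm it was stored as a policy value
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ForceGoogleSafeSearch' |
    Select-Object KeyPath, ValueName, Type, Value

# On a student's PC after "gpupdate /target:user", the same value must be present
# here; chrome://policy then lists ForceGoogleSafeSearch as set by the platform.
Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Google\Chrome' `
    -Name ForceGoogleSafeSearch -ErrorAction SilentlyContinue
```

The client-side check is the useful part of this for the Windows 7 versus Windows 10 difference in the question: if the value is present on the Windows 10 machines and absent on the Windows 7 ones, the policy source is a GPO that only the newer machines fall under; if it is absent on both, the "SafeSearch on" shown on Windows 10 is coming from somewhere outside the domain, such as the upstream filter.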
I'm trying to set up Remote Desktop Services on our Windows 2016 server and the licences (User CALs) aren't being used by users when they log in via RDP (as viewed in RD Licensing Manager).

I've been through the instructions on several sites namely this one at www.lemonbits.com but am getting the following error in Server Manager > Remote Desktop Services > Servers:

Error ID: 85
Source: Microsoft-Windows-TerminalServices-Licensing
The Remote Desktop license server could not be registered as a service connection point in Active Directory Domain Services (AD DS). Ensure that there is network connectivity between the license server and AD DS. To register the license server as a service connection point in AD DS, use Review Configuration in the RD Licensing Manager tool.

When I Review the Configuration All I get is green ticks and no actions to take.

Looking for advice on where to go from here. It's all changed since I last set this up in 2008 when, if I remember correctly,  it was much simpler (good old days?)

I have two AD domains (Domain A and Domain B) with a two-way forest trust. All user accounts from Domain A are going to be re-created (not migrated!) in Domain B. They get a new username according to the naming convention of Domain B. As we are going to do this for a couple of hundred accounts, we need to transfer the AD passwords as well.

Is there a way to transfer the AD passwords from Domain A to Domain B (with different usernames)? Please note that we are not using ADMT for the user account creation; we will use our own IDM solution.

We do not want the users to change their password. Is there a way to achieve this?
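What ADMT's Password Export Server does under the hood is move the NT hash, not the password, and the same can be done per account with the third-party DSInternals module once the destination accounts exist. The following is an added example, not from the original post or from DSInternals' documentation: it reads each source account's NT hash over the replication protocol (the same access a DCSync uses, which is why it needs Domain Admin-equivalent rights in Domain A and is logged there as directory-service access) and writes it to the new account in Domain B. Server names are placeholders and the mapping CSV (OldSam,NewSam) is assumed to come from the IDM solution.

```powershell
# Added example, not from the original post. Requires the DSInternals module
# (Install-Module DSInternals) and Domain Admin-level rights in both domains.
Import-Module DSInternals
Import-Module ActiveDirectory

$srcDomain = 'DOMAINA'; $srcDC = 'dc1.domaina.example'   # hypothetical
$dstDomain = 'DOMAINB'; $dstDC = 'dc1.domainb.example'   # hypothetical
$mapping   = Import-Csv -Path '.\mapping.csv'            # constructed: OldSam,NewSam

function ConvertTo-Hex([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($row in $mapping) {
    # Pull the single account from Domain A through DRS replication. This is the
    # credential material itself: run from a hardened admin host, never log it.
    $src = Get-ADReplAccount -SamAccountName $row.OldSam -Domain $srcDomain -Server $srcDC
    if (-not $src.NTHash) {
        Write-Warning "$($row.OldSam): no NT hash stored, skipping"
        continue
    }

    # Write the same hash onto the new account in Domain B over SAMR. No plaintext
    # is involved, so Domain B's password policy is not evaluated and the user
    # keeps the password they already know.
    Set-SamAccountPasswordHash -SamAccountName $row.NewSam -Domain $dstDomain `
        -NTHash $src.NTHash -Server $dstDC

    # Cross-check by comparing the two hashes; only the boolean leaves this loop.
    $dst = Get-ADReplAccount -SamAccountName $row.NewSam -Domain $dstDomain -Server $dstDC
    [pscustomobject]@{
        Old         = $row.OldSam
        New         = $row.NewSam
        HashMatches = (ConvertTo-Hex $src.NTHash) -eq (ConvertTo-Hex $dst.NTHash)
    }
}
```

Two caveats a practitioner would want before running this at scale. Kerberos AES keys are derived from the plaintext password, so they cannot be produced from the hash: until each user next changes their password, the Domain B account authenticates with RC4 only, exactly as after an ADMT/PES migration. And the Domain A read is indistinguishable from a credential-theft DCSync to any monitoring you have, so schedule it, announce it to the SOC, and confirm afterwards that the 4662 events on the Domain A DC line up with the mapping file and nothing else.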


Currently, to allow the sending of mail from applications or printers (scan to mail), we use an anonymous SMTP server. Our network team wants us to go as much as possible through an SMTP server with authentication. To do this, we need to create one service account per application or printer.
The question being debated between the AD/network and messaging teams is: do all the service accounts that will be used have to have a mailbox to allow applications or printers to send mail?
Could you please confirm the good practice, or what needs to be done, for an application to send emails using the SMTP server with authentication? With or without a mailbox for the service account?

We want to use our Exchange servers for sending emails with authentication.

Additional question: is it possible to do it through Office 365?

Thank you in advance for your explanations and clarifications.

Exchange Server 2010 SP3 and Office 365: hybrid mode
Windows Server 2008 R2.
I have enabled MFA for my account in o365 and can now not log into outlook 2016 - keep getting the credentials prompt...  
We are hybrid exchange with ADconnect.
Hi Experts

I'm doing a DNS migration from one provider to another and I know @ refers to the root domain.

I see an A record that is listed as * too.

What does * refer to in a DNS record? I have attached a screenshot.
There are two * records.
One is * pointing to an IP address as shown above, and the other is *.domain.com, which also points to the same IP.

The issue is that, on a client PC, if we ping our domain name, such as "ea.ad.crr.com", we get the IP address of a domain controller in another site, not the local site domain controller's address.

Not sure why we are getting another site's domain controller IP address instead of the local site domain controller IP.

If we ping the domain name on each respective site's domain controller itself, it resolves correctly; however, if we ping the same name from a client PC in those respective sites, it does not resolve to the correct local domain controller IP.

Please help me to fix the issue. Please do the needful, as it will be very helpful.

Thank You.
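Pinging the bare domain name returns one of the A records that every DC registers for the domain, in round-robin order, so it says nothing about which DC the client will actually use. Site affinity comes from the DC locator, which only works when the client's IP address falls inside a subnet that is assigned to a site in AD Sites and Services. The following is an added example, not from the original post, that checks exactly that for one client address and then lists the DCs advertising for the matched site. It assumes the RSAT ActiveDirectory module; the client address is a placeholder and the domain name is the one from the question.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module. Only IPv4 subnets are evaluated.
Import-Module ActiveDirectory

$domain   = 'ea.ad.crr.com'
$clientIp = '10.20.30.40'            # hypothetical address of an affected client

function ConvertTo-UInt32Address([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)         # BitConverter is little-endian on Windows
    [uint64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr([string]$Address, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    $mask = ([uint64]0xFFFFFFFF -shl (32 - [int]$prefix)) -band [uint64]0xFFFFFFFF
    ((ConvertTo-UInt32Address $Address) -band $mask) -eq
        ((ConvertTo-UInt32Address $network) -band $mask)
}

# All IPv4 subnets defined in Sites and Services, with the site each one maps to
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' }

# Longest-prefix match, which is how the DC locator resolves overlapping subnets
$match = $subnets |
    Where-Object { Test-IPv4InCidr -Address $clientIp -Cidr $_.Name } |
    Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
    Select-Object -First 1

if ($match) {
    $site = ($match.Site -split ',')[0] -replace '^CN='
    "Client $clientIp is in subnet $($match.Name) -> site $site"
    # The DCs a client in that site is steered to, via the site-specific SRV record
    Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight
} else {
    "Client $clientIp is in no site subnet: the locator will hand it any DC in $domain"
}
```

On an affected client, `nltest /dsgetdc:ea.ad.crr.com /force` prints both "Dc Site Name" and "Our Site Name"; an empty "Our Site Name" confirms the missing-subnet case, and adding the client subnet to the right site (Sites and Services, or New-ADReplicationSubnet) fixes it without touching DNS. If the site is correct but the SRV query above returns no DC for it, the local DC is not registering its site-specific records, which is a DC-side DNS registration problem rather than a client one.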
I recently Dcpromo'd a domain controller but I'm still seeing this on one of my new 2016 DC's.  The old DC doesn't exist and I don't see any reference to it but for some reason, the new DC is still trying to replicate to it?  I've googled some articles but can't seem to get an answer.  When I run repadmin, I don't see it show up but it's obviously still somewhere in AD.  AD replication is fine and I'm not seeing any errors except this one...

DFSR Error:

The DFS Replication service failed to communicate with partner SERVERNAME for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.
Partner DNS Address: SERVERNAME.domain.net
Optional data if available:
Partner WINS Address: SERVERNAME
Partner IP Address:
The service will retry the connection periodically.
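repadmin only reports AD replication partners, but DFSR keeps its own membership list for the SYSVOL replication group as objects under CN=System, and a demoted DC that was not cleaned up there stays a partner that DFSR keeps retrying. The following is an added example, not from the original post, that lists those DFSR members, checks whether the computer each one points to still exists, and removes the orphan in dry-run mode. It assumes the RSAT ActiveDirectory module and rights to read and delete under CN=System; SERVERNAME is the partner name from the event.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module; run the final removal only after the computer object is confirmed gone.
Import-Module ActiveDirectory

$stale    = 'SERVERNAME'                          # partner name from the DFSR event
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext

# 1. DFSR membership of the SYSVOL group. A member whose msDFSR-ComputerReference
#    no longer resolves is what the "failed to communicate with partner" event is about.
$topology = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDN"
$members  = Get-ADObject -SearchBase $topology -Filter 'objectClass -eq "msDFSR-Member"' `
    -Properties 'msDFSR-ComputerReference'

$report = foreach ($m in $members) {
    $ref      = $m.'msDFSR-ComputerReference'
    $computer = try { Get-ADObject -Identity $ref -ErrorAction Stop } catch { $null }
    [pscustomobject]@{
        Member            = $m.Name
        ComputerRef       = $ref
        ComputerExists    = [bool]$computer
        DistinguishedName = $m.DistinguishedName
    }
}
$report | Format-Table Member, ComputerRef, ComputerExists -AutoSize

# 2. Other leftovers a demotion can leave: a server object under Sites, and DNS records.
Get-ADObject -SearchBase "CN=Sites,$configDN" `
    -LDAPFilter "(&(objectClass=server)(cn=$stale))" | Select-Object DistinguishedName
Resolve-DnsName -Name "$stale.$($domain.DNSRoot)" -ErrorAction SilentlyContinue

# 3. Remove the orphaned DFSR member (it has msDFSR-Connection children, hence -Recursive).
#    Drop -WhatIf once the report above shows ComputerExists = False for it.
$orphans = $report | Where-Object { $_.Member -eq $stale -and -not $_.ComputerExists }
foreach ($o in $orphans) {
    Remove-ADObject -Identity $o.DistinguishedName -Recursive -Confirm:$false -WhatIf
}
```

After the object is removed and has replicated, restart the DFS Replication service on the DC that logged the event; it re-reads the topology from AD and the retries stop. If the report shows the stale member's computer object still present, the demotion did not complete and the remaining cleanup is the usual metadata cleanup with ntdsutil rather than a DFSR-only fix.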
We are using O365 with Azure AD, which has served us well. I am now in the process of setting up a local server to handle shared printers and GPOs. Most of the documentation I have come across deals with moving from a local AD to Azure, not the other way.

I currently have our O365 & Azure set up with ourdomain.com, so all the emails are @ourdomain.com.

I installed the server with the domain ourdomain.com also, because I was under the impression this is the only way the usernames would link up correctly. I am not using ADFS because I wasn't sure if it works with our configuration.

I have tested this and basically I have to recreate each user in the local domain (which also resets their password), disconnect the PC from Azure AD and then join it to the local AD. Then I have to move all of their files from their old Azure AD profile to the new local AD profile (unless they were using OneDrive, at which point we still have to hook it up and let it sync).

I was hoping there is a setting missing in my Azure AD Connect that would pull the current Azure AD accounts into our local AD. I have not had much luck.

The main issue is that we have over 100 machines that we need to join to the local AD so we can implement the printer groups and GPOs.

Any suggestions or tips on what can be done better?
We are migrating from an old Windows Server 2008 R2 (Win2K8) Certificate Authority (CA) to a new Windows Server 2016 CA (Win2K16). In the new plan we would have a Standalone Root CA (offline) and an Enterprise Subordinate CA (online).

The Subordinate CA will be part of the domain, but the Standalone Root CA will be in a workgroup, NOT connected to the domain or network, and will eventually be turned off for safe keeping.

I had to do a multi-tier or two-tier approach. One of the requirements was to copy the Certificate Templates from the old Win2K8 R2 CA to the new online Win2K16 CA. They were under the impression we have to copy the modified Certificate Templates from the old Win2K8 CA to the new Win2K16 CA.

Now correct me if I'm wrong, but I was under the impression all Certificate Templates live in Active Directory and would be accessible by the new CA anyway, so there should NOT be any copying of Templates to the new CA. Please clarify.
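The templates do live in the forest's configuration partition, so nothing is copied; what is per-CA is the list of templates each CA is willing to issue, which is stored on that CA's enrollment-service object and which a freshly installed CA does not inherit from the old one. The following is an added example, not from the original post, that shows both sides of that: it enumerates the templates in AD, shows what each CA publishes, and publishes the old CA's list on the new one by name. It assumes the RSAT ActiveDirectory module and, for the last step, the ADCSAdministration module on the new online CA; host names are placeholders.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module; the last block runs on the new enterprise CA with ADCSAdministration.
Import-Module ActiveDirectory

$configDN = (Get-ADRootDSE).configurationNamingContext
$pki      = "CN=Public Key Services,CN=Services,$configDN"

# 1. Every template in the forest, including the modified ones, lives here.
#    No CA owns them; any enterprise CA in the forest can read them.
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pki" `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties displayName, 'msPKI-Template-Schema-Version', whenChanged
$templates |
    Select-Object Name, displayName,
        @{ n = 'SchemaVersion'; e = { $_.'msPKI-Template-Schema-Version' } }, whenChanged |
    Sort-Object whenChanged -Descending | Format-Table -AutoSize

# 2. What differs per CA: the templates it publishes (the "Certificate Templates"
#    folder in certsrv.msc), stored on the pKIEnrollmentService object.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pki" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties certificateTemplates, dNSHostName
foreach ($ca in $cas) {
    [pscustomobject]@{
        CA        = $ca.Name
        Host      = $ca.dNSHostName
        Publishes = ($ca.certificateTemplates -join ', ')
    }
}

# 3. Publish on the new CA whatever the old one published. Templates are referenced
#    by name; nothing is exported or imported. Run this on the new CA.
$old = $cas | Where-Object { $_.dNSHostName -eq 'oldca.corp.example' }   # hypothetical
$new = $cas | Where-Object { $_.dNSHostName -eq 'newca.corp.example' }   # hypothetical
Import-Module ADCSAdministration
foreach ($t in $old.certificateTemplates) {
    if ($new.certificateTemplates -notcontains $t) {
        Add-CATemplate -Name $t -Force
    }
}
```

Two things worth checking while doing this. The security-sensitive part of a migration is not the templates but the enrollment permissions on them; a template that was fine when only the old CA published it gains nothing and loses nothing by being published on the new CA, so review the Enroll and Autoenroll ACEs on anything with SchemaVersion 2 or higher before you republish it. And the offline standalone root should publish no templates at all; Add-CATemplate is for the online enterprise subordinate only.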

How to check who has account with administrative permission on the ADFS?


I have an ADFS "Web Application Proxy Service" that is not starting even if i try manually.



Could someone suggest the best way to copy NTFS permissions from one folder to another folder on a new file server.

I am looking for ways to do it

1) while I am copying data
2) Data is already copied.  Need to apply permissions to new share.
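Both cases in the question are covered by the tools already on every Windows server: robocopy can carry the security descriptors with the data or, with the right exclusions, carry only the security onto a tree that is already there, and icacls can export and re-import DACLs as text. The following is an added example, not from the original post; the share paths are placeholders, and it is meant to run as an account holding Backup and Restore privilege on both servers (a local administrator does) so that owners and SACLs can be written as well as DACLs.

```powershell
# Added example, not from the original post. Paths are placeholders.
$src = '\\oldfs\Data'      # hypothetical source share
$dst = '\\newfs\Data'      # hypothetical destination share
$log = 'C:\Temp\acl-copy.log'

# Case 1: copy the data together with its security.
#   /COPY:DATSOU = Data, Attributes, Timestamps, Security (DACL), Owner, aUditing (SACL)
#   /E           = include subfolders, even empty ones
robocopy $src $dst /E /COPY:DATSOU /R:2 /W:5 /NP /LOG:$log

# Case 2: the data is already there; apply only security to the existing tree.
#   /XO /XN /XC  = skip older, newer and changed files, so no file data is re-copied
#   /SECFIX      = fix security on files that were skipped
#   /COPY:SOU    = carry Security, Owner and aUditing only
robocopy $src $dst /E /COPY:SOU /SECFIX /XO /XN /XC /R:2 /W:5 /NP /LOG+:$log

# Alternative for case 2 with icacls. /save stores DACLs only (no owner, no SACL)
# with paths relative to the directory given, so the tree layout must match.
icacls $src /save C:\Temp\data-acls.txt /t /c
icacls $dst /restore C:\Temp\data-acls.txt /c

# Verify: compare the SDDL of every folder in both trees and report mismatches.
function Compare-TreeAcl([string]$Source, [string]$Destination) {
    Get-ChildItem -Path $Source -Directory -Recurse | ForEach-Object {
        $rel  = $_.FullName.Substring($Source.Length)
        $from = (Get-Acl -Path $_.FullName).Sddl
        $to   = (Get-Acl -Path (Join-Path $Destination $rel) -ErrorAction SilentlyContinue).Sddl
        if ($from -ne $to) {
            [pscustomobject]@{ Path = $rel; Source = $from; Destination = $to }
        }
    }
}
Compare-TreeAcl -Source $src -Destination $dst
```

The verification step is the part that matters on a file-server move: ACLs that reference SIDs from a domain the new server cannot resolve, or that were inherited from a parent folder that does not exist on the new share, copy without error and only show up as a difference when compared. Run the case-2 robocopy with `/L` first to get a listing of what it would touch without changing anything.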
Can a csv with the division ad attribute be mapped to active directory users?

I have 2 machines that are not getting GPs and getting below error. Please assist.

Message          : The processing of Group Policy failed. Windows attempted to read the file
                   \\abc.corp\SysVol\abc.corp\Policies\{DE985BED-5764-4A16-A991-231E4AD1C8A3}\gpt.ini from a
                   domain controller and was not successful. Group Policy settings may not be applied until this event
                   is resolved. This issue may be transient and could be caused by one or more of the following:
                   a) Name Resolution/Network Connectivity to the current domain controller.
                   b) File Replication Service Latency (a file created on another domain controller has not replicated
                   to the current domain controller).
                   c) The Distributed File System (DFS) client has been disabled.
LogName          : System
TimeCreated      : 11/8/2018 7:13:38 PM
LevelDisplayName : Error
MachineName      : xyz.abc.corp

Thank you in Advance.
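The event text lists three candidate causes, and they can be told apart from one console. The following is an added example, not from the original post: it reads the named gpt.ini from every DC in the domain to spot a replication gap or a DC that cannot serve it, compares the GPO's AD and SYSVOL version numbers, and then shows the two client-side checks (which DC the client logged on to and whether the DFS client driver is disabled). The domain and GPO GUID are taken from the event; the RSAT ActiveDirectory and GroupPolicy modules are assumed.

```powershell
# Added example, not from the original post. Domain and GUID come from the event
# in the question; assumes RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = 'abc.corp'
$gpoGuid = '{DE985BED-5764-4A16-A991-231E4AD1C8A3}'

# a) Does every DC serve the same gpt.ini? A missing or different copy on one DC
#    points at replication latency (cause b in the event) or a broken SYSVOL share.
foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    $path = "\\$($dc.HostName)\SYSVOL\$domain\Policies\$gpoGuid\gpt.ini"
    try {
        $hash    = (Get-FileHash -Path $path -Algorithm SHA256).Hash.Substring(0, 12)
        $version = (Select-String -Path $path -Pattern '^Version=').Line
        $state   = 'OK'
    } catch {
        $hash = $null; $version = $null; $state = $_.Exception.Message
    }
    [pscustomobject]@{ DC = $dc.HostName; Version = $version; Hash = $hash; State = $state }
}

# b) The AD side of the same GPO: the DS and SYSVOL version numbers should agree.
$gpo = Get-GPO -Guid $gpoGuid -Domain $domain
[pscustomobject]@{
    Name           = $gpo.DisplayName
    UserDS         = $gpo.User.DSVersion
    UserSysvol     = $gpo.User.SysvolVersion
    ComputerDS     = $gpo.Computer.DSVersion
    ComputerSysvol = $gpo.Computer.SysvolVersion
}

# c) On one of the two affected machines: the DC it used, whether the DFS client
#    driver is disabled (Start = 4, cause c in the event), and the raw read.
$env:LOGONSERVER
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfsc' -Name Start).Start
Test-Path -Path "\\$domain\SysVol\$domain\Policies\$gpoGuid\gpt.ini"
```

If step (a) is clean on every DC and the client still fails the Test-Path, the problem is on the client's path to SYSVOL rather than in SYSVOL itself: with only two machines affected, check that they resolve the domain name to a DC they can actually reach (the DC in $env:LOGONSERVER, not one behind a closed firewall) and that their Dfsc Start value is not 4.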
A mailbox has been removed from an AD user but the Exchange Global Address List still shows the user there. Any idea? I have already updated the offline address book several times but it doesn't help.

Good Day

I'm currently busy doing server upgrades for one of my customers, a 5-site/campus college. The Exchange sites are connected to each other via VPN.
I unfortunately cannot do the server upgrade all at once, and am tackling this project in 2 phases (3 sites per phase).

Phase 1 is complete; this is the current setup with regards to Exchange and AD.
SITE 1: (Bridgehead Site) 2 x Server 2012 R2 AD servers, 1 Server 2003 AD server, 1 Exchange Server 2003 and 1 Exchange Server 2007
SITE 2: 2 x Server 2012 R2 AD servers, 1 x Exchange Server 2007.
SITE 3: 2 x Server 2012 R2 AD servers, 1 x Exchange Server 2007.
SITE 4: (1st Exchange 2007 server deployed) 2 x Server 2012 R2 AD servers, 1 x Exchange Server 2007.
SITE 5: 1 x Server 2003 AD server and 1 Exchange Server 2003

Site 1 is HQ and also the site where external inbound and outbound email transport occurs, to and from the Exchange 2003 server.

When there are any issues at SITE 4, mail for the entire college, both internal inter-Exchange and external, stops flowing until the issues are resolved at site 4.
To me it seems as if the entire college email system is solely reliant on SITE 4 for inter-site and external mail transport. The main site should not be site 4; it must be SITE 1.

I've read that this SITE 4 dependency issue might have something to do with it being the first Exchange 2007 org site.

I need detailed steps to:
Remove the sole dependency on SITE 4 being operational in order for the entire Exchange org to function.
