
Active Directory

78K

Solutions

39K

Contributors

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Good Morning All,

I am in a situation where I am attempting to migrate a terminal server from 2008 R2 to 2012 R2.
The server is virtualized (ESXi 6), to avoid downtime, I have cloned the server with a new MAC.

The machine has been fully upgraded to 2012 R2, however after renaming and re-joining to the domain,
I am of course greeted with new profiles for domain accounts that have previously logged into the server.
I'm looking for a free or paid way to mitigate this.
(I should note, this is a copy of the old terminal server; all data is retained (user folders - C:\users).)

Is there a way to, without user interaction, merge the new and old profiles?
I am especially interested in retaining profile specific registry settings relating to Outlook.

Thank you in advance
0

Exchange resource forest...

Trying to run Get-ADPermission for a disabled user results in:
The operation couldn't be performed because object 'username' couldn't be found on 'dc.domain.local'.
    + CategoryInfo          : InvalidData: (:) [Get-ADPermission], ManagementObjectNotFoundException

Can't see linked mailbox delegates via ECP. The error I get is:
error
Your request couldn't be completed. Please try again in a few minutes.

event log has:
Microsoft.Exchange.Data.Directory.Recipient.NonUniqueRecipientException: Multiple objects with Sid ************************ were found.
0
We want to disable the XBox app in a large network with several hundred Windows 10 Clients.

Using Group Policy Management we disabled it via AppLocker:

Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app Rules > Microsoft.XboxApp.



Now, XBox can't be run anymore.

Just one Question: How can we get rid of the XBox icon within the Start Menu using GPO?

Best regards
Chris
0
I have an old Server 2003 DC in a remote site that I want to get rid of. Can I bring the DC back to my main site (different subnet) and demote it from the main site? I don't need this DC as I plan on installing a new Server 2008 R2 on this machine and bringing it back to the remote site. Are there any complications with doing this?

Thank you.
0
Looking to delete computer accounts and user accounts in Active Directory

Got below script for computer accounts previously

Import-Csv -Path C:\Temp\DisableComputer.csv | ForEach-Object {Remove-ADComputer -Identity $_.Name -WhatIf}

It ran fine above then I changed it to below to run it properly

Import-Csv -Path C:\Temp\DisableComputer.csv | ForEach-Object {Remove-ADComputer -Identity $_.Name}

Problem is it doesn't perform deletion of computer accounts in a batch; I have to do it one by one and see the error below:

Remove-ADComputer : The directory service can perform the requested operation only on a leaf object

Looking for a way to bulk delete, and also the modification required to bulk delete AD user accounts as well.
1
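The "only on a leaf object" error means the computer object has child objects (for example BitLocker recovery information or a service connection point), and Remove-ADComputer refuses to delete a subtree. The following is an added example, not the poster's script: it resolves each name to its distinguished name and deletes the subtree with Remove-ADObject -Recursive, and does the same for a user list. The CSV header column "Name", the ActiveDirectory (RSAT) module and the user CSV path are assumptions; the computer CSV path is the one from the post. It runs as a dry run until $dryRun is set to $false, because AD deletions are only recoverable when the AD Recycle Bin is enabled.

```powershell
# Added example (not the original poster's script): bulk-delete computer and user
# accounts listed in CSV files, handling computer objects that have child objects.
# Assumes CSVs with a "Name" header column and the ActiveDirectory module.
Import-Module ActiveDirectory

$computerCsv = 'C:\Temp\DisableComputer.csv'   # path from the post
$userCsv     = 'C:\Temp\DisableUser.csv'       # assumed path for the user list
$dryRun      = $true                           # set to $false to actually delete

Import-Csv -Path $computerCsv | ForEach-Object {
    $name = $_.Name.Trim()
    try {
        # Get-ADComputer gives us the DistinguishedName that Remove-ADObject needs.
        $computer = Get-ADComputer -Identity $name -ErrorAction Stop
        # Remove-ADComputer only deletes leaf objects; -Recursive removes the
        # computer object together with any child objects underneath it.
        Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false -WhatIf:$dryRun
        if (-not $dryRun) { Write-Output "Deleted computer $name" }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "Computer $name not found in AD"
    }
}

Import-Csv -Path $userCsv | ForEach-Object {
    $name = $_.Name.Trim()
    try {
        # User objects are normally leaf objects, so Remove-ADUser is sufficient.
        $user = Get-ADUser -Identity $name -ErrorAction Stop
        Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false -WhatIf:$dryRun
        if (-not $dryRun) { Write-Output "Deleted user $name" }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "User $name not found in AD"
    }
}
```

Disabling the accounts and moving them to a holding OU for a few weeks before deletion is the usual middle step; it keeps the SID, group memberships and any child objects available if a deletion turns out to be wrong.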
Troubleshooting an AD account that keeps locking out

I have installed the lockout tool (I just can't see it after installation). Can you install it on a client PC and point it at the domain controller?

What logs do I need to look at on domain controller to see account status etc?

https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
0
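An added example, not taken from the post or the linked article, showing what to read on the domain controllers: the current lockout state of the account, and Security event ID 4740 on the PDC emulator, which records every lockout in the domain together with the computer the bad passwords came from. It assumes the ActiveDirectory module and permission to read the Security log on that DC (membership in Event Log Readers or equivalent); the account name is a constructed sample.

```powershell
# Added example: locate the source of repeated lockouts for one account.
Import-Module ActiveDirectory

$user = 'jdoe'   # constructed sample account name
$pdc  = (Get-ADDomain).PDCEmulator   # all lockouts are replicated to the PDC emulator

# 1. Current account status: LockedOut, bad password count and time of the last attempt.
Get-ADUser -Identity $user -Server $pdc -Properties LockedOut, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime |
    Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime

# 2. Lockout events from the last 24 hours. In a 4740 event, Properties[0] is the
#    locked-out account and Properties[1] is the "Caller Computer Name".
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            SourceComputer = $_.Properties[1].Value
        }
    } |
    Where-Object { $_.Account -eq $user } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Once the source computer is known, the bad-password attempts themselves are logged on whichever DC handled them: event 4776 (NTLM) or 4771 (Kerberos pre-authentication failure, code 0x18) carries the client name or address, which points at the cached credential, mapped drive, scheduled task or mobile device still using the old password.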
My questions are about PKI. I have been trying to set up a PKI and now have one set up in a lab. At that time, I did not use a CAPolicy.inf file and everything seems OK. I just registered and received my PEN number from IANA and it looks like I am supposed to put this in the policy file before setting up my subordinate CA. That is fine, as I plan to rebuild one more time in the lab. It looks like I am supposed to enter the PEN/OID number in the form of 1.3.6.1.4.1.MY PEN, then an object identifier for the cert template I want to use. For example, if I used
1.3.6.1.4.1.MY PEN.2.5.29.32.0, would it cover ALL cert templates and I'd only need the one policy? Since my PKI seems to work without even building a custom CAPolicy.inf, I'm not sure why one would benefit me. It seems like it would be less administrative overhead to not even have it. Also, if I DO need to use my PEN/OID, should I make a policy for any cert template I think I may need in the future?
0
What are the best practices for providing admin access to Active Directory for developers?
Devs are writing an application that will authenticate using Active Directory. In order to do so they will need to generate a key the
application. They will also need to create different groups of users and place users in the groups. They believe having admin access will make this a lot easier than asking for each thing in turn.

How is everyone dealing with these similar requests? Please advise.
1
Hi all,

I’m looking to setup a private CA on my internal AD domain and I’ve only done limited testing with an internal PKI. This is for testing and learning purposes…

If any of the following is rubbish, please bear in mind I’m pretty much new to PKI

I can setup the Root CA and subordinate CA and issue certificates through group policy but what I would like to do is have these certificates trusted by devices outside of my AD infrastructure. I understand, and believe I would have to install the Root Certificate on these devices to trust my CA…

Am I correct in thinking I have to have a publicly available CRL server? Does this need to be AD joined?

Can I use an Azure standalone VM for this purpose? and if I can, would I need a VPN connection to my network for CRL updates? Are there any security benefits to this over an on-premise web server Possibly in a DMZ?

I currently have an on-premise Exchange server and use a trusted SAN cert, if I had the above could I use the internal CA to perform the same role... Namely EAS, MAPI over HTTP, OWA etc specifically for iPhone/Android and remote OWA access.

Also, Exchange related… would an internal CA work with AutoDiscover outside of AD joined devices? Specifically, IOS/Android or is trusted Cert the only real option?

Thank you for taking the time to read this, I may have some follow up questions about the whole process as I’m shaky on the broad concepts, so please be patient. The details I can get from …
0
Hello all,

I have a list of computers in a CSV file. How can I check if they are in my AD?
I can check in the console one by one, but I have around 1200 machines. Is there any script in PowerShell to check that?

Regards
1
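An added example, not the poster's own script, for checking a CSV of computer names against AD. Rather than running one LDAP query per row (1200 round trips, and a filter string built from untrusted CSV content), it pulls the computer list from AD once into a hashtable and looks each CSV name up locally. The CSV is assumed to have a "Name" header column; the file paths and the ActiveDirectory module are assumptions.

```powershell
# Added example: report which computers from a CSV exist in AD, and whether they
# are enabled and recently used.
Import-Module ActiveDirectory

$csvPath = 'C:\Temp\computers.csv'         # assumed input path
$outPath = 'C:\Temp\computers-check.csv'   # assumed report path

# One query for all computer objects, keyed by lower-cased Name for case-insensitive lookup.
$adComputers = @{}
Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem | ForEach-Object {
    $adComputers[$_.Name.ToLowerInvariant()] = $_
}

$report = foreach ($row in Import-Csv -Path $csvPath) {
    # Strip whitespace and a trailing '$' in case the list came from sAMAccountNames.
    $name  = $row.Name.Trim().TrimEnd('$')
    $found = $adComputers[$name.ToLowerInvariant()]
    [pscustomobject]@{
        Name            = $name
        InAD            = [bool]$found
        Enabled         = if ($found) { $found.Enabled } else { $null }
        OperatingSystem = if ($found) { $found.OperatingSystem } else { $null }
        LastLogonDate   = if ($found) { $found.LastLogonDate } else { $null }
    }
}

$report | Export-Csv -Path $outPath -NoTypeInformation
# Names from the CSV that do not exist in the directory:
$report | Where-Object { -not $_.InAD } | Format-Table Name -AutoSize
```

LastLogonDate is replicated only roughly every 14 days by default, so it is good enough for spotting stale objects but not for exact last-use times.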

Would a read-only Active Directory account be able to perform the following:


•      Query the user database via LDAP
•      Query group membership via LDAP
•      Query the domain controller via WMI

For context, we are looking to implement Cisco Meraki's native AD functionality (we only use Meraki AP's), which requires an Active Directory account that can accomplish the above tasks. We want to limit the access of this account as much as possible.

Thanks in advance
0
Azure Active Directory I have MFA disabled, verified under users under o365 portal that they are disabled, however when joining new computer to domain it asks for additional security verification.

Any suggestion how to turn that off?

0
PowerShell Gurus,

PowerShell Version
$psversiontable

Name                           Value
----                           -----
PSVersion                      5.1.17134.407
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.407
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1



I have a huge conundrum.  Simple AD query for Computer objects with dnsHostName attribute.  Populates in the console correctly:

PS C:\WINDOWS\system32> get-adcomputer -filter * -Property * | Format-Table dNSHostName

dNSHostName
-----------
isserv95.contoso.com
isserv33.contoso.com

ISSERV46.contoso.com
isserv8.contoso.com
ACE-ARCHTICS.contoso.com
ace-test-mub1.contoso.com
ace-host-pc1.contoso.com
ISSERV36.contoso.com
BS-ESTP-LT1.contoso.com
mub1-laptop.contoso.com

Isserv15.contoso.com
ACE-TRAV-MSTR.contoso.com
ACE-TRAV-MSTR1.contoso.com
ISSERV97.contoso.com
IT-MIS-SB1.contoso.com
isserv64.contoso.com
ISSERV96.contoso.com
Coloserv64.contoso.com
ISSERV99.contoso.com
as-acct-lt4.contoso.com
CC-ALTN-AC1.contoso.com
HS-LAUN-PC3.contoso.com...



Populates the variable:

$computers = get-adcomputer -filter * -Property * | Format-Table dNSHostName



$computers



dNSHostName
-----------
isserv95.contoso.com
isserv33.contoso.com

ISSERV46.contoso.com
isserv8.contoso.com
ACE-ARCHTICS.contoso.com
ace-test-mub1.contoso.com
ace-host-pc1.contoso.com
ISSERV36.contoso.com
BS-ESTP-LT1.contoso.com
mub1-laptop.contoso.com

Isserv15.contoso.com
ACE-TRAV-MSTR.contoso.com
ACE-TRAV-MSTR1.contoso.com
ISSERV97.contoso.com
IT-MIS-SB1.contoso.com
isserv64.contoso.com
ISSERV96.contoso.com
Coloserv64.contoso.com
ISSERV99.contoso.com
as-acct-lt4.contoso.com
CC-ALTN-AC1.contoso.com
HS-LAUN-PC3.contoso.com...



When trying to export-csv, no matter if I am on my laptop or domain controller, when I open the output it looks like this... every time:

get-adcomputer -filter * -Property * | Format-Table dNSHostName | export-csv C:\users\mar534\desktop\computers.csv -NoTypeInformation -Encoding UTF8



This is what the csv file looks like:

PowerShell Computer Inventory
I have tried the attributes Name, OperatingSystem, etc.; all yield the exact same results. I even tried removing the arguments at the end and adding -Encoding ASCII, to no avail.

In over 22 years in IT I have never run into this issue before. Has anyone seen this before, and if so, what was the fix?

Thanks,

Mark
1
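The cause is the Format-Table in the pipeline: it emits formatting records (Microsoft.PowerShell.Commands.Internal.Format.* objects) rather than the AD computer objects, so Export-Csv serializes the internal fields of those records, which is what shows up in the file. The console looks right because those records are exactly what the host renders. The following is an added example, not the poster's command: Select-Object keeps real objects with the chosen properties, and asking for only the needed attributes instead of -Properties * keeps the query small. The output path is an assumption.

```powershell
# Added example: export computer inventory to CSV with Select-Object instead of Format-Table.
Import-Module ActiveDirectory

$outFile = 'C:\Temp\computers.csv'   # assumed output path

$computers = Get-ADComputer -Filter * -Properties dNSHostName, OperatingSystem, LastLogonDate |
    Select-Object Name, dNSHostName, OperatingSystem, LastLogonDate   # plain objects, not format records

$computers | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Sanity check: the first lines should be a header plus data rows, no "ClassId2e4f51ef..." columns.
Get-Content -Path $outFile -TotalCount 3

# The same distinction is why a variable filled from Format-Table displays fine
# but cannot be used for anything else: inspect its type to see the problem.
($computers | Select-Object -First 1).GetType().FullName   # PSCustomObject (selected object)
```

Rule of thumb: Format-* cmdlets are for the screen and belong at the very end of a pipeline; anything that has to be saved, sorted or passed on uses Select-Object.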
Hi Experts,

We have a Windows server that's a domain controller that has been tombstoned; this has now gone over the 60-day tombstone lifetime. We would like to get the DC back up and running as normal, and in order to do this I believe this will need a forced removal from the domain. I think a dcpromo /forceremoval needs to be done to demote the DC to a member server.

Is my understanding correct? Are any other recommended key steps required?
There are other DC servers in the environment that are working fine.

Thanks
0
Hello Experts,
We have O365 and have been using Teams for collaboration. I noticed that when I hover over someone's picture and it gives info like department, phone, fax, etc., it seems to be getting it from AD (we use AD Connect to sync our AD to O365). However, if I change something, it doesn't change it in Teams. If I go to the user account inside O365 I can't change anything since it says it's getting the info from AD. I'm not sure what I'm missing. I changed some info on a couple of people on Friday and it hasn't changed in Teams.

Do I need to change it somewhere else or tell it to sync new data somewhere?

Thank you.
0
Given the task of configuring security groups, adding folders filled with other folders to each of those groups.

What is a good strategy for organizing this?

After creating the security groups, add the folders assign access and rights to those folders, and then the folders within folders decide who needs what access?
0
I want to write a group policy that keep the screen saver setting to (None) and wait time is 15 mins for all of our Win 8.1 and Win 10 clients. I want the screen saver to be greyed out so that users cannot change the screen saver and also wait time. All of our machines are domain joined.
These https://prajwaldesai.com/lock-computers-in-domain-via-group-policy/ settings are obsolete when i was about to configure in GPO.
0
I'm in the midst of moving one of our clients to AWS and I am looking for some assistance.  

Their current setup is they have 3 servers on site:

1.  Active Directory, File Services, Print Server, User Profiles, DNS
2.  RDP / Citrix server
3.  Windows 7 computer running indexing software for document management solution

I have already migrated all of their servers to AWS.  I plan on leaving a domain controller on site as well as a print server.

AWS is connected to head office via a VPN tunnel.

The subnet at head office is 192.168.70.0/24 and the subnet in our AWS VPC is 172.16.0.0.

My questions are:

1.  Would best practice be to host DNS on Route 53 (AWS), on our cloud based or on prem?
2.  Is it practical to have Roaming Profiles from a cloud based file server?  I anticipate this will significantly slow down login times.
3.  When we move the domain controller from on site to the cloud how do we update DNS records so workstations and servers are authenticating against the cloud based DC?  I'm not certain if the SRV record has to be changed.

Any advice or tips would be greatly appreciated.

Thanks,

Sean
0
Can you have multiple dynamic distribution groups (DDG's) in a Server 2008 R2 - Standard (AD DS) OU?

My on-premises setup:
Exchange 2010 - Enterprise (with latest SP)
Server 2008 R2 - Standard DC's (DFL = Server 2008)


I ran across an issue where I need to delete a current DDG (DDG_1), but would like to create a new one to take its place prior to deletion.  Then I would recreate the DDG_1 as a static/normal DG (or as Exchange 2010 refers to it as "Mail Universal Distribution Group").

So, is it possible to have two DDG in the same OU, very briefly until the new DDG is established and has all of the necessary users populated to it?


If not, what is best practices?


Thanks in advance.
0

Hi Experts,

We have 3 Domain controllers.
Whilst DFSR replication appears to be working fine, there appears to be an issue in the C:\Windows\SYSVOL\sysvol\domain.org\Policies folder
A number of files are identical in the Policies and Scripts folders within sysvol are showing & they all hold the same copy.

In the GUI, however (i.e. Windows Explorer), there is a discrepancy in the size of the Policies folder on DC2 compared to the other DCs (1 and 3).
The following event is seen in the DFS event log on all 3 DCs, which I suspect is related to the issue:

DFRS event ID 5014
The description for Event ID 5014 from source DFSR cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:
7D733767-68B3-4A0E-839F-4C3162D1BDA9
DCR01
Domain System Volume
1726
The remote procedure call failed.
18713738-3F9D-46DB-B3AF-9613165C9A79


Note the event is recorded on all DCs at various times of the day and at regular intervals (approx. every 9 to 10 minutes on each DC).
The DFSR console is installed on the DC's and looking within the console it looks like replication folders have been setup to replicate the SYSVOL folder. I believe these should not be setup on the SYSVOL …
0
How do I get the members of a distribution group through Windows PowerShell?

Also, how do I get the alias SMTP addresses of a shared mailbox through the command shell in Active Directory?
0
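An added example, not from the post, that answers both questions using only the ActiveDirectory module, i.e. by reading the attributes Exchange stores in AD (group membership and proxyAddresses). The group name and mailbox account name are constructed samples.

```powershell
# Added example: distribution group members and shared mailbox SMTP aliases from AD attributes.
Import-Module ActiveDirectory

$groupName   = 'DL-Finance'        # sample distribution group name
$sharedAlias = 'shared-helpdesk'   # sample shared mailbox sAMAccountName

# Membership, expanded through nested groups, resolved to user objects with their primary address.
# Note: Get-ADGroupMember stops at 5000 members by default; for very large groups read
# the group's "member" attribute with Get-ADGroup -Properties member instead.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties mail, displayName |
    Select-Object displayName, sAMAccountName, mail |
    Sort-Object displayName

# proxyAddresses holds every address of the mailbox. The entry prefixed "SMTP:" (upper case)
# is the primary address; entries prefixed "smtp:" (lower case) are the aliases.
$mbx = Get-ADUser -Identity $sharedAlias -Properties proxyAddresses
$mbx.proxyAddresses |
    Where-Object { $_ -clike 'smtp:*' } |    # -clike is case-sensitive, so primary is excluded
    ForEach-Object { $_.Substring(5) }
```

With the Exchange Management Shell loaded, Get-DistributionGroupMember and Get-Mailbox (its EmailAddresses property) give the same information with the Exchange view of the objects, but the AD attributes above are the source the Exchange cmdlets read from.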
We had Outlook cached mode enabled through Group Policy in our organization, but due to a disk space issue we disabled cached mode in Group Policy under User Configuration - Administrative Templates - Office 2016 - Outlook Options.

We have Outlook 2016 and mailboxes in Office 365; we don't have any hybrid environment.

After disabling Cached Exchange Mode, users are experiencing slowness in opening email, switching between Inbox and Sent Items, and scrolling through the Inbox.

I see under the Mail icon that Cached Exchange Mode is not checked and greyed out, but it doesn't show "Online mode" written either.

I deleted my OST file and I am connected to Office 365, but my Outlook is also experiencing slowness in browsing through emails.


Is there anything I should check, or am I missing something?
0
Hi Experts,

I have two Windows AD domains that have a two way AD trust between them. For the purpose of this question i will call them DomainA and DomainB instead of the real names

And if I have an AD user (DomainA\Bill) created in Domain A and is only a member of AD groups on just DomainA (such as DomainA\domain users group) can that user (DomainA\Bill) read AD information from both Domain A and Domain B?

The user is not a member of any groups in DomainB

For example, if the user in question used a tool such as AD Explorer pointed at a domain controller in DomainA using their user account, should they be able to read AD information from DomainB?

Thanks
0
We have two separate Active Directory Domains (Domain A and Domain B) in separate Forests with a two way forest trust.  Domain A hosts the Exchange 2016 servers.  Users in Domain B also have a mailbox using linked mailboxes from Domain A.

We are going to rename Domain B to Domain C using the command rendom.

Do I need to re-link the mailboxes after domain rename?  Is there anything else I need to consider?

Thanks!
0
What is the exact path to delete users' email in Outlook from Deleted Items?

I have the Outlook 2010 ADMX; not sure of the path.
0
