Active Directory (78K Solutions, 39K Contributors)

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

I'm looking for guidance on creating a GPO for a specific OU, and having only those GP settings applied to that particular OU.
1

Windows 10 Pro workstation connected to the domain; cannot Remote Desktop to the computer.
1. Remote Desktop access to the computer is turned on.
2. Removed Webroot antivirus (no antivirus installed now).
3. Go to Control Panel > Windows Defender Firewall; there is a yellow bar with "For your security, some settings are managed by your system administrator."
4. Domain networks is green and connected.
5. Private networks is red and not connected.
6. Guest or public networks is not connected.

7. I have tried to turn this off through gpedit on my one domain controller and on the local workstation: (Computer Configuration / Administrative Templates / Network / Network Connections / Windows Defender Firewall / Domain Profile) set "Windows Defender Firewall: Protect all network connections" to Disabled.
8. I did gpupdate /force on the DC and then gpupdate on the local computer (rebooted the PC also).
9. I have tried the following command on the local computer, turning off the firewall using an admin Windows Command Prompt: "netsh advfirewall set allprofiles state off". Restarted the computer, and in Control Panel the domain firewall is still grayed out and on.

10. I am at a loss how to turn this off and allow Remote Desktop to access this computer.
0
Is it possible to have AAD Connect automatically synchronize to Office 365 whenever a new account is created on-premises, without running the AD sync manually?
0
Hello,

I'm looking to bypass the pop-up box for Microsoft sign-in.

I tried this code once and it worked with no Microsoft sign-in pop-up, but several hours later the pop-up is coming up again.

Any idea how I can script this to successfully log in each time, bypassing the pop-up?

$Tenant = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$Username = "xxxxxxxxxxxx@on.microsoft.com"
$Password = "xxxxxxxxxxxxxxxx"
# Connect-AzureAD expects a PSCredential object, not a plain array of username and password
$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential ($Username, $SecurePassword)
# Connect only after the credential exists, and pass the tenant explicitly.
# Note: -Credential only works non-interactively for accounts that are not prompted for MFA.
Connect-AzureAD -Credential $Credentials -TenantId $Tenant


0
After making a change to an existing group policy that was previously applied to all computers in the domain, it now only updates some computers with the change, not all.
0
Hi,


In PowerShell, if in my CSV file I have the lastlogondate in this format: 2019-01-29 10:34:10 AM

I need to get users with lastlogondate older than 90 days. My question is:

Should I compare like this:

1- Where-Object { [datetime]$_.lastlogondate -le (Get-Date).AddDays(-90) }

or like this:

2- Where-Object { [datetime]::FromFileTime($_.lastlogondate) -le (Get-Date).AddDays(-90) }
0
This one always frustrates me. A simple command to see all the domain or forest details, and it doesn't show the full list of servers or sites.
For example: Get-ADDomain | Format-List
Gives me:
ReplicaDirectoryServers            : {server1.company.com, server2.company.com, server3.company.com, server4.company.com...}   how to get all servers?

Same for this:  Get-ADForest | Format-List

Gives me:
GlobalCatalogs        : {server1.company.com, server2.company.com, server3.company.com, server4.company.com...}  how to get all servers?
Sites                 : {site1, site2, site3, site4...} how to get all sites?

I'm probably missing something very simple. Just an annoying issue!
1
Dear Friends,

Can I delete these log files of Exchange Server 2016? It is deployed in a production environment and we are running out of space on drive C:. Although the transaction log files (E00000172383, 1024 KB, this type) are already being dumped on another drive, I am afraid of deleting these files. Can deletion of these files cause problems for the Exchange server? I really need the help of you guys. Please look at the attachment. Your advice always leads me to a solution; hope this time as well. Thanks in advance
Inetpub.jpg
0
Hi,


We had an issue because of an affected PC and all AD users were locked out. How can I set the account to never lock out for just some users, like the admin account?

Thanks
0
I am trying to add an additional email address for one particular DL.

We have 50 to 60 DLs; I see proxyAddresses under Attribute Editor
displayed in almost all DLs except a few, maybe DLs starting with a similar name.

We have on-premises AD where AD accounts are synced through AAD Sync to Office 365.

We have mailboxes in Office 365.

I did check and uncheck in the filter but it doesn't seem to work.

Is anything wrong with the AD schema not having been extended for Exchange for only some DLs,

or do I need to check anything?
0

Hi,

I have a problem checking whether a user has really quit the company (apart from asking HR :-)) because checking the lastLogon attribute in AD is not enough. If a user just uses his email, the lastLogon is not completely accurate. Also the LastLogonTime in the O365 mailbox is not accurate at all (many things can change that value).

The mailbox activity report from O365 can't be manipulated by PowerShell... it has to be downloaded manually. I need something that I can code.

So what do you think, should I check the lastLogon and pwdLastSet attributes? Like if both values are over 90 days old, then the user is really gone.
0
I am trying to add another email address to a distribution group,

but when I type the below in AD, it says the term Set-DistributionGroup is not recognized as a cmdlet.

We have DLs synced through AAD Sync from on-premises to Office 365.

Set-DistributionGroup "sales uk" -EmailAddresses @{Add='sales01365.domain.com.com'}
0
Hi,

As far as I understand our current set-up:-

We have a WPA2 Enterprise wireless solution. The APs act as RADIUS clients and connecting devices use PEAP to connect valid domain users via RADIUS (currently running on Server 2012 R2) using their domain credentials.

There is a server-side certificate which I believe is used for encrypting the session.

I have been asked to move to a pure certificate based solution (i.e. certificate on both server and client and no more authentication necessary) and I am not sure how best to set this up.  We have our own PKI.

Can anyone point me in the direction of any good quality information about how I would set RADIUS up to work in this way?

I have noticed an unchecked box in RADIUS that says "Disconnect Clients without Cryptobinding" but I can't find a lot of documentation about what that means and what checking it would change.

I have also noticed that we are using the Domain Users group to validate users, but imagine we could use Domain Computers instead.  How secure would that be?  Does the device actually do some authentication or could another device with the same name connect with that setting?

I've also seen a number of things indicating that MS-CHAP and MS-CHAPv2 are essentially worthless, so how do I avoid using these?

If anyone can point me at any great documentation for setting something like this up in a more secure way, I would find that really helpful.

Not an expert in these areas, so any …
0
Hi,


How do I read, with PowerShell, a CSV file whose header names contain a space?

Like:
Display Name, Last Logon Date

I don't want to reformat the header name all the time.
1
Experts,

I am no expert on PKI, although I've set up a couple for simple uses.
I have a client that has a single Enterprise root (single tier). They have Server 2008 and are also looking to upgrade AD to 2016 while taking my recommendation to upgrade to a 2-tier PKI (one offline root and 2 subordinate issuing CAs).
I understand the theory behind it but I could use some guidance on getting it done. I've looked at several articles but nothing that's detailed on this scenario.
I'm thinking I would just build out the PKI on 2016 separately, as I know you can have multiple PKIs in the same forest (a good guide on this might be helpful also).
But what needs to be copied over/moved to the new PKI from the old? GPO changes etc.
Should PKI be done before AD or does that matter?
I'm not overly familiar with this client so I'm not really sure what they use certificates for at this point.
0
Hi,

Could someone please explain the practical difference between these two DNS settings in DHCP?
DHCP-DNS-config.PNG
I am currently set to "Dynamically update DNS records only if requested by DHCP" but I have read that best practice is to use "Always dynamically update DNS and PTR records"

 Why should I do this? I do see many duplicate/old A records in my DNS. Will changing the setting to "always" stop these duplicate records?
old-duplicate-dns-records.PNG
Thank you very much
0
I am trying to back up my Active Directory from my Hyper-V domain controller to its host server via PowerShell.
The parameters I have run across:
- Can make a "one time" MS Backup from the MS Backup software GUI on the DC to the host server hard drive.
- Cannot make a "scheduled" MS Backup from the MS Backup software GUI on the DC to the host server hard drive.
  -- issues
     --- backup account does not have rights (yes, I gave full admin/backup admin rights)

- Can make a "one time" MS Backup from the MS Backup software using PowerShell on the DC to the host server hard drive.
- Cannot run a "one time" MS Backup twice from the MS Backup software using PowerShell on the DC to the host server hard drive.
  -- issue
     --- backup job name already exists (must change the name in the script to run again)
- Cannot make a "scheduled" MS Backup from the MS Backup software PowerShell on the DC to the host server hard drive.
  -- issues
     --- will run once, but the job name issue comes in


PS script
Register-ScheduledJob -Name "System State Backup10" -Trigger @{Frequency = "Daily"; At = "12:00"} -ScriptBlock {
    # Create new backup policy
    $Policy = New-WBPolicy

    # Add System State to the policy
    Add-WBSystemState -Policy $Policy

    # Set backup location. A UNC share is a network target, so it needs -NetworkPath;
    # -VolumePath is only for local volumes and fails on a \\server\share path.
    $BackupLocation = New-WBBackupTarget -NetworkPath "\\xxxsvra\svrA"

    # Add backup location to policy
    Add-WBBackupTarget -Policy $Policy -Target $BackupLocation

    # Start backup using the policy
    Start-WBBackup -Policy $Policy
}
0
How can I use a Group Policy in Active Directory to push the configuration.xml file for Office 365 ProPlus to 10 Windows servers,

so that Office 365 ProPlus can be installed on those servers?
0
Hi,

How can I code this with PowerShell?

Search all users in AD
If a user's lastLogon is over 30 days and his O365 last logon is also over 30 days, then
Disable the user

Thanks
1

Hello,

We received an email about a vulnerability in Chrome. Can someone advise what the best way to remediate the issue is?

Do we need to update Chrome on all workstations? If yes, how can we deploy the update in a centralized way, such as using Group Policy?

Please advise.

Many thanks.
google-patches.bmp
0
So I recently added a Windows 2012 R2 server to my existing Windows 2003 network. The purpose is to remove the 2003 server from the environment. The add went fine, but now in Event Viewer on the new 2012 R2 server I am getting SceCli Event ID 1202 about 0x534: No mapping between account names and security IDs was done. I found a pretty good article (below) that helps me find the accounts that are not syncing, and they are "besadmin" and "exmerge". But when I go into RSoP it shows me the accounts are in "Allow log on locally" and "Log on as a service". I have searched AD and found that both of these accounts have been removed. BESADMIN was for my BlackBerry server, no longer in use, and I'm not sure what exmerge is but I'm sure it's with Exchange, which is now off-site with Office 365. I would like to remove these two accounts from "Allow log on locally" and "Log on as a service", but when I go in through RSoP everything is greyed out. How can I remove those entries so I stop getting the error 1202?
RSoP

http://www.rebeladmin.com/2016/01/how-to-fix-error-no-mapping-between-account-names-and-security-ids-in-active-directory/
0
GPO settings via ADMX for Outlook 2010, 2013 and 2016 are in place but not working.
I set up the rules where the calendar week should be defined to our EU ISO settings.
The object is pulled by the client, but in Outlook the wrong setting is still in place???
gpresult.png
0
Hi EE,

We have an application whose database we just migrated; our setup is as follows:

Microsoft servers Windows Server 2012 R2
Applications are distributed via Citrix XenApp 6.
Application in question uses SQL auth.

The issue is that when we migrated the database and repointed the connection strings, the application doesn't log in via Citrix; see the error below. However, when we connect to the DB from the server the application is installed on, there are no issues.

"||AXAPS04|0|System|7/03/2019 4:13:40 PM|-2147205987|[Microsoft][ODBC SQL Server Driver][SQL Server]Cannot execute as the database principal because the principal ""guest"" does not exist, this type of principal cannot be impersonated, or you do not have permission.||AMPRO Standard|5.0.14|AMPRO|5.0.14|basStartup|CheckDatabase|3|||"

I'm at a loss how to diagnose this. I have checked the GPO and folder permissions and rebooted the application server; no fix.

Any assistance is welcome on this opaque issue.

Thank you.
0
Hi,

Is it possible that an AD user account is locked out on the on-premises DC but he can still log on to his O365 mailbox? Maybe due to replication on the cloud side?
0
Looking to add to this script to skip (and not update) duplicate EmpIDs and export a log that shows the results of the EmpIDs that have been updated.

Below is a working script to import EmpIDs and update attributes; it's set to try/catch any failures when updating EmpIDs.

$udata = Import-Csv -Path C:\temp\empid.csv
foreach ($user in $udata) {
    $empId = $user.employeeid
    $hash = @{}
    # Only include attributes that actually have a value in the CSV row
    if (!($user.attr1 -eq "")) { $hash.ExtensionAttribute1 = $user.attr1 }
    if (!($user.attr2 -eq "")) { $hash.ExtensionAttribute2 = $user.attr2 }
    if (!($user.Attr3 -eq "")) { $hash.ExtensionAttribute3 = $user.attr3 }
    if (!($user.Attr4 -eq "")) { $hash.ExtensionAttribute4 = $user.attr4 }
    #Set-ADUser $user.sAMAccountName -Replace $hash

    try {
        # -ErrorAction Stop turns the AD cmdlets' non-terminating errors into
        # terminating ones, so failures actually reach the catch block
        Get-ADUser -Filter {EmployeeID -eq $empId} -ErrorAction Stop | Set-ADUser -Replace $hash -ErrorAction Stop
    }
    catch {
        Write-Output "Attempted to set user ID $empId attributes and failed" >> C:\Temp\FailedEmpID.txt
    }
}


1
