Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Share tech news, updates, or what's on your mind.

Sign up to Post

When I need to alter permissions for a folder on our file server, the selection location is our domain.  I always have to change the location to my OU to find the groups I need to work with.  Is there a way to set my OU as the default location in place of our domain?

Thank you
[Webinar] Lessons on Recovering from Petya
LVL 10
[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

We are using a new network IOC tool.
It is identifying a lot of network traffic activity as possible malicious file share enumeration.
It appears to be normal activity but I don't know how to identify the root cause.

The help documents  in the tool state (top line is the recommendation, the --- is a comment from me):

The host is accessing a large number of file shares as an end user attempts to find a particular file or directory
       --- For each alert, the host is a user with elevated access right, for example a network admin or helpdesk tech.
Ask the user of the host whether she has any knowledge of accessing the listed file shares
        --- They don't remember accessing any of the files listed.
Check the file server logs to see what files were accessed on the shares
       ---- I don't have access to do this but I don't see anything odd in the SIEM.
If the file share access continues and remains unexplained, determine which process on the internal host is accessing the file shares; in Windows systems, this can be done using a combination of netstat and tasklist commands
       ---- No access rights to do this

The PCAPS all show SMB2 errors - is this coincidental or could it be related?

The dashboard shows the alert as file share enumeration with the following information:

Host - an end user who is a helpdesk tech with elevated access rights
Source - A VLAN server
Targets - 14 devices that are a combo of desktops and servers
Enumerated …
Hello Team,

Can someone please provide me with a nice PowerSHell cmdlet to pull out information from AD?
 Please, see below information needed

All users. Include username, name, description, create date, last login date, last password change date, account disabled, and user password configuration.
Below script is working fine. when script executes by added | export-csv getting error "empty pipe element is not allowed"

Thanks in advance

Import-Module ActiveDirectory
$users = Get-Content "C:\input.txt"

foreach ($SamAccountName in $users)
	{ Get-ADPrincipalGroupMembership -Identity $SamAccountName |
		Select-Object -Property name, distinguishedname, @{n='samaccountname'; e={$SamAccountName}}} | Export-Csv -NoTypeInformation c:\1.csv

Open in new window

after downloading some tool from Internet (eg. putty) I noticed that I am not able to run it.
I must right-click and disable "block" for specific .exe file in order to use it.
This happens on all server on this AD domain, so I guess there is some policy.
How can I verify this?
Thank you very much
i know a little bit on ADFS , but i need to know more about ADFS structure, how it works

any questions and answers on the topic will help.

I have one question regarding Windows Server licencing and I do not understand that part.
I am using Windows Server 2016.

I have a licence where said Windows Server 2016 / 10 cores per server. What does that mean in practical explanation?

Next, I have CAL fpr win2016 serv = 25 CALs - that means I can add 25 machines/ users to Active Directory and they can access server, or I can use the same licence key for 25 devices, including client and server machines?

Thank you

Our Windows 2008 domain controller server has a lot of errors in the application log - please see the attached.

Please advise how to fix it.

The computer 'WinDefend' preference item in the 'Windows Firewall {58007B38-5D12-4234-8AC5-335AD6922CE8}' Group Policy object did not apply because it failed with error code '0x80070424 The specified service does not exist as an installed service.' This error was suppressed.

Can someone help me modify this so it also counts the nested groups in the user object ?

GC Users.txt|GET-ADUSER –Properties name,MemberOf | Select-Object SamAccountname,@{n='GroupCount';e={ ($_.memberof).count }}
Have already implemented to disable screen saver settings but still locking out in RDP session. It is windows 10 VDI and requirement is that it should never lock out for the robotic processing.

Could you help me any settings that prevent screen lock completely in RDP session?
Does Powershell have you tied up in knots?
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

We are trying to lock down office computers:

Users cannot visit websites other than approved list of websites
users cannot install any software
users cannot save anything on the local computers other than shared drive.

I might be able to do this via group policy but I assume it will be tedious or time consuming.
I came across this application below. is anyone aware of better or less expensive options?

Is there a way to disable saving of documents on the computer via Active Directory?

We want users to save all documents to the shared drive on file server
Can anyone assit me in updating the Description field (in General Tab) to multiple groups in Active Directory ?
I need to replace only the old server name with a new one. Groups are in different organizational units and the path behind the server name is different each time. Is there any possibility of doing this in bulk? Thanks in advance.

\\server name\path
I have read the article online on how to setup o365 multi-function devices which work perfect but we have two unique cases which I need others opinion on. We have two seperate App server the run custom application and accept emails from a sub-domain name the push out a broadcast notification. I know I can work with my security team to create a direction connection between the internal server and o365 then in o365 set the internal server as a smart host for email sent to the specified domain. While this does work i do no feel right on connect a server direct and wondering if it would be test to setup an internal server running IIS / SMTP that would connect to o365 acting a buffer to the external connection.

I was wondering if anyone has seen any issues with setting Network security: LAN Manager authentication level : Send NTLMv2 Reponses Only with currently support Mac OS's, Linux.

We are a large environment.
I am trying to set the Automatic Configuration Script in a new GPO.  The problem is that when I deploy .  The GPO Servers are both 2008 R2 and dont have IE10 capability.  But I do have a 2012 server (not DC) that does have the IE10 GPO capability, and this si where i am writing the GPO object.

I have created a separate Test OU and put my users account in that OU and applied the IE11 GPO.  It did the gupdate /force and restarted my workstation.  But the GPO just didnt apply.  I then enfoced it, so it should overwrite any other IE settings that may have been set in any inherited GPOs.  Again, i forced the update and restarted, but it still doesn't apply.

I just cant figure out why it wont apply.  

Is it because the server I am writing the GPO on isnt a DC or GP Server?  I dont think so.
Is it because my domain functional level is 2008?  I dont think so.

Can anyone here please assist me in modifying the PowerShell script below to list all server and appliances that are still sending out email using the IP address of my physical Exchange Server 2013 (MBX-CAS role) except certain Exchange IP address list ?

For Example in the below Powershell, I wanted to exclude ClientIp:, and to not included in the CSV result.

Get-MessageTrackingLog -Server PRODMBXCAS-14-VM -resultsize unlimited -Start "12/08/2017 1:00:00 AM" -End "12/09/2017 11:59:00 PM" | where-object {$_.EventId -eq "RECEIVE"} | Select @{Name='Recipients';Expression={[string]::join(";", ($_.Recipients))}}, Sender, EventId, Timestamp, Source, MessageSubject | Export-CSV –Path "C:\Result\Dec2_Email_Statistics_Receive.csv" -NTI

Open in new window

How can I get that into the script above ?

After reading: https://technet.microsoft.com/en-us/library/bb124375%28v=exchg.150%29.aspx  What's the difference between:

Where {$_.OriginalClientIp -notlike ""}
Where {$_.ClientIp -notlike ''}
Can Azure AD can be used for replication between AD sites/DCs?  Say one DC in US and another one in China.  
Install AAD Connect on both Domain Controllers.  Can they be synced through AAD?  Or, has to be a direct connectivity?
Can same FSMO role be on two DCs?
Currently I have 1st DC on VM and 2nd DC on a new physical reliable server.  However, since the VM was a 1st DC all five FSMO roles are still sitting on that VM.  
Any opinions as for spreading those to 2nd DC or moving all roles to the 2nd DC?

Thanks in advance!
Office 365 Training for IT Pros
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Experts, I need to write a script that not only identifies modified group policies in the domain but also shows how they were modified.
Is this possible?
2nd Domain Controller DNS server missing Zones.  1st has Forward Lookup Zones.  2nd doesn't.  Do I need to add it manually?
To add new DCs into DNS.  Should i add a short name or FQDN?  In order to machines to see DCs by name.  Currently DCs only pingable by IPs.
Company DNS is on BIND DNS.
Thanks in advance.
I had this question after viewing MS15-011 - UNC hardening clarification?.

I was searching EE for an article on UNC hardening post MS15-011 patch install.  I understand the reasoning for the post patch GPO, which leads me to believe this GPO needs to apply workstations and servers, and not just servers?
Dear Experts

I am glad to be back here.

I have following problem. I have small network - primary DC (W8DC) (all FSMO roles assigned and GC). Secondary DC (DC) and Exchange 2010 server (E2010E08).

All those running smoothly in VMWare ESX.

I was quite fool and have not realized that backup of those machines via Veeam is not enough, or it is enough, but must be carefull during recovery as restore of primary DC to previous state can cause problems in replication (USN].

So I finished with replication error between primary and secondary DC. No real windows backup of ActiveDirectory available.

Luckily as I said my domain is not complicated, it is just a few people and Exchange. I could ever recreate domain from scratch but I am unsure how to connect it back to Exchange so I tried following steps.

1. I removed DNS from secondary DC and pointed Exchange to primary DC only. I adjusted primary DC DHCP to announce itself as only DNS. No problem.
2. I forcefully removed secondary DC from the domain (correct removal was not possible as there were errors in replication). I removed domain services from secondary DC. still no problem.
3. I cleaned domain data from secondary DC (no problem).
4. I removed all traces of secondary DC from primary DC DNS (no problem)
5. I pointed Exchange 2010 to work with primary DC only as for domain and as for GC. No problem.
6. I created primary DC to be time-source for domain synchronizing itself with an external time source.
7. At…
Hi Experts,

What are the steps to forward logs collected at Domain Controller to another Server like SIEM,

considering , if we need to understand issues like account lockouts, would this be sufficient.


Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Vendor Experts

Kevin StanushSystemTools Software Learn more about SystemTools Software