Active Directory

79K

Solutions

39K

Contributors

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

I've incorporated the people picker from this site into a Sharepoint online webpart.  It's not showing any people.
How do I populate from the Active Directory?
https://social.technet.microsoft.com/wiki/contents/articles/52920.spfx-solution-use-pnp-people-picker-control.aspx
0
I have an issue with Adobe and the registry settings to turn off the Trustworthy prompt. For the past two months or so I have been setting the value for bEnableTrustedConversion to 1. Somehow, something keeps changing it back to 31 30, so the prompt reappears. Is there some group policy in Active Directory that could be doing this? If so, how do I stop it from changing the registry setting?
0
I have an Active Directory server that hosts files and permissions. One of the employees just got a new laptop and will be going out of town for a few days.

What is the best way to setup her laptop for security while allowing her to still access the server and its files?

Thank you!
0
Hi All,

We currently have 2 x Server 2008 domain controllers. Both are backed up nightly via Veeam. If we had a problem with one DC, or indeed AD, what is the best practice to roll back to a previous working state? If, for example, one DC has a problem, can I roll this one back, and then AD etc. will sync any changes made / discrepancies between the old data on the restored DC and any changes made during this time on the running DC? Is this a terrible idea?

Thank you,
Paul
0
I am attempting to set up BitLocker Network Unlock for some of the laptops in the company.
I have an offline root and a subordinate CA. When I request a certificate on the WDS/BitLocker server, the issued certificate lists the requesting computer as the issuing computer and does not trust the certificate because it's not in the root CA. I don't understand why this is happening. I have to go to the subordinate CA to approve the request, and after that the certificate does not show up in the personal certificate store but under the Active Directory user store. Any ideas?
0
I have a weird one and I'm not sure where to go from here. My account has been getting locked out of our AD controller constantly. I tracked it down to my SpiceWorks server (SW-Server) as the cause, and I have been unable to find where in the server the old credential is cached.

Today I just got another PC and did a fresh load on it. The original server was joined to the domain and used my user account for the login that SpiceWorks was loaded into. The new server I just kept as a local user, and it is not joined to the domain. I figured since it's off the domain there can't be a way for it to lock my account out. Guess I was wrong. In the event logs (which are attached) it's now showing that Spice-Server is locking my account.

This new server is not joined to the domain, so I don't know how it could be reaching out and using my credentials (wrong ones) to lock out my account. The only thing installed on the PC is the Spiceworks desktop and the restored database from the old server. We have Office 365, so the SpiceWorks install is reaching out to Office 365 for the ticket emails, not a locally hosted Exchange. I checked the Spiceworks service and it is using the local user account, not a domain one.

Attached is the event log from the old server and the new server. Can anyone help me figure out how it's still locking me out?

Thanks in advance
SW-Server-Log.JPG
Spice-Server-Log.JPG
0
Hi Experts,

We have an old DC 2008 R2 running,
but with Exchange 2019 we need to get rid of it.

On the DC a RADIUS server is also running.
What can I do?

Is it possible to demote the old DC? The new DC is already in place and the FSMO roles are also moved.
But the RADIUS must work.
0
I have used ADMT to migrate user accounts, security translation and computer accounts, all successfully. When logging in with a migrated user account on the new domain, a new local user profile is created on the machine. Should the user profile not be migrated as well?

Current Domain: old (2008)
New Domain: new (2012)

I run ADMT from old domain DC and do migration successfully.

Please help!
0
I had this question after viewing tool to generate passwords for active directory users.

I usually use these cmdlets to create users in AD using PowerShell:
# Each CSV row becomes one user; the parameters are continued with backticks so the command stays one statement.
Import-Csv C:\temp\ADUsers.csv |
ForEach-Object {
    New-ADUser -Name $_.name -DisplayName $_.displayname `
        -OtherAttributes @{ 'company' = $_.company; 'department' = $_.Department; 'pager' = $_.pager; 'mobile' = $_.mobile; 'UserPrincipalName' = ("{0}@{1}" -f $_.name, "test.net") } `
        -Enabled $true
}

My issue is, I couldn't use the password generation cmdlets from the solution in this post (tool to generate passwords for active directory users) in my script. I don't know how to make it work with my script; I'm not that professional in PowerShell.

Any other cmdlets are welcome :)

Keep in mind that the password policy in my company is at least 9 characters, at least 1 capital letter, at least 1 small letter, and at least 1 number.
0
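Added example, not part of the post above and not the linked tool's code: a password generator that enforces the stated policy (at least 9 characters, one upper-case, one lower-case, one digit) with a cryptographic RNG, wired into the same Import-Csv / New-ADUser loop. The CSV columns and the test.net UPN suffix are taken from the post; the 14-character default length is an assumption. The initial password is set with -AccountPassword and the user is forced to change it at first logon, so the generated value only has to survive the handover.

```powershell
Import-Module ActiveDirectory

function New-RandomPassword {
    param(
        [int]$Length   = 14,   # assumption: longer than the 9-character minimum
        [int]$MinUpper = 1,
        [int]$MinLower = 1,
        [int]$MinDigit = 1
    )
    # Ambiguous glyphs (O/0, l/1/I) are left out so the password survives being read out loud.
    $upper = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower = [char[]]'abcdefghijkmnopqrstuvwxyz'
    $digit = [char[]]'23456789'
    $all   = $upper + $lower + $digit

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    # Uniform index in [0, count): rejection sampling so no residue is favoured (works on PowerShell 5.1).
    $nextIndex = {
        param([int]$count)
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$count)
        do {
            $rng.GetBytes($buf)
            $n = [System.BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        [int]($n % $count)
    }

    $chars = New-Object System.Collections.Generic.List[char]
    for ($k = 0; $k -lt $MinUpper; $k++) { $chars.Add($upper[(& $nextIndex $upper.Length)]) }
    for ($k = 0; $k -lt $MinLower; $k++) { $chars.Add($lower[(& $nextIndex $lower.Length)]) }
    for ($k = 0; $k -lt $MinDigit; $k++) { $chars.Add($digit[(& $nextIndex $digit.Length)]) }
    while ($chars.Count -lt $Length)     { $chars.Add($all[(& $nextIndex $all.Length)]) }

    # Fisher-Yates shuffle so the mandatory classes do not always sit in the first positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $nextIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $password = -join $chars

    # Independent check against the policy from the post before the value is used anywhere.
    if ($password.Length -lt 9 -or $password -cnotmatch '[A-Z]' -or
        $password -cnotmatch '[a-z]' -or $password -notmatch '[0-9]') {
        throw 'Generated password does not satisfy the password policy'
    }
    return $password
}

Import-Csv C:\temp\ADUsers.csv | ForEach-Object {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    New-ADUser -Name $_.name -DisplayName $_.displayname `
        -UserPrincipalName ("{0}@{1}" -f $_.name, "test.net") `
        -OtherAttributes @{ 'company' = $_.company; 'department' = $_.Department; 'pager' = $_.pager; 'mobile' = $_.mobile } `
        -AccountPassword $secure -ChangePasswordAtLogon $true -Enabled $true

    # Returned for the one-time handover to the user; pipe it to a protected location, not a shared log.
    [pscustomobject]@{ Name = $_.name; InitialPassword = $plain }
}
```

New-ADUser refuses the account if the password does not meet the domain policy, which is why the generator checks the policy itself first; with -ChangePasswordAtLogon the initial value is only ever a bootstrap secret.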
I have a PS script that runs within unattend.xml.

It renames the laptop using the serial number:

PowerShell.exe -Command "& {Start-Process PowerShell.exe -ArgumentList '-ExecutionPolicy Bypass -File ""c:\windows\rename.ps1""' -Verb RunAs}"
$NewComputerName = "$(Get-WmiObject win32_bios | select -expand serialnumber)-20"
Rename-Computer -NewName $NewComputerName -force -Restart

Works well.

How can I add to that script... joining a domain and placing the machine in a certain OU?

PS beginner here.

Thanks
0
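Added example, not the original poster's script: it keeps the serial-number naming from the post and does the rename, the domain join and the OU placement in a single Add-Computer call, so the laptop restarts only once. The domain corp.example.com, the OU distinguished name, the account CORP\svc-join and the placeholder password are assumptions and must be replaced.

```powershell
# Placeholders (assumptions, not from the post)
$DomainName   = 'corp.example.com'
$OUPath       = 'OU=Laptops,OU=Workstations,DC=corp,DC=example,DC=com'
$JoinUser     = 'CORP\svc-join'   # dedicated account delegated only "Create Computer objects" on $OUPath
$JoinPassword = 'PLACEHOLDER-read-this-from-your-secret-store'

function Get-SerialBasedName {
    param([string]$Suffix = '-20')   # suffix taken from the post
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
    # Computer names are limited to 15 characters and may only contain letters, digits and hyphens.
    $clean = $serial -replace '[^A-Za-z0-9-]', ''
    $max   = 15 - $Suffix.Length
    if ($clean.Length -gt $max) { $clean = $clean.Substring(0, $max) }
    return "$clean$Suffix"
}

$NewComputerName = Get-SerialBasedName

# Online join: -NewName renames at the same time as joining, -OUPath puts the computer object
# straight into the target OU instead of the default Computers container.
$secure = ConvertTo-SecureString -String $JoinPassword -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($JoinUser, $secure)
Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $cred `
             -NewName $NewComputerName -Force -Restart

# For unattended builds the weak point is that the join password has to live on the image. Offline
# domain join avoids that: an admin pre-creates the account from a management host,
#   djoin.exe /provision /domain corp.example.com /machine <name> /machineou "<OU DN>" /savefile C:\join.blob
# and the image only carries the blob, which setup consumes with
#   djoin.exe /requestodj /loadfile C:\Windows\Setup\join.blob /windowspath %SystemRoot% /localos
```

The join account should be one that can do nothing except create computer objects in that OU; if the account is ever lifted from an image, that limits what it is good for.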
Added Send As permissions to a user and it keeps disappearing! Went down the path of checking and found that this user has AdminCount=1 in the AD attribute editor. If you set it to "not set", it comes back an hour later when SDProp runs. This user is only a member of Domain Users. I added another group named TEST, made it primary and removed Domain Users, and it works! So how do I "fix" the Domain Users group so that it doesn't enable AdminCount=1, and how do I remove Domain Users from being a "protected group"? Thanks!
0
Below are the settings on our ADFS version 3.0.

This is 2 consecutive bad passwords, then Office 365 will soft-lock the account and not send authentication requests to our internal AD.

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 2 -ExtranetObservationWindow (new-timespan -Minutes 60)

It is strongly recommended that the ExtranetLockoutThreshold parameter be set to a value that is less than the AD account lockout threshold. Failing to do so would result in AD FS being unable to protect accounts from being locked out in Active Directory. That is set up in our environment.

We don't have an ADFS proxy set up,

but we are seeing a lot of ADFS auth failures for 2 user accounts.

Do the above settings only work if the auth failures come from O365?
0
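Added example, not part of the post above: a read-only check, run on the AD FS server with the ADFS and ActiveDirectory modules, that puts the extranet soft-lockout settings next to the domain's account lockout policy and flags the combinations the quoted guidance warns about. One point worth knowing when reading the result: extranet lockout only counts requests that arrive through a Web Application Proxy, so authentication attempts that reach AD FS directly from the internal network are not covered by it.

```powershell
Import-Module ADFS
Import-Module ActiveDirectory

function Test-AdfsExtranetLockoutAlignment {
    $adfs   = Get-AdfsProperties                   # ExtranetLockoutEnabled/Threshold/ObservationWindow
    $domain = Get-ADDefaultDomainPasswordPolicy    # LockoutThreshold/LockoutObservationWindow enforced by the DCs

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $adfs.ExtranetLockoutEnabled) {
        $findings.Add('Extranet lockout is disabled; AD FS will never soft-lock an account.')
    }
    if ($domain.LockoutThreshold -eq 0) {
        $findings.Add('Domain lockout threshold is 0 (AD never locks accounts); AD FS lockout only throttles guessing.')
    }
    elseif ($adfs.ExtranetLockoutThreshold -ge $domain.LockoutThreshold) {
        $findings.Add("AD FS threshold ($($adfs.ExtranetLockoutThreshold)) is not below the AD threshold ($($domain.LockoutThreshold)); AD locks the account before AD FS stops forwarding.")
    }
    if ($adfs.ExtranetObservationWindow -lt $domain.LockoutObservationWindow) {
        $findings.Add("AD FS observation window ($($adfs.ExtranetObservationWindow)) is shorter than AD's ($($domain.LockoutObservationWindow)); AD FS resets its counter while AD is still counting, so repeated bursts can still reach the AD threshold.")
    }

    [pscustomobject]@{
        AdfsLockoutEnabled    = $adfs.ExtranetLockoutEnabled
        AdfsThreshold         = $adfs.ExtranetLockoutThreshold
        AdfsObservationWindow = $adfs.ExtranetObservationWindow
        AdLockoutThreshold    = $domain.LockoutThreshold
        AdObservationWindow   = $domain.LockoutObservationWindow
        Aligned               = ($findings.Count -eq 0)
        Findings              = $findings
    }
}

Test-AdfsExtranetLockoutAlignment | Format-List
```

With the values from the post (threshold 2, 60-minute window) the function reports Aligned = True as long as the domain policy locks at 3 or more attempts and its observation window is 60 minutes or shorter; the Findings list explains any other outcome.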
Hi all, I'm going to be converting FRS to DFSR to be able to promote a Server 2019 to a DC. My question is: at my HQ my DCs can communicate with all other remote DCs, and I see no replication issues from HQ. Remote sites do not talk to each other. Would this present a problem? Thanks!
0
I have formatted a just-configured primary Active Directory Federation server, wanting to make a fresh start.
(Reason to format ADFS: I had set the ADFS service name and the ADFS server name the same by mistake, so I thought to recreate ADFS.)
Now AD Connect is showing the error "Failed to connect to primary AD FS server".
I want my AD to forget that lost AD Federation server so that I can create a new one.

Please guide.

Failed to connect to primary AD FS server
The current configurations:
Current AD Connect configuration
0
I'm unable to create an OU in Active Directory; it says that an OU with that name is already in use. I did a search for this OU at the top level of the domain with no results. I created this OU last night on the secondary DC and it never propagated over to the primary. Came in this morning and the secondary DC had "Pending Status", which I assume was from the newly created OU last night; I was unable to get rid of the Pending status without a reboot. Now, even though the OU doesn't exist, it thinks it does. How can I clear this up?
0
I am setting up a new network and I would like all client machines (Win10) to use Azure AD (the free option with Office 365 Business Premium).
We need a local Windows file server (for big design files) and I don't really want to set the server up as a local domain controller; I would like to connect it to Azure AD as a member server and allow users access to the local file shares using their Azure AD credentials controlled in Azure AD.
Is this possible without creating local accounts for each user to access the local file shares? I am familiar with using AD Connect with Server 2019 Essentials, which will make the local server the primary domain controller, and configuring it in that way, but I'd like to keep Azure AD as the primary DC if possible. If there is another or better way, please advise.
0
We are trying to track down an issue where the password expiration date is not conforming to our policy. We have a 90-day policy, but the passwords on domain accounts seem to be expiring at 42 days.

The following net user command provides the expected output:
>net user /domain joe.user
The request will be processed at a domain controller for domain example.com.
User name                    joe.user
Full Name                    Joe User
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            8/1/2019 9:09:56 AM
Password expires             10/30/2019 9:09:56 AM
Password changeable          8/2/2019 9:09:56 AM
Password required            Yes
User may change password     Yes
.....

The 10/30/2019 date corresponds with the 90-day requirement. However, the password expires much sooner. Using the following Get-ADUser command, you get a different date:
(Get-ADUser -Identity joe.user -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed' |ForEach-Object -Process {[datetime]::FromFileTime($_)}

Thursday, September 12, 2019 9:09:56 AM

The dates provided by the two commands are different. Any insight why? It may help us narrow down the issue if we knew why the two commands return different dates. Also, the account really does expire earlier than the 90-day policy. We've had users needing to change their password even though the net user command shows they have plenty of time.
0
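Added example, not the original poster's commands: a function that reports, for one account, the domain-wide maximum password age the DCs actually enforce (Get-ADDefaultDomainPasswordPolicy, whose out-of-box value is 42 days), any Fine-Grained Password Policy that applies to the user, and the DC-computed expiry. The two tools on the page look at different things: net user derives "Password expires" from the domain-wide setting, while msDS-UserPasswordExpiryTimeComputed is worked out by the DC and honours a resultant PSO, so a PSO, or a 90-day GPO that is not the one effective at the domain root, shows up here. joe.user is the sample account from the post.

```powershell
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity `
        -Properties 'PasswordLastSet','msDS-UserPasswordExpiryTimeComputed','PasswordNeverExpires'

    # Domain-wide policy as enforced by the DCs (what net user reports against).
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    # Resultant PSO for this user, or $null when no fine-grained policy applies directly or via a group.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    $effectiveMaxAge = if ($pso) { $pso.MaxPasswordAge } else { $domainPolicy.MaxPasswordAge }
    $computed = $user.'msDS-UserPasswordExpiryTimeComputed'

    # A "never expires" account carries the maximum FILETIME value, which FromFileTime cannot convert.
    $dcExpiry = if ($computed -and $computed -ne [long]::MaxValue) { [datetime]::FromFileTime($computed) } else { 'never' }
    $expected = if ($user.PasswordNeverExpires -or $effectiveMaxAge -eq [timespan]::Zero) { 'never' } else { $user.PasswordLastSet + $effectiveMaxAge }

    [pscustomobject]@{
        User                = $user.SamAccountName
        PasswordLastSet     = $user.PasswordLastSet
        DomainMaxAgeDays    = $domainPolicy.MaxPasswordAge.Days
        AppliedPSO          = if ($pso) { $pso.Name } else { '(none)' }
        EffectiveMaxAgeDays = $effectiveMaxAge.Days
        ExpectedExpiry      = $expected
        DCComputedExpiry    = $dcExpiry
    }
}

Get-EffectivePasswordExpiry -Identity 'joe.user' | Format-List
```

If DomainMaxAgeDays shows 42 while the GPO you edited says 90, the 90-day setting is not the one winning at the domain root; if AppliedPSO is not "(none)", the PSO's MaxPasswordAge is what the DC enforces regardless of the GPO.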
Does Windows Server ADFS 2012 R2 come with Azure MFA, or do we need to install Azure MFA separately along with the MFA adapter?

Also, if we enable Azure MFA on ADFS Windows Server 2016, where it comes by default, do we need to configure the MFA adapter as well?

Can we configure MFA for a selected relying party trust?

Since I have an on-premise ADFS server 2012 R2, I was planning to implement Azure MFA. If I enable it from the Azure portal, or if I configure it on ADFS on-premise, is there any difference?
0
Hi,

How (is there a way) can I make a PowerShell AD query run faster?
I know filters, e.g. for a user account like smits* or a group name like marketing*, but they take long to execute.

J
0
I have only one DC. That DC is running 2008 R2. The domain and forest functional levels are both set at Windows 2003.

I am building a new DC to retire the old. That new DC will be running Server 2019.

Do I have to first raise the domain and forest functional levels to 2008 R2 on the current DC before I add the 2019 server to the domain? Do I then promote the 2019 server to a DC after first raising the levels to 2008 R2?


Thank you
0
Hello,

I have 3 DCs, 2 VM DCs and 1 physical DC, and I want to virtualize the last physical DC.
Virtualizing the DC infrastructure shouldn't be a problem
https://www.altaro.com/hyper-v/virtualized-domain-controllers-4-myths-12-best-practices/
but what about a cluster environment?
"In 2008 R2 and prior, a cluster wouldn't start at all if it couldn't contact a domain controller. This is no longer true in 2012 R2 and later. Even if the cluster service won't start, both Hyper-V and VMMS.EXE will. With basic cluster troubleshooting techniques, you can bring a clustered virtual machine online without the cluster running. These are techniques that you should know anyway if you're operating a Hyper-V cluster."
https://www.dell.com/support/article/hr/en/hrdhs1/sln266049/windows-server-how-to-recover-from-a-hyper-v-cluster-failure-in-windows-server-2008-or-2008-r2-when-all-domain-controllers-are-virtualized-in-the-cluster?lang=en

I have a 3-node VMware (6.0) cluster and I want to virtualize the last physical DC.
Please give me some advice, hints, best practices, share your experience... about a virtual AD environment in a VMware cluster.
Thank you
0
Hi,

In this PowerShell script:

Get-ADUser user01 -Properties LastLogon,distinguishedName,Memberof | select SamAccountName,Lastlogon,DistinguishedName,Memberof | Export-Csv -Path c:\temp\test.csv

How can I export the MemberOf value in the CSV?
0
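Added example that serves both the "make a PowerShell AD query run faster" post and the MemberOf-to-CSV post above; it is not code from either poster. Speed comes from letting the DC do the matching with an LDAP filter on an indexed attribute and from asking only for the attributes needed, instead of pulling every object and every property to the client and filtering there. The multi-valued MemberOf attribute is joined into one string so Export-Csv writes the group DNs rather than "System.String[]". The OU distinguished name and the prefixes smits/marketing are assumptions; c:\temp\test.csv is the output path from the post.

```powershell
Import-Module ActiveDirectory

# Pattern to avoid: every user and every attribute crosses the wire, then the client filters.
#   Get-ADUser -Filter * -Properties * | Where-Object { $_.SamAccountName -like 'smits*' }

function Export-AdUsersByPrefix {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [string]$SearchBase = 'OU=Staff,DC=corp,DC=example,DC=com',   # assumption: narrow the search scope
        [string]$Path       = 'c:\temp\test.csv'
    )
    # sAMAccountName is indexed; a trailing wildcard keeps the index usable, a leading one (*smits) does not.
    # objectCategory=person is also indexed and cheaper than objectClass alone.
    $ldap = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Prefix*))"

    # LastLogonDate is derived from the replicated lastLogonTimestamp (may be up to 14 days stale, but the
    # same on every DC). The raw lastLogon attribute is not replicated and is only right on the DC that answers.
    Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -SearchScope Subtree -ResultPageSize 1000 `
               -Properties 'LastLogonDate','MemberOf' |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName,
            @{ Name = 'MemberOf'; Expression = { ($_.MemberOf | Sort-Object) -join ';' } } |
        Export-Csv -Path $Path -NoTypeInformation
}

function Get-AdGroupsByPrefix {
    param([Parameter(Mandatory)][string]$Prefix)
    # -Filter is translated by the cmdlet into an LDAP filter evaluated on the DC, like the form above.
    Get-ADGroup -Filter "Name -like '$Prefix*'" -Properties 'Description' |
        Select-Object Name, GroupScope, GroupCategory, Description, DistinguishedName
}

# Timing the call shows whether the DC round trip or client-side processing is the cost.
Measure-Command { Export-AdUsersByPrefix -Prefix 'smits' } | Select-Object TotalMilliseconds
Get-AdGroupsByPrefix -Prefix 'marketing' | Format-Table -AutoSize
```

The ';' separator keeps the CSV one row per user; a downstream consumer splits MemberOf on ';' to get the list back.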
On premise AD seems to have stopped syncing with Office 365 cloud. What should I check for? I've made three user accounts all in OUs that have proven to have their objects sync to the cloud. However now nothing is syncing, even though on the Office admin side it says syncs are occurring as normal. I've also forced syncs with powershell and still these accounts aren't syncing to the cloud. Any ideas?
0
I have SaasPass MFA auth working in ADFS, however, it is not working as I would want.  It first loads a screen that asks only for the user’s name.  When you enter a valid name and hit Next, it then takes you to the SaasPass adapter screen which then prompts for the name again and the One-Time Password.  I had to add the name to this second screen because I could not find any way to get it from the first screen.

Ideally, I would like it to prompt the user for name AND password on the first screen, validate against AD, then open the MFA screen and validate with the OTP.  I still think I have to change the policies of ADFS to get that workflow right.

Does anyone have experience with ADFS and SaasPass?
0
Hi, we are about to do this (100 objects in 1 tenant to be transferred to us, 250 users); however, there are a number of duplicate attributes - not GUID source anchor or UPN (some users exist as mailboxes in both tenants) but others. What are the options to resolve these before AD Connect adds in their directory to sync? Can I change the attributes? And if so, what are the implications to the user if a number of their attributes have to change before they will be AD-synced to our tenant? Thanks
0
