Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Has anyone run Symantec Exec on a file server during production hours? My backups seem to run into the next day; is this normal? I'm backing up about 1 TB.

Hello experts,

I was manually pasting/overwriting a new .dll for an application fix. I was mapping to the C$ share of the workstations and pasting the .dll fix into the application folder under Program Files. On some workstations I had to stop the process in order to be able to overwrite it.

I would like to use Active Directory to do it instead.

The network is a Windows network. What needs to be done is to replace a DLL file on all the workstations.

Thank you in advance for your help on this
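
One way to do what the post above describes from a single admin box, as an added example that is not part of the original post: pull the workstation list from AD, stop the process that holds the DLL open, back up the old file, copy the new one over the remoting session, and verify it by hash. It assumes PowerShell remoting is enabled with PowerShell 5.0 or later on both ends (Copy-Item -ToSession), and the OU, file paths and process name are placeholders.

```powershell
# Added example (not from the original post). Pushes a replacement DLL to workstations
# taken from AD, stopping the process that locks it first, keeping a backup of the old file
# and checking the hash of the new one. Assumptions: PowerShell remoting is enabled with
# PS 5.0+ on both ends; the OU, file names and process name are placeholders.
Import-Module ActiveDirectory

$fix      = 'C:\Fixes\app.dll'                       # local copy of the new DLL on the admin box
$dest     = 'C:\Program Files\App\app.dll'           # where it lives on each workstation
$proc     = 'App'                                    # process that keeps app.dll open
$targets  = Get-ADComputer -Filter * -SearchBase 'OU=Workstations PC,DC=corp,DC=example,DC=com' |
            Where-Object { $_.Enabled } |
            Select-Object -ExpandProperty DNSHostName
$expected = (Get-FileHash -Path $fix -Algorithm SHA256).Hash

$results = foreach ($pc in $targets) {
    $s = $null
    try {
        $s = New-PSSession -ComputerName $pc -ErrorAction Stop

        # Stop the locking process and keep the old file before overwriting
        Invoke-Command -Session $s -ScriptBlock {
            param($dest, $proc)
            Stop-Process -Name $proc -Force -ErrorAction SilentlyContinue
            if (Test-Path -LiteralPath $dest) { Copy-Item -LiteralPath $dest "$dest.bak" -Force }
        } -ArgumentList $dest, $proc

        # Copy over the remoting session itself: the workstation never has to reach a file
        # share, so there is no second-hop (delegation) problem and no reliance on C$
        Copy-Item -Path $fix -Destination $dest -ToSession $s -Force

        $hash = Invoke-Command -Session $s -ScriptBlock {
            param($d) (Get-FileHash -LiteralPath $d -Algorithm SHA256).Hash
        } -ArgumentList $dest

        [pscustomobject]@{ Computer = $pc; Result = $(if ($hash -eq $expected) { 'OK' } else { 'HASH MISMATCH' }) }
    }
    catch {
        # Offline machines, WinRM blocked, access denied, etc. end up here
        [pscustomobject]@{ Computer = $pc; Result = "FAILED: $($_.Exception.Message)" }
    }
    finally {
        if ($s) { Remove-PSSession -Session $s }
    }
}

$results | Export-Csv -Path 'C:\Fixes\dll-push-results.csv' -NoTypeInformation
$results | Where-Object { $_.Result -ne 'OK' }   # what still needs a hand
```

This is a one-off push; for something that has to survive reimaging or new machines, the same copy logic belongs in a GPO computer startup script or a software deployment tool, with the DLL on a share that only the deployment account can write to.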
Can someone provide assistance with this script? We need to update it to use an "input.csv" file.

We are trying to export all the groups for the users in input.csv. This script works for a single user:

$Groups = (Get-ADPrincipalGroupMembership -Identity usera | Select-Object -ExpandProperty name) -join ','

get-aduser usera -properties memberof,samaccountname,givenname,surname | select samaccountname,givenname,surname, @{name="Groups";expression={$Groups}} | export-csv "c:\temp\ADUsers.csv" -Delimiter ";" -NoTypeInformation -Encoding UTF8

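
The CSV-driven version of the script above, as an added example that is not part of the original post: it reads the accounts from input.csv, writes one row per user with the groups joined into a single field, and keeps a row for accounts that cannot be resolved so they do not silently disappear from the output. It assumes input.csv has a header row with a column named SamAccountName; the paths are the ones from the post.

```powershell
# Added example (not from the original post): reads SamAccountNames from input.csv and
# writes one row per user with a comma-separated list of group names.
# Assumption: input.csv has a header row with a column named SamAccountName.
Import-Module ActiveDirectory

$inputCsv  = 'C:\temp\input.csv'
$outputCsv = 'C:\temp\ADUsers.csv'

Import-Csv -Path $inputCsv | ForEach-Object {
    $sam = "$($_.SamAccountName)".Trim()
    try {
        # -ErrorAction Stop turns "cannot find an object" into a catchable exception
        $user = Get-ADUser -Identity $sam -Properties GivenName, Surname -ErrorAction Stop

        # Get-ADPrincipalGroupMembership includes the primary group (usually Domain Users),
        # which the memberOf attribute does not list
        $groups = Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName -ErrorAction Stop |
                  Select-Object -ExpandProperty Name | Sort-Object

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            GivenName      = $user.GivenName
            Surname        = $user.Surname
            Groups         = ($groups -join ',')
        }
    }
    catch {
        # Keep the row so a missing or unresolvable account is visible in the output
        [pscustomobject]@{
            SamAccountName = $sam
            GivenName      = $null
            Surname        = $null
            Groups         = "ERROR: $($_.Exception.Message)"
        }
    }
} | Export-Csv -Path $outputCsv -Delimiter ';' -NoTypeInformation -Encoding UTF8
```

Get-ADPrincipalGroupMembership can fail with "the server is unwilling to process the request" for users who belong to groups in other domains of the forest; in that case read the memberOf attribute instead and resolve each DN with Get-ADGroup, accepting that the primary group will be missing from the list.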
Is there a way to use WMI connection credentials once in a class? I don't understand how to code in classes, only in Form1. Also, am I closing the WMI connection properly with m = Nothing? The source code is below. I'm getting the message "IDE0017: Object initialization can be simplified" in VB.NET. I'm creating a WMI inventory app. Anyway, any source code that is better than mine would be appreciated, because I'm not a professional coder by any means, but it is fun.
 Public Sub ListDrives()

        Dim options As ConnectionOptions
        options = New ConnectionOptions
        options.Username = "XXXXXX"
        options.Password = "XXXXXXXXXX"
        '* Test the connection

        '  Dim ps() As Services

        lvProcesses.Columns.Add("", 100, HorizontalAlignment.Left)
        lvProcesses.Columns.Add("Drive Letter", 120, HorizontalAlignment.Left)
        lvProcesses.Columns.Add("Drive Size", 120, HorizontalAlignment.Left)
        lvProcesses.Columns.Add("DriveFreespace", 120, HorizontalAlignment.Left)
        lvProcesses.Columns.Add("FileSystem", 120, HorizontalAlignment.Left)
        lvProcesses.Columns.Add("UNC Path", 200, HorizontalAlignment.Left)
        On Error Resume Next
        Dim scope As ManagementScope
        scope = New ManagementScope("\\" & ComputerName & "\root\cimv2", options)

        Dim query As ObjectQuery
        query = New ObjectQuery("SELECT * FROM 

Hi all,

We have just upgraded our internal root CA to use SHA256. The upgrade went as expected. I'm just wondering now how we get the new SHA256 root certificate out to the Trusted Root Certification Authorities store of the clients whose certificates we are potentially upgrading?
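
The usual way to do this for domain members, as an added example that is not part of the original post: publish the new root certificate to AD, from where domain-joined machines pull it into their Trusted Root store on the next Group Policy/autoenrollment pass, then verify on a client. It assumes the root CA was actually renewed with a new certificate (changing only the CA's hash algorithm setting changes what it signs, not the root certificate itself); the file path is a placeholder.

```powershell
# Added example (not from the original post). Steps 1-2 run on the CA, 3-5 on a client.
# Assumption: C:\Temp is a scratch folder; the root CA has already been renewed with SHA256.

# 1. Export the CA's current certificate (after a renewal certutil returns the newest one)
certutil -ca.cert C:\Temp\RootCA-SHA256.cer

# 2. Publish it to AD. "RootCA" here is a certutil keyword, not the CA's name: it puts the
#    certificate in the Certification Authorities container, and domain members copy it into
#    Trusted Root on their next autoenrollment pass (Group Policy refresh) without per-client work.
certutil -dspublish -f C:\Temp\RootCA-SHA256.cer RootCA

# 3. On a domain-joined client, trigger the pull instead of waiting for the next refresh
certutil -pulse

# 4. Verify. Both the old SHA1 root and the new SHA256 root should stay present until every
#    certificate chaining to the old one has expired or been reissued; do not remove the old one yet.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*RootCA*' } |     # substitute your CA's subject name
    Select-Object Subject, NotAfter, Thumbprint,
                  @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } }

# 5. Standalone (non-domain) machines get nothing from AD; import directly on each of them
Import-Certificate -FilePath C:\Temp\RootCA-SHA256.cer -CertStoreLocation Cert:\LocalMachine\Root
```

If you would rather not rely on autoenrollment, the same .cer can be imported into Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities in a GPO; the AD publish route is less to maintain.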
I cannot seem to find a way with PowerShell to distinguish between Office 365 retention policies and label policies.
NOTE: I am not talking about Exchange retention policies at all for this question.

Any ideas?

I am trying to finish up a PowerShell script to where I am pulling a listing of groups from Active Directory and export them to a .csv file.  I need the script to also output the group-type (security, distribution).  Here is what I have so far:

# -Filter * so distribution groups are included as well. GroupCategory is what says
# Security/Distribution; GroupScope is DomainLocal/Global/Universal, so export both.
Get-ADGroup -Filter * | ForEach-Object {
    $Group = $_
    Get-ADGroupMember -Recursive -Identity $Group.DistinguishedName | Select-Object -Property `
        @{Name='GroupName'; Expression={$Group.Name}},
        @{Name='GroupType'; Expression={$Group.GroupCategory}},
        @{Name='GroupScope'; Expression={$Group.GroupScope}},
        @{Name='MemberName'; Expression={$_.Name}},
        @{Name='MemberSamAccountName'; Expression={$_.SamAccountName}}
} | Export-Csv -NoTypeInformation -Path 'C:\Group Listing.csv'

Does anyone know of a way, perhaps using one of the AD cmdlets, to get the same info as a Microsoft Baseline Security Analyzer scan gives in the "shares" section of its report (both the share ACL and the directory ACL), but written out to a CSV file so further filtering/analysis can be performed? MBSA does give what I need, but the report is essentially read-only. I need a way to filter the results, as some of the servers under review have hundreds of shares, so having it in CSV would make that additional analysis a lot easier. Basically MBSA just enumerates all shares on a server and produces the share and directory ACL in a simple layout:

share (name), path, share ACL, directory ACL

So I need a command to do the same and put the results in a CSV file with the same columns so I can do similar analysis.
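
A script that produces that table, as an added example that is not part of the original post: one row per non-administrative share with the share ACL and the NTFS ACL of the shared directory flattened into strings, plus the directory owner, which MBSA does not show but which matters for the same review. It assumes the target is Windows Server 2012 or later (Get-SmbShare/Get-SmbShareAccess) with PowerShell remoting enabled; the server name and output path are placeholders.

```powershell
# Added example (not from the original post). Share name, path, share ACL, directory ACL and
# owner for every non-administrative directory share on a server, as CSV.
# Assumptions: Windows Server 2012+ on the target, PS remoting enabled; names are placeholders.
$server = 'FILESRV01'
$outCsv = 'C:\Temp\shares.csv'

$rows = Invoke-Command -ComputerName $server -ScriptBlock {
    # Skip ADMIN$, C$, IPC$ and the like (Special) and anything that is not a directory share
    Get-SmbShare |
        Where-Object { -not $_.Special -and $_.ShareType -eq 'FileSystemDirectory' } |
        ForEach-Object {
            $share = $_

            # Share-level ACL flattened to "account:Allow|Deny:Full|Change|Read; ..."
            $shareAcl = (Get-SmbShareAccess -Name $share.Name | ForEach-Object {
                '{0}:{1}:{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight
            }) -join '; '

            # NTFS ACL on the shared directory. Keep the error text if it cannot be read, so an
            # unreadable directory shows up in the review instead of vanishing from it.
            try {
                $acl    = Get-Acl -LiteralPath $share.Path -ErrorAction Stop
                $owner  = $acl.Owner
                $dirAcl = ($acl.Access | ForEach-Object {
                    $inh = if ($_.IsInherited) { ' (inherited)' } else { '' }
                    '{0}:{1}:{2}{3}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights, $inh
                }) -join '; '
            }
            catch {
                $owner  = $null
                $dirAcl = "ERROR: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Share        = $share.Name
                Path         = $share.Path
                ShareACL     = $shareAcl
                DirectoryACL = $dirAcl
                Owner        = $owner
            }
        }
}

# Drop the PSComputerName/RunspaceId columns Invoke-Command adds, then export
$rows | Select-Object Share, Path, ShareACL, DirectoryACL, Owner |
    Export-Csv -Path $outCsv -NoTypeInformation

# First triage pass once it is in CSV: wide-open share permissions
Import-Csv -Path $outCsv |
    Where-Object { $_.ShareACL -match '(Everyone|Authenticated Users|Domain Users):Allow:(Full|Change)' } |
    Select-Object Share, Path, ShareACL
```

On Windows Server 2008 R2 there is no SmbShare module; the same data comes from the Win32_Share and Win32_LogicalShareSecuritySetting WMI classes, and Get-Acl works unchanged. The effective access to a file is the more restrictive of the two ACLs, which is why the CSV needs both columns.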

I am trying to create a PowerShell script to pull some info from Active Directory into a .csv format.  I am trying to get the following attributes:

- Group

Here is what I have so far:

Get-ADGroup -Filter {GroupCategory -eq "Security"} | ForEach-Object {
    $Group = $_
    Get-ADGroupMember -Recursive -Identity $Group.DistinguishedName |
        Select-Object @{Name='GroupName'; Expression={$Group.Name}}, Name
} | Export-Csv -NoTypeInformation -Path 'C:\Security Groups.csv'

I am running server 2008 R2.

My server hung this morning without any error. While it was hung I couldn't even use the keyboard and mouse. Then I checked Event Viewer. It shows the following message:
"The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name resolution/network connectivity to the current domain controller.
b) File Replication Service latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled."
My questions are:
1. Is the server hanging related to this error?
2. The Group Policy tab is also missing in AD. Is this missing tab related to this error?
If yes, please help me find the solution. Thanks.
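
A way to check each of the three causes the event lists, as an added example that is not part of the original post. The GUID in the event is the Default Domain Policy; the script tests the domain-based DFS path the event names, then the same gpt.ini directly on every DC (which bypasses the DFS client), compares the Version value each DC is serving, and shows the AD-side versus SYSVOL-side version numbers from Get-GPO. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the machine you run it from.

```powershell
# Added example (not from the original post). Maps the event's causes a), b), c) to checks.
# Assumption: RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory, GroupPolicy

$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # from the event; this is the Default Domain Policy
$domain  = (Get-ADDomain).DNSRoot
$dfsPath = "\\$domain\SYSVOL\$domain\Policies\$gpoGuid\gpt.ini"   # the path the event complains about

# c) DFS client: the domain-based path goes through the DFS client, a DC-specific path does not.
#    If the direct paths below work and this one fails, suspect the DFS client (Dfsc) or the referral.
[pscustomobject]@{ Path = $dfsPath; Reachable = (Test-Path -LiteralPath $dfsPath) }

# a) and b): per DC, DNS resolution, reachability, and the gpt.ini version that DC is serving
$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $direct = "\\$($dc.HostName)\SYSVOL\$domain\Policies\$gpoGuid\gpt.ini"
    $dns    = [bool](Resolve-DnsName -Name $dc.HostName -ErrorAction SilentlyContinue)
    $ver    = $null
    if ($dns -and (Test-Path -LiteralPath $direct)) {
        # gpt.ini contains "Version=<number>"; a DC that has not replicated shows an older value
        $m = Select-String -LiteralPath $direct -Pattern '^Version=(\d+)' | Select-Object -First 1
        if ($m) { $ver = [int]$m.Matches[0].Groups[1].Value }
    }
    [pscustomobject]@{
        DC              = $dc.HostName
        DnsResolves     = $dns
        GptIniReachable = ($null -ne $ver)
        SysvolVersion   = $ver
    }
}
$results | Format-Table -AutoSize   # versions should all be equal; blanks mean a) or b)

# AD's own view: DSVersion (stored in AD) and SysvolVersion should match on a healthy DC;
# a mismatch is replication latency between AD and SYSVOL (cause b)
Get-GPO -Guid $gpoGuid | Select-Object DisplayName,
    @{ Name = 'ComputerDS';     Expression = { $_.Computer.DSVersion } },
    @{ Name = 'ComputerSysvol'; Expression = { $_.Computer.SysvolVersion } },
    @{ Name = 'UserDS';         Expression = { $_.User.DSVersion } },
    @{ Name = 'UserSysvol';     Expression = { $_.User.SysvolVersion } }

# Which DC this machine actually used ("the current domain controller" in the event)
nltest /dsgetdc:$domain
```

If every DC serves the file but the domain-based path fails, the problem is on the client side (DFS client or the referral it got); if one DC is missing the file or shows a lower version, look at SYSVOL replication (DFSR or FRS) on that DC rather than at the client.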
Hi people,

Can anyone here please review my Exchange Server PowerShell below? It does the mailbox migration from one Exchange Server, called PROD-MBX14, into PRODMBX22-VM, and then sends an email out for any completed or errored status.

# -CSVData needs the leading dash; -TargetDatabases takes the list of target DBs.
# With -AutoStart and -AutoComplete the Start/Complete calls below are not needed.
New-MigrationBatch -Local -Name PROD-Migration -CSVData ([System.IO.File]::ReadAllBytes("C:\TEMP\Group1_Migration.csv")) -TargetDatabases SVR1-DB01, SVR1-DB02, SVR1-DB03, SVR1-DB04 -AutoStart -AutoComplete
Start-MigrationBatch -Identity PROD-Migration
Complete-MigrationBatch -Identity PROD-Migration

In the CSV C:\TEMP\Group1_Migration.csv there are 688 lines, one unique email address per line, of mailboxes running on the old mailbox server.

What I have done manually is to select all of the mailbox DBs in the new server PRODMBX22-VM called:

But how do I do it using the script above, executing it with a scheduled task to start the migration in batches of 10, and then move on to the next batch again?

The reason I do it 10 by 10 is that the Exchange server runs out of memory if I do more than 10.

Thanks in advance.
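
One way to run it in batches of 10 from a scheduled task, as an added example that is not part of the original post: the CSV is split into chunks, one migration batch is created per chunk up front without starting it, and a second function, called by the task every few minutes, starts the next batch only when nothing is still moving. The completion/error mail the post asks for is New-MigrationBatch's own -NotificationEmails report. It assumes the CSV has an EmailAddress header column (the format -CSVData expects), the database names and notification address are placeholders, the script is loaded in an Exchange Management Shell, and the batch status names are as documented for Exchange 2013.

```powershell
# Added example (not from the original post), for the Exchange Management Shell.
# Assumptions: CSV has an "EmailAddress" header; DB names and notify address are placeholders;
# status names (Created, Completed, CompletedWithErrors, Failed, Stopped) are per Exchange 2013 docs.
$csvPath   = 'C:\TEMP\Group1_Migration.csv'
$targetDbs = 'SVR1-DB01', 'SVR1-DB02', 'SVR1-DB03', 'SVR1-DB04'
$notify    = 'exchange-admins@example.com'
$batchSize = 10
$prefix    = 'PROD-Migration-'

function New-MigrationBatchesFromCsv {
    $addresses = @((Import-Csv -Path $csvPath).EmailAddress | Where-Object { $_ } | Select-Object -Unique)
    $n = 0
    for ($i = 0; $i -lt $addresses.Count; $i += $batchSize) {
        $n++
        $chunk = @($addresses[$i..([Math]::Min($i + $batchSize, $addresses.Count) - 1)])
        # Build this chunk's CSV in memory; -CSVData wants the file content as bytes
        $csvText = "EmailAddress`r`n" + ($chunk -join "`r`n") + "`r`n"
        $bytes   = [System.Text.Encoding]::UTF8.GetBytes($csvText)
        $name    = '{0}{1:D3}' -f $prefix, $n          # zero-padded so name order = creation order
        # No -AutoStart: the scheduler below starts batches one at a time.
        # -NotificationEmails sends the completion/error report for each batch.
        New-MigrationBatch -Local -Name $name -CSVData $bytes -TargetDatabases $targetDbs `
            -NotificationEmails $notify -AutoComplete | Out-Null
        Write-Output "$name : $($chunk.Count) mailboxes"
    }
}

function Start-NextBatch {
    $batches  = Get-MigrationBatch | Where-Object { "$($_.Identity)" -like "$prefix*" } | Sort-Object { "$($_.Identity)" }
    $finished = 'Completed', 'CompletedWithErrors', 'Failed', 'Stopped'
    # Do nothing while any batch is still in flight; that is what exhausts memory on the server
    $active = $batches | Where-Object { "$($_.Status)" -ne 'Created' -and $finished -notcontains "$($_.Status)" }
    if ($active) { Write-Output "Waiting on: $(($active | ForEach-Object { "$($_.Identity)" }) -join ', ')"; return }
    $next = $batches | Where-Object { "$($_.Status)" -eq 'Created' } | Select-Object -First 1
    if ($next) { Start-MigrationBatch -Identity $next.Identity; Write-Output "Started $($next.Identity)" }
    else       { Write-Output 'All batches finished' }
}

# Run New-MigrationBatchesFromCsv once by hand, then schedule a task that repeats every 15
# minutes and runs:  powershell.exe -Command ". 'C:\Scripts\Migrate.ps1'; Start-NextBatch"
# (with the Exchange snap-in or remote session loaded first in the script).
```

Failed batches stay in the Failed state and the scheduler moves past them, so review Get-MigrationUser -BatchId for those before re-running; a stuck "Completing" batch will block everything behind it, which is the intended behaviour given the memory limit.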
Hello -

I am looking for a way to push a GPO software installation policy to only specific computers, assigning the software installation policy to the machine as opposed to the user. I have a multi-domain forest running Server 2012 R2, and the OU structure is the same in every domain except, obviously, the domain name.



- Distro groups (OU)
- Fax Server Groups (OU)
- location Servers (OU)
- Workstations MAC (OU)
- Workstations PC (OU)
- Domain Controllers (OU)
- Logon Account All (OU)

The systems are located within our existing computer OUs and user OUs. Now, specific computer accounts will be assigned GPO modulex86 or GPO modulex64. I am using SCCM to identify each computer's Office version (x86 or x64). Once I compile a list, the idea is to push out the proper GPO to them. This is where I get stuck. What is the best way to accomplish this? Should I modify GPO delegation and only allow a group of computers? This means I will have to remove computer accounts from their existing OUs, and I'm not sure that is wise, as we have them organized within specific OUs right now.

Do I use WMI filtering? If so, how?

Hope this makes sense. I'd like to understand how to organize these GPOs without complicating the system. I appreciate your help!
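
Security filtering does this without moving anything out of its OU, as an added example that is not part of the original post: the computer accounts from the SCCM list go into a security group, that group gets Apply on the GPO, Authenticated Users is cut back to Read, and the GPO is linked to the OU the computers already live in. A WMI filter is the other option, but it can only test what WMI exposes; a list produced by SCCM is easier to express as a group. It assumes the SCCM export has a ComputerName column, the group/GPO/OU names are placeholders, and it is run once per domain with the ActiveDirectory and GroupPolicy modules available.

```powershell
# Added example (not from the original post). Targets a computer-side GPO at a list of machines
# via group-based security filtering. Assumptions: CSV has a "ComputerName" column; group, GPO
# and OU names are placeholders; run in each domain (GPOs are per domain).
Import-Module ActiveDirectory, GroupPolicy

$listCsv  = 'C:\Temp\office-x64.csv'
$group    = 'GPO-Apply-modulex64'
$gpoName  = 'GPO modulex64'
$targetOu = 'OU=Workstations PC,DC=corp,DC=example,DC=com'

# 1. A security group holding the computer accounts (not users) that should get the package
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $targetOu | Out-Null
}
$members = foreach ($row in (Import-Csv -Path $listCsv)) {
    # Get-ADComputer takes the plain name; the trailing $ of sAMAccountName is not needed
    try   { Get-ADComputer -Identity $row.ComputerName -ErrorAction Stop }
    catch { Write-Warning "Not found in AD: $($row.ComputerName)" }
}
if ($members) { Add-ADGroupMember -Identity $group -Members $members }

# 2. Security filtering: the group applies the GPO, everyone else only reads it.
#    Authenticated Users must keep Read: since MS16-072 the computer account reads the GPO on
#    behalf of the user, and a GPO nobody can read silently stops applying.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Link where the computers already live; machines outside the group read the GPO and skip it
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 4. Check: GpoApply should now be listed only for the group
Get-GPPermission -Name $gpoName -All | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Software installation policy is processed at computer startup, so the change shows up after a reboot (gpupdate /force followed by a restart on a test machine), and gpresult /r /scope computer on the client will list the GPO as applied or filtered out. The same group also gives you an inventory of who has the package, which an OU move would not.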

I need to mount an ISO on a 2008 server. Does anybody have a good free tool to use?
Take ownership of the Folder

I am trying to take ownership of the folder as a member of the Domain Admins group.

At some point, when the permissions reach certain sub-folders, I get the message:

"You do not have permission to read the contents of directory <folder name>. Do you want to replace the directory permissions with permissions granting you Full Control?"
"All permissions will be replaced if you click Yes."

I am not sure whether clicking Yes will mess up all the permissions that have been granted to other groups.

Any idea?

Thank you

2012 R2 server & domain, Win7 workstations.

I am trying to set up folder redirection, but it would seem that I have messed up my ACLs:
[screenshot: event log]
I believe I have defined the authorisations as per best practices, but I guess I have missed something...
[screenshot: share setup]
Any idea?

I have recently modified an existing GPO (a fairly basic one about printer mapping) and, to my surprise, it would not work as expected.

I ran the modeling tool and sure enough the old settings are still appearing.

Digging further I see this:
[screenshot: error message]
That's all nice and dandy, but comparing the ACLs on both machines, they seem identical...

[screenshots: Server 1, Server 2]
(I have applied a sort to make comparison easier.)

Where do we go from here?

I have a program called PolicyTech that my users use, and sometimes within the program it will call for a Word module to be installed. When this happens, the user's system is prompted for UAC credentials, which prevents the user from installing the module successfully. This is a program and install that we approve; however, we do not want to disable UAC, but rather figure out a way to push a GPO that allows this program and Word module to install without UAC credentials being needed. I'd appreciate anyone who can help me figure out how to set a GPO to allow what I am trying to accomplish for my users.


We would like to introduce a 10-year "delete and allow recovery" DPT.
Then we would like to modify the DPT (or delete and recreate it) to have a duration of 3 years.
We would only modify the duration, not the action.

Does it make more sense to modify the duration or to delete and recreate the DPT?

Thank you

We have a customer where someone made their internal domain the same as their external website domain. So their Windows domain is, for example, but their website is also

I have put in a www A record in DNS pointing to the IP that I get back from pinging

However, the issue is now that if I try and navigate to the website on the internal network I get come back.

And by the way, it does work outside of the network :).

Hi All,

I've got an Exchange Server 2013 that is running one very big mailbox database, about 1.96 TB as a single .EDB file.

Since the drive partition is formatted as NTFS on an MBR disk, I cannot extend it beyond 2 TB.

So my only option while waiting for the new storage array delivery is to delete the older mailboxes that are very big. After right-clicking in the Exchange Control Panel website and deleting them, how do I make sure the disk space is available (that there is enough white space) for future growth, temporarily?

My understanding is that after deleting the mailboxes the mailbox DB is still the same size, but there is then white space that can be used for the rest of the mailbox growth.
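
The check and the catch, as an added example that is not part of the original post: a mailbox deleted in ECP is only disconnected, and the store keeps it for the database's MailboxRetention period (30 days by default), so no white space appears until then unless the disconnected mailboxes are purged. The script shows the white space figure before and after, lists the disconnected mailboxes, and purges them. It runs in the Exchange Management Shell; the database name is a placeholder.

```powershell
# Added example (not from the original post), for the Exchange Management Shell.
# Assumption: 'MBX-DB01' is a placeholder for the big database.
$db = 'MBX-DB01'

function Get-DbSpace {
    # AvailableNewMailboxSpace is the white space the store reuses without growing the .EDB
    Get-MailboxDatabase -Identity $db -Status |
        Select-Object Name, DatabaseSize, AvailableNewMailboxSpace, MailboxRetention
}

Get-DbSpace   # before: expect little white space right after the deletions

# Mailboxes deleted (SoftDeleted) or disabled (Disabled) in ECP that are still inside the file
$disconnected = Get-MailboxStatistics -Database $db |
    Where-Object { $_.DisconnectReason -in ('SoftDeleted', 'Disabled') } |
    Select-Object DisplayName, MailboxGuid, DisconnectReason, DisconnectDate, TotalItemSize

$disconnected | Sort-Object TotalItemSize -Descending | Format-Table -AutoSize

# Purge them now instead of waiting out MailboxRetention. This is unrecoverable (no
# reconnect, no Connect-Mailbox), so review the list above first.
foreach ($m in $disconnected) {
    Remove-StoreMailbox -Database $db -Identity $m.MailboxGuid -MailboxState $m.DisconnectReason -Confirm:$false
}

Get-DbSpace   # after: AvailableNewMailboxSpace should have grown by roughly the purged sizes
```

The .EDB file itself only shrinks with an offline defrag (eseutil /d), which needs free disk space of about the size of the database to write the new copy; on a full 2 TB MBR volume that is not an option, so until the new array arrives the white space is what carries the growth.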

Hi guys

We have a Windows 2008 R2 AD environment. There are 'Computers' OUs that I am looking at which probably consist of machines that are no longer on the domain. Ideally I would like those cleaned up.

How do you go about such a thing? Do you use any tools, or can you recommend any? I was using the SolarWinds Inactive Computer Removal tool. Is that something you have tried?
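
The native way to do it without a third-party tool, as an added example that is not part of the original post: find computer accounts that have been inactive for 90 days using two independent signals, export them for review, then disable and quarantine rather than delete on the first pass, and delete only what has sat disabled in quarantine for another 60 days. It uses only cmdlets in the 2008 R2 AD module; the quarantine OU and report path are placeholders, and it runs with -WhatIf until you flip the switch.

```powershell
# Added example (not from the original post). Stale computer cleanup in two passes.
# Assumptions: quarantine OU and report path are placeholders; 2008 R2 AD module cmdlets only.
Import-Module ActiveDirectory

$days         = 90
$quarantineOu = 'OU=Stale Computers,DC=corp,DC=example,DC=com'
$report       = 'C:\Temp\stale-computers.csv'
$whatIf       = $true     # flip to $false after reviewing the report

# LastLogonDate is the replicated lastLogonTimestamp (accurate only to ~14 days). PasswordLastSet
# is a second signal: a live domain member rotates its machine password every 30 days.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($days)) -ComputersOnly |
    ForEach-Object {
        Get-ADComputer -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet, OperatingSystem, Description
    } |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-$days) }   # both signals agree

$stale | Select-Object Name, OperatingSystem, LastLogonDate, PasswordLastSet, Enabled, Description, DistinguishedName |
    Export-Csv -Path $report -NoTypeInformation

foreach ($c in $stale) {
    # Never sweep DCs; cluster and virtual computer objects also deserve a manual look first
    if ($c.DistinguishedName -like '*OU=Domain Controllers,*') { continue }
    Disable-ADAccount -Identity $c -WhatIf:$whatIf
    # Stamp when and why, so the second pass can tell how long it has been quarantined
    Set-ADComputer -Identity $c -Description "Stale since $(Get-Date -Format yyyy-MM-dd) (last logon $($c.LastLogonDate))" -WhatIf:$whatIf
    Move-ADObject -Identity $c -TargetPath $quarantineOu -WhatIf:$whatIf
}

# Second pass (a later run): delete what has sat disabled in quarantine for 60 days
Get-ADComputer -SearchBase $quarantineOu -Filter * -Properties Description |
    Where-Object { -not $_.Enabled -and
                   $_.Description -match 'Stale since (\d{4}-\d{2}-\d{2})' -and
                   [datetime]$Matches[1] -lt (Get-Date).AddDays(-60) } |
    Remove-ADObject -Recursive -Confirm:$false -WhatIf:$whatIf   # -Recursive: child objects such as BitLocker keys
```

The quarantine step is what makes this safe: a machine that was only powered off for a quarter comes back with a disabled account, which is a help-desk ticket, whereas a deleted account means a rejoin and a new SID.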


I'm running Exchange Server 2013 SP1, which lost its 1.9 TB database disk for 2 hours and then came back online all of a sudden.

So the timing is like:

9:00 PM - 9:30 PM, I am doing my change to delete the oversized mail.que:
1. Go to services.msc and pause the Microsoft Exchange Transport service.
2. Run "Get-Queue | ft -AutoSize" and ensure all pending messages are clearing out, down to a very minimal number under 10.
3. Stop the Microsoft Exchange Transport service.
4. Set the Microsoft Exchange Transport service to "Disabled".
5. Rename the mail.que file.
6. Set the Microsoft Exchange Transport service to "Automatic".
7. Reboot the Exchange server.
8. Run "Get-Queue | ft -AutoSize" and ensure all pending messages are clearing out.

After the reboot, the Windows server rebooted itself again, but this time it was worse: the D:\ drive, where all of the Exchange mailbox DBs are, went missing because the D:\ drive became RAW instead of NTFS for about 2-2.5 hours.

At 11:45 PM yesterday the D:\ drive mysteriously came back online as an NTFS drive, and all email is flowing as normal again.

But then I've got more than half of my users reporting that they are missing yesterday's email, even from before the maintenance window at 9:00 PM yesterday.

Email today is working fine for everyone, but some of my users did lose yesterday's emails.

Looking through the Exchange transaction logs, I can see some emails within the outage window:

Should it be necessary to enable Auto-Expanding Archive at the mailbox level too?
I was in the process of converting all 3 domain controllers from 2012 to 2012 R2. All servers are VMs. All servers were imaged first. Likewise, I have console access if necessary. I had 2 servers built and sized with temporary addresses. I had them both fully patched and ready at the workgroup level. I had only two servers, but had to go to 3 (long story).

I had a server #3 built under 2012 R2, patched and protected. Took it to domain member and subsequently domain controller. I moved the FSMO roles from #1 to the new #3, as well as copying the database and exporting the CA functions. Finally I updated the GP to relocate the NTP from #1 to #3. I had some problems with SYSVOL and NETLOGON, but managed to copy and configure share permissions, and all three domain controllers are replicating.

Meanwhile I used the GUI to demote the #2 (2012 legacy) domain controller to member server, which went cleanly. No forcing necessary. YEY. Bumped it down to workgroup and shut it down. Brought the #2 new server to domain member and subsequently domain controller, and again some SYSVOL and NETLOGON issues. Fixed the same way. So now I have two 2012 R2 domain controllers and one 2012 DC.

I changed #1 to DC from GC. dcdiag, nltest, netdom, diags all look good. Attempted to demote #1. Did not work. Required forcing. I went to #3 and attempted to use AD Sites and Services, and it would not delete. (Yes, I unchecked the object deletion.) I tried ntdsutil, adsiedit, ldp, some super duper script I got from TechNet. Nothing worked. I…
If userA, on a shared workstation, manually logs into OWA (the portal, actually), where the needed URLs are in a zone that does not allow automatic logon...

1. The domain, userA and userB are all federated
2. userA signs out of OWA
3. userA closes IE
4. A GPO deletes all cache and cookies upon closing of IE
5. userB opens IE
6. userB opens
7. userB is signed directly into userA's OWA

Where are the credentials kept? In a cookie, right? Where else?

Thank you.
