Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Share tech news, updates, or what's on your mind.

Sign up to Post

i just want to understand 1 thing

i see a citrix environment in one company

90% of users are using xenapp having non persistence desktops.

i see seperate DHCP scope defined in one of citrix servers.

when i do ipconfig, i see address coming as 10.x.x.x

we have on premise AD where users are synced through AAD sync to office 365 and mailboxes in office 365

outlook is 2010 and is configured on premise in stalled on xenapp and published to studio

my question:
there is group policy called outlook GPO for outlook users whose cache files shoudl be enabled

i know this is bit vague

but if DHCP scope is defined in citrix server and dekstops are getting IP'S from there

how come group policy called outlook GPO is working for outlook users

when there is no DHCP scope defined in AD

I MEAN HOW that GOP is geeting affected in outlook where citrix has its own DHCP

is that some thing AD has in its users and computers accounts for cirtix servers and then it si working?
Simplify Active Directory Administration
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

We have a remote office being out of internet connection for almost a week due to ISP's fiber cable incident. Now I need to investigate when the outage exactly began. To do that, first of all, I searched the firewall log since we have site-to-site VPN connection between the two firewalls. But I found out the log size limitation is too small so the log details of interest have been overwritten and not available.
Secondly, we have a DC in that office and there is site replication set up in ADSS as I can see. With that, do you know if there is log available somewhere regarding the remote DC connection getting cut off?

Thanks for your help.
Is there any way to prevent users copying files from a mapped drive, when they're not domain joined?

Server 2012 R2 - Active Directory & File Share
Local devices - connect to shared folders from the server, using their AD accounts for authentication only. Local devices are NOT domain joined.
Filter users from AD to find disabled accounts within specific OU that contain a specific attribute

Users are mixed inside of one OU I'm trying to find OU users by an attribute "O" which stands for organization that has a specific value  

Get-Aduser  -searchbase "OU=mydomain,OU=test",dc=com"  -filter * | where { $_.enabled -eq $False}

so the script above finds the users that are disabled I want to find all the users store them as a variable then filter the results to use the -Properties O | where-object {$_.o -eq "value 1", "value 2", "value 3"}

How would I add this to the script and then store the users and use the results within the 2nd part so I don't have to query for the users and then filter and then find disabled I also want to export to csv with following columns

username, samaccountname, O, disabled status
I am trying to edit the registry settings via GPO policy. These are for the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]. I have a list of computers in a Security group. I have applied my GPO to the Security Group. GPresult shows it is successful, however, the registry shows no changes. If I apply the setting directly to the computer, it works.

I had this successfully work for disabling the CD Rom. For some reason the registry item isn't working.

What am I missing?
Azure AD Connect for hash password sync.  Have a client with a .local on prem Active Directory domain.  The Azure AD Connect wizard is showing their .com domain (for their website and email) is published and verified but the .local is not verified.  I have read tons of documentation, added the .com domain suffix to the on prem AD and changed the UPN of all users to use the verified domain.

Now as i go back to the wizard it still shows the .local as not verified (which i expect) but says the users will not be able to login to Azure services using SSO because not all the domains are verified.  I am stuck.  Will my users with the verified domain UPN still sync and work correctly but anything using the .local domain will not?  Or will they all flat out fail?  I am having difficulty finding specifics about this with Microsoft documentation.  Thanks!

What is reason to following issue, when creating the domain, within Win 2012 server? I did already created the A record of relevant Domain name.
Hi AD Experts,

I need advice on creating an additional "domain admin" account for a specific appliance/service, but restricting it if possible... Herewith the details and background;


We have a single domain forest for a large Company (MS Win Server 2008 R2 Forest Function Level) with several geographical sites, each site has it's own Global Catalog and the main AD Servers with the FSMO Roles are situated in our DMZ in our "private cloud" on the WAN, they used to have one central internet breakout in the DMZ for all the sites, they are all part of a WAN + private Cloud (DMZ) where we host several applications. We manage the AD for the entire Group (i.e.: we are responsible for AD + Security and we have Domain Admin password etc.)

Recently one of the Businesss (Divisions) were sold and they installed their own local Cyberoam Firewall which is connected to a new local fibre link internet breakout, but the WAN Link back to the rest of our Company, as well as the Active Directory, remains as is, because they still access some of the hosted applications in our DMZ. A new IT Company is now looking after the Cyberoam Firewall on-site at the Business that was sold.


The new IT Company (the one looking after the Cyberoam Firewall on-site) has requested us to supply them with a Domain Admin Account on our single domain forest AD so that they can use the credentials on their new Cyberoam Firewall for ADS or LDAP …
If I have 2 domain controllers in 2 different sites and both have IPv6 checked in TCP stack, do I need to define the dynamic IP address in AD Sites and Services?

I had an issue with SYSVOL GPO replication where one of the domain controllers was using the IPv6 address of the other domain controller to access its SYSVOL, but the address was not defined in AD Sites and Services.  I unchecked and did some other things that resolved the issue... but I need to know best practice for this please. thank you.

PowerShell, I need to Create a report for all user attributes :
Here is my script, but I got only info First Name, Last Name and Display Name, all other attributes come up empty .  Any ideas where is the problem

#import the ActiveDirectory Module
Import-Module ActiveDirectory

#Sets the OU to do the base search for all user accounts
$SearchBase = "OU=Users,OU=Users,DC=domain,DC=org"

#Get users info
$AllAdUsers = Get-ADUser -Filter * `
                         -SearchBase $SearchBase |
                            Where-Object {$_.DistinguishedName -notlike "*ou=Generic Users*"}

$AllADUsers |
Select-Object @{Label = "First Name";Expression = {$_.GivenName}},
@{Label = "Last Name";Expression = {$_.Surname}},
@{Label = "Display Name";Expression = {$_.displayName}},
@{Label = "Logon Name";Expression = {$_.sAMAccountName}},
@{Label = "Email";Expression = {$_.mail}},
@{Label = "Job Title";Expression = {$_.title}},
@{Label = "Division";Expression = {$_.division}},
@{Label = "EmployeeID";Expression = {$_.employeeID}},
@{Label = "Department";Expression = {$_.department}},
@{Label = "EmployeeNumber";Expression = {$_.employeeNumber}},
@{Label = "Phone";Expression = {$_.ipPhone}},
@{Label = "Building";Expression = {$_.building}},
@{Label = "Last Logon";Expression = {$_.lastLogonTimestamp}} |

#Export CSV report
Export-Csv -Path c:\report\reportUsers.csv -NoTypeInformation
Free Tool: Port Scanner
LVL 12
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

We have multiple DCs in a network. I am trying to find which users are being get authenticated by a particular DC (SRV1).
How do i check this?. I want to reboot a DC, but want to make sure I am not
kicking the user out of the network.
I had this question after viewing Update Notes in Active Directory account with powershell.

My Code:

Import-module ActiveDirectory
$userlist = Import-Csv C:\Temp\testinfo.csv

foreach ($user in $userlist){

Write-Host "Setting info"

Set-ADUser -Identity $user.User_name -Replace @{info = $user.BadgeID}


Two columns with data in spreadsheet:

User_Name      BadgeID
cctest      ABCD

I want to append to the Info field if the badgeID data changes, can you help.
I have a Windows Server 2012 Standard (all updates) with 2 Virtual machines running. Both VM's are setup as 2012 Server as Active Directory Controllers. Both these VM's  have been running in this configuration for 4 years. Yesterday they suddenly stopped communicating with the Internet. I can ping each machine from the other but I can not ping the Firewall. From the host machine I can ping the VM's but not vice versa.
i am unable to access one sharepoint site called it -expenses on office 365 portal-this is repeat problem

while i can access other sites

do i need to check on premise AD that i am member of that particular group.

we sync users through AAD sync and have ADFS server, anything to check ?
Does anyone know how I can get the Active Directory Users and Computers add-on to my Windows 10 Laptop?

I can't seem to find the install from the microsoft site. Another site says it's already built in and I just need to enable the feature but I don't see that option.
Cisco ASA 5520 with AnyConnect VPN authenticated via LDAP. I'm trying to tighten my security down by limiting which users are allowed. I've taken a test user out of the two groups defined by my dynamic access policy and the user is still allowed to connect in. Why?

I have four pictures attached explaining my situation as I understand it:
1) My LDAP Attribute map shows "Users" or the "<Location> Users" OUs/Containers are mapped attributes.
2) My Dynamic Access Policy shows users that are a member of the "Administrators" OR "<Company Name> Company" group are allowed to continue.
3) A test admin user that's been removed from the "Administrators" group  & has never been a part "<Company Name> Company" group.
4) A normal level test user that's been removed from the "<Company Name> Company" group & has never been a part of the "Administrators" group.

Both of these users can VPN in fine. Why? Any help is appreciated.
three distributin groups ( distribution-universal) are created in the organization by using active directory users and computers, but these distribution groups are invisible in exchange management console, how I can make them visible in exchange 2016 management console?
even in exchange shell, the three distribution groups are not lisetd when running the command get-distributionlist

what is the issue? and how we can resolve it?
I have a hybrid deployment with Exchange 2010 on premises, AD on prem, running ADConnect to sync all identities to Azure/Office 365.  

I have exchange 2013 boxes; CAS, ARR Proxy and Edgesite servers and have migrated all of my mailboxes to Exchange Online.

My question is, do I have to keep at least one or two of the exchange 2010 exchange servers in this setup?  I still have about 10% of mailboxes on premises that are mostly service account mailboxes.  I don't have any DLs migrated, these are still on prem.  

What is needed to retire the 2010 exchange boxes, migrate DLs?  Migrate the remainder of mailboxes?  Is there anyway these can be moved moved to one of the 2013 CAS servers and attach a database so as not to consume a license?

Or do one or two need to remain as long as I'm in hybrid coexistence mode and always need to remain?

Thanks Experts!
We are using Outlook 2010, and find the below GPO is very useful to improve the reliability of "searching" email.

computer config / admin template / windows components /search/ (enable) disable indexer backoff

However, we cannot find this GPO on domain level. Then we find the below registry having the same effect

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search] "DisableBackoff"=dword:00000001

Then another problem exist is that our end user has no administrator right to change the registry if we deploy this by VBA.

So, any help if we deploy it?
Creating Active Directory Users from a Text File
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Hello Experts

Are they attributes that are changed after a Unser is migrated from On premisses to Office 365 in a Hybrid Scenario

If yes what are the attributes

How can I get the below DomainAdmin2 acccount
to automatially run a "command prompt" as ADMIN ?

Maybe something in the UAC or local computer policy ?

 1. login to my Windows 2012 R2 server with my DomainAdmin1 acccount
      ** granted AD GROUPs on this account also give it "LocalAdmin"
 2. open command prompt (without selecting "Run as Admin"
 3. title bar TITLE says attached "Administrator"
 4. copy my DomainAdmin1 acccount, creating a DomainAdmin2 acccount
 5. repeat above #1+ using the DomainAdmin2 acccount
 6. title bar TITLE does NOT say attached "Administrator"

I need to add users from active  directory to a group. That is simple, however, these users number thousands and are in different OUs. I need to exclude mailboxes, service accounts and admin accounts
We need to lock down internet browsing on 3 Windows 10 machines (do not require access to an intranet or extranet site) in a domain environment.

They have a Sonicwall firewall, Active Directory through Windows Server 2008 R2 and we also have Open DNS on these machines.
Our antivirus platform communicates to these computers through https and we need to be able to connect to them during the odd time for support using Screenconnect and we have Labtech Automate.

How would you go about doing this?

Method 1 I believe is using firewall, assign static IP, restrict inbound HTTP/S (port 80,443) and somehow allow  communication from our servers?
Method 2 I think is there likely is a way to prevent any internet access for browsing through openDNS
Method 3 Block access to external by having no default gateway, but adding a default route

WHat do you guys think would be the least complicated or contrived method, how would you implement this?
Hello                                                                           I have a additional domain structure mix up of read only and write able 2012 when I want to join clients it gives me RPC server not available error in one of my sites I have check DNS A record in both pdc and RODC it looks fine and I check DNS forwarders they resolved each other

Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Vendor Experts

Kevin StanushSystemTools Software Learn more about SystemTools Software