deleted objects

Can the deleted objects container to made to be visible in ADUC or ADAC? I tried following this article http://support.microsoft.com/kb/892806 but without my much help. I have a 20008 R2 with Recycle Bin Enabled. I tried using LDP and ADSIEDIT, can find it there as well

Win2k3 patches failed - secpol wont let me modify privs

Hi I am working in an AD win2k3 R2 SP2 domain with a PDCE and a DC. I just tried to update patches on the DC logged in as a Domain admin and most of the patches failed. When I checked, it was insufficient privs. I launched secpol to try to verify permisions for the account I was using and when I opened 'user rights assignment' there was an info note at the bottom of the pane that said "this setting is not compatible with computers running windows 2000" and the option to add users was grayed out. As I mentioned before, We're running Win2k3 R2 SP2. This may (or may not) also ti

synchronising domains

Hi, I have two domains, A and B, both with Windows 2003 server. Domain A contains several accounts which I want to sync to the other domain B. Is that possible? I believe so it was in NT 3.51 (..), simple by trused and trusting domains? Thanks in advance. John

domain server releated issue

Hi I am having three servers one with windows 2003 domain controller, additional domain controller and last one as fileserver. when ever there is problem with my primary domain controller server(server down), users are not able to access the fileserver(share folders), but same users able to log in domain server, able to access internet authenticated via additonal domain controller and resolving dns. I want to know when primary dc is down can i able to access my fileserver i mean users share folders or i have do any changes. Need help on this Regards Alex

ADRB

I see some posts saying that AD Rcycle Bin should be enabled using PS cmdlets on the Schema Master...Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity> Is that correct, if so what is reasoning behind this?

Help!!! Migration Problem!

Morning Guys, We're migrating from one Windows 2003 domain to another (acquisition). DomainA.lab - Forest Trust 2000, Domain Trust 2003 DomainB.lab - Forest Trust 2003, Domain Trust 2003 Migration from DomainA.lab to DomainB.lab - Trust relationship external, 2-way, Domain Wide Authentication Side Filtering disabled on both domain and I can also see the SID History attribute which is correct Problem: Users in domainA cant can't access SOME shares on domainB computers. The SIDHistory attribute in DomainB matches the SID of the group in DomainA, but still no luck. Any suggestion

DFSR

I have a Windows 2003 domain controllers and want to upgrade all my DC's to windows 2008. Now i want to know if after upgrading all my dc's and raising the domain level to w2k8, will sysvol start replicating using DFSR? or should we follow the FRS to DFSR migration path? My understanding is that all new domains that have been started with w2k8/r2 will by default use DFSR?? is that correct? I have noticed that even after staring the AD forest with a wk28r2 dc, there were no DFS Role Services installed..is that the default behaviour? should DFS Role Service be installed after th

dsquery -inactive get bad results

Hi! When running dsquery user -inactive command one of the account displayed is for example my account and i'm sure that i am not inactive, and using it everyday The same thing happens if i run dsquery computer -inactive, all the domain controllers name appears in the list. Why this command could get bad results?

Is There A Way to Test if Global Catalog Functioning Correctly

Still dealing with some cleanup issues from a DC loss last week. The DC was a Global Catalog server. However, I *believe* we had another one in place. At least, there was a checked GC box under the NTDS properties. However, I was wondering if there is some sort of test to make sure a GC is available and functioning before I proceed with the metadata cleanup of the dead domain controller? Not that it matters much at this point, I suppose. Still, it would be nice to go into this feeling comfortable about having a GC available. Thanks

Creating a sub domain

Dear All I have created one Primary domain and a Secondary domain server in my local infrastructure already.My primary domain name is EXAMPLE.COM.It contain only 175 node.Now we going to start a branch office for our company.So i need to create a sub domain for my primary domain server like BRANCH.EXAMPLE.COM.It contain 100 node. Now i wand to know how to create a sub domain.What is the best way to create it.What I mean that is it i install my sub domain server on my main office and then ship it into the branch office.Otherwise i will create sub domain in my branch office through

Applying group policy only to members of a domain local security group

So there is domain ABC.local with various OUs and sub-OUs defined. There is also domain local security group (placed in ABC\Users) defined whose members are users from various OUs/subOus. If I wanted to apply group policy only to that securiy group, how would I do that? I tried to link group policy object at the ABC.local domain level and then apply security filtering by removing Authenticated users group and adding domain local security group containing users from various OUs. However the policy did not apply to the users. When I linked group policy object to OUs where users resi

Answer File

This is a multi-part message in MIME format. ------=_NextPart_000_0006_01CABD5F.8BEFECE0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable In Windows Server 2008 dcpromo answer file we used = RebootOnSuccess=3DYes, can the same be still used in Windows Server 2008 = R2? or do we have to mandatorily use RebootOnCompletion=3DYes instead? What is the receommended option in both 2008 and 2008 R2? ------=_NextPart_000_0006_01CABD5F.8BEFECE0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCT

2003 AD user looses rights to home directory

I have a single user in my AD2003 that seems to have lost rights to her home directory. I have checked her group and user permissions and everything is good. I have deleted and recreated the home directory. Even tried logging in from a different PC to eliminate XP profile issues. for some reason she simply can't write anything to her home folder. she can see it but doesnt have the ability to put anything in the folder. If no other solution I may try deleting the user and recreating her. but Just wanted to check and see if anyone else has run across this type of issue? John

Trust Failed

hi all... two days ago i encountered a trouble... i have two server in my office (ad writable, same domain)... everything was fine since when,two days ago, i get the error " the trust between this workstation and the primary server cannot be established" or something like that, because error is in italian... i cannot log on any pc in my office... the only way is to detach the ethernet and log being disconnected from server, and then plug in the network again.. once i do that i can access the pc and but can access only one of the two server... what does this mean? h

Locked Out User

I have one user who keeps getting locked out. As soon as we unlock the account and he logs in his account locks again. We removed/added his computer to the domain, deleted and recreated his user account and it just won't go away. Any ideas? Anyone see this before? Any troubleshooting ideas?

Delagate account operator resposibility

I need simple script for our secretary for resetting password, account expiration. She do not belong to account operator group therefore I need that script will be run as another user with rights to change user password etc. User and passwor dcould be encoded in script. Is there any ready script? It will be nice if script will check if account exist and will allow reset password by writing it two times(avoid mistakes) Doeas any of you have already such vbs script? Regards Raff

Remote Desktop Users

Is it possible to restrict RDP users to a Windows 2008 R2 DC? By default all Domain Admins are allowed. Want to just allow some admin users, not all Domain Admins. Jordan

Managed Service Account

This is a multi-part message in MIME format. ------=_NextPart_000_0009_01CABBFD.9060E670 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I do not see an option to create a Managed service Account using = ADCU/ADAC, how can this be enabled? While i understand using powershell = is the recommended way to create Managed Service Accounts, i would like = to know what is the difference in an MSA object that is created using = GUI and PS. ------=_NextPart_000_0009_01CABBFD.9060E670 Content-Type: text/html; charset="iso-8859-1" Content-Tran

How to list all acess given to a security group

How do I list all the access grants given to a security group in a domain? I have a security group that I want to know every access it has been granted on every server in the domain. I have examined several utilities and commands but none of them provide the information I need. The utlities and commands I have tried include AccessEnum ShareEnum Net Group I have not found any utility in the Windows 2003 Server Resource kit that can do the task. I did find a command line utility -- PERMS that was used with NT, but it is not available/usable with Win 2003. Thanks in advance

Hand blender

I neede parts for CBS-77 hand blender

DSMOD from batch and text file

I am trying to run a batch file that will disable user accounts using a text file. --Batch file-- @echo off if {%1}=={} @echo Syntax: disableDNs FileName&goto :EOF if not exist %1 @echo Syntax: disableDNs %1 not found.&goto :EOF setlocal ENABLEDELAYEDEXPANSION set file=%1 @echo. for /f "Tokens=*" %%u in ('type %file%') do ( set user=%%u set user="!user:"=!" @echo DSMOD USER !user! -desc Disabled -disabled yes DSMOD USER !user! -desc Disabled -disabled yes @echo. ) endlocal --text file-- "CN=Lastname,CN=Firstname,CN=Users,DC=test,DC=com" "CN=Madeup,CN=Nam

How To Recover Domain Controller

Hello, We just lost a domain controller. I have found what looks like some pretty good documentation on recovery, and I'm about to give it a shot. However, I know there are often times when real-world experience is often more helpful than a KB article, so I thought I'd solicit any advice anyone might have. We lost DC1, one of three DCs in our domain. All DCs are Windows 2003 SP2. DC1 was on very old hardware that probably cannot be replaced. DC1 was our primary DNS, Schema Master, and Domain Naming Master. It was not a Global Catalog server. DC2 is our secondary DNS, and

DHCP permissions

Hi. I have a number of dhcp servers installed on DCs in various offices. I need to assign a local admin in one of the remote offices permission to manage the dhcp server in his site not all dhcp servers. If I add admin to the default local dhcp administrator group in ADUC I believe he will have access to all dhcp servers in the domain. I need to assign permissions to just one dhcp server.... Thanks

GPO active desktop wallpaper does not work on windows 7

Maby someone here can help me. I manage the system for a small business with 2003 server and XP clients. I use a GPO for the wallpaper (active desktop .htm file). On XP this runs very fine however I now am testing Windows 7 and I cannot get the GPO to work. I have found this article: http://support.microsoft.com/kb/977944 and installed the hotfix, this did not help. I also used the workaround registry edit but this also makes no difference. I keep getting the black desktop and can localy edit everything but with the same user on an XP machine the GPO wors fine (with correct w

Time

When modifying registry to setup logging of Time service on domain controllers there are three keys that are applied using a script: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Log HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\WriteLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Servicedll I would like to know what is the function of servicesdll?

ad user to Local group

Hello, I was told that I need to add the user to the DHCP Administrators local group if I do not want the same user to have control over the other DHCP servers I have, How can I accomplish this ? Thank you -- aconti ------------------------------------------------------------------------ aconti's Profile: http://forums.techarena.in/members/73272.htm View this thread: http://forums.techarena.in/active-directory/1310820.htm http://forums.techarena.in

Milenko Kindl Gives an Advice on How to Affair-Proof Your Relationship

Milenko Kindl Glas Srpske An affair is one of the most difficult challenges a couple can face, and nothing destroys a romantic relationship faster than infidelity. Is it really possible to affair-proof your relationship? The answer is, "Yes, it's possible." But in order to make that happen, it's important to know what causes an affair in the first place. An affair is an extreme symptom of a relationship that has been in trouble for some time. Affairs do not happen out of the blue and rarely happen because someone is a bad person. Cheating is caused by one single factor: "Lack." In

Mechanism for applying shared and NTFS permissions

Hello All, Can someone point me to documentation explaining the mechanism for security decriptors/attributes when applying permissions via changing group memberships for users. I do not need to know what file permissions are and what needs to be set but rather the background mechanism on how it actually gets applied and when it takes effect. For example, suppose a user is mapped to a shared drive and has full control on sharing and file system permissions via group membership. I decide that this person no longer needs full but rather read access on file/folder, after making th

Event ID 2887

I've been getting this error since we upgraded the domain controllers to server 2008. After enabling the detailed logging I get event ID 2887 about every 3 minutes from my Mac computers: The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection. Client IP address: 207.157.74.96:49660 Identity the client attempted to authenticate as: NSSTC-UAH\christymac$ We've tried forcing them to digitally sign their LDAP requests

AD Recycle Bin - Multiple Domains

Hi group, I am looking for some more information as to how the recycle bin operates when you have multiple domains. We have the following structure: ad.domain.com = forest sales.ad.domain.com = domain in ad forest support.ad.domain.com = domain in ad forest I enabled the recycle bin with the following command: > Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'ad.domain.com' -server pfrdc-01 Now the recycle bin is working fine for any items deleted in the ad.domain.com domain, but removing items from either the sales or support domain

Password lists

I came into an office of about 40 users where they keep all passwords in an xlsx. I had never kept passwords before- never needed to- . Is this a common practice? -- Carly

Service Account

Are there any known repurcussions of either moving or deleting the Managed Service Accounts Container in a Windows Server 2008 R2 domain?

GPO & Mandatory Profile

I am configuring a kiosk profile for a timeclock application on a pc. I can really lock the desktop down and autoadmin login with the user and the program to start at login, but the user can close the program. My thought was to place the program shortcut on the desktop in case that happens so the users can start the program. However, if I enable "Hide and disable all items on the desktop" the desktop icon from my manadatory profile disappears. If I disable that setting the desktop is vulnerable. What other solutions do I have to allow the user to launch just one program if need

LDAP query statistics from the server?

OpenLDAP has an optional "monitor" backend, which exports server performance stats as a separate tree. ie: cn=Searches,cn=Statistics,cn=monitor has an attribute containing the number of completed searches done against the server as a steadily increasing number, and another attribute for the number currently executing, and so on. It's very handy as a rough monitor of the usage. Does AD have anything similar, preferably accessible via plain LDAP calls? I've read about the STATS control, but that seems to be geared toward getting stats only about the query it's attached to. If not

Unable to access the active directory

I want to start by saying that I am new to the Windows Server platform. I am setting up a small local server network with a router that is the gateway and firewall at 10.10.7.1. A 2003 domain controller with forward and reverse looking DNS server at 10.10.7.2. And a 2003 small business server at 10.10.7.3. I think that I have the DNS server setup properly. The small business server is able to find and join the domain. When I try to complete the setup, I get the error “Unable to access the active directory”. When I look at the DNS settings the forward lookup zones show what

Lingering Objects -tips?

I'm new in my job and inherited so many issues in our AD.. I have been pulling my hair regarding "lingering objects" issue in my forest. there are so many DCs that are no longer replicating since they have been disconnecting for more than 60 days.. ==tombstone state = Can you give me a tip on how to fix this lingering objects? I have so many of these errors below.. and I have no idea where to start.... If I have to demote/repromote those DCs not replicating, there are quite a lot about 15!, will it fix the problem? ************ Errors***** Internal event: Active Di

LDAP error

Hi, I'm testing a LDAP connection to my companies Active directory server and I'm getting the "An invalid dn syntax has been specified." error all the time. Here is my code: Dim entry As New DirectoryEntry() entry.Path = "LDAP://xxxxxx.company.se:389" entry.Username = "uid=MYAPP,ou=users,ou=internal,o=company" entry.Password = "yyyyyyyyy" entry.AuthenticationType = AuthenticationTypes.Secure Dim search As New DirectorySearcher(entry) search.ExtendedDN = ExtendedDN.Standard search.Filter = "(&(ou=ENN)(eriIsManager=Y))" search.PropertiesTo

AD CS PEM certificate

Hi everyone; I've installer ActiveDirectory CS. I've already try to request PEM certificate, but i cannot request it from web enrollment... Is possible to request PEM certificate? thanks...

AD REPLICATION

Hello, I have 2 servers windows 2003. On one of them, Exhange 2003 is installed. The 2 servers are DC Exchange Serveur was destroyed and I restored an image (acronis) since 2 days. Restore succefully with none problem. BUT in Exchange some users don't receive their emails, they remain in the queue. After many research, the probleme comes from AD replication. When i use REPADMIN /SHOWREPL i have : "The server destination reject currently replications requests" 2709 consecutives failures Last success @ 2010-02-13 19:49:11", the day and the time are exactly the same t

Users appear dithered in Global Group, 2003 Fun level

I have an odd situation. I'm troubleshooting a permission issue with our provisioning team, they are unable to unlock accounts in AD. They are nested members of the account operators group which technically should give them this access, however, we have about 250 members in the provisioning team group and they appear dithered- they are a different color, much lighter than the usual user icon in AD 2003 Functional domain/forest. The technical library mentions the group limit being in the millions. I've never seen this before- any ideas? -- -Chris

pwdlastset View in AD

We changed our passwords every 90 days. Users love to call us and tell us that they cannot log in. We look in AD at their Account Properties and it is not locked out. We run a script and find that their password has not changed for over 90 days. However, Help Desk can not run the script to see this date. (obviously Help desk would not run a script.) Is their any way to view Password Last Changes or Password Expire in the AD Proerties of the account much like we see the other attributes like Account lock out, Address, Profile...etc.. We have 2003 AD Native

Set AD account to never lock out?

Hi, Is it possible to make an AD account never lock out like the admin user account? Thanks

Pre-authentication failures explained?

Howdy- In some of our DCs, we see an inordinate amount of Event ID 675s in the Security Log; they appear to be originating primarily from Macintosh clients that are bound to AD. Is there anything that can be done (server-side or client-side) to eliminate these specific errors? Pre-authentication failed: User Name: machine$ User ID: DOMAIN\machine$ Service Name: krbtgt/DOMAIN.COM.EDU Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.10.10.55 (IP address) TIA, BM

Netlogon issues

Hello Guys, I have a very starnge issue, last night we had to re-ip one of out windows 2003 DC's so i first Dcprom'ed it down chaged the computer name and then re-ip'ed the server. After that I dcpromo'ed the server up and made it a GC and associated the new Subnet with the site and restarted the netlogon service. Now When i log on to the DC i get a strange netlogon warining which says ==================================== Event Type: Warning Event Source: NETLOGON Event Category: None Event ID: 5802 Date: 2/18/2010 Time: 10:18:03 AM User: N/A Computer: Server A Descri

External Trusts and Forest Functional Level

Our domain is at Windows Server 2003 functional level and our Forest is at Windows Server 2000 functional level. We also have 4 external trusts with domains in a variety of modes. DomainB is running in 2000 Mixed Mode domain level and 2000 forest mode. We'd like to move our forest functional level to 2003, but our concerned that this may effect / break the external trusts. Does anyone have any first hand experience?

windows 2008 R2 DC questions

Hi all, We have 3 windows 2003 32bit Domain controllers. we are going to introduce new windows 2008 domain controllers for around 800 users. Currently, our windows 2003 DC is configured to use two disk RAID1 for OS, RAID 5 for database and log. (the database dit is about 120MB). Can we use th same RAID 1 for OS and RAID 5 for DIT and log? or just use two disk RAID 1 for everything? Which one is better? any other recommendation? BTW, will it affect our exchange 2003 and windows XP clients, group policy? Thank you.

Change User Default Keyboard language using GPO

Hello, It is possible to Change User Default Keyboard language using GPO ? I try to create an Adm files which can change the language for one user, it's work fine, but on the logon screen the language is always by default. In other word i would like chnage by GPO what i do when i manuelly change this register key on a locale machine. HKEY_CURRENT_USER\Keyboard Layout\Preload\1 with the right value according the language selected. Can you help me ? Ty,

Why AD objects created always have the "domain admins" as owner ?

Hello, my account is member of the domain admins. Every time that I create an object, the owner displayed is the Domain Admins and not my user account. I know that there is a GPO for files and folders created by an admin to specify that the user who created the object is the owner (and not the admin if the user is an admin too) but is it possible to do the same with an AD object (and so let a user the user as the owner of an object even if it is member of the domain admins groups)? thank you -- Eric

NT4 to 2003 upgrade - client setup

I am performing an upgrade from NT4 to 2003 and have done a bit of testing but I am still unsure of the behavior of workstations and servers when they suddenly find themselves on an upgraded domain. Currently, the plan is this: 1. Take a NT4 BDC on a virtual machine and upgrade it to 2003. Add NT4Emulator key. 2. Configure DNS, etc. Verify everything transferred over. Remove NT4Emulator key. 3. Reboot. 4. Configure clients to use new DNS server. 5. Shutdown all other NT4 BDCs. Im uncertain at what happens between steps 3 and 4. Will the workstations continue to be able to a

Applock

This is a multi-part message in MIME format. ------=_NextPart_000_0006_01CAAF54.BC57BA20 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Can applock group policy be hosted on Windows 2003/2008 domain = controllers? ------=_NextPart_000_0006_01CAAF54.BC57BA20 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META name=3DGENERATOR content