Questions tagged as ['active-directory']

A Microsoft technology that constitutes an LDAP directory service with centralized management functionality for user accounts, computer accounts, groups, and configuration management across many Windows servers and desktops.
Score: 0
What Chromium Edge settings affect its ability to perform ClickOnce deployments from a LAN share on an ActiveDirectory network?
Tim

Chromium Edge (v92.xx -- the currently supported one as of this writing) is treating the ClickOnce setup.exe file on a LAN share as a "normal download" (intercepting it rather than executing it) even after Group Policy has been set to enable ClickOnce support in Edge. What are the Edge settings that need to be changed to support ClickOnce?

I suppose SmartScreen is involved, in particular the Allo ...

Score: 0
Ayyanar sithanandhan avatar
User profile delete GPO

I created a GPO to delete the user profile within 90 days but it didn't work.

When I checked, I found the user profile folder and ntuser.dat file modified dates are not matching.

My client operating system is Windows 10 20H2 version and Server 2016

Score: 0
Malkavian avatar
Join windows 10 professional to a domain NetpDoDomainJoin: status: 0x52e

I am using ethernet cable and I have a Synology Nas acting as Active Directory Domain controller. My computer has the Nas inserted in the Dns records and can resolve the Nas, for example I can ping the Fqdn of the domain and the Nas respond. Every time I join my computer to the domain windows 10 professional says that I am using bad credentials (and I can prove I am not) and when I check this file: %win ...

Score: 0
Spratty avatar
AD account for monitoring services across servers

We have some Windows servers that run various services and we have a situation where sometimes those services just stop. To monitor these services I have written a Windows service that uses the ServiceController to look at the suspect services and check their current status. This works fine when I configure the new service to run under an account which has local admin permissions to the servers in quest ...

Score: 3
Do I need Active Directory Certificate Services

I have an AD setup that apparently has a vulnerability related to the Certificate Services feature. Thinking back through the MS Server courses I've sat, I don't remember anything on it, so I dug about online and I'm leaning towards "no".

I do not generate certs in-house for anything - workstations are allowed to Self-Sign, and my parent org has steps to follow for generating cert requests local ...

Score: 1
Taha Adel avatar
Effective access doesn't reflect the actual NTFS permissions

I came across a weird issue when practicing permissions in Windows Server 2016. I gave read permission only to a shared directory for a group called "Human", but the effective access tab shows that the user "luke.skywalker" who's a member of the Human group has the following access

Here's the actual permissions

Here's the effective access

This of course led to the ability of Human group members to  ...

Score: -1
krishna shakya avatar
How to create a shared folder as a domain admin in DC environment?

How can I create a shared folder on the Windows server? I am a domain admin with full administrative rights logged on from a Windows 10 domain-joined PC.

I was able to access the server drive using UNC path "\\srvname\c$", however, I can't edit the share permission of the newly created folder even though I have administration rights.

Is there any other way for a domain admin to manage share folders? A ...

Score: 2
KMote avatar
Add domain users to a group of security groups via group policy

Is there a way to add domain users to a collection of security groups via group policy? We have some SSO groups that all employees share. Instead of a tech support person having to manually add a new user to each of these groups, we'd like to push them via GP. The reason is that sometimes our tech person would miss adding one or more of the groups during user creation.

Score: 0
Bitlocker Recovery Keys not showing in active directory suite

I recently asked this same question here about a month ago -> BitLocker Recovery Keys Not Showing in Active Directory

But things have changed now and I am still getting the same results. I am going to go into as much detail as I can for this post so I don't have to make any more posts (hopefully).

Ok, so we need to store these keys on AD to meet DoD requirements and I wrote a little bit of Java to find  ...

Score: 2
Chris avatar
OpenLDAP Meta backend to return one result

I have configured OpenLDAP to act as a proxy server via meta backend to do remote queries to two different companies' Active Directory servers. Everything works correctly in terms of pulling information from both domains. However... we have a case where two of the same sAMAccountname get pulled and that causes issues for one of the web applications we are using. (The web application requires one search b ...

Score: 0
On which OU should we delegate permissions for adding computer to a domain - clarify microsoft docs
AnJ

Following principle of Least-Privilege Administrative Model I'm making custom group for managing domain, that would be less privileged than Domain Administrator. For starters it should have permission for adding computer to a domain.

I'm testing many different ways of achieving this and I came across this article from Microsoft: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/ ...

Score: 0
5y5tem5 avatar
PKI trust in Active Directory

Assuming that the certificate of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints) and that CA then issued user/computer/smart card certificates for resources of the domain in question would they be trusted (i.e. would a certificate issued in ...

Score: 0
DarkMoon avatar
Finding all accounts without a domain in proxyAddresses (or Where-Object FilterScript on array that doesn't contain entry by wildcard)

I'm trying to get a list of Active Directory accounts that don't have an address with a given domain name in their proxyAddresses. I know that to find ones that do, I can do:

Get-AdUser -Filter 'proxyAddresses -like ''smtp:*@domain.com'''

However, the reverse doesn't work, because if they have even one other entry in proxyAddresses (and all our accounts do, like X500 addresses and onmicrosoft addre ...

Score: 1
GP and RDP not working after Domain Rename

I recently carried out a domain rename on our domain controller. We switched from a .local to our domain name as we are planning to implement 365 very soon. Mostly everything went well with the switchover. I followed instructions to use rendom/netdom/gpfixup. What didn't work was gpfixup. When I ran these commands, they completed without errors and outputted "successful", however, it did not make any ch ...

Score: 2
Grant minimum required permission for adding computer to a domain - without using delegation
AnJ

Following principle of Least-Privilege Administrative Model I need to create custom group that would give its members permission to add computers to a domain but nothing else that could pose a security risk.

So I created my custom group in AD (let's call it "Domain Manager") and assigned test domain user to this group.
Then I went over to Group Policy Manager and created GPO. Inside my GPO I went to

Score: 0
AveryFreeman avatar
Active Directory + NFS: Why is domain user's uidNumber, gidNumber not shown by `id` command in Windows?

I am connecting NFS v3 shares (ZFS datasets) from a Solaris file server owned by domain users to Windows computers, but the concept should apply to basically any POSIX-style server. I'm hoping to find an intuitive way for permissions to persist across platforms, which can also apply to multiple users using the same client.

The Solaris server does not recognize the users' identity when mounting t ...

Score: 0
Local Admin Password Solution showing 1 password from non-admin PowerShell

We run the following command to check and make sure systems have their LAPS set up correctly. We are supposed to do this from an elevated PowerShell prompt and it works fine. When we run it as a non-admin PowerShell none of the computers show the password, which is correct, except for 1 and I don't know why. Any ideas how to get it to behave like the others?

Get-ADComputer -Filter * -Properties ms-Mcs ...
Score: 0
IKnowLessThanIThought avatar
SystemState backup on SBS 2011 Std. - How many hours would you allow it to run?

I'm doing a migration of SBS 2011 Std to Server 2019 following server-essentials.com documents. This is for a 10 user domain. Exchange is on the SBS box but mail is being handled by o365. This is certainly not doing anything 'fancy' It's the lone server in the domain. No line of business apps on the server.

It feels like I am on step 2 of 1000 steps : ) each of the few tasks I've tried / don ...

Score: 1
Jacob Dennis avatar
Difference between Managed Service Account and Non Interactive Server Account in AD

Just out of curiosity, also I couldn't find the answers to this anywhere, I am learning AD LDAP and came across a scenario for using a non-interactive service account for binding LDAP. I am not able to understand the uses of these account types. Any help/explanation is deeply appreciated!

Score: 1
user2956014 avatar
Unable to rename the DN using trusted domain user credentials

I have two ADs in which a two-way trust relationship (forest and transitive) exists. Trusted domains are trust1.com and trust2.com.

I created an AD-User (TEST1) in trust2.com using administrator credentials of the trusted domain (trust1.com). But I am not able to rename the computer username from TEST1 to TEST2 using administrator credentials of trust1.com.

I can see ldap_rename is giving the error insuffici ...

Score: 0
lucki1000 avatar
AD keeps locking my account every 5 minutes, but without reason?

I know there are many threads similar to mine, but maybe I'm too stupid to get all this information.

My problem is I changed my password and since then I get locked every ~5 minutes. I don't have any scripts that use my creds, and also no known service that will use this.

Our PDC DC is DC02 and this is from his netlogon.log:

07/21 07:42:13 [LOGON] [5932] DOMAIN: SamLogon: Network logon of DOMAIN\ ...
Score: 1
Linux: Converting from NIS to AD auth, how to associate old UID/GID to "new" users?

Background: Our org has used NIS for 20+ years for UNIX/Linux authentication, continuing thru the present time. Windows and Active Directory came on the scene in our org sometime around 16 years ago, but AD was never used for Linux auth (only using RHEL/CentOS and Ubuntu Linux now, all other *nix has fallen by the wayside.) So, on all of our many Linux resources, we are still using traditional UID/GID r ...

Score: 0
erotavlas avatar
Web server, firewall and active directory: internal network connection error "DNS rebinding attack"

I have a problem with a web server (WS) (apache on ubuntu 20.04 server), Fortinet Firewall (FF) and windows Active Directory (AD). My ISP recently upgraded my Internet connection and changed some configuration (static IP addresses and subnet). Before the upgrade, there was no problem. In particular, the AD was behind FF while the WS was external to it (machines from local networks and from external netw ...

Score: 3
Appleoddity avatar
How to add missing property to AdminSDHolder

I am trying to delegate permissions for a service account to modify a single extended property on active directory user accounts. The property is msDS_CloudExtensionAttribute1.

Our AD user objects have this property, and so it is easy to delegate the proper permissions at the OU level. However, protected user accounts (such as domain admins) keep having their permissions reset by the SDPropagator task.

Score: 0
Home profile not mapping for users

The home profile is not mapping for users on my domain.

I have configured this through the user -> profile -> home folder

Connect U to \myshare%username%

I have also replaced %username% with the actual username

The drive doesn't map, when I login and map the drive manually, it works (so it is not a networking error). I have also attempted to map the drive via GPO and same issue, it does not map.

 ...
Score: 0
200mg avatar
Windows Domain Controller - SSL Cert with Two Hosts In Subj. Alternative Name (SAN)

My Domain Controllers auto enroll and get a Computerv2 cert that handles server authentication. One of the apps we use requires an SSL cert with a SAN that contains multiple hosts. I know how to create a certificate request that contains multiple hosts in the SAN. I have a couple of questions.

  • Can I just delete the auto enrolled Computerv2 certificate and import the private key for the multi SAN c ...

Score: 0
spovelec avatar
Unable to join domain from Site-to-Site VPN Server

I work for a small business that is looking to expand to the cloud so that our remote workers can access more of our systems. As a software dev and keen IT enthusiast, I jumped at the opportunity to get my hands dirty with this project. After spending the last 2 weeks attempting to get a test solution working on my PC with HyperV, I have a new found admiration for networking majors.

My Solution Sinc ...

Score: 1
Arkest Must avatar
How to move Active Directory Settings on a Windows Server 2016 to another server that has Windows Server 2019 that Does not have A.D

How to move Active Directory Settings on a Windows Server 2016 to another server that has Windows Server 2019 that Does not have A.D

To clarify further I have a Windows Server 2016 with DNS setup, and a Domain Controller Active Directory Services setup on one Server.

However I want to move the Settings from the Windows Server 2016 to my newer server which is on different hardware. The newer server s ...

Score: 2
tangled_cables avatar
Get-ADComputer with ANY filter not working (module loaded)

I have spent many hours on this and engaged a number of people I know to be PowerShell experts without any luck. It should be simple but it is definitely not working out that way this time.

Objective:

  1. I want to get all computers in an OU (the computers in the OU will be changing - I am open to using a server list, but it will still need to run to get the computers in the OU daily and updating the txt fi ...