Search Results

Search found 20796 results on 832 pages for 'active window'.

Page 99/832 | < Previous Page | 95 96 97 98 99 100 101 102 103 104 105 106 | Next Page >

How to find the cause of locked user account in Windows AD domain

- by Stephane

After a recent incident with Outlook, I was wondering how I would most efficiently resolve the following problem: Assume a fairly typical small to medium sized AD infrastructure: several DCs, a number of internal servers and windows clients, several services using AD and LDAP for user authentication from within the DMZ (SMTP relay, VPN, Citrix, etc.) and several internal services all relying on AD for authentication (Exchange, SQL server, file and print servers, terminal services servers). You have full access to all systems but they are a bit too numerous (counting the clients) to check individually. Now assume that, for some unknown reason, one (or more) user account gets locked out due to password lockout policy every few minutes. What would be the best way to find the service/machine responsible for this ? Assuming the infrastructure is pure, standard Windows with no additional management tool and few changes from default is there any way the process of finding the cause of such lockout could be accelerated or improved ? What could be done to improve the resilient of the system against such an account lockout DOS ? Disabling account lockout is an obvious answer but then you run into the issue of users having way to easily exploitable passwords, even with complexity enforced.

Read the article
Exchange 2003 - Keep user's mailbox but disable account and prevent new emails

- by molecule

Hi all, Just wanted to know what's your take on this... A user has left the company but may return in future. I would like to disable his AD account, archive all his emails, keep his mailbox and prevent new emails from being sent to him. What's the "best practice" method of doing this? Please enlighten and thanks in advance. What I would do: Reset AD password Change SMTP address - leading to NDRs if new emails are sent to his/her previous address Logon as him/her and archive emails Disable AD account Hide address from GAL

Read the article
How to automate kinit process to obtain TGT for Kerberos?

- by tore-

I'm currently writing a puppet module to automate the process of joining RHEL servers to an AD domain, with support for Kerberos. Currently I have problems with automatically obtain and cache Kerberos ticket-granting ticket via 'kinit'. If this were to be done manually, I would do this: kinit [email protected] This prompts for the AD user password, hence there is a problem with automate this. How can i automate this? I've found some posts mentioning using kadmin to create a database with the ad users password in it, but I've had no luck. Thanks for input

Read the article
Applocker custom extension (Java, CPL, MSC etc.)

- by test1839

We have a Terminal server and want to prevent users from running inappropriate software. Previously we used Software Restriction Policies for this purpose. Now, Microsoft seems to recommend Applocker instead. However we found no possibilities to add custom extensions like JAR, CPL, MSC etc. which was possible in Software Restriction Policies. Do you know how to add custom extensions to the Applocker policies in Windows 2008? Or how can we block custom script interpreters like Perl etc.?

Read the article
How to Setup Sharepoint Extranet to authenticate against a dmz AD

- by Satish

I have a web app which is extended to extranet for our clients to access. We have setup a different AD server and domain for dmz and clients have to be authenticated against that domain. I'm little confused about the setup especially what all web.config files I have to update. Do I have to update the web.config file for Central admin site and the extended web app. According to this blog I need to do update both, but as soon as I make the changes in the web.config for central admin, central admin site stops working. Here is what I added to the central admin web.config file between /Sharepoint and system.web I have this <connectionStrings> <add name="DMZConnectionString" connectionString= "LDAP://dmz.xxx.com:389/OU=Clients,DC=dmz,DC=xxx,DC=com "/> Between system.web and securityPolicy <membership defaultProvider=”DMZADProvider“> <providers> <add name="DMZADProvider" connectionStringName="DMZConnectionString" connectionUsername="DMZ\ldapUser" connectionPassword="Password" enableSearchMethods="true" attributeMapUsername="userPrincipalName" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </membership> I know the connectionusername and password works becuase I use the same in SSP for importing profiles. Any idea what might be causing the error?

Read the article
Must I have Exchange to use Blackberry Enterprise Server Express?

- by John Spaz

In the past I've setup BES (not express) for a company that just wanted their users on the corporate network, they didn't care for email or any other enterprise feature, they just wanted to push a policy that the phones internet should be routed through the corporate network. I want to setup BES Express now for a customer that also just wants the phones on his network but wherever I look, it says that BES Express requires Exchange. Is there a way to install BES Express without Exchange and without a AD Domain? Basically what the customer wants to accomplish is to be able to filter and log the internet access on the phones.

Read the article
Printer monitor software across multiple workstations (AD integrated)

- by HannesFostie

I was asked to see if there is any kind of (free) software that allows multiple people in an office that use the same printer to see what jobs have finished recently, which are queued and which is printing. Main reason is that sometimes multiple people have the same task where they need to print some kind of form, and they are unsure whether or not their colleague has already printed the file. Because the printer is AD integrated, they only see a short message when printing, but they do not see a proper printer queue. A simple tray icon/tool would be perfect, no real graphical user interface is required. If this turns out to be too hard to find, I will attempt to write a simple application or script for the job, but since this is a low priority job I decided to ask here first before I start messing around with scripting which isn't my forte. Thanks

Read the article
Is it possible to configure simultaneous authentication against 2 different AD domains by IIS 7?

- by just3ws

Basically, I need to be able to attempt to authenticate against two different AD domains from IIS. I'd like to be able to automatically query both AD's and whichever comes back with an authentication wins. The users are completely separate and will only exist in their respective domain. IIS | | /-------------\ | | ------ ------ AD1 AD2 JoeU AmyU JillU JohnU So, if IIS requests to authenticate JoeU it will query both domains. JoeU will be found in AD1 so we can ignore whatever response comes back from AD2. Is this even possible using stock IIS 7? Is there a middleware or something to allow this type of configuration on IIS 7? Would this be a job for some kind of middleware sitting between IIS and the AD domains?

Read the article
Resolve another domain from current AD domain

- by faulty

We have 2 AD domain setup in our office. First is the primary domain for our office and exchange. The 2nd one is for development use to simulate production environment of our clients. Both domain are hosted on Windows 2008 R2 Enterprise. We, the development team has no access to the office domain other than login and email purpose. DNS is running on PDC of both domain. Both domain does not use public domain name. Now, our machines are joined to the development domain and we use outlook to access our office's exchange. We've added DNS entries for both the domain. From time to time we are having problem resolving our office domain (i.e. during outlook login), which we need to edit our NIC's DNS to have only DNS server from our office and then flush DNS. After that switch back once it's able to resolve. Is there a permanent solution for this scenario like specifying that the office domain be resolve with another DNS server when requested from the development domain? Thanks

Read the article
Reset local Certificate Revocation List (CRL) manual

- by Sasha

How can I reset local CRL (in OS local cash) in Windows OS (XP, Windows 7) manual? We need to reset local CRL because otherwise the OS will use local CRL until "next update" period. As described in "Manually publish the CRL": Clients that have a cached copy of the previously-published CRL or delta CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a valid CRL.

Read the article
Exchange 2010 domainprep messing up mailbox permissions on existing Exchange 2003 server

- by tearman

So our environment is basically we have an Exchange 2003 server, and we're attempting to move to Exchange 2010 gradually, and move to new hardware while we're at it. So our first step was obviously to get Exchange 2010 installed on the new box. However, after running the domainprep steps listed in http://technet.microsoft.com/en-us/library/bb125224.aspx (including PrepareLegacyExchangePermissions) our mailbox permissions get messed up. Normally, we have an AD security group for Exchange Administrators that allows anyone in that group to view all folders inside any user's mailbox. However, now, this functionality is gone and our Exchange Admins can't access anyone's mailboxes. We'd like to get this functionality back if we could. Thanks

Read the article
Share Exchange/Outlook calendars between two different domains

- by Jon

Can this be done? Two organisations, complete separate domains and exchange servers. Do I need a AD trust? Can data be shared over HTTP or does it require a VPN connection? One Org will have an Exchange 2010 server, the other 2007.

Read the article
Cannot access domain from windows 2003 client

- by Peuge

Hey all, First off I am a novice at AD and DNS so please bear with me. This is my current situation: I have one server which is a DC and DNS server (win2k3) - Machine 1. I have another machine which is trying to join this domain - Machine2. This machine is also a win2k3 server. This is what I have done so far: I have setup DNS on the DC and its tcp/ip dns is pointing to itself. On machine2 I have set its dns to point to the dc. The DNS has been setup with a forward lookup zone with the same name as the domain (accdirect.com). I can ping machine1 from the machine2 by its FQDN and ip. I have set up forwarders on the DC for our ISP dns and can browse the internet on both machines. In the DNS mmc on the DC I can see a host (A) has been created for machine2. The problem is I still cannot join the domain. When I try join the domain via my computer - properties then it brings up the username/password box and after I go "ok" it says cannot find domain accdirect.com If I run this from machine2 dcdiag /s:accdirect.com /u:accdirect.com\admin /p: then I get the following: Performing initial setup: ** Warning: could not confirm the identity of this server in the directory versus the names returned by DNS servers. If there are problems accessing this directory server then you may need to check that this server is correctly registered with DNS [accdirect.com] Directory Binding Error 1722: Win32 Error 1722 This may limit some of the tests that can be performed. Done gathering initial info. On the dc all dcdiag and netdiag results pass. If anyone could help me I would really appreciate this! Sorry if any of my terminology is a bit off, I have only been doing this for two days. thanks Peuge

Read the article
NTFS Permission Structure to allow Traversal but no Modification except in Leaf Nodes?

- by pepoluan

Assume there's this folder structure: D:\ --+-- Acctg --+-- Payable | +-- Receivable | +-- Fin --+-- Inv | +-- Tax | +-- Treas | +-- Mrktg --+-- Ads +-- Promo Users are not allowed to change the structure, but they are free to create & delete files & folders in the leaf nodes (i.e., the rightmost folders). AGDLP principle said that I should assign permissions on the above folders to DL-Groups. Let's say I have a G-Group of users, G-Accounting-Payable, containing users that have access to the D:\Acctg\Payable folder. The way I see it, I have two strategies: - Strategy 1 Create three DL-Groups and assign them permissions: DL-D-Acctg_T -- allowed traversal of D:\Acctg folder DL-D-Acctg-Pay_LF -- allowed listing of D:\Acctg\Payable folder contents DL-D-Acctg-Pay__RW -- allowed full permissions to the contents of D:\Acctg\Payable folder Add G-Accounting-Payable as member to all the above DL-Groups - Strategy 2 Create just one DL-Group DL-D-Acctg-Pay__RW, and assign it the proper permissions for each level of the folder. Then, add G-Accounting-Payable as member to that DL-Group. - Which strategy is the Recommended Best Practice, and why?

Read the article
Strange permission errors with Windows Server 2008

- by Spirit

I just don't know a better way to describe my issue that is driving me nuts. I am trying to establish a test domain with virtual machines on a box that has Win7 with VMwware workstation installed. The purpouse with this domain will be so that we can try and test different situations before they go into the production network. I build a VM with WinSrv2008R2 and I am using that VM as a template to make other servers for the domain by making clones of it. Now I raise a DC with one clone and a member server with another clone - I add the server to the domain. I am following a standard procedure as always (it is not my first domain). Then I make an admin account and I am adding the admin to be a member of the Domain and Enterprise Admins group. That admin is admin with full priviledges on the DC.. no problem there. But on the other server has ... somewhat half the privileges and I cant log in via RDP. I tryed with another account. Same issues. For example (with half the privileges): I can't open the Even Viewer if I go via Start - Administrative Tools - Event Viewer. But I can open the Even Viewer via the server manager. You can notice this on the image below. I mean WTF??? I am going crazy, I haven't experienced anything similar in my three years of expertise. I already lost 3 days troubleshooting this. Could this be related with the cloning? Perhaps if I make fresh installs of WinSrv2008 there won't be any problems? I've had raised test domains as VMs on other occasions before, and there weren't any problems then. This is VMware Workstation 8. I've made clones before, on Workstation 7 it didn't had any problems. Anyone has any ideas? UPDATE: This is the info from the event log when I try to access via RDP: An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: pat.coleman Account Domain: lab Failure Information: Failure Reason: Domain sid inconsistent. Status: 0xc000006d Sub Status: 0xc000019b

Read the article
How do I apply WinHTTP proxy settings domain-wide?

- by Oliver Salzburg

We're already configuring Internet Explorer proxy settings through group policy and it works great. Sadly, I've recently run into multiple issues where those settings are ignored by certain services. I realized that these service have one thing in common. They use WinHTTP, which has its own proxy settings. Now I'm asking myself how to apply those across the whole domain. I realize that I could create a logon script and simply run netsh winhttp import proxy source=ie, but, from experience I know that these settings require a reboot to take effect. So this wouldn't help me at all in a logon script. So, how can I do it?

Read the article
Multi-Domain Root Administrator

- by Brent Pabst

We have a new domain structure we are planning on rolling out in the next few months. Essentially there is a single top level and forest domain controller "mydomain.lan" and two children "us.mydomain.lan" and "pl.mydomain.lan". We want to configure an administrator account or two at the top level domain that then has full administrator permissions on the sub domains. By default the top level administrator cannot access or login to machines on the sub-domains. Running W2K8R2. Ideas?

Read the article
Powershell BitLocker Recovery Key

- by TheNoobofNoobs

I'm trying to get a list of all computers that have a bit locker recovery key (or information for that matter) populated in their respective fields in AD. I am unable to even start on a script as I don't know where to begin. I did find this online but it doesn't appear to be working. foreach($comp in get-adcomputer -filter *) { get-adobject -filter 'objectclass -eq "msFVE-RecoveryInformation"' - searchbase $comp.distinguishedname -properties msfve-recoverypassword,whencreated | sort whencreated | select msfve-recoverypassword -last 1 } Export-Csv "FilePath.csv" Any ideas as to how I can go about this. Running Windows 7, Powershell 3.0, Windows Server 2008 R2.

Read the article
Dsquery nested groups

- by Doctor Trout

Hi there, How would I write a dsquery to get a list of all the members of a d-list, expanding any nested groups to get the members of those groups? I've written this: dsquery * -filter "(&(memberOf=cn=...))" -r -limit 0 -attr CUSTOMFIELD sAMAccountName displayName > export.txt but returns nested d-lists and I want to expand these. I then tried this: dsquery group -samid "NAME | dsget group -members -expand > export.txt But this just lists the OU of each member and I want to get the Account Name and a custom field returned. Is there any way, either of chosing which fields to return from dsget or to epxand dsquery to show nested group membership? Thanks.

Read the article
RSH between servers not working

- by churnd

I have two servers: one CentOS 5.8 & one Solaris 10. Both are joined to my workplace AD domain via PBIS-Open. A user will log into the linux server & run an application which issues commands over RSH to the solaris server. Some commands are also run on the linux server, so both are needed. Due to the application these servers are being used for (proprietary GE software), the software on the linux server needs to be able to issue rsh commands to the solaris server on behalf of the user (the user just runs a script & the rest is automatic). However, rsh is not working for the domain users. It does work for a local user, so I believe I have the necessary trust settings between the two servers correct. However, I can rlogin as a domain user from the linux server to the solaris server. SSH works too (how I wish I could use it). Some relevant info: via rlogin: [user@linux~]$ rlogin solaris connect to address 192.168.1.2 port 543: Connection refused Trying krb4 rlogin... connect to address 192.168.1.2 port 543: Connection refused trying normal rlogin (/usr/bin/rlogin) Sun Microsystems Inc. SunOS 5.10 Generic January 2005 solaris% via rsh: [user@linux ~]$ rsh solaris ls connect to address 192.168.1.2 port 544: Connection refused Trying krb4 rsh... connect to address 192.168.1.2 port 544: Connection refused trying normal rsh (/usr/bin/rsh) permission denied. [user@linux ~]$ relevant snippet from /etc/pam.conf on solaris: # # rlogin service (explicit because of pam_rhost_auth) # rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth requisite pam_lsass.so set_default_repository rlogin auth requisite pam_lsass.so smartcard_prompt try_first_pass rlogin auth requisite pam_authtok_get.so.1 try_first_pass rlogin auth sufficient pam_lsass.so try_first_pass rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_cred.so.1 rlogin auth required pam_unix_auth.so.1 # # Kerberized rlogin service # krlogin auth required pam_unix_cred.so.1 krlogin auth required pam_krb5.so.1 # # rsh service (explicit because of pam_rhost_auth, # and pam_unix_auth for meaningful pam_setcred) # rsh auth sufficient pam_rhosts_auth.so.1 rsh auth required pam_unix_cred.so.1 # # Kerberized rsh service # krsh auth required pam_unix_cred.so.1 krsh auth required pam_krb5.so.1 # I have not really seen anything useful in either system log that seem to be directly related to the failed login attempt. I've tail -f'd /var/adm/messages on solaris & /var/log/messages on linux during the failed attempts & nothing shows up. Maybe I need to be doing something else?

Read the article
How to make network drives appear even if disconnected?

- by Jake

I have the same problem as many others: network and home drives set by group policy and AD are not connected on windows startup. The prime suspect is that the LAN or wireless does not connect until after user log in. I have already given up on that. Now, I just want the disconnected drives to continue to list in My Computer so that if the user goes in and double click the drive, it will connect again. However, on some machines the drive is completely missing from My Computer. If I right click My Computer Map Network Drive again, it does work. But it's very troublesome to do it all the time. And I don't want to use a script to map the drives because I don't want to appear to be using a hacky solution to the users. The drives listed as disconnected will look more like a "built-in feature", and gives users more confidence. How can I keep the disconnected drives in My Computer? I am using Windows 7 Professional and Win2k8.

Read the article
Determine logged on user on Windows computer from Linux

- by Justin

How can I determine who is logged on to a remote Windows XP computer from Linux? I do not have administrator access on the domain or on the remote computer. I can do it from a separate Windows computer using PsLoggedOn -L \\computer from PsTools I've tried using nmblookup -A remotecomputer, but I only see entries for the computer and the domain, not a <03> entry for the user. I've also tried running PsLoggedOn under wine; I get an error: Connecting to Registry of \\computer.company.com... fixme:reg:RegConnectRegistryW Connect to L"computer.company.com" is not supported. I started looking into winexe, but it looks like I would need administrative rights on the remote computer to get it working.

Read the article
Explain to a Jr. SysAdmin what happens when a PC joins a Windows 2008 Domain

- by Nimmy Lebby

An ideal answer would at least include: Critical configuration of the PC before it could join How the PC finds the Domain servers What happens when the PC cannot find any domain servers What connections are made from the PC to the domain How the AD records the connection How the PC drops the connection/AD monitors for stale connections Difference in this process between Windows 2008 R2 and previous versions of Windows Server That is all I could think of for now but I'm sure, as answers come in, I'll think of more.

Read the article
NTDS Replication Warning (Event ID 2089)

- by Chris_K

I have a simple little network with 3 AD servers in 2 sites. Site A has Win2k3 SP2 and Win2k SP4 servers, site B has a single Win2k3 SP2 server. All have been in place for at least 3 years now. Just last week I started getting Event 2089 "not backed up" warnings (example below) on both of the win2k3 servers. I understand what the message means, no need to send me links to the technet article explaining it. I'll improve my backups. What I'm more curious about is why did I just start getting this message now? Why haven't I been getting it for the past 3 years?!? Perhaps this is related: I recently decommissioned a few other sites and AD controllers (there used to be 3 more sites, each with their own controller). Don't worry, I did proper DCpromo exercises and made sure we didn't lose anything. But would shutting those down possibly be related to why I get this error now? This won't keep me awake at night but I am curious as to what changed... Event Type: Warning Event Source: NTDS Replication Event Category: Backup Event ID: 2089 Date: 3/28/2010 Time: 9:25:27 AM User: NT AUTHORITY\ANONYMOUS LOGON Computer: RedactedName Description: This directory partition has not been backed up since at least the following number of days. Directory partition: DC=MyDomain,DC=com 'Backup latency interval' (days): 30 It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition. By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key. 'Backup latency interval' (days) registry key: System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days) For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Read the article
How to find the computer name a user logged on to

- by V. Romanov

Hi guys Is there a tool or script or some other way of knowing what computer name a specific user is currently logged on to? Or even was logged on to? Say the user "HRDrone" is working on his machine whose hostname is "HRStation01". I, sitting at my sysadmin desk, only know that the username is "HRDrone". Any way i can find out that he is logged on to "HRStation01" without asking the user? AD event viewer? anything? Thanks!

Read the article

< Previous Page | 95 96 97 98 99 100 101 102 103 104 105 106 | Next Page >