Local Group Membership Removed - Restricted Groups

Tutorials Win: Microsoft Windows Forum

- Previous
  - 1
    - Cannot able to create child domain I am trying to create child domain to a exiting domin i am getting below error the operation failed because Active directory could not create object CN=schild,CN=Partions,CN=Configaration,DC=cmttest,DC=com,check the event log for posible system errors. The FSMO roles ownership could be verified because its directory partitions has not replicated successfully with utlist one replication partner. And event log Details. Internal error: An active directory error has occured Addtional data error value decimal -1073741823 error id 3000e54 Please help me to slove this problem Tag: Local Group Membership Removed - Restricted Groups Tag: 128368
  - 2
    - AD Domain Trust is unsafe! Hi. We are facing a situation with a particular subsidiary company. We have a sort of a resource Forest with a centralized Sharepoint Server. We requested each subsidiary to create a one-way AD trust with the resource forest in order to authenticate their users on the site. All but one subsidiary is giving us problems. Mostly because they semi-outsource many aspects of their IT operations including security; and the oursourcing company is worried about any breaches that it might be accountable for. The main concern it seems is with opening the RPC ports; but all we need is for them to open up one of their domain controllers to the resource forest DCs and some servers and apply a registry setting that fixes the AD RPC port. Still, they won't budge and instead had us implement ADFS. We have implemented ADFS ok and they can authenticate, but we are having issues with ADFS and MOSS user profiles. And I would like them to get onboard with the AD Trust. In their recent response, they claim: 1- ADFS is the world wide accepted method for connecting companies to exchange information over the Internet. ** But we have a private link that doesn't go through the Internet and is protected by firewalls! 2-They calim their security policy does not allow using AD trust becuse is it not safe and can facilitate the hacking of their data?!! 3-They also claim that Microsoft recommended we standardize on ADFS for authenticating all of our subsidiaries instead of AD trust!! (I will have to investigate with the local MS reps) So, my question is, if we are all companies under the same umbrella and a reasonable amount of trust/security policies can be agreed on, then would an AD Trust (one-way at that!!) be considered that un-safe? Tag: Local Group Membership Removed - Restricted Groups Tag: 128366
  - 3
    - How to list which users have been authenticated to a specified DC ? Hello, I would like to know how can we list which users have been authenticated to a specified DC please ? Is there any command that will do that ? I am not talking about an echo %logonserver% command as this is more for a client point of view. I would like to know that from the DC itself. Thank you -- Pascal Tag: Local Group Membership Removed - Restricted Groups Tag: 128365
  - 4
    - Query - Export Enabled / Disabled and Created Date I am using Active Directory Users and Computers. I've created a Query to show all of my users. I would like to export Name, enabled / disabled and the date the user object was created. The name is fine. * Disabled shows as a red x, but I would like to show it as a column so I can export it. * Is there a way to add a column for the date the user was created? Tag: Local Group Membership Removed - Restricted Groups Tag: 128356
  - 5
    - Sessions listing shows connected computers as IP address, not mach Windows Server 2003 native Domain and all users are XP SP2. Users having difficulties sporadically accessing file servers and roaming profiles getting corrupted. When checking sessions via Computer Management on File server containing roaming profiles, listing identifies connected computers with IP address, not with machine name. Is this normal? Is the server having difficulties translating IP addresses to machine name? Tag: Local Group Membership Removed - Restricted Groups Tag: 128354
  - 6
    - USN Rollback Event ID 2103 Hi, We had a USN rollback on one of our main DC (called DC1)( only two DCs into our Active Directory). Problems started to occure with the login process, adding new users and link to exchange mailboxes. We had to removed the DC2 from the AD and kept the DC1 as the only DC of our Active Directory. Now that I have only one domain controller and everytime I reboot that server, a Event ID 2103 comes up. ( The Active directory database has been restored using an ussupported procedure. Active Directory will be unable to log on users while this condition persist. As a result the Net logon service as paused.) Except that error everything is fine, no more problems with my users. Now my question: Can I fix that error now that I have only one DC with USN rollback? tx -- Serge Lavictoire Networking Consultant Tag: Local Group Membership Removed - Restricted Groups Tag: 128351
  - 7
    - GPO defned Interactive Logon message truncated Hi all, I am facing a strange behavior which I think is a sort of bug. I have a interactive logon legal notice which has one line in French and another one in English. It appears that each line shows the first 512character and truncated after. But all together is more than 512 char... Also in the GPMC, the text shows properly. 633 chars + 539 chars of each line. Editing the GPO itself does not show the proper lenght at first but it does show everything if I actually add or modify a char. Does anyone know of any fix for that? Tag: Local Group Membership Removed - Restricted Groups Tag: 128349
  - 8
    - Changing user name yields inconsistent results with folder redirec Hi, I am having an issue with redirected folders after changing user names. Here's the history: We created folders using â??home foldersâ??, as follows: \\server\users\office\joe_cool Then we manually created the â??My Documentsâ?? folder as follows: \\server\users\office\Joe_cool\My Documents After the first logon/logoff, the â??My Documentsâ?? folder name changes to the user nameâ??s docs: \\server\users\office\Joe_Cool\Joe_Coolâ??s Documents Then we use a group policy to redirect the My Documents to the following path: \\server\users\office\%username%\My Documents That has worked great, for years. Now we are changing the user names to the format â??joe1234â??. After logon/logoff with the changed name, some of the userâ??s â??My Documents are changing to the following format: \\server\users\office\joe_cool\joe1234â??s documents While others remain as: \\server\users\office\joe_cool\joe_coolâ??s Documents This is happening with users that are in the same OU and have the same NTFS permissions on their home folders. In most cases it doesnâ??t matter but in one case the user was locked out of his â??My Documentsâ?? folder because of an issue with the path. Can you think of any reason why we are getting different results although we are doing the same thing with every user? -- bb Tag: Local Group Membership Removed - Restricted Groups Tag: 128346
  - 9
    - 2003 Forest Trust Issues - Please Help Dear All, We have two native Windows 2003 Forests with a two way non-transitive trust configured between them. Certainly functionality especially within AD isn't available i.e we cannot add groups/users from Domain A to Domain B or vica-versa. The only exception is local groups we can add users or groups from Domain A and Domain B to the other. But this functionality isn't available for global or universal groups which would enable us to effectively share resources between both organisations. DCDIAG's result in the Outbound Secure Channels test failing. There was an issue with time synchronisation between the two forests an approximate four minute difference. This has now been addressed but upon rerunning the DCDIAG the exact same errors occur. I believe it could be DNS related, even though we have secondary zones for Domain A in Domain B and vica-verca. Can anyone advise? Below are the errors we receive in a DCDIAG: Could not Check secure channel from DC1 Domain A to Domain B Win32 Error 1355 Could not Query Trusted Domain :Win32 Error 2 Any help or advice is greatly received. Regards, Darren Tag: Local Group Membership Removed - Restricted Groups Tag: 128341
  - 10
    - Password complexity policy Hello: I have a Windows 2003 domain with multiple domain controllers. What is the best approach to configure the password complexity and replicate the policy to the domain controllers? I am a novice to Active Directory. Thanks, Mark Tag: Local Group Membership Removed - Restricted Groups Tag: 128338
  - 11
    - Administrator Account Locking Out Hi Everyone, We have found a developing problem in our mixed mode environment of Windows 2003 Servers and Windows 2000 servers. On both of my Windows 2000 servers, I can watch using the ALTools from Microsoft, specifically the lockout status tool, the Administrator account count up and lock out every few minutes. This does not seem to affect performance of any of my system dramatically, but I'm concerned why it is doing this. I have looked in both the event logs, turned on netlogon logging, etc. but can find no reason for it. Can someone point me in the correct direction for finding a log that will show me where the source of the attempted login is coming from? Then I can possibly troubleshoot the cause... Thanks in advance, Ken Tag: Local Group Membership Removed - Restricted Groups Tag: 128325
  - 12
    - Domain DC Time I thought that all computers on a Domaain were supposed to sync up with their DC as their primary NTP server. Why is it that when i run net time /querysntp i get this then: The current SNTP value is: time.windows.com ; shouldnt it be the ip or hostname of my DC? Tag: Local Group Membership Removed - Restricted Groups Tag: 128321
  - 13
    - windows 2000 gp & vista Hi, Is it possible to use windows 2000 server group policy to deploy a software on windows vista? I did add an msi packeg to gp, when we log to win XP sp2 the software start to install, but when log to our windows vista, nothing heppend. Thanks, Shahin Tag: Local Group Membership Removed - Restricted Groups Tag: 128314
  - 14
    - DNS is Causing real Problems please help..! Dear all I think my issue is dns related as no permission changes have changed on sysvol etc. Network is running really slow. Getting the standard errors on workstations 1097 (Windows cannot find the machine account, No authority could be contacted for authentication. .) 1030 (Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine) 1054 (Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. . Group Policy processing aborted. ) have 3 DCs in total (one is 2000svr) the 2 Win 2003 DCs act as DNS servers. when logged on as a std user, i can ping the domain name, the servers by FQDN, access the sysvol folders by \\DC_servername\sysvol and \\domainname\sysvol RSOP.msc (ComputerConfiguration) however returns the error ----------------------------------------------------------- Group Policy Infrastructure failed due to the error listed below. No authority could be contacted for authentication. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available. can anyone please help..! kr Paul.. -- PaulK ------------------------------------------------------------------------ PaulK's Profile: http://forums.techarena.in/member.php?userid=48567 View this thread: http://forums.techarena.in/showthread.php?t=964016 http://forums.techarena.in Tag: Local Group Membership Removed - Restricted Groups Tag: 128313
  - 15
    - Which FSMO role is critical Hi, I just want to know, in a production environment which FSMO role will cause more critical issue immediately if it is down Regards RANG Tag: Local Group Membership Removed - Restricted Groups Tag: 128311
  - 16
    - creating trust relationship with only DC=Domain Hi. this company has just bought out another company, i now need to create a trust relationship between the two companys, ours is DC=domain1,DC=com the other companys domain is DC=domain2 my question is will the trust relationship work with a domain without the .extension. if not how can i set up the trust. They are both WIN2K3 Domains Thanks Tag: Local Group Membership Removed - Restricted Groups Tag: 128310
  - 17
    - Sysvol missing on 2nd DC Greetings, After running a netdiag on my second domain controller, i seem to be missing the sysvol volume on it, and also the dns test is faling as well. how could this happen? do i have to demote dc2 and then re-promote it? Tag: Local Group Membership Removed - Restricted Groups Tag: 128293
  - 18
    - There are currently no logon servers available This is a multi-part message in MIME format. ------=_NextPart_000_0006_01C8B096.4B4E8840 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable heres what happend, i have 2 Win 2K3 DC's both of which are running dns. = Dc-01 went down and i couldnt logon to the domain with Dc-02 because it = said "there are currently no logon servers available". Should this have = NOT happend since DC-02 is using its IP as the primary dns server, and = it should've been able to authenticate to itself. Heres what was in the = event log: The Security System detected an authentication error for the server = LDAP/dc-02. The failure code from authentication protocol Kerberos was = "There are currently no logon servers available to service the logon = request. dc-01 - ip. 192.168.1.2 < uses it's IP as the primary DNS server dc-02 - ip. 192.168.1.3 < uses it's IP as the primary DNS server, and = uses dc-01's ip as the secondary dns server ------=_NextPart_000_0006_01C8B096.4B4E8840 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.6000.16608" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY> <DIV><FONT face=3DArial size=3D2>heres what happend, i have 2 Win 2K3 = DC's both of=20 which are running dns. Dc-01 went down and i couldnt logon to the domain = with=20 Dc-02 because it said "there are currently no logon servers available". = Should=20 this have NOT happend since DC-02 is using its IP as the primary dns = server, and=20 it should've been able to authenticate to itself. Heres what was in the = event=20 log:</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>The Security System detected an = authentication=20 error for the server LDAP/dc-02. The failure code from authentication = protocol=20 Kerberos was "There are currently no logon servers available to service = the=20 logon request.</FONT></DIV> <DIV> <P><FONT face=3DArial size=3D2>dc-01 - ip. 192.168.1.2 < uses it's IP = as the=20 primary DNS server</FONT></P></DIV> <DIV><FONT face=3DArial size=3D2>dc-02 - ip. 192.168.1.3 < uses it's = IP as the=20 primary DNS server, and uses dc-01's ip as the secondary dns = server</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV></BODY></HTML> ------=_NextPart_000_0006_01C8B096.4B4E8840-- Tag: Local Group Membership Removed - Restricted Groups Tag: 128284
  - 19
    - Active Directory interoperability with other systems. Hi, I am not too much familiar with Active Directory capabilities, my question is: 1. Is it possible to configure Active Directory in a trigger like mode where if a new user is created AD would add this info into a csv file or SQL Server table, or if a user was deleted from AD it would also export this info somehow. We would like to use this info in other systems and to build that kind of automation. 2.If this is not possible are there any built-in tools in AD that could be scheduled to run automatically to export certain fields for all the users in AD into a csv file or Sql Server Table Please let me know if my questions are not clear, essentially I am looking for automated solution where other systems would be synchronized with AD info when users are added/deleted from AD, so other systems would be aware of that. Thank you, Vadim Tag: Local Group Membership Removed - Restricted Groups Tag: 128276
  - 20
    - Duplicate name on network, but cannot find object I have a Netware server with CIFS running called "WTWGRAPHICS2." It's not connected to the Windows 2003 AD. I would like to remove this computer and replace it with a windows box, also called "WTWGRAPHICS2." However, I get the error message "You were not connected to the network because a duplicate name exists on the network." I searched AD U&C, DNS and WINS,and hosts file for mention of WTWGRAPHICS2, but I can't find anything. Any ideas appreciated. Jim Tag: Local Group Membership Removed - Restricted Groups Tag: 128275
  - 21
    - Find easy what you need for windows(98, ME, xp, vista) If you need some tools for windows or you have a problem, this is the right spot ... http://microsoft-windows-tips.blogspot.com/ Tag: Local Group Membership Removed - Restricted Groups Tag: 128271
  - 22
    - Moving File Server Into New Domain Good Afternoon Everyone, Iâ??m going through a domain migration and Iâ??ve done users, workstations, Exchange, and now its time for the file servers. I have a trust between Domain OLD and Domain NEW. For the file servers Iâ??ve replicated user permissions on each folder so that any folder with an entry for dOLD\user now also has an entry for dNEW\user. This has worked great but since my goal is to retire Domain OLD I want to move the file sever into the new domain. My question is this: If I move the file server from Domain OLD to Domain NEW will my permission erase? TIA, Ray Tag: Local Group Membership Removed - Restricted Groups Tag: 128268
  - 23
    - dcgpofix doesn't work Hi All- I have a corrupted domain gpo and so i ran dcgpofix as a method of disaster recovery (i don't have a backup - that's a different story). I ran the following command: dcgpofix /ignoreschema /target:domain I get an error that says the following: Unable to read EFS certificate from registry.pol Does anyone have any ideas on what to do next? I'm seeing that the domain policy is no longer being applied to any of the computers in the domain. Thanks. Tag: Local Group Membership Removed - Restricted Groups Tag: 128260
  - 24
    - Quesiton on Group Policy Loopback Processing Hi all, I am new to GPOs and I have a problem with Group Policy Loopback Processing. I am dealing with two OUs, one called LAB101 (which only has computer accounts in it) and one called STAFF (which houses all of my users). For the STAFF OU I added a GPO called "STAFF GPO" but I have not configured anything in it. For the LAB101 OU I added a GPO called "LAB101 GPO". In the LAB101 GPO I enabled Group Policy Loopback Processing (mode = replace). I did this because I want a User logon script to run whenever a user logs into the machine. So, I also added a logon script in the user configuration of the LAB101 GPO. However, when I log into a LAB101 machine, the script never runs. Am I missing a step? Any help is appreciated, thanks. Tag: Local Group Membership Removed - Restricted Groups Tag: 128257
  - 25
    - Accounts randomly loosing membership to a group in DL's security Hi, We have a Windows 2003 shop. We have two servers where one user looses his membership to a Security Group that we have setup under DLs Security. Why is this happening? The PC's in question are different operating systems (2000 and Vista) so I highly doubt that that has anything to do with it. Both servers are 2003 Standard R2. Thoughts? Thank you. -Rachel Tag: Local Group Membership Removed - Restricted Groups Tag: 128255
- Next
  - 1
    - Dfs problem Hi all, I have 2 domain controllers in my network (hq.company.srh, fsv.company.srh) . Operations master role (RID,PDC,Infrastructure) belongs to only one domain controller-hq.company.srh. I am creating a DFS root on hq.company.srh something like company. I can log in to the domain using my domain account from a computer which is not a domain computer without problems but when I try to enter the directory of DFS I get an error saying "Configuration information cannot be read from the domain controller either because the machine is unavailable or access has been denied" Normally if I wrote \\company.srh to open up the dfs root. Instead of hq.company.srh comes up fsv.company.srh. I have tried to create dfs root on fsv.company.srh. I can log on from the client computer with no problems What do you think the problem is? Thank you. Tag: Local Group Membership Removed - Restricted Groups Tag: 128254
  - 2
    - DHCP dynamically updating internal DNS servers instead of authoritative? Hi there. Say you have a domain: domain.com which is out there on the Internet doing its thing, et cetera but you also use that domain internally for your active directory (which is probably not ideal). Domain.com is hosted on your cluster of authoritative nameservers and has records related to your online presence such as MX records, A records for your website and other public services, et cetera. Lets say that you're running DHCP/DNS in your active directory and you would like new registrations to only be added to the 'local' version of domain.com and not the Internet version of domain.com, I realize that the DHCP server (and perhaps windows in general) sends dynamic updates to the authoritative nameservers, but I would rather not for reasons of security through obscurity publish our internal DNS to the Internet. I realize the right way to do this would've probably been to use a subdomain such as internal.domain.com or corp.domain.com but this was all established 10 years ago. So the question is, is it possible to have the DHCP server send updates to the local DNS servers rather than the actual authoritative DNS servers? thanks, Andy Tag: Local Group Membership Removed - Restricted Groups Tag: 128247
  - 3
    - GPO Queston Hi all, I have a batch script that I need to run that sets the default printer, it contains the following line: rundll32 printui.dll,PrintUIEntry /y /n "115 Lab 4200" My thinking is that I would make an OU for the Room 115 lab and put all of the machines in that lab in the OU. I then made a GPO for that OU and added the script to User Configuration -> logon Scripts, hoping it would execute this script along with the logon script set in the properties of the users. However, it does not. What am I doing wrong? Any help is appreciated, thanks. Tag: Local Group Membership Removed - Restricted Groups Tag: 128246
  - 4
    - script for disabling accounts i have created app. 1200 users with default password and some of them have logged rest of them have not just logged in since 1 month. I have created a list which users have not logged in with a lastlogon script. I want a script or any key information about how to i write a script to disable which i give the usernames. Thanks Tag: Local Group Membership Removed - Restricted Groups Tag: 128244
  - 5
    - Password policy expiration Win2003 sp2 domain. Is there a way to setup a password expiration prompt for a specific set of users who are remote and do not always login? Or does default domain policy make this a useless option? thnx -- la Tag: Local Group Membership Removed - Restricted Groups Tag: 128242
  - 6
    - Connectivity problems between child member-server and root domain controllers Hi Support I have a forest with one root domain (root.local) and a child domain (child.root.local) in a single AD forest. The root domain and the child domain are seperated by a ISA server 2006 firewall. I have open for communikation between all of the domains controller in the root and the child domain. All of the domain controllere in both domains are Global Catalog servere. Everything is working fine, replication, DNS, GC without any errors. The root domain controllers hosts the root DNS zone (root.local) The child domain controllers hosts the child DNS zone (child.root.local) I have forwarders on the child domain controllers DNS works fine Replication Works fine My issue is: When I am on a member server i the child domain and want to assign NTFS permissions on a folder, the dialog boxes hangs for a long period of time. (Could be any member server in the child domain) I have looket at the ISA server logs and can see that this child member sever tries to access the root domain controllere while it hangs. I first to connect to the rootdcs using "PING", "Microsoft CIFS" and last "Session" If i open PING and CIFS in the firewall between the child member server and the root domain controllers it works fine, but i dont not want that communikation to occur. The communication must be so that the child member-servers only communicate with the child domain controllers. I have specific sites defined for the ROOT domain and the CHILD domain Hope you have som good idears so we can this fixed Best regards Jesper vedholm Systemtech A/S Tag: Local Group Membership Removed - Restricted Groups Tag: 128241
  - 7
    - Endpoint mapper error when joining a computer to domain We are getting endpoint mapper error when trying to join domain. in the netsetup log we are getting the following: 05/07 07:32:49 NetpChangeMachineName: from 'D630CLONE' to 'A24929' using 'OURDOMAIN\itsetup' [0x2] 05/07 07:32:49 NetpDsGetDcName: trying to find DC in domain 'OURDOMAIN', flags: 0x1020 05/07 07:32:49 NetpDsGetDcName: found DC '\\DC1' in the specified domain 05/07 07:32:49 NetpChangeMachineName: status of connecting to dc '\\DC1': 0x0 05/07 07:32:49 NetpGetLsaPrimaryDomain: status: 0x0 05/07 07:32:49 NetpManageMachineAccountWithSid: status of NetUserSetInfo on '\\DC1' for 'D630CLONE$': 0x0 05/07 07:32:49 NetpGetLsaPrimaryDomain: status: 0x0 05/07 07:32:49 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: OURDOMAIN.com 05/07 07:33:11 NetpGetComputerObjectDn: Unable to bind to DS on '\\DC1': 0x6d9 05/07 07:33:11 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x6d9 05/07 07:33:11 ldap_unbind status: 0x0 05/07 07:33:11 NetpChangeMachineName: status of setting DnsHostName and SPN: 0x6d9 ANY hints or suggestions? I verified that the WF/ICS is turned off on this particular DC. We do not get the endpoint mapper problem every time we join the domain but it is frequent enough to rule out a random error. thanks, James Tag: Local Group Membership Removed - Restricted Groups Tag: 128240
  - 8
    - AD system state backup on Windows 2008, disk size increasing Hello everyone, I've been working lately with Windows Server 2008 RTM version, and I promoted one server (virtual machine) as a DC. After having some obstacles configuring the AD system state backup I finally completed and I had a schedule backup running periodically. That backup storage is made on a seconday disk on the DC, but I found out that the system state backup catalog it's getting real big in a few weeks, meaning that the VM disk is increasing as well (over 25gb right now). Is there any way that I can have more control about that? Like accessing the system state catalog and removing old system state backups? Basically I don't want to get to the point where I have virtual disks over 200gb :) Thanks! -- augusto alvarez | it pro | southworks http://staff.southworks.net/aalvarez Tag: Local Group Membership Removed - Restricted Groups Tag: 128236
  - 9
    - MAC and AD Dear guru, Is it possible to do so? 1) Can the MAC join our Windows 2003 Native mode AD? 2) Use AD users to login the MAC? 3) Enforce group policy to our MAC (password, lock screen)? 4) Use Integrated Login to Sharepoint through Safari browser? Do I need additional software to do all these functions? thanks Huang Tag: Local Group Membership Removed - Restricted Groups Tag: 128233
  - 10
    - 2 Domains 1 Forest and Fire wall hi ive made a quick pic to help describe what i'm trying to acomplish. http://cisco.truedeviant.com/ad.jpg the fire wall will only allow the two domain contrrolers to talk to each other and this can not be modifided. sites and services are set up ok ad are the trusts the issue that am haveing is is when i logon to the clinet machine that is a member of Domain B and try to logon to Domain A i can see in wireshark that the client is trying to talk to the Domain A domain controller but is failing due to the fire wall. with out enableing routeing and or tunneling on Domains A domain controller is there any way i can get the client to talk to domain B and get domain B to authenticated the Domain A users and alow the user to logon. cheers Yale Tag: Local Group Membership Removed - Restricted Groups Tag: 128232
  - 11
    - User accounts disabled automatically by administrator?! Hi, Recently I have faced a strange problem in active directory. Some specified user accounts disabled automatically by administrator. I feared domain administrator password leaked so I changed the password and restrict AD accessibility to only domain administrators , but problem still remains. Anybody knows about it? Thanks in anticipation Bijan Tag: Local Group Membership Removed - Restricted Groups Tag: 128224
  - 12
    - GPO question after using rendom.exe I=92m renaming a domain, which is managed by two W2K3 R2 domain controllers, with the rendom utility. In Microsoft=92s step by step guide to renaming a domain, it says to enter this command: gpfixup /olddns:oas.local /newdns:oas-backup.local /oldnb:oas / newnb:oas-backup 2>&1 >gpfixup.log This command fails and the resulting popup window has this error message: =93The procedure entry point CryptUnprotectMemory could not be located in the dynamic link library CRYPT32.dll=94 Also, this is probably related but when I try to run gpmc.msc, I experience the following trouble: There is a problem when clicking on either the domain controller policy or the domain policy. In fact, a window is displayed asking to change the current domain controller. On this form there is a combobox, which is greyed out, and it says, =93look in this domain=94. And the domain reflected in the un-editable control is =93oas.local=94 =96 which is the old domain!!! Any attempts to select any of the four radio buttons (the domain control which is the PDC emulator, any domain controller, and available domain controller running Windows 2003, or specifying a domain controller) fails. Just about everything worked using rendom =96 except for being able to access the GPO for the domain and the domain controllers. Any suggestions on how to get the gpfixup command or the gpmc.msc working is greatly appreciated. Thanks! Tag: Local Group Membership Removed - Restricted Groups Tag: 128223
  - 13
    - Problem with domain name I struggled with this one and finally figured it out but I want to understand what is going on with this network. Single DC on the network. When I looked at all of the domain members under computer properties, the domain name only reads "local". I also looked under the active directory on the server and the computer properties of the server and it was listed as "local". I assumed that someone prior to me had set this up as a single level DNS domain name. So I tried to add a member with "local" as the domain name and it continued to fail. So eventually I noticed that if I browsed the network on a workstation that was already part of the domain the domain name was actually "DOMAIN". So I tried to add the member with this name and it worked. But it still displays as simply "local" when viewed under computer properties, under active directory on the DC, etc. Why is the FQDN not showing. I expect it to be displayed as "DOMAIN.local"?? Is there a group policy setting that hides this part of the domain name. All is working fine I just wanted to understand why this is happening? Tag: Local Group Membership Removed - Restricted Groups Tag: 128220
  - 14
    - Importing a W2k3 Domain Controller into VMWare Stage Manager I've imported a w2k3 dc into vmware's stage manager beta 1.0. server is in a fenced network. I had previously shut down the server (vm) then imported into stage manager. I receive error attempting to open ADUC: "naming information cannot be located because: the specified domain either does not exist or could not be contacted. contact your sys admin to verify that your domain is properly configured and is currently online." any suggestions appreciated. Tag: Local Group Membership Removed - Restricted Groups Tag: 128213
  - 15
    - Weird LSAsrv Eventlog message Hi Everyone, I wasn't even sure how to google this. Check out this LsaSrv message I'm getting on my client PCs: The Security System could not establish a secured connection with the server ldap/dc.domain.suffix/domain.suffix@domain.suffix. No authentication protocol was available. Shouldn't it not look like that at all? Incidentally the dns name of our domain controller (one of them) is dc.domain.suffix. It seems like the ldap address is wrong to me. Where would the machines be getting that other address? Thank you! Tag: Local Group Membership Removed - Restricted Groups Tag: 128212
  - 16
    - IDMU ypservers Map Broken? I am having trouble with my 2003 R2 IDMU Server for NIS. Nothing is going into my ypservers map but spaces, and it's really hurting my ability to make a working NIS Slave. Not so good. Adding more servers just adds more blank lines in "ypcat ypservers". I see the servers in the map cache file for ypservers, but it's not actually serving the file out. Any advice? Thanks! Tag: Local Group Membership Removed - Restricted Groups Tag: 128211
  - 17
    - password requirement I have a group policy setup so users have at least 6 characters for there password. If I change the password requirement from 6 characters to 7 characters, will those users that are logged in with 6 characters not be able to access resources until they change there password? Thanks, Sam Tag: Local Group Membership Removed - Restricted Groups Tag: 128206
  - 18
    - IP Setting Hi. We Have Wan As Follow: Location Max Clients Server IP/mask Client IP From... To client mask Main 200 192.168.0.1 /22 192.168.0.2 ... 200 255.255.255.0 Branch1 100 192.168.1.1 /22 192.168.1.2 ... 101 255.255.255.128 Branch2 50 192.168.1.129/22 192.168.1.130 ... 182 255.255.255.192 Branch3 50 192.168.1.193/22 192.168.1.194 ... 224 255.255.255.192 Branch4 20 192.168.2.1 /22 192.168.2.2 ... 122 255.255.255.224 Branch5 20 192.168.2.33 /22 192.168.2.34 ... 54 255.255.255.224 Branch6 20 192.168.2.65 /22 192.168.2.66 ... 86 255.255.255.224 Branch7 20 192.168.2.97 /22 192.168.2.98 ... 118 255.255.255.224 Branch8 20 192.168.2.129 /22 192.168.2.130...150 255.255.255.224 Branch9 20 192.168.2.161 /22 192.168.2.162...182 255.255.255.224 Branch10 20 192.168.2.193 /22 192.168.2.194...214 255.255.255.224 Branch11 20 192.168.2.225 /22 192.168.2.226...246 255.255.255.224 I Have Create For Main Office PDC and each Branch Office One Site/DC/ GC/DNS , and All Branch are Connected to Main Office With ADSL 256K. My Problems: 1) Is My IP Setting On Servers and Clients correct? If Answer is NO. Why? How ? 2) There are Some Shared Folders On Server At Main Office. How My Clients At all Branches Access to This Folders? Tag: Local Group Membership Removed - Restricted Groups Tag: 128205
  - 19
    - AD attribute I need to add the department field under the organization for all users based on their department group membership. What utility can be used to extract the information from department group, then that information will be used to populate the department field hopefully via script. WE have over 1000 users, so need a quick fix. Thanks. -- Dipti Tag: Local Group Membership Removed - Restricted Groups Tag: 128202
  - 20
    - Question on Printers in AD Hello all, We are running a Windows 2003 domain. I was wondering, is it was possible to set the default printer for a group of computers in AD? That way, no matter who logs into the machine, their default printer is set to the one on the server. Any help is appreciated, thanks. Tag: Local Group Membership Removed - Restricted Groups Tag: 128198
  - 21
    - Isolating ADAM from AD Hi, I'm trying to use ADAM as a development/testing environment. I exported the AD schema, then objects, using ADSchemaAnalyzer followed by ldifde. Now when I run my application against the ADAM instance (on my local computer, Windows XP Pro) and change a property, the real AD is updated with the same change. Is there a way I can disconnect these? Thanks, Robert Tag: Local Group Membership Removed - Restricted Groups Tag: 128197
  - 22
    - Ports Used for ADAM I am setting up a master and replica ADAM instances on two seperate servers. Can I use the same port number combination for open and ssl on each instance? Please advise... Tag: Local Group Membership Removed - Restricted Groups Tag: 128194
  - 23
    - Error Loading Operating Sytem - Windows 2003- Need to recover AD f I had some partition problem and was able to fix it. I logged into recovery console and did fix mbr and alsot fix boot disk. Now when I go to the install it doens show only the C drive. I still get Error Loading Operating system. If possible, can I get some files off the Windows 2003 server to restore my AD? I can access all the files and copy them off using Windows PE Boot disk Tag: Local Group Membership Removed - Restricted Groups Tag: 128193
  - 24
    - Windows Server 2008 and 2003 GC's + Exchange 2003 We are thnking about repalcing our core DC's/GC's in our HUb. Our AD design is a hub and spoke topology where the spokes are all 2003 GC's. We are also using Exchange 2003 with the thought to upgrade to 2007 but first we would like to get our core DC's/GC's up to 2008. Can Server 2008 GC's/DC's coexist with 2003 gc's i this tolopology? Please advise... Tag: Local Group Membership Removed - Restricted Groups Tag: 128182
  - 25
    - EVT ID 1053 at logon Dear All i constantly receive event id 1053 when logging on to my 2003 domain. Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. swiftly followed by ID 1054 Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. This results in logon scripts not running. Also if i try to have someone else log on to my pc they get specified domain could not be contacted.. (i am domain admin and this only appears on my pc as far as i know) GPupdate from the command line works fine its just at logon... Anyone have any ideas at all !!! Help please Kr Paul Tag: Local Group Membership Removed - Restricted Groups Tag: 128173

Hi

We have an issue where by a very small percentage of clients (no more
than 30 out of 40,000) are having members removed from their local
groups. We control most of the group members locally on these clients
via restricted groups in a single GPO. We can see "policy change" and
" account management" events on these clients that show the members
being removed but we don't know by what.

We do currently have a typo in the restricted groups of this GPO
introduced by a migration table typo. This typo maps a service account
(just a local user account on the client) as if its a local group on
the client. This generates a Eventid1202 but can be explained

I've seen this article, that refers to a AD object that has been
removed being refereced in the resticted group causing a problem but
can't actually get my head round whether its relavent.

http://support.microsoft.com/kb/320099/en-us

Can anyone suggest a way of captured whats actually removing these
group members, bearing in mind that its only happening on a very small
number of clients. We already have the event tracking the removal just
don't know by what

Craig

ps, the clients do eventually fix themselves which Im assuming is
after the 16hours security settings refresh

Top