Active Directory problems/client log in issues

Similar Messages

• Unable to add Active Directory: Kerberos Client trace scenario configuraiton

  Hi,
  While trying to add Active Directory: Kerberos Client trace scenario configuraiton, I am getting this error message in the log (see below).
  What am I missing?
  Thanks
  Alex.
  6/24/2014 10:09:18 AM Information running ETW Manifest Import Adapter on supplemental OPN: done
  6/24/2014 10:09:18 AM Warning Cannot create ETW manifest loader for Active Directory: Kerberos Client: The system cannot find the file specified. Please check that the manifest is properly installed
  6/24/2014 10:09:18 AM Information running ETW Manifest Import Adapter on Active_Directory__Kerberos_Client: completed successfully
  6/24/2014 10:09:18 AM Error running ETW Manifest Import Adapter on Active_Directory__Kerberos_Client: Unexpected exception happened: The given key was not present in the dictionary. stacktrace:    at Microsoft.Opn.Runtime.Messaging.Etw.GeneratedOpnCacheManager.ImportEtwProviderMetadata(Guid
  providerId, EtwManifestResolver manifestResolver, Boolean reportConflicts)
  Product Technical Specialist in Identity Management, Microsoft Canada. http://blogs.msdn.com/alextch

  Active Directory: Kerberos Client is MOF based ETW provider.
  Looks like PEF/Message Analyzer version which your using doesn't have parsing of events from MOF based providers.
  We added support MOF based ETW providers in PEF/MA v1.0.2 . What is PEF/MA version your using?
  Alternatively, you can use LinkLayer/Firewall Trace Scenarios to get the Kerberos Network traffic or other Kerberos Manifest based ETW providers for example "Microsoft-Windows-Security-Kerberos" etw provider if these providers produce any ETW events.

• Account locked out events are not getting in active directory security event logs

  Account locked out events are not getting in active directory security event logs for some users. I can see that the user is locked and when i tried to find out the event in sec log at DC but couldnt able to find. It is only happening for some users.
  not for the all users.

  In addition.
  Check the ADDS Audit.
  Active Directory Services Audit - Document references
  Regards~Biswajit
  Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
  MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
  MY BLOG
  Domain Controllers inventory-Quest Powershell
  Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
  Generate a Report for installed Hotfix for Bulk Servers

• 10.5.5 Active directory problem for mobile users

  I an running 10.5.5 on a MBP 2.4. The computer is attached to Active Directory for authentication. The accounted is setup as a mobile user with automatic home sync. Below is the problem I'm experiencing after 10.5.5.
  Upgrade worked fine, everything went through as expected. When I got home with computer, couldn't login. I did eventually get logged in, computer became extremely unresponsive at intermittent times.
  At work next day, everything worked fine.
  I believe this is a problem with 10.5.5 computers that are bound to AD, when AD is not available (but internet is.) Some type of weird priority locking or timeout setting? It seems to fail immediately if no network is available, but if the internet is available it is like it gets "hung" waiting for a response.
  Anybody else having similar problems?
  Below are the details on the specific tests that brought me to this conclusion.
  1) Boot with work network cable connected - Works fine
  2) Boot with work wifi network enabled - works fine
  3) Boot with public wifi network enabled and work cable - works fine.
  4) Boot with only public wifi - appears "frozen" (turned off after 5 minutes of trying to login)
  5) Boot without network or wifi - works fine using cached mobile account info
  6) Boot with network cable and public wifi, remove network cable after login- works fine for a period becomes periodically frozen. attempts to do anything become queued, when computer starts responding queue emptys out (can see menus / applications switch around to correspond with clicks.)
  7) Change account to Manual sync of mobile account, again boot with network cable and public wifi, remove network cable- no freezing responds normaly.
  All steps repeated after rebinding computer to AD - same results.

  First rule of installing an upgrade, run permissions repair both before & after. Did you do that?
  I'm using a Mac dual bound to AD & OD, works perfectly. I can't speak for the exact setup of your network but I personally would be suspicious of AD. I had a similar issue some time back where my processor would go crazy with the net directory authentication running like crazy. Turned out AD had somehow forgotten my computer. It only happened away from work where my Mac couldn't contact the AD server (not exactly sure why). I'd try the following.
  1. While at work create a local administrative account on your Mac (you should always have a backup account anyway).
  2. Login as local admin account.
  3. open Directory Utility from the Applications/Utilities folder & remove the AD server (you'll need an account that can bind machines to AD).
  4. re-add your Mac to AD.
  This may resolve your issue & shouldn't hurt anything in the least.

• Binding to Active Directory Problem. I am a Newb! probably something stupid

  Hey All,
  Trying to get my apple xsever to join our windows domain. I got it to bind and the user accounts show up on the machine but then it askes me to join it to the Active Directory Kerberos realm. I am confused.
  what i am trying to do is joint it to the windows domain for my admin account on the actual server and then set up local user accounts on the machine so when my mac users log in they authenticate using the local mac account and not the windows domain account. Does this make sense? From what i read macs authenticate using the local account before going to the windows account which is what i want. I am a total newb to this so forgive me for the stupid questions.
  cheers all,
  jess

  Hi
  set up the xserve as an Open directory Master
  will it place nice on the network
  with the rest of the windows servers that we have.
  There should be no problem in doing this. All you need to do is decide whether you want your Mac Server to run its own DNS Service or to use the existing DNS service being provided by the AD Server. Open Directory Master requires DNS Services running somewhere.
  i just want to have a mac studio of about 35 people be
  kind of an island within a sea of windows users. If
  there can be cross over there then fine.. but really
  i want the mac to work well with the apple server and
  if i can get the windows clients hooked up also then
  fine.
  There should be no problem with this.
  When you say studio do you mean a graphics design studio? Or are you talking about a video production studio? If the answer is yes to either one or both then perhaps a simple file server would do. An Open Directory Master is OK in this environment but your network needs to be up to job. Ideally gigabit ethernet certainly for video production and also if your studio are heavy photoshop users. You could get away with 100Base-T but with 35 heavy users editing files stored on the server as well as Home folders it may be a bit too much. If this is the situation in your studio you would be better placed working locally and saving the files back to the server at the end of the day. You would set up your users with names and passwords in the OD directory node. Your studio can use those account details to log on to the server to access share points but still work locally if they need to. If you start windows services on the mac server then there should be no reason for windows clients to access share points on the mac server as well. Be careful how you configure windows services as you already have existing PC servers on the network.
  As you have already stated your aim is to keep the macs completely separate from the PCs then consider connecting all your macs to a separate switch and have them running of a different IP address range and subnet mask. You could then use an intervening router to handle traffic between the two networks, this way you control cross platform access to shared resources. If you understand networks, routers etc then you should be able to accomplish this without too much trouble. Again searching the Server forums should give you plenty of ideas and advice on the best way to achieve what you want. As ever defining and deciding what you want you want the server to do is half the problem.

• Yet another active directory problem

  Hi,
  I'm trying to bind a few Macs in my Windows 2003 Active Directory Domain, they're the first that comme with Lion 10.7.2 out of the box. I'va had my share of problems with AD binding of Macs, but I already have a lot of 10.6.8 Macs, and a few other that got upgraded from 10.6 to 10.7 without much problems and those work fine with my AD.
  That, of course, couldn't last and I now have a new problemes with my 10.7.2 Macs. The binding process in itself seems to work fine, I've got the green light in front of my AD domain and I can log with my AD accounts on my Macs. The problem start when I try to access the directory utility to change the default settings for "active directory" (any settings will do, create mobile acount for example) : this creates another AD binding in "network account server", I can still login with my ad accounts but none of the settings I set in the directory utility are effective.
  Both of those AD binding are shown with a green light, but the second one has a comment stating that it is not present in the auth scope rules. My AD DNS domain name is something like "domainname.com" (no .local), but the short netbios name is something like "dom" : the original AD binding on my 10.7.2 Macs is "dom", and the one created after I change some settings is "domainname". On my other Lion or SL Macs correctly joined to my domain, the domain only appears with the name "domainname" : it seems that for some reason Lion is now troubled by the fact that my netbios name is not the dns name minus the extension...
  If I unbind one of my correctly working upgraded 10.7.2 Macs, it exhibits the same issue when I try to rebind it.
  Does anyone else has a similar AD configuration, and does it work with 10.7.2 ? Does anyone has any idea of how to work around it ?
  Thanks

  Hi there,
  I have experienced the same problem with Macs in my Windows environment. I have found a work-around for it, but it is a little bit tedious. What I have found is that if you reinstall Lion (10.7 or 10.7.1) and bind it to the domain before patching to 10.7.2 it will bind correctly with only one entry in the network account server dialog. From there you can updagte to 10.7.2 and it will work correctly. There is a catch, though. If for any reason you need to unbind the machine from the domain, you will run into the same problem when you try to bind it again. I know it is not much of a fix, but it is what I have been doing to get around the problem. I hope this helps you out.
  Regards

• SharePoint Foundation Active Directory Problem

  Hey,
  I have a problem with the Active Directory connection to SharePoint Foundation.
  My Situation looks like this:
  I'm working on a kind of project controlling plattform. Each of our customers has its own site. Also each customer has an account in our Active Directory. For the administrative part, we have a list which contains some infos of the customer, the url to its
  site and the contact person.
  I wrote an import-script which creates a site and a new item in the list. To put the contact person in the list-item, I use a code-snippet like this:
  try
  user = web.EnsureUser(loginName);
  catch (Exception ex)
  throw new Exception("LoginName " + loginName + " not found");
  Now the problem is, that the try/catch block fails too often which means: SharePoint doesn't know the loginNames of some of our customers.
  Why does SharePoint not know maybe 1/5 of all our customers? All of them have an account in our active directory, none of them ever logged in the SharePoint (at the time they even doesn't know, that they have a SharePoint site for this project).
  I searched the internet for the problem but all I found where questions related to the synchronization of ad-properties to SharePoint Foundation. But I don't want to sync the phone-number or something like that - I want SharePoint only to know all the loginNames
  of our customers, not only 1/5 of them.
  How do I achive this, what am I doing wrong?
  Thank you!

  web.EnsureUser has nothing to do with the UPS at all. This has nothing to do with synchronisation (it does have a role but it's a maintenance one and nothing to do with authentication.
  The simplest answer is that the login names are being entered wrongly. Having said that there are a few areas you can look at to try to identify the problem:
  Does it fail repeatedly for the same username? Can you add that user to the site manually using a people picker control and if so will the script work afterwards? Are there any trends in the user accounts that SharePoint cannot find?

• 10.4.6 and Active Directory Problem - Volume cannot be found??

  I have bound six 10.4.6 to active directory. All went sweet with no problems. I have "force local home folder" off in Directory Access for AD. I can login to the Mac no problem using any user account from AD. If I login with a user the first time all goes well. The desktop icons show and the home directory is that of the users network home folder and can browse it. All good until I log out and login again. I get the desktop icons but the users home directory give the error "The Volume for %username% Cannot be found" when trying to access. I can browse the network to the user home folder without having to authenticate. The server (2003) shows no login errors, all looks fine. I have upgraded one Mac to 10.4.7 but made no differnce.
  I have installed "services for Mac and Appletalk" on the server but from what I have been told this shouldn't need to be installed but I did as I was getting no where anyway.
  Any ideas?
  PowerPC   Mac OS X (10.4.6)  

  Hi Chris!
  Before I comment, I want to define a couple of things. A "Mac home folder" stores a user's files (Documents, Library, etc.). This home folder can be stored locally on the workstation or it can be stored on a server. A "Windows home folder" is defined in a user's Active Directory account and can be used as the Mac home folder or simply as a network user folder for storage.
  While the idea of a network-based Mac home folder is nice, it can be clunky simply because the entire user experience is dependent on network speed and/or good file synchronization between your server and workstation. As someone who works in a group supporting about 300 Macs, I suggest enabling local home folders and not using a network-based Mac home folder.
  Next, File Services for Macintosh (AFP protocol) built into Windows Server will not support network-based Mac home folders. This is a dead end. You can install a third party product from Group Logic called ExtremeZ-IP, which does support network-based home folders over AFP.
  Therefore, what's happening in your network is that the network-based Mac home folders are being mounted via the SMB protocol, which uses Windows style file sharing. SMB in Mac OS X is good for limited use but I wouldn't recommend it for extensive use, which would include network-based Mac home folders.
  Here's what I suggest for your AD settings: 1.) Enable local home folders. 2.) Connect via SMB. This will keep your users' Mac home folders local to the machine but if their Windows network home folder is properly defined in their AD account settings then these should automatically mount on the Desktop via SMB at login.
  If you can get your Windows home folders to mount automtically on the users' Desktops then you can experiment with synchronization. After logging in, each user can visit Apple menu --> System Preferences... --> Accounts and the synchronization options will be available. A user can synchronize all or part of his local Mac home folder to his mounted Windows home folder.
  Hope this helps! bill
  1 GHz Powerbook G4   Mac OS X (10.4.7)  

• Java/Active Directory problem

  I have a strange problem. We have an application that we login to through a website. The application requires Java 1.42_9 to run properly. These workstations came from Dell with java 1.50_6 preloaded which I removed infavor of the required 1,42_9. Everything works normally when a user logs into the the workstation (WinXP SP2) as the local adminstrator. The problem arises when a user logs into the machine with an Active Directory account. We trying to run the website to login to our application and all we get is the Red X in the upper left hand corner of the screen. There is nothing in the Java console, it seems like java does not even attempt to start. I am not sure what Active Directory has to do with this but as long as we log in as a local admin everything works great. If I load Java 1.50_6 back on the workstation it works but it takes over two minutes for Java to load which is unacceptable. I have also tried 1.50_7 but it too take too long to load.
  Sorry for the long winded post, but Im hoping someone has suggestions on why logging into Active directory causes 1.42_9 to fail.

  Your problem is your use of these two combinations
  constrains.setSearchScope(SearchControls.SUBTREE_SCOPE);
  ctx.search("", "(objectclass=*)", constrains); Many LDAP servers, including Active Directory, do not permit subtree searches from the root.

• Force Active Directory Users to Log Into a Shared Local Profile.

  I've searched long and hard for an answer to this but I've found very little info on it so I'm starting to wonder if it's at all possible.
  On some of our "Presenter PC's" at work it has been deemed that the creation of a new account from the Default profile takes too long when logging into Active Directory and slows presenting down too much. Our Default profile is probably around 120Mb due to
  the contents of the image after deployment and how every application is tailored for use hence the AppData folder takes the bulk of the size up and it's not an option to remove it.
  These PC's are (for now at least but hopefully not for much longer) locked down by Deep Freeze which resets all changes to all files when the PC is rebooted so a shared profile is not a problem at this point in time.
  What I want to know is whether there is ANY way to make it so that a user authenticating to Active Directory can ALWAYS be forced into a pre-configured, local profile running on Win 7 32/64 Pro?
  I've been looking at credential providers and replacing USERINIT.exe. I'm just not 100% sure which part of the process actually tells the PC which profile to use. I know that the registry is checked for the user GUID and if not present creates a new entry and
  copies the Default profile but I don't know quite where this is called and how to modify it.
  My programming knowledge limited to a bit of CMD and AutoIt but I do know a few coders so if we really have to get our hands dirty on this it isn't the end of the world.
  I should also add I've recently been toying with taking the AppData folder outside of the Default profile and creating a SymLink to it but upon copying the Default profile to a new profile (much quicker and more acceptable) the SymLink is lost and replaced
  with a relatively empty set of folders which can't be deleted and replaced with a SymLink because the LSASS.exe process is using it and obviously you can't stop that process...
  Making the PC log into a local profile on startup is also not an option because a user MUST log into AD to not be in breach of our AUP and all network drives must be availalbe (mapped by GPo and login script).
  Any help is more than welcome at this point in time as I've pretty much exhausted all avenues that I know of and have turned to you helpful folk.  Cheers

  Hi,
  For mandatory profile, I suggest you refer to the following articles:
  Customize the default local user profile when preparing an image of Windows
  http://support.microsoft.com/kb/973289
  mandatory profiles
  http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/d2406a55-e053-45c5-b064-bf009c4bfafc
  Hope this helps.
  Vincent Wang
  TechNet Community Support

• LDAP Active Directory Problem

  Hi,
  i have a win 2003 server (german) and apex 3.x. I (hope i ) have read all postings to this topic. Read the Apex Book, tried the Oracle Examples but all examples i have found won´t work for me. After three hours i found one solution that works:
  (Domain: marco.de)
  create or replace FUNCTION check_ldap_user(
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
  ) RETURN boolean IS
  l_session DBMS_LDAP.session;
  l_ret binary_integer;
  BEGIN
  l_session := DBMS_LDAP.init (
  hostname => '192.168.178.100',
  portnum => '389');
  IF (DBMS_LDAP.simple_bind_s (
  ld => l_session,
  --dn => 'cn='||upper(p_username)||',cn=user,dc=marco,dc=de', /* <= This line does not work */
  dn => upper(p_username), /* <= This Version work */
  passwd => p_password)) = 0 AND p_password IS NOT NULL THEN
  l_ret:=DBMS_LDAP.UNBIND_S(ld=> l_session);
  RETURN True;
  ELSE
  RETURN False;
  END IF;
  EXCEPTION WHEN OTHERS THEN
  dbms_output.put_line(sqlerrm);
  RETURN FALSE;
  END;
  The Question is, if there any problems with a german Active Directory Server (Mayby the groups like "Domänen-Admins" are the problem)
  Thanks
  Marco

  Hi,
  Any help?

• Query Active Directory + Problem with thumbnailPhoto

  Hi<o:p></o:p>
  I have a problem and I don’t know if it is my SQL Query, so here goes
  <o:p></o:p>
  I have a view on my SQL server that Queries our Active Directory. I can see that there is data in the table.<o:p></o:p>
  But when I try to use the Image in some C# code I get an error on 60% of the images with the exception header missing or corrupted.
  My view is built with this Query:
  select
  * from
  openquery
  ADSI,'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName,  department, thumbnailPhoto
  FROM ''LDAP:[REMOVED]''
  WHERE objectCategory = ''Person''
  Do you have any idea where the problem is? The photos shows up fine in Outlook, SharePoint, lync etc. I’m pretty sure that the C# code works correctly. Hope you can help.
  Regards
  If only I had time to learn everything I wanted ...

  Hi Latheesh
  I've tried with this script:
  SELECT ISNULL(ROW_NUMBER() OVER ( ORDER BY department ), -999) 'id' ,
  CONVERT(NVARCHAR(25), givenName) AS Fornavn ,
  CONVERT (NVARCHAR(50), sn) AS Efternavn ,
  CONVERT(CHAR(5), UPPER(SUBSTRING(mail, CHARINDEX(mail, N'@'),
  CHARINDEX(N'@', mail)))) AS 'initialer' ,
  CONVERT(NVARCHAR(255), mail) AS Mail ,
  CONVERT(NVARCHAR(75), title) AS Stilling ,
  CONVERT(NVARCHAR(120), department) AS Afdeling ,
  CONVERT(NVARCHAR(13), telephoneNumber) AS Fastnet ,
  CONVERT(NVARCHAR(13), mobile) AS Mobil ,
  CASE WHEN userAccountControl = 2 THEN 'Account is Disabled'
  WHEN userAccountControl = 16 THEN 'Account Locked Out'
  WHEN userAccountControl = 17
  THEN CONVERT (VARCHAR(48), 'Entered Bad Password')
  WHEN userAccountControl = 32
  THEN CONVERT (VARCHAR(48), 'No Password is Required')
  WHEN userAccountControl = 64
  THEN CONVERT (VARCHAR(48), 'Password CANNOT Change')
  WHEN userAccountControl = 512 THEN 'Normal'
  WHEN userAccountControl = 514 THEN 'Disabled Account'
  WHEN userAccountControl = 544
  THEN 'Account Enabled - Require user to change password at first logon'
  WHEN userAccountControl = 8192
  THEN 'Server Trusted Account for Delegation'
  WHEN userAccountControl = 524288
  THEN 'Trusted Account for Delegation'
  WHEN userAccountControl = 590336
  THEN 'Enabled, User Cannot Change Password, Password Never Expires'
  WHEN userAccountControl = 65536
  THEN CONVERT (VARCHAR(48), 'Account will Never Expire')
  WHEN userAccountControl = 66048
  THEN 'Enabled and Does NOT expire Paswword'
  WHEN userAccountControl = 66050
  THEN 'Normal Account, Password will not expire and Currently Disabled'
  WHEN userAccountControl = 66064
  THEN 'Account Enabled, Password does not expire, currently Locked out'
  WHEN userAccountControl = 8388608
  THEN CONVERT (VARCHAR(48), 'Password has Expired')
  ELSE CONVERT (VARCHAR(248), userAccountControl)
  END AS 'Disabled' ,
  CONVERT(NVARCHAR(75), givenName + ' ' + sn) AS 'DisplayName' ,
  CONVERT (VARBINARY(MAX), thumbnailPhoto) AS 'Photo'
  INTO ##adTemptable
  FROM openquery
  ADSI,'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName, department, thumbnailPhoto,userAccountControl
  FROM ''[REMOVED]''
  WHERE objectCategory = ''Person''
  WHERE department IS NOT NULL
  But i still gets the same error on MANY rows
  OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6846 and truncated data length is 4000.
  OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 7006 and truncated data length is 4000.
  OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6496 and truncated data length is 4000.
  If only I had time to learn everything I wanted ...

• Solaris 10 Active Directory problem

  I've been battling through the integration of Active Directory on our Solaris 10 systems, and have reached another brick wall. I am able to getent passwd <user> and kinit <user> without any problems, but any attempt to su or login via SSH shows the following:
  Apr 14 10:34:26 eddie su: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: New password cannot be zero length
  Using Samba version 3.0.23b, connecting to Windows Server 2003, with SP1. I've tried various fixes, tried installing and uninstalling other versions of ldap, pam, and krb5.
  If anyone could shed some light on this error, it would be much appreciated.
  Cheers,
  Dave

  have you checked this link?
  http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp?cid=e5595

• Active directory problem ?

  i have installed a brad new Xserver Intel Xenon dual core with 10.4.8, and i have manged to get the computer connected to our windows 2000 AD it´s on a windows 2003 server but the ad is in 2000 mode, and kerberized it, and the server is a domain member. I have populated the local group with AD users, and i have no problem to logon from our macs, but when i try the same account from one of the pc´s with XP sp2 they can´t logon, and i get the logfile like this. If i logon with a local server account from the pc there is no problem.
  NTSTATUS_WRONGPASSWORD
  User "davidedlund" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  checkntlmpassword: Authentication for user [david.edlund] -> [david.edlund] FAILED with error NTSTATUS_WRONGPASSWORD
  netbios connect: name1=FILSERVER name2=DAVIDXP
  netbios connect: local=filserver remote=davidxp, name type = 0
  User "davidedlund" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  checkntlmpassword: Authentication for user [david.edlund] -> [david.edlund] FAILED with error NTSTATUS_WRONGPASSWORD
  netbios connect: name1=FILSERVER name2=DAVIDXP
  netbios connect: local=filserver remote=davidxp, name type = 0
  User "davidedlund" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  checkntlmpassword: Authentication for user [david.edlund] -> [david.edlund] FAILED with error NTSTATUS_WRONGPASSWORD
  Macbook Pro   Mac OS X (10.4.8)  
  Macbook Pro   Mac OS X (10.4.8)  

  If you completely remove it from your forest and partitions Yes that is possible. I have included some more links for you. 
  How to remove data in Active Directory after an unsuccessful domain
  controller demotion
  Active Directory – Remove a Domain Using NTDSUTIL
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Active directory member;range=0-999 issue

  Has anyone else run into a problem with active directory and
  it returning the member attribute with the range attached? I am
  running into this problem as discussed in a microsoft article (see
  below). The data comes back fine and I get all the records I need.
  BUT... the problem is the column name is returned as
  "member;range=0-999" instead of just member as in a normal active
  directory query. The problem is it has that semicolon in the column
  name so trying to loop through the query or get to that data keeps
  breaking it. So it is there, I just can't get to it. I have tried
  escaping the semicolon or aliasing the column name, but I just keep
  running into problems. I am hoping someone else has run up against
  this or knows ways to get around invalid column names in a query.
  If I have a resultset for a query that has a bad column name, how
  can I get to that data?
  When an Active Directory server returns the values of the
  member attribute as the result of a directory search query, its
  behavior varies depending on whether the total number of attribute
  values for that object exceed the maximum limit on values
  retrieved. For example, if a distribution list on a Windows 2000
  Server contains 1000 or fewer member values, a search query will
  return all of the values in a single call. However, if the list
  contains 2497 member values, the first call to the search query
  function will return the member attribute with no values, and an
  additional member;range=0-999 attribute that contains the first
  1000 member values. To retrieve the next group of member values,
  the search query should be repeated using a range specifier that
  begins at the attribute number one past the number of the previous
  group returned. In this example, the search query function would
  request the member;range=1000-* values, which would return the
  member;range=1000-* attribute with no values and a
  member;range=1000-1999 attribute with the next 1000 values. This
  process is repeated until the last group of values is retrieved.
  The end range on the last group retrieved from the server would be
  indicated by an asterisk (*) in the returned attribute name.

  I found I was able so solve this using the method found at
  the following address:
  http://www.bennadel.com/index.cfm?dax=blog:357.view