Directory User

Similar Messages

• How to populate members in AD Directory Users group

  I have a Mountain Lion Server bound to Active Directory hosted on a Windows 2003 server.  After binding I can see all active directory users and groups in Server.app however some groups will not populate the group members, namely Domain Users, Domain Computers and a few other built in groups.  These groups are default groups that are populated automatically with any user or computer joined to the domain.  This isn't that big a deal except that I want to use these groups to apply settings in profile manager.  Since the group members will not populate the settings do not apply.  It kind of makes sense that these groups would not populate since users/computers are assigned to them automatically and the mac server may not be able to read the proper data to fill these groups but this seems like a major flaw.
  Any ideas to make this work?

  Hi,
  you should use OUs (an OU is they type of object (folder) that is available for you to easily create.
  The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
  Refer: Delegating Administration by Using OU Objects
  http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx   
  and the sub-articles:
  Administration of Default Containers and OUs
  http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
  Delegating Administration of Account and Resource OUs
  http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
  Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Cannot log into DTR with Active Directory User

  Greetings,
  I have set up and installed JDI correctly.  I can log into /devinf, the cbs, cms and sld systems with no problem using both Administrator and my JDI.Administrator that I assigned to an Active Directory user.  I can log into the DTR using a user from the database (i.e. Administrator), however, when trying to access the DTR with an Active Directory user, I get the following message:
  500   Internal Server Error
    SAP J2EE Engine/6.40 
    Application error occurred during the request procession.
    Details:   Error [javax.servlet.ServletException: Group found, but unique name "businessUnit.all.guests" is not unique!], with root cause [com.tssap.dtr.server.deltav.InternalServerException: Group found, but unique name "businessUnit.all.guests" is not unique!].  The ID of this error is
  Exception id: [0012798F81680042000000090000165C0003FE9AA3C0B86B].
  This group exists in multiple domainshowever, this has not caused us any issues to date with our portal and other pieces of SAP WASit's only this DTR error. 
  Any help is greatly appreciated.
  Thanks,
  Marty

  Hi Marty,
  In the document available at the link enclosed below, there is a part that explains how to configure DTR so that it always uses "Unique-IDs".
  http://help.sap.com/saphelp_nw04/helpdata/en/20/f4a94076b63713e10000000a155106/frameset.htm
  It is mentioned that this is valid for LDAP, but the information is applicable for Active Directory as well.
  Regards,
  Manohar

• What do I need to do to enable Active Directory users to authenticate to AFP shares in 10.8 server?

  We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory.  We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides.  In 10.6, this worked beautifully.  Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch.  In 10.8 server, this is not working.  Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share.  When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password.  Please try again."  On a 10.7 client, the window shakes. 
  What confuses me even more is that no local users can mount the share as well.  I try as our admin account, I receive the following error message on our 10.6 clients:
  Actually, as I was forumulating this post, logging in as the server administrator account is now working...???!!!
  This was the error message we were receiving on 10.7 clients before it magically started working:
  In any case, authenticating as an AD user is still no go.  Any ideas?

  I had something similar to this. In the name field put in DOMAIN\username rather than just the name.

• Issue with Active Directory User Target Recon

  Hi ,
  I am facing an issue with Active Directory User Target Recon
  My environment is OIM 11g R2 with BP03 patch applied
  AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied
  In my Target there are around 28000 users out of which 14000 have AD account (includes Provisioned,Revoked,Disabled accounts)
  When i am running Active Directory User Target Recon i am not putting any filter cleared the batch start and batch size parameters and ran the recon job .Job ran successfully but it stopped after processing around 3000 users only.
  Retried the job two three times but every time it is stopping after processing some users but not processing all the users.
  Checked the log file oimdiagnostic logs and Connector server logs cannot see any errors in it.
  Checked the user profile of users processed can see AD account provisioned for users
  My query is why this job is not processing allthe users.Please point if i am missing some thing .
  thanks in advance

  Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
  -Bikash

• Windows 2008 Server - Cannot run Active Directory Users and Computers

  Hi,
  I am running Windows 2008 Server with latest windows updates installed. Directory Services Role also.
  I attempt to open Active Directory Users and Computers tool and I get a;
  Microsoft Visual C++ Runtime Library error;
  "The Application has requested the runtime to terminate it in a unusual way. Please contact the application's support team for more information"
  I click ok, then get the following debug info;
  Problem signature:
  Problem Event Name: APPCRASH
  Application Name: mmc.exe
  Application Version: 6.0.6001.18000
  Application Timestamp: 47919524
  Fault Module Name: msvcrt.dll
  Fault Module Version: 7.0.6001.18000
  Fault Module Timestamp: 4791ad6b
  Exception Code: 40000015
  Exception Offset: 0000000000029b06
  OS Version: 6.0.6001.2.1.0.272.7
  Locale ID: 3081
  Additional Information 1: 43aa
  Additional Information 2: cf3a46656318492c1997480001b6b0e0
  Additional Information 3: 3837
  Additional Information 4: 92f72e0d0589ff77cef51e0a413aeff6
  Read our privacy statement:
  http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
  If someone could please assist, it would be very much appreciated.
  Regards
  B

   
  Hi,
  To solidly troubleshoot this kind of issue, we need to debug dump file. A suggestion would be to contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
  To obtain the phone numbers for specific technology request please take a look at the web site listed below:
  http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
  However, I am also glad to share my research.
  Some third party applications may lead to this error. Please check if you install other third party applications on Windows server 2008?
  Also, please follow the article below to perform necessary steps to see how it's going?
  FIX: You receive an "invalid page fault in module MSVCRT.DLL" error message after you install the run-time libraries from Visual C++ 6.0
  http://support.microsoft.com/kb/190536/en-us
  Hope this helps.
  Best wishes
  Morgan Che

• How to populate active directory users in to drop down list items dynamically in Share point 2010 ?

  Hi My self Arun in my current project i have a task on that active directory user  need to automatically populate in share point list drop down  please help me.  is that any out of box feature in share point 2010 ?   
  Thanking You 
  Arun 

  Arun,
  If you plan to implement the "Querying the Active Directory" based on my code snippet,
  and if you do not have permission [your account must be the part of domain admin] to do so,
  Then still you can do it in least effort through code,
  string usersInXml = SPContext.Current.Web.AllUsers.Xml;your xml string look like this.
  <Users><User ID="2" Sid="" Name="Administrator"
  LoginName="i:0#.w|murugesan\administrator" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1" Sid="" Name="Murugesa Pandian" LoginName="i:0#.w|murugesan\murugesan" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1073741823" Sid="S-1-0-0" Name="System Account" LoginName="SHAREPOINT\system" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0" /></Users>
  You can user Linq to XML to filter the "LoginName,Name and Email and then populate your drop down list.
  * User must be logged into the site at least once.
  Murugesa Pandian.,MCTS|App.Devleopment|Configure

• How to import your MS Active Directory users in an Oracle table

  Hello,
  I first tried to get a Heterogenous Connection to my MS Active Directory to get information on my Active Directory users.
  This doesn't work so I used an alternative solution:
  How to import your MS Active Directory users in an Oracle table
  - a Visual Basic script for export from Active Directory
  - a table in my database
  - a SQL*Loader Control-file
  - a command-file to start the SQL*Loader
  Now I can schedule the vsb-script and the command-file to get my information in an Oracle table. This works fine for me.
  Just to share my scripts:
  I made a Visual Basic script to make an export from my Active Directory to a CSV-file.
  'Export_ActiveDir_users.vbs                              26-10-2006
  'Script to export info from MS Active Directory to a CSV-file
  '     Accountname, employeeid, Name, Function, Department etc.
  '       Richard de Boer - Wetterskip Fryslan, the Nethterlands
  '     samaccountname          Logon Name / Account     
  '     employeeid          Employee ID
  '     name               name     
  '     displayname          Display Name / Full Name     
  '     sn               Last Name     
  '     description          Description / Function
  '     department          Department / Organisation     
  '     physicaldeliveryofficename Office Location     Wetterskip Fryslan
  '     streetaddress          Street Address          Harlingerstraatweg 113
  '     l               City / Location          Leeuwarden
  '     mail               E-mail adress     
  '     wwwhomepage          Web Page Address
  '     distinguishedName     Full unique name with cn, ou's, dc's
  'Global variables
      Dim oContainer
      Dim OutPutFile
      Dim FileSystem
  'Initialize global variables
      Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
      Set OutPutFile = FileSystem.CreateTextFile("ActiveDir_users.csv", True)
      Set oContainer=GetObject("LDAP://OU=WFgebruikers,DC=Wetterskip,DC=Fryslan,DC=Local")
  'Enumerate Container
      EnumerateUsers oContainer
  'Clean up
      OutPutFile.Close
      Set FileSystem = Nothing
      Set oContainer = Nothing
      WScript.Echo "Finished"
      WScript.Quit(0)
  Sub EnumerateUsers(oCont)
      Dim oUser
      For Each oUser In oCont
          Select Case LCase(oUser.Class)
                 Case "user"
                      If Not IsEmpty(oUser.distinguishedName) Then
                          OutPutFile.WriteLine _
                 oUser.samaccountname      & ";" & _
                 oUser.employeeid     & ";" & _
                 oUser.Get ("name")      & ";" & _
                 oUser.displayname      & ";" & _
                 oUser.sn           & ";" & _
                 oUser.description      & ";" & _
                 oUser.department      & ";" & _
                 oUser.physicaldeliveryofficename & ";" & _
                 oUser.streetaddress      & ";" & _
                 oUser.l           & ";" & _
                 oUser.mail           & ";" & _
                 oUser.wwwhomepage      & ";" & _
                 oUser.distinguishedName     & ";"
                      End If
                 Case "organizationalunit", "container"
                      EnumerateUsers oUser
          End Select
      Next
  End SubThis give's output like this:
  rdeboer;2988;Richard de Boer;Richard de Boer;de Boer;Database Administrator;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Richard de Boer,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;
  tbronkhorst;201;Tjitske Bronkhorst;Tjitske Bronkhorst;Bronkhorst;Configuratiebeheerder;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Tjitske Bronkhorst,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;I made a table in my Oracle database:
  CREATE TABLE     PG4WF.ACTD_USERS     
       samaccountname          VARCHAR2(64)
  ,     employeeid          VARCHAR2(16)
  ,     name               VARCHAR2(64)
  ,     displayname          VARCHAR2(64)
  ,     sn               VARCHAR2(64)
  ,     description          VARCHAR2(100)
  ,     department          VARCHAR2(64)
  ,     physicaldeliveryofficename     VARCHAR2(64)
  ,     streetaddress          VARCHAR2(128)
  ,     l               VARCHAR2(64)
  ,     mail               VARCHAR2(100)
  ,     wwwhomepage          VARCHAR2(128)
  ,     distinguishedName     VARCHAR2(256)
  )I made SQL*Loader Control-file:
  LOAD DATA
  INFILE           'ActiveDir_users.csv'
  BADFILE      'ActiveDir_users.bad'
  DISCARDFILE      'ActiveDir_users.dsc'
  TRUNCATE
  INTO TABLE PG4WF.ACTD_USERS
  FIELDS TERMINATED BY ';'
  (     samaccountname
  ,     employeeid
  ,     name
  ,     displayname
  ,     sn
  ,     description
  ,     department
  ,     physicaldeliveryofficename
  ,     streetaddress
  ,     l
  ,     mail
  ,     wwwhomepage
  ,     distinguishedName
  )I made a cmd-file to start SQL*Loader
  : Import the Active Directory users in Oracle by SQL*Loader
  D:\Oracle\ora92\bin\sqlldr userid=pg4wf/<password>@<database> control=sqlldr_ActiveDir_users.ctl log=sqlldr_ActiveDir_users.logI used this for a good list of active directory fields:
  http://www.kouti.com/tables/userattributes.htm
  Greetings,
  Richard de Boer

  I have a table with about 50,000 records in my Oracle database and there is a date column which shows the date that each record get inserted to the table, for example 04-Aug-13.
  Is there any way that I can find out what time each record has been inserted?
  For example: 04-Aug-13 4:20:00 PM. (For my existing records not future ones)
  First you need to clarify what you mean by 'the date that each record get inserted'.  A row is not permanent and visible to other sessions until it has been COMMITTED and that commit may happen seconds, minutes, hours or even days AFTER a user actually creates the row and puts a date in your 'date column'.
  Second - your date column, and ALL date columns, includes a time component. So just query your date column for the time.
  The only way that time value will be incorrect is if you did something silly like TRUNC(myDate) when you inserted the value. That would use a time component of 00:00:00 and destroy the actual time.

• How to create "folders" in Active Directory Users and Computers?

  Hello Community
      In Windows Server 2008R2 when you go to Active Directory Users and Computer
  you will see icons of folders such as:
      -  Builtin has a folder icon
      - Computers has a folder icon
      - ForeignSecurityPrinicpals has a folder icon
      - Domain Controller as a folder icon
      - Managed Service Accounts has a folder icon
      - Users has a folder icon
      All of the above folders are visually identical.
      If you right click and select “File” –  “New”
   on any of the selections the icon
  will not look like the folder icon they have their own icons which look different
  from the "Folder" icon.
      I would like to create a “Folder” that looks just visually exactly like the ones
  mentioned above, how can I create those types of Folders in Active Directory User
  and Computers?
      Note: I would like to put users in the folders.
      Thank you
      Shabeaut

  Hi,
  you should use OUs (an OU is they type of object (folder) that is available for you to easily create.
  The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
  Refer: Delegating Administration by Using OU Objects
  http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx   
  and the sub-articles:
  Administration of Default Containers and OUs
  http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
  Delegating Administration of Account and Resource OUs
  http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
  Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Report on Active Directory User Attributes in SCCM 2012

  I need to output a list of all users in a collection, along with certain user attributes from Active Directory. I can get part of what I need with the following query:
  SELECT v_FullCollectionMembership.ResourceID,
  v_R_User.Windows_NT_Domain0,
  v_R_User.Distinguished_Name0,
  v_R_User.Full_User_Name0,
  v_R_User.Mail0,
  v_R_User.User_Name0
  FROM v_FullCollectionMembership, v_R_User
  WHERE v_FullCollectionMembership.ResourceID = v_R_User.ResourceID
  AND v_FullCollectionMembership.CollectionID = 'SMS00002'
  If possible I need to add:
  Last logon timestamp
  User account status (enabled or disabled)
  I have added "lastLogon" and "lastLogonTimestamp" as additional attributesunder Active Directory User Discovery. This discovery method is enabled and I have run a full discovery about a month ago, and again today. I read in
  another thread that these attributes should appear in the table v_R_User, however they have not. Is v_R_User the right place to look for this or is there another view or table I can query?
  Once I have the above sorted out, how can I find the user account status in SCCM? I have done reports in the past directly from AD and used the 'useraccountcontrol' attribute and I noticed there is a column named 'User_Account_Control0' in v_R_User, however
  the values do not match those found in Active Directory.
  Thanks.

  Have you checked the attribute from the Active Directory in decimal format? Check that and compare it to the value ConfigMgr has stored in its 'User_Account_Control0'...
  User Account Control tells you multiple things of the account, for example does the account have "Smart card login required" -option checked from the account properties.
  The tricky part here is to actually get the report show you what you really want, because "useraccountcontrol" -attribute is a numeric value, you have to calculate what decimal combination means what in readable text.
  More info on the attribute can be found from here
  http://support.microsoft.com/kb/305144 and from there you can also find the values for different settings. For example:
  account is enabled = 512
  account is disabled = 514
  account is enabled with smart card = 262656

• Best practice for Active Directory User Templates regarding Distribution Lists

  Hello All
  I am looking to implement Active Directory User templates for each department in the company to make the process of creating user accounts for new employees easier. Currently when a user is created a current user's Active directory account is copied, but
  this has led to problems with new employees being added to groups which they should not be a part of.
  I have attempted to implement this in the past but ran into an issue regarding Distribution Lists. I would like to set up template users with all group memberships that are needed for the department, including distribution lists. Previously I set this up
  but received complaints from users who would send e-mail to distribution lists the template accounts were members of.
  When sending an e-mail to the distribution list with a member template user, users received an error because the template account does not have an e-mail address.
  What is the best practice regarding template user accounts as it pertains to distribution lists? It seems like I will have to create a mailbox for each template user but I can't help but feel there is a better way to avoid this problem. If a mailbox is created
  for each template user, it will prevent the error messages users were receiving, but messages will simply build up in these mailboxes. I could set a rule for each one that deletes messages, but again I feel like there is a better way which I haven't thought
  of.
  Has anyone come up with a better method of doing this?
  Thank you

  You can just add arbitrary email (not a mailbox) to all your templates and it should solve the problem with errors when sending emails to distribution lists.
  If you want to further simplify your user creation process you can have a look at Adaxes (consider it's a third-party app). If you want to use templates, it gives you a slightly better way to do that (http://www.adaxes.com/tutorials_WebInterfaceCustomization_AllowUsingTemplatesForUserCreation.htm)
  and it also can automatically perform tasks such as mailbox creation for newly created users (http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomateExchangeMailboxesCreationForNewUsers.htm).
  Alternatively you can abandon templates at all and use customizable condition-based rules to automatically perform all the needed tasks on user creation such as OU allocation, group membership assignment, mailbox creation, home folder creation, etc. based on
  the factors you predefine for them.

• Not able to open active directory user and computer in windows server 2008r2

  Hi All techies,
  i would like to know one issue which i am facing mostly, i have created 5 virtual machine all with window server2008r2 and one windows 7 on vm-ware now when ever i start my virtual machines everything going rite but when i try to open active directory user/
  computer or domain and trust i get a following error "data from active directory user and computers is not available from dc(null) bcoz unspecified error" even when i chk in events log its give me no help, and after 15-30 min everything works good
  Please let me know the cause of it and really appreciate it .
  Thanks
  Atul

  You need to ensure that
  1. group policy that says "wait for network before logon" is applied to all computers including servers and workstations is applied
  2. DNS record exists for all DCs in DNS
  3. If there are multiple Domain Controllers in Forests, then they point them as secondary DNS server. This way they will be able to resolve IPs if local DNS server service takes time to start.
  As Chris mentioned, you need to start all DCs first, give a time of 5 minutes and then start member servers and workstations for successful logon.
  - Sarvesh Goel - Enterprise Messaging Administrator

• Getting Active Directory Users in UCM User Admin - Users Tab

  Hello All
  We have integrated WLS with our Active Directory. And we are getting all the active directory users under Security Realms >myrealm >Users and Groups tab in WLS Console.
  We are also able to login to webcenter spaces and Content server using those userid and credentials. But our problem is in UCM under Admin Applets - User Admin - Users tab all the active directory users are not listed. So we are not able to assign particular roles to the users.
  When a particular Active Directory user logins in UCM (First Time) after that the admisistrator (weblogic) is able to get that user under Admin Applets - User Admin - Users tab. And also it comes as an External user so we are not able to assign role.
  So basically UCM requires a login to get all the users listed in users tab.
  Our requirement is we want all the Active Directory users to get listed in UCM without the condition that the users has to login in content server once.
  Thanks

  Hi Navin ,
  First and foremost the requirement that you have posted is not possible and the reason for that is :
  Users are created on AD which is outside the realm of UCM hence there is no way that the users created on AD will be shown up under Users tab without they login atleast once . UCM does not know which all users are part of the realm until and unless the AD users login in atleast once .
  Secondly external users cannot be assigned roles from UCM because when the Auth type is set to External UCM sees it as external entity hence not giving it any way to relate roles / groups from UCM . As a workaround you can change the AuthType for the External users to Global from User Admin applet after the users login for the first time . This will enable you to assign roles / groups for the AD users .
  Hope this helps .
  Thanks
  Srinath

• SMB access for Active Directory users

  Hi there,
  My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
  When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
  My smb.conf file is as follows:
  ; Configuration file for the Samba software suite.
  ; ============================================================================
  ; For the format of this file and comprehensive descriptions of all the
  ; configuration option, please refer to the man page for smb.conf(5).
  ; The following configuration should suit most systems for basic usage and
  ; initial testing. It gives all clients access to their home directories and
  ; allows access to all printers specified in /etc/printcap.
  ; BEGIN required configuration
  ; Parameters inside the required configuration block should not be altered.
  ; They may be changed at any time by upgrades or other automated processes.
  ; Site-specific customizations will only be preserved if they are done
  ; outside this block. If you choose to make customizations, it is your
  ; own responsibility to verify that they work correctly with the supported
  ; configuration tools.
  [global]
  debug pid = yes
  log level = 1
  server string = Mac OS X
  printcap name = cups
  printing = cups
  encrypt passwords = yes
  use spnego = yes
  passdb backend = odsam
  idmap domains = default
  idmap config default: default = yes
  idmap config default: backend = odsam
  idmap alloc backend = odsam
  idmap negative cache time = 5
  map to guest = Bad User
  guest account = nobody
  unix charset = UTF-8-MAC
  display charset = UTF-8-MAC
  dos charset = 437
  vfs objects = darwinacl,darwin_streams
  ; Don't become a master browser unless absolutely necessary.
  os level = 2
  domain master = no
  ; For performance reasons, set the transmit buffer size
  ; to the maximum and enable sendfile support.
  max xmit = 131072
  use sendfile = yes
  ; The darwin_streams module gives us named streams support.
  stream support = yes
  ea support = yes
  ; Enable locking coherency with AFP.
  darwin_streams:brlm = yes
  ; Core files are invariably disabled system-wide, but attempting to
  ; dump core will trigger a crash report, so we still want to try.
  enable core files = yes
  ; Configure usershares for use by the synchronize-shares tool.
  usershare max shares = 1000
  usershare path = /var/samba/shares
  usershare owner only = no
  usershare allow guests = yes
  usershare allow full config = yes
  ; Filter inaccessible shares from the browse list.
  com.apple:filter shares by access = yes
  ; Check in with PAM to enforce SACL access policy.
  obey pam restrictions = yes
  ; Don't be trying to enforce ACLs in userspace.
  acl check permissions = no
  ; Make sure that we resolve unqualified names as NetBIOS before DNS.
  name resolve order = lmhosts wins bcast host
  ; Pull in system-wide preference settings. These are managed by
  ; synchronize-preferences tool.
  include = /var/db/smb.conf
  [printers]
  comment = All Printers
  path = /tmp
  printable = yes
  guest ok = no
  create mode = 0700
  writeable = no
  browseable = no
  ; Site-specific parameters can be added below this comment.
  ; END required configuration.
  Any help would be much appreciated!!
  Thanks.

  I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
  [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
  setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
  When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
  Not feeling the Mac OS X love tonight.
  Bill
  System is bound to active directory - green light in Directory Utility

• Active directory users and computers wont start on a dc, "the server is not operational"

  In our environment, we have 3 dc's 
  two which run server 2008 (they work perfectly)
  and one never off branch dc that runs server 2008 r2.
  We have been having some problems where we feel the replication isnt up too speed(stuff could take up to 24 hours to replicate) and now when i tried opening active directory users and computers i am met with this error window:
  We have a third party DNS solution.
  How do i troubleshoot this issue?

  dc01 (which replicates perfectly with dc02, and vise versa)
  dcdiag /test:dns
  C:\Users\adminuser>dcdiag /test:dns
  Domain Controller Diagnosis
  Performing initial setup:
  Done gathering initial info.
  Doing initial required tests
  Testing server: Hostingpartner\ourdc01
  Starting test: Connectivity
  ......................... ourDC01 passed test Connectivity
  Doing primary tests
  Testing server: Hostingpartner\ourdc01
  DNS Tests are running and not hung. Please wait a few minutes...
  Running partition tests on : ForestDnsZones
  Running partition tests on : DomainDnsZones
  Running partition tests on : Schema
  Running partition tests on : Configuration
  Running partition tests on : int
  Running enterprise tests on : int.domain.com
  Starting test: DNS
  Test results for domain controllers:
  DC: ourdc01.int.domain.com
  Domain: int.domain.com
  TEST: Delegations (Del)
  Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
  Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
  Summary of test results for DNS servers used by the above domain controllers:
  DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
  2 test failures on this DNS server
  Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
  Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
  Summary of DNS test results:
  Auth Basc Forw Del Dyn RReg Ext
  Domain: int.domain.com
  ourdc01 PASS PASS PASS FAIL n/a PASS n/a
  ......................... int.domain.com failed test DNS
  dcdiag on dc01(which can replicate with dc02)
  C:\Users\adminuser>dcdiag
  Domain Controller Diagnosis
  Performing initial setup:
  Done gathering initial info.
  Doing initial required tests
  Testing server: hostingpartner\ourdc01
  Starting test: Connectivity
  ......................... OURDC01 passed test Connectivity
  Doing primary tests
  Testing server: hostingpartner\ourdc01
  Starting test: Replications
  [Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
  Win32 Error 8453.
  ......................... OURDC01 failed test Replications
  Starting test: NCSecDesc
  ......................... OURDC01 passed test NCSecDesc
  Starting test: NetLogons
  [OURDC01] User credentials does not have permission to perform this operation.
  The account used for this test must have network logon privileges
  for this machine's domain.
  ......................... OURDC01 failed test NetLogons
  Starting test: Advertising
  ......................... OURDC01 passed test Advertising
  Starting test: KnowsOfRoleHolders
  ......................... OURDC01 passed test KnowsOfRoleHolders
  Starting test: RidManager
  ......................... OURDC01 passed test RidManager
  Starting test: MachineAccount
  ......................... OURDC01 passed test MachineAccount
  Starting test: Services
  ......................... OURDC01 passed test Services
  Starting test: ObjectsReplicated
  ......................... OURDC01 passed test ObjectsReplicated
  Starting test: frssysvol
  ......................... OURDC01 passed test frssysvol
  Starting test: frsevent
  ......................... OURDC01 passed test frsevent
  Starting test: kccevent
  ......................... OURDC01 passed test kccevent
  Starting test: systemlog
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:04:29
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:04:50
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:10:56
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:11:17
  (Event String could not be retrieved)
  ......................... OURDC01 failed test systemlog
  Starting test: VerifyReferences
  ......................... OURDC01 passed test VerifyReferences
  Running partition tests on : ForestDnsZones
  Starting test: CrossRefValidation
  ......................... ForestDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... ForestDnsZones passed test CheckSDRefDom
  Running partition tests on : DomainDnsZones
  Starting test: CrossRefValidation
  ......................... DomainDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... DomainDnsZones passed test CheckSDRefDom
  Running partition tests on : Schema
  Starting test: CrossRefValidation
  ......................... Schema passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... Schema passed test CheckSDRefDom
  Running partition tests on : Configuration
  Starting test: CrossRefValidation
  ......................... Configuration passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... Configuration passed test CheckSDRefDom
  Running partition tests on : int
  Starting test: CrossRefValidation
  ......................... int passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... int passed test CheckSDRefDom
  Running enterprise tests on : int.domain.com
  Starting test: Intersite
  ......................... int.domain.com passed test Intersite
  Starting test: FsmoCheck
  ......................... int.domain.com passed test FsmoCheck
  The problematic dc03:
  Dcdiag gives the same output as dcdiag /test:dns
  C:\Users\adminuser>dcdiag
  Directory Server Diagnosis
  Performing initial setup:
  Trying to find home server...
  Home Server = OURDC03
  Ldap search capabality attribute search failed on server NTSDC03, return
  value = 81
  We have an infoblox dns server on ip address xxx.y.y.251.
  first error in event logs on dc03:
  error 1863
  This is the replication status for the following directory partition on this directory server.
  Directory partition:
  CN=Configuration,DC=int,DC=domain,DC=com
  This directory server has not received replication information from a number of directory servers within the configured latency interval.
  Latency Interval (Hours):
  24
  Number of directory servers in all sites:
  2
  Number of directory servers in this site:
  2
  The latency interval can be modified with the following registry key.
  Registry Key:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
  To identify the directory servers by name, use the dcdiag.exe tool.
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
  i have also go several warning 2088, 2093, 2087.
  And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones

• Active Directory Users and Computer not displaying column data?

  I am running Windows 8.1 Enterprise with RSAT installed.  My Domain controllers are Server 2008 R2.
  I am having and issue with Active Directory Users and Computers.  Typically I will turn on Advanced Features and then add Columns for Email address and Display Name.  This for example allows me to easily export lists of users and there email
  addresses among other things.
  The issue is that on my Windows 8.1 client, the columns for Email and Display Name are empty.  It simply will not display this information.  It only displays Name, TYpe and Description.
  If I use a Windows 7 client, the information displays correctly.
  Has anyone run into this issue or heard of this problem when using ADUC on Windows 8.1?

  ADUC is an AD tool that is no longer being improved, with Microsoft now focusing on ADAC (Administrative Center). In 8.1, it has improved quite a bit since 7. You can also just try using the
  ActiveDirectory PowerShell Module, which is easy to use and fairly powerful. It can be simple to export lists, and the module for AD is included with RSAT tools.
  Example:
  Import-Module ActiveDirectory
  Get-ADUser -Filter {Manager -eq "John.Smith"} -Properties DisplayName,Mail | Export-Csv dump.csv -NoTypeInformation
  So, recommendation: either use ADAC, or PowerShell -- ADUC is part of the wave of deprecation.