Domain Administration issues

Similar Messages

• Built in domain administrator... locked out?

  PART-1
  Today our built in domain administrator got locked out. From what I've read this is not possible. We were alerted on it and when I opened the object it said it was locked out. (I'll admit, I didn't try logging in with it). I double checked and the objects
  SID does indeed end in -500 which is indicative of it being the built in account.  
  I ran this query:
  $BA=(get-addomain).domainsid
  $BA.tostring() + "-500"
  and the only result I got back was the SID that matched the user in question.
  What's going on? Was it truly locked out? I guess we will run a test tomorrow but I wanted to reach out to the forums too.
  PART-2
  Once this account was locked out we went to the source server and found that it was no longer on the domain. Instead it was in a workgroup that had a name that resembled our domain. I checked the event log and there were a ton of errors with event ID 4097
  that said "The machine [machine-name] attempted to join the domain [FQ-domain-name]\[FQDN-of-PDC] but failed. The error code was 1326". These errors correspond with the time that the account was locked out. There were a ton of them...
  The account that was originally used to join this machine to the domain was the built in admin above (I know, not best practice). Regardless, why would it switch from domain to a workgroup? Why would it attempt to auto re-join? And why would it use the account
  originally used to join the domain? 

  I have found my answers...
  Part 1:
  The built-in administrator will get locked out and marked as locked out - however, when you go to log in with it, it will AUTOMATICALLY unlock the account. So essentially it cannot be locked out but it will give off the impression that it is.
  you can however disable the account. .... supposedly if you ever have to recover your domain in restore mode it will enable the account for you... .never had an opportunity to test that and I hope I don't
  Part 2:
  This is a vmware related issue. The machine tried to re-run custom specs. Please see the following vmware article if you are having the same issue.
  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2078352
  This is related to deploying machines with custom specs in 5.1 with hosts on build 1743533 (ESXi 5.1 patch 4)

• Built-in domain Administrator account not given full access to new Exchange 2013 server

  I migrated from Exchange 2010 to 2013 over the weekend.  I cannot log into the EAC with my domain administrator account I use to log into all my other servers.  I also cannot run the clean-mailboxdatabase cmdlet logged in as this user.  I
  had no trouble moving mailboxes from the old server to the new server with this account though.
  This account is a member of: Domain Admins, Enterprise Admins, Exchange Full Admin, Exchange Organization Admin, Organization Management, Schema Admins, Server Management.
  I can log into the EAC with another admin account that has the same memberships as the Administrator account.
  I tried giving the account the role of "Databases" as suggested by others to fix the clean-mailboxdatabase issue but that did not work for me either.
  The Administrator mailbox has been moved to the new database on the Exchange 2013 server.  The Exchange 2010 has been decommissioned and is turned off.

  Hi,
  Based on my research, to retrieves the mailbox statistics for the disconnected mailboxes for all mailbox databases in the organization, we can try the following command:
  Get-MailboxDatabase | Get-MailboxStatistics -Filter 'DisconnectDate -ne $null'
  http://technet.microsoft.com/en-us/library/bb124612(v=exchg.150).aspx
  Additionally, The Identity parameter specifies the disconnected mailbox in the Exchange database and it can be display name instead of mailbox GUID.
  http://technet.microsoft.com/en-us/library/jj863439(v=exchg.150).aspx
  Hope it can help you.
  Thanks,
  Angela Shi
  TechNet Community Support

• Cannot access Exchange Mgmt Shell - user "Domain\Administrator" isn't assigned to any management roles

  This is a new domain-joined Server 2012 member server with no data. Domain Administrator account is in the Organization Management group. Domain functional level is Server 2012.
  Setup /m:RecoverServer fails because "...server roles are already installed..."
  Uninstall fails because the "mailbox database contains one or more mailboxes..." which I can't delete.

  Hi,
  I recommend you refer to the following article to troubleshoot the issue:
  https://social.technet.microsoft.com/wiki/contents/articles/14874.error-the-user-domain-localusersadministrator-isnt-assigned-to-any-management-roles-on-exchange-2010-management-console.aspx
  we may try to propagate the RBAC permissions for the user again! procedure is as below:
  1.
  Open Windows Powershell as  “Run As Administrator”
  2.
  Load the setup Snapin with the command: Add-Pssnapin *Setup*
  3.
  Run the commands one after the other to propagate the RBAC to the user who is logged on to the Exchange Server.
  a. Install-CannedRbacRoleAssignments  –InvocationMode Install
  b.
  Install-CannedRbacRoles
  c.
  Install-CannedRbackRoleAssignmentsRAP
  d.
  Install-CannedAddressLists
  Thanks.
  Niko Cheng
  TechNet Community Support

• Strange profile when I access with Domain Administrator accout

  Hello,
  It's the first time that I got this issue (I used to install Windows 2008 Server R2 many times a month) :
  These are different steps :
  - Windows 2008 Server R2 installed normally
  - access with local administrator (account : administrator)
  - doing updates
  - creating new local user (account : admin)
  - add this user to local administrator group ( group : Administrators)
  - access with that new admin user
  - delete administrator profile and disable that user
  - restart
  - add the server to a domain and then restart
  - access to the server with domain administrator (account : domain\Administrator)
  - then there's no mention of the domain administrator name in the profile
  hatem

  I'd check it again in between each of the steps you mentioned to see where it happens. Can't make much from the last screen shot since its blacked out. It may have been a one-off and will not happen next time.
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows]
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

• Built-in Domain Administrator Account Repeated Locks

  This account was disabled years ago and is not used.  However, event 4740 are regularly generated,  It shows the calling computer name as one of our servers.  So, I logged into the that server and look in the local security event log and there
  are no references to account lockouts at the time the 4740s are generated on the domain controllers.
  I checked for services running on the server using administrator credentials and I checked for scheduled tasks using administrator credentials and I don't see anything on the server listed as caller computer.
  I renamed the "User logon name" for this account to something different so that would not longer be a match if something is try to authenticate using the logon name of "administrator."  However, this has not helped.  The account
  still generates the 4740.
  I checked the domain "Administrator" account again today and it was no longer disabled.  So, I disabled it again and will see if it still gets locked out again in the next 24 hours.
  How can an account with the user id changed still get locked out?  It seems very strange that the account can be locked out when the user name no longer matches anything that could have ever had that user id saved.
  What can be done to fix this issue?

  hi,
  If possible please do the following steps.
  Note: here I have taken user account name as User1
  1.Using ADSIEDIT changed the value of UserAccountControl attribute of the User1 account to 66082(numerical) i.e. 0x10222(in hex) and disabled it which is the sum of the following attributes:
  a. ACCOUNTDISABLE; PASSWD_NOTREQD; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
  b.    
  It’s current value was 0x10202 aka 66050 in dec (I believe this implies ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD)
  2.   Then for the account (in ADUC) do the following:
  a.  Unchecked the "user cannot change password" -> OK
  b. Right-clicked on the
  ‘user1’ account and selected reset password and kept it blank and clicked OK
   i.     
  This step is to set a NULL password for the User1 account and keep it disabled
  c.      
  Right-clicked on the User1 account and checked the "user cannot change password" again
  https://support.microsoft.com/en-us/kb/305144?wa=wsignin1.0

• How to Reset Windows 2008/R2 Domain Administrator Password

  How to Reset Windows Server 2008/R2 Domain Administrator password if forgot or lost it?
  It is annoying and bad to forget a Windows Server 2008/r2 Domain administrator login password. It is troublesome unless you have that Windows Server 2008/r2 password reset disk. We can still find several tricks to reset Windows Server Domain password but they require a mass of operations and waste a lot of time. For example, you can reset Windows Server 2008/R2 domain administrator password with an installation disk but it requires you to type a mass of command line. So today I want to share everyone an omnipotent method to reset Windows Server 2008/R2 Domain/local administrator password. You need the following 3 things.
  An accessible PC.
  A USB/CD/DVD flash drive.
  The Windows password reset tool Daossoft Windows Password Rescuer.
  Then it requires 4 steps as below:
  Step 1: Download and install Daossoft Windows Password Rescuer into that accessible computer.
  Step 2: Burn it to the flash drive.
  Step 3: Boot your Windows Server computer from the flash drive.
  Step 4: Follow its instruction and click “Reset Password” button to reset your Windows 2008/R2 Domain/Local administrator password.
  More details in this video: Windows Server 2008 R2 Password Reset - Reset Domain or Local Password.

  It wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an
  illusion of security which is not there. Linux systems that are much more secure that MSFT software allow easy password reset when physical access is there so why not include the same tools in System Repair tools or using F8?
  Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
  http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
  Thanks,

• Cannot connect to Domain\administrator from ny RDC after assigning an active directory domain to my server

  hi, I'm using windows server 2012 R2 and I was Just wondering how to make the Remote Desktop enable connection through domain\administrator before actually creating the domain... In other words, I wanted to create an Active Directory Domain User and connect
  to the server from the RDP. The problem is that I can only connect through the RDP considering that I'm using Windows Azure, so the physical server isn't actually sitting on my desk... Anyway when I create an AD DS the system automatically reboots and I'm
  not able to connect to it anymore, so all I need to do right now is enable somehow the Remote Desktop Services to connect through "Domain\Administrator" before I actually create the AD DS and assign it to my server so that when the system reboots
  and I open the RDP I can connect to the server.
  Thanks in advance.

  Hi,
  Thank you for posting in Windows Server Forum.
  As per your comment, it seems that you are managing the server with .RDP file. I can suggest you to run
  "Remote Desktop Connection Manager” for maintaining server. With that you can specify the credential for domain\administrator and when you setup the AD DS, after that you can open the connection through domain\administrator and not as local user.
  Hope it helps!
  Thanks,
  Dharmesh

• Domain Administrator account being locked up by PDC

  Hi everyone,
  My PDC is locking up my domain administrator (administrateur in french) account.
  System event logs :
  The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please
  consider resetting the password of the account mentioned above.
  Level : Error
  Source : Directory-Services-SAM
  Event ID : 12294
  Computer : Contoso-PDC
  User : System
  There is absolutely no events in the security events log, not a single "Audit Failure" event for the "administrateur" account.
  I tried to change the name of the domain administrator account from "administrateur" to "administrator".
  Now there is "Audit failure" events poping up in the security event logs.
  Once again the Source Workstation is the PDC. I guess those events are there because it receive credential validation for an account who doesn't exist anymore since it have been renamed in "Administrator".
  Here is the detail log :
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: Administrateur
  Account Domain: CONTOSO
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: CONTOSO-PDC
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  On the PDC i checked :
  Services : None of them are started with the "administrateur" account
  Network Share : There is no network share ...
  Task Scheduler : None of the tasks are launch with the "administrateur" account.
  And the logon type (3:network) seem to indicate that the login comes from an other computer but i have nothing to look for, not a single IP.
  Any ideas?
  ps : Sorry for the probable english mistakes :(

  Hi,
  Thanks for you answers.
  San4wish :
  Lockout tool confirm that the domain administrator account is locked on my PDC. I didn't run eventcomb but i though it only helped parsing security event logs which i did "manually". Anyway i'll try eventcomb after this week end.
  About the conficker worm : I looked into it and this worm was exploiting a vulnerability in the server service. It have been patched by MS08-067 (KB958644) and this kb isn't available for Windows 2008 R2 and Windwos 2012 so i guess Windows 2008 R2 have
  fixed this vulnerabilty.
  So i doubt its a conficker type worm.
  Also i gave the PDC role to another DC (let's call him DC2) and now DC2 is locking the administrator account so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs.

• Can't preview RAW files in Bridge CC, administrator issue?

  Can't preview RAW files in Bridge CC.
  When i try to upate Bridge, it says:
  Bridge is unable to check for updates, cause it can't connect to the internet or user is logged in as a non-administrative user.
  So then i have to log in as a administrative user to the Bridge...and update..
  Can't it be done easier???
  I must also say i have also Bridge CS6 installed on pc and there everything is working fine.
  Thx.

  1/ Adobe Bridge should be possible to open without administrator issue.
  By default it does, something seems wrong with your install
  2/the images DO appear first for 2 or 3 seconds , then it turns to a RAW file icon.
  Again indicating a wrong install, you see the embedded jpeg previews briefly but then the Raw thumbs should be build. When you see the generic Raw icon this means you don't have the correct version of the ACR plug in installed to match your camera or no converter at all.
  Try this page:
  http://helpx.adobe.com/creative-suite/kb/camera-raw-plug-supported-cameras.html
  3/i only succeed in openening Bridge descently , so with ableing to see RAW files , WHEN i go to c:/progamfiles/Adobe/AdobeBridhecc/Bridge.exe
  When, If i copy the exe file for opening Bridge CC and i put it on the Desktop, it DOES NOT Preview the RAW files.
  Here you have lost me. As a Mac user I'm afraid I don't know nor understand anything about .exe, I download the .dmg file for an application which then automatically opens and I just click on the install icon, provide admin password and serial number once and then start using it without bothering about install ever again

• Changing Domain Administrator Password : How can I find out what all servers / services are currently using this?

  Good morning all,
  I took over as IT director for the school district in my town about 2 years ago, and we've had some techs come and go, all of which have had the domain administrator password (not my call, but my fault for not changing it by now).  I am about to change
  it, but before doing so I want to know how I can make sure what all this will break so I can quickly change the cached/saved password on whatever supporting services use this user/pass.
  Can anyone help here?
  Thank you!

  Hello,
  In my point of view if I were in this situation I would Change the domain administrator password. By
  Resetting the domain administrators all the services which use domain administrator as their logon user, will lose their functionality. I had this experience and I did change the domain administrator password with no problem. However do not
  forget to have a account lockout tool or script for locating the place where the account was locked out.
  But to keep it short most of the time. lockout problems are arise from mapped drives, credential manager and saved RDP sessions and etc.
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• I've used the Domains Administrator and added 45 domains. Where is that information recorded ?

  I've used the Domains Administrator and added 45 domains. Where is that information recorded ?
  Thanks,
  Bob Larsen

  The should be in defaultdomains.xml which will be in your system types directory (if you defined one), otherwise it is in a folder where you installed data modeler.

• Install Oracle XE in a domain without domain administrator credential

  Hi,
  I work in a company. My Windows 7 64b and my login are identified in a Windows domain. For test purpose, I would like to install Oracle XE on my computer so that I can connect on it.
  I tried many things and I had always credential problems or Oracle problems. As I understand the behavior of Oracle :
  - if you install it being connected to the domain, you enter during the install a system password that is useless : the domain administrator password should probably be used
  - if you logged in the domain but you disconnect your network cable, you cann connect with the given system password
  - if after installation you change SQLNET.AUTHENTICATION_SERVICES to (NONE) then you can connect but Oracle isn't started. From the logs, it seems that Oracle hadn't the correct password itself to initialize itself
  - if you create, on your computer, a local account with administratror credential, it works all fine from this account but not from your domain account !
  My question is : how to install Oracle XE being identified on the domain, without needing administrator credential ? Or once Oracle is installed and authentification set to local, is it possible to initialize Oracle again ?

  how to install Oracle XE being identified on the domain, without needing administrator credential Add your domain login to the local administrators group. Per the XE install guide for Windows, the installing user must have administrator rights on the host. See the section "Permission Requirement for Installing Oracle Database XE" at:
  http://docs.oracle.com/cd/E17781_01/install.112/e18803/toc.htm#BABIHEJC
  Also note the System Architecture requirement, Intel x86, which is not X64. Not to say that it won't work, but there will be challenges getting a successful installer run with a Windows X64 OS.

• Domain Administration Server HA

  Greetings,
  I'm in the process of setting up a Appserver cluster, with four nodes.
  Originally I planned to install domain administration server on one machine, then install nodeagents on all four machines.
  I was going to create a cluster and add the node agents.
  However, what I have run into is, if I lose the machine that is the domain adminstration server, what will I do?
  Can I install domain adminstration servers on multiple machines and manage the same cluster configuration? do I just need to mirror the "domains" directory to another server, and if that macine fails I can start that domain on another machine?
  I guess my questions would be what the best practices are for deploying applications server cluster and how to maintain high availability on the administration servers.
  I'm using Version 8 Enterprise Addistion btw.
  Thanks in advance!
  Jeremy
  3nt3r 7h3 r341m http://www.society86.com
  What the blog?! http://trellipses.blogspot.com

  I am in the same place as Jeremy and would like an answer to his question.
  Also regarding recreating the the DAS:
  Lets say you set up a cluser with 2 server instances across 2 machines with the Admin (DAS) server on the first nodeagent/server instance machine. Can you use the second nodeagent/server instance machine as the backup machine to recreate the DAS? If so, any special instructions? I certainly do not want to have to involve a 3rd machine.

• Need to provide local administrator access without domain administrator rights

  Hi All,
  I need to provide local admin access to one account in windows environment without providing domain administrator rights.
  Windows 2008 DC. Desktops : windows 7
  So that we can use this account to install agents like SCCM\SCOM in all servers & desktops.
  Need suggestions.

  Hi,
  I agree with Senne, in addition, we can also use net command to perform local group management.
  More information for you:
  Add a member to a local group
  http://technet.microsoft.com/en-us/library/cc772524.aspx
  How to Make a Domain User the Local Administrator for all PCs
  http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-a-domain-user-the-local-administrator-for-all-pcs.aspx
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]