Domain Users Group is a Protected Group on the Domain

I'm having an issue where I set some permissions for a particular user's mailbox, but when I come back later the permissions have been removed. I have done some digging around and I believe the issue is a result of the Domain Users group being protected, which has led me to the AdminSDHolder object in the System OU. Does anyone know if it is possible to amend the security permissions so that the group is no longer protected, as it is causing some major issues for me.
Any suggestions would be appreciated
Thanks in Advance

I just want to add to make sure that the user is not part of another group that may be nested in another group that is protected.
I had that issue with a customer, a police department, after I migrated them to Exchange 2010, when some, but not all, users had issues with their mobile devices accessing Exchange ActiveSync. I found it was previously created users, not new users, that had the problem. They had a number of users in administrative groups from when they had one server that was a DC (previously SBS) and everyone in the organization had access to it, which required users to have administrative rights; at least that's how the previous administrator did it back then, to provide them local logon rights.
With the help of a tool from Joe Richards, I had to hunt down each nested administrative group the users were in to remove them, or change the AdminCount attribute to 0 before setting them to allow inheritance, otherwise it would set itself back when AdminSDHolder runs every hour.
This was all discussed in the following TechNet thread:
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/269e0ab2-6e65-4001-abcb-3c89f6f938fd/issues-with-adminsdholder?forum=winserverDS
Also, take a look at this PowerShell script that is supposed to look for all of that; at least that was my last discussion with the author, mentioning that each group that a user is part of must be checked, when he posted the script to the ADDS group on FB (https://www.facebook.com/groups/ADDSForum/):
Exchange Checkbox of Doom
http://www.dexterposh.com/2014/12/powershell-exchange-checkbox-of-doom.html
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
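Ace's advice above (clear AdminCount, then re-enable inheritance, before SDProp's hourly run undoes it) can be scripted. The following is an added example, not code from the thread or from the tools it links. It assumes the ActiveDirectory RSAT module and an account that can read all group memberships and, for the repair function, modify the affected user objects. It finds the protected groups by their own adminCount=1 stamp rather than a hard-coded list, expands nested membership, and lists users that are still stamped but no longer sit in any protected group.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# RSAT module and an account allowed to read all group memberships and, for
# Repair-OrphanedAdminCountUser, to modify the affected user objects.
Import-Module ActiveDirectory

function Get-ProtectedGroupMember {
    # SDProp stamps adminCount=1 on the protected groups themselves, so querying
    # groups with adminCount=1 yields the effective protected set (defaults plus
    # anything un-excluded via dSHeuristics) without hard-coding group names.
    $protected = Get-ADGroup -LDAPFilter '(adminCount=1)'
    $members = @{}
    foreach ($g in $protected) {
        # -Recursive expands nesting: a user in "Helpdesk" nested in
        # "Account Operators" is protected exactly like a direct member.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { $members[$_.distinguishedName] = $g.Name }
    }
    $members   # DN -> name of the protected group that causes the protection
}

function Get-OrphanedAdminCountUser {
    # Users still stamped adminCount=1 but no longer in any protected group.
    # SDProp never clears adminCount when a user leaves a protected group, and
    # inheritance stays blocked; the disappearing mailbox permissions in the
    # thread are the typical symptom.
    $protected = Get-ProtectedGroupMember
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        Where-Object {
            -not $protected.ContainsKey($_.DistinguishedName) -and
            $_.SamAccountName -notlike 'krbtgt*'   # krbtgt is protected directly, not via a group
        } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                DistinguishedName  = $_.DistinguishedName
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
}

function Repair-OrphanedAdminCountUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$DistinguishedName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear adminCount and re-enable ACL inheritance')) {
            # Order matters: clear adminCount first, otherwise SDProp (hourly by
            # default) re-protects the object and strips the inherited ACEs again.
            Set-ADUser -Identity $DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            # $false = stop protecting (allow inheritance); $true = keep the explicit ACEs
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        }
    }
}

# Report first, then repair (remove -WhatIf to apply):
Get-OrphanedAdminCountUser | Format-Table -AutoSize
Get-OrphanedAdminCountUser |
    Select-Object -ExpandProperty DistinguishedName |
    Repair-OrphanedAdminCountUser -WhatIf
```

Repair-OrphanedAdminCountUser honours -WhatIf and -Confirm, so the report can be reviewed before anything changes. Get-ADGroupMember -Recursive errors out on groups larger than the server-side member limit; for those, an LDAP_MATCHING_RULE_IN_CHAIN filter on memberOf is the usual substitute.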

Similar Messages

  • Domain Users cannot RDP but Admin group users can

    Hi guys, need your urgent help. I have worked day and night on this issue. Basically, when domain users RDP to the server, they get disconnected right away after entering the domain account and password. However, if logged on using the console, I get the error message below:
    You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more information.
    I have checked a few items to remediate the issue:
    1. Checked that the RDP users group is in "Allow log on through Remote Desktop Services".
    2. Domain users are added to the local RDP users group.
    3. KB 2667402 installed.
    4. Restarted the RDP service.
    Please take note this server has RDS installed as well as Citrix client version 7.
    Evan Ting

    Hi Evan,
    Do you have any progress?
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]

  • Domain Users are not able to log in to Domain Computers - Administrators are able to do so

    I have a Primary Domain Controller and a Secondary one. The users can log in to both, as I have changed the local policy to allow Domain Users to log in.
    But I am having a problem with users who cannot log in to computers joined to the domain. I noticed that ONLY Administrators are allowed to log in locally in the policy, and if I want to add users, I am not able to do so, as Adding Users or Groups is disabled.
    Advice is appreciated.

    Hi,
    Please follow the steps below to check whether either "Allow Logon Locally" or "Deny Logon Locally" is enabled in the default policy:
    1. Go to Start -> Run -> type GPMC.MSC to open the Group Policy Management Console.
    2. In the Group Policy Management Console, right-click and edit the default policy and navigate to the node "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment".
    3. In the "User Rights Assignment" node, check whether the options "Deny log on locally" or "Allow Logon Locally" are defined and which groups are added to those options, to confirm the logon problem of domain users.
    NOTE: Also check the local policy, as you have mentioned "I have Primary Domain Controller and Secondary one, The users can log in to both as I have changed the locally Policy to allow Domain users to log in."
    Regards,
    Gopi
    www.jijitechnologies.com

  • Domain\user question

    In the Exchange setup under username it says Domain\User. Is there a convention for the Domain part? For example is this "companyname.com" or something like that? Thanks.

    If you are logged into the domain, you can open a command box by going to Start, Run, then type in whoami. It will come back as domain\username. Also, when you log into a computer on the domain, you will see a Domain drop-down menu, in which you can select the domain or yourcomputername (local machine). That is also your domain. But ActiveSync has to be enabled in your Exchange environment.

  • Remotely add Domain User to local group

    I've been playing with this for some time, and I seem to be missing something. I am trying to develop a script that reads an XML file containing a list of computers, local groups, and names of domain users (and computers) to be added to the local groups. I would like to be able to run this from a management workstation.
    I've been working from these two posts.
    http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group.aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx
    It appears that the command $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators") only works locally. I have not been able to figure out any format that allows me to get the information remotely. So I figured I would use Invoke-Command to execute the two lines of code remotely.
    Invoke-Command -ComputerName RemoteServer {
        $de = [ADSI]"WinNT://RemoteServer/Administrators,Group"
        $de.psbase.invoke("Add",([ADSI]"WinNT://Domain/User").path)
    }
    (I am trying it first with fixed, valid values - change to variables when I get things figured out.)  That gave me the error:
    Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number."
    +CategoryInfo :NotSpecified: (:) [], MethodInvocationException
    +FullyQualifiedErrorID :DotNetMethodTargetInvocation
    +PSComputerName :RemoteServer
    I need help on what to try next.
    Thanks.
    . : | : . : | : . tim

    The ADSI commands work remotely as long as you are an administrator on the domain.
    Invoke-Command only works on systems set up for WinRM remoting and if you are an Administrator on the domain.
    Normally we would use AD and GP to add users to local groups.
    Your script is also incorrect. This is the correct template.
    $remotepc='somepc'
    $de=[ADSI]"WinNT://$remotepc/Administrators,Group"
    $de.Add("WinNT://Domain/User")
    You should never add the user to the admin group. It is a formula for disaster.
    ¯\_(ツ)_/¯
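To show the answer's template applied to the poster's scenario (an XML list of computers, local groups and accounts, driven from a management workstation), here is an added example; it is not code from either participant. It assumes the caller is a local administrator on each target (the WinNT ADSI provider reaches the remote SAM over RPC, so WinRM is not required), and the computer, domain and account names in the XML are constructed. It checks current membership before adding and, following the answer's warning, refuses to touch the local Administrators group.

```powershell
# Added example, not from the thread. Assumes the caller is a local administrator
# on each target computer. All names in the XML below are constructed.
$configXml = [xml]@'
<localGroups>
  <computer name="FS01">
    <group name="Remote Desktop Users">
      <member>CONTOSO\helpdesk-rdp</member>
      <member>CONTOSO\jdoe</member>
    </group>
  </computer>
  <computer name="FS02">
    <group name="Performance Monitor Users">
      <member>CONTOSO\monitoring-svc</member>
    </group>
  </computer>
</localGroups>
'@

function Get-LocalGroupMemberPath {
    param([string]$ComputerName, [string]$GroupName)
    # The WinNT provider enumerates members through the IADsGroup.Members() COM
    # call; each member's ADsPath looks like WinNT://CONTOSO/jdoe.
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-RemoteLocalGroupMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Account   # DOMAIN\name; a computer is DOMAIN\host$
    )
    if ($GroupName -eq 'Administrators') {
        # Mirrors the answer's warning: do not hand out local admin this way.
        throw "Refusing to add '$Account' to Administrators on $ComputerName; use Restricted Groups / Group Policy Preferences instead."
    }
    $domain, $name = $Account -split '\\', 2
    $memberPath = "WinNT://$domain/$name"
    $current = Get-LocalGroupMemberPath -ComputerName $ComputerName -GroupName $GroupName
    if ($current -contains $memberPath) {
        Write-Verbose "$Account is already a member of $GroupName on $ComputerName"
        return
    }
    if ($PSCmdlet.ShouldProcess("$ComputerName\$GroupName", "Add $Account")) {
        $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
        # Same call as the template in the answer: the member is a WinNT path string.
        $group.Add($memberPath)
    }
}

# GetAttribute() is used so the 'name' attribute is never confused with the
# XmlElement.Name property.
foreach ($computer in $configXml.localGroups.computer) {
    foreach ($group in $computer.group) {
        foreach ($member in $group.member) {
            Add-RemoteLocalGroupMember -ComputerName $computer.GetAttribute('name') `
                -GroupName $group.GetAttribute('name') -Account $member -WhatIf -Verbose
        }
    }
}
```

As written the loop runs with -WhatIf, so it reads current membership from each target but only prints what it would add; drop the switch to apply. For standing membership, Restricted Groups or Group Policy Preferences Local Users and Groups (the "AD and GP" route the answer mentions) are preferable to a script that has to be re-run.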

  • Can I get the members of Domain Users group (AD specific) with JNDI?

    Hi All,
    I've found these forums very helpful and full of great information, I've been able to retrieve all members of groups that I search for (from the information on this forum), and get the member's attributes such as email addresses through that.
    The question I have is, is there a way to query the Domain Users group, since it's a special group in Active Directory, and retrieve the members of it? So far I have been unsuccessful. Here's a query I found that works on .Net:
    (|(&({ClassFilter})(memberOf={GroupDistinguishedName}))(distinguishedName={GroupDistinguishedName}))
    I haven't been able to get it to work with JNDI however. Can anyone point me in the right direction?
    thanks,
    Matt

    It's not so much that the Domain Users is a special group, it's more that because by default, all users have their Primary Group set to Domain Users, that it appears to behave differently.
    So the query that you're trying to execute via JNDI would be something like:
    String searchFilter = "(&(objectClass=user)(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com))";
    And of course, if everything has been left at defaults, it doesn't return any results.
    Similarly, if you look at the member attribute of Domain Users, it will be empty.
    Assuming the defaults, and every user's Primary Group is set to Domain Users, the following query would return all the users whose primary group is Domain Users:
    String searchFilter = "(&(objectClass=user)(PrimaryGroupID=513))";
    Note that 513 is the Relative ID (RID) for Domain Users.
    Now if you set a user's Primary Group to be something other than Domain Users, then the Domain Users group would now have a value for its member attribute and, conversely, the respective user would now have Domain Users as one of the values of their memberOf attribute.
    So then your query would be something like:
    String searchFilter = "(&(objectClass=User)(|(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com)(PrimaryGroupID=513)))";
    I guess the fundamental question is, why do you need to determine which users are members of Domain Users?
    If this is for use in an application, where the user has authenticated and you are using group membership to make authorisation decisions, perhaps the constructed tokenGroups attribute may be more useful, as it contains the Security Identifiers (SID) for all the groups the user is a member of?

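The filters in the answer above are the same whatever LDAP client issues them, so here they are in PowerShell as an added example (not the poster's or the answerer's code), generalised to any group: the RID is derived from the group's SID instead of hard-coding 513, the group DN is escaped for use inside the filter, and a second function reads the constructed tokenGroups attribute the answer recommends for authorisation decisions. It assumes the ActiveDirectory RSAT module and read access to the domain; "Domain Users" is the group from the thread.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module
# and read access to the directory.
Import-Module ActiveDirectory

function Get-EffectiveGroupMember {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    # The RID is the last sub-authority of the group SID (513 for Domain Users).
    # A user whose primaryGroupID equals this RID belongs to the group without
    # appearing in its member attribute or in their own memberOf.
    $rid = ($group.SID.Value -split '-')[-1]
    # Escape the DN for use inside an LDAP filter (RFC 4515): \ ( ) *
    $dnEscaped = $group.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    # objectCategory=person excludes computer accounts, which are also objectClass=user.
    $filter = "(&(objectClass=user)(objectCategory=person)(|(memberOf=$dnEscaped)(primaryGroupID=$rid)))"
    Get-ADUser -LDAPFilter $filter -Properties primaryGroupID |
        Select-Object SamAccountName, DistinguishedName,
            @{ Name = 'Via'; Expression = { if ($_.primaryGroupID -eq [int]$rid) { 'primaryGroupID' } else { 'memberOf' } } }
}

function Get-TokenGroupSid {
    # tokenGroups is constructed by the DC on read, so it has to be requested
    # explicitly via RefreshCache. It holds the SIDs of every group in the
    # user's token, nested groups and the primary group included.
    param([Parameter(Mandatory)][string]$UserDistinguishedName)
    $entry = [ADSI]"LDAP://$UserDistinguishedName"
    $entry.RefreshCache(@('tokenGroups'))
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        [pscustomobject]@{
            Sid  = $sid.Value
            Name = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' })
        }
    }
}

Get-EffectiveGroupMember -GroupName 'Domain Users' | Format-Table -AutoSize
Get-TokenGroupSid -UserDistinguishedName (Get-ADUser -Identity $env:USERNAME).DistinguishedName | Format-Table -AutoSize
```

The "Via" column shows which half of the filter matched each user, which makes the answer's point visible: with default settings every account arrives through primaryGroupID and none through memberOf.
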
  • Domain users creation for BizTalk server 2013 installation

    Hi all,
    I am setting up a BizTalk 2013 environment: a clustered BizTalk server and a single SQL server. I would like to know the list of domain users and domain groups to be created and which groups these users should be members of. I am also installing and would be using SharePoint to develop BizTalk interfaces.
    Thanks 
    Please Help
    Vikram

    Hi Vikram ,
    You need to create the Windows groups below in your AD before you start your BizTalk Configuration.
    1) SSO Administrators: Administrator of the Enterprise Single Sign-On (SSO) service.
    2) SSO Affiliate Administrators: Administrators of certain SSO affiliate applications. Can create/delete SSO affiliate applications, administer user mappings, and set credentials for affiliate application users.
    3) BizTalk Server Administrators: Has the least privileges necessary to perform administrative tasks. Can deploy solutions, manage applications, and resolve message processing issues.
    To perform administrative tasks for adapters, receive and send handlers, and receive locations, the BizTalk Server Administrators must be added to the Single Sign-On Affiliate Administrators.
    4) BizTalk Server Operators: Has a low-privilege role with access only to monitoring and troubleshooting actions.
    5) BizTalk Application Users: The default name of the first In-Process BizTalk Host Group created by Configuration Manager. Use one BizTalk Host Group for each In-Process host in your environment. Includes accounts with access to In-Process BizTalk Hosts (hosts processes in BizTalk Server, BTSNTSvc.exe).
    6) BizTalk Isolated Host Users: The default name of the first Isolated BizTalk Host Group created by Configuration Manager. Isolated BizTalk hosts not running on BizTalk Server, such as HTTP and SOAP. Use one BizTalk Isolated Host Group for each Isolated Host in your environment.
    7) BAM Portal Users: Has access to the BAM Portal web site.
    8) BizTalk SharePoint Adapter Enabled Hosts: Has access to the Windows SharePoint Services Adapter Web Service.
    9) BizTalk B2B Operators Group: A new BizTalk role that reduces the onus on the Administrators to perform all Party management operations. This role allows Windows users associated with the role to perform all party management operations.
    Now, coming to domain users, you can have a single or multiple-account setup where you run SSO, In-Process and Isolated hosts under different domain users. You can also run all the configuration settings under a single user as well.
    Thanks
    Abhishek

  • Domain Users are allowed by default to join domain

    Hi everyone !
    Recently I installed Windows Server 2012 Standard,
    configured Active Directory Domain Services,
    created a simple user "test1",
    then I went to a Windows 7 client and joined the domain with this "test1" user.
    And I was shocked: how is it possible that a simple domain user which is not part of any domain admin or admin group can join or rejoin the domain successfully?
    Help me get out of this: how can I restrict simple domain users from joining the domain, and why is it like this by default?

    > then i go to windows 7 client and join domain with this "test1" user.
    By default, EVERY user can join up to 10 clients to the domain.
    > and i shocked how is it possible that a simple domain user which is not
    Why shocked? What's the issue when users join computers to the domain?
    > Help me to get out of this how can i restrict simple domain user to join
    > domain and why it was by default ?
    Create a GPO, link it to the domain, move it up to above "Default Domain Policy" and configure Computer - Policies - Windows Settings - Security Settings - Local Settings - User Rights Assignment: Add Workstations to the domain.
    Martin
    Ever read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
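Martin's "up to 10 clients" is the ms-DS-MachineAccountQuota attribute on the domain object. As an added example (not Martin's code), the following reports the quota, lists the computer accounts that were created under it (the DC stamps mS-DS-CreatorSID only on accounts created by an unprivileged user through the quota, so the list shows who joined what), and lowers the quota with -WhatIf. It assumes the ActiveDirectory RSAT module and, for the change, rights to modify the domain object. The GPO user right Martin describes remains the way to delegate joining to specific groups; the quota only governs the default everyone-gets-ten behaviour.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module.
# ms-DS-MachineAccountQuota is the domain attribute behind the "10 clients" default.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    # 0 means no unprivileged user can create computer accounts through the
    # quota. Groups granted "Add workstations to domain" by GPO, or explicit
    # Create Child permission on an OU, are unaffected by the quota.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Quota = 0)
    $dn = (Get-ADDomain).DistinguishedName
    if ($PSCmdlet.ShouldProcess($dn, "Set ms-DS-MachineAccountQuota=$Quota")) {
        Set-ADObject -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
    }
}

function Get-UserJoinedComputer {
    # When a computer account is created under the quota (rather than by an
    # account holding explicit Create Child rights), the DC records the creator
    # in mS-DS-CreatorSID. Accounts without that attribute were created by a
    # privileged account. This answers "who joined what" after the fact.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            [pscustomobject]@{
                Computer    = $_.Name
                WhenCreated = $_.whenCreated
                CreatorSid  = $sid.Value
                Creator     = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' })
            }
        }
}

"Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
Get-UserJoinedComputer | Sort-Object WhenCreated | Format-Table -AutoSize
Set-MachineAccountQuota -Quota 0 -WhatIf   # remove -WhatIf to apply
```

Run the report before lowering the quota: any computer it lists was joined by an ordinary user, and the creator SID tells you whether that was expected.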

  • SDK service using domain user trying to set SPN for computer account

    I have an SDK service running under a domain user account, but it tries to register the SPN for the computer account of the machine?!
    Therefore I get the following alert:
    The System Center Data Access service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/WIN-9IAJC0HS9RJ and MSOMSdkSvc/WIN-9IAJC0HS9RJ.domainxx.local to the servicePrincipalName of CN=WIN-9IAJC0HS9RJ,CN=Computers,DC=domainxx,DC=local
    Which makes sense, because it does not have the permissions to do that.
    When I make the domain user account a member of Domain Admins it has the permissions concerned, and it indeed registers that SPN to the computer account. But why?? The SPN should be registered to the domain user account instead (and therefore I had given the domain user account the read/write permissions to itself to do that).
    I have the following SPN registered now for the computer and domain user account:
    setspn -l WIN-9IAJC0HS9RJ
    Registered ServicePrincipalNames for CN=WIN-9IAJC0HS9RJ,CN=Computers,DC=domainxx,DC=local:
            MSOMSdkSvc/WIN-9IAJC0HS9RJ
            MSOMSdkSvc/WIN-9IAJC0HS9RJ.domainxx.local
            MSOMHSvc/WIN-9IAJC0HS9RJ
            MSOMHSvc/WIN-9IAJC0HS9RJ.domainxx.local
            TERMSRV/WIN-9IAJC0HS9RJ
            TERMSRV/WIN-9IAJC0HS9RJ.domainxx.local
            WSMAN/WIN-9IAJC0HS9RJ
            WSMAN/WIN-9IAJC0HS9RJ.domainxx.local
            RestrictedKrbHost/WIN-9IAJC0HS9RJ
            HOST/WIN-9IAJC0HS9RJ
            RestrictedKrbHost/WIN-9IAJC0HS9RJ.domainxx.local
            HOST/WIN-9IAJC0HS9RJ.domainxx.local
    setspn -l domainxx\omdas
    Registered ServicePrincipalNames for CN=OMDAS,CN=Users,DC=domainxx,DC=local:
    none for this account
    I don't get it. Anyone?
    I am using SCOM 2012 R2
    Please help.
    Thanks in advance.
    Regards
    Chris

    The SCOM SDK service really tries to set its SPN on the computer account (although the SDK service is running using a domain user account). The alert is no bug!
    I know this for sure because I gave the SDK service permission to do it - by making the domain user account a member of the Domain Admins security group - and it indeed sets the SPN on the computer account.
    The latter is the actual bug, I would say! It should try to set the SPN for the domain user account the SDK service is running with.
    Then again, not having the SPN set correctly on this domain user account does not seem to bother SCOM at all. Perhaps it uses NTLM instead in this scenario.
    Can anyone confirm?
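Two checks that bear on Chris's situation, as an added example and not code from the thread: which accounts hold an SPN matching a pattern (so a glance shows when an SPN sits on the computer object while the service runs as a domain user), and whether any SPN is registered on more than one account. The MSOMSdkSvc prefix comes from the alert above; the functions work for any service. It assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Find-SpnHolder {
    # Lists every account (user or computer) holding SPNs that match the
    # pattern, with the holder's object class, so a service-account SPN that
    # landed on the computer object stands out immediately.
    param([Parameter(Mandatory)][string]$SpnPattern)   # e.g. 'MSOMSdkSvc/*'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$SpnPattern)" -Properties servicePrincipalName |
        ForEach-Object {
            $holder = $_
            $holder.servicePrincipalName | Where-Object { $_ -like $SpnPattern } | ForEach-Object {
                [pscustomobject]@{
                    Spn         = $_
                    Holder      = $holder.Name
                    HolderClass = $holder.ObjectClass
                }
            }
        }
}

function Find-DuplicateSpn {
    # Kerberos needs each SPN to map to exactly one account. When the same SPN
    # is on two objects (for instance on both the computer and the service
    # account), the KDC rejects ticket requests for it and Negotiate clients
    # fall back to NTLM where policy allows.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $holder = $_
            $holder.servicePrincipalName | ForEach-Object {
                [pscustomobject]@{ Spn = $_; Holder = $holder.DistinguishedName }
            }
        } |
        Group-Object -Property Spn |
        Where-Object Count -gt 1 |
        Select-Object @{ Name = 'Spn'; Expression = { $_.Name } },
                      @{ Name = 'Holders'; Expression = { $_.Group.Holder -join '; ' } }
}

Find-SpnHolder -SpnPattern 'MSOMSdkSvc/*' | Format-Table -AutoSize
Find-DuplicateSpn | Format-Table -AutoSize
```

setspn -X performs the same duplicate check from the command line. The NTLM fallback is why a service can appear to work with its SPN on the wrong account, which matches what Chris observes.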

  • Hide "Windows Updates Available" from domain users

    Hi,
    We're running 4 RDS 2012 servers in a load-balance pool. 
    All 4 servers have been scheduled to download and install updates at specific intervals (nightly) + reboot as well.
    I've noticed however that regular domain users also get the notification that there are "updates available" right after they log on. And they are given the option to install them. 
    Is there a way to hide/disable this notification window from domain users ?
    Kind Regards, Vincent

    In Group Policy Object Editor, expand Computer Configuration, expand
    Administrative Templates, expand Windows Components, and then click
    Windows Update.
    In the details pane, click Allow non-administrators to receive update notifications, and set this option.
    Click OK.
    Come back and mark replies as answer if they help, and help others with the same problem. If this post is helpful please vote it as Helpful on the left side.

  • Http 401 unauthorized for domain user

    I am having an issue with SCCM reporting. One particular domain user is getting a 401 error: unauthorized. The user has identical rights to the other users (based on security group membership) but gets the error when clicking on Reports > Create Report.
    In addition, the user doesn't get the default listing for the reports. Even more peculiar the user can access both the report server and manager URLs.
    Win 2008 R2 w/ SCCM 2012 and SQL server 2008 R2 (runs the reporting site role)

    What is the security role of this user? Normally, if you give the proper rights to the user in the SCCM console, SCCM will take care of the security settings in Reporting Services. Anyway, check the settings by accessing SCCMreportserver/reports
    Juke Chou
    TechNet Community Support

  • Problem in sending email to other domain users

    Hi All,
    I am using JavaMail for sending emails and am able to send to people within my Exchange server domain. The problem is I am unable to send mail to other domain users like yahoo.com, hotmail.com... the error it is throwing is *"Invalid Address"*
    Is there any special API for this to work?
    Thanks,
    Kishore

    More details, please.
    Please read the JavaMail FAQ. Post the protocol trace if you can't figure it
    out yourself.

  • Software always installs to Domain Admin account on connected PC - can't install to Domain User account

    I have completed the following steps:
    Set up Windows Server 2012 R2 Essentials successfully
    Successfully connected a Windows 8.1 Pro PC to the network by running the Essentials Connector software
    The PC has the following users: the original local account created when I installed Windows 8, the Domain Admin account created when I ran the Essentials Connector, and a Domain User created after the PC was connected to the network.
    Everything seems to be working fine. I have installed MS Office 365 Pro, Skype and various other applications while logged in as the Domain User. Every one of these installs triggered a UAC prompt, which was expected, and after entering the Domain Admin credentials the install proceeded successfully. After install, the software was available to the Domain User; shortcuts appeared in the Start Menu or Desktop, and appropriate directories were created in the Documents folder.
    All except for 3 applications: upon being prompted for permission to install, I enter the Domain Admin credentials, installation proceeds, but the software is installed to the Domain Admin account, not the Domain User account. Shortcuts appear on the Domain Admin desktop, not the Domain User account, etc. I've tried:
    Downloading a new copy of the software to the Domain User desktop & running it from there
    Right-click file, Install as Admin
    click file, Install as a different user
    Right clicking file, Properties>Compatibility & changing compatibility settings
    Right clicking file, Properties>Compatibility>Run as Administrator
    None of these options have changed the result; the software is still installed to the Domain Admin account as opposed to the Domain User account. Any idea why these 3 programs won't install correctly but everything else has? Any suggestions as to how to install the software to the profile that don't involve making the Domain User an Administrator? Thanks for any help!

    Hi voltron5,
    Many programs provide the options "install for everyone" or "just for current user" when you install them.
    Please check if there are such options during the installation process.
    If those three programs are all third-party applications, I suggest you contact the corresponding support and confirm this.
    If those three programs are Microsoft applications, would you please let me know specific information about those three applications, such as their names and so on? Meanwhile, when the installation is complete, please check whether the software path was added to the administrator environment variables or the system environment variables.
    Hope this helps.
    Best regards,
    Justin Gu

  • System DSN not visible to 'domain users', why??

    We have a Windows Server 2012 R2 Remote Desktop Services RDS farm.
    I set up a 32-bit *system* DSN properly with the 32-bit ODBC app for Crystal Reports 2011, a 32-bit app.
    When a domain user opens CR the newly created DSN does not appear in CR, though it appears for an admin user.
    Why is the system DSN not visible to the domain users per se??
    I checked the proper registry item and gave 'Domain Users' read permission to it, still no work.
    Certain users need to see the DSN so they can configure the report to talk to the proper server, database, etc.
    System DSNs are supposed to be visible/usable to all users.
    What should I do??
    Thank you, Tom

    FWIW some other DSNs are visible to CR2011 but nothing we can use; they were somehow automagically created during installation of other software.
    I've tried every way I can think of to install the DSNs (different providers, different accounts) but I still cannot get the desired DSN visible to my domain user login after opening a Crystal Reports 2011 report and clicking 'change database location'...
    I thought about and tried using a DSN-less connection string but that did not go very far... it would be usable, people could type in ID and password if they must, but I could not get it to even let that happen... I also did not quite know what the string should be; the database itself is SQL Server 2012 (11.0), I don't know the exact version OTOH.
    The Remote Desktop Services Hosts are all Windows 2012 R2... could that be the cause of the problem?? Every other server I've put system DSNs on was 2003 or 2008...
    Thank you, Tom

  • I:0#.w|domain\user showing in report

    I am creating a report in SQL Report Builder 3.0 and I have 2 columns that will be populated with a user field. I am getting the format i:0#.w|domain\user instead of just a username. How can I fix this in Report Builder?

    Hi Jim_JNCIP,
    According to your description, you have a field/parameter whose format is "domain\user", and now you want to cut out the user only. Right?
    In this scenario, we can use Instr() function to get the index of "/" first, then use Right() function to get substring. Please try the expression below:
    =Right(Fields!User.Value, Len(Fields!User.Value) - InStr(Fields!User.Value, "\"))
    Reference:
    Expression Examples (Report Builder and SSRS)
    If you have any question, please feel free to ask.
    Best Regards,
    Simon Hou
