Random Domain Computers Refuse All Logins

For the past week, each morning we've had 1 user that couldn't log onto their computer. All users' workstations are running Windows 8.1, and our DCs are on Server 2012 R2. Each morning one of the computers simply won't allow any login. It shows "wrong username or password". Even if we attempt to log in with the domain administrator to the computer it gives the same error. It refuses all logins.
Checking the event log, there's nothing too out of the ordinary, no red flags or anything. This morning we had 3 computers with this error. The computers are always different. One has never repeated the bug.
Perhaps the strangest part is that if we hard reboot the system once or twice, the problem goes away, and the user can log in normally. I don't know if it could be linked to some Windows update that's either in the process of installing or requires a reboot or something strange?
Thanks in advance for any help. I know this is kinda vague, but I'm hoping someone can start pointing me in the right direction.

Hi,
Where is the password stored? In the AD database or the SAM database? According to your description, it seems like there is some problem with password authentication. Please check the connection with AD when you are trying to log on to the system.
Roger Lu
TechNet Community Support

Similar Messages

  • How to avoid non-domain computers to login to the wireless

    Hi, please help, it's killing me! It's not pure Cisco but I'm sure you guys might have some solution in your mind.
    I want only domain computers plus one OU (Staff) to be able to connect to our network. I am trying to restrict mobile phones (iPhone and Android) and personal laptops from connecting to our wireless network.
    We use a Windows-based NPS. It is currently set to allow anyone to connect with their domain computer OR domain username.
    So to the Network Policy I added "Domain Computers" (using "Windows Groups", I also tried "Machine Groups") within the Conditions tab.
    I tested to see if a laptop could still connect and it could not.
    I have tried many many different combinations within the conditions tab to try and get this working but to no avail.
    1. just having "domain computers" (either windows or machine groups)
    2. having domain users and domain computers (with all combinations of windows/machine/users groups)
    3. I even tried Operating system conditions
    These are all set in "And" values, if set to OR (in combination with Domain Users) then the laptop connects, but then so does the phone.
    Regards?

    I have got somewhere!!! The problem is I'm not so confident about it!
    Firstly, thanks everyone, especially Scott.
    Now I set the NPS policy to be "Computer Domain" & "Staff OU", then on the Wireless group policy I set it only for "Computer domain". All authenticated users can log on to our domain laptops. No one can connect to our network with phones or other devices because they are not joined to the domain. Those special people's phones and devices can still connect to the network if their user is in "Staff OU".
    I gave up on Cisco! I created a ghost VLAN and tried to use "Local Profiling" to put whatever Android or iPhone devices were available on that ghost VLAN, resulting in disconnecting them, but the device is so stupid that it couldn't recognize Androids and iPhones! It worked only for iPads, but the rest weren't recognizable by the Cisco WLC.

  • Can I recover all my Active Directory domain computers and users from IFM and incorporate them in a new forest?

    My only Active Directory server, on Windows Server 2008 R2 with one domain controller, crashed today. The only backup that I had was IFM media.
    So what I have done until now to recover it is as follows:
    I reinstalled Windows Server, but this time it is Windows Server 2012. I added the AD DS role to it and promoted it to domain controller (functionality level is 2008 R2).
    On a second server I installed Windows Server 2008 R2 and am trying to add an additional domain controller from IFM to recover all of my domain users, computers and GPOs, but I am getting this error:
    Could not replicate the directory partition CN=schema, CN= configuration, DC=XXX, DC=com from the remote domain
    the naming context specified for this replication operation is invalid
    I don't know whether my approach is correct or not,
    but my simple question is:
    Can I recover all my domain computers and users from IFM and incorporate them in a new forest? If yes, how can I do that? Urgent help required.

    Yup, exactly. I created a new domain (in a new forest) with the same previous name in Windows Server 2012 on SERVER-1. As the IFM file that I had was generated from 2008 R2, on the second server I installed Windows 2008 R2 and tried to add the role of additional domain controller from the IFM file on SERVER-2 using dcpromo /adv. Every step went OK, but in the last step, when it starts replicating domain controllers, it pops up the following error:
    Could not replicate the directory partition CN=schema, CN= configuration, DC=XYZ, DC=com. .  .
    and rolls back everything.

  • Help me urgently please, impossible to open my MacBook Air, sometimes it refuses my login, sometimes it goes further but the screen is never loaded completely, it goes off before, and it takes hours for all that; until then it had been perfect...

    I'm having problems opening my Mac. Sometimes it refuses my login several times; when I insist it starts, very slowly, but it never gets to the end, it doesn't load the screen completely. Can you help me? Thank you.

    BTW (speaking as a Dad of 3 daughters in Grad school) if you don't already have and use a DropBox account, or some other similar online "cloud" based backup of your school documents, you should start doing so immediately. By keeping all of your important documents in the Dropbox folder on your computer, you have instant access to them from any other computer (or iPad), should you be w/o your computer while in for repairs (or if, God forbid, it is stolen). It's free for 2 GB of online storage, which is more than enough for a few years worth of Word documents, etc. (If you get other people to sign up via your email "invitation", then Dropbox gives you even more free storage space.) Every time you close a document, it is updated on the Dropbox servers (encrypted), if it is in the Dropbox folder (assuming you give it a few seconds to update before turning off your computer). Do a google search of "Cloud based storage comparisons" to compare the amount of free space each of the competing services give you.

  • Send message for all domain computers

    Hi, I am from Spain, excuse my bad English.
    I have 1200 client computers in my 2008 R2 domain.
    I want to send an instant message to all powered-on computers in my domain.
    How can I do it?
    Any software?
    I want to do it multicast-style.
    Thanks in advance.

    This script developed by Chris Carter may come in handy. It uses PowerShell to send your message to domain computers.
    Message Center GUI using msg.exe
    Regards.
    Mahdi Tehrani
    If I'm not wrong you will be able to use the script mentioned provided that Windows Remote Management (WinRM) has been configured on the remote computer.
    Check out this link for a simple way to send a message to a single client and try to experiment from there:
    Show Remote Notifications on client PCs

  • How can I deploy EFS using Group Policy and automatically encrypt computers for ALL users who login?

    How can I deploy EFS using Group Policy and Active Directory with a goal to automatically encrypt computers for ALL users who login? (NOT an option for me to use BitLocker)
    I was asked to deploy EFS to encrypt the user's My Documents folder and profile on all of the users' laptops. The laptops are in common areas (board meeting rooms, etc.) and security of files is a must.
    I successfully created a recovery certificate in AD. I created an OU and set up an EFS policy, and users can now log in and select to encrypt their own files. The issue is that management would like to have ALL users' My Documents encrypted AUTOMATICALLY when a user logs in.
    Can this be done?
    Please help

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support

  • Lync 2013 credentials problems on domain computers

    Hi folks,
    We are having trouble with Lync 2013 and credentials on our domain computers. We have been using Office 365 and Outlook for our email for a couple years and it has worked well enough, so recently we decided we wanted to start using Lync as well. We deployed the Office 365 Pro Plus suite available to us through our Office 365 subscription and signed in. The first sign-in went as expected. It asked for a username and password, asks if it should remember those credentials for next sign-in (yes), then connects and everything with Lync itself functioned normally. Subsequent sign-ins have not been normal.
    When a user restarts their computer and launches Lync it remembers their user name but not their password. Once they type their password in it asks if it should remember those credentials for next sign-in again, then connects. If a user exits and re-launches Lync without restarting it remembers their credentials and signs in properly, but then immediately a popup box appears saying that "Credentials are required" in order for Lync to get calendar information from Outlook ( http://i.imgur.com/hqcK426.png ).
    We know the problem is only happening with computers on our domain, but we don't know why. I tested things out on my home desktop and network by installing Office 365 Pro Plus, setting up Outlook, and then Lync. Both Outlook and Lync auto-discovered everything normally after getting my credentials and Lync behaves as expected every time the program launches. I then brought my personal laptop in and tried the same thing on my work network to see if it is network related, but Lync behaves normally on that computer as well.
    I originally worked on the problem at the Office 365 Community Forums ( http://community.office365.com/en-us/f/166/t/246014.aspx ), but after we isolated the problem to something with the domain computers I was told that they could not help me any further and was referred here. Does anyone have any ideas as to what is keeping Lync from behaving properly on our domain computers? We have a mix of Windows 7 x64 and Windows 8.1 x64 computers, all joined to the same domain and with the same basic suite of software.
    Thanks,
    ~Misharum
    PS: How do I verify my account? The outlook.com email address has been verified, but I don't see anywhere to do verification in my TechNet profile here.

    Yeah, the clients are fully patched. I put a support ticket in through Office 365 and the rep there was able to help me. It ended up being two separate problems.
    1. Lync was not remembering my credentials to automatically log me in between restarts:
    Installed the latest version of the Microsoft Online Services Sign-In Assistant.
    2. After signing into Lync another popup appeared asking for credentials again to access calendar information (two steps to solve this one).
    In Active Directory Users and Computers, open up the properties of each affected user, go to the Attribute Editor tab, find and double click the proxyAddress attribute, and add in sip:[email protected] where the userid is the user's login name and domain.com is your domain. I'd imagine this is scriptable in PowerShell but I don't know enough to do it.
    Then on the computer that the users will be using, while the user is logged in, add a dword of NoDomainUser = 1 in the registry at HKCU\Software\Microsoft\Office\15.0\Common\Identity. The most sensible way to do this in my mind is with a group policy so it will get written to each user's registry under their profile when they log in.
    After doing all of this Lync remembered my credentials between restarts, signed me in automatically, and only gave that credentials popup on the first sign-in after applying both changes in step 2.
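
    The two changes from step 2 of the answer above, scripted. This is an added example, not part of the original post or of Microsoft's guidance. It assumes the RSAT ActiveDirectory module; the function names, `$SearchBase` and `$SipDomain` are hypothetical, and the directory attribute's LDAP name is `proxyAddresses`.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Add-SipProxyAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Placeholder OU to limit the change to the affected users,
        # e.g. 'OU=Staff,DC=example,DC=com'.
        [Parameter(Mandatory)][string]$SearchBase,
        # The "domain.com" part described in the post.
        [Parameter(Mandatory)][string]$SipDomain
    )

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties proxyAddresses |
        ForEach-Object {
            $user = $_
            # "userid" in the post is the user's login name.
            $sip = 'sip:{0}@{1}' -f $user.SamAccountName, $SipDomain

            # proxyAddresses is multi-valued. Leave users that already carry a
            # sip: entry alone instead of adding a second, conflicting one.
            $existing = @($user.proxyAddresses | Where-Object { $_ -like 'sip:*' })
            if ($existing.Count -gt 0) {
                [pscustomobject]@{
                    User   = $user.SamAccountName
                    Action = 'Skipped'
                    Value  = $existing -join ';'
                }
                return   # next user
            }

            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add $sip to proxyAddresses")) {
                Set-ADUser -Identity $user -Add @{ proxyAddresses = $sip }
                [pscustomobject]@{
                    User   = $user.SamAccountName
                    Action = 'Added'
                    Value  = $sip
                }
            }
        }
}

function Set-NoDomainUser {
    # Per-user value from the post. Run in the user's own session (for example
    # as a logon script), because it writes to HKCU.
    $path = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    New-ItemProperty -Path $path -Name NoDomainUser -PropertyType DWord -Value 1 -Force | Out-Null
    # Return the stored value so the caller can confirm the write.
    (Get-ItemProperty -Path $path -Name NoDomainUser).NoDomainUser
}

# Dry run first: lists what would change without writing to the directory.
# Add-SipProxyAddress -SearchBase 'OU=Staff,DC=example,DC=com' -SipDomain 'example.com' -WhatIf
```

    Running with `-WhatIf` before the real run shows which accounts would be modified, and the returned objects give a record of which users were changed and which already had a SIP address.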

  • Websites will not open. Domain computers. Not Firewall, Not Cookies. Seems to be just domain computers cannot open 90% of websites.

    I have a few domain computers that cannot open any webpages; 90% will not open. MSN, CBS, ABC, NBC: none of these pages will open. Nothing loads on the page, it says connecting to.. If I click work offline, the page will load minus any video or pictures. Just the format and wording appear.
    I have cleaned cookies, reset to default, safe mode, rebooted, checked the firewall, checked the domain controller, re-installed, turned off IPv6; I followed every troubleshooting guide I can find. I checked the network settings, checked proxy, checked DNS. If I click help and try to get an update from Firefox, it just sits there at like 2.5 KB and says downloading forever.
    The pages will sit there and spin for hours. No error, no timeout.. just says connecting to ....(whichever page).

    Hello, any luck in [http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true windows safe mode] ?
    thank you

  • Scom monitoring non domain computers

    Hello experts,
    I have SCOM 2012 and want to monitor non-domain computers (servers in DMZ).
    I have created a new template on the CA server, then created new certificates for the DMZ server and the SCOM RMS server.
    Now I have a connection between the two servers, but there is an authentication error.
    Here are the logs.
    Please help.
    Log from DMZ computer:
    Log Name:      Operations Manager
    Source:        OpsMgr Connector
    Date:          29/09/2014 10:54:51
    Event ID:      20071
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SRV-AB-WWW1.somebank.am
    Description:
    The OpsMgr Connector connected to scom.somebank.am, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    Event Xml:
    <Event xmlns="">
      <System>
        <Provider Name="OpsMgr Connector" />
        <EventID Qualifiers="49152">20071</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-29T06:54:51.000000000Z" />
        <EventRecordID>2163</EventRecordID>
        <Channel>Operations Manager</Channel>
        <Computer>SRV-AB-WWW1.somebank.am</Computer>
        <Security />
      </System>
      <EventData>
        <Data>scom.somebank.am</Data>
      </EventData>
    </Event>
    scom rms computer
    Log Name:      Operations Manager
    Source:        OpsMgr Connector
    Date:          29/09/2014 11:18:57
    Event ID:      21010
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SRV-SCOM1.somebank.local
    Description:
    The OpsMgr Connector negotiated the use of mutual authentication with 192.168.169.40:53552, but Active Directory is not available and no certificate is installed. A connection cannot be established.
    Event Xml:
    <Event xmlns="">
      <System>
        <Provider Name="OpsMgr Connector" />
        <EventID Qualifiers="49152">21010</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-29T07:18:57.000000000Z" />
        <EventRecordID>1269145</EventRecordID>
        <Channel>Operations Manager</Channel>
        <Computer>SRV-SCOM1.somebank.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>192.168.169.40:53552</Data>
      </EventData>
    </Event>
    telnet to 5723 port from dmz server to scom rms server is ok

    PS C:\Users\administrator.AMERIABANK>  C:\Users\administrator.AMERIABANK\Desktop\1.ps1
    This script will inspect Local Machine certificate
    store and registry settings. This will take several seconds...
    Script will check certificates to match the following requirements:
            Subject equals computer FQDN
            Certificate is time valid
            Certificate has private key and it supposed for computer certificate
            KeySpec is set to 1
            Certificate Application Policies (in former EKU) contains both Server and Client Authentication
    WARNING: OpsMgr Agent is already configured to work with certificate, but this certificate don't exist in
    WARNING: LocalComputer store or not match all certificate requirements.
    To resolve this issue, obtain new certificate from trusted Certification Authority
    using the following instructions: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5
    and install it by running the following command: MOMCertImport /Subject SRV-SCOM1.ameriabank.local
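
    The five requirements listed in the script output above can be checked per certificate as follows. This is an added example, not the 1.ps1 script the poster ran and not part of Operations Manager; the function names are hypothetical, and it assumes Windows PowerShell and that the agent certificate sits in the LocalMachine\My (Personal) store.

```powershell
# Added example (not the script quoted above).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ComputerFqdn {
    # Host name plus primary DNS suffix; works for workgroup (DMZ) machines too.
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($ip.DomainName) { '{0}.{1}' -f $ip.HostName, $ip.DomainName } else { $ip.HostName }
}

function Test-AgentCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Fqdn = (Get-ComputerFqdn),
        [datetime]$Now = (Get-Date)
    )

    # Requirement: subject equals computer FQDN (compare the subject's CN).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Certificate.GetNameInfo($nameType, $false)

    # Requirement: application policies contain both Server and Client Authentication.
    $eku = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $eku += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Requirement: KeySpec is 1 (AT_KEYEXCHANGE). Only CSP-backed keys expose
    # this; a CNG-backed or unreadable key leaves $keySpec as $null and fails.
    $keySpec = $null
    if ($Certificate.HasPrivateKey) {
        try {
            $csp = $Certificate.PrivateKey.CspKeyContainerInfo
            if ($csp) { $keySpec = [int]$csp.KeyNumber }
        } catch {
            $keySpec = $null
        }
    }

    $checks = [ordered]@{
        SubjectIsFqdn      = ($cn -ieq $Fqdn)
        TimeValid          = ($Now -ge $Certificate.NotBefore -and $Now -le $Certificate.NotAfter)
        HasPrivateKey      = $Certificate.HasPrivateKey
        KeySpecIs1         = ($keySpec -eq 1)
        EkuServerAndClient = (($eku -contains $ServerAuthOid) -and ($eku -contains $ClientAuthOid))
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Checks     = [pscustomobject]$checks
        Usable     = -not ($checks.Values -contains $false)
    }
}

# Evaluate every certificate in the machine's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-AgentCertificate -Certificate $_ }
```

    Run it on both the DMZ agent and the management server: mutual authentication needs a certificate with `Usable = True` on each side, and the `Checks` column shows which requirement a rejected certificate fails.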

  • Restrict non-domain computers

    Does anyone know if it is possible to restrict access based on domain membership or an AD Group?
    The purpose is to restrict non-domain computers even if the client has a legitimate domain credential to use for authentication.

    That is correct. The only way to restrict these computers would be to make a rule (above your auth group policies), that states the specific IPs / subnets are granted certain / no access.
    As long as the rule is above all your auth rules, it will trigger first and take precedence. Be sure to disable WBRS for this rule as well, since there is a potential for +6 sites to be allowed.

  • Non Domain Computers Becoming Master Browser

    Hello,
    I am troubleshooting an issue with the master browser service when an external user connects his workgroup laptop to our domain network and wins the election.
    The network consists of a domain controller which has the following registry settings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster = True
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList = Yes
    All the client computers that are connected to the domain have IsDomainMaster = False and MaintainServerList = No.
    When an external user connects to the network with a laptop that isn't part of the domain it causes a master browser election and wins. All the servers and client computers list only media devices instead of all the computers and servers on the network.
    Is there a way to prevent non domain computers from becoming the master browser without changing registry settings on that computer?
    Thanks
    Jon

    Hello,
    The TechNet Wiki Forum is a place for the TechNet Wiki Community to engage, question, organize, debate, help, influence and foster the TechNet Wiki content, platform and Community.
    Please note that this forum exists to discuss TechNet Wiki as a technology/application.
    As it's off-topic here, I am moving the question to the Where is the forum for... forum.
    Karl

  • Non-Domain computers via VPN

    I am not sure if this is the right forum for this. I have some non-domain devices that are coming in to my network via VPN (VPN client). Can someone tell me how to deny these non-domain devices coming in to my network? Is there a configuration in the VPN concentrator to deny non-domain computers? Please advise.

    Did you deploy IPsec in your VPN network? If not, just deploy IPsec on all the peers and the VPN server.
    IPsec is a 2-phase VPN security provider. IPsec along with IKE provides double-level security.
    With IPsec, we configure some security parameters like hostname or remote IP address, pre-shared key etc. on both ends (server and peer). When a non-domain client tries to access your VPN, the VPN server may authenticate the incoming client using either IP address or hostname, and it will contact an AAA server or its own database to validate the user.
    If you are using an external server for validating the incoming users, you must go for an external AAA server.
    For complete details on deploying VPN with IPsec, see:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1045493

  • Default printer on domain computers changes when print spooler is restarted

    Hi.
    It has been brought to my attention that all of my Windows 8.1 machines on our domain change their network default printers when the print spooler is restarted. Printers are being assigned by group policy, using the print management tool, as Branch Office Direct IP printers.
    A little bit of research indicates that the default printer is changing "BY DESIGN!!!???" to the last printer being assigned in the OU. Gotta say....if this is by design, it's a bad design! As well as unacceptable. Then I discover that the default printer precedence is something like 1. Locally installed printers, 2. Software installed printers, 3. Network printers in reverse order that they are assigned in the OU. COME ON!! I.e., changing the order of assignment in the OU is useless because local printers and software installed printers are still taking precedence, and on every log in the users' default printers are being changed to something as useless as WebEx Document Loader.
    I know this is a radical thought.....but how about if the default printer stays set to whatever the user sets it to?? That way, they won't hate me and curse me. Selfish, I know.
    I am shocked by the lack of information that I am finding for this simple and sensible option, and am accordingly losing faith in Microsoft by the day, and beginning to feel that the end really is nigh for this platform, because I seriously don't appreciate absorbing hostility that is better directed at them, and self-preservation instincts do eventually kick in.
    Can somebody tell me how to prevent user selected default network printers on domain computers from changing when the users log off, before the lynch mob gets here?
    To be clear, these are domain computers.  Users are not administrators.  Printer assignments are made via group policy.  Users do not wear glass slippers (so solutions requiring manipulation of special footwear will not be effective).  
    THANKS

    Hi,
    Please refer to this similar thread Althornin's solution to add the registry to see if it could be fixed.
    Go and edit the users registry hive:
    HKEY_USERS\USERS_SID_HERE\Printers\Connections
    Found old printer connections there that were no longer valid.  Upon clearing those out, after a reboot, the problem went away.
    I also cleared out the HKEY_USERS\USERS_SID_HERE\Printers\Settings key - the users had old printer setting sid there also.
    https://social.technet.microsoft.com/Forums/windows/en-US/316fd408-4957-43b1-92e3-8dda96dcdded/default-printer-keeps-changing
    Karen Hu
    TechNet Community Support

  • How to Find Which Programs running in my Domain Computers

    How to Find Which Programs running in my Domain Computers.

    In addition, there are other third-party tools you can use. Here is a script from the TechNet Scripting Gallery:
    List All Installed Software
    Returns a list of all software installed on a computer, whether or not by Windows Installer. This script reads installed applications from the registry. (See Richard Mueller's comment on how to output it to a CSV file)
    http://gallery.technet.microsoft.com/scriptcenter/8035d5a9-dc92-436d-a60c-67d381da15a3/view/Discussions
    Of course that's just running it against one computer. There's also a script in the above link (scroll to the bottom) that will find installed software on a list of computers in a network and also detect the defined forbidden installed software, and another script that will uninstall that software remotely.
    Overall however, if you want to do this network wide with a much easier method (although more complex to set up), I agree with using SCCM or Spiceworks. There is also Altiris, and a number of other third party solutions that you can use.
    Maybe if you can provide more specific information on the end result of the solution you are looking for, we can provide more specifics to help you.
    Ace Fekay

  • Network Access Account, used by only Workgroup Computers or Domain Computers also?

    Our environment has a few servers that are in a workgroup (not ideal, but is an application requirement on these few boxes) rather than being on the domain. We have to patch these servers routinely and would like to use SCCM 2012 to do so. As I understand it all that is needed is to configure the Network Access Account for the site and install the client manually on the workgroup computers, correct? My next question is, do the domain computers continue to use their computer accounts to access network locations during content deployment or will they too use the newly configured network access account? Or, does the client first attempt to use its computer account and if that fails then resorts to using the SCCM Network Access Account? I've searched everywhere and can't seem to find this info. Thanks in advance if you can point me in the right direction.

    Hi,
    I haven't seen any table like this for the Configuration Manager 2012 so this is for 2007, I haven't heard of any changes to this and the conclusion is that the account is used more often than you would think depending on what you are doing with the client.
    http://technet.microsoft.com/en-us/library/bb680398.aspx
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec
