Win7 PC w/ new Active Directory user not able to logon to Win 2K Domain

Similar Messages

• Active Directory users not made member of Local Network group

  Hi all,
  I've just done a clean install from 10.6 Server to 10.8.4.
  The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
  The Setup:
  In Groups in Server.app under Local Network Group I have created a group call "AccessServer"
  Members in that group are:
       - AD-Domain User Group (so should be all users in the domain)
       - MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
       - AD User 1
       - AD User 2
       - AD User 3
  The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
  The Behaviour:
  AD User 1 can access AFP and other services as expected.
  AD User 2 and 3 cannot.
  Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
  Yet other users within AD-Domain User Group or netaccounts cannot
  Furthermore: 
  If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group.  I can still login with that account!
  Diagnosis:
  I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
  >dseditgroup -o checkmember -m ADUser1 accessserver
  yes ADUser1 is a member of accessserver
  >dseditgroup -o checkmember -m ADUser2 accessserver
  no ADUser2 is NOT member of accessserver
  >dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
  yes ADDomainUser/netacc is a member of accessserver
  >dseditgroup -o checkmember -m n accessserver
  no ADUser2 is NOT member of accessserver
  When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
  2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
  I get the same results even after removing the user from the Groups screen!
  Failed Solutions
  - As we are a large AD I've tried specifying specific Active Direcotry servers that might better be able to find the users in question and authenticate.
  - I've let the system just sit, in hopes delayed replication would solve the problem overnight.
  - I've deleted and recreated the groups.

  Upon further investigation we have discovered:
  a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
  b)  This is NOT limited only to MacOS X Server 10.8.  The same behaviour is occuring on a long-running 10.6 server as well.
  c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually.  If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
  d) Which users are allowed and which are not is unclear and appears generally random.  We have found 3 'classes' of users:    
            1 - those that are successfully becoming members every time.
            2 - those that are intermittent members.  Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
            3 - those that are never successfully admitted as a member.
  So the problem is both Apple's and Windows in that:
  Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
  Windows:  Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
  Really hoping people have some ideas on this.  This system of nested groups or individual user access is something we have of course being using for many years.  So this is a major setback.

• Logging into weblogic console using Active directory users?

  Hi,
  We developed a portal application using BEA 8.1 by getting users from embidded LDAP provided with the weblogic server.Now we need to access the users accounts stored in active directory.we configured new active directory authenticator and able to see the user and group names in the weblogic console. when we try to login to the console using one of the active directory user names, we are unable to login.
  I would be thankful if any one can help on this.
  Thanks & Regards
  Surendranath Reddy

  Hi Surendranath,
  I am trying to attempt the same task, but have been unsuccessful so far. If you have had any luck with this, please let me know.
  I can get MS AD to work just fine in the Security Provider and it works via the developers application, but I cannot login using the Active Directory users from the Admin Console.
  Thanks,
  Kevin.

• Building a Basic Runbook to disable a Active Directory User who has not logged in for 90 days.

  I am new to Orchestrator.  I am using Orchestrator 2012 R2 on a Hyper-V running Server 2008.  I have been trying to set up a Runbook to sweep AD for user accounts that have not logged in for 90 days and have those accounts automatically disabled
  and moved to another OU.  However, I would be happy just to have the account just be disabled.  If you need any more info or I have posted in the wrong forum, please let me know.  
  Thanks

  Hi,
  there is no SCO Activity to do this.
  Problem with this is, the LastLogedOn Times are not synced between DomainControllers.
  Best will be you take a look at this PowerShell Script
  http://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
  and change it to your needs
  Seidl Michael | http://www.techguy.at |
  twitter.com/techguyat | facebook.com/techguyat

• "Domain Users" group in Active Directory does not belong to any Group Membership in LC

  Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
  Any way to correct this issue, without changing group membership on AD side?
  If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
  Thanks.

  If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
  Coming back to Domain Users group. For determining group membership in AD UM uses "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users and normally members of the primary group are not specified using the member attribute.So when we sync the data from AD "Domain Users" membership does not get completed.

• Not able to open active directory user and computer in windows server 2008r2

  Hi All techies,
  i would like to know one issue which i am facing mostly, i have created 5 virtual machine all with window server2008r2 and one windows 7 on vm-ware now when ever i start my virtual machines everything going rite but when i try to open active directory user/
  computer or domain and trust i get a following error "data from active directory user and computers is not available from dc(null) bcoz unspecified error" even when i chk in events log its give me no help, and after 15-30 min everything works good
  Please let me know the cause of it and really appreciate it .
  Thanks
  Atul

  You need to ensure that
  1. group policy that says "wait for network before logon" is applied to all computers including servers and workstations is applied
  2. DNS record exists for all DCs in DNS
  3. If there are multiple Domain Controllers in Forests, then they point them as secondary DNS server. This way they will be able to resolve IPs if local DNS server service takes time to start.
  As Chris mentioned, you need to start all DCs first, give a time of 5 minutes and then start member servers and workstations for successful logon.
  - Sarvesh Goel - Enterprise Messaging Administrator

• Active directory users and computers wont start on a dc, "the server is not operational"

  In our environment, we have 3 dc's 
  two which run server 2008 (they work perfectly)
  and one never off branch dc that runs server 2008 r2.
  We have been having some problems where we feel the replication isnt up too speed(stuff could take up to 24 hours to replicate) and now when i tried opening active directory users and computers i am met with this error window:
  We have a third party DNS solution.
  How do i troubleshoot this issue?

  dc01 (which replicates perfectly with dc02, and vise versa)
  dcdiag /test:dns
  C:\Users\adminuser>dcdiag /test:dns
  Domain Controller Diagnosis
  Performing initial setup:
  Done gathering initial info.
  Doing initial required tests
  Testing server: Hostingpartner\ourdc01
  Starting test: Connectivity
  ......................... ourDC01 passed test Connectivity
  Doing primary tests
  Testing server: Hostingpartner\ourdc01
  DNS Tests are running and not hung. Please wait a few minutes...
  Running partition tests on : ForestDnsZones
  Running partition tests on : DomainDnsZones
  Running partition tests on : Schema
  Running partition tests on : Configuration
  Running partition tests on : int
  Running enterprise tests on : int.domain.com
  Starting test: DNS
  Test results for domain controllers:
  DC: ourdc01.int.domain.com
  Domain: int.domain.com
  TEST: Delegations (Del)
  Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
  Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
  Summary of test results for DNS servers used by the above domain controllers:
  DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
  2 test failures on this DNS server
  Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
  Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
  Summary of DNS test results:
  Auth Basc Forw Del Dyn RReg Ext
  Domain: int.domain.com
  ourdc01 PASS PASS PASS FAIL n/a PASS n/a
  ......................... int.domain.com failed test DNS
  dcdiag on dc01(which can replicate with dc02)
  C:\Users\adminuser>dcdiag
  Domain Controller Diagnosis
  Performing initial setup:
  Done gathering initial info.
  Doing initial required tests
  Testing server: hostingpartner\ourdc01
  Starting test: Connectivity
  ......................... OURDC01 passed test Connectivity
  Doing primary tests
  Testing server: hostingpartner\ourdc01
  Starting test: Replications
  [Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
  Win32 Error 8453.
  ......................... OURDC01 failed test Replications
  Starting test: NCSecDesc
  ......................... OURDC01 passed test NCSecDesc
  Starting test: NetLogons
  [OURDC01] User credentials does not have permission to perform this operation.
  The account used for this test must have network logon privileges
  for this machine's domain.
  ......................... OURDC01 failed test NetLogons
  Starting test: Advertising
  ......................... OURDC01 passed test Advertising
  Starting test: KnowsOfRoleHolders
  ......................... OURDC01 passed test KnowsOfRoleHolders
  Starting test: RidManager
  ......................... OURDC01 passed test RidManager
  Starting test: MachineAccount
  ......................... OURDC01 passed test MachineAccount
  Starting test: Services
  ......................... OURDC01 passed test Services
  Starting test: ObjectsReplicated
  ......................... OURDC01 passed test ObjectsReplicated
  Starting test: frssysvol
  ......................... OURDC01 passed test frssysvol
  Starting test: frsevent
  ......................... OURDC01 passed test frsevent
  Starting test: kccevent
  ......................... OURDC01 passed test kccevent
  Starting test: systemlog
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:04:29
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:04:50
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:10:56
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:11:17
  (Event String could not be retrieved)
  ......................... OURDC01 failed test systemlog
  Starting test: VerifyReferences
  ......................... OURDC01 passed test VerifyReferences
  Running partition tests on : ForestDnsZones
  Starting test: CrossRefValidation
  ......................... ForestDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... ForestDnsZones passed test CheckSDRefDom
  Running partition tests on : DomainDnsZones
  Starting test: CrossRefValidation
  ......................... DomainDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... DomainDnsZones passed test CheckSDRefDom
  Running partition tests on : Schema
  Starting test: CrossRefValidation
  ......................... Schema passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... Schema passed test CheckSDRefDom
  Running partition tests on : Configuration
  Starting test: CrossRefValidation
  ......................... Configuration passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... Configuration passed test CheckSDRefDom
  Running partition tests on : int
  Starting test: CrossRefValidation
  ......................... int passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... int passed test CheckSDRefDom
  Running enterprise tests on : int.domain.com
  Starting test: Intersite
  ......................... int.domain.com passed test Intersite
  Starting test: FsmoCheck
  ......................... int.domain.com passed test FsmoCheck
  The problematic dc03:
  Dcdiag gives the same output as dcdiag /test:dns
  C:\Users\adminuser>dcdiag
  Directory Server Diagnosis
  Performing initial setup:
  Trying to find home server...
  Home Server = OURDC03
  Ldap search capabality attribute search failed on server NTSDC03, return
  value = 81
  We have an infoblox dns server on ip address xxx.y.y.251.
  first error in event logs on dc03:
  error 1863
  This is the replication status for the following directory partition on this directory server.
  Directory partition:
  CN=Configuration,DC=int,DC=domain,DC=com
  This directory server has not received replication information from a number of directory servers within the configured latency interval.
  Latency Interval (Hours):
  24
  Number of directory servers in all sites:
  2
  Number of directory servers in this site:
  2
  The latency interval can be modified with the following registry key.
  Registry Key:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
  To identify the directory servers by name, use the dcdiag.exe tool.
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
  i have also go several warning 2088, 2093, 2087.
  And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones

• Active Directory Users and Computer not displaying column data?

  I am running Windows 8.1 Enterprise with RSAT installed.  My Domain controllers are Server 2008 R2.
  I am having and issue with Active Directory Users and Computers.  Typically I will turn on Advanced Features and then add Columns for Email address and Display Name.  This for example allows me to easily export lists of users and there email
  addresses among other things.
  The issue is that on my Windows 8.1 client, the columns for Email and Display Name are empty.  It simply will not display this information.  It only displays Name, TYpe and Description.
  If I use a Windows 7 client, the information displays correctly.
  Has anyone run into this issue or heard of this problem when using ADUC on Windows 8.1?

  ADUC is an AD tool that is no longer being improved, with Microsoft now focusing on ADAC (Administrative Center). In 8.1, it has improved quite a bit since 7. You can also just try using the
  ActiveDirectory PowerShell Module, which is easy to use and fairly powerful. It can be simple to export lists, and the module for AD is included with RSAT tools.
  Example:
  Import-Module ActiveDirectory
  Get-ADUser -Filter {Manager -eq "John.Smith"} -Properties DisplayName,Mail | Export-Csv dump.csv -NoTypeInformation
  So, recommendation: either use ADAC, or PowerShell -- ADUC is part of the wave of deprecation.

• Can not open Active Directory Users and Computers

  Problem Reported:
  Out of the blue this has started happening:
  When I go to "Active Directory Users and Computers" I get this message.
  "MMC cannot open the file C:\WINDOWS\system32\dsa.msc.
  This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.
  Additional information:
  This is a server that has been in use for 2+ years with active directory users that can and do login everyday.
  As far as I know the system has no backup.
  dsa.msc IS located in the system32 folder
  I am using the administrator account.
  OS:
  Microsoft Windows Server 2003 R2
  Standard x64 Edition
  Service Pack 2
  Please help with detail. Thank you.

  Have you tried to uninstall ADUC administrative tool and re-install it again? If no, please give a try. 
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site

  Have an existing ex2010 sp3 organization.
  Could not run ex2013cu1 setup from my newly built 2012 server, getting the error in the subject line.  I used the command line to run the AD preparation steps successfully from my 2012 DC/GC, then tried to run setup again from the new 2012 server and
  still get the same error.  The error itself in the log is pretty useless:
  [05/07/2013 01:19:13.0137] [0] **********************************************
  [05/07/2013 01:19:13.0137] [0] Starting Microsoft Exchange Server 2013 Cumulative Update 1 Setup
  [05/07/2013 01:19:13.0137] [0] **********************************************
  [05/07/2013 01:19:13.0152] [0] Local time zone: (UTC-08:00) Pacific Time (US & Canada).
  [05/07/2013 01:19:13.0152] [0] Operating system version: Microsoft Windows NT 6.2.9200.0.
  [05/07/2013 01:19:13.0152] [0] Setup version: 15.0.620.29.
  [05/07/2013 01:19:13.0152] [0] Logged on user: DOMAIN\ADMINISTRATOR.
  [05/07/2013 01:19:13.0168] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
  [05/07/2013 01:19:13.0168] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
  [05/07/2013 01:19:13.0215] [0] Command Line Parameter Name='sourcedir', Value='\\h1\f$\junk\installers\server\Exchange\2013cu1'.
  [05/07/2013 01:19:13.0215] [0] Command Line Parameter Name='mode', Value='Install'.
  [05/07/2013 01:19:13.0215] [0] RuntimeAssembly was started with the following command: '/sourcedir:\\SERVER\f$\junk\installers\server\Exchange\2013cu1 /mode:Install'.
  [05/07/2013 01:19:13.0215] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
  [05/07/2013 01:19:13.0793] [0] Finished loading screen CheckForUpdatesPage.
  [05/07/2013 01:19:38.0762] [0] Finished loading screen UpdatesDownloadsPage.
  [05/07/2013 01:19:40.0496] [0] Starting file's copying...
  [05/07/2013 01:19:40.0496] [0] Setup copy files from '\\SERVER\f$\junk\installers\server\Exchange\2013cu1\Setup\ServerRoles\Common' to 'C:\Windows\Temp\ExchangeSetup'
  [05/07/2013 01:19:40.0700] [0] Finished loading screen CopyFilesPage.
  [05/07/2013 01:19:40.0840] [0] Disk space required: 1292445007 bytes.
  [05/07/2013 01:19:40.0840] [0] Disk space available: 23767240704 bytes.
  [05/07/2013 01:19:59.0762] [0] File's copying finished.
  [05/07/2013 01:19:59.0965] [0] Finished loading screen InitializingSetupPage.
  [05/07/2013 01:20:02.0934] [0] Setup is choosing the domain controller to use
  [05/07/2013 01:20:09.0325] [0] Setup is choosing a local domain controller...
  [05/07/2013 01:20:11.0794] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. 
  See the Exchange setup log for more information on this error.
  [05/07/2013 01:20:11.0794] [0] [ERROR] Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
  [05/07/2013 01:20:11.0809] [0] Setup will use the domain controller ''.
  [05/07/2013 01:20:11.0809] [0] Setup will use the global catalog ''.
  [05/07/2013 01:20:11.0825] [0] Exchange configuration container for the organization is 'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'.
  [05/07/2013 01:20:11.0919] [0] Exchange organization container for the organization is 'CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'.
  [05/07/2013 01:20:11.0966] [0] Setup will search for an Exchange Server object for the local machine with name 'WEX1'.
  [05/07/2013 01:20:12.0028] [0] No Exchange Server with identity 'WEX1' was found.
  [05/07/2013 01:20:12.0044] [0] The following roles have been unpacked:
  [05/07/2013 01:20:12.0044] [0] The following datacenter roles are unpacked:
  [05/07/2013 01:20:12.0044] [0] The following roles are installed:
  [05/07/2013 01:20:12.0059] [0] The local server does not have any Exchange files installed.
  [05/07/2013 01:20:12.0075] [0] Server Name=WEX1
  [05/07/2013 01:20:12.0137] [0] Setup will use the path '\\SERVER\f$\junk\installers\server\Exchange\2013cu1' for installing Exchange.
  [05/07/2013 01:20:12.0137] [0] The installation mode is set to: 'Install'.
  [05/07/2013 01:20:27.0591] [0] An Exchange organization with name 'DOMAIN' was found in this forest.
  [05/07/2013 01:20:27.0591] [0] Active Directory Initialization status : 'False'.
  [05/07/2013 01:20:27.0591] [0] Schema Update Required Status : 'False'.
  [05/07/2013 01:20:27.0591] [0] Organization Configuration Update Required Status : 'False'.
  [05/07/2013 01:20:27.0591] [0] Domain Configuration Update Required Status : 'False'.
  [05/07/2013 01:20:27.0841] [0] Applying default role selection state
  [05/07/2013 01:20:27.0872] [0] Setup is determining what organization-level operations to perform.
  [05/07/2013 01:20:27.0872] [0] Because the value was specified, setup is setting the argument OrganizationName to the value DOMAIN.
  [05/07/2013 01:20:27.0872] [0] Setup will run from path 'C:\Windows\Temp\ExchangeSetup'.
  [05/07/2013 01:20:27.0888] [0] InstallModeDataHandler has 0 DataHandlers
  [05/07/2013 01:20:27.0888] [0] RootDataHandler has 1 DataHandlers
  [05/07/2013 01:20:27.0903] [0] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.  See
  the Exchange setup log for more information on this error.
  [05/07/2013 01:20:27.0935] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. 
  See the Exchange setup log for more information on this error.
  [05/07/2013 01:21:04.0154] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
  [05/07/2013 01:21:04.0154] [0] End of Setup
  [05/07/2013 01:21:04.0154] [0] **********************************************

  Hi,
  The cause is clearly described in the log:
  [05/07/2013 01:20:11.0794] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. 
  See the Exchange setup log for more information on this error.
  [05/07/2013 01:20:11.0794] [0] [ERROR] Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
  I'd suggest you check NIC settings and AD configuration.
  Hope it is helpful.
  Fiona Liao
  TechNet Community Support

• How to create "folders" in Active Directory Users and Computers?

  Hello Community
      In Windows Server 2008R2 when you go to Active Directory Users and Computer
  you will see icons of folders such as:
      -  Builtin has a folder icon
      - Computers has a folder icon
      - ForeignSecurityPrinicpals has a folder icon
      - Domain Controller as a folder icon
      - Managed Service Accounts has a folder icon
      - Users has a folder icon
      All of the above folders are visually identical.
      If you right click and select “File” –  “New”
   on any of the selections the icon
  will not look like the folder icon they have their own icons which look different
  from the "Folder" icon.
      I would like to create a “Folder” that looks just visually exactly like the ones
  mentioned above, how can I create those types of Folders in Active Directory User
  and Computers?
      Note: I would like to put users in the folders.
      Thank you
      Shabeaut

  Hi,
  you should use OUs (an OU is they type of object (folder) that is available for you to easily create.
  The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
  Refer: Delegating Administration by Using OU Objects
  http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx   
  and the sub-articles:
  Administration of Default Containers and OUs
  http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
  Delegating Administration of Account and Resource OUs
  http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
  Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Best practice for Active Directory User Templates regarding Distribution Lists

  Hello All
  I am looking to implement Active Directory User templates for each department in the company to make the process of creating user accounts for new employees easier. Currently when a user is created a current user's Active directory account is copied, but
  this has led to problems with new employees being added to groups which they should not be a part of.
  I have attempted to implement this in the past but ran into an issue regarding Distribution Lists. I would like to set up template users with all group memberships that are needed for the department, including distribution lists. Previously I set this up
  but received complaints from users who would send e-mail to distribution lists the template accounts were members of.
  When sending an e-mail to the distribution list with a member template user, users received an error because the template account does not have an e-mail address.
  What is the best practice regarding template user accounts as it pertains to distribution lists? It seems like I will have to create a mailbox for each template user but I can't help but feel there is a better way to avoid this problem. If a mailbox is created
  for each template user, it will prevent the error messages users were receiving, but messages will simply build up in these mailboxes. I could set a rule for each one that deletes messages, but again I feel like there is a better way which I haven't thought
  of.
  Has anyone come up with a better method of doing this?
  Thank you

  You can just add arbitrary email (not a mailbox) to all your templates and it should solve the problem with errors when sending emails to distribution lists.
  If you want to further simplify your user creation process you can have a look at Adaxes (consider it's a third-party app). If you want to use templates, it gives you a slightly better way to do that (http://www.adaxes.com/tutorials_WebInterfaceCustomization_AllowUsingTemplatesForUserCreation.htm)
  and it also can automatically perform tasks such as mailbox creation for newly created users (http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomateExchangeMailboxesCreationForNewUsers.htm).
  Alternatively you can abandon templates at all and use customizable condition-based rules to automatically perform all the needed tasks on user creation such as OU allocation, group membership assignment, mailbox creation, home folder creation, etc. based on
  the factors you predefine for them.

• SMB access for Active Directory users

  Hi there,
  My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
  When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
  My smb.conf file is as follows:
  ; Configuration file for the Samba software suite.
  ; ============================================================================
  ; For the format of this file and comprehensive descriptions of all the
  ; configuration option, please refer to the man page for smb.conf(5).
  ; The following configuration should suit most systems for basic usage and
  ; initial testing. It gives all clients access to their home directories and
  ; allows access to all printers specified in /etc/printcap.
  ; BEGIN required configuration
  ; Parameters inside the required configuration block should not be altered.
  ; They may be changed at any time by upgrades or other automated processes.
  ; Site-specific customizations will only be preserved if they are done
  ; outside this block. If you choose to make customizations, it is your
  ; own responsibility to verify that they work correctly with the supported
  ; configuration tools.
  [global]
  debug pid = yes
  log level = 1
  server string = Mac OS X
  printcap name = cups
  printing = cups
  encrypt passwords = yes
  use spnego = yes
  passdb backend = odsam
  idmap domains = default
  idmap config default: default = yes
  idmap config default: backend = odsam
  idmap alloc backend = odsam
  idmap negative cache time = 5
  map to guest = Bad User
  guest account = nobody
  unix charset = UTF-8-MAC
  display charset = UTF-8-MAC
  dos charset = 437
  vfs objects = darwinacl,darwin_streams
  ; Don't become a master browser unless absolutely necessary.
  os level = 2
  domain master = no
  ; For performance reasons, set the transmit buffer size
  ; to the maximum and enable sendfile support.
  max xmit = 131072
  use sendfile = yes
  ; The darwin_streams module gives us named streams support.
  stream support = yes
  ea support = yes
  ; Enable locking coherency with AFP.
  darwin_streams:brlm = yes
  ; Core files are invariably disabled system-wide, but attempting to
  ; dump core will trigger a crash report, so we still want to try.
  enable core files = yes
  ; Configure usershares for use by the synchronize-shares tool.
  usershare max shares = 1000
  usershare path = /var/samba/shares
  usershare owner only = no
  usershare allow guests = yes
  usershare allow full config = yes
  ; Filter inaccessible shares from the browse list.
  com.apple:filter shares by access = yes
  ; Check in with PAM to enforce SACL access policy.
  obey pam restrictions = yes
  ; Don't be trying to enforce ACLs in userspace.
  acl check permissions = no
  ; Make sure that we resolve unqualified names as NetBIOS before DNS.
  name resolve order = lmhosts wins bcast host
  ; Pull in system-wide preference settings. These are managed by
  ; synchronize-preferences tool.
  include = /var/db/smb.conf
  [printers]
  comment = All Printers
  path = /tmp
  printable = yes
  guest ok = no
  create mode = 0700
  writeable = no
  browseable = no
  ; Site-specific parameters can be added below this comment.
  ; END required configuration.
  Any help would be much appreciated!!
  Thanks.

  I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
  [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
  setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
  When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
  Not feeling the Mac OS X love tonight.
  Bill
  System is bound to active directory - green light in Directory Utility

• Creating active directory users with dscl

  Our mac workstations (OSX 10.8) are bound to a 2008 Active Directory server.  We are attempting to use some existing dscl scripts on the mac client computer to create Active directory users.  We can successfully read and change AD attributes of an existing user with dscl, but creating new users or new attributes for an existing user gives us an error.  Here are some examples.
  SUCCESSFUL READ OF AD USER ATTRIBUTE:
  root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -read /Users/jholmes SMBHomeDrive
  Password:
  SMBHomeDrive: H:
  root#
  SUCCESSFUL DELETE OF ABOVE USER ATTRIBUTE
  root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -delete /Users/jholmes SMBHomeDrive
  Password:
  root#
  FAILED ATTEMPT AT RE-CREATING THE DELETED ATTRIBUTE
  root# dscl -u administrator "/Active Directory/CXAD/All Domains" -create /Users/jholmes SMBHomeDrive
  Password:
  <main> attribute status: eDSInvalidRecordType
  <dscl_cmd> DS Error: -14130 (eDSInvalidRecordType)
  root#
  The same error occurs when attempting to create a new user.  Any ideas?  Thanks in advance for any suggestions.

  In the end I could not find them; account info is ONLY stored locally in Open Directory when they have mobile accounts.
  However, I found I could migrate their user directories in Terminal via ditto ( I connected the old macs via Firewire Target mode) , and when they log in all their stuff and settings are there.
  the command is: ditto /Volumes/<old mac hard drive>/Users/<username> /Users/<username>

• How to display active directory users through weblogic portal Application?

  Hi,
  Does anyone has faced this situation?
  I configured the activedirectory and able to see the users and group in the weblogic console at Security->Realms->Myrealm->users. when I run my portal application,I am able to see only the users that are configured in embedded weblogic LDAP ie, I can see only the users weblogic,portaladmin and yahooadmin that are of defaultauthenticator provider.I need to display the active directory users also in our portal.
  I have two doubts on this?
  1)Is it I need to write custom code to view the active directory users in our portal?
  2)Does I need to use any jars that supports active directory authenticator?
  I would appreciate if any one can reply on this with helpfull docs/information.
  We are using BEA 8.1 SP4.
  Windows 2000.
  Surendra

  Hi,
  I too have a similar kind of requirement, i use a jsp to do this activity, but i get an exception, i have shown the entire jsp code below,
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <%@ page import="java.util.Set" %>
  <%@ page import="javax.naming.Context" %>
  <%@ page import="weblogic.jndi.Environment" %>
  <%@ page import="weblogic.management.MBeanHome" %>
  <%@ page import="weblogic.management.configuration.DomainMBean" %>
  <%@ page import="weblogic.management.configuration.SecurityConfigurationMBean" %>
  <%@ page import="weblogic.management.security.RealmMBean" %>
  <%@ page import="weblogic.management.security.authentication.AuthenticationProviderMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserPasswordEditorMBean" %>
  <%@ page import="weblogic.security.providers.authentication.LDAPAuthenticatorMBean" %>
  <%@ page import="weblogic.management.configuration.EmbeddedLDAPMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserEditorMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserReaderMBean" %>
  <%@ page import="weblogic.management.security.authentication.GroupReaderMBean" %>
  <%@ page import="weblogic.management.utils.ListerMBean" %>
  <%@ page import="javax.management.MBeanException" %>
  <%@ page import="javax.management.modelmbean.RequiredModelMBean" %>
  <%@ page import="examples.security.providers.authentication.manageable.*" %>
  <%@ page import="weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBean" %>
  <%@ page import="weblogic.management.utils.InvalidParameterException" %>
  <%@ page import="weblogic.management.utils.NotFoundException" %>
  <%@ page import="weblogic.security.SimpleCallbackHandler" %>
  <%@ page import="weblogic.servlet.security.ServletAuthentication"%>
  <%!
  private String makeErrorURL(HttpServletResponse response,
  String message)
  return response.encodeRedirectURL("welcome.jsp?errormsg=" + message);
  %>
  <html>
  <head>
  <title>Password Changed</title>
  </head>
  <body>
  <h1>Password Changed</h1>
  <%
  // Note that even though we are running as a privileged user,
  // response.getRemoteUser() still returns the user who authenticated.
  // weblogic.security.Security.getCurrentUser() will return the
  // run-as user.
  System.out.println("------------------------------------------------------------------");
  String username = request.getRemoteUser();
  System.out.println("User name -->"+username);
  // Get the arguments
  String currentpassword = request.getParameter("currentpassword");
  System.out.println("Current password -->"+currentpassword);
  String newpassword = request.getParameter("newpassword");
  System.out.println("New password -->"+newpassword);
  String confirmpassword = request.getParameter("confirmpassword");
  System.out.println("Confirm password -->"+confirmpassword);
  // Validate the arguments
  if (currentpassword == null || currentpassword.length() == 0 ||
  newpassword == null || newpassword.length() == 0 ||
  confirmpassword == null || confirmpassword.length() == 0) { 
  response.sendRedirect(makeErrorURL(response, "Password must not be null."));
  return;
  if (!newpassword.equals(confirmpassword)) {
  response.sendRedirect(makeErrorURL(response, "New passwords did not match."));
  return;
  if (username == null || username.length() == 0) {
  response.sendRedirect(makeErrorURL(response, "Username must not be null."));
  return;
  // First get the MBeanHome
  String url = request.getScheme() + "://" +
  request.getServerName() + ":" +
  request.getServerPort();
  System.out.println("URL -->"+url);
  Environment env = new Environment();
  env.setProviderUrl(url);
  Context ctx = env.getInitialContext();
  MBeanHome mbeanHome = (MBeanHome) ctx.lookup(MBeanHome.LOCAL_JNDI_NAME);
  System.out.println("MBean home obtained....");
  DomainMBean domain = mbeanHome.getActiveDomain();
  SecurityConfigurationMBean secConf = domain.getSecurityConfiguration();
  // Sar
  EmbeddedLDAPMBean eldapBean = domain.getEmbeddedLDAP();
  System.out.println("Embedded LDAP Bean obtained...."+eldapBean );
  RealmMBean realm = secConf.findDefaultRealm();
  System.out.println("RealmMBean obtained....");
  AuthenticationProviderMBean authenticators[] = realm.getAuthenticationProviders();
  System.out.println("AuthProvMBean obtained....");
  // Now get the UserPasswordEditorMBean
  // This code will work with any configuration that has a
  // UserPasswordEditorMBean.
  // The default authenticator implements these interfaces
  // but other providers could work as well.
  // We try each one looking for the provider that knows about
  // this user.
  boolean changed=false;
  UserPasswordEditorMBean passwordEditorMBean = null;
  System.out.println("UserPwdEdtMBean obtained....");
  //System.out.println("Creating MSAI....");
  //ManageableSampleAuthenticatorImpl msai =
  // new ManageableSampleAuthenticatorImpl(new RequiredModelMBean());
  //System.out.println("Done....");
  for (int i=0; i<authenticators.length; i++) {
  System.out.println("### Authenticator --->"+authenticators);
  if (authenticators[i] instanceof ActiveDirectoryAuthenticatorMBean)
  ActiveDirectoryAuthenticatorMBean adamb =
  (ActiveDirectoryAuthenticatorMBean)authenticators[i];
  System.out.println("### ActiveDirectoryAuthenticatorMBean .....");
  String listers = adamb.listUsers("*",0);
  while(adamb.haveCurrent(listers))
  System.out.println("### ActiveDirectoryAuthenticatorMBean user advancement.....");
  adamb.advance(listers);
  if (authenticators[i] instanceof UserPasswordEditorMBean) {
  passwordEditorMBean = (UserPasswordEditorMBean) authenticators[i];
  System.out.println("Auth match ...."+passwordEditorMBean);
  try {
  // Now we change the password
  // Sar comment
  System.out.println("Password changed....");
  //passwordEditorMBean.changeUserPassword(username,
  // currentpassword, newpassword);
  changed=true;
  // Sar Comment
  catch (InvalidParameterException e) {
  response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
  return;
  catch (NotFoundException e) {
  catch (Exception e) {
  response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
  return;
  // Sar code
  LDAPAuthenticatorMBean ldapBean = null;
  UserReaderMBean urMBean = null;
  UserEditorMBean ueMBean = null;
  GroupReaderMBean gMBean = null;
  //ListerMBean lBean = null;
  try
  if (authenticators[i] instanceof LDAPAuthenticatorMBean)
  ldapBean = (LDAPAuthenticatorMBean) authenticators[i];
  String userFilter = ldapBean.getAllUsersFilter();
  System.out.println("userFilter ="+userFilter);
  if (authenticators[i] instanceof UserEditorMBean)
  try
  System.out.println("UserEditorMBean...");
  ueMBean = (UserEditorMBean) authenticators[i];
  System.out.println("List users..."+ueMBean);
  boolean b = ueMBean.userExists("webuser");
  System.out.println("User Exists->>>"+b);
  String cursor = ueMBean.listUsers("webuser", 2);
  System.out.println("List User ----->"+cursor);
  catch(InvalidParameterException e)
  response.sendRedirect(makeErrorURL(response, "ERROR InvalidParameterException:" + e));
  catch(java.lang.reflect.UndeclaredThrowableException e)
  response.sendRedirect(makeErrorURL(response, "ERROR UndeclaredThrowableException :" + e));
  e.printStackTrace();
  catch(Exception e)
  response.sendRedirect(makeErrorURL(response, "ERROR LBean:" + e));
  catch(Exception ex)
  ex.printStackTrace();
  response.sendRedirect(makeErrorURL(response, "ERROR:" + ex));
  return;
  if (passwordEditorMBean == null) {
  response.sendRedirect(makeErrorURL(response, "Internal error: Can't get UserPasswordEditorMBean."));
  return;
  System.out.println("pwd changed ->"+changed);
  if (!changed) {
  // This happens when the current user is not known to any providers
  // that implement UserPasswordEditorMBean
  response.sendRedirect(makeErrorURL(response,
  "No password editors know about user " + username + "."));
  return;
  %>
  User <%= username %>'s password has been changed!
  <br>
  <br>
  </body>
  </html>
  Here is the console log
  User name -->webuser
  Current password -->i
  New password -->u
  Confirm password -->u
  URL -->http://localhost:7011
  MBean home obtained....
  Embedded LDAP Bean obtained....[Caching Stub]Proxy for mydomain:Name=mydomain,Type=EmbeddedLDAP
  RealmMBean obtained....
  AuthProvMBean obtained....
  UserPwdEdtMBean obtained....
  ### Authenticator --->Security:Name=myrealmDefaultAuthenticator
  Auth match ....Security:Name=myrealmDefaultAuthenticator
  Password changed....
  UserEditorMBean...
  List users...Security:Name=myrealmDefaultAuthenticator
  User Exists->>>true
  java.lang.reflect.UndeclaredThrowableException
  at $Proxy1.listUsers(Unknown Source)
  at jsp_servlet.__updatepassword._jspService(__updatepassword.java:411)
  at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
  at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.jav
  a:1006)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:463)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletC
  ontext.java:6718)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:37
  64)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  Caused by: javax.management.MBeanException
  at weblogic.management.commo.CommoModelMBean.invoke(CommoModelMBean.java:551)
  at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1560)
  at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1528)
  at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.j
  ava:988)
  at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:946)
  at weblogic.management.commo.CommoProxy.invoke(CommoProxy.java:365)
  ... 14 more
  ### Authenticator --->Security:Name=myrealmDefaultIdentityAsserter
  pwd changed ->true
  Can u pls let me know how to get all the entries from LDAP.
  Thanx
  Sar