Posts Tagged "Active Directory"

How to purge Kerberos tickets of the system account

Posted on Mar 30, 2016 in Active Directory, Environment | 0 comments

… or: How to update group membership information of the computer account. When updating Active Directory group membership of your users you usually ask them to log off and log on again. You don’t tell them why, you just tell them to do so. What happens? When logging on again, the group membership information of a user (within their Kerberos tickets) gets updated and they can access the resources they have access to. You can check which tickets a user has by using the klist command. But how about the system / computer account? You can’t log off and log on the system account. You...

Ambiguous Name Resolution (ANR) for LDAP

Posted on Dec 7, 2013 in Active Directory | 0 comments

What is ANR? Ambiguous Name Resolution (ANR) is an efficient search algorithm associated with Lightweight Directory Access Protocol (LDAP) clients that allows for objects to be bound without complex search filters. ANR is useful when you are locating objects and attributes that may or may not be known by the client. A common use for ANR, for example, is in a situation in which a building name is known by the requesting client, but not the associated number. In this case, the physicalDeliveryOfficeName attribute may have a value of “Building 40” and a client might search for...


“No such object” when configuring TPM on Windows Server 2012 or Windows 8

Posted on Feb 13, 2013 in Active Directory, BitLocker, Group Policies | 0 comments

Scenario: You have a Windows Server 2012 or Windows 8 computer with TPM and you store your BitLocker recovery and TPM owner information in Active Directory. When trying to configure the TPM hardware by using tpm.msc you get this error:

Turn on the TPM security hardware
This computer may require you to change the state of the Trusted Platform Module (TPM) manually. To perform this action, try turning on the TPM through the BIOS or performing a firmware update. Consult the computer manufacture’s documentation for instructions.
There is no such object on the server.
Error code: 0x80072030...

Check objectVersion on all Domain Controllers after schema update with PowerShell

Posted on Feb 2, 2013 in Active Directory, Powershell | 1 comment

Just copy and paste into PowerShell (Active Directory Module for Windows PowerShell) to get the version of the AD schema on all domain controllers in the current domain:

    $schemaContext = Get-ADRootDSE | %{$_.schemaNamingContext}
    Foreach ($dc in ([System.DirectoryServices.ActiveDirectory.DomainController]::findall(
        (new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$env:USERDNSDOMAIN)))) | %{$_.name}) {
        $path = 'LDAP://' + $dc + '/' + $schemaContext
        $Object = [adsi]$path
        $dc + ' ' + $Object.objectversion...

Strange behavior with Data Protection Manager End User Recovery feature or not?

Posted on Sep 14, 2012 in Data Protection Manager | 1 comment

I recently activated the End User Recovery feature of Data Protection Manager 2012. I did the schema extension – which by the way added a ms-BackupSrv-Share attribute, a ms-ProductionSrv-Share attribute, a ms-SrvShareMapping class and a MS-ShareMapConfiguration container to my Active Directory. We’ll come back later to this… I also enabled EUR in DPM itself (Options > End-user Recovery). In the first few days this feature seemed to work really well and I was happy in the first place. But now, about 3 or 4 weeks later, I am experiencing some strange behavior. When looking...