@dashrender From what I've seen, yeah.

Import-Module activedirectory $target = Get-ADOrganizationalUnit -Identity "OU=Disabled Computer Accounts,OU=Space,DC=Domain,DC=com" $computers = Get-ADComputer -filter {(enabled -eq "false")} foreach ($name in $computers) { Move-ADObject $name -TargetPath $target -verbose }

Followup to above... this section would move the disabled computers to a 'disabled' OU.

My Favorite Ultra-VNC setup:

Not all issues can fixed from command line alas, thus this recipe:

uvnc: file.recurse: - source: salt://uvnc - name: 'c:\salt\uvnc' - makedirs: True cmd.run: - name: 'c:\salt\uvnc\state.cmd' module.run: - name: firewall.disable

remeber to re-enable the firewall of the client when finished. (salt "client" firewall.enable)
you will need to create uvnc folder (get it from UltraVNC portable builds) folder in your Salt master, in /srv/salt

in it :

winvnc.exe

UltraVNC.ini

state.cmd

SecureVNCPlugin32.dsm (Optional Encryption plugin)

Server_ClientAuth.pubkey (Optional Encryption server SSL handshake check)

And in the state.cmd put the following:

taskkill /f /im winvnc.exe sc stop uvnc_service sc delete uvnc_service "c:\salt\uvnc\winvnc.exe" -install "c:\salt\uvnc\winvnc.exe" -startservice sc config uvnc_service start= demand ipconfig | findstr /i "ipv4"

And whenever you want to connect to client, run this in salt master:
salt '172' state.apply uvnc

And you will see the IP of the client, you will need to match the IP and if you made any custom setting like port number/encryption plugin with vnc viewer and connect to client.

@dbeato said in AD User Tool: Bulk AD User:

@Dashrender Then, he needs to force it with Powershell no just a GUI....

Agreed.

@scottalanmiller said in Always Virtualize Domain Controllers:

@black3dynamite said in Always Virtualize Domain Controllers:

It would help if Microsoft would also recommend to always virtualize domain controllers.

They do. They've been really clear on that from everything that I have seen.

Last recommendation seen on microsoft official docs - maybe the italian ones: virtualize the AD first instance, keep a phisical one as second instance...

don't understand the logic of this. but hey: their offical business support said I was not allowed to virtualise more than 2 VMs on hyper-v, even if there were linux :/

I'll add a note for clarity given the title... SaltStack does not do authentication like AD does. AD does not do patching of any sort like Salt does. Salt is an alternative to common myths about AD functionality, but not to actual AD functionality. But you can use Salt to do distributed local authentication management, which does replace the need for AD, but is very different than what is being discussed here. In this case Salt is replacing GPO, not AD.

@msff-amman-Itofficer said in Beginner SaltStack Question: Can minions be placed in folders or groups ? (Coming from AD perspective):

@scottalanmiller

ohh shit, how did that get passed me...

Great, thanks again.

:)

@Mike-Davis said in Authenticate Laptops to Wifi against ActiveDirectory:

and on the Meraki side, you chose WPA2 Enterprise, correct?

Definitely WPA2 on the Meraki. I'll check my conditions though. Thanks for the tip.

@scottalanmiller said in Nethserver for FTPS/SFTP:

@alefattorini said in Nethserver for FTPS/SFTP:

It should work flawlessly, do you have any issue?

I guess a big question is, with Nethserver is.. does it "just work" or is there a setting that needs to be selected? Not sure if this is the default behaviour or not.

Mostly this. I haven't done anything with it yet and before I invest the time, I'd like to know if it possible and/or how difficult it is, especially since a co-worker claims that it did not and he went with IIS to get the same task done (and then he sat there cursing the whole day because he doesn't like Microsoft products).

@Mike-Davis said in AD CS hosed - anyone have any experience?:

@scottalanmiller said in AD CS hosed - anyone have any experience?:

So the SBS is the one and only AD in this case?

Sorry, I think we're interpreting the word cluster differently here. When I read that I though you were talking about Microsoft Cluster Server - which is a different technology than multiple domain controllers. He had three domain controllers.

In that case, how do you recover from something like this? Since the FSMO roles are on a 2003 server, do you start running through the various esentutl.exe commands?

Right, I'm talking about an AD application cluster (the set of domain controllers for one domain.) SBS has to be the root controller in order to work. And if you have a cluster (this isn't AD specific but is a general thing about clustering) you can't do restores. If you restore a cluster node like this, you corrupt the entire cluster in many cases, if you are lucky just one node. AD DCs form a database cluster under the hood, which is how they handle failovers, but that means that you have to protect them like a normal database cluster and let them resync from a rebuild, never do a restore.

https://community.spiceworks.com/topic/1988106-ad-logins-dont-work-after-baremetal-restored-windows-2008-dc

Yes, you'll likely need to seize roles on one of the 2012 R2 machines and just retire the SBS 2003 machine.

@Mike-Davis said in Domain Controller and WINS Server Powered Down and Removed without Proper Demotion:

@wirestyle22 said in Domain Controller and WINS Server Powered Down and Removed without Proper Demotion:

We don't use DHCP at all

I would go the other direction then and check for WINS queries and then visit all the NICs that are still using WINS and remove the entry. This article explains it:
https://blogs.technet.microsoft.com/craigf/2010/07/09/decommissioning-wins/

Thanks! This actually answered a few of my other questions too.

Inserted a new line of code at line 82 & 87 to read as follows:

icacls \\<server>\d$\Users\$un\* /grant $un:F /inheritance:e /T

This line grants the new employee full access to their network folder and subfolders and items.

@coliver said in Azure AD Open Source Alternative:

@StrongBad said in Azure AD Open Source Alternative:

Samba 4 does what AD does, for free. But I'm not aware of anything that does what Azure AD does using open source software that you can host yourself. Does anyone know if something exists?

I guess what are you looking for? Azure AD is basically hosted AD with some limitations as to client management.

It's a totally different technology. Azure AD is a competitor with hosted AD. It's not AD in any way. Very different technologies. One is a LAN design and one is LANless as well.

@DustinB3403 I figured, but just wanted to clear the air juuusstttt in case. :-D

@JaredBusch said in Synology DSM 6.1 Released with Active Directory Server:

@scottalanmiller said in Synology DSM 6.1 Released with Active Directory Server:

@JaredBusch said in Synology DSM 6.1 Released with Active Directory Server:

@travisdh1 said in Synology DSM 6.1 Released with Active Directory Server:

@scottalanmiller said in Synology DSM 6.1 Released with Active Directory Server:

@travisdh1 said in Synology DSM 6.1 Released with Active Directory Server:

@scottalanmiller said in Synology DSM 6.1 Released with Active Directory Server:

@travisdh1 said in Synology DSM 6.1 Released with Active Directory Server:

Hrm, fast-clone. Probably time to try out a Btrfs based file server at home.

It's good stuff.

Yeah, I know brtfs is the way to go, I just haven't tried it out yet myself. Starting out on IRIX with XFS back in the day makes me a too nostalgic.

I still use XFS for everything.

When will be the right time to switch to btrfs then? We know it's been stable for long enough that it's becoming the default in a number of distributions now, but has it really been battle tested well enough yet?

Also, should we maybe make another thread for the btrfs discussion?

The answer here is you do not switch. You install a distro letting it do its native thing by default and less you have an over arcing huge reason to override defaults. So you will get this when you install a new system that now has it as a default.

openSuse, for example, has had it as default for two years.

Really though, I prefer XFS for anything that isn't a storage machine. VMs need something mature, stable and light. XFS does that well.

But does your preference mean that you will override a default installs choice just because that is your preference?

Using anything but default should have very clear reasons because the first time somebody besides you have to troubleshoot it there will be big problems.

I would often, yes actually. XFS is not like an odd, unsupported option. It's just not the default. It's still completely core to openSuse's design. They simply had to pick which one they were going to use when someone did not choose one or the other and they opted for extra features over lean design for those that don't know which they want, which I think makes sense. Just like CentOS opts for the simplicity of using root for administration instead of sudo, but makes it super easy to enable sudo. It's not default, but it's fully supported. They just had to choose something as default.

FreeBSD does have getent.

PowerShell Empire has some good modules that will do all that ;)
Check out BloodHound.

@thwr said in DCs out of sync:

@Dashrender said in DCs out of sync:

@thwr said in DCs out of sync:

No substantial changes have been made during the last couple of weeks. Just a few new users and password changes plus maybe 2 or 3 new machine accounts. Some clients and servers now refuse to authenticate users during login due to the well known "trust could not be established between..." error.

Where you still getting those errors after you powered down the broken DC? I'm guessing not since you moved forward with the install of another DC.

Nope. Only "missing that other DC" errors now, which is fine. I've got some crappy internet connection (free WiFi in the train, next to no 3G/4G signal) here and can't check the current state. but it was fine half an our ago.

OK, reading your OP, it seemed that you were getting those errors after turning off the broken DC, but since you're not - seems like you found a good solution.

@mlnews said in How to configure Ubuntu Linux server as a Domain Controller:

http://www.techrepublic.com/article/how-to-configure-ubuntu-linux-server-as-a-domain-controller-with-samba-tool/

Samba 4 and samba-tool make getting up and running with AD on Linux pretty quick and easy.

Sounds nice, I'll need to make time to look at this.

@JaredBusch said in AD on top of something that depends on it:

No, JB would say, FFS stop conflating shit. A hypervisor is not a server or desktop OS.

LOL same difference :P

Everything is still looking good!

@coliver said in Removed ADFS, CRM plugin for Outlook wont authenticate now:

Man am I the only one that doesn't have issues with ADFS? It just works with little to no intervention on our part.

Yes. It's just awful.

Why do you have ADFS? Why not just sync?

And patch management and software updates are taken care of for you.

@aanenih said in Can't Get SpiceWorks on Azure to Authenticate to AD:

Hello Guys, I seem to have found the solution to this issue. By default, Azure has no ports open and that was why i was getting the errors. To solve this problem, i had to create an endpoint for the Virtual machine that had Spiceworks installed in it and open ports 389 and 636 TCP.
Now spiceworks syncs and authenticates with the AD on Azure and on premise.

that's why I was asking for specific VPN details. A VPN on the servers bypasses the Azure ports. A site to site VPN hits the "outside" of the servers and has ports blocked.

@travisdh1 said in Creating an Active Directory Group with PowerShell:

Gah, I'm having bad memories of OpenVMS with the different programs for every single little thing.

It does make for a nice looking and short command-line structure tho.

Oh yeah, SO much different than UNIX.

@scottalanmiller said in Using Pertino with Active Directory:

Originally posted on my Windows Administration blog in 2013 here: http://web.archive.org/web/20130929034913/http://www.scottalanmiller.com/windows/2013/04/05/using-pertino-with-active-directory/

This information is very out of date concerning Pertino itself. But the theory on how this works remains relevant.

IMO, you should put the 'old post' notice at the top of these.