Force a specific default lock screen and logon image
Dear, I currently have a DC deployed on Windows Server 2019. I want to configure a specific default image on lock screens on Windows 10 Pro clients via group policy. Is this possible or is it only compatible with Enterprise or Education editions? Thanks in advance,
19 Views, 0 likes, 2 Comments

GUID reuse deleted accounts
I had a meeting today and they talked about using the user GUID to identify users. The question came up: if a user account is deleted for, say, 6 months and then I create an account with the same name and organization as well as username, will the GUID be the same? I found information on how the GUID is built that says yes, but it just seems like the answer should be no. An account that is recreated will not get the same GUID since they are somewhat randomly generated. This is a Server 2016/19 Win10 environment with no Internet connectivity and no Office 365 or Teams. Does anyone have a link to how Windows generates a user GUID? It seems that SQL Server uses that, and if an account is deleted and recreated they will not have access to the old data? This is all new to me, as my thought is why would you not use usernames, and for me you assign permissions in Windows using groups. Not an SQL expert so any help would be appreciated.
17 Views, 0 likes, 1 Comment

Windows Server 2016 on ESXi, two servers solution in case of failure
Hi, I'm facing a problem I still can't find a solution to. Short description below. An ESXi virtualization environment has a Windows Server 2016 Datacenter installed. The server has AD switched on; for the sake of our discussion I'm naming it "contoso.local". There are shared resources on the virtualized server such as shared folders and files, and there is also an MS SQL server which receives incoming connections from Windows clients (Win10/11).

What do I need to achieve? I need to create another virtualized Windows Server 2016 Datacenter or Standard which will be an alternative server that will start offering its services immediately in case of the other server's failure. What do I mean by "immediately" here? I mean the switching procedure/time must be immediate and all the resources such as shared folders or SQL databases must be up-to-date. So, if at 1:00 PM the first server has a failure (disconnected, shut down by mistake etc.), the other server must take control of the client machines at 1:05 PM. And as I mentioned, all shared resources and SQL connections must stay the same but on the second server. The users on client machines can't have their work disrupted (any open Word documents in shared folders intact or financial software connections kept on).

I'm aware of the fact that the second server must be a sort of replica that works all the time and receives data from the server, so it must be a 1-1 copy of all data that it constantly updates itself with new data coming from the first server. The question is: how can this be done? I tried Cluster failover and Storage Replica already, but this mechanism didn't work out. I created two disks (logs, data) according to step-by-step instructions but it is still not a solution to the problem. I'll appreciate any advice on my issue.
124 Views, 0 likes, 2 Comments

(Another) Issue with RADIUS authentication for some users
Hi, I thought I'd found the solution to our problem in this Tech Community thread from 2021, only to find that there was only one reply. Our NPS logs look very very similar to those described in that 'DenverCoder' post; here's a screenshot to illustrate (the working one is in green, and shows the full AD path to the user account in AD, and the Network Policy name):

We use NPS servers as part of the solution to provide MFA for our staff VPN. It works perfectly for about 127 out of 130 staff, but three of them don't even get an MFA prompt. Just now I thought I'd found a 4th victim, as she'd tried about 20 times today, only to succeed about an hour ago (not sure what inspired her to try again).

Looking at the Event Viewer on the NPS shows events 6273 (“Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.”) and 4625 (“Failure Reason: Unknown user name or bad password.”). To me it looks like it's failing to recognise the user's group membership (you have to be in the AD group for the MFA to work, otherwise you ain't coming in bruv!). All suggestions gratefully received.
Solved, 867 Views, 0 likes, 9 Comments

AD DS Users in Remote Desktop Users group receive not authorized for remote login
Hello, thanks for checking! My AD DS config was lost. I have now built a new PDC for AD DS. I have recreated users and given them remote permissions via the remote tab on user details, I have added them to the administrators group, and I have added them to the Remote Desktop Users group. I have joined "PC1". I can confirm the user can log in via console, but when attempting to remote in, is receiving "The connection was denied because the user account is not authorised for remote login." The only user that can use RDP at this time is domain 'administrator'. It was working previously. I have verified that PC1 has remote desktop enabled, and can connect via domain 'administrator'. I would appreciate any insight into this matter!
Solved, 230 Views, 0 likes, 2 Comments

Domain Controller and AD FS Upgrade from Windows Server 2008 R2
My site, a community college, is planning to upgrade our domain controllers and AD FS server from Windows Server 2008 R2 Data Center. We have 2 domain controllers and 1 AD FS server. Looking for advice on how to stage this upgrade. Here are more details on our current configuration.

    PS C:\Windows\system32> Get-ADForest

    ApplicationPartitions : {DC=ForestDnsZones,DC=sullivan,DC=suny,DC=edu, DC=DomainDnsZones,DC=sullivan,DC=suny,DC=edu}
    CrossForestReferences : {}
    DomainNamingMaster    : DC01.sullivan.suny.edu
    Domains               : {sullivan.suny.edu}
    ForestMode            : Windows2003Forest
    GlobalCatalogs        : {DC01.sullivan.suny.edu, DC02.sullivan.suny.edu}
    Name                  : sullivan.suny.edu
    PartitionsContainer   : CN=Partitions,CN=Configuration,DC=sullivan,DC=suny,DC=edu
    RootDomain            : sullivan.suny.edu
    SchemaMaster          : DC01.sullivan.suny.edu
    Sites                 : {Default-First-Site-Name}
    SPNSuffixes           : {}
    UPNSuffixes           : {}

Primary Domain Controller dc01
    OS Version - Windows Server 2008 R2 Data Center
    Roles
        Active Directory Certificate Services
        Active Directory Domain Services
        DHCP Server
        DNS Server

2nd Domain Controller dc02
    OS Version - Windows Server 2008 R2 Data Center
    Roles
        Active Directory Certificate Services
        Active Directory Domain Services
        Network Policy and Access Services

ADFS SERVER
    OS Version - Windows Server 2008 R2 Data Center
    ADFS version 2.0
    Roles
        Web Server (IIS)
    Features
        Remote Server Administration Tools

214 Views, 0 likes, 0 Comments

Mail-Enabled Contact migration
We're migrating users and their mailboxes between forests with ADMT. Now we need to migrate all the mail-enabled contacts from the source forest to the target, but ADMT is not able to do it. Is there a way we can migrate the contacts between the forests? Thanks
119 Views, 0 likes, 0 Comments

Active directory security remediation items - seeking advice
Hi Active Directory Brain Trust, We're aiming to implement the following security restrictions as part of an AD security remediation. If anyone has implemented or consulted on these in the past, could I please seek your advice on how to implement these (which objects to target to begin with, what implications they may introduce for operations, how to phase out the implementation etc.). Some useful info to read plus your advice are highly appreciated!!

    Deny Log On Through Remote Desktop Services
    Deny Log On Locally
    Deny log on as a service
    Deny access to this computer from the network

355 Views, 0 likes, 1 Comment