
Who can join a workstation to the Active Directory domain?

By default all domain users have the ability to add a workstation to the domain.

Limits on the number

The limitation on this task is that any one user can add a maximum of 10 workstations to the domain.

Impact

When the user reaches the maximum number of computers joined to the domain, he receives this error message

Who added a workstation to active directory?

To find out who added a workstation to Active Directory, simply run this PowerShell script, which is based on this article:

Using PowerShell to Discover Who Added a Client to Your Domain

Import-Module ActiveDirectory
Clear-Host

Write-Host "I'm writing ms-DS-MachineAccountQuota"

# List the current value of ms-DS-MachineAccountQuota
Get-ADDomain |
    Select-Object -ExpandProperty DistinguishedName |
    Get-ADObject -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object -ExpandProperty 'ms-DS-MachineAccountQuota'

# Count the computer and user accounts in the domain
Write-Host "Number clients in this environment"
Get-ADComputer -Filter * | Measure-Object | Select-Object -ExpandProperty Count
Write-Host "Number users in this environment"
Get-ADUser -Filter * | Measure-Object | Select-Object -ExpandProperty Count

Write-Host ""
Write-Host "Who did this?"
# Select the computers whose ms-DS-CreatorSID attribute is set
$Clients = Get-ADComputer -Properties ms-ds-CreatorSid, WhenCreated -Filter {ms-ds-creatorsid -ne "$Null"}
$Users = Get-ADUser -Filter *

# Match each creator SID against the user list and print computer, creation date and user
ForEach ($C in $Clients)
{
    ForEach ($U in $Users)
    {
        If ($U.Sid -eq $C.'ms-ds-creatorsid')
        {
            $C | Select-Object -Property @{Name = 'ComputerName'; Expression = {$C.Name}},
                @{Name = 'WhenCreated'; Expression = {$C.WhenCreated.DateTime}},
                @{Name = 'UserName'; Expression = {$U.Name}}
        }
    }
}

Change the limit on the number of workstations

It is possible to modify this number, either increasing it or setting it to 0. If it is set to 0, users need specific permissions to be able to add a computer to the domain.

To do this, from the domain controller, launch the adsiedit.msc command.

On the left, position yourself on the main node that begins with “DC=…”. Right-click -> Properties. The key with the number to change is MS-DS-MachineAccountQuota.
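
Before setting the quota to 0 it helps to know which accounts have actually used it. The following is an added example, not part of the original post or the referenced article: it counts joined computers per creator SID, keeps SIDs that no longer resolve to an account, and previews the same attribute change made above in ADSI Edit. The function name Get-MachineCreatorSummary and the sample names and SIDs are made up for illustration.

```powershell
function Get-MachineCreatorSummary {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Computers,
        [Parameter(Mandatory)] [int] $Quota
    )
    # Group by the creator SID in string form (works for SID objects and strings)
    $Computers | Group-Object -Property { "$($_.'ms-DS-CreatorSID')" } | ForEach-Object {
        $sid = $_.Name
        try {
            # Resolve the SID to DOMAIN\name
            $who = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            # Creator cannot be resolved (for example a deleted account): keep the raw SID
            $who = "$sid (unresolved)"
        }
        [pscustomobject]@{
            Creator   = $who
            Computers = $_.Count
            AtQuota   = ($Quota -gt 0 -and $_.Count -ge $Quota)
            Names     = ($_.Group.Name | Sort-Object) -join ', '
        }
    } | Sort-Object -Property Computers -Descending
}

# Constructed sample input (made-up names and SIDs), with a quota of 2 for the demo
$sample = @(
    [pscustomobject]@{ Name = 'WS-001'; 'ms-DS-CreatorSID' = 'S-1-5-21-1-2-3-1105' }
    [pscustomobject]@{ Name = 'WS-002'; 'ms-DS-CreatorSID' = 'S-1-5-21-1-2-3-1105' }
    [pscustomobject]@{ Name = 'WS-003'; 'ms-DS-CreatorSID' = 'S-1-5-21-1-2-3-1142' }
)
Get-MachineCreatorSummary -Computers $sample -Quota 2 | Format-Table -AutoSize

# Live domain: same report, then the quota change (needs the ActiveDirectory module)
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                  -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $joined = @(Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID')
    Get-MachineCreatorSummary -Computers $joined -Quota $quota | Format-Table -AutoSize
    # Same change as the ADSI Edit step; -WhatIf only previews it
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
}
```

Remove -WhatIf from the last line to apply the change once the report shows which users still rely on the quota.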

 

Restrict adding a workstation to the domain to a group

It is possible to limit the ability to add workstations to the domain to a group of users by acting directly on the GPOs:

Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment

Look for the “Add workstations to the domain” entry and change it to specify only the users and groups that can perform the add operation.


AD – Active Directory – Export Users Password Expiration Date to a file

How to get the password expiration date for Active Directory user accounts.

Open PowerShell and run the command:

$ExportPath = 'c:\temp\passwordexpiration.csv'
# Enabled accounts whose password can expire, with the computed expiry time
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
    Export-Csv -Path $ExportPath -NoTypeInformation

“Failed bios lock” when installing HPE Reseller Option Kit (ROK) 2019 – 2022 Server

When installing the HPE Reseller Option Kit (ROK) Windows 2019 or 2022 Standard and Datacenter server software onto a VMware virtual machine, you will receive a “Failed BIOS Lock” error, which means the HPE-branded OS software needs HPE hardware to run.

To solve it, shut down the virtual machine and:

  • Enter the Edit Settings of the VM
  • VM Options, Advanced, Edit Configuration, Add Configuration Params then type:
  • Name field: smbios.addHostVendor
  • Value field: TRUE


Active Directory: change server roles

In a multiserver Windows Active Directory Server environment, it may be necessary to move roles from one server to another.

Which server has Active Directory roles?

To find out which server holds the Active Directory roles, type the command:

NETDOM QUERY FSMO

Transfer roles with the command line

Open a command prompt and type:

ntdsutil

then

roles

then

connections

then

Connect to server ServerFQDN

Where ServerFQDN is the server you want to pass the roles to

Then

quit

Depending on the roles you want to switch, type the following commands:

Role                     Credentials                 Command
Domain naming master     Enterprise Administrators   Seize naming master
Schema master            Schema Administrators       Seize schema master
Infrastructure master    Domain Admins               Seize infrastructure master
PDC emulator master      Domain Admins               Seize pdc
RID master               Domain Admins               Seize rid master

Microsoft WSUS: questions and answers

How to update group policy on a client?

gpupdate /force

Which WSUS server is registered on a client?

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"

How to print the group policy applied to a client on screen?

Gpresult /r

How to confirm whether the update has been downloaded on the WSUS server first?

Add the File Status column. In WSUS, in the update window, right-click on the grid header and select “File Status”. The green icon means that the update is ready for installation.

How to get the update log on a client via PowerShell?

Open PowerShell with admin privileges and type:

Get-WindowsUpdateLog

This command will build a WSUS client log on the desktop.

How to remove a windows computer from wsus updating


Updating Nakivo Appliance in environment with Qnap nas

Nakivo Environment

In this environment we have a Nakivo appliance and a QNAP NAS, used as the Nakivo backup repository. We need to update the Nakivo appliance, which is currently at version 10.6.

Updating Nakivo using web console

Open the Nakivo web interface and navigate to “Settings” – “Software Update”. The procedure offers you version 10.7. Proceed. You’ll receive a warning that “remote transporters will not be updated automatically”. After this procedure Nakivo will be at version 10.7 and no other updates will be available. The web console now signals that your QNAP transporter is “out of date”, so you need to update it before you can use it. And here is the problem: as we’ll see, the Nakivo QNAP site only lets you install version 10.9 of the QNAP transporter, which is newer than the current Nakivo appliance version. So you first need to install version 10.9 on your Nakivo appliance, and you need to do it manually.

Updating Nakivo manually

On the Nakivo update site you have to download the “Virtual Appliance”. You’ll download the file

NAKIVO_Backup_Replication_v10.9.0.76010_Updater.sh

Using WinSCP, connect to your Nakivo appliance via SSH. Upload the .sh file to the folder /opt/nakivo/updates.

To log in to a Nakivo appliance via SSH, the default credentials are:

  • username : root
  • password : QExS-6b%3D

Now you have to follow these instructions to update the application: Nakivo manual.

Updating Nakivo Transporter in Qnap

In our environment, the QNAP has the Nakivo Transporter app version 10.6.0, compatible with the starting version of our Nakivo appliance. It’s not possible to update this version automatically via QNAP; you need to download the new transporter from the Nakivo site and update it via the QNAP web console.

On the Nakivo site, you have to choose between the Intel and the ARM transporter package. You’ll download an opkg file.

So, open the QNAP web console and install it manually:

Unable to install QNAP Transporter because the digital signature is invalid

If you are unable to install the Nakivo Transporter package because you receive an error reporting that the digital signature is invalid, you need to allow installation of applications without a valid digital signature. Click the Settings icon in the top-right corner of the App Center. On the General tab, check the option “Allow installation of applications without a valid digital signature”.

Issue with Nakivo web interface 10.9 in web browser

Even though Nakivo suggests using Chrome or Firefox to use its web interface properly, we had problems using Chrome. We solved it by using Microsoft Edge.
