Posts filed under ‘Windows’

How to install and configure LAPS

Recently we had to deploy LAPS in one of our client environments. The requirement was to centrally manage the local administrator password of all the domain-joined workstations and servers. I used the guides below to complete the installation (kudos to the blog owners).



In addition to the above, you may come across the issues below.

  • Unable to configure the Group Policy using the LAPS Administrative Template, or the LAPS Administrative Templates are missing.

    Solution: Run the LAPS installer on the DC, deselect all the options and select only "GPO Editor templates".

  • Manual password reset via the fat client / command line is not working.

    Solution: Run gpupdate after the manual password reset on the computer whose password you are changing.

Good Luck.

December 15, 2019 at 2:29 pm

How to Track File Deletion on a File Server

Hi Folks

If anybody wants to enable auditing on their file server for the purpose of tracking who has deleted files or folders, I would recommend the article below.

It covers detailed steps on how to enable the audit Group Policy and the folder-level auditing parameters. However, after enabling the required configuration you need to filter the Security event log for event IDs 4663, 4624, 5140 and 4660.

These event IDs provide the audit trail for the deletion.
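As an added example (not part of the original post), the script below turns two of those event IDs into a "who deleted what" list: 4663 records the handle that was opened with DELETE access and carries the file path, 4660 confirms the object was actually deleted, and the two are joined on Handle ID. It assumes object-access auditing is already enabled as the post describes, that the session can read the Security log, and that $Server is the file server name.

```powershell
# Added example: correlate Security events 4663 (DELETE access requested) and
# 4660 (object deleted) by Handle ID. Assumes auditing is enabled and the
# caller can read the Security log on $Server.
param(
    [string]$Server = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# Pull only the two event IDs we need (Get-WinEvent returns newest first)
$events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
    LogName = 'Security'; Id = 4663, 4660; StartTime = $Since
} -ErrorAction SilentlyContinue

# Read a named EventData field from the event XML
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$DELETE = 0x10000   # DELETE bit of the AccessMask reported in 4663
$byHandle = @{}
foreach ($e in ($events | Where-Object Id -eq 4663)) {
    $mask = [int](Get-EventField $e 'AccessMask')
    if (($mask -band $DELETE) -eq 0) { continue }
    # 4663 carries the path; key it by handle so the 4660 can find it.
    # Handle IDs are reused over time, so keep the time window short.
    $byHandle[(Get-EventField $e 'HandleId')] = [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = (Get-EventField $e 'SubjectUserName')
        Object  = (Get-EventField $e 'ObjectName')
        Process = (Get-EventField $e 'ProcessName')
    }
}

# 4660 has no path of its own; join it back to the 4663 that opened the handle
$deletions = foreach ($e in ($events | Where-Object Id -eq 4660)) {
    $h = Get-EventField $e 'HandleId'
    if ($byHandle.ContainsKey($h)) {
        $byHandle[$h] | Add-Member -NotePropertyName DeletedAt `
            -NotePropertyValue $e.TimeCreated -PassThru
    }
}
$deletions | Sort-Object DeletedAt | Format-Table DeletedAt, User, Object, Process -AutoSize
```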

June 18, 2019 at 12:22 pm

Additional Permissions needed for a Service Account to Reset and Change AD passwords and Unlock AD Accounts.

In some scenarios we had to delegate permission to a junior administrator to do some AD-related tasks, for example changing/resetting an AD user's password or unlocking a user account. In this case most of the articles I googled and referred to point only to enabling "Reset user passwords and force password change at next logon". But what I realized is that this alone will not grant the required permission.

Thus you additionally need to add a custom delegation as described below:

  • Create a custom task to delegate and click Next.
  • Select Only the following objects in the folder from the Delegate control of option.
  • Select the User objects option as the object type to delegate.
    Click Next to proceed (ensure Property-specific is selected).
  • Scroll down and select Read lockoutTime and Write lockoutTime.
  • Review the changes and click Next to complete the wizard.

Please note that I have not listed detailed steps on how to create the delegation rules, as there are plenty of articles on the Internet that provide very descriptive guidelines along with screenshots.


June 28, 2018 at 11:20 am

SYSVOL Replication Error on Windows 2012 R2

Hi Guys

Recently we migrated one of our customer's Active Directory domain controllers to a virtualized environment. During the DC migration my colleague noticed that the SYSVOL and NETLOGON folders were not replicating their contents from the existing domain controller, so he copied the contents manually. But after some time the client started reporting errors like:

  • The Group Policy is not getting updated or propagated to all the workstations/users.
  • Logon scripts stopped working.

When we dug into the problem we were able to track the issue down to the DFSR-based SYSVOL replication. Most importantly, the old DC had not been replicating for approximately 1300 days (Figure 1). The event IDs below helped us track down the issue:






So when we started troubleshooting we tried running the commands stated in Event Viewer (refer to the attached file), but to no avail.

We also ran the command below:
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

Strangely, the status on all the servers showed 2, which is Initial Sync (one of the reasons for the problem). Also, in our case the replication gap was more than 1000 days, while MaxOfflineTimeInDays is set to 60 days by default in Windows. We needed to extend it to 1800 days, so we ran the command below to force the servers to accept content that was more than 1000 days stale.

wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=1800

(Do not forget to set it back to the original value of 60 days.)

But still to no avail. Then we decided to do an authoritative restore of the SYSVOL folder. We ran the command set below, which was extracted from the MS KB:

Do these steps on the PDC Emulator role holder.

Stop the DFSR service:

#net stop dfsr

Open the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up to date for SYSVOL contents):

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>


Modify the following DN and single attribute on all other domain controllers in that domain:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>


Stop the DFSR service on all the remaining domain controllers:

#net stop dfsr

Force Active Directory replication throughout the domain and validate its success on all DCs.

Start the DFSR service on the DC set as authoritative (the PDC emulator):

#net start dfsr

You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.

On the same DN from Step 1, set:


Run the below command to force Active Directory replication throughout the domain and validate its success on all DCs.

#repadmin /syncall /AdP

Run the following command from an elevated command prompt on the same server that you set as authoritative:


You will see Event ID 4602 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D4” of SYSVOL.

Start the DFSR service on the other, non-authoritative DCs:

#net start dfsr

You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.

Modify the following DN and single attribute on all other domain controllers in that domain:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>


Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one):



Voila, we could see replication start working, and when we checked the replication status via the command

For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

it showed status 4 (which means all synced).
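The WMIC one-liner above (and the MaxOfflineTimeInDays check earlier in this post) can be done from PowerShell in one pass over every DC. The script below is an added example, not from the original post or the MS KB; it assumes the ActiveDirectory module and CIM/WinRM access to each domain controller. The state-number names are from the DfsrReplicatedFolderInfo WMI class (2 = Initial Sync and 4 = Normal are the two seen above).

```powershell
# Added example: report the DFSR SYSVOL replicated-folder state and
# MaxOfflineTimeInDays for every DC. Assumes ActiveDirectory module and
# CIM access to each DC with an admin account.
Import-Module ActiveDirectory

# State values of the DfsrReplicatedFolderInfo WMI class
$stateNames = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
    3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error'
}

function Get-SysvolDfsrState {
    param([string[]]$DomainController)
    foreach ($dc in $DomainController) {
        try {
            $folder = Get-CimInstance -ComputerName $dc -Namespace 'root\microsoftdfs' `
                -ClassName DfsrReplicatedFolderInfo |
                Where-Object ReplicatedFolderName -eq 'SYSVOL Share'
            $config = Get-CimInstance -ComputerName $dc -Namespace 'root\microsoftdfs' `
                -ClassName DfsrMachineConfig
            [pscustomobject]@{
                DC                   = $dc
                ReplicationGroup     = $folder.ReplicationGroupName
                State                = $folder.State
                StateName            = $stateNames[[int]$folder.State]
                MaxOfflineTimeInDays = $config.MaxOfflineTimeInDays
                Healthy              = ($folder.State -eq 4)
            }
        } catch {
            # A DC we cannot query is treated as unhealthy rather than skipped
            [pscustomobject]@{
                DC = $dc; ReplicationGroup = $null; State = $null
                StateName = "Query failed: $($_.Exception.Message)"
                MaxOfflineTimeInDays = $null; Healthy = $false
            }
        }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
$report = Get-SysvolDfsrState -DomainController $dcs
$report | Format-Table -AutoSize

# Anything not in state 4 (Normal), e.g. stuck in Initial Sync, needs attention;
# a MaxOfflineTimeInDays left above the default 60 is flagged as well
$report | Where-Object { -not $_.Healthy -or $_.MaxOfflineTimeInDays -gt 60 } | ForEach-Object {
    Write-Warning "$($_.DC): state '$($_.StateName)', MaxOfflineTimeInDays=$($_.MaxOfflineTimeInDays)"
}
```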

I am listing the articles below which helped me in the initial troubleshooting.

Good Luck


Update 1 (29/01/2018) :

  • Added the start and stop DFSR commands.


November 5, 2017 at 12:19 pm

Windows 2016 License Calculator


Microsoft's recent change of licensing approach, transitioning from processor-based to core-based licences, has caused various confusions for customers. But HP has come up with a cool calculator that helps to calculate the exact licences we need to procure per server and the total rights for virtual OSEs. Further, this tool gives an option to add the number of VMs that we are planning to host, and in turn it gives the additional licence packs we need to order:

June 12, 2017 at 12:51 pm

How to import Users to Windows 2012 Active Directory using PowerShell

Hi Guys

In many AD installations I come across requirements to create multiple users in Active Directory (more than 200 in many cases). In these cases we could use the CSV template below and the PowerShell command to import the users directly into Active Directory.


Here the Path value points to the OU in which you want to place the users in Active Directory, which can be found using the Attribute Editor of the OU (we need to enable Advanced Features in the ADUC management console).

PS command syntax:
Import-CSV C:\anyname.csv | New-ADUser -AccountPassword (ConvertTo-SecureString -AsPlainText "any complex password" -Force) -PassThru | Enable-ADAccount


Import-CSV C:\Users_1.csv | New-ADUser -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force) -PassThru | Enable-ADAccount
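The one-liner above gives every imported account the same initial password. As an added example (not from the original post), the script below keeps the same pipeline-bound CSV columns but generates a random password per user and forces a change at first logon; the CSV rows and the OU path are constructed placeholders, and Import-Csv C:\Users_1.csv would replace them in practice.

```powershell
# Added example: bulk-create AD users from CSV with a random per-user password
# and ChangePasswordAtLogon, instead of one shared password. Assumes the
# ActiveDirectory module; CSV rows and the OU below are constructed samples.
Import-Module ActiveDirectory

# Constructed sample standing in for C:\Users_1.csv (same column names
# New-ADUser binds from the pipeline, including the Path OU from the post)
$users = @'
Name,SamAccountName,GivenName,Surname,UserPrincipalName,Path
"Alice Example",aexample,Alice,Example,aexample@example.local,"OU=Staff,DC=example,DC=local"
"Bob Sample",bsample,Bob,Sample,bsample@example.local,"OU=Staff,DC=example,DC=local"
'@ | ConvertFrom-Csv

function New-RandomPassword {
    param([int]$Length = 16)
    # 64 symbols so a byte modulo 64 has no bias; ambiguous glyphs (l, o, 0, 1, I, O) dropped
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%&*-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$created = foreach ($u in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists, skipping"
        continue
    }
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -AsPlainText $plain -Force
    # Name, SamAccountName, GivenName, Surname, UPN and Path bind by property name
    $u | New-ADUser -AccountPassword $secure -ChangePasswordAtLogon $true -PassThru |
        Enable-ADAccount
    # Initial password is returned once for out-of-band handover, never written to the CSV
    [pscustomobject]@{ SamAccountName = $u.SamAccountName; InitialPassword = $plain }
}
$created | Format-Table -AutoSize
```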

December 22, 2016 at 2:24 pm

There is no certificates installed on this remote desktop server

In RD Session Host Configuration, when you try to assign an SSL certificate you obtained from a vendor, you will receive the message in the title.

This is because the SSL certificate needs to be imported in .PFX format. In my case the cert I downloaded from GoDaddy had a .crt extension. Therefore I opened the Certificates snap-in (Local Computer), selected the already imported certificate in the Personal container and tried to export it as Personal Information Exchange (.pfx) so I could re-import it correctly, but I was not able to do so as it was showing the screen below:


As you can see, the Personal Information Exchange option is disabled; this is because the SSL certificate does not have the private key.

In order to overcome this, get the serial number of the certificate (open the SSL certificate by double-clicking on it and open the Details tab), then on a command prompt enter the command below:

certutil -repairstore my "SerialNumber"

That's it. Now you can export the cert as .pfx and re-import it into the Personal and Remote Desktop containers in the Certificates snap-in.

Finally you can select the SSL certificate in RD Session Host Configuration.
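The greyed-out export is visible from PowerShell as HasPrivateKey being false on the certificate object. As an added example (not from the original post), the script below finds every certificate in the machine Personal store without a bound private key, runs the same certutil -repairstore command against its serial number, and re-reads the certificate to confirm the key is now attached. It assumes an elevated session on the RD Session Host.

```powershell
# Added example: find certificates in Cert:\LocalMachine\My with no private key
# and try to re-link the key with certutil -repairstore. Assumes an elevated
# session on the server that holds the key pair.
$store  = 'Cert:\LocalMachine\My'
$broken = Get-ChildItem $store | Where-Object { -not $_.HasPrivateKey }

if (-not $broken) {
    Write-Host "All certificates in $store have a private key bound."
    return
}

foreach ($cert in $broken) {
    # Intermediate/root CA certs that landed in Personal never had a key; review the list
    Write-Host "Repairing $($cert.Subject) (serial $($cert.SerialNumber))"
    # certutil searches the machine key store for the matching key and re-links it
    certutil -repairstore my $cert.SerialNumber | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil failed for $($cert.SerialNumber); the key pair may not exist on this machine"
        continue
    }
    # Re-read the certificate object to confirm the repair took effect
    $fixed = Get-ChildItem $store | Where-Object Thumbprint -eq $cert.Thumbprint
    if ($fixed.HasPrivateKey) {
        Write-Host "  private key now bound; .pfx export is possible"
    } else {
        Write-Warning "  still no private key for thumbprint $($cert.Thumbprint)"
    }
}
```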




In 2012 and above MS has removed the RDP snap-in for changing the SSL certificate, thus you need to follow the steps mentioned in the MS KB article:


May 25, 2015 at 2:27 pm

Trust relationship cannot be created because the following error occurred


I was trying to build a forest-wide trust between a 2003 R2 and a 2008 R2 environment and I covered the required prerequisites as below:

* The forest functional level should be set to a minimum of Windows Server 2003 (on the Windows 2003 domain controller)

* Conditional forwarding was set up on 2003 and 2008 to resolve the target domain names

But I was still getting the error in the title along with the error below:

“The operation failed: The error is: This operation cannot be performed on the current domain.”



In order to solve this, please make sure the identifiers below are not the same in your source and target domains:


– NetBIOS name
– DNS name

In my case it was the NetBIOS name and I had to rename the domain.


Known Issues for Creating Domain and Forest Trusts
Available From: Accessed (12th May 2015)


May 12, 2015 at 1:45 pm

How to restore Active Directory Users with Active Directory Recycle bin

Dear Folks

I would strongly recommend enabling this feature to ease administration. Further, if you have deployed Exchange in your environment and want to recover a deleted mailbox, the AD Recycle Bin becomes handy, because when you delete a mailbox on Exchange 2013 it deletes the related AD user account as well.

In order to restore, you could simply restore the AD user account, which will restore the mailbox.

Notes to remember

– This setting is irreversible

– A deleted object stays there for 180 days by default (if this does not suit your business practice, please refer


Once the above is done you can open ADAC and select your domain name; there you will find the Deleted Objects container, where you can select the user account and choose the Restore option in the Actions pane.


February 1, 2015 at 10:19 am

Time Sync Issue on Virtualized Domain Controllers VM on Hyper-V and VMware

Dear Folks

Recently we noticed that our domain controller (VM) was giving the wrong time and pushing the wrong time to all the other servers and client PCs.

Hence we started digging into the problem by first finding the source of our domain controller's clock, using the command below:

w32tm /query /status

Source: VM IC Time Synchronization Provider

This means the source is the Hyper-V guest integration time service, and in turn our Hyper-V server had the wrong time.

Therefore what we did is disable the "Hyper-V Time Synchronization Service" via Services. Thereafter we ran the command mentioned above and the source became

Source: Local CMOS Clock

Then we set the local clock on the DC to the correct time and noticed that all our servers and clients started taking the time from the domain controller correctly.

So as a practice I would advise doing the same when your DC is sitting as a VM on any hypervisor, to avoid time sync issues.


As per the new recommendation, Microsoft says to keep the Time Synchronization service enabled, make the registry entry below on the virtualized PDC emulator

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

and add an external source.


On the PDC Emulator role holder, type the command below to check the communication with the NTP server.

w32tm /stripchart /computer:<target> /samples:<n> /dataonly

Then, if it is working fine, change the NTP configuration as below:

w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /reliable:yes /update


As per the VMware recommendation:

– Keep VMware Tools time synchronization disabled (the default)

– Configure the ESXi host to use an external time source (router / switch / public server)

– Configure the PDC emulator to use the same external time source as the ESXi host.


I would like to mention a few commands below which are useful when dealing with NTP issues on Windows:

To Stop/Start NTP
net stop w32time
net start w32time

To remove and re-register the service
w32tm /unregister
w32tm /register

To configure the PDC to use an external source:
w32tm /config /manualpeerlist:"<peers>" /syncfromflags:manual /reliable:yes /update

To query the status
w32tm /query /status
w32tm /query /configuration (the output should show the Type as NTP instead of NT5DS)

To force the time
w32tm /resync /rediscover
w32tm /config /update

To find the configuration
w32tm /query /configuration

To check the local NTP source
w32tm /query /source

To manually check a time source
w32tm /stripchart /computer:<target> /samples:5 /dataonly


To force a member server to sync with the domain controllers available in the domain

w32tm /config /syncfromflags:domhier /update (if the Windows Time service is disabled, set it to manual start first).

September 22, 2014 at 10:26 am
