Copy AD group memberships from a source user to other users

Note: This blog post is also posted on my personal blog –

One of those mundane tasks you get to do as an IT administrator is assigning users to security groups for access to resources in the domain. Usually, when you ask the person making the request which security groups the user account needs membership of, they will point you to some other user account as a reference. Sometimes you will even get a list of users that all need the same memberships. Read more
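
The following is an added example of that task, not the script from the post. It uses the RSAT ActiveDirectory module, assumes rights to modify the groups involved, and the user names are placeholders. The one thing a reference-user copy tends to get wrong is privilege: it silently replicates whatever admin groups the reference account happens to be in, so the function skips AdminSDHolder-protected groups (adminCount=1) unless explicitly told otherwise and supports -WhatIf for a dry run.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's own script. Assumes the ActiveDirectory module,
# rights to modify the groups involved, and placeholder user names.

function Copy-GroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceUser,
        [Parameter(Mandatory)][string[]]$TargetUser,
        # Protected (adminCount=1) groups are skipped unless asked for, so a
        # reference user's admin rights are not copied by accident.
        [switch]$IncludeProtected
    )

    $source = Get-ADUser -Identity $SourceUser -Properties memberOf
    # memberOf holds group DNs; it does not include the primary group
    # (normally Domain Users), which every account already has.
    $groups = foreach ($dn in $source.memberOf) {
        Get-ADGroup -Identity $dn -Properties adminCount
    }

    foreach ($name in $TargetUser) {
        $target = Get-ADUser -Identity $name -Properties memberOf
        foreach ($group in $groups) {
            if ($target.memberOf -contains $group.DistinguishedName) { continue }
            if ($group.adminCount -eq 1 -and -not $IncludeProtected) {
                Write-Warning "Skipping protected group '$($group.Name)' for $name (use -IncludeProtected to copy it)"
                continue
            }
            if ($PSCmdlet.ShouldProcess($name, "Add to group '$($group.Name)'")) {
                Add-ADGroupMember -Identity $group -Members $target
                # Report what was changed so the ticket can carry the audit trail
                [pscustomobject]@{ User = $name; Group = $group.Name; Protected = ($group.adminCount -eq 1) }
            }
        }
    }
}

# Dry run first, then apply (names are placeholders):
Copy-GroupMembership -SourceUser 'jdoe' -TargetUser 'asmith', 'bjones' -WhatIf
Copy-GroupMembership -SourceUser 'jdoe' -TargetUser 'asmith', 'bjones' | Format-Table
```

memberOf is read from one Domain Controller and only lists groups that DC knows about, so domain-local groups from other domains in the forest may be missing; run the dry run and compare the warnings with what the requester actually asked for before applying.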

Error 1787 when logging in with domain account

After joining a new Windows 2008 R2 Server to the domain I could not log in to the domain.

I would get the following error message:

The security database on the server does not have a computer account for this workstation trust relationship.

Additionally the following error was logged in the Eventlog:

Event ID 3 | Error 1787 | Error Code 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | A Kerberos Message was received


Read more

Script to Get Computer OU

Just some quick code to get the OU name of the computer the script runs on, first as VBScript and then as the PowerShell equivalent.


Function GetComputerOU
	Dim objSysInfo: Set objSysInfo = CreateObject("ADSystemInfo")
	Dim objComputer: Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
	Dim objOU : Set objOU = GetObject(objComputer.Parent)
	GetComputerOU = objOU.OU
End Function

Wscript.Echo GetComputerOU


function GetComputerOU {
	# ADSystemInfo is a late-bound COM object, so its ComputerName property
	# (the computer's distinguished name) has to be read through InvokeMember
	$SysInfo = New-Object -ComObject "ADSystemInfo"
	$ComputerDN = $SysInfo.GetType().InvokeMember("ComputerName", [System.Reflection.BindingFlags]::GetProperty, $null, $SysInfo, $null)
	$Computer = [ADSI]("LDAP://{0}" -f $ComputerDN)
	# Parent is the ADsPath of the container; OU is empty when the computer
	# sits in a container such as CN=Computers instead of an OU
	return ([ADSI]$Computer.Parent).OU
}

GetComputerOU


TCP Error 10061 when Login into ChangeAuditor

When installing ChangeAuditor from Quest (a next, next, finish installation) I received an error when I tried to log on with the client, although the installation itself reported no errors. The client showed the following:

Could not connect to net.tcp://<FQDN>.local:49309/Service. The connection attempt lasted for a time span of 00:00:02.0779654. TCP error code 10061: No connection could be made because the target machine actively refused it <IPadress>:49309.



Read more

Setting NTFS Permissions by SID in PowerShell

I am currently creating a PowerShell script that creates a user with all needed Active Directory attributes, an Exchange mailbox, (Terminal Services) home and profile directories, and so on.

In such a script you can easily get failures because of Active Directory replication: if the NTFS permission is granted by account name, the file server has to resolve that name through a Domain Controller, and that DC may not have received the freshly created account yet.
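
Granting the permission by SID avoids the name lookup altogether, because the ACE stores the SID anyway. The following is an added example, not the post's script; it assumes the ActiveDirectory module and uses placeholder names for the DC and share. The SID is read from the same Domain Controller the account was created on, so it is available before replication has finished.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's own script. Assumes the ActiveDirectory module;
# the DC name, user name and share path are placeholders.

function Grant-FolderAccessBySid {
    param(
        [Parameter(Mandatory)][string]$Path,
        # A SecurityIdentifier needs no name resolution; a SID string is accepted too
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    # Apply to the folder, its subfolders and files
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Sid, $Rights, $inherit, $propagate, $allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Read the SID from the DC the account was created on, not from "any" DC
$user = Get-ADUser -Identity 'jdoe' -Server 'dc01.corp.example'
Grant-FolderAccessBySid -Path '\\fs01\home$\jdoe' -Sid $user.SID
```

Until the account has replicated to the DC the file server talks to, the new ACE shows up in the security tab as the raw SID (or "Account Unknown"); that is expected and resolves itself once replication completes. Only the name display is affected, the access check itself works on the SID from the start.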

Read more

Check if a useraccount exists with PowerShell

The function below can be used to check if a given user name exists in Active Directory. The name is escaped before it goes into the LDAP filter; otherwise a value such as `*` or `x)(objectClass=*` would widen the search and turn the check into a different query:

function UserExists([string]$Username) {
	# Escape the characters RFC 4515 reserves in filter values: \ * ( ) and NUL
	$escaped = [regex]::Replace($Username, '[\\*()\x00]', { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
	# objectClass=user excludes contacts, which also have objectCategory=person
	$strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"

	$objDomain = New-Object System.DirectoryServices.DirectoryEntry

	$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
	$objSearcher.SearchRoot = $objDomain
	$objSearcher.Filter = $strFilter
	$objSearcher.SearchScope = "Subtree"

	# One hit is enough to answer the question; FindOne returns $null when nothing matches
	return ($objSearcher.FindOne() -ne $null)
}

AD Internals: Reset RID Allocation Pool

A few days ago I wrote about how RID Allocation Pools work in Active Directory (see AD Internals: Display RID Allocation Pools).

The article includes a script to dump all RID information for the whole domain. I will be using this script, rIDump.ps1 in this article.

In my test environment I had a problem with the RID Allocation Pool on one of the Domain Controllers. I noticed this because I had some duplicate SIDs in the domain.

So I needed to force this Domain Controller to re-allocate a block of RIDs, and I wrote a PowerShell script, rIDAlloc.ps1, to do that:

Before I go on with the script I will explain how we can force a Domain Controller to re-allocate a RID Pool.

First we need to obtain the Domain SID; we can do this by reading the objectSid attribute of the domain object:

$objDomain = New-Object System.DirectoryServices.DirectoryEntry   # binds to the default naming context
$objDomainSid = $objDomain.objectSid                             # byte array holding the binary SID

Then we need to write that binary Domain SID to a special attribute called invalidateRidPool on the RootDSE. The RootDSE is per server, so the LDAP bind must target the Domain Controller whose pool we want to discard, and the write requires administrative rights on the domain.
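
The procedure above, carried through as an added example; this is not the post's rIDAlloc.ps1. It assumes the ActiveDirectory module, Domain Admin rights and a placeholder DC name, and it dumps the DC's RID Set before and after so the effect is visible.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's rIDAlloc.ps1. Assumes Domain Admin rights and the
# ActiveDirectory module; the DC name is a placeholder.

function Get-RidSet {
    param([Parameter(Mandatory)][string]$Dc)
    # The computer object of the DC points to its RID Set via rIDSetReferences
    $computer = Get-ADComputer -Identity $Dc.Split('.')[0] -Server $Dc -Properties rIDSetReferences
    $set = Get-ADObject -Identity $computer.rIDSetReferences[0] -Server $Dc `
        -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    # Pool attributes are 64-bit: low 32 bits = first RID, high 32 bits = last RID.
    # rIDPreviousAllocationPool is the pool the DC currently hands out from,
    # rIDAllocationPool the latest pool the RID master granted it.
    [pscustomobject]@{
        DC                        = $Dc
        rIDAllocationPool         = '{0}-{1}' -f ($set.rIDAllocationPool -band 0xFFFFFFFF), ($set.rIDAllocationPool -shr 32)
        rIDPreviousAllocationPool = '{0}-{1}' -f ($set.rIDPreviousAllocationPool -band 0xFFFFFFFF), ($set.rIDPreviousAllocationPool -shr 32)
        rIDNextRID                = $set.rIDNextRID
    }
}

function Invoke-RidPoolInvalidation {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Dc)
    # The value written is the Domain SID in binary form (an octet string)
    $domainSid = (Get-ADDomain -Server $Dc).DomainSID
    $sidBytes  = New-Object byte[] ($domainSid.BinaryLength)
    $domainSid.GetBinaryForm($sidBytes, 0)
    if ($PSCmdlet.ShouldProcess($Dc, 'Invalidate RID pool')) {
        # RootDSE is per server: bind to the DC with the bad pool, not to "any DC"
        $rootDse = [ADSI]"LDAP://$Dc/RootDSE"
        $rootDse.Put('invalidateRidPool', $sidBytes)
        $rootDse.SetInfo()
    }
}

Get-RidSet -Dc 'dc02.corp.example'
Invoke-RidPoolInvalidation -Dc 'dc02.corp.example'
# After the next SID allocation the DC requests a fresh block from the RID master
Get-RidSet -Dc 'dc02.corp.example'
```

Two caveats before running this against a production DC: the RIDs left in the discarded pool are never handed out again, so each run burns up to a full pool (500 RIDs by default), and the DC can only obtain a new pool if the RID master is reachable. Invalidating the pool also does nothing for objects that already carry a duplicate SID; those have to be deleted and recreated.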

Read more

The case of the duplicate SID’s


I encountered another interesting error during Exchange 2010 installation today. During the Organization Preparation I got the following error:

The requested object has a non-unique identifier and cannot be retrieved. Active directory response: 0000219D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

The setup.log doesn’t give us much more detailed info: Read more

Exchange 2010 well-known object entry install error

Today I was testing the installation of Exchange 2010 in a VMware sandbox environment. We created the sandbox to test the migration from a 2003 AD and Exchange environment to 2008 R2 with Exchange 2010.

We used a P2V to get real copies of the Active Directory and the AD upgrade to 2008 R2 was already tested.

But during the Exchange installation in the sandbox I got the following error:

The well-known object entry on the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=zorg,DC=local points to an invalid DN or a deleted object.  Remove the entry, and then rerun the task.

Read more

SCOM: Change alert owner fails from non AD joined machine

In System Center Operations Manager 2007 R2 (SCOM) alerts and warnings are generated and collected in the ‘Active Alerts’ view. A useful function is the ability to assign an alert to a user, which enables the IT department to delegate alerts to specific administrators. This way a storage administrator can solve the storage problems, and the DBAs can solve database alerts.

In the properties of an alert (or warning) there is an Owner field, with a ‘Change’ button next to it that opens a search dialog for looking up users in Active Directory. Although the AD search is optional (you can type any value without verification), you do need a domain-joined computer for this feature.

Read more