Posts Tagged ‘Active Directory’

Un-delegate AD Permissions

May 20th, 2011 Ashley Moore No comments

Sometimes after delegating permissions to a user or group it may be required to revoke them (maybe the user has left or the group belongs to a temporary team of contractors). You can't go back through the Delegate Control wizard and take back the permissions as you might expect, so I thought I would put up a quick post showing how to do it.

First of all, open ADUC, select View and make sure Advanced Features is checked.

Next, right-click the OU that you need to remove the delegated permissions from, select Properties and then the Security tab.

Here you should be able to see the user/group that you originally delegated permissions to. To revoke these delegated permissions, simply remove them from the ACL.

HTH

Ash
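The same revocation can be reviewed and scripted from PowerShell. This is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed, and the OU distinguished name and group name are placeholders.

```powershell
# Added example: find and remove the explicit ACEs a delegation left on an OU.
Import-Module ActiveDirectory   # also provides the AD: drive used below

# Placeholders (assumptions): replace with your own OU and principal.
$ouDn      = 'OU=Contractors,DC=example,DC=test'
$principal = 'EXAMPLE\Temp-Contractors'
$ouPath    = "AD:\$ouDn"

$acl = Get-Acl -Path $ouPath

# Delegated permissions are explicit ACEs on the OU, so inherited entries
# (which must be changed on the parent that defines them) are skipped.
$delegated = @($acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $principal
})

if ($delegated.Count -eq 0) {
    Write-Warning "No explicit ACEs for $principal on $ouDn"
    return
}

# Review what is about to be removed.
$delegated |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize

# Keep a copy of the ACL as it was, in SDDL form, for the change record.
$acl.Sddl | Out-File -FilePath '.\ou-acl-before.sddl.txt'

# Remove exactly the entries listed above and nothing else.
foreach ($ace in $delegated) {
    $acl.RemoveAccessRuleSpecific($ace)
}

# -WhatIf shows the change without writing it; drop it to apply.
Set-Acl -Path $ouPath -AclObject $acl -WhatIf
```

Running the listing step on its own across all OUs is also a quick way to spot delegations that outlived the team they were created for.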


Active Directory Replication Issue “The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed”

April 11th, 2011 Daniel Davies No comments

We came across an issue recently when we were creating a test environment. Basically, we were taking a copy of our DCs' VHDs and then attaching the copies to VMs in our Test Lab.

We attached both VHDs and then reassigned the IPs to fit in with our Test Lab IP addressing scheme.

After doing this and starting the VMs, both DCs were able to communicate via ping; however, AD was not functioning correctly as DNS on both servers was not functioning correctly. I checked the Event Logs on both servers and they were both giving the same alert.

Event ID 4013

“The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.”

To resolve this issue I had to do the below to allow the initial synchronization.

  1. Log onto the First Domain Controller
  2. Open Regedit
  3. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  4. Right-click Parameters, click New, and then click DWORD Value.
  5. Type “Allow Replication With Divergent and Corrupt Partner” and press enter.
  6. Open the entry and in the Value Data box type 0
  7. Reboot the first DC, wait for it to come back online, and then repeat the above steps on the second DC.
  8. Now AD should be fully functional again. When this is the case, please be sure to change “Allow Replication With Divergent and Corrupt Partner” back to 0.

Microsoft release KB977611 to fix home folder deletions when changing home folder path to a DFSR namespace in an AD user account

February 22nd, 2011 Daniel Davies No comments

Just to let you know, Microsoft have released a hotfix to sort out an issue where users' home folders were getting deleted whenever a user's home folder path was changed to a DFSR path within an AD user object.

For full details of the symptoms see my previous blog: http://support.risualblogs.com/blog/2011/01/24/offline-files-and-group-policy-causes-home-folder-deletion/

The hotfix is KB977611 and can be requested from the following location: http://support.microsoft.com/kb/977611

Hotfix Symptoms Quoted from the above Microsoft KB Article.

“Consider the following scenario:

  • As a domain administrator, you apply a Folder Redirection Group Policy object (GPO) in order to redirect a folder to a network share. For example, you redirect the Documents folder.
  • You change the Folder Redirection GPO to specify a new network share. Additionally, the new network share targets the same physical location as the existing network share.
  • When you change the Folder Redirection GPO, you click to select the Move the contents of <Folder_Name> to the new location check box.
  • You apply the Folder Redirection GPO to the domain users and to the client computers.
  • A domain user logs on to a client computer that is running Windows Vista or Windows Server 2008.

In this scenario, the domain user finds that the redirected folder is empty.
Notes

  • This issue typically occurs when you redirect a folder to a Distributed File System (DFS) link.
  • For more information about how to configure the Folder Redirection GPO, see the More information section.”

Client IP Address does not map to an existing Site Boundary in Active Directory

January 31st, 2011 Daniel Davies No comments

You may come across the following alert in some of your domain controllers' event logs: “Client IP Address does not map to an existing Site Boundary in Active Directory”.

This event means that a machine has authenticated to a domain controller from an IP address that is not covered by any subnet defined in AD Sites and Services.

To find the IPs of the offending machines, have a look at the domain controller's Netlogon log (%systemroot%\debug\netlogon.log), which will display a list of the IP addresses that do not have a subnet specified.

You then just need to open AD Sites and Services and add the subnet.

  • Open AD Sites and Services
  • Expand Sites, right-click Subnets and choose New Subnet
  • Enter the subnet, associate it with the appropriate site and click OK

The error should now disappear.
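To turn the Netlogon log into a short list of subnets to add, the entries can be grouped by network. This PowerShell is an added example, not from the original post; it assumes the unmapped clients are logged as `NO_CLIENT_SITE: <name> <IPv4>` lines, uses constructed sample lines when the log is not present, and groups by /24 purely as a starting heuristic.

```powershell
# Added example: summarise clients with no AD site from netlogon.log.
# Constructed sample lines (assumed layout), used when the real log is absent.
$sample = @'
01/31 09:12:44 [1204] EXAMPLE: NO_CLIENT_SITE: WKS-042 10.20.30.42
01/31 09:13:02 [1204] EXAMPLE: NO_CLIENT_SITE: WKS-017 10.20.30.17
01/31 09:15:10 [1204] EXAMPLE: NO_CLIENT_SITE: LAB-SRV1 192.168.50.5
01/31 09:16:31 [1204] EXAMPLE: NO_CLIENT_SITE: WKS-042 10.20.30.42
01/31 09:17:00 [1204] EXAMPLE: some unrelated netlogon entry
'@ -split '\r?\n'

function Get-UnmappedClient {
    param([string[]]$Line)
    # Client name and IPv4 address follow the NO_CLIENT_SITE marker.
    $pattern = 'NO_CLIENT_SITE:\s+(?<Client>\S+)\s+(?<IP>\d{1,3}(?:\.\d{1,3}){3})\s*$'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            $o = $Matches.IP -split '\.'
            [pscustomobject]@{
                Client  = $Matches.Client
                IP      = $Matches.IP
                # /24 is only a guess at the real subnet boundary.
                Slash24 = '{0}.{1}.{2}.0/24' -f $o[0], $o[1], $o[2]
            }
        }
    }
}

$log   = "$env:SystemRoot\debug\netlogon.log"
$lines = if (Test-Path $log) { Get-Content $log } else { $sample }

# One row per candidate subnet, busiest first, with the clients seen in it.
Get-UnmappedClient -Line $lines |
    Group-Object Slash24 |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'CandidateSubnet'; e = { $_.Name } },
                  Count,
                  @{ n = 'Clients'; e = { ($_.Group.Client | Sort-Object -Unique) -join ', ' } }
```

Confirm the real prefix length with the network team before creating the subnet object, and treat any address range nobody recognises as something to investigate rather than simply map to a site.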

Offline Files and Group Policy causes Home Folder deletion

January 24th, 2011 Daniel Davies 3 comments

Recently we came across an issue where users' home folders were getting deleted every time we changed the user's home folder location in their AD user object.

Every user whose home folder was deleted had their home folder changed to a DFSR path, had offline folders enabled and had a GPO applied with the setting “Move the Contents of Documents to the new location” enabled.

After much research we managed to find out the scenarios in which the users files would or wouldn’t get deleted.

Scenario 1

Folder Gets Deleted Every time we change the path.

  1. Enable Move the Contents of Documents to the new location
  2. Set UNC path under the home drive for the User in AD
  3. Log on as the user onto Vista Client
  4. Make sure H drive is enabled for Offline files
  5. Add some files to the H drive and then perform a Sync through offline files
  6. Change Users home drive to DFS namespace
  7. Log off Vista machine and Log back on
  8. Perform a Sync
  9. Reboot Client
  10. Home Folder gets deleted

Scenario 2

Folder doesn’t get deleted

  1. Deselect Move the Contents of Documents to the new location
  2. Set UNC path under the Profile for the User in AD
  3. Log on as the user onto Vista Client
  4. Make sure H drive is enabled for Offline files
  5. Add some files to the H drive and then perform a Sync through offline files
  6. Change User home drive to DFS namespace
  7. Log off Vista machine and Log back on
  8. Perform a Sync
  9. Reboot Client
  10. Home Folder does not get deleted

Scenario 3

Folder doesn’t get deleted

  1. Do not use offline files
  2. The “Move the contents” setting can be enabled or disabled; it doesn’t make a difference

In the end we went for scenario 2 as we needed users to have the offline files functionality.