How to control memberships for local computer’s builtin groups

Oct 3rd, 2009

Domain administrators sometimes face a scenario in which they have multiple workstations or member servers joined to a domain and would like to restrict or control which users are members of the built-in local groups, such as Administrators, Backup Operators, Remote Desktop Users, and Power Users. Rather than attempting this manually on each machine, it is much easier and faster to use an automated approach. I will suggest two possible automated options: a computer startup script, or Restricted Groups applied through Group Policy Objects. I highly recommend the Restricted Groups option, and I will explain why later. Read more…


Performing an authoritative restore for Active Directory deleted objects or containers

Jul 4th, 2009

Just thought I should list the step-by-step process for performing an authoritative restore in Active Directory on Windows Server 2003. But first, a brief summary of the difference between an authoritative and a non-authoritative restore.

A non-authoritative restore is used after hardware failures or other software issues that require the complete restoration of the directory service from backup; once the domain controller is back online, normal replication brings it up to date with its partners.

An authoritative restore is used when a change to or deletion of an object in Active Directory has to be reversed. The restored objects are marked as authoritative so that they replicate out to the other domain controllers instead of being overwritten by the later deletion. An example is a user mistakenly deleting an OU or a user object and then deciding to reverse the action by restoring the deleted OU or user object.

Steps for performing an authoritative restore. In this scenario, I deleted an OU and a user and then restored both through the authoritative restore process. Read more…

How to remove child domain and other naming context from forest root domain

Jul 4th, 2009

In a previous post I outlined some guidelines on how to remove a demoted domain controller from a domain using ntdsutil.exe. In this post, I will give guidance on removing a naming context, be it a child domain or a DNS zone, from Active Directory using ntdsutil.exe.

First, make sure that no domain controller or replica objects exist in your forest for the domain in question. If they do, use the previous steps [link here] to remove those objects before proceeding to delete the domain from the forest. Read more…

Remove a demoted or failed DC from Active Directory using Ntdsutil.exe

Jun 26th, 2009

If you have ever been in a situation where your domain controller crashed or failed and there is no way you intend to bring it back into production, then you must remove the failed domain controller's objects from Active Directory. In the regular procedure for removing a domain controller from a domain, you would run dcpromo to demote it, but in this case the domain controller is gone, so you have to use the ntdsutil tool to remove its objects from Active Directory. You will also need ntdsutil to remove a domain controller from a domain when you tried to demote it with dcpromo, the demotion failed, and you then used dcpromo /forceremoval. The force removal process does not fully clean up the DC's objects, so ntdsutil is required to complete the process. Read more…

Access-based Enumeration (ABE) and DFS: How to hide folders from unauthorized users

Apr 13th, 2009

Access-based enumeration (ABE) allows users to view and list only the files and folders they have access to. This feature hides other files and folders from prying eyes; it is a visibility feature layered on top of NTFS permissions, not a substitute for them. It was introduced with Windows Server 2003 and is not enabled by default. I have put together some detailed instructions on how to configure ABE. Read more…