February 3, 2011

Redirecting New Users and New Computers to a Specified OU

Filed under: Active Directory,Tips n Tricks — Rahul Patel @ 5:21 pm

Run the commands below on a domain controller (redirusr.exe and redircmp.exe are installed with AD DS in %SystemRoot%\System32) as a member of Domain Admins.

To Redirect Users
C:\Windows\System32\redirusr DN_of_new_OU
For example:
C:\Windows\System32\redirusr ou=myusers,DC=mydomain,dc=com

To Redirect Computers
C:\Windows\System32\redircmp DN_of_new_OU
For example:
C:\Windows\System32\redircmp ou=mycomputers,DC=mydomain,dc=com

Note: Your domain functional level must be at least Windows Server 2003.
If the DN contains spaces or other special characters you will need to enclose it in quotes.
Why bother: the default CN=Users and CN=Computers containers are containers, not OUs, so no GPO can be linked to them. Redirecting new objects into an OU means every newly joined computer and newly created user picks up your baseline policy from the moment it exists, rather than sitting unmanaged until someone moves it.
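The procedure above as a PowerShell script, added here as an example and not part of the original post: it creates the target OUs if they are missing, runs both tools, and verifies the result by reading the containers back from Active Directory. The OU names (Staging Users, Staging Computers) and the domain are assumptions; the script needs the ActiveDirectory module and must run elevated as a Domain Admin on a DC.

```powershell
# Added example, not part of the original post. Assumed names: "OU=Staging Users"
# and "OU=Staging Computers" directly under the domain head. Run elevated as a
# Domain Admin on a DC, where the ActiveDirectory module, redirusr.exe and
# redircmp.exe are all present.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# The functional-level requirement from the note above.
if ($domain.DomainMode -in 'Windows2000Domain', 'Windows2003InterimDomain') {
    throw "Domain functional level is $($domain.DomainMode); Windows Server 2003 or later is required"
}

$targets = [ordered]@{
    Users     = "OU=Staging Users,$domainDN"
    Computers = "OU=Staging Computers,$domainDN"
}

# Create the OUs if they do not exist yet and protect them from accidental deletion;
# a deleted redirection target breaks every new join and account creation.
foreach ($dn in $targets.Values) {
    if (-not [adsi]::Exists("LDAP://$dn")) {
        $name = (($dn -split ',', 2)[0] -replace '^OU=', '')
        New-ADOrganizationalUnit -Name $name -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# The DNs contain spaces. PowerShell wraps each argument it hands to a native
# executable in quotes, so each DN arrives as one argument; at a cmd.exe prompt
# you would have to add the quotes yourself, as the note above says.
& "$env:SystemRoot\System32\redirusr.exe" $targets.Users
& "$env:SystemRoot\System32\redircmp.exe" $targets.Computers

# Verification: Get-ADDomain reads these two values from the wellKnownObjects
# attribute on the domain head, which is exactly what the tools rewrite.
$after = Get-ADDomain
if ($after.UsersContainer -ne $targets.Users) {
    throw "Users container is still $($after.UsersContainer)"
}
if ($after.ComputersContainer -ne $targets.Computers) {
    throw "Computers container is still $($after.ComputersContainer)"
}
"New users     -> $($after.UsersContainer)"
"New computers -> $($after.ComputersContainer)"
```

Once the redirection is in place, link your baseline GPOs to the two OUs; that is the step the default containers could never offer. Computers joined under ms-DS-MachineAccountQuota by ordinary users land in the same OU, so the baseline applies to them too.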

August 3, 2009

LimitLogin: Step By Step

Filed under: Active Directory,Group Policy — Rahul Patel @ 8:30 pm

LimitLogin is an application that adds the ability to limit concurrent user logins in an Active Directory domain.
It also records login information for all users in the domain.

LimitLogin capabilities include:

· Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.

· Displaying the logins information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).

· Easy management and configuration by integrating to the Active Directory MMC snap-ins.

· Ability to delete and log off user session remotely straight from the Active Directory Users and Computers MMC snap-in.

· Generating Login information reports in CSV (Excel) and XML formats.

LimitLogin grants System Administrators, Help Desk staff or any other IT-related personnel the ability to quickly query for any user logged on to the domain and view the machines they’re currently logged on to, while enabling the above list of features and management tasks to be performed on those user sessions.

Download LimitLogin: http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Phase 1: IIS web service setup

1) IIS must be installed along with ASP.NET. This does not have to be on a DC.

2) Make sure the following Web Service Extension is set to Allowed in IIS Manager:

ASP.NET v1.1.4322

3) Install “LimitLoginIISSetup.msi” on the IIS server

NOTE: SSL can be used, but it should be configured before proceeding with the second phase of the install. The configuration can still be changed to SSL later: edit the three HTTP entries at the bottom of the LimitLogin.wsdl file to use HTTPS instead. Without SSL, the login information and session-logoff requests travel in the clear between clients and the web service.

4) Add WSLimitLogin.asmx to the top of list in the Documents tab of the website.

NOTE: If you did not install IIS on a DC, you will have to configure the IIS server to be "Trusted for Delegation". See the section titled "Manually configuring 'Trust for Delegation'" in the "LimitLogin Active Directory Setup" portion of the LimitLogin.chm help file for directions. Be aware that the unconstrained form of that setting lets the IIS server impersonate any user who authenticates to it against any service in the forest; treat that server with the same care as a domain controller, and use constrained delegation limited to the domain controllers if LimitLogin works with it.

5) Verify “Integrated Windows Authentication” is set on the “Directory Security” tab of the website under “Authentication and Access Control”.

NOTE: The web site must use Integrated Windows authentication, not anonymous access. Anonymous access would let any host on the network query who is logged on where and request remote logoffs.

6) Attempt to connect to http:///WSLimitLogin.

NOTE: Reinstall SP1 if IIS returns “Service unavailable” and generates DCOM and W3SVC errors in the System log

7) Create a hidden share on a server that will eventually house the llogon.vbs and llogoff.vbs scripts, and make sure Authenticated Users has Read access in both the NTFS and share permissions, and nothing more: anyone who can write to a logon script runs code as every user who logs on.

NOTE: You can place these files in Netlogon if you want to distribute the load amongst all DCs in the domain.
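Step 7 as an added example (not from the original post): creating the hidden script share with the minimum permissions and then checking that no non-administrative principal can write to it. The share name LimitLogin$ and the path C:\LimitLoginScripts are assumptions; the script uses the SmbShare module (Windows Server 2012 or later) and runs elevated as a local Administrator on the file server.

```powershell
# Added example, not part of the original post. Assumed share name LimitLogin$
# and path C:\LimitLoginScripts; run elevated on the file server (SmbShare
# module, Windows Server 2012 or later).
$path  = 'C:\LimitLoginScripts'
$share = 'LimitLogin$'   # the trailing $ hides the share from browse lists

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS: drop inherited ACEs and set an explicit, minimal ACL. Authenticated
# Users get ReadAndExecute so the logon scripts can run, nothing else.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    @('BUILTIN\Administrators',             'FullControl'),
    @('NT AUTHORITY\SYSTEM',                'FullControl'),
    @('NT AUTHORITY\Authenticated Users',   'ReadAndExecute')
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Share permissions: read-only for Authenticated Users.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path `
        -ReadAccess 'Authenticated Users' -FullAccess 'Administrators' | Out-Null
}

# Verification: any Allow ACE that grants a write-type right to a principal
# other than Administrators or SYSTEM on a logon-script location is a
# privilege escalation path. Fail loudly if one is present.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor
                   $fsr::TakeOwnership -bor $fsr::DeleteSubdirectoriesAndFiles)
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
$bad = (Get-Acl -Path $path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
    ($_.IdentityReference.Value -notin $trusted)
}
if ($bad) {
    throw "Unexpected write access on ${path}: $($bad.IdentityReference.Value -join ', ')"
}
"\\$env:COMPUTERNAME\$share is ready; only $($trusted -join ' and ') can write to it"
```

If you put the scripts in Netlogon instead, the same check applies to the SYSVOL scripts folder on each DC: run the verification part against that path.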

Phase 2: Active Directory setup

1) Log on to a Windows XP machine or a DC with Schema Admin and Enterprise Admin rights and install "LimitLoginADSetup.msi".

2) You will be presented with three boxes in the Setup Options:

Prepare your Active Directory Forest for LimitLogin
Prepare your Active Directory Domain for LimitLogin
Install LimitLogin AD MMC add-in tools on this machine

3) If you run setup in phases, extending the schema with the LimitLogin classes and attributes must be done first.

4) The scripts will be configured using the data you enter here:

– UNC path of the file share where the login scripts will go (\\domainname\Netlogon)
– Host name of the Web server
– Web Service Name (Default is WSLimitLogin)
* Optional SSL checkbox

5) You will be prompted to enter the host name of a Windows Server 2003 DC that will host the application partition that is dynamically created.

NOTE: Replicas of this application partition should be configured to avoid an outage if the one DC is offline.

6) The LimitLogin version of Active Directory Users and Computers MMC Snap-in will be installed.

7) You will get a pop-up telling you to copy the llogin.vbs, llogoff.vbs and limitlogin.wsdl files to your share. Copy the files at this time.
Phase 3: Client setup

1) Client machines must have .NET Framework version 1.1.4322 or higher to install the client.

2) At the time of writing, Windows Firewall must be completely disabled on the client for the remote logoff feature to work. That removes host-based filtering from every monitored workstation, so weigh it against the value of remote logoff and limit the resulting exposure at the network level.

3) Configure a Computer GPO that installs the “LimitLoginClientSetup.msi” client application to all targeted workstations.

NOTE: Directions on how to configure this are located in the LimitLogin.chm help file under the section titled, “Setting up clients for LimitLogin”.

FYI: In Step 8 of the help file you are directed to check the “Install Application at logon” option but this feature is not available. I left mine set as Assign and did not check “Install Application at logon” and installation worked fine. If you want to make use of the “Install Application at logon” feature you must click the “Assign” radio button (even though it is already selected) and the check box for “Install Application at Logon” will appear.

4) Configure a User policy that applies to all monitored users in a top-level OU. The Logon and Logoff scripts will point to the UNC of the llogon.vbs and llogoff.vbs respectively.

5) Import the “Limit Logon Computer Logoff Options.adm” file to the User GPO where the scripts are defined. An empty “LimitLogon Remote Logoff Options” node will appear.

NOTE: This ADM file is located in the same install folder where the scripts were created. Just copy this to %systemroot%\inf and edit the GPO.

6) To make the settings configurable in the GPO click View > Filtering and UNCHECK “Only show policy settings that can be fully managed”

7) Link this GPO only to the OU where the users are, not to the computers, and confirm the logon script still applies; it is a user policy and should not need to be linked to computer OUs. Then, in the LimitLogon Remote Logoff Options node:

Enable – “Logoff sessions remotely” and check the option “Attempt to remotely logoff the selected sessions”
Enable – “Prompt and confirm every remote session logoff” and check the option “Prompt and confirm every selected session before attempting Remote Logoff”
Enable – “Wait for remote logoff attempts to complete and report status” and check the option “Wait for remote logoff attempts to complete and report status”

8) On the OU where the users are going to be managed, right-click and select LimitLogin Tasks... Click Configure and set the limit to 100 (the highest that will apply), or limit the users to a smaller number of logons if you wish. This must be done to activate the Remote Logoff functionality.

July 27, 2009

Fix for File Replication System (NTFRS) replication problems (Event ID 13549)

Filed under: Active Directory — Rahul Patel @ 5:09 pm

This fix worked for me in resolving an issue where an additional domain controller was in a death cycle of starting/stopping/restarting the FRS service every few minutes.


If, after you run DCPROMO to add a domain controller to an existing domain and reboot, the NETLOGON and SYSVOL shares are not created, and the File Replication Service log in Event Viewer shows the following error:

(Event ID 13549)
The File Replication Service is unable to replicate from a partner computer because the event time associated with the file to be replicated is too far into the future. It is 30 minutes greater than the current time. This can happen if the system time on the partner computer was set incorrectly when the file was created or updated. To preserve the integrity of the replica set this file update will not be performed or propagated further.

The file name is: “[YOUR_PROBLEM_FILE_HERE]”
The connection to the partner computer is:


Before you start, keep copies of the folders and files you are about to touch (%systemroot%\ntfrs and %systemroot%\SYSVOL). Setting BurFlags to D4 on the PDC emulator makes its copy of SYSVOL authoritative for the domain; anything that exists only on the other DCs is discarded when they perform the D2 (non-authoritative) restore. The event itself is a clock-skew symptom, so fix time synchronisation between the DCs first or the error will come straight back. This procedure applies to FRS-replicated SYSVOL only; a domain that has migrated SYSVOL to DFSR is restored differently.

Take these actions to resolve your problem:

On all domain controllers in the domain:

1. Stop NETLOGON Service
2. Stop File Replication Service (NTFRS)

On the PDC Emulator

1. Rename all files in the %systemroot%\ntfrs folder and subfolders (change their extension to .old).
2. Give an unlisted account full control of the directory %systemroot%\SYSVOL folder and reset permissions on all child objects.
3. Change the registry key:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
BurFlags (REG_DWORD) = D4 (hex; the default is 0)
4. Start the NETLOGON Service
5. Start the NTFRS Service

On all non-PDC emulators:

1. Change the registry key:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
BurFlags (REG_DWORD) = D2 (hex)
2. Start the NETLOGON Service
3. Start the File Replication Service (NTFRS)

At this point, the system in question should have recreated the SYSVOL share and the NETLOGON share. Check this by running ‘net share’ from a command prompt. You should also see the Group Policy Objects listed in the SYSVOL directory as:



There may be more directories listed here, but these two are the Default Domain Policy and the Default Domain Controllers Policy that are created with every domain. If they are being replicated, file replication is functioning.
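The restore above as a PowerShell script, added here as an example and not part of the original post. Run it elevated as a Domain Admin on the PDC emulator first, then on each remaining DC once the PDC's SYSVOL and NETLOGON shares are back. It measures the clock offset against the PDC (the actual cause of event 13549), picks BurFlags D4 or D2 from the FSMO role, restarts the services, and then performs the checks described above. Assumptions: SYSVOL is still FRS-replicated (not DFSR), the ActiveDirectory module is present, and the backup of %systemroot%\ntfrs and %systemroot%\SYSVOL has already been taken.

```powershell
# Added example, not part of the original post. Run elevated as a Domain Admin,
# PDC emulator first, then the other DCs. Assumes FRS-replicated SYSVOL and the
# ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$me     = (Get-ADComputer -Identity $env:COMPUTERNAME).DNSHostName
$isPdc  = ($me -ieq $pdc)

# Event 13549 is a clock-skew symptom. A non-authoritative DC that is still far
# off the PDC will simply reproduce the error, so measure before touching FRS.
if (-not $isPdc) {
    $sample = w32tm /stripchart /computer:$pdc /samples:1 /dataonly |
              Select-String '([+-]\d+\.\d+)s' | Select-Object -First 1
    if (-not $sample) { throw "Could not measure clock offset against $pdc" }
    $skew = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
    if ($skew -gt 300) { throw "This DC is ${skew}s off the PDC emulator; fix time sync first" }
}

Stop-Service -Name Netlogon -Force
Stop-Service -Name NtFrs    -Force

# The key name contains a forward slash, which the PowerShell registry provider
# would treat as a path separator, so write the value through the .NET API.
$burKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
if ($isPdc) {
    # Authoritative restore: this DC's SYSVOL becomes the source for the domain.
    # (The SYSVOL permission reset from step 2 above is not automated here.)
    Get-ChildItem -Path "$env:SystemRoot\ntfrs" -Recurse -File |
        Rename-Item -NewName { $_.Name + '.old' }
    $flags = 0xD4
} else {
    # Non-authoritative restore: local FRS state is discarded and re-pulled.
    $flags = 0xD2
}
[Microsoft.Win32.Registry]::SetValue($burKey, 'BurFlags', $flags,
    [Microsoft.Win32.RegistryValueKind]::DWord)

Start-Service -Name Netlogon
Start-Service -Name NtFrs

# FRS can take several minutes to rebuild, so poll 'net share' rather than
# checking once.
$deadline = (Get-Date).AddMinutes(15)
do {
    $shares = net share
    $ok = [bool]($shares -match '^SYSVOL\s') -and [bool]($shares -match '^NETLOGON\s')
    if (-not $ok) { Start-Sleep -Seconds 30 }
} until ($ok -or (Get-Date) -gt $deadline)
if (-not $ok) { throw 'SYSVOL/NETLOGON still not shared; check the File Replication Service event log' }

# The two GPOs created with every domain have fixed, well-known GUIDs, so their
# folders are a reliable sign that SYSVOL content has actually arrived.
$policies = Join-Path $env:SystemRoot "SYSVOL\sysvol\$($domain.DNSRoot)\Policies"
$defaults = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}' = 'Default Domain Controllers Policy'
}
foreach ($guid in $defaults.Keys) {
    if (-not (Test-Path (Join-Path $policies $guid))) {
        throw "Missing $($defaults[$guid]) ($guid) under $policies"
    }
}
"FRS restore on $me complete; default policies present"
```

The script stops and starts the services on the DC it runs on; to follow the order given above, stop NETLOGON and NTFRS on every DC before running it on the PDC emulator, and do not start them on the other DCs until the PDC's shares are back.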

December 9, 2008

Free AD Objects Recovery Tools

Filed under: Active Directory — Rahul Patel @ 11:50 am
