@black3dynamite said in [Help] Windows 10 lost AD profile [remote user]:

@stess said in [Help] Windows 10 lost AD profile [remote user]:

@jaredbusch said in [Help] Windows 10 lost AD profile [remote user]:

Cached creds have expired.

Log in on the network.

Anyway to prevent it from expiring? or extend the caching?

Increase the value. The max is 50.

Are you referred to the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)
" ?

@jaredbusch said in [Help] Windows 10 lost AD profile [remote user]:

@stess said in [Help] Windows 10 lost AD profile [remote user]:

@jaredbusch said in [Help] Windows 10 lost AD profile [remote user]:

Cached creds have expired.

Log in on the network.

Anyway to prevent it from expiring? or extend the caching?

You can change domain settings related to this. But it has been years since I looked into it.

It could be the machine credentials have expired and not user.

Domain machines are not designed to be off the network forever.

Any keyword I can start off with? Especially the machine credentials setting.

@jaredbusch said in [Help] Windows 10 lost AD profile [remote user]:

Cached creds have expired.

Log in on the network.

Anyway to prevent it from expiring? or extend the caching?

@black3dynamite said in [Help] Windows 10 lost AD profile [remote user]:

@stess said in [Help] Windows 10 lost AD profile [remote user]:

@black3dynamite said in [Help] Windows 10 lost AD profile [remote user]:

Interactive logon: Number of previous logons to cache

https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available

Check to see if Protected Users is configured.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

I already checked protected user group. We do not have anyone/group in it.

I'll read about this logon cache.

It might just be easier if you setup VPN on her laptop and have her login.

That's already on the list. But my plate is full, and it's not that urgent. Just that I've never seen this issue before. Any I want to prevent it from happening... ever again.

@black3dynamite said in [Help] Windows 10 lost AD profile [remote user]:

Interactive logon: Number of previous logons to cache

https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available

Check to see if Protected Users is configured.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

I already checked protected user group. We do not have anyone/group in it.

I'll read about this logon cache.

@dashrender said in [Help] Windows 10 lost AD profile [remote user]:

@stess said in [Help] Windows 10 lost AD profile [remote user]:

@black3dynamite said in [Help] Windows 10 lost AD profile [remote user]:

Sounds like the her cached user profile is not working correctly.

I was told similarly from another post. But I am not sure what would be the cause.

Disk corruption.

That's a possibility. To note: it's a brand new laptop (2 months old) with decent spec.

@black3dynamite said in [Help] Windows 10 lost AD profile [remote user]:

Sounds like the her cached user profile is not working correctly.

I was told similarly from another post. But I am not sure what would be the cause.

@dashrender said in [Help] Windows 10 lost AD profile [remote user]:

Why did she choose other user? you normally only do that when trying to not log in as the last user. Are you sure she's typing in the same username/password as the last time she was on the domain?

I got this from a generic google search. I saw her typed in her credential and got the same message. I even try my credential and admin credential and got the same error message.

Hi guys :beer_mug:

I posted this on spiceworks but apparently everyone is on vacation this week

I have a user who took her laptop on a vacation. She normally work in office so we didn't setup VPN for her + she does not need access to our file server for her tasks while she is remote. This is not the first time she took her laptop with her, but this is the first time she was not able to login with her credential.

Have anyone ever seen this error before? We did not introduced any new GPO the past weeks and no major changes are made...especially on the OU her user account is in.

Right now she's basically stranded. We gave her credential to local account we created for safe keeping (not admin) so she has something to do What might be the cause for this?

Couple of things that might help are she's working off her phone hotspot, She has been on a vacation/remote for 2-3 weeks. She was able to log in with her domain account just last week.

Any thoughts are appreciated.

PS. Happy holidays to those taking PTO

Thanks @bnrstnr @Reid-Cooper for the input.

@Reid-Cooper I'll spin VMs in the future (if I did go for server that is)

@bnrstnr said in Buying used server from another IT guy... Not sure what to look for:

SAS6iR

That's a very good point. I have 4x 4TB WD Red. This probably already killed my idea. I will look at servermonkey.com.

So I am in a market for a NAS and while I am shopping around I noticed that a decent NAS (consumer grade) cost roughly $300-$400...while an old server cost around $400-$500. Both are drive-less.

Later, I found out that one of the IT guy working here is selling his old server for $300. Here's the spec from dell website:
224-8609 : T710 Tower Chassis for Up to 8 3.5-In HD (3Gbps) and Intel 5 6XX Procs
310-8509 : Power Cord, NEMA 5-15P to C13, 15 amp, wall plug, 10 feet / 3 meter
430-3251 : Broadcom 5709 Dual Port 1GbE NIC w/TOE PCIe-4
330-4219 : Optical SATA for PowerEdge T61 0/T710
317-0259 : E5520 Xeon Processor, 2.26GHz 8M Cache, Turbo, HT, 1066MHz M ax Mem
313-9100 : 16X DVD-ROM,SATA, INTERNAL
341-8726 : 160GB 7.2K RPM SATA 3.5" Hot P lug Hard Drive-Entry
317-1218 : E5520 Xeon Processor, 2.26GHz 8M Cache, Turbo, HT, 1066MHz M ax Mem
317-2061 : 16GB Memory (8x2GB), 1333MHz Dual Ranked RDIMMs for 2 Processors, Advanced ECC
330-4331 : 1100 Watt Redundant Power Supply
341-5700 : SAS6iR SAS RAID Controller
330-5280 : Dell Management Console
330-4332 : Electronic System Documentation and OpenManage DVD Kit
317-0265 : PowerEdge T610/T710 Heat Sinks for 2 Processors

My only problems here are its 4U (HUGE) and the sound pollution from this server. Sound matters as I will be putting it in a closet in my bed room (I rent a room in a condo).
What are everyone's thoughts? As I mentioned before this is primary for a NAS and maybe VM in the future.

@dashrender said in Local powershell script to pull AdObject without installing RSAT:

@stess said in Local powershell script to pull AdObject without installing RSAT:

So... after checking out Dafyre's ADSI suggestion... ADSI managed to pull the properties attribute.
I still need to decipher what these codes mean. But thought I should share.

Here's the script I found:
$searcher = [adsisearcher]'(&(objectCategory=User)(objectclass=person))'
$searcher.SearchRoot = [adsi]'LDAP://OU=Users,OU=Production,DC=Domain,DC=Local'
$searcher.SearchScope = 'OneLevel'
$searcher.FindAll() |
ForEach-Object{
[pscustomobject]@{
Name =$.properties['name'][0]
EmployeeID = $.properties['ipphone'][0]
}
}

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

@stess tell your manager to understand the technical limitations of an old ass operating system. And without either making changes to what is installed on the system or replacing the system entirely that this isn't possible.

I agree. But I also understand it's no my ass that's on the line when IT screwed up... it's his ass. So, I don't feel like going against him much. I want him to run the department to his heart content. If anything happens my hands are clean. At least this is what I have in my mind.

sure, this totally makes sense. But you can't give him something that isn't possible by the same token...

Same token?

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

@stess said in Local powershell script to pull AdObject without installing RSAT:

I agree. But I also understand it's no my ass that's on the line when IT screwed up... it's his ass. So, I don't feel like going against him much. I want him to run the department to his heart content. If anything happens my hands are clean. At least this is what I have in my mind.

Shit always rolls down hill.

LOL!! That's very true. I guess at least my conscience is clean.

So... after checking out Dafyre's ADSI suggestion... ADSI managed to pull the properties attribute.
I still need to decipher what these codes mean. But thought I should share.

Here's the script I found:
$searcher = [adsisearcher]'(&(objectCategory=User)(objectclass=person))'
$searcher.SearchRoot = [adsi]'LDAP://OU=Users,OU=Production,DC=Domain,DC=Local'
$searcher.SearchScope = 'OneLevel'
$searcher.FindAll() |
ForEach-Object{
[pscustomobject]@{
Name =$.properties['name'][0]
EmployeeID = $.properties['ipphone'][0]
}
}

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

@stess tell your manager to understand the technical limitations of an old ass operating system. And without either making changes to what is installed on the system or replacing the system entirely that this isn't possible.

I agree. But I also understand it's no my ass that's on the line when IT screwed up... it's his ass. So, I don't feel like going against him much. I want him to run the department to his heart content. If anything happens my hands are clean. At least this is what I have in my mind.

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

Is your manager concerned that if people see a new item in the start menu that they'll go poking around?

More or less..yes.

@dashrender said in Local powershell script to pull AdObject without installing RSAT:

You can apparently deploy the DLL needed for the Ad module

I found a very Simple and elegant way to make the AD Powershell Module Portable.
you will need 3 simple things
1.) the ActiveDirectory Module Directory from a system that has it already installed.
Standard path on a 64bit windows 7
C:WindowsSystem32WindowsPowerShellv1.0Modules
2.) Global Assembly Cache Utility Available from the Windows SDK
gacutil.exe
3.) the Microsoft.ActiveDirectory.Management dll assemblyfound on a system that already has the RSAT and powershell enabled. Microsoft.ActiveDirectory.Management.dll

Now in order to make this work you need to install the dll using the gacutil program. commandline is as follows.

GACUTIL.exe -I Microsoft.ActiveDirectory.Management.dll

Once installed you must copy the entire directory from item 1 to the powershell module location.

Once copied you can then use the import command to import it and start using the cmdlets. below is my batch file I wrote to automate this for deployment during SCCM.

https://blogs.msdn.microsoft.com/rkramesh/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7/

It required RSAT which is a No No from my manager.

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

@stess said in Local powershell script to pull AdObject without installing RSAT:

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

That information is simply readable, by anyone with RSAT.

Having RSAT installed, doesn't mean people would be able to change or reset passwords or anything else from there.

But in terms of powershell, with Windows 7 system you will be required to install RSAT.

Yes. But I cannot goes against my manager's decision (above my pay grade + I don't want headache from arguing with him)

Alternatively, I could export the data into powershell script itself. Instead of reading from CSV, it reads data from within itself. Not sure how this will goes or is it possible

Using powershell (old powershell on an old OS) is the issue here.

Can you provide your script so we can see what you have going on.

$csvPath = "\svfs\fileshares\IT\Tools\ipphone export-csv.csv"
$logonuser = whoami
$csv = Import-Csv -Path $csvPath
$xmlPath = "C:\ProgramData\NEC-i\PC Phone\Settings.xml"
$necXML = New-Object XML
[xml]$necXML = Get-Content $xmlPath

foreach ($csvread in $csv) {
$csvusername = $csvread.username
$csvextension = $csvread.ipphone
if ($csvusername -eq $logonuser){
$necXML.CygSettings.UserName = "$csvextension"
$necXML.CygSettings.CtiExtension = "$csvextension"
$necXML.CygSettings.Password = "1234"
$necXML.CygSettings.ServerIP = "NEC"
$necXML.Save($xmlPath)
}
}

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

That information is simply readable, by anyone with RSAT.

Having RSAT installed, doesn't mean people would be able to change or reset passwords or anything else from there.

But in terms of powershell, with Windows 7 system you will be required to install RSAT.

Yes. But I cannot goes against my manager's decision (above my pay grade + I don't want headache from arguing with him)

Alternatively, I could export the data into powershell script itself. Instead of reading from CSV, it reads data from within itself. Not sure how this will goes or is it possible

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

@stess said in Local powershell script to pull AdObject without installing RSAT:

@dashrender said in Local powershell script to pull AdObject without installing RSAT:

@stess said in Local powershell script to pull AdObject without installing RSAT:

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

Is this a Windows 7 pc that would be running this powershell script?

Yes. Win 7 Pro. PS Logon script

So you're wanting every user's machine in the company to run this script when they log into their PC?

Yes. Basically, we want to run this script to pull a value from their AD user object and add the value to existing config file for one of the program we use. It does not have to get Get-ADobject as long as we can grab the value and change it. I am looking into Get-WMIObject but so far it is not working as we want it to.

EDIT: We use AD to store this value because I feel it's a good centralized place.

What AD value is your script pulling, we may be able to find the GET-WMI comparable. . (may)

Telephony > IP Phone

@dashrender said in Local powershell script to pull AdObject without installing RSAT:

@stess said in Local powershell script to pull AdObject without installing RSAT:

@dashrender said in Local powershell script to pull AdObject without installing RSAT:

@stess said in Local powershell script to pull AdObject without installing RSAT:

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

Is this a Windows 7 pc that would be running this powershell script?

Yes. Win 7 Pro. PS Logon script

So you're wanting every user's machine in the company to run this script when they log into their PC?

Yes. Basically, we want to run this script to pull a value from their AD user object and add the value to existing config file for one of the program we use. It does not have to get Get-ADobject as long as we can grab the value and change it. I am looking into Get-WMIObject but so far it is not working as we want it to.

EDIT: We use AD to store this value because I feel it's a good centralized place.

Are users allowed to change their own ADObjects?

I can't even get AD commands to run without AD module > which required RSAT > which my manager said he doesn't want it installed for "reasons".

@dashrender said in Local powershell script to pull AdObject without installing RSAT:

What version of Powershell do your users have?

Version 2.0

@dashrender said in Local powershell script to pull AdObject without installing RSAT:

@stess said in Local powershell script to pull AdObject without installing RSAT:

@dustinb3403 said in Local powershell script to pull AdObject without installing RSAT:

Is this a Windows 7 pc that would be running this powershell script?

Yes. Win 7 Pro. PS Logon script

So you're wanting every user's machine in the company to run this script when they log into their PC?

Yes. Basically, we want to run this script to pull a value from their AD user object and add the value to existing config file for one of the program we use. It does not have to get Get-ADobject as long as we can grab the value and change it. I am looking into Get-WMIObject but so far it is not working as we want it to.

EDIT: We use AD to store this value because I feel it's a good centralized place.