Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Active Directory Issue - Windows Server 2008 R2


  • Please log in to reply
3 replies to this topic

#1 A Selene

A Selene

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 23 January 2017 - 08:16 PM

I've found a user account cited as a member in groups "Domain Users" and "Denied RODC Password Replication".

The user account is marked "disabled".

 

However, there is NO Domain User by that name.  It's a member of no other groups.

I forgot to check on Local Users but that would seem to be impossible in any event.

 

What does all this mean? When I try to remove the account from the "Domain Users" members list, I get the message:

"This is the member's primary group so the member cannot be removed. Go to the Member Of tab of the Member's

 Property sheet and set another group as primary.  You can then remove the member from this group".

 

The rub is that since there's no user by that  name in Domain Users, I can't examine its property sheet.

 

What should be done about this?  I'm stumped...

 

Thanks,

-AS



BC AdBot (Login to Remove)

 


#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:10:11 AM

Posted 23 January 2017 - 08:32 PM

..... misread


Edited by TsVk!, 23 January 2017 - 08:32 PM.


#3 A Selene

A Selene
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 24 January 2017 - 03:54 PM

Problem solved. It was the krbtgt account.  My mistake.



#4 sflatechguy

sflatechguy

  • BC Advisor
  • 2,215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:11 PM

Posted 29 January 2017 - 10:42 AM

That account is disabled by default. You don't want to make any other changes to it, however. That account is used by the Kerberos ticket-granting service. Fiddling with it can mess up your Kerberos tickets and user logons.

 

https://technet.microsoft.com/en-us/library/dd277461.aspx

http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-environment






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users