Develop Reference

Windows Share Permissions for Domain Admins not working

I'm setting up a new share that I've enabled enumerated access on. I'm looking to limit people access to files on a certain folder. I've setup other folders that restrict access unless your in a security group. This folder thats giving me trouble was copied over from another network share. When I create a folder from scratch everything works fine so I'm curious if thats whats giving me issues.
The folder I'm trying to access is
x:/Limerock/Projects/"Project Name"
If I go into the security tab and check my effective access it says that I have full control:
The user I'm signed into is joe.jankowiak which is part of the Domain Admins security group. Domain Admins owns all the folders in above this and has full control.
When trying to enter the folder it tells me I need to request permission. I'm an admin so it goes through and adds "joe.jankowiak" to the full control list in the security permissions.
Why is it not taking my domain admin credentials to enter this folder? I'm seeing other weird behavior such as it saying "Unable to display current owner." and "You must have read permissions to view the properties of this object". Clicking continue lets me see it.
Everything looks right, I've setup 6 other new folders in the exact same manner and they work fine. I've signed in and out many times but it hasn't fixed it. Weird enough, another computer I signed into lets me access the folder just fine. Is there a way to reload file permissions since logging in/out doesn't seem to do it. Is there a command like gpupdate that I should run?

I have seen this before andyou might need to do the following operations in order:
-Replace Ownership on the folder and replace all child object ownership too=>apply or OK
-Close the security properties and re-open it again
-Add Domain Admins as full control and Replace all child object permissions... =>apply/OK
That should do it

Import User and Group with Powershell in AD from a csv file

I'm pretty new in Powershell.
I was working in a cloud environment creating an Active Directory with some users and groups and had to close the server in which I was working.
In order to reproduce and have a completely identical enviromment, I used this code
Get-ADUser -Filter * -Properties * | Export-Csv -Path ExportUsers.csv
and also
Get-ADGroup -Filter * -Properties * | Export-Csv -Path ExportGroups.csv
did with my code an export of ALL users and groups from the Active Directory using Powershell in order to export ALL info of the users and groups.
Now, I have create a VM with a new Active Directory in my laptop and at least I created the same domain name I had in the cloud (just to start in a closes as possible way).
I'm not able to import now all groups and all users WITH ALL PROPERTIES there are in the file. I saw in several threads that someone created some scripts inserting inside all params they need from the file. In reality, I'd like to have all info of the user so I'm trying the easier way to import all data without going to say exactly the fields I need (I need everything!)
The export was pretty simple so I hope the import should be the same.
The header columns of my csv file in regard to users is this:
AccountExpirationDate,"accountExpires","AccountLockoutTime","AccountNotDelegated","adminCount","AllowReversiblePasswordEncryption","BadLogonCount","badPasswordTime","badPwdCount","CannotChangePassword","CanonicalName","Certificates","City","CN","codePage","Company","Country","countryCode","Created","createTimeStamp","Deleted","Department","Description","DisplayName","DistinguishedName","Division","DoesNotRequirePreAuth","dSCorePropagationData","EmailAddress","EmployeeID","EmployeeNumber","Enabled","Fax","GivenName","HomeDirectory","HomedirRequired","HomeDrive","HomePage","HomePhone","Initials","instanceType","isCriticalSystemObject","isDeleted","LastBadPasswordAttempt","LastKnownParent","lastLogoff","lastLogon","LastLogonDate","lastLogonTimestamp","LockedOut","logonCount","logonHours","LogonWorkstations","Manager","MemberOf","MNSLogonAccount","MobilePhone","Modified","modifyTimeStamp","msDS-SupportedEncryptionTypes","msDS-User-Account-Control-Computed","Name","nTSecurityDescriptor","ObjectCategory","ObjectClass","ObjectGUID","objectSid","Office","OfficePhone","Organization","OtherName","PasswordExpired","PasswordLastSet","PasswordNeverExpires","PasswordNotRequired","POBox","PostalCode","PrimaryGroup","primaryGroupID","ProfilePath","ProtectedFromAccidentalDeletion","pwdLastSet","SamAccountName","sAMAccountType","ScriptPath","sDRightsEffective","ServicePrincipalNames","SID","SIDHistory","SmartcardLogonRequired","State","StreetAddress","Surname","Title","TrustedForDelegation","TrustedToAuthForDelegation","UseDESKeyOnly","userAccountControl","userCertificate","UserPrincipalName","uSNChanged","uSNCreated","whenChanged","whenCreated"
and this is just an entry of an user
,"9223372036854775807",,"False",,"False","0","0","0","True","mydomain.com/Users/Guest","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,"Guest","0",,,"0","3/21/2014 2:00:02 PM","3/21/2014 2:00:02 PM",,,"Built-in account for guest access to the computer/domain",,"CN=Guest,CN=Users,DC=mydomain,DC=com",,"False","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,,,"False",,,,"False",,,,,"4","True",,,,"0","0",,,"False","0",,,,"Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","False",,"3/21/2014 2:00:02 PM","3/21/2014 2:00:02 PM",,"0","Guest","System.DirectoryServices.ActiveDirectorySecurity","CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com","user","b3cdb85f-aa85-41e8-a36a-1e9cabb03bf2","S-1-5-21-1277972300-3555916100-1183092696-501",,,,,"False",,"True","True",,,"CN=Domain Guests,CN=Users,DC=mydomain,DC=com","514",,"False","0","Guest","805306368",,"15","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","S-1-5-21-1277972300-3555916100-1183092696-501","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","False",,,,,"False","False","False","66082","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,"8197","8197","3/21/2014 2:00:02 PM","3/21/2014 2:00:02 PM"
and, in a similar way, I have exported all GROUPS, so that now I have a csv with these headers:
"adminCount,"CanonicalName","CN","Created","createTimeStamp","Deleted","Description","DisplayName","DistinguishedName","dSCorePropagationData","GroupCategory","GroupScope","groupType","HomePage","instanceType","isCriticalSystemObject","isDeleted","LastKnownParent","ManagedBy","member","MemberOf","Members","Modified","modifyTimeStamp","Name","nTSecurityDescriptor","ObjectCategory","ObjectClass","ObjectGUID","objectSid","ProtectedFromAccidentalDeletion","SamAccountName","sAMAccountType","sDRightsEffective","SID","SIDHistory","systemFlags","uSNChanged","uSNCreated","whenChanged","whenCreated"
And an example of an entry
1,"prestige.com/Builtin/Administrators","Administrators","3/21/2014 2:00:02 PM","3/21/2014 2:00:02 PM",,"Administrators have complete and unrestricted access to the computer/domain",,"CN=Administrators,CN=Builtin,DC=prestige,DC=com","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","Security","DomainLocal","-2147483643",,"4","True",,,,"Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","3/21/2014 2:18:22 PM","3/21/2014 2:18:22 PM","Administrators","System.DirectoryServices.ActiveDirectorySecurity","CN=Group,CN=Schema,CN=Configuration,DC=prestige,DC=com","group","729af9dd-25ee-448e-a63e-72fa546aa83e","S-1-5-32-544","False","Administrators","536870912","15","S-1-5-32-544","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","-1946157056","12711","8199","3/21/2014 2:18:22 PM","3/21/2014 2:00:02 PM"
What should be the best way to import ALL info, using maybe powershell again and that csv, in my new Active Directory? I need to have it as more similar as possible of the AD I had in the cloud.
Thanks everyone for your help: I'm not finding a good way to resolve :-(

Automatise Adduser for Windows Active Directory 2008

I would like to add a lot of users into my Active Directory Users Group based on a csv with specifics informations like phone numero, email, job ...
I look around the internet and found a "method" using powershell. But, it's always to add basic infos like Name, Surname, Login and password.
Is there a webpage referencing the New-ADuser cmd ?
I found something on this website
http://blogs.technet.com/b/pascals/archive/2013/08/09/cr-233-er-des-utilisateurs-de-test-dans-ad-avec-un-mini-script-powershell.aspx
Thanks,

I usually use the Quest AD cmdlets which makes easier the AD manipulation.
You can download the cmdlets from here.
You can also add phone number, webpage, etc. by default, or you can use the -IncludedProperties for addition.
Here is the syntax for the new user creation.

LogonSessionId account assigned Read access in new certificates?

I have a question that (hopefully) someone can shed some light on.
I was writing a Powershell script that would import a certificate to the Local Machine store, and assign the Everyone group Read permissions to the private key's on the certificate.
Now, I do have a working script that does accomplish this, but I've noticed that I have an account called "LogonSessionId_0_some-random-number" assigned Read permissions to the ACL on the private keys as shown in the following image:
At first I thought this was my script maybe doing this, but when I manually import the certificate I get the same result.
Has anyone seen this before or know why this is happening? What exactly is this account and why are permissions being assigned? I've tried to search for some answers on this but have come up short.
Not sure if it helps, but this is the portion of my code that imports the certificate and assigns the permissions:
$sslCert = gci Cert:\LocalMachine\My | WHERE {$_.Subject -match $getCerts}
$sslCertPrivKey = $sslCert.PrivateKey
$privKeyCertFile = Get-Item -path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" | WHERE {$_.Name -eq $sslCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName}
$privKeyAcl = (Get-Item -Path $privKeyCertFile.FullName).GetAccessControl("Access")
$permission = "Everyone","Read","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$privKeyAcl.AddAccessRule($accessRule)
Set-Acl $privKeyCertFile.FullName $privKeyAcl
I'm using Windows 10 Pro.
Any help/insight is greatly appreciated!

It's because you have different scopes.
When you add something at the machine level, by default it gives all users read permissions. Everyone with access to that computer will be able to see the certificate.
You don't need to explicitly give users read access for a machine level certificate.
It's like when you install some programs they ask "Install for all users?" If you say yes, it installs at the machine level and everyone can use it, otherwise it will install for just you and logging in with a different user means they won't have access.
Comment out the user-specific part of your script to test what I'm saying, you'll notice all users are given read-only and things will work as expected.

Windows / Active Directory - User / Groups

I'm looking for a way to find a the windows login associated with a specific group. I'm trying to add permissions to a tool that only allows names formatted like:
DOMAIN\USER
DOMAIN\GROUP
I have a list of users in active directory format that I need to add:
ou=group1;ou=group2;ou=group3
I have tried adding DOMAIN\Group1, but I get a 'user not found' error.
P.S. should also be noted that I'm not a Lan admin

Programatically or Manually?
Manually, i prefer AdExplorer, which is a nice Active directory Browser. You just connect to your domain controller and then you can look for the user and see all the details. Of course, you need permissions on the Domain Controller, not sure which though.
Programatically, it depends on your language of couse. On .net, the System.DirectoryServices Namespace is your friend. (I don't have any code examples here unfortunately)
For Active Directory, I'm not really an expert apart from how to query it, but here are two links I found useful:
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
http://en.wikipedia.org/wiki/Active_Directory (General stuff about the Structure of AD)

You need to go to the Active Directory Users Snap In after logging in as a domain admin on the machine:
Go to start --> run and type in mmc.
In the MMC console go to File -->
Add/Remove Snap-In Click Add Select
Active Directory Users and Computers and select Add.
Hit Close and then hit OK.
From here you can expand the domain tree and search (by right-clicking on the domain name).
You may not need special privileges to view the contents of the Active Directory domain, especially if you are logged in on that domain. It is worth a shot to see how far you can get.
When you search for someone, you can select the columns from View --> Choose Columns. This should help you search for the person or group you are looking for.

You do not need domain admin rights to look at the active directory. By default, any (authenticated?) user can read the information that you need from the directory.
If that wasn't the case, for example, a computer (which has an associated account as well) could not verify the account and password of its user.
You only need admin rights to change the contents of the directory.
I think it is possible to set more restricted permissions, but that's not likely the case.

OU is an Organizational Unit (sort of like a Subfolder in Explorer), not a Group, Hence group1, 2 and 3 are not actually groups.
You are looking for the DN Attribute, also called "distinguishedName". You can simply use DOMAIN\DN once you have that.
Edit: For groups, the CN (Common Name) could also work.
The full string from Active Directory normally looks like this:
cn=Username,cn=Users,dc=DomainName,dc=com
(Can be longer or shorter, but the important bit is that the "ou" part is worthless for what you're trying to achieve.

Well, AdExplorer runs on your Local Workstation (which is why I prefer it) and I believe that most users have read access to AD anyway because that's actually required for stuff to work, but I'm not sure about that.

Install the "Windows Support Tools" that is on the Windows Server CD (CD 1 if it's Windows 2003 R2). If your CD/DVD drive is D: then it will be in D:\Support\Tools\SuppTools.msi
This gives you a couple of additional tools to "get at" AD:
LDP.EXE - good for reading information in AD, but the UI kinda stinks.
ADSI Edit - another snap-in for MMC.EXE that you can both browse AD with and get to all those pesky AD attributes you're looking for.
You can install these tools on your local workstation and access AD from there without domain admin privileges. If you can log on to the domain, you can at least query/read AD for this information.

Thanks adeel825 & Michael Stum.
My problem is, though, i'm in a big corporation and do not have access to log in as the domain admin nor to view the active directory, so i guess my solution is to try and get that level of access.