Category Archives: Active Directory

GPO – Deny single user/Group

Leave a reply

1. First you need to find the GPO Guid

To Find the group Guide Connect to a dc server and open Active Directory PowerShell

get-gpo -all |select-object DisplayName,id |sort name >c:\gpo.txt

2. Find in Active directory the GPO with ldap search

That guid is an attribute on an object in Active Directory, so you can query for it:

(&(objectCategory=groupPolicyContainer)(name={D45A4D0F-77BE-4116-9F5B-CF96E81D2DDC}))

3.Right Click On the Guid – Properties -security

4.Advanced

5.Add the user/group

6.Deny on – Apply Group Policy

Idit Bnaya

Sr. Cloud Solution Architect at Microsoft, I’m passionate about helping customers succeed by building secure, scalable, and innovative cloud solutions – with a strong focus on AI, DevOps practices, and end-to-end security. With a proven track record in the IT and services industry, I serve as a trusted advisor, partnering closely with organizations to guide them through digital transformation and maximize the value of their cloud investments. My role combines technical leadership with project ownership – from designing modern architectures to leading cross-functional implementations that drive real business outcomes. I also manage and empower strategic partners, working hand-in-hand with them to ensure project success and deliver measurable business impact for customers.

www.itblog.co.il

AD Schema version

Leave a reply

The following list show each version:

Schema-Version 13 = Windows 2000 RTM
Schema-Version 30 = Windows Server 2003 RTM
Schema-Version 31 = Windows Server 2003 R2 RTM
Schema-Version 44 = Windows Server 2008 RTM
Schema-Version 47 = Windows Server 2008 R2

You can find the version number by using one of the following :

1.ADSIedit – – objectVersion property of the Schema container

2.HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\<Schema Version>

3. dsquery * CN=Schema,CN=Configuration,DC=Root-Domain -Scope Base -attr objectVersion

Idit Bnaya

www.itblog.co.il

Error : The File Replication Service is unable to add this computer to the following replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)- Event ID: 13555"

Leave a reply

This could be caused by a number of problems such as:

an invalid root path,
a missing directory,
a missing disk volume,
a file system on the volume that does not support NTFS 5.0

The information below may help to resolve the problem:

Computer DNS name is "dc2.domain"

Replica set member name is "DC2"

Replica set root path is "c:\windows\sysvol\domain"

Replica staging directory path is "c:\windows\sysvol\staging\domain"

Replica working directory path is "c:\windows\ntfrs\jet"

Windows error status code is

FRS error status code is FrsErrorMismatchedJournalId

Steps to take:

1. Stop the File Replication service on the domain controller DC1
2. Start Registry Editor
3. Locate and then click the BurFlags value under the following key in
the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
4. On the Edit menu, click DWORD, click Hex, type D2, and then click
OK.
5. Quit Registry Editor.
6. Restart the File Replication Service

Source : http://support.microsoft.com/kb/925633

Idit Bnaya

www.itblog.co.il