If I have two DC's on a network and a user is locked out on Srv2 (event 4740), can this event get propagated to Srv1's eventlog aswell or are there settings to control this?
I am hoping it is possible to check only one event log to read all lockout events for an entire domain. From what I have been able to deduce it appears that evt 4740 only appears on the server where the lockout actually occurred.
Event forwarding, forwards events from one computer to another. This can be used in order to collect events at a specific computer to ease eventlog-handling.
Microsoft has a technet article for this:
https://technet.microsoft.com/en-us/library/cc748890.aspx
Windows IT-pro also has an article regarding troubleshooting eventlog forwarding:
http://windowsitpro.com/security/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and-collec
I haven't dabbled with AD in a couple of years, but I believe that the lockout will happen on one controller, and then will the other DCs receive data through the synchronizations but not log that lockout. It might be in the sync logs, but most likely not.
You didn't say if you have Read-only-DCs, but I suspect you don't.
I think you must read all event logs of the DCs you have. You might want to consider something like 'Splunk' etc. I remember it being used in a company I worked in 3 years ago. However, I'm in no way affiliated with 'splunk' and I don't know it well enough to advocate it in any way.
Related
My team has attempted to utilize a 3rd party Active Directory Object auditing tool which ran some automated scripts and turned on active directory auditing on our domain controllers. We use Win 2016 Server for our domain controllers.
As a result our DCs got bogged down and we subsequently turned off the auditing. My boss doesn't want to risk having this happen again so I am attempting to find a less invasive way to monitor changes to groups, user accounts and group policy. For security reasons, we want to be able to ask the question: Who changed what and at what date and time.
My options as I see them are basically some kind of custom .NET library or solution, accessing LDAP via PHP or perhaps a polling solution using PowerShell to dump data to a secondary file, API or service.
I've scoured the internet for a solution that might work for us and spent several days experimenting and building prototypes to no avail. It seems that the expectation for all possible solutions are to turn on the auditing features and simply hope that your DCs don't immediately max out on resources.
If we were to deploy a test DC and turn on auditing for evaluation purposes, I could potentially come up with a solution to track changes over time but we wouldn't be able to assess the real world impact of certain auditing features being turned on because it wouldn't have the same traffic that our production Domain Controllers have.
The solution that I am looking for has a low impact on the performance of our domain controllers and offers a method by which to store data pertaining to active directory object changes that can be subsequently displayed on one or more reports.
I have a use case where I need to set up two physical stations at a venue. Each station will be running a couple of app servers and a mongodb server.
I can't rely on the venue's internet access so I need my app to be able to work offline and "sync" the dbs every once in a while.
I initially thought about having two masters that would somehow sync with a remote one but TIL that master-master replication is not possible with mongodb.
I've read about the active-active approach, however, that won't let me write to a different shard when offline.
I'm running out of ideas, any recommendation would be greatly appreciated.
------ Update on what I'm trying to achieve:
I'm working with a venue that has two entrances. The idea is to be able to capture some information from people attending the events (name, email, etc). After getting registered we will print a name tag with some of the info.
Everything sounds pretty easy, however, if possible, I would like to not rely on the venue's network (internet). So that's where I started struggling figuring out whats the best approach. I guess what I want is being able to have a remote mongo but if the network goes down somehow keep saving records locally and send them to the remote mongo instance when network is available again.
Extra considerations:
- Events last a couple of days, some people lose their name tag overnight, they should be able to go to either of the entrances and get it reprinted. So we should be able to find their info even if they registered in entrance A but they are asking for a reprint in entrance B.
More questions:
- Am I overthinking it? Maybe venue's network + a 4G/LTE modem as a backup should be enough? I would prefer not relying on it tho.
I believe you're overthinking things. Here's what I would do if faced with a similar situation:
From the description, it doesn't sound like the two sites need to be connected in real time at all. I would create a server on Entry A, another in Entry B, and consolidate their data each day after the day ended if required. This is because:
It's unlikely that one person will register in both sites within a single day. If they lost their tag on that day, I'll just tell them to go back to where they registered earlier and get it reprinted there. Worst case, you'll create a duplicate entry (should be obvious which is the duplicate since no one would lose their tag within seconds) but I would not anticipate hundreds of people all lost their tags within a day.
If the attendee lost their tag overnight, both servers will have synced data and should be able to reprint.
If you're concerned about the venue's Wifi access, just run cables from the server to the printing stations.
Personally, I would argue that the overnight sync is not really needed at all (see the likelihood of people registering twice). I would just collect the data from both servers after the event ended. That is, unless you have specific needs for the combined data from both entries during the 2nd day.
Note: please make sure you're running a minimum of 3-node replica set. Running a standalone instance for prod environment is not recommended. Hardware/disk corruption is a common event.
I am working on a tool to generate fake data for System Center Operations Manager for internal testing purposes. I wrote a script as part of a discovery that is able to create an instance of any class I want and make SCOM fake-discover it. Currently, I'm using a class for AD Printer. Now the next step is to somehow create alerts on behalf of the Printer. For this, I wrote a rule targeted at the AD Printer, which reads from the logs to detect when it should be fired. The logs are being written to from a PowerShell script. However, I see no results. But when I target the same rule to All Windows Computers, I see the alerts.
From what I understand the rule will run on all agents that have an instance of the target class. Since I fake-discovered the AD Printer on this agent (which also happens to be the Management Server), should the rule not run on this?
Any other suggestions on how I can achieve this are welcome as well.
PS. I probably cannot share any of my code as I am under an NDA, but I can clarify my approach further, if needed.
Yes, the Powershell script should run on the agents which have instances of the AD Printer. I recommend you to check the OperationsManager event log for script errors. The easiest way to generate (fake) alerts is to set up a simple, Event-based text log monitor: one specific word can trigger the unhealthy state (which in turn generates an alert), while another word resets the monitor to the healthy state. You can specify criteria for both events. Look at this blog post for further details.
I have googled tons for this but with no success, maybe I just have the wrong approach?
Problem:
We work with migrating organizations from on premises Exchange to Office 365 and vice versa. As a service we also log in to all user computers and do the initial "add existing mailbox"-steps. Since we are using Autodiscovery-pointers this takes a lot of time. With a bad bandwidth it can take up to 15 min per user.
Our goal:
Create a Powershelscript where we can put the settings that normally being fetched by Autodiscovery and quickly add a new, existing mailbox to the computer so next time they log in they can just start the Outlook application and they are logged in.
I hope I made myself understandable, please ask if anything is unclear.
Thanks in advance!
Edit:
Maybe there is a way to go through the initial Outlook-setup via a PSSession? Then the time that an Autodiscovery takes wouldn't matter since we can do all the setups remote, unatended.
I want to write a workflow application that routes a link to a document. The routing is based upon machines not users because I don't know who will ever be at a given post. For example, I have a form. It is initially filled out in location A. I now want it to go to location B and have them fill out the rest. Finally, it goes to location C where a supervisor will approve it.
None of these locations has a known user. That is I don't know who it will be. I only know that whomever it is is authorized (they are assigned to the workstation and are approved to be there.)
Will Microsoft Windows Workflow do this or do I need to build my own workflow based on SQL Server, IP Addresses, and so forth?
Also, How would the user at a workstation be notified a document had been sent to their machine?
Thanks for any help.
I think if I was approaching this problem workflow would work to do it. It is a state machine you want that has three states:
A Start
B Completing
C Approving
However workflow needs to work in one central place (trust me on this, you only want to have one workflow run time running at once, otherwise the same bit of work can be done multiple times see our questions on MSDN forum). So a central server running the workflow is the answer.
How you present this to the users can be done in multiple ways. Dave suggested using an ASP.NET site to identify the machines that are doing the work, which is probably how I would do it. However you could also write a windows forms client that would do the same thing. This would require using something like SOAP / WCF to facilitate communication between client form applications and the central workflow service. This would have the advantage that you could use a system try icon to alert the user.
You might also want to look at human workflow engines, as they are designed to do things such as this (and more), I'm most familiar with PNMsoft's Sequence
You can design a generic "routing" workflow that will cause data to go to a workstation. The easiest way to do this would be to embed the workflow in an ASP.NET application. Each workstation should visit the application with a workstation ID in the querystring:
http://myapp/default.aspx?wid=01
When the form is filled out at workstation A, the workflow running in the web app can enter it into the "work bin" of the next workstation. Anyone sitting at the computer for which the form is destined will see it appear in their list of forms to review. You can use AJAX to make it slick and auto-updating.