List members of a Group

You can retrieve the list of members of a security or distribution group in the domain with the dsget tool, one of the command-line directory service tools (dsquery, dsget, dsadd, dsmod, dsrm, dsmove) introduced with Windows Server 2003. These tools ship with the Windows Server 2003 operating system.

Let's say you need a list of the users in a domain group, including users that belong to it only through nested groups. This is easy; the following command accomplishes it:

dsget group "DN_of_group" -members -expand > userlist.txt

Without -expand, a nested group is listed as a single group DN instead of being replaced by its members.

The output will be saved in userlist.txt

This is the sample output saved in userlist.txt

"CN=Shan Dallis,OU=Users,DC=test,DC=local"
"CN=Tapihe C Mdwa,OU=Users,DC=test,DC=local"

and so on…
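As an added example (not from the original post), here is the same expansion done in PowerShell without the AD module, using an LDAP query with the LDAP_MATCHING_RULE_IN_CHAIN rule so that the domain controller walks the nested groups server-side. The group DN and the output file name are assumed placeholders; it also escapes the DN for the filter and flags disabled accounts, which dsget does not do.

```powershell
# Added example, not part of the original post. Lists every user that is a
# member of a group directly or through nested groups, like dsget -expand,
# using only .NET DirectoryServices (no AD module needed).
# Assumes a domain-joined machine and read access to the directory.
param(
    [string]$GroupDN = 'CN=Domain Admins,CN=Users,DC=test,DC=local',  # assumed DN, replace
    [string]$OutFile = 'userlist.txt'
)

# Escape the DN for use inside an LDAP filter (RFC 4515), so that a DN
# containing ( ) * or \ cannot break or widen the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the DC expands the
# memberOf chain itself, so nested groups at any depth are covered.
$filter = '(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:={0}))' -f (ConvertTo-LdapFilterValue $GroupDN)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = $filter
$searcher.PageSize = 1000   # paged search: large groups exceed the 1000-entry default size limit
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'userAccountControl'))

$lines = foreach ($entry in $searcher.FindAll()) {
    $dn  = [string]$entry.Properties['distinguishedname'][0]
    $sam = [string]$entry.Properties['samaccountname'][0]
    $uac = [int]$entry.Properties['useraccountcontrol'][0]
    # Flag disabled accounts (ACCOUNTDISABLE = 0x2) so stale members stand out.
    $flag = if ($uac -band 0x2) { '  [DISABLED]' } else { '' }
    '"{0}"  ({1}){2}' -f $dn, $sam, $flag
}

$lines | Set-Content -Path $OutFile -Encoding UTF8
'{0} user(s) written to {1}' -f @($lines).Count, $OutFile
```

One caveat that applies to dsget -members and to this query alike: both read the group's member attribute, so a user whose only link to a group is their primary group (the primaryGroupID attribute, normally Domain Users) is not listed.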

Add a user to the local Administrators group on all machines.

Scenario: You need to add a domain user (test.local\test) to the local Administrators group on all computers. How do you achieve this? You don't need VBScript or anything like that; simply use PsExec to accomplish it.

Here it is:

psexec @servers.txt net localgroup administrators test.local\test /add

Isn't that simple as pie?

@servers.txt – a text file with one computer name per line. PsExec runs the command on each computer in the list, so the command line needs no \\computer target.

net localgroup – manages the local groups held in the SAM of the computer it runs on. That is why the command has to run on each target (which PsExec does for you) and not once on a domain controller. To add a member to a domain global security group instead, use net group on a domain controller.

PsExec needs administrative rights on every target (it installs its PSEXESVC service there), and the run makes one domain account an administrator on every machine in the list: that account becomes a single credential that opens all of them. Keep the list short, use a dedicated account, and for anything permanent prefer Restricted Groups in Group Policy, which also removes members that should not be there.
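The same job over PowerShell remoting, as an added example that is not from the original post: it checks membership by SID first so it can be re-run safely, and it reports per host which machines already had the member, which got it and which were never reached (the PsExec one-liner gives you no such summary). It assumes WinRM is enabled on the targets, that the caller is an administrator on them, and that servers.txt holds one host name per line; test.local\test is the page's sample account.

```powershell
# Added example, not part of the original post: the same job as the PsExec
# one-liner, done over PowerShell remoting with a per-host result.
# Assumes WinRM is enabled on the targets, the caller is an administrator on
# them, and servers.txt holds one host name per line.
param(
    [string]$ServerList = 'servers.txt',
    [string]$Account    = 'test.local\test',
    [switch]$WhatIf                           # report what would change, touch nothing
)

$computers = Get-Content $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
    -ErrorVariable remoteErrors -ArgumentList $Account, $WhatIf.IsPresent -ScriptBlock {
    param([string]$Account, [bool]$DryRun)
    # Compare by SID rather than name: DOMAIN\user and user@domain are the same
    # principal, and a renamed account keeps its SID.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $already = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.SID.Value -eq $sid }
    if ($already) {
        $status = 'already-member'
    } elseif ($DryRun) {
        $status = 'would-add'
    } else {
        Add-LocalGroupMember -Group 'Administrators' -Member $Account
        $status = 'added'
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $Account; Status = $status }
}

# Unreachable hosts and remote failures land in $remoteErrors; list them so a
# machine that silently kept its old membership is not mistaken for done.
$failed = foreach ($e in $remoteErrors) {
    $computer = if ($e.OriginInfo) { $e.OriginInfo.PSComputerName } else { $e.TargetObject }
    [pscustomobject]@{ Computer = $computer; Account = $Account; Status = "failed: $($e.Exception.Message)" }
}

@($results) + @($failed) | Select-Object Computer, Account, Status | Format-Table -AutoSize
```

Run it once with -WhatIf to see the would-add list before changing anything; a host in the failed list needs to be revisited, because it still has the old membership.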


Ping Servers in DMZ

Let's say you need to check the connectivity of a few servers in the DMZ from your management server.

Scenario: You have 20 servers running in your DMZ network. You need to check connectivity to these servers every day or once a week to make sure they are up and running. The manual process would be:

1. From your working computer you log on (by RDP) to your management server, from which you can ping these servers.

2. Ping each server and read the response on the management box.

To avoid this manual process you can use PsExec from your workstation to run the pings on the management server.

This is how you do it:

You know these servers are in the DMZ and can be pinged only from the management server. You use a simple script to do so:

For one server you can use the following:

PSEXEC \\management_server ping server_in_dmz > c:\PingResponse\Response.txt

For more than one server you use the following:

1. A servers.txt file with the names of all the servers, one per line.

2. A CMD or BAT file that pings all the servers and stores each result in a %server_name%.txt file.


@echo off
rem Check servers' ping response in the DMZ network.

set srvlist=servers.txt
rem -----------------------------------

if not exist "%srvlist%" (
  echo Can't find server list file: %srvlist%
  goto :eof
)
if not exist c:\PingResponse mkdir c:\PingResponse

echo Processing all servers...
for /f "tokens=* delims=" %%m in (%srvlist%) do call :checknow "%%m"
goto :eof

:checknow
set srvname=%~1
set srvname=%srvname: =%
rem -w 1000 waits at most one second per reply; one output file per server
psexec.exe \\management_server ping -w 1000 %srvname% > c:\PingResponse\%srvname%.txt
goto :eof
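The same check in PowerShell, as an added example that is not from the original post: it runs the pings on the management server through a remoting session, gives each server an explicit up/down verdict instead of a raw ping transcript, and exits non-zero when something is down so a scheduled task can alert. It assumes PowerShell remoting to the management server works and that servers.txt holds one host name per line; management_server and C:\PingResponse are the placeholders used above.

```powershell
# Added example, not part of the original post: pings the DMZ servers from
# the management server (the only host allowed to reach them) and produces
# one result file per server plus a summary with an explicit up/down verdict.
# Assumes PowerShell remoting to the management server works and servers.txt
# holds one host name per line.
param(
    [string]$ManagementServer = 'management_server',
    [string]$ServerList       = 'servers.txt',
    [string]$OutDir           = 'C:\PingResponse'
)

$targets = Get-Content $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Everything in the script block runs on the management server, so the ICMP
# echo requests originate there and not from the operator's workstation.
$report = Invoke-Command -ComputerName $ManagementServer -ArgumentList (,$targets) -ScriptBlock {
    param([string[]]$Targets)
    $pinger = New-Object System.Net.NetworkInformation.Ping
    foreach ($t in $Targets) {
        $stamp    = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        $rtts     = @()
        $problems = @()
        # Two echo requests with a 1000 ms timeout each (the -w 1000 of ping);
        # a single dropped packet should not mark a server down.
        for ($i = 0; $i -lt 2; $i++) {
            try {
                $reply = $pinger.Send($t, 1000)
                if ($reply.Status -eq 'Success') { $rtts += $reply.RoundtripTime } else { $problems += [string]$reply.Status }
            } catch {
                $problems += $_.Exception.Message   # e.g. name resolution failure
            }
        }
        $avg = if ($rtts.Count) { [int](($rtts | Measure-Object -Average).Average) } else { $null }
        [pscustomobject]@{
            Server  = $t
            Up      = ($rtts.Count -gt 0)
            AvgMs   = $avg
            Checked = $stamp
            Error   = (($problems | Select-Object -Unique) -join '; ')
        }
    }
}

# Per-server files as in the batch version, plus a CSV that is easy to diff
# from week to week.
foreach ($r in $report) {
    $r | Format-List Server, Up, AvgMs, Checked, Error | Out-File -FilePath (Join-Path $OutDir "$($r.Server).txt")
}
$report | Select-Object Server, Up, AvgMs, Checked, Error |
    Export-Csv -Path (Join-Path $OutDir 'summary.csv') -NoTypeInformation

$down = @($report | Where-Object { -not $_.Up })
'{0} of {1} server(s) did not answer.' -f $down.Count, @($report).Count
$down | ForEach-Object { '  DOWN: {0} ({1})' -f $_.Server, $_.Error }
if ($down.Count -gt 0) { exit 1 }   # non-zero exit code so a scheduled task can alert
```

An ICMP reply only proves that the server's IP stack answers; if the DMZ firewall drops ICMP or the service itself is what matters, replace the Ping call with a TCP connect to the service port, keeping the same reporting.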




Duplicate SPN registered in domain.

Sometimes your domain controller reports an error for duplicate SPNs (service principal names) registered in the Active Directory database: the KDC cannot decide which account's key to use for the service ticket, so Kerberos authentication to that service fails. The event tells you that duplicates exist but not which objects hold them, so you don't know where to delete them.

You can use the Microsoft tools LDP.exe or LDIFDE.exe to search for the duplicate SPNs and remove them from the domain. For example, the following exports every object that has an SPN, so you can sort the list and find the repeated values:

ldifde -f spn.ldf -d "DC=test,DC=local" -r "(servicePrincipalName=*)" -l servicePrincipalName

Remove the SPN from the account that should not have it (with setspn -D <SPN> <account>, or by editing the servicePrincipalName attribute in LDP) rather than deleting the account.

Check out here:
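As an added example that is not from the original post, this PowerShell script does the search part of the job: it enumerates every object with a servicePrincipalName, groups the SPNs, and prints the ones registered on more than one object together with the objects that hold them. It is read-only and assumes a domain-joined machine with read access to the directory; the search root is an assumed parameter.

```powershell
# Added example, not part of the original post. Finds every SPN that is
# registered on more than one object in the domain and shows which objects
# hold it, which is the information the event log omits. Read-only: it does
# not delete anything. Assumes a domain-joined machine with read access to
# the directory; the search root defaults to the current domain.
param([string]$SearchBase = '')   # e.g. 'LDAP://DC=test,DC=local'; empty = default naming context

$searcher = if ($SearchBase) {
    New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
} else {
    New-Object System.DirectoryServices.DirectorySearcher
}
$searcher.Filter   = '(servicePrincipalName=*)'
$searcher.PageSize = 1000   # paged search so more than 1000 objects come back
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'servicePrincipalName'))

# SPN -> list of DNs. PowerShell hashtables compare keys case-insensitively,
# and servicePrincipalName is a case-insensitive attribute in the directory,
# so HOST/srv1 and host/srv1 are counted as the same SPN.
$owners = @{}
foreach ($entry in $searcher.FindAll()) {
    $dn = [string]$entry.Properties['distinguishedname'][0]
    foreach ($spn in $entry.Properties['serviceprincipalname']) {
        if (-not $owners.ContainsKey($spn)) { $owners[$spn] = New-Object System.Collections.ArrayList }
        [void]$owners[$spn].Add($dn)
    }
}

$duplicates = foreach ($spn in $owners.Keys) {
    if ($owners[$spn].Count -gt 1) {
        [pscustomobject]@{ SPN = $spn; Count = $owners[$spn].Count; Accounts = ($owners[$spn] -join ' ; ') }
    }
}

if ($duplicates) {
    $duplicates | Sort-Object SPN | Format-Table -AutoSize -Wrap
} else {
    'No duplicate SPNs found.'
}
```

For each duplicate, decide which object legitimately runs the service (typically the computer account of the host in the SPN, or the service account configured for it) and remove the SPN from the other one; removing it from the wrong object breaks Kerberos for that service.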

Domain Controller’s Log on Locally rights removed or set to "Not Configured".

In a situation where you have accidentally locked yourself out: you removed the "Log on locally" right from the domain controllers' policy and nobody can log on at the console of any domain controller. There are a few methods you can use to get the logon right back.

These methods only help while you can still reach the DC over the network. They rely on the "Access this computer from the network" right still being granted to Administrators and the "Deny access to this computer from the network" right not applying to them, because PsExec and the remote policy edit both need a network logon to the DC. If you have also removed or denied yourself the following rights, the methods below cannot reach the DC:

Access This Computer From Network

Deny Access This Computer From Network

Okay, let's talk about the "Log on locally" right and how to get it back.

You can use either of the methods outlined below to get it back on track. Users or administrators can still access the DC remotely as long as the "Access this computer from the network" logon right is enabled and configured properly.

Method 1

1. Go to a workstation (XP, with the administration tools installed) or a Windows server.
2. Open Active Directory Users and Computers.
3. Right-click the Domain Controllers OU > Properties > Group Policy tab, and edit the Default Domain Controllers Policy.
4. Under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, add Administrators back to "Log on locally" (named "Allow log on locally" on Windows Server 2003).
5. Run PsExec to force the DC to re-apply the policy:

PSEXEC \\Dc_name secedit /refreshpolicy user_policy
PSEXEC \\Dc_name secedit /refreshpolicy machine_policy

secedit /refreshpolicy is the Windows 2000 command; on Windows XP and Windows Server 2003 and later it was replaced by gpupdate, so there use:

PSEXEC \\Dc_name gpupdate /force

6. Wait about five minutes (if you edited the policy on another DC, AD and SYSVOL replication have to carry the change to the DC you refresh).
7. Now try to log on to the DC locally.

Everything should work.

Method 2

If the problem still persists you can follow the steps listed below to reset the policy files by hand. The user rights live in the policy's security template, MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, under the [Privilege Rights] section; the "Log on locally" right is SeInteractiveLogonRight there.

1. Go to a working DC.
2. Go to SYSVOL (\\working_dc\SYSVOL\<domain>\Policies).
3. Look for the two default GPO folders in there, named by their well-known GUIDs:

Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Default Domain Controllers Policy {6AC1786C-016F-11D2-945F-00C04fB984F9}         switch to this one – this is the Default DC GPO.

4. Copy the contents.
5. Access the broken DC's C:\ drive (\\Dc_name\C$) or its SYSVOL share.
6. Look for the same two GPO folders there:

Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Default Domain Controllers Policy {6AC1786C-016F-11D2-945F-00C04fB984F9}        double-click to open this folder.

7. Paste the contents here, overwriting the existing files.
8. Now run the PsExec command with secedit (or gpupdate /force on Windows Server 2003 and later) to enforce the policy.

Please note that copying the GPO folder from one DC to another replaces every setting of that GPO on the target with the source's copy; any setting that differed between the two is lost.
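Before copying or refreshing anything, it helps to know what the template you are about to apply actually grants. The following PowerShell script is an added example (not from the original post): it parses the [Privilege Rights] section of a GptTmpl.inf and checks that BUILTIN\Administrators (SID S-1-5-32-544) still holds the two logon rights this section depends on and is not on a Deny right. It is shown running against a constructed sample template written to a temp file; point it at the real file on a DC (path given at the bottom) to check a live policy.

```powershell
# Added example, not part of the original post. Parses [Privilege Rights] in
# a GptTmpl.inf security template and checks that BUILTIN\Administrators
# keeps "Log on locally" and "Access this computer from the network" and is
# not on the matching Deny rights. The sample template at the bottom is
# constructed for the demonstration; it is not a real DC's template.
function Get-PrivilegeRights([string]$TemplatePath) {
    # GptTmpl.inf is an INI file; rights look like
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548
    # where *SID entries are SIDs and unprefixed entries are account names.
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $TemplatePath) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-DcLogonRights([string]$TemplatePath) {
    $admins = '*S-1-5-32-544'   # BUILTIN\Administrators, in the SID form the template uses
    $rights = Get-PrivilegeRights $TemplatePath
    $checks = @(
        @{ Right = 'SeInteractiveLogonRight';     MustContain = $true  }  # "Log on locally"
        @{ Right = 'SeNetworkLogonRight';         MustContain = $true  }  # "Access this computer from the network"
        @{ Right = 'SeDenyInteractiveLogonRight'; MustContain = $false }
        @{ Right = 'SeDenyNetworkLogonRight';     MustContain = $false }
    )
    foreach ($c in $checks) {
        $configured = $rights.ContainsKey($c.Right)
        $has = $configured -and ($rights[$c.Right] -contains $admins)
        # A right missing from the template is "Not Configured" (this GPO says
        # nothing about it); a right present with an empty value grants it to
        # nobody, which is the locked-out state described above.
        $ok = if ($c.MustContain) { $has } else { -not $has }
        [pscustomobject]@{ Right = $c.Right; Configured = $configured; Admins = $has; OK = $ok }
    }
}

# Constructed sample showing the broken state: "Log on locally" has been
# emptied, so Administrators no longer appear in it.
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight =
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-32-546
'@
$tmp = Join-Path $env:TEMP 'GptTmpl.sample.inf'
Set-Content -Path $tmp -Value $sample -Encoding Unicode   # real templates are UTF-16 as well
Test-DcLogonRights $tmp | Format-Table -AutoSize

# On a DC the live file of the Default Domain Controllers Policy is:
# \\<dc>\SYSVOL\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
```

On the sample, SeInteractiveLogonRight comes back Configured but without Administrators (OK = False) while the network logon right passes, which is exactly the combination in which Method 1 and Method 2 still work: you can reach the DC over the network to fix the local logon right.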

Two SYSVOL shares or SYSVOL missing!

Sometimes you may get into a situation where a domain controller shows two SYSVOL shares (or none) and you don't know which one is the live one that replicates to the other domain controllers.

No problem. Sometimes SYSVOL replication stops and you get JOURNAL_WRAP errors (the NTFS USN journal FRS relies on has wrapped) on the domain controller. When FRS starts up to replicate the contents of SYSVOL to the other domain controllers it reads the registry to find the correct SYSVOL path: the registry holds the SYSVOL folder location, the SYSVOL share name and so on, and these values are handed to FRS. Here is the problem: FRS effectively says "I don't know what is what; this SYSVOL folder is not the one I'm looking for", because the folder lacks the information FRS expects. Now you are stuck: you can't go any further or do anything with the system until FRS is reset. FRS's second step is to check DNS for the SRV records registered by the domain controllers; if it cannot find the other DCs through DNS that is a separate problem, and not the one discussed here.

Microsoft has written an article on Troubleshooting SYSVOL:

Check out here:

The D4 BurFlags registry entry described in the above article makes this domain controller authoritative for the whole SYSVOL replica set: its copy overwrites every other DC's SYSVOL. Set D4 on exactly one DC, the one whose SYSVOL you know is good, and D2 (non-authoritative) on the others so that they pull from it.

Also check: Troubleshooting Missing SYSVOL and Netlogon shares:
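As an added example that is not from the original post, the following read-only PowerShell script shows what this DC tells FRS about SYSVOL (the registered path, the SysvolReady flag, the BurFlags restore switch) next to what is actually shared, which is how you tell the live SYSVOL from a stale one before setting BurFlags. It runs on the DC itself, reads only the documented Netlogon and NtFrs parameter keys, and applies to FRS-replicated SYSVOL (Windows 2000/2003); a DFSR-replicated SYSVOL does not use BurFlags.

```powershell
# Added example, not part of the original post: read-only look at the SYSVOL
# state FRS is given on this DC, plus the shares clients actually see.
# Run on the domain controller itself. FRS-era (2000/2003) keys only.
function Get-SysvolState {
    $hklm     = [Microsoft.Win32.Registry]::LocalMachine
    $netlogon = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
    # The NtFrs key name contains a '/', which the PowerShell registry provider
    # would treat as a path separator, hence the .NET API instead of HKLM:\.
    $bur = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup')

    $sysvolPath  = if ($netlogon) { $netlogon.GetValue('SysVol') }
    $sysvolReady = if ($netlogon) { $netlogon.GetValue('SysvolReady') }
    $burFlags    = if ($bur)      { $bur.GetValue('BurFlags') }

    $burMeaning = if ($null -eq $burFlags) { 'value not present' }
                  elseif ($burFlags -eq 0)    { '0 = nothing pending (FRS resets it after processing a restore)' }
                  elseif ($burFlags -eq 0xD4) { 'D4 = authoritative: this DC''s SYSVOL will overwrite all others' }
                  elseif ($burFlags -eq 0xD2) { 'D2 = non-authoritative: this DC will re-sync from a partner' }
                  else { 'unexpected value 0x{0:X}' -f $burFlags }

    # net share is the ground truth for what clients see; a DC should expose
    # exactly one SYSVOL and one NETLOGON share.
    $shares = @(net share 2>$null | Where-Object { $_ -match '^(SYSVOL|NETLOGON)\s' })

    [pscustomobject]@{
        SysvolPathInRegistry = $sysvolPath
        SysvolPathExists     = [bool]($sysvolPath -and (Test-Path -LiteralPath $sysvolPath))
        SysvolReady          = $sysvolReady
        BurFlags             = $burMeaning
        Shares               = ($shares -join ' | ')
        SysvolShareCount     = @($shares | Where-Object { $_ -match '^SYSVOL\s' }).Count
    }
}

$state = Get-SysvolState
$state | Format-List
if ($state.SysvolShareCount -ne 1) {
    Write-Warning ('Expected exactly one SYSVOL share, found {0}.' -f $state.SysvolShareCount)
}
if (-not $state.SysvolPathExists) {
    Write-Warning 'The SYSVOL path in the registry does not exist on disk; this is the folder FRS fails to find.'
}
if ($state.BurFlags -like 'D4*') {
    Write-Warning 'BurFlags is D4 on this DC. Only one DC in the domain may be authoritative at a time.'
}
```

Run it on every DC before the restore: the one whose registered path exists, is shared once, and carries the policy files you trust is the D4 candidate; every other DC should get D2.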