Active Directory

How to display all OUs & their distinguished names from your domain

Today I wanted a quick overview of all the OUs and their distinguished names. This is how I did that. Open a PowerShell prompt and enter the following:

You can expect a reply something like below:

How to Add an extra email address to your O365 mailbox the right way

This blog post describes how to add an extra email address on your O365 mailbox. Someone told me that when he tries to add an extra email address using the Office 365 admin partner he receives the following error:


The error says that this action (adding an extra email address) should be performed on the object in your on-premises organization. This means that your Active Directory is connected to Azure (O365). So extra email addresses should be added in the properties of the specific user in Active Directory, not directly through the Exchange admin interface. Your changes are then replicated to Azure automatically.

Go to your domain controller, open dsa.msc (Active Directory Users and Computers) and go to the user you wish to give an extra email address. Important: don’t search for this user, because you won’t see all the properties later on if you open it from the search results. Also make sure that the advanced view is enabled in dsa.msc, otherwise you won’t see the Attribute Editor tab.


Open the properties of the specific user, select Attribute Editor and go to ProxyAddresses. Now you have the option to add an extra email address; use the following value:

Make sure that the domain is registered correctly in O365.

(Thanks to Roelf Z for the comment)
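
The same change made from PowerShell instead of the Attribute Editor, as an added example that is not part of the original post. It assumes the ActiveDirectory module is installed; the function name is hypothetical, and the user `jdoe` and the address are constructed placeholders.

```powershell
# Added example: add a secondary SMTP alias to an AD-synced user.
Import-Module ActiveDirectory

function Add-SecondaryProxyAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $Address
    )

    # Strict pattern: also keeps LDAP filter metacharacters ( ) * \ out of the query below.
    if ($Address -notmatch '^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$') {
        throw "'$Address' is not an accepted email address."
    }

    # Lowercase "smtp:" marks a secondary address. Uppercase "SMTP:" is the
    # primary (reply-to) address, which this function deliberately leaves alone.
    $value = "smtp:$Address"

    # proxyAddresses values must be unique in the directory, otherwise the sync
    # to Azure reports a duplicate attribute. The LDAP match is case-insensitive,
    # so this also finds the address when it is someone's primary "SMTP:" entry.
    $owner = Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$Address)"
    if ($owner) {
        throw "$Address is already assigned to: $($owner.DistinguishedName -join '; ')"
    }

    $user = Get-ADUser -Identity $Identity -Properties proxyAddresses
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add $value")) {
        Set-ADUser -Identity $user -Add @{ proxyAddresses = $value }
    }

    # Return the resulting list so the change can be checked before the next sync.
    (Get-ADUser -Identity $user -Properties proxyAddresses).proxyAddresses
}

# Constructed sample call; -WhatIf shows the change without writing it.
Add-SecondaryProxyAddress -Identity 'jdoe' -Address 'john.doe@example.com' -WhatIf
```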


Solved: No Attribute Editor option within ADUC

I received a question about why the Attribute Editor option didn’t show up in Active Directory Users & Computers. See the picture below.


This is a well-known issue (by design). When you open a user from search results, there is no Attribute Editor option. Instead, go to the specific OU and open the properties of that user from there.


Notice the Attribute Editor is now showing up!

How to build your own Self service portal 2

A colleague asked me if it was possible for end users to change their passwords themselves.

Of course there are several commercial tools (like ManageEngine) which allow users to change their passwords, but they are not cheap and are licensed by the number of end users. (In my case > 2000 users)

First I used the IISADMPWD method from Server 2003 IIS but I found a better method. I used RD Web Access to provide the end users a way to self service their password.

First install the RD Web Access component :

  • Add Roles and Features
  • Choose Remote Desktop Services installation
  • Standard Deployment
  • Choose Session-based desktop deployment



Now configure IIS :

  • IIS Manager
  • Right click RDWeb
  • Configure Application Settings and set PasswordChangeEnabled to true

Now you can go to the following address:



Make sure you protect this web page with an SSL certificate: users submit their current and new passwords through it.
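
The two IIS settings above applied from PowerShell, as an added example that is not part of the original post. It assumes RD Web Access is installed under `Default Web Site` (the site name is an assumption) and that the WebAdministration module is available.

```powershell
# Added example: enable the RD Web Access password-change page and require TLS.
Import-Module WebAdministration

$site  = 'Default Web Site'          # assumption: adjust to your deployment
$pages = "IIS:\Sites\$site\RDWeb\Pages"
$key   = "/appSettings/add[@key='PasswordChangeEnabled']"
$tls   = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = "$site/RDWeb"
    Filter   = 'system.webServer/security/access'
    Name     = 'sslFlags'
}

# Refuse to continue without an HTTPS binding: enabling the page on a site
# that only speaks HTTP would send passwords over the network in clear text.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    throw "Site '$site' has no HTTPS binding. Bind a certificate first."
}

# Weak configuration: PasswordChangeEnabled=true while RDWeb still accepts HTTP.
# Corrected configuration: enable the page AND reject non-SSL requests.
Set-WebConfigurationProperty -PSPath $pages -Filter $key -Name value -Value 'true'
Set-WebConfigurationProperty @tls -Value 'Ssl'

# Read both settings back to confirm what is now active.
[pscustomobject]@{
    PasswordChangeEnabled = (Get-WebConfigurationProperty -PSPath $pages -Filter $key -Name value).Value
    SslFlags              = Get-WebConfigurationProperty @tls
}
```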

Unable to manually install Windows Updates (WSUS)

Sometimes you don’t want to wait for or rely on your WSUS environment for specific updates.

But when you try to install updates manually you might notice the following message:

windows updates before

It’s easy to work around this: copy and paste the following into a .reg file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoWindowsUpdate"=dword:00000000
"NoAutoUpdate"=dword:00000001

When you apply the above .reg file and go to Windows Update, you will notice that updates are possible again:

windows updates after

Exchange 2010/2013 : Unable to find schema master

Some time ago I ran into an error while installing Exchange. It seems this problem also occurs when upgrading/installing an Exchange Server service pack. This is how to fix this problem :

First go to the (root) domain controller and register the schema extension :

Now load the plugin by starting mmc and adding the extension

Now right-click Active Directory Schema and select Change Active Directory Domain Controller. (Choose the domain controller you wish to transfer the schema role to.)


Hit OK when you receive the read-only warning.

Now select Change Schema Master and hit Change.


Solved: The publisher could not be verified problem

Some time ago I ran into a problem while opening an application on a Windows DFS share:


All the standard solutions, like Internet Explorer intranet zones etc., didn’t work.

After some troubleshooting I found out the following group policy setting fixed my issue :



User Configuration / Administrative Templates / Windows Components / Attachment Manager

Add the extensions (*.exe, *.mdb etc.) of the files you wish to open.

The problem should now be solved.

Windows 2008 profile problem (fixed)

A customer had a problem where a virus scanner didn’t like an executable on the desktop and therefore somehow refused access to the user’s profile. The user decided to remove his profile (all the files in c:\users\<user>) and tried to log on. The user noticed that a temporary profile was created each time.

The solution was as follows :

Open regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList


When you click on a SID you see which user this is.


As you can see, there are 2 identifiers for the same SID: one with the extension .bak and one without. Remove the one without the .bak and remove the .bak extension from the other.

Now my customer was able to login with a clean profile.
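
The registry check and fix described above as a script, added here as an example that is not part of the original post. The function name is hypothetical; it must run elevated, and without `-Repair` it only reports.

```powershell
# Added example: find ProfileList keys that exist as <SID>.bak and, with
# -Repair, remove the plain <SID> key and strip .bak from the other.
function Repair-DuplicateProfileKey {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Repair)

    $reg   = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $root  = "Registry::$reg"
    $names = Get-ChildItem -Path $root | ForEach-Object { $_.PSChildName }

    foreach ($bak in $names | Where-Object { $_ -like '*.bak' }) {
        $sid      = $bak -replace '\.bak$', ''
        $hasPlain = $names -contains $sid

        # Resolve the SID to an account name; orphaned SIDs do not translate.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        [pscustomobject]@{
            Sid         = $sid
            Account     = $account
            ProfilePath = (Get-ItemProperty -Path "$root\$bak").ProfileImagePath
            HasPlainKey = $hasPlain
        }

        if ($Repair -and $PSCmdlet.ShouldProcess($sid, 'Replace key with its .bak copy')) {
            # Export the whole ProfileList key first so the change can be undone.
            reg.exe export $reg "$env:TEMP\ProfileList-$sid.reg" /y | Out-Null
            if ($hasPlain) { Remove-Item -Path "$root\$sid" -Recurse }
            Rename-Item -Path "$root\$bak" -NewName $sid
        }
    }
}

Repair-DuplicateProfileKey          # report only; add -Repair to apply the fix
```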

How to: quickly check domain health

Before I upgrade a domain I usually check for problems and issues. I use the following steps to give me an idea of the status:

Check DC and services

Check networking components

Show DHCP status

Show all replication between sites

Show replication issues

When you have performed the steps mentioned and didn’t run into several errors, then you probably have nothing to worry about. 🙂
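
One pass over the checks listed above, as an added example that is not part of the original post. The tool choices (dcdiag, repadmin, netsh) and the function name are assumptions made for this example; run it elevated on a domain controller.

```powershell
# Added example: collect the health checks into one object that can be
# compared before and after an upgrade.
function Get-DomainHealthSummary {
    # Drop blank lines so "no output" really means "no findings".
    $nonEmpty = { "$_".Trim() }

    # DC and service tests. /q prints failures only, so any line is a finding.
    $dcdiag = @(dcdiag.exe /q 2>&1 | Where-Object $nonEmpty)

    # Networking: DNS registration and resolution tests for this DC.
    $dns = @(dcdiag.exe /test:DNS /q 2>&1 | Where-Object $nonEmpty)

    # DHCP servers authorized in Active Directory.
    $dhcp = @(netsh.exe dhcp show server 2>&1 | Where-Object $nonEmpty)

    # Every replication link of every DC, parsed into objects.
    $links = @(repadmin.exe /showrepl * /csv | ConvertFrom-Csv)

    # A link is a problem when repadmin could not query the DC at all (row is
    # not showrepl_INFO) or when it reports failed attempts. The row-type test
    # comes first because error rows carry no numeric failure count.
    $failed = @($links | Where-Object {
        $_.showrepl_COLUMNS -ne 'showrepl_INFO' -or [int]$_.'Number of Failures' -gt 0
    })

    [pscustomobject]@{
        DcdiagFindings   = $dcdiag
        DnsFindings      = $dns
        DhcpServers      = $dhcp
        ReplicationLinks = $links.Count
        FailedLinks      = $failed | Select-Object 'Source DSA', 'Destination DSA',
                               'Naming Context', 'Number of Failures',
                               'Last Failure Time', 'Last Failure Status'
        Healthy          = ($dcdiag.Count -eq 0 -and $dns.Count -eq 0 -and $failed.Count -eq 0)
    }
}

Get-DomainHealthSummary | Format-List
```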