Category: Uncategorized

NTDSUtil – Cannot delete server from a site – DsRemoveDsServerW error 0x5(Access is denied.)

When cleaning up non-existence domain controller using NTDSUtil, you may get this error:

metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
DsRemoveDsServerW error 0x5(Access is denied).

There could be many reasons like the account is not really have access to remove servers from domain. But most obvious and common reason is the NTDS Settings is set to protect from accidental deletions.


1. Open Active Directory Sites and Services (on the the same DC where you are running NTDSUtil)

2. Navigate to Sites —> Your Site Name —> Servers —> DC Name —> NTDS Settings

3. Right click on NTDS Settings and select Properties

4. Change to Object tab and un-check the check box “Protect object from accidental deletion


That’s all. Try removing the server using NTDSUtil. 🙂


Find a user (or any object) exists in Active Directory

With all Microsoft Active Directory Module for PowerShell, it doesn’t have an cmdlet to simply search a user or group in AD to find it exists or not. Get-ADUser or Get-ADGroup spits an ugly error message if it doesn’t find the object.

I wrote an PowerShell function to do exactly what I wanted. Simple search the given user or group, return True if it exists or return False. If you need it, feel free to use this function.

Download the script here:

# Function: IsUserExists
# Parameter: SamAccountName of the user
# Purpose: Find the user existing in AD or not. Returns True
# if the user exists, or returns False
# Written by Anand Venkatachalapathy
Function IsUserExists()
Param ( $username = “Administrator”)
$strFilter = “(&(objectCategory=User)(SAMAccountName=$username))”

    $objDomain = New-Object System.DirectoryServices.DirectoryEntry

    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = “Subtree”

    $colProplist = “name”
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

    $colResults = $objSearcher.FindAll()

    If ($colResults.Count) { Return $true }
Else { Return $false }


PowerShell: Check the user is member of a Group (including Built-in Groups)

The issue with Get-ADUser JohnDoe –Properties MemberOf cmdlet is it doesn’t list Domain Built-in groups like Domain Users. I am not sure why Microsoft wants to hide built-in groups from listing user group memberships. So I have written a VB Script style function.

To use this function, copy & paste this function to your PowerShell script and call the function with username and groupname to check. E.g., IsMember –User JohnDoe –Group “Domain Users”

Download the Script:

# Function: IsMember
# Parameters: AD User Name (SAMAccountName) and Group Name
# Description: Check if the provided User is member of given Group name.
# Returns True if the user if member of the group or returns False.
# Speciality: This function lists groups and check the group membership
# including Built-in groups like Domain Users.
# The Get-ADGroupMember from PowerShell AD Module doesn’t list
# built-in groups like “Domain users”, but this
# function does.
# Usage e.g.,: If (IsMember -User JohnDoe -Group “Sales-NA”)…
# Written By: Anand, the Awesome, Venkatachalapathy
Function IsMember()
Param (
[string]$User=$(Throw “Error: Please enter a username!”),
[string]$Group=”Domain Users”

Import-Module ActiveDirectory

#Get the Domain Name or you may assign it manually to
#$DomainName variable below
$DomainName = (Get-ADDomain).NetBIOSName

# Bind to specified user in domain.
$UserObj = [ADSI]”WinNT://$DomainName/$User,user”

    # Invoke the Groups method.
$GroupsObj = $UserObj.psbase.Invoke(“Groups”)

    ForEach ($GroupObj In $GroupsObj)

# Retrieve name of group.
$GroupName = $GroupObj.GetType().InvokeMember(“Name”, ‘GetProperty’, $Null, $GroupObj, $Null)

#Check the Group, if given group and current group name is same, return True
If ($GroupName.Equals($Group)) { Return $true }

#Group Not found, send False
Return $false

RDS 2012 R2–Single sign on using Windows Authentication for RDWeb page

WebSSO is great and it works beautifully if configured correctly. If you go, you will be presented with form based authentication page.

What if we present the published apps/icons without presenting form-based authentication page, meaning use Kerberos or NTLM authentication with logged of user. This makes sense for internal corporate users, they are already logged in with their domain credentials and who do they have to logon again.

This blog is to achieve Windows Authentication for RDWeb logon. It’s really easy to do in Windows Server 2012 R2.

  1. Logon to Remote Desktop Web Access server.
  2. Open Explorer and go to C:\Windows\Web\RDWeb\Pages
  3. Make a backup copy of web.config file.
  4. Open Notepad as Administrator
  5. Open C:\Windows\Web\RDWeb\Pages\web.config
  6. Uncomment Windows Authentication section and comment Formbased authentication. The end result would like this:

To turn on Windows Authentication:
– uncomment <authentication mode=”Windows”/> section
– and comment out:
1) <authentication mode=”Forms”> section.
2) <modules> and <security> sections in <system.webServer> section at the end of the file.
3) Optional: Windows Authentication will work in https.  However, to turn off https, disable ‘Require SSL’ for both RDWeb and RDWeb/Pages VDIR.
Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck ‘Require SSL’ and
click Apply in the top right in the right pane.  Repeat the steps for RDWeb/Pages VDIR.

    <authentication mode=”Windows”/>

<authentication mode=”Forms”>
<forms loginUrl=”default.aspx” name=”TSWAAuthHttpOnlyCookie” protection=”All” requireSSL=”true” />
<personalization defaultProvider=”TSPortalProvider”>
<add name=”TSPortalProvider” type=”Microsoft.TerminalServices.Publishing.Portal.TSPortalProvider”/>
<allow users=”*” verbs=”enterSharedScope”>

Enable Windows Authentication in IIS settings

1. Open IIS Console on the RD Web Access Server
2. Expand to RDWeb folder.
3. Double click on Authentication.
4. Disable Basic Authentication and Enable Windows Authentication

That’s all, BUT there is one more thing. Since we don’t use form-based authentication, how would you specify it’s Public or Private. On RDWeb page there is a check box to make the RDWeb sessions private. It shows up in the bottom as below.


I made this Private checked by default since all my users are internal (& I have different Remote desktop web access server for external users with form-based authentication). To make that happen follow the steps below.

  1. Logon to Remote Desktop Web Access server.
  2. Open Explorer and go to C:\Windows\Web\RDWeb\Pages\en-US
  3. Make a backup copy of Default.aspx file.
  4. Open Notepad as Administrator
  5. Open C:\Windows\Web\RDWeb\Pages\en-US\Default.aspx
  6. Modify the variable bPrivateMode to true (from false). The modified variable line looks like this:

public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;

Now it looks like this, since Private mode is checked by default.


Hope this helps you. Enjoy!!

Windows 8.1/Windows Server 2012 R2: Task Manager Gadget on your desktop

How about to display CPU,Memory, Disk and Network performance details on your desktop without any third-party software? Windows 8.1 has built-in cool display, gadget like, in Task Manager application.

It looks like this:



With that you can monitor you computer/server performance at a glance. To get this view,

  • Open Task Manager (right lick on task bar and select Task Manager) on your computer or server
  • Go to Performance Tab


  • Double click on one of the graphs on the left side strip

Enjoy the tip. Hope you like it.

RDS 2012: How to login to RDWeb page without typing Domain Name?

Logon to RDWeb site with just username and password, saves time and confusion for the users. We can make user to bypass typing Domain Name with few easy steps.

There is two steps I did. One add “DomainName\” by script and second steps to change the text from “Domain Name\User name:” to just “User name:” in logon page.

To do the first step, follow the instructions below.

For Windows 2012 R2:

1. Remote Desktop to your RD Web Access Server.

2. Open Windows Explorer and go to C:\Windows\Web\RDWeb\Pages. Backup webscripts-domain.js file.

3. Open Notepad as (run as) Administrator. Open C:\Windows\Web\RDWeb\Pages\webscripts-domain.js

4. Find strDomainName variable text. It looks like this:

var strDomainName = “”;

5. Modify the above text with your NetBIOS domain name like below: (CONTOSO is my example domain, replace it with yours).

var strDomainName = “CONTOSO”;

6. Save the file and close the Notepad.

For Windows 2012:

1. Remote Desktop to your RD Web Access Server.

2. Open Windows Explorer and go to C:\Windows\Web\RDWeb\Pages. Backup renderscripts.js file.

3. Open Notepad as (run as) Administrator. Open C:\Windows\Web\RDWeb\Pages\renderscripts.js

4. Find “strDomainUserName = objForm.elements(“DomainUserName”).value;” and add the following script blob

// add default domain…
if ( strDomainUserName.indexOf(“\\”) == -1 )
strDomainUserName = “INTSURG\\” + strDomainUserName;
objForm.elements(“DomainUserName”).value = strDomainUserName;

So it would look like this..

if ( objForm != null )
strDomainUserName = objForm.elements(“DomainUserName”).value;
// add default domain…
if ( strDomainUserName.indexOf(“\\”) == -1 )
strDomainUserName = “MYDOMAIN\\” + strDomainUserName;
objForm.elements(“DomainUserName”).value = strDomainUserName;
strPassword = objForm.elements(“UserPass”).value;
strWorkspaceId = objForm.elements(“WorkSpaceID”).value;

5. Save renderscripts.js file.

Now user can just provide username and password. Domain name will be added if it is not present.

Now it the RD Web access log on page will still display Domain Name\User name:. That can be changed very easily also. Follow the steps below for the second step.

For Windows Server 2012 and Windows Server 2012 R2:

1. Remote Desktop to your RD Web Access Server.

2. Open Windows Explorer and go to C:\Windows\Web\RDWeb\Pages\en-US. Backup login.aspx file.

3. Open Notepad as (run as) Administrator. Open C:\Windows\Web\RDWeb\Pages\login.aspx

4. Modify the following text as below:


const string L_DomainUserNameLabel_Text = “Domain\\user name:”;


const string L_DomainUserNameLabel_Text = “User name:”;

5. Save login.aspx file.


That’s all. If you ever update with RDS patches, you will have to redo these steps again.

Enjoy. Smile

RDS 2012: Redirect RDWEB page from IIS Default (root) site

After you successfully deployed RD Web Access server users have to type or you create a link to reach this page.

To make it easier you may want to redirect to It’s easier than you thought. Follow the steps below.

  • Remote Desktop to RD Web Access Server.
  • Open Server manager and Click on IIS on the left side bar.


  • Right click on RD Web Access server and select Internet Information Services (IIS) Manager
  • Expand to Default Web Site.


  • Double click on image  (HTTP Redirect) under IIS section.
  • Match the settings as in the picture below.
    • Check the box Redirect requests to this destination
    • Type /RDWeb/Pages as redirect destination
    • Uncheck the box for Redirect all requests to exact destination…
    • Check the box for Only redirect requests to content in this directory..
    • Select Status code as Found (302)


That’s all now, try typing (or whatever your website URL is), it will redirect to the RDWeb page. Enjoy.