Interview Question


Cody

Hello friends:

Recently I had a phone interview, and one of the questions I was asked was:

You are logged onto a Windows domain controller and you have the domain
admin privileges, but you are not able to create a user account in "AD Users
and Computers", what could be the reason?

I tried to find the answer on the web, but no luck. Would appreciate your
input.

Thanks.
 
possible answers:
(1) you are a member of some group that has been denied that
(2) the DC is not able to retrieve a new RID pool from the RID Master FSMO
and is therefore not able to create security principals

most probably (1)

I mention both because you don't mention what the context is of the question
(permissions or troubleshooting). But most probably the context is
permissions

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Could be multiple reasons. I would fire back the question "what is the
error message?" That is more than what 95% of the folks would probably
respond with. There are very few absolute answers to things in
complicated systems. Obviously the people asking the question had a
specific case in mind and I would actually question how good they were
if they didn't give you a well qualified question unless they were
looking for you to ask questions to try and flesh out the details.

To throw them if they were looking for an answer and not a question I
would have said something like... it could be that you have run out of
available DNT values.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
wanna test all options mentioned?
(1) Member of a group that has a DENY to create user objects
* create group and assign that a DENY to create user objects in some OU
* create a user account, make it a member of that group and domain admins
* log on and try to create a group in the OU with the delegation
(2) Not able to retrieve new RID pool from RID Master
* disable outbound replication on the RID master FSMO (repadmin /options
<FQDN RID MASTER FSMO> +DISABLE_OUTBOUND_REPL)
* create 1000 user objects on another DC than the RID Master FSMO itself
using the script:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/usmgvb03.mspx
(make sure you adjust the script with the correct OU)(while creating the
users you should receive an error)
(3) running out of DNT values
see: http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
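
An added example, not part of the original thread or written by any of its posters: a PowerShell check for scenario (1), listing the Deny ACEs on an OU that block user creation for a given account, explicit or inherited. The function name, the OU distinguished name and the account name are hypothetical; it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# schemaIDGUID of the "user" class. An empty GUID on an ACE means "any child class".
$UserClass   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$AnyClass    = [guid]::Empty
$SidType     = [System.Security.Principal.SecurityIdentifier]
$CreateBit   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-CreateUserDenyAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $OuDn,           # DN of the OU under test
        [Parameter(Mandatory)] [string] $SamAccountName  # account that cannot create users
    )

    # Collect the account's SID plus every group SID in its token (nested groups
    # included). tokenGroups is a constructed attribute, so read it with a base search.
    $user = Get-ADUser -Identity $SamAccountName
    $withToken = Get-ADUser -SearchBase $user.DistinguishedName -SearchScope Base `
                     -LDAPFilter '(objectClass=user)' -Properties tokenGroups
    $sids = @($user.SID.Value) + @($withToken.tokenGroups | ForEach-Object { $_.Value })
    # tokenGroups omits these well-known SIDs: Everyone, Authenticated Users.
    $sids += 'S-1-1-0', 'S-1-5-11'

    # Read the OU's DACL with trustees as SIDs, explicit and inherited ACEs alike.
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.ActiveDirectoryRights -band $CreateBit) -and     # also matches Deny GenericAll
        ($_.ObjectType -in $UserClass, $AnyClass) -and
        -not ($_.PropagationFlags -band $InheritOnly) -and   # inherit-only ACEs skip the OU itself
        ($_.IdentityReference.Value -in $sids)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Constructed sample values for a lab domain:
# Get-CreateUserDenyAce -OuDn 'OU=Test,DC=lab,DC=example' -SamAccountName 'testadmin'
```

An empty result means no Deny ACE on that OU explains the failure, which points toward the other causes raised in the thread rather than permissions.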
 
Gracias Jorge, I have set up a Virtual PC lab and I will test the scenarios
you mention.


"Jorge de Almeida Pinto [MVP]"
 