Active Directory: Registry keys can remove user groups

The following is a collection of expert responses to reader questions by Laura Hunter.

How can I remove a user from a group using Registry keys without accessing AD users and computers?

Laura Hunter: In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net. ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.

I want to set up a DNS server and AD domain. What do I do first? If I install the DNS service first and name the zone 'name.org' can I name the AD domain 'name.org' too?

LH: Not only can you have a DNS zone and an AD domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing AD, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.

I am part of a truly global forest (2000) and now the time has come to be pruned from that forest. I would like to create a new 2003 forest and migrate the user objects, plus everything else that is necessary, over to the new domain. I would also like to add Exchange 2003 into this domain. My main question is, what would be the best/easiest way to migrate the Exchange 2000 mailboxes to Exchange 2003?

LH: The first domain that you create in an AD forest becomes the forest root domain. This domain must remain the forest root for the lifetime of the AD forest; it cannot be restructured to become the child of another domain without rolling up or migrating to a new forest.

Recently after our power shutdowns, all our NT4s started to have problems. Our NT4 clients in our native mode Windows 2000 domain started to fail to connect to the domain. We rejoined and it showed that everything was successfully joined, but when we rebooted and tried to log in to the domain, it failed. We also noticed the domain accounts all became 'domainunknown' accounts. We have tried to join and rejoin many times. Any idea what is causing this?

LH: Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.


Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at laurahcomputing@gmail.com.

This was first published in January 2006
