
Active Directory: Registry keys can remove user groups

Check out this series of responses to reader questions from Active Directory expert Laura E. Hunter. This compilation covers topics such as how to set up a DNS server with an AD domain and how to use Registry keys to remove a user from a group.

The following is a collection of expert responses to reader questions by Laura Hunter.

How can I remove a user from a group using Registry keys without accessing AD users and computers?

Laura Hunter: In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities ADFind and ADMod, which are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.
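As an added illustration of the dsmod approach described in the answer above (this is example code, not part of the original answer), the following removes one user from a group from a PowerShell prompt on a Windows Server 2003 domain member with the directory service command-line tools installed, then confirms the change with dsget. The group and user distinguished names are assumed values for the example:

```powershell
# Added example: remove a user from an AD group with dsmod and confirm with dsget.
# The DNs below are assumed for this example; replace them with real objects.
$GroupDN = "CN=Finance Users,OU=Groups,DC=example,DC=com"
$UserDN  = "CN=Jane Doe,OU=Staff,DC=example,DC=com"

# Show membership before the change (dsget group -members lists member DNs).
Write-Host "Members before:"
dsget group $GroupDN -members

# Remove the member. -delmbr accepts one or more member DNs.
dsmod group $GroupDN -delmbr $UserDN
if ($LASTEXITCODE -ne 0) {
    throw "dsmod failed with exit code $LASTEXITCODE"
}

# Verify: the user's DN should no longer appear in the member list.
$members = dsget group $GroupDN -members
if ($members -match [regex]::Escape($UserDN)) {
    throw "$UserDN is still listed as a member of $GroupDN"
} else {
    Write-Host "Removed $UserDN from $GroupDN"
}
```

Because dsmod does not change the user's group membership until the directory change replicates, run the verification against the same domain controller that processed the dsmod call (add -s <server> to both commands) if you have more than one DC.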

I want to set up a DNS server and AD domain. What do I do first? If I install the DNS service first and name the zone '' can I name the AD domain '' too?

LH: Not only can you have a DNS zone and an AD domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing AD, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.
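Whichever order you choose, the check a practitioner wants after dcpromo finishes is that the zone really does carry the AD domain's name and that the new domain controller has registered its locator records in it. The following is an added example (not part of the original answer) that runs that check with nslookup from PowerShell; the domain name example.com is an assumed value standing in for the zone name elided in the question:

```powershell
# Added example: confirm that the DNS zone matches the AD domain name and that
# the domain controller registered its SRV locator records after dcpromo.
# "example.com" is an assumed value for this example.
$AdDomain = "example.com"

# The zone's SOA record proves a zone with exactly this name exists.
nslookup -type=SOA $AdDomain

# Clients and other DCs locate domain controllers through these SRV records.
# If they are missing, either the zone name does not match the AD domain or
# dynamic update to the zone is failing.
$checks = @(
    "_ldap._tcp.dc._msdcs.$AdDomain",
    "_kerberos._tcp.dc._msdcs.$AdDomain",
    "_ldap._tcp.$AdDomain"
)
foreach ($name in $checks) {
    $result = nslookup -type=SRV $name 2>&1
    # Windows nslookup prints "svr hostname = <dc>" for each SRV answer.
    if ($result -match "svr hostname") {
        Write-Host "OK       $name"
    } else {
        Write-Warning "MISSING  $name"
    }
}
```

If the SOA lookup succeeds but the SRV records are missing, restart the Netlogon service on the domain controller to force re-registration and then repeat the SRV checks.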

I am part of a truly global forest (2000) and now the time has come to be pruned from that forest. I would like to create a new 2003 forest and migrate the user objects, plus everything else that is necessary, over to the new domain. I would also like to add Exchange 2003 into this domain. My main question is, what would be the best/easiest way to migrate the Exchange 2000 mailboxes to Exchange 2003?

LH: The first domain that you create in an AD forest becomes the forest root domain. This domain must remain the forest root for the lifetime of the AD forest; it cannot be restructured to become the child of another domain without rolling up or migrating to a new forest.

Recently after our power shutdowns, all our NT4s started to have problems. Our NT4 clients in our native mode Windows 2000 domain started to fail to connect to the domain. We rejoined and it showed that everything was successfully joined, but when we rebooted and tried to log in to the domain, it failed. We also noticed the domain accounts all became 'domainunknown' accounts. We have tried to join and rejoin many times. Any idea what is causing this?

LH: Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.
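The two checks suggested above can be scripted. The following is an added example (not part of the original answer) that verifies from a Windows 2000 or later machine that the client points at the expected WINS server and that the domain controller is advertising the domain's NetBIOS group name. The WINS server address, domain controller address and NetBIOS domain name are assumed values:

```powershell
# Added example: verify WINS configuration and the DC's NetBIOS registration
# for the NT4 logon failure described above. All addresses and names below
# are assumed values for this example.
$WinsServer = "10.0.0.10"
$DcAddress  = "10.0.0.11"
$NbDomain   = "CORP"

# 1. Does this client point at the expected WINS server?
$cfg = ipconfig /all
$cfg | Select-String -Pattern "WINS Server"
if (-not ($cfg -match "WINS Server.*$([regex]::Escape($WinsServer))")) {
    Write-Warning "This client is not configured to use WINS server $WinsServer"
}

# 2. Does the domain controller hold the domain's NetBIOS group name?
#    Every domain controller registers DOMAIN<1C> (the domain controllers
#    group name that NT4 clients query to find a logon server).
#    nbtstat -A dumps the remote machine's NetBIOS name table by IP address.
$table = nbtstat -A $DcAddress
$table
if ($table -match "$NbDomain\s+<1C>") {
    Write-Host "$DcAddress registers $NbDomain<1C>"
} else {
    Write-Warning "$DcAddress does not show $NbDomain<1C>; check its WINS registration"
}
```

If the DC shows the <1C> record locally but the NT4 clients still cannot log on, query the WINS database itself for the same name: the DC may have registered with a different WINS server than the one the clients use.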


Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at
