YubiKey Smart Card Deployment Guide Oct. 9, 2019, 9:01 a.m.

The YubiKey Minidriver is designed to function in a Windows Server and Client environment configured for smart card authentication. Ensuring your deployment is set up properly is a crucial element of the initial planning for the YubiKey Minidriver deployment.

security windows active directory 2fa yubikey

Creating Custom Secure LDAP Certificates for Domain Controllers with Auto Renewal Sept. 4, 2019, 12:15 p.m.

The primary reason for enabling this functionality is to allow third-party applications that aren’t capable of performing secure binds or encrypted LDAP sessions (over TCP 389) to connect securely.

active directory security windows

Identifying Clear Text LDAP binds to your DC’s Sept. 4, 2019, 12:15 p.m.

The core of the issue is this: when an application performs a simple LDAP bind, the username and password are transmitted in clear text in the very first packet. The DC doesn't even have a chance to prevent this exposure from occurring. If this connection is not encrypted at a lower layer such as TLS or IPSec, it may be intercepted and a bad day may soon follow.

active directory security windows ldap

How Healthy is your LAPS Environment? April 6, 2019, 3:41 p.m.

LAPS is easy to deploy and works great. The challenge comes in knowing if it’s actually working. How do you know if your machines have ever set the password? Or maybe they set it once and haven’t updated it since even though it’s past the designated expiration date? It’s definitely worth monitoring to ensure that your machines are operating as expected. Jiri Formacek (the creator of LAPS), threw together a small PowerShell script to provide that capability.

windows active directory security

Implementing LAPS – My way | Secure Identity April 3, 2019, 3:37 p.m.

Local Administrator Password Solution (LAPS) has been around for a while and last year it became an officially supported tool by Microsoft. Since there are so many articles about it, I would like to share my tweaks. I decided to create my own LDF file to extend the schema with these two attributes because I feel that a few things are missing.

active directory security windows

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting Nov. 12, 2018, 11:06 a.m.

Starting in Windows Server 2008 R2, Active Directory now implements a true recycle bin. No longer will you need an authoritative restore to recover deleted users, groups, OU’s, or other objects. Instead, it is now possible to use PowerShell commands to bring back objects with all their attributes, backlinks, group memberships, and metadata.

active directory sysadmin

Cluster and Stale Computer Accounts Nov. 12, 2018, 8:38 a.m.

A Failover Cluster does not update the lastLogonTimeStamp the same way as a real computer. A cluster updates the lastLogonTimeStamp when it brings a clustered network name resource online. Once online, it caches the authentication token. Therefore, a clustered network name resource working in production for months will never update the lastLogonTimeStamp. This appears as a stale computer account to the AD administrator.

active directory sysadmin sql server

Global Object Access Auditing is Magic Nov. 1, 2018, 3:55 p.m.

Global auditing lets you create System Access Control Lists (SACL) for the entire computer, based on file and registry. This means that instead of manually altering and maintaining SACLs on 10TB of shared files, you can instead define them implicitly and not actually modify the files at all. You can then troubleshoot an unexplained file deletion, see who keeps changing permissions on a folder, or satisfy an auditor.

active directory security windows group policy

Getting the Effective Audit Policy in Windows Nov. 1, 2018, 3:50 p.m.

You should not trust any of the Group Policy reporting tools when it comes to audit settings. There’s only one safe bet and it’s this command: auditpol.exe /get /category:*

active directory security windows group policy

Troubleshooting Group Policy Using Event Logs Sept. 28, 2018, 8:53 a.m.

Most of the events in the Group Policy operational log appear in pairs. For each start event, there is an end event. End events can be successful, warning, or error events. Usually these events share the last two digits in their event IDs. For example, a 4017 event appears in the event log, which represents a Group Policy component beginning a specific action. If the action completes successfully, then the Group Policy service records a 5017 event. If the action completes with errors or fails, then the Group Policy service records a 6017 or 7017 event, respectively. Policy processing events use the same numbering scheme for warning and error event messages, with the 8000–8007 range used for Group Policy success events. You can use these numbering patterns to quickly identify warning and failure events in the Group Policy operational log.

active directory windows group policy

CRUD: When to use Create, Replace, Update or Delete in Group Policy Preferences? Sept. 17, 2018, 5:12 p.m.

Here is a quick run-down of how Create, Replace, Update and Delete behave in Group Policy Preferences.

active directory windows group policy

List Group Policy Client Side Extensions Sept. 4, 2018, 3:50 p.m.

The order of Client Side Extensions is the order you see in the registry, and that is the order you see in my list as well. But (yes, normally there is a but) the first CSE to be applied is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}, the one for Registry/Administrative Templates. This also covers any ADMX template you write on your own; it will be applied first.

function Get-GPClientSideExtensions {
    # Every registered CSE is a subkey named by its GUID under GPExtensions;
    # the enumeration order of these subkeys is the order shown in the registry.
    Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions" | ForEach-Object {
        $guid = ($_.Name).Split("\") | Select-Object -Last 1
        $props = Get-ItemProperty $_.PSPath

        # Guess the CSE name in order: (default), ProcessGroupPolicy, ProcessGroupPolicyEx.
        # The Registry/Administrative Templates CSE carries no name value, so it is
        # matched by its well-known GUID (the original used "=" here, which assigns
        # and is always true; "-eq" is the comparison that was intended).
        if ($props.'(default)') {
            $description = $props.'(default)'
        } elseif ($props.ProcessGroupPolicy) {
            $description = $props.ProcessGroupPolicy
        } elseif ($props.ProcessGroupPolicyEx) {
            $description = $props.ProcessGroupPolicyEx
        } elseif ($guid -eq "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}") {
            $description = "Administrative Templates"
        } else {
            $description = "Error guessing CSE name"
        }

        [PSCustomObject] @{
            GUID        = $guid
            Description = $description
        }
    }
}

active directory powershell group policy

Post-Graduate AD Studies | Ask the Directory Services Team May 31, 2018, 5:31 p.m.

List of links to core documentation for all major AD components.

active directory windows

Report and Edit AD Site Links From PowerShell May 24, 2018, 10:30 a.m.

Optimising AD inter-site transport settings.

active directory powershell

DNS requirements for installing Active Directory April 16, 2018, 2:44 p.m.

When you install Active Directory on a member server, the member server is promoted to a domain controller. Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain IP addresses of domain controllers.

During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS, which are necessary for the successful functionality of the domain controller locator (Locator) mechanism.

active directory dns

How DNS Support for Active Directory Works: Active Directory April 16, 2018, 2:44 p.m.

Active Directory uses DNS as its domain controller location mechanism and leverages the namespace design of DNS in the design of Active Directory domain names. As a result, DNS is positioned within the discoverability and logical structure components of Active Directory technology components.

active directory dns

LDAP Tool Box Self Service Password April 12, 2018, 8:43 a.m.

Self Service Password is a PHP application that allows users to change their password in an LDAP directory.

active directory ldap free tools

Active Directory FSMO Roles Explained April 4, 2018, 10:51 a.m.

Because Active Directory is a multi-master database, changes can be processed at any given domain controller (DC), regardless of whether the DC is connected or disconnected from the network. A limited number of operations are not permitted to occur at different places at the same time and must be the responsibility of only one domain controller in a domain or forest. All domain controllers are capable of performing these single-master operations. The domain controller that actually performs a single-master operation is the domain controller that currently holds the operation’s token, also known as the “role holder”. The operation's token, and thus the role, can be transferred easily to another domain controller without a reboot. Because the role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role.

active directory windows

Determine the tombstone lifetime for the forest April 4, 2018, 10:40 a.m.

The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a “tombstone”) is retained in Active Directory Domain Services. The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition. You can use this procedure to determine the tombstone lifetime for the forest.

active directory windows

Active Directory Replication Overview & USN Rollback: What It Is & How It Happens April 4, 2018, 10:37 a.m.

Typically when a USN goes backwards, it is due to a supported restore from backup. When this process occurs, the invocation ID changes. Since all replica partners track replication based on DC GUID, Invocation ID, and USNs, a supported restore method keeps the previous invocation ID as “retired” and effectively ignores it. The new database Invocation ID & associated USN are used to get AD changes from the DC… except when the USN rolls back with NO change in Invocation ID. This means that when a DC is in a state of USN Rollback, AD updates can be performed on that DC with none of the changes replicated to its replication partners.

active directory windows