The effects of GPO version numbers on Group Policy replication Oct. 18, 2017, 4:20 p.m.

There are two portions of every GPO. The Group Policy Template (GPT) is stored in the SYSVOL of each domain controller and the Group Policy Container (GPC) is stored in the Active Directory database. Each of these GPO portions has an associated version number that keeps track of how many changes have occurred to the computer and user portions within the GPO.

active directory group policy

Understanding the GPO version number Oct. 17, 2017, 7:38 p.m.

If you've ever poked around to look at the raw GPO version number, you've probably wondered why the number is so huge and how it gets displayed as a much smaller value when you view it in GPMC.

active directory powershell group policy windows

[MS-GPAC]: Group Policy: Audit Configuration Extension Oct. 16, 2017, 1:56 p.m.

Documentation for Group Policy: Audit Configuration Extension, which provides a mechanism for an administrator to control audit policies on clients.

active directory documentation group policy windows

Group Policy: Inside ADM and ADMX Templates for Group Policy Sept. 27, 2017, 4:33 p.m.

The Administrative Templates node appears on both the User and Computer sides, but where do all these magical settings within Administrative Templates come from? That's where ADM files come into play.

active directory windows group policy

How to Deploy Local Administrator Password Solution with AWS Microsoft AD Sept. 27, 2017, 2:39 p.m.

In an on-premises AD environment, you would update the schema by running the Update-AdmPwdADSchema Windows PowerShell cmdlet with schema administrator credentials. Because AWS Microsoft AD is a managed service, I do not have permissions to update the schema directly. Instead, I will update the AD schema from the Directory Service console by importing an LDIF file.

active directory microsoft security aws

From AdmPwd to LAPS and now LAPS.E Sept. 27, 2017, 2:30 p.m.

Overview of Local Administrator Password Solution (AdmPwd / LAPS / LAPS.E), and the differences between the various versions.

microsoft security active directory

Active Directory FSMO roles in Windows Sept. 26, 2017, 1:53 p.m.

Because Active Directory is a multi-master database, changes can be processed at any given domain controller (DC) in the enterprise regardless of whether the DC is connected or disconnected from the network.

For certain types of changes, Windows incorporates methods to prevent conflicting updates by extending the single-master model found in earlier versions of Windows to include multiple roles. Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role. Currently in Windows there are five FSMO roles:

  • Schema master
  • Domain naming master
  • RID master
  • PDC emulator
  • Infrastructure master

active directory windows

Get AD group membership recursively with PowerShell Sept. 26, 2017, 10:25 a.m.

The solution should retrieve not only direct group membership, but indirect (through group nesting) too. Although the question is plain and simple, the solution is very interesting from various perspectives.

active directory powershell programming

Carl Webster - Scripts and Other Utilities July 20, 2017, 10:05 a.m.

Library of admin scripts for Active Directory.

script active directory windows powershell

Poking Around DNS Scavenging Settings with PowerShell June 21, 2017, 4:55 p.m.

DNS scavenging, as you may know, takes a good deal of patience and forethought. It's not something you want to just blindly enable without doing any reconnaissance first.

active directory windows dns

SelfADSI : Active Directory Permissions : Security Descriptors May 8, 2017, 5:10 p.m.

Permissions in Active Directory are defined by so-called security descriptors, which are stored as properties directly in the AD objects.

active directory sysadmin

Setting AD Group Managers with PowerShell May 2, 2017, 2:19 p.m.

From time to time you may want to delegate control of an AD security group to an unprivileged user. The group manager property is an LDAP property on the group object that contains the Distinguished Name of a given user account. The checkbox that allows the group manager to modify who is a member of this group is not an LDAP property with a boolean type; that would be too simple and not line up with the Microsoft security management methodology. It's implemented as an Access Control Entry (ACE) in the object's Discretionary Access Control List (DACL). Think of it like the permissions you see on the Security tab for a file. These can be manipulated programmatically.

active directory windows sysadmin

How to use DNSLint to troubleshoot Active Directory replication issues March 30, 2017, 3:51 p.m.

DNSLint is a Microsoft Windows utility that can help you determine whether all DNS servers that are supposed to be authoritative for the root of an Active Directory forest actually have the necessary DNS records, and can resolve all of the necessary DNS records to successfully synchronise partition replicas among domain controllers in an Active Directory forest.

active directory windows sysadmin dns

Group Policy Processing March 15, 2017, 11:46 a.m.

The local Group Policy object is always processed first, followed by domain-based GPOs: site first, domain next, and OU last, including any nested OUs, from parent to child. The Block policy inheritance or No Override options can affect the presence or absence of Group Policy objects in the list of Group Policy objects to be processed, but cannot change their order. Computer policy is processed at startup and then user policy is processed when the user logs on. If user and computer policy settings specify different behavior, the computer policy will generally prevail.

active directory sysadmin

Windows audit policy and best practices March 6, 2017, 4:43 p.m.

Windows Audit Policy is used to determine the amount of data logged by Windows security on domain controllers and other computers on the domain. These definitions were found to be most effective from both a best practice and compliance standpoint and are based on customer experience and recommendations from Microsoft.

active directory windows security

Best practice for Default Domain Policy and Default Domain Controllers Policy March 6, 2017, 4:33 p.m.

Microsoft has some good guidance on this topic, but it’s not always clearly and consistently stated. Here’s a quick Q&A that might help.

active directory windows sysadmin best practice

Create the Key Distribution Services KDS Root Key March 3, 2017, 8:10 a.m.

The domain controllers will wait up to 10 hours from the time of creation to allow all domain controllers to converge their AD replication before allowing the creation of a Group Managed Service Account (gMSA). Workaround: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)).

active directory windows

Active Directory Naming Contexts and Application Partitions Feb. 24, 2017, 3:09 p.m.

Think of a domain as a big data partition, which is also referred to as a naming context. Only domain controllers that are authoritative for a domain need to replicate all of the information within that domain. Information about other domains is not needed on those domain controllers. On the other hand, there is some Active Directory data that must be replicated to all domain controllers within a forest.

active directory windows

PowerShell – Move AD FSMO Roles Feb. 24, 2017, 12:53 p.m.

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

active directory powershell

Active Directory Delegation via PowerShell – May I see your ID(entity)? Feb. 22, 2017, 2:42 p.m.

The pseudo code for doing this is pretty simple:

  1. Get the current DACL on the object we desire to set permissions on.
  2. Append the existing DACL with a new ActiveDirectoryAccessRule.
  3. Re-apply the DACL.

active directory powershell sysadmin