Basic Active Directory Security

A large majority of breaches happen because of compromised credentials (https://blog.centrify.com/cause-of-data-breaches/), so it stands to reason that a compromise of privileged credentials is the worst-case scenario. If someone gets hold of Domain Admin credentials, the game is essentially over. Because of this, when I'm talking to customers about improving their security posture …

Domain Controller promotion stops responding

Whilst promoting a Windows 2012R2 server to a domain controller, it got as far as 'Replicating the schema directory partition' and then nothing else happened. This server has NetBIOS over TCP/IP disabled, which was causing the above problem. The quick answer to this is to use the long version of the username when entering …

New Child Domain – Server Core and PowerShell

All of my domain controllers are now Server Core unless someone can give me a very good reason to install Windows with a GUI; so far no one has given me a good enough reason. When deploying a new child domain, this means we can now use some PowerShell goodness to create our new child …

SYSVOL Not Replicating – The content set is not ready

Had an odd problem in a lab environment. The lab was only two Windows 2012R2 Core domain controllers, fully patched and up to date, and a WSUS server. For some reason SYSVOL was not replicating, and I only noticed when I configured a GPO for WSUS and saw that one of the DCs never registered in …

Restore Computer Object with AD Recycle Bin

Over the Xmas period it would seem that someone deleted a computer account from AD. This meant that the user of that PC could not log in using that PC. This is a Windows 2008R2 forest, so to restore the computer object: Get-ADObject -Filter {samaccountname -eq "pcname$"} -IncludeDeletedObjects | Restore-ADObject   The $ on …

AdminSDHolder and admincount=1 attribute

Certain groups within Active Directory are considered protected groups and are protected by AdminSDHolder. When a user becomes a member of a protected group, the user object will no longer inherit permissions from its parent object in AD (usually an OU). This can mess up any carefully laid permission delegations you may have configured. Much more on …

Move users to OU based on description

Trying to keep up with job changes and ensuring user accounts are in the correct OU in AD can be problematic. In the environment I work in, each team has its own OU (I'm not sure why it is like this; I suspect it's a case of 'that's the way we've always done it'). Anyway …