Basic Active Directory Security

A large majority of breaches happen because of compromised credentials (https://blog.centrify.com/cause-of-data-breaches/), so it stands to reason that a compromise of privileged credentials is the worst-case scenario. If someone gets hold of Domain Admin credentials the game is essentially over. Because of this, when I'm talking to customers about improving their security posture …

Domain Controller promotion stops responding

Whilst promoting a Windows 2012 R2 server to a domain controller, it got as far as 'Replicating the schema directory partition' and then nothing else happened. This server has NetBIOS over TCP/IP disabled, which was causing the above problem. The quick answer is to use the long version of the username when entering …

New Child Domain – Server Core and PowerShell

All of my domain controllers are now Server Core unless someone can give me a very good reason to install Windows with a GUI; so far no one has given me a good enough reason. When deploying a new child domain this means we can use some PowerShell goodness to create our new child …
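The two entries above describe the same procedure from two angles: promoting a domain controller from PowerShell, and the credential form that keeps the promotion from hanging when NetBIOS over TCP/IP is disabled. The script below is an added example, not the post's own, that pulls those together for a new child domain on Server Core. The parent domain corp.example.com, the child name emea, the account name and the paths are assumptions for illustration; the NetBIOS check and the UPN-form credential are the parts that matter.

```powershell
# Added example, not the post's own script. corp.example.com, 'emea', the
# account name and the NTDS/SYSVOL paths are assumptions for illustration.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# 1. Detect the condition the post describes: NetBIOS over TCP/IP turned off on
#    the host. TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
$netbiosDisabled = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.TcpipNetbiosOptions -eq 2 }
if ($netbiosDisabled) {
    Write-Warning 'NetBIOS over TCP/IP is disabled; enter the account in its long (UPN) form.'
}

# 2. Prompt with the long form of the user name (user@domain) rather than a bare
#    name, so the credential does not depend on NetBIOS name resolution.
$cred = Get-Credential -UserName 'dcadmin@corp.example.com' -Message 'Enterprise Admins account'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password'

# 3. Dry run first: this surfaces DNS delegation, replication and permission
#    problems before anything is changed on the forest.
Test-ADDSDomainInstallation -NewDomainName 'emea' -ParentDomainName 'corp.example.com' `
    -DomainType ChildDomain -InstallDns -CreateDnsDelegation `
    -SafeModeAdministratorPassword $dsrm -Credential $cred

# 4. Create the child domain on this Server Core host. -Force suppresses the
#    confirmation prompt; the server reboots when promotion completes.
Install-ADDSDomain -NewDomainName 'emea' -ParentDomainName 'corp.example.com' `
    -DomainType ChildDomain -InstallDns -CreateDnsDelegation -DomainMode Win2012R2 `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm -Credential $cred -Force
```

For an additional domain controller in an existing domain, as in the earlier entry, the same -Credential and -SafeModeAdministratorPassword parameters go to Install-ADDSDomainController (with Test-ADDSDomainControllerInstallation as the dry run), and the UPN-form credential applies there in exactly the same way.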

AdminSDHolder and admincount=1 attribute

Certain groups within Active Directory are considered protected groups and are protected by AdminSDHolder. Every hour the SDProp process on the PDC emulator stamps each member of a protected group with the ACL of the AdminSDHolder object, disables inheritance on it and sets adminCount=1, so the object no longer inherits permissions from its parent in AD (usually an OU). This can mess up any carefully laid permission delegations you may have configured. Much more on …
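The practical consequence of the entry above is that SDProp only ever sets adminCount=1 and breaks inheritance; it never undoes either when an account is later removed from a protected group, so former admins keep the stamped ACL and fall outside the OU delegation. The script below is an added example, not the post's own, that finds those orphaned accounts and, with -Fix, clears the attribute and re-enables inheritance. It assumes the ActiveDirectory module (RSAT) and write access to the affected objects.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module
# and rights to modify the user objects it touches.
param([switch]$Fix)   # without -Fix the script only reports
Import-Module ActiveDirectory

# SDProp stamps adminCount=1 on the protected groups as well as on their
# members, so the same filter enumerates the groups themselves.
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

# Users who are currently (transitively) members of at least one protected group.
$currentlyProtected = @{}
foreach ($group in $protectedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $currentlyProtected[$_.distinguishedName] = $true }
}

# Orphans: still stamped adminCount=1 but no longer in any protected group.
# krbtgt is protected directly by AdminSDHolder rather than via a group, so skip it.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and
                   -not $currentlyProtected.ContainsKey($_.DistinguishedName) }

foreach ($user in $orphans) {
    Write-Host "Orphaned adminCount=1 on $($user.SamAccountName) ($($user.DistinguishedName))"
    if (-not $Fix) { continue }

    # Clear the flag, then let the object inherit ACEs from its OU again.
    Set-ADUser -Identity $user -Clear adminCount
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # First argument $false = stop blocking inheritance; the second argument is
    # only consulted when protection is turned on, so it has no effect here.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}
```

Re-enabling inheritance does not remove the explicit ACEs that SDProp copied from AdminSDHolder; they remain on the object alongside the inherited ones, so review the ACL afterwards if the delegation on that OU is meant to be the only source of rights. Run without -Fix first and check the list against your admin inventory: an account that is in this list and should still be privileged points at a group membership that was removed without anyone noticing.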

Move users to OU based on description

Trying to keep up with job changes and ensuring user accounts are in the correct OU in AD can be problematic. In the environment I work in, each team has its own OU (I'm not sure why it is like this; I suspect it's a case of 'that's the way we've always done it'). Anyway …
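One way to do what the entry above describes, as an added example that is not the post's own script: map the value of the description attribute to a team OU and move any account whose parent container does not match. The team names, OU paths and search base are assumptions; the move runs with -WhatIf so it reports rather than moves until that switch is removed.

```powershell
# Added example, not the post's own script. The description strings, OU paths
# and search base are assumptions; adjust the map to your own teams.
Import-Module ActiveDirectory

# Description value -> OU the team's accounts belong in. Hashtable lookups in
# PowerShell are case-insensitive, so 'finance' and 'Finance' both resolve.
$ouByDescription = @{
    'Finance'      = 'OU=Finance,OU=Users,DC=corp,DC=example,DC=com'
    'Service Desk' = 'OU=Service Desk,OU=Users,DC=corp,DC=example,DC=com'
    'Engineering'  = 'OU=Engineering,OU=Users,DC=corp,DC=example,DC=com'
}
$searchBase = 'OU=Users,DC=corp,DC=example,DC=com'

# Only accounts with a description set are candidates; everything else is left alone.
Get-ADUser -Filter 'description -like "*"' -SearchBase $searchBase -Properties description |
    ForEach-Object {
        $target = $ouByDescription[$_.description.Trim()]
        if (-not $target) {
            Write-Verbose "No OU mapping for '$($_.description)' on $($_.SamAccountName); skipping"
            return
        }
        # Parent container is the DN after the first unescaped comma
        # (CN=Smith\, John,OU=... must not be split on the escaped one).
        $currentOu = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
        if ($currentOu -ieq $target) { return }   # already in the right place
        Write-Host "Moving $($_.SamAccountName): $currentOu -> $target"
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $target -WhatIf   # drop -WhatIf to apply
    }
```

Because the description attribute is free text, anyone with write access to it (a service desk delegation, for example) can steer an account into whichever OU the map names. Only point the map at OUs whose delegated rights are no broader than those of the people who can edit descriptions, and keep privileged OUs out of it entirely.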