Exploring the Global Catalog and examining the “universalness” of Universal Groups

Universal groups (UG) are stored in the Global Catalog (GC). But what exactly is the Global Catalog, and how does it store objects? Does it store anything at all? And how do Universal Groups work anyway? Active Directory Domain Controllers (DC) have exactly one database. It is stored in %windir%\NTDS and is called NTDS.DIT. DIT …

Some nice one-liners

Restart the computer you are logged on to immediately, forcing all applications to close: shutdown.exe /r /t 0 /f
The same for a remote computer: shutdown.exe /r /t 0 /f /m \\<computer>
Add someone to the local Administrators group: net localgroup Administrators /add <user or group>
Enable Remote Desktop on a remote system: reg add …

Some Active Directory Migration Tool (ADMT) Notes

The good old Active Directory Migration Tool (ADMT) has reached version 3.2, making it compatible with Windows 7/Server 2008 R2 and x64. ADMT started its Microsoft life as licensed software from One point. I’ve been using this baby since version 2.0. It offers what you need to perform intra or inter-forest Active Directory migrations/restructures, but …

Some SID Filtering Notes

SID Filtering is also known as Quarantine, Domain Quarantine, or SID Filtering Quarantine. SID Filtering only applies to trusts; it cannot be enabled within a domain. SID Filtering, by default, is not active on automatically created trusts within a forest. You can enable it, but not if the forest functional level is below Windows Server …

AdminSDHolder, Protected Groups, SDProp and moving mailboxes in Exchange

When you move a mailbox in Exchange 2000 or newer, you sometimes encounter an error saying that you have insufficient permissions to move the mailbox. Although that may be the case, usually this error is caused by the user object associated with the mailbox you are trying to move not having inheritable permissions enabled in …

“A certificate could not be found that can be used with this Extensible Authentication Protocol” error in IAS

After issuing a new certificate for a Windows Server 2003 running IAS, this error presented itself in the IAS console when trying to configure EAP with the new certificate: “A certificate could not be found that can be used with this Extensible Authentication Protocol.” This was accompanied by these two events in the System Log: …

An overview of groups used by Active Directory Certificate Services

This is a quick list of the groups associated with Active Directory Certificate Services.
CERTSVC_DCOM_ACCESS
Purpose: Grant DCOM access to Certificate Authority.
Default description: This group has no default description.
Group type: Local/Domain Local Security group.
Default members: Everyone/Domain Users and Domain Computers.
This group is created when Windows Server 2003 Service Pack 1 is …

Error when trying to reset a password when Fine Grained Password Policies (FGPP) are in effect

I had created a Fine Grained Password Policy (FGPP) which, among other things, turned off the requirement for complex passwords. I had applied this policy to users through a group. When I tried to reset the password of one of the users to which this FGPP applied, Active Directory Users and Computers would give me …

Customizing Office 2010 Setup with OCT: Adding/Removing files

The Office 2010 Office Customization Tool (OCT) can add and remove files to/from a computer that is installing Office. These are the steps in the OCT where you can add and remove files: Notice the text in the Add files step: “Specify files to add to the user’s computer during installation.” When you exit this …