An overview of groups used by Active Directory Certificate Services

This is a quick list of the groups associated with Active Directory Certificate Services. CERTSVC_DCOM_ACCESS Purpose: Grant DCOM access to Certificate Authority. Default description: This group has no default description. Group type: Local/Domain Local Security group. Default members: Everyone/Domain Users and Domain Computers. This group is created when Windows Server 2003 Service Pack 1 is …

Error when trying to reset a password when Fine Grained Password Policies (FGPP) are in effect

I had created a Fine Grained Password Policy (FGPP) which, among other things, turned off the requirement for complex passwords. I had applied this policy to users through a group. When I tried to reset the password of one of the users for which this FGPP applied, Active Directory Users and Computers would give me …

Computer naming schemes

I often get asked what I recommend for server/client naming schemes. Although there is no definitive answer (this always depends on your organization and what your specific requirements are), here are some pointers: Things you would often want to include in the name of a machine: Your organization name or an abbreviation of it: <org> …

Viewing the contents of Group Policy Registry.pol files

While investigating some EFS settings I needed to look at the raw data in Group Policy settings files, usually called Registry.pol and located in the SYSVOL share for each GPO. First I tried to load it as any other hive in Registry Editor, but that did not work, indicating that .pol files do not use …

Group Policy WMI filters

WMI filters are useful to further filter Group Policy Objects (GPOs), beyond what is possible/convenient with groups. Distinguish between x86 and x64 computers: x86 Select AddressWidth from Win32_Processor where (AddressWidth="32") x64 Select AddressWidth from Win32_Processor where (AddressWidth="64") Determine Windows version: Use this filter to determine the Windows version and role: select * from Win32_OperatingSystem where …

Microsoft Security Essentials, Sysprep and Group Policy

In smaller deployments Microsoft Security Essentials (MSE) is a good, free alternative for anti-malware. If you decide to use MSE in your images, you will discover that sysprep resets the Out Of Box Experience (OOBE) settings for MSE. In other words, every user that logs on to a machine deployed from your image will see …

Some notes on the Windows Server 2008 R2 Active Directory Recycle Bin Feature

The Enable-ADOptionalFeature cmdlet must be run on the Schema Master DC (if not, you will get "A referral was returned from the server"). The only valid value for the Scope parameter is ForestOrConfigurationSet; Domain is not valid (if you try, you will get "The specified method is not supported"). The Forest Functional Level must be …

Configuring a Windows Domain Controller to synchronize its clock with an external time source

Kerberos authentication requires correct time on all clients participating in authentication. If the clocks on two machines trying to authenticate to each other are too far apart, Kerberos authentication will fail. Since Kerberos is used extensively in Windows, a mechanism to ensure correct clocks throughout the forest was also implemented. This is the Windows Time …

Some thoughts on Active Directory OU structure design

Over the years I have been involved in quite a few Active Directory deployments and restructures. On these projects much time is always spent, or should be spent, on designing the OU structure. The main thing about OU structure design is to keep things simple. Some organizations like to take the organizational charts and copy …

What does the Protect object from accidental deletion setting in Windows Server 2008 Active Directory actually do?

Windows Server 2008 Active Directory introduced a setting called Protect object from accidental deletion on all directory objects. This was implemented to avoid accidentally deleting objects from the directory. OUs have this setting set by default. But what does it actually do? When this setting is set, a Deny access control entry (ACE) is added …