SID Filtering is also known as Quarantine, Domain Quarantine, or SID Filtering Quarantine. SID Filtering only applies to trusts; it cannot be enabled within a domain. SID Filtering, by default, is not active on automatically created trusts within a forest. You can enable it, but not if the forest functional level is below Windows Server …
Tag Archives: Active Directory
AdminSDHolder, Protected Groups, SDProp and moving mailboxes in Exchange
When you move a mailbox in Exchange 2000 or newer, you sometimes encounter an error saying that you have insufficient permissions to move the mailbox. Although that may be the case, usually this error is caused by the user object associated with the mailbox you are trying to move not having inheritable permissions enabled in …
“A certificate could not be found that can be used with this Extensible Authentication Protocol” error in IAS
After issuing a new certificate for a Windows Server 2003 running IAS, this error presented itself in the IAS console when trying to configure EAP with the new certificate: “A certificate could not be found that can be used with this Extensible Authentication Protocol.” This was accompanied by these two events in the System Log: …
An overview of groups used by Active Directory Certificate Services
This is a quick list of the groups associated with Active Directory Certificate Services. CERTSVC_DCOM_ACCESS Purpose: Grant DCOM access to Certificate Authority. Default description: This group has no default description. Group type: Local/Domain Local Security group. Default members: Everyone/Domain Users and Domain Computers. This group is created when Windows Server 2003 Service Pack 1 is …
Error when trying to reset a password when Fine Grained Password Policies (FGPP) are in effect
I had created a Fine Grained Password Policy (FGPP) which, among other things, turned off the requirement for complex passwords. I had applied this policy to users through a group. When I tried to reset the password of one of the users for which this FGPP applied, Active Directory Users and Computers would give me …
Viewing the contents of Group Policy Registry.pol files
While investigating some EFS settings I needed to look at the raw data in Group Policy settings files, usually called Registry.pol and located in the SYSVOL share for each GPO. First I tried to load it as any other hive in Registry Editor, but that did not work, indicating that .pol files do not use …
Group Policy WMI filters
WMI filters are useful to further filter Group Policy Objects (GPOs), beyond what is possible/convenient with groups. Distinguish between x86 and x64 computers: x86: Select AddressWidth from Win32_Processor where (AddressWidth="32") x64: Select AddressWidth from Win32_Processor where (AddressWidth="64") Determine Windows version: Use this filter to determine the Windows version and role: select * from Win32_OperatingSystem where …
Configuring a Windows Domain Controller to synchronize its clock with an external time source
Kerberos authentication requires correct time on all clients participating in authentication. If the clocks on two machines trying to authenticate to each other are too far apart, Kerberos authentication will fail. Since Kerberos is used extensively in Windows, a mechanism to ensure correct clocks throughout the forest was also implemented. This is the Windows Time …
Some thoughts on Active Directory OU structure design
Over the years I have been involved in quite a few Active Directory deployments and restructures. On these projects much time is always spent, or should be spent, on designing the OU structure. The main thing about OU structure design is to keep things simple. Some organizations like to take the organizational charts and copy …
What does the Protect object from accidental deletion setting in Windows Server 2008 Active Directory actually do?
Windows Server 2008 Active Directory introduced a setting called Protect object from accidental deletion on all directory objects: This was implemented to avoid accidentally deleting objects from the directory. OUs have this setting set by default. But what does it actually do? When this setting is set a Deny access control entry (ACE) is added …