Monthly Archives: November 2015

Expire Passwords On Smart Card Only Accounts

I was browsing through the new schema updates in Windows Server TP 4 and found an interesting new attribute: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts

Sch83.ldf:

dn: CN=ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
CN: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts
attributeID: 1.2.840.113556.1.4.2344
attributeSyntax: 2.5.5.8
adminDisplayName: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts
adminDescription: This attribute controls whether the passwords on smart-card-only accounts expire in accordance with the password policy.
oMSyntax: 1
lDAPDisplayName: msDS-ExpirePasswordsOnSmartCardOnlyAccounts
isSingleValued: TRUE
systemOnly: FALSE
schemaIDGUID:: SKsXNCTfsU+AsA/LNn4l4w==
systemFlags: 16
searchFlags: 0
instanceType: 4

Well, this sounds interesting if you read the adminDescription:

This attribute controls whether the passwords on smart-card-only accounts expire in accordance with the password policy.

Not much more info when I tried to search the internet.

If we search for the attribute we can find it being used at the root of the domain naming context (DNC) corp.secid.se.

Time-based groups

This is a follow-up on an earlier post about JIT and will cover the Time-based groups part.

Expiring links is a new feature in Windows Server 2016 that makes it possible to set Time-To-Live (TTL) values on all linked attributes. In the case of Time-based groups it’s possible to set a TTL value on the member forward link.

It’s up to the domain controller to manage these links and remove them when the TTL limit is reached. This also works well with replication because the TTL end time is replicated along with the link, so the link is deleted locally on every domain controller once that time is reached.

In conjunction with this there have also been some Kerberos enhancements to really be able to take advantage of Time-based groups.
When the KDC creates tickets it restricts the Kerberos ticket lifetime to the lowest remaining time-to-live (TTL) value. If a user has 15 minutes left until the TTL on a group membership expires, the KDC will only create TGTs/TGS tickets that are good for another 15 minutes. When the tickets have expired and new ones are requested, the SIDs of the expired group memberships will no longer be in the PAC.
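As an added example (not code from the original post), the PowerShell below uses the Active Directory module on Windows Server 2016 to grant a membership with a 15-minute TTL and read the remaining TTL back from the member link; it assumes the Privileged Access Management optional feature is enabled in the forest, and the group and user names are placeholders.

```powershell
# Added example: time-limited group membership using Windows Server 2016 expiring links.
# Assumes the ActiveDirectory module and a forest with the
# 'Privileged Access Management Feature' optional feature enabled.
# Group and user names are placeholders, not values from the original post.
Import-Module ActiveDirectory

$group = 'Tier0-Admins-JIT'   # placeholder group
$user  = 'alice'              # placeholder sAMAccountName
$ttl   = New-TimeSpan -Minutes 15

# Read-only check that the forest-wide feature behind expiring links is on.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    throw 'Expiring links are not enabled in this forest; enable the PAM optional feature first.'
}

# Add the member with a TTL. The DC stores an expiry time on the member forward link,
# replicates it, and every DC removes the link locally once the TTL has elapsed.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive $ttl

# Read the link back. With -ShowMemberTimeToLive each time-limited member value is
# prefixed with the remaining seconds, e.g. "<TTL=899,CN=alice,OU=Users,DC=corp,DC=example>".
$members = (Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member
$members | ForEach-Object {
    if ($_ -match '^<TTL=(\d+),(.+)>$') {
        [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
    }
}

# In the user's own logon session: a TGT issued after this membership takes effect is
# cut to the smallest remaining TTL among the user's time-based memberships, so its
# end time should be no later than roughly now + 15 minutes.
klist tgt
```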


What’s new in admx templates for Windows 10 Version 1511

Today Microsoft released new Administrative Templates for Windows 10 Version 1511, which can be found here.

New admx files:

AppPrivacy.admx
CloudContent.admx
FeedbackNotifications.admx
WindowsStore.admx
WinMaps.admx

Updated admx files:

AVSValidationGP.admx
Biometrics.admx
ControlPanelDisplay.admx
CredentialProviders.admx
DeviceGuard.admx
ErrorReporting.admx
Explorer.admx
LanmanServer.admx
LanmanWorkstation.admx
MicrosoftEdge.admx
Passport.admx
SearchOCR.admx
SettingSync.admx
StartMenu.admx
TerminalServer.admx
VolumeEncryption.admx
W32Time.admx
Windows.admx
WindowsUpdate.admx
wlansvc.admx

A selection of interesting updates:
