I was browsing through the new schema updates in Windows Server TP 4 and found an interesting new attribute: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts
Well, this sounds interesting if you read the adminDescription:
This attribute controls whether the passwords on smart-card-only accounts expire in accordance with the password policy.
Not much more info turned up when I tried to search the internet.
If we search for the attribute we can find it being used at the root of the DNC corp.secid.se
This is a follow-up on the earlier post about JIT and will cover the Time-based groups part.
Expiring links is a new feature in Windows Server 2016 and makes it possible to set Time-To-Live (TTL) values on all linked attributes. In the case of Time-based groups it’s possible to set a TTL value on the member forward link.
It’s up to the domain controller to manage these links and remove them when the TTL limit is reached. This also works well with replication, because the TTL end time is replicated and the link is deleted locally on every domain controller.
In conjunction with this there have also been some Kerberos enhancements to really be able to take advantage of Time-based groups.
When the KDC creates tickets it restricts the Kerberos ticket lifetime to the lowest remaining time-to-live (TTL) value. If a user has 15 minutes left until the TTL on a group membership expires, the KDC will only create TGTs/TGSs that are good for another 15 minutes. When the tickets have expired and new ones are requested, the SIDs of the expired group memberships will no longer be in the PAC.
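As an added example (not code from the original post), the following PowerShell shows the administrator side of what is described above: a membership is added to a privileged group with a TTL, and the remaining TTL on each member link is read back for auditing. It assumes the Windows Server 2016 ActiveDirectory module, that the Privileged Access Management optional feature is enabled in the forest, and placeholder names for the forest, group and account.

```powershell
# Added example, not part of the original post. Assumes the Windows Server 2016
# ActiveDirectory PowerShell module. Forest, group and user names are placeholders.

# One-time, forest-wide and irreversible: this turns on expiring links / time-based groups.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example'

$group = 'Tier0-Admins'           # placeholder group
$user  = 'alice'                  # placeholder account
$ttl   = New-TimeSpan -Minutes 15

# The 'member' forward link is written with a TTL; the DC removes the link when it elapses,
# and the KDC bounds TGT/TGS lifetime to the smallest remaining TTL for the account.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive $ttl

# Audit helper: list each member link and, where present, its remaining TTL in seconds.
# With -ShowMemberTimeToLive, time-bound links are returned as "<TTL=seconds>,DN".
function Get-TimeBoundMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    $members = (Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive).member
    foreach ($m in $members) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ DN = $Matches[2]; SecondsLeft = [int]$Matches[1]; Permanent = $false }
        }
        else {
            [pscustomobject]@{ DN = $m; SecondsLeft = $null; Permanent = $true }
        }
    }
}

# Permanent links in a Tier 0 group are the ones worth alerting on once JIT is in place.
Get-TimeBoundMembers -GroupName $group | Where-Object Permanent
```

The audit function separates time-bound links from permanent ones; once a group is meant to be populated only through JIT, any permanent link is a finding, and a ticket issued to the account will never outlive the smallest SecondsLeft value.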
Today Microsoft released new Administrative Templates for Windows 10 Version 201511 which can be found here.
New admx files:
Updated admx files:
A selection of interesting updates: