Author Archives: Daniel

Who is object owner in your domain?

Object Owner, who is that in your Active Directory environment?
When delegating admin access in Active Directory there are a few things to consider, and one of them is the owner.

When an object is created, it gets an owner set in the Security Descriptor guarding that object. Which principal becomes the owner depends on who creates it.

Implementing LAPS – My way

Local Administrator Password Solution (LAPS) has been around for a while, and last year it became an officially supported tool from Microsoft (I don’t know if my tweaks are, though). There are a lot of articles about implementing LAPS, which is a no-brainer and works great.

Since there are so many articles about it, I would like to share my tweaks. Consider this article more about having fun and exploring the possibilities.

If you’re new to it and want to read more about LAPS, you can go here: Microsoft Security Advisory 3062591 and here: Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)

And a mini threat model by Jessica Payne: Local Administrator Password Solution (LAPS) Implementation Hints and Security Nerd Commentary (including mini threat model)

Here’s my view on it.

Delegate DHCP Admins in the domain

This is a simple guide to delegating DHCP Admins in the domain.
This guide is built on a Windows Server 2012 R2 environment.

If you have a lot of DHCP servers and want to delegate their administration in your domain, it’s quite easy, and a good thing to do if you don’t want to grant people Domain Admin access unnecessarily. But there are a few differences you need to know about, depending on how and where you install the DHCP Server role.

Let’s start with the most common way: installing the DHCP Server role service, which is an easy task.

Too much permissions on the domain root

This is an interesting question, and I would like to share my view of it here.

The question: What are the security implications of someone being able to modify permissions protecting the domain root object?

Let’s start with some basics:

  • All objects in AD are securable
  • Securable objects have a Security Descriptor (SD)
  • An SD contains an Owner SID, a Group SID, a DACL and a SACL (the ACLs), plus a header with control flags
  • The ACLs contain ACEs
  • An ACE contains a set of access rights and a security identifier (SID) that identifies the trustee for whom the rights are allowed, denied, or audited

This topic focuses on the Write_DAC (Modify Permissions) right. If a security principal (user, security group, computer) has Write_DAC on an object, it is allowed to modify the DACL in the Security Descriptor guarding that object, i.e. to grant itself or others any permission on it.

So what are the implications of someone having the permission to modify the SD on the domain root?

Expire Passwords On Smart Card Only Accounts

I was browsing through the new schema updates in Windows Server Technical Preview 4 and found an interesting new attribute: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts


dn: CN=ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
CN: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts
attributeID: 1.2.840.113556.1.4.2344
adminDisplayName: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts
adminDescription: This attribute controls whether the passwords on smart-card-only accounts expire in accordance with the password policy.
oMSyntax: 1
lDAPDisplayName: msDS-ExpirePasswordsOnSmartCardOnlyAccounts
isSingleValued: TRUE
systemOnly: FALSE
schemaIDGUID:: SKsXNCTfsU+AsA/LNn4l4w==
systemFlags: 16
searchFlags: 0
instanceType: 4

Well, this sounds interesting if you read the adminDescription:

This attribute controls whether the passwords on smart-card-only accounts expire in accordance with the password policy.

Not much more information turned up when I searched the internet.

If we search for the attribute, we can find it being used at the root of the domain naming context (DNC).

Time-based groups

This is a follow-up to an earlier post about JIT and covers the Time-based groups part.

Expiring links is a new feature in Windows Server 2016 that makes it possible to set Time-To-Live (TTL) values on all linked attributes. In the case of Time-based groups, it’s possible to set a TTL value on the member forward link.

It’s up to the domain controller to manage these links and remove them when the TTL limit is reached. This also works well with replication, because the TTL end time is replicated and the link is deleted locally on every domain controller.

In conjunction with this, there have also been some Kerberos enhancements so that Time-based groups can really be taken advantage of.
When the KDC creates tickets, it restricts the Kerberos ticket lifetime to the lowest remaining time-to-live (TTL) value among the user’s group memberships. If a user has 15 minutes left until the TTL on a group membership expires, the KDC will only create TGTs/TGSs that are good for another 15 minutes. When those tickets have expired and new ones are requested, the SID of the expired group membership is no longer in the PAC.
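A small model of the behaviour described above, added here as an illustration (it is not code from the post, and not how the KDC is implemented): the granted ticket lifetime is the shortest remaining membership TTL, and links whose TTL has passed drop out of the PAC. The SIDs, timestamps and the 10-hour maximum ticket lifetime are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the post): one user's group memberships.
# Map of group SID -> UTC expiry of the member link, or None for a permanent link.
# The domain part of each SID is a placeholder.
NOW = datetime(2016, 1, 1, 12, 0, tzinfo=timezone.utc)
MEMBERSHIPS = {
    "S-1-5-21-PLACEHOLDER-513": None,                         # Domain Users, permanent link
    "S-1-5-21-PLACEHOLDER-512": NOW + timedelta(minutes=15),  # Domain Admins, expiring link
    "S-1-5-21-PLACEHOLDER-1105": NOW + timedelta(hours=2),    # delegated group, expiring link
}
MAX_TICKET_LIFETIME = timedelta(hours=10)  # assumed Kerberos policy maximum ticket lifetime


def ticket_lifetime_minutes(memberships, now, max_lifetime=MAX_TICKET_LIFETIME):
    """Ticket lifetime (in minutes) the KDC grants at `now`: the shortest remaining TTL
    among memberships that have not yet expired, capped at the policy maximum."""
    remaining = [exp - now for exp in memberships.values() if exp is not None and exp > now]
    return int(min([max_lifetime] + remaining).total_seconds() // 60)


def pac_group_sids(memberships, now):
    """Group SIDs that belong in the PAC of a ticket issued at `now`:
    permanent links plus expiring links whose TTL has not been reached."""
    return sorted(sid for sid, exp in memberships.items() if exp is None or exp > now)


def lifetime_after(minutes):
    """Ticket lifetime when a ticket is requested `minutes` after NOW (sample data)."""
    return ticket_lifetime_minutes(MEMBERSHIPS, NOW + timedelta(minutes=minutes))


def pac_after(minutes):
    """PAC group SIDs for a ticket requested `minutes` after NOW (sample data)."""
    return pac_group_sids(MEMBERSHIPS, NOW + timedelta(minutes=minutes))


if __name__ == "__main__":
    for m in (0, 16, 130):
        print(f"t+{m:>3} min: lifetime={lifetime_after(m)} min, PAC={pac_after(m)}")
```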


What’s new in admx templates for Windows 10 Version 1511

Today Microsoft released new Administrative Templates for Windows 10 Version 1511, which can be found here.

New admx files:

Updated admx files:

A selection of interesting updates:


Just In Time Admin Access

When talking about security in Active Directory, a big challenge is delegation and how to protect the admin accounts and groups. Microsoft has released two whitepapers on this subject.

  • Best Practices for Delegating Active Directory Administration
  • Best Practices for Securing Active Directory

The delegation whitepaper highlights the security model in Active Directory, which is important to understand and keep in mind to get the best out of it. It’s not an easy task to manage, and it has many dependencies on administrative users and systems that you need to keep in mind when setting this up.

This goes hand in hand with securing your Active Directory environment, since you have very highly privileged accounts, and if the wrong people get hold of them, they can do great damage to the whole company.

DC userAccountControl 0x81000

I got a question from a friend about a weird problem when trying to promote a Windows Server 2012 R2 domain controller.

The error occurs in the prerequisite test before promotion:

Verification of outbound replication failed. Error reading the NTDS settings on replication source domain controller 2k3dc.secid.local. Domain Controller data not found for the specified Active Directory domain controller.