Author Archives: Daniel

IdFix

This is a great tool that was released a couple of months ago. It could be a good idea to run IdFix at the start of a project so that possible problems are found and eliminated as early as possible.

http://www.microsoft.com/en-us/download/details.aspx?id=36832

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Office 365. IdFix is intended for the Active Directory administrators responsible for DirSync with the Office 365 service.

AD Remote Management

Got a question a couple of days ago about how to install the Active Directory PowerShell module on a machine that doesn’t have the AD DS role. That’s pretty basic, but in some cases there are better options, so I decided to write a post.

I will start with a short walkthrough of installing RSAT and then go into PowerShell Remoting. Continue reading
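The two options the post is about, as an added example that is not the post's own walkthrough: use the local ActiveDirectory module when the RSAT tools are installed, otherwise proxy the cmdlets from a remote machine with implicit remoting. The host name dc01.corp.example is an assumption, and the code assumes PowerShell remoting is enabled on it and that you are allowed to connect.

```powershell
# Added example, not from the original post.
# Assumption (hypothetical): dc01.corp.example has the AD module and remoting enabled.

function Get-ADModuleOrSession {
    param(
        [Parameter(Mandatory)] [string] $RemoteHost,
        [string] $Prefix = 'Remote'
    )

    # Option 1: the RSAT AD tools are installed locally, so just load the module.
    # (On Windows 10 1809 and later the tools are a capability:
    #  Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0')
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        Write-Verbose 'Using the local ActiveDirectory module.'
        return $null
    }

    # Option 2: implicit remoting. The module is imported over a PSSession and every
    # cmdlet becomes a proxy that runs on $RemoteHost; only deserialized objects come back.
    $session = New-PSSession -ComputerName $RemoteHost
    Import-Module -Name ActiveDirectory -PSSession $session -Prefix $Prefix
    Write-Verbose "ActiveDirectory cmdlets proxied from $RemoteHost with prefix '$Prefix'."
    return $session
}

# With -Prefix 'Remote' the proxied cmdlet is named Get-RemoteADUser, so it never
# collides with a locally installed module later on.
$s = Get-ADModuleOrSession -RemoteHost 'dc01.corp.example' -Verbose
if ($s) {
    Get-RemoteADUser -Filter 'adminCount -eq 1' -Properties adminCount |
        Select-Object SamAccountName, adminCount
    Remove-PSSession $s
}
```

Point the session at a management server rather than a domain controller where you can: every proxied cmdlet runs with your credentials on the remote host, and "Allow log on through Remote Desktop/WinRM" on a DC is a right you do not want to hand out just to run Get-ADUser.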

AdminSDHolder – pitfalls and misunderstandings

By default, a set of high-privileged accounts and groups is created when you create your domain. They are often called protected groups/users.

From the beginning, in Windows 2000 Server, there were four protected groups:

Administrators
Domain Admins
Enterprise Admins
Schema Admins

In Windows 2000 SP4 and Windows Server 2003 a number of groups and two user accounts were added:

Administrator
Krbtgt
Backup Operators
Cert Publishers (removed in Windows 2003 Server SP1)
Domain Controllers
Print Operators
Replicator
Server Operators
Account Operators

And in Windows Server 2008 they added:

Read-Only Domain Controllers

And one last thing: a hotfix for Windows 2000/2003 Server made it possible to exclude a few of the operator groups from protection:

Account Operators
Server Operators
Print Operators
Backup Operators

This is done with the dSHeuristics attribute on the Directory Service object in the configuration partition: its 16th character is a bitmask of the groups to exclude (1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators).

http://support.microsoft.com/?id=817433

So, what is so special about protected groups, apart from the fact that they have high privileges and most of them should almost never be used?

Those who have a delegated Organizational Unit structure may have noticed that every hour the delegated rights disappear for some of the admins, which creates a headache. That is SDProp: it runs on the PDC emulator every 60 minutes, copies the ACL of the AdminSDHolder object onto the protected groups and their (nested) members, disables inheritance on them and stamps them with adminCount=1. This is what this post is all about: the AdminSDHolder, SDProp and adminCount misunderstandings.

Continue reading
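The check a practitioner wants after reading the above, as an added example that is not from the post: decode which operator groups dSHeuristics currently excludes, then list accounts still stamped with adminCount=1 that are no longer members of any protected group (SDProp never cleans up after a removal, so they keep the copied ACL and blocked inheritance forever), and optionally repair them. It assumes the ActiveDirectory module, English group names and an account that may modify the objects.

```powershell
# Added example, not from the original post.
# Assumptions: ActiveDirectory module loaded, English default group names, rights to edit objects.
Import-Module ActiveDirectory

# Protected groups as listed in the post (Windows Server 2008 and later).
$ProtectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'
)

function Get-AdminSDExclusions {
    # KB817433: character 16 of dSHeuristics is a bitmask of operator groups SDProp must skip
    # (1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators).
    $dsPath = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
    $heur   = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
    if (-not $heur -or $heur.Length -lt 16) { return @() }
    $mask = [Convert]::ToInt32($heur.Substring(15, 1), 16)
    $map  = @{ 1 = 'Account Operators'; 2 = 'Server Operators'; 4 = 'Print Operators'; 8 = 'Backup Operators' }
    $map.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $map[$_] }
}

function Get-OrphanedAdminCount {
    [CmdletBinding()]
    param([switch] $Repair)

    $excluded       = Get-AdminSDExclusions
    $stillProtected = $ProtectedGroups | Where-Object { $_ -notin $excluded }

    # Every DN that is (transitively) a member of a group SDProp still protects.
    $protectedMembers = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($g in $stillProtected) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object { [void]$protectedMembers.Add($_.DistinguishedName) }
        } catch { Write-Warning "Group '$g' not found: $_" }
    }

    # Everything SDProp has ever stamped (computers are objectClass=user, so DCs match too).
    $stamped = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
                            -Properties adminCount, sAMAccountName

    foreach ($obj in $stamped) {
        # Administrator and krbtgt are protected as accounts, not through a group.
        if ($obj.sAMAccountName -in 'Administrator', 'krbtgt') { continue }
        if ($protectedMembers.Contains($obj.DistinguishedName)) { continue }
        if ($obj.ObjectClass -eq 'group' -and $obj.Name -in $stillProtected) { continue }

        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        [pscustomobject]@{
            Name                = $obj.sAMAccountName
            DistinguishedName   = $obj.DistinguishedName
            InheritanceDisabled = $acl.AreAccessRulesProtected
        }

        if ($Repair) {
            # Clear the stamp and let the OU delegation flow down again.
            Set-ADObject -Identity $obj.DistinguishedName -Clear adminCount
            $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep existing ACEs
            Set-Acl -Path "AD:\$($obj.DistinguishedName)" -AclObject $acl
        }
    }
}

Get-OrphanedAdminCount            # report only
# Get-OrphanedAdminCount -Repair  # also clears adminCount and re-enables inheritance
```

Run the report first and check that no listed account is still protected through a trusted domain or a foreign security principal before repairing; re-enabling inheritance on an account that is in fact still in a protected group is pointless anyway, since SDProp will block it again within the hour.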

Fileservers and UAC

This is an old one but still I see it everywhere on fileservers.

When you’re about to modify an ACL on a folder or share do you recognize this picture:

(image: aclrights)

On Windows Vista/Server 2008 and later you probably also recognize this picture:

(image: donthavepermissions)

-Well of course I want access permanently, I’m one of the file share admins.

Click Continue!

Well, that is one of the reasons why your Security tab is bloated: Continue adds an explicit ACE for your own user account on that folder, and over time the list grows and fills up with unknown accounts, the unresolvable SIDs of admins who have since left.

Let’s break this down…

Continue reading
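To see how much of that bloat a share has collected, here is an added example (not from the post) that walks a folder tree and reports every non-inherited ACE that is granted to an individual user account or to a SID Windows can no longer resolve; explicit ACEs for groups are left alone because that is how delegation is supposed to look. It assumes the ActiveDirectory module, a single-domain forest, and the hypothetical share path \\fs01\Projects.

```powershell
# Added example, not from the original post.
# Assumptions: ActiveDirectory module, objects live in the current domain, path is hypothetical.
Import-Module ActiveDirectory

function Resolve-IdentityKind([string] $Identity) {
    # An orphaned ACE shows up as a raw "S-1-5-21-..." because the account is gone.
    if ($Identity -match '^S-1-') { return 'unresolved' }
    if ($Identity -notmatch '\\') { return 'builtin' }          # e.g. "Everyone"
    $domain, $name = $Identity -split '\\', 2
    if ($domain -in 'BUILTIN', 'NT AUTHORITY', 'NT SERVICE', $env:COMPUTERNAME) { return 'builtin' }
    try {
        $sid = ([System.Security.Principal.NTAccount]$Identity).
                   Translate([System.Security.Principal.SecurityIdentifier]).Value
        # Current domain only; query a global catalog (port 3268) for trusted domains.
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction Stop
        if (-not $obj) { return 'unknown' }
        if ($obj.ObjectClass -eq 'user') { return 'user' }
        return 'group'
    } catch {
        return 'unresolved'
    }
}

function Get-AceBloat {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Depth = 5
    )

    $cache   = @{}   # identity string -> kind, so each account is looked up once
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            $id = $ace.IdentityReference.Value
            if (-not $cache.ContainsKey($id)) { $cache[$id] = Resolve-IdentityKind $id }

            # Explicit ACEs for groups are normal delegation; users and dead SIDs are the bloat.
            if ($cache[$id] -in 'user', 'unresolved') {
                [pscustomobject]@{
                    Folder   = $folder.FullName
                    Identity = $id
                    Kind     = $cache[$id]
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                }
            }
        }
    }
}

Get-AceBloat -Path '\\fs01\Projects' | Format-Table -AutoSize
```

The fix for the habit itself is not to click Continue at all: take ownership or grant the file-admin group explicitly, or read the ACL from an elevated prompt with icacls or Get-Acl, which does not need to touch the DACL in the first place.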

ACL, DACL, SACL and the ACE

In this post I will try to describe what an ACL and all its components are and how they are used.

In Windows you can delegate access to different kinds of securable objects. A securable object has a security descriptor (SD). The SD controls access to the object: it holds the owner, the primary group, the DACL (the ACEs that allow or deny access, i.e. the actual permissions) and the SACL (the ACEs that say which access attempts are audited). In Active Directory every object has a security descriptor.

Continue reading
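The security descriptor taken apart into the parts named above, as an added example that is not from the post: owner, primary group, DACL, SACL and the SDDL string that packs them together, read from one AD object. The AdminSDHolder DN under DC=corp,DC=example is an assumption; reading the SACL requires the "Manage auditing and security log" privilege.

```powershell
# Added example, not from the original post.
# Assumptions: ActiveDirectory module; the DN below is hypothetical.
Import-Module ActiveDirectory

function Get-ADSecurityDescriptorReport {
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    # -Audit makes Get-Acl read the SACL as well (needs SeSecurityPrivilege).
    $sd = Get-Acl -Path "AD:\$DistinguishedName" -Audit

    [pscustomobject]@{
        Object        = $DistinguishedName
        Owner         = $sd.Owner
        PrimaryGroup  = $sd.Group
        DaclProtected = $sd.AreAccessRulesProtected    # $true = inheritance from the parent is blocked
        Dacl          = @($sd.Access | ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Type      = $_.AccessControlType        # Allow / Deny
                Rights    = $_.ActiveDirectoryRights    # e.g. GenericAll, WriteProperty, ExtendedRight
                ObjectAce = $_.ObjectType               # attribute/right GUID; empty GUID = whole object
                Inherited = $_.IsInherited
            }
        })
        Sacl          = @($sd.Audit | ForEach-Object {
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Flags    = $_.AuditFlags                # Success / Failure
                Rights   = $_.ActiveDirectoryRights
            }
        })
        Sddl          = $sd.Sddl
    }
}

$report = Get-ADSecurityDescriptorReport -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=corp,DC=example'
$report | Format-List Object, Owner, PrimaryGroup, DaclProtected, Sddl
# Deny ACEs and explicit (non-inherited) ACEs are the ones worth a second look.
$report.Dacl | Where-Object { $_.Type -eq 'Deny' -or -not $_.Inherited } | Format-Table -AutoSize
$report.Sacl | Format-Table -AutoSize
```

On AdminSDHolder the DACL is the template SDProp copies to every protected object, so an unexpected explicit Allow there is a finding, not a curiosity.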

Security Principal and the SID

Hello Me, and others that might stumble over this some day. This is a short description of Security Principals and their SIDs.

In Windows we work with security principals. A security principal is a user, group, computer or service that is stored as an object in Active Directory for central management, or in the computer’s local Security Account Manager (SAM) database, and is identified by its Security Identifier (SID).

Continue reading

Let’s start!

Hi!

Well, this is exciting and nerve-racking, my first blog!

I have had this in mind for a while now and thought it was time to actually start.

This blog will be about the things I love the most, Identity Management with a focus on Active Directory Services and Infrastructure. I work as an IT consultant and am going to use this blog as a notebook for myself. I will write about new and old things that I think are interesting and important to know and keep them here so I don’t forget.