Cleaning up AdminSDHolder orphans

I quite regularly come across Active Directory environments where users have been mistakenly added to groups protected by the AdminSDHolder and subsequently removed when the mistake has been realised.  This process creates “orphans” because the AdminSDHolder process doesn’t tidy up after itself.  Here’s what happens: User added to group protected by the AdminSDHolder (e.g. Account…

OU Shadow Script

Back in March 2010 when PowerShell and I were on somewhat less friendly terms, I wrote an OU shadow script to populate group membership based on the contents of an OU. Since then, PowerShell and I now at least acknowledge each other when we pass in the corridor and I have updated the script with some…

FIPS Cryptography causes slow RDP session

I’ve recently been looking at Microsoft’s Security Compliance Manager 3.0.  SCM provides a rich set of server-role-based security baselines for deployment using either GPO or SCCM.  This latest version includes baselines for Windows Server 2012.  After deploying the “WS2012 Domain Controller Security Compliance 1.0” baseline settings via GPO into my lab environment I found RDP sessions to…

Need some generic attributes?

Quite often I see customers that need to use generic attributes to populate user, group or contact objects with certain values that do not appear in the default AD schema.  Most of these customers have Microsoft Exchange and tend to use the extension attributes that are delivered as part of the Exchange AD schema extensions. …

Running other things on Domain Controllers

I often see my customers running things other than Active Directory Domain Services (ADDS) on Domain Controllers.  These can range from the relatively innocuous (KMS) to the downright ludicrous (Exchange).  Until now, I haven’t been able to point to anything official from Microsoft to state that this is not a good idea.  Anyway, fellow Directory Services MVP…

Still using NTDSUTIL to perform metadata cleanup?

Something I’ve noticed in the on-line forums is that people are still advising others to use NTDSUTIL to perform a metadata cleanup to remove references to Domain Controllers that have been removed from AD without using DCPROMO (e.g. following a DC failure where demotion was not possible).  Since Windows Server 2008 it has been possible…

The Net Accounts Command

You probably know this, but for some reason I only found out about it when someone showed it to me the other day.  Anyway, in the interests of sharing… A really quick way to find the domain password and account lockout policy is to run the following from a CMD prompt: net accounts The output…