Active Directory: Simple measures for more security (Part 1)

To increase security within the Active Directory, small organizational measures in conjunction with free tools are usually sufficient. Many widespread attack vectors can at least be significantly curbed with a few small changes and fairly simple measures. The word "attacker" often appears in the following article, but "attacker" does not necessarily mean a ...

Tip: ADACLScanner helps to audit the Active Directory

Especially in larger and above all older Active Directory environments, a large number of authorizations and delegations accumulate over time. These often include authorizations with orphaned SIDs, for example if the user has already been deleted but the ACL still exists. Many people are familiar with these orphaned SIDs from file servers and their authorization structure. In order to ...

Active Directory and Exchange Server vulnerable via EWS API

There is currently a security vulnerability in all Exchange Server versions, which makes it possible to obtain domain administrator authorizations via EWS or, for example, to redirect emails. What makes this vulnerability particularly critical is that it can be exploited remotely. The attacker only needs to have access to a mailbox on the Exchange Server. Since the EWS API and often also ...

QuickTip: Problem mounting Exchange 2016 databases after creation

When creating new databases in an Exchange 2016 organization, I encountered the following problem. The databases could be created within EAC and Shell without any problems. However, after the databases were created, they could not be mounted and remained in the status "unmounted". Unfortunately, at first glance the error message in EAC ...

Migration Domain Controller to Server 2016

I have now received several emails regarding the migration of domain controllers that are still running an older operating system. Most of the emails are about retaining the IP address of the original domain controller. The environments described in the e-mails were all similar, only the operating system on which the original domain controller was running ...

UTM Email Protection: Recipient verification with Active Directory

In my private environment with a Sophos UTM 9.508-10, I have always had the problem that the recipient verification of Email Protection via Active Directory did not work. In the live log of Email Protection, the following warning was always displayed: Warning: ACL "warn" statement skipped: condition test deferred: failed to bind the LDAP connection ...

Quick & Dirty: Copy Active Directory groups from user to user

I have created a small GUI that copies Active Directory groups from one user to another user. With the script you can quickly transfer all groups of a user to another user account: The GUI is only very rudimentary, you can select a source user account and a target user account, a click on "Copy groups from source to target ...

Privileged Access Management Feature: Time-limited group membership

With Windows Server 2016, a new Privileged Access Management feature was introduced, which allows users to be added to a group for a certain period of time only and automatically removed again after this time has expired. This feature is useful if a user is only to be given administrative rights (e.g. Domain Admin) for a certain period of time. A ...