Active Directory: Re-use of the account was blocked by a security policy

In an Active Directory domain, no new computers could be joined to the domain. The error message when joining the client was as follows: In this domain, an identity manager pre-staged the computer account in Active Directory before the computer was joined, rather than creating it only at join time ...

Windows Server 2025: New Active Directory features

Windows Server 2025 offers new features for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) for the first time in a long while. With the new features, Active Directory scales better even in very large environments and brings additional improvements for security and stability. Optional feature for a 32k database page size: Since the introduction of Active Directory ...

Group Managed Service Accounts (gMSA) for tasks and services

Service accounts used to start Windows services or scheduled tasks are often configured with the "password never expires" attribute and then used for years. Such service accounts are also frequently repurposed and used on many servers for a wide variety of tasks. Service accounts with far-reaching permissions and passwords that never expire then make it easier for ...

Delegate Active Directory admin permissions

Some readers of this blog have requested an article on delegating admin permissions. Most requests revolve around the fact that certain administrative tasks, such as creating user accounts or resetting passwords, should be delegated to specific users. Of course, these users should not have Domain Admin permissions, but only the permissions required for their tasks.

Changing the IP address and host name of a domain controller

Sometimes it may be necessary to change the IP address and host name of a domain controller after the fact, for example when a new domain controller replaces an old one and is to be reachable under the same IP address and name. Changing the IP address of a domain controller is normally possible without any problems; changing the host name of a domain controller ...

Script: Replace users with local admin rights by groups

Users are often added directly to the local "Administrators" group on servers or PCs to give them admin rights on the corresponding computers. Although this is the easiest way to configure admin rights for a user account, it is unfortunately easy to lose track of who has them. Here is an example of the members of the local Administrators group of a server: The users ...

Simple measures for more security in AD (Part 3): LAPS

This third part of the article series "Simple measures for more security in AD" deals with the passwords of local administrator accounts. In many environments, the local administrator password is the same on every computer, which opens the door to malware and enables lateral movement, or at least makes it easier. Different passwords for the ...

Simple measures for more security in AD (Part 3): Admin Tiers

I have already described the basic functionality of Admin Tiers in Part 1 of this article series; this article now focuses on setting up Admin Tiers in an existing environment. It makes sense to have at least one Admin Host installed beforehand. By and large, this article is first of all about ...

Simple measures for more security in AD (Part 2): Admin Host

Part 1 of this article series presented measures to improve the security of Active Directory. The next articles are dedicated to implementing these measures within an existing Active Directory using an example environment. This article deals first with the Admin Host. Introduction: The fictitious company "FrankysWebLab" serves as the example here.