Explore information related to Active Directory


Updating Group Policy Settings on Windows Domain Computers - How to do it?


This article covers how to update Group Policy Settings on Windows Domain Computers. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO).


To force a Group Policy update on every computer in an organizational unit (OU) from the Group Policy Management Console (GPMC):

1. Right-click the OU and click Group Policy Update.

2. Click Yes in the Force Group Policy update dialog box. This is the equivalent of running gpupdate.exe /force on each computer in the OU. GPMC does it by creating a remote scheduled task on every computer, so inbound RPC and the "Remote Scheduled Tasks Management" firewall rules must be allowed on the clients; computers it cannot reach are listed as failed in the results pane.
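The same refresh can be driven from PowerShell with the GroupPolicy module's Invoke-GPUpdate cmdlet, which is what the GPMC menu item calls. The script below is an added example, not code from the article; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and the OU distinguished name is a placeholder for your own.

```powershell
# Added example: force a Group Policy refresh on every enabled computer in an OU.
# Assumes RSAT GroupPolicy + ActiveDirectory modules; the OU below is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU, replace with yours

$computers = Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty Name

$results = foreach ($name in $computers) {
    try {
        # -Force re-applies every setting even when the GPO version is unchanged,
        # exactly what the GPMC "Force Group Policy update" dialog does.
        # -RandomDelayInMinutes 0 drops the default jitter on the remote scheduled task.
        Invoke-GPUpdate -Computer $name -Target Both -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [PSCustomObject]@{ Computer = $name; Scheduled = $true;  Error = $null }
    }
    catch {
        # Typical causes: host offline, or RPC / Remote Scheduled Tasks Management blocked by the firewall.
        [PSCustomObject]@{ Computer = $name; Scheduled = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Confirm on one machine that the new settings actually applied (RSoP, computer scope).
# Get-GPResultantSetOfPolicy -Computer $computers[0] -ReportType Html -Path C:\temp\rsop.html
```

Invoke-GPUpdate only schedules the refresh; a computer that reports "scheduled" can still fail to apply a GPO, so the RSoP report (or gpresult /r on the client) is the real check.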

Read More



Securing RDP Connections with Trusted SSL/TLS Certificates


This article covers how to secure RDP connections with trusted SSL/TLS certificates, so that clients no longer see the "identity of the remote computer cannot be verified" warning that the default self-signed certificate causes.


To Check What Certificate RDP Is Using

You can check the thumbprint of the certificate the RDP listener is using. Windows Key+R > regedit {Enter} > navigate to:

HKEY_LOCAL_MACHINE
> SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations

Under WinStations you will find the TemplateCertificate value, and under the RDP-Tcp subkey the SSLCertificateSHA1Hash value, which holds the SHA-1 thumbprint of the certificate bound to the listener (the same value is exposed by the Win32_TSGeneralSetting WMI class).

Compare it with the actual certificate: Windows Key+R > mmc {Enter} > File > Add/Remove Snap-in > Certificates > Computer account > Local Computer > Certificates > Personal > Certificates. Locate the certificate you think RDP is using and compare its thumbprint with the registry value. If nothing in Personal matches, the listener is still using the self-signed certificate from the Remote Desktop store, which is the one clients refuse to trust.
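The registry and MMC comparison above can be done in one pass from an elevated PowerShell session, which also checks that the certificate is actually usable for RDP (private key present, Server Authentication EKU, trusted chain, name matches the host). This is an added example rather than code from the article; it assumes the default listener name RDP-Tcp and that it runs on the RDP host.

```powershell
# Added example: read the thumbprint bound to the RDP listener, find the certificate,
# and validate it. Assumes the default listener name RDP-Tcp and an elevated session.
$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$thumb = $listener.SSLCertificateSHA1Hash
Write-Output "RDP listener thumbprint: $thumb"

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if (-not $cert) {
    # Nothing in Personal: the listener is on the auto-generated self-signed certificate.
    $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' | Where-Object Thumbprint -eq $thumb
    Write-Warning 'Listener uses the self-signed Remote Desktop certificate; clients will not trust it.'
}

# Checks a practitioner wants before relying on this certificate for RDP.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

[PSCustomObject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEKU = ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    ChainTrusted  = $cert.Verify()                 # chain builds against the local trust store
    NameMatches   = ($cert.DnsNameList.Unicode -contains $fqdn)
} | Format-List

# To bind a different certificate from LocalMachine\My (thumbprint is a placeholder):
# $new = '0123456789ABCDEF0123456789ABCDEF01234567'
# Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $new }
```

After binding a new certificate, make sure NETWORK SERVICE has read access to its private key (certlm.msc > All Tasks > Manage Private Keys), otherwise the listener silently falls back to the self-signed certificate.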

Read More



Time Based Temporary Group Membership in Active Directory on Windows


Windows Server 2016 introduced Temporary (time-based) Group Membership, a feature that lets you add a user to an AD security group for a limited time, after which the membership is removed automatically. To use it, you need to enable the Privileged Access Management (PAM) optional feature in your Active Directory forest, which requires the Windows Server 2016 forest functional level. As with the AD Recycle Bin (which allows you to recover deleted objects), you cannot disable PAM after it has been enabled.

Read More



Use gMSA in Active Directory to launch services and tasks


This article covers how to use a gMSA in Active Directory. When a gMSA is used as a service principal, the Windows operating system manages the account's password (a 240-byte random value rotated every 30 days by default) instead of relying on an administrator to manage it. Group Managed Service Accounts (gMSAs) are a higher-security option for non-interactive applications, services, processes and scheduled tasks that run automatically but need a domain credential.


The Install-ADServiceAccount cmdlet installs an existing Active Directory managed service account on the computer on which the cmdlet is run. The cmdlet also makes the required changes locally so that the managed service account password can be managed without requiring any user action.
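The full sequence from forest preparation to a host being able to use the account is shown below as an added example (not the article's code). It assumes the ActiveDirectory RSAT module on a domain-joined admin host; account, group, OU and host names are placeholders.

```powershell
# Added example: end-to-end gMSA setup. Names, OU and hosts are placeholders.
Import-Module ActiveDirectory

# 1. Once per forest: the KDS root key from which DCs derive gMSA passwords.
#    Production: plain Add-KdsRootKey (usable after the 10-hour replication window).
#    The back-dated EffectiveTime is only acceptable in a single-DC lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. The hosts allowed to retrieve the password. This group is the trust boundary:
#    whoever controls a member can read msDS-ManagedPassword and become the gMSA.
New-ADGroup -Name 'gMSA-SvcBackup-Hosts' -GroupScope Global -Path 'OU=Service Groups,DC=contoso,DC=com'
Add-ADGroupMember -Identity 'gMSA-SvcBackup-Hosts' -Members 'APP01$', 'APP02$'

# 3. The account. DNSHostName is mandatory; AES-only keeps it off RC4 Kerberos;
#    the rotation interval can only be set at creation time.
New-ADServiceAccount -Name 'svc-backup' -DNSHostName 'svc-backup.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-SvcBackup-Hosts' `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# 4. On APP01, after a reboot so its token includes the new group membership:
#    Install-ADServiceAccount -Identity 'svc-backup'
#    Test-ADServiceAccount  -Identity 'svc-backup'   # True = host can fetch the password
#
#    A scheduled task then runs as 'CONTOSO\svc-backup$' with no stored password:
#    $action    = New-ScheduledTaskAction -Execute 'C:\Scripts\backup.cmd'
#    $trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
#    $principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc-backup$' -LogonType Password
#    Register-ScheduledTask -TaskName 'NightlyBackup' -Action $action -Trigger $trigger -Principal $principal
```

Test-ADServiceAccount returning False after Install-ADServiceAccount almost always means the host has not yet obtained a token that includes the retrieval group (reboot, or wait for the computer's Kerberos ticket to renew).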

Read More



Workgroup Failover Cluster without Active Directory in Windows


This article covers how to set up a Workgroup Failover Cluster. While SQL Server Availability Groups were a viable replacement for Database Mirroring, there were a couple of blocking issues that prevented customers from upgrading, one of them being the domain requirement. In Windows Server versions prior to 2016, you could create a failover cluster only between servers in the same Active Directory domain. Windows Server 2016 allows a two- (or more) node failover cluster between servers joined to different domains, and even between workgroup servers (not AD domain joined), a so-called Workgroup Cluster. Because such a cluster has no Kerberos identity, workloads that depend on it (file server roles, Hyper-V live migration) are unsupported or not recommended; SQL Server is the main supported workload.
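The preparation that trips most people up is on the nodes, not in the cluster cmdlets: a matching local administrator account on every node, the remote UAC token filter disabled, and a primary DNS suffix. The block below is an added example (not from the article) assuming two Windows Server 2016 or later nodes that are not domain-joined; node names, suffix and IP address are placeholders.

```powershell
# Added example: two-node workgroup cluster. Run the first part on EACH node.
# Assumes both nodes have a local administrator with the same name and password.
Install-WindowsFeature Failover-Clustering -IncludeManagementTools

# Workgroup nodes authenticate each other with NTLM local accounts. Without this value
# the remote UAC token filter strips admin rights and cluster creation fails with access denied.
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name LocalAccountTokenFilterPolicy -Value 1 -PropertyType DWord -Force

# Every node needs the same primary DNS suffix so that node and cluster names resolve.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name 'NV Domain' -Value 'cluster.local'        # placeholder suffix; reboot afterwards

# --- Run once, on one node, after both have been prepared and rebooted ---
$nodes = 'NODE1', 'NODE2'                               # placeholders
Test-Cluster -Node $nodes                               # validation report; fix warnings first

# -AdministrativeAccessPoint DNS: no computer object is created in AD,
# the cluster name only gets a DNS record. This is the workgroup mode.
New-Cluster -Name 'WGCLUSTER' -Node $nodes -StaticAddress '192.168.10.50' `
    -AdministrativeAccessPoint DNS

Get-ClusterNode | Select-Object Name, State
```

Because the nodes trust each other only through that shared local account, its password is effectively the cluster's secret: rotate it on all nodes together and never reuse it elsewhere.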

Read More



Active Directory Temporary Group Membership on Windows Server 2016


This article covers how to implement Active Directory Temporary Group Membership on Windows Server 2016. Temporary Group Membership is a feature that appeared in Windows Server 2016 as part of the Privileged Access Management (PAM) functionality.


By default, PAM is not active and the first thing you need to do is turn it on. You can do this with the PowerShell cmdlet Enable-ADOptionalFeature. It is a forest-wide, irreversible change that requires the Windows Server 2016 forest functional level and Enterprise Admins membership. For example, to enable PAM in the forest contoso.com, run:

Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target "contoso.com"
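Once PAM is enabled, the time limit is set with the -MemberTimeToLive parameter of Add-ADGroupMember, and the remaining lifetime of each expiring link can be read back with Get-ADGroup -ShowMemberTimeToLive. The block below is an added example for this entry and for the Time Based Temporary Group Membership entry above; it is not the article's code, and the user and group names are placeholders.

```powershell
# Added example: time-limited membership in a privileged group and a TTL report.
# Assumes PAM is already enabled; user and group names are placeholders.
Import-Module ActiveDirectory

$group = 'Domain Admins'
$user  = 'j.werder'
$ttl   = New-TimeSpan -Minutes 30

# The membership link itself carries the expiry; AD removes it when the TTL elapses.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive $ttl

function Get-ExpiringMembers([string]$groupName) {
    # With -ShowMemberTimeToLive, expiring members are returned as "<TTL=seconds>,<DN>".
    Get-ADGroup -Identity $groupName -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [PSCustomObject]@{ Group = $groupName; SecondsLeft = [int]$Matches[1]; Member = $Matches[2] }
            }
            else {
                [PSCustomObject]@{ Group = $groupName; SecondsLeft = $null; Member = $_ }   # permanent
            }
        }
}

Get-ExpiringMembers $group | Format-Table -AutoSize
```

With PAM enabled the KDC also caps the lifetime of the user's TGT at the shortest remaining TTL among their group links, so the elevated access really ends when the TTL runs out rather than at the next logon. Permanent members are unaffected; the report shows them with an empty SecondsLeft.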

Read More



Set-ADUser: Modify Active Directory Users with PowerShell


This article covers how to use Set-ADUser to modify Active Directory users with PowerShell.

The Set-ADUser cmdlet is part of the Active Directory module for Windows PowerShell (installed with the RSAT tools or on a domain controller).


The Identity parameter specifies the Active Directory user to modify. 

You can identify a user by its distinguished name, GUID, security identifier (SID), or Security Account Manager (SAM) account name. 

You can also set the Identity parameter to an object variable such as $<localUserObject>, or you can pass an object through the pipeline to the Identity parameter.
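The three identity forms, the pipeline form and the -Replace/-Clear hashtable syntax for attributes that have no dedicated parameter are shown together below. This is an added example and not the article's code; the account names, OU and SID are placeholders, and the first change is run with -WhatIf so nothing is committed until you remove it.

```powershell
# Added example: addressing users with Set-ADUser and making security-relevant changes.
# Names, OU and SID are placeholders.
Import-Module ActiveDirectory

# sAMAccountName, distinguished name and SID all resolve to the same object.
$bySam = Get-ADUser -Identity 'j.werder'
$byDn  = Get-ADUser -Identity 'CN=J. Werder,OU=Staff,DC=contoso,DC=com'
$bySid = Get-ADUser -Identity 'S-1-5-21-1004336348-1177238915-682003330-1104'

# Dry run: -WhatIf reports the change without applying it.
Set-ADUser -Identity $bySam -Title 'Analyst' -Department 'SOC' -WhatIf

# Pipeline form: every account in the service-account OU gets AES-only Kerberos keys
# and loses the "password never expires" flag.
Get-ADUser -SearchBase 'OU=Service Accounts,DC=contoso,DC=com' -Filter * |
    Set-ADUser -KerberosEncryptionType AES128, AES256 -PasswordNeverExpires $false

# Attributes without a named parameter use -Replace / -Add / -Remove / -Clear.
Set-ADUser -Identity 'j.werder' -Replace @{ extensionAttribute1 = 'tier2' } -Clear 'pager'

# Verify what is now stored.
Get-ADUser -Identity 'j.werder' `
    -Properties Title, Department, KerberosEncryptionType, PasswordNeverExpires, extensionAttribute1 |
    Format-List Title, Department, KerberosEncryptionType, PasswordNeverExpires, extensionAttribute1
```

Changing KerberosEncryptionType only takes effect for keys derived after the next password change, so for the AES-only setting to matter the account's password must be reset afterwards.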

Read More



Domain Password Policy in the Active Directory - How to Set it up


This article covers an effective method to configure the domain password policy in Active Directory, which ensures a high level of security for user accounts.

The GPO carrying the password policy must be linked at the domain level, not at an OU: password settings in an OU-linked GPO only affect local accounts on the computers in that OU. You can have several domain-linked GPOs with password settings, but only the one with the highest link order wins and it applies to all domain users. Per-group or per-user exceptions are made with fine-grained password policies (password settings objects), not with additional GPOs.


Basic Password Policy Settings on Windows:

Let's consider all available Windows password settings. 

There are six password settings in GPO:

1. Enforce password history – determines how many previous password hashes are kept for the account, thus preventing a user from reusing a recent password.

The history only applies to changes made by the user: a domain admin, or anyone delegated password-reset permissions in AD, can reset the account to an old password.


2. Maximum password age – sets the password expiration in days (0 means it never expires). After the password expires, Windows asks the user to change it at the next logon. This ensures that users change passwords regularly.

You can find out when a specific user's password expires with PowerShell:

Get-ADUser -Identity j.werder -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object @{Name="ExpirationDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}


3. Minimum password length – it is recommended that passwords contain at least 8 characters (if you specify 0 here, no password is required); longer passphrases are preferable, and this value is the only setting here that directly raises the cost of an offline cracking attack;


4. Minimum password age – sets how soon a user may change the password again. Without it, a user could change the password several times in a row to push a favourite old password out of the history and reuse it. As a rule, set 1 day here so that users can still change a compromised password themselves (with a higher value an administrator has to reset it);


5. Password must meet complexity requirements – if the policy is enabled, the password may not contain the user's account name or more than two consecutive characters from the user's full name, and it must contain characters from at least three of these four classes: digits (0–9), uppercase letters, lowercase letters, and special characters ($, #, %, etc.). Complexity does not stop dictionary-based choices such as P@ssw0rd1, so it is recommended to audit user passwords in the AD domain regularly against a list of known-weak and breached passwords;


6. Store passwords using reversible encryption – AD normally stores only password hashes. If this setting is enabled, passwords are stored in a form that can be decrypted back to clear text, for legacy applications that need the actual password (CHAP and Digest authentication, for example). It should stay disabled: anyone who obtains the AD database (through a compromised DC or a stolen backup) then reads the passwords directly. Read-only domain controllers (RODCs), which do not cache most users' secrets, limit the exposure in branch sites but do not remove it.
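The settings above can be read back and checked in one script, together with the fine-grained policies that override them and the per-user flags that bypass them. This is an added example, not the article's code; the thresholds are illustrative (the 24-entry history and 1-day minimum age follow common Microsoft baseline guidance) and the user name is a placeholder.

```powershell
# Added example: audit the effective domain password policy and the accounts that weaken it.
# Thresholds are illustrative; 'j.werder' is a placeholder.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if (-not $p.ComplexityEnabled)        { $findings += 'Complexity is disabled' }
    if ($p.MinPasswordLength -lt 8)       { $findings += "Minimum length $($p.MinPasswordLength) is below 8" }
    if ($p.PasswordHistoryCount -lt 24)   { $findings += "History of $($p.PasswordHistoryCount) is below 24" }
    if ($p.MinPasswordAge.TotalDays -lt 1){ $findings += 'Minimum age below 1 day allows history cycling' }
    if ($p.MaxPasswordAge.TotalDays -eq 0){ $findings += 'Passwords never expire at domain level' }
    if ($p.ReversibleEncryptionEnabled)   { $findings += 'Reversible encryption is ENABLED' }
    [PSCustomObject]@{ Policy = $p; Findings = $findings }
}

function Get-PasswordExpiry([string]$sam) {
    $u   = Get-ADUser -Identity $sam -Properties msDS-UserPasswordExpiryTimeComputed
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means "never" (PasswordNeverExpires, or no maximum age).
    if (-not $raw -or $raw -eq [int64]::MaxValue) { return 'never' }
    [datetime]::FromFileTime($raw)
}

$audit = Test-DomainPasswordPolicy
$audit.Policy | Format-List ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
    MaxPasswordAge, MinPasswordAge, ReversibleEncryptionEnabled, LockoutThreshold
$audit.Findings

# Fine-grained policies take precedence over the domain policy for the principals they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo

# Per-account bypasses live in userAccountControl: 0x80 = reversible encryption allowed,
# 0x10000 = password never expires. The OID is the LDAP bitwise-AND matching rule.
$reversible = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)')
$neverExp   = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)')
Write-Output "Reversible-encryption accounts: $($reversible.Count); never-expiring: $($neverExp.Count)"

Get-PasswordExpiry 'j.werder'
```

A non-empty Findings list is the to-do; the two LDAP queries are worth running on a schedule, because those flags are set per account and are not visible in the GPO at all.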

Read More



Map Network Drives or Shared Folders with Group Policy - How to do it


This article covers how to map network drives or shared folders with Group Policy.

Mapping network drives using Group Policy preferences is flexible, provides easy control over who receives the drive mappings, and has easy-to-use user interfaces, all of which are in stark contrast with the complexities associated with scripts.


Drive mappings with Group Policy preferences, in short:

1. Group Policy preferences are a set of client-side extensions that increase the functionality of Group Policy Objects (GPOs).

2. Administrators can use them to deploy and manage settings on client computers with configurations targeted to specific users or computers.

3. The Drive Maps item (User Configuration > Preferences > Windows Settings > Drive Maps) lets an administrator create, replace, update or delete drive-letter mappings to network shares.


To Deploy item-level targeting with Group Policy preferences:

Item-level targeting (ILT) is a feature of Group Policy preferences that allows preference settings to be applied to individual users and/or computers dynamically. ILT allows an administrator to specify a list of conditions that must be met in order for a preference setting to be applied or removed to a user or computer object.

For example, you can configure a drive mapping so that only members of the Product Managers group receive it:

1. Under the Common tab of the mapped drive properties, check the Item-level targeting option, and then click Targeting….

2. In the Targeting Editor window, click New Item and select Security Group.

3. Click the … button, and type in the name of the security group.

4. Click OK to close the Targeting Editor once you're finished adding items to the list. 
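Everything the dialogs above produce is written to SYSVOL as Drives.xml under the GPO's User\Preferences\Drives folder, readable by every authenticated user. The added example below (not the article's code) parses that file and lists each mapping with its item-level targeting filter; it also flags any cpassword attribute, the stored-credential option that Microsoft removed in MS14-025 because the AES key protecting it was published, which makes any leftover value readable by every domain user. The XML is constructed to mirror the GUI output with the clsid and uid attributes omitted; server, group and SID values are placeholders.

```powershell
# Added example: parse GPP Drives.xml, report mappings + targeting, flag cpassword.
# The XML is constructed; clsid/uid attributes omitted; names and SIDs are placeholders.
[xml]$drivesXml = @'
<Drives>
  <Drive name="H:" status="H:">
    <Properties action="U" path="\\fs01\home$\%LogonUser%" label="Home" persistent="1" useLetter="1" letter="H" userName="" />
  </Drive>
  <Drive name="P:" status="P:">
    <Properties action="C" path="\\fs01\products" label="Products" persistent="1" useLetter="1" letter="P"
                userName="CONTOSO\svc-map" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" />
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\Product Managers" sid="S-1-5-21-1004336348-1177238915-682003330-1201" userContext="1" />
    </Filters>
  </Drive>
</Drives>
'@

function Get-GppDriveMap([xml]$doc) {
    foreach ($d in $doc.Drives.Drive) {
        $p = $d.Properties
        [PSCustomObject]@{
            Letter       = $p.letter
            Path         = $p.path
            Action       = $(switch ($p.action) { 'C' {'Create'} 'R' {'Replace'} 'U' {'Update'} 'D' {'Delete'} })
            TargetedTo   = (@($d.Filters.FilterGroup) | ForEach-Object { "$($_.name) [not=$($_.not)]" }) -join '; '
            RunAs        = $p.userName
            HasCpassword = [bool]$p.cpassword      # any value here is a stored, decryptable credential
        }
    }
}

Get-GppDriveMap $drivesXml | Format-Table -AutoSize

# Live audit across every GPO in the domain (requires the ActiveDirectory module):
# $dom    = (Get-ADDomain).DNSRoot
# $sysvol = "\\$dom\SYSVOL\$dom\Policies"
# Get-ChildItem $sysvol -Recurse -Filter Drives.xml | ForEach-Object {
#     $gpoGuid = ($_.FullName -split '\\')[-5]     # ...\Policies\{GUID}\User\Preferences\Drives\Drives.xml
#     Get-GppDriveMap ([xml](Get-Content -Raw $_.FullName)) |
#         Add-Member -NotePropertyName GPO -NotePropertyValue $gpoGuid -PassThru
# }
```

A mapping whose HasCpassword is True should be removed and the referenced account's password rotated; the "Connect as" fields in the Drive Maps dialog are the source of those values.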

Read More



Create Keytab File for Kerberos Authentication in Active Directory


This article covers how to create keytab files for Kerberos. Active Directory uses Kerberos version 5 as its authentication protocol to authenticate clients and servers to each other. The protocol is designed to protect authentication between server and client on an open network to which other, untrusted systems are also connected.


A Kerberos keytab file contains mappings between Kerberos principal names and their long-term keys, one entry per encryption type (AES today; DES only in legacy setups), each derived from the principal's password as registered with the Kerberos Key Distribution Center (KDC). Whoever can read the keytab can act as that principal, so it must be protected like a password file.


A keytab can be generated by running kadmin and issuing the ktadd command; note that ktadd randomizes the principal's key and bumps its key version number (kvno), invalidating any other keytab for the same principal, unless -norandkey is used. If you generate the keytab file on another host, you need to get a copy of it onto the destination host (trillium, in this example) without sending it unencrypted over the network.


To Create a Kerberos principal and keytab files for each encryption type you use:

1. Log on as the Kerberos administrator (Admin) and create a principal in the KDC.

You can use cluster-wide or host-based credentials.

The following is an example when cluster-wide credentials are used. It shows MIT Kerberos with admin/cluster1@EXAMPLE.COM as the Kerberos administrator principal:

bash-3.00$ kadmin -p admin/cluster1@EXAMPLE.COM

kadmin: add_principal vemkd/cluster1@EXAMPLE.COM

Enter password for principal "vemkd/cluster1@EXAMPLE.COM": password

Re-enter password for principal "vemkd/cluster1@EXAMPLE.COM": password

If you do not create a VEMKD principal, the default value of vemkd/clustername@Kerberos_realm is used.

2. Obtain the principal's current key version number and encryption types by running the subcommand getprinc principal_name (look at the "Key: vno" lines; getprinc never prints the key itself).

3. Create the keytab file with the ktutil command:

Add one entry per encryption type with add_entry, using the same password as in step 1 and the kvno from step 2, then write the file with wkt. For example:

ktutil
ktutil: add_entry -password -p vemkd/cluster1@EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96
Password for vemkd/cluster1@EXAMPLE.COM:
ktutil: add_entry -password -p vemkd/cluster1@EXAMPLE.COM -k 2 -e aes128-cts-hmac-sha1-96
Password for vemkd/cluster1@EXAMPLE.COM:
ktutil: wkt /etc/security/vemkd.keytab
ktutil: quit

A wrong -k value or a missing encryption type produces a keytab that looks fine in klist -kte but fails at authentication time, so verify with kinit -kt /etc/security/vemkd.keytab vemkd/cluster1@EXAMPLE.COM.
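When the KDC is an Active Directory domain controller rather than an MIT KDC, the equivalent of the kadmin/ktutil procedure is a dedicated service account plus ktpass. The block below is an added example, not the article's code; the account, SPN, OU, realm and output path are placeholders.

```powershell
# Added example: create an AD service principal and export its keytab with ktpass.
# Names, OU, realm and paths are placeholders. Run as a user who can create accounts in the OU.
Import-Module ActiveDirectory

$sam   = 'svc-web01'
$spn   = 'HTTP/web01.contoso.com'
$realm = 'CONTOSO.COM'
$ou    = 'OU=Service Accounts,DC=contoso,DC=com'

# A dedicated account: ktpass resets the password and rewrites the UPN of whatever it maps to.
$pw = Read-Host -AsSecureString 'Service account password'
New-ADUser -Name $sam -SamAccountName $sam -Path $ou -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -KerberosEncryptionType AES128, AES256 `
    -ServicePrincipalNames $spn

# One keytab entry per /crypto value. /pass * prompts for the password and RESETS it on the
# account, so the kvno written to the file matches msDS-KeyVersionNumber afterwards.
# AES256-SHA1 requires the account to allow AES (set above); RC4-HMAC-NT is the legacy fallback.
ktpass /princ "${spn}@${realm}" /mapuser "CONTOSO\$sam" /pass * `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out C:\temp\web01.keytab

# What the domain now holds for this principal.
Get-ADUser -Identity $sam -Properties msDS-KeyVersionNumber, ServicePrincipalNames, KerberosEncryptionType |
    Format-List SamAccountName, UserPrincipalName, msDS-KeyVersionNumber, ServicePrincipalNames, KerberosEncryptionType
```

Copy C:\temp\web01.keytab to the application host over SSH/SCP only, set it to mode 600 owned by the service user there, and verify it with klist -kte and kinit -kt before wiring it into the application. Every later password reset of the account invalidates the file, which is why the account is marked as never expiring and reserved for this one purpose.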

Read More



Add domain in PRTG


This article will guide you on how to add a domain in the PRTG monitoring system.

PRTG is a network monitoring system that can monitor websites, devices and services.

If you are working in a more complex environment, or want to reduce the number of authentication mechanisms on your network, PRTG includes the option to integrate with Active Directory (AD) so that AD users and groups can log on to PRTG.

Two things PRTG does on its own once devices are added:

1. PRTG additionally adds the probe device to the local probe. This is an internal system device with several sensors; it has access to the probe system and monitors the system's health parameters.

2. PRTG automatically analyzes the devices that you add and recommends appropriate sensors on the device's Overview tab.

Read More



Backup Active Directory Domain Controller


This article will guide you on how to back up an Active Directory domain controller.
A System State backup generally includes a copy of any installed device drivers and related files, most of the Windows directory, the Windows registry, the Active Directory database and SYSVOL (on a domain controller) and system files under Windows File Protection.
In production it is best practice to have at least 2 domain controllers per domain; if you factor in each child domain and the other domains in the forest, that number scales up fast, and backups are still needed because replication faithfully copies deletions and corruption to every DC.
To configure a Windows Backup user on a domain controller:
1. Open Active Directory Users and Computers and expand the domain, then the Users container.
2. Right-click the user who will be performing backups and click Properties.
3. On the Member Of tab, click Add and add the Backup Operators group.
4. Click OK.
Keep in mind that Backup Operators can read every file on a domain controller, including ntds.dit and the SYSTEM hive, which together contain every password hash in the domain. Treat the backup account as a Tier 0 credential: no interactive use on workstations, and the backup media protected as carefully as the DC itself.
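The same steps from PowerShell, with the backup taken by wbadmin, are shown below as an added example rather than the article's code. It assumes Windows Server Backup is available on the DC and that the account name and target volume are placeholders.

```powershell
# Added example: backup account + System State backup on a domain controller.
# Account name and target volume are placeholders; run on the DC itself.
Import-Module ActiveDirectory
Install-WindowsFeature Windows-Server-Backup

# The group change the GUI steps make. Backup Operators is Tier 0 on a DC (see note above).
Add-ADGroupMember -Identity 'Backup Operators' -Members 'svc-dcbackup'

# System State on a DC = registry, boot files, SYSVOL, ntds.dit and its logs.
# The target must not be the volume that holds ntds.dit or the log files.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Inventory of backups on that target, newest first, plus the lifetime they must stay within.
wbadmin get versions -backupTarget:E:
$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
$tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }   # unset = legacy 60-day default
Write-Output "A System State backup older than $tsl days must not be restored into this forest."
```

Schedule the job (wbadmin enable backup, or a scheduled task under the backup account) at an interval well inside the tombstone lifetime, and test a restore into an isolated lab at least once: a backup that has never been restored is an assumption, not a recovery plan.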

Read More



Find the Source of Account Lockouts in Active Directory



This article will guide you through the steps to find the source of account lockouts in an Active Directory domain.

The most common underlying cause for AD account lockouts, beyond users forgetting their password, is an application or background service on some device (a scheduled task, a mapped drive, a mobile mail client, cached credentials in a browser) that keeps authenticating with stale credentials after a password change.

To track the source of account lockouts in Active Directory:

1. Find the domain controller holding the PDC Emulator role: every lockout is reported there, whichever DC processed the bad passwords.

2. In its Security log, look for Event ID 4740 (A user account was locked out).

3. Put appropriate filters in place (event ID, time window, account name).

4. Find the lockout event for the account whose information is required.

5. Open the event: the "Caller Computer Name" field names the machine the bad credentials came from. Continue on that machine with its own 4625 (logon failure) events, services, scheduled tasks and mapped drives.
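Parsing the 4740 event's XML gives the locked account and the caller computer directly, without clicking through the viewer. The block below is an added example, not the article's code: the embedded event is constructed to show the schema Windows uses, and the live query at the end assumes the ActiveDirectory module and event-log read rights on the PDC emulator.

```powershell
# Added example: extract account + caller computer from Security event 4740.
# The sample event is constructed; the live query needs rights on the PDC emulator.
Import-Module ActiveDirectory

function ConvertFrom-LockoutEvent([xml]$eventXml) {
    $ns = New-Object System.Xml.XmlNamespaceManager($eventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($n in $eventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$n.GetAttribute('Name')] = $n.InnerText
    }
    [PSCustomObject]@{
        Time          = [datetime]$eventXml.Event.System.TimeCreated.SystemTime
        LockedAccount = $data['TargetUserName']
        SourceHost    = $data['TargetDomainName']   # in 4740 this field carries the caller computer name
        ReportingDC   = $data['SubjectUserName']
    }
}

# Constructed sample in the 4740 event schema.
[xml]$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-03-01T08:15:02.123Z"/>
    <Computer>DC01.contoso.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">j.werder</Data>
    <Data Name="TargetDomainName">LAPTOP-42</Data>
    <Data Name="TargetSid">S-1-5-21-1004336348-1177238915-682003330-1104</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEvent $sample

# Live: last 24 hours of lockouts from the PDC emulator.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) } |
    ForEach-Object { ConvertFrom-LockoutEvent ([xml]$_.ToXml()) } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

A SourceHost that is itself a domain controller or an Exchange/ADFS server means the real origin is one hop further back (a proxied NTLM logon); its own 4776/4625 events carry the workstation name of the original client.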

Read More



ElasticSearch LDAP Authentication on the Active Directory


This article will guide you on how to authenticate Elasticsearch users against Active Directory from Microsoft Windows using the LDAP protocol.

Active Directory (AD) supports both Kerberos and LDAP; Microsoft AD is by far the most common directory service in use today. Use LDAPS (port 636) rather than plain LDAP so that the bind credentials and user passwords are not sent in clear text.

To Set up Active Directory Authentication using LDAP:

1. Enter the LDAP "Server" and "Port" attributes on the Server Overview tab of the LDAP Users page. 

2. Enter the proper base for the Active Directory in the "Base DN" attribute. 

3. Set the Search Scope. 

4. Enter the Username Attribute. 

5. Enter the Search Filter. 

6. Verify that the settings are correct by clicking the Verify button.

Read More



Restore Active Directory from backup


This article will guide you on how to restore Active Directory from backup, and on backing up Active Directory regularly.

Back up your Active Directory at an interval that never exceeds the tombstone lifetime of the forest. AD refuses (and should refuse) to restore a backup older than the tombstone lifetime, because a DC restored from it would reintroduce objects that the rest of the forest has already deleted and purged ("lingering objects"). The default tombstone lifetime is 60 days in forests created before Windows Server 2003 SP1 and 180 days in forests created since; the actual value is the tombstoneLifetime attribute on CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition.
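Rather than assuming 60 days, read the forest's real tombstone and deleted-object lifetimes and judge a backup's age against them. This is an added example, not the article's code; it assumes the ActiveDirectory module and uses a made-up backup date to show the check.

```powershell
# Added example: read tombstoneLifetime / msDS-DeletedObjectLifetime and test a backup's age.
Import-Module ActiveDirectory

function Get-AdLifetimes {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
               -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    # Unset tombstoneLifetime = the pre-2003 SP1 default of 60 days;
    # forests created on 2003 SP1 or later carry an explicit 180.
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    # Deleted-object lifetime (Recycle Bin) defaults to the tombstone lifetime when unset.
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tsl }
    [PSCustomObject]@{ TombstoneLifetimeDays = $tsl; DeletedObjectLifetimeDays = $dol }
}

function Test-BackupUsable([datetime]$backupDate) {
    $ageDays = (New-TimeSpan -Start $backupDate -End (Get-Date)).Days
    $tsl     = (Get-AdLifetimes).TombstoneLifetimeDays
    [PSCustomObject]@{
        BackupDate    = $backupDate
        BackupAgeDays = $ageDays
        Usable        = ($ageDays -lt $tsl)   # older than TSL: restoring reintroduces lingering objects
        DaysRemaining = $tsl - $ageDays
    }
}

Get-AdLifetimes
Test-BackupUsable (Get-Date).AddDays(-45)     # constructed backup date for illustration
```

DaysRemaining is the number you want on a dashboard: when it approaches zero the most recent backup is about to become unusable, which is a louder signal than "last backup succeeded".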

Read More



Zabbix Single Sign-On SSO Authentication in Active Directory


This article will guide you on how to set up Zabbix Single Sign-On (SSO) authentication with Active Directory, which lets users reach the Zabbix front end without entering credentials.
Users and resources are added to the directory service for central management, and AD DS works with the NTLM and Kerberos authentication protocols. Thus, users that belong to AD DS authenticate once from their machines and get access to other systems that integrate with AD DS. This is a form of single sign-on.

Read More



Nagios Authentication and Importing Users with AD and LDAP


This article will guide you on how to integrate Nagios Log Server with Active Directory or LDAP, to allow user authentication and validation through the Nagios Log Server interface.
By default, plain LDAP traffic on port 389 (without SSL/TLS) is unsigned and unencrypted, which makes it vulnerable to man-in-the-middle attacks and eavesdropping. Once LDAP signing is enforced on the domain controllers, as Microsoft's guidance for the 2020 LDAP channel binding and signing update (ADV190023) recommends, unsigned simple binds are rejected, so Nagios must be pointed at LDAPS (port 636) with a domain controller certificate that the Nagios host trusts.
To Set up Active Directory Authentication using LDAP:
1. Enter the LDAP "Server" and "Port" attributes on the Server Overview tab of the LDAP Users page.
2. Enter the proper base for the Active Directory in the "Base DN" attribute.
3. Set the Search Scope.
4. Enter the Username Attribute.
5. Enter the Search Filter.
6. Verify that the settings are correct by clicking the Verify button.

Read More



Steps to Setup Ansible AWS Dynamic Inventory


This article will guide you on how to manage AWS resources with Ansible using a dynamic inventory.

The Ansible inventory defines the hosts and groups of hosts upon which commands, modules and tasks in a playbook operate. It can be a static file in one of several formats, a script, or an inventory plugin, depending on your Ansible environment.

Ansible will use a script as an inventory source as long as it prints a JSON structure of groups and hosts when called with --list (and a host's variables when called with --host <name>).

Read More



Clean up Domain Controller DNS Records with Powershell


This article will guide you through cleaning up stale DNS records of a dead or decommissioned domain controller with the help of PowerShell. As you will see, it takes only a few Windows PowerShell commands.

Do this only after the DC has been properly demoted, or its metadata removed with ntdsutil or by deleting the server object in Active Directory Sites and Services; otherwise the records are re-created by the next replication. To remove the old DNS records:

1. In the DNS console, right-click the forward lookup zone and the _msdcs zone, go to Properties and, under the Name Servers tab, delete the entries that refer to the decommissioned DC. Then remove its remaining A, CNAME and SRV records from both zones.

2. On the other servers and DHCP scopes, remove the IP address of the decommissioned DC from the DNS server list configured on the network adapters, so clients stop sending queries to a dead resolver.
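The PowerShell version of step 1 uses the DnsServer module to find every record in the domain and _msdcs zones that still points at the old DC before anything is deleted. This is an added example, not the article's code; the old DC name, its IP address and the DNS server are placeholders, and the removal is run with -WhatIf so nothing is deleted until you take it off.

```powershell
# Added example: locate and remove DNS records of a decommissioned DC. Names/IP are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$oldDc  = 'dc03.contoso.com'
$oldIp  = '10.0.0.13'
$domain = (Get-ADDomain).DNSRoot
$dns    = (Get-ADDomain).PDCEmulator      # any DNS server hosting the AD-integrated zones
$zones  = @($domain, "_msdcs.$domain")

# Safety check: the records come back if the DC object still exists in AD.
if (Get-ADDomainController -Filter "HostName -eq '$oldDc'" -ErrorAction SilentlyContinue) {
    throw "$oldDc is still registered as a domain controller; clean up AD metadata first."
}

function Get-RecordTarget($r) {
    switch ($r.RecordType) {
        'SRV'   { $r.RecordData.DomainName }
        'NS'    { $r.RecordData.NameServer }
        'CNAME' { $r.RecordData.HostNameAlias }
        'A'     { $r.RecordData.IPv4Address.IPAddressToString }
    }
}

$stale = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone |
        Where-Object { (Get-RecordTarget $_) -in @("$oldDc.", $oldIp) } |
        Add-Member -NotePropertyName Zone -NotePropertyValue $zone -PassThru
}

$stale | Select-Object Zone, HostName, RecordType, @{ n = 'Target'; e = { Get-RecordTarget $_ } } |
    Format-Table -AutoSize

# Remove after review. Drop -WhatIf to actually delete; -Force suppresses the confirmation prompt.
foreach ($r in $stale) {
    Remove-DnsServerResourceRecord -ComputerName $dns -ZoneName $r.Zone -InputObject $r -Force -WhatIf
}
```

Step 2 has its own cmdlet: Get-DnsClientServerAddress on each server (or a quick scan of DHCP scope options) shows which machines still list $oldIp as a resolver.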

Read More



How to restore Deleted Active Directory Objects and Users


This article will take you through the steps to restore deleted Active Directory objects and users. Some AD auditing tools also let you right-click an unwanted change or object deletion in Active Directory and click "Rollback Change" to revert it with a single click.

The Active Directory Recycle Bin feature preserves all link-valued and non-link-valued attributes of a deleted object, so a restored object retains all of its settings (group memberships included). By default, a deleted object can be restored within 180 days; the exact window is the forest's msDS-DeletedObjectLifetime, which falls back to the tombstone lifetime when it is not set.
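Enabling the Recycle Bin and restoring objects with it is a handful of cmdlets. The block below is an added example, not the article's code; it assumes the ActiveDirectory module, a forest functional level of Windows Server 2008 R2 or later, and the user and OU names are placeholders.

```powershell
# Added example: enable the AD Recycle Bin and restore a user, then an OU with its children.
# User and OU names are placeholders.
Import-Module ActiveDirectory

# Forest-wide and irreversible, like PAM. Requires Enterprise Admins.
$forest = (Get-ADForest).RootDomain
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $forest

# What is currently recoverable (the container itself is excluded).
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
    -Properties objectClass, whenChanged, lastKnownParent |
    Select-Object Name, objectClass, whenChanged, lastKnownParent

# A single user. Deleted objects keep their attributes, so group memberships come back with it.
$user = Get-ADObject -Filter 'isDeleted -eq $true -and samAccountName -eq "j.werder"' -IncludeDeletedObjects
Restore-ADObject -Identity $user

# An OU and everything beneath it: the parent must exist before its children are restored.
$ou = Get-ADObject -Filter 'isDeleted -eq $true -and name -eq "Staff"' -IncludeDeletedObjects `
          -Properties lastKnownParent
Restore-ADObject -Identity $ou
$ouDn = "OU=Staff,$($ou.lastKnownParent)"            # the OU's original distinguished name

# Children record the parent DN they were deleted under, which is either the original DN
# or the mangled "OU=Staff\0ADEL:<guid>,CN=Deleted Objects,..." form; -TargetPath handles both.
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties lastKnownParent |
    Where-Object { $_.lastKnownParent -like 'OU=Staff,*' -or $_.lastKnownParent -like 'OU=Staff\0ADEL:*' } |
    ForEach-Object { Restore-ADObject -Identity $_ -TargetPath $ouDn }
```

Restore-ADObject fails with "object not found" when the deleted-object lifetime has passed and the object has become a recycled object; at that point only an authoritative restore from a System State backup brings it back.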

Read More



DHCP server installation on windows server 2019


Are you trying to install DHCP server on Windows server 2019? Here is a step by step guide to do it.

Read More



How to use the ADUC MMC to run saved queries in Active Directory Users and Computers


This article describes how to use saved queries in relation to Active Directory Users and Computers (ADUC) which is a MMC snap-in for managing Active Directory.

Read More



