Jan 10

Dynamic Objects in Active Directory

Sometimes we need to create users/groups/computers in Active Directory that will be used temporary (by a contractor, for testing etc.). The typical workflow is: Create > Use for a while > Delete. The deletion is manual and often these objects are being forgotten which poses some security risks.

It is little known fact that we can create the so called Dynamic objects (DOs, a.k.a. temporary objects) that get deleted from AD automatically when the associated TTL expires. Microsoft added this capability in Windows Server 2003. In fact the “Dynamic object” is an auxiliary class (OID = 1.3.6.1.4.1.1466.101.119.2). When linked to an object it adds some new attributes like the entryTTL (Entry-TTL) and ms-DS-Entry-Time-To-Die attribute.

Continue reading

Jan 05

WinRM would not listen on port 5985

The WinRM was configured to allow remote administration via a GPO but it wouldn’t let us connect with Enter-PSSession. The firewall rule was there passing the traffic on TCP port 5985.

Checking WinRM config showed something strange:

Listener [Source=”GPO”]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = null

So WinRM was actually configured but wasn’t listening on any network interface. Why?

Continue reading

Dec 20

NTFRS: How to force SYSVOL replication

For those who still use NTFRS – as of KB823230 ntrfsutl can be used to force Sysvol replication:

The replication path will be SRC_DC_FQDN > DST_DC_NAME

In fact ntfrsutl connects to DST_DC_NAME and “tells” NTFRS to pull Sysvol changes from its inbound partner SRC_DC_FQDN.

Jan 21

MS16-101: NTLM fallback is now prohibited

Преди времесе зачетох в следната статия:

Troubleshooting failed password changes after installing MS16-101

В нея се споменава за пароли, NTLM, последствия от Ms16-101 – кофти patch, не се случва за първи път т.е.нищо интересно.

Continue reading

Jan 08

Configuring Windows Components Logging

“Човек и добре да живее, все ще му се наложи да дебъгва”:

Directory Services Debug Logging Primer

Списъкът е огромен, но не очаквам да е изчерпателен.

Jan 15

“Could not retrieve default replication accounts” during RODC Promotion

The task was to promote the first RODC in a mixed OS domain with Windows 2003 Forest/Domain functional levels. Before DC promotion the AD Schema was successfully extended and there was one Writable Domain Controller (Windows Server 2013 R2) up and running.

I noticed some RODC related groups are missing even trough adprep finished without any errors:

  • Read-only Domain Controllers
  • Allowed RODC Password Replication Group
  • Denied RODC Password Replication Group

I thought they will appear after first RODC promotion. But that was not the case!

These groups, along with many others, are created AFTER you transfer the PDC role to a domain controller, running Windows Server 2008 or later!

After transferring the PDC role these groups were created:

Nice to know it 🙂

Thereafter the first RODC was promoted successfully!

References:

Dec 14

Set-ADUser : Insufficient access rights to perform the operation when setting the Title attribute in Active Directory

Представете си, че имате обикновен потребител в Active Directory домейн, примерно Updater@pkg.lab. Искате той да има право да променя полето Title на определен списък с потребители.

Атрибутът Title отразява длъжността (т.е. Job Title) на потребителя в организацията.

За тази цел сте делегирали права Read/Write за атрибута Title в определени организационни единици:

Continue reading