A Domain Controller is not a Domain Computer

Today I spent half a day troubleshooting an issue with Authentication Silos that I finally tracked down to an unexpected issue with a Group Policy. To give you a little background information: Authentication Silos are used to limit to which computers a user can log on. This is especially useful in Tier-0 configurations. To enable…

What’s new in Active Directory 2019? Nothing.

OK, so there is not precisely “nothing” new in AD 2019, but as a management summary it will do. Before you read on I would like to make it perfectly clear that: This information is not official in any way. All information here is based on public information. I had a look in our documentation…


Quickly find potential Kerberoast victims

Read up on the Kerberoast approach to bruteforce the passwords of service accounts, and find out which of your service accounts would be an interesting target.

Logging on to Azure for your everyday job

Use a PowerShell profile function to load Azure RM account context automatically. If the context file does not exist, create one. Also, check the token for validity because it may have expired.


Azure Batch for the IT Pro – Part 2

This is the second and final part of a blog series with a walkthrough for Azure Batch. The first part is here: Azure Batch for the IT Pro – Part 1 In the first part I showed you how to create an Azure Batch Account, the corresponding Storage Account, a test application based on Powershell,…

Azure Batch for the IT Pro – Part 1

I spent some time on working with Azure Batch for a customer, and what struck me that it was not so easy for an IT Pro to create a meaningful testing setup. The stumbling point is that you need to have an application doing meaningful work. So what is Azure Batch? It is the PaaS…


Download the original Active Directory Branch Office Deployment Guide

During the great Windows Server 2003 content purge on TechNet in the summer of 2016 a lot of valuable documentation was lost. Part of it was recovered in the infamously huge PDF download with 2003 support content, and other content was ported to the new documentation site on https://docs.microsoft.com, but the rest was just gone….


Get-UniqueString: generate unique ID for Azure Deployments

When deploying resources to Azure, you sometimes need to generate a world-wide unique name. Examples of these are DNS names, storage account names, Azure Batch account names, etc. Some of these names have additional requirements. For instance, storage account names must be all lowercase with a length of 3 to 24 letters. How do you…

Best practices for a stable AGPM deployment

Over the years I have worked a lot with Advanced Group Policy Management (AGPM), our solution for change management of Group Policy. This small tool is part of Microsoft Desktop Optimization Pack (MDOP). AGPM has always flown under the radar, but is deployed in surprisingly many enterprises. By reviewing and troubleshooting some of these deployments…


Do you have plaintext passwords in your Azure deployments?

If you are developing deployments for Azure you will encounter situations where you need to use passwords and other data that needs to stay hidden. Azure has plenty of facilities for this, but sometimes people can be tempted to take shortcuts. So, for one of the projects I’m involved in there was a suspicion that…