Find missing SPN registrations

Active Directory admins are probably well aware of how Kerberos works. If you need a little refresher, check out the article over at askds: Kerberos for the busy admin. Kerberos requires a service principal name (SPN) for each Kerberos-enabled network service offered in the forest: a file service, KDC, web farm, whatever. Typical examples…

Azure Template to deploy a forest with two domains, Part 3 — visualizing the template

This is part 3 in a series about writing a complex Azure ARM template. This is the full list: Part 1: using the template; Part 2: understanding the template structure; Part 3: visualizing the template. In the final part of this series I want to have a brief look at the template design, and in…

Azure template to deploy a forest with two domains, part 1 — using the template

This is Part 1 in a series. This is the whole series: Part 1: using the template; Part 2: understanding the template structure; Part 3: visualizing the template. This blog has been a while in the making. For various reasons I needed a simple way to quickly create a test forest in Azure with two domains, and…

Why you can still have duplicate SPNs in AD 2012 R2 and AD 2016

As an AD admin you are probably familiar with the problem of duplicate Service Principal Name (SPN) attributes. Need a refresher on Kerberos and SPN? Read the famous blogpost over at askds: Kerberos for the busy admin. If you have these duplicates, Kerberos fails for the affected accounts. It always fails so there is no…

Uniqueness requirements for attributes and objects in Active Directory

If you are involved in writing or using provisioning code for Active Directory you will be aware of uniqueness problems. What do you do with an account for John Smith if he is the tenth of his name? It helps to know about the conditions that Active Directory imposes on you when you create or modify…

GPMC slow to start? GPO reports failing? You may be missing an index.

See if you recognize this: You have lots of OUs in the domain. At least a couple of thousand. Group Policy Management (GPMC) is slow to start. It may take 10 seconds or more, and in extreme cases fails to load at all. Editing a GPO works just fine. Generating a GPO report or executing a GPO backup…

LDAP query prettifier

For some reason I have spent a lot of time looking at LDAP queries in the last few weeks. The simple queries are easy to “decode” but for the more complex ones you really need to format them properly to follow the flow. I wrote a little PowerShell script to do that, and I don’t…

How admins can cheat at changing their password

Here is a little known trick that you can use if you have AD permissions to manage your own account: when you are prompted to change your password because its age has expired, do this: Start AD Users & Computers, and find your account. Open the Account tab, check the box next to “User must…

Hotfix 2 for AGPM 4.0 SP3 allows you to keep custom Read permissions

We released a silent update to AGPM 4.0 SP3 last September. Find it here: https://support.microsoft.com/en-us/kb/3174540. It is also slipstreamed in the latest MDOP release. The update is a change in functionality regarding permissions on GPOs. Let me quote it for you. The old behavior, which always trips up people who are new to AGPM: If you want to change…