GPMC slow to start? GPO reports failing? You may be missing an index.

See if you recognize this: You have lots of OUs in the domain. At least a couple of thousand. Group Policy Management (GPMC) is slow to start. It may take 10 seconds or more, and in extreme cases fails to load at all. Editing a GPO works just fine. Generating a GPO report or executing a GPO backup…


LDAP query prettifier

For some reason I have spent a lot of time looking at LDAP queries in the last few weeks. The simple queries are easy to “decode” but for the more complex ones you really need to format them properly to follow the flow. I wrote a little PowerShell script to do that, and I don’t…


How admins can cheat at changing their password

Here is a little known trick that you can do if you have AD permissions to manage your own account: when you are prompted to change your password when its age has expired, do this: Start AD Users & Computers, and find your account. Open the Accounts tab, check the box next to “User must…


Hotfix 2 for AGPM 4.0 SP3 allows you to keep custom Read permissions

We released a silent update to AGPM 4.0 SP3 last September. Find it here: It is also slipstreamed in the latest MDOP release. The update is a change in functionality regarding permissions on GPOs. Let me quote it for you. The old behavior, always tripping up people that are new to AGPM: If you want to change…


Overview of RID pools for the domain

A short one today. A customer had concerns about the RID Pool administration in his domain. Brief refresher: DCs create security principals such as users, computers and groups, and each one of these must have a unique security identifier, a.k.a. SID. A SID for a domain security principal is built from two parts: the…


Clearing the ConflictAndDeleted DFSR folder on DCs

Following this earlier post on troubleshooting DFSR replication conflicts for SYSVOL I got some questions on how to clear out the ConflictAndDeleted folder where DFSR keeps the conflicted files. Usually, there is no need to do this, but you might want to clear the folder after you fixed something in DFSR and want to observe the results…


LDAP: how to do server-side sorting and why it’s a bad idea

Active Directory is an object repository, in many ways similar to a database. And like any database, it can deliver its output sorted in any way you like. However, this server-side sorting is rarely done. In fact, it is so rare that it’s pretty hard to find out how to do it. The usual and…


Find out what SYSVOL on DFSR is doing, part 2

This is a continuation of a previous post: Since that blog and its script were published I have run it myself a couple of times on customer sites, and received reports from other people who tried it as well. The script had one problem where I neglected the possibility that a DC had zero…


Find objects in LostAndFound … for all partitions

I was onsite again today, and we were talking about the Lost and Found container in AD. You know, the one where you sometimes find objects without a clear reason why they ended up there. Before we delve into the PowerShell code, let me briefly explain what it’s for. Suppose you have two DCs,…


Find out what your SYSVOL on DFSR is doing

(Updated 16-9-2016: reference to new post, updated the script with better error checking and a bugfix) This is part 1; continue at part 2 here: All of you out there should be running your SYSVOL on DFSR by now. This is the new default since Windows Server 2008 from the previous decade. If you…