Find out if your AGPM archive needs updating

For those of you out there using Advanced Group Policy Management a.k.a. AGPM, I have a question: how do you know that your AGPM archive still reflects the reality in Active Directory? Thought about it? Good. There is a thorny issue here that has caused a lot of problems already. AGPM flat-out assumes that its archive…


Does a service account get Group Policy?

Asking the question is answering it: no, it doesn’t. This is so natural that you never think about it until you really start considering it. The fact is, you need an interactive logon to process GPO or logon scripts. So other kinds of logon such as service logon or network logon do not have GPO applied….


What is my current Azure Resource Manager subscription?

Just a brief note this time. Like many who learned Azure in the old days of Azure Service Manager (a.k.a. classic IaaS), I have a number of things to unlearn while adjusting to Azure Resource Manager (ARM). Today I struggled for at least thirty minutes trying to find out the default subscription in an ARM PowerShell…


April 2016 – kb3103709 contains five AD hotfixes for Windows Server 2012 R2

Update 6-28-2016: Security update MS16-081 (June 2016), described in kb3160352, has the latest AD binaries and includes the updates described below. We have just published KB3103709 on Windows Update for Windows Server 2012 R2 containing five AD-related fixes. So yes, it specifically applies to Windows 2012 R2, and not to older operating systems. Let’s take a quick look:…


Workaround for the ADU&C search bug with advanced tabs missing

With a bit of luck you learn something every day in this business, and today a customer showed me a new workaround for a long-standing problem in Active Directory Users and Computers (ADUC). Like most serious admins, you probably always have the advanced view enabled, like this: If you search for a user in…


Copying many files to OneDrive for Business – preventing sync errors

Over the years I have collected a large number of files that I keep hoarding for all sorts of good and not-so-good reasons: whitepapers, investigations, memos, projects, scripts, Visual Studio solutions, and so on. In the bad old days these files were on a file server, and I would use offline files to sync them…


Foreign Security Principals and Well-Known SIDs, a.k.a. the curly red arrow problem

So I was at a customer today, and for some reason or another we ended up looking at the members of the group called “Pre-Windows 2000 Compatible Access”. Members of this group basically have read-only rights in all of Active Directory. The member set depends on the forest history, but since Windows 2003 the only…


Search for Preferred Bridgehead servers

Just a quickie for today. I was talking to a friend about Preferred Bridgehead servers. This is an old-fashioned feature from the bad old days where hardware was expensive and firewalls were everywhere. A preferred bridgehead is the preferential replication partner for DCs in other sites, and is used to exclude the other DCs in the…


Force replication throughout the Forest

So there are a million posts already on how to force Active Directory replication, I know that. Mine has a little twist though, so keep reading. Forcing AD replication is not something you need to do often. If you find yourself doing it daily, there is probably room for improvement in your replication topology. However, in a test…


Azure VM Backup: beware of Windows Server 2008 R2

Since March 2015 we have the possibility to back up and restore entire VMs running in Azure. If you were not aware of this before, have a look at the documentation here: https://azure.microsoft.com/en-us/documentation/services/backup/. Using the Backup Vault you can automatically back up full VMs on a flexible schedule. For Active Directory, you could set this to daily, with…
