Find missing SPN registrations

Active Directory admins are probably well aware of how Kerberos works. If you need a little refresher, check out the article over at askds: Kerberos for the busy admin. Kerberos requires a service principal name (SPN) for each Kerberos-enabled network service offered in the forest: a file service, KDC, web farm, whatever. Typical examples…

GPMC slow to start? GPO reports failing? You may be missing an index.

See if you recognize this: You have lots of OUs in the domain. At least a couple of thousand. Group Policy Management (GPMC) is slow to start. It may take 10 seconds or more, and in extreme cases fails to load at all. Editing a GPO works just fine. Generating a GPO report or executing a GPO backup…

LDAP query prettifier

For some reason I have spent a lot of time looking at LDAP queries in the last few weeks. The simple queries are easy to “decode” but for the more complex ones you really need to format them properly to follow the flow. I wrote a little PowerShell script to do that, and I don’t…

How admins can cheat at changing their password

Here is a little-known trick that you can do if you have AD permissions to manage your own account: when you are prompted to change your password when its age has expired, do this: Start AD Users & Computers, and find your account. Open the Accounts tab, check the box next to “User must…

LDAP: how to do server-side sorting and why it’s a bad idea

Active Directory is an object repository, in many ways similar to a database. And like any database, it can deliver its output sorted in any way you like. However, this server-side sorting is rarely done. In fact, it is so rare that it’s pretty hard to find out how to do it. The usual and…

Find objects in LostAndFound … for all partitions

I was onsite again today, and we were talking about the Lost and Found container in AD. You know, the one where you sometimes find objects without a clear reason why they end up there. Before we delve into the PowerShell code, let me briefly explain what it’s for. Suppose you have two DCs,…

Workaround for the ADU&C search bug with advanced tabs missing

With a bit of luck you learn something every day in this business, and today a customer showed me a new workaround for a long-standing problem in Active Directory Users and Computers (ADUC). Like most serious admins, you probably always have the advanced view enabled, like this: If you search for a user in…
