How to Modify Security Inheritance on Active Directory Objects using PowerShell

A couple of weeks ago I was working with a customer analyzing a number of user accounts affected by AdminSDHolder protection.  User accounts that are members of privileged groups such as Domain Admins end up being modified so they are protected by AdminSDHolder.  There is a property named AdminCount that usually has no value that…


How to update the list of Name Servers on a DNS Zone with a Script

I was working with a customer this week doing some Active Directory cleanup tasks.  We were decommissioning the last of their Windows Server 2003 domain controllers so we could upgrade the domain and forest functional level to Windows Server 2008 R2 to take advantage of some new features. After removing the last Windows Server 2003…


How to find user accounts with Kerberos preauthentication disabled.

One of my duties as a Premier Field Engineer is to perform Active Directory Risk Assessments (aka ADRAP).  During these risk assessments we review the configuration of key components of Active Directory to determine if there are any settings that vary from our recommended practices. During almost every ADRAP I perform we get a message…


Understanding and Managing the Certificate Stores Used for Smart Card Logon

Recently I was onsite helping a customer clean up some certificates related to smart card logon. One of the things I find challenging about PKI and specifically about smart card logon is remembering how and where to publish certificates. It seems like every time I work on an issue related to smart card logon and…


How to Determine Which DNS Server(s) Have Scavenging Enabled Using PowerShell

One of my duties as a Microsoft Premier Field Engineer (PFE) is to make sure the products a customer is currently using are configured properly and the customer is getting all the functionality the product provides.  Whenever I’m working with customers on any DNS issue I always check to see if they are using DNS…


How to run DCDIAG and NETDIAG on Multiple Computers Using a Batch File

I was onsite with a customer this week reviewing their Active Directory configuration.  During the visit the system admin I was working with mentioned he needed to run DCDIAG and NETDIAG on every domain controller (DC) in his domain and collect the output to prepare for their upcoming migration to Office 365.  When I got…
