Finding Accounts Trusted for Delegation

As part of a security audit, I was asked to help find all accounts marked with "Trusted for Delegation".

What is "Trust for Delegation"?

You can try reading the TechNet article, but in short, delegation (also known as the Kerberos double-hop) is allowing a service to impersonate clients in order ...

List all Group Policy Extensions Registered

I use this script to see all GP extensions that my computer can process:

# Each key under GPExtensions is one client-side extension (CSE), named by its GUID.
ls 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions' | select `
    @{name='Guid';expression={[guid]$_.PSChildName}}, `
    @{name='Name';expression={$_.GetValue('')}}, `
    @{name='DllName';expression={$_.GetValue('DllName')}}, `
    @{name='ProcessWhenNoChanges';expression={!$_.GetValue('NoGPOListChanges')}}, `
    @{name='IsUserPolicy';expression ...

setspn Duplicates and Case Sensitivity

Today I found out that the command I use to find duplicate SPNs, setspn -x, is case sensitive, meaning that the following SPNs don't count as duplicates:

HOST/bla
HOST/BLA

This makes sense when using UNIX systems for TGS creation.
However, Active Directory Domain Controllers, being Windows systems ...


Backing up BitLocker to Active Directory - My Additions

The Story

If you have thought about deploying BitLocker in your enterprise, you have probably come across the recovery issue: if you lose the encrypting smart card, corrupt the key file, forget the password or the TPM breaks down, how can you access the data?
For small organizations, manual recovery can be ...

Remotely changing DNS server list through registry

Recently I was called to help some friends who had an unusual problem:
They demoted an old DC because they needed to raise the domain functional level, and after doing so many of their servers stopped working - they wouldn't allow remote logins, the Exchange services wouldn't start ...

Preventing Users from Adding Computers to a Domain

Some time ago, we came to the conclusion that the computer accounts in the domain were disorganized. After doing the tedious job of sorting the existing accounts, we saw that new computer accounts were still being added to the "Computers" container, and we had no idea which computer was behind ...

Investigating Repeatedly Locked Out Users

I often get asked by some other IT guy "why does user XXXXX keep on getting locked out?"

Let me clue you in on something - users (almost) always get locked out for the same reason: they try the wrong password too many times. The reasons for THAT, however, are quite ...

Group Policy Security Filtering and Loopback

I recently discovered that when applying a GP object using loopback and user security filtering (allowing only specific users to apply the GP), the computer still needs read access to the GP.

Otherwise, the GP will show up as not applied due to it being "inaccessible":

My guess is that ...


Opening Group Policy Management Editor from the Command Line

Yesterday I wanted to open the Group Policy editor (or "Group Policy Management Editor") for a specific GP object from PowerShell, but there is no "Edit-GPO" cmdlet. I quickly checked in Task Manager how the GPMC opens the editor, and made my own:

function Edit-GPO([guid]$guid){
$domain = Get-ADDomain ...