Security of elevated privileged access is becoming more and more important with every Active Directory installation. Attacks are going to happen, and ensuring you know who has privileged access will help reduce the overall effectiveness of these attacks.
Securing Active Directory Delegations Challenge
I have a challenge for you this week! After all, everyone loves a challenge. This one is to verify that your Active Directory is secure and to show you how to verify your security in the future.
Grab Microsoft’s Out-of-Cycle Kerberos Patch
During last week’s Microsoft Patch Day, I pointed out that Microsoft had delayed two of the expected bulletins. This week, they released one of those delayed updates, and rate it as a Critical issue.
PowerShell Scripting and Disasters!
So I am at a conference recently in Arizona and an attendee says to me that they used PowerShell to update the email address for 100 existing Active Directory users. This is quite simple using PowerShell, according to the attendee.
Monitoring of Active Directory Changes Made Easy
There are some things that Microsoft builds into their product that are just amazing, while other things are just pathetic! When it comes to monitoring Active Directory, we have both. However, by using the good and supplementing the bad with other options, a fantastic solution can be achieved! The Good and Bad of Active Directory Monitoring: The good that Microsoft provides with regard to Active Directory monitoring is the detailed logs that can be generated.
Windows Active Directory Password Policy: Still Misunderstood
I am going to make this short and sweet. I want to not focus on the Password Policy settings and focus just on the deployment of the Password Policy in Active Directory. Here is the reality of the Password Policy in bullet format, for easier consumption: The Password Policy for the domain is defined in the Default Domain Policy Group Policy Object (GPO) by default.
Real-Time Change Auditing for Windows Active Directory
ManageEngine ADAudit Plus recently announced the addition of real-time change auditing for Windows Active Directory. Available immediately, the new feature provides administrators with real-time email alerts when critical and unauthorized changes are made to AD. Similarly, administrators can view a real-time, live feed of alerts in the ADAudit Plus console along with a thorough analysis of “who did what, when and from where” in the solution’s 200+ pre-configured audit reports.
Active Directory Delegation: It Does Not Need to Be Hard!
One of the most important and powerful reasons that organizations consider Active Directory is the fact that delegation is built into the product. Windows NT did not have delegation, unless you want to call membership in the Account Operators group delegation! Windows Active Directory provides a simple method, using the Delegate Control Wizard, to grant a group of users granular control over all or even just a subset of your Active Directory objects. For example, if you have a help desk that should have the ability to reset passwords for all users except for those in IT, you can delegate this permission to the OU that contains the non-IT employees.
Safely Delegating Password Reset Capability in Active Directory
I have been preaching for years about how powerful Active Directory is in the ability to delegate control over certain tasks and certain objects in Active Directory. One of the most obvious delegations is giving one group of users the ability to reset passwords for a different group of users. There are a few issues using the Microsoft solution, and those issues can cause insecure settings, hard-to-report delegations, and access to AD that is hard to find and remove.
Track Down Active Directory Attack Attempts
There is nothing scarier to an Active Directory administrator than the thought of someone attacking the domain controllers. The majority of attacks come from within the internal network and come from existing domain users.