Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


After seeing many questions about JRNL_WRAP_ERROR replication failures, I thought it would be useful to write this article.
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Group policies can be applied selectively to specific devices with the help of groups. Using this, it is possible to phase in group policies over a period of time by randomly adding non-member users or computers, at a set interval, to a group that filters a group policy.
Here's a look at newsworthy articles and community happenings during the last month.
3
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed, it becomes difficult to audit and maintain them.
 
Expert Comment

by: Senior IT System Engineer
Hi Shaun,

Why is there a need to use Configurator.exe (Configurator Editor) to do this?
I believe this can be done purely with Group Policy Preferences for Windows Vista/Server 2008 and above.
 
Author Comment

by: Shaun Vermaak
Enforcement, yes, but not the part where group members are moved to AD. If you do it individually with Preferences you will have to create a preference item for each possible combination.
Also, the configurator is the configuration tool; admingroups.exe is the actual application.
Had a business requirement to store the mobile number in an environment variable. This is just a quick article on how this was done.
 
Author Comment

by: Shaun Vermaak
Hiya. Yes, I tried it without, but could not get a variable to use for getting the value.
A hard and fast method for reducing the membership of the Active Directory Administrators groups.
Auditing domain password hashes is a commonly overlooked but critical requirement for ensuring that secure password practices are followed. Methods exist to extract hashes directly from a live domain; however, this article describes a process to extract user data, including hashes, from an IFM backup.

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs of each program we employ. As luck would have it, our days are often spent with other important tasks, leaving us unable to thumb through 300-page guides.


To help Active Directory administrators understand Microsoft’s latest guidance, Skyport Systems hosted a webinar last week that detailed the high-level action items needed to secure Active Directory (AD) in its most recent update.


The main issues they see in companies mitigating AD security issues are threefold: operations, complexity, and cost. Not only are there so many teams involved in managing and securing active directory, but the complex application has many ports of connection, raising cost to implement best practices and install programs built to specifically secure this infrastructure.


And why is AD security so important? Easy—AD systems are the central point of authentication for most companies, Bhavik Shah, CISSP at Skyport Systems explained. Cloud based services, internal operations tools, external platforms, all tie back to AD. So if a hacker gains access to AD, they have access to so much more than simple credentials. This is why the system is so heavily targeted. If a hacker owns AD, they own the entire network.


Skyport Systems understands this problem and so does Microsoft. Microsoft has even tried to close the gaps by releasing new tools proven to work.


“But the problem with implementation is there are vague guidelines,” said Shah. “It takes money, expertise, and other programs to successfully secure Active Directory.”


So Skyport took Microsoft's 300 pages and broke it down into something consumable—a phased approach, broken out into buckets of focus into the modern security framework.


Active Directory Hygiene

Shah recommends reviewing the existing hygiene controls, such as whether you are checking domains frequently enough. He compares this level of security to having a bunch of locks on a door: it isn’t a matter of whether or not the hackers will get in, but how long until they do.


“Hackers will get in quickly if this is the only area of focus,” Shah advised.


Secure Admin Workstation

“This is the biggest gap that I’ve seen as far as what Microsoft is telling you to do and what people are actually doing,” said Shah.


In this gap, there is no jump server set up between a laptop and its domain controller, meaning credentials are cached locally on the device, sitting in the memory of the laptop. If not addressed, credentials can easily leak into the user environment.


Protect Domain Controller

In this level of security protection, administrators need to only allow ports AD needs to perform its job, protected by a firewall and shielded from the internet. In some cases, administrators may completely wipe AD’s connections and start from scratch to gain the level of protection they desire.


Admin Forest

As the final bucket of the security process, this step requires an effort to segregate credentials into separate forests, with users in different locations than admin credentials and so forth. Shah mentioned this step is usually reserved for large enterprises.


For more detailed information on how to implement these steps of security and how Skyport Systems’ SkySecure product includes hardware and software components to deliver a secure virtualization environment for Active Directory, check out the webinar!
Always back up the domain, SYSVOL, etc. using processes that follow Microsoft best practices. This is meant as a disaster recovery process for small environments that did not implement backup processes, did not run a secondary domain controller, and need to recover Group Policies from files.

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the many intricate ways privileged accounts can compromise Active Directory environments.


On the subject of “Tracking and Securing Privileged Users in Active Directory”, Derek Melber, technical evangelist for the ADSolutions team at ManageEngine, outlined that number as Microsoft's own observation.


That’s why companies like ManageEngine are working to educate users and provide simple-to-use tools for protecting the popular Active Directory infrastructure.


Melber explained that when companies are breached, they usually aren’t aware of the breach for up to 146 days. That means a hacker can be in your organization with domain administrator credentials, undetected, for 5 months—something Melber appropriately described as a “terrifying level of access.” According to Microsoft’s research timeline, when the first host is compromised (typically a desktop) the admin domain credentials are compromised in two days or less.


So how do companies combat these risks and stay ahead of hackers?


Melber said a great place to start is to follow these 5 steps for tracking and securing privileged credentials:


  1. Run reports on privileged access accounts
  2. Analyze data from these reports
  3. Configure settings
  4. Monitor settings and access
  5. Set up alerts for when access changes


These steps help companies follow the practice of creating a least privileged environment, something ManageEngine believes in. Following this for all endpoints, Melber explained companies can reduce vulnerabilities within Internet Explorer by 100%.


Individual privileged accounts, however, aren’t the only thing to monitor. Melber discussed the importance of following the same protocol with privileged groups. In privileged groups, users have uninhibited access to important files. He gave the example of a privileged group member accessing financial servers and backing up files or folders, regardless of the permissions set on those documents.


In order to audit this activity, tools are needed to run reports and control access. With the right tool, Melber says it’s possible to track access, monitor settings and behaviors, configure password resets, receive real-time alerts, and launch automatic reports.


“It all goes back, unfortunately, to breaches. Attackers are one step ahead of us. Attackers are using configurations against us. We need to flip that around. We need to know who has privileges. We can then help reduce the breaches that are in our environment,” says Melber.


For more details on tips provided in this webinar—or to watch the presentation—click here.


*Please email Derek Melber with any Active Directory questions at derek@manageengine.com



Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organizations using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabilities to a minimum is necessary. This popular system has the ability to both help and hurt corporations.


Recently, Microsoft published a guide containing more than 300 pages on how to keep Active Directory systems safe and secure. While a thorough breakdown of all available techniques and best practices, most teams don’t have idle time available to spend thumbing through the document—especially in a moment of critical need.


In response to this, Skyport Systems is hosting a webinar to provide quick, easy-to-implement tips on the best ways to secure the most vulnerable parts of your Active Directory infrastructure. They’ve done the heavy lifting of understanding this document.


Join us Thursday, April 20th, to learn:

  • Easier ways to secure AD based on Microsoft’s guidance
  • How to secure workstations and domain controllers with their SkySecure product
  • How to create an admin/red forest with SkySecure


Register Now


This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you are not familiar with tier isolation, read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material
 
Expert Comment

by: Senior IT System Engineer
Great, so in this case I assume that by utilizing your GPO with WMI filtering above, the tiers can be fully separated.
So do I just implement the Group Policy Preference above?
 
Author Comment

by: Shaun Vermaak
You need the groups, GPOs and filters on the GPOs. At the end you link these policies to the root of the domain, but during testing they should only be linked to a specific testing OU.

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies and corporations that rely heavily on it for housing proprietary information as well as internal connections—but that’s not all.


When you take a system such as AD that’s already a focus of cyber terrorist attention and you add a large number of privileged credentials into the system, the risk only grows. Suddenly, the directory becomes porous with innumerable opportunities for invasion.


In a 2016 Cyberthreat Defense Report, it was discovered that only three out of 10 respondents felt confident in their company’s ability to monitor privileged users. This response raises awareness to the needs for secured and limited privileged credentials.


Companies like ManageEngine have seen the damage a high number of credentials can cause within a company, and they’ve set out to teach IT teams and AD technicians how to reduce privileged accounts while protecting the ones that remain.


On April 11th, Derek Melber, technical evangelist for ManageEngine’s ADSolutions team, will be presenting on the topic of tracking and securing credentials in Active Directory.


Join us to learn how to:


  • Create a honeypot Administrator account to track attacks
  • Ensure the built-in Administrator account is secured
  • Monitor activities performed by users that have privileges in Active Directory
  • Reduce membership in privileged groups
  • Be informed when any privileged group changes membership
  • Track changes to service accounts and ensure the highest level of security


Register Now


This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
A project that enables an administrator to perform actions within a user session context, not just at the time of login but at any time later, even days or weeks afterwards.
This article describes my battle-tested process for setting up delegation.
I use this process anywhere that I need to set up delegation.

In the article I will show how it applies to Active Directory.
 

Expert Comment

by: Jason Brown
Hi Shaun,

Thanks for the useful article explaining rights delegation based on roles for groups. This will help to standardise rights across members in a role as well as prevent breadcrumb delegations.
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
In-place Upgrading Dirsync to Azure AD Connect
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
 
Expert Comment

by: Mahesh
Thanks Shaun.

Your observation and information are correct.

I got the same inputs from another source:

https://blogs.technet.microsoft.com/abizerh/2013/04/21/how-an-incorrectly-configured-account-lockout-policy-can-give-more-pain-than-security/

As a consultant / architect, I used to suggest the older way of lockout policy; now that view has changed.

Thanks

Mahesh.
 
Expert Comment

by: Senior IT System Engineer
This is an awesome article :-)
Thanks for sharing!

While rebooting a Windows Server 2003 server, it showed "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete, and once we logged on not all the services had started, so another reboot was required to start all the services normally.
 

Expert Comment

by: Praveen Patten
Super Jinesh
Last week, our Skyport webinar on “How to secure your Active Directory” provided 218 attendees with a step-by-step guide for identifying Active Directory security threats and how to protect against them.

According to Howard Friedman, presenter and vice president of business innovation at Ascent Solutions, 90% of organizations use Active Directory for their identities and credentials. That means this system—often at the center of everything for an enterprise—is at a high targeted risk for theft and security breaches.

In fact, Russell Rice, head of product at Skyport Systems, said threats are many and growing. There are sites that exist for the sole purpose of providing free means to breach Active Directory firewalls and swipe credentials to infiltrate weak points of entry. 

This vulnerability has led teams like Friedman’s and Rice’s to explore existing weaknesses in this widely-used system and find ways to safeguard against potential threats.

They discussed why these gaps exist, citing issues such as cost, bogged-down processes that teams and individuals put off, and too many administrative access points. While the job can sometimes be “unsexy”, as Friedman put it, securing Active Directory doesn’t just protect user credentials, but credentials for computers, data, and even third-party firms. They’re all connected, and a problem in …
This article runs through the process of deploying a single EXE application selectively to a group of users.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of the display.
 
Expert Comment

by: alohadin
This has been bookmarked!
Great stuff Shaun.
Thanks a lot.
Lab Topology
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
 

Expert Comment

by: PriteshW
Good article, set it up in my lab and it works well.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
 
Expert Comment

by: Walter Curtis
Great information. Thanks! Recommended reading for all SharePoint people. This should be submitted as an article.

Have a good one...
