With restricted group policies you can define the content of the local groups on your workstations and servers. Thanks to these GPOs you can set up which domain groups will be local administrators, power users, remote desktop users etc. on the PCs.

If you want more details about restricted group policies and can understand French I suggest you read Jonathan’s post on the Portail MCSE blog. If you only understand English you will find a description here. You can use the “Members” portion of restricted group policy, which we will call “replace mode restricted group policy” or the “Member Of” portion of restricted group policy, which we will call “add mode restricted group policy”. This feature is supported on Windows 2000 SP4 and later versions.

In this article we will focus on setting up a replace mode restricted group policy that modifies the local administrator and power users group on our workstations.
Read more »

We will describe in this post how to secure your autologon workstations. Those PCs are accessed by everyone inside your company because no account and password are required to login.This is why you need to work out how to secure them.

The autologon workstation uses a service user account to open a windows session, the most obvious way to set up an autologon on a workstation is to edit registry keys. This method is not secure because the account credentials appear in clear text in the registry, meaning that the account can easily be used for other purpose.
Read more »

The title of this post seems a bit contradictory, the use of generic accounts in your domain should be limited to the minimum. Access to your domain ressources should be done with nominative accounts when possible, that’s why you want to avoid generic accouns use. However for political or historical reasons a department of your company might use this type of accounts to access some applications or log on some computers. This account is used by several persons, accordingly the password does not remain secret and across many departments, non-authorized persons might know it and use it for other purposes. If you set up a classic change password policy for this account, then when the password expires, a single person will change it and will probably not notify other users that are entitled to use the account of the new password. That’s why generic accounts are generally flagged “the password never expires”, which is an obvious lack of security. We will demonstrate in this post how to set up an automatic system that will change the password and notify users entitled to use the account.
Read more »

You can track GPO links changes by analyzing the security eventlog, GPO links will give you information on which objects your GPO is applied to. We will monitor GPLink attribute changes.

In order to analyze in real time the security log of all your DCs you need to pay for a Syslog solution, like Snare or Kiwi. Or you can try to setup an eventlog forwarding solution if you are under Windows 2008, you can also try to run a script that catches security log events, but you might encounter some performance issues.
Read more »

We will explain in this post how to monitor GPO changes by tracking modifications on the GPT. Only deletion, computer/user configuration modification and creation can be overlooked. About GPO monitoring you can read this article,which shows you how to activate auditing on your Sysvol share \\domainname\sysvol\domainfqdn\Policies and retrieve GPO changes via the eventlog. We will use another method, taking advantage of the replication of this folder.
Read more »

We will describe in this post how to indentify an application that causes a CPU time overconsumption on your Domain Controllers. We will use two tools for this: Server Performance Advisor and Wireshark. The first is used if you have a Windows 2003 DC, if OS is Windows 2008 the tool is already included, you access it with MMC snap-in perfmon.msc, its new name is Windows Reliability and Performance Monitor. Both versions have performance counters dedicated to Active Directory, in this post we will use SPA, because the DC having trouble is running Windows 2003. If you want more details on using Windows RPM for AD you can read this article.
Read more »

On this post we will describe how to do a spring clean on your active directory database file ntds.dit.
The first step will be to search for stale objects in your domain, if after collecting those objects you don’t find many of them, do not hope to gain some space on your database. For example the size of a user object is at the minimum 4Ko, the size may vary depending on the number of attributes the account has. Check this article for more information on objects size.
Read more »

When you perform a complete domain or forest recovery, after you have restored the first DC system state, you have to cleanup metadata of the DCs on which you will reinstall AD using a DCPromo. For more information about disaster recovery plans I suggest you read this document.

On a Windows 2008 server when you delete the DC computer object, server object removal (cn=ServerName,cn=Servers,cn=SiteName, cn=Sites,cn=Configuration,dc=ForestRootDomain) and metadata cleanup are performed automatically. On a Windows 2003 server you need to use the ntdsutil command line tool and delete the server object manually. This post describes how to set up a semi automated process to perform these steps.

Read more »

Here is an application for your helpdesk that collects data about the user environment which can be useful for troubleshooting, It was developed using WMI code creator was really useful for coding this application.

Just click on the icon bellow to download the tool, if you notice any bugs and have any ideas for tool evolution, please do not hesitate to contact me.

Read more »

If lsass process consumes too much CPU time on your domain controller the cause might be clients infected by Conficker. The link to the KB article discusses how to prevent its propagation and how to remove the worm. The purpose of this post is to identify infected clients which cause this lsass.exe overconsumption easily.

This topic was already discussed in a post of AskDS, I’ll add a few comments and scripts which will help you to eradicate the virus on your workstations.
Read more »