r/activedirectory

How do I let domain users run programs as administrators?

Hello everyone,

I need help on how to allow domain users in my domain to run certain software as administrators without always having to enter domain admin credentials, and without adding the users to the local Administrators group.

I would really appreciate any advice or guidance on the best and most secure way to achieve this.

This is also my first post here, and I am still a beginner in network administration and Active Directory, so I am looking forward to learning from your experience and support.

Thank you in advance.

u/Nanidasilva — 14 hours ago

Is this even possible? My boss wants me to do this.

I want to achieve the following in our Microsoft 365 / Outlook environment:

When a user receives an email from someone within our organization, I would like the sender to appear in Outlook as:

Display Name (Department)

For example:

John Smith (IT)

instead of just:

John Smith

Our environment consists of on-premises Active Directory synchronized with Microsoft Entra ID.

The key requirements are:

  1. Maintainability

    • The solution should be centrally managed and scalable.

    • We do not want to manually edit the Display Name of individual users one by one.

  2. Department-Based Logic

    • The department value should come from the existing Department attribute in AD/Entra ID.

    • Ideally, Outlook would dynamically display:

DisplayName + " (" + Department + ")"

  3. Automatic Updates

    • If a department name changes (e.g., "IT" becomes "Technology"), we should only need to update the department value in one place.

    • All affected users should automatically reflect the new department name in Outlook without requiring manual updates to each user's display name.

  4. Minimal Ongoing Administration

    • We do not want a solution that requires running scripts daily or performing regular manual maintenance.

    • A one-time configuration, automated synchronization, or event-driven update process would be acceptable.

My main question is:

Does Outlook/Microsoft 365 support displaying a user's name together with another directory attribute (such as Department) without modifying the user's actual Display Name attribute?

If not, what would be the most maintainable approach to achieve this behavior in an AD + Entra ID synchronized environment?

u/jackey_lackey11 — 2 days ago

Active directory migration

Hi friends,

I recently faced an Active Directory server with multiple useless domains and I decided to migrate the active domain to a newly installed DC. In my first search I found ADMT, which can migrate all the objects with their attributes, such as passwords of user objects or profiles of computer objects. It can also disjoin and rejoin the objects to the new domain automatically.

In the process, the migration of all objects was successful, but the security translation and computer migration were not!

After reading lots of logs and Microsoft official docs, I found out it is buggy for a domain newer than ADDS 2016.

Do you have any other solution or any experience with migration of AD DS 2022?

Both domains are 2022 with a 2016 functional level.

If there is anything besides Quest or AD Manager, please suggest it 🙏

u/Vegetable-Pen2 — 5 days ago

🔐 Free IAM Community Workshop – Hardening AD Against Real-World Attacks

Wanted to share another free IAM workshop we’re hosting on Saturday, June 6:

🛡️ Hardening Active Directory Against Real-World Attacks

Active Directory is still one of the most targeted systems in enterprise environments and a lot of organizations are more exposed than they realize.

We’ll be covering:

  • common AD attack paths
  • risky misconfigurations
  • practical hardening strategies
  • defensive concepts that actually matter in real environments

It’s beginner-friendly but still valuable for people already working in IT, sysadmin, IAM, or security roles.

We’ll also have live Q&A and open discussion afterward.

Zero to Sec has turned into a really solid group of people learning IAM together, sharing knowledge, helping others break in, and leveling up.

If that sounds interesting, feel free to join us.

Free RSVP: https://addcal.io/e/q0ygijv094gd

u/iamblas — 4 days ago

Building a Highly Available CRL and AIA Distribution Platform for AD CS

I recently spent some time looking at high availability for CRL and AIA distribution in AD CS.

My first thought was to keep things simple: two IIS servers behind a load balancer, each hosting its own CRL share. From a client perspective this actually worked pretty well. As long as the load balancer performed health checks, clients could continue downloading CRLs even when one of the web servers was unavailable.

What surprised me was the publishing side.

The CA was configured to publish CRLs and Delta CRLs directly to both web servers. When I simulated the loss of one of the publication targets, the Base CRL continued to publish, but Delta CRL publication failed completely. Event Viewer started throwing a mix of ERROR_DIRECTORY (0x8007010b) and E_ABORT (0x80004004) errors.

In other words, the web tier remained highly available, but the publication process itself wasn't.

That eventually led me to a different design based on DFS Namespaces, DFS Replication, IIS and gMSAs. The CA now publishes to a single DFS path, DFS-R takes care of replication, and the web servers simply serve the content.

One thing I found interesting during this project is that making CRL distribution highly available is actually the easy part. Making CRL publication highly available requires a bit more thought. I've written up the complete design, implementation steps, PowerShell configuration and some lessons learned along the way:

https://michaelwaterman.nl/2026/06/04/building-a-highly-available-crl-and-aia-distribution-platform-for-ad-cs/

Hopefully this helps someone who's looking at the same challenge. At the very least, it might save you from spending an evening or more wondering why Base CRLs keep publishing while Delta CRLs suddenly refuse to cooperate.

u/aprimeproblem — 6 days ago

Confusion about minimum password length in domain Default Policy

With the last old devices gone (NT4!), this forest is running fully on Win10/11 and Server 2019/2022 now.

There was an audit from an external security company, and I should set the minimum password length to 16 instead of 14.

The problem is that the maximum value of "Minimum password length" on 2019 servers is 14, and all DCs are 2019. I'm already happy I went from functional level 2003 to 2016 this year. I get no budget to buy a few thousand 2022 or 2025 CALs this year.

From a 2022 server I went into the GPO management to turn "Relax minimum password length limits" on, but now I am unsure how this replicates. It is not visible on the 2019 servers - I expected at least an error because of a missing admx or so.

Also, I'm unsure whether this Relax etc. policy belongs in the Default Domain Policy with the password policy, or in the Default Domain Controller Policy, as the setting is probably only relevant for DCs anyway.

Thank you for your opinions.

u/YellowOnline — 5 days ago

Community Meetup Video Is Live + More!

We did it! Earlier this week we held our first ever Virtual Meetup and, I may be biased, but it was a massive success!

Thanks for attending, those of you who could, and big thanks to David and u/aprimeproblem for being a part of the panel. For those of you who couldn't, I have news! The recording is posted!

Don't stop reading; there are a couple more items we need to throw out there.

Post-Meeting Survey

Whether or not you made it I'm interested in what you think about some of the items. Especially some of the logistics items.

Based on the previous survey Tuesdays worked best. Currently this one is suggesting a different time. I want to give the most people the opportunity to join as I can, so if nothing else answer that part. Oh, and if you want to be considered as a panelist, let me know in the survey (provide me your contact info, please).

Merch?

AD Subreddit Merch Link

Okay, hear me out. I wanted to put them out there as an opportunity for us to share a common theme. I'm using Printify and Etsy to do all the sales/distribution part. They are priced just above cost, with the idea of only covering cost changes and making Printify not bug me.

I have zero intention of making money off this and will use the funds to fund more meetups. Anything more will go to one or more charities. If you want to know ask and I'll show you the numbers.

Next Meeting?

TBD at the moment. We'll probably post it about 2 weeks before we actually do it, but right now we are planning early July. I'll do some more posts when it is time.

Other Events

First, make sure you're subscribed to the talks, cons, and webinars thread: Identity Conferences/Webinars/Podcasts Megathread.

I'll be presenting at Zero To Sec's town-hall/meeting Saturday. I'll post details in the con's thread.

Also if any of you are going to Hobocon, I'll be there and presenting as well if you want to say hello.

Everything after this is just some reflection and discussion.

Takeaways

The AMA/Q&A style discussion ended up surprising me. I've been to several conferences, trainings, etc. and rarely are they structured to be a back-and-forth discussion. This really enabled some conversation that I don't think happens often and after talking with a colleague I think it may be needed.

That said, I think we'll keep the open Panelist-AMA-style discussion in future meet ups.

Eventbrite, Teams, etc.

Eventbrite was not my first choice. I'm going to evaluate other options for next time. The idea here is I need a means to track registration so I know what to plan for. If you have any suggestions or recommendations, let me know.

Teams

There were a couple of challenges with Teams. Admittedly, I've not done Teams calls outside of the workplace and that added a layer that surprised me. As I said before, I'm looking at using Proton in the future, but we'll see. I don't have any licensing I own outside of Teams currently, so there are lots of variables.

Reach Out

If you have ideas or suggestions, reach out. Otherwise, thanks everyone for everything and for making this an awesome community.

I love any input anyone has. Just reach out!

u/poolmanjim — 5 days ago

How to configure Site Links and Costs for full mesh network?

I'm trying to optimize our AD Sites & Services Site Links to accurately reflect the costs of replication traffic. There are 7 physical sites that each have a single connection to the internet via their local ISP; however, site-to-site VPN tunnels are configured as a full mesh, i.e. any one office can send traffic directly to another. The tricky thing is that the quality of the ISP connection varies from office to office, with a few being high latency. How should I create site links and group sites within them so that DC replication occurs over the higher quality connections first and avoids poor-ISP to poor-ISP replication links?

u/StoopidMonkey32 — 5 days ago

AD Primary groups and Entra

Came across something today and just felt the need to share. I was having an issue with a particular group that we were trying to sync to Entra. The group itself synced but it had no members on the Entra side. After a lot of searching and testing I found out the following: If a user has a group set as their primary group, that user does not get listed in the "member" attribute and thus their membership doesn't get synced to Entra.

By default, a user gets added to the "Domain Users" group and that gets set as their primary group. If you happen to create a user that is not a member of the "Domain Users" group, whatever group you add them to first gets set as their primary group. If you then want to sync that group to Entra, they won't show up. Hopefully this post will save someone else some time in the future...

u/therealtacopanda — 6 days ago
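A way to find the accounts the post describes, written here as an added example (not the poster's code): it resolves the group's RID, finds users whose primaryGroupID points at it (those are exactly the ones missing from `member`), and optionally moves them back to Domain Users as primary group and re-adds them as explicit members. It assumes the RSAT ActiveDirectory module; the group name in the usage line is a placeholder.

```powershell
# Added example, not from the post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrimaryGroupOnlyMembers {
    # Users that have $GroupName as primary group. AD does not list them in the
    # group's "member" attribute, so a sync that reads "member" never sees them.
    param([Parameter(Mandatory)][string] $GroupName)

    $group = Get-ADGroup -Identity $GroupName
    # primaryGroupID stores only the RID, i.e. the last component of the group SID.
    $rid = [int](($group.SID.Value -split '-')[-1])

    Get-ADUser -LDAPFilter "(primaryGroupID=$rid)" -Properties primaryGroupID |
        ForEach-Object {
            [pscustomobject]@{
                Account           = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                PrimaryGroup      = $group.Name
                InMemberAttribute = $false   # by definition: primary group is never in "member"
            }
        }
}

function Repair-PrimaryGroupMembership {
    # Make the membership explicit so it syncs: set Domain Users (RID 513) back as
    # primary group, then add the user to $GroupName as a normal member.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $GroupName)

    $domainUsers = Get-ADGroup -Identity 'Domain Users'
    foreach ($row in Get-PrimaryGroupOnlyMembers -GroupName $GroupName) {
        if (-not $PSCmdlet.ShouldProcess($row.Account, "re-home primary group to Domain Users and add to $GroupName")) { continue }
        # An account must already be a member of the new primary group before the switch,
        # so add it first (ignoring "already a member" if it is explicitly listed).
        Add-ADGroupMember -Identity $domainUsers -Members $row.DistinguishedName -ErrorAction SilentlyContinue
        Set-ADUser -Identity $row.DistinguishedName -Replace @{ primaryGroupID = 513 }
        Add-ADGroupMember -Identity $GroupName -Members $row.DistinguishedName
    }
}

# Usage (placeholder group name): report first, then run the repair with -WhatIf before committing.
Get-PrimaryGroupOnlyMembers -GroupName 'Entra-Synced-Group' | Format-Table -AutoSize
# Repair-PrimaryGroupMembership -GroupName 'Entra-Synced-Group' -WhatIf
```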

Changing the Inter-Site Topology Generator

Hi All,

Just looking for some advice.

I'm doing some AD prep before an uplift and I've come across an Inter-Site failure in dcdiag for one of our AD sites.

The failure is due to a deleted former RODC, and you can see this referenced in the 0ADEL CN. You can also see this in the ISTG Server and Site listing, which is "Invalid".

This was obviously not demoted properly and thus the reference for this site has stayed.

However, I am confused as to why this has not automatically switched to a working DC within the Site, of which there are two.

The only way I am aware of for fixing this, is to change the attribute 'interSiteTopologyGenerator' to the NTDS CN of a working DC within the site. Is that correct?

I was also wondering if emptying the attribute value and forcing a "Check Replication Topology" would also resolve the problem, by embedding a working NTDS value itself.

Any help/input appreciated.

Domain/Forest level is 2016.

u/coolbeaNs92 — 7 days ago

Nested group membership is giving people access to things they shouldn't have and I can't even see it without running a script

Inherited this environment two years ago. Previous admin nested groups inside groups inside groups. Last month I finally pulled a full membership expansion report.

14 users have access to a finance file share with no obvious reason to be there. Traced it back through four levels of nesting. One group in the chain was a distribution list added to a security group six years ago and never removed. That DL had 40 members. All 40 inherited the file share access.

None of this is visible in AD Users and Computers. You see direct members, not transitive ones. The access looks clean unless you specifically expand the full membership tree.

We run quarterly access reviews. Managers certify their team's access. They're certifying what the tool shows them, and the tool doesn't surface transitive memberships. So the reviews are passing on access nobody knows exists.

Three of the 14 users with unintended finance access have since left the company. Accounts disabled, group memberships never cleaned up. The nesting is still intact for whenever those accounts get reused.

Is there a standard approach for auditing and flattening nested groups in AD without breaking things that depend on the current structure? Specifically wondering whether people tackle this top-down from the resource or bottom-up from the user.

u/Consistent_Buddy_698 — 7 days ago
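The kind of membership expansion the post had to script, as an added example (not the poster's report): starting from the resource group, it walks every nested group, records the chain each user arrived through, and flags distribution lists in the chain and disabled accounts, which are the two conditions the post found. It assumes the RSAT ActiveDirectory module; the group name in the usage line is a placeholder.

```powershell
# Added example, not from the post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TransitiveMembers {
    # Returns one row per user reachable from $GroupName, with the nesting chain.
    param([Parameter(Mandatory)][string] $GroupName)

    $rows    = [System.Collections.Generic.List[object]]::new()
    $visited = [System.Collections.Generic.HashSet[string]]::new()

    # Recursive walker; $Path holds the group names from the root down to here.
    function Walk([string] $GroupDn, [string[]] $Path) {
        if (-not $visited.Add($GroupDn)) { return }      # already expanded: also guards against loops
        $group = Get-ADGroup -Identity $GroupDn -Properties member
        foreach ($dn in $group.member) {
            $obj = Get-ADObject -Identity $dn -Properties groupType, sAMAccountName, userAccountControl
            if ($obj.ObjectClass -eq 'group') {
                # groupType bit 0x80000000 set => security group; clear => distribution list.
                $isDl  = (($obj.groupType -band 0x80000000) -eq 0)
                $label = if ($isDl) { "$($obj.Name) [DL]" } else { $obj.Name }
                Walk $dn ($Path + $label)
            }
            elseif ($obj.ObjectClass -eq 'user') {
                $rows.Add([pscustomobject]@{
                    User     = $obj.sAMAccountName
                    Disabled = (($obj.userAccountControl -band 2) -ne 0)   # ACCOUNTDISABLE flag
                    Depth    = $Path.Count                                  # 1 = direct member
                    ViaDL    = [bool]($Path -match '\[DL\]')                # a DL sits in the chain
                    Chain    = ($Path -join ' -> ')
                })
            }
        }
    }

    $root = Get-ADGroup -Identity $GroupName
    Walk $root.DistinguishedName @($root.Name)
    return $rows
}

# Usage (placeholder group name): deepest chains first, then the rows a reviewer would never see in ADUC.
$members = Get-TransitiveMembers -GroupName 'FinanceShare-RW'
$members | Sort-Object Depth -Descending | Format-Table User, Depth, Disabled, ViaDL, Chain -AutoSize
$members | Where-Object { $_.Depth -gt 1 -and ($_.ViaDL -or $_.Disabled) }
```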

DFSR issue after domain controller restart - proper procedure for maintenance?

Hello,

I have noticed this behavior in several two domain controller HA setups.

The usual sequence is:

  1. DC02 is patched and rebooted (via Azure Update Manager).
  2. After DC02 comes back online and appears usable — login works, services are running, etc. — DC01 is patched and rebooted.
  3. After DC01 reboots, DFSR/SYSVOL replication seems to enter an unhealthy state.
  4. DC02 appears to have issues with DFSR synchronization, even though it looked healthy immediately after its own reboot.

I noticed in all cases DFSR backlog remains between DC01 and DC02, and SYSVOL replication does not return to a clean state without manual intervention...?

It looks like DC02 is considered “back online” from an OS/login perspective, but DFSR may not yet be fully healthy or ready before DC01 is rebooted.

We also noticed this when using the start/stop procedure for domain controllers in Azure on dev environments to save cost. When at one point both DCs are in the stopped state, then we start DC01, wait for it, I don't know, maybe 15 minutes, and then start DC02, DFSR is always in this stuck state and it won't continue on its own.

Is this expected (replication is stuck until manual intervention)?

To solve this I always have to resort to this procedure:

Force synchronization for Distributed File System Replication (DFSR) replicated sysvol replication - Windows Server | Microsoft Learn

Where I set DC01 to be authoritative, force sync and restart DFSR, and then it is all back to working as expected.

Any ideas?

u/yukee2018 — 7 days ago

Can't for the life of me delegate AD computer permissions, help please!

I'm setting up a new desktop technician role in my AD environment and want to give that group the ability to manage our workstations in AD, to include, creating, moving, deleting, resetting computer objects and joining/unjoining the domain, basically anything needed for our workstations.

I created a new security group and put the account in the group. I went to the top OU where our computer objects live, and the computers container, and went through the delegation wizard. Selected the custom settings, selected computer objects, and chose full control. I verified on the OU and computer objects within, that the group has full control including Reset Password.

The admin logs in, we confirm membership of that group, and the token is fresh. When attempting to reset a computer object, he gets access denied. He can move computer objects within the Computers container and the assigned OUs.

I did update the Default Domain Controllers policy to allow this group "Add workstations to domain", as we had restricted that previously. Doesn't really apply in this problem, but would come up. I've also added them to allow Computer Account Re-use setting in my Domain Controllers GPO.

I feel like I'm just missing one critical component that I can't track down and haven't had any luck with finding a good article, or CoPilot, ChatGPT, or Claude getting me over the finish line. The goal is to limit entitlement so we move our desktop tech role away from being a Domain Admin. Would love any suggestions!

u/J2E1 — 8 days ago

Pass-through authentication failing with some DCs offline

We’re taking our HQ building offline at the end of the week for a full switch infrastructure refresh - so all users will be remotely working.

In readiness this evening we tested that users would still be able to sign-in to Office365 and all cloud services inc. those with SSO to Entra. To simulate our HQ building being offline we took down both DCs at this site, leaving our Azure VM DC up and a DC at our branch office location up.

Unfortunately things didn’t go as expected…users couldn’t pass-through authenticate.

We’ve got an Entra Connect with PTA instance in Azure (active), and a second instance at our HQ in staging mode. The only time we could get PTA to work was when we also switched OFF the Entra Connect instance at our HQ…just leaving the Azure DC and Azure Entra Connect.

Entra wants multiple Entra Connect and PTA agents - but it seems like they become a problem if they are up with no local DCs.

Any ideas? Experience of Entra Connect in a failure scenario? Should it be seamless?
I'm wondering if it is maybe a DNS configuration issue on the HQ Entra Connect instance - does it need the DNS addresses of the non-HQ DCs?

u/Prancing__Moose — 8 days ago

Active Directory Passwordless Authentication with Yubikey

I'd like to share with you #Quickadcs, a PowerShell script; the idea is to simplify the implementation of passwordless authentication with YubiKey.
Quickadcs allows you to:

  • Configure a Public Key Infrastructure (PKI)
  • Provision a smartcard certificate template
  • Configure smartcard GPOs

Securing the most critical identities.
It's free and open source, available on GitHub: https://github.com/Marlyns-GitHub/Quickadcs.git

u/Mank_05 — 9 days ago

EVENT TOMORROW - Active Directory Community Virtual Meetup & Happy Hour

Less than 24 hours until our inaugural community meetup! I hope you all are excited, because I know I am! I will start the event early and do some pre-meeting banter if anyone is interested. Also, I'm going to open up for more attendees (we're sold out).

If you can't make it, no worries. I'll be recording it and will make it available through a couple of platforms.

Event Link: https://www.eventbrite.com/e/active-directory-community-virtual-meetup-happy-hour-tickets-1990001856121

Pre Q&A Link: https://docs.google.com/forms/d/e/1FAIpQLSeFsbopcwHDeCkMoSKu1X5PVUl_nglFpNAPSKrd38-ZM9sI1g/viewform

>NOTE: We had originally planned to use Proton to do the meeting but will be using Teams. We'll try Proton next time.

We're taking some pre-questions for the Q&A if you can't make it or just want to submit something. The panelists will be trying to go through as many of these as we can. Don't worry, we'll also be keeping an eye on the chat.

Agenda

  • Introductions + Warm Up
  • State of the Subreddit / Community Feedback
  • Community Discussion + Q&A + Panelist Discussion
  • Conclusions + Next Meeting Planning

u/poolmanjim — 8 days ago

Resources for PKI

Hi everyone,
I'm currently working in IAM and have realized that my understanding of SSL/TLS certificates and PKI is one of my weakest areas. While I understand the basic concepts of SSL/TLS, certificate-based authentication, and how certificates are used in applications, I want to build a much deeper and hands-on understanding of PKI from the ground up.

My primary focus is on Active Directory Certificate Services (AD CS). I'd like to learn everything properly, including:

  • Root CA and Intermediate CA hierarchy
  • Certificate chains and trust
  • CRLs and OCSP
  • Certificate templates
  • Enrollment and auto-enrollment
  • Certificate-based authentication
  • Smart cards and device certificates
  • PKI design and best practices
  • Common troubleshooting scenarios
  • AD CS attacks and security considerations

I'm looking for structured learning resources, labs, courses, home lab setups, websites, or platforms that provide practical hands-on experience rather than just theory.

For those who became comfortable with PKI and AD CS, what resources helped you the most? If you were starting from scratch today, how would you learn it?

Thanks in advance!

u/gigaMoron — 10 days ago

Is CCNA a must?

I started working as a helpdesk and it's been 7 months since I joined. Initially I went through some YT videos and got familiar with networking fundamentals and some hands-on knowledge with business-grade routers and unmanaged switches. The thing is, I know how things work up to static routing, which is more than enough for my role right now. But I'm focusing more towards system administration, so do I need to get the CCNA certificate or just move towards system administration?

u/Formal_Box_746 — 8 days ago

OAuth consent phishing bypasses every detection layer that assumes phishing requires credentials

Email arrives requesting app permission, user clicks through the real Microsoft consent UI, attacker gets persistent API access to the mailbox without credentials or a session token. MFA is completely irrelevant because no authentication event occurs after consent is granted.

Nothing in the email itself is malicious. The sender can be legitimate, the link goes to a real Microsoft domain, the consent screen is genuine UI. The only signal is the application name and the permissions it is requesting, neither of which most monitoring setups are alerting on in real time. Revocation requires finding the application in enterprise app registrations which is not somewhere most analysts are looking regularly.

u/Traditional_Vast5978 — 11 days ago
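The "only signal" the post names (application name plus requested permissions) can be pulled straight from the tenant's existing grants. This added example (not the poster's code) lists delegated OAuth2 permission grants, keeps those carrying mailbox-reaching scopes, and marks whether the app is owned by a foreign tenant and whether it was consented by a single user. It assumes the Microsoft Graph PowerShell SDK; the watch-list of scopes is my own starting point, not a complete rule.

```powershell
# Added example, not from the post. Requires the Microsoft Graph PowerShell SDK modules below.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications

function Get-RiskyConsentGrants {
    param(
        # Assumed watch-list: delegated scopes that give an app standing access to mail/files.
        [string[]] $WatchScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
                                    'MailboxSettings.ReadWrite', 'Files.ReadWrite.All', 'offline_access')
    )
    # Read-only directory scopes are enough to list grants and service principals.
    Connect-MgGraph -Scopes 'Directory.Read.All', 'Application.Read.All'
    $tenantId = (Get-MgContext).TenantId
    $spCache  = @{}

    foreach ($grant in Get-MgOauth2PermissionGrant -All) {
        # Scope is a space-separated string of delegated permissions on this grant.
        $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }
        $hits   = @($scopes | Where-Object { $_ -in $WatchScopes })
        if ($hits.Count -eq 0) { continue }

        # ClientId is the service principal of the consenting app; cache lookups per app.
        if (-not $spCache.ContainsKey($grant.ClientId)) {
            $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
        }
        $client = $spCache[$grant.ClientId]

        [pscustomobject]@{
            App          = $client.DisplayName
            AppId        = $client.AppId
            # Multi-tenant apps registered elsewhere are the usual shape of a consent-phishing app.
            ForeignOwner = ($client.AppOwnerOrganizationId -ne $tenantId)
            ConsentType  = $grant.ConsentType     # 'Principal' = one user consented; 'AllPrincipals' = admin
            PrincipalId  = $grant.PrincipalId     # consenting user's object id (empty for AllPrincipals)
            Flagged      = ($hits -join ' ')
            GrantId      = $grant.Id              # what you would revoke
        }
    }
}

# Usage: foreign-owned apps with user consent and mailbox scopes, newest review first.
Get-RiskyConsentGrants |
    Where-Object { $_.ForeignOwner -and $_.ConsentType -eq 'Principal' } |
    Format-Table App, AppId, PrincipalId, Flagged, GrantId -AutoSize
```

A grant that turns out to be unwanted is revoked with `Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>`; for an already-authorized app, also consider disabling the service principal so tokens stop being issued.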

Help!

I’m stuck on interpreting a NetNTLMv2 result.

Context:

- Target is a Windows Server domain controller

- SMB signing is required on the DC.

- Anonymous SMB and guest access fail.

- Responder captures repeated LLMNR/NBT-NS/mDNS requests for FileServer/FileServer.local.

- I captured a NetNTLMv2 response for a domain user.

- John cracks the NetNTLMv2 response to a plaintext candidate.

- However, the plaintext fails normal authentication:

- SMB: STATUS_LOGON_FAILURE

- LDAP simple bind: error 49 / data 52e

- WinRM: login failure

- Kerbrute confirms the username exists.

- I also tested LDAP relay with ntlmrelayx, but I’m still checking whether LDAP signing/channel binding or the authentication type blocks it.

Question:

Does a cracked NetNTLMv2 response that fails SMB/LDAP/WinRM usually indicate a stale/cached NTLM response, password change, old-password NTLM behaviour, wrong domain/format issue, or something else? What would be the correct methodology to prove which case it is, without just brute forcing?

u/Ok_Bad_9488 — 12 days ago