User password age and why you can't trust it blindly

There are many ways to check when a user last set his password; my two favorites are PowerShell and the built-in net command that is present in all current Windows versions.

There are other things that matter when we are discussing passwords. There are a few we need to keep in mind. The most basic are:

  • Checkbox – Password never expires
  • Checkbox – User must change password at next logon
  • Value – Maximum password age
  • Value – When was the password last set

So how is all this stored:


RID pool depleted?

Whoa.. What happened.. I was about to install new software in my home domain that required a service account, so I tried to run New-ADServiceAccount.. But I got:

So why does my domain leak like a sieve?

Let's run dcdiag on it


Enable scavenging on all DNS zones using PowerShell

So I needed to enable scavenging on all reverse zones for a customer. All forward and most reverse zones were done but not all. Since this was a Windows Server 2012 R2 server, I knew that every cmdlet I might need was available.

But what if I have enabled scavenging but want to update which servers will scavenge?

And now all my zones have scavenge enabled and the correct DNS server specified.

Don't forget to create a GPO Central Store

It doesn’t matter if your domain is new or old. If the servers are Windows 2008 or later you could and should use the central store. I have seen both new and upgraded domains that don’t use the concept of the central store.

What is the Central Store

In older versions of Windows you copied the administrative templates to each GPO. With Windows 2008 and later you neither need to nor should do so. The Central Store is a directory on the sysvol where all servers can look, so that multiple policies share the same new ADMX format files.

I checked, I don't have the Central Store, and it works anyway

Well yes, all Windows machines of the same level have a copy of the same policies in the C:\Windows\PolicyDefinitions directory. But that gives different information based on the client that you used to edit the policy. By creating the central GPO store we make sure that all clients use the same ADMX files.

How do I create a central store then?

Just copy the C:\Windows\PolicyDefinitions directory with subfolders to \\domain.fqdn\sysvol\domain.fqdn\policies\. It's as simple as that.

For more information see How to Implement the Central Store for Group Policy Admin Templates, Completely (Hint: Remove Those .ADM files!)

Don’t talk to the prisoner

I know that it sounds like a bad line from a movie, but it is really a valid point in computing too. So which prisoner am I speaking of? Let's see if you can guess, so your options are:

  • The Beagle Boys, you know from Donald Duck.
  •, one of the servers that blackholes bad DNS queries.
  • Al Capone, the famous gangster.
  • Aung San Suu Kyi, political prisoner of Burma.

Well even if I think most of these prisoners are interesting today my plan is to write about

Why and how we can avoid it.

Manually remove Direct Access from a client

So why would I even want to do this, isn’t Direct Access great?

Well yes, when Direct Access is working it is great, unless you are using Citrix without a Citrix Secure Gateway. So why is it good to know how to manually remove Direct Access from a client? I ran into a problem last week: when changing the Network Location server location, some clients got stuck. The NLS server was changed but the NRPT didn't get the change before triggering the Direct Access connection. And to make things worse, the customer had problems that stopped the clients from connecting through Direct Access from the inside.

So there I was: when a client refreshed the Direct Access GPO, it stopped working. So we disabled the GPO, which stopped new clients getting into this dark place that is broken Direct Access.

How to demote a Domain Controller

So you might have a system hardcoded to talk with that domain controller. Now you need to find which servers are talking to the domain controller.

  1. Disable dynamic DNS
  2. So now clean up the DNS of that domain controller so no more clients will talk to the server by DNS queries.
  3. Wait a couple of days.
  4. Then use Network Monitor to check if any and which clients are still talking to the server.
  5. For DNS you can use my script from the blog post about DNS logging.
  6. Continue to remove systems that are still using the Domain Controller.
  7. When you give up or are done, you can remove the domain controller.
  8. Depending on which Windows version you have you have the option of dcpromo or the Server Manager.

How to Prevent Domain Controllers from Dynamically Registering DNS Names

Update: Since I wrote this, Pierre Audonnet has written about this too, giving the following suggestions.

Remove unwilling B2D device in Backup Exec

So you are using Backup Exec 2012 and are having problems with a ghost B2D folder.. You can’t seem to be able to remove it. You get an error like:

Remove-BEDiskStorageDevice : Unable to delete the disk storage. The device (or Backup Exec server) cannot be deleted because existing jobs or selection lists remain.  You must select another target for these jobs or selection lists before you can delete the device or Backup Exec server.


Clean users email addresses from old domains

So you have lots of domains in your Exchange environment that you don’t use anymore. Well, you remove them from the accepted domains and what do you know: they still exist on all the users. So how do we clean this up? Well, I wrote a small PowerShell script that does just that.

Let's start with getting all accepted domains:

And now just list all addresses that are wrong:

And now just rerun the script altered so it removes the addresses instead:


What to remove in DNS to stop Client Access to Domain Controllers

So you want to get rid of a domain controller, but don't want incidents with systems configured directly to that controller?

First off, start with disabling the dynamic registration of the Domain Controller in DNS. The easy way of doing that is by setting the registry value of UseDynamicDns to 0.

So now the Domain Controller won't register itself in the DNS again. So now let's start to remove entries from the DNS. There exists a list in %WINDIR%\System32\config\netlogon.dns. Below is an example of that list.