The latest Group Policy settings reference spreadsheet that covers the available administrative template settings and security settings for Windows Server “8” Beta, Windows 8 Consumer Preview and all earlier versions of Windows is now available in the download center, here.
A description of what is contained in this latest version can be found here:
The Ask the Directory Services Team blog has a post that outlines some of the improvements to Group Policy management that are in Windows Server 8, including:
The post goes into more detail for reach of the above and can be found here.
Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage your computers, traditional datacenter, and private cloud using Group Policy and Microsoft System Center Configuration Manager. SCM provides ready-to-deploy policies and DCM configuration packs that are tested and fully supported. Product baselines are based on Microsoft Security Guide recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and reduce security threats.
According to a post on the Ask the Directory Services Team Blog, SCM 2.5 includes several new features, such as:
SCM 2.5 Beta can be found on Microsoft Connect.
Active Directory Domain Services (AD DS) in Windows Server 8 includes several management enhancements. One of which, is the ability to use the Active Directory Administrative Center to restore objects in the Recycle Bin. What follows is a sneak peak at using the Active Directory Administrative Center in the Developer Preview of Windows Server 8 to restore objects that reside in the Recycle Bin.
As you may already know, Microsoft released a Developer Preview for Windows Server 8. Although the Developer Preview is not feature complete, there are several changes and new features. In terms of Active Directory Domain Services (AD DS), the way in which AD DS is installed has also changed (for the better). Some examples of the changes to the installation include:
What follows is a step-by-step guide to installing AD DS using the Developer Preview of Windows Server 8.
Microsoft has released an update to the Active Directory Monitoring Pack for System Center Operations Manager.
This release focuses fixing problems reported by customers. The accompanying guide mentions:
The update can be found here.
I came across an article on Windows IT Pro that provides a good overview of the new Active Directory features in Windows Server 8. The article can be read here.
As discussed in detail in a post on the AskDS team blog, using security groups for Group Policy preferences (GPP) targeting was a really bad idea. So much so that it would typically result in a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy GPP to the computer. Microsoft recently released a hotfix that addresses this issue by changing how the Security Group Targeting item calculates computer group membership.
If you are using, or plan to use, computer group membership for GPP targeting, you’ll want to install this hotfix. Information pertaining to the hotfix can be found in the Microsoft Knowledgebase article 2561285. Additional information on the issue can be found here. Additional information on the resolution can be found here.
I ran across a post on the AskDS Team blog, which goes into depth on Kerberos and Load Balancing. It’s definitely worth a read if you plan to use Kerberos in a load balanced environment. The post can be found here.
Microsoft has a great KB article that is a must read if you are considering to deploy, or already have deployed, DCs in virtual environments. The KB was updated earlier this month and can be found here.
Microsoft recently updated a KB that lists the well-known security Identifiers (SIDs). The revised KB can be found here.
I’ve said many times that a default installation of Active Directory is not secure. There are several reasons for this, and I do not consider this to be a design flaw. However, there are several built-in features that enable you to secure AD according to your specific requirements.
One of the most common “mitigation” you read is to rename built-in accounts, such as the Administrator account. I’ve never been a fan of this recommendation simply because anyone really looking to exploit your AD environment will be able to determine the renamed account in a matter of seconds. This has to do with well-known SIDs.
Microsoft defines well-known SIDs as:
A group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems.
And, the built-in Administrator account is a well-known SID. Therefore, anyone can find the renamed Administrator account simply by knowing the SID. Again, since this is a built-in account, the SID is going to be the same regardless of the environment. All you need to find out is the domain SID, which isn’t difficult. (The Administrator account has a SID of S-1-5-21domain-501, where domain is the domain’s SID).
IMO, renaming built-in accounts may ward off the novice hacker, but it won’t save you from the ones looking to cause real damage. Nonetheless, you should always look at the risks that apply to your environment, and mitigate them accordingly.
There’s a great post on the Ask the Directory Services Team blog that explains how to get the effective audit policy in Windows 7 and Windows Server 2008 R2. Although this sounds like a fairly straightforward thing to do, it’s a little more complex than you may think. This relates to the different ways auditing can be applied – legacy auditing (think pre-Windows Server 2008), granular auditing (Windows Vista/Windows Server 2008) and Advanced Audit Policy Configuration (Windows 7 and Windows Server 2008 R2) – coupled with the fact that auditing can be applied at various levels – domain policy, local policy, multiple-local policy, per-user, or using command-line tools. The post can be read here.
I came across a post on the Active Directory Documentation Team blog, which may be quite useful. According to the post, they are:
pulling together resources that will hopefully become a central location to help people troubleshoot Active Directory issues in the Active Directory Troubleshooting Survival Guide
The Active Directory Survival Guide, which is a Microsoft TechNet Wiki, can be found here: http://social.technet.microsoft.com/wiki/contents/articles/active-directory-troubleshooting-survival-guide.aspx
Description: Learn how to configure Windows Firewall with Advanced Security connection security rules to protect network communication between a domain controller and domain member computers using Internet Protocol security (IPsec).
Download from here.
Wouldn’t it be nice to have a way to automatically generate a Visio diagram of your Active Directory and/or Exchange topology? Well you can by using the Microsoft Active Directory Topology Diagrammer.
Microsoft recently released an update for the User State Migration Tool (USMT) 4.0 that includes fixes and support for migration scenarios for when the source or destination computer have Microsoft Office 2010 installed. The update can be downloaded from here. Additional information on the hotfix can be found by going to http://support.microsoft.com/kb/2023591.
I’ve been doing some research on the changes to Active Directory Domain Services in Windows Server 2008 R2 Service Pack 1. Although Windows Server 2008 R2 SP 1 is still not RTM, there are many useful resources available. Here’s a summary of the changes specific to AD DS in Windows Server 2008 R2 Service Pack 1:
I was recently looking into an LDAP over SSL issue, and I found some very useful articles online…here they are:
I came across a good post that explains how to leverage Group Policy Preferences to change the local Administrator password on member computers. I haven’t had a chance to give it a try, but it sounds pretty good. The article can be found by going here.
Microsoft has updated/corrected the description of the rules for password complexity for Active Directory. The updated description can be found at http://technet.microsoft.com/en-us/library/cc786468(WS.10).aspx. Here’s a snippet:
This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created.
If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:
Microsoft recently released an update for the Active Directory Domain Services Best Practices Analyzer (AD DS BPA) in Windows Server 2008 R2. This update adds the following 8 new rules to the AD DS BPA:
I came across a post on the Ask the Directory Services Team Blog, which provides some great links on additional reading for Active Directory. The post can be read here, and is has several useful links which are worth a read.
Windows Server 2008 and Windows Server 2008 R2 include improvements to bridgehead server selection, which are not very well known. In fact, Microsoft only recently published an article on TechNet to explain the improvements to bridgehead server selection in Windows Server 2008 R2. What follows is an in-depth look at these improvements.