Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter. Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8

Author's posts

AD Fundamentals: Group Policy Permissions & Owner Rights

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. In this post, we focus on Group Policy Objects (GPOs) and their permissions. Group Policy provides the ability to change application settings, security settings, install and run code, and more! …

AD Fundamentals: Domain Root & AdminSDHolder Permissions

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. This post focuses on permissions on two important objects in AD: the Domain root and the AdminSDHolder object. Domain Root: Let’s start with the domain root. The domain is the container …

AD Fundamentals: DSHeuristics

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. In this post, we focus on the mostly unknown AD component called DSHeuristics. DSHeuristics is like a registry editor for changing behavior in the Active Directory forest (and AD Lightweight …

AD Fundamentals: Pre-Windows 2000 Compatible Group

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. In this post, we focus on the often-misunderstood group called “Pre-Windows Compatible”. This domain-scoped group is created automatically in the Built-in root OU and is part of any Active Directory …

AD Fundamentals: Domain Controller Security

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. In this post, we focus on Domain Controller configuration. Tier 0 Domain Controllers need to be managed and maintained as Tier 0 servers since they handle authentication and authorization for …

Active Directory Security Tip #16: Mitigating Kerberoast Attacks

There are two main password attacks leveraged by adversaries; one is called Password Spraying and the other is called Kerberoasting. This post focuses on identifying accounts that may be targeted for Kerberoasting and how to harden the environment against Kerberoasting.

Active Directory Security Tip #15: Active Directory Domain Root Permissions

This week let’s look at Active Directory domain permissions which are configured on the domain root and apply to the domain. There are many different types of concerning permissions, but let’s look at the most egregious.

Active Directory Security Tip #14: Group Managed Service Accounts (GMSAs)

User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed. This means that the GMSA has to have security principals explicitly delegated …

Improve Entra ID Security More Quickly

At BSides Northern Virginia (BSides NoVa) in October 2025, I presented a talk on how to improve Entra ID security quickly. This post captures the key information from my talk slides. This article describes the Entra ID settings and configuration that should be set to improve security including:
