Active Directory & Azure AD/Entra ID Security

Active Directory & Azure AD/Entra ID: Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Category: ActiveDirectorySecurity

May 19 2026

AD Fundamentals: Group Policy Permissions & Owner Rights

By Sean Metcalf in ActiveDirectorySecurity, AD Fundamentals

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. In this post, we focus on Group Policy Objects (GPOs) and their permissions. Group Policy provides the ability to change application settings, security settings, install and run code, and more! …

GPOOwner, GPOPermissions, GPOSecurity, GroupPolicyOwner, GroupPolicyPermissions, GroupPolicySecurity

May 13 2026

AD Fundamentals: Domain Root & AdminSDHolder Permissions

By Sean Metcalf in ActiveDirectorySecurity, AD Fundamentals, Technical Reference

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. this post focuses on permissions on two important objects in AD: the Domain root and the AdminSDHolder object. Domain Root Let’s start with the domain root. The domain is the container …

AdminSDHolder, AdminSDHolderPermissions, DomainPermissions, DomainRootPermissions

May 12 2026

AD Fundamentals: DSHeuristics

By Sean Metcalf in ActiveDirectorySecurity, AD Fundamentals

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. In this post, we focus on the mostly unknown AD component called DSHeuristics DSHeuristics is like a registry editor for changing behavior in the Active Directory forest (and AD Lightweight …

DSHeuristics, DSHeuristicsSecurity, dwAdminSDExMask, fAllowAnonNSPI, fLDAPBlockAnonOps

May 06 2026

AD Fundamentals: Pre-Windows 2000 Compatible Group

By Sean Metcalf in ActiveDirectorySecurity, AD Fundamentals, Microsoft Security, Technical Reference

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. In this post, we focus on the often-misunderstood group called “Pre-Windows Compatible”. This domain-scoped group is created automatically in the Built-in root OU and is part of any Active Directory …

Pre-Windows2000, Pre-Windows2000CompatibleGroup, Pre-Windows2000CompatibleSecurity, PreWindows200Compatible

May 05 2026

AD Fundamentals: Domain Controller Security

By Sean Metcalf in ActiveDirectorySecurity, AD Fundamentals, Technical Reference

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. In this post, we focus on Domain Controller configuration. Tier 0 Domain Controllers need to be managed and maintained as Tier 0 servers since they handle authentication and authorization for …

DCACLs, DCSecurity, DCSupportedWindows, DomainController, DomainControllerPermissions, DomainControllerSecurity, DomainControllerSoftware

Mar 02 2026

Detecting Fake Active Directory Password Changes

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Mitigation, PowerShell

In Active Directory, there has been a method that’s been around for many years which changes the password last set date but not the actual password. This is what I call a “fake password change” since the account appears to have a recent password when scanning for old passwords based on password last set, but …

ActiveDirectory, ActiveDirectoryReplicationMetadata, FakeADPasswordChange, FakePasswordChange, PowerShell, pwdlastset, unicodepwd

Jan 20 2026

Active Directory Security Tip #16: Mitigating Kerberoast Attacks

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Mitigation, PowerShell, RealWorld

There are two main password attacks leveraged by adversaries; one is called Password Spraying and the other is called Kerberoasting. This post focuses on identifying accounts that may be targeted for Kerberoasting and how to harden the environment against Kerberoasting.

ActiveDirectory, ActiveDirectorySecurityTip, Kerberoast, kerberoasting, MitigateKerberoastAttack, PowerShell

Dec 02 2025

Active Directory Security Tip #15: Active Directory Domain Root Permissions

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, PowerShell

This week let’s look at Active Directory domain permissions which are configured on the domain root and apply to the domain. There are many different type of concerning permissions, but let’s look at the most egregious.

ActiveDirectory, ActiveDirectorySecurityTip, ADPermissions, Domain Root Permissions

Nov 04 2025

Active Directory Security Tip #14: Group Managed Service Accounts (GMSAs)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, PowerShell, Technical Reference

Group Managed Service Accounts (GMSAs) User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed. This means that the GMSA has to have security principals explicitly delegated …

ActiveDirectorySecurityTip, GMSA, GroupManagedServiceAccount, msDS-GroupManagedServiceAccount, msDS-GroupMSAMembership, msds-ManagedPassword, msDS-ManagedPasswordId, msDS-ManagedPasswordInterval, PrincipalsAllowedToRetrieveManagedPassword

Oct 08 2025

Active Directory Security Tip #13: Reviewing Foreign Security Principals (FSPs)

By Sean Metcalf in ActiveDirectorySecurity, PowerShell, Technical Reference

Review the membership of groups for accounts and groups from another Active Directory forest (technically another domain, but using forest here). These are called “Foreign Security Principals” (FSPs) like the ones highlighted in the image. These FSPs are accounts that exist in another forest but have rights in the AD forest. Any FSPs should be …

ActiveDirectory, ActiveDirectorySecurityTip, ForeignSecurityPrincipals, FSP, FSPs

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2025.

Made with by Graphene Themes.

Category: ActiveDirectorySecurity

AD Fundamentals: Group Policy Permissions & Owner Rights

AD Fundamentals: Domain Root & AdminSDHolder Permissions

AD Fundamentals: DSHeuristics

AD Fundamentals: Pre-Windows 2000 Compatible Group

AD Fundamentals: Domain Controller Security

Detecting Fake Active Directory Password Changes

Active Directory Security Tip #16: Mitigating Kerberoast Attacks

Active Directory Security Tip #15: Active Directory Domain Root Permissions

Active Directory Security Tip #14: Group Managed Service Accounts (GMSAs)

Active Directory Security Tip #13: Reviewing Foreign Security Principals (FSPs)

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Category: ActiveDirectorySecurity

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright