Group Policy Preferences Password Vulnerability Now Patched

Looks like Microsoft has finally removed the ability to set local administrator account passwords through Group Policy Preferences (GPP) because of the GPP password exposure vulnerability.

More information on how Group Policy Preferences are attacked is in the post “Finding Passwords in SYSVOL & Exploiting Group Policy Preferences“.

Because of the security concerns with storing passwords in Group Policy Preferences, Microsoft has released a security patch, MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege, that removes this functionality. Note that the patch does not clean up after itself: any passwords that were in Group Policy Preference XML files stored in SYSVOL before the patch are still in SYSVOL after MS14-025. Those preference items have to be found and removed by hand, and since every authenticated domain user can read SYSVOL, the passwords they contain should be treated as compromised and changed.

Note that this doesn't stop Windows from applying passwords that are already in Group Policy Preferences; it only removes the ability to configure passwords in Group Policy Preferences through the GUI. In other words, the patch is for the RSAT (Remote Server Administration Tools) Group Policy editor, not for the client-side extension that processes the preference items. This is impressive since it actually removes functionality, which is something Microsoft is traditionally not fond of doing.
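The following is an added example, not code from the original post or from Microsoft, that does the check a domain admin wants after installing MS14-025: it walks SYSVOL for the six preference types that can carry a credential, reports every item that still has a cpassword attribute, and decrypts the value. The decryption works because the 32-byte AES key used by GPP is published in Microsoft's MS-GPPREF specification (section 2.2.1.1.4), which is why a cpassword is effectively plaintext to anyone who can read SYSVOL. Assumptions: PowerShell 3.0 or later, and $Domain defaults to the current user's domain.

```powershell
# Added example; not code from the original post or from Microsoft.
# Finds Group Policy Preference items in SYSVOL that still carry a cpassword
# attribute after MS14-025 and decrypts them, so the affected accounts can be
# identified and their passwords changed.
# Assumptions: PowerShell 3.0+, read access to SYSVOL (every domain user has it),
# $Domain defaults to the current user's domain.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

function ConvertFrom-CPassword {
    param([Parameter(Mandatory = $true)][string]$CPassword)
    # 32-byte AES key from MS-GPPREF 2.2.1.1.4 (public); AES-256-CBC with a zero IV.
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    # GPP strips the base64 '=' padding; restore it before decoding.
    $pad    = (4 - $CPassword.Length % 4) % 4
    $cipher = [Convert]::FromBase64String($CPassword + ('=' * $pad))
    $aes    = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $key
    $aes.IV  = New-Object byte[] 16
    $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    # The plaintext is UTF-16LE, like every string GPP writes.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
# The preference types that can embed a password.
$targets = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

Get-ChildItem -Path $policyRoot -Recurse -Include $targets -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    [xml]$doc = Get-Content -Path $file.FullName
    foreach ($props in $doc.SelectNodes('//Properties[@cpassword]')) {
        $cp = $props.GetAttribute('cpassword')
        if (-not $cp) { continue }          # attribute present but empty: no password set
        # Which attribute names the target account depends on the preference type.
        $account = $null
        foreach ($attr in 'userName', 'username', 'accountName', 'runAs') {
            if ($props.HasAttribute($attr)) { $account = $props.GetAttribute($attr); break }
        }
        [pscustomobject]@{
            # The GPO GUID is the first directory below Policies.
            GPO      = ($file.FullName.Substring($policyRoot.Length).TrimStart('\') -split '\\')[0]
            File     = $file.Name
            Account  = $account
            Password = ConvertFrom-CPassword $cp
            Changed  = $props.ParentNode.GetAttribute('changed')
        }
    }
}
```

Each row names the GPO (by GUID), the preference file, the account the item sets and the recovered password. Delete the offending preference items in GPMC, then change the password on every machine the GPO applied to; removing the XML from SYSVOL does not undo a password that has already been pushed out.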

In July 2013, I wrote about the vulnerability of managing passwords with Group Policy Preferences. Here's the information:

Using Group Policy Preferences for Password Management = Bad Idea OR “How to Get Your Network Owned in Several Simple Steps”

Continue reading

Active Directory Changes in Windows Server 2012

Active Directory, aka Directory Services, has been updated quite a bit in Windows Server 2012.

Here are some of the major updates:

Microsoft article: “What’s New in Active Directory Domain Services (AD DS)”

Microsoft WhitePaper: Windows Server 2012 Evaluation Guide (pdf download)

How to Clean up the WinSxS Directory and Free Up Disk Space on Windows Server 2008 R2 with New Update

It’s finally here! After pages and pages of comments from you requesting the ability to clean up the WinSxS directory and component store on Windows Server 2008 R2, an update is available.

As a refresher, the Windows Server 2008 R2 update is directly related to my previous blog post announcing a similar fix for Windows 7 client.

The Windows 7 version of this fix introduced an additional option in the Disk Cleanup wizard that cleans up previous versions of Windows Update files. KB2852386 adds the same Disk Cleanup option on Windows Server 2008 R2.

What does this mean for Windows Server 2008 R2? After installing this update and prior to being able to perform the cleanup, the Desktop Experience feature must be installed. Why you ask? Disk Cleanup is not installed by default on Windows Server 2008 R2. It is instead a component installed with the Desktop Experience feature.

Why was the update not included as a DISM switch like Windows Server 2012 R2? 

This was evaluated, however, due to the amount of changes required and the rigorous change approval process, it was not feasible to back port the functionality this way. Knowing that it would be some time before everyone could upgrade to Windows Server 2012 R2 and based on feedback from an internal survey taken of a subset of enterprise customers, it was determined that this update would still be useful in its Disk Cleanup form, even with the Desktop Experience prerequisite. We hope you agree. However, we are aware that for some of you, the Desktop Experience requirement will be a deal breaker, but decided to release it anyway hoping it will help in some instances.

How can I get the update?

The update is available on Windows Update. It can also be manually downloaded from the Microsoft Update Catalog. The KB article listed above will also direct you to a download link in the Microsoft Download Center.

Script It!


My super knowledgeable scripting cohort Tom Moser wrote a PowerShell script that automates THE ENTIRE PROCESS. Can I get a cheer? Ok. So maybe it is a bit much to expect IT admins to cheer, but can I get an appreciative grunt?  The script certainly beats the alternative of doing this all manually.

You can find the script on the TechNet Script Center here:

What does the script do? 

In short, the script does the following:

1) Installs Desktop Experience, if not previously installed, and performs a reboot.

2) Sets the appropriate registry keys to automate the cleanup. The script cleans up not only previous Windows Update files but also Service Pack files.

3) The script then initiates the cleanup.

4) If Desktop Experience was not previously installed, the script uninstalls it.

5) Performs final reboot.
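As an added example, here is a minimal implementation of those five steps. It is not Tom Moser's TechNet script: because installing Desktop Experience needs a reboot, this version simply exits after step 1 and you run it again after the restart, rather than resuming itself. Run it from an elevated PowerShell on Windows Server 2008 R2. The marker file path and the /sagerun profile number 5432 are arbitrary choices made here, not values from the post or the KB article.

```powershell
# Added example; not Tom Moser's script from the TechNet Script Center.
# Two-pass cleanup for KB2852386 on Windows Server 2008 R2:
#   pass 1 installs Desktop Experience and reboots (rerun the script afterwards),
#   pass 2 runs the cleanup, removes Desktop Experience if we added it, and reboots.
# Assumptions: the marker file path and the /sagerun profile 5432 are arbitrary.
$ErrorActionPreference = 'Stop'
Import-Module ServerManager

$marker  = Join-Path $env:ProgramData 'WinSxSCleanup-RemoveDesktopExperience.flag'
$sageRun = 5432
$caches  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'

# The "Update Cleanup" handler only exists once KB2852386 is installed.
if (-not (Get-HotFix -Id KB2852386 -ErrorAction SilentlyContinue)) {
    throw 'KB2852386 is not installed; get it from Windows Update first.'
}

# Step 1: install Desktop Experience (which carries cleanmgr.exe) and reboot.
$de = Get-WindowsFeature -Name Desktop-Experience
if (-not $de.Installed) {
    New-Item -ItemType File -Path $marker -Force | Out-Null   # remember to remove it in step 4
    Add-WindowsFeature -Name Desktop-Experience | Out-Null
    Write-Host 'Desktop Experience installed. Rebooting; run this script again afterwards.'
    Restart-Computer -Force
    return
}

# Step 2: select the Update Cleanup and Service Pack Cleanup handlers for
# profile $sageRun. A StateFlags<NNNN> DWORD of 2 means "clean this cache".
foreach ($handler in 'Update Cleanup', 'Service Pack Cleanup') {
    $key = Join-Path $caches $handler
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name ('StateFlags{0:D4}' -f $sageRun) -Value 2 -Type DWord
    }
}

# Step 3: run Disk Cleanup unattended against that profile and wait for it.
Start-Process -FilePath "$env:SystemRoot\System32\cleanmgr.exe" -ArgumentList "/sagerun:$sageRun" -Wait

# Step 4: remove Desktop Experience only if this script installed it.
if (Test-Path $marker) {
    Remove-WindowsFeature -Name Desktop-Experience | Out-Null
    Remove-Item -Path $marker -Force
}

# Step 5: final reboot; Update Cleanup finishes removing superseded components during the restart.
Restart-Computer -Force
```

The marker file is what lets step 4 honor "if Desktop Experience was not previously installed": without it, a second run after the reboot could not tell whether the feature was already there before the script touched the box.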

Active Directory FSMO Placement Guidance

FSMO Placement Guidance Summary:

  • Make sure the PDC is highly available and connected.
  • Place the PDC on your best hardware in a reliable hub site that contains replica domain controllers in the same Active Directory site and domain.
  • Place the Forest FSMOs on the forest root PDC (schema master & domain naming master).
  • Place the RID master on the domain PDC in the same domain.
  • If you have a single domain environment, all DCs are GCs, OR you have enabled the recycle bin (see MSDN note below), place the infrastructure master on the PDC (which likely contains the other FSMO roles as well).
  • Don’t move FSMOs around regularly. The PDC is targeted for a number of operations and network connections. It is best to not force clients to rediscover the PDC on a regular basis.

This means, in a single domain environment, it makes sense to place all the FSMOs on a single DC. Pick one that is highly available and well-connected. You may decide that a virtual DC is the way to go since it can usually be moved between hosts for DR/COOP reasons. If you do virtualize this DC, consider disabling VM host time synchronization, since the PDC emulator is the authoritative time source for the domain and should not take its time from the hypervisor; there may be valid reasons for not doing so, though.

In a multiple domain environment, place the Forest FSMOs on the forest root PDC (schema master & domain naming master) and select one DC per domain on which to place all of the FSMOs – the PDC is a good choice assuming they are all GCs or the AD Recycle Bin is enabled.
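The following added example (not code from the original post) turns the guidance above into a check you can run against an existing forest with the ActiveDirectory module (RSAT on Windows 7 / Server 2008 R2 or later). It verifies that the forest FSMOs sit on the forest root PDC, that each domain's RID master is on its PDC, that the infrastructure master is not on a GC in the one case where that matters, and that each PDC has a replica DC in its own site.

```powershell
# Added example, not from the original post: compare the forest's current FSMO
# placement with the placement guidance. Needs the ActiveDirectory module and
# read access to the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain
$recycleBinOn = [bool](Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes
$multiDomain  = @($forest.Domains).Count -gt 1
$findings = @()

# Forest-wide roles belong on the forest root PDC.
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    if ($forest.$role -ne $root.PDCEmulator) {
        $findings += "$role is on $($forest.$role), not on the forest root PDC $($root.PDCEmulator)"
    }
}

foreach ($domainName in $forest.Domains) {
    $d     = Get-ADDomain -Identity $domainName
    $dcs   = @(Get-ADDomainController -Filter * -Server $domainName)
    $allGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # RID master on the domain PDC.
    if ($d.RIDMaster -ne $d.PDCEmulator) {
        $findings += "${domainName}: RID master $($d.RIDMaster) is not on the PDC $($d.PDCEmulator)"
    }

    # The infrastructure master only matters in a multi-domain forest where some
    # DCs are not GCs and the Recycle Bin is off; then it must not sit on a GC.
    $im = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
    if ($multiDomain -and -not $allGC -and -not $recycleBinOn -and $im.IsGlobalCatalog) {
        $findings += "${domainName}: infrastructure master $($d.InfrastructureMaster) is a GC, but not all DCs are GCs and the Recycle Bin is disabled"
    }

    # The PDC should share its site with at least one replica DC of the same domain.
    $pdc   = $dcs | Where-Object { $_.HostName -eq $d.PDCEmulator }
    $peers = $dcs | Where-Object { $_.Site -eq $pdc.Site -and $_.HostName -ne $pdc.HostName }
    if (-not $peers) {
        $findings += "${domainName}: PDC $($d.PDCEmulator) has no replica DC in site $($pdc.Site)"
    }
}

if ($findings) { $findings } else { 'FSMO placement matches the guidance.' }
```

The infrastructure master test is deliberately narrow: in a single-domain forest, or once every DC is a GC or the Recycle Bin is enabled, the role has no work to do, so its location is not worth flagging.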


From MSDN: "Infrastructure FSMO Role

When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references in the event that the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role."

FSMO Role Information:
Continue reading

Windows Server 2012 MCSM Reading List

Here’s a link to download the MCM/MCSM Directory Services Reading List document that I developed for the MCSM Directory Services (Windows Server 2012) program and was created after the MCSM Directory Services (Windows Server 2012) test questions were written.

It is based on the original one created for the MCM DS program provided to candidates.


The AD Reading Library on this site also has Active Directory references worth reading and is updated occasionally.

Enabling and Managing the Active Directory Recycle Bin

So, you have upgraded all your DCs in the forest to Windows Server 2008 R2 and raised the domain and forest functional levels to Windows Server 2008 R2. Congratulations!
Now what?

Yes, you have to enable the AD Recycle Bin manually by running the following PowerShell commands:

Import-Module ActiveDirectory

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=com' -Scope ForestOrConfigurationSet -Target 'DOMAIN.com'
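Enabling is only half of "managing" the Recycle Bin, so here is an added example (not code from the original post) that checks the forest functional level first, enables the feature only if it is not already on, reports how long deleted objects stay restorable, and restores a deleted user, falling back to another OU when the original parent container was deleted too. 'jdoe' and 'OU=Recovered,DC=DOMAIN,DC=com' are placeholders, not names from the post.

```powershell
# Added example, not from the original post: prerequisite check, enable the
# Recycle Bin if needed, show the restore window, and restore a deleted user.
# 'jdoe' and 'OU=Recovered,DC=DOMAIN,DC=com' are assumed placeholders.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
}

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    # One-way operation: once enabled, the Recycle Bin cannot be turned off again.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# A deleted object stays restorable for msDS-deletedObjectLifetime days, after
# which it is recycled and unrecoverable; if unset, tombstoneLifetime applies.
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
                         -Properties 'msDS-deletedObjectLifetime', tombstoneLifetime
$lifetime = $dsConfig.'msDS-deletedObjectLifetime'
if (-not $lifetime) { $lifetime = $dsConfig.tombstoneLifetime }
"Deleted objects remain restorable for $lifetime days."

function Restore-DeletedUser {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$FallbackOU = 'OU=Recovered,DC=DOMAIN,DC=com'   # assumed placeholder
    )
    $deleted = Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true -and objectClass -eq 'user' } `
                            -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $deleted) { throw "No deleted user '$SamAccountName' in the Recycle Bin." }
    # Several tombstones can share a name; take the most recently deleted one.
    $obj = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1

    # Restore-ADObject puts the object back under lastKnownParent, which fails if
    # that OU was deleted as well; fall back to a known-good container in that case.
    $parentExists = $true
    try { $null = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop } catch { $parentExists = $false }
    if ($parentExists) {
        Restore-ADObject -Identity $obj.ObjectGUID
    } else {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $FallbackOU
    }
}

Restore-DeletedUser -SamAccountName 'jdoe'
```

Restoring by ObjectGUID rather than by distinguished name matters because a deleted object's DN is mangled (the RDN gets a "\0ADEL:<guid>" suffix and it lives under CN=Deleted Objects); the GUID is the one identifier that survives deletion unchanged.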

Note that this effectively removes the importance of the Infrastructure Master FSMO since all DCs will perform that role. From MSDN: Continue reading

Facebook increases privacy on all new posts by default

Looks like Facebook might be coming to its senses…


AD Reading: How Key Active Directory Components Work

The following links provide in-depth information on how key Active Directory components work.


AD Reading: Windows Server 2012 Active Directory Features

The following are extremely useful resources for Windows Server 2012 Active Directory Features.


Windows 2012 Features

Group Managed Service Accounts (gMSA)

RID Protection

DC Cloning & SafeGuarding

Dynamic Access Control (DAC)

Kerberos FAST

Kerberos Constrained Delegation Enhancements

o   Part 1

o   Part 2


Kerberos Proxy

AD Reading: Active Directory Group Policy

The following are extremely useful resources for understanding the Active Directory Group Policy.

Group Policy

o   Core Group Policy Architecture

o   Core Group Policy Physical Structure

o   Core Group Policy Processes and Interactions

o   Network Ports Used by Group Policy

o   Related Information

o   Change and Configuration Management

o   Core Group Policy Infrastructure

o   Core Group Policy Scenarios

o   Core Group Policy Dependencies

o   Related Information

o   Group Policy Tools

o   Group Policy Settings

o   Group Policy WMI Classes

o   Related Information

o   Overview of Group Policy

o   Planning Your Group Policy Design

o   Designing Your Group Policy Model

o   Deploying Group Policy

o   Maintaining Group Policy

o   Additional Resources for Group Policy Infrastructure

o   What Is Group Policy Management Console?

o   How Group Policy Management Console Works

o   Group Policy Management Console Tools and Settings

o   What Is Group Policy Object Editor?

o   How Group Policy Object Editor Works

o   Group Policy Object Editor Tools and Settings

  • Group Policy Loopback processing

o   Part 1: Circle Back to Loopback

o   Part 2: Back to the Loopback: Troubleshooting Group Policy loopback processing