News, Blog & Resources

Find differences between two GPO templates

25th June, 2018

If you’ve been dealing with Group Policy Objects (GPO) for any length of time you’ll know that when a new version of the ADMX templates are released there are often no release notes as to what has changed.  If you’re lucky you’ll find the occasional blog that tells you what may be some of the […]

Mobile number not syncing via AAD Connect

22nd June, 2018

Very brief observation from us today. A customer complained that the mobile attribute was not syncing from their local Active Directory to Office 365/Azure Active Directory – even though AAD Connect was reporting the attribute changes…. It turns out, that this is one of the only attributes editable directly on Azure Active Directory / Office […]

Technical Limitations of Migrating IBM Domino Rooms to Exchange

21st June, 2018

Recently we observed an issue with Domino Rooms that we migrated to Exchange/Office 365.  In short, appointments contained within cannot be cancelled or re-scheduled and always remain as zombie reservations (unless manually cleaned up). Coexistence This is addition to coexistence issues experienced with Rooms.  You have to set Microsoft Rich Text to disabled for the […]

Paying it forward…

19th June, 2018

Paying it forward… Well, not really, just plain old IT email forwarding. We all (Messaging Admins) have used forwarding extensively, but it struck me that there are several ways to achieve the same thing.  Most often the forwarding scenario comes up during the following scenarios: Coexistence (mergers / acquisitions / divestitures) Upgrades (migrating to a […]

Inside Kerberos – 7: Wrap up

17th May, 2018

Alright, we’ve covered a lot of ground, but let’s wrap up by grabbing our original questions and answering the 1. Why is there a problem with SIDHistory and Domain Local Groups, and exactly what is the problem? We’ve seen that Domain Local groups can have sid-history applied from one domain to another, this allows for […]

Inside Kerberos – 6: Conversations

10th May, 2018

We have covered a lot of ground so far, and we have touched on the Kerberos conversations that go on, but let’s take a deeper look at exactly how these messages are made up and how they are protected. Elements to protect the transmission Secret Keys Secret keys are stored inside the Security Account Manager […]

Inside Kerberos – 5: Tokens

3rd May, 2018

Alright then, we’ve covered SIDs, SIDHistory, and Tickets.  Let’s move onto Access Tokens. Privilege Access Certificate The Privilege Access Certificate or PAC is a Microsoft extension to Kerberos utilizing the Authorization Data field in the tickets.  This is sometimes referred to as the Access Token, however strictly speaking the Access Token is the structure generated […]

Inside Kerberos – 4: Tickets

25th April, 2018

Ok I think we have talked enough about SIDs in the previous two parts on SIDs and SIDHistory.  Let’s move on to Kerberos tickets… Luckily in Kerberos there are really only two tickets (which confusingly are sometimes also referred to as Tokens) Ticket Granting Ticket (TGT) Service Ticket (ST) Both of these tickets are issued […]

Inside Kerberos – 3: SIDHistory

19th April, 2018

In this blog we will be exploring SID History, and it follows on from Part 1 which gave an overview of Kerberos, and Part 2 which was all about SIDs. The attribute sid-history has been there right since Windows 2000 and is used to store all of the SIDs that an object has had.   […]

Inside Kerberos – 2: SIDs

12th April, 2018

In Part 1 we set the scene in regards to how Kerberos works at a high level, so let’s now get down and dirty with Security Identifiers (SIDs) What is a Security Identifier (SID)? From MSDN: “A security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has […]

Inside Kerberos – 1: Overview

5th April, 2018

I recently did some work at a client to help migrate them to a new Active Directory.  While setting up the migration including password and SidHistory syncs I told them to be careful of Domain Local Groups which can cause issues if users are nested directly in them.  Now I knew this was true, but […]

Add open with Notepad as Administrator

9th March, 2018

So often do I work on my laptop or on servers and I have to open a file in Notepad to edit it, however the file is protected so you have to not only be an administrator but you need to use ‘Run as Administrator’ Now that’s all well and good if the menu item […]