Jan 10

Dynamic Objects in Active Directory

Sometimes we need to create users, groups or computers in Active Directory that will only be used temporarily (by a contractor, for testing, etc.). The typical workflow is: Create > Use for a while > Delete. The deletion is manual, and these objects are often forgotten, which poses security risks.

It is a little known fact that we can create so-called Dynamic objects (DOs, a.k.a. temporary objects) that are deleted from AD automatically when their associated TTL expires. Microsoft added this capability in Windows Server 2003. In fact, "Dynamic object" is an auxiliary class (OID = 1.3.6.1.4.1.1466.101.119.2). When linked to an object it adds new attributes such as entryTTL (Entry-TTL) and ms-DS-Entry-Time-To-Die.
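As an added example (not code from the original post), the following PowerShell creates a temporary user as a dynamic object through ADSI and then audits the domain for all dynamic objects and their expiry. The OU path, account name and TTL are constructed placeholders; the script assumes the Active Directory PowerShell module is available for the audit part.

```powershell
# Added example: create a dynamic (auto-expiring) user and audit dynamic objects.
# Placeholder values below (OU, account name, TTL) are constructed for illustration.

$ouPath      = "LDAP://OU=Contractors,DC=example,DC=com"   # assumption: target OU
$accountName = "tmp.contractor"                             # assumption: sample account
$ttlSeconds  = 7 * 24 * 3600                                # one week; AD enforces a minimum
                                                            # (DynamicObjectMinTTL, default 900 s)

# ADS_PROPERTY_APPEND lets us add a second value to the multi-valued objectClass
# attribute so the new object is both "user" and "dynamicObject" at creation time.
$ADS_PROPERTY_APPEND = 3

$ou   = [ADSI]$ouPath
$user = $ou.Create("user", "CN=$accountName")
$user.PutEx($ADS_PROPERTY_APPEND, "objectClass", @("dynamicObject"))
$user.Put("entryTTL", $ttlSeconds)           # lifetime in seconds from now
$user.Put("sAMAccountName", $accountName)
$user.SetInfo()                               # LDAP add; the DC computes msDS-Entry-Time-To-Die

# Audit: list every dynamic object in the domain with its remaining TTL and expiry time.
# This is the check to run periodically so that "temporary" objects are really temporary
# and so that nothing unexpected has been created with an auto-delete timer.
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(objectClass=dynamicObject)" `
             -Properties entryTTL, msDS-Entry-Time-To-Die, whenCreated |
    Select-Object DistinguishedName, ObjectClass, whenCreated,
                  @{ Name = "TTL(s)";   Expression = { $_.entryTTL } },
                  @{ Name = "Expires";  Expression = { $_."msDS-Entry-Time-To-Die" } } |
    Sort-Object Expires |
    Format-Table -AutoSize
```

The TTL can be refreshed later by writing a new value to entryTTL on the object; if it is never refreshed, the DC removes the object when msDS-Entry-Time-To-Die passes, and it does not go through the normal tombstone/recycle-bin lifecycle of a manually deleted object, which is why a periodic inventory like the query above is worth keeping.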

Continue reading

Jan 05

WinRM would not listen on port 5985

WinRM was configured to allow remote administration via a GPO, but it wouldn't let us connect with Enter-PSSession. The firewall rule was there, passing traffic on TCP port 5985.

Checking WinRM config showed something strange:

winrm enumerate winrm/config/listener

Listener [Source="GPO"]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = null

So WinRM was actually configured but wasn’t listening on any network interface. Why?

Continue reading

Dec 20

NTFRS: How to force SYSVOL replication

For those who still use NTFRS: as of KB823230, ntfrsutl can be used to force Sysvol replication:

ntfrsutl forcerepl DST_DC_NAME /r "domain system volume (sysvol share)" /p SRC_DC_FQDN

The replication path will be SRC_DC_FQDN > DST_DC_NAME.

In fact, ntfrsutl connects to DST_DC_NAME and "tells" NTFRS to pull Sysvol changes from its inbound partner SRC_DC_FQDN.