Active Directory Fundamentals

Service account design in architecture (gMSAs etc.)

Service Account Design in Architecture (gMSAs, SPNs, Delegation, and Real-World Patterns) Service accounts are rarely “just accounts.” They’re long-lived identities that sit at the junction of authentication (Kerberos vs NTLM), authorization (AD ACLs), and operational reliability. That combination makes them both critical and dangerous: …
Azure Active Directory, Azure AD Security

Configure gMSA Defender Identity: Step-by-Step Guide

Microsoft Defender for Identity Formerly known as Azure Advanced Threat Protection (Azure ATP), Defender for Identity is a cloud-based security solution offered by Microsoft to help organizations in identity monitoring with high security, in both on-premises and hybrid environments. With the modern identity threat detection (ITDR), security operation teams in your organization can now prevent…
Active Directory Fundamentals

How to detect Golden Ticket attacks

How to Detect Golden Ticket Attacks in Active Directory A Golden Ticket attack is one of the most damaging post-compromise techniques in Active Directory: an attacker forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account secret, then impersonates any user (often Domain Admin) to access domain resources while blending into “normal”…
Active Directory Fundamentals

Detecting Kerberoasting with PowerShell and logs

Detecting Kerberoasting with PowerShell and Logs Kerberoasting is an Active Directory attack technique where an attacker requests Kerberos service tickets (TGS) for accounts that have Service Principal Names (SPNs), then cracks the ticket offline to recover the service account password. Because it uses legitimate Kerberos flows, the key to detection is understanding what…
Active Directory Fundamentals

Identifying insecure SPN configurations

Identifying Insecure SPN Configurations in Active Directory (Detection + Fix Runbook) Service Principal Names (SPNs) are a core part of how Kerberos knows which service you’re trying to reach and which account should decrypt the service ticket. That also makes SPNs a high-signal control point for both security and reliability: weak service-account hygiene, legacy…
Active Directory Fundamentals

Mitigating unconstrained delegation vulnerabilities

Mitigating Unconstrained Delegation Vulnerabilities in Active Directory Unconstrained delegation is one of those “it worked in 2006” features that becomes a high-impact breach path in modern AD environments. This guide gives you a field-ready plan to find it, remove it safely, migrate to better models (constrained delegation / RBCD), and set…
Active Directory Policies

Use Protected Groups for critical OU containment

Using Protected Groups for critical OU containment “OU containment” is supposed to be your safety boundary: admins can manage what’s inside an OU, but they can’t casually reach outside it. In real Active Directory environments, that boundary often fails in subtle ways—mostly because of privileged group membership, inherited rights, and…
Uncategorized

Handling expansion and consolidation of OUs during M&A

Handling expansion and consolidation of OUs during M&A Mergers and acquisitions are where “good enough” Active Directory design gets stress-tested. Organizational Units (OUs) sit right at the fault line: they encode administration boundaries, policy application, onboarding/offboarding workflows, and sometimes a company’s entire way of thinking about…
Active Directory Policies

AD group expiration and recertification best practices

AD group expiration and recertification best practices Active Directory groups are one of the most powerful—and most quietly dangerous—access control primitives in Windows environments. They’re easy to create, easy to nest, and easy to forget. The result is predictable: groups that outlive their projects, privileged memberships that never…
Active Directory Fundamentals

How to design AD for Zero Trust: Practical first steps

Designing AD for Zero Trust: Practical First Steps Designing AD for Zero Trust (practical first steps) means reshaping your on-premises Active Directory (AD) so that every access request is explicitly verified, least-privileged, and resilient to compromise. Zero Trust is a security model that assumes no implicit trust—inside or outside your network—and continuously validates identity…