Architecture & Design

Removing “Password Never Expires” Accounts in Active Directory The “Password never expires” setting (the DONT_EXPIRE_PASSWORD userAccountControl flag) is one of those legacy conveniences that quietly turns into a long-term security and compliance problem. This article shows how to find these accounts, decide what “good” looks like per account type, and remove the…

Ensuring Compliance for Dormant and Shared Accounts Dormant accounts and shared accounts are two of the most common identity-control gaps in Active Directory and hybrid environments. They create audit findings because they weaken accountability (who did what?) and increase attack surface (stale credentials, over-permissioning, and silent…

Alerting on “Password Never Expires” Violations (Active Directory) This article explains what the “Password never expires” setting actually means in Active Directory, why it is risky, and how to build reliable detection and alerting with minimal noise. Why this matters? A password is a shared secret. Over time, shared secrets…

Cleanup Automation Using Lepide and Netwrix Insights “Cleanup” in Active Directory (and adjacent systems like file servers and M365) is rarely a one-time task. It’s an operating model: continuously detect what’s stale or risky, validate it, apply a controlled action, and prove you didn’t break anything. The easiest way to get this right is to turn audit and activity…

A user home folder sounds simple: “give each person a private network location and map it as H:”. In real environments, that “simple” choice becomes a long-running system: identity meets storage, permissions, audits, migrations, quotas, backups, and incident response. That is why assigning home folders dynamically with scripts is not just a convenience trick—it is a…

Webinar: Modern AD Ops — Registration WAD • Live Webinar Intro Agenda Register FAQ …

Implementing LAPS for local accounts: an expert comparison guide for Active Directory and Entra ID Local administrator accounts are both necessary and dangerous. They are the “break glass” lever for offline recovery and deep troubleshooting, but they also create one of the most reliable paths for lateral movement when passwords are static or…

Auditing failed logons and lockouts in active directory Failed logons and account lockouts are the earliest, loudest signals of identity trouble in a Windows environment. Sometimes that trouble is harmless (a user typing the wrong password). Sometimes it is operational debt (stale credentials in a scheduled task). Sometimes it is an active adversary (password…

Restricting logon to specific machines: the expert guide Restricting logon to specific machines means enforcing which Windows computers a given user may sign in to—locally or via Remote Desktop—using Active Directory controls such as userWorkstations (“Log On To…”) and computer-side User Rights Assignment policies (“Allow/Deny log on locally” and “Allow/Deny log on…