windows – Active Directory / Domain spring cleaning best practices

I am taking over an AD role and one of the tasks I want to accomplish is to “clean up” active directory… remove stale accounts, empty groups, ensure groups have the right users in them.

The domain has a few thousand users.

What is the best resource for “active directory / domain management”?

active directory – Windows AD OU Block (Read/List) Objects from other OU

I have a Root OU that has an OU called “Clients”, and under it I have multiple OUs with the clients’ PCs/user accounts in sub-OUs.

The issue is that my clients can see other groups’ user accounts/computers, and I need to prevent this, as if they’re on completely different machines and not under the same domain. I am guessing I have to go make Deny rules for every single OU group about every client OU group?

Currently, they can search AD for users and see other clients (not within a said company).

Any thoughts on how to do it, potentially with PowerShell or just in general?

active directory – How to remove AdmPwd Permission from BUILTIN\Users (MS LAPS)

I’ve deployed MS LAPS to manage local admin passwords and all is working fine, except that non-privileged users are able to access the local admin password, in both PowerShell and LAPS UI.

Running the command below shows me that in addition to the intended groups, BUILTIN\Users can also read the password. (This command is the same that the LAPS_OperationalGuide suggests, but I piped results to a ForEach and Out-File so that output was not truncated.)

    Find-AdmPwdExtendedRights -Identity 'All Computers' | `
     ForEach-Object -Begin $null -Process {$_.ObjectDN}, {$_.ExtendedRightHolders} -End $null |`
      Out-File C:\Temp\WTF.txt

mydomain\Domain Users group is a member of BUILTIN\Users (which is normal), so maybe this is where the problem is coming from…? Regardless, I cannot find a way to remove the AdmPwd permission from BUILTIN\Users or from mydomain\Domain Users. I’ve stepped through every single account listed in ADSIEdit\AllComputers\Properties\Security\Advanced but no user or group has the AdmPwd permission, except those that should. Did same in ADUC with same result.

Can someone please tell me how to remove the AdmPwd permission from BUILTIN\Users? There is a Set-AdmPwdExtendedRights cmdlet, but no Remove-AdmPwdExtendedRights cmdlet. Failing that, can someone tell me how to find where the permission is coming from?

Before folks start asking, yes, I have closely followed the LAPS_OperationGuide, have run all the PowerShell cmdlets, have gone to ADSI Edit and removed “All Extended Rights”, and have given rights to my two intended groups. Everything about LAPS is working properly except for the BUILTIN\Users problem.
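One way to trace where such a right is defined, as an added example that is not part of the original post: it walks from the reported OU up to the domain root and lists every explicitly set (non-inherited) Allow ACE that carries the extended-right bit, either for all rights or for the LAPS password attribute `ms-Mcs-AdmPwd`. The starting DN is a placeholder and the variable names are illustrative.

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Placeholder DN (assumption): use the ObjectDN that Find-AdmPwdExtendedRights printed.
$startDn = 'OU=All Computers,DC=mydomain,DC=example'

# schemaIDGUID of the LAPS password attribute, read from this forest's schema.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$pwdAttr    = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$admPwdGuid = [guid]$pwdAttr.schemaIDGUID
$allRights  = [guid]::Empty   # ObjectType of an ACE not limited to one right or attribute
$extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$dn = $startDn
$findings = while ($dn) {
    $here = $dn
    (Get-Acl -Path "AD:\$here").Access |
        Where-Object {
            # Explicit ACEs only: these mark the container where the grant was made.
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $extended) -and
            ($_.ObjectType -eq $allRights -or $_.ObjectType -eq $admPwdGuid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                DefinedOn   = $here
                Trustee     = $_.IdentityReference
                Rights      = $_.ActiveDirectoryRights
                Propagation = $_.InheritanceType
            }
        }
    # Step to the parent container; stop once the domain root has been examined.
    $dn = if ($dn -match '^DC=') { $null } else { ($dn -split '(?<!\\),', 2)[1] }
}
$findings | Format-Table -AutoSize -Wrap
```

GenericAll includes the extended-right bit, so full-control ACEs appear in the output as well; the `DefinedOn` column names the container whose security descriptor holds each entry.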

active directory – How easily and quickly access workstations that are two or three servers away from mine

I work for a small IT firm whose main client has dozens of Windows Servers (2012 R2) catering to thousands of workstations in several dozen cities.

We routinely and remotely assist end-users, and to do that, we have to:

  1. Log onto a main server in our own domain;

  2. From there, log onto a server (VM) on the client’s domain;

  3. From there, log onto yet another server where the Active Directory is set;

  4. From there, finally access the end-user workstation, either via RDP, Veyon or UltraVNC, depending on the OS the workstation has under the hood.

That’s a lot of hoops and a lot of wasted time entering credentials before finally doing our job, so I was wondering how we could speed things up by passing directly from our own workstation to the end-user’s, thus automating the whole authentication process on two server rebounds.

csv – How to update a custom attribute in Active Directory?

Hi guys, my name is Bastián and I am a student.
I am here to ask for help with a script that updates users in Active Directory from a CSV file.
I created the columns in the Active Directory schema, and they all appear in the user's profile when I look them up, but when I run the update the message says that the parameter does not exist.
Updates made directly through PowerShell work and are reflected, but through the CSV file it does not find the columns. I need your help to correct my error; I would appreciate some guidance.

    Import-Module ActiveDirectory

    # Ask for the path of the CSV file
    [string]$Ruta = Read-Host "Ingrese la ruta donde está el archivo csv (Por Ejemplo C:archivocsv.csv)"

    # Target OU; create it if it does not exist yet
    $ou = "OU=DominioExtendido" + "," + (Get-ADDomain).DistinguishedName
    If (-Not (Get-ADOrganizationalUnit -Filter {Name -eq "DominioExtendido"})) {
        New-ADOrganizationalUnit "DominioExtendido" -Path (Get-ADDomain).DistinguishedName
    }
    $dominio = (Get-ADDomain).DNSRoot

    Import-Csv -Path $Ruta | ForEach-Object {
        $UPN = $_.Cuenta + "@" + "$dominio"
        # Standard attributes first, then the custom schema attributes passed as parameters
        New-ADUser -SamAccountName $_.Cuenta -UserPrincipalName $UPN -Name $_.Nombre `
            -DisplayName $_.Nombre -SurName $_.Apellidos -GivenName $_.Nombres `
            -Description $_.Descripcion -Office $_.Oficina -OfficePhone $_.Telefono `
            -EmailAddress $_.Email -Title $_.Titulo -Department $_.Departamento `
            -Company $_.Compania -City $_.Ciudad -State $_.Region `
            -AccountPassword (ConvertTo-SecureString $_.Clave -AsPlainText -Force) `
            -Path $ou -Enabled $true -ChangePasswordAtLogon $true -Verbose `
            -companyCode $_.CodigoEmpresa -companyID $_._RutEmpresa `
            -socialReason $_._razonSocial -acronymCountryCode $_._CodigoPais `
            -contractType $_._TipoContrato -businessUnity $_._BU `
            -officeLicence $_._Licencia365
    }
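An added example, not part of the original post: New-ADUser has named parameters only for the built-in attributes, so schema-extension attributes are supplied through its `-OtherAttributes` hashtable, keyed by LDAP display name. The attribute names are the ones in the post; the CSV path, the helper `Get-OtherAttributes` and the assumption that the CSV headers are spelled as shown in the map are illustrative.

```powershell
Import-Module ActiveDirectory

$Ruta = 'C:\Temp\usuarios.csv'   # constructed sample path

# Schema attribute (LDAP display name, from the post) -> CSV column that feeds it.
# Column names are written as they appear in the post; they must match the CSV header row.
$customMap = [ordered]@{
    companyCode        = 'CodigoEmpresa'
    companyID          = '_RutEmpresa'
    socialReason       = '_razonSocial'
    acronymCountryCode = '_CodigoPais'
    contractType       = '_TipoContrato'
    businessUnity      = '_BU'
    officeLicence      = '_Licencia365'
}

function Get-OtherAttributes {
    param($Row, $Map)
    $other = @{}
    foreach ($attr in $Map.Keys) {
        $value = $Row.($Map[$attr])
        # Skip blank cells so no empty value is submitted for the attribute.
        if (-not [string]::IsNullOrWhiteSpace($value)) { $other[$attr] = $value.Trim() }
    }
    $other
}

$ou      = "OU=DominioExtendido," + (Get-ADDomain).DistinguishedName
$dominio = (Get-ADDomain).DNSRoot

Import-Csv -Path $Ruta | ForEach-Object {
    # Built-in attributes go in as named parameters (splatted).
    $params = @{
        SamAccountName        = $_.Cuenta
        UserPrincipalName     = "$($_.Cuenta)@$dominio"
        Name                  = $_.Nombre
        AccountPassword       = ConvertTo-SecureString $_.Clave -AsPlainText -Force
        Path                  = $ou
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    # Custom attributes go in through -OtherAttributes, only when at least one is set.
    $other = Get-OtherAttributes -Row $_ -Map $customMap
    if ($other.Count -gt 0) { $params.OtherAttributes = $other }
    New-ADUser @params
}
```

The CSV carries initial passwords in clear text, so restrict access to the file and remove it once the import has run.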


Where to see active pages in Google Analytics right now?

I’ve now been googling for half an hour and can’t understand how to find this in the new GA which seems very confusing for regular users like me.

Been using Google Analytics for 10+ years, but now when creating a property and clicking Realtime, I can’t see which pages people are active on right now. I see a lot of useless data but not the simple line I’m used to using.

Where are these data available?

permissions – Adding domain user to local group when access to active directory no longer exists

We used to have a domain (foo) but the domain controller machine has been dead for a long time.

I am logged into my Windows 10 workstation as foo\mike and would like to add foo\mike to a local group which already has foo\Administrator as a user.

It is not possible to select foo\mike as an additional user for this local group because it is “not from a domain listed in the Select Location dialogue box”. This of course makes sense.

Is it possible to add this domain user to the local group somehow or is my only option to build a domain controller so the foo domain exists again (and even then I do not know if it would work to set up foo\mike in the new AD)?

Active Workdesk CMS | NulledTeam UnderGround

Active Workdesk CMS is an online platform where resourceful clients and skillful freelancers can be connected. The site helps professionals find projects, communicate with clients and get paid.
It is a marketplace for clients and freelancers in fields like web development, application development, writing, graphic design or any other scope.

Key Features

  • 2 types of project – Fixed & Long term
  • Private…


accessibility – Why is low contrast between active and inactive window title bars considered a good thing?

Microsoft gave some explanation for these changes to Visual Studio in this article:

Visual Studio 11 User Interface Updates Coming in RC (May 2012)

(emphasis mine)

Another area of requested change relating to user interface
controls/chrome has been for us to improve the overall sense of Metro
styling within the themes by drawing our own window chrome. By drawing
our own window chrome we have succeeded in both making more efficient
use of space and in increasing the overall sense of Metro styling.

the article continues…

The custom chrome and line work changes we’ve made together with
reducing the number of default toolbars and toolbar icons combine to
give you three extra visible lines of code in the editor compared to
Visual Studio 10. As I noted at the beginning of the post the overall
objective behind many of the Visual Studio 11 theme changes is to give
you maximum real-estate for, and ability to focus on, your code.

It looks like Microsoft designed a custom title bar in Visual Studio 2012 to:

  1. Move the “Quick Launch” search bar all the way up to the top of the window, so that users could hide all toolbars and see a few extra lines of code.

  2. Make a more consistent metro theme.

  3. Increase focus on “content” (i.e., code)

Based on the article it seems like the custom, low contrast title bars were Microsoft’s attempt to “get you to focus more on your code” rather than looking at the window chrome.

Issues with Microsoft’s article:

  • If you hide all the toolbars, Visual Studio 2010 and 2013/2015 are very similar in the amount of vertical space you have for your code.

In the newer versions of Visual Studio, Microsoft made the tabs smaller, but they increased the size of the logo in the upper left; the notification button / indicator is also larger than a standard title bar button in Windows Classic.

For Classic Themes: Visual Studio 2013 and 2015 actually have one less pixel of vertical space than Visual Studio 2010.


VS2010 vs VS2013 code editor space comparison

For Aero Themes: Visual Studio 2013 and 2015 give you four additional pixels of vertical space. (Default font, the pink line is the top of the i in #include ... in Visual Studio 2010)

VS2010 vs VS2013 code editor space comparison (aero)

This comparison was done on Windows 7.

In Windows 10 / Visual Studio 2017:

  • Compared to Visual Studio 2010 with Windows 7 Aero, you gain an additional 3 pixels of vertical space for your code.

  • Compared to Visual Studio 2010 Windows 7 Classic you lose 5 pixels of vertical space.

So far no environment has more maximum possible space for code than Windows 7 Classic / Visual Studio 2010, though the difference is negligible (not even enough for a full line of code).

As for “Metro makes it easier to focus on content”:

A) In an article talking about Office 2007 (see below), Microsoft specifically mentioned that “Replacing the Window chrome is a very visible way to differentiate your app and increase branding impact”; it seems like if anything replacing the window chrome would make it so that users are noticing the unique look of your application more than the content.

With custom chrome, the application no longer blends in with the rest of the user’s system (and it will probably only look more foreign later on, because it doesn’t “evolve” when the OS updates).

B) Microsoft made the exact same claim about Windows Aero years ago (Archived: Oct. 2009):

One of Aero’s more visually obvious features is glass window borders, which let you focus on the contents of your open windows. Window behavior has also been redesigned, with subtle animations accompanying the minimizing, maximizing, and repositioning of windows to appear more smooth and effortless.

Office 2007

Joe Castro (Microsoft) wrote an article on the usage of custom window chrome (archived 2019), in which he mentioned Office 2007.

See the excerpt below. He was mostly focusing on the technical side of it in the article; however, he mentions that replacing the window chrome can give your application a distinctive look, though it will require more work to implement standard system features. He specifically mentions Active/Inactive states as something requiring extra work.

It seems that some employees at Microsoft recognized the importance of differentiating between an active and inactive window, though perhaps a more “subtle” difference between active and inactive was preferred in the long run.

Predicting the future is hard – or “How to make some people unhappy,
all of the time”

Ultimately replacing the window chrome is doing the job of the window
manager. Emulating Windows like this has potential to miss behaviors
that your users expect, or not work correctly under some circumstances
(like high-DPI, or under a screen reader). Care should be taken to
ensure that the behaviors your users care about will work correctly
with your replacement.

For example, some of the standard window caption features today are:

  • Left-click on the icon to get the system menu.

  • Double click on the system icon to close the app (Office’s pearl does this as well).

  • Right click in the caption to get the system menu.

  • Double-click the caption to maximize the app.

  • With DWM, change the caption text style when maximized.

  • Change colors based on Active/Inactive states (The colors it uses respect DWM colorization when Aero glass is on, the Theme colors when
    not in Windows Classic, and System colors when in Windows Classic.)

  • It respects system metrics for sizes, and the metrics available for measurement have changed in different versions of Windows (e.g.
    iPaddedBorderWidth was added for Vista).

These are all things that the system no longer does automatically for
you when you use your own chrome. And some of this behavior has
changed in different versions of Windows.

Replacing the Window chrome is a very visible way to differentiate
your app and increase branding impact, but it’s likely that an
implementation will miss some things, or that future versions of
Windows may change some behaviors making your app look out of place.

This doesn’t mean “don’t do this.” Just that replacing the chrome
should be an informed decision.

Also, user feedback on Office 2013 has shown that low contrast in title bars is not just a hypothetical issue:

And another thing, now that I have to have all of these separate window open, how can I tell which one is selected? Previous Office products had a color change in the bar at the top of the window to show whether that window had the focus. Office 2013 doesn’t seem to have any visible indication. I keep pasting things into the wrong windows.
