NDES SCEP for Intune device certs - do we really need an Ent CA
We have AAD-joined devices. We do have on-prem capability but have tried to minimise the requirement for an Active Directory, given that most resources users access are cloud-only. However, we now wish to use an NDES server (SCEP) to deliver device…
start a script at session start
Hi everyone, I must start a script at session start, not the desktop or other programs. I have tried creating a user in Active Directory and in the "Environment" tab I have set the path of the script, but in my laboratory it works.…
"NT-Authority\System" impersonated or overtaken? GPO problems.
Hi all, I was researching a GPO problem on a single W10_1903 PC. DNS, DFS and everything else seemed okay, except for all the GPO errors in the Event Log. But when I, from a psexec command prompt (running "WhoAmI" gives…
Event log error
I checked some event logs through Event Viewer, but the error in the attached image occurred. The meaning of the error is 'One or more logs in the query have errors.' How can I read this event log? Additionally, I have been using Windows…
Server Authentication Restriction
Could you please help me with the best option/tool that I can implement in my infra to secure Microsoft Windows servers? In my environment we are running 40+ servers which are not under AD infra. So could you please help me with how to secure…
PKI Certificate
We have a 2-tier PKI and the hash algorithm is SHA256. I have an appliance that requires SHA384 as the minimum hashing algorithm; is it possible to generate a SHA384 cert in our current PKI environment?
Certificate templates on custom attributes
Hey guys, I have a 2-tier enterprise PKI in my on-premises AD domain and I was asked to enroll user certificates with the common name or the SAN based on the attribute sAMAccountName. Since the default CA policy module supports only fixed attributes…
Machine Certificate Expired
I inherited a Windows Server 2016 Standard which appears to have the Certificate Authority installed but the role is not installed. I think it may have to do with RSAT tools. Anyway, there is an expired certificate that is showing up in the Application…
Allow login to app using IIS only for some users
I have an app, e.g. SL. It's running on a web server using IIS. SL has its own authentication method. I don't want any user with an SL account to be able to log in; I want only those accounts that have Windows Authentication. My goal: 1. create…
What is the GPO needed to enable Windows Server audit logging for account lockout
I am trying to identify where a user account lockout keeps happening, by searching for the source in our DCs' event logs -> Windows Logs -> Security, but I am not seeing any lockout events in our domain controller. I can see other successful…
Upgrade a two-tier PKI to Windows 2019
Hi guys, we have a two-tier PKI environment in production; both are Windows 2012 R2. Is it possible to upgrade the OS to Windows 2019? How to upgrade? Which one to upgrade first, the root or the sub CA?
Group Policy in Parent/Child or Parent/Tree domains
Hi, I'm trying to crack the "mystery" of Parent/Child/Tree domains. How do you apply group policy to a child or tree domain? Let's say: parent is contoso.com, child is usa.contoso.com, tree is fabrikam.com. What are the permissions…
Certificate template key length after AD upgrade
My AD forest has slowly evolved from its NT4 ancestor. Certificate services were introduced when it was at 2003 level. Now I have migrated up to 2016, and the key lengths of the certificate templates are (of course) the same as they were when created years…
Unable to sign CSR with Microsoft Windows CA
Hello guys, I have created a CSR (using the below guide) for one of our NPS servers. https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Creating_an_Offline_Certificate_Request_in_Windows_Server When trying to sign it with our CA I…
Network Audit logging
I have enabled the advanced audit policy configuration in Windows Server 2016 and wanted to capture the below network-related events: Packet filter matches, DR-F0401-032, DR-F0401-036, DR-F0401-037 and DR-F0401-117. System scan for open ports and…
My GPO(Group Policy Object) is being blocked by my ACL
Hi all, I can't seem to find a way to allow my GPO to pass through my core router (which has an ACL running). I was able to determine that the cause of this was that the packets were being blocked by the ACL, because if I remove the ACL on the VLAN, the GPO takes…
Anonymous Logon being logged when changing passwords
So I have a Windows Server 2016 domain and whenever changing a password in Active Directory, even when creating a new account, anonymous logon is being written to the logs (event 4738) even though I'm logged in with a domain administrator account. It…
Dynamic Access Control: Settings for "Device Claims"
Hi, I am trying to combine all requirements for "Device Claims". From what I could see: 1) it has to be Windows 8, not below; 2) the Kerberos setting in Group Policy. Plus I presume a DC running 2012+. Are there any other…
2019 Certificate Authority Revocation Issue
Hi there! I'm having a rather weird issue in our Certificate Authority environment in that when I revoke a user cert, the client never becomes aware of the fact, and it never shows as revoked client-side. Computer-based certificates DO however get actioned…
Deny access rights for members in a group are not enforced
Hello, I'm using Windows 2016 standard server that is joined in a domain. The domain admins are placed in the local administrators group, but I don't want the domain admins to be able to write or change data on the D-drive of the server. I've set the…