Why and how to implement browser extension whitelisting
Some extensions installed by millions of users have been found to steal or leak Personally Identifiable Information (PII), passwords or other secrets, take screenshots, act as a key logger, cause phishing, spamming and so on.
This article will show you why and how to implement browser extension whitelisting, preventing the installation of extensions not explicitly allowed by you.
Windows Security pop-up when connecting to AD with LDAPS
Windows Security window pops up asking users for the password to the private key of their certificate.
LDAPS uses certificates, that are not intended for this purpose, to authenticate users.
Danish national identity system NemID can cause this pop-up window, when users have an “employee certificate” (“Medarbejdersignatur”).
PrintNightmare still incompletely patched - What should I do... And what shouldn't I do?
Lingering access with Temporary Group Memberships
Beware of NTLM when using Temporary Group Memberships
Short-term group memberships might lead to long-term permissions
Temporary Group Memberships are a very welcome addition to Windows Server 2016 Active Directory Domain Services.
It gives you the means to elevate privileges for someone temporarily.
However, this blog post is not here to give instructions on enabling it or using it. You will find plenty of that elsewhere.
This blog post is here to remind you not to trust this feature blindly.
Your short-term group membership might give you long-term privileges.
No, you do not need to run ADPREP manually anymore
There are many great step-by-step guides out there about upgrading your Active Directory forest to Windows Server 2012 (R2).
There is however one thing, most of them seem to forget:
ADPREP, that prepares the forest and domain(s) for the new Active Directory version, is now a part of the Active Directory Domain Services installation process, both when using the Server Manager Wizard and when running Install-AddsDomainController.
The Windows Server 2012 (R2) server, on which the AD DS installation process is running, will perform the ADPREP tasks remotely on the existing Domain Controllers.
This makes the installation process significantly easier, as you do not have to attach the installation media to an existing Domain Controller and run ADPREP from there.
There is however one case, where you would need to run ADPREP manually:
If you have never run the ADPREP /DOMAINPREP /GPPREP (which will add ACEs to the GPOs in the SYSVOL folder to enable additional RSOP functionality) in an existing domain before, this will need to be done manually.
If you have already run ADPREP from Windows Server 2003 SP1 or higher previously, most likely /GPREP will have been run already.
So go ahead and run that AD DS Installation wizard (or PowerShell cmdlet), and don't worry about how you will run the ADPREP from the existing Domain Controllers, because you don't have to.