Service Principal Names



As Microsoft describes it:

(A service principal name (SPN) is a unique identifier of a service instance.)

So what does that mean?



Configure source of time on Domain

Configure time in my Active Directory

  • How to set the PDC role server as the time source on the network
  • How to move the PDC role and the Time service to another server

How to set the PDC role server as the time source on the domain

How to set a time source in my domain


KRBTGT account cannot be enabled


The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.

KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.

Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.


How to know the SPN needed name

How to get the SPN of any server, and how to find the service name you need


First, open the Active Directory Administrative Center


Authorizing DHCP Server by a non-enterprise administrator


By default, only an administrator who is a member of the “Enterprise Admins” group can authorize a DHCP server installed in a domain environment. If another account tries to authorize a DHCP server that is a member server in a child domain, it may get “Access is denied”.


To solve this problem, I try to grant the permission to the child domain administrator.


1. At the forest root domain controller, log in as Domain Administrator.

2. Launch “Active Directory Sites and Services“.

3. On the menu, click “View > Show Services Node”.


4. Expand “Services > NetServices“.

5. Right-click “NetServices“, select “Delegate Control“.


6. On “Delegation of Control Wizard” screen, click “Next“.

7. On “Users or Groups” screen, add the user or group to which you want to grant permission to authorize DHCP servers.


8. Click “Next“.

9. On “Tasks to Delegate” screen, select “Create a custom task to delegate“.


10. Click “Next“.

11. On “Active Directory Object Type” screen, select “This folder, existing objects in this folder, and creation of new objects in this folder“.


12. Click “Next“.

13. On “Permissions” screen, check “Full Control“.

14. Click “Next“.

15. Click “Finish“.

Now the non-enterprise administrator user account can authorize the DHCP server installed in the child domain.
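To check the result of the delegation above, the following added example (not part of the original post) lists the explicit allow ACEs on the NetServices container that carry write-level rights, so the delegated account can be confirmed and any unexpected trustee spotted. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the forest's Configuration partition.

```powershell
# Added example: audit write-level ACEs on CN=NetServices after the delegation.
# Assumption: RSAT ActiveDirectory module present; run from a domain-joined host.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Build the container DN from the forest's configuration naming context
$configNC    = (Get-ADRootDSE).configurationNamingContext
$netServices = "CN=NetServices,CN=Services,$configNC"

# Individual write-level bits. GenericAll itself is not used as the mask because
# it also contains read bits and would match read-only ACEs.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, DeleteTree, Delete, WriteDacl, WriteOwner'

$acl = Get-Acl -Path "AD:\$netServices"

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and       # allow ACEs only
        -not $_.IsInherited -and                    # set directly on NetServices
        ($_.ActiveDirectoryRights -band $writeMask) -ne 0
    } |
    Select-Object @{ n = 'Trustee';     e = { $_.IdentityReference.Value } },
                  @{ n = 'FullControl'; e = { $_.ActiveDirectoryRights -eq 'GenericAll' } },
                  ActiveDirectoryRights,
                  InheritanceType |
    Sort-Object Trustee |
    Format-Table -AutoSize -Wrap
```

The user or group chosen in step 7 should appear with FullControl set to True; any other trustee in the output that is not a built-in administrative group deserves review, since these rights cover every object under NetServices.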


Active Directory Security, Permission and ACL Analysis



Fast and lucid display of container permissions and audit configurations in Active Directory environments.
Analysis: Where in the directory hierarchy are permissions granted for an account (including its group memberships)? For which objects is permission inheritance blocked?

    Download Liza
    Version 1.8.11

Liza is a free tool for Active Directory environments which allows you to display and analyse object rights in the directory hierarchy. You could use the tool for example to perform security permission analysis in an AD domain or the AD Configuration Partition.


I always found the out-of-the-box possibilities to examine the object security in Active Directory environments rather unwieldy to handle for complex permission settings. So with the LIZA development, I tried to display most of the permission ACE (Access Control Entry) information as simply as possible so you have an almost complete overview at first sight.

The following topics are available for the LIZA online manual: 

Configuring Internet explorer using Group policy preferences

Group Policy Internet options for Server 2012 and IE 10


GP Preferences not working for you? Probably F5-F6-F7-F8


I noticed that some of my policies were not applying via the Internet Explorer GPO Preferences,

And after much digging around on the internet I found out why.


In the settings dialog, each setting is underlined with either a red dotted line or a green line. The ones with green lines are enabled, and the ones with red dotted lines are not enabled, or ignored.

User Configuration > Control Panel Settings > Internet Settings



To enable a single setting, click on the setting you are about to change and press F6. This will configure/enable just this setting, and the red dotted line should turn green.



The other options are as follows:


F5 Configure all of these settings

F6 Configure just this setting

F7 Ignore just this setting

F8 Ignore all these settings

The same goes for settings and advanced settings: green to apply the setting, red to ignore the setting.

The same goes for your LAN settings: un-tick “Automatically detect settings” and enable it with F6, which will make sure the policy is applied. If you disable/ignore (F7) the setting, the policy will not check with the local machine policies.








Enter the URL of the Home page you wish to set, and select start with home page. Notice the red dots underlining the home page entry.

You must press F5 (or F6) to confirm the entry. If you do not, the setting will not be applied. Once you have done so, the entry turns green.

Function keys:

F5 – Enable all settings on the current tab.
F6 – Enable the currently selected setting.
F7 – Disable the currently selected setting.
F8 – Disable all settings on the current tab.

Setting a Proxy with Group Policy Preferences

Create or modify an existing Internet Settings policy as explained above, and this time head over to the Connections tab -> LAN Settings.

Specify the proxy. Again, note the red dots showing that the settings have not been confirmed. Press F5 to confirm.