The key question often debated is whether Active Directory is owned by multiple teams, or by a stand-alone IT, security or directory team. And depending on who you ask within the organizations, you may get several different views. So how do you split the responsibility around Active Directory management?
Powershell functions can be created as advanced functions. These functions behave very similarly to built-in Powershell cmdlets. Because I can't do without the ability to add a -Verbose or -Debug parameter to my functions now nowadays, these are the only kind of functions I build. Advanced functions, just like "dumb" functions, have parameters. The parameters are the values that are passed into the function from your script.
Once a business begins to use Active Directory more and more, depending on how large the organization is, objects have the tendency to become "stale." Every employee typically has an Active Directory user account. They are assigned one the day they are hired. At the same time, if they received a computer, that computer was probably joined to the Active Directory domain. Now, let's say they were assigned to a personal printer and they need to share that printer with “Bob” down the hall. “Susie's” printer could now go into Active Directory. What about Susie's computer's DNS record? Many companies choose to integrate DNS with Active Directory as well which is yet another object in Active Directory! You get the point.
Now that you've got an understanding of Powershell's advanced functions and the ValidateSet() parameter validation method in the first part of this blog, “Validating Powershell Advanced Function Parameters” you can begin Part #2 of this small post series. Part 2 of this series goes deeper by demonstrating how to dynamically create your sets for ValidateSet() so they aren't hardcoded in. This is essential when dealing with values that may constantly change or even if you just want to practice writing good scripting and have no static references.
There are many types of organizations. Some organizations have started as cloud-only. Other organizations are still very much entrenched on-premises. From the last group of organizations, I hear the following sentence a lot: “We don’t use Azure AD.”
I think this is an interesting but dangerous thing to say.
In the previous article we looked at the operations and processes regarding backup and recovery of AD DS information, namely the AD DS database and its objects. In this article we will be looking at the backup options for some of Active Directory’s other modules such as Active Directory Certificate Services (AD CS). Your Active Directory monitoring solution should be tracking events for AD CS to ensure the information is backing up successfully.
Almost a year ago, in March 2020, I wrote an article called Microsoft stops basic authentication, now what on this site about Microsoft’s plan to decommission Basic Authentication in Office 365. The Covid-19 pandemic took over the world and a lot of projects were postponed. This was also the case of the Basic Authentication project at Microsoft, but the decommissioning is still planned although there are some serious changes in Microsoft’s planning. Time for an update.
In Part 2 of this series, we'll discuss backup and recovery options for Active Directory Domain Services (AD DS) as a critical component of Active Directory Monitoring. AD DS stores information about the objects on your networks such as user accounts, passwords, user information such as phone numbers, addresses, etc. This information allows users to be authorized on your network to access information. Every organization, large or small, should be backing up this information to restore in the event of any loss of data. This article will cover Windows Backup technologies, tools, and processes for keeping this data intact for restore.
This is a 5-part series discussing how to backup and restore objects for Active Directory modules in Windows Server which is a critical component of Active Directory Monitoring for any organization.
It is always recommended to utilize Active Directory monitoring to help you maintain a healthy authentication and authorization infrastructure. The Windows Time service is a critical component in being able to authenticate users that are using the Kerberos V5 services used by Active Directory. However, some questions usually come up as to how the Windows Time service works and what information should you be looking for when your AD monitoring system finds issues.
