Welcome to InfoTech Ninja

IT professional writing about cybersecurity, cloud & DevOps, automation, networking, and systems administration. Real-world guides for real-world problems.

#Cybersecurity #Cloud #Automation #Networking #SysAdmin

Latest Articles

Configure Roaming Profiles for Active Directory User Accounts

A roaming profile follows the user across machines - sign into PC-A, then PC-B, and the same desktop, files, and app settings appear. Five-step setup on Windows Server 2022: AD security group (Roaming Profiles Users), hidden SMB share (profiles$ with access-based enumeration and a custom ACL granting only Create-Folders to the security group on This folder only), user profile path attribute set to \\<server>\profiles$\%username%, GPO 'Add the Administrators security group to roaming user profiles' linked to the client OU (must be in place BEFORE first roaming logon - not retroactive), then verify on a Windows 10/11 client (gpupdate, sign in, drop a Test folder on the desktop, sign out / in, browse the share, confirm sysdm.cpl reports profile Type: Roaming). Includes the .V6 profile-version suffix explainer (different OSes get separate folders), the logon/logoff lifecycle, and the seven common pitfalls (path-before-share trap, forgotten Admins GPO, caching-on-the-share, mixed-OS .V6 collisions, profile bloat without limits).

Windows Server 2022 Hardware Requirements

The minimum hardware floor for Windows Server 2022, with the technical reasoning behind each spec. CPU: 1.4 GHz x64 with DEP/NX/SLAT (use systeminfo to verify Hyper-V Requirements). RAM: 512 MB for Server Core, 2 GB for Server with Desktop Experience; ECC strongly recommended on physical hardware. Disk: 32 GB base, +4 GB for GUI; RAM > 16 GB scales pagefile.sys / hiberfil.sys / dump files (powercfg -h off reclaims hibernation space on servers that do not need it). Network: 1 Gbps PCIe-compliant Ethernet. TPM: optional in general, required for BitLocker, UEFI Secure Boot measurement, Credential Guard, and VBS - TPM 2.0 standard on modern servers. Includes the practical-vs-documented-minimum comparison table - the documented numbers are install-floors, real production sizing is several times higher on every dimension.

Active Directory Logical Components and Partitions

Active Directory has both physical and logical components. The logical side is what shapes how identity actually works - which objects exist, which DCs replicate which data, where to look for a setting. This article covers the five core logical components (Schema, OUs, Forest, Domain, AD DS Database) and the four partitions inside the database (Schema, Configuration, Domain, Application = DomainDnsZones + ForestDnsZones). Walks ADSI Edit inspection of each: connect to the Configuration well-known naming context, drill to CN=Partitions for the self-description; connect to Schema for classSchema and attributeSchema objects; connect to Default naming context for the Domain partition (matches ADUC); type explicit DNs for DomainDnsZones and ForestDnsZones to see how AD-integrated DNS records are stored. Includes the replication-reach matrix (which partitions replicate forest-wide vs domain-only), the Global Catalog partial-attribute subset, the Computers/Users-are-containers-not-OUs gotcha (use redirusr/redircmp), and the schema-extension-is-permanent caveat.

Configure Advanced Audit Policies in Active Directory

Active Directory does not audit security-relevant events out of the box. The legacy 9-category basic audit policy is high-volume and low-resolution; the right tool for granular AD audit is Advanced Audit Policy Configuration with its ~60 subcategories. Walks the full pipeline: create a dedicated GPO, enable two representative subcategories (DS Access -> Audit Directory Service Changes, Object Access -> Audit File System) with Success+Failure, link the GPO to the Domain Controllers OU, force gpupdate, then verify by creating a Test GPO and confirming Event ID 5137 fires on the DC's security log with the matching GUID. Includes a reference table of useful event IDs (4624/4625 logon, 4720/4726/4738 account, 5136-5141 directory service, 4663 file system), the SCENoApplyLegacyAuditPolicy basic-vs-advanced split, the SACLs-required-for-File-System gotcha, the default-16MB-security-log gotcha, and pointers to Windows Event Forwarding and SIEM ingestion for handling volume.

Comprehensive Guide to Group Policy Objects (GPO): Theory and Best Practices

The conceptual reference for Group Policy: what GPOs actually are, the difference between local and domain GPOs, the two built-in defaults (Default Domain Policy and Default Domain Controllers Policy) and why you should not modify them for general settings, the Computer-Configuration vs User-Configuration split, what GPOs can and cannot be linked to (sites/domains/OUs yes; individual user/computer accounts no), administrative templates (ADMX = engine, ADML = dashboard labels), GPO scope (link + Security Filtering + WMI Filtering + Item-Level Targeting for Preferences), and the LSDOU processing order with last-write semantics. Walks inheritance / Block Inheritance / Enforced precedence (Enforced beats Block), the GUI tools (gpmc.msc, gpedit.msc) and CLI tools (gpupdate, gpresult, LGPO.exe, the GroupPolicy PowerShell module), every GPO attribute (Name, GUID, Links, Security Filtering, WMI Filtering, Version Number, Enabled/Disabled state), and the Azure AD DS differences (no site links, no software deployment, predefined OUs, AAD DC Administrators group). Includes seven best practices and cross-links to the practical articles in the pathway.

Raise Active Directory Domain and Forest Functional Level

Raising AD functional level is a one-way change that unlocks newer features (PAM at 2016 forest, Protected Users at 2012 R2 domain, AD Recycle Bin at 2008 R2 forest) and removes support for older Windows Server DCs. The wizard click is fast; the pre-flight is where rollout time lives. Walks the full end-to-end procedure: replication health checks (repadmin /replsummary, Get-ADReplicationFailure), DC OS-version inventory (Get-ADDomainController), raise each domain via Active Directory Domains and Trusts (right-click domain - Raise Domain Functional Level - pick target - Raise - confirm), then raise the forest (right-click root - Raise Forest Functional Level), verify both via Properties dialog and Get-ADForest / Get-ADDomain PowerShell, then post-raise housekeeping (repadmin /syncall, Restart-Service kdc on each DC). Includes the order-matters rule (every domain must be at the new level before the forest dropdown will offer it), the FRS-to-DFS-R prerequisite for 2016, the powered-off-DC trap, and the irreversibility caveats.

Forest and Domain Functional Levels in Active Directory: Theory

Functional levels are the rule book that controls what an Active Directory forest and the domains in it can do. They lock the minimum Windows Server version DCs can run, gate the features available across the directory, and shape every upgrade plan. Two attributes, two scopes - forest functional level (the floor for the whole forest) and domain functional level (per-domain, must be >= forest level). The current ceiling is Windows Server 2016; 2019 and 2022 DCs run at the 2016 level. Functional levels apply only to DCs - workstations and member servers can run any Windows version. Walks the theory: schema vs forest vs domain, the forest-beats-domain rule, the features unlocked at each level (DFS-R for SYSVOL at 2008, AD Recycle Bin at 2008 R2, gMSA at 2012, Protected Users at 2012 R2, PAM at 2016), the GUI check (Active Directory Domains and Trusts) and PowerShell check (Get-ADForest / Get-ADDomain), the FRS-to-DFS-R prerequisite for raising to 2016, and the four common misconceptions (functional level does NOT control client OS, does NOT speed up DCs, etc.).

Backup and Restore Group Policy Objects (GPOs)

GPOs can be deleted in two clicks; AD replicates the deletion to every DC, SYSVOL files vanish, and clients drop the policy at next refresh. AD Recycle Bin restores the container in AD but not the SYSVOL GPT files where the actual policy settings live - so per-GPO backup is its own discipline. Walks the full GPMC lifecycle: Back Up All... for a fleet snapshot, Back Up... for one GPO before a risky edit, Manage Backups... for preview-then-restore (View Settings opens an HTML report, Restore overwrites the live GPO), and the manual re-link step that the backup does NOT capture. Plus the PowerShell-only equivalent (Backup-GPO -All / Restore-GPO -Name) for scheduled / scripted use. Includes the four pitfalls (no description = uninformative Manage Backups list, backup-on-the-DC-fails-with-the-DC trap, untested-backup wishful thinking, View-Settings-first habit) and the link-map documentation gotcha.