Three concrete AD delegation scenarios with the right ACL technique for each: targeted Deny ACEs to hide mobile and pager from a Hardware Support team, the schema confidential bit to restrict national-ID attributes to HR, and a volume-object ACL to make a published share invisible to everyone except Finance.
Use ntdsutil to create IFM media on an existing healthy Domain Controller, copy it to a target server at a remote site, and promote that server with the Install from media option to skip full WAN replication.
How to install the DNS extension in Windows Admin Center and use it to manage a Windows DNS server — create forward and reverse lookup zones, add Host (A) and PTR records, and verify resolution from PowerShell.
How to install the Active Directory extension in Windows Admin Center and use the browser console to manage AD objects on a Domain Controller — create an OU, create a user, create a Domain Local group, and confirm group membership.
A full walkthrough of installing Windows Admin Center on a domain-joined Windows 11 PC and using it to remotely manage a Windows Server 2022 domain controller — MSI install, Express Setup, port 6516, self-signed certificate, adding DC.smart.local, and exploring Roles, Events, Performance Monitor, and PowerShell.
A full walkthrough of configuring Folder Redirection via Group Policy in Windows Server 2022 — OU and group setup, hidden SMB share, NTFS permissions, GPO security filtering with delegated Read for Authenticated Users, and a Windows 10 client test — plus a deep dive on why Folder Redirection still needs Authenticated Users to have Read on the GPO.
A reference for the five essential ports (88, 389, 445, 53, RPC) that must traverse a firewall for Active Directory clients to authenticate, fetch Group Policy, and replicate — plus how to pin RPC to a fixed port.
Account Lockout Policy converts a brute-force password attack from 'eventually wins' into 'locks the account and stops'. Three knobs configured at the domain level via Default Domain Policy: lockout threshold (failed attempts before lock - default 0 = no protection, recommended 5), reset counter (minutes before failed-attempt counter resets - default 30), and lockout duration (minutes account stays locked - 0 = manual unlock only). Walks the full setup in Server 2022 GPMC + Windows 10 client: edit Default Domain Policy, set the three values, disable Administrator account lockout (recommended - protects break-glass), gpupdate /force, deliberately lock a test user (5 wrong passwords), then unlock via ADUC Account tab or Unlock-ADAccount PowerShell. Includes the domain-scope constraint (must live in Default Domain Policy, not OU-linked - this is one of the rare exceptions to the don't-edit-defaults rule), the SIEM event-ID reference (4625/4740/4767), and pointers to Fine-Grained Password Policy for per-user/per-OU differentiation.
A roaming profile follows the user across machines - sign into PC-A, then PC-B, and the same desktop, files, and app settings appear. Five-step setup on Windows Server 2022: AD security group (Roaming Profiles Users), hidden SMB share (profiles$ with access-based enumeration and a custom ACL granting only Create-Folders to the security group on This folder only), user profile path attribute set to \\\\\\profiles$\\%username%, GPO 'Add the Administrators security group to roaming user profiles' linked to the client OU (must be in place BEFORE first roaming logon - not retroactive), then verify on a Windows 10/11 client (gpupdate, sign in, drop a Test folder on the desktop, sign out / in, browse the share, confirm sysdm.cpl reports profile Type: Roaming). Includes the .V6 profile-version suffix explainer (different OSes get separate folders), the logon/logoff lifecycle, and the seven common pitfalls (path-before-share trap, forgotten Admins GPO, caching-on-the-share, mixed-OS .V6 collisions, profile bloat without limits).
Active Directory has both physical and logical components. The logical side is what shapes how identity actually works - which objects exist, which DCs replicate which data, where to look for a setting. This article covers the five core logical components (Schema, OUs, Forest, Domain, AD DS Database) and the four partitions inside the database (Schema, Configuration, Domain, Application = DomainDnsZones + ForestDnsZones). Walks ADSI Edit inspection of each: connect to the Configuration well-known naming context, drill to CN=Partitions for the self-description; connect to Schema for classSchema and attributeSchema objects; connect to Default naming context for the Domain partition (matches ADUC); type explicit DNs for DomainDnsZones and ForestDnsZones to see how AD-integrated DNS records are stored. Includes the replication-reach matrix (which partitions replicate forest-wide vs domain-only), the Global Catalog partial-attribute subset, the Computers/Users-are-containers-not-OUs gotcha (use redirusr/redircmp), and the schema-extension-is-permanent caveat.
Active Directory does not audit security-relevant events out of the box. The legacy 9-category basic audit policy is high-volume and low-resolution; the right tool for granular AD audit is Advanced Audit Policy Configuration with its ~60 subcategories. Walks the full pipeline: create a dedicated GPO, enable two representative subcategories (DS Access -> Audit Directory Service Changes, Object Access -> Audit File System) with Success+Failure, link the GPO to the Domain Controllers OU, force gpupdate, then verify by creating a Test GPO and confirming Event ID 5137 fires on the DC's security log with the matching GUID. Includes a reference table of useful event IDs (4624/4625 logon, 4720/4726/4738 account, 5136-5141 directory service, 4663 file system), the SCENoApplyLegacyAuditPolicy basic-vs-advanced split, the SACLs-required-for-File-System gotcha, the default-16MB-security-log gotcha, and pointers to Windows Event Forwarding and SIEM ingestion for handling volume.
The conceptual reference for Group Policy: what GPOs actually are, the difference between local and domain GPOs, the two built-in defaults (Default Domain Policy and Default Domain Controllers Policy) and why you should not modify them for general settings, the Computer-Configuration vs User-Configuration split, what GPOs can and cannot be linked to (sites/domains/OUs yes; individual user/computer accounts no), administrative templates (ADMX = engine, ADML = dashboard labels), GPO scope (link + Security Filtering + WMI Filtering + Item-Level Targeting for Preferences), and the LSDOU processing order with last-write semantics. Walks inheritance / Block Inheritance / Enforced precedence (Enforced beats Block), the GUI tools (gpmc.msc, gpedit.msc) and CLI tools (gpupdate, gpresult, LGPO.exe, the GroupPolicy PowerShell module), every GPO attribute (Name, GUID, Links, Security Filtering, WMI Filtering, Version Number, Enabled/Disabled state), and the Azure AD DS differences (no site links, no software deployment, predefined OUs, AAD DC Administrators group). Includes seven best practices and cross-links to the practical articles in the pathway.
