Delegation of Control of DNS Zone Administration

Overview

Members of the built-in DNSAdmins security principal in an Active Directory domain are granted the following default permissions: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.

In a large organization, there may be a need to delegate control of the DNS Zone Administration to regional or branch office network administration groups or to the SOC team, who may have to create honeypot DNS entries. This article outlines one possible way to configure the delegation.

For this illustration, the regional network administration team is assumed to be located in the APAC region and to be creating its first Active Directory integrated DNS zone, named lazydog.com.

Procedure

In order to keep the default Active Directory permissions on the defaultNC or the DomainDNSZones partition intact and to delegate control of DNS Zone Administration, this procedure requires the creation of a custom application partition.


Update User Access without logoff and logon or restart

INTRODUCTION

Kerberos tickets are refreshed soon after they expire (generally after 10 hours), or when the user logs on interactively or the computer boots up while connected to the corporate network.

BACKGROUND

The Kerberos authentication protocol is more secure and efficient than the legacy NTLM authentication protocol. However, when an administrator updates the group membership of an Active Directory user object or computer object, the change takes effect only after the user logs off and logs on again, or after the computer is restarted.

Granting Temporary Admin Rights to Users

INTRODUCTION

SYNERGIX AD Client Extensions software allows domain users to hold elevated privileges for a specified duration (the default is 60 minutes). This is particularly useful when a user must install legacy applications or local printer drivers.

The software includes a Group Policy Administrative Template file that makes the feature easy to configure. Once the GPO is configured, the systems administrator merely adds the domain user account to a specific Active Directory security group (the default is “SYNERGIX ADCE Managed Domain Users – Apply Users”). Computers such as scientific lab PCs or other special-purpose PCs can also be excluded by adding their computer accounts to a specific Active Directory security group (the default is “SYNERGIX ADCE Managed Domain Users – Deny Computers”).

Making Drive Maps Work Over VPN Connection

INTRODUCTION

Group Policy preferences expand the range of configurable settings within a Group Policy object (GPO). These new extensions are included in the Group Policy Management Editor window under the new Preferences item. Examples of the new Group Policy preference extensions include folder options, mapped drives, printers, scheduled tasks, services, and Start menu settings.

BACKGROUND

Some Group Policy Preference items, for example Drive Maps, are processed in the foreground. This means they are processed only when the user logs on interactively while connected to the corporate network. This very useful feature reaches its limits when the scope is expanded to support remote users connecting with VPN client software, or laptop users resuming from standby on the corporate network.

Refresh Kerberos Tickets Without Logon or Restart

INTRODUCTION

Kerberos tickets are refreshed soon after they expire (generally after 10 hours), or when the user logs on interactively or the computer boots up while connected to the corporate network.

BACKGROUND

The Kerberos authentication protocol is more secure and efficient than the legacy NTLM authentication protocol. However, when an administrator updates the group membership of an Active Directory user object or computer object, the change takes effect only after the user logs off and logs on again, or after the computer is restarted.

Administrators and users have become used to this process; however, there is a more efficient method that improves the Windows user experience.

RESOLUTION


How to Synchronize Expired Active Directory Credentials

INTRODUCTION

Expired Active Directory user credentials that were changed by the administrator through the Active Directory management console, or by the user through Citrix Access Gateway Advanced Access Control and the VPN tunnel, are not updated on the client Windows XP computer.

BACKGROUND

Locally cached Active Directory credentials are not changed through the Access Gateway Advanced Access Control VPN tunnel. The computer does not contact the domain controller through the VPN tunnel, so the locally cached domain credentials are not updated until you log off the client computer and log on to the domain again.

Integrating Truecrypt with Active Directory

Not claiming any subject matter expertise in cryptography, this article merely looks at Truecrypt as a potential candidate for enterprise use and at the challenges faced by systems administrators managing such a tool.

(1) Asking users to change the Truecrypt (full disk encryption) password when they change their domain account password every 60 or 90 days. Ideally, if the same password is used for both the Active Directory domain account and Truecrypt, support calls can potentially be reduced.

(2) Allowing an IT security officer to recover the data when the password is forgotten.

From zero to boot in 0 seconds

INTRODUCTION

Simply leave your Microsoft(R) Windows(TM) based computer powered on, the way you leave your smartphone on all the time. That is going from zero to boot in 0 seconds! But it comes with a catch, or rather problems (lots of them), that your systems administrators do not want to deal with.

BACKGROUND

If your computer could probe for a network connection to your corporate network and perform the tasks that are skipped during a cached-profile (off-network) logon, you would have a Windows system that is up and running 24 x 7.

Changing domain password over VPN

INTRODUCTION

In an Active Directory environment, the default domain policy, specifically the password expiration policy, can cause resource access issues for VPN users, who typically log on with cached credentials. When their password is about to expire, they do not receive a password change notification, which ultimately results in their account being locked out.

BACKGROUND

This issue is typically resolved by the users calling the help desk to have their password changed. These help desk service requests translate into lost productivity and potential disruption of services to business users. Although sending email notifications is an option, it is not as effective a solution for changing the domain password over VPN. Users learn to treat such recurring notifications as spam and may start to ignore these password change notifications. Even otherwise, a significant number of remote users read such notifications while offline and then tend to procrastinate on the password change, since it requires them to re-establish the VPN connection.