Microsoft MVP '09-Present. We design & build HA solutions for on-premises, data centre, & hybrid. Workload Migration Specialists. Active Directory Security.

Joined August 2011
Pinned Tweet
ACTIVE DIRECTORY IS KING OF SIMPLICITY THUS SECURITY!!! In Server Manager, after being prompted for credentials on the Secure Desktop, we have _all_ of the AD Consoles and PowerShell interface. How many is that? About half a dozen. Between Active Directory Users & Computers, the Group Policy Management Console (GPMC) and PowerShell we have about 90% of what we need. AD Sites & Services, DNS, and DHCP consoles round out the principal methods we manage a UserVille, Infrastructure, Dev, DMZ, or other ADDS Forest/Domain in our secure KISS (Keep It Simple S______) ADDS System. How is any one person, or team of persons, supposed to keep track and manage all of this? IMNSHO, this complexity is the worst "We're more Secure" model in existence! I suggest bookmarking this site: msportals.io/ * Note the scrollbar in the snips!!!
ACTIVE DIRECTORY IS STILL KING! Imagine the absolute pain, and not realizing one is _in_ that pain, of having started a business in the Cloud First/Cloud Native era, so about the last 15 years, and managing a 100 or 1,000, or 10,000 user network in what is essentially a Peer-to-Peer workgroup setup! 8-O Cloud Managed: Deploy 100 new Desktops Cloud Tool: Huh? Oh, you want me to do what? Okay ... Active Directory Managed: Join domain using PowerShell dropping the 100 new desktops into the Deployment OU, go have coffee, come back to 100 user ready systems. Oh, and in the AD scenario the 100 new users were set up in a similar manner. They come out with their AD permissions, Remote permissions, Exchange Server mail permission, SharePoint on-premises permissions, and so much more. And, guess what? Yeah, the user provisioning took a couple of minutes.
PUSH THAT PASSWORD IN AN UNRELATED E-MAIL eu.pwpush.com/p/new ^^^ The URL changed due to the company introducing their PRO series products. This link allows for a quick password or other sensitive information send. The Files service requires PRO.
Philip Elder retweeted
The reason is quite hilarious 😂😂. Microsoft put $50 billion into Anthropic. FIFTY billion dollars. they are a Project Glasswing partner. Fable 5 runs inside Azure. Microsoft sells Claude to its own enterprise customers through Microsoft 365 and GitHub Copilot. and they won't let their own employees use it. here's why. under Anthropic's new Mythos-class data retention policy, every prompt you type and every response you get is stored for 30 days. automatically. no opt out. if their safety classifiers flag anything in your session, anything, they keep it for up to two years. you don't get told when that happens, what was flagged or who can see it. Microsoft employees paste confidential contracts into these things. customer data. internal roadmaps. acquisition strategies. legal documents. source code. all of it sitting on Anthropic's servers for 30 days minimum. flagged sessions for two years. so the company that invested $50 billion looked at that policy and told its staff: actually hold on. other Claude models still work internally. under Zero Data Retention rules. the normal ones are fine. just not the most powerful one they helped fund. and one more thing. the Pentagon listed Anthropic as a supply chain risk in March and banned defense contractors from using its products. Microsoft funds Anthropic. sells Anthropic's models. runs them on Azure. helped build the most powerful one. won't let employees use it. the Pentagon won't let defense contractors near it. the safeguard that makes Fable 5 safe enough to release publicly is the same safeguard that lets Anthropic keep your data for two years. the guardrail is a data retention policy. but you can use it. it's in your browser right now. 🌚 have fun.
JUST IN: Microsoft has reportedly restricted employee use of Claude Fable 5 over concerns that confidential data could be retained by Anthropic.
MEMORY PRICES ARE CRAZY!
Dell Pro Max 16 Plus
- Intel Ultra 7
- 16GB RAM (Huh?)
- 512GB NVMe Drive
- NVIDIA RTX 1000
- 1920x1200 FHD No-Touch
- 3 Year full warranty
- Base Price is 70% over August 2025
Bump to 32GB RAM is $750.00
Bump to 64GB RAM is $1,725.00
Nuts!
Philip Elder retweeted
Jun 11
Fable 5 lies 96% of the time. We were surprised by its skill... 🧵
How dead is Active Directory? According to NAIC census data as of December 2024, there were about 1.5 million businesses in the US with 10 employees. Even with conservative estimates, the number of businesses that STILL have AD is not insignificant. Active Directory is alive and well and continues to be a major infrastructure component for many, many organizations. That means that Active Directory will continue to be attacked. That also means that learning to defend Active Directory will continue to be important.
LETTER TO INSURANCE: BUSINESS CONTINUITY DEFINED/EXPLAINED
The following is the e-mail we sent to our fire client's insurance company because they were having a difficult time trying to categorize what we've been doing to keep the business up and running, that is Business Continuity, once they started moving in to the new location.
* Unfortunately, I can't embed the egg basket pics in the text below so a pic of the actual letter is attached.
** EGG BASKET: IT Infrastructure In Production
** FADED EGG BASKET: IT Infrastructure In Backups
*** Who'd Think they'd be so colourful eh? ;-)
[QUOTE]
Categorizing our invoices is explained by a simple analogy as follows:
1: Fire Client IT at Fire Client Old Address, Edmonton
- Information Technology Infrastructure
-- Systems and workloads
-- 📷 EGG BASKET
- IT Infrastructure Backup Structure
-- 1: On System
-- 2: Local
-- 3: Cloud
-- 1: 📷 FADED 2: 📷 FADED 3: 📷 FADED
2: Fire at FIRE CLIENT OLD ADDRESS
- Site assessment led to loss of work
3: Disaster Recovery Procedure: Restore for Business Continuity
- We restored the Local Backup version to our DRaaS systems
- 3 Days across the Labour Day Long Weekend
- Backup 2: 📷 FADED Restore --> DRaaS 📷 BASKET
4: Disaster Recovery Plan Procedure: NEW LOCATION secured
- Alternate new location
5: NEW LOCATION: Ongoing Business Continuity
- Migrate each IT component from our DRaaS to NEW LOCATION IT Infrastructure
- MPECS DRaaS Systems: 📷 BASKET --> NEW LOCATION IT Systems 📷 BASKET
- Each IT Component is being migrated one by one from our DRaaS Systems to NEW LOCATION IT Systems
-- That's one egg at a time from our DRaaS systems to the NEW LOCATION Systems
- Each IT Component is _migrated_ to preserve Fire Client business continuity
30 Aug 2025
DISASTER STRIKES! FIRE! DISASTER RECOVERY HERE WE GO! We had to walk this Disaster Recovery Plan process all the way through to their VMs that are now restoring on our DRaaS system so that they can get up and running by Tuesday AM. The Disaster Recovery Plan _MUST_ be thorough with a concise step-by-step because when the adrenalin is flowing, and folks are at 115% and stressed, the process will be a lot easier. Oh, and the Plan must be practiced on both sides. Us and them! VERY IMPORTANT NOTE: SMOKE AND SOOT VOIDS WARRANTIES! The fire was at the other end of the building but the soot is thick on everything. So far, our server ODM and Dell have both confirmed in writing that their warranties are void for all IT equipment under their brand. Fortunately, there's no water damage or fire damage. The firewall took care of stopping the fire on the other side of the building. And, Veeam is a treat. Plug in their backup drives, import, decrypt, and we're restoring. Easy peasy. That makes a stressful situation that much less stressful. :0) .@Veeam awesome job on the product folks!
Business Plug: WATERSPORTS WEST SURF & PADDLE SHOP in Largo, Florida. watersportswest.com/ Great folks! A family owned business with great stories to tell. It's been my favourite stop for a number of years on the way in to our vacation stay on the Gulf of America! :0) The Bohweemuth is a bit sticker bare. It's a relatively fresh 17" Dellosaurus. :0)
MICROSOFT OFFICE: CHECK OUT/IN & VERSIONING ON THE RIBBON
Make SharePoint Online managed content and versioning really easy to work with!
To add the Check Out, Check In, and Versioning buttons to the Office app Ribbon:
- Click the Customize dropdown on the Ribbon
- Click More Commands
- Change Choose Commands From to: All Commands
- Add: Check Out, Check In, Server
Users will need to repeat for each Office app unfortunately. And, I don't see an obvious way in the Microsoft Office Group Policy ADMX files to add them there.
HARDWARE PRICE COMPARISON
September 1st, 2025 : May 28th, 2026 in CA$
64GB DDR5 PC5-5600 ECC Micron $485 : $3,600
64GB DDR4 PC4-3200AA ECC Micron $250 : $1,200 (Used)
10TB Seagate EXOS SATA $375 : $850
1.92TB Kingston SED600M SATA SSD $390 : $1,890
That's just a sampling of what we're seeing for price differences as of today May 28th, 2026. Crazy eh?
FYI: We're building with larger ECC DIMMs in fewer counts to meet our memory demand. Leaving channels open leaves us room for later hopefully after the AI Bubble pops!
One more: PNY RTX 5000 Blackwell Workstation (Blower) Edition has jumped $6K per unit in the last 4-6 weeks!
Correction PNY RTX 6000 Blackwell Workstation (Blower) Edition has jumped by $6K per unit in the last 4-6 weeks.
ACTIVE DIRECTORY GROUP POLICY: BLOCK NEW OUTLOOK Download and update your Group Policy Central Store with the new ADMX files for Office 2024: microsoft.com/en-us/download… From there, set: Manage Automatic setup of classic Outlook accounts in new Outlook: DISABLED It goes without saying that we should not have to opt out of the pilfering of our users' logon name, password, and entire mailbox contents up to the Microsoft Mother Ship. But we do.😡
Experts Exchange Question by Don: How to protect computers from the new computer attacks from software like Mythos?
My answer which is, I think, pretty good thus worth sharing! :0)
[QUOTE]
Don,
TL;DR Layers Don. Layers. In the end, Train the Human™ is the best way to mitigate.
***
You have a bunch of really good answers. But, I have a question for you, yes it is facetious bordering on sarcastic: Are you a praying man Don? ;-)
Firstly:
Humans are not perfect
Humans code
Therefore, code is not perfect.
^^^ Let's get that out of the way.
Secondly, let's talk about the two methods vulnerabilities appear in code:
1: As above - To err is human …
2: Deliberate
- See University of Minnesota Hypocrite Commits for a Linux variant
- SMBv1 (EternalBlue) - There's no way Microsoft didn't know that it had been weaponized
- SPECTRE (CPUs)
- Backdoors in hardware and firmware
- vPro - Yeah, there's tinfoil hat here but do the research
So, where does that leave us?
1: Most certainly the Security Theatre folks will prey upon the more FUD oriented folks.
2: Buying up a bunch of RTX 3090s and getting our own models/Mythos going
3: Realizing that some of what we see in tech had creators, some being malicious, that never foresaw Crowd Sourced code fuzzing for vulnerabilities
IMNSHO, Crowd Source fuzzing is the best thing that has happened in tech because it's forcing, FORCING, vendors to actually clean up their code if #1 or realize that someone will find that SolarWinds code plant at some point.
[/QUOTE]
I am now of the mind that we need to build out some infrastructure here, which we are in the process of doing, to set up our own AI models/agents and more. I've seen enough to see that there are benefits to be had so long as there are solid guardrails in place. Though, Mythos does make those guardrails disappear doesn't it? ;-)
experts-exchange.com/questio… .@ExpertsExhange
SUGGESTION: CHECK YOUR AZURE/M365 BILLING PROFILE(S) Yes, a not default billing profile can be set up that got in via token theft or other such method and no, no notifications get sent out when that new billing profile gets created. So, check for rogue billing profile(s)!
WOLTERS KLUWER CORPORATE TAXPREP T2 2026V1 The .NET version needed is the .NET Desktop Runtime v10.x.x! dotnet.microsoft.com/en-us/d… We're seeing accounting firm clients sending out install notices with an SDK link so something must be wrong with the .@Wolters_Kluwer instructions.
Active Directory Hardening Awesomeness! These are all no-brainers with all of them residing within IT's easy reach with absolutely _no excuses_ for any of them NOT to be done!
List Add: At #1 or #2:
1: Enable UAC for _all_ elevation requests _including administrator_ on the Secure Desktop. No exceptions.
** IT get used to the initial prompt for Server Manager then open a PowerShell window from there.
*** Start CMD
*** Start TaskMgr
*** Start ResMon
NOTE 1: Yes, this includes UserVille. Use LAPS (Local Administrator Password Solution) for the credentials prompt.
NOTE 2: Train users that an out of the blue UAC Prompt is _EVIL_ and should be reported to IT STAT!
NOTE 3: For Remote Desktop Services Session Hosts and RemoteApps hosts all users should be set to DENY elevation requests!
NOTE 4: For all sites we manage UAC prompts on server system desktops also hit a DUO digits MFA request. No exceptions.
Spencer List Highlights for me:
** Train the Human - this is always the weakest link
** Run the Disaster Recovery Plan over and over
** Test restore backups fully - spot file/folder does NOT count
** MFA integration (we use DUO)
35 ways to harden your Active Directory environment
1. MFA everywhere, without exceptions
2. Create a patch cadence you can stick with, and stick to it
3. You don't need more domain admins, limit it like anyone who has it is cursed
4. You can't protect what you don't know exists, inventory is essential
5. Segment your network like your career depends on it
6. If it absolutely doesn't need to be on the internet, it shouldn't be
7. EDR alone will not save you, diversify your threat detection strategy
8. Application control can be one of the hardest controls to defeat, use it
9. Deception technology is essential for today's modern threats, learn it and use it well
10. Email security tools are great, but don't forget out of band processes are key especially for money transfers
11. Teach users the basics of social engineering red flags, don't phish them yourself
12. If you don't test your backups, you don't have backups
13. If you don't test your DR plan you don't have a plan
14. If you don't follow the 3-2-1 rule for backups you don't have backups
15. Backups in Steve's basement don't count
16. Rotating passwords regularly for no good reason is counter productive and the less secure option
17. 99% of vulnerabilities don't matter, spend your time identifying the ones that could hurt you and address those first
18. Vulnerability scanning doesn't show the whole picture, pentesting is a must
19. Hunting for misconfigurations yourself is a necessary part of good systems engineering
20. The cloud is not more or less secure than on-prem, it's your strategy that matters most
21. Service accounts should be treated like radioactive material, tightly scoped and constantly monitored
22. Under no circumstances should the built in admin account be a service account
23. Domain admins should not be service accounts either
24. Active Directory permissions drift over time, assume yours already has
25. If you can't explain why something needs admin rights, it shouldn't
26. If you can't explain why someone needs admin rights, they shouldn't
27. Separate admin work from daily work, identity debt is real
28. Don't reuse local admin passwords, LAPS is easy, use it
29. Security tools don't replace good engineering, they amplify it
30. If fixing it later is the plan, it's not a plan
31. Boring but consistent security beats clever hacks every time
32. If you don't know if you have misconfigured ADCS, you probably do
33. After every change in ADCS, run Invoke-Locksmith
34. After every delegation change in AD run Invoke-ADeleginator
35. Use AppLocker Inspector to audit your AppLocker policies.
🏷️Bookmark this so you can come back to it later.
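An added example, not code from either of the posts above, that turns two of their points into a repeatable check: the UAC policy values behind "Enable UAC for all elevation requests, including administrator, on the Secure Desktop" (with the DENY variant for RDS Session Hosts), and the "service accounts in Domain Admins / built-in admin as a service account" warnings in items 3 and 21-23 of the list. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory module; the registry path and value names are the documented HKLM policy locations that the "User Account Control" Group Policy settings write to, and the group list and finding labels are this example's own choices.

```powershell
# Added example, not code from the original posts. Audits the UAC policy values
# behind "all elevation requests on the Secure Desktop, including administrator",
# then lists privileged-group members that look like service accounts.
# Assumes: domain-joined admin workstation, RSAT ActiveDirectory module installed.

# Documented location the "User Account Control" GPO settings are written to.
$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-ExpectedUacPolicy {
    param(
        # Set on RDS Session Hosts / RemoteApp hosts: standard-user elevation
        # requests are denied outright instead of prompting for credentials.
        [switch]$SessionHost
    )
    $expected = @{
        EnableLUA                  = 1  # UAC enabled at all
        PromptOnSecureDesktop      = 1  # prompts appear on the Secure Desktop
        ConsentPromptBehaviorAdmin = 1  # admins: prompt for credentials on the Secure Desktop
        FilterAdministratorToken   = 1  # built-in Administrator also runs in Admin Approval Mode
    }
    # Standard users: 0 = automatically deny; 1 = prompt for credentials on the
    # Secure Desktop (where the LAPS password gets typed on user desktops).
    $expected['ConsentPromptBehaviorUser'] = if ($SessionHost) { 0 } else { 1 }
    return $expected
}

function Test-UacPolicy {
    param([switch]$SessionHost)
    $expected = Get-ExpectedUacPolicy -SessionHost:$SessionHost
    $actual   = Get-ItemProperty -Path $UacPolicyPath -ErrorAction Stop
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $value = $actual.$name   # $null when the value has never been set by policy
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $value
            Compliant = ($value -eq $expected[$name])
        }
    }
}

function Get-PrivilegedAccountRisk {
    param(
        # Groups to review; extend with any Tier 0 groups your forest uses.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($group in $Groups) {
        # -Recursive flattens nested groups so indirect members are not missed.
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($member in $members) {
            $user = Get-ADUser -Identity $member.distinguishedName `
                        -Properties ServicePrincipalName, PasswordNeverExpires, LastLogonDate
            $findings = @()
            # An SPN on a privileged account is the classic "service account in Domain Admins".
            if ($user.ServicePrincipalName.Count -gt 0) { $findings += 'HasSPN' }
            if ($user.PasswordNeverExpires)              { $findings += 'PasswordNeverExpires' }
            # RID 500 is the built-in Administrator; it should never carry an SPN.
            if ($user.SID.Value -eq "$domainSid-500") {
                $findings += 'BuiltInAdministrator'
                if ($user.ServicePrincipalName.Count -gt 0) { $findings += 'BuiltInAdminUsedAsService' }
            }
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $user.SamAccountName
                LastLogonDate  = $user.LastLogonDate
                Findings       = ($findings -join '; ')
            }
        }
    }
}

# Usage: run as-is on a user desktop, or with -SessionHost on an RDS host, then
# review every privileged member that carries at least one finding.
Test-UacPolicy | Format-Table -AutoSize
Get-PrivilegedAccountRisk | Where-Object { $_.Findings } | Format-Table -AutoSize
```

A non-compliant row from Test-UacPolicy is a GPO that has drifted or never applied; an Actual of $null means the setting has never been set by policy and the machine is running on Windows defaults. Any row from Get-PrivilegedAccountRisk with HasSPN or BuiltInAdminUsedAsService is exactly the pattern items 22 and 23 tell you to remove.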
Many, many, many moons ago there was a promise: The PC would shorten everyone's work week to 4 days or better! The machines would do the work! Well, here we are and we've been feeding the machines. But, we're no longer "fast" enough to keep the machines fed. So, now we get machines feeding machines. "The Machine Stops" E.M. Forster Yeah, who has time to review that code? See: Amazon AWS
My whole argument regarding AI boils down to this: >>> AI increases output much faster than it increases certainty <<< Yes, it generates more code, more prototypes, more pull requests and more “solutions”. But every generated line still needs ownership, review, testing, debugging and long-term maintenance by humans. And I think the market currently underestimates how expensive that last part really is.
My very favourite is the appreciation from a user when something that has been bugging them for a while gets fixed _while they're in person_ as that's the only real way to make IT all warm and fuzzy! ;-)
Sysadmin life is both incredibly fulfilling and incredibly challenging all in the same 40 hour window. Sysadmins rule 🤘