Guardians of the Directory

Welcome to another episode of Guardians of the Directory, where we pull back the curtain on the real-world challenges in securing and managing Active Directory and hybrid identity environments. In this episode, Craig Birch is joined by Sander Berkouwer, identity veteran, Microsoft MVP, and author of the Active Directory Administration Cookbook, to have a brutally honest conversation about hybrid identity – and why it's more than just "messy"... it's broken.💡 Key Takeaways:Why Hybrid AD isn't just two directories, and how the real architecture adds a third (and sometimes fourth) layer of identity confusion.What’s really going wrong with Entra Connect Sync, delegated permissions, PowerShell lifecycle issues, and administrative sprawl.ADFS: still lingering, or finally on its way out? Why some orgs are stuck with legacy federation even today.The harsh truth about identity governance: the promise of Entra ID Governance, and the licensing challenges that come with it.What’s actually working for organizations today — and why baby-stepping IAM might be your smartest move yet.The real impact of role sprawl, just-in-time access challenges, and why elevated rights still haunt hybrid AD deployments.Fix or Fail: Craig and Sander rapid-fire common hybrid identity practices and decide what stays and what needs to go.The one thing Sander would fix today if he could: a surprising insight into replication and its ripple effect on the hybrid identity stack.🔧 Whether you're wrestling with federation headaches, struggling to consolidate IAM platforms, or just trying to get a handle on delegation and privilege creep, this episode lays out the problems — and a few practical ways forward.

Welcome back to Guardians of the Directory! In this episode, Craig Birch is joined once again by Zero Trust expert Jerry Chapman for a deep dive into the Zero Trust Blueprint—a practical model to help organizations shift from theory to execution. Jerry shares insights from his work as Co-Chair of the CISA Zero Trust Working Group and provides a clear framework covering assessment, strategy, roadmap development, and execution phases.Together, they explore:The critical role of business assets and protect surfacesThe importance of session management, privilege access, and standing permission hygiene in Active DirectoryCommon pitfalls organizations face as they mature their Zero Trust implementationsHow Zero Trust applies equally to human and non-human identities (including AI!)The value of visibility, automation, and governance in maintaining Zero Trust momentumIf you're looking for a realistic, actionable guide to embedding Zero Trust in your enterprise—and especially within Active Directory environments—this episode is your blueprint.Resources Mentioned:CISA Zero Trust Maturity ModelCISA Zero Trust Working GroupMicrosoft Entra PIMNext-gen IGA and Certificate Lifecycle ManagementGuest Bio:Jerry Chapman is a cybersecurity veteran with over 25 years of experience in identity and Zero Trust. He serves as a Co-Chair for the CISA Zero Trust Working Group and is a recognized thought leader in strategy-driven security.

In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down the often-misunderstood AdminSDHolder object in Active Directory and why it's a high-value target for attackers. Learn how the SDProp process uses it to secure privileged groups—and how misconfigurations or legacy permissions can open the door to persistent access.🔍 What you’ll learn:What AdminSDHolder and SDProp really doWhy this object matters for securing protected groupsHow attackers abuse it for persistenceHow to identify dangerous ACLs and misconfigurationsPowerShell tips to simplify your audit🛠️ PowerShell script to audit AdminSDHolder will be posted in the video description/comments.💡 If AdminSDHolder is compromised, your admin model is too.Subscribe for more quick-hit insights on Active Directory and Entra ID security.Powershell:Import-Module ActiveDirectory# DCSync-related GUIDs$dcsyncGUIDs = @( [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", [Guid]"89e95b76-444d-4c62-991a-0facbeda640c")# Noisy identities to ignore$noisyAccounts = @( "NT AUTHORITY\SELF", "NT AUTHORITY\SYSTEM", "NT AUTHORITY\Authenticated Users", "NT AUTHORITY\INTERACTIVE", "BUILTIN\Pre-Windows 2000 Compatible Access", "Everyone")# AdminSDHolder ACL retrieval$domainNC = (Get-ADDomain).DistinguishedName$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"$adminSDHolder = Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor$acl = $adminSDHolder.nTSecurityDescriptor# Admin group membership mappingfunction Get-AdminGroupMembers { param([string[]]$groupNames) $members = @() foreach ($name in $groupNames) { $group = Get-ADGroup -Identity $name $members += Get-ADGroupMember -Identity $group.DistinguishedName -Recursive | ForEach-Object { $_.SamAccountName } } return $members | Sort-Object -Unique}$adminGroups = @("Domain Admins", "Enterprise Admins", "Administrators")$adminMembers = Get-AdminGroupMembers -groupNames $adminGroups# Filter risky, non-default ACEs$dangerousACEs = $acl.Access | Where-Object { $_.AccessControlType -eq "Allow" -and -not ($noisyAccounts -contains $_.IdentityReference.Value) -and ( ($_.ActiveDirectoryRights -band "GenericAll") -or ($_.ActiveDirectoryRights -band "GenericWrite") -or ($_.ActiveDirectoryRights -band "WriteDacl") -or ($_.ActiveDirectoryRights -band "WriteOwner") -or ($_.ActiveDirectoryRights -band "CreateChild") -or ($_.ActiveDirectoryRights -band "Delete") -or ($_.ActiveDirectoryRights -band "DeleteTree") -or ($_.ActiveDirectoryRights -band "ExtendedRight") )}# Output$dangerousACEs | Select-Object ` IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, @{Name="ACEType"; Expression={ if ($_.ActiveDirectoryRights -band "GenericAll") { "GenericAll" } elseif ($_.ActiveDirectoryRights -band "GenericWrite") { "GenericWrite" } elseif ($_.ActiveDirectoryRights -band "WriteDacl") { "WriteDacl" } elseif ($_.ActiveDirectoryRights -band "WriteOwner") { "WriteOwner" } elseif ($_.ActiveDirectoryRights -band "CreateChild") { "CreateChild" } elseif ($_.ActiveDirectoryRights -band "Delete") { "Delete" } elseif ($_.ActiveDirectoryRights -band "DeleteTree") { "DeleteTree" } elseif ($_.ActiveDirectoryRights -band "ExtendedRight") { if ($dcsyncGUIDs -contains $_.ObjectType) { "DCSync" } else { "ExtendedRight" } } else { "Other" } }}, @{Name="IsAdminGroupMember"; Expression={ $sam = $_.IdentityReference.Value.Split("\")[-1] $adminMembers -contains $sam }} | Format-Table -AutoSize

🔍 Admin Accounts with SPNs — Hidden Risk Behind Kerberoasting | Directory Insights in 10 MinutesIn this episode, Craig Birch breaks down a major Active Directory security blind spot: Kerberoasting via privileged accounts with SPNs (Service Principal Names).You'll learn how attackers exploit these accounts — and how to find, assess, and fix the risk without breaking your apps.Straightforward, no fluff — just practical identity security guidance.🛠️ What You’ll Learn🔐 What SPNs are — and why they matter⚠️ How attackers use them in Kerberoasting attacks🖥️ Why ADUC isn’t enough for visibility💻 PowerShell + LDAP filters for fast discovery🧠 SDProp and how it flags privileged accounts🤝 Why app owner collaboration is critical🔁 Safer alternatives: gMSAs, strong passwords, and role reviews❌ Why auto-remediation can break things💡 PowerShell SpotlightpowershellCopyEditGet-ADUser -LDAPFilter "(&(admincount=1)(servicePrincipalName=*))" -Properties servicePrincipalName | Select-Object Name, servicePrincipalNameUse this to find privileged accounts with SPNs — the ones most at risk of Kerberoasting.✅ Quick TakeawaysScript it — don’t rely on ADUCNever auto-remove SPNs without impact analysisTalk to app owners before changesHarden service accounts or switch to gMSAsMonitor SDProp-marked accounts to shrink attack surface💬 Found this helpful? Like, share, or comment! Got a topic you want us to cover in 10 minutes or less? Drop it below — we’re listening.

In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down one of the most overlooked Active Directory misconfigurations: the "Do not require Kerberos pre-authentication" setting.🔍 Why it matters:Enables AS-REP Roasting attacks using tools like Hashcat or John the RipperAllows silent user enumeration without authentication failuresCan go undetected by SIEMs and security logs🛠️ What you'll learn:How this setting weakens AD securityHow attackers abuse it for initial access and password crackingHow to detect and remediate affected accounts using PowerShell🧠 Practical, fast, and built for real-world AD admins—no fluff.▶️ Chapters: 00:00 - Intro00:45 - Why “Do Not Require Pre-Auth” Is Dangerous02:30 - AS-REP Roasting Explained03:20 - Finding Vulnerable Accounts (GUI + PowerShell)05:40 - Remediation Script Walkthrough08:20 - Final Recommendations📥 PowerShell Script:# Import the Active Directory moduleImport-Module ActiveDirectory# Find user accounts that do not require Kerberos preauthentication$users = Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth# Display the accounts that do not require Kerberos preauthentication$users | Select-Object Name, SamAccountName, UserPrincipalName# Pause for confirmation before remediationRead-Host -Prompt "Press Enter to remediate these accounts"# Remediate all accounts by setting DoesNotRequirePreAuth to $falseforeach ($user in $users) { Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false}

Welcome to another episode of Directory Insights in 10 Minutes, powered by Guardians of the Directory. In this quick-hitting session, host Craig Birch walks through the process of identifying and remediating accounts in Active Directory that still rely on outdated Kerberos DES encryption.🔐 DES is insecure and easily exploited by attackers. Craig shows you how to detect and update these accounts using both GUI and PowerShell—so you can act fast to protect your environment.👉 If you find this helpful, give us a like, drop a comment, and suggest a topic for a future episode!Why DES-only encryption is dangerous in modern AD environmentsHow to detect DES accounts using PowerShellRemediation using Set-ADUserAccountControlUpgrading users to use stronger AES encryptionFast, actionable tips to secure your Active Directory🛠️ Key Takeaways:Why DES-only encryption is dangerous in modern AD environmentsHow to detect DES accounts using PowerShellRemediation using Set-ADUserAccountControlUpgrading users to use stronger AES encryptionFast, actionable tips to secure your Active Directory

Summary:In this episode of Directory Insights in 10 Minutes, we dive into a critical yet often overlooked Active Directory misconfiguration—Allowing Password Storage with Reversible Encryption.This setting can override password policies, leaving user credentials exposed to plaintext extraction through common attacker tools like Mimikatz and DCSync.🚨 Key Takeaways:✅ How this misconfiguration bypasses domain password policies✅ How attackers can extract plaintext passwords using AD credential dumping tools✅ How to find vulnerable accounts using PowerShell✅ How to remediate and secure your AD environment

Episode OverviewIn this episode of Directory Insights in 10 Minutes, we’re exposing a dangerous yet overlooked Active Directory misconfiguration—PasswordNotRequired.Most AD admins assume password policies protect all accounts. They don’t. This attribute allows accounts to override domain password policies, making them vulnerable to blank passwords and easy takeovers.What is the "Password Not Required" Attribute?A hidden AD attribute that allows accounts to exist without a password.Bypasses domain password policies, including length, complexity, and history requirements.Affects privileged accounts, service accounts, trust accounts, and regular users.Why is This a Risk?Attackers (or insiders) can reset the password to blank and gain instant access.Any account with this misconfiguration is an easy target for privilege escalation.Most AD admins don’t even know this setting exists—but attackers do.

Directory Insights in 10 Minutes – Episode 1🛡️ AD’s Biggest Misconfiguration – Fix It Now!Description:Welcome to the first episode of Directory Insights in 10 Minutes, brought to you by Guardians of the Directory. This series is all about cutting through the noise—no fluff, no filler—just real-world, practical security insights for Active Directory and Entra ID admins.In this episode, we’re exposing the #1 misconfigured setting in Active Directory—one that attackers love and admins often overlook. Even today, in 2025, this security gap exists by default in every new AD deployment.What You’ll Learn:✅ Why the built-in Administrator account (RID 500) is vulnerable out of the box✅ How attackers abuse Kerberos delegation to impersonate admin accounts✅ Why Microsoft’s security guidance is buried in a 2,000-page document✅ The one checkbox that removes this attack path instantly✅ Why Protected Users group doesn’t fully mitigate this risk🛠️ Quick Fix:1️⃣ Go to RID 500 account properties2️⃣ Under the Account tab, check "Account is sensitive and cannot be delegated."3️⃣ Apply this setting to all administrative accounts4️⃣ Implement this as part of your ongoing security process

SummaryIn this episode of Guardians of the Directory, host Craig Birch interviews Kevin Kampman, a veteran in directory services, discussing the evolution of Active Directory, its challenges, and the future of directory management. They explore the historical context of directory services, the impact of cloud technology, and the importance of naming conventions in directory management. Kevin shares valuable lessons for today's directory administrators and offers insights into the future landscape of directory services, emphasizing the need for adaptability and understanding of complex systems.Key TakeawaysActive Directory has evolved significantly since its inception in 2000.The integration of cloud services has introduced new challenges for directory management.Naming conventions are critical for effective directory administration.Understanding the history of directory services is essential for future success.The future of directory services will involve more complexity and interconnectivity.AI will play a significant role in managing directory services in the future.Organizations must adapt to changing technology landscapes to remain effective.Collaboration between different teams is crucial for successful directory management.Risk assessment is important in directory administration.Continuous learning and mentorship are vital for new directory administrators.

Summary In this episode of Guardians of the Directory, Craig Birch and Jerry Chapman delve into the concept of Zero Trust in cybersecurity. They discuss its principles, models, and the importance of identity-led security. The conversation highlights the five pillars of Zero Trust, the challenges organizations face with data management, and the complexities of securing applications in a cloud environment. They emphasize the need for continuous governance, automation, and practical steps organizations can take to implement Zero Trust effectively. The episode concludes with advice on starting small and making incremental improvements in security practices. Key Takeaways Zero Trust is not just a buzzword; it's a necessary strategy. Identity-led security is fundamental to Zero Trust. Organizations struggle with data management in a Zero Trust framework. Continuous governance is essential for maintaining security. Automation and orchestration are critical for Zero Trust success. The five pillars of Zero Trust include identity, networks, devices, data, and applications. Visibility and analytics are crucial for effective security measures. Explicit allow is a key goal in Zero Trust architecture. Organizations should focus on practical steps to implement Zero Trust. Improvement in security practices should be incremental, not perfect.

Chad Nichols discusses the complex challenge of restoring Active Directory after a ransomware attack without risking reinfection. He sheds light on the pitfalls of traditional backup methods, which often carry residual malware, and stresses the importance of clean recovery strategies. This critical insight highlights the balance between operational urgency and long-term security.

Summary In this episode of Guardians of the Directory, host Craig Birch engages with John Harper, founder of Hackers Teaching Hackers, to discuss the evolution of cybersecurity education, the importance of community sharing, and the vulnerabilities within Active Directory. They explore the offensive security landscape, the significance of hands-on learning, and practical strategies for strengthening Active Directory security. The conversation also delves into the journey of becoming a red teamer and the resources available for aspiring cybersecurity professionals. Key Takeaways Hackers Teaching Hackers started as a grassroots initiative to share knowledge. Active Directory is often poorly managed, leading to significant security vulnerabilities. Community sharing in cybersecurity has improved over the years. Hands-on learning is crucial for understanding security concepts. Imposter syndrome is prevalent in the cybersecurity community. Active Directory hygiene is essential for organizational security. Real-time monitoring of Active Directory changes is critical. Penetration testing should include Active Directory in scope. Networking and mentorship are vital for career growth in cybersecurity. Continuous learning and community involvement are key to success in red teaming.

In this episode of Guardians of the Directory, Craig Birch and Derek Melber delve into the complexities of Active Directory security, focusing on the stealthy threats posed by shadow permissions, DC Shadow, and DC Sync. They discuss the historical context of these vulnerabilities, the role of applications in creating shadow permissions, and the importance of cleaning up orphaned SIDs. The conversation also covers best practices for managing service accounts and highlights critical areas within Active Directory that administrators should monitor. The episode concludes with actionable recommendations for improving security posture. Key Takeaways Active Directory is a critical component of identity infrastructure. Shadow permissions can be exploited by attackers without detection. Many organizations lack visibility into their Active Directory permissions. Cleaning up orphaned SIDs is essential for security. Service accounts should have strong passwords and limited privileges. Regular audits of Active Directory are necessary to identify risks. Applications can inadvertently create shadow permissions. Understanding the baseline permissions is crucial for security. PowerShell can be a powerful tool for managing Active Directory. Start with small changes to improve security posture.

Summary This conversation delves into the critical issue of cybersecurity in K-12 education, highlighting the vulnerabilities schools face due to budget constraints, lack of training, and the unique challenges of supporting a diverse student population. Jason, an IT expert, shares insights on the value of school data to cybercriminals, recent case studies of cyber attacks, common attack methods, and the importance of having robust recovery plans and security measures in place. The discussion emphasizes the need for schools to be proactive in their cybersecurity efforts to protect sensitive information and ensure the safety of their students. Key Takeaways K-12 schools are increasingly targeted by cybercriminals due to their vulnerabilities. Budget constraints often lead to compromised security in educational institutions. Student information systems contain valuable data that can be exploited by attackers. Recent cyber attacks have caused significant disruptions in school operations. Phishing and password stuffing are common attack methods in schools. Implementing multi-factor authentication is challenging in K-12 environments. Schools need a solid cybersecurity response plan to handle incidents effectively. Backup plans are essential for maintaining educational continuity during cyber incidents. IT departments must document and test recovery plans regularly. Being proactive in cybersecurity can deter potential attackers.

In this episode of Guardians of the Directory, Craig Birch and Chad Nichols discuss the critical steps needed to recover from a ransomware attack that targets Active Directory. They explore the challenges organizations face during such attacks, the importance of having a solid recovery strategy, and the lessons learned from real-world experiences. The conversation emphasizes the need for preparedness, security measures during recovery, and the implementation of best practices to prevent future attacks. takeaways Active Directory is the backbone of the network. Ransomware attacks can encrypt all systems quickly. Assessing damage post-attack is crucial. Recovery strategies must be well-planned. Traditional backup solutions may not suffice. Isolating infected systems is essential during recovery. New accounts should be created for privileged users post-recovery. Implementing zero trust security policies is vital. Regular testing of recovery procedures is necessary. Learning from past experiences can improve future responses.

In this inaugural episode of Guardians of the Directory, join Craig Birch, Principal Security Engineer and Technical Evangelist at Cayosoft, as he introduces himself and the mission of this podcast dedicated to Active Directory (AD) and Entra ID management, security, and recovery. With over two decades of experience in identity security and a passion for helping AD administrators and security professionals alike, Craig dives into the critical role AD and Entra ID play in today’s enterprise environments. Why focus on a technology that’s been around for 24 years? AD and Entra ID remain at the core of over 90% of organizations worldwide, often becoming prime targets for cyber attackers who seek privilege escalation paths. Each episode, Craig will share actionable insights, best practices, and expert interviews on topics ranging from AD basics to advanced defense strategies. Whether you're an AD admin, security expert, or curious learner, tune in bi-weekly for updates on key challenges and emerging solutions. Subscribe to Guardians of the Directory wherever you get your podcasts and stay one step ahead in protecting your organization’s backbone. Stay guarded, stay informed—be the Guardian of your directory!

Summary In this episode of Guardians of the Directory, Craig Birch and Mike Brennan discuss the evolving landscape of cybersecurity, particularly focusing on identity security and the challenges organizations face in preventing ransomware attacks. They explore the inadequacies of traditional security measures, the importance of proactive strategies, and the need for continuous monitoring and modern recovery solutions. The conversation emphasizes the necessity for organizations to rethink their security approaches to effectively combat the growing threat of ransomware. Takeaways Organizations are still struggling with stopping ransomware attacks despite having security solutions in place. Ransomware is evolving, and traditional defenses are often inadequate. Endpoint protection is challenging due to the proliferation of devices and remote work. Vulnerability management is hindered by inconsistent patching and the speed of zero-day exploits. Privileged Access Management (PAM) is crucial but often overlooked in identifying all privileged accounts. Multi-Factor Authentication (MFA) is not a silver bullet and has its limitations. SIEM systems can be overwhelmed by alerts and may not detect sophisticated attacks. Pen testing provides valuable insights but should be complemented with continuous monitoring. Backup and recovery strategies need to be proactive and air-gapped to prevent reinfection. Organizations must adopt a holistic approach to security, focusing on identity and access management. Chapters 00:00 Introduction to Identity Security and Ransomware Threats 03:02 The Evolution of Cybersecurity Defenses 06:04 Endpoint Protection Challenges 08:59 Vulnerability Management and Patching Issues 11:57 The Importance of Privileged Access Management 14:56 Understanding Multi-Factor Authentication Limitations 18:13 The Role of SIEM in Modern Security 22:03 Pen Testing and Continuous Monitoring 27:06 Backup and Recovery Strategies 36:03 Conclusion: Rethinking Security Approaches