Welcome to another episode of Guardians of the Directory, where we pull back the curtain on the real-world challenges in securing and managing Active Directory and hybrid identity environments. In this episode, Craig Birch is joined by Sander Berkouwer, identity veteran, Microsoft MVP, and author of the Active Directory Administration Cookbook, to have a brutally honest conversation about hybrid identity – and why it's more than just "messy"... it's broken.
💡 Key Takeaways:
Why Hybrid AD isn't just two directories, and how the real architecture adds a third (and sometimes fourth) layer of identity confusion.
What’s really going wrong with Entra Connect Sync, delegated permissions, PowerShell lifecycle issues, and administrative sprawl.
ADFS: still lingering, or finally on its way out? Why some orgs are stuck with legacy federation even today.
The harsh truth about identity governance: the promise of Entra ID Governance, and the licensing challenges that come with it.
What’s actually working for organizations today — and why baby-stepping IAM might be your smartest move yet.
The real impact of role sprawl, just-in-time access challenges, and why elevated rights still haunt hybrid AD deployments.
Fix or Fail: Craig and Sander rapid-fire common hybrid identity practices and decide what stays and what needs to go.
The one thing Sander would fix today if he could: a surprising insight into replication and its ripple effect on the hybrid identity stack.
🔧 Whether you're wrestling with federation headaches, struggling to consolidate IAM platforms, or just trying to get a handle on delegation and privilege creep, this episode lays out the problems — and a few practical ways forward.
Welcome back to Guardians of the Directory! In this episode, Craig Birch is joined once again by Zero Trust expert Jerry Chapman for a deep dive into the Zero Trust Blueprint—a practical model to help organizations shift from theory to execution. Jerry shares insights from his work as Co-Chair of the CISA Zero Trust Working Group and provides a clear framework covering assessment, strategy, roadmap development, and execution phases.
Together, they explore:
The critical role of business assets and protect surfaces
Common pitfalls organizations face as they mature their Zero Trust implementations
How Zero Trust applies equally to human and non-human identities (including AI!)
The value of visibility, automation, and governance in maintaining Zero Trust momentum
If you're looking for a realistic, actionable guide to embedding Zero Trust in your enterprise—and especially within Active Directory environments—this episode is your blueprint.
Resources Mentioned:
CISA Zero Trust Maturity Model
CISA Zero Trust Working Group
Microsoft Entra PIM
Next-gen IGA and Certificate Lifecycle Management
Guest Bio:
Jerry Chapman is a cybersecurity veteran with over 25 years of experience in identity and Zero Trust. He serves as a Co-Chair for the CISA Zero Trust Working Group and is a recognized thought leader in strategy-driven security.
In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down the often-misunderstood AdminSDHolder object in Active Directory and why it's a high-value target for attackers. Learn how the SDProp process uses it to secure privileged groups—and how misconfigurations or legacy permissions can open the door to persistent access.🔍 What you’ll learn:What AdminSDHolder and SDProp really doWhy this object matters for securing protected groupsHow attackers abuse it for persistenceHow to identify dangerous ACLs and misconfigurationsPowerShell tips to simplify your audit🛠️ PowerShell script to audit AdminSDHolder will be posted in the video description/comments.💡 If AdminSDHolder is compromised, your admin model is too.Subscribe for more quick-hit insights on Active Directory and Entra ID security.Powershell:Import-Module ActiveDirectory# DCSync-related GUIDs$dcsyncGUIDs = @( [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", [Guid]"89e95b76-444d-4c62-991a-0facbeda640c")# Noisy identities to ignore$noisyAccounts = @( "NT AUTHORITY\SELF", "NT AUTHORITY\SYSTEM", "NT AUTHORITY\Authenticated Users", "NT AUTHORITY\INTERACTIVE", "BUILTIN\Pre-Windows 2000 Compatible Access", "Everyone")# AdminSDHolder ACL retrieval$domainNC = (Get-ADDomain).DistinguishedName$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"$adminSDHolder = Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor$acl = $adminSDHolder.nTSecurityDescriptor# Admin group membership mappingfunction Get-AdminGroupMembers { param([string[]]$groupNames) $members = @() foreach ($name in $groupNames) { $group = Get-ADGroup -Identity $name $members += Get-ADGroupMember -Identity $group.DistinguishedName -Recursive | ForEach-Object { $_.SamAccountName } } return $members | Sort-Object -Unique}$adminGroups = @("Domain Admins", "Enterprise Admins", "Administrators")$adminMembers = Get-AdminGroupMembers -groupNames $adminGroups# Filter risky, non-default ACEs$dangerousACEs = $acl.Access | Where-Object { $_.AccessControlType -eq "Allow" -and -not ($noisyAccounts -contains $_.IdentityReference.Value) -and ( ($_.ActiveDirectoryRights -band "GenericAll") -or ($_.ActiveDirectoryRights -band "GenericWrite") -or ($_.ActiveDirectoryRights -band "WriteDacl") -or ($_.ActiveDirectoryRights -band "WriteOwner") -or ($_.ActiveDirectoryRights -band "CreateChild") -or ($_.ActiveDirectoryRights -band "Delete") -or ($_.ActiveDirectoryRights -band "DeleteTree") -or ($_.ActiveDirectoryRights -band "ExtendedRight") )}# Output$dangerousACEs | Select-Object ` IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, @{Name="ACEType"; Expression={ if ($_.ActiveDirectoryRights -band "GenericAll") { "GenericAll" } elseif ($_.ActiveDirectoryRights -band "GenericWrite") { "GenericWrite" } elseif ($_.ActiveDirectoryRights -band "WriteDacl") { "WriteDacl" } elseif ($_.ActiveDirectoryRights -band "WriteOwner") { "WriteOwner" } elseif ($_.ActiveDirectoryRights -band "CreateChild") { "CreateChild" } elseif ($_.ActiveDirectoryRights -band "Delete") { "Delete" } elseif ($_.ActiveDirectoryRights -band "DeleteTree") { "DeleteTree" } elseif ($_.ActiveDirectoryRights -band "ExtendedRight") { if ($dcsyncGUIDs -contains $_.ObjectType) { "DCSync" } else { "ExtendedRight" } } else { "Other" } }}, @{Name="IsAdminGroupMember"; Expression={ $sam = $_.IdentityReference.Value.Split("\")[-1] $adminMembers -contains $sam }} | Format-Table -AutoSize
🔍 Admin Accounts with SPNs — Hidden Risk Behind Kerberoasting | Directory Insights in 10 MinutesIn this episode, Craig Birch breaks down a major Active Directory security blind spot: Kerberoasting via privileged accounts with SPNs (Service Principal Names).You'll learn how attackers exploit these accounts — and how to find, assess, and fix the risk without breaking your apps.Straightforward, no fluff — just practical identity security guidance.🛠️ What You’ll Learn🔐 What SPNs are — and why they matter⚠️ How attackers use them in Kerberoasting attacks🖥️ Why ADUC isn’t enough for visibility💻 PowerShell + LDAP filters for fast discovery🧠 SDProp and how it flags privileged accounts🤝 Why app owner collaboration is critical🔁 Safer alternatives: gMSAs, strong passwords, and role reviews❌ Why auto-remediation can break things💡 PowerShell SpotlightpowershellCopyEditGet-ADUser -LDAPFilter "(&(admincount=1)(servicePrincipalName=*))" -Properties servicePrincipalName | Select-Object Name, servicePrincipalNameUse this to find privileged accounts with SPNs — the ones most at risk of Kerberoasting.✅ Quick TakeawaysScript it — don’t rely on ADUCNever auto-remove SPNs without impact analysisTalk to app owners before changesHarden service accounts or switch to gMSAsMonitor SDProp-marked accounts to shrink attack surface💬 Found this helpful? Like, share, or comment! Got a topic you want us to cover in 10 minutes or less? Drop it below — we’re listening.
In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down one of the most overlooked Active Directory misconfigurations: the "Do not require Kerberos pre-authentication" setting.🔍 Why it matters:Enables AS-REP Roasting attacks using tools like Hashcat or John the RipperAllows silent user enumeration without authentication failuresCan go undetected by SIEMs and security logs🛠️ What you'll learn:How this setting weakens AD securityHow attackers abuse it for initial access and password crackingHow to detect and remediate affected accounts using PowerShell🧠 Practical, fast, and built for real-world AD admins—no fluff.▶️ Chapters: 00:00 - Intro00:45 - Why “Do Not Require Pre-Auth” Is Dangerous02:30 - AS-REP Roasting Explained03:20 - Finding Vulnerable Accounts (GUI + PowerShell)05:40 - Remediation Script Walkthrough08:20 - Final Recommendations📥 PowerShell Script:# Import the Active Directory moduleImport-Module ActiveDirectory# Find user accounts that do not require Kerberos preauthentication$users = Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth# Display the accounts that do not require Kerberos preauthentication$users | Select-Object Name, SamAccountName, UserPrincipalName# Pause for confirmation before remediationRead-Host -Prompt "Press Enter to remediate these accounts"# Remediate all accounts by setting DoesNotRequirePreAuth to $falseforeach ($user in $users) { Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false}
Welcome to another episode of Directory Insights in 10 Minutes, powered by Guardians of the Directory. In this quick-hitting session, host Craig Birch walks through the process of identifying and remediating accounts in Active Directory that still rely on outdated Kerberos DES encryption.
🔐 DES is insecure and easily exploited by attackers. Craig shows you how to detect and update these accounts using both GUI and PowerShell—so you can act fast to protect your environment.
👉 If you find this helpful, give us a like, drop a comment, and suggest a topic for a future episode!
Why DES-only encryption is dangerous in modern AD environments
How to detect DES accounts using PowerShell
Remediation using Set-ADUserAccountControl
Upgrading users to use stronger AES encryption
Fast, actionable tips to secure your Active Directory
🛠️ Key Takeaways:
Why DES-only encryption is dangerous in modern AD environments
How to detect DES accounts using PowerShell
Remediation using Set-ADUserAccountControl
Upgrading users to use stronger AES encryption
Fast, actionable tips to secure your Active Directory
Summary:
In this episode of Directory Insights in 10 Minutes, we dive into a critical yet often overlooked Active Directory misconfiguration—Allowing Password Storage with Reversible Encryption.
This setting can override password policies, leaving user credentials exposed to plaintext extraction through common attacker tools like Mimikatz and DCSync.
🚨 Key Takeaways:
✅ How this misconfiguration bypasses domain password policies
✅ How attackers can extract plaintext passwords using AD credential dumping tools
✅ How to find vulnerable accounts using PowerShell
✅ How to remediate and secure your AD environment
Episode Overview
In this episode of Directory Insights in 10 Minutes, we’re exposing a dangerous yet overlooked Active Directory misconfiguration—PasswordNotRequired.
Most AD admins assume password policies protect all accounts. They don’t. This attribute allows accounts to override domain password policies, making them vulnerable to blank passwords and easy takeovers.
What is the "Password Not Required" Attribute?
Why is This a Risk?
Directory Insights in 10 Minutes – Episode 1
🛡️ AD’s Biggest Misconfiguration – Fix It Now!
Description:
Welcome to the first episode of Directory Insights in 10 Minutes, brought to you by Guardians of the Directory. This series is all about cutting through the noise—no fluff, no filler—just real-world, practical security insights for Active Directory and Entra ID admins.
In this episode, we’re exposing the #1 misconfigured setting in Active Directory—one that attackers love and admins often overlook. Even today, in 2025, this security gap exists by default in every new AD deployment.
What You’ll Learn:
✅ Why the built-in Administrator account (RID 500) is vulnerable out of the box
✅ How attackers abuse Kerberos delegation to impersonate admin accounts
✅ Why Microsoft’s security guidance is buried in a 2,000-page document
✅ The one checkbox that removes this attack path instantly
✅ Why Protected Users group doesn’t fully mitigate this risk
🛠️ Quick Fix:
1️⃣ Go to RID 500 account properties
2️⃣ Under the Account tab, check "Account is sensitive and cannot be delegated."
3️⃣ Apply this setting to all administrative accounts
4️⃣ Implement this as part of your ongoing security process
Summary
In this episode of Guardians of the Directory, host Craig Birch interviews Kevin Kampman, a veteran in directory services, discussing the evolution of Active Directory, its challenges, and the future of directory management. They explore the historical context of directory services, the impact of cloud technology, and the importance of naming conventions in directory management. Kevin shares valuable lessons for today's directory administrators and offers insights into the future landscape of directory services, emphasizing the need for adaptability and understanding of complex systems.
Key Takeaways
Active Directory has evolved significantly since its inception in 2000.
The integration of cloud services has introduced new challenges for directory management.
Naming conventions are critical for effective directory administration.
Understanding the history of directory services is essential for future success.
The future of directory services will involve more complexity and interconnectivity.
AI will play a significant role in managing directory services in the future.
Organizations must adapt to changing technology landscapes to remain effective.
Collaboration between different teams is crucial for successful directory management.
Risk assessment is important in directory administration.
Continuous learning and mentorship are vital for new directory administrators.
Summary
In this episode of Guardians of the Directory, Craig Birch and Jerry Chapman delve into the concept of Zero Trust in cybersecurity. They discuss its principles, models, and the importance of identity-led security. The conversation highlights the five pillars of Zero Trust, the challenges organizations face with data management, and the complexities of securing applications in a cloud environment. They emphasize the need for continuous governance, automation, and practical steps organizations can take to implement Zero Trust effectively. The episode concludes with advice on starting small and making incremental improvements in security practices. Key Takeaways
Zero Trust is not just a buzzword; it's a necessary strategy. Identity-led security is fundamental to Zero Trust. Organizations struggle with data management in a Zero Trust framework. Continuous governance is essential for maintaining security. Automation and orchestration are critical for Zero Trust success. The five pillars of Zero Trust include identity, networks, devices, data, and applications. Visibility and analytics are crucial for effective security measures. Explicit allow is a key goal in Zero Trust architecture. Organizations should focus on practical steps to implement Zero Trust. Improvement in security practices should be incremental, not perfect.
Chad Nichols discusses the complex challenge of restoring Active Directory after a ransomware attack without risking reinfection. He sheds light on the pitfalls of traditional backup methods, which often carry residual malware, and stresses the importance of clean recovery strategies. This critical insight highlights the balance between operational urgency and long-term security.
Summary
In this episode of Guardians of the Directory, host Craig Birch engages with John Harper, founder of Hackers Teaching Hackers, to discuss the evolution of cybersecurity education, the importance of community sharing, and the vulnerabilities within Active Directory. They explore the offensive security landscape, the significance of hands-on learning, and practical strategies for strengthening Active Directory security. The conversation also delves into the journey of becoming a red teamer and the resources available for aspiring cybersecurity professionals.
Key Takeaways
Hackers Teaching Hackers started as a grassroots initiative to share knowledge.
Active Directory is often poorly managed, leading to significant security vulnerabilities.
Community sharing in cybersecurity has improved over the years.
Hands-on learning is crucial for understanding security concepts.
Imposter syndrome is prevalent in the cybersecurity community.
Active Directory hygiene is essential for organizational security.
Real-time monitoring of Active Directory changes is critical.
Penetration testing should include Active Directory in scope.
Networking and mentorship are vital for career growth in cybersecurity.
Continuous learning and community involvement are key to success in red teaming.
In this episode of Guardians of the Directory, Craig Birch and Derek Melber delve into the complexities of Active Directory security, focusing on the stealthy threats posed by shadow permissions, DC Shadow, and DC Sync. They discuss the historical context of these vulnerabilities, the role of applications in creating shadow permissions, and the importance of cleaning up orphaned SIDs. The conversation also covers best practices for managing service accounts and highlights critical areas within Active Directory that administrators should monitor. The episode concludes with actionable recommendations for improving security posture. Key Takeaways
Summary
This conversation delves into the critical issue of cybersecurity in K-12 education, highlighting the vulnerabilities schools face due to budget constraints, lack of training, and the unique challenges of supporting a diverse student population. Jason, an IT expert, shares insights on the value of school data to cybercriminals, recent case studies of cyber attacks, common attack methods, and the importance of having robust recovery plans and security measures in place. The discussion emphasizes the need for schools to be proactive in their cybersecurity efforts to protect sensitive information and ensure the safety of their students.
Key Takeaways
K-12 schools are increasingly targeted by cybercriminals due to their vulnerabilities.
Budget constraints often lead to compromised security in educational institutions.
Student information systems contain valuable data that can be exploited by attackers.
Recent cyber attacks have caused significant disruptions in school operations.
Phishing and password stuffing are common attack methods in schools.
Implementing multi-factor authentication is challenging in K-12 environments.
Schools need a solid cybersecurity response plan to handle incidents effectively.
Backup plans are essential for maintaining educational continuity during cyber incidents.
IT departments must document and test recovery plans regularly.
Being proactive in cybersecurity can deter potential attackers.