When writing scripts for clients, it’;s important to generate good logs. It’;s a common position where a script works perfectly in test. But in production something is askew. Being able to look back at the process and step through after the fact is essential. Usually my logs are written in CSV format. CSV is great for parsing. But, it’;s awful to run in a text file. Due to this, I decided to modify my log function.
What is Admin Count? Before we discuss Admin Count, a little background is needed. AD contains an object called AdminSDHolder. Its purpose is to protect objects. Specifically, objects which are members of administrative groups. AD objects have an attribute called “Admin Count”. The default value is for most objects. Changing the value to “1”, flags the account as protected by AdminSDHolder. By adding a user to an administrative AD group. You change the value to “1”.
I recently needed to create a script for the purpose of migrating data. Due to complexity, a number of scripts were used. This post covers the script I created to remove illegal characters from directory names. Also adjusting for new directory paths. Migration Overview The migration had some quirks. Due to this, a simple A to B move wasn’;t an option. There was some restructuring and many folders were not to coming across.
In part 1, we looked at making the necessary changes to AD for LAPS, from extended the schema to modifying the object attribute security. In this part, we will go through deploying the LAPS agent on a workstation. This process is very straight forward, we will use GPO to deploy the agent to our workstation and confirm that the password is now random and stored in AD. During the configuration of the workstation, I set the admin password as “Password1”, secure I know.
In May 2015 Microsoft released Local Administrator Password Solution (LAPS) to help address the issue of keeping local administrator accounts secure. Setting the account password by GPO generally means a large number of computers will have the same password. LAPS provides the ability for workstations to have randomly generated passwords, that are constantly refreshed and easy to retrieve. Managed workstations will set a random password which is stored in an AD attribute called ms-Mcs-AdmPwd.