This is one that I have been thinking about for a while. One of my students in a server 2008 class pointed me to an article that corrected my train of thought. The question is, why is the Everyone group granted access when a share is created? Remember, I’ve been an MCSE since Windows NT4. At that time, the Everyone group included all authenticated users, and those who were on the network anonymously. I found this to be a security vulnerability so I have been advising students to remove this and use the Authenticated Users group instead for general share access for your entire domain. (Caution, it you have a trust relationship set up with another organization, they are also a member of the Authenticated Users group.) This article from Microsoft explains that the anonymous users have been removed from the Everyone group. This change happened in Windows 2003/XP.
With the AD Recycle Bin Turned on, What Happens when you Create a User Account with a Password that does not meet the Password Policy?
This was an interesting observation from one of my Windows Server 2012 classes. While working with the AD Recycle bin in a lab, one of my students discovered some interesting accounts that were created. When he created user accounts that did not meet password complexity requirements, an account is temporarily made and then deleted. When a new password is provided that meets the password requirements, then a new account is made. We discovered this in two places. First off in the Active Directory Administrative Center. This is what caused the initial confusion. Take a look. This is in the Deleted Objects OU. You can see multiple deleted accounts for Test2 and one for Test3. Test3 is a valid, functioning user account. Using the PowerShell command Get-ADObject –IncludeDeletedObjects –Filter * –Properties ObjectSID we can see that indeed, two accounts were created, with one of them deleted. Notice the RID portion of the SID is different. ...
Comments