Category Archives: Active Directory

Revisiting Constrained Delegation

Constrained Delegation was introduced in Windows Server 2003 as an improved and more secure version of Unconstrained Delegation. Constrained Delegation allows admins to limit the services to which an impersonated account can connect to. It is using two Kerberos extensions to allow impersonation to only specific services. S4U2Self: An service can request a forwardable Service Ticket on behalf of any

Read more

How to roll out Microsoft LAPS via GPO and why you should do it?

Local Administrator Password Solution (LAPS) is a password manager that can be used to automatically rotate the Built-in Administrator (RID-500) account on each individual workstation or server. The great thing about LAPS is, that it doesn’t require any additional infrastructure to store passwords, and you don’t have to pay for it, because it is free. There are of course better solutions in the market

Read more