Reset Password Expiration

Resetting the password expiration in Active Directory might come in handy when a user’s password has expired and don’t have the chance to change it yet (perhaps due to network restrictions).
The Help Desk team, rather than resetting the user’s password, can reset the password expiration time without compromising security by knowing the temporary password.
Obviously, changing password is itself a security issue, so this should not be used just because you’re too bored to change your own account’s password. 🙂
Note that what you’re going to perform is not resetting the password expiration value but you’re resetting the last password set date.

There are three ways of doing this, via Active Directory Users and Computers, via ADSI Edit and via Powershell.

Active Directory Users and Computers (ADSI is very similar once you open the Object’s properties)

  1. Open Active Directory Users and Computers
  2. Click on View and select Advanced Features
    • active-directory-users-and-computers_advanced-features
  3. Now open up the object for which you want to reset the password expiration and go to the Attribute Editor‘s tab.
  4. Click once on the Attribute column, this will sort it by name.
  5. Scroll down to pwdLastSet.
    • active-directory-users-and-computers_attribute-editor-pwdlastset
  6. Click Edit, delete the current entry, type 0 (zero) and click Ok.
    • active-directory-users-and-computers_pwdlastset-0
  7. Click Ok to save the changes.
  8. Open the object again, repeat the steps above to reach the pwdLastSet attribute and, this time, assign -1 and click Ok and Ok again to save the changes. This will reset the password last set to “now”.
    • active-directory-users-and-computers_pwdlastset_-1


This one’s my favourite because it’s quick and easy. Run Powershell from a machine where Active Directory’s powershell module is installed (a domain controller will do). Make sure you have admin rights on the target user (or make sure you run powershell as an administrator).
Finally, run the following commands (they’re all commented to make it easier for you to understand the steps).


Read More

Bitlocker Error 0x80005000

A problem occurred during BitLocker setup. You may need to restart BitLocker setup to continue. Error code 0x80005000.
This is the error you get when trying to enable BitLocker to a drive on a machine joined to the domain that is sitting in an OU that contains a “/” (forward slash) in its name.
Renaming the OU and remove the “/” off its name will fix the issue and you will be able to encrypt the drive you were trying to encrypt before getting BitLocker Error 0x80005000.


Read More

LAPS missing from GPO

Don’t worry if LAPS is missing from GPO: most likely it’s not being copied to your SYSVOL share and it can be fixed real quick. Obviously, you must have LAPS installed on the machine where you’re trying to create the group policy object on (I installed it on a Domain Controller to keep things simple):

  • Copy  C:\Windows\PolicyDefinitions\AdmPwd.admx to \\itdroplets\sysvol\\Policies\PolicyDefinitions
  • Copy C:\Windows\PolicyDefinitions\en-US\AdmPwd.adml to \\itdroplets\sysvol\\Policies\PolicyDefinitions\en-US


Read More

Active Directory Auditing

Active Directory Auditing is very important for large organisations where there’s a high number of technical resources, from different teams, accessing and modifying Active Directory. Active Directory Auditing comes with a cost though: an enormous amount of logs created.

Having so many logs will mean that you won’t be able to troubleshoot much as what you’re looking for might be long gone. If you work in a smaller company, then manually sorting these logs shouldn’t be a big deal, but again, remember that a Domain Controller in general does generate a lot of events. I would suggest to integrate Active Directory Auditing with something like System Center Operations Manager (SCOM) to help you out catching what you’re interested on.

This article wants to show you how to enable Active Directory Auditing. Remember also that you will have to enable it for each single (writable) Domain Controller that you have. This is very important or else you will only be able to track changes happening on a single domain controller (unless that is what you intend to do). What could be used to achieve this quickly and with the least effort as possible? Group Policies obviously!

Domain Controllers are stored in the same OU by default, and they also have a Default Domain Controllers Policy.
If you’re reading this, it means that you probably already know what Policy you want to enable, so I will go straight to the point. Auditing data will be stored in the Security logs.

  1. Open Group Policy Management (from Administrative Tools).
  2. Keep expanding until you reach the Domain Controllers OU.
  3. Right click on Default Domain Controllers Policy and click Edit.
    • GPO-Edit
  4. Once the Editor has started, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
    • GPO-AuditAccountManagement
  5. Now you can see the list of audits that you can turn on/off. You can either define to log just the success or just the Failures or both.
    • GPO-AuditAccountManagement-2

Read More