Channel: Directory Services forum

iTunes disc burning

I have iTunes on my Dell laptop with a CD drive. It used to work OK but then it stopped, so I purchased a remote CD drive to connect via the USB port. I can now play or import from this remote drive, but I still have the problem of not being able to burn to a CD; I get error codes 0CxAA0301 or 0xC0AA0007. Sometimes it will burn one song then stop; other times it seems to burn all the playlist but an error comes up at the end stating a problem occurred. When I try the CD on a CD player there is nothing there. I am using Windows 10 and the latest iTunes update.

FGPP vs Default password policy


I am in the process of setting up FGPP, but am seeing conflicting results. Here is my scenario:

-There is no default domain policy. The previous IT team have disabled all settings in the default domain policy, yet all domain clients receive the default 42 domain policy regardless. When I look at password settings in RSOP, there is 'not configured' for all password entries.

-I have created my FGPP in Adsiedit, applied it to my IT security group and added a user (myself)

-After creating it, when I run against my account dsget user "CN=etcetcetc" -effectivepso, I get the response saying the policy is applied to the user
-When I run Get-ADUserResultantPasswordPolicy -Identity username I get the applies-to policy, and I see my account max password age is as I have set in the policy (90 days)

However, when I then run net user /domain username, I see my password is still set to expire within the default 42 days.

The AD attribute msDS-ResultantPSO shows my IT password policy as well.

Yet still, net user /domain username and the lockoutstatus.exe tool show my password will expire in 42 days. I have also tried resetting my password since implementing the policy and the new expiry time shows up as 41 days 23 hours straight away. Can someone advise why the two are clashing, and how I can fix this?
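As an added example (not from the post): net user and lockoutstatus.exe derive the expiry date from the domain-wide policy and do not take a PSO into account, whereas the constructed attribute msDS-UserPasswordExpiryTimeComputed is calculated by the DC with the PSO applied. The script below, which assumes the ActiveDirectory RSAT module and uses the placeholder account name jdoe, puts the three views side by side so the mismatch can be confirmed on one account.

```powershell
# Added example, not from the post. Compares the policy AD resolves for a user with
# the expiry the DC computes, and with what "net user /domain" prints.
# Assumes the ActiveDirectory RSAT module; $User is a placeholder sAMAccountName.
param([string]$User = 'jdoe')
Import-Module ActiveDirectory

$u = Get-ADUser -Identity $User -Properties pwdLastSet, 'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'

# 1. Which policy the directory says applies: a PSO, or the domain default when none matches
$pso = Get-ADUserResultantPasswordPolicy -Identity $User
if ($pso) {
    "Resultant PSO:       $($pso.Name) (MaxPasswordAge $($pso.MaxPasswordAge))"
} else {
    $dom = Get-ADDefaultDomainPasswordPolicy
    "No PSO applies; domain default MaxPasswordAge $($dom.MaxPasswordAge)"
}
"msDS-ResultantPSO:   $($u.'msDS-ResultantPSO')"

# 2. Expiry computed by the DC; this constructed attribute honours PSOs.
#    0x7FFFFFFFFFFFFFFF means the password never expires.
$pwdLastSet = [DateTime]::FromFileTime([long]$u.pwdLastSet)
$expiryRaw  = [long]$u.'msDS-UserPasswordExpiryTimeComputed'
$expiry = if ($expiryRaw -eq [long]::MaxValue) { 'never' } else { [DateTime]::FromFileTime($expiryRaw) }
"pwdLastSet:          $pwdLastSet"
"Computed expiry:     $expiry"

# 3. What net user reports; it uses the domain-wide maximum password age, not the PSO
$netLine = (net user $User /domain) | Where-Object { $_ -match '^Password expires' }
"net user reports:    $netLine"

# 4. Confirm the DC value equals pwdLastSet + the PSO's MaxPasswordAge
if ($pso -and ($expiry -is [DateTime])) {
    $fromPso = $pwdLastSet + $pso.MaxPasswordAge
    if ([math]::Abs(($fromPso - $expiry).TotalMinutes) -lt 1) {
        'DC-computed expiry matches pwdLastSet + PSO MaxPasswordAge: the PSO is in effect.'
    } else {
        'DC-computed expiry does not match the PSO; check precedence and group membership.'
    }
}
```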


ADFS 4.0 - The certificate key algorithm is not supported


Hello all,


I am trying to use certificate authentication on an ADFS 4.0 server. I used an ECC 256-bit user certificate (ECDSA_P256). ADFS authentication fails with the following error in the event log.


Exception details:
System.NotSupportedException: The certificate key algorithm is not supported.
   at System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
...

Authentication works with non-ECC certificates.

My questions are:

1.) Which key algorithms are supported by ADFS certificate authentication?

2.) Is it possible to add non-supported algorithms to ADFS?

Regards ...

Default Domain Policy processing failed.


Hi all,

I am currently having an issue with the processing of the Default Domain Policy. I have 2 DCs in my environment and the replication is healthy, verified using repadmin. But when I check Group Policy, one of the DCs has the error message below. In addition, the event viewer only shows this policy, so I suspect the others are working fine. Hope I can get some help from you guys. Thanks




Test-ComputerSecureChannel is false and minutes later is true

I have no clue how to troubleshoot the secure channel, but it appears I am having secure channel issues. When I run Test-ComputerSecureChannel the result returns false, and minutes later the result is true. This is happening on multiple devices all over my domain. What can cause a client to be false then true? How do I track this down?

Shutdown dc results in offline hosts


Hi,


We have a customer with 2 DCs running Windows Server 2012 R2.

They said that if they shut down DC1 then no one is able to log in.

Then I tried it, but I seem to be able to log in; one client did take some time, but was able to log in in the end.

Since the customer is running VMware, I had a look into vCenter while DC1 was shut down, and there something strange happens. Several ESXi hosts suddenly appear as "Not responding", and then of course the VMs running on these ESXi hosts get disconnected. I was able to boot up DC1 again, and the ESXi hosts were OK again.


To me this seems like a DNS issue or something else related to AD and not the configuration of the ESXi hosts?

I have looked into DNS on both servers, and could not find anything wrong, except that in the subdomain called _msdcs only DC1 is recorded, on both DCs. My question then is: should I add DC2 here also on both servers? What happens if this record is not there... could this be related?

I have also checked repadmin and dcdiag and both seem fine.

Thanks for your reply


/Regards Andreas


AD Kerberos question


Hi All!

We currently run Microsoft Advanced Threat Analytics, and we quite often get the following error for Windows client PCs and ADFS servers:

Encryption downgrade activity
The encryption method of the ETYPE_INFO field of KRB_ERR message from x computers has been downgraded based on previously learned behavior.



I have been over this documentation here: https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide and used their Aorato Skeleton Key Malware Remote DC Scanner tool, but found nothing.

I opened a ticket with Microsoft about this, and they believe it is due to the fact that these accounts haven't changed their passwords in a long time (a lot of them are old accounts for various strange purposes and VIPs that whinge about having to change their password - but let's not get into that, we are soon going to force them into line)

I am only slightly knowledgeable about Kerberos; I want to know the whys/whats/hows about it. Forgive me if I am wrong, but I understand that your password is used to hash certain information and that is sent to the KDC; the KDC uses the hash of the password at its end to decrypt the message, and if it can, then your password is correct. So your password is never sent over the wire.

I'm assuming that because these accounts have their passwords hashed with some older cipher, the KDC tells the client to use an older cipher to encrypt the message, and this is why I am getting the error? Is that correct? And is that why Microsoft is asking me to change their passwords?

I have a few questions (assuming my assumptions are correct)

  1. I asked a user to change their password (via going ctrl+alt+del on their Windows 7 PC and clicking Change a password), however ATA was still picking up encryption downgrades for this user on both their Windows 7 PC and ADFS. Would the fact that they have previously negotiated lower encryption with the KDC cause the new password to still be hashed with a weaker cipher?
  2. I then changed the password for the user above via Active Directory Users and Computers (dsa.msc), and now I no longer get the ATA alerts when they log onto ADFS, but I still get them when they log onto their Windows 7 PC. Is there anything I need to do for the Windows 7 PC to ensure it uses the strongest cipher for this account?
  3. Is there any way for me to find out, by querying AD, what users have passwords that are hashed in an older cipher?
  4. When did Microsoft make this cipher change? What did they change their cipher from/to, and how can I enforce the stronger cipher? (I seem to be struggling finding this information)

Thanks all, I apologise for my ignorance!

Some notes:

  1. I can cause ATA to log the Encryption downgrade activity just by doing a failed logon to any computer / ADFS with the users that have really old passwords. (I assume this is because even though my password is incorrect, it is hashed using a superior cipher, and the KDC still needs to negotiate a lower cipher with the client)
  2. The computer accounts all have msDS-SupportedEncryptionTypes set to 28 (0x1C)
  3. Please do not reply and ask me to submit my question to the ATA forums. I submitted this question there some time ago and got no response; this question relates mainly to Kerberos.
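An added example (not from the post) for question 3 and note 2: an account's Kerberos keys, including the AES keys, are derived from its password when the password is set, so a password last set before the domain functional level reached Windows Server 2008 has only RC4 (and possibly DES) keys, and the KDC can offer nothing stronger for it; the value 28 (0x1C) in msDS-SupportedEncryptionTypes is the bit mask RC4 (4) + AES128 (8) + AES256 (16). The script below assumes the ActiveDirectory RSAT module and a placeholder cutoff date (the day the functional level was raised); it decodes the mask and lists enabled users whose password predates the cutoff.

```powershell
# Added example, not from the post. Decodes msDS-SupportedEncryptionTypes and lists
# enabled users whose password was last set before a cutoff date.
# Assumes the ActiveDirectory RSAT module; $Cutoff is a placeholder for the date the
# domain functional level reached Windows Server 2008 (the first level with AES keys).
param([datetime]$Cutoff = '2010-01-01')
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes, lowest bit first
$etypeBits = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertFrom-EtypeMask {
    param([int]$Mask)
    # 0 / unset: the DC applies its default (RC4 plus AES on current releases)
    if (-not $Mask) { return '(not set: DC default)' }
    ($etypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Key } | ForEach-Object Value) -join ', '
}

# Decode the value the post reports on its computer accounts
"28 (0x1C) = $(ConvertFrom-EtypeMask 28)"

# pwdLastSet is a FILETIME; compare as Int64. pwdLastSet 0 means "must change at next logon".
$cutoffFT = $Cutoff.ToFileTimeUtc()
Get-ADUser -Filter "Enabled -eq 'True' -and pwdLastSet -gt 0 -and pwdLastSet -lt $cutoffFT" `
           -Properties pwdLastSet, 'msDS-SupportedEncryptionTypes' |
    Select-Object SamAccountName,
        @{ n = 'PwdLastSet';      e = { [DateTime]::FromFileTime($_.pwdLastSet) } },
        @{ n = 'SupportedEtypes'; e = { ConvertFrom-EtypeMask $_.'msDS-SupportedEncryptionTypes' } } |
    Sort-Object PwdLastSet |
    Format-Table -AutoSize
```

Accounts in the list keep RC4-only keys until their password is set again; a reset through any path that writes the password (dsa.msc, Set-ADAccountPassword, or the user's own change) generates the AES keys.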

Windows Server 2008 SP2 Standard - Compatibility Matrix


Hi,

I have an existing Windows Server 2008 SP2 Standard Edition server assigned as domain controller. I would like to join a Windows Server 2012 R2 machine to this existing domain. Is this possible? Is there any kind of Active Directory compatibility matrix for Windows Server 2008 SP2 Standard Edition listing compatible client OS editions?

Thanks & Regards,

Thulasidas


ldp say forestFunctionality: 0 = ( WIN2000 ); but is W2008


Hello,
I'm trying to add a new W2016 DC to my domain (2 W2008 R2 DCs already present). I can't proceed to promote the W2016 server to DC because it says that the forest level is W2000.

On both W2008 DCs, in the MMC GUI, "Active Directory Domains and Trusts" says "Current forest functional level: Windows Server 2008"

In ldp.exe, in DC1: forestFunctionality: 0 = (WIN2000 );

but in DC2: forestFunctionality: 3 = (WIN2008 ); 

How can I solve this issue?

thank you in advance.

Failed DCPROMO - First Domain Controller of a new Child Domain


Hi

I'm trying to create a new child domain (F) in a mixed 2012R2 / 2016 DC environment best pictured as follows

     Root
    /    \
   A      B
 /  |    |  \
C   D    E   F

Summary of domains

Root     - 2012 R2 DCs / Domain and Forest Function Levels 2012R2
A, C, D  - 2012 R2 DCs / Domain Function Level 2012R2
B        - 2016 DCs / Domain Function Level 2016
E        - 2016 DCs / Domain Function Level 2012R2
F        - Failing to create first DC

All replication and firewall rules appear to look fine, however on trying to create the first domain controller for the Domain F (basically the same setup as Domain E) I get the following error in the GUI

The operation failed because

Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=…… from the remote Active Directory Domain Controller ….

"The replication operation encountered a database error"

DCPROMO.LOG on the server shows the following and I'm struggling to find any relevant information for a fix

-----------------------------------------

10/09/2018 10:17:20 [INFO] Replicating the schema directory partition
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS Replication / Replication : 2140
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest.  The Active Directory Domain Services is currently enabling or disabling one or more optional features.  Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed.  The Active Directory Domain Services will temporarily discontinue this replication request.  The replication request will be attempted again later.
Request Details:
Object being modified: CN=BootMachine,O=Boot
Attribute being modified: msDS-EnabledFeature
Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
Optional feature: Recycle Bin Feature
10/09/2018 10:17:20 [INFO] EVENTLOG (Warning): NTDS General / Internal Processing : 1173
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
e0010002
Parameter:
20d9
Additional Data
Error value:
8451
Internal ID:
11d0700
10/09/2018 10:17:20 [INFO] Error - Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=X,DC=Y from the remote Active Directory Domain Controller DC1.W.X.Y. (8451)
10/09/2018 10:17:20 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
30017ac
10/09/2018 10:17:20 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
Active Directory Domain Services was shut down successfully.

------------------------------------------

All sensible suggestions gratefully received

Thanks

Old Domain Controller reappears in DNS


I needed to virtualize the only domain controller (2008 R2) to solve the problem of dying hardware. I temporarily promoted a 2016 server to a DC, transferred the FSMO roles, and let everything propagate, just in case. After the P2V migration succeeded, I transferred the FSMO roles back, and demoted the 2016 server back to a member server. That's when the trouble started. The demotion did not go perfectly, as per usual, so I cleaned the metadata in ntdsutil, removed the 2016 server from Sites and Services, and checked it was not in ADUC. Then I removed references to the 2016 server from DNS. I have done this whole process literally dozens of times, but lo and behold, going back and looking, I still see SOME of the DNS records, and this is causing me to be unable to add a new DC, leaving me still stuck with a single DC for the domain. Yes, the 2016 server is still in the domain, as a member server, and serves as the main file storage for the company. No telling how many shortcuts there are on people's desktops pointing to it, so renaming it is not a good option. Incidentally, I can't promote it back to a DC either, because the object still exists SOMEWHERE in AD.

Here is what I experience(d) with DNS:

  • Removed the CNAME in _msdcs.domain.local, and everywhere in that sub-tree.
  • Removed the CNAME in company.domain.local, and everywhere in that sub-tree.
  • Removed all references to it in the Reverse Lookup Zone.

As soon as you refresh the DNS, the references come back in company.domain.local, but not in _msdcs.domain.local or in the reverse lookup zone.

I may be wrong, but I'm guessing there is someplace in ADSIedit where I can find and delete this, but I don't even know where to start to look.  

Windows server 2012 DC Promo fails The directory service on XYZDC has not finished initializing.


No FSMO Role on this DC,

The server was being promoted; after reboot, I could log in but could not open anything from system32 ("Access Denied"). After a while this error fixed itself, but now the DNS service is not starting:

"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed." Event ID 4013

Any idea will be much appreciated.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          6/11/2018 4:23:46 PM
Event ID:      1557
Task Category: Replication
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      XYZDC11.com.au
Description:
This directory server has not completed a full synchronization of the following directory partition. This directory server will not available to clients until this task is completed.
 
Directory partition:
DC=com.au
 
An attempt to complete a full synchronization of this directory partition will be tried again later.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="16384">1557</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-06T05:23:46.304087400Z" />
    <EventRecordID>529</EventRecordID>
    <Correlation />
    <Execution ProcessID="492" ThreadID="1460" />
    <Channel>Directory Service</Channel>
    <Computer>XYZDC11.com.au</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>DC=Com,DC=au</Data>
  </EventData>
</Event>

Windows PowerShell
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> dcdiag /kcc
Invalid Syntax: Invalid option /kcc. Use dcdiag.exe /h for help.
PS C:\Windows\system32> repadmin /kcc

Repadmin: running command /kcc against full DC localhost
XYZDC
Current Site Options: (none)
Consistency check on localhost successful.

PS C:\Windows\system32> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = XYZDCDC11
   The directory service on XYZDCDC11 has not finished initializing.
    In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with
   at least one replica of this server's writeable domain.  It must also obtain Rid information from the Rid FSMO
   holder.
    The directory service has not signalled the event which lets other services know that it is ready to accept
   requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider
   this system as an eligible domain controller.
   * Identified AD Forest.
   The directory service on XYZDCDC11 has not finished initializing.
    In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with
   at least one replica of this server's writeable domain.  It must also obtain Rid information from the Rid FSMO
   holder.
    The directory service has not signalled the event which lets other services know that it is ready to accept
   requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider
   this system as an eligible domain controller.
   Done gathering initial info.

Doing initial required tests

   Testing server: XYZDC\XYZDCDC11
      Starting test: Connectivity
         The directory service on XYZDCDC11 has not finished initializing.
          In order for the directory service to consider itself synchronized, it must attempt an initial
         synchronization with at least one replica of this server's writeable domain.  It must also obtain Rid
         information from the Rid FSMO holder.
          The directory service has not signalled the event which lets other services know that it is ready to accept
         requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not
         consider this system as an eligible domain controller.
         ......................... XYZDCDC11 passed test Connectivity

Doing primary tests

   Testing server: XYZDC\XYZDCDC11
      Starting test: Advertising
         Warning: the directory service on XYZDCDC11 has not completed initial synchronization.
         Other services will be delayed.
         Verify that the server can replicate.
         Warning: DsGetDcName returned information for\\XYZDCDC02.domain.com, when we were trying to reach XYZDCDC11.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... XYZDCDC11 failed test Advertising
      Starting test: FrsEvent
         ......................... XYZDCDC11 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... XYZDCDC11 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... XYZDCDC11 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 11/06/2018   16:27:18
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the followin
g directory service has consistently failed.
         ......................... XYZDCDC11 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... XYZDCDC11 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... XYZDCDC11 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... XYZDCDC11 passed test NCSecDesc
      Starting test: NetLogons
         ......................... XYZDCDC11 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... XYZDCDC11 passed test ObjectsReplicated
      Starting test: Replications
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: A full synchronization is in progress
            from GOULBDC01 to XYZDCDC11
            Replication of new changes along this path will be delayed.
            The full sync is 0 percent complete.
         [Replications Check,XYZDCDC11] A recent replication attempt failed:
            From XYZDCDC02 to XYZDCDC11
            Naming Context:
            The replication generated an error (8461):
            The replication operation was preempted.
            The failure occurred at 2018-11-06 16:31:21.
            The last success occurred at (never).
            1 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         XYZDCDC11: A full synchronization is in progress
            from XYZDCDC02 to XYZDCDC11
            Replication of new changes along this path will be delayed.
            The full sync is 87 percent complete.
         ......................... XYZDCDC11 failed test Replications
      Starting test: RidManager
         Warning: attribute rIdSetReferences missing from CN=XYZDCDC11,OU=Domain Controllers,
         Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
         ......................... XYZDCDC11 failed test RidManager
      Starting test: Services
         ......................... XYZDCDC11 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 11/06/2018   15:38:55
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and t
his server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 11/06/2018   16:22:27
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you s
hould use only static IPv6 addresses.
         An error event occurred.  EventID: 0x00000416
            Time Generated: 11/06/2018   16:22:28
            Event String:
            The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain domain.com, has dete
rmined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons f
or this:
         An error event occurred.  EventID: 0x0000410B
            Time Generated: 11/06/2018   16:22:48
            Event String:
            The request for a new account-identifier pool failed. The operation will be retried until the request succee
ds. The error is
         ......................... XYZDCDC11 failed test SystemLog
      Starting test: VerifyReferences
         ......................... XYZDCDC11 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : dec
      Starting test: CheckSDRefDom
         ......................... dec passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... dec passed test CrossRefValidation

   Running enterprise tests on : domain.com
      Starting test: LocatorCheck
         ......................... domain.com passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.com passed test Intersite
PS C:\Windows\system32>
PS C:\Windows\system32> repadmin
Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]
                             [/retry[:<retries>][:<delay>]]
                             [/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
            description.
/help       Same as /?
/?:<cmd>    Displays the list of possible arguments <args>, appropriate
            syntaxes and examples for the specified command <cmd>.
/help:<cmd> Same as /?:<cmd>
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
            DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
            are no longer supported by Microsoft.


Supported <cmd> commands (use /?<cmd> for detailed help):
     /kcc    Forces the KCC on targeted domain controller(s) to immediately
             recalculate its inbound replication topology.

     /prp    This command allows an admin to view or modify the
             password replication policy for RODCs.

     /queue  Displays inbound replication requests that the  DC needs to issue
             to become consistent with its source replication partners.

     /replicate  Triggers the immediate replication of the specified directory
             partition to the destination domain controller from the source DC.

     /replsingleobj Replicates a single object between any two domain
             controllers that have common directory partitions.

     /replsummary The replsummary operation quickly and concisely summarizes
             the replication state and relative health of a forest.

     /rodcpwdrepl Triggers replication of passwords for the specified user(s)
             from the source (Hub DC) to one or more Read Only DC's.

     /showattr Displays the attributes of an object.

     /showobjmeta Displays the replication metadata for a specified object
             stored in Active Directory, such as attribute ID, version
             number, originating and local Update Sequence Number (USN), and
             originating server's GUID and Date and Time stamp.

     /showrepl Displays the replication status when specified domain controller
             last attempted to inbound replicate Active Directory partitions.

     /showutdvec displays the highest committed Update Sequence Number (USN)
             that the targeted DC's copy of Active Directory shows as
             committed for itself and its transitive partners.

     /syncall Synchronizes a specified domain controller with all replication
              partners.

Supported additional parameters:

     /u:    Specifies the domain and user name separated by a backslash
            {domain\user} that has permissions to perform operations in
            Active Directory. UPN logons not supported.

     /pw:   Specifies the password for the user name entered with the /u
            parameter.

     /retry This parameter will cause repadmin to repeat its attempt to bind
            to the target dc should the first attempt fail with one of the
            following error status:

            1722 / 0x6ba : "The RPC Server is unavailable"
            1753 / 0x6d9 : "There are no more endpoints available from the
                            endpoint mapper"

     /csv   Used with /showrepl to output results in comma separated
            value format. See /csvhelp


Note: Most commands take their parameters in the order of "Destination or
      Target DSA_LIST", then a "Source DSA_NAME" if required, and finally the
      NC or Object DN if required.

        <DSA_NAME> (or <DSA_LIST>) is a Directory Service Agent binding
        string. For Active Directory Domain Services, this is simply a network
        label (such as a DNS, NetBios, or IP address) of a Domain Controller.
        For Active Directory Lightweight Directory Services, this must be a
        network label of the AD LDS server followed by a colon and the LDAP
        port of the AD LDS instance
            Examples (AD DS):  dc-01
                               dc-01.microsoft.com
            Examples (AD LDS): ad-am-01:2000
                               ad-am-01.microsoft.com:2000

      <Naming Context> is the Distinguished Name of the root of the NC
            Example: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with International or
      Unicode characters will only display correctly if appropriate fonts and
      language support are loaded.
PS C:\Windows\system32> repadmin


NSW DECC

A user account was changed by ANONYMOUS LOGON


Hi All,

I have a few DCs. When I review the security logs I can see a lot of events like the one below:

A user account was changed.

Subject:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain:NT AUTHORITY
Logon ID: 0x3E6

Target Account:
Security ID:<Domain>\<User>
Account Name:<User>
Account Domain:<Domain>

Changed Attributes:
SAM Account Name:-
Display Name: -
User Principal Name:-
Home Directory:-
Home Drive: -
Script Path: -
Profile Path: -
User Workstations:-
Password Last Set:07/11/2018 10:14:26
Account Expires:-
Primary Group ID:-
AllowedToDelegateTo:-
Old UAC Value:-
New UAC Value:-
User Account Control:-
User Parameters:-
SID History: -
Logon Hours: -

Additional Information:
Privileges: -

I have checked a few articles (but can't find anything official by Microsoft) stating that ANONYMOUS LOGON is used to replicate the password between the PDC and each DC. Also I can't find S-1-5-7 under the ForeignSecurityPrincipals container.

Is there an official Microsoft article about the purpose of ANONYMOUS LOGON and its usage? In what cases and circumstances is it used? It is a bit annoying to see so many "anonymous logons".
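As an added example (not the poster's code and not a Microsoft statement), a PowerShell function that parses a 4738 message like the one pasted above and sorts it into "ANONYMOUS LOGON changed only Password Last Set" versus "ANONYMOUS LOGON changed something else", so the noisy events can be separated from the ones worth a look. The replication hypothesis it encodes is taken from the post and treated as an assumption; the sample event, CONTOSO and jdoe are constructed.

```powershell
# Triage helper for Security event 4738 ("A user account was changed").
# ASSUMPTION (the hypothesis from the post, not a Microsoft statement):
# ANONYMOUS LOGON changing only "Password Last Set" is replication noise;
# anything else done under ANONYMOUS LOGON deserves a look.
function Get-Event4738Triage {
    param([Parameter(Mandatory = $true)][string]$Message)
    # Store each "Key: value" line under the section heading it sits beneath.
    $sections = @{}
    $current = $null
    foreach ($raw in ($Message -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^(Subject|Target Account|Changed Attributes|Additional Information):$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        } elseif ($current -and $line -match '^([^:]+):\s*(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $subject = $sections['Subject']['Security ID']
    $target  = $sections['Target Account']['Account Name']
    # An attribute really changed only when its value is something other than "-".
    $changed = @($sections['Changed Attributes'].GetEnumerator() |
        Where-Object { $_.Value -ne '-' } | ForEach-Object { $_.Key })
    $verdict = if ($subject -ne 'ANONYMOUS LOGON') {
        'changed by a named principal'
    } elseif ($changed.Count -eq 1 -and $changed[0] -eq 'Password Last Set') {
        'ANONYMOUS LOGON, Password Last Set only (assumed replication noise)'
    } else {
        'ANONYMOUS LOGON changed other attributes: review'
    }
    [pscustomobject]@{ Target = $target; Changed = ($changed -join ', '); Verdict = $verdict }
}

# Constructed sample shaped like the event pasted above (CONTOSO\jdoe is made up).
$sample = @'
Subject:
Security ID: ANONYMOUS LOGON
Logon ID: 0x3E6
Target Account:
Security ID:CONTOSO\jdoe
Account Name:jdoe
Changed Attributes:
Display Name: -
Password Last Set:07/11/2018 10:14:26
Account Expires:-
'@
Get-Event4738Triage -Message $sample
# Live use: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738} |
#   ForEach-Object { Get-Event4738Triage -Message $_.Message }
```

Events that land in the "review" bucket are the ones to correlate with who or what touched the account, since a named subject or a broader set of changed attributes is not explained by the password-replication hypothesis.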

Active Directory mobile profile problem.

I've tried to sync my mobile profiles, but there is one error. A person, let's call her "One", has a computer with Windows 10 Pro on it; Active Directory is on Windows Server 2012 Standard. "One" can log in on many computers with her login and password, and on every computer "One" has her own profile: desktop, documents etc. Of course "One" doesn't log in on every computer at the same time; one day on comp1, another day on comp2. But there is a problem. If "One" deletes something from the profile, powers off the computer and logs in on a second computer or another day, the files or folders which were deleted appear again. I have to go into the path with the mobile profile and delete those files or folders manually. It sucks. It should be done automatically but it doesn't. More fun: I have 50 computers and users in my company. Not all of them have the same problem. I need a solution. On Windows 7 Pro and Windows 10 Pro before 1803 it works perfectly.

User rights to download

The users in my domain only have User rights. However, some of our users need rights to be able to download files from the Internet and open them. They cannot do that with User rights; they get prompted for an admin login every time. What group can I add them to that will still restrict them from doing anything malicious but allow them to download and execute files?

Support analyst


Guidance for creating "Penalty Box" OU


Hey DS Gurus!

I have a requirement from our Security department to create a Penalty Box OU that will be used to quarantine machines that may have been compromised by a virus or malware.  The objective would then be to restrict network access for devices in that OU to only be able to communicate with select apps.  The second objective is that the background/wallpaper of the machine should change to a .GIF or some sort of banner to instruct the owner to contact the helpdesk.  

I have never done this before, so I'm looking for guidance on how best to accomplish the above. I've been doing some Googling but so far haven't found much help on this topic.

Any guidance is appreciated.

-Christian

Domain Controllers OU

Using Active Directory, I am looking into creating a new computer object and adding it into the Domain Controllers OU. I am not building a server and adding it to the domain, only going into active directory and creating the computer object. The reasoning behind this is to help carry out the setup of a honey pot. Are there any known issues with doing this? 

Script to check if there are users logged on in a server(s)

Hello,
I was wondering if any of you could help me with the following.  
I need a better script to check if there are users logged in to a server (or several servers).
Right now what I am doing is: get the server name and enter it in the script below. This will tell me if users are on it.

qwinsta.exe /server:SERVER

The problem is, this is time-consuming. I would prefer the script to grab a TXT file with the list of servers, and the script would show me something like:

SERVER1 .... 0 
SERVER2 .... 3
SERVER3 .... 10
SERVER4 .... 0

I have been looking for a script, but I haven't found one yet.
Thank you for your time
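One way to do what the post asks, as an added example rather than anyone's posted script: a PowerShell script that reads the server list from a text file, runs the same qwinsta.exe /server: call from the post once per host, and prints one line per server in the requested SERVER .... N shape. It assumes English qwinsta output and a file with one host name per line; the names Count-Sessions.ps1 and servers.txt are placeholders.

```powershell
# Count logged-on users on every server listed in a text file, one host
# name per line. Added example wrapping the same qwinsta.exe call as the
# post; it is not the poster's script. Assumes English qwinsta output.
# Usage: .\Count-Sessions.ps1 -ServerList .\servers.txt
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerList
)

function Get-UserSessionCount {
    param([string]$Server)
    # stderr is discarded so an unreachable host shows up only via the exit code.
    $lines = @(& qwinsta.exe "/server:$Server" 2>$null)
    if ($LASTEXITCODE -ne 0) { return $null }

    # qwinsta prints a fixed-width table. A disconnected session has an empty
    # SESSIONNAME, so splitting on whitespace would shift the columns; instead
    # read the username from the column position given by the header.
    $header = $lines | Where-Object { $_ -match '\bUSERNAME\b' } | Select-Object -First 1
    if (-not $header) { return $null }
    $userStart = $header.IndexOf('USERNAME')

    $count = 0
    foreach ($line in $lines) {
        if ($line -eq $header -or $line.Length -le $userStart) { continue }
        # The username is left-aligned at $userStart; the session ID is
        # right-aligned further right, so a leading run of non-blanks here is a user.
        $user = [regex]::Match($line.Substring($userStart), '^\S*').Value
        if ($user) { $count++ }
    }
    return $count
}

# Ignore blank lines and '#' comments in the server list.
$servers = Get-Content -Path $ServerList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

foreach ($server in $servers) {
    $n = Get-UserSessionCount -Server $server
    # Active and disconnected sessions both count: each still holds a logged-on user.
    $shown = if ($null -eq $n) { 'unreachable' } else { $n }
    '{0} .... {1}' -f $server, $shown
}
```

Hosts that fail the qwinsta call are reported as "unreachable" rather than as 0, so a server that is down or refusing remote RPC is not mistaken for an idle one.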

Domain Admin User Permissions


Hello. Here is my objective: Create a new AD account and add it to the domain admins group. This account is going to be used as a "honey" account. It should never be used for anything except as bait for attackers, so if it's used alarms will go off.

Therefore my question is, am I able to modify the permissions / privileges of this specific domain admin account to where it has extremely low level permissions, essentially to where it is more of a standard domain user account with little access to do anything. The reason for this is in case the account does get compromised by an attacker they won't be able to leverage it to cause any harm. I want to accomplish this while still having the account appear in my domain admins group. Is this possible to any extent?


Proper Domain Delegation in non-standard environment

Hello all!

We are an IT shop that is working on deploying proper administrative AD delegation on our domain. We are working through the information provided by Microsoft and trying to fit it to a specific scenario and it is not working.

It is my understanding that in a normal scenario you have DCs and member servers. You then have server admins that can have rights to the member servers but not the DCs. This limits exposure of the DCs, and then, according to MS, you only ever log into the DCs in a disaster or build-out situation. The idea being that you never use the domain admin (DA), enterprise admin (EA), or built-in domain Administrators group (BA). You use RSAT to manage users or other servers from a management server/PC, but never log into the DC unless you absolutely have to.

We have deployed this least-privileged concept to our domain and it is working well for the most part.

The problem we are running into is with a larger customer. They have a primary location that has a couple of DCs and some member servers. They also have about 50 locations that have a single server that is a DC/file server/print server. The issue is, if we have a stripped-down admin account that does not have AD delegation, or only has a few OUs, how do we allow them to log into the DC to manage files and printers without giving too much access? Because in AD there are no local groups, they are not local admins. Making them local admins would basically make them Active Directory administrators, and we do not want that. How can we accomplish this?

Our ultimate goal is this...

Tier 1 admins - These are users that have rights to the workstations. We have implemented this and it is working fine.

Tier 2 admins - These are users that have access to all member servers and some basic administration on the servers. We can accomplish most of this via RSAT and delegation, but these users are the ones that will occasionally need access to site servers for file shares and print management but should not have full-blown access to AD.

Tier 3 admins - These are very similar to Tier 2 but also have access to the passwords for the DA/EA/BA accounts so they can log into a DC if needed in a disaster scenario or in the instance we are adding a new DC.

It is the Tier 2 admins that are giving me a headache in this scenario because they need site server access but I need to limit their access to AD. Maybe we need to give them the domain access but deny access to the OUs they shouldn't be changing. I am not a fan of that idea though...

Thoughts?