Copyright TechTarget - All rights reserved https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Sun, 15 Mar 2026 23:22:30 GMT https://www.techtarget.com/searchwindowsserver editor@techtarget.com <p>When an organization upgrades its domain controllers to Windows Server 2025, the primary focus will undoubtedly be on planning for and performing the actual upgrade. However, there might be various tasks that need to be performed after the upgrade is complete.</p> <p>This article discusses several steps you can take after <a href="https://www.techtarget.com/searchwindowsserver/tip/Plan-your-domain-controller-migration-to-Windows-Server-2025">upgrading to Windows Server 2025</a>, including many configurations that can help enhance the security of your Active Directory environment. We'll also cover the ongoing monitoring and maintenance tasks to perform once your upgrade is in place and fully configured.</p> <section class="section main-article-chapter" data-menu-title="Domain controller configuration for Windows Server 2025"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Domain controller configuration for Windows Server 2025</h2> <p>While none of these configuration tasks are absolute requirements -- and some might not be necessary in every organization -- they are intended to help you get the most benefit from the new Windows Server operating system.</p> <h3>Enable JET 32 KB page sizing</h3> <p>Ever since the days of Windows 2000, Active Directory's JET Blue Extensible Storage Engine database has used an 8 KB page size. Windows Server 2025 enables the page size to increase to 32 KB, significantly improving domain controller scalability.</p> <p>Although there is nothing overly difficult about transitioning to 32 KB database pages, the process can be rather cumbersome, especially in larger organizations. In order to use the larger page sizes, Windows Server 2025 must be running on all of your domain controllers, and you also must be using the Windows Server 2025 domain and forest <a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory-functional-levels">functional levels</a>.</p> <p>If you have any domain controllers that were upgraded from earlier versions of Windows using an in-place upgrade, then those domain controllers will not be able to accommodate 32 KB database pages. This can make increasing the page size more complex, as you must demote those domain controllers, perform a clean Windows Server 2025 installation and then promote the machines back to domain controller status. Make sure that your backup software is compatible with the larger page size before proceeding; Microsoft Learn provides a <a target="_blank" href="https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/32k-pages-optional-feature" rel="noopener">full list of requirements</a>.</p> <h3>Configure account lockout policies</h3> <p>This is also a good time to revisit your organization's account lockout policy. Attackers seeking to gain access to certain accounts will sometimes resort to <a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking">brute-force attacks</a>, in which they attempt potentially millions of different passwords until they are able to successfully log in. The countermeasure to such attacks is to use an account lockout policy. In doing so, however, organizations will need to make a choice.</p> <p>Microsoft enables organizations to <a href="https://www.techtarget.com/searchsecurity/tip/Account-lockout-policy-Setup-and-best-practices-explained">configure the account lockout policy</a> to automatically lock accounts after a certain number of failed login attempts. This prevents attackers from gaining access to the accounts through brute-force attacks. Conversely, an attacker could use this mechanism against the organization by launching a denial-of-service attack that causes all of the organization's accounts to be locked out at once.</p> <p>Organizations can select whichever approach best suits their needs. If an organization opts not to lock accounts, it should require long and complex passwords in addition to establishing a notification mechanism that alerts admins to brute-force attempts.</p> <h3>Enforce LDAP signing and encryption</h3> <p>Configuring Active Directory to reject Simple Authentication and Security Layer (SASL) binds that are either unsigned or unencrypted can help improve AD security.</p> <p>Unsigned network traffic can be <a href="https://www.techtarget.com/searchnetworking/definition/anti-replay-protocol#:~:text=What%20is%20a%20replay%20attack%3F">captured and used in a replay attack</a>. When successful, attackers can use the intercepted traffic -- such as communications or data transmission -- to impersonate a legitimate user on the network. Replay attacks can also serve as the basis for a man-in-the-middle attack, wherein attackers alter packets midstream.</p> <p>You can configure AD to require Lightweight Directory Access Protocol (LDAP) signing by way of a simple <a target="_blank" href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-signing-in-windows-server" rel="noopener">change to the group policy</a>. However, clients that rely on unsigned SASL binds or attempt to perform binds over a non-SSL/TLS connection will cease to function.</p> <h3>Deploy delegated Managed Service Accounts</h3> <p>Service accounts have always been somewhat problematic for organizations because they are difficult to secure. In Windows Server 2025, Microsoft introduced a new type of service account called a <i>delegated Managed Service Account</i>, or dSMA. These accounts are based on a device's identity, meaning that the account can only be used by a specific device. The password associated with the account is random and stored in AD. Microsoft <a target="_blank" href="https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/delegated-managed-service-accounts/delegated-managed-service-accounts-overview" rel="noopener">makes it possible</a> to migrate existing service accounts to dSMAs.</p> <h3>Configure Windows LAPS features</h3> <p>The local administrator password has always presented a vulnerability for Windows desktops. That's because such an account exists on all desktops -- and attackers know that, in a corporate environment, all the desktops likely use the same local administrator password.</p> <p>Microsoft created Windows Local Administrator Password Solution (LAPS) to address this problem. <a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-work-with-the-new-Windows-LAPS-feature">Windows LAPS automatically creates random passwords</a> for all domain-joined Windows desktops.</p> <p>Although Windows LAPS has been around for a while, Microsoft has made some improvements in Windows Server 2025. Among these improvements are automatic account management and image rollback detection. Windows LAPS now also supports the use of passphrases and adjustable password complexity.</p> <h3>Audit and transition authentication protocols</h3> <p>Phasing out the use of legacy protocols in favor of modern, more secure protocols will make your Windows Server environment more secure. One such protocol is NTLMv1.</p> <p>While it is relatively easy to disable the NTLMv1 protocol and transition to either NTLMv2 or Kerberos, haphazardly disabling the protocol can break any processes that depend on it. As such, it's important to audit NTLM usage before disabling the protocol. That way, you can determine exactly which processes, if any, are still using the legacy protocol.</p> <p>If you determine that there are still workloads or clients that depend on NTLMv1, you can work to upgrade or phase out those particular programs and end your NTLMv1 dependency. Microsoft Learn <a target="_blank" href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1" rel="noopener">offers instructions</a> for auditing NTLM usage.</p> <div class="btt-thumbnailContainer"> <span class="btt-thumbnailTitle">Checking Active Directory Replication Health in Windows Server 2025</span> <a class="btt-thumbnailLink" data-video-id="652463" data-channel-id="18865"> <div class="btt-thumbnailImgContainer"> <img class="btt-videoBtThumbnail" src="https://cdn.brighttalk.com/ams/california/images/communication/652463/image_1059061.png?width=640&amp;height=360"> </div></a> <time class="btt-video-duration" datetime="PT8M5S">8:05</time> </div> <div class="btt-modal"> <div class="btt-modal-content"></div> </div> </section> <section class="section main-article-chapter" data-menu-title="Monitoring and maintenance"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Monitoring and maintenance</h2> <p>Even after everything has been upgraded and reconfigured, it is still important to perform ongoing monitoring of your domain controllers. This monitoring can help detect security issues and problems that could potentially result in an outage. For example, it's a good idea to monitor domain controller replication -- especially in the beginning -- to make sure that your domain controllers are successfully replicating with one another.</p> <h3>Monitor event logs for replication issues and security events</h3> <p>Windows Event Viewer is typically the tool of choice for monitoring Windows. The Directory Services log contains a wealth of information about your AD environment. Similarly, the Security log contains detailed information about various security-related events.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_adpost_upgrade_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_adpost_upgrade_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_adpost_upgrade_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_adpost_upgrade_1-f.jpg 1280w" alt="An image showing Directory Service events recorded the Event Viewer in Windows." data-credit="Brien Posey" height="296" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use the Event Viewer is an excellent source of information to check for Active Directory replication errors. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Troubleshoot domain controller replication</h3> <p>If you suspect that you are experiencing <a href="https://www.techtarget.com/searchwindowsserver/tip/Active-Directory-replication-troubleshooting-tips-and-tools">AD replication issues</a>, check the Directory Service logs for related events. The following are some of the event IDs to look for:</p> <ul class="default-list"> <li><b>1311.</b> Replication topology problems.</li> <li><b>1988.</b> A lingering object has been detected.</li> <li><b>2042.</b> Too much time has passed since the last successful replication.</li> <li><b>2087.</b> DNS lookup failure.</li> <li><b>2088.</b> A DNS lookup failure has occurred, but the replication succeeded anyway.</li> </ul> <p>These are just a few of the more commonly cited event IDs. You can get more information on these and other event IDs related to AD replication on the <a target="_blank" href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/common-active-directory-replication-errors" rel="noopener">Microsoft Learn website</a>.</p> <p>Although Event Viewer might be helpful, it is not the only source of information related to Active Directory. For example, if you need to determine whether the AD replication process is healthy, you can use the Repadmin.exe command-line tool.</p> <p>Like other Microsoft command-line tools, Repadmin has many different functions associated with it. However, if you just want to quickly get a feel for what's going on, enter the command <span style="font-family: 'courier new', courier, monospace;">repadmin /replsummary</span>. The Repadmin tool will then assess whether replication problems exist and summarize them in a report.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_adpost_upgrade_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_adpost_upgrade_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_adpost_upgrade_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_adpost_upgrade_2-f.jpg 1280w" alt="An image shows PowerShell output reporting on Active Directory replication." data-credit="Brien Posey" height="255" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use the Repadmin tool to see the Active Directory replication status across the domain controllers. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Ensure ongoing domain security and performance</h3> <p>Once you have confirmed your AD environment is healthy and properly configured, your final task is to establish ongoing maintenance and monitoring. You will want to track logons, changes to privileges and similar security events in an effort to prevent a breach. Regular patch management can also go a long way toward keeping Active Directory healthy and secure.</p> <p>It's also crucial to back up your AD environment on a regular basis. Keep in mind that older backup applications might not fully support the Windows Server 2025 domain and forest functional levels. As such, it is important to keep your backup applications up to date to ensure that backups of your Windows Server 2025 Active Directory are fully supported.</p> <p><i>Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America. </i></p> </section> Windows Server 2025 has many new features, but how can you get the most from them? Use this tutorial to configure AD domain controllers and optimize your environment post-upgrade. https://cdn.ttgtmedia.com/rms/onlineimages/code_g1195673150.jpg https://www.techtarget.com/searchwindowsserver/tip/Configure-domain-controllers-after-Server-2025-upgrade Tue, 13 Jan 2026 15:10:00 GMT <p>Although AD traditionally serves as the central authority for managing users, computers and security within an organization's network, Entra ID provides similar functionalities in the cloud, focusing on managing access to cloud applications and resources.</p> <p>Microsoft hybrid identity gives IT admins the best of both worlds, combining on-premises identity infrastructure with <a href="https://www.techtarget.com/searchsecurity/tip/Top-cloud-IAM-best-practices-to-implement">cloud-based identity management</a>.</p> <p>Hybrid identity is a simplified, secure and user-friendly identity and access management (<a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system">IAM</a>) system. But it also comes with unique implementation challenges and prerequisites IT admins must thoroughly understand before deploying it for their organization.</p> <p>This article covers the components involved in Microsoft hybrid identity, how to prepare for its deployment and an implementation roadmap for launching hybrid identity for your IT environment.</p> <section class="section main-article-chapter" data-menu-title="What is Microsoft hybrid identity?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is Microsoft hybrid identity?</h2> <p><i>Hybrid identity</i> refers to Microsoft's integration of on-premises and cloud-based identity infrastructure and management.</p> <p>This system enables users to use a single identity, such as username and password, to access both on-premises resources managed by AD and cloud resources <a href="https://www.techtarget.com/searchwindowsserver/tip/What-should-admins-know-about-Microsoft-Entra-features">managed by Entra ID</a>, formerly Azure AD. For example, users can use the same credentials to log on to local AD resources that they would use for cloud-based applications, such as Microsoft 365 and other SaaS applications.</p> <p>Hybrid identity is commonly used in environments transitioning to the cloud, as it enables coexistence between legacy systems and modern cloud services. It provides several benefits to IT administrators, including centralized IAM and access to enhanced features, such as conditional access and multifactor authentication (MFA) from Entra ID.</p> </section> <section class="section main-article-chapter" data-menu-title="Key concepts of Microsoft hybrid identity"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key concepts of Microsoft hybrid identity</h2> <p>The following components comprise a hybrid identity system:</p> <ul class="default-list"> <li><b>On-premises AD.</b> AD manages user identities, groups and access to internal resources.</li> <li><b>Entra ID.</b> This extends identity capabilities to cloud apps and services.</li> <li><b>Entra Connect or Cloud Sync.</b> These tools synchronize identities between on-premises AD and Entra ID.</li> <li><b>Authentication model.</b> Choose from password hash synchronization (PHS), pass-through authentication (PTA) or <a href="https://www.techtarget.com/searchsecurity/definition/federated-identity-management">federated authentication</a> with AD Federation Service (AD FS).</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/hsearlejones_hybridid_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/hsearlejones_hybridid_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/hsearlejones_hybridid_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/hsearlejones_hybridid_1-f.jpg 1280w" alt="A diagram showing how the Entra ID Connect tool syncs user identities between AD and Microsoft Entra ID." height="508" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Entra ID Connect links the on-premises AD with the cloud-based Microsoft Entra ID to let users work with a single identity for seamless access to local and cloud resources. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Microsoft Entra Connect, formerly known as Azure AD Connect, and Microsoft Entra Cloud Sync are two tools used to synchronize on-premises AD with Microsoft Entra ID. Although both achieve similar outcomes -- syncing identities to the cloud -- they differ in architecture, capabilities and use cases.</p> <h3>Microsoft Entra Connect overview</h3> <p>This comprehensive tool, which is installed on an on-premises Windows Server, provides robust sync and authentication features. Key features include the following:</p> <ul class="default-list"> <li>Directory synchronization, including users, groups and passwords.</li> <li>Password hash sync, pass-through authentication or federation.</li> <li>Custom filtering, such as by organizational unit or attribute values.</li> <li><a href="https://www.techtarget.com/searchwindowsserver/tip/Follow-these-steps-to-remove-the-last-Exchange-Server">Exchange hybrid configuration</a> support.</li> <li>Writeback features, including password, device and group writeback.</li> </ul> <p>Entra Connect's architecture requires a SQL database and runs as a full server application. It comes with a heavier footprint and requires more ongoing maintenance compared to Entra Cloud Sync. Given this, Entra Connect is best for complex enterprise environments, including those with Exchange hybrid deployments, and scenarios that require writeback capabilities.</p> <h3>Microsoft Entra Cloud Sync overview</h3> <p>This lightweight, cloud-managed agent-based tool is designed for simpler and more scalable synchronization. The following are some of its key features:</p> <ul class="default-list"> <li>Lightweight agent-based sync.</li> <li>Password hash sync only.</li> <li>Multiple AD forests supported (with multiple agents).</li> <li>Managed entirely from the cloud with no on-premises UI.</li> </ul> <p>Entra Cloud Sync's architecture uses cloud-based configuration and doesn't require a SQL database. It can be easier to deploy and maintain than Entra Connect, which makes it a good fit for modern, cloud-first organizations, including ones with multiple AD forest environments, and scenarios without the need for writeback.</p> <p><iframe title="Entra Connect vs. Entra Cloud Sync" aria-label="Table" id="datawrapper-chart-uBqFs" src="https://datawrapper.dwcdn.net/uBqFs/1/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="401" data-external="1"></iframe></p> <p> <script type="text/javascript">window.addEventListener("message",function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r,i=0;r=e[i];i++)if(r.contentWindow===a.source){var d=a.data["datawrapper-height"][t]+"px";r.style.height=d}}});</script> </p> <h3>Authentication models</h3> <p><b>Password hash synchronization.</b> With PHS, hashes of user passwords are synced from on-premises AD to Microsoft Entra ID, and the user authenticates directly with Entra ID in the cloud.</p> <p>The advantages of PHS are that it's simple to deploy and manage, and there is no dependency on on-premises servers at logon. It supports single sign-on (<a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on">SSO</a>), although there is a sync delay when changing user passwords. Some organizations might choose to use other methods because password hashes are stored in the cloud.</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Single sign-on for hybrid identity</h3> <p>SSO in a hybrid identity environment enables users to access both on-premises and cloud-based applications and resources using a single set of credentials -- typically their AD username and password -- without being prompted to sign in again each time. In a hybrid identity implementation, SSO authenticates the user once, typically at the time of device login using AD credentials. It automatically passes authentication tokens to cloud applications, such as Microsoft 365 or SharePoint Online. Admins can maintain centralized IAM using AD or Entra ID.</p> </div> </div> <p><b>Pass-through authentication.</b> In this model, users enter credentials in the cloud, and the authentication request is securely passed to an on-premises agent, which validates it against the local AD instance. The advantages of this method are that no password hashes are stored in the cloud, and the agent is lightweight, making it easier for IT administrators to implement than AD FS. It does require the on-premises infrastructure to be online.</p> <p><b>Federation.</b> Microsoft Entra redirects the user to AD FS, an on-premises federation service, for authentication. IT administrators have full control over authentication policies and can implement custom login branding, multifactor options and smart card support. Federation is more complex to deploy and maintain, and it requires multiple servers. However, this authentication method is typically required to satisfy government and regulatory requirements.</p> <p><iframe title="Compare PHS vs. PTA vs. AD FS for authentication" aria-label="Table" id="datawrapper-chart-X8JJv" src="https://datawrapper.dwcdn.net/X8JJv/3/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="544" data-external="1"></iframe> <script type="text/javascript">window.addEventListener("message",function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r,i=0;r=e[i];i++)if(r.contentWindow===a.source){var d=a.data["datawrapper-height"][t]+"px";r.style.height=d}}});</script> </p> </section> <section class="section main-article-chapter" data-menu-title="Why implement hybrid identity?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why implement hybrid identity?</h2> <p>Organizations should implement hybrid identity to bridge the gap between on-premises infrastructure and the cloud. This enables a secure, seamless and scalable identity experience across all environments.</p> <p>Here are some key reasons why hybrid identity is beneficial.</p> <h3>Familiarity for users</h3> <p>The use of a single identity for your organization's users lowers frustration, improves productivity and reduces password fatigue. Users often find that their login experience is improved, as it reduces repeated sign-ins. For example, a user can log into their Windows device using AD credentials and open Outlook or Microsoft Teams. Thanks to Entra ID's SSO option and the user's on-premises identity, access is granted without another login.</p> <h3>Simplified management</h3> <p>Most organizations already use on-premises AD. Hybrid identity incorporates existing AD users, groups and policies without the need to recreate them in the cloud. It simplifies user management, <a href="https://www.techtarget.com/searchsecurity/tip/User-provisioning-and-deprovisioning-Why-it-matters-for-IAM">provisioning and deprovisioning</a>, while also ensuring consistent access policies, auditing and role assignments.</p> <h3>Enhanced security</h3> <p>Hybrid identity uses cloud-based conditional access, MFA and risk-based access. It reduces the risk of account compromise from reused or weak passwords. Conditional access policies enable IT administrators to create rules that control how, when and under what conditions users can access corporate resources -- especially cloud apps, such as Microsoft 365. These policies play a key role in <a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network">zero-trust security</a> by enforcing the "never trust, always verify" principle. Admins can set specific conditions based on location, device compliance, IP address, the application accessed or user group membership.</p> <p>Conditional access is the gatekeeper of the hybrid identity environment. It analyzes the context of each sign-in and enforces real-time decisions -- allow, block, challenge or restrict access -- to protect corporate data without hindering user productivity.</p> </section> <section class="section main-article-chapter" data-menu-title="Planning for hybrid identity"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Planning for hybrid identity</h2> <p>Planning and implementing Microsoft hybrid identity using Entra ID requires understanding your current infrastructure and IAM methods, preparing your environment and carefully deploying it.</p> <p>You must decide which authentication strategy -- PHS, PTA or AD FS -- best suits your organization and its security requirements. Design the identity architecture, including sync scope, domains and forests, and create an implementation roadmap.</p> <p>Implementation requires several technical and organizational prerequisites to ensure a smooth deployment. These cover your on-premises environment, cloud configuration, security planning and infrastructure readiness.</p> <p>The on-premises AD requirements include the following:</p> <ul class="default-list"> <li>At least one <a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory-forest-AD-forest">AD forest</a> or domain with a functional level of Windows Server 2008 R2 or later.</li> <li>A routable User Principal Name suffix. For example, the UPN must be user@company.com instead of user@localdomain.</li> <li>Consistent and unique user attributes, such as UPN, mail and SAM account name.</li> <li>Cleanup of stale accounts, duplicates and nonstandard naming conventions.</li> </ul> <p>The following infrastructure requirements must be in place:</p> <ul class="default-list"> <li>A dedicated Windows Server to install Microsoft Entra Connect.</li> <li>Administrative access to both on-premises AD and Entra ID tenant.</li> <li>Required network ports open for sync and authentication, such as HTTPS, LDAP or Kerberos.</li> <li>A valid Microsoft Entra ID tenant, either as part of your Microsoft 365 subscription or standalone.</li> <li>At least one verified custom domain in Entra ID.</li> </ul> <p>Then, ensure security and compliance readiness with these steps:</p> <ul class="default-list"> <li>Plan to implement MFA.</li> <li>Define conditional access policies, such as those based on device, location or risk.</li> <li>Prepare to handle identity protection, user risk detections and reporting.</li> </ul> <p>Your deployment strategy should incorporate operational and user readiness. Communicate hybrid identity plans to stakeholders, train IT staff and prepare user education materials for any sign-in behavior changes.</p> <p>The following outlines a typical implementation roadmap:</p> <p><b>Phase 1: Planning</b></p> <ul class="default-list"> <li>Define business goals for hybrid identity.</li> <li>Choose your authentication model (PHS, PTA or AD FS).</li> <li>Design identity architecture (sync scope, domains, forests).</li> </ul> <p><b>Phase 2: Preparation</b></p> <ul class="default-list"> <li>Prepare AD with cleanup and UPN standardization.</li> <li>Prepare server infrastructure for Entra Connect.</li> <li>Review security and compliance requirements.</li> </ul> <p><b>Phase 3: Deployment</b></p> <ul class="default-list"> <li>Install and configure Microsoft Entra Connect.</li> <li>Configure selected authentication method.</li> <li>Set up SSO or seamless SSO (optional).</li> <li>Run initial directory sync (test with pilot users).</li> </ul> <p><b>Phase 4: Testing and validation</b></p> <ul class="default-list"> <li>Validate the following components: <ul class="default-list"> <li>User sign-ins to Microsoft 365 and Entra-protected apps.</li> <li>Password changes and sync behavior.</li> <li>MFA and conditional access, if configured.</li> </ul> </li> <li>Monitor logs and sync health.</li> </ul> <p><b>Phase 5: Rollout</b></p> <ul class="default-list"> <li>Expand sync scope to include all users/groups.</li> <li>Communicate changes to end users.</li> <li>Begin enabling cloud services, such as Teams or SharePoint</li> </ul> <p><b>Phase 6: Optimization</b></p> <ul class="default-list"> <li>Deploy MFA, conditional access and self-service password reset.</li> <li>Consider group writeback or hybrid device join.</li> <li>Monitor and fine-tune performance and logs using Microsoft Entra admin center.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Potential issues with on-premises AD"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Potential issues with on-premises AD</h2> <p>Although hybrid identity offers flexibility and control by integrating on-premises AD with Microsoft Entra ID, it also introduces technical and operational challenges that organizations must plan for.</p> <p><b>AD health issues.</b> Replication errors, DNS issues or corrupt AD objects can lead to failed synchronization or incomplete user provisioning in Entra ID. Run <span style="font-family: 'courier new', courier, monospace;">dcdiag</span>, <span style="font-family: 'courier new', courier, monospace;">repadmin</span> and Entra Connect Health checks regularly. Clean up AD objects before sync.</p> <p><b>Password or authentication inconsistencies.</b> Password changes might not sync quickly, especially with PHS. If not redundant, PTA agents or AD FS servers can become single points of failure. Clock drift in AD can cause Kerberos or auth token issues. Use redundant agents, ensure accurate time sync and monitor authentication services.</p> <p><b>Synchronization failures.</b> Microsoft Entra Connect might fail to sync due to connectivity issues, outdated schema or object attribute mismatches -- especially if UPNs don't match verified domains. Be sure to review sync rules, use consistent UPNs and monitor Entra Connect sync logs.</p> <p><b>Security gaps.</b> On-premises AD might not enforce MFA, conditional access or sign-in risk detection. To mitigate security concerns, <a href="https://www.techtarget.com/searchwindowsserver/tip/Using-Azure-AD-conditional-access-for-tighter-security">use Microsoft Entra conditional access and identity protection</a> and enforce cloud policies.</p> <p>Hybrid identity is the cornerstone of a secure, flexible and user-friendly IT environment in the cloud era, especially for organizations transitioning from legacy systems.</p> <p><i>Helen Searle-Jones holds a group head of IT position in the manufacturing sector. She draws on 30 years of experience in enterprise and end-user computing, utilizing cloud and on-premises technologies to enhance IT performance.</i></p> </section> Microsoft hybrid identity combines on-premises AD resources and cloud-based Entra ID capabilities to create a seamless access experience across environments. https://cdn.ttgtmedia.com/rms/onlineimages/cloud_g943065362.jpg https://www.techtarget.com/searchwindowsserver/tip/Understand-the-basics-of-Microsoft-hybrid-identity Thu, 20 Nov 2025 11:00:00 GMT <p>AI took center stage at Microsoft Ignite 2025, this year's installment of the tech giant's annual conference.</p> <p>From Nov. 18-21, conference-goers gathered at San Francisco's Moscone Center for hundreds of live sessions, demonstrations and labs focusing on key topic areas. Key topics this year included cloud and AI platforms, AI-powered security and AI business tools.</p> <p>In a shakeup from years past, Microsoft CEO Satya Nadella did not make an appearance at this year's event. Judson Althoff, CEO of Microsoft's commercial business, delivered the opening keynote -- where he highlighted the company's AI innovations -- alongside senior Microsoft engineering leaders.</p> <p>Dive into our editorial coverage below to catch up on the major announcements and news analysis from this year's Microsoft Ignite conference, and stay tuned for future updates.</p> Our guide to Microsoft Ignite 2025 has everything you need to know about the annual conference, including live news updates, expert analysis and highlights from last year's show. https://www.techtarget.com/searchwindowsserver/conference/Microsoft-Ignite-conference-coverage Mon, 10 Nov 2025 00:00:00 GMT <p>Upgrading an Active Directory forest to run on Windows Server 2025 isn't overly difficult, but the process requires preparation.</p> <p>In its latest Windows Server release, Microsoft <a href="https://www.techtarget.com/searchwindowsserver/tip/See-whats-coming-in-Windows-Server-2025">introduced several Active Directory enhancements</a>, including new features and improved functionality that will appeal to organizations. Before they can implement these features, though, they'll need to migrate their domain controllers to Windows Server 2025.</p> <p>This article provides a walkthrough of the planning required before an AD domain controller migration and then covers the steps involved in performing the actual upgrade.</p> <section class="section main-article-chapter" data-menu-title="Why upgrade Active Directory?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why upgrade Active Directory?</h2> <p>One major development in Windows Server 2025 is the increased database page size. Since the days of Windows 2000, Active Directory has relied on an Extensible Storage Engine database with an 8 KB page size. While this might have been fine 25 years ago, today the page size limitations hinder overall AD scalability. Microsoft has removed these limitations by increasing the page size to 32 KB. Additionally, AD now takes advantage of <a href="https://www.techtarget.com/whatis/definition/NUMA-non-uniform-memory-access">non-uniform memory access</a> nodes and can support up to 64 CPU cores.</p> <p>Microsoft has also taken steps to improve AD security. As an example, the lightweight directory access protocol used by Active Directory now supports TLS version 1.3. Similarly, Active Directory blocks legacy Security Account Manager Remote Procedure Call protocols in favor of more secure alternatives, such as Kerberos. The Microsoft Learn website offers a <a target="_blank" href="https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-windows-server-2025" rel="noopener">full list</a> of the latest AD enhancements.</p> </section> <section class="section main-article-chapter" data-menu-title="Prepare for your domain controller migration"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Prepare for your domain controller migration</h2> <p>Before upgrading your <a href="https://www.techtarget.com/searchwindowsserver/definition/domain-controller">domain controllers</a> to Windows Server 2025, take the following steps to help ensure a smooth and successful migration.</p> <h3>Assess replication process</h3> <p>The first step involves checking Active Directory to make sure the domain controllers are properly replicating with one another and that the replication process is healthy. This step will also need to be performed again later as part of the migration process. To check the replication status, open PowerShell and enter the command <samp>RepAdmin /ReplSummary</samp>. Make sure there are no replication errors, as shown in Figure 1.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_1-f.jpg 1280w" alt="Screenshot of Windows PowerShell displaying information generated by the RepAdmin tool." data-credit="Brien Posey" height="295" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 1. Check for replication errors by using the RepAdmin tool. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Create an Active Directory backup</h3> <p>This backup should be done at the last minute to ensure capture of all the latest AD changes. Practice restoring your backups to a lab environment so that you can test their integrity. This process helps familiarize the recovery process in case anything goes wrong.</p> <h3>Audit legacy protocols, applications</h3> <p>Evaluate NT LAN Manager usage throughout your organization. NTLM is a legacy protocol that you should ideally phase out as part of the upgrade process. However, you might still have legacy applications that require NTLM, which might force you to continue using the protocol.</p> <h3>Evaluate hardware requirements</h3> <p>These requirements are relatively modest: 1.4 GHz 64-bit CPU; 2 GB of RAM, or 4 GB as recommended for the Desktop Experience; and 32 GB of storage.</p> <p>You should also review the hardware that your existing domain controllers currently use, since domain controllers will almost always require more than just the minimum hardware. This would be a good time to assess whether your existing hardware allocations are sufficient or if you need to allocate more hardware to your domain controllers.</p> <h3>Consider raising functional levels</h3> <p>Finally, decide whether you want to upgrade to the latest domain and forest <a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory-functional-levels">functional levels</a>. Prior to Windows Server 2025, the highest available functional level was Windows Server 2016. Upgrading to the Windows Server 2025 domain functional level lets you take advantage of all the latest enhancements, but you cannot perform the upgrade until all of the domain controllers within the domain are running Windows Server 2025.</p> <p>Note that upgrading the domain functional level is a one-way operation. Once you upgrade the functional level, you will no longer be able to deploy domain controllers running older versions of Windows.</p> <p>The same basic concept also applies to forest functional level upgrades. Raising the forest functional level to Windows Server 2025 requires all of your domains to be operating at the Windows Server 2025 domain functional level. Once again, this is a one-way operation; once you raise the forest functional level, you can no longer deploy domains at lower functional levels.</p> <p>The importance of having a good AD backup increases exponentially when upgrading functional levels. It's a good idea to create a new one just before raising a functional level.</p> <div class="btt-thumbnailContainer"> <span class="btt-thumbnailTitle">Plan Your Domain Controller Migration to Windows Server 2025</span> <a class="btt-thumbnailLink" data-video-id="652475" data-channel-id="18865"> <div class="btt-thumbnailImgContainer"> <img class="btt-videoBtThumbnail" src="https://cdn.brighttalk.com/ams/california/images/communication/652475/image_1059089.png?width=640&amp;height=360"> </div></a> <time class="btt-video-duration" datetime="PT14M40S">14:40</time> </div> <div class="btt-modal"> <div class="btt-modal-content"></div> </div> </section> <section class="section main-article-chapter" data-menu-title="Domain controller migration, step by step"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Domain controller migration, step by step</h2> <p>Once all the prep work has been completed, it's time for the actual domain controller migration. While you can perform an in-place upgrade from Windows Server 2012 R2 or newer Windows Server OSes, the following steps will be for a clean installation onto physical or virtual hardware, as this is usually the preferred option.</p> <h3>1. Install the OS and Domain Services</h3> <p>The first step is to install Windows Server 2025. You will need to join the machine to the AD domain where it will eventually serve as a domain controller before continuing. Take this opportunity to install any available updates.</p> <p>With the OS ready to go, next you will need to install <a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Active-Directory-Domain-Services-AD-DS">Active Directory Domain Services</a>. From the GUI, open Server Manager and then choose the <b>Add Roles and Features</b> command from the Manage menu. Work your way through the wizard until you reach the Roles screen. Here, you will need to select the Active Directory Domain Services role. When prompted, be sure to install any required dependency services.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_2-f.jpg 1280w" alt="Screenshot of the Add Roles and Features Wizard showing the server roles selection screen in Server Manager." data-credit="Brien Posey" height="400" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 2. Install the Active Directory Domain Services role from Server Manager. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>2. Deploy DNS services</h3> <p>Although not technically a requirement, consider where you plan to host the DNS services. Active Directory cannot function without DNS. As such, there is a strong possibility that some of your legacy domain controllers are also functioning as DNS servers. If you are completely doing away with these legacy servers, then you will need to deploy DNS elsewhere.</p> <p>One option is to run the DNS services on your new domain controllers. You can do so by selecting the DNS Server checkbox, shown in Figure 2. You will also need to install the dependency features when prompted. If you are migrating DNS to a new server, remember to modify the IP address configuration used throughout your organization so that it points to the new DNS server.</p> <h3>3. Promote new domain controllers</h3> <p>When the role deployment process is complete, click on the <b>Promote This Server to a Domain Controller</b> link. This will launch the Deployment Configuration Wizard. Select the option to add a new domain controller to an existing domain and then verify that the correct domain is selected. Click <b>Next</b>, and the following screen will ask you to select the capabilities for the new domain controller. Unless you are <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Deploy-a-read-only-domain-controller-for-security-speed">deploying a read-only domain controller</a>, select the default options. While you are at it, you will need to enter and confirm a Directory Services Restore password. Click <b>Next</b> until you complete the wizard. At that point, the server will be configured to act as a domain controller. A reboot is required at the completion of this process.</p> <p>When the reboot is complete, give your new domain controller some time to receive copies of all the objects that currently exist within your Active Directory. Before moving forward, check the replication health using the same method discussed earlier. Make sure that AD replication is functioning properly and the initial replication process is complete before proceeding. If you encounter replication errors, verify that DNS name resolution is working properly and that all the domain controller clocks are correct.</p> <h3>4. Deprovision legacy domain controllers</h3> <p>If you plan to deprovision your legacy domain controllers, it's a good idea to <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-transfer-FSMO-roles-with-PowerShell">transfer Flexible Single Master Operation (FSMO) roles</a>. The role transfer should occur automatically as part of the deprovisioning process, but transferring roles ahead of time can help avoid any surprises. The easiest way to do this is to open an elevated PowerShell session and enter the following command:</p> <pre class="language-powershell"><code>Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME -OperationMasterRole 0,1,2,3,4 -Confirm:$False</code></pre> <p>This command, shown in Figure 3, will transfer all of the operation master roles to your new domain controller. If you only wish to transfer some of the roles, you can change the numbers listed at the end of the command. Each of these numbers represents a role:</p> <ul class="default-list"> <li>0: Primary domain controller emulator.</li> <li>1: Relative identifier master.</li> <li>2: Infrastructure master.</li> <li>3: Schema master.</li> <li>4: Domain naming master.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_adupgrade_3-f.jpg 1280w" alt="Screenshot of Windows PowerShell displaying a command that transfers FSMO roles to the local system." data-credit="Brien Posey" height="344" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 3. Use PowerShell to transfer all FSMO roles to your new domain controller. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>You can verify that the roles have been successfully transferred with the <samp>netdom query fsmo</samp> command.</p> <p>The next step in the process is to begin deprovisioning your legacy domain controllers. The exact steps involved will vary slightly depending on the version of Windows Server in use. At a high level, however, the deprovisioning process involves opening Server Manager and removing the AD Domain Services role.</p> <p><i>Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.</i></p> </section> Windows Server 2025 offers a slew of new Active Directory features, but users must migrate their domain controllers before they can realize the benefits. https://cdn.ttgtmedia.com/rms/onlineimages/security_a244600171.jpg https://www.techtarget.com/searchwindowsserver/tip/Plan-your-domain-controller-migration-to-Windows-Server-2025 Fri, 17 Oct 2025 14:28:00 GMT <p>Most AD administrators are comfortable managing users, groups and organizational units. However, fewer are familiar with managing AD topology.</p> <p>Properly associating physical locations, WAN and LAN connections, and scheduling replication availability enables administrators to ensure the AD database reconciles efficiently and promptly.</p> <p>This article provides a sample AD configuration based on a fictional <a href="https://www.techtarget.com/searchnetworking/definition/What-is-network-mapping">network map</a>. It covers two scenarios: new AD deployments and optimizing existing AD topologies.</p> <p>Use these best practices to configure optimal AD replication.</p> <section class="section main-article-chapter" data-menu-title="Start with a network map"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Start with a network map</h2> <p>Begin with an accurate network map as a visual. Include the environment's physical locations, such as headquarters and branch offices.</p> <p>You should also identify the WAN connections connecting locations and the logical IP subnets at each locale. Finally, identify the domain controller (DC) locations.</p> <p>Figure 1 is a sample diagram of an AD sites configuration.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/garn_adsites_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/garn_adsites_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/garn_adsites_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/garn_adsites_1-f.jpg 1280w" alt="A sample network map." height="449" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 1. This network topology diagram shows a corporate network with three locations. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Pay careful attention to the following components:</p> <ul class="default-list"> <li><b>Physical locations.</b> Headquarters, Branch1, Branch2.</li> <li><b>WAN links.</b> WAN link A and WAN link B.</li> <li><b>Subnets.</b> Seven subnets distributed among the three locations.</li> <li><b>DCs. </b>Five DCs distributed among the three locations.</li> </ul> <p>You'll create AD objects to represent these components. To avoid confusion, <i>location</i> will refer to the physical building, and <i>site</i> will refer to the AD object.</p> <p>The following sections cover two likely scenarios:</p> <ul class="default-list"> <li><b>Deploying a new AD environment.</b> You must create most objects and rename the default objects.</li> <li><b>Optimizing an existing AD environment.</b> You rename existing objects and create any unrepresented objects.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="New AD environments"> <h2 class="section-title"><i class="icon" data-icon="1"></i>New AD environments</h2> <p>Suppose the above network diagram represents an AD environment you intend to build. Once you <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Deploy-a-read-only-domain-controller-for-security-speed">deploy your first DC</a>, you should create the AD sites infrastructure before promoting additional DCs. AD automatically places the DCs in the topology when you promote new DCs with existing sites and subnet objects. If you create the topology in AD Sites and Services after deploying the DCs, you must manually move them.</p> <p>Remember, the goal is to create AD objects representing the components in the diagram.</p> <p>Open the AD Sites and Services console on your existing DC. Then, expand the nodes. Identify the following:</p> <ul class="default-list"> <li>Sites node.</li> <li>Subnets node.</li> <li>Inter-Site Transports and its nested IP node.</li> <li>Servers node.</li> </ul> <p>You will work with these nodes to configure AD sites.</p> <h3>Define AD sites</h3> <p>Begin by renaming the existing Default-First-Site-Name to Headquarters.</p> <p>Next, create the site objects for Branch1 and Branch2. Right-click the <b>Sites</b> node and select <b>New Site</b>. Use descriptive names to identify the locations.</p> <p>Create a site object for the Branch1 and Branch2 locations. You must associate new sites with a link. For now, select <b>DEFAULTIPSITELINK</b>. You can rename the link later.</p> <p>The second site object is for Branch2.</p> <p>AD Sites and Services now displays the three site objects representing your physical locations.</p> <h3>Define site links</h3> <p>Next, create objects to represent the two WAN connections. AD uses these connections for intersite replication. Expand the <b>Inter-Site Transports</b> node and select the <b>IP</b> node. Again, name the links something meaningful to your organization. For this example, the names are WAN-A and WAN-B. Rename the existing DEFAULTIPSITELINK to WAN-A, then create a new site link object for WAN-B.</p> <p>Figure 2 shows how you can right-click the <b>DEFAULTIPSITELINK</b> object to rename it to WAN-A.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/garn_adsites_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/garn_adsites_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/garn_adsites_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/garn_adsites_2-f.jpg 1280w" alt="AD Sites and Services menu screenshot." height="163" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 2. Rename the original DEFAULTIPSITELINK object to WAN-A. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Create a second link for WAN-B.</p> <p>When you create a new site link, give it a name and associate it with the locations the WAN connection accesses. In this case, WAN-B connects Headquarters and Branch2.</p> <p>You now have two objects representing your WAN connections (Figure 3).</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/garn_adsites_3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/garn_adsites_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/garn_adsites_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/garn_adsites_3-f.jpg 1280w" alt="Inter-Site Transports menu screenshot." height="92" width="558"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 3. Both WAN connections have objects to represent them. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Per Figure 1, WAN-A connects Headquarters and Branch1, while WAN-B connects Headquarters and Branch2. Use the <b>Add</b> and <b>Remove</b> buttons in the Site Link properties menu to configure the associations.</p> <h3>Define subnets</h3> <p>Next, expand the <b>Subnets</b> node, right-click and select <b>New Subnet</b>. You must enter the subnet prefix using slash notation to <a href="https://www.techtarget.com/searchnetworking/tip/IP-addressing-and-subnetting-Calculate-a-subnet-mask-using-the-hosts-formula">represent the subnet mask</a>, as seen in Figure 4. You must also choose the AD site where the subnet resides.</p> <p>AD Sites and Services displays all seven subnet objects from the network diagram.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/garn_adsites_4-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/garn_adsites_4-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/garn_adsites_4-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/garn_adsites_4-f.jpg 1280w" alt="AD Sites and Services subnets menu screenshot." height="267" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 4. AD Sites and Services displays all seven subnets and their site associations. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Place DC objects</h3> <p>The final step is creating computer accounts for the DCs you plan to promote. Open AD Users and Computers, select the DC organizational unit and create a computer object for each DC. Use the computer name that you'll assign to the systems. In this example, the names are DC2, DC3, DC4 and DC5<b>.</b> Remember, DC1 already exists; that's the system where you're building the sites infrastructure.</p> <p>Return to the AD Sites and Services console. Expand each site node -- <b>Headquarters</b>, <b>Branch1</b> and <b>Branch2</b> -- and observe the <b>Servers</b> nodes. These nodes store DC objects. By default, the first DC is already displayed.</p> <p>Promote the remaining four DCs. Note that DC3 and DC4 are in the Branch1 location. Assign these two DCs static IP addresses in one of the subnets for that location. DC5 is in Branch2, so assign it a static IP address in the 192.168.6.0/24 or 192.168.7.0/24 range.</p> <p>When you finish promoting these DCs, AD notes their IP addresses and assigns them to the proper site.</p> <p>Your AD replication infrastructure is now complete. However, you still need to configure the availability and replication schedule of the WAN links. Those steps are covered later in the article.</p> </section> <section class="section main-article-chapter" data-menu-title="Existing AD environments"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Existing AD environments</h2> <p>If you're optimizing an existing AD environment, you must have an accurate network diagram of existing resources. Identify each location, subnet, WAN connection and DC. Once the diagram is correct, you'll either rename existing objects or create new ones. The process is similar to the steps for a new environment.</p> <p>Open the AD Sites and Services console from the Tools menu in Server Manager. Expand all nodes to clearly see what objects exist.</p> <h3>Define AD sites</h3> <p>Confirm you have site objects for Headquarters, Branch1 and Branch2. Rename any existing objects that aren't correct and create any that are missing.</p> <h3>Define site links</h3> <p>Next, check the site links. The demonstration environment has just two WAN connections. You might need to rename the DEFAULTIPSITELINK to WAN-A and create a new one for WAN-B.</p> <h3>Define subnets</h3> <p>Use the same process to confirm that all subnet objects exist. These objects help AD establish the most efficient replication topology for reconciling the AD database.</p> <h3>Place DC objects</h3> <p>Finally, confirm that all five DCs appear. Knowing which DCs are deployed at each location is essential, as you might need to move them to the proper site.</p> <p>Once you create the objects, the AD Sites and Services console displays them in the original network diagram.</p> </section> <section class="section main-article-chapter" data-menu-title="Configure replication"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Configure replication</h2> <p>You can now optimize and configure AD replication by managing the relationships between the sites, site links and DC objects.</p> <h3>Set the link replication schedule</h3> <p>Managing replication is the purpose behind the correct configuration of AD sites. Once your AD Sites and Services console matches your environment's physical configuration, you can <a href="https://www.techtarget.com/searchwindowsserver/tip/Active-Directory-replication-troubleshooting-tips-and-tools">fine-tune replication settings</a>.</p> <p>Organizations with fast and unsaturated WAN connections might not need additional optimization. However, on limited-bandwidth WAN connections, you can schedule when the site link (connection) is available for AD replication.</p> <p>Right-click a site link and select <b>Properties</b>. The <b>General</b> tab contains a cost value and a replication schedule setting. Cost lets you prioritize one link over another in a fault-tolerant mesh topology. The replication schedule defines the frequency of AD replication across the WAN link. The default is 180 minutes and shouldn't be set below 15 minutes. Consider other traffic that relies on the WAN connection when setting this value.</p> <p>Select the <b>Change Schedule</b> button to choose times when replication can't use the WAN connection. For example, if you do nightly backups across the WAN, you might make the WAN unavailable to AD replication at that time. Figure 5 shows that the WAN-A connection is unavailable from 2 a.m. to 4 a.m.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/garn_adsites_5-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/garn_adsites_5-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/garn_adsites_5-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/garn_adsites_5-f.jpg 1280w" alt="Screenshot of AD replication schedule." height="350" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 5. Configure hours during which the WAN connection is unavailable for AD replication. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Set DC partners</h3> <p>Right-click the <b>NTDS Settings</b> node under the DC objects to manually define replication partnerships. AD has a built-in topology generator that typically manages this for you. Microsoft recommends this automatic process, but the manual settings are there if needed.</p> <h3>Configure Global Catalog Servers</h3> <p>Microsoft recommends at least one Global Catalog (GC) domain controller at each site so that catalog searches don't cross the WAN connections. Again, this can be fine with robust WAN connections, but keeping GCs near client systems is helpful for less efficient links.</p> <p>To configure a DC as a GC, expand the <b>Servers</b> node under the chosen site. Select the DC, then right-click the <b>NTDS Settings</b> node and select <b>Properties</b>. The checkbox is on the <b>General</b> tab (Figure 6).</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/garn_adsites_6-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/garn_adsites_6-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/garn_adsites_6-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/garn_adsites_6-f.jpg 1280w" alt="A screenshot showing the GC option in NTDS settings." height="357" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 6. Select the checkbox to configure the DC as a GC. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Monitor replication"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Monitor replication</h2> <p>Now that your AD infrastructure reflects your physical network, it's time to consider replication monitoring. Microsoft provides two tools for managing AD replication beyond using the AD Sites and Services console: repadmin.exe and <a href="https://www.techtarget.com/searchwindowsserver/definition/PowerShell">PowerShell</a>.</p> <h3>Use the repadmin tool</h3> <p>The repadmin.exe utility replaces the retired replmon.exe tool. Repadmin.exe is best used as a monitoring utility, though you can make configuration changes to the replication topology if necessary. Manual changes to AD replication aren't common or recommended; let AD manage this for you.</p> <p>Repadmin.exe displays the following essential information:</p> <ul class="default-list"> <li>Replication health.</li> <li>Replication statistics.</li> <li>Replication partners.</li> </ul> <p>Repadmin.exe is your go-to AD replication monitoring tool, especially in small and medium-sized environments. For larger environments, consider using PowerShell to manage replication.</p> <h3>Use Windows PowerShell</h3> <p>The PowerShell AD module provides various AD replication cmdlets to gather information and configure settings (Figure 7). AD replication automation is straightforward, as the cmdlets can import data from CSV files.</p> <p>Here are a few example cmdlets to report information:</p> <ul class="default-list"> <li><samp>Get-ADReplicationSite.</samp></li> <li><samp>Get-ADDomainController.</samp></li> <li><samp>Get-ADReplicationSiteLink.</samp></li> <li><samp>Get-ADReplicationFailure.</samp></li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/garn_adsites_7-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/garn_adsites_7-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/garn_adsites_7-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/garn_adsites_7-f.jpg 1280w" alt="A screenshot showing PowerShell commands used in AD replication tasks." height="469" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Figure 7. The PowerShell AD module provides several cmdlets to manage AD replication. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Use the <samp>Set</samp> cmdlet verb with these PowerShell nouns to manage settings.</p> </section> <section class="section main-article-chapter" data-menu-title="Conclusion"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Conclusion</h2> <p>AD manages its replication topology automatically -- but only if you provide information about your physical environment. AD needs to know the locations of DCs and available WAN connections to determine the best way to configure same-site and cross-site replication. You can also <a href="https://www.techtarget.com/searchenterprisedesktop/tip/When-does-AD-domain-joined-Group-Policy-override-local">link Group Policy Objects to AD sites</a>, enabling location-specific configurations.</p> <p>Use the AD Sites and Services console to create objects representing your organization's locations, WAN connections, subnets and DCs. Be sure to start with an accurate network diagram; in fact, this project is the perfect excuse to review the physical topology, too.</p> <p>Take a few minutes to review AD Sites and Services. Is it current? If not, you might be sacrificing WAN bandwidth, timely replication and optimal DC configurations.</p> <p><i>Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.</i></p> </section> AD sites configuration optimizes replication by mapping physical network topology -- locations, WAN links, subnets and domain controllers -- for efficient database synchronization. https://cdn.ttgtmedia.com/rms/onlineimages/disaster_recovery_g175031469.jpg https://www.techtarget.com/searchwindowsserver/tutorial/Configure-AD-sites-for-optimized-replication-topology Wed, 08 Oct 2025 15:31:00 GMT <p>As more organizations adopt multi-platform environments, the role of the Windows sysadmin is evolving.</p> <p>Microsoft administrators in those organizations are now responsible for managing Linux systems alongside the traditional Windows infrastructure. This responsibility can be daunting, but integrating Linux systems into Active Directory (AD) can alleviate some of this anxiety by providing a <a href="https://www.techtarget.com/searchwindowsserver/tip/New-Active-Directory-features-coming-in-Windows-Server-2025">unified authentication and identity management approach.</a> This article will explain why this integration can benefit the organization, some of the typical challenges that occur when adding Linux machines to Active Directory and how to perform troubleshooting from Linux systems.</p> <section class="section main-article-chapter" data-menu-title="Why join Linux machines to Active Directory?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why join Linux machines to Active Directory?</h2> <h3>1. Centralized user management</h3> <p>One of the primary reasons to integrate Linux machines with Active Directory is centralized user management. Organizations can use existing user accounts, groups and security policies. Administrators can <a href="https://www.techtarget.com/searchwindowsserver/tip/What-should-admins-know-about-Microsoft-Entra-features">manage user permissions</a>, authentication and policies from a single point, streamlining operations and minimizing administrative overhead.</p> <h3>2. Enhanced security compliance</h3> <p>Active Directory offers enterprise-grade security features such as password policies, multifactor authentication, group policies and account lockout thresholds.</p> <p>Extending Active Directory to Linux systems ensures consistent security enforcement and compliance across Windows and Linux systems, reducing vulnerabilities and enhancing overall security posture.</p> <h3>3. Resource management</h3> <p>Domain-joined Linux machines simplify resource management, allowing users to access shared resources such as file shares and printers without needing multiple accounts. This can improve productivity by providing seamless access to shared resources across platforms, fostering a more cohesive user experience.</p> <p>Note that Linux machines cannot use <a href="https://www.techtarget.com/searchwindowsserver/definition/Group-Policy-Object">Group Policy Object (GPO)</a> policies and Windows-centric management tools, even after they are domain-joined.</p> </section> <section class="section main-article-chapter" data-menu-title="Challenges for Windows sysadmins"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Challenges for Windows sysadmins</h2> <p>Many Windows admins prefer a graphical user interface (GUI) for system management. However, Linux system administration relies heavily on command-line interface (CLI) operations. This transition can be challenging, as many straightforward tasks in a GUI-based tool, such as Active Directory Users and Computers (ADUC), may require more complex commands in Linux.</p> <p>Linux and Windows use different file systems, which can lead to confusion. For example, Linux uses a hierarchical file system starting from the root directory (/), while Windows uses drive letters. Permissions also differ significantly: Linux employs a user/group/other permission model, while Windows uses <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Reveal-Windows-file-server-permissions-with-PowerShells-help">Access Control Lists (ACLs) that allow for more granular permission settings</a> but with more complexity.</p> <p>In Windows, user and group management is often handled through AD, which provides a straightforward model for assigning permissions. In contrast, standard, out-of-the-box Linux employs a simpler model, with users and groups defined in files. Understanding these differences at the conceptual level is crucial for effective management and troubleshooting.</p> </section> <section class="section main-article-chapter" data-menu-title="Active Directory pre-flight checks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Active Directory pre-flight checks</h2> <p>Follow this checklist of items to verify before attempting to set up Linux on Active Directory. Finishing this advance work will help avoid troublesome issues later.</p> <ul class="default-list"> <li><b>Verify connectivity: </b>Use ping to<b> </b>check basic connectivity between the server and Linux clients. Ensure the required ports are open on the server. Rather than disabling firewalls, configure them to allow specific traffic from Linux clients to the server.</li> <li><b>DNS configuration:</b> Make sure your client can perform an nslookup on the Active Directory server's <a href="https://www.techtarget.com/whatis/definition/fully-qualified-domain-name-FQDN">fully qualified domain name (FQDN)</a>. It is vital to have the correct time set and synced across all the servers. Set up servers to use the same local DNS server to avoid complex DNS issues.</li> <li><b>Time synchronization: </b>Ensure correct time settings and synchronization across all servers involved. Time discrepancies can cause authentication failures and other critical issues.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Configure SSSD for Active Directory integration"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Configure SSSD for Active Directory integration</h2> <p>The System Security Services Daemon (SSSD) is a key component for connecting Linux systems with Active Directory. SSSD offers the integration functionality from Linux to several back-end authentication <a target="_blank" href="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/understanding-sssd-and-its-benefits_configuring-authentication-and-authorization-in-rhel#identity-and-authentication-providers-for-SSSD_understanding-SSSD-and-its-benefits" rel="noopener">mechanisms</a>, with particularly strong support for Active Directory domains. This enables seamless authentication between Linux systems and enterprise directory services</p> <p>The following guide explains how to set up and configure SSSD on an Ubuntu VM to interact <a href="https://www.techtarget.com/searchwindowsserver/video/Use-a-Windows-Server-2019-domain-controller-or-go-to-Azure">with a Windows 2019 Active Directory domain controller</a>.</p> <h3>Install required packages</h3> <p>First, install the following packages: <b>sssd-ad</b>, <b>sssd-tools</b>, <b>realmd</b> and <b>adcli</b>. You can install them using the Ubuntu package manager.</p> <p><span style="font-family: 'courier new', courier, monospace;">sudo apt update</span><br><span style="font-family: 'courier new', courier, monospace;">sudo apt install -y sssd-ad sssd-tools realmd adcli cifs-utils</span></p> <h3>Discover the Active Directory domain</h3> <p>The <b>realm</b> command to discover and verify the Active Directory domain depends on proper DNS and Kerberos functionality.</p> <p><span style="font-family: 'courier new', courier, monospace;">sudo realm -v discover Active Directory.tttest.local</span></p> <p>If successful, the Linux system will find and gather information about the Active Directory domain.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/sburns_ad-linux_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/sburns_ad-linux_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/sburns_ad-linux_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/sburns_ad-linux_1-f.jpg 1280w" alt="A Linux terminal window shows the command that discovers an Active Directory domain." height="313" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use the Linux realm command to find and collect information about the Active Directory domain. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Check all dependencies</h3> <p>If there are errors, it is very likely a DNS issue. <a href="https://www.techtarget.com/searchnetworking/tip/Troubleshoot-name-resolution-on-Windows-Linux-and-macOS">Issues with DNS resolution</a> cause a large proportion of join errors. Also, check for time skew. Lastly, ensure the host name and the FQDN are correct and share the same network domain name and name server.</p> <h3>Join the Active Directory domain</h3> <p>To join the domain, use the following command:</p> <p><span style="font-family: 'courier new', courier, monospace;">sudo realm join --user=administrator yourdomain.com</span></p> <p>Replace <b>administrator</b> with an account that permits machines to join the domain. For this tutorial, we are using the domain administrator account.</p> <p>To verify the domain join, use the command:</p> <p><span style="font-family: 'courier new', courier, monospace;">sudo realm list</span></p> <p>The output will show all Active Directory domains the system is connected to if properly integrated. To verify, check the <a href="https://www.techtarget.com/searchwindowsserver/tip/Speed-up-onboarding-with-Active-Directory-user-templates">ADUC tool on Windows Server</a>. The Linux system should appear in the Computers container.</p> <p>At this point, you can log in to the Linux system using Active Directory credentials. However, users must use the fully qualified login name, such as <a target="_blank" href="mailto:bob@tttest.local" rel="noopener">bob@tttest.local</a>, rather than just the user name bob.</p> <p>When configuring the domain configuration, the <b>realm</b> command will make the changes to enable basic Active Directory authentication. This same process can be used on Ubuntu Desktop with the <b>Use Active Directory </b>option during installation.</p> <h3>Be aware of sssd.conf</h3> <p>After joining the domain, know that the SSSD configuration file (sssd.conf) exists. You can customize it further to optimize authentication. While the basic domain join gets default settings, you may need to adjust this file for specific authentication requirements.</p> <h3>Configure host resolution and CIFS</h3> <p>To use Windows file sharing, you must <a href="https://www.techtarget.com/searchstorage/answer/NFS-vs-CIFS">configure Common Internet File System (CIFS),</a> a network file-sharing protocol. We have already installed the required package to start the CIFS configuration.</p> <p>Edit the <b>/etc/fstab</b> file to add entries for your Windows file shares to have them mount automatically at boot.</p> <p><span style="font-family: 'courier new', courier, monospace;">//server/share /mnt/mountpoint cifs credentials=/path/to/credentials,uid=1000,gid=1000 0 0</span></p> <p>To test the mount without a reboot, run the following command:</p> <p><span style="font-family: 'courier new', courier, monospace;">sudo mount -a</span></p> <p>No errors mean it was successful. If there are errors, it's usually due to formatting problems.</p> <p>Be aware of some more nuanced aspects of CIFS security. You can apply Linux filesystem <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Reveal-Windows-file-server-permissions-with-PowerShells-help">permissions to mounted Windows file shares</a>. Linux uses numeric mode values to set permissions, such as 0755 for owner/full access. These permissions only apply at the share mount level, not to individual files within the Windows system. Linux permissions act as an additional filter on top of Windows ACLs, which means a file will not be accessible if the Linux permission restricts access, even if the user has access via the Windows ACL. Windows admins must learn how to adapt to this hybrid arrangement, which can lead to issues since two permission systems are in effect simultaneously.</p> </section> <section class="section main-article-chapter" data-menu-title="Troubleshooting Linux integration with Active Directory"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Troubleshooting Linux integration with Active Directory</h2> <h3>Interpret Linux system logs</h3> <p>One of the best tools for troubleshooting in Linux is system logs, typically located in <b>/var/log </b>directory. Key logs to review for problems include:</p> <ul class="default-list"> <li><span style="font-family: 'courier new', courier, monospace;">/var/log/secure</span>: Authentication logs that capture SSSD events.</li> <li><span style="font-family: 'courier new', courier, monospace;"><b>/var/log/messages</b></span>: General system messages.</li> <li><span style="font-family: 'courier new', courier, monospace;"><b>/var/log/syslog</b></span>: Comprehensive system and service messages.</li> </ul> <p>Use the tail command to view logs in real time:</p> <p><span style="font-family: 'courier new', courier, monospace;">tail -f /var/log/secure</span></p> <h3>Get familiar with diagnostic tools</h3> <p>If a user cannot log in, use these diagnostic tools:</p> <ul class="default-list"> <li><strong><span style="font-family: 'courier new', courier, monospace;">id "username"</span></strong> - Check if the system recognizes a user.</li> <li><span style="font-family: 'courier new', courier, monospace;"><b><u>g</u></b><strong>etent passwd "username"</strong></span> - Display user account information from Active Directory.</li> <li><span style="font-family: 'courier new', courier, monospace;"><b>sssctl</b></span> - A command-line tool for SSSD that shows information about users, groups and cache status.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Key takeaways for integrating Linux with Active Directory"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key takeaways for integrating Linux with Active Directory</h2> <p>Integrating Linux machines into Active Directory brings several benefits, including centralized user management, consistency with security policies and compliance, and simplified resource access.</p> <p>While challenges exist, particularly for Windows administrators transitioning to manage Linux systems, it's essential to learn the key differences in permission models, how to work with file-based configurations and how to use the command line for troubleshooting.</p> <p>By following the outlined steps for configuring SSSD and utilizing diagnostic tools, IT teams can effectively <a href="https://www.techtarget.com/searchwindowsserver/ehandbook/Windows-and-Linux-What-systems-administrators-need-to-know">manage a multi-platform environment</a> that takes advantage of the strengths of both Linux and Windows systems.</p> </section> This tutorial explains the benefits of this integration, how to connect Linux systems to the Microsoft directory service and how to troubleshoot authentication issues. https://cdn.ttgtmedia.com/rms/onlineimages/code_g1133924836.jpg https://www.techtarget.com/searchwindowsserver/tutorial/How-to-join-Linux-to-an-Active-Directory-domain Fri, 19 Sep 2025 10:38:00 GMT <p>Following the WSUS deprecation notice, enterprises that have yet to shift their patch management process will want to take a closer look at alternatives, such as the Azure Arc and the Azure Update Manager service.</p> <p>Patch management is a critical task to keep Windows Server environments secure, stable and performant. In September 2024, Microsoft signaled to customers that it will <a href="https://www.techtarget.com/searchwindowsserver/tip/The-Microsoft-patch-management-guide-for-admins">no longer add new features to Windows Server Update Services (WSUS)</a> and recommended exploring other avenues. Microsoft offers several options to keep Windows Server up to date with the latest software. One tool that has been gaining traction since its introduction in November 2019 is Azure Arc, a tool for admins to manage on-premises and cloud infrastructure via the Azure control plane. Azure Arc also extends Azure services, such as Azure Monitor and Azure Policy, to Windows Server workloads in the data center. This tutorial will cover the Azure Arc setup process and run through the <a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-use-Windows-Server-2025-hotpatching">patch deployment of an on-premises server</a>.</p> <section class="section main-article-chapter" data-menu-title="Why Azure Arc is an effective tool for patching"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why Azure Arc is an effective tool for patching</h2> <p>Larger organizations often rely on either WSUS or on a third-party patch management tool. These utilities can scale to handle many servers, while also providing rich reporting capabilities to help organizations assess their patch management status.</p> <p>Although WSUS does a good job of keeping Windows machines up to date with the latest fixes, it is primarily designed for on-premises patch management. Companies that host workloads both on premises and in the Azure cloud might use a patch management tool in their data center and another within Azure. However, there is a convenient way to use the Azure Update Manager to handle patch management both in the cloud and on-premises.</p> <p>The key to using Azure Arc with on-premises servers is to "Arc-enable" the servers, as Microsoft calls it. Azure Arc is a service designed to manage physical servers and VMs both on-premises and in Azure and other clouds. Azure Arc can also <a href="https://www.techtarget.com/searchitoperations/tutorial/Manage-Kubernetes-clusters-with-PowerShell-and-kubectl">handle Kubernetes clusters</a> and databases.</p> <p>Arc-enabling a server or VM just requires installing the Azure Connected Machine agent onto the server. There's no need to set up a VPN or establish direct connectivity to Azure, as long as the machine has Internet access.</p> <p>Microsoft makes the Azure Arc control plane available for free. This means that you can use Azure Arc to tag resources and to enable search and indexing for those resources. The free Azure Arc plan also lets you take advantage of <a href="https://www.techtarget.com/searchsecurity/definition/role-based-access-control-RBAC">Role Based Access Control (RBAC)</a> permissions and you can use templates to automate various tasks. If an organization is using VMware vCenter or System Center Virtual Machine Manager, then you can use the Azure Arc control plane to inventory your resources and to perform lifecycle management for your VMs. To use Azure Update Manager in Arc-enabled VMs costs $0.162 per server per day or $5 per server per month for months with 31 days.</p> <p>Microsoft does not charge when a customer uses Azure Update Manager in the following scenarios:</p> <ul class="default-list"> <li>the Arc-enabled VM has Extended Security Updates (ESUs);</li> <li>the subscription that hosts the Arc-enabled VM also has Microsoft Defender for Servers Plan 2; or</li> <li>the Arc-enabled VM uses Windows Server licenses with either active Software Assurance license or <a href="https://www.techtarget.com/searchwindowsserver/tip/Understand-how-Windows-Server-2025-PAYG-licensing-works">Windows Server pay-as-you-go</a>.</li> </ul> <p>While Microsoft allows free access to the Azure Arc control plane, any Azure cloud services exposed through SCVMM or VMware vCenter will incur standard Azure usage charges. The same holds true for Azure services consumed through Arc-enabled Kubernetes clusters. Microsoft also charges a fee for Extended Security Updates (ESUs) for legacy systems and using Azure Arc to manage SQL Server instances.</p> </section> <section class="section main-article-chapter" data-menu-title="How to connect Azure Arc to a server using the Azure portal"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to connect Azure Arc to a server using the Azure portal</h2> <p>Configuring servers to use Azure Arc involves deploying the Azure Connected Machine agent to the VMs, using the Azure portal, <a href="https://www.techtarget.com/searchcloudcomputing/tip/Evaluate-Azure-CLI-vs-PowerShell-for-resource-management">Azure CLI or PowerShell.</a></p> <p>First, log in to the Azure portal and open the Azure Arc service. Click the <b>Add Resources</b> button, then click on the <b>Add/Create</b> button under the <b>Machines</b> section. Choose the <b>Add a Machine</b> option after the prompt to begin the onboarding process.</p> <p>Next, the console will prompt to specify the type of resource to onboard. For the purposes of this article, choose <b>Add a Single Server with Installer</b>. (Azure Arc also provides options to onboard multiple servers at once, including Linux VMs.) Azure Arc will download an installer file in your browser. Copy the installer file to the server you want to manage with Azure Arc.</p> <p>Next, go to the VM to manage and launch the executable. The installer will start a wizard for the installation process, which will require signing into Azure and choosing the subscription. When complete, Azure Arc can now manage the VM via the Azure Connected Machine agent.</p> </section> <section class="section main-article-chapter" data-menu-title="How to manage patches for Arc-enabled servers"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to manage patches for Arc-enabled servers</h2> <p>After onboarding the server to Azure Arc, configure that server to receive updates. Start by opening the Azure Update Manager service in the Azure portal, then select the <b>Resources</b> tab and click <b>Machines</b>. The Arc-enabled server should be listed on the <b>Machines</b> tab.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/posey_azurearc_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/posey_azurearc_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/posey_azurearc_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/posey_azurearc_1-f.jpg 1280w" alt="A menu showing the Machines page in Azure Update Manager." height="163" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>After adding the server to Azure Arc, it should be listed on the Machines page. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The screenshot shows a console message that "1 out of 1 machine(s) don't have update data." To enable automatic updates for the machine, click the <b>Enable Now</b> link located at the end of the message. Alternatively, click the <b>Check for Updates</b> button to start an immediate update check for the VM.</p> <p>After the update assessment, the Azure Update Manager dashboard may show a message about pending updates. Click the message to see the results. The options are to either install the updates immediately or <a href="https://www.techtarget.com/searchenterprisedesktop/tip/Creating-a-patch-management-policy-Step-by-step-guide">schedule them during a maintenance window</a>. Note that there might be delays when forcing an immediate update. During testing, it took 30 minutes from the start of the update until the dashboard updated the VM's status. IT administrators will need to account for this delay when verifying update compliance and to avoid unnecessary troubleshooting.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/posey_azurearc_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/posey_azurearc_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/posey_azurearc_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/posey_azurearc_2-f.jpg 1280w" alt="A menu in Azure Update Manager showing the recommended updates for the selected VM." height="215" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Select the VM to see the available updates. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="How to connect a server to Azure Arc with PowerShell"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to connect a server to Azure Arc with PowerShell</h2> <p>Instead of the Azure portal, PowerShell is another option for admins who prefer this method. To start, install the <b>Az.ConnectedMachine</b> module with this command:</p> <p><span style="font-family: 'courier new', courier, monospace;"><b>Install-Module -Name Az.ConnectedMachine</b></span></p> <p>Next, use the <b>Connect-AZAccount</b> command to log into Azure. Lastly, install the Azure Connected Machine agent with this command:</p> <p><span style="font-family: 'courier new', courier, monospace;"><b>Connect-AzConnectedMachine -ResourceGroupName myResourceGroup -Name myMachineName -Location &lt;region&gt;</b></span></p> <p>The command downloads the Connected Machine agent, installs it on the server, creates the Azure Arc-enabled server resource and associates it with the agent. The onboarding process takes a few minutes to complete.</p> <p>This concludes the setup necessary to use Azure Arc for patch management. However, for other tasks that require secure remote access, Azure Arc allows connections to Arc-enabled machines <a href="https://www.techtarget.com/searchvirtualdesktop/tip/How-to-enable-RDP-remotely-with-several-different-methods">using Remote Desktop Protocol (RDP)</a> and the Windows Admin Center extension in Azure or SSH with either Azure CLI or PowerShell.</p> </section> <section class="section main-article-chapter" data-menu-title="How to use the reporting feature in Azure Arc"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to use the reporting feature in Azure Arc</h2> <p>While the Azure Update Manager dashboard provide information regarding the patch management status of Arc-enabled machines, Azure Arc can generate more detailed reports.</p> <p>To start, expand the console's <b>Monitoring</b> container and then click on the <b>Reports</b> tab. Next, click on the <b>Overview</b> report in the Azure Update Manager section.</p> <p>At the <b>Reports</b> screen, select the subscription from the menu. By default, the report will span the entire tenant, so it's helpful to filter by region, resource type and time range. You can save the report by clicking on the Save icon.</p> <p>You can filter the report by location, resource type, or time range. Azure Workbooks connect to Azure Arc for even more granular <a target="_blank" href="https://docs.azure.cn/en-us/update-manager/manage-workbooks" rel="noopener">information</a> related to patching, including compliance status across the infrastructure, security update install success rates and update deployment history.</p> </section> Admins should explore their patching options now that Microsoft deprecated WSUS. Azure Arc offers integration with Azure to give the operations team a unified management approach. https://cdn.ttgtmedia.com/rms/onlineimages/container_g1294273513.jpg https://www.techtarget.com/searchwindowsserver/tutorial/Azure-Arc-setup-tips-for-on-premises-server-management Wed, 03 Sep 2025 13:34:00 GMT <p>Defragmentation, also known as <i>defragging</i> or <i>defrag</i>, is the process of rearranging data on a storage medium, such as a hard disk drive (<a href="https://www.techtarget.com/searchstorage/definition/hard-disk-drive">HDD</a>), to ensure efficient storage and access.</p> <p>Defragmenting a hard drive can improve a computer's or laptop's performance and speed. To reduce fragmentation, a disk optimization tool typically uses compaction to free up larger areas of space. Certain disk defragmentation tools might try to keep smaller files together, especially if they're often accessed sequentially.</p> <p>Fragmentation is less common in Linux-based file systems. The Linux journaling system stores data across multiple locations on the disk and automatically moves it around as soon as it senses fragmentation.</p> <p>Longtime users of Windows and Mac computers will remember when defragmentation was strictly a manual process they had to initiate themselves. However, Windows and <a href="https://www.techtarget.com/whatis/definition/Mac-OS">macOS</a> have been automatically defragmenting disks for some time -- Windows, since the Vista release, and macOS since Mac OS X 10.2.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/Qnk2FP3_r-I?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> <section class="section main-article-chapter" data-menu-title="Why is defragmentation important?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why is defragmentation important?</h2> <p>Defragmentation can solve and mitigate computer problems such as slow speeds, freezes and extended boot times. If there is not enough contiguous space to hold complete files on an HDD, files can become fragmented, and the storage <a href="https://www.techtarget.com/whatis/definition/algorithm">algorithms</a> on the disk separate the data to fit it inside the available space. Defragmentation consolidates these fragmented files so all the related pieces are aligned.</p> <p>A fragmented hard drive is like a huge, jumbled-up load of laundry, with all the different clothing types and colors mixed up. Once the HDD is defragmented, system performance improves because all the jumbled-up data is reorganized and stored appropriately.</p> </section> <section class="section main-article-chapter" data-menu-title="The benefits of defragging"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The benefits of defragging</h2> <p>The following are the main benefits of defragmenting a hard drive:</p> <ul class="default-list"> <li><b>Files stay organized.</b> Over time, adding and deleting files from a hard drive can scatter the data, especially if it is running low on storage space. Defragmentation organizes the individual files, resulting in improved hard drive speed.</li> <li><b>Unused space is freed.</b> Any unused space on a hard drive can be maximized by defragmentation. Sometimes, it can also create more usable space if <a href="https://www.techtarget.com/whatis/definition/bit-binary-digit">bits</a> of data are left over from deleted files.</li> <li><b>The HDD life is extended.</b> With regular defragmentation, the files on a hard drive stay organized. This means the mechanical and <a href="https://www.computerweekly.com/feature/Spinning-disk-hard-drives-Good-value-for-many-use-cases">spinning components of a hard drive</a> aren't used as extensively, which, in turn, extends the lifespan of a hard drive.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/example_of_file_fragmentation-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/example_of_file_fragmentation-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/example_of_file_fragmentation-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/example_of_file_fragmentation-f.png 1280w" alt="An image showing an HDD before and after defragmentation. " height="179" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>This shows a hard drive before and after defragmentation. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="How does fragmentation occur?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How does fragmentation occur?</h2> <p>Fragmentation happens over time and can be caused by many different things. The following are a few reasons why fragmentation occurs inside a hard drive:</p> <ul class="default-list"> <li>If an excessively large file, such as a media or movie file, cannot fit into the empty spaces on a hard drive, fragmentation will occur.</li> <li>If an existing file is updated, but the space it occupies does not have room for any new changes, then it will cause fragmentation.</li> <li>The file system -- the part of the operating system (OS) that controls how files are stored -- might break the files into smaller chunks when trying to save them quickly.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to perform defragmentation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to perform defragmentation</h2> <p>Most contemporary OSes have built-in disk defragmentation tools that perform the defragmentation process automatically. However, some OSes, such as Microsoft <a href="https://www.techtarget.com/searchenterprisedesktop/definition/Windows-7">Windows 7</a> and beyond, can also be defragmented manually.</p> <p>To manually defragment a hard drive on a <a href="https://www.techtarget.com/searchenterprisedesktop/tip/Troubleshooting-the-most-common-issues-with-Windows-11">Windows 11 machine</a>, perform the following steps:</p> <ol class="default-list"> <li>Go to the search bar on the Start menu and type <b>defrag</b>.</li> <li>On the <b>Defragment and Optimize Drives </b>option, select the drive that needs to be defragmented and click on <b>Optimize</b>.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/defrag-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/defrag-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/defrag-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/defrag-f.jpg 1280w" alt="A screenshot showing the defragmentation process for a Windows SSD." height="466" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>This shows the defragmentation process. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>This process is almost identical to defragmenting a server hard drive, such as a <a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Windows-Server-2016">Windows Server 2016</a> or a <a href="https://www.techtarget.com/searchwindowsserver/tip/Compare-the-features-in-the-Windows-Server-2022-editions">Windows Server 2022</a> drive.</p> <p>It is also possible to change the schedule of defragmentation on a Windows 11 machine using the following steps:</p> <ol class="default-list"> <li>Go to the search bar on the Start menu and type <b>defrag</b>.</li> <li>On the <b>Defragment and Optimize Drives </b>option, select the drive where defragmentation needs to be rescheduled, and click on <b>Change settings</b> under <b>Scheduled optimization</b>. Options include daily, weekly, monthly or not at all.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="How often do you need to defrag a hard drive?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How often do you need to defrag a hard drive?</h2> <p>The frequency of defragging a hard drive depends on its usage. Because modern versions of both Windows and macOS come with built-in optimization tools, there's no need to manually perform defragmentation, especially if the computer is always on. However, if a device is routinely shut down after each use, its built-in defragmentation utilities might be prevented from running automatically. In such cases, running the defragmentation utility once a month is probably a good idea.</p> <p>By default, a Windows 11 machine defragments a hard drive once a week; macOS does not have a defragmentation schedule option but defragments in real time.</p> </section> <section class="section main-article-chapter" data-menu-title="How long does disk defragmentation take?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How long does disk defragmentation take?</h2> <p>The time required for defragmentation of a disk drive can vary considerably, due to the following factors:</p> <ul class="default-list"> <li><b>The size of the drive.</b> The larger the drive, the longer the defragmentation process lasts.</li> <li><b>Speed of the hard drive.</b> The faster the drive, the faster the defragmentation process goes.</li> <li><b>Speed of the processor. </b>The faster the processor executes the process, the faster the defragmentation proceeds.</li> <li><b>Fragmentation level.</b> The more fragmented the drive, the longer the defragmentation takes.</li> <li><b>First-time defragmentation. </b>If a hard drive has never been defragmented before, the first time might take longer than normal.</li> </ul> <p>It is also important to remember that solid-state drives do not require defragmentation.</p> </section> <section class="section main-article-chapter" data-menu-title="What's the difference between defragmentation and disk cleanup?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What's the difference between defragmentation and disk cleanup?</h2> <p>The terms <i>defragmentation</i> and <i>disk cleanup</i> are sometimes used interchangeably, but this is incorrect: They are different.</p> <p>Disk defragmentation is strictly limited to reorganizing the physical storage of data to group related data and improve storage and retrieval efficiency.</p> <p>Disk cleanup is also about storage efficiency, but its purpose is to remove files from storage that have accumulated over time but are no longer necessary. This includes temp files, system files and other files that are just taking up space.</p> <p><i>Primary data storage is often all-flash, but solid-state hybrid drives (SSHD) blend flash and hard disk drives. Learn </i><a href="https://www.techtarget.com/searchstorage/feature/Hybrid-drive-vs-SSD-Whats-best-for-your-organization"><i>how an SSHD differs from an SSD and an HDD</i></a>,<i> </i><i>and the benefits and drawbacks of each.</i></p> </section> Defragmentation, also known as 'defragging' or 'defrag,' is the process of rearranging the data on a storage medium, such as a hard disk drive (HDD), to ensure efficient storage and access. https://cdn.ttgtmedia.com/visuals/digdeeper/2.jpg https://www.techtarget.com/searchwindowsserver/definition/defragmentation Wed, 20 Aug 2025 15:37:00 GMT <p>Microsoft Managed Desktop (MMD) was a cloud-based device management service from Microsoft that helped organizations simplify device provisioning, configuration, maintenance and management, and streamline ITSM, operations, compliance, security monitoring and response.</p> <p>MMD required purchase of the <a href="https://www.techtarget.com/searchcontentmanagement/news/366615864/New-Microsoft-365-Copilot-AI-agents-focus-on-productivity">Microsoft 365</a> E3 license and assigning <a href="https://www.techtarget.com/searchsecurity/definition/Windows-Defender-Advanced-Threat-Protection-ATP">Microsoft Defender for Endpoint</a> (or equivalents) to all MMD users.</p> <p>On July 31, 2024, Microsoft halted service of MMD, meaning<b> </b>it no longer provides security updates, quality updates or technical support for MMD. Microsoft's engineers also no longer address service requests from MMD customers.</p> <section class="section main-article-chapter" data-menu-title="Device services under MMD"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Device services under MMD</h2> <p>As a device management offering, MMD included a host of device-related services. Microsoft delivered these services <a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-computing">using the cloud</a> to organizations that purchased an MMD subscription.</p> <p>The services offered covered five key areas:</p> <ol class="default-list"> <li>Device setup.</li> <li>Inventory.</li> <li>Firmware and driver updates.</li> <li>Accessories.</li> <li>Support.</li> </ol> <p>Under <b>device setup</b>, Microsoft preconfigured devices with the then-current version of <a href="https://www.techtarget.com/searchwindowsserver/definition/Windows">Windows</a> (<a href="https://www.techtarget.com/searchenterprisedesktop/definition/Windows-10">Windows 10</a> or <a href="https://www.techtarget.com/searchenterprisedesktop/tip/Troubleshooting-the-most-common-issues-with-Windows-11">11</a>). Organizations would also receive apps and configurations for those devices using the cloud. For device provisioning (naming, configuration), Microsoft used <a href="https://www.techtarget.com/searchenterprisedesktop/definition/Windows-Autopilot">Windows Autopilot</a> to limit downtime and deliver a seamless user experience. Microsoft also used <a href="https://www.techtarget.com/searchenterprisedesktop/definition/Microsoft-Endpoint-Manager-MEM">Microsoft Endpoint Manager</a> and <a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-manage-a-migration-to-Microsoft-Entra-ID">Microsoft Entra ID</a> for device configuration and management.</p> <p>To facilitate device <b>inventory management</b> using MMD, Microsoft tracked all devices. All managed devices were monitored continuously for security issues. Microsoft also updated the device status in the admin center of <a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-add-and-enroll-devices-to-Microsoft-Intune">Microsoft Intune</a> -- the company's command center for managing and securing endpoints and reducing the complexity of IT and security operations.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/itchannel-intune.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/itchannel-intune_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/itchannel-intune_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/itchannel-intune.png 1280w" alt="A chart describing Microsoft Intune, which is an endpoint management tool." height="374" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Intune is Microsoft's command center for managing and securing endpoints. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>All MMD devices received the latest <a href="https://www.techtarget.com/whatis/definition/firmware"><b>firmware</b></a><b> and </b><a href="https://www.techtarget.com/searchenterprisedesktop/definition/device-driver"><b>driver</b></a><b> updates</b> from Windows Update by default to keep the devices running smoothly and securely. Microsoft also managed proactively the most secure and stable versions of Windows 10/11 and Microsoft 365 Apps for enterprise and created a security baseline to keep users and devices secure in accordance with its own security best practices.</p> <p>Under MMD, any <b>accessories</b> accompanying MMD-covered devices were covered by the same services as the device itself. However, the warranty terms for the device and its accessories could differ so Microsoft advised users to check the warranty terms when selecting one or more devices for MMD.</p> <p><b>Support</b> was the fifth key MMD pillar. Microsoft's support agents addressed customers' questions about device functionality and helped diagnose device issues. Dedicated service engineers provided service management and operational support; a team of security specialists provided <a href="https://www.techtarget.com/iotagenda/tip/5-IoT-security-threats-to-prioritize">device security monitoring</a> and remediation services.</p> <p>MMD brought together Microsoft 365 Enterprise (including Windows 10/11 Enterprise and Office apps). On purchasing an MMD subscription, users would continue to get the latest versions of Windows 10, Windows 11 and Microsoft 365 Apps for enterprise. The service integrated with the Microsoft App Assurance program to help Microsoft's experts diagnose and remediate application compatibility issues for devices.</p> <p>Certain services were <i>not</i> included in MMD:</p> <ul class="default-list"> <li>Personalizing and customizing devices and any accessories provided with the MMD service.</li> <li>Recovery of data stored on the device's internal storage system.</li> <li>Powering on and setting up devices.</li> </ul> <p><i>Note: Support for Windows 10 will end in October 2025, so Windows 10 users are advised to </i><a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-perform-an-in-place-upgrade-to-Windows-11"><i>transition</i><i> to Windows 11</i></a><i> as soon as possible.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Benefits of MMD"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of MMD</h2> <p>Organizations that purchased the MMD subscription found a key benefit in <b>technical and operational support</b> from Microsoft experts. Microsoft's Service Engineering (operations) team responded to support requests related to incidents, requests for information (RFI) and change requests.</p> <p>Organizations also received support from Microsoft's Security Operations Center (<a href="https://www.techtarget.com/searchsecurity/definition/Security-Operations-Center-SOC">SOC</a>) team. The team's main objective was to protect MMD devices and data, so an MMD subscription included <b>device</b> <b>security monitoring and incident response</b>.</p> <p>The SOC team used numerous tools and technologies related to device security and Identity and Access Management (<a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system">IAM</a>), including the Microsoft Security Baseline, Microsoft Entra managed identities, <a href="https://www.techtarget.com/searchsecurity/definition/biometric-authentication">biometric authentication</a> and predefined device profiles. To further secure MMD devices, SOC security engineers installed Microsoft Defender antivirus and used a volume <a href="https://www.techtarget.com/searchsecurity/definition/encryption">encryption</a> solution (Windows <a href="https://www.techtarget.com/searchenterprisedesktop/definition/BitLocker">BitLocker</a>). Additionally, they used Microsoft Defender for Endpoint for security threat monitoring and secured devices with the latest security updates.</p> <p>MMD also provided <b>visibility into device and app performance</b>. The SOC team monitored security threats and used data from the latest threats to respond to security alerts and manage security incidents. Through proactive monitoring, MMD remediated common security issues, including issues related to stop errors, Microsoft Defender Firewall and BitLocker. The service also monitored devices, provided insights about device health and provided early warnings about security issues. In this way, MMD provided nonstop protection for MMD devices.</p> <p>MMD ensured that <b>devices were automatically in sync</b> with the latest Windows quality updates. Admins and users could focus on other, more important tasks.</p> <p>On purchasing a subscription for MMD, organizations could configure <b>additional optional services</b>, especially if they needed to protect high-value corporate assets. They could back up important information on the device to <a href="https://www.techtarget.com/searchmobilecomputing/definition/Microsoft-OneDrive">OneDrive</a> for Business. Microsoft would ensure the secure functionality of the OneDrive client and sync all data toward OneDrive for Business back end in Microsoft 365 Apps. Companies that required high levels of information security could purchase Windows Information Protection (WIP) or <a href="https://www.techtarget.com/searchcloudcomputing/definition/Windows-Azure">Azure</a> Information Protection. Microsoft <a href="https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Obsolete-vs-deprecated-in-software-development">deprecated</a> WIP starting in July 2022. Azure Information Protection is now known as Microsoft Purview Information Protection.</p> </section> <section class="section main-article-chapter" data-menu-title="Cloud-based infrastructure and deployment rings of MMD"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cloud-based infrastructure and deployment rings of MMD</h2> <p>Through the MMD service, Microsoft connected devices to a modern cloud-based infrastructure. All functionalities and services under MMD were delivered using the cloud including the following:</p> <ul class="default-list"> <li>Device provisioning.</li> <li>Device configuration.</li> <li>Device management (including updates).</li> <li>Device security monitoring.</li> <li><a href="https://www.techtarget.com/searchitoperations/definition/IT-incident-management">Incident response</a>.</li> <li>ITSM and operations.</li> </ul> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/yo7l3hn1H6I?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> <p>To safely roll out operating system updates and policies, Microsoft used <i>update groups</i>; to manage Windows quality updates, MMD used four <i>deployment rings</i>. Under this four-ring system, MMD created four Microsoft Entra ID assigned groups that were then used to segment devices into update groups.</p> <p>The four MMD deployment rings were as follows:</p> <ul class="default-list"> <li><b>Modern Workplace Devices -- Test.</b> Deployment ring for testing update deployments before production rollout.</li> <li><b>Modern Workplace Devices -- First.</b> Production deployment ring for early adopters.</li> <li><b>Modern Workplace Devices -- Fast.</b> Deployment ring for fast production rollout and adoption.</li> <li><b>Modern Workplace Devices -- Broad.</b> Deployment ring for broad, organizationwide rollout.</li> </ul> <p>MMD "calculated" the rings, determining which device should be assigned to which ring, during device registration based on the existing managed device size of the MMD tenant. Each of these four rings aligned with different update deployment policies to control and streamline the rollout of updates to the devices registered under MMD. The assignment of MMD devices to one of the four rings also ensured that the service would have the proper representation of the device diversity across the organization.</p> <p>MMD monitored the devices in each ring to provide automated deployment ring remediation functions. These functions were meant to minimize the vulnerability of devices to security threats. The devices could be in a vulnerable state if they were not assigned to a deployment ring during the device registration process or if IT admin made changes to objects created during MMD tenant enrollment.</p> </section> <section class="section main-article-chapter" data-menu-title="Roles and responsibilities under MMD"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Roles and responsibilities under MMD</h2> <p>The MMD service provided a range of roles and responsibilities, some of which belonged to Microsoft and others assigned to the customer. The roles that belonged to Microsoft included the following:</p> <ul class="default-list"> <li><b>MMD service support.</b> The MMD Operations team was responsible for technical remediation, change requests and incident management for the organization's MMD environment. This team was also in charge of creating and managing devices and user groups.</li> <li><b>Mobile Device Management (MDM) policy management.</b> Microsoft applied appropriate and proven MDM policies and optimized the configuration of <a href="https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management">MDM</a> devices during setup.</li> <li><b>Security monitoring and update monitoring.</b> Microsoft actively monitored MMD devices to mitigate threats and ensure that the latest updates (quality and features) were installed for the devices.</li> <li><b>Change management.</b> Microsoft notified MMD customers when Microsoft <a href="https://www.techtarget.com/searchcio/definition/change-management">planned to make changes</a> to the MMD environment, such as feature updates, new features, new applications, client hotfixes for issues, security updates or feature <a href="https://www.techtarget.com/whatis/definition/deprecated">deprecations</a>.</li> <li><b>User support.</b> In case of device issues affecting users, IT teams could raise support requests to Microsoft; Microsoft was obligated to respond to these issues in accordance with severity definitions.</li> </ul> <p>Certain roles and responsibilities were assigned to MMD customer organizations and not provided by Microsoft. For example, organizations were required to have their own change management process and take responsibility for all identity management tasks. Customers were also responsible for the following:</p> <ul class="default-list"> <li>Managing Microsoft 365 services and policies.</li> <li>Collaboration tools, SharePoint server administration and domain management.</li> <li>Providing user support directly or using a designated support partner.</li> <li>Security monitoring and incident response of non-MMD devices.</li> </ul> <p><i>While</i> <a href="https://www.techtarget.com/searchitoperations/feature/ITSM-meets-AI-Capabilities-challenges-and-whats-next"><i>AI has the potential to transform ITSM</i></a><i>, organizations face several potential challenges when implementing these technologies. Also, see how to </i><a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-an-incident-response-playbook"><i>create an incident response playbook with template</i></a><i>.</i></p> </section> Microsoft Managed Desktop (MMD) was a cloud-based device management service from Microsoft that helped organizations simplify device provisioning, configuration, maintenance and management, and streamline IT service management (ITSM), operations, compliance, security monitoring and response. https://cdn.ttgtmedia.com/visuals/digdeeper/4.jpg https://www.techtarget.com/whatis/definition/Microsoft-Managed-Desktop-MMD Wed, 13 Aug 2025 00:00:00 GMT <p>Busy Microsoft admins need all the help they can get, particularly in security-related areas.</p> <p>An improper configuration can cascade into a lapse in security and cause untold damage to the enterprise, or put the organization under intense scrutiny if it fails a <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Find-and-fix-server-problems-with-Best-Practices-Analyzer">compliance audit</a>. Microsoft offers the Microsoft Security Compliance Toolkit to identify problems with infrastructure settings so that admins can shut these gaps to maintain a consistent security posture and avoid disruption.</p> <section class="section main-article-chapter" data-menu-title="What is the Microsoft Security Compliance Toolkit?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the Microsoft Security Compliance Toolkit?</h2> <p>The Microsoft Security Compliance Toolkit is a set of tools that admins can use to compare existing Group Policy Objects (GPOs) against Microsoft's recommended security baselines.</p> <p>Administrators can see if their organization's policies differ from Microsoft's suggestions and can apply <a href="https://www.techtarget.com/searchwindowsserver/tip/Windows-Server-security-hardening-guide-for-admins">more secure policy settings</a> if necessary. The tools are suitable for local GPOs and Active Directory. The Security Compliance Toolkit also includes a tool to reset the security descriptor for almost any object.</p> <p>The toolkit enables admins to edit GPOs, store them in GPO backup format, and apply them via domain controllers or test environments to check for issues.</p> </section> <section class="section main-article-chapter" data-menu-title="How to use the Microsoft Security Compliance Toolkit"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to use the Microsoft Security Compliance Toolkit</h2> <p>Admins can <a target="_blank" href="https://www.microsoft.com/en-us/download/details.aspx?id=55319" rel="noopener">download</a> the Security Compliance Toolkit from Microsoft's site, which hosts zip files that correspond to the security baseline packages for Windows Server, Windows 10, Windows 11, Microsoft 365 Apps for Enterprise and Microsoft Edge. The other files are the Policy Analyzer, Local Group Policy Object utility and Set Object Security application.</p> <h3>Policy Analyzer tool</h3> <p>The Policy Analyzer compares sets of GPOs -- such as the security baselines provided by Microsoft -- and checks against a system's local security policy and registry settings. The Policy Analyzer checks for inconsistencies and redundant settings, and tracks changes by comparing baselines taken at different times.</p> <p>Start by creating a policy rules file with the organization's current policy settings. The easiest method is to open the Group Policy Management Console (<a href="https://www.techtarget.com/searchwindowsserver/definition/Group-Policy-Management-Console">GPMC</a>), right-click on a GPO and select <b>Back Up</b> from the shortcut menu.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bp-toolkit1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bp-toolkit1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bp-toolkit1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bp-toolkit1-f.jpg 1280w" alt="Screenshot of the Group Policy Management window." data-credit="Brien Posey/Informa TechTarget" height="398" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Right-click on a GPO and select the backup command from the menu. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Next, launch the Policy Analyzer. Click the <b>Add</b> button and select the <b>Add files from GPO(s)</b> command from the File menu. Select the folder that corresponds to the GPO backup and load it by clicking the <b>Import</b> button.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bp-toolkit2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bp-toolkit2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bp-toolkit2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bp-toolkit2-f.jpg 1280w" alt="Screenshot of the Policy File Importer window." data-credit="Brien Posey/Informa TechTarget" height="296" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Import the policy file from the Policy Analyzer. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Next, enter a name when prompted for a policy rules file and click <b>Save</b>. The main Policy Analyzer screen will open. The console contains buttons used to view or compare the policy settings and to compare the policy settings to the effective state.</p> <p>Microsoft recently packaged the GPO2PolicyRules utility with Policy Analyzer. GPO2PolicyRules automatically converts GPO backups to Policy Analyzer rules files.</p> <p>Use it by running <samp>GPO2PolicyRules.exe</samp> from a command prompt, followed by the desired GPO backup and the output file that you want to create.</p> <h3>Local Group Policy Object tool</h3> <p>The Local Group Policy Object (LGPO) tool runs from the command line and manages the system's local security policy. This tool offers several capabilities related to local policy settings:</p> <ul class="default-list"> <li><b>Import and apply settings.</b> The tool works with several sources, including registry policy files, security templates, auditing backups and LGPO text files.</li> <li><b>Policy backup.</b> Export local policy to a GPO backup for safekeeping and deployment to other systems.</li> <li><b>Verification.</b> Run a check of Group Policy settings before widespread deployment.</li> <li><b>Non-domain system management.</b> Automate configuration and deployment across multiple systems not connected to the domain.</li> </ul> <p>The LGPO tool's syntax is relatively complex, as it supports numerous parameters. You can view the full syntax by running <samp>LGPO.exe</samp> from a command prompt.</p> <p>For example, to create a backup of a local GPO, enter this command:</p> <pre class="language-none"><code>LGPO.exe /b &lt;path&gt; /n &lt;group policy name&gt;</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bp-toolkit3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bp-toolkit3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bp-toolkit3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bp-toolkit3-f.jpg 1280w" alt="Screenshot of LGPO backup creation in the Windows command prompt." data-credit="Brien Posey/Informa TechTarget" height="204" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>The LGPO utility creates a backup of a local GPO to a folder on the machine. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Set Object Security tool</h3> <p>Set Object Security applies a security descriptor to files, folders, <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Learn-how-to-set-up-Windows-Server-2022-SMB-compression">SMB shares</a> or nearly any other type of object. A common use is to restore the default security descriptor to a system's root folder.</p> <p>To use the tool, run the <samp>SetObjectSecurity.exe</samp> command, followed by several parameters:</p> <ul class="default-list"> <li><b>ObjType.</b> The type of object to secure, such as FILE, KEY, eventlog, printer, share or kobject, to name a few. Object types are case sensitive.</li> <li><b>ObjName.</b> The name of the object to secure, such as a file, folder or <a href="https://www.techtarget.com/searchwindowsserver/tip/Command-line-options-for-Regeditexe">registry key</a>.</li> <li><b>SDDL.</b> The SDDL is the security descriptor to apply, written in Security Descriptor Definition Language. Use a tool such as AccessChk to get the SDDL from an object.</li> </ul> <p>The following example shows the Set Object Security tool executing a set of policy rules that were converted from a GPO backup:</p> <pre class="language-none"><code>SetObjectSecurity.exe FILE C:\ "O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:P(ML;OINPIO;NW;;;HI)"</code></pre> </section> <section class="section main-article-chapter" data-menu-title="How to apply security baselines to Windows Server"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to apply security baselines to Windows Server</h2> <p>Before executing any changes to a production system, admins should follow best practices and test deploying the security baselines to Windows Server systems in a nonproduction environment.</p> <p>To use Microsoft's recommended security configuration baselines for Windows Server versions before <a href="https://www.techtarget.com/searchwindowsserver/tip/Learn-how-the-Windows-Server-2025-editions-differ">Windows Server 2025</a>, download the Microsoft Security Compliance Toolkit files used to configure Group Policy settings. The files contain documentation, Group Policy reports, GPOs for different setups, PowerShell scripts to assist with the deployment, and GPO templates in ADMX and ADML formats.</p> <p>To start, open GPMC and open Group Policy Management.</p> <p>Next, right-click on Group Policy Objects in the domain and forest to create the GPO, then rename the GPO to give it a descriptive name based on the baseline name.</p> <p>Right-click on the GPO and choose <b>Import Settings</b>, then select the baseline GPO for the server role from the folder with the extracted security baseline files.</p> <p>Link the GPO to the domain or the organizational unit, then enable the GPO settings. Run the following command to force the Group Policy update on the test system:</p> <pre class="language-none"><code>gpupdate /force</code></pre> <p>Check the event log for any errors related to Group Policy.</p> </section> <section class="section main-article-chapter" data-menu-title="New security baseline method arrives with Windows Server 2025"> <h2 class="section-title"><i class="icon" data-icon="1"></i>New security baseline method arrives with Windows Server 2025</h2> <p>With Windows Server 2025, Microsoft introduced the OSConfig platform to apply a desired state configuration for security baselines.</p> <p>Microsoft integrated security baselines into the OS via the OSConfig PowerShell module, which removes the need to download files. The native PowerShell tooling updates the settings with one command rather than requiring multiple tools. OSConfig also features an automated method to keep systems within compliance with a <a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-use-Microsoft-365-DSC-to-avoid-configuration-drift">drift control</a> mechanism.</p> <p><i>Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.</i></p> </section> Learn how to work with the tools and security baselines provided by Microsoft to tighten the defenses in the Windows environment. https://cdn.ttgtmedia.com/rms/onlineimages/security_a218339023.jpg https://www.techtarget.com/searchwindowsserver/tutorial/Secure-Windows-with-Microsofts-Security-Compliance-Toolkit Tue, 29 Jul 2025 15:18:00 GMT <p>Local administrator passwords are challenging from a security standpoint, but an updated feature in Windows can reduce the worry associated with this administrative need.</p> <p>Nearly every Windows device contains a local administrator account -- that's a basic security problem. These accounts are necessary for an admin to log in to the device to correct a problem connecting to AD. Organizations that want more security around these credentials can use the Windows Local Administrator Password Solution (LAPS), which automates password management of the local administrator account to <a target="_blank" href="https://www.techtarget.com/searchwindowsserver/tutorial/Learn-to-monitor-group-memberships-with-PowerShell" rel="noopener">keep the environment more secure</a>. Microsoft updated this feature in April 2023 to make it a native part of the Windows OS. This article covers improvements made in Windows LAPS, methods to deploy it and considerations when migrating from the earlier LAPS version.</p> <section class="section main-article-chapter" data-menu-title="What is Windows LAPS?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is Windows LAPS?</h2> <p>Windows LAPS automatically manages and rotates the local administrator password on domain-joined Windows devices for Windows Server and the client OS. Microsoft developed the security measure to protect organizations from various attacks, such as <a href="https://www.techtarget.com/searchsecurity/definition/pass-the-hash-attack">pass the hash</a>.</p> <p>Local administrator password rotation is critical because, if an attacker accesses a nonmanaged local administrator password, they could use it to breach all domain-joined devices. Worse still, these passwords tend to be static, so an attacker could potentially use them to gain permanent access to an organization's resources.</p> <p>Windows LAPS <a href="https://www.techtarget.com/searchsecurity/tip/Top-5-password-hygiene-tips-and-best-practices">generates complex passwords</a> for the local administrator account and rotates them on a schedule from seven to 365 days based on the configuration.</p> <p>When admins need to access a device, they get the current password from AD or the cloud-based identity and access management platform Microsoft Entra ID, formerly known as Azure Active Directory. The admin then logs in as the local administrator. <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-find-and-customize-your-PowerShell-profile">For added security</a>, Windows LAPS can rotate the password automatically after use.</p> <p>Since April 2024, Microsoft integrated Windows LAPS with the Windows OS.</p> </section> <section class="section main-article-chapter" data-menu-title="What's new with Windows LAPS?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What's new with Windows LAPS?</h2> <p>Microsoft has made significant enhancements to Windows LAPS in recent years. The company deprecated its earlier version -- the company refers to this as legacy Microsoft LAPS -- as of Windows 11 23H2 in favor of this update.</p> <p>Here are some of the enhancements in Windows LAPS:</p> <ul class="default-list"> <li>Windows LAPS manages accounts automatically. Normally, Windows LAPS functions in manual mode. This enables the administrator to control all aspects of the local administrator account except for the password. When using automatic account management, Windows LAPS automates certain configuration details. Specifically, the account is made a member of the local administrators group, and the "password not required" and "password never expires" flags are disabled. The account description is also modified to indicate that Windows LAPS controls the account.</li> <li>Besides generating passwords, Windows LAPS can also create passphrases. Depending on the complexity setting, passphrases can consist of long words, short words or short words with unique prefixes.</li> <li>Microsoft introduced OS image rollback detection for Windows LAPS. If the admin reverted a system to a prior state by restoring a backup or <a href="https://www.techtarget.com/searchitoperations/tip/A-beginners-guide-to-Hyper-V-checkpoints">applying a Hyper-V snapshot</a>, that could lead to a password mismatch. Windows LAPS handles this problem by detecting the issue and forcing an immediate password rotation.</li> <li>Windows LAPS stores local administrator passwords in <a href="https://www.techtarget.com/searchwindowsserver/tip/What-are-the-Microsoft-Entra-ID-benefits-for-on-prem-admins">AD and Microsoft Entra ID</a>. Legacy Microsoft LAPS only worked with AD.</li> <li>Windows LAPS protects against additional threats, including pass-the-hash attacks.</li> <li>Windows LAPS supports Azure's role-based access control.</li> <li>Windows LAPS supports the password encryption and password history.</li> <li>Windows LAPS automates the management and storage of passwords for the <a target="_blank" href="https://www.techtarget.com/searchwindowsserver/definition/Directory-Services-Restore-Mode-DSRM" rel="noopener">Directory Services Restore Mode</a> account on the domain controller.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="What are Windows LAPS limitations?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are Windows LAPS limitations?</h2> <p>Windows LAPS and legacy Microsoft LAPS cannot manage the same account on the same machine. Microsoft recommends switching systems to Windows LAPS. However, there are some considerations:</p> <ul class="default-list"> <li>Because Windows LAPS has a learning curve, Microsoft offers a legacy Microsoft LAPS emulation mode to ease the transition period.</li> <li>Another option is to use both legacy Microsoft LAPS and Windows LAPS side by side until you are comfortable with the new version.</li> <li>If you decide to use both security features on the same machine, then you need to create an additional local administrator account on managed devices with a different name for use with the Windows LAPS policies.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="What are Windows LAPS prerequisites?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are Windows LAPS prerequisites?</h2> <p>Windows LAPS works on the following Windows OSes with the April 11, 2023, update or later installed:</p> <ul class="default-list"> <li>Windows 11 23H2.</li> <li>Windows 11 22H2.</li> <li>Windows 11 21H2.</li> <li>Windows 10.</li> <li>Windows Server 23H2.</li> <li>Windows Server 2022.</li> <li>Windows Server 2019.</li> </ul> <p>Windows Server 2025, released in November 2024, also supports Windows LAPS.</p> <p>Microsoft includes Windows LAPS as part of the Windows OS -- added through Windows Update -- rather than requiring a separate download.</p> </section> <section class="section main-article-chapter" data-menu-title="Key differences between Windows LAPS and legacy Microsoft LAPS"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key differences between Windows LAPS and legacy Microsoft LAPS</h2> <p>There are several key differences between Windows LAPS and legacy Microsoft LAPS, including the following:</p> <ul class="default-list"> <li>Windows LAPS is built into Windows 11, <a href="https://www.techtarget.com/searchenterprisedesktop/news/252526389/Latest-Windows-11-update-adds-tabbed-File-Explorer">starting with 22H2</a>, and Windows Server 2022 with updates and newer versions of Windows.</li> <li>Windows LAPS supports Microsoft Entra ID and AD. Legacy Microsoft LAPS only worked with AD.</li> <li>Legacy Microsoft LAPS was a standalone tool and required standalone Group Policy settings.</li> <li>Although legacy Microsoft LAPS is still supported, Microsoft has deprecated it. Microsoft recommends adopting Windows LAPS, regardless of infrastructure arrangement.</li> </ul> <div class="btt-thumbnailContainer"> <span class="btt-thumbnailTitle">How to work with the new Windows LAPS feature</span> <a class="btt-thumbnailLink" data-video-id="645321" data-channel-id="18865"> <div class="btt-thumbnailImgContainer"> <img class="btt-videoBtThumbnail" src="https://cdn.brighttalk.com/ams/california/images/communication/645321/image_1044012.png?width=640&amp;height=360"> </div></a> <time class="btt-video-duration" datetime="PT6M12S">6:12</time> </div> <div class="btt-modal"> <div class="btt-modal-content"></div> </div> </section> <section class="section main-article-chapter" data-menu-title="How to migrate from legacy Microsoft LAPS"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to migrate from legacy Microsoft LAPS</h2> <p>Before you can migrate from legacy Microsoft LAPS, some prep work is necessary. You start by identifying the machines using the legacy version and then verifying they run an OS that is compatible with Windows LAPS. It's also a good idea to ensure those systems have the latest patches.</p> <p>Next, prepare the <a href="https://www.techtarget.com/searchwindowsserver/answer/Understand-Active-Directory-basics-for-enterprise-success">AD infrastructure</a>. You must update the schema -- the definition of the structure of the database -- because Windows LAPS adds new attributes to AD. Back up the AD environment, and then extend the schema using the <span style="font-family: courier new, courier, monospace;">Update-LapsADSchema</span><b> </b>cmdlet. You might need to apply some permissions using the <span style="font-family: courier new, courier, monospace;">Set-LapsADComputerSelfPermission</span> cmdlet, which gives the computer account the ability to update Windows LAPS password attributes and also enables password rotation.</p> <p>Next, decide if you want to allow coexistence between legacy Microsoft LAPS and Windows LAPS or if you want to perform a cutover migration. At a minimum, you must enable and configure the Windows LAPS Group Policy settings. If you disable legacy Microsoft LAPS, then you must set the legacy Microsoft LAPS Group Policy settings to "not configured." Only do this after you have verified Windows LAPS is working.</p> <p>Next, verify that passwords are being stored correctly with the following PowerShell command.</p> <pre class="language-powershell"><code>Get-LapsADPassword -Identity &lt;ComputerName&gt;</code></pre> <p>Next, delete the machine's local administrator password and expiration data in AD with the following command.</p> <pre class="language-powershell"><code>Set-ADComputer -Identity "ComputerName" -Clear "ms-Mcs-AdmPwd","ms-Mcs-AdmPwdExpirationTime"</code></pre> <p>To remove these attributes from multiple machines in an organizational unit (OU), adapt the following PowerShell command to your infrastructure.</p> <pre class="language-powershell"><code>Get-ADComputer -Filter * -SearchBase "OU=Computers,DC=domain,DC=com" | Set-ADComputer -Clear "ms-Mcs-AdmPwd","ms-Mcs-AdmPwdExpirationTime"</code></pre> </section> <section class="section main-article-chapter" data-menu-title="How to deploy Windows LAPS"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to deploy Windows LAPS</h2> <p>There are two options to deploy Windows LAPS. The first is to <a target="_blank" href="https://www.techtarget.com/searchenterprisedesktop/tip/Using-the-Intune-management-extension-for-PowerShell-scripts" rel="noopener">use Intune</a> to create a LAPS policy that admins push to managed Windows devices.</p> <p>The other option is to push LAPS settings to managed devices using Group Policy, which is only appropriate when managing domain-joined Windows devices.</p> </section> <section class="section main-article-chapter" data-menu-title="How to create the Intune policy for Windows LAPS"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to create the Intune policy for Windows LAPS</h2> <p>From the Microsoft Intune admin center, go to the <b>Endpoint security</b> tab to <a href="https://www.techtarget.com/searchenterprisedesktop/tip/Understanding-how-GPOs-and-Intune-interact">create the policy</a> for Windows LAPS.</p> <p>Click on <b>Account protection</b> and then the <b>Create Policy</b> link.</p> <p>The interface displays a prompt to choose a platform and a profile.</p> <p>Set the platform to <b>Windows</b> and the profile to <b>Local Admin Password Solution (Windows LAPS)</b>.</p> <p>Click <b>Create</b>.</p> <p>When prompted, give the profile a name.</p> <p>Click <b>Next</b> to move to the <b>Configuration settings</b> screen.</p> <p>Specify the desired backup directory, <a target="_blank" href="https://www.techtarget.com/searchwindowsserver/tip/Construct-a-solid-Active-Directory-password-policy" rel="noopener">password length and complexity requirements</a>, and other relevant settings.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_windows_laps1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_windows_laps1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_windows_laps1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_windows_laps1-f.jpg 1280w" alt="Windows LAPS password settings" height="314" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>In Microsoft Intune, set the password length and complexity requirements for Windows LAPS. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Click <b>Next</b> to advance to the <b>Scope Tags</b> tab.</p> <p>Select a custom scope tag -- if one exists -- or the default one.</p> <p>Click <b>Next</b> to open the <b>Assignments</b> tab.</p> <p>Select the group to which you want to apply the policy.</p> <p>Set the <b>Target Type</b> to <b>Include</b> or <b>Exclude</b>, depending on whether you want the group included in the policy.</p> <p>Click <b>Next</b> to advance to the <b>Review + Create</b> screen.</p> <p>Take a moment to review the settings shown on this screen. If everything looks good, click the <b>Create</b> button to build the policy.</p> </section> <section class="section main-article-chapter" data-menu-title="How to set up Group Policy for Windows LAPS"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to set up Group Policy for Windows LAPS</h2> <p>You can use Group Policy settings to push Windows LAPS settings to domain-joined devices, but you must first prepare AD by extending the schema to support Windows LAPS and provide the necessary permissions.</p> <p>It's a good idea to <a target="_blank" href="https://www.techtarget.com/searchwindowsserver/tutorial/Get-back-on-the-mend-with-Active-Directory-recovery-methods" rel="noopener">back up AD</a> to roll back the changes if necessary.</p> <p>Next, open an elevated PowerShell session on your domain controller, and then enter the following command to update the AD schema.</p> <pre class="language-powershell"><code>Update-LapsADSchema</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_windows_laps2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_windows_laps2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_windows_laps2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_windows_laps2-f.jpg 1280w" alt="Active Directory schema update" height="315" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Run the PowerShell command to update the schema in Active Directory. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>If an error about the command not being recognized appears, check that the server has all available updates, and confirm its role as a domain controller.</p> <p>Next, configure Windows LAPS.</p> <p>Grant the domain-joined computers permission to use Windows LAPS. The easiest way is to grant permission to the <b>Computers</b> container in AD. The command syntax varies depending on your <a target="_blank" href="https://www.techtarget.com/searchwindowsserver/tip/Active-Directory-nesting-groups-strategy-and-implementation" rel="noopener">AD structure</a>. In the case of a single domain forest with the name poseylab.com, the PowerShell command is the following.</p> <pre class="language-powershell"><code>Set-LapsADComputerSelfPermission -Identity "CN=Computers,DC=poseylab,DC=com"</code></pre> <p>Use Group Policy Management Editor to find the LAPS-related Group Policy settings in the Computer Configuration &gt; Policies &gt; Administrative Templates &gt; System &gt; LAPS section.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_windows_laps3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_windows_laps3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_windows_laps3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_windows_laps3-f.jpg 1280w" alt="Windows LAPS group policy settings" height="385" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Configure the Windows LAPS settings at the Group Policy level. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Configure the policy settings to meet your organization's needs.</p> <p>Passwords for local administrator accounts are not going away, so the updated Windows LAPS is Microsoft's attempt to make the best of the situation. This automated process is an improvement on the legacy Microsoft LAPS system, so it is worthwhile to see if it works for your organization.</p> <p><i>Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.</i></p> </section> Microsoft improved the feature that automates local administrator password management in Windows Server and the client OS. This tutorial explains the updates and how to set it up. https://cdn.ttgtmedia.com/rms/onlineimages/check_g530502390.jpg https://www.techtarget.com/searchwindowsserver/tip/How-to-work-with-the-new-Windows-LAPS-feature Fri, 13 Jun 2025 09:00:00 GMT <p>When you struggle to remember your work password -- particularly after a long vacation -- you can accidentally trigger a security policy that freezes you out of your laptop until someone from IT can come to the rescue. Many organizations automatically lock a user's account after a set number of failed login attempts. This account lockout policy is designed to stop brute-force attacks from <a target="_blank" href="https://www.techtarget.com/searchsecurity/tip/6-common-types-of-cyber-attacks-and-how-to-prevent-them" rel="noopener">hackers trying to find a user's password</a>. But lockouts happen for other reasons, such as password mismatches when a user leaves home to work in the office or when an application uses an automated login process with expired credentials. By using <a href="https://www.techtarget.com/searchwindowsserver/definition/PowerShell">PowerShell</a> to monitor event logs, admins can find these issues and track down the cause to determine whether there is malicious intent or a more innocent reason. This tutorial explains how to use automation to correct Active Directory account lockouts and monitor for suspicious activity.</p> <section class="section main-article-chapter" data-menu-title="What are causes of Active Directory account lockouts?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are causes of Active Directory account lockouts?</h2> <p>Not all account lockouts are from malicious sources or even from users who forget their passwords.</p> <p>Applications often rely on a service account for the necessary permissions to function. However, if the service account's password changes and the application does not get the updated password, this can lock the <a target="_blank" href="https://www.techtarget.com/searchwindowsserver/tip/Get-a-grasp-on-using-group-managed-service-accounts" rel="noopener">service account</a>.</p> <p>Redundant login information is another reason for account lockouts. An enterprise user might have a dozen or more credentials tied to a common username. It takes effort to keep track of all these accounts. It's not difficult to foresee someone using the wrong set of credentials multiple times until they trigger an account lockout in Active Directory.</p> <p>Account lockouts can also occur when users change work locations. A common scenario is when a user switches from working on a domain-joined Windows desktop in the office to a Windows laptop at home not connected to a network. Because the laptop is offline, it does not record password changes. The user must log in with the old password. If the user brings that laptop into the office and attempts to access the network, the combination of password mismatch and end-user confusion could lead to an account lockout.</p> </section> <section class="section main-article-chapter" data-menu-title="Account lockout policies can help and hinder admins"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Account lockout policies can help and hinder admins</h2> <p>One of the main reasons account lockouts are problematic is that they tend to happen silently. As an administrator, you might never even know that an account lockout has occurred unless a user calls or you see an account lockout event <a target="_blank" href="https://www.techtarget.com/searchwindowsserver/tip/Filter-and-query-Windows-event-logs-with-PowerShell" rel="noopener">listed in the Windows event logs</a>.</p> <p>Account lockouts can be problematic for IT because, while unlocking accounts and resetting passwords is simple enough, a high volume of reset requests or account lockout tickets can overload the help desk and waste the IT staff's time. Of course, these lockouts affect the end user, who cannot work while waiting for a fix to their account lockout.</p> <p>Even though Active Directory account lockouts are meant to keep an organization secure, they sometimes backfire. Users frustrated by account lockouts might try to sidestep the organization's security protocols and write down their passwords or use weak passwords that are easy to remember. An automated brute-force attack could cycle through every user in an organization and cause widespread damage by locking out every account; one way to counteract this is to set the account lockout threshold to 0, which never locks any accounts but relies on other security means to prevent these hack attempts.</p> </section> <section class="section main-article-chapter" data-menu-title="How to investigate account lockouts in the Windows event logs"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to investigate account lockouts in the Windows event logs</h2> <p>To search the event logs for account lockout events, it's best to begin by checking the Security log for <b>Event ID 4740: A user account was locked out</b>. While this event indicates an account was locked out, it doesn't explain why.</p> <p>When investigating this issue, search for other events that can provide more information, such as <b>Event ID 4625: An account failed to log on</b>. This event usually <a target="_blank" href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625" rel="noopener">details</a> why the login failure occurred. For example, you might find that the user entered their password incorrectly or that they tried to log in outside of authorized hours.</p> <p>To stay ahead of these lockout situations, one option is to use PowerShell to check for lockouts in event logs with the following command.</p> <pre class="language-powershell"><code>Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4740} | Select-Object TimeCreated, Message | Format-Table -Wrap</code></pre> <p>The following details the specifics of this command:</p> <ul class="default-list"> <li>The <span style="font-family: courier new, courier, monospace;">Get-WinEvent</span> cmdlet queries Windows event logs.</li> <li><span style="font-family: courier new, courier, monospace;">FilterHashTable</span> specifies the items to search for within the event logs. In this case, the <span style="font-family: courier new, courier, monospace;">LogName</span> parameter targets the <a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-filter-Security-log-events-for-signs-of-trouble">Windows Security log</a> and filters for instances of Event ID 4740, referring to account lockout events in Active Directory.</li> <li>The command pipes results into the <span style="font-family: courier new, courier, monospace;">Select-Object</span> cmdlet, which displays the time when the event was created and event details, such as the device, user's name and domain.</li> <li>The <span style="font-family: courier new, courier, monospace;">Format-Table</span> cmdlet, along with the <span style="font-family: courier new, courier, monospace;">Wrap</span> parameter, forces PowerShell to display the pertinent information neatly in a table. Normally, PowerShell output truncates the account lockout message.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/bposey_adlockout1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/bposey_adlockout1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/bposey_adlockout1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/bposey_adlockout1-f.jpg 1280w" alt="PowerShell lockout query" height="293" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use PowerShell to query the event log to show Active Directory account lockout events. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>In a production environment, this Active Directory account lockout query could draw excessive results because it <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Query-event-logs-with-PowerShell-to-find-malicious-activity">checks the Security event log</a> for all instances of <b>Event ID 4740</b>, regardless of when the event occurred. The best way to address this problem is to use the <span style="font-family: courier new, courier, monospace;">StartTime</span> filter. For example, the following command looks at events from the last 24 hours.</p> <pre class="language-powershell"><code>$Start=(Get-Date).AddDays(-1) Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4740;StartTime=$Start} | Select-Object TimeCreated, Message | Format-Table -Wrap</code></pre> <p>The following details the specifics of this command:</p> <ul class="default-list"> <li>The variable named <span style="font-family: courier new, courier, monospace;">$Start</span><b> </b>serves as a starting point for the log search. <span style="font-family: courier new, courier, monospace;">Get-Date.AddDays(-1)</span> tells PowerShell to subtract one day from the current time. To check logs through the previous week, use <span style="font-family: courier new, courier, monospace;">AddDays(-7)</span>.</li> <li>The second command is identical to the previous one, except <span style="font-family: courier new, courier, monospace;">StartTime=$Start</span> is added as a parameter to the filter hash table to instruct PowerShell to ignore results older than the date and timestamp in the <span style="font-family: courier new, courier, monospace;">$Start</span> variable.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to check your organization for account lockouts"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to check your organization for account lockouts</h2> <p>Another way to use PowerShell to check for Active Directory lockouts is to query a user account using the <span style="font-family: courier new, courier, monospace;">Get-ADUser</span> cmdlet and then check the value of the<b> </b><span style="font-family: courier new, courier, monospace;">LockedOut</span><b> </b>property.</p> <p>The problem with this approach is reliability. It works if Active Directory treats the account lockout status as a stored property, but it does not work if it is a calculated property.</p> <p>Instead, use the <span style="font-family: courier new, courier, monospace;">Search-ADAccount</span> cmdlet for more consistent results. If you want to see a list users whose accounts are currently locked out, you can use this PowerShell command.</p> <pre class="language-powershell"><code>Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut</code></pre> <p>The following details the specifics of this command:</p> <ul class="default-list"> <li>The <span style="font-family: courier new, courier, monospace;">Search-ADAccount</span> cmdlet is designed to look at various user account properties.</li> <li>The <span style="font-family: courier new, courier, monospace;">LockedOut</span> parameter designates whether an account is locked.</li> <li>The <span style="font-family: courier new, courier, monospace;">Select-Object</span> cmdlet determines the information displayed within the output. In this case, the command shows the Security Account Manager (SAM) account name -- or the username -- and the <span style="font-family: courier new, courier, monospace;">LockedOut</span> status.</li> </ul> <p>To check to see whether a specific user has been locked out, use this command.</p> <pre class="language-powershell"><code>Search-ADAccount -LockedOut | Where-Object {$_.SAMAccountName -eq "&lt;username&gt;"} | Select-Object SamAccountName, LockedOut</code></pre> <p>This command is nearly identical to the previous command, except for the <span style="font-family: courier new, courier, monospace;">Where-Object</span> cmdlet, which filters the list to show results for the specified user. The command returns a status of <span style="font-family: courier new, courier, monospace;">True</span> if the user is locked out. No results show otherwise.</p> <p>To unlock an account, use the following PowerShell command, replacing <span style="font-family: courier new, courier, monospace;">&lt;username&gt;</span> with the name of the user whose account you wish to unlock.</p> <pre class="language-powershell"><code>Unlock-ADAccount &lt;username&gt;</code></pre> <p>If you want to unlock the locked accounts, use this command.</p> <pre class="language-powershell"><code>Search-ADAccount -LockedOut | Unlock-ADAccount</code></pre> <p>The following details the specifics of this command:</p> <ul class="default-list"> <li>The <span style="font-family: courier new, courier, monospace;">Search-ADAccount</span> cmdlet finds locked-out users.</li> <li>The results are piped into the <span style="font-family: courier new, courier, monospace;">Unlock-ADAccount</span> cmdlet, which removes the lockout status.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to use the ADUC console to unlock accounts"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to use the ADUC console to unlock accounts</h2> <p>PowerShell tends to be the quickest and easiest option for unlocking accounts for certain scenarios, such as if you have a lot of accounts to unlock or if you aren't sure which accounts need attention, but it isn't your only option. You can also unlock accounts <a href="https://www.techtarget.com/searchwindowsserver/tip/Speed-up-onboarding-with-Active-Directory-user-templates">using the Active Directory Users and Computers (ADUC) console</a>:</p> <ul class="default-list"> <li>Open the console, and then right-click on the account to unlock and select the <b>Properties</b> command from the shortcut menu to open the user's properties sheet.</li> <li>Select the <b>Account</b> tab, and then select the <b>Unlock</b> <b>Account</b> checkbox.</li> <li>Click <b>OK</b> to complete the process.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to troubleshoot frequent account lockouts"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to troubleshoot frequent account lockouts</h2> <p>Frequent account lockouts can be a headache. When that happens, they are usually tied to a few specific causes.</p> <p>One reason is cached credentials. Avoid this problem by always prompting users for their credentials rather than enabling Windows to remember them.</p> <p>If a user device is often locked out while using a mobile device, consider enlisting Microsoft's Conditional Access policies. These policies reduce lockouts through more stringent login verification methods, such as using geographic location to prevent hack attempts or requiring Microsoft Authenticator to <a href="https://www.techtarget.com/searchsecurity/tip/Use-these-6-user-authentication-types-to-secure-networks">implement passwordless authentication</a>.</p> <p>You can also review the Active Directory account lockout settings in Group Policy and adjust the lockout threshold or the lockout duration to align them to your security requirements.</p> <p>Some legacy applications store credentials inside the application. This setup can trigger lockouts if the password is changed without adjusting it in the application. It's best to limit this practice if possible and to avoid a lockout policy for accounts only used by these applications.</p> <p>Finally, <a href="https://www.techtarget.com/searchwindowsserver/tip/Active-Directory-replication-troubleshooting-tips-and-tools">Active Directory replication health problems</a> sometimes cause account lockouts in complex Active Directory environments, such as when replication falters or there's a delay in replication between domain controllers. To check the Active Directory's replication status, use the <span style="font-family: courier new, courier, monospace;">repadmin /replsummary</span> command.</p> </section> <section class="section main-article-chapter" data-menu-title="What are some security considerations related to account lockouts?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are some security considerations related to account lockouts?</h2> <p>When determining how to manage account lockouts in your organization, consider your options carefully.</p> <p>First, it's important to adhere to least-privilege access principles, meaning that admins have just the permissions needed to do their jobs. The downside is that this limits the scope of how administrators use PowerShell to prevent unauthorized account lockout management.</p> <p>Second, while it is possible to build PowerShell scripts that automate the account unlocking process, it's important to protect those scripts from unauthorized access.<b> </b>If you have properly implemented least-privilege access, then this restricts unsanctioned access to these scripts. This limitation prevents any malicious modifications to your code and stops attackers from accessing the code to learn more about your infrastructure.</p> <p>Finally, checking account access patterns before unlocking an account is important. If you find that an account -- <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Learn-to-adjust-the-AdminCount-attribute-in-protected-accounts">particularly a privileged account</a> -- gets locked repeatedly, it may be an indication that an attacker is targeting that account.</p> </section> <section class="section main-article-chapter" data-menu-title="How to define the organization's lockout policy"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to define the organization's lockout policy</h2> <p>You adjust the account lockout policy settings by using the Group Policy Management Editor and navigating to the following menu: Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Account Policies &gt; Account Lockout Policy. The Group Policy settings provide options to adjust the account lockout duration, threshold and lockout reset counter.</p> <p>Microsoft does not have a universally applicable best practice for account lockouts. Some Microsoft <a target="_blank" href="https://learn.microsoft.com/en-us/services-hub/unified/health/remediation-steps-ad/set-the-account-lockout-threshold-to-the-recommended-value" rel="noopener">documentation</a> suggests setting the account lockout threshold to either 0 -- to prevent denial-of-service attacks -- or to 10. If you configure accounts to be locked out, Microsoft recommends keeping the account lockout duration relatively short, such as 15 minutes.</p> <p><i>Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.</i></p> </section> Entering the wrong credentials so many times can block users from logging in. This tutorial explains how to find and correct these issues and other lockout events. https://cdn.ttgtmedia.com/rms/onlineimages/security_a135187239.jpg https://www.techtarget.com/searchwindowsserver/tip/How-to-fix-Active-Directory-account-lockouts-with-PowerShell Mon, 09 Jun 2025 09:00:00 GMT <p>In today's complex and ever-expanding IT environments, no one has time to wait for a PowerShell script to plod along to completion, especially when timeliness is crucial.</p> <p>As an administrator who wants to automate extensively with <a href="https://www.techtarget.com/searchwindowsserver/definition/PowerShell">PowerShell</a>, you get to the point where you want to write advanced scripts that easily handle complex tasks. Sometimes, performance is slow for various reasons and waiting for the script to finish almost defeats the purpose of writing it. While having many PowerShell consoles open like tabs on a browser isn't necessarily bad, if you work this way because your scripts are slow, that is a problem. Thankfully, PowerShell has a feature called background jobs to run scripts and commands in parallel. This enables you to execute a long-running task in the background without affecting the current console. Let's take a more in-depth look at what PowerShell background jobs are, how you can start using and managing them, and examples of how to use them.</p> <section class="section main-article-chapter" data-menu-title="What is a job in PowerShell?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is a job in PowerShell?</h2> <p>In all cases, a job is a task that PowerShell runs asynchronously, meaning that it runs the command or script without affecting the prompt's availability. PowerShell has several background job types:</p> <ul class="default-list"> <li><b>RemoteJob.</b> Commands and scripts that run through a remote session.</li> <li><b>ThreadJob.</b> Commands and scripts that run in a separate thread of the same process as the parent PowerShell process.</li> <li><b>BackgroundJob.</b> Commands and scripts that run in a separate process from the parent PowerShell process.</li> </ul> <p>The choice between a ThreadJob and a BackgroundJob comes down to process isolation and performance. A script running in the same process, even as a different thread, can affect the parent process. If a ThreadJob encounters a terminating error, then it can affect the parent process. While this is not the case with a BackgroundJob, running in a separate process does add some overhead, including how objects are handled since you cannot receive a live object from a BackgroundJob.</p> <p>Generally, because BackgroundJobs are more extensive, they are the recommended job type and are what are examined for the rest of this article.</p> </section> <section class="section main-article-chapter" data-menu-title="The basics of managing PowerShell background jobs"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The basics of managing PowerShell background jobs</h2> <p>PowerShell background job management is done with cmdlets that are part of the Microsoft.PowerShell.Core snap-in.</p> <p>The easiest way to see the available commands is to query with <span style="font-family: courier new, courier, monospace;">Get-Command</span> to get all commands that end with<b> </b><span style="font-family: courier new, courier, monospace;">-Job</span>, using the <span style="font-family: courier new, courier, monospace;">Format-Table</span> alias for cleaner output.</p> <pre class="language-powershell"><code>Get-Command *-Job | ft -a</code></pre> <p>Here is the output from PowerShell 7.5.<br><br><b></b></p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_1-f.jpg 1280w" alt="PowerShell 7.5 job commands" height="207" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>This is the list of job-related cmdlets in PowerShell 7.5. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>And here is the output for Windows PowerShell.<br><br></p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_2-f.jpg 1280w" alt="Job cmdlets in Windows PowerShell" height="220" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>This is the list of commands for jobs in Windows PowerShell. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Upon closer examination, you see <span style="font-family: courier new, courier, monospace;">Resume-Job</span> and <span style="font-family: courier new, courier, monospace;">Suspend-Job</span> are no longer available in PowerShell 7.5, but this tutorial provides examples that work with Windows PowerShell and PowerShell 7.</p> <p>One of the great things about PowerShell is you can infer from cmdlet names what they do. Want to start a job? Let's try <span style="font-family: courier new, courier, monospace;">Start-Job</span>.</p> <pre class="language-powershell"><code>Start-Job -ScriptBlock {Write-Host 'this command runs in a background job'}</code></pre> <p>There is no <span style="font-family: courier new, courier, monospace;">Write-Host</span> output, but rather a job object. The background job runs asynchronously and requires specific commands to check on its status and find its output. If you didn't assign the output of that command to a variable, as in this example, pay attention to the <span style="font-family: courier new, courier, monospace;">Id</span>. Use <span style="font-family: courier new, courier, monospace;">Get-Job</span> to find the job information.</p> <pre class="language-powershell"><code>Get-Job -Id 4</code></pre> <p>Now, you can see the state marked as Completed.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_3-f.jpg 1280w" alt="background job information" height="72" width="557"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use the Get-Job cmdlet to find information about a specific background job. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>To receive the data from the job, check that the <span style="font-family: courier new, courier, monospace;">HasMoreData</span> property is <span style="font-family: courier new, courier, monospace;">True</span>, indicating available output. Use <span style="font-family: courier new, courier, monospace;">Receive-Job</span><b> </b>to collect that data, assigning the output to a variable.</p> <pre class="language-powershell"><code>$jobOutput = Receive-Job -Id 4</code></pre> <p>In this case, the data was simply output from <span style="font-family: courier new, courier, monospace;">Write-Host</span>. The <span style="font-family: courier new, courier, monospace;">$jobOutput</span> variable is empty.</p> <p>If you need to wait for a job to complete, which command can you use? Let's try <span style="font-family: courier new, courier, monospace;">Wait-Job</span>.</p> <pre class="language-powershell"><code>Wait-Job -Id 4</code></pre> <p>PowerShell pauses until the job completes. In this case, it returns immediately. However, since you are in PowerShell, use the pipeline to pass the output of each command to the next command to make a nice one-liner.</p> <pre class="language-powershell"><code>Start-Job -ScriptBlock {Write-Host 'Pipeline'} | Wait-Job | Receive-Job</code></pre> <p>The <span style="font-family: courier new, courier, monospace;">Wait-Job</span> cmdlet is useful when you need a specific job to complete before the next command.</p> <p>Finally, to remove the job, use <span style="font-family: courier new, courier, monospace;">Remove-Job</span>.</p> <pre class="language-powershell"><code>Remove-Job -Id 4</code></pre> <p>Any remaining jobs are removed when the PowerShell session closes.</p> </section> <section class="section main-article-chapter" data-menu-title="How background jobs differ from Start-Process"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How background jobs differ from Start-Process</h2> <p>If you think background jobs are a fancy wrapper around <span style="font-family: courier new, courier, monospace;">Start-Process</span>, you aren't completely wrong. While they both run processes that are separate from the main PowerShell session, background jobs can continue to interact with the parent session to check the status and perform other actions. <span style="font-family: courier new, courier, monospace;">Start-Process</span> does not have the same functionality.</p> <p>Replicating the earlier example, try the following -- replacing <span style="font-family: courier new, courier, monospace;">pwsh</span> for <span style="font-family: courier new, courier, monospace;">powershell</span> in Windows PowerShell.</p> <pre class="language-powershell"><code>Start-Process pwsh -ArgumentList '-c Write-Host "this command runs in a background job"'</code></pre> <p>Running that command opens and closes the PowerShell console in a flash, leaving no indication if it worked.</p> <p>Reproducing background jobs with <span style="font-family: courier new, courier, monospace;">Start-Process</span> requires significant work to construct a redirect of standard input/output from the process and then perform object serialization that loads back into the original parent PowerShell process. All this effort is redundant to recreate the functionality that already exists in background jobs. You might prefer <span style="font-family: courier new, courier, monospace;">Start-Process</span> to a background job for process isolation from the parent PowerShell session when launching a GUI application or running a process with different credentials.</p> </section> <section class="section main-article-chapter" data-menu-title="How to use background jobs in scripts"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to use background jobs in scripts</h2> <p>Converting your PowerShell code to run as a background job might require some effort. Background jobs do not provide interactive input to the parent session. For example, checking the job in the following command gives a state of Blocked.</p> <pre class="language-powershell"><code>Start-Job -ScriptBlock {Read-Host 'Data please: ';Read-Host 'More data: '}</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_4-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_4-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_4-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_4-f.jpg 1280w" alt="background job blocked state" height="138" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>A PowerShell background job shows its state as Blocked, which prevents interactive input. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>To pass data to a job, you can use the <span style="font-family: courier new, courier, monospace;">-ArgumentList</span> parameter and a scriptblock that has a <span style="font-family: courier new, courier, monospace;">param()</span> block.</p> <pre class="language-powershell"><code>Start-Job -ScriptBlock {param($string)Write-Host $string} -ArgumentList 'Output from job'</code></pre> <p>This screenshot shows the output from the string in the <span style="font-family: courier new, courier, monospace;">-ArgumentList</span><b> </b>parameter was passed and handled by the job.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_5-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_5-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_5-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_5-f.jpg 1280w" alt="background job data" height="113" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The PowerShell code shows how to send data to a background job. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Error handling also needs to be considered. If a stopping error occurs, the job fails. For example, if you run the following simple script and then query the job, it returns a Failed<b> </b>state.</p> <pre class="language-powershell"><code>Start-Job -ScriptBlock {Throw 'error'} Get-Job -Id 14</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_6-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_6-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_6-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_6-f.jpg 1280w" alt="check for background jobs errors" height="137" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Check for errors with jobs using the Get-Job cmdlet. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Therefore, it is important to handle any errors and to only force the script to stop on errors if that is the desired behavior.</p> <p>One approach to make this process significantly easier is to debug the script in an interactive session, paying attention to input, output and errors, and then add steps to log to a file to track execution information. The logging can include simple checkpoints to denote which sections of the script were executed or can take a more comprehensive approach that logs errors and object properties.</p> </section> <section class="section main-article-chapter" data-menu-title="How to handle data from PowerShell background jobs"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to handle data from PowerShell background jobs</h2> <p>PowerShell is not a <a href="https://www.techtarget.com/whatis/definition/strongly-typed">strongly typed programming language</a>. This might not be a problem, but it is something to be aware of when working across different execution contexts. Objects returned from background jobs go through a serialization and deserialization process, which affects the functionality.</p> <p>Receiving data from a background job is almost as easy as receiving data from any other cmdlet in PowerShell. Use <span style="font-family: courier new, courier, monospace;">Receive-Job</span> to collect data output. For example, the following PowerShell command gets the file object.</p> <pre class="language-powershell"><code>Start-Job -ScriptBlock {Get-Item C:\tmp\test.txt} | Wait-Job | Receive-Job</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_7-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_7-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_7-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_7-f.jpg 1280w" alt="output file details" height="123" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>The PowerShell command checks the file and outputs the file details. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The returned object looks like a legitimate <span style="font-family: courier new, courier, monospace;">FileInfo</span> object, but double-check with the following code, which checks the type.</p> <pre class="language-powershell"><code>$file = Start-Job -ScriptBlock {Get-Item C:\tmp\test.txt} | Wait-Job | Receive-Job $file.GetType()</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_8-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_8-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_8-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_8-f.jpg 1280w" alt="object type check" height="90" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The code creates a background job to get file information and then displays the object type. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>If you do the same thing in the interactive session, then you get the expected type.<br><b><br></b></p> <pre class="language-powershell"><code>$file = Get-Item C:\tmp\test.txt $file.GetType()</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_9-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_9-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_9-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_9-f.jpg 1280w" alt="checking object type" height="93" width="558"> <figcaption> <i class="icon pictures" data-icon="z"></i>The same code from the interactive session returns a different object type. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The results differ because PowerShell serializes the object and then deserializes the object when returning it from a background job. The properties or data are preserved, but the methods -- actions or functions invoked with parentheses -- are not available.</p> <p>For example, these commands work in an interactive session but don't work if you receive the <span style="font-family: courier new, courier, monospace;">FileInfo</span> object from a job, as shown here.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_10-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_10-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_10-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_10-f.jpg 1280w" alt="objects from background jobs" height="116" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>While objects from jobs appear similar to those obtained directly, those returned from a background job lose their methods and limit their functionality. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>A background job is ideal for use with data-only objects, such as <span style="font-family: courier new, courier, monospace;">PSCustomObject</span>.</p> </section> <section class="section main-article-chapter" data-menu-title="How to scale PowerShell background jobs"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to scale PowerShell background jobs</h2> <p>While running a single PowerShell task in the background is helpful, the real benefit comes by running <a href="https://www.techtarget.com/searchwindowsserver/tip/PowerShell-commands-to-copy-files-Basic-to-advanced-methods">several background jobs concurrently</a>, especially when time is of the essence.</p> <p>For example, maybe you need to run <span style="font-family: courier new, courier, monospace;">gpupdate</span> to apply Group Policy changes on all your servers ASAP. With a <span style="font-family: courier new, courier, monospace;">foreach</span> loop and no background jobs, this task runs on each server sequentially as in the following PowerShell script.</p> <pre class="language-powershell"><code>$servers = Get-ADComputer -filter {OperatingSystem -like "*Windows Server*"} foreach ($server in $servers) { Invoke-Command -ComputerName $Server.Name -ScriptBlock { gpupdate.exe /force } }</code></pre> <p>The script processes each server sequentially, performing the update on a server before it moves to the next. For an enterprise with hundreds or thousands of servers, this procedure could take a long time.</p> <p>However, with background jobs, PowerShell can complete this quickly.</p> <p>The first idea might be to use the <span style="font-family: courier new, courier, monospace;">-AsJob</span> parameter on <span style="font-family: courier new, courier, monospace;">Invoke-Command</span> and end up with the following.</p> <pre class="language-powershell"><code>$servers = Get-ADComputer -filter {OperatingSystem -like "*Windows Server*"} foreach ($server in $servers) { Invoke-Command -ComputerName $Server.Name -AsJob -ScriptBlock { gpupdate.exe /force } }</code></pre> <p>Due to job overhead and depending on the number of servers, this script could overload the local machine. You can manage this by <a href="https://www.techtarget.com/searchitoperations/tutorial/Build-a-PowerShell-performance-monitoring-script-step-by-step">monitoring the number of jobs</a> running with the following command:</p> <pre class="language-powershell"><code>(Get-Job -State Running).Count</code></pre> <p>The number of jobs that can be run simultaneously varies depending on the host system, but a good place to start for a simple script like this might be 20. Let's update the script accordingly and have it sleep for five seconds if the count is 20 or greater to prevent system overload.</p> <pre class="language-powershell"><code>$servers = Get-ADComputer -filter {OperatingSystem -like "*Windows Server*"} foreach ($server in $servers) { while ((Get-Job -State "Running").Count -ge 20) { Start-Sleep -Seconds 5 } Invoke-Command -ComputerName $Server.Name -AsJob -ScriptBlock { gpupdate.exe /force } }</code></pre> <p>Now, you have a solution to apply Group Policy changes to all servers in AD in a quick and scalable fashion. Before running a script like this in your environment, properly source your servers. For example, you may have an <a href="https://www.techtarget.com/searchwindowsserver/definition/organizational-unit-OU">organizational unit</a> that you can use with the <span style="font-family: courier new, courier, monospace;">-SearchBase</span> parameter to target specific servers rather than all of them.</p> <p>Be aware that using <span style="font-family: courier new, courier, monospace;">Invoke-Command</span> with the <span style="font-family: courier new, courier, monospace;">-AsJob</span><b> </b>parameter technically initiates a RemoteJob, not a BackgroundJob. However, a RemoteJob is handled in the same way as a BackgroundJob, so <span style="font-family: courier new, courier, monospace;">Get-Job</span>,<b> </b><span style="font-family: courier new, courier, monospace;">Wait-Job</span><b> </b>and<b> </b><span style="font-family: courier new, courier, monospace;">Receive-Job</span> still work with this method.</p> </section> <section class="section main-article-chapter" data-menu-title="How to work with data at scale with background jobs"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to work with data at scale with background jobs</h2> <p>After running many jobs, it can be daunting to track the state of each of them, especially in the previous example where the script ran a <a href="https://www.techtarget.com/searchwindowsserver/tip/Automate-Active-Directory-jobs-with-PowerShell-scripts">command on every server in AD</a>. To track status on a per-job basis, you can give each of them meaningful names in several ways:</p> <ul class="default-list"> <li><span style="font-family: courier new, courier, monospace;">-Name</span> parameter in <span style="font-family: courier new, courier, monospace;">Start-Job</span>.</li> <li><span style="font-family: courier new, courier, monospace;">-JobName</span> parameter in <span style="font-family: courier new, courier, monospace;">Invoke-Command</span>.</li> <li><span style="font-family: courier new, courier, monospace;">Location</span> property on the job itself.</li> </ul> <p>If you are running a group of jobs that target specific resources, folders in file shares or IP addresses on a network, then you can track that information by using the <span style="font-family: courier new, courier, monospace;">-Name</span> parameter in <span style="font-family: courier new, courier, monospace;">Start-Job</span>.</p> <pre class="language-powershell"><code>$fileShares = Get-Content C:\temp\fileshares.txt foreach ($share in $fileShares) { Start-Job -Name $share -ScriptBlock { param($share) # do something with $share } -ArgumentList $share }</code></pre> <p>Running <span style="font-family: courier new, courier, monospace;">Get-Job</span><b> </b>shows the name of the share for each job.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_11-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_11-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_11-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_11-f.jpg 1280w" alt="-Name parameter" height="87" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Using the -Name parameter displays the status of the background jobs. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Or, if you are working with a RemoteJob, as in the gpupdate example, you could either use the <span style="font-family: courier new, courier, monospace;">-JobName</span><b> </b>parameter or the <span style="font-family: courier new, courier, monospace;">Location</span> property. For example, when running a job on a remote system, the name of the remote host in the <span style="font-family: courier new, courier, monospace;">Location</span> property appears after running the following PowerShell command.<br><br></p> <pre class="language-powershell"><code>Invoke-Command -AsJob -ScriptBlock {write-host 'yes'} -ComputerName dc.domain.local</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ah_psjobs_12-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ah_psjobs_12-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ah_psjobs_12-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ah_psjobs_12-f.jpg 1280w" alt="background jobs location property" height="68" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Target specific resources in background jobs by using the location property. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>That enables you to easily run a <a target="_blank" href="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/get-job?view=powershell-7.5" rel="noopener">report</a> on the status of each job in a scalable fashion, such as the following example.</p> <pre class="language-powershell"><code>$report = while ((Get-Job -HasMoreData $true).Count -gt 0) { foreach ($job in (Get-Job -HasMoreData $true)) { [pscustomobject]@{ Share = $job.Name JobState = $job.State Data = Receive-Job -Job $job } } }</code></pre> <p>If you have long-running jobs, then you might need to wait for them to finish before running the report.</p> <p><i>Anthony Howell is an IT strategist with extensive experience in infrastructure and automation technologies. His expertise includes PowerShell, DevOps, cloud computing, and working in both Windows and Linux environments.</i></p> </section> When you need a PowerShell script to execute as quickly as possible, try this native feature to run multiple jobs in parallel to overcome processing bottlenecks. https://cdn.ttgtmedia.com/rms/onlineimages/keyboard_g1140860048.jpg https://www.techtarget.com/searchwindowsserver/tutorial/Try-these-PowerShell-Start-Job-examples-for-more-efficiency Mon, 02 Jun 2025 09:00:00 GMT <p>The Windows Management Instrumentation Command-line (WMIC) utility is a command-line interface (<a href="https://www.techtarget.com/searchwindowsserver/definition/command-line-interface-CLI">CLI</a>) for working with Windows Management Instrumentation (<a href="https://www.techtarget.com/searchwindowsserver/definition/Windows-Management-Instrumentation">WMI</a>), a Web-Based Enterprise Management (WBEM) framework for accessing and managing information about Windows computers in enterprise environments.</p> <section class="section main-article-chapter" data-menu-title="What is the purpose of WMIC?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the purpose of WMIC?</h2> <p>The main purpose of WMIC (Wmic.exe) is to provide a user-friendly CLI that allows <a href="https://www.techtarget.com/searchwindowsserver/definition/Windows">Windows</a> local system admins to access WMI. WMIC is fully compatible with existing shells and utility commands. Admins can use many prebuilt commands at the WMIC command prompt to do everything from the following:</p> <ul class="default-list"> <li>Determine what aliases are available for WMIC.</li> <li>List all the processes on specified computers where the ProcessID is greater than a certain number.</li> <li>Add to the list of nodes from which information is to be retrieved.</li> <li>Retrieve properties or call on a defined method.</li> <li>Perform specific actions using verbs like <i>Assoc</i> (to show the associations that the Administrators group has with the system), <i>Create</i> (to add a variable with a specific name and set its value to a folder below the Program Files folder), <i>Delete</i> (to delete an environment variable), <i>List</i> (to show data, such as system properties, object status or instance paths), and <i>Get</i> (to return the boot-partition <a href="https://www.techtarget.com/whatis/definition/Boolean">Boolean</a> description string).</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Benefits of WMIC"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of WMIC</h2> <p>Without WMIC, do-it-yourself systems management with WMI can be very difficult. One reason is that system admins would need to know a programming language like <a href="https://www.techtarget.com/searchdatamanagement/definition/C">C++</a> or a <a href="https://www.techtarget.com/whatis/definition/scripting-language">scripting language</a> like VBScript to write scripts. These scripts would be needed to gather information by means of WMI. But with WMIC, admins don't have to write scripts. Instead, they can use the utility on a local machine regardless of WMI namespace permissions to obtain management data from remote computers with WMI.</p> <p>The WMIC utility also eliminates the need to use WMI-based applications, the WMI Scripting API or tools to manage WMI-enabled computers. It provides a simple and intuitive way, plus batch scripts to extend WMI for operation from several command-line interfaces.</p> <p>Admins don't need to understand the WMI namespace to use WMIC. They can use the utility on local machines regardless of WMI namespace permissions. WMIC makes DIY systems management less complex by using <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-to-find-and-customize-your-PowerShell-profile"><i>aliases</i></a><i>.</i> An alias refers to a simple renaming of a class, property or method. Aliases take simple commands entered at the WMIC command line and then act on the WMI namespace in a predefined manner. By functioning as user-friendly syntax intermediaries between the user (admin) and the WMI namespace, aliases in WMIC make it easier for admins to use and read WMI for accessing management information.</p> </section> <section class="section main-article-chapter" data-menu-title="How does WMI work?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How does WMI work?</h2> <p>WMI is Microsoft's implementation of WBEM -- a set of management specifications for defining how resources in <a href="https://www.techtarget.com/searchitoperations/The-definitive-guide-to-enterprise-IT-monitoring">enterprise computing environments</a> can be discovered, accessed and manipulated. WMI is also based on the Common Information Model (<a href="https://www.techtarget.com/searchstorage/definition/Common-Information-Model">CIM</a>), a computer industry standard for representing systems, devices, applications and other managed components. The CIM standard lets <a href="https://www.techtarget.com/searchnetworking/definition/system-administrator">system administrators</a> and management programs control devices and applications from multiple manufacturers or sources in the same way.</p> <p>WMI provides users with information about the status of local or remote computer systems and supports the following actions:</p> <ul class="default-list"> <li>Establish a connection to a remote computer to obtain data about it, such as its <a href="https://www.techtarget.com/whatis/definition/domain">domain</a> or currently logged-on user.</li> <li>Control hardware or software.</li> <li>Get information about a hardware component, such as its properties, presence or state.</li> <li>Get information about the hardware state or logical volume of a disk drive.</li> <li>Get information about software or operating system, i.e., its version.</li> <li>Get event notifications.</li> <li>Add a new printer connection for a remote computer.</li> <li>Find all the installed hotfixes on a specific computer.</li> <li>Back up or clear log files.</li> <li>Get event data from NT Event log files.</li> <li>Change file or folder properties.</li> <li>Create (or modify) registry keys and values.</li> <li>Access (or refresh) data about computer performance.</li> <li>Create processes and get information related to a running process, such as the account under which it is running.</li> <li>Get information about scheduled tasks and implemented services.</li> </ul> <p>The WMIC utility provides an interface to WMI that makes it easy to access information and perform administrative functions. To obtain any of the data listed above, admins can write a script or application in a language like C++, <a href="https://www.techtarget.com/whatis/definition/C-Sharp">C#</a> or WMI .NET. The other option is to use the WMIC utility, which makes it easy to access WMI for the above tasks. It provides an interface to WMI that makes it easy to access information and perform administrative functions without having to write a script.</p> <p>To supply data to WMI, admins need to write a WMI COM provider. They can do this with the WMI ATL Wizard in <a href="https://www.techtarget.com/searchsoftwarequality/news/366585953/Microsoft-Visual-Studio-Azure-updates-target-AI-developers">Visual Studio</a> or by using COM directly in any integrated development environment (<a href="https://www.techtarget.com/searchsoftwarequality/definition/integrated-development-environment">IDE</a>). A simpler method is to create a managed code provider by using WMI in the <a href="https://www.techtarget.com/whatis/definition/NET-Framework">.NET Framework</a>.</p> </section> <section class="section main-article-chapter" data-menu-title="WMIC modes of operation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>WMIC modes of operation</h2> <p>WMIC operates in two modes: <i>interactive</i> and <i>noninteractive</i>.</p> <h3>Interactive mode</h3> <p>Users can use WMIC in interactive mode when they first start WMIC. When WMIC starts in interactive mode, the default WMIC role is <b>Root\cli. </b>Once Windows installs the utility on the computer, the user will see the WMIC command prompt, wmic:root\cli&gt;. Then, they can enter <a href="https://www.techtarget.com/searchwindowsserver/tip/What-do-admins-need-to-know-about-the-CLI-for-Microsoft-365">a relevant command</a> on one line. After one command runs, the WMIC command prompt will reappear, and the user can insert new comments (again, on one line).</p> <p>Once in interactive mode, the user can run WMIC commands without specifying the wmic keyword at the beginning of each command. The user remains in this mode until they specifically exit from it by entering the <i>Quit</i> or <i>Exit</i> commands. The interactive mode is most useful if the user needs to enter a series of WMIC commands.</p> <p>Here's how to run WMIC in interactive mode:</p> <ol class="default-list"> <li>Click <b>Start</b> &gt; <b>Run</b></li> <li>Type <b>WMIC</b></li> <li>Press <b>ENTER</b></li> <li>Type the alias, command or global switch that WMIC is to perform.</li> </ol> <h3>Noninteractive mode</h3> <p>WMIC can also be used in noninteractive mode. In this mode, the WMIC command prompt disappears after WMIC performs a previously entered command. This mode is useful for carrying out one-off tasks or when including WMIC commands in a <a href="https://www.techtarget.com/searchwindowsserver/definition/batch-file">batch file</a> (doing this removes the need to retype command sequences in order to repeat common tasks).</p> <p>The WMIC interactive mode can be invoked at a Terminal command prompt just like other commands. A user can invoke WMIC noninteractive mode by preceding the WMIC command with the utility's name. For example, Figure 1 shows a WMIC command at a command prompt in <a href="https://www.techtarget.com/searchwindowsserver/tip/What-admins-should-know-about-Microsoft-Windows-Terminal">Windows Terminal</a>. This command retrieves information about currently running processes that are named RuntimeBroker.exe.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_1-f.jpg 1280w" alt="Screenshot of a WMIC command." height="191" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>The WMIC command retrieves information about currently running processes that are named RuntimeBroker.exe. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The command begins with the wmic keyword -- the utility's name -- followed by the command body. The body starts with the alias process. Aliases play an integral role in the WMIC utility. They provide friendly names that abstract the more complex underlying logic needed to retrieve WMI information and carry out administrative tasks. In this case, the process alias is used to retrieve a list of specific <a href="https://www.techtarget.com/whatis/definition/process">processes</a>, as qualified by the WHERE option and its name value.</p> <p>The process alias and its WHERE option are then followed by the verb list, which is one of multiple verbs WMIC supports. A verb carries out some type of action. In this context, the list verb returns information about the specified processes. The verb is also accompanied by the brief option, which tells WMI to return only a subset of the available information about each process.</p> <p>When a user runs a WMIC command in noninteractive mode, they're returned to the command prompt after the command has completed. However, if they want to work interactively with WMIC, they should type <b>wmic</b> at the command prompt and press <b>Enter</b>. The command prompt changes to wmic:root\cli, as shown in Figure 2.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_2-f.jpg 1280w" alt="Screenshot of command prompt changes." height="204" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Once a user types wmic at the command prompt and presses Enter, the command prompt changes to wmic:root\cli. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Here's how to run WMIC in noninteractive mode:</p> <ol type="1" start="1" class="default-list"> <li>Open Command prompt.</li> <li>Here, type <b>WMIC</b>.</li> <li>Type the command, aliases or global switches WMIC should perform.</li> <li>Press <b>ENTER</b>.</li> </ol> <p>Another option for running WMIC is to invoke the utility directly in the Run dialog box. This method is available locally or through a .NET Server Terminal Services session. After the user opens the dialog box, they can type <b>wmic</b> in the text box and click <b>OK</b>. This launches a Terminal window with the WMIC command prompt active, where they can enter commands, as shown in Figure 3.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/sheldon_wmic_screenshot_3-f.jpg 1280w" alt="Screenshot of a Run dialog box." height="196" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Users can run WMIC by invoking the utility directly in the Run dialog box. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="WMIC commands list"> <h2 class="section-title"><i class="icon" data-icon="1"></i>WMIC commands list</h2> <p>Admins can choose from numerous WMIC commands to easily access and use WMI and the WMI namespace. Commonly used commands include the following:</p> <ul class="default-list"> <li><b>CLASS.</b> To escape from WMIC's default alias mode to directly access <i>classes</i> in the WMI schema.</li> <li><b>PATH.</b> To escape from WMIC's default alias mode to directly access <a href="https://www.techtarget.com/whatis/definition/instance"><i>instances</i></a> in the WMI schema.</li> <li><b>CONTEXT.</b> To display the current values of all global switches.</li> <li><b>QUIT.</b> To exit from WMIC.</li> <li><b>EXIT.</b> To exit from WMIC.</li> </ul> <p>In addition to commands, WMIC uses global switches, aliases, verbs and Command-line Help. Global switches are settings that apply to the entire WMIC session, aliases are the syntax intermediaries between users and the WMI namespace, and verbs are the specific actions a user wants WMI to take.</p> <p>Users can get help on individual WMIC elements by using the <a href="https://www.techtarget.com/whatis/post/CLI-commands-every-IT-pro-should-know">Command-line Help</a>. Specific characters must be typed at a WMIC command prompt to find specific information. For example, they can review a complete list of aliases and global switches by entering /? or -? at the command prompt, or get information about a specific alias by entering the alias name, followed by /? Similarly, &lt;command_name&gt; /? will show information about one command while &lt;alias_name&gt; /? will show information about one alias.</p> </section> <section class="section main-article-chapter" data-menu-title="Is WMIC still used?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Is WMIC still used?</h2> <p>Microsoft <a href="https://www.techtarget.com/whatis/definition/deprecated">deprecated</a> the WMIC utility beginning with versions 21H1 of <a href="https://www.techtarget.com/searchenterprisedesktop/definition/Windows-10">Windows 10</a> and the 21H1 semi-annual release of Windows Server. It has been superseded by Windows <a href="https://www.techtarget.com/searchwindowsserver/definition/PowerShell">PowerShell</a> for WMI. For that reason, administrators will want to invest their time in PowerShell for WMI. However, they might need to understand WMIC if working with legacy systems or WMIC scripts, in which case, having some knowledge of the utility could be useful.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/C6HdheMRyPw?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> <p>It's important to note that only the WMIC utility has been deprecated. WMI remains unchanged and can still be used to obtain management data about managed <a href="https://www.techtarget.com/whatis/definition/component">components</a> like systems, applications, networks and devices. Enterprise admins can also use Windows Management Infrastructure (MI), the next generation of WMI to remotely manage Windows computer systems.</p> <p><i>The Windows Command Prompt and PowerShell can perform similar tasks, but their methods might influence users to prefer one over the other. </i></p> </section> The Windows Management Instrumentation Command-line (WMIC) utility is a command-line interface (CLI) for working with Windows Management Instrumentation (WMI), a Web-Based Enterprise Management (WBEM) framework for accessing and managing information about Windows computers in enterprise environments. https://cdn.ttgtmedia.com/visuals/digdeeper/4.jpg https://www.techtarget.com/searchenterprisedesktop/definition/Windows-Management-Instrumentation-Command-line-WMIC Fri, 25 Apr 2025 12:11:00 GMT <p>Copying files between folders, drives and machines can be a waste of your time if you do it manually on a regular basis. A bit of PowerShell know-how automates this tedious process and even handles the most complex situations.</p> <p>Once you understand the parameters associated with the <span style="font-family: courier new, courier, monospace;">Copy-Item</span> command and how they work together, you can produce comprehensive scripts with more advanced <span style="font-family: courier new, courier, monospace;"><a href="https://www.techtarget.com/searchwindowsserver/definition/PowerShell">PowerShell</a></span> commands to copy files and directories.</p> <p>The examples in this article work on both Windows PowerShell and PowerShell 7.</p> <p>PowerShell has providers -- .NET programs that expose the data in a data store for viewing and manipulation -- and a set of <a href="https://www.techtarget.com/searchdatacenter/feature/Build-your-PowerShell-command-cheat-sheet-with-these-basics">generic cmdlets</a> that work across providers.</p> <p>These include the following cmdlets:</p> <ul class="default-list"> <li><span style="font-family: courier new, courier, monospace;">*-Item</span></li> <li><span style="font-family: courier new, courier, monospace;">*-ItemProperty</span></li> <li><span style="font-family: courier new, courier, monospace;">*-Content</span></li> <li><span style="font-family: courier new, courier, monospace;">*-Path</span></li> <li><span style="font-family: courier new, courier, monospace;">*-Location</span></li> </ul> <p>With a default installation of PowerShell or Windows PowerShell, you can use the <span style="font-family: courier new, courier, monospace;">Copy-Item</span> cmdlet to copy files, registry keys and variables. This is facilitated by the provider feature that enables interaction with different content types with the same command. Some modules include custom providers, such as the <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-users-with-key-PowerShell-Active-Directory-commands">AD module</a>, which enable you to use those generic cmdlets in the AD data they expose. Run the following command to see the PowerShell providers in your PowerShell session.</p> <pre class="language-powershell"><code>Get-PsProvider</code></pre> <p>For example, these are the providers available in the <a href="https://www.techtarget.com/searchwindowsserver/tip/Why-you-should-consider-an-upgrade-from-PowerShell-51-to-7">PowerShell 7 session</a> on my Windows 11 machine.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-1-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-1-f.jpg 1280w" alt="PowerShell providers" height="156" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use the Get-PsProvider cmdlet to list the available PowerShell providers in the current session. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <section class="section main-article-chapter" data-menu-title="How do you use the Copy-Item command?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How do you use the <span style="font-family: courier new, courier, monospace;">Copy-Item</span> command?</h2> <p>The simplest form of <span style="font-family: courier new, courier, monospace;">Copy-Item</span> involves a source path and a destination path. To use the FileSystem provider, specify the paths by starting with a drive letter and a colon on Windows or a forward slash on Linux.</p> <p>Using <span style="font-family: courier new, courier, monospace;">.\</span> or <span style="font-family: courier new, courier, monospace;">./</span> to represent the current directory infers the current path based on the current working directory, which doesn't have to be a FileSystem provider path. You can always check your current working directory with the <span style="font-family: courier new, courier, monospace;">Get-Location</span> command.</p> <p>The example in the following PowerShell command copies a single file located at the <span style="font-family: courier new, courier, monospace;">Path</span> parameter to the location specified in the <span style="font-family: courier new, courier, monospace;">Destination</span> parameter.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\source\path\file.txt -Destination D:\dest\path\text.txt</code></pre> <p>To use a shorter command, PowerShell offers several aliases for its major cmdlets. The following command shows the three aliases -- <span style="font-family: courier new, courier, monospace;">copy</span>, <span style="font-family: courier new, courier, monospace;">cp</span> and <span style="font-family: courier new, courier, monospace;">cpi</span> -- for the <span style="font-family: courier new, courier, monospace;">Copy-Item</span> cmdlet.<b><br></b></p> <pre class="language-powershell"><code>Get-Alias -Definition Copy-Item</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-2-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-2-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-2-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-2-f.jpg 1280w" alt="Get-Alias command" height="147" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The Get-Alias command shows how to find the aliases for a cmdlet. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>In <a href="https://www.techtarget.com/searchitoperations/tutorial/How-and-why-PowerShell-Linux-commands-differ-from-Windows">PowerShell on Linux</a>, the <span style="font-family: courier new, courier, monospace;">cp</span> alias does not exist since there is an existing Linux command called <span style="font-family: courier new, courier, monospace;">cp</span>.</p> </section> <section class="section main-article-chapter" data-menu-title="How can you use PowerShell commands to copy files?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How can you use PowerShell commands to copy files?</h2> <p>To show how the various <span style="font-family: courier new, courier, monospace;">Copy-Item</span> parameters work, create a test file with the following command.</p> <pre class="language-powershell"><code>Get-Process | Out-File -FilePath c:\test\p1.txt</code></pre> <p>Use this command to copy a file with the <span style="font-family: courier new, courier, monospace;">Destination</span> parameter. You do not specify a file name in the <span style="font-family: courier new, courier, monospace;">Destination</span> parameter. In this case, it uses the original file name of p1.txt.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\p1.txt -Destination C:\test2\</code></pre> <p>The <span style="font-family: courier new, courier, monospace;">Copy-Item</span> command does not display any message or confirmation when a copy operation is successful, which can be confusing for new users.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-3-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-3-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-3-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-3-f.jpg 1280w" alt="Copy-Item cmdlet" height="87" width="558"> <figcaption> <i class="icon pictures" data-icon="z"></i>The Copy-Item cmdlet does not show the results of the operation. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>To take advantage of both the command's alias and position parameters, specify the source and destination in order.</p> <pre class="language-powershell"><code>Copy C:\test\p1.txt C:\test2\</code></pre> <p>Alias use in saved scripts isn't considered best practice and should be avoided for the most part.</p> <p>To get feedback from <span style="font-family: courier new, courier, monospace;">Copy-Item</span>, use the <span style="font-family: courier new, courier, monospace;">PassThru</span> parameter. This feature returns objects for each of the items that were copied. It's a helpful tool to confirm the command performed properly.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\p1.txt -Destination C:\test2\ -PassThru</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-4-g.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-4-g_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-4-g_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-4-g.jpg 1280w" alt="PassThru parameter output" height="126" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The PassThru parameter output shows if the command ran as expected. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The other option to see the results from the <span style="font-family: courier new, courier, monospace;">Copy-Item</span> command is to use the <span style="font-family: courier new, courier, monospace;">Verbose</span> parameter.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\p1.txt -Destination C:\test2\ -Verbose</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-5-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-5-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-5-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-5-f.jpg 1280w" alt="Verbose parameter output" height="42" width="554"> <figcaption> <i class="icon pictures" data-icon="z"></i>The Verbose parameter provides detailed output when running a PowerShell command. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The <span style="font-family: courier new, courier, monospace;">Verbose</span> parameter displays information as the command executes, while the <span style="font-family: courier new, courier, monospace;">PassThru</span> parameter gives the resulting file object.</p> <p>By default, PowerShell overwrites the file if a file with the same name exists in the target folder. If the file in the target directory is set to read-only, you get an error.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\p1.txt -Destination C:\test2\</code></pre> <p></p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-6-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-6-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-6-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-6-f.jpg 1280w" alt="read-only error" height="86" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>The Copy-Item cmdlet returns an error if the file in the destination exists and is set to read-only. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>You need to be a PowerShell Jedi to avoid this error by using the <span style="font-family: courier new, courier, monospace;">Force</span> parameter.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\p1.txt -Destination C:\test2\ -Force</code></pre> <p>PowerShell can rename files as part of the copy process. For example, this code creates nine copies of the p1.txt file called p2.txt through p10.txt.</p> <pre class="language-powershell"><code>2..10 | Foreach-Object { &nbsp;$newname = "p$_.txt" &nbsp;Copy-Item -Path C:\test\p1.txt -Destination C:\test2\$newname Verbose }</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-7-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-7-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-7-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-7-f.jpg 1280w" alt="renaming files during copy process" height="209" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Using the Foreach-Object cmdlet with the Copy-Item cmdlet renames the file copies automatically. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>In this case, the <span style="font-family: courier new, courier, monospace;">..</span> operator creates an array of integers from two to 10. Then, for each of those integers, the code creates a file with the new name.</p> </section> <section class="section main-article-chapter" data-menu-title="How to use PowerShell commands to copy multiple files or folders"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to use PowerShell commands to copy multiple files or folders</h2> <p>There are a few techniques to copy multiple files or folders when using PowerShell.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\*.txt -Destination C:\test2\ Copy-Item -Path C:\test\* -Filter *.txt -Destination C:\test2\ Copy-Item -Path C:\test\* -Include *.txt -Destination C:\test2\</code></pre> <p>These commands copy all the .txt files from the test folder to the test2 folder, but the <span style="font-family: courier new, courier, monospace;">Include</span> parameter lets PowerShell be more selective. For example, this command only copies files with a 6 in the file name.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\* -Include *6*.txt -Destination C:\test2\ -PassThru</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-8-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-8-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-8-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-8-f.jpg 1280w" alt="Include parameter in PowerShell" height="147" width="558"> <figcaption> <i class="icon pictures" data-icon="z"></i>The Copy-Item cmdlet with the Include parameter specifies which files to copy. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p><span style="font-family: courier new, courier, monospace;">Copy-Item</span> has an <span style="font-family: courier new, courier, monospace;">Exclude</span> parameter to reject certain files from the copy operation. This PowerShell command only copies text files that start with the letter p unless there is a 7 in the name.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\* -Filter p*.txt -Exclude *7*.txt -Destination C:\test2\ -PassThru</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-9-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-9-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-9-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-9-f.jpg 1280w" alt="Exclude parameter in PowerShell" height="207" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Customize the PowerShell commands to copy files from a folder if they begin with a certain letter but ignore them if they contain a particular character. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="How to use the Path, Filter, Include and Exclude parameters"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to use the <span style="font-family: courier new, courier, monospace;">Path</span>, <span style="font-family: courier new, courier, monospace;">Filter</span>, <span style="font-family: courier new, courier, monospace;">Include</span> and <span style="font-family: courier new, courier, monospace;">Exclude</span> parameters</h2> <p>A combination of the <span style="font-family: courier new, courier, monospace;">Path</span>, <span style="font-family: courier new, courier, monospace;">Filter</span>, <span style="font-family: courier new, courier, monospace;">Include</span> or <span style="font-family: courier new, courier, monospace;">Exclude</span> parameters refines the copy process even further. However, if you use <span style="font-family: courier new, courier, monospace;">Include</span> and <span style="font-family: courier new, courier, monospace;">Exclude</span> in the same call, <span style="font-family: courier new, courier, monospace;">Exclude</span> is applied after the inclusions.</p> <p>For example, combine <span style="font-family: courier new, courier, monospace;">Path</span>, <span style="font-family: courier new, courier, monospace;">Filter</span>, <span style="font-family: courier new, courier, monospace;">Include</span> and <span style="font-family: courier new, courier, monospace;">Exclude</span>. In this example, the <span style="font-family: courier new, courier, monospace;">Path</span> parameter selects all files in C:\test, the <span style="font-family: courier new, courier, monospace;">Filter</span> parameter finds all files that start with the letter p, the <span style="font-family: courier new, courier, monospace;">Include</span> parameter specifies only .txt files from that selection and the <span style="font-family: courier new, courier, monospace;">Exclude</span> parameter eliminates files with 7 in the name.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\* -Filter p* -Include *.txt -Exclude *7* -Destination C:\test2\ -PassThru</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-10-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-10-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-10-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-10-f.jpg 1280w" alt="Include and Exclude parameters" height="203" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Use a combination of the Include and Exclude parameters to add more flexibility to the file copy process. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>You can also supply an array of file names. The path is simplified if your working folder is the source folder for the copy.</p> <pre class="language-powershell"><code>Copy-Item -Path p1.txt,p3.txt,p5.txt -Destination C:\test2\</code></pre> <p>The <span style="font-family: courier new, courier, monospace;">Path</span> parameter also accepts pipeline input. In the following example, PowerShell checks the p*.txt files in the C:\test folder to see if the second character is divisible by two. If so, PowerShell copies the file to the C:\test2 folder.</p> <pre class="language-powershell"><code>Get-ChildItem -Path C:\test\p*.txt | Where-Object {(($_.BaseName).Substring(1,1) % 2 ) -eq 0} | Copy-Item -Destination C:\test2\</code></pre> <p>If you end up with a folder or file name that contains wildcard characters -- *, [, ], ? -- use the <span style="font-family: courier new, courier, monospace;">LiteralPath</span> parameter instead of the <span style="font-family: courier new, courier, monospace;">Path</span> parameter. <span style="font-family: courier new, courier, monospace;">LiteralPath</span> does no interpretation of any wildcard characters and specifies the exact path to an item.</p> </section> <section class="section main-article-chapter" data-menu-title="How to test the Filter, Include and Exclude parameters"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to test the <span style="font-family: courier new, courier, monospace;">Filter</span>, <span style="font-family: courier new, courier, monospace;">Include</span> and <span style="font-family: courier new, courier, monospace;">Exclude</span> parameters</h2> <p>If you are using a complex combination of <span style="font-family: courier new, courier, monospace;">Filter</span>, <span style="font-family: courier new, courier, monospace;">Include</span> and <span style="font-family: courier new, courier, monospace;">Exclude</span>, it can be hard to predict what files PowerShell will copy. To test a <span style="font-family: courier new, courier, monospace;">Copy-File</span> command before executing it, append the <span style="font-family: courier new, courier, monospace;">WhatIf</span> parameter to any <span style="font-family: courier new, courier, monospace;">Copy-File</span> command. PowerShell outputs a description of the operation rather than executing the action.</p> <pre class="language-powershell"><code>Copy-Item -Path C:\test\* -Filter p* -Include *.txt -Exclude *7* -Destination C:\test2\ -PassThru -WhatIf</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-11-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-11-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-11-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-11-f.jpg 1280w" alt="WhatIf parameter" height="239" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The WhatIf parameter helps to troubleshoot a Copy-File command before executing it. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Another method to report on the files is to use <span style="font-family: courier new, courier, monospace;">Get-ChildItem</span>, which utilizes the same <span style="font-family: courier new, courier, monospace;">Path</span>, <span style="font-family: courier new, courier, monospace;">Filter</span>, <span style="font-family: courier new, courier, monospace;">Include</span> and <span style="font-family: courier new, courier, monospace;">Exclude</span> parameters. They function in the same way as with <span style="font-family: courier new, courier, monospace;">Copy-Item</span>. Take the same parameters, remove <span style="font-family: courier new, courier, monospace;">Destination</span> and apply them to <span style="font-family: courier new, courier, monospace;">Get-ChildItem</span>. The command outputs the list of files and folder objects that start with the letter p and have a .txt extension, and it removes any files that have 7 in the file name.</p> <pre class="language-powershell"><code>Get-ChildItem -Path C:\test\* -Filter p* -Include *.txt -Exclude *7*</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-12-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-12-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-12-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-12-f.jpg 1280w" alt="Get-ChildItem cmdlet" height="259" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>The Get-ChildItem lists files and directories and is another command that can show the results of a copy command before executing it. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Because the command returns the files in an array, you can then work with the file objects and generate a report on the files that would be copied, among other things.</p> </section> <section class="section main-article-chapter" data-menu-title="How to perform a recursive copy"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to perform a recursive copy</h2> <p>To copy a folder and its entire contents, use the <span style="font-family: courier new, courier, monospace;">Recurse</span> parameter.</p> <pre class="language-powershell"><code>Copy-Item -Path c:\test\ -Destination c:\test2\ -Recurse</code></pre> <p>A recursive copy works its way through all the subfolders below the C:\test folder. PowerShell then creates a folder named test in the destination folder and copies the contents of C:\test into it.</p> <p>When copying between machines, you can use <a href="https://www.techtarget.com/whatis/definition/Universal-Naming-Convention-UNC">Universal Naming Convention</a> paths to bypass the local machine.</p> <pre class="language-powershell"><code>Copy-Item -Path \\server1\fs1\test\p1.txt -Destination \\server2\arc\test\</code></pre> <p>Another option is to use PowerShell commands to copy files over a <a href="https://www.techtarget.com/searchwindowsserver/tutorial/PowerShell-7-remoting-expands-management-horizons">remoting session</a>. The following command prompts the user for the password to the Administrator account on the remote machine named W16ND01. The session object gets stored in the <span style="font-family: courier new, courier, monospace;">$s</span> variable, which can be used in ensuing commands to run operations on W16ND01.</p> <pre class="language-powershell"><code>$cred = Get-Credential -Credential W16ND01\Administrator $s = New-PSSession -VMName W16ND01 -Credential $cred</code></pre> <p>In this case, <a href="https://www.techtarget.com/searchwindowsserver/tutorial/How-PowerShell-Direct-helps-polish-off-those-VMs">use PowerShell Direct</a> to connect to the remote machine. You need the Hyper-V module loaded to create the remoting session over VMBus. Next, use the following PowerShell commands to copy files to the remote machine.</p> <pre class="language-powershell"><code>Copy-Item -Path c:\test\ -Destination c:\ -Recurse -ToSession $s</code></pre> <p>You can also copy files from the remote machine.</p> <pre class="language-powershell"><code>Copy-Item -Path c:\test\p*.txt -Destination c:\test3\ -FromSession $s</code></pre> <p>The <span style="font-family: courier new, courier, monospace;">ToSession</span> and <span style="font-family: courier new, courier, monospace;">FromSession</span> parameters control the direction of the copy and whether the source and destination are on the local machine or a remote one. Sending data to a remote machine uses <span style="font-family: courier new, courier, monospace;">ToSession</span>, and recieving files from a remote machine uses <span style="font-family: courier new, courier, monospace;">FromSession</span>.</p> <p>Unfortunately, <span style="font-family: courier new, courier, monospace;">ToSession</span> and <span style="font-family: courier new, courier, monospace;">FromSession</span> cannot be used in the same command, nor are relative paths supported. To copy something from your user account's home directory on one server to another while connecting to both servers via PowerShell remoting, get creative while specifying fully qualified paths.</p> <p>In the code in the following example, the remote file from server1 is copied locally and then copied to server2.</p> <pre class="language-powershell"><code>$server1 = New-PSSession -ComputerName server1.domain.com -Credential $cred $server2 = New-PSSession -ComputerName server2.domain.com -Credential $cred $path = 'C:\Users\user\Downloads\file.zip' Copy-Item -Path $path -Destination .\file.zip -FromSession $server1 Copy-Item -Path .\file.zip -Destination $path -ToSession $server2</code></pre> </section> <section class="section main-article-chapter" data-menu-title="How to track the progress of a copy command"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to track the progress of a copy command</h2> <p>A useful addition to <span style="font-family: courier new, courier, monospace;">Copy-Item</span> is the <a href="https://www.techtarget.com/searchwindowsserver/tip/How-admins-can-benefit-from-switching-to-PowerShell-74">introduction of a progress bar in PowerShell 7.4</a>. This feature shows a visual representation of the status of a running command and helps the user estimate how long until the operation completes. This is not supported in Windows PowerShell.</p> <p>The following PowerShell code copies files from the C:\PowerShell folder and its subfolders to the D:\PowerShell folder.</p> <pre class="language-powershell"><code>Copy-Item C:\PowerShell\ D:\PowerShell\ -Recurse</code></pre> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-13-f.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-13-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-13-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/ahowell-copyfiles-13-f.jpg 1280w" alt="PowerShell progress bar" height="35" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>PowerShell 7.4 introduced a progress bar that can show the status of an ongoing copy command. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The output shows the overall progress of the copy operation in terms of files copied, the total size of data transferred and the current data transfer rate.</p> <p>PowerShell also introduced a <span style="font-family: courier new, courier, monospace;">ProgressAction</span> common parameter that can disable the progress bar if speed is of the essence.</p> <pre class="language-powershell"><code>Copy-Item C:\PowerShell\ D:\PowerShell\ -Recurse -ProgressAction SilentlyContinue</code></pre> </section> <section class="section main-article-chapter" data-menu-title="How to copy files to multiple machines"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to copy files to multiple machines</h2> <p>There are times when a file, such as a configuration file, needs to be copied to multiple remote servers or clients. This is easy enough to do if the machines have PowerShell remoting enabled.</p> <p>First, import the list of computer names. In this example, assume that there is a list of names in a text file, but this could come from an AD query or another source.</p> <pre class="language-powershell"><code>$remoteTargets = Get-Content .\names.txt</code></pre> <p>Next, store the credentials in a variable.</p> <pre class="language-powershell"><code>$cred = Get-Credential</code></pre> <p>Next, use a <span style="font-family: courier new, courier, monospace;">Foreach-Object</span> loop to take advantage of multithreading in PowerShell 7 with the <span style="font-family: courier new, courier, monospace;">Parallel</span> parameter to create a session object, copy the file -- a config.json file -- to the device and close the session.</p> <pre class="language-powershell"><code>$remoteTargets | Foreach-Object -Parallel { &nbsp;&nbsp;&nbsp; $session = New-PSSession -ComputerName $_ -Credential $using:cred &nbsp;&nbsp; Copy-Item -Path .\config.json -Destination C:\ProgramData\app\config.json -ToSession $session Remove-PsSession $session }</code></pre> <p>Note how the code uses the <span style="font-family: courier new, courier, monospace;">$using:</span> syntax to pass the <span style="font-family: courier new, courier, monospace;">$cred</span> variable into the <span style="font-family: courier new, courier, monospace;">Foreach-Object</span> scriptblock.</p> </section> <section class="section main-article-chapter" data-menu-title="How to create backups of a file"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to create backups of a file</h2> <p><span style="font-family: courier new, courier, monospace;">Copy-Item</span> is also useful to create backups for items such as configuration files or frequently modified files in a file share. This example places each backup in a dated folder to provide multiple copies.</p> <p>First, define the date string. The frequency of the backup dictates the format. For example, a daily backup has a date string that only includes the year, month and day or YYYYMMDD format. This is also called the <a href="https://www.techtarget.com/whatis/definition/ISO-date-format">ISO 8601 format</a> for dates and is recommended due to its relative ease to sort.</p> <p>For a simple daily backup, generate the date string with the following PowerShell code.</p> <pre class="language-powershell"><code>$dateStr = Get-Date -Format FileDate</code></pre> <p>This returns a string of the current date as a four-digit year, two-digit month and two-digit day.</p> <p>Next, define the file paths, and create the new directory if needed.</p> <pre class="language-powershell"><code>$source = "C:\ProgramData\app\config.json" $dest = "D:\Backups\app\$dateStr" if (-not (Test-Path $dest -PathType Container)) { &nbsp;&nbsp;&nbsp;&nbsp;New-Item -ItemType "directory" -Path $dest }</code></pre> <p>Lastly, copy the file.</p> <pre class="language-powershell"><code>Copy-Item -Path $source -Destination $dest</code></pre> <p>To get the most out of a backup script, schedule it with the Task Scheduler on Windows or as a cron job on Linux.</p> </section> <section class="section main-article-chapter" data-menu-title="Use advanced PowerShell techniques to check for errors and resume a copy"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Use advanced PowerShell techniques to check for errors and resume a copy</h2> <p>The <span style="font-family: courier new, courier, monospace;">Copy-Item</span> cmdlet lacks error checking or restart capabilities. For those features, you need to write the code.</p> <p>The following script tests the source file path, calculates the file hash, checks for the file's existence and verifies the integrity of the copied file using a hash comparison. The file copy process occurs within a <a href="https://www.techtarget.com/searchwindowsserver/tip/PowerShell-7-features-admins-should-examine">try/catch block</a> used for exception handling. If an error occurs, a "File copy failed" message is output.</p> <pre class="language-powershell"><code>function Copy-FileSafer { &nbsp;[CmdletBinding()] &nbsp;param ( &nbsp; &nbsp;[string]$path, &nbsp; &nbsp;[string]$destinationfolder &nbsp;) &nbsp;if (-not (Test-Path -Path $path)) { &nbsp; &nbsp;throw "File not found: $path" &nbsp;} &nbsp;$sourcefile = Split-Path -Path $path -Leaf &nbsp;$destinationfile = Join-Path -Path $destinationfolder -ChildPath $sourcefile &nbsp;$b4hash = Get-FileHash -Path $path &nbsp;try { &nbsp;&nbsp; &nbsp;Copy-Item -Path $path -Destination $destinationfolder -ErrorAction Stop &nbsp;} &nbsp;catch { &nbsp; &nbsp;throw "File copy failed" &nbsp;} &nbsp;finally { &nbsp; &nbsp;$afhash = Get-FileHash -Path $destinationfile &nbsp; &nbsp;if ($afhash.Hash -ne $b4hash.Hash) { &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;throw "File corrupted during copy" &nbsp; &nbsp;} &nbsp; &nbsp;else { &nbsp;&nbsp;&nbsp; &nbsp;Write-Information -MessageData "File copied successfully" -InformationAction Continue &nbsp; &nbsp;} &nbsp;} }</code></pre> <p>With additional coding, the script can recursively retry several times. After each copy attempt, the script can <a target="_blank" href="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.5&amp;viewFallbackFrom=powershell-7.1" rel="noopener">calculate</a> the hash of the file and compare it to the original. If they match, all is well. If not, an error is reported.</p> <p><i>Anthony Howell is an IT strategist with extensive experience in infrastructure and automation technologies. His expertise includes PowerShell, DevOps, cloud computing, and working in both Windows and Linux environments.</i></p> </section> Take a closer look at these Copy-Item coding examples to build advanced PowerShell scripts that copy files with safety measures to ensure the duplicates reach their destinations. https://cdn.ttgtmedia.com/rms/onlineimages/folder-files13.jpg https://www.techtarget.com/searchwindowsserver/tip/PowerShell-commands-to-copy-files-Basic-to-advanced-methods Tue, 15 Apr 2025 09:00:00 GMT <p>Active Directory (AD) is Microsoft's proprietary directory service that enables network admins to manage users, permissions and their access to networking resources. It runs on <a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Windows-Server-OS-operating-system">Windows Server</a> and stores information about <a href="https://www.techtarget.com/searchapparchitecture/definition/object">objects</a>, such as shared network resources, on a corporate network in a logical, hierarchical format. This enables administrators to manage those resources, as well as the users who need to access those resources to get their work done.</p> <p>A <a href="https://www.techtarget.com/searchwindowsserver/definition/domain-controller">domain controller</a> is needed to run the AD service. A <a href="https://www.techtarget.com/whatis/definition/domain">domain</a> controller is a server running a version of the Windows Server operating system that has Active Directory Domain Services (<a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Active-Directory-Domain-Services-AD-DS">AD DS</a>) installed. By installing AD DS, admins can configure a specific server role for a computer, such as the role of a domain controller.</p> <section class="section main-article-chapter" data-menu-title="What is the role of Active Directory and what is it used for?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the role of Active Directory and what is it used for?</h2> <p>Active Directory stores data about all the objects on a network. An object is a single element, such as a user, group, application or shared device, such as a server or printer. Objects are normally defined as either resources, such as printers or computers, or security principals, such as users or groups.</p> <p>Active Directory uses a set of rules known as the <i><a href="https://www.techtarget.com/searchdatamanagement/definition/schema">schema</a></i> to define object classes and their attributes. The schema also determines the format of each object's name. AD also includes a global catalog that contains information about all the objects. The schema and global catalog make it easy for network admins to identify and manage objects. Also, by storing relevant information about user accounts on a network, such as their names and passwords, AD enables other authorized users and admins on that network to access this information.</p> <p>AD also enables admins, users and applications to publish and find objects and the objects' properties. They can do this via AD's <a href="https://www.techtarget.com/searchdatamanagement/definition/query">query</a> and index mechanism. Additionally, AD provides a <a href="https://www.techtarget.com/searchdisasterrecovery/definition/data-replication">replication</a> service that has two roles. It ensures that all domain controllers in a network contain a complete copy of all directory information for their domain, and it ensures that any change to the data in the directory is replicated to all domain controllers in the domain. By maintaining replicas of directory data on all domain controllers, the replication service ensures the directory's availability and also optimizes its performance for all users.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/windows_server-active_directory-h.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/windows_server-active_directory-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/windows_server-active_directory-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/windows_server-active_directory-h.png 1280w" alt="what are the services in Active Directory graphic" height="304" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>Microsoft Active Directory provides a variety of services to manage network security and control access to applications and other resources. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="What is Active Directory Domain Services?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is Active Directory Domain Services?</h2> <p>In older versions of Windows Server -- Windows 2000 Server and Windows Server 2003 -- the directory service was named Active Directory. However, from Windows Server 2008 R2 and Windows Server 2008 onward, Microsoft changed the name of the directory service to Active Directory Domain Services.</p> <p>AD DS stores directory information, including information about user accounts. It does this using a <a href="https://www.techtarget.com/whatis/definition/structured-data">structured data</a> store known as the <i>directory</i>. This directory enables the directory information to be organized in a logical and hierarchical format. AD DS also makes directory data available to authorized network users and administrators, allowing them to access it as required.</p> <p>As with AD, AD DS includes a replication system that automatically builds and updates the global catalog server, which is a domain controller. This catalog stores a full, writable replica of all objects and their attributes in a domain, as well as partial, <a href="https://www.techtarget.com/searchwindowsserver/definition/Read-only">read-only</a> replicas of all the other domains in the <a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory-forest-AD-forest">forest</a>. Such attribute replication makes it easy for users and admins to search for objects in AD DS.</p> <p>AD DS provides security through built-in sign-in <a href="https://www.techtarget.com/searchsecurity/definition/authentication">authentication</a> and <a href="https://www.techtarget.com/searchsecurity/definition/access-control">access control</a> mechanisms. These mechanisms allow authorized users to access network resources and enable admins to easily manage directory data and organization throughout the network using a single network username and password.</p> <p>To further support network admins, AD DS provides policy-based administration. This enables admins to easily manage even complex networks.</p> </section> <section class="section main-article-chapter" data-menu-title="Active Directory modes, protocols and services"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Active Directory modes, protocols and services</h2> <p>Several different services constitute Active Directory. The main service is Domain Services, but Active Directory also has the following other services:</p> <ul class="default-list"> <li><strong>Active Directory Lightweight Directory Services (AD LDS)</strong> is an independent mode of AD, meaning it operates independently of AD domains or forests and can be installed without affecting AD. It provides directory services for applications, including a data store, and uses standard application programming interfaces (<a href="https://www.techtarget.com/searchapparchitecture/definition/application-program-interface-API">APIs</a>) to access application data. However, it doesn't include AD's infrastructure features.</li> <li><strong>Lightweight Directory Access Protocol (<a href="https://www.techtarget.com/searchmobilecomputing/definition/LDAP">LDAP</a>)</strong> is a directory service protocol used to access and maintain directories over a network. Based on a <a href="https://www.techtarget.com/searchnetworking/definition/client-server">client-server</a> model, LDAP runs on a layer above the <a href="https://www.techtarget.com/searchnetworking/definition/TCP-IP">TCP/IP</a> stack. LDAP cannot be used to create directories or to specify how a directory service should operate. Its main function is to help with directory management.</li> <li><strong>Active Directory Certificate Services (AD CS)</strong> is used to generate, manage and share <a href="https://www.techtarget.com/searchsecurity/definition/PKI">public key infrastructure</a> certificates. A certificate uses encryption to enable a user to exchange information over the internet securely with a <a href="https://www.techtarget.com/searchsecurity/definition/public-key">public key</a>. These certificates provide confidentiality through encryption; authenticate computers, users and device accounts on a network; and help to maintain the integrity of digital documents through <a href="https://www.techtarget.com/searchsecurity/definition/digital-signature">digital signatures</a>.</li> <li><strong>Active Directory Federation Services (<a href="https://www.techtarget.com/searchmobilecomputing/definition/Active-Directory-Federation-Services-AD-Federation-Services">AD FS</a>)</strong> authenticates user access to multiple applications -- even on different networks -- using single sign-on (<a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on">SSO</a>). As the name indicates, SSO only requires the user to sign on once rather than use multiple dedicated authentication keys for each service. By allowing the secure sharing of digital identity and entitlements rights across security and enterprise boundaries, AD FS helps to streamline user experiences as they access internet-facing applications.</li> <li><strong>Active Directory Rights Management Services (AD RMS)</strong> enables organizations to protect their documents using information rights management (<a href="https://www.techtarget.com/searchcontentmanagement/definition/information-rights-management-IRM">IRM</a>). With AD RMS, they can create IRM policies to specify who can access sensitive information, thus preventing its use or misuse by unauthorized people.</li> </ul> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/SK8Yw-CiRHk?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> </section> <section class="section main-article-chapter" data-menu-title="Key features of AD and AD DS logical model"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key features of AD and AD DS logical model</h2> <p>Active Directory Domain Services uses a logical model consisting of forests, domains and organizational units (<a href="https://www.techtarget.com/searchwindowsserver/definition/organizational-unit-OU">OUs</a>). This model is important because it provides a way to do the following:</p> <ul class="default-list"> <li>Store and manage information about network resources.</li> <li>Store and manage application-specific data from directory-enabled applications.</li> <li>Enable administrators to organize users, computers, devices and other elements of a network into a hierarchical containment structure.</li> </ul> <p>Different objects, such as users and devices that share the same database, are on the same domain. A <a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory-tree-AD-tree">tree</a> is one or more domains grouped together with hierarchical trust relationships. A forest is a group of multiple trees. Forests provide security boundaries, while domains -- which share a common database -- can be managed for settings such as authentication and encryption. These different elements have the following functions:</p> <ul class="default-list"> <li>A <b>forest </b>is the top-level container in AD DS. It refers to a group of one or more AD domains. It provides a common logical structure for those domains and automatically links them with two-way, transitive trust relationships. These relationships enable AD DS to provide security across multiple domains or forests. They also enable domains to extend authentication services to users in domains outside their own forest.</li> <li>A <b>domain </b>is a container or partition within a forest. It provides network-wide user identity, so user identities need to be created only once. Once that is done, they can be referenced on any computer joined to the forest in which that domain is located. Domains use one or more domain controllers to store user accounts and user credentials, provide authentication services for users and control access to network resources. A domain controller for a particular domain has a copy of the directory for the entire domain in which it is located.</li> <li>An <b>OU</b> is the smallest element of the AD DS logical model. OUs form a hierarchy of containers within a domain. Admins typically use OUs to simplify administrative tasks, such as the application of <a href="https://www.techtarget.com/searchwindowsserver/definition/Group-Policy">Group Policies</a>. OUs are also useful for the delegation of authority, which allows owners to transfer administrative control -- full or limited -- over objects to other users or groups in order to simplify the management of those objects.</li> </ul> <p>The domain-forest-OU model of AD DS applies regardless of the <a href="https://www.techtarget.com/searchnetworking/definition/network-topology">network topology</a> and the number of domain controllers required within each domain.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/windowsserver-domain_forest_configuration-f.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/windowsserver-domain_forest_configuration-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/windowsserver-domain_forest_configuration-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/windowsserver-domain_forest_configuration-f.png 1280w" alt="domain forest configuration diagram" height="358" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Microsoft uses a tree and forest arrangement to create hierarchies with Active Directory to manage network assets and user access to network resources. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Key features of AD and Active Directory Domain Services"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key features of AD and Active Directory Domain Services</h2> <p>One of the main features of AD and AD DS is that they use a structured and hierarchical data store to logically organize and publish directory information, i.e., information about the objects stored in the AD DS directory. These objects may include the following:</p> <ul class="default-list"> <li>Users.</li> <li>Groups.</li> <li>Computers.</li> <li>Domains.</li> <li>OUs.</li> <li>Security policies.</li> </ul> <p>A standardized schema is used to define object classes, attributes and names, as well as the constraints and limits on instances of these objects. The default schema in AD is modeled after the International Organization for Standardization <a href="https://www.techtarget.com/searchsecurity/definition/X509-certificate">X.500</a> series of standards for directory services. It is also extensible, meaning classes and attributes can be added to it and modified as needed. The AD schema is stored in the schema directory partition and replicated to all domain controllers in a forest.</p> <p>Another important feature of AD is that it uses four directory partition types to store and copy different types of data in the Ntds.dit file on a domain's domain controller. Users and administrators can access this information throughout a domain. A directory partition typically contains data about a domain, configuration, schema and applications.</p> <p>AD and AD DS feature a query and index mechanism. This mechanism enables network users or applications to find objects and their properties stored in AD. Finally, AD's replication service distributes directory data across a network. AD includes Knowledge Consistency Checker, which automatically creates replication connections from a source domain controller to a destination domain controller and generates the replication topology for the AD forest.</p> </section> <section class="section main-article-chapter" data-menu-title="Trusting terminology"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Trusting terminology</h2> <p>Active Directory relies on <a href="https://www.techtarget.com/searchwindowsserver/tip/Best-Practices-for-Active-Directory-Forest-Trusts">trusts</a> to facilitate authentication and to provide security across multiple domains or forests. These trust relationships apply to both domains and forests in AD. AD trusts work properly only if every resource has a direct trust path to a domain controller in the domain in which it is located. Also, to enable facilitation, Windows checks if a domain being requested by a user or computer already has a trust relationship with the requesting account's domain.</p> <p>The most important trust-related terms used in AD include the following:</p> <ul class="default-list"> <li>A <b>one-way trust</b> is when a first domain (Domain A) allows access privileges to users on a second domain (Domain B). However, Domain B does not allow users access to Domain A. Simply put, it is a unidirectional authentication path between Domains A and B.</li> <li>A <b>two-way trust</b> is when two domains trust each other. Thus, authentication requests can be passed between these domains, meaning each domain enables access to users of the other domain.</li> <li>A <b>trusted domain </b>is a single domain that enables user access to another domain, which is called the <i>trusting domain</i>. Forests used trusted domain objects to store all of the trusted namespaces, such as domain tree names, <a href="https://www.techtarget.com/whatis/definition/User-Principal-Name-UPN">user principal name</a> suffixes, service principal name suffixes and <a href="https://www.techtarget.com/searchsecurity/definition/security-identifier">security identifier</a> namespaces used in partner forests.</li> <li>A <b>transitive trust</b> can extend beyond two domains and allow access to other trusted domains within a forest. In AD, a two-way, transitive trust relationship is automatically established between new domains and parent domains in a forest.</li> <li>A <b>nontransitive trust</b> is a one-way trust that is limited to two domains. It is typically used to deny trust relationships with other domains.</li> <li>A <b>forest trust</b> provides seamless authentication and authorization across multiple AD forests, thus enabling access to resources and other objects in those forests. It can be one-way or two-way transitive.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="History and development of Active Directory"> <h2 class="section-title"><i class="icon" data-icon="1"></i>History and development of Active Directory</h2> <p>Microsoft offered a preview of Active Directory in 1999 and released it a year later with Windows 2000 Server. Microsoft continued to develop new features with each successive Windows Server release.</p> <p>Windows Server 2003 included a notable update to add forests and the ability to edit and change the position of domains within forests. Domains on Windows 2000 Server could not support newer AD updates running in Server 2003.</p> <p>Windows Server 2008 introduced AD FS. Additionally, Microsoft rebranded the directory for domain management as AD DS, and AD became an umbrella term for the directory-based services it supported. AD DS is available in all the latest versions of Windows Server, including Windows Server 2016, Windows Server 2019, Windows Server 2022 and Windows Server 2025.</p> <p>Windows Server 2016 updated AD DS to improve AD security and migrate AD environments to cloud or <a href="https://www.techtarget.com/searchcloudcomputing/definition/hybrid-cloud">hybrid cloud</a> environments. Security updates included the addition of privileged access management. <a href="https://www.techtarget.com/searchsecurity/definition/privileged-access-management-PAM">PAM</a> monitors access to an object, the type of access granted and what actions the user takes. PAM adds bastion AD forests to provide an additional secure and isolated forest environment. Windows Server 2016 ended support for devices on Windows Server 2003.</p> <p>In December 2016, Microsoft released Azure AD Connect, now called Microsoft Entra Connect, to join an on-premises Active Directory system with <a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Windows-Azure-Active-Directory-Windows-Azure-AD">Azure AD</a>, now called Microsoft Entra ID. Through this integration, organizations could connect all the identities and access controls on their local networks with Microsoft's cloud services, such as <a href="https://www.techtarget.com/searchenterprisedesktop/definition/Microsoft-Office-365-suite">Office 365</a>, and enable user-friendly SSO for those services. Azure AD Connect worked with systems running Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019. All 1.x versions of Azure AD Connect were retired on Aug. 31, 2022.</p> </section> <section class="section main-article-chapter" data-menu-title="Domains vs. workgroups"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Domains vs. workgroups</h2> <p>A <i>workgroup</i> is Microsoft's term for Windows machines connected over a <a href="https://www.techtarget.com/searchwindowsserver/definition/peer-to-peer-network-P2P-network">peer-to-peer (P2P) network</a>. Workgroups are another unit of organization for Windows computers in networks. Workgroups enable these machines to share files, internet access, printers and other resources over the network. P2P networking removes the need for a server for authentication. There are several differences between domains and workgroups:</p> <ul class="default-list"> <li>Domains, unlike workgroups, can host computers from different local networks.</li> <li>Domains can be used to host many more computers than workgroups. Domains can include thousands of computers; workgroups typically have an upper limit of close to 20.</li> <li>In domains, at least one server is a computer, which is used to control permissions and security features for every computer within the domain. In workgroups, there is no server, and computers are all peers.</li> <li>Domain users typically require security identifiers, such as logins and passwords, unlike workgroups.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Main competitors to Active Directory"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Main competitors to Active Directory</h2> <p>Other directory services on the market that provide similar functionality to AD include the following:</p> <ul class="default-list"> <li><b>Red Hat Directory Server</b> is an LDAP-based directory that manages user access to multiple systems in <a href="https://www.techtarget.com/searchdatacenter/definition/Unix">Unix</a> environments. It provides a network-based registry to centralize identity information and includes user ID- and certificate-based authentication to restrict access to data in the directory. In addition, it provides centralized, fine-grained access control over the directory and enhanced data protection, even if the number of systems and users increases.</li> <li><b>Apache Directory</b> is an <a href="https://www.techtarget.com/whatis/definition/open-source">open source</a> project that runs on <a href="https://www.theserverside.com/definition/Java">Java</a> and operates on any LDAP server, including systems on Windows, <a href="https://www.techtarget.com/whatis/definition/Mac-OS">macOS</a> and <a href="https://www.techtarget.com/searchdatacenter/definition/Linux-operating-system">Linux</a>. It provides an LDAP v3-compliant directory server and an <a href="https://www.techtarget.com/searchapparchitecture/definition/Eclipse-Eclipse-Foundation">Eclipse</a>-based directory tool called Apache Directory Studio. Additionally, the software includes an Apache Directory LDAP API that provides a convenient way to access all types of LDAP servers.</li> <li><b>OpenLDAP </b>is another open source alternative to AD. Specifically, it is an open source implementation of LDAP, with modules like a standalone LDAP load balancer <a href="https://www.techtarget.com/whatis/definition/daemon">daemon</a>; standalone LDAP daemon (server); and various libraries, tools and sample clients to implement LDAP.</li> </ul> <p><em>IT must carefully manage various Group Policies for desktops to ensure the correct policies are implemented. Learn when <a href="https://www.techtarget.com/searchenterprisedesktop/tip/When-does-AD-domain-joined-Group-Policy-override-local">AD domain-joined Group Policy overrides local</a>. </em></p> </section> Active Directory (AD) is Microsoft's proprietary directory service that enables network admins to manage users, permissions and their access to networking resources. https://cdn.ttgtmedia.com/visuals/digdeeper/4.jpg https://www.techtarget.com/searchwindowsserver/definition/Active-Directory Fri, 11 Apr 2025 09:00:00 GMT <p>Microsoft released Windows Server 2025 in November 2024, introducing various new features. Before planning an upgrade to Windows Server 2025, it's worth examining how this version differs from previous releases.</p> <p>Windows Server 2025 arrived with plenty of updates to appeal to enterprises, including <a href="https://www.techtarget.com/searchwindowsserver/tip/See-whats-coming-in-Windows-Server-2025">enhanced AD functionality, hot patching and improvements in security</a>. Before switching from an older Windows Server, admins should start with a look at the various editions to find the best fit. It's also important to see what's been removed and what might not make it to the next version so you can plan accordingly.</p> <section class="section main-article-chapter" data-menu-title="Compare the Windows Server 2025 editions"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Compare the Windows Server 2025 editions</h2> <p>Microsoft offers several editions of Windows Server 2025, including Essentials, Standard, Datacenter and Datacenter Azure.</p> <p>Smaller organizations with limited IT needs might find Windows Server Essentials the right choice for their workloads. Licenses are not available directly from Microsoft and can only be purchased from a hardware OEM, preinstalled on server hardware. Windows Server Essentials is only available on servers with a single CPU with less than 10 cores.</p> <p>The Standard and Datacenter editions are similar with a few key differences. The main one is the Standard edition only licenses Hyper-V for up to two VMs. There is no limit for the Datacenter edition. Likewise, the Standard edition supports the <a href="https://www.techtarget.com/searchwindowsserver/feature/4-Windows-Server-2019-storage-features-to-ease-management">disaster recovery feature Storage Replica</a> but only allows a single partnership and one resource group. A partnership executes replication between two servers or clusters. There is also a volume size limit of 2 TB. The Datacenter edition does not have these limits.</p> <p>Microsoft said it optimized the Windows Server Datacenter Azure edition for use on its cloud platform. Unlike the Standard and Enterprise editions, the Azure edition does not run on physical hardware and can only be installed in a VM. The main difference between Datacenter and Datacenter Azure is the delivery of product updates. The Windows Server Standard and Datacenter editions receive updated features as a part of new releases, which happen every couple of years. In contrast, the Windows Server Datacenter Azure edition gets <a href="https://www.techtarget.com/searchwindowsserver/tip/New-Active-Directory-features-coming-in-Windows-Server-2025">new features through Windows Update</a> annually. Microsoft offers two "major updates" for the Azure edition in the first three years.</p> </section> <section class="section main-article-chapter" data-menu-title="Understand the Windows Server 2025 hardware requirements"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Understand the Windows Server 2025 hardware requirements</h2> <p>Windows Server 2025 requires a 64-bit CPU running at 1.4 GHz at minimum. The CPU must support the following instructions: NX, DEP, CMPXCHG16b, LAHF/SAHF, PrefetchW, Second Level Address Translation (EPT or NPT), POPCNT and SSE4.2. Windows Server 2025 allows for up to 2,048 logical processors.</p> <p>The minimum memory requirement for Windows Server 2025 is 512 MB. However, at least 2 GB of RAM is required to use Desktop Experience, although Microsoft recommends at least 4 GB. If you are installing Windows Server 2025 onto a physical host, then it needs error correction code RAM.</p> <p>Windows Server 2025 supports up to 4 petabytes of RAM on servers with five-level paging; with four-level paging, the limit is 256 TB. <a href="https://www.techtarget.com/searchwindowsserver/feature/Will-Windows-Server-2025-release-spark-VMware-migrations">Organizations using servers with newer Intel processors benefit</a> from the five-level paging to maximize the amount of RAM for more demanding workloads.</p> <p>Windows Server 2025 can be installed on a system with 32 GB of storage, but Microsoft stresses that this is an absolute minimum. If the machine has 16 GB or more of RAM, then the system will use additional storage space to accommodate paging, hibernation and memory dumps. Microsoft recommends 64 GB or more storage space for best performance, particularly when running Desktop Experience.</p> <p>Microsoft said improved support for non-volatile memory express (NVMe) storage in Windows Server 2025 delivers up to 90% more IOPS. Hyper-V VMs can also be hosted on <a href="https://www.techtarget.com/searchstorage/definition/NVMe-over-Fabrics-Nonvolatile-Memory-Express-over-Fabrics">NVMe over Fabrics</a> storage.</p> <p>The minimum networking requirements for Windows Server 2025 include a Gigabit Ethernet adapter that is PCIe-compliant.</p> </section> <section class="section main-article-chapter" data-menu-title="Deprecated features in Windows Server 2025"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Deprecated features in Windows Server 2025</h2> <p>There are a number of features that Microsoft has deprecated in Windows Server 2025. Deprecated does not mean unavailable or unsupported -- just that these features are on notice, will not receive any further enhancements and will likely be removed in the next Windows Server version. Workloads that depend on one or more <a href="https://www.techtarget.com/searchwindowsserver/news/366619234/Microsoft-plugs-two-zero-days-for-February-Patch-Tuesday">deprecated features</a> can run on Windows Server 2025, but customers should look for alternatives to avoid upgrade issues with the next Windows Server release.</p> <p>The deprecated features include the following:</p> <ul class="default-list"> <li>Computer Browser.</li> <li>Failover Clustering Cluster Sets.</li> <li>L2TP and PPTP (in the Routing and Remote Access Services).</li> <li>Network Load Balancing.</li> <li>NTLM.</li> <li>TLS 1.0 and 1.1.</li> <li>WebDAV Redirector service.</li> <li>Windows Internal Database.</li> <li><a href="https://www.techtarget.com/searchenterprisedesktop/definition/Windows-Management-Instrumentation-Command-line-WMIC">Windows Management Instrumentation Command-line</a>.</li> <li>VBScript.</li> <li>Windows Server Update Services.</li> </ul> <p>Microsoft removed several features in Windows Server 2025, including the following:</p> <ul class="default-list"> <li>IIS 6 Management Console.</li> <li>NTLMv1.</li> <li>Wordpad.</li> <li>SMTP Server.</li> <li>Windows PowerShell 2.0 Engine.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Windows Server 2025 migration planning"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Windows Server 2025 migration planning</h2> <p>Migrating to a new Windows Server OS is not a task to be taken lightly. Even so, migrations are often worthwhile if the organization wants to take advantage of new features and support for the latest hardware.</p> <p>Before an organization can <a href="https://www.techtarget.com/searchwindowsserver/tip/Plan-your-domain-controller-migration-to-Windows-Server-2025">migrate to Windows Server 2025</a>, it must verify that its existing hardware meets the minimum requirements. It is also worth considering the type of migration that is required.</p> <p>If you are running Windows Server 2012 R2 or higher, then you can perform an in-place upgrade to Windows Server 2025. Customers who move to Windows Server 2025 are able to use Windows Update to upgrade to future Windows Server versions. Older server versions must first upgrade to at least Windows Server 2012 R2 to then upgrade to Server 2025.</p> <p>It is extremely important to test the migration in a lab environment prior to attempting to migrate a production server. Testing should not only ensure that the migration process works, but also verify that workloads and applications continue to function properly on Windows Server 2025.</p> <p>When you are ready to move forward with the migration, you should perform a full <a target="_blank" href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj614621(v=ws.11)" rel="noopener">backup</a> of the servers. That way, you have a way to roll back if serious problems occur. It's also a good idea to test your backup to make sure that it functions as intended before you begin the migration.</p> <p><i>Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.</i></p> </section> See what's been gained -- and lost -- in Microsoft's latest version of its server OS before you plan a migration from your existing workloads. https://cdn.ttgtmedia.com/rms/onlineimages/storage_g1197646065.jpg https://www.techtarget.com/searchwindowsserver/tip/Learn-how-the-Windows-Server-2025-editions-differ Tue, 18 Mar 2025 15:49:00 GMT <p>The Server Message Block (SMB) protocol is a <a href="https://www.techtarget.com/searchwindowsserver/definition/client-server-network">client-server</a> communication <a href="https://www.techtarget.com/searchnetworking/definition/protocol">protocol</a> used for sharing access to files, printers, serial ports and other resources on a <a href="https://www.techtarget.com/searchnetworking/definition/network">network</a>. It can also carry transaction protocols for interprocess communication.</p> <p>A group at IBM developed the SMB protocol in the 1980s. The protocol has since spawned multiple variants, also known as <i>dialects</i>, to meet evolving network requirements over the years. Throughout that time, SMB has been widely implemented and continues to be one of the most popular solutions for <a href="https://www.techtarget.com/searchmobilecomputing/definition/file-sharing">file sharing</a> in the workplace.</p> <section class="section main-article-chapter" data-menu-title="What is the Server Message Block protocol used for?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the Server Message Block protocol used for?</h2> <p>The SMB protocol is mainly used to facilitate shared access to the resources on a network. These may be printers, serial ports, files, directories, etc. SMB also provides client applications with a secure and controlled method for opening, reading, moving, creating and updating files on remote servers. The protocol can also communicate with server programs configured to receive SMB client requests.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/networking-smb.jpg"> <img data-src="https://www.techtarget.com/rms/onlineImages/networking-smb_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/networking-smb_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/networking-smb.jpg 1280w" alt="Infographic of how the SMB response-request protocol works." height="285" width="520"> <figcaption> <i class="icon pictures" data-icon="z"></i>Server Message Block is known as a response-request protocol between client and server. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="How does the SMB protocol work?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How does the SMB protocol work?</h2> <p>Known as a <i>response-request protocol</i>, the SMB protocol is one of the most common methods used for network communications. In this model, a series of request-response messages are used to initiate and facilitate communication between devices on a computer network.</p> <p>The client sends an SMB request to the server to initiate the connection. When the server receives the request, it sends an SMB response back to the client, establishing the communication channel necessary for a two-way conversation. Once it is granted access, the client can access the required resource for reading, writing, executing and so on. Since the network server has a resource that it shares with one or more clients, the protocol is also known as a <i>server-client protocol</i>.</p> <p>The SMB protocol operates at the <a href="https://www.techtarget.com/searchnetworking/definition/Application-layer">application layer</a> but relies on lower network levels for transport. At one time, SMB ran on top of <a href="https://www.techtarget.com/searchnetworking/definition/NetBIOS">Network BIOS</a> over <a href="https://www.techtarget.com/searchnetworking/definition/TCP-IP">TCP/IP</a> or, to a lesser degree, legacy protocols, such as Internetwork Packet Exchange or NetBIOS Extended User Interface.</p> <p>When SMB was using NBT, it relied on <a href="https://www.techtarget.com/searchnetworking/definition/port">ports</a> 137, 138 and 139 for transport. Now, SMB runs directly over TCP/IP and uses port 445. Port 445 supports <a href="https://www.techtarget.com/searchsecurity/opinion/Understanding-the-importance-of-data-encryption">data encryption</a> and digital signing of SMB packets, providing a more secure means of communication than port 139. Communications with devices that do not support SMB directly over TCP/IP require the use of NetBIOS over the transport protocol.</p> </section> <section class="section main-article-chapter" data-menu-title="SMB protocol in Windows"> <h2 class="section-title"><i class="icon" data-icon="1"></i>SMB protocol in Windows</h2> <p>Over the years, SMB has been used primarily to connect Windows computers. Microsoft Windows operating systems (<a href="https://www.techtarget.com/whatis/definition/operating-system-OS">OSes</a>) since Windows 95 have included client and server SMB protocol support.</p> <p>Windows Server 2012 and up include the SMB 3.0 feature, enabling applications to do the following:</p> <ul class="default-list"> <li>Access and read resources, including files, at a remote server.</li> <li>Create and update files on the remote server.</li> <li>Communicate with server programs that can receive SMB client requests.</li> </ul> <p>The SMB 3.0 protocol can also be used to store <a href="https://www.techtarget.com/searchitoperations/definition/virtual-machine-VM">virtual machine</a> files -- by standalone file servers and <a href="https://www.techtarget.com/whatis/definition/cluster">clustered</a> file servers -- to store user database files on SMB file shares and to reduce application latencies over wide area networks (<a href="https://www.techtarget.com/searchnetworking/definition/WAN-wide-area-network">WANs</a>).</p> <p>These OSes include numerous functionalities to streamline resource sharing and access over a network. One such functionality is SMB Transparent Failover, which simplifies the hardware or software maintenance of nodes in a clustered file server. Admins can perform these maintenance tasks without interrupting any server applications that may be storing data on the file shares. Other key SMB 3.0 features in Windows Server include SMB Scale Out to create file shares that provide simultaneous access to data files, SMB performance counters that enable admins to analyze the performance of SMB 3.0 file shares, SMB Directory Leasing that reduces round trips from client to server and maintains <a href="https://www.techtarget.com/searchstorage/definition/cache">cache</a> coherency, and SMB Encryption that encrypts and protects SMB data on untrusted networks from <a href="https://www.techtarget.com/searchunifiedcommunications/definition/eavesdropping">eavesdropping</a>.</p> <p>Most other OSes also include client components for connecting to SMB resources. In addition, <a href="https://www.techtarget.com/searchdatacenter/definition/Unix">Unix</a>-based systems can use Samba to facilitate SMB access to file and print services.</p> </section> <section class="section main-article-chapter" data-menu-title="What are SMB protocol dialects?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are SMB protocol dialects?</h2> <p>Since the SMB protocol was introduced in the 1980s, a number of SMB dialects have been released that have improved on the original implementation, delivering greater capabilities, scalability, security and efficiency. A client and server can implement different SMB dialects. If they do, the systems must first negotiate the differences between editions before starting a session.</p> <p>Here is a brief overview of the most notable dialects:</p> <ul class="default-list"> <li><b>SMB 1.0 (1984).</b> SMB 1.0 was created by IBM for file sharing in <a href="https://www.techtarget.com/searchsecurity/definition/DOS">DOS</a>. It introduced opportunistic locking (OpLock) as a client-side caching mechanism designed to reduce network traffic. Microsoft later included the SMB protocol in its LAN Manager product and incorporated SMB support into the <a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Windows-Server-OS-operating-system">Windows Server OS</a>.</li> <li><b>Common Internet File System (1996).</b> <a href="https://www.techtarget.com/searchstorage/definition/Common-Internet-File-System-CIFS">CIFS</a>, an improvement over SMB 1.0, is a Microsoft-developed SMB dialect that debuted in Windows 95. CIFS added support for larger file sizes, direct transport over TCP/IP, and symbolic links and hard links.</li> <li><b>SMB 2.0 (2006).</b> SMB 2.0 was released with Windows Vista in 2006 and Windows Server 2008. It reduced chattiness in SMB 1.0 to improve the protocol's performance and enhance its efficiency, scalability and resiliency. It also added support for <a href="https://www.techtarget.com/searchnetworking/definition/WAN-optimization-WAN-acceleration">WAN acceleration</a>.</li> <li><b>SMB 2.1 (2010).</b> SMB 2.1 was introduced with Windows Server 2008 R2 and Windows 7. The client OpLock leasing model replaced OpLock to enhance caching and improve performance. Other updates included large <a href="https://www.techtarget.com/searchnetworking/definition/maximum-transmission-unit">maximum transmission unit</a> support and improved energy efficiency, which enabled clients with open files from an SMB server to enter sleep mode.</li> <li><b>SMB 3.0 (2012).</b> <a href="https://www.techtarget.com/searchwindowsserver/definition/SMB-30-Server-Message-Block-30">SMB 3.0</a> debuted in Windows 8 and Windows Server 2012. It added several significant upgrades to improve availability, performance, backup, security and management. Noteworthy new features included SMB Multichannel, SMB Direct, Transparent Failover of client access, Remote Volume Shadow Copy Service support, SMB Encryption and more.</li> <li><b>SMB 3.0.2 (2014).</b> SMB 3.0.2 was introduced in Windows 8.1 and Windows Server 2012 R2. It included performance updates and the ability to disable CIFS/SMB 1.0 support, including removal of the related binaries. Other features included CopyFile SRV_COPYCHUNK over SMB support, performance improvements for small input/output <a href="https://www.techtarget.com/searchdatacenter/definition/workload">workloads</a> and automatic rebalancing of scale-out file server clients.</li> <li><b>SMB 3.1.1 (2015).</b> SMB 3.1.1 was released with <a href="https://www.techtarget.com/searchenterprisedesktop/definition/Windows-10">Windows 10</a> and Windows Server 2016. It added support for advanced encryption, preauthentication integrity to prevent man-in-the-middle (<a href="https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM">MitM</a>) attacks and Cluster Dialect Fencing, among other updates. Additional features included directory caching, rolling cluster upgrades and direct client support.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Why is SMB vulnerable?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why is SMB vulnerable?</h2> <p>In 2017, the <a href="https://www.techtarget.com/searchsecurity/definition/WannaCry-ransomware">WannaCry</a> and Petya <a href="https://www.techtarget.com/searchsecurity/definition/ransomware">ransomware</a> attacks exploited a vulnerability in SMB 1.0 that made it possible to load <a href="https://www.techtarget.com/searchsecurity/definition/malware">malware</a> on vulnerable clients and then propagate the malware across networks. Many of these attacks were the result of threat actors exploiting known vulnerabilities in SMB 1.0, such as EternalBlue, EternalRomance, EternalChampion and EternalSynergy.</p> <p>Microsoft subsequently released patches to address these vulnerabilities. However, experts have advised users and administrators to disable SMB 1.0/CIFS on all systems and upgrade to the more secure SMB 3.0.</p> </section> <section class="section main-article-chapter" data-menu-title="Is the SMB protocol safe?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Is the SMB protocol safe?</h2> <p>SMB 3.0 and later are far more secure than previous dialects, having introduced a number of protections. For example, SMB 3.0 added <a href="https://www.techtarget.com/searchsecurity/definition/end-to-end-encryption-E2EE">end-to-end data encryption</a> while protecting data from eavesdropping. Encryption may be enabled for any scenario where data traverses over an untrusted network without incurring costs for deploying IPsec, specialized hardware or WAN accelerators. SMB 3.0 also offered secure dialect negotiation, which helps protect against MitM attacks.</p> <p>SMB 3.1.1 improved on security even further by updating the encryption capabilities of SMB 3.0. The updated protocol also adds preauthentication integrity to protect SMB connections and <a href="https://www.techtarget.com/searchsecurity/definition/authentication">authentication</a> messages again MitM attacks. It also included a mechanism for negotiating the crypto-algorithm -- AES-128-CCM and AES-128-GCM -- on a per-connection basis.</p> <p>That said, SMB 3.0 is not completely safe. In 2020, a vulnerability dubbed SMBGhost (CoronaBlue) was discovered in SMB 3.0. If exploited, it could expose users to remote code execution. To protect users, admins must adopt multiple security strategies, including <a href="https://www.techtarget.com/searchenterprisedesktop/tip/Use-this-10-step-patch-management-process-to-ensure-success">patching</a> against known vulnerabilities, using secure authentication methods and restricting SMB at the host level.</p> </section> <section class="section main-article-chapter" data-menu-title="CIFS vs. SMB"> <h2 class="section-title"><i class="icon" data-icon="1"></i>CIFS vs. SMB</h2> <p>As noted above, CIFS is an early dialect of the SMB protocol developed by Microsoft. Although the terms SMB and CIFS are sometimes used interchangeably, CIFS refers specifically to a single implementation of SMB. That said, application interfaces and technical documentation often refer to them as one and the same, particularly SMB 1.0 and CIFS, using labels such as SMB 1.0/CIFS.</p> <p>However, the distinction between dialects is important to recognize. For example, SMB 1.0 and CIFS do not have the same level of security protections found in later dialects, as demonstrated by the WannaCry ransomware. SMB 3.0 provides far more advanced security protections. For this reason, most modern systems use the newer SMB dialects. For example, Windows 10 and Windows Server 2012 and newer support SMB 3.1.1, the most recent SMB dialect.</p> <p>Dialects also make a difference when it comes to performance. For instance, CIFS was noted for being a <a href="https://www.techtarget.com/searchnetworking/definition/chatty-protocol">chatty protocol</a> that bogged WAN performance due to the combined burdens of latency and numerous acknowledgments. The dialect to follow, SMB 2.0, improved the protocol's efficiency by drastically reducing its hundreds of commands and subcommands down to just 19.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/whatis-cifs_nfs_smb-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/whatis-cifs_nfs_smb-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/whatis-cifs_nfs_smb-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/whatis-cifs_nfs_smb-f.png 1280w" alt="Infographic comparing CIFS, NFS and SMB file-sharing protocols." height="336" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>CIFS, NFS and SMB file-sharing protocols compared </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Samba vs. SMB"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Samba vs. SMB</h2> <p>Released in 1992, Samba is an open source implementation of the SMB protocol for Unix systems and <a href="https://www.techtarget.com/searchdatacenter/definition/Linux-distros-Linux-distribution">Linux distributions</a>. The Samba platform includes a server that enables various client types to access SMB resources.</p> <p>The server supports file sharing and print services, authentication and authorization, name resolution, and service announcements (browsing) between Linux/Unix servers and Windows clients. For example, Samba can be installed on a Unix server to provide file and print services to Windows 10 desktops.</p> <p>In addition, Samba makes it possible to integrate Linux/Unix servers and desktops in an <a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory">Active Directory</a> environment. Windows Server systems include built-in SMB support. However, some macOS and Linux systems require Samba for SMB access.</p> </section> <section class="section main-article-chapter" data-menu-title="SMB vs. SFTP"> <h2 class="section-title"><i class="icon" data-icon="1"></i>SMB vs. SFTP</h2> <p>Like SMB, Secure File Transfer Protocol (<a href="https://www.techtarget.com/searchcontentmanagement/definition/Secure-File-Transfer-Protocol-SSH-File-Transfer-Protocol">SFTP</a>) enables secure file transfers between a remote host and one or more local systems. It enables users to securely access, upload, retrieve, download and manipulate remote files over a shared network. All data is encrypted and an <a href="https://www.techtarget.com/searchsecurity/tutorial/How-to-use-SSH-tunnels-to-cross-network-boundaries">Secure Shell (SSH) tunnel</a> is created to safeguard files and ensure secure transfers. Admins can configure granular user access controls to further strengthen security.</p> <p>One of the differences between SFTP and SMB is that SMB enables the sharing of entire file directories. These directories can be mounted as <a href="https://www.techtarget.com/whatis/definition/network-drive">network drives</a> to enable share-level access. Even so, SMB is better suited for small file transfers on a local area network, while SFTP can efficiently handle large batches or files, even over longer distances.</p> <p>Another difference is that SFTP uses SSH port 22 to enable secure connections and communications, while SMB uses port 445 (3.0) or 139 (older versions). Usability also differs between SMB and SFTP. Whereas SMB shares automatically appear as standard network drives and can be easily accessed via Windows File Explorer, an FTP client is required to use SFTP.</p> <p>Older versions of SMB operated over TCP for file transfers and did not provide data encryption support. Encryption is included in SMB 3.0 and above. In Windows Server 2012, SMB 3.1.1 also includes a mechanism to negotiate the crypto-algorithm per connection. The newer versions of SMB also include other security features, like preauthentication integrity and reduced application latencies, to provide security benefits that are on par with SFTP and SSH encryption.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/k3RxOqftzsU?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> <p><em>Networking enables the internet to function, relying on several key protocols. These essential network protocols facilitate communication and connection across the internet. Learn about <a href="https://www.techtarget.com/searchnetworking/feature/12-common-network-protocols-and-their-functions-explained">common network protocols and their functions</a>.</em></p> </section> The Server Message Block (SMB) protocol is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. https://cdn.ttgtmedia.com/visuals/digdeeper/5.jpg https://www.techtarget.com/searchnetworking/definition/Server-Message-Block-Protocol Mon, 17 Mar 2025 09:00:00 GMT <p>Kerberos is a <a href="https://www.techtarget.com/searchnetworking/definition/protocol">protocol</a> for <a href="https://www.techtarget.com/searchsecurity/definition/authentication">authenticating</a> service requests between trusted <a href="https://www.techtarget.com/searchnetworking/definition/host">hosts</a> across an untrusted network, such as the internet. By providing a <a href="https://www.techtarget.com/iotagenda/definition/gateway">gateway</a> between users and a network, Kerberos helps verify the identities of users and hosts, and it keeps unauthorized or malicious users out of a private network. Kerberos support is built into all major computer operating systems (OSes), including Microsoft Windows, Apple macOS, FreeBSD, Unix and Linux.</p> <section class="section main-article-chapter" data-menu-title="What does the Kerberos authentication protocol do?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What does the Kerberos authentication protocol do?</h2> <p>Kerberos provides a standardized way to verify a user's or host's identity over a network. Its aim is to authenticate service requests between trusted hosts, such as <a href="https://www.techtarget.com/searchenterprisedesktop/definition/client">clients</a> and <a href="https://www.techtarget.com/whatis/definition/server">servers</a>, on untrusted networks, like the internet.</p> <p>The protocol's mechanism assumes that the transactions between those hosts are happening on an open network, meaning the <a href="https://www.techtarget.com/searchnetworking/definition/packet">packets</a> traveling on it are susceptible to eavesdropping and tampering. To prevent these issues, it uses secret key <a href="https://www.techtarget.com/searchsecurity/definition/cryptography">cryptography</a>. This facilitates mutual authentication between the hosts and allows their identities to be verified prior to the establishment of a secure network connection. To authenticate user identities and authorize users for access, Kerberos uses <a href="https://www.techtarget.com/searchsecurity/answer/What-are-the-differences-between-symmetric-and-asymmetric-encryption-algorithms">symmetric key cryptography</a> and a <a href="https://www.computerweekly.com/news/1280096067/Five-steps-to-using-the-Kerberos-protocol">key distribution center</a> (KDC).</p> <p>The name Kerberos was taken from Greek mythology; Kerberos (Cerberus) was a three-headed dog who guarded the gates of Hades. Like the mythical dog, the Kerberos protocol has three heads:</p> <ol class="default-list"> <li><b>Client or principal.</b> The entity that initiates a service request on behalf of a user.</li> <li><b>Network resource</b>. The <a href="https://www.theserverside.com/feature/What-is-an-Application-Server">application server</a> that provides access to the network resource requested by the client.</li> <li><b>KDC.</b> A centralized server that<b> </b>acts as Kerberos' trusted third-party authentication service. The KDC includes an authentication server (<a href="https://www.techtarget.com/searchsecurity/definition/authentication-server">AS</a>) that does the initial authentication, a ticket-granting server (TGS) that issues service tickets and connects the service-requesting user to the service server (SS), and a database that stores the details of all verified users to facilitate authentication and authorization.</li> </ol> <p>Kerberos was also designed to interface with secure accounting systems. This provided the third "A" of the authentication, authorization and accounting, or <a href="https://www.techtarget.com/searchsecurity/definition/authentication-authorization-and-accounting">AAA</a>, triad.</p> </section> <section class="section main-article-chapter" data-menu-title="How does the Kerberos authentication protocol work?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How does the Kerberos authentication protocol work?</h2> <p>A simplified description of how Kerberos works follows; the actual <a href="https://www.techtarget.com/whatis/definition/process">process</a> is more complicated and may vary from one implementation to another:</p> <ol class="default-list"> <li><b>AS request.</b> To access a service, the initiating client starts the Kerberos client authentication process. To do this, it sends an authentication request to the Kerberos KDC AS. The initial authentication request is sent as <a href="https://www.techtarget.com/searchsecurity/definition/plaintext">plaintext</a> because no <a href="https://www.techtarget.com/whatis/definition/sensitive-information">sensitive information</a> is included in the request. The AS verifies that the client is in the KDC <a href="https://www.techtarget.com/searchdatamanagement/definition/database">database</a> and retrieves the initiating client's <a href="https://www.techtarget.com/searchsecurity/definition/private-key">private key</a>.</li> <li><b>AS response.</b> The AS starts the initial authentication by looking for the initiating client's username in the KDC database. If the name is not found, the client cannot be authenticated, and the authentication process stops. Otherwise, the AS sends the client a ticket-granting ticket (TGT) and a <a href="https://www.techtarget.com/searchsecurity/definition/session-key">session key</a>.</li> <li><b>Service ticket request. </b>Once authenticated by the AS, the client asks for a service ticket from the TGS. This request must be accompanied by the TGT sent by the KDC AS.</li> <li><b>Service ticket response.</b> If the TGS can authenticate the client, it sends credentials and a ticket to access the requested service. This transmission is <a href="https://www.techtarget.com/searchsecurity/definition/encryption">encrypted</a> with a session key specific to the user and service being accessed. This proof of identity is used to access the requested "Kerberized" service. That service validates the original request and then confirms its identity to the requesting system.</li> <li><b>Application server request.</b> The client sends a request to access the application server. This request includes the service ticket received in step 4. If the application server can authenticate this request, the client can access the server.</li> <li><b>Application server response.</b> In cases where the client requests the application server to authenticate itself, this response is required. The client has already authenticated itself, and the application server response includes Kerberos authentication of the server.</li> </ol> <p>The service ticket sent by the TGS enables the client to access the desired service. The service ticket is <a href="https://www.techtarget.com/whatis/definition/timestamp">timestamped</a>, so a single ticket can be used for a specific period without having to be reauthenticated.</p> <p>Making the ticket valid for a limited time reduces the possibility that some other user or attacker is able to use it later. The maximum lifetime can be set to 0, in which case service tickets do not expire. Microsoft recommends a maximum lifetime of 600 minutes for service tickets; this is the default value in Windows Server implementations of Kerberos.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/kerberos_authentication_process_diagram-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/kerberos_authentication_process_diagram-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/kerberos_authentication_process_diagram-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/kerberos_authentication_process_diagram-f.png 1280w" alt="Flow chart showing how a user request leads to authentication and approved access" height="416" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>With Kerberos, a client requests access through the authentication server, launching the flow of data requests and, finally, an approved ticket. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Benefits of Kerberos authentication"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of Kerberos authentication</h2> <p>Kerberos provides an extensive and proven authentication mechanism for service systems and users. Users, systems and services relying on Kerberos need only trust the KDC. It runs as a single process and provides two services: the authentication service and the ticket-granting service.</p> <p>Kerberos authentication uses conventional shared-secret cryptography to prevent packets that are traveling across the network from being read or changed.</p> <p>Kerberos' authentication mechanism also protects messages from <a href="https://www.techtarget.com/searchunifiedcommunications/definition/eavesdropping">eavesdropping</a> and replay attacks. This is due to the use of strong cryptography with encrypted secret keys and third-party authorization. Also, <a href="https://www.techtarget.com/searchsecurity/definition/password">passwords</a> are never sent over networks, minimizing the potential for threat actors to steal user identities or impersonate them to access systems and services on the network.</p> <p>Another benefit of Kerberos is that it enables effective access control. IT <a href="https://www.techtarget.com/searchnetworking/definition/system-administrator">admininistrators</a> can enforce security policies to control system access. It also improves user experience because they need to be authenticated only once. As long as the Kerberos ticket is active, users don't have to enter their login credentials multiple times to access a system.</p> </section> <section class="section main-article-chapter" data-menu-title="Kerberos objectives, concepts and terms"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Kerberos objectives, concepts and terms</h2> <p>Goals for the Kerberos system are spelled out in a <a target="_blank" href="https://www.kerberos.org/software/tutorial.html" rel="noopener">tutorial</a> written by Fulvio Ricciardi of the National Institute of Nuclear Physics in Lecce, Italy. They include the following:</p> <ul class="default-list"> <li>Passwords must never be transmitted over the network.</li> <li>Passwords must never be stored on client systems and always must be discarded immediately after they are used.</li> <li>Passwords are never stored in plaintext, even on the ASes.</li> <li>A password is entered only once in each session. This is an early form of single sign-on (<a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on">SSO</a>) authentication, and it means that users can authenticate themselves just once but still access any systems for which they are authorized.</li> <li>All authentication information is maintained in a centralized AS. The application servers themselves do not store any authentication information. This enables the following features:</li> <li style="list-style: none;"> <ul style="list-style-type: circle;" class="default-list"> <li>An administrator can disable authorization for a user to use <i>any</i> application server from the centralized AS. Access to individual servers is not necessary to revoke authorization.</li> <li>A single user password is enough to access all Kerberos-authenticated services. A user can reset their password just once, no matter how many services they are authenticated to use.</li> <li>Protecting user information is simplified because all user authentication information is stored on one centralized AS rather than on all the individual servers the user is authorized to use.</li> </ul> </li> <li>All parties -- users and application servers -- must authenticate themselves when prompted. Users authenticate when they sign in. Application services may be required to authenticate themselves to the client.</li> <li>Kerberos provides a mechanism for clients and servers to set up an encrypted circuit so that networked communications are private.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="History of Kerberos"> <h2 class="section-title"><i class="icon" data-icon="1"></i>History of Kerberos</h2> <p>Kerberos was developed in the 1980s at the Massachusetts Institute of Technology (MIT) as part of Project Athena. This project, named after the ancient Greek goddess of wisdom, aimed to provide MIT students with easier access to computing resources. One of the outcomes of this groundbreaking project was the development of Kerberos as the authentication system.</p> <p>Before Athena and Kerberos, networked systems at MIT typically authenticated users with a user ID-and-password combination. Systems routinely transmitted passwords "in the clear," meaning unencrypted. Attackers with access to the network could eavesdrop on network transmissions, intercept user IDs and passwords, and then attempt to access systems for which they were not authorized.</p> <p>Kerberos developers set out to provide a network authentication protocol that could authenticate trusted hosts communicating over untrusted networks. In particular, they intended to provide system administrators with a mechanism for authenticating access to systems over an open network -- the internet.</p> <p>Kerberos was initially designed as the Kerberos Authentication and Authorization System in a <a target="_blank" href="https://web.mit.edu/Saltzer/www/publications/athenaplan/e.2.1.pdf" rel="noopener">paper</a> with the same name written by S.P. Miller, B.C. Neuman, J.I. Schiller and J.H. Saltzer. The designers intended Kerberos' authentication as a means for supporting authorization. Thus, its original objectives were to provide a way for users of the MIT network to do the following:</p> <ul class="default-list"> <li>Securely authenticate themselves to the systems they needed to use.</li> <li>Be authorized to access those systems.</li> </ul> <p>In 2005, the <a href="https://www.techtarget.com/whatis/definition/IETF-Internet-Engineering-Task-Force">Internet Engineering Task Force</a> published the Kerberos protocol as a Proposed Standard in <a target="_blank" href="https://datatracker.ietf.org/doc/html/rfc4120" rel="noopener">Request for Comments 4120</a>. The MIT Kerberos Consortium was founded in September 2007 to further the development of the technology. In 2013, the consortium was expanded and renamed the MIT Kerberos and Internet Trust Consortium.</p> <p>Since its early days, numerous OSes have incorporated Kerberos' authentication system. Starting with <a href="https://www.techtarget.com/searchenterprisedesktop/definition/Windows-2000">Windows 2000</a>, Microsoft has used the Kerberos protocol as the default authentication method in Windows versions, and it is an integral part of the Windows Active Directory (<a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory">AD</a>) service. <a href="https://www.techtarget.com/searchnetworking/definition/broadband">Broadband</a> service providers also use the protocol to authenticate cable modems and set-top boxes accessing their networks. Many secure systems also use Kerberos for authentication, including file sharing software, file storing mechanisms and SSO systems.</p> <p>The current version of Kerberos -- as of March 2025 -- is V5 Release 1.21.3. This version, which was released in June 2024, is free to download from <a href="https://web.mit.edu/kerberos/" target="_blank" rel="noopener">MIT's Kerberos webpage</a>. It fixes many issues from previous versions, including vulnerabilities in General Support System message token handling and a memory leak in the macOS cache type.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/YvHmP2WyBVY?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> </section> <section class="section main-article-chapter" data-menu-title="What is Kerberos used for?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is Kerberos used for?</h2> <p>The protocol is used by default in many widely used networking systems. Some systems in which Kerberos support is incorporated or available are the following:</p> <ul class="default-list"> <li><b>Amazon Web Services (AWS).</b> A cloud computing platform that provides 200-plus services, like compute, storage, databases, analytics and artificial intelligence -- all of which can be accessed on demand from anywhere and in a pay-as-you-go fashion.</li> <li><b>Google Cloud.</b> Similar to AWS, a set of cloud computing services delivered on demand from Google's globally distributed data centers.</li> <li><b>Microsoft Azure.</b> Another cloud computing platform that provides services like compute, storage, networking and analytics delivered over the cloud.</li> <li><b>Apple macOS.</b> A GUI-based OS for Apple's Mac computers.</li> <li><b>Hewlett Packard Unix. </b>A proprietary OS for HP systems that provides high availability and security, plus features for virtualization and workload management for mission-critical computing applications.</li> <li><b>IBM Advanced Interactive eXecutive.</b> A stable and secure Unix-based OS for use in workstations, servers and network-attached storage.</li> <li><b>Microsoft Windows Server.</b> A family of server OSes that implements Kerberos V5 for public key authentication.</li> <li><b>Microsoft AD.</b> A directory service to manage user access and permissions -- it uses a domain controller and Kerberos to authenticate user accounts.</li> <li><b>Oracle Solaris. </b>A proprietary Unix OS and platform for deploying enterprise-grade clouds.</li> <li><b>Red Hat Enterprise Linux.</b> An enterprise Linux platform that runs on all major public clouds, including AWS, Azure and Google Cloud.</li> <li><b>FreeBSD and OpenBSD.</b> Two free, open source, Unix-like OSes suitable for a wide range of applications.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Is Kerberos secure?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Is Kerberos secure?</h2> <p>The Kerberos protocol, which has been widely implemented in recent decades, is considered a secure, mature and safe mechanism for authenticating users. One reason is that it uses strong cryptography, including secret key encryption, to protect sensitive data and to limit resource access only to authenticated and authorized users.</p> <p>Over the years, security researchers have found some weaknesses in specific Kerberos implementations and in the protocol itself. Some of these historic weaknesses as used in Windows networks were <a target="_blank" href="https://dfirblog.wordpress.com/2015/12/13/protecting-windows-networks-kerberos-attacks/" rel="noopener">summarized in a 2015 blog post</a> by security researcher Elmar Nabigaev. They included the following:</p> <ul class="default-list"> <li><b>Pass-the-key attack.</b> This is a form of <a href="https://www.techtarget.com/searchsecurity/definition/pass-the-hash-attack">pass-the-hash attack</a> in which attackers impersonate authorized users by replaying their credentials.</li> <li><b>Pass-the-ticket attack.</b> Attackers intercept and reuse tickets sent to or from an authenticated user to impersonate them and reuse their service tickets.</li> <li><b>Golden ticket attack.</b> This is an attack that uses access to the Windows <a href="https://www.techtarget.com/searchwindowsserver/definition/domain-controller">domain controller</a> to create credentials that give unlimited access to application services.</li> </ul> <p>But these weaknesses have been addressed in subsequent releases, and Kerberos remains a secure choice for authentication applications over the internet.</p> <p>To keep Kerberos secure, you should stay updated on information about its security vulnerabilities that may be published online, particularly on MIT's Kerberos webpage. It's equally important to implement all the software updates that can mitigate or remediate these flaws.</p> </section> <section class="section main-article-chapter" data-menu-title="Kerberos vs. other network authentication protocols"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Kerberos vs. other network authentication protocols</h2> <p>Kerberos is not the only authentication protocol in general use, but it is probably the most widely used one. Kerberos has been proven to be a secure protocol, capable of coping with unexpected input or errors during execution.</p> <h3>Kerberos vs. Microsoft NTLM</h3> <p>Microsoft New Technology LAN Manager (NTLM) is a family of authentication protocols used in Microsoft Windows 10, Windows 11, Windows Server 2019, Windows Server 2022 and Windows Server 2025. These protocols incorporate a <a href="https://www.techtarget.com/searchsecurity/definition/challenge-response-system">challenge-response</a> mechanism to prove to a server that a user knows the password associated with an account, thus authenticating them for accessing that account.</p> <p>Both Microsoft and non-Microsoft applications can use NTLM for user authentication. However, for AD environments, Microsoft prefers Kerberos V5 authentication.</p> <h3>Kerberos vs. LDAP</h3> <p>Lightweight Directory Access Protocol (<a href="https://www.techtarget.com/searchmobilecomputing/definition/LDAP">LDAP</a>) is a standard directory access protocol to connect to and search internet directories. Running above the TCP/IP stack, it offers a method for maintaining and accessing authoritative information about user accounts and for authorizing user access to accounts on networked services.</p> <p>Unlike LDAP, Kerberos is a ticket-based authentication protocol. That said, LDAP and Kerberos are often used together, with LDAP providing authorization services and Kerberos providing authentication services for large networks.</p> <h3>Kerberos vs. RADIUS</h3> <p>The Remote Authentication Dial-In User Service (<a href="https://www.techtarget.com/searchsecurity/definition/RADIUS">RADIUS</a>) protocol was designed to provide an authentication service for dial-in users to remotely access <a href="https://www.techtarget.com/whatis/definition/ISP-Internet-service-provider">internet service providers</a> or corporate networks over direct connections, like dial-up phone lines. RADIUS can be used for authorization and accounting of network services. It can also be integrated with Kerberos to provide stronger authentication.</p> <p>Three different sets of entities use Kerberos:</p> <ol type="1" start="1" class="default-list"> <li><b>Kerberos principal.</b> This is any unique identity that Kerberos can assign a ticket to. For most users, a principal is the same as a user ID. It also includes hosts and services that can be assigned Kerberos tickets. Individual clients are one type of Kerberos principal. The service principal is an identity assigned to an application service that is accessed through Kerberos. A principal is uniquely identified with at least three pieces of information:</li> <ol type="a" start="1" class="default-list"> <li>For users, the principal primary is a username. For hosts, the primary is the word <i>host</i>. For services, the primary name is the service's name.</li> <li>An optional identifier of the principal usually specifies the host name of the system the primary is associated with.</li> <li>Kerberos servers operate in a limited network region, called a <i>realm</i>. Realms are identified by <a href="https://www.techtarget.com/searchnetworking/definition/domain-name-system">domain name system</a> named domains. A principal's realm is the domain name in which the Kerberos server operates.</li> </ol> <li><b>Kerberos application server.</b> This is any system providing access to resources that need client authentication through Kerberos. For example, application servers can include file and print services, terminal emulation, <a href="https://www.techtarget.com/searchsecurity/definition/remote-access">remote</a> computing and <a href="https://www.techtarget.com/whatis/definition/e-mail-electronic-mail-or-email">email</a>.</li> <li><b>Kerberos KDC.</b> The Kerberos authentication process depends on the following KDC components:</li> <ol type="a" start="1" class="default-list"> <li><b>Kerberos database.</b> This maintains a record for each principal in the realm. This is the centralized repository for Kerberos authentication information. It includes identifying information of the principal and the systems and services for which that principal can be authenticated to use.</li> <li><b>Kerberos authentication service.</b> Network clients use this Kerberos service to authenticate themselves to get a TGT, also known as an <i>authentication ticket</i>.</li> <li><b>Kerberos ticket-granting service.</b> This Kerberos service accepts the TGT so that clients can access their application servers.</li> </ol> </ol> <p>Authentication with Kerberos is based on the use of authentication tickets. An authentication ticket indicates that the user is authenticated through the Kerberos authentication service. After it has been granted, the user can request other tickets to access specific application services.</p> <p><em>Authentication is a security layer used to protect all networks and applications. Read up on authentication types, from two-factor authentication to biometrics to certificates. Use these <a href="https://www.techtarget.com/searchsecurity/tip/Use-these-6-user-authentication-types-to-secure-networks">user authentication types to secure networks</a>.</em></p> </section> Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet. https://cdn.ttgtmedia.com/visuals/digdeeper/4.jpg https://www.techtarget.com/searchsecurity/definition/Kerberos Mon, 10 Mar 2025 09:00:00 GMT <p>Hardcoded passwords have long been a standard in basic security and authentication practices. However, businesses and enterprises that manage critical data require further layers of security.</p> <p>In Azure, service principals are a core part of access control management for applications and automation-related tasks. They represent a form of identity that applications or services use to authenticate and access specific resources in Azure. This helps secure interactions within a cloud environment.</p> <p>Service principals are the modern replacement for the traditional service account that provides security context for specific services. With these principals, access to vital services can be much more fine-grained than a traditional account. Conveniently, principals can also enable access to resources without users needing to memorize or <a href="https://www.techtarget.com/searchitoperations/tutorial/How-to-secure-passwords-with-PowerShell">store passwords</a>.</p> <p>Learn the basic steps to create an Azure service principal, and learn about other security identities that can protect valuable resources.</p> <section class="section main-article-chapter" data-menu-title="Create an Azure service principal"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Create an Azure service principal</h2> <p>Let's walk through an example to better understand how Azure service principals function.</p> <p>When creating a service principal, begin by registering an app in Microsoft Entra ID, which generates a unique application ID. Registration defines the application's identity in Entra ID and is the foundation for creating a service principal.</p> <p>An Azure service principal consists of several discrete fields, such as the following:</p> <ul class="default-list"> <li><b>Application ID.</b> This serves as a unique identifier for the service principal within Entra ID.</li> <li><b>Directory ID. </b>A representation of the Entra ID instance the service principal was created under.</li> <li><b>Client secrets and certificates. </b>The credential the application uses to authenticate itself when calling Azure resources. Certificates are usually preferred over client secrets as they are harder to compromise.</li> <li><b>Role assignments. </b>Role-based access control (<a href="https://www.techtarget.com/searchsecurity/definition/role-based-access-control-RBAC">RBAC</a>) assigns specific roles to the service principal, defining what it can access. Common roles include Contributor, Reader and Owner.</li> <li><b>Environmental variables. </b>These store credentials in pipelines or automation scripts.</li> </ul> <p>Once these fields have been completed, users can deploy their Terraform plan. Be sure to delete the plan when done. Unless users intend to maintain their resource or service principal, they should delete it after use so they <a href="https://www.techtarget.com/searchcloudcomputing/tip/Implement-these-Azure-cost-optimization-best-practices">don't incur further charges through Azure</a>.</p> <p>Let's create an Azure service principal to deploy a Terraform plan and create a basic VM using the Azure CLI and the Terraform app. Ensure that both are installed locally.</p> <h3>Step 1. Create the service principal</h3> <p>Create an Azure service principal with the Azure CLI. Start the CLI from the command line, and log in to Azure using the command <span style="font-family: courier new, courier, monospace;">az login</span>.</p> <p>Once logged in, create the service principal with the following command:</p> <pre><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp; az ad sp create-for-rbac --name "myServicePrincipal" -- role Contributor -- scopes /subscriptions/&lt;SUBSCRIPTION_ID&gt;</span></pre> <p>Replace <span style="font-family: courier new, courier, monospace;">&lt;SUBSCRIPTION_ID&gt;</span> with the appropriate subscription ID.</p> <p>This command outputs the following key information:</p> <ul class="default-list"> <li><b>AppId.</b> The application ID.</li> <li><b>Password.</b> A client secret for this example for brevity.</li> <li><b>Tenant.</b> The directory ID.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/burns_figure1-h.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/burns_figure1-h_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/burns_figure1-h_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/burns_figure1-h.jpg 1280w" alt="View of Azure's output console."> <figcaption> <i class="icon pictures" data-icon="z"></i>This output console displays, prompting the user to enter specific information. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Save this information because you will need this information again to configure Terraform in the system. Verify the service principal using the appId that was provided in the previous command:</p> <pre><span style="font-family: courier new, courier, monospace;">az ad sp show --id &lt;appId&gt;</span></pre> <p>This shows information about the service principal application ID.</p> <h3>Step 2. Set up environment variables</h3> <p>To enable Terraform to authenticate with Azure, set the following environment variables:</p> <pre><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; export ARM_CLIENT_ID="&lt;appId&gt;"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; export ARM_CLIENT_SECRET="&lt;password&gt;"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; export ARM_SUBSCRIPTION_ID="&lt;SUBSCRIPTION_ID&gt;"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp; export ARM_TENANT_ID="&lt;tenant&gt;"</span></pre> <p>Replace <span style="font-family: courier new, courier, monospace;">&lt;appId&gt;</span>, <span style="font-family: courier new, courier, monospace;">&lt;password&gt;</span>,<b> </b><span style="font-family: courier new, courier, monospace;">&lt;SUBSCRIPTION_ID&gt;</span> and <span style="font-family: courier new, courier, monospace;">&lt;tenant&gt;</span> with the values from the output of the service principal creation earlier. This exposes those items as a variable so that Terraform can read them.</p> <h3>Step 3. Deploy a VM using Terraform</h3> <p>Create a new folder for the Terraform configuration file. Copy and paste the below data into a file and save it as main.tf file.</p> <pre><span style="font-family: courier new, courier, monospace;">&nbsp;hcl<br></span><span style="font-family: courier new, courier, monospace;"> &nbsp; provider "azurerm" {<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; features {}<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; }<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; resource "azurerm_resource_group" "example" {<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; name&nbsp;&nbsp;&nbsp;&nbsp; = "example-resources"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; location = "East US"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; }<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; resource "azurerm_virtual_network" "example" {<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = "example-network"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; address_space&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = ["10.0.0.0/16"]<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; location&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = azurerm_resource_group.example.location<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; resource_group_name = azurerm_resource_group.example.name<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; }<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; resource "azurerm_subnet" "example" {<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = "example-subnet"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; resource_group_name&nbsp; = azurerm_resource_group.example.name<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; virtual_network_name = azurerm_virtual_network.example.name<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; address_prefixes&nbsp;&nbsp;&nbsp;&nbsp; = ["10.0.1.0/24"]<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; }<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; resource "azurerm_network_interface" "example" {<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = "example-nic"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; location&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = azurerm_resource_group.example.location<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; resource_group_name = azurerm_resource_group.example.name<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; ip_configuration {<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = "internal"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; subnet_id&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = azurerm_subnet.example.id<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; private_ip_address_allocation = "Dynamic"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; }<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; }<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; resource "azurerm_linux_virtual_machine" "example" {<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = "example-vm"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; location&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = azurerm_resource_group.example.location<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; resource_group_name = azurerm_resource_group.example.name<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; size&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = "Standard_DS1_v2"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; network_interface_ids = [<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; azurerm_network_interface.example.id,<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; ]<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; os_disk {<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; caching&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = "ReadWrite"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; storage_account_type = "Standard_LRS"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; }<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; source_image_reference {<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; publisher = "Canonical"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; offer&nbsp;&nbsp;&nbsp;&nbsp; = "UbuntuServer"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sku&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = "22.04-LTS"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; version&nbsp;&nbsp; = "latest"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; }<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; admin_username = "azureuser"<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; admin_ssh_key { username&nbsp;&nbsp; = "azureuser" public_key = file("~/.ssh/id_rsa.pub") # Path to your public key }<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp; admin_password = "P@ssw0rd1234!" # Choose a strong password<br></span><span style="font-family: courier new, courier, monospace;">&nbsp;&nbsp; }</span></pre> <p>To deploy it, use the same terminal window as before. Navigate to the newly created Terraform folder, and run the following command: <span style="font-family: courier new, courier, monospace;">terraform init</span>. This command prepares the file and checks that it is properly formatted.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/burns_figure2-h.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/burns_figure2-h_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/burns_figure2-h_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/burns_figure2-h.jpg 1280w" alt="Terraform has been initialized."> <figcaption> <i class="icon pictures" data-icon="z"></i>Once users enter the initialization command, a window displays a 'successfully initialized' message. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The next stage is for Terraform to review and apply the configuration. Use the command <span style="font-family: courier new, courier, monospace;">terraform plan</span>.</p> <p>Finally, assuming no errors, apply the Terraform configuration using the command <span style="font-family: courier new, courier, monospace;">terraform apply</span>.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/burns_figure3-h.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/burns_figure3-h_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/burns_figure3-h_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/burns_figure3-h.jpg 1280w" alt="The VM is created successfully."> <figcaption> <i class="icon pictures" data-icon="z"></i>The user's VM is created once they use the apply command. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>The administrator needs to confirm the deployment. Confirm the prompt to proceed with deployment by typing <b>yes</b>. Terraform starts creating the resources as defined in the file.</p> <p>Once Terraform deploys, an output message displays showing the VM's IP address. Verify the VM in the Azure portal. The administrator should be able to log in via SSH using the key pair included in the Terraform file. Below is the output of the Terraform plan from this example.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/burns_figure4-h.jpg"> <img data-src="https://www.techtarget.com/rms/onlineimages/burns_figure4-h_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/burns_figure4-h_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/burns_figure4-h.jpg 1280w" alt="Output message displays the VM IP address."> <figcaption> <i class="icon pictures" data-icon="z"></i>Users see an output message displaying the Terraform plan they launched and their VM's IP address. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Remember, running resources in Azure costs money. Ensure that any unused resources are deleted after use to avoid further charges. Using Terraform and service principals, the administrator can destroy the resources with the <span style="font-family: courier new, courier, monospace;">terraform destroy</span> command.</p> <p>Confirm when prompted, and Terraform removes all resources defined in the main.tf file.</p> </section> <section class="section main-article-chapter" data-menu-title="Azure service principals vs. managed identities"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Azure service principals vs. managed identities</h2> <p>Service principals are just one form of security identity in Azure -- <a href="https://www.techtarget.com/searchcloudcomputing/tip/Managed-identity-vs-service-principal-for-Azure-apps">another is managed identities</a>. They provide an identity to applications that access Azure resources. Both service principals and managed identities enable granular, programmatic access to Azure infrastructure without putting passwords into scripts.</p> <p>Managed identities can be system-assigned or user-assigned. With system-assigned managed identities, admins create an identity as a part of a specific Azure resource, such as a VM. That identity shares a lifecycle with its associated resource. When an admin deletes the resource, they also delete the identity. User-assigned identities, on the other hand, are not tied to a specific resource. They have their own lifecycle and can be shared across resources.</p> <p>The key difference between Azure service principals and managed identities is that, with the latter, admins do not have to manage credentials, including passwords.</p> <p>To create a managed identity, go to the Azure portal, and navigate to the managed identity blade. Then, assign a role to the identity. From here, administrators can also set the duration of validity for a managed identity.</p> <p><b>Editor's note:</b><i> This article was updated to reflect changes in the best practices for creating Azure service principals.</i></p> <p><i>Stuart Burns is an enterprise Linux administrator at a leading company that specializes in catastrophe and disaster modeling.</i></p> </section> Service principals are a convenient and secure way to protect Azure resources. Follow this step-by-step guide to create a service principal that defends vital Azure workloads. https://cdn.ttgtmedia.com/rms/onlineimages/maze_g824298136.jpg https://www.techtarget.com/searchcloudcomputing/tip/Why-and-how-to-create-Azure-service-principals Fri, 28 Feb 2025 09:00:00 GMT 60 webmaster@techtarget.com