Category Archives: Delegation of Control

Ten things you should know about Azure AD Administrative Units

An Administrative Unit (AU) is an Azure AD resource that can be a container for other Azure AD resources. Administrative units allow an organization to grant admin permissions that are restricted to a department, region, or other segment of the organization. Admins can use Administrative Units to delegate permissions to regional administrators or to set […]


KnowledgeBase: The Device Administrator Role is not available on the Roles and Administrators pane in the Azure Portal

Swimming against the stream of all Azure Roles being available in the Roles and administrators pane of the Azure AD Portal, the Device administrator role is missing here. Now, let’s explore how to add additional administrators to Azure AD-joined devices.   About Azure AD Join Organization-owned Windows-based devices used to be joined to Active Directory. […]


Ten things you need to know about Assigning Groups to Azure AD Roles

Last week, Alex Simons announced on behalf of his team the Public Preview of assigning groups to Azure AD roles with a blogpost titled Assigning groups to Azure AD roles is now in public preview! on the Microsoft Tech Community. Ten things you need to know Assigning groups to Azure AD Roles sounds perfect, but […]


Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)

As you might recall, Microsoft offered a solution to systems administrators to set the local administrator password on domain-joined devices using Group Policy Preferences, but ended the solution, almost a year ago, when the encoding mechanism was decoded and an attack was created towards this vulnerability (CVE-2014-1812).   Introducing LAPS Yesterday, Microsoft introduced version 6 […]


KnowledgeBase: You receive a "Your request could not be processed" error when using Azure Self-service Password Reset (SSPR)

Recently, after deploying Azure Self-service Password Reset (SSPR) for a customer, I discovered some odd behavior. After we worked through the error tree, we finally worked out the issue. Since it wasn’t documented yet (many other errors are!) at Microsofts KnowledgeBase, here it is.   The situation In an organization with an on-premises Active Directory […]


I’m still an ADPrep kinda guy

In Windows Server 2012, Microsoft introduced the new streamlined Active Directory Domain Services Configuration Wizard, that in most Microsoft documentation is labeled the successor to dcpromo.exe. I’m a big fan of the new wizard, but there’s one feature I don’t use: the automatic Active Directory preparation steps it can perform for you to update the […]


New features in Active Directory Domain Services in Windows Server 2012, Part 19: Offline Domain Join Improvements

This entry is part 18 of 21 in the series New features in AD DS in Windows Server 2012

With Windows 7 and Windows Server 2008 R2 Microsoft introduced a new Active Directory feature called Offline Domain Join (ODJ). This feature allows for clients to be joined to an Active Directory domain, without the need of having a direct connection to any of the Domain Controllers for the Active Directory domain.


Tip: Zohno’s Z-Hire & Z-Term (freeware)

Many software vendors and organizations have adopted workflow tools to accommodate their needs towards faster delivery of the same quality. At least, getting an OK from a senior executive, is something that can be automated to save time, right? Another angle a lot of organization explore is Delegation of Control. Why wait for a centralized […]


From the Field: the Case of Display Issues (garbled or missing Text) in Active Directory Administrative Center

I’ve been working with Active Directory Administrative Center (ADAC) for a while now, but didn’t have time to look at Delegation of Control lately. Yesterday I finally came round to configuring it and was baffled by a serious issue