active directory: password behavior

administrator password reset:
password history – no
password min. age – no
password complexity – yes

user password change:
password history – yes
password min. age – yes
password history – yes

scenario:
administrator reset of a user’s password, with “user must change password at next logon” enabled: the user is able to change the password (password history is still enforced, i.e. the password can’t be changed back to the one it was just reset to)
administrator reset of a user’s password, with “user must change password at next logon” not enabled and a password min. age in effect: the user is unable to change the password (the min. age applies)

password expiration:
MsDS-UserPasswordExpiryTimeComputed (2008 and above only)

account lockout:
lockoutTime – reset to 0 to unlock account (confirmed)
resetting a password alone does not unlock an account
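an added example (not from the original post) that reads the attributes listed above with the ActiveDirectory module, unlocks by writing lockoutTime = 0, and does an administrative reset that, as noted, leaves a lockout in place; the account name ‘jdoe’ is constructed.

```powershell
Import-Module ActiveDirectory

# the attributes the notes above refer to, plus two computed flags for convenience
$props = 'lockoutTime', 'pwdLastSet', 'LockedOut', 'PasswordExpired', 'msDS-UserPasswordExpiryTimeComputed'

function Get-PasswordState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME; 0 (must change at logon) and
    # Int64.MaxValue (password never expires) both mean there is no real expiry date
    $raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { 'n/a' } else { [DateTime]::FromFileTime($raw) }

    [pscustomobject]@{
        User              = $u.SamAccountName
        LockoutTime       = [int64]$u.lockoutTime          # raw attribute; non-zero = a lockout was recorded
        LockedOut         = $u.LockedOut                    # computed against the domain lockout duration
        MustChangeAtLogon = ([int64]$u.pwdLastSet -eq 0)    # "user must change password at next logon"
        PasswordExpired   = $u.PasswordExpired
        PasswordExpires   = $expires
    }
}

function Unlock-ByLockoutTime {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # writing 0 to lockoutTime is what unlocks the account (Unlock-ADAccount does the same)
    Set-ADUser -Identity $SamAccountName -Replace @{ lockoutTime = 0 }
}

function Reset-UserPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [switch]$MustChangeAtNextLogon
    )
    # administrative reset: history and min. age are skipped, complexity still applies.
    # this only sets the password; a locked account stays locked until lockoutTime is cleared.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword
    if ($MustChangeAtNextLogon) { Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true }
}

# sample run against a constructed account name
Get-PasswordState -SamAccountName 'jdoe'
```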

ADFS 2.0 behavior:
locked account
expired password – the user name or password is incorrect
user must change password at next logon – the user name or password is incorrect

ADFS 3.0 behavior:
locked account – incorrect user ID or password
expired password – your password has expired
user must change password at next logon – your password has expired

sources:
http://www.selfadsi.org/extended-ad/user-unlock.htm

Posted in: IT by resinblade Comments Off on active directory: password behavior

chrome: disable enhanced bookmarks

i typically find most of google’s UI changes to be fairly reasonable (excluding the google+/hangouts change). i really disliked the huge blocky “enhanced bookmarks” that debuted in recent chrome releases though. this is something that i could not get used to.

i have hundreds of bookmarks and i need to have a list view. why don’t i just use the search function? i do. but even this is worsened by the new look since i can’t easily see the full titles of the bookmarks.

so i had to find out how to restore the old look. thankfully, it’s quite easy…

chrome://flags
set “enable enhanced bookmarks” to disabled

source: http://www.computerworld.com/article/2852986/chrome-users-attack-new-graphical-bookmarks-manager.html


active directory: password migration with ADMT

ADMT is installed in the destination/target domain. a password migration dll is installed on a DC in the source domain.

DNS – create a conditional forwarder or stub zone for the other domain’s zone
trust settings:
forest trust, two-way, both domains, forest-wide authentication

also the current release of ADMT will definitely not install on anything newer than sql express 2008 (trust me i tried).

path to ADMT install: c:\windows\admt
creation of encryption key in target domain (create the c:\fmp path first):
admt key /option:create /sourcedomain:mysource.local /keyfile:c:\fmp\filemigpass.pes /keypassword:Password1

it’s recommended to create an ADMT user for migration purposes. the user will need to have admin rights in both domains.

the password export server (PES) service on the source DC must be run with an account that has admin privileges in the target/destination domain. also the PES service needs to be started manually.
make sure to run the PES installer as admin (https://support.microsoft.com/en-us/kb/2004090)

accounts to migrate can be individually selected, selected by OU, or loaded from a CSV
maintaining SID history is optional for interforest migrations

test runs:
#1 – 225 accounts migrated in 10 minutes, given that…approx. 1350 could be done in an hour
#2 – 100 or so accounts in 5 minutes. speed of migration seems to be consistent despite excluding several attributes. passwords migrated. this is the 2nd time i’ve noticed “user must change password at next logon” being enabled despite not being enabled on the source user
#3 – tested out password updating via the migrate & merge option. it worked
#4 – tested a mass migration with merging only password changes. speed of migration remained similar to test run #1. also want to make note that UPN suffixes of migrated users seem to always be changed to a suffix of the target domain.

there appears to be a better way to migrate only password changes using the password migration wizard. my initial testing reveals that this is a much faster process than the method i was mentioning above.
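an added example (not part of the original post) that checks migrated accounts for the two surprises noted in the test runs: “user must change password at next logon” appearing on the target account and the UPN suffix being rewritten. it assumes the ActiveDirectory module, the source domain mysource.local from the key command above, and a constructed target domain name ‘target.local’.

```powershell
Import-Module ActiveDirectory

function Compare-MigratedUsers {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountNames,
        [string]$SourceDomain = 'mysource.local',   # from the admt key command above
        [string]$TargetDomain = 'target.local'      # constructed placeholder
    )
    foreach ($sam in $SamAccountNames) {
        $src = Get-ADUser -Server $SourceDomain -Identity $sam -Properties pwdLastSet -ErrorAction SilentlyContinue
        $dst = Get-ADUser -Server $TargetDomain -Identity $sam -Properties pwdLastSet, SIDHistory -ErrorAction SilentlyContinue
        if (-not $src -or -not $dst) {
            [pscustomobject]@{ User = $sam; Issue = 'missing in source or target' }
            continue
        }
        $srcSuffix = ($src.UserPrincipalName -split '@')[-1]
        $dstSuffix = ($dst.UserPrincipalName -split '@')[-1]
        [pscustomobject]@{
            User                 = $sam
            # pwdLastSet = 0 is the stored form of "user must change password at next logon"
            SourceMustChange     = ([int64]$src.pwdLastSet -eq 0)
            TargetMustChange     = ([int64]$dst.pwdLastSet -eq 0)
            FlagAddedByMigration = ([int64]$src.pwdLastSet -ne 0 -and [int64]$dst.pwdLastSet -eq 0)
            UpnSuffixChanged     = ($srcSuffix -ne $dstSuffix)
            TargetUpn            = $dst.UserPrincipalName
            HasSidHistory        = (@($dst.SIDHistory).Count -gt 0)
        }
    }
}

# clears the flag only where the source account did not have it, so deliberate
# "must change" settings on the source side are preserved
function Clear-UnexpectedMustChange {
    param([Parameter(Mandatory)][string[]]$SamAccountNames, [string]$TargetDomain = 'target.local')
    Compare-MigratedUsers -SamAccountNames $SamAccountNames -TargetDomain $TargetDomain |
        Where-Object { $_.FlagAddedByMigration } |
        ForEach-Object { Set-ADUser -Server $TargetDomain -Identity $_.User -ChangePasswordAtLogon $false }
}

# sample run: c:\fmp\users.csv is a constructed csv with a SamAccountName column
$migrated = (Import-Csv 'c:\fmp\users.csv').SamAccountName
Compare-MigratedUsers -SamAccountNames $migrated | Format-Table -AutoSize
```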

most important source:
http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx

other sources:
http://blogs.interfacett.com/how-to-configure-forest-level-trust-in-windows-server
https://anderseideblog.wordpress.com/2014/02/12/lab-migrate-office-365-synced-users-from-one-on-prem-forest-to-another-forest/ (great info here regarding forest change and dirsync)
https://technet.microsoft.com/en-us/library/cc974335(v=ws.10).aspx
http://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html


papa johns bacon cheeseburger pizza

i like trying new things but i also hate disappointment. if i gamble wrong on something new then i just threw away money and on top of that i end up feeling dissatisfied. i was recently in a mood to risk trying a new papa johns pizza. the last time i did this i was disappointed. previously, i tried out the greek pizza which didn’t really seem like an unusual combination of ingredients. yet there was some kind of sauce or seasoning that was adding an extra tanginess flavor…which doesn’t sound bad but when you already have tangy/salty banana peppers with salty pepperoni & black olives…the overall tangy/salty profile is overwhelming. the best i could compare it to would be like a tangy salad dressing (italian-ish)…so it was like italian salad dressing flavored pizza.

last week i tried the new bacon cheeseburger pizza and surprisingly it wasn’t horrible. it has beef, smoked bacon, some kind of burger sauce, tomatoes, and dill pickles. you immediately smell the dill pickles when opening the pizza box. this was okay with me since i like pickles. first bite, it did sort of taste like a cheeseburger. the sauce is apparently cream-based and it tastes like a mix of ketchup and mustard. i think this pizza would probably be gross without the bacon…the smoky flavor of the bacon meshes pretty well with the sauce. whether the bacon is authentically smoked or just sprayed with some chemical smoky flavor…i’m not sure. the tomatoes don’t really add to or take away from the overall flavor…they’re just kind of there. i think more beef on the pizza would have made it better. also kind of surprised that they didn’t incorporate a cheddar cheese blend. i don’t think too many people are having mozzarella on their cheeseburgers.

overall, it wasn’t bad…definitely edible. i did start getting tired of the taste after the 3rd slice so i don’t recommend 1 person eating a large version of this. it’d be better to share it with at least 3 people. would i order it again? doubtful. but…if i was somewhere else and someone ordered it i’d probably eat a slice of it.

it’s something nice to try out of curiosity, but i don’t think it will satisfy cheeseburger lovers or pizza lovers since it’s a weird hybrid of the two.


wireshark filters & other info

quick example:
display filter “ip.src == 10.10.10.10 or ip.dst == 10.10.10.10”
jimmie has pointed out that using “ip.addr == 10.10.10.10” is simpler

ip.addr == 10.10.10.0/24 will list all addresses for a particular network
tcp.port eq 636 will list all entries for a particular port
typing a protocol name such as “ldap” or “ssl” will filter on those protocols

more examples here:
http://wiki.wireshark.org/DisplayFilters

apparently it is possible to decrypt SSL packets if you have the appropriate private key:
https://wiki.wireshark.org/SSL#SSL_dissection_in_Wireshark


exchange 2007: populating distribution group from csv

Import-Csv [path to csv] | ForEach {Add-DistributionGroupMember -Identity [dist group] -Member $_.PrimarySmtpAddress}

the csv would look like so:
PrimarySmtpAddress
user1@mydomain.com
user2@mydomain.com
…and so on…

when rerunning the powershell command above on an updated csv, it will display a quick error for entries that are already dist. group members and continue processing new additions. the above will not process member removals of course.
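an added example (not from the original post) that reconciles a distribution group against a csv with a PrimarySmtpAddress column: it only adds members that are not already present, so reruns produce no errors, and, unlike the one-liner above, it reports or removes members that have dropped out of the csv. it assumes an Exchange Management Shell session (PowerShell 2.0 compatible); the group name and csv path are placeholders.

```powershell
function Sync-DistributionGroupFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Group,
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [switch]$RemoveStale   # off by default: stale members are only reported
    )
    # normalise to lower case so address comparisons are case-insensitive
    $wanted  = @(Import-Csv $CsvPath |
                 ForEach-Object { $_.PrimarySmtpAddress } |
                 Where-Object { $_ } |
                 ForEach-Object { $_.Trim().ToLower() })
    $current = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
                 ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() })

    $toAdd = @($wanted  | Where-Object { $current -notcontains $_ })
    $stale = @($current | Where-Object { $wanted  -notcontains $_ })

    foreach ($addr in $toAdd) {
        if ($PSCmdlet.ShouldProcess($addr, "add to $Group")) {
            Add-DistributionGroupMember -Identity $Group -Member $addr
        }
    }
    foreach ($addr in $stale) {
        if (-not $RemoveStale) {
            Write-Warning "$addr is a member of $Group but is not in $CsvPath"
        } elseif ($PSCmdlet.ShouldProcess($addr, "remove from $Group")) {
            Remove-DistributionGroupMember -Identity $Group -Member $addr -Confirm:$false
        }
    }
    New-Object PSObject -Property @{ Group = $Group; Added = $toAdd.Count; Stale = $stale.Count }
}

# dry run first (-WhatIf prints what would change), then apply with removals enabled
Sync-DistributionGroupFromCsv -Group 'All Staff' -CsvPath 'c:\temp\members.csv' -WhatIf
Sync-DistributionGroupFromCsv -Group 'All Staff' -CsvPath 'c:\temp\members.csv' -RemoveStale
```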

related powershell:
New-DistributionGroup -Name [dist group] -Type Distribution
Remove-DistributionGroup [dist group]
Add-DistributionGroupMember [dist group] -Member [user]
Set-DistributionGroup [dist group] -RequireSenderAuthenticationEnabled $False
Set-DistributionGroup -Identity [dist group] -ManagedBy [user]
Set-DistributionGroup [dist group] -EmailAddresses SMTP:user@mydomain.com
Get-DistributionGroupMember [dist group]
Get-DistributionGroupMember [dist group] | Export-Csv [path to csv]

info from:
http://o365info.com/manage-distribution-groups-by-using/
https://johnacook.wordpress.com/2010/04/19/add-users-to-a-distribution-group-from-a-csv-file-in-exchange-20072010-powershell/
https://exchangemaster.wordpress.com/2010/04/15/add-users-to-a-distribution-group-from-a-csv-file-in-exchange-20072010-powershell/

alternatively, outlook contact groups can be used instead of distribution groups. to import contacts from a csv in outlook go to File->Open->Import. a contact group can then be created based off of the imported contacts.

source: https://support.office.microsoft.com/en-us/article/Create-a-contact-group-from-a-list-of-contacts-in-Excel-4d7ab35c-0bdf-4dc2-8279-477c1a79ab72?CorrelationId=27bb83e7-78ee-45ff-bdbd-0cd4327c1cdd&ui=en-US&rs=en-US&ad=US


cybersecurity news links

https://www.us-cert.gov/ncas
http://www.threatbrief.com
http://www.tripwire.com/state-of-security/
http://www.insidecybersecurity.com
https://www.recordedfuture.com/blog/
http://www.cyberreconnaissance.com
https://blog.cyveillance.com
http://www.datalossdb.org
https://www.fireeye.com/cyber-map/threat-map.html


idrac firmware update: failed to access virtual usb device

on a poweredge r510, i was trying to use the latest DUP to upgrade the idrac firmware and received “failed to access virtual usb device” followed by the update failing to apply. i saw some forum posts saying that having an older version of OMSA installed could cause this. i installed the latest OMSA and it did not resolve this error.

to get past this i ended up going to the virtual media settings in the idrac and setting the status to “detach” instead of “attach”.


unresponsive windows 2012 r2 domain controller

another issue with vmware tools occasionally showing up as “not running”. i’ve definitely pinpointed an issue with vmware tools 5.5u1. i’d recommend not installing this version if it can be avoided. the windows event log listed event id 16001 – “a TDI filter (\driver\vnetflt) was detected. this filter has not been certified by microsoft and may cause system instability.” a google of that revealed the following post: https://communities.vmware.com/thread/464467

the post describes that there’s an issue with the vshield endpoint driver in vmware tools 5.5u1. the issue can be resolved by uninstalling vmware tools and reinstalling but choosing a typical install instead of complete -or- by doing a change on the vmware tools msi and removing the vshield driver.

i have used the change method and am awaiting the results. at this point i’m unsure whether this affects windows server releases other than 2012.

update 2/25/2015:
i’ve encountered a somewhat similar issue with a windows 2008 r2 domain controller…not the same exact problem, but it was still resolved by removing the vshield driver (which is now named the VMCI driver – guest introspection drivers). this particular DC would become unresponsive after a nightly scheduled system state backup. the 5.5u2 version of vmware tools did not resolve the issue which makes me think there is something with the 5.5 release’s vshield driver that simply does not get along with domain controllers.


vcenter operations manager

i went through the process of upgrading vcenter operations manager 5.7.x to 5.8.x today. the process is fairly easy, yet also odd, since it’s a 2 part process.

first install the vcops pak file by going to https://vcops.mydomain.com/admin -> update tab. after the update finished i was unable to login to vcops until i ran the following from the command line:
/usr/lib/vmware-vcops/user/conf/install/resetadminpwd.sh <password>
otherwise i would simply receive “verifying login information” after login and never proceed further
further info: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2078313

after verifying the update is successful, the license for vcops needs to be reapplied. the license can be found under the my vmware portal -> all downloads -> all products -> vsphere w/ operations management. details here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2059123

it’s then recommended to restart vcops services from the admin portal.

part 2 involves upgrading the suse linux OS used by vcops. first upload the pak file via SFTP to the UI VM then run:
/usr/lib/vmware-vcops/user/conf/upgrade/va_sles11_spx_init.sh /data/<pak file>
after the upgrade finishes restart the vapp (vapp power off is the correct method to shutdown a vapp).

source (most important link): https://www.vmware.com/support/vcops/doc/vcops-584-vapp-release-notes.html#upgrade
