Can I change custom attributes in EO once user lost EO license ? (Hybrid env.)

Answer is yes, you can, however not to the any value you want. If your organization sync AD extensibleAttributes to EO, and use them for some advance filtering etc. could be problem once user lost EO license and some change in extensibleAttributes in AD happens (usually you do some cleanup of values, or you replace original value by some neutral which means user is not active etc. ). This change is not sync to EO anymore, because user is missing EO license (O365 license).
Result can looks like this: in AD extansibleAttribute1 = “” , in EO customAttribute1 = “Marketing”

This could be the problem when you use Dynamic Distribution Groups which have members based on customAttributes . User does not have license, and customAttributes still show in EO original values from AD from age of success AD sync.

There are some ways how to solve it. You coul add back EO license to the user and wait for sync which will change the value/’s in customAttributes in EO, or setup/cleanup values in AD in extensibleAttributes, wait for Azure AD sync (this action requires that user without EO license is still sync to Azure !) and setup same value in EO via powershell 🙂 , yes simple, but sometime can head may spin:)

Delegate permission to manage „User cannot change password“ in User ‚Account Options‘

Hey, have you noticed, when you delegate write permissions for nt_SecurityDescriptor, you still cannot change an option ‚User cannot change password‘ ? When you try mark this option and save, all looks fine, because you can save it, but once you open user account properties again, you see that option ‚User cannot change password‘ is blank :\ . This is cause by missing permission to add ‚Everyone‘ – DENY in security Tab. Yes, you also must have permission to modify permission of user object. If you do not want to give Full permission, you must explicitly add and allow ‚modify permissions‘

User Object – Account Options

ADLDS and Password Policies

Have you ever thought about how password policies are managed in ADLDS ? This short article will describe how it works.

When host server of the ADLDS instance is domain member, domain password policies are applied.  Host server in workgroup is using local password policies. To ignore inherited domain password policies can be done by using ADSIEdit.
Open ADSIEdit and connect to the Configuration naming context on the LDAP server., please find path below.

On the object:
CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={guid},
there is a multi-valued attribute called msDS-Other-Settings. The attribute ADAMDisablePasswordPolicies has by default value 0, set value to 1 means disable inheritance from domain and start using local password policies of the host server.

GPMC Search Item – with „User Configuration“ it does not work


Today I  opened GPMC on the Windows Server 2019 Preview and really after long time I tried to use Search Item in GPMC console. I was surprised that Search Item with User Configuration did not allow me to add any condition. Please check in the picture below. It is suprise that same behavior I can see on S2K12R2, Windows 10 and etc….so it is nothing new :(. I spent some time with searching on  internet than I found TechNet article about it.  –

Because I did not find any advice except article above I believe that more articles about this bug (or what it is) could be useful.

All what is necessary to do is open REGEDIT , go to this path (go to the part of registry, where OS has Client Side Extension for GPO) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4D2F9B6F-1E52-4711-A382-6A8B1A003DE6}]

click on GPextension with number above and choose export ! Yes, we should backup this key, because it should be our first step before we do any change in registry.


When we have backup, right click on GPExtension {4D2F9B6F-1E52-4711-A382-6A8B1A003DE6} again and choose „Permissions….“  perform 3 steps describes in the pictures. Change owner to your account used for logon. After we change owner, full control „Access“ should be visible for our new owner.


Now we have to change Default value of REG_SZ which is empty. We have to put there this string RemoteApp and Desktop Connections , lets check picture below


Now is necessary close GPMC and open this console again. Try to use Search Item and choose User Configuration, now it should be ok 🙂 . Tested and for me it is working 🙂 . Thanks



Active Directory on Windows Server version(DFL, FFL) – new features

 List of changes with Domain and Forest functional levels

2008 Domain functional level:

  • Multiple password policies per domain
  • User-viewable last logon information
  • Increased Kerberos encryption
  • DFS replication for SYSVOL shares

2008 R2 Domain functional level:

  • Better and more automated service account management
  • Security logs and access lists based on authentication type

2008 R2 Forest functional level:

  •  AD „recycle bin“

2012 R2 Domain functional level:

  • Restricted admin mode – Mstsc /restrictedadmin (it is not store admin passwordon remote desktop to LSA)
  • LSA Protection
  • Protected user groups
  • Authentication Polices
  • Silos (management for authentication polices)
  • Kerberos Armoring

2012 R2 Forest functional level:

  • nothing

2016 domain functional level:

All default Active Directory features, all features from the Windows Server 2012R2 domain functional level, plus the following features:

  • DCs can support rolling a public key only user’s NTLM secrets.
  • DCs can support allowing network NTLM when a user is restricted to specific domain-joined devices.
  • Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID. – >
  • Temporary Group Membership : It requires to enable the Privileged Access Management Feature in Windows Server 2016 forest

For more information see ‚What’s New in Kerberos Authentication and What’s new in Credential Protection‘

2016 forest functional level:

All of the features that are available at the Windows Server 2012R2 forest functional level, and the following features, are available:

  • Privileged access management (PAM) using Microsoft Identity Manager (MIM)
  • (PAM) Groups membership expiration, (PIM)Shadow Security Principals )