
Suricata IDS:

Snort IDS:

Vulnerability mgmt:






SQL Server performance:

SQL Server Video archive:

Database tasks:

T-SQL reference:

SQL performance and troubleshooting:

Microsoft companion (MOC):

Web sites:

Tips and tricks:

PowerShell: import-module SQLPS

Place tempdb on a dedicated disk (RAID 1); do the same for log files (RAID 1 or 10) and database files (RAID 5). Also use a dedicated disk for the OS and a dedicated disk for the SQL Server binaries.

Do a dbcc checkdb before each database backup

Use Buffer pool extension

Enable security: create logins, server roles, then for db: create users, database roles, database perms

Prefer Microsoft service accounts (MSA) to run the SQL services.

Enable SQL audit

Enable DML triggers  (enable logons trigger)

Use SQL Profiler (but it is heavy in terms of performance). Otherwise prefer a (T-SQL) SQL trace (light footprint if well designed).

Design a backup and restore strategy:

  • To back up: full backup + differential backup + transaction log backup + tail-log backup
  • To restore: first restore the full backup (with norecovery) + the last differential (with norecovery) + the latest transaction log (with recovery option) and, if possible, the latest tail log
  • Don’t forget to back up the tail log before starting a restore sequence
  • Preferably use a “backup device” which contains the full, differential and log backups. Then you can back up the “backup device” using the OS backup software (Windows backup, Tivoli SM, Veritas Netbackup…)
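
The restore order described in the list above, as an added PowerShell example (not from the original post): it generates the T-SQL statements from a backup catalog, and goes slightly beyond the list by restoring every log backup taken after the differential, with only the final statement using RECOVERY. The function name `New-RestoreScript`, the database name, the file paths and the timestamps are assumptions constructed for illustration.

```powershell
# Added example: emit the T-SQL for the restore sequence from a backup catalog.
function New-RestoreScript {
    param(
        [Parameter(Mandatory)][string]   $Database,
        [Parameter(Mandatory)][object[]] $Backups,      # objects with Type, Finished, Path
        [string] $TailLogPath                           # where to write the tail-log backup
    )
    $ordered = @($Backups | Sort-Object Finished)
    $full = $ordered | Where-Object { $_.Type -eq 'Full' } | Select-Object -Last 1
    if (-not $full) { throw "No full backup found for database $Database" }

    # Differentials are cumulative: only the latest one taken after the full is needed
    $diff = $ordered | Where-Object { $_.Type -eq 'Diff' -and $_.Finished -gt $full.Finished } |
        Select-Object -Last 1
    $base = if ($diff) { $diff } else { $full }

    # Full, optional differential, then every log backup taken after the base, in time order
    $steps = @($full) + @($diff | Where-Object { $_ }) +
        @($ordered | Where-Object { $_.Type -eq 'Log' -and $_.Finished -gt $base.Finished })

    if ($TailLogPath) {
        # Tail-log backup first; NORECOVERY leaves the database in the RESTORING state
        "BACKUP LOG [$Database] TO DISK = N'$TailLogPath' WITH NORECOVERY;"
        $steps += [pscustomobject]@{ Type = 'Log'; Path = $TailLogPath }
    }
    for ($i = 0; $i -lt $steps.Count; $i++) {
        $verb = if ($steps[$i].Type -eq 'Log') { 'RESTORE LOG' } else { 'RESTORE DATABASE' }
        # Only the last statement recovers the database and brings it online
        $mode = if ($i -eq $steps.Count - 1) { 'RECOVERY' } else { 'NORECOVERY' }
        "$verb [$Database] FROM DISK = N'$($steps[$i].Path)' WITH $mode;"
    }
}

# Constructed catalog: file names and times are sample values
$catalog = @(
    [pscustomobject]@{ Type = 'Full'; Finished = [datetime]'2016-10-02 01:00'; Path = 'D:\Backup\AppDb_full.bak' }
    [pscustomobject]@{ Type = 'Diff'; Finished = [datetime]'2016-10-04 01:00'; Path = 'D:\Backup\AppDb_diff2.bak' }
    [pscustomobject]@{ Type = 'Log';  Finished = [datetime]'2016-10-03 12:00'; Path = 'D:\Backup\AppDb_log1.trn' }
    [pscustomobject]@{ Type = 'Log';  Finished = [datetime]'2016-10-04 12:00'; Path = 'D:\Backup\AppDb_log2.trn' }
)
New-RestoreScript -Database 'AppDb' -Backups $catalog -TailLogPath 'D:\Backup\AppDb_tail.trn'
```

The log backup taken before the differential is skipped because the differential already contains those changes.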

Define maintenance plans:

– Separate the maintenance plans that back up the system databases from those for the other databases (also include the database integrity check “dbcc checkdb” before each backup sequence)

– Separate the maintenance plan that backs up an application database from the maintenance plan that only checks the database health: check database integrity, reorganize indexes, update statistics.







How to change the local NIC adapter on Windows 7 or greater, from Public network to Private network, using PowerShell:

To get NIC settings:

PS C:\windows\system32> get-netconnectionprofile
Name             :
InterfaceAlias   : vEthernet (Connexion Ethernet Intel(R) I217-LM – Virtual
InterfaceIndex   : 17
NetworkCategory  : Public
IPv4Connectivity : Internet
IPv6Connectivity : LocalNetwork

To change the NIC settings to be in private mode:

PS C:\windows\system32> set-netconnectionprofile -InterfaceIndex 17 -NetworkCategory Private

Here is a script to dump the AD extended rights:

AD is mission critical for most enterprises today. Here is an article explaining how to dump the AD extended rights applied to AD objects, in order to audit the results and identify persistent threats or persistent hackers gaining control of AD.

Other resources:

To list all the extended rights available for delegation in Active Directory:

BTA opensource tool from “Airbus industry”:



    Import-Module ActiveDirectory

    function DumpExtendedRight([Microsoft.ActiveDirectory.Management.ADObject] $adobject)
    {
        foreach ($access in $adobject.ntSecurityDescriptor.Access)
        {
            # ignore well-known and normal permissions
            if ($access.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) { continue }
            if ($access.IdentityReference -eq "NT AUTHORITY\SYSTEM") { continue }
            if ($access.IdentityReference -eq "NT AUTHORITY\SELF") { continue }
            if ($access.IsInherited) { continue }

            # check extended right
            if ($access.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
            {
                $right = ""
                # this is the list of dangerous extended attributes
                # see :
                # ObjectType is a [guid]; compare its string form with the GUID strings below
                switch ($access.ObjectType.ToString())
                {
                    "00299570-246d-11d0-a768-00aa006e0529" { $right = "User-Force-Change-Password" }
                    "45ec5156-db7e-47bb-b53f-dbeb2d03c40f" { $right = "Reanimate-Tombstones" }
                    "bf9679c0-0de6-11d0-a285-00aa003049e2" { $right = "Self-Membership" }
                    "ba33815a-4f93-4c76-87f3-57574bff8109" { $right = "Manage-SID-History" }
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" { $right = "DS-Replication-Get-Changes-All" }
                } # end switch

                if ($right -ne "")
                {
                    "$($access.IdentityReference) can act on the permission of $($adobject.DistinguishedName) with extended right: $right"
                } # endif
            } # endif
        } # end foreach
    } # end function

    # -ResultSetSize $null returns every object; this can take a long time on a large directory
    $allobjects = Get-ADObject -Filter * -Properties ntSecurityDescriptor -ResultSetSize $null

    foreach ($adobject in $allobjects)
    {
        DumpExtendedRight $adobject
    }

    # End of Script
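
The same check applied to a security descriptor in SDDL form, as an added example that is not part of the original script: it also reports an allow ACE that carries the extended-right bit with no object GUID, which grants every extended right and which a GUID-only match does not report. The function name `Find-ExtendedRightAce`, the SDDL string and the SIDs are constructed for illustration; the GUID list is the one from the script above.

```powershell
# Added example: flag risky extended-right ACEs in an SDDL string (Windows only).
$DangerousRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '45ec5156-db7e-47bb-b53f-dbeb2d03c40f' = 'Reanimate-Tombstones'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'Self-Membership'
    'ba33815a-4f93-4c76-87f3-57574bff8109' = 'Manage-SID-History'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$ControlAccess = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL

function Find-ExtendedRightAce {
    param([Parameter(Mandatory)][string] $Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Same filters as the script above: allow ACEs only, explicit, not SYSTEM or SELF
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        if ($ace.IsInherited) { continue }
        if ($ace.SecurityIdentifier.Value -in 'S-1-5-18', 'S-1-5-10') { continue }
        if (-not ($ace.AccessMask -band $ControlAccess)) { continue }

        # An ACE without an object type applies to every extended right at once
        $guid = [guid]::Empty
        if ($ace -is [System.Security.AccessControl.ObjectAce] -and
            ($ace.ObjectAceFlags -band [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent)) {
            $guid = $ace.ObjectAceType
        }
        $right = if ($guid -eq [guid]::Empty) { 'ALL extended rights' } else { $DangerousRights[$guid.ToString()] }
        if ($right) {
            [pscustomobject]@{ Trustee = $ace.SecurityIdentifier.Value; Right = $right }
        }
    }
}

# Constructed sample: one listed right, one blanket CR ACE, one SYSTEM ACE that is ignored
$sample = 'D:(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
          '(A;;CR;;;S-1-5-21-1111111111-2222222222-3333333333-1106)' +
          '(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;SY)'
Find-ExtendedRightAce -Sddl $sample
```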



With my business laptop running Windows 10 enterprise, I experienced a problem with a START Menu not working, Cortana not working. After googling I found this method which works fine in my case:

Before you proceed, you may want to create a system restore point first, so that you can revert back, if you find that the results are not what you expected.

1) Run the following command in an elevated command prompt, to run the System File Checker.

sfc /scannow

Restart after the scan is over and see if it helped.

2) Repair Windows Image. Open an elevated CMD copy-paste the following and hit Enter

Dism /Online /Cleanup-Image /RestoreHealth

Restart after the scan is over and see if it helped.

3) Make Start full screen and back. Enable Tablet Mode and Start Screen and then go back. See if this toggling has helped.

4) Use the Windows 10 Start Menu Troubleshooter from Microsoft.

5) Open an elevated PowerShell window.

NOTE: After the November Update, if you use this method  to fix this problem using the Appx PowerShell cmdlet, it may break your Windows Store apps. But if you have installed Windows 10 Anniversary Update, it is working now.

To open an elevated PowerShell prompt, type PowerShell in taskbar Search, and in the result ‘Windows Powershell’ which appears, right-click and select Run as administrator.

Type the following and press Enter:

Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Also rename the c:\users\<>\AppData\Local\TileDataLayer directory to c:\users\<>\AppData\Local\TileDataLayer_old

NOTE: after correction remove the _old directory

6) If Cortana or Taskbar search is not working, open Task Manager > File menu > Run new task. Type powershell and select the Create this task with administrative privileges check box and click OK. See this post if your Taskbar is not working in Windows 10.

When you try to start the Windows 10 update assistant on Windows 10 Enterprise, the tool stops at the beginning, during the check of the operating system.

To upgrade to Windows 10 build 1607 (also called the Anniversary Update), go to the MVLS web site (the Microsoft Volume Licensing web site) and download the latest Windows 10 Enterprise version. Boot from the DVD or USB containing this new version and perform an upgrade.


I found another solution that actually works for Windows 10 Enterprise without the need to have an account on MVLS to download the new ISO file. First of all make sure you have a backup of your DATA. Then follow these steps below:
1. Open regedit.exe and navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion
2. Change ProductName to Windows 10 Professional
3. Change EditionID to Professional
4. Navigate now to HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion
5. Change ProductName to Windows 10 Professional
6. Change EditionID to Professional
7. Close regedit.exe (no need to restart)
8. Start the Windows 10 Pro installation from your installation media. (Download the Media Creation tool from Microsoft – or and click on the Download Tool now)
9. Do the upgrade, will download and install, keep all files & settings.
10. Will reboot several times, once finished, log back in with your Microsoft Account and it will automatically link your enterprise key to the install and you will be back on Enterprise Edition and have Build 1607 installed.


How Domain and Forest trusts work:

EMC ISILON SID translation errors:


Actions to do:

Check Trust relationships

Check firewall logs and use portqry to test the required ports. Also use the nltest and netdom command lines.

Check GPO: Network access: Allow anonymous SID/Name translation

and  The following groups have the “Access this Computer from the Network” permission on domain controllers by default:

Authenticated Users

Microsoft Ignite 2016 conference – announcements:

  • Office with Tap & Quick Start
  • Yammer integrated with Office 365 Groups
  • SharePoint (SharePoint team site, library sync, Android & Windows app)
  • Skype for Business on Mac
  • Instant transcription in Skype Broadcast
  • PSTN Calling in preview in France

Office at Ignite :

Other announcements regarding Office 365:

Office 365

Connect to expertise and content with new people experiences throughout Office 365

Applying intelligence to security and compliance in Office 365


Skype for Business




SharePoint and OneDrive

  • Major OneDrive updates at Ignite 2016 include SharePoint Online sync preview
  • Announcing Feature Pack 1 for SharePoint Server 2016—cloud-born and future-proof
  • Enhanced conditional access controls, encryption controls and site classification in SharePoint and OneDrive
  • Enriching the mobile and intelligent intranet with team news, apps for Android and Windows and more

Tasks to force removal of Exchange 2013

The tasks to force removal of Exchange 2013 are:

The most common reasons are listed below:

  • The uninstallation didn’t finish properly and left attributes or entries in Active Directory
  • The Exchange server is permanently offline and Exchange should be removed
  • An Exchange installation didn’t finish properly and the attributes and entries should be removed

To remove the server open ADSIEdit and go to configuration


CN=Microsoft Exchange
CN=Microsoft Exchange Autodiscover

CN=Default naming context,DC=MYDOMAIN,DC=LOCAL
CN=Microsoft Exchange Security Groups
CN=Microsoft Exchange Security Objects

IIS: Start inetmgr
DELETE the Exchange Back End and Front End websites with the IIS-Manager:

ecp (-> Exchange Control Panel)
EWS (-> Exchange Web Services)
Microsoft-Server-ActiveSync (-> Exchange Active Sync)
OAB (-> Offline Addressbook)
owa (-> Outlook Web App)
Rpc (-> Remote Procedure Calls)


Also don’t forget to remove the application pools (MSExchange*)


Remove the local computer certificates (MMC, certificates snap-in, computer store)

AD Users and Computers:
DELETE the following users in the “Users” container:

DiscoverySearch Mailbox{GUID}
Exchange Online-ApplicationAccount

DELETE the key “ExchangeServer” under:

DELETE the keys “MSExchange*” under:

Hard Disk directories:
On the server’s hard disk you have to DELETE the Exchange Server installation folder.
Usually it’s C:\Program Files\Microsoft\Exchange Server

and c:\ExchangeSetupLogs

remove also d:\ mailboxes or other Exchange logs / monitoring directories

Cleanup Recycle bin

Final reboot


When trusted sites are managed by GPO we can’t even view what servers are trusted using IE menu Tools > Internet Options > Security > Servers because the UI is disabled and won’t let you scroll down:

To solve this problem, from a PowerShell prompt in admin mode:

$(Get-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey").Property

$(Get-Item "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey").Property
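
The two commands above list only the site names. As an added example (not from the original post), the function below also reads each value and decodes it into the zone it assigns, for both hives, and skips a hive where no policy is set. The function name `Get-ZoneMapAssignment` is an assumption made for illustration; the zone numbers are the standard Internet Explorer security zones.

```powershell
# Added example: decode the GPO-managed "Site to Zone Assignment List" entries.
$ZoneNames = @{
    '0' = 'My Computer'
    '1' = 'Local intranet'
    '2' = 'Trusted sites'
    '3' = 'Internet'
    '4' = 'Restricted sites'
}

function Get-ZoneMapAssignment {
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }          # no policy set in this hive

        foreach ($site in $key.Property) {
            # Each value name is a site pattern, each value is the zone number
            $zone = [string]$key.GetValue($site)
            $name = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
            [pscustomobject]@{ Hive = $hive; Site = $site; Zone = $name }
        }
    }
}

Get-ZoneMapAssignment | Sort-Object Zone, Site | Format-Table -AutoSize
```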