Latest Entries »

How to remove a DFS namespace server if not accessible:

in the example below; I have a DFS root called dfsroot and two domain controllers not accessible.

how to remove those namespace servers from a command line because dfsmgmt.msc cannot do it:


dfsutil diag unmapdomroot \\my.domain.local\dfsroot \\dcserver1\dfsroot

dfsutil diag unmapdomroot \\my.domain.local\dfsroot \\dcserver2\dfsroot



C:\Windows\System32\inetsrv\appcmd.exe set config /section:applicationPools /[name=’myapppool’].processModel.identityType:SpecificUser /[name=’myapppool’].processModel.userName:’mydomain\user1′ /[name=’myapppool’].processModel.password:’PassW0rd’

Message Header analyzer

How to troubleshoot email message:

plug-in for outlook:




This will simplify the lineup of troubleshooting tools available for Outlook while at the same time provide the same level of Outlook scanning capabilities as OffCAT. In addition, SaRA also offers several enhancements including the ability to identify and fix specific issues with Outlook, Office Setup, OneDrive for Business, and several other Office programs.

Which OffCAT features are not found today in SaRA?

The OffCAT team migrated the most frequently used features to SaRA. Here are the features that were not migrated and links to alternative resources (if available).

Note, SaRA does provide scenarios that identify and address issues with the following Office programs:

  • Outlook
  • Office Setup and Activation
  • OneDrive for Business
  • Skype for Business
  • KMS client activation

To troubleshoot KMS activation issues, we recommend these resources:
Troubleshoot volume activation for Office 2016
Troubleshoot volume activation for Office 2013

  • Real-time logging


Querying the Windows Security Account Manager (SAM) remotely via the SAM-Remote (SAMR) protocol against their victim’s domain machines, allows the attackers to get all domain and local users with their group membership and map possible routes within the victim’s network. Recently, some frameworks (e.g. BloodHound) have automated that mapping process.

By default, the SAM can be accessed remotely (via SAMR) by any authenticated user, including network connected users, which effectively means that any domain user is able to access it. Windows 10 had introduced an option to control the remote access to the SAM, through a specific registry value. On Windows Anniversary update (Windows 10 Version 1607) the default permissions were changed to allow remote access only to administrators. An accompanying Group Policy setting was added, which gives a user-friendly interface to alter these default permissions.

SAMR: Remote Querying of SAM

The Security Account Manager Remote Protocol (SAMR) exposes the security accounts manager database for a remote authenticated domain user. It does so for both local and domain accounts. There are five objects that are exposed by the protocol; server, domain, group, alias and user. All these objects can be updated and read, and some (user, group and alias) can also be created and deleted.

Flow and Usage

The basic flow of using the SAMR protocol is as such:

  1. Connect to a server (the remote machine).
  2. Enumerate/lookup the server for domains.
  3. Open the domain of interest.
  4. Lookup a user or alias/group in the domain.
  5. Open the user/alias of interest.
  6. Query the user/alias of interest.

There are a few tools that utilize these API calls, such as Net User/Group, PowerSploit’s Get-NetLocalGroup and Imapcket’s SAMRdump. Net User and Net Group are Windows built-in command line tools. With these tools an authenticated user can add or modify and display information on users or groups respectively on the local machine or its domain controller. The Get-NetLocalGroup queries a remote machine for its local groups (including the “Administrators” and “Users” groups). SAMRdump, queries the target machine for its local users (using the EnumDomainUsers on the target machine). MicrosoftATA detects the use of such query and alerts the security administrator about it.

Hardening SAM Remote access:




GPO – backup all

To backup all GPOs: Backup-Gpo -All -Path \\myserver\gpobackup

Understanding the precedence of Retention policy with Security&Compliance center and the other O365 applications

Office 365 groups retention and expiration:

retention policy define with Security&Compliance wins

After expiration (inactivity days), the o365 group will be soft deleted and can be recovered in the next 30 days, except if a retention policy is greater. The owner(s) will be informed 30 days,15 days,1 day before group expiration.


Onedrive data deletion and retention:

by default 30 days