Trustworthy computing: non-SDL view

Take notice: My new feed address is now Please re-subscribe. Well, finally it is my time to scold Microsoft. I’m not a fan of this type of self-promotion, still I believe that the only way to move forward is to receive, process and answer some constructive criticism. So let’s begin: Several years ago Microsoft announced its widely-known Trustworthy Computing initiative (actually, they just celebrated its 10th anniversary). I probably don’t have to remind you of the goals and means of the initiative; they can all be found without any problems. Anyway, this letter doesn’t pretend to be some … Continue reading Trustworthy computing: non-SDL view


Yep. Speaking. I’m speaking at TechEd Russia. This time it is more than 3000 people, 150 events and so on and so forth. And I’m going to be a part of this IT feast. I’ll be delivering a session about implementing a role-based system of infrastructure administration in an MS-based environment. Hopefully some of you will attend by chance, though English speakers don’t usually visit our Russian events. While being quite sure I did what I’m going to describe to my listeners, I’m also aware that every infrastructure has its own features and can give us very … Continue reading Speaking…

Delegate permissions for creating GPO objects in other domain

The task is obviously necessary to complete on your way to implementing the Role-Based Administration concept. And, to be honest, being in euphoria after a quick acquaintance with AGPM, I thought that it was no deal at all: give an account or a group membership in some special groups including “Group Policy Creator Owners” and voila – you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. And moreover, you are unable to change that fact: everything is dimmed. At least I don’t know a way … Continue reading Delegate permissions for creating GPO objects in other domain

%SystemRoot%\System32 Secrets: AzMan

To be honest, I had been thinking of it as some unneeded tool for quite a long time before I had a close look at the console and its abilities. I was wrong. It is a really powerful instrument to manage or delegate permissions for an application. It is so powerful that I’m only teasing you in this article, before creating one or more big articles about it. Imagine, you need a person to have full control over some Hyper-V virtual machine, including the right to delete it, but the only thing he or she is not to do … Continue reading %SystemRoot%\System32 Secrets: AzMan

Delegating something… “I don’t see the attribute I want to delegate!”

As I have been dealing with some delegation tasks recently, I had to recall some basic stuff. Actually, it took me two occasions of “suddenly missing attributes” to take the problem seriously and find out that “filtered attributes” can be related not only to RODCs =,,) So, the situation generally looks like the following: you are trying to delegate permissions for an attribute in AD through the Delegation wizard and find out that you cannot, because you don’t see the attribute in the wizard. Let me show you an example. Suppose I’m trying to delegate permissions for … Continue reading Delegating something… “I don’t see the attribute I want to delegate!”

Delegating authority over a DNS zone

I’m back. Sorry for such a long absence: all those conferences and MVP gatherings take too much endurance, though they are very useful and pleasant. But now I’m really back, and today we will delegate control over one of our DNS zones (without granting control over the whole DNS server or even AD) to, say, a junior administrator. It is obvious that we can just give him the necessary rights for the zone using the permissions tab in its properties menu: but that still doesn’t give you the right to connect to your DNS server through the MMC console: What shall we do to give … Continue reading Delegating authority over a DNS zone