Guardians of the Directory is the podcast for everything Active Directory security, management, and recovery. Join us as we dive into best practices, recent security events, listener Q&As, and expert interviews to equip you with the skills needed to protect your AD environment. Whether you’re an IT pro or a cybersecurity enthusiast, each episode delivers actionable insights to help you stay informed and secure. Become a Guardian of the Directory and tune in to strengthen your defenses!

Guardians of the Directory
by Guardian of the Directory
Language
English (United States)
Publishing Since
11/14/2024
Recent Episodes

August 21, 2025
Hybrid Identity is Broken: Rethinking AD, Entra ID & the Bridge in Between
<p>Welcome to another episode of Guardians of the Directory, where we pull back the curtain on the real-world challenges in securing and managing Active Directory and hybrid identity environments. In this episode, Craig Birch is joined by <strong>Sander Berkouwer</strong>, identity veteran, Microsoft MVP, and author of the Active Directory Administration Cookbook, to have a brutally honest conversation about hybrid identity – and why it's more than just "messy"... it's <strong>broken</strong>.</p><p>💡 <strong>Key Takeaways:</strong></p><ul><li><p>Why Hybrid AD isn't just two directories, and how the real architecture adds a third (and sometimes fourth) layer of identity confusion.</p></li><li><p>What’s really going wrong with Entra Connect Sync, delegated permissions, PowerShell lifecycle issues, and administrative sprawl.</p></li><li><p>ADFS: still lingering, or finally on its way out? Why some orgs are stuck with legacy federation even today.</p></li><li><p>The harsh truth about identity governance: the promise of Entra ID Governance, and the licensing challenges that come with it.</p></li><li><p>What’s actually working for organizations today — and why baby-stepping IAM might be your smartest move yet.</p></li><li><p>The real impact of role sprawl, just-in-time access challenges, and why elevated rights still haunt hybrid AD deployments.</p></li><li><p>Fix or Fail: Craig and Sander rapid-fire common hybrid identity practices and decide what stays and what needs to go.</p></li><li><p>The one thing Sander would fix today if he could: a surprising insight into replication and its ripple effect on the hybrid identity stack.</p></li></ul><p>🔧 Whether you're wrestling with federation headaches, struggling to consolidate IAM platforms, or just trying to get a handle on delegation and privilege creep, this episode lays out the problems — and a few practical ways forward.</p>

June 26, 2025
Blueprinting Zero Trust: From Strategy to Execution with Jerry Chapman
<p>Welcome back to Guardians of the Directory! In this episode, Craig Birch is joined once again by Zero Trust expert Jerry Chapman for a deep dive into the Zero Trust Blueprint—a practical model to help organizations shift from theory to execution. Jerry shares insights from his work as Co-Chair of the CISA Zero Trust Working Group and provides a clear framework covering assessment, strategy, roadmap development, and execution phases.</p><p>Together, they explore:</p><ul><li><p>The critical role of business assets and protect surfaces</p></li><li><p>The importance of session management, privileged access, and standing-permission hygiene in Active Directory</p></li><li><p>Common pitfalls organizations face as they mature their Zero Trust implementations</p></li><li><p>How Zero Trust applies equally to human and non-human identities (including AI!)</p></li><li><p>The value of visibility, automation, and governance in maintaining Zero Trust momentum</p></li></ul><p>If you're looking for a realistic, actionable guide to embedding Zero Trust in your enterprise—and especially within Active Directory environments—this episode is your blueprint.</p><p><strong>Resources Mentioned:</strong></p><ul><li><p>CISA Zero Trust Maturity Model</p></li><li><p>CISA Zero Trust Working Group</p></li><li><p>Microsoft Entra PIM</p></li><li><p>Next-gen IGA and Certificate Lifecycle Management</p></li></ul><p><strong>Guest Bio:</strong><br>Jerry Chapman is a cybersecurity veteran with over 25 years of experience in identity and Zero Trust. He serves as a Co-Chair for the CISA Zero Trust Working Group and is a recognized thought leader in strategy-driven security.</p>

May 1, 2025
AdminSDHolder in Active Directory: Hidden Risks and Persistent Threats
<p>In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down the often-misunderstood AdminSDHolder object in Active Directory and why it's a high-value target for attackers. Learn how the SDProp process copies the AdminSDHolder ACL onto protected groups and their members—and how misconfigurations or legacy permissions on that one object can open the door to persistent access across every privileged account.</p><p>🔍 <strong>What you’ll learn:</strong></p><ul><li><p>What AdminSDHolder and SDProp really do</p></li><li><p>Why this object matters for securing protected groups</p></li><li><p>How attackers abuse it for persistence</p></li><li><p>How to identify dangerous ACLs and misconfigurations</p></li><li><p>PowerShell tips to simplify your audit</p></li></ul><p>🛠️ PowerShell script to audit AdminSDHolder will be posted in the video description/comments.</p><p>💡 If AdminSDHolder is compromised, your admin model is too.</p><p>Subscribe for more quick-hit insights on Active Directory and Entra ID security.</p><p><strong>PowerShell:</strong></p><pre><code class="language-powershell">Import-Module ActiveDirectory

# Extended-right GUIDs that together grant DCSync:
# DS-Replication-Get-Changes, DS-Replication-Get-Changes-All,
# DS-Replication-Get-Changes-In-Filtered-Set
$dcsyncGUIDs = @(
    [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    [Guid]"89e95b76-444d-4c62-991a-0facbeda640c"
)

# Noisy identities to ignore (present in the default AdminSDHolder DACL)
$noisyAccounts = @(
    "NT AUTHORITY\SELF",
    "NT AUTHORITY\SYSTEM",
    "NT AUTHORITY\Authenticated Users",
    "NT AUTHORITY\INTERACTIVE",
    "BUILTIN\Pre-Windows 2000 Compatible Access",
    "Everyone"
)

# AdminSDHolder ACL retrieval
$domainNC = (Get-ADDomain).DistinguishedName
$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"
$adminSDHolder = Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor
$acl = $adminSDHolder.nTSecurityDescriptor

# Admin group membership mapping (recursive, so nested members are included)
function Get-AdminGroupMembers {
    param([string[]]$groupNames)
    $members = @()
    foreach ($name in $groupNames) {
        $group = Get-ADGroup -Identity $name
        $members += Get-ADGroupMember -Identity $group.DistinguishedName -Recursive |
            ForEach-Object { $_.SamAccountName }
    }
    return $members | Sort-Object -Unique
}

$adminGroups = @("Domain Admins", "Enterprise Admins", "Administrators")
$adminMembers = Get-AdminGroupMembers -groupNames $adminGroups

# True when the ACE carries the whole right. GenericAll and GenericWrite are
# composite masks, so a bare -band test would match any ACE that shares a
# single bit with them (ReadProperty, ListChildren, ...) and mislabel it;
# require the full mask instead.
function Test-Right {
    param($rights, [string]$rightName)
    $mask = [System.DirectoryServices.ActiveDirectoryRights]$rightName
    return (($rights -band $mask) -eq $mask)
}

# Rights that are risky on AdminSDHolder, in the order used for labelling
$riskyRights = @("GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                 "CreateChild", "Delete", "DeleteTree", "ExtendedRight")

# Filter risky, non-default ACEs
$dangerousACEs = $acl.Access | Where-Object {
    $ace = $_
    $ace.AccessControlType -eq "Allow" -and
    -not ($noisyAccounts -contains $ace.IdentityReference.Value) -and
    [bool]($riskyRights | Where-Object { Test-Right $ace.ActiveDirectoryRights $_ })
}

# Output
$dangerousACEs | Select-Object `
    IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType,
    @{Name="ACEType"; Expression={
        $ace = $_
        $label = $riskyRights | Where-Object { Test-Right $ace.ActiveDirectoryRights $_ } |
            Select-Object -First 1
        if ($label -eq "ExtendedRight" -and ($dcsyncGUIDs -contains $ace.ObjectType)) { "DCSync" }
        elseif ($label) { $label }
        else { "Other" }
    }},
    @{Name="IsAdminGroupMember"; Expression={
        $sam = $_.IdentityReference.Value.Split("\")[-1]
        $adminMembers -contains $sam
    }} |
    Format-Table -AutoSize
</code></pre>
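The episode's script audits the AdminSDHolder DACL, the template that SDProp stamps onto protected groups and their members. The following is an added example, not code from the episode, that checks the other side of the same mechanism: objects that still carry adminCount=1 and an inheritance-blocked DACL although they are no longer in any protected group. SDProp sets adminCount and blocks inheritance but never reverses either, so such orphans are either former admins left with an over-hardened ACL or the trace of an account an attacker temporarily placed in a protected group. The protected-group list is the Windows Server 2008 and later default (adjust it if dSHeuristics excludes the operator groups); the function names Get-ExpectedProtectedObjects, Get-OrphanedAdminCountObjects, Repair-OrphanedAdminCountObject and Invoke-SDProp are this example's own. It assumes the ActiveDirectory module with its AD: drive, read access to the domain and, for the repair step, write rights on the affected objects.

```powershell
# Added example (not from the episode): find SDProp "orphans", repair them on
# request, and force an SDProp run. Assumes the ActiveDirectory module (RSAT)
# and its AD: drive; the function names are this example's own.
Import-Module ActiveDirectory

# Default SDProp-protected groups (Windows Server 2008 and later). Adjust if
# dSHeuristics excludes the operator groups. Administrator and krbtgt are
# protected too and are added below by well-known RID.
$protectedGroups = @(
    "Account Operators", "Administrators", "Backup Operators", "Domain Admins",
    "Domain Controllers", "Enterprise Admins", "Print Operators",
    "Read-only Domain Controllers", "Replicator", "Schema Admins", "Server Operators"
)

function Get-ExpectedProtectedObjects {
    # DNs of everything SDProp should currently be stamping: the protected
    # groups, their members (recursively), Administrator (RID 500) and krbtgt (RID 502).
    $domain = Get-ADDomain
    $dns = New-Object System.Collections.Generic.HashSet[string]
    foreach ($name in $protectedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root,
        # so look the group up by filter rather than failing on -Identity.
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }
        [void]$dns.Add($group.DistinguishedName)
        Get-ADGroupMember -Identity $group.DistinguishedName -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$dns.Add($_.DistinguishedName) }
    }
    foreach ($rid in 500, 502) {
        $acct = Get-ADUser -Identity "$($domain.DomainSID.Value)-$rid"
        [void]$dns.Add($acct.DistinguishedName)
    }
    # The template object itself is never an orphan.
    [void]$dns.Add("CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)")
    return ,$dns      # leading comma stops PowerShell unrolling the set
}

function Get-OrphanedAdminCountObjects {
    # adminCount=1 objects with no remaining protected-group membership.
    $expected = Get-ExpectedProtectedObjects
    Get-ADObject -LDAPFilter "(adminCount=1)" -Properties adminCount, nTSecurityDescriptor, whenChanged |
        Where-Object { -not $expected.Contains($_.DistinguishedName) } |
        Select-Object DistinguishedName, ObjectClass, whenChanged,
            @{Name="InheritanceBlocked"; Expression={ $_.nTSecurityDescriptor.AreAccessRulesProtected }}
}

function Repair-OrphanedAdminCountObject {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Undo what SDProp did: clear adminCount and re-enable ACL inheritance so
    # the object falls back under its OU's delegation model.
    Set-ADObject -Identity $DistinguishedName -Clear adminCount
    $objAcl = Get-Acl -Path "AD:\$DistinguishedName"
    $objAcl.SetAccessRuleProtection($false, $true)   # inherit again, keep explicit ACEs
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $objAcl
}

function Invoke-SDProp {
    # Trigger SDProp now instead of waiting for the 60-minute cycle. The task
    # runs on the PDC emulator, so write the rootDSE operational attribute there.
    $pdc = (Get-ADDomain).PDCEmulator
    $rootDSE = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDSE.Put("RunProtectAdminGroupsTask", 1)
    $rootDSE.SetInfo()
}

# Report only. After review, call Repair-OrphanedAdminCountObject for each
# confirmed orphan DN, then Invoke-SDProp: anything still protected is re-stamped.
Get-OrphanedAdminCountObjects | Format-Table -AutoSize
```

Review the report before repairing anything: a member reached only through a path Get-ADGroupMember cannot resolve (a cross-domain member or foreign security principal) shows up as a false positive, and running Invoke-SDProp after a repair is the check that the object really was an orphan, because a still-protected object gets adminCount=1 and the AdminSDHolder ACL back within the same run.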
19 total episodes available
Frequently asked questions
Have a different question and can't find the answer you're looking for? Reach out to our support team by sending us an email and we'll get back to you as soon as we can.
- What is Guardians of the Directory?
- How often does this podcast release new episodes?
This podcast updates weekly.
- Where can I listen to this podcast?
This podcast is available on 7 platforms including Apple Podcasts, Spotify, and more. You can also use the RSS feed directly.
- Does this podcast accept guests?
Information about guest appearances is not available.
Legal Disclaimer
Pod Engine is not affiliated with, endorsed by, or officially connected with any of the podcasts displayed on this platform. We operate independently as a podcast discovery and analytics service.
All podcast artwork, thumbnails, and content displayed on this page are the property of their respective owners and are protected by applicable copyright laws. This includes, but is not limited to, podcast cover art, episode artwork, show descriptions, episode titles, transcripts, audio snippets, and any other content originating from the podcast creators or their licensors.
We display this content under fair use principles and/or implied license for the purpose of podcast discovery, information, and commentary. We make no claim of ownership over any podcast content, artwork, or related materials shown on this platform. All trademarks, service marks, and trade names are the property of their respective owners.
While we strive to ensure all content usage is properly authorized, if you are a rights holder and believe your content is being used inappropriately or without proper authorization, please contact us immediately at hey@podengine.ai for prompt review and appropriate action, which may include content removal or proper attribution.
By accessing and using this platform, you acknowledge and agree to respect all applicable copyright laws and intellectual property rights of content owners. Any unauthorized reproduction, distribution, or commercial use of the content displayed on this platform is strictly prohibited.
