I regularly work with multiple Azure Active Directory and Office 365 tenants, recently I wanted to utilise a domain that was attached to a tenant that had expired in December 2015, but did not know how to recover it.

The various portals that you can utilise offer very little guidance.

Azure Active Directory was a little more than useless

AAD Error

but the new Office 365 portal offered hope, with an indication as to which tenant it was attached to.

O365 Clue

So now what are my credentials?

Recover Account

Fortunately there is a link to reset your account details which were emailed to my email address which I added when creating the tenant.

So once I had recovered my credentials then I could access the portal and delete the domain.


If you get the message below, you have objects(users, groups or contacts) in the directory that still have the domain you are trying to delete associated to them.


The domain is now removed and can be utilised in another tenant.




In any Microsoft Active Directory forest, a user can only a member of 1024 groups but after allowing for up to 9 well known SIDS this number is actually 1015.
See KB

If a user exceeds the hard limit of 1015 group memberships they probably will not be able to logon.

  • What do you do to rectify the issue?
  • How do you find out what changed and caused a tipping point?

A quick visual method to see a user’s nested group memberships expanded, is to run the command:

dsget user “CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com” -memberof -expand

If this command returns a short list of groups then the membership of too many groups is probably not an issue, but if the command returns a scrolling list of group memberships then we need to utilise NTDSUTIL. NTDSUTIL has within it a command that you may not even know is there, unless you have this specific issue.

The command is group membership evaluation

At an elevated command prompt.



group membership evaluation

set account DC nameOfDC

set global catalog nameOfDC

set resource dc nameOfDC

run mark.parris is the fqdn of your domain and mark.parris is the username.

The output of this command is a .tsv file and will be found in the path of the prompt (run it from C:\Temp it will be in C:\Temp), this file can be renamed to a .csv.
The report produces a lot of interesting information in a tabular format.

The report will have these column headings.

SID in token
SID type
SID History Count
Distinguished Name
Active Directory Domain Controller Queried
Group Owner
Group Owner SID
WhenCreated (UTC)
WhenChanged (UTC)
Member WhenChanged (UTC)
GroupType WhenChanged (UTC)
One Level MemberOf Count
Total MemberOf Count
Group Type
Depth From User
Closest Parent OU

From the column heading, there are specific columns with timestamps, if these are then sorted upon, it will tell you what group or groups were modified most recently, these changes then need to be understood and reversed or perhaps other legacy group memberships identified and removed.



As I review and update my old consulting notes I have decided to publishing them.
These are by no means definitive and are intended as an ‘aide memoire’.

Comments welcome.

Associated Post: MaxTokenSize – Change of recommendation from Microsoft




Last year at TechED Berlin, I was complaining to the MDOP team that the backspace did not work in the GPMC when AGPM was installed.  It transpires the issue is not with AGPM per se, but with the GPMC.

Yesterday, whilst looking through the new KB’s I discovered this one: BACKSPACE or arrow keys do not work in MMC on a computer that is running Windows 7 or Windows Server 2008 R2 (KB 2466373)

On closer inspection the article is specifically targeting the GPMC

  • You have a computer that is running Windows 7 or Windows Server 2008 R2.
  • You customize a Microsoft Management Console (MMC) that has the Group Policy Management Console (GPMC) snap-in.
  • You select any Group Policy object (GPO), and then you click the Settings tab in the details pane.
  • You select another node in the console tree, and then you use the BACKSPACE or arrow keys to perform some operations.

In this scenario, the BACKSPACE or arrow keys do not work. You have to use the mouse to perform operations.

To resolve the issue a Hotfix is needed which is not included in Service Pack 1.

KB Article is Here.

Back in April as part of the UK TechDays week, I arranged an evening session with Dan Pearson of David Solomon Expert Seminars on Windows Crash Dump Analysis and Windows Performance Troubleshooting and Analysis, everyone who attended thought it was an excellent session and very worthwhile.

Dan is back in London this October to teach the full 5 day course on Windows Operating System Internals, I am thinking of attending and if you have some spare training budget, I would recommend this course without hesitation.

Course Insight.

This class, aimed at both developers and IT Professionals, describes the internals of the Windows operating system kernel (both 32-bit and 64-bit and updated for Windows 7 and Windows Server 2008 R2) and related core components and mechanisms such as memory management, thread scheduling, interrupt processing, time accounting, security, and crash dump analysis. It shows you how to dig into the system with advanced troubleshooting tools, such as the Kernel Debugger and key tools from Sysinternals such as Process Explorer and Process Monitor.

If you’re an IT professionals deploying and supporting Windows servers and workstations, this class will help you help you troubleshoot difficult problems as well as understand the true meaning behind key system performance counters. Developers benefit by being able to understand the platform more deeply, which enables understanding performance trade-offs as well as being able to debug system level issues more effectively.

Full Details can be found here

Microsoft have released version 1.4 of the Sysinternals tool “Active Directory Explorer “.  AD Explorer is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that you can save and re-execute.

Recently I had a couple of issues with Resultant Set of Policy (RSOP) and enabling it to work for IT teams who were not Administrators.

One issue I had was that every time Resultant Set of Policy was run for users with delegated permissions (and on further testing “Domain Admins” too) they all received an error message stating “provider not loaded“.

This transpired to be a relatively simple fix and was nothing to do with delegated permissions.

The Resultant Set of Policy service had been disabled on all domain controllers and to resolve this issue I enabled the Resultant Set of Policy service on all the domain controllers.

The other issue I had was “Access Denied” when selecting the Domain Controller to run the Resultant Set of Policy against, when in planning mode for users with delegated RSOP rights – Administrators functioned correctly.

After some research I discovered Resultant Set of Policy in Planning mode needs some additional DCOM permissions set in order for it to work remotely when not an Administrator.

To enable delegated groups to run Resultant Set of Policy in Planning mode remotely, DCOM permissions on all Domain Controllers need to be amended, this group policy setting needs to be configured and applied to all domain controllers.

DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax

By default the Everyone group only had the permission to execute and activate DCOM locally, where as Domain Admins had local and remote execute and activate permissions.

By adding the group that had the delegation RSOP permissions set and adding to their default permissions the “Remote Activation” right resolved the issue and Resultant Set of Policy (Planning Mode) now functioned remotely for the teams that needed the functionality but are not administrators.

This week saw the UK have its first ever TechDays event (TechDays deliver content similar to that of TechED, but are free and a lot smaller).  As part of the TechDays week Microsoft asked community leads such as myself and Mark Wilson to organise Microsoft technology “fringe events”, but what topic do we chose for the fringe event and who can we get to present?

As good fortune would have it, in February of this year whilst attending the MVP summit in Redmond,  I was interviewed by Joey Snow for edge TV;  after the interview concluded, I found out that Joey was going to be in London for the UK TechDay’s events;  I asked Joey to present for the WSUG, as our TechDays fringe event – Joey agreed and once his very efficient assistant (Charlyn) had confirmed his attendance, we were all set.

On Monday 12th April, many eager IT professionals listened to Joey speak on Windows Server 2008 R2’s BranchCache and the Windows Server 2008 R2 migration toolset. A huge thank you goes out to Joey for doing this from myself, Mark Wilson and the attendees of Monday night’s session.


Branch Cache Deep Dive
Windows Server 2008 R2 Migration Toolset

Moving forward to early March, I received via the bi-weekly TechNet Flash, news that David Solomon Seminars would be teaching a class on Windows Internals in London, during TechDays week; so taking the bull by the horns, I email David Solomon, who puts me in touch with Dan Pearson who is taking the class in London. Dan readily agrees to deliver an evening session on Windows crash dump analysis and performance troubleshooting. – Wow what a session, what a turn out, the content was brilliant, the demos were real and it was so good that the attendees did not want to leave and we only left the the room, when we were kicked out at 9:30pm.   The next time David Solomon seminars are in London and if it fits my schedule, I intend to take Dan’s Windows Internals Class and if there is anyone else looking for a better understanding of how Windows works – I hope to see you there.

The picture above is an example Dan showed us, that by attaching a Debugger to a Windows machine you could alter the Blue Screen of Death to create a Red Screen of Death.


Windows Crash Dump Analysis
Windows Performance Troubleshooting and Analysis – TechDays