Core Infrastructure and Security Blog

Active Directory Hardening Series - Part 7 – Implementing Least Privilege

JerryDevore
Jan 16, 2025

Hi all! Jerry here again to continue the AD hardening series. This time I want to address the concept of least privilege as it applies to Active Directory. Of the three principles of Zero Trust (verify explicitly, least privilege, assume breach), least privilege is the most achievable using native Active Directory features. It is also a concept that was well established before Windows domains were introduced. Some organizations did a great job minimizing administrative access from day one, but sadly they were the exception. While we are far more disciplined when granting privileged access today, most domains have a couple of decades of accumulated delegated access that needs to be reviewed and revoked where no longer justified. Today I want to walk you through areas typically reviewed during an assessment of Active Directory security as it relates to minimizing privilege.

Why hyper focus on privileged accounts?  

When I deliver workshops on credential hygiene, I generally lead off with this diagram to illustrate that the initial access methods can be a moving target, but the pursuit of credentials is a constant.  If we can prevent attackers from acquiring useful credentials we can disrupt the rest of their playbook.  Accomplishing that involves minimizing the number of privileged accounts, restricting where privileged accounts are exposed (Tier model), deploying Privileged Admin workstations (PAWs), and implementing the protocol hardening settings covered in this series.  

 Service Accounts 

Overprivileged service accounts are far too common. While governance for service accounts has greatly improved in recent years, many organizations still have opportunities to remediate service accounts provisioned before we became disciplined in this area. Placing service accounts in the Domain Admins group is a textbook example of not adhering to the principle of least privilege. This was sometimes done out of convenience and other times due to a lack of clarity regarding the application's true requirements. Once an application has been deployed, it can be very difficult to "right-size" the privileges of the service account, but it is a necessary step.  

For the record, organizations that have held the line on minimal service account privileges have found ways to scan for vulnerabilities, deploy security updates, and perform Active Directory backups without placing accounts in Domain Admins or equivalent groups. Before you agree to purchase such products, clarify the requirements for the solution. Vendors are far more likely to figure out how to adhere to least privilege before the sale than after.

As you remediate overprivileged service accounts, prioritize accounts with a Service Principal Name (SPN) since they are vulnerable to Kerberoasting attacks. Any such account that cannot have its privileges reduced should be enabled for AES and given a strong password.  
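One way to build that priority list, as an added example that is not part of the original post: it reports enabled SPN-bearing user accounts, whether each is a direct or nested member of Domain Admins, and whether AES is enabled on it. It assumes the RSAT ActiveDirectory module; the variable names and report columns are this example's own.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and an account that can read the domain.
Import-Module ActiveDirectory

$AesMask = 0x18   # msDS-SupportedEncryptionTypes: AES128 (0x08) + AES256 (0x10)

# Domain Admins is located by its well-known RID (512) so a renamed or
# localized group is still found.
$domainSid = (Get-ADDomain).DomainSID.Value
$daDn      = (Get-ADGroup -Identity "$domainSid-512").DistinguishedName

# Enabled user objects with at least one SPN (krbtgt is disabled by default,
# so the "not disabled" clause already skips it).
$spnFilter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
             '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Same population narrowed to direct or nested members of Domain Admins, using
# the LDAP_MATCHING_RULE_IN_CHAIN matching rule. Membership held only through
# primaryGroupID is not visible to memberOf and is not covered here.
$daFilter       = "(&(servicePrincipalName=*)(memberOf:1.2.840.113556.1.4.1941:=$daDn))"
$inDomainAdmins = @(Get-ADUser -LDAPFilter $daFilter | ForEach-Object { $_.DistinguishedName })

$props = 'servicePrincipalName', 'adminCount', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet'

$report = Get-ADUser -LDAPFilter $spnFilter -Properties $props | ForEach-Object {
    $enc = [int]$_.'msDS-SupportedEncryptionTypes'      # unset attribute becomes 0
    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        InDomainAdmins  = $inDomainAdmins -contains $_.DistinguishedName
        # adminCount=1 is only a hint: it can remain set after an account
        # has been removed from a protected group.
        AdminCount      = ($_.adminCount -eq 1)
        AesEnabled      = ($enc -band $AesMask) -ne 0
        PasswordAgeDays = if ($_.PasswordLastSet) {
                              [int]((Get-Date) - $_.PasswordLastSet).TotalDays
                          } else { $null }
        SpnCount        = @($_.servicePrincipalName).Count
    }
}

# Review order: Domain Admins first, then accounts without AES, then oldest passwords.
$report |
    Sort-Object @{ Expression = 'InDomainAdmins';  Descending = $true },
                @{ Expression = 'AesEnabled';      Descending = $false },
                @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Format-Table -AutoSize
```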

Local admin on devices  

In the early days of Active Directory, withholding local administrative rights on endpoints was often done to prevent configuration drift and the installation of unlicensed software.  Today the position is primarily driven by security risks.  Without local administrative privilege it is very difficult for malicious software to be accidentally installed.  Additionally, interacting with LSASS memory where credentials are stored requires the Debug programs right which by default is limited to Administrators.  

Withholding local administrative rights on endpoints is another area where we are seeing considerable improvement. However, there are often exceptions for select users like developers and system administrators. While it is great to see this progress, any exception should be thoroughly scrutinized to determine if it is necessary or just convenient. For context, consider these scenarios:

| User Profile | Configuration | Scenario | Blast Radius |
| --- | --- | --- | --- |
| Developer | A standard desktop is used for writing code along with productivity work. The developer is a member of the Administrators group in order to install tools. | The developer visits a compromised website and unknowingly installs software (drive-by download) that gives the attacker command and control (C2) of the device. The attacker uses the access to manipulate the code project. | The project containing the malicious binaries is deployed to production servers, giving the attacker access to sensitive data and credentials. |
| Help desk | The help desk group has been added to the Administrators group of all endpoints. | A user creates a support case after opening a link in a phishing email. The help desk agent makes an RDP connection to the device, which exposes the support credential to the adversary. | The attacker uses the credential to move laterally across all endpoints in the domain. |

User Right Assignments  

The User Rights Assignment (URA) settings in the Default Domain Controllers Policy are often bloated with delegations that have accumulated since the first domain controller was promoted.  A quick review will often reveal privileges granted to defunct accounts, the IUSR account and other difficult to justify delegations.  

To understand Microsoft's best practice for URAs on Domain Controllers, I suggest you download the Windows Server 2022 Security Baseline and review the group policy report named MSFT Windows Server 2022 - Domain Controller. Better yet, you could use Policy Analyzer to compare your environment to the baseline as explained in this article.

The need to review and harden URAs is not limited to Domain Controllers.  The same review should be performed for all domain-joined devices.  

Group Policy Delegations  

Once adversaries acquire privileged credentials, they often use native tools to accomplish their objectives.  Manipulation of existing GPOs is a perfect example of such "Living off the Land" techniques.  This threat can be compounded by delegating GPO management rights across various support groups.   While decentralized GPO management can make operational tasks seem more efficient, it comes at a price.    

The group named Group Policy Creator Owners has contributed to this issue.  Members of the group can create new GPOs for which they will have full control.  The net result is distributed GPO management permissions which can give an attacker many options to deliver a payload via a GPO.  As a result, the use of Group Policy Creator Owners is no longer recommended.  Instead, operational processes to minimize policy delegations should be implemented.  Historically the Advanced Group Policy Management tool was Microsoft's solution for centralized GPO management but extended support for AGPM will end in April of 2026.  In light of that you may want to consider a 3rd party tool that offers similar features.  

If you are on the fence about addressing this issue, I recommend you consider that by default any authenticated user can read the ACLs of GPOs. An attacker can use any victim's account to quickly determine which accounts can modify a GPO. From there they just need to acquire one of those desktop, helpdesk or similar support accounts.

Organizational Unit Delegations   

OU delegations are another area where privileges seem to accumulate over time.  Sometimes these delegations have been well thought out and implemented.  Other times they are the result of a less structured approach.   Below are some examples of elevated permissions that can be useful to an adversary. 

 

  • Reset passwords 
  • Join devices to the domain 
  • Read confidential attributes 
  • Create and modify groups 
  • Create and modify user accounts 
  • Create and modify computer accounts 
  • Link GPOs 
  • Replicate Directory Changes - All (the permission required to replicate passwords from a domain controller, used by DCSync)

The Delegation of Control Wizard in Active Directory Users and Computers makes it very easy to grant new permissions on OUs.  However, it has no functionality to easily identify what has been custom delegated or revoke the granted rights.  A free tool to review what has been delegated is AD ACL Scanner which was written by Robin Granberg.  AD ACL Scanner has many features that I think you will find useful as you review your domain and look for ways to remediate permissions applied to OUs.    
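For a quick scripted pass alongside a dedicated tool, the following added example (not part of the original post and unrelated to AD ACL Scanner) lists explicit, non-inherited Allow ACEs that grant change-type rights on the domain root and every OU, and separately reports who holds the replication rights on the domain root. It assumes the RSAT ActiveDirectory module; `Get-DelegatedAce` and the `$expected` list of default principals (English names) are hypothetical and need tuning for your domain.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module, which also supplies the AD: drive that Get-Acl reads from.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain

# GUID -> name lookup so an ACE reads as a class, attribute or right name.
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[([guid]$_.rightsGuid).ToString()] = $_.displayName }

# Control access rights used for directory replication.
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # Replicating Directory Changes
             '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'    # Replicating Directory Changes All

# Assumption: principals whose ACEs are expected by default. Adjust to taste.
$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins",
    "$($domain.NetBIOSName)\Domain Controllers"
)

# Rights that change the directory; read-only ACEs are ignored.
$changeRights = [int][System.DirectoryServices.ActiveDirectoryRights]`
    'CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, WriteDacl, WriteOwner'

function Get-DelegatedAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $changeRights) -ne 0) -and
            $expected -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            $type = $_.ObjectType.ToString()
            [pscustomobject]@{
                Object     = $DistinguishedName
                Principal  = $_.IdentityReference.Value
                # A raw SID means the account no longer resolves (defunct).
                Unresolved = $_.IdentityReference.Value -like 'S-1-*'
                Rights     = $_.ActiveDirectoryRights
                TypeGuid   = $type
                AppliesTo  = if ($_.ObjectType -eq [guid]::Empty) { 'all' }
                             elseif ($guidName.ContainsKey($type)) { $guidName[$type] }
                             else { $type }
            }
        }
}

$targets  = @($domain.DistinguishedName) +
            @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
$findings = $targets | ForEach-Object { Get-DelegatedAce -DistinguishedName $_ }

# Replication rights on the domain root: specific grants, or "all extended rights".
$findings | Where-Object {
    $_.Object -eq $domain.DistinguishedName -and
    ([int]$_.Rights -band 0x100) -and
    ($replGuids -contains $_.TypeGuid -or $_.AppliesTo -eq 'all')
} | Format-Table Principal, Rights, AppliesTo -AutoSize

# Everything else, grouped by who holds the delegation.
$findings | Sort-Object Principal, Object |
    Format-Table Principal, Unresolved, Object, Rights, AppliesTo -AutoSize
```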

Privileged Groups  

Minimizing membership of privileged groups is a fundamental step in adhering to the principle of least privilege. While removing unnecessary accounts from these groups might be perceived as a lack of trust in individuals and taken personally, it's important to consider the broader context of credential theft and lateral movement. The issue is more about trust in devices rather than individuals. Those who understand these risks are usually quick to relinquish any level of privilege that exceeds what is necessary for their roles. As you work on reducing your privileged group memberships, it's helpful to communicate that the primary concern is device trust.  

When planning the membership of privileged groups, it is beneficial to distinguish between service administration and data administration. Service administration, as the name suggests, involves operational support for Active Directory Domain Services, including tasks such as promoting and supporting domain controllers, managing replication, and updating the schema. These tasks necessitate membership in the built-in privileged groups and cannot be delegated more granularly. On the other hand, data administration encompasses the management of users, groups, password resets, GPOs, and attributes, all of which can be delegated without relying on the built-in groups.  

The table below lists the built-in groups that carry the most privilege and should be given priority when performing a Tier 0 access review.

| Group Name | Recommendation |
| --- | --- |
| Account Operators | The Account Operators group does not map well to how organizations operate. More appropriate delegations can be implemented to more granularly control the management of objects. As a result, the recommendation is to leave this group empty. |
| Administrators | Given that Administrators grants full control of the Domain Controller's OS, membership should be limited to accounts responsible for operational support of directory services. Due to nesting, there is no need for members of Domain Admins to also be direct members of Administrators. |
| Backup Operators | To minimize privilege, leave Backup Operators empty and create a special purpose service account that has the URAs Back up files and directories and Restore files and directories. |
| Domain Admins | Membership should be limited to resources responsible for operational support of domain controllers. |
| Enterprise Admins | In multi-domain forests this group is nested in the Administrators group of every domain. When a centralized team is responsible for all domains, this group is often used to minimize the number of accounts an Active Directory administrator would need to possess. However, it is important to consider the blast radius if such an account were compromised. |
| Group Policy Creator Owners | As previously mentioned, this group allows members to create new GPOs for which they will have full control. Given that this will result in decentralized management of GPOs, it is recommended to leave this group empty and pursue other solutions to minimize accounts that can manage group policies. |
| Print Operators | Domain Controllers should never host print queues or have the print spooler service enabled. In addition to having no members, Print Operators should have the URAs Load and unload device drivers and Allow log on locally removed from the Default Domain Controllers policy. |
| Remote Desktop Users | Remote desktop privileges should be limited to accounts used to perform service administration of Active Directory. Additionally, network connectivity to the RDP service (3389) on domain controllers should be restricted using firewall rules or IPsec. |
| Schema Admins | Schema modification is a very rare event. This group should remain empty and only be populated when actively extending the schema. |
| Server Operators | Members of this group can perform junior admin tasks on domain controllers, including starting and stopping services, managing network shares and managing backups. This group does not align with how Active Directory service administration is performed today. As a result it should remain empty, and the URAs Allow log on locally, Back up files and directories, Change the system time, Force shutdown from a remote system, Restore files and directories and Shut down the system should be removed from it in the Default Domain Controllers policy. |

The following groups are considered to be equivalent to Tier 0 given they could be used in some manner to elevate privileges. Membership of these groups should also be minimized and monitored for modification.

| Group Name | Recommendation |
| --- | --- |
| Incoming Forest Trust Builders Group | Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this domain. By default, this group has no members. |
| Key Admins Group | This group is granted write access to the msDS-KeyCredentialLink attribute of user and computer objects in a domain, which is used to store public keys related to Passwordless authentication such as Windows Hello for Business. The group should be limited to accounts that administer WHFB keys and similar Passwordless key pair credentials. |
| Enterprise Key Admins Group | This group is the same as Key Admins except the scope is the forest instead of just a domain. |
| Network Configuration Operators Group | This domain group grants the ability to manage TCP/IP and other network configuration settings on domain controllers. It could be used to enable an AiTM attack by manipulating name resolution and IP routing. |
| Read-only Domain Controllers Group | This group should only contain actual RODCs, assuming you must have RODCs. Additionally, some third-party products are designed to be in the group in order to emulate a RODC. The security risks introduced by such solutions should be fully evaluated. |
| Replicator Group | This is a legacy group that previously was used for Sysvol replication. By default, it has no members and should remain empty. |
| Storage Replica Administrators Group | This group can manage storage replicas on domain controllers. By default, this group has no members and should remain empty. |
| System Managed Accounts Group | This is a new group introduced with Server 2016. By default, the only member is the default account. This group should not have its membership manually modified. |
| Certificate Service DCOM Access Group | Members of this group can connect to certification authorities in the enterprise. By default it is empty. Typically, only PKI administrators need to be added as members of this group. |
| Allowed RODC Password Replication Group | Members in this group can have their passwords replicated to all read-only domain controllers in the domain. Privileged accounts should not be members. |
| Cert Publishers Group | Members of this group are permitted to publish certificates to the directory. Membership should be limited to the accounts intended to be used for publishing certificates, such as PKI administrators. Additionally, the computer accounts of the Enterprise CAs need to be in this group. |
| Cloneable Domain Controllers Group | Membership of this group should be limited to domain controllers you wish to clone. |
| Cryptographic Operators Group | Members are authorized to perform cryptographic operations. Membership should be limited to accounts that require this right for Certificate Services administration. |
| Distributed COM Users Group | Members are allowed to launch, activate and use Distributed COM objects on domain controllers. |
| DnsUpdateProxy Group | This group is intended to be used by DHCP servers which are registering DNS records on behalf of DHCP clients. The group should only include those DHCP servers. |
| DnsAdmins Group | Group used to delegate management of DNS zones. This group was not introduced until Server 2003. Prior to then it was common to add an account to Domain Admins in order to manage DNS (e.g. Infrastructure team). Zones created before Windows 2003 need to have the ACLs updated to delegate access to this group. |
| Domain Controllers Group | This group has the extended right Replicating Directory Changes All. Members can replicate account passwords using that permission. Membership should be limited to domain controllers. |
| Enterprise Read-only Domain Controllers Group | This group has the extended right Replicating Directory Changes and should be limited to RODCs. Given RODCs are not without risks, careful consideration should be given before deploying RODCs. |
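To check a domain against the two tables above, this added example (not part of the original post) reports direct members of the groups the post recommends leaving empty, and accounts that are direct members of both Domain Admins and Administrators. It assumes the RSAT ActiveDirectory module; groups are looked up by well-known SID so renamed or localized groups are still found.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$root   = Get-ADDomain -Identity (Get-ADForest).RootDomain
$dSid   = $domain.DomainSID.Value
$rSid   = $root.DomainSID.Value

# Groups the post recommends leaving empty. Schema Admins lives only in the
# forest root domain, so it carries its own server to query.
$shouldBeEmpty = @(
    @{ Name = 'Account Operators';              Sid = 'S-1-5-32-548' }
    @{ Name = 'Server Operators';               Sid = 'S-1-5-32-549' }
    @{ Name = 'Print Operators';                Sid = 'S-1-5-32-550' }
    @{ Name = 'Backup Operators';               Sid = 'S-1-5-32-551' }
    @{ Name = 'Replicator';                     Sid = 'S-1-5-32-552' }
    @{ Name = 'Storage Replica Administrators'; Sid = 'S-1-5-32-582' }
    @{ Name = 'Group Policy Creator Owners';    Sid = "$dSid-520" }
    @{ Name = 'Schema Admins';                  Sid = "$rSid-518"; Server = $root.DNSRoot }
)

$emptyCheck = foreach ($g in $shouldBeEmpty) {
    $server = if ($g.Server) { $g.Server } else { $domain.DNSRoot }
    try {
        $grp     = Get-ADGroup -Identity $g.Sid -Server $server -Properties member -ErrorAction Stop
        $members = @($grp.member)      # direct members only (distinguished names)
        [pscustomobject]@{
            Group   = $g.Name
            Status  = if ($members.Count -gt 0) { 'POPULATED' } else { 'empty' }
            Members = $members -join ' | '
        }
    } catch {
        # The group does not exist in this domain (older domains lack some of them).
        [pscustomobject]@{ Group = $g.Name; Status = 'not found'; Members = '' }
    }
}
$emptyCheck | Format-Table -AutoSize -Wrap

# Domain Admins is nested in Administrators, so an account that is a direct
# member of both holds a redundant grant. The built-in Administrator account is
# a direct member of both by default and will be listed.
$administrators = @((Get-ADGroup -Identity 'S-1-5-32-544' -Properties member).member)
$domainAdmins   = @((Get-ADGroup -Identity "$dSid-512"    -Properties member).member)

$redundant = $administrators | Where-Object { $domainAdmins -contains $_ }
$redundant | ForEach-Object {
    [pscustomobject]@{ DirectMemberOfBoth = $_ }
} | Format-Table -AutoSize
```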

Kerberos Delegation  

Kerberos Delegation enables an account or device to acquire Kerberos service tickets on behalf of another account.  It is often referred to as Kerberos Double Hop authentication and is regularly explained using a diagram like this one.  

 

   

An overly simplified explanation of the flow is: 

 

  1. The IIS server has been "trusted for delegation". The user connects to the IIS server using a Kerberos service ticket previously acquired and also provides a copy of its TGT.
  2. An application running on the IIS server needs to connect to the SQL server as the user, so it presents the user's TGT to the domain controller and requests a service ticket for the SQL server.
  3. The IIS server presents the service ticket to the SQL server and is authenticated in the context of the user's account.

In a perfect world this architecture works great. The user has an SSO experience and is only able to access the data it has been granted in the SQL database. However, in the real world web servers sometimes get compromised, which could allow an adversary to acquire service tickets to other SPN-enabled resources by leveraging the user's shared TGT.

To mitigate that risk, we want to "constrain" or limit the delegation to select target SPNs.  This screenshot shows an example of constrained delegation which limits CONTOSO-WEB1 delegation to the SQL SPN set on the CONTOSO-DB1 computer account.  If CONTOSO-WEB1 was to be compromised, the attacker could still acquire service tickets to the CONTOSO-DB1 but not for any other targets.   

 

When Active Directory was first introduced an account was either trusted (unconstrained) or not trusted for delegation.  Constrained delegation was introduced with Windows 2003 and Server 2012 R2 took things a step further with Resource-based constrained delegation (RBCD) which allows the trust to be configured on the backside service rather than the frontend service.  Additionally, RBCD was designed to work over trust relationships.  The following PowerShell queries can be used to locate any computer or user object that has been trusted for unconstrained delegation.  If you discover any such objects they should be reconfigured for constrained delegation.  

 

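```powershell
# Computer accounts in Domain Computers (primary group 515) trusted for unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and PrimaryGroupID -eq 515} -Properties TrustedForDelegation, ServicePrincipalName, Description

# User accounts trusted for unconstrained delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation, ServicePrincipalName, Description
```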

 

In most cases, privileged accounts used to administer Active Directory do not access applications that require Kerberos delegation. As a result, least privilege can be imposed on those accounts by configuring the option Account is sensitive and cannot be delegated. Once enabled, the account is incapable of sharing a copy of its TGT with a device that has been trusted for delegation (unconstrained or constrained).
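The added example below (not part of the original post) goes one step beyond the unconstrained-delegation queries: it inventories all three delegation styles in one pass and lists enabled privileged accounts that do not yet have Account is sensitive and cannot be delegated set. It assumes the RSAT ActiveDirectory module and uses adminCount=1 as a heuristic for "privileged"; the report columns are this example's own.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits used below
$TrustedForDelegation       = 0x80000     # unconstrained delegation
$TrustedToAuthForDelegation = 0x1000000   # constrained delegation with protocol transition

# 1) Every object with any form of delegation configured. Domain controllers
#    (primaryGroupID 516) are trusted for delegation by design and are skipped.
$delegFilter = '(&(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
               '(msDS-AllowedToDelegateTo=*)' +
               '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))' +
               '(!(primaryGroupID=516)))'
$delegProps  = 'userAccountControl', 'msDS-AllowedToDelegateTo',
               'msDS-AllowedToActOnBehalfOfOtherIdentity'

$delegation = Get-ADObject -LDAPFilter $delegFilter -Properties $delegProps | ForEach-Object {
    $uac  = [int]$_.userAccountControl
    $rbcd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'   # security descriptor or $null
    [pscustomobject]@{
        Name               = $_.Name
        ObjectClass        = $_.ObjectClass
        Unconstrained      = ($uac -band $TrustedForDelegation) -ne 0
        ProtocolTransition = ($uac -band $TrustedToAuthForDelegation) -ne 0
        # Constrained delegation: SPNs this front end may request tickets for.
        ConstrainedTo      = @($_.'msDS-AllowedToDelegateTo') -join '; '
        # RBCD: principals this back end allows to delegate to it.
        RbcdTrusts         = if ($rbcd) {
                                 @($rbcd.Access | ForEach-Object { $_.IdentityReference.Value }) -join '; '
                             } else { '' }
    }
}
$delegation | Sort-Object Unconstrained -Descending | Format-Table -AutoSize -Wrap

# 2) Enabled accounts with adminCount=1 that can still be delegated, that is,
#    without "Account is sensitive and cannot be delegated" (0x100000 = 1048576).
#    adminCount can stay set after an account leaves a protected group, so
#    treat the result as a review list.
$privFilter = '(&(objectCategory=person)(objectClass=user)(adminCount=1)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=1048576)))'

# Members of Protected Users (RID 525) are also blocked from delegation,
# so membership is shown next to each account.
$protectedDn = $null
try {
    $sid = "$((Get-ADDomain).DomainSID.Value)-525"
    $protectedDn = (Get-ADGroup -Identity $sid -ErrorAction Stop).DistinguishedName
} catch {
    # Group not present in this domain; the column below will read False.
}

Get-ADUser -LDAPFilter $privFilter -Properties memberOf | ForEach-Object {
    [pscustomobject]@{
        SamAccountName   = $_.SamAccountName
        InProtectedUsers = [bool]($protectedDn -and (@($_.memberOf) -contains $protectedDn))
    }
} | Sort-Object InProtectedUsers, SamAccountName | Format-Table -AutoSize
```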

 

 

Exchange Permissions 

When Exchange was first integrated with Active Directory (Exchange 2000), a shared permission model was the only option, which gave Exchange servers and Exchange administrators the ability to create and manage objects along with elevated permissions on the domain controllers. At the time, Domain and Exchange administration was often performed by the same team, so there was little concern about violating the principle of least privilege. Eventually those responsibilities began to diverge to separate teams, and the concept of split permissions was introduced with Exchange 2010 SP1. Organizations that will continue to have on-prem Exchange servers are encouraged to implement Active Directory split permissions, which will change how some operational processes are performed, such as creating mailbox users or managing distribution groups. RBAC split permissions is another alternative, but it does not provide the same level of privilege reduction for the Exchange objects (Exchange Trusted Subsystem, Exchange Servers group, Organization Management).

For a time, it was necessary to keep an Exchange server on-prem to perform recipient management even after all mailboxes were moved to Exchange Online.  That is no longer a requirement due to a new set of Exchange Management Tools.  Organizations who adopt the new tools can remove any remaining Exchange servers and then use the CleanupActiveDirectoryEMT.ps1 script to remove the Exchange related permissions from Active Directory.    

If the Exchange shared permission cannot be removed, the Exchange Servers and Exchange administrators should be considered Tier 0 rather than Tier 1. 

Credential Vaulting  

In discussions about revamping privileged access, the concept of credential vaulting often comes up. Credential vaults can be a key component of a privileged account management solution, but how and where you use your account while it's checked out still matters. Consider this scenario:  

  • 3:00 AM - CONTOSO-FS1 (file server) is compromised. Malicious software is installed that will ship off newly acquired credentials to the adversary. 
  • 9:00 AM - Joe Admin checks out his Domain Admin account from the vault which required multi-factor authentication (MFA). 
  • 11:00 AM - Joe Admin logs on to CONTOSO-FS1 to manage some file share permissions. 
  • 11:01 AM - The adversary receives a message containing the NTLM hash of Joe's account. 
  • 11:30 AM - The adversary uses Joe's account to perform a DCSync attack, replicating the credentials of all domain user objects (including service accounts). 
  • 5:00 PM - Joe finishes his workday and his account goes back in the vault. 
  • 11:00 PM - Joe calls it a day and sleeps well knowing his Domain Admin account is in the vault. 
  • 8:00 AM - Joe returns to the office and is informed of a total compromise of Active Directory. 
  • 8:30 AM - Joe cancels any vacation plans he had for the next three months.

 

Hopefully my example illustrates that imposing security tiers for accounts and devices is still relevant, even with a credential vaulting solution. A few observations from it are: 

  • Proper hardening and monitoring via an Endpoint Detection and Response (EDR) product would have helped mitigate the initial compromise of CONTOSO-FS1. 
  • Joe exposed a Tier 0 account to perform a Tier 1 function. He should have used a separate account to manage Tier 1 devices. 
  • MFA secured the check-out of the account but provided no protection against passing the hash once the account was used. 
  • If Joe had been a member of the Protected Users group, authentication would have been limited to Kerberos, and the NTLM hash would not have been in the LSASS memory of CONTOSO-FS1. 
  • Adversaries pursue multiple forms of persistence to ensure they retain access. By the time Joe's account was checked back in, the adversary had already acquired alternative privileged credentials.

User Account Control  

User Account Control is a security feature which can minimize the privilege used to launch processes. It is based on a split token model where privileged users begin their session with a full and a low privilege token, as depicted in the diagram below. Processes are launched by default using the low privilege token but can switch to the high privilege token with consent. To be clear, this is a defense-in-depth measure that is not intended to displace other security controls or credential hygiene practices.

Microsoft baselines recommend the following UAC settings be implemented on domain controllers.

| Setting name | Domain Controller Recommendation (Server 2022 baseline) | Default Setting |
| --- | --- | --- |
| Admin Approval Mode for the Built-in Administrator account | Enabled | Not defined |
| Allow UIAccess applications to prompt for elevation without using the secure desktop | | Disabled |
| Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | Prompt for consent for non-Windows binaries (default) |
| Behavior of the elevation prompt for standard users | Automatically deny elevation requests | Prompt for credentials |
| Detect application installations and prompt for elevation | Enabled | Enabled |
| Only elevate executables that are signed and validated | | Disabled |
| Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled |
| Run all administrators in Admin Approval Mode | Enabled | Enabled |
| Switch to the secure desktop when prompting for elevation | | Enabled |
| Virtualize File And Registry Write Failures To Per User Locations | Enabled | Enabled |

 

Hopefully this information will help you review your Active Directory environment and identify opportunities to reduce excessive privileges.  As you plan your remediations just keep these Do's and Don'ts in mind.  

  • Do utilize tools to help you perform a deep scan of your environment.  Microsoft Unified customers have access to the On-Demand Active Directory Security Assessment as part of their contract.  If that is not an option, there are some nice 3rd party assessment tools that are either free or low cost. 
  • Don't be afraid to take action once you discover issues.  Test the changes in an isolated environment to raise your comfort level.  Once you have documented your rollback plan move forward with securing your environment. 
  • Do document the changes you make.  That will help with troubleshooting if something does not go as planned. 
  • Do proactively monitor for changes in privileged access. 
  • Do mark privileged accounts and groups as "sensitive" if you are using Defender for Identity (MDI).  MDI is already aware of which built in privilege groups are sensitive but you will need to let it know about any user, group or device that you have delegated privilege. 
Updated Jan 16, 2025
Version 1.0
me":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"GroupHubsPage","type
":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/ca
seportal/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ForumMessagePage","type":"FORUM_TOP
IC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"loca
lOverride":null,"page":{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"HealthCheckPage","type":"COMMUNITY","urlPath":"/health","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typ
ename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1746563193414,"localOverride":null,"page":{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}","userBanned":"We're sorry, but you have been banned from using this site.","userBannedReason":"You have been 
banned for the following reason: {reason}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc","height":512,"width":512,"mimeType":"image/png"},"Rank:rank:4":{"__typename":"Rank","id":"rank:4","position":6,"name":"Microsoft","color":"333333","icon":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}"},"rankStyle":"OUTLINE"},"User:user:199458":{"__typename":"User","id":"user:199458","uid":199458,"login":"JerryDevore","deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xOTk0NTgtMjE2MTAzaTQ5NzZEMDQ5RUJBQjQzNzc"},"rank":{"__ref":"Rank:rank:4"},"email":"","messagesCount":48,"biography":null,"topicsCount":8,"kudosReceivedCount":146,"kudosGivenCount":30,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2018-09-20T13:07:12.214-07:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":0},"Category:category:cis":{"__typename":"Category","id":"category:cis","entityType":"CATEGORY","displayId":"cis","nodeType":"category","depth":4,"title":"Core Infrastructure and Security","shortTitle":"Core Infrastructure and 
Security","parent":{"__ref":"Category:category:microsoft-security"}},"Category:category:top":{"__typename":"Category","id":"category:top","entityType":"CATEGORY","displayId":"top","nodeType":"category","depth":0,"title":"Top","shortTitle":"Top"},"Category:category:communities":{"__typename":"Category","id":"category:communities","entityType":"CATEGORY","displayId":"communities","nodeType":"category","depth":1,"parent":{"__ref":"Category:category:top"},"title":"Communities","shortTitle":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","entityType":"CATEGORY","displayId":"products-services","nodeType":"category","depth":2,"parent":{"__ref":"Category:category:communities"},"title":"Products","shortTitle":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","entityType":"CATEGORY","displayId":"microsoft-security","nodeType":"category","depth":3,"parent":{"__ref":"Category:category:products-services"},"title":"Microsoft Security","shortTitle":"Microsoft Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:CoreInfrastructureandSecurityBlog":{"__typename":"Blog","id":"board:CoreInfrastructureandSecurityBlog","entityType":"BLOG","displayId":"CoreInfrastructureandSecurityBlog","nodeType":"board","depth":5,"conversationStyle":"BLOG","repliesProperties":{"__typename":"RepliesProperties","sortOrder":"REVERSE_PUBLISH_TIME","repliesFormat":"threaded"},"tagProperties":{"__typename":"TagNodeProperties","tagsEnabled":{"__typename":"PolicyResult","failureReason":null}},"requireTags":true,"tagType":"FREEFORM_ONLY","description":"","title":"Core Infrastructure and Security Blog","shortTitle":"Core Infrastructure and Security 
Blog","parent":{"__ref":"Category:category:cis"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":{"__ref":"Community:community:gxcuf89792"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:communities"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:products-services"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:microsoft-security"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:cis"}}]},"userContext":{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"theme":{"__ref":"Theme:customTheme1"},"boardPolicies":{"__typename":"BoardPolicies","canViewSpamDashBoard":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","args":[]}},"canArchiveMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","key":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","args":[]}},"canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","args":[]}}},"eventPath":"category:cis/category:microsoft-security/category:products-services/category:communities/community:gxcuf89792board:CoreInfrastructureandSecurityBlog/"},"BlogTopicMessage:message:4366626":{"__typename":"BlogTopicMessage","uid":4366626,"subject":"Active Directory Hardening Series - Part 7 – Implementing Least 
Privilege","id":"message:4366626","revisionNum":5,"repliesCount":1,"author":{"__ref":"User:user:199458"},"depth":0,"hasGivenKudo":false,"board":{"__ref":"Blog:board:CoreInfrastructureandSecurityBlog"},"conversation":{"__ref":"Conversation:conversation:4366626"},"messagePolicies":{"__typename":"MessagePolicies","canPublishArticleOnEdit":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","args":[]}},"canModerateSpamMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","args":[]}}},"contentWorkflow":{"__typename":"ContentWorkflow","state":"PUBLISH","scheduledPublishTime":null,"scheduledTimezone":null,"userContext":{"__typename":"MessageWorkflowContext","canSubmitForReview":null,"canEdit":false,"canRecall":null,"canSubmitForPublication":null,"canReturnToAuthor":null,"canPublish":null,"canReturnToReview":null,"canSchedule":false},"shortScheduledTimezone":null},"readOnly":false,"editFrozen":false,"moderationData":{"__ref":"ModerationData:moderation_data:4366626"},"teaser":"","body":"

For the record, organizations that have held the line on minimal service account privileges have found ways to scan for vulnerabilities, deploy security updates, and perform Active Directory backups without placing accounts in Domain Admins or equivalent groups. Before you agree to purchase such products, clarify the requirements for the solution. Vendors are far more likely to figure out how to adhere to least privilege before the sale than after.

As you remediate overprivileged service accounts, prioritize accounts with a Service Principal Name (SPN) since they are vulnerable to Kerberoasting attacks. Any such account that cannot have its privileges reduced should be enabled for AES and given a strong password.
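
One way to build that remediation list, as an added example that is not part of the original post: the script ranks enabled or disabled user accounts that carry an SPN by privileged group membership, AES configuration and password age. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name and the default group list are choices made for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): rank SPN-bearing user accounts for remediation.

# msDS-SupportedEncryptionTypes bit flags: 0x08 = AES128, 0x10 = AES256
$script:AesMask = 0x08 -bor 0x10

function Get-SpnAccountReview {
    [CmdletBinding()]
    param(
        # Assumption: groups treated as privileged for this report; adjust for your domain.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    # Resolve nested membership once so indirectly privileged accounts are caught.
    $privileged = @{}
    foreach ($group in $PrivilegedGroups) {
        # Enterprise Admins and Schema Admins only exist in the forest root, so errors are tolerated.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            $dn = $m.distinguishedName
            if (-not $privileged.ContainsKey($dn)) {
                $privileged[$dn] = [System.Collections.Generic.List[string]]::new()
            }
            $privileged[$dn].Add($group)
        }
    }

    # krbtgt always carries an SPN and is excluded from the review.
    $accounts = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet

    $rows = foreach ($a in $accounts) {
        $enc = [int]$a.'msDS-SupportedEncryptionTypes'   # unset attribute becomes 0
        [pscustomobject]@{
            SamAccountName  = $a.SamAccountName
            Enabled         = $a.Enabled
            PrivilegedVia   = $privileged[$a.DistinguishedName] -join ', '
            AesEnabled      = ($enc -band $script:AesMask) -ne 0
            PasswordAgeDays = if ($a.PasswordLastSet) { [int]((Get-Date) - $a.PasswordLastSet).TotalDays } else { $null }
            SpnCount        = @($a.servicePrincipalName).Count
        }
    }

    # Privileged accounts first, then accounts without AES, then the oldest passwords.
    $rows | Sort-Object @{ Expression = { [bool]$_.PrivilegedVia }; Descending = $true },
                        AesEnabled,
                        @{ Expression = 'PasswordAgeDays'; Descending = $true }
}

Get-SpnAccountReview | Format-Table -AutoSize
```

Rows with a non-empty PrivilegedVia column are the ones to right-size first; where that is not possible, the AesEnabled and PasswordAgeDays columns show whether the fallback from the paragraph above has been applied.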

Local admin on devices

In the early days of Active Directory, withholding local administrative rights on endpoints was often done to prevent configuration drift and the installation of unlicensed software.  Today the position is primarily driven by security risks.  Without local administrative privilege it is very difficult for malicious software to be accidentally installed.  Additionally, interacting with LSASS memory where credentials are stored requires the Debug programs right which by default is limited to Administrators.  

Withholding local administrative rights on endpoints is another area where we are seeing considerable improvement. However, there are often exceptions for select users like developers and system administrators. While it is great to see this progress, any exception should be thoroughly scrutinized to determine if it is necessary or just convenient. For context, consider these scenarios:

| User Profile | Configuration | Scenario | Blast Radius |
|---|---|---|---|
| Developer | A standard desktop is used for writing code along with productivity work. The developer is a member of the Administrators group in order to install tools. | The developer visits a compromised website and unknowingly installs software (drive-by download) that gives the attacker command and control (C2) of the device. The attacker uses the access to manipulate the code project. | The project containing the malicious binaries is deployed to production servers, giving the attacker access to sensitive data and credentials. |
| Help desk | The help desk group has been added to the Administrators group of all endpoints. | A user creates a support case after opening a link in a phishing email. The help desk agent makes an RDP connection to the device, which exposes the support credential to the adversary. | The attacker uses the credential to move laterally across all endpoints in the domain. |

User Rights Assignments

The User Rights Assignment (URA) settings in the Default Domain Controllers Policy are often bloated with delegations that have accumulated since the first domain controller was promoted. A quick review will often reveal privileges granted to defunct accounts, the IUSR account and other difficult-to-justify delegations.

To understand Microsoft's best practice for URAs on domain controllers, I suggest you download the Windows Server 2022 Security Baseline and review the group policy report named MSFT Windows Server 2022 - Domain Controller. Better yet, you could use Policy Analyzer to compare your environment to the baseline as explained in this article.

The need to review and harden URAs is not limited to Domain Controllers.  The same review should be performed for all domain-joined devices.  

Group Policy Delegations

Once adversaries acquire privileged credentials, they often use native tools to accomplish their objectives. Manipulation of existing GPOs is a perfect example of such "Living off the Land" techniques. This threat can be compounded by delegating GPO management rights across various support groups. While decentralized GPO management can make operational tasks seem more efficient, it comes at a price.

The group named Group Policy Creator Owners has contributed to this issue. Members of the group can create new GPOs for which they will have full control. The net result is distributed GPO management permissions, which can give an attacker many options to deliver a payload via a GPO. As a result, the use of Group Policy Creator Owners is no longer recommended. Instead, operational processes to minimize policy delegations should be implemented. Historically, the Advanced Group Policy Management tool was Microsoft's solution for centralized GPO management, but extended support for AGPM will end in April of 2026. In light of that, you may want to consider a third-party tool that offers similar features.

If you are on the fence about addressing this issue, I recommend you consider that by default any authenticated user can read the ACLs of GPOs. An attacker can use any victim's account to quickly determine which accounts can modify a GPO. From there they just need to acquire one of those desktop, helpdesk or similar support accounts.
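
The same ACLs can be read by the defender to see how far GPO edit rights have spread. The following is an added example, not part of the original post; it assumes the RSAT GroupPolicy module, and the function name and the list of expected trustees are assumptions to adjust for your domain.

```powershell
#Requires -Modules GroupPolicy
# Added example (not from the original post): report who can modify each GPO.

function Get-GpoEditDelegation {
    [CmdletBinding()]
    param(
        # Assumption: trustees that are expected to hold edit rights and are left out of the report.
        [string[]]$ExpectedTrustees = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    )

    # Permission levels that allow changing a GPO's settings or its security.
    $writeLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ([string]$perm.Permission -notin $writeLevels) { continue }
            if ($perm.Denied) { continue }

            # A trustee without a name is a SID that no longer resolves (defunct account).
            $name = $perm.Trustee.Name
            $orphaned = [string]::IsNullOrEmpty($name)
            if ($orphaned) { $name = $perm.Trustee.Sid.Value }
            if ($name -in $ExpectedTrustees) { continue }

            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Owner       = $gpo.Owner
                Trustee     = $name
                TrusteeType = $perm.Trustee.SidType
                Permission  = $perm.Permission
                Orphaned    = $orphaned
            }
        }
    }
}

$report = Get-GpoEditDelegation

# Per-GPO detail for the access review.
$report | Sort-Object Gpo, Trustee | Format-Table -AutoSize

# Trustees ranked by how many GPOs they can change: the delegations to revoke or consolidate first.
$report | Group-Object Trustee | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```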

Organizational Unit Delegations

OU delegations are another area where privileges seem to accumulate over time.  Sometimes these delegations have been well thought out and implemented.  Other times they are the result of a less structured approach.   Below are some examples of elevated permissions that can be useful to an adversary. 


The Delegation of Control Wizard in Active Directory Users and Computers makes it very easy to grant new permissions on OUs.  However, it has no functionality to easily identify what has been custom delegated or revoke the granted rights.  A free tool to review what has been delegated is AD ACL Scanner which was written by Robin Granberg.  AD ACL Scanner has many features that I think you will find useful as you review your domain and look for ways to remediate permissions applied to OUs.    
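
For a quick first pass before a fuller review with a dedicated tool, the explicit (non-inherited) write permissions on each OU can be listed with the ActiveDirectory module. This is an added example, not part of the original post and not a replacement for AD ACL Scanner; the function name, the ignored-trustee list and the choice of rights in the mask are assumptions made for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): list custom write delegations set directly on OUs.
Add-Type -AssemblyName System.DirectoryServices

function Get-OuExplicitDelegation {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Assumption: trustees present on OUs by default; everything else is reported.
        [string[]]$IgnoreTrustees = @(
            'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Account Operators',
            'BUILTIN\Print Operators',
            "$((Get-ADDomain).NetBIOSName)\Domain Admins"
        )
    )

    # Individual bits that change objects or their security. GenericAll and GenericWrite
    # are not used in the mask because they also contain read bits.
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner'

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou = $_.DistinguishedName
        (Get-Acl -Path "AD:\$ou").Access |
            Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band $writeMask) -ne 0 -and
                $_.IdentityReference.Value -notin $IgnoreTrustees
            } |
            ForEach-Object {
                [pscustomobject]@{
                    OU          = $ou
                    Trustee     = $_.IdentityReference.Value
                    # An unresolved SID means the account or group was deleted.
                    Orphaned    = $_.IdentityReference.Value -like 'S-1-*'
                    Rights      = $_.ActiveDirectoryRights
                    ObjectType  = $_.ObjectType            # all zeros = applies to every property or class
                    AppliesTo   = $_.InheritanceType
                }
            }
    }
}

Get-OuExplicitDelegation | Sort-Object Trustee, OU | Format-Table -AutoSize -Wrap
```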

Privileged Groups

Minimizing membership of privileged groups is a fundamental step in adhering to the principle of least privilege. While removing unnecessary accounts from these groups might be perceived as a lack of trust in individuals and taken personally, it's important to consider the broader context of credential theft and lateral movement. The issue is more about trust in devices rather than individuals. Those who understand these risks are usually quick to relinquish any level of privilege that exceeds what is necessary for their roles. As you work on reducing your privileged group memberships, it's helpful to communicate that the primary concern is device trust.  


When planning the membership of privileged groups, it is beneficial to distinguish between service administration and data administration. Service administration, as the name suggests, involves operational support for Active Directory Domain Services, including tasks such as promoting and supporting domain controllers, managing replication, and updating the schema. These tasks necessitate membership in the built-in privileged groups and cannot be delegated more granularly. On the other hand, data administration encompasses the management of users, groups, password resets, GPOs, and attributes, all of which can be delegated without relying on the built-in groups.  


The table below lists the built-in groups that carry the most privilege and should be given priority when performing a Tier 0 access review.

| Group Name | Recommendation |
|---|---|
| Account Operators | The Account Operators group does not map well to how organizations operate. More appropriate delegations can be implemented to more granularly control the management of objects. As a result, the recommendation is to leave this group empty. |
| Administrators | Given that Administrators grants full control of the domain controller’s OS, membership should be limited to accounts responsible for operational support of directory services. Due to nesting, there is no need for members of Domain Admins to also be direct members of Administrators. |
| Backup Operators | To minimize privilege, leave Backup Operators empty and create a special-purpose service account that has the URAs Back up files and directories and Restore files and directories. |
| Domain Admins | Membership should be limited to resources responsible for operational support of domain controllers. |
| Enterprise Admins | In multi-domain forests this group is nested in the Administrators group of every domain. When a centralized team is responsible for all domains, this group is often used to minimize the number of accounts an Active Directory administrator would need to possess. However, it is important to consider the blast radius if such an account was compromised. |
| Group Policy Creator Owners | As previously mentioned, this group allows members to create new GPOs for which they will have full control. Given that this will result in decentralized management of GPOs, it is recommended to leave this group empty and pursue other solutions to minimize accounts that can manage group policies. |
| Print Operators | Domain controllers should never host print queues or have the print spooler service enabled. In addition to having no members, Print Operators should have the URAs Load and unload device drivers and Allow log on locally removed from the Default Domain Controllers Policy. |
| Remote Desktop Users | Remote desktop privileges should be limited to accounts used to perform service administration of Active Directory. Additionally, network connectivity to the RDP service (3389) on domain controllers should be restricted using firewall rules or IPsec. |
| Schema Admins | Schema modification is a very rare event. This group should remain empty and only be populated when actively extending the schema. |
| Server Operators | Members of this group can perform junior admin tasks on domain controllers, including starting and stopping services, managing network shares and managing backups. This group does not align with how Active Directory service administration is performed today. As a result, it should remain empty, and the URAs Allow log on locally, Back up files and directories, Change the system time, Force shutdown from a remote system, Restore files and directories and Shut down the system should be removed from it in the Default Domain Controllers Policy. |


The following groups are considered to be equivalent to Tier 0 given they could be used in some manner to elevate privileges.   Membership of these groups should also be minimized and monitored for modification.  

| Group Name | Recommendation |
|---|---|
| Incoming Forest Trust Builders Group | Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this domain. By default, this group has no members. |
| Key Admins Group | This group is granted write access to the msDS-KeyCredentialLink attribute of user and computer objects in a domain, which is used to store public keys related to passwordless authentication such as Windows Hello for Business. The group should be limited to accounts that administer WHFB keys and similar passwordless key pair credentials. |
| Enterprise Key Admins Group | This group is the same as Key Admins except the scope is the forest instead of just a domain. |
| Network Configuration Operators Group | This domain group grants the ability to manage TCP/IP and other network configuration settings on domain controllers. It could be used to enable an AiTM attack by manipulating name resolution and IP routing. |
| Read-only Domain Controllers Group | This group should only contain actual RODCs, assuming you must have RODCs. Additionally, some third-party products are designed to be in the group in order to emulate a RODC. The security risks introduced by such solutions should be fully evaluated. |
| Replicator Group | This is a legacy group that previously was used for Sysvol replication. By default, it has no members and should remain empty. |
| Storage Replica Administrators Group | This group can manage storage replicas on domain controllers. By default, this group has no members and should remain empty. |
| System Managed Accounts Group | This is a new group introduced with Server 2016. By default, the only member is the default account. This group should not have its membership manually modified. |
| Certificate Service DCOM Access Group | Members of this group can connect to certification authorities in the enterprise. By default, the group is empty. Typically, only PKI administrators need to be added as members of this group. |
| Allowed RODC Password Replication Group | Members in this group can have their passwords replicated to all read-only domain controllers in the domain. Privileged accounts should not be members. |
| Cert Publishers Group | Members of this group are permitted to publish certificates to the directory. Membership should be limited to the accounts intended to be used for publishing certificates, such as PKI administrators. Additionally, the computer accounts of the Enterprise CAs need to be in this group. |
| Cloneable Domain Controllers Group | Membership of this group should be limited to domain controllers you wish to clone. |
| Cryptographic Operators Group | Members are authorized to perform cryptographic operations. Membership should be limited to accounts that require this right for Certificate Services administration. |
| Distributed COM Users Group | Members are allowed to launch, activate and use Distributed COM objects on domain controllers. |
| DnsUpdateProxy Group | This group is intended to be used by DHCP servers which are registering DNS records on behalf of DHCP clients. The group should only include those DHCP servers. |
| DnsAdmins Group | Group used to delegate management of DNS zones. This group was not introduced until Server 2003. Prior to then it was common to add an account to Domain Admins in order to manage DNS (e.g. Infrastructure team). Zones created before Windows 2003 need to have the ACLs updated to delegate access to this group. |
| Domain Controllers Group | This group has the extended right Replicating Directory Changes All. Members can replicate account passwords using that permission. Membership should be limited to domain controllers. |
| Enterprise Read-only Domain Controllers Group | This group has the extended right Replicating Directory Changes and should be limited to RODCs. Given RODCs are not without risks, careful consideration should be given before deploying RODCs. |
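
One way to turn the two tables above into a repeatable review, as an added example that is not part of the original post: it flags any member in the groups the tables say to leave empty and expands the nested membership of Administrators, Domain Admins and Enterprise Admins. It assumes the ActiveDirectory RSAT module and a session in the forest root domain; the function name, group selection and output columns are choices made for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only membership review of the built-in groups listed above.
# Groups are resolved by well-known SID/RID, so renamed or localized groups still match.

$domainSid = (Get-ADDomain).DomainSID.Value

# Groups the tables recommend leaving empty.
$expectEmpty = [ordered]@{
    'Account Operators'              = 'S-1-5-32-548'
    'Server Operators'               = 'S-1-5-32-549'
    'Print Operators'                = 'S-1-5-32-550'
    'Backup Operators'               = 'S-1-5-32-551'
    'Replicator'                     = 'S-1-5-32-552'
    'Storage Replica Administrators' = 'S-1-5-32-582'
    'Schema Admins'                  = "$domainSid-518"   # forest root domain only
    'Group Policy Creator Owners'    = "$domainSid-520"
}

# Groups whose membership should be limited rather than empty.
$expectMinimal = [ordered]@{
    'Administrators'    = 'S-1-5-32-544'
    'Domain Admins'     = "$domainSid-512"
    'Enterprise Admins' = "$domainSid-519"                # forest root domain only
}

function Get-GroupReview {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][ValidateSet('Empty', 'Minimal')][string]$Expectation
    )

    try {
        $group = Get-ADGroup -Identity $Sid -Properties member -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Not present here (child domain, or no Storage Replica group before Server 2016).
        return [pscustomobject]@{
            Group = $Name; Expectation = $Expectation; Status = 'NotFound'
            MemberCount = 0; Members = ''
        }
    }

    if ($Expectation -eq 'Empty') {
        # Any direct member, whether a user or a nested group, is a finding.
        $members = @($group.member)
        $status  = if ($members.Count -eq 0) { 'OK' } else { 'Finding' }
    }
    else {
        # Expand nesting so accounts that inherit the privilege indirectly are visible.
        $members = @(Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { '{0} ({1})' -f $_.SamAccountName, $_.objectClass })
        $status  = 'Review'
    }

    [pscustomobject]@{
        Group       = $Name
        Expectation = $Expectation
        Status      = $status
        MemberCount = $members.Count
        Members     = $members -join '; '
    }
}

$report = @(
    foreach ($g in $expectEmpty.GetEnumerator()) {
        Get-GroupReview -Name $g.Key -Sid $g.Value -Expectation Empty
    }
    foreach ($g in $expectMinimal.GetEnumerator()) {
        Get-GroupReview -Name $g.Key -Sid $g.Value -Expectation Minimal
    }
)

$report | Sort-Object Status, Group |
    Format-Table Group, Expectation, Status, MemberCount, Members -Wrap
```

Saving `$report` with `Export-Csv` on each run gives a baseline to compare against when monitoring these groups for modification.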

Kerberos Delegation  

Kerberos Delegation enables an account or device to acquire Kerberos service tickets on behalf of another account.  It is often referred to as Kerberos Double Hop authentication and is regularly explained using a diagram like this one.  

An overly simplified explanation of the flow is: 

  1. The IIS server has been "trusted for delegation". The user connects to the IIS server using a Kerberos service ticket previously acquired and also provides a copy of its TGT.
  2. An application running on the IIS server needs to connect to the SQL server as the user, so it presents the user's TGT to the domain controller and requests a service ticket for the SQL server.
  3. The IIS server presents the service ticket to the SQL server and is authenticated in the context of the user's account.

In a perfect world this architecture works great. The user has an SSO experience and is only able to access the data it has been granted in the SQL database. However, in the real world web servers sometimes get compromised, which could allow an adversary to acquire service tickets to other SPN-enabled resources by leveraging the user's shared TGT.

To mitigate that risk, we want to "constrain" or limit the delegation to select target SPNs. This screenshot shows an example of constrained delegation which limits CONTOSO-WEB1 delegation to the SQL SPN set on the CONTOSO-DB1 computer account. If CONTOSO-WEB1 was to be compromised, the attacker could still acquire service tickets to CONTOSO-DB1 but not for any other targets.

When Active Directory was first introduced, an account was either trusted (unconstrained) or not trusted for delegation. Constrained delegation was introduced with Windows 2003, and Server 2012 R2 took things a step further with resource-based constrained delegation (RBCD), which allows the trust to be configured on the backside service rather than the frontend service. Additionally, RBCD was designed to work over trust relationships. The following PowerShell queries can be used to locate any computer or user object that has been trusted for unconstrained delegation. If you discover any such objects, they should be reconfigured for constrained delegation.

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and PrimaryGroupID -eq 515} -Properties TrustedForDelegation, ServicePrincipalName, Description

Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation, ServicePrincipalName, Description

In most cases, privileged accounts used to administer Active Directory do not access applications that require Kerberos delegation. As a result, least privilege can be imposed on those accounts by configuring the option Account is sensitive and cannot be delegated. Once enabled, the account is incapable of sharing a copy of its TGT with a device that has been trusted for delegation (unconstrained or constrained).
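
To complement the two unconstrained-delegation queries, the following added example (not part of the original post) inventories the other settings this section describes: accounts configured for constrained delegation with their target SPNs, objects with RBCD configured, and enabled privileged accounts that are not yet marked Account is sensitive and cannot be delegated. Using adminCount=1 to approximate "privileged accounts" is an assumption of this example; the attribute can remain set on accounts that have since left the protected groups.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only inventory of delegation settings beyond the unconstrained case.

# 1. Constrained delegation: front-end accounts and the SPNs they may delegate to.
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties sAMAccountName, 'msDS-AllowedToDelegateTo' |
    ForEach-Object {
        [pscustomobject]@{
            Account    = $_.sAMAccountName
            Class      = $_.ObjectClass
            TargetSPNs = @($_.'msDS-AllowedToDelegateTo') -join '; '
        }
    }

# 2. Resource-based constrained delegation: back-end objects and the principals
#    allowed to delegate to them (the trust is stored on the resource itself).
$rbcdFilter = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
$rbcd = @(
    Get-ADComputer -LDAPFilter $rbcdFilter -Properties PrincipalsAllowedToDelegateToAccount
    Get-ADUser     -LDAPFilter $rbcdFilter -Properties PrincipalsAllowedToDelegateToAccount
) | ForEach-Object {
    [pscustomobject]@{
        Resource         = $_.SamAccountName
        AllowedFrontEnds = @($_.PrincipalsAllowedToDelegateToAccount) -join '; '
    }
}

# 3. Enabled accounts with adminCount=1 that can still be delegated.
#    userAccountControl bits, tested with the LDAP bitwise-AND matching rule:
#      2       = ACCOUNTDISABLE
#      1048576 = NOT_DELEGATED ("Account is sensitive and cannot be delegated")
$delegableFilter = '(&(adminCount=1)' +
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
    '(!(userAccountControl:1.2.840.113556.1.4.803:=1048576)))'
$delegableAdmins = Get-ADUser -LDAPFilter $delegableFilter -Properties AccountNotDelegated |
    Select-Object SamAccountName, DistinguishedName, AccountNotDelegated

'Constrained delegation (confirm each target SPN is still required):'
$constrained | Format-Table -AutoSize -Wrap

'Resource-based constrained delegation (confirm each front end is expected):'
$rbcd | Format-Table -AutoSize -Wrap

'Privileged accounts not marked sensitive (candidates for the setting):'
$delegableAdmins | Format-Table -AutoSize -Wrap
```

After confirming an account in the third list does not rely on delegation, the option can be set with `Set-ADUser -AccountNotDelegated $true`.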

Exchange Permissions 

When Exchange was first integrated with Active Directory (Exchange 2000), a shared permission model was the only option, which gave Exchange servers and Exchange administrators the ability to create and manage objects along with elevated permissions on the domain controllers. At the time, Domain and Exchange administration was often performed by the same team, so there was little concern about violating the principle of least privilege. Eventually those responsibilities began to diverge to separate teams and the concept of split permissions was introduced with Exchange 2010 SP1. Organizations that will continue to have on-prem Exchange servers are encouraged to implement Active Directory split permissions, which will change how some operational processes are performed, such as creating mailbox users or managing distribution groups. RBAC split permissions is another alternative, but it does not provide the same level of privilege reduction for the Exchange objects (Exchange Trusted Subsystem, Exchange Servers group, Organization Management).

For a time, it was necessary to keep an Exchange server on-prem to perform recipient management even after all mailboxes were moved to Exchange Online.  That is no longer a requirement due to a new set of Exchange Management Tools.  Organizations who adopt the new tools can remove any remaining Exchange servers and then use the CleanupActiveDirectoryEMT.ps1 script to remove the Exchange related permissions from Active Directory.    

If the Exchange shared permission cannot be removed, the Exchange Servers and Exchange administrators should be considered Tier 0 rather than Tier 1. 

Credential Vaulting  

In discussions about revamping privileged access, the concept of credential vaulting often comes up. Credential vaults can be a key component of a privileged account management solution, but how and where you use your account while it's checked out still matters. Consider this scenario:  

Hopefully my example illustrates that imposing security tiers for accounts and devices is still relevant, even with a credential vaulting solution. A few observations from it are: 

User Account Control  

User Account Control is a security feature which can minimize the privilege used to launch processes. It is based on a split token model where privileged users begin their session with both a full and a low privilege token, as depicted in the diagram below. Processes are launched by default using the low privilege token but can switch to the high privilege token with consent. To be clear, this is a defense-in-depth measure that is not intended to displace other security controls or credential hygiene practices.

Microsoft baselines recommend the following UAC settings be implemented on domain controllers.

| Setting name | Domain Controller Recommendation (Server 2022 baseline) | Default Setting |
|---|---|---|
| Admin Approval Mode for the Built-in Administrator account | Enabled | Not defined |
| Allow UIAccess applications to prompt for elevation without using the secure desktop | | Disabled |
| Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | Prompt for consent for non-Windows binaries (default) |
| Behavior of the elevation prompt for standard users | Automatically deny elevation requests | Prompt for credentials |
| Detect application installations and prompt for elevation | Enabled | Enabled |
| Only elevate executables that are signed and validated | | Disabled |
| Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled |
| Run all administrators in Admin Approval Mode | Enabled | Enabled |
| Switch to the secure desktop when prompting for elevation | | Enabled |
| Virtualize File And Registry Write Failures To Per User Locations | Enabled | Enabled |
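
A quick way to check a domain controller against the recommendation column above, as an added example that is not part of the original post. It reads the UAC policy values from the registry and reports each one in the table's wording. The registry value names and numeric encodings are the standard ones behind these policy settings rather than anything stated in the post, and only the rows with a stated recommendation are checked.

```powershell
# Added example: compare local UAC policy values with the "Domain Controller
# Recommendation" column above. Read-only; run locally on the domain controller.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Decoders so results read in policy terms instead of raw numbers.
$onOff = @{ 0 = 'Disabled'; 1 = 'Enabled' }
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$userPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# One entry per table row that carries a recommendation.
$baseline = @(
    [pscustomobject]@{ Setting = 'Admin Approval Mode for the Built-in Administrator account'
                       Name = 'FilterAdministratorToken';   Expected = 1; Map = $onOff }
    [pscustomobject]@{ Setting = 'Behavior of the elevation prompt for administrators'
                       Name = 'ConsentPromptBehaviorAdmin'; Expected = 2; Map = $adminPrompt }
    [pscustomobject]@{ Setting = 'Behavior of the elevation prompt for standard users'
                       Name = 'ConsentPromptBehaviorUser';  Expected = 0; Map = $userPrompt }
    [pscustomobject]@{ Setting = 'Detect application installations and prompt for elevation'
                       Name = 'EnableInstallerDetection';   Expected = 1; Map = $onOff }
    [pscustomobject]@{ Setting = 'Only elevate UIAccess applications in secure locations'
                       Name = 'EnableSecureUIAPaths';       Expected = 1; Map = $onOff }
    [pscustomobject]@{ Setting = 'Run all administrators in Admin Approval Mode'
                       Name = 'EnableLUA';                  Expected = 1; Map = $onOff }
    [pscustomobject]@{ Setting = 'Virtualize file and registry write failures'
                       Name = 'EnableVirtualization';       Expected = 1; Map = $onOff }
)

$current = Get-ItemProperty -Path $policyKey

$results = foreach ($b in $baseline) {
    $raw = $current.($b.Name)    # $null when the value is absent from the registry

    $actual = if ($null -eq $raw) {
        'Not defined'
    } elseif ($b.Map.ContainsKey([int]$raw)) {
        $b.Map[[int]$raw]
    } else {
        "Unknown ($raw)"
    }

    [pscustomobject]@{
        Setting   = $b.Setting
        Registry  = $b.Name
        Expected  = $b.Map[$b.Expected]
        Actual    = $actual
        Compliant = ($raw -eq $b.Expected)
    }
}

$results | Format-Table -AutoSize -Wrap
```

A value reported as Not defined means the operating system default applies, so it is shown as non-compliant even where the default happens to match the recommendation.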

Hopefully this information will help you review your Active Directory environment and identify opportunities to reduce excessive privileges.  As you plan your remediations just keep these Do's and Don'ts in mind.  

\n\n\n\n\n\n","body@stringLength":"73276","rawBody":"

Hi all! Jerry here again to continue the AD hardening series.   This time I want to address the concept of least privilege as it applies to Active Directory.  Of the three principles of Zero Trust (verify explicitly, least privilege, assume breach), least privilege is the most achievable using native Active Directory features.  It is also a concept that was well established before Windows domains were introduced.  Some organizations did a great a great job minimizing administrative access from day one but sadly they were the exception.  While we are far more disciplined when granting privileged access today, most domains have a couple decades of accumulated delegated access that needs to be reviewed and revoked where no longer justified.  Today I want to walk you through areas typically reviewed during an assessment of Active Directory security as it relates to minimizing privilege.  

\n

Why hyper focus on privileged accounts?  

\n

When I deliver workshops on credential hygiene, I generally lead off with this diagram to illustrate that the initial access methods can be a moving target, but the pursuit of credentials is a constant.  If we can prevent attackers from acquiring useful credentials we can disrupt the rest of their playbook.  Accomplishing that involves minimizing the number of privileged accounts, restricting where privileged accounts are exposed (Tier model), deploying Privileged Admin workstations (PAWs), and implementing the protocol hardening settings covered in this series.  

\n\n

 Service Accounts 

\n

Overprivileged service accounts are far too common. While governance for service accounts has greatly improved in recent years, many organizations still have opportunities to remediate service accounts provisioned before we became disciplined in this area. Placing service accounts in the Domain Admins group is a textbook example of not adhering to the principle of least privilege. This was sometimes done out of convenience and other times due to a lack of clarity regarding the application's true requirements. Once an application has been deployed, it can be very difficult to \"right-size\" the privileges of the service account, but it is a necessary step.  

\n

For the record, organizations who have held the line on minimal service account privileges have found ways to scan for vulnerabilities, deploy security updates, and perform Active Directory backups without placing accounts in Domain Admins or equivalent groups.  Before you agree to purchase such products clarify the requirements for the solution.  Vendors are far more likely to figure out how to adhere to least privilege before the sale than after.  

\n

As you remediate overprivileged service accounts, prioritize accounts with a Service Principal Name (SPN) since they are vulnerable to Kerberoasting attacks. Any such account that cannot have its privileges reduced should be enabled for AES and given a strong password.  

\n

Local admin on devices  

\n

In the early days of Active Directory, withholding local administrative rights on endpoints was often done to prevent configuration drift and the installation of unlicensed software.  Today the position is primarily driven by security risks.  Without local administrative privilege it is very difficult for malicious software to be accidentally installed.  Additionally, interacting with LSASS memory where credentials are stored requires the Debug programs right which by default is limited to Administrators.  

\n

Withholding local administrative rights on endpoints is another area where we are seeing considerable improvement. However, there are often exceptions for select users like developers and system administrators. While it is great to see this progress, any exception should be thoroughly scrutinized to determine if it is necessary or just convenient. For context, consider these scenarios  

\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

User Profile 

\n
\n

Configuration 

\n
\n

 Scenario 

\n
\n

 Blast Radius 

\n
\n

Developer 

\n
\n

A standard desktop is used for writing code along with productivity work.  The developer is a member of administrators group in order to install tools 

\n
\n

The developer visits a compromised website and unknowingly installs software (drive-by download) that gives the attacker command and control (C2) of the device.  The attacker uses the access to manipulate the code project. 

\n
\n

The project containing the malicious binaries is deployed to production servers given the attacker access to sensitive data and credentials 

\n
\n

Help desk 

\n
\n

The help desktop group has been added to the Administrators group of all endpoints 

\n
\n

A user creates a support case after opening a link in a phishing email.  The help desktop agent makes an RDP connect to the device which exposes the support credential to the adversary 

\n
\n

The attacker uses the credential to move laterally across all endpoints in the domain 

\n
\n
\n

User Right Assignments  

\n

The User Rights Assignment (URA) settings in the Default Domain Controllers Policy are often bloated with delegations that have accumulated since the first domain controller was promoted.  A quick review will often reveal privileges granted to defunct accounts, the IUSR account and other difficult to justify delegations.  

\n\n

To understand Microsoft's best practice for URAs on Domain Controller I suggest you download the Windows Server 2022 Security Baseline and review the group policy report named MSFT Windows Server 2022 - Domain Controller.  Better yet you could use Policy Analyzer to compare your environment to the baseline as explained in this article.  

\n

The need to review and harden URAs is not limited to Domain Controllers.  The same review should be performed for all domain-joined devices.  

\n

Group Policy Delegations  

\n

Once adversaries acquire privileged credentials, they often use native tools to accomplish their objectives.  Manipulation of existing GPOs is a perfect example of such \"Living off the Land\" techniques.  This threat can be compounded by delegating GPO management rights across various support groups.   While decentralized GPO management can make operational tasks seem more efficient, it comes at a price.    

\n

The group named Group Policy Creator Owners has contributed to this issue.  Members of the group can create new GPOs for which they will have full control.  The net result is distributed GPO management permissions which can give an attacker many options to deliver a payload via a GPO.  As a result, the use of Group Policy Creator Owners is no longer recommended.  Instead, operational processes to minimize policy delegations should be implemented.  Historically the Advanced Group Policy Management tool was Microsoft's solution for centralized GPO management but extended support for AGPM will end in April of 2026.  In light of that you may want to consider a 3rd party tool that offers similar features.  

\n

If you are on the fence about addressing this issue, I recommend you consider that by default any authenticated user can read the ACLs of GPOs.   An attacker can use any victims account to quickly determine which accounts can modify a GPO.  From there they just need to acquire one of those desktop, helpdesk or similar support accounts.  

\n

Organizational Unit Delegations   

\n

OU delegations are another area where privileges seem to accumulate over time.  Sometimes these delegations have been well thought out and implemented.  Other times they are the result of a less structured approach.   Below are some examples of elevated permissions that can be useful to an adversary. 

\n

 

\n\n\n\n\n\n\n\n\n

The Delegation of Control Wizard in Active Directory Users and Computers makes it very easy to grant new permissions on OUs.  However, it has no functionality to easily identify what has been custom delegated or revoke the granted rights.  A free tool to review what has been delegated is AD ACL Scanner which was written by Robin Granberg.  AD ACL Scanner has many features that I think you will find useful as you review your domain and look for ways to remediate permissions applied to OUs.    

\n\n

Privileged Groups  

\n

Minimizing membership of privileged groups is a fundamental step in adhering to the principle of least privilege. While removing unnecessary accounts from these groups might be perceived as a lack of trust in individuals and taken personally, it's important to consider the broader context of credential theft and lateral movement. The issue is more about trust in devices rather than individuals. Those who understand these risks are usually quick to relinquish any level of privilege that exceeds what is necessary for their roles. As you work on reducing your privileged group memberships, it's helpful to communicate that the primary concern is device trust.  

\n

When planning the membership of privileged groups, it is beneficial to distinguish between service administration and data administration. Service administration, as the name suggests, involves operational support for Active Directory Domain Services, including tasks such as promoting and supporting domain controllers, managing replication, and updating the schema. These tasks necessitate membership in the built-in privileged groups and cannot be delegated more granularly. On the other hand, data administration encompasses the management of users, groups, password resets, GPOs, and attributes, all of which can be delegated without relying on the built-in groups.  

\n

The table below lists the built-in groups that represent the most privilege which should be given priority when performing a Tier 0 access review.  

\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Group Name 

\n
\n

Recommendation 

\n
\n

Account Operators 

\n
\n

Account Operators group does not map well to how organizations operate.  More appropriate delegations can be implemented to more granularly control the management of objects.  As a result, the recommendation is to leave this group empty.  

\n
\n

Administrators 

\n
\n

Given Administrators grants full control to the Domain Controller’s OS, membership should be limited to accounts responsible for operational support of directory services.  Due to nesting, there is no need for members of Domain Admins to also be direct members of Administrators. 

\n
\n

Backup Operators 

\n
\n

To minimize privilege, leave Backup Operators empty and create a special purpose service account that has the URAs of Backup up files and directory and Restore files and directories

\n
\n

Domain Admins 

\n
\n

Membership should be limited to resources responsible for operational support of domain controllers.   

\n
\n

Enterprise Admin 

\n
\n

In multi domain forests this group is nested in the Administrators group of every domain.  When a centralized team is responsible for all domains, this group is often used to minimize the number of accounts an Active Directory administrator would need to possess.  However, it is important to consider the blast radius if such an account was compromised. 

\n
\n

Group Policy Creator Owners 

\n
\n

As previously mentioned, this group allows members to create new GPOs for which they will have full control.  Given that will result in decentralized management of GPOs, it is recommended to leave this group empty and pursue other solutions to minimize accounts that can manage group policies. 

\n
\n

Print Operators 

\n
\n

Domain Controllers should never host print queues or have the print spooler service enabled.  In addition to having no members, print operators should have the URAs Load and unload devices drivers and Allow log on locally removed from the Default Domain Controller policy. 

\n
\n

Remote Desktop Users 

\n
\n

Remote desktop privileges should be limited to accounts used to perform service administration of Active Directory.  Additionally, network connectivity to the RDP service (3389) on domain controllers should be restricted using firewall rules or IPsec

\n
\n

Schema Admins 

\n
\n

Schema modification is a very rare event.  This group should remain empty and only populated when actively extending the schema. 

\n
\n

Server Operators 

\n
\n

Members of this group can perform junior admin tasks on domain controllers including start and stop service, manage network shares and manage backups.  This group does not align with how Active Directory service administration is performed today.  As a result it should remain empty and the URAs Allow logon locally, Back up files and directories, Change the system time, Force shutdown from a remote system, Restore files and directories and Shut down the system should be removed from it in the Default Domain Controllers policy. 

\n
\n
\n

The following groups are considered to be equivalent to Tier 0 given they could be used in some manner to elevate privileges.   Membership of these groups should also be minimized and monitored for modification.  

\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Group Name 

\n
\n

Recommendation 

\n
\n

Incoming Forest Trust Builders Group  

\n
\n

Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this domain. By default, this group has no members. 

\n
\n

Key Admins Group  

\n
\n

This group is granted write access to msDS-KeyCredentialLink attribute of user and computer objects in a domain which is used to store public keys related to Passwordless authentication such as Windows Hello for Business.  The group should be limited to accounts that administer WHFB keys and similar Passwordless key pair credentials 

\n
\n

Enterprise Key Admins Group 

\n
\n

This group is the same as Key Admins except the scope is the forest instead of just a domain. 

\n
\n

Network Configuration Operators Group  

\n
\n

This domain group grants the ability to manage TCP/IP and other network configuration settings on domain controllers.  It could be used to enable a AiTM attack by manipulating name resolution and IP routing. 

\n
\n

Read-only Domain Controllers Group  

\n
\n

This group should only contain actual RODCs assuming you must have RODCs.  Additionally, some third-party products are designed to be in the group in or order to emulate a RODC.  The security risks introduced by such solutions should be fully evaluated. 

\n
\n

Replicator Group  

\n
\n

This is a legacy group that previously was used for Sysvol replication.  By default, it has no members and should remain empty. 

\n
\n

Storage Replica Administrators Group  

\n
\n

This group can manage storage replicas on domain controllers. By default, this group has no members and should remain empty. 

\n
\n

System Managed Accounts Group  

\n
\n

This is a new group introduced with Server 2016.  By default, the only member is the default account.  This group should not have its membership manually modified. 

\n
\n

Certificate Service DCOM Access Group  

\n
\n

Members of this group can connect to certification authorities in the enterprise and by default is empty.  Typically, only PKI administrators need to be added as members of this group. 

\n
\n

Allowed RODC Password Replication Group  

\n
\n

Members in this group can have their passwords replicated to all read-only domain controllers in the domain.  Privileged accounts should not be members. 

\n
\n

Cert Publishers Group  

\n
\n

Members of this group are permitted to publish certificates to the directory.  Membership should be limited to the accounts intended to be used for publishing certificates such as PKI administrators.  Additionally, the computer accounts of the Enterprise CAs need to be in this group. 

\n
\n

Cloneable Domain Controllers Group  

\n
\n

Membership of this group should be limited to domain controllers you wish to clone. 

\n
\n

Cryptographic Operators Group  

\n
\n

Members are authorized to perform cryptographic operations.  Membership should be limited to accounts that require this right for Certificate Services administration 

\n
\n

Distributed COM Users Group  

\n
\n

Members are allowed to launch, activate and use Distributed COM objects on domain controllers. 

\n
\n

DnsUpdateProxy Group 

\n
\n

This group is intended to be used by DHCP servers which are registering DNS records on behalf of DHCP clients.  The group should only include those DHCP servers. 

\n
\n

DnsAdmins Group  

\n
\n

Group used to delegate management of DNS zones.  This group was not introduced until Server 2003.  Prior to then it was common to add an account to Domain Admins in order to manage DNS (e.g. Infrastructure team).  Zones created before Windows 2003 need to have the ACLs updated to delegate access to this group. 

\n
\n

Domain Controllers Group  

\n
\n

This group has the extended right Replicating Directory Changes All.  Members can replicate account passwords using that permission.  Membership should be limited to domain controllers. 

\n
\n

Enterprise Read-only Domain Controllers Group  

\n
\n

This group has the extended right Replicating Directory Changes and should be limited to RODCs.  Given RODCs are not without risks careful consideration should be given before deploying RODCs. 

\n
\n
\n

Kerberos Delegation

Kerberos Delegation enables an account or device to acquire Kerberos service tickets on behalf of another account.  It is often referred to as Kerberos Double Hop authentication and is regularly explained using a diagram like this one.

An overly simplified explanation of the flow is:

  1. The IIS server has been "trusted for delegation".  The user connects to the IIS server using a previously acquired Kerberos service ticket and also provides a copy of its TGT.
  2. An application running on the IIS server needs to connect to the SQL server as the user, so it presents the user's TGT to the domain controller and requests a service ticket for the SQL server.
  3. The IIS server presents the service ticket to the SQL server and is authenticated in the context of the user's account.

In a perfect world this architecture works great.  The user has an SSO experience and can only access the data it has been granted in the SQL database.  However, in the real world, web servers sometimes get compromised, which could allow an adversary to acquire service tickets to other SPN-enabled resources by leveraging the user's shared TGT.

To mitigate that risk, we want to "constrain" or limit the delegation to select target SPNs.  This screenshot shows an example of constrained delegation which limits CONTOSO-WEB1 delegation to the SQL SPN set on the CONTOSO-DB1 computer account.  If CONTOSO-WEB1 were to be compromised, the attacker could still acquire service tickets to CONTOSO-DB1 but not for any other targets.

When Active Directory was first introduced, an account was either trusted (unconstrained) or not trusted for delegation.  Constrained delegation was introduced with Windows 2003, and Server 2012 R2 took things a step further with Resource-based constrained delegation (RBCD), which allows the trust to be configured on the backend service rather than the frontend service.  Additionally, RBCD was designed to work over trust relationships.  The following PowerShell queries can be used to locate any computer or user object that has been trusted for unconstrained delegation.  If you discover any such objects, they should be reconfigured for constrained delegation.

    # Computer accounts trusted for unconstrained delegation. primaryGroupID 515 (Domain Computers) keeps domain controllers out of the results.
    Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation, serviceprincipalname, description

    # User (service) accounts trusted for unconstrained delegation.
    Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation, ServicePrincipalName, Description

In most cases, privileged accounts used to administer Active Directory do not access applications that require Kerberos delegation.  As a result, least privilege can be imposed on those accounts by configuring the option "Account is sensitive and cannot be delegated".  Once enabled, the account is incapable of sharing a copy of its TGT with a device that has been trusted for delegation (unconstrained or constrained).
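To review the whole delegation picture in one pass, the following added example (not code from the original post) classifies each object as unconstrained, constrained or not delegated from its userAccountControl bits and delegation attributes, and flags privileged accounts that are not yet marked sensitive. The function name Get-DelegationFinding, the output column names and every sample object except the CONTOSO-WEB1 and CONTOSO-DB1 names are assumptions made for illustration; the sample values are constructed.

```powershell
# Added example, not code from the original post. All sample objects are constructed.
# userAccountControl bits (documented Microsoft values):
$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UAC_NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Get-DelegationFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$InputObject
    )
    process {
        $uac     = [int]$InputObject.userAccountControl
        # SPNs this object may delegate to (constrained delegation, set on the frontend)
        $targets = @($InputObject.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        # RBCD is configured on the backend object, so its presence is reported separately
        $rbcd    = $null -ne $InputObject.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        # 516 = Domain Controllers, 521 = Read-only Domain Controllers
        $isDC    = $InputObject.primaryGroupID -in (516, 521)

        if ($uac -band $UAC_TRUSTED_FOR_DELEGATION) {
            $type = 'Unconstrained'
        } elseif ($targets.Count -gt 0) {
            $type = if ($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION) {
                'Constrained (protocol transition)'
            } else {
                'Constrained'
            }
        } else {
            $type = 'None'
        }

        $actions = @()
        # Domain controllers are skipped here, as in the post's primaryGroupID 515 filter.
        if ($type -eq 'Unconstrained' -and -not $isDC) {
            $actions += 'Reconfigure for constrained delegation'
        }
        # adminCount = 1 marks accounts that are, or once were, in a protected group.
        if ($InputObject.adminCount -eq 1 -and -not ($uac -band $UAC_NOT_DELEGATED)) {
            $actions += 'Review: enable "Account is sensitive and cannot be delegated"'
        }

        [pscustomobject]@{
            Name           = $InputObject.Name
            Delegation     = $type
            DelegatesTo    = $targets -join '; '
            RbcdConfigured = $rbcd
            Action         = $actions -join '; '
        }
    }
}

# Constructed sample objects that mimic the attributes returned by Get-ADObject.
$sample = @(
    [pscustomobject]@{ Name = 'CONTOSO-WEB1'; userAccountControl = 0x1000; primaryGroupID = 515
        'msDS-AllowedToDelegateTo' = @('MSSQLSvc/CONTOSO-DB1.contoso.com:1433') }   # constructed SPN
    [pscustomobject]@{ Name = 'CONTOSO-APP7'; userAccountControl = (0x1000 -bor 0x80000); primaryGroupID = 515 }
    [pscustomobject]@{ Name = 'CONTOSO-DC1';  userAccountControl = (0x2000 -bor 0x80000); primaryGroupID = 516 }
    [pscustomobject]@{ Name = 'CONTOSO-DB2';  userAccountControl = 0x1000; primaryGroupID = 515
        'msDS-AllowedToActOnBehalfOfOtherIdentity' = 'constructed-security-descriptor' }
    [pscustomobject]@{ Name = 'adm-alice'; userAccountControl = (0x200 -bor 0x100000); primaryGroupID = 513; adminCount = 1 }
    [pscustomobject]@{ Name = 'adm-bob';   userAccountControl = 0x200; primaryGroupID = 513; adminCount = 1 }
)

$sample | Get-DelegationFinding | Format-Table -AutoSize -Wrap

# Live use (assumes the ActiveDirectory module; computer objects also match objectClass=user):
# Get-ADObject -LDAPFilter '(objectClass=user)' -Properties userAccountControl, primaryGroupID,
#     adminCount, 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
#     Get-DelegationFinding | Where-Object Action
```

In the constructed data only CONTOSO-APP7 and adm-bob produce an action; the domain controller is trusted for unconstrained delegation by design and is left out of the findings.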

Exchange Permissions

When Exchange was first integrated with Active Directory (Exchange 2000), a shared permission model was the only option, which gave Exchange servers and Exchange administrators the ability to create and manage objects along with elevated permissions on the domain controllers.  At the time, Domain and Exchange administration was often performed by the same team, so there was little concern about violating the principle of least privilege.  Eventually those responsibilities began to diverge to separate teams, and the concept of split permissions was introduced with Exchange 2010 SP1.  Organizations that will continue to have on-prem Exchange servers are encouraged to implement Active Directory split permissions, which will change how some operational processes are performed, such as creating mailbox users or managing distribution groups.  RBAC split permissions is another alternative, but it does not provide the same level of privilege reduction for the Exchange objects (Exchange Trusted Subsystem, Exchange Servers group, Organization Management).

For a time, it was necessary to keep an Exchange server on-prem to perform recipient management even after all mailboxes were moved to Exchange Online.  That is no longer a requirement due to a new set of Exchange Management Tools.  Organizations that adopt the new tools can remove any remaining Exchange servers and then use the CleanupActiveDirectoryEMT.ps1 script to remove the Exchange-related permissions from Active Directory.

If the Exchange shared permission cannot be removed, the Exchange Servers and Exchange administrators should be considered Tier 0 rather than Tier 1.

Credential Vaulting

In discussions about revamping privileged access, the concept of credential vaulting often comes up. Credential vaults can be a key component of a privileged account management solution, but how and where you use your account while it's checked out still matters. Consider this scenario:

Hopefully my example illustrates that imposing security tiers for accounts and devices is still relevant, even with a credential vaulting solution. A few observations from it are:

User Account Control

User Account Control is a security feature which can minimize the privilege used to launch processes.  It is based on a split token model where privileged users begin their session with a full and a low privilege token, as depicted in the diagram below.  Processes are launched by default using the low privilege token but can switch to the high privilege token with consent.  To be clear, this is a defense-in-depth measure that is not intended to displace other security controls or credential hygiene practices.

Microsoft baselines recommend that the following UAC settings be implemented on domain controllers.

| Setting name | Domain Controller Recommendation (Server 2022 baseline) | Default Setting |
| --- | --- | --- |
| Admin Approval Mode for the Built-in Administrator account | Enabled | Not defined |
| Allow UIAccess applications to prompt for elevation without using the secure desktop | | Disabled |
| Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | Prompt for consent for non-Windows binaries (default) |
| Behavior of the elevation prompt for standard users | Automatically deny elevation requests | Prompt for credentials |
| Detect application installations and prompt for elevation | Enabled | Enabled |
| Only elevate executables that are signed and validated | | Disabled |
| Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled |
| Run all administrators in Admin Approval Mode | Enabled | Enabled |
| Switch to the secure desktop when prompting for elevation | | Enabled |
| Virtualize File And Registry Write Failures To Per User Locations | Enabled | Enabled |
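The seven settings that carry a recommendation in the table can be checked against a server's effective configuration. The following is an added example, not code from the original post: it compares the registry values that back those policies with the recommended state and reports drift. The function name Test-UacBaseline and the sample state are assumptions made for illustration, and the sample values are constructed.

```powershell
# Added example, not code from the original post.
# Each entry maps a policy from the table to the registry value that backs it under
# HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and to the
# number that represents the recommended state.
$UacBaseline = @(
    @{ Policy = 'Admin Approval Mode for the Built-in Administrator account'
       Value  = 'FilterAdministratorToken';   Expected = 1 }   # Enabled
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Value  = 'ConsentPromptBehaviorAdmin'; Expected = 2 }   # Prompt for consent on the secure desktop
    @{ Policy = 'Behavior of the elevation prompt for standard users'
       Value  = 'ConsentPromptBehaviorUser';  Expected = 0 }   # Automatically deny elevation requests
    @{ Policy = 'Detect application installations and prompt for elevation'
       Value  = 'EnableInstallerDetection';   Expected = 1 }   # Enabled
    @{ Policy = 'Only elevate UIAccess applications that are installed in secure locations'
       Value  = 'EnableSecureUIAPaths';       Expected = 1 }   # Enabled
    @{ Policy = 'Run all administrators in Admin Approval Mode'
       Value  = 'EnableLUA';                  Expected = 1 }   # Enabled
    @{ Policy = 'Virtualize file and registry write failures to per-user locations'
       Value  = 'EnableVirtualization';       Expected = 1 }   # Enabled
)

function Test-UacBaseline {
    param(
        # Hashtable or object whose members are the registry value names above.
        [Parameter(Mandatory)]
        $Current
    )
    foreach ($item in $UacBaseline) {
        $actual = $Current.($item.Value)
        [pscustomobject]@{
            Policy        = $item.Policy
            RegistryValue = $item.Value
            Expected      = $item.Expected
            Actual        = if ($null -eq $actual) { 'Not defined' } else { $actual }
            # A missing value counts as drift: the setting is not being enforced.
            Compliant     = ($null -ne $actual) -and ([int]$actual -eq $item.Expected)
        }
    }
}

# Constructed sample: a server still running the default settings from the table.
$sampleState = @{
    ConsentPromptBehaviorAdmin = 5   # Prompt for consent for non-Windows binaries
    ConsentPromptBehaviorUser  = 3   # Prompt for credentials
    EnableInstallerDetection   = 1
    EnableSecureUIAPaths       = 1
    EnableLUA                  = 1
    EnableVirtualization       = 1
    # FilterAdministratorToken is absent ("Not defined")
}

Test-UacBaseline -Current $sampleState |
    Where-Object { -not $_.Compliant } |
    Format-Table Policy, Expected, Actual -AutoSize -Wrap

# Live use on a domain controller:
# Test-UacBaseline -Current (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
```

Against the constructed defaults, three settings are reported: the built-in Administrator approval mode and both elevation prompt behaviors.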

Hopefully this information will help you review your Active Directory environment and identify opportunities to reduce excessive privileges.  As you plan your remediations just keep these Do's and Don'ts in mind.  

/common/Loading/LoadingDot-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1745505307000","value":{"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:o365.prod:pages/blogs/BlogMessagePage:board:CoreInfrastructureandSecurityBlog-1746563191129":{"__typename":"CachedAsset","id":"quilt:o365.prod:pages/blogs/BlogMessagePage:board:CoreInfrastructureandSecurityBlog-1746563191129","value":{"id":"BlogMessagePage","container":{"id":"Common","headerProps":{"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents":["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps":{"community.widget.breadcrumbWidget":{"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"blog-article","layout":"ONE_COLUMN","bgColor":null,"showTitle":null,"showDescription":null,"textPosition":null,"textColor":null,"sectionEditLevel":"LOCKED","bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"OneColumnQuiltSection","columnMap":{"main":[{"id":"blogs.widget.blogArticleWidget","className":"lia-blog-container","props":null,"__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"}},{"id":"section-1729184836777","layout":"MAIN_SIDE","bgColor":"transparent","showTitle":false,"showDescription":false,"textPosition":"CENTER","textColor":"var(--lia-bs-body-color)","sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"MainSideQuiltSection","columnMap":{"main":[],"side":[],"__typename":"MainSideSectionColumns"}}],"__typename":"QuiltContainer"},"__typename":"Quilt","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/EmailVerification-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerifi
cation-1745505307000","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-pages/blogs/BlogMessagePage-1745505307000","value":{"title":"{contextMessageSubject} | {communityTitle}","errorMissing":"This blog post cannot be found","name":"Blog Message Page","section.blog-article.title":"Blog Post","archivedMessageTitle":"This Content Has Been Archived","section.section-1729184836777.title":"","section.section-1729184836777.description":"","section.CncIde.title":"Blog Post","section.tifEmD.description":"","section.tifEmD.title":""},"localOverride":false},"CachedAsset:quiltWrapper:o365.prod:Common:1746563127702":{"__typename":"CachedAsset","id":"quiltWrapper:o365.prod:Common:1746563127702","value":{"id":"Common","header":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"community.widget.navbarWidget","props":{"showUserName":true,"showRegisterLink":true,"useIconLanguagePicker":true,"useLabelLanguagePicker":true,"className":"QuiltComponent_lia-component-edit-mode__0nCcm","links":{"sideLinks":[],"mainLinks":[{"children":[],"linkType":"INTERNAL","id":"gxcuf89792","params":{},"routeName":"CommunityPage"},{"children":[],"linkType":"EXTERNAL","id":"external-link","url":"/Directory","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft365","params":{"categor
yId":"microsoft365"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows","params":{"categoryId":"Windows"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft365-copilot-link","params":{"categoryId":"Microsoft365Copilot"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-teams","params":{"categoryId":"MicrosoftTeams"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-securityand-compliance","params":{"categoryId":"microsoft-security"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"azure","params":{"categoryId":"Azure"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-content_management-link","params":{"categoryId":"Content_Management"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"exchange","params":{"categoryId":"Exchange"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows-server","params":{"categoryId":"Windows-Server"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"outlook","params":{"categoryId":"Outlook"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-endpoint-manager","params":{"categoryId":"microsoftintune"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-2","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"communities","url":"/","target":"BLANK"},{"children":[{"linkType":"INTERNAL","id":"a-i","params":{"categoryId":"AI"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"education-sector","params":{"categoryId":"EducationSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"partner-community","params":{"categoryId":"PartnerCommunity"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"i-t-ops-talk","params":{"categoryId":"ITOpsTalk"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"healthcare-and-life-sciences","params":{"categoryId":"HealthcareAndLifeSciences"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-mechanics","p
arams":{"categoryId":"MicrosoftMechanics"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"public-sector","params":{"categoryId":"PublicSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"s-m-b","params":{"categoryId":"MicrosoftforNonprofits"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"io-t","params":{"categoryId":"IoT"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"startupsat-microsoft","params":{"categoryId":"StartupsatMicrosoft"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"driving-adoption","params":{"categoryId":"DrivingAdoption"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-1","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"communities-1","url":"/","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external","url":"/Blogs","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external-1","url":"/Events","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft-learn-1","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-learn-blog","params":{"boardId":"MicrosoftLearnBlog","categoryId":"MicrosoftLearn"},"routeName":"BlogBoardPage"},{"linkType":"EXTERNAL","id":"external-10","url":"https://learningroomdirectory.microsoft.com/","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-3","url":"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-4","url":"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-5","url":"https://docs.microsoft.com/learn/topics/sci/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-6","url":"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-7","url"
:"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-8","url":"https://docs.microsoft.com/learn/teams/?wt.mc_id=techcom_header-webpage-teams","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-9","url":"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-2","url":"https://docs.microsoft.com/learn/azure/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"}],"linkType":"INTERNAL","id":"microsoft-learn","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"children":[],"linkType":"INTERNAL","id":"community-info-center","params":{"categoryId":"Community-Info-Center"},"routeName":"CategoryPage"}]},"style":{"boxShadow":"var(--lia-bs-box-shadow-sm)","controllerHighlightColor":"hsla(30, 100%, 50%)","linkFontWeight":"400","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkBoxShadowHover":"none","linkFontSize":"14px","backgroundOpacity":0.8,"controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerBgColor":"transparent","hamburgerColor":"var(--lia-nav-controller-icon-color)","linkTextBorderBottom":"none","brandLogoHeight":"30px","linkBgHoverColor":"transparent","linkLetterSpacing":"normal","collapseMenuDividerOpacity":0.16,"dropdownPaddingBottom":"15px","paddingBottom":"15px","dropdownMenuOffset":"2px","hamburgerBgHoverColor":"transparent","borderBottom":"1px solid 
var(--lia-bs-border-color)","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","collapseMenuDividerBg":"var(--lia-nav-link-color)","linkColor":"var(--lia-bs-body-color)","linkJustifyContent":"flex-start","dropdownPaddingTop":"10px","controllerHighlightTextColor":"var(--lia-yiq-dark)","controllerTextColor":"var(--lia-nav-controller-icon-color)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-body-color)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid var(--lia-bs-body-color)","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","linkPaddingX":"10px","linkPaddingY":"5px","paddingTop":"15px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 
0.1)","linkBgColor":"transparent","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkDropdownPaddingY":"9px","controllerIconColor":"var(--lia-bs-body-color)","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"var(--lia-bs-body-color)"},"showSearchIcon":false,"languagePickerStyle":"iconAndLabel"},"__typename":"QuiltComponent"},{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"transparent","linkHighlightColor":"var(--lia-bs-primary)","visualEffects":{"showBottomBorder":true},"linkTextColor":"var(--lia-bs-gray-700)"},"__typename":"QuiltComponent"},{"id":"custom.widget.community_banner","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"usePageWidth":false,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.HeroBanner","props":{"widgetVisibility":"signedInOrAnonymous","usePageWidth":false,"useTitle":true,"cMax_items":3,"useBackground":false,"title":"","lazyLoad":false,"widgetChooser":"custom.widget.HeroBanner"},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"footer":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"custom.widget.MicrosoftFooter","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"__typename":"QuiltWrapper","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/ActionFeedback-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1745505307000","value":{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not 
Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. 
Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived 
Content"},"localOverride":false},"QueryVariables:TopicReplyList:message:4366626:5":{"__typename":"QueryVariables","id":"TopicReplyList:message:4366626:5","value":{"id":"message:4366626","first":10,"sorts":{"postTime":{"direction":"DESC"}},"repliesFirst":3,"repliesFirstDepthThree":1,"repliesSorts":{"postTime":{"direction":"DESC"}},"useAvatar":true,"useAuthorLogin":true,"useAuthorRank":true,"useBody":true,"useKudosCount":true,"useTimeToRead":false,"useMedia":false,"useReadOnlyIcon":false,"useRepliesCount":true,"useSearchSnippet":false,"useAcceptedSolutionButton":false,"useSolvedBadge":false,"useAttachments":false,"attachmentsFirst":5,"useTags":true,"useNodeAncestors":false,"useUserHoverCard":false,"useNodeHoverCard":false,"useModerationStatus":true,"usePreviewSubjectModal":false,"useMessageStatus":true}},"ROOT_MUTATION":{"__typename":"Mutation"},"CachedAsset:component:custom.widget.community_banner-en-us-1746563227843":{"__typename":"CachedAsset","id":"component:custom.widget.community_banner-en-us-1746563227843","value":{"component":{"id":"custom.widget.community_banner","template":{"id":"community_banner","markupLanguage":"HANDLEBARS","style":".community-banner {\n a.top-bar.btn {\n top: 0px;\n width: 100%;\n z-index: 999;\n text-align: center;\n left: 0px;\n background: #0068b8;\n color: white;\n padding: 10px 0px;\n display: block;\n box-shadow: none !important;\n border: none !important;\n border-radius: none !important;\n margin: 0px !important;\n font-size: 14px;\n }\n}\n","texts":{},"defaults":{"config":{"applicablePages":[],"description":"community announcement text","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.community_banner","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"community announcement 
text","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_community_banner_community-banner_1x9u2_1 {\n a.custom_widget_community_banner_top-bar_1x9u2_2.custom_widget_community_banner_btn_1x9u2_2 {\n top: 0;\n width: 100%;\n z-index: 999;\n text-align: center;\n left: 0;\n background: #0068b8;\n color: white;\n padding: 0.625rem 0;\n display: block;\n box-shadow: none !important;\n border: none !important;\n border-radius: none !important;\n margin: 0 !important;\n font-size: 0.875rem;\n }\n}\n","tokens":{"community-banner":"custom_widget_community_banner_community-banner_1x9u2_1","top-bar":"custom_widget_community_banner_top-bar_1x9u2_2","btn":"custom_widget_community_banner_btn_1x9u2_2"}},"form":null},"localOverride":false},"CachedAsset:component:custom.widget.HeroBanner-en-us-1746563227843":{"__typename":"CachedAsset","id":"component:custom.widget.HeroBanner-en-us-1746563227843","value":{"component":{"id":"custom.widget.HeroBanner","template":{"id":"HeroBanner","markupLanguage":"REACT","style":null,"texts":{"searchPlaceholderText":"Search this community","followActionText":"Follow","unfollowActionText":"Following","searchOnHoverText":"Please enter your search term(s) and then press return key to complete a search.","blogs.sidebar.pagetitle":"Latest Blogs | Microsoft Tech Community","followThisNode":"Follow this node","unfollowThisNode":"Unfollow this node"},"defaults":{"config":{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the 
carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.HeroBanner","form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the 
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"descri
ption":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the 
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"__typename":"Component","localOverride":false},"globalCss":null,"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STR
ING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the 
Useful post. Thanks for sharing!
{tagName}"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserRegistrationDate-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserRegistrationDate-1745505307000","value":{"noPrefix":"{date}","withPrefix":"Joined {date}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeAvatar-1745505307000","value":{"altTitle":"Node avatar for {nodeTitle}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeDescription-1745505307000","value":{"description":"{description}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageListMenu-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageListMenu-1745505307000","value":{"postTimeAsc":"Oldest","postTimeDesc":"Newest","kudosSumWeightAsc":"Least Liked","kudosSumWeightDesc":"Most Liked","sortTitle":"Sort By","sortedBy.item":" { itemName, select, postTimeAsc {Oldest} postTimeDesc {Newest} kudosSumWeightAsc {Least Liked} kudosSumWeightDesc {Most Liked} other {}}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeIcon-1745505307000","value":{"contentType":"Content Type {style, select, FORUM {Forum} BLOG {Blog} TKB {Knowledge Base} IDEA {Ideas} OCCASION {Events} other {}} 
icon"},"localOverride":false}}}},"page":"/blogs/BlogMessagePage/BlogMessagePage","query":{"boardId":"coreinfrastructureandsecurityblog","messageSubject":"active-directory-hardening-series---part-7-–-implementing-least-privilege","messageId":"4366626"},"buildId":"-gVUpXaWnPcjlrLJZ92B7","runtimeConfig":{"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","openTelemetryClientEnabled":false,"openTelemetryConfigName":"o365","openTelemetryServiceVersion":"25.3.0","openTelemetryUniverse":"prod","openTelemetryCollector":"http://localhost:4318","openTelemetryRouteChangeAllowedTime":"5000","apolloDevToolsEnabled":false,"inboxMuteWipFeatureEnabled":false},"isFallback":false,"isExperimentalCompile":false,"dynamicIds":["./components/community/Navbar/NavbarWidget.tsx","./components/community/Breadcrumb/BreadcrumbWidget.tsx","./components/customComponent/CustomComponent/CustomComponent.tsx","./components/blogs/BlogArticleWidget/BlogArticleWidget.tsx","./components/messages/MessageView/MessageViewStandard/MessageViewStandard.tsx","./components/messages/ThreadedReplyList/ThreadedReplyList.tsx","./components/external/components/ExternalComponent.tsx","./components/customComponent/CustomComponentContent/TemplateContent.tsx","../shared/client/components/common/List/UnwrappedList/UnwrappedList.tsx","./components/tags/TagView/TagView.tsx","./components/tags/TagView/TagViewChip/TagViewChip.tsx","../shared/client/components/common/List/UnstyledList/UnstyledList.tsx","./components/messages/MessageView/MessageView.tsx"],"appGip":true,"scriptLoader":[{"id":"analytics","src":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1730819800000/analytics.js?page.id=BlogMessagePage&entity.id=board%3Acoreinfrastructureandsecurityblog&entity.id=message%3A4366626","strategy":"afterInteractive"}]}