Directory Insights in 10 Minutes

Welcome to Guardians of the Directory, the podcast where we break down real-world threats, best practices, and insights in Active Directory, Entra ID, and Microsoft identity security.

In today’s episode, Craig Birch dives into one of Active Directory’s oldest — and most quietly dangerous — features: the primaryGroupID. While originally designed for POSIX compatibility and legacy systems, this attribute can now be misused to grant hi...

Shadow admins might not wear capes—but they can bring down your Active Directory if left unchecked. In this episode of Directory Insights in 10 Minutes, Craig Birch takes a sharp dive into AD delegations that slip through the cracks—commonly misconfigured permissions that give users dangerous access without being in official admin groups.

You'll learn:

• What shadow admins are and why they’re so often missed

• Key permissions that...

🎙️ In This Episode of Directory Insights in 10 Minutes
Craig Birch breaks down the misunderstood AdminSDHolder object and the SDProp process in Active Directory—why they exist, how they protect privileged groups, and how attackers exploit misconfigurations to maintain persistence.

🔍 What You’ll Learn:
• What AdminSDHolder and SDProp actually do
• Why they matter for Tier 0 group protection
• How attackers abuse them fo...

🎙️ In this episode, Craig Birch breaks down one of Active Directory’s most overlooked threats: Kerberoasting via privileged accounts with Service Principal Names (SPNs).
You’ll learn how attackers exploit this common misconfiguration to extract service tickets and crack credentials offline — and how to identify and fix these accounts without breaking critical apps.

• What SPNs are — and why they matter for security
• How atta...

🎙️ In this episode, Craig Birch exposes one of the most overlooked Active Directory misconfigurations: the “Do not require Kerberos pre-authentication” setting.
Attackers love it — it enables AS-REP Roasting, silent user enumeration, and offline password cracking — and it often flies under the radar of SIEMs and detection tools.

• What Kerberos pre-auth actually does
• How disabling it creates an AS-REP Roasting risk
• Why...

🎙️ In this episode of Directory Insights in 10 Minutes, powered by Guardians of the Directory, Craig Birch walks you through detecting and remediating a legacy misconfiguration that still haunts many AD environments: accounts limited to DES-only Kerberos encryption.

DES is weak, deprecated, and easily cracked — yet it's still lurking in environments where older configurations or forgotten accounts persist.

🔍 What You’ll Learn:•...

🎙️ In this episode, Craig Birch dives into a critical but often overlooked AD misconfiguration: accounts that allow password storage with reversible encryption.
This setting can bypass your domain password policies and expose credentials to plaintext extraction by tools like Mimikatz or DCSync.

🔍 What You’ll Learn:

• Why reversible password encryption is still found in AD environments
• How it allows attackers to dump plainte...

🎙️ In this episode, Craig Birch exposes one of the most dangerous and overlooked misconfigurations in Active Directory: the PasswordNotRequired attribute.

Most AD admins assume password policies apply to all accounts — but this hidden flag allows accounts to exist with blank passwords, silently bypassing domain-wide protections. Attackers know it. Many admins don’t.

🔍 What You’ll Learn:• What the PasswordNotRequired attribute reall...

Directory Insights in 10 Minutes – Episode 1

Welcome to the very first episode of Directory Insights in 10 Minutes, brought to you by Guardians of the Directory.
This series cuts through the noise — no fluff, no filler — just real-world, actionable insights for securing Active Directory and Entra ID.

In this kickoff episode, Craig Birch reveals the #1 most overlooked AD misconfiguration — one that ships insecure by default, is pre...