Restructure the xio.bio Active Directory after years of accumulated cruft.
End state: AD holds only the few accounts that genuinely need Windows-side
authentication (Kerberos / SMB / RDP). Everything else — app-only users,
all application access groups — moves to Authentik. AD groups exist only
for login, file shares, and GPO targeting.
This page is the change log for that work. If anything breaks after a
date listed here, this is the page to consult before reaching for the
ESXi snapshot rollback.
Pre-state:

- OU=StandardUser — sequential evaluation each login
- GpNetworkStartTimeoutPolicyValue not set → 30 s wait when AD unreachable

Target architecture:

```
Authentik (= login frontend for ALL apps)
├── App-only users (Wiki, Plex, Immich, BBB, Nextcloud)
└── Mirror of AD users via LDAP source
        |
        ▼ LDAP read-bind
AD (xio.bio) = Windows-identity store
├── Korff family (real people who use Terminal Servers / RDP)
├── IO staff (employees with Windows logins)
└── Service accounts (Kerberos-only — Printer, ServiceLDAP, Console)
```
Group-of-record migrates from AD to Authentik for app-permission groups
(e.g. GS-Nextcloud → Authentik group). AD groups exist for: file
shares, GPO targeting, RDP allow-list, service-account roles. 8 AD
groups total vs the 40+ in the pre-state.
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target xio.bio
Effect: deleted-object tombstones live for 180 days and can be restored
via Restore-ADObject -Identity <DN>. Irreversible (cannot be turned
off again — that's the design). Pre-requisite for safe Phase B+.
OUs created (renamed from Users/Computers to avoid collision with the
default CN=Users / CN=Computers containers — Microsoft best-practice
pattern for that case):

- OU=People,DC=xio,DC=bio
  - OU=Korff,OU=People,... (Korff family members)
  - OU=IO,OU=People,... (IO employees)
  - OU=Service,OU=People,... (service accounts incl. Console)
- OU=Devices,DC=xio,DC=bio
  - OU=Servers,OU=Devices,...
  - OU=Workstations,OU=Devices,...
  - OU=Laptops,OU=Devices,...
- OU=Groups,DC=xio,DC=bio

Groups to create (8 total):

| Group | Purpose | Members |
|---|---|---|
| g-korff | Family — share + GPO targeting | A, F, H, M, R, L.Korff |
| g-korff-admin | Family admins | A.Korff, L.Korff |
| g-io-staff | Employees | J.Placzek, K.Ekelt, MA3, Outdoor |
| g-io-admin | IO admins (= Korff admins, semantically scoped) | A.Korff, L.Korff |
| g-svc | Service accounts | Console, Printer, ServiceLDAP, F.Korff, LDAP-Account (TBD) |
| g-pc-workstation | Computer-OU GPO target | PC-IO-* |
| g-pc-laptop | Computer-OU GPO target | NB-IO-* |
| g-rdp-allowed | Who may RDP into Windows boxes | A, L.Korff, J.Placzek, K.Ekelt |
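As an added example (not the page's own Phase B script), the OU tree and the eight g-* groups above can be created idempotently with the ActiveDirectory module, so a re-run after a partial failure neither errors on existing objects nor duplicates memberships. The sAMAccountNames are the ones from the table; the helper names and the "enabled computers in the OU" rule for the two g-pc-* groups are assumptions of this example.

```powershell
# Added example, not the page's own script. Assumes the ActiveDirectory RSAT
# module on VM-DC-01 and the sAMAccountNames from the table above.
Import-Module ActiveDirectory

$Domain = 'DC=xio,DC=bio'

# OUs in parent-first order so each Path already exists when it is used.
$Ous = @(
    @{ Name = 'People';       Path = $Domain },
    @{ Name = 'Korff';        Path = "OU=People,$Domain" },
    @{ Name = 'IO';           Path = "OU=People,$Domain" },
    @{ Name = 'Service';      Path = "OU=People,$Domain" },
    @{ Name = 'Devices';      Path = $Domain },
    @{ Name = 'Servers';      Path = "OU=Devices,$Domain" },
    @{ Name = 'Workstations'; Path = "OU=Devices,$Domain" },
    @{ Name = 'Laptops';      Path = "OU=Devices,$Domain" },
    @{ Name = 'Groups';       Path = $Domain }
)

# User groups from the table; computer groups are filled from the Devices OUs below.
$Groups = @(
    @{ Name = 'g-korff';       Desc = 'Family - share + GPO targeting'; Members = @('A.Korff','H.Korff','M.Korff','R.Korff','L.Korff') },
    @{ Name = 'g-korff-admin'; Desc = 'Family admins';                   Members = @('A.Korff','L.Korff') },
    @{ Name = 'g-io-staff';    Desc = 'Employees';                       Members = @('J.Placzek','K.Ekelt','MA3') },
    @{ Name = 'g-io-admin';    Desc = 'IO admins';                       Members = @('A.Korff','L.Korff') },
    @{ Name = 'g-svc';         Desc = 'Service accounts';                Members = @('Console','Printer','ServiceLDAP','F.Korff') },
    @{ Name = 'g-rdp-allowed'; Desc = 'Who may RDP into Windows boxes';  Members = @('A.Korff','L.Korff','J.Placzek','K.Ekelt') }
)

function Ensure-OU {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    # -Identity throws ADIdentityNotFoundException when the OU is missing; that is the "create" signal.
    try { Get-ADOrganizationalUnit -Identity $dn | Out-Null; return }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { }
    New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    Write-Host "created $dn"
}

function Ensure-Group {
    param([string]$Name, [string]$Description, [string[]]$Members)
    $path = "OU=Groups,$Domain"
    $grp = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $path
    if (-not $grp) {
        $grp = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security `
                           -Path $path -Description $Description -PassThru
        Write-Host "created group $Name"
    }
    # Add only what is missing: the users' existing GU-*/GP-* memberships are untouched,
    # and Add-ADGroupMember errors on an account that is already a member.
    $current = @(Get-ADGroupMember -Identity $grp | Select-Object -ExpandProperty SamAccountName)
    $missing = @($Members | Where-Object { $_ -notin $current })
    if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $grp -Members $missing }
}

foreach ($ou in $Ous)    { Ensure-OU -Name $ou.Name -Path $ou.Path }
foreach ($g  in $Groups) { Ensure-Group -Name $g.Name -Description $g.Desc -Members $g.Members }

# Computer groups follow the OU the machine lives in (enabled objects only);
# computer sAMAccountNames carry the trailing '$'.
$pcMap = @{ 'g-pc-workstation' = "OU=Workstations,OU=Devices,$Domain"
            'g-pc-laptop'      = "OU=Laptops,OU=Devices,$Domain" }
foreach ($entry in $pcMap.GetEnumerator()) {
    $pcs = @(Get-ADComputer -Filter "Enabled -eq 'True'" -SearchBase $entry.Value)
    Ensure-Group -Name $entry.Key -Description 'Computer-OU GPO target' `
                 -Members @($pcs | ForEach-Object { $_.SamAccountName })
}
```

Because every step checks before it creates, the script can be re-run after each phase; the computer groups simply stay empty until Phase G has moved the machines into OU=Devices.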
New users created:

- lena@korff.wtf, in OU=Korff,OU=People. Member of Domänen-Admins, g-korff, g-korff-admin, g-io-admin, g-rdp-allowed. Initial password in .secrets/credentials.env as AD__L_KORFF__INITIAL_PASSWORD, ChangePasswordAtLogon=TRUE.
- k.ekelt@io-event.com, in OU=IO,OU=People. Member of g-io-staff, g-rdp-allowed. Initial password in .secrets/credentials.env as AD__K_EKELT__INITIAL_PASSWORD, ChangePasswordAtLogon=TRUE.

Memberships added (alongside existing GU-* memberships, fail-safe parallel):

- g-korff ← A.Korff, H.Korff, M.Korff, R.Korff, L.Korff (5 real Korff family members; F.Korff stays out — it's the shared family-NC bind, not a person)
- g-korff-admin ← A.Korff, L.Korff
- g-io-admin ← A.Korff, L.Korff
- g-io-staff ← J.Placzek, MA3, K.Ekelt
- g-rdp-allowed ← A.Korff, H.Korff, M.Korff, R.Korff, J.Placzek, MA3, L.Korff, K.Ekelt
- g-svc ← F.Korff, ServiceLDAP, LDAP-Account, Printer, Console

Old GU-* / GP-UC-* groups remain untouched until Phase K (post-Authentik
migration).
Currently still in OU=StandardUser. Moving them to OU=People/{Korff,IO,Service}
loses the 14 GPOs linked to OU=StandardUser. Deferred until either:
Existing users move into the new OU layout. Group memberships are added
to the new g-* groups in parallel; the old GU-* / GP-* memberships
stay until Phase K removes the obsolete groups.
23 computer objects with lastLogon > 540 days ago were disabled (not
deleted — fully recoverable via Enable-ADAccount). Their Description
field was prefixed with "Disabled 2026-04-30 by AD cleanup phase D (last login >540d)." for traceability.
Disabled (sorted by days-ago):
VM-TS-02 (2198d), VM-TS-01 (2198d), VM-TS-03 (1951d), VM-SW-11 (1849d),
VM-SW-12 (1809d), NB-IO-02 (1787d), VM-TS-30 (1737d), VM-SW-30 (1736d),
NB-IO-03 (1598d), PC-IO-05 (1596d), VM-TS-31 (1577d), TRUENAS (1566d),
VM-TS-14 (1535d), PC-IO-03 (1530d), NB-IO-01 (1496d), VM-SL-40 (1384d),
PC-IO-04 (1291d), VM-SW-01 (1201d), VM-SW-02 (1191d), VM-TS-11 (775d),
SV-IO-03 (765d), NB-IO-05 (711d), NB-IO-04 (658d).
Active computers post-cleanup (12): VM-DC-01, VM-DB-02, VM-SW-03,
VM-TS-12, SV-IO-02, ADMINISTRATOR, NB-IO-06, NB-IO-07, PC-IO-01,
PC-IO-02, PC-IO-06, PC-IO-07.
Deletion of disabled computer objects: deferred 30 days
(target date 2026-05-30). If anyone needs them sooner, Enable-ADAccount
brings them back.
Deleted via Remove-ADUser. AD Recycle Bin (Phase A) holds tombstones
for 180 days; restore via:
Get-ADObject -Filter 'IsDeleted -eq $true' -IncludeDeletedObjects -SearchBase 'CN=Deleted Objects,DC=xio,DC=bio'
Restore-ADObject -Identity '<DN-of-tombstone>'
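The Phase D disable and the Recycle Bin lookup above, as an added example (not the page's own script): the stale-computer pass is wrapped in a function that supports -WhatIf, tags the Description the way the phase did, and skips domain controllers; a second helper finds a tombstone by its original name so the Restore-ADObject line does not need a hand-copied DN. Function names and the 540-day default are choices of this example.

```powershell
# Added example, not the page's own Phase D script. Assumes the ActiveDirectory
# module; run with -WhatIf first to get the candidate list without changing anything.
Import-Module ActiveDirectory

function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Days = 540,
        [string]$Tag = "Disabled $(Get-Date -Format yyyy-MM-dd) by AD cleanup phase D (last login >${Days}d)."
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    # LastLogonDate is the replicated lastLogonTimestamp: it can lag the true last logon
    # by up to 14 days, so a 540-day threshold is still comfortably conservative.
    # Objects that never logged on have no LastLogonDate and are NOT matched by -lt;
    # review those separately rather than assume they are dead.
    $stale = Get-ADComputer -Filter { LastLogonDate -lt $cutoff -and Enabled -eq $true } `
                            -Properties LastLogonDate, Description, PrimaryGroupID |
             Where-Object { $_.PrimaryGroupID -ne 516 }   # 516 = Domain Controllers, never touch

    foreach ($c in ($stale | Sort-Object LastLogonDate)) {
        $age = [int]((Get-Date) - $c.LastLogonDate).TotalDays
        if ($PSCmdlet.ShouldProcess($c.Name, "disable (last logon ${age}d ago)")) {
            # Prefix, don't overwrite: the old description may still identify the box.
            Set-ADComputer -Identity $c -Description ("$Tag $($c.Description)".Trim())
            Disable-ADAccount -Identity $c
        }
    }
    $stale | Select-Object Name, LastLogonDate
}

function Find-Tombstone {
    # Locate a deleted object in the Recycle Bin by its original name: the deleted
    # object's Name becomes "<name>\0ADEL:<guid>", so a prefix match is enough.
    param([Parameter(Mandatory)][string]$Name)
    Get-ADObject -Filter "IsDeleted -eq `$true -and Name -like '$Name*'" `
                 -IncludeDeletedObjects -SearchBase 'CN=Deleted Objects,DC=xio,DC=bio' `
                 -Properties LastKnownParent, WhenChanged |
        Select-Object Name, ObjectClass, LastKnownParent, WhenChanged, DistinguishedName
}

# Dry run first, then the real pass:
Disable-StaleComputer -Days 540 -WhatIf
# Disable-StaleComputer -Days 540

# Recovery paths:
#   while still disabled:  Enable-ADAccount -Identity 'VM-TS-11$'
#   after deletion:        Find-Tombstone -Name 'VM-TS-11' |
#                              ForEach-Object { Restore-ADObject -Identity $_.DistinguishedName }
```

The function returns the candidate list as objects, so the output of the -WhatIf run can be exported (for instance to the inventory/vm-dc-01 audit files) before anything is disabled.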
| User | Last actual login | Reason |
|---|---|---|
| R.Kunz (Raphael Kunz) | 2022-01-15 (disabled) | Ex-employee 4+ years stale |
| M.Foord (Mark Foord) | 2022-05-29 (disabled) | Ex 4+ years stale |
| ServiceCam | NEVER | Old surveillance-cam construct (user confirmed) |
| Service | 2021-11-01 | Generic 4.5y stale, no owner |
Decisions clarified mid-cleanup (2026-04-30):

- Console — KEEPS — it's a stage/lighting console with its own g-svc.
- J.Placzek — moves to Authentik, not deleted from AD now. AD
- LDAP-Account — held: created 2020-04, never logged in. Will be
- Outdoor — held: last login 2020-11 (5.5 y stale). Need user to

15 orphan GPOs were backed up to C:\GPO-Archive\2026-04-30\ on VM-DC-01
via Backup-GPO, then deleted. Restore via:
Restore-GPO -Path 'C:\GPO-Archive\2026-04-30' -Name '<GPO name>'
Deleted: Dokumente LOKAL, Interne Security, Notepad, Thunderbird,
Dokumente Korff, Windows Admin Center, Biometric Login, Video Korff,
VLC, 7 Zip, Biometrie, Office 365, WSUS, Musik Korff,
Deaktivate Searchbar.
GPO total: 42 → 28 (33 % reduction).
All 12 active computers moved into the new OU=Devices tree:

| Sub-OU | Computers |
|---|---|
| OU=Servers,OU=Devices | VM-DB-02, VM-SW-03, VM-TS-12, SV-IO-02 |
| OU=Workstations,OU=Devices | PC-IO-01, PC-IO-02, PC-IO-06, PC-IO-07 |
| OU=Laptops,OU=Devices | NB-IO-06, NB-IO-07 |
| OU=Domain Controllers | VM-DC-01 (default, untouched) |
| CN=Computers (default container) | ADMINISTRATOR (mystery object — TBD) |
g-pc-workstation populated with the 4 PC-IO-* desktops; g-pc-laptop
populated with the 2 NB-IO-* laptops.
After move, the 23 disabled computer objects from Phase D were deleted
outright (instead of waiting 30 days) — Recycle Bin tombstones hold
180 days. VM-SW-30 needed recursive delete (had a child
rRASAdministrationConnectionPoint from RRAS).
All 11 active users moved out of OU=StandardUser into the new
OU=People tree:

| Sub-OU | Users |
|---|---|
| OU=Korff,OU=People | A.Korff, H.Korff, M.Korff, R.Korff, L.Korff (Lena) |
| OU=IO,OU=People | J.Placzek, MA3, K.Ekelt (Kevin) |
| OU=Service,OU=People | F.Korff (shared NC bind), Console (lighting console NC), Printer, ServiceLDAP, LDAP-Account |
Administrator (built-in) stays in default CN=Users container.
All 19 active GPOs got their links migrated from old (OU=PC,
OU=StandardUser) to new (OU=Devices, OU=People) OUs. During
transition, both links were active (additive). After verifying coverage,
the old links were removed.
Apply ACLs were extended additively so both old (GU-KO, GU-IO,
GS-Nextcloud, GP) AND new (g-korff, g-io-staff, g-svc,
g-pc-workstation, g-pc-laptop) groups grant the policy. This means:
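The additive link-then-remove migration and the parallel Apply ACLs described above, as an added example (not the page's own Phase H commands): links are copied from the old OU to the new one with their enabled/enforced state, the new g-* group is granted GpoApply next to the existing GU-*/GP-* ACE, and old links are removed only for GPOs verified to be linked on the new OU. The GPO-to-group pairings in the usage lines are illustrative, not the page's actual mapping.

```powershell
# Added example, not the page's own Phase H script. Assumes the GroupPolicy RSAT
# module on VM-DC-01; OU names come from the text, helper names are mine.
Import-Module GroupPolicy

# Old OU -> new OU pairs, as in the phase above.
$LinkMoves = @(
    @{ From = 'OU=StandardUser,DC=xio,DC=bio'; To = 'OU=People,DC=xio,DC=bio' },
    @{ From = 'OU=PC,DC=xio,DC=bio';           To = 'OU=Devices,DC=xio,DC=bio' }
)

function Copy-GPLinks {
    # Step 1 (additive): link every GPO from $From onto $To with the same
    # enabled/enforced state, skipping GPOs already linked there.
    param([string]$From, [string]$To)
    $existing = (Get-GPInheritance -Target $To).GpoLinks | ForEach-Object { $_.GpoId }
    foreach ($link in (Get-GPInheritance -Target $From).GpoLinks) {
        if ($existing -contains $link.GpoId) { continue }
        New-GPLink -Guid $link.GpoId -Target $To `
                   -LinkEnabled $(if ($link.Enabled)  { 'Yes' } else { 'No' }) `
                   -Enforced    $(if ($link.Enforced) { 'Yes' } else { 'No' }) | Out-Null
        Write-Host "linked '$($link.DisplayName)' -> $To"
    }
}

function Add-GPApplyGroup {
    # Step 2 (additive): grant the new g-* group Apply rights beside the old GU-*/GP-* ACE,
    # so nothing stops applying before the old groups are retired in Phase K.
    param([string]$GpoName, [string[]]$Groups)
    foreach ($g in $Groups) {
        Set-GPPermission -Name $GpoName -TargetName $g -TargetType Group -PermissionLevel GpoApply | Out-Null
    }
}

function Remove-MigratedLinks {
    # Step 3: drop an old link only when the same GPO is already linked on $To.
    param([string]$From, [string]$To)
    $newIds = (Get-GPInheritance -Target $To).GpoLinks | ForEach-Object { $_.GpoId }
    foreach ($link in (Get-GPInheritance -Target $From).GpoLinks) {
        if ($newIds -notcontains $link.GpoId) {
            Write-Warning "'$($link.DisplayName)' not yet linked on $To - keeping old link"
            continue
        }
        Remove-GPLink -Guid $link.GpoId -Target $From | Out-Null
        Write-Host "removed old link '$($link.DisplayName)' from $From"
    }
}

foreach ($m in $LinkMoves) { Copy-GPLinks -From $m.From -To $m.To }
Add-GPApplyGroup -GpoName 'Drive Family'   -Groups 'g-korff'            # illustrative pairings
Add-GPApplyGroup -GpoName 'Software GP-PC' -Groups 'g-pc-workstation'
# Verify with gpresult /r on one client per OU, then:
# foreach ($m in $LinkMoves) { Remove-MigratedLinks -From $m.From -To $m.To }
```

Keeping step 3 as a separate, explicitly invoked call is the point: the window in which both links exist is what lets a client be verified from the new OU before the old path disappears.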
Specific re-links done:

- Software GP, MAIN, RDP, MIC Privacy, Login Info View, NTP, PCUpdates → OU=Devices
- Software GP-PC → OU=Workstations,OU=Devices
- Software GP-PC-NB → OU=Laptops,OU=Devices
- Drive Archive, Drive Cloud User, Drive Family, Drive Media, Drive Scan, Background Test, Ad Removal B, Printer Buero, Printer Lager → OU=People

Additional dead GPOs deleted:

- A.Korff Explizit (empty)
- Desktop Home Folder (empty)
- Internet Properties (empty)
- Drive SV-IO-03 (target server SV-IO-03 was disabled, drive map dead)
- Ad Removal (link disabled)
- Logon Script Netzlaufwerk Offline (link disabled)

All 27 legacy groups (GP-*, GU-*, GS-Nextcloud, GP, GU) were
moved to the new OU=Groups container alongside the 8 new g-* groups.
Total custom groups in OU=Groups: 35.
Old empty OUs deleted: OU=k,OU=StandardUser, OU=StandardUser,
OU=PC. Final OU tree count: 10.
8 truly unused groups deleted (no GPO Apply ACL, no nesting, no
external dependency):

- GP-UC-Alex, GP-UC-Dev, GP-UC-IO, GP-UC-Korff, GP-UC-Prod, GP-UC-Stage, GP-UC-Test — user-context groups
- GU-EX — ex-employee group (only J.Placzek inside; he goes to

Custom group count: 35 → 28.
New GPO LIGHT-PC linked to OU=Workstations,OU=Devices, security-filtered
on the new g-pc-light group (sole member: PC-IO-07, the stage/show
lighting controller). Settings:

| Setting | Value | Why |
|---|---|---|
| Sleep timeout (AC + DC) | never | LIGHT PC must stay awake during shows |
| Hibernate | disabled | same |
| Display turn-off | never | operator UI must stay on |
| USB selective suspend | disabled | external DMX/MIDI/USB controllers must not drop |
| CachedLogonsCount | 50 | extended offline operation when not connected to AD |
| Active hours | 08:00 – 23:00 | no Windows-Update reboots during operating hours |
| ScheduledInstallTime | 04:00 daily | install during dead-of-night |
| NoAutoRebootWithLoggedOnUsers | 1 | even outside active hours, never reboot if operator logged in |
New GPO Security Baseline linked to OU=Devices, enforced. Industry
best-practice hardening for AD-joined Windows clients:

| Setting | Value | Why |
|---|---|---|
| SMB signing required (server + client) | yes | prevents SMB relay attacks |
| SMB1 disabled | yes | deprecated, exploit-ridden |
| LM hash storage | disabled | weak legacy hash, never needed |
| LMCompatibilityLevel | 5 | NTLMv2 only — refuse LM/NTLMv1 |
| WDigest plaintext caching | disabled | prevents Mimikatz dumping passwords from memory |
| UAC | EnableLUA=1, ConsentPromptBehaviorAdmin=5 | secure-desktop prompt for admin actions |
| RDP NLA required | yes | prevents pre-auth RDP exploits |
| Anonymous SAM access | restricted | prevents enumeration |
| LLMNR | disabled | broadcast name resolution often abused for relay attacks |

These are non-disruptive on Win10/11 clients (the defaults already align in many
cases), but the GPO enforces them explicitly so that Group Policy is the source
of truth rather than per-client default behaviour.
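A read-only audit of a client against the baseline table, as an added example (not part of the page's GPO): each row is mapped to the registry value the corresponding policy writes, and a value that is absent is reported as drift rather than assumed compliant, because the whole point of the GPO is that the value is set. The registry paths are the documented policy locations; the check names and output shape are this example's.

```powershell
# Added example, not part of the page's GPO. Read-only audit of a client against
# the Security Baseline table; registry paths are the documented policy locations.
$Baseline = @(
    @{ Name = 'SMB signing required (server)';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature';   Expect = 1 },
    @{ Name = 'SMB signing required (client)';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature';   Expect = 1 },
    @{ Name = 'SMB1 disabled';                   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'SMB1';                       Expect = 0 },
    @{ Name = 'LM hash storage disabled';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Value = 'NoLMHash';                   Expect = 1 },
    @{ Name = 'NTLMv2 only';                     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Value = 'LmCompatibilityLevel';       Expect = 5 },
    @{ Name = 'WDigest plaintext caching off';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';      Value = 'UseLogonCredential';         Expect = 0 },
    @{ Name = 'UAC enabled';                     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';       Value = 'EnableLUA';                  Expect = 1 },
    @{ Name = 'UAC secure-desktop prompt';       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';       Value = 'ConsentPromptBehaviorAdmin'; Expect = 5 },
    @{ Name = 'RDP NLA required';                Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Value = 'UserAuthentication';  Expect = 1 },
    @{ Name = 'Anonymous SAM access restricted'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Value = 'RestrictAnonymousSAM';       Expect = 1 },
    @{ Name = 'LLMNR disabled';                  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                Value = 'EnableMulticast';            Expect = 0 }
)

function Test-SecurityBaseline {
    param([object[]]$Checks = $Baseline)
    foreach ($c in $Checks) {
        # A missing value is reported as DRIFT, not silently treated as compliant:
        # for WDigest the OS default happens to be safe, but LLMNR is ON when the
        # value is absent, and in both cases a gap means the policy did not apply.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expect
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Status   = if ($actual -eq $c.Expect) { 'OK' } else { 'DRIFT' }
        }
    }
}

# Run after gpupdate /force on a client; every DRIFT row is a setting the GPO did not deliver.
Test-SecurityBaseline | Format-Table -AutoSize
```

Because the function emits objects, the same call can be pushed through Invoke-Command to every machine in OU=Devices and filtered on Status for a fleet-wide drift report.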
Pruned 36 stale A-records from xio.bio zone. All matching deleted /
disabled / never-existed AD computer objects. After prune: 58 → 22 A-records.
Pruned: D-1-Alexander, D-Lager, N-DELL-ROWENA, NB-IO-01..05, PC-IO-03..05,
SV-IO-01, sv-io-03 (×2 IPs), TRUENAS, VM-SL-40, VM-SW-01, VM-SW-02,
VM-SW-11 (×2), VM-SW-12 (×2), VM-SW-30, VM-T-2, VM-TS-01..03 (incl. 2nd IPs),
VM-TS-11 (×2), VM-TS-14, VM-TS-30, VM-TS-31, VM-VC-01, vm-vc-02.
The vcenter record (also at 10.100.100.100 like VM-VC-01) was kept —
it's not an AD computer name so the pattern match excluded it.
| Old name | New name | Why |
|---|---|---|
| Updates | WSUS Updates | DC-side WSUS schedule |
| PCUpdates | Workstation Updates Notifications | clearer scope |
| MAIN | Workstation Lock Screen | only sets lock-screen wallpaper |
| NTP | Workstation NTP Client | scope clear |
| MIC Privacy | Workstation Microphone Privacy | full English |
| Login Info View | Workstation Logon Verbose Status | matches setting |
| RDP | Workstation RDP Firewall Allow | matches setting |
| Software GP | (deleted — replaced by winget GPO) | obsolete |
| Software GP-PC | (deleted — empty) | dead |
| Software GP-PC-NB | (deleted — replaced by winget GPO) | obsolete (Synology dropped) |
| Drive Archive | User Drive Map: Archive (X) | searchable / consolidatable later |
| Drive Cloud User | User Drive Map: Cloud Personal (O) | same |
| Drive Family | User Drive Map: Family (F) | same |
| Drive Media | User Drive Map: Media (M) | same |
| Drive Scan | User Drive Map: Scan (Q) | same |
| Printer Buero | User Printer: PI-IO-01 (Office) | clear physical printer ID |
| Printer Lager | User Printer: PI-IO-02 (Warehouse) | same |
| Ad Removal B | User Disable Consumer Features | accurate description |
Also deleted in this pass:

- Background Test — Alex's wallpaper experiment, conflicted with Workstation Lock Screen
- GU-AL — security filter group of the deleted Background Test

\\vm-dc-01\SHARE had "Jeder/Everyone Full Control" at both share-level
and NTFS-level (basic security hole — any LAN user could read or write any
file). Replaced with:
| Layer | Identity | Right |
|---|---|---|
| NTFS | BUILTIN\Administrators | Full Control |
| NTFS | XIO\Domänen-Admins | Full Control |
| NTFS | NT AUTHORITY\SYSTEM | Full Control |
| NTFS | NT AUTHORITY\Authenticated Users | Read & Execute |
| Share | BUILTIN\Administrators | Full |
| Share | XIO\Domänen-Admins | Full |
| Share | NT AUTHORITY\Authenticated Users | Change |
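The share and NTFS model in the table, as an added example (not the page's own remediation commands): one function lists every non-administrative share that still grants Everyone (or the German "Jeder") anything, and a second rewrites both layers of a named share to the table above, with -WhatIf support. It assumes the SmbShare module (Windows Server 2012 and later) and admin rights on VM-DC-01; the function names are this example's.

```powershell
# Added example, not the page's own remediation commands. Assumes the SmbShare module
# (Windows Server 2012+) and that it runs on VM-DC-01 with admin rights.

function Find-EveryoneShares {
    # Detection: every non-administrative share that grants Everyone / "Jeder"
    # anything at the share level.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
            Where-Object { $_.AccountName -match '(^|\\)(Everyone|Jeder)$' } |
            Select-Object Name, AccountName, AccessControlType, AccessRight
    }
}

function Set-ShareAccessModel {
    # Remediation for one share: replace "Everyone Full Control" at both layers with
    # the table above. Share level stays one notch wider (Change) than NTFS (Read & Execute)
    # so NTFS remains the effective control, the usual Windows pattern.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ShareName)
    $share = Get-SmbShare -Name $ShareName
    if (-not $PSCmdlet.ShouldProcess($share.Path, 'rewrite share + NTFS ACLs')) { return }

    # --- Share layer ---
    foreach ($acct in 'Everyone', 'Jeder') {
        Revoke-SmbShareAccess -Name $ShareName -AccountName $acct -Force -ErrorAction SilentlyContinue | Out-Null
    }
    Grant-SmbShareAccess -Name $ShareName -AccountName 'BUILTIN\Administrators'           -AccessRight Full   -Force | Out-Null
    Grant-SmbShareAccess -Name $ShareName -AccountName 'XIO\Domänen-Admins'               -AccessRight Full   -Force | Out-Null
    Grant-SmbShareAccess -Name $ShareName -AccountName 'NT AUTHORITY\Authenticated Users' -AccessRight Change -Force | Out-Null

    # --- NTFS layer ---
    $acl = Get-Acl -Path $share.Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($ace) | Out-Null           # clear explicit ACEs (incl. Everyone)
    }
    $inherit = 'ContainerInherit,ObjectInherit'
    foreach ($pair in @(
        @('BUILTIN\Administrators',           'FullControl'),
        @('XIO\Domänen-Admins',               'FullControl'),
        @('NT AUTHORITY\SYSTEM',              'FullControl'),
        @('NT AUTHORITY\Authenticated Users', 'ReadAndExecute'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($pair[0], $pair[1], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $share.Path -AclObject $acl
}

Find-EveryoneShares                       # list offenders first
# Set-ShareAccessModel -ShareName 'SHARE' -WhatIf
# Set-ShareAccessModel -ShareName 'SHARE'
```

Re-running Find-EveryoneShares after the fix should return nothing for SHARE; keep it in the post-reboot checklist so a future share created with the default "Everyone Read" template gets noticed.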
Plus: Software\old\ (213 MB stale MSIs from 2019-2020), Software\exe\
(5 MB Office 365 installer), Software\log\ (empty) deleted. Old MSIs that
were used by the soon-to-be-deleted Software GP / GP-PC-NB GPOs moved to
Software\archive\2026-04-30-msi\ for rollback safety.
GPO-based MSI software push is functionally deprecated by Microsoft. The
old Workstation Software Install (5 MSIs: outdated 7-Zip, Notepad++ 7.8
from 2019, VLC 3.0.20, Thunderbird 115.9, Chrome) and Laptop Synology Backup Agent GPOs were replaced by winget, which auto-handles install
Implementation:

```
\\vm-dc-01\SHARE\Software\winget\
├── packages-full.json            ← desktops/laptops/terminal
├── packages-servers.json         ← servers (admin tools subset)
├── winget-deploy.ps1             ← parametrised install/upgrade engine
├── winget-bootstrap-full.ps1     ← startup-script: registers WingetDeployFull task
└── winget-bootstrap-servers.ps1  ← startup-script: registers WingetDeployServers task
```
Two new GPOs, each with a Computer Startup Script (PS1 in SYSVOL +
psscripts.ini + gPCMachineExtensionNames registering the Scripts CSE):

| GPO | Linked to | Apply ACL | Packages |
|---|---|---|---|
| Endpoint Software (winget) - Full | OU=Devices | g-pc-workstation, g-pc-laptop, g-pc-terminal | 7-Zip, VLC, Thunderbird de, Chrome, Notepad++, Nextcloud Desktop Client |
| Endpoint Software (winget) - Servers | OU=Servers + OU=Domain Controllers | g-pc-server | Chrome, 7-Zip, Notepad++ (admin tools subset) |

New AD groups:

- g-pc-server — VM-DC-01, VM-DB-02, VM-SW-03, SV-IO-02
- g-pc-terminal — VM-TS-12

Existing groups updated:

- g-pc-workstation — PC-IO-01, PC-IO-02, PC-IO-06, PC-IO-07
- g-pc-laptop — NB-IO-06, NB-IO-07

The bootstrap script registers a scheduled task WingetDeployFull (or
WingetDeployServers) on the client at boot. Task triggers:
Task action: winget install -e --id <pkg> --silent --scope machine for
each package, then winget upgrade --all --silent. Logs to
C:\ProgramData\xio\winget-deploy.log on each client.
Packages are version-pinned-via-latest: every run pulls the current
stable winget manifest. To pin a specific version, edit
packages-*.json and add --version X to the install command.
To add or remove apps cluster-wide: edit the JSON on the share — clients
pick it up at the next 03:00 / 03:30 run, no GPO change needed.
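An install/upgrade engine of the kind described above, as an added example (not the project's winget-deploy.ps1): it reads a package list from the share, runs winget install per package with the flags the page names, then winget upgrade --all, and appends one line per package to the log. The JSON layout ({ "packages": [ { "id": ..., "version": ... } ] }), the SYSTEM-context winget.exe lookup and the helper names are assumptions of this example; the real packages-*.json schema is not shown on the page.

```powershell
# Added example, not the project's winget-deploy.ps1. The JSON layout
# ({ "packages": [ { "id": "...", "version": "..." } ] }) is an assumption of this example.
param(
    [string]$PackageList = '\\vm-dc-01\SHARE\Software\winget\packages-full.json',
    [string]$LogFile     = 'C:\ProgramData\xio\winget-deploy.log'
)

function Write-Log([string]$Message) {
    New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
    Add-Content -Path $LogFile -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message"
}

function Get-WingetPath {
    # The startup task runs as SYSTEM, where winget.exe is not on PATH (it lives in the
    # per-app WindowsApps folder), so resolve the newest App Installer package explicitly.
    $cmd = Get-Command winget.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    $pkg = Get-ChildItem "$env:ProgramFiles\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe" -ErrorAction SilentlyContinue |
           Sort-Object FullName -Descending | Select-Object -First 1
    if (-not $pkg) { throw 'winget.exe not found (App Installer missing?)' }
    $pkg.FullName
}

function Invoke-WingetDeploy {
    param([string]$PackageList, [string]$Winget = (Get-WingetPath))
    $spec   = Get-Content -Raw -Path $PackageList | ConvertFrom-Json
    $common = @('--silent', '--scope', 'machine', '--accept-package-agreements',
                '--accept-source-agreements', '--disable-interactivity')
    $failed = @()
    foreach ($p in $spec.packages) {
        $cli = @('install', '-e', '--id', $p.id) + $common
        if ($p.version) { $cli += @('--version', $p.version) }   # pin only when the JSON says so
        & $Winget @cli 2>&1 | Out-Null
        # winget signals "already installed, no applicable upgrade" with its own exit code
        # (0x8A15002B); that is a success for a deploy run, not a failure.
        switch ($LASTEXITCODE) {
            0           { Write-Log "OK       $($p.id)" }
            -1978335189 { Write-Log "PRESENT  $($p.id) (already installed)" }
            default     { Write-Log "FAIL     $($p.id) exit=$LASTEXITCODE"; $failed += $p.id }
        }
    }
    & $Winget upgrade --all --silent --accept-package-agreements --accept-source-agreements 2>&1 | Out-Null
    Write-Log "upgrade --all exit=$LASTEXITCODE"
    return $failed
}

Write-Log "run start list=$PackageList"
$failedIds = Invoke-WingetDeploy -PackageList $PackageList
Write-Log ("run end failed=" + $(if ($failedIds) { $failedIds -join ',' } else { 'none' }))
```

Because the package list is re-read from the share on every run, adding or removing an app is a JSON edit, as the text says; the FAIL lines in the log are what to grep across clients after the 03:00 / 03:30 window.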
The 5 separate User Drive Map: * GPOs (X/O/F/M/Q) stay separate.
Decision (user, 2026-04-30): finer per-drive control beats the marginal
login-time saving. With Logon Performance GPO already in place
(EnableAsynchronousUGP=1), all 5 GPOs are evaluated in parallel from
the same OU in a single LDAP roundtrip. Real-world impact: ~100-200 ms
extra on first login, ~0 on cached subsequent logins.
Benefits of keeping them separate:
Deferred — needs careful Drives.xml / FolderRedirection.xml work in
SYSVOL, can't be safely automated. Pending:
| Pre | Post |
|---|---|
| 6× Drive * (Family/Media/Scan/CloudUser/SV-IO-03/Archive) | 1 GPO User Drives with Item-Level-Targeting on group membership |
| 3× FolderRedirect (Dokumente Korff, Video Korff, Musik Korff) | 1 GPO Korff Folder Redirection (was archived in F-light, will be re-created from backup with consolidated rules) |
| A.Korff Explizit | absorbed into above |
Created GPO Logon Performance, enforced, linked to BOTH:

- OU=Devices,DC=xio,DC=bio (new structure)
- OU=PC,DC=xio,DC=bio (legacy — so existing PCs benefit immediately)

Registry settings (computer-side):

```
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon
    SyncForegroundPolicy = 0              (disable "always wait for network")
HKLM\Software\Policies\Microsoft\Windows\System
    GpNetworkStartTimeoutPolicyValue = 5  (down from default 30 s)
    EnableAsynchronousUGP = 1             (async user GP)
```
Effect: when AD is unreachable, logon falls back to cached credentials
after 5 seconds instead of 30 seconds. Existing PCs need a gpupdate /force (or reboot) to pick up the change.
LDAP Source ldap-xio-bio in Authentik points at ldap://10.100.0.10:389
(LDAPS 636 reachable but on-prem CA not trusted by Authentik — follow-up
to import the CA chain). Bind: LDAP-Account (DN
CN=LDAP,OU=Service,OU=People,DC=xio,DC=bio), password reset and stored
in .secrets/credentials.env as AD__LDAP_ACCOUNT__PASSWORD,
PasswordNeverExpires=True.

Sync configuration:

- Base DN: DC=xio,DC=bio
- Additional user DN: OU=People
- Additional group DN: OU=Groups
- User object filter: (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=ServiceLDAP))(!(sAMAccountName=LDAP-Account))(!(sAMAccountName=Printer))) — the bitwise-AND rule on userAccountControl bit 2 (ACCOUNTDISABLE) excludes disabled AD accounts, and the three bind/service accounts are excluded by name
- Group object filter: (objectClass=group)
- user_path_template = "users" (so synced users land at users/People/<OU>/<name>, NOT in the default goauthentik.io/sources/... subfolder)
- delete_not_found_objects = True — when a user/group is removed from AD or filtered out, sync auto-removes them from Authentik

Synced state (post-cleanup):
Naming convention (codified in inventory/authentik/standard.md):

- svc-<name> (e.g. svc-portainer, svc-proxmox, svc-wiki)
- xio-<name>-<env> where env ∈ {dev, stage, prod} (e.g. xio-aplysia-dev, xio-aplysia-prod, xio-organization-prod)
- tst-<name> (3-letter prefix for short-lived experiments)
- <app-slug>-<protocol> (e.g. svc-proxmox-oidc, xio-aplysia-dev-oidc)
- grp-<purpose>-<role> (e.g. grp-portainer-admin)
- <type>-<system> (e.g. ldap-xio-bio)

App grouping in Authentik (visible in user-facing app library):

- xio-aplysia-dev, xio-aplysia-prod, xio-organization-prod
- svc-portainer, svc-proxmox, svc-wiki

Removed in cleanup:

- n8n + provider n8n-oidc + service-account ak-n8n-client_credentials + policy binding + empty group grp-pdf-api-admin
- baden-it + provider baden-it-oidc
- AlexanderKorff + LenaKorff (LDAP-synced versions kept), bind accounts ServiceLDAP, LDAP-Account, Printer (filtered from sync)

All deletions dumped to inventory/authentik/deleted/2026-04-30/ for reference.
When app slugs change (proxmox → svc-proxmox, wiki → svc-wiki), the OIDC issuer URLs
on each client app must be updated. The token / client-id stays the same.
| Client | Status | Action |
|---|---|---|
| Proxmox | ✅ done | Realm authentik issuer-url updated to https://auth.blackreset.com/application/o/svc-proxmox/ via Proxmox API |
| Wiki.js | ✅ done | OIDC strategy issuer + logoutURL updated to https://auth.blackreset.com/application/o/svc-wiki/ via GraphQL mutation |
| Portainer | ⏳ user-side | No API token in repo; user must update OIDC settings in Portainer admin UI to issuer https://auth.blackreset.com/application/o/svc-portainer/ |
| xio-aplysia-dev / xio-aplysia-prod | ✅ user-side (2026-04-30) | Updated by user |
| xio-organization-prod | ⏳ user-side | Self-developed; blackreset team to update OIDC client when convenient |
Get-WindowsFeature audit showed 4 abandoned/broken roles. All removed via
Uninstall-WindowsFeature -Remove:

- UpdateServices — broken since 2020-05-08 (WCF endpoint dead, WsusService Stopped+Disabled). DC itself uses Microsoft Update direct. 15.28 GB content at C:\WSUS purged, three SMB shares (WsusContent, UpdateServicesPackages, WSUSTemp) removed, IIS app pool WsusPool removed.

Roles kept: AD-DS, DNS, FileAndStorage-Services, IIS (still needed temporarily for ADFS/ADRMS leftover IIS apps; reassess after reboot finalisation).
Disk reclaim post-reboot: ~16 GB.
Pre-state: Windows Defender Firewall was disabled on all 3 profiles. Active interface profile
is DomainAuthenticated. Inbound was effectively unfiltered.

Changes:

- DefaultInboundAction=Block, DefaultOutboundAction=Allow. Failsafe scheduled task auto-disabled FW after 10 min if SSH broke; cancelled after smoke-test confirmed SSH still alive.
- 10.100.100.0/24,10.100.0.0/24 → 10.0.0.0/8 (covers all internal subnets including Lager 10.10.100.x, Stage 10.130.0.x, etc.)
- Any → 10.0.0.0/8
- LocalSubnet → 10.0.0.0/8
- UserAuthentication=1 (was 0)
- OU=Domain Controllers so the DC also gets SMB-signing required, SMB1 disabled, LM hash off, NTLMv2 only, WDigest off, UAC secure desktop, RDP NLA, anonymous SAM blocked, LLMNR off (was only on OU=Devices)

After 266 days uptime, DC rebooted to:

- UninstallPending features (ADFS, ADRMS-Server, Print-Server, Print-Internet, UpdateServices×3, RSAT-ADRMS, RSAT-Print-Services)

Reboot took ~10–30 min due to update install on shutdown. Post-reboot
disk reclaim: ~16 GB (combined WSUS + ADFS + Print spool drivers).
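The failsafe pattern used for the DC firewall change, as an added example (not the page's own commands): arm a one-shot SYSTEM task that turns the firewall back off after ten minutes, rescope the inbound rules to 10.0.0.0/8, enable the profiles with inbound Block / outbound Allow and RDP NLA, verify from a second host, then disarm. The rule display names in $InternalRules are constructed placeholders, and the function names are this example's.

```powershell
# Added example, not the page's own DC firewall commands. Rule names in
# $InternalRules are placeholders; substitute the real inbound rules to rescope.
$FailsafeTask  = 'FW-Failsafe'
$InternalRules = @('OpenSSH SSH Server (sshd)', 'Remote Desktop - User Mode (TCP-In)')  # assumed names

function Enable-FirewallFailsafe([int]$Minutes = 10) {
    # If the admin session dies (e.g. SSH got blocked), SYSTEM flips the firewall
    # off again after $Minutes so the box is never locked out for longer than that.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -ExecutionPolicy Bypass -Command "Set-NetFirewallProfile -All -Enabled False"'
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
    Register-ScheduledTask -TaskName $FailsafeTask -Action $action -Trigger $trigger `
                           -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force | Out-Null
    Write-Host "failsafe armed: firewall auto-off at $((Get-Date).AddMinutes($Minutes).ToString('HH:mm'))"
}

function Disable-FirewallFailsafe {
    # Only after a NEW session from another host has been opened successfully.
    Unregister-ScheduledTask -TaskName $FailsafeTask -Confirm:$false
    Write-Host 'failsafe disarmed'
}

function Set-InternalRuleScope([string[]]$DisplayNames, [string]$Cidr = '10.0.0.0/8') {
    # Replace Any / LocalSubnet / per-subnet remote scopes with one internal CIDR.
    foreach ($name in $DisplayNames) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) { Write-Warning "rule '$name' not found"; continue }
        $rule | Set-NetFirewallRule -RemoteAddress $Cidr -Enabled True
    }
}

function Enable-DcFirewall {
    Enable-FirewallFailsafe -Minutes 10
    Set-InternalRuleScope -DisplayNames $InternalRules
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
    # RDP NLA on the DC (UserAuthentication=1), as in the change list above.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                     -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'firewall on; open a NEW SSH/RDP session from another host now, then run Disable-FirewallFailsafe'
}

# Enable-DcFirewall
# Disable-FirewallFailsafe     # only after the smoke test succeeds
```

The order matters: the task is registered before any rule changes, so even a mistake in Set-InternalRuleScope that blocks the management path is undone automatically.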
The DC reboot exposed an unwanted cascade: while VM-DC-01 was offline,
Authentik's worker pool exhausted itself on hung LDAP queries, which made
auth.blackreset.com unresponsive — and because Wiki.js validates OIDC
flows through Authentik, wiki.blackreset.com also stopped responding.
Single AD DC + every web app fronting through Authentik = system-wide
outage during DC maintenance.
Mitigation applied to the ldap-xio-bio source:

- password_login_update_internal_password = True — when a user logs in
- sync_users_password = False — bulk-sync does NOT pull every user's

Scripts: inventory/authentik/harden-ldap-source.py (idempotent).
Note that this does NOT cover users who have never logged in via Authentik
yet — their first login still requires LDAP. For full DC-outage tolerance,
add a Home-side secondary DC.
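The sync configuration of the ldap-xio-bio source and the DC-outage hardening above, as one added example (the project's harden-ldap-source.py is Python and is not shown on the page; this is a separate PowerShell version of the same idempotent idea): fetch the live source from the Authentik API, compute which keys differ from the desired state, and PATCH only those, so a re-run is a no-op. It assumes an API token in $env:AUTHENTIK_TOKEN with rights to edit sources, and the field names of Authentik's /api/v3/sources/ldap/{slug}/ endpoint as used below; the helper names are this example's.

```powershell
# Added example, not the project's harden-ldap-source.py. Assumes an API token in
# $env:AUTHENTIK_TOKEN and the field names of /api/v3/sources/ldap/{slug}/ as used here.
$AuthentikUrl = 'https://auth.blackreset.com'
$Slug         = 'ldap-xio-bio'
$Headers      = @{ Authorization = "Bearer $env:AUTHENTIK_TOKEN"; Accept = 'application/json' }

$Desired = [ordered]@{
    base_dn             = 'DC=xio,DC=bio'
    additional_user_dn  = 'OU=People'
    additional_group_dn = 'OU=Groups'
    user_object_filter  = '(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=ServiceLDAP))(!(sAMAccountName=LDAP-Account))(!(sAMAccountName=Printer)))'
    group_object_filter = '(objectClass=group)'
    user_path_template  = 'users'
    delete_not_found_objects                = $true
    # DC-outage mitigation: keep a local password copy only for users who actually
    # log in through Authentik; never bulk-pull password hashes for everyone.
    password_login_update_internal_password = $true
    sync_users_password                     = $false
}

function Get-LdapSource {
    Invoke-RestMethod -Method Get -Uri "$AuthentikUrl/api/v3/sources/ldap/$Slug/" -Headers $Headers
}

function Get-SourceDrift {
    # Returns only the keys whose live value differs from the desired state.
    param($Live, [System.Collections.IDictionary]$Want = $Desired)
    $drift = [ordered]@{}
    foreach ($k in $Want.Keys) {
        if ($Live.$k -ne $Want[$k]) { $drift[$k] = $Want[$k] }
    }
    $drift
}

function Sync-LdapSource {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $live  = Get-LdapSource
    $drift = Get-SourceDrift -Live $live
    if ($drift.Count -eq 0) { Write-Host "$Slug already matches desired state"; return }
    Write-Host "drift on: $($drift.Keys -join ', ')"
    if ($PSCmdlet.ShouldProcess($Slug, 'PATCH LDAP source')) {
        Invoke-RestMethod -Method Patch -Uri "$AuthentikUrl/api/v3/sources/ldap/$Slug/" `
                          -Headers $Headers -ContentType 'application/json' `
                          -Body ($drift | ConvertTo-Json -Compress) | Out-Null
    }
}

Sync-LdapSource -WhatIf   # report drift only
# Sync-LdapSource         # apply
```

Running the -WhatIf form from a scheduled job turns the same script into a drift detector: any non-empty "drift on:" line means someone changed the source in the UI away from the documented configuration.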
claude-Clean-Up token: the API token used for this engagement (claude-Clean-Up, owner akadmin) has expires=2026-04-28 (past) but expiring=False, so it never auto-invalidates. User to rotate via UI when convenient. Out of scope for this session.
Currently NC binds AD via ServiceLDAP (LDAP) + uses F.Korff as a shared
family-share account. Plan: switch NC to Authentik OIDC, use AD-synced
users + g-* groups for permissions, drop the ServiceLDAP bind.
After NC moves to OIDC: delete GS-Nextcloud (no longer needed). 5 of the
6 remaining legacy "core" groups are also candidates for cleanup as their
references are reviewed.
After 7 days of clean operation post-reboot, consolidate the ESXi snapshot
the user took before this work began.
Per phase:

- Restore-ADObject; older via Restore-ADObject from snapshot
- Restore-ADObject -Identity <DN-of-deleted>; identifier visible in Get-ADObject -Filter * -IncludeDeletedObjects -SearchBase 'CN=Deleted Objects,DC=xio,DC=bio'
- Backup-GPO to \\VM-DC-01\C$\GPO-Archive\<date>\ first; restore via Restore-GPO -Path ... -Name ...
- inventory/vm-dc-01/*.ps1 in the project repo
- inventory/vm-dc-01/audit.txt, gpos.txt, roles.txt, service-accounts-precise.txt in the project repo

As part of policies/printer-access, the AD groups GS-Print-Home, GS-Print-Lager and GS-Print-Admin were created. Default members: see memory/policy_admin_groups. WSUS remains broken (separate work item).