Master Class
Active Directory Security
Deep Dive Level 2

Course overview

Over the last few years, requests in our advanced Master Class: Securing Active Directory Deep Dive (SADDD-L1) for even more in-depth topics and approaches have grown louder and louder. Here is our answer:

Three days of the most intensive Active Directory Security topics – look forward to our Deep Dive LEVEL 2!

We promise: Indispensable, highly specialized know-how from our top specialists for you and your daily work.

Please note that prior participation in the Master Class: Securing Active Directory Deep Dive (SADDD-L1) workshop is mandatory.

Target group

This course is aimed at experienced system administrators, consultants and Active Directory designers. After this seminar you will be able to design, implement and consult on Active Directory in a highly secure manner.


  • At least 5 years of experience with Active Directory and client systems
  • Mandatory prerequisite: prior participation in Master Class: Securing Active Directory Deep Dive (SADDD-L1)

Course Objective

In this LEVEL 2 master class course, the topic of Active Directory security is further deepened.

Is your environment critical or are you in the “supply chain”? Do you even have a confidentiality obligation?

No problem: we will show you how you can reliably secure your environment. After more than 100 training courses in this area, this course was created as a worthy successor to the “Master Class Active Directory Security”.

Therefore: Understanding, hardening and monitoring so that you can sleep better.

Course content

  • Repetition of the best practices from the MasterClass Securing Active Directory FastPass
  • LAPS for domain controllers – does NOT work – but it does!
    We will show you how to secure the DSRM password on a rolling basis and in encrypted form, including the password history!
  • DSRM user: From emergency administrator to domain admin:
    What a simple registry hack can trigger and what you should absolutely do about it…
  • Unified Write Filter – a completely unknown solution for Windows 10/11 clients: Kiosk mode for professionals and for Privileged Admin Workstations (PAWs) with “sheriff cards”
  • Multitenant Active Directory – how to hide organizational units (OUs) from administrators who should not see them: Object List
    Nobody dares to do it – we show you how to do it and how the professionals do it!
  • MBAM & BitLocker: BitLocker on Steroids
    Microsoft BitLocker Administration and Monitoring 2.5 – even if extended support ends in 2026 – MBAM is definitely worth a look!
  • Hiding TIER-0 admins via PowerShell
    What I can’t see, I can’t attack…
    How to hide your crown jewels…
  • BloodHound: Hunting for privileges
    Installing and using BloodHound – let’s hunt for privileges!
  • PAM feature with Server 2016: JEA & JIT
    Just enough administration with JustInTime
    With Server 2016 came – undiscovered by most – the PAM feature:
    Privileged Access Management for users: time-to-live for administrators who need to manage tickets
  • When it needs to be less:
    Authentication Silos & Authentication Policies
    Who, how, where and when…
  • Tier models in detail
    Setting up, maintaining and administering tier and ESAE models in practice
  • Windows Defender for Identity
  • Lithnet Active Directory Password Protection
  • DNSSEC – operating DNS in a highly secure manner
    Trust Anchors
    DNS over HTTPS (DoH)
  • SMB encryption AES 256
    SMB highly secure operation
  • UNC Hardening
  • From DNS-Admin to DomainAdmin
    How to go from small to big…
  • LocalAccountTokenFilterPolicy
  • LDAP-S, signing and channel binding
    What it’s all about and why LDAP-S is not LDAP-signing…
  • LDAP-S and SSL V2, V3 and TLS V1 – what is LDAP-S in detail?
  • Notes from the field – our experience from 10 years of hardening Active Directory
    • LAPS
    • Protected Users
    • KRBTGT Reset
    • PingCastle
  • Questions from the participants

Training environment

The training environment runs entirely on Hyper-V. To set it up in advance, we use a PowerShell script that creates new virtual machines in seconds. The script was developed by your trainer himself and allows the training to be set up to the customer's requirements extremely quickly and with little effort.


Each participant is provided with a dedicated server in a data center with a total of 1 Gbit connection to the Internet. Each participant server is equipped as follows:

  • 128 – 256 GB RAM
  • at least 40 vCores
  • 2 NVME SSDs with at least 3,000 MB/s write and at least 2,000 MB/s read speed
  •  Gbit to the Internet total bandwidth

Your trainer

The Master Class was developed by Andy Wendel and is conducted by himself and his experienced team.

Andy Wendel is a Senior Data Center and Cloud Architect and Certified Security Master Specialization Advanced Windows Security. He was and is trained by the internationally renowned security experts Paula Januszkiewicz and Sami Laiho. This certification is renewed every year. Andy Wendel has been working as an IT trainer and consultant since the late 1990s and is also a certified Microsoft Learning Consultant (MCLC). Microsoft has only awarded 56 Certified Learning Consultants worldwide.


Duration: 5 days
