Ansible on Aperture Zone

Backing up GPOs with Ansible and WinRM

Thu, 02 Apr 2026 00:00:00 +0000

Group Policy Objects are at the heart of any robust Active Directory infrastructure. They define security settings, permissions, device configurations, and software restrictions. In the event of a disaster, human error, or simply a need to roll back after a change, not having a backup of your GPOs means facing hours of tedious reconstruction.

The graphical interface of the Group Policy Management Console does offer a backup feature, but it is manual, easy to overlook, and, most importantly, not versioned. The goal of this article is to automate this process cleanly using Ansible via WinRM, on an infrastructure comprising two separate Active Directory domains, with long-term archiving on a NAS and reporting via email.

Active Directory: krbtgt, from theory to practice

Wed, 01 Apr 2026 00:00:00 +0000

In the first part of this article, we laid the groundwork: what the krbtgt account is, why the Golden Ticket is a serious threat, and a theoretical Ansible architecture for automating rotations. If you haven’t read that part, I encourage you to start there.

Now we’re getting down to business. The playbook in Part 1 was intentionally simplified to illustrate the concept. In a real production environment, things get complicated—the interactive script that refuses to be controlled, the XML file that can’t be found, the Kerberos double-hop that blocks everything, the root forest that isn’t what we think it is. These are all obstacles I’ve encountered and resolved, which I’m documenting here.

Active Directory: krbtgt the scary account

Wed, 25 Mar 2026 00:00:00 +0000

There are elements in Active Directory that we completely forget about because they never come up in day-to-day operations. The krbtgt account is one of them. Though invisible in everyday use, it is at the heart of all Kerberos authentication in your domain—and its compromise is one of the most catastrophic scenarios an attacker could trigger.

In this article, we’ll explore what this account really is, why you need to change its password regularly, and how to automate this process cleanly with Ansible.

Automate network device configuration backup with Ansible

Mon, 23 Mar 2026 00:00:00 +0000

Whether in a home lab or a professional infrastructure, network equipment is often overlooked in backup strategies. We think about backing up VMs, data, and servers—but rarely the configurations of switches and Wi-Fi access points. However, in the event of a failure or hardware replacement, not having the configuration on hand can result in hours of work to rebuild the system.

In this article, we’ll set up an Ansible playbook that automatically backs up our network equipment configurations, stores them locally with a 30-day retention period, and sends an HTML report via email after each run.

Automation with Ansible

Tue, 24 Feb 2026 00:00:00 +0000

Package updates, NTP synchronization, and HTML email notifications on Ubuntu 24.04

Manually managing multiple Linux servers quickly becomes tedious and prone to errors: forgotten updates, undetected time zone differences, inconsistent NTP configurations, etc. Ansible solves this problem by allowing you to automate system administration in a reproducible way, without having to install an agent on the target machines.

We will set up an Ansible server on Ubuntu 24.04 LTS, configure a server inventory, and deploy a complete playbook that performs the following in a single execution: