Bart's Weblog

Just a blog…

Group Policy Management MMC problem: ‘Wired Network Policy Management’

Posted by bartvdw on 01/06/2018

After testing membership of the ‘Protected Users’ security group (introduced in Windows Server 2012 R2), I was getting the following error after expanding ‘Computer Configuration\Policies\Windows Settings\Security Settings’:

[Image: mmc error protected user gpo wired config]

Keep this in mind when using this group! Unfortunately I’m unable to find documentation about this effect, or proper logs pointing to this group…

References (‘Protected Users’ security group)

Protected Users Security Group
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

How to Configure Protected Accounts
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

Posted in Active Directory, GPO, Group Policy, Microsoft, Security, Windows, Windows Server 2012 R2, Windows Server 2016 | 1 Comment »

Windows Server 2016 and Windows Defender

Posted by bartvdw on 30/05/2018

Recently I was working on a newly deployed Windows Server 2016 and opened Task Manager for some reason. Windows Defender processes were taking quite some CPU, and upon checking the Settings panel I noticed that all AV scanning features were enabled. The server had third-party AV installed though…

By default Windows Defender is installed on Windows Server 2016, but unlike Windows 10, it doesn’t disable its AV when a third-party AV is detected. Why this is, I have no idea.

In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.

Remove Windows Defender AV using PowerShell:

Uninstall-WindowsFeature -Name Windows-Defender,Windows-Defender-Gui -IncludeManagementTools -Restart:[$false|$True] [-Remove]

* A restart is required after the operation. If you use the -Remove switch, the feature payload will be removed from the system as well.

This removes Windows Defender AV from the system. Another approach would be to control the functionality through GPO.

References

Windows Defender Antivirus on Windows Server 2016
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016

Posted in AV, Microsoft, Security, Windows, Windows Defender, Windows Server 2016 | Leave a Comment »

Windows UAC and (mostly) file servers challenge…

Posted by bartvdw on 27/05/2018

Not only on file servers, but on any server hosting data: when you log in and try to access a folder you can get the following popup, even though you are a member of either the local ‘Administrators’ group or ‘Domain Admins’ (which is nested in the local ‘Administrators’ group by default):

[Image: uac file server prompt]

When you try to view/edit the security:

[Image: uac security]

This is caused by UAC, which is on by default and recommended to keep turned on. You could disable Admin Approval Mode, or disable UAC altogether, but why not make it work as it should without disabling any of the UAC settings?

Create a new AD group, and don’t nest it into ‘Domain Admins’ or the local ‘Administrators’ group of the target server, as you’d be facing the same prompt again.

Add NTFS ACL’s for this group as follows:

[Image: uac ntfs acl]

Afterwards you should be able to access the folder, edit permissions, and so on without the UAC prompt. Alternatively you can always manage the folder remotely using the UNC path, which doesn’t prompt either! So no need to turn off UAC at all 🙂

Posted in Microsoft, UAC, Windows | Leave a Comment »

SearchOCR.admx error after importing Windows 1803 ADMX files

Posted by bartvdw on 27/05/2018

After you import Windows 1803 ADMX files, you’ll get an error about ‘searchocr.admx’:

Resource ‘$(string.Win7Only)’ referenced in attribute displayName could not be found.
File %path_sysvol%\…\Policies\PolicyDefinitions\searchocr.admx, line 12, column 69

It appears that the Windows 1803 ADMX files contain a newer version of the ‘SearchOCR.adml’ file, but not of the ADMX itself, which breaks the functionality. Although editing the ADML file can solve the issue, here are some other options:

  • Copy back the ADML from your backup (you back up your ‘PolicyDefinitions’ prior to updating, right?)
  • Copy the ADML from the Windows 1511 ADMX files
  • Install ‘Windows TIFF IFilter’ (TIFFIFilter) on a Windows 10/Server 2016 machine and fetch the ADMX/ADML from there
  • Remove both the ADMX and ADML at once if you haven’t got GPO’s for Windows TIFF IFilter

According to a post somewhere there are some other ‘orphaned’ ADML files as well; I need to have a closer look at those later.

Microsoft published a KB for this on May 22, 2018.

References

“Resource ‘$(string id=Win7Only)’ referenced in attribute displayName could not be found” error when you open gpedit.msc in Windows
https://support.microsoft.com/en-us/help/4292332/error-when-you-open-gpedit-msc-in-windows

How to fix SearchOCS.ADMX Error after upgrade to Windows 1803 ADMX files
https://www.grouppolicy.biz/2018/05/how-to-fix-searchocs-admx-error-after-upgrade-to-windows-1803-admx-files/

Administrative Templates (.admx) for Windows 10
https://www.microsoft.com/en-us/download/details.aspx?id=48257

Posted in Active Directory, ADMX, GPO, Group Policy, Microsoft, Windows, Windows 10, Windows Server 2016 | Leave a Comment »

DFS and FQDN in referrals

Posted by bartvdw on 18/05/2018

Recently learned something new, at least it was new to me, about DFS and FQDN in referrals.

“The default behavior of DFS is to use NetBIOS names for all network shares that are configured in the DFS Namespace.”

That one I didn’t know… And yes, this has a huge performance impact when working with, for example, Mac OS X clients. After configuring DFS (domain namespace), just displaying the list of folders took far longer than connecting directly to the file server share. After changing the DFS behavior to use FQDNs in referrals, performance improved dramatically.

There are some more Mac OS X-specific configurations to optimize SMB as well; I’m testing those too, but as far as I know today no further changes are needed at the DFS level.

References

Configure DFS-Namepaces to use Fully Qualified Domain Names – (It’s not the default).
https://markparris.co.uk/2010/03/19/configure-dfs-namepaces-to-use-fully-qualified-domain-names-its-not-the-default/

How to configure DFS to use fully qualified domain names in referrals
https://support.microsoft.com/en-sg/help/244380/how-to-configure-dfs-to-use-fully-qualified-domain-names-in-referrals

Posted in DFS, Microsoft | Leave a Comment »

Quick post: Windows 10 1511 will no longer receive security updates

Posted by bartvdw on 11/10/2017

Update 27/11/2017: Microsoft will be providing updates to address critical and important security issues until April 2018 for Windows 10 1511 builds, but only for Enterprise and Educational SKU’s. See: https://blogs.technet.microsoft.com/windowsitpro/2017/11/14/progressing-windows-as-a-service/

Update 01/05/2018: Included build numbers for the 1709 and 1803 releases. Will transform this post to a page shortly. Also updated the Get-ADComputer filtering to filter on Windows 10 (build 14393 would otherwise also return Windows Server 2016) and the -Property parameters to speed up the search. Corrected build number 1703 (typo).

Update 29/12/2018: Microsoft extended support for Enterprise and Education SKU’s couple of months ago; added Lifecycle Fact Sheet to the references. Added 1809 build number.

Well, that was known well in advance, but now it’s really here (10/10/2017): Windows 10 1511 will no longer receive security updates…

MS link: https://support.microsoft.com/en-us/help/4035050/windows-10-version-1511-will-no-longer-receive-security-updates

That means that, if you haven’t done so yet, it’s advised to check your environment. Normally you’ve already invested time to upgrade these builds, but I like to double-check things now and then:

  1. Your deployment solution (if you haven’t got one… ;-))
  2. Active Directory

For the first it’s difficult to cover all possibilities as I mainly work with Symantec Altiris (ITMS), but for AD it’s really straightforward.

PowerShell query for all Windows 10 builds before 1607:

Get-ADComputer -Filter {OperatingSystem -like "Windows 10*" -and OperatingSystemVersion -like "10.0 (10*"} -Properties Name,OperatingSystem,OperatingSystemVersion | FT Name,OperatingSystem,OperatingSystemVersion -Wrap -Auto

Query for Windows 10 build 1511 specifically:

Get-ADComputer -Filter {OperatingSystem -like "Windows 10*" -and OperatingSystemVersion -eq "10.0 (10586)"} -Properties Name,OperatingSystem,OperatingSystemVersion | FT Name,OperatingSystem,OperatingSystemVersion -Wrap -Auto

Build version translations:

  • Initial version = 10240
  • 1511 = 10586
  • 1607 = 14393
  • 1703 = 15063
  • 1709 = 16299
  • 1803 = 17134
  • 1809 = 17763
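As an added example (not the post’s own code), the two queries above combined into one script that translates the OperatingSystemVersion attribute into the release names from the table and flags computers still on 1511. The list of unsupported builds is an assumption maintained by hand; the release table itself is the one above.

```powershell
# Added example, not the post's own code: map the OperatingSystemVersion value
# that Get-ADComputer returns to the release names from the table above and
# flag the builds the post says no longer receive security updates.
$BuildToRelease = @{
    10240 = 'Initial version'
    10586 = '1511'
    14393 = '1607'
    15063 = '1703'
    16299 = '1709'
    17134 = '1803'
    17763 = '1809'
}

# Builds out of support according to the post (1511). Assumption: this list is
# extended by hand as further releases reach end of servicing.
$UnsupportedBuilds = @(10586)

function Get-Win10Release {
    param([string]$OperatingSystemVersion)
    # AD stores the value as "10.0 (10586)"; extract the build number.
    $build   = $null
    $release = 'unknown'
    if ($OperatingSystemVersion -match '^10\.0 \((\d+)\)$') {
        $build = [int]$Matches[1]
        if ($BuildToRelease.ContainsKey($build)) { $release = $BuildToRelease[$build] }
    }
    [pscustomobject]@{
        Build       = $build
        Release     = $release
        Unsupported = ($null -ne $build) -and ($UnsupportedBuilds -contains $build)
    }
}

# One AD query for all Windows 10 computers; filtering on OperatingSystem keeps
# Windows Server 2016 out even though it shares build 14393 with 1607.
Get-ADComputer -Filter {OperatingSystem -like "Windows 10*"} `
    -Properties OperatingSystem,OperatingSystemVersion |
    ForEach-Object {
        $r = Get-Win10Release -OperatingSystemVersion $_.OperatingSystemVersion
        [pscustomobject]@{
            Name        = $_.Name
            OS          = $_.OperatingSystem
            Build       = $r.Build
            Release     = $r.Release
            Unsupported = $r.Unsupported
        }
    } |
    Sort-Object Build |
    Format-Table -AutoSize
```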

References

Inventorying Computers with AD PowerShell – https://blogs.technet.microsoft.com/askds/2010/02/04/inventorying-computers-with-ad-powershell/

Windows 10 and Windows Server update history – https://support.microsoft.com/en-us/help/4043454

Windows lifecycle fact sheet – https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

Posted in Active Directory, PowerShell, Windows 10 | Leave a Comment »

Quick post: GPO WMI filtering and performance

Posted by bartvdw on 22/09/2017

Recently I was triggered by a discussion about WMI filtering on GPO’s and its performance impact. It is clear that the filter(s) need to be processed, and that you shouldn’t use them by default, but killing the logon on a machine? That would mean a “DO NOT USE” scenario… So here is a summary about WMI filtering, but also a quick overview of the different controls you have to filter GPO’s. Extensive reading material is included at the bottom (references).

Quick recap which controls are available:

  • Organizational units (OUs)
    • Group user/computer objects in OUs
    • Link GPOs to OUs
  • Security
    • Change GPO security so that the GPO applies to specific groups
    • Required permissions: read + apply group policy
    • Works not only for users, but also for computer accounts
  • WMI filters
    • Specify a WMI query
    • The GPO is applied only if the query returns true
    • Applies to entire GPOs
  • Item-level targeting (ILT)
    • Specify targeting criteria
    • A setting is applied only if the criteria match
    • Applies to individual settings (in case of registry settings: can also apply to a collection of settings)
    • Available for Group Policy Preferences (GPPs) only, not for Policies

For WMI filtering there are some good tips:

  • Use when required (obviously)
  • Do NOT use Select *, but target your filter
  • Test performance with Measure-Command, and loop 1000x for more accurate results
  • Use SDM / GPOGuy WMIFTest utility to validate your filters against systems

Test method performance (my preferred option):

# Time 100 runs of the query; each Measure-Command result is a TimeSpan
$q = 'Select Version From Win32_OperatingSystem Where Version LIKE "10.0.%"'
$a = for ($i = 1; $i -le 100; $i++) {
    Measure-Command -Expression {
        Get-WmiObject -Query $q
    }
};
# Summarize the collected run times in milliseconds
$a | Measure-Object TotalMilliseconds -Sum -Average -Maximum -Minimum

(Replace the query with your actual filter and test with both the targeted version and Select *)
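As an added example (not the post’s own code), the same timing loop wrapped in a function and run for both the targeted query and its Select * counterpart, so the two results appear in one table. The 100 iterations and the warm-up call are choices made for this example.

```powershell
# Added example, not the post's own code: wrap the timing loop in a function
# and run it for the targeted query and its "Select *" counterpart so the cost
# of the broad query is visible side by side.
function Measure-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [int]$Iterations = 100
    )
    # Same method as the post: time each execution separately and keep the
    # millisecond value of every run.
    $samples = for ($i = 1; $i -le $Iterations; $i++) {
        (Measure-Command -Expression { Get-WmiObject -Query $Query }).TotalMilliseconds
    }
    $stats = $samples | Measure-Object -Sum -Average -Maximum -Minimum
    [pscustomobject]@{
        Query      = $Query
        Iterations = $Iterations
        AverageMs  = [math]::Round($stats.Average, 2)
        MinMs      = [math]::Round($stats.Minimum, 2)
        MaxMs      = [math]::Round($stats.Maximum, 2)
        TotalMs    = [math]::Round($stats.Sum, 0)
    }
}

# The filter from the post in its targeted form, and the same WHERE clause
# with every column selected.
$targeted = 'Select Version From Win32_OperatingSystem Where Version LIKE "10.0.%"'
$broad    = 'Select * From Win32_OperatingSystem Where Version LIKE "10.0.%"'

# One untimed call first so WMI provider start-up does not skew the first sample.
Get-WmiObject -Query $targeted | Out-Null

$results = foreach ($q in $targeted, $broad) {
    Measure-WmiFilterQuery -Query $q -Iterations 100
}
$results | Format-Table Query, AverageMs, MinMs, MaxMs, TotalMs -AutoSize -Wrap
```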

 

I ran the test on some machines using the Version attribute specific to the OS (so 10.% and 6.3%).

[Image: Windows 10 on Surface Pro 4 results]

[Image: Test results on 2012 R2 server, physical]

[Image: Test results on 2012 R2 virtual]

So results vary, but the difference between a targeted filter and Select * is clear. This also lets you show the actual performance hit.

So WMI filtering isn’t all that bad, just use it wisely and when required; see if Item Level Targeting (ILT) is possible for example, or security filtering.

Comments welcome, as always!

References

How Group Policy Impacts Logon Performance #3: WMI Filters & ILT – https://helgeklein.com/blog/2016/01/how-group-policy-impacts-logon-performance-3-wmi-filters-ilt/

WMI filter queries and thoughts on performance – http://evilgpo.blogspot.be/2014/11/wmi-filter-queries-and-thoughts-on.html

Showdown – WMI Filter vs Item Level Targeting – http://evilgpo.blogspot.be/2014/11/showdown-wmi-filter-vs-item-level.html

Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences – https://blogs.technet.microsoft.com/grouppolicy/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences/

Group Policy and Logon Impact – https://blogs.technet.microsoft.com/grouppolicy/2013/05/23/group-policy-and-logon-impact/

WMI Filter Friday – https://blogs.technet.microsoft.com/grouppolicy/2010/03/19/wmi-filter-friday/

Digging Into Group Policy WMI Filters and Managing them through PowerShell – https://sdmsoftware.com/group-policy-blog/gpmc/digging-into-group-policy-wmi-filters-and-managing-them-through-powershell/

Group Policy WMI filters for Windows 7/8/8.1/10 – https://deploywindows.info/2016/11/03/group-policy-wmi-filters-for-windows-788-110/

Using Group Policy WMI filters? Computers booting slow? – https://deploywindows.info/2016/02/15/using-group-policy-wmi-filters-computers-booting-slow/

Creating WMI Filters and GPOs with PowerShell – https://www.darkoperator.com/blog/2012/3/23/creating-wmi-filters-and-gpos-with-powershell.html

Fun with WMI Filters in Group Policy – https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/

GPO Migration with PowerShell – Now including WMI filters – https://blogs.technet.microsoft.com/ashleymcglone/2014/08/11/gpo-migration-with-powershell-now-including-wmi-filters/

WMI Filter Validation Utility

https://sdmsoftware.com/gpoguy/free-tools/library/wmi-filter-validation-utility/

Posted in Active Directory, Group Policy, Windows, Windows Server 2012 | Leave a Comment »

Schemus Active Directory synchronisation tool

Posted by bartvdw on 21/05/2015

Recently I had some questions regarding the Schemus tool, which is used to synchronize Active Directory information to cloud services such as Symantec, Websense, etc., and I wanted to share that specific information.

Before you begin, it’s useful to know the LDAP filter operators:
& = AND
| = OR
! = NOT

If you use it to synchronize email addresses, you have the option to define the OU’s where to look for users if your AD is segmented accordingly, but there can be a problem if both users and mail-enabled users reside in the same OU. To overcome that (as in: let’s exclude mail-enabled users), add this to the search filter: (!(msExchRecipientTypeDetails=128))

Full example: (|(&(objectCategory=person)(objectClass=user)(!(msExchRecipientTypeDetails=128)))(objectCategory=group))

(add objectCategory definitions if required, such as distribution groups, public folders, …)

Another thing that can cause trouble is that by default the tool uses the %mail% variable to look up the primary email address. However, that attribute is not maintained by Exchange; it’s an AD attribute and therefore it can have any value, even empty. That means the person who creates users must fill in that attribute correctly, or you will have issues. To overcome that, change the Primary Mail attribute to the following value: %proxyAddresses{s/(SMTP:|.*:.*)(.*)/$2/}%

By defining ‘SMTP’ (uppercase) we indicate that we want the primary email address; the Mail Aliases line defines the same string, but with ‘smtp’ in lowercase.

For Websense it can be difficult to synchronize users that have no mailbox or email address (e.g. for the web filtering service, for authentication); in that case change the Primary Mail string to %userPrincipalName%, as that should exist and be filled in correctly.
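As an added example (not the post’s or Schemus’ own code), the proxyAddresses substitution from the post applied with PowerShell to a constructed set of addresses so you can see which entry the pattern keeps, followed by the post’s search filter run through Get-ADObject. The sample addresses and the example.com domain are constructed for this example.

```powershell
# Added example, not the post's or Schemus' own code: apply the post's
# proxyAddresses pattern to constructed data, then run the post's LDAP filter.

function Get-PrimarySmtpFromProxyAddresses {
    param([Parameter(Mandatory)][string[]]$ProxyAddresses)
    # Same pattern as %proxyAddresses{s/(SMTP:|.*:.*)(.*)/$2/}%. -creplace is
    # case-sensitive, mirroring the post: only the uppercase SMTP: (primary)
    # entry keeps its address; every other prefix is consumed by the ".*:.*"
    # branch, so $2 is empty and the entry is dropped.
    $ProxyAddresses |
        ForEach-Object { $_ -creplace '(SMTP:|.*:.*)(.*)', '$2' } |
        Where-Object { $_ -ne '' }
}

function Get-SmtpAliasesFromProxyAddresses {
    param([Parameter(Mandatory)][string[]]$ProxyAddresses)
    # The Mail Aliases line uses the same pattern with lowercase smtp:.
    $ProxyAddresses |
        ForEach-Object { $_ -creplace '(smtp:|.*:.*)(.*)', '$2' } |
        Where-Object { $_ -ne '' }
}

# Constructed sample: one primary address, two aliases and a legacy X400 entry.
$sample = @(
    'smtp:j.doe@example.com',
    'SMTP:john.doe@example.com',
    'X400:c=US;a= ;p=Example;o=Exchange;s=Doe;g=John;',
    'smtp:jdoe@example.com'
)
Get-PrimarySmtpFromProxyAddresses -ProxyAddresses $sample
Get-SmtpAliasesFromProxyAddresses -ProxyAddresses $sample

# The search filter from the post, run against AD. Get-ADObject is used rather
# than Get-ADUser because the filter returns both user and group objects; the
# msExchRecipientTypeDetails column shows that value 128 is excluded.
$filter = '(|(&(objectCategory=person)(objectClass=user)(!(msExchRecipientTypeDetails=128)))(objectCategory=group))'
Get-ADObject -LDAPFilter $filter -Properties mail,proxyAddresses,msExchRecipientTypeDetails |
    Select-Object Name, ObjectClass, mail, msExchRecipientTypeDetails |
    Format-Table -AutoSize
```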

msExchRecipientTypeDetails AD values: http://www.msexchange.org/kbase/ExchangeServerTips/MicrosoftOffice365/ExchangeOnline/msexchangerecipienttypedetails-active-directory-values.html

Posted in Active Directory, Schemus, Symantec, Websense | Leave a Comment »

VMware: Current known issues vCenter Server 5.5

Posted by bartvdw on 14/10/2013

These are a few issues I’ve encountered myself with VMware vCenter Server 5.5, and I think they are good to know/remember…

Active Directory authentication fails when vCenter Single Sign-On 5.5 runs on Windows Server 2012 and the AD Domain Controller is also on Windows Server 2012 (2060901)
http://kb.vmware.com/kb/2060901

vCenter Single Sign-On 5.5 Not Recognizing Nested Active Directory Groups
http://blogs.vmware.com/vsphere/2013/09/vcenter-single-sign-on-5-5-not-recognizing-nested-active-directory-groups.html

vCenter Server not listed in the inventory after installing or upgrading to vSphere 5.5 (2059528)
http://kb.vmware.com/kb/2059528

vCenter Server 5.5 displays a yellow warning in the Summary tab of hosts and reports the error: Quick stats on hostname is not up-to-date (2061008)
http://kb.vmware.com/kb/2061008

Posted in vCenter, vCenter 5.5, VMware, vSphere | Leave a Comment »

Symantec: General availability Backup Exec 2012 SP2 & Backup Exec 2010 SP3

Posted by bartvdw on 26/07/2013

Backup Exec 2010 R3 revision 5204 Service Pack 3 Release Notes
http://www.symantec.com/business/support/index?page=content&id=TECH208601

Backup Exec 2010 R3 revision 5204 Service Pack 3
http://www.symantec.com/business/support/index?page=content&id=TECH203157

Backup Exec 2012 revision 1798 Service Pack 2 Release Notes
http://www.symantec.com/business/support/index?page=content&id=TECH208600

Backup Exec 2012 revision 1798 Service Pack 2
http://www.symantec.com/business/support/index?page=content&id=TECH203155

Posted in Backup Exec 2010, Backup Exec 2012, Symantec | Leave a Comment »