Bart's Weblog

Just a blog…

Archive for the ‘Active Directory’ Category

Quick post: Windows 10 1511 will no longer receive security updates

Posted by bartvdw on 1111/1010/2017

Update 27/11/2017: Microsoft will be providing updates to address critical and important security issues until April 2018 for Windows 10 1511 builds, but only for Enterprise and Educational SKU’s. See:


Well that was known well advance, but now it’s really there (10/10/2017): Windows 10 1511 will no longer receive security updates…

MS link:


That means, if you haven’t done so yet, it’s advised to check your environment. Normally you already invested time to upgrade these build versions, but I like to double check things now and then.

  1. Your deployment solution (if you haven’t got one… ;-))
  2. Active Directory


For the first it’s difficult to collect all possibilities as I mainly work with Symantec Altiris (ITMS), but for AD it’s really straight forward.


PowerShell query for all Windows 10 builds before 1607:

Get-ADComputer -Filter {OperatingSystemVersion -like "10.0 (10*"} -Property * | FT Name,OperatingSystem,OperatingSystemVersion -Wrap –Auto


Query for all Windows 10 build 1511 specific:

Get-ADComputer -Filter {OperatingSystemVersion -eq "10.0 (10586)"} -Property * | FT Name,OperatingSystem,OperatingSystemVersion -Wrap –Auto


Build version translations:

  • 1511 = 10586
  • 1607 = 14393
  • 1703 = 1506



Inventorying Computers with AD PowerShell –



Posted in Active Directory, PowerShell, Windows 10 | Leave a Comment »

Quick post: GPO WMI filtering and performance

Posted by bartvdw on 2222/0909/2017

Got triggered recently about WMI filtering on GPO’s and performance impact. It is clear that the filter(s) needs to be processed, and that you shouldn’t use it by default, but killing the logon on a machine? That would mean “DO NOT USE” scenario… So here a summary about WMI filtering, but also a quick overview about the different controls you have to filter GPO’s. Extensive reading material is included at the bottom (references).


Quick recap which controls are available:

  • Organizational units (OUs)
    • Group user/computer objects in OUs
    • Link GPOs to OUs
  • Security
    • Change GPO security so that the GPO applies to specific groups
    • Required permissions: read + apply group policy
    • Works not only for users, but also for computer accounts
  • WMI filters
    • Specify a WMI query
    • The GPO is applied only if the query returns true
    • Applies to entire GPOs
  • Item-level targeting (ILT)
    • Specify targeting criteria
    • A setting is applied only if the criteria match
    • Applies to individual settings (in case of registry settings: can also apply to a collection of settings)
    • Available for Group Policy Preferences (GPPs) only, not for Policies


For WMI filtering there are some good tips:

  • Use when required (obviously)
  • Do NOT use Select *, but target your filter
  • Test performance with Measure-Command, and loop 1000x for more accurate results
  • Use SDM / GPOGuy WMIFTest utility to validate your filters against systems


Test method performance (my preferred option):

$q = ‘Select Version From Win32_OperatingSystem Where Version LIKE “10.0.%”‘

$a = for ($i = 1; $i -le 100; $i++) {

Measure-Command -Expression {

Get-WmiObject -Query $q



$a | Measure-Object TotalMilliseconds -Sum -Average -Maximum –Minimum


(Replace the query with your actual filter and test with targeted and Select *)


I ran the test on some machines using the Version attribute specific for the OS (so 10.%, and 6.3%).


Windows 10 on Surface Pro 4 results:


Test results on 2012 R2 server physical


Test results on 2012 R2 virtual


So results vary, but the difference between targeted filter versus * is clear. This also allows you to show the actual performance hit.


So WMI filtering isn’t all that bad, just use it wisely and when required; see if Item Level Targeting (ILT) is possible for example, or security filtering.


Comments welcome, as always!


How Group Policy Impacts Logon Performance #3: WMI Filters & ILT –

WMI filter queries and thoughts on performance –

Showdown – WMI Filter vs Item Level Targeting –

Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences –

Group Policy and Logon Impact –

WMI Filter Friday –

Digging Into Group Policy WMI Filters and Managing them through PowerShell –

Group Policy WMI filters for Windows 7/8/8.1/10 –

Using Group Policy WMI filters? Computers booting slow? –

Creating WMI Filters and GPOs with PowerShell –

Fun with WMI Filters in Group Policy –

GPO Migration with PowerShell – Now including WMI filters –

WMI Filter Validation Utility

Posted in Active Directory, Group Policy, Windows, Windows Server 2012 | Leave a Comment »

Schemus Active Directory synchronisation tool

Posted by bartvdw on 2121/0505/2015

Recently had some questions in regards to the Schemus tool, which is a tool used to synchronize Active Directory information to cloud services, such as Symantec, Websense, etc. and I wanted to share that specific information.

Before you begin, it’s interesting to know:
& = AND
| = OR
! = NOT

If you use if to synchronize email addresses, you have the option to define the OU’s where to look for users if your AD is segmented accordingly, but the problem can be if both users and mail-enabled user reside in the same OU. To overcome that problem (as in: let’s exclude mail-enabled users), add this to the search filter: (!(msExchRecipientTypeDetails=128))

Full example: (|(&(objectCategory=person)(objectClass=user)(!(msExchRecipientTypeDetails=128)))(objectCategory=group))

(add objectCategory definitions if required, such as distribution groups, public folders, …)

Another thing that can cause troubles is that by default the tool uses %mail% variable to look up the primary email address, however that attribute is not maintained by Exchange, it’s an AD attribute and therefor it can have any value, even empty. That means that if the person who creates users must fill in that attribute correctly or you will have issues. To overcome that, change the Primary Mail attribute to following value: %proxyAddresses{s/(SMTP:|.*:.*)(.*)/$2/}%

By defining ‘SMTP’ (uppercase), we indicate we want the primary email address, the line Mail Aliases defines the same string, but with ‘smtp’ lowercase.

For Websense it can be difficult to synchronize users that have no mailbox or email address (ex. web filtering service, for authentication), in that case change the Primary Mail string to %userPrincipleName% as that should exist and filled in correctly.

msExchRecipientTypeDetails AD values:

Posted in Active Directory, Schemus, Symantec, Websense | Leave a Comment »

Best practices for DNS settings on DC and domain members

Posted by bartvdw on 1717/0707/2013

Very good and to the point summary!

Posted in Active Directory, DNS, Microsoft, Windows | Leave a Comment »

VMware: ESXi Active Directory integration and default AD group

Posted by bartvdw on 0202/0505/2013

Came across this nice to know configuration item when joining ESXi hosts in Active Directory: the default AD group “ESX Admins”. Read the link below for details!

Undocumented parameters for ESXi 5.0 Active Directory integration

Posted in Active Directory, ESX(i), VMware | Leave a Comment »

Complete Step by Step to Remove an Orphaned Domain Controller

Posted by bartvdw on 1919/0303/2013

Great article describing all different steps and scenario’s, a must read!

Complete Step by Step to Remove an Orphaned Domain Controller

Posted in Active Directory, Microsoft, Windows | Leave a Comment »

AD: Migrate FRS to DFSR

Posted by bartvdw on 1919/1111/2012

Short background: FRS is used to replicate SYSVOL between domain controllers since Windows Server 2000. However starting with WS2008 you can migrate to DFSR for this replication, if you meet the requirements ofcourse.

Below some great resources which explain why you want to migrate and how to execute it.

SYSVOL Migration Series: Part 1 – Introduction to the SYSVOL migration process

SYSVOL Migration Series: Part 2 – Dfsrmig.exe: The SYSVOL migration tool

SYSVOL Migration Series: Part 3 – Migrating to the Prepared State

SYSVOL Migration Series: Part 4 – Migrating to the ‘REDIRECTED’ state

SYSVOL Migration Series: Part 5 – Migrating to the ‘ELIMINATED’ state

FRS to DFSR Migration Tool Released

Migrating SYSVOL replication from NTFRS to DFSR using Windows Server 2008 R2

FRS to DFSR migration guide published

Posted in Active Directory, Microsoft, Windows | 1 Comment »

Active Directory Replication Status Tool

Posted by bartvdw on 0202/0808/2012

Posted in Active Directory, Microsoft | Leave a Comment »

Active Directory and the Resilient File System (ReFS)

Posted by bartvdw on 0202/0808/2012

Posted in Active Directory, Microsoft, Windows Server 2012 | Leave a Comment »

Windows Server 2012: Goodbye dcpromo !

Posted by bartvdw on 1313/0606/2012

With the new release Windows Server 2012 the command dcpromo is no more… If you type in the command you will receive a pop-up informing you it has moved to Server Manager.

The link below describes how to promote a Windows Server 2012 to domain controller step-by-step.

As always this also has a new schema version, for the RC version it’s currently 56. My earlier post with the AD schema numbers has also been updated with this information.

Promote Windows Server 2012 to Domain Controller, step-by-step

Active Directory schema version numbers

Posted in Active Directory, Windows, Windows Server 2012 | 1 Comment »