Bart's Weblog

Just a blog…

Archive for the ‘Active Directory’ Category

Group Policy Management MMC problem: ‘Wired Network Policy Management’

Posted by bartvdw on 0101/0606/2018

After testing membership of the ‘Protected Users’ security group (introduced in Windows Server 2012 R2), I was getting following error after expanding ‘Computer Configuration\Policies\Windows Settings\Security Settings’:

mmc error protected user gpo wired config

Keep this in mind when using this group! Unfortunately I’m unable to find documentation about this effect, or have proper logs pointing to this group…

 

References (‘Protected Users’  security group)

Protected Users Security Group
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

How to Configure Protected Accounts
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

 

Advertisements

Posted in Active Directory, GPO, Group Policy, Microsoft, Security, Windows, Windows Server 2012 R2, Windows Server 2016 | Leave a Comment »

SearchOCR.admx error after importing Windows 1803 ADMX files

Posted by bartvdw on 2727/0505/2018

After you import Windows 1803 ADMX files, you’ll get an error about ‘searchocr.admx’:

Resource ‘$(string.Win7Only)’ referenced in attribute displayName could not be found.
File %path_sysvol%\…\Policies\PolicyDefinitions\searchocr.admx, line 12, column 69

It appears that the Windows 1803 ADMX files do contain a newer version of the ‘SearchOCR.adml’ file, but not of the ADMX itself, which breaks the functionality. Although editing the ADML file can solve the issue, here some other options:

  • Copy back the ADML from your backup (you backup your ‘PolicyDefintions’ prior updating, right?)
  • Copy the ADML from Windows 1511 ADMX files
  • Install ‘Windows TIFF IFilter’ (TIFFIFilter) on a Windows10/Server 2016 and fetch the ADMX/ADML from there
  • Remove both the ADMX and ADML at once if you haven’t got GPO’s for Windows TIFF Filter

According to a post somewhere there are some other ‘orphaned’ ADML files as well, need to have a closer look at those later.

Microsoft published a KB for this on May 22, 2018.

References

“Resource ‘$(string id=Win7Only)’ referenced in attribute displayName could not be found” error when you open gpedit.msc in Windows
https://support.microsoft.com/en-us/help/4292332/error-when-you-open-gpedit-msc-in-windows

How to fix SearchOCS.ADMX Error after upgrade to Windows 1803 ADMX files
https://www.grouppolicy.biz/2018/05/how-to-fix-searchocs-admx-error-after-upgrade-to-windows-1803-admx-files/

Administrative Templates (.admx) for Windows 10
https://www.microsoft.com/en-us/download/details.aspx?id=48257

Posted in Active Directory, ADMX, GPO, Group Policy, Microsoft, Windows, Windows 10, Windows Server 2016 | Leave a Comment »

Quick post: Windows 10 1511 will no longer receive security updates

Posted by bartvdw on 1111/1010/2017

Update 27/11/2017: Microsoft will be providing updates to address critical and important security issues until April 2018 for Windows 10 1511 builds, but only for Enterprise and Educational SKU’s. See: https://blogs.technet.microsoft.com/windowsitpro/2017/11/14/progressing-windows-as-a-service/

Update 01/05/2018: Included build numbers for 1709 and 1803 releases. Will transform this post to a page shortly. Also updated the Get-ADComputer filtering to include on Windows 10 (build 14393 will also return Windows Server 2016) and the -Property parameters to speed up the search. Corrected build number 1703 (typo).

 

Well that was known well advance, but now it’s really there (10/10/2017): Windows 10 1511 will no longer receive security updates…

MS link: https://support.microsoft.com/en-us/help/4035050/windows-10-version-1511-will-no-longer-receive-security-updates

 

That means, if you haven’t done so yet, it’s advised to check your environment. Normally you already invested time to upgrade these build versions, but I like to double check things now and then.

  1. Your deployment solution (if you haven’t got one… ;-))
  2. Active Directory

 

For the first it’s difficult to collect all possibilities as I mainly work with Symantec Altiris (ITMS), but for AD it’s really straight forward.

 

PowerShell query for all Windows 10 builds before 1607:

Get-ADComputer -Filter {OperatingSystem -like "Windows 10*" -and OperatingSystemVersion -like "10.0 (10*"} -Property Name,OperatingSystem,OperatingSystemVersion | FT Name,OperatingSystem,OperatingSystemVersion -Wrap –Auto

 

Query for all Windows 10 build 1511 specific:

Get-ADComputer -Filter {OperatingSystem -like "Windows 10*" -and OperatingSystemVersion -eq "10.0 (10586)"} -Property Name,OperatingSystem,OperatingSystemVersion | FT Name,OperatingSystem,OperatingSystemVersion -Wrap –Auto

 

Build version translations:

  • 1511 = 10586
  • 1607 = 14393
  • 1703 = 15063
  • 1709 = 16299
  • 1803 = 17134

 

References

Inventorying Computers with AD PowerShell – https://blogs.technet.microsoft.com/askds/2010/02/04/inventorying-computers-with-ad-powershell/

Windows 10 and Windows Server update history – https://support.microsoft.com/en-us/help/4043454

Posted in Active Directory, PowerShell, Windows 10 | Leave a Comment »

Quick post: GPO WMI filtering and performance

Posted by bartvdw on 2222/0909/2017

Got triggered recently about WMI filtering on GPO’s and performance impact. It is clear that the filter(s) needs to be processed, and that you shouldn’t use it by default, but killing the logon on a machine? That would mean “DO NOT USE” scenario… So here a summary about WMI filtering, but also a quick overview about the different controls you have to filter GPO’s. Extensive reading material is included at the bottom (references).

 

Quick recap which controls are available:

  • Organizational units (OUs)
    • Group user/computer objects in OUs
    • Link GPOs to OUs
  • Security
    • Change GPO security so that the GPO applies to specific groups
    • Required permissions: read + apply group policy
    • Works not only for users, but also for computer accounts
  • WMI filters
    • Specify a WMI query
    • The GPO is applied only if the query returns true
    • Applies to entire GPOs
  • Item-level targeting (ILT)
    • Specify targeting criteria
    • A setting is applied only if the criteria match
    • Applies to individual settings (in case of registry settings: can also apply to a collection of settings)
    • Available for Group Policy Preferences (GPPs) only, not for Policies

 

For WMI filtering there are some good tips:

  • Use when required (obviously)
  • Do NOT use Select *, but target your filter
  • Test performance with Measure-Command, and loop 1000x for more accurate results
  • Use SDM / GPOGuy WMIFTest utility to validate your filters against systems

 

Test method performance (my preferred option):

$q = ‘Select Version From Win32_OperatingSystem Where Version LIKE “10.0.%”‘

$a = for ($i = 1; $i -le 100; $i++) {

Measure-Command -Expression {

Get-WmiObject -Query $q

}

};

$a | Measure-Object TotalMilliseconds -Sum -Average -Maximum –Minimum

 

(Replace the query with your actual filter and test with targeted and Select *)

 

I ran the test on some machines using the Version attribute specific for the OS (so 10.%, and 6.3%).

 

Windows 10 on Surface Pro 4 results:

 

Test results on 2012 R2 server physical

 

Test results on 2012 R2 virtual

 

So results vary, but the difference between targeted filter versus * is clear. This also allows you to show the actual performance hit.

 

So WMI filtering isn’t all that bad, just use it wisely and when required; see if Item Level Targeting (ILT) is possible for example, or security filtering.

 

Comments welcome, as always!

References

How Group Policy Impacts Logon Performance #3: WMI Filters & ILT – https://helgeklein.com/blog/2016/01/how-group-policy-impacts-logon-performance-3-wmi-filters-ilt/

WMI filter queries and thoughts on performance – http://evilgpo.blogspot.be/2014/11/wmi-filter-queries-and-thoughts-on.html

Showdown – WMI Filter vs Item Level Targeting – http://evilgpo.blogspot.be/2014/11/showdown-wmi-filter-vs-item-level.html

Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences – https://blogs.technet.microsoft.com/grouppolicy/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences/

Group Policy and Logon Impact – https://blogs.technet.microsoft.com/grouppolicy/2013/05/23/group-policy-and-logon-impact/

WMI Filter Friday – https://blogs.technet.microsoft.com/grouppolicy/2010/03/19/wmi-filter-friday/

Digging Into Group Policy WMI Filters and Managing them through PowerShell – https://sdmsoftware.com/group-policy-blog/gpmc/digging-into-group-policy-wmi-filters-and-managing-them-through-powershell/

Group Policy WMI filters for Windows 7/8/8.1/10 – https://deploywindows.info/2016/11/03/group-policy-wmi-filters-for-windows-788-110/

Using Group Policy WMI filters? Computers booting slow? – https://deploywindows.info/2016/02/15/using-group-policy-wmi-filters-computers-booting-slow/

Creating WMI Filters and GPOs with PowerShell – https://www.darkoperator.com/blog/2012/3/23/creating-wmi-filters-and-gpos-with-powershell.html

Fun with WMI Filters in Group Policy – https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/

GPO Migration with PowerShell – Now including WMI filters – https://blogs.technet.microsoft.com/ashleymcglone/2014/08/11/gpo-migration-with-powershell-now-including-wmi-filters/

WMI Filter Validation Utility

https://sdmsoftware.com/gpoguy/free-tools/library/wmi-filter-validation-utility/

Posted in Active Directory, Group Policy, Windows, Windows Server 2012 | Leave a Comment »

Schemus Active Directory synchronisation tool

Posted by bartvdw on 2121/0505/2015

Recently had some questions in regards to the Schemus tool, which is a tool used to synchronize Active Directory information to cloud services, such as Symantec, Websense, etc. and I wanted to share that specific information.

Before you begin, it’s interesting to know:
& = AND
| = OR
! = NOT

If you use if to synchronize email addresses, you have the option to define the OU’s where to look for users if your AD is segmented accordingly, but the problem can be if both users and mail-enabled user reside in the same OU. To overcome that problem (as in: let’s exclude mail-enabled users), add this to the search filter: (!(msExchRecipientTypeDetails=128))

Full example: (|(&(objectCategory=person)(objectClass=user)(!(msExchRecipientTypeDetails=128)))(objectCategory=group))

(add objectCategory definitions if required, such as distribution groups, public folders, …)

Another thing that can cause troubles is that by default the tool uses %mail% variable to look up the primary email address, however that attribute is not maintained by Exchange, it’s an AD attribute and therefor it can have any value, even empty. That means that if the person who creates users must fill in that attribute correctly or you will have issues. To overcome that, change the Primary Mail attribute to following value: %proxyAddresses{s/(SMTP:|.*:.*)(.*)/$2/}%

By defining ‘SMTP’ (uppercase), we indicate we want the primary email address, the line Mail Aliases defines the same string, but with ‘smtp’ lowercase.

For Websense it can be difficult to synchronize users that have no mailbox or email address (ex. web filtering service, for authentication), in that case change the Primary Mail string to %userPrincipleName% as that should exist and filled in correctly.

msExchRecipientTypeDetails AD values: http://www.msexchange.org/kbase/ExchangeServerTips/MicrosoftOffice365/ExchangeOnline/msexchangerecipienttypedetails-active-directory-values.html

Posted in Active Directory, Schemus, Symantec, Websense | Leave a Comment »

Best practices for DNS settings on DC and domain members

Posted by bartvdw on 1717/0707/2013

Very good and to the point summary!

http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Posted in Active Directory, DNS, Microsoft, Windows | Leave a Comment »

VMware: ESXi Active Directory integration and default AD group

Posted by bartvdw on 0202/0505/2013

Came across this nice to know configuration item when joining ESXi hosts in Active Directory: the default AD group “ESX Admins”. Read the link below for details!

Undocumented parameters for ESXi 5.0 Active Directory integration
http://www.v-front.de/2012/01/undocumented-parameters-for-esxi-50.html

Posted in Active Directory, ESX(i), VMware | Leave a Comment »

Complete Step by Step to Remove an Orphaned Domain Controller

Posted by bartvdw on 1919/0303/2013

Great article describing all different steps and scenario’s, a must read!

Complete Step by Step to Remove an Orphaned Domain Controller
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

Posted in Active Directory, Microsoft, Windows | Leave a Comment »

AD: Migrate FRS to DFSR

Posted by bartvdw on 1919/1111/2012

Short background: FRS is used to replicate SYSVOL between domain controllers since Windows Server 2000. However starting with WS2008 you can migrate to DFSR for this replication, if you meet the requirements ofcourse.

Below some great resources which explain why you want to migrate and how to execute it.

SYSVOL Migration Series: Part 1 – Introduction to the SYSVOL migration process
http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx

SYSVOL Migration Series: Part 2 – Dfsrmig.exe: The SYSVOL migration tool
http://blogs.technet.com/filecab/archive/2008/02/14/sysvol-migration-series-part-2-dfsrmig-exe-the-sysvol-migration-tool.aspx

SYSVOL Migration Series: Part 3 – Migrating to the Prepared State
http://blogs.technet.com/filecab/archive/2008/03/05/sysvol-migration-series-part-3-migrating-to-the-prepared-state.aspx

SYSVOL Migration Series: Part 4 – Migrating to the ‘REDIRECTED’ state
http://blogs.technet.com/filecab/archive/2008/03/17/sysvol-migration-series-part-4-migrating-to-the-redirected-state.aspx

SYSVOL Migration Series: Part 5 – Migrating to the ‘ELIMINATED’ state
http://blogs.technet.com/filecab/archive/2008/03/19/sysvol-migration-series-part-5-migrating-to-the-eliminated-state.aspx

FRS to DFSR Migration Tool Released
http://blogs.technet.com/b/askds/archive/2010/05/27/frs-to-dfsr-migration-tool-released.aspx

Migrating SYSVOL replication from NTFRS to DFSR using Windows Server 2008 R2
http://www.virtuallyimpossible.co.uk/migrating-sysvol-replication-from-ntfrs-to-dfsr/

FRS to DFSR migration guide published
http://blogs.technet.com/b/askds/archive/2010/04/20/frs-to-dfsr-migration-guide-published.aspx

Posted in Active Directory, Microsoft, Windows | 1 Comment »

Active Directory Replication Status Tool

Posted by bartvdw on 0202/0808/2012

http://jorgequestforknowledge.wordpress.com/2012/07/19/active-directory-replication-status-tool/

Posted in Active Directory, Microsoft | Leave a Comment »