Showing posts with label Group Policy. Show all posts
Showing posts with label Group Policy. Show all posts

Tuesday 4 July 2017

Delete temp files using group policy logon script

Or, Logon script for deleting temp files from windows directory using group policy
Or, Temp file deletion group policy for windows machines

Description: You can create a .bat file using the script given below and can use it in group policy logon script section.

Steps:
Open Notepad > Paste this script (modify the folders path as per your requirements) > save this file as tempdeletion.bat
----------------------------------------------------------------------------------------------------------------------
set folder="%temp%"
cd /d %folder%
for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
set folder="C:\Windows\Temp"
cd /d %folder%
for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
set folder="%localappdata%\Microsoft\Windows\INetCache\IE"
cd /d %folder%
for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
-----------------------------------------------------------------------------------------------------------------------

In my case, I have taken following temp directory path in the above script:
%temp%
C:\Windows\Temp
%localappdata%\Microsoft\Windows\INetCache\IE

Once you have the .bat script ready with you, you can use this script as logon script in any GPO and link with any OU as per your requirements.


Cheers, let me know if you have any query or feedback.

Saturday 8 October 2016

What is Group Policy Loopback Processing in Active Directory?

Or, How to enable Group Policy Loopback Processing for a Group Policy Object?
Or, In what situation, you should think of using Group Policy Loopback Processing?

Descriptions:
Guys, Group Policy Loopback Processing is one of the cool feature of Active Directory Group Policy Management but you must be conscious and understand it very well while playing with this feature. Please note that Group Policy Loopback Processing is only supported in Active Directory Environment. There may be some case where you may need to apply a User Based Policy on Computers OU or a Computer based policy on Users OU.

In this kind of scenario, you can use Group Policy Loopback Processing to achieve your goals.

How to enable Group Policy Loopback Processing for a GPO?

Steps: Open Group Policy Management Console (gpmc.msc) > Locate the GPO on which you want to enable “Group Policy Loopback Processing” > Right Click on the GPO and Select Edit > Navigate to Computer Configuration\Policies\Administrative Templates\System\Group Policy > Select Configure User Group Policy Loopback Processing Mode and Open it.










Select Enable > Now Choose the options as per your requirement “Merge” or “Replace” > Click OK.

















Note: if you are not sure choosing replace mode, you may go ahead with Merge option. Make sure you understand the risk before applying these settings to any production GPO.

Understanding Merge and Replace Modes in Group Policy Loopback Processing.

Merge Mode
In this mode, when the user logon process initiated, the user's list of GPO is gathered by using the function GetGPOList. The GetGPOList function is then processed by using the computer's location based OUs in AD.

Replace Mode
In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

There are some good stuffs related to this concept written well on MS TechNet. You may refer the below TechNet article for more.

Wednesday 21 September 2016

Applying Group policy specifically on selected security groups of users or computers in Active Directory.

Or, How to apply a group policy on a Security Group in AD?
Or, What is group policy security filtering in Active Directory? 

Descriptions:
In real world, this is very genuine requirement when someone in your company can ask you to apply a Desktop Wallpaper or some other controls on some specific users or computers. You know it well that you can apply group policy on Users or Computers based on OU in which they are. Means, your group policy became very specific to OU or OU oriented.

You can’t move any user or computer to any other OU as their existing Group Policies may go away or will be messed and may cause lots of issues.

But there is some way to achieve the above stated requirement:
1. Group Policy Security Filtering
2. Group Policy Loopback Processing

There are some technical concepts and understandings that you should understand well before playing with these features else you may make blunders instead of doing things right.
Here in this article, I will explain about first option “Group Policy Security Filtering”. We will discuss about GPO Loopback processing in next article.

Additionally, I will suggest not to go with Group Policy Loopback Processing option if your requirement is being achieved by using Group Policy Security Filtering.

What is Group Policy Security Filter?
Group Policy Security Filter allows you to apply a group policy on a specific user, computer or security group. E.g. If in case you have applied a Group Policy on a OU which is having 10 users and you have added only two users in security filter of the applied GPO, the settings defined under specified GPO will be applied on only those two users which are added there in security filter option.

Steps: How to apply group policy on a Security Group in AD or on a specific user?

Select your group policy > Go to Scope option > Under Security Filtering, click on Add button > Select your Security Group and add here.



















Now, go to Delegation tab > make sure the security group you added in above step is appearing here > Now Click on Advanced





















Set the Authenticated Users Permission Level for the specified Group Policy as shown in below screenshot. Authenticated Users should be having Read only rights and must not be allowed to Apply group policy.

Select Authenticated Users > Enable Check Mark on Read > Uncheck the option Apply Group Policy > Click OK to save the changes




















Set the Security Group Permission Level for the specified Group Policy as shown in below screenshot. Your Security Group should be having Read and must be allowed to Apply group policy.

Select Your Security Group > Enable Check Mark on Read > Enable check mark on Apply Group Policy > Click OK to save the changes.



















That’s all my friends. Now you can check your client machines if they are having applicable GPOs applied on them. Run gpupdate /force on Server and Client both to get the result quickly or try logging off. 

Monday 18 July 2016

Why should you audit Group Policy and how do you go about it?

Group Policy gives network administrators the ability to define user, security, and organization-wide policies in bulk throughout the network. However, any minor changes to these policies can have massive implications to the user and to network. Continuous auditing and monitoring of Group Policy ensures that you are constantly aware whenever someone attempts to alter Group Policy or misuse Domain Controllers, member servers or Active Directory computers. In this article we will explain how you can use native tools to perform a basic GPO audit.

Group Policy change auditing using native features:

Change auditing Group Policy using native features can be broken down into three steps:
NOTE: Native auditing is very basic in nature – it may change events and will therefore not be very useful when trying to perform forensic analysis of change events.

Enabling DS Access auditing:
DS Access is enabled by editing the Default Domain Controller Policy using the Group Policy Management Editor. Auditing is enabled for Success and Failure events for the two subcategories— Audit Directory Service Access and Audit Directory Service Changesof the DS Access audit policy.





















Note: To do this, right-click Default Domain Controller Policy and click Edit; when the Group Policy Management Editor appears, expand to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, and select DS Access. Double-click Audit Directory Service Access / Audit Directory Service Access, check the checkbox Configure the following audit events and select Success and Failure. Click Apply; click OK.

Configuring SACL entries for Group Policy Container objects:
SACL entries for the Group Policy Container objects are configured using the ADSI Edit as follows
1. In ADSI Edit, connect to Default naming context and navigate to DC=domain name, and CN=System.
2.  Right-click CN=Policies, and select Properties.
3. Under the Security tab, click Advanced.
4. Under the Auditing tab, click Add.
5. Now, Add Everyone in the Name field, select This object and all descendant objects in the Applies onto box, and check the checkboxes under Successful for the Create groupPolicyContainer objects and Delete groupPolicyContainer objects
Finally, click OK, and close all the open dialogue boxes.

















In the same way, create another auditing entry. This time, select Everyone in the Name field, select Descendant groupPolicyContainer objects in the Applies onto field, and select the check boxes under Successful for Write all properties, Delete, and Modify permissions.

























Viewing Group Policy change events in Windows Security logs:
After enabling auditing, Group Policy change events are recorded in the Windows Security logs. To view them, search for the relevant IDs using the Event Viewer. Some relevant event IDs are:

5136
A directory service object was modified
5137
A directory service object was created
5138
A directory service object was undeleted
5139
A directory service object was moved
5141
A directory service object was deleted


Article Summary

Group Policy settings play a vital role in determining what domain users can and cannot do in the Active Directory environment. Because of this, administrators must be vigilant when it comes to monitoring changes and modifications to it.
Trying to use native auditing tools to perform regular, detailed audits of Group Policies can be a difficult and lengthy process. Even if you devote the time to it, often the best configurations fail to capture all of the changes that occur. 
This leaves you with two alternatives; using Microsoft’s Advanced Group Policy Management (AGPM) or deploying a specialized Active Directory auditing solution like LepideAuditor Suite, This is one such solution that provides a scalable means to instantly see who, what, where and when changes are made to the Active Directory. It sends real time alerts and provides detailed reports to help with all manner of security, system management and security challenges that your organization may face (without breaking the bank). 

Saturday 25 June 2016

Trusted Zone List Group Policy Update Failed With Error.

Or, Group Policy Update Error “Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the “More information” link” while updating Group Policy after applying “Internet Explorer Zonemapping settings.” Through GPO.


Error Details:
----------------------------------------------------------------------------------------------------------------------------------------------------------
C:\Users\test12>gpupdate
Updating policy…
Computer Policy update has completed successfully.
User Policy update has completed successfully.
The following warnings were encountered during user policy processing:
Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the “More information” link.
For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
C:\Users\test12>
---------------------------------------------------------------------------------------------------------------------------------------------------------

Error Screenshot:











The Solution worked for me:
After trying lots of KBs here and there I noticed, I am not configuring the URLs listing properly. I was giving the URLs name correctly but was not filling the sequence numbers for all the URLs I was entering. So the trick worked for me is, I just given the sequence numbers in Value filed of the Site to Zone Assignment List and that worked for me like a charm…

Below is the screenshot of correctly deploying the Site to Zone Assignment List URLs list. In my case, I have used *.thedomainname.com etc… you can use URLs like http://thedomainname.com as well…that’s your choice…























Cheers.. Please write me back if you have any query or feedback..

Wednesday 15 June 2016

How to enable Active Directory Recycle Bin?

Or, Enabling Recycle Bin in Active Directory Windows Server 2012 R2.
Or, Easiest way to recover accidentally deleted items in Active Directory.

Guys, all we know that Microsoft has introduced a loving feature of active directory which is known as “Active Directory Recycle Bin”.  By using this feature, you can recover accidentally deleted items like Users, OU, and Computers from AD within few seconds. Afraid of imagining the recovery process of these objects now using traditional method of System State Backup and recovery.

Here are Steps to enable Active Directory Recycle Bin:

Open Server Manager > Go to Tools > Click on Active Directory Administrative Center









Select your domain > In the Right side task area, Click on Enable Recycle Bin


How to check all configured settings in Group Policy Object (Active Directory)?

Or, How to see all defined settings in a Group Policy Object (Active Directory)?

Steps:
Open Group Policy Management Console > Go to Group Policy Objects > Select any of the Group Policy Object (in my case, it’s “Logon Message Policy” > Go to Settings tab > Click on “Show All”.


Now, you will be able see all defined policies of that particular Group Policy Object. Please refer the below screenshot for GUI view of the above explained settings:

Saturday 11 June 2016

Group policy to deploy screensaver on domain computers.

Or, How to create screensaver Group Policy in Windows server 2012 R2?

Steps:
Login to your Domain Comtroller Server > Open Group Policy Management Console > Create a New Group Poliy Object > Go to User Configurations > Policies> Administrative Templates > Personalization

Enable the policy options as shown in below screenshots, you can choose more policy options as per your individual need.











In my case Screensaver time out value is 300 seconds (5 minutes)























Here you need to give complete shared path of the .scr file you have created.























Run gpupdate /force  on Server and Client both to update the policy immediately.

Good Luck, please write me back for any query of feedback…




How to create a common folder all users across domain using Group Policy?

Or, Create a folder in all user’s profile using Group Policy.

Steps:
Login to your Domain Controller Server > Open Group Policy Management Console > Create a New Group Policy Object > Go to User Configurations > Preferences > Windows Settings > Folders> Right Click and Select New Folder > Select the action Create in this case or any action you want (Update/Delete etc..) > Select path where you want this folder to be created > Run gpupdate /force to update the policy forcefully.

Example: if the path is C:\users\testfolder , a Folder with the name “testfolder” will be created under every user’s computers path C:\Users.


You may refer the below screenshot for your reference:

















How to Copy files across all domain computers using Group Policy?

Or, Group Policy to delete or copy files across all domain computers.

Note: If you want to copy all files from a specific source, use *.* at end the files path. e.g. \\SharedFolder\*.*

Steps:
Login to your Domain Controller Server > Open Group Policy Management Console > Create a New Group Policy Object > Go to User Configurations > Preferences > Windows Settings > Files > Right Click and Select New File > Select the action you want (Update/Create/Delete etc..) > Select Source and Destinations > Run gpupdate /force to update the policy forcefully.

You may refer the below screenshot for your reference:












Cheers, please write me back if you have any query or feedback on this article…

Tuesday 23 February 2016

What is Group Policy in AD?

Or, What is use of Group Policy in Active Directory?

Group Policy is a GUI interface from where you can change registry values of one/multiple machines from a central management console.

It is used to push user or computer defined policy in domain environment whether it is restrictions, privilege or deployments.