What is Group Policy Loopback Processing in Active Directory?

Or, How to enable Group Policy Loopback Processing for a Group Policy Object?

Or, In what situation, you should think of using Group Policy Loopback Processing?

Descriptions:

Guys, Group Policy Loopback Processing is one of the cool feature of Active Directory Group Policy Management but you must be conscious and understand it very well while playing with this feature. Please note that Group Policy Loopback Processing is only supported in Active Directory Environment. There may be some case where you may need to apply a User Based Policy on Computers OU or a Computer based policy on Users OU.

In this kind of scenario, you can use Group Policy Loopback Processing to achieve your goals.

How to enable Group Policy Loopback Processing for a GPO?

Steps: Open Group Policy Management Console (gpmc.msc) > Locate the GPO on which you want to enable “Group Policy Loopback Processing” > Right Click on the GPO and Select Edit > Navigate to Computer Configuration\Policies\Administrative Templates\System\Group Policy > Select Configure User Group Policy Loopback Processing Mode and Open it.

Select Enable > Now Choose the options as per your requirement “Merge” or “Replace” > Click OK.

Note: if you are not sure choosing replace mode, you may go ahead with Merge option. Make sure you understand the risk before applying these settings to any production GPO.

Understanding Merge and Replace Modes in Group Policy Loopback Processing.

Merge Mode
In this mode, when the user logon process initiated, the user's list of GPO is gathered by using the function GetGPOList. The GetGPOList function is then processed by using the computer's location based OUs in AD.

Replace Mode
In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

There are some good stuffs related to this concept written well on MS TechNet. You may refer the below TechNet article for more.

https://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx

Applying Group policy specifically on selected security groups of users or computers in Active Directory.

Or, How to apply a group policy on a Security Group in AD?

Or, What is group policy security filtering in Active Directory? 

Descriptions:

In real world, this is very genuine requirement when someone in your company can ask you to apply a Desktop Wallpaper or some other controls on some specific users or computers. You know it well that you can apply group policy on Users or Computers based on OU in which they are. Means, your group policy became very specific to OU or OU oriented.

You can’t move any user or computer to any other OU as their existing Group Policies may go away or will be messed and may cause lots of issues.

But there is some way to achieve the above stated requirement:

1. Group Policy Security Filtering

2. Group Policy Loopback Processing

There are some technical concepts and understandings that you should understand well before playing with these features else you may make blunders instead of doing things right.

Here in this article, I will explain about first option “Group Policy Security Filtering”. We will discuss about GPO Loopback processing in next article.

Additionally, I will suggest not to go with Group Policy Loopback Processing option if your requirement is being achieved by using Group Policy Security Filtering.

What is Group Policy Security Filter?

Group Policy Security Filter allows you to apply a group policy on a specific user, computer or security group. E.g. If in case you have applied a Group Policy on a OU which is having 10 users and you have added only two users in security filter of the applied GPO, the settings defined under specified GPO will be applied on only those two users which are added there in security filter option.

Steps: How to apply group policy on a Security Group in AD or on a specific user?

Select your group policy > Go to Scope option > Under Security Filtering, click on Add button > Select your Security Group and add here.

Now, go to Delegation tab > make sure the security group you added in above step is appearing here > Now Click on Advanced

Set the Authenticated Users Permission Level for the specified Group Policy as shown in below screenshot. Authenticated Users should be having Read only rights and must not be allowed to Apply group policy.

Select Authenticated Users > Enable Check Mark on Read > Uncheck the option Apply Group Policy > Click OK to save the changes

Set the Security Group Permission Level for the specified Group Policy as shown in below screenshot. Your Security Group should be having Read and must be allowed to Apply group policy.

Select Your Security Group > Enable Check Mark on Read > Enable check mark on Apply Group Policy > Click OK to save the changes.

That’s all my friends. Now you can check your client machines if they are having applicable GPOs applied on them. Run gpupdate /force on Server and Client both to get the result quickly or try logging off. 

How to add a custom field or attribute in user’s mailbox in Office365 server?

Or, Adding additional custom fields in email mailbox’s properties hosted on Office365 server.

Or, Office365 mailbox additional custom field in mailbox properties.

Or, Exporting custom attribute of all User mailboxes in Office365.

Or, Export all user’s mailbox list of Office365 server with custom attributes.

Descriptions: 

If you are an Office365 online exchange server administrator, you may have faced this query or may face in future. This situation typically arises when you have your AD domain completely separate and your email Office365 server domain is not integrated with your AD domain.

For example: Your AD domain may be yourcompanydomain.net and your Email domain of Office365 server is yourcompanydomain.com.

Scenario:

Your management team wants you to put Employee ID of every user for reference purpose as a unique identifier of AD accounts as well as for email accounts so that it can be easily tracked which user ID or email ID belongs to which users when performing reconciliation of AD or Email accounts to get them in sync (Ideally you should be having equal number of AD and Email accounts always except Service accounts and DLs).

There may be situation where you may have multiple users with same Display Name (login ID can be different), in this case it will be tough for you to identify who is the actual user you are targeting for any specific purpose. Now if you have had the employee ID written for all users somewhere in AD account’s and email account’s properties, it could have been easy to identify the actual users and map them accordingly.

Options available in AD and Office365(may be considered if suited best for your need):

AD (Active Directory): You have Description field where you can specify the Employee ID if all other relevant AD fields you are already using for some purpose.

Now when you want to export the AD users accounts with description fields and other required fields, you can read my another article “Exporting AD Users”.

Office365: You can go to mailbox properties and specify the custom attribute and values with Employee ID.

Now to export the all Email mailboxes with defined custom attributes in mailbox’s properties, you may use/run below command on Office365 PowerShell:

--------------------------------------------------------------------------------------------------------------------------

Get-Mailbox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Select RecipientTypeDetails,Name,Alias,CustomAttribute1 | Export-Csv -Path D:\CAT.csv

--------------------------------------------------------------------------------------------------------------------------

To know how to connect to Office365 PowerShell, please see my another article:

How to connect Office365 PowerShell?

You can refer below screenshot for more details in graphical view.

Now you have the CAT.CSV report with all mailboxes and custom attributes in your D:\ drive. Yes, off-course the Custom attributes will be having the employee IDs that you had already entered there in the user’s mailbox properties.

Cheers, Please write me back if you have any query or feedback..

How to export active directory users list without any additional tool, powershell or script?

Or, The easiest and the coolest way of exporting All AD users list to csv file.

Or, Getting list of all AD users using active directory GUI interface and exporting them to csv/txt file.

Or, How to export AD users list to a txt or csv file?

Descriptions:

I don’t know why Microsoft does not highlight these kind of features well to the techies across the world. Trust me, it has been too late if you really don’t know “you can export AD users, Computers, Groups, Disabled AD Users etc.. without any additional tool”. Yes, I am right, without any additional tool you can have such reports exported to a CSV or TXT file using Active Directory Query feature.

I am not surprised, if you are thinking where the hell this “Active Directory Query” features is and how to use this? Same thing runs in to my mind when I come to know about this feature for the first time. :)

Guys, have you noticed “Saved Query”, a small folder under “Active Directory Users and Computers”  tree when you open “Active Directory Users and Computers” management console either by opening it directly from Server Manager or by using “dsa.msc” from your local computer?

No??? Okay, No problem at all. Let me explain little bit about this.

What is this “saved query” folder for under “Active Directory Users and Computers” management console?

This folder is the one which contains the saved queries when you use any active directory based query to get Active Directory objects reports using GUI feature of Active Directory Query tool. From here, you can generate many kind of reports, let me say it most of the available reports in AD.

How to use this?

There is no scripting, programming or Powershell expertise required for performing this task. If you have basic idea about AD objects, you can perform these steps easily.

Warning:  If you are not sure about any feature or query you are selecting/executing, better you consult your seniors before going ahead. Proceed with further steps only if you understand the steps to avoid any accidents else ignore this.

Steps:

Open Active Directory Users and Computers Console > Right Click on “Saved Query” Folder

Click on New > Query

Give any friendly name > Make sure your domain in selected under Query root section > Make sure “Include subcontainers” is checked > Click on “Define Query”.

From the Find drop down menu, Select “Custom Search”

Click on “Field”

Choose the field you wish (in my case, Let’s take “User” field) > Choose “Display Name” in the sub-fields window

Make sure the first blank box is containing the field you selected (in our case, its Display Name) > in the value field, please put a single star (*) > Click on OK

You should be able to see the Query String section like as highlighted in below screenshot > Click OK

Wow...!!! here you have the list of all AD users of your domain.

To export them to a txt or csv file, right click on your query that you created (in my case its AllUsersMyDomain) > Click on Export List

Browse the computer location where you wish to save this file > Select the desired file format > Click on Save.

That’s it Guys… want to explore more on this query tool? Just follow the same steps and select any other custom field.

Cheers, please write me back if you have any query or feedback about this article. 

How to check ruining LDAP session on Active Directory server?

Or, Get LDAP session list and counts in Active Directory Server.

See also: What is LDAP Session in Active Directory?

Descriptions:

To get the list the list of running LDAP sessions on an Active Directory Server, please follow below steps:

Steps: Open CMD (run as administrator) > Type net session > Hit Enter

Now you will be able to all active sessions as highlighted in below screenshot:

You can use “Net” command for multiple purposes. For more please see the below screenshot:

What is LDAP Session in Active Directory?

Or, LDAP client sessions limit reached, OPManager DC monitoring alert.

Or, What should be the threshold or session limit for LDAP sessions occurs in Active Directory?

Descriptions:

This is a very commonly known and a useful NTDS object counter for Monitoring Active Directory running sessions, which Indicates the total number connected LDAP session by various LDAP clients.

The good way to avoid/ignore this kind of alert, is to configure your monitoring tool to not send any email alert even if the session counters reached to 500-600 or the number of clients that you may have.

YOU NOT NEED TO WORRY: As such there is no specific limit in number for LDAP client’s sessions. The only thing you should care about this is, when the number of clients increased, the number of session will be increased and when the number of session increases, the load on the server increases accordingly.

So, by monitoring these session values, you can actually identify when your almost clients are connected to active directory to have some idea about peak hrs utilization, server resources utilization reasons, CPU/Memory spike for some time duration etc.

Hope it helps, cheers...

See Also: How to check ruining LDAP session on Active Directory server?

Why should you audit Group Policy and how do you go about it?

Group Policy gives network administrators the ability to define user, security, and organization-wide policies in bulk throughout the network. However, any minor changes to these policies can have massive implications to the user and to network. Continuous auditing and monitoring of Group Policy ensures that you are constantly aware whenever someone attempts to alter Group Policy or misuse Domain Controllers, member servers or Active Directory computers. In this article we will explain how you can use native tools to perform a basic GPO audit.

Group Policy change auditing using native features:

Change auditing Group Policy using native features can be broken down into three steps:

NOTE: Native auditing is very basic in nature – it may change events and will therefore not be very useful when trying to perform forensic analysis of change events.

Enabling DS Access auditing:

DS Access is enabled by editing the Default Domain Controller Policy using the Group Policy Management Editor. Auditing is enabled for Success and Failure events for the two subcategories— Audit Directory Service Access and Audit Directory Service Changes—of the DS Access audit policy.

Note: To do this, right-click Default Domain Controller Policy and click Edit; when the Group Policy Management Editor appears, expand to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, and select DS Access. Double-click Audit Directory Service Access / Audit Directory Service Access, check the checkbox Configure the following audit events and select Success and Failure. Click Apply; click OK.

Configuring SACL entries for Group Policy Container objects:

SACL entries for the Group Policy Container objects are configured using the ADSI Edit as follows

1. In ADSI Edit, connect to Default naming context and navigate to DC=domain name, and CN=System.

2.  Right-click CN=Policies, and select Properties.

3. Under the Security tab, click Advanced.

4. Under the Auditing tab, click Add.

5. Now, Add Everyone in the Name field, select This object and all descendant objects in the Applies onto box, and check the checkboxes under Successful for the Create groupPolicyContainer objects and Delete groupPolicyContainer objects. 
Finally, click OK, and close all the open dialogue boxes.

In the same way, create another auditing entry. This time, select Everyone in the Name field, select Descendant groupPolicyContainer objects in the Applies onto field, and select the check boxes under Successful for Write all properties, Delete, and Modify permissions.

Viewing Group Policy change events in Windows Security logs:

After enabling auditing, Group Policy change events are recorded in the Windows Security logs. To view them, search for the relevant IDs using the Event Viewer. Some relevant event IDs are:

5136	A directory service object was modified
5137	A directory service object was created
5138	A directory service object was undeleted
5139	A directory service object was moved
5141	A directory service object was deleted

Article Summary

Group Policy settings play a vital role in determining what domain users can and cannot do in the Active Directory environment. Because of this, administrators must be vigilant when it comes to monitoring changes and modifications to it.

Trying to use native auditing tools to perform regular, detailed audits of Group Policies can be a difficult and lengthy process. Even if you devote the time to it, often the best configurations fail to capture all of the changes that occur. 

This leaves you with two alternatives; using Microsoft’s Advanced Group Policy Management (AGPM) or deploying a specialized Active Directory auditing solution like LepideAuditor Suite, This is one such solution that provides a scalable means to instantly see who, what, where and when changes are made to the Active Directory. It sends real time alerts and provides detailed reports to help with all manner of security, system management and security challenges that your organization may face (without breaking the bank). 

Error While Joining Windows server to Domain

Or, Unable to connect an Active Directory Domain Controller while domain joining.

Many of us we face this kind of error’s in our day to day IT Operation Services. There are many reasons for this error like, network Connectivity, Wrong VLAN, Wrong Domain Name, Domain is Down etc. So Today I will take you to one of the reason of this error.

Below is Error Screenshot:

Reason/Solution: I have investigated and Found one reason, I am able to ping IP address but when I am trying to ping with Domain name” Request Timed Out” error coming and host IP address is configured manually. So I checked and Found IP address details for DNS Server is not mentioned.

So Now I have given DNS Server IP Address.

So Domain name is now reachable I can Join that server in domain now. Only Domain Admin user id and password required to join into “Techiessphere.com” Domain.

How to install Active Directory in Windows 2012 Server?

Or, How to commission Domain Controller in Windows server 2012?

Or, How to install Domain Controller Services in Windows server 2012?

Or, Step by step installation instruction of Active Directory in Windows Server 2012.

Descriptions:

In Previous version of windows server’s “dcpromo” command was being used to install Active Directory Services. Now Microsoft has done some changes in Active Directory Services installation process, this service can be installed from Roles and Features tab of Server Manager console.

See Also: How to enable active directory recycle bin?

Steps (Active Directory Installation and Configurations):

1. Open Server manager and go to “Manage” and click on “Add roles n Features” or Go to Quick start and click on “Add roles n Features”.

2. Click on “Next”,

Note – Check Destination Server Hostname (It should be same hostname always where you want install Domain Controller).

3. Select “Role-based or feature-based Installation” and Click “Next”

4. Select the server hostname and click on “Next”

5. Select Active Directory Domain Services and Click on Next.

6. Now wizard will ask to add recommended Feature for Active Directory Domain Services. So Click on “Add Feature “, After Click on “Next”.

7. Click on “Next”

8. Click on “Next”

9. We can do manual reboot also its not mandatory So leave reboot option and Click on “Install”.

10. Installation progress windows, It will take few minutes to complete the installation.

11. Click on “close”, Once setup is completed.

12. Now go to server manager and click on yellow flag for configuration on Domain Controller.

13. Click on Promote server as a domain controller

14. If you have existing domain available, then Select “Add a domain Controller to an Existing Domain” and select the “available domain” and then click on “Install” tab.

15. Or if you are installing first domain or New Forest click on “add a New forest”. And give your domain name. then click on “Next”

Note -  Install Tab will not be highlighted yet.

16. Select forest n Domain Functional Levels. Give DSRM Password. (Will help in AD restoration).

17. Click on “Next”

18. Verify NetBIOS name and Click on “Next”

19. Database Store path will be directed to default path, If you wish to save on another location, you can browse the path and save it.

20. Review your configuration for Domain Controller Configuration Very Carefully.

21. All perquisite should be clear and then click on install. after installation will begin. Reboot will occur upon completion.

That's it.. Please wait for installation to be completed, leave it uninterrupted and you are done.

Hope it helped you, please write me back if you have any query or feedback on this.