Applying Group policy specifically on selected security groups of users or computers in Active Directory.

Or, How to apply a group policy on a Security Group in AD?

Or, What is group policy security filtering in Active Directory? 

Descriptions:

In real world, this is very genuine requirement when someone in your company can ask you to apply a Desktop Wallpaper or some other controls on some specific users or computers. You know it well that you can apply group policy on Users or Computers based on OU in which they are. Means, your group policy became very specific to OU or OU oriented.

You can’t move any user or computer to any other OU as their existing Group Policies may go away or will be messed and may cause lots of issues.

But there is some way to achieve the above stated requirement:

1. Group Policy Security Filtering

2. Group Policy Loopback Processing

There are some technical concepts and understandings that you should understand well before playing with these features else you may make blunders instead of doing things right.

Here in this article, I will explain about first option “Group Policy Security Filtering”. We will discuss about GPO Loopback processing in next article.

Additionally, I will suggest not to go with Group Policy Loopback Processing option if your requirement is being achieved by using Group Policy Security Filtering.

What is Group Policy Security Filter?

Group Policy Security Filter allows you to apply a group policy on a specific user, computer or security group. E.g. If in case you have applied a Group Policy on a OU which is having 10 users and you have added only two users in security filter of the applied GPO, the settings defined under specified GPO will be applied on only those two users which are added there in security filter option.

Steps: How to apply group policy on a Security Group in AD or on a specific user?

Select your group policy > Go to Scope option > Under Security Filtering, click on Add button > Select your Security Group and add here.

Now, go to Delegation tab > make sure the security group you added in above step is appearing here > Now Click on Advanced

Set the Authenticated Users Permission Level for the specified Group Policy as shown in below screenshot. Authenticated Users should be having Read only rights and must not be allowed to Apply group policy.

Select Authenticated Users > Enable Check Mark on Read > Uncheck the option Apply Group Policy > Click OK to save the changes

Set the Security Group Permission Level for the specified Group Policy as shown in below screenshot. Your Security Group should be having Read and must be allowed to Apply group policy.

Select Your Security Group > Enable Check Mark on Read > Enable check mark on Apply Group Policy > Click OK to save the changes.

That’s all my friends. Now you can check your client machines if they are having applicable GPOs applied on them. Run gpupdate /force on Server and Client both to get the result quickly or try logging off. 

How to create NIC Team in Windows Server 2012 R2 ?

Or, Understanding NIC Teaming in Windows Servers.

Or, Step by step guide for configuring NIC Teaming in windows servers with detailed explanation of available features and prerequisites.

Or, Understanding “Additional Properties” and “Load Balancing Modes” of NIC Teaming in Windows Servers.

Prerequisites:

There are few prerequisites you must be considering before going to implement the NIC Teaming for your server, below are few of them:

You should plan for a downtime for at least 10-15 minutes. Because, when you create a NIC Team, the IP configuration of the server is required to be configured again on the logical NIC Team adapter and your server might get inaccessible just after creating the NIC Team because it has not IP configurations on the newly created NIC Team adapter.

If you are doing for a Physical Server, you must be having physical access of the server. Because, when NIC Team creation wizard completes, the IP configuration of the server get erased from the Ethernet adapter and the newly created NIC Team adapter has no IP configurations at that time. So, its simple you don’t have any method to connect to the server if you don’t have any IP configurations inside. 

Yes, you are lucky if you have something like Management IP separately for this server which can allow you to access your server KVM console remotely, else it better you have physical access of the server.

Descriptions:

NIC Teaming is one of the cool feature of Windows Serves which allows you to achieve high speed, redundant Ethernet card requirements when your some specific applications or servers deadly needs it.

Once you are ready with the above explained prerequisites, please proceed with below steps to get it configured as per your requirements:

Steps:

Open Server Manager console > Go to Local Server option > On the NIC Teaming option, Click on Disabled highlighted Hyperlink (as shown in the below screenshot).

Click on Network Adapter tab

Select your Active Adapters (hold Ctrl key and Click on active adapters you need), in my case my two Active Ethernet Adapters are LAN-Primary and LAN-Secondary > Right Click on Selected Active Ethernet Adapters > Click on Add to New Team

Give a friendly logical name for your NIC Team > make sure that the check mark is enabled on NIC Adapters you are going to add in a Team > Click OK

Wait for configurations to be completed

You may see below pop-up (connection has been lost) window. You remember the perquisites I explained above?

Now try to gain access of the server console locally (I accessed it using KVM console in my case).

Open Network Control Panel ( Go to RUN > type ncpa.cpl > Hit enter) > Select your NIC Team > Go to Properties > Select Internet Protocol Version 4(TCP/IPv4) > Click on Properties > do the IP configurations as per your network design > Click OK to save the changes

Please Note: the IP address you will configure here for your NIC Team Logical Network Adapter, the same IP will be used as Server IP going forward for this particular server.

That’s it, you are done. But, if you want to do/check some more configuration settings, you can navigate through NIC Team properties from the Server Manager console.

As you can see in the below screenshot, I have used my both NIC adapters in Active-Active mode.

To understand more about this features, please see below descriptions.

Understanding Additional Properties (NIC Teaming Modes):-

Teaming Modes:

Switch Independent: The very first option on the list is the teaming mode. The default option is Switch Independent mode which lets you build a NIC team without having to be worried about your network switches capability and compatibilities.

Static Teaming:  This teaming mode is a switch dependent mode. This mode requires you to configure both computer and the network switch in order to identify the links that help to build a team.

Switch Dependent: This is known as LACP, and it is based on link aggregation fundamentals. By using this type of NIC teaming you can dynamically reconfigure the NIC team by adding or removing NICs as your requirements.

Understanding Load Balancing Modes:

There are two type of Load balancing mode are available a) Address Hash and b) Hyper-V port. The Address Hash option is the most commonly used load balancing option as it allows traffic to be load balanced across all of the NICs in the team.

The Hyper-V Port option balances traffic per virtual machine basis method. This load balancing feature helps dedicating each virtual machine’s traffic to a specific NIC.

Standby Adapter

The name of the feature is self-explanatory; this feature allows you to decide which network you want to be acting as a load balancing network adapter in the logical NIC Team you have created. Choosing this option, keeps your one NIC in standby mode and another in active mode. The Standby NIC comes in active mode automatically when the primary active NIC fails due to any reason.

Cheers, Please write me back if you have any query, feedback or suggestion on this..

Windows Time Service error 1290 – Windows Server 2008

Or, The Windows Time service failed to start due to the following error: Event ID 7000

Or, System error 1290 has occurred (Windows Time Service – Windows Server 2008)

Error Event in detail:

Log Name:             System

Source:                  Service Control Manager

Date:                     8/27/2016 9:33:13 AM

Event ID:               7000

Task Category:       None

Level:                     Error

Keywords:              Classic

User:                      N/A

Description:

The Windows Time service failed to start due to the following error:

The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.

Error Message when you try to start the Windows Time Service using services.msc.

System error 1290 has occurred.

The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.

Solution (Worked for me):

Just run the below commands on elevated command prompt and that’s it.

w32tm /register

sc config w32time type= own

Please start the Windows Time Service Manually after the command gets completed successfully.

How to prevent “Server Manager” automatic startup at logon?

Or, Disable “Server Manger” automatic launch at startup-Windows Server 2012.

Or, Do not start Server Manager automatically at logon.

Steps:

Open Server Manager > Click on Manage > Click on Server Manager Properties

Enable check mark on “Do not start Server Manager automatically at logon” > Click on OK

How to export active directory users list without any additional tool, powershell or script?

Or, The easiest and the coolest way of exporting All AD users list to csv file.

Or, Getting list of all AD users using active directory GUI interface and exporting them to csv/txt file.

Or, How to export AD users list to a txt or csv file?

Descriptions:

I don’t know why Microsoft does not highlight these kind of features well to the techies across the world. Trust me, it has been too late if you really don’t know “you can export AD users, Computers, Groups, Disabled AD Users etc.. without any additional tool”. Yes, I am right, without any additional tool you can have such reports exported to a CSV or TXT file using Active Directory Query feature.

I am not surprised, if you are thinking where the hell this “Active Directory Query” features is and how to use this? Same thing runs in to my mind when I come to know about this feature for the first time. :)

Guys, have you noticed “Saved Query”, a small folder under “Active Directory Users and Computers”  tree when you open “Active Directory Users and Computers” management console either by opening it directly from Server Manager or by using “dsa.msc” from your local computer?

No??? Okay, No problem at all. Let me explain little bit about this.

What is this “saved query” folder for under “Active Directory Users and Computers” management console?

This folder is the one which contains the saved queries when you use any active directory based query to get Active Directory objects reports using GUI feature of Active Directory Query tool. From here, you can generate many kind of reports, let me say it most of the available reports in AD.

How to use this?

There is no scripting, programming or Powershell expertise required for performing this task. If you have basic idea about AD objects, you can perform these steps easily.

Warning:  If you are not sure about any feature or query you are selecting/executing, better you consult your seniors before going ahead. Proceed with further steps only if you understand the steps to avoid any accidents else ignore this.

Steps:

Open Active Directory Users and Computers Console > Right Click on “Saved Query” Folder

Click on New > Query

Give any friendly name > Make sure your domain in selected under Query root section > Make sure “Include subcontainers” is checked > Click on “Define Query”.

From the Find drop down menu, Select “Custom Search”

Click on “Field”

Choose the field you wish (in my case, Let’s take “User” field) > Choose “Display Name” in the sub-fields window

Make sure the first blank box is containing the field you selected (in our case, its Display Name) > in the value field, please put a single star (*) > Click on OK

You should be able to see the Query String section like as highlighted in below screenshot > Click OK

Wow...!!! here you have the list of all AD users of your domain.

To export them to a txt or csv file, right click on your query that you created (in my case its AllUsersMyDomain) > Click on Export List

Browse the computer location where you wish to save this file > Select the desired file format > Click on Save.

That’s it Guys… want to explore more on this query tool? Just follow the same steps and select any other custom field.

Cheers, please write me back if you have any query or feedback about this article. 

Why should you audit Group Policy and how do you go about it?

Group Policy gives network administrators the ability to define user, security, and organization-wide policies in bulk throughout the network. However, any minor changes to these policies can have massive implications to the user and to network. Continuous auditing and monitoring of Group Policy ensures that you are constantly aware whenever someone attempts to alter Group Policy or misuse Domain Controllers, member servers or Active Directory computers. In this article we will explain how you can use native tools to perform a basic GPO audit.

Group Policy change auditing using native features:

Change auditing Group Policy using native features can be broken down into three steps:

NOTE: Native auditing is very basic in nature – it may change events and will therefore not be very useful when trying to perform forensic analysis of change events.

Enabling DS Access auditing:

DS Access is enabled by editing the Default Domain Controller Policy using the Group Policy Management Editor. Auditing is enabled for Success and Failure events for the two subcategories— Audit Directory Service Access and Audit Directory Service Changes—of the DS Access audit policy.

Note: To do this, right-click Default Domain Controller Policy and click Edit; when the Group Policy Management Editor appears, expand to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, and select DS Access. Double-click Audit Directory Service Access / Audit Directory Service Access, check the checkbox Configure the following audit events and select Success and Failure. Click Apply; click OK.

Configuring SACL entries for Group Policy Container objects:

SACL entries for the Group Policy Container objects are configured using the ADSI Edit as follows

1. In ADSI Edit, connect to Default naming context and navigate to DC=domain name, and CN=System.

2.  Right-click CN=Policies, and select Properties.

3. Under the Security tab, click Advanced.

4. Under the Auditing tab, click Add.

5. Now, Add Everyone in the Name field, select This object and all descendant objects in the Applies onto box, and check the checkboxes under Successful for the Create groupPolicyContainer objects and Delete groupPolicyContainer objects. 
Finally, click OK, and close all the open dialogue boxes.

In the same way, create another auditing entry. This time, select Everyone in the Name field, select Descendant groupPolicyContainer objects in the Applies onto field, and select the check boxes under Successful for Write all properties, Delete, and Modify permissions.

Viewing Group Policy change events in Windows Security logs:

After enabling auditing, Group Policy change events are recorded in the Windows Security logs. To view them, search for the relevant IDs using the Event Viewer. Some relevant event IDs are:

5136	A directory service object was modified
5137	A directory service object was created
5138	A directory service object was undeleted
5139	A directory service object was moved
5141	A directory service object was deleted

Article Summary

Group Policy settings play a vital role in determining what domain users can and cannot do in the Active Directory environment. Because of this, administrators must be vigilant when it comes to monitoring changes and modifications to it.

Trying to use native auditing tools to perform regular, detailed audits of Group Policies can be a difficult and lengthy process. Even if you devote the time to it, often the best configurations fail to capture all of the changes that occur. 

This leaves you with two alternatives; using Microsoft’s Advanced Group Policy Management (AGPM) or deploying a specialized Active Directory auditing solution like LepideAuditor Suite, This is one such solution that provides a scalable means to instantly see who, what, where and when changes are made to the Active Directory. It sends real time alerts and provides detailed reports to help with all manner of security, system management and security challenges that your organization may face (without breaking the bank). 

Error While Joining Windows server to Domain

Or, Unable to connect an Active Directory Domain Controller while domain joining.

Many of us we face this kind of error’s in our day to day IT Operation Services. There are many reasons for this error like, network Connectivity, Wrong VLAN, Wrong Domain Name, Domain is Down etc. So Today I will take you to one of the reason of this error.

Below is Error Screenshot:

Reason/Solution: I have investigated and Found one reason, I am able to ping IP address but when I am trying to ping with Domain name” Request Timed Out” error coming and host IP address is configured manually. So I checked and Found IP address details for DNS Server is not mentioned.

So Now I have given DNS Server IP Address.

So Domain name is now reachable I can Join that server in domain now. Only Domain Admin user id and password required to join into “Techiessphere.com” Domain.

How to restore a Crashed WSUS Server?

How to Move WSUS Patch Logs and Database from One Drive to Another Drive?

Today My WSUS Server was suddenly showing low disk space in WSUS database drive. After little investigation I decided to move the WSUS Content data from Lower Disk Space Drive to Newly Created Larger Disk Space Drive. I did the following to get it up and running:-

Note: - You must create the new path for local WSUS update storage prior to using WSUSutil.exe

For Example: - If you want WSUS database/contents to moved in New Drive F:\ then you should create a path in this Drive like: - F:\WSUS

> First Go to WSUS Installation Drive: \Program Files\Microsoft Windows Server Update Services\Tools

> Make Sure WSUSutil.exe is available here.

> Now go to Run > Type CMD > Locate to \Tools\WSUSUtil.exe

> Now Run the following command: - wsusutil.exe movecontent F:\WSUS\ F:\move.log

Once you will execute the above command, CMD prompt will look like below:-

Leave this window UN-interrupted till it completed successfully. Hope it will help you…CHEERS....