Group Policy Preferences (GPP) is a new technology introduced with Windows Server 2008 to make administrators' lives easier. A wide variety of settings are available in GPPs to help you manage your systems effectively.
Using GPPs you can administer the following components of the operating system, with both user-based and computer-based settings. The list below shows the settings available in GPPs; a setting can apply to a computer, a user, or both, depending on the setting.
Applications (User-based)
Drive Mapping (User-based)
Environment Variables (User-based and computer-based)
Files (User-based and computer-based)
Folders (User-based and computer-based)
Ini Files (User-based and computer-based)
Registry (User-based and computer-based)
Shortcuts (User-based and computer-based)
Network Shares (Computer-Based)
DataSources (User-based and computer-based)
Devices (User-based and computer-based)
Folder Options (User-based and computer-based)
Internet Settings (User-Based)
Local Users and Groups (User-based and computer-based)
Network Options (User-based and computer-based)
Power Options (User-based and computer-based)
Printers (User-based and computer-based)
Regional Options (User-based)
Scheduled Tasks (User-based and computer-based)
Start Menu (User-Based)
Services (Computer-Based)
If no targets are applied, all computers/users under this policy receive these settings. If you want to restrict the policy to specific users/computers inside an OU, you need to use item-level targeting. There are 25 targeting options, which can be used alone or in conjunction with other items. Some of the interesting targets are battery present, computer name, disk space, IP address range, LDAP query, OU, registry match, security group, site name, user name and WMI query.
Some of the uses of GPPs are…
You can restrict the membership of the desktops' local Administrators group. If anyone adds their account to the local admins, it will be removed during the next GPO processing because of the GPP setting.
You can execute scripts and commands in user context at scheduled times.
Control power options on laptops/desktops
Easily deploy files to desktops based on user and computer
Push shortcuts to users/desktops
GPPs can also replace some of the settings currently handled by your computer/user logon scripts. Applying these settings through GPPs takes considerably less time than using scripts.
Compatibility…
I am sure many users will look for this information after going through the exciting GPP features. Though this feature was released with Windows Server 2008, you can happily use GPPs in your existing Windows Server 2003 domain with XP clients. The only thing you need to do is deploy the GPP Client Side Extensions (CSE) package from Microsoft. The newer operating systems such as Windows Vista, Windows 7 and Windows Server 2008 come with this CSE by default.
You can read more details about this from the sources below…
Today I want to turn some of my scripting efforts over to the public.
Sometimes I get requirements to see how many machines that are part of an AD security group are online. The worst method I used to follow was dumping the group member list to a text file and using a batch script to ping each machine and check its status. This works, but dumping and analyzing consumed some of my time. That is why the script below was born….
You just need to give the group DN in the script and execute it with cscript. It shows whether each machine is online or not. Feel free to modify the script to match your requirements and let me know if I can be of any help.
'##########################################################################
'# Purpose : To check the ping status of computers part of a security group
'# Author  : Sitaram Pamarthi
'#
'##########################################################################
'On Error Resume Next

' Replace with your group DN
GroupDN = "LDAP://CN=Your Group Name,OU=Your OU name,DC=domain,DC=com"

' Bind to the group and read its member list
Set objGroup = GetObject(GroupDN)
objGroup.GetInfo
arrMemberOf = objGroup.GetEx("member")

For Each strMember In arrMemberOf
    ' Bind to the member object; only computer objects carry a dNSHostName worth pinging
    Set objMember = GetObject("LDAP://" & strMember)
    If LCase(objMember.Class) = "computer" Then
        strHost = Trim(objMember.dNSHostName)
        ' Ping through WMI; StatusCode 0 means a reply was received, Null means no result at all
        Set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}").ExecQuery _
            ("Select * From Win32_PingStatus Where Address = '" & strHost & "'")
        For Each objRetStatus In objPing
            If IsNull(objRetStatus.StatusCode) Or objRetStatus.StatusCode <> 0 Then
                WScript.Echo strHost & " ==> host not reachable"
            Else
                WScript.Echo strHost & " ==> Machine Reachable"
            End If
        Next
    End If
Next
I am an avid fan of Quest products when it comes to Active Directory restoration. Their products let you restore objects in Active Directory without taking the domain controller offline into DSRM mode. There are many products available in the market, but in my opinion it is more efficient than the others. The purpose of this post is not to give publicity to the Quest product; I want to take you through a couple of videos from Quest which show how seamless it is to restore objects from Active Directory. These videos are entirely for Windows Server 2008 R2, where the “Recycle Bin” optional feature is functional. Refer to TechNet if you want to know more about the “Recycle Bin” optional feature in Active Directory 2008 and the “Active Directory Recycle Bin Step-by-Step Guide”.
You can also do this with a PowerPack from PowerGUI, which is a cost-effective solution compared to Quest products. This PowerPack only helps you recover deleted objects from the Active Directory Recycle Bin, not items that have entered the tombstone state, that is, items that are out of the Recycle Bin.
Visit this blog entry to know more about the PowerPack for recovering AD. The video below gives you the procedure for operating the PowerPack.
Microsoft Windows Server 2008 Active Directory Domain Services has many enhanced features in its GUI. The Active Directory Users and Computers, Sites and Services, and Domains and Trusts MMC snap-ins have always been adequate for managing Active Directory. In Windows Server 2008, the basic admin tools have been cleaned up and a couple of nice new features introduced. If you enable Advanced Features, the Properties dialog for each object displays an additional tab titled Attribute Editor. This is the same attribute editor tab used by ADSI Edit, which lets you inspect and edit all of the attributes of the object. The tab now offers better decoding of encoded attributes, such as the userAccountControl attribute. The attached image shows how seamlessly the attribute editor is integrated.
Object deletion succeeds only when the following conditions are satisfied:
The caller has appropriate rights for deleting objects in Active Directory
The “Disallow Delete” bit is not set in the systemFlags attribute of the object
The isCriticalSystemObject attribute is not set to TRUE
After these conditions are met, Active Directory starts the deletion operation by doing the following:
Sets the isDeleted attribute of the object to TRUE
Wipes out all attributes of the object except the following. Refer to MSDN for more details about the attributes retained.
attributeID
attributeSyntax
distinguishedName
dNReferenceUpdate
flatName
governsID
groupType
instanceType
lDAPDisplayName
legacyExchangeDN
mS-DS-CreatorSID
mSMQOwnerID
name
nCName
objectClass
objectGUID
objectSid
oMSyntax
proxiedObjectName
replPropertyMetaData
sAMAccountName
securityIdentifier
subClassOf
systemFlags
trustAttributes
trustDirection
trustPartner
trustType
userAccountControl
uSNChanged
uSNCreated
whenCreated
Moves the object to the “Deleted Objects” container by renaming it.
Renaming is necessary here because the “Deleted Objects” container is flat. The object is renamed to a format similar to “[OldRDN]\0ADEL:[GUID]”, where \0A is the escaped line-feed character separating the parts and GUID is the globally unique identifier of the object being deleted.
This completes the deletion process.
Note that deleted objects still remain in Active Directory for some days. This period is called the tombstone lifetime. It is 60 days for forests initially built with Windows 2000 or Windows Server 2003, and 180 days for forests built with Windows Server 2003 SP1 or above. If you want, you can change it to the value you want by modifying the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=COM object from adsiedit.msc.
After the tombstone period the object is marked for permanent deletion. A process called “garbage collection” runs every 12 hours on domain controllers; its job is to collect objects that have exceeded the tombstone lifetime and delete them. So a deleted object stays in the Active Directory database for the number of days in the tombstone lifetime plus the number of hours left until the garbage collection process triggers after tombstone expiry.
Objects CANNOT be retrieved by any mechanism after they have been deleted by the garbage collection process.
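As an added example (not part of the original post), the following PowerShell uses the ActiveDirectory module that ships with Windows Server 2008 R2 to list the tombstones described above, decode the renamed RDN, read the tombstoneLifetime value from the Directory Service object named above, and estimate when each tombstone becomes eligible for garbage collection. It assumes the 60-day default when the attribute is unset and uses whenChanged as the deletion time, since the object is not modified after deletion.

```powershell
Import-Module ActiveDirectory

# tombstoneLifetime lives on the Directory Service object in the configuration partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
# When the attribute is not set, the forest uses the 60-day default
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tsl days"

# Tombstones carry isDeleted=TRUE under the Deleted Objects container;
# they are only returned when -IncludeDeletedObjects is given
$tombstones = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                           -Properties isDeleted, lastKnownParent, whenChanged

foreach ($obj in $tombstones) {
    # Renamed RDN is "<old RDN>\0ADEL:<objectGUID>"; \0A is a literal line feed in Name
    $parts = $obj.Name -split "`nDEL:", 2
    if ($parts.Count -lt 2) { continue }   # skip the Deleted Objects container itself

    # Garbage collection runs every 12 hours, so actual removal follows within that window
    $expires  = $obj.whenChanged.AddDays($tsl)
    $daysLeft = [math]::Round(($expires - (Get-Date)).TotalDays, 1)

    [pscustomobject]@{
        OldName         = $parts[0]
        ObjectGUID      = $parts[1]
        Class           = $obj.ObjectClass
        LastKnownParent = $obj.lastKnownParent
        Deleted         = $obj.whenChanged
        GCEligible      = $expires
        DaysLeft        = $daysLeft
    }
}
```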
In my next post I will take you through the different options available in active directory restoration.
In this post, I am *NOT* going to talk about protecting Active Directory from external/internal intruders; rather, I will talk about protecting Active Directory from accidental delete/move/modify operations.
Sounds weird? But believe it: every organization faces the problem of accidental OU/object deletions by privileged users (mostly administrators). Though it is not intentional, the damage costs the company. And again, the sysadmin is the one who has to break their head over proper restoration of the objects or depend on costly restoration software.
So, in this post, I will take you through procedures for protecting an OU from being moved and deleted.
HIGH-ALERT: THIS PROCEDURE CONTAINS DENY PERMISSIONS FOR EVERYONE ON ACTIVE DIRECTORY OBJECTS, SO READERS/FOLLOWERS OF THIS DOCUMENT SHOULD BE VERY CAREFUL WHILE FOLLOWING THE STEPS. I CANNOT GUARANTEE THAT IT WORKS IN THE SAME WAY AS I DESCRIBED; IT DEPENDS ON YOUR AD INFRASTRUCTURE. USE THIS AT YOUR OWN RISK. I (SITARAM PAMARTHI) AM NOT RESPONSIBLE FOR ANY DAMAGES CAUSED BECAUSE OF THIS POST.
Protect from Deletion.
Open dsa.msc (a.k.a. Active Directory Users and Computers) and open the properties of the Organizational Unit you want to protect
Switch to the Security tab and click Advanced to get the Advanced Security Settings page
Click Add, type Everyone and then click OK to close the window
On the Permission Entry page, select “This object only” from the Apply onto drop-down box and select the Deny check box for the DELETE and DELETE SUBTREE permissions
Click OK to leave the Permission Entry page (click Yes on the warning message you receive explaining the deny functionality), then click OK on the Advanced Security page and on the OU properties page.
This completes the OU protection process from deletion.
Refer to this TechNet page for details on protection. If in future you really want to delete a protected OU, you need to follow the Remove Protection procedure described on the same TechNet page.
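As an added example (not part of the original post), the PowerShell below uses the ActiveDirectory module of Windows Server 2008 R2 to apply the same Everyone Deny Delete / Delete Subtree entries to every unprotected OU, and then reads the ACL of one OU back to verify the entries are there. The OU distinguished name is a placeholder to replace.

```powershell
Import-Module ActiveDirectory

# OUs nobody has protected yet; the flag is derived from the Everyone deny entries
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
               Where-Object { -not $_.ProtectedFromAccidentalDeletion }

foreach ($ou in $unprotected) {
    # Writes Deny Delete and Deny Delete Subtree for Everyone, applied to this object only.
    # Setting the parameter to $false later is the "remove protection" step.
    Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
    Write-Host "Protected: $($ou.DistinguishedName)"
}

# Verify by reading the ACL of one OU through the AD: drive the module provides
$ouDN = 'OU=Your OU,DC=yourdomain,DC=com'   # placeholder: replace with your OU
$acl  = Get-Acl -Path "AD:\$ouDN"
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq 'Everyone' -and
    ($_.ActiveDirectoryRights -band $deleteRights)
} | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType
```

An empty table from the last pipeline means the OU is still unprotected and the deny entries were not written.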
Protect from Moving
We could deal with AD permissions similarly to the deletion operation to block moving, but I don’t suggest that because of the complexity involved. Rather, I would just disable the drag-and-drop functionality in dsa.msc to achieve this. I think this should suffice for the requirement of protecting from moving. If an admin really wants to move an OU, he can right-click and select Move.
I don’t want to describe the steps here, but I will point to this KB article, which is very straightforward.
Happy Learning…, Sitaram Pamarthi
Tags: prevent OUs from deletion, protect OU’s in active directory, prevent OUs from moving
While working with Active Directory Users and Computers, I sometimes felt pain when I wanted to see when a user was last modified, the home mailbox server, whether the user account is locked or not, and many other parameters. I needed to go to the user properties and check each piece of information on each tab. Sometimes I forgot to enable the “Advanced Features” option, which gives some more details in the properties. I felt it was enough and asked myself, “Do I really need to navigate to all tabs in user properties to get the information I want?” and asked my friend “google.com”, which showed me a way out.
I found a lot of help on the internet for adding a new option to the user context menu which, when clicked, invokes a VB script. I quickly followed the procedure and was able to get the work done the way I like (“One Click to get User Info”).
Please note that you need to write your own script based on the attributes you want to view. I wrote a script (Get-User-Info.vbs) which satisfied my needs and placed it on Google Documents for public reference.
Procedure:
Log on to any machine where you have the Windows 2003 Support Tools installed and type “adsiedit.msc” in the Run command.
This opens the ADSI Edit MMC. Navigate to Configuration Container -> “CN=Configuration,DC=Yourdomain,DC=COM” -> “CN=DisplaySpecifiers” -> “CN=409”
In the right-hand pane, open the properties of the “CN=user-Display” object and edit the attribute “adminContextMenu” in the Attribute Editor tab
Add the value below (without quotes) to the list. There might be other entries which start with 6; choose another number if that is the case
“6,&Show User Info,\\yourdomain.com\netlogon\get-user-info.vbs”
Note: In the above value I used the DFS share. You can change it to any other share on a file server as per your convenience. Please remember to place the script at the location you mention.
Click OK to finish your editing and reopen the “Active Directory Users and Computers” MMC.
Now right-click any user account and you will see the “Show User Info” option. When you click it, the script is invoked and displays the result you are looking for. Look at the pictures below.
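As an added example (not part of the original post), the PowerShell below performs the same adminContextMenu edit with the ActiveDirectory module of Windows Server 2008 R2 instead of ADSI Edit, and picks the first menu index that is not already used by another entry, which is the collision the step above warns about. The menu label and script path are placeholders to adapt.

```powershell
Import-Module ActiveDirectory

# Display specifiers live in the configuration partition; CN=409 is the English (US) locale
$configNC   = (Get-ADRootDSE).configurationNamingContext
$userDispDN = "CN=user-Display,CN=409,CN=DisplaySpecifiers,$configNC"

# Placeholders: label shown in the context menu and UNC path of the script to invoke
$label      = '&Show User Info'
$scriptPath = '\\yourdomain.com\netlogon\get-user-info.vbs'

# Each existing value is "<index>,<label>,<command>"; collect the indexes in use
$existing    = (Get-ADObject -Identity $userDispDN -Properties adminContextMenu).adminContextMenu
$usedIndexes = @($existing | ForEach-Object { [int](($_ -split ',', 2)[0]) })

# Choose the first free index instead of hard-coding 6
$index = 1
while ($usedIndexes -contains $index) { $index++ }

$entry = "$index,$label,$scriptPath"
Write-Host "Adding context menu entry: $entry"
Set-ADObject -Identity $userDispDN -Add @{ adminContextMenu = $entry }
# To undo: Set-ADObject -Identity $userDispDN -Remove @{ adminContextMenu = $entry }

# Show the resulting list; ADUC reads it the next time the console is opened
(Get-ADObject -Identity $userDispDN -Properties adminContextMenu).adminContextMenu
```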
Tags : How to add custom menu in active directory, Easy way to get user information, Quickly access user information, Customize Active Directory to Display User information
By default, Active Directory does not give an option for creating “Container” objects. It only allows you to create Organizational Units for grouping AD objects. However, if your situation demands it, you can create container objects by following the procedure below.
Open adsiedit.msc and connect to the schema partition
Select CN=Schema,CN=Configuration,DC=domain,DC=com in the left pane
In the right pane, look for the CN=Container object and open its properties
Change the value of defaultHidingValue to FALSE
This gives an option for creating a container object when you right-click any OU/container and select “New”. Container will then be listed along with OU, User, Computer, etc.
More about defaultHidingValue attribute:
A Boolean value that specifies the default setting of the showInAdvancedViewOnly property of new instances of this class. Many directory objects are not interesting to end users. To keep these objects from cluttering the UI, every object has a Boolean attribute called showInAdvancedViewOnly.
If defaultHidingValue is set to TRUE, new object instances are hidden in the Administrative snap-ins and the Windows shell. A menu item for the object class will not appear in the New context menu of the Administrative snap-ins—even if the appropriate creation wizard properties are set on the object class’s displaySpecifier object.
If defaultHidingValue is set to FALSE, new instances of the object are displayed in the Administrative snap-ins and the Windows shell. Set this property to FALSE to see instances of the class in the administrative snap-ins and the shell and enable a creation wizard and its menu item in the New menu of the administrative snap-ins.
If the defaultHidingValue value is not set, the default is TRUE.
[If you missed to read part-1 of this article, read it from here]
In part 2, I am going to cover the steps a Windows XP computer takes when the DC it cached goes down. As said earlier, XP caches the DC name initially and supplies it to applications that request it. The netlogon process also frequently checks the availability of the cached DC by doing an LDAP ping. If it finds that the cached DC is down, it tries to get another available DC by using the force discovery flag (see nltest help). In this case it may go to a DC sitting in another AD site if no local DCs are available. But what I observed is that, in some cases, netlogon does not try to force rediscovery even if the cached DC is down. I guess it has some schedule and is waiting for it. In this case one can restart the netlogon service or use the nltest /dsgetdc:domainname.com /force command to refresh the DC list. So now XP is happy that it got another available domain controller, at the cost of slow access (because it is in a remote site connected by WAN links). But remember that XP will not switch back to the local DC automatically when the local DC comes online again. The netlogon refresh finds every time that the DC it cached (the remote one) is available and will not try force discovery. XP gets the local DC again only if either the remote DC it connected to goes down or the XP machine is rebooted.
I discussed netlogon behavior on one of the forums, and a guy has written a tool to address the situation where netlogon fails to get a new DC when the cached DC goes down. You can download this tool from here.