Group Policy

LAPS missing from GPO

simone.corbisiero Leave a comment

Don’t worry if LAPS is missing from GPO: most likely it’s not being copied to your SYSVOL share and it can be fixed real quick. Obviously, you must have LAPS installed on the machine where you’re trying to create the group policy object on (I installed it on a Domain Controller to keep things simple):

  • Copy  C:\Windows\PolicyDefinitions\AdmPwd.admx to \\itdroplets\sysvol\itdroplets.com\Policies\PolicyDefinitions
  • Copy C:\Windows\PolicyDefinitions\en-US\AdmPwd.adml to \\itdroplets\sysvol\itdroplets.com\Policies\PolicyDefinitions\en-US

gpo-laps

Read More

The user does not have RSoP data

simone.corbisiero Leave a comment

This is an error you get back from running GPRESULT /R and it happens because the user you’re running this command with isn’t logged on the system.
For instance you want to check the policies applied to your computer but you’re not logged on with your administrator account. So you would run a command line prompt as a different user and then run gpresult /r or gpresult /r /scope computer getting stuck at The user does not have RSoP data.

gpresult-the-user-does-not-have-rsop-dataIn order to avoid this warning, you can run the following:

Where itdroplets\myuser is the user account that is logged on that workstation at the minute.

If you’re running this with PSEXEC (remotely) and you don’t know who’s logged on, run the following (with your admin account):

Where PC01 is the target computer. Note that this command might fail if ran it as above but it won’t if you run it with psexec like this:

 

Read More

Active Directory Auditing

simone.corbisiero Leave a comment

Active Directory Auditing is very important for large organisations where there’s a high number of technical resources, from different teams, accessing and modifying Active Directory. Active Directory Auditing comes with a cost though: an enormous amount of logs created.

Having so many logs will mean that you won’t be able to troubleshoot much as what you’re looking for might be long gone. If you work in a smaller company, then manually sorting these logs shouldn’t be a big deal, but again, remember that a Domain Controller in general does generate a lot of events. I would suggest to integrate Active Directory Auditing with something like System Center Operations Manager (SCOM) to help you out catching what you’re interested on.

This article wants to show you how to enable Active Directory Auditing. Remember also that you will have to enable it for each single (writable) Domain Controller that you have. This is very important or else you will only be able to track changes happening on a single domain controller (unless that is what you intend to do). What could be used to achieve this quickly and with the least effort as possible? Group Policies obviously!

Domain Controllers are stored in the same OU by default, and they also have a Default Domain Controllers Policy.
If you’re reading this, it means that you probably already know what Policy you want to enable, so I will go straight to the point. Auditing data will be stored in the Security logs.

  1. Open Group Policy Management (from Administrative Tools).
  2. Keep expanding until you reach the Domain Controllers OU.
  3. Right click on Default Domain Controllers Policy and click Edit.
    • GPO-Edit
  4. Once the Editor has started, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
    • GPO-AuditAccountManagement
  5. Now you can see the list of audits that you can turn on/off. You can either define to log just the success or just the Failures or both.
    • GPO-AuditAccountManagement-2

Read More

Disable This PC is eligible for a free upgrade to Windows 10

simone.corbisiero Leave a comment

If you’re receiving a pop-up on your Windows 7, Windows 8 and Windows 8.1 client that tells you that This PC is eligible for a free upgrade to Windows 10, then you’re probably running an OEM version of Windows. If this is happening at work and you know you should have a version of Windows Volume License, then you might have found a client wrongly imaged as Windows 10 is free to be upgraded only on OEM version of the OS (at least until today 17th of March 2016). Check out this article about Check what type of Windows License is installed.

Either ways, let’s see how we can get rid of This PC is eligible for a free upgrade to Windows 10 prompt. I set up a GPO for it, but I used the registry to make the change and not any Policy Template.

this_pc_is_eligible_for_a_free_upgrade_to_Windows_10

These are the two Registry Keys you will need to add in order to stop this from prompting again:

Subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DWORD value: DisableOSUpgrade = 1

Subkey: HKLM\Software\Policies\Microsoft\Windows\Gwx
DWORD value: DisableGwx = 1 (more…)

Read More

Prevent users from using PST

simone.corbisiero Leave a comment

This article, I think, it’s pretty interesting as I’ll show you how to set up a new GPO to prevent users from using PST files in Microsoft Outlook without the need to install any Office ADM Templates.

All the GPO will do is create/modify a few registry keys (one for each version of Microsoft Office). There are two ways, depending on your environment you can choose either one or the other. The first one it’s the cleanest way to do it but it’s only supported from Windows 7 and above (and from Windows Server 2008). The second one it’s a bit more “rusty” as it basically launches a batch file and that’ll do the work. Both worked for me but at the end I chose to use option number 1 as the few XP/Vista machines we have, are about to go.

Note that I want to prevent users from growing their current PST files, this GPO will still allow them to access their existing PST files. I think this is very important. Also, they’ll be allowed to create new PST files and to attach existing ones at a later stage but they won’t be able to modify them (only create subfolders which is kind of useless).

Before showing you the configuration of both the GPOs, I will show you the core of how to prevent users from using PST files in Outlook by creating a new registry key for each Office version. For instance, if you want to deny Outlook 2016 users to add new items to their PST files, all you need to do is create this new registry Key:

And then create a REG_DWORD (value set to 1) named PstDisableGrow. You can do the same with any Office version, I went down to 11.0.

Important: This only works on the HKEY_CURRENT_USER Registry! So you must run it with the end-user account.

You can add these keys with a batch file with just a line for each version [Notice how I used echo Y | – This will skip the confirmation as it’s going to “press” it for you].

Or remove them once you want to allow the users to fully utilised PST files.

For both the GPOs, I am creating a group in Active Directory that will contain all users I want to allow PSTs for. Also, both the GPOs have been set to run only on workstations, avoiding Servers:

GPO - WMI Filtering Workstation - WMI Filter

Option #1 – Using only the standard GPO Editor (From Windows Server 2008+) for Windows 7+ clients.

  • Create a new GPO and Edit it – I called it Disable PST Grow.
  • Navigate to User Configuration\Prefernces\Windows Settings\Registry.
    • Disable PST Grow GPO Registry
  • Right click on Registry and select New > Registry Item.
  • Under Action, select Update. Fill in the rest as per the below screenshot.
    • Disable PST Grow GPO Registry - Update - General

If you also want to have an exception group, keep on reading the extra few steps. (more…)

Read More