How to deploy latest Windows GPO ?

The Central Store. To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a Windows domain controller. The Central Store is a file location that is checked by the Group Policy tools by default. The Group Policy tools use all .admx files that are inContinue reading “How to deploy latest Windows GPO ?”

GPO – PowerShell GPO management

GPO Basics: 1) Structure of a GPO: Group Policy Container (GPC) which exists in Active Directory and the Group Policy Template (GPT) where the actual content of your GPOs resides. A third component, known as Client-Side Extensions (CSEs) can be found on client devices and are necessary for them to properly process the Group Policies assigned toContinue reading “GPO – PowerShell GPO management”

GPO – MS15-011 Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)

Security update MS15-011 & MS15-014 installed which hardens the UNC paths for SYSVOL & NETLOGON & the following registry keys being pushed using group policy: RequirePrivacy=1 RequireMutualAuthentication=1 RequireIntegrity=1 Other related article: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

GPO – Deploying Group Policy Security Update MS16-072 \ KB3163622

https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/ After MS16-072 is installed, user group policies are retrieved by using the computer’s security context. This by-design behavior change protects domain joined computers from a security vulnerability. Check if “Authenticated Users” group read permissions were removed intentionally by the admins. If not, then you should probably add those back. For example, if you doContinue reading “GPO – Deploying Group Policy Security Update MS16-072 \ KB3163622”

AD: Best GPO settings to prevent hackers

Here are my recommendations to secure your computers and your domain: Configuration\Windows Setting\Security Settings leaf. Rename the Local Administrator Account: If the bad guy doesn’t know the name of your Administrator account, he’ll have a much harder time hacking it. Disable the Guest Account: One of the worst things you can do is to enableContinue reading “AD: Best GPO settings to prevent hackers”

DFS dirty-shutdown stopping DFS replication

DFS dirty-shutdown stopping DFS replication: DFSR event ID 2213 in Windows Server 2008 R2 or Windows Server 2012: https://support.microsoft.com/fr-fr/kb/2846759 How to disable the Stop Replication functionality in AutoRecovery To have DFSR perform AutoRecovery when a dirty database shutdown is detected, edit the following registry value after hotfix 2780453 (http://support.microsoft.com/kb/2780453) is installed in Windows Server 2008Continue reading “DFS dirty-shutdown stopping DFS replication”

How to push Registry values with GPO preferences ?

You can push out registry keys or values using GP Preferences (GPPs): Comparison results table : http://timstechnoblog.blogspot.fr/2010/10/group-policy-preferences-registry-items.html If you are deploying multiple keys through GPPs, things to look out for are Order of GPP and the path of Key. For e.g. You may be overwriting a key location which you created at order1 by using the ReplaceContinue reading “How to push Registry values with GPO preferences ?”

Understanding GPO loopback processing

Loopack processing explained by MS AD blog team: http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx Previous explanation: Group Policies are normally applied to the user or their PC depending on where they are located in Active Directory. There are occasions, especially for terminal servers, when you wish users to have certain policies applied depending on which computer they log on to.Continue reading “Understanding GPO loopback processing”