The Sysadmins

Tips and tricks from the Sysadmins

Group Policy – Internet Explorer Security Zones

There is often a requirement to maintain and add URLs to the security zones of Internet Explorer. As we discussed in the last couple of posts, Internet Explorer Maintenance (IEM) has been deprecated with Internet Explorer 10. This post will look at two ways to leverage group policy to manage the security zones. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.

Site to Zone Assignment List

Create a new Group Policy Object and browse to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

Internet Explorer Site to Zone Assignment

Double click on Site to Zone Assignment List, select Enabled and click Show to configure the entries.

Internet Explorer Trusted Sites

Note the numbering of the Security Zones. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

In this example I have added http://intranet.corp.local to the Trusted sites (2).

Zone Assignments

Using this method will grey out the Trusted sites GUI, meaning the end user cannot remove or add any sites to any of the zones.

Trusted Sites Greyed Out

If you would like to be a little more flexible and allow the end users to edit the zones, you will need to use an alternative method: Group Policy Preferences Registry Items. Consider the implications of allowing this, as users can add their own sites and potentially reduce the security settings for a given site.

Group Policy Preferences Registry Items

This method will allow you to deploy Security Zone sites, whilst allowing the end user to modify the zones by adding or removing sites. If a user removes one of the sites deployed via this method, it will be re-added on the next Group Policy refresh.

I’ve covered deploying registry settings via Group Policy Preferences in a previous post, so you may want to have a quick scan if you’re not familiar.

Create a new Group Policy Object and browse to User Configuration -> Preferences -> Windows Settings -> Registry. Right click and choose New -> Registry Item. This is where you configure the sites; you will need one registry item per site.

GPP Registry to Set Security Zones

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\ (the domain is the key and the host name is a sub-key, so this entry covers www.website.com)
  • Value name will typically be http or https
  • Value type is REG_DWORD
  • Value Data uses the same as Site to Zone Assignment. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

This is what you will see on the client machine.

Trusted Sites Not Grayed Out

If you want to set the “Require server verification (https:) for all sites in this zone” with this method, you can do so by setting the following.

Require server verification (https:) for all sites in this zone

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • Value name is Flags
  • Value type is REG_DWORD
  • Value data is 67 to untick this option, and 71 to tick it; make sure the base is set to Decimal
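To see what either method has actually left in a user's profile, the following added script (written for this post, not part of the original) walks the ZoneMap\Domains layout described above and checks the Flags bit behind the 67/71 values; the ZoneMapKey path used for the policy-deployed list is an assumption from my own knowledge rather than something the post shows.

```powershell
# Added example (not from the original post): list which sites the current user's
# registry maps into the IE security zones, using the ZoneMap\Domains layout above, and
# check whether Trusted Sites still requires HTTPS (bit 0x4 of Zones\2\Flags, which is
# the difference between the 67 and 71 values above). Zone numbers follow the post.
$IEBase    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-IEZoneAssignment {
    # Walks ZoneMap\Domains\<domain>[\<host>] and rebuilds a site string per http/https
    # value, so sites a user added on their own stand out next to the deployed ones.
    $domains = "$IEBase\ZoneMap\Domains"
    if (-not (Test-Path $domains)) { return }
    Get-ChildItem -Path $domains -Recurse | ForEach-Object {
        $key   = $_
        $rel   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        $parts = $rel.Split('\')
        [array]::Reverse($parts)                       # corp.local\intranet -> intranet.corp.local
        $site  = $parts -join '.'
        if ($parts.Count -eq 1) { $site = "*.$site" }   # values on the domain key itself cover every host
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            $name = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'Unknown' }
            [pscustomobject]@{ Site = "$scheme`://$site"; Zone = $zone; ZoneName = $name }
        }
    }
}

function Get-IEZonePolicyAssignment {
    # Sites pushed by the Site to Zone Assignment List policy. Assumed location (from my
    # own knowledge, not the post): value name = URL, value data = zone number, under
    # the Policies hive rather than the user-editable ZoneMap.
    $policy = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (-not (Test-Path $policy)) { return }
    $item = Get-Item -Path $policy
    foreach ($url in $item.GetValueNames()) {
        [pscustomobject]@{ Site = $url; Zone = [int]$item.GetValue($url); Source = 'Policy' }
    }
}

function Test-TrustedSitesRequireHttps {
    # Zones\2\Flags with bit 0x4 set (e.g. 71) means "Require server verification (https:)".
    $flags = (Get-ItemProperty -Path "$IEBase\Zones\2" -Name Flags -ErrorAction SilentlyContinue).Flags
    if ($null -eq $flags) { return $false }
    [bool]($flags -band 0x4)
}

# Sites the user (or a GPP registry item) placed in Trusted Sites, plus the policy-enforced list.
Get-IEZoneAssignment | Where-Object { $_.Zone -eq 2 } | Format-Table -AutoSize
Get-IEZonePolicyAssignment | Format-Table -AutoSize
"Trusted Sites requires HTTPS: $(Test-TrustedSitesRequireHttps)"
```

Run it as the user being checked; entries that appear in the first table but not in your GPP registry items are the ones the user added themselves.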

Takeaway

  • Use Site to Zone Assignment to prevent users from editing the Security Zone sites
  • Use Group Policy Preferences to allow users to edit the Security Zone sites

Group Policy – Internet Explorer 11 Group Policy Preferences

With Internet Explorer 11 being released a couple of days ago for Windows 7 / Server 2008 R2 and Internet Explorer Maintenance being deprecated since IE10, you’re going to want to use one of the alternative methods (Group Policy Preferences, Administrative Templates or the Internet Explorer Administration Kit) to configure Internet Explorer for your organisation. If you’re used to configuring Internet Explorer with Group Policy Preferences, you’ll be thinking “not a problem” and install IE11 onto an administration machine or a server, assuming it will add the option to create a new GPP for Internet Explorer 11. This is what you’ll see if you try that.

Note – You will need Windows 8 / Server 2012 or above with RSAT to see the Group Policy preference settings for Internet Explorer 10.

Group Policy Preferences Internet Explorer 10

Where is the option to add an Internet Explorer 11 Group Policy Preference Internet Settings Policy?

There is no option. The Internet Explorer 10 option actually covers Internet Explorer from version 10 to … 99! That’s right 99. To prove this and to visually confirm this is the case, create a policy by using Internet Explorer 10 Internet Settings and find the unique ID of the GPO.

Browse to \\DC\SYSVOL\Domain\Policies\uniqueID\User\Preferences\InternetSettings and open the InternetSettings XML document in notepad. Note the 5th line which states version 10.0.0.0 -> 99.0.0.0.

IE10 GPP Internet Settings

If you’re looking to use Group Policy Preferences to configure Internet Explorer 11, using the Internet Explorer 10 Internet Settings option will work for version 11 and future releases of Internet Explorer.

Group Policy – Internet Explorer 10+ and the Death of IEM

If you’ve used Group Policy Internet Explorer Maintenance (IEM) to configure your organisation’s Internet Explorer settings and are looking to upgrade to IE10 or above, you will find that the settings defined with IEM will no longer work. Not only that, but if you try to modify the GPO from a machine running IE10 you will not be able to modify the GPO settings.

Settings configured with IEM are not automatically removed when you upgrade from IE9 -> IE10, however any changes made to the IEM GPO will not be reflected by the clients and any new users logging onto a machine with IE10 will not receive the IEM settings.

  • If UserA is logged onto a Windows 7 machine running IE9 and the user updates to IE10, the settings from IEM will be retained, but not enforced by Group Policy.
  • If UserB logs onto the same Windows 7 machine for the first time after IE10 has been installed, they will not receive any IEM settings.
  • If you are deploying or using Windows 8 (which ships with IE10) no settings from IEM will apply, ever.

IEM has been dropped in favour of Group Policy Preferences, Administrative Templates and the Internet Explorer Administration Kit 10 (IEAK 10). This post will run you through a couple of common settings you may need to migrate across. I will cover setting the home page and proxy settings.

Setting Home Page with Group Policy Preferences

Open the Group Policy Management Console and create a new GPO. Browse to User Configuration -> Preferences -> Control Panel Settings -> Internet Settings. Right click and choose New -> Internet Explorer 10. Why isn’t IE11 listed? See here.

Note – You will need Windows 8 / Server 2012 or above with RSAT to see the Group Policy preference settings for Internet Explorer 10.

Group Policy Preferences Internet Explorer 10

Enter the URL of the Home page you wish to set, and select start with home page. Notice the red dots underlining the home page entry.

Group Policy Preferences Internet Explorer 10 Home Page

You must press F5 (or F6), to confirm the entry. If you do not the setting will not be applied. Once you have done so, the entry turns green.

Function keys:

F5 – Enable all settings on the current tab.
F6 – Enable the currently selected setting.
F7 – Disable the currently selected setting.
F8 – Disable all settings on the current tab.

Group Policy Preferences Internet Explorer 10 Home Page F5

Setting a Proxy with Group Policy Preferences

Create or modify an existing Internet Settings policy as explained above; this time head over to the Connections tab -> LAN Settings.

Internet Explorer 10 Group Policy Preferences Proxy Setting

Specify the proxy; again, note the red dots showing that the setting has not been confirmed. Press F5 to confirm.

Internet Explorer 10 Group Policy Preferences Proxy Setting F5

Takeaway

  • Internet Explorer Maintenance will NOT apply to Internet Explorer 10 or above
  • You will not be able to modify existing IEM GPOs from machines with IE10 or above installed
  • Press F5 to confirm entries made to Group Policy Preferences Internet Settings; basically, make sure you’re green!

SCCM 2012 – Creating Device Collections

Device collections in System Center 2012 Configuration Manager represent a logical container for a grouping of devices. These collections can then be used to perform a number of tasks, such as deploying software, compliance settings or task sequences. I’ve outlined 4 of the most common collection types below.

Device Collection based on OU

1. Browse to Assets and Compliance, right click on Device Collections and select “Create Device Collection”.

Create Device Collection

2. Give the collection a meaningful name, and set the limiting collection.

Give the collection a meaningful name

3. Add a Query Rule.

Select Query Rule

4. Edit Query Statement.

Edit Query Statement

5. Head to the criteria tab, and click on the new star item.

Select new query on the criteria tab

6. Click on Select, and set the attribute class to System Resource and the attribute to System OU Name.

Enter the required criteria properties

7. Operator should be set to is equal to, click on values to choose the desired OU. It should read Domain/OU/ChildOU.

Attribute Class System Resources Attribute System OU Name

8. Click Next through the rest of the wizard.

Rule is complete

9. The device collection has now been created.

Query Language

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "THESYSADMINS.LOCAL/LONDON/LAPTOPS"
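The same collection can be created from the Configuration Manager PowerShell module, which is handy when you have several OUs to cover. This is an added example written for this post, not the project’s own code; it assumes the console is installed (so SMS_ADMIN_UI_PATH is set), uses the placeholder site code P01, and the function name New-OUDeviceCollection is my own.

```powershell
# Added example (not from the original post): build the same OU-based collection from the
# Configuration Manager PowerShell module rather than the wizard. Assumes the console is
# installed (SMS_ADMIN_UI_PATH is set) and uses the placeholder site code P01.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
$SiteCode = 'P01'
Set-Location "$SiteCode`:"

function New-OUDeviceCollection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OUPath,             # Domain/OU/ChildOU, as shown by the wizard
        [string]$LimitingCollection = 'All Systems'
    )
    # The OU path is spliced into a WQL string, so only accept the characters an OU path
    # normally contains rather than trusting the caller's input (extend the pattern if needed).
    if ($OUPath -notmatch '^[A-Za-z0-9._ /-]+$') { throw "Unexpected characters in OU path: $OUPath" }

    # Same query the wizard generates for a System OU Name rule (see the post above).
    $wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System where SMS_R_System.SystemOUName = "$OUPath"
"@
    $collection = Get-CMDeviceCollection -Name $Name
    if (-not $collection) {
        $collection = New-CMDeviceCollection -Name $Name -LimitingCollectionName $LimitingCollection
    }
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName "OU $OUPath" -QueryExpression $wql
    $collection
}

New-OUDeviceCollection -Name 'London Laptops' -OUPath 'THESYSADMINS.LOCAL/LONDON/LAPTOPS'
```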

Device Collection based on an Active Directory Security Group

Group Policy Preferences – 1. Deploying Registry Settings

Group Policy Preferences allow you to deploy and modify registry settings quickly and easily. This post will run through a couple of examples to give you a starting point and some guidance for using this in your own environment. As with any Group Policy based changes, use a test Organizational Unit to confirm and test changes before making them live.

Example 1

You have made some changes to HKEY_LOCAL_MACHINE on a reference machine, and would like to deploy the same registry settings to an OU of computers.

1. Open the Group Policy Management Console

2. Right click Group Policy Objects and select New, then give the GPO a meaningful name. This does not link it to an OU, so it will not affect any computers or users, which is a good practice to get into. If you create at a live OU level, any changes (and mistakes) will be deployed if you’re unlucky enough for the computers or users to perform a Group Policy refresh as you’re creating the GPO. Always link the GPO later, when you have tested it.

3. Right click the New GPO, and select edit

4. Expand Computer Configuration, Preferences, Windows Settings and head down to Registry. Right click and select New; you will be presented with 3 options.

  • Registry Item allows you to manually change single entries of the registry
  • A collection simply allows you to organize registry preference items into a folder, this can be useful if you need to set item level targeting over a bunch of registry changes
  • Registry Wizard allows you to use the local machine as a reference, or connect to a remote machine to add multiple entries; this is the method we will use in this example

Group Policy Preferences Registry

When using the Registry wizard, the remote computer must have the Remote Registry service enabled, otherwise you will be greeted with the error message “The network path was not found”.

To resolve this, enable the service on the remote machine with the following commands

sc config remoteregistry start= demand

(this sets the service to manual, it’s disabled by default)

net start remoteregistry

It will then allow you to select items from HKEY_LOCAL_MACHINE and HKEY_USERS on the remote machine. If you need other areas of the registry, you will need to install the Remote Server Administration Tools onto the reference computer and add the Group Policy Preferences Console via Programs -> Turn Windows features on or off, then run through the same process on the remote machine’s console to import the relevant registry items.

RSAT for Windows 7
RSAT for Windows 8

In this example we’re okay, as we want to pull settings from the HKEY_LOCAL_MACHINE.

5. Browse to the required location and tick the required keys and values to import into the GPP. Click Finish.

6. Now you can expand the entries we imported with the wizard to review them. Common tasks are available, as usual with Group Policy Preferences, if you right click an entry, select Properties and then choose the Common tab. By default the entries are set to Update.

If you ever notice that the hive column isn’t populated after the import, double click on the entry or right click and select properties. Without changing anything click OK, this will then populate the hive entry. I’ve only seen this a couple of times… but if it isn’t populated the settings won’t get deployed, so it’s worth mentioning!

Example 2

If you want to manually add, remove or change a registry key you can do so using the registry item. You can only add one entry at a time with this method.

In the example below, it will create new keys if needed: if you enter HKEY_LOCAL_MACHINE\Software\1\2\3\4\5 it’ll create the 1, 2, 3, 4 and 5 keys if they are not already present.

The default behavior when using Group Policy Preferences to modify the registry is “update”. Let’s look at the 4 options and what they mean.

Create

  • Creates the item
  • Does nothing if the item already exists

Let me expand on the 2nd point. If there is already a DWORD with the value of 1, and you create a Group Policy Preference with the same DWORD set to 2 with the option set to Create, nothing would happen to the DWORD. It would remain at 1.

Update (Default)

  • If the item already exists, it will update with the configuration specified in the Group Policy Preference
  • If the item does not exist, it will be created

It is important to understand that Group Policy Preferences doesn’t lock the registry item; it merely (as its name suggests) uses it as a preference. So if you set a DWORD to 1, depending on the area of the registry a user could go and set that to 0, which would stick until a Group Policy update occurred and the item was re-evaluated.

Replace

  • Delete existing item if it already exists and create a new object

There aren’t many situations where you would need to delete an item before populating it again, I can’t say I’ve used this to modify registry items before. But there may be a case for you to use it.

Delete

  • Deletes the item

I’d like to thank you for reading and I hope it’s been informative for you!

Group Policy – GPUpdate an OU of Computers

There are times when you need to remotely refresh the group policy on a group of computers, bypassing the 90 minute (+30 minute offset) default interval. Let’s look at 3 ways to achieve that, two of the methods require Server 2012 or Windows 8 with the remote administration tools to initiate the refresh, and the 3rd method can be initiated from Windows 7 or Server 2008 R2.

Method 1. Server 2012 introduced the functionality to remotely refresh Group Policy settings for all computers in an OU from the Group Policy Management Console (GPMC). When you use this method, there is a random delay of up to 10 minutes, with the view of decreasing load on network traffic; this random delay cannot be configured when using the GUI. This method supports a Group Policy refresh for Windows Server 2012 R2 Preview, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8.1 Preview, Windows 8, Windows 7 and Windows Vista clients.

Open the GPMC, right click the OU of Computers you’d like to refresh and select Group Policy Update.

This will return the number of computer objects in the OU, and ask if you’re sure.

This will run a GPUpdate /force on all computer objects in the OU selected and any child OUs and will refresh both the computer and user policies.

Method 2. This method requires Server 2012, or Windows 8 with the Remote Server Administration Tools. The following command will retrieve the computer objects from the Servers OU and run Invoke-GPUpdate against them.

get-adcomputer -SearchBase "OU=Servers,DC=thesysadmins,DC=local" -Filter * | %{invoke-gpupdate -Computer $_.Name -RandomDelayInMinutes 0; "Refreshing host $($_.Name)"}

Be aware, this method will display the command prompt with “Updating Policy” on the computer objects you run it against. So bear this in mind if you’re running this against your desktops or laptops with users logged in.

Method 3. Fear not! If you’re not using Server 2012, you can still achieve the above with fairly little effort, using PowerShell to generate a list of computers and PSEXEC to run the GPUpdate command. The following PowerShell will get you a list of computers from the Servers OU and export them to a text file on the C drive. You can replace this with a UNC path if desired. I’ve added a dummy first entry to the text file; for some reason PSEXEC fails on the first entry, so this gets around that.

Add-Content -path C:\Servers.txt -Value Dummy ; Get-ADComputer -LDAPFilter "(name=*)" -SearchBase "OU=Servers,DC=thesysadmins,DC=local" | Select -expand Name | Out-File -Encoding utf8 "C:\Servers.txt" -append

PSEXEC will connect to each of the machines in Servers.txt and run a gpupdate /force. This method isn’t particularly quick, but it gets the job done.

psexec @"C:\Servers.txt" gpupdate /force

Licensing – Upgrade 2008 R2 KMS Host to Support Server 2012 and Windows 8

This post will cover updating an existing Server 2008 R2 KMS host to allow the activation of Server 2012 and Windows 8 clients. The update will carry across your existing activation count and if you currently use your KMS host for Microsoft Office activations, this will go untouched.

Once this update has been applied the KMS host will be able to service the following KMS clients:

  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows 8
  • Windows 7
  • Windows Vista

Before running the update, I’d recommend you record the output of your existing configuration by running:

slmgr /dli all > before.txt

Download the required KB2757817 update package from here: http://support.microsoft.com/kb/2757817

Run the installer and select yes.

Update kms for server 2012

Update KMS to support Windows 8

Update KMS to support Server 2012

Once the installation is complete you must restart the server.

To install and activate your new KMS host key, first add the key with the following command:

cscript %windir%\system32\slmgr.vbs /ipk

Then to activate:

cscript %windir%\system32\slmgr.vbs /ato

Now would be a good time to run slmgr /dli all > after.txt and compare with your results from earlier. The text file should state:

Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System – Windows Server(R), VOLUME_KMS_2012_C channel
Partial Product Key: partialkeyhere
License Status: Licensed

If you want some additional confirmation, dig into the key management event log and look for events with the ID of 12290. You’re mainly looking for the license state near the far right, you want to see “1” meaning the client is activated. Here are the various licensing states:

  • 0 – Unlicensed
  • 1 – Licensed (Activated)
  • 2 – OOB grace
  • 3 – OOT grace
  • 4 – NonGenuineGrace
  • 5 – Notifications
  • 6 – Extended Grace

Troubleshooting KMS Event Log

More information about troubleshooting KMS can be found here: http://technet.microsoft.com/en-us/library/ee939272.aspx
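Rather than reading the license state off each 12290 event by eye, the following added script (written for this post, not part of the original) tallies the events by the state table above. It assumes the event’s Info line is comma-separated with the client name in the third field and the license state in the eighth; confirm that against one real event on your host and adjust the index parameters if your layout differs. The sample message at the end is constructed.

```powershell
# Added example (not from the original post): tally KMS activation requests (event ID
# 12290 in the Key Management Service log) by the client license state table above.
# Assumption: the Info line is comma-separated, client name at index 2 and license
# state at index 7 (0-based); verify against a real event and adjust the parameters.
$LicenseState = @{
    0 = 'Unlicensed'; 1 = 'Licensed (Activated)'; 2 = 'OOB grace'; 3 = 'OOT grace'
    4 = 'NonGenuineGrace'; 5 = 'Notifications'; 6 = 'Extended Grace'
}

function ConvertFrom-KmsRequest {
    param(
        [Parameter(Mandatory)][string]$Message,
        [int]$ClientIndex = 2,
        [int]$StateIndex  = 7
    )
    # The Info string is the last comma-separated line of the event text.
    $info = $Message -split '\r?\n' | Where-Object { $_ -match ',' } | Select-Object -Last 1
    if (-not $info) { return $null }
    $fields = $info.Trim().Split(',')
    if ($fields.Count -le [Math]::Max($ClientIndex, $StateIndex)) { return $null }
    $state = 0
    if (-not [int]::TryParse($fields[$StateIndex], [ref]$state)) { return $null }
    $name = if ($LicenseState.ContainsKey($state)) { $LicenseState[$state] } else { 'Unknown' }
    [pscustomobject]@{ Client = $fields[$ClientIndex]; State = $state; StateName = $name }
}

function Get-KmsActivationSummary {
    # Counts of recent activation requests per license state; anything other than
    # "Licensed (Activated)" is a client worth a closer look.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Key Management Service'; Id = 12290 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-KmsRequest -Message $_.Message } |
        Where-Object { $_ } |
        Group-Object StateName |
        Select-Object @{ n = 'LicenseState'; e = { $_.Name } }, Count
}

# Constructed sample message in the assumed layout, so the parser can be tried offline;
# on a real KMS host run Get-KmsActivationSummary instead.
$sample = "An activation request has been processed.`r`nInfo:`r`n" +
          "0x0,5,WKS01.corp.local,{cmid-placeholder},2013/11/05 10:20,0,5,1,43200,{sku-placeholder}"
ConvertFrom-KmsRequest -Message $sample
```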
