Exclude One Computer from GPO

Exclude One Computer from GPO KB ID 0001852

Problem

You have a requirement that one computer (or a group of computers) must NOT have a specific GPO applied. If that is the case, then this is how to achieve that goal simply.

Note: The same procedure can be used to Exclude a GPO from one user (or a group of users).

Solution : Exclude One Computer from GPO

Let’s find the computer in question, in my case it’s called PNL-ZERTO-2022, take a note of which OU it is in.

From the Group Policy Management console (on a DC or another machine that has the management tools installed) locate that OU. You can see that there are some GPOs directly linked to that OU, but to see all the GPOs affecting that OU you need to go to the ‘Group Policy Inheritance’ tab.

On the computer itself I can run gpresult /r and it will show me all the COMPUTER GPOs that are being applied. For this exercise I want to stop the policy called CP-Wireless-Policy applying to this machine.

Back in our Group Policy Management Console, locate the GPO in question, then under Security Filtering > Add > add the computer object (remember that Computers is not selected as an object type by default, so you may need to tick the box).

Delegation Tab > Select the computer > Advanced > Select the computer > Tick to DENY full control > Apply > Yes > OK.

Exclude One Computer from GPO : Testing

Before you leave the Group Policy Management console, you can simply create a Group Policy Modelling query to confirm that the policy you want NOT to be applied has been denied.

On your client machine, after a reboot or a forced group policy update, running gpresult /r should show that CP-Wireless-Policy is no longer being applied.
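The same check from PowerShell rather than by eye, as an added example that is not part of the original article: it assumes the GroupPolicy RSAT module is installed where you run it, and uses the GPO and computer names from the article.

```powershell
# Added example (not from the original article): checks the delegation on a GPO for the
# explicit Deny you just set, and warns if the deny has left nobody with Apply rights.
# Assumes the GroupPolicy RSAT module; names are the ones used in the article.
Import-Module GroupPolicy

$GpoName      = 'CP-Wireless-Policy'   # GPO that must not apply
$ComputerName = 'PNL-ZERTO-2022'       # computer being excluded

# -All returns one GPPermission per trustee; Denied is $true for a Deny entry.
$perms = Get-GPPermission -Name $GpoName -All

Write-Host "Delegation on '$GpoName':"
$perms |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited |
    Format-Table -AutoSize

# Computer accounts are named with a trailing '$' (PNL-ZERTO-2022$), so strip it before comparing.
$deny = $perms | Where-Object {
    $_.Denied -and (($_.Trustee.Name -replace '\$$', '') -ieq $ComputerName)
}

if ($deny) {
    Write-Host "OK: '$ComputerName' has a Deny ($($deny.Permission)) on '$GpoName'; security filtering will drop it."
} else {
    Write-Warning "No Deny entry for '$ComputerName' on '$GpoName'. Re-check Delegation > Advanced."
}

# A Deny on the wrong object, or removing Authenticated Users, stops the GPO applying to anyone,
# so make sure at least one trustee still has Apply Group Policy.
$apply = $perms | Where-Object { -not $_.Denied -and $_.Permission -eq 'GpoApply' }
if (-not $apply) {
    Write-Warning "No trustee has Apply Group Policy on '$GpoName'; it will not apply anywhere."
}
```

Run it after the Delegation tab steps. The second warning matters because Authenticated Users normally carries the Apply right, and removing it by accident while adding the computer is the usual way a GPO stops applying to everyone.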

Exclude one Computer from GPO (GPP)

If you are deploying GPP (Group Policy Preferences), you can also use Item-Level Targeting and set the targeting to ‘computer name IS NOT’ the machine in question (so that the preference applies to all other computers).

Related Articles, References, Credits, or External Links

NA

Find Specific GPO Settings

Find Specific GPO Settings KB ID 0001850

Problem

To find which specific GPO settings are being applied, and which GPO is responsible for each setting, you can generate an HTML report. There are two ways of doing this: you can either run the report on the affected machine, or, if you do not have access to it, you can generate the same report on a domain controller (or any machine that has the Group Policy Management console installed).

Solution: Find Specific GPO Settings (Locally)

On the machine in question run the following command (remember to be logged in with the credentials of an affected user!).

[box]

gpresult /h %temp%\results.html & %temp%\results.html

[/box]

It will take a little while for the report to be generated, but it ‘should’ open in your default browser, like so.

From here you can see a list of all the applied GPOs, drill down into each setting, and see the ‘Winning GPO’ that applied that setting.

Solution: Find Specific GPO Settings (Centrally)

Most people are unaware that you can do the same from any machine that’s running the Group Policy Management administrative tool: it has a section called Group Policy Modelling. The reason this exists is to ‘try out’ the effect of changing groups, OUs and WMI filters, to see how that affects the application of GPOs to both users and computers. However, if you just plug in the computer name and the user name and accept all the defaults, it will give you the SAME report you generated above.

From Administrative Tools > Group Policy Management > Group Policy Modelling > Group Policy Modelling Wizard > Next > Next (unless you want to change the DC queried).

Select the user and computer in question > Next > Next  > Next.

Next > Next > Next.

Next  > Next > Finish.

The report will be rendered on screen, with the same information as if you had run gpresult manually on the client.
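The central report can also be produced without the wizard. The following is an added example, not code from the original article: it uses the GroupPolicy module's Get-GPResultantSetOfPolicy to write the report in both HTML (to read) and XML (to script against), then summarises which GPOs applied and which were filtered out. It assumes RSAT, that the target computer is reachable over RPC, that you have rights to read its RSoP data, and that the XML element names follow the RSoP report schema as noted in the comments; the user and computer names are constructed.

```powershell
# Added example (not from the original article): central RSoP report for a user/computer pair.
# Assumes the GroupPolicy RSAT module and RPC access to the target computer.
Import-Module GroupPolicy

$Computer = 'PNL-ZERTO-2022'   # example computer name
$User     = 'PNL\pete'         # example DOMAIN\user who has logged on to that computer

$xmlPath  = Join-Path $env:TEMP "$Computer-rsop.xml"
$htmlPath = Join-Path $env:TEMP "$Computer-rsop.html"
Remove-Item $xmlPath, $htmlPath -ErrorAction SilentlyContinue

Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml  -Path $xmlPath  | Out-Null
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Html -Path $htmlPath | Out-Null

[xml]$rsop = Get-Content -Path $xmlPath

# Element names follow the RSoP report schema (assumed here): each <GPO> under ComputerResults /
# UserResults carries AccessDenied (security filtering), FilterAllowed (WMI filter) and Enabled.
foreach ($scope in 'ComputerResults', 'UserResults') {
    $results = $rsop.Rsop.$scope
    if (-not $results) { continue }
    Write-Host "`n== $scope =="
    foreach ($g in @($results.GPO)) {
        $status = if     ($g.AccessDenied  -eq 'true')  { 'filtered out: security filtering' }
                  elseif ($g.FilterAllowed -eq 'false') { 'filtered out: WMI filter' }
                  elseif ($g.Enabled       -eq 'false') { 'not applied: link/GPO disabled' }
                  else                                  { 'applied' }
        '{0,-40} {1}' -f $g.Name, $status
    }
}

Write-Host "`nFull report: $htmlPath"
Invoke-Item $htmlPath   # opens in the default browser, like gpresult /h on the client
```

The HTML file is the one to hand to whoever asked which GPO set a value; the XML is the one to keep when you want to diff a machine's policy set over time.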

Related Articles, References, Credits, or External Links

NA

Auto Update ADMX Files

Auto Update ADMX KB ID 0001824

Problem

It’s been a long time since I ran through setting up a central policy definitions store. In that time, you’ve probably had to copy ADMX (and ADML) files into your central store manually. Microsoft updates typically DO download updated templates, but put them (usually) in C:\Windows\PolicyDefinitions. There’s probably a sensible reason for that.

Well, someone cleverer than I has scripted this, and included support not just for Windows, but also for:

  • Adobe Acrobat
  • Adobe Reader
  • Base Image Script Framework (BIS-F)
  • Citrix Workspace App
  • FSLogix
  • Google Chrome
  • Microsoft Desktop Optimization Pack
  • Microsoft Edge (Chromium)
  • Microsoft Office
  • Microsoft OneDrive (installed or Evergreen)
  • Microsoft Windows 10 (1903/1909/2004/20H2/21H1/21H2/22H2)
  • Microsoft Windows 11 (21H2/22H2)
  • Mozilla Firefox
  • Zoom Desktop Client

Solution: Auto Update ADMX

Execute the following command.

[box]

Install-Script -Name EvergreenADMX

[/box]

Answer any questions with a ‘Y’.

Now, to test the script, you can simply run EvergreenAdmx.ps1 and it should run through manually. Once you’ve ascertained that it runs without error, you can use the following syntax to update your central store*.

[box]

EvergreenAdmx.ps1 -Windows11Version "22H2" -PolicyStore "C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions"

[/box]

*Note: Assuming you’re on a domain controller!

Scheduling Auto Update ADMX

Here I’m creating a scheduled task (if you’re feeling lazy, simply import this one). Give it a sensible name > I would set it to run monthly, unless you are downloading browser and application ADMX files also > I’ve scheduled it for the second Wednesday of the month (see what I did there?).

Set the task to ‘Start a Program‘.

Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -ExecutionPolicy ByPass -Command "& 'C:\Scripts\EvergreenAdmx\EvergreenAdmx.ps1' -Windows11Version '22H2' -PolicyStore 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'"
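The same task built with the ScheduledTasks module instead of the GUI, as an added example (not from the original article or the EvergreenAdmx project). It assumes the script lives at the path the task above points to, that you run it elevated on the DC, and that the task should run as SYSTEM (which can write to SYSVOL on a DC); the 03:00 start time is a constructed choice.

```powershell
# Added example (not from the original article): registers the 'second Wednesday of the month'
# task with PowerShell. Assumes an elevated session on the DC that holds the script.
$ScriptPath  = 'C:\Scripts\EvergreenAdmx\EvergreenAdmx.ps1'
$PolicyStore = 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'
$TaskName    = 'Auto Update ADMX'

# Same command line as the GUI task; '' inside a single-quoted string is one literal quote.
$argument = '-NoProfile -ExecutionPolicy Bypass -Command "& ''{0}'' -Windows11Version ''22H2'' -PolicyStore ''{1}''"' -f $ScriptPath, $PolicyStore
$action   = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" -Argument $argument

# New-ScheduledTaskTrigger has no monthly option, so build the monthly day-of-week trigger from
# its CIM class. Bit values: DaysOfWeek Sun=1, Mon=2, Tue=4, Wed=8 ...; WeeksOfMonth first=1, second=2 ...
$class   = Get-CimClass -ClassName MSFT_TaskMonthlyDOWTrigger -Namespace root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled       = $true
$trigger.StartBoundary = (Get-Date -Hour 3 -Minute 0 -Second 0).ToString('s')
$trigger.DaysOfWeek    = 8        # Wednesday
$trigger.WeeksOfMonth  = 2        # second week of the month
$trigger.MonthsOfYear  = 0xFFF    # every month

$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

Because the task runs as SYSTEM with the execution policy bypassed, anyone who can write to C:\Scripts\EvergreenAdmx can run code as SYSTEM on a domain controller, and whatever the script writes lands in SYSVOL and replicates to every DC. Keep that folder writable by administrators only.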

Related Articles, References, Credits, or External Links

OneDrive GPO (Domain Group Policy)

OneDrive GPO (Domain Group Policy)

OneDrive GPO KB ID 0001821

Problem

The administrative template that you get with Win11 is somewhat out of date, so if you want to manage OneDrive with domain group policy your options are limited. If only there was a newer administrative template!

Well, there is, and it gets updated and sent to you quite regularly. Microsoft just do a good job of hiding it.

Solution OneDrive GPO

Depending on your deployment, the files you need can be in different locations; the biggest challenge is finding them. Execute the following PowerShell to locate them.

[box]

$OnePath = ("$env:LOCALAPPDATA\Microsoft\OneDrive",
            "${env:ProgramFiles(x86)}\Microsoft\OneDrive",
            "$env:ProgramFiles\Microsoft OneDrive")
$OnePath | ForEach-Object {
    # The wildcard matches both OneDrive.admx and OneDrive.adml in each build's adm folder
    Get-ChildItem "$_\*\adm\onedrive.adm?" -ErrorAction SilentlyContinue
}

[/box]

As you can see (above), mine are in my user profile. The folder that they are in will also give you the build number, so you can check occasionally for updates (which will get pulled down when your OneDrive client gets updated).

Go to that directory and you will find the ADMX and ADML files.

Note: For anyone who is not English speaking, there may be a different ADML file in the locale folders you can see above.

Copy the OneDrive.admx file into your PolicyDefinitions folder (if unsure of the path, see below. Obviously substitute your own domain name; here I’m on a domain controller, so SYSVOL is on my local drive).

Now change to the INPUT LOCALE folder (in my case en-US) and copy the OneDrive.adml file into that folder.

Then when you are in the Group Policy Management Editor you will see the updated OneDrive options.

[box]

Computer Configuration > Policies > Administrative Templates > OneDrive

[/box]

If you can’t see them, ensure your policy definitions store has been set up correctly.
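The locate-and-copy steps above in one script, as an added example (not from the original article): it finds the newest OneDrive.admx on the machine using the same search, picks the matching ADML for your input locale, and copies both into the central store only if they are newer than what is already there. It assumes you are on a DC with the central store at the SYSVOL path used in the article, and that the adm folder holds an en-US OneDrive.adml at its root with per-language copies in locale sub-folders (an assumed layout, consistent with the note above).

```powershell
# Added example (not from the original article): update the central store's OneDrive templates.
# Assumes a DC with the central store at the article's SYSVOL path; set $Locale to your input locale.
$CentralStore = 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'
$Locale       = 'en-US'

$searchRoots = ("$env:LOCALAPPDATA\Microsoft\OneDrive",
                "${env:ProgramFiles(x86)}\Microsoft\OneDrive",
                "$env:ProgramFiles\Microsoft OneDrive")

# Each build folder is named after the client version, so sort on that and take the highest.
$admx = $searchRoots |
    ForEach-Object { Get-ChildItem "$_\*\adm\OneDrive.admx" -ErrorAction SilentlyContinue } |
    Sort-Object { try { [version]$_.Directory.Parent.Name } catch { [version]'0.0' } } -Descending |
    Select-Object -First 1

if (-not $admx) { throw 'OneDrive.admx not found under any known OneDrive install location.' }
$build  = $admx.Directory.Parent.Name
$admDir = $admx.Directory.FullName

# Assumed layout: root-level OneDrive.adml is en-US, locale sub-folders hold the others.
$adml = Join-Path $admDir "$Locale\OneDrive.adml"
if (-not (Test-Path $adml)) { $adml = Join-Path $admDir 'OneDrive.adml' }

$destAdmx = Join-Path $CentralStore 'OneDrive.admx'
$destAdml = Join-Path $CentralStore "$Locale\OneDrive.adml"
$current  = Get-Item $destAdmx -ErrorAction SilentlyContinue

if ($current -and $current.LastWriteTime -ge $admx.LastWriteTime) {
    "Central store already has OneDrive.admx dated $($current.LastWriteTime); build $build is not newer."
} else {
    New-Item -ItemType Directory -Path (Split-Path $destAdml) -Force | Out-Null
    Copy-Item -Path $admx.FullName -Destination $destAdmx -Force
    Copy-Item -Path $adml          -Destination $destAdml -Force
    "Copied OneDrive build $build templates to $CentralStore (admx) and $Locale (adml)."
}
```

The ADMX and ADML must come from the same build, which is why the script takes the ADML from the same adm folder rather than searching for it separately; a mismatched pair is the usual cause of the Group Policy Management Editor reporting a template parse error.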

Related Articles, References, Credits, or External Links

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

Group Policy: Item-Level Targeting

KB ID 0001654

Problem

Yesterday I wrote a post about Deploying a ‘Mapped’ Drive to a couple of users using Group Policy. This received a comment that was basically ‘Why not simply use Client Targeting?’ To be fair that’s a good point, I was using a Group Policy Preference and they can be specifically targeted. So here’s how to do that.

Solution

If you do not already have one, create a group for your users.

Add the users, (as appropriate).

On a Domain Controller > Administrative Groups > Locate the OU that contains your users (Note: if your users are in multiple OUs, then after you have created the policy simply ‘Link‘ it to the applicable OUs).

Edit the policy.

User Configuration > Preferences > Windows Settings > Drive Maps > New  > Mapped Drive > Action = Create > Location = Set the UNC path to the mapped drive > Tick ‘reconnect’ > Label as ‘What you want the user to see it called’ > Select the drive letter you want.

Common tab > Select Item-level targeting  > Targeting > New Item.

Security Group. (Look at all the other cool stuff you can specify to target this group policy preference!)

Add in your security group > OK > OK > Apply > OK.

Then either wait, or force a group policy update.

To prove it’s not all ‘Smoke and Mirrors‘, I log on as one of those users and…
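Once a few preferences carry targeting, it is easier to audit them from the XML the editor writes into SYSVOL than by clicking through each item. The following is an added example, not code from the original article: it reads the Drives.xml for one GPO and prints each mapped drive with its item-level targeting filters, including the ‘IS NOT’ form (not="1") mentioned elsewhere on this page. It assumes the GroupPolicy RSAT module and that the GPO name (a constructed example) exists.

```powershell
# Added example (not from the original article): list drive maps and their item-level targeting.
# Assumes the GroupPolicy module; the GPO name is a constructed example.
Import-Module GroupPolicy

$GpoName = 'Map Sales Drive'
$gpo     = Get-GPO -Name $GpoName
$domain  = $gpo.DomainName

# Preference items live in the GPO's SYSVOL folder; user-side drive maps are in this file.
$drivesXml = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\User\Preferences\Drives\Drives.xml"
if (-not (Test-Path $drivesXml)) { throw "No drive map preferences found for '$GpoName'." }

[xml]$doc = Get-Content -Path $drivesXml
foreach ($drive in @($doc.Drives.Drive)) {
    $p = $drive.Properties
    "{0} -> {1} (action {2}, label '{3}')" -f $p.letter, $p.path, $p.action, $p.label
    if ($drive.Filters) {
        foreach ($f in $drive.Filters.ChildNodes) {
            # Each filter element (FilterGroup, FilterComputer, ...) carries its criteria as
            # attributes; not="1" inverts it, which is the 'IS NOT' option in the targeting editor.
            $attrs = ($f.Attributes | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
            "    targeting: {0} {1}" -f $f.LocalName, $attrs
        }
    } else {
        '    targeting: none (applies to everyone the GPO applies to)'
    }
}
```

Drives.xml is readable by every authenticated user (that is how clients process preferences), so the same audit works from any domain-joined machine; swap Drives for Groups, Printers or another preference folder to check other item types.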

Related Articles, References, Credits, or External Links

NA

Windows Server – Change Your Password in an RDP Session (Send Ctrl+Alt+Del)

KB ID 0001183 

Problem

Colleague: Windows Server, Where’s Windows Security gone?

Me: Eh?

Colleague: Windows Security!

Me: What are you trying to do?

Colleague: I want to change my password and I can’t send a Ctrl+Alt+Delete to the remote server.

Well, I know that pressing Ctrl+Alt+Delete would let you change your password like so;

I wasn’t aware that in Server 2008 and earlier if you were connected via RDP you got a ‘Windows Security’ option that lets you do the same, like so;

This is because if you press Ctrl+Alt+Delete it will execute on YOUR machine not the remote one. But this option is not included in Windows 2012 any more.

Solution

Well, normally you can just use Ctrl+Alt+END while in an RDP session. But, like me, my colleague was using a Mac and we don’t have an END key!

Mac OSX: Send a Ctrl+Alt+END Sequence

If you’re connected via RDP from OSX, then use Ctrl+Alt+Fn+Backspace.

If you’re connected via RDP using a Mac keyboard, or from a VM session on your Mac (i.e. from a VMware Fusion Windows machine), then use Ctrl+Alt+Fn+Right-Arrow.

Other Solution

From within the RDP session, launch the on-screen keyboard (Start > Run > osk). Then press Ctrl+Alt on your physical keyboard, and click the Delete key on the on-screen keyboard with your mouse cursor, like so;

BETTER Solution

Within the RDP session open PowerShell and run the following command;

[box]

(New-Object -COM Shell.Application).WindowsSecurity()

[/box]

Or use the following VBScript shortcut.

[box]

Set objShell = CreateObject("Shell.Application")
objShell.WindowsSecurity

[/box]

Scalable Solution (Create Password Reset Shortcut)

Create a shortcut for;

[box]

explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}

[/box]

Note: If you have a bunch of RDP servers you want to roll this out to, you can set it up on your administrative account, capture your Start menu to an XML file, and then distribute that Start menu to all your users via group policy (not available with Server 2012 or earlier).
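Creating the shortcut itself can also be scripted, which is handy when you build RDP servers from a script rather than a Start menu capture. The following is an added example, not code from the original article: it writes the shortcut from the box above to the Public desktop so every user of the server gets it. It assumes an elevated session on the RDP server; the shell: CLSID is the one given above.

```powershell
# Added example (not from the original article): create the Windows Security shortcut for all users.
# Assumes an elevated PowerShell session on the RDP server.
$ShortcutPath = Join-Path $env:PUBLIC 'Desktop\Change Password.lnk'

# WScript.Shell writes .lnk files; explorer.exe with the shell: CLSID opens the Windows Security screen.
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut($ShortcutPath)
$lnk.TargetPath  = Join-Path $env:SystemRoot 'explorer.exe'
$lnk.Arguments   = 'shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}'
$lnk.Description = 'Open the Windows Security screen (change password, lock, sign out)'
$lnk.Save()

Get-Item $ShortcutPath | Select-Object FullName, LastWriteTime
```

The Public desktop is the simplest place to put it on a single server; for many servers the Start menu XML approach in the note above, or a Group Policy Preferences Shortcuts item, scales better.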

Related Articles, References, Credits, or External Links

NA

Gpupdate: Windows Could Not Locate the Directory Object

KB ID 0001625

Problem

Saw this on a Windows client on my test network;

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not locate the directory object OU=Top-Level,OU=computers,DC=PeteNetLive,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Note: You may also see Event ID 1101

Event ID 1101

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1101
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: PNL-PROD-WIN10.pnl.com
Description:
The processing of Group Policy failed. Windows could not locate the directory object OU=PNL,DC=pnl,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

Solution

Strangely, the OU that this computer was in needed the ‘Read‘ right granted to the ‘Authenticated Users’ group; not sure how that got removed! Note: Remember to start at the OU that’s directly on the root of the domain, if you have nested OUs.

After that everything was peachy!
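If you have nested OUs, checking each one by hand in the Security tab is tedious. The following is an added example, not code from the original article: it walks every OU between a computer and the domain root and reports whether Authenticated Users still has Read on each, which is the right the fix above restored. It assumes the ActiveDirectory RSAT module (for the AD: drive) and an English OS, since the trustee name is localised elsewhere; the computer name is the one from the Event ID 1101 above.

```powershell
# Added example (not from the original article): check Authenticated Users has Read on each OU
# in a computer's OU chain. Assumes the ActiveDirectory module and an English trustee name.
Import-Module ActiveDirectory

$ComputerName = 'PNL-PROD-WIN10'   # computer from the event above

$comp  = Get-ADComputer -Identity $ComputerName
$parts = $comp.DistinguishedName -split '(?<!\\),'   # split on commas that are not escaped

# Every suffix of the DN that starts with OU= is one of the nested OUs; reverse the list so we
# start at the OU directly under the domain root, as the article says to.
$ous = @(for ($i = 1; $i -lt $parts.Count; $i++) {
    if ($parts[$i] -like 'OU=*') { $parts[$i..($parts.Count - 1)] -join ',' }
})
[array]::Reverse($ous)

# 'Read' in the Security dialog is ReadProperty + ListChildren + ReadControl on the whole object.
$need = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ListChildren, ReadControl'

foreach ($ou in $ous) {
    $acl     = Get-Acl -Path "AD:\$ou"
    $granted = 0
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.ObjectType -eq [guid]::Empty        # whole-object ACE, not a single-attribute one
    }
    foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }

    $status = if (($granted -band $need) -eq $need) { 'OK     ' } else { 'MISSING' }
    "$status $ou"
}
```

Any OU reported MISSING is one where the computer cannot read the gPLink attribute, which is exactly what the event text describes; add Read for Authenticated Users on that OU and run gpupdate /force on the client.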

Related Articles, References, Credits, or External Links

NA

Add The ‘Group Policy Management Console’

KB ID 0001615

Problem

On a Domain Controller you will get Group Policy Management listed (by default) under Administrative Tools. But if you have a ‘Management Server‘ or a ‘Jump Box‘ that you want to install the tool onto (without making it a domain controller!), then do the following;

Option 1: Install GPMC with Powershell

This is the quickest and simplest option! Open a PowerShell window and execute the following command;

[box]

Install-WindowsFeature -Name GPMC

[/box]

Note: For older servers (Windows Server 2012 and older), use the following commands instead.

[box]

Import-Module servermanager
Add-WindowsFeature -Name GPMC

[/box]

Option 2: Install GPMC with Add Roles and Features

From Server Manager > Manage > Add Roles And Features > Proceed to ‘Features‘ > Select Group Policy Management > Next > Finish.

Related Articles, References, Credits, or External Links

NA

Windows Group Policy – Disable The Local Windows Firewall

KB ID 0001090

Problem

I’ve got nothing against the Windows firewall, it’s certainly a lot easier to manage now than it was back in the XP SP2 days. But I find a lot of clients still just ‘want it gone’ and, providing they have a decent corporate firewall in front of them that’s fair enough.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer Configuration > Policies > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections

[/box]

6. Set the policy to disabled.

7. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.

8. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines).
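Steps 2 to 8 done with the GroupPolicy module, as an added example (not from the original article). It assumes RSAT on a DC or management server and that the OU distinguished name below (a constructed example) exists. The setting ‘Windows Firewall: Protect all network connections’ in the Domain Profile is the EnableFirewall value under the WindowsFirewall\DomainProfile policy key, and setting the policy to Disabled writes it as 0.

```powershell
# Added example (not from the original article): create, populate, link and push the firewall GPO.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules; the OU DN is a constructed example.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Disable Local Windows Firewall (Domain Profile)'
$TargetOU = 'OU=Workstations,DC=pnl,DC=com'   # link here rather than the domain root to keep servers out of scope

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Sets Windows Firewall: Protect all network connections (Domain Profile) to Disabled'
}

# Policy 'Disabled' in the editor = EnableFirewall DWORD 0 in the policy hive.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 0 | Out-Null

# Link the GPO; the error is suppressed if the link already exists.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read back what the GPO now contains.
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' |
    Select-Object ValueName, Type, Value

# Step 7's forced refresh for an OU (Server 2012 and later): push gpupdate to every computer in it.
Get-ADComputer -SearchBase $TargetOU -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.Name -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Continue
}
```

Invoke-GPUpdate needs the remote scheduled-task RPC ports open on the clients, which is one more reason to link a policy like this to a workstation OU rather than the whole domain: domain controllers and servers keep their host firewall, and the refresh still reaches the machines you meant.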

SBS Note

An SBS (Small Business Server) domain enables the client firewall by default! The policy is called Windows Firewall Policy, which is usually linked to the computer OU under ‘My Business’.

Related Articles, References, Credits, or External Links

Windows – Open a Firewall Port with Group Policy

Group Policy Preferences and Client Side Extensions

Group Policy Preferences KB ID 0000389

Problem

Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2. To be able to apply them to older Windows clients, you need to install the “Client Side Extensions” (CSE); you can either script this, deploy it with a group policy, or, if you have WSUS, you can send out the update that way. From Windows 7 onwards they are already installed.

Solution : Group Policy Preferences

You may not have noticed, but if you edit or create a group policy now, you will see there is a “Preferences” branch. Most IT Pros will have seen the addition of the “Policies” folder some time ago, because it adds an extra level to get to the policies that were there before 🙂

OK Cool! What can you do with them?

1. Computer Preferences: Windows Settings

Environment: Lets you control and send out environment variables via Group Policy.

Files: Allows you to copy, modify the attributes, replace or delete a file (for folders see the next section).

Folder: As above, but for folders.

Ini Files: Allows you to Create, Replace, Update or Delete an ini file.

Registry: Allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a wizard, or extract the key(s)/values you want and send them out via group policy.

Network Shares: Allows you to Create, Replace, Update, or Delete shares on clients via group policy.

Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy.

2. Computer Preferences: Control Panel Settings

Data Sources: Allows you to Create, Replace, Update, or Delete Data Sources and ODBC settings via group policy. (Note: there’s a bug if you’re using SQL authentication, see here).

Devices: Lets you enable and disable hardware devices by type and class, to be honest it’s a little “clunky”.

Folder Options: Allows you to set “File Associations” and set the default programs that will open particular file extensions.

Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users OR local groups. Handy if you want to create an additional admin account, or reset all the local administrator passwords via group policy.

Network Options: Lets you send out VPN and dial-up connection settings to your clients, handy if you use PPTP Windows Server VPNs.

Power Options: With XP these are Power Options and Power Schemes; with Vista and later OSes they are Power Plans. This is much needed, I’ve seen many “Is there a group policy for power options?” or disabling hibernation questions in forums. And you can use the Options tab to target particular machine types (i.e. only apply if there is a battery present).

Printers: Lets you install printers (local or TCP/IP), handy if you want all the machines in Accounts to have the Accounts printer. For further info see,

Deploying Printers with Group Policy Preferences

Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or Later), this could be handy to deploy a patch or some virus/malware removal process.

Service: Essentially anything you can do in the Services snap-in you can push out through group policy: set services to disabled, or change the logon credentials used for a service. In addition you can set the recovery option should a service fail.

3. User Configuration: Windows Settings

Applications: Answers on a Postcard? I can’t work out what these are for!

Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assign mapped drives on a user/group basis.

Environment: As above lets you control and send out Environment variables via Group Policy, but on a user basis.

Files: As above, allows you to copy, modify the attributes, replace or delete a file (for folders see the next section), but on a user basis.

Folders: As above, but for folders on a user by user basis.

Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user by user basis.

Registry: As above, allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a wizard, or extract the key(s)/values you want and send them out via group policy, this time for users not computers.

Shortcuts: As Above, allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy for users.

4. User Configuration: Control Panel Settings

All of the following options are covered above on “Computer Configuration”

  • Data Sources
  • Devices
  • Folder Options
  • Local Users and Groups
  • Network Options
  • Power Options
  • Printers
  • Scheduled Tasks

Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user by user basis.

Regional Options: Designed so you can change a user’s locale, handy if you have one user who wants an American keyboard.

Start Menu: Provides the same functionality as right clicking your task bar > properties > Start Menu > Customise, only set user by user.
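One caveat on the Local Users and Groups, Services, Scheduled Tasks and Data Sources items above: before Microsoft removed the option in MS14-025, these could carry a password, which the editor stored in the preference XML in SYSVOL as a cpassword attribute readable by every domain user. The option is gone, but items created back then stay behind. The following is an added example, not code from the original article: it walks every GPO's Preferences folder and reports items that still store one. It assumes the GroupPolicy RSAT module and read access to SYSVOL from a domain-joined machine.

```powershell
# Added example (not from the original article): find preference items that still store a password.
# Assumes the GroupPolicy module and a domain-joined machine with read access to SYSVOL.
Import-Module GroupPolicy

$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

$findings = foreach ($gpo in Get-GPO -All) {
    $gpoFolder = Join-Path $policies "{$($gpo.Id)}"
    $xmlFiles  = Get-ChildItem -Path $gpoFolder -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
                 Where-Object { $_.FullName -like '*\Preferences\*' }
    foreach ($file in $xmlFiles) {
        [xml]$doc = Get-Content -Path $file.FullName
        # Any element with a cpassword attribute, whatever the preference type.
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            [pscustomobject]@{
                GPO      = $gpo.DisplayName
                File     = $file.Name
                Item     = $node.ParentNode.GetAttribute('name')
                # Groups.xml items that never set a password still carry an empty cpassword="".
                HasValue = -not [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
            }
        }
    }
}

$hits = @($findings | Where-Object HasValue)
if ($hits) {
    Write-Warning "$($hits.Count) preference item(s) still store a password in SYSVOL:"
    $hits | Format-Table GPO, File, Item -AutoSize
} else {
    'No stored preference passwords found in SYSVOL.'
}
```

Anything it reports should be deleted or recreated without the password, and the account's password changed, since a value that sits readable in SYSVOL has to be treated as disclosed.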

Related Articles, References, Credits, or External Links

Deploying Printers with Group Policy Preferences