User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows could not locate the directory object OU=Top-Level,OU=computers,DC=PeteNetLive,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
Note: You may also see Event ID 1101
Event ID 1101
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1101
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: PNL-PROD-WIN10.pnl.com
Description:
The processing of Group Policy failed. Windows could not locate the directory object OU=PNL,DC=pnl,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.
Solution
Strangely, the OU that this computer was in needed to have the ‘Read’ right granted to the ‘Authenticated Users’ group; not sure how that got removed! Note: Remember to start at the OU that sits directly under the root of the domain if you have nested OUs.
After that everything was peachy!
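To check this without clicking through every OU, here is an added PowerShell example (not from the original article) that walks from a computer's parent OU up to the domain root and reports whether ‘Authenticated Users’ has a read right on each one. It assumes the ActiveDirectory RSAT module is installed and uses the article's computer name PNL-PROD-WIN10 as a placeholder.

```powershell
# Added example, not from the article: confirm 'Authenticated Users' still has
# Read on every OU between a computer and the domain root, which is what the
# fix above restores. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Test-OUReadAccess {
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $results = @()
    # Drop the leading CN= part; split only on commas that are not escaped
    $parent = ($dn -split '(?<!\\),', 2)[1]
    # Walk outwards until the first DC= component, i.e. the domain root
    while ($parent -like 'OU=*') {
        $acl = Get-Acl -Path "AD:\$parent"
        # Any Allow ACE for Authenticated Users carrying a GenericRead bit counts
        $read = $acl.Access | Where-Object {
            $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
        }
        $results += [pscustomobject]@{ OU = $parent; AuthenticatedUsersRead = [bool]$read }
        $parent = ($parent -split '(?<!\\),', 2)[1]
    }
    return $results
}

# Placeholder computer name from the article; any OU reporting False is the one to fix
Test-OUReadAccess -ComputerName 'PNL-PROD-WIN10' | Format-Table -AutoSize
```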
Related Articles, References, Credits, or External Links
I’ve got nothing against the Windows firewall, it’s certainly a lot easier to manage now than it was back in the XP SP2 days. But I find a lot of clients still just ‘want it gone’ and, providing they have a decent corporate firewall in front of them that’s fair enough.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
4. Right click your new policy > Edit.
5. Navigate to;
[box]
Computer Configuration > Policies > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections
[/box]
6. Set the policy to disabled.
7. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines).
SBS Note
An SBS (Small Business Server) domain enables the client firewall by default! The policy is called Windows Firewall Policy, and it is usually linked to the computer OU under ‘My Business’.
Related Articles, References, Credits, or External Links
For everyone who simply does not disable the Windows firewall, then you need to be able to manage what ports are open on your machines. The simplest way to do this is via group policy. This week I had to open TCP port 9503 on the local firewall of my McAfee Move Offload Servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU with my Move Offload servers in it.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
7. As this is a new policy the list will be empty, (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053, over TCP, the asterisk means ‘from anywhere’, I’ve Enabled the rule, and called it McAfee Move.
<Scope>: Where the traffic is coming from, i.e 192.168.1.1, or 192.168.1.0/24, or simply ‘localsubnet’ or ‘*’ for everywhere. You can enter multiple values separated with a comma.
<Name>: A simple text entry to define what the exception is.
8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)
10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.
11. If you open the rule you can see its been applied by group policy, and check the correct port has been defined.
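To build the exception entry without typos and confirm it has actually landed on a target machine, here is an added PowerShell example (not from the original article). It uses the article's values (port 9053, TCP, ‘*’, ‘McAfee Move’) and assumes the rule created by the ‘Define inbound port exceptions’ policy appears in the active firewall store under the name you gave it; run the check on the target after gpupdate /force.

```powershell
# Added example, not from the article: assemble a 'Define inbound port exceptions'
# entry in the policy's <Port>:<Transport>:<Scope>:<Status>:<Name> format, then
# verify on the target that a matching inbound rule exists with the expected port.

function New-PortExceptionEntry {
    param(
        [Parameter(Mandatory)][ValidateRange(1,65535)][int]$Port,
        [Parameter(Mandatory)][ValidateSet('TCP','UDP')][string]$Transport,
        [string]$Scope = '*',            # '*', 'localsubnet', or comma separated IPs/subnets
        [ValidateSet('enabled','disabled')][string]$Status = 'enabled',
        [Parameter(Mandatory)][string]$Name
    )
    # Reject scope tokens the policy does not accept; these are usually typos
    foreach ($token in $Scope -split ',') {
        if ($token -notin '*','localsubnet' -and
            $token -notmatch '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$') {
            throw "Unsupported scope token: $token"
        }
    }
    return "{0}:{1}:{2}:{3}:{4}" -f $Port, $Transport, $Scope, $Status, $Name
}

function Test-PortExceptionApplied {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Port)
    # ActiveStore merges local and Group Policy rules, which is what WF.msc shows
    $rule = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object DisplayName -eq $Name
    if (-not $rule) { return $false }
    $filter = $rule | Get-NetFirewallPortFilter
    # True only if the rule is enabled and carries the port we asked for
    return ($filter.LocalPort -contains "$Port") -and ("$($rule.Enabled)" -eq 'True')
}

# Article's example entry: 9053:TCP:*:enabled:McAfee Move
$entry = New-PortExceptionEntry -Port 9053 -Transport TCP -Scope '*' -Name 'McAfee Move'
$entry
Test-PortExceptionApplied -Name 'McAfee Move' -Port 9053
```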
Related Articles, References, Credits, or External Links
There are a few occasions when you need to know an object’s ‘Distinguished Name’ (DN). For me it’s usually when I’ve got a device that needs to do LDAP/LDAPS lookups (RSA Appliance, Netscaler, Cisco FirePOWER, etc). Today someone needed to ‘bind’ a Checkpoint firewall to Active Directory, and asked me to create a user and give them the DN and password.
I’ve mentioned ldp.exe many times but never dedicated a post to it. It’s a tiny executable that first appeared in the Server 2003 support tools. With 2008 you needed to add the Active Directory Lightweight Directory Services role to get it. With Server 2012 and 2016 you will get it on any Domain Controller.
For a member server, (or non domain joined server) you can add LDP.exe by simply adding the following feature from server manager.
LDP Usage
Windows Key+R > ldp {Enter} > Connection > Connect > select localhost, (if you are on the DC, or the FQDN of a DC if you are not). Normally port 389 is fine, but if you have enabled LDAPS, you might want to use port 636, and tick SSL also > OK.
Now you need to bind to LDAP, I’m using my logged on account, but if you want to test a user account can bind to Active Directory, then you can specify a username/password and domain > OK.
Note: To bind to Active Directory and read all of its objects, only an ordinary domain user account is required.
Now to view anything > View > Tree > Select the root DN to view all of AD, (in my case DC=pnl,DC=com) > OK.
You can now browse your AD, and get the DN for any object.
Related Articles, References, Credits, or External Links
On EE this morning someone asked this question and I realised I’ve never written it up. So, if you want to add a new domain to an already working Exchange deployment, how do you do it?
Solution
Firstly, you need to have purchased the new domain name, and have the DNS records setup properly for the new domain name. See the following article;
Log into Exchange Admin Center > Mail Flow > Accepted Domains > Add.
Add a sensible name > Enter the new domain name > Select Authoritative > Save.
Create a User Mailbox For the New Domain
If you only have a few users to setup you can do them manually within the Exchange Admin Center > Recipients > Mailboxes > Add.
On the properties of the new recipient you can edit the email addresses associated with it.
Change and add accordingly.
Remember for individual users to untick the ‘Automatically update email addresses based on the email address policy applied to this recipient’ > then change the Clients ‘Reply address’ > OK > Save.
Create an Email Address Policy And Apply It to an OU
The procedure above does not scale well if you have a lot of users to allocate a new domain to, so you can write a new email address policy, and apply it to a particular OU, then create/import your new users into this OU, mail enable them, and they will all get the correct Email addresses.
Mail flow > Email Address polices > Add.
Add a new policy with the email format you require;
Repeat to add multiple email address formats > Save.
Scroll down to where you want to apply the policy and select ‘recipient container’ (because calling it an OU would have been too simple).
Select the OU with your users in > OK.
Note: You don’t have to use OUs; you can use other attributes such as ‘department’, which is read from the user’s AD object.
OK
With the policy selected > Apply.
Now go and have a few cups of coffee, and your users will get the new policy.
Related Articles, References, Credits, or External Links
It’s been a while since I wrote Part 4, so it’s time to wrap this up. Now we have Composer installed on the Virtual Center, we can start to deploy our linked clone desktops.
Solution
VMware View – Prepare your Source Machine
1. I’ve already covered how to prepare your Windows 7 client machine to be a View client here. Once that’s done, release its IP address (ipconfig /release) and shut it down.
2. With your source machine shut down, take a snapshot of the machine.
VMware View – Create an Automated Linked Clone Pool
3. Log into your VMware View Administrator console > Inventory > Pools > Add.
4. Automated > Next.
5. Dedicated > Next (unless you want a floating user assignment, the description of each is on this page).
6. View Composer linked clones > Next (ensure your vCenter is listed, and has “Yes” in the View Composer section).
7. Give the pool an ID, name, and description. (Note: If you use folders for your VMs, you can also select those here).
8. I tend to stick with the defaults, except I let the users reset their desktops > Next.
9. I’m not redirecting any disposable files or profiles > Next.
10. Expand Security > Logins > Create a new login.
11. For the default Image, browse to your source machine, then select the snapshot. Set the Folder, Host/Cluster, and Resource pool as applicable. Then browse for a datastore.
12. Here I’ve selected to store my disks on different datastores. If you can, put your replica disk on the FASTEST storage, as this gets the most “Read” traffic > OK > Next.
13. The domain should auto populate > Pick an OU to place the new machines into, then select either to use quickprep (the VMware one), or Sysprep (the Microsoft one). > Next.
Note: You can also use a customization specification (yes Americans are worse at spelling than me!), you set these up in the VI client on the home screen under ‘Customization Specifications Manager’.
14. Review the information > Finish.
15. Now you have your pool, you need to allow your users to connect to it; with it selected press ‘Entitlements’.
16. Add in the users and/or groups you want to grant access to > OK.
17. It can take a while for the replica to be created then all the linked clones to become ‘Available’ watch progress under ‘Inventory > Desktops’.
18. When available you should be able to connect to them using the VMware View Client.
19. And finally get your new Windows 7 linked clone desktop.
Related Articles, References, Credits, or External Links
Kiosk mode is quite useful if you have some machines that you want to put in a public area for visitors to use, or for machines that are used in displays etc. It’s also handy if you have some older PCs that you just want to repurpose as internet terminals or ‘point of sale’ boxes.
Essentially it’s a system that delivers a virtual VMware View desktop to a PC or Thin client without the need to authenticate to the connection server. Kiosk authentication is disabled by default, so you need to run a few commands to get it enabled.
Solution
Before starting you will need a Virtual Machine ready to be used for the Kiosk machine. You might want to create this machine with a “nonpersistent” disk.
Note: Alternatively you can create a user that matches the MAC address of the client machine and auto generate a password like so, (this assumes the thin client or PC’s MAC address is 3C:4A:92:D3:12:1C).
4. Then allow this connection server to accept kiosk connections with the following command;
[box]vdmadmin -Q -enable -s PNL-CS[/box]
Note: Where PNL-CS is the name of my VMware Connection Server.
5. You can view the settings configured on this connection server with the following command;
[box]vdmadmin -Q -clientauth -list[/box]
6. While still on your connection server open VMware View Administrator, and create a ‘Pool’ for your Kiosk machine.
7. Manual Pool > Next.
8. Dedicated > Next.
9. vCenter virtual Machines > Next.
10. Next.
11. Give the pool an ID and Display name > Next.
12. Select the machine you are using as the source for the Kiosk machine > Next.
13. When the pool is created > Entitlements.
14. Add in the group that you created in step 1 > OK.
15. Just check on the ‘desktops’ tab and make sure the machine is listed as ‘available’.
Step 3: Connect to the Kiosk Machine
16. Now from your client machine or thin client, you can execute the following command to open the kiosk session.
Note: In a live environment you may want to make the host machine or thin client automatically log on and put this command in the ‘startup’ folder, or call it from a startup/logon script so the machine will boot straight into the kiosk virtual machine.
17. All being well you should be presented with the kiosk VM machine, note you no longer get the normal VMware View tool bar etc, it will behave as if the machine is in front of you.
Related Articles, References, Credits, or External Links
Persona Management is the VMware version of “Roaming Profiles” and “Redirected Folders” rolled into one, though the redirected folders part is a lot easier to set up and less problematic than the Microsoft Folder Redirection policy.
It’s handy if you’re using floating pools but still want your users to have a persistent user interface. Having these files centrally makes them easier to back up, and the more your users can customise their desktops and settings, the better they tend to look after their equipment.
Solution
Create a “Roaming Profile” Network share with the correct permissions
1. On a network accessible server, create a folder and set the SHARE permissions as follows;
Share Permissions
Everyone = Read.
Domain Users = Full Control.
Note: You may also want to DISABLE Caching on this folder.
2. Stop inheritable permissions from propagating to the folders and set the security permissions as follows;
Security / NTFS Permissions
Creator Owner (Subfolders and Files Only) = Full Control.
Domain Users (This Folder Only) = List Folder/Read Data and Create Folders/Append Data.
System (This Folder, Subfolders and Files) = Full Control.
Everyone = No Permissions.
Note: I’m using domain users, you might have a different security group that you want to substitute.
3. Make sure that the machines that you will be using as view targets, have the View Persona Management option selected (this is selected by default).
Here you will find the folders that can be redirected to a central location.
13. For example, here I’m redirecting the users “My Documents” folder.
14. And their “My Pictures” folder.
15. Make sure you have a pool created, and that your users have an ‘entitlement’ to it. These machines will also HAVE TO be in the OU your policy is applied to.
16. Now when your users connect to their View Desktops.
17. Their user profile will be persistent.
18. Because their settings are stored in your profile shared folder.
Note: Persona Management stores the profile in username.domainname format. The V2 on the end denotes that the profile is for Windows 7 or Vista. If users swap between these OSs and any older Windows OS, they will get a separate profile for those as well. If this is the case, rely on the folder redirection rather than the profile.
Related Articles, References, Credits, or External Links
A few months ago I put in a new network at a school, they were using a vbs script to deploy all their classroom printers, and I had a quick (unsuccessful) attempt to do the same. But time was against me and I used GPP and location variables to solve the problem.
I did however take a copy of the script to have a play with, so yesterday while it was quiet I dropped a copy on the test network, and failed again! So I trawled round the internet and cobbled together a new script which works the way I wanted.
Note: Please do not email me and ask “Can you change the scripts to do xyz” you probably know as much about vbs as I do!
Solution
Requirements
1. I want the script to run and map the printers based on the OU that the computer is in. In this example I’ve only got two OUs, but in a live environment you might want all the computers in the maths classroom to get the black and white laser printer in that classroom as the default printer, and also be connected to the colour printer in the same room.
2. On my test network I’ve only got two printers, an HP 4600 Colour Laser, and an HP 3055 multifunction printer, so to illustrate how the script works I’ll map both printers to the computers in both OU’s, but I’ll change the default printer for OU1 and OU2. Both these printers are already setup and installed on my server.
Note: You may need to add both 64-bit and 32-bit drivers to your printers if you have a mix of client operating systems, as the clients download the driver from the server.
Script to Map Printers Based on OU
3. This script will remove any mapped network printers, Note: Local printers are NOT removed. It will then connect the printers you require for each OU. Lastly it will set the default printer.
Note: You need to connect the printer before you can set it as default.
[box]
'=========================================================================
' MAP PRINTERS BASED ON OU
'
' AUTHOR: PeteLong
' COMPANY: www.petenetlive.com
' DATE: 03/08/12
'=========================================================================
' Get this computer's distinguished name, e.g. CN=PC1,OU=OU1,DC=pnl,DC=com
Set objSysInfo = CreateObject("ADSystemInfo")
strName = objSysInfo.ComputerName

' The second comma-separated part is the computer's immediate OU ("OU=OU1"),
' so split that on "=" to get just the OU name ("OU1")
arrComputerName = Split(strName, ",")
arrOU = Split(arrComputerName(1), "=")
strComputerOU = arrOU(1)

Set objNetwork = CreateObject("WScript.Network")

'=========================================================================
'STEP 1 - Remove any NETWORK printers (NOT Local Printers)
'=========================================================================
' EnumPrinterConnections returns port/name pairs, so step through it two at
' a time. Network printer names are UNC paths, so anything beginning "\\" goes
Set Printers = objNetwork.EnumPrinterConnections
For i = 0 To Printers.Count - 1 Step 2
    If Left(UCase(Printers.Item(i+1)), 2) = "\\" Then
        objNetwork.RemovePrinterConnection Printers.Item(i+1)
    End If
Next

'=========================================================================
'STEP 2 - Connect Printers based on COMPUTER OU membership
'=========================================================================
' Printers are \\PrintServer\ShareName; a printer has to be connected
' before it can be set as the default
Select Case strComputerOU
    Case "OU1"
        objNetwork.AddWindowsPrinterConnection "\\PNL-DC\3055"
        objNetwork.AddWindowsPrinterConnection "\\PNL-DC\4600"
        objNetwork.SetDefaultPrinter "\\PNL-DC\4600"
    Case "OU2"
        objNetwork.AddWindowsPrinterConnection "\\PNL-DC\3055"
        objNetwork.AddWindowsPrinterConnection "\\PNL-DC\4600"
        objNetwork.SetDefaultPrinter "\\PNL-DC\3055"
End Select
[/box]
What you would need to change
Simply change PNL-DC to the name of your print server and swap in your own printer share names; then add a new ‘Case’ block for each OU you require.
4. I’m deploying this script as a USER logon script, though If you wanted you could also use a COMPUTER startup script.
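For sites with nested OUs (a classroom OU inside a ‘Classrooms’ OU, say), here is an added PowerShell version of the same idea (not the article's script). It goes beyond the VBS above by walking the computer's whole OU chain, most specific first, and falling back to a parent OU's mapping; the print server name PNL-DC, the OU names and the printer share names are the article's examples.

```powershell
# Added example, not the article's script: map printers by the computer's OU,
# extended to nested OUs. The first OU in the chain (most specific first) that
# has an entry in $PrinterMap wins, so OU=Room12,OU=Maths,... can match
# "Room12" or fall back to "Maths". Names below are the article's examples.

$PrintServer = 'PNL-DC'
$PrinterMap = @{
    'OU1' = @{ Printers = @('3055','4600'); Default = '4600' }
    'OU2' = @{ Printers = @('3055','4600'); Default = '3055' }
}

function Get-ComputerOUChain {
    # Returns the OU names from the computer's DN, most specific first
    param([string]$DistinguishedName = (New-Object -ComObject ADSystemInfo).ComputerName)
    # Split on unescaped commas only, so names like "OU=Sales\, North" survive
    $parts = $DistinguishedName -split '(?<!\\),'
    $parts | Where-Object { $_ -like 'OU=*' } |
        ForEach-Object { ($_ -replace '^OU=', '') -replace '\\,', ',' }
}

function Resolve-PrinterAssignment {
    param([Parameter(Mandatory)][string[]]$OUChain, [hashtable]$Map = $PrinterMap)
    foreach ($ou in $OUChain) {
        if ($Map.ContainsKey($ou)) { return $Map[$ou] }
    }
    return $null    # no mapping for any OU in the chain
}

function Set-OUPrinters {
    param([Parameter(Mandatory)]$Assignment, [string]$Server = $PrintServer)
    # Step 1: remove existing network connections; local printers are left alone
    Get-Printer | Where-Object { $_.Type -eq 'Connection' } |
        ForEach-Object { Remove-Printer -Name $_.Name }
    # Step 2: connect this OU's printers, then set the default (must be connected first)
    foreach ($p in $Assignment.Printers) { Add-Printer -ConnectionName "\\$Server\$p" }
    (New-Object -ComObject WScript.Network).SetDefaultPrinter("\\$Server\$($Assignment.Default)")
}

$assignment = Resolve-PrinterAssignment -OUChain (Get-ComputerOUChain)
if ($assignment) { Set-OUPrinters -Assignment $assignment }
```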
What computers in OU1 would see
What computers in OU2 would see
Related Articles, References, Credits, or External Links
This ensures that traffic that is sent over an RDP connection to a server is protected by TLS/SSL Encryption. IT DOES NOT stop clients connecting to an RDP server if they do not have a trusted certificate. If you need that level of security, that should already be done by 802.1x.
Solution
Create an RDP Certificate Template
1. On the domain CA launch the Certification Authority management console > Certificate Templates > Right click > Manage.
2. Locate, and make a duplicate of, the Computer template.
3. General tab > Set the display and template name to RemoteDesktopSecure.
5. New > Name=SSL Secured Remote Desktop > Object Identifier=1.3.6.1.4.1.311.54.1.2 > OK.
6. Select the policy you have just created > OK.
7. Remove the other policies, so only the one we have just created remains > OK.
8. Security tab > Ensure that the computer groups you want to apply the template to are selected for Read and Enroll. (Below I’ve put three examples: firstly I create a group for my servers, secondly I just apply it to my domain controllers, or lastly I allow all Domain Computers). How you want to apply this is up to you.
9. Issue/Publish the new certificate template.
Create a GPO to secure RDP access with Certificates.
10. From the Group Policy Management Console, create (or edit) a GPO and give it a sensible name.
Locate the ‘Server authentication certificate template’ policy.
12. Enable it and set the template name to RemoteDesktopSecure > Apply > OK.
13. In the same location, locate the ‘Require use of specific security layer for remote (RDP) connections’ policy.
14. Enable the policy and set the security layer to SSL (TLS 1.0) > Apply > OK > Exit the policy editor.
15. Link the GPO to an OU that contains the servers you want to apply the policy to.
16. You may need to wait a short while, but eventually the servers will get their certificates.
Note: This view is simply ‘Microsoft Management Console’ with the ‘Certificates (Local Computer)’ snap-in added.
17. To prove it’s working, try connecting from a client that does not trust your Domain CA, and you should see an error something like this.
Check What Certificate RDP Is Using
You can check the thumbprint of the certificate the server is using. Windows Key+R > Regedit {Enter} > Navigate to;
[box]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\TemplateCertificate
[/box]
You can check this against the actual certificate > Windows Key+R > mmc {Enter} > File > Add/Remove Snap-in > Certificates > Local Computer > Open Certificates > Personal > Certificates > Locate the certificate you ‘think’ RDP is using and compare its thumbprint with the registry value you found above.
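The same comparison done in PowerShell, as an added example that is not the author's command: it reads the TemplateCertificate registry value, asks the RDP-Tcp listener which thumbprint it is really using, looks that certificate up in the machine’s Personal store, and also reports whether the security layer from step 14 (SSL/TLS) is in force. It assumes it is run elevated on the server being checked.

```powershell
# Added example, not the author's command: compare the thumbprint RDP is
# configured to use with what is actually in the Local Computer Personal store,
# and confirm the security layer the GPO in step 14 sets (2 = SSL/TLS).

function Get-RdpCertificateState {
    $ws = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    # TemplateCertificate is REG_BINARY holding the SHA1 thumbprint bytes
    $tpl = (Get-ItemProperty -Path $ws -Name TemplateCertificate -ErrorAction SilentlyContinue).TemplateCertificate
    $templateThumb = if ($tpl) { ($tpl | ForEach-Object { $_.ToString('X2') }) -join '' } else { $null }

    # What the RDP-Tcp listener itself reports (hex thumbprint and security layer)
    $ts = Get-CimInstance -Namespace root\cimv2\terminalservices -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
    $listenerThumb = $ts.SSLCertificateSHA1Hash

    # Find the certificate the listener points at, if it is really in the store
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $listenerThumb

    [pscustomobject]@{
        TemplateThumbprint = $templateThumb
        ListenerThumbprint = $listenerThumb
        ThumbprintsMatch   = [bool]($templateThumb -and $templateThumb -eq $listenerThumb)
        CertificateFound   = [bool]$cert
        IssuedBy           = $cert.Issuer
        ExpiresOn          = $cert.NotAfter
        SecurityLayer      = $ts.SecurityLayer   # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
        TlsRequired        = ($ts.SecurityLayer -eq 2)
    }
}

Get-RdpCertificateState
```

If ThumbprintsMatch is false after the GPO has applied, the listener is still using its self-signed certificate and the template policy has not taken effect yet.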
Or you can execute the following PowerShell command to get the RDP certificates thumbprint;