Work Folders stores user data in a single managed location. Users can reach their work folder from BYOD and corporate SOE devices from anywhere, so corporate information can be used flexibly and securely from supported devices. …
Tag Archives: Group Policy Object
Windows Time Configuration Best Practice—Step by Step
The Windows Time service (W32Time, managed with the W32tm tool) is required by Kerberos authentication in Microsoft Active Directory: by default Kerberos rejects tickets from clients whose clocks differ from the domain controller by more than five minutes, so a drifting clock means failed logons and failed service access. The Windows Time service ensures that the entire server and client fleet in an organisation running Microsoft operating systems uses a common and correct time.
To keep time consistent, the Windows Time service arranges time sources in a hierarchy, which also prevents synchronisation loops. At the root of that hierarchy is the domain controller holding the PDC emulator FSMO role in the forest root domain; it is the authoritative time source for the whole organisation. By default, domain-joined Windows computers use the following hierarchy:
- Client computers and member servers nominate the domain controller that authenticated them as their inbound time partner.
- All other domain controllers in a domain, including RODCs, nominate that domain's PDC emulator as their inbound time partner.
- PDC emulators of child domains follow the domain hierarchy, taking a PDC emulator higher up the tree (ultimately the forest root PDC emulator) as their inbound time partner.
Microsoft recommends the following:
- Configure the authoritative time server (the forest root PDC emulator) to obtain its time from a hardware source. If you point it at an Internet time source instead, be aware that plain NTP between the PDC emulator and an external server is unauthenticated, so anyone who can tamper with that traffic can shift the whole forest's time.
- Tighten the time-correction limits (MaxPosPhaseCorrection and MaxNegPhaseCorrection) on your servers and stand-alone clients so that a single bad sample cannot cause a large jump. Both measures improve accuracy and limit the damage a rogue or faulty time source can do to your domain.
Before you configure the NTP server and clients, consider the following points for time services on virtualised domain controllers and virtual machines:
- There must be exactly one root time provider in your infrastructure. Do not let a domain controller and a Hyper-V or ESXi host both act as time providers for the same guests: the PDC emulator is the time provider, and it alone synchronises with the hardware or Internet time source.
- Never put a virtualised domain controller into a saved state.
- Never synchronise a domain controller's clock with its virtualisation host.
- On Hyper-V, untick Time synchronization under Integration Services for the DC and the other virtual servers.
- On VMware, untick time synchronisation for the DC and the virtual machines in the VMware Tools configuration.
- Do not restore a snapshot onto a production domain controller, least of all the PDC emulator.
Step1: Remove Time Synchronisation of Guest with Host
Follow this procedure if the host is a Hyper-V host:
1. Right-click the virtual machine, click Settings, then choose Integration Services under Management.
2. Under Integration Services, untick Time synchronization.
3. Click OK.
Follow this procedure if the host is an ESXi host:
1. Right-click the virtual machine and click Edit Settings.
2. On the Options tab, click VMware Tools, untick Synchronize guest time with host, and click OK.
Step2: Configure Cisco Switch as NTP Source
Enter global configuration mode:
switch# config t
Enable NTP:
switch(config)# ntp enable
Show NTP status:
switch(config)# show ntp status
Configure the upstream NTP server the switch synchronises to:
switch(config)# ntp server {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]
Configure an NTP peer the switch exchanges time with:
switch(config)# ntp peer {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]
Display the configured servers and peers:
switch(config)# show ntp peers
Save the changes:
switch(config)# copy running-config startup-config
The switch is only a useful hardware time source if it is itself disciplined by a reliable reference (the ntp server line above); a switch running on its own clock is no better than a free-running domain controller. Follow this example to configure a Cisco 6000 series switch as the NTP source on a high-availability Catalyst 6000 switch. The Cisco NTP guide is available here.
Step3: Configure a Domain Controller as a NTP Server
Follow this procedure to configure the NTP server from an elevated command prompt, or use Step 4 to configure it with a GPO. My recommended approach is the GPO rather than the command line, because a GPO setting is re-applied on every refresh and shows up as (Policy) in w32tm output, whereas a local setting can be silently changed. If you prefer the command line, use the commands below.
- First confirm that the server you are configuring as the time provider actually holds the PDC emulator role; run this on the server in question:
netdom query fsmo
- From an elevated command prompt, stop the time service:
net stop w32time
- Remove all Windows Time settings from the registry. You may have to run this twice: if you get "access denied", simply run it again.
w32tm /unregister
- Re-create the registry settings:
w32tm /register
- Start the service:
net start w32time
- Set the server to synchronise with the NTP servers in pool.ntp.org. To find the correct pool for your region, visit http://www.pool.ntp.org/en/ and click your region in the right-hand panel. The example below is for Australia. The /reliable:yes flag advertises this server to the domain as a reliable time source; use it on the PDC emulator only.
w32tm /config /syncfromflags:manual /manualpeerlist:"au.pool.ntp.org time.windows.com" /reliable:yes /update
- When using a hardware time source, point the peer list at it instead (the DNS name of the core switch if it has one, otherwise its IP address):
w32tm /config /syncfromflags:manual /manualpeerlist:"<IP address or DNS name of Cisco core switch>" /reliable:yes /update
- Apply the configuration:
w32tm /config /update
- Restart the service so the new settings take effect:
net stop w32time && net start w32time
- Synchronise the clock with the new NTP servers. This must return "The command completed successfully."
w32tm /resync /rediscover
Query the time configuration to confirm it is set as intended. In the status output, Source should be one of your peers, not "Local CMOS Clock" or "Free-running System Clock"; in the configuration output each value is tagged (Local) or (Policy), so you can see whether a GPO has overridden what you typed:
w32tm /query /status
w32tm /query /peers
w32tm /query /configuration
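The same procedure as a script, written for this page as an added example (it is not from the original article): it refuses to run unless the local machine holds the PDC emulator role, applies the w32tm settings from Step 3, and then parses w32tm /query /status so the outcome can be checked rather than read by eye. It assumes the ActiveDirectory PowerShell module is present; the Australian pool and time.windows.com as upstream peers, and the ,0x8 client-mode flags on them, are assumptions as well.

```powershell
# Added example, not part of the original article: make the PDC emulator the
# forest's authoritative time source with w32tm and verify the result.
# Assumptions (not in the article): ActiveDirectory module available; peers
# below are only an example. ,0x8 = NTP client mode (many public servers
# refuse the symmetric-active mode w32tm may otherwise use).
param(
    [string]$PeerList = 'au.pool.ntp.org,0x8 time.windows.com,0x8'
)

function Test-IsPdcEmulator {
    # Only the PDC emulator may be marked /reliable:yes; every other DC must
    # stay on the domain hierarchy so that the hierarchy has a single root.
    Import-Module ActiveDirectory -ErrorAction Stop
    $pdc   = (Get-ADDomain).PDCEmulator
    $local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    return ($pdc -ieq $local)
}

function Set-AuthoritativeTimeSource {
    param([string]$Peers)
    # Same order as the manual steps in Step 3.
    & w32tm.exe /config /syncfromflags:manual /manualpeerlist:"$Peers" /reliable:yes /update | Out-Null
    Restart-Service w32time
    & w32tm.exe /resync /rediscover
}

function Get-W32tmStatus {
    # Turn 'w32tm /query /status' ("Key: value" lines) into a hashtable.
    $status = @{}
    foreach ($line in (& w32tm.exe /query /status)) {
        if ($line -match '^([^:]+):\s*(.*)$') {
            $status[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $status
}

function Test-TimeSourceHealth {
    param([hashtable]$Status)
    $problems = @()
    # A DC reporting its own clock is free-running. Clients still trust it,
    # so skew grows silently until Kerberos starts failing.
    if ($Status['Source'] -match 'Local CMOS Clock|Free-running System Clock') {
        $problems += "Source is '$($Status['Source'])' (not synchronised to any peer)"
    }
    # Stratum 0 = unspecified, 16 = unsynchronised; a PDC on a good upstream is 2-3.
    $stratum = if ($Status['Stratum'] -match '^(\d+)') { [int]$matches[1] } else { 0 }
    if ($stratum -eq 0 -or $stratum -ge 16) { $problems += "Stratum $stratum (unsynchronised)" }
    if (-not $Status['Last Successful Sync Time'] -or
        $Status['Last Successful Sync Time'] -match 'unspecified') {
        $problems += 'No successful sync recorded'
    }
    return $problems
}

if (-not (Test-IsPdcEmulator)) {
    throw "$env:COMPUTERNAME is not the PDC emulator; do not set /reliable:yes here."
}
Set-AuthoritativeTimeSource -Peers $PeerList
Start-Sleep -Seconds 10                       # let the first poll complete
$status = Get-W32tmStatus
$issues = Test-TimeSourceHealth -Status $status
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "OK: stratum $($status['Stratum']) from $($status['Source'])"
}
# Offset of every DC in the domain relative to this clock; large values here
# are the "time drift" symptom described later in the article.
& w32tm.exe /monitor
```

Run it once on the PDC emulator from an elevated PowerShell. The health check is the part worth keeping: scheduled on the PDC emulator, it turns a silent free-running clock into a warning before Kerberos tickets start being rejected.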
Step4: Configure the NTP Server using a Group Policy Object
- Open the Group Policy Management Console, right-click the Domain Controllers OU, create and link a new GPO, type Time Provider as its name, and click OK. Because this GPO marks its targets as reliable time sources (AnnounceFlags 5) and points them at an external source, it must apply only to the PDC emulator, not to every DC in the OU: create a WMI filter with the query Select * from Win32_ComputerSystem where DomainRole = 5 (DomainRole 5 is the PDC emulator) and attach it to the GPO.
- Right-click the Time Provider GPO, click Edit, and expand Computer Configuration\Administrative Templates\System\Windows Time Service.
- Right-click Configure Global Configuration Settings, click Edit, click Enabled, and click OK. An example is shown below.
Clock Discipline Parameters | Value
FrequencyCorrectRate | 4
HoldPeriod | 5
LargePhaseOffset | 50000000
MaxAllowedPhaseOffset | 300
MaxNegPhaseCorrection | 300
MaxPosPhaseCorrection | 300
PhaseCorrectRate | 1
PollAdjustFactor | 5
SpikeWatchPeriod | 900
UpdateInterval | 30000
General Parameters | Value
AnnounceFlags | 5
EventLogFlags | 2
LocalClockDispersion | 10
MaxPollInterval | 10
MinPollInterval | 6
ChainEntryTimeout | (leave default)
ChainMaxEntries | (leave default)
ChainMaxHostEntries | (leave default)
ChainDisable | (leave default)
ChainLoggingRate | (leave default)
4. Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and enable both Enable Windows NTP Client and Enable Windows NTP Server. Then double-click Configure Windows NTP Client, click Enabled, and type the NTP server names (example shown below).
Setting | Value
NtpServer | au.pool.ntp.org time.windows.com (or the IP address of the Cisco core switch if you use a hardware time provider)
Type | NTP
CrossSiteSyncFlags | 2
ResolvePeerBackoffMinutes | 15
ResolvePeerBackoffMaxTimes | 7
SpecialPollInterval | 3600
EventLogFlags | 1
The standard time provider configuration should look like this:
Location | Configuration | Status | Settings
Computer Configuration\Administrative Templates\System\Windows Time Service | Configure Global Configuration Settings | Enabled | Default
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Configure Windows NTP Client | Enabled | au.pool.ntp.org time.windows.com
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Client | Enabled | –
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Server | Enabled | –
Step5: Create and link a separate GPO for domain-joined clients and servers
- Open the Group Policy Management Console, right-click the OU that contains your member servers or workstations (not the Domain Controllers OU), create and link a new GPO, type Time Client as its name, and click OK.
- Right-click the Time Client GPO, click Edit, and expand Computer Configuration\Administrative Templates\System\Windows Time Service.
- Right-click Configure Global Configuration Settings, click Edit, click Enabled, and click OK. An example is shown below. Note that AnnounceFlags is 10 (the default) here rather than the 5 used for the time provider: a member server or workstation must never advertise itself to the domain as a reliable time source.
Clock Discipline Parameters | Value
FrequencyCorrectRate | 4
HoldPeriod | 5
LargePhaseOffset | 50000000
MaxAllowedPhaseOffset | 300
MaxNegPhaseCorrection | 300
MaxPosPhaseCorrection | 300
PhaseCorrectRate | 1
PollAdjustFactor | 5
SpikeWatchPeriod | 900
UpdateInterval | 30000
General Parameters | Value
AnnounceFlags | 10
EventLogFlags | 2
LocalClockDispersion | 10
MaxPollInterval | 10
MinPollInterval | 6
ChainEntryTimeout | (leave default)
ChainMaxEntries | (leave default)
ChainMaxHostEntries | (leave default)
ChainDisable | (leave default)
ChainLoggingRate | (leave default)
4. Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and enable Enable Windows NTP Client. Leave Enable Windows NTP Server disabled: clients and member servers should not serve time to anyone. Then double-click Configure Windows NTP Client, click Enabled, and set the values below.
Setting | Value
NtpServer | dc.superplaneteers.com
Type | NT5DS
CrossSiteSyncFlags | 2
ResolvePeerBackoffMinutes | 15
ResolvePeerBackoffMaxTimes | 7
SpecialPollInterval | 3600
EventLogFlags | 1
With Type set to NT5DS the computer follows the domain hierarchy and the NtpServer value is ignored; it would only be used if Type were changed to NTP or AllSync.
The standard client configuration should look like this:
Location | Configuration | Status | Settings
Computer Configuration\Administrative Templates\System\Windows Time Service | Configure Global Configuration Settings | Enabled | Default
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Configure Windows NTP Client | Enabled | NT5DS
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Client | Enabled | –
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Server | Disabled | –
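The two GPOs from Steps 4 and 5 built with the GroupPolicy module instead of the GPMC dialogs, as an added example that is not part of the original article. The registry keys are the ones the Windows Time Service administrative template writes under HKLM\SOFTWARE\Policies\Microsoft\W32Time. The domain name superplaneteers.com is taken from the article; the Servers and Workstations OU names are assumptions, and so is the instruction to attach the PDC-emulator WMI filter in GPMC afterwards, since the GroupPolicy module has no cmdlet for creating WMI filters.

```powershell
# Added example, not from the original article: create the Time Provider and
# Time Client GPOs (Steps 4 and 5) from PowerShell.
# Assumptions not in the article: OU names, and that the WMI filter that
# restricts the Time Provider GPO to the PDC emulator is created in GPMC.
Import-Module GroupPolicy -ErrorAction Stop

$W32 = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time'   # root written by the W32Time ADMX
$dom = 'DC=superplaneteers,DC=com'

function Set-PolicyValues {
    param([string]$Gpo, [string]$Key, [hashtable]$Values)
    foreach ($name in $Values.Keys) {
        $v    = $Values[$name]
        $type = if ($v -is [string]) { 'String' } else { 'DWord' }
        Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $name -Type $type -Value $v | Out-Null
    }
}

function New-TimeGpo {
    param(
        [string]$Name, [string]$Target, [string]$Type, [string]$NtpServer,
        [int]$AnnounceFlags, [bool]$NtpServerEnabled
    )
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | New-GPLink -Target $Target -LinkEnabled Yes | Out-Null
    }
    # "Configure Global Configuration Settings" (values from the article's tables)
    Set-PolicyValues $Name "$W32\Config" @{
        AnnounceFlags = $AnnounceFlags; EventLogFlags = 2; LocalClockDispersion = 10
        MaxPollInterval = 10; MinPollInterval = 6; FrequencyCorrectRate = 4; HoldPeriod = 5
        LargePhaseOffset = 50000000; MaxAllowedPhaseOffset = 300
        MaxNegPhaseCorrection = 300; MaxPosPhaseCorrection = 300
        PhaseCorrectRate = 1; PollAdjustFactor = 5; SpikeWatchPeriod = 900; UpdateInterval = 30000
    }
    # "Configure Windows NTP Client": peer list and sync type ...
    Set-PolicyValues $Name "$W32\Parameters" @{ NtpServer = $NtpServer; Type = $Type }
    # ... its provider settings, and "Enable Windows NTP Client"
    Set-PolicyValues $Name "$W32\TimeProviders\NtpClient" @{
        Enabled = 1; CrossSiteSyncFlags = 2; ResolvePeerBackoffMinutes = 15
        ResolvePeerBackoffMaxTimes = 7; SpecialPollInterval = 3600; EventLogFlags = 1
    }
    # "Enable Windows NTP Server": on for the time provider, off for clients
    Set-PolicyValues $Name "$W32\TimeProviders\NtpServer" @{ Enabled = [int]$NtpServerEnabled }
}

# Step 4: forest time provider. AnnounceFlags 5 = "always a reliable time
# source"; only the PDC emulator may receive it, so after linking, attach a
# WMI filter 'Select * from Win32_ComputerSystem where DomainRole = 5' in GPMC.
New-TimeGpo -Name 'Time Provider' -Target "OU=Domain Controllers,$dom" `
    -Type 'NTP' -NtpServer 'au.pool.ntp.org,0x8 time.windows.com,0x8' `
    -AnnounceFlags 5 -NtpServerEnabled $true

# Step 5: everything else follows the domain hierarchy. With NT5DS the
# NtpServer value is ignored; AnnounceFlags 10 is the default (announce
# according to role), so members never claim to be reliable time sources.
foreach ($ou in "OU=Servers,$dom", "OU=Workstations,$dom") {
    $ouName = $ou.Split(',')[0].Substring(3)          # "Servers" / "Workstations"
    New-TimeGpo -Name "Time Client ($ouName)" -Target $ou `
        -Type 'NT5DS' -NtpServer 'dc.superplaneteers.com' -AnnounceFlags 10 -NtpServerEnabled $false
}

# Read back what a member server will receive; on the target, every value
# tagged "(Policy)" in 'w32tm /query /configuration' must match this.
Get-GPRegistryValue -Name 'Time Client (Servers)' -Key "$W32\Parameters" |
    Select-Object ValueName, Value
```

The point of scripting it is repeatability: the same values land in every domain, and a diff of Get-GPRegistryValue output against this script is a quick way to spot a GPO that someone has edited by hand.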
Broadcasting Time Configuration using DHCP Server
Use either the GPO or the DHCP option to distribute the time server to Windows 7 and Windows 8 clients, not both. My recommendation is the GPO: the Windows Time service follows the domain hierarchy and does not act on DHCP option 042, so the option mainly helps non-Windows devices (printers, appliances, phones) that request it. For completeness, here is how to publish a time server via DHCP:
- Log on to the DHCP server, open Server Manager, click Tools, then click DHCP.
- Right-click Server Options, click Configure Options, on the General tab scroll down and tick 042 NTP Servers, type the IP address of the time server (or type its name and click Resolve), click Add, then click OK.
NTP Client Configuration for domain-joined Hyper-V Server 2012
- Create an OU in Active Directory named Hyper-V Server 2012 and move all Hyper-V servers into it.
- Right-click the Hyper-V Server 2012 OU, click Link an Existing GPO, select the time client policy you created in Step 5, and click OK.
- Repeat for other OUs as necessary. Remember that a nested OU inherits from its parent unless inheritance is blocked or it has its own linked GPO with conflicting settings.
NTP Client Configuration for non-domain-joined Hyper-V Server 2012
- Set the server to synchronise with the domain's time provider. A stand-alone host is a client, so it is marked /reliable:no; only the PDC emulator advertises itself as reliable:
w32tm /config /syncfromflags:manual /manualpeerlist:"dc.superplaneteers.com" /reliable:no /update
where dc.superplaneteers.com is the PDC emulator and time provider.
- Restart the service so the new settings take effect:
net stop w32time && net start w32time
- Synchronise the clock with the new NTP server. This must return "The command completed successfully."
w32tm /resync /rediscover
Query the time configuration to confirm it is set as intended:
w32tm /query /status
w32tm /query /peers
w32tm /query /configuration
NTP Client Configuration in ESXi Host
Open the Virtual Infrastructure Client, connect to Virtual Center, expand the datacenter and the cluster, select the ESXi host, click Configuration, click Time Configuration, then click Properties.
On the General tab, select Start and stop with host.
Click NTP Settings, click Add, type the FQDN of the domain controller, then click OK twice.
If you use host profiles in Virtual Center, click Home, click Host Profiles, create a new host profile or edit an existing one, expand Date and Time Configuration, click Time Settings, type the FQDN of the DC, and click OK.
The host takes its time from the DC while the guests on it, the DC included, take theirs from the domain and not from the host (Step 1); that one-way relationship is what keeps the hierarchy free of loops.
Time drifting error in Windows Machine
Time can drift for many reasons, for example network latency or misconfigured time services. You may find time-drift events in the Windows Server event log, as shown below. A troubleshooting guide is provided at the URL below.
Further Study
Timekeeping best practices for Windows on ESXi Host
Detailed explanation of time configuration GPO
Windows 8: Configuring AppLocker Step by Step
AppLocker is a set of customisable rules that allow or block executables, scripts, installers and packaged apps on a per-user or per-group basis. Administrators use it to meet security and licensing compliance requirements and to apply fine-grained control that aligns with corporate security policy. Rules are matched on publisher (the Authenticode signature), on path or on file hash; publisher rules are the most robust, since a path rule is defeated by copying a file into an allowed folder and a hash rule breaks with every update. You can configure the following rule collections in AppLocker via a Group Policy Object:
- Executable Rules
- Windows Installer Rules
- Script Rules
- Packaged App Rules
AppLocker is found under Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker, as shown in the picture.
An administrator creates or edits a Group Policy Object based on business needs. Rules can allow or deny applications, scripts or installers per user or per group. The following example creates a rule that allows Adobe Acrobat using AppLocker.
Right-click Executable Rules and click Create New Rule. If this is the first rule in the collection, accept the offer to create the default rules as well: without them everything outside your rule set, Windows itself included, is blocked as soon as enforcement is turned on.
On the Permissions page, click Allow, then click Next.
Select Publisher and click Next.
Click Browse, go to C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat and select Acrobat.exe. To allow only this exact version, click Next; otherwise drag the slider up to Product name, so that any version of Adobe Acrobat from this publisher is allowed by the rule.
On the Exceptions page, click Next.
On the Name page, click Create.
You will now see the rule in the following screen. Before switching the collection from Audit only to Enforce rules, make sure the Application Identity service is running on the target computers (AppLocker does nothing without it) and review the AppLocker event log for entries that would have been blocked.
AppLocker is a robust tool to manage corporate compliance and security on the desktop and server platform.
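The same Acrobat publisher rule built with the AppLocker PowerShell module, as an added example that is not part of the original article. It starts the rule collection in audit mode, merges it into the existing local policy, tests the decisions the policy produces for a few binaries, and reads the audit events. The Acrobat path is the one used above; the unsigned test binary under C:\Tools is an assumption, as is the LDAP path shown for deploying to a domain GPO.

```powershell
# Added example, not from the original article: create, test and audit an
# AppLocker publisher rule for Acrobat from PowerShell.
# Assumptions not in the article: Acrobat lives in $AcrobatDir (taken from the
# walkthrough), and C:\Tools\unsigned.exe is an unsigned binary used to
# demonstrate a Denied decision.
Import-Module AppLocker -ErrorAction Stop

$AcrobatDir = 'C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat'
$RuleXml    = Join-Path $env:TEMP 'AppLocker-Acrobat.xml'
$EffXml     = Join-Path $env:TEMP 'AppLocker-Effective.xml'

function New-AcrobatPublisherRuleXml {
    # Publisher rules key on the Authenticode signer, product and binary name
    # rather than path or hash, so they survive updates (the "Product name"
    # slider position in the GPMC wizard).
    $info   = Get-AppLockerFileInformation -Directory $AcrobatDir -FileType Exe -Recurse
    $signed = $info | Where-Object { $_.Publisher }   # unsigned files cannot get a publisher rule
    if (-not $signed) { throw "No signed executables found under $AcrobatDir" }
    # -Optimize collapses the per-file rules into one rule per publisher/product.
    [xml]$policy = New-AppLockerPolicy -FileInformation $signed -RuleType Publisher `
                                       -User Everyone -Optimize -Xml
    # Audit first: the collection logs what it would block instead of blocking.
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $policy.Save($RuleXml)
    return $RuleXml
}

function Test-Decisions {
    param([string]$PolicyXml, [string[]]$Paths)
    # What the policy would decide for each binary, before anything is enforced.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$xml = New-AcrobatPublisherRuleXml
# -Merge keeps the rules already present locally, including the default rules
# that allow %WINDIR% and %PROGRAMFILES%; without them everything else is denied.
# For a domain GPO use: Set-AppLockerPolicy -XmlPolicy $xml -Merge `
#   -Ldap "LDAP://<dc>/CN={<GPO GUID>},CN=Policies,CN=System,DC=superplaneteers,DC=com"
Set-AppLockerPolicy -XmlPolicy $xml -Merge

Get-AppLockerPolicy -Effective -Xml | Set-Content $EffXml
Test-Decisions -PolicyXml $EffXml -Paths @(
    "$AcrobatDir\Acrobat.exe",          # expected: Allowed by the new publisher rule
    'C:\Windows\System32\calc.exe',     # Allowed only if the default rules are present
    'C:\Tools\unsigned.exe'             # assumed unsigned test file: expected Denied
)

# AppLocker needs the Application Identity service. Event 8003 = would have
# been blocked (audit mode), 8004 = blocked (enforce mode).
Start-Service AppIDSvc
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

Run the audit for long enough to cover a normal working cycle; only when the 8003 events show nothing legitimate being caught should the collection's EnforcementMode be changed to Enabled.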
Advanced Group Policy Object Management 4.0
Why do you need Advanced Group Policy Management (AGPM)? If you are a mid-sized or large organisation with several Group Policy administrators across multiple sites, each playing their part in Group Policy administration but without proper control over who does what, your production environment is in real trouble: any one of them can change a policy that executes on every computer it is linked to. In this scenario, AGPM provides role-based GPO management, controlling who can review, edit, approve and deploy Group Policy objects. AGPM also becomes an integral part of your organisation's change-control practice. It can improve GPO deployment and give the IT department better oversight. You can use AGPM to track each version of each GPO and its history, just as application developers use version control to track source code. AGPM ships in the Microsoft Desktop Optimization Pack (MDOP). A generic GPO deployment process using AGPM is as follows.
AGPM consists of a server component (the AGPM Service) and a client component (the AGPM snap-in). You install Microsoft Advanced Group Policy Management – Server on a system that has access to the policies you want to manage; it can be installed on a domain controller. The AGPM Client is installed on any system from which Group Policy administrators review, edit and deploy GPOs. AGPM provides advanced change-control features that help you manage the lifecycle of GPOs. The following is the Change Control view of AGPM.
The following steps are necessary to change and deploy a GPO:
Check out the GPO from the archive.
Edit the GPO as necessary.
Check in the GPO to the archive.
Deploy the GPO to production.
A controlled GPO cannot be changed by any Group Policy administrator without checking it out and, for deployment, obtaining prior approval. AGPM keeps a history of changes for each GPO, as shown in the screenshot.
You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version if necessary. AGPM can also compare different versions of a GPO, showing added, changed, or deleted settings. Therefore, you can easily review changes before approving and deploying them to the production environment. In addition, a complete history of each GPO enables you to audit not only changes but also all activities related to that GPO.
Role-Based Delegation: Group Policy already provides a rich delegation model that allows you to delegate administration to regional and task-oriented administrators. AGPM provides a role-based delegation model that adds a review and approval step to the workflow, as shown below delegation model.
Role | View | Compare | Edit | Create | Approve | Deploy |
Reviewer | √ | √ | × | × | × | × |
Editor | √ | √ | √ | √ | × | × |
Approver | √ | √ | √ | √ | √ | √ |
Cross-Forest Management: AGPM 4.0 also introduces cross-forest management. You can use the following process to copy a controlled GPO from a domain in one forest to a domain in a second forest:
Export the GPO from domain A in the first forest to a CAB file, by using AGPM. Import the GPO into the archive in domain B in the second forest, by using AGPM.
When you import the GPO into the second forest, you can import it as a new controlled GPO. You can also import it to replace the settings of an existing GPO that is checked out of the archive.
Install AGPM Server: Computers on which you install AGPM must meet the following requirements, and you must be a domain admin to create AGPM roles. If you have AGPM 3.0 installed, you do not have to upgrade the operating system before you upgrade to AGPM 4.0. The AGPM Server requirements are as follows.
- GPMC Features for Windows Server 2008 R2 or Windows Server 2008
- Remote Server Administration Tools for Windows 7
- WCF Activation; Non-HTTP Activation
- Windows Process Activation Service
- Process Model
- .NET 3.5 SP1 Environment
- Configuration APIs
You can install AGPM Server on the member server or domain controller that will run the AGPM Service, and then configure the archive. All AGPM operations are managed through this Windows service and are executed with the service's credentials, which is why the choice of service account below matters. The archive managed by an AGPM Server can be hosted on that server or on another server in the same forest. Log on with an account that is a member of the Domain Admins group. Start the Microsoft Desktop Optimization Pack CD and follow the on-screen instructions to select Advanced Group Policy Management – Server.
In the Welcome dialog box>click Next>accept the terms and then click Next.
In the Application Path dialog box, select a location in which to install AGPM Server. The computer on which AGPM Server is installed will host the AGPM Service and manage the archive. Click Next.
In the AGPM Service Account dialog box, select a service account under which the AGPM Service will run and then click Next.
This account must be a member of either the Domain Admins group or, for a least-privilege configuration, the following groups in each domain managed by the AGPM Server: Group Policy Creator Owners and Backup Operators. Prefer the least-privilege option: every AGPM operation runs as this account, so giving it Domain Admins membership makes the AGPM Server as sensitive as a domain controller.
In the Port Configuration dialog box, type a port on which the AGPM Service should listen. Do not clear the Add port exception to firewall check box unless you manually configure port exceptions or use rules to configure port exceptions. Click Next.
Click Install, and then click Finish to exit the Setup Wizard.
Important! Do not change settings for the AGPM Service through Administrative Tools and Services in the operating system. Doing this can prevent the AGPM Service from starting.
Install AGPM Client: AGPM Client 4.0 requires Windows Server 2008 R2, Windows Server 2008 or Windows 7, plus the GPMC from RSAT. Both 32-bit and 64-bit versions are supported. AGPM Client can be installed on a computer that is running AGPM Server. The AGPM Client requirements are as follows.
- GPMC for Windows Server 2008 or Windows 7
- Remote Server Administration Tools for Windows 7
- .NET Framework 3.0 or later version Features
Before you begin this scenario, create four user accounts for AGPM Administrator (Full Control), Approver, Editor, and Reviewer. These accounts must be able to send and receive e-mail messages. Assign Link GPOs permission to the accounts that have the AGPM Administrator, Approver and Editor roles.
Each Group Policy administrator—anyone who creates, edits, deploys, reviews, or deletes GPOs—must have AGPM Client installed on computers that they use to manage GPOs. For this scenario, you install AGPM Client on at least one computer. You do not need to install AGPM Client on the computers of end users who do not perform Group Policy administration. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select Advanced Group Policy Management – Client.
In the Welcome dialog box, click Next>accept the terms and then click Next>select a location in which to install AGPM Client. Click Next.
In the AGPM Server dialog box, type the DNS name or IP address for the AGPM Server and the port to which you want to connect. The default port for the AGPM Service is 4600. Do not clear the Allow Microsoft Management Console through the firewall check box unless you manually configure port exceptions or use rules to configure port exceptions. Click Next.
In the Languages dialog box, select one or more display languages to install for AGPM Client.
Click Install>click Finish to exit the Setup Wizard.
To configure an AGPM Server connection for all GPO administrators
On a computer on which you have installed AGPM Client, log on with the user account that you selected as the Archive Owner. Click Start, point to Administrative Tools and click Group Policy Management to open the GPMC.
In the details pane, double-click AGPM: Specify default AGPM Server (all domains). In the Properties window, select Enabled and type the DNS name or IP address and port (for example, MicrosoftGURU.com.au:4600) of the server hosting the archive. Click OK, then close the Group Policy Management Editor window.
Configure e-mail notification: As an AGPM Administrator (Full Control), you can designate the e-mail addresses of the Approvers and AGPM Administrators to whom a request message is sent when an Editor tries to create, deploy or delete a GPO. In the details pane, click the Domain Delegation tab. In the From e-mail address field, type the sender address; in the To e-mail address field, type the e-mail address of the user account to which you intend to assign the Approver role; then type a valid SMTP mail server. In the User name and Password fields, type the credentials of a user who has access to the SMTP service. Click Apply.
To delegate access to all GPOs throughout a domain: On the Domain Delegation tab>click the Add button>select the user account from Domain>Select GPO Role as Editor>click OK. Repeat the process for Reviewer and Approver Role.
Create a GPO: In an environment that has multiple Group Policy administrators, those with the Editor role can request that new GPOs be created. However, that request must be approved by someone with the Approver role.
On a computer on which you have installed AGPM Client, log on with a user account that is assigned the Editor role in AGPM. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs. Right-click the Change Control node and click New Controlled GPO.
Type a name and a comment for the GPO, then click Submit. The new GPO is displayed on the Pending tab.
To approve the pending request to create a GPO
On a computer on which you have installed AGPM Client, log on with a user account that has the role of Approver in AGPM. Open the e-mail inbox for the account, and notice that you have received an e-mail message from the AGPM alias with the Editor’s request to create a GPO.
In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs. On the Contents tab, click the Pending tab to display the pending GPOs. Right-click the pending GPO and click Approve. Click Yes to confirm the approval and move the GPO to the Controlled tab.
Edit a GPO: You can use GPOs to configure computer or user settings and deploy them to many computers or users. In this step, you use an account that has the Editor role to check out a GPO from the archive, edit the GPO offline, check the edited GPO back into the archive, and request deployment of the GPO to the production environment. For this scenario, you configure a setting in the GPO that sets the account lockout duration to 30 minutes.
On a computer on which you have installed AGPM Client, log on with a user account that has the role of Editor in AGPM. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs. Right-click the GPO, click Check Out, type a comment and click OK, then click Close. Edit the checked-out GPO (the editing steps are described below), then right-click it and click Check In.
To request deployment of the GPO to the production environment: on the Controlled tab, the state of the GPO is now shown as Checked In; right-click the GPO and click Deploy.
Because this account is not an Approver or AGPM Administrator, you must submit a request for deployment. To receive a copy of the request, type your e-mail address in the Cc field. Type a comment to be displayed in the history of the GPO, and then click Submit.
When the AGPM Progress window indicates that overall progress is complete, click Close. MyGPO is displayed on the list of GPOs on the Pending tab.
Review and deploy a GPO: In this step, you act as an Approver, creating reports and analyzing the settings and changes to settings in the GPO to determine whether you should approve them. After you evaluate the GPO, you deploy it to the production environment and link the GPO to a domain or an organizational unit (OU). The GPO takes effect when Group Policy is refreshed for computers in that domain or OU.
On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver in AGPM. Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO.
Open the e-mail inbox for the account and notice that you have received an e-mail message from the AGPM alias with an Editor’s request to deploy a GPO. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.
On the Contents tab in the details pane>click the Pending tab>Double-click a single managed GPO to display its history. Review the settings in the most recent version of GPO.
To deploy the GPO to the production environment
On the Pending tab, right-click a single managed GPO and then click Approve.
Type a comment to include in the history of the GPO>Click Yes. When the AGPM Progress window indicates that overall progress is complete, click Close.
To link the GPO to a domain or organizational unit
In the GPMC, right-click either the domain or an organizational unit (OU) to which you want to apply the GPO that you configured, and then click Link an Existing GPO. In the Select GPO dialog box>click selected GPO>click OK.
Use a template to create a GPO: In this step, you use an account that has the Editor role to create and use a template. That template is a static version of a GPO for use as a starting point for creating new GPOs. Although you cannot edit a template, you can create a new GPO based on a template. Templates are useful for quickly creating multiple GPOs that include many of the same policy settings.
On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Editor in AGPM. In the Group Policy Management Console tree>click Change Control>Click manage GPOs.
On the Contents tab in the details pane>click the Controlled tab>Right-click on a single GPO>click Save as Template to create a template incorporating all settings currently in GPO.
Type a name of Template and a comment, then click OK>click Close. To request that a new GPO be created and managed through AGPM. Click the Controlled tab>Right-click the Change Control node>click New Controlled GPO.
In the New Controlled GPO dialog box, type your e-mail address in the Cc field. Type a name of GPO as the name for the new GPO. Type a comment for the new GPO.
Click Create live so that the new GPO will be deployed to the production environment immediately upon approval.
For From GPO template>select Template>Click Submit>click Close. The new GPO is displayed on the Pending tab.
To check the GPO out from the archive for editing
On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Editor in AGPM. Right-click GPO>click Check Out>Type a comment to be displayed in the history of the GPO while it is checked out>click OK>click Close. On the Controlled tab, the state of the GPO is identified as Checked Out.
To edit the GPO offline and configure the account lockout duration
On the Controlled tab, right-click the GPO and click Edit to open the Group Policy Management Editor window and change an offline copy of the GPO. For this scenario, configure the account lockout duration:
Under Computer Configuration>double-click Policies>Click Windows Settings>Click Security Settings>Click Account Policies>Click Account Lockout Policy.
In the details pane, double-click Account lockout duration. In the properties window, check Define this policy setting, set the duration to 30 minutes, and then click OK.
Close the Group Policy Management Editor window.
To compare a GPO to another GPO and to a template
To compare Test GPO1 and Test GPO2, On the Controlled tab, click Test GPO1>Press CTRL and click Test GPO2. Right-click Test GPO2, point to Differences, and then click HTML Report.
To delete a GPO
On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.
On the Contents tab>click the Controlled tab to display the controlled GPOs>Right-click GPO, and then click Delete. Click Delete GPO from archive and production to delete both the version in the archive and the deployed version of the GPO in the production environment. Type a comment to be displayed in the audit trail for the GPO>click OK>click Close.
To restore a deleted GPO
On the Contents tab>click the Recycle Bin tab to display deleted GPOs>Right-click GPO>click Restore.
Type a comment to be displayed in the history of the GPO>click OK> click Close.
Important! Restoring a GPO to the archive does not automatically redeploy it to the production environment.
To roll back to an earlier version of a GPO
On the Contents tab>click the Controlled tab>Double-click MyGPO to display its history>Right-click the version to be deployed>click Deploy>click Yes>click Close.
Last but not least, PowerShell is very handy for working with GPOs on the fly. The GroupPolicy module is installed with the GPMC (part of RSAT); the ActiveDirectory module, if you also want it, additionally requires Active Directory Web Services on at least one domain controller. Install PowerShell v2 or later on a utility server or a Windows 7 admin PC, open a PowerShell window as an administrator and type the following commands:
Get-Command -Module GroupPolicy
Get-Command -Module GroupPolicy | Get-Help
PowerShell cmdlets for GPO management and their functions:
Cmdlet | Function
Backup-GPO | Backs up one GPO or all GPOs in a domain
Copy-GPO | Copies a GPO
Get-GPInheritance | Retrieves Group Policy inheritance information for a domain or OU
Get-GPO | Gets one GPO or all GPOs in a domain
Get-GPOReport | Generates a report in XML or HTML format for one GPO or all GPOs
Get-GPPermissions | Gets the permission level for one or more security principals on a GPO
Get-GPPrefRegistryValue | Retrieves one or more registry preference items from a GPO
Get-GPRegistryValue | Retrieves one or more registry-based policy settings from a GPO
Get-GPResultantSetOfPolicy | Outputs the Resultant Set of Policy (RSoP) information for a user, a computer or both
Get-GPStarterGPO | Gets one Starter GPO or all Starter GPOs in a domain
Import-GPO | Imports the Group Policy settings from a backed-up GPO into a target GPO
New-GPLink | Links a GPO to a site, domain or OU
New-GPO | Creates a new GPO
New-GPStarterGPO | Creates a new Starter GPO
Remove-GPLink | Removes a GPO link from a site, domain or OU
Remove-GPO | Deletes a GPO
Remove-GPPrefRegistryValue | Removes one or more registry preference items from a GPO
Remove-GPRegistryValue | Removes one or more registry-based policy settings from a GPO
Rename-GPO | Assigns a new display name to a GPO
Restore-GPO | Restores one GPO or all GPOs in a domain from one or more backups
Set-GPInheritance | Blocks or unblocks inheritance for a specified domain or OU
Set-GPLink | Sets the properties of the specified GPO link
Set-GPPermissions | Grants a level of permissions to a security principal for one or all GPOs
Set-GPPrefRegistryValue | Configures a registry preference item in a GPO
Set-GPRegistryValue | Configures one or more registry-based policy settings in a GPO
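A script that puts several of these cmdlets to work, written for this page as an added example (it is not from the original article or from AGPM): it takes a timestamped backup of every GPO before a change, the same "version you can roll back to" idea AGPM's archive provides, and then lists every GPO that a principal outside an allow-list can edit. That check matters because the right to edit a GPO linked to an OU is effectively the right to run code on every computer in that OU, which is the whole reason for AGPM's check-out and approval workflow. The backup path and the allow-list of trustees are assumptions.

```powershell
# Added example, not from the original article: baseline backup of all GPOs
# plus an audit of who can modify them.
# Assumptions not in the article: $BackupRoot and the $AllowedEditors list.
Import-Module GroupPolicy -ErrorAction Stop

$BackupRoot     = 'D:\GPO-Backups'
$EditPerms      = 'GpoEdit', 'GpoEditDeleteModifySecurity'
$AllowedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM',
                    'ENTERPRISE DOMAIN CONTROLLERS', 'GPO Editors')   # adjust to your delegation model

function Backup-AllGpos {
    # Versioned, timestamped copy of every GPO; Restore-GPO or Import-GPO
    # bring any single one back (the manual equivalent of AGPM's rollback).
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Backup-GPO -All -Path $dest -Comment "Pre-change baseline by $env:USERNAME" | Out-Null
    # One HTML report of all settings, handy for a before/after diff.
    Get-GPOReport -All -ReportType Html -Path (Join-Path $dest 'AllGPOs.html')
    return $dest
}

function Get-GpoLinks {
    param([guid]$Id)
    # The XML report lists where the GPO is linked (LinksTo/SOMPath).
    $report = [xml](Get-GPOReport -Guid $Id -ReportType Xml)
    return (@($report.GPO.LinksTo.SOMPath) -join '; ')
}

function Find-UnexpectedGpoEditors {
    # Get-GPPermission(s) returns each trustee's level on the GPO; anything at
    # edit level that is not on the allow-list is a delegation to review.
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -in $EditPerms -and
                           $_.Trustee.Name -notin $AllowedEditors } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                    Inherited  = $_.Inherited
                    LinkedTo   = Get-GpoLinks -Id $gpo.Id
                }
            }
    }
}

$dest = Backup-AllGpos
Write-Output "Backups written to $dest"
# Anything listed here with a non-empty LinkedTo column is a live path to code
# execution on the computers under that OU.
Find-UnexpectedGpoEditors | Sort-Object GPO | Format-Table -AutoSize
```

Running the audit on a schedule and diffing its output against the previous run catches delegation changes that AGPM alone will not show, since AGPM controls edits made through its own workflow, not permissions granted directly in the GPMC.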
Relevant References:
Active Directory Best Practice
Download Advanced Group Policy from TechNet
Finally! Copy and merge GPOs! PowerShell saves the day!
Microsoft® Desktop Optimization Pack (MDOP)
Choosing Which Version of AGPM to Install
Remove initial configuration wizard on Windows Server 2008 using GPO
Open the GPO management console with administrative privileges. Create and link a GPO to the Enterprise Server OU: right-click the Enterprise Server OU, click Properties, then locate the Server Manager section in the GPO under Computer Configuration > …
How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step
WPAD stands for Web Proxy Auto-Discovery Protocol. A WPAD entry carries the proxy settings for clients. Windows clients use WPAD to obtain proxy information from DHCP and DNS servers: they query for the WPAD entry and receive the address of the WPAD …
Group Policy for Windows 7 and Windows Server 2008 R2
Microsoft Advanced Group Policy Management (AGPM) 4.0 adds advanced control and management features for computers running Windows 7 and Windows Server 2008 R2. Systems administrators can apply change control to each feature deployed through GPO. AGPM 4.0 introduces …
Ban portable application/games through GPO
- Open the GPO management console
- Right-click and edit the specific GPO, or create and link a new GPO and edit it
- User Configuration > Security Settings > Software Restriction Policies
- Right-click Software Restriction Policies > create
- Right-click Additional Rules > New Hash …
How to create Admin image of Solidworks 2009 and deploy through GPO or command prompt
You must have the SolidWorks license server installed and running before you prepare the admin image. Step1: Open a Command Prompt window (in Windows, click Start, Run, type cmd, and click OK) and enter: msiexec /a \\yourserver\solidworks2009\swwi\data\English_i386_SolidWorks.msi In the SolidWorks Setup Wizard, …