Deploy Work Folder in Azure Cloud

The concept of Work Folder is to store users' data in a convenient location. Users can access the work folder from BYOD and corporate SOE devices from anywhere. Work Folder facilitates flexible and secure use of corporate information from supported devices. … Continue reading

Windows Time Configuration Best Practice—Step by Step

The Windows Time service (W32tm) provides the time synchronisation that Kerberos authentication in Microsoft Active Directory requires. The Windows Time service ensures that the entire server and client fleet in an organization running Microsoft operating systems uses a common and correct time.
To ensure correct time usage, the Windows Time service uses a hierarchical control of time services and avoids any loops in the time hierarchy. In this hierarchy, the domain controller that holds the PDC emulator FSMO role at the root of the forest becomes authoritative for the organization. By default, Windows-based domain-joined computers use the following hierarchy:

  • All client desktop computers and member servers nominate the authenticating domain controller as their in-bound time partner.
  • All secondary domain controllers and RODCs in a domain nominate the primary domain controller (PDC) emulator as their in-bound time partner.
  • All PDC emulators follow the hierarchy of domains in the selection of their in-bound time partner.

Microsoft recommends the following:

  • Configure the authoritative time server to obtain the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication between the PDC and the external time source.
  • Reduce the time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security for your domain.

Before you configure the NTP server and clients, you must consider the following for time services on a virtualized domain controller and/or virtual machines.

  • There must be a single time provider in your infrastructure. You cannot have a domain controller, a Hyper-V host and an ESXi host all acting as time providers. Only a domain controller is your time provider, and that domain controller syncs its time with a hardware time provider or an Internet time provider.
  • Never put a virtualized domain controller in a saved state.
  • Never sync a domain controller's time with the virtual host.
  • Uncheck Time synchronization in the Integration Services if the DC and virtual servers are virtualized on Hyper-V.
  • Uncheck time synchronization for the DC and virtual machines in the VMware Tools configuration.
  • Do not restore a snapshot to a production domain controller (PDC).

Step 1: Remove Time Synchronisation of Guest with Host

Follow this procedure if the host is a Hyper-V host:

1. If the virtual machine is on Hyper-V, right-click the VM, click Settings, and choose Integration Services under Management.

2. Under Integration Services, uncheck Time synchronization.

3. Click OK.

Follow this procedure if the host is an ESXi host:

1. If the virtual machine is on VMware ESXi, right-click the VM and click Edit Settings.

2. Click Options, click VMware Tools, uncheck Synchronize guest time with host, and click OK.

Step 2: Configure Cisco Switch as NTP Source

Enter global configuration mode:

switch# config t

Enable NTP:

switch(config)# ntp enable

Show the NTP status:

switch(config)# show ntp status

Configure the NTP server:

switch(config)# ntp server {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]

Configure the NTP peer to communicate with over the specified NTP server:

switch(config)# ntp peer {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]

Display the configured servers and peers:

switch(config)# show ntp peers

Save the changes:

switch(config)# copy running-config startup-config

Follow this example to configure a Cisco Catalyst 6000 series switch as the NTP source on a high-availability Catalyst 6000 switch. The Cisco NTP guide is available here.

Step 3: Configure a Domain Controller as an NTP Server

Follow this procedure to configure the NTP server using an elevated command line; otherwise use Step 4 to configure the NTP server using a GPO. My recommended approach is GPO instead of the command line, but if you are a command line junkie then you can use these commands.

  1. Find out whether the server on which you are configuring the NTP provider is the PDC emulator. Command to issue on the PDC emulator:

netdom query fsmo

  2. Run the following command from an elevated command prompt to stop the time service:

net stop w32time

  3. Completely remove all time settings from the registry. You may have to run this twice, because you may get an access denied error; if you get access denied, just run it again.

w32tm /unregister

  4. Re-create the registry settings:

w32tm /register

  5. Start the service:

net start w32time

  6. Set the server to sync with the NTP servers on pool.ntp.org. To find the correct time pool for your region, visit http://www.pool.ntp.org/en/ and click your region in the right-hand panel to find the NTP servers for your time zone. The example is an Australian time zone setup.

w32tm /config /syncfromflags:manual /manualpeerlist:"au.pool.ntp.org time.windows.com" /reliable:yes /update

When using a hardware time source, use this command instead:

w32tm /config /syncfromflags:manual /manualpeerlist:"<IP address (or DNS name, if available) of the Cisco core switch>" /reliable:yes /update

  7. Update the configuration:

w32tm /config /update

  8. Restart the service so the new settings take effect:

net stop w32time && net start w32time

  9. Sync the clock to your new NTP servers. This needs to return "The command completed successfully."

w32tm /resync /rediscover

  10. Query the time configuration to make sure time is configured as desired:

w32tm /query /status

w32tm /query /peers

w32tm /query /configuration
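The command-line steps above, wrapped in a script with the checks a practitioner would want before and after: it refuses to run on anything but the PDC emulator, retries the unregister step as the post advises, and parses the final status instead of eyeballing it. This is an added example and not part of the original post; it assumes the ActiveDirectory RSAT module is present on the DC, an elevated prompt, and that $Peers holds your own upstream sources (the pool names are placeholders).

```powershell
# Added example, not from the original post: Step 3 as a script, with checks.
# Assumptions: ActiveDirectory RSAT module on the DC, elevated prompt, and $Peers
# holding your own upstream sources (regional pool or hardware source; placeholders).
param(
    [string[]]$Peers = @('au.pool.ntp.org', 'time.windows.com')   # placeholder upstream sources
)

Import-Module ActiveDirectory

# 3.1 Only the PDC emulator gets a manual peer list and /reliable:yes. Any other DC
#     should keep following the domain hierarchy, so refuse to run elsewhere.
$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($me -ne $pdc) {
    throw "$me is not the PDC emulator ($pdc); do not set a manual peer list here."
}

# 3.2-3.5 Reset the service registration so no stale settings survive. The post
#         notes /unregister can fail with access denied once and should be rerun.
net stop w32time | Out-Null
$attempt = 0
do {
    $attempt++
    w32tm /unregister | Out-Null
} while ($LASTEXITCODE -ne 0 -and $attempt -lt 2)
w32tm /register | Out-Null
net start w32time | Out-Null

# 3.6 Manual peer list; /reliable:yes advertises this DC as a reliable time source.
$peerList = $Peers -join ' '
w32tm /config /syncfromflags:manual /manualpeerlist:"$peerList" /reliable:yes /update | Out-Null

# 3.8-3.9 Restart and force a resync. /resync returns non-zero when no peer answered.
Restart-Service w32time
w32tm /resync /rediscover | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Resync failed; check that UDP 123 to '$peerList' is reachable and not filtered."
}

# 3.10 Verify by parsing 'w32tm /query /status'. A Source of 'Local CMOS Clock' or
#      'Free-running System Clock', or stratum 16, means the PDC is handing its own
#      unsynchronised clock to the whole forest.
function Get-W32TimeSyncState {
    $text    = (w32tm /query /status) -join "`n"
    $source  = if ($text -match '(?m)^Source:\s*(.+?)\s*$') { $Matches[1] } else { 'unknown' }
    $stratum = if ($text -match '(?m)^Stratum:\s*(\d+)')    { [int]$Matches[1] } else { 16 }
    $synced  = ($stratum -lt 16) -and ($source -notmatch 'Local CMOS Clock|Free-running System Clock')
    return New-Object PSObject -Property @{ Source = $source; Stratum = $stratum; Synchronised = $synced }
}

$state = Get-W32TimeSyncState
if ($state.Synchronised) {
    Write-Host "PDC synchronised from '$($state.Source)' at stratum $($state.Stratum)."
} else {
    Write-Warning "PDC not synchronised (source '$($state.Source)', stratum $($state.Stratum)); clients will inherit a bad clock."
}
```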

Step 4: Configure an NTP Server using a Group Policy Object

  1. Open the Group Policy Management Console, right-click the Domain Controllers OU, click New Group Policy, type the name of the GPO as Time Provider, and click OK.
  2. Right-click the Time Provider GPO, click Edit, and expand to Computer Configuration\Administrative Templates\System\Windows Time Service.
  3. Right-click Configure Global Configuration Settings, click Edit, click Enabled, and click OK. Example shown below.

Clock Discipline Parameters

  FrequencyCorrectRate      4
  HoldPeriod                5
  LargePhaseOffset          50000000
  MaxAllowedPhaseOffset     300
  MaxNegPhaseCorrection     300
  MaxPosPhaseCorrection     300
  PhaseCorrectRate          1
  PollAdjustFactor          5
  SpikeWatchPeriod          900
  UpdateInterval            30000

General Parameters

  AnnounceFlags             5
  EventLogFlags             2
  LocalClockDispersion      10
  MaxPollInterval           10
  MinPollInterval           6
  ChainEntryTimeout
  ChainMaxEntries
  ChainMaxHostEntries
  ChainDisable
  ChainLoggingRate

  4. Expand to Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and enable both the Enable Windows NTP Client and the Enable Windows NTP Server policies. Double-click Configure Windows NTP Client settings and type the NTP server name (example shown below):

  NtpServer                   au.pool.ntp.org time.windows.com
                              OR the IP address of the Cisco core switch if you are using a hardware time provider
  Type                        NTP
  CrossSiteSyncFlags          2
  ResolvePeerBackoffMinutes   15
  ResolvePeerBackoffMaxTimes  7
  SpecialPollInterval         3600
  EventLogFlags               1

Standard time configuration should look like this:

  Location: Computer Configuration\Administrative Templates\System\Windows Time Service
    Configure Global Configuration Settings: Enabled (settings: Default)

  Location: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
    Configure Windows NTP Client settings: Enabled (settings: au.pool.ntp.org time.windows.com)
    Enable Windows NTP Client: Enabled
    Enable Windows NTP Server: Enabled

Step 5: Create and link a separate GPO for domain-joined clients or servers

  1. Open the Group Policy Management Console, right-click the Domain Controllers OU, click New Group Policy, type the name of the GPO as Time Provider, and click OK.
  2. Right-click the Time Provider GPO, click Edit, and expand to Computer Configuration\Administrative Templates\System\Windows Time Service.
  3. Right-click Configure Global Configuration Settings, click Edit, click Enabled, and click OK. Example shown below.

Clock Discipline Parameters

  FrequencyCorrectRate      4
  HoldPeriod                5
  LargePhaseOffset          50000000
  MaxAllowedPhaseOffset     300
  MaxNegPhaseCorrection     300
  MaxPosPhaseCorrection     300
  PhaseCorrectRate          1
  PollAdjustFactor          5
  SpikeWatchPeriod          900
  UpdateInterval            30000

General Parameters

  AnnounceFlags             5
  EventLogFlags             2
  LocalClockDispersion      10
  MaxPollInterval           10
  MinPollInterval           6
  ChainEntryTimeout
  ChainMaxEntries
  ChainMaxHostEntries
  ChainDisable
  ChainLoggingRate

  4. Expand to Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and enable both the Enable Windows NTP Client and the Enable Windows NTP Server policies. Double-click Configure Windows NTP Client settings and type the NTP server name (example shown below):

  NtpServer                   dc.superplaneteers.com
  Type                        NT5DS
  CrossSiteSyncFlags          2
  ResolvePeerBackoffMinutes   15
  ResolvePeerBackoffMaxTimes  7
  SpecialPollInterval         3600
  EventLogFlags               1

Standard configuration should look like this:

  Location: Computer Configuration\Administrative Templates\System\Windows Time Service
    Configure Global Configuration Settings: Enabled (settings: Default)

  Location: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
    Configure Windows NTP Client settings: Enabled (settings: NT5DS)
    Enable Windows NTP Client: Enabled
    Enable Windows NTP Server: Disabled
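To verify that the GPO-delivered settings from Steps 4 and 5 actually took effect on a given host, the following added example (not from the original post) parses the output of w32tm /query /configuration and compares it against the two profiles in the tables above; because every value in that output is tagged (Local) or (Policy), it also shows whether a setting came from Group Policy or was typed in by hand. It assumes an elevated prompt on the host being audited; the role names DC and Member are this example's own.

```powershell
# Added example, not from the original post: audit the effective W32Time settings
# against the two profiles in the Step 4 / Step 5 tables. Assumptions: elevated
# prompt on the host being checked; -Role DC for a domain controller under the
# Time Provider GPO, -Role Member for a client/server under the Step 5 GPO.
param([ValidateSet('DC', 'Member')][string]$Role = 'Member')

# Parse 'w32tm /query /configuration' into nested hashtables. Section headers look
# like '[Configuration]' or 'NtpClient (Local)'; values look like 'Type: NT5DS (Local)'.
function ConvertFrom-W32tmConfiguration([string[]]$Lines) {
    $config  = @{}
    $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(\w+)\]$' -or $line -match '^(\w+) \((Local|Policy)\)$') {
            $section = $Matches[1]
            $config[$section] = @{}
        }
        elseif ($section -and $line -match '^(\w+):\s*(.*?)\s*\((Local|Policy)\)$') {
            $config[$section][$Matches[1]] = @{ Value = $Matches[2]; Source = $Matches[3] }
        }
    }
    return $config
}

function Test-W32TimeProfile([hashtable]$Config, [string]$Role) {
    $findings = @()
    $global = $Config['Configuration']
    $client = $Config['NtpClient']
    $server = $Config['NtpServer']
    $vmic   = $Config['VMICTimeProvider']

    # Expected values are the ones the post's GPO tables set for each role.
    if ($Role -eq 'DC') { $wantType = 'NTP';   $wantServer = '1' }
    else                { $wantType = 'NT5DS'; $wantServer = '0' }

    if ($client.Type.Value -ne $wantType) {
        $findings += "NtpClient Type is '$($client.Type.Value)' ($($client.Type.Source)); expected $wantType for role $Role"
    }
    if ($server.Enabled.Value -ne $wantServer) {
        $findings += "NtpServer provider Enabled=$($server.Enabled.Value); expected $wantServer for role $Role"
    }
    if ($Role -eq 'DC' -and $global.AnnounceFlags.Value -ne '5') {
        $findings += "AnnounceFlags is $($global.AnnounceFlags.Value); the Time Provider GPO sets 5"
    }
    # A host in scope of the GPO whose Type still reads (Local) did not get the policy;
    # hand-typed w32tm settings are invisible to the next admin looking in GPMC.
    if ($client.Type.Source -ne 'Policy') {
        $findings += "NtpClient Type comes from Local configuration, not Group Policy"
    }
    # Step 1 says guest/host time sync must be off on virtualized DCs; the Hyper-V
    # provider being enabled is worth a look even though the checkbox lives on the host.
    if ($vmic -and $vmic.Enabled.Value -eq '1') {
        $findings += "VMICTimeProvider is enabled: confirm Time synchronization is unchecked in Integration Services (Step 1)"
    }
    return ,$findings
}

$cfg      = ConvertFrom-W32tmConfiguration (w32tm /query /configuration)
$findings = Test-W32TimeProfile -Config $cfg -Role $Role
if ($findings.Count -eq 0) { Write-Host "W32Time configuration matches the $Role profile." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```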

Broadcasting Time Configuration using DHCP Server

Note that you should use either a GPO to configure time or DHCP to broadcast time for Windows 7 and Windows 8 clients, not both. My recommendation is to use a GPO to configure time for Windows clients. However, here is a guide on how to configure Windows Time via DHCP.

  1. Log on to the DHCP server, click Server Manager, click Tools, click DHCP Manager.
  2. Click Server Options, click Properties, on the General tab scroll down and select 042 Time Servers, type the IP address of the time server, click Resolve, click Add, click OK.

NTP Client Configuration for domain-joined Hyper-V Server 2012

  1. Create an OU in Active Directory named Hyper-v Server 2012. Place all Hyper-V servers in that OU.
  2. Right-click the Hyper-v Server 2012 OU that you want to apply this policy to and click "Link an Existing GPO". Highlight the time policy you created in Step 5, then select it and click OK.
  3. Repeat for other OUs as necessary. Remember that a nested OU will inherit from its parent unless inheritance is blocked or unless it has its own linked GPO with conflicting settings.

NTP Client Configuration for non-domain-joined Hyper-V Server 2012

  1. Set the server to sync with the NTP server:

w32tm /config /syncfromflags:manual /manualpeerlist:"dc.superplaneteers.com" /reliable:yes /update

where dc.superplaneteers.com is the PDC and time provider.

  2. Restart the service so the new settings take effect:

net stop w32time && net start w32time

  3. Sync the clock to your new NTP server. This needs to return "The command completed successfully."

w32tm /resync /rediscover

  4. Query the time configuration to make sure time is configured as desired:

w32tm /query /status

w32tm /query /peers

w32tm /query /configuration

NTP Client Configuration in ESXi Host

Open the Virtual Infrastructure Client, connect to Virtual Center, expand Data Center, expand Cluster, select the ESXi host, click Configuration, click Time Configuration, click Properties.

On the General tab, select Start and stop with host.

Click NTP Settings, click Add, type the FQDN of the domain controller, click OK, click OK.

If you have a Host Profile in Virtual Center, click Home, click Host Profiles, click Create a Host Profile or edit an existing Host Profile, expand Date and Time Configuration, click Time Settings, type the FQDN of the DC, click OK.

Time drifting error in Windows machines

Time can drift for many reasons, for example network latency and misconfiguration of time services. You may find a time drifting event in the Windows Server event log, as shown below. A troubleshooting guide is provided in the URL below.

Further Study

  • Microsoft Reference
  • Time Drifting Issue
  • Timekeeping best practices for Windows on ESXi Host
  • Detailed explanation of time configuration GPO
  • Cisco NTP Network Appliance

Windows 8: Configuring AppLocker Step by Step

AppLocker is a set of customizable rules that allow or disallow applications, scripts and installers on a per-user or per-group basis. By using this feature, an administrator can ensure that security and licensing compliance needs are met, and provide granular security that aligns with corporate security compliance. You can configure the following rules in AppLocker via a Group Policy Object:

  • Executable Rules
  • Windows Installer Rules
  • Script Rules
  • Packaged App Rules

AppLocker can be found under Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker, as shown in the picture.

An administrator creates or edits a Group Policy Object based on business needs. Rules can be created to allow or deny any applications, scripts or installers per user or per group. The following is an example of creating a rule that allows Adobe Acrobat using AppLocker.

  1. Right-click Executable Rules, click Create New Rule.
  2. On the Permissions page, click Allow, click Next.
  3. Select Publisher, click Next.
  4. Click Browse, go to C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat and select Acrobat.exe. If you would like to allow only a specific version, click Next; otherwise drag the slider up to the product name. In this way you have selected Adobe Acrobat, and any version will be allowed by this rule.
  5. On the Exceptions page, click Next.
  6. On the Name page, click Create.

Now you will see the rule in the Executable Rules list.

AppLocker is a robust tool to manage corporate compliance and security on the desktop and server platform.
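The same publisher rule can be built and dry-run with the AppLocker cmdlets before it is enforced, which also makes visible the main AppLocker pitfall: once an executable rule collection contains any allow rule, every binary without a matching rule is blocked. This is an added example, not from the original post; it assumes the Acrobat path used above, the AppLocker PowerShell module (Windows 7 / Server 2008 R2 and later), and $GpoLdapPath is a placeholder for the target GPO.

```powershell
# Added example, not from the original post: the "allow Adobe Acrobat, any version"
# publisher rule built with the AppLocker cmdlets, dry-run in audit mode, then
# optionally written to a GPO. Assumptions: Acrobat at the path from the post, the
# AppLocker module (Windows 7 / Server 2008 R2 or later), $GpoLdapPath is a placeholder.
param(
    [string]$AcrobatExe  = 'C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat.exe',
    [string]$GpoLdapPath = 'LDAP://DC=example,DC=local/CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=example,DC=local',
    [string]$PolicyXml   = "$env:TEMP\acrobat-publisher-rule.xml",
    [switch]$Deploy
)

Import-Module AppLocker

# Read the signature off the binary. A publisher rule keys on the certificate
# subject and product name rather than path or hash, which is why it survives
# Acrobat updating itself, and why an unsigned file cannot get one.
$fileInfo = Get-AppLockerFileInformation -Path $AcrobatExe
if (-not $fileInfo.Publisher) {
    throw "$AcrobatExe is not signed; use a hash or path rule instead of a publisher rule."
}

[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'Allow Adobe Acrobat' -Xml

# Widen the condition to product-name level (any binary, any version of this
# product from this publisher), which is what dragging the wizard slider to
# Product name does in the post.
foreach ($cond in $policy.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('BinaryName', '*')
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    $range.SetAttribute('LowSection', '*')
    $range.SetAttribute('HighSection', '*')
}

# Start in AuditOnly: once a collection holds any allow rule, everything without
# a matching rule is blocked, so review the 8003 audit events before enforcing.
foreach ($coll in $policy.SelectNodes('//RuleCollection[@Type="Exe"]')) {
    $coll.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyXml)

# Dry-run the policy against a couple of files for a standard user. notepad.exe
# comes back DeniedByDefault: a reminder to create the default rules (Windows and
# Program Files) before this collection is ever switched to Enforce.
$samples = @($AcrobatExe, "$env:windir\System32\notepad.exe")
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

if ($Deploy) {
    # -Merge keeps any rules already in the GPO instead of replacing them.
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $GpoLdapPath -Merge
}
```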

Advanced Group Policy Object Management 4.0

Why do you need Advanced Group Policy Management (AGPM)? If you are a midsize or large organization with several Group Policy administrators in multiple sites, where everybody plays their part in Group Policy administration but there is no proper control over who does what, then you are in a real mess in the production environment. In this scenario, AGPM provides role-based GPO management: who can review, edit, approve and deploy Group Policy objects. AGPM also plays an integral part in the change control practice of your organization. AGPM can improve GPO deployment and provide better management in the IT department. You can use AGPM to track each version of each GPO and its history, just as application developers use version control to track source code. AGPM can be found in the Microsoft Desktop Optimization Pack (MDOP). A generic GPO deployment process using AGPM is as follows.

AGPM consists of a server component (the AGPM Service) and a client component (the AGPM snap-in). You have to install Microsoft Advanced Group Policy Management – Server on a system that has access to the policies that you want to manage; you can install it on a domain controller. An AGPM Client is installed on any system from which Group Policy administrators will review, edit, and deploy GPOs. AGPM provides advanced change control features that can help you manage the lifecycle of GPOs. The following is a Change Control view of AGPM.

The following steps are necessary to change and deploy a GPO:

  1. Check out the GPO from the archive.
  2. Edit the GPO as necessary.
  3. Check in the GPO to the archive.
  4. Deploy the GPO to production.

A controlled GPO cannot be changed by any GPO administrator at any time without prior approval. AGPM keeps a history of changes for each GPO, as shown in the screenshot.

You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version if necessary. AGPM can also compare different versions of a GPO, showing added, changed, or deleted settings. Therefore, you can easily review changes before approving and deploying them to the production environment. In addition, a complete history of each GPO enables you to audit not only changes but also all activities related to that GPO.


Role-Based Delegation: Group Policy already provides a rich delegation model that allows you to delegate administration to regional and task-oriented administrators. AGPM provides a role-based delegation model that adds a review and approval step to the workflow, as shown in the delegation model below.

  Role       View   Compare   Edit   Create   Approve   Deploy
  Reviewer                    ×      ×        ×         ×
  Editor                                      ×         ×
  Approver

  (× marks the actions the role is not permitted to perform.)

Cross-Forest Management: AGPM 4.0 also introduces cross-forest management. You can use the following process to copy a controlled GPO from a domain in one forest to a domain in a second forest:

  1. Export the GPO from domain A in the first forest to a CAB file, by using AGPM.
  2. Import the GPO into the archive in domain B in the second forest, by using AGPM.

When you import the GPO into the second forest, you can import it as a new controlled GPO. You can also import it to replace the settings of an existing GPO that is checked out of the archive.

Install AGPM Server: Computers on which you want to install AGPM must meet the following requirements, and you must be a domain admin to create AGPM roles. If you have AGPM 3.0 installed, you do not have to upgrade the operating system before you upgrade to AGPM 4.0. The AGPM Server requirements are as follows.

  • GPMC Features for Windows Server 2008 R2 or Windows Server 2008
  • Remote Server Administration Tools for Windows 7
  • WCF Activation; Non-HTTP Activation
  • Windows Process Activation Service
  • Process Model
  • .NET 3.5 SP1 Environment
  • Configuration APIs

You can install AGPM Server on the member server or domain controller that will run the AGPM Service, and you configure the archive there. All AGPM operations are managed through this Windows service and are executed with the service's credentials. The archive managed by an AGPM Server can be hosted on that server or on another server in the same forest. Log on with an account that is a member of the Domain Admins group. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select Advanced Group Policy Management – Server.

In the Welcome dialog box>click Next>accept the terms and then click Next.


In the Application Path dialog box, select a location in which to install AGPM Server. The computer on which AGPM Server is installed will host the AGPM Service and manage the archive. Click Next.


In the AGPM Service Account dialog box, select a service account under which the AGPM Service will run and then click Next. This account must be a member of either the Domain Admins group or, for a least-privilege configuration, the following groups in each domain managed by the AGPM Server: Group Policy Creator Owners and Backup Operators.

In the Port Configuration dialog box, type a port on which the AGPM Service should listen. Do not clear the Add port exception to firewall check box unless you manually configure port exceptions or use rules to configure port exceptions. Click Next.


Click Install, and then click Finish to exit the Setup Wizard.

Important! Do not change settings for the AGPM Service through Administrative Tools and Services in the operating system. Doing this can prevent the AGPM Service from starting.

Install AGPM Client: AGPM Client 4.0 requires Windows Server 2008 R2, Windows Server 2008 or Windows 7 and the GPMC from RSAT. Both 32-bit and 64-bit versions are supported. AGPM Client can be installed on a computer that is running AGPM Server. The AGPM Client requirements are as follows.

Before you begin this scenario, create four user accounts for AGPM Administrator (Full Control), Approver, Editor, and Reviewer. These accounts must be able to send and receive e-mail messages. Assign Link GPOs permission to the accounts that have the AGPM Administrator, Approver and Editor roles.

Each Group Policy administrator—anyone who creates, edits, deploys, reviews, or deletes GPOs—must have AGPM Client installed on computers that they use to manage GPOs. For this scenario, you install AGPM Client on at least one computer. You do not need to install AGPM Client on the computers of end users who do not perform Group Policy administration. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select Advanced Group Policy Management – Client.


In the Welcome dialog box, click Next>accept the terms and then click Next>select a location in which to install AGPM Client. Click Next.


In the AGPM Server dialog box, type the DNS name or IP address for the AGPM Server and the port to which you want to connect. The default port for the AGPM Service is 4600. Do not clear the Allow Microsoft Management Console through the firewall check box unless you manually configure port exceptions or use rules to configure port exceptions. Click Next.


In the Languages dialog box, select one or more display languages to install for AGPM Client.


Click Install>click Finish to exit the Setup Wizard.

To configure an AGPM Server connection for all GPO administrators

On a computer on which you have installed AGPM Client, log on with the user account that you selected as the Archive Owner. Click Start>point to Administrative Tools>click Group Policy Management to open the GPMC.

In the details pane, double-click AGPM: Specify default AGPM Server (all domains). In the Properties window, select Enabled and type the DNS name or IP address and port (for example, MicrosoftGURU.com.au:4600) of the server hosting the archive. Click OK, then close the Group Policy Management Editor window.

Configure e-mail notification: As an AGPM Administrator (Full Control), you can designate the e-mail addresses of Approvers and AGPM Administrators to whom an e-mail message containing a request is sent when an Editor tries to create, deploy, or delete a GPO. In the details pane, click the Domain Delegation tab. In the From e-mail address field, type the e-mail address for the user account to which you intend to assign the Approver role, then type a valid SMTP mail server. In the User name and Password fields, type the credentials of a user who has access to the SMTP service. Click Apply.

To delegate access to all GPOs throughout a domain: On the Domain Delegation tab>click the Add button>select the user account from the domain>select GPO Role as Editor>click OK. Repeat the process for the Reviewer and Approver roles.

Create a GPO: In an environment that has multiple Group Policy administrators, those with the Editor role can request that new GPOs be created. However, that request must be approved by someone with the Approver role.

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the Editor role in AGPM. In the Group Policy Management Console tree>click Change Control>Click managed GPOs. Right-click the Change Control node>click New Controlled GPO.


Click Submit. The new GPO is displayed on the Pending tab.

To approve the pending request to create a GPO

On a computer on which you have installed AGPM Client, log on with a user account that has the role of Approver in AGPM. Open the e-mail inbox for the account, and notice that you have received an e-mail message from the AGPM alias with the Editor’s request to create a GPO.

In the Group Policy Management Console tree>click Change Control>Click manage GPOs. On the Contents tab>click the Pending tab to display the pending GPOs. Right-click on Pending GPO>click Approve. Click Yes to confirm approval and move the GPO to the Controlled tab.


Edit a GPO: You can use GPOs to configure computer or user settings and deploy them to many computers or users. In this step, you use an account that has the Editor role to check out a GPO from the archive, edit the GPO offline, check the edited GPO into the archive, and request deployment of the GPO to the production environment. For this scenario, you configure a setting in the GPO to require that the password be at least eight characters long.

On a computer on which you have installed AGPM Client, log on with a user account that has the role of Editor in AGPM. In the Group Policy Management Console>click Change Control>manage GPOs. On the Contents tab in the details pane>click the Controlled tab to display the controlled GPOs. Right-click the managed GPO>click Check Out>type a comment>click OK>click Close.

To request the deployment of the GPO to the production environment: on the Controlled tab, the state of the GPO is identified as Checked In>right-click the managed GPO>click Deploy.

Because this account is not an Approver or AGPM Administrator, you must submit a request for deployment. To receive a copy of the request, type your e-mail address in the Cc field. Type a comment to be displayed in the history of the GPO, and then click Submit.

When the AGPM Progress window indicates that overall progress is complete, click Close. MyGPO is displayed on the list of GPOs on the Pending tab.

Review and deploy a GPO: In this step, you act as an Approver, creating reports and analyzing the settings and changes to settings in the GPO to determine whether you should approve them. After you evaluate the GPO, you deploy it to the production environment and link the GPO to a domain or an organizational unit (OU). The GPO takes effect when Group Policy is refreshed for computers in that domain or OU.

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver in AGPM. Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO.

Open the e-mail inbox for the account and notice that you have received an e-mail message from the AGPM alias with an Editor’s request to deploy a GPO. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

On the Contents tab in the details pane>click the Pending tab>Double-click a single managed GPO to display its history. Review the settings in the most recent version of GPO.

To deploy the GPO to the production environment

On the Pending tab, right-click a single managed GPO and then click Approve.

Type a comment to include in the history of the GPO>Click Yes. When the AGPM Progress window indicates that overall progress is complete, click Close.

To link the GPO to a domain or organizational unit

In the GPMC, right-click either the domain or an organizational unit (OU) to which you want to apply the GPO that you configured, and then click Link an Existing GPO. In the Select GPO dialog box>click selected GPO>click OK.

Use a template to create a GPO: In this step, you use an account that has the Editor role to create and use a template. That template is a static version of a GPO for use as a starting point for creating new GPOs. Although you cannot edit a template, you can create a new GPO based on a template. Templates are useful for quickly creating multiple GPOs that include many of the same policy settings.

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Editor in AGPM. In the Group Policy Management Console tree>click Change Control>Click manage GPOs.

On the Contents tab in the details pane>click the Controlled tab>Right-click on a single GPO>click Save as Template to create a template incorporating all settings currently in GPO.

Type a name of Template and a comment, then click OK>click Close. To request that a new GPO be created and managed through AGPM. Click the Controlled tab>Right-click the Change Control node>click New Controlled GPO.

In the New Controlled GPO dialog box, type your e-mail address in the Cc field. Type a name of GPO as the name for the new GPO. Type a comment for the new GPO.

Click Create live so that the new GPO will be deployed to the production environment immediately upon approval.

For From GPO template>select Template>Click Submit>click Close. The new GPO is displayed on the Pending tab.

To check the GPO out from the archive for editing

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Editor in AGPM. Right-click GPO>click Check Out>Type a comment to be displayed in the history of the GPO while it is checked out>click OK>click Close. On the Controlled tab, the state of the GPO is identified as Checked Out.

To edit the GPO offline and configure the account lockout duration

On the Controlled tab>right-click GPO>click Edit to open the Group Policy Management Editor window and change an offline copy of the GPO. For this scenario, configure the minimum password length:

Under Computer Configuration>double-click Policies>Click Windows Settings>Click Security Settings>Click Account Policies>Click Account Lockout Policy.

In the details pane, double-click Account lockout duration. In the properties window, check Define this policy setting, set the duration to 30 minutes, and then click OK.

Close the Group Policy Management Editor window.

To compare a GPO to another GPO and to a template

To compare Test GPO1 and Test GPO2: on the Controlled tab, click Test GPO1, then press CTRL and click Test GPO2. Right-click Test GPO2, point to Differences, and then click HTML Report.

To delete a GPO

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

On the Contents tab>click the Controlled tab to display the controlled GPOs>Right-click GPO, and then click Delete. Click Delete GPO from archive and production to delete both the version in the archive and the deployed version of the GPO in the production environment. Type a comment to be displayed in the audit trail for the GPO>click OK>click Close.

To restore a deleted GPO

On the Contents tab>click the Recycle Bin tab to display deleted GPOs>Right-click GPO>click Restore.

Type a comment to be displayed in the history of the GPO>click OK> click Close.

Important! Restoring a GPO to the archive does not automatically redeploy it to the production environment.

To roll back to an earlier version of a GPO

On the Contents tab>click the Controlled tab>Double-click MyGPO to display its history>Right-click the version to be deployed>click Deploy>click Yes>click Close.

Last but not least, PowerShell commands are very handy for working with GPOs on the fly. Before you can use the PowerShell commands you have to install Active Directory Web Services on any domain controller in your AD infrastructure. Download PowerShell v2 and install it on a utility server or a Windows 7 admin PC. Open a PowerShell window as an Administrator and type the following commands:

# Load the Group Policy module first (required on PowerShell v2 before its cmdlets are visible)
Import-Module GroupPolicy

# List the cmdlets the module provides, then show the help for each of them
Get-Command -Module GroupPolicy

Get-Command -Module GroupPolicy | Get-Help

List of PowerShell commands for GPO and their functionality:

  Backup-GPO                    Backs up a GPO.
  Copy-GPO                      Copies a GPO.
  Get-GPInheritance             Retrieves GPO inheritance.
  Get-GPO                       Gets one GPO or all GPOs.
  Get-GPOReport                 Generates a report in either XML or HTML.
  Get-GPPermissions             Gets the permission level for security principals.
  Get-GPPrefRegistryValue       Retrieves one or more registry preference
  Get-GPRegistryValue           Retrieves one or more registry-based policy settings.
  Get-GPResultantSetOfPolicy    Outputs the Resultant Set of Policy (RSoP) information.
  Get-GPStarterGPO              Gets one Starter GPO or all Starter GPOs in a domain.
  Import-GPO                    Imports the Group Policy settings from a backed-up GPO.
  New-GPLink                    Links a GPO to a site, domain, or OU.
  New-GPO                       Creates a new GPO.
  New-GPStarterGPO              Creates a new Starter GPO.
  Remove-GPLink                 Removes a GPO link from a site, domain, or OU.
  Remove-GPO                    Deletes a GPO.
  Remove-GPPrefRegistryValue    Removes one or more registry preference items.
  Remove-GPRegistryValue        Removes one or more registry-based policy settings.
  Rename-GPO                    Assigns a new display name to a GPO.
  Restore-GPO                   Restores one GPO or all GPOs in a domain from
  Set-GPInheritance             Blocks or unblocks inheritance for a specified domain or OU.
  Set-GPLink                    Sets the properties of the specified GPO link.
  Set-GPPermissions             Grants a level of permissions to a security principal.
  Set-GPPrefRegistryValue       Configures a registry preference item.
  Set-GPRegistryValue           Configures one or more registry-based policy settings.
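As an added example (not from the original post), the following script uses Backup-GPO and Get-GPOReport from the list above to do by hand the two things AGPM automates: a commented backup before a change, and a settings difference between two GPOs like the AGPM Differences report. It assumes the GroupPolicy RSAT module is installed, $BackupRoot is a placeholder share, and the GPO names are the ones from the time-configuration post (the client GPO name is assumed).

```powershell
# Added example, not from the original post: manual change control with the
# GroupPolicy cmdlets. Assumptions: RSAT GroupPolicy module installed, the account
# has read/backup rights on the GPOs, $BackupRoot is a placeholder UNC path.
param(
    [string]$GpoName    = 'Time Provider',            # GPO from the time-configuration post
    [string]$CompareTo  = 'Time Provider Clients',    # assumed name for the Step 5 client GPO
    [string]$BackupRoot = '\\fileserver\gpo-backups'  # placeholder share
)

Import-Module GroupPolicy

# 1. Back up before touching anything, with a comment that says who and when.
#    AGPM records this history itself; without AGPM the backup is your only rollback.
$backup = Backup-GPO -Name $GpoName -Path $BackupRoot `
    -Comment "Pre-change backup by $env:USERNAME at $(Get-Date -Format s)"
Write-Host "Backed up '$GpoName' to $BackupRoot as backup id $($backup.Id)"

# 2. Flatten the Administrative Template part of a GPO's XML report into
#    'scope | policy = state' and 'scope | policy / element = value' lines.
#    (Security Settings, Preferences etc. use other schemas and are not covered.)
function Get-GpoSettingLines([string]$Name) {
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    $lines = @()
    foreach ($policy in $report.SelectNodes('//*[local-name()="Policy"]')) {
        $scope = if ($policy.SelectSingleNode('ancestor::*[local-name()="Computer"]')) { 'Computer' } else { 'User' }
        $pname = $policy.SelectSingleNode('*[local-name()="Name"]').InnerText
        $state = $policy.SelectSingleNode('*[local-name()="State"]').InnerText
        $lines += "$scope | $pname = $state"
        # Child elements such as EditText (NtpServer) or Numeric (AnnounceFlags) carry the values.
        foreach ($part in $policy.SelectNodes('*[*[local-name()="Name"] and *[local-name()="Value"]]')) {
            $ename  = $part.SelectSingleNode('*[local-name()="Name"]').InnerText
            $evalue = $part.SelectSingleNode('*[local-name()="Value"]').InnerText
            $lines += "$scope | $pname / $ename = $evalue"
        }
    }
    if ($lines.Count -eq 0) { $lines = @('(no Administrative Template settings)') }
    return ,$lines
}

# 3. Compare the two GPOs the way the AGPM Differences report does.
$left  = Get-GpoSettingLines $GpoName
$right = Get-GpoSettingLines $CompareTo
$diff  = Compare-Object -ReferenceObject $left -DifferenceObject $right
if (-not $diff) {
    Write-Host "No Administrative Template differences between '$GpoName' and '$CompareTo'."
} else {
    foreach ($d in $diff) {
        $side = if ($d.SideIndicator -eq '<=') { "only in '$GpoName'" } else { "only in '$CompareTo'" }
        Write-Host ("{0,-35} {1}" -f $side, $d.InputObject)
    }
}
```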

Relevant References:

Active Directory Best Practice

Download Advanced Group Policy from TechNet

Finally! Copy and merge GPOs! PowerShell saves the day!

Microsoft® Desktop Optimization Pack (MDOP)

Choosing Which Version of AGPM to Install

Active Directory Web Services

Remove initial configuration wizard on Windows Server 2008 using GPO

Open the GPO management console with administrative privileges. Create and link a GPO with the Enterprise Server OU. Right-click the Enterprise Server OU> Click Properties. Expand and locate the Server Manager section in the following section of the GPO. Expand Computer Configuration>Expand … Continue reading

How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step

WPAD stands for Web Proxy Auto-Discovery Protocol. WPAD carries the proxy settings information for clients. Windows clients use the WPAD protocol to obtain proxy information from DHCP and DNS servers. Clients query for the WPAD entry and are returned the address of the WPAD … Continue reading

Group Policy for Windows 7 and Windows Server 2008 R2

Microsoft Advanced Group Policy Management (AGPM) 4.0 provides advanced control and management features for computers running Windows 7 and Windows Server 2008 R2. Systems administrators will be able to apply change control to each feature deployed through GPO. AGPM 4.0 introduces … Continue reading