Tag Archives: GPO

Group Policy: WMI Filters in a nutshell

Windows Management Instrumentation (WMI) filters are another method we can use to narrow down the targets of a group policy. This method can only filter computer objects, because it is based on the attribute values of the computer. For example, WMI filters can select by operating system version, processor architecture (32-bit/64-bit), Windows server roles, registry settings, event IDs and so on. The WMI filter runs against the WMI data of the computer and decides whether the policy should apply: if the computer matches the WMI query the group policy is processed, and if the query evaluates to false it is not. This method was first introduced with Windows Server 2003.

We can use GPMC to create and manage WMI filters. Before a filter can be applied to a GPO it must first be created. A single WMI filter can be attached to many GPOs, but a GPO can have only one WMI filter attached.

To create a WMI filter, open GPMC, right-click on WMI Filters and click New.

A new window opens where we can define the WMI query.

By clicking the Add button we can define the namespace and the WMI query. As an example, I have created a WMI query that matches computers running the 32-bit version of Windows 10.

select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

Below you can find a few examples of commonly used WMI queries.

To filter OS – Windows 8 – 64-bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"

To filter OS – Windows 8 – 32-bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

To filter any Windows server OS – 64-bit

select * from Win32_OperatingSystem where (ProductType = "2" OR ProductType = "3") AND OSArchitecture = "64-bit"

To apply a policy only on a selected day of the week

select DayOfWeek from Win32_LocalTime where DayOfWeek = 1

Day 1 is Monday. 
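Before attaching a filter to a GPO it is worth evaluating the WQL on a machine you expect to match and on one you expect to skip. The following is an added example (not code from the original post) that runs the queries listed above through Get-CimInstance in the root\CIMv2 namespace, which is where the Group Policy client evaluates WMI filters; the Test-WmiFilter function name and the $ComputerName parameter are my own.

```powershell
# Added example, not from the original post: evaluate the WMI filter queries
# above against a computer before attaching them to a GPO. The Group Policy
# client runs the WQL in the root\CIMv2 namespace and applies the GPO only if
# the query returns at least one instance, so "no rows" here means the GPO
# would be skipped on this machine.
param(
    # Defaults to the local machine; a remote name is queried over WinRM.
    [string]$ComputerName = $env:COMPUTERNAME
)

# Queries as listed in the post. The server query has its parentheses placed
# so that the OR is evaluated before the AND; without them WQL would read it
# as ProductType=2 OR (ProductType=3 AND 64-bit).
$wmiFilters = [ordered]@{
    'Windows 10 32-bit'    = 'select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"'
    'Windows 8 64-bit'     = 'select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"'
    'Any server OS 64-bit' = 'select * from Win32_OperatingSystem WHERE (ProductType = "2" OR ProductType = "3") AND OSArchitecture = "64-bit"'
    'Monday only'          = 'select DayOfWeek from Win32_LocalTime where DayOfWeek = 1'
}

function Test-WmiFilter {
    <# Returns $true when the WQL query returns at least one instance,
       which is the decision rule the Group Policy client applies. #>
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace = 'root\CIMv2'
    )
    $cimArgs = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
    # Only go over WinRM when the target is not this machine
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $ComputerName }
    try {
        $instances = @(Get-CimInstance @cimArgs)
        return $instances.Count -gt 0
    } catch {
        # A typo in the WQL should be visible here, not discovered in the field
        Write-Warning "Query failed on ${ComputerName}: $($_.Exception.Message)"
        return $false
    }
}

# Print the facts the filters decide on, then each filter's verdict
$osArgs = @{ ClassName = 'Win32_OperatingSystem' }
if ($ComputerName -ne $env:COMPUTERNAME) { $osArgs.ComputerName = $ComputerName }
$os = Get-CimInstance @osArgs
'{0}: Version={1} ProductType={2} OSArchitecture={3}' -f $ComputerName, $os.Version, $os.ProductType, $os.OSArchitecture

foreach ($name in $wmiFilters.Keys) {
    $applies = Test-WmiFilter -Query $wmiFilters[$name] -ComputerName $ComputerName
    '{0,-22} -> GPO would {1}' -f $name, $(if ($applies) { 'APPLY' } else { 'be skipped' })
}
```

Run it as a user with rights to query WMI on the target; the verdict column should agree with what gpresult /r reports under "WMI Filtering" after the GPO is linked.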

Once the WMI filter is created, it needs to be attached to the GPO. To do that, go to GPMC and select the required GPO. Then, under the WMI Filtering section, select the required WMI filter from the drop-down box.

Now it is time for testing. Our test query targets 32-bit Windows 10 operating systems, so if I run it on a 64-bit operating system the policy should not apply. We can check this by running gpupdate /force to apply the new group policy and gpresult /r to check the results.

The test was successful: the policy was blocked because I am running the 64-bit version of Windows 10.

This marks the end of this blog post. If you have any questions feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm to get updates about new blog posts.

Group Policy Item-Level Targeting

Item-level targeting can be used to target group policy preference settings at a granular level, based on application settings and on properties of users and computers. We can use multiple targeting items in a preference setting and combine them with logical operators (AND, OR, IS, IS NOT).

Item-level targeting in group policy preferences is set up and managed using GPMC. To do that, open the group policy settings, go to the relevant preference setting, right-click and select Properties.

In my example I am using a GPO created for IE 10 settings, so the path is User Configuration > Preferences > Internet Settings > Internet Explorer 10. Then right-click and select Properties.

In the Properties window, select the Common tab, tick Item-level targeting, then click the Targeting button.

In the next window we can build granular targeting based on one item or on multiple items combined with logical operators.

In the above example I have built a query based on three settings: NetBIOS name, operating system and IP address. Because I used the AND logical operator, all three statements must evaluate to TRUE for the preference setting to apply. With the OR logical operator instead, the individual statements may be either True or False.

In that window, the New Item menu contains the items we can use for targeting. Add Collection lets us create parenthetical groupings, and the Item Options menu defines the logical operators.

WMI filters are another way of targeting objects in group policies. We will look into them in the next blog post.

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm to get updates about new blog posts.

Step-By-Step Guide to enable Advanced Security Audit Policy: DS Access

More than any other system, Active Directory is important to an organization from a security perspective. Even a small change in an organization’s AD can cause a major business impact. Unauthorized access and unplanned changes in the AD environment should be prevented in the first place, but if something like that does happen in your AD environment you should have enough information to answer questions such as: what has changed, when did it happen, and who did it?

As you know, computer security threats change every day, and sometimes the default event logs cannot answer the questions above. Microsoft understood these modern requirements and with Windows 2008 R2 introduced the “Advanced Security Audit Policy”. This gives you 53 options to tune the auditing to your requirements, so you can collect more granular information about your infrastructure events. It has 10 categories, and in this demo I am going to talk about the “DS Access” category, which is focused on Active Directory access and object modifications.

Advanced Security Audit Policy needs to be enabled via GPO. These events are recorded on the domain controllers, so the policy should target only the domain controllers. It can be enabled in the “Default Domain Controllers Policy” in AD.

Let’s see how to enable this GPO setting.

In my demo I am using an AD server with Windows 2016 TP4.
1)    Log in to the server as Domain Admin
2)    Load the Group Policy Management editor using Server Manager > Tools > Group Policy Management
3)    Expand the Domain Controllers OU, then right-click on Default Domain Controllers Policy and select Edit.

4)    Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access

There are 4 subcategories under DS Access. Let’s see what each subcategory is capable of.

Audit Detailed Directory Service Replication

This security policy setting can be used to generate security audit events with detailed tracking information about the data that is replicated between domain controllers. This audit subcategory can be useful to diagnose replication issues.

If it is enabled, the following events will appear in the logs:

Event ID    Event message
4928        An Active Directory replica source naming context was established.
4929        An Active Directory replica source naming context was removed.
4930        An Active Directory replica source naming context was modified.
4931        An Active Directory replica destination naming context was modified.
4934        Attributes of an Active Directory object were replicated.
4935        Replication failure begins.
4936        Replication failure ends.
4937        A lingering object was removed from a replica.

Audit Directory Service Access

This security policy setting determines whether the operating system generates events when an Active Directory Domain Services (AD DS) object is accessed.
These events are similar to the Directory Service Access events in previous versions of Windows Server operating systems.

If it is enabled, the following events will appear in the logs:

Event ID    Event message
4662        An operation was performed on an object.

Audit Directory Service Changes

This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are:
•    Create
•    Delete
•    Modify
•    Move
•    Undelete
Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed.

If it is enabled, the following events will appear in the logs:

Event ID    Event message
5136        A directory service object was modified.
5137        A directory service object was created.
5138        A directory service object was undeleted.
5139        A directory service object was moved.
5141        A directory service object was deleted.

Audit Directory Service Replication

This security policy setting determines whether the operating system generates audit events when replication between two domain controllers begins and ends.

If it is enabled, the following events will appear in the logs:

Event ID    Event message
4932        Synchronization of a replica of an Active Directory naming context has begun.
4933        Synchronization of a replica of an Active Directory naming context has ended.

According to Microsoft best practices (https://technet.microsoft.com/en-us/library/dn487457.aspx) I am going to enable the

Audit Directory Service Access
Audit Directory Service Changes

subcategories for both success and failure events. To do that, double-click on each subcategory and enable the audit events.


After the GPO is applied I can see the new events in the logs. For testing I added a new GPO under the IT OU, and in the logs I can see the details of that activity.
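The point of enabling Directory Service Changes auditing is to be able to answer the who/what/when questions from the introduction, so the following added example (my code, not from the original post) reads events 5136 to 5141 from a domain controller's Security log and flattens the fields an investigator needs; the function names, the $DomainController and $Hours parameters and the filter on groups and GPO objects at the end are my own choices.

```powershell
# Added example, not from the original post: read the Directory Service
# Changes events enabled above (5136 modify, 5137 create, 5138 undelete,
# 5139 move, 5141 delete) from a domain controller's Security log and
# answer "what changed, when, and who did it" from each event's XML.
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$dsChangeIds = 5136, 5137, 5138, 5139, 5141
$actionNames = @{ 5136 = 'Modified'; 5137 = 'Created'; 5138 = 'Undeleted'; 5139 = 'Moved'; 5141 = 'Deleted' }
# OperationType in 5136 tells whether a value was added to or removed from
# the attribute; Windows logs it as these two resource-string tokens.
$operationNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

function ConvertFrom-DsChangeEvent {
    <# Flattens one 5136-5141 event into the fields an investigator needs.
       The EventData field names used below are the ones Windows writes. #>
    param([Parameter(Mandatory)]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 5138 (undelete) and 5139 (move) report OldObjectDN/NewObjectDN rather
    # than ObjectDN, so fall back to the new DN for those.
    $dn = if ($data['ObjectDN']) { $data['ObjectDN'] } else { $data['NewObjectDN'] }
    $op = if ($data['OperationType']) { $operationNames[$data['OperationType']] } else { $null }

    [pscustomobject]@{
        Time      = $Event.TimeCreated
        EventId   = $Event.Id
        Action    = $actionNames[$Event.Id]
        Who       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Class     = $data['ObjectClass']
        Object    = $dn
        # Only 5136 carries the attribute name, its value and the operation
        Attribute = $data['AttributeLDAPDisplayName']
        Value     = $data['AttributeValue']
        Operation = $op
    }
}

function Get-DsChanges {
    param([string]$ComputerName, [int]$Hours)
    # FilterHashtable is applied by the event log service, so this stays
    # cheap even on a busy DC; StartTime bounds the window.
    $filter = @{ LogName = 'Security'; Id = $dsChangeIds; StartTime = (Get-Date).AddHours(-$Hours) }
    $winEventArgs = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $winEventArgs.ComputerName = $ComputerName }
    Get-WinEvent @winEventArgs | ForEach-Object { ConvertFrom-DsChangeEvent -Event $_ }
}

$changes = Get-DsChanges -ComputerName $DomainController -Hours $Hours

# High-value signals for a defender: group membership edits, new or changed
# GPOs (groupPolicyContainer objects) and GPO links (the gPLink attribute on
# an OU), which is what adding a GPO under an OU, as in the test above, writes.
$changes |
    Where-Object { $_.Class -in 'group', 'groupPolicyContainer' -or $_.Attribute -in 'member', 'gPLink' } |
    Sort-Object Time |
    Format-Table Time, Action, Who, Class, Attribute, Value, Object -AutoSize -Wrap
```

Run it on, or with -DomainController pointed at, the DC that processed the change, since these events are written only on the DC that performed the operation and are not replicated.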


If you have any questions about the post feel free to ask me at rebeladm@live.com

Step-by-Step Guide to publish proxy settings via GPO for IE10 and IE11 in a Windows Server 2008 R2 AD environment

Before IE10, Internet Explorer settings could be managed using Internet Explorer Maintenance (IEM) in group policy. If your organization has IE settings published using IEM, they no longer apply to IE10 and IE11.

In a Windows 2012 or later AD environment this is not a problem: you can simply publish these settings using the new IE settings publishing method in GPO. But in Windows 2008 and Windows 2008 R2 a different method is needed. In this post I will explain how to do it in a Windows 2008 R2 AD environment.

Before IE10 you could publish settings via GPO using User Configuration > Policies > Windows Settings > Internet Explorer Maintenance. But if your server is running IE10 or IE11 you can’t see it anymore in GPO.

The new method is to publish IE settings via User Configuration > Control Panel Settings > Internet Settings, where you can create settings based on the IE version. In my demo I am using a DC with Windows 2008 R2 and IE 11 installed. But here I can’t see any option to publish IE10 or IE11 settings.

So how we can do it?

In order to publish IE10+ settings you need one of the following in the same domain:
1)    A Windows 2012 or newer server with the Group Policy Management feature installed
2)    A Windows 8.0 machine with the latest RSAT tools https://www.microsoft.com/en-gb/download/details.aspx?id=28972
3)    A Windows 8.1 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=39296
4)    A Windows 10 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=45520

Also make sure the system is running the latest updates.

Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 from a computer that is running Windows 8.1, Windows 8 or newer.

In my demo I am using a Windows 8.1 machine with RSAT installed.

1)    To start, log in to the PC with Domain Administrator privileges.
2)    Then go to Programs and click on Group Policy Management

3)    Once it loads, expand the console, go to the domain, right-click and select Create a GPO in this domain, and Link it here.
In my demo I am going to create a new GPO to publish the IE settings.

4)    Type the new policy name and click OK

5)    Then right-click on the newly added policy and click Edit

6)    Expand the policy settings and go to User Configuration > Preferences > Control Panel Settings > Internet Settings. Then right-click and select New. Here we can now see IE 10. There is no IE11 entry; the IE10 settings are valid for IE11 too. Click on “Internet Explorer 10” to publish the settings.

7)    A window opens that looks similar to the typical IE settings interface.

8)    Enter the changes you would like to publish.

9)    One thing you need to make sure of: once you have entered the changes, press “F6” to apply them. If it works, the red dotted line changes to a green dotted line. It doesn’t matter what changes you put in; if you do not activate them by pressing F6 they will not be published.

10)    Click OK to submit the settings, and here you can see it saved the IE10 browser settings.

11)    It’s time for testing. Let’s see if the new settings published for IE11 have been applied.

12)    Yes, it worked fine. One thing you need to keep in mind: if you need to make changes to the GPO, you need to use one of the options mentioned above. You can’t edit the new values with Windows 2008 R2.

If you have any questions feel free to contact me at rebeladm@live.com

Authentication Policies and Authentication Policy Silos

In my last 2 posts I explained the Restricted RDP and Protected Users group features available in Windows 2012 R2 directory services to protect your high-privileged accounts. Authentication Policies and Authentication Policy Silos are another feature available in Windows Server 2012 R2 directory services to protect the high-privileged accounts of your AD infrastructure.

Let me explain in simple terms. In my network I have an Exchange mail server running, and I have an Exchange administrator account. We also have a “Management PC” which is used for administration tasks. So I know for a fact that the Exchange administrator account should only be used on the Exchange servers or the management PC. If this account logs in to the receptionist’s PC, something is wrong; it could be a security breach. So what if I could limit this Exchange administrator’s access to only the Exchange servers and the management PC? And what if I could apply more security to account authentication to protect this high-privileged account? Yes, Authentication Policies and Authentication Policy Silos are for that.

Authentication policy defines the Kerberos protocol ticket-granting ticket (TGT) lifetime properties and authentication access control conditions for an account type.

Authentication policies control the following:
•    The TGT lifetime for the account, which is set to be non-renewable.
•    The criteria that device accounts need to meet to sign in with a password or a certificate.
•    The criteria that users and devices need to meet to authenticate to services running as part of the account.

Authentication policy silos are containers to which administrators can assign user accounts, computer accounts, and service accounts. Sets of accounts can then be managed by the authentication policies that have been applied to that container. This reduces the need for the administrator to track access to resources for individual accounts, and helps prevent malicious users from accessing other resources through credential theft. (https://technet.microsoft.com/en-GB/library/dn486813.aspx)

In order to use this, we need a minimum of Windows 2012 R2 domain functional level. We also need Dynamic Access Control support.

Enable Dynamic Access Control for DC

Let’s see how we can enable DAC support.
1)    Log in to the DC as domain or enterprise administrator
2)    Server Manager > Group Policy Management

3)    Then create a new GPO, go to Computer Configuration > Administrative Templates > System > KDC, set the setting to Enabled and choose the option to always provide claims

Enable Dynamic Access Control for Hosts and Devices

1)    Log in to the DC as domain or enterprise administrator
2)    Server Manager > Group Policy Management
3)    Then create a new GPO, go to Computer Configuration > Administrative Templates > System > Kerberos, and set the setting to Enabled

This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication.

Create Authentication Policy

1)    Log in to the DC as domain or enterprise administrator
2)    Go to Server Manager > Active Directory Administrative Center

3)    Then go to “Authentication”

4)    Right-click on Authentication Policy > New > Authentication Policy

5)    The New Authentication Policy wizard opens. Provide a name and description for it. Also tick “Enforce policy restrictions”

6)    Then under the “User” section define the number of minutes for the TGT lifetime (TGTL). For this policy I am going to use a 4-hour TGTL.

7)    Then click OK to create the new policy
8)    Now you can see the new policy has been created

Create Authentication Policy Silos

To create a policy silo:
1)    Server Manager > Active Directory Administrative Center > Authentication Policy Silos

2)    Right-click > New > Authentication Policy Silo

3)    Then in the new wizard, provide a name for the policy silo; in my demo I used “Restricted Exchange Administration”. Also tick “Enforce policy restrictions”

4)    Under the Authentication Policy section select “Use a single policy for all principals that belong to this authentication policy”. Then from the drop-down select the authentication policy created in the previous section.

5)    Click OK to create the policy silo

Assign Policy Silos

The next step is to assign this policy silo to objects.

1)    In ADAC, go to Global Search and search for the object

2)    Double-click on the object. Once the property window opens, go to the Silo option

3)    There, select the new policy silo you created and click OK
4)    This can be a computer object or a user account
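The same policy, silo and assignments can be created with the ActiveDirectory PowerShell module, which makes the configuration reviewable and repeatable. This added example is my code, not from the original post: it reuses the post's demo names (a 4-hour user TGT, the silo “Restricted Exchange Administration”, the account user1), while the policy name and the host list are placeholders of my own, and the SDDL condition on -UserAllowedToAuthenticateFrom implements the introduction's goal of allowing the account to authenticate only from devices that are themselves in the silo.

```powershell
# Added example, not from the original post: the authentication policy and
# silo the post builds in ADAC, created with the ActiveDirectory module.
# Prerequisites are those described above: Windows 2012 R2 domain functional
# level and the KDC / Kerberos claims settings pushed by GPO to the DCs and
# the member hosts. Names marked "placeholder" are mine, not from the post.
Import-Module ActiveDirectory

$siloName   = 'Restricted Exchange Administration'      # from the post
$policyName = 'Exchange Admin Authentication Policy'    # placeholder
$adminUser  = 'user1'                                   # from the post
$adminHosts = @('MGMT-PC01')                            # placeholder: the management PC / Exchange servers

# Access condition for the policy: the user can obtain a TGT only from a
# device whose own AuthenticationSilo claim equals this silo. This is the
# SDDL form New-ADAuthenticationPolicy takes for -UserAllowedToAuthenticateFrom.
$fromSiloDevices = 'O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $siloName + '"))'

# 1. Authentication policy: non-renewable 240-minute (4-hour) user TGT plus
#    the device condition. Omit -Enforce to run in audit-only mode first and
#    review the resulting events before turning enforcement on.
New-ADAuthenticationPolicy -Name $policyName `
    -Description 'Exchange administrators: short TGT, logon only from silo devices' `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSiloDevices `
    -Enforce

# 2. Silo that applies this single policy to every principal type it holds,
#    matching the "use a single policy for all principals" option in ADAC.
New-ADAuthenticationPolicySilo -Name $siloName `
    -Description 'Exchange administrator account and the hosts it may use' `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName `
    -Enforce

# 3. Membership has two halves: the silo must permit the principal, and the
#    principal must be assigned to the silo. The KDC issues the silo claim
#    only when both are in place.
$principals = @(Get-ADUser -Identity $adminUser) +
              @($adminHosts | ForEach-Object { Get-ADComputer -Identity $_ })
foreach ($p in $principals) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $p
}
Set-ADUser -Identity $adminUser -AuthenticationPolicySilo $siloName
foreach ($h in $adminHosts) { Set-ADComputer -Identity $h -AuthenticationPolicySilo $siloName }

# 4. Verify: the user should report the silo, and the silo should list the
#    user and every host granted above.
Get-ADUser -Identity $adminUser -Properties AuthenticationPolicySilo |
    Select-Object Name, AuthenticationPolicySilo
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties * |
    Select-Object Name, Enforce, Members
```

With this in place, a logon by user1 from a device that is not in the silo is refused at the KDC, which is the behaviour the screenshot below illustrates.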

In my demo I wanted to protect the user1 account from being used to log in to a PC called DCPM01.
Once these rules were applied, when I try to log in to DCPM01 as user1 I get:

I hope this gives you an idea of the use of authentication policies and policy silos.

If you have any questions feel free to contact me at rebeladm@live.com

Group policy Troubleshooting – Part 02

This is Part 02 of the series of posts explaining the methods and tools that can be used for group policy troubleshooting. In Part 01 I explained the tool called “Group Policy Results Wizard”, which can be used for troubleshooting group policy issues. If you have not read it yet you can find it at http://www.rebeladmin.com/2015/08/group-policy-troubleshooting-part-01/

In this post let’s look into some of the other tools.

GPResult.exe command

This is the command-line version of the “Group Policy Results Wizard”. To run it,
1)    Log in to the server
2)    Open a command prompt
3)    Type gpresult /s serverorcomputername /user username /r

Here serverorcomputername should be replaced with the device host name, and username with the username of the account to be evaluated against group policy.

In the demo I used gpresult /s DCM1 /user canitpro\Administrator /r

Group Policy Modelling Wizard

This is an advanced and powerful tool for GP troubleshooting, and it gives more detailed results. Using it we can run tests against a computer or user account in more detail and see the impact of different group policies.

To run the tool,
1)    Log in to the DC as domain admin or enterprise admin
2)    Load Server Manager > Tools > Group Policy Management

3)    Then expand the tree, go to Group Policy Modelling, right-click on it and select Group Policy Modelling Wizard

4)    The wizard opens; click Next to continue

5)    Then it asks about the domain controller; here you can even select different domains and sub-domains. Make the selections and click Next

6)    Then it asks which OUs should be used for the test. The first one is for users and the second one is for computers. After the selection click Next

7)    Then it gives the option to select the site. You can also choose to simulate slow link processing and loopback processing. After the selection click Next to continue

8)    Then it lists the security groups for the current user. If you need to, you can select different groups. Click Next to continue.

9)    The next window lists the computer security groups; if you need to, you can add more. Click Next to continue

10)    In the next window you can add WMI filters or just use all linked WMI filters for the users. It depends on the configuration and the troubleshooting process. Click Next to continue

11)    In the next window you can add WMI filters or just use all linked WMI filters for the computers. Click Next to continue.

12)    The next window gives a summary of the selections. Click Next to continue

13)    Then in the next window click Finish to complete the wizard.

14)    Then go to the console and click on the new object it created to see the detailed report

If you have any questions about the post feel free to contact me at rebeladm@live.com

Group policy Troubleshooting – Part 01

When it comes to group policy troubleshooting in a DC environment, it is mainly one of the following issues.

1)    Group policies are not applied as expected – this can be for an OU or even for the entire domain
2)    Group policies are applied but are not doing what is expected

So where do we start? How can we find the exact issue and fix it?

Most of the time, when it comes to group policy troubleshooting, admins jump straight into the Group Policy MMC. But I reckon that is not the way to start.

1)    Check Event Viewer – it’s a good place to start. Check for any errors and warnings to see if there is an error related to a GPO
2)    Check whether the DC is reachable – if testing from a user PC or server, check that it can reach the DC properly.
3)    Check network connectivity and DNS – check that the network connection is okay and the DNS settings are correct. If it’s between different subnets, make sure the DC can reach the target users or computers.

After that we can use the tools provided by Windows Server 2012 to analyse the problem. Windows Server 2012 provides 3 tools to help with GP troubleshooting.

1)    The Group Policy Results Wizard
2)    The GPResult.exe command
3)    The Group Policy Modelling Wizard

Group Policy Result Wizard

Using the wizard we can identify GPO-related issues for a user’s computer or a server. To run this tool the following requirements need to be fulfilled.

1)    The target should run Windows XP or a newer operating system
2)    The target must be online and reachable from the source without issues
3)    You need administrative rights on the target computer
4)    WMI must be running on the target, and ports 135 and 445 should be open

Let’s see how we can run this tool.

1)    Log in to the DC as domain admin or enterprise admin
2)    Open Server Manager
3)    Then go to Tools > Group Policy Management

4)    Then expand the tree and go to Group Policy Results

5)    Right-click on it and click Group Policy Results Wizard

6)    The wizard opens. Click Next to continue

7)    On the next page select the Another computer option and click Browse to select the target computer

8)    The next window asks which user you need to check; select the user and click Next

9)    Then it gives the summary; click Next to proceed

10)    Then click Finish to exit the wizard

11)    Then we can see the results page in the console

This is the end of Part 01. In the next post let’s see how we can use the other 2 tools.

If you have any questions about the post feel free to contact me at rebeladm@live.com

Restricted Groups using group policies

In the previous post I explained the different groups we can create in a domain environment. In an organization you may sometimes need to grant permissions to different users to manage these groups and their memberships. But sometimes it is better if we can lock some of these memberships for security reasons. For example, let’s assume you have a group with access to the financial records of the organization, which should only be accessible to upper management. So the membership of that group is important.

Restricted Groups policy is the answer for that. Using group policy you can specify the membership and enforce it, so no one can add or remove members.

Let’s see how we can do it in a domain environment.

For the demo I created a group called “Remote Clients” and made usera and userb members of it.
But for the demo I need to restrict the group membership so that only the user testa is a member.


To do it, go to Server Manager > Tools > Group Policy Management

Then go to the OU to which you wish to apply the Restricted Groups policy. If it is going to apply to the whole organization you can make it a global policy as well. Then right-click on the OU name and select “Create a GPO in this domain, and Link it here”

Then provide the name for the new policy and click OK.

Then go to the OU again, right-click on the new GPO and click Edit.

Then go to the Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups folder.
Right-click on it and click “Add Group”

Then select the group you need to add; in my demo it is Remote Clients. Then click OK.

Then it gives the option to add members to the group, and also to make this group a member of another group.

Here I added the user testa, and I need to force the membership to this user only.

Now it’s all done. The next time the policy is applied it will overwrite the current membership.

If you have any questions feel free to contact me at rebeladm@live.com

Tools to help with group policy design

Designing group policies for an organization can get complex. It can cause chaos, because sometimes it is very hard to revert changes pushed to workstations by group policies, especially changes that involve registry values. So proper design is very important.

There are some tools/features in GPO management that can help with designing, testing or troubleshooting group policies. Please note that none of these are recommended as permanent solutions to fix group policy design issues.

Block Inheritance

Any GPO set up at a higher level in the GPO structure automatically applies to the lower levels in the model. For example, the “Default Domain Policy” is by default at the highest level in the structure, so any changes made to it (which is not recommended) also apply to the lower levels in the hierarchy.

In the following screenshot you can see that the Default Domain Policy is automatically inherited by the “Test OU” I have created.

We can disable this inheritance. To do that, right-click on the OU on which we need to block the inheritance and click “Block Inheritance”.

Once it’s done, we no longer see the Default Domain Policy that was inherited.

Enforced Policies

Using the Enforced option we can force policies to apply at lower levels in the hierarchy. For example, let’s assume we have two policies called Policy A and Policy B at the highest level in the hierarchy. At a lower level in the hierarchy some OUs have blocked policy inheritance, so by default these 2 policies will not apply to them. But we still need to push Policy A to everyone in the organization no matter what. By enforcing the policy we can push it even to the OUs that use Block Inheritance.

To enforce a policy, right-click on the policy you need to enforce and click “Enforced”.

Then we can see that in Test OU it is inherited even though the OU uses the Block Inheritance option.

Loopback Processing

As we know, we can apply group policies based on the user object or the computer object in Active Directory. But on some special occasions we need to consider only the policies based on the computer object. For example, in a library or a public lab many users may use the same computer. In that case the computer should stay the same for every user; it should not change based on the user policies. It should only use the computer policies applied to it.

In Group Policy Management, start editing the policy you would like to configure with loopback processing. Under Computer Configuration\Policies\Administrative Templates\System\Group Policies\ double-click the option “Configure user Group Policy loopback processing mode”.

There are 2 modes we can use with it.

Replace – This does not consider the user policies at all. It applies only the computer GPO.
Merge – In this mode it considers both user and computer policies, but if there is any conflict it always uses the computer policies.

If you have any questions about the post feel free to contact me at rebeladm@live.com