Tag Archives: group policy management

Step-by-Step Guide to exclude user or user group from group policy

After a few sick weeks I am back to blogging :). In an Active Directory infrastructure you may sometimes need to exclude a user or a user group from a group policy, for example because of an application setting or a system setting. I have seen administrators create a separate OU and move users there just to keep them out of a particular group policy. It is not necessary to create a new OU to exclude users from a GPO. In this post I am going to demonstrate how you can exclude a user or group from a GPO without moving them.

1)    Log in to a server with administrator privileges (it can be a DC or a server with the Group Policy Management feature installed). I am using a Windows Server 2016 TP5 DC for the demo.
2)    Open the Group Policy Management console via Server Manager > Tools > Group Policy Management

3)    Expand the tree and go to the group policy from which you would like to exclude the user or group. In my demo it is a GPO called Test1.

4)    Click on the selected GPO; the right-hand panel lists its settings. Click on the Delegation tab.

5)    Then click on the Advanced button.

6)    In the window that opens, click Add to add the user or group that you would like to exclude.

7)    In the permission list you can see that Read is allowed by default. Leave it as it is, scroll down the list to the permission called Apply group policy and tick Deny for it.

8)    Click OK to apply the changes and click Yes on the warning message. We have now successfully excluded user2 from the Test1 GPO.
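
The same exclusion as steps 4 to 8, done from PowerShell, followed by an audit that lists every Deny entry on every GPO in the domain. This is an added example, not code from the original post; it assumes the GroupPolicy and ActiveDirectory modules (RSAT or GPMC on a DC), "CONTOSO" is a placeholder domain, and "Test1" and "user2" are the names used in the post.

```powershell
# Added example (not part of the original post): exclude a trustee from a GPO by
# adding a Deny ACE for the "Apply Group Policy" extended right on the GPO's AD
# container, then list every Deny entry on every GPO. Assumes RSAT/GPMC modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# rightsGuid of the Apply-Group-Policy extended right in the AD schema; the
# "Apply group policy" row in the Delegation > Advanced dialog maps to this ACE
$ApplyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GpoApply {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Trustee,          # 'DOMAIN\name'
        [ValidateSet('User','Group','Computer')][string]$TrusteeType = 'Group'
    )
    $gpo     = Get-GPO -Name $GpoName
    $gpcPath = "AD:\$($gpo.Path)"   # CN={GUID},CN=Policies,CN=System,DC=...

    # Step 7 leaves Read allowed: without it the client cannot read the container
    # to evaluate the deny. Without -Replace an existing higher level is kept.
    Set-GPPermission -Name $GpoName -TargetName $Trustee -TargetType $TrusteeType `
        -PermissionLevel GpoRead | Out-Null

    $sid  = ([System.Security.Principal.NTAccount]$Trustee).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyGuid)
    $acl = Get-Acl -Path $gpcPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $gpcPath -AclObject $acl   # the client evaluates Apply on this AD object
}

function Get-GpoDenyEntries {
    # Deny entries do not appear in the Scope tab's Security Filtering list, only
    # under Delegation > Advanced, so they are easy to overlook; list them all.
    foreach ($g in Get-GPO -All) {
        Get-GPPermission -Guid $g.Id -All | Where-Object { $_.Denied } | ForEach-Object {
            [pscustomobject]@{
                Gpo        = $g.DisplayName
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
            }
        }
    }
}

# Usage (placeholder domain CONTOSO; GPO and user names from the post)
Deny-GpoApply -GpoName 'Test1' -Trustee 'CONTOSO\user2' -TrusteeType User
Get-GpoDenyEntries | Format-Table -AutoSize
```

A Deny entry always wins over an Allow, which is what the warning in step 8 is about, so the audit function is worth running periodically: a forgotten Deny on a broad group silently keeps a security baseline GPO off those accounts. The script changes only the ACL of the GPO's AD container, which is the object the client checks for Apply Group Policy; the SYSVOL folder permissions are left as GPMC set them.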

I hope this post was informative. If you have any questions, feel free to contact me on rebeladm@live.com

Step-by-Step Guide to publish proxy settings via GPO for IE10 and IE11 in a Windows Server 2008 R2 AD environment

Before IE10, Internet Explorer settings could be managed using Internet Explorer Maintenance (IEM) in group policy. If your organization has IE settings published using IEM, they no longer apply to IE10 and IE11.

In a Windows Server 2012 or later AD environment this is not a problem: you can simply publish these settings using the new IE settings method in GPO. In a Windows Server 2008 or 2008 R2 environment you need to follow a different method. In this post I will explain how to do it in a Windows Server 2008 R2 AD environment.

Before IE10 you could publish settings via GPO using User Configuration > Policies > Windows Settings > Internet Explorer Maintenance. But if your server is running IE10 or IE11, you can't see it in the GPO editor any more.

The new method is to publish IE settings via User Configuration > Preferences > Control Panel Settings > Internet Settings. There you can create settings based on the IE version. In my demo I am using a DC running Windows Server 2008 R2 with IE 11 installed, but here I can't see an option to publish IE10 or IE11 settings.

So how can we do it?

In order to publish IE10+ settings you need one of the following in the same domain:
1)    A Windows Server 2012 or newer server with the Group Policy Management feature installed
2)    A Windows 8.0 machine with the latest RSAT tools https://www.microsoft.com/en-gb/download/details.aspx?id=28972
3)    A Windows 8.1 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=39296
4)    A Windows 10 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=45520

Also make sure the system is running the latest updates.

Remote Server Administration Tools (RSAT) enable IT administrators to remotely manage roles and features in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 and Windows Server 2008 R2 from a computer running Windows 8.1, Windows 8 or newer.

In my demo I am using a Windows 8.1 machine with RSAT installed.

1)    To start, log in to the PC with Domain Administrator privileges.
2)    Then go to Programs and click on Group Policy Management

3)    Once it loads, expand the console, go to the domain, right-click it and select Create a GPO in this domain, and Link it here.
In my demo I am going to create a new GPO to publish the IE settings.

4)    Type the new policy name and click OK

5)    Then right-click on the newly added policy and click Edit

6)    Expand the policy settings and go to User Configuration > Preferences > Control Panel Settings > Internet Settings. Right-click and select New. Here we can now see Internet Explorer 10. There is no IE11 entry; the IE10 settings are valid for IE11 too. Click on “Internet Explorer 10” to publish the settings.

7)    A window opens that looks similar to the usual IE settings interface.

8)    Enter the changes you would like to publish.

9)    One thing you need to make sure of: once you have entered a change, press F6 to enable it. If it works, the red dotted underline changes to a green dotted underline. Whatever changes you enter, if you do not enable them with F6 they will not be published.

10)    Click OK to submit the settings. Here you can see it saved the IE10 browser settings.

11)    It's time for testing. Let's see if the newly published settings are applied to IE11.

12)    Yes, it worked fine. One thing to keep in mind: if you need to make changes to the GPO, you need to use one of the options mentioned above. You can't edit the new values from Windows Server 2008 R2.
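
A scripted version of the test in steps 11 and 12, run on a client as the user who should receive the policy. This is an added example, not part of the original post; the GPO display name, proxy address and bypass list are assumptions, and the registry values it reads are the per-user WinINET proxy settings that the Internet Settings preference item writes.

```powershell
# Added example (not part of the original post): after the GPO is linked, confirm
# on a client that the proxy values published through the IE10 Internet Settings
# preference item reached the user's registry and that the GPO is listed as applied.
$ExpectedGpoName = 'IE Proxy Settings'          # assumed display name of the GPO
$ExpectedProxy   = 'proxy.corp.example:8080'    # assumed proxy address
$ExpectedBypass  = '<local>'                    # assumed "bypass proxy for local addresses"

function Get-UserProxySettings {
    # Per-user WinINET/IE proxy configuration lives under this key
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable
        ProxyServer   = [string]$p.ProxyServer
        ProxyOverride = [string]$p.ProxyOverride
        AutoConfigURL = [string]$p.AutoConfigURL
    }
}

function Get-AppliedUserGpos {
    # Parses the "Applied Group Policy Objects" section of gpresult /r /scope user
    # (English output assumed); names are GPO display names, one per line.
    $applied   = @()
    $inSection = $false
    foreach ($line in (& gpresult.exe /r /scope user)) {
        if ($line -match 'Applied Group Policy Objects') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*-+\s*$') { continue }   # underline of dashes
        if ($line.Trim() -eq '') { break }            # blank line ends the section
        $applied += $line.Trim()
    }
    return $applied
}

function Test-ProxyPublished {
    param([string]$GpoName, [string]$Proxy, [string]$Bypass)
    $s = Get-UserProxySettings
    $problems = @()
    if ($s.ProxyEnable -ne 1)         { $problems += "ProxyEnable is $($s.ProxyEnable), expected 1" }
    if ($s.ProxyServer -ne $Proxy)    { $problems += "ProxyServer is '$($s.ProxyServer)', expected '$Proxy'" }
    if ($s.ProxyOverride -ne $Bypass) { $problems += "ProxyOverride is '$($s.ProxyOverride)', expected '$Bypass'" }
    if ((Get-AppliedUserGpos) -notcontains $GpoName) {
        $problems += "GPO '$GpoName' is not in the applied list"
    }
    if ($problems.Count -eq 0) { return 'OK: GPO applied and proxy values match' }
    return $problems
}

# Refresh user policy first so the check reflects the current GPO, then test
gpupdate.exe /target:user /force | Out-Null
Test-ProxyPublished -GpoName $ExpectedGpoName -Proxy $ExpectedProxy -Bypass $ExpectedBypass
```

The two failure modes separate cleanly: if the GPO is in the applied list but the registry values do not match, the preference item was most likely left red, i.e. not enabled with F6 as in step 9; if the GPO is missing from the applied list, the problem is the link or the security filtering on the GPO, not the IE settings.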

If you have any questions, feel free to contact me on rebeladm@live.com

Group policy Troubleshooting – Part 02

This is Part 02 of the series of posts about the methods and tools that can be used for group policy troubleshooting. In Part 01 I explained the “Group Policy Results Wizard”, which can be used to troubleshoot group policy issues. If you have not read it yet, you can find it at http://www.rebeladmin.com/2015/08/group-policy-troubleshooting-part-01/

In this post let's look at some of the other tools.

GPResult.exe command

This is the command-line version of the “Group Policy Results Wizard”. To run it,
1)    Log in to the server
2)    Open a command prompt
3)    Type gpresult /s serverorcomputername /user username /r

Here serverorcomputername should be replaced with the host name of the target device, and username with the user name of the account whose group policy should be evaluated.

In the demo I used gpresult /s DCM1 /user canitpro\Administrator /r

Group Policy Modelling Wizard

This is the advanced and powerful tool for GP troubleshooting, and it gives more detailed results. Using it we can run a test for a computer or user account at a more detailed level and see the impact of different group policies.

To run the tool,
1)    Log in to the DC as a domain admin or enterprise admin
2)    Open Server Manager > Tools > Group Policy Management

3)    Expand the tree, go to Group Policy Modelling, right-click on it and select Group Policy Modelling Wizard

4)    The wizard opens; click Next to continue

5)    Then it asks about the domain controller; here you can even select a different domain or sub-domain. Make the selections and click Next

6)    Then it asks which OUs should be used for the test. The first one is for users and the second one is for computers. After the selection click Next

7)    Then it gives the option to select the site. You can also choose to simulate slow link processing and loopback processing. After the selection click Next to continue

8)    Then it lists the security groups for the current user. If you need to, you can select different groups. Click Next to continue.

9)    The next window lists the computer security groups; if you need to, you can add more. Click Next to continue

10)    In the next window you can add WMI filters or just use all the linked WMI filters for the user. It depends on the configuration and the troubleshooting process. Click Next to continue

11)    In the next window you can add WMI filters or just use all the linked WMI filters for the computer. Click Next to continue.

12)    The next window gives a summary of the selections. Click Next to continue

13)    In the next window click Finish to complete the wizard.

14)    Then go to the console and click on the new object it created; there you can see the detailed report
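
Both tools in this post can be scripted, which is useful when the same check has to be repeated for many computers or kept as evidence. This is an added example, not code from the original post: Get-GpResultSummary wraps the gpresult command shown above in XML mode and pulls out which GPOs were applied, filtered or not readable, and Invoke-GpModelling runs a planning-mode query through the GPMC scripting (COM) interface, which is what the Modelling wizard does. The host name DCM1 and the canitpro domain are from the post; the user and computer DNs, the OU names and the report path are assumptions, and the GPMRSOP member names are taken from the GPMC scripting interface and should be verified on your build.

```powershell
# Added example (not part of the original post): script GPResult.exe and the
# Modelling (planning-mode RSOP) query. Run from a host with GPMC/RSAT installed.
function Get-GpResultSummary {
    param(
        [Parameter(Mandatory)][string]$Computer,   # e.g. DCM1 (from the post)
        [Parameter(Mandatory)][string]$User        # e.g. canitpro\Administrator
    )
    $tmp = Join-Path $env:TEMP "gpresult-$Computer.xml"
    # /x writes the same data the Results wizard shows, as XML; /f overwrites
    & gpresult.exe /s $Computer /user $User /x $tmp /f | Out-Null
    [xml]$rsop = Get-Content -Path $tmp -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($rsop.NameTable)
    $ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Rsop')
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $rsop.SelectNodes("/r:Rsop/r:$scope/r:GPO", $ns)) {
            # A GPO that was seen but not applied shows FilterAllowed=false
            # (security/WMI filtering) or AccessDenied=true (no Read on the GPO)
            [pscustomobject]@{
                Scope         = $scope
                Name          = $gpo.SelectSingleNode('r:Name', $ns).InnerText
                Enabled       = $gpo.SelectSingleNode('r:Enabled', $ns).InnerText
                FilterAllowed = $gpo.SelectSingleNode('r:FilterAllowed', $ns).InnerText
                AccessDenied  = $gpo.SelectSingleNode('r:AccessDenied', $ns).InnerText
            }
        }
    }
}

function Invoke-GpModelling {
    param(
        [Parameter(Mandatory)][string]$DomainController,  # DC to simulate against (wizard step 5)
        [Parameter(Mandatory)][string]$UserDn,            # DN of the user to simulate
        [Parameter(Mandatory)][string]$ComputerDn,        # DN of the computer to simulate
        [Parameter(Mandatory)][string]$ReportPath         # .html output file
    )
    $gpm   = New-Object -ComObject GPMgmt.GPM
    $const = $gpm.GetConstants()
    # Planning mode is what the Modelling wizard runs; the Results wizard is logging mode
    $rsop  = $gpm.GetRSOP($const.RSOPModePlanning, '', 0)
    $rsop.PlanningDomainController = $DomainController
    $rsop.PlanningUser             = $UserDn
    $rsop.PlanningComputer         = $ComputerDn
    # PlanningSite / PlanningFlags cover the site, slow-link and loopback choices of step 7
    $rsop.CreateQueryResults()
    $rsop.GenerateReportToFile($const.ReportHTML, $ReportPath) | Out-Null
    $rsop.ReleaseQueryResults()
    return $ReportPath
}

# Usage (DNs, OUs and report path are assumptions)
Get-GpResultSummary -Computer 'DCM1' -User 'canitpro\Administrator' | Format-Table -AutoSize
Invoke-GpModelling -DomainController 'DCM1' `
    -UserDn 'CN=user2,OU=Sales,DC=canitpro,DC=local' `
    -ComputerDn 'CN=PC01,OU=Workstations,DC=canitpro,DC=local' `
    -ReportPath (Join-Path $env:TEMP 'modelling.html')
```

The FilterAllowed and AccessDenied columns are the ones to read first when a policy "is not applying": the first points at security filtering or a WMI filter, the second at a missing Read permission on the GPO, which are two different fixes.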

If you have any questions about the post, feel free to contact me on rebeladm@live.com

Group policy Troubleshooting – Part 01

When it comes to group policy troubleshooting in a DC environment, the problem is mainly one of the following:

1)    Group policies are not applied as expected – it can be for one OU or even the entire domain
2)    Group policies are applied but do not do what is expected

So where do we start? How can we find the exact issue and fix it?

Most of the time, when it comes to group policy troubleshooting, admins jump straight into the group policy MMC. But I reckon that is not the way to start.

1)    Check Event Viewer – it's a good place to start. Check for any errors or warnings to see if there is an error related to GPO
2)    Check whether the DC is reachable – if you are testing from a user PC or server, check whether it can reach the DC properly.
3)    Check network connectivity and DNS – check that the network connection is okay and that the DNS settings are correct. If it's across different subnets, make sure the DC can reach the target users or computers.

After that we can use the tools provided by Windows Server 2012 to analyse the problem. Windows Server 2012 provides 3 tools that help with GP troubleshooting.

1)    The Group Policy Result Wizard
2)    GPResult.exe command
3)    Group Policy Modelling Wizard

Group Policy Result Wizard

Using the wizard we can identify GPO-related issues against a user computer or a server. To run this tool the following requirements need to be fulfilled.

1)    The target should run Windows XP or newer
2)    The target must be online and reachable from the source without issues
3)    You need administrative rights on the target computer
4)    WMI must be running on the target and ports 135 and 445 should be open
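
A pre-flight check for the four requirements above, so that a wizard failure can be traced to a specific one instead of the generic RPC error the wizard reports. This is an added example, not code from the original post; the computer name and credential are assumptions, and it needs Test-NetConnection (Windows 8.1 / Server 2012 R2 or newer).

```powershell
# Added example (not part of the original post): verify the prerequisites of the
# Group Policy Results wizard against a target before launching it.
function Test-GpResultPrerequisites {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # assumed target host name
        [pscredential]$Credential                      # optional account with admin rights on the target
    )
    $checks = [ordered]@{}

    # 2) target resolvable and online from the source
    $checks['DnsResolves'] = [bool](Resolve-DnsName -Name $ComputerName -ErrorAction SilentlyContinue)
    $checks['Ping']        = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # 4) RPC endpoint mapper (135) and SMB (445) reachable
    foreach ($port in 135, 445) {
        $checks["Port$port"] = (Test-NetConnection -ComputerName $ComputerName -Port $port `
                                    -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # 3) and 4) WMI answers over DCOM with our rights; 1) OS version is XP (5.1) or newer
    $wmiArgs = @{ Class = 'Win32_OperatingSystem'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $wmiArgs['Credential'] = $Credential }
    try {
        $os = Get-WmiObject @wmiArgs          # DCOM, the same transport the wizard uses
        $checks['WmiAccess']   = $true
        $checks['OsCaption']   = $os.Caption
        $checks['OsSupported'] = [version]$os.Version -ge [version]'5.1'
    } catch {
        $checks['WmiAccess'] = $false
        $checks['WmiError']  = $_.Exception.Message   # "Access is denied" = requirement 3
    }
    [pscustomobject]$checks
}

# Usage (host name is an assumption)
Test-GpResultPrerequisites -ComputerName 'PC01' | Format-List
```

Read the result in order: DnsResolves and Ping cover requirement 2, Port135 and Port445 cover the open ports, WmiAccess with an "Access is denied" error points at requirement 3, and OsSupported covers requirement 1. Port135 succeeding while WmiAccess fails without an access error usually means a firewall between source and target allows 135 but not the dynamic port that DCOM negotiates afterwards.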

Let’s see how we can run this tool.

1)    Log in to the DC as a domain admin or enterprise admin
2)    Open Server Manager
3)    Go to Tools > Group Policy Management

4)    Expand the tree and go to Group Policy Results

5)    Right-click on it and click Group Policy Results Wizard

6)    The wizard opens. Click Next to continue

7)    On the next page select the Another computer option and click Browse to select the target computer

8)    The next window asks which user you need to check; select the user and click Next

9)    Then it gives the summary; click Next to proceed

10)    Then click Finish to exit the wizard

11)    Then we can see the result page in the console

This is the end of Part 01; in the next post let's see how we can use the other 2 tools.

If you have any questions about the post, feel free to contact me on rebeladm@live.com