Tag Archives: Group Policy

Step-by-Step Guide to exclude user or user group from group policy

After a few sick weeks I am back to blogging :). In an Active Directory infrastructure you may sometimes need to exclude a user or a user group from a group policy, for example because of an application setting or a system setting. I have seen administrators create a separate OU and move users there just to keep a particular group policy away from them. It is not necessary to create a new OU to exclude users from a GPO. In this post I am going to demonstrate how you can exclude a user or group from a GPO.

1)    Log in to a server with administrator privileges (it can be a DC or a server with the Group Policy Management feature installed). I am using a Windows Server 2016 TP5 DC for the demo.
2)    Open the Group Policy Management MMC via Server Manager > Tools > Group Policy Management


3)    Expand the tree and go to the group policy from which you want to exclude the user or group. In my demo it is a GPO called Test1


4)    Click on the selected GPO; the right-hand panel lists its settings. Click on the Delegation tab.


5)    Then click on the Advanced button


6)    In the window, click on Add to add the user or the group that you want to exclude



7)    In the permission list you can see that the Read permission is allowed by default. Leave it as it is and scroll down the list to the permission called Apply group policy. Tick Deny for that permission.


8)    Click OK to apply the changes and click Yes in the warning message. Now we have successfully excluded user2 from the Test1 GPO.
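The same exclusion can be scripted. The following is an added example and not code from the original post: it adds a Deny entry for the "Apply Group Policy" extended right on the GPO's Active Directory object, which is exactly what the Delegation > Advanced dialog writes. It assumes RSAT (the GroupPolicy and ActiveDirectory modules) on the machine you run it from, rights to edit the GPO, and uses the GPO name (Test1) and user (user2) from the post; the function names are my own.

```powershell
# Added example (not from the original post): exclude a user or group from a GPO
# by denying the "Apply Group Policy" extended right on the GPO's AD object.
# Assumes RSAT (GroupPolicy + ActiveDirectory modules) and rights to edit the GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Test1'     # GPO name from the post
$Principal = 'user2'     # user or group to exclude (from the post); 'DOMAIN\name' also works

# GUID of the "Apply Group Policy" extended right, as defined in the AD schema
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GPApply {
    param([string]$Name, [string]$Identity)

    $gpo = Get-GPO -Name $Name
    $dn  = $gpo.Path                       # DN of the groupPolicyContainer object in AD
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -Path "AD:\$dn"

    # Keep Read allowed (the dialog grants it by default) so the client can still read the GPO
    $readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Deny only the "Apply Group Policy" extended right
    $denyRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyRight)

    $acl.AddAccessRule($readRule)
    $acl.AddAccessRule($denyRule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function Get-GPApplyDeny {
    # Lists the principals that are explicitly denied "Apply Group Policy" on a GPO
    param([string]$Name)
    $dn = (Get-GPO -Name $Name).Path
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $ApplyGroupPolicyRight
        } |
        Select-Object IdentityReference, AccessControlType, ObjectType
}

Deny-GPApply -Name $GpoName -Identity $Principal
Get-GPApplyDeny -Name $GpoName
```

Deny entries win over Allow entries, so a member of a denied group loses the policy even though Authenticated Users keep Apply Group Policy on the GPO; that is the same behaviour as the GUI approach in the post, and it is worth documenting because a Deny buried in a GPO's ACL is a common cause of "policy not applying" tickets later. After a direct ACL edit, open the GPO's Delegation tab once in GPMC: it compares the AD and SYSVOL permissions and offers to reconcile them if they differ.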



Hope this post is informative. If you have any questions feel free to contact me on rebeladm@live.com

Step-By-Step Guide to enable Advanced Security Audit Policy: DS Access

From a security perspective, Active Directory is more important than any other system in an organization. Even a small change in the organization's AD can have a major business impact. Unauthorized access and unplanned changes in the AD environment should be prevented in the first place, but if something like that does happen in your AD environment you should have enough information to answer questions such as: what has changed? when did it happen? and who did it?

As you know, computer security threats change every day, and sometimes the default event logs may not help to answer the above questions. Microsoft understood these modern requirements and with Windows 2008 R2 introduced the "Advanced Security Audit Policy". This gives you 53 options to tune the auditing requirements so that you can collect more granular information about your infrastructure events. It has 10 categories, and in this demo I am going to talk about the "DS Access" category, which is focused on Active Directory access and object modifications.


Advanced Security Audit Policy needs to be enabled via GPO. These events are recorded on domain controllers, therefore the policy should only target the domain controllers. It can be enabled in the "Default Domain Controllers Policy" in AD.

Let’s see how to enable this GPO setting.

In my demo I am using an AD server with Windows 2016 TP4.
1)    Log in to the server as Domain Admin
2)    Load the Group Policy Management Editor using Server Manager > Tools > Group Policy Management
3)    Expand the Domain Controllers OU, then right-click on Default Domain Controllers Policy and click Edit.


4)    Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access


There are 4 subcategories under DS Access. Let's see what each subcategory is capable of.

Audit Detailed Directory Service Replication

This security policy setting can be used to generate security audit events with detailed tracking information about the data that is replicated between domain controllers. This audit subcategory can be useful for diagnosing replication issues.

If it is enabled the following events will appear in the logs:
•    An Active Directory replica source naming context was established.
•    An Active Directory replica source naming context was removed.
•    An Active Directory replica source naming context was modified.
•    An Active Directory replica destination naming context was modified.
•    Attributes of an Active Directory object were replicated.
•    Replication failure begins.
•    Replication failure ends.
•    A lingering object was removed from a replica.

Audit Directory Service Access

This security policy setting determines whether the operating system generates events when an Active Directory Domain Services (AD DS) object is accessed.
These events are similar to the Directory Service Access events in previous versions of Windows Server operating systems.

If it is enabled the following event will appear in the logs:
•    An operation was performed on an object.

Audit Directory Service Changes

This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are:
•    Create
•    Delete
•    Modify
•    Move
•    Undelete
Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed.

If it is enabled the following events will appear in the logs:
•    A directory service object was modified.
•    A directory service object was created.
•    A directory service object was undeleted.
•    A directory service object was moved.
•    A directory service object was deleted.

Audit Directory Service Replication

This security policy setting determines whether the operating system generates audit events when replication between two domain controllers begins and ends.

If it is enabled the following events will appear in the logs:
•    Synchronization of a replica of an Active Directory naming context has begun.
•    Synchronization of a replica of an Active Directory naming context has ended.

According to Microsoft best practices (https://technet.microsoft.com/en-us/library/dn487457.aspx) I am going to enable the

Audit Directory Service Access
Audit Directory Service Changes

subcategories for both success and failure events. To do that, double-click on each subcategory and enable the audit events.




After the GPO applies I can see the new events in the logs. For testing I added a new GPO under the IT OU, and in the logs I can see detailed info about the activity.
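To confirm the policy took effect on a DC and to pull the resulting events without clicking through Event Viewer, here is an added example (not from the original post). It assumes you run it on the domain controller as an administrator. The event IDs in it are Microsoft's documented IDs for the Directory Service Changes and Directory Service Access subcategories; they are not listed in the post, and the function names are my own.

```powershell
# Added example (not from the original post): verify the effective DS Access audit
# policy on a DC and summarise the Security log events it produces.
# Event IDs are Microsoft's documented IDs for these subcategories.

function Get-DsAccessAuditPolicy {
    # auditpol reports the effective local policy, i.e. what the GPO actually set
    auditpol /get /category:"DS Access" /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-DsAccessEvents {
    param([int]$Hours = 24)

    $ids = @{
        5136 = 'A directory service object was modified.'     # Audit Directory Service Changes
        5137 = 'A directory service object was created.'
        5138 = 'A directory service object was undeleted.'
        5139 = 'A directory service object was moved.'
        5141 = 'A directory service object was deleted.'
        4662 = 'An operation was performed on an object.'     # Audit Directory Service Access
    }

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = @($ids.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named fields out of the event XML instead of parsing the message text
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            What      = $ids[[int]$_.Id]
            Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object    = if ($d['ObjectDN']) { $d['ObjectDN'] } else { $d['ObjectName'] }  # 5136-5141 vs 4662
            Attribute = $d['AttributeLDAPDisplayName']
            Value     = $d['AttributeValue']
        }
    }
}

Get-DsAccessAuditPolicy
Get-DsAccessEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner will hit: the GPO must have refreshed on the DC first (gpupdate /force, or wait for the refresh interval), and Audit Directory Service Access (4662) only fires for objects whose SACL requests auditing, so the change events (5136 to 5141) are usually the ones that answer "what changed, when and who". 4662 can also be very noisy on a busy domain, so filter it before forwarding to a SIEM.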


If you have any questions about the post feel free to ask me on rebeladm@live.com

Step-by-Step Guide to publish proxy settings via GPO for IE10 and IE11 in windows server 2008 R2 AD environment

Before IE10, Internet Explorer settings could be managed using Internet Explorer Maintenance (IEM) in group policy. If your organization has IE settings published using IEM, they no longer apply to IE10 and IE11.

In a Windows 2012 or later AD environment this is not a problem: you can simply publish these settings using the new IE settings publishing method in GPO. In Windows 2008 and Windows 2008 R2, however, you need to follow a different method. In this post I will explain how to do it in a Windows 2008 R2 AD environment.

Before IE10 you could publish settings via GPO using User Configuration > Policies > Windows Settings > Internet Explorer Maintenance. But if your server is running IE10 or IE11 you can't see it any more in the GPO.


The new method is to publish IE settings via User Configuration > Control Panel Settings > Internet Settings. There you can create settings based on the IE version. In my demo I am using a DC server with Windows 2008 R2 and IE 11 installed, but here I can't see an option to publish IE10 or IE11 settings.


So how we can do it?

In order to publish IE10+ settings you need one of the following in the same domain:
1)    Windows 2012 or newer server with the Group Policy Management feature installed
2)    Windows 8.0 machine with the latest RSAT tools https://www.microsoft.com/en-gb/download/details.aspx?id=28972
3)    Windows 8.1 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=39296
4)    Windows 10 machine with the latest RSAT tools https://www.microsoft.com/en-us/download/details.aspx?id=45520

Also make sure the system is running with the latest updates.

Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 from a computer that is running Windows 8.1, Windows 8 or newer.

In my demo I am using a Windows 8.1 machine with RSAT installed.

1)    To start, log in to the PC with Domain Administrator privileges.
2)    Then go to Programs and click on Group Policy Management


3)    Once it loads, expand the console, go to the domain, right-click and select Create a GPO in this domain, and Link it here.
In my demo I am going to create a new GPO to publish the IE settings.


4)    Type the new policy name and click OK


5)    Then right-click on the newly added policy and click Edit


6)    Expand the policy settings and go to User Configuration > Preferences > Control Panel Settings > Internet Settings. Right-click and select New. Here we can now see Internet Explorer 10. There is no IE11 entry, but the IE10 settings are valid for IE11 too. Click on "Internet Explorer 10" to publish the settings.


7)    A window opens that looks similar to the typical IE settings interface.


8)    Enter the changes you want to publish.


9)    One thing you need to make sure of: once you have entered the changes, press "F6" to activate them. If it works, the red dotted underline changes to a green dotted underline. It doesn't matter what changes you put in; if you don't activate them by pressing F6 they will not be published.


10)    Click OK to submit the settings. Here you can see it has saved the IE10 browser settings.


11)    It's time for testing. Let's see if the new settings published for IE11 have been applied.


12)    Yes, it worked fine. One thing you need to keep in mind is that if you need to make changes to the GPO you have to use one of the above-mentioned options. You can't edit the new values with Windows 2008 R2.
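The test in step 11 can be done without opening the IE dialog. The following is an added example, not code from the original post: it reads the per-user registry values that Internet Explorer and WinINET use for the proxy, refreshes user policy first, and compares the result with the proxy you published. The proxy address in it is a placeholder and the function names are my own.

```powershell
# Added example (not from the original post): verify on the client that the proxy
# settings delivered by the IE10 Internet Settings preference item took effect.
function Get-IEProxyConfig {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer        # e.g. 'host:port' as typed in the GPP item
        BypassList    = $p.ProxyOverride      # ';'-separated exceptions; '<local>' = bypass for local addresses
        AutoConfigUrl = $p.AutoConfigURL      # PAC file URL, if one was published instead
    }
}

function Test-IEProxyConfig {
    param([string]$ExpectedProxy)
    $cfg = Get-IEProxyConfig
    if (-not $cfg.ProxyEnabled) {
        return 'Proxy is not enabled: check the item was activated with F6 and that the GPO applies to this user (gpresult /r).'
    }
    if ($cfg.ProxyServer -ne $ExpectedProxy) {
        return "Proxy is '$($cfg.ProxyServer)', expected '$ExpectedProxy'."
    }
    'Proxy settings match the published GPO.'
}

gpupdate /target:user /force | Out-Null             # refresh user policy so the GPP item is re-applied
Get-IEProxyConfig
Test-IEProxyConfig -ExpectedProxy 'proxy.example.com:8080'   # placeholder: use the value you published
```

If ProxyEnabled is false after a refresh, the usual causes are the F6 step in point 9 being skipped (the item is saved but not active) or the GPO not being in scope for the user, which gpresult /r shows under "Applied Group Policy Objects".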

If you have any questions feel free to contact me on rebeladm@live.com

Group policy Troubleshooting – Part 02

This is Part 02 of the series of posts that explains the methods and tools that can be used for group policy troubleshooting. In Part 01 I explained the "Group Policy Results Wizard" tool, which can be used for troubleshooting group policy issues. If you have not read it yet you can find it at http://www.rebeladmin.com/2015/08/group-policy-troubleshooting-part-01/

In this post let's look into some of the other tools.

GPResult.exe command

This is the command-line version of the "Group Policy Results Wizard". To run it,
1)    Log in to the server
2)    Open a command prompt
3)    Type gpresult /s serverorcomputername /user username /r

Here serverorcomputername should be replaced with the device host name, and username with the username of the account that will be evaluated against group policy.

In the demo I used gpresult /s DCM1 /user canitpro\Administrator /r
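The same resultant-set-of-policy data is available from PowerShell, which is handier when you want to check many machines. The following is an added example, not code from the original post: it uses Get-GPResultantSetOfPolicy (GroupPolicy module, RSAT) with the computer and user from the post, and then parses the XML report to list which GPOs were applied and which were filtered out. The XML element names it reads (GPO, Name, Enabled, AccessDenied, FilterAllowed, Link/SOMPath) are those I have seen in gpresult's XML report; treat them as an assumption and check them against your own output. The function name is my own.

```powershell
# Added example (not from the original post): PowerShell equivalent of the gpresult
# command above, plus a parse of the XML report to show applied vs filtered GPOs.
# Assumes the GroupPolicy module (RSAT) and admin rights on the target computer.
Import-Module GroupPolicy

function Get-GPResultSummary {
    param(
        [string]$Computer = 'DCM1',                    # host name from the post
        [string]$User     = 'canitpro\Administrator',  # account from the post
        [string]$Path     = "$env:TEMP\rsop-$Computer.xml"
    )

    Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $Path | Out-Null
    [xml]$rsop = Get-Content -Path $Path -Raw

    # Child element text by local name, ignoring the report's XML namespaces
    function Get-Text($node, $name) {
        $n = $node.SelectSingleNode("*[local-name()='$name']")
        if ($n) { $n.InnerText } else { $null }
    }

    foreach ($scope in 'ComputerResults', 'UserResults') {
        $node = $rsop.SelectSingleNode("//*[local-name()='$scope']")
        if (-not $node) { continue }
        foreach ($gpo in $node.SelectNodes("*[local-name()='GPO']")) {
            $link = $gpo.SelectSingleNode("*[local-name()='Link']")
            [pscustomobject]@{
                Scope         = $scope
                GPO           = Get-Text $gpo 'Name'
                Enabled       = Get-Text $gpo 'Enabled'
                AccessDenied  = Get-Text $gpo 'AccessDenied'    # 'true' when security filtering blocked it
                FilterAllowed = Get-Text $gpo 'FilterAllowed'   # 'false' when a WMI filter excluded it
                LinkedAt      = if ($link) { Get-Text $link 'SOMPath' } else { $null }
            }
        }
    }
}

Get-GPResultSummary | Format-Table -AutoSize
```

AccessDenied = true with the GPO still listed is the quickest way to spot an exclusion through a Deny "Apply Group Policy" entry, and FilterAllowed = false points at a WMI filter; neither shows up as an error anywhere else, which is why gpresult /r alone can leave you guessing.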



Group Policy Modelling Wizard

This is an advanced and powerful tool that can be used for GP troubleshooting, and it gives more detailed results. Using it we can run tests against computer and user accounts at a more detailed level and see the impact of different group policies.

To run the tool,
1)    Log in to the DC as domain admin or enterprise admin
2)    Open Server Manager > Tools > Group Policy Management


3)    Then expand the tree, go to Group Policy Modelling, right-click on it and select Group Policy Modelling Wizard


4)    The wizard opens; click Next to continue


5)    Then it asks about the domain controller; here you can even select different domains and sub-domains. Make the selections and click Next


6)    Then it asks which OUs should be used for the test. The first one is for users and the second one is for computers. After the selection click Next


7)    Then it gives the option to select the site. You can also choose to simulate slow link processing and loopback processing. After the selection click Next to continue


8)    Then it lists the security groups for the current user. If you need to, you can select different groups. Click Next to continue.


9)    The next window lists the computer security groups; if you need to, you can add more. Click Next to continue


10)    In the next window you can add WMI filters or just use all the linked WMI filters for the users. It depends on the configuration and the troubleshooting process. Click Next to continue


11)    In the next window you can add WMI filters or just use all the linked WMI filters for the computers. Click Next to continue.


12)    The next window gives a summary of the selections. Click Next to continue


13)    In the next window click Finish to complete the wizard.


14)    Then go to the console and click on the new object it created; you can see the detailed report




If you have any questions about the post feel free to contact me on rebeladm@live.com

Group policy Troubleshooting – Part 01

When it comes to group policy troubleshooting in a DC environment, it is mainly one of the following issues.

1)    Group policies not applied as expected: it can be to an OU or even to the entire domain
2)    Group policies applied but not doing what is expected

So where do we start? How can we find the exact issue and fix it?

Most of the time when it comes to group policy troubleshooting admins jump into the group policy MMC. But I reckon that's not the way to start.

1)    Check Event Viewer: it's a good place to start. Check for any errors or warnings to see if there is an error related to the GPO
2)    Check if the DC is reachable: if you're testing from a user PC or server, check whether it can reach the DC properly.
3)    Check network connectivity and DNS: check that the network connection is okay and the DNS settings are correct. If it's between different subnets make sure the DC can reach the target users or computers.

After that we can use the tools provided by Windows Server 2012 to analyse the problem. Windows Server 2012 provides 3 tools to help with GP troubleshooting.

1)    The Group Policy Result Wizard
2)    GPResult.exe command
3)    Group Policy Modelling Wizard

Group Policy Result Wizard

Using the wizard we can identify GPO related issues against a user computer or a server. To run this tool the following requirements need to be fulfilled.

1)    The target should run Windows XP or newer
2)    The target must be online and the source must be able to contact it without issue
3)    You need administrative rights on the target computer
4)    WMI must be running on the target and ports 135 and 445 should be open
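The three checks listed earlier (event log, DC reachability, DNS) and the wizard's connectivity requirements just above can be run as one script before you open the wizard. The following is an added example and not code from the original post: it assumes Windows 8.1 / Server 2012 R2 or newer on the machine you run it from (for Test-NetConnection and Resolve-DnsName), uses a placeholder target computer name, and the function name is my own.

```powershell
# Added example (not from the original post): pre-flight checks for GP troubleshooting.
# Run from the source machine (DC or admin workstation) against a placeholder target.
function Test-GPTroubleshootingPrereqs {
    param(
        [string]$Target = 'PC1',                 # placeholder target computer name
        [string]$Domain = $env:USERDNSDOMAIN     # DNS name of the AD domain
    )
    $results = @()

    # 1) Check Event Viewer: errors/warnings from the Group Policy operational log (last 24h)
    $gpErrors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'GP operational log errors/warnings (24h)'; Result = @($gpErrors).Count }

    # 2) Check DNS: clients locate DCs through this SRV record, so it must resolve
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $dcs = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
    $results += [pscustomobject]@{ Check = 'DCs found via DNS SRV'; Result = ($dcs -join ', ') }

    # 3) Check the DC is reachable: LDAP (389) and SMB (445, for SYSVOL) on every DC found
    foreach ($dc in $dcs) {
        foreach ($port in 389, 445) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            $results += [pscustomobject]@{ Check = "$dc TCP/$port"; Result = $ok }
        }
    }

    # 4) Results Wizard requirements on the target: RPC endpoint mapper (135), SMB (445) and WMI
    foreach ($port in 135, 445) {
        $ok = (Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Check = "$Target TCP/$port"; Result = $ok }
    }
    $wmi = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "$Target WMI (remote query)"; Result = [bool]$wmi }

    $results
}

Test-GPTroubleshootingPrereqs -Target 'PC1' | Format-Table -AutoSize
```

A failed TCP/445 to a DC explains most "policy not applied" cases on its own, because the client cannot read the GPO files from SYSVOL even though LDAP works; a failed TCP/135 or WMI check against the target means the Results Wizard will fail before it collects anything, which is usually a host firewall rule rather than a Group Policy problem.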

Let’s see how we can run this tool.

1)    Log in to the DC as domain admin or enterprise admin
2)    Open Server Manager
3)    Then go to Tools > Group Policy Management


4)    Then expand the tree and go to Group Policy Results


5)    Right-click on it and click Group Policy Results Wizard


6)    The wizard opens. Click Next to continue


7)    On the next page select the Another computer option and click Browse to select the target computer


8)    The next window asks which user you need to check; select the user and click Next


9)    Then it gives the summary; click Next to proceed


10)    Then click Finish to exit the wizard


11)    Then we can see the result page in the console





This is the end of Part 01; in the next post let's see how we can use the other 2 tools.

If you have any questions about the post feel free to contact me on rebeladm@live.com

Group Policy Slow Link Detection

In an Active Directory infrastructure we use group policies to push security settings and other computer configuration from a central location. They can be applied at computer level or user level. In an organization it is important to maintain a proper design for group policies and their hierarchy, as complexity and application order can cause issues on the network.

This is very important when you deal with a multi-site environment, because these group policies can become a bottleneck on the bandwidth between remote sites and the main site. This is something most administrators do not pay attention to. I agree it depends on the group policies and their use, but for example let's assume we have 10 group policies to apply to users in a remote site. The link between the locations is 512kb. Just imagine 100 workstations logging on in the morning and initiating these group policies: how much bandwidth will be used? Also, what about a user who logs on from a remote location? Can we expect them to always get a good speed?

Well, Microsoft has an answer for this. Before applying group policies to a workstation it checks the connection speed from the distributing server to the workstation; by default Microsoft treats any link speed below 500kbps as a slow link. Once a slow link is detected, some of the group policy components are automatically not processed. So if you are having issues getting all the group policies onto workstations in a remote location (it can even be in the local network if the NIC is maxed out due to its activity or a virus) this is one place to check.

Here is the list of the components that are processed or skipped when a slow link is detected:

•    Administrative Templates
•    Group Policy Preferences
•    802.3 Group Policy
•    IE maintenance
•    Internet Explorer Zone Mapping
•    IP Security
•    QoS Packet Scheduler
•    Microsoft Offline Files
•    Software Restriction Policies
•    Windows Search
•    Deployed Printer Connections
•    Disk Quotas
•    Folder Redirection
•    Software Installation


How to change this default limit?

We can change the default limit to suit our infrastructure needs. To do this,

Log in to the DC server as the domain admin or enterprise admin.

Then go to Server Manager > Tools > Group Policy Management


Then go to the relevant policy, right-click on it and click Edit.


This setting can be changed at computer configuration level or user configuration level. Both are located in the same path: Policies\Administrative Templates\System\Group Policy

Here there is an option called Configure Group Policy slow link detection


Double-click on it to change it. By default it is in the Not Configured state. Even if you disable it or leave it not configured, the system still detects any link below 500kbps as a slow link.


Once it is enabled, you can set speeds in kbps (kilobyte per second).


If you set the speed to 0 it disables this feature. We can also force the system to treat all WWAN connections as slow links.
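When a remote-site workstation is missing policies, two things are worth checking on the client itself: what threshold the policy actually delivered, and what bandwidth Group Policy estimated at the last refresh. The following is an added example, not code from the original post. The registry value name it reads (GroupPolicyMinTransferRate under the System policies key) is the one I understand the "Configure Group Policy slow link detection" setting writes, taken from the GroupPolicy.admx template, so treat that as an assumption; the event filter matches on message text rather than specific event IDs. The function names are my own.

```powershell
# Added example (not from the original post): show the effective slow-link threshold on a
# client and the bandwidth estimates Group Policy logged during recent refreshes.
function Get-GPSlowLinkThreshold {
    # Value name assumed from GroupPolicy.admx; 500 kbps is the built-in default when unset
    $paths = @{
        Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'
    }
    foreach ($scope in $paths.Keys) {
        $v = (Get-ItemProperty -Path $paths[$scope] -Name GroupPolicyMinTransferRate `
                -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
        [pscustomobject]@{
            Scope         = $scope
            Configured    = ($null -ne $v)
            ThresholdKbps = if ($null -eq $v) { 500 } else { [int]$v }   # 0 = detection disabled
            Note          = if ($null -eq $v) { 'not configured: built-in default applies' }
                            elseif ($v -eq 0)  { 'slow-link detection disabled by policy' }
                            else               { 'set by policy' }
        }
    }
}

function Get-GPLinkDetectionEvents {
    # The Group Policy operational log records the bandwidth estimate and whether the
    # link was classed as slow or fast at each policy refresh.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'slow link|fast link|bandwidth' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Get-GPSlowLinkThreshold
Get-GPLinkDetectionEvents -Days 7 | Format-Table -AutoSize -Wrap
```

Reading the estimate from the log is more reliable than guessing from the WAN circuit size: the value Group Policy uses is what it measured from the client to the DC it contacted, so a busy NIC or a DC in the wrong site will show up here as a low estimate even though the link itself is fine.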

If you have any questions about the post feel free to contact me on rebeladm@live.com

How to install Certificate Services in a Domain Environment?

In this demonstration I will show how to install Active Directory Certificate Services and how we can use the issued certificates for different tasks. Specifically, I will demonstrate how to issue the company's trusted certificates to each and every client that connects to the domain.

Here I am using a server which is already added to the domain. I have explained how to install domain services on Windows 2008 Server in one of my previous posts.

The demo environment uses a Windows 2008 R2 Standard server, and as the client PC I am using a Windows 7 SP1 PC. This is still valid for Windows 2012 as well.

Let’s go ahead and install the certificate services.

To start, log in to the domain server as a domain admin and open Server Manager.

Once it opens, right-click on Roles and select Add Roles.


Once the wizard opens, click Next to continue.


From the list select "Active Directory Certificate Services" and click Next.


The next window displays some warnings about the service and its use. Click Next to continue.


In the next window select "Certificate Authority" as the role service and click Next to continue.


In the next window you can select the setup type. Use the default Enterprise setup as this is a DC server. Click Next to continue.


In the next window select the CA type. Here I used Root, as this will be the only CA used for the demo.


In the next window select the "Create a new private key" option and click Next to create the private key for the server.


In the next window you can change the cryptography settings, but I will be using the defaults.


In the next window you can change the CA name if needed. I will be using the default.

In the next window you can define the validity period of the certificate. I will use the default 5 years.


The next window asks for the file path to save the certificate database.


The next window confirms the installation; click Install to start the installation.


Once it is installed it shows the confirmation.


Now we have AD CS installed. The next step is to configure it to issue certificates to the computers that connect to the domain.

By default there will not be any certificate issued to the computer. To test this I will log in to a PC which is joined to greenwich.local as user "cs1" (this user has local admin rights; if not, it won't show the certificates assigned at the computer level).

Once logged in go to Start > Run > mmc.
This opens the MMC.
Once it opens go to File > Add/Remove Snap-in


From the window click on Certificates and click on the Add button.


Then in the next window select "Computer account", as we need to view the certificates issued to the computer. Then click Next.


In the next window select Local computer and click Finish.


Then it shows the added snap-in; click OK to open the snap-in.


Once it's open expand the tree and go to Personal > Certificates. You can see there is no certificate issued to the PC.


Now we need to configure AD CS to issue certificates to the client computers.

To do that, first we need to log back in to the server where we installed the AD CS services as domain admin or enterprise admin. Then open the MMC console as we did above.

Then go to Add/Remove Snap-in as in the previous step.
From the available snap-ins select "Certificate Authority" and add it.


Then also select "Certificate Templates" and click OK.

Then it opens the console as follows


Then click on Certificate Templates and from the available templates select the "Workstation Authentication" template


On the Action menu, click Duplicate Template. The Duplicate Template dialog box opens. Select the template version appropriate for your deployment, and then click OK. The new template properties dialog box opens.



Once the window opens, on the General tab, in Display Name, type a new name for the certificate template or keep the default name.


Go to the Security tab and select "Domain Computers" from the list. Then in Permissions, under Allow, select the Enroll and Autoenroll check boxes, and then click OK.


Then click OK to apply the changes.
Then double-click Certification Authority, double-click the CA name, and then click Certificate Templates.


On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.


Click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of Workstation Authentication, and then click OK.


Then go to the "Group Policy Object Editor", right-click Default Domain Policy and select Edit.

Open Computer Configuration, then Policies, then Windows Settings, then Security Settings, and then Public Key Policies.


In the right-hand panel, double-click "Certificate Services Client – Auto-Enrollment". The Certificate Services Client – Auto-Enrollment Properties dialog box opens.

In the Certificate Services Client – Auto-Enrollment Properties dialog box, in Configuration Model, select Enabled.


Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box and click OK.


Now we have everything in place. We need to test it by logging in to the PC again to see if it issues the certificate now. I will log in to the same computer as user cs1 (this user has local admin rights on this PC; otherwise the user can only see user certificates). After login, load up the MMC as we did in the beginning and browse to the same location.



This clearly shows the new certificate that was created for the computer by the certificate server.
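The last steps (publishing the duplicated template on the CA and checking the client received a certificate from it) can also be done from the command line, which is useful when you have more than one client to verify. The following is an added example, not code from the original post. It assumes the template was left with the post's default display name "Copy of Workstation Authentication"; the template name without spaces that the CA registers it under is my assumption, so check it in the Certificate Templates console first. The client part assumes PowerShell 3 or newer on the Windows 7 PC, and the function name is my own.

```powershell
# Added example (not from the original post): publish the duplicated template on the CA
# and verify autoenrollment on a client.

# --- Part 1: on the CA server (run as Enterprise Admin) ---
$TemplateName = 'CopyofWorkstationAuthentication'   # assumed template name (cn) of the duplicate
certutil -SetCATemplates "+$TemplateName"           # equivalent of "Certificate Template to Issue"
certutil -CATemplates                               # lists the templates this CA now issues

# --- Part 2: on the domain-joined client (run elevated) ---
gpupdate /target:computer /force | Out-Null         # pull the Auto-Enrollment policy from Default Domain Policy
certutil -pulse | Out-Null                          # trigger autoenrollment now instead of waiting for the next cycle

function Get-MachineCertsByTemplate {
    # Maps each machine certificate to the template that issued it by reading the
    # "Certificate Template Information" (v2+) or "Certificate Template Name" (v1) extension.
    $templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Template   = if ($ext) { $ext.Format($false) -replace '\s+', ' ' } else { '(none)' }
            Thumbprint = $_.Thumbprint
        }
    }
}

Get-MachineCertsByTemplate | Where-Object { $_.Template -match 'Workstation' } | Format-List
```

If no certificate shows up after certutil -pulse, check the three things the post configured in order: the template appears in certutil -CATemplates on the CA, Domain Computers has Enroll and Autoenroll on the template's Security tab, and gpresult /r on the client lists Default Domain Policy under the computer settings. The Application log on the client also records the autoenrollment attempt and the reason if it failed.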