Filtered GPO’s are broken

When Rebooting Is Not The Answer

I was updating a logon script today and realized that for some reason it wasn’t applying to the machine. I ran rsop and gpresult, but neither one showed the policy or the logon script. The GPO was filtered to a specific group of users and the user was clearly a member of the group, so I was befuddled as to what was going on. I finally found a security update, KB 3159398, for Group Policy that came out in June that, while fixing a dangerous man-in-the-middle attack, breaks filtering if Domain Computer group does not have read permissions to the OU. Follow the below steps to fix and your GPO will be working like normal.

  1. Open up the gpo in group policy management and click the delegation tab.
  2. Click Add and type in domain computers.
  3. Set permissions to read as is the default.
  4. Enjoy your fixed GPO’s!

Link to Microsoft Security update and known…
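The delegation check from steps 1 to 3, run across every GPO in the domain, as an added example that is not part of the original post. It assumes the GroupPolicy PowerShell module (RSAT) is installed; the `-Fix` switch and the report column names are this example's own.

```powershell
# Added example, not from the original post. Read-only unless -Fix is passed.
param([switch]$Fix)   # -Fix is this example's own switch, not a built-in

Import-Module GroupPolicy   # installed with RSAT / Group Policy Management

# Permission levels that include Read on the GPO object.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    $acl = Get-GPPermission -Guid $gpo.Id -All

    # Trustees that cover computer accounts by default:
    #   S-1-5-11               Authenticated Users
    #   S-1-5-21-<domain>-515  Domain Computers
    # A custom group that contains the computers is not detected here,
    # so treat a hit as "review", not as proof the GPO is broken.
    $computerCanRead = $acl | Where-Object {
        ([string]$_.Permission) -in $readLevels -and
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
         $_.Trustee.Sid.Value -match '^S-1-5-21-.+-515$')
    }

    if (-not $computerCanRead) {
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Trustees    = ($acl.Trustee.Name -join ', ')
        }
    }
}

# GPOs that are security-filtered and that computers cannot read.
$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($row in $report) {
        # Same change as the Delegation tab: Domain Computers, Read only
        # (Read without Apply, so the filtering itself is unchanged).
        Set-GPPermission -Guid $row.Id -TargetName 'Domain Computers' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
    }
}
```

Run it without `-Fix` first and review the list, since a GPO may have had computer read access removed on purpose.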


Alternate Names for File Servers

When Rebooting Is Not The Answer

I had a server I had to quickly give an alternate name to so that the existing users could point to the new server, but I didn’t want to rename it the same as the old one. Traditionally you would simply add the following registry entry.

Registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
DWORD name: DisableStrictNameChecking
DWORD value: 1

Problem is this only works if you have SMB1.0 enabled on both the server and client, and you know how insecure that is (think EternalBlue exploited by WannaCry).

The proper way is to use netdom to add an alternative name by doing the below.

This will add a new SPN in active directory for the current machine name.

Special thanks to Dimitri’s Wanderings which is in the first link below as that saved me a lot of time.

https://dimitri.janczak.net/2016/09/26/multiple-server-names-on-windows/

https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias


All Group Policy Settings for Windows 10 1703, aka Creators Update

Colin Ford

This is a follow up to my previous post New Group Policy Settings for Windows 10 1703, aka Creators Update. My previous post contained the small list of group policy settings that only apply to Windows 10 1703 and Edge in 1703. New group policies were also exposed in 1703 that apply to various operating systems and browsers which I will list here.


Power BI : Active Directory v/s SCCM Boundaries

Purpose: Active Directory Sites and System Center Configuration Manager Boundaries are hard to keep in sync, especially in an environment where there are regular changes and several teams managing each technology separately. This Power BI dashboard solution will help analyze and reduce the gaps in SCCM. The dashboard will help SCCM administrators …