
How to apply a temporary GPO to a machine being imaged

Depending on how you use Active Directory in your organization, you may be setting a lot of security policies on workstations, and some of these settings can be problematic during the automated build of computers.

A few workarounds exist to avoid applying those to the workstations being imaged:

* Create a temporary OU for the computer account, and move it to the proper location once the build is done
* Change the order of the steps in your build to avoid issues caused by security settings
* Configure a GPO to override the settings that need to be set only during deployment, and filter it so that it applies only to machines being imaged.

For several different reasons, I had to use the last option. It is a rather clean option, as it doesn’t involve moving computer accounts after the build or making any changes on the domain during the imaging process, other than joining the machine, which is great.

One word of warning: make sure whatever you are overriding is not a must for security and is simply an “annoyance”, because eventually (probably within a few minutes) a user WILL figure out how you’re doing the filtering and WILL apply it to his own machine in order to bypass some security settings.

Only a few steps are involved:

1) Create a GPO that will set the values to what they need to be during the build (don’t link it yet)

2) Create a WMI filter called “BoxBeingBuilt” or something similar. Have it query something you know is true only during imaging. If you can’t find anything reliable, do something like this:

Select * from Win32_Environment Where Name = "BuildinDaBox"

3) Ensure your build process sets a system variable with that name at the beginning, and removes it at the end.
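As an added example (not from the original post), here is what step 3 looks like in a PowerShell fragment for the build task sequence: it sets the marker the post's WMI filter looks for, confirms the filter query actually matches, and removes the marker at the end. The marker name BuildinDaBox comes from the post; that the functions run as SYSTEM during the build is an assumption. The last function is the defender's side of the warning above: it finds machines that are not being imaged but still carry the marker.

```powershell
# Added example (not from the post). Assumed: the marker name used by the post's WMI
# filter, and that these functions run as SYSTEM inside the build task sequence.
$Marker = 'BuildinDaBox'
# Same query the post puts in the WMI filter; WQL string literals may use single quotes.
$Query  = "Select * from Win32_Environment Where Name = '$Marker'"

function Enable-BuildMarker {
    # Machine scope, so Win32_Environment reports it as a system variable; the WMI
    # filter is evaluated in the computer's context, where a user variable is invisible.
    [Environment]::SetEnvironmentVariable($Marker, '1', 'Machine')
    # Confirm the filter query actually matches before the build relies on the GPO.
    $hit = Get-WmiObject -Query $Query
    if (-not $hit -or -not $hit.SystemVariable) {
        throw "WMI filter query did not match; the temporary GPO would not apply"
    }
    gpupdate /target:computer /force | Out-Null   # pull the build-time GPO now
}

function Disable-BuildMarker {
    # Last step of the build: drop the marker and refresh, so the machine leaves
    # the build with the normal hardened policy already in effect.
    [Environment]::SetEnvironmentVariable($Marker, $null, 'Machine')
    gpupdate /target:computer /force | Out-Null
}

function Find-StaleBuildMarker {
    # Detection for the abuse the post warns about: a machine that is not being
    # imaged but still carries the marker has had it set by hand. Run from an
    # admin workstation with rights to query WMI remotely.
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $v = Get-WmiObject -ComputerName $c -Query $Query -ErrorAction Stop
            if ($v) {
                [pscustomobject]@{ Computer = $c; Marker = $v.Name; Value = $v.VariableValue }
            }
        } catch {
            Write-Warning "${c}: $($_.Exception.Message)"
        }
    }
}
```

Feed Find-StaleBuildMarker the computers of an OU that is not currently being imaged; every hit is a machine where someone recreated the marker to dodge policy.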

Tada!


OpsMgr – Problems deploying through Windows Firewall

Having issues pushing SCOM through the Windows firewall?

You opened the Remote Administration exception, you can ping it, you can browse shares, file and print sharing is enabled, yet it still fails?

There is one thing I have not seen documented in the SCOM installation/deployment guides: the agent actually adds a firewall exception for itself when it runs, so if you block local exceptions (what’s the point of having a GPO for the firewall config on your servers if you don’t?), it will fail.

Add this to your Firewall policy, as a program exception:
%SystemRoot%\422C3AB1-32E0-4411-BF66-A84FEEFCC8E2\MOMAgentInstaller.exe

Be sure to open it for the proper IPs only, for added security. Then try to push it again.

Good luck!


Problems with EFS Configuration in GPOs?

Having issues similar to:

Trying to enable EFS on a specific OU, while it’s disabled at the top of the structure or domain?
Recovery certificates from two different GPOs mixing up instead of being replaced?

Overall EFS GPOs looking like they aren’t merging properly?

Well, it’s not because EFS GPOs are supposed to behave like black magic. It turns out there’s a bug; Microsoft is aware of it but doesn’t think it would be a good idea to FIX IT on Windows XP and 2003.

Thankfully, all it means is you need to edit your GPOs from a Vista, 2008 or Windows 7 machine.

KB: EFS may not be enabled expectedly after you disable a policy and this policy turn off the EFS feature

Opening my EFS GPOs in Windows 7, switching the Allow/Don’t allow and applying the ‘change’ fixed my GPOs. A few minutes later, and stuff was behaving like it should’ve been… Can I have those wasted hours of my life back, Mr. Ballmer?


Too many OUs ?

Today I read a post on Windows Networking by Brien M. Posey about “The Confusion of AD Design”.

He argues that some people use way too many OUs and that “less is more”.

As I said before, there are situations that do warrant using multiple OUs. This is particularly true in situations in which there are multiple administrators, and each administrator needs to be delegated control over a different portion of the network.

Well, I’m not aware of many domains that do not have “multiple administrators that need to be delegated control over a different portion of the network”. Those that don’t usually don’t have any OUs created other than the default ones, with every user under Users and every computer under Computers. Of course there might be some exceptions, for example a domain used only to host your Exchange servers; however, most companies that pay high-priced consultants to come in and set up their Active Directory have structures a little more complex than a 25-employee small business.

Having a lot of OUs can be very useful in almost any big domain structure. Let’s say you have 50 different types of servers. Each of these server sets has its own hardening rules. You apply a “master” hardening GPO at the top of your OU structure that locks everything down, and then you unlock things for each application at the OU level. This way, your GPOs apply in the proper order by default, and delegation is pretty easy as each application has its own container.

At least, at the end of the article, he acknowledges this:

Right about now, you might be wondering what I really have against creating multiple OUs. There are a couple of reasons why I do not like using multiple OUs unless I have to. Maybe it’s just laziness on my part, but the first reason why I like to try to stick to using a single OU in an Active Directory design is because having multiple OUs tends to complicate LDAP queries.

Well, just do a subtree search then! Laziness, on my end, makes me want to have a structured design where Group Filtering is the exception rather than the rule.


Merging Group Policy Settings

When working a lot with Group Policy, one thing I would love to be able to do is merge user rights assignments. If you’re aware of how to do it, be sure to post a comment (workaround, 3rd party tool, etc.).

Let’s say you have 500 servers. All servers run some agent service that must always be set to automatic, and for which you have customized ACLs. (You grant helpdesk the right to restart the service for example).

Well, this is pretty easy to handle as every service can be handled in different GPOs, so you just create a GPO with your settings, and you link it appropriately.

Now, what if you want to grant the service account that this service uses on every computer the right to “Log On as a Service”? You could put that in the same GPO, but it would override any other policy that has “Log On as a Service” defined and is applied before this one. Wouldn’t it be nice to be able to specify in a GPO that the service account must have “Log on as a service” while keeping the currently specified rights?
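An added example (not the author's) of what that override looks like in the files themselves: a GPO stores user rights assignments in the [Privilege Rights] section of its GptTmpl.inf, and the last GPO to define a right replaces the whole list. The two INF fragments and the SIDs below are constructed; the script reports which principals the later GPO silently drops and the union line a single consolidated GPO would have to carry.

```powershell
# Constructed fragments of two GptTmpl.inf files (SIDs are examples; '*' prefix as secedit writes them).
# Baseline GPO, applied first: Network Service and all service SIDs may log on as a service.
$BaselineInf = @'
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0
SeInteractiveLogonRight = *S-1-5-32-544
'@
# Agent GPO, applied later: only the (constructed) agent account SID.
$AgentInf = @'
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111-2222-3333-1105
'@

function Get-PrivilegeRights {
    # Parse one INF text into a hashtable: right name -> array of principals.
    param([string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Compare-UserRights {
    # The effective value is whatever the last GPO defining the right wrote; nothing merges.
    # For each right both GPOs define: what applies, who got dropped, and the merged line.
    param([hashtable]$First, [hashtable]$Later)
    foreach ($right in $Later.Keys) {
        if (-not $First.ContainsKey($right)) { continue }
        $dropped = @($First[$right] | Where-Object { $Later[$right] -notcontains $_ })
        $union   = @($First[$right] + $Later[$right] | Select-Object -Unique)
        [pscustomobject]@{
            Right     = $right
            Effective = $Later[$right] -join ','
            Dropped   = $dropped -join ','
            MergedInf = "$right = " + ($union -join ',')
        }
    }
}

Compare-UserRights -First (Get-PrivilegeRights $BaselineInf) -Later (Get-PrivilegeRights $AgentInf) | Format-List
```

Pointing Get-PrivilegeRights at the real GptTmpl.inf files under SYSVOL (path in the beep post below) turns this into a pre-link check that shows exactly which accounts a new GPO would knock out of a right.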


Disable those annoying beeps in VMware and other VM products/Windows itself

VMware

When I use Windows virtual machines, sometimes the system beep gets annoying to my neighbors.

When I use Linux virtual machines, it goes through my laptop’s PC speaker, which gives me a heart attack and annoys my neighbor.

Find your VMware preferences file:

Windows: Application Data\VMware\preferences.ini

Linux: ~/vmware/preferences (you could possibly do it in the system wide config as well)

Add this line:

mks.noBeep = TRUE

All beeps should be gone.

Windows itself

If for some reason you use some other virtualization product that does not allow you to disable beeps, just create a Group Policy on your test domain (you could do it locally as well). Configure any non-critical service in the GPO to be DISABLED (I use the Print Spooler).

Once that is done, browse to the sysvol, find the GPO’s folder, and edit the security policy text file. Replace the name of the service you disabled with “beep”.

The reason we have to do that is that the Beep service doesn’t show up in the list in the GPO editor, but this effectively disables the Beep service that Windows uses, well, to beep! I deploy this on test domains where I “beep” often.


Force Regional Settings and Keyboard Settings with setlocale.exe

I wrote this a while ago for my wiki. I don’t use the wiki anymore as I don’t have nearly enough info and time to post good in depth technical articles. I find that the blog is a good place for shorter “tips” like this. Note that this was written before Group Policy Preference Extensions were distributed by MS, and that until everyone uses Preference extensions, this is still useful!

Force regional settings and keyboard language

From BinaryFactory

Contents

  • 1 Purpose of this article
  • 2 Why do this?
  • 3 Solution
  • 4 How to do it
    • 4.1 What is setlocale
    • 4.2 Extract setlocale.exe
      • 4.2.1 Make a script
      • 4.2.2 Apply the script

Purpose of this article

Centrally manage the keyboard language settings and/or the regional settings of your client computers or terminal servers/Citrix servers.

Why do this?

It seems Microsoft does not think that forcing a default regional setting or keyboard language policy is useful. However, many applications rely on the local date or number format, and using different settings on different client computers can cause a lot of problems. For keyboard settings, it might be very useful to force a default for a group of users who have locked-down access to a terminal server. You would think there is a way to do this with Group Policies, but as of Windows 2003 R2, there isn’t.

Solution

Use setlocale

How to do it

First, download this: setlocale

What is setlocale

Setlocale is a great command line application that does exactly what we need. I have uploaded it to this web site. However, I don’t know the license terms for it. The zip file I found contains a readme with no information about the author or the license. If you are the original author and want me to take it offline or link to your web site, please let me know. I tried to find the original author with no luck, but whoever you are: Thanks a lot.

Extract setlocale.exe

Extract setlocale.exe to a share that is readable by everyone. The location of your login scripts is usually a good spot.

Make a script

In the share where you usually put your login scripts, create a new one. Or, if you already have a script applied to the users concerned by this, edit it. Add the following line:

\\path\to\setlocale.exe 12345678 12345678

The first number represents the regional language you want to use, and the second one, the keyboard. For a complete list, refer to the readme in the zip file of setlocale.

Apply the script

Apply the script to the concerned users, group or O.U. Assigning login scripts is beyond the scope of this article.


Disable the annoying BEEPs in your Virtual (or Physical) machines!

Ever get sick of the beeping of your VMs?
Working quietly, logging on to a vm…

BEEEEEP! YOUR PASSWORD HAS EXPIRED SO I FELT LIKE WAKING UP EVERYONE IN THE OFFICE!

Well, if your test lab is in a domain, there is a good permanent fix for you.


Now, the next section is useful to know if you want to know where service configuration in a GPO is stored. If it’s not interesting for you, just go to the “Shortcut” section at the end.

Create a new group policy. Call it DISABLE_THE_BEEPS.

Edit it.

Under Computer configuration, in Windows settings\security settings, open System services.

The service we want to control is called Beep. What…it’s not in there?
God does not want me to live free from these annoying beeps? Will I have to open up my laptop case and rip the PC Speaker apart?

No no no... a simple GPO trick will do it!

Edit any service in the GPO (if your GPO is linked to an OU with computers, try not to pick a critical service, just in case). I usually take the Print Spooler.
Go into its properties, and set the startup mode to Disabled. Click OK.


In GPMC, go to the details page of the DISABLE_THE_BEEPS GPO. Note the Unique ID of the GPO.
Browse to \\yourdomain\SYSVOL\yourdomain\Policies\{unique id}\Machine\Microsoft\Windows NT\SecEdit .
Right click the GptTmpl.inf file and open it with notepad.

The last line should be "Spooler",4,""

Replace Spooler by Beep. Save the inf.

You can now review the GPO settings.

Now just make sure the GPO is getting applied to your VMs, and GONE ARE THE BEEPS!

Shortcut:

Create a GPO, browse to it in SYSVOL, open the security settings inf, and add this at the end of the file:
"Beep",4,""

Apply it on servers.


Video: Disabling the Beeps through GPO.


Windows Service permissions concerns when hardening servers

When hardening Windows servers through security templates or Group Policies, it is important to give the proper permissions to services. You might want to grant a helpdesk group the rights to stop, start and pause a service while not being able to change the parameters on the server, and most of all, without being a local admin of that server.

To do that, you create a new Group Policy, and under Computer configuration, you find the System Services section. Then you select your spooler service, you set its startup mode to automatic, and you specify the rights.

Now, the problem is that the default rights the GPMC console shows you are NOT aligned with the actual defaults of Windows!

Here you can see, on the left, what GPMC is proposing and, on the right, the default Windows 2003 settings (screenshots: “Default rights proposed by GPO editor for services” and “Windows 2003 default rights on Print Spooler”).

Now, it is probably a very good thing to remove Power Users. The print spooler might be perfectly fine with what GPMC wants you to use + your own customizations.

However, it is very important to make sure that any service that depends on this service is able to read it! For example, if only Administrators can read the service, and you have a fax server that depends on the Print Spooler, it will not be able to start unless the service account it uses is part of Administrators!

Just a thing to keep in mind when hardening a lot of services, or when troubleshooting service startup problems.
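As an added check (not from the post) to run on a representative server before pushing a hardened service ACL: it lists the services that depend on the one you are hardening and the account each runs under, next to the trustees currently allowed on the service, so you can confirm that each dependent’s account (or a group it belongs to) keeps read access in the DACL you are about to apply. The service name is a parameter; Spooler is the post’s example.

```powershell
# Added example, not from the post. Lists who depends on a service and which accounts
# must therefore keep read access, alongside the service's current DACL on this host.
function Get-ServiceHardeningContext {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'Spooler'
    # Current security descriptor as SDDL ('sc.exe', not the 'sc' alias for Set-Content).
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    # Every trustee that currently has an Allow ACE on the service object
    # (SDDL abbreviations such as SY, BA, IU, or full SIDs).
    $allowed = [regex]::Matches($sddl, '\(A;;[A-Z]*;;;([^)]+)\)') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
    # Services that depend on this one, with the account each runs under: these
    # accounts (or a group containing them) need to stay readable in the hardened DACL.
    $dependents = foreach ($d in (Get-Service -Name $Name).DependentServices) {
        $w = Get-WmiObject Win32_Service -Filter "Name='$($d.Name)'"
        [pscustomobject]@{ Service = $d.Name; Account = $w.StartName; StartMode = $w.StartMode }
    }
    [pscustomobject]@{
        Service        = $Name
        CurrentSddl    = $sddl
        AllowedTrustee = $allowed
        Dependents     = $dependents
    }
}

Get-ServiceHardeningContext -Name Spooler | Format-List
```

Compare AllowedTrustee with the ACL the GPO editor proposes: any dependent whose Account is covered only by a trustee you are about to remove (Power Users, for instance) is the fax-server case from the post.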
