Assorted Active Directory things

Powershell
Getting a list of users in your AD domain via Powershell
Getting a list of printers published in an Active Directory domain
Detecting inactive computers in your domain:
Get-ADComputer -Filter * -Properties Name, LastLogonDate

Vbscript
Getting a list of users in an AD Group using Vbscript.

Quest Active Server Roles PowerShell (obsolete)
… was purchased by Dell, who have turned it into a commercial product.
Detecting inactive computers in your AD domain
Getting a list of users in an Active Directory group
Getting a list of users in your AD domain

So what does the Group Policy Preferences Drive Mapping log file contain?

Once you enable the logging via Group Policy, you’ll end up with a log file which contains:

  • Environment variable dump
  • Group Policy settings
  • Drive mapping lists (but not the actual path)

If you are like me, and misspell a file path, you’ll see an error like this:

2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Passed filter [FilterGroup].
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Filters passed.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Set user security context.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Adding child elements to RSOP.
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Properties handled. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Set system security context.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] EVENT : The user 'G:' preference item in the 'Map-Network-Drives {E089D01A-C249-48F5-8049-9C8FC96AA38F}' Group Policy object did not apply because it failed with error code '0x80070035 The network path was not found.'%100790273
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Error suppressed. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Completed class <Drive> - G:.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] {67803C61-824B-4ABA-ABFF-65E8687B0E59}

Three things to note:

  1. Windows Explorer will accept a trailing “\” in a network path, Group Policy Preferences won’t.
    i.e.  \\NODDYLAND\HOMEDRIVE\BE01\ vs \\NODDYLAND\HOMEDRIVE\BE01
  2. GPP will wait 3+ seconds before timing out with an error.
    Multiple wrong/missing paths will slow down your user’s logon experience.
  3. The error will also write into the Event Log.
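
Scanning a trace like the one above for failed preference items, as an added example that is not part of the original post: the function name Get-GppTraceFailure and its output fields are hypothetical, and the sample lines are taken from the excerpt above. For each failed item it reports the GPO, the HRESULT and the gap that preceded the failing "Properties handled" line on the same thread.

```powershell
# Sample lines taken from the trace excerpt above.
$sampleLog = @'
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Adding child elements to RSOP.
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Properties handled. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] EVENT : The user 'G:' preference item in the 'Map-Network-Drives {E089D01A-C249-48F5-8049-9C8FC96AA38F}' Group Policy object did not apply because it failed with error code '0x80070035 The network path was not found.'%100790273
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Completed class <Drive> - G:.
'@ -split "`r?`n"

function Get-GppTraceFailure {
    param([string[]]$Line)

    $linePattern  = '^(?<ts>[\d-]{10} [\d:.]{12}) \[pid=(?<p>0x[0-9a-f]+),tid=(?<t>0x[0-9a-f]+)\] (?<msg>.*)$'
    $eventPattern = "^EVENT : The (?<scope>\w+) '(?<item>[^']+)' preference item in the '(?<gpo>.+?) (?<guid>\{[0-9A-F-]+\})' Group Policy object did not apply because it failed with error code '(?<hr>0x[0-9A-F]+) (?<text>[^']+)'"
    $lastSeen = @{}   # thread -> timestamp of the previous line on that thread
    $stall    = @{}   # thread -> seconds spent before the failing "Properties handled" line

    foreach ($l in $Line) {
        if ($l -notmatch $linePattern) { continue }   # skip blank or non-trace lines
        $thread = "$($Matches.p)/$($Matches.t)"
        $msg    = $Matches.msg
        $ts     = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)

        # A failing HRESULT has the high bit set (0x8....... to 0xF.......).
        if ($msg -match '^Properties handled\. \[ hr = 0x[89a-f]' -and $lastSeen.ContainsKey($thread)) {
            $stall[$thread] = ($ts - $lastSeen[$thread]).TotalSeconds
        }
        $lastSeen[$thread] = $ts

        if ($msg -match $eventPattern) {
            [pscustomobject]@{
                Time         = $ts
                Scope        = $Matches.scope
                Item         = $Matches.item
                Gpo          = $Matches.gpo
                GpoGuid      = $Matches.guid
                HResult      = $Matches.hr
                Error        = $Matches.text
                StallSeconds = $stall[$thread]
            }
            $stall.Remove($thread)   # do not carry the gap over to the next item
        }
    }
}

Get-GppTraceFailure -Line $sampleLog | Format-List
```

For a real trace, pass the output of Get-Content on the log file you configured in the policy; sorting the results by StallSeconds shows which mappings cost the most logon time.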

AppLocker and applications which install in the user’s profile directory.

(shout out to: Google Chrome, Mozilla Firefox and Microsoft’s SharePoint Designer)

Gee thanks guys.

We implemented AppLocker to improve our IT security, and you chaps decided to be clever.  The typical call to the Help Desk was
“My Google Chrome doesn’t work anymore.”

Well no, we block applications which are installed into the user’s profile directory.  Which is what Google Chrome/Firefox/SharePoint Designer do.

The fix was to install Google Chrome with an Admin account.

AppLocker, ActiveSetup, Group Policy; all the dumb things

Welcome, strangers, to the show
I’m the one who should be lying low
Saw the knives out, turned my back
Heard the train coming, stayed out on the track
In the middle, in the middle, in the middle of a dream
I lost my shirt, I pawned my rings
I’ve done all the dumb things

– Paul Kelly, Dumb Things

Microsoft AppLocker is a wonderful technology which allows your IT Department to prevent malicious programs from being run on your work computer.  Great in theory, and my experience is that it works with some wrinkles.  It broadly works by using Group Policy to configure what is a “Trusted” location.

AppLocker and Active Setup
Active Setup allows you to execute commands once per user, early, during login.  For example, you might want to do this to configure iTunes for each user who logs onto the computer.

Each Active Setup command has a file path to the commands that you need to run.  If you don’t trust this file path in AppLocker, your Active Setup fails.

If you are using System Center Configuration Manager (SCCM), then it’s likely that you’ll see this failure.

Suggestion:
If you are going to add a “Path” rule to fix this issue, you need to add two.  One for EXEs and another one for MSIs.

Removing AppLocker via Group Policy
So for whatever reason, you have a class of “special” computers which AppLocker is not to apply to.  So you remove the AppLocker Group Policy from the “special” computer.  And it still seems to have AppLocker blocking programs.

What gives?
Well what seems to be happening is this:

  1. The AppLocker Application Identity service (AppIDSvc) is set to Manual.
  2. The AppLocker registry settings are being left behind.
  3. AppLocker causes applications to be blocked.

The fix?

  1. Start the Application Identity service (AppIDSvc)
  2. Log on to the computer.
  3. Restart the computer.

This causes AppLocker to finish removing the registry settings.

Saturday Link Roundup–Group Policy, Kerberos, BranchCache

Group Policy

Kerberos

BranchCache

Consolidated list of AGPM resources

The bulk of these links are from the Microsoft Canberra Premier Field Engineering Team Blog November 2015 post.

Setup

Advanced Use, Auditing and Troubleshooting

Powershell and Scripting

Other Reading

Blogs

“Index was outside the bounds of the array” error with AGPM

… when trying to edit a Group Policy Preference which uses Item Level Targeting.

Using AGPM.

The underlying cause is that only AGPM 4.0 SP3 and later clients support Windows 10.  So if you are using an older AGPM client, you need to upgrade in order to safely edit Windows 10 Group Policies.

But to upgrade your AGPM client, you may need to upgrade your AGPM Server; both the AGPM install on the server and the Server Operating System.

The Microsoft advice is ambiguous.

Getting a list of users in your AD domain via Powershell

Get-ADUser -Filter * -Properties HomeDirectory,LastLogonDate | Select-Object Name, LastLogonDate, HomeDirectory

will cause the following to display

Name       LastLogonDate          HomeDirectory
----       ---------------------  ---------------

CollinsP   11/12/2015 6:04:12 AM  \\wisefaq.com\HomeDrive\CollinsP
SprouleK   19/12/2015 2:08:12 PM  \\wisefaq.com\HomeDrive\SprouleK
ReithP     23/12/2015 8:45:54 PM  \\wisefaq.com\HomeDrive\ReithP

How to output to a file?
Get-ADUser -Filter * -Properties HomeDirectory,LastLogonDate | Select-Object Name, LastLogonDate, HomeDirectory | Export-CSV 'c:\temp\AllDomainUserNames.CSV'

This article seem familiar?  That will be because I wrote how to do this with Quest Active Server Roles Powershell Module, back in 2010.

The Microsoft page on Get-ADUser is here.

So where, oh where is “AGPM.ADM”?

Despite several Microsoft Advanced Group Policy Management pages saying

You can centrally configure optional logging and tracing for Advanced Group Policy Management (AGPM) using Administrative templates.

they don’t tell you where to find the Group Policy AGPM.ADM or AGPM.ADMX files.

After much searching, and time wasted; I can tell you that if you install the AGPM client, you will have a copy of AGPM.ADMX dropped into your local %windir%\PolicyDefinitions directory.

References:
Configure Logging and Tracing
Ask the Directory Services Team – AGPM Production GPOs (under the hood)
Active Directory Infrastructure Self-Study Training Kit: Stanek & Associates Training Solutions

Network drives were dropping out

Network drives were dropping out.  We were also seeing 15+ minutes slow logon times at some remote sites.

We’d mostly see the slow logon times with Windows 7.  We’d see the “network drives dropping out” issue with Windows 8.

Looking at the OfflineFiles event log we saw several 1004 events logged.  Looking at the details of the event, we’d see details like:
Path \\Noddyland\CorpData$ transitioned to slow link with latency = 140 and bandwidth = 202123

Why was it happening?  The following table might help:

Operating system  Slow bandwidth limit   Slow latency threshold
----------------  ---------------------  ----------------------
Windows XP        64Kbps                 n/a
Windows Vista     <nil> (opt-in policy)  n/a
Windows 7         64Kbps                 80ms
Windows 8         64Kbps                 35ms

From the event above “transitioned to slow link with latency = 140 and bandwidth = 202123”, you can see we had plenty of bandwidth, but our network latency was too high at 140ms.  Which triggered the network share (\\Noddyland\CorpData$) to go Offline.

We fixed the issue by setting Latency=200 for \\Noddyland\CorpData$, in Group Policy Computer Configuration\Administrative Templates\Network\Offline Files\Configure slow-link mode.
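
Checking a 1004 event message against the defaults in the table above, as an added example that is not part of the original post: the function name Test-SlowLinkEvent and its parameters are hypothetical, and it assumes the event reports bandwidth in bits per second and that 64Kbps means 64000 bits per second. It shows which threshold put the share into slow-link mode and whether a proposed latency value would avoid it.

```powershell
# Defaults from the table above (Windows 7 and Windows 8 rows only).
# Assumption: 64Kbps = 64000 bits per second, the same unit as the event's bandwidth field.
$slowLinkDefaults = @{
    'Windows 7' = @{ LatencyMs = 80; BandwidthBps = 64000 }
    'Windows 8' = @{ LatencyMs = 35; BandwidthBps = 64000 }
}

function Test-SlowLinkEvent {
    param(
        [Parameter(Mandatory)][string]$Message,
        [Parameter(Mandatory)][ValidateSet('Windows 7', 'Windows 8')][string]$OperatingSystem,
        [int]$ProposedLatencyMs = 0   # Latency value you plan to set in "Configure slow-link mode"
    )
    $pattern = '^Path (?<share>.+?) transitioned to slow link with latency = (?<lat>\d+) and bandwidth = (?<bw>\d+)'
    if ($Message -notmatch $pattern) { return }   # not a slow-link transition message

    $limit   = $slowLinkDefaults[$OperatingSystem]
    $share   = $Matches.share
    $latency = [int]$Matches.lat
    $bps     = [long]$Matches.bw

    # Either condition on its own is enough to move the share to slow-link mode.
    $reasons = @()
    if ($latency -gt $limit.LatencyMs)  { $reasons += "latency $latency ms > $($limit.LatencyMs) ms" }
    if ($bps -lt $limit.BandwidthBps)   { $reasons += "bandwidth $bps bps < $($limit.BandwidthBps) bps" }

    [pscustomobject]@{
        OperatingSystem    = $OperatingSystem
        Share              = $share
        LatencyMs          = $latency
        BandwidthBps       = $bps
        TrippedBy          = $reasons -join '; '
        SlowAtProposedFix  = if ($ProposedLatencyMs -gt 0) { $latency -gt $ProposedLatencyMs } else { $null }
    }
}

# Event text quoted in the post above.
$sample = 'Path \\Noddyland\CorpData$ transitioned to slow link with latency = 140 and bandwidth = 202123'

'Windows 7', 'Windows 8' | ForEach-Object {
    Test-SlowLinkEvent -Message $sample -OperatingSystem $_ -ProposedLatencyMs 200
} | Format-Table -AutoSize
```

Feed it the message text of each 1004 event collected from a site to confirm a proposed latency value before rolling the policy out.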

References:
“Configure slow-link mode” policy on Vista for Offline Files
Configuring New Offline Files Features for Windows 7 Computers Step-by-Step Guide
Slow-Link with Windows 7 and DFS Namespaces
The “Configure slow-link mode” Policy is not taking effect