Group Policy and WMI Filters–Round 2

This is more of a link dump than anything else.  I was asked what I thought of a WMI-related Group Policy change.

I don’t much care for them.

So I know that WMI Filter queries are a bad idea, but didn’t know how to measure that badness until I saw this blog post (WMI filter queries and thoughts on performance) by Martin Binder.

You can enclose your WMI Filter in a PowerShell “Measure-Command” command, and measure it that way.

Measure-Command { for ( $i=1; $i -le 1000; $i++ ) { Get-WmiObject -Query "SELECT Model FROM Win32_ComputerSystem WHERE Model LIKE 'Compaq Presario A%BB%'" } } | Select-Object TotalMilliseconds | Format-List

Output:
TotalMilliseconds : 23308.6037

As the command is looping 1000 times, you’d divide by 1000 and get the answer 23 milliseconds.
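The same measurement, wrapped in a function so several candidate WMI filter queries can be compared side by side on one machine. This is an added example, not code from the original post; the function name and the sample queries are assumptions, so substitute the exact query text from your own WMI filters.

```powershell
# Added example (not from the original post): time several WMI filter queries
# the way the post times one, and report the per-query cost in milliseconds.
# The queries below are assumed, typical WMI filter candidates; replace them
# with the exact query text from your own WMI filters.
function Measure-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string[]] $Query,
        [int] $Iterations = 100
    )
    foreach ($q in $Query) {
        # Warm-up call so provider/namespace loading is not counted in the average.
        $null = Get-WmiObject -Query $q -ErrorAction SilentlyContinue

        $elapsed = Measure-Command {
            for ($i = 1; $i -le $Iterations; $i++) {
                $null = Get-WmiObject -Query $q -ErrorAction Stop
            }
        }

        [pscustomobject]@{
            Query      = $q
            Iterations = $Iterations
            AvgMs      = [math]::Round($elapsed.TotalMilliseconds / $Iterations, 2)
            TotalMs    = [math]::Round($elapsed.TotalMilliseconds, 1)
        }
    }
}

# Constructed sample set: a plain property select next to the post's LIKE match
# on Win32_ComputerSystem, and the Win32_OperatingSystem version check that
# "apply only to Windows 10" style filters commonly use.
$sampleQueries = @(
    "SELECT Model FROM Win32_ComputerSystem",
    "SELECT Model FROM Win32_ComputerSystem WHERE Model LIKE 'Compaq Presario A%BB%'",
    "SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE '10.%'"
)

Measure-WmiFilterQuery -Query $sampleQueries -Iterations 100 |
    Sort-Object AvgMs -Descending |
    Format-Table -AutoSize
```

AvgMs is the figure to compare against the post's 23 milliseconds; every WMI filter linked to a GPO adds its own cost to each policy refresh, so the slow ones are the candidates for replacement with a security group filter or a WMI query on an indexed property.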

References:
Group Policy and WMI filtering slowness
Optimizing Group Policy WMI Filters
Introduction to WMI Basics with PowerShell Part 1 (What it is and exploring it with a GUI)

Assorted Active Directory things

Powershell
Getting a list of users in your AD domain via Powershell
Getting a list of printers published in an Active Directory domain
Detecting inactive computers in your domain:
Get-ADComputer -Filter * -Properties Name, LastLogonDate

Vbscript
Getting a list of users in an AD Group using Vbscript.

Quest Active Server Roles PowerShell (obsolete)
… was purchased by Dell, who have turned it into a commercial product.
Detecting inactive computers in your AD domain
Getting a list of users in an Active Directory group
Getting a list of users in your AD domain

So what does the Group Policy Preferences Drive Mapping log file contain?

Once you enable the logging via Group Policy, you’ll end up with a log file which contains:

  • Environment variable dump
  • Group Policy settings
  • Drive mapping lists (but not the actual path)

If you are like me, and misspell a file path, you’ll see an error like this:

2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Passed filter [FilterGroup].
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Filters passed.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Set user security context.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Adding child elements to RSOP.
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Properties handled. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Set system security context.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] EVENT : The user 'G:' preference item in the 'Map-Network-Drives {E089D01A-C249-48F5-8049-9C8FC96AA38F}' Group Policy object did not apply because it failed with error code '0x80070035 The network path was not found.'%100790273
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Error suppressed. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Completed class <Drive> - G:.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] {67803C61-824B-4ABA-ABFF-65E8687B0E59}

Three things to note:

  1. Windows Explorer will accept a trailing “\” in a network path, Group Policy Preferences won’t.
    i.e.  \\NODDYLAND\HOMEDRIVE\BE01\ vs \\NODDYLAND\HOMEDRIVE\BE01
  2. GPP will wait 3+ seconds before timing out with an error.
    Multiple wrong/missing paths will slow down your user’s logon experience.
  3. The error will also write into the Event Log.
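A small parser for the trace log shown above, so the failed mappings and the time each one spent waiting can be pulled out of a long log instead of read by eye. This is an added example, not part of the original post; the function and its output field names are assumptions, and the sample input is the log excerpt from the post.

```powershell
# Added example (not from the original post): extract failed drive-mapping
# events, the GPO they came from, the HRESULT, and how long the item waited
# between "Adding child elements to RSOP" and the failure.
function Get-GppDriveMapFailure {
    param([Parameter(Mandatory)] [string[]] $LogLine)

    $pattern = '^(?<ts>\S+ \S+) \[pid=(?<pid>0x[0-9a-f]+),tid=(?<tid>0x[0-9a-f]+)\] (?<msg>.*)$'
    $culture = [cultureinfo]::InvariantCulture
    $rsopStart = $null

    foreach ($line in $LogLine) {
        if (-not ($line -match $pattern)) { continue }
        $ts  = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.fff', $culture)
        $msg = $Matches.msg

        # Last step logged before the network path is actually touched.
        if ($msg -like 'Adding child elements to RSOP*') { $rsopStart = $ts }

        # The EVENT line carries the item, the GPO name/GUID and the error code.
        if ($msg -match "^EVENT : The user '(?<item>[^']+)' preference item in the '(?<gpo>[^']+)' .*error code '(?<hr>0x[0-9A-Fa-f]+) (?<text>[^']+)'") {
            [pscustomobject]@{
                Time    = $ts
                Item    = $Matches.item
                Gpo     = $Matches.gpo
                HResult = $Matches.hr
                Message = $Matches.text
                WaitSec = if ($rsopStart) { [math]::Round(($ts - $rsopStart).TotalSeconds, 1) } else { $null }
            }
            $rsopStart = $null
        }
    }
}

# Sample input: the lines from the post's log excerpt.
$sampleLog = @'
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Adding child elements to RSOP.
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Properties handled. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] EVENT : The user 'G:' preference item in the 'Map-Network-Drives {E089D01A-C249-48F5-8049-9C8FC96AA38F}' Group Policy object did not apply because it failed with error code '0x80070035 The network path was not found.'%100790273
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Completed class <Drive> - G:.
'@ -split "`r?`n"

Get-GppDriveMapFailure -LogLine $sampleLog | Format-Table -AutoSize
```

Feed it `Get-Content` of the real trace file; WaitSec is the logon delay each bad path costs the user, and a non-zero count of rows is what to alert on after a drive-mapping GPO change.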

AppLocker and applications which install in the user’s profile directory.

Google Chrome can be installed without administrator privileges (shout out to: Google Chrome, Mozilla Firefox and Microsoft’s SharePoint Designer)

Gee thanks guys.

We implemented AppLocker to improve our IT security, and you chaps decided to be clever.  The typical call to the Help Desk was
“My Google Chrome doesn’t work anymore.”

Well no, we block applications which are installed into the user’s profile directory, which is what Google Chrome, Firefox and SharePoint Designer do.

The fix was to install Google Chrome with an Admin account.

AppLocker, ActiveSetup, Group Policy; all the dumb things

Welcome, strangers, to the show
I’m the one who should be lying low
Saw the knives out, turned my back
Heard the train coming, stayed out on the track
In the middle, in the middle, in the middle of a dream
I lost my shirt, I pawned my rings
I’ve done all the dumb things

– Paul Kelly, Dumb Things

Microsoft AppLocker is a wonderful technology which allows your IT Department to prevent malicious programs from being run on your work computer.  Great in theory, and my experience is that it works with some wrinkles.  It broadly works by using Group Policy to configure what is a “Trusted” location.

Applocker and Active Setup
Active Setup allows you to execute commands once per user, early, during login.   For example, you might want to do this to configure iTunes for each user who logs onto the computer.

Each Active Setup command has a file path to the commands that you need to run.  If you don’t trust this file path in Applocker, your Active Setup fails.

If you are using System Center Configuration Manager (SCCM), then it’s likely that you’ll see this failure.

Suggestion:
If you are going to add a “Path” rule to fix this issue, you need to add two.  One for EXEs and another one for MSIs.

Removing AppLocker via Group Policy
So for whatever reason, you have a class of “special” computers which AppLocker is not to apply to.  So you remove the AppLocker Group Policy from the “special” computer.  And it still seems to have AppLocker blocking programs.

What gives?
Well what seems to be happening is this:

  1. The AppLocker Application Identity service (AppIDSvc) is set to Manual.
  2. The AppLocker registry settings are being left behind.
  3. AppLocker causes applications to be blocked.

The fix?

  1. Start the Application Identity service (AppIDSvc)
  2. Logon to the computer.
  3. Restart the computer.

This causes AppLocker to finish removing the registry settings.
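A quick check for the state described above, run on one of the “special” computers before and after the fix. This is an added example, not from the original post; the function name is an assumption, and it reads the AppLocker policy registry location (HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2, where Group Policy writes the rule collections) alongside the Application Identity service and the effective policy.

```powershell
# Added example (not from the original post): report whether a machine that
# should no longer receive AppLocker policy still carries leftover rules.
function Test-AppLockerResidue {
    $svc       = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $startType = (Get-CimInstance Win32_Service -Filter "Name='AppIDSvc'").StartMode

    # Group Policy writes AppLocker rules under SrpV2, one subkey per rule
    # collection (Exe, Msi, Script, Dll, Appx) and one subkey per rule.
    $srpv2 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $leftoverRules = @()
    if (Test-Path $srpv2) {
        foreach ($collection in Get-ChildItem $srpv2) {
            $count = (Get-ChildItem $collection.PSPath | Measure-Object).Count
            if ($count -gt 0) { $leftoverRules += "$($collection.PSChildName)=$count" }
        }
    }

    # Count the rules in the policy that is actually in force right now.
    $effectiveXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    $effectiveRuleCount = 0
    if ($effectiveXml) {
        $effectiveRuleCount = [regex]::Matches($effectiveXml, '<File(Path|Hash|Publisher)Rule ').Count
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AppIDSvcStatus     = if ($svc) { $svc.Status } else { 'NotInstalled' }
        AppIDSvcStartType  = $startType
        RegistryRules      = if ($leftoverRules) { $leftoverRules -join ', ' } else { 'none' }
        EffectiveRuleCount = $effectiveRuleCount
        # GPO unlinked but rules still present in SrpV2 is the state the post describes.
        Residue            = [bool]$leftoverRules
    }
}

Test-AppLockerResidue | Format-List
```

Residue = True with a Manual, stopped AppIDSvc matches the symptom in the post; after the start-service/logon/restart sequence RegistryRules should read none.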

Saturday Link Roundup–Group Policy, Kerberos, BranchCache

Group Policy

Kerberos

BranchCache

Consolidated list of AGPM resources

The bulk of these links are from the Microsoft Canberra Premier Field Engineering Team Blog November 2015 post.

Setup

Advanced Use, Auditing and Troubleshooting

Powershell and Scripting

Other Reading

Blogs

“Index was outside the bounds of the array” error with AGPM

AGPM Out of bounds error… when trying to edit a Group Policy Preference which uses Item Level Targeting.

Using AGPM.

The underlying cause is that only AGPM 4.0 SP3 and later clients support Windows 10.  So if you are using an older AGPM client, you need to upgrade in order to safely edit Windows 10 Group Policies.

But to upgrade your AGPM client, you may need to upgrade your AGPM Server; both the AGPM install on the server and the Server Operating System.

The Microsoft advice is ambiguous.

Getting a list of users in your AD domain via Powershell

Get-ADUser -Filter * -Properties HomeDirectory,LastLogonDate | Select-Object Name, LastLogonDate, HomeDirectory

will cause the following to display

Name       LastLogonDate          HomeDirectory
----       ---------------------  ---------------

CollinsP   11/12/2015 6:04:12 AM  \\wisefaq.com\HomeDrive\CollinsP
SprouleK   19/12/2015 2:08:12 PM  \\wisefaq.com\HomeDrive\SprouleK
ReithP     23/12/2015 8:45:54 PM  \\wisefaq.com\HomeDrive\ReithP

How to output to a file?
Get-ADUser -Filter * -Properties HomeDirectory,LastLogonDate | Select-Object Name, LastLogonDate, HomeDirectory | Export-CSV 'c:\temp\AllDomainUserNames.CSV'

Does this article seem familiar?  That will be because I wrote how to do this with the Quest Active Server Roles Powershell Module, back in 2010.

The Microsoft page on Get-ADUser is here.
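The Get-ADUser listing above and the Get-ADComputer one-liner in the “Assorted Active Directory things” list both stop at showing LastLogonDate; this added example (not code from the original posts) turns them into one stale-account report. The function name, the 90-day default and the CSV path are assumptions.

```powershell
# Added example (not from the original posts): enabled users and computers
# whose LastLogonDate is older than a cutoff, exported the same way as above.
# LastLogonDate is derived from lastLogonTimestamp, which is only updated
# (and replicated) about every 14 days, so the cutoff is padded by that lag.
function Get-StaleADAccount {
    param(
        [int] $Days = 90,
        [string] $CsvPath
    )
    # Pad the cutoff so an account that logged on just before a replication
    # cycle is not reported as stale.
    $cutoff = (Get-Date).AddDays(-($Days + 14))

    # The AD module filter parser substitutes $cutoff itself; accounts that have
    # never logged on have no LastLogonDate and are not matched by -lt.
    $computers = Get-ADComputer -Filter 'Enabled -eq $true -and LastLogonDate -lt $cutoff' -Properties LastLogonDate |
        Select-Object @{n='Type';e={'Computer'}}, Name, LastLogonDate, @{n='HomeDirectory';e={$null}}

    $users = Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $cutoff' -Properties LastLogonDate, HomeDirectory |
        Select-Object @{n='Type';e={'User'}}, Name, LastLogonDate, HomeDirectory

    $report = @($computers) + @($users) | Sort-Object LastLogonDate

    if ($CsvPath) {
        $report | Export-Csv -Path $CsvPath -NoTypeInformation
    }
    $report
}

# Accounts idle for 90 days (plus replication lag), also written to CSV.
Get-StaleADAccount -Days 90 -CsvPath 'c:\temp\StaleAccounts.csv' | Format-Table -AutoSize
```

Stale, still-enabled accounts are the usual candidates for disabling; the report is the list to review before doing so.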

So where, oh where is “AGPM.ADM”?

Despite several Microsoft Advanced Group Policy Management pages saying

You can centrally configure optional logging and tracing for Advanced Group Policy Management (AGPM) using Administrative templates.

they don’t tell you where to find the Group Policy AGPM.ADM or AGPM.ADMX files.

After much searching, and time wasted, I can tell you that if you install the AGPM client, you will have a copy of AGPM.ADMX dropped into your local %windir%\PolicyDefinitions directory.

References:
Configure Logging and Tracing
Ask the Directory Services Team – AGPM Production GPOs (under the hood)
Active Directory Infrastructure Self-Study Training Kit: Stanek & Associates Training Solutions