Group Policy for Proxy Settings is not applied on some machines

I have configured a GPO which publishes the proxy settings and the exceptions through a PAC file.

I received many complaints that the internet is not working on some machines. The first thing I did was log in to one of the affected machines and check the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Check the following values:

AutoConfigURL: you should see the URL of the PAC file, for example http://10.1.1.15/proxy.pac

ProxyEnable: 0 on the affected machine; it should be 1

If the values are missing or wrong, the proxy GPO has not been applied on this machine. If the correct values are there, the policy is applied and the cause is something else, outside what I'm writing here; for example, try deleting the Connections folder under Internet Settings in the registry and then opening Internet Explorer. The folder is recreated, and this may solve the problem.

Anyway, back to our problem, which is that the policy is not received at all. After checking, I found that the cause is the IE version, which is 11: IE Maintenance is deprecated for IE 10/11, and the policies won't apply to those versions.
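The registry check above, written as an added PowerShell example (not code from the original post): it reads the two values the post names for the current user, reports the installed IE version, and flags the IE 10/11 case where IE Maintenance no longer applies. The PAC URL default is the one shown in the post; pass your own. Reading svcVersion for the real IE 10/11 version is my assumption about that key.

```powershell
# Added example, not from the original post: check whether the proxy GPO
# landed in the current user's registry and whether IE Maintenance can apply.
function Test-ProxyGpoApplied {
    param([string]$ExpectedPac = 'http://10.1.1.15/proxy.pac')   # value from the post

    $regPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $settings = Get-ItemProperty -Path $regPath

    # Assumption: on IE 10/11 "svcVersion" carries the real version while "Version" stays at 9.x
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        User                 = $env:USERNAME
        AutoConfigURL        = $settings.AutoConfigURL
        ProxyEnable          = $settings.ProxyEnable
        IEVersion            = $ieVersion
        # IE Maintenance settings are ignored from IE 10 onwards, as the post explains
        IEMaintenanceApplies = if ($ieVersion) { [version]$ieVersion -lt [version]'10.0' } else { $null }
        # The post's criterion: the PAC URL is present and ProxyEnable is 1
        GpoApplied           = ($settings.AutoConfigURL -eq $ExpectedPac -and $settings.ProxyEnable -eq 1)
    }
}

Test-ProxyGpoApplied | Format-List
```

Run it in the context of the user who complained, since the values live under HKEY_CURRENT_USER; a result with GpoApplied false and IEMaintenanceApplies false points at the IE Maintenance deprecation rather than at a GPO targeting problem.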

Check which GPOs are applied to a specific machine and export them to an HTML file

On the machine where you want to check which group policies are applied, run the following command:

C:\> gpresult /h gpresult.html

Then go to the C: drive and open the HTML file, which lists all GPOs applied to that machine.
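An added PowerShell example, not from the original post, that produces the same HTML report under a timestamped name and an XML copy of the same RSoP data, then lists the applied GPO names from it. The element names Rsop/ComputerResults/GPO/Name and Rsop/UserResults/GPO/Name are my reading of the gpresult /x output; verify them against your own file. The output folder name is a placeholder.

```powershell
# Added example, not from the original post: HTML report as in the post plus a
# machine-readable XML copy, parsed for the names of the applied GPOs.
function Get-AppliedGpoReport {
    param([string]$OutputFolder = 'C:\GPReports')   # placeholder folder

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $base  = Join-Path $OutputFolder "gpresult-$env:COMPUTERNAME-$stamp"

    gpresult /h "$base.html" /f | Out-Null   # the report from the post; /f overwrites an existing file
    gpresult /x "$base.xml"  /f | Out-Null   # same data as XML

    [xml]$rsop = Get-Content -Path "$base.xml"
    [pscustomobject]@{
        HtmlReport   = "$base.html"
        # Assumed schema: GPO elements under ComputerResults and UserResults carry a Name
        ComputerGpos = @($rsop.Rsop.ComputerResults.GPO | ForEach-Object { $_.Name })
        UserGpos     = @($rsop.Rsop.UserResults.GPO     | ForEach-Object { $_.Name })
    }
}

Get-AppliedGpoReport | Format-List
```

The HTML file stays the human-readable record; the name lists are what you compare across a working and a broken machine to spot a GPO that is missing from the user or computer scope.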

Find the Distinguished Name of an Active Directory user

Sometimes you need the distinguished name of a user in AD. This name is not shown in Active Directory Users and Computers. There are multiple ways to find it, listed in the link I'm sharing; the one I'll mention here uses the DSQUERY command:

dsquery user forestroot -samid "XYZ"

Resources:

http://wiki.zimbra.com/wiki/LDAP_Active_Directory
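An added PowerShell example, not from the original post, that does the same forest-wide lookup as the dsquery command without needing the RSAT module, using the DirectorySearcher behind [adsisearcher]. The value placed in the LDAP filter is escaped per RFC 4515 so a name containing ( ) * or \ cannot change the query; the Get-ADUser one-liner in the comment is the RSAT equivalent. "XYZ" is the sample account from the post.

```powershell
# Added example, not from the original post: resolve a user's distinguishedName
# from its sAMAccountName across the forest, with the filter value escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping for the characters that have meaning inside a filter
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-UserDistinguishedName {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $safe = ConvertTo-LdapFilterValue -Value $SamAccountName
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    # Search the global catalog of the forest root, like "dsquery user forestroot"
    $forestRoot = ([adsi]'LDAP://RootDSE').rootDomainNamingContext
    $searcher.SearchRoot = [adsi]"GC://$forestRoot"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No user with sAMAccountName '$SamAccountName' found in the forest." }
    [string]$result.Properties['distinguishedname'][0]
}

# With the ActiveDirectory module installed the same answer is:
#   Get-ADUser -Identity 'XYZ' | Select-Object -ExpandProperty DistinguishedName
Get-UserDistinguishedName -SamAccountName 'XYZ'
```

The escaping matters whenever the account name comes from user input or a file: an unescaped value such as `*` would match every user instead of one.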

Give a non-administrator user access to read the event logs on an Active Directory domain controller

I had a firewall appliance that needs to read AD logs using a normal AD user. To fulfil this requirement I found a very good article, which I want to summarize and share with you:

  • First we need to modify the Local Security Policy on the Domain Controller. This cannot be done by going directly to Local Security Policy under Administrative Tools; instead, go to Group Policy Management:

Note: you need administrative privileges (Domain Admin, or local Administrator on the server).

Go to Domain Controllers -> Default Domain Controllers Policy

Right click -> Edit

Under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Select and double click Manage auditing and security log

Select Add User or Group -> browse to add the user -> OK -> OK

  • The second step is to open the WMI manager:

  Go to Run on the Start menu -> type "wmimgmt.msc"

Right click WMI Control -> select Properties -> Security tab -> expand Root -> select the Security folder -> then Security at the bottom of the dialog

Press Add to add the user -> under permissions tick the Allow box for Execute Methods -> OK

Now this user has access to read only the AD Security event log.

If you have more than one Domain Controller, you have to apply the same settings on all of them.

You can test this by logging in with the same user name, opening Server Manager -> connect to a different computer (the DC) -> open the event logs; you will see you have access only to the Security log.

Resources:

http://www.manageengine.com/products/active-directory-audit/help/admin/domain-settings/authentication-for-collecting-audit-data.html#wmi
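The manual test at the end of the steps above, as an added PowerShell example (not from the original post): it reads one event from the Security log on every domain controller using the appliance's account and reports, per DC, which logs were readable, so a DC that was missed when repeating the settings shows up at once. The Application column is only a comparison; whether it is readable depends on that log's default ACL. Discovering the DCs needs the ActiveDirectory module, or pass the list explicitly.

```powershell
# Added example, not from the original post: confirm the appliance account can
# read the Security log on each DC after the user-right and WMI changes.
function Test-SecurityLogReadAccess {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string[]]$DomainController
    )
    if (-not $DomainController) {
        # Requires the ActiveDirectory module; otherwise pass -DomainController explicitly
        $DomainController = (Get-ADDomainController -Filter *).HostName
    }
    foreach ($dc in $DomainController) {
        $row = [ordered]@{ DomainController = $dc }
        foreach ($log in 'Security', 'Application') {
            try {
                # One event is enough to prove read access; nothing is retained
                $null = Get-WinEvent -ComputerName $dc -LogName $log -MaxEvents 1 -Credential $Credential -ErrorAction Stop
                $row[$log] = 'readable'
            } catch {
                $row[$log] = "denied ($($_.Exception.GetType().Name))"
            }
        }
        [pscustomobject]$row
    }
}

# Prompt for the low-privilege account the appliance will use, then test every DC
$cred = Get-Credential -Message 'Account the firewall appliance will use'
Test-SecurityLogReadAccess -Credential $cred | Format-Table -AutoSize
```

Run it from a member server rather than from a DC so the result reflects the remote path the appliance actually takes (RPC to the Event Log service), not a local logon.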

Search the domain for a list of users from a CSV file and move them to a specific OU

The requirement was to collect users distributed across the domain into a specific OU. The source data comes from a CSV file; we search the domain for each entry in the file and move the results to the target OU.

Open Windows PowerShell:

Import-Module ActiveDirectory
$users = Import-Csv C:\SBCU.csv
foreach ($user in $users) {
    Get-ADUser -Filter "SamAccountName -eq '$($user.name)'" | Move-ADObject -TargetPath "OU=HRusers,DC=Contoso,DC=Com"
}
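An added PowerShell example, not the post's own script, doing the same move with the handling a bulk change on production AD usually needs: each name from the CSV is resolved with -Identity (which looks up the sAMAccountName directly and avoids building a filter string from file contents), accounts that are not found or are already in the target OU are reported instead of skipped silently, and -WhatIf rehearses the run. The CSV path, its "name" column and the HRusers OU are taken from the post.

```powershell
# Added example, not from the original post: CSV-driven move with per-account
# reporting and -WhatIf support. Requires the ActiveDirectory module.
function Move-UsersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$CsvPath    = 'C:\SBCU.csv',                     # from the post
        [string]$TargetPath = 'OU=HRusers,DC=Contoso,DC=Com'     # from the post
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $null = Get-ADObject -Identity $TargetPath -ErrorAction Stop   # fail early if the OU does not exist

    foreach ($row in Import-Csv -Path $CsvPath) {
        $sam = "$($row.name)".Trim()
        if (-not $sam) { continue }                                # skip blank rows

        try {
            $user = Get-ADUser -Identity $sam -ErrorAction Stop     # sAMAccountName lookup, no filter string
        } catch {
            Write-Warning "Not found in the domain: '$sam'"
            continue
        }

        # Parent container = everything after the first RDN (assumes no escaped comma in the CN)
        $currentOu = ($user.DistinguishedName -split ',', 2)[1]
        if ($currentOu -eq $TargetPath) {
            Write-Verbose "Already in target OU: $sam"
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $TargetPath")) {
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetPath
            [pscustomobject]@{ SamAccountName = $sam; From = $currentOu; To = $TargetPath }
        }
    }
}

Move-UsersFromCsv -WhatIf -Verbose    # rehearse first; drop -WhatIf to perform the moves
```

The returned objects are the change record; pipe them to Export-Csv so the moves can be reversed if the source list turns out to be wrong.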

Inactive Accounts in AD

There are many ways to find inactive accounts in Active Directory (i.e. computer or user accounts that have not logged on to the domain for an extended period of time).

There are many ways to accomplish the task. The TechNet Script Center has a fair number of scripts that deal with the problem:

http://gallery.technet.microsoft.com/scriptcenter/site/search?query=inactive%20accounts&f%5B1%5D.Value=inactive%20accounts&f%5B1%5D.Type=SearchText&f%5B0%5D.Value=activedirectory&f%5B0%5D.Type=RootCategory&ac=4

However, in this post I'd like to shed some light on a different method, using the GUI instead of the command line.

You can use the Active Directory Administrative Center (available in Windows Server 2008 R2 and above) to list inactive accounts.

From Global Search, select Add criteria, then "Users with enabled accounts who have not logged on for more than this number of days". You can modify the number of days by clicking on the number. For example, you can use the filter below to find users who have not logged on for 90 days (3 months).

                         

                        clip_image001

                         

You can see the equivalent LDAP query for the filter using the "Convert to LDAP" radio button. Here you can also edit the LDAP query as you see fit. Note that the query makes use of the lastLogonTimestamp attribute to find inactive accounts.

For a very good explanation of how lastLogonTimestamp works, you can check the following article:

"The LastLogonTimeStamp Attribute" – "What it was designed for and how it works"

                         

                        clip_image001[9]

                         

You can also edit the LDAP query to include both user and computer accounts by changing the objectClass in the LDAP query as follows:

[screenshot: the edited LDAP query covering users and computers]

Afterwards, you can easily select the search results and move them all to a separate OU, to delete them later.
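The lastLogonTimestamp query the ADAC filter produces, rebuilt by hand as an added PowerShell example (not from the original post) so it can be run from the command line and widened from users to computers, as the post describes. The filter shape is my reconstruction, not a copy of ADAC's output; the 90-day default matches the post's example. Requires the ActiveDirectory module.

```powershell
# Added example, not from the original post: find enabled user and/or computer
# accounts whose lastLogonTimestamp is older than the cutoff.
function Get-InactiveAccounts {
    param(
        [int]$Days = 90,
        [ValidateSet('user', 'computer', 'both')][string]$Kind = 'user'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()

    # Enabled accounts only: bit 2 (ACCOUNTDISABLE) of userAccountControl must be clear.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $enabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

    # Computers also carry objectClass=user, so the user branch pins objectCategory=person
    $class = switch ($Kind) {
        'user'     { '(&(objectCategory=person)(objectClass=user))' }
        'computer' { '(objectClass=computer)' }
        'both'     { '(|(&(objectCategory=person)(objectClass=user))(objectClass=computer))' }
    }
    $filter = "(&$class$enabled(lastLogonTimestamp<=$cutoff))"

    Get-ADObject -LDAPFilter $filter -Properties lastLogonTimestamp, sAMAccountName |
        Select-Object Name, ObjectClass, DistinguishedName,
            @{ n = 'LastLogon'; e = { [datetime]::FromFileTimeUtc($_.lastLogonTimestamp) } }
}

Get-InactiveAccounts -Days 90 -Kind both | Format-Table -AutoSize
```

Two caveats before moving anything: lastLogonTimestamp is only refreshed when the stored value is older than the replication interval (14 days by default), so treat the dates as accurate to about two weeks, as the linked article explains; and accounts that have never logged on have no lastLogonTimestamp at all, so the `<=` comparison does not return them. Add `(!(lastLogonTimestamp=*))` in an OR branch if you also want those, and check whenCreated so newly created accounts are not swept up.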

Find AD users with most of their attributes and save the result to a CSV file