Last week I published an article about the changes in the behavior of Group Policy processing after the deployment of security update MS16-072 under KB3163622. It included a script to assist with the remediation of Group Policy permissions: Script to report on and remediate the Group Policy security change in MS16-072.

Of course that’s not where it ends. What about new Group Policies? Do you create a procedure that requires you to add “Domain Computers” with Read permission every time you create a new Group Policy Object (GPO)? No…of course not!

What we need to do now is change the defaultSecurityDescriptor attribute on the Group-Policy-Container schema class object so that new GPOs are created with Domain Computers having Read permissions by default. Microsoft didn’t release an official script or method to do this, so here’s the next best thing.


Script to report on and remediate the Group Policy security change in MS16-072

June 22, 2016

On June 14th 2016 Microsoft released security update MS16-072 under KB3163622 that changes the behavior of Group Policy processing so that user group policies are now retrieved by using the machine’s security context instead of the user’s security context. This is a by-design behavior change from Microsoft to protect computers from a security vulnerability. Update 23/06/2016: Microsoft […]


Netlogon parser for Message Analyzer

January 25, 2015

The Microsoft Message Analyzer is a very cool tool which helps us read and analyse a number of different log and trace file formats. In fact Message Analyzer is the replacement for the old Network Monitor (AKA Netmon) tool. Brandon Wilson from Microsoft wrote a parser for the NetLogon.log files. Here are the references to Brandon’s TechNet blogs: […]


Script to Import and Bind a Certificate to the Default Web Site

January 4, 2015

This PowerShell script will import and bind a certificate to the Default Web Site. I use this script for Citrix StoreFront and Director deployments, but it’s written to be very flexible and versatile so it can be used for other tasks. The original idea came from scripts written by Thomas Albaek and Jerome Quief for Citrix StoreFront. The way I’ve written […]


Script to Change the Drive Letter of all CDROM and DVD Drives

January 4, 2015

This PowerShell script will change the drive letter of all CDROM & DVD Drives found, starting from whatever is set as the $LastDriveLetter variable and working backwards until it finds an available drive letter. Too many IT Pros leave CDROM/DVD Drives as the drive letter Windows assigns them when first detected, which is typically either D: or E:. Then […]


Custom MDT Wizard For Network Settings

January 4, 2015

Setting a fixed IP Address during the MDT task sequences has always been ugly. It’s an area that I believe needs to be revisited by Microsoft. I don’t like the concept behind the “Apply Network Settings” task action. I don’t find it dynamic enough. In my opinion it’s too cumbersome and involved. The old “NICSettings_Definition_ENU.xml” […]


Script to Create a Summary Overview and Full Report of all Contact Objects in a Domain

January 2, 2015

This PowerShell script is one of the most comprehensive you will find that provides a thorough overview and full report of all contact objects in a domain. It is the culmination of many Active Directory audits and reviews and therefore contains valuable input from many customers. A lot of thought has been put into the logic […]


Script to Create an Overview and Full Report of all Group Objects in a Domain

January 2, 2015

This PowerShell script is one of the most comprehensive you will find that provides a thorough overview and full report of all group objects in a domain. It is the culmination of many Active Directory audits and reviews and therefore contains valuable input from many customers. A lot of thought has been put into the logic within […]


Script to Create an Active Directory Schema Update Report

June 22, 2014

This PowerShell script was written by the awesome Ashley McGlone (AKA Goatee PFE) and published to the TechNet Script Center. It was also blogged on the Scripting Guy TechNet site. However, it did need some updates to keep up with the newer schema updates as well as adding the SCCM (ConfigMgr) versions. As Ashley has […]


Script to Create an Overview of all Computer Objects in a Domain

June 22, 2014

This PowerShell script will provide an overview and count of all computer objects in a domain based on Operating System and Service Pack. It helps an organisation to understand the number of stale and active computers against the different types of operating systems deployed in their environment. Computer objects are filtered into 4 categories: Windows Servers […]
