POSH - J House Consulting - DevOps, Microsoft, Citrix & Desktop Virtualisation (VDI) Specialist

Script to modify the defaultSecurityDescriptor attribute on the Group-Policy-Container schema class object

July 7, 2021June 29, 2016 by Jeremy Saunders

Last week I published an article about the changes in the behavior of Group Policy processing after the deployment of security update MS16-072 under KB3163622. It included a script to assist with the remediation of Group Policy permissions: Script to report on and remediate the Group Policy security change in MS16-072.

Of course that’s not where it ends. What about new Group Policies? Do you create a procedure that requires you to add “Domain Computers” with Read permission every time you create a new Group Policy Object (GPO)? No…of course not!

What we need to do now is change the defaultSecurityDescriptor attribute on the Group-Policy-Container schema class object so that new GPOs are created with Domain Computers having Read permissions by default. Microsoft didn’t released an official script or method to do this, so here’s the next best thing.

Script to report on and remediate the Group Policy security change in MS16-072

July 30, 2016June 22, 2016 by Jeremy Saunders

On June 14th 2016 Microsoft released security update MS16-072 under KB3163622 that changes the behavior of Group Policy processing so that user group policies are now retrieved by using the machine’s security context instead of the user’s security context. This is a by-design behavior change from Microsoft to protect computers from a security vulnerability.

Update 23/06/2016: Microsoft finally released an official response to this patch via the Directory Services team: Deploying Group Policy Security Update MS16-072 \ KB3163622

This is a problem for people that implement security filtering on their Group Policy Objects (GPOs), as it removes the default Authenticated Users group not only from the “Apply group policy” permission, but also from the “Read” permission.

Script to Import and Bind a Certificate to the Default Web Site

January 4, 2015 by Jeremy Saunders

This Powershell script will import and bind a certificate to the Default Web Site. I use this script for Citrix StoreFront and Director deployments, but it’s written to be very flexible and versatile so can be used for other tasks.

The original idea came from scripts written by Thomas Albaek and Jerome Quief for Citrix StoreFront.

The way I’ve written this script it will actually remove any existing certificate bindings first, which is really handy for pushing out updated certificates as I found that other scripts written to do this task would fail when run more than once.

Script to Change the Drive Letter of all CDROM and DVD Drives

June 26, 2016January 4, 2015 by Jeremy Saunders

This PowerShell script will change the drive letter of all CDROM & DVD Drives found starting from whatever is set as $LastDriveLetter variable, working backwards until it finds an available drive letter.

Too many IT Pros leave CDROM/DVD Drives as the drive letter Windows assigns them when first detected, which is typically usually either D: or E:. Then when adding new volumes they choose the next available drive letter instead of moving the CDROM/DVD Drive(s) out of the way. I’m a stickler for this, as I like to see consecutive drives letters used for the logical disks.

The easiest way to ensure all builds are standardised is to run a script during the build process that assigns a new drive letter to the connected CDROM/DVD Drive(s).

Custom MDT Wizard For Network Settings

January 5, 2015January 4, 2015 by Jeremy Saunders

Setting a fixed IP Address during the MDT task sequences has always been ugly. It’s an area that I believe needs to be revisited by Microsoft.

I don’t like the concept behind the “Apply Network Settings” task action. I don’t find it dynamic enough. In my opinion it’s too cumbersome and involved.
The old “NICSettings_Definition_ENU.xml” custom pane no longer works from MDT 2012 and above as pointed out by a commenter on Michael Niehaus article about Customizing Wizards with MDT 2012.
I don’t like the way the ZTINicUtility.vbs and ZTINICConfig.wsf scripts have been constructed. Too messy and too hard to follow. I appreciate that these have ended up the way they are over time, but a fresh start would be my recommendation.

I just found that everything out of the box was too messy and static. There are a couple of different blogs by others on this, but they also seemed quite awkward.

Of course if you’re looking to automate as much as possible, which is what I strive for, then some back-end apps require a fixed/static IP address set before they’re installed. Sure you can reserve addresses in DHCP, but that’s a management touch point I wanted to avoid. I prefer to allocate in the design and build out based on that.

I wanted something slick and simple so I created my own.

Script to Create a Summary Overview and Full Report of all Contact Objects in a Domain

March 22, 2016January 2, 2015 by Jeremy Saunders

This PowerShell script is one of the most comprehensive you will find that provides a thorough overview and full report of all contact objects in a domain. It is the culmination of many Active Directory audit and reviews and therefore contains valuable input from many customers.

A lot of thought has been put into the logic within this script to help an organisation understand:

Contacts that are mail-disabled
Contacts that are ADFS Farm objects, which are Contact objects located under the certificate sharing container.
Contacts that are UM Integration objects
Contacts that are conflicting/duplicate objects (name contains CNF:)
Contacts that have expired
Contacts that have no manager set
Contacts that have been left in the default Users container (CN=Users)

FYI:

Mail-enabled contacts are derived from the targetAddress, proxyAddresses, legacyExchangeDN, and mailNickName attributes.

Script to Create an Overview and Full Report of all Group Objects in a Domain

March 22, 2016January 2, 2015 by Jeremy Saunders

This PowerShell script is one of the most comprehensive you will find that provides a thorough overview and full report of all group objects in a domain. It is the culmination of many Active Directory audit and reviews and therefore contains valuable input from many customers.

A lot of thought has been put into the logic within this script to help an organisation understand:

A breakdown of each group type (category and scope) that have been created
Groups with no members
Groups that are flagged as critical system objects
Groups that are protected objects (AdminSDHolder) where their adminCount attribute is set to 1
Groups that are conflicting/duplicate objects (name contains CNF: and/or sAMAccountName contains $Duplicate)
Groups that are mail-enabled
Distribution groups that are mail-disabled
Groups that are Unix-enabled
Groups that have expired
Groups with SID history
Groups with no Manager (managedBy)
The non-“Microsoft” default groups that have been left in the default Users container

FYI:

Mail-enabled groups are derived from the proxyAddresses, legacyExchangeDN, mailNickName, and reportToOriginator attributes, where reportToOriginator must be set to TRUE. This is not well documented.
Unix-enabled groups are derived from the gidNumber, msSFU30Name, and msSFU30NisDomain attributes.

Script to Create an Active Directory Schema Update Report

January 3, 2015June 22, 2014 by Jeremy Saunders

This PowerShell script was written by the awesome Ashley McGlone (AKA Goatee PFE) and published to the TechNet Script Center. It was also blogged on the Scriting Guy TechNet site. However, it did need some updates to keep up with the newer schema updates as well as adding the SCCM (ConfigMgr) versions. As Ashley has not updated it since 19th September 2013 I thought I’d update it myself and post it here until he gets the time to update the script and publish an updated version.

It will report the versions of the following products as per the sample screen shot from one of my customers:

Active Directory
Exchange
Lync
System Center Configuration Manager (SCCM) – ConfigMgr

Please ensure you read the Scripting Guy’s blog titled “How to Find Active Directory Schema Update History by Using PowerShell“, which provides some great documentation on the script as well as some valuable comments that have helped to implement the updates.

The original script can be found here on the TechNet Script Center: PowerShell Active Directory Schema Update Report

Script to Create an Overview of all Computer Objects in a Domain

September 2, 2016June 22, 2014 by Jeremy Saunders

This PowerShell script will provide an overview and count of all computer objects in a domain based on Operating System and Service Pack. It helps an organisation to understand the number of stale and active computers against the different types of operating systems deployed in their environment.

Computer objects are filtered into 4 categories:

Windows Servers
Windows Workstations
Other non-Windows (Linux, Mac, etc)
Windows Cluster Name Objects (CNOs) and Virtual Computer Objects (VCOs)

A Stale object is derived from 2 values ANDed together:

PasswordLastChanged > $MaxPasswordLastChanged days ago
LastLogonDate > $MaxLastLogonDate days ago

By default the script variable for $MaxPasswordLastChanged is set to 90 and the variable for $MaxLastLogonDate is set to 30. These can easily be adjusted to suite your definition of a stale object.

The Active objects column is calculated by subtracting the Enabled_Stale value from the Enabled value. This gives us an accurate number of active objects against each Operating System.

Script to Create a Report of Members of Privileged Groups

June 17, 2014June 9, 2014 by Jeremy Saunders

This PowerShell script will create a report of users that are members of the following privileged groups:

Enterprise Admins
Schema Admins
Domain Admins
Cert Publishers
Administrators
Account Operators
Server Operators
Backup Operators
Print Operators

This is the default list of privileged groups I’ve set, but you can adjust the privileged groups directly within the getForestPrivGroups function if needed.

The original script was written by Doug Symalla from Microsoft and posted onto the TechNet Script Center: List Membership In Privileged Groups

This was accompanied by two TechNet Blogs:

The script was okay, but needed several updates to be more accurate and bug free. As Doug had not published an update since 26th April 2013, I though that I would. The changes I made are documented in the script.