User password age and why you can't trust it blindly

There are many ways to check when a user last set his password; my two favorites are using either PowerShell or the built-in net command that is present in all current Windows versions.

There are other things that matter when we are discussing passwords. There are a few we need to keep in mind. The most basic are:

  • Checkbox – Password never expires
  • Checkbox – User must change password at next logon
  • Value – Maximum password age
  • Value – When was the password last set

So how is all this stored:


Filter by installdate

I was once asked if you could apply a GPO to computers before a certain date. My first answer was the simple solution: create a group, add all computers that exist at that time to the group, and then filter on that group.

If possible, always do it the simple way, but they asked what would happen if a computer was reinstalled. Since the computer account will be reused, it will still be in the group, and this was a problem. So at this point we have to decide where to complicate things.

Do we want to complicate the task sequence and let it remove the computer from the group, or do we want to use a WMI filter on the GPO?

WMI filters have limitations: they require a working WMI on the client, and they also require that the client is running Windows XP or Windows 2003 Server (who has that running anyway, right?). Using WMI we can create a simple WMI filter that will allow us to only target computers that are installed or reinstalled after a certain date.

[Screenshot: WMI filter, only older installs]

It is as simple as that.
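One way to build and test such a filter before pasting the query into GPMC, as an added example that is not the query from the original screenshot. The cutoff date and the function names are assumptions made for illustration.

```powershell
# Added example (not from the original post). A GPO WMI filter is a WQL query
# evaluated on the client in a given namespace; the GPO applies only when the
# query returns at least one row.

function New-InstallDateFilterQuery {
    param(
        [Parameter(Mandatory)] [datetime]$Cutoff,
        # 'Before' targets installs older than the cutoff, 'After' newer ones.
        [ValidateSet('Before', 'After')] [string]$Direction = 'Before'
    )
    # WQL compares datetime properties against DMTF strings:
    # yyyyMMddHHmmss.ffffff+UUU (here expressed in UTC, offset +000).
    $dmtf = $Cutoff.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.000000+000'
    $op = if ($Direction -eq 'Before') { '<' } else { '>=' }
    "SELECT * FROM Win32_OperatingSystem WHERE InstallDate $op '$dmtf'"
}

function Test-InstallDateFilter {
    param([Parameter(Mandatory)] [string]$Query)
    # -ErrorAction Stop surfaces a broken WMI repository instead of silently
    # returning nothing, which is the "working WMI" requirement in practice.
    $rows = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Query       = $Query
        InstallDate = $os.InstallDate      # reset when the machine is reinstalled
        GpoApplies  = ($rows.Count -gt 0)
    }
}

# Constructed cutoff date, for illustration only.
$query = New-InstallDateFilterQuery -Cutoff '2015-01-01' -Direction Before
Test-InstallDateFilter -Query $query
```

The string in the Query column is what goes into the WMI filter in GPMC, with root\CIMv2 as the namespace.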

How can I link a GPO to the Computers Container

Well. The easy and correct answer is you can't. The Computers container is a container and not an organizational unit. Why not, you may wonder.

Deploying Bitlocker protected Workstation using Specops Deploy / OS

For one of my customers I was looking up the correct way of activating BitLocker while using Specops Deploy / OS. After a little searching on Google I understood that I would be in uncharted territory. Well, after looking at how my customer currently implemented BitLocker, I was able to solve it. This solution is not dependent on any manual changes to the MDT, so it's a clean Deploy / OS solution.

Changes to installation group policy

So let's open up our installation GPO and go straight down to the Specops Deploy / OS parts. Now edit the installation policy, go to the Custom MDT Properties and add the following variables:

Variable Name              Value  Description
DoNotCreateExtraPartition  NO     Allows the installer to create required partitions on the drive.
BdeInstallSuppress         NO     Setting this to anything but YES will start the BDE installation.

After doing that, all required changes to the installation policy are done.

Save the numerical recovery password to the Active Directory.

Most customers want to be able to access the drive if/when the computer/TPM chip dies. So we need to store the numerical recovery password in another location. So the regular choices are:

  • Manual, risking forgetting and getting into trouble.
  • Store in share, better but still more complex than required.
  • Store in AD, safe, secure and redundant.

So how do we make sure the clients store the recovery password in the AD? Well, first off, if you are running an Active Directory schema of 2008 or later you are practically done. Otherwise you could extend the schema to include the BitLocker parts or, as I would suggest, extend the schema with Windows 2012R2. See the link below for more information if you don't want to extend the schema to Windows 2008 or later. Windows will store the recovery password in an object called ms-FVE-RecoveryInformation that is located below the computer object. This helps in cleanup, because when the computer is deleted so are all the keys.

So now we have extended the schema. We still need to instruct our workstations to save the password to the AD. Here I would suggest going the Group Policy route, mostly because I really like GPOs.

So let's fire up our Group Policy Management Console (gpmc.msc).
Create a new GPO for the BitLocker settings or select another GPO.
Edit the selected GPO.

You are now facing two different places to edit, depending on whether you are deploying Vista or something later.

Windows Vista

  • Location: Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption
  • Setting: Store BitLocker recovery information in Active Directory Domain Services
  • Value: Enabled

Windows 7 or later

  • Location: Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
  • Setting: Choose how BitLocker-protected operating system drives can be recovered
  • Value: Enabled

Don't forget to check the box that says "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".

Start the installation

So after being bored for a while looking at a screen doing nothing, the install is complete. We log in to the client and open a cmd window as administrator so we can check the progress. And what do you know, it is encrypting the drive as I am writing this.

[Screenshot: command line window showing that encryption has started]
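A check that the recovery password really ended up below the computer object, as an added example that is not part of the original post. It assumes Windows 8 / Server 2012 or later (BitLocker module), the RSAT ActiveDirectory module, an elevated session and read access to the recovery objects; the function name is hypothetical.

```powershell
# Added example (not from the original post). Compares the recovery password
# key protector(s) on the local OS drive with the recovery objects stored
# below the computer object in AD. Recovery passwords are never read or printed.
Import-Module ActiveDirectory

function Test-BitLockerEscrow {
    param([string]$MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint

    # IDs of the numerical recovery password protector(s) on this volume.
    $localIds = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId.Trim('{}') })

    # Recovery objects are children of the computer object. Each object's
    # name has the form "<timestamp>{<key protector GUID>}".
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $escrowedIds = @(Get-ADObject -SearchBase $computer.DistinguishedName `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation'" |
        ForEach-Object {
            if ($_.Name -match '\{([0-9A-Fa-f-]+)\}') { $Matches[1] }
        })

    # Protectors that exist on the drive but have no matching object in AD.
    $missing = @($localIds | Where-Object { $escrowedIds -notcontains $_ })

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        VolumeStatus       = $volume.VolumeStatus
        EncryptionPercent  = $volume.EncryptionPercentage
        RecoveryProtectors = $localIds.Count
        EscrowedInAD       = $escrowedIds.Count
        MissingFromAD      = $missing
        EscrowOk           = ($localIds.Count -gt 0 -and $missing.Count -eq 0)
    }
}

Test-BitLockerEscrow
```

If EscrowOk is False while the drive is encrypting, the GPO did not reach the client before BitLocker was enabled or the client could not write to AD.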

Sources:

Backing Up BitLocker and TPM Recovery Information to AD DS

Don't forget to create a GPO Central Store

It doesn’t matter if your domain is new or old.  If the servers are Windows 2008 or later you could and should use the central store. I have seen both new and upgraded domains that don’t use the concept of the central store.

What is the Central Store

In older versions of Windows you copied the administrative templates to each GPO. With Windows 2008 and later you don't need to, nor should you. The Central Store is a directory on the SYSVOL where all servers can look, and multiple policies share the same new ADMX format files.

I checked, I don't have the Central Store and it works anyway

Well yes, all same-level Windows have a copy of the same policies in the C:\Windows\PolicyDefinitions directory. But that gives different information based on the client that you used to edit the policy. By creating the central GPO store we make sure that all clients use the same ADMX files.

How do I create a central store then?

Just copy the C:\Windows\PolicyDefinitions directory with subfolders to \\domain.fqdn\sysvol\domain.fqdn\policies\. It's as simple as that.

For more information see How to Implement the Central Store for Group Policy Admin Templates, Completely (Hint: Remove Those .ADM files!)

Push a solid colored background to a Windows Server 2012 or later

So I had a customer that requested that I change the background color for all users of an RDS solution. Well, that seems easy, let's start by right-clicking the desktop and selecting Personalize. Woho, it isn't there: by default Windows Server does not include Desktop Experience. So let's install it, just for fun. It's not really needed.

This wants to reboot, so let's do that and take a coffee

Special NTP GPO for the PDC

Each and every domain should be time-synced to the real world, outside Stockholm where I live. Sorry, old joke from the old Swedish comedy series.

Well, all domains should have a reliable time provider; I suggest using an internet source or a GPS source. Also, all domains should have an easy-to-understand time sync tree. I want the PDC to own the time for the domain. But since that role might move, some smarts are required. I create a WMI filter and a GPO that I link to the Domain Controllers OU. Please don't move the domain controllers from there.

Different ways of specifying Internet Explorer Zones

There are a few different ways of doing IE zones. I don't like them all, though. I have listed the most common and the way I like.