A Smattering of Group Policy and Modicum of AD


Hey Everyone, I’ve been doing a lot of risk assessments and knowledge transfer sessions recently for Group Policy and AD for UK Premier customers. I’ve been finding that a lot of customers have the same issues or want more information on the same concepts. I normally follow up individually with each customer to send them further reading or extra info, so I’ve decided to put all of these handy links into one blog post so I have one reference point to then send on to customers. I will carry on updating this list over time if and when I want to share more reference material, so check back! If you have any other suggestions, then feel free to pop them into the comments.

So here it is, loads of Group Policy and AD goodness here for your reference:

 

Stale Groups and Group Memberships

Use these scripts to identify groups with common members and also where these groups are assigned permissions on file shares.

http://blogs.technet.com/b/ashleymcglone/archive/2014/03/14/using-powershell-to-find-stale-and-duplicate-active-directory-groups.aspx

http://blogs.technet.com/b/ashleymcglone/archive/2014/03/17/powershell-to-find-where-your-active-directory-groups-are-used-on-file-shares.aspx

 

AD ACL Scanner

This PowerShell script is written by Robin Granberg, a Swedish PFE, who is the king when it comes to all things AD permission related and custom AD delegation. He is also one of the architects of the Premier POP–AD Delegation offering where we can help you implement a role based access control model in your environment, if you’re interested and are a Premier customer speak to you TAM!

https://adaclscan.codeplex.com/

 

GPO Debug Logging

Enabling GPO Debug Logging:

http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx

Parsing the GPSvc log:

http://blogs.technet.com/b/askds/archive/2015/04/17/a-treatise-on-group-policy-troubleshooting-now-with-gpsvc-log-analysis.aspx

Enabling CSE Debug Logging

https://technet.microsoft.com/en-us/library/cc759167(v=ws.10).aspx

http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx

Use this tool to parse the event viewer for Group Policy related events:

http://blogs.technet.com/b/grouppolicy/archive/2007/02/08/gplogview.aspx

 

List of Client Side Extensions

Group Policy Client Side Extensions can be a bit of a mystery because they are not very well documented. There isn’t one list in Microsoft where we can refer to each GPO setting and the CSE that is responsible for configuring it at the client side. The reason for this is because each product group is responsible for providing the Group Policy team with the settings and the client code to implement them in the form of a CSE. Group Policy is just the vessel for distributing these settings, it is not necessarily responsible for each of the settings, hence we don’t have a definitive list. However, never fear as Mark Empson, also known as Captain GPO, has documented some of the CSEs for us and what their GUIDs are:

http://blogs.technet.com/b/mempson/archive/2010/12/01/group-policy-client-side-extension-list.aspx

 

Slow Boot Slow Logon – are GPOs to Blame?

This isn’t technically related to AD and GPOs, however a lot of the time Group Policy gets blamed for slow booting and login times for user’s machines which is why I’ve included it here. If you read the Ask PFE Platforms blog, you are probably familiar with the series they did on SBSL, if not then you should be reading it! They talk through using Xperf and then Windows Performance Analyser for assessing boot times in Windows, this is mandatory reading for any client admins out there:

http://blogs.technet.com/b/askpfeplat/archive/tags/sbsl/

Folder redirection and roaming user profiles can eat up the seconds during logon for users, especially if you have slow storage or latency on the network. Can you replace folder redirection and RUP in your environment? Maybe. If you are licensed for MDOP then check out UE-V, it may fit your requirements:

https://technet.microsoft.com/en-us/windows/hh943107.aspx

Start-up scripts are also another culprit of slow boot times, check out this post to see if you can replace your scripts:

http://blogs.technet.com/b/askpfeplat/archive/2015/04/27/the-startup-script-is-dead.aspx

If you can replace the old login script which performs drive maps using Group Policy Preferences, then check out this post which will help you configure it:

http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx

Further to above posts see some general guidance on group policy and logon times:

http://blogs.technet.com/b/grouppolicy/archive/2013/05/23/group-policy-and-logon-impact.aspx

 

Consolidate Policies

The following PowerShell script can be used to merge policies where you are trying to consolidate:

http://blogs.technet.com/b/ashleymcglone/archive/2011/01/19/finally-copy-and-merge-gpos-powershell-saves-the-day.aspx

 

Central Store

Have you implemented the Group Policy Central Store? If not check out this article:

http://blogs.technet.com/b/askpfeplat/archive/2011/12/12/how-to-implement-the-central-store-for-group-policy-admin-templates-completely-hint-remove-those-adm-files.aspx

If you have implemented it, are you having issues due to inconsistencies with ADMX versions and deprecated settings? If so, check out this hotfix which allows you to override the Central Store on a particular machine:

https://support.microsoft.com/en-us/kb/2917033

Execute those legacy ADM files from your SYSVOL using this article and script:

http://blogs.technet.com/b/askpfeplat/archive/2012/03/14/central-store-and-adm-removal-q-amp-a-with-an-updated-script.aspx

 

Backup, Backup, Backup!!!

Do you backup your AD, probably yes. Do you have a full forest recovery and disaster recovery plan, probably not. So many customers neglect the need to have a fully tested and robust disaster recovery plan in place for AD and GPOs. AD usually underpins your whole environment; you MUST create a DR plan for it! Go through the Forest Recovery whitepaper on TechNet and create one if you haven’t got one already:

https://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(v=ws.10).aspx

With regards to GPOs, these will be included in your DR plan when you have it but most customers don’t take backups of their GPOs properly. Our very own PoSH Chap Ian Farr can help us out here: http://blogs.technet.com/b/poshchap/archive/2014/04/25/comprehensive-gpo-backup-script.aspx

Again, if you are Premier customer we have an engagement which can help you create your DR plan, ask your TAM about an AD Recovery Execution Service (ADRES).

 

DNS

So many customer do not enable scavenging on their DNS zones, or have it miss-configured, please see this article for information on how to configure DNS scavenging: http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

Have you upgraded your environment from Windows 2000 to 2003 to 2008 onwards? If so, did you migrate your _msdcs zone into the application partition? If you didn’t then you should, this still gets picked up in some customer environments today. Please see this article for information on how to configure the _msdcs zone to be in the forestdnszones app partition: https://support.microsoft.com/en-us/kb/817470

Have you configured secure dynamic updates on your DNS zone? This is another one which comes up on the risk assessments quite a lot, see the following article for info on secure updates:

https://technet.microsoft.com/en-us/library/cc961412.aspx

 

AD Replication

Lingering objects are an issue in many environments, you need to remove these and fix your replication for a healthy directory:

http://blogs.technet.com/b/askds/archive/2014/09/15/remove-lingering-objects-that-cause-ad-replication-error-8606-and-friends.aspx

A nice tool to monitor AD replication:

http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx

If you’re feeling conflicted, then check out another post from PoSH Chap:

http://blogs.technet.com/b/poshchap/archive/2015/03/27/one-liner-use-powershell-to-find-forest-conflict-objects.aspx

 

Time Configuration

Many customers do not consistently configure their Root PDCe to point to an external time source. Follow this article to do this automatically with Group Policy:

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

Stop devastating time drifts in your directory by configuring the max negative and positive phase correction values, again this is missed by many customers:

http://blogs.technet.com/b/askpfeplat/archive/2012/11/23/fixing-when-your-domain-traveled-back-in-time-the-great-system-time-rollback-to-the-year-2000.aspx

 

Post 2003 Eradication

Have you finally got rid of that last 2003 domain controller in your environment? If so, then make sure you perform the post upgrade tasks and don’t just close the project down:

Raise the DFL and FFL:

http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx

Migrate SYSVOL to DFSr

http://blogs.technet.com/b/filecab/archive/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol.aspx

Make use of the AD Recycle Bin:

http://blogs.technet.com/b/canitpro/archive/2014/05/01/step-by-step-enabling-active-directory-recycle-bin-in-windows-server-2012.aspx

Enable the GPO Central Store as discussed above.

 

Sites and Subnets:

Pretty much every single risk assessment I run the issue of missing subnets gets flagged, use this script to collect missing subnets in AD:

https://gallery.technet.microsoft.com/scriptcenter/Collect-Active-Directory-fa4dff2e

 

Authentication

Having problems with Kerberos? It could be down to duplicate SPNs and UPNs, check this script to find those duplicates:

https://gallery.technet.microsoft.com/scriptcenter/Find-Specific-or-Duplicate-b9c04d01

Are you suffering from token bloat? If so removing sIDHistory data may help, use this script:

http://blogs.technet.com/b/ashleymcglone/archive/2011/11/23/how-to-remove-sid-history-with-powershell.aspx

 

 

Comments (1)
  1. Eoin Ryan says:

    This is a fantastic post, thank you for bringing all these links together, and the helpful context around each.

Comments are closed.

Skip to main content