User Group Policy Loopback Processing

Today we are going to assign user settings on servers, answering a question that I have received on more than a few occasions: how to enable user policies on computer objects.

This GPO setting is one that has been much debated on the net and elsewhere for years. This is nothing new at all, but I will try to explain what it actually does.

“User Group Policy loopback processing” is the magic word that makes it possible to assign user policy settings to computer objects. Well… sort of. It does not actually apply to the computer objects themselves… but it applies to every user that logs on to a computer object covered by the policy. I am not as much of a GPO guru any more since I tried to get away from the traditional server admin role a few years back.

The setting was originally meant for “kiosk” type computers that need a far more stringent policy than other registered users might need.

This is very handy for us (you) admins who want our support personnel to have higher security on their accounts when logging on to key servers in the enterprise, for example. Things like setting the screen saver to a 1 minute idle time and then locking the console.

The screen saver is a typical user setting that might not need to apply to their local PC but really should apply to all servers that they log on to. (This is again up for discussion outside the scope of this guide.)

So, let’s get to it. Run gpmc.msc and create a new GPO. We’ll begin by activating the loopback mode that allows us to assign this policy to computer objects.

Computer Configuration \ Policies \ Administrative Templates \ System \ Group Policy \ User Group Policy loopback processing mode

I chose to use Replace mode to overwrite any setting that might be there.

Then I set the screen saver values under the User Configuration node of the GPO as usual.

Then you link your GPO to an OU that contains computer objects and try it out.

As you can see, the policy has taken effect.
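The same GPO built from PowerShell instead of gpmc.msc, as an added example that is not part of the original post. It uses the GroupPolicy module (RSAT / Server 2008 R2 and later) and writes the same registry-backed policies the GUI path above sets: the loopback mode value on the computer side and the screen saver values on the user side. The GPO name and the OU distinguished name are assumed placeholders; the 1 minute idle time is the value from the post.

```powershell
# Added example (not from the original post): build the loopback GPO described
# above with the GroupPolicy module instead of clicking through gpmc.msc.
Import-Module GroupPolicy

$gpoName  = 'Server Screen Saver Lockdown'        # assumed name; replace
$targetOu = 'OU=Tier0 Servers,DC=example,DC=com'  # assumed OU holding COMPUTER objects; replace
$idleSec  = 60                                    # 1 minute idle time, as in the post

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Loopback (Replace): lock the console for everyone who logs on to these servers'
}

# Computer Configuration \ Policies \ Administrative Templates \ System \ Group Policy \
# "User Group Policy loopback processing mode" is stored as UserPolicyMode:
#   1 = Merge, 2 = Replace. The post uses Replace, so user settings come from
#   the GPOs linked to the COMPUTER only, not from the user's own OU.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User Configuration \ Policies \ Administrative Templates \ Control Panel \ Personalization
# (screen saver policies). These are REG_SZ values under the Desktop policy key.
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'            | Out-Null  # Enable screen saver
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'            | Out-Null  # Password protect the screen saver (locks the console)
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value "$idleSec"     | Out-Null  # Screen saver timeout in seconds
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'SCRNSAVE.EXE'        -Type String -Value 'scrnsave.scr' | Out-Null  # Force a specific (blank) screen saver

# Link the GPO to the OU that holds the computer objects. Linking it to a user
# OU would do nothing useful: loopback is evaluated on the computer side.
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Verification, run on one of the member servers after "gpupdate /force" and a
# fresh logon: the computer-side loopback value should be present (2 = Replace),
# and "gpresult /r /scope:user" should list the GPO under applied objects even
# though the user's own OU has no link to it.
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -Name UserPolicyMode
```

Replace mode is the stricter choice for servers: a user's own GPOs are ignored entirely on those machines, so nothing linked to a user OU can loosen the screen saver or other lockdown settings. Merge mode would still apply the user's normal GPOs first and then layer the computer-linked user settings on top, which is the option to take when only a few settings should change per server.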

This might also come in very handy for Terminal Servers, where you might want to use the Internet Explorer hack to get higher user density out of your servers.

Posted in Uncategorized

SOPA and PIPA

This site is not meant for preaching politics of any kind, but this seems too important to just skip.

Check out this video that explains some of the details of what is going on in the States.

WTF is SOPA?

If you are in the States and can make a difference, please do. This could effectively affect the whole of the Internet if these bills get past the old geezers and farts in Congress who don’t understand any of it.

I was born in and live in Sweden, and I’m concerned about this crap…

Posted in 2008 R2, Active Directory, Certificates, Citrix, Group Policy, Metal, Migration, Server 8, Uncategorized, Windows Clients, Windows Server, XenApp, XenDesktop, XenServer

DNS Scavenging silliness

Hello once again,

Today I ran into a silly thing regarding DNS Scavenging. I’ve never thought that it would be this silly and I have not run into this previously for reasons I will explain below.

Usually you will want scavenging activated so that your DNS structure is current and old records are discarded.

So you activate aging to begin with, and the default values are a 7 day no-refresh interval followed by a 7 day refresh interval. These values mean that once a DNS record is registered, its time stamp cannot be refreshed for 7 days. Once that period has passed, the record has 7 more days in which its time stamp may be refreshed.

The Netlogon service will try to refresh dynamic records every 24 hours (and every start-up).

I would recommend setting a shorter no-refresh interval in a dynamic environment. Once both intervals have passed (14 days), DNS scavenging will remove the records from the database and cache (by default it runs every 7 days).

You also have the option of running scavenging manually with the dnscmd command line tool or from the GUI. However…

Here is the silly part. If you have chosen not to use the automatic scavenging setting, manual scavenging will not run at all. You can try to run it as much as you like; it will simply not do a manual cleanup. You MUST set the server to “Run automatic scavenging every X days/minutes” to be able to use the manual approach.

I’m guessing that if you select 0 days, it will never run automatically and you have the option to run scavenging manually only… but you will still have to select that :)

I have not run into this pitfall earlier since all the previous deployments actually run it automatically at least once a week.

Note that this was found for an Active Directory integrated zone. I’m not sure how this affects primary zones.
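An added example, not from the original post, that scripts the aging and scavenging settings discussed above and checks for the pitfall before attempting a manual run. It uses the DnsServer PowerShell module (Windows Server 2012 and later; the post's era used dnscmd, and Start-DnsServerScavenging is the equivalent of dnscmd /StartScavenging). The server name, zone name and the 3 day no-refresh interval are assumptions chosen for illustration; 7 day refresh and 7 day scavenging period are the defaults the post describes.

```powershell
# Added example (not from the original post): inspect scavenging state, set zone
# aging, and only start a manual scavenge when automatic scavenging is enabled,
# because otherwise the manual run silently does nothing (the "silly part").
Import-Module DnsServer

$dnsServer = 'dc01.example.com'   # assumed DNS server / DC; replace
$zoneName  = 'example.com'        # assumed AD-integrated zone; replace

# Server-wide settings. ScavengingState is the "Run automatic scavenging every
# X days" checkbox from the GUI; ScavengingInterval is the X. All are TimeSpans.
$srv = Get-DnsServerScavenging -ComputerName $dnsServer
'{0,-20} {1}' -f 'ScavengingState:',    $srv.ScavengingState
'{0,-20} {1}' -f 'ScavengingInterval:', $srv.ScavengingInterval
'{0,-20} {1}' -f 'NoRefreshInterval:',  $srv.NoRefreshInterval
'{0,-20} {1}' -f 'RefreshInterval:',    $srv.RefreshInterval
'{0,-20} {1}' -f 'LastScavengeTime:',   $srv.LastScavengeTime

# Zone aging: a shorter no-refresh window for a dynamic environment, as the post
# suggests, with the default 7 day refresh window. A record therefore becomes
# eligible for removal 3 + 7 = 10 days after its last time stamp, and is only
# actually removed on the next scavenging pass after that.
Set-DnsServerZoneAging -ComputerName $dnsServer -Name $zoneName -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 3) -RefreshInterval (New-TimeSpan -Days 7)

if (-not $srv.ScavengingState) {
    Write-Warning "Automatic scavenging is disabled on $dnsServer; a manual scavenge would do nothing."
    Write-Warning "Enable it first, for example with a 7 day interval:"
    Write-Warning "  Set-DnsServerScavenging -ComputerName $dnsServer -ScavengingState `$true -ScavengingInterval (New-TimeSpan -Days 7)"
    return
}

# Manual run (dnscmd /StartScavenging equivalent). Scavenging is asynchronous;
# LastScavengeTime updates when the pass has actually happened, so comparing
# it before and after is the simplest way to confirm the run was accepted.
$before = $srv.LastScavengeTime
Start-DnsServerScavenging -ComputerName $dnsServer -Force
Start-Sleep -Seconds 30
$after = (Get-DnsServerScavenging -ComputerName $dnsServer).LastScavengeTime
if ($after -gt $before) { "Scavenging ran at $after" } else { Write-Warning 'LastScavengeTime unchanged; check the DNS Server event log.' }
```

A scavenging pass that "ran" but removed nothing is usually a sign that the no-refresh plus refresh window has not yet elapsed since aging was enabled on the zone, or that a different DNS server is set as the zone's scavenging server; the LastScavengeTime check above only tells you the pass executed, not what it removed.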

Posted in Active Directory, Windows Server

Server 8 AD Recycle Bin and ADAC

Good afternoon,

So I’ve noticed that it is a bit easier to activate the Active Directory Recycle Bin in Server 8 (developer preview).

It is also a lot easier to administer once activated.

So here’s the activation part.

Start PowerShell and import the Active Directory module (or just run “PowerShell for Active Directory”). Type: Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "domainFQDN"

Once it’s activated and you want to recover lost objects, start Active Directory Administrative Center (introduced in Server 2008 R2).

Browse to “Deleted Objects” in your domain root and simply right click (or use the task list on the right side) to recover lost objects or OUs.

Another cool feature of the new ADAC is that you can view the PowerShell history that results from you clicking around and performing tasks. Simply click in the lower-left corner to view the history. This is a great way for you to get the code to write your own scripts and customize them.

One last nice addition is the simplicity of handling and assigning PSOs (Password Settings Objects). Once you have created a few different ones, you can simply assign them with ADAC to your users. It is included in the standard user view.
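The whole sequence from this post done in PowerShell, as an added example that is not from the original post: enabling the Recycle Bin only if it is not already on, listing deleted objects, restoring one, and assigning a PSO, which is the kind of script the ADAC PowerShell history lets you assemble. It uses the ActiveDirectory module cmdlets. The forest name, the user name 'jdoe' and the PSO name 'Tier0-Admins-PSO' are assumed placeholders.

```powershell
# Added example (not from the original post): AD Recycle Bin enablement,
# deleted-object listing and restore, plus PSO assignment, with the
# ActiveDirectory module. Placeholder names are marked "assumed".
Import-Module ActiveDirectory

$forestFqdn = 'example.com'       # assumed forest root domain; replace
$lostUser   = 'jdoe'              # assumed sAMAccountName of a deleted user; replace
$psoName    = 'Tier0-Admins-PSO'  # assumed existing PSO name; replace

# 1. Enable the Recycle Bin once per forest. This is irreversible and needs
#    forest functional level 2008 R2 or higher, so check EnabledScopes first.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forestFqdn -Confirm:$false
    'Recycle Bin Feature enabled.'
} else {
    'Recycle Bin Feature already enabled.'
}

# 2. List deleted objects. With the Recycle Bin on, deleted objects keep their
#    attributes (notably lastKnownParent), which is what makes a clean restore
#    possible. The "Deleted Objects" container itself is excluded.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass, sAMAccountName
$deleted | Select-Object Name, objectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# 3. Restore a single user by ObjectGUID (deleted object names are mangled to
#    "<name>\0ADEL:<guid>", so match on sAMAccountName instead of Name).
#    If its parent OU was deleted too, restore the OU first or pass -TargetPath.
$victim = $deleted | Where-Object { $_.objectClass -eq 'user' -and $_.sAMAccountName -eq $lostUser } |
    Select-Object -First 1
if ($victim) {
    Restore-ADObject -Identity $victim.ObjectGUID
    "Restored $lostUser to $($victim.lastKnownParent)"
} else {
    Write-Warning "No deleted user '$lostUser' found in the Recycle Bin."
}

# 4. Fine-grained password policy: apply an existing PSO to the user, then show
#    which PSO actually wins for that account (lowest precedence value).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $lostUser
Get-ADUserResultantPasswordPolicy -Identity $lostUser | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

The EnabledScopes check matters because Enable-ADOptionalFeature on an already enabled feature simply errors; and step 4 ends with the resultant policy rather than the assignment, since a user in several PSO-bearing groups gets only the PSO with the lowest precedence value, which ADAC's user view does not make obvious.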

That’s all for today. Have a great night! Christmas is just around the corner.

Posted in Server 8, Windows Server