Showing posts with label Group Policy. Show all posts

Monday, June 1, 2020

Microsoft Security Compliance Toolkit

If you don't have any security baseline tools for Windows and Microsoft products yet, you should check this out. Microsoft Security Compliance Toolkit is a collection of tools and templates released by Microsoft to give security admins access to recommended security configuration baselines for Windows OS and some Microsoft products. You can manage both domain and local policies!

You can download the tool here:

Tuesday, January 23, 2018

Get new group membership to apply a GPO to a computer without a restart

If you add a computer to an AD group that is assigned to a GPO, you need to restart the computer to get the new group membership.

If you want to avoid the restart, you can delete the computer's Kerberos tickets.

Run the following command as an admin to do this:
klist -li 0x3e7 purge

Et voilà, your computer gets its new membership!

After that you can run gpupdate to apply the assigned policies.




Friday, November 10, 2017

Update ADMX files for Windows 10 1709 in your Central Store

Download and install Windows_10_Fall_Creators_Update_1709_ADMX.msi

All admx and adml files will be extracted to “C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions”.

Now back up your current Central Store folder:
 \\yourdomain.com\SYSVOL\yourdomain.com\Policies\PolicyDefinitions 
and after that, copy the extracted ADMX and ADML files into the PolicyDefinitions folder, replacing the existing ones.

For some reason 5 adml files are not in the other language folders... to avoid errors, you have to copy the following adml files from en-us to all other language folders.

GroupPolicy-Server.adml
GroupPolicyPreferences.adml
MMCSnapIns2.adml
TerminalServer-Server.adml
WindowsServer.adml

After replication has finished, you can administer the new features of Win10 on all DCs.
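
The steps above as one script, added here as an example (it is not the author's own script). The backup folder C:\admin\Backup and the parameter names are assumptions; the other paths and the five file names come from the post.

```powershell
# Added example. $BackupRoot is an assumed location; adjust $CentralStore to your domain.
param(
    [string]$Source       = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions',
    [string]$CentralStore = '\\yourdomain.com\SYSVOL\yourdomain.com\Policies\PolicyDefinitions',
    [string]$BackupRoot   = 'C:\admin\Backup'
)
$ErrorActionPreference = 'Stop'

# 1. Back up the current Central Store before touching it.
$backup = Join-Path $BackupRoot ("PolicyDefinitions-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
Copy-Item -Path $CentralStore -Destination $backup -Recurse

# 2. Copy the extracted ADMX/ADML files over the Central Store.
Copy-Item -Path (Join-Path $Source '*') -Destination $CentralStore -Recurse -Force

# 3. Copy the five en-us-only ADML files into every language folder that lacks them.
$enUsOnly = 'GroupPolicy-Server.adml', 'GroupPolicyPreferences.adml', 'MMCSnapIns2.adml',
            'TerminalServer-Server.adml', 'WindowsServer.adml'
$enUs = Join-Path $CentralStore 'en-us'
Get-ChildItem -Path $CentralStore -Directory | Where-Object { $_.Name -ne 'en-us' } | ForEach-Object {
    foreach ($file in $enUsOnly) {
        $target = Join-Path $_.FullName $file
        if (-not (Test-Path $target)) {
            Copy-Item -Path (Join-Path $enUs $file) -Destination $target
            Write-Host "Added $file to $($_.Name)"
        }
    }
}

# 4. Report any ADMX that still has no matching ADML in a language folder.
$admx = Get-ChildItem -Path $CentralStore -Filter *.admx
Get-ChildItem -Path $CentralStore -Directory | ForEach-Object {
    $lang = $_
    $admx | Where-Object { -not (Test-Path (Join-Path $lang.FullName ($_.BaseName + '.adml'))) } |
        ForEach-Object { Write-Warning "$($lang.Name) is missing $($_.BaseName).adml" }
}
```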

Friday, January 13, 2017

Powershell: Get GPOs with unknown SIDs

This script will save all GPOs with unknown SIDs to a CSV file named GPOWithUnknownSIDs-DATE.csv. The file includes the GPO display names and the unknown SIDs.

Download the script from TechNet:
https://gallery.technet.microsoft.com/Get-GPOs-with-unknown-SIDs-38e276bd

Tuesday, December 13, 2016

Get a list of ALL the GP names and GUIDS

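Just change DC=yourdomain,DC=com to your domain name. The -limit 0 switch removes dsquery's default limit of 100 results, so all GPOs are returned.

Dsquery * "CN=Policies,CN=System,DC=yourdomain,DC=com" -filter "(objectClass=groupPolicyContainer)" -attr Name DisplayName -limit 0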

Monday, August 8, 2016

Count number of GPOs using Powershell

Hi guys,

Today I want to show you how to count your GPOs. I also want to show you how to create filters that could be useful...

This script will show you the number of all GPOs in your domain:

$GPOCOunt = ((Get-GPO -All).count)
Write-Host "Number of GPOs: $GPOCOunt"

If you have a naming convention in place, you can filter and count these GPOs.
For example, you name GPOs based on location abbreviations like US.
So let's get all GPOs starting with "US":

# Get all GPOs whose display name starts with US
# (@() makes sure .Count also works when zero or one GPO matches)
$GPOCOuntUS = @(Get-GPO -All | Where-Object { $_.DisplayName -like "US*" })
# Count them
$GPOCOuntUS2 = $GPOCOuntUS.Count
# Write output
Write-Host "Number of GPOs for US: $GPOCOuntUS2"

Another good filter (almost everyone uses it, I think...) is "test".
So let's get all GPOs that include the word test:

# Get all GPOs whose display name contains "test"
$GPOCOuntTest = @(Get-GPO -All | Where-Object { $_.DisplayName -like "*test*" })
$GPOCOuntTest2 = $GPOCOuntTest.Count
Write-Host "Number of your TEST GPOs: $GPOCOuntTest2"

Tuesday, March 15, 2016

Protect your systems against Ransomware / CrypVault using GPO

Hi guys,
In this post I will show you how to block gpg.exe, which the ransomware named CrypVault uses for file encryption.

Create a GPO (I will attach my GPO so you can import the settings!)
User Configuration/Policies/Windows Settings/Software Restriction Policies/Additional Rules
Create Path and Hash Rules for the known gpg.exe versions.

The virus will no longer be able to execute the tool.

I recommend adding all gpg.exe hashes to the policy, because the path rules for gpg.exe and gpg2.exe will not apply if the EXE is renamed!

The attached GPO includes the paths and all hashes of gpg.exe up to version 2.3.0.

You can import this GPO by creating a new GPO, right-clicking it and selecting Import Settings. Follow the wizard to import the settings.

Please test before you implement this setting and also verify that this tool is not used by your users.

If your users are using gpg.exe, you can only restrict the execution from %temp%, because the virus copies gpg.exe to this location most of the time...
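
Why the hash rules matter, as an added example (not part of the attached GPO): it compares how a name-based rule and a hash-based rule classify a renamed copy. All files are constructed stand-ins created in a temporary folder; no real gpg.exe or real hash is involved.

```powershell
# Added example: a hash match follows the file content, a path/name match does not.
$work = Join-Path ([IO.Path]::GetTempPath()) ("srp-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
try {
    # Constructed stand-in for a known gpg.exe build, a renamed copy of it, and an unrelated file.
    Set-Content -Path (Join-Path $work 'gpg.exe') -Value 'constructed sample bytes A' -NoNewline
    Copy-Item -Path (Join-Path $work 'gpg.exe') -Destination (Join-Path $work 'renamed-copy.exe')
    Set-Content -Path (Join-Path $work 'other-tool.exe') -Value 'constructed sample bytes B' -NoNewline

    # The rule sets: file names as in the path rules, hashes as in the hash rules.
    $pathRules   = @('gpg.exe', 'gpg2.exe')
    $knownHashes = @((Get-FileHash -Algorithm SHA256 -Path (Join-Path $work 'gpg.exe')).Hash)

    Get-ChildItem -Path $work -File | ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        [pscustomobject]@{
            File            = $_.Name
            MatchesPathRule = $pathRules -contains $_.Name
            MatchesHashRule = $knownHashes -contains $hash
        }
    } | Format-Table -AutoSize
}
finally {
    # Clean up the constructed files.
    Remove-Item -Path $work -Recurse -Force
}
```

renamed-copy.exe matches only the hash rule, gpg.exe matches both, and other-tool.exe matches neither.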

Monday, February 29, 2016

Powershell Active Directory Excel Report

This script reports information about your Active Directory infrastructure and saves it in an Excel file.
It uses PowerShell in combination with the Active Directory module. If you want to run this script, RSAT must be installed.
The following information will be saved into the Excel file:
  • users that were created in the last 24 hrs
  • users with the flag "password never expires" set
  • disabled users
  • users that never changed their passwords
  • computers that have not logged on for more than 90 days
  • disabled computers
  • all DCs in your domain
  • all DHCP servers in your Forest
  • all Subnets with the associated Site and Location name in your Forest
  • FSMO role holders in your Forest
  • FSMO role holders in your Domain
  • DOMAINNAME PW Policy
  • DOMAINNAME GPOs
  • DOMAINNAME OUs
After the script has finished, the report will pop up.

DOWNLOAD the script

Wednesday, January 27, 2016

Group Policy / Administrative Template files for Windows 10 in a Windows 2008 or 2012 Domain




To get the new features in Windows 10 for a Windows 2008 or 2012 domain you have to do the following steps:

- Download the set of Administrative Template files for Windows 10.

- Install the downloaded MSI on a computer

- On the computer copy the folder "PolicyDefinitions" located in "C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511\" to "\\YourDomain\SYSVOL\YourDomain\Policies"

Note: If you do not have all adml files in your domain, copy only the needed ones

- If you have more than one DC the folder will be replicated depending on your schedule interval in Sites and Services

Monday, March 23, 2015

Backup All GPOs using Powershell

I uploaded a new script to back up all GPOs and the Scripts folder located in the sysvol share.
The backup will be saved to a server in a folder named after the current date.


- Run this script using a scheduled task

Open the Task Scheduler on your server.

Right-Click on "Task Scheduler Library" and select "Create a Basic Task".

Define a Name/Description, Trigger...

In the "Action" section you have to select "Start a Program" and enter the following options.
Program/script: powershell
Add arguments (optional): -file "C:\admin\Scripts\GPOBackup\GPOBackupV2.ps1"

In the "Finish" section check "Open the Properties dialog for this task when I click Finish" and click "Finish".

To run the task whether the user is logged on or not, select the option in the General tab, click OK and enter credentials.

- Import GPO Backups
To import the backed up GPOs you can use the GPMC:
Right-click "Group Policy Objects" and click on "Manage Backups..."
or using the PowerShell command Import-GPO:

Friday, March 6, 2015

Set Delegation rights on a specified GPO or all GPOs in your domain using Powershell

First you have to import the grouppolicy module in PowerShell to execute the cmdlets. This can be done with the following command:

import-module grouppolicy

Now you can use the following cmdlets to ease the Group Policy permission administration.
  • Get-GPPermissions (used to query permissions on GPOs)
  • Set-GPPermissions (used to apply permissions on GPOs)

In Windows Server 2012 the cmdlets are named without the trailing s, like "Get-GPPermission", but the old cmdlet names also work, because Microsoft created an alias.


Below are some examples to set permissions on GPOs.

This command sets the permission level for the "Test Users" security group to GpoRead for the GPO named "TestGPO1".

Set-GPPermissions -Name TestGPO1 -TargetName "Test Users" -TargetType Group -PermissionLevel GpoRead  


The following command sets the permission level for the "Sample GPO Read Access" security group to GpoRead on all GPOs in the domain.

Set-GPPermissions -All -TargetName "Sample GPO Read Access" -TargetType Group -PermissionLevel GpoRead


The following command sets the permission level for the "Sample GPO Edit Access" security group to GpoEdit on all GPOs in the domain.

Set-GPPermissions -All -TargetName "Sample GPO Edit Access" -TargetType Group -PermissionLevel GpoEdit



To verify that the commands worked, you can use the "Get-GPPermissions" cmdlet. Here is a sample that checks whether the first Set-GPPermissions command worked:

Get-GPPermissions -Name TestGPO1 -TargetName "Test Users" -TargetType Group

The console will show the following output:
-------------------------------------------
Trustee         : Test Users
TrusteeType     : Group
PermissionLevel : GpoRead
Inherited       : False
-------------------------------------------

Wednesday, July 10, 2013

Group Policy / Administrative Template files for Windows 8 and Windows Server 2012 in a Windows 2008 Domain

To get the new features in Windows 8 and Windows Server 2012 for a Windows 2008 domain you have to do the following steps:

- Download the complete set of Administrative Template files for Windows 8 and Windows Server 2012.

- Install the downloaded MSI on a computer

- On the computer copy the folder "PolicyDefinitions" located in "C:\Program Files (x86)\Microsoft Group Policy\Windows Server 2012\" to "\\YourDomain\SYSVOL\YourDomain\Policies"

- If you have more than one DC the folder will be replicated depending on your schedule interval in Sites and Services

Tuesday, February 26, 2013

Backup All GPOs using Task Scheduler and Powershell

Hi guys,
this guide will show you how to create a monthly GPO backup using a scheduled task that starts a PowerShell script.

Download this script from my previous post, change it for your environment and save it to your server on "C:\scripts\GPOBackup".

Start the Task Scheduler located in Administrative Tools. Right-click on "Task Scheduler" and select "Create Task".

On the "General" tab name the task, e.g. "GPO Backup", and select "Run whether user is logged on or not".

On the "Triggers" tab click on "New..." button and select "Monthly". Set the Months and Days you want to backup the GPOs.

On the "Actions" tab select "Start a program", browse to the saved script and fill in the "Start in" field.

In the last step confirm your configuration and enter the credentials you want to use to run the scheduled task.

Wednesday, December 19, 2012

Windows Server 2012 Core Network Companion Guide: Group Policy Deployment

Hi guys,

Microsoft released a guide for deploying GPOs via group membership.
"This guide provides instructions for deploying Group Policy settings to a set of client computers or users by using membership groups rather than account location in the OU hierarchy of a domain."
You can download this guide here.