Troubleshooting time sync issues on a AD domain computer

Most time there should be warning events in the System event log, with a source called Time-Service. 

To verify network connection and ntp settings you can use w32tm.

show source server:

w32tm /query /source

verify network connectivity to an NTP server:

w32tm /stripchart /computer:ntp01.mydomain.zz

show configuration:

w32tm /query /configuration

(NT5DS using domain hierarchy)

force client to use domain hierarchy:

w32tm /config /syncfromflags:domhier /update

Microsoft Security Compliance Toolkit

For someone who hasn‘t any sec baseline tools for Windows and Microsoft products, you should check it out. Microsoft Security Compliance Toolkit is a collection of tools and templates released by Microsoft to give security admins access to recommended security configuration baselines for Windows OS and some Microsoft products. You can manage both domain and local policies!

You can download the tool here:

https://www.microsoft.com/en-us/download/details.aspx?id=55319

Start Windows PowerShell using Keyboard shortcuts

Start Windows PowerShell using Keyboard shortcuts

Run as User:  WIN + x in the menu press i

Run as Admin: WIN + x in the menu press a

Windows 10’s File Explorer is getting tabs support

Now in the latest Windows 10 Build 17618 (RS5) Microsoft added tabs support into File Explorer. It was a highly-requested feature from community.

Apart from File Explorer, other built-in traditional programs like Command Prompt, PowerShell and Notepad are also supported. MS also enabled this feature for Mail, Calendar, OneNote, and MSN News App. So a user can switch between these Apps just like switching between tabs
in Internet browsers.

Update ADMX files for Windows 10 1709 in your Central Store

Download and install Windows_10_Fall_Creators_Update_1709_ADMX.msi

https://www.microsoft.com/en-US/download/confirmation.aspx?id=56121

All admx and adml files will be extracted to “C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions”.

Now backup your actual Central Store folder:

 \\yourdomain.com\SYSVOL\yourdomain.com\Policies\PolicyDefinitions 

and after that, copy and replace the extracted ADMX and ADML files to the PolicyDefinitions folder.

For some reasons 5 amdl files are not in the other language folders... you have to copy the following adml files from en-us to all other folders, to avoid errors.

GroupPolicy-Server.adml
GroupPolicyPreferences.adml
MMCSnapIns2.adml
TerminalServer-Server.adml
WindowsServer.adml

After replication finished, you can administrate the new features of Win10 on all DCs.

Largest FREE Microsoft eBook Giveaway!

Largest FREE Microsoft eBook Giveaway! I’m Giving Away MILLIONS of FREE Microsoft eBooks again, including: Windows 10, Office 365, Office 2016, Power BI, Azure, Windows 8.1, Office 2013, SharePoint 2016, SharePoint 2013, Dynamics CRM, PowerShell, Exchange Server, System Center, Cloud, SQL Server and more!

Check it out!
https://blogs.msdn.microsoft.com/mssmallbiz/2017/07/11/largest-free-microsoft-ebook-giveaway-im-giving-away-millions-of-free-microsoft-ebooks-again-including-windows-10-office-365-office-2016-power-bi-azure-windows-8-1-office-2013-sharepo/

Windows 10 deployment and management lab kit

The Windows 10 Deployment and Management Lab Kit includes everything you need to review the new in-place upgrade option plus traditional deployment methods and other management tools.

Just get the lab here. 

Hide a Windows Update in Windows 10

1. Just download wushowhide.diagcab
2. Run wushowhide.diagcab
3. Click on Next
4. Click Hide updates
5. Select the updates you want to hide
6. Click on Next and Close

Scan for Ransomware and send an E-Mail on detection using Powershell

Check out my new post on technet:
https://gallery.technet.microsoft.com/Scan-for-Ransomware-and-cb075ccb

Powershell Active Directory Excel Report

This script reports information about your Active Directory infrastructure and save it in an Excel file.
It´s using Powershell in combination of the Acitve Directory module. If you want to run this script, RSAT must be installed.
The following information will be saved into the Excel file.

• users that was created in the last 24 hrs
• users with the flag password never expires set
• disabled users
• users that never changed there passwords
• computers that have not logged on for more then 90 days
• disabled computers
• all DCs in your domain
• all DHCP servers in your Forest
• all Subnets with the associated Site and Location name in your Forest
• FSMO role holders in your Forest
• FSMO role holders in your Domain
• DOMAINNAME PW Policy
• DOMAINNAME GPOs
• DOMAINNAME OUs

After the script finished the report will popup.

DOWNLOAD the script

Group Policy / Administrative Template files for Windows 10 in a Windows 2008 or 2012 Domain

To get the new features in Windows 10 for a Windows 2008 or 2012 domain you have to do the following steps:

- Download set of Administrative Template files for Windows 10.

- Install the downloaded MSI on a computer

- On the computer copy the folder "PolicyDefinitions" located in "C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511\" to "\\YourDomain\SYSVOL\YourDomain\Policies"

Note: If you have not all adml files in your domain only copy the needed ones

- If you have more than one DC the folder will be replicated depending on your schedule interval in Site and Services

LDAP Queries for Users, Computers, Groups and Service Connection Points v2

Find attached a lot of ldap queries. An example how to use this queries using ADUC, see this post.

Computer accounts

Computer accounts starting with WS
(objectcategory=computer)(samaccountname=WS*)

Computer accounts with "COP" in the attribute "description"
(&(objectCategory=computer)(description=*COP*))
or
(&(objectCategory=computer)(description=*COP)) -->for only COP in the description

Computer accounts with MS-SQL installed
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))

Computer accounts with a Server OS
(&(objectCategory=computer)(operatingsystem=*server*))

Find all Computers that do not have a Description
(objectCategory=computer)(!description=*)

Find all computer accounts for whom a manager is specified
(&(&(objectCategory=computer)(objectClass=computer))
(managedBy=*))

Find All Workstations
(sAMAccountType=805306369)
or
(&(objectCategory=computer)(objectClass=computer))

Find all 2003 Servers Non-DCs
(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))

Find all 2003 Servers – DCs
(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))

Find all Server 2008
(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))

Find all 2008 Servers – DCs
(&(&(&(&(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server* 2008*)))))

Disabled Computer Acounts
(&(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2)))

Enabled Computer Acounts
(&(&(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))))

SQL Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))

Exchange Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))

Find all Windows XP SP3 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))

Find all Windows Vista SP1 computers
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 Enterprise computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))

Find all Windows 8.0 (all versions) computers

(&(objectCategory=computer)(operatingSystem=Windows 8*)(operatingSystemVersion=6.2 (9200))) 

Find all Windows 8.1 (all versions) computers

(&(objectCategory=computer)(operatingSystem=Windows 8.1*))

Find all Windows Server 2012 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*))

Find all Windows Server 2012 no R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*)(operatingSystemVersion=6.2 (9200))) 

 Find all Windows Server 2012 R2 (all versions) computers

(&(objectCategory=computer)(operatingSystem=Windows Server 2012 R2*)) 

Find all Windows 10 (all versions) computers

(&(objectCategory=computer)(operatingSystem=Windows 10*))

User accounts

Find all user accounts
(&(objectCategory=person)(objectClass=user))

Find all user accounts for whom a password is not required
(&(&(objectCategory=person)(objectClass=user))
(UserAccountControl:1.2.840.113556.1.4.803:=32))

Find all user accounts that do not require a SmartCard for logon
(&(&(objectCategory=person)(objectClass=user))
(!(UserAccountControl:1.2.840.113556.1.4.803:=262144)))

Find users that have non-expiring passwords
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

To find all user accounts that have the name “Mueller” in them
(objectcategory=person)(samaccountname=*Mueller*)

Locked out user accounts
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

Useraccounts starting with "A" in the Attribute "Common Name"
(&(objectCategory=user)(cn=A*))

Diabled user accounts
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Useraccounts without an value in Attribute "Mail"
(&(objectCategory=person)(objectClass=user)(!mail=*))

Useraccounts with Mail Enabled
(objectClass=user)(mail=*)

Useraccounts that have never logged on
(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*)))

Users that have been given dial-in permissions
(objectCategory=user)(msNPAllowDialin=TRUE)

Users find who have admin in description field
(objectcategory=person)(description=*admin*)

Find user accounts with no log on script
(objectcategory=person)(!scriptPath=*)

Find user accounts with no profile path
(objectcategory=person)(!profilepath=*)

Find non disabled accounts that must change their password at next logon
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Find all Users that need to change password on next login
(&(objectCategory=user)(pwdLastSet=0))

Finds all locked out accounts
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)

Finds all Users with Email Address set
(objectcategory=person)(mail=*)

Finds all Users with no Email Address
(objectcategory=person)(!mail=*)

Find all Users with Dial-In permissions
(objectCategory=user)(msNPAllowDialin=TRUE)

Finds all disabled accounts in active directory
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)

Find all Users that are almost Locked-Out
Notice the “>=” that means “Greater than or equal to”.
(objectCategory=user)(badPwdCount>=2)

Find all mail-enabled groups hidden from the Global Address list (GAL)
(&(&(objectCategory=group)(objectClass=group))
(&(mailnickname=*)(msExchHideFromAddressLists=TRUE)))

Find all mail-enabled security groups
(&(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648))
(mailnickname=*))

Find all mailbox-enabled accounts
(&(&(objectCategory=person)(objectClass=user))
(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))))

Find all mailbox-enabled accounts with Outlook Web Access (OWA) disabled
(&(&(objectCategory=person)(objectClass=user))
(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))
(|(protocolSettings=*HTTP§0*)(protocolSettings=*OWA§0*))))

Find all users with Hidden Mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))

(&(&(objectCategory=person)(objectClass=user))(lastLogon>=129772445240000000))

Groups

To find all groups that have no members
(objectCategory=group)(!member=*)

Find Groups that contains the word admin
(objectcategory=group)(samaccountname=*admin*)

Find all Universal Groups
(groupType:1.2.840.113556.1.4.803:=8)

Find all global security groups
(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483650))

Finds Domain Local Groups
(groupType:1.2.840.113556.1.4.803:=4)

Find all distribution groups
(&(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))(objectCategory=ms-Exch-Dynamic-Distribution-List)(objectClass=msExchDynamicDistributionList)))

List all groups with sec- prefix convention
(&(objectCategory=group)(name=*sec-*))

Find all security groups with members
(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.804:=2147483648)(member=*))

Service connection Points

Find all service connection points
(objectCategory=serviceConnectionPoint)

Find all service connection points that do not have service bindings specified
(&(objectCategory=serviceConnectionPoint)(!(serviceBindingInformation=*)))

Find all service connection points that do not have a service DNS name specified
(&(objectCategory=serviceConnectionPoint)(!(serviceDNSName=*)))

Get the old Windows Update Control Panel applet back in Windows 10 build 9926

To get the old Windows Update Control Panel applet back you have to run the following *.reg file.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX]
"IsConvergedUpdateStackEnabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings]
"UxOption"=dword:00000000

Save the above lines via text editor and save it like "wupdate.reg". Then execute it and you will get the old windows update view.

Create the Windows 10 GodMode folder and Shortcuts for the listed tasks

Today I wanna show you how to create the "GodMode" folder.

To create the "GodMode" folder, create a New Folder and name it

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}. 

 

GodMode is only the name, you can replace it with another one.

So if you renamed the folder you can change most of your settings from the "GodMode" folder.

If you want only to access some of the listed tasks, right-click one and click "Create Shortcut".