
Monday, August 31, 2015

Windows 10 - Useful Group Policies (Part 1 of ??)

So I've got the RTM version of Windows 10 x64 Pro installed in a VM and on a laptop. My first step with an OS is to pin down irritating things and figure out how to get rid of them in an automated fashion. Once I figure out all of that, I can then dip my toe into the MDT/WDS world and get a standard build going.

I put my Windows 10 computers in the same OU as my other computers.

You also need to import the Windows 10 Group Policies into your Central Store. You can read about how to do this on Technet here.

Create a Windows 10 WMI Filter

For your WMI filter, you'll want to use this query:
select * from Win32_OperatingSystem where Version like "10.%"

Now, create a Windows 10 GPO, link that WMI filter to it, and link it to your OU.

With that accomplished, we can now begin setting up the Windows 10 GPO.

First GPO setting: Loopback Processing
I'll split these GPOs up to apply to user/computer OUs later, but right now I want everything together, and I want any user that logs into a Windows 10 box to get the same settings. To do this, I will use loopback processing. This can be a tricky feature, so I always refer to this handy guide when I do it. Basically, you use this when you want a set of "user" group policies to apply to computers in an OU no matter who logs in. Loopback processing is usually used when you have a single-purpose computer that is locked down, like a kiosk, but in this case it's a test machine. You will find the policy in Computer\Policies\Administrative Templates\System\Group Policy, and it's called "Configure Group Policy loopback processing mode". I set that to Enabled and Replace (see the article linked above).

Now how about some settings?

Ok, Ok. Here's what I'm using so far:

Computer\Policies\Administrative Templates\System\Logon
Show first sign-in animation, Disabled
Turn off picture password sign-in, Enabled
Turn on PIN sign-in, Disabled

Computer\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds
Disable pre-release features or settings, Disabled (this one is confusing, pay attention to the description!)
Toggle user control over Insider builds, Disabled

Computer\Policies\Administrative Templates\Windows Components\Delivery Optimization
Download Mode: Enabled (None)
We're still talking about what we're going to do about Windows 10's BitTorrent-like ability to propagate downloads between peers. It seems really cool, but we need to do our due diligence and all of that.

Computer\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features
Allow fallback to SSL 3.0 (Internet Explorer), Enabled (No Sites)
Beware the Poodle!

Computer\Policies\Administrative Templates\Windows Components\Microsoft Edge
Send all intranet traffic over to Internet Explorer, Enabled

Computer\Policies\Administrative Templates\Windows Components\OneDrive
Prevent the usage of OneDrive for file storage, set to HELL YES.

These turn off Cortana, and also disable the "web" part of the start menu search. I only want to search my computer.
Computer\Policies\Administrative Templates\Windows Components\Search
Allow Cortana, Disabled
Do not allow web search, Enabled
Don't search the web or display web results in search, Enabled
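As an added example (not from the original post), here is a PowerShell audit that checks whether the settings above actually landed on a Windows 10 client by reading the policy registry values the ADMX templates write. The registry paths and value names are my own mapping from the Windows 10 ADMX files and should be checked against the templates in your Central Store before you rely on the report.

```powershell
# Added example: verify that the Windows 10 GPO settings listed in this post
# have been applied, by reading the HKLM policy values the ADMX templates set.
# Assumption: the path/name/value mapping below matches the Windows 10 ADMX
# templates in your Central Store; confirm it before trusting the result.
$Expected = @(
    @{ Setting = 'Loopback processing (Replace)';           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';               Name = 'UserPolicyMode';        Value = 2 }
    @{ Setting = 'Toggle user control over Insider builds'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds';        Name = 'AllowBuildPreview';     Value = 0 }
    @{ Setting = 'Delivery Optimization Download Mode';     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'; Name = 'DODownloadMode';        Value = 0 }
    @{ Setting = 'Allow fallback to SSL 3.0 (No Sites)';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main';       Name = 'EnableSSL3Fallback';    Value = 0 }
    @{ Setting = 'Prevent the usage of OneDrive';           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive';             Name = 'DisableFileSyncNGSC';   Value = 1 }
    @{ Setting = 'Allow Cortana';                           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';       Name = 'AllowCortana';          Value = 0 }
    @{ Setting = 'Do not allow web search';                 Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';       Name = 'DisableWebSearch';      Value = 1 }
    @{ Setting = "Don't search the web in Search";          Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';       Name = 'ConnectedSearchUseWeb'; Value = 0 }
)

function Test-Win10PolicySettings {
    param([array]$Checks = $Expected)

    foreach ($Check in $Checks) {
        # Get-ItemProperty errors when the key or the value is absent;
        # with -ErrorAction Stop that becomes catchable and means "not applied".
        $Actual = $null
        try {
            $Actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name)
        } catch { }

        if ($null -eq $Actual)              { $Status = 'NOT SET' }
        elseif ($Actual -eq $Check.Value)   { $Status = 'OK' }
        else                                { $Status = 'MISMATCH' }

        # One row per setting; pipe to Format-Table, Export-CSV, etc.
        New-Object PSObject -Property @{
            Setting  = $Check.Setting
            Expected = $Check.Value
            Actual   = $Actual
            Status   = $Status
        }
    }
}

# Run after "gpupdate /force" on a client covered by the Windows 10 GPO.
Test-Win10PolicySettings | Format-Table Setting, Expected, Actual, Status -AutoSize
```

A NOT SET row usually means the GPO did not apply at all (check the WMI filter and link), while MISMATCH means something else wrote the value.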
Tomorrow, I'll post some Group Policy Preferences, covering some registry entries that turn off some undesired features.

Friday, August 28, 2015

PowerShell Script to Report All Exchange Public Folder Permissions

One project I'm currently working on is to go through all of our groups and make us a one-resource/one-group shop as far as AD is concerned. This has been a BIG job. Security-enabled distribution groups have been given rights to file shares and added to local server groups, among a ton of other miscellaneous crap.

One step in organizing what each group actually has rights to is for me to go through our Public Folder infrastructure and ferret out who has access to what. We've got over a hundred public folders. I started doing this manually and after about two folders I thought, "This has to be possible with PowerShell." Well, guess what?

As usual, make sure c:\temp is present, as that's where I write my files. Also, I wrote this to run from my local (Exchange 2010) management shell.

Further comments are within the script.

######### BEGIN SCRIPT #########

Write-Host -ForegroundColor Red "This script must be run from the Exchange Management Shell!"
$Init = Read-Host "Press Enter to Continue"

#Get all of the Public Folders
$PublicFolders = Get-PublicFolder -Recurse

#Create a new array to hold the data
$Permissions = @()

Foreach ($Folder in $PublicFolders) {
    #Full path and name of the public folder
    [string]$FolderName = ($Folder.ParentPath) + '\' + ($Folder.Name)

    #Get the permissions of the public folder
    $FolderPermissions = Get-PublicFolderClientPermission $Folder

    Foreach ($Entry in $FolderPermissions) {
        #Only keep entries backed by an AD identity (skips Default and Anonymous)
        If (($Entry.User).ActiveDirectoryIdentity) {
            #Create a new object to hold the data
            $PermissionItem = New-Object PSObject

            #Put the full path and name of the public folder into the object
            $PermissionItem | Add-Member -Type NoteProperty -Name Folder -Value $FolderName

            #Put the display name of the user or group holding the permission into the object
            $PermissionItem | Add-Member -Type NoteProperty -Name User -Value ($Entry.User).ExchangeAddressBookDisplayName

            #AccessRights is a collection, so join every permission it holds into one string
            #instead of keeping only the last one
            $Rights = (($Entry.AccessRights | Foreach-Object { $_.Permission.ToString() }) -join ', ')

            #Add the user's rights to the object
            $PermissionItem | Add-Member -Type NoteProperty -Name Rights -Value $Rights

            #Add the object into the array
            $Permissions += $PermissionItem
        } #End If
    } #End Foreach $Entry
} #End Foreach $Folder

#Export unique user values to a text document
$Permissions | Select-Object User -Unique | Sort-Object User | Out-File "C:\temp\UniquePublicFolderPermissions.txt"

#Export the permissions for all folders to CSV
$Permissions | Export-CSV "C:\temp\AllPublicFolderPermissions.csv" -NoTypeInformation

######### END SCRIPT #########

Wednesday, August 26, 2015

Windows 10 - Crappy Update Release KB Articles

IT Pros are having a lot of problems with the lack of explanation in Windows 10 updates. Microsoft's position on these seems to be "Trust us, you should install this update."

I can't say it any better than this UserVoice feature request did.

Do MS sysadmins a favor and vote this feature request up!

Tuesday, August 25, 2015

WDS Server not Responding to PXE Requests?

A curious issue befell me yesterday. I was trying to image a PC using our tried and true WDS server. I think WDS is WAY too complicated, and for some reason my eyes start to gloss over when I'm trying to read the documentation. This Windows service really needs an easy button. I realize the complexity lends to WDS's vast customization, but I've got a fairly simple environment; it shouldn't be this complicated.

Anyway, so I press F12 to PXE boot the computer, and it times out. I restart my DHCP service, which is on a different server, double-check that the DHCP options are what they should be, and try again, multiple times. Rebooting the WDS server accomplished zilch. I try a network drop in a different office; nothing. I try a new laptop and it works! Well, so it's not DHCP, and it's not the WDS server. It's not the network. What the crap?

Multiple blog posts and Technet articles regurgitate the same advice, that the DHCP settings are wrong. Nope. THEN I finally found the needle in the haystack, this Technet post.

The first solution outlined was a bit scary: run WDSUTIL /delete-AutoAddDevices /devicetype:approveddevices

In the past, I removed computers listed in the "Active Directory Prestaged Devices" only to find that they had also been removed from Active Directory. Again, I'll admit that I don't really know what I'm doing with this thing. I claim ignorance! So, removing devices with WDSUTIL is scary to me.

The second option, though, turned out to be the magical one that made everything work again!

1. On the WDS server, open Windows Deployment Services and stop the service.
2. Copy all files in \RemoteInstall\Mgmt to a temp folder.
3. Start the WDS service (those files will be recreated).
4. Try your PXE boot.
5. When it works, delete the files you copied to the temp folder.
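The five steps above as a PowerShell script, added here as an example and not part of the original post. It assumes the WDS service is named WDSServer and that RemoteInstall lives at D:\RemoteInstall (adjust the parameter), and it reads step 2 as moving the files out of Mgmt, since step 3 says they are recreated on restart.

```powershell
# Added example: reset the WDS Mgmt folder per the steps in this post.
# Assumptions: service name WDSServer; RemoteInstall at D:\RemoteInstall.
# Run from an elevated PowerShell prompt on the WDS server.
param(
    [string]$RemoteInstall = 'D:\RemoteInstall',
    [string]$Backup        = "C:\temp\WDS-Mgmt-Backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

$Mgmt = Join-Path $RemoteInstall 'Mgmt'
if (-not (Test-Path $Mgmt)) { throw "Mgmt folder not found at $Mgmt" }

# Step 1: stop the WDS server service (-Force also stops anything depending on it)
Stop-Service -Name WDSServer -Force

# Step 2: move the Mgmt files to a dated backup folder rather than deleting them,
# so the previous state can be put back if PXE still fails afterwards
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
Get-ChildItem -Path $Mgmt | Where-Object { -not $_.PSIsContainer } | Move-Item -Destination $Backup

# Step 3: start the service; WDS recreates the Mgmt files on startup
Start-Service -Name WDSServer
Start-Sleep -Seconds 10
Write-Host ("WDSServer status: " + (Get-Service -Name WDSServer).Status)
Write-Host "Files recreated in ${Mgmt}:"
Get-ChildItem -Path $Mgmt | Select-Object -ExpandProperty Name

# Steps 4 and 5 are manual: PXE boot a client, and once it works remove the backup with
#   Remove-Item -Path $Backup -Recurse -Force
Write-Host "Old Mgmt files are in $Backup; delete them after a successful PXE boot."
```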