Block Access to My Computer Properties Menu in Windows 7 and Vista

Posted on October 30th, 2009 in GPO, Microsoft, Vista, Windows 7 by Gil Kreslavsky

The System Properties window shows various information about the Windows system.
You may wish to block it to prevent users from accessing it and making changes.

You can easily disable access to the My Computer context menu through an AD Group Policy.
Note that this only hides the Properties entry from the right-click menu; it does not block the window itself, which can still be opened with the Windows key + Pause/Break key.

To disable it, open the Group Policy Management Editor.
Navigate to User Configuration > Policies > Administrative Templates > Desktop.
Double-click “Remove Properties from the Computer icon context menu” and set it to “Enabled”.

Remove Properties from the Computer icon context menu


Prevent users from disjoining from domain using GPO

Posted on October 29th, 2009 in Active Directory, GPO, Microsoft, Vista, Windows 7, Windows XP by Gil Kreslavsky


There is no 100% foolproof solution that prevents local admin users from reaching the option to disjoin their computer from the domain, but you can make it harder to get to the System menu.

I remove “Properties” from the right-click menu of My Computer.
Then I also remove the System applet from the Control Panel and disable registry editing.

To disable the right-click Properties entry on My Computer, open Group Policy.
Navigate to User Configuration > Administrative Templates > Desktop.
Locate “Remove Properties from the My Computer context menu” and set it to “Enabled”.

See also: How to disable right-click Properties on My Computer on Windows 7/Vista.

Remove Properties from the My Computer

Then navigate to User Configuration > Administrative Templates > Control Panel.
Locate “Hide specified Control Panel applets”, set it to “Enabled” and add Sysdm.cpl to the list of disallowed Control Panel applets.

list of disallowed Control Panel applets

To block Sysdm.cpl from executing:

Navigate to User Configuration > Administrative Templates > System.

Locate “Don’t run specified Windows application”, set it to “Enabled” and add Sysdm.cpl to the list of disallowed applications.

Don’t run specified Windows application
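As an added example (not part of the original post), a PowerShell check you can run in a user's session to confirm that all three policies described above actually applied. It assumes the standard Explorer policy key under HKCU that these administrative templates write to; Sysdm.cpl is the applet named in the post.

```powershell
# Added example: verify that the three policies from this post are in effect
# for the current user by reading the values the Explorer administrative
# templates write under HKCU (assumption: standard Explorer policy key path).
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Returns a named value from a registry key, or $null if key or value is absent.
function Get-PolicyValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Returns the entries of a DisallowCpl / DisallowRun subkey, which are stored
# as string values named "1", "2", "3", ...
function Get-DisallowList([string]$SubKey) {
    $path = Join-Path $explorer $SubKey
    if (-not (Test-Path $path)) { return @() }
    return @((Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value })
}

$checks = [ordered]@{
    # "Remove Properties from the My Computer context menu"
    'NoPropertiesMyComputer' = ((Get-PolicyValue $explorer 'NoPropertiesMyComputer') -eq 1)
    # "Hide specified Control Panel applets" with Sysdm.cpl on the list
    'DisallowCpl: Sysdm.cpl' = ((Get-PolicyValue $explorer 'DisallowCpl') -eq 1) -and
                               ((Get-DisallowList 'DisallowCpl') -contains 'Sysdm.cpl')
    # "Don't run specified Windows applications" with Sysdm.cpl on the list
    'DisallowRun: Sysdm.cpl' = ((Get-PolicyValue $explorer 'DisallowRun') -eq 1) -and
                               ((Get-DisallowList 'DisallowRun') -contains 'Sysdm.cpl')
}

foreach ($name in $checks.Keys) {
    '{0,-24} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'MISSING' })
}
if ($checks.Values -contains $false) {
    Write-Warning 'At least one policy is not in effect; run "gpupdate /force" and re-check.'
}
```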

c1038a21 PR_PF_PROXY exchange 2003 public folders error

Posted on July 22nd, 2009 in Active Directory, Exchange 2003, Server 2003 by Gil Kreslavsky

Error c1038a21 appears when you try to view the properties of a public folder system folder, such as Schedule+ Free Busy or the Offline Address Book folder.


Microsoft has an article on how to fix it, but their guide recommends using the Information Store Viewer (MDBVu32).

I prefer to use PFDAVAdmin, which can be downloaded from here; it is much easier.

  1. Run PFDAVAdmin.
  2. Click File > Connect.
  3. Fill in your DC settings (don’t forget to select Public Folders).
  4. Navigate to the problematic folder, for example Schedule+ Free Busy.
  5. Right-click it and choose “Property Editor”.
  6. Select PR_PF_PROXY from the property dropdown, mark Clear and press Execute.

That’s it, that should fix the problem.

New User Mailbox is Created in Wrong Mailbox Store or Storage Group

Posted on April 28th, 2009 in Active Directory, Exchange 2003, Microsoft by Gil Kreslavsky

This issue occurs when you try to create a mailbox for a new user using ADUC in Exchange 2003.
According to Microsoft, the cause is: after the forest is upgraded to the Windows Server 2003 native-mode functional level, the Recipient Update Service may overwrite the value of the homeMDB attribute for new Microsoft Exchange Server 2003 users.

To fix the issue:

  1. Open ADSI Edit.
  2. Double-click the Configuration container.
  3. Expand CN=Services.
  4. Expand CN=Microsoft Exchange.
  5. Expand CN=<Your ExchangeOrganizationName>.
  6. Click CN=System Policies.
  7. In the right pane, right-click CN=Mailbox Enable User, and then click Properties.
  8. Scroll down to select the purportedSearch attribute, and then click Edit.
  9. Clear the attribute, and then use the following filter to configure the attribute:
    (&(objectCategory=person)(objectClass=user)(mailnickname=*)(homeMdb=*))
  10. Click OK.

This solution was created with the help of the following article: http://technet.microsoft.com/en-us/library/aa998426.aspx

Note: you must enter the attribute exactly as shown, without any spaces.
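As an added example (not part of the original post), a PowerShell check that reads the purportedSearch filter of the “Mailbox Enable User” system policy and compares it with the filter above, also catching the no-spaces pitfall from the note. It assumes you can read the configuration partition and that <ExchangeOrganizationName> is replaced with your Exchange organization name.

```powershell
# Added example: compare the purportedSearch attribute of the "Mailbox Enable
# User" policy with the filter from this post. Assumptions: run as a user that
# can read the configuration partition; <ExchangeOrganizationName> is a placeholder.
$expected = '(&(objectCategory=person)(objectClass=user)(mailnickname=*)(homeMdb=*))'
$orgName  = '<ExchangeOrganizationName>'   # placeholder: your Exchange organization name

# Build the DN of the policy object from the container path in the steps above.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$policyDN = "CN=Mailbox Enable User,CN=System Policies,CN=$orgName," +
            "CN=Microsoft Exchange,CN=Services,$configNC"

function Test-PurportedSearch([string]$DN, [string]$Expected) {
    $policy  = [ADSI]"LDAP://$DN"
    $current = [string]$policy.purportedSearch
    if ($current -eq $Expected) {
        return 'OK: purportedSearch matches the expected filter.'
    }
    if (($current -replace '\s', '') -eq $Expected) {
        # Same filter but with whitespace: the note above says this must not happen.
        return "FIX: purportedSearch contains whitespace: '$current'"
    }
    return "FIX: purportedSearch differs. current='$current' expected='$Expected'"
}

Test-PurportedSearch $policyDN $expected

# To apply the fix from the post, uncomment the three lines below (equivalent
# to the ADSI Edit steps: clear the attribute and set the exact filter).
# $policy = [ADSI]"LDAP://$policyDN"
# $policy.Put('purportedSearch', $expected)
# $policy.SetInfo()
```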

Useful AD PowerShell Commands

Posted on April 8th, 2009 in Active Directory, Microsoft, Scripts, Server 2008 by Gil Kreslavsky

Finding Disabled Users:

get-QADUser -Disabled

Create a new Active Directory user:

new-QADUser -name '<User CN>' -parentContainer '<Parent DN>' -UserPassword
'<Password>' -FirstName '<User First Name>' -LastName '<User Last Name>'
-UserPrincipalName '<User UPN>'

Create multiple users in Active Directory:

$parentDN = "<ParentDN>"
$strPass  = "userPaswd"
For ($i = 1; $i -le 1000; $i++) {
    $strUserName = "User" + $i
    New-QADUser -name $strUserName -parentContainer $parentDN -UserPassword $strPass
}

Modify Attributes for several users:

$strFileServer = "\\Servername\"
$objOU = [ADSI] "LDAP://<OU DN>"
$objOU.psbase.Children |% {
    # userAccountControl bit 2 = ACCOUNTDISABLE; disabled accounts are skipped
    $uac = [int](($_.userAccountControl).ToString())
    if (($_.objectClass -eq "user") -and (($uac -band 2) -eq 0))
    {
        # home directory = file server share + sAMAccountName
        $_.put("homeDirectory", $strFileServer + $_.sAMAccountName)
        $_.SetInfo()
    }
}

Delete user in Active Directory

remove-QADObject -identity <User DN>

Set user profile in Active Directory

get-QADUser -identity "<User DN>" |
set-QADUser -HomeDirectory '\\Servername\Katrin' -HomeDrive
'H:' -ProfilePath '\\server1\profiles\jsmith'
-scriptpath '\\dcname\netlogon\logonscript.vbs'

Move User to other OU

move-QADObject -Identity <UserDN> -NewParentContainerName <New OU DN>

Find Locked User Accounts

Get-QADuser -locked

Unlock User Account

Unlock-QADUser -Identity <UserDN>

Retrieve Password lockout policy

Get-QADObject domainname.com | format-list Name, *password*, *lockout*
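As an added example (not part of the original post), native equivalents of “get-QADUser -Disabled” and “Get-QADUser -Locked” for hosts without the Quest snap-in, built on DirectorySearcher only. It assumes it is run as a domain user on a domain-joined machine.

```powershell
# Added example: find disabled and locked user accounts without the Quest
# cmdlets. Assumption: run as a domain user on a domain-joined machine.
$domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

function Find-Objects([string]$Filter, [string[]]$Attributes) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500                  # page results in large domains
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    return @($searcher.FindAll())
}

# 1. Disabled users: ACCOUNTDISABLE bit (2) of userAccountControl is set.
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$disabled = Find-Objects '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' @('sAMAccountName')
"Disabled users: $($disabled.Count)"
$disabled | ForEach-Object { '  ' + $_.Properties['samaccountname'][0] }

# 2. Locked users: lockoutTime is set and the lockout has not expired yet.
#    lockoutDuration is a negative Int64 of 100-ns ticks; Int64.MinValue means
#    the account stays locked until an administrator unlocks it.
$domainObj     = Find-Objects '(objectClass=domainDNS)' @('lockoutDuration')
$durationTicks = [int64]$domainObj[0].Properties['lockoutduration'][0]
$nowFileTime   = (Get-Date).ToFileTimeUtc()

$candidates = Find-Objects '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))' @('sAMAccountName', 'lockoutTime')
$locked = @(foreach ($r in $candidates) {
    $lockedAt = [int64]$r.Properties['lockouttime'][0]
    # Still locked if the lockout never expires, or less than lockoutDuration has passed.
    if (($durationTicks -eq [int64]::MinValue) -or (($nowFileTime - $lockedAt) -lt (-$durationTicks))) {
        $r.Properties['samaccountname'][0]
    }
})
"Locked users: $($locked.Count)"
$locked | ForEach-Object { "  $_" }
```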

Move Domain Controller to other site – PowerShell

Posted on April 6th, 2009 in Active Directory, Microsoft, Scripts, Server 2008 by Gil Kreslavsky

$dcname  = "<DomainDNSName>"
$newSite = "NewSite Name"
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $dcname)
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($context)
$dc.MoveToAnotherSite($newSite)


Where <DomainDNSName>: enter your DNS domain name; “NewSite Name” is the name of the site the domain controller should be moved to.

Moving a Group to Another Domain – Using ADMT

Posted on April 1st, 2009 in Active Directory, Microsoft, Server 2003, Server 2008 by Gil Kreslavsky

To move a Windows group to another domain, download the ADMT tool.

  1. Install the Active Directory Migration Tool.
  2. Open the ADMT MMC snap-in; it is located in Administrative Tools.
  3. Choose the source and destination domains and click Next.
  4. On the Group Selection screen, choose the group that you want to migrate and click Next.
  5. On the next screen, select Browse and locate the desired OU.
  6. On the Group Options screen, select one or more of the following and click Next:
     • Update user rights: copies any user rights that are assigned in the source domain to the target domain.
     • Copy group members: specifies whether the user objects that belong to the group should be migrated along with the group.
     • Adds the security identifiers (SIDs) of the migrated group accounts in the source domain to the SID history of the new group in the target domain.
  7. On the Naming Conflicts screen, select whether you want to migrate group objects that conflict with objects in the target domain and click Next.
  8. Follow the remainder of the wizard to complete the migration.

Folder Redirection to NTFS share Permissions

Posted on March 30th, 2009 in Active Directory, Microsoft, Security, Server 2003, Server 2008 by Gil Kreslavsky

If you want to redirect domain user folders to an NTFS or storage share, set the permissions as in the list below:

Creator Owner => Full Control on “Subfolders and Files Only”

Security group of users needing to put data on the share => List Folder/Read Data, Create Folders/Append Data on “This Folder Only”

System => Full Control on “This Folder, Subfolders and Files”

In addition, you can give the Domain Admins security group permissions on the user folders:

  • Open Group Policy Management
  • Navigate to Computer Configuration > Administrative Templates > System > User Profiles
  • Set “Add the Administrator security group to the roaming user profile share” to Enabled
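As an added example (not part of the original post), a PowerShell script that applies exactly the three ACEs listed above to the root of a redirection share using the .NET file-system ACL classes. The share path and the users' group name are placeholders; it assumes it is run elevated on the file server.

```powershell
# Added example: apply the three ACEs from this post to a folder-redirection
# share root. Assumptions: $shareRoot and $userGroup are placeholders; run
# elevated on the file server that hosts the share.
$shareRoot = 'D:\Redirected'             # placeholder share root on the file server
$userGroup = 'DOMAIN\Redirected Users'   # placeholder security group of the users

if (-not (Test-Path $shareRoot)) { New-Item -ItemType Directory -Path $shareRoot | Out-Null }
$acl = Get-Acl -Path $shareRoot

# Break inheritance without copying parent ACEs, then drop any explicit ACEs
# already present, so only the three rules below remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$IF = [System.Security.AccessControl.InheritanceFlags]
$PF = [System.Security.AccessControl.PropagationFlags]
$thisFolderOnly = $IF::None                                      # "This Folder Only"
$subtree        = $IF::ContainerInherit -bor $IF::ObjectInherit  # folder and children
$inheritOnly    = $PF::InheritOnly                               # children, not the folder itself
$noPropagation  = $PF::None

function New-Ace([string]$Identity, [string]$Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# CREATOR OWNER: Full Control on "Subfolders and Files Only", so each user fully
# owns only the folder created for them, never the share root.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' $subtree $inheritOnly))
# Users' group: List Folder/Read Data + Create Folders/Append Data on
# "This Folder Only": enough to create their own folder and nothing more.
$acl.AddAccessRule((New-Ace $userGroup 'ReadData, CreateDirectories' $thisFolderOnly $noPropagation))
# SYSTEM: Full Control on "This Folder, Subfolders and Files".
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' $subtree $noPropagation))

Set-Acl -Path $shareRoot -AclObject $acl
(Get-Acl -Path $shareRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```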

Prevent users from deleting start menu items via GPO

Posted on March 29th, 2009 in Active Directory, GPO, Vista, Windows 7, Windows XP by Gil Kreslavsky

  • Open the Group Policy Editor.
  • Link the policy to the relevant OU.
  • Navigate to User Configuration > Administrative Templates > Start Menu and Taskbar.
  • Edit “Prevent Changes to Taskbar and Start Menu Settings”.
  • Set it to Enabled.
    Prevent Changes to taskbar
  • Press OK.

Note: to enforce the group policy, go to Start > Run, type gpupdate /force and press Enter.

Create Group Using PowerShell ADUC, dsadd or admod

Posted on March 23rd, 2009 in Active Directory, Microsoft, Scripts, Server 2003, Server 2008 by Gil Kreslavsky

Creating a Group Using a Graphical User Interface

  1. Open Active Directory Users and Computers.
  2. In the left pane, browse to the parent container of the new group, right-click it, and select New Group.
  3. Enter the name of the group and select the group scope (global, domain local, or universal) and group type (security or distribution).
  4. Click OK.

Using dsadd in command-line interface

dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"

Where <GroupDN>: replace with the DN of the group.

Where <GroupScope>: use one of the following:

  • l – for domain local
  • g – for global
  • u – for universal

Where -secgrp:

  • yes if the group is a security group
  • no for any other

Where -desc: fill in the group description.

Using admod in command-line interface

> admod -b "<GroupDN>" objectClass::group groupType::"<GroupType>" sAMAccountName::"<Pre-Windows2000Name>" -add

Example: we will create a global security group called “Accounting” in the Accounting OU in testdomain.com

> dsadd group "cn=Accounting,ou=Accounting,dc=testdomain,dc=com" -scope g -secgrp yes
> admod -b "cn=Accounting,ou=Accounting,dc=testdomain,dc=com" objectClass::group groupType::-2147483646 sAMAccountName::"Finance Users" -add

When using AdMod, you need to specify the numeric value for the group type. These values are predefined in Active Directory:

Universal Distribution Group Value – “8”

Universal Security Group Value – “-2147483640”

Domain Local Distribution Group Value – “4”

Domain Local Security Group Value – “-2147483644”

Global Distribution Group Value – “2”

Global Security Group Value – “-2147483646”

Create Group Using VBScript

The example below shows how to create a global security group.

' ------  CONFIGURATION ------
strGroupParentDN = "<GroupParentDN>" ' e.g. ou=Groups,dc=testdomain,dc=com
strGroupName     = "<GroupName>"     ' e.g. Accounting
strGroupDescr    = "<GroupDesc>"     ' e.g. Accounting group
' ------ END CONFIGURATION ---------
' Constants taken from ADS_GROUP_TYPE_ENUM
Const ADS_GROUP_TYPE_GLOBAL_GROUP       = 2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4
Const ADS_GROUP_TYPE_SECURITY_ENABLED   = -2147483648
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8
set objOU = GetObject("LDAP://" & strGroupParentDN)
set objGroup = objOU.Create("group","cn=" & strGroupName)
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP _
                         Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.Put "sAMAccountName", strGroupName
objGroup.Put "description", strGroupDescr
objGroup.SetInfo

Create Group Using PowerShell

To create a group using the Quest cmdlets, use the following syntax:

new-QADGroup -ParentContainer '<Parent OU DN>' -name '<GroupName>' -samaccountname '<GroupName>' -grouptype 'Distribution' -groupscope 'Universal'

Where <Parent OU DN>: fill in the OU DN
Where <GroupName>: fill in the group name
After -grouptype: set the group type (Distribution or Security)
After -groupscope: set the group scope (Universal, Domain Local)
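As an added example (not part of the original post), a PowerShell script that computes the numeric groupType values from the table above from scope and type, decodes stored values back, and lists every group in the domain with its scope and type decoded, which is useful when auditing for unexpected security-enabled groups. It assumes it is run as a domain user on a domain-joined host.

```powershell
# Added example: encode/decode AD groupType values and list all groups with
# their decoded scope and type. Assumption: run on a domain-joined host.
$SCOPE_FLAGS      = @{ Global = 2; DomainLocal = 4; Universal = 8 }   # ADS_GROUP_TYPE_*_GROUP
$SECURITY_ENABLED = [int64]0x80000000                                  # ADS_GROUP_TYPE_SECURITY_ENABLED

# Combine a scope with the security bit and fold the result to the signed
# 32-bit value AD stores (this is how 8 | 0x80000000 becomes -2147483640).
function Get-GroupTypeValue([string]$Scope, [bool]$Security) {
    $v = [int64]$SCOPE_FLAGS[$Scope]
    if ($Security) { $v = $v -bor $SECURITY_ENABLED }
    return [System.BitConverter]::ToInt32([System.BitConverter]::GetBytes([uint32]$v), 0)
}

# Reverse: split a stored groupType into its scope and security/distribution type.
function ConvertFrom-GroupType([int32]$Value) {
    $u = [System.BitConverter]::ToUInt32([System.BitConverter]::GetBytes($Value), 0)
    $scope = foreach ($e in $SCOPE_FLAGS.GetEnumerator()) { if (($u -band $e.Value) -ne 0) { $e.Key } }
    [pscustomobject]@{
        Scope = if ($scope) { [string]$scope } else { 'Unknown' }
        Type  = if (($u -band $SECURITY_ENABLED) -ne 0) { 'Security' } else { 'Distribution' }
    }
}

# Round-trip check against the table in the post.
foreach ($scope in $SCOPE_FLAGS.Keys) {
    foreach ($sec in $true, $false) {
        $v = Get-GroupTypeValue $scope $sec
        $d = ConvertFrom-GroupType $v
        '{0,-12} {1,-12} {2,12}' -f $d.Scope, $d.Type, $v
    }
}

# Enumerate every group in the domain with its decoded scope and type.
$searcher = [adsisearcher]'(objectCategory=group)'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'groupType'))
$searcher.FindAll() | ForEach-Object {
    $d = ConvertFrom-GroupType ([int32]$_.Properties['grouptype'][0])
    [pscustomobject]@{ Name = $_.Properties['samaccountname'][0]; Scope = $d.Scope; Type = $d.Type }
} | Sort-Object Type, Scope, Name | Format-Table -AutoSize
```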
