Showing posts with label GPO. Show all posts
Showing posts with label GPO. Show all posts

Tuesday, July 28, 2015

Set-ExecutionPolicy: Can not set execution policy

Hello their maledetos nerds !!! ehehehehe
When trying to run a certain PS script remotely on an Exchange server, I came across the following error message:
. \ UpdateIndexAllMailboxDatabases.ps1: File C: \ Temp \ SCRIPTS \ EXCHANGE \UpdateIndexAllMailboxDatabases.ps1 can not be loaded. The file C: \ Temp \ SCRIPTS \ EXCHANGE \UpdateIndexAllMailboxDatabases.ps1 is not digitally signed. The script will not execute on the system. Please see "get-help about_signing" for more details ..
At line: 1 char: 37
... After a Get-ExecutionPolicy had the RemoteSigned return .There think twice !!! Set-ExecutionPolicy Unrestricted and was returned the following message:
Execution Policy Change
The execution policy helps protect you from scripts That You do not trust. Changing the execution policy might expose you to the security risks described in the help topic at about_Execution_Policies
http://go.microsoft.com/fwlink/?LinkID=135170 . Do you want to change the execution policy?
[Y] Yes [N] No [S] Suspend Help (default is "Y") [?] Y
Set-ExecutionPolicy: Windows PowerShell execution policy successfully updated your, but the setting is overridden by
the policy defined at a more specific scope. Due to the override, your shell will retain its current effective
execution of policy RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings.For more
information please see "Get-Help Set-ExecutionPolicy".
At line: 1 char: 1
+ Set-ExecutionPolicy Unrestricted
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: PermissionDenied: (:) [Set-ExecutionPolicy] SecurityException
+ FullyQualifiedErrorId: ExecutionPolicyOverride, Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
As recommended in the message, I ran the cmdlet to list the policy of execution policy by scope
Get-ExecutionPolicy -List
Scope ExecutionPolicy
- -----
MachinePolicy RemoteSigned
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
... Immediately I performed the following Set-ExecutionPolicy -Scope MachinePolicy -executionpolicy Bypass command for the policy to be released ... ops:
Set-ExecutionPolicy: Can not set execution policy. Execution policies at the MachinePolicy or UserPolicy scopes must beset through Group Policy.
To correct this error, we are forced to make this modification directly in season record:
HKLM: \ Software \ Policies \ Microsoft \ Windows \ PowerShell and change the value ExecutionPolicy   toBypass.
By rerunning the command to list the scope for policy, we realize that now really the setting was uncommitted !!
Get-ExecutionPolicy -List
Scope ExecutionPolicy
- -----
MachinePolicy Bypass
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
Then I could run my script and they all lived happily ever after!
Posted by às No comments:
TAGS: , , , , ,

Verifying GPO Replication

How will my dear readers !!
I am in a constant search for a script that brings me the replication time of Sysvol ... remembering that the environment in question is "Windows Server 2003" as functional mode domain; that is, we only have the ability to replicate the Sysvol with FRS ... who can help ... .eheheheheh
... During this journey, I came across a very cool function called Get-ADGPOReplication filtering results of the cmdlet Get-GPO so we can compare the versions of each GPO Sysvol on all domain DCs !! So we can verify that replication as well as the policy objects are consistent throughout the domain ... I know at this time hit that will thrill cry !!
Below function code:
function Get-ADGPOReplication
{
<#
.SYNOPSIS
This function retrieve one or all the GPO and Their report DSVersions and SysVolVersions (Users and Computers)
.DESCRIPTION
This function retrieve one or all the GPO and Their report DSVersions and SysVolVersions (Users and Computers)
.PARAMETER GPOName
Specify the name of the GPO
All .PARAMETER
Specify That You want to retrieve all the GPO (slow if you have a lot of Domain Controllers)
.EXAMPLE
Get-ADGPOReplication -GPOName "Default Domain Policy"
.EXAMPLE
Get-ADGPOReplication -All
.NOTES
Francois-Xavier Cat
lazywinadm
lazywinadmin.com
VERSION HISTORY
1.0 22/09/2014 Initial version
Adding some more Error Handling
Fix some typo
#>
#requires -version 3
[CmdletBinding ()]
PARAM (
[Parameter (Mandatory = $ True, ParameterSetName = "One")]
[String []] $ GPOName,
[Parameter (Mandatory = $ True, ParameterSetName = "All")]
[Switch] $ All
)
BEGIN
{
TRY
{
if (-not (Get-Module ActiveDirectory -Name)) {Import-Module ActiveDirectory -Name -ErrorAction Stop -ErrorVariable ErrorBeginIpmoAD}
if (-not (Get-Module -Name GroupPolicy)) {Import-Module -Name GroupPolicy -ErrorAction Stop -ErrorVariable ErrorBeginIpmoGP}
}
CATCH
{
Write-Warning -Message "[BEGIN] Something wrong happened"
IF ($ ErrorBeginIpmoAD) {Write-Warning -Message "[BEGIN] Error while Importing the module Active Directory"}
IF ($ ErrorBeginIpmoGP) {Write-Warning -Message "[BEGIN] Error while Importing the module Group Policy"}
Write-Warning -Message "[BEGIN] $ ($ Error [0] .exception.message)"
}
}
PROCESS
{
FOREACH ($ DomainController in ((Get-ADDomainController -ErrorAction Stop -ErrorVariable ErrorProcessGetDC -filter *). Hostname))
{
TRY
{
IF ($ psBoundParameters ['GPOName'])
{
Foreach ($ GPOItem in $ GPOName)
{
$ GPO = Get-GPO -Name $ GPOItem -Server $ DomainController -ErrorAction Stop -ErrorVariable ErrorProcessGetGPO
[PSCustomObject] [ordered] {@
GroupPolicyName = $ GPOItem
DomainController = $ DomainController
UserVersion = $ GPO.User.DSVersion
UserSysVolVersion = $ GPO.User.SysvolVersion
ComputerVersion = $ GPO.Computer.DSVersion
ComputerSysVolVersion = $ GPO.Computer.SysvolVersion
} #PSObject
} #Foreach ($ GPOItem in $ GPOName)
} #IF ($ PsBoundParameters ['GPOName'])
IF ($ psBoundParameters ['All'])
{
$ GPOList = Get-GPO -All -Server $ DomainController -ErrorAction Stop -ErrorVariable ErrorProcessGetGPOAll
foreach ($ GPO in $ GPOList)
{
[PSCustomObject] [ordered] {@
GroupPolicyName = $ GPO.DisplayName
DomainController = $ DomainController
UserVersion = $ GPO.User.DSVersion
UserSysVolVersion = $ GPO.User.SysvolVersion
ComputerVersion = $ GPO.Computer.DSVersion
ComputerSysVolVersion = $ GPO.Computer.SysvolVersion
} #PSObject
}
} #IF ($ PsBoundParameters ['All'])
} #TRY
CATCH
{
Write-Warning -Message "[PROCESS] Something wrong happened"
IF ($ ErrorProcessGetDC) {Write-Warning -Message "[PROCESS] Error while running retrieving Domain Controllers with Get-ADDomainController"}
IF ($ ErrorProcessGetGPO) {Write-Warning -Message "[PROCESS] Error while running Get-GPO"}
IF ($ ErrorProcessGetGPOAll) {Write-Warning -Message "[PROCESS] Error while running Get-GPO -All"}
Write-Warning -Message "[PROCESS] $ ($ Error [0] .exception.message)"
}
} #FOREACH
} #PROCESS
}
  1. Create a .ps1 file containing the code above, or download it here
  2. Run the script in PS ISE as administrator
  3. Run the function !!
1
We have some syntax options, such as:
To bring the result of a single GPO:
Get-ADGPOReplication -GPOName "Default Domain Policy"
To bring the result of some policies:
Get-ADGPOReplication -GPOName "Default Domain Policy", "Default Domain Controllers Policy"
To bring its results for the All Policies:
Get-ADGPOReplication -All
We can also improve the filters with the following command:
Get-ADGPOReplication -all | Out-GridView -Title "GPO Verify $ (Get-Date)"
2
... Now we just need to be able to filter the time required for a change in Sysvol, is uncommitted in all domain DC's.
Posted by às No comments:
TAGS: , , , , , ,

Wednesday, February 1, 2012

Wallpaper does not load in Windows 7 via GPO

A known bug in Windows 7 and Windows Server 2008 R2 is for the loading of the wallpaper, when it is configured via GPO.

To solve the problem, we can take the following actions:

  • Enter the machine's registry ( http://en.kioskea.net/faq/589-how-to-open-registry )
  • Navigate to the following key:
    • HKEY_CURRENT_USER \ Control Panel \ Desktop
  • Find the REG_SZ value called Wallpaper
  • Change the value with the path where the wallpaper is shared.

image

You can download a fix that will make the change:

If necessary change on multiple workstations, we can effect such change through thePreferences via GPO. As the image below:

image

If your domain is Windows Server 2003 and either does not support the Preferences feature, you need the distribution via script to make the change key in the registry.

The following example:

Const HKEY_CURRENT_USER = & H80000001

strComputer = "."
Set oReg = GetObject ("winmgmts: {ImpersonationLevel = impersonate}! \ \" & _
strComputer & "\ root \ default: StdRegProv")
strKeyPath = "Control Panel \ Desktop"
strValueName = "Wallpaper"
strValue = "\ \ server \ share \ wallpaper.jpg"
oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

Posted by às No comments:
TAGS: , , , , ,

Libraries and removes the Control Panel icon from the desktop

Personal

This tip can be useful when we set a very restrictive policy in Windows 7 ... .. when we forced the classic theme, the system includes a shortcut on the desktop shell of theLibraries folder and Control Panel. Via GPO until you remove the shortcuts, but it is also remove any link placed on the desktop, even if it is created via logon script ...

The method I found to solve this hurdle, it was deleting the following registry keys:

Remove icon library:

Remove icon in Control Panel:

For those who need to do a VBS for this ... ... follows:

Const HKEY_LOCAL_MACHINE = & H80000002
strComputer = "."
on error resume next
Set oReg = GetObject ("winmgmts: {ImpersonationLevel = impersonate}! \ \" & _
strComputer & "\ root \ default: StdRegProv")
strKeyPath =
strKeyPath =
strKeyPath =
oReg.DeleteKey HKEY_LOCAL_MACHINE, strKeyPath

I hope it's useful!

Posted by às No comments:
TAGS: , , , ,

Monday, March 28, 2011

Script to do a merge between GPO's

Below is the url regarding PowerShell script to perform a merge of two GPO's

http://blogs.technet.com/b/ashleymcglone/archive/2011/01/19/finally-copy-and-merge-gpos-powershell-saves-the-day.aspx

Posted by às No comments:
TAGS: , , , , ,

Sunday, June 27, 2010

GPO Search

Ladies and gentlemen!

I've been googling and found a very cool application provided by our Windows Azure … it is a website where we can search GPO and registry settings!! Pretty cool, what's more we have provider for IE 7 and 8.

http://gps.cloudapp.net/

Quick video showing the Following uses of the site ...

 

Posted by às No comments:
TAGS: , , , ,

Thursday, December 3, 2009

Configuring multiple GPO ´ s locations in Windows Vista, Windows, and Windows Server 2008 R2

Ladies and gentlemen, I will show a cool feature we from Windows Vista, which is to create multiple local group policy.

In earlier versions of operating systems (Windows 2000, 2003 and XP) we have only one layer, where we have the local GPO applied to all local users and groups from the machine. With Windows Vista and beyond, we have three layers to work with the local GPO´ s:

  1. The first layer, we have a default local GPO, where configure both user configuration options as this computer is applied to all including local administrators.
  2. In the second layer, ´ s we GPO that will be applied to users in the Administrators group and GPO ´ s that will be applied to common users. None of these objects local group policy contains settings for your computer.
  3. The third layer contains GPO ´ (s) that will be applied to a specific user and those Group Policy objects, we can only user settings.

In case of conflict between the GPO ´ s, the last GPO applied is that prevaleçe and the order in which they are applied is ..... Default (1st local GPO) layer, GPO for administrators and non-administrators (2nd layer) and finally the GPO to specific user (3rd layer)

In the case of a computer in a domain, the GPO ´ s site, domain, and OU GPO will prevail over the ´ s locations. You can also turn off the processing of local GPO ´ s, configuring the option "turn off Local Group Policy objects processing" in "computer Configuration Administrative Templates \System \ policy" in the domain GPO.

To demonstrate how to create and apply these GPO ´ s, I use a computer with Windows 7 installed. The first step is to create a common user as shown in image …

image

… then we will work with a UserAdmin (local administrator) and UserComum (user). The next step is to create a custom MMC, we need to add a Group Policy object editor "for each GPO created. To do this, click Start , in Search type MMC.exe, and click OK .

In the Console1 window, ', click file, and then click Add or remove snap-in. In the list of available snap-ins, click "Policy object editor" group, and then click Add . Choose the object to the local computer. Click Concluir.

image

Again, click file, and then click Add or remove snap-in. In the list of available snap-ins, click "Policy object editor" group, click then add and click Browse . Click the tab, users click não-administradores group … click OK and Finish button.

image

Again, click file, and then click Add or remove snap-in. In the list of available snap-ins, click "Policy object editor" group, click then add and click Browse . Click the tab, users click the Administrators group of … click OK and Finish button.

image

Do the same procedure by selecting the object UserAdmin …

image

Click file, click Save and save the MMC with a name of your own …

image

Now we must set up group policies according to our needs. For example, I will configure common users that will disappear the option menu, all programs "Iniciar… menu

image

Logging in with a typical user, you can see that the policy was applied to the user.

image

As an example, administrators set up for a GPO that does not appear Documentos… option

image

Logging in with a user a member of the Administrators group , the GPO is applied … Note that the option "all programs" appears to the user, because it was not a customized GPO …

image

… I customize user GPO to the, UserAdmin in this policy I will disable LOGOFF option and purposely create a conflict, contrary to the GPO applied to group Administradores.

image

Logging with the user, we can see that the Logoff option is disabled and that documents appear to the user, proving the GPO precedence (3rd layer)

image

If you want to remove the policies, do the same process of adding a new object … click Start , Search type MMC.exe, and click OK then click. file, and then click Add or remove snap-in. In the list of available snap-ins, click "Policy object editor" group, click then add and click Browse . Click the tab users, select the user or group you want to delete the policy, click with the right button and choose the option to remove the GPO, as pictured below …

image

I hope that is useful!

Posted by às No comments:
TAGS: , ,

Configuring BitLocker to go through Group Policy

This article show how to configure BitLocker to go in a domain environment through group policies.
… "BitLocker to go" is a resource that is used to encrypt removable disks (external disks, etc…) pendrive. our pre-requirements for configuring a server running Windows Server R2 DC and clients running Windows 7.
The first step is to create a GPO setting. to this end, we will run the tool "Group Policy Management Console" in "administrative tools." for more information about GPMC: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
image
In the container "group policy depended" right click on it, and click New …
image
A name for the policy object, and then click OK. as the figure below:
image
…. Editing a GPO, navigate to the \Program Computer Configuration Administrative Templates \Windows Components \ BitLocker Encryption \ Removable date Driver Drives … below, watch the video where I describe each configuration related to BitLocker to go:

<a href="http://video.msn.com/?mkt=pt-BR&amp;playlist=videoByUuids:uuids:90efecf8-da1b-4772-90a3-46a09b26c1b8&amp;showPlaylist=true" target="_new" title="BitLocker to go GPO">Vídeo: BitLocker to go GPO</a>
Posted by às No comments:
TAGS: , , , ,

MSI authoring with ZERO cost!!rss

Ladies and gentlemen!The next link ´ s two tools to generate MSI packages from other executaveis as exe, etc. ..

Are basic tools that make the packets based on snapshots before and after installation of the software.

Wininstall LE-... that guy comes included with Windows 2000 Server CD)

http://www. softpile. com/utilities/html Miscellaneous/Review_16745_index.

AppDeploy:

http://www. appdeploy. com/tools/asp repackager/download.

... you is recommended that you run the tools ´ s in a clean installation of the operating system.

  1. Run the tool to be the first snapshot.
  2. Install the application in accordance with their necessiades ...
  3. Please boot machine for the comite of pending application installed information ...
  4. Run the tool again to SNAPSHOT is generated the 2nd ...
  5. A differential between the two SNAPSHOT ´ s and a result, the package will be generated.

I hope that is helpful.

Posted by às No comments:
TAGS: ,
Subscribe to: Posts (Atom)