Slide 1 Slide 2 Slide 3 Slide 4 Slide 5
Posted by vikas vohra | 0 comments

Create and Use Starter GPOs

Create and Use Starter GPOs 
When you create a new GPO in the GPMC, you are given the opportunity to base the new GPO on a starter GPO. Because the settings of the starter GPO are then imported into the new GPO, this allows you to use a starter GPO to define the base configuration settings for a new GPO. In a large organization, you want to create different categories of starter GPOs based on the users and computers they will be used with, or based on the required security configuration.

You can create a starter GPO by following these steps:
1. In the GPMC, expand the entry for the forest you want to work with, and then double-click the related Domains node to expand it.
2. Right-click Starter GPOs and then select New. In the New Starter GPO dialog box, type a descriptive name for the new GPO, such as General Management User GPO. If desired, enter comments describing the GPO’s purpose. Then click OK.
3. Right-click the new GPO and then choose Edit. In the policy editor, configure the necessary policy settings and then close the policy editor.
Posted by vikas vohra | 0 comments

Group Policy Object Modeling in Windows Server 2008

If you have ever done much work with group policies, then you have undoubtedly found out that managing group policies are an organization wide basis can be a complicated endeavor. That's primarily due to the hierarchical nature of group policies. Group policy settings can be applied at the OU, site, domain, and local computer levels. All of these various group policy objects combine to form the effective policy.

As if combining settings for multiple group policy objects were not enough, contradictory settings can, and often do exist within the various group policy objects. Not only can two separate group policy objects contained directly contradictory settings, the group policy settings that apply to the computer can sometimes also contradict with group policy settings applied to a user.
Windows has all kinds of rules for automatically dealing with contradictory group policy settings. Even so, you as an administrator need to know the outcome of these conflict resolutions and what the effective policy look like once the various policy elements have been combined. In Windows Server 2003 this was known as the resultant set of policy. In Windows Server 2008, Microsoft has changed the name to group policy modeling.

Why Do Group Policy Modeling?

There are several different reasons why you might want to engage in group policy modeling. For starters, even if everything appears to be running smoothly is a good idea to periodically use group policy modeling just to make sure that group policies are being applied in the way that you think that they are. Group policy modeling is also extremely useful in situations in which you are reorganizing the Active Directory or creating new group policy objects.

Performing Group Policy Modeling

To perform group policy modeling begin by opening the Group Policy Management Console. When the console opens, right-click on the Group Policy Modeling container and choose theGroup Policy Modeling Wizard command from the shortcut menu. When you do, Windows will launch the Group Policy Modeling Wizard.
Click Next to bypass the wizard's welcome screen, and you will be taken to the Domain Controller Selection screen, shown in Figure A. As you can see in the figure, the screen asks you to choose the domain that you want to analyze, and then asks you to either choose a domain controller or specify that any domain controller can be used.
Figure A You must specify the domain that you want to analyze.
Click Next, and you will be taken to a screen that asks which user and/or computer you want to simulate the policy settings for. In both cases, you can either specify a particular container or an individual user and/or computer. That way, you can either evaluate a specific user and/or computer, or you can about your weight all of the users and/or computers within a particular container. You can see what this screen looks like in Figure B.
Figure B This is where you specify the Active Directory objects that you want to evaluate.
Click Next, and you will be taken to a page that gives you the chance to select a particular site. If you do not have any non-default sites defined, then you can just skip this page by clicking Next.
The next page that you will see allows you to enter alternate network location for a user and computer containers. The basic idea behind this screen is that it allows you to perform various what if scenarios. For example, you can see what would happen to the group policy settings if you were to move the computer in question to a different Active Directory container. Of course you do not have to specify an alternate location unless there is a particular location that you need to test.
When you click Next, you will see a screen listing all of the security groups that the currently selected user is a member of. You have the option of simulating changes to the users group membership if you want. When you're done entering any desired changes, click Next. You will now be given the chance to entering WMI filters that you want to use. Add any desired filters, and click Next.
You should now see a summary screen listing the options that you have specified. Make sure that everything looks okay, and then click Next, followed by Finish. When you do, Windows will display a screen similar to the one that is shown in Figure C. This screen allows you to see the outcome of your proposed configuration.
Figure C Your proposed changes are displayed in the Group Policy Management Console.
Posted by vikas vohra | 0 comments

Loop back processing in group policy in MCTS

Loopback processing of Group Policy, explained.

Hi guys,

Today I want to write a few words about Loopback processing of Group Policy. When you deal with this setting for the first time it may be a little bit confusing. You can find explanations of this policy setting on the internet, but in my case I will try to explain everything in simple words.

As we know group policy has two main configurations, user and computer. Accordingly, the computer policy is applied to the computer despite of the logged user and the user configuration is applied to the user despite of the computer he is logged on.
For example we have a Domain, this Domain has two different organizational units (OU) Green and RedGreen OU contains a Computer account and Red OU contains User account. The Green policy, which has settings “Computer Configuration 2” and “User Configuration 2” is applied to the OU with the computer account. The Red policy, which has settings “Computer Configuration 1” and“User Configuration 1”, is applied to the OU with the User account. If you have a look at the picture below it will become clearer.

If Loopback processing of Group Policy is not enabled and our User logs on to our Computer, the following is true:

As we can see from the picture, the User gets Computer Configuration 2 and User Configuration 1. This is absolutely standard situation, where policies are applied according to the belonging to the OU. User belongs to the Red OU, he gets the Red User configuration 1 accordingly.

Now let’s enable the Loopback processing of Group Policy for the Green OU. In this case if the User logs on to the Computer, the policies applied in the following way:

As we can see, now the User is getting User Configuration 2 despite of the fact that he belongs to the Red OU. So, what has happened in this scenario, the User Configuration 1 was replaced with the User Configuration 2, i.e. with the configuration applied to the Computer account.

As you have probably noticed, the picture above says “Loopback in replace mode”. I have to mention that the Loopback processing of Group Policy has two different modes, Replace and Merge. It is obvious that Replace mode replaces User Configuration with the one applied to the Computer, whereas Merge mode merges two User Configurations.

In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege. For example in our scenario, in case of the conflict the User Configuration 2 would be enforced.

In the real work environment Loopback processing of Group Policy is usually used on Terminal Servers. For example you have users with enabled folder redirection settings, but you do not want these folder redirection to work when the users log on to the Terminal Server, in this case we enable Loopback processing of Group Policy in the Policy linked to the Terminal Server’s Computer account and do not enable the folder redirection settings. In this case, once the User logged on to the Terminal Server his folder redirection policy will not be applied.

Thank you!

Posted by vikas vohra | 0 comments

Importing Users with LDIFDE

Importing Users with LDIFDE

You can also use Ldifde.exe to import or export Active Directory objects, including users. The
Lightweight Directory Access Protocol Data Interchange Format (LDIF) is a draft Internet
standard for file format that can be used to perform batch operations against directories that
conform to t he LDAP standards. LDIF supports both import and export operations as well as
batch operations that modify objects in the directory. The LDIFDE command implements these
 batch operations by using LDIF files.

Posted by vikas vohra | 0 comments

Importing users with CSVDE

CSVDE is a command-line tool that imports or exports Active Directory objects from or to a
comma-delimited text file (also known as a comma-separated value text file, or .csv file).
Comma-delimited files can be created, modified, and opened with tools as familiar as Notepad
and Microsoft Office Excel. If you have user information in existing Excel or Microsoft Office
Access databases, you will find that CSVDE is a powerful way to take advantage of that 
information to automate user account creation.

Posted by vikas vohra | 0 comments

Roaming profile

For the incompatibility between Version 1 user profiles (Windows 2000, Windows XP, Windows Server 2003) and Version 2 user profiles (Windows Vista, Windows Server 2008), a new roaming user profile (the folder with V2 suffix to distinguish from former user profiles ) have to be set for users that logon to Windows Vista and Windows Server 2008.

About the default network profile in the NETLOGON share, it is a default users profile template for domain users just like the local default users profiles. When a user without roaming profile first time logon to a domain joined computer, this new created profile will originate from a default network user profile if it is available. If not, Windows will use the local default profile as a template. It seems there is not any relationship with the roaming profile we discussed.

Posted by vikas vohra | 0 comments

Automating the creation of user accounts.

 you learned how to create a user account in the Active Director y Users and Com-
puters snap-in. 
  • Create users from user account Templates
  • using active directory command line tools
  • Import users with CSVDE
  • Import users with LDIFDE

Posted by vikas vohra | 0 comments

Components of an active directory infrastucture

Components of an active directory infrastucture :