Jared ran into a simliar'ish problem recently... There is a thread around here somewhere.

@Super-Sundae : Can you run Sysinternal's RegMon and patch another machine with InTune? That way you can capture the changes.
Perhaps running SysMon at the same time in case it makes changes to file permissions would help..

If you can find out what the policy changes then you should be able to revert on both machines. Hopefully 🙂

@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

@Obsolesce said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

t only applies the setting when linked to the OU of the user

We'll according to that screenshot, it IS a user setting.

Yeah. I want all users or a group of users who login to the RD00 server (and only this server) to have this GPP modifying HKCU to apply. Is it even possible?

Yes, it's possible.

Ensure the GPO is applying to the user. For example, if User1 is in the Company > Users OU, then make sure that GPO is either in Company or Users OU and the Users OU is inheriting the GPO. Verify with RSOP and gpresult that user is getting the policy.

I think, but it's been awhile since I did much with AD GP... (like you are in the screenshot) use item-level targeting to the server name.

Test it by having one of the in-scope users log on to a difference server, run gpresult and see if it's applying, then try it on the targeted server and see if it applies then.

A quick update for y'all that are watching/participating in this thread (thank you, by the way!).

Late Friday I realized where the lockouts where coming from. We have a Windows VM that has a suite of applications that folks need to use every blue moon or so, and they access the VM via RDP. Of course, users don't log out, they just close the RDP client (I am going to fix this). The user in question had an old logon session on this VM. Killing the user's session (I just rebooted the VM) seems to have done the trick.

Now the goal is to better position myself for the next time this happens. I also figure it's probably not a bad idea to have more visibility on account lockouts and where they are coming from in general.

@dbeato said in GPO for compatibility mode:

@Grey said in GPO for compatibility mode:

A previous admin created a gpo to alter and add an entry under the hive HKEY_CURRENT_USER in Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range66 which forces a single entry for compatibility mode. I've spent a lot of time testing and, while the setting is to apply once and not again, it doesn't seem to allow a user to add more sites to compatibility mode and keep that addition after a reboot.

Has anyone successfully created a GPO for IE11 to enable CM for users to add items, while also pushing a list of our own? Is there a best method around for achieving this goal?

I have not, I only keep adding it through GPO (In the medical field which they have many sites as this).

Ditto - Just have to keep adding them via GPO. So glad we barely use IE 11 anymore.

@NerdyDad

You can use Loopback Processing also.

https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/

Thank you for the help. By posting the screenshots, I realized I had a typo in the file extension. .png vs .jpg
Once I double checked them all it now works.

@eddiejennings said in Logging Domain user authentication failures:

@travisdh1 said in Logging Domain user authentication failures:

@eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.

I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.

We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure.

Ah. What an ..... effective use of resources.

Good luck, ExtraHop is very nice, but like every other tool, it's useless untill deployed properly.

@scottalanmiller said in Deleting a GPO:

@rojoloco said in Deleting a GPO:

@dave247 I have a few ideas about who they are specifically... but after they decided to be a bunch of dicks about anyone here posting links to their site that shall not be named, they created an account here to spy, presumably. Lot of former 🌶 folks here... Lots of 🖕 🖕 🖕 🖕 🖕 for their informers.

It's a public site, doesn't take much for someone to inform, lol. It's a bit like tattling on a billboard.

That sounds a lot like calling out your Husband by doing this to his ride.

https://us-east-1.tchyn.io/snopes-production/uploads/images/photos/automobiles/graphics/cheating2_small.jpg?resize=419,314

As long as it is on the SysVol\Policies\PolicyDefinitions folder then you should be fine.

@thwr said in Flushing GPOs:

@dbeato said in Flushing GPOs:

You need to setup the settings to Delete or changed to not configured, wait until it applies and then delete the GPOs after confirming they are not applied any longer.

Get-Content c:\temp\gpos.txt | foreach { Get-GPO -Name "$_" | Remove-GPO }

http://jeffwouters.nl/index.php/2013/08/remove-group-policy-objects-through-powershell/

I bet you could do something like this to set all GPOs to "on delete remove from client" too

This assumes a txt file with all GPO names. You could also just use Get-GPO

@Tim_G said in GPO Path?:

@Grey said in GPO Path?:

So, what's the current method to add a single trusted site to my intranet zone in GPO, eh? And where do I modify all of the trusted sites/zones and activex now?

I was answering the above question. Of course these will say not configured, because you haven't configured them yet.

That's the thing though; there is configuration from the previous IT Team.
http://i.imgur.com/CRwvU7j.png
I should be able to edit that and I just can't. The path shown isn't there for me.

@Dashrender said in Windows Offline Files query:

I'm guessing those 8 people didn't make any offline updates to files in that folder, so Windows never checked to see if there were new versions.

They have Read-Only access to the network folder. Another group is tasked of updating it.

@scotth said in Rolling Out Scale Driver Updates with Group Policy on Windows Server 2012 R2:

@scottalanmiller said in Rolling Out Scale Driver Updates with Group Policy on Windows Server 2012 R2:

@scotth said in Rolling Out Scale Driver Updates with Group Policy on Windows Server 2012 R2:

We are just starting to plan our hardware refresh. I'm seriously considering Scale. I like the info that I've seen so far.

We love ours, it has been great.

I'm still pulling down information..... I need a vibrant DR plan in place or decided on before I commit to a platform. It always seems to be overlooked as an afterthought.

Common approach is to get something like a Synology or a ReadyNAS and use the Scale HC3 built in snapshot and export backup functionality to push full image backups on a schedule out to the NAS.

Boy I remember when I came to the understanding that MS really wanted you to build completely separate GPs for users vs devices...

We use Cisco Any Connect that authenticates against AD, but is not tied to any kind of GPS and it works for us just fine. Except for deployment, I see no need in using GPS.

If we use GPS for anything, it's with RADIUS for our wireless network. That works in one location but not the other. And this is only because both locations have different wireless systems and in how each system implements RADIUS and authenticates a laptop against an OU.

@coliver said in Best Way to Deploy EXE Packages via Group Policy:

@coliver said in Best Way to Deploy EXE Packages via Group Policy:

If the EXE has a silent installer flag I would run it as a startup or login task the first time. Just add a check in there to see if it has already been installed.

Meant to say I would put it on a share and have a startup script execute it with the silent flag. Drop a installcomplete.txt file somewhere on the local disk and query for that at startup.

Cool, that's the direction that I was headed.

@Mike-Davis said in What should be in Powershell 101 and Group Policy 101 Sessions at MangoCon 2016?:

In the WPA2-Enterprise deployment session, I'll hit on how you push the cert and SSID to your domain joined devices to have the connect automatically to your WPA2-Enterprise SSID.

I like this idea.