Active Directory – Trentent Tye

Group Policy – Monolithic vs Functional Design and Performance Evaluation

2018-04-09

4 Comments

Group Policy Design is a hotly discussed topic, with lots of different ideas and discussions. However, there is not a whole lot of actual metrics. ADM and ADMX templates apply registry keys in an ‘enforced’ manner. That is, if you or the machine has access to read the policies, the registry keys within are applied. If you stuck purely to ADM/ADMX policies but wanted to do dynamic filtering or application of the keys/values based on a set of criteria you’d probably design multiple policies and nested organizational units (OUs). From here, you could filter certain policies based on the machine or user location in the OU structure or by filtering on the policies themselves and denying access to certain groups or doing explicit allows to certain groups. This design style, back in the day, was called “functional” design.

However, the alternative style, “monolithic” design, simplifies the group policy object (GPO) design into much fewer GPO’s.

Setup

My test setup is very simple; a organizational unit (OU) with inheritance blocked to control the application of the GPO’s. I created 100 individual GPO’s with a single registry value, and 1 GPO with 100 values. I chose to do a simple registry addition as it should be the best performance option for group policy. I created a custom ADMX file for this purpose:

<?xml version="1.0" encoding="utf-8"?>
<!--  (c) 2018 TheoryPC  -->
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="theorypc" namespace="trentent.Policies.theorypc" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <policies>
    <policy name="TrententTest_001" class="Machine" displayName="$(string.Value001)" explainText="$(string.explain_Help)" key="Software\Policies\TrententTest" valueName="001">
      <parentCategory ref="windows:System" />
      <supportedOn ref="windows:SUPPORTED_Win2k" />
    </policy>
    <policy name="TrententTest_002" class="Machine" displayName="$(string.Value002)" explainText="$(string.explain_Help)" key="Software\Policies\TrententTest" valueName="002">
      <parentCategory ref="windows:System" />
      <supportedOn ref="windows:SUPPORTED_Win2k" />
    </policy>
    <policy name="TrententTest_003" class="Machine" displayName="$(string.Value003)" explainText="$(string.explain_Help)" key="Software\Policies\TrententTest" valueName="003">
      <parentCategory ref="windows:System" />
      <supportedOn ref="windows:SUPPORTED_Win2k" />
    </policy>
...

<?xml version="1.0" encoding="utf-8"?>

</policyNamespaces>

</policy>

</policy>

</policy>

...

Monolithic simulation:

Functional simulation:

Testing

In testing these two designs I elected to focus on the one factor that would have the most impact: latency. I setup my client machine in the OU, put a WAN emulator that can manipulate latency and measured the performance between the functional and monolithic designs at varying latencies. I looked for the following event ID’s: 4257, 5257, 4016, 5016. The x257 events correspond to when group policy downloads the group policy objects off the SYSVOL file share. The x016 event’s determine how long it took the policy to be processed.

The results:

Raw Data:

Functional GPO – applying 100 registry values
	Event ID 4016 to 5016 (ms)
	Latency	Time (ms)
	0	271
	10	4089
	25	8078
	50	15315
	75	22904
	100	29820

	Event ID 4257 to 5257 – Starting to download policies
	Latency	Time (s)
	0	0
	10	3
	25	6
	50	12
	75	17
	100	22

Monolithic GPO – applying 100 registry values
	Event ID 4016 to 5016 (ms)
	Latency	Time (ms)
	0	117
	10	156
	25	198
	50	284
	75	336
	100	435

	Event ID 4257 to 5257 – Starting to download policies
	Latency	Time (s)
	0	0
	10	0
	25	1
	50	1
	75	1
	100	1

Analysis:

There is a huge edge to the monolithic design. Both in terms of how long it takes to process a single policy vs multiple policies and the resiliency to the effects of latency. Even ‘light’ latency can have a profound impact on performance. Going from 0ms to 10ms increased the length of time to process a functional design by 15 times! The monolithic design, on the other hand, was barely impacted. Even with a latency of 100ms, it only added ~300ms of time to process the policy. I would consider this imperceptible in the real world, where as the functional design going from ~271ms to ~4000ms would be an extremely noticeable impact! Let alone about 30 seconds at 100ms!

Another factor is how much additional time is required to download the policies. This is time in addition to the processing time. This probably shouldn’t be a huge surprise, it appears that group policies are downloaded and processed sequentially, in an order. I’m sure this is necessary to maintain some semblance of prediction if you have conflicting policies settings, the one last in the list (whether sorted alphabetically or what have you) can be relied on to be the winner.

Adding latency, even just a little latency, has a noticeable impact. And the more policies, the more traffic, the more the impact of latency. Again, a loss for a functional design and a win for a more monolithic design.

Conclusion:

Group Policy Objects can have a large impact on user experience. The goal should be to minimize them to as few as possible. As with everything, there are exceptions to the rules, but for Group Policy it’s important to try and maintain this rule. Even just a little latency between the domain controller and the client can have a massive impact in group policy performance. This can impact the length of time it takes a machine to boot, to delaying a user logging into a system.

The winlogon notification subscriber TermSrv failed a critical notification event.

2016-02-03

by trententtye

in Blog, Uncategorized

No Comments

When launching a Citrix application a user was getting a the ‘Citrix launch bar’ then, after a few seconds, it would immediately go away. Checking the Application log in the event viewer displayed these entries:

The winlogon notification subscriber TermSrv failed a critical notification event. Event ID 6001
The winlogon notification subscriber Sens failed a notification event. Event ID 6004

The root cause?

A faulty path for the homedrive AD attribute:

See that ‘Connect’ H: To ‘Path’? That was a bad path.

Removing the attribute or fixing it so that it pointed to a path that the user has access to and exists resolved our issue immediately.

Group Policy Preferences – Scheduled Task fails to apply

2014-10-03

by trententtye

in Blog, Uncategorized

2 Comments

We had a couple issues with scheduled tasks not applying when submitted as a GPP (Group Policy Preference). We turned on tracing via local gpedit.msc (Administrative Templates > System > Group Policy > Logging and tracing). From here we turned on the Scheduled Task logging and events were then stored in the eventvwr.msc (we also turned on tracing which stored a computer.log file here: C:\ProgramData\Group Policy\Trace)

The first error we got was:

2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] No item to delete.
2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] pWorkItemV2->Create [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]
2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] replaceTask [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]
2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] Properties handled. [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]
2014-10-03 10:42:19.388 [pid=0x59c,tid=0x1294] EVENT : The computer 'AHS-Add-GlobalPrinters' preference item in the 'CTX XenApp 65 Test {E6775312-AAC0-45C3-8A1C-5F5EA46701A7}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.'%100790275
2014-10-03 10:42:19.388 [pid=0x59c,tid=0x1294] Completed class - AHS-Add-GlobalPrinters. [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]
2014-10-03 10:42:19.388 [pid=0x59c,tid=0x1294] Error suppressed. [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]

2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] No item to delete.

2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] pWorkItemV2->Create [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]

2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] replaceTask [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]

2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] Properties handled. [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]

2014-10-03 10:42:19.388 [pid=0x59c,tid=0x1294] EVENT : The computer 'AHS-Add-GlobalPrinters' preference item in the 'CTX XenApp 65 Test {E6775312-AAC0-45C3-8A1C-5F5EA46701A7}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.'%100790275

2014-10-03 10:42:19.388 [pid=0x59c,tid=0x1294] Completed class - AHS-Add-GlobalPrinters. [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]

2014-10-03 10:42:19.388 [pid=0x59c,tid=0x1294] Error suppressed. [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]

So it can’t map between user ID’s. It’d be nice if it told us which mapping failed, but it gives us a pretty good hint. Looking at the XML file the GPP creates (stored here: “C:\ProgramData\Microsoft\Group Policy\History\\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml” )

We saw the following:

<?xml version="1.0" encoding="UTF-8" ?><ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">  
 <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="AHS-Add-GlobalPrinters" image="1" changed="2014-10-03 17:15:15" uid="{EDDCD78F-46AC-414A-92B2-65D37D12E3F9}" bypassErrors="0" userContext="0" removePolicy="1" desc="Create Network Printer Queues on Cancer Control XenApp Servers" policyApplied="1"> 
 <Properties action="R" name="AHS-Add-GlobalPrinters" runAs="NT AUTHORITY\SYSTEM" logonType="S4U"> 
 <Task version="1.2"> 
 <RegistrationInfo> 
 <Author>HEALTHY\ssalehianadm</Author> 
 <Description>Create Network Printer Queues on Cancer Control XenApp Servers</Description></RegistrationInfo> 
 <Principals> 
 <Principal id="Author"> 
 <RunLevel>HighestAvailable</RunLevel> 
 <LogonType>S4U</LogonType> 
 <UserId>BUILTIN\SYSTEM</UserId></Principal></Principals> 
 <Settings> 
 <IdleSettings> 
 <Duration>PT10M</Duration> 
 <WaitTimeout>PT1H</WaitTimeout> 
 <StopOnIdleEnd>true</StopOnIdleEnd> 
 <RestartOnIdle>false</RestartOnIdle></IdleSettings> 
 <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> 
 <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> 
 <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> 
 <AllowHardTerminate>false</AllowHardTerminate> 
 <AllowStartOnDemand>true</AllowStartOnDemand> 
 <Enabled>true</Enabled> 
 <Hidden>false</Hidden> 
 <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> 
 <Priority>7</Priority></Settings> 
 <Triggers></Triggers> 
 <Actions> 
 <Exec> 
 <Command>C:\Windows\System32\cmd.exe</Command> 
 <Arguments>/c C:\PublishedApplications\AHS-Add-GlobalPrinters.cmd WSLBLPRINT01</Arguments></Exec></Actions></Task></Properties> 
 <Filters>

<?xml version="1.0" encoding="UTF-8" ?><ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">

<Author>HEALTHY\ssalehianadm</Author>

<Description>Create Network Printer Queues on Cancer Control XenApp Servers</Description></RegistrationInfo>

<RunLevel>HighestAvailable</RunLevel>

<UserId>BUILTIN\SYSTEM</UserId></Principal></Principals>

<RestartOnIdle>false</RestartOnIdle></IdleSettings>

<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>

<AllowHardTerminate>false</AllowHardTerminate>

<Hidden>false</Hidden>

<Exec>

<Command>C:\Windows\System32\cmd.exe</Command>

<Arguments>/c C:\PublishedApplications\AHS-Add-GlobalPrinters.cmd WSLBLPRINT01</Arguments></Exec></Actions></Task></Properties>

Everything validates. Googling for BUILTIN\SYSTEM brought up that several people were getting the same error when using BUILTIN\SYSTEM. Which makes some sense as “BUILTIN\SYSTEM” isn’t a real account. We renamed it to NT AUTHORITY\SYSTEM. This time we got a new error message:

The computer 'AHS-Add-GlobalPrinters' preference item in the 'CTX XenApp 65 Prod {CB954F1D-7AE5-4706-9BCC-995A0D83CED5}' Group Policy object did not apply because it failed with error code '0x80041316 The task XML contains an unexpected node.' See trace file for more details.

1	The computer 'AHS-Add-GlobalPrinters' preference item in the 'CTX XenApp 65 Prod {CB954F1D-7AE5-4706-9BCC-995A0D83CED5}' Group Policy object did not apply because it failed with error code '0x80041316 The task XML contains an unexpected node.' See trace file for more details.

This doesn’t tell us a whole lot of information. What is the unexpected node? Looking again at the XML file it looked like so:

<?xml version="1.0" encoding="UTF-8" ?><ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">  
<TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="AHS-Add-GlobalPrinters" image="1" changed="2014-10-03 17:15:15" uid="{EDDCD78F-46AC-414A-92B2-65D37D12E3F9}" bypassErrors="0" userContext="0" removePolicy="1" desc="Create Network Printer Queues on Cancer Control XenApp Servers" policyApplied="1"> 
<Properties action="R" name="AHS-Add-GlobalPrinters" runAs="NT AUTHORITY\SYSTEM" logonType="S4U"> 
<Task version="1.2"> 
<RegistrationInfo> 
<Author>HEALTHY\ssalehianadm</Author> 
<Description>Create Network Printer Queues on Cancer Control XenApp Servers</Description></RegistrationInfo> 
<Principals> 
<Principal id="Author"> 
<RunLevel>HighestAvailable</RunLevel> 
<LogonType>S4U</LogonType> 
<GroupId>NT AUTHORITY\SYSTEM</GroupId></Principal></Principals> 
<Settings> 
<IdleSettings> 
<Duration>PT10M</Duration> 
<WaitTimeout>PT1H</WaitTimeout> 
<StopOnIdleEnd>true</StopOnIdleEnd> 
<RestartOnIdle>false</RestartOnIdle></IdleSettings> 
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> 
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> 
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> 
<AllowHardTerminate>false</AllowHardTerminate> 
<AllowStartOnDemand>true</AllowStartOnDemand> 
<Enabled>true</Enabled> 
<Hidden>false</Hidden> 
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit> 
<Priority>7</Priority></Settings> 
<Triggers></Triggers> 
<Actions> 
<Exec> 
<Command>C:\Windows\System32\cmd.exe</Command> 
<Arguments>/c C:\PublishedApplications\AHS-Add-GlobalPrinters.cmd WSLBLPRINT01</Arguments></Exec></Actions></Task></Properties> 
<Filters>

<?xml version="1.0" encoding="UTF-8" ?><ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">

<Author>HEALTHY\ssalehianadm</Author>

<Description>Create Network Printer Queues on Cancer Control XenApp Servers</Description></RegistrationInfo>

<RunLevel>HighestAvailable</RunLevel>

<GroupId>NT AUTHORITY\SYSTEM</GroupId></Principal></Principals>

<RestartOnIdle>false</RestartOnIdle></IdleSettings>

<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>

<AllowHardTerminate>false</AllowHardTerminate>

<Hidden>false</Hidden>

<Exec>

<Command>C:\Windows\System32\cmd.exe</Command>

<Arguments>/c C:\PublishedApplications\AHS-Add-GlobalPrinters.cmd WSLBLPRINT01</Arguments></Exec></Actions></Task></Properties>

The difference that I can see:

<GroupId>NT AUTHORITY\SYSTEM</GroupId>

The SYSTEM account is NOT a group. We changed how we selected the SYSTEM account by “Browsing” AD, going into the root of the domain, going into the Builtin OU, and selecting SYSTEM. This populated as “NT AUTHORITY\Well-Known-Security-Id-System”. This will fail because there is no such user account called “Well-Known-Security-Id-System”. At this point we renamed it to “NT AUTHORITY\SYSTEM”.

Boom, GPP Scheduled task now worked without issue. Checking the XML the difference by manually selecting the SYSTEM account changed

<GroupId>NT AUTHORITY\SYSTEM</GroupId>

<UserId>NT AUTHORITY\SYSTEM</UserId >

SO.

If you are having issues with your GPP Scheduled task item running as the SYSTEM account I would HIGHLY recommend you check your XML file and confirm it is set as “NT AUTHORITY\SYSTEM” and it is surrounded by UserId NOT GroupId.

Domain Controller doesn’t replicate DNS and has other replication issues

2012-04-10

by trententtye

in Blog, Uncategorized

No Comments

We recently demoted a global catalog domain controller and then re-promoted because of issues we were having post-demotion. When a DC is demoted it changes it’s computer account to have less rights then it would if it were a DC. Somewhere along the line the promotion didn’t change it’s account back and after the computer account password expired we started having replications issues. This didn’t really affect us too much until 14 days after the password expired and the DC couldn’t replicate back to the domain. All of our DNS zones couldn’t replicate to it and subsequently became “stale” and were scavenged and removed. This caused issues for everyone at that site as they couldn’t access various resources that we utilize DNS for.

The symptoms were:
All DNS zones were gone except for the primary zone.
“error no trust sam account” occurred while running “nltest /dsregdns”
This error was in the DNS event log:

“The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.ccs.corp. This prevents the zones that should be replicated to all DNS servers in the ccs.corp forest from replicating to this DNS server.

To create or repair the forest-wide DNS directory partition, open the the DNS console. Right-click the applicable DNS server, and then click ‘Create Default Application Directory Partitions’. Follow the instructions to create the default DNS application directory partitions. For more information, see ‘To create the default DNS application directory partitions’ in Help and Support. “

And this error:

The attempt to establish a replication link for the following writable directory partition failed.

dcdiag reported the last replication was 2 weeks ago
repadmin /showreps reported it failed.

The solution was from here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329860

WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
On a domain controller that is in the “healthy” part of the domain (not the domain controller with which you experience the issue), install the Windows 2000 Support Tools if they have not already been installed. For additional information about how to install the Windows 2000 Support Tools, click the article number below to view the article in the Microsoft Knowledge Base:
301423 How to Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer
Start the ADSI Edit snap-in. To do so, click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
Expand Domain NC [server.example.com] (where server is the name of the domain controller and example.com is the name of the domain.
Expand DC=example,DC=com.
Expand OU=Domain Controllers, right-click CN=ServerName (where ServerName is the domain controller with which you experience the issues that are described in the “Symptoms” section of this article), and then click Properties.
Click the Attributes tab (if it is not already selected).
In the Select which properties to view list, click Both, and then click userAccountControl in the Select a property to view list.
If the Value(s) box does not contain 532480, type 532480 in the Edit Attribute box, and then click Set.
Click Apply, click OK, and then quit the ADSI Edit snap-in

List of exportable AD attributes

2012-03-29

by trententtye

in Blog, Uncategorized

No Comments

It appears the following AD attributes are exportable from LDIFDE or CSVDE:

DN,objectClass,ou,distinguishedName,name,description,sAMAccountName,objectCategory,instanceType,whenCreated,whenChanged,uSNCreated,uSNChanged,dSCorePropagationData,cn,member,groupType,displayName,info,extensionAttribute1,managedBy,publicDelegatesBL,extensionAttribute14,extensionAttribute15,mail,sn,givenName,homeMTA,proxyAddresses,homeMDB,garbageCollPeriod,mDBUseDefaults,mailNickname,protocolSettings,internetEncoding,userAccountControl,badPwdCount,codePage,countryCode,badPasswordTime,lastLogoff,lastLogon,pwdLastSet,primaryGroupID,accountExpires,logonCount,showInAddressBook,legacyExchangeDN,userPrincipalName,textEncodedORAddress,msExchHomeServerName,msExchMailboxSecurityDescriptor,msExchUserAccountControl,msExchMailboxGuid,msExchPoliciesIncluded,msExchMailboxAuditLogAgeLimit,msExchRecipientDisplayType,msExchAddressBookFlags,msExchRBACPolicyLink,msExchDumpsterQuota,msExchArchiveQuota,msExchRecipientTypeDetails,msExchMDBRulesQuota,msExchTransportRecipientSettingsFlags,msExchArchiveWarnQuota,msExchDumpsterWarningQuota,msExchUMEnabledFlags2,msExchModerationFlags,msExchProvisioningFlags,msExchUMDtmfMap,msExchBypassAudit,msExchMailboxAuditEnable,msExchWhenMailboxCreated,msExchTextMessagingState,reportToOriginator,msExchRequireAuthToSendTo,msExchALObjectVersion,msExchArbitrationMailbox,msExchCoManagedByLink,msExchHideFromAddressLists,msExchGroupDepartRestriction,msExchGroupJoinRestriction,reportToOwner,replicatedObjectVersion,replicationSignature,msExchADCGlobalNames,dLMemDefault,oOFReplyToOriginator,msExchPoliciesExcluded,delivContLength,authOrig,dLMemSubmitPerms,dLMemSubmitPermsBL,displayNamePrintable,altRecipientBL,adminCount,hideDLMembership,managedObjects

I’ve exported using CSVDE using all these attributes and managed to import back into a different AD domain (and finding and replacing DC=XXX,DC=COM) and these attributes appear to import cleanly without error

Group Creation Script

2011-11-18

by trententtye

in Blog, Uncategorized

No Comments

The final script:

:This script will create the proper domain local group and global groups
:The only input this script needs is the UNC path to the folder. At the end
:of this script the only thing you'll need to do is add the users from the actual
:folder to the global group.
:
:eg create-groups.cmd "\\file01\HR\HR Support Group\HR Team\HR Support Services"

SET /P Permissions=What permissions will this group have ([F]ULL/[M]ODIFIY/[RO]READ ONLY)?

IF /I '%PERMISSIONS%' EQU 'F' SET PERMISSIONS=FULL
IF /I '%PERMISSIONS%' EQU 'M' SET PERMISSIONS=MODIFY
IF /I '%PERMISSIONS%' EQU 'RO' SET PERMISSIONS=RO





:ECHO %1 |sed "s/\\\\//g"|sed "s/\\/\./g" | sed "s/\"//g" 

:We parse the command line for the UNC structure, now we need to find the last folder
for /F "tokens=*" %%A IN ('ECHO %1 ^|sed ^"s/\\\\//g^"^|sed ^"s/\\/\./g^" ^| sed ^"s/\^"//g^"') DO set groupname=%%A


set str=%groupname%
set N=0
setLocal EnableDELAYedExpansion

:loop
if !N! equ 55 (
goto :exceedcharacterquota
)

set /A N+=1

ECHO N=!N!
if "!str:~1!" neq "" (
set str=!str:~1!
goto :loop
)
goto :skip-string-modification

:if string length exceeds 55 chars, take the first 25 chars and the last 25 chars with an ellipse (...)
:in between.
:exceedcharacterquota
set string-part-one=!groupname:~0,25!
set string-part-two=!groupname:~-25!
set GROUPNAME=!string-part-one!...!string-part-two!


:skip-string-modification
setLocal disableDELAYedExpansion
:Remove any trailing spaces
for /F "tokens=*" %%A IN ('ECHO %GROUPNAME% ^|sed ^"s/ $//g^"') DO set groupname=%%A
ECHO GROUP=%GROUPNAME%

:Sets OU to domain local resource group...
SET OUL=OU=Resource,OU=Security Groups,OU=AD Project 3,DC=CCS,DC=CORP
dsadd group "CN=F.lg.%GROUPNAME%.%PERMISSIONS%,%OUL%" -desc %1 -secgrp yes -scope l

:Sets OU to Global group...
SET OUG=OU=Global,OU=Security Groups,OU=AD Project 3,DC=CCS,DC=CORP
dsadd group "CN=gg.%GROUPNAME%.%PERMISSIONS%,%OUG%" -desc %1 -secgrp yes -scope g

:adds the global group to the domain local group
dsmod group "CN=F.lg.%GROUPNAME%.%PERMISSIONS%,%OUL%" -addmbr "CN=gg.%GROUPNAME%.%PERMISSIONS%,%OUG%"

:This script will create the proper domain local group and global groups

:The only input this script needs is the UNC path to the folder. At the end

:of this script the only thing you'll need to do is add the users from the actual

:folder to the global group.

:eg create-groups.cmd "\\file01\HR\HR Support Group\HR Team\HR Support Services"

SET /P Permissions=What permissions will this group have ([F]ULL/[M]ODIFIY/[RO]READ ONLY)?

IF /I '%PERMISSIONS%' EQU 'F' SET PERMISSIONS=FULL

IF /I '%PERMISSIONS%' EQU 'M' SET PERMISSIONS=MODIFY

IF /I '%PERMISSIONS%' EQU 'RO' SET PERMISSIONS=RO

:ECHO %1 |sed "s/\\\\//g"|sed "s/\\/\./g" | sed "s/\"//g"

:We parse the command line for the UNC structure, now we need to find the last folder

for /F "tokens=*" %%A IN ('ECHO %1 ^|sed ^"s/\\\\//g^"^|sed ^"s/\\/\./g^" ^| sed ^"s/\^"//g^"') DO set groupname=%%A

set str=%groupname%

set N=0

setLocal EnableDELAYedExpansion

:loop

if !N! equ 55 (

goto :exceedcharacterquota

)

set /A N+=1

ECHO N=!N!

if "!str:~1!" neq "" (

set str=!str:~1!

goto :loop

)

goto :skip-string-modification

:if string length exceeds 55 chars, take the first 25 chars and the last 25 chars with an ellipse (...)

:in between.

:exceedcharacterquota

set string-part-one=!groupname:~0,25!

set string-part-two=!groupname:~-25!

set GROUPNAME=!string-part-one!...!string-part-two!

:skip-string-modification

setLocal disableDELAYedExpansion

:Remove any trailing spaces

for /F "tokens=*" %%A IN ('ECHO %GROUPNAME% ^|sed ^"s/ $//g^"') DO set groupname=%%A

ECHO GROUP=%GROUPNAME%

:Sets OU to domain local resource group...

SET OUL=OU=Resource,OU=Security Groups,OU=AD Project 3,DC=CCS,DC=CORP

dsadd group "CN=F.lg.%GROUPNAME%.%PERMISSIONS%,%OUL%" -desc %1 -secgrp yes -scope l

:Sets OU to Global group...

SET OUG=OU=Global,OU=Security Groups,OU=AD Project 3,DC=CCS,DC=CORP

dsadd group "CN=gg.%GROUPNAME%.%PERMISSIONS%,%OUG%" -desc %1 -secgrp yes -scope g

:adds the global group to the domain local group

dsmod group "CN=F.lg.%GROUPNAME%.%PERMISSIONS%,%OUL%" -addmbr "CN=gg.%GROUPNAME%.%PERMISSIONS%,%OUG%"

LDAP query for just users

2011-10-14

by trententtye

in Blog, Uncategorized

No Comments

We have numerous “mailbox only” user accounts in our AD. I’ve been asked for a query of all the user accounts on our domain. The query needs to exclude these accounts and disabled accounts as we’re only interested in active user accounts. This is what I came up with:

adfind -f "&(objectcategory=person)(samaccountname=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)(!(msExchRecipientTypeDetails=4)(!(msExchRecipientDisplayType=7)(!(msExchRecipientDisplayType=8)(!(extensionattribute1=Service Account))))))" -csv -csvdelim ;

1	adfind -f "&(objectcategory=person)(samaccountname=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)(!(msExchRecipientTypeDetails=4)(!(msExchRecipientDisplayType=7)(!(msExchRecipientDisplayType=8)(!(extensionattribute1=Service Account))))))" -csv -csvdelim ;

This query does the following:
Find all user accounts (objectcategory=person)(samaccountname=*)
But NOT
Disabled accounts (userAccountControl:1.2.840.113556.1.4.803:=2)
Exchange Shared Mailboxes: (msExchRecipientTypeDetails=4)
Exchange Rooms: (msExchRecipientDisplayType=7)
Exchange Equipment: (msExchRecipientDisplayType=8)
Service Accounts: (extensionattribute1=Service Account)

MS Software usually adds “SERVICE ACCOUNT” to the extensionattribute1.

Saving and restoring ACL’s on OU’s

2011-09-13

by trententtye

in Blog, Uncategorized

No Comments

Saving and moving OU ACLs

I’ve written a batch file that will move ACLs from one OU to another. It works by you outputting the results of a ACL from a OU to a text file, specifying the new OU in a batch file and inputting the text file you just created. I use three utilities to accomplish this: adfind.exe, sed.exe and dsacls.exe.
The command to save the text file is:

MS DOS

adfind -b "OU=Users,OU=LAB,DC=LAB,DC=CORP" -f (distinguishedName=OU=Users,OU=LAB,DC=LAB,DC=corp) -sddl++ -resolvesids -onlydacl ntsecuritydescriptor -sddlnotfilter ;inherited| sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" > %PATHTOFILE%.txt

1

adfind -b "OU=Users,OU=LAB,DC=LAB,DC=CORP" -f (distinguishedName=OU=Users,OU=LAB,DC=LAB,DC=corp) -sddl++ -resolvesids -onlydacl ntsecuritydescriptor -sddlnotfilter ;inherited| sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" > %PATHTOFILE%.txt

From here, you need to delete the header in the text file and the footer.
Once that is done, run this script, changing the two variables at the top:

MS DOS

:RESTORE-OU-ACL.CMD :Restore OU Properties SET TARGETOU=OU=Users Accounts,OU=AD Project 3,DC=LAB,DC=CORP SET TARGETFILE="New Text Document (5).txt" @ECHO OFF SETLOCAL ENABLEDELAYEDEXPANSION for /F "tokens=1-6 delims=;" %%A IN ('type %TARGETFILE%') DO ( SET PROP= SET INHERIT=0 IF "%%C" EQU " " SET PROP=GA ECHO CALL :PROPERTYACL %%C CALL :PROPERTYACL %%C ECHO CALL :INHERITANCE %%B CALL :INHERITANCE %%B SET PROPERTY= IF /I "%%D" NEQ " " SET PROPERTY=%%D ECHO PROPERTY=!PROPERTY! SET TARGET= IF /I "%%E" NEQ " " SET TARGET=%%E ECHO TARGET=!TARGET! ECHO dsacls "%TARGETOU%" !INHERIT! /G "%%F:!PROP!;!PROPERTY!;!TARGET!" dsacls "%TARGETOU%" !INHERIT! /G "%%F:!PROP!;!PROPERTY!;!TARGET!" ) GOTO:EOF :INHERITANCE REM We need to figure out what ACLS we're dealing with... FOR /F "tokens=*" %%Z IN ('ECHO %*') DO ( IF '!INHERIT!' EQU '/I:S' GOTO:EOF ECHO %%Z | FINDSTR /I /C:"[CONT INHERIT]" IF '!ERRORLEVEL!' EQU '0' SET INHERIT=/I:T ECHO %%Z | FINDSTR /I /C:"[CONT INHERIT][INHERIT ONLY]" IF '!ERRORLEVEL!' EQU '0' SET INHERIT=/I:S ECHO %%Z | FINDSTR /I /C:"INHERIT" IF '!ERRORLEVEL!' EQU '1' SET INHERIT=/I:P ECHO INHERIT=!INHERIT! ) GOTO:EOF :PROPERTYACL REM We need to figure out what ACLS we're dealing with... FOR /F "tokens=*" %%Z IN ('ECHO %*') DO ( ECHO %%Z | FINDSTR /I /C:"WRT PROP" IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!WP ECHO %%Z | FINDSTR /I /C:"READ PROP" IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!RP ECHO %%Z | FINDSTR /I /C:"CTL" IF '!ERRORLEVEL!' EQU '0' SET PROP=CA ECHO %%Z | FINDSTR /I /C:"[CR CHILD]" IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!CC ECHO %%Z | FINDSTR /I /C:"[DEL CHILD]" IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!DC ECHO %%Z | FINDSTR /I /C:"[LIST CHILDREN]" IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!LC ECHO %%Z | FINDSTR /I /C:"[LIST OBJECT]" IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!LO ECHO %%Z | FINDSTR /I /C:"[READ]" IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!GR ECHO %%Z | FINDSTR /I /C:"[FC]" IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!GA ECHO PROP=!PROP! ) GOTO:EOF :/I:P = This Object Only *BLANK* :/I:S = Child Objects Only [CONT INERIT][INHERIT ONLY] :/I:T = This object and all child objects [CONT INERIT] :Blank inheritance = /I:P :When "Properties" are set, it should be /I:S :When there are no properties listed at all ACL should be GA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

:RESTORE-OU-ACL.CMD
:Restore OU Properties
SET TARGETOU=OU=Users Accounts,OU=AD Project 3,DC=LAB,DC=CORP
SET TARGETFILE="New Text Document (5).txt"

@ECHO OFF

SETLOCAL ENABLEDELAYEDEXPANSION
for /F "tokens=1-6 delims=;" %%A IN ('type %TARGETFILE%') DO (
SET PROP=
SET INHERIT=0
IF "%%C" EQU " " SET PROP=GA
ECHO CALL :PROPERTYACL %%C
CALL :PROPERTYACL %%C

ECHO CALL :INHERITANCE %%B
CALL :INHERITANCE %%B

SET PROPERTY=
IF /I "%%D" NEQ " " SET PROPERTY=%%D
ECHO PROPERTY=!PROPERTY!
SET TARGET=
IF /I "%%E" NEQ " " SET TARGET=%%E
ECHO TARGET=!TARGET!
ECHO dsacls "%TARGETOU%" !INHERIT! /G "%%F:!PROP!;!PROPERTY!;!TARGET!"
dsacls "%TARGETOU%" !INHERIT! /G "%%F:!PROP!;!PROPERTY!;!TARGET!"

)
GOTO:EOF

:INHERITANCE
REM We need to figure out what ACLS we're dealing with...
FOR /F "tokens=*" %%Z IN ('ECHO %*') DO (
IF '!INHERIT!' EQU '/I:S' GOTO:EOF
ECHO %%Z | FINDSTR /I /C:"[CONT INHERIT]"
IF '!ERRORLEVEL!' EQU '0' SET INHERIT=/I:T
ECHO %%Z | FINDSTR /I /C:"[CONT INHERIT][INHERIT ONLY]"
IF '!ERRORLEVEL!' EQU '0' SET INHERIT=/I:S
ECHO %%Z | FINDSTR /I /C:"INHERIT"
IF '!ERRORLEVEL!' EQU '1' SET INHERIT=/I:P
ECHO INHERIT=!INHERIT!
)
GOTO:EOF

:PROPERTYACL
REM We need to figure out what ACLS we're dealing with...
FOR /F "tokens=*" %%Z IN ('ECHO %*') DO (
ECHO %%Z | FINDSTR /I /C:"WRT PROP"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!WP
ECHO %%Z | FINDSTR /I /C:"READ PROP"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!RP
ECHO %%Z | FINDSTR /I /C:"CTL"
IF '!ERRORLEVEL!' EQU '0' SET PROP=CA
ECHO %%Z | FINDSTR /I /C:"[CR CHILD]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!CC
ECHO %%Z | FINDSTR /I /C:"[DEL CHILD]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!DC
ECHO %%Z | FINDSTR /I /C:"[LIST CHILDREN]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!LC
ECHO %%Z | FINDSTR /I /C:"[LIST OBJECT]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!LO
ECHO %%Z | FINDSTR /I /C:"[READ]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!GR
ECHO %%Z | FINDSTR /I /C:"[FC]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!GA

ECHO PROP=!PROP!
)
GOTO:EOF

:/I:P = This Object Only *BLANK*
:/I:S = Child Objects Only [CONT INERIT][INHERIT ONLY]
:/I:T = This object and all child objects [CONT INERIT]
:Blank inheritance = /I:P
:When "Properties" are set, it should be /I:S
:When there are no properties listed at all ACL should be GA

Generate a CSV from your GPO’s per OU

2011-07-28

by trententtye

in Blog, Uncategorized

No Comments

If you come into an environment like I have, you’ll find that some companies prefer to break out their AD structure by location and then generate a OU structure that matches it. Physically, this is understandable and you can understand what’s where. Logically, this causes issues because AD utilizes an inheritance model and this gets complicated and very messy very quickly if you do not follow a strict model. This model falls on its face when you have a centralized IT force. As an example, the company I worked for acquired numerous other companies and a each company/location had it’s own IT workforce. Eventually, the company consolidated all of these external IT departments into one. The IT staff then standardized each site for GPO’s. Which made having each one redundant.

This is a mockup of the OU structure:

And the GPO’s applied:

If you look closely, you can see that some sites are missing some GPO’s, some have an extra GPO, and some have the same. The goal I was given is that I need to consolidate the OU’s with the same GPO’s applied and then I can examine the disparate ones individually. In order to make a nice spreadsheet to do this I created this script (run on Windows, I added awk, sed, and grep to the windowssystem32 folder and installed group policy management).

Since the structure has a nice, predictable “end” OU (eg, Laptops, Desktops, Users) I could script for that keyword:

MS DOS

:Lets grab all the OU's cscript "%programfiles%\gpmc\scripts\dumpsominfo.wsf" "Desktops" /showinheritedlinks > desktop-gpo-links.txt :now we're going to parse out all the GPO's :what this next line does is print the file to stdout, piping stdout to awk :awk then grabs and prints out the text in the range "OU=Desktop" to "-- Who" :this stdout is then piped to grep which retrieves the path from that selection of text :grep then removes all other lines that contain path or two "--". From here, :awk then removes the first column and prints out the rest of the GPO's. The last :awk command then removes all duplicates. type desktop-gpo-links.txt | awk "/OU=Desktop/,/-- Who/" | grep -v -E "Path" | grep -v -E "\-\-" | awk "{ for (i=2; i<=NF; i++) printf \"%%s \", $i; printf \"\n\"; }" | awk "! a[$0]++" | sed.exe "s/ $//g" > GPOs.txt :::::::::: :Next we need to pull out all the OU's that this is applying against type desktop-gpo-links.txt | grep -E "Path" > ou.txt :now we prepare the header's... ECHO Site > header.txt type GPOs.txt | sed ":a;N;$!ba;s/\n/,/g" >> header.txt sed -i ":a;N;$!ba;s/\n//g" header.txt type header.txt > desktop-gpos.csv :print the ou's into the desktop-gpos.csv type ou.txt >> desktop-gpos.csv SETLOCAL ENABLEDELAYEDEXPANSION for /f "tokens=*" %%A IN ('type "desktop-GPO-links.txt" ^| Grep.exe -E "Path"') DO ( for /f "tokens=*" %%a in ('type gpos.txt') DO ( awk "/%%A/,/-- Who/" "desktop-GPO-links.txt" | grep.exe -E "%%a$" IF '!ERRORLEVEL!' EQU '0' sed.exe -i "/%%A/s|$|,x|g" desktop-gpos.csv IF '!ERRORLEVEL!' EQU '1' sed.exe -i "/%%A/s|$|,|g" desktop-gpos.csv ) ) :last we know need to exchange the ,OU and ,DC commas to something else because :excel will automatically change them to new columns. sed.exe -i "s/,OU/;OU/g" desktop-gpos.csv sed.exe -i "s/,DC/;OU/g" desktop-gpos.csv :and we remove the "Path " string just for nice-ness: sed -i -r "s/Path.+Desktops/Desktops/g" desktop-gpos.csv del sed* /q

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

:Lets grab all the OU's
cscript "%programfiles%\gpmc\scripts\dumpsominfo.wsf" "Desktops" /showinheritedlinks > desktop-gpo-links.txt

:now we're going to parse out all the GPO's
:what this next line does is print the file to stdout, piping stdout to awk
:awk then grabs and prints out the text in the range "OU=Desktop" to "-- Who"
:this stdout is then piped to grep which retrieves the path from that selection of text
:grep then removes all other lines that contain path or two "--". From here,
:awk then removes the first column and prints out the rest of the GPO's. The last
:awk command then removes all duplicates.

type desktop-gpo-links.txt | awk "/OU=Desktop/,/-- Who/" | grep -v -E "Path" | grep -v -E "\-\-" | awk "{ for (i=2; i<=NF; i++) printf \"%%s \", $i; printf \"\n\"; }" | awk "! a[$0]++" | sed.exe "s/ $//g" > GPOs.txt

::::::::::
:Next we need to pull out all the OU's that this is applying against
type desktop-gpo-links.txt | grep -E "Path" > ou.txt

:now we prepare the header's...
ECHO Site > header.txt
type GPOs.txt | sed ":a;N;$!ba;s/\n/,/g" >> header.txt
sed -i ":a;N;$!ba;s/\n//g" header.txt
type header.txt > desktop-gpos.csv

:print the ou's into the desktop-gpos.csv
type ou.txt >> desktop-gpos.csv

SETLOCAL ENABLEDELAYEDEXPANSION

for /f "tokens=*" %%A IN ('type "desktop-GPO-links.txt" ^| Grep.exe -E "Path"') DO (
for /f "tokens=*" %%a in ('type gpos.txt') DO (
awk "/%%A/,/-- Who/" "desktop-GPO-links.txt" | grep.exe -E "%%a$"
IF '!ERRORLEVEL!' EQU '0' sed.exe -i "/%%A/s|$|,x|g" desktop-gpos.csv
IF '!ERRORLEVEL!' EQU '1' sed.exe -i "/%%A/s|$|,|g" desktop-gpos.csv
)
)

:last we know need to exchange the ,OU and ,DC commas to something else because
:excel will automatically change them to new columns.
sed.exe -i "s/,OU/;OU/g" desktop-gpos.csv
sed.exe -i "s/,DC/;OU/g" desktop-gpos.csv

:and we remove the "Path " string just for nice-ness:
sed -i -r "s/Path.+Desktops/Desktops/g" desktop-gpos.csv

del sed* /q

This generates the following file:

Site ,Windows Update Policy - Workstations,Fabrikcom Workstation Policy,Local Administrator Account - Workstations,Fabrikcom Workstation Policy V2,Fabrikcom IE 7,Windows - Configure Kerberos to use TCP instead of UDP,Default Domain Policy,DisableAutoArchiveOutlook,Fabrikcom Internal Wireless,General Desktop Policy,[Unknown],PowerSchemeOptions,Fabrikcom IT User Policy,GPO_ORG_Outlook Cache Mode Settings
Desktops;OU=New Town;OU=BigCompanyA;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=SanFrancisco;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=BigCompanyC;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=NewYork;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=GreekTown;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=Houston;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=Alexandria;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=GreekTown;OU=BigCompanyB;OU=fabrikcom;OU=com,x,,x,x,,x,x,x,x,x,x,,,
Desktops;OU=Okotoks;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=BigCompanyB-Victoria;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=BigCompanyB-Winnipeg;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=BigCompanyB-Malahat;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=Toronto;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=Calgary;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=Vancouver;OU=BigCompanyC;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=SanJose;OU=BigCompanyC;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=Houston;OU=BigCompanyC;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=GoMax;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=BigCompanyB-Richmond;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=BigCompanyB-Kelowna;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=BigCompanyB-Edmonton;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=BigCompanyB-Hamilton;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,
Desktops;OU=ITGroup;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Site ,Windows Update Policy - Workstations,Fabrikcom Workstation Policy,Local Administrator Account - Workstations,Fabrikcom Workstation Policy V2,Fabrikcom IE 7,Windows - Configure Kerberos to use TCP instead of UDP,Default Domain Policy,DisableAutoArchiveOutlook,Fabrikcom Internal Wireless,General Desktop Policy,[Unknown],PowerSchemeOptions,Fabrikcom IT User Policy,GPO_ORG_Outlook Cache Mode Settings

Desktops;OU=New Town;OU=BigCompanyA;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=SanFrancisco;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=BigCompanyC;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=NewYork;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=GreekTown;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=Houston;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=Alexandria;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=GreekTown;OU=BigCompanyB;OU=fabrikcom;OU=com,x,,x,x,,x,x,x,x,x,x,,,

Desktops;OU=Okotoks;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=BigCompanyB-Victoria;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=BigCompanyB-Winnipeg;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=BigCompanyB-Malahat;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=Toronto;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=Calgary;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=Vancouver;OU=BigCompanyC;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=SanJose;OU=BigCompanyC;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=Houston;OU=BigCompanyC;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=GoMax;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=BigCompanyB-Richmond;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=BigCompanyB-Kelowna;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=BigCompanyB-Edmonton;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=BigCompanyB-Hamilton;OU=BigCompanyB;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Desktops;OU=ITGroup;OU=fabrikcom;OU=com,x,x,x,x,,x,x,x,x,,x,,,

Which looks like this when you put it in Excel:

Nice and pretty and if you add conditional formatting on “x” you can easily identify which OU’s are the same and can be consolidated, or just a nice report on which GPO’s are affecting which OU’s.

XP – Slow user login, constant prompts for accessing file shares

2011-07-13

by trententtye

in Blog, Uncategorized

No Comments

At work we were having an issue that seemed to happen a lot at remote sites. Either login times were glacially slow, users could not access file shares without being prompted over and over again for their credentials and numerous logs of:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: date
Time: time
User: N/A
Computer: Computername
Description: The Security System detected an authentication error for the server ldap/dca.acc.local. The failure code from authentication protocol Kerberos was “There are currently no logon servers available to service the logon request. (0xc000005e)”.
For more information, see Help and Support Center at http://support.microsoft.com.
Data: 0000: c000005e

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: date
Time: time
User: N/A
Computer: Computername
Description: The Security System could not establish a secured connection with the server ldap/Computername.domain.com. No authentication protocol was available.
For more information, see Help and Support Center at http://support.microsoft.com.
Data: 0000: c0000388

The fix to these issues is to switch Kerberos to UDP. After doing so the warnings disappeared and accessing file shares worked without constant reprompting. As well, logins for these remote users became much, much faster.

The change to set Kerberos to UDP is here:
http://support.microsoft.com/kb/244474

Start Registry Editor.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa KerberosParameters
Note If the Parameters key does not exist, create it now.
On the Edit menu, point to New, and then click DWORD Value.
Type MaxPacketSize, and then press ENTER.
Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
Quit Registry Editor.
Restart your computer.