Autodeploy a certificate to all workstations using GPO

Hi Team,
I have a task to auto-deploy a certificate to all workstations using GPO, i.e. configuring certificate deployment via auto-enrollment. We already have a CA server in our environment.
Regards, Triyambak

What is the certificate autoenrollment purpose? For 802.1x wireless, 802.1x NAP, etc?
What operating system version is your CA? Note: for autoenrollment you'll need at least a version 2 (v2) certificate template to create it from. The operating systems the CA must be installed on to get a v2 template are:
Windows 2003 Enterprise (not Standard)
Windows 2008 Enterprise (not Standard)
Windows 2008 R2 Standard & Enterprise
Windows 2012/2012 R2 Standard and Datacenter
Here are some links on it, including a step-by-step I created a few years ago using Windows 2003 with an 802.1x implementation:
Configure Autoenrollment in Group Policy
http://technet.microsoft.com/en-us/library/cc771025(v=WS.10).aspx
802.1x Wireless Implementation
http://blogs.msmvps.com/acefekay/2012/09/28/802-1x-wireless-implementation/
Additional link to setup CA on Windows 2008/2008 R2:
Setting up Wi-Fi Authentication in Windows Server 2008 (Part 1)
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html
Setting up Wi-Fi Authentication in Windows Server 2008 (Part 2).
http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part2.html
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
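
The steps Ace describes (an autoenrollment GPO plus a v2 template) carried out from PowerShell, as an added example that is not code from the original thread. It builds the GPO with the "Certificate Services Client - Auto-Enrollment" setting, links it to a workstation OU, and then shows the checks to run on a client. The GroupPolicy and ActiveDirectory RSAT modules are required; the GPO name, OU and template name are assumptions.

```powershell
# Added example, not code from the original thread: switch on computer certificate
# autoenrollment through a GPO, link it to the workstation OU, then verify from a client.
# Needs the GroupPolicy and ActiveDirectory RSAT modules and rights to create/link GPOs.
# GPO name, OU and template name are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'PKI - Computer Certificate Autoenrollment'   # assumption
$TargetOu = 'OU=Workstations,DC=corp,DC=example'          # assumption
$Template = 'Workstation Authentication'                  # assumption: a v2 template published on the CA

# "Certificate Services Client - Auto-Enrollment" is stored as the AEPolicy DWORD:
#   0x1 enable, 0x2 renew expired / update pending / remove revoked,
#   0x4 update certificates that use certificate templates; 7 = all three.
#   0x8000 disables autoenrollment. The HKCU\... key is the User Configuration equivalent.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Enables computer certificate autoenrollment'
}
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Link to the workstation OU rather than the domain root so servers stay out of scope.
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# ---- On a workstation, once the policy has applied ----
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null     # fires the autoenrollment task now instead of waiting for the timer

# Certificates from v2+ templates carry the Certificate Template Information extension
# (1.3.6.1.4.1.311.21.7); v1 templates use Certificate Template Name (1.3.6.1.4.1.311.20.2).
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        Select-Object -First 1
    $ext -and ($ext.Format($true) -match [regex]::Escape($Template))
}

if ($issued) {
    $issued | Select-Object Subject, NotAfter, Thumbprint
} else {
    # The client logs why enrollment did not happen: template ACL without Autoenroll,
    # template not published on the CA, CA unreachable, or no v2+ template in scope.
    Get-WinEvent -LogName Application -MaxEvents 50 |
        Where-Object { $_.ProviderName -like '*CertificateServicesClient-AutoEnrollment*' } |
        Select-Object TimeCreated, Id, Message
}
```

The GPO only turns the client-side engine on; nothing is issued unless the template is published on the CA (Certificate Templates to Issue) and the computer account (typically via Domain Computers) holds Read, Enroll and Autoenroll on it. Without `certutil -pulse` the client evaluates autoenrollment at boot and then on an eight-hour timer.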

Similar Messages

  • Run Batch file using GPO in all users with Windows 2008 R2

    Dear Sir,
    We have to install one software package on all laptops using GPO. We have a batch file, and using this we can install the software.
    Is there any way to install it automatically with this batch file?
    This is not an MSI package.
    Regards,
    Sunil
    SUNIL PATEL SYSTEM ADMINISTRATOR

    > Please provide how to configure...
    https://technet.microsoft.com/en-us/magazine/dd630947.aspx
    https://technet.microsoft.com/library/cc779329.aspx
    Greetings/Grüße,
    Martin
    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me -
    coke bottle design refreshment (-:

  • Overwrite services file in drivers\etc folder using GPO

    Dear All,
    We need to overwrite the services file on all PCs using GPO.
    Please help.
    SUNIL PATEL SYSTEM ADMINISTRATOR

    Hello,
    please see about using GPP
    https://technet.microsoft.com/en-us/library/cc772536.aspx or check with GPO
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/7419b060-7d7a-44af-9d06-d8ca838e1eea/group-policy-preferences-files-replace?forum=winserverGP
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Windows Server 2008 R2: Using PowerShell to send a MSI file to all workstations

    Hello!
    We are currently using Windows Server 2008 R2. In the upcoming months, we are releasing new software. Instead of touching all the machines with gpupdate /force, we would like to know if we could somehow use Windows PowerShell and send that
    command to all the computers in our organization? We are currently in the process of using Group Policy Management to set up the new GPO. After we create them, we would like to send the MSI file to all workstations. I know it is SUPER easy to do within Windows
    Server 2012... as I have read articles and seen screenshots. I am just having a hard time figuring out how to make it work with Windows Server 2008 R2.
    Thanks!
    Megan

    New-PSSession -computername Computer
    where Computer is one of your remote computers.  If that succeeds, great!  But I'm guessing it won't and enabling that on all of your computers would require more effort than what you're trying to accomplish in the first place.
    Psexec is free to download and you don't have to deploy it:
    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
    As far as identifying your target computers, it really depends on your environment.  Get-ADComputer is effective, but the example I provided above would get literally every computer in your active directory - is this something you want to deploy to
    any and all servers, workstations, etc?  How big and complex is your AD?  Is this something you need to coordinate with all your systems around about the same time, or can it be staggered?  Do you expect your target computers not to reboot between
    now and then?  I know that's a lot of questions, but your question is loaded and not easy to answer without knowing more about your environment.
    What about this?
    http://technet.microsoft.com/en-us/library/jj134201.aspx
    There is a requirement to have certain firewall exceptions on your target systems, but hopefully they are in place, because that is the best approach.
    I hope this post has helped!
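
The remoting route the answer sketches (identify targets with Get-ADComputer, then run the install over PowerShell sessions), as an added example that is not code from the original thread. The MSI is copied through each session so the client never has to open a file share with a delegated credential (the Kerberos second-hop problem), and its Authenticode signature is checked on the client before msiexec runs it. It needs WinRM enabled on the clients, the ActiveDirectory module, and PowerShell 5 or later on both ends for Copy-Item -ToSession; the OU, MSI path and expected signer subject are assumptions.

```powershell
# Added example, not code from the original thread: push an MSI to the workstations in
# one OU over PowerShell remoting, copying the package through the session and checking
# its Authenticode signature on the client before installing.
# OU, MSI path and signer subject are assumptions; WinRM must already be enabled.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=corp,DC=example'    # assumption
$MsiPath    = 'C:\Deploy\app-1.2.msi'                 # assumption: local copy on the admin host
$Signer     = 'CN=Contoso Software, O=Contoso, C=US'  # assumption: exact subject of the signing certificate
$Throttle   = 25                                      # batch size; stagger rather than hit every host at once

# Scope to enabled, non-server machines in one OU; Get-ADComputer -Filter * would include everything.
$targets = Get-ADComputer -SearchBase $SearchBase -Properties OperatingSystem `
    -Filter { Enabled -eq $true -and OperatingSystem -notlike '*Server*' } |
    Select-Object -ExpandProperty DNSHostName

$sessions = New-PSSession -ComputerName $targets -ThrottleLimit $Throttle `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable

# Copy inside the session: the client reads nothing from a share, so no credential delegation needed.
$remoteMsi = "C:\Windows\Temp\$([IO.Path]::GetFileName($MsiPath))"
foreach ($s in $sessions) {
    Copy-Item -Path $MsiPath -Destination $remoteMsi -ToSession $s
}

$install = {
    param($Msi, $ExpectedSigner)
    # Refuse anything that is unsigned, tampered with, or signed by someone else.
    $sig = Get-AuthenticodeSignature -FilePath $Msi
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -ne $ExpectedSigner) {
        Remove-Item $Msi -Force
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Result = "refused: signature $($sig.Status)"; Log = '' }
    }
    $log = [IO.Path]::ChangeExtension($Msi, 'log')
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$Msi`" /qn /norestart /l*v `"$log`"" -Wait -PassThru
    # 0 = installed, 3010 = installed and reboot required, 1641 = installed and reboot started
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Result = "msiexec exit $($p.ExitCode)"; Log = $log }
}

$results = Invoke-Command -Session $sessions -ScriptBlock $install `
    -ArgumentList $remoteMsi, $Signer -ThrottleLimit $Throttle

$results | Sort-Object Computer | Format-Table Computer, Result, Log -AutoSize
$unreachable | ForEach-Object { "unreachable: $($_.TargetObject)" }
Remove-PSSession $sessions
```

Machines that are off or not reachable over WinRM end up in `$unreachable`; run the same script against that list later rather than widening the filter. The signature check is what keeps a writable staging directory from becoming a way to push arbitrary code to every workstation.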

  • Hibernate all workstations idle for at least 30 minutes, after 10:00pm

    Recently I came across a challenge launched by my boss: hibernate all workstations idle for at least 30 minutes, after 10:00pm.
    By GPO, I can. So, I wrote a script.
    I'm using System.Runtime.InteropServices;
    I'm not good at scripts, so I need help to improve it.
    Please help me. Thank you.

    You ask for help improving a script that you already wrote, but you don't provide said script, nor tell us which part of the script you're having difficulties with... This makes it a bit hard to help you...
    Still, I would not suggest going down the route of creating a script for this. Yes it can obviously be done, but there are mechanisms out there that are already more appropriate for handling such things which do not involve re-inventing the wheel: GPO and
    Scheduled Tasks are two of them.
    If you create it as a *pure* script with no "help" from outside applications, you need to consider these things:
    - How do I deploy the script to every machine?
    - The script will need to be running in the background the whole time, from the time the computer starts up until it shuts down (it will sit idly doing absolutely nothing until it's past 10:00, but it will be running in the background nonetheless).
    - How do you ensure it's running properly?
    - Who will support it going forward?
    If you use a GPO, you don't have to worry about any of those things (except about how to tell whether it's running properly).
    Alternatively, you could also create a scheduled task which kicks off at 10:00 daily, with the condition "start the task only if the computer is idle for" over 30 minutes, where the command it executes hibernates the computer. Scheduled tasks can also be created by GPO,
    so you don't have to worry about many of the things you would normally have to worry about if you were using a script.
    Again, don't try to re-invent the wheel unless there is some benefit to it. From what you told us about your requirements, there isn't in your particular case.
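
The scheduled-task variant from the answer above, registered with the Task Scheduler cmdlets (Windows 8 / Server 2012 and later), as an added example that is not code from the original thread. Once it behaves as expected on one machine, the same task can be deployed with Group Policy Preferences (Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks). The task name and timeout are assumptions.

```powershell
# Added example, not code from the original thread: a daily 22:00 task that hibernates
# the machine only once it has been idle for 30 minutes. Task name and timeout are assumptions.
$TaskName = 'Hibernate-Idle-After-2200'   # assumption

$action  = New-ScheduledTaskAction -Execute 'shutdown.exe' -ArgumentList '/h'
$trigger = New-ScheduledTaskTrigger -Daily -At 22:00

# RunOnlyIfIdle + IdleDuration: start only after 30 idle minutes.
# IdleWaitTimeout: how long after 22:00 the scheduler keeps waiting for such an idle period
# before giving up for the day (8 hours, an assumption).
$settings = New-ScheduledTaskSettingsSet -RunOnlyIfIdle `
    -IdleDuration (New-TimeSpan -Minutes 30) `
    -IdleWaitTimeout (New-TimeSpan -Hours 8) `
    -AllowStartIfOnBatteries

# Run as SYSTEM so it works regardless of who (if anyone) is logged on.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force | Out-Null

# Verify: the task must be Ready, and hibernation must be enabled on the machine.
(Get-ScheduledTask -TaskName $TaskName).State
powercfg /availablesleepstates
```

If `powercfg /availablesleepstates` does not list Hibernate, enable it first with `powercfg /hibernate on` (that too can be pushed as a startup script or GPP item), otherwise `shutdown.exe /h` fails silently from the task.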

  • Deploying user certificates to all users

    I need to deploy user certificates to all my employees. It will save me from sending them an email to load up MMC, click on Certificates, then go down to User > Personal, right-click and request a user certificate.
    I checked the user certificate permissions and Domain Users has Enroll and Read allowed. There is no Autoenroll. I then created a group policy under User Configuration > Windows Settings > Security Settings > Public Key Policies.
    Under Public Key Policies, I enabled Certificate Services Client - Certificate Enrollment Policy and checked the box for Active Directory enrollment. I then clicked on Certificate Services Client - Auto-Enrollment, enabled it, and checked the boxes to update
    certificates that use certificate templates and renew expired certificates.
    Next I applied the GPO on the root of the domain using Authenticated Users as the security group on the GPO so all users get it. Since I have pushed it, when I check all systems using MMC > Certificates no one has a user certificate. Can someone explain why
    this is not working?

    Hi,
    >>I am using windows server 2008 R2. Should I see an autoenroll permission for this user template?
    As far as I know, to enable autoenrollment, users should be granted Read, Enroll, and Autoenroll permissions.
    Regarding how to configure certificate enrollment, the following articles can be referred to as reference.
    Configure Certificate Autoenrollment
    http://technet.microsoft.com/en-us/library/cc731522.aspx
    Issuing Certificates Based on Certificate Templates
    http://technet.microsoft.com/en-us/library/Cc753452.aspx
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen
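
The permission check Frank describes (Read, Enroll and Autoenroll on the template), scripted against the template object in the Configuration partition, as an added example that is not code from the original thread. It reports which of the three rights the group holds and can optionally add the missing Autoenroll ACE, which is exactly what was absent in the question above. The template name, group and `$Fix` switch are assumptions; the ActiveDirectory module (for the AD: drive) and rights to edit the template ACL are required.

```powershell
# Added example, not code from the original thread: check whether a group holds Read,
# Enroll and Autoenroll on a certificate template and optionally grant the missing
# Autoenroll right. Template name, group and $Fix are assumptions.
Import-Module ActiveDirectory

$TemplateName = 'User'                # assumption
$Principal    = 'CORP\Domain Users'   # assumption: DOMAIN\Group
$Fix          = $false                # set to $true to add the missing Autoenroll ACE

# Control-access rights defined for certificate template objects
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

$configNc = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$acl = Get-Acl -Path "AD:\$dn"

$allow = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Principal
}

function Test-ControlAccessRight {
    param($Aces, [guid]$RightGuid)
    # GenericAll covers everything; an ExtendedRight ACE with an empty ObjectType covers all control-access rights.
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    [bool]($Aces | Where-Object {
        (($_.ActiveDirectoryRights -band $all) -eq $all) -or
        ((($_.ActiveDirectoryRights -band $ext) -eq $ext) -and
            ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq [guid]::Empty))
    })
}

$hasRead       = [bool]($allow | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericRead|ReadProperty' })
$hasEnroll     = Test-ControlAccessRight -Aces $allow -RightGuid $EnrollGuid
$hasAutoEnroll = Test-ControlAccessRight -Aces $allow -RightGuid $AutoEnrollGuid

[pscustomobject]@{
    Template = $TemplateName; Principal = $Principal
    Read = $hasRead; Enroll = $hasEnroll; Autoenroll = $hasAutoEnroll
}

if ($Fix -and -not $hasAutoEnroll) {
    $sid  = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $AutoEnrollGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}
```

Granting Autoenroll to Domain Users on a template is a policy decision as much as a fix: every user in scope of the GPO will silently receive a certificate with that template's key usages, so check what the template allows (client authentication, EFS, signing) before flipping `$Fix`. The template also has to be published on the CA, or the ACL change does nothing.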

  • Same certificates for two servers using Sun Java WS 6.1sp5 with Crypto card

    Hi,
    I have 2 Sun java webserver 6.1 sp5 installed on two machines as :
    Single webserver1 instance on hostmachine1
    Single webserver1 instance on hostmachine2.
    (both instance names are same)
    I have created server certificate and installed it using External cryptographic module: Sun Crypto Accelerator 500 on hostmachine1.
    It is perfectly working fine.
    Now,for hostmachine2, I created trust database with same password as for hostmachine1, I copied the two files
    https-webserver1-hostmachine1-key3.db and
    https-webserver1-hostmachine1-cert8.db from hostmachines1 and then put on the hostmachines2 (in an serverroot/alias folder ) and then renamed them as
    https-webserver1-hostmachine2-key3.db and
    https-webserver1-hostmachine2-cert8.db
    Then I went to preferences->Edit socket listen, but security was disabled.
    I restarted the webserver, but security was still disabled.
    What is the problem?
    Please inform me, also at my email address [email protected].
    Please do reply, as I am waiting anxiously.
    Thanks.
    Taqi

    Hello,
    The problem you are reporting is not expected.
    Hope you are not trying on admin server.
    I am not sure why you removed all files from alias directory.
    Please do the following in a fresh installation:-
    1) install ws6.1sp5.
    2) copy cert and key db from the working systems to the alias
    directory of the instance.
    3) move the db files to the new name (make this name right).
    4) through admin server GUI select instance (Manage server).
    5) go to edit listen socket.
    6) turn on security and select OK.
    7) then press Apply button.
    8) then press Apply changes.
    9) it will restart your instance server and will ask you for the password.
    10) supply the security password of the first server.
    11) it will restart your instance server in https mode.
    This works fine.

  • Use GPO to set default language options, IME, display settings?

    new to GPO, we have a small Windows Server 2012 domain, all clients on Win7 or Win8.  All the clients require the following changes, anything I can automate this with GPO?  thanks
    Under Control Panel\Clock, Language, and Region\Language > Add Traditional Chinese HK SAR
    Under Control Panel\Clock, Language, and Region\Language > Traditional Chinese HK SAR > Options, Add Microsoft Quick IME
    Under Control Panel\Clock, Language, and Region\Language\Advanced settings - change language bar hot keys
        - CTRL+SHIFT+0 ------  To English (United States) - US
        - CTRL+SHIFT+0 ------  To Chinese (Traditional, Taiwan) - Microsoft Quick IME
    Under Control Panel > Region > Administrative > Change System Locale... change to Chinese HK SAR for non-Unicode programs
    Control Panel\Appearance and Personalization\Display > Change the size of all items, use custom 123%.
    Control Panel\Appearance and Personalization\Display > Update Text size to 8 for Title bars, Menu, Message Boxes, Icons, Tooltips
    I found this for the display scaling registry changes but it is for 125% and it uses 78 for the dword value, not sure about custom 123%.
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/882f17a6-7465-4aa6-8cea-27aa37a28a4d/gpo-to-set-default-windows-7-display-scaling-to-125?forum=winserverGP

    Hi lilyl,
    According to your description, you would like to deploy some settings about language and display via GPO.
    According to my knowledge, the steps you provided are from Windows 8 clients. Based on my test, you can use the following methods to realize:
    Add Traditional Chinese HK SAR. Locate the registry key HKEY_CURRENT_USER\Keyboard Layout\Preload, and then add a String Value "next number"(which has not been used)=00000404.
    The region settings. Please refer to the similar post:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/ec6a290e-fc09-4be6-9f6a-1f532d338606/change-regional-settings-locale-settings-and-keyboard-layout-using-group-policy?forum=winserverGP
    The display settings. The post you provided tells us the related registry keys, and you should try to find the right value since you want to custom it.
    In addition, please refer to the following article to learn how to deploy a registry item:
    http://technet.microsoft.com/en-us/library/cc753092.aspx
    Regards,
    Lany Zhang

  • Is there a group policy to force all workstations in an OU to logoff?

    Hello,
    Is there a group policy to force all workstations in an OU to logoff?
    Thanks in advance.

    I have not seen a policy to log off users of specific OUs, but why not give this a try:
    Import-Module ActiveDirectory
    $Computers = Get-ADComputer -Filter * -SearchBase "ou=hadock,dc=hadock,dc=net"
    foreach ($PC in $Computers) {
        # Win32Shutdown flag 4 = forced logoff (0 = logoff; adding 4 forces it, closing applications without prompting)
        (Get-WmiObject Win32_OperatingSystem -ComputerName $PC.Name).Win32Shutdown(4)
    }
    The above script uses WMI to send forced logoff requests to the clients in the Hadock OU.
    Hope it helps.
    Mahdi Tehrani Loves Powershell
    Please kindly click on Propose As Answer or Mark As Answer if this post is helpful to other people.

  • By changing CDP do i need to reissue the CA certificate and all previously certificates?

    Hi all,
    Given a Windows 2003 based CA what would be the impact of changing the CRL Distribution Point?
    I mean if i change the CDP by adding or removing entries in the Extensions tab of the CA properties, do i need to reissue a CA certificate and all  previously issued certificates?
    Many thanks,

    Well, that depends. When you change the extension for a new CDP location, that setting is used for certificates issued or renewed from that moment going forward. Do you have to renew the old certificates? That's the part that depends on your objective. If
    you want ALL certificates to use the new location and not the old one, then yes, all the existing certificates would need to be renewed. The extension property is permanently affixed to the certificate.
    If the CDP point in question is an HTTP location it may be possible to use DNS to "move it". One of the things I often advocate is the use of a DNS name alias that is resolvable internally and externally. With this defined as the CDP/AIA location,
    you can move the location around as future needs dictate without reissuing anything. 
    If you were not fortunate enough to have an alias, one other option is to retire the host name that the current CDP is located on (some random server) and use that as an alias in DNS (A record or CNAME) pointing to a new location.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.
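
Because the CDP and AIA URLs are fixed inside each issued certificate, the practical question after a CA extension change is which certificates still name the old location. The following is an added example, not code from the original thread: it walks the local Personal and Intermediate CA stores and reports every certificate whose CRL Distribution Points or Authority Information Access extension references the host being retired. The retired host name is an assumption.

```powershell
# Added example, not code from the original thread: find certificates whose CDP or AIA
# extension still points at the host you are retiring, so you know what needs renewing.
# Walks the local Personal and Intermediate CA stores; the old host name is an assumption.
$OldHost = 'oldca.corp.example'   # assumption: host name being removed from the CDP/AIA

function Get-CertUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $wanted = '2.5.29.31', '1.3.6.1.5.5.7.1.1'
    foreach ($ext in ($Cert.Extensions | Where-Object { $_.Oid.Value -in $wanted })) {
        # Format($true) renders the extension as text with one "URL=..." entry per location
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $m.Groups[1].Value }
        }
    }
}

# Match http(s) and host-qualified ldap URLs on the old host; ldap:/// entries name no host.
$pattern = "^(https?|ldap)://$([regex]::Escape($OldHost))(/|$)"

$stale = foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\CA)) {
    $hits = Get-CertUrls -Cert $cert | Where-Object { $_.Url -match $pattern }
    if ($hits) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            OldUrls    = ($hits.Url -join '; ')
        }
    }
}

if ($stale) { $stale | Sort-Object NotAfter | Format-Table -AutoSize }
else        { "No certificates in LocalMachine\My or LocalMachine\CA reference $OldHost" }
```

Before the old host actually goes away, exercise the URLs the way a relying party would with `certutil -verify -urlfetch <cert.cer>`; a CDP that no longer answers turns every revocation check on those certificates into a failure (or, worse, a silently skipped one, depending on the application's revocation mode).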

  • The most useful GPOs in Windows Server 2012R2

    What are, in your opinion, the most useful GPOs in Server 2012 R2 that improve the administrator's work and raise the level of network security?
    Could you share your opinion, please?
    This topic first appeared in the Spiceworks Community

    Good Morning All,
    I'm currently trying to run a script to convert all xls files to xlsx. I am using a script written here:
    https://gist.github.com/gabceb/954418
    The script as is:
    PowerShell
    Add-Type -AssemblyName Microsoft.Office.Interop.Excel
    $xlFixedFormat = [Microsoft.Office.Interop.Excel.XlFileFormat]::xlOpenXMLWorkbook
    write-host $xlFixedFormat
    $excel = New-Object -ComObject excel.application
    $excel.visible = $false
    $folderpath = "C:\temp\test\test_1"
    $filetype ="*xls"
    Get-ChildItem -Path $folderpath -Include $filetype -recurse | ForEach-Object `
    {
        $path = ($_.fullname).substring(0, ($_.FullName).lastindexOf("."))
        "Converting $path"
        $workbook = $excel.workbooks.open($_.fullname)
        $path += ".xlsx"
        $workbook.saveas($path, $xlFixedFormat)
        $workbook.close()
        ## Create old folder and move original files here
        $oldFolder = $path.substring(0, $path....

  • Installing Secure Certificates in SOAP Scenarios using Business Service

    Hi All,
    We are working on SOAP synchronous scenarios and we are creating a Business Service for the same. If we need to communicate through the HTTPS protocol, will it be possible to install the SSL certificates, as we are using a Business Service?
    It was said that installing certificates will only be possible when we use a Business System, but not a Business Service.
    Regards
    Jayram

    The technical connection does not care about business system or business component. This limitation does not exist.
    Andreas

  • I've imported a giant cd collection for my work in wav format for the best quality audio using iTunes version 11.1.1.  I need to transfer this library to our Music workstation using iTunes 11.0.1.  That workstation version of iTunes can't be upgraded for

    I've imported a giant CD collection for my boss in WAV format for the best quality audio using iTunes version 11.1.1.  I need to transfer this library to our music workstation using iTunes 11.0.1.  That workstation's version of iTunes can't be upgraded for compatibility reasons with other software using iTunes.  When I try to transfer the library I lose all of the CD metadata and end up with only track names.  Is there a way to transfer everything along with the metadata?

    Not easily.  WAV format does not store tag information in the file.  Realize both AIFF (equivalent to WAV) and Apple Lossless (full quality but smaller files) do, so WAV was unfortunately the worst format to choose.
    If you have to go with what you have you will have to explore exporting the library as .xml, moving it and the files to the other computer, then rebuilding a lower version library with the two sets.  I am not sure if you can do it with the library.xml file that already exists or if it too differs according to version.  You may end up having to export the files as a playlist.  You will, of course, lose artwork too, though you can try fetching it from the iTunes Store later.
    Some of what you need to do is outlined in these articles, though you have the added limitation that you are not building a library of the same version.  (It really is a pity you chose WAV, otherwise you could have simply added the ripped files and most of the data would have traveled with them.)
    https://discussions.apple.com/message/20401436 - turingtest2 11/2012 post on rebuilding empty/corrupt library after upgrade/crash from previous iTunes library file.
    iTunes: How to re-create your iTunes library and playlists - http://support.apple.com/kb/ht1451

  • I want to disable Internet access to user using GPO

    I am using Win Server 2008 R2, I want to disable the users from accessing Internet which are in that OU. Can anyone tell me how is it possible ?

    Hi,
     Disabling Internet access using software on the client is inherently difficult. The client isn't aware of what is an internal resource (like an Intranet page for example) as opposed to an Internet resource. You can use GPOs to disable specific programs
    (like browsers) or to change how traffic is routed by the client but in order to effectively control who can and can't access the Internet, your best bet is a perimeter device like a proxy or firewall that sits between your clients and the Internet and is
    integrated with AD so it can manage access to the Internet based on users, groups, IP addresses, etc.
     The closest you can come without a proxy is to configure a proxy server address for those users using the Internet Explorer Maintenance component (found under User Configuration\Windows Settings). This proxy can either be a non existent address or
    if you want more control over the error messages users get, it can be an internal web server with a page that provide a custom message. The same configuration will allow you to list specific URLs that are exempt in case you have specific web sites, internal
    or external that must be available.
     Note that this option will apply to all browsing, internal and Internet based, but will only impact IE. Internet access using other browsers or other software will not be impacted unless that software leverages the IE proxy configuration (which many
    applications do). 
    Hope this helps,
    Guy

  • Connect from workstation using local credentials

    AD is W2008r2,
    recently moved a W2008 WebServer from a PDC to this AD's domain, the local login to the WebServer is still using WebServer local accounts.
    How can I still allow users from W7 workstations to use a "net share" using the WebServer's credentials?
    What we were doing was:
    net use W: \\mxWeb\h  369874125A  /user:mxWeb\user0  from workstations to get access ,
    but since the switch to new AD that gives errors of
    System error 1326 has occurred. Logon Failure: unknown user name or bad password.
    I can not find how to allow this to happen in the Local Security Policy settings.
    (it would be nice to get samba connections from Linux pc's to work again too, Centos 5 & 6 - samba3.6)
    TechNet

    net use W: \\mxWeb.blahblah.COM\h  369874125A 
    /user:mxWeb.blahblah.COM\user0  ?
    User0 is a local use on mxWeb.blahblah.COM.
     Correct?
    try to delete all connection using Net Use * /D first
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
    Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
    This posting is provided AS IS with no warranties, and confers no rights.
