GPO Template to secure Computers joined to a 2012 Domain

Hi,
We are looking to implement a "Quarantine OU" for new machines that join our domain. I've found out how to change the behavior of assigning machines to a different OU than the Computers OU using the redircmp command. Does anyone have
a good "template" resource of default security policies to assign to a new server/desktop machine that gets placed into such a quarantine OU, to ensure it is secure before moving it to a different/separate OU? I'm currently looking for knowledge base
articles that cover this. Any help would be greatly appreciated.
Thanks,
Kevin C.

Hi Kevin,
Based on the description, we can follow the suggestion provided by Martin to assign security policies to these machines.
SCM provides ready-to-deploy policies and DCM configuration packs based on Microsoft Security Guide recommendations and industry best practices, allowing
us to easily manage configuration drift and address compliance requirements for Windows operating systems and Microsoft applications.
Regarding SCM, the following articles can be referred to for more information:
Microsoft Security Compliance Manager (SCM) - Getting Started
http://social.technet.microsoft.com/wiki/contents/articles/1866.microsoft-security-compliance-manager-scm-getting-started.aspx
Microsoft Security Compliance Manager
http://technet.microsoft.com/en-us/library/cc677002.aspx
Security Compliance Manager (SCM)
http://technet.microsoft.com/en-in/solutionaccelerators/cc835245.aspx
Best regards,
Frank Shen
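A script that sets up the quarantine flow the thread describes (create the OU, redirect new computer objects into it with redircmp, link a baseline GPO), as an added example that is not from the thread or from SCM; the OU name, GPO name and the single firewall setting are assumed placeholders, and the ActiveDirectory and GroupPolicy RSAT modules on PowerShell 3.0 or later are assumed:

```powershell
# Added example, not from the original thread: create a Quarantine OU, make it the
# default location for newly joined computers (redircmp), and link a baseline GPO to it.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules, Domain Admin rights, and a
# domain functional level of Windows Server 2003 or higher (required by redircmp).
# The OU name, GPO name and the one policy setting shown are placeholders, not a real baseline.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN     = (Get-ADDomain).DistinguishedName
$quarantineDN = "OU=Quarantine,$domainDN"
$gpoName      = 'Quarantine - Baseline'

# 1. Create the OU if it does not exist yet (protected so it is not deleted by accident).
$ou = Get-ADOrganizationalUnit -LDAPFilter '(ou=Quarantine)' -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name 'Quarantine' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Redirect the default Computers container so every new domain join lands in the OU.
& redircmp.exe $quarantineDN
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }

# 3. Create the baseline GPO (idempotent) and put one example setting in it:
#    Windows Firewall forced on for the domain profile. A full baseline comes from SCM.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Hardening for newly joined, not yet vetted machines' | Out-Null
}
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null

# 4. Link it to the OU, enforced, unless a link already exists.
$linked = (Get-GPInheritance -Target $quarantineDN).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $quarantineDN -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 5. Checks: the container the domain now reports as default, and what is still
#    sitting in quarantine waiting to be vetted and moved to its final OU.
"Default computer container: $((Get-ADDomain).ComputersContainer)"
Get-ADComputer -Filter * -SearchBase $quarantineDN -Properties whenCreated, operatingSystem |
    Select-Object Name, operatingSystem, whenCreated |
    Sort-Object whenCreated
```

Because the link is enforced, the quarantine settings win over anything inherited from the domain, which is what you want for machines nobody has looked at yet.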

Similar Messages

  • Can A Windows 2000 Client Join A Windows 2012 Domain ?

    I have set up a Server 2012 VM that I have configured as a DC.  The desktop environment consists of Windows 7, Windows XP and a few Windows 2000 machines.  All desktops can JOIN the 2012 domain, but when I try to add domain users to any of the
    Windows 2000 (SP4) workstations, it fails with the error "The trust relationship between this workstation and the primary domain failed".
    Unjoining the workstation from the domain (or going into ADUC and deleting the Win 2000 computer from the domain) and trying again yields the same result.  I do not have this problem when the Windows 2000 machines are joined to a Server 2008 R2 domain.
    At this point, I'm leaning towards setting it up as a 2008 R2 DC, and moving to a 2012 DC once we have weaned ourselves off of the Windows 2000 desktops.  Is there any hope of getting things to work with a 2012 DC from the start ?

    Hi,
Based on my research, Windows 2000 clients are not supported with Windows Server 2012 DCs.
Windows client and Windows Server operating systems that are supported to join Windows Server 2012 domains
The following Windows client and Windows Server operating systems are supported for domain member computers with domain controllers that run Windows Server 2012:
Client operating systems: Windows 8, Windows 7, Windows Vista, Windows XP
Computers that run Windows 8 are also able to join domains that have domain controllers that run earlier versions of Windows Server, including Windows Server 2003 or later. In this case, however, some Windows 8 features may require additional configuration or may not be available. For more information about those features and other recommendations for managing Windows 8 clients in downlevel domains, see Running Windows 8 member computers in Windows Server 2003 domains.
Server operating systems: Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003
    Cataleya Li
    TechNet Community Support

  • IE 11 security settings / Server 2012 domain joined server

Can someone clarify how the Security settings are automatically managed on domain-joined computers in IE 11 / Server 2012 R2?
There seem to be different settings depending on the IE Enhanced Security Configuration:
In particular, if IE Enhanced Security Configuration is on, Security is forced to High for the Internet zone and admins cannot change it.
If IE Enhanced Security Configuration is off for admins, Security is forced to Medium-High and admins cannot change it.
If IE Enhanced Security Configuration is off, Security is Medium-High and admins can change it.
Is this by design?
Run As Administrator seems to have no effect.
This only happens on domain-joined systems.
    CarolChi

    Hi CarolChi,
IE-ESC is a feature of Windows Server. Yes, just as you think, this behavior is by design.
    For more information, please read this article:
    Internet Explorer Enhanced Security Configuration changes the browsing experience
    http://support.microsoft.com/kb/815141
    Karen Hu
    TechNet Community Support

  • Generate documents(word,Excel,PowerPoint) from Document Templates with Security Markings programmatically

    Hi
It is required to create an Office document (Word, Excel, PowerPoint, etc.) from a predefined template with security markings programmatically within SharePoint document libraries.
Help with example source and references is appreciated.
    Best

    Hi,
According to your post, my understanding is that you want to create a document based on a predefined template.
When we create a predefined template, the template is actually bound to the content type, and we can retrieve it using its URL:
web.Lists[YourList].ContentTypes[yourContentTypeId].DocumentTemplateUrl
Then we can retrieve the predefined template as an SPFile and use the OpenBinary() method to get the byte[].
There is an article about this topic that you can refer to:
    http://nickgrattan.wordpress.com/2008/12/08/code-for-creating-new-documents-based-on-a-content-type-and-template/
    More reference:
    http://sharepoint.stackexchange.com/questions/22253/how-do-i-create-a-new-document-in-a-document-library-according-to-a-template-in
    http://sharepoint.stackexchange.com/questions/60506/programmatically-create-a-new-document-based-on-a-content-type-template
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • CM 2012 System Discovery " Only discover computers that have logged onto Domain in given period of time"

    Hello,
CM 2012 now has an option "Only discover computers that have logged onto Domain in given period of time". Which Active Directory property does it look into? Is it looking into lastpwset or some other property? Please let me know the details of
this option, specifically which properties it looks into to find out the information.
    Thank you

    That would be the LastLogonTimeStamp Attribute for the computer account.
    http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson
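The same attribute can be queried directly to see which machines the discovery option would drop, as an added example that is not from the thread; it assumes the ActiveDirectory RSAT module, and the 90-day window is an assumption:

```powershell
# Added example, not from the original thread. Lists computer accounts whose
# lastLogonTimestamp is older than a cutoff, the attribute the CM 2012 discovery option
# evaluates. Requires the ActiveDirectory RSAT module; the 90-day default is an assumption.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [int]$Days = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # lastLogonTimestamp is a FILETIME (100 ns ticks since 1601-01-01 UTC), so the cutoff
    # is converted to the same form and compared server-side in the LDAP filter.
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()
    $stale = Get-ADComputer -Filter "lastLogonTimestamp -lt $cutoff" -SearchBase $SearchBase `
                 -Properties lastLogonTimestamp, operatingSystem, whenCreated
    # Accounts that never logged on have no value at all and are missed by "-lt";
    # fetch them separately so pre-staged or abandoned objects are not overlooked.
    $never = Get-ADComputer -Filter 'lastLogonTimestamp -notlike "*"' -SearchBase $SearchBase `
                 -Properties lastLogonTimestamp, operatingSystem, whenCreated
    (@($stale) + @($never)) | Select-Object Name, operatingSystem, whenCreated,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } }
}

# Caveat: the attribute is only rewritten when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default, minus a random 0-5 days), so it is
# accurate to roughly two weeks; a cutoff shorter than that tells you nothing.
Get-StaleComputer -Days 90 | Sort-Object LastLogon | Format-Table -AutoSize
```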

  • Templates in SCVMM 2008 R2 and SCVMM 2012 R2

    Hi Experts,
    I have few questions regarding VM Template creation using SCVMM.
    1. What is the difference between VM templates in SCVMM 2008 R2 and SCVMM 2012 R2 ?
    2. I could not see the three folders (Snapshots, Virtual hard disks and Virtual Machines) of SCVMM 2008 R2 template in a template created using SCVMM 2012 R2. Only the vhd files are present in the template. What about the config.xml file?
    3. Can we customize the config.xml for our VM installations?
    4. Do we need to sysprep a VM or vhd file before creating a Template ? If yes, how to do it ?
    Thanks,
    Saleem

The reason that I am confused is that you should not have gotten a config.xml file, even with VMM 2008.
The only time that SCVMM ever saved that (that I recall) is when a VM was stored to the Library, which is a different action than creating a template.
All of the template settings are stored in the SCVMM database. If you have a custom unattend.xml that is merged with the one that SCVMM generates on the fly at deployment time, then that is stored in the Library. But the one that SCVMM generates
based on the OS Profile is never physically saved in the Library. SCVMM always uses an unattend.xml whenever a Windows OS template is deployed.
    http://technet.microsoft.com/en-us/library/bb740827.aspx
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

  • What best way to turn on all computers remotely using sccm 2012 sp 1

What is the best way to turn on all computers remotely using SCCM 2012,
and what is the difference between Wake On LAN and the out of band service point role?

    Hey!!! I am a 1E engineer and MVP... we started the power management movement with our very first software product, created around 12 or so years ago, called 1E WakeUp. The complete solution which manages power on (integrated with SCCM, or stand alone if
    you are not an SCCM shop) and power off (under a tightly controlled process) is called
    NightWatchman
Here is a recent blog post I authored that was the last in a series documenting the entire wake-up process including how it integrates with SCCM or stood up standalone. It contains links to those earlier posts that explain our entire technology, so you will likely
want to read all of them in order for a full understanding of our technology. It works incredibly well, is the most mature solution in the industry, and is extremely simple to install with minimal resources.
    If you have any questions, feel free to reach out to me privately
    Ed Aldrich | 1E | Pre-Sales Solutions Engineer | ConfigManager MVP 2003-2012

  • How to uninstall/remove security update for SQL Server 2012

My requirement is to uninstall/remove a security update for SQL Server 2012 Service Pack 1 only. So are the steps below correct, or do I need to take any extra precautions for the uninstallation?
Go to Control Panel -> Programs -> Programs and Features -> Installed Updates, right-click on the update and uninstall.
As per my knowledge, in SQL Server 2005 we cannot uninstall a service pack; we have to uninstall SQL Server 2005 completely and reinstall SQL Server 2005 with the previous service
packs and updates. But starting with SQL Server 2008, we can uninstall a service pack using Control Panel.
    Rahul

    http://blogs.msdn.com/b/askjay/archive/2011/02/07/uninstalling-a-sql-server-service-pack.aspx
    Best Regards,Uri Dimant SQL Server MVP,
    http://sqlblog.com/blogs/uri_dimant/
    MS SQL optimization: MS SQL Development and Optimization
    MS SQL Consulting:
    Large scale of database and data cleansing
    Remote DBA Services:
    Improves MS SQL Database Performance
    SQL Server Integration Services:
    Business Intelligence

  • Security Update for Windows Server 2012 R2 (KB3042553)

    Hello,
Security Update for Windows Server 2012 R2 (KB3042553) has been advised to be a critical update to deal with a vulnerability in HTTP.sys which could allow remote code execution.
However, for some reason I am unable to apply the patch to any of the Windows 2012 R2 servers. It errors with "The update is not applicable to your computer" when I try to install it manually / locally.
I tried to push it via WSUS and the patch is not getting detected by the servers.
Regional language settings are set to match the Windows display language (which is English).
Is anyone else experiencing this issue too? If so, is there a way to get this deployed, please?
    Thank you.
    Kumar G

    Hi Kumar,
    I suggest you check the file version of Http.sys and compare it with the one documented in the KB article below:
    MS15-034: Vulnerability in HTTP.sys could allow remote code execution: April 14, 2015
    https://support.microsoft.com/en-us/kb/3042553
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • The MS15-10 Security Update for Windows Server 2012/R2 Essentials and the Client Restore Functionality

    The MS15-10 Security Update for Windows Server 2012/R2 Essentials and the Client Restore Functionality - The Windows Server Essentials and Small Business Server Blog - Site Home - TechNet Blogs:
    http://blogs.technet.com/b/sbs/archive/2015/03/13/the-ms15-10-security-update-for-windows-server-2012-r2-essentials-and-the-client-restore-functionality.aspx
    FYI

    Hi Susan.  I hope there's a better 'fix' coming to replace this "uninstall the updates, restore, then reinstall the updates after the restore".  This kind of workaround requires that all of us remember that there's a problem
    with KB3023562 and KB3004375 from now until the end of WS2012E.  Not sure I'll remember this 6 months from now when the problem crops up during a restore.   -:(
Merv Porter
    =========================

  • Install Exchange on a 2013 Member server and later join it to a domain

    I'm installing Exchange 2013 on a 2012 Server at our depot. It will be joined to a SBS2003 Domain at a later date.   What precaution do I need to make.  Especially during the preinstall?
    Bonnie Whalon

    That is exactly what I meant by "no".
    An Exchange installation is more than installing the bits, it's configuring everything, which includes a huge amount of configuration in Active Directory.  Further once you've installed Exchange on a member server, you can't rename it.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Ramifications of joining Lion to a domain?

Hi folks. Just got a Mac at work and joined it to the domain to try it, but after that I couldn't install any applications without the domain administrator account, which is not going to work obviously because that's not me. I want to know what other major ramifications there are if I do join to the domain. I had to disjoin to get back to normal. Also, for that specific problem, how do I become a "local administrator" (Windows equivalent) of the machine if I do join back to the domain? I need to be able to do everything on this machine. No limitations. Thanks.

    Hi,
What is the purpose of having two NICs in DCs?
Generally a multihomed domain controller is supported. However, it's not recommended, as numerous issues can occur in such an environment, mostly in name resolution.
First you need to establish network connectivity between the two sites. As I said, you need a layer 3 network device which can route packets between networks.
Once you have the connectivity and the necessary ports opened between firewalls, you can go ahead and create the forest trust and give the necessary permissions to the resources.
For creating a forest trust you have to prepare DNS to resolve the other domain name properly. Use a conditional forwarder or a secondary or stub zone.
Active Directory Firewall Ports - Let's Try To Make This Simple
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
    How to create a cross-forest trust in Active Directory
    http://searchwindowsserver.techtarget.com/tip/How-to-create-a-cross-forest-trust-in-Active-Directory
    Checklist: Creating a forest trust 
    http://technet.microsoft.com/en-us/library/cc756852%28WS.10%29.aspx
    Accessing resources across forests
    http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).asp
    Regards,
    Rafic
    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

  • Printer GPOs fail on some computers but work on others - error code 0x80070034

Hello, I have a couple of GPOs that roll out our printers. They have been running smoothly for quite some time, then suddenly started giving errors on our newer machines. Meaning, the GPOs will work fine on some clients but will not work on others. Also,
all other GPOs work fine on all clients. The clients are similar Lenovo Windows 7 64-bit machines.
    This is the error: Event ID: 4098, Group Policy Printers. The computer '123.123.123.123' preference item in the 'Deploy printers - {3F6DE6D0-86DC-4D1F-AB99-81BC07F23F3C}' Group Policy object did not apply because it failed with error code '0x80070034 You
    were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup, choose another workgroup name.' This error was suppressed.
    I turned every stone I could think of on the problematic machines but cannot find out a reason. I disabled anti-virus/firewall, I logged in as domain admin and I tried both user & computer GPOs. No luck. Notice that I can successfully connect manually
    to the Printer shares (the ones used to distribute the drivers).
    Domain is Win2008 R2. The printers "live" on a Win2012 machine and the drivers come from there. I am using Group Policy Preferences. Ideas are welcome.
    Thanks
    Christos

    Hello and thanks for the suggestion. Yes the drivers are okay, all clients (working and not) run the same Win 7 x64. Let me summarize the situation:
    - The GPO runs because the printer IP ports are created
    - The Printer Shares (that distribute the drivers) are accessible because the printer is installed without any problems/warnings if I manually double click on them (the shares)
    - Security prompts for driver installs are disabled
    I also noticed the following. The error says "The computer '123.123.123.123' preference item in the Group Policy object ... etc" The IP mentioned in that error is NOT the computer/client running the GPO but the IP address of the target printer.
    So the client thinks the Printer already exists or the IP is already taken (or something of that sort).
    Here is the GPresult XML for this
    <GPO>
      <Name>Printers - deploy - user</Name>
      <Path>
    <Identifier xmlns="http://www.microsoft.com/GroupPolicy/Types">{5C211010-F5E0-445C-99F3-0B8A9D9CB680}</Identifier>
        <Domain xmlns="http://www.microsoft.com/GroupPolicy/Types">mydomain.com</Domain>
      </Path>
      <VersionDirectory>34</VersionDirectory>
      <VersionSysvol>34</VersionSysvol>
      <Enabled>true</Enabled>
      <FilterId>MSFT_SomFilter.ID="{6272C5C1-9C4E-40B7-BD5A-277ED70B337D}",Domain="mydomain.com"</FilterId>
      <FilterName>Any Win Desktop OS</FilterName>
      <IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed>
      <AccessDenied>false</AccessDenied>
      <Link>
        <SOMPath>mydomain.com/Configuration/Sites/MainOffice</SOMPath>
        <SOMOrder>3</SOMOrder>
        <AppliedOrder>1</AppliedOrder>
        <LinkOrder>4</LinkOrder>
        <Enabled>true</Enabled>
        <NoOverride>false</NoOverride>
      </Link>
    </GPO>

  • Renaming all computers and joining them to new domain

    Hi guys, 
    I'm really hoping someone can help me out. I'm an IT Admin with no actual training (please don't ask lol) so I'm not very knowledgeable and everything I've learned has been by reading forums and trial and error.
    What I need to do is: rename all of the computers on our domain (about 160 of them) to a simple naming system (we'll say comp1, comp2, etc), join them onto a new domain and reconnect the appropriate printers to each. Also, for some reason it is required
    I manually enter the DNS server IP in order for it to see the new domain and be able to connect. 
    In the past, I've learned that you have to reboot machines between both renames and domain changes so I understand that. What I'm trying to figure out is if I can do all of this by running some sort of "script" or by a group policy or something
    instead of doing everything manually (which will require an entire weekend since I have 8 locations to do this for). The machines are WinXP and Win7 and our AD server is 2008 R2.
Also, how does deleting DNS/DHCP records affect anything if I were to delete them during this process? Am I supposed to for a big rename project like this? I only ask because when I've accidentally named a computer with a name that was already on the network,
that caused an issue with DHCP. If you do have time to help me out, I appreciate it, but I'll have to request you speak in somewhat layman's terms. I apologize in advance if I frustrate anyone :)

    You can script that using netdom.exe: http://support.microsoft.com/kb/298593/en-us
    For the DNS records, their updates should be done automatically if you have Dynamic Updates enabled on the DNS level. As for stale DNS records, they will be removed automatically if aging and scavenging is already configured.
    How to secure DNS updates on Microsoft DNS servers: http://social.technet.microsoft.com/wiki/contents/articles/21984.how-to-secure-dns-updates-on-microsoft-dns-servers.aspx
    How DNS aging and scavenging works: http://social.technet.microsoft.com/wiki/contents/articles/21724.how-dns-aging-and-scavenging-works.aspx
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
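One way to drive netdom.exe from a CSV mapping in two passes (rename first, join after the reboots), as an added example that is not from the thread; the CSV path and columns, domain names, OU and accounts are placeholders, PowerShell 3.0 or later is assumed, and it assumes each client already points at the new domain's DNS servers, which the poster says had to be done by hand:

```powershell
# Added example, not from the original thread: bulk rename with netdom.exe from a CSV
# mapping (-Phase Rename), then on a second run after the reboots join the renamed
# machines to the new domain (-Phase Join). All names and paths below are placeholders.
# Assumes the new domain's DNS servers are already configured on each client.
param(
    [Parameter(Mandatory)][ValidateSet('Rename', 'Join')][string]$Phase,
    [string]$CsvPath   = 'C:\rename\computers.csv',   # columns: OldName,NewName
    [string]$OldAdmin  = 'OLDDOMAIN\admin',            # admin in the old domain and on the clients
    [string]$NewDomain = 'newdomain.example',
    [string]$NewAdmin  = 'NEWDOMAIN\joinaccount',      # account allowed to join computers
    [string]$TargetOU  = 'OU=Workstations,DC=newdomain,DC=example'
)
# Ask once per run; netdom only accepts plaintext passwords, so they stay in memory here
# and are visible on the local process command line only while netdom runs.
$oldPwd = (Get-Credential -UserName $OldAdmin -Message 'Old domain admin').GetNetworkCredential().Password
if ($Phase -eq 'Join') {
    $newPwd = (Get-Credential -UserName $NewAdmin -Message 'New domain join account').GetNetworkCredential().Password
}
$log = Join-Path $env:TEMP "netdom-$Phase.log"

foreach ($row in Import-Csv -Path $CsvPath) {
    # Before the rename the machine answers to its old name, afterwards to the new one.
    $target = if ($Phase -eq 'Rename') { $row.OldName } else { $row.NewName }
    if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) {
        "$(Get-Date -Format s) SKIP $target unreachable" | Tee-Object -FilePath $log -Append
        continue
    }
    if ($Phase -eq 'Rename') {
        # Rename inside the old domain; /Reboot restarts the client after 30 seconds.
        $out = & netdom.exe renamecomputer $row.OldName /NewName:$($row.NewName) `
            /UserD:$OldAdmin /PasswordD:$oldPwd /Force /Reboot:30 2>&1
    } else {
        # Join the renamed, rebooted machine: /UserO authenticates to the machine itself,
        # /UserD to the new domain. Second reboot completes the domain change.
        $out = & netdom.exe join $row.NewName /Domain:$NewDomain /OU:$TargetOU `
            /UserD:$NewAdmin /PasswordD:$newPwd /UserO:$OldAdmin /PasswordO:$oldPwd /Reboot:30 2>&1
    }
    $status = if ($LASTEXITCODE -eq 0) { 'OK' } else { "FAIL($LASTEXITCODE)" }
    "$(Get-Date -Format s) $status $target $($out -join ' ')" | Tee-Object -FilePath $log -Append
}
```

Run the Rename pass, wait for the reboots to finish, then run the Join pass; the log tells you which of the 160 machines need a manual visit.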

  • ADM GPO templates for Reader XI are incomplete and misleading

We've just migrated to Reader XI, and I was hoping to switch configuring the registry settings to the new official Adobe Reader XI ADM templates. However, they are very incomplete. For example, the following registry settings are missing:
    HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockdown
    iProtectedView
    bUSEWhitelistConfigFile
    bEnhancedSecurityInBrowser
    bEnhancedSecurityStandalone
    bDisableTrustedSites
    bDisableTrustedFolders
    bDisableOSTrustedSites
Also, the descriptions of many settings are misleading. A good example is "Disable automatic updates" which reads:
    Disables automatic updates and removes associated user interface items.
    0: Disable and lock the Updater.
    1: No effect.
Setting bUpdater disables the user interface items Preferences > Updater and Help > Check for updates.
This seems logical; however, to get a "0" to be set you have to set this GPO to Disabled. So you "Disable" the "Disable automatic updates" GPO. That feels like you are enabling it. Very confusing.
I welcome the release of the official ADM templates, but it looks like a rush job, and that benefits no one.

    Hi,
    Thanks for your feedback again. I am not sure if you have noticed that the article you provided has been updated.
    As the updated article states in the Addendum section:
    Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking,
    turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday,
    September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates.
    Best regards,
    Frank Shen
