GPO Template to secure Computers joined to a 2012 Domain
Hi,
We are looking to implement a "Quarantine OU" for new machines that join our domain. I've found out how to change the behavior of assigning machines to a different OU than the Computers OU using the redircmp command. Does anyone have
a good "template" resource of default security policies to assign to a new server/desktop machine that gets placed into such a quarantine OU, to ensure it's secure before moving it to a different/separate OU? I'm currently looking for knowledge base
articles that cover this. Any help would be greatly appreciated.
Thanks,
Kevin C.
Hi Kevin,
Based on the description, we can follow the suggestion provided by Martin to assign security policies to these machines.
SCM provides ready-to-deploy policies and DCM configuration packs based on Microsoft Security Guide recommendations and industry best practices, allowing
us to easily manage configuration drift and address compliance requirements for Windows operating systems and Microsoft applications.
Regarding SCM, the following articles can be referred to for more information.
Microsoft Security Compliance Manager (SCM) - Getting Started
http://social.technet.microsoft.com/wiki/contents/articles/1866.microsoft-security-compliance-manager-scm-getting-started.aspx
Microsoft Security Compliance Manager
http://technet.microsoft.com/en-us/library/cc677002.aspx
Security Compliance Manager (SCM)
http://technet.microsoft.com/en-in/solutionaccelerators/cc835245.aspx
Best regards,
Frank Shen
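The quarantine workflow from the question (redircmp) combined with the SCM baseline from the answer, as an added example that is not code from the thread: it creates the OU, redirects new computer accounts into it, imports a GPO backup (such as one exported from SCM) and links it enforced, then verifies the result. It assumes the ActiveDirectory and GroupPolicy RSAT modules and Domain Admin rights; the OU name, GPO name and backup path are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes RSAT (ActiveDirectory, GroupPolicy)
# and Domain Admin rights; all names and paths below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain     = Get-ADDomain
$ouName     = 'Quarantine'                       # placeholder OU name
$ouDN       = "OU=$ouName,$($domain.DistinguishedName)"
$gpoName    = 'Quarantine - Baseline'            # placeholder GPO name
$backupName = 'Quarantine - Baseline'            # name of the GPO inside the backup
$backupPath = 'C:\SCM\GPOBackups'                # folder from SCM "Export > GPO Backup"

# 1. Create the OU once, protected from accidental deletion.
$exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
            -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $exists) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# 2. Redirect where newly joined computer accounts land. redircmp.exe needs a
#    domain functional level of Windows Server 2003 or higher.
& redircmp.exe $ouDN
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }

# 3. Verify the redirect by re-reading the well-known computers container.
$container = (Get-ADDomain).ComputersContainer
if ($container -ne $ouDN) { throw "ComputersContainer is still $container" }

# 4. Import the baseline into a GPO and link it to the OU, enforced, so that a
#    machine in quarantine cannot have the lockdown overridden lower down.
Import-GPO -BackupGpoName $backupName -Path $backupPath `
    -TargetName $gpoName -CreateIfNeeded | Out-Null
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks |
            Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 5. Report what is waiting in quarantine so accounts do not linger there.
Get-ADComputer -SearchBase $ouDN -SearchScope OneLevel -Filter * -Properties whenCreated |
    Select-Object Name, whenCreated, DistinguishedName
```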
Similar Messages
-
Can A Windows 2000 Client Join A Windows 2012 Domain ?
I have set up a Server 2012 VM that I have configured as a DC. The desktop environment consists of Windows 7, Windows XP and a few Windows 2000 machines. All desktops can JOIN the 2012 domain, but when I try to add domain users to any of the
Windows 2000 (SP4) workstations, it fails with the error "The trust relationship between this workstation and the primary domain failed".
Unjoining the workstation from the domain (or going into ADUC and deleting the Win 2000 computer from the domain) and trying again yields the same result. I do not have this problem when the Windows 2000 machines are joined to a Server 2008 R2 domain.
At this point, I'm leaning towards setting it up as a 2008 R2 DC, and moving to a 2012 DC once we have weaned ourselves off of the Windows 2000 desktops. Is there any hope of getting things to work with a 2012 DC from the start?
Hi,
Based on my research, Windows 2000 clients are not supported with a Windows 2012 DC.
Windows client and Windows Server operating systems that are supported to join Windows Server 2012 domains
The following Windows client and Windows Server operating systems are supported for domain member computers with domain controllers that run Windows Server 2012:
Client operating systems: Windows 8, Windows 7, Windows Vista, Windows XP
Computers that run Windows 8 are also able to join domains that have domain controllers that run earlier versions of Windows Server, including Windows Server 2003 or later. In this case, however, some Windows 8 features may require additional configuration or
may not be available. For more information about those features and other recommendations for managing Windows 8 clients in downlevel domains, see Running Windows 8 member computers in Windows Server 2003 domains.
Server operating systems: Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003
Cataleya Li
TechNet Community Support -
IE 11 security settings / Server 2012 domain joined server
Can someone clarify how the security settings are automatically managed on domain-joined computers in IE 11 / Server 2012 R2:
There seem to be different settings depending on the IE Enhanced Security Settings.
In particular, if IE Enhanced Security Settings are on, Security is forced to High for Internet and admins cannot change it.
If IE Enhanced Security Settings are off for admins, Security is forced to Medium-High and admins cannot change it.
If IE Enhanced Security Settings are off, Security is Medium-High and admins can change it.
Is this by design?
Run As Administrator seems to have no effect.
This only happens on domain-joined systems.
CarolChi
Hi CarolChi,
IE-ESC is a feature of Windows Server. Yes, just as you think, this behavior is by design.
For more information, please read this article:
Internet Explorer Enhanced Security Configuration changes the browsing experience
http://support.microsoft.com/kb/815141
Karen Hu
TechNet Community Support -
Hi
It is required to create Office documents (Word, Excel, PowerPoint, etc.) from a predefined template with security markings programmatically within SharePoint document libraries.
Help with example source and references appreciated.
Best
Hi,
According to your post, my understanding is that you want to create a document based on a predefined template.
When we create a predefined template, the template is actually bound to the content type, and we can retrieve it using its URL:
web.Lists[YourList].ContentTypes[yourContentTypeId].DocumentTemplateUrl
Then we can retrieve the predefined template as an SPFile, and use the OpenBinary() method to get the byte[].
There is an article about this topic, you can refer to it.
http://nickgrattan.wordpress.com/2008/12/08/code-for-creating-new-documents-based-on-a-content-type-and-template/
More reference:
http://sharepoint.stackexchange.com/questions/22253/how-do-i-create-a-new-document-in-a-document-library-according-to-a-template-in
http://sharepoint.stackexchange.com/questions/60506/programmatically-create-a-new-document-based-on-a-content-type-template
Thanks & Regards,
Jason
Jason Guo
TechNet Community Support -
Hello,
CM 2012 now has an option "Only discover computers that have logged onto Domain in given period of time". Which Active Directory property does it look into? Is it looking into lastpwset or some other property? Please let me know the details of
this option, specifically what properties it looks into to find out the information.
Thank you
That would be the LastLogonTimeStamp attribute for the computer account.
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson
-
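A query over the same attribute the answer names, as an added example that is not code from the thread: it lists enabled computer accounts whose LastLogonTimeStamp is older than a cutoff and clamps the cutoff to the attribute's replication granularity. It assumes the ActiveDirectory RSAT module; the function name and the 90-day default are the author's choices here.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [int]$Days = 90,                                   # hypothetical default
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # lastLogonTimestamp is replicated, but a DC only rewrites it when the stored
    # value is older than msDS-LogonTimeSyncInterval (default 14 days minus a
    # random 0-5 days). A cutoff below 14 days therefore proves nothing; clamp it.
    if ($Days -lt 14) { $Days = 14 }

    # The attribute is a FILETIME (100-ns ticks since 1601) stored as Int64,
    # so the cutoff must be compared in the same representation.
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()

    # "-notlike '*'" also catches accounts that have never logged on at all,
    # which a plain "-lt" comparison would silently skip.
    $filter = "enabled -eq 'True' -and (lastLogonTimestamp -lt $cutoff -or lastLogonTimestamp -notlike '*')"

    Get-ADComputer -SearchBase $SearchBase -Filter $filter `
        -Properties lastLogonTimestamp, operatingSystem, whenCreated |
    ForEach-Object {
        $last = $null
        if ($_.lastLogonTimestamp) {
            $last = [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
        }
        [pscustomobject]@{
            Name      = $_.Name
            OS        = $_.operatingSystem
            LastLogon = $last            # $null = never logged on
            Created   = $_.whenCreated
            DN        = $_.DistinguishedName
        }
    } | Sort-Object LastLogon
}

Get-StaleComputer -Days 90 | Format-Table -AutoSize
```

Accounts returned with an empty LastLogon but a recent Created date are typically machines still sitting in the default container (or a quarantine OU) that have never authenticated.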
Templates in SCVMM 2008 R2 and SCVMM 2012 R2
Hi Experts,
I have few questions regarding VM Template creation using SCVMM.
1. What is the difference between VM templates in SCVMM 2008 R2 and SCVMM 2012 R2 ?
2. I could not see the three folders (Snapshots, Virtual hard disks and Virtual Machines) of SCVMM 2008 R2 template in a template created using SCVMM 2012 R2. Only the vhd files are present in the template. What about the config.xml file?
3. Can we customize the config.xml for our VM installations?
4. Do we need to sysprep a VM or vhd file before creating a Template ? If yes, how to do it ?
Thanks,
Saleem
The reason that I am confused is that you should not have gotten a config.xml file, even with VMM 2008.
The only time that SCVMM ever saved that (that I recall) is when a VM was stored to the Library, which is a different action than creating a template.
All of the template settings are stored in the SCVMM database. If you have a custom unattend.xml that is merged with the one that SCVMM generates on the fly at deployment time, then that is stored in the Library. But the one that SCVMM generates
based on the OS Profile is never physically saved in the Library. SCVMM always uses an unattend.xml whenever a Windows OS template is deployed.
http://technet.microsoft.com/en-us/library/bb740827.aspx
Brian Ehlert
http://ITProctology.blogspot.com
Learn. Apply. Repeat.
Disclaimer: Attempting change is of your own free will. -
What best way to turn on all computers remotely using sccm 2012 sp 1
What is the best way to turn on all computers remotely using SCCM 2012, and what is the difference between Wake On LAN and the Out of Band Service Point role?
Hey!!! I am a 1E engineer and MVP... we started the power management movement with our very first software product, created around 12 or so years ago, called 1E WakeUp. The complete solution which manages power on (integrated with SCCM, or stand alone if
you are not an SCCM shop) and power off (under a tightly controlled process) is called
NightWatchman
Here is a
recent blog post I authored that was the last in a series documenting the entire wake-up process including how it integrates with SCCM or stood up standalone. It contains links to those earlier posts that explain our entire technology, so you will likely
want to read all of them in order for a full understanding of our technology. It works incredibly well, is the most mature solution in the industry, and is extremely simple to install with minimal resources.
If you have any questions, feel free to reach out to me privately
Ed Aldrich | 1E | Pre-Sales Solutions Engineer | ConfigManager MVP 2003-2012 -
How to uninstall/remove security update for SQL Server 2012
My requirement is to uninstall/remove a security update for SQL Server 2012 Service Pack 1 only. So are the steps below correct, or do I need to take any extra precautions for the uninstallation?
Go to Control Panel > Programs > Programs and Features > Installed Updates, right-click on the update and uninstall.
As per my knowledge, in SQL Server 2005 we cannot uninstall a service pack; we have to uninstall SQL Server 2005 completely and reinstall SQL Server 2005 with the previous service
packs and updates. But starting with SQL Server 2008, we can uninstall a service pack using Control Panel.
Rahul
http://blogs.msdn.com/b/askjay/archive/2011/02/07/uninstalling-a-sql-server-service-pack.aspx
Best Regards,
Uri Dimant SQL Server MVP,
http://sqlblog.com/blogs/uri_dimant/
-
Security Update for Windows Server 2012 R2 (KB3042553)
Hello,
Security Update for Windows Server 2012 R2 (KB3042553) has been advised to be a critical update to deal with a vulnerability in HTTP.sys which could allow remote code execution.
However, for some reason I am unable to apply the patch to any of the Windows 2012 R2 servers. It errors with "The update is not applicable to your computer" when I try to install it manually / locally.
I tried to push it via WSUS and the patch is not getting detected by the servers.
Regional language settings are set to match Windows display language (Which is English).
Is anyone else experiencing this issue too? If so is there way to get this deployed please.
Thank you.
Kumar G
Hi Kumar,
I suggest you check the file version of Http.sys and compare it with the one documented in the KB article below:
MS15-034: Vulnerability in HTTP.sys could allow remote code execution: April 14, 2015
https://support.microsoft.com/en-us/kb/3042553
Best Regards,
Amy
-
The MS15-10 Security Update for Windows Server 2012/R2 Essentials and the Client Restore Functionality - The Windows Server Essentials and Small Business Server Blog - Site Home - TechNet Blogs:
http://blogs.technet.com/b/sbs/archive/2015/03/13/the-ms15-10-security-update-for-windows-server-2012-r2-essentials-and-the-client-restore-functionality.aspx
FYI
Hi Susan. I hope there's a better 'fix' coming to replace this "uninstall the updates, restore, then reinstall the updates after the restore". This kind of workaround requires that all of us remember that there's a problem
with KB3023562 and KB3004375 from now until the end of WS2012E. Not sure I'll remember this 6 months from now when the problem crops up during a restore. -:(
Merv Porter
-
Install Exchange on a 2013 Member server and later join it to a domain
I'm installing Exchange 2013 on a 2012 Server at our depot. It will be joined to an SBS2003 domain at a later date. What precautions do I need to take, especially during the pre-install?
Bonnie Whalon
That is exactly what I meant by "no".
An Exchange installation is more than installing the bits, it's configuring everything, which includes a huge amount of configuration in Active Directory. Further once you've installed Exchange on a member server, you can't rename it.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
Ramifications of joining Lion to a domain?
Hi folks. Just got a Mac at work and joined it to the domain to try it, but after that I couldn't install any applications without the domain administrator account, which is obviously not going to work because that's not me. I want to know what other major ramifications there are if I do join to the domain. I had to disjoin to get back to normal. Also, for that specific problem, how do I become a "local administrator" (Windows equivalent) of the machine if I do join back to the domain? I need to be able to do everything on this machine. No limitations. Thanks.
Hi,
What is the purpose of having two NIC's in DC's?
Generally a multihomed domain controller is supported. However, it's not recommended, as numerous issues can occur in such an environment, mostly in name resolution.
First you need to establish network connectivity between the two sites. As I said, you need a layer 3 network device which can route packets between networks.
Once you have the connectivity and the necessary ports opened between firewalls, you can go ahead and create the forest trust and give the necessary permissions to the resources.
For creating a forest trust you have to prepare DNS to resolve the other domain name properly. Use a conditional forwarder or a secondary or stub zone.
Active Directory Firewall Ports - Let's Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
How to create a cross-forest trust in Active Directory
http://searchwindowsserver.techtarget.com/tip/How-to-create-a-cross-forest-trust-in-Active-Directory
Checklist: Creating a forest trust
http://technet.microsoft.com/en-us/library/cc756852%28WS.10%29.aspx
Accessing resources across forests
http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).asp
Regards,
Rafic
-
Printer GPOs fail on some computers but work on others - error code 0x80070034
Hello, I have a couple of GPOs that roll out our printers. They have been running smoothly for quite some time, then suddenly started giving errors on our newer machines. Meaning, the GPOs will work fine on some clients but will not work on others. Also,
all other GPOs work fine on all clients. The clients are similar Lenovo Windows 7 64-bit machines.
This is the error: Event ID: 4098, Group Policy Printers. The computer '123.123.123.123' preference item in the 'Deploy printers - {3F6DE6D0-86DC-4D1F-AB99-81BC07F23F3C}' Group Policy object did not apply because it failed with error code '0x80070034 You
were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup, choose another workgroup name.' This error was suppressed.
I turned every stone I could think of on the problematic machines but cannot find out a reason. I disabled anti-virus/firewall, I logged in as domain admin and I tried both user & computer GPOs. No luck. Notice that I can successfully connect manually
to the Printer shares (the ones used to distribute the drivers).
Domain is Win2008 R2. The printers "live" on a Win2012 machine and the drivers come from there. I am using Group Policy Preferences. Ideas are welcome.
Thanks
Christos
Hello and thanks for the suggestion. Yes the drivers are okay, all clients (working and not) run the same Win 7 x64. Let me summarize the situation:
- The GPO runs because the printer IP ports are created
- The Printer Shares (that distribute the drivers) are accessible because the printer is installed without any problems/warnings if I manually double click on them (the shares)
- Security prompts for driver installs are disabled
I also noticed the following. The error says "The computer '123.123.123.123' preference item in the Group Policy object ... etc" The IP mentioned in that error is NOT the computer/client running the GPO but the IP address of the target printer.
So the client thinks the Printer already exists or the IP is already taken (or something of that sort).
Here is the GPresult XML for this
<GPO>
<Name>Printers - deploy - user</Name>
<Path>
<Identifier xmlns="http://www.microsoft.com/GroupPolicy/Types">{5C211010-F5E0-445C-99F3-0B8A9D9CB680}</Identifier>
<Domain xmlns="http://www.microsoft.com/GroupPolicy/Types">mydomain.com</Domain>
</Path>
<VersionDirectory>34</VersionDirectory>
<VersionSysvol>34</VersionSysvol>
<Enabled>true</Enabled>
<FilterId>MSFT_SomFilter.ID="{6272C5C1-9C4E-40B7-BD5A-277ED70B337D}",Domain="mydomain.com"</FilterId>
<FilterName>Any Win Desktop OS</FilterName>
<IsValid>true</IsValid>
<FilterAllowed>true</FilterAllowed>
<AccessDenied>false</AccessDenied>
<Link>
<SOMPath>mydomain.com/Configuration/Sites/MainOffice</SOMPath>
<SOMOrder>3</SOMOrder>
<AppliedOrder>1</AppliedOrder>
<LinkOrder>4</LinkOrder>
<Enabled>true</Enabled>
<NoOverride>false</NoOverride>
</Link>
</GPO> -
Renaming all computers and joining them to new domain
Hi guys,
I'm really hoping someone can help me out. I'm an IT admin with no actual training (please don't ask lol), so I'm not very knowledgeable and everything I've learned has been by reading forums and trial and error.
What I need to do is: rename all of the computers on our domain (about 160 of them) to a simple naming system (we'll say comp1, comp2, etc.), join them onto a new domain and reconnect the appropriate printers to each. Also, for some reason it is required
that I manually enter the DNS server IP in order for it to see the new domain and be able to connect.
In the past, I've learned that you have to reboot machines between both renames and domain changes, so I understand that. What I'm trying to figure out is if I can do all of this by running some sort of "script" or by a group policy or something
instead of doing everything manually (which will require an entire weekend since I have 8 locations to do this for). The machines are WinXP and Win7 and our AD server is 2008 R2.
Also, how does deleting DNS/DHCP records affect anything if I were to delete them during this process? Am I supposed to for a big rename project like this? I only ask because when I've accidentally named a computer with a name that was already on the network,
that caused an issue with DHCP. If you do have time to help me out, I appreciate it, but I'll have to request you speak in somewhat layman's terms. I apologize in advance if I frustrate anyone :)
You can script that using netdom.exe: http://support.microsoft.com/kb/298593/en-us
For the DNS records, their updates should be done automatically if you have Dynamic Updates enabled on the DNS level. As for stale DNS records, they will be removed automatically if aging and scavenging is already configured.
How to secure DNS updates on Microsoft DNS servers: http://social.technet.microsoft.com/wiki/contents/articles/21984.how-to-secure-dns-updates-on-microsoft-dns-servers.aspx
How DNS aging and scavenging works: http://social.technet.microsoft.com/wiki/contents/articles/21724.how-dns-aging-and-scavenging-works.aspx
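The bulk rename-then-join the answer says to script, as an added example that is not code from the thread: it drives the two phases (rename in the old domain, then set DNS and join the new domain) from a CSV map. In place of the netdom.exe the answer cites it uses the Rename-Computer / Add-Computer cmdlets (PowerShell 3 or later on the admin workstation, reaching XP and Win7 targets over WMI/DCOM) so that no password is passed on a command line. The domain names, OU, DNS address and computer names are constructed placeholders.

```powershell
# Added example, not from the thread. Run from an admin workstation with
# PowerShell 3+; targets only need WMI/DCOM reachable. All values are placeholders.
$newDomain = 'newcorp.example'
$newOU     = 'OU=Workstations,DC=newcorp,DC=example'
$newDns    = '10.10.0.10'                          # DNS server of the new domain
$oldCred   = Get-Credential -Message 'Admin in the OLD domain'
$newCred   = Get-Credential -Message 'Account allowed to join the NEW domain'

# Constructed sample of the rename map; in practice: Import-Csv .\rename.csv
$plan = @'
OldName,NewName
WS-ACCT-03,comp1
FRONTDESK2,comp2
'@ | ConvertFrom-Csv

function Invoke-RenamePhase {
    # Phase 1: rename while still in the old domain. The AD computer account is
    # renamed with it; each machine reboots once. Continue past failures so one
    # offline PC does not stop the batch, but keep the errors on screen.
    foreach ($row in $plan) {
        Rename-Computer -ComputerName $row.OldName -NewName $row.NewName `
            -DomainCredential $oldCred -LocalCredential $oldCred `
            -Force -Restart -ErrorAction Continue
    }
}

function Invoke-JoinPhase {
    # Phase 2 (only after every machine is back up under its new name): point
    # DNS at the new domain's server, then move the account to the new domain.
    foreach ($row in $plan) {
        $nics = Get-WmiObject Win32_NetworkAdapterConfiguration `
                    -ComputerName $row.NewName -Credential $oldCred `
                    -Filter 'IPEnabled = TRUE'
        $dnsOk = $true
        foreach ($nic in $nics) {
            $rc = $nic.SetDNSServerSearchOrder(@($newDns)).ReturnValue
            if ($rc -ne 0) {
                Write-Warning "$($row.NewName): SetDNSServerSearchOrder returned $rc"
                $dnsOk = $false
            }
        }
        if (-not $dnsOk) { continue }   # a join without working DNS will fail anyway

        Add-Computer -ComputerName $row.NewName -DomainName $newDomain -OUPath $newOU `
            -Credential $newCred -UnjoinDomainCredential $oldCred -LocalCredential $oldCred `
            -Force -Restart -ErrorAction Continue
    }
}

# Invoke-RenamePhase   # run first, wait for reboots
# Invoke-JoinPhase     # run second
```

Old-domain DNS records for the renamed machines are left to dynamic update and scavenging, as the answer describes; nothing here deletes records by hand.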
-
ADM GPO templates for Reader XI are incomplete and misleading
We've just migrated to Reader XI, and I was hoping to switch from configuring the registry settings to the new official Adobe Reader XI ADM templates. However, they are very incomplete. For example, the following registry settings are missing:
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockdown
iProtectedView
bUSEWhitelistConfigFile
bEnhancedSecurityInBrowser
bEnhancedSecurityStandalone
bDisableTrustedSites
bDisableTrustedFolders
bDisableOSTrustedSites
Also, the descriptions of many settings are misleading. A good example is "Disable automatic updates", which reads:
Disables automatic updates and removes associated user interface items.
0: Disable and lock the Updater.
1: No effect.
Setting bUpdater disables the user interface items Preferences > Updater and Help > Check for updates.
This seems logical; however, to get a "0" to be set you have to set this GPO to Disabled. So you "Disable" the "Disable automatic updates" GPO. That feels like you are enabling it. Very confusing.
I welcome the release of the official ADM templates, but it looks like a rush job and that benefits no one.
Hi,
Thanks for your feedback again. I am not sure if you have noticed that the article you provided has been updated.
As the updated article states in the Addendum section:
Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking,
turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday,
September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates.
Best regards,
Frank Shen