John Policelli's Blog

Covering Identity and Access Solutions, Unified Communications, Collaboration, and Infrastructure

Updated Group Policy Search Service

The Group Policy Search (GPS) service is a web application hosted on Windows Azure, which enables you to search for registry-based Group Policy settings used in Windows operating systems.

GPS version 1.1.4 is live at http://gps.cloudapp.net.  Version 1.1.4 includes registry-based policy settings from Windows 8 and Windows Server 2012, performance improvements, bug fixes, and a few little surprises.  It’s the easiest way to search for a Group Policy setting.  The changelog is as follows:

  1. Added support for Windows 8 and Windows Server 2012
  2. Added new icons in front of the policies to mark whether they are user or machine based
  3. Added auto language detection for the supported languages (en, de, fr, it, es)
  4. Added support for ajax navigation
  5. Got rid of the x-ua-compatible
  6. Suggestions should behave better now
  7. Fixed some bugs

Hotfix Released to Improve Group Policy Preferences Targeting by Computer Group Membership

As discussed in detail in a post on the AskDS team blog, using security groups for Group Policy Preferences (GPP) targeting was a really bad idea. It was bad enough that it would typically result in a long domain logon time on Windows 7 or Windows Server 2008 R2 after you deployed GPP to the computer. Microsoft recently released a hotfix that addresses this issue by changing how the Security Group Targeting item calculates computer group membership.

If you are using, or plan to use, computer group membership for GPP targeting, you’ll want to install this hotfix. Information pertaining to the hotfix can be found in Microsoft Knowledge Base article 2561285. Additional information on the issue can be found here. Additional information on the resolution can be found here.

Updated Description of Password Complexity

Microsoft has updated and corrected the description of the password complexity rules for Active Directory. The updated description can be found at http://technet.microsoft.com/en-us/library/cc786468(WS.10).aspx. Here’s a snippet:

This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created.

If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:

  • Passwords must not contain the user’s entire samAccountName (Account Name) value or entire displayName (Full Name) value. Both checks are not case sensitive:
    • The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped.
    • The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are less than three characters in length are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin," "M," and "Hagens." Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
  • Passwords must contain characters from three of the following five categories:
    • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
    • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
    • Base 10 digits (0 through 9)
    • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
    • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
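The rules quoted above are precise enough to implement, which is useful when you want to pre-validate passwords (for example, in a provisioning script) before the domain controller rejects them. The following PowerShell function is an added example, not code from the post or from Microsoft, and it makes two assumptions: the function and parameter names are my own, and the case-insensitive comparison uses .NET OrdinalIgnoreCase rather than whatever collation the DC uses internally. It applies the samAccountName check, the delimiter-based displayName token check, and the three-of-five category rule exactly as the snippet describes them.

```powershell
# Added example: validate a candidate password against the quoted AD complexity rules.
# Function name, parameter names and the comparison mode are assumptions for this example.
function Test-PasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Password,
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [string] $DisplayName = ''
    )

    $reasons    = New-Object System.Collections.Generic.List[string]
    $ignoreCase = [System.StringComparison]::OrdinalIgnoreCase   # assumed case-folding mode

    # Rule 1a: the entire samAccountName must not appear in the password
    # (case-insensitive); names shorter than three characters are not checked.
    if ($SamAccountName.Length -ge 3 -and $Password.IndexOf($SamAccountName, $ignoreCase) -ge 0) {
        $reasons.Add("password contains the samAccountName '$SamAccountName'")
    }

    # Rule 1b: split displayName on commas, periods, dashes, underscores, spaces,
    # pound signs and tabs; every token of three or more characters must not appear
    # in the password. Substrings of tokens are not checked, per the description.
    $delimiters = [char[]] @(',', '.', '-', '_', ' ', '#', "`t")
    foreach ($token in $DisplayName.Split($delimiters, [System.StringSplitOptions]::RemoveEmptyEntries)) {
        if ($token.Length -lt 3) { continue }       # e.g. the "M" in "Erin M. Hagens" is ignored
        if ($Password.IndexOf($token, $ignoreCase) -ge 0) {
            $reasons.Add("password contains the displayName token '$token'")
        }
    }

    # Rule 2: characters from at least three of the five categories.
    # The symbol set is the one listed in the description (ASCII apostrophe included).
    $symbols    = '~!@#$%^&*_-+=`|\(){}[]:;"''<>,.?/'
    $categories = @{ Upper = $false; Lower = $false; Digit = $false; Symbol = $false; OtherLetter = $false }
    foreach ($c in $Password.ToCharArray()) {
        if     ([char]::IsUpper($c))                    { $categories.Upper = $true }       # A-Z, accented, Greek, Cyrillic
        elseif ([char]::IsLower($c))                    { $categories.Lower = $true }       # a-z, sharp-s, accented, ...
        elseif ($c -ge [char]'0' -and $c -le [char]'9') { $categories.Digit = $true }       # base 10 digits only
        elseif ($symbols.IndexOf($c) -ge 0)             { $categories.Symbol = $true }
        elseif ([char]::IsLetter($c))                   { $categories.OtherLetter = $true } # e.g. CJK ideographs
    }
    $present = ($categories.Values | Where-Object { $_ } | Measure-Object).Count
    if ($present -lt 3) {
        $reasons.Add("only $present of 5 character categories present; at least 3 are required")
    }

    New-Object PSObject -Property @{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons.ToArray()
    }
}

# Usage, using the name from the description's own example (account name is assumed):
Test-PasswordComplexity -Password 'Hagens2012!'    -SamAccountName 'ehagens' -DisplayName 'Erin M. Hagens'
Test-PasswordComplexity -Password 'M0untain-Trail' -SamAccountName 'ehagens' -DisplayName 'Erin M. Hagens'
```

The first call is rejected because "Hagens" is a three-or-more-character token of the display name, exactly the case the snippet walks through; the second passes the name checks and hits three categories (uppercase, lowercase, digit, plus a symbol). Note that this reproduces only the complexity policy: minimum length, history and fine-grained password policies are enforced separately by the DC and are not modelled here.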

Group Policy Cmdlets in Windows PowerShell

Microsoft has made Group Policy cmdlets for Windows PowerShell available. These cmdlets, roughly 25 in total, can be used to:

  • Maintain GPOs (create, remove, backup, reporting, and import)
  • Associate GPOs with AD DS containers (link, update, and remove)
  • Set inheritance and permissions on AD DS OUs and domains
  • Configure registry-based settings and Group Policy Preferences Registry settings
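The following script is an added example, not code from the post or from Microsoft, and walks through each of the four capability areas listed above using the GroupPolicy module's cmdlets. The GPO name, the OU distinguished name, the scoping group, the backup directory and the Group Policy Preferences registry key are assumed values for illustration; the Terminal Services policy value is a standard Administrative Templates setting chosen only to show Set-GPRegistryValue in use.

```powershell
# Added example: exercise the Group Policy cmdlets end to end (maintain, associate,
# inheritance/permissions, registry-based and GPP Registry settings).
# Requires the RSAT Group Policy tools; run from a domain-joined management host.
Import-Module GroupPolicy

# All of these names are assumptions for this example, not values from the post.
$gpoName   = 'Workstation Baseline'
$targetOU  = 'OU=Workstations,DC=contoso,DC=com'
$scopeGrp  = 'Workstation Computers'
$backupDir = 'C:\GPOBackups'
$tsKey     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Maintain: create the GPO, or reuse it if one with this name already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if ($null -eq $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Registry-based baseline for workstations'
}

# Configure a registry-based (Administrative Templates) policy setting:
# "Allow users to connect remotely by using Remote Desktop Services", 1 = deny.
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'fDenyTSConnections' `
    -Type DWord -Value 1 | Out-Null

# Configure a Group Policy Preferences Registry item in the Computer context
# (key and value are assumed; Update creates the value or refreshes it if present).
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update `
    -Key 'HKLM\SOFTWARE\Contoso\Baseline' -ValueName 'Version' -Type String -Value '1.0' | Out-Null

# Permissions: scope application to one group instead of every authenticated user.
# -Replace swaps the existing permission level rather than adding to it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $scopeGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Associate: link the GPO to the OU. New-GPLink fails if the link already exists,
# so fall back to Set-GPLink in that case.
try {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -Enforced No -ErrorAction Stop | Out-Null
} catch {
    Set-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -Enforced No | Out-Null
}

# Inheritance: make sure the OU still inherits domain-level policy. A blocked OU
# silently drops every non-enforced GPO linked above it, which is easy to miss.
Set-GPInheritance -Target $targetOU -IsBlocked No | Out-Null

# Reporting and backup: read the setting back, export an HTML report, then back up the GPO
# so the change can be reviewed and rolled back with Import-GPO if needed.
Get-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'fDenyTSConnections'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir "$gpoName.html")
Backup-GPO -Name $gpoName -Path $backupDir -Comment 'Post-change backup'
```

Every step here is idempotent, so the script can be rerun as the baseline evolves; the report and backup at the end are what you would attach to a change record, and Backup-GPO output is what Import-GPO restores from.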


Active Directory and Active Directory Domain Services Port Requirements MS Document Published

Does this sound familiar? You need to determine the port requirements for Active Directory and you find yourself having to refer to multiple KB articles. Well, I have found myself in this situation many times, and I am happy to report that Microsoft has published a document that covers all Active Directory components (i.e. Replication, Trusts, GCs, RODCs, DNS, User and Computer Authentication, Group Policy, and Active Directory Web Services). I personally requested this whitepaper from MS and helped the MS documentation team create it. The document can be found here: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx.