This blog is dedicated to MS Exchange 2007, Active Directory, and MSCS Services articles and demos. It's all about Microsoft Exchange 2007.

9th
JUL

How to Remove Registry Key Using Batch File

Posted by Usman under Active Directory

You can use the following syntax to remove a registry key using a batch file.

1- Create a new text file in Notepad and save it as “File.bat”

2- Open File.bat in Notepad and put in the following syntax

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v "AgentGUID" /f

You can use your own registry key path.

The /f switch deletes without prompting for Yes/No confirmation. Because /v is given, this command removes only the AgentGUID value under that key; without /v, REG DELETE removes the key itself.

9th

How to add Exceptions in Windows Firewall Using GPO

Posted by Usman under Active Directory

You can use this Group Policy setting to open specific ports on Windows Firewall.

1- Open Active Directory Users and Computers
2- Right-click the domain name or OU to which you want to apply the firewall exceptions
3- Click the Group Policy tab, click the policy name and click Edit
4- Expand Computer Configuration –> Administrative Templates –> Network –> Network Connections –> Windows Firewall –> Domain Profile
5- Click Windows Firewall: Define Port Exceptions, then click Enable
6- Click Show, then click Add

Write each entry using this syntax:

Port:Transport:Subnet:Status:Name

Port: the port number, such as 80 or 8080
Transport: TCP or UDP
Subnet: the networks the exception applies to
Status: enabled or disabled
Name: the name of the exception

Example

8080:TCP:192.168.0.1/16:enabled:HTTP Access
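
A small linter for these entries, added here as an illustration and not part of the original post, can catch malformed or overly broad exceptions before they go into the GPO. The scope keywords "*" and "localsubnet" are assumptions taken from the policy's help text, and the sample entries other than the post's own example are constructed.

```python
import ipaddress

SCOPE_KEYWORDS = ("*", "localsubnet")  # assumption: from the policy's help text


def parse_port_exception(entry):
    """Parse one Port:Transport:Subnet:Status:Name entry; raise ValueError if malformed."""
    parts = [p.strip() for p in entry.split(":", 4)]  # name is last, may contain ':'
    if len(parts) != 5:
        raise ValueError("expected 5 colon-separated fields: %r" % entry)
    port, transport, subnet, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("invalid port: %r" % port)
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError("transport must be TCP or UDP: %r" % transport)
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("status must be enabled or disabled: %r" % status)
    if not name:
        raise ValueError("exception name is empty")

    scopes, notes = [], []
    for item in subnet.split(","):
        item = item.strip()
        if item.lower() in SCOPE_KEYWORDS:
            scopes.append(item.lower())
            if item == "*":
                notes.append("port is open to every source address")
            continue
        net = ipaddress.ip_network(item, strict=False)  # ValueError if not an address
        if "/" in item and str(net) != item:
            notes.append("%s has host bits set; normalizes to %s" % (item, net))
        scopes.append(str(net))
    return {"port": int(port), "transport": transport.upper(), "scopes": scopes,
            "enabled": status.lower() == "enabled", "name": name, "notes": notes}


def lint(entries):
    """Return {entry: parsed dict or rejection string} for a list of entries."""
    report = {}
    for entry in entries:
        try:
            report[entry] = parse_port_exception(entry)
        except ValueError as exc:
            report[entry] = "REJECTED: %s" % exc
    return report


if __name__ == "__main__":
    # First entry is the post's example; the others are constructed samples.
    samples = ["8080:TCP:192.168.0.1/16:enabled:HTTP Access",
               "8080:TCP:*:enabled:HTTP Access", "70000:TCP:10.0.0.0/8:enabled:Bad port"]
    for entry, result in lint(samples).items():
        print(entry, "=>", result)
```
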

12th
MAY

Software Restriction through Group Policies

Posted by Nausherwan under Active Directory

To restrict the use of a piece of software through Group Policy:

1. Go to the particular OU, right-click it and open the Group Policy properties.

2. Go to User Configuration and click Windows Settings –> Security Settings –> Software Restrictions.

3. In the Enforcement tab, select all software files and all users except local administrators.

4. Define a new path rule.

5. The path is the installation path of the software you want to block, e.g. C:\Program Files\Microsoft Office (or whatever software you want to block).

6. Close the Group Policy console.

10th
APR

Hide all drives except Z drive using group policy

Posted by under Active Directory

By default, GPO lets you hide drives only in the following combinations:

  • Restrict A, B, C and D drives only
  • Restrict A, B and C drives only
  • Restrict A and B drives only
  • Restrict all drives
  • Restrict C drive only
  • Restrict D drive only
  • Do not restrict drives

If you set up a home drive (Z:) for a user and restrict all drives, that drive will be hidden like the others. To resolve this, we can create a custom ADM template that shows only the home drive.

Create a Notepad file, rename it to HideDrives.adm, and paste the following code into it:

CLASS USER

CATEGORY !!CustomizedSettings
CATEGORY !!WindowsExplorer
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY !!NoDrives
EXPLAIN !!NoDrives_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME "NoDrives"
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!CDOnly VALUE NUMERIC 12
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!AllExceptZ VALUE NUMERIC 33554431
NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
; low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY

POLICY !!NoViewOnDrive
EXPLAIN !!NoViewOnDrive_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME "NoViewOnDrive"
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!CDOnly VALUE NUMERIC 12
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!AllExceptZ VALUE NUMERIC 33554431
NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
; low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY

END CATEGORY ; !!WindowsExplorer

END CATEGORY ; !!CustomizedSettings

[STRINGS]
ABCDOnly="Restrict drives A, B, C and D only"
ABConly="Restrict drives A, B and C only"
ABOnly="Restrict drives A and B only"
AllExceptZ="Restrict all drives except Z"
ALLDrives="Restrict all drives"
COnly="Restrict drive C only"
DOnly="Restrict drive D only"
CDOnly="Restrict drives C and D only"
NoDrives="Hide these drives in Explorer"
NoDrivesDropdown="Choose one of the following combinations:"
NoDrives_Help="*** Copy and paste this entry from %SYSTEMROOT%\inf\system.adm! ***"
NoViewOnDrive="Restrict access to these drives"
NoViewOnDrive_Help="*** Copy and paste this entry from %SYSTEMROOT%\inf\system.adm! ***"
RestNoDrives="Do not restrict any drives"

CustomizedSettings="Customized Settings"
WindowsExplorer="Windows Explorer"

; Pattern to hide drives; convert the binary to decimal:
; zyxwvutsrqponmlkjihgfedcba
; 00000000000000000000001100

Now place this file on your DC in the following location:

C:\windows\inf

Open Group Policy Editor.

Right-click Administrative Templates and choose Add/Remove Templates.
Click Add and select the HideDrives.adm file.

Go to User Configuration –> Administrative Templates –> Customized Settings –> Windows Explorer.
Open the properties of "Hide these drives in Explorer", select Enable and choose "Restrict all drives except Z" from the combo box.
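
The numeric values in the template are bitmasks with one bit per drive letter (A is bit 0, Z is bit 25). The following helper is an added example, not part of the original post; it goes beyond the single "all except Z" case by computing the value for any set of drives that should stay visible, and the string ID AllExceptHZ is hypothetical.

```python
import string

DRIVE_BITS = 26  # one bit per drive letter: A = bit 0 ... Z = bit 25


def drives_to_mask(letters):
    """Return the NoDrives/NoViewOnDrive value that restricts the given drives."""
    mask = 0
    for letter in letters:
        letter = letter.upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError("not a drive letter: %r" % letter)
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def mask_to_drives(mask):
    """Decode a policy value back into the drive letters it restricts."""
    if not 0 <= mask < (1 << DRIVE_BITS):
        raise ValueError("value does not fit in %d bits: %r" % (DRIVE_BITS, mask))
    return "".join(c for i, c in enumerate(string.ascii_uppercase) if (mask >> i) & 1)


def all_except(visible):
    """Value that restricts every drive except the ones listed in `visible`."""
    return ((1 << DRIVE_BITS) - 1) & ~drives_to_mask(visible)


def bit_pattern(mask):
    """Render the value as the z..a bit pattern used in the template's comment."""
    return format(mask, "0%db" % DRIVE_BITS)


def adm_item(string_id, visible):
    """Build an ITEMLIST line for a custom 'all except ...' entry."""
    return "NAME !!%s VALUE NUMERIC %d" % (string_id, all_except(visible))


if __name__ == "__main__":
    print(adm_item("AllExceptZ", "Z"))      # matches the entry in the template
    print(adm_item("AllExceptHZ", "HZ"))    # hypothetical entry: keep H: and Z: visible
    print(bit_pattern(drives_to_mask("CD")), "=", drives_to_mask("CD"))
    print(mask_to_drives(33554431))         # audit an existing value
```
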

6th
APR

How to change the default location of new user accounts and computers

Posted by under Active Directory

When you create a new user or computer in Active Directory, the new account is placed in the predefined Active Directory containers “Users” and “Computers”. DCPROMO puts all new user accounts in the “Users” AD container and all computers in the “Computers” AD container.

The Users and Computers containers aren’t AD organizational units (OUs), so you can’t link OU-level Group Policy Objects (GPOs) to them. To apply GPOs at the OU level, you must create new OUs for user and computer objects, which also makes Active Directory easier to manage. It’s good practice to change the default location of newly created user and computer objects. You can set the location when creating users with scripts, or change the default with the Redirusr and Redircmp command-line utilities.

Example:

Organizational Unit: usersou

Domain: Contoso.com

redirusr ou=usersou,dc=contoso,dc=com

Before executing this command, make sure that “usersou” exists in Active Directory. This command is only compatible with Windows Server 2003; you can’t run it on Windows 2000 Server or NT 4.0.

12th
FEB

How to assign Domain Joining rights to a normal user

Posted by under Active Directory

In Active Directory, “Account Operators” have the right to join workstations to the domain by default. If you don’t want to add a user to the “Account Operators” group, you can assign domain-joining rights to a normal user with the following procedure.

1. Click Start, click Run, type dsa.msc, and then click OK.
2. In the task pane, expand the domain node.
3. Locate and right-click the OU that you want to modify, and then click Delegate Control.
4. In the Delegation of Control Wizard, click Next.
5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
6. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
7. Click Only the following objects in the folder, and then from the list, click to select the following check boxes:
  • Computer objects
  • Create selected objects in this folder
  • Delete selected objects in this folder

8. Click Next.
9. In the Permissions list, click to select the following check boxes:
  • Reset Password
  • Validated write to DNS host name
  • Read and write Account Restrictions
  • Validated write to service principal name

10. Click Next, and then click Finish.
11. Close the “Active Directory Users and Computers” MMC snap-in.

15th
JAN

How to find out current Schema Version of Active Directory

Posted by under Active Directory

We can find out the current schema version of Active Directory using the following two methods.

1- AdsiEdit.msc

Navigate to:

CN=Schema,CN=Configuration,DC=domain,DC=local

and look at the current “objectVersion” attribute.

2- DsQuery command line

dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

The objectVersion values of the Active Directory schema are:

13 -> Windows 2000 Server
30 -> Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
31 -> Windows Server 2003 R2
44 -> Windows Server 2008 RTM