GPO whack-a-mole: There it is! No, it isn’t!


Have you ever visited a town and tried to find the General Post Office so you could mail a package? Or have you ever wondered what your Government Pension Offset will be when you reach retirement age? Or, if you're writing some application code and you need to route the output of a command to a General Purpose Output, what should you do? And that old Corvette sitting around collecting dust in your garage: maybe you should bite the bullet, haul it down to the scrap yard, and have it cut up and sold as Good for Parts Only. I think you get the idea. Clearly, since this is a tech site, we're not talking about any old GPO here. Nope, I'm talking about a Group Policy Object (GPO), something that any Windows Server administrator should be familiar with.

GPOs are basically containers used to store policy settings for objects in an Active Directory forest (users, groups, computers, and the folders, printers and other resources they work with). Administrators link GPOs to sites, domains and organizational units to control the configuration of the user and computer objects in them, how those objects behave, and what users and computers are able to access. GPOs are thus a key component of how Group Policy works in an Active Directory environment.

All this is widely known and well understood by any Windows admin worth their salt. The problem, however, is that GPOs are a lot like rabbits. What I mean is, they tend to multiply and proliferate until they start to become a pest and a nuisance for managing your company's Windows Server-based network. A typical enterprise with multiple sites and many hundreds or thousands of computers can end up with dozens and dozens of GPOs, or maybe even many hundreds, as the weary administrator tries to control or lock down user access to different aspects of the network in an ever more granular game of whack-a-mole. The result can quickly turn into a Great Pile Of you-know-what where the admin no longer knows, for example, which client computers at a given site have Folder Redirection configured to redirect the saving of users' documents to a central file repository. I recently came across just such a problem that a friend of mine who administers a large AD infrastructure was experiencing. In other words, his pressing question was this: Which GPOs in my AD environment are being used to configure Folder Redirection for users?

Finding a GPO

His solution was to query Active Directory for the globally unique identifier (GUID) of the Client-Side Extension (CSE) for Folder Redirection in Group Policy. The tool he used for this was the Dsquery command, a command-line tool that has shipped with Windows Server since Windows Server 2003 and is installed with the Active Directory Domain Services (AD DS) server role (or with the RSAT tools on other machines). Dsquery comes in a whole bunch of flavors such as Dsquery computer, Dsquery user, Dsquery group, and so on, but the specific flavor needed here was the most general one: Dsquery *, which can be used to find objects in the directory based on criteria specified as a Lightweight Directory Access Protocol (LDAP) query.

To use this command, my friend first needed the GUID for the Folder Redirection CSE. This information can be found in a very old but still accurate Microsoft Knowledge Base article, KB216357, which told him that the GUID for the Folder Redirection extension is 25537BA6-77A8-11D2-9B6C-0000F8080861. With that in hand he ran a Dsquery * command along these lines:

dsquery * domainroot -scope subtree -filter "(&(objectClass=groupPolicyContainer)(gPCUserExtensionNames=*25537BA6-77A8-11D2-9B6C-0000F8080861*))" -attr displayName gPCUserExtensionNames -limit 0

Here the start node can be forestroot if you want the search to begin at the root of your Active Directory forest; domainroot if you want to start at the current domain; or the distinguished name (DN) of some particular container in Active Directory, such as CN=Policies,CN=System,DC=yourdomain,DC=com, which is where the GPO objects themselves live. The -scope portion sets how far the search reaches: subtree walks everything beneath the start node, onelevel looks only at its immediate children, and base returns just the single object you named (which is why -scope base can never answer "which GPOs have extension X"; it only ever inspects one object). The -filter is an LDAP search filter; the one above restricts the results to GPO objects (class groupPolicyContainer) whose gPCUserExtensionNames attribute contains the Folder Redirection GUID. That attribute, not objectGUID, is where a GPO records the CSEs it uses: objectGUID is simply the GPO's own identity, whereas gPCUserExtensionNames (and gPCMachineExtensionNames for computer-side settings) holds the list of {CSE GUID}{snap-in GUID} pairs for the settings actually configured in it. Because the attribute holds several such pairs, the wildcards around the GUID are required. Finally, -attr names the attributes to display for each match (it does not narrow the search), and -limit 0 lifts Dsquery's default cap of 100 results so nothing is silently dropped. The output is the list of every GPO object in Active Directory that has the Folder Redirection extension, which is exactly what he was after.

Switching to PowerShell


Dsquery * is an extremely handy tool you can pull out of your Active Directory toolbox when you need it. For example, let's say you quickly wanted to find out how many security groups you have created in your Active Directory environment. A simple command like this will tell you:

dsquery * domainroot -filter "(groupType:1.2.840.113556.1.4.803:=2147483648)" -limit 0 | find /c /v ""

The string "(groupType:1.2.840.113556.1.4.803:=2147483648)" in this example follows the format of an LDAP search filter. The odd-looking 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible matching rule: it matches objects in which every bit of the supplied value is set in the attribute, so this filter selects groups whose groupType carries the 0x80000000 (ADS_GROUP_TYPE_SECURITY_ENABLED) flag, whether they are global, domain local or universal. (If you supply -2147483646 instead, which is 0x80000002, you get only global security groups, because the global-scope bit then has to be set as well.) The -limit 0 lifts Dsquery's default cap of 100 results, and piping into find /c /v "" counts the lines returned, one per group. Microsoft's Search Filter Syntax article on MSDN explains LDAP search filter syntax in detail, and I highly recommend reading it if you find you have insomnia.

Of course, Windows PowerShell can also be used to squeeze this kind of information out of Active Directory, and the specific cmdlet you'll want here is Get-ADObject, which can be used either to retrieve one specific object from Active Directory (by -Identity) or to perform a search that returns multiple objects. Unfortunately, if you want to retrieve multiple objects, you still have to specify some syntax for saying which ones. But with Get-ADObject you now have two choices of sleeping pill. You can either supply an -LDAPFilter using the same kind of syntax you've learned from Dsquery *, or you can use the -Filter parameter and the newer PowerShell Expression Language (PEL) to write the query. A -Filter expression is converted into an LDAP filter before it is sent to the domain controller, so the same search can be written either way, which also makes it easy to check one spelling of a query against the other.
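As an added example (not from the original article) that ties the two halves of this post together, here is a PowerShell script that answers my friend's question with Get-ADObject: it runs the Folder Redirection query first with -LDAPFilter and then as the same query in PEL via -Filter, checks that the two agree, and then searches the gPLink attributes of domain containers and sites to report where each matching GPO is linked. It assumes the ActiveDirectory module (RSAT / AD DS tools) is installed and that it runs as a domain user in the target domain; the domain and search-base DNs are derived at run time rather than hard-coded, and the helper name Get-FolderRedirectionGpo is mine, not part of the module.

```powershell
# Added example, not from the original article.
# Find every GPO in the current domain that carries the Folder Redirection
# client-side extension, then report where each one is linked.
# Assumes the ActiveDirectory module (RSAT / AD DS tools) is available.
Import-Module ActiveDirectory

# Folder Redirection CSE GUID, from KB216357. Folder Redirection is a user-side
# extension, so it is recorded in gPCUserExtensionNames; computer-side CSEs land
# in gPCMachineExtensionNames instead.
$FolderRedirectionCse = '25537BA6-77A8-11D2-9B6C-0000F8080861'

$domainDn   = (Get-ADDomain).DistinguishedName
$policiesDn = "CN=Policies,CN=System,$domainDn"                            # groupPolicyContainer objects live here
$sitesDn    = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"    # site-level gPLinks live here

function Get-FolderRedirectionGpo {
    # Helper defined for this example; -Syntax picks which spelling of the query to send.
    param([ValidateSet('LDAP', 'PEL')][string]$Syntax)

    $props = 'displayName', 'gPCUserExtensionNames', 'gPCFileSysPath'
    if ($Syntax -eq 'LDAP') {
        # Same filter string Dsquery * would take after -filter. The wildcards
        # matter: the attribute holds several [{CSE-GUID}{snap-in-GUID}] pairs.
        Get-ADObject -SearchBase $policiesDn -SearchScope OneLevel -Properties $props `
            -LDAPFilter "(&(objectClass=groupPolicyContainer)(gPCUserExtensionNames=*$FolderRedirectionCse*))"
    } else {
        # The same query in PowerShell Expression Language (the -Filter parameter).
        Get-ADObject -SearchBase $policiesDn -SearchScope OneLevel -Properties $props `
            -Filter "objectClass -eq 'groupPolicyContainer' -and gPCUserExtensionNames -like '*$FolderRedirectionCse*'"
    }
}

$viaLdap = @(Get-FolderRedirectionGpo -Syntax LDAP)
$viaPel  = @(Get-FolderRedirectionGpo -Syntax PEL)

# Both spellings of the query must return the same GPOs; if they do not, one
# of the filters is wrong and nothing below should be trusted.
$ldapDns = ($viaLdap.DistinguishedName | Sort-Object) -join "`n"
$pelDns  = ($viaPel.DistinguishedName  | Sort-Object) -join "`n"
if ($ldapDns -ne $pelDns) { throw 'LDAPFilter and Filter returned different GPO sets' }

foreach ($gpo in $viaLdap) {
    # A GPO object is named by its GUID, CN={...}, and that GUID is what the
    # gPLink attribute of a site, domain or OU refers to, e.g.
    #   [LDAP://cn={GUID},cn=policies,cn=system,DC=...;0]
    # The number after the semicolon is the link option: 0 enabled, 1 disabled,
    # 2 enforced, 3 disabled and enforced. A substring match on the GUID is enough.
    $gpoGuid    = $gpo.Name
    $linkFilter = "(gPLink=*$gpoGuid*)"
    $links = @(Get-ADObject -LDAPFilter $linkFilter -SearchBase $domainDn -Properties gPLink) +
             @(Get-ADObject -LDAPFilter $linkFilter -SearchBase $sitesDn  -Properties gPLink)

    if ($links.Count -gt 0) { $linkedTo = $links.DistinguishedName -join '; ' }
    else                    { $linkedTo = '(not linked anywhere)' }

    [pscustomobject]@{
        DisplayName = $gpo.displayName
        GpoGuid     = $gpoGuid
        SysvolPath  = $gpo.gPCFileSysPath
        LinkedTo    = $linkedTo
    }
}
```

A GPO that shows up as "(not linked anywhere)" still configures Folder Redirection on paper but affects nobody, which is exactly the kind of leftover that piles up in the whack-a-mole game described above; the link list is what tells you which sites and OUs (and therefore which users) actually receive the setting.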

The PowerShell Expression Language is explained more fully in the about_ActiveDirectory_Filter help topic for the Get-ADObject cmdlet, which can be found on this TechNet page.

Well, actually it isn't; that page just points you to another help topic called about_Regular_Expressions, which is found on this MSDN page. I always find it fascinating how Microsoft keeps moving documentation around like this, from TechNet to MSDN to who knows where in the future.

In any case, if you have trouble sleeping and the LDAP search filter syntax doesn't help, you can always take a PEL.
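The bitwise matching rule in the security-group filter is the part people find most opaque, so here is a second added PowerShell example (not from the original article) that runs the same groupType query through Get-ADObject, decodes the groupType flag bits to break the security groups down by scope, and cross-checks the total against the GroupCategory property that Get-ADGroup derives from the same bit. It assumes the ActiveDirectory module is installed; the flag constants are the documented groupType bits, and the helper names Test-SecurityGroup and Get-GroupScope are mine.

```powershell
# Added example, not from the original article.
# Run the groupType query through Get-ADObject, decode the flag bits to break
# the security groups down by scope, and cross-check the total against
# Get-ADGroup. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# groupType flag bits (Active Directory schema). A group has exactly one scope
# bit plus, optionally, the security bit; without it the group is a distribution group.
$GROUP_TYPE_BUILTIN_LOCAL    = 0x00000001
$GROUP_TYPE_GLOBAL           = 0x00000002
$GROUP_TYPE_DOMAIN_LOCAL     = 0x00000004
$GROUP_TYPE_UNIVERSAL        = 0x00000008
$GROUP_TYPE_SECURITY_ENABLED = 0x80000000   # 2147483648, or -2147483648 as a signed Int32

function Test-SecurityGroup {
    # Helper defined for this example.
    param([int]$GroupType)
    # AD stores groupType as a signed 32-bit integer, so security groups come back
    # negative (-2147483646 is 0x80000002 = Global + security). -band against the
    # 64-bit literal sign-extends the Int32 and still isolates the high bit.
    ($GroupType -band $GROUP_TYPE_SECURITY_ENABLED) -ne 0
}

function Get-GroupScope {
    # Helper defined for this example: read the single scope bit.
    param([int]$GroupType)
    if ($GroupType -band $GROUP_TYPE_BUILTIN_LOCAL) { return 'BuiltinLocal' }
    if ($GroupType -band $GROUP_TYPE_GLOBAL)        { return 'Global' }
    if ($GroupType -band $GROUP_TYPE_DOMAIN_LOCAL)  { return 'DomainLocal' }
    if ($GroupType -band $GROUP_TYPE_UNIVERSAL)     { return 'Universal' }
    'Unknown'
}

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the attribute must have
# every bit of the supplied value set. 2147483648 is just the security bit, so
# this returns security groups of every scope. Supplying -2147483646 (0x80000002)
# would additionally require the Global bit and miss domain local and universal groups.
$securityGroups = @(Get-ADObject -LDAPFilter '(groupType:1.2.840.113556.1.4.803:=2147483648)' `
                                 -Properties groupType)

# Sanity check: everything the bitwise filter returned must decode as a security group.
$mismatch = @($securityGroups | Where-Object { -not (Test-SecurityGroup $_.groupType) })
if ($mismatch.Count -gt 0) {
    throw "Filter returned $($mismatch.Count) object(s) whose groupType lacks the security bit"
}

# Independent check: the AD module exposes the same bit as the GroupCategory property.
$categoryCount = @(Get-ADGroup -Filter "GroupCategory -eq 'Security'").Count
if ($categoryCount -ne $securityGroups.Count) {
    Write-Warning "Bitwise filter found $($securityGroups.Count) groups but GroupCategory found $categoryCount"
}

# Breakdown by scope, then the total the Dsquery one-liner would have given you.
$securityGroups |
    Group-Object { Get-GroupScope $_.groupType } |
    Select-Object @{ Name = 'Scope'; Expression = { $_.Name } }, Count |
    Sort-Object Scope

"Total security groups: $($securityGroups.Count)"
```

If the two counts ever disagree, the usual cause is a difference in search base or in a filter such as a default result limit, not a disagreement about what a security group is; both the LDAP matching rule and GroupCategory are reading the same 0x80000000 bit.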

Photo credit: Shutterstock

The post GPO whack-a-mole: There it is! No, it isn't! appeared first on TechGenix.


