Saturday, April 25, 2020

Changing Default Containers to OU's in AD

Change the default OUs for Users and Computers in Active Directory

In windows by default there are two containers, the Computers container and Users Containers.  When you join new workstations, servers or add new users to your domain they will show up in either of these by default and no policies will be applied to them until you move the user or computer object into an OU. This is because Group Policy Objects do not apply to containers only OU's. Luckily you can change where active directory puts computers and users upon creation using the following commands:

Set the default OU for new computers to land in using redircmp
C:\Windows\system32>redircmp "OU=New Computers,OU=Computers,OU=NORTH COAST,DC=ncc,DC=lan"
Redirection was successful.

Set the default OU for new user accounts to land in using redirusr
C:\Windows\system32>redirusr "OU=New Accounts,OU=Accounts,OU=NORTH COAST,DC=ncc,DC=lan"
Redirection was successful.

Once done you should find that newly added users and computer land in your newly designated OU's which will allow you to do things like automatically push software to new workstations via group policy or make sure that new users get their home folders and network drives mapped without any further changes.

Useful Links

Useful Links

A collection of things that I've found useful for one reason or another during my time troubleshooting windows workstations and helping end users. Hopefully you will find them as helpful as I have.

Windows Utilities

The links to these tools contain the MD5 as the downloads are hosted by myself from a Backblaze bucket you should check the MD5 of what you download before you run any of it, checking the MD5 does not make the software safe but it does make sure that at least you got what you attempted to download.  None of this software is mine this is just a collection of links to acquire it use at your own risk.

TFC MD5: 788fcddd88240a85039f7f561093b118
The temp file cleaner by old-timer is a classic utility designed to clean all the old temp files off of windows systems, works with Windows xp - Windows 10
Take Ownership MD5: 38a8674b9bb64a27ec999fcc9e3df662
An old registry hack that enables a take ownership right click option, useful for when you’re stuck with a file you can’t seem to change the permissions of even though you have admin access.
hpflash1 MD5: e30ffd26b45c78303085dc4f35a24a80
The HP flash utility, great for making DOS boot drives.
DoubleDriver MD5: 98f948a5806cf6d84bfb2dabc8c48a95
Double Driver, the unsung hero of printer migrations and new system builds. This utility can suck the drivers right out of an existing windows install and throw them directly at a new one.
Putty! For all your SSH, Serial and Telnetting needs.

References

Group Policy Reference : Group Policy Administrative Templates

Windows CLI things

Get the service tag of dell PC's from Command Prompt or Powershell
wmic bios get serialnumber

Expire a computers kerberos ticket thus forcing the computer to get a new one this helps windows detect a change in AD OU's without rebooting so that you can run gpupdate /force without needing to reboot. Useful for systems that cant be shut down but do need to be moved in AD.
klist -li 0x3e7 purge

Getting the group policy results from a workstation through psexec, replace $User-Logged-In with a logged in user.
gpresult /user $User-Logged-In /scope computer /r

Group Policy Troubleshooting from the Command Prompt

Group Policy CMD

A series of useful tips and tools for diagnosing group policy issues in windows.

Force a system to expire its current kerberos ticket, this will make the system check what OU its in and thus apply any new group policy's.  Useful if you have moved a computer to a new OU and need it to apply the new policies of that OU but cant afford the down time of a reboot.
klist -li 0x3e7 purge

Change what domain controller group policy is being pulled from.  This is especially useful if you have just discovered that your DFSR SYSVOL is no longer replicating correctly.
nltest /dsgetdc:example.com
nltest /Server:$ClientComputerName /SC_RESET:example.com\dc.example.com

Get a list of applied policies.
gpresult /r

Getting the group policy results from a workstation through psexec.
gpresult /user $User-Logged-In /scope computer /r

See remotely installed printers:
wmic printer list brief
wmic printer get name

The above just shows a short list of printer attached to the system you run the command on. It will also show what computer a printer is connected to if there's a network printer. You can also use this to get a very detailed list of configuration for each printer installed on a system:
wmic printer list full

To output it to a text file, append this to the end of the command:
wmic printer list brief >> c:\users\admin\documents\printerlist.txt

Friday, April 24, 2020

Implementing Software Restriction Policy on Windows

Software Restriction Baseline

A guide for setting up Software Restrictions in Group Policy.
Under Enforcement Properties set "All software files except libraries (such as DLLs)", "All users except local administrators" (which will allow members of the local administrators group to bypass the policy completely) and ignore certificate rules unless you are planning to whitelist software via certificates, this can be handy for allowing user to install some programs to %appdata% such as slack, and or certain video conferencing software.

Under Designated File Types remove .lnk files, leaving this option enabled can cause start menu items to stop working as well as all shortcuts to exe files which are now pervasive through the windows operating system. This is mentioned in the NSA document but they list making a rule to allow it, other sources recommend removing it from the designated file types list which seems to be the correct way to do this.
Under Security Levels set the policy to Disallow, this will prevent software from running regardless of the access rights of the user.

Paths the NSA recommends restricting

These have been taken from the NSA document: https://apps.nsa.gov/iaarchive/library/reports/application-whitelisting-using-srp.cfm
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Debug
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\PCHEALTH\ERRORREP
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Registration
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\catroot2
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\com\dmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\FxsTmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\drivers\color
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\PRINTERS
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\spool\SERVERS
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\Tasks
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\com\dmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\FxsTmp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\SysWOW64\Tasks
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Tasks
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Temp
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\tracing

Paths the NSA recommends allowing

In the original document there is an invisible space right before "Windows" to be cautious of the below line has been corrected.
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%

as well as sysvol so any logon scripts you have will still run, not adding this will break any logon scripts you have.
\\%USERDNSDOMAIN%\Sysvol\

An alternate value for the x86 directory might be needed in certain versions of windows, it is not needed for windows 10. to add if the x86 exception listed by the NSA is causing difficulties adding the below line might resolve them. This should not be necessary in most cases.
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%

Blocking The Windows Store and Xbox apps in Windows 10

Windows Store, blocking this will disable users from launching the windows store and thus prevent users from installing apps from it.
%programfiles%\WindowsApps\Microsoft.WindowsStore*

Xbox Apps, Windows 10 ships with a couple different xbox applications, removing these is problematic but blocking them from running is not. This will prevent users from downloading PC games or connecting to and streaming from xbox systems on the network or outside of it. (Microsoft is adding an ability to connect to a home xbox in a future xbox release.)
%programfiles%\WindowsApps\Microsoft.Xbox*

Whitelisting modern applications

Some windows applications such as OneDrive run from appdata, as such you may need to whitelist additional locations so that these applications can function properly, this also goes for windows store applications. In the case of OneDrive the path is
%localappdata%\Microsoft\Onedrive\

Applications installed from the windows app store (if you have chosen not to block them) will install to the directory C:\Program Files\WindowsApps whitelisting the specific directory can allow these to run, windows will allow you to use wildcards in the path names so for example
C:\Program Files\WindowsApps\spo*
Will allow any app contained within any folder under WindowsApps that begins with "spo" to run, in this example spotify as installed from the windows app store would run.

Other Considerations