Archive for Group Policy

A friend and former co-worker of mine (Sean Deuby) has some excellent Active Directory Troubleshooting guides available online for free.  These aren’t going to solve every problem for you but are great to ensure you have covered your basis when trying to troubleshoot Active Directory.  Take a look at the link to see all the great help he has.

You know…is the Internet great?  I mean really think about all the great things that are available at our finger tips, things like these great troubleshooting guides.  The Internet hasn’t always been great but I’d say over the last 5 years it has really blossomed well.  I know there is bad and harmful things out there but I really do believe that there is more good than bad…OK, time for me to stop thinking out loud again.  Smile


I was working an issue where I couldn’t import Group Policy’s settings to a new policy from one environment to another using GPMC.  The error message I got was the following:

GPO: Test GPO V1.0…Failed

The overall error was: The system cannot find the file specified.
Additional details follow.

[Error] The task cannot be completed. There was an error with extension [Registry]. The file [domain_namesysvoldomain_namePolicies{AAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}Admadmfiles.ini] cannot be accessed.
The following error occurred:
The system cannot find the file specified.

I got the policy from in a zipped format and all seemed well when I unzipped it.  The first thing I did was try to copy the admfiles.ini from another policy into the new policy I was trying to import the settings to.  That didn’t work.  I then took a closer look into the policy that was unzipped.  I noticed after digging further into the guts of this policy that it was in fact missing not only this file but also GptTmpl.inf and install.ins.  The culprit was Outlook blocking certain types of files due to a security configuration.

To resolve this I had to password protect the zip file to ensure those three files came through.  Once I tried to import the settings with all the files there…it worked!  Imagine that.

I pulled together a few links to help point people in the right direction on resources for AD in Windows Server 2008.  You’ll find all kinds of goodies, from virtual labs to videos by some of your favorite public speakers and of course what I think are the must have…the Guides!

Links and Documents:
AD DS Operations Guide

AD DS Design Guide

AD DS Deployment Guide

Server 2008 Auditing AD DS Changes Step-by-Step Guide

Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration

Step-by-Step Guide for Read-Only Domain Controllers

Free Virtual Labs:
Managing Active Directory – Directory Services

Fine Grained Password Settings in Windows Server 2008 (Beta 3)

AD in Server 2008

Fine Grained Password Policies

Prepare for RODCs

Install a RODC from IFM

Group Policy in 2008

If you haven’t noticed yet, Windows Server 2008 has several more User Right Assignments in the Local Policy settings.  If you’re looking for a definition of one or all take a look below.  These are the same settings that are found in Group Policy located at this path – Computer ConfigurationWindows SettingsLocal PoliciesUser Right Assignment.


Access Credential Manager as a trusted caller

This policy setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users” saved credentials might be compromised if this user right is assigned to other entities.

By default, no accounts are assigned this right. However, to enforce the default setting, the Access Credential Manager as a trusted caller setting is restricted to No One for the SSLF environment discussed in the security guide.

Act as part of the operating system

This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. For this reason, the Act as part of the operating system setting is restricted to No one for both of the environments that are discussed in this guide.

Add workstations to domain

This policy setting only takes effect when applied to domain controllers.

Adjust memory quotas for a process

This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, this setting could be used to launch a denial of service (DoS) attack.

For this reason, the Adjust memory quotas for a process setting is restricted to Administrators, Local Service, and Network Service groups for the SSLF environment. The setting is configured to Not Defined for the EC environment.

Allow log on locally

This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the computer keyboard require this user right.

Microsoft recommends that you enable this setting through Group Policy and restrict this right to members of the Administrators group. Assign this user right to the other Operator level administrative security groups,such as Backup Operators or Server Operators,if your organization requires that they have this capability.

Allow log on through Terminal Services

This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. Microsoft recommends that you restrict this user right to the Administrators group to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature. Dedicated Terminal Servers will require additional configuration.

Back up files and directories

This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply.

Bypass traverse checking

This policy setting allows users who do not have the special "Traverse Folder" access permission to "pass through" folders when they browse an object path in the NTFS file system or in the registry. This user right does not allow users to list the contents of a folder, but only allows them to traverse directories.

Change the system time

This policy setting determines which users and groups can change the time and date of the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer’s time setting is changed, logged events reflect the new time, which may not be the actual time that the events occurred.

Change the time zone

This setting determines which users can change the time zone of the computer. This setting capability poses no great risk for the computer. However, modifications to this setting affect all users and applications on the computer, which could cause confusion in shared terminal server environments.

Create a pagefile

This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.

Create a token object

This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. In environments in which security is a high priority, this user right should not be assigned to any users. Any processes that require this capability should use the Local System account, which is assigned this user right by default.

Create global objects

This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right.

Users who can create global objects could affect processes that run under other users” sessions. This capability could lead to a variety of problems, such as application failure or data corruption.

Create permanent shared objects

This policy setting allows users to create directory objects in the object manager. This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right.

Create symbolic links

This policy setting determines which users can create symbolic links. In Windows Server 2008, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk file) to another file system object, which can be a file, folder, shortcut or another symbolic link. The difference between a shortcut and a symbolic link is that a shortcut only works from within the Windows shell. To other programs and applications, shortcuts are just another file, whereas with symbolic links, the concept of a shortcut is implemented as a feature of the NTFS file system.

Symbolic links can potentially expose security vulnerabilities in applications that are not designed to use them. For this reason, the privilege for creating symbolic links should only be assigned to trusted users. By default, only members of the Administrators group can create symbolic links.

Debug programs

This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user right. However, developers who are debugging new system components need it.

Deny access to this computer from the network

This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

Deny log on as a batch job

This policy setting prohibits users from logging on to a computer through a batch-queue facility, which is a feature in Windows Server 2008 that you can use to schedule jobs to run automatically one or more times in the future.

Deny log on as a service

This policy setting determines whether users can log on as a service. Accounts that can log on as a service could be used to configure and launch new unauthorized services, such as a keylogger or other malware.

Deny log on locally

This policy setting prohibits users from logging on locally to the computer console. If unauthorized users can log on locally to a computer, they can download malicious code or elevate their privileges on the computer. In addition, if attackers have physical access to the console, there are other risks to consider. This user right should not be assigned to those users who need physical access to the computer console.

Deny log on through Terminal Services

This policy setting prohibits users from logging on to computers in your environment through Remote Desktop connections. If you assign this user right to the Everyone group, you also prevent members of the default Administrators group from using Terminal Services to log on to computers in your environment.

Enable computer and user accounts to be trusted for delegation

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory®. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

Force shutdown from a remote system

This policy setting allows users to shut down Windows–based computers from remote locations on the network. An unauthorized shut down of a server is a type of denial of service (DoS) condition that makes the computer unavailable to service user requests. Microsoft recommends to only assign this user right to highly trusted administrators.

Generate security audits

This policy setting determines which users or processes can generate audit records in the Security log. An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity. Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.

Impersonate a client after authentication

This policy setting allows programs to impersonate a user so that the program can act on behalf of the user. Requiring authentication first helps prevent elevation of privilege attacks.

Services that the Service Control Manager starts have the built-in group "Service" added by default to their access tokens. COM servers that the COM infrastructure starts and configures to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started.

In addition, a user can impersonate an access token if any of the following conditions exist:

  • The access token that is being impersonated is for the same user that is making the request.
  • The user, in this logon session, logged on to the network with explicit credentials to create the access token.
  • The requested level is less than Impersonate, such as Anonymous or Identify.

An attacker with the Impersonate a client after authentication user right could create a service that impersonates any logged on user in order to elevate the attacker”s level of access to that of the logged on user or to the level of the client computer”s system account.

Increase a process working set

This policy setting determines which user accounts can increase or decrease the size of a process working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

This right is granted to all users by default. However, increasing the working set size for a process decreases the amount of physical memory available to the rest of the system. It would be possible for malicious code to increase the process working set to a level that could severely degrade system performance and potentially cause a denial of service. Certain environments can help mitigate this risk by limiting which users can increase the process working set.

Increase scheduling priority

This policy setting allows users to change the amount of processor time that a process uses. An attacker could use this capability to increase the priority of a process to real-time and create a denial of service (DoS) condition for a computer.

Load and unload device drivers

This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required to add local printers or printer drivers in Windows Server 2008.

Lock pages in memory

This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned and abused, significant degradation of system performance can occur.

Log on as a batch job

This policy setting allows accounts to log on using the Task Scheduler service. Because the Task Scheduler is often used for administrative purposes, you may need this right in the EC environment. However, Microsoft recommends restricting its use in the SSLF environment to prevent misuse of system resources or to prevent attackers from using the right to launch malicious code after gaining user level access to a computer.

Log on as a service

This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on all computers in an SSLF environment, but because many applications may require this right, you should carefully evaluate and test this setting before configuring it in an EC environment. On servers running Windows Server 2008, no users or groups have this right by default.

Manage auditing and security log

This policy setting determines which users can change the auditing options for files and directories and clear the Security log. Because this capability represents a relatively small threat, this setting enforces the default value of the Administrators group for both the EC and SSLF environments.

Modify an object label

This policy setting determines which users can change the integrity level of objects, such as files, registry keys or processes owned by other users. Note that a user can change the integrity level of an object that is owned by that user to a lower level without holding this privilege.

Modify firmware environment values

This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure that would result in a DoS condition.

Because this capability represents a relatively small threat, this setting enforces the default value of the Administrators group for both the EC and SSLF environments.

Perform volume maintenance tasks

This policy setting allows users to manage the system”s volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a DoS condition.

Profile single process

This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that they could use to mount an attack on the system.

Profile system performance

This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system”s active processes and provide insight into the potential attack surface of the computer. This setting enforces the default of the Administrators group for both the EC and SSLF environments.

Remove computer from docking station

This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. This setting is not usually relevant in server scenarios.

Replace a process level token

This policy setting allows one process or service to start another service or process with a different security access token, which an intruder can use to modify the security access token of that sub-process to escalate privileges. This setting enforces the default values of Local Service and Network Service for both the EC and SSLF environments.

Restore files and directories

This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Server 2008. This right also determines which users can set valid security principals as object owners; it is similar to the Back up files and directories user right.

Shut down the system

This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a DoS condition.

Synchronize directory service data

This policy setting determines which users have the authority to synchronize all directory service data.

Take ownership of files or other objects

This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects and give ownership to the specified user. This setting enforces the default value of the Administrators group for both the EC and SSLF environments.

I”ve always loved these spreadsheets as they allow a quick and easy way to search for Group Policies.  With Server 2008 live and Vista SP1 out Microsoft has updated their reference sheet to add all the new Group Policy settings.  There are now over 2700 settings you can apply in your environment…have fun!

After spending a bit of time on Amazon I noticed that books, movies, and other random things you can buy all had customer reviews.  I started to think, why don”t white papers and technical documents have the same?  Today I”ve decided to take action against poorly written technical papers and ensure that those companies are held accountable to what they are publishing.  OK, maybe I”m not that gun-ho about it but I do think it would be nice to give a review here and there on stuff i”ve read through.

Today”s review is on the Windows Server 2008 Reviewers Guide.  How interesting to start my reviews on a Reviewers Guide.  From what I can gather this guide has been available since early February and is in two forms, Full and Short.  The Full version weighs in at just under 11 MB while the Short version is just over 8 MB.  Not much a difference on the size.  The Full version is a whopping 250 pages while the Short version is 116 pages.  I actually thought the Short version would have been much shorter.  This review is for the Full version.


Usually when I download these Guides I notice that they are 100% marketing speak and 0% technical.  I was pleasantly surprised that this Guide had only a few areas littered with  marketing junk.  If you can get past the first few pages you are presented with several tables detailing which features work on which edition of Windows Server 2008.  Since this is a new OS i”m quite fond of it since i”m trying to figure out what goes where.

Section 2: Server Virtualization – I really hoped to gather a lot out of this section and quite frankly it did not deliver.  It provides a good high-level overview of Hyper-V but not much of anything when it comes to technical details.  I”m also not sure why there is even a page on Server Core here as it is really out of place.  Feel free to skip this section if you have been working with Virtualization for some time now.

Section 3: Centralized Application Access – This section was all about Terminal Services (TS).  Since there is quite a bit of changes with this service in Windows Server 2008 I again was looking forward to this section.  For me, this one delivered.  It went over all the new features and the best part of the entire section was that it gave you Group Policy locations to configure certain TS options! 

Section 4: Branch Office – All i”ve been hearing about with Sever 2008 is branch office this and branch office that.  Because of that I expected to see a lot of stuff in this section. The Read-Only Domain Controller (RODC) part was decent.  It actually gave some info that I didn”t expect to see like detailing which Active Directory Services attributes that were added to the schema to support RODCs.  I also thought a decent job was done on the BitLocker portion as it went into commands to help install it and Group Policy settings. As for the DFS portion I really wanted to see more.  This one lacked some of the details in the other products from this section.

Section 5: Security and Policy Enforcement – At over 80 pages this was the largest of all sections and covered a wide range of features within Windows Server 2008. The first few areas go over some definitions and can be used for a good reference at a later time.  There were so many in fact that I had to skip ahead because I felt I was studying for an exam. The Routing and Remote Access Service portion was very light and only highlighted some new technologies and removed ones (thanks for finally removing OSPF…it never belonged on a server).  I wanted to see more in the next section on how some of the services would work with IPv6. There was very little detail on that.  The Firewall portion of this section did a good job explaining what changed in Server 2008 from previous versions (client and server).  The Cryptography Next Generation portion provided nothing more then an overview. 

Now we began the Active Directory portion of this section.  Starting with an excellent write up of the Active Directory Certificate Services.  I felt that it was adequately covered hitting all major points of interest.  This portion was followed up by Active Directory Domain Services and the team did another good job on this area.  There isn”t a lot of technical How-To stuff here but it will inform you on what is new.  Federation Services was covered next and there was some good reading there with a nice flow chart to follow along with.  Let”s just say that the Active Directory Lightweight Directory Services was…well…light.  Finishing up Section 5 was an area that I really wanted to read up on, Active Directory Rights Management Services.  I was disappointed but only because I wanted to read more technical information on this product. Perhaps a scenario or two here with some flow charts would have been beneficial.

Section 6: Web and Application Platform – I”ve been a big fan of IIS since all the great changes that were made with IIS6.  I haven”t had time to look into IIS7 with great detail but this was about to change.  I felt empty after readying this portion.  What about FTP being completely redone?  Nothing!  The last portion is about Transactional NTFS, I think that page and a half will only confuse people and have them wondering how do I turn this on.

Section 7: Server Management –  The first three portions of this section are a very basic introduction to Server Manager.  It is nice to have a reference of all the Roles and Features in Server Manager though. The next area goes over a brief introduction to PowerShell.  As much as I would love to see more technical info here, this is the one area that I can give that a pass on.  PowerShell is not something you want people learning from a Reviewers Guide.  To my dismay there were a total of 4 pages on Server Core and all of them marketing!  I really wish there would have been some more info here.  The same marketing theme was put into the Backup portion but that is ok with me because not many mid-to-large companies use the built in backup tool.  An area I thought would have been really nice was the Windows Reliability and Performance Monitor.  Again there really lacked any details about the feature. The only thing I would have liked to seen added to the Windows Deployment Services (WDS) portion would have been some sample scripts or commands…also any Group Policy settings that apply to WDS.  The Group Policy portion finishes this section off and saves the section in my opinion.  Great job to the people that put that area together.

Section 8: High Availability Introduction – Why is it every guide I read through lacks information on clusters and network load balanced systems?  All 7 pages are marketing and nothing to get the technical person excited about high availability. 

Section 9: Better Together & Section 10: Miscellaneous – Feel free to skip these areas now.  Section 9 is a sales pitch to put Vista and Server 2008 together and Section 10 should have been put in the first section.

It”s now time for my rating.  This is 100% totally subjective to my opinion and only my opinion.  If you feel it should be different let me know by proving feedback in the comments section.  I will rate each section on a scale of 1 – 5 with 5 being the best possible.  Then I will rate the entire guide but it will not just be the average of all the scores.  I will rate it on usefulness to the community.

Brian”s Official Rating Scale
1 = Why were calories spent on this?
2 = Save some trees and don”t print this one
3 = Some areas are good but some aren”t so good
4 = Kept my technical interest and definitely printable
5 = Excellent – Print it out and keep it as a reference in your office


Rating on a scale of 1 – 5
Section 1 2
Section 2 2
Section 3 5
Section 4 4
Section 5 4
Section 6 1
Section 7 3
Section 8 2
Section 9 1
Section 10 1
Windows Server 2008 Reviewers Guide 3

Back in January of 2007 I posted that TechNet Magazine had a really cool poster that showed Active Directory as a Jigsaw puzzle. I noticed in my latest copy of TechNet Magazine that it included two new posters. One of them was another Active Directory poster that showed all the cool new stuff in Windows Server 2008 and the other was one of the Windows Server 2008 Components. I just saw that the both of these are now available to download from Microsoft. This is something you will want to get your hands on and if you don”t get TechNet the magazine this is a great way to print it out too.

If you need a little help learning how to backup and restore Group Policy take a look at this video I have showing how to do it.

Backing up and Restoring Group Policies


Microsoft has always had a great track record of detailing all of the Group Policy settings within their operating systems. They are keeping with that tradition and have released an update to their very popular Group Policy Spreadsheet. The update is that it includes all of the Windows Vista Group Policy settings.

This is by far the greatest tool to use if you use Group Policy. The reason being is that you can search it since it is an Excel spreadsheet. When I”m not sure if a Group Policy setting exists I will open this spreadsheet up and do a search for the feature and it usually leads me to the correct setting. Enjoy!

When Windows Server Longhorn is released it will include 700 more Group Policy settings then Windows Server 2003 with SP1! I for one can”t wait for Longhorn and just reading about all the new Group Policy settings gets me pumped up. Although it would go down in the Guinness book of world records as the longest blog ever I will refrain from sharing every settings with you. What I will do is go over some of the new categories that I think will be most useful.

Group Policy Categories that have some really cool settings in them:

  • Antivirus

  • Deployed Printer Connections

  • Device Installation

  • Networking – Quarantine

  • Terminal Services

  • User Account Protection

You can always find out more on Microsoft”s site, take a look here for more info on all the new categories.

And yes this entry was posted with Word 2007!