Archive for the ‘GPO’ Category

Remote Powershell in domain environment

March 21st, 2014 3 comments

Sometimes you need to run some command on remote computer. If you don’t want to bother user using Remote Assistance or user is not at the computer you can try Remote Powershell. Powershell was new feature when Windows Vista and Windows Server 2008 came. So we can divide operating systems into three categories. Each category requires some things and some requirements.

Windows 7 / Windows Server 2008 R2 and higher

  • Needs to open ports in firewall (is your firewall is not open all the way)
  • Needs to enable and configure WinRM
  • Needs to configure WinRM service to run

Windows Vista / Windows Server 2008

  • Needs everything from first group
  • Needs to install PowerShell 2.0

Windows XP / Windows Server 2003

  • Needs everything from second group
  • Needs to install .NET Framework

Probably your environment will be mixed of all three types of operating systems. So let’s look how to configure it. I will use GPOs everywhere it can be used.

Enable Remote PowerShell for Windows Vista and Windows Server 2008

Create GPO and set following:

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow automatic configuration of listeners (Allow Remote Server management through WinRM):

Firewall exceptions

Firewall exceptions for Windows 7 / Windows Server 2008 and higher

If you have Microsoft firewall closed and you need to make exception using GPO in Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions:

Firewall exceptions for Windows XP / Windows Server 2003

You have to define New Firewall rule under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules and create new Inbound rule with predefined type “Windows Remote Management”:

Configure Service

To enable Remote Powershell I need to configure service. WinRM service has to start automatically. Create new setting in GPO in Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Setup service Windows Remote Management (WS-Management) following way:

Let’s change startup for this service using GPO settings under Computer Configuration > Preferences > Control Panel Settings > Services. Create new Service setting with following settings:

Windows XP / Windows 2003 specialities

To make Powershell work remotely on older operating systems you need to make sure your operating systems have installed two hotfixes: KB968930 and KB951847. These hotfixes are distibuted via Windows Updates so if you use WSUS, there updates are already on your older operating systems.

To enable PowerShell for remote connection you need to enable it using startup script. So you need to create new GPO which will run only on older OS. You can use following WMI filter to make this GPO apply only on older OS:

You can use following script as a startup script to enable Powershell Remote for Windows XP.

To test it you can run following command:

Enter-PSSession -ComputerName COMPUTER_NAME

Active Directory Users and Computes Implementation

To make it look better you can implement connection to computer using Active Directory Users and Computers.

On location \\domain.local\NETLOGON create new Powershell.vbs file:

' ' Script to run Remote Powershell on domain computer '

Set wshArguments = WScript.Arguments Set objComputer = GetObject(wshArguments(0))

' ' Check if Remote Assistance is installed '

Set fso = CreateObject("Scripting.FileSystemObject") 
If (fso.FileExists("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe")) Then  
' Is istalled  
   Set objShell = WScript.CreateObject("WScript.Shell")  
   Return = objShell.Run("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit \\domain.local\NETLOGON\Remote_Session.ps1" & objComputer.dNsHostName, 1, false) 
   ' Is not installed, error.  
   Wscript.Echo "Microsoft Remote PowerShell is not enabled on this machine." 
End If

On location \\domain.local\NETLOGON create new Remote_Session.ps1 file:


Enter-PSSession -ComputerName $computername

 When files are ready, you need to create new record in Active Directory using adsiedit.msc. Connecto to configuration partition of your domain:

Go to Configuration > CN=Configuration,DC… > CN=DisplaySpecifiers > CN=409 > CN=computer-Display and edit property called adminContextMenu.

Add another record into existing list of records. I used following record:

3, &PowerShell Remote,\\domain.local\NETLOGON\Powershell.vbs

which means:

3 – order of record in the list of records (if you have only one existing record, your number will be 2)

&PowerShell Remote – name of the item in context menu

\\domain.local\NETLOGON\Powershell.vbs – path to vbs script you created

Here is how it looks in one of the environments:

When all is done, your Active Directory Users and Computers console has to be reopened and you will find new record under computer account:

When you click on this new item in context menu new powershell window opens. This powershell window is remote powershell windows from remote computer.

I hope people start using powershell more often,

Internet Explorer 10.0 doesn’t get Proxy settings from Preferencies

October 17th, 2013 6 comments

I had weird problem today. Customer called that GPO I have created to set Proxy server for Internet Explorer doesn’t work anymore on Windows 7. He was right. There was Internet Explorer 10 installed on Windows 7. Proxy configuration was made by Internet Explorer Maintenance:

This was not applied on Windows 7 Internet Explore 10, even there was eventlog it should be applied. Then I set these settings using GPO Preferences. I could create settings just for IE 5,6,7 and 8:

I have decided to create settings using Internet Explorer 8. I set all settings I wanted and saved GPO:

Nothing happened. It’s because this settings are limited to Internet Explorer 8.0. So we need to dig into XML file which handles these settings. XML file InternetSettings.xml is located at \\DOMAIN\SYSVOL\DOMAIN\Policies\{76C1E5D1-9CA6-4682-AD41-FD038DDED1E9}\User\Preferences\InternetSettings. When you open this file you can see XML file with all settings. There is one attribute called MAX which defines on which version these settings are applied. I changed it to value “” and now everything works:

What a stupid work around 🙂

Quickie: GPO Preferences variables

January 21st, 2013 1 comment

When you want to use system variables in GPO Preferences you can do so. For example: if you want to create folder on user’s desktop called as computer name, you can use variable in New Folder Properties:


GPO Preferences for New Folder

If you don’t know what variables you are able to use in Preferences input fields you can press F3 and it will display you a list of variables you can use:


List of variables in GPO Preferences


I just found info at Microsoft.

Categories: GPO, Microsoft, Quickie Tags: , , ,

Internet Explorer Proxy Settings via GPO not working

October 22nd, 2012 2 comments

One of our customer just released the beauty and power of GPO. They started to use it more and more. Couple days ago they set brand new GPO with following settings:

  • Proxy IP was set with port 3128 for all protocols
  • Exceptions for couple websites and local addresses


IE Proxy GPO

Read more…

#5 GPO Serial – WMI Filtre a Loopback Processing

Takže po dlhšej dobe pokračujem. Dneska popišem WMI filtre a taktiež Loopback Processing.

WMI Filtre

 WMI filtre sa používajú na to, aby sa lepšie špecifikovali podmienky aplikovania GPO politík. Ale najprv si vysvetlime, čo to vlastne WMI je. WMI je skratka od Windows Management Instrumentation, čo predstavuje rozhranie cez ktoré je možné tak vyčítať rôzne údaje z OS ako aj samotné nastavenia OS meniť. WMI si predstavte ako databázu na každom Windows OS. Pomocou podobných príkazov ako sú SQL príkazy je možné vyčítavať rôzne informácie. Napríklad je možné vyčitať informácie o type a modele BIOSu na počítači. Ďalej napríklad informácie o veľkosti RAM pamäte, verzia OS, zoznam hotfixov, rýchlosť otáčok ventilátora na CPU,…

Read more…

Categories: GPO, Windows Tags: , , ,

Disable OutlookAnywhere in Outlook

January 31st, 2012 No comments

This days I was installing one Exchange 2007 server into existing Exchange organization (two other Exchange 2007 servers). I enabled one new server all features which Exchange 2007 brings to clients: Outlook Anywhere, Autodiscover, ActiveSync. After couple days we discovered that by this setting not only local users were affected, but all clients connecting into Exchange Organization (also those connecting to two old servers).

Read more…

#4 GPO Serial – Aplikovanie GPO

November 7th, 2011 7 comments

Skor nez si vysvetlime ako sa aplikuju GPO politiky na pocitace a uzivatelov, vysvetlime si ako editovat GPO politiky. Ked si ujasnime tuto jednoduchu vec, mozeme sa pustit do hlbsej analyzy aplikovania GPO politik.

Editovanie GPO politik

O vytvoreni a linkovani GPO politiky som pisal v predchadzajucej casti serialu. Ked uz mame vytvorenu GPO politiku potrebujeme v nej zmenit nastavenia, aby sa tie nasledne aplikovali na pocitac alebo uzivatela. Editovanie GPO politiky zacneme pravym tlacidlom na GPO politiku a vyberom Edit:

Read more…

#3 GPO Serial – GPO v domene cast 2.

October 25th, 2011 No comments

Group Policy Management Console (GPMC)

Velmi davno, ked boli GPO politiky este v plienkach, na Windows 2000 bol velmi velky problem spravovat samotne GPO politiky. Robilo sa to cez konzolu Active Directory Users and Computers, kde sa museli na danu uroven v AD zapnut Properties a nasledne sa vybrala zalozka Group Policy, kde sa dalo dalej krvopotne manipulovat s GPO politikami:

Read more…

#2 GPO Serial – GPO v domene cast 1.

October 12th, 2011 No comments

Ako som spominal v predchadzajucom clanku, lokalne politiky nie su moc vhodne na centralne spravovanie prostredia, kedze kazda lokalna politika zije svoj “lokalny zivot” 🙂 Na centralne spravovanie politik pre koncove pocitace potrebujeme funkcnu Active Directory (dalej len AD) domenu a v nej vyuzijeme Group Policy Object. Ale co to vlastne ten Group Policy Object je?

Read more…

#1 GPO Serial – Lokalne Politiky

October 7th, 2011 No comments

Skor ako sa pustime do samotnych Active Directory GPO, by som rad pripomenul, ze na kazdom pocitaci od Windows 2000 su Local Group Policy. Jedna sa o lokalne politiky. Ku tymto lokalnym politikam sa dostaneme spustenim prikazu gpedit.msc. Ked si spustime dany prikaz na pocitaci uvidime nasledovnu obrazovku:


Read more…