How to enable Remote Desktop by using Group Policy

This is one of the requirements I came across when I found I was stuck without Remote Desktop to a server in their network while I wanted to troubleshoot an issue. I already had access to the DC thanks to a third-party tool, but had forgotten to enable the Remote Desktop feature on the other servers!

Anyway, the answer I found lies within Group Policy, by enabling two settings. I thought I'd share that information with you all.

Always make sure your servers are grouped by creating the necessary OUs. This is not a rule but a best practice I follow; it makes life easier. Once that part is completed, go to the GPMC.


Make sure to highlight the correct OU and create a new GPO (in my case I named it "Remote access policy"). After that, edit the policy at the following location:

Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections, and enable the setting named "Allow users to connect remotely using Terminal Services". (On Windows Server 2008 R2 and later the node is called Remote Desktop Services and the setting is "Allow users to connect remotely by using Remote Desktop Services"; either way it writes fDenyTSConnections = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services on the target.) While you are in this node, also consider enabling "Require user authentication for remote connections by using Network Level Authentication" under Terminal Server > Security, so that unauthenticated clients never get as far as the logon screen.


After that you need to enable an exception in the Windows Firewall so that the RDP connections are allowed in. For that, enable the GPO setting "Windows Firewall: Allow inbound Remote Desktop exceptions". The path goes as follows:

Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

The setting has a scope field for the source addresses. Rather than "*" (any address), list only the management subnets that should be able to reach TCP 3389, for example "10.10.0.0/24,localsubnet", so the exception does not expose RDP on every server to the whole network.

That's all from the Group Policy side. After that you could wait until Group Policy refreshes on the target machines according to the default interval, which is every 90 minutes plus a random offset of up to 30 minutes, so somewhere between 90 and 120 minutes. We don't want to wait that long, right? What we need is a way to refresh Group Policy on the remote machines from our console. There are a few ways to do that, but I will focus on two tools. The first is a utility called "PsExec", written by Mark Russinovich (Sysinternals). You can download it from here. As far as I'm concerned this is one of the easiest methods, with no scripting required.

Download the tool and extract it to %systemroot% (or any other folder on your PATH) so you can call it from any command prompt without typing the full path. Keep in mind that PsExec needs administrative rights on the target, the ADMIN$ share reachable over SMB (TCP 445), and that it installs its PSEXESVC service on the target for the duration of the command.
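As an added example (not part of the original post), the whole refresh-and-verify step as a PowerShell script: it pushes gpupdate to each server through PsExec, then checks the two things the GPO should have changed, the fDenyTSConnections registry value and whether TCP 3389 is actually reachable through the firewall. It assumes psexec.exe is on the PATH, that you are a local administrator on each target, that the Remote Registry service is running there, and the server names are placeholders.

```powershell
# Added example, not from the original post. Assumes psexec.exe (Sysinternals) is on
# the PATH, the caller is a local admin on each target (PsExec needs ADMIN$ over
# TCP 445) and the Remote Registry service is running on the targets.
$Servers = 'SRV-APP01', 'SRV-FILE01'   # hypothetical members of the "Remote access policy" OU

function Invoke-RemoteGpUpdate {
    param([string]$Computer)
    # PsExec copies PSEXESVC to the target, runs gpupdate there and hands back its exit code.
    # -accepteula avoids the first-run EULA prompt; /target:computer refreshes only the computer side.
    & psexec.exe -accepteula "\\$Computer" gpupdate /force /target:computer
    return $LASTEXITCODE
}

function Test-RdpEnabled {
    param([string]$Computer)
    # The GPO writes fDenyTSConnections under the Policies key, which overrides the
    # value under the local Terminal Server key. 0 means connections are allowed.
    $base   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $policy = $base.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services')
    $local  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
    $value  = $null
    if ($policy) { $value = $policy.GetValue('fDenyTSConnections') }
    if ($null -eq $value -and $local) { $value = $local.GetValue('fDenyTSConnections') }
    $base.Close()
    return ($value -eq 0)
}

function Test-RdpPort {
    param([string]$Computer, [int]$Port = 3389)
    # A plain TCP connect (3 s timeout) shows whether the firewall exception landed,
    # independent of whether the RDP service itself is healthy.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($s in $Servers) {
    $rc = Invoke-RemoteGpUpdate -Computer $s
    New-Object PSObject -Property @{
        Computer     = $s
        GpUpdateExit = $rc
        RdpEnabled   = Test-RdpEnabled -Computer $s
        Port3389Open = Test-RdpPort -Computer $s
    }
}
```

A server that reports RdpEnabled = True but Port3389Open = False has picked up the Connections setting but not the firewall exception (or the exception's scope does not include the machine you are testing from), which is exactly the combination the two GPO settings above are meant to avoid.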



Now, switching back to the remote PC, we can check that the GPO took effect (gpresult /r lists the GPOs that were applied).


And that is what I call a happy day!

The second method is a tool called "Specops Gpupdate", developed by Specops Software. The best thing is that this utility is free. It integrates directly with Active Directory, and you can update the target OUs from within the ADUC (Active Directory Users and Computers) console itself!

For this demonstration I went ahead and installed the software on the DC. It requires Windows PowerShell as well as the .NET Framework, and because it reaches the target machines over the network, make sure the firewall ports it needs for remote administration are open as well.


As you can see, you can select "Gpupdate" to silently execute the PowerShell command, or select the option called "Specops Gpupdate", which opens a nice GUI. Apart from refreshing the GPOs, the GUI offers a few other options as well. Once you select the Gpupdate option you'll be greeted with a few screens and finally the progress screen:


As you can see, both tools give us the flexibility to run a Group Policy update remotely on the network PCs, while Specops Gpupdate has gone the extra mile to offer more features. If you need even more, check out the Specops Gpupdate Pro version.

So next time you're stuck, it's always good to have these two tools in your toolbox.

Group Policy Central Store (Windows 2008)

With Windows Server 2008 Microsoft redefined the way Administrative Templates are stored by introducing the Group Policy Central Store. The central store is simply a central place to keep the Administrative Templates. In the Windows 2003 and XP era we received many Administrative Templates (ADM files) from Microsoft and other vendors, but the key question was where to store them: each GPO carried its own copy of the ADM files inside its SYSVOL folder, so templates were duplicated across GPOs and a template added on one administrator's machine was not seen by others.

With Windows Server 2008 Microsoft introduced the concept of central storage. Now you can keep all the Administrative Templates (in the new ADMX/ADML format) in a single place in SYSVOL, and they replicate between the Windows 2008 domain controllers along with the rest of SYSVOL. The Group Policy tools on Windows 2008 and Vista support this natively, but Windows 2003 and Windows XP don't out of the box: their GPMC only understands ADM files.

How it works is simple: the Group Policy editor checks whether templates are available in the central place. If it can't find templates there, it loads them from the local machine's template folder instead. As you can see, the mechanism is very simple but still brings great flexibility.

So how do you configure this? On the Windows 2008 domain controller go to %SystemRoot%\SYSVOL\domain\Policies and create a folder called "PolicyDefinitions" (one word, no space; the name must match exactly). Then go to %SystemRoot%\PolicyDefinitions on the same server, copy its contents (the ADMX files together with the language subfolders such as en-US, which hold the matching ADML files) and paste them into the new %SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions folder. SYSVOL replication carries the folder to the other domain controllers.

Once the contents are copied to that folder, go to GPMC and open a GPO for editing. Expand Administrative Templates; in the right-hand pane you should now see "Administrative Templates: Policy definitions (ADMX files) retrieved from the central store."
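The same steps as a script, added here as an example and not part of the original post. It creates the PolicyDefinitions folder through the SYSVOL share, copies the ADMX files and their language folders from the local machine, and then counts what arrived so you can tell a half-copied store (ADMX present, ADML missing, which GPMC reports as template parse errors) from a complete one. The domain name is an assumption; run it on a Windows 2008 DC or a Vista/2008 admin workstation whose local templates you want to publish.

```powershell
# Added example, not from the original post. $Domain is an assumption; the rest
# uses the standard SYSVOL share layout (\\<domain>\SYSVOL\<domain>\Policies).
$Domain       = 'contoso.com'
$Source       = Join-Path $env:SystemRoot 'PolicyDefinitions'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

function New-GpoCentralStore {
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    # -Recurse brings the language folders (en-US etc.) with the ADML files along;
    # -Force overwrites older copies when you later publish newer templates.
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
}

function Test-GpoCentralStore {
    param([string]$Source, [string]$Destination, [string]$Language = 'en-US')
    $srcAdmx = @(Get-ChildItem $Source -Filter *.admx).Count
    $dstAdmx = @(Get-ChildItem $Destination -Filter *.admx).Count
    $dstAdml = @(Get-ChildItem (Join-Path $Destination $Language) -Filter *.adml -ErrorAction SilentlyContinue).Count
    New-Object PSObject -Property @{
        SourceAdmx = $srcAdmx
        StoreAdmx  = $dstAdmx
        StoreAdml  = $dstAdml
        # Complete only when every ADMX made it and its language file exists alongside.
        Complete   = ($srcAdmx -gt 0 -and $srcAdmx -eq $dstAdmx -and $dstAdml -eq $dstAdmx)
    }
}

New-GpoCentralStore  -Source $Source -Destination $CentralStore
Test-GpoCentralStore -Source $Source -Destination $CentralStore
```

Writing to SYSVOL\Policies requires Domain Admin (or equivalent) rights, which is the right boundary: whoever can change the central store controls what every administrator sees in the Group Policy editor.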

As a practice, whenever you modify GPOs keep an eye on where the Administrative Templates are being loaded from. Keeping templates consistent across many machines used to be a significant administrative headache for companies; the Windows Server 2008 ability to create a central store for Administrative Templates has simplified both the process and the monitoring of the templates.

Windows 7 and Windows Server 2008 R2 complete Group Policy reference sheet is out!

Microsoft has finally released the complete list of Group Policy settings for Windows 7 and Windows Server 2008 R2. It is a very comprehensive Excel sheet; if you want to find out about the nifty features and new improvements, this is the one sheet you need to have. They have also included Windows Vista and Windows Server 2008 SP2. The complete list can be downloaded from the Microsoft web site.

You can click here to download.

Windows Server 2008 – Fine Grained Password Policy Walkthrough

Windows Server 2008 has a lot of new technologies to offer, and 2008 R2 adds even more (BranchCache, the Active Directory Recycle Bin, etc.). Among the 2008 features, one of the coolest is Fine-Grained Password Policy. With it you can give a different set of password policies to selected users or groups, independent of the default domain password policy.

This sounds good if you wish to have one password policy for managers and a different one for general users, and avoid the hassle you face when they forget their complex passwords (you know what I mean, right? 🙂). Of course, you may have been using a password filter or deploying multiple domains to achieve this, but at the end of the day those are frustrating and time-consuming methods.

So now that you've had a taste of the feature, let's roll up our sleeves for the work 🙂 To make things easier I am going to build this article around a scenario.

Contoso.com is the domain of our fictitious company, and Neo Parker is the CEO. He doesn't like the idea of having to remember a complex password and prefers a simple one for his account. So, without weakening security at the domain level, you are going to reduce the minimum password length to 5 characters for his account only.


Requirements: the domain functional level has to be raised to Windows Server 2008 (so every DC must run 2008), and by default only members of Domain Admins can create PSOs.

First, have a look at your existing domain-wide default password policy:

  1. Start –> Run –> gpmc.msc
  2. Expand Forest: yourforest.com.
  3. Expand Domains\yourdomain.com.
  4. Right-click Default Domain Policy and click Edit.
  5. Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.


Now we need to create the Password Settings Object (PSO). To do that we open ADSI Edit. I have to warn you: ADSI Edit is not a place to mess around in unless you know exactly what you're doing!

Go to Start –> Administrative Tools –> ADSI Edit and accept the default settings to connect to the domain. Then, to create the PSO, browse to Default naming context\DC=Contoso,DC=com\CN=System\CN=Password Settings Container.

Right-click the container and select New –> Object.


Select the msDS-PasswordSettings class and click Next.


Now we come to the tricky part: supplying the parameters. This is where you have to pay attention and provide the correct values. For a detailed step-by-step guide you can visit here.

The first setting asked for is the name (cn) of the policy. You can give it a fancy name, but stick to one that is meaningful.


The next setting is msDS-PasswordSettingsPrecedence. If a user is covered by two or more PSOs (for example through membership of several groups), the PSO with the lowest precedence value wins; a PSO linked directly to the user account beats any group-linked PSO regardless of precedence. So set the value to 1 to make sure this policy always applies to Neo.


Next is msDS-PasswordReversibleEncryptionEnabled, which is self-explanatory: leave it at False unless an application genuinely needs the clear-text password, since reversible encryption is equivalent to storing the password in plain text.


The next few options are also self-explanatory, so I'll just list the parameter and the value until we come to another interesting one 🙂

· msDS-PasswordHistoryLength (also self-explanatory; the range is 0 to 1024)
Value = 10
(domain default: 24)

· msDS-PasswordComplexityEnabled (upper case, lower case, digits, blah blah blah)
Value = True

· msDS-MinimumPasswordLength (if only everyone were using pass-phrases instead of passwords)
Value = 5

After that we are asked for values for MinimumPasswordAge, MaximumPasswordAge, LockoutObservationWindow, and LockoutDuration. All four are durations that ADSI Edit accepts in the form days:hours:minutes:seconds.

Let's walk through the first one of this kind, msDS-MinimumPasswordAge.


In the screenshot I provided a value of 1 day: the first field is days, then hours, minutes and seconds, so 1:00:00:00. Next is

msDS-MaximumPasswordAge


I hope the rest of the process is easy to follow by now, so instead of screenshots let me provide the values:

msDS-LockoutThreshold

Value = 0 (0 means the account is never locked out, however many bad passwords are entered)

msDS-LockoutObservationWindow

Value = 00:00:06:00 (6 minutes)

msDS-LockoutDuration

Value = 00:00:06:00 (6 minutes)

Once you complete the last step, click Finish. If you encounter any errors, double-check the values you have provided.


So now Neo's minimum password length is 5 while password complexity stays enabled. Note that with a lockout threshold of 0 his account never locks out, so the short observation window and lockout duration we entered have no effect unless the threshold is raised above 0 🙂

But we are not done yet, because we still have to tell the system that this PSO applies to Neo. If we double-click the msDS-PSOAppliesTo attribute, we can enter the distinguished name (DN) of the user or group. PSOs can be applied only to user accounts and global security groups, not to OUs.

So how do we find the DN value? Well, my friends, we have to walk over to Active Directory Users and Computers and enable Advanced Features from the View menu.


Then open the properties of Neo's account and select the Attribute Editor tab, which shows the distinguishedName of his user account.


Copy that value, go back to ADSI Edit under CN=System –> CN=Password Settings Container, open the PSO we just created, and paste the DN you copied from Neo's account into msDS-PSOAppliesTo.


Voilà, that completes the lengthy task.
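For completeness, here is the whole walkthrough as a script. This is an added example and not part of the original post: it uses the Active Directory PowerShell module (Windows Server 2008 R2 or RSAT; a 2008 RTM DC like the one in the article has to stick to ADSI Edit or ldifde) to create the same PSO, apply it to Neo, and then ask the directory which policy actually wins for him. The PSO name, Neo's sAMAccountName and the maximum password age (not shown in the article; the domain default of 42 days is assumed) are assumptions. The same three cmdlets are how you would do the more common, and more defensible, job of giving privileged accounts a stricter policy than the domain default.

```powershell
# Added example, not from the original walkthrough. Requires the ActiveDirectory
# module, a Windows Server 2008 domain functional level and Domain Admin rights.
Import-Module ActiveDirectory

$PsoName = 'CEO-PasswordPolicy'   # assumed name; the article's screenshot is not shown
$User    = 'nparker'              # assumed sAMAccountName for Neo Parker

# Same values the ADSI Edit steps above enter, as cmdlet parameters.
$pso = @{
    Name                            = $PsoName
    Precedence                      = 1        # lowest number wins when several PSOs cover one user
    ReversibleEncryptionEnabled     = $false
    PasswordHistoryCount            = 10
    ComplexityEnabled               = $true
    MinPasswordLength               = 5
    MinPasswordAge                  = [TimeSpan]::FromDays(1)
    MaxPasswordAge                  = [TimeSpan]::FromDays(42)   # assumed: not shown in the article
    LockoutThreshold                = 0        # 0 = never lock out, so the next two values are inert
    LockoutObservationWindow        = [TimeSpan]::FromMinutes(6)
    LockoutDuration                 = [TimeSpan]::FromMinutes(6)
    ProtectedFromAccidentalDeletion = $true
}

function New-ScenarioPso {
    param([hashtable]$Settings, [string]$Subject)
    New-ADFineGrainedPasswordPolicy @Settings
    # Equivalent of filling msDS-PSOAppliesTo with the user's DN; accepts users or global security groups.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Settings.Name -Subjects $Subject
}

function Get-EffectivePolicy {
    param([string]$Subject)
    # Resolves precedence and direct-vs-group links the same way the DC does at logon.
    Get-ADUserResultantPasswordPolicy -Identity $Subject |
        Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                      PasswordHistoryCount, LockoutThreshold
}

New-ScenarioPso -Settings $pso -Subject $User
Get-EffectivePolicy -Subject $User
```

If Get-EffectivePolicy returns nothing, no PSO applies and the user falls back to the Default Domain Policy; if it returns a different PSO than you expected, compare the Precedence values and check whether another PSO is linked directly to the account.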

For more information you can refer here,