GPMC Search Item – with “User Configuration” it does not work

 

Today I  opened GPMC on the Windows Server 2019 Preview and really after long time I tried to use Search Item in GPMC console. I was surprised that Search Item with User Configuration did not allow me to add any condition. Please check in the picture below. It is suprise that same behavior I can see on S2K12R2, Windows 10 and etc….so it is nothing new :(. I spent some time with searching on  internet than I found TechNet article about it.  – https://social.technet.microsoft.com/wiki/contents/articles/23169.the-value-drop-down-list-is-grayed-out-when-you-perform-search-for-group-policy-objects-in-gpmc.aspx

Because I did not find any advice except article above I believe that more articles about this bug (or what it is) could be useful.

All what is necessary to do is open REGEDIT , go to this path (go to the part of registry, where OS has Client Side Extension for GPO) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4D2F9B6F-1E52-4711-A382-6A8B1A003DE6}]

click on GPextension with number above and choose export ! Yes, we should backup this key, because it should be our first step before we do any change in registry.

 

When we have backup, right click on GPExtension {4D2F9B6F-1E52-4711-A382-6A8B1A003DE6} again and choose “Permissions….”  perform 3 steps describes in the pictures. Change owner to your account used for logon. After we change owner, full control “Access” should be visible for our new owner.

 

Now we have to change Default value of REG_SZ which is empty. We have to put there this string RemoteApp and Desktop Connections , lets check picture below

 

Now is necessary close GPMC and open this console again. Try to use Search Item and choose User Configuration, now it should be ok 🙂 . Tested and for me it is working 🙂 . Thanks

 

 

How to re-configure ADFS Proxy Server which reports problems

How fix the problem in the picture ?  Affected server was  Sxxxxxxx.

 

Open up Remote Access management console and You see red. The red color is nice but in this case it means that something is wrong.

1_LI

 

 

We need to reset WAP configuration, in Registry we have to change value 2 = configured to the Value 1 = not configured

2

 

 

Use powershell.exe Install-WebApplicationProxy -CertificateThumbprint “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx” -FederationServiceName “xxxxxx.com” (but it did not work for me same good as GUI for server ADFS 3.0 S2K12 R2 🙁 ….)

or through console Remote Access management we configured WAP again. It requires name of ADFS service – xxxxxxxxxxx.com, usually service account – axxxxxx  and choose the right certificate –  right ADFS certificate with name xxxxxxxxxxx.com. Although we did this, the service tried to use different, self-signed certificate , In ADFS event log we could see „Unable to retrieve proxy configuration data from the Federation Service + thumbprint  of bad certificate not our ADFS certificate “ In mmc.exe we could see only the certificate for MS SCOM, xxxxxxxxxxx.com and some expirated self-signed certificates but we could not see the certificate with thumbprint found in event log. By Powershell  we could list it (example is below), we found bad certificate + others and we removed all certificates self-signed certificate.

 

Get-WebApplicationProxySslCertificate, Get-ChildItem -Path cert:\LocalMachine\My | FL FriendlyName, Thumbprint, Subject, NotBefore, NotAfter

3_LI

 

When we removed the self-signed certificates, we tried to complete the wizard again and it was success

4_LI

 

 

Now it is working well. Do not worry that we see server xxxxxx twice, we could see it because in my case we configured WAP after the server has been configured with postfix (full computer name), because for MS SCOM monitoring it is require.

 

5_LI 6_LI

 

 

The result of testing availability https://[name of your ADFS]/adfs/ls/IdpInitiatedSignon.aspx from internet. Tested from page – https://www.site24x7.com/check-website-availability.html

 

7_LI

 

Novinky v Powershell v 5

Transcript loggining – GPO ( loguje všechno, i příkazy Exchange, AD admin center atd.,  které běží na pozadí!)

GPO cesta k nastavení:
Computer Policy: Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Transcription
New commands v powershell v.5  ———
Compress-archive
Expand-archive

New-temporaryfile
Drive pouze – [system.io.file]::gettempfile()

Přístup do stránky (ctrl +c)
Get-clipboard -format

New-guid
Drive pouze – [guid]::newGuid()

Clear-recyclebin

Jak volat registry key:
Get-itempropertyvalue

Převody:
“hello world ” | Format-hex

Převedení zprávy do nečitelného textu :)(zakryptuj si to)
Crypto rfc5652 (base 64)
Protect-cmsmessage

Práce s balíčky 🙂
Get-package, find-package, remove -package

Jak zabránit obnově smazaných dat na disku – NTFS ?

Co třeba příklad, kdy mám na počítači nebo serveru nějaká data, která nechci aby čelt někdo jiný (server bude využívat cizí admin a já zde ukládal důvěrná data). Data na serveru smažu, ale to nikomu nezabrání aby byla data obnovena. Tedy dokud neprovedu alespon jedno přepsání na disku v místě, kde byla původní data zapsána.

K tomuto nám slouží integrovaný nástroj cipher.exe .  Tento nástroj je dostupný už od Windows Serveru 2003 :\, no já o něm teda fakt nevěděl :). Na tyhle věci jsem do nedávna používal specilizovaný nástroj třetí strany 🙂 .

cipher

 

C:\Users\svobodma>cipher /?

Displays or alters the encryption of directories [files] on NTFS partitions.

CIPHER [/E | /D | /C]
[/S:directory] [/B] [/H] [pathname […]]

CIPHER /K [/ECC:256|384|521]

CIPHER /R:filename [/SMARTCARD] [/ECC:256|384|521]

CIPHER /U [/N]

CIPHER /W:directory

CIPHER /X[:efsfile] [filename]

CIPHER /Y

CIPHER /ADDUSER [/CERTHASH:hash | /CERTFILE:filename | /USER:username]
[/S:directory] [/B] [/H] [pathname […]]

CIPHER /FLUSHCACHE [/SERVER:servername]

CIPHER /REMOVEUSER /CERTHASH:hash
[/S:directory] [/B] [/H] [pathname […]]

CIPHER /REKEY [pathname […]]

/B Abort if an error is encountered. By default, CIPHER continues
executing even if errors are encountered.
/C Displays information on the encrypted file.
/D Decrypts the specified files or directories.
/E Encrypts the specified files or directories. Directories will be
marked so that files added afterward will be encrypted. The
encrypted file could become decrypted when it is modified if the
parent directory is not encrypted. It is recommended that you
encrypt the file and the parent directory.
/H Displays files with the hidden or system attributes. These files
are omitted by default.
/K Creates a new certificate and key for use with EFS. If this
option is chosen, all the other options will be ignored.

Note: By default, /K creates a certificate and key that conform
to current group policy. If ECC is specified, a self-signed
certificate will be created with the supplied key size.

/N This option only works with /U. This will prevent keys being
updated. This is used to find all the encrypted files on the
local drives.
/R Generates an EFS recovery key and certificate, then writes them
to a .PFX file (containing certificate and private key) and a
.CER file (containing only the certificate). An administrator may
add the contents of the .CER to the EFS recovery policy to create
the recovery key for users, and import the .PFX to recover
individual files. If SMARTCARD is specified, then writes the
recovery key and certificate to a smart card. A .CER file is
generated (containing only the certificate). No .PFX file is
generated.

Note: By default, /R creates an 2048-bit RSA recovery key and
certificate. If ECC is specified, it must be followed by a
key size of 256, 384, or 521.

/S Performs the specified operation on the given directory and all
files and subdirectories within it.
/U Tries to touch all the encrypted files on local drives. This will
update user’s file encryption key or recovery keys to the current
ones if they are changed. This option does not work with other
options except /N.
/W Removes data from available unused disk space on the entire
volume. If this option is chosen, all other options are ignored.
The directory specified can be anywhere in a local volume. If it
is a mount point or points to a directory in another volume, the
data on that volume will be removed.
/X Backup EFS certificate and keys into file filename. If efsfile is
provided, the current user’s certificate(s) used to encrypt the
file will be backed up. Otherwise, the user’s current EFS
certificate and keys will be backed up.
/Y Displays your current EFS certificate thumbnail on the local PC.
/ADDUSER Adds a user to the specified encrypted file(s). If CERTHASH is
provided, cipher will search for a certificate with this SHA1
hash. If CERTFILE is provided, cipher will extract the
certificate from the file. If USER is provided, cipher will
try to locate the user’s certificate in Active Directory Domain
Services.
/FLUSHCACHE
Clears the calling user’s EFS key cache on the specified server.
If servername is not provided, cipher clears the user’s key cache
on the local machine.
/REKEY Updates the specified encrypted file(s) to use the configured
EFS current key.
/REMOVEUSER
Removes a user from the specified file(s). CERTHASH must be the
SHA1 hash of the certificate to remove.

directory A directory path.
filename A filename without extensions.
pathname Specifies a pattern, file or directory.
efsfile An encrypted file path.

Used without parameters, CIPHER displays the encryption state of the
current directory and any files it contains. You may use multiple directory
names and wildcards. You must put spaces between multiple parameters.