Microsoft has just released Security Compliance Manager v2.5 beta https://connect.microsoft.com/site715/program2682 along with a heap of new security baselines for you to use to compare against your environment. In case you are not familiar with SCM, it is a great product from Microsoft that consolidates all the best practices for their software, with an in-depth explanation for each setting.
Notably, this new version has security baselines for Exchange Server 2010 and 2007. These baselines are also customised for the specific role of the server. Also interesting is that the baseline settings include not only Group Policy computer settings but also PowerShell commands to configure aspects of the product that are not as simple to set as a registry key change.
As you can see from the image below, the PowerShell script to perform the required configuration is listed in the detail pane…
As yet I can only assume you need to copy the PowerShell command and make your own script to run against your Exchange server. Still better than nothing… and the software is still beta, so we are likely to see more improvements soon…
Today I experienced serendipity with the error “Unable to find a default server with Active Directory Web Services running.” in PowerShell on Windows 7. This message was occurring when trying to create some new OUs using the New-ADOrganizationalUnit command. Initially I thought it was due to not having the required Active Directory PowerShell commands installed, but then I realised that the “Import-Module ActiveDirectory” command was loading fine, so that couldn’t be the problem.
About this time I noticed a new blog post http://jorgequestforknowledge.wordpress.com/2011/12/12/the-active-directory-web-service-adws/ about the new Active Directory Web Services (ADWS) feature in 2008 R2, which explained why I was getting this message. The environment I was dealing with was a Windows 2008-only domain, meaning there was no ADWS for PowerShell on Windows 7 to utilise. The article explained that both PowerShell and the Active Directory Administrative Center (ADAC) in Windows 7/2008 R2 use the WS-* protocols and therefore need an ADWS server somewhere in the domain to work. Not having an ADWS DC in the environment meant that these tools would not work…
So to get around this issue you will either need to spin up a Windows Server 2008 computer to run the commands, or apply the necessary KBs to some of the domain controllers in your environment to enable ADWS.
Update: I just learnt that the AD PowerShell commands are only supported on Windows 7/2008 R2.
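As an added example (not from the original post), here is a small wrapper that looks for a domain controller advertising ADWS before calling New-ADOrganizationalUnit, so that in a 2008-only domain the failure is reported as “no ADWS DC” rather than the generic error quoted above. The OU name and path in the usage call are constructed placeholders.

```powershell
# Added example, not part of the original post.
# Requires the Active Directory module (RSAT on Windows 7 / Server 2008 R2).
Import-Module ActiveDirectory

function New-OUWithAdwsCheck {
    param(
        [Parameter(Mandatory)][string]$Name,    # name of the new OU
        [Parameter(Mandatory)][string]$Path,    # DN of the parent container
        [string]$Server                         # optional: a specific DC that runs ADWS
    )

    if (-not $Server) {
        # -Discover uses the DC locator rather than ADWS itself, and
        # -Service ADWS asks for a DC that advertises Active Directory
        # Web Services (Server 2008 R2, or 2008 with the KBs the post
        # refers to). In a 2008-only domain no such DC is found.
        try {
            $dc = Get-ADDomainController -Discover -Service ADWS -ErrorAction Stop
        } catch {
            throw "No domain controller running ADWS was found; the AD module cmdlets need one (see the ADWS post above). $_"
        }
        # HostName is returned as a collection when -Discover is used, so take the first entry.
        $Server = [string]($dc.HostName | Select-Object -First 1)
    }

    Write-Verbose "Creating OU '$Name' under '$Path' via $Server"
    New-ADOrganizationalUnit -Name $Name -Path $Path -Server $Server -PassThru
}

# Usage (constructed values):
# New-OUWithAdwsCheck -Name 'Sydney' -Path 'OU=Sites,DC=contoso,DC=com' -Verbose
```

Passing -Server explicitly is also the quickest workaround once a single ADWS-capable DC exists, since the rest of the script does not then depend on which DC the locator happens to pick.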
The moral of this story is that it’s always good practice to make sure your server and client infrastructure are upgraded together, because of the tight integration the two products have with one another.
Jeffery Hicks (PowerShell MVP) has recently written a PowerShell command called Get-GPOBackup to address the issues with managing GPO backups.
The GroupPolicy module from Microsoft offers a great deal of functionality from a command line. In terms of regular maintenance or administration it is pretty hard to beat, especially if you have 100s or 1000s of GPOs. When you have such a large number, backing them up is critical and easy to accomplish with the Backup-GPO cmdlet. However, if you want to restore or import from a backup, you have to resort to the graphical Group Policy Management Console. I couldn’t find any way to manage GPO backups from PowerShell so I wrote my own.
Fine-Grained Password Policies (FGPP) allow IT administrators to apply password and account lockout policies to different users or groups of users in your domain. The major pain about FGPP is that you can’t just use Group Policy to apply them; instead you have to use ADSIEDIT to make the changes… Major PITA.
But luckily some of the pain of making changes to FGPP can be reduced by using PowerShell to automate the process, making it easier to apply multiple FGPPs. To see how to do this, Manoj Ravikumar Nair has just done a video on TechNet Edge showing the whole process.
In this video, I use the Active Directory Module for Windows PowerShell introduced in Server 2008 R2 to create and configure Fine-Grained Password Policy, a new feature introduced in Server 2008 that allows having multiple password and account lockout policies in a Domain. I also walk you through the process of raising the domain functional level using PowerShell.
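As an added example (not from the original post or the TechNet Edge video), this is how the same job looks with the Active Directory module: check the domain functional level, create a Password Settings Object, link it to a group, and then confirm which policy actually wins for the group’s members. The policy name, group and values are constructed for illustration.

```powershell
# Added example, not part of the original post.
Import-Module ActiveDirectory

function New-GroupPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,            # PSO name
        [Parameter(Mandatory)][string]$AppliesToGroup,  # sAMAccountName of a global security group
        [int]$Precedence = 10                           # lower value wins when a user falls under several PSOs
    )

    # FGPP needs Windows Server 2008 domain functional level; the video also
    # covers raising it (Set-ADDomainMode). Fail early with a clear message.
    $mode = (Get-ADDomain).DomainMode
    if ($mode -match 'Windows200[03]') {
        throw "Fine-Grained Password Policies need Windows Server 2008 DFL; current mode is $mode."
    }

    # A stricter-than-default policy is the usual reason for a separate PSO
    # (e.g. for privileged or service accounts). Values are constructed.
    $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) -PassThru

    # PSOs are applied to users or global security groups, never to OUs,
    # which is why Group Policy cannot be used for this.
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $AppliesToGroup

    # Resultant policy per member: shows whether this PSO (or one with a
    # lower precedence value) is the one that actually applies.
    Get-ADGroupMember -Identity $AppliesToGroup |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $effective = Get-ADUserResultantPasswordPolicy -Identity $_
            New-Object PSObject -Property @{
                User         = $_.SamAccountName
                EffectivePSO = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
            }
        }
}

# Usage (constructed values):
# New-GroupPasswordPolicy -Name 'PSO-ServiceAccounts' -AppliesToGroup 'ServiceAccounts' -Precedence 10
```

The resultant-policy check at the end is worth keeping in any FGPP script, because a user in two groups gets only the PSO with the lowest precedence value, and that is easy to get wrong when several policies are applied at once.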
Recently I have been working a lot with PowerShell to automate the creation of a full AD site OU structure (with Group Policy and all) along with all the necessary delegated permissions. One of the limitations of the out-of-the-box AD PowerShell commands is that there is no easy way (but apparently there is a really hard way) to delegate permissions to Active Directory OUs. Luckily Quest Software have helped a lot here: they offer a set of FREE PowerShell commands for Active Directory called “ActiveRoles Management Shell for Active Directory”, one of which is Add-QADPermission, which greatly simplifies the process of delegating security in AD.
This wizard (the Delegation of Control Wizard) allows you to delegate some common tasks (see below) to the OUs in your Active Directory; however, the permissions it applies are not straightforward, simple permissions.
What I will show you is how to perform some of the common delegation tasks from the “Delegation of Control Wizard” using a PowerShell command, so you can automate the process of creating new OUs in your environment. I know this is not strictly a Group Policy topic, but it is closely related and one I think many Group Policy admins will find useful.
The common tasks I will show you are the ones that I almost exclusively use when delegating permissions in Active Directory. They are:
Create, delete and manage user accounts
and Groups
and Computers
Reset user passwords and force password change at next logon
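As an added example (not the post’s own script), the function below reproduces those four wizard tasks with Add-QADPermission so they can be run as part of an OU-creation script. Parameter names and values follow the Quest Add-QADPermission syntax as I recall it and should be checked against Get-Help Add-QADPermission -Full; the OU and group names are constructed placeholders.

```powershell
# Added example, not part of the original post. Quest cmdlet parameters are
# used as I recall them (verify with Get-Help Add-QADPermission -Full).
if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

function Grant-OUDelegation {
    param(
        [Parameter(Mandatory)][string]$OU,      # DN of the OU being delegated
        [Parameter(Mandatory)][string]$Group,   # DOMAIN\Group receiving the rights; always a group, never a user
        [string[]]$ObjectClasses = @('user','group','computer'),
        [switch]$PasswordResetOnly              # helpdesk-style delegation only
    )

    # Task: reset user passwords and force password change at next logon.
    # The wizard grants the "Reset Password" extended right on child user
    # objects plus read/write on pwdLastSet (setting it to 0 forces a change).
    Add-QADPermission $OU -Account $Group -ExtendedRight 'User-Force-Change-Password' `
        -ApplyTo 'ChildObjects' -ApplyToType 'user'
    Add-QADPermission $OU -Account $Group -Rights 'ReadProperty,WriteProperty' -Property 'pwdLastSet' `
        -ApplyTo 'ChildObjects' -ApplyToType 'user'

    if ($PasswordResetOnly) {
        return Get-QADPermission $OU -Account $Group
    }

    # Tasks: create, delete and manage user accounts, groups and computers.
    # The wizard grants create/delete of the object class on the OU and full
    # control over child objects of that class. ThisObjectOnly covers the OU
    # itself; repeat for sub-OUs if the structure is nested.
    foreach ($class in $ObjectClasses) {
        Add-QADPermission $OU -Account $Group -Rights 'CreateChild,DeleteChild' -ChildType $class `
            -ApplyTo 'ThisObjectOnly'
        Add-QADPermission $OU -Account $Group -Rights 'GenericAll' `
            -ApplyTo 'ChildObjects' -ApplyToType $class
    }

    # Return what was actually written so it can be reviewed or logged.
    Get-QADPermission $OU -Account $Group
}

# Usage (constructed values):
# Grant-OUDelegation -OU 'OU=Sydney,OU=Sites,DC=contoso,DC=com' -Group 'CONTOSO\Sydney-Helpdesk' -PasswordResetOnly
# Grant-OUDelegation -OU 'OU=Sydney,OU=Sites,DC=contoso,DC=com' -Group 'CONTOSO\Sydney-Admins'
```

Granting to a group rather than an individual account, and separating the password-reset delegation from full object management, keeps the resulting ACL readable and makes it simple to review with Get-QADPermission later.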