Category Archives: Windows

A Simple Explanation of Group Policy Inheritance in Active Directory

WARNING:  This post involves playing around with Active Directory, so don’t do this in a production environment.  You use this information at your own risk.  For other warnings, please see the disclaimer.

Group Policy is an incredibly powerful feature in Active Directory that allows one to implement specific configurations for users and computers. By creating Group Policy objects (GPOs), administrators can apply thousands of different settings to objects within Active Directory by linking the GPO to sites, domains, or organizational units (OUs).

Unfortunately, Group Policy’s flexibility can also increase its complexity.  It’s one thing to specify a single setting, such as a password complexity rule, to the entire domain.  It’s an entirely different thing to specify unique configurations for thousands of users or computers spread across different geographic areas.  One area where there can be confusion is in determining which settings are applied to a particular user or computer when multiple policies exist.

Inheritance in Group Policy works very similarly to inheritance when it comes to NTFS permissions.  The basic rule is “settings on parent objects are inherited by child objects”.

For example, let’s say you have an Organizational Unit (OU) hierarchy as follows:

[Image: AD-1.PNG]

Every Active Directory domain has a “Default Domain Policy” which is a Group Policy Object (GPO) which contains the default settings for the domain.  That GPO is linked to the domain:

[Image: DDP.PNG]

Because it is linked to the domain, every OU under the domain inherits the settings of the Default Domain Policy GPO.

Let’s say the Default Domain Policy configures users to get a green desktop background.  Regardless of where your user account is in the domain, you end up with a green desktop because the settings in the Default Domain Policy are inherited by all child objects (everything in the domain).

[Image: ddp-green.png]

Nobody has to enforce this; it’s just how Group Policy works.

Now, let’s say that you need to create some settings for your sales department.  So you create a GPO called “Sales Stuff” and you link it to the Sales OU:

[Image: ssgpo.png]

Once you do that, the settings in Sales Stuff are applied to everything in the Sales OU, including Managers, Sales Reps and Sales Admin and everything they contain.  Again, this is just how Group Policy works.

When multiple GPOs are applied, they are applied from the top down.  So, the first GPO applied is the Default Domain Policy and the second is the Sales Stuff.  (It’s not quite like that, but close enough for this discussion).

As each policy is applied, it will overwrite conflicting settings that previous policies applied.  In our example, the Default Domain Policy GPO changes the desktop color to green.  But, let’s say the Sales Stuff policy has the desktop color set to yellow.

Well, the first policy applied when you log on is the topmost policy.  That’s the Default Domain Policy.  So, it changes the setting on your computer to make the desktop background green.  However, the Sales Stuff policy is applied next and it changes the setting to make the desktop background yellow.

[Image: ssp-yell.png]
The end result is your desktop is yellow.

Keep in mind, this only applies to configured settings which conflict with each other (in this case, the desktop color).  But, if the Default Domain Policy also dictated what kind of mouse pointer you had, and that wasn’t specified in the Sales Stuff policy, the Default Domain Policy’s mouse pointer setting would still apply, because the Sales Stuff GPO doesn’t overwrite it.

Well, the CEO will have none of that!  By God, those desktops are going to be green, or some heads are going to roll!

No problem.  In your Group Policy Management console, right-click on the Default Domain Policy and select “Enforced”.

[Image: Untitled.png]

Now, the Sales Stuff policy cannot overwrite the Default Domain Policy settings (and neither can any other GPO).  So, when you log on, any settings the Sales Stuff policy would have overwritten, including the desktop color, are kept intact.

[Image: ssp-green.png]

So, regardless of the Sales Stuff settings, your desktop is green.
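
The processing order described above, as a small PowerShell model. This is an added example, not part of the original post and not how the Group Policy engine is implemented; the GPO names and colors come from the post, while the function name, the MousePointer value and the object layout are constructed. It goes slightly beyond the post by handling several enforced links: enforced GPOs are written last, highest level last, so the link nearest the top wins.

```powershell
# Toy model of GPO processing; it does not query Active Directory.
function Resolve-EffectiveSettings {
    param(
        # GPO links ordered from the top of the hierarchy (domain) down to the OU.
        [Parameter(Mandatory)] [object[]] $GpoLinks
    )
    # Non-enforced links are applied top-down, so a lower GPO overwrites only
    # the settings it actually configures. Enforced links are applied after
    # those, bottom-up, so the highest enforced link is written last.
    $normal   = @($GpoLinks | Where-Object { -not $_.Enforced })
    $enforced = @($GpoLinks | Where-Object { $_.Enforced })
    [array]::Reverse($enforced)

    $value = [ordered]@{}
    $from  = @{}
    foreach ($gpo in ($normal + $enforced)) {
        foreach ($name in $gpo.Settings.Keys) {
            $value[$name] = $gpo.Settings[$name]
            $from[$name]  = $gpo.Name
        }
    }
    foreach ($name in $value.Keys) {
        [pscustomobject]@{ Setting = $name; Value = $value[$name]; WonBy = $from[$name] }
    }
}

# Constructed sample data matching the post's scenario.
$ddp = [pscustomobject]@{
    Name = 'Default Domain Policy'; Enforced = $false
    Settings = @{ DesktopColor = 'Green'; MousePointer = 'Standard' }
}
$sales = [pscustomobject]@{
    Name = 'Sales Stuff'; Enforced = $false
    Settings = @{ DesktopColor = 'Yellow' }
}

# No enforcement: Sales Stuff is applied last and wins the color conflict,
# while MousePointer still comes from the Default Domain Policy.
Resolve-EffectiveSettings -GpoLinks $ddp, $sales | Format-Table

# Default Domain Policy link set to Enforced: Sales Stuff can no longer override it.
$ddp.Enforced = $true
Resolve-EffectiveSettings -GpoLinks $ddp, $sales | Format-Table
```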

This is a very simplified explanation, but I hope it might clear up some fog on how this works.

 

Moving the Offline Folder Cache in Windows (7, 8, 8.1 and 10)

WARNING:  This post involves playing around with your operating system’s registry.  You use this information at your own risk.  For other warnings, please see the disclaimer.

I’m a big fan of Windows’ offline folder caching and have used it on my laptops for over a decade.  One thing I don’t like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  (By default, it’s found at \Windows\CSC).

WARNING:  If this isn’t a FRESH installation of Windows, make sure you have synchronized your offline files.  This procedure will ERASE ALL EXISTING OFFLINE FILES AND FOLDERS!!!

In order to move the cache, follow these steps:

1. Clear the content of your existing cache
Yeah, you have to do this.  And, it’s not a very obvious procedure.  You end up creating a registry value that resets the cache at startup and then deletes itself.  Here’s the command to create the registry value (you can do this at a command prompt):

REG ADD "HKLM\System\CurrentControlSet\Services\CSC\Parameters" /v FormatDatabase /t REG_DWORD /d 1 /f

Once you’ve done this, reboot.

2. Create the folder in the location where you’d like to have your cache
I always like to keep my data separate from my OS by storing it on a different drive (or, at the very least, a different partition).  For this example, I’m using the path X:\Data\Cache

3. Create a new registry value
Open Registry Editor and browse to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSC\Parameters

This is the same key we modified before.  Notice how there’s no “FormatDatabase” value even though we added it prior to the last reboot.

Right-click on Parameters, hover on New and select String Value:

[Image: String Value Key Menu]

Name the new string value “CacheLocation”:

[Image: CacheLocation]

Double-click on CacheLocation and input the path to the new cache location and then click “OK”:

[Image: Edit String]

Notice the “\??\” in the value.  This is an NT Object Path used by the OS to reference the local path.  (If it was “\??\UNC\”, it would be referencing a network path.)  You must use this format.

You’ll see the value populated now in your registry editor:

[Image: CacheLocation Populated]

4. Reboot
Once the OS is back up, it should be using the new location.  You can test this by opening the new folder and you should see a folder in there called “v.2.0.6”.  You should get a permission error if you try to open that folder.
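
The four steps above as one two-phase PowerShell script, run from an elevated prompt once before and once after the first reboot. This is an added example, not part of the original post; the -Phase parameter and the ConvertTo-NtObjectPath helper are hypothetical names, and X:\Data\Cache is the post's example path.

```powershell
# Added example. Phase 'Reset' = step 1; phase 'Relocate' = steps 2 and 3.
param(
    [ValidateSet('Reset', 'Relocate')] [string] $Phase = 'Reset',
    [string] $NewCache = 'X:\Data\Cache'
)

$CscParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC\Parameters'

# Turn a local drive path into the "\??\" form the CacheLocation value needs.
function ConvertTo-NtObjectPath {
    param([Parameter(Mandatory)] [string] $Path)
    if ($Path -notmatch '^[A-Za-z]:\\') {
        throw "Expected an absolute local path such as X:\Data\Cache, got: $Path"
    }
    return '\??\' + $Path
}

if (-not (Test-Path $CscParams)) { New-Item -Path $CscParams -Force | Out-Null }

if ($Phase -eq 'Reset') {
    # Step 1: flag the cache for a reset at the next startup.
    # This erases all existing offline files, so synchronize first.
    New-ItemProperty -Path $CscParams -Name FormatDatabase `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'FormatDatabase set. Reboot, then run again with -Phase Relocate.'
}
else {
    # The value removes itself during the reset; if it is still present the
    # machine has not been rebooted yet.
    if (Get-ItemProperty -Path $CscParams -Name FormatDatabase -ErrorAction SilentlyContinue) {
        throw 'FormatDatabase is still present; reboot before relocating the cache.'
    }

    # Step 2: create the target folder.
    New-Item -ItemType Directory -Path $NewCache -Force | Out-Null

    # Step 3: create the CacheLocation string value in NT object path form.
    New-ItemProperty -Path $CscParams -Name CacheLocation -PropertyType String `
        -Value (ConvertTo-NtObjectPath $NewCache) -Force | Out-Null

    Get-ItemProperty -Path $CscParams -Name CacheLocation | Select-Object CacheLocation
    Write-Host 'Reboot (step 4) to start using the new cache location.'
}
```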

I hope you find this useful!  If you see anything wrong, please let me know.

Scheduling a Task in Windows 8.1

Backing up your data is the single most important thing you can do to maintain your mental and emotional health as a computer user.  As an IT professional, I stress again and again to my customers that their backups must be a top priority and they must also be frequently tested to ensure they are working properly and consistently.

Of course, this means my own data is vulnerable as I almost never back up my own stuff.

I’m trying to mend my ways and back up the things I find most useful and I do have some pretty spiffy backup software that I use to take image snapshots of my drives.  However, I also want some simple backup jobs that just grab a file here and there so I don’t have to go and muck around with scheduling an entire recovery task.

I’ve created a couple of small batch files that grab some data here and there for my most often-used applications and I scheduled those tasks to run at midnight every night.  If you’ve never scheduled a task in Windows, it’s pretty straightforward.

 

1. Open your Control Panel
In Windows 8.1, you can just right-click on the Windows icon in the lower left corner of the screen and select “Control Panel”.

[Image: Start Menu 8.1]

[Image: Control Panel]

2. Select “Schedule Tasks” from the Control Panel
You’ll find this by selecting “System and Security” and looking under the “Administrative Tools” heading.

[Image: CP Schedule Tasks]

3. In the Task Scheduler interface, select “Create Basic Task” and go through the wizard.
I’ve highlighted it below with a red box.

[Image: Create Basic Task Select]

Give your task a name.  The description is optional.

[Image: Task Name]

You have a lot of options for scheduling the task to run.  Feel free to play around with those.  I’m scheduling mine to run daily at midnight, so I’ll keep the default of “Daily”.

[Image: Task Trigger]

Set your start day and start time and recurrence.  The only time you have to worry about the time zone synchronization is if your computer might be in different time zones as you travel.

[Image: Daily Trigger]

The next window is a bit frustrating as Microsoft has deprecated two of the options available for scheduled tasks.  This means that those features will be unavailable in a future (probably the next) version of Windows.  So, if you need to automatically send an email or display a message, you’ll want to use PowerShell.  In my case, I don’t need those features, so I’ll keep “Start a program” selected and just click “Next”.

[Image: Start a Program]

Now, browse to the script you’d like to execute on this schedule and then click “Next”.  (If you have command line arguments or options, you’ll want to specify those in the “Add arguments (optional):” field.)

[Image: Select Program]

Review the task information and click “Finish”.

[Image: Finish]

4. Check to make sure the task is active

Once you click “Finish”, you’ll find yourself back at the Task Scheduler interface.  Look under “Active Tasks” and make sure the task you’ve just created appears there.  If so, you’re good to go!

[Image: Check Active Task]
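
The same daily-at-midnight task created from PowerShell with the ScheduledTasks cmdlets, followed by the check from step 4. This is an added example, not part of the original post; the script path and task name are placeholders, and the ACL check is an added hardening step, since a scheduled script that other accounts can edit lets them run code as you.

```powershell
# Added example; the path and task name below are placeholders.
$script   = 'C:\Scripts\backup-appdata.cmd'
$taskName = 'Nightly app data backup'

if (-not (Test-Path -LiteralPath $script)) { throw "Script not found: $script" }

# Added check: warn if broad groups can modify the script the task will run.
# The group names assume an English-language Windows installation.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$loose = (Get-Acl -LiteralPath $script).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -in $broad -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData)
}
if ($loose) {
    Write-Warning "$script is writable by: $($loose.IdentityReference.Value -join ', ')"
}

# "Start a program": run the batch file through cmd.exe, with the path quoted.
$action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$script`""

# "Daily" trigger at midnight, as in the wizard walkthrough.
$trigger = New-ScheduledTaskTrigger -Daily -At '00:00'

# Registered without -User, the task runs as the current user.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Description 'Copies application data to the backup location' | Out-Null

# Step 4: confirm the task exists, is enabled, and has a next run time.
$task = Get-ScheduledTask -TaskName $taskName
$info = $task | Get-ScheduledTaskInfo
[pscustomobject]@{
    TaskName    = $task.TaskName
    State       = $task.State
    NextRunTime = $info.NextRunTime
}
```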

I hope this helps someone and saves some time.  If you see anything wrong, please let me know.

Accessing Another Windows Computer’s Registry from a Disk in Windows 8.1

WARNING:  This post involves playing around with your operating system’s registry.  You use this information at your own risk.  For other warnings, please see the disclaimer.

Recently, I had to recover some data from another computer which had crashed and the only thing I had left was its hard drive.

While this is a fairly common occurrence, what made this unusual for me was some of the information I needed was in that computer’s registry.

While I’m familiar with accessing the local machine’s registry as well as a remote machine’s registry, I wasn’t familiar with accessing the registry files directly from a disk.  Here’s how you do it:

1. Open your Registry Editor
Click your Windows icon, type “regedit” and select regedit.exe from the list of apps.

2. Select the desired registry hive
There are several different hives which are stored on disk for your operating system.  To see the file locations for the hives, you can go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.  To save you the trip, here they are:

HKEY_LOCAL_MACHINE\SYSTEM:  %windir%\system32\config\SYSTEM
HKEY_LOCAL_MACHINE\SAM:  %windir%\system32\config\SAM
HKEY_LOCAL_MACHINE\SECURITY:  %windir%\system32\config\SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE:  %windir%\system32\config\SOFTWARE

You can also find the Default User registry hive in the same directory:

HKEY_USERS\.DEFAULT:  %windir%\system32\config\DEFAULT

For Windows Vista or later, if you want to find specific users, go to the \Users folder on the root of the drive (assuming you have the old “C:” drive or boot drive) and look for NTUSER.DAT in the root of the user profile directory.  For Windows XP and earlier, you’ll find the profiles under \Documents and Settings.

3. Load the desired registry hive
It doesn’t really matter what hive you want to look at; the process works the same for any.  In this case, I want to look at the old machine’s SOFTWARE hive, so select HKEY_LOCAL_MACHINE.

[Image: regedit1]

Now, click on the File menu and select “Load Hive…”.

[Image: regedit2]

Browse to the file location on the hard drive and select the hive which you wish to load.

[Image: regedit3]

The hive you’re loading is going to show up as a registry key in Registry Editor.  Click “Open”, and give the new key a name.

[Image: regedit4]

You’ll see that the new registry key appears under HKEY_LOCAL_MACHINE.

[Image: regedit5]

4. Unload the hive once you’re done
Once you’ve found the information you need, make sure you get rid of this key you’ve created.  It most likely won’t harm anything if you forget (after all, nothing in the OS is going to look for information there), but better safe than sorry.  You can’t just delete the key (you’ll get an error).  Instead, you have to unload the hive.  Just select the key, go to the File menu and select “Unload Hive…” and you’re done.

[Image: regedit5]

[Image: regedit6]
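
The load, read and unload cycle from steps 3 and 4 as a script, using reg.exe from an elevated PowerShell prompt. This is an added example, not part of the original post; the E: drive letter, the OldSoftware key name and the values read are assumptions chosen for illustration. The try/finally block makes sure the hive is unloaded even if the read fails.

```powershell
# Added example. E:\ is an assumed drive letter for the recovered disk and
# 'OldSoftware' is an arbitrary name for the temporary key.
$hiveFile = 'E:\Windows\System32\config\SOFTWARE'
$mount    = 'OldSoftware'

if (-not (Test-Path -LiteralPath $hiveFile)) { throw "Hive file not found: $hiveFile" }
if (Test-Path "HKLM:\$mount") { throw "HKLM\$mount already exists; pick another name." }

# Step 3: load the hive file as a key under HKEY_LOCAL_MACHINE.
# Loading can write to the hive file, so work on a copy if the disk is evidence.
& reg.exe load "HKLM\$mount" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Read from the old machine's SOFTWARE hive through the temporary key.
    $cv = Get-ItemProperty -Path "HKLM:\$mount\Microsoft\Windows NT\CurrentVersion"
    [pscustomobject]@{
        ProductName     = $cv.ProductName
        RegisteredOwner = $cv.RegisteredOwner
    }

    # List the programs that were installed on the old machine.
    Get-ChildItem -Path "HKLM:\$mount\Microsoft\Windows\CurrentVersion\Uninstall" |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion
}
finally {
    # Step 4: unload the hive. PowerShell may still hold handles to keys it
    # read, which makes the unload fail, so release them first.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$mount" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Unload failed; close anything browsing HKLM\$mount and run: reg unload HKLM\$mount"
    }
}
```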

I hope this helps someone and saves some time.  If you see anything wrong, please let me know.