Using Saved Queries to filter Active Directory Users and Computers

imageJust a quick article here for a late Friday afternoon article.

If you managed Microsoft Windows Active Directory based domains you should be very familiar with the management console Active Directory Users and Computers (ADUC). When you have a sprawling OU design it can be difficult to find the user, computer or group that needs your attention. I set up a few saved queries to give me an easy to read list view of certain object types. If you can’t figure out how to create a new saved query then you may be in the wrong job but the is a comprehensive guide over at the Petri IT Knowledgebase. The 3 I use most often are set up as follows

  • All Devices
    • A simple query where just the computer object must have a value to display
  • All Users
    • Same as above, just make sure you are focussing on Users not Computers
  • Locked accounts
    • My most useful time saver. This one is only slightly more tricky as you need to enter a custom search string. Credit goes to an article on WinodwsNetworking.com for this one. By using the string below, when somebody calls to say they have been locked out, I can quickly bring up this saved query and unlock them in a matter of seconds
    • (&(&(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))))

You can really go to town on these queries and there is a great list already created for you, back over on the Petri IT Knowledgebase

Advertisements

Tips – Finding the right Group Policy setting

UPDATED – see below for info on the new Group Policy Search web app

Now Windows Internet Explorer 9 (IE9) is nearing the end of it’s beta process it won’t be long before SysAdmins will be deploying it out across their networks. Something that occurs with any new Microsoft software is the need to update Group Policy to control any new features and lock down as appropriate. I thought I’d share a few tips on how I find discover and configure these new settings.

It seems that with each new Administrative template (ADMX) there are an ever-increasing amount of settings that can be managed (Over 1500 for IE9 alone!). While great for security it can be a headache to navigate. Microsoft usually lists the group policy settings for each product on the TechNet site, like this page for IE9, but did you know there is also an MSDN website (hosted on Azure) called Group Policy Search. This is a godsend policy administrators because not only does it allow you to search the contents of all the Microsoft Windows & Office policies but it also gives you the info like what the policy is supported on and even the registry key that the policy changes. This is a great place to copy details if you need to report to a manager on what a certain setting can do.

Group Policy Search Cloud App
Group Policy Search Cloud App

 This site does work on smartphones but I can see this working really well as a reference app on a mobile device. UPDATE: I just found that somebody has made this into an app for Windows Phone 7/8. Find it in the web store or search on your phones marketplace for Group Policy Search. Now it’s up to another dev to make one for Android and iPhone!

If you use Windows 7/Server 2008 R2, or later, you can also download a Search Connector (from the site’s Settings menu). This lets you search the Group Policy Search website from Windows Explorer, giving you an excerpt of the description and link to the relevant webpage. UPDATE: Unfortunately, due to the change of host for the web app, the connector is broken. Luckily, it is easily fixed by editing the OSDX file. Download the GroupPolicySearch.osdx connector from the site and open with a text editor. Change line 5 to the code below, save and then double-click the file to install to your userprofile/Searches folder

<Url type="application/rss+xml" template="http://gpsearch.azurewebsites.net/gps/rss.ashx?search={searchTerms}"/>
Group Policy Search Connector
Group Policy Search Connector in Windows 7

Another task that becomes complicated is to find settings you have previously changed. I may open up the Group Policy Editor knowing I need to modify a previous setting change but it can be like finding a needle in a haystack digging through all the non-configured settings. You can find it via a report in the Group Policy Management console but did you know you can also filter policies in the editor? Go to the View menu and choose Filter Options. Here you can set up a number of criteria on what you want to see. I typically would change it to only show configured settings and also any policy with my initials in the comments. This makes it really easy to see the changes I have made and adjust them appropriately.

Group Policy Filtering
Group Policy Filtering

I hope that’s given you a bit of help in discovering and managing group policy settings. Let me know your tips in the comments.

UPDATE: I discovered this great page in the increasingly useful TechNet Wiki – Group Policy Survival Guide. It contains links to anything and everything to do with Group Policy