
TOP 10 TIPS FOR WINDOWS ADMINISTRATORS

Presented by Jim Long & Chris Long


Email:
long@more.net,
clong18@moberlyspartans.org

Copyright ©2016 MOREnet and The Curators of the University of Missouri

OVERVIEW
•  Exclusive Group Policies
•  Active Directory Delegations
•  Administrators Group Membership
•  Active Directory Recycle Bin
•  Fine-Grained Password Policies
•  System Audit Policies
•  Identifying Inactive User Accounts and Computers
•  Local Administrator Password Solution (LAPS)
•  Project Honolulu
•  PowerShell Scripting
BLOCKING WINDOWS SPOTLIGHT

•  This Group Policy only applies to Windows 10 Enterprise and Education

•  Disable Advertising
•  Disable Tips, Tricks and Fun Facts
•  Disable rotation of lock screen picture (daily)

#1
•  User
•  User Configuration > Administrative Templates > Windows Components > Cloud Content

•  Computer
•  Computer Configuration > Administrative Templates > Windows Components > Cloud Content
LINKS

•  Group Policies that apply only to Windows 10 Enterprise and Education
•  https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
•  Group Policies that were added in Windows 10 Version 1703
•  https://docs.microsoft.com/en-us/windows/client-management/new-policies-for-windows-10
ACTIVE DIRECTORY DELEGATIONS

•  Delegate permissions to a group in order to manage specific items in Active Directory
•  User account delegation
•  Reset passwords
•  Unlock accounts
•  Disable/Enable accounts
•  Computer Accounts
•  Add/remove computers in specific OUs

#2
ADMINISTRATORS GROUP MEMBERSHIP

•  Manage the local workstation Administrators group
•  Create Group Policy
•  Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
•  Add the group(s)/user(s) that you want to have administrative access to workstations

•  Example:
•  Domain\WorkstationAdmins
•  Domain\DomainAdmins
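The Restricted Groups policy above replaces the whole membership of the local Administrators group, so anything extra that shows up on a workstation means the GPO did not apply or someone added a member locally. The following audit script is an added example, not from the deck: it assumes the ActiveDirectory module on the admin workstation, WinRM on the targets, and Get-LocalGroupMember (Windows 10 / Server 2016 or WMF 5.1) on the targets; the OU is the one from the deck's join script and the group names are hypothetical.

```powershell
# Added example: compare the live local Administrators group on each workstation
# with the members the Restricted Groups GPO is supposed to enforce.
Import-Module ActiveDirectory

$SearchBase = 'OU=Computers,OU=Chris,DC=Swords,DC=Lan'               # OU from the deck's join script
$Expected   = @('SWORDS\WorkstationAdmins', 'SWORDS\Domain Admins')  # hypothetical: what the GPO enforces

$Computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty Name

# Collect the live membership; unreachable hosts are reported at the end instead of being silently skipped
$Members = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ErrorVariable Unreachable -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, SID, ObjectClass, PrincipalSource
}

$Findings = foreach ($m in $Members) {
    # The built-in Administrator (RID 500) is always a member and may have been renamed, so match on SID
    $isBuiltIn = "$($m.SID)" -like 'S-1-5-21-*-500'
    if (-not $isBuiltIn -and ($Expected -notcontains $m.Name)) {
        [pscustomobject]@{
            Computer = $m.PSComputerName      # added by Invoke-Command
            Member   = $m.Name                # DOMAIN\name or COMPUTER\name
            Class    = $m.ObjectClass         # User or Group
            Source   = $m.PrincipalSource     # Local, ActiveDirectory, ...
        }
    }
}

# Every row here is drift from the policy: a local account, a nested group, or a user added by hand
$Findings | Sort-Object Computer | Format-Table -AutoSize
$Unreachable | ForEach-Object { Write-Warning "Could not query a computer: $($_.Exception.Message)" }
```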

#3
ENABLING THE ACTIVE DIRECTORY RECYCLE BIN
•  The Active Directory Recycle Bin stores deleted
Active Directory data for a specified amount of time
•  Default Tombstone age is 180 days
•  Server Manager > Tools > Active Directory
Administrative Center
•  Click Domain
•  Click Enable Recycle Bin in Right Frame
•  PowerShell
•  Enable-ADOptionalFeature "Recycle Bin Feature" -Server $((Get-ADForest -Current LocalComputer).DomainNamingMaster) -Scope ForestOrConfigurationSet -Target $(Get-ADForest -Current LocalComputer)
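Enabling the feature is only useful if you know how to use it afterwards. The script below is an added example, not from the deck: it checks that the Recycle Bin is on, shows how long deleted objects are kept, lists what is currently in the Deleted Objects container, and restores one account. It assumes the ActiveDirectory module; the user name jdoe is hypothetical.

```powershell
# Added example: verify the Recycle Bin, list deleted objects, restore one account
Import-Module ActiveDirectory

# EnabledScopes is empty until the feature has been enabled; enabling it is irreversible
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Write-Warning 'Recycle Bin is not enabled: deleted objects are plain tombstones and lose most attributes.'
}

# "Specified amount of time" = msDS-DeletedObjectLifetime; when unset it falls back to the tombstone lifetime (180 days)
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
(Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime').'msDS-DeletedObjectLifetime'

# What is in the Deleted Objects container right now, and where each object used to live
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Restore one user into its original OU (lastKnownParent), keeping SID, group memberships and password.
# If the parent OU was deleted as well, restore the OU first or pass -TargetPath to Restore-ADObject.
Get-ADObject -Filter 'samAccountName -eq "jdoe" -and isDeleted -eq $true' -IncludeDeletedObjects |
    Restore-ADObject
```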

#4
FINE-GRAINED PASSWORD POLICIES

•  Fine-Grained Password Policies are policies that apply only to a specific group of users
•  Server Management > Tools > Active Directory
Administrative Center
•  Click on your Domain
•  System > Password Settings Container
•  Click “New > Password Settings” in the “Tasks”
Panel
•  Create your policy and add desired group(s)
•  PowerShell
•  New-ADFineGrainedPasswordPolicy -Name "MyPWPolicy" -Precedence 100 -LockoutThreshold 10 -LockoutDuration "0:00:10:00" -LockoutObservationWindow "0:00:10:00" -MaxPasswordAge "90:00:00:00" -MinPasswordAge "1:00:00:00" -MinPasswordLength 8 -PasswordHistoryCount 14
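Creating the PSO is only half the job: it does nothing until it is applied to a user or global security group, and when several PSOs match, the lowest Precedence wins. The script below is an added example, not from the deck: it creates the same policy (time spans written in the d.hh:mm:ss form), applies it to a group, and checks which policy actually takes effect for one member. It assumes the ActiveDirectory module; the group and user names are hypothetical.

```powershell
# Added example: create the PSO, apply it to a group, verify the resultant policy
Import-Module ActiveDirectory

$PsoName = 'MyPWPolicy'
$Group   = 'ServiceDesk'   # hypothetical global security group (PSOs cannot target OUs)
$User    = 'jdoe'          # hypothetical member of that group

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 100 `
        -LockoutThreshold 10 -LockoutDuration '0.00:10:00' -LockoutObservationWindow '0.00:10:00' `
        -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
        -MinPasswordLength 8 -PasswordHistoryCount 14 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
}

# Apply the PSO; a PSO only takes effect for users and global security groups listed here
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group

# Which policy actually wins for this user? Returns nothing when only the Default Domain Policy applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity $User
if ($effective) {
    $effective | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
} else {
    "$User is governed by the Default Domain Policy (no PSO applies)"
}

# Periodic review: every PSO in the domain and what it is applied to
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, AppliesTo
```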

#5
SYSTEM AUDIT POLICIES

•  Enable System Auditing
•  Computer Policy
•  Create separate policies for Workstations and Servers

#6
IDENTIFYING INACTIVE USERS AND COMPUTERS (COMMAND LINE)
•  Dsquery Command:
•  Run from cmd prompt
•  Query Inactive Computers and output to a text file
•  dsquery computer -inactive 90 > c:\temp\inactive-computers.txt
•  Query Inactive Users and output to a text file
•  dsquery user -inactive 90 > c:\temp\inactive-users.txt

#7
IDENTIFYING INACTIVE USERS AND COMPUTERS (POWERSHELL)
•  Computer
•  $DaysInactive = 90
•  $time = (Get-Date).AddDays(-($DaysInactive))
•  Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp | Select-Object Name | Sort-Object Name | Out-Default

•  User
•  $DaysInactive = 90
•  $time = (Get-Date).AddDays(-($DaysInactive))
•  Get-ADUser -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp | Select-Object Name | Sort-Object Name | Out-Default
ONE-LINERS….

•  Computer
•  $DaysInactive = 90; $time = (Get-Date).AddDays(-($DaysInactive)); Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp | Select-Object Name | Sort-Object Name | Out-Default
•  User
•  $DaysInactive = 90; $time = (Get-Date).AddDays(-($DaysInactive)); Get-ADUser -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp | Select-Object Name | Sort-Object Name | Out-Default

•  Find Disabled Users:
•  Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName, GivenName, Surname
IDENTIFYING INACTIVE COMPUTERS (ACTIVE DIRECTORY)
•  You can use Active Directory itself to save a permanent query
•  Server Manager > Tools > Active Directory Users and Computers > Saved Queries
•  Right-click “New” then “Define Query”
•  Click the “Find” drop-down box and select Custom Search
•  (&(&(&(objectCategory=computer)(lastLogonTimestamp<=131514804000000000))))
•  To get the timestamp value (a Windows FILETIME), type (Get-Date "10/3/2017").ToFileTime() into PowerShell
•  To turn a FILETIME value back into a date, use the PowerShell command [datetime]::FromFileTime(131514804000000000)
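The PowerShell slides and the saved query are the same check written two ways. The function below is an added example, not from the deck: it builds the LDAP filter from a FILETIME cutoff exactly as the saved query does, handles both users and computers, and also catches accounts that never logged on (they have no lastLogonTimestamp at all, so a plain "less than" filter misses them). It assumes the ActiveDirectory module; the OU in the usage lines is hypothetical.

```powershell
# Added example: one function for inactive users and computers, driven by an LDAP filter
Import-Module ActiveDirectory

function Get-InactiveADAccount {
    param(
        [ValidateSet('user', 'computer')] [string] $Type = 'computer',
        [int] $DaysInactive = 90,
        [string] $SearchBase
    )
    $cutoff   = (Get-Date).AddDays(-$DaysInactive)
    # Same number the slide gets from (Get-Date "10/3/2017").ToFileTime(): 100 ns ticks since 1601
    $fileTime = $cutoff.ToFileTime()
    # LDAP generalized time for whenCreated, used to catch accounts that never logged on
    $created  = $cutoff.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    $category = if ($Type -eq 'user') { '(objectCategory=person)(objectClass=user)' } else { '(objectCategory=computer)' }
    # lastLogonTimestamp is only replicated when it is 9 to 14 days stale, so treat the result as "at least this old"
    $ldap = "(&$category(|(lastLogonTimestamp<=$fileTime)(&(!(lastLogonTimestamp=*))(whenCreated<=$created))))"

    $params = @{ LDAPFilter = $ldap; Properties = @('lastLogonTimestamp', 'whenCreated') }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }
    $cmdlet = if ($Type -eq 'user') { 'Get-ADUser' } else { 'Get-ADComputer' }

    & $cmdlet @params | ForEach-Object {
        $last = $null
        if ($_.lastLogonTimestamp) { $last = [datetime]::FromFileTime($_.lastLogonTimestamp) }
        [pscustomobject]@{
            Name      = $_.Name
            Enabled   = $_.Enabled
            LastLogon = $last          # $null = never logged on since the attribute was introduced
            Created   = $_.whenCreated
            DN        = $_.DistinguishedName
        }
    } | Sort-Object LastLogon
}

# Report first; disabling is a separate, deliberate step (drop -WhatIf once the list has been reviewed)
Get-InactiveADAccount -Type computer -DaysInactive 90 -SearchBase 'OU=Computers,OU=Chris,DC=Swords,DC=Lan' |
    Format-Table -AutoSize
Get-InactiveADAccount -Type user -DaysInactive 90 | Where-Object { $_.Enabled } |
    ForEach-Object { Disable-ADAccount -Identity $_.DN -WhatIf }
```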
IDENTIFYING INACTIVE USERS (ACTIVE DIRECTORY)
•  You can use Active Directory itself to save a permanent query
•  Server Manager > Tools > Active Directory Users and Computers > Saved Queries
•  Right-click “New” then “Define Query”
•  Click the “Find” drop-down box and select Common Queries
•  Go to the “Users” tab, click the “Days since last logon” drop-down box and select the range
•  Note that the range only goes up in increments of 30 days and is capped at 180 days
LOCAL ADMINISTRATOR PASSWORD SOLUTION
•  LAPS integrates with Active Directory
•  Used to change Local Administrator Password Regularly
•  Installed on Domain Controller and clients
•  Set minimum length and Complexity
•  GPO
•  LAPS creates Group Policy settings
•  Computer Configuration > Administrative Templates >
LAPS
•  Deploy LAPS via Software Installation GPO
•  View Password in AD or via Powershell
•  Get-AdmPwdPassword -ComputerName <computername>
•  https://www.microsoft.com/en-us/download/details.aspx?id=46899
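Reading a password with Get-AdmPwdPassword is the last step; the part that decides how safe LAPS is in your domain is who is allowed to read it. The script below is an added example, not from the deck: it grants the computers the right to write their own password, limits read and reset rights on one OU to a support group, and then audits every principal that can read passwords there. It assumes the AdmPwd.PS module installed by the LAPS package and that the schema has already been extended; the OU, group and computer names are hypothetical.

```powershell
# Added example: set up and audit LAPS permissions on one OU
Import-Module AdmPwd.PS

$OU      = 'OU=Workstations,DC=Swords,DC=Lan'   # hypothetical OU
$Readers = 'SWORDS\WorkstationAdmins'           # hypothetical support group

# Computers in the OU must be allowed to write ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on themselves
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# Only this group (plus anyone who already holds "All extended rights") may read or expire the password
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $Readers

# Audit: every holder of extended rights on the OU can read LAPS passwords in clear text.
# Anything listed that is not Domain Admins/Enterprise Admins, SYSTEM or $Readers is a finding to follow up.
Find-AdmPwdExtendedRights -Identity $OU | Select-Object -ExpandProperty ExtendedRightHolders

# Read one password together with its expiry; a stale expiry means the client-side extension is not rotating it
Get-AdmPwdPassword -ComputerName 'PC01' | Select-Object ComputerName, Password, ExpirationTimestamp   # PC01 is hypothetical

# After the password has been used for a support session, expire it so the client rotates it at next refresh
Reset-AdmPwdPassword -ComputerName 'PC01'
```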

#8
PROJECT HONOLULU
•  Project Honolulu is a new web-based management tool that combines the
roles of many Windows server tools including:
•  Displaying resources and resource utilization
•  Certificate Management
•  Event Viewer
•  File Explorer
•  Firewall Management
•  Configuring Local Users and Groups
•  Network Settings
•  Viewing/Ending Processes and Creating Process Dumps
•  Registry Editing
•  Managing Windows Services
•  Enabling/Disabling Roles & Features
•  Managing Hyper-V VMs & Virtual Switches
•  Managing Storage
•  Managing Windows Update
•  Internet Explorer does NOT work in Honolulu
•  Update your WMF to version 5.1 if you’re using Windows 2012 or 2012 R2
•  https://www.microsoft.com/en-us/download/details.aspx?id=54616
•  https://aka.ms/HonoluluDownload

•  Manage 2012R2 – Must install WMF 5.1

#9
AND #10….. POWERSHELL

•  ‘Nuf Said!!!

•  No, really!

•  Ya just gotta learn it…

#10
POWERSHELL

•  Some Basics

•  Find repetitive tasks that take your time
•  Determine if these tasks would benefit from being scripted
•  Make a script!
A POWERSHELL SCRIPT

•  PowerShell scripts end with the file extension .ps1

•  Let’s look at a task I have to do repeatedly; how can we automate this:
•  Join computer to domain?

•  First, to run scripts we need to allow scripts to be run; by default, running scripts is restricted
•  Open PowerShell (Admin)
•  Run: Set-ExecutionPolicy Unrestricted -Force
JOIN DOMAIN

•  Let’s ask our friend Google…


•  Powershell join domain
•  618,000 results. I think we can find something
•  What do we do with all these commands…
•  Open PowerShell ISE (Integrated Scripting Environment)
•  The ISE allows you to write, test and debug scripts
JOIN DOMAIN

•  Within a script we can use the # sign to denote a comment

•  # Join my domain script
•  Add-Computer -DomainName mydomain.lan

•  That is all there is to it


VARIABLES
•  We can get a little more fancy with our scripts
•  Using Variables:
•  Place a $ in front of a name and it will act as a variable (string values go in quotes):
•  $domain = "mydomain.lan"
•  Let’s pass this into our script

•  # Join my domain script
•  $domain = "mydomain.lan"
•  Add-Computer -DomainName $domain
# Only run the join when this computer is not already a domain member
if (!(Get-WmiObject Win32_ComputerSystem).PartOfDomain)
{
    $domain = "swords.lan"
    $WGName = "swords"                                   # NetBIOS name; not needed by Add-Computer itself
    $CPath  = "OU=Computers,OU=Chris,DC=Swords,DC=Lan"   # OU the computer object is created in

    " Enter Domain credentials..."
    $credential = (Get-Credential)                       # account allowed to join computers to that OU

    " Join YOURORG Domain..."
    Add-Computer -DomainName $domain -OUPath $CPath -Credential $credential
    Restart-Computer
}
SCRIPTING THROUGH POWERSHELL

•  Don’t recreate the wheel
•  http://www.powershellgallery.com
•  http://www.google.com
•  ftp://ftp.more.net/S_P/Presentations/Scripts
•  PowerShell Cookbooks:
•  https://docs.microsoft.com/en-us/powershell/scripting/getting-started/basic-cookbooks?view=powershell-5.1
THE POWERSHELL GALLERY

•  Install modules from the Microsoft PowerShell Gallery
•  Install-PackageProvider -Name NuGet -Force
•  Find-Module -Repository PSGallery
•  Find-Script -Repository PSGallery
•  https://docs.microsoft.com/en-us/powershell/gallery/psgallery/psgallery_gettingstarted
•  Install-Module and Install-Script
•  Update-Module and Update-Script
QUESTIONS

•  There is a lot of information here and many ways to do things
•  Please ask or send your questions and we will do our best to provide answers
OUR E-MAIL ADDRESSES!

•  Long@more.net
•  clong18@moberlyspartans.org

Download this PowerPoint and PowerShell scripts from the FTP site!

ftp://ftp.more.net/pub/S_P/Presentations/
THANK YOU!

Have a great day!
