Get a List of All Useless Group Policy Objects

I have another problem today. The problem is that the previous Group Policy administrator had no strategy. I have been the chosen one to clean up our Group Policy strategy. As a result there are a bunch of Group Policy objects (GPOs) that go nowhere or do nothing.

I had noticed this PowerShell guy's article, but it looked utterly complex.

Import-Module GroupPolicy

# A GPO counts as "not linked" when its XML report has no <LinksTo> element at all
function IsNotLinked($xmldata) {
    If ($null -eq $xmldata.GPO.LinksTo) {
        Return $true
    }
    Return $false
}

# A GPO counts as "empty" when neither the computer side nor the user side has
# ever been edited, i.e. both directory version counters are still 0
Function IsEmpty($xmldata) {
    If ($xmldata.GPO.Computer.VersionDirectory -eq 0 -and $xmldata.GPO.User.VersionDirectory -eq 0) {
        Return $true
    }
    Return $false
}

$unlinkedGPOs = @()
$emptyGPOs = @()

# Search for NotLinked GPOs
Get-GPO -All | ForEach-Object {
    $gpo = $_
    $_ | Get-GPOReport -ReportType Xml | ForEach-Object { If (IsNotLinked([xml]$_)) { $unlinkedGPOs += $gpo } }
}

If ($unlinkedGPOs.Count -eq 0) {
    "No Unlinked GPOs Found"
}
Else {
    $unlinkedGPOs | Select-Object DisplayName, Id | Format-Table
    # Uncomment the next two lines to back up and then delete them (-Confirm prompts for each GPO)
    #$unlinkedGPOs | Backup-GPO -Path S:\ActiveDirectory\GPOBackups | Select-Object DisplayName, GpoId, BackupDirectory | Format-Table
    #$unlinkedGPOs | Remove-GPO -Confirm
}

# Search for Empty GPOs
Get-GPO -All | ForEach-Object {
    $gpo = $_
    $_ | Get-GPOReport -ReportType Xml | ForEach-Object { If (IsEmpty([xml]$_)) { $emptyGPOs += $gpo } }
}

If ($emptyGPOs.Count -eq 0) {
    "No Empty GPOs Found"
}
Else {
    $emptyGPOs | Select-Object DisplayName, Id | Format-Table
    # Uncomment the next two lines to back up and then delete them (-Confirm prompts for each GPO)
    #$emptyGPOs | Backup-GPO -Path S:\ActiveDirectory\GPOBackups | Select-Object DisplayName, GpoId, BackupDirectory | Format-Table
    #$emptyGPOs | Remove-GPO -Confirm
}

Run it as is and you simply get a list, or uncomment the Backup-GPO and Remove-GPO lines to back up and then delete the nasty stuff.

DisplayName                                                 Id
-----------                                                 --
Disable Outlook Cache                                       7aca484c-ebcd-4779-9bc8-b2fb8e7302d1
Turn Outlook Junk Mail Filter Off                           de14544c-39be-444f-ac53-089ca0bc65a8
Microsoft Office Trust Centre                               ed6fb632-fdd2-4718-96b0-b3981b4145bd

DisplayName                                                 Id
-----------                                                 --
Portal Home page - mandatory                                bbc9efe7-05c3-4187-92ac-948772f50bf8

Please note that the backup ID that Backup-GPO returns is not the GPO ID!
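The script above tests two conditions on the XML report (no LinksTo element, both VersionDirectory counters at 0). The function below, added here as an example and not part of the original post, does the same classification on a report string so it can be checked without a domain, and goes one step further: it also flags a GPO whose links all exist but are disabled, which a plain LinksTo test reports as linked. The three reports are constructed samples with the same element layout Get-GPOReport -ReportType Xml produces.

```powershell
# Added example, not code from the original post: classify a GPO from the XML
# that Get-GPOReport -ReportType Xml returns. The three reports below are
# constructed samples.

function Get-GpoHealth {
    param([Parameter(Mandatory)][xml]$Report)

    $gpo = $Report.DocumentElement   # <GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">

    # Direct children by local name: this sidesteps the default namespace and the
    # XmlElement .Name property, which would otherwise shadow the <Name> child.
    function ChildrenOf($node, $local) { @($node.ChildNodes | Where-Object { $_.LocalName -eq $local }) }

    $links       = @(ChildrenOf $gpo 'LinksTo')
    $activeLinks = @($links | Where-Object { $_.Enabled -eq 'true' })
    $computer    = @(ChildrenOf $gpo 'Computer')[0]
    $user        = @(ChildrenOf $gpo 'User')[0]

    # VersionDirectory 0 on both sides is what the script above treats as "empty"
    $computerEmpty = [int]$computer.VersionDirectory -eq 0
    $userEmpty     = [int]$user.VersionDirectory -eq 0

    [pscustomobject]@{
        Name        = @(ChildrenOf $gpo 'Name')[0].InnerText
        Links       = $links.Count
        ActiveLinks = $activeLinks.Count
        Unlinked    = ($links.Count -eq 0)
        AllLinksOff = ($links.Count -gt 0 -and $activeLinks.Count -eq 0)   # invisible to a plain LinksTo test
        Empty       = ($computerEmpty -and $userEmpty)
        Candidate   = ($activeLinks.Count -eq 0 -or ($computerEmpty -and $userEmpty))
    }
}

$ns = 'http://www.microsoft.com/GroupPolicy/Settings'

# Constructed sample: never linked, but it does carry computer settings
$unlinked = @"
<GPO xmlns="$ns">
  <Name>Sample - unlinked</Name>
  <Computer><VersionDirectory>3</VersionDirectory><Enabled>true</Enabled></Computer>
  <User><VersionDirectory>0</VersionDirectory><Enabled>true</Enabled></User>
</GPO>
"@

# Constructed sample: linked once, but that link is disabled
$linkOff = @"
<GPO xmlns="$ns">
  <Name>Sample - link disabled</Name>
  <Computer><VersionDirectory>5</VersionDirectory><Enabled>true</Enabled></Computer>
  <User><VersionDirectory>2</VersionDirectory><Enabled>true</Enabled></User>
  <LinksTo><SOMName>Workstations</SOMName><SOMPath>example.local/Workstations</SOMPath>
           <Enabled>false</Enabled><NoOverride>false</NoOverride></LinksTo>
</GPO>
"@

# Constructed sample: linked and enabled, but never edited on either side
$empty = @"
<GPO xmlns="$ns">
  <Name>Sample - empty</Name>
  <Computer><VersionDirectory>0</VersionDirectory><Enabled>true</Enabled></Computer>
  <User><VersionDirectory>0</VersionDirectory><Enabled>true</Enabled></User>
  <LinksTo><SOMName>example</SOMName><SOMPath>example.local</SOMPath>
           <Enabled>true</Enabled><NoOverride>false</NoOverride></LinksTo>
</GPO>
"@

$unlinked, $linkOff, $empty | ForEach-Object { Get-GpoHealth -Report ([xml]$_) } | Format-Table -AutoSize
```

Against a real domain the same function is fed from the module: `Get-GPO -All | ForEach-Object { Get-GpoHealth -Report ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml)) }`. Review the `Candidate` column by hand before handing anything to Remove-GPO; a GPO with a disabled link may have been switched off on purpose during a rollout.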


Extending the AD delegation wizard

I found myself trying to reorganize IT teams while focusing on security – also because there was no time to analyze logs to see who did what.

AD permissions can be tweaked to infinity and beyond, while most of the time IT shops just use the same few permission roles. That's when I noticed that the default delegation wizard did not offer many of those roles.

The default settings only describe 13 "roles". Microsoft documents how to extend this to 70 common roles here, in the infamous appendix O. The article points to C:\%WINDIR%\inf, which is fine for Windows Server 2003 I think. Anything above will have it in c:\%WINDIR%\system32 directly. You can obviously tweak it to your liking and follow the other infamous KB 308404.

Once you have that it should be easier to delegate security by roles.

That said, you will still need tools to find out what the current permissions are and how to clean them up. My favorite, Liza, is a free tool for Active Directory environments which allows you to display and analyze object rights in the directory hierarchy.

On the command line, the assigned permissions can be displayed in the form of access control entries (ACEs) with the tool DSREVOKE, which can remove them too.

The more traditional dsacls or ADUC should do the trick but are way less intuitive.

Microsoft also lists some of them here.
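Before touching anything with DSREVOKE or dsacls you want to see which trustees hold explicit rights on a container, since those are the delegations someone granted by hand rather than inherited from above. The script below is an added example, not code from the post or from any of the tools it names: it reads the ACL of one OU through the ActiveDirectory module's AD: drive and keeps only the non-inherited entries. It assumes the module is installed and a domain is reachable; the OU distinguished name and the ignore list are placeholders to adapt.

```powershell
# Added example, not from the original post: list explicit (non-inherited) ACEs
# on an OU so hand-made delegations can be reviewed before cleanup.
# Assumes the ActiveDirectory module (AD: drive); the OU DN below is a placeholder.
Import-Module ActiveDirectory

function Get-ExplicitDelegation {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Principals that always appear and are not delegation decisions (adjust to taste)
        [string[]]$Ignore = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                              'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
    )

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    $acl.Access |
        Where-Object { -not $_.IsInherited -and $Ignore -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee    = $_.IdentityReference.Value
                Type       = $_.AccessControlType          # Allow / Deny
                Rights     = $_.ActiveDirectoryRights      # e.g. WriteProperty, ExtendedRight, GenericAll
                # An all-zero ObjectType means the right covers the whole object; otherwise it is
                # scoped to one attribute, property set or extended right (resolve the GUID in the schema)
                ObjectType = if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $_.ObjectType.ToString() }
                AppliesTo  = $_.InheritanceType            # None, All, Descendents, ...
            }
        }
}

# Placeholder OU; replace with the container under review
Get-ExplicitDelegation -DistinguishedName 'OU=Workstations,DC=example,DC=local' |
    Sort-Object Trustee | Format-Table -AutoSize
```

Run it against the OUs you intend to re-delegate through the extended wizard and compare the output with the role list you settled on; anything granting GenericAll, WriteDacl or WriteOwner to a group that is not one of your roles is the first thing to clean. Deny entries are listed as well since they silently override the roles you add later.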

HP Comware 5500 Initial Config and Essentials

#enter system view (the configuration mode)

system-view

System View: return to User View with Ctrl+Z.

#Set the hostname

sysname TT-SWCR-1

#Time settings

ntp-service unicast-server 192.168.1.8

ntp-service unicast-server 192.168.1.5
clock timezone EST minus 4:00:00
clock summer-time EDT repeating 02:00:00 2012 March second Sunday 02:00:00 2012 November first Sunday 02:00:00

#logging to Alienvault

info-center loghost 192.168.1.247

#snmp

snmp-agent community write your_snmp

snmp-agent sys-info contact "IT Infrastructure"

snmp-agent sys-info location "Server Rack 9th Floor"

#enable snmpv2

snmp-agent sys-info version v2c

#Set up some access

header motd %

#######################################################################

# Authorised Users Only

# Property of Yours Ltd. All unauthorized access will be prosecuted.

# If you are not authorized to access this device,

# please disconnect immediately. Your activities are

# monitored for security reasons.

########################################################################

%

#Create users and security

[TT-SWCR-1]local-user manager

[TT-SWCR-1-luser-manager]password simple epl$#hp1w

[TT-SWCR-1-luser-manager]service-type ssh

[TT-SWCR-1-luser-manager]authorization-attribute level 3

#Crypto

public-key local create rsa

ssh server enable

#no telnet

user-interface vty 0 4

authentication-mode scheme

protocol inbound ssh

#Do some verification

#[TT-SWCR-1]display ssh server status

# SSH server: Enable

# SSH version : 1.99

# SSH authentication-timeout : 60 second(s)

# SSH server key generating interval : 0 hour(s)

# SSH authentication retries : 3 time(s)

# SFTP server: Disable

# SFTP server Idle-Timeout: 10 minute(s)

user-interface aux 0

[TT-SWCR-1-ui-aux0]idle-timeout 10

#Enable Network features

stp enable

#dhcp-snooping only if it is configured properly, otherwise it can block DHCP relay

#create vlan and interface

[]vlan 99

[vlan 99]name 99-mgmt

[vlan 99]quit

[] interface vlan-interface 99

[interface vlan-interface 99]ip address 10.80.99.10 255.255.255.0

[]quit

#configure a port as trunk for all vlans

[]int ten 1/0/29
port link-mode bridge
port link-type trunk
port trunk permit vlan all

#OR build an LACP group; dynamic mode is important for links between different makes, such as Comware to ProCurve

interface Bridge-Aggregation10

description LACP to old Core

link-aggregation mode dynamic

#then put the interface inside

interface GigabitEthernet1/0/10
port link-aggregation group 10

#only then configure the trunk type and so on

[TT-SWCR-1-Bridge-Aggregation10]port link-type trunk
[TT-SWCR-1-Bridge-Aggregation10]port trunk permit vlan all

Please wait.......................................... Done.

Configuring GigabitEthernet1/0/10.......................................... Done.

Configuring GigabitEthernet1/0/11.......................................... Done.

Configuring GigabitEthernet2/0/10.......................................... Done.

Configuring GigabitEthernet2/0/11.......................................... Done.

#if all is ok the flag will be ACDEF on Comware and the port shows as partnered on ProCurve

#Verify trunk and LACP

[TT-SWCR-1]display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected

Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

D -- Synchronization, E -- Collecting, F -- Distributing,

G -- Defaulted, H -- Expired

Aggregation Interface: Bridge-Aggregation10

Aggregation Mode: Dynamic

Loadsharing Type: Shar

System ID: 0x8000, 7848-5952-8f88

Local:

Port             Status Priority Oper-Key Flag

--------------------------------------------------------------------------------

GE1/0/10         S       32768   1         {ACDEF}

GE1/0/11         S       32768   1         {ACDEF}

GE2/0/10         S       32768   1         {ACDEF}

GE2/0/11         S       32768   1         {ACDEF}

Remote:

Actor           Partner Priority Oper-Key SystemID               Flag

--------------------------------------------------------------------------------

GE1/0/10         217     0       349       0xcf00, 0018-71ca-cf00 {ACDEF}

GE1/0/11         219     0       349       0xcf00, 0018-71ca-cf00 {ACDEF}

GE2/0/10         218     0       349       0xcf00, 0018-71ca-cf00 {ACDEF}

GE2/0/11         220     0       349       0xcf00, 0018-71ca-cf00 {ACDEF}

tor_sw1-5412zl(config)# show lacp

LACP

LACP     Trunk     Port               LACP     Admin   Oper

Port   Enabled   Group     Status   Partner   Status   Key     Key

----   -------   -------   -------   -------   -------   ------ ------

A23   Active   Trk5     Up       Yes       Success   0       294

A24   Active   Trk5     Up       Yes       Success   0       294

J1     Active   Trk60     Up       Yes       Success   0       349

J2     Active   Trk60     Up       Yes       Success   0       349

J3     Active   Trk60     Up       Yes       Success   0       349

J4     Active   Trk60     Up       Yes       Success   0       349
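Reading the flag column by eye works for four ports; it does not for a stack of them. The script below is an added example, not part of the post: it parses captures of the two verification commands shown above (Comware `display link-aggregation verbose` and ProCurve `show lacp`) and reports, per port, whether the member is Selected with the full ACDEF flag set on the Comware side and Up/partnered/Success on the ProCurve side. The captures are constructed from the post's output with one deliberately unhealthy row added on each side; the column layout is assumed to match the real devices.

```powershell
# Added example, not from the original post: check LACP verification output
# offline. Both captures are constructed; only the column layouts are assumed.

$comwareVerbose = @'
Aggregation Interface: Bridge-Aggregation10
Aggregation Mode: Dynamic
Loadsharing Type: Shar
System ID: 0x8000, 7848-5952-8f88
Local:
  Port             Status  Priority Oper-Key  Flag
--------------------------------------------------------------------------------
  GE1/0/10         S       32768    1         {ACDEF}
  GE1/0/11         S       32768    1         {ACDEF}
  GE2/0/10         U       32768    1         {AC}
Remote:
  Actor            Partner Priority Oper-Key  SystemID               Flag
--------------------------------------------------------------------------------
  GE1/0/10         217     0        349       0xcf00, 0018-71ca-cf00 {ACDEF}
'@

$procurveLacp = @'
Port   Enabled   Group     Status   Partner   Status   Key     Key
----   -------   -------   -------   -------   -------  ------  ------
J1     Active    Trk60     Up       Yes       Success   0       349
J2     Active    Trk60     Up       Yes       Success   0       349
J3     Active    Trk60     Up       No        Failure   0       349
'@

# A forwarding LACP member carries A (active), C (aggregated), D (in sync),
# E (collecting) and F (distributing); any missing letter means no traffic.
$requiredFlags = 'A', 'C', 'D', 'E', 'F'

function Test-ComwareLacp {
    param([Parameter(Mandatory)][string]$Output)
    $inLocal = $false
    foreach ($line in $Output -split "`r?`n") {
        if ($line -match '^\s*Local:')  { $inLocal = $true;  continue }
        if ($line -match '^\s*Remote:') { $inLocal = $false; continue }
        # Local rows: port, S/U status, priority, oper-key, {flags}
        if ($inLocal -and $line -match '^\s*(\S+)\s+([SU])\s+\d+\s+\d+\s+\{([A-H]*)\}') {
            $port, $status, $flags = $Matches[1], $Matches[2], $Matches[3]
            $missing = @($requiredFlags | Where-Object { $flags -notmatch $_ })
            [pscustomobject]@{
                Port    = $port
                Status  = $status
                Flags   = $flags
                Missing = ($missing -join '')
                Healthy = ($status -eq 'S' -and $missing.Count -eq 0)
            }
        }
    }
}

function Test-ProcurveLacp {
    param([Parameter(Mandatory)][string]$Output)
    foreach ($line in $Output -split "`r?`n") {
        # Rows: port, Active/Passive, trunk group, port status, partner, LACP status, admin key, oper key
        if ($line -match '^\s*(\S+)\s+(Active|Passive)\s+(\S+)\s+(\S+)\s+(Yes|No)\s+(\S+)\s+(\d+)\s+(\d+)') {
            [pscustomobject]@{
                Port       = $Matches[1]
                Trunk      = $Matches[3]
                PortStatus = $Matches[4]
                Partner    = $Matches[5]
                LacpStatus = $Matches[6]
                OperKey    = [int]$Matches[8]
                Healthy    = ($Matches[4] -eq 'Up' -and $Matches[5] -eq 'Yes' -and $Matches[6] -eq 'Success')
            }
        }
    }
}

Test-ComwareLacp  -Output $comwareVerbose | Format-Table -AutoSize
Test-ProcurveLacp -Output $procurveLacp   | Format-Table -AutoSize
```

With live output, paste the command result into the here-strings or pipe a saved capture through `Get-Content -Raw`. The Oper-Key the ProCurve side reports (349 in the post) is the one the Comware `Remote:` table shows against each actor, so a key mismatch between the two tables is the first thing to check when a port stays Unselected.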

#verify trunks

[TT-SWCR-1]dis port trunk

Interface               PVID VLAN passing

BAGG10                   1     1, 99-100,

XGE1/0/29               1     1, 99-100,

XGE1/0/30               1     1, 99-100,

XGE2/0/29               1     1, 99-100,

XGE2/0/30               1     1, 99-100,

#info on lacp

[TT-SWCR-1]dis interface Bridge-Aggregation

Bridge-Aggregation10 current state: DOWN

IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 7848-5952-8f88

Description: LACP to old Core

Unknown-speed mode, unknown-duplex mode

Link speed type is autonegotiation, link duplex type is autonegotiation

PVID: 1

Port link-type: trunk

VLAN passing : 1(default vlan), 99-100

VLAN permitted: 1(default vlan), 2-4094

Trunk port encapsulation: IEEE 802.1q

Last clearing of counters: Never

Last 300 seconds input: 0 packets/sec 0 bytes/sec   -%

Last 300 seconds output: 0 packets/sec 0 bytes/sec   -%

Input (total): 0 packets, 0 bytes

0 unicasts, 0 broadcasts, 0 multicasts

Input (normal): 0 packets, - bytes

0 unicasts, 0 broadcasts, 0 multicasts

Input: 0 input errors, 0 runts, 0 giants, 0 throttles

0 CRC, 0 frame, - overruns, 0 aborts

- ignored, - parity errors

Output (total): 0 packets, 0 bytes

0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses

Output (normal): 0 packets, - bytes

0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses

Output: 0 output errors, - underruns, - buffer failures

0 aborts, 0 deferred, 0 collisions, 0 late collisions

0 lost carrier, - no carrier

#note for PVID 1

#As per 802.1Q, the PVID cannot be tagged, so I arbitrarily set the PVID of all trunk ports to port trunk pvid vlan 77 so that they are tagged for VLAN 1 (yet untagged for VLAN 77)

#For instance on this trunk link

#

interface Ten-GigabitEthernet1/0/29

port link-mode bridge

port link-type trunk

port trunk permit vlan all

port trunk pvid vlan 77

#

#so now it is tagged on VID1

[TT-SWCR-1]dis vlan 1

VLAN ID: 1

VLAN Type: static

Route Interface: not configured

Description: VLAN 0001

Name: leg-1-mgmt

Tagged   Ports:

Bridge-Aggregation10

GigabitEthernet1/0/10   GigabitEthernet1/0/11   GigabitEthernet2/0/10

GigabitEthernet2/0/11

Ten-GigabitEthernet1/0/29

Ten-GigabitEthernet1/0/30

Ten-GigabitEthernet2/0/29

Ten-GigabitEthernet2/0/30

Untagged Ports:

GigabitEthernet1/0/1     GigabitEthernet1/0/2     GigabitEthernet1/0/3

GigabitEthernet1/0/4     GigabitEthernet1/0/5     GigabitEthernet1/0/6

GigabitEthernet1/0/7     GigabitEthernet1/0/8     GigabitEthernet1/0/9

GigabitEthernet1/0/12   GigabitEthernet1/0/13   GigabitEthernet1/0/14

GigabitEthernet1/0/15   GigabitEthernet1/0/16   GigabitEthernet1/0/17

GigabitEthernet1/0/18   GigabitEthernet1/0/19   GigabitEthernet1/0/20

GigabitEthernet1/0/21   GigabitEthernet1/0/22   GigabitEthernet1/0/23

GigabitEthernet1/0/24   GigabitEthernet1/0/25   GigabitEthernet1/0/26

GigabitEthernet1/0/27   GigabitEthernet1/0/28   GigabitEthernet2/0/1

GigabitEthernet2/0/2     GigabitEthernet2/0/3     GigabitEthernet2/0/4

GigabitEthernet2/0/5     GigabitEthernet2/0/6     GigabitEthernet2/0/7

GigabitEthernet2/0/8     GigabitEthernet2/0/9     GigabitEthernet2/0/12

GigabitEthernet2/0/13   GigabitEthernet2/0/14   GigabitEthernet2/0/15

GigabitEthernet2/0/16   GigabitEthernet2/0/17   GigabitEthernet2/0/18

GigabitEthernet2/0/19   GigabitEthernet2/0/20   GigabitEthernet2/0/21

GigabitEthernet2/0/22   GigabitEthernet2/0/23   GigabitEthernet2/0/24

GigabitEthernet2/0/25   GigabitEthernet2/0/26   GigabitEthernet2/0/27

GigabitEthernet2/0/28