AD GPO notes - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki
In this page I describe how I leveraged GPOs with Active Directory Domain Services.
Notes
First I had to reset my Domain Admin accounts, as I had not used them for a while. An easy way to do this was to sign in to ad01 with my old account credentials, after which the system prompted me to reset them. I did not remember the password of one of the accounts, "oliver.mustoe-adm", so I signed in with another domain admin account on ad01 and used the following command to reset it:

```powershell
# Read the new password as a SecureString (Set-ADAccountPassword does not accept plain text)
$NewPwd = Read-Host "Enter the new password" -AsSecureString
Set-ADAccountPassword -Identity oliver.mustoe-adm -NewPassword $NewPwd -Reset
```
After that, on mgmt01 I opened "Active Directory Users and Computers", right-clicked "oliver.local" > selected "New" > selected "Organizational Unit" > named it "Test OU" WITHOUT ACCIDENTAL DELETION PROTECTION > pressed "OK".
Then I moved my user account, oliver.mustoe, and a workstation, WKS01-OLIVER, into it.
I then created a new OU, "Software Deploy", moved the contents of "Test OU" into it, and deleted "Test OU" with the following script (start PowerShell as administrator, run "Set-ExecutionPolicy Unrestricted" first and answer yes to all):

```powershell
# Oliver Mustoe
# Check Tech Journal entry for SYS265 assignment "AD-GPO" for sources
# Script to create an OU "Software Deploy", check if "Test OU" exists, and if it does
# move the user account and computer that were placed in it to "Software Deploy" and remove "Test OU"

# The AD cmdlets below come from the RSAT ActiveDirectory module
Import-Module ActiveDirectory

# Create new OU, with results; will give an error if it already exists
New-ADOrganizationalUnit -Name "Software Deploy" -Path "DC=oliver,DC=local" -PassThru

# Check if "Test OU" exists, and if it does, perform certain actions
if ([adsi]::Exists("LDAP://OU=Test OU,DC=oliver,DC=local"))
{
    # If "True", move objects out
    Move-ADObject -Identity "CN=oliver.mustoe,OU=Test OU,DC=oliver,DC=local" -TargetPath "OU=Software Deploy,DC=oliver,DC=local" -PassThru
    Move-ADObject -Identity "CN=WKS01-OLIVER,OU=Test OU,DC=oliver,DC=local" -TargetPath "OU=Software Deploy,DC=oliver,DC=local" -PassThru

    # Then remove "Test OU". MAKE SURE THAT NOTHING IMPORTANT WILL BE LEFT INSIDE
    # (accidental deletion protection is switched off first so the removal is allowed)
    Get-ADOrganizationalUnit -Filter "Name -eq 'Test OU'" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false -PassThru
    Get-ADOrganizationalUnit -Filter "Name -eq 'Test OU'" | Remove-ADOrganizationalUnit -Recursive
}
else
{
    # If "False", then report that there is nothing to do
    Write-Output "No OU to delete or move objects from :("
}
```
Or I could run the following commands in an administrative PowerShell session instead:

Create new OU
- `New-ADOrganizationalUnit -Name "Software Deploy" -Path "DC=oliver,DC=local" -PassThru`

Move user account to new OU
- `Move-ADObject -Identity "CN=oliver.mustoe,OU=Test OU,DC=oliver,DC=local" -TargetPath "OU=Software Deploy,DC=oliver,DC=local" -PassThru`

Move workstation to new OU
- `Move-ADObject -Identity "CN=WKS01-OLIVER,OU=Test OU,DC=oliver,DC=local" -TargetPath "OU=Software Deploy,DC=oliver,DC=local" -PassThru`

Delete old OU
- `Get-ADOrganizationalUnit -Filter "Name -eq 'Test OU'" | Remove-ADOrganizationalUnit -Recursive`
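The same migration as an added example that is not from the journal entry, written so it can be re-run safely: it creates "Software Deploy" only if it is missing, moves every object sitting in "Test OU" instead of two hard-coded distinguished names, and refuses to delete the old OU unless it is verifiably empty. It assumes the oliver.local domain and the OU names used above, plus the RSAT ActiveDirectory module in a session run as a domain admin.

```powershell
# Added example (not the page's own script): idempotent OU migration with an emptiness check.
# Assumptions: domain oliver.local, source OU "Test OU", target OU "Software Deploy".
Import-Module ActiveDirectory

$DomainDN  = "DC=oliver,DC=local"
$NewOUName = "Software Deploy"
$NewOU     = "OU=$NewOUName,$DomainDN"

# 1. Create the target OU only if it is missing (New-ADOrganizationalUnit errors on a duplicate)
$Target = Get-ADOrganizationalUnit -Filter "Name -eq '$NewOUName'" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $Target) {
    New-ADOrganizationalUnit -Name $NewOUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Stop cleanly if the source OU does not exist
$Source = Get-ADOrganizationalUnit -Filter "Name -eq 'Test OU'" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $Source) {
    Write-Output "No 'Test OU' found; nothing to move."
    return
}

# 3. Move every direct child (users, computers, groups ...) rather than two hard-coded DNs
Get-ADObject -SearchBase $Source.DistinguishedName -SearchScope OneLevel -Filter * |
    ForEach-Object {
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $NewOU -PassThru |
            Select-Object Name, ObjectClass, DistinguishedName
    }

# 4. Delete the old OU only once it is verifiably empty, including anything nested deeper
$Remaining = Get-ADObject -SearchBase $Source.DistinguishedName -SearchScope Subtree -Filter * |
    Where-Object { $_.DistinguishedName -ne $Source.DistinguishedName }
if ($Remaining) {
    Write-Warning "Refusing to delete 'Test OU': $(@($Remaining).Count) object(s) still inside."
} else {
    $Source | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
    $Source | Remove-ADOrganizationalUnit -Confirm:$false
}
```

The emptiness check in step 4 is the difference from `Remove-ADOrganizationalUnit -Recursive`: the recursive form deletes whatever is still inside, whereas this version leaves the OU in place and tells you what it found.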
Next I made a file share on mgmt01 by doing the following:
- In server manager, go to "File and Storage Services"
- Go into "Shares"
- Right click > click "New Share..."
- Set "SMB Share - Quick" > click next
- Set "mgmt01-oliver" as the target with "C:" being the volume > click next
- Name the share "Software" > click next
- Set nothing on next screen > click next
- Click "Customize permissions" > click "Change" > type "Domain Admins" > click OK > click Apply, OK to the popup, and OK again > click Next
- Click "Create"
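The same share created from PowerShell, as an added example that is not part of the page's own steps. It assumes the folder C:\Software on mgmt01-oliver and the NetBIOS domain name OLIVER. The point it adds over the wizard is that an assigned package is fetched by the workstation's own computer account at startup, so Domain Computers need Read at both the share and NTFS level; a share that only admins can read will fail the install on the workstation and show up as an error in its System log.

```powershell
# Added example (not from the original page): create the "Software" share with explicit permissions.
# Assumptions: C:\Software on mgmt01-oliver, domain OLIVER, package only ever read by domain computers.
$Path = "C:\Software"
if (-not (Test-Path $Path)) { New-Item -Path $Path -ItemType Directory | Out-Null }

# Share-level permissions: admins maintain the package, computer accounts only need Read.
New-SmbShare -Name "Software" -Path $Path `
    -FullAccess "OLIVER\Domain Admins" `
    -ReadAccess "OLIVER\Domain Computers" `
    -Description "GPO-deployed MSI packages"

# NTFS permissions must agree with the share permissions (effective access is the more restrictive of the two).
$Acl = Get-Acl $Path
$Acl.SetAccessRuleProtection($true, $false)   # stop inheriting from C:\ and drop the inherited ACEs
$Rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule("OLIVER\Domain Admins",    "FullControl",    "ContainerInherit,ObjectInherit", "None", "Allow"),
    New-Object System.Security.AccessControl.FileSystemAccessRule("OLIVER\Domain Computers", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow"),
    New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",     "FullControl",    "ContainerInherit,ObjectInherit", "None", "Allow")
)
foreach ($Rule in $Rules) { $Acl.AddAccessRule($Rule) }
Set-Acl -Path $Path -AclObject $Acl

# Verify both layers before building the GPO
Get-SmbShareAccess -Name "Software"
(Get-Acl $Path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The two listings at the end are the check worth running before the GPO is created: Domain Computers must appear with Read on the share and ReadAndExecute on the folder, and nothing broader than that should be present.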
After creating the share I downloaded the MSI package for PuTTY and placed it in the new file share, located at `\\mgmt01-oliver\Software`.
Then I added the Group Policy Management feature: in Server Manager, click "Manage" > click "Add Roles and Features" > choose a role-based or feature-based installation and select "mgmt01-oliver" as the server to install on > select "Group Policy Management" from the Features tab > confirm and install the feature.

From inside "Group Policy Management" I right-clicked "Software Deploy" and created a new GPO named "Deploy SW". I then right-clicked "Deploy SW" and selected "Edit...".

In the editor I expanded "Computer Configuration" > expanded "Policies" > expanded "Software Settings" > right-clicked "Software installation" and selected "New" then "Package..." > navigated to the file share (`\\mgmt01-oliver\Software`) and selected the PuTTY installer > selected "Assigned" and clicked OK.
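Creating and linking the GPO from PowerShell, as an added example that is not part of the journal entry. It uses the GroupPolicy module that ships with the Group Policy Management feature and assumes the GPO name "Deploy SW", the "Software Deploy" OU and the workstation object WKS01-OLIVER from the page. The software installation package itself still has to be added in the editor as described above, since there is no cmdlet for it; the script checks afterwards that the package made it into the GPO report.

```powershell
# Added example (not the page's own steps): create and link "Deploy SW", then verify it.
# Assumptions: GroupPolicy module present, domain oliver.local, OU "Software Deploy", workstation WKS01-OLIVER.
Import-Module GroupPolicy

$TargetOU = "OU=Software Deploy,DC=oliver,DC=local"
$GpoName  = "Deploy SW"

# Create the GPO only once
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName -Comment "Assigns PuTTY from \\mgmt01-oliver\Software"
}

# Link it to the OU only if it is not already linked there (keeps the script re-runnable)
$Linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $Linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Where is this GPO linked? Anything beyond the one OU is a scoping mistake worth catching early.
[xml]$Report = Get-GPOReport -Name $GpoName -ReportType Xml
$Report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled, NoOverride

# The package is added in the editor; afterwards the XML report contains the MSI name.
if ((Get-GPOReport -Name $GpoName -ReportType Xml) -match 'PuTTY') {
    Write-Output "PuTTY package is configured in '$GpoName'."
} else {
    Write-Warning "No PuTTY package in '$GpoName' yet; add it under Computer Configuration > Policies > Software Settings > Software installation."
}

# Push the policy to the workstation from mgmt01 and let it restart if the assignment needs a boot
Invoke-GPUpdate -Computer "WKS01-OLIVER" -Force -RandomDelayInMinutes 0 -Boot
```

`Invoke-GPUpdate` does remotely what running `gpupdate /force` on wks01 does locally; the `-Boot` switch accepts the restart prompt that the page describes accepting by hand.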
Then on wks01 I ran "gpupdate /force" to update the policy; I was prompted to restart the computer so the new software could be installed, which I accepted.

Once restarted, I was able to open PuTTY on the machine and see the event log entry for its install in PowerShell and in Event Viewer.

PowerShell

Below is a screenshot showing a PowerShell window running `Get-EventLog -LogName System -Message "The install of application PuTTY*"` to see the event log entry for the PuTTY install:
Event Viewer
Below is a screenshot of Event Viewer showing the event log for the PuTTY install, under system:
(TIP: The following screenshot shows Event Viewer settings to see event logs related to software install including the desired PuTTY log)
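The same verification scripted, as an added example that is not from the page: it pulls the Group Policy install event from the System log the way the screenshot does, adds the Windows Installer record from the Application log, and flags the failure case instead of only showing success. It assumes Windows PowerShell 5.1 on wks01 and that the package is named "PuTTY" in the GPO; `Get-WinEvent` is used rather than `Get-EventLog` so the same query works against both logs with a time window.

```powershell
# Added example (not the page's own command): confirm or fault-find the PuTTY deployment from the event logs.
# Assumptions: run on wks01 after the reboot; package name "PuTTY"; events within the last day.
$Since = (Get-Date).AddDays(-1)

# 1. Group Policy software installation writes to the System log; the message text is the reliable hook.
$GpEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*application PuTTY*' })

# 2. Windows Installer writes its own record to the Application log under the MsiInstaller provider.
$MsiEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*PuTTY*' })

# 3. One timeline, first line of each message only
($GpEvents + $MsiEvents) | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 4. Anything that is not a success is a finding; a missing GP event usually means no reboot yet.
$Failures = ($GpEvents + $MsiEvents) | Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' -or $_.Message -match 'failed' }
if ($Failures) {
    Write-Warning "$(@($Failures).Count) install-related event(s) need attention; check the share permissions and the MSI path in the GPO."
} elseif ($GpEvents.Count -eq 0) {
    Write-Warning "No Group Policy install event for PuTTY since $Since; was the computer restarted after gpupdate /force?"
} else {
    Write-Output "PuTTY deployment recorded successfully."
}

# 5. Cross-check against what is actually installed (registry, not the slow Win32_Product class)
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'PuTTY*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate
```

Step 5 is the part the event log cannot tell you on its own: a success event from an earlier run and a product that has since been removed look identical in the log, while the Uninstall registry keys reflect the current state of the machine.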
Sources
Includes sources for code
https://adamtheautomator.com/set-adaccountpassword/
https://theitbros.com/active-directory-organizational-unit-ou/
https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-interfaces-adsi
https://www.ntweekly.com/2020/08/17/check-if-organizational-unit-ou-exist-with-powershell/
https://www.itprotoday.com/windows-78/check-if-ou-exists-using-powershell