DISCLAIMER: Use of anything provided here is at your own risk!
Some scripts to schedule on the DC to enhance its functionality.
- Change DC password monthly
- Check DC replication daily
- Disable special users daily (extra security on certain users, e.g. admins)
More details are in README
Set of scripts to ease the life of an operator.
- Get all (nested) groups of a user, computer or group
- Get all (nested) users of a group
- Get user (or computer) account-control information
- Get user (or computer) account expiry information
- Get user (or computer) misconfigured (potentially weak) Kerberos encryption types
- Get GPO information (multiple scripts)
More details are in README
Reasons:
- With these settings Windows will not change permissions when it manages files on sysvol.
- No Domain-admin required to manage GPOs, instead members of Group Policy Creator Owners can
Setup details are in README
GPOs come in a number of forms depending on their generation (implementation time). All of them have an LDAP component and a set of files on the sysvol share under Policies. The oldest generation uses utf-16 ini-files, the next generation has utf-8 xml-files and the latest incarnation uses binary regpol-files.
GPOs from will work on the latest generation GPO files: it generates regpol-files from json. This makes the json source files easily portable across domains and makes it possible to store the GPO as text in a versioning system (git).
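To illustrate the regpol generation described above, here is an added example (not code from this repository) that round-trips a JSON settings list through Registry.pol bytes. The JSON field names (`key`, `value`, `type`, `data`) and the sample policy are assumptions, and only REG_SZ and REG_DWORD are handled.

```python
import json
import struct
# Registry.pol: "PReg", DWORD version 1, then UTF-16LE [key;value;type;size;data] records.
HEADER = b"PReg" + struct.pack("<I", 1)
TYPES = {"REG_SZ": 1, "REG_DWORD": 4}
NAMES = {num: name for name, num in TYPES.items()}
# Constructed sample; the field names are an assumed schema.
SAMPLE_JSON = r"""[
 {"key": "Software\\Policies\\Example", "value": "Enabled", "type": "REG_DWORD", "data": 1},
 {"key": "Software\\Policies\\Example", "value": "Banner", "type": "REG_SZ", "data": "a;b]c"}]"""

def u16(text):
    return text.encode("utf-16-le")

def build_regpol(settings):
    out = bytearray(HEADER)
    for s in settings:
        num = TYPES[s["type"]]  # KeyError on a type this example does not handle
        data = struct.pack("<I", s["data"]) if num == 4 else u16(s["data"] + "\0")
        out += u16("[" + s["key"] + "\0;" + s["value"] + "\0;")
        out += struct.pack("<I2sI2s", num, u16(";"), len(data), u16(";")) + data + u16("]")
    return bytes(out)

def parse_regpol(blob):
    if blob[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, settings = 8, []
    def take(n, want=None):  # bounds-checked read; optionally match a delimiter
        nonlocal pos
        chunk, pos = blob[pos:pos + n], pos + n
        if len(chunk) != n or (want is not None and chunk != u16(want)):
            raise ValueError("truncated or malformed record")
        return chunk
    def text():  # NUL-terminated UTF-16LE string, then ';'
        raw = b""
        while (c := take(2)) != b"\0\0":
            raw += c
        take(2, ";")
        return raw.decode("utf-16-le")
    def dword():  # little-endian DWORD, then ';'
        n, _ = struct.unpack("<I2s", take(4) + take(2, ";"))
        return n
    while pos < len(blob):
        take(2, "[")
        key, value, num, size = text(), text(), dword(), dword()
        data = take(size)  # length comes from the size field, never from scanning for ']'
        take(2, "]")
        data = struct.unpack("<I", data)[0] if num == 4 else data.decode("utf-16-le")[:-1]
        settings.append({"key": key, "value": value, "type": NAMES[num], "data": data})
    return settings
```

Parsing the generated bytes back and diffing them against the JSON under version control is a quick check that the file on sysvol still matches the reviewed source.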
The Samba code to manage GPOs was largely written by David Mulder, who also wrote the book "Group Policy on Linux" with a lot of technical information about GPOs (not just for Linux).
Setup details are in README